René Schoof's Algorithm for Determining the Order of the Group of Points on an Elliptic Curve over a Finite Field
John McGee, Radford University
14-August-2007

ABSTRACT
Elliptic curves have a rich mathematical history dating back to Diophantus (c. 250 C.E.), who used a form of these cubic equations to find right triangles of integer area with rational sides. In more recent times the deep mathematics of elliptic curves was used by Andrew Wiles et al. to construct a proof of Fermat's last theorem, a problem which challenged mathematicians for more than 300 years. In addition, elliptic curves over finite fields find practical application in the areas of cryptography and coding theory. For such problems, knowing the order of the group of points satisfying the elliptic curve equation is important to the security of these applications. In 1985 René Schoof published a paper [5] describing a polynomial time algorithm for solving this problem. In this thesis we explain some of the key mathematical principles that provide the basis for Schoof's method. We also present an implementation of Schoof's algorithm as a collection of Mathematica functions. The operation of each algorithm is illustrated by way of numerical examples.
Acknowledgements
This material was developed as part of my Master's Thesis completed at Virginia Tech in June of 2006. I am forever indebted to my advisors Charles Parry for help with number theory, Michael Williams for extensive help with Mathematica and especially to Ezra Brown who inspired this project and supported and guided me through the work. I also thank Lawrence Washington for his excellent text [7] which provided the basis for my work and for his willingness to answer questions concerning Schoof's algorithm. This document represents an update of that work in which errors in my Mathematica code have been corrected, testing has been extended, and code restructuring was done to improve performance and provide compatibility with Mathematica version 6.0.
SchoofsAlgorithm06.nb
Chapter 1 - Introduction
"In re mathematica ars propendi pluris facienda est quam solvendi" - Georg Cantor.
Consider the following cubic polynomial in x, y over the field of real numbers:
$y^2 = x^3 + A x + B.$   (1)
Suppose further that the right hand side of equation (1) has distinct roots. Then the graph of this curve is called an elliptic curve. Elliptic curves have a rich mathematical history dating back to Diophantus (c. 200 C.E.), who used a form of these cubic equations to find right triangles of integer area with rational sides. In more recent times some deep mathematical properties of elliptic curves were used by Andrew Wiles et al. to construct a proof of Fermat's last theorem, a problem that had challenged mathematicians for more than 300 years. The Birch-Swinnerton-Dyer conjecture, one of the Clay Math Institute's million dollar problems, is also a question about certain mathematical properties of elliptic curves. In addition, elliptic curves over the finite field $\mathbb{F}_q$ for some large integer $q = p^k$ find practical application in the areas of cryptography and coding theory. One example of this is the Massey-Omura encryption method, which relies on the difficulty of solving the elliptic curve discrete logarithm problem for its security. For such methods, knowing the order of the group of points satisfying (1) with coefficients and coordinates in $\mathbb{F}_q$, written as $\#E(\mathbb{F}_q)$, is very important, because a poor choice of curve parameters can lead to a situation that gives a potential eavesdropper the ability to break the code in reasonable time. In 1985 René Schoof (Figure 1) published a paper entitled "Elliptic curves over finite fields and the computation of square roots mod p" [5]. His paper describes a polynomial time algorithm for determining $\#E(\mathbb{F}_q)$. Refinements to his method by Elkies and Atkin have resulted in computer algorithms capable of finding results for elliptic curves over fields with orders greater than $10^{100}$ [3,6].
Figure 1 - René Schoof
The purpose of this thesis is to explain the mathematical basis for Schoof's algorithm and to provide a Mathematica reference implementation of it. In order to achieve this goal we first present some background on elliptic curves in the x-y plane. In particular we will see that the set of points on the curve has the structure of an algebraic group. In chapter 2 we review the finite field arithmetic needed to work with elliptic curves over finite fields. In chapter 3 we present some basic algorithms for arithmetic in the group of points on an elliptic curve over a finite field. Chapter 4 describes some methods for computing the elliptic curve group order, and includes an introduction to Schoof's algorithm. We present the details of Schoof's algorithm in chapter 5. For each algorithm we first give a mathematical justification for the method or provide a reference to such. Next we present numerical examples that illustrate the operation of the algorithm. In chapter 6 we present results of running Schoof's algorithm against various curves. We conclude in chapter 7 with some applications that motivate efficient solutions to the elliptic curve group order problem. Appendix A contains a listing of the Mathematica functions that implement these algorithms, and Appendix B presents the Mathematica code for their implementation.
1.2 When is f(x,y) an Elliptic Curve?
Much of the following discussion is based on material presented in Lawrence Washington's book "Elliptic Curves - Number Theory and Cryptography" [7]. An elliptic curve is the set of points satisfying a nonsingular cubic polynomial in two variables. If $K$ is a field, then an elliptic curve can be specified as $E : \{(x, y) \in K \times K \mid f(x, y) \in F[x, y],\ f(x, y) = 0\}$
b and divide $a$ by $b$, producing $a = s_0 b + r_0$ where $0 \le r_0 < b$ (by the division algorithm).
If $r_0 = 0$, then $b$ divides $a$ so $\gcd(a, b) = b$. Otherwise, divide $b$ by $r_0$ giving $b = s_1 r_0 + r_1$ where $0 \le r_1 < r_0$.
If $r_1 = 0$ then $r_0$ divides $b$ and, since $a = s_0 b + r_0$, $r_0$ also divides $a$, giving $\gcd(a, b) = r_0$. If $r_i \ne 0$, we can continue the process, dividing $r_{i-1}$ by $r_i$, giving $r_0 = s_2 r_1 + r_2, \ldots, r_{i-1} = s_{i+1} r_i + r_{i+1}$. Eventually we must find $r_{n+1} = 0$ because at each step $0 \le r_i < r_{i-1}$. Then $r_{n-1} = s_{n+1} r_n$, so that $\gcd(r_{n-1}, r_n) = r_n$.
Note, however, that if $x = q y + r$ then $\gcd(x, y) = \gcd(y, r)$. This is true because $\gcd(y, r)$ divides both $y$ and $r$, so it divides $x$ also, hence $\gcd(y, r)$ divides $\gcd(x, y)$. But we can write $\gcd(y, r)$ as a linear combination of $y$ and $r$, so that
$\gcd(y, r) = u y + v r = u y + v(x - q y) = (u - v q) y + v x,$
so $\gcd(x, y)$ divides $\gcd(y, r)$, hence $\gcd(x, y) = \gcd(y, r)$. Applying this to the chain of divisions above gives $\gcd(r_{i-1}, r_i) = \gcd(r_{i-2}, r_{i-1})$, so in particular $\gcd(r_0, r_1) = \gcd(b, r_0) = \gcd(a, b)$. Therefore the last nonzero divisor $r_n = \gcd(a, b)$. Euclid's algorithm for computing the greatest common divisor is implemented in the Mathematica function EuclideanAlgorithm.
2.3 The Extended Euclidean Algorithm
The Extended Euclidean Algorithm computes the greatest common divisor $d$ of the integers $a, b$ and also computes two integers $r, s$ such that $d = r a + s b$. This method provides a fast way to compute multiplicative inverses in $\mathbb{F}_p$. The algorithm proceeds as follows. Starting with $r_0 = 1$, $s_0 = 0$ we take $d_0 = a = r_0 a + s_0 b$. For step 1 we take $r_1 = 0$, $s_1 = 1$ so we can write $d_1 = b = r_1 a + s_1 b$. At each succeeding step we compute the smallest positive $d_i \equiv d_{i-2} \pmod{d_{i-1}}$, so that $d_i = d_{i-2} - k d_{i-1}$ for some positive integer $k$. The algorithm maintains $d_i = r_i a + s_i b$ at each step, so that
$d_i = (r_{i-2} a + s_{i-2} b) - k(r_{i-1} a + s_{i-1} b) = (r_{i-2} - k r_{i-1}) a + (s_{i-2} - k s_{i-1}) b.$
Hence, we must have $r_i = r_{i-2} - k r_{i-1}$ and $s_i = s_{i-2} - k s_{i-1}$, which completes the formulation of the recursion. Our Mathematica implementation is based on Rosen [4] §3.3.
Example 2 - The Extended Euclidean Algorithm
If we can find the prime factorization of two numbers then we can write down the greatest common divisor directly. It is the product of the largest prime powers that divide both numbers. For example, let $a = 7960 = 2^3 \cdot 5 \cdot 199$ and $b = 6480 = 2^4 \cdot 3^4 \cdot 5$. Then $\gcd(a, b) = 2^3 \cdot 5 = 40$. Even for such easy problems, however, the determination of $\gcd(a, b)$ as a linear combination of $a$ and $b$ is best accomplished using the Extended Euclidean algorithm. Using ExtendedEuclideanAlgorithm[a, b] we find $\gcd(7960, 6480) = 40 = -35 \cdot 7960 + 43 \cdot 6480$.
2.4 Finding the modular inverse
We can also use the Euclidean algorithm to find the modular inverse. The extended Euclidean algorithm finds the greatest common divisor of two numbers, $d = \gcd(a, b)$. It also computes two numbers $r, s$ such that $d = r a + s b$. If $a$ is relatively prime to $p$, which is always true if $p$ is a prime and $1 < a < p$, then $\gcd(a, p) = 1$. So to find the modular inverse of $a$ modulo $p$, we use the Euclidean algorithm to compute $\gcd(a, p) = 1 = r a + s p \equiv r a \pmod p$, hence $a^{-1} \equiv r \pmod p$.
We need to compute modular inverses in order to perform the divisions in the elliptic curve point addition formulas.
Example 3 - Multiplicative Inverse (mod p)
As an example, let's work over $\mathbb{F}_{19}$, the field with 19 elements $\{0, 1, \ldots, 18\}$ with arithmetic modulo 19, a prime. In a field, every nonzero element has a multiplicative inverse, so let's find the inverse of 7. The Euclidean algorithm gives $\gcd(7, 19) = 1 = -8 \cdot 7 + 3 \cdot 19 \equiv -8 \cdot 7 \pmod{19}$.
But $-8 \equiv 11 \pmod{19}$ so that $11 \cdot 7 \equiv 1 \pmod{19}$. Hence $7^{-1} \equiv 11 \pmod{19}$. This is verified by the fact that $11 \cdot 7 = 77 = 4 \cdot 19 + 1 \equiv 1 \pmod{19}$.
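As an added Python example (not the thesis's Mathematica ExtendedEuclideanAlgorithm), the recursion of Section 2.3 and the inverse computation of Section 2.4, checked against Examples 2 and 3:

```python
# Added example (not the thesis's Mathematica implementation): the extended
# Euclidean algorithm in the formulation of Section 2.3, and the modular
# inverse of Section 2.4 built on it.

def extended_gcd(a, b):
    """Return (d, r, s, steps) with d = gcd(a, b) = r*a + s*b for a, b > 0.

    steps lists the successive (d_i, r_i, s_i), so the remainder chain of
    Section 2.2 can be inspected.  Invariant: d_i = r_i * a + s_i * b.
    """
    if a <= 0 or b <= 0:
        raise ValueError("a and b must be positive")
    # d_0 = a = 1*a + 0*b,  d_1 = b = 0*a + 1*b
    prev, cur = (a, 1, 0), (b, 0, 1)
    steps = [prev, cur]
    while cur[0] != 0:
        k = prev[0] // cur[0]                 # d_i = d_{i-2} - k d_{i-1}
        nxt = (prev[0] - k * cur[0],
               prev[1] - k * cur[1],          # r_i = r_{i-2} - k r_{i-1}
               prev[2] - k * cur[2])          # s_i = s_{i-2} - k s_{i-1}
        prev, cur = cur, nxt
        steps.append(cur)
    d, r, s = prev                            # the last nonzero d_i is the gcd
    assert d == r * a + s * b                 # the invariant survived
    return d, r, s, steps


def mod_inverse(a, p):
    """Inverse of a modulo p: gcd(a, p) = 1 = r*a + s*p, so a^-1 = r (mod p)."""
    d, r, _, _ = extended_gcd(a % p, p)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {p} (gcd = {d})")
    return r % p


if __name__ == "__main__":
    d, r, s, _ = extended_gcd(7960, 6480)     # Example 2: 40 = -35*7960 + 43*6480
    print(f"gcd(7960, 6480) = {d} = {r}*7960 + {s}*6480")
    print("7^-1 mod 19 =", mod_inverse(7, 19))  # Example 3: 11
```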
2.5 Modular Exponentiation
This method uses the binary representation of $n$ to compute $a^n \pmod p$. Start with $a_1 \equiv a \pmod p$ and $x = 1$; then at each iteration $k$, if the $k$th bit of $n$ is 1, set $x \equiv x \cdot a_k \pmod p$, and compute $a_{2k} \equiv a_k \cdot a_k \pmod p$ for the next iteration. In this way the arithmetic is done with relatively small integers, even though $a^n$ may have hundreds or thousands of digits. In fact, at each step of the algorithm we multiply two numbers which are less than $p$, so the largest product we ever compute is less than $p^2$. Hence, if the binary representation of $p$ requires $m$ bits, then we need no more than $2m$ bits to store the intermediate results. On the other hand, if we compute $a^n$ directly, and $a$ has $m$ bits, then we would need $n m$ bits to hold the intermediate result.
Example 4 - Modular Exponentiation
As an example, let's compute $11^{37} \pmod{97}$. The direct method would first compute $11^{37} = 340\,039\,485\,861\,577\,398\,992\,406\,882\,305\,761\,986\,971$ in $\mathbb{Z}$ and then find $11^{37} = 3\,505\,561\,709\,913\,169\,061\,777\,390\,539\,234\,659\,659 \cdot 97 + 48$, so that $11^{37} \equiv 48 \pmod{97}$. However, in binary $37 = 100101_2$, so we can compute $11^{37} \pmod{97}$ as follows.
$11^{37} = 11^{32 + 4 + 1} = 11^{2^5 + 2^2 + 1} = 11^{(2^3 + 1)\,2^2 + 1} = \left(\left(\left(\left((11^2)^2\right)^2 \cdot 11\right)^2\right)^2\right) \cdot 11.$
But $11^2 \equiv 24 \pmod{97}$, $24^2 \equiv 91 \pmod{97}$ and $91^2 \equiv 36 \pmod{97}$, so that $11^{37} \equiv \left((36 \cdot 11)^2\right)^2 \cdot 11 \pmod{97}$. Then $396 \equiv 8 \pmod{97}$, $(8^2)^2 \equiv 22 \pmod{97}$, hence $11^{37} \equiv 22 \cdot 11 \equiv 48 \pmod{97}$.
Notice that we performed these computations without using any number larger than $97^2$. We will see later how this same idea, applied to polynomial arithmetic, will allow us to compute $f(x)^k \pmod{g(x)}$ in an efficient manner.
2.6 Square roots modulo p
One of the steps in Schoof's algorithm requires the solution of the congruence $w^2 \equiv p \pmod l$ for $w$, with $l$ a prime number less than $\sqrt{p}$. In other words we need to find the square root of $p$ modulo $l$. Unlike the multiplicative inverse problem in a field, this problem does not always have a solution. When it does, we say that $p$ is a quadratic residue modulo $l$, else $p$ is called a quadratic nonresidue. If there is an $x$ such that $x^2 \equiv a \pmod p$, then $a$ is a quadratic residue mod $p$ and $a^{(p-1)/2} \equiv (x^2)^{(p-1)/2} \equiv x^{p-1} \equiv 1 \pmod p$ by Fermat's little theorem.
Otherwise, for all $i < p$, $\gcd(i, p) = 1$. Then for each $i$ less than $p$, $i j \equiv a \pmod p$ has a unique solution $j$, which cannot be $j = i$, else $i^2 \equiv a \pmod p$. Hence we can group the solutions into $(p - 1)/2$ pairs, each with product congruent to $a \pmod p$. Taking the product of all of the solutions gives $a^{(p-1)/2} \equiv (p - 1)! \pmod p$, since each number less than $p$ is included exactly once in the product. Then Wilson's Theorem gives $(p - 1)! \equiv -1 \pmod p$, so that $a^{(p-1)/2} \equiv -1 \pmod p$.
Note that a more efficient algorithm exists which makes use of the Quadratic Reciprocity Theorem of Gauss, but we do not need the complexity of this method because we will be testing for quadratic residues for only modest sized integers.
2.7 Shanks-Tonelli Modular Square Root Algorithm
Once we have determined that the integer $a$ is a quadratic residue modulo $p$, we need a method to find the square root. One method to accomplish this is called the Shanks-Tonelli modular square root algorithm. The details of the algorithm, which has performance logarithmic in the number of digits of $p$, are described in the paper "Square Roots from 1; 24, 51, 10 to Dan Shanks" by Ezra Brown [1].
Example 5 - Computing Square Roots Modulo p
We consider the following nontrivial example. Let $p = 360\,027\,784\,083\,079\,948\,259\,017\,962\,255\,826\,129$.
We want to find $x$ such that $x^2 \equiv 2865 \pmod p$. The Shanks-Tonelli algorithm gives $x = 203\,744\,876\,602\,447\,660\,339\,212\,047\,901\,408\,164$.
We could verify that this is the correct solution using the modular exponentiation method described above, but since we are only computing $x^2 \pmod p$ we can compute this directly, showing that $x^2 \equiv 2865 \pmod p$.
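Sections 2.5 to 2.7 as one added Python example (not the thesis's Mathematica code): the binary exponentiation of Section 2.5, Euler's criterion from Section 2.6 and the Shanks-Tonelli square root of Section 2.7. Because $97 - 1 = 2^5 \cdot 3$, the modulus of Example 4 exercises the full Shanks-Tonelli loop rather than a shortcut; the 36-digit $p$ and $x$ of Example 5 are only re-checked by direct squaring, as the text does.

```python
# Added example (not the thesis's Mathematica implementation): modular
# exponentiation (Section 2.5), Euler's criterion (Section 2.6) and the
# Shanks-Tonelli square root (Section 2.7).

def mod_pow(a, n, p):
    """a^n mod p by the binary method of Section 2.5.

    ak holds a^(2^k); whenever bit k of n is set, x is multiplied by ak.
    Every product has two factors below p, so nothing exceeds p^2.
    """
    x, ak = 1, a % p
    while n:
        if n & 1:
            x = x * ak % p
        ak = ak * ak % p            # a_{2k} = a_k * a_k
        n >>= 1
    return x


def euler_criterion(a, p):
    """a^((p-1)/2) mod p for an odd prime p: 1 for a quadratic residue,
    -1 for a nonresidue, 0 when p divides a (Section 2.6)."""
    r = mod_pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def shanks_tonelli(a, p):
    """Square root of a modulo an odd prime p (Section 2.7), or None when a
    is a nonresidue.  Writes p - 1 = q * 2^s and corrects the first guess
    a^((q+1)/2) with powers of a nonresidue z until the cofactor t is 1."""
    a %= p
    if a == 0:
        return 0
    if euler_criterion(a, p) != 1:
        return None
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    z = 2
    while euler_criterion(z, p) != -1:      # any quadratic nonresidue will do
        z += 1
    m, c = s, mod_pow(z, q, p)              # c generates the 2-power part
    t, r = mod_pow(a, q, p), mod_pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t                        # least i with t^(2^i) = 1
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
        b = mod_pow(c, 1 << (m - i - 1), p)
        m, c = i, b * b % p
        t, r = t * c % p, r * b % p
    return r


# Example 5 of the thesis: the reported p and root x; checked by squaring only.
P5 = 360027784083079948259017962255826129
X5 = 203744876602447660339212047901408164

def example5_holds():
    return pow(X5, 2, P5) == 2865


if __name__ == "__main__":
    print("11^37 mod 97 =", mod_pow(11, 37, 97))          # 48, as in Example 4
    print("sqrt(24) mod 97 =", shanks_tonelli(24, 97))    # 11 or 86, since 11^2 = 24 (mod 97)
    print("2 a residue mod 5?", euler_criterion(2, 5))    # -1: k = 97 mod 5 is a nonresidue
    print("Example 5 holds:", example5_holds())
```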
2.8 The Chinese Remainder Theorem
The Chinese Remainder Theorem provides a method to compute the smallest positive integer satisfying a set of congruences. It first appeared as a method of solution to a particular modular congruence problem in a third-century book by the Chinese mathematician Sun Tzu [4] § 4.5. In Schoof's algorithm, we compute $t_i \equiv t \pmod{l_i}$ for a set of small primes $l_i$, where $t$ satisfies $\#E(\mathbb{F}_p) = p + 1 - t$. The Chinese Remainder Theorem allows us to recover $t$ from this set of congruences, thus determining the order of the group. We are given the following information, for the unknown $z < N$: $r_i \equiv z \pmod{n_i}$ for $i = 1, 2, \ldots, k$, where $N = n_1 n_2 \cdots n_k$ and $\gcd(n_i, n_j) = 1$ when $i \ne j$, so that $N$ is also the least common multiple of the $\{n_i\}$
2, we need to make use of what are called the division polynomials for $E : y^2 = x^3 + a x + b$. These are polynomials which go to zero on points of a particular order. We define $E[n]$ as the set of $n$-torsion points of an elliptic curve $E : y^2 = x^3 + a x + b$, that is, the set of points in $E(\overline{\mathbb{F}}_p)$ with order dividing $n$, so that $E[n] = \{P \in E(\overline{\mathbb{F}}_p) \mid nP = \mathcal{O}\}$. Note that this set includes points with coordinates in $\overline{\mathbb{F}}_p$, the algebraic closure of $\mathbb{F}_p$. With this definition the division polynomials $\psi_n$ of an elliptic curve $E$ are elements of $\mathbb{F}_p[x, y]$ with the property that $\psi_n(x, y) = 0$ if and only if $(x, y) \in E[n]$. These polynomials are defined recursively as follows.
$\psi_0 = 0,\quad \psi_1 = 1,\quad \psi_2 = 2y,\quad \psi_3 = 3x^4 + 6 a x^2 + 12 b x - a^2,$
$\psi_4 = 4y\left(x^6 + 5 a x^4 + 20 b x^3 - 5 a^2 x^2 - 4 a b x - 8 b^2 - a^3\right),$
$\psi_{2n} = \frac{\psi_n\left(\psi_{n+2}\psi_{n-1}^2 - \psi_{n-2}\psi_{n+1}^2\right)}{2y}, \quad n \in \mathbb{Z},\ n > 2,$
$\psi_{2n+1} = \psi_{n+2}\psi_n^3 - \psi_{n-1}\psi_{n+1}^3, \quad n \in \mathbb{Z},\ n > 1.$
Let's see why $\psi_3$ is the correct polynomial. First, if $P = (x, y) \in E[3]$ then $3P = \mathcal{O}$, which means that $2P = -P$, hence the x-coordinates of $2P$ and $-P$ must be the same. Using Equations (11, 12) to compute $2P$ we find
$x = \lambda^2 - 2x = \frac{(3x^2 + A)^2}{4y^2} - 2x,$
so that $(3x)(4y^2) = 9x^4 + 6 A x^2 + A^2$.
But $y^2 = x^3 + A x + B$ so that $12\left(x^4 + A x^2 + B x\right) = 9x^4 + 6 A x^2 + A^2$. Collecting terms gives $3x^4 + 6 A x^2 + 12 B x - A^2 = \psi_3$.
So if $\psi_3 = 0$ then $2P = \pm P$, meaning that $P = \mathcal{O}$ or $P$ is a point of order 3. In either case $P \in E[3]$. The division polynomials are polynomials in $x, y$. Using the elliptic curve equation we can replace $y^2$ with $x^3 + A x + B$. More generally we can replace $y^{2k}$ with $\left(x^3 + A x + B\right)^k$. This allows us to express the division polynomials as elements of $\mathbb{F}_p[x]$ or $y\,\mathbb{F}_p[x]$, so that no power of $y$ greater than 1 will appear.
It can be further proved that we can produce polynomials in $\mathbb{F}_p[x]$ with the following replacements.
$f_n(x) = \begin{cases} \psi_n(x, y) & \text{if } n \text{ is odd} \\ \psi_n(x, y)/y & \text{if } n \text{ is even} \end{cases}$
These polynomials, by definition, also have the property that $f_n(x) = 0$ if and only if $x$ is the x-coordinate of a point of order $n$.
5.4 How many division polynomials?
How many division polynomials will we need for the execution of Schoof's algorithm? As noted in the outline of Schoof's algorithm in chapter 4, we need to test Equation (15) for a set of primes $l_i$ such that the product of these primes is greater than $4\sqrt{p}$. The function ComputePrimeSet determines this set. If the cardinality of $\{l_i\} = k$, then $\psi_{k+2}$ is the highest order division polynomial required.
What is the relationship between $k$ and $p$? Figure 4 contains a plot of $\log_{10} p$ vs. $k$, which indicates that $k$ grows approximately logarithmically with $p$. The horizontal axis is the number of primes $k$, the vertical axis is the number of decimal digits in $p$, the size of $\mathbb{F}_p$. A statistical fit of this data gives the approximate relationship
$\log_{10} p = 0.012\,k^2 + 3.34\,k - 15.98$ for $k > 10$.
Given that we wish to apply Schoof's algorithm to an elliptic curve over $\mathbb{F}_p$ we could use this graph to estimate the number of small primes $k$ that would be required.
Figure 4 - Number of digits in p vs. number of small primes.
Example 9 - Computation of the Division Polynomials
For our example $E : y^2 = x^3 + 46 x + 74$ over $\mathbb{F}_{97}$, we first compute the set of small primes whose product is greater than $4\sqrt{97}$, such that $p \not\equiv 1 \pmod{l_i}$ for $l_i > 2$. The necessary primes are 2, 5, 7, whose product is $70 > 4\sqrt{97}$. Then $p \equiv 2 \pmod 5$ and $p \equiv 6 \pmod 7$. Therefore we will need division polynomials up to and including $\psi_9$, so we compute these at this time. Note that the odd numbered polynomials, such as $\psi_1, \psi_3, \ldots$, are polynomials in $x$ only, while the even numbered polynomials are polynomials in $x$ multiplied by $y$. More precisely $\psi_{2n+1} \in \mathbb{F}_p[x]$ and $\psi_{2n} \in y\,\mathbb{F}_p[x]$.
For our sample curve we find that the first five division polynomials are
$\psi_1(x, y) = 1,\quad \psi_2(x, y) = 2y,\quad \psi_3(x, y) = 18 + 15x + 82x^2 + 3x^4,$
$\psi_4(x, y) = \left(61 + 50x + 69x^2 + 3x^3 + 47x^4 + 4x^6\right) y,$
$\psi_5(x, y) = 23 + 67x + 11x^2 + 38x^3 + 77x^4 + 43x^5 + 93x^6 + 26x^7 + 47x^8 + 87x^9 + 39x^{10} + 5x^{12}.$
With $E : y^2 = x^3 + 46 x + 74$ over $\mathbb{F}_{97}$ we have that $(4, 15)$ is a point of order 4. Then we must have $f_n(4) = 0$ if and only if $4 \mid n$. To check the function ComputeDivisionPolynomials we calculate $f_n(4)$ for $2 \le n \le 8$, giving
$f_2(4) = 2,\ f_3(4) = 24,\ f_4(4) = 0,\ f_5(4) = 47,\ f_6(4) = 25,\ f_7(4) = 22,\ f_8(4) = 0,$
as expected, since $(4, 15) \in E[4]$ and $E[4] \subset E[8]$. Similarly the point $(90, 31)$ is of order 5 and we find
$f_2(90) = 2,\ f_3(90) = 76,\ f_4(90) = 14,\ f_5(90) = 0,\ f_6(90) = 21,\ f_7(90) = 23.$
So the division polynomials are correct, at least for this particular case.
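The division-polynomial recursion and the gcd tests of Sections 5.3, 5.8 and 5.14 (step 1), as an added Python example that is not the thesis's ComputeDivisionPolynomials code. It computes $f_n$ for the curve of Example 9 and then evaluates two of the gcd tests on it: the parity test of step 1 (a nontrivial gcd means a rational root of the cubic, hence a point of order 2, an even group order and an even $t$) and the case-one test $\gcd(p_{16}, f_l)$ for $l = 5$ and $l = 7$, which comes out trivial for this curve, so both primes fall into case two.

```python
# Added example (not the thesis's ComputeDivisionPolynomials): polynomial arithmetic
# over F_p, the x-only division polynomials f_n of Section 5.3, and two of the gcd
# tests built on them, for the thesis's curve E: y^2 = x^3 + 46 x + 74 over F_97.
P, A, B = 97, 46, 74
CUBIC, X = [B, A, 0, 1], [0, 1]   # x^3 + A x + B and x; polynomials are coefficient
                                  # lists, lowest degree first, entries reduced mod P
def trim(f):
    while f and f[-1] == 0:
        f.pop()
    return f

def padd(f, g):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return trim([(a + b) % P for a, b in zip(f, g)])

def psub(f, g):
    return padd(f, [(-c) % P for c in g])

def pmul(f, g):
    out = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % P
    return trim(out)

def pmod(f, m):
    """Remainder of f on division by the nonzero polynomial m."""
    f, inv = f[:], pow(m[-1], -1, P)
    while len(f) >= len(m):
        c, shift = f[-1] * inv % P, len(f) - len(m)
        for i, mi in enumerate(m):
            f[shift + i] = (f[shift + i] - c * mi) % P
        trim(f)
    return f

def pgcd(f, g):
    """Monic gcd; a result of degree 0 means f and g are coprime."""
    while g:
        f, g = g, pmod(f, g)
    inv = pow(f[-1], -1, P)
    return [c * inv % P for c in f]

def ppowmod(f, e, m):
    """f^e mod m by square-and-multiply, the polynomial analogue of Section 2.5."""
    result, base = [1], pmod(f, m)
    while e:
        if e & 1:
            result = pmod(pmul(result, base), m)
        base, e = pmod(pmul(base, base), m), e >> 1
    return result

def peval(f, x):
    return sum(c * pow(x, i, P) for i, c in enumerate(f)) % P

def division_polynomials(nmax):
    """f_0..f_nmax with f_n = psi_n for n odd and psi_n / y for n even.  Tracking which
    factors carry a y, only y^2 = CUBIC and y^4 = CUBIC^2 appear, so f_n stays in F_p[x]."""
    F = [[], [1], [2],
         [(-A * A) % P, 12 * B % P, 6 * A % P, 0, 3],
         [4 * (-8 * B * B - A ** 3) % P, -16 * A * B % P, -20 * A * A % P,
          80 * B % P, 20 * A % P, 0, 4]]
    y4, half = pmul(CUBIC, CUBIC), pow(2, -1, P)
    for n in range(5, nmax + 1):
        m = n // 2
        if n % 2:    # psi_{2m+1} = psi_{m+2} psi_m^3 - psi_{m-1} psi_{m+1}^3
            t1 = pmul(F[m + 2], pmul(F[m], pmul(F[m], F[m])))
            t2 = pmul(F[m - 1], pmul(F[m + 1], pmul(F[m + 1], F[m + 1])))
            if m % 2 == 0:   # the even-index factors (each with a y) sit in t1 ...
                t1 = pmul(y4, t1)
            else:            # ... or in t2; either way they contribute y^4
                t2 = pmul(y4, t2)
            F.append(psub(t1, t2))
        else:        # psi_{2m} = psi_m (psi_{m+2} psi_{m-1}^2 - psi_{m-2} psi_{m+1}^2) / (2y)
            inner = psub(pmul(F[m + 2], pmul(F[m - 1], F[m - 1])),
                         pmul(F[m - 2], pmul(F[m + 1], F[m + 1])))
            F.append([c * half % P for c in pmul(F[m], inner)])
    return F

def trace_parity():
    """Step 1 of Section 5.14: a root of x^3 + A x + B in F_p is a rational point of
    order 2, so #E and t = p + 1 - #E are even exactly when the gcd is nontrivial."""
    g = pgcd(CUBIC, psub(ppowmod(X, P, CUBIC), X))
    return 0 if len(g) > 1 else 1

def case_one_gcd(l, F):
    """gcd(p16, f_l) of Section 5.8 with k = p mod l: degree > 0 means some P in E[l]
    satisfies phi^2 P = +-k P (case one); degree 0 means case two."""
    k, fl = P % l, F[l]
    core = pmul(psub(ppowmod(X, P * P, fl), X), pmul(F[k], F[k]))   # (x^(p^2) - x) f_k^2
    tail = pmul(F[k - 1], F[k + 1])                                  # f_{k-1} f_{k+1}
    p16 = padd(pmul(core, CUBIC), tail) if k % 2 == 0 else padd(core, pmul(tail, CUBIC))
    return pgcd(fl, pmod(p16, fl))

if __name__ == "__main__":
    F = division_polynomials(9)                    # up to psi_9, as Example 9 requires
    print("f_n(4), n=2..8:", [peval(F[n], 4) for n in range(2, 9)])   # zero only at n = 4, 8
    print("t mod 2 =", trace_parity())
    for l in (5, 7):
        print("l =", l, " deg gcd(p16, f_l) =", len(case_one_gcd(l, F)) - 1)
```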
5.5 Computing n P with the Division Polynomials
If $P = (x, y)$ is a point in $E(\overline{\mathbb{F}}_p)$ then
$nP = \left( x - \frac{\psi_{n-1}\psi_{n+1}}{\psi_n^2},\ \frac{\psi_{n+2}\psi_{n-1}^2 - \psi_{n-2}\psi_{n+1}^2}{4y\psi_n^3} \right).$   (22)
It can be shown that multiplication by $n$ is an endomorphism $\mu_n$ of $E(\overline{\mathbb{F}}_p)$. This follows from the fact that $E(\overline{\mathbb{F}}_p)$ is an abelian group, so that $n(P + Q) = nP + nQ$. Since $nP = \mathcal{O}$ if and only if $P \in E[n]$ we have that the kernel of $\mu_n$ is $E[n]$. Further, because $\mu_n$ is expressed as a separable rational polynomial of degree $n^2$, we have that $\#E[n] = \deg(\mu_n) = n^2$. For a proof of (21) see Washington [7] § 9.5. It should be noted that Equation (21) does not provide an efficient way to compute $nP$ for specific points $P$. Rather, it provides the basis of proof for the characteristic equation of the Frobenius (15), one of the key equations used in Schoof's method.
5.6 The Frobenius Endomorphism
Let $\phi_q : E(\overline{\mathbb{F}}_q) \to E(\overline{\mathbb{F}}_q)$ with $\phi_q(x, y) = (x^q, y^q)$, called the Frobenius endomorphism. Since $a^q = a$ for all $a \in \mathbb{F}_q$, this map is the identity for points with coordinates in $\mathbb{F}_q$. Let $(x_1, y_1) \in E(\overline{\mathbb{F}}_q)$; then $y_1^2 = x_1^3 + A x_1 + B$ in $\overline{\mathbb{F}}_q$.
Now $\phi_q(x_1, y_1) = (x_1^q, y_1^q)$. Substituting this into the elliptic curve equation gives
$\left(y_1^q\right)^2 = \left(y_1^2\right)^q = \left(x_1^3 + A x_1 + B\right)^q.$
However, for all $a, b \in \overline{\mathbb{F}}_q$ we have $(a + b)^q = a^q + b^q$ in $\overline{\mathbb{F}}_q$, so that
$\left(y_1^q\right)^2 = \left(x_1^3\right)^q + A^q x_1^q + B^q = \left(x_1^q\right)^3 + A x_1^q + B,$
since $A, B \in \mathbb{F}_q$. Hence $(x_1^q, y_1^q) = \phi_q(x_1, y_1) \in E(\overline{\mathbb{F}}_q)$, so that $\phi_q$ maps a point on the curve to another point on the curve.
Let $P = (x_1, y_1)$, $Q = (x_2, y_2)$ be two points in $E(\overline{\mathbb{F}}_q)$ with $x_1 \ne x_2$; then with $\lambda = (y_2 - y_1)/(x_2 - x_1)$ we have $P + Q = (x_3, y_3)$ with $x_3 = \lambda^2 - x_1 - x_2$, $y_3 = \lambda(x_1 - x_3) - y_1$.
Using the same properties of $q$th powers in $\overline{\mathbb{F}}_q$ we have
$\phi_q(P + Q) = \left(\lambda^{2q} - x_1^q - x_2^q,\ \lambda^q\left(x_1^q - x_3^q\right) - y_1^q\right),$ with $\lambda^q = \left(y_2^q - y_1^q\right)/\left(x_2^q - x_1^q\right)$.
Therefore $\phi_q(P + Q) = \phi_q(P) + \phi_q(Q)$. It can also be shown that this holds for $Q = P$ and $Q = -P$, so that $\phi_q$ is a homomorphism from $E(\overline{\mathbb{F}}_q)$ to $E(\overline{\mathbb{F}}_q)$, hence an endomorphism.
5.7 The Characteristic Equation of the Frobenius
We now proceed to the equation that provides the foundation for Schoof's algorithm. Remember that $E[l]$ is the set of points in $E(\overline{\mathbb{F}}_q)$ whose order divides $l$. First we show that $E[l]$ is a subgroup of $E(\overline{\mathbb{F}}_q)$. Clearly $\mathcal{O} \in E[l]$. If $P, Q \in E[l]$ then, because $E(\overline{\mathbb{F}}_q)$ is abelian, $\mathcal{O} = lP + lQ = l(P + Q)$, so that $P + Q \in E[l]$. Further,
$\mathcal{O} = l\mathcal{O} = l(P + (-P)) = lP + l(-P) = \mathcal{O} + l(-P) = l(-P),$
therefore $-P \in E[l]$. Hence $E[l]$ is a subgroup of $E(\overline{\mathbb{F}}_q)$.
Since $E[l]$ is an abelian group of order $l^2$, it follows from the structure theorem for finite abelian groups that $E[l] \cong \mathbb{Z}_l \oplus \mathbb{Z}_l$. The integer $l$ is a prime, so that $\mathbb{Z}_l$ is a cyclic group generated by any number $1 \le a < l$, and there exist points $\beta_1, \beta_2 \in E[l]$ such that any point in $E[l]$ can be written as a $\mathbb{Z}_l$-linear combination $P = m_1\beta_1 + m_2\beta_2$ with $m_1, m_2 \in \mathbb{Z}_l$. Suppose $\alpha$ is any homomorphism of $E[l]$; then $\alpha(P) \in E[l]$ for all $P \in E[l]$ because $|\alpha(P)|$ divides $|P|$. Then, in particular, $\alpha(\beta_1) = s\beta_1 + t\beta_2$ and $\alpha(\beta_2) = u\beta_1 + v\beta_2$, so that
$\alpha(P) = \alpha(m_1\beta_1 + m_2\beta_2) = m_1\alpha(\beta_1) + m_2\alpha(\beta_2) = m_1 s\beta_1 + m_1 t\beta_2 + m_2 u\beta_1 + m_2 v\beta_2.$
We can express this in matrix form as
$\alpha(P) = \begin{pmatrix} s & t \\ u & v \end{pmatrix} \begin{pmatrix} m_1\beta_1 \\ m_2\beta_2 \end{pmatrix}.$   (23)
In particular, the action of the Frobenius on $E[l]$, denoted $\phi_{q,l}$, can be described by such a $2 \times 2$ matrix. Applied to $E[l]$ we have
$\deg(\phi_q - 1) \equiv \det(\phi_{q,l} - I) = (s - 1)(v - 1) - tu = sv - tu - (s + v) + 1 \pmod l.$
But $sv - ut = \det(\phi_{q,l}) \equiv q \pmod l$ (by Washington [7] Proposition 3.15). Then by Hasse's theorem, using $a$ instead of $t$ to avoid conflicting variable names, we have $\#\ker(\phi_q - 1) = q + 1 - a \equiv q - (s + v) + 1 \pmod l$.
Hence we have the following congruences. First, $a \equiv s + v \pmod l$, the trace of $\phi_{q,l}$. Also $tu \equiv sv - q \pmod l$.
We can now compute $(\phi_{q,l})^2 - a\,(\phi_{q,l}) + q$ using (23), so that
$\begin{pmatrix} s & t \\ u & v \end{pmatrix}^2 - a\begin{pmatrix} s & t \\ u & v \end{pmatrix} + q\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} = \begin{pmatrix} s^2 + tu & st + tv \\ su + uv & tu + v^2 \end{pmatrix} - \begin{pmatrix} as - q & at \\ au & av - q \end{pmatrix} = \begin{pmatrix} s^2 + tu - as + q & st + tv - at \\ su + uv - au & v^2 + tu - av + q \end{pmatrix}.$
Applying the congruences yields
$\equiv \begin{pmatrix} s^2 + sv - q - (s + v)s + q & (s + v)t - (s + v)t \\ (s + v)u - (s + v)u & v^2 + sv - q - (s + v)v + q \end{pmatrix} \equiv \begin{pmatrix} 0 & 0 \\ 0 & 0 \end{pmatrix} \pmod l.$
Therefore $(\phi_{q,l})^2 - a\,(\phi_{q,l}) + q \equiv 0 \pmod l$ for all $l$ such that $\gcd(l, q) = 1$. Since there are an infinite number of choices for such $l$, the kernel of $\phi_q^2 + q - a\phi_q$ is not finite, hence, as stated in Equation (15), $\phi_q^2 + q - a\phi_q = 0$ for all $P \in E(\overline{\mathbb{F}}_q)$.
In particular, if $P \in E[l]$ then $\phi_q^2 + k \equiv \tau\phi_q \pmod l$ where $k \equiv q \pmod l$ and $\tau \equiv a \pmod l$. So for a particular point $P = (x, y) \in E[l]$ it must be true that
$\left(x^{q^2}, y^{q^2}\right) + k(x, y) \equiv \tau(x^q, y^q) \pmod l,$   (24)
where addition is performed in $E(\overline{\mathbb{F}}_q)$ using (9) through (12), and scalar point multiplication is performed using the division polynomials as in Equation (22). We can simplify the computation of (24) further by noting that if $(x, y) \in E[l]$ then the division polynomial $\psi_l(x, y) = 0$, so we can reduce (24) mod $\psi_l$ without changing the set of points which satisfy the equation.
5.8 Schoof's Algorithm: Case One
In order to use Equation (24) we must first test if $\phi_l^2 P = \pm kP$ for some $P \in E[l]$. We can determine this by computing the test condition for the x-coordinate using Schoof (16):
$x^{p^2} \equiv x - \frac{\psi_{k-1}\psi_{k+1}}{\psi_k^2} \pmod{f_l, p}.$
This is true if and only if $p_{16}(x, y) = \left(x^{p^2} - x\right)\psi_k^2 + \psi_{k-1}\psi_{k+1} \equiv 0 \pmod{f_l, p}$.
For $k$ even, $\psi_k = y f_k$ and since $y^2 = x^3 + a x + b$ we obtain $p_{16}(x) = \left(x^{p^2} - x\right) f_k^2(x)\left(x^3 + a x + b\right) + f_{k-1}(x) f_{k+1}(x)$.
For $k$ odd, $\psi_{k-1} = y f_{k-1}$ and $\psi_{k+1} = y f_{k+1}$ so that $p_{16}(x) = \left(x^{p^2} - x\right) f_k^2(x) + f_{k-1}(x) f_{k+1}(x)\left(x^3 + a x + b\right)$.
Notice that $p_{16}(x, y)$ is a polynomial in $x$ only. Hence if $\gcd(p_{16}(x), f_l(x)) \ne 1$ then some point $P$ exists in $E[l]$ which satisfies $\phi_l^2 P = \pm kP$, so we are in case 1. Otherwise we must proceed to case 2, where we test equation (24) for various values of $\tau$.
5.9 Schoof Equation (17)
Given that $\phi_l^2 P = \pm kP$ for some $P \in E[l]$, then $t \in \{0, -2w, 2w\}$ where $w^2 \equiv k \pmod l$. This is shown as follows. Suppose $\phi_l^2 P = kP$; then, by equation (24), we have $2k \equiv t\phi_l$. Squaring both sides gives $4k^2 = t^2\phi_l^2 = t^2 k$, so that $4k = t^2$; then we must have that $k$ is a quadratic residue. If so, find $w$ such that $w^2 \equiv k \pmod l$; then $4w^2 = t^2$ so that $t = \pm 2w$. Now we can compute $(\phi_l - w)(\phi_l + w) = \phi_l^2 - k = 0$, so $\phi_l P = \pm wP$.
If $k$ is not a quadratic residue, we cannot be in this case, hence $\phi_l^2 P = -kP$ so that $\phi_l^2 P + kP = 0 = t\phi_l P$ for all $P \in E[l]$, so that $t \equiv 0 \pmod l$.
We can test if $\phi_l P = \pm wP$ using the point multiplication formula (22) again, yielding for the x-coordinate the test
$x^p \equiv x - \frac{\psi_{w-1}\psi_{w+1}}{\psi_w^2} \pmod{f_l, p}.$
Multiplying through by $\psi_w^2$ produces Schoof equation (17), $p_{17}(x, y) = (x^p - x)\psi_w^2 + \psi_{w-1}\psi_{w+1}$.
For $w$ even or odd this can be reduced to a polynomial in $x$ only, as in
$p_{17}(x) = (x^p - x) f_w^2(x)\left(x^3 + a x + b\right) + f_{w-1}(x) f_{w+1}(x)$ for $w$ even,
$p_{17}(x) = (x^p - x) f_w^2(x) + f_{w-1}(x) f_{w+1}(x)\left(x^3 + a x + b\right)$ for $w$ odd.
If $\gcd(p_{17}(x), f_l(x)) = 1$ then we must have $\phi_l^2 P = -kP$ so that $t \equiv 0 \pmod l$. Otherwise $t \equiv \pm 2w \pmod l$ and we test the y-coordinate of $\phi_l P = \pm wP$ to determine the sign.
5.10 Schoof Equation (18)
After we know that $\phi_l P = \pm wP$ we need to test the y-coordinate of $\phi_l P = wP$. Equation (22) gives for the y-coordinate
$y^p \equiv \frac{\psi_{w+2}\psi_{w-1}^2 - \psi_{w-2}\psi_{w+1}^2}{4y\psi_w^3} \pmod{\psi_l, p}.$
Multiplying through by the denominator of the right hand side and collecting terms gives
$p_{18}(x, y) = 4\psi_w^3 y^{p+1} - \psi_{w+2}\psi_{w-1}^2 + \psi_{w-2}\psi_{w+1}^2.$
For $w$ even: $p_{18}(x) = 4\left(y^2\right)^{(p+3)/2} f_w^3(x) - f_{w+2}(x) f_{w-1}^2(x) + f_{w-2}(x) f_{w+1}^2(x).$
For $w$ odd: $p_{18}(x) = 4\left(y^2\right)^{(p-1)/2} f_w^3(x) - f_{w+2}(x) f_{w-1}^2(x) + f_{w-2}(x) f_{w+1}^2(x).$
Notice that $p_{18}(x)$ is also a polynomial in $x$ only, since all exponents of $y$ are even. If $\gcd(p_{18}(x), f_l(x)) = 1$ then there is no $P \in E[l]$ for which $\phi_l P = wP$, so $t \equiv -2w \pmod l$, else such a point exists and $t \equiv 2w \pmod l$. This completes the equations required to test for case 1.
5.11 Schoof's Algorithm: Case Two
If there is no $P \in E[l]$ such that $\phi_l^2 P = \pm kP$ then we are in case 2, so we need to test for each $\tau \in (\mathbb{Z}/l\mathbb{Z})^\times$ if there exists $P \in E[l]$ such that (24) holds. In order to perform this test we apply addition formulas (5), (9) and (10) to compute polynomials representing $\left(x^{p^2}, y^{p^2}\right) + k(x, y)$, where $k(x, y)$ is computed using the division polynomials and equation (22). Since we are in case 2 we know that $x_1 \ne x_2$, so we can compute $\lambda = (y_2 - y_1)/(x_2 - x_1)$. We find
$y_2 - y_1 = \frac{\psi_{k+2}\psi_{k-1}^2 - \psi_{k-2}\psi_{k+1}^2}{4y\psi_k^3} - y^{p^2}, \qquad x_2 - x_1 = x - \frac{\psi_{k-1}\psi_{k+1}}{\psi_k^2} - x^{p^2}.$
So then
$\lambda = \frac{y_2 - y_1}{x_2 - x_1} = \frac{\psi_{k+2}\psi_{k-1}^2 - \psi_{k-2}\psi_{k+1}^2 - 4\psi_k^3 y^{p^2+1}}{4y\psi_k\left(-\psi_{k-1}\psi_{k+1} - \psi_k^2\left(x^{p^2} - x\right)\right)}.$
Put $\lambda = \alpha/\beta$; then
$\alpha = \psi_{k+2}\psi_{k-1}^2 - \psi_{k-2}\psi_{k+1}^2 - 4\psi_k^3 y^{p^2+1}$ and $\beta = 4y\psi_k\left(\psi_k^2\left(x - x^{p^2}\right) - \psi_{k-1}\psi_{k+1}\right).$
For $k$ even we have
$\alpha = y\left(f_{k+2}f_{k-1}^2 - f_{k-2}f_{k+1}^2 - 4f_k^3 y^{p^2+3}\right)$ and $\beta = 4y^2 f_k\left(y^2 f_k^2\left(x - x^{p^2}\right) - f_{k-1}f_{k+1}\right).$
Otherwise, for $k$ odd,
$\alpha = y^2\left(f_{k+2}f_{k-1}^2 - f_{k-2}f_{k+1}^2\right) - 4f_k^3 y^{p^2+1}$ and $\beta = y\left(4f_k\left(f_k^2\left(x - x^{p^2}\right) - y^2 f_{k-1}f_{k+1}\right)\right).$
We use these equations for $\alpha$ and $\beta$ to formulate the tests of Schoof equations (19).
5.12 Schoof Equation (19x)
Using the equations we just derived for $\lambda = \alpha/\beta$ we can now compute the addition of points using equation (22), so that if $(x_3, y_3) = \left(x^{p^2}, y^{p^2}\right) + k(x, y)$ then $x_3$ is given by
$x_3 = \lambda^2 - x_1 - x_2 = \frac{\alpha^2}{\beta^2} - \left(x^{p^2} + x\right) + \frac{\psi_{k-1}\psi_{k+1}}{\psi_k^2}.$
Also $y_3$ is given by
$y_3 = \lambda\left(2x_1 + x_2 - \lambda^2\right) - y_1 = \frac{\alpha}{\beta}\left(2x^{p^2} + x - \frac{\psi_{k-1}\psi_{k+1}}{\psi_k^2}\right) - \frac{\alpha^3}{\beta^3} - y^{p^2}.$
Further, since $\psi_n(x^p, y^p) = \psi_n(x, y)^p$ we have
$\tau(x^p, y^p) = \left( \left(x - \frac{\psi_{\tau-1}\psi_{\tau+1}}{\psi_\tau^2}\right)^p,\ \left(\frac{\psi_{\tau+2}\psi_{\tau-1}^2 - \psi_{\tau-2}\psi_{\tau+1}^2}{4y\psi_\tau^3}\right)^p \right).$
Then (24) holds if and only if (for the x-coordinate)
$\frac{\alpha^2}{\beta^2} - \left(x^{p^2} + x\right) + \frac{\psi_{k-1}\psi_{k+1}}{\psi_k^2} = \left(x - \frac{\psi_{\tau-1}\psi_{\tau+1}}{\psi_\tau^2}\right)^p.$
Expanding and clearing the (nonzero) denominators gives
$\psi_\tau^{2p}\left(\alpha^2\psi_k^2 - \beta^2\psi_k^2\left(x^{p^2} + x\right) + \beta^2\psi_{k-1}\psi_{k+1}\right) = \psi_k^2\beta^2\left(\psi_\tau^{2p} x^p - \left(\psi_{\tau-1}\psi_{\tau+1}\right)^p\right).$
Bringing everything to the left hand side we have
$p_{19x}(x, y) = \psi_\tau^{2p}\left(\beta^2\left(\psi_{k-1}\psi_{k+1} - \psi_k^2\left(x^{p^2} + x^p + x\right)\right) + \alpha^2\psi_k^2\right) + \psi_k^2\beta^2\left(\psi_{\tau-1}\psi_{\tau+1}\right)^p = 0,$
which is Schoof equation (19) for the x-coordinate. Since we are testing this equation for points in $E[l]$ we perform all of the polynomial arithmetic modulo $\psi_l$. Now there exists a point in $E[l]$ satisfying $p_{19x}$ if and only if $\gcd(p_{19x}, f_l) \ne 1$. If such a point exists, then $t \equiv \pm\tau \pmod l$. We use Schoof equation (19y), explained in the next section, to determine the sign of $\tau$.
5.13 Schoof Equation (19y)
Once we know that there exists $(x, y) \in E[l]$ such that $\left(x^{p^2}, y^{p^2}\right) + k(x, y) = \pm\tau(x^p, y^p)$, we must test the y-coordinate to determine the sign of $\tau$. We have from the previous section
$y_3 = \frac{\alpha}{\beta}\left(2x^{p^2} + x - \frac{\psi_{k-1}\psi_{k+1}}{\psi_k^2}\right) - \frac{\alpha^3}{\beta^3} - y^{p^2}.$
Then if (24) holds for the y-coordinate we have
$\frac{\alpha}{\beta}\left(2x^{p^2} + x - \frac{\psi_{k-1}\psi_{k+1}}{\psi_k^2}\right) - \frac{\alpha^3}{\beta^3} - y^{p^2} = \left(\frac{\psi_{\tau+2}\psi_{\tau-1}^2 - \psi_{\tau-2}\psi_{\tau+1}^2}{4y\psi_\tau^3}\right)^p.$
Multiplying through by $\beta^3\psi_k^2 \cdot 4y^p\psi_\tau^{3p}$ to clear the denominators we have
$4y^p\psi_\tau^{3p}\left(\alpha\beta^2\left(\psi_k^2\left(2x^{p^2} + x\right) - \psi_{k-1}\psi_{k+1}\right) - \psi_k^2\left(\alpha^3 + \beta^3 y^{p^2}\right)\right) = \beta^3\psi_k^2\left(\psi_{\tau+2}\psi_{\tau-1}^2 - \psi_{\tau-2}\psi_{\tau+1}^2\right)^p.$
Rearranging gives for Schoof (19y) (corrected)
$p_{19y}(x, y) = 4f_\tau^{3p} y^p\left(\left(\left(2x^{p^2} + x\right)\alpha\beta^2 - \beta^3 y^{p^2} - \alpha^3\right)f_k^2 - \alpha\beta^2 f_{k-1}f_{k+1}\right) - \beta^3 f_k^2\left(f_{\tau-1}^2 f_{\tau+2} - f_{\tau-2}f_{\tau+1}^2\right)^p.$
For $k$ even, $\tau$ even, we must take $\alpha \to y\alpha$ so that
$p_{19y}(x) = 4f_\tau^{3p} y^{3p-1}\left(\left(\left(2x^{p^2} + x\right)\alpha\beta^2 - \beta^3 y^{p^2-1} - y^2\alpha^3\right)y^2 f_k^2 - \alpha\beta^2 f_{k-1}f_{k+1}\right) - \beta^3 f_k^2\left(f_{\tau-1}^2 f_{\tau+2} - f_{\tau-2}f_{\tau+1}^2\right)^p.$
For $k$ even, $\tau$ odd,
$p_{19y}(x) = 4f_\tau^{3p}\left(\left(\left(2x^{p^2} + x\right)\alpha\beta^2 - \beta^3 y^{p^2-1} - \alpha^3 y^2\right)y^2 f_k^2 - \alpha\beta^2 f_{k-1}f_{k+1}\right) - \beta^3 f_k^2\, y^{p+1}\left(f_{\tau-1}^2 f_{\tau+2} - f_{\tau-2}f_{\tau+1}^2\right)^p.$
For $k$ odd, $\tau$ even, we must take $\beta \to y\beta$ so that
$p_{19y}(x) = 4f_\tau^{3p} y^{3p-3}\left(\left(\left(2x^{p^2} + x\right)\alpha y^2\beta^2 - \beta^3 y^{p^2+3} - \alpha^3\right)f_k^2 - \alpha y^2\beta^2 f_{k-1}f_{k+1}\right) - \beta^3 f_k^2\left(f_{\tau-1}^2 f_{\tau+2} - f_{\tau-2}f_{\tau+1}^2\right)^p.$
For $k$ odd, $\tau$ odd,
$p_{19y}(x) = 4f_\tau^{3p}\left(\left(\left(2x^{p^2} + x\right)\alpha y^2\beta^2 - \beta^3 y^{p^2+3} - \alpha^3\right)f_k^2 - \alpha y^2\beta^2 f_{k-1}f_{k+1}\right) - \beta^3 f_k^2\, y^{p+3}\left(f_{\tau-1}^2 f_{\tau+2} - f_{\tau-2}f_{\tau+1}^2\right)^p.$
Now if $\gcd(p_{19y}, f_l) \ne 1$ then $E[l]$ has a point satisfying $\phi_l^2 P + kP = \tau\phi P$, so that $t \equiv \tau \pmod l$, else $t \equiv -\tau \pmod l$.
5.14 Schoof's Algorithm Summary
We can now summarize Schoof's algorithm for $E : y^2 = x^3 + a x + b$ over $\mathbb{F}_p$ as follows. By Hasse's theorem we have $\#E(\mathbb{F}_p) = p + 1 - t$.
1. If $\gcd(x^3 + a x + b, x^p - x) = 1$ then $t \equiv 0 \pmod 2$, else $t \equiv 1 \pmod 2$.
2. Create a set of small primes $S = \{l_i\}$ such that $\prod_{i=1}^{L} l_i > 4\sqrt{p}$.
3. Compute the first $l_L + 2$ division polynomials $\psi_k$.
4. For each $l \in S$, compute $k \equiv p \pmod l$.
5. If $\gcd(p_{16}, f_l) \ne 1$ then there exists $P \in E[l]$ such that $\phi_l^2 P = \pm kP$.
6. If $k$ is not a quadratic residue mod $l$, then $t \equiv 0 \pmod l$, else
7. Compute $w$ such that $w^2 \equiv k \pmod l$.
8. If $\gcd(p_{17}, f_l) = 1$ then $t \equiv 0 \pmod l$, else
9. If $\gcd(p_{18}, f_l) \ne 1$ then $t \equiv 2w \pmod l$, else $t \equiv -2w \pmod l$.
10. Else we are in case two.
11. For each $\tau \le (l + 1)/2$
12. If $\gcd(p_{19x}, f_l) \ne 1$ then $\phi_p^2 + k \equiv \pm\tau\phi_p \pmod l$
13. for some point in $E[l]$, so we test
14. If $\gcd(p_{19y}, f_l) \ne 1$ then $t \equiv \tau \pmod l$, else $t \equiv -\tau \pmod l$.
15. Next $\tau$.
16. Next $l$.
17. At this point we have computed $t \pmod{l_i}$ for all $l_i \in S$,
18. so we use the Chinese Remainder Theorem to compute $T \equiv t \pmod N$
19. where $N = \prod_{i=1}^{L} l_i$.
20. If $T$ is within Hasse's bounds then $t = T$, else $t \equiv -T \pmod N$, and
21. $\#E(\mathbb{F}_p) = p + 1 - t$.
This completes the description of Schoof's algorithm.
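Steps 2 and 17 to 21 of the summary as an added Python example (not the thesis's ComputePrimeSet or Chinese Remainder Theorem code): selecting the small primes as in Example 9, recombining the residues $t \bmod l_i$, and choosing the representative inside Hasse's bound, which is taken to be $T - N$ when $T$ itself lies outside the bound. The residue sets in the main block are constructed to show both branches; they are not results quoted from the thesis.

```python
# Added example (not the thesis's code): steps 2 and 17-21 of Section 5.14 for
# E over F_p: choose the small primes, recombine the residues t mod l_i by the
# Chinese Remainder Theorem, and pick the representative with |t| <= 2 sqrt(p).

def is_prime(n):
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def compute_prime_set(p):
    """Primes l_1 < l_2 < ... with product > 4 sqrt(p), skipping l = p and,
    as in Example 9, odd l with p = 1 (mod l)."""
    S, prod, l = [], 1, 2
    while prod * prod <= 16 * p:          # prod > 4 sqrt(p)  <=>  prod^2 > 16 p
        if is_prime(l) and l != p and (l == 2 or p % l != 1):
            S.append(l)
            prod *= l
        l += 1
    return S


def crt(residues, moduli):
    """Smallest non-negative T with T = r_i (mod n_i) for pairwise coprime
    moduli n_i (Section 2.8); returns (T, N) with N the product of the n_i."""
    N = 1
    for n in moduli:
        N *= n
    T = 0
    for r, n in zip(residues, moduli):
        Ni = N // n
        T = (T + r * Ni * pow(Ni, -1, n)) % N
    return T, N


def trace_and_order(p, residues, moduli):
    """Steps 18-21: t is the unique integer with t = T (mod N) and t^2 <= 4p
    (N > 4 sqrt(p) makes it unique); #E(F_p) = p + 1 - t."""
    T, N = crt(residues, moduli)
    t = T if T * T <= 4 * p else T - N
    return t, p + 1 - t


if __name__ == "__main__":
    p = 97
    S = compute_prime_set(p)                  # [2, 5, 7], product 70 > 4 sqrt(97)
    print("primes:", S, "-> division polynomials up to psi_%d" % (max(S) + 2))
    # Constructed residues (not results quoted from the thesis): the first set
    # recombines inside Hasse's bound, the second wraps to a negative trace.
    print(trace_and_order(p, [0, 3, 4], S))   # (18, 80)
    print(trace_and_order(p, [0, 3, 5], S))   # (-2, 100)
```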
Chapter 6 - Results of Running Schoof's Algorithm
This chapter contains the results of running our implementation of Schoof's algorithm for several different elliptic curves. We present detailed results for one particular curve and then summarize the results for other curves in table 1. We conclude this section with a discussion of lessons learned from these experiments.
6.1 A Detailed Example
For our example curve $E : y^2 = x^3 + 46 x + 74$ over $\mathbb{F}_{97}$, Schoof's algorithm produces the following results. First, since $\lceil 4\sqrt{p}\,\rceil = 40$, we need a product of small primes at least this large, so the algorithm selects the primes $\{2, 5, 7\}$