AN EXPOSITION OF SCHOOF S ALGORITHM

Transcription

1 AN EXPOSITION OF SCHOOF S ALGORITHM ALEJANDRA ALVARADO ARIZONA STATE UNIVERSITY Abstract. Elliptic curves have a number of important applications in different areas, including cryptography. In particular, it is often important that curves have a large number of points over a given finite field, or at least that the number of points only admit certain types of prime factors. Given a (perhaps randomly chosen) elliptic curve, there are many ways to either count the points or at least obtain information about the number of points, and finding algorithms that do this efficiently is still an area of research. Here we will describe one such method, Schoof s algorithm, along with a Pari/GP implementation, and compare its running time with brute force search. Contents 1. Introduction 1 2. An Analogy of Schoof: the Chinese Remainder Theorem 3 3. Background definitions and theorems 3 4. Schoof s Algorithm 4 5. Improvements on Schoof s Algorithm 7 6. An example in PARI 8 References Introduction Consider an elliptic curve, such as given by the Weierstrass equation y 2 = x 3 x + 1. Although one could consider the locus of real-valued solutions to this equation, which leads to the familiar pictures of elliptic curves, one can instead consider solutions (x, y) defined over a given finite field F q. Together with the point at infinity as identity element, these solutions form a finite abelian group. By varying both the finite field and the elliptic curve defined over that finite field, we thus have a source of possibly interesting finite groups; these groups in turn can be used in various applications, from primality testing to factoring to various cryptosystems. In the applications, it is important to ideally know the order of the finite group; or, at a minimum, to know some information about that order, such as knowing the order does not admit small prime factors. Determining the order of the group is equivalent to the point counting problem, the problem of determining the number of points on the given curve. Date: March 15,

2 2 ALEJANDRA ALVARADO ARIZONA STATE UNIVERSITY P P 1 P 2 P 3 Figure 1. Addition of Points on an Elliptic Curve Since we are working over a finite field, there is a simple brute force algorithm for counting the points on the elliptic curve y 2 = f(x): for each x F q, determine whether the number f(x) F q is zero (one point), a nonzero square (two points), or a nonsquare (no points); add up all the points, and include the point at infinity. The running time of this algorithm depends partly on how hard it is to determine whether an element of F q is a square. Although better algorithms exist, let s just consider a brute force algorithm for that as well: given f(x) F q, for each y F q we ask whether y 2 = f(x)? It takes log q bits to represent numbers in F q, and about n 2 bit operations to multiply two numbers of bitsize n. Therefore, it takes q(log q) 2 bit operations to brute force test whether f(x) is a square, and it takes O((log q) 2 ) operations to evaluate f(x) itself, leading to about O(q ((log q) 2 ) q(log q) 2 ) operations overall. In summary, counting points on y 2 = f(x) over F q by brute force is at worst a O(q 2 (log q) 4 ) algorithm. An algorithm is theoretically better if its big-oh running time is better. An algorithm is better in practice at a particular time in human history if, on the size problems being run on the computers in use at that time, the algorithm is preferred because of some subjective combination of either running faster, or using less memory, or being easier to implement [4]. For point counting on elliptic curves, in addition to brute force, some of the algorithms in use today are Baby Step/Giant Step and Cornacchia s algorithm [7]. In 1985, René Schoof presented the algorithm which we will be discussing in this paper [8]. In this paper, we will describe this algorithm, including an implementation in Pari/GP. Schoof s algorithm was subsequently refined by Atkin and Elkies, and we will briefly touch on this towards the end [1].

3 AN EXPOSITION OF SCHOOF S ALGORITHM 3 2. An Analogy of Schoof: the Chinese Remainder Theorem Consider the following example. Suppose we want to determine x (mod 46013) given x 8 (mod 11), x 3 (mod 47) and x 28 (mod 89). To solve this problem, we refer to the following theorem and algorithm. Theorem 1 (Chinese Remainder Theorem). Let a 1, a 2,..., a t be any t integers and m 1, m 2,..., m t integers such that gcd(m i, m j ) = 1 whenever i j. Then there exists a unique solution a (mod m 1 m t ) with the property that a a i (mod m i ) for i = 1, 2,..., t. Chinese Remainder Algorithm (Sun Zi) Given the above congruences, we first compute values for s 1,..., s t satisfying s i 1 (mod m i ), s i 0 (mod m j ) for i j. Then t a = a i s i (mod m 1 m t ) i=1 is the smallest nonnegative solution modulo m 1 m 2 m t. The original Chinese Remainder problem and algorithm was proposed by Sun Zi, a Chinese mathematician, around the first century A.D. [3, p. 14]. Proof for the Chinese Remainder theorem can be found in any standard number theory textbook. Applying the algorithm to our example modulo 46013, we find that x (mod 46013). If, in addition, we are given x 4000, then x = In other words, combining a congruence with a size restriction allows a unique solution to be found. The idea behind Schoof s algorithm is to count the number of points on the curve modulo l, for a certain number of primes l, and then to apply the Chinese Remainder theorem to find the number of points modulo the product of these primes. Finally, using Hasse s bound (see below), we can determine the exact number of points. 3. Background definitions and theorems Before we begin discussing the algorithm, we need some background. We assume the reader is quite familiar with the theory of elliptic curves as presented in [9]. Included in this section are the results we need that do not appear there. We expect the order of E(F q ) to be close to q + 1. The reason is as follows. There are q possibilities for the x coordinates and about half of these are solutions to equation y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6. Of those solutions, we have two choices for y, unless y = 0. Including the point at infinity, we have about q + 1 expected points on E. Let a = q + 1 #E(F q ) be the integer measuring how much #E(F q ) deviates from the expected value. Definition 2. Let E be an elliptic curve defined over F q. endomorphism φ q is defined by φ q (x, y) = (x q, y q ). Then the Frobenius Theorem 3. Let E be an elliptic curve over F q. Let a = q + 1 #E(F q ) as above. Then there exists a unique integer a such that (1) φ 2 q aφ q + q = 0. Furthermore, (2) a Trace(φ q,m ) (mod m) for all m with gcd(m, q) = 1,

4 4 ALEJANDRA ALVARADO ARIZONA STATE UNIVERSITY where φ q,m is the matrix induced by φ q which describes the action of φ q on E[m]. Additionally, det(φ q,m ) q (mod m). Proof. See [10, ch. 4]. The following theorem, due to H. Hasse, gives a nice approximation to the number of points on an elliptic curve over finite fields. Theorem 4 (Hasse). Let E be an elliptic curve over the finite field F q, and let a = q + 1 #E(F q ). Then a 2 q. Proof. See [10, p. 91]. The following theorem is necessary to estimate the running time of Schoof s algorithm. Theorem 5 (Prime Number Theorem). Let π(x) denote the number of primes less x π(x) than x. Then π(x) is asymptotically approximately log x ; precisely, lim x x/ log x = 1. Proof. Omitted, see [5]. The number of primes less than x is O(x/ log x) each with O(log x) binary digits. So the number of binary digits of the product of all these primes is O(x). The number of bit operations to compute the product of all prime numbers less than x is therefore O(x 2 ). 4. Schoof s Algorithm When generating curves for elliptic curve cipher systems, the order of the group of points is important. The main method for generating these curves depends on the point counting problem. We require, at least, for the group to be divisible by a large prime factor. By large we mean at least 160 bits in length [1]. Being able to randomly choose an elliptic curve over large finite fields is important in elliptic curve cryptosystems. The point counting problem, the problem of determining the number of points on this curve, is important. In some elliptic curve cipher systems, the order does not need to be known, but its security depends upon the order having large prime factors. The following algorithm is one technique which has become the basis of most current efficient schemes for counting points on an elliptic curve. Let E be an elliptic curve of the form y 2 = x 3 + Ax + B over the finite field F q where q = p n, p is prime. Assume that the characteristic is not 2 or 3. In [1], the authors also consider curves of the form y 2 + xy = x 3 + a 6 over F 2 n, a 6 0, which we won t do here. By Hasse s Theorem, recall #E(F q ) = q +1 a where a 2 q. Let S be the set of primes, S = {2, 3,..., L} such that the product of all its elements is larger than 4 q, the length of the interval over which a lies in. We will also assume that the characteristic p of F q is not an element in S. The idea behind Schoof s algorithm is to find a mod l for all l S, then use the Chinese Remainder Theorem to determine a, see [8]. I. Suppose l = 2. If x 3 +Ax+B has a root α F q, then (α, 0) is a point of order two. So (α, 0) E[2]. By Lagrange s Theorem, E(F q ) has even order, so q +1 a 0 mod 2, i.e., a 0 mod 2. To determine whether x 3 +Ax+B has a root in E(F q ), consider the equation x q x = 0. Recall the solutions

5 AN EXPOSITION OF SCHOOF S ALGORITHM 5 to the given equation are precisely the elements in F q = {α F q α q = α}. Thus, x 3 + Ax + B has a root in F q if and only if it has a root in common with x q x = 0, i.e., the gcd(x 3 + Ax + B, x q x) 1. Note that if q is very large, we can replace x q with x q x q mod (x 3 + Ax + B). If gcd(x 3 + Ax + B, x q x) = 1, then there is no common root, so a 1 mod 2. II. Suppose l 2. Recall that the division polynomial ψ n is a function of x for n odd, and (x, y) E[n] ψ n (x) = 0. A. Let P = (x, y) E[l], the nontrivial l-torsion points, and let k q (mod l) such that k < l 2. Let φ be the Frobenius endomorphism as discussed in section 3. We will omit the subscript for the remainder of the paper. Then (3) φ 2 aφ + q = 0. In other words, (x q2, y q2 ) + [k](x, y) = [a](x q, y q ). B. Assume φ 2 P [k]p for every P E[l] and denote (x n, y n ) := [n](x, y). We want to determine whether a j exists such that (x q2, y q2 )+ (x k, y k ) = (x q j, yq j ) for some j {1, 2,..., l 1}. This procedure tests if ±j is our required a, since the x coordinates are the same for either sign and the y coordinates may differ by a constant. Since we will only evaluate the x coordinates, we only need to consider j {1, 2,..., l 1 2 } and (x q2, y q2 ) + (x k, y k ) = ±(x q j, yq j ). The addition of points is an endomorphism. So (x q2, y q2 ) + (x k, y k ) = (G 1 (x), yh 1 (x)) for rational functions G 1 and H 1. We also have (x q j, yq j ) = (G 2 (x), yh 2 (x)) since this is just the multiplication by j map. According to the group law, (4) ( ) 2 y q2 y k H 1 (x) = x q2 x k x q2 x k ( ) 2 = y 2 y q2 1 r y,k (x) x q2 x k x q2 x k [(x = (x Ax + B) q2 1 2 r y,k (x) + Ax + B) x q2 x k ]2 x q2 x k, where y k = yr y,k (x) and r y,k (x) is a rational function. Now, (G 1 (x), yh 1 (x)) = ±(G 2 (x), yh 2 (x)) if and only if G 1 (x) = G 2 (x) for a point (x, y) E[l]. Since E[l] Z/lZ Z/lZ, there are l 2 1 nonzero elements and l2 1 2 distinct x coordinates. Recall ψ l has degree l2 1 2, so this is a minimal polynomial whose roots are all the x coordinates of elements in E[l]. Thus, for (x, y) E[l], ψ l G 1 G 2 if and only if G 1 (x) = G 2 (x).

6 6 ALEJANDRA ALVARADO ARIZONA STATE UNIVERSITY (5) Suppose we found j such that (G 1 (x), yh 1 (x)) = (G 2 (x), ±yh 2 (x)), i.e., a ±j mod l. To determine the sign, consider ( ) y q2 y k yh 1 (x) = (x q2 G 1 (x)) y q2 x q2 x k = y (x3 + Ax + b) q2 1 2 r y,k (x) (x q 2 G 1 (x)) yr(x) x q2 x k where y q2 H 2(x) y = yr(x). So H1(x) y is a rational function of x, and similarly, is a rational function of x, as mentioned earlier. If H1 H2 y 0 mod ψ l, then a j mod l. Otherwise, a j mod l. C. Now suppose no such j works. Then there must exist a P E[l] such that φ 2 (P ) = ±[k]p. We now first test as follows. To determine whether such a P exists, we want to check whether the x coordinates are the same, i.e., check whether x q2 = x k holds. Recall x k = x ψ k 1 ψ k+1. In other words, ψk 2 x f k 1(x)f k+1 (x) if k even; x q2 fk = 2(x)(x3 +Ax+B) x f k 1(x)f k+1 (x)(x 3 +Ax+B) fk 2(x) if k odd. By rewriting, without denominators, we have (x q2 x)f 2 k (x)(x3 + Ax + B) + f k 1 (x)f k+1 (x) = 0, k even (x q2 x)f 2 k (x) + f k 1 (x)f k+1 (x)(x 3 + Ax + B) = 0, k odd if and only if φ 2 (P ) = ±[k]p. To determine whether a point P exists with one of the above properties, compute the gcd of the left hand side of the above equation and f l (x). If their gcd is not one, then a nonzero point P exists in E[l]. Otherwise, a 0 mod l and we need to check if there exists a j such that (x q2, y q2 ) + [k](x, y) = [j](x q, y q ). Suppose this P exists. If φ 2 (P ) = +[k]p, then [2k]P = [a]φ(p ). It follows that [ 2k a ]P = φ(p ) for the following reasons. Recall k q (mod l) 0 (mod l) since l p. Notice [2k]P 0 since l 2 and 0 < k < l 2. And since φ(p ) 0, a 0 (mod l). Take φ on both sides, [ 2k a ]φ(p ) = φ2 (P ) [ 4k2 a ]P = [k]p a 2 4k 2 mod l a 2 4q mod l. Thus, q w 2 (mod l). If q is not a square mod l, then we cannot be in this case and so a 0 (mod l). But if q w 2 (mod l), then [(φ + w)(φ w)]p = [φ 2 q]p = O. Either [φ w]p = O or [φ + w]p = O where P = [φ w]p. So φp = ±[w]p for some point P E[l]. Since φ(p ) = [ 2k a ]P, a ±2w mod l. If φp = [w]p, then O = [φ 2 aφ + q]p = [q aw + q]p [2q]P = [aw]p [2w 2 ]P = [aw]p a 2w mod l. Similarly, if φ(p ) = [w]p then a 2w mod l. To check whether we are even in the case φ(p ) = ±[w]p, we need to determine whether or not y q = ±y w. If gcd(numerator(x q x w ), ψ l ) 1,

7 AN EXPOSITION OF SCHOOF S ALGORITHM 7 then such a point exists. To determine the sign, compute the y coordinates as follows. Compute gcd(numerator( yq y w y, ψ l ). If this gcd is not one, a 2w mod l. Otherwise, a 2w mod l. Finally, if gcd(numerator(x q x w ), ψ l ) = 1, then (x q2, y q2 ) = [q](x, y). This implies a 0 mod l since [a]φ(p ) = 0 but φ(p ) 0. Below we give a summary of Schoof s algorithm. Recall E : y 2 = x 3 + Ax + B over F q and we want to determine #E(F q ) = q + 1 a. Let S = {2, 3,..., L}, a set of primes such that the characteristic of the field is not in S and l > 4 q for l S. I. Let l = 2. If gcd(x 3 + Ax + B, x q x) = 1, then a 1 mod 2. Else, a 0 mod 2. II. For each prime l S, l 2, do the following: A. Let k q mod l such that k < l 2. B. For j = 1, 2,..., l 1 2, do the following: i. If numerator(x x q j ) 0 mod ψ l, then: a. If (y y q j )/y 0 mod ψ l, then a j mod l. Else, a j mod l. In either case, go to next l S. ii. Else, go to next j. C. If no j works, do the following: i. Let w 2 q mod l. If w does not exist, then a 0 mod l and go to next l S. Else: a. If gcd(numerator(x q x w ), ψ l ) = 1, then a 0 mod l and go to next l S. Else: b. If gcd(numerator((y q y m )/y), ψ l ) 1, then a 2w mod l. Else, a 2w mod l. In either case, go to next l S. III. Use Chinese Remainder theorem to compute a mod l. We want to find a value of a such that a 2 q. Once we have found a, we can determine #E(F q ) = q + 1 a. Schoof s algorithm is a deterministic algorithm. Let us now determine the running time. The degrees of f l are O(l 2 ) = O(log 2 q). Elements of the ring F q [x, y]/ f l, y 2 x 3 Ax B have size O(l 2 log q) = O(log 3 q). Since most of the computation done in this ring is in finding x q, y q, x q2, y q2, O(log q(log 3 q) 2 ) = O(log 7 q) bit operations are required. By the Prime Number theorem, there are O(log q) primes in S, so the total amount of work involved is O(log 8 q). Thus, Schoof s algorithm is a polynomial time algorithm in log q. Comparing with our earlier estimates for brute force, we see that Schoof s algorithm does better. 5. Improvements on Schoof s Algorithm Improvements have been made on Schoof s algorithm, most notably, by Elkies and Atkins, see [1]. Improvements depend on equation (3), taken modulus l for each l in S, as in Schoof s algorithm. The techniques of Elkies and Atkins depend on the roots of the characteristic equation of the Frobenius map (6) u 2 au + q = 0 mod l. If the discriminant of this equation = a 2 4q is a square modulo l, l is called an Elkies prime, otherwise it is called an Atkins prime. Since a is unknown, this new algorithm uses modular polynomials, as described in [7].

8 8 ALEJANDRA ALVARADO ARIZONA STATE UNIVERSITY Definition 6. Modular polynomials are symmetric polynomials over Z written as Φ n (x, y), where n N and the coefficient of the highest power of x is 1. When n = p, a prime, it can be shown that Φ n (x, y) = x p+1 x p y p + y p+1 plus terms of the form a ij x i y j where i, j p and i + j < 2p. One of the properties of these modular polynomials is the rapid growth of some of its coefficients as n increases. The new algorithm is known as the SEA algorithm. The Elkies portion of the algorithm is O(log 6 q) and the Atkins portion is exponential. This is an improvement on time estimates, compared to O(log 8 q) of Schoof s algorithm. It turns out that using only Elkies primes has some disadvantages. The best approach would be to use a small subset of Atkins primes in the algorithm. 6. An example in PARI Example 7. Consider the curve y 2 = x x + 8 over F 67. By Hasse s theorem, we know 52 #E(F 67 ) 84 and #E(F 67 ) = 68 a, where a is the trace of the Frobenius map. Choose a set of primes S = {2, 3, 5, 7}. We apply Schoof s algorithm for each prime in the set, and we find the following congruences: a 1 mod 2 a 0 mod 3 a 2 mod 5 a 4 mod 7 By the Chinese Remainder theorem, a 207 mod 210. Since a < 2 67 < 33, a = 3 and so #E(F 67 ) = 71. The calculations in this paper have been done in PARI, [6]. The following program was written to calculate the above example. The function elldivpol can be found in [2]. The program works well with primes under 100 and overflows for larger primes. The input is an elliptic curve in Weierstrass form over F p, p prime. The brute force algorithm is included in the program, and is denoted by jecc. For small primes, brute force is much faster. But for large q, Schoof s algorithm is faster. The SEA algorithm has been successful when q is several hundred digits. \\ Elldivpol0(e,n) returns a polynomial in x whose zeros are the \\ (x-coordinates of the) non-zero points P on e satisfying n*p=0 \\ and 2*P!=0. \\ Elldivpol(e,n) returns a polynomial in x,y whose zeros are the \\ non-zero points P on e satisfying n*p=0. Same as elldivpol0(e,n) \\ when n is odd, but when n is even it equals \\ elldivpol0(e,n)*(2*y+a1*x+a3). Users are only expected to use \\ elldivpol normally. global(x,y); { elldivpol(e,n)=

9 AN EXPOSITION OF SCHOOF S ALGORITHM 9 if(n%2==1,elldivpol0(e,n),elldivpol0(e,n)*(2*y+e[1]*x+e[3]));} { elldivpol0(e,n)= local(m,a1,a2,a3,a4,a6,t1,t2,f1,f2,psi24); a1=e[1];a2=e[2];a3=e[3];a4=e[4];a6=e[5]; f1=x^3+a2*x^2+a4*x+a6; f2=a1*x+a3; n=abs(n); if(n==0,return(0)); if(n==1,return(1)); if(n==2,return(1)); if(n==3,return(3*x^4+(a1^2+4*a2)*x^3+(3*a1*a3+6*a4)*x^2+ (3*a3^2+12*a6)*x+a1^2*a6-a1*a3*a4+a2*a3^2+4*a2*a6-a4^2)); if(n==4,return(2*x^6+(a1^2+4*a2)*x^5+(5*a1*a3+10*a4)*x^4+(10*a3^2+40*a6) *x^3+(10*a1^2*a6-10*a1*a3*a4+10*a2*a3^2+40*a2*a6-10*a4^2)*x^2+(a1^4*a6- a1^3*a3*a4+a1^2*a2*a3^2+8*a1^2*a2*a6-a1^2*a4^2-4*a1*a2*a3*a4-a1*a3^3-4*a1*a3*a6+4*a2^2*a3^2+16*a2^2*a6-4*a2*a4^2-2*a3^2*a4-8*a4*a6)*x+a1^3* a3*a6-a1^2*a3^2*a4+2*a1^2*a4*a6+a1*a2*a3^3+4*a1*a2*a3*a6-3*a1*a3*a4^2+ 2*a2*a3^2*a4+8*a2*a4*a6-a3^4-8*a3^2*a6-2*a4^3-16*a6^2)); \\ general case, use recursion \\ If n is odd, n=2m+1: if(n%2==1,m=(n-1)/2; t1=elldivpol0(e,m+2)*elldivpol0(e,m)^3; t2=elldivpol0(e,m-1)*elldivpol0(e,m+1)^3; psi24=(4*f1+f2^2)^2; if(m%2==1,return(t1-psi24*t2),return(psi24*t1-t2))); \\ Now n is even, n=2m: m=n/2; t1=elldivpol0(e,m+2)*elldivpol0(e,m-1)^2; t2=elldivpol0(e,m-2)*elldivpol0(e,m+1)^2; elldivpol0(e,m)*(t1-t2);} \\ The following two functions returns the x and y coordinates \\ of [n](x,y) using the division polynomials. \\ xn is a rational function of x, \\ yn is y times a rational function of x. \\ We are assuming the curve is in Weierstrass form. { nthxpoint(e,n)= local(xn,nodd,neven); n=abs(n); if(n%2==1, nodd=elldivpol(e,n-1)*elldivpol(e,n+1)*(x^3+e[4]*x+e[5])/y^2; xn=(x*elldivpol(e,n)^2-nodd)/(elldivpol(e,n)^2); return(xn), neven=(x^3+e[4]*x+e[5])*elldivpol(e,n)^2/y^2; xn=(x*neven-elldivpol(e,n-1)*elldivpol(e,n+1))/(neven); return(xn))} { nthypoint(e,n)= local(yn,ntemp); ntemp=n; n=abs(n); if(ntemp==1,yn=y;return(yn)); if(ntemp==-1,yn=-y;return(yn)); yn=(elldivpol(e,n+2)*elldivpol(e,n-1)^2-elldivpol(e,n-2)*elldivpol(e,n+1)^2) /(4*y*elldivpol(e,n)^3);

10 10 ALEJANDRA ALVARADO ARIZONA STATE UNIVERSITY if(n%2==1, if(ntemp<0,return(-yn),return(yn)), yn=yn*y^4/(x^3+e[4]*x+e[5])^2; if(ntemp<0,return(-yn),return(yn)))} \\ (x,y ):=(x^(p^2),y^(p^2))+[k](x,y) mod psi_l \\ Ellxcoord computes the x-coordinate x \\ and is a rational function of x. \\ Ellycoord computes y \\ and is y times a rational function of x { ellxcoord(e,p,xn,yn)= local(xcoordtemp1,xcoordtemp2,xcoordtemp3,xcoordtemp4,xcoordtemp5, xcoordtemp6,xcoord); if(x^(p^2)==xn,print("error")); xcoordtemp1=mod(1,p)*(x^3+e[4]*x+e[5]); xcoordtemp2=(x^3+e[4]*x+e[5])^((p^2-1)/2); xcoordtemp6=yn/y; xcoordtemp3=(xcoordtemp2-xcoordtemp6)^2; xcoordtemp4=mod(1,p)*(x^(p^2)-xn)^2; xcoordtemp5=mod(1,p)*(x^(p^2)+xn); xcoord=(xcoordtemp1*xcoordtemp3)/xcoordtemp4-xcoordtemp5; } { ellycoord(e,p,xn,yn,xcoord)= local(ycoordtemp,ycoord); ycoordtemp=mod(1,p)*y*(x^3+e[4]*x+e[5])^((p^2-1)/2); ycoord=(x^(p^2)-xcoord)*(yn-ycoordtemp)/(xn-x^(p^2))-ycoordtemp; } \\ Brute force computation to determine the number of \\ points on an elliptic curve of Weierstrass form. { jecc(p,a4,a6)=local(n,xc,f,s); n=1; for(xc=0,p-1,f=(xc^3+a4*xc+a6)*mod(1,p); if(f==0,n=n+1, if(issquare(f),n=n+2))); return(p+1-n);} \\ Schoof s Algorithm \\ INPUT: An elliptic curve E over a finite field F_p \\ OUTPUT: The order of E(F_p) \\ \\ This program works in PARI 2.1.5, but \\ fails in

11 AN EXPOSITION OF SCHOOF S ALGORITHM 11 { schoof()=local(a4,a6,p,debug,debugcheck); print("enter an elliptic curve of the form y^2=x^3+a4x+a6 mod p."); print("enter p, a4, a6:"); print1("p= "); p=input(); print1("a4= "); a4=input(); print1("a6= "); a6=input(); print1("do you want to debug? y/n "); debug=input(); print1("do you want to check the answer? y/n "); debugcheck=input(); schoof1(p,a4,a6,debug,debugcheck);} { schoof1(p,a4,a6,debug,debugcheck)=local(a,atemp,a1,a2,a3,e,l,m, k,success,xk,yk,el,xcoord,ycoord,xj,yj,yjp); a1=0; a2=0; a3=0; e=ellinit([a1, a2, a3, a4, a6]*mod(1, p)); l=2; m=2; xp=(x^p)%(x^3+e[2]*x^2+e[4]*x+e[5]); if(gcd(xp-x,x^3+e[2]*x^2+e[4]*x+e[5])==1,a=mod(1,l),a=mod(0,l)); if(debug==y,print1("a= ");print(a)); while (m<(4*sqrt(p)), l=nextprime(l+1); if(p==l,l=nextprime(l+1)); m=m*l; k=centerlift(mod(p,l)); if(debug==y,print1("k= ");print(k)); if(debug==y,print1("l= ");print(l)); success=0; xk=nthxpoint(e,k); yk=nthypoint(e,k); el=elldivpol(e,l); \\xcoord is x-coordinate, x xcoord=ellxcoord(e,p,xk,yk); for(j=1,(l-1)/2, if(debug==y,print1("j= ");print(j)); \\xj is x-coordinate of [j](x,y) xj=nthxpoint(e,j); if(mod(numerator(xcoord-xj^p),el)==0, \\ycoord is y-coordinate, y ycoord=ellycoord(e,p,xk,yk,xcoord); \\xj is y-coordinate of [j](x,y) yj=nthypoint(e,j); yjp=(yj/y)^p*y*(x^3+a4*x+a6)^((p-1)/2); if(mod(numerator((ycoord-yjp)/y),el)==0, atemp=mod(j,l); success=1; break(), atemp=mod(-j,l); success=1; break())));

12 12 ALEJANDRA ALVARADO ARIZONA STATE UNIVERSITY if(debug==y,print("out of FOR loop.")); if(success==0, if(issquare(mod(p,l))==0, atemp=mod(0,l), for(i=1,(p-1)/2,if(mod(i^2,l)==mod(p,l),w=i;break())); if(debug==y,print1("w= ");print(w)); xw=nthxpoint(e,w); if(gcd(numerator(x^p-xw),elldivpol(e,l))==1, atemp=mod(0,l), if(gcd(numerator((y^p-yw)/y),elldivpol(e,l))!=1, atemp=mod(2*w,l), atemp=mod(-2*w,l))))); a=chinese(a,atemp); if(debug==y,print1("atemp= "); print(atemp); print1("a= "); print(a))); if(debugcheck==y, if(a!=jecc(p,a4,a6), print("error: INCORRECT VALUE FOUND"); print1("we found a="); print(a); print1("but it ought to be a="); print(jecc(p,a4,a6)))); a=lift(a); if(a^2>=4*p,a=a-m); print1("we found a to be: "); print(a); print1("so the number of points on E is "); print(p+1-a);} References [1] I. F. Blake, G. Seroussi, and N. P. Smart, Elliptic curves in cryptography, London Mathematical Society Lecture Note Series, vol. 265, Cambridge University Press, Cambridge, Reprint of the 1999 original.mr (2001i:94048) [2] John Cremona, PARI/GP Scripts, Nottingham, available from nott.ac.uk/personal/jec/ftp/progs/pari/. [3] C. Ding, D. Pei, and A. Salomaa, Chinese remainder theorem, World Scientific Publishing Co. Inc., River Edge, NJ, Applications in computing, coding, cryptography.mr (98d:94001) [4] Darrel Hankerson, Alfred Menezes, and Scott Vanstone, Guide to elliptic curve cryptography, Springer Professional Computing, Springer-Verlag, New York, 2004.MR (2005c:94049) [5] Neal Koblitz, A course in number theory and cryptography, Graduate Texts in Mathematics, vol. 114, Springer-Verlag, New York, 1987.MR (88i:94001) [6] PARI/GP, version 2.1.5, The PARI Group, Bordeaux, available from math.u-bordeaux.fr/. [7] René Schoof, Counting points on elliptic curves over finite fields, J. Théor. Nombres Bordeaux 7 (1995), no. 1, Les Dix-huitièmes Journées Arithmétiques (Bordeaux, 1993).MR (97i:11070) [8], Elliptic curves over finite fields and the computation of square roots mod p, Math. Comp. 44 (1985), no. 170, MR (86e:11122) [9] Joseph H. Silverman, The arithmetic of elliptic curves, Graduate Texts in Mathematics, vol. 106, Springer-Verlag, New York, 1986.MR (87g:11070) [10] Lawrence C. Washington, Elliptic curves, Discrete Mathematics and its Applications (Boca Raton), Chapman & Hall/CRC, Boca Raton, FL. Number theory and cryptography.mr (2004e:11061)

13 AN EXPOSITION OF SCHOOF S ALGORITHM 13 DEPARTMENT OF MATHEMATICS, ARIZONA STATE UNIVERSITY, TEMPE, ARIZONA address: alvarado@mathpost.asu.edu