Wikipedia

Schoof's algorithm: Difference between revisions

Browse history interactively
← Previous edit
Content deleted Content added
VisualWikitext
 
(76 intermediate revisions by 50 users not shown)
Line 1:
{{Short description|Efficient algorithm to count points on elliptic curves}}
'''Schoof's Algorithmalgorithm''' is an an efficient algorithm to count points on [[elliptic curvescurve]]s over [[finite fields]]. The algorithm has applications in [[elliptic curve cryptography]] where it is important to know the number of points to judge the difficulty of solving the [[discrete logarithm problem]] in the [[Group (mathematics)|group]] of points on an elliptic curve.
 
The algorithm was published by [[René Schoof]] in 1985 and it was a theoretical break throughbreakthrough, as it was the first deterministic polynomial time algorithm for [[counting points on elliptic curves]]. Before Schoof's algorithm, approaches to [[counting points on elliptic curves]] such as the naive and [[baby-step giant-step]] algorithms were, for the most part, tedious and had an exponential running time.
This article explains Schoof's approach, laying emphasis on the mathematical ideas underlying the structure of the algorithm.
Line 7 ⟶ 8:
==Introduction==
Let <math>E</math> be an [[elliptic curve]] defined over the finite field <math>\mathbb{F}_{q}</math>, where <math>q=p^n</math> for <math>p</math> a prime and <math>n</math> an integer <math>\geq 1</math>. Over a field of characteristic <math>\neq 2, 3</math> an elliptic curve can be given by a (short) Weierstrass equation
: <math>
y^{2} = x^{3} + Ax + B
</math>
with <math>A,B\in \mathbb{F}_{q}</math>. The set of points defined over <math>\mathbb{F}_{q}</math> consists of the solutions <math>(a,b)\in\mathbb{F}_{q}^2</math> satisfying the curve equation and a [[point at infinity]] <math>O</math>. Using the [[Elliptic_curveElliptic curve#The_group_lawThe group law|group law]] on elliptic curves restricted to this set one can see that this set <math>E(\mathbb{F}_{q})</math> forms an [[abelian group]], with <math>O</math> acting as the zero element.
In order to count points on an elliptic curve, we compute the cardinality of <math>E(\mathbb{F}_{q})</math>.
Schoof's approach to computing the cardinality <math>\sharp# E(\mathbb{F}_{q})</math> makes use of [[Hasse's theorem on elliptic curves]] along with the [[Chinese remainder theorem]] and [[division polynomials]].
 
==Hasse's Theoremtheorem==
{{main|Hasse's theorem on elliptic curves}}
Hasse's theorem states that if <math>E/\mathbb{F}_{q}</math> is an elliptic curve over the finite field <math>\mathbb{F}_{q}</math>, then <math>\sharp# E(\mathbb{F}_{q}_q)</math> satisfies
 
: <math>
\mid q + 1 - \sharp# E(\mathbb{F}_{q}) \mid \leq 2\sqrt{q}.
</math>
 
This powerful result, given by Hasse in 1934, simplifies our problem by narrowing down <math>\sharp# E(\mathbb{F}_{q})</math> to a finite (albeit large) set of possibilities. Defining <math>t</math> to be <math>q + 1 - \sharp# E(\mathbb{F}_{q})</math>, and making use of this result, we now have that computing the cardinalityvalue of <math>t</math> modulo <math>N</math> where <math>N > 4\sqrt{q}</math>, is sufficient for determining <math>t</math>, and thus <math>\sharp# E(\mathbb{F}_{q})</math>. While there is no efficient way to compute <math>t \pmod N</math> directly for general <math>N</math>, it is possible to compute <math>t \pmod l</math> for <math>l</math> a small prime, rather efficiently. We choose <math>S=\{l_1,l_2,...,l_r\}</math> to be a set of distinct primes such that <math>\prod l_i = N > 4\sqrt{q}</math>. Given <math>t \pmod {l_i}</math> for all <math>l_i\in S</math>, the [[Chinese remainder theorem]] allows us to compute <math>t \pmod N</math>.
 
In order to compute <math>t \pmod l</math> for a prime <math>l \neq p</math>, we make use of the theory of the Frobenius endomorphism <math>\phi</math> and [[division polynomials]]. Note that considering primes <math>l \neq p</math> is no loss since we can always pick a bigger prime to take its place to ensure the product is big enough. In any case Schoof's algorithm is most frequently used in addressing the case <math>q=p</math> since there are more efficient, so called <math>p</math> adic algorithms for small -characteristic fields.
 
==The Frobenius Endomorphismendomorphism==
Given the elliptic curve <math>E</math> defined over <math>\mathbb{F}_{q}</math> we consider points on <math>E</math> over <math>\overlinebar{\mathbb{F}}_{q}}</math>, the [[algebraic closure]] of <math>\mathbb{F}_{q}</math>; i.e. we allow points with coordinates in <math>\bar{\mathbb{F}}_{q}</math>. The [[Frobenius endomorphism]] of <math>\bar{\mathbb{F}}_{q}</math> over <math>\mathbb{F}_{q}_q</math> extends to the elliptic curve by <math> \phi : (x, y) \mapsto (x^{q}, y^{q})</math>.
 
This map is the identity on <math>E(\mathbb{F}_{q})</math> and one can extend it to the point at infinity <math>O</math>, making it a [[group morphism]] from <math>E(\bar{\mathbb{F}}_{q}})</math> to itself.
 
The Frobenius endomorphism satisfies a quadratic polynomial which is linked to the cardinality of <math>E(\mathbb{F}_{q})</math> by the following theorem:
'''Theorem:''' The Frobenius endomorphism given by <math>\phi</math> satisfies the characteristic equation
 
: <math> \phi ^{2} - t\phi + q = 0,</math> where <math> t = q + 1 - \sharp# E(\mathbb{F}_{q}_q) </math>
 
Thus we have for all <math>P=(x, y) \in E</math> that <math>(x^{q^{2}}, y^{q^{2}} ) + q(x, y) = t(x^{q}, y^{q})</math>, where + denotes addition on the elliptic curve and <math>q(x,y)</math> and <math>t(x^{q},y^{q})</math>
denote scalar multiplication of <math>(x,y)</math> by <math>q</math> and of <math>(x^{q},y^{q})</math> by <math>t</math>.
 
One could try to symbolically compute these points <math>(x^{q^{2}}, y^{q^{2}})</math>, <math>(x^{q}, y^{q})</math> and <math>q(x, y)</math> as functions in the [[Imaginary_hyperelliptic_curveImaginary hyperelliptic curve#Coordinate_ringCoordinate ring|coordinate ring]] <math>\mathbb{F}_{q}[x,y]/(y^{2}-x^{3}-Ax-B)</math> of <math>E</math>
and thethen search for a value of <math>t</math> which satisfies the equation. However, the degrees get very large and this approach is impractical.
 
Schoof's idea was to carry out this computation restricted to points of order <math>l</math> for various small primes <math>l</math>.
Fixing an odd prime <math>l</math>, we now move on to solving the problem of determining <math>t_{l}</math>, defined as <math>t \pmod l</math>, for a given prime <math>l \neq 2, p</math>.
If a point <math>(x, y)</math> is in the <math>l</math>-[[torsion subgroup]] <math>E[l]=\{P\in E(\bar{\mathbb{F}_{q}}) \mid lP=O \}</math>, then <math>qP = \bar{q}P</math> where <math>\bar{q}</math> is the unique integer such that <math>q \equiv \bar{q} \pmod l</math> and <math>\mid \bar{q} \mid< l/2</math>.
Note that <math>\phi(O) = O</math> and that for any integer <math>r</math> we have <math>r\phi (P) = \phi (rP)</math>. Thus <math>\phi (P)</math> will have the same order as <math>P</math>. Thus for <math>(x, y)</math> belonging to <math>E[l]</math>, we also have <math>t(x^{q}, y^{q})= \bar{t}(x^{q}, y^{q})</math> if <math>t \equiv \bar{t} \pmod l</math>. Hence we have reduced our problem to solving the equation
 
: <math> (x^{q^{2}}, y^{q^{2}}) + \bar{q}(x, y) \equiv \bar{t}(x^{q}, y^{q}),</math>
 
<math> (x^{q^{2}}, y^{q^{2}}) + \bar{q}(x, y) \equiv \bar{t}(x^{q}, y^{q}),</math>
where <math>\bar{t}</math> and <math>\bar{q}</math> have integer values in <math>[-(l-1)/2,(l-1)/2]</math>.
 
==Computation modulo primes==
The <math>{{mvar|l</math>}}th [[division polynomial]] is such that its roots are precisely the <math>{{mvar|x</math>}} coordinates of points of order <math>{{mvar|l</math>}}. Thus, to restrict the computatiocomputation of <math>(x^{q^{2}}, y^{q^{2}}) + \bar{q}(x, y)</math> to the <math>{{mvar|l</math>}}-torsion points means computing these expressions as functions in the coordinate ring of <math>{{mvar|E</math>}} ''and'' modulo the <math>{{mvar|l</math>}}th division polynomial. I.e. we are working in <math>\mathbb{F}_{q}[x,y]/(y^{2}-x^{3}-Ax-B, \psi_{l})</math>. This means in particular that the degree of <math>{{mvar|X</math>}} and <math>{{mvar|Y</math>}} defined via <math>(X(x,y),Y(x,y)):=(x^{q^{2}}, y^{q^{2}}) + \bar{q}(x, y)</math> is at most 1 in <math>{{mvar|y</math>}} and at most <math>(l^2-3)/2</math>
in <math>{{mvar|x</math>}}.
 
The scalar multiplication <math>\bar{q}(x, y)</math> can be done either by [[exponentiation by squaring|double-and-add]] methods or by using the <math>\bar{q}</math>th division polynomial. The latter approach gives:
 
: <math>
\bar{q} (x,y) = (x_{\bar{q}},y_{\bar{q}}) = \left( x - \frac {\psi_{\bar{q}-1} \psi_{\bar{q}+1}}{\psi^{2}_{\bar{q}}}, \frac{\psi_{2\bar{q}}}{2\psi^{4}_{\bar{q}}} \right)
</math>
 
where <math>\psi_{n}</math> is the <math>{{mvar|n</math>}}th division polynomial. Note that
<math>y_{\bar{q}}/y</math> is a function in <math>{{mvar|x</math>}} only and denote it by <math>\theta(x)</math>.
 
We must split the problem into two cases: the case in which <math>(x^{q^{2}}, y^{q^{2}}) \neq \pm \bar{q}(x, y)</math>, and the case in which <math>(x^{q^{2}}, y^{q^{2}}) = \pm \bar{q}(x, y)</math>. Note that these equalities are checked modulo <math>\psi_l</math>.
 
===Case 1: <math>(x^{q^{2}}, y^{q^{2}}) \neq \pm \bar{q}(x, y)</math>===
By using the [[Elliptic_curvesElliptic curves#The_group_lawThe group law|addition formula]] for the group <math>E(\mathbb{F}_{q})</math> we obtain:
 
: <math>
X(x,y) = \left( \frac{y^{q^{2}} - y_{\bar{q}}}{x^{q^{2}} - x_{\bar{q}}} \right) ^{2} - x^{q^{2}} - x_{\bar{q}}.
</math>
Note that this computation fails in case the assumption of inequality was wrong.
 
We are now able to use the <math>{{mvar|x</math>}}-coordinate to narrow down the choice of <math>\bar{t}</math> to two possibilities, namely the positive and negative case. Using the <math>{{mvar|y</math>}}-coordinate one later determines which of the two cases holds.
 
We first show that <math>{{mvar|X</math>}} is a function in <math>{{mvar|x</math>}} alone. Consider <math>(y^{q^{2}} - y_{\bar{q}})^{2}=y^{2}(y^{q^{2}-1}-y_{\bar{q}}/y)^{2}</math>.
Since <math>q^{2}-1</math> is even, by replacing <math>y^{2}</math> by <math>x^3+Ax+B</math>, we rewrite the expression as
 
: <math>
(x^3+Ax+B)((x^3+Ax+B)^{\frac{q^{2}-1}{2}}-\theta(x))^2
</math>
 
and have that
 
: <math>
X(x)\equiv (x^3+Ax+B)\left(\frac{(x^3+Ax+B)^{\frac{q^{2}-1}{2}}-\theta(x)}{x^{q^2}-x_{\bar{q}}}\right)^2\bmod \psi_l(x).
</math>
 
Now if <math>X \equiv x^{q} _ {\bar{t}}\bmod \psi_l(x)</math> for onesome <math>\bar{t}\in [0,(l-1)/2]</math>, then <math>\bar{t}</math> satisfies
 
: <math>
\phi ^{2}(P) \mp \bar{t} \phi(P) + \bar{q}P = O
</math>
for all <math>l</math>-torsion points <math>P</math>.
 
for all <math>{{mvar|l</math>}}-torsion points <math>{{mvar|P</math>}}.
As mentioned earlier, using <math>Y</math> and <math>y_{\bar{t}}^{q}</math> we are now able to determine which of the two values of <math>\bar{t}</math> (<math>\bar{t}</math> or <math>-\bar{t}</math>) works. This gives the value of <math>t\equiv \bar{t}\pmod l</math>. Schoof's algorithm stores the values of <math>\bar{t}\pmod l</math> in a variable <math>t_l</math> for each prime <math>l</math> considered.
 
As mentioned earlier, using <math>{{mvar|Y</math>}} and <math>y_{\bar{t}}^{q}</math> we are now able to determine which of the two values of <math>\bar{t}</math> (<math>\bar{t}</math> or <math>-\bar{t}</math>) works. This gives the value of <math>t\equiv \bar{t}\pmod l</math>. Schoof's algorithm stores the values of <math>\bar{t}\pmod l</math> in a variable <math>t_l</math> for each prime <math>{{mvar|l</math>}} considered.
 
===Case 2: <math>(x^{q^{2}}, y^{q^{2}}) = \pm \bar{q}(x, y)</math>===
We begin with the assumption that <math>(x^{q^{2}}, y^{q^{2}}) = \bar{q}(x, y)</math>. Since <math>{{mvar|l</math>}} is an odd prime it cannot be that <math>\bar{q}(x, y)=-\bar{q}(x, y)</math> and thus <math>\bar{t}\neq 0</math>. The characteristic equation yields that <math>\bar{t} \phi(P) = 2\bar{q} P</math>. And consequently that <math>\bar{t}^{2}\bar{q} \equiv (2q)^{2} \pmod l</math>.
This implies that <math>{{mvar|q</math>}} is a square modulo <math>{{mvar|l</math>}}. Let <math>q \equiv w^{2} \pmod l</math>. Compute <math>w\phi(x,y)</math> in <math>\mathbb{F}_{q}[x,y]/(y^{2}-x^{3}-Ax-B, \psi_{l})</math> and check whether <math>
\bar{q}(x, y)=w\phi(x,y)</math>. If so, <math>t_{l}</math> is <math>\pm 2w \pmod l</math> depending on the y-coordinate.
If <math>{{mvar|q</math>}} turns out not to be a square modulo <math>{{mvar|l</math>}} or if the equation does not hold for any of <math>{{mvar|w</math>}} and <math>-w</math>, our assumption that <math>(x^{q^{2}}, y^{q^{2}}) = +\bar{q}(x, y)</math> is false, thus <math>(x^{q^{2}}, y^{q^{2}}) = - \bar{q}(x, y)</math>. The characteristic equation gives <math>t_l=0</math>.
 
===Additional Case:case <math>l = 2</math>===
If you recall, our initial considerations omit the case of <math>l = 2</math>.
Since we assume <math>{{mvar|q</math>}} to be odd, <math>q + 1 - t \equiv t \pmod 2</math> and in particular, <math>t_{2} \equiv 0 \pmod 2</math> if and only if <math>E(\mathbb{F}_{q})</math> has an element of order 2. By definition of addition in the group, any element of order 2 must be of the form <math>(x_{0}, 0)</math>. Thus <math>t_{2} \equiv 0 \pmod 2</math> if and only if the polynomial <math>x^{3} + Ax + B</math> has a root in <math>\mathbb{F}_{q}</math>, if and only if <math>\gcd(x^{q}-x, x^{3} + Ax + B)\neq 1</math>.
 
==The Algorithmalgorithm==
Input:
:(1) Choose a set of odd primes <math>S</math>, <math>p \notin S</math> such that <math>N=\prod_{l\in S} l > 2\sqrt{q}.</math>
:(2) put 1. An elliptic curve <math>t_2E =0</math> if <math>\gcd(xy^{q2}-x, x^{3} + -Ax + -B)\neq 1</math>, else <math>t_2=1</math>.
:(3) 2. An integer {{mvar|q}} for a finite field <math>lF_q</math> with <math>q=p^{b}, b \inge S1</math> do:.
Output:
::(a) Let <math>\bar{q}</math> be the unique integer such that <math>q \equiv \bar{q} \pmod l</math> and <math>\mid \bar{q} \mid< l/2</math>. Compute <math>\psi_l</math>. All following computations in this loop are in the following ring: <math>\mathbb{F}_{q}[x,y]/(y^{2}-x^{3}-Ax-B, \psi_{l}).</math>
The number of points of {{mvar|E}} over <math>F_q</math>.
::(b) Compute <math>(x^{q}, y^{q})</math>, <math>(x^{q^{2}}, y^{q^{2}})</math> and <math>(x_{\bar{q}},y_{\bar{q}})</math> .
:(1) Choose a set of odd primes <math>{{mvar|S</math>,}} <math>pnot \notincontaining S</math>{{mvar|p}} {{nowrap|such that <math>N=\prod_{l\in S} l > 24\sqrt{q}.</math> }}
::(c) if <math>x^{q^{2}}\neq x_{\bar{q}}</math> then
{{nowrap|'''Put''' <math>t_2=0</math> '''if''' <math>\gcd(x^{q}-x, x^{3} + Ax + B)\neq 1</math>, '''else''' <math>t_2=1</math>.}}
:::(i) compute <math>(X,Y) </math>.
{{nowrap|Compute the division polynomial <math>\psi_l</math>}}.
:::(ii)for <math>1\leq \bar{t} \leq (l-1)/2</math> do
All computations in the loop below are performed {{nowrap|in the ring <math>\mathbb{F}_{q}[x,y]/(y^{2}-x^{3}-Ax-B, \psi_{l}).</math>}}
::::(iii)if <math>X = x^{q} _ {\bar{t}}</math> then
:::::(iv)if <math>Y = y^{q} _ {\bar{t}}</math> thennowrap|'''For''' <math>t_{l}= \bar{t}in S</math>; else <math>t_{l'''do''':}=-\bar{t}</math>.
::(a) {{nowrap|'''Let''' <math>\bar{q}</math> be the unique integer}} {{nowrap|such that <math>q \equiv \bar{q} \pmod l</math> and <math>\mid \bar{q} \mid< l/2</math>. Compute <math>\psi_l</math>. All following computations in this loop are in the following ring: <math>\mathbb{F}_{q}[x,y]/(y^{2}-x^{3}-Ax-B, \psi_{l}).</math>
::(d)else if <math>q</math> is a square modulo <math>l</math> then
:::(i)compute {{nowrap|Compute <math>w(x^{q}, y^{q})</math> with, <math>(x^{q\equiv^{2}}, wy^{q^{2}})</math> \pmodand l<math>(x_{\bar{q}},y_{\bar{q}})</math>.}}
:::(ii)compute {{nowrap|'''if''' <math>w(x^{q^{2}},\neq y^x_{\bar{q})}</math> '''then'''}}
{{nowrap|Compute <math>(X,Y)</math>.}}
:::(iii)if <math>w(x^{q}, y^{q})=(x^{q^{2}}, y^{q^{2}})</math> then <math>t_l=2w</math>
:::(ii)for {{nowrap|'''for''' <math>1\leq \bar{t} \leq (l-1)/2</math> '''do ''':}}
:::(iv)else if <math>w(x^{q}, y^{q})=(x^{q^{2}}, -y^{q^{2}})</math> then <math>t_l=-2w</math>
::::(iii)if {{nowrap|'''if''' <math>X = x^{q} _ {\bar{t}}</math> '''then'''}}
:::(v)else <math>t_{l}=0</math>
{{nowrap|'''if''' <math>Y = y^{q} _ {\bar{t}}</math> '''then'''}}
::(e)else <math>t_{l}=0</math>
{{nowrap|<math>t_{l}=\bar{t}</math>;}}
:(4)Use the Chinese Remainder Theorem to compute <math>\sharp E(\mathbb{F}_{q}) \pmod{2N}</math>.
'''else'''
{{nowrap|<math>t_{l}=-\bar{t}</math>.}}
::(d) '''else if''' <math>{{mvar|q</math>}} is a square modulo <math>{{mvar|l</math>}} '''then'''
{{nowrap|compute {{mvar|w}} with <math>q\equiv w^{2} \pmod l</math>}}
{{nowrap|compute <math>w(x^{q}, y^{q})</math>}}
:::(iii) {{nowrap|'''if''' <math>w(x^{q}, y^{q})=(x^{q^{2}}, y^{q^{2}})</math> '''then <math>t_l=2w</math>'''}}
{{nowrap|<math>t_l=2w</math>}}
:::(iv) {{nowrap|'''else if''' <math>w(x^{q}, y^{q})=(x^{q^{2}}, -y^{q^{2}})</math> '''then <math>t_l=-2w</math>'''}}
{{nowrap|<math>t_l=-2w</math>}}
'''else'''
{{nowrap|<math>t_{l}=0</math>}}
'''else'''
{{nowrap|<math>t_{l}=0</math>}}
:(4) Use the [[Chinese Remainder Theorem]] to compute <math>\sharp E(\mathbb{F}_{qmvar|t}}) \pmodmodulo {2N{mvar|N}}</math>.
from the equations <math>t \equiv t_{l} \pmod l</math>, where <math>l \in S</math>.
:::(i) compute Output <math>(X,Y) q+1-t</math>.
 
==Complexity==
Note that since the set <math>S</math> was chosen so that <math>2N>4\sqrt{q}</math>, by Hasse's theorem, we in fact know <math> \sharp E(\mathbb{F}_{q})</math> precisely.
Most of the computation is taken by the evaluation of <math>\phi(P)</math> and <math>\phi^{2}(P)</math>, for each prime <math>l</math>, that is computing <math>x^q</math>, <math>y^q</math>, <math>x^{q^2}</math>, <math>y^{q^2}</math> for each prime <math>l</math>. This involves exponentiation in the ring <math>R = \mathbb{F}_{q}[x, y]/ (y^2-x^3-Ax-B, \psi_l)</math> and requires <math>O(\log q)</math> multiplications. Since the degree of <math>\psi_l</math> is <math>\frac{l^2-1}{2}</math>, each element in the ring is a polynomial of degree <math>O(l^2)</math>. By the [[prime number theorem]], wethere haveare around <math>O(\log q)</math> primes of size <math>O(\log q)</math>, giving that <math>l</math> is <math>O(\log q)</math> and we obtain that <math>O(l^2) = O(\log^2q)</math>. Thus each multiplication in the ring <math>R</math> requires <math>O(\log^4 q)</math> multiplications in <math>\mathbb{F}_{q}</math> which in turn requires <math>O(\log^2 q)</math> bit operations. In total, the number of bit operations for each prime <math>l</math> is <math>O(\log^7 q)</math>. Given that this computation needs to be carried out for each of the <math>O(\log q)</math> primes, the total complexity of Schoof's algorithm turns out to be <math>O(\log^8 q)</math>. Note thatUsing fast polynomial and integer arithmetic reduces the costs downthis to <math>\tilde{O}(\log^5 q)</math>.
 
==ComplexityImprovements ofto Schoof's Algorithmalgorithm==
Most of the computation is taken by the evaluation of <math>\phi(P)</math> and <math>\phi^{2}(P)</math>, for each prime <math>l</math>, that is computing <math>x^q</math>, <math>y^q</math>, <math>x^{q^2}</math>, <math>y^{q^2}</math> for each prime <math>l</math>. This involves exponentiation in the ring <math>R = \mathbb{F}_{q}[x, y]/ (y^2-x^3-Ax-B, \psi_l)</math> and requires <math>O(\log q)</math> multiplications. Since the degree of <math>\psi_l</math> is <math>\frac{l^2-1}{2}</math>, each element in the ring is a polynomial of degree <math>O(l^2)</math>. By the [[prime number theorem]], we have around <math>O(\log q)</math> primes of size <math>O(\log q)</math> giving that <math>l</math> is <math>O(\log q)</math> and we obtain that <math>O(l^2) = O(\log^2q)</math>. Thus each multiplication in the ring <math>R</math> requires <math>O(\log^4 q)</math> multiplications in <math>\mathbb{F}_{q}</math> which in turn requires <math>O(\log^2 q)</math> bit operations. In total, the number of bit operations for each prime <math>l</math> is <math>O(\log^7 q)</math>. Given that this computation needs to be carried out for each of the <math>O(\log q)</math> primes, the total complexity of Schoof's algorithm turns out to be <math>O(\log^8 q)</math>. Note that fast polynomial arithmetic reduces the costs down to <math>O(\log^5 q)</math>.
 
{{main|Schoof–Elkies–Atkin algorithm}}
==Improvements to Schoof's Algorithm==
 
In the 1990s, [[Noam Elkies]], followed by [[A. O. L. Atkin]], devised improvements to Schoof's basic algorithm by restricting the set of primes <math>S = \{l_1, \ldots, l_s\}</math> considered before to primes of a certain kind. These came to be called Elkies primes and Atkin primes respectively. A prime <math>l</math> is called an Elkies prime if the characteristic equation: <math>\phi^2-t\phi+ q = 0</math> splits over <math>\mathbb{F}_l</math>, while an Atkin prime is a prime that is not an Elkies prime. Atkin showed how to combine information obtained from the Atkin primes with the information obtained from Elkies primes to produce an efficient algorithm, which came to be known as the [[Schoof-Elkies-AtkinSchoof–Elkies–Atkin algorithm]]. The first problem to address is to determine whether a given prime is Elkies or Atkin. In order to do so, we make use of modular polynomials, which come from the study of [[modular forms]] and an interpretation of [[Elliptic curve#Elliptic curves over the complex numbers|elliptic curves over the complex numbers]] as lattices. Once we have determined which case we are in, instead of using [[division polynomials]], we proceedare byable workingto modulowork thewith modulara polynomialspolynomial <math>f_l</math>that which have ahas lower degree than the corresponding division polynomial <math>\psi_l</math> (degree: <math>O(l)</math> rather than <math>O(l^2)</math>). This resultsFor inefficient aimplementation, furtherprobabilistic reductionroot-finding inalgorithms theare running timeused, givingwhich usmakes anthis algorithma more[[Las efficientVegas thanalgorithm]] Schoof's,rather withthan complexitya <math>O(\log^6deterministic q)</math> for standard arithmetic and <math>O(\log^4 q)</math>algorithm.
Under the heuristic assumption that approximately half of the primes up to an <math>O(\log q)</math> bound are Elkies primes, this yields an algorithm that is more efficient than Schoof's, with an expected running time of <math>O(\log^6 q)</math> using naive arithmetic, and <math>\tilde{O}(\log^4 q)</math> using fast arithmetic. Although this heuristic assumption is known to hold for most elliptic curves, it is not known to hold in every case, even under the [[Generalized Riemann Hypothesis|GRH]].
 
==Implementations==
Several algorithms were implemented in [[C++]] by Mike Scott and are available with [ftp://ftp.compapp.dcu.ie/pub/crypto/ source code]. The implementations are free (no terms, no conditions), butand theymake use of the [httphttps://indigogithub.iecom/~mscottmiracl/MIRACL MIRACL] library which is onlydistributed freeunder forthe non-commercial use[[AGPLv3]]. Note that (unmodified) programs may be used to generate curves for commercial use. There are
* Schoof's algorithm [ftphttps://ftpgithub.compapp.dcu.iecom/miracl/MIRACL/blob/master/pubsource/cryptocurve/schoof.cpp implementation] for <math>E(\mathbb{F}_p)</math> with prime <math>p</math>.
* Schoof's algorithm [ftphttps://ftpgithub.compapp.dcu.iecom/miracl/MIRACL/blob/master/pubsource/cryptocurve/schoof2.cpp implementation] for <math>E(\mathbb{F}_{2^m})</math>.
 
==See also==
* [[Elliptic Curvecurve Cryptographycryptography]]
* [[Counting points on elliptic curves]]
* [[Division Polynomials]]
Line 146 ⟶ 170:
 
==References==
* R. Schoof: Elliptic Curves over Finite Fields and the Computation of Square Roots mod p. Math. Comp., 44(170):483-494483–494, 1985. Available at http://www.mat.uniroma2.it/~schoof/ctpts.pdf
* R. Schoof: Counting Points on Elliptic Curves over Finite Fields. J. Theor. Nombres Bordeaux 7:219-254219–254, 1995. Available at http://www.mat.uniroma2.it/~schoof/ctg.pdf
* G. Musiker: Schoof's Algorithm for Counting Points on <math>E(\mathbb{F}_{q})</math>. Available at http://www-.math.mitumn.edu/~musiker/schoof.pdf
* A. Brown: Algorithms for Elliptic Curves over Finite Fields, EPFL - LMA. Available at http://algo.epfl.ch/handouts/en/andrew.pdf
* V. Müller : Die Berechnung der Punktanzahl von elliptischen kurven über endlichen Primkörpern. Master's Thesis. Universität des Saarlandes, Saarbrücken, 1991. Available at http://lecturer.ukdw.ac.id/vmueller/publications.php
* A. Enge: Elliptic Curves and their Applications to Cryptography: An Introduction. Kluwer Academic Publishers, Dordrecht, 1999.
Line 155 ⟶ 178:
* N. Koblitz: A Course in Number Theory and Cryptography, Graduate Texts in Math. No. 114, Springer-Verlag, 1987. Second edition, 1994
 
{{Number-theoretic algorithms}}
[[Category:Asymmetric-key cryptosystems]]
{{Algebraic curves navbox}}
[[Category:Cryptographic algorithms]]
 
[[Category:Group theory]]
[[Category:Asymmetric-key cryptosystemsalgorithms]]
[[Category:Elliptic curve cryptography]]
[[Category:Elliptic curves]]
[[Category:Group theory]]
[[Category:Finite fields]]
[[Category:Number theory]]
 
[[fr:Algorithme de Schoof]]
[[pl:Algorytm Schoofa]]
Retrieved from "https://en.wikipedia.org/wiki/Schoof%27s_algorithm"