{{Short description|Efficient algorithm to count points on elliptic curves}}
'''Schoof's algorithm''' is an efficient algorithm to count points on [[elliptic curve]]s over [[finite fields]]. The algorithm has applications in [[elliptic curve cryptography]] where it is important to know the number of points to judge the difficulty of solving the [[discrete logarithm problem]] in the [[Group (mathematics)|group]] of points on an elliptic curve.
with <math>A,B\in \mathbb{F}_{q}</math>. The set of points defined over <math>\mathbb{F}_{q}</math> consists of the solutions <math>(a,b)\in\mathbb{F}_{q}^2</math> satisfying the curve equation and a [[point at infinity]] <math>O</math>. Using the [[Elliptic curve#The group law|group law]] on elliptic curves restricted to this set one can see that this set <math>E(\mathbb{F}_{q})</math> forms an [[abelian group]], with <math>O</math> acting as the zero element.
In order to count points on an elliptic curve, we compute the cardinality of <math>E(\mathbb{F}_{q})</math>.
Schoof's approach to computing the cardinality <math>\
==Hasse's theorem==
</math>
This powerful result, given by Hasse in 1934, simplifies our problem by narrowing down <math>\# E(\mathbb{F}_{q})</math> to a finite (albeit large) set of possibilities. Defining <math>t</math> to be <math>q + 1 - \# E(\mathbb{F}_{q})</math>, and making use of this result, we now have that computing the
In order to compute <math>t \bmod l</math> for a prime <math>l \neq p</math>, we make use of the theory of the Frobenius endomorphism <math>\phi</math> and [[division polynomials]]. Restricting to primes <math>l \neq p</math> loses nothing, since one can always take one more prime in place of <math>p</math> to make the product of the <math>l</math> exceed <math>4\sqrt{q}</math>. In any case Schoof's algorithm is mostly used when <math>q=p</math>, because for small-characteristic fields there are more efficient, so-called <math>p</math>-adic algorithms.
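The procedure just described, as an added example in Python that is not code from the article or from the implementations it cites: for the constructed toy curve <math>y^2=x^3+x+1</math> over <math>\mathbb{F}_{23}</math> (an assumption; it has 28 points) it computes <math>t \bmod 2</math> by the test Schoof's algorithm uses for <math>l=2</math>, namely that <math>t</math> is even exactly when <math>E(\mathbb{F}_q)</math> has a point of order 2, i.e. when <math>x^3+Ax+B</math> has a root in <math>\mathbb{F}_q</math>, i.e. when <math>\gcd(x^q-x,\,x^3+Ax+B)\neq 1</math>; it then takes primes <math>l</math> until their product exceeds <math>4\sqrt{q}</math>, combines the residues by the Chinese remainder theorem and lifts the result into the Hasse interval <math>|t|\le 2\sqrt{q}</math>. The residues for odd <math>l</math> are taken from a brute-force count as a labelled stand-in, because the division-polynomial computation for odd <math>l</math> is not implemented here; all function names (<code>naive_count</code>, <code>trace_mod_2</code>, <code>schoof_primes</code>, <code>crt</code>, <code>lift_to_hasse</code>, <code>recover_trace</code>) are this example's own.

```python
"""Outer loop of Schoof's algorithm on a toy curve: t mod l for small primes l,
CRT, then a lift into the Hasse interval.  Added example, not the article's code."""
import math
from functools import reduce

# Constructed toy curve (assumption): y^2 = x^3 + x + 1 over F_23, which has 28 points.
p, A, B = 23, 1, 1

def legendre(a):
    """Euler's criterion: 1 for a nonzero square mod p, -1 for a nonsquare, 0 for a == 0."""
    a %= p
    return 0 if a == 0 else (1 if pow(a, (p - 1) // 2, p) == 1 else -1)

def naive_count():
    """Ground-truth #E(F_p): the point at infinity plus 1 + legendre(x^3+Ax+B) points per x."""
    return 1 + sum(1 + legendre(x**3 + A*x + B) for x in range(p))

# --- polynomials over F_p as coefficient lists, lowest degree first ---
def ptrim(f):
    f = [c % p for c in f]
    while f and f[-1] == 0:
        f.pop()
    return f

def psub(f, g):
    n = max(len(f), len(g))
    return ptrim([(f[i] if i < len(f) else 0) - (g[i] if i < len(g) else 0) for i in range(n)])

def pmul(f, g):
    out = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] += a * b
    return ptrim(out)

def pmod(f, m):
    """Remainder of f modulo a nonzero m; reduction mod psi_l is the only reduction Schoof needs."""
    f, m = ptrim(f), ptrim(m)
    inv = pow(m[-1], -1, p)
    while len(f) >= len(m):
        c, shift = f[-1] * inv % p, len(f) - len(m)
        for i, b in enumerate(m):
            f[i + shift] -= c * b
        f = ptrim(f)
    return f

def ppowmod(base, e, m):
    """base^e mod m by square-and-multiply; x^q mod psi_l is the Frobenius action on x."""
    result, base = [1], pmod(base, m)
    while e:
        if e & 1:
            result = pmod(pmul(result, base), m)
        base = pmod(pmul(base, base), m)
        e >>= 1
    return result

def pgcd(f, g):
    f, g = ptrim(f), ptrim(g)
    while g:
        f, g = g, pmod(f, g)
    return f

def trace_mod_2():
    """The l = 2 step: t is even iff E(F_p) has a point of order 2, i.e. iff
    x^3 + A x + B has a root in F_p, i.e. iff gcd(x^p - x, x^3 + A x + B) is not constant."""
    f = [B, A, 0, 1]
    g = pgcd(psub(ppowmod([0, 1], p, f), [0, 1]), f)
    return 0 if len(g) > 1 else 1

def schoof_primes():
    """Smallest primes l != p whose product exceeds 4*sqrt(p), i.e. prod^2 > 16 p."""
    primes, prod, l = [], 1, 2
    while prod * prod <= 16 * p:
        if l != p and all(l % d for d in range(2, l)):
            primes.append(l)
            prod *= l
        l += 1
    return primes

def crt(residues, moduli):
    """The unique x mod M = prod(moduli) with x = r_i mod m_i, returned as (x, M)."""
    M = reduce(lambda a, b: a * b, moduli)
    x = sum(r * (M // m) * pow(M // m, -1, m) for r, m in zip(residues, moduli))
    return x % M, M

def lift_to_hasse(x, M):
    """Representative of x mod M with |t| <= 2 sqrt(p).  t can be negative, so the
    plain residue in [0, M) is the wrong answer whenever t < 0."""
    bound = math.isqrt(4 * p)                   # floor(2 sqrt(p))
    for cand in (x, x - M):
        if abs(cand) <= bound:
            return cand
    raise ValueError("product of the moduli is too small to pin down t")

def recover_trace():
    """Schoof's outer loop.  Only the l = 2 residue is computed as the algorithm does;
    for odd l the division-polynomial step is not implemented here, so those residues
    come from the brute-force count as a STAND-IN."""
    true_t = p + 1 - naive_count()
    moduli = schoof_primes()
    residues = [trace_mod_2() if l == 2 else true_t % l for l in moduli]  # stand-in for odd l
    return lift_to_hasse(*crt(residues, moduli))

if __name__ == "__main__":
    t = recover_trace()
    print("primes", schoof_primes(), "t =", t, "#E =", p + 1 - t, "naive count", naive_count())
```

Running it uses the primes <math>2,3,5</math> (product <math>30 > 4\sqrt{23}\approx 19.2</math>), combines the residues into <math>t \equiv 26 \pmod{30}</math> and lifts that to <math>t=-4</math>, so <math>\#E = 24-(-4) = 28</math>. The lift is not cosmetic: the raw residue 26 would give <math>\#E = 24-26 = -2</math>, which is the failure an implementation produces when it forgets that the trace may be negative.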
Given the elliptic curve <math>E</math> defined over <math>\mathbb{F}_{q}</math> we consider points on <math>E</math> over <math>\bar{\mathbb{F}}_{q}</math>, the [[algebraic closure]] of <math>\mathbb{F}_{q}</math>; i.e. we allow points with coordinates in <math>\bar{\mathbb{F}}_{q}</math>. The [[Frobenius endomorphism]] of <math>\bar{\mathbb{F}}_{q}</math> over <math>\mathbb{F}_q</math> extends to the elliptic curve by <math> \phi : (x, y) \mapsto (x^{q}, y^{q})</math>.
This map is the identity on <math>E(\mathbb{F}_{q})</math> and one can extend it to the point at infinity <math>O</math>, making it a [[group morphism]] from <math>E(\bar{\mathbb{F}}_{q
The Frobenius endomorphism satisfies a quadratic polynomial which is linked to the cardinality of <math>E(\mathbb{F}_{q})</math> by the following theorem:
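The quadratic relation referred to here is <math>\phi^2 - t\phi + q = 0</math> as an endomorphism of <math>E</math>, with <math>t = q+1-\#E(\mathbb{F}_q)</math>. As an added example in Python (not code from the article or from the implementations it cites), the following checks that relation on points of <math>E(\bar{\mathbb{F}}_q)</math> which are defined over <math>\mathbb{F}_{q^2}</math> but not over <math>\mathbb{F}_q</math>, where <math>\phi</math> actually moves the point, for the constructed curve <math>y^2=x^3+x+1</math> over <math>\mathbb{F}_{23}</math> (an assumption). It also checks that <math>\phi</math> fixes <math>E(\mathbb{F}_q)</math> and that <math>\#E(\mathbb{F}_{q^2}) = q^2+1-(t^2-2q)</math>, which the same relation implies. The field model <math>\mathbb{F}_{23^2}=\mathbb{F}_{23}(w)</math> with <math>w^2=5</math>, and every function name, are this example's own.

```python
"""Frobenius endomorphism on E(F_{p^2}) for y^2 = x^3 + A x + B over F_p.
Added example, not code from the article; the toy parameters below are assumed."""
from collections import Counter

p, A, B = 23, 1, 1      # constructed toy curve y^2 = x^3 + x + 1 over F_23
NR = 5                  # a quadratic nonresidue mod 23, so F_{p^2} = F_p(w) with w^2 = NR

# ---- F_{p^2}: an element a + b*w is the pair (a, b) ----
ZERO, ONE = (0, 0), (1, 0)

def fadd(u, v):
    return ((u[0] + v[0]) % p, (u[1] + v[1]) % p)

def fsub(u, v):
    return ((u[0] - v[0]) % p, (u[1] - v[1]) % p)

def fmul(u, v):
    # (a + b w)(c + d w) = ac + NR*bd + (ad + bc) w
    return ((u[0] * v[0] + NR * u[1] * v[1]) % p, (u[0] * v[1] + u[1] * v[0]) % p)

def finv(u):
    # (a + b w)^-1 = (a - b w) / (a^2 - NR b^2); the norm is nonzero because NR is a nonresidue
    norm_inv = pow((u[0] * u[0] - NR * u[1] * u[1]) % p, -1, p)
    return (u[0] * norm_inv % p, -u[1] * norm_inv % p)

def fpow(u, e):
    r, base = ONE, u
    while e:
        if e & 1:
            r = fmul(r, base)
        base = fmul(base, base)
        e >>= 1
    return r

# ---- the curve over F_{p^2}; None is the point at infinity O ----
def rhs(x):
    return fadd(fmul(fmul(x, x), x), fadd(fmul((A, 0), x), (B, 0)))

def ec_neg(P):
    return None if P is None else (P[0], fsub(ZERO, P[1]))

def ec_add(P, Q):
    """Chord-and-tangent group law."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 != y2 or y1 == ZERO:       # Q = -P, or doubling a point of order 2
            return None
        lam = fmul(fadd(fmul((3, 0), fmul(x1, x1)), (A, 0)), finv(fmul((2, 0), y1)))
    else:
        lam = fmul(fsub(y2, y1), finv(fsub(x2, x1)))
    x3 = fsub(fsub(fmul(lam, lam), x1), x2)
    return (x3, fsub(fmul(lam, fsub(x1, x3)), y1))

def ec_mul(k, P):
    if k < 0:
        k, P = -k, ec_neg(P)
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R

def frobenius(P):
    """phi(x, y) = (x^q, y^q) with q = p; it fixes exactly the points defined over F_p."""
    return None if P is None else (fpow(P[0], p), fpow(P[1], p))

def count_base():
    """#E(F_p) by Euler's criterion: 1 + (f(a)/p) points above each a, plus O."""
    total = 1
    for a in range(p):
        v = (a ** 3 + A * a + B) % p
        total += 1 + (0 if v == 0 else (1 if pow(v, (p - 1) // 2, p) == 1 else -1))
    return total

T = p + 1 - count_base()           # trace of Frobenius; -4 for this curve

def char_poly_holds(P):
    """phi^2(P) - T*phi(P) + p*P == O: the characteristic equation of Frobenius."""
    phiP = frobenius(P)
    return ec_add(ec_add(frobenius(phiP), ec_mul(-T, phiP)), ec_mul(p, P)) is None

# square roots in F_{p^2}, tabulated once: one representative root and the number of roots
ELEMS = [(a, b) for a in range(p) for b in range(p)]
ROOT = {}
for y in ELEMS:
    ROOT.setdefault(fmul(y, y), y)
NROOTS = Counter(fmul(y, y) for y in ELEMS)

def count_ext():
    """#E(F_{p^2}) by brute force; the characteristic equation forces p^2 + 1 - (T^2 - 2p)."""
    return 1 + sum(NROOTS[rhs(x)] for x in ELEMS)

def sample_points(n):
    """n points of E(F_{p^2}) whose x-coordinate is not in F_p, so that phi moves them."""
    pts = []
    for x in ELEMS:
        if x[1] != 0 and rhs(x) in ROOT:
            pts.append((x, ROOT[rhs(x)]))
            if len(pts) == n:
                break
    return pts

if __name__ == "__main__":
    print("t =", T, "  #E(F_{p^2}) =", count_ext(), "=", p * p + 1 - (T * T - 2 * p))
    print("characteristic equation holds:", all(char_poly_holds(P) for P in sample_points(10)))
```

For a point of <math>E(\mathbb{F}_q)</math> the check collapses to <math>(1-t+q)P = \#E(\mathbb{F}_q)\,P = O</math>, which is just Lagrange's theorem; the points with coordinates outside <math>\mathbb{F}_q</math> are the ones on which the relation says something non-trivial, and they are exactly what Schoof's algorithm works with when it reduces modulo <math>\psi_l</math> instead of enumerating them.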
: <math>
(x^3+Ax+B)((x^3+Ax+B)^{\frac{q^{2}-1}{2}}-\theta(x))^2
</math>
: <math>
X(x)\equiv (x^3+Ax+B)\left(\frac{(x^3+Ax+B)^{\frac{q^{2}-1}{2}}-\theta(x)}{x^{q^2}-x_{\bar{q}}}\right)^2 - x^{q^2} - x_{\bar{q}} \bmod \psi_l(x).
</math>
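As an added worked step that is not in the original article, this <math>X(x)</math> is the chord law applied to the two points being compared. Write <math>y_{\bar{q}} = y\,\theta(x)</math> for the <math>y</math>-coordinate of <math>\bar{q}(x,y)</math> (the <math>y</math>-coordinate of any multiple of <math>(x,y)</math> is <math>y</math> times a rational function of <math>x</math>, which is how <math>\theta</math> is to be read here), and use <math>y^{q^2} = y^{q^2-1}\,y = (x^3+Ax+B)^{\frac{q^2-1}{2}}\,y</math>. The slope of the chord through <math>(x^{q^2},y^{q^2})</math> and <math>(x_{\bar{q}},y_{\bar{q}})</math> is then
: <math>
\lambda = \frac{y^{q^2}-y_{\bar{q}}}{x^{q^2}-x_{\bar{q}}} = y\,\frac{(x^3+Ax+B)^{\frac{q^{2}-1}{2}}-\theta(x)}{x^{q^2}-x_{\bar{q}}},
</math>
and since <math>y^2 = x^3+Ax+B</math>,
: <math>
\lambda^2 = (x^3+Ax+B)\left(\frac{(x^3+Ax+B)^{\frac{q^{2}-1}{2}}-\theta(x)}{x^{q^2}-x_{\bar{q}}}\right)^2,
</math>
so the <math>x</math>-coordinate of <math>(x^{q^2},y^{q^2}) + \bar{q}(x,y)</math> is <math>X = \lambda^2 - x^{q^2} - x_{\bar{q}}</math>, a polynomial in <math>x</math> alone once everything is reduced modulo <math>\psi_l(x)</math>. The division by <math>x^{q^2}-x_{\bar{q}}</math> is where the Case 1 hypothesis enters: it guarantees <math>x^{q^2}-x_{\bar{q}}\not\equiv 0 \bmod \psi_l(x)</math>, but an implementation must still check <math>\gcd(x^{q^2}-x_{\bar{q}},\psi_l(x))=1</math> before inverting, since <math>\psi_l</math> need not be irreducible over <math>\mathbb{F}_q</math>; a non-trivial common factor is a factor of <math>\psi_l</math>, and the computation can be continued modulo that factor instead.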
Now if <math>X \equiv x_{\bar{t}}^{q} \bmod \psi_l(x)</math> for
: <math>
==Implementations==
Several algorithms were implemented in [[C++]] by Mike Scott
* Schoof's algorithm [
* Schoof's algorithm [
==See also==
{{Number-theoretic algorithms}}
{{Algebraic curves navbox}}
[[Category:Asymmetric-key algorithms]]