Counting points on elliptic curves explained

An important aspect in the study of elliptic curves is devising effective ways of counting points on the curve. There have been several approaches to do so, and the algorithms devised have proved to be useful tools in the study of various fields such as number theory, and more recently in cryptography and Digital Signature Authentication (See elliptic curve cryptography and elliptic curve DSA). While in number theory they have important consequences in the solving of Diophantine equations, with respect to cryptography, they enable us to make effective use of the difficulty of the discrete logarithm problem (DLP) for the group

E(Fq)

, of elliptic curves over a finite field

Fq

, where q = pk and p is a prime. The DLP, as it has come to be known, is a widely used approach to public key cryptography, and the difficulty in solving this problem determines the level of security of the cryptosystem. This article covers algorithms to count points on elliptic curves over fields of large characteristic, in particular p > 3. For curves over fields of small characteristic more efficient algorithms based on p-adic methods exist.

Approaches to counting points on elliptic curves

There are several approaches to the problem. Beginning with the naive approach, we trace the developments up to Schoof's definitive work on the subject, while also listing the improvements to Schoof's algorithm made by Elkies (1990) and Atkin (1992).

Several algorithms make use of the fact that groups of the form

E(Fq)

are subject to an important theorem due to Hasse, that bounds the number of points to be considered. Hasse's theorem states that if E is an elliptic curve over the finite field

Fq

, then the cardinality of

E(Fq)

satisfies

||E(Fq)|-(q+1)|\leq2\sqrt{q}.

Naive approach

The naive approach to counting points, which is the least sophisticated, involves running through all the elements of the field

Fq

and testing which ones satisfy the Weierstrass form of the elliptic curve

y2=x3+Ax+B.

Example

Let E be the curve y2 = x3 + x + 1 over

F5

. To count points on E, we make alist of the possible values of x, then of the quadratic residues of x mod 5 (for lookup purpose only), then of x3 + x + 1 mod 5, then of y of x3 + x + 1 mod 5. This yields the points on E.

x

x2

x3+x+1

y

Points

0

0

1

1,4

(0,1),(0,4)

1

1

3

-

-

2

4

1

1,4

(2,1),(2,4)

3

4

1

1,4

(3,1),(3,4)

4

1

4

2,3

(4,2),(4,3)

E.g. the last row is computed as follows: If you insert

x=4

in the equation x3 + x + 1 mod 5 you get

4

as result (3rd column). This result can be achieved if

y=2,3

(Quadratic residues can be looked up in the 2nd column). So the points for the last row are

(4,2),(4,3)

.

Therefore,

E(F5)

has cardinality of 9: the 8 points listed before and the point at infinity.

This algorithm requires running time O(q), because all the values of

x\inFq

must be considered.

Baby-step giant-step

An improvement in running time is obtained using a different approach: we pick an element

P=(x,y)\inE(Fq)

by selecting random values of

x

until

x3+Ax+B

is a square in

Fq

and then computing the square root of this value in order to get

y

.Hasse's theorem tells us that

|E(Fq)|

lies in the interval

(q+1-2\sqrt{q},q+1+2\sqrt{q})

. Thus, by Lagrange's theorem, finding a unique

M

lying in this interval and satisfying

MP=O

, results in finding the cardinality of

E(Fq)

. The algorithm fails if there exist two distinct integers

M

and

M'

in the interval such that

MP=M'P=O

. In such a case it usually suffices to repeat the algorithm with another randomly chosen point in

E(Fq)

.

Trying all values of

M

in order to find the one that satisfies

MP=O

takes around

4\sqrt{q}

steps. However, by applying the baby-step giant-step algorithm to

E(Fq)

, we are able to speed this up to around

4\sqrt[4]{q}

steps. The algorithm is as follows.

The algorithm

1. choose

m

integer,

m>\sqrt[4]{q}

2. FOR DO 3.

Pj\leftarrowjP

4. ENDFOR 5.

L\leftarrow1

6.

Q\leftarrow(q+1)P

7. REPEAT compute the points

Q+k(2mP)

8. UNTIL

\existsj

:

Q+k(2mP)=\pmPj

\\the

x

-coordinates are compared 9.

M\leftarrowq+1+2mk\mpj

\\note

MP=O

10. Factor

M

. Let

p1,\ldots,pr

be the distinct prime factors of

M

. 11. WHILE

i\leqr

DO 12. IF
M
pi

P=O

13. THEN

M\leftarrow

M
pi
14. ELSE

i\leftarrowi+1

15. ENDIF 16. ENDWHILE 17.

L\leftarrow\operatorname{lcm}(L,M)

\\note

M

is the order of the point

P

18. WHILE

L

divides more than one integer

N

in

(q+1-2\sqrt{q},q+1+2\sqrt{q})

19. DO choose a new point

P

and go to 1. 20. ENDWHILE 21. RETURN

N

\\it is the cardinality of

E(Fq)

Notes to the algorithm

Let

a

be an integer with

|a|\leq2m2

. There exist integers

a0

and

a1

with

-m<a0\leqmand-m\leqa1\leqms.t.a=a0+2ma1.

(j+1)P

once

jP

has been computed can be done by adding

P

to

jP

instead of computing the complete scalar multiplication anew. The complete computation thus requires

m

additions.

2mP

can be obtained with one doubling from

mP

. The computation of

Q

requires

log(q+1)

doublings and

w

additions, where

w

is the number of nonzero digits in the binary representation of

q+1

; note that knowledge of the

jP

and

2mP

allows us to reduce the number of doublings. Finally, to get from

Q+k(2mP)

to

Q+(k+1)(2mP)

, simply add

2mP

rather than recomputing everything.

M

. If not, we can at least find all the small prime factors

pi

and check that
M
pi

O

for these. Then

M

will be a good candidate for the order of

P

.

MP=O

, the order of

P

divides

M

. If no proper divisor

\bar{M}

of

M

realizes

\bar{M}P=O

, then

M

is the order of

P

.

One drawback of this method is that there is a need for too much memory when the group becomes large. In order to address this, it might be more efficient to store only the

x

coordinates of the points

jP

(along with the corresponding integer

j

). However, this leads to an extra scalar multiplication in order to choose between

-j

and

+j

.

There are other generic algorithms for computing the order of a group element that are more space efficient, such as Pollard's rho algorithm and the Pollard kangaroo method. The Pollard kangaroo method allows one to search for a solution in a prescribed interval, yielding a running time of

O(\sqrt[4]{q})

, using

O(log2{q})

space.

Schoof's algorithm

See main article: Schoof's algorithm.

A theoretical breakthrough for the problem of computing the cardinality of groups of the type

E(Fq)

was achieved by René Schoof, who, in 1985, published the first deterministic polynomial time algorithm. Central to Schoof's algorithm are the use of division polynomials and Hasse's theorem, along with the Chinese remainder theorem.

Schoof's insight exploits the fact that, by Hasse's theorem, there is a finite range of possible values for

|E(Fq)|

. It suffices to compute

|E(Fq)|

modulo an integer

N>4\sqrt{q}

. This is achieved by computing

|E(Fq)|

modulo primes

\ell1,\ldots,\ells

whose product exceeds

4\sqrt{q}

, and then applying the Chinese remainder theorem. The key to the algorithm is using the division polynomial

\psi\ell

to efficiently compute

|E(Fq)|

modulo

\ell

.

The running time of Schoof's Algorithm is polynomial in

n=log{q}

, with an asymptotic complexity of

O(n2M(n3)/log{n})=O(n5+o(1))

, where

M(n)

denotes the complexity of integer multiplication. Its space complexity is

O(n3)

.

Schoof–Elkies–Atkin algorithm

See main article: Schoof–Elkies–Atkin algorithm.

In the 1990s, Noam Elkies, followed by A. O. L. Atkin devised improvements to Schoof's basic algorithm by making a distinction among the primes

\ell1,\ldots,\ells

that are used. A prime

\ell

is called an Elkies prime if the characteristic equation of the Frobenius endomorphism,

\phi2-t\phi+q=0

, splits over

F\ell

. Otherwise

\ell

is called an Atkin prime. Elkies primes are the key to improving the asymptotic complexity of Schoof's algorithm. Information obtained from the Atkin primes permits a further improvement which is asymptotically negligible but can be quite important in practice. The modification of Schoof's algorithm to use Elkies and Atkin primes is known as the Schoof–Elkies–Atkin (SEA) algorithm.

The status of a particular prime

\ell

depends on the elliptic curve

E/Fq

, and can be determined using the modular polynomial

\Psi\ell(X,Y)

. If the univariate polynomial

\Psi\ell(X,j(E))

has a root in

Fq

, where

j(E)

denotes the j-invariant of

E

, then

\ell

is an Elkies prime, and otherwise it is an Atkin prime. In the Elkies case, further computations involving modular polynomials are used to obtain a proper factor of the division polynomial

\psi\ell

. The degree of this factor is

O(\ell)

, whereas

\psi\ell

has degree

O(\ell2)

.

Unlike Schoof's algorithm, the SEA algorithm is typically implemented as a probabilistic algorithm (of the Las Vegas type), so that root-finding and other operations can be performed more efficiently. Its computational complexity is dominated by the cost of computing the modular polynomials

\Psi\ell(X,Y)

, but as these do not depend on

E

, they may be computed once and reused. Under the heuristic assumption that there are sufficiently many small Elkies primes, and excluding the cost of computing modular polynomials, the asymptotic running time of the SEA algorithm is

O(n2M(n2)/log{n})=O(n4+o(1))

, where

n=log{q}

. Its space complexity is

O(n3log{n})

, but when precomputed modular polynomials are used this increases to

O(n4)

.

See also

Bibliography

E(Fq)

. Available at http://www.math.umn.edu/~musiker/schoof.pdf

This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Counting points on elliptic curves".

Except where otherwise indicated, Everything.Explained.Today is © Copyright 2009-2024, A B Cryer, All Rights Reserved. Cookie policy.