Schoof's algorithm explained

Schoof's algorithm is an efficient algorithm to count points on elliptic curves over finite fields. The algorithm has applications in elliptic curve cryptography where it is important to know the number of points to judge the difficulty of solving the discrete logarithm problem in the group of points on an elliptic curve.

The algorithm was published by René Schoof in 1985 and it was a theoretical breakthrough, as it was the first deterministic polynomial time algorithm for counting points on elliptic curves. Before Schoof's algorithm, approaches to counting points on elliptic curves such as the naive and baby-step giant-step algorithms were, for the most part, tedious and had an exponential running time. This article explains Schoof's approach, laying emphasis on the mathematical ideas underlying the structure of the algorithm.

Introduction

Let

E

be an elliptic curve defined over the finite field

Fq

, where

q=pn

for

p

a prime and

n

an integer

\geq1

. Over a field of characteristic

2,3

an elliptic curve can be given by a (short) Weierstrass equation

y2=x3+Ax+B

with

A,B\inFq

. The set of points defined over

Fq

consists of the solutions
2
(a,b)\inF
q
satisfying the curve equation and a point at infinity

O

. Using the group law on elliptic curves restricted to this set one can see that this set

E(Fq)

forms an abelian group, with

O

acting as the zero element.In order to count points on an elliptic curve, we compute the cardinality of

E(Fq)

.Schoof's approach to computing the cardinality

\#E(Fq)

makes use of Hasse's theorem on elliptic curves along with the Chinese remainder theorem and division polynomials.

Hasse's theorem

See main article: Hasse's theorem on elliptic curves. Hasse's theorem states that if

E/Fq

is an elliptic curve over the finite field

Fq

, then

\#E(Fq)

satisfies

\midq+1-\#E(Fq)\mid\leq2\sqrt{q}.

This powerful result, given by Hasse in 1934, simplifies our problem by narrowing down

\#E(Fq)

to a finite (albeit large) set of possibilities. Defining

t

to be

q+1-\#E(Fq)

, and making use of this result, we now have that computing the value of

t

modulo

N

where

N>4\sqrt{q}

, is sufficient for determining

t

, and thus

\#E(Fq)

. While there is no efficient way to compute

t\pmodN

directly for general

N

, it is possible to compute

t\pmodl

for

l

a small prime, rather efficiently. We choose

S=\{l1,l2,...,lr\}

to be a set of distinct primes such that

\prodli=N>4\sqrt{q}

. Given

t\pmod{li}

for all

li\inS

, the Chinese remainder theorem allows us to compute

t\pmodN

.

In order to compute

t\pmodl

for a prime

lp

, we make use of the theory of the Frobenius endomorphism

\phi

and division polynomials. Note that considering primes

lp

is no loss since we can always pick a bigger prime to take its place to ensure the product is big enough. In any case Schoof's algorithm is most frequently used in addressing the case

q=p

since there are more efficient, so called

p

adic algorithms for small-characteristic fields.

The Frobenius endomorphism

Given the elliptic curve

E

defined over

Fq

we consider points on

E

over

\bar{F

}_, the algebraic closure of

Fq

; i.e. we allow points with coordinates in

\bar{F

}_. The Frobenius endomorphism of

\bar{F

}_ over

Fq

extends to the elliptic curve by

\phi:(x,y)\mapsto(xq,yq)

.

This map is the identity on

E(Fq)

and one can extend it to the point at infinity

O

, making it a group morphism from

E(\bar{F

}_) to itself.

The Frobenius endomorphism satisfies a quadratic polynomial which is linked to the cardinality of

E(Fq)

by the following theorem: Theorem: The Frobenius endomorphism given by

\phi

satisfies the characteristic equation

\phi2-t\phi+q=0,

where

t=q+1-\#E(Fq)

Thus we have for all

P=(x,y)\inE

that
q2
(x

,

q2
y

)+q(x,y)=t(xq,yq)

, where + denotes addition on the elliptic curve and

q(x,y)

and

t(xq,yq)

denote scalar multiplication of

(x,y)

by

q

and of

(xq,yq)

by

t

.

One could try to symbolically compute these points

q2
(x

,

q2
y

)

,

(xq,yq)

and

q(x,y)

as functions in the coordinate ring

Fq[x,y]/(y2-x3-Ax-B)

of

E

and then search for a value of

t

which satisfies the equation. However, the degrees get very large and this approach is impractical.

Schoof's idea was to carry out this computation restricted to points of order

l

for various small primes

l

.Fixing an odd prime

l

, we now move on to solving the problem of determining

tl

, defined as

t\pmodl

, for a given prime

l2,p

. If a point

(x,y)

is in the

l

-torsion subgroup

E[l]=\{P\inE(\bar{Fq

}) \mid lP=O \}, then

qP=\bar{q}P

where

\bar{q}

is the unique integer such that

q\equiv\bar{q}\pmodl

and

\mid\bar{q}\mid<l/2

. Note that

\phi(O)=O

and that for any integer

r

we have

r\phi(P)=\phi(rP)

. Thus

\phi(P)

will have the same order as

P

. Thus for

(x,y)

belonging to

E[l]

, we also have

t(xq,yq)=\bar{t}(xq,yq)

if

t\equiv\bar{t}\pmodl

. Hence we have reduced our problem to solving the equation
q2
(x

,

q2
y

)+\bar{q}(x,y)\equiv\bar{t}(xq,yq),

where

\bar{t}

and

\bar{q}

have integer values in

[-(l-1)/2,(l-1)/2]

.

Computation modulo primes

The th division polynomial is such that its roots are precisely the coordinates of points of order . Thus, to restrict the computation of

q2
(x

,

q2
y

)+\bar{q}(x,y)

to the -torsion points means computing these expressions as functions in the coordinate ring of and modulo the th division polynomial. I.e. we are working in

Fq[x,y]/(y2-x3-Ax-B,\psil)

. This means in particular that the degree of and defined via
q2
(X(x,y),Y(x,y)):=(x

,

q2
y

)+\bar{q}(x,y)

is at most 1 in and at most

(l2-3)/2

in .

The scalar multiplication

\bar{q}(x,y)

can be done either by double-and-add methods or by using the

\bar{q}

th division polynomial. The latter approach gives:

\bar{q}(x,y)=(x\bar{q

},y_) = \left(x - \frac, \frac \right)

where

\psin

is the th division polynomial. Note that

y\bar{q

}/y is a function in only and denote it by

\theta(x)

.

We must split the problem into two cases: the case in which

q2
(x

,

q2
y

)\pm\bar{q}(x,y)

, and the case in which
q2
(x

,

q2
y

)=\pm\bar{q}(x,y)

. Note that these equalities are checked modulo

\psil

.

Case 1:

q2
(x

,

q2
y

)\pm\bar{q}(x,y)

By using the addition formula for the group

E(Fq)

we obtain:

X(x,y)=\left(

q2
y-y\bar{q
} \right) ^ - x^ - x_.Note that this computation fails in case the assumption of inequality was wrong.

We are now able to use the -coordinate to narrow down the choice of

\bar{t}

to two possibilities, namely the positive and negative case. Using the -coordinate one later determines which of the two cases holds.

We first show that is a function in alone. Consider

q2
(y

-y\bar{q

})^=y^(y^-y_/y)^.Since

q2-1

is even, by replacing

y2

by

x3+Ax+B

, we rewrite the expression as

(x3+Ax+B)((x3+Ax+B)

q2-1
2

-\theta(x))

and have that

X(x)\equiv(x3+Ax+B)((x3+Ax+B)

q2-1
2

-\theta(x))\bmod\psil(x).

Here, it seems not right, we throw away
q2
x

-x\bar{q

}?

Now if

X\equivxq\bar{t

}\bmod \psi_l(x) for one

\bar{t}\in[0,(l-1)/2]

then

\bar{t}

satisfies

\phi2(P)\mp\bar{t}\phi(P)+\bar{q}P=O

for all -torsion points .

As mentioned earlier, using and

y\bar{t

}^ we are now able to determine which of the two values of

\bar{t}

(

\bar{t}

or

-\bar{t}

) works. This gives the value of

t\equiv\bar{t}\pmodl

. Schoof's algorithm stores the values of

\bar{t}\pmodl

in a variable

tl

for each prime considered.

Case 2:

q2
(x

,

q2
y

)=\pm\bar{q}(x,y)

We begin with the assumption that

q2
(x

,

q2
y

)=\bar{q}(x,y)

. Since is an odd prime it cannot be that

\bar{q}(x,y)=-\bar{q}(x,y)

and thus

\bar{t}0

. The characteristic equation yields that

\bar{t}\phi(P)=2\bar{q}P

. And consequently that

\bar{t}2\bar{q}\equiv(2q)2\pmodl

. This implies that is a square modulo . Let

q\equivw2\pmodl

. Compute

w\phi(x,y)

in

Fq[x,y]/(y2-x3-Ax-B,\psil)

and check whether

\bar{q}(x,y)=w\phi(x,y)

. If so,

tl

is

\pm2w\pmodl

depending on the y-coordinate. If turns out not to be a square modulo or if the equation does not hold for any of and

-w

, our assumption that
q2
(x

,

q2
y

)=+\bar{q}(x,y)

is false, thus
q2
(x

,

q2
y

)=-\bar{q}(x,y)

. The characteristic equation gives

tl=0

.

Additional case

l=2

If you recall, our initial considerations omit the case of

l=2

. Since we assume to be odd,

q+1-t\equivt\pmod2

and in particular,

t2\equiv0\pmod2

if and only if

E(Fq)

has an element of order 2. By definition of addition in the group, any element of order 2 must be of the form

(x0,0)

. Thus

t2\equiv0\pmod2

if and only if the polynomial

x3+Ax+B

has a root in

Fq

, if and only if

\gcd(xq-x,x3+Ax+B)1

.

The algorithm

Input: 1. An elliptic curve

E=y2-x3-Ax-B

. 2. An integer for a finite field

Fq

with

q=pb,b\ge1

. Output: The number of points of over

Fq

. Choose a set of odd primes not containing . All computations in the loop below are performed else else if is a square modulo then else else Use the Chinese Remainder Theorem to compute modulo from the equations

t\equivtl\pmodl

, where

l\inS

. Output

q+1-t

.

Complexity

Most of the computation is taken by the evaluation of

\phi(P)

and

\phi2(P)

, for each prime

l

, that is computing

xq

,

yq

,
q2
x
,
q2
y
for each prime

l

. This involves exponentiation in the ring

R=Fq[x,y]/(y2-x3-Ax-B,\psil)

and requires

O(logq)

multiplications. Since the degree of

\psil

is
l2-1
2
, each element in the ring is a polynomial of degree

O(l2)

. By the prime number theorem, there are around

O(logq)

primes of size

O(logq)

, giving that

l

is

O(logq)

and we obtain that

O(l2)=O(log2q)

. Thus each multiplication in the ring

R

requires

O(log4q)

multiplications in

Fq

which in turn requires

O(log2q)

bit operations. In total, the number of bit operations for each prime

l

is

O(log7q)

. Given that this computation needs to be carried out for each of the

O(logq)

primes, the total complexity of Schoof's algorithm turns out to be

O(log8q)

. Using fast polynomial and integer arithmetic reduces this to

\tilde{O}(log5q)

.

Improvements to Schoof's algorithm

See main article: Schoof–Elkies–Atkin algorithm.

In the 1990s, Noam Elkies, followed by A. O. L. Atkin, devised improvements to Schoof's basic algorithm by restricting the set of primes

S=\{l1,\ldots,ls\}

considered before to primes of a certain kind. These came to be called Elkies primes and Atkin primes respectively. A prime

l

is called an Elkies prime if the characteristic equation:

\phi2-t\phi+q=0

splits over

Fl

, while an Atkin prime is a prime that is not an Elkies prime. Atkin showed how to combine information obtained from the Atkin primes with the information obtained from Elkies primes to produce an efficient algorithm, which came to be known as the Schoof–Elkies–Atkin algorithm. The first problem to address is to determine whether a given prime is Elkies or Atkin. In order to do so, we make use of modular polynomials, which come from the study of modular forms and an interpretation of elliptic curves over the complex numbers as lattices. Once we have determined which case we are in, instead of using division polynomials, we are able to work with a polynomial that has lower degree than the corresponding division polynomial:

O(l)

rather than

O(l2)

. For efficient implementation, probabilistic root-finding algorithms are used, which makes this a Las Vegas algorithm rather than a deterministic algorithm.Under the heuristic assumption that approximately half of the primes up to an

O(logq)

bound are Elkies primes, this yields an algorithm that is more efficient than Schoof's, with an expected running time of

O(log6q)

using naive arithmetic, and

\tilde{O}(log4q)

using fast arithmetic. Although this heuristic assumption is known to hold for most elliptic curves, it is not known to hold in every case, even under the GRH.

Implementations

Several algorithms were implemented in C++ by Mike Scott and are available with [ftp://ftp.computing.dcu.ie/pub/crypto/ source code]. The implementations are free (no terms, no conditions), and make use of the MIRACL library which is distributed under the AGPLv3.

E(Fp)

with prime

p

.
E(F
2m

)

.

See also

References

E(Fq)

. Available at http://www.math.umn.edu/~musiker/schoof.pdf

This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Schoof's algorithm".

Except where otherwise indicated, Everything.Explained.Today is © Copyright 2009-2025, A B Cryer, All Rights Reserved. Cookie policy.