Prime Numbers

7.3 The theorems of Hasse, Deuring, and Lenstra 333
Algorithm 7.2.8 (Sum/difference without y-coordinates (Crandall)). For
an elliptic curve E determined by the cubic
y 2 = x 3 + Cx 2 + Ax + B,
we are given the unequal x-coordinates x1,x2 of two respective points P1,P2.
This algorithm returns a quadratic polynomial whose roots are (in unspecified
order) the x-coordinates of P1 ± P2.
1. [Form coefficients]
G = x1 − x2;
α =(x1x2 + A)(x1 + x2)+2(Cx1x2 + B);
β =(x1x2 − A) 2 − 4B(x1 + x2 + C);
2. [Return quadratic polynomial]
return G 2 X 2 − 2αX + β;
// This polynomial vanishes for x+,x−, thex-coordinates of P1 ± P2.
It turns out that the discriminant 4(α 2 − βG 2 )mustalwaysbesquareinthe
field, so that if one requires the explicit pair of x-coordinates for P1 ± P2, one
may calculate
α ± α2 − βG2
G −2
in the field, to obtain x+,x−, although again, which sign of the radical goes
with which coordinate is unspecified (see Exercise 7.11). The algorithm thus
offers a test of whether P3 = P1±P2 for a set of three given points with missing
y-coordinates; this test has value in certain cryptographic applications, such as
digital signature [Crandall 1996b]. Note that the missing case of the algorithm,
x1 = x2 is immediate: One of P1 ± P2 is O, the other has x-coordinate as in
the last part of Theorem 7.2.6. For more on elliptic arithmetic, see [Cohen et
al. 1998]. The issue of efficient ladders for elliptic arithmetic is discussed later,
in Section 9.3.
7.3 The theorems of Hasse, Deuring, and Lenstra
A fascinating and difficult problem is that of finding the order of an elliptic
curve group defined over a finite field, i.e., the number of points including
O on an elliptic curve Ea,b(F ) for a finite field F .ForfieldFp, withprime
p>3, we can immediately write out an exact expression for the order #E
by observing, as we did in the simple Algorithm 7.2.1, that for (x, y) tobea
point, the cubic form in x must be a square in the field. Using the Legendre
symbol we can write
#E (Fp) =p +1+
3 x + ax + b
p
x∈Fp
(7.8)
as the required number of points (x, y) (modp) that solve the cubic (mod p),
with of course 1 added for the point at infinity. This equation may be