Prime Numbers

7.5 Counting points on elliptic curves 347
difficulties of a problem before having solved it.” The paper [Brent et al. 2000]
indicates other test values for recent factors of other Fermat numbers. Such
data are extremely useful for algorithm debugging. In fact, one can effect a
very rapid program check by taking the explicit factorization of a known curve
order, starting with a point P , and just multiplying in the handful of primes,
expecting a successful factor to indicate that the program is good.
As we have discussed, ECM is especially suitable when the hidden prime
factor is not too large, even if n itself is very large. In practice, factors
discovered via ECM are fairly rare in the 30-decimal-digit region, yet more
rare in the 40-digit region, and so far have a vanishing population at say 60
digits.
7.5 Counting points on elliptic curves
We have seen in Section 7.3 that the number of points on an elliptic
curve defined over a prime finite field Fp is an integer in the interval
( √ p − 1) 2 , ( √ p +1) 2 . In this section we shall discuss how one may go about
actually finding this integer.
7.5.1 Shanks–Mestre method
For small primes p, less than 1000, say, one can simply carry out the explicit
sum (7.8) for #Ea,b(Fp). But this involves, without any special enhancements
(such as fast algorithms for computing successive polynomial evaluations),
O(p ln p) field operations for the O(p) instances of (p − 1)/2-th powers. One
can do asymptotically better by choosing a point P on E, and finding all
multiples [n]P for n ∈ (p +1− 2 √ p, p +1+2 √ p), looking for an occurrence
[n]P = O. (Note that this finds only a multiple of the order of P —it is the
actual order if it occurs that the order of P has a unique multiple in the
interval (p +1− 2 √ p, p +1+2 √ p), an event that is not unlikely.) But this
approach involves O( √ p ln p) field operations (with a fairly large implied big-O
constant due to the elliptic arithmetic), and for large p, say greater than 10 10 ,
√p
k
this becomes a cumbersome method. There are faster O ln p algorithms
that do not involve explicit elliptic algebra (see Exercise 7.26), but these, too,
are currently useless for primes of modern interest in the present context,
say p ≈ 10 50 and beyond, this rough threshold being driven in large part by
practical cryptography. All is not lost, however, for there are sophisticated
modern algorithms, and enhancements to same, that press the limit on point
counting to more acceptable heights.
There is an elegant, often useful, O(p 1/4+ɛ ) algorithm for assessing curve
order. We have already visited the basic idea in Algorithm 5.3.1, the babysteps,
giant-steps method of Shanks (for discrete logarithms). In essence this
algorithm exploits a marvelous answer to the following question: If we have two
length-N lists of numbers, say A = {A0,...,AN−1} and B = {B0,...,BN−1},
how many operations (comparisons) are required to determine whether A ∩ B