Prime Numbers


thales.doa.fmph.uniba.sk, 10.12.2012

7.5 Counting points on elliptic curves 349

Now to Shanks's application of the list intersection notion to the problem of curve order. Imagine we can find a relation for a point $P \in E$, say $[p+1+u]P = \pm[v]P$, or, what amounts to the same thing because $-(x,y) = (x,-y)$ always, we find a match between the $x$-coordinates of $[p+1+u]P$ and $[v]P$. Such a match implies that $[p+1+u \mp v]P = O$. This would be a tantalizing match, because the multiplier here on the left must now be a multiple of the order of the point $P$, and might be the curve order itself. Define an integer $W = \lceil p^{1/4}\sqrt{2}\,\rceil$. We can represent integers $k$ with $|k| < 2\sqrt{p}$ as $k = \beta + \gamma W$, where $\beta$ ranges over $[0, W-1]$ and $\gamma$ ranges over $[0, W]$. (We use the letters $\beta, \gamma$ to remind us of Shanks's baby-steps and giant-steps, respectively.) Thus, we can form a list of $x$-coordinates of the points $\{[p+1+\beta]P : \beta \in [0,\dots,W-1]\}$, calling that list $A$ (with $\#A = W$), and form a separate list of $x$-coordinates of the points $\{[\gamma W]P : \gamma \in [0,\dots,W]\}$, calling this list $B$ (with $\#B = W+1$). When we find a match, we can test directly to see which multiple $[p+1+\beta \mp \gamma W]P$ (or both) is the point at infinity. We see that the generation of baby-step and giant-step points requires $O(p^{1/4})$ elliptic operations, and the intersection algorithm has $O(p^{1/4}\ln p)$ steps, for a total complexity of $O(p^{1/4+\epsilon})$. Unfortunately, finding a vanishing point multiple is not the complete task; it can happen that more than one vanishing multiple is found (and this is why we have phrased Algorithm 7.5.1 to return all elements of an intersection). However, whenever the point chosen has order greater than $4\sqrt{p}$, the algorithm will find the unique multiple of the order in the target interval, and this will be the actual curve order. It occasionally may occur that the group has low exponent (that is, all points have low order), and the Shanks method will never find the true group order using just one point. There are two ways around this impasse.

One is to iterate the Shanks method with subsequent choices of points, building up larger subgroups that are not necessarily cyclic. If the subgroup order has a unique multiple in the Hasse interval, this multiple is the curve order. The second idea is much simpler to implement and is based on the following result of J. Mestre; see [Cohen 2000], [Schoof 1995]:

Theorem 7.5.2 (Mestre). For an elliptic curve $E(\mathbb{F}_p)$ and its twist $E'(\mathbb{F}_p)$ by a quadratic nonresidue mod $p$, we have $\#E + \#E' = 2p + 2$. When $p > 457$, there exists a point of order greater than $4\sqrt{p}$ on at least one of the two elliptic curves $E, E'$. Furthermore, if $p > 229$, at least one

350 Chapter 7 ELLIPTIC CURVE ARITHMETIC

of the two curves possesses a point $P$ with the property that the only integer $m \in (p+1-2\sqrt{p},\, p+1+2\sqrt{p})$ having $[m]P = O$ is the actual curve order.

Note that the relation $\#E + \#E' = 2p + 2$ is an easy result (see Exercise 7.16) and that the real content of the theorem lies in the statement concerning a singleton $m$ in the stated Hasse range of orders. It is a further easy argument to get that there is a positive constant $c$ (which is independent of $p$ and the elliptic curve) such that the number of points $P$ satisfying the theorem exceeds $cp/\ln\ln p$—see Exercise 7.17—so that points satisfying the theorem are fairly common. The idea now is to use the Shanks method on $E$, and if this fails (because the point order has more than one multiple in the Hasse interval), to use it on $E'$, and if this fails, to use it on $E$, and so on. According to the theorem, if we try this long enough, it should eventually work. This leads to an efficient point-counting algorithm for curves $E(\mathbb{F}_p)$ when $p$ is up to, roughly speaking, $10^{30}$. In the algorithm following, we denote by $x(P)$ the $x$-coordinate of a point $P$. In the convenient scenario where all $x$-coordinates are given by $X/Z$ ratios, the fact of denominator $Z = 0$ signifies as usual the point at infinity:

Algorithm 7.5.3 (Shanks–Mestre assessment of curve order).
Given an elliptic curve $E = E_{a,b}(\mathbb{F}_p)$, this algorithm returns the order $\#E$. For list $S = \{s_1, s_2, \dots\}$ and entry $s \in S$, we assume an index function $\mathrm{ind}(S, s)$ to return some index $i$ such that $s_i = s$. Also, list-returning function shanks() is defined at the end of the algorithm; this function modifies two global lists $A, B$ of coordinates.

1. [Check magnitude of p]
    if(p ≤ 229) return $p + 1 + \sum_{x=0}^{p-1} \left(\frac{x^3 + ax + b}{p}\right)$;   // Equation (7.8).
2. [Initialize Shanks search]
    Find a quadratic nonresidue g (mod p);
    W = $\lceil p^{1/4}\sqrt{2}\,\rceil$;   // Giant-step parameter.
    (c, d) = ($g^2 a$, $g^3 b$);   // Twist parameters.
3. [Mestre loop]   // We shall find a P of Theorem 7.5.2.
    Choose random x ∈ [0, p − 1];
    σ = $\left(\frac{x^3 + ax + b}{p}\right)$;
    if(σ == 0) goto [Mestre loop];
    // Henceforth we have a definite curve signature σ = ±1.
    if(σ == 1) E = $E_{a,b}$;   // Set original curve.
    else {
        E = $E_{c,d}$;
        x = gx;   // Set twist curve and valid x.
    }
    Define an initial point P ∈ E to have x(P) = x;
    S = shanks(P, E);   // Search for Shanks intersection.
    if(#S ≠ 1) goto [Mestre loop];   // Exactly one match is sought.
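The baby-step/giant-step search and the Mestre loop described above, as an added example in Python that is not the book's code: it works in affine coordinates instead of X/Z ratios, assumes p is a prime with p ≡ 3 (mod 4) so that a modular square root is one exponentiation, and completes the step the excerpt cuts off by converting an order found on the twist into #E via #E + #E' = 2p + 2.

```python
# Added example, not the book's code: Algorithm 7.5.3 with affine arithmetic and
# Equation (7.8) for small p. Assumes p prime with p % 4 == 3 (simple square roots).
import random
def legendre(n, p):                        # Legendre symbol (n/p): 0, 1 or -1
    s = pow(n % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s
def legendre_count(p, a, b):               # step 1: #E = p + 1 + sum of ((x^3+ax+b)/p)
    return p + 1 + sum(legendre(x**3 + a*x + b, p) for x in range(p))
def ec_add(P, Q, a, p):                    # affine points; None is the point at infinity O
    if P is None or Q is None: return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0: return None   # P == -Q
    lam = (3*x1*x1 + a) * pow(2*y1, -1, p) if P == Q else (y2 - y1) * pow(x2 - x1, -1, p)
    x3 = (lam*lam - x1 - x2) % p
    return (x3, (lam*(x1 - x3) - y1) % p)
def ec_mul(k, P, a, p):                    # [k]P by double-and-add, k >= 0
    R = None
    while k:
        if k & 1: R = ec_add(R, P, a, p)
        P, k = ec_add(P, P, a, p), k >> 1
    return R
def shanks(P, a, p):                       # all m in the Hasse interval with [m]P = O
    W = next(w for w in range(1, p) if w**4 >= 4*p)   # W = ceil(p^(1/4) * sqrt(2))
    xc = lambda Q: None if Q is None else Q[0]
    A = [xc(ec_mul(p + 1 + beta, P, a, p)) for beta in range(W)]      # baby steps
    B = [xc(ec_mul(gamma*W, P, a, p)) for gamma in range(W + 1)]      # giant steps
    found = set()
    for beta, xa in enumerate(A):
        for gamma, xb in enumerate(B):
            if xa != xb: continue          # x-match: [p+1+beta]P = +-[gamma*W]P
            for m in (p + 1 + beta - gamma*W, p + 1 + beta + gamma*W):
                if m > 0 and (m - p - 1)**2 < 4*p and ec_mul(m, P, a, p) is None:
                    found.add(m)           # check directly which sign vanishes
    return sorted(found)
def nonresidue(p):                         # smallest quadratic nonresidue g mod p
    return next(g for g in range(2, p) if legendre(g, p) == -1)
def curve_order(p, a, b):
    if p <= 229: return legendre_count(p, a, b)
    g = nonresidue(p); c, d = g*g*a % p, g**3*b % p    # twist parameters (c, d)
    while True:                            # Mestre loop
        x = random.randrange(p)
        sigma = legendre(x**3 + a*x + b, p)
        if sigma == 0: continue
        ea, eb, x = (a, b, x) if sigma == 1 else (c, d, g*x % p)   # E or twist E'
        y = pow(x**3 + ea*x + eb, (p + 1) // 4, p)                   # sqrt, p % 4 == 3
        S = shanks((x, y), ea, p)
        if len(S) == 1:                    # exactly one match is sought
            return S[0] if sigma == 1 else 2*p + 2 - S[0]   # #E + #E' = 2p + 2
```

On a constructed sample such as y² = x³ + 2x + 3 over F_1019, curve_order agrees with the Legendre-sum count of step 1; on the 6-point curve y² = x³ + 2x + 3 over F_7, shanks((2, 1), 2, 7) returns both 6 and 12, the "more than one vanishing multiple" case the text warns about.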

