Prime Numbers

7.5 Counting points on elliptic curves 351
Set s as the (unique) element of S;
β = ind(A, s); γ = ind(B,s); // Find indices of unique match.
Choose sign in t = β ± γW such that [p +1+t]P == O on E;
return p +1+σt; // Desired order of original curve Ea,b.
4. [Function shanks()]
shanks(P, E) { // P is assumed on given curve E.
A = {x([p +1+β]P ):β ∈ [0,W − 1]}; //Baby steps.
B = {x([γW]P ):γ ∈ [0,W]}; // Giant steps.
return A ∩ B; // Via Algorithm 7.5.1.
}
Note that assignment of point P based on random x canbedoneeitheras
P =(x, y, 1), where y is a square root of the cubic form, or as P =[x :1]in
case Montgomery parameterization—and thus, avoidance of y-coordinates—
is desired. (In this latter parameterization, the algorithm should be modified
slightly, to use notation consistent with Theorem 7.2.6.) Likewise, in the
shanks() function, one may use Algorithm 7.2.7 (or more efficient, detailed
application of the addh(), doubleh() functions) to get the desired point
multiples in [X : Z] form, then construct the A, B lists from numbers XZ −1 .
One can even imagine rendering the entire procedure inversionless, by working
out an analogue of baby-steps, giant-steps for lists of (x, z) pairs, seeking
matches not of the form x = x ′ , rather of the form xz ′ = zx ′ .
The condition p>229 for applicability of the Shanks–Mestre approach
is not artificial: There is a scenario for p = 229 in which the existence of a
singleton set s of matches is not guaranteed (see Exercise 7.18).
7.5.2 Schoof method
Having seen point-counting schemes of complexities ranging from O p1+ɛ to O p1/2+ɛ and O p1/4+ɛ , we next turn to an elegant point-counting
algorithm due to Schoof, which algorithm has polynomial-time complexity
O ln k
p for fixed k. The basic notion of Schoof is to resolve the order #E
(mod l) for sufficiently many small primes l, so as to reconstruct the desired
order using the CRT. Let us first look at the comparatively trivial case of #E
(mod 2). Now, the order of a group is even if and only if there is an element
of order 2. Since a point P = O has 2P = O if and only if the calculated
slope (from Definition 7.1.2) involves a vanishing y-coordinate, we know that
points of order 2 are those of the form P =(x, 0). Therefore, the curve order
is even if and only if the governing cubic x 3 + ax + b has roots in Fp. This,in
turn, can be checked via a polynomial gcd as in Algorithm 2.3.10.
To consider #E (mod l) for small primes l > 2, we introduce a few
more tools for elliptic curves over finite fields. Suppose we have an elliptic
curve E(Fp), but now we consider points on the curve where the coordinates
are in the algebraic closure Fp of Fp. Raising to the p-th power is a field
automorphism of Fp that fixes elements of Fp, so this automorphism, applied