Prime Numbers

7.5 Counting points on elliptic curves 353
Y times a polynomial in X alone. For n odd and not a multiple of p, we have
deg(Ψn) =(n 2 − 1)/2. Forn even and not a multiple of p, we have that the
degree of Ψn in the variable X is (n 2 − 4)/2. For a point (x, y) ∈ E(Fp) \ E[2]
we have [n]P = O if and only if Ψn(x) =0(when n is odd) and Ψn(x, y) =0
(when n is even). Further, if (x, y) ∈ E(Fp) \ E[n], then
[n](x, y) =
x − Ψn−1Ψn+1
Ψ2 ,
n
Ψn+2Ψ2 n−1 − Ψn−2Ψ2 n+1
4yΨ3 n
Note that in the last statement, if y =0,thennmust be odd (since y =0
signifies a point of order 2, and we are given that (x, y) ∈ E[n]), so y2 divides
the numerator of the rational expression in the second coordinate. In this case,
it is natural to take this expression as 0.
It is worth remarking that for odd prime l = p, thereisaunique integer t
in [0,l− 1] such that
x p2
,y p2
+[p mod l](x, y) =[t] x p ,y p for all (x, y) ∈ E[l] \{O}. (7.10)
Indeed, this follows directly from (7.9) and the consequence of Theorem 7.5.5
that E(Fp) does indeed contain points of order l. If this unique integer t could
be computed, we would then know that the order of E(Fp) is congruent to
p +1− t modulo l.
The computational significance of the relation is that using the division
polynomials, it is feasible to test the various choices for t to see which one
works. This is done as follows:
(1) Points are pairs of polynomials in Fp[X, Y ].
(2) Since the points are on E, we may constantly reduce modulo Y 2 − X 3 −
aX − b so as to keep powers of Y no higher than the first power, and
since the points we are considering are in E[n], we may reduce also by
the polynomial Ψn to keep the X powers in check as well. Finally, the
coefficients are in Fp, sothatmodp reductions can be taken with the
coefficients, whenever convenient. These three kinds of reductions may be
taken in any order.
(3) High powers of X, Y are to be reduced by a powering ladder such as that
provided in Algorithm 2.1.5, with appropriate polynomial mods taken
along the way for continual degree reduction.
(4) The addition on the left side of (7.10) is to be simulated using the formulae
in Definition 7.1.2.
On the face of it, explicit polynomial inversion—from the fundamental
elliptic operation definition—would seem to be required. This could be
accomplished via Algorithm 2.2.2, but it is not necessary to do so because
of the following observation. We have seen in various elliptic addition
algorithms previous that inversions can be avoided by adroit representations of
coordinates. In actual practice, we have found it convenient to work either with
the projective point representation of Algorithm 7.2.3 or a “rational” variant
.