Prime Numbers


thales.doa.fmph.uniba.sk
10.12.2012

7.5 Counting points on elliptic curves                                                    355

        if(P1 + P2 == O) return 0;                      // #E = p + 1 − t with t ≡ 0 (mod l).
        P3 = P0;
        for(1 ≤ k ≤ l/2) {
            if(X-coordinates of (P1 + P2) and P3 match) {
                if(Y-coordinates also match) return k;  // Y-coordinate check.
                return l − k;
            }
            P3 = P3 + P0;
        }

In the addition tests above for matching of some coordinate between $(P_1 + P_2)$ and $P_3$, one is asking generally whether

$$(N_1/D_1,\; Y M_1/C_1) + (N_2/D_2,\; Y M_2/C_2) = (N_3/D_3,\; Y M_3/C_3),$$

and such a relation is to be checked, of course, using the usual elliptic addition rules. The polynomial $P_1 + P_2$ on the left can be combined—using the elliptic rules of Algorithm 7.2.2, with the coordinates in that algorithm being now, of course, our polynomial ratios—into polynomial form $(N'/D',\; Y M'/C')$, and this is compared with $(N_3/D_3,\; Y M_3/C_3)$. For such comparison in turn one checks whether the cross products $(N_3 D' - N' D_3)$ and $(M_3 C' - M' C_3)$ both vanish mod $(\Psi_l, p)$. As for the check on whether $P_1 + P_2 = O$, we are asking whether $M_1/C_1 = -M_2/C_2$, and this is also an easy cross product relation. The idea is that the entire implementation we are describing involves only polynomial multiplication and the mod $(\Psi_l, p)$ reductions throughout. And as we have mentioned, both polynomial multiply and mod can be made quite efficient.

In case an attempt is made by the reader to implement Algorithm 7.5.6, we give here some small cases within the calculation, for purpose of, shall we say, “algorithm debugging.” For $p = 101$ and the curve $Y^2 = X^3 + 3X + 4$ over $\mathbf{F}_p$, the algorithm gives, for $l$ selections $l = 2, 3, 5, 7$, the results

$$t \bmod 2 = 0,\quad t \bmod 3 = 1,\quad t \bmod 5 = 0,\quad t \bmod 7 = 3,$$

from which we infer $\#E = 92$. (We might have skipped the prime $l = 5$, since the product of the other primes exceeds $4\sqrt{p}$.) Along the way we have, for example,

$$\Psi_3 = 98 + 16X + 6X^2 + X^4,$$

$$(X^{p^2}, Y^{p^2}) = \bigl(32 + 17X + 13X^2 + 92X^3,\; Y(74 + 96X + 14X^2 + 68X^3)\bigr),$$

$$[2](X, Y) = \left(\frac{12 + 53X + 89X^2}{16 + 12X + 4X^3},\; Y\,\frac{74 + 10X + 5X^2 + 64X^3}{27 + 91X + 96X^2 + 37X^3}\right),$$

$$(X^p, Y^p) = \bigl(70 + 61X + 83X^2 + 44X^3,\; Y(43 + 76X + 21X^2 + 25X^3)\bigr),$$

where it will be observed that every polynomial appearing in the point coordinates has been reduced mod $(\Psi_3, p)$. (Note that $p$ in Step [Analyze ...] is 2, which is why we consider $[2](X, Y)$.) It turns out that the last point here is indeed the elliptic sum of the two points previous, consistent with the claim that $t \bmod 3 = 1$.

356 Chapter 7 ELLIPTIC CURVE ARITHMETIC

There is an important enhancement that we have intentionally left out for clarity. This is that prime powers work equally well. In other words, $l = q^a$ can be used directly in the algorithm (with the gcd for $l = 2$ ignored when $l = 4, 8, 16, \ldots$) to reduce the computation somewhat. All that is required is that the overall product of all prime-power values $l$ used (but no more than one for each prime) exceed $4\sqrt{p}$.

We have been able to assess curve orders, via this basic Schoof scheme, for primes in the region $p \approx 10^{80}$, by using prime powers $l < 100$. It is sometimes said in the literature that there is little hope of using $l$ much larger than 30, say, but with the aforementioned enhancements—in particular the large-polynomial multiply/mod algorithms covered in Chapter 8.8—the Schoof prime $l$ can be pressed to 100 and perhaps beyond.

By not taking Algorithm 7.5.6 all the way to CRT saturation (that is, not handling quite enough small primes $l$ to resolve the order), and by then employing a Shanks–Mestre approach to finish the calculation based on the new knowledge of the possible orders, one may, in turn, press this rough bound of $10^{80}$ further. However, it is a testimony to the power of the Schoof algorithm that, upon analysis of how far a “Shanks–Mestre boost” can take us, we see that only a few extra decimal digits—say 10 or 20 digits—can be added to the 80 digits we resolve using the Schoof algorithm alone. For such reasons, it usually makes more practical sense to enhance an existing Schoof implementation, rather than to piggyback a Shanks–Mestre atop it.

But can one carry out point counting for significantly larger primes?
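The “algorithm debugging” data above can be reproduced end to end before moving on to SEA. The following Python program is an added example, not code from the book or its authors: it implements the closing steps of Algorithm 7.5.6 in exactly the representation described, every point a pair of polynomial ratios $(N/D,\; Y M/C)$ reduced mod $(\Psi_l, p)$ and every equality test a cross product, so that no polynomial inversion is ever performed. It goes a little beyond the passage in that the division polynomials are generated from the standard recurrences for any $l$, the prime $l = 2$ is handled by the gcd test $\gcd(X^p - X,\; X^3 + aX + b)$, the residues are combined by CRT, and the order is re-derived by a direct count, which is the independent check one wants before trusting any Schoof implementation. Only the generic branch is implemented: the case $X^{p^2} \equiv X \pmod{\Psi_l}$ with $Y^{p^2} \not\equiv \pm Y$, which the gcd branch of Algorithm 7.5.6 handles, raises an error here. All function names (`trace_mod`, `count_points`, `divpoly`, `add`, and so on) and the schoolbook polynomial arithmetic are the example's own choices.

```python
# Schoof's algorithm for y^2 = x^3 + a x + b over F_p in the representation the text describes: a point is a
# pair of polynomial ratios (N/D, Y*M/C) reduced mod (Psi_l, p), and every equality test is a cross product.
from itertools import zip_longest
P, A, B = 101, 3, 4            # the curve of the worked example: y^2 = x^3 + 3x + 4 over F_101
F = [B, A, 0, 1]               # f(x) = x^3 + a x + b, coefficients listed low to high

def trim(u):
    while u and u[-1] == 0: u.pop()
    return u
def padd(u, v): return trim([(x + y) % P for x, y in zip_longest(u, v, fillvalue=0)])
def pscale(u, c): return trim([c * x % P for x in u])
def psub(u, v): return padd(u, pscale(v, -1))
def pmul(u, v):
    out = [0] * (len(u) + len(v) - 1) if u and v else []
    for i, x in enumerate(u):
        for j, y in enumerate(v): out[i + j] = (out[i + j] + x * y) % P
    return trim(out)
def pmod(u, m):                # remainder of u modulo a monic polynomial m
    u = u[:]
    while len(u) >= len(m):
        c, k = u[-1], len(u) - len(m)
        for i, mi in enumerate(m): u[i + k] = (u[i + k] - c * mi) % P
        trim(u)
    return u
def monic(u): return pscale(u, pow(u[-1], -1, P))
def ppow(u, e, m):             # u^e mod m by square-and-multiply
    r, u = [1], pmod(u, m)
    while e:
        if e & 1: r = pmod(pmul(r, u), m)
        u, e = pmod(pmul(u, u), m), e >> 1
    return r
def pgcd(u, v):
    while v: u, v = v, pmod(u, monic(v))
    return u

# Division polynomials psi_n as (poly, e) meaning poly(x) * y^e, e in {0, 1}, with y^2 folded into f(x).
_psi = {0: ([], 0), 1: ([1], 0), 2: ([2], 1), 3: ([-A * A % P, 12 * B % P, 6 * A % P, 0, 3], 0),
        4: (pscale([-8 * B * B - A ** 3, -4 * A * B, -5 * A * A, 20 * B, 5 * A, 0, 1], 4), 1)}
def dmul(u, v): return (pmul(u[0], v[0]), u[1] + v[1])          # product, y-exponent left unreduced
def dred(q, e):                                                 # fold y^2 -> f(x) until the exponent is 0 or 1
    while e >= 2: q, e = pmul(q, F), e - 2
    return (q, e)
def divpoly(n):
    if n not in _psi:
        m = n // 2
        pm2, pm1, pm, pp1, pp2 = (divpoly(k) for k in range(m - 2, m + 3))
        if n % 2:              # psi_{2m+1} = psi_{m+2} psi_m^3 - psi_{m-1} psi_{m+1}^3
            t1, t2 = dred(*dmul(pp2, dmul(pm, dmul(pm, pm)))), dred(*dmul(pm1, dmul(pp1, dmul(pp1, pp1))))
            _psi[n] = (psub(t1[0], t2[0]), 0)
        else:                  # psi_{2m} = psi_m (psi_{m+2} psi_{m-1}^2 - psi_{m-2} psi_{m+1}^2) / (2y)
            t1, t2 = dmul(pp2, dmul(pm1, pm1)), dmul(pm2, dmul(pp1, pp1))
            q, e = dmul(pm, (psub(t1[0], t2[0]), t1[1]))        # e == 2 here, so dividing by y leaves y^1
            _psi[n] = (pscale(q, pow(2, -1, P)), e - 1)
    return _psi[n]

def xeq(Q1, Q2, m): return pmod(psub(pmul(Q1[0], Q2[1]), pmul(Q2[0], Q1[1])), m) == []   # N1/D1 == N2/D2 ?
def yeq(Q1, Q2, m): return pmod(psub(pmul(Q1[2], Q2[3]), pmul(Q2[2], Q1[3])), m) == []   # M1/C1 == M2/C2 ?
def add(Q1, Q2, m):
    """Elliptic sum of two (N/D, Y*M/C) points mod (m, p) by the chord/tangent rules, with no inversions."""
    (N1, D1, M1, C1), (N2, D2, M2, C2), r = Q1, Q2, (lambda u: pmod(u, m))
    if not xeq(Q1, Q2, m):     # chord slope (y2 - y1)/(x2 - x1) = Y (M2 C1 - M1 C2) D1 D2 / (C1 C2 (N2 D1 - N1 D2))
        ln = r(pmul(psub(pmul(M2, C1), pmul(M1, C2)), pmul(D1, D2)))
        ld = r(pmul(pmul(C1, C2), psub(pmul(N2, D1), pmul(N1, D2))))
    elif yeq(Q1, Q2, m):       # tangent slope (3x^2 + a)/(2y) = Y (3 N^2 + a D^2) C / (2 f M D^2)
        ln = r(pmul(padd(pscale(pmul(N1, N1), 3), pscale(pmul(D1, D1), A)), C1))
        ld = r(pscale(pmul(F, pmul(M1, pmul(D1, D1))), 2))
    else: raise ValueError("Q1 = -Q2, or a non-generic l: use the gcd branch of Algorithm 7.5.6")
    ld2, dd = r(pmul(ld, ld)), r(pmul(D1, D2))                   # slope^2 = f ln^2 / ld^2 because Y^2 = f
    N3 = r(psub(pmul(pmul(F, pmul(ln, ln)), dd), pmul(ld2, padd(pmul(N1, D2), pmul(N2, D1)))))
    D3 = r(pmul(ld2, dd))                                         # x3 = slope^2 - x1 - x2
    M3 = r(psub(pmul(pmul(ln, psub(pmul(N1, D3), pmul(N3, D1))), C1), pmul(M1, pmul(ld, pmul(D1, D3)))))
    C3 = r(pmul(ld, pmul(D1, pmul(D3, C1))))                      # y3 = slope (x1 - x3) - y1
    return (N3, D3, M3, C3)
def trace_mod(l):
    """t mod l for t = p + 1 - #E, following the closing steps of Algorithm 7.5.6 (generic case only)."""
    if l == 2:                 # t even  <=>  E has a point of order 2  <=>  gcd(x^p - x, f) is non-trivial
        return 0 if len(pgcd(F, psub(ppow([0, 1], P, F), [0, 1]))) > 1 else 1
    m = monic(divpoly(l)[0])   # Psi_l, made monic so that pmod can reduce by it
    frob = lambda q: (ppow([0, 1], q, m), [1], ppow(F, (q - 1) // 2, m), [1])  # (X^q, Y^q), Y^q = Y f^((q-1)/2)
    base = ([0, 1], [1], [1], [1])                                 # the generic point (X, Y)
    P0, P1, P2 = frob(P), frob(P * P), base
    for _ in range(P % l - 1): P2 = add(P2, base, m)               # P2 = [p mod l](X, Y)
    if xeq(P1, P2, m) and yeq(P1, (P2[0], P2[1], pscale(P2[2], -1), P2[3]), m): return 0   # P1 + P2 == O
    S, P3 = add(P1, P2, m), P0
    for k in range(1, (l + 1) // 2):                               # compare with [k](X^p, Y^p), k <= (l-1)/2
        if xeq(S, P3, m): return k if yeq(S, P3, m) else l - k
        P3 = add(P3, P0, m)
    raise ValueError("no k matched: non-generic case for l = %d" % l)
def count_points(ls=(2, 3, 5, 7)):
    """CRT-combine t mod l over the given l, lift to |t| <= 2 sqrt(p) and return (#E, t, residues)."""
    res, t, mod = {l: trace_mod(l) for l in ls}, 0, 1
    for l, r in res.items(): t, mod = t + mod * ((r - t) * pow(mod, -1, l) % l), mod * l
    assert mod > 4 * P ** 0.5, "the product of the l used must exceed 4 sqrt(p)"
    t = t - mod if t > mod // 2 else t
    return P + 1 - t, t, res
def brute_count():             # direct count for tiny p: 1 + sum over x of (1 + legendre(f(x) | p))
    return 1 + sum({0: 1, 1: 2}.get(pow((x ** 3 + A * x + B) % P, (P - 1) // 2, P), 0) for x in range(P))

if __name__ == "__main__":
    print("Psi_3 =", monic(divpoly(3)[0]), " (#E, t, t mod l) =", count_points(), " direct count =", brute_count())
```

Run as a script it prints $\Psi_3$ as the coefficient list `[98, 16, 6, 0, 1]` (low order first, i.e. $98 + 16X + 6X^2 + X^4$ as above), then `(92, 10, {2: 0, 3: 1, 5: 0, 7: 3})` and the direct count 92; the doubling `add(base, base, m)` with $m = \Psi_3$ agrees, by cross product, with the $[2](X, Y)$ displayed above. `pow(x, -1, p)` needs Python 3.8 or later. Nothing in the structure changes for $p \approx 10^{80}$; what changes is that the quadratic `pmul` and `pmod` must give way to the large-polynomial multiply/mod methods of Chapter 8.8, which is the enhancement the text is pointing at.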
Indeed, the transformation of the Schoof algorithm into a “Schoof–Elkies–Atkin” (SEA) variant (see [Atkin 1986, 1988, 1992] and [Elkies 1991, 1997], with computational enhancements in [Morain 1995], [Couveignes and Morain 1994], [Couveignes et al. 1996]) has achieved unprecedented point-counting performance. The essential improvement of Elkies was to observe that for some of the $l$ (depending on $a, b, p$; in fact, for about half of possible $l$ values), a certain polynomial $f_l$ dividing $\Psi_l$ but of degree only $(l-1)/2$ can be employed, and furthermore, that the Schoof relation of (7.10) can be simplified. The Elkies approach is to seek an eigenvalue $\lambda$ with

$$(X^p, Y^p) = [\lambda](X, Y),$$

where all calculations are done mod $(f_l, p)$, whence $\#E = p + 1 - t$ with

$$t \equiv \lambda + p/\lambda \pmod{l}.$$

Because the degrees of $f_l$ are so small, this important discovery effectively pulls some powers of $\ln p$ off the complexity estimate, to yield $O(\ln^6 p)$ rather than the original Schoof complexity $O(\ln^8 p)$ [Schoof 1995]. (Note, however, that such estimates assume direct “grammar-school” multiplication of integers, and can be reduced yet further in the power of $\ln$.) The SEA ideas certainly give
