Prime Numbers

358 Chapter 7 ELLIPTIC CURVE ARITHMETIC
But with modified title, that title now ending with “... square roots mod p,”
the modified paper [Schoof 1985] was, as we appreciate, finally published.
Though the SEA method remains as of this writing the bastion of hope
for point counting over E(Fp) withp prime, there have been several very
new—and remarkable—developments for curves E(F p d) where the prime p is
small. In fact, R. Harley showed in 2002 that the points can be counted, for
fixed characteristic p, intime
O(d 2 ln 2 d ln ln d),
and succeeded in counting the points on a curve over the enormous field
F 2 130020. Other lines of development are due to T. Satoh on canonical lifts
and even p-adic forms of the arithmetic-geometric mean (AGM). One good
way to envision the excitement in this new algebraic endeavor is to peruse the
references at Harley’s site [Harley 2002].
7.5.3 Atkin–Morain method
We have addressed the question, given a curve E = Ea,b(Fp), what is #E? A
kind of converse question—which is of great importance in primality proving
and cryptography is, can we find a suitable order #E, andthen specify a
curve having that order? For example, one might want a prime order, or an
order 2q for prime q, or an order divisible by a high power of 2. One might
call this the study of “closed-form” curve orders, in the following sense: for
certain representations 4p = u 2 + |D|v 2 , as we have encountered previously in
Algorithm 2.3.13, one can write down immediately certain curve orders and
also—usually with more effort—the a, b parameters of the governing cubic.
These ideas emerged from the seminal work of A. O. L. Atkin in the latter
1980s and his later joint work with F. Morain.
In order to make sense of these ideas it is necessary to delve a bit into some
additional theoretical considerations on elliptic curves. For a more thorough
treatment, see [Atkin and Morain 1993b], [Cohen 2000], [Silverman 1986].
For an elliptic curve E defined over the complex numbers C, onemay
consider the “endomorphisms” of E. These are group homomorphisms from
the group E to itself that are given by rational functions. The set of such
endomorphisms, denoted by End(E), naturally form a ring, where addition
is derived from elliptic addition, and multiplication is composition. That is,
if φ, σ are in End(E), then φ + σ is the endomorphism on E that sends a
point P to φ(P )+σ(P ), the latter “+” being elliptic addition; and φ · σ is
the endomorphism on E that sends P to φ(σ(P )).
If n is an integer, the map [n] that sends a point P on E to [n]P is a member
of End(E), since it is a group homomorphism and since Theorem 7.5.5 shows
that [n]P has coordinates that are rational functions of the coordinates of
P . Thus the ring End(E) contains an isomorphic copy of the ring of integers
Z. It is often the case, in fact usually the case, that this is the whole story
for End(E). However, sometimes there are endomorphisms of E that do not
correspond to an integer. It turns out, though, that the ring End(E) is never