Prime Numbers

7.5 Counting points on elliptic curves 359
too much larger than Z: if it is not isomorphic to Z, then it is isomorphic to
an order in an imaginary quadratic number field. (An “order” is a subring of
finite index of the ring of algebraic integers in the field.) In such a case it is
said that E has complex multiplication, or is a CM curve.
Suppose E is an elliptic curve defined over the rationals, and when
considered over the complex numbers has complex multiplication by an order
in Q( √ D), where D is a negative integer. Suppose p>3isaprimethat
does not divide the discriminant of E. We then may consider E over Fp by
reducing the coefficients of E modulo p. Suppose the prime p is a norm of
an algebraic integer in Q( √ D). In this case it turns out that we can easily
find the order of the elliptic-curve group E(Fp). The work in computing this
order does not even require the coefficients of the curve E, one only needs the
numbers D and p. And this work to compute the order is indeed simple; one
uses the Cornacchia–Smith Algorithm 2.3.13. There is additional, somewhat
harder, work to compute the coefficients of an equation defining E, but if one
can see for some reason that the order will not be useful, this extra work can
be short-circuited. This, in essence, is the idea of Atkin and Morain.
We now review some ideas connected with imaginary quadratic fields, and
the dual theory of binary quadratic forms of negative discriminant. Some of
these ideas were developed in Section 5.6. The (negative) discriminants D
relevant to curve order assessment are defined thus:
Definition 7.5.7. A negative integer D is a fundamental discriminant if the
odd part of D is squarefree, and |D| ≡3, 4, 7, 8, 11, 15 (mod 16).
Briefly put, these are discriminants of imaginary quadratic fields. Now,
associated with each fundamental discriminant is the class number h(D). As
we saw in Section 5.6.3, h(D) is the order of the group C(D) of reduced binary
quadratic forms of discriminant D. In Section 5.6.4 we mentioned how the
baby-steps, giant-steps method of Shanks can be used to compute h(D). The
following algorithm serves to do this and to optionally generate the reduced
forms, as well as to compute the Hilbert class polynomial corresponding to
D. This is a polynomial of degree h(D) with coefficients in Z such that the
splitting field for the polynomial over Q( √ D) has Galois group isomorphic to
the class group C(D). This splitting field is called the Hilbert class field for
Q( √ D) and is the largest abelian unramified extension of Q( √ D). The Hilbert
class field has the property that a prime number p splits completely in this
field if and only if there are integers u, v with 4p = u 2 + |D|v 2 . In particular,
since the Hilbert class field has degree 2h(D) over the rational field Q, the
proportion, among all primes, of primes p with 4p so representable is 1/2h(D),
[Cox 1989].
We require a function (again, we bypass the beautiful and complicated
foundations of the theory in favor of an immediate algorithm development)
∆(q) =q
1+
∞
(−1)
n=1
n
q n(3n−1)/2 + q n(3n+1)/2 24
,