AN EXPOSITION OF SCHOOF’S ALGORITHM
ALEJANDRA ALVARADO
ARIZONA STATE UNIVERSITY
Abstract. Elliptic curves have a number of important applications in different areas, including cryptography. In particular, it is often important that
curves have a large number of points over a given finite field, or at least that
the number of points only admit certain types of prime factors. Given a (perhaps randomly chosen) elliptic curve, there are many ways to either count
the points or at least obtain information about the number of points, and
finding algorithms that do this efficiently is still an area of research. Here
we will describe one such method, Schoof’s algorithm, along with a Pari/GP
implementation, and compare its running time with brute force search.
Contents
1. Introduction
2. An Analogy of Schoof: the Chinese Remainder Theorem
3. Background definitions and theorems
4. Schoof’s Algorithm
5. Improvements on Schoof’s Algorithm
6. An example in PARI
References
1
3
3
4
7
8
12
1. Introduction
Consider an elliptic curve, such as given by the Weierstrass equation
y 2 = x3 − x + 1.
Although one could consider the locus of real-valued solutions to this equation,
which leads to the familiar pictures of elliptic curves, one can instead consider
solutions (x, y) defined over a given finite field Fq . Together with the “point at
infinity” as identity element, these solutions form a finite abelian group. By varying
both the finite field and the elliptic curve defined over that finite field, we thus have
a source of possibly interesting finite groups; these groups in turn can be used in
various applications, from primality testing to factoring to various cryptosystems.
In the applications, it is important to ideally know the order of the finite group; or,
at a minimum, to know some information about that order, such as knowing the
order does not admit small prime factors. Determining the order of the group is
equivalent to the point counting problem, the problem of determining the number
of points on the given curve.
Date: March 15, 2005.
1
2
ALEJANDRA ALVARADO ARIZONA STATE UNIVERSITY
P’
P2
P1
P3
Figure 1. Addition of Points on an Elliptic Curve
Since we are working over a finite field, there is a simple brute force algorithm
for counting the points on the elliptic curve y 2 = f (x): for each x ∈ Fq , determine
whether the number f (x) ∈ Fq is zero (one point), a nonzero square (two points),
or a nonsquare (no points); add up all the points, and include the point at infinity.
The running time of this algorithm depends partly on how hard it is to determine
whether an element of Fq is a square. Although better algorithms exist, let’s just
consider a brute force algorithm for that as well: given f (x) ∈ Fq , for each y ∈ Fq
we ask whether y 2 = f (x)? It takes log q bits to represent numbers in Fq , and
about n2 bit operations to multiply two numbers of bitsize n. Therefore, it takes
q(log q)2 bit operations to brute force test whether f (x) is a square, and it takes
O((log q)2 ) operations to evaluate f (x) itself, leading to about O(q · ((log q)2 ) ·
q(log q)2 ) operations overall. In summary, counting points on y 2 = f (x) over Fq by
brute force is at worst a O(q 2 (log q)4 ) algorithm.
An algorithm is theoretically better if its big-oh running time is better. An
algorithm is better in practice at a particular time in human history if, on the
size problems being run on the computers in use at that time, the algorithm is
preferred because of some subjective combination of either running faster, or using
less memory, or being easier to implement [4].
For point counting on elliptic curves, in addition to brute force, some of the
algorithms in use today are Baby Step/Giant Step and Cornacchia’s algorithm [7].
In 1985, René Schoof presented the algorithm which we will be discussing in this
paper [8]. In this paper, we will describe this algorithm, including an implementation in Pari/GP. Schoof’s algorithm was subsequently refined by Atkin and Elkies,
and we will briefly touch on this towards the end [1].
AN EXPOSITION OF SCHOOF’S ALGORITHM
3
2. An Analogy of Schoof: the Chinese Remainder Theorem
Consider the following example. Suppose we want to determine x (mod 46013)
given x ≡ 8 (mod 11), x ≡ 3 (mod 47) and x ≡ 28 (mod 89). To solve this
problem, we refer to the following theorem and algorithm.
Theorem 1 (Chinese Remainder Theorem). Let a1 , a2 , ..., at be any t integers and
m1 , m2 , ..., mt integers such that gcd(mi , mj ) = 1 whenever i 6= j. Then there exists
a unique solution a (mod m1 · · · mt ) with the property that a ≡ ai (mod mi ) for
i = 1, 2, ..., t.
Chinese Remainder Algorithm (Sun Zi) Given the above congruences, we first
compute values for s1 , ..., st satisfying si ≡ 1 (mod mi ), si ≡ 0 (mod mj ) for i 6= j.
Then
t
X
a=
ai si (mod m1 · · · mt )
i=1
is the smallest nonnegative solution modulo m1 m2 · · · mt .
The original Chinese Remainder problem and algorithm was proposed by Sun
Zi, a Chinese mathematician, around the first century A.D. [3, p. 14]. Proof for the
Chinese Remainder theorem can be found in any standard number theory textbook.
Applying the algorithm to our example modulo 46013, we find that x ≡ 42303
(mod 46013). If, in addition, we are given |x| ≤ 4000, then x = −3710. In other
words, combining a congruence with a size restriction allows a unique solution to
be found.
The idea behind Schoof’s algorithm is to count the number of points on the curve
modulo l, for a certain number of primes l, and then to apply the Chinese Remainder
theorem to find the number of points modulo the product of these primes. Finally,
using Hasse’s bound (see below), we can determine the exact number of points.
3. Background definitions and theorems
Before we begin discussing the algorithm, we need some background. We assume
the reader is quite familiar with the theory of elliptic curves as presented in [9].
Included in this section are the results we need that do not appear there.
We expect the order of E(Fq ) to be close to q + 1. The reason is as follows.
There are q possibilities for the x coordinates and about half of these are solutions
to equation y 2 + a1 xy + a3 y = x3 + a2 x2 + a4 x + a6 . Of those solutions, we have
two choices for y, unless y = 0. Including the point at infinity, we have about q + 1
expected points on E. Let a = q + 1 − #E(Fq ) be the integer measuring how much
#E(Fq ) deviates from the expected value.
Definition 2. Let E be an elliptic curve defined over Fq . Then the Frobenius
endomorphism φq is defined by φq (x, y) = (xq , y q ).
Theorem 3. Let E be an elliptic curve over Fq . Let a = q + 1 − #E(Fq ) as above.
Then there exists a unique integer a such that
φ2q − aφq + q = 0.
(1)
Furthermore,
(2)
a ≡ Trace(φq,m ) (mod m) for all m with gcd(m, q) = 1,
4
ALEJANDRA ALVARADO ARIZONA STATE UNIVERSITY
where φq,m is the matrix induced by φq which describes the action of φq on E[m].
Additionally, det(φq,m ) ≡ q (mod m).
Proof. See [10, ch. 4].
The following theorem, due to H. Hasse, gives a nice approximation to the number of points on an elliptic curve over finite fields.
Theorem 4 (Hasse). Let E be an elliptic curve over the finite field F q , and let
√
a = q + 1 − #E(Fq ). Then |a| ≤ 2 q.
Proof. See [10, p. 91].
The following theorem is necessary to estimate the running time of Schoof’s
algorithm.
Theorem 5 (Prime Number Theorem). Let π(x) denote the number of primes less
π(x)
than x. Then π(x) is asymptotically approximately logx x ; precisely, lim
= 1.
x→∞ x/ log x
Proof. Omitted, see [5].
The number of primes less than x is O(x/ log x) each with O(log x) binary digits.
So the number of binary digits of the product of all these primes is O(x). The
number of bit operations to compute the product of all prime numbers less than x
is therefore O(x2 ).
4. Schoof’s Algorithm
When generating curves for elliptic curve cipher systems, the order of the group
of points is important. The main method for generating these curves depends on
the point counting problem. We require, at least, for the group to be divisible by
a large prime factor. By large we mean at least 160 bits in length [1].
Being able to randomly choose an elliptic curve over large finite fields is important in elliptic curve cryptosystems. The point counting problem, the problem
of determining the number of points on this curve, is important. In some elliptic
curve cipher systems, the order does not need to be known, but its security depends
upon the order having large prime factors. The following algorithm is one technique
which has become the basis of most current efficient schemes for counting points
on an elliptic curve.
Let E be an elliptic curve of the form y 2 = x3 + Ax + B over the finite field Fq
where q = pn , p is prime. Assume that the characteristic is not 2 or 3. In [1], the
authors also consider curves of the form y 2 + xy = x3 + a6 over F2n , a6 6= 0, which
√
we won’t do here. By Hasse’s Theorem, recall #E(Fq ) = q + 1 − a where |a| ≤ 2 q.
Let S be the set of primes, S = {2, 3, ..., L} such that the product of all its
√
elements is larger than 4 q, the length of the interval over which a lies in. We will
also assume that the characteristic p of Fq is not an element in S. The idea behind
Schoof’s algorithm is to find a mod l for all l ∈ S, then use the Chinese Remainder
Theorem to determine a, see [8].
I. Suppose l = 2. If x3 +Ax+B has a root α ∈ Fq , then (α, 0) is a point of order
two. So (α, 0) ∈ E[2]. By Lagrange’s Theorem, E(Fq ) has even order, so
q +1−a ≡ 0 mod 2, i.e., a ≡ 0 mod 2. To determine whether x3 +Ax+B
has a root in E(Fq ), consider the equation xq − x = 0. Recall the solutions
AN EXPOSITION OF SCHOOF’S ALGORITHM
5
to the given equation are precisely the elements in Fq = {α ∈ Fq |αq = α}.
Thus, x3 + Ax + B has a root in Fq if and only if it has a root in common
with xq − x = 0, i.e., the gcd(x3 + Ax + B, xq − x) 6= 1. Note that if
q is very large, we can replace xq with xq ≡ xq mod (x3 + Ax + B). If
gcd(x3 + Ax + B, xq − x) = 1, then there is no common root, so a ≡ 1
mod 2.
II. Suppose l 6= 2. Recall that the division polynomial ψn is a function of x
for n odd, and (x, y) ∈ E[n] ⇐⇒ ψn (x) = 0.
A. Let P = (x, y) ∈ E[l]∗ , the nontrivial l-torsion points, and let k ≡ q
(mod l) such that |k| < 2l . Let φ be the Frobenius endomorphism as
discussed in section 3. We will omit the subscript for the remainder of
the paper. Then
φ2 − aφ + q = 0.
(3)
2
2
In other words, (xq , y q ) + [k](x, y) = [a](xq , y q ).
B. Assume φ2 P 6= [k]P for every P ∈ E[l]∗ and denote (xn , yn ) :=
2
2
[n](x, y). We want to determine whether a j exists such that (xq , y q )+
(xk , yk ) = (xqj , yjq ) for some j ∈ {1, 2, ..., l − 1}. This procedure tests
if ±j is our required a, since the x coordinates are the same for either
sign and the y coordinates may differ by a constant. Since we will only
evaluate the x coordinates, we only need to consider j ∈ {1, 2, ..., l−1
2 }
q
q
q2
q2
and (x , y ) + (xk , yk ) = ±(xj , yj ).
2
2
The addition of points is an endomorphism. So (xq , y q ) + (xk , yk ) =
(G1 (x), yH1 (x)) for rational functions G1 and H1 . We also have (xqj , yjq ) =
(G2 (x), yH2 (x)) since this is just the multiplication by j map. According to the group law,
2
H1 (x) =
(4)
y q − yk
xq 2 − x k
!2
2
− xq − xk
!2
2
− ry,k (x)
=y
− xq − xk
2
q
x − xk
"
#2
q2 −1
2
(x3 + Ax + B) 2 − ry,k (x)
3
= (x + Ax + B)
− xq − xk ,
2
q
x − xk
2
yq
2
−1
where yk = yry,k (x) and ry,k (x) is a rational function. Now, (G1 (x), yH1 (x)) =
±(G2 (x), yH2 (x)) if and only if G1 (x) = G2 (x) for a point (x, y) ∈ E[l].
2
Since E[l] w Z/lZ × Z/lZ, there are l 2 − 1 nonzero elements and l −1
2
2
distinct x coordinates. Recall ψl has degree l 2−1 , so this is a minimal
polynomial whose roots are all the x coordinates of elements in E[l].
Thus, for (x, y) ∈ E[l], ψl |G1 − G2 if and only if G1 (x) = G2 (x).
6
(5)
ALEJANDRA ALVARADO ARIZONA STATE UNIVERSITY
Suppose we found j such that (G1 (x), yH1 (x)) = (G2 (x), ±yH2 (x)),
i.e., a ≡ ±j mod l. To determine the sign, consider
!
2
2
2
y q − yk
yH1 (x) =
(xq − G1 (x)) − y q
2
q
x − xk
q2 −1
(x3 + Ax + b) 2 − ry,k (x) q2
(x − G1 (x)) − yr(x)
=y
xq 2 − x k
2
where y q = yr(x). So
H1 (x)
y
is a rational function of x, and similarly,
H2 (x)
y
2
is a rational function of x, as mentioned earlier. If H1 −H
≡0
y
mod ψl , then a ≡ j mod l. Otherwise, a ≡ −j mod l.
C. Now suppose no such j works. Then there must exist a P ∈ E[l]∗
such that φ2 (P ) = ±[k]P . We now first test as follows. To determine
whether such a P exists, we want to check whether the x coordinates
2
are the same, i.e., check whether xq = xk holds. Recall xk = x −
ψk−1 ψk+1
. In other words,
ψk2

k+1 (x)
 x − f2k−1 (x)f
if k even;
2
fk (x)(x3 +Ax+B)
xq =
3
f
(x)f
(x)(x
+Ax+B)
k+1
 x − k−1
if k odd.
f 2 (x)
k
By rewriting, without denominators, we have
2
(xq − x)fk2 (x)(x3 + Ax + B) + fk−1 (x)fk+1 (x) = 0, k even
2
(xq − x)fk2 (x) + fk−1 (x)fk+1 (x)(x3 + Ax + B) = 0, k odd
if and only if φ2 (P ) = ±[k]P .
To determine whether a point P exists with one of the above properties, compute the gcd of the left hand side of the above equation and
fl (x). If their gcd is not one, then a nonzero point P exists in E[l].
Otherwise, a 6≡ 0 mod l and we need to check if there exists a j such
2
2
that (xq , y q ) + [k](x, y) = [j](xq , y q ).
Suppose this P exists. If φ2 (P ) = +[k]P , then [2k]P = [a]φ(P ).
It follows that [ 2k
a ]P = φ(P ) for the following reasons. Recall k ≡ q
(mod l) 6≡ 0 (mod l) since l 6= p. Notice [2k]P 6= 0 since l 6= 2
and 0 < |k| < 2l . And since φ(P ) 6= 0, a 6≡ 0 (mod l). Take φ
4k2
2
2
on both sides, [ 2k
≡ 4k
a ]φ(P ) = φ (P ) ⇒ [ a2 ]P = [k]P ⇒ a
2
2
mod l ⇒ a ≡ 4q mod l. Thus, q ≡ w (mod l). If q is not a
square mod l, then we cannot be in this case and so a ≡ 0 (mod l).
But if q ≡ w2 (mod l), then [(φ + w)(φ − w)]P = [φ2 − q]P = O.
Either [φ − w]P = O or [φ + w]P 0 = O where P 0 = [φ − w]P .
So φP = ±[w]P for some point P ∈ E[l]. Since φ(P ) = [ 2k
a ]P ,
2
a ≡ ±2w mod l. If φP = [w]P , then O = [φ − aφ + q]P =
[q − aw + q]P ⇒ [2q]P = [aw]P ⇒ [2w 2 ]P = [aw]P ⇒ a ≡ 2w
mod l. Similarly, if φ(P ) = −[w]P then a ≡ −2w mod l. To check
whether we are even in the case φ(P ) = ±[w]P , we need to determine whether or not y q = ±yw . If gcd(numerator(xq − xw ), ψl ) 6= 1,
AN EXPOSITION OF SCHOOF’S ALGORITHM
7
then such a point exists. To determine the sign, compute the y coq
w
ordinates as follows. Compute gcd(numerator( y −y
, ψl ). If this gcd
y
is not one, a ≡ 2w mod l. Otherwise, a ≡ −2w mod l. Finally, if
2
2
gcd(numerator(xq − xw ), ψl ) = 1, then (xq , y q ) = −[q](x, y). This
implies a ≡ 0 mod l since [a]φ(P ) = 0 but φ(P ) 6= 0.
Below we give a summary of Schoof’s algorithm. Recall E : y 2 = x3 + Ax + B
over Fq and we want to determine #E(Fq ) = q + 1 − a. Let S = Q
{2, 3, ..., L}, a
√
set of primes such that the characteristic of the field is not in S and l > 4 q for
l ∈ S.
I. Let l = 2. If gcd(x3 + Ax + B, xq − x) = 1, then a ≡ 1 mod 2. Else, a ≡ 0
mod 2.
II. For each prime l ∈ S, l 6= 2, do the following:
A. Let k ≡ q mod l such that |k| < 2l .
B. For j = 1, 2, ..., l−1
2 , do the following:
i. If numerator(x0 − xqj ) ≡ 0 mod ψl , then:
a. If (y 0 −yjq )/y ≡ 0 mod ψl , then a ≡ j mod l. Else, a ≡ −j
mod l. In either case, go to next l ∈ S.
ii. Else, go to next j.
C. If no j works, do the following:
i. Let w2 ≡ q mod l. If w does not exist, then a ≡ 0 mod l and
go to next l ∈ S. Else:
a. If gcd(numerator(xq − xw ), ψl ) = 1, then a ≡ 0 mod l and
go to next l ∈ S. Else:
b. If gcd(numerator((y q −ym )/y), ψl ) 6= 1, then a ≡ 2w mod l.
Else, a ≡ −2w mod l. In either case, Q
go to next l ∈ S.
III. Use Chinese Remainder theorem to compute a mod
l. We want to find
√
a value of a such that |a| ≤ 2 q. Once we have found a, we can determine
#E(Fq ) = q + 1 − a.
Schoof’s algorithm is a deterministic algorithm. Let us now determine the
running time. The degrees of fl are O(l2 ) = O(log2 q). Elements of the ring
Fq [x, y]/hfl , y 2 − x3 − Ax − Bi have size O(l 2 log q) = O(log3 q). Since most of
2
2
the computation done in this ring is in finding xq , y q , xq , y q , O(log q(log3 q)2 ) =
O(log7 q) bit operations are required. By the Prime Number theorem, there are
O(log q) primes in S, so the total amount of work involved is O(log 8 q). Thus,
Schoof’s algorithm is a polynomial time algorithm in log q. Comparing with our
earlier estimates for brute force, we see that Schoof’s algorithm does better.
5. Improvements on Schoof’s Algorithm
Improvements have been made on Schoof’s algorithm, most notably, by Elkies
and Atkins, see [1]. Improvements depend on equation (3), taken modulus l for
each l in S, as in Schoof’s algorithm. The techniques of Elkies and Atkins depend
on the roots of the characteristic equation of the Frobenius map
(6)
u2 − au + q = 0 mod l.
If the discriminant of this equation ∆ = a2 − 4q is a square modulo l, l is called an
Elkies prime, otherwise it is called an Atkins prime. Since a is unknown, this new
algorithm uses modular polynomials, as described in [7].
8
ALEJANDRA ALVARADO ARIZONA STATE UNIVERSITY
Definition 6. Modular polynomials are symmetric polynomials over Z written
as Φn (x, y), where n ∈ N and the coefficient of the highest power of x is 1.
When n = p, a prime, it can be shown that Φn (x, y) = xp+1 − xp y p + y p+1 plus
terms of the form aij xi y j where i, j ≤ p and i + j < 2p. One of the properties
of these modular polynomials is the rapid growth of some of its coefficients as n
increases.
The new algorithm is known as the SEA algorithm. The Elkies portion of the
algorithm is O(log6 q) and the Atkins portion is exponential. This is an improvement on time estimates, compared to O(log8 q) of Schoof’s algorithm. It turns out
that using only Elkies primes has some disadvantages. The best approach would
be to use a small subset of Atkins primes in the algorithm.
6. An example in PARI
Example 7. Consider the curve y 2 = x3 + 23x + 8 over F67 . By Hasse’s theorem,
we know 52 ≤ #E(F67 ) ≤ 84 and #E(F67 ) = 68 − a, where a is the trace of
the Frobenius map. Choose a set of primes S = {2, 3, 5, 7}. We apply Schoof ’s
algorithm for each prime in the set, and we find the following congruences:
a ≡ 1 mod 2
a ≡ 0 mod 3
a ≡ 2 mod 5
a ≡ 4 mod 7
√
By the Chinese Remainder theorem, a ≡ 207 mod 210. Since |a| < 2 67 < 33,
a = −3 and so #E(F67 ) = 71.
The calculations in this paper have been done in PARI, [6]. The following program was written to calculate the above example. The function elldivpol can be
found in [2]. The program works well with primes under 100 and overflows for
larger primes. The input is an elliptic curve in Weierstrass form over Fp , p prime.
The brute force algorithm is included in the program, and is denoted by jecc.
For small primes, brute force is much faster. But for large q, Schoof’s algorithm
is faster. The SEA algorithm has been successful when q is several hundred digits.
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
\\ Elldivpol0(e,n) returns a polynomial in x whose zeros are the
\\ (x-coordinates of the) non-zero points P on e satisfying n*P=0
\\ and 2*P!=0.
\\ Elldivpol(e,n) returns a polynomial in x,y whose zeros are the
\\ non-zero points P on e satisfying n*P=0. Same as elldivpol0(e,n)
\\ when n is odd, but when n is even it equals
\\ elldivpol0(e,n)*(2*y+a1*x+a3). Users are only expected to use
\\ elldivpol normally.
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
global(x,y);
{ elldivpol(e,n)=
AN EXPOSITION OF SCHOOF’S ALGORITHM
9
if(n%2==1,elldivpol0(e,n),elldivpol0(e,n)*(2*y+e[1]*x+e[3]));}
{ elldivpol0(e,n)= local(m,a1,a2,a3,a4,a6,t1,t2,f1,f2,psi24);
a1=e[1];a2=e[2];a3=e[3];a4=e[4];a6=e[5]; f1=x^3+a2*x^2+a4*x+a6;
f2=a1*x+a3; n=abs(n);
if(n==0,return(0));
if(n==1,return(1));
if(n==2,return(1));
if(n==3,return(3*x^4+(a1^2+4*a2)*x^3+(3*a1*a3+6*a4)*x^2+
(3*a3^2+12*a6)*x+a1^2*a6-a1*a3*a4+a2*a3^2+4*a2*a6-a4^2));
if(n==4,return(2*x^6+(a1^2+4*a2)*x^5+(5*a1*a3+10*a4)*x^4+(10*a3^2+40*a6)
*x^3+(10*a1^2*a6-10*a1*a3*a4+10*a2*a3^2+40*a2*a6-10*a4^2)*x^2+(a1^4*a6a1^3*a3*a4+a1^2*a2*a3^2+8*a1^2*a2*a6-a1^2*a4^2-4*a1*a2*a3*a4-a1*a3^34*a1*a3*a6+4*a2^2*a3^2+16*a2^2*a6-4*a2*a4^2-2*a3^2*a4-8*a4*a6)*x+a1^3*
a3*a6-a1^2*a3^2*a4+2*a1^2*a4*a6+a1*a2*a3^3+4*a1*a2*a3*a6-3*a1*a3*a4^2+
2*a2*a3^2*a4+8*a2*a4*a6-a3^4-8*a3^2*a6-2*a4^3-16*a6^2));
\\ general case, use recursion
\\ If n is odd, n=2m+1:
if(n%2==1,m=(n-1)/2;
t1=elldivpol0(e,m+2)*elldivpol0(e,m)^3;
t2=elldivpol0(e,m-1)*elldivpol0(e,m+1)^3; psi24=(4*f1+f2^2)^2;
if(m%2==1,return(t1-psi24*t2),return(psi24*t1-t2)));
\\ Now n is even, n=2m:
m=n/2; t1=elldivpol0(e,m+2)*elldivpol0(e,m-1)^2;
t2=elldivpol0(e,m-2)*elldivpol0(e,m+1)^2;
elldivpol0(e,m)*(t1-t2);}
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
\\ The following two functions returns the x and y coordinates
\\ of [n](x,y) using the division polynomials.
\\ xn is a rational function of x,
\\ yn is y times a rational function of x.
\\ We are assuming the curve is in Weierstrass form.
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
{ nthxpoint(e,n)= local(xn,nodd,neven); n=abs(n);
if(n%2==1,
nodd=elldivpol(e,n-1)*elldivpol(e,n+1)*(x^3+e[4]*x+e[5])/y^2;
xn=(x*elldivpol(e,n)^2-nodd)/(elldivpol(e,n)^2);
return(xn),
neven=(x^3+e[4]*x+e[5])*elldivpol(e,n)^2/y^2;
xn=(x*neven-elldivpol(e,n-1)*elldivpol(e,n+1))/(neven);
return(xn))}
{ nthypoint(e,n)= local(yn,ntemp); ntemp=n; n=abs(n);
if(ntemp==1,yn=y;return(yn)); if(ntemp==-1,yn=-y;return(yn));
yn=(elldivpol(e,n+2)*elldivpol(e,n-1)^2-elldivpol(e,n-2)*elldivpol(e,n+1)^2)
/(4*y*elldivpol(e,n)^3);
10
ALEJANDRA ALVARADO ARIZONA STATE UNIVERSITY
if(n%2==1,
if(ntemp<0,return(-yn),return(yn)),
yn=yn*y^4/(x^3+e[4]*x+e[5])^2;
if(ntemp<0,return(-yn),return(yn)))}
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
\\ (x’,y’):=(x^(p^2),y^(p^2))+[k](x,y) mod psi_l
\\ Ellxcoord computes the x-coordinate x’
\\ and is a rational function of x.
\\ Ellycoord computes y’
\\ and is y times a rational function of x
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
{ ellxcoord(e,p,xn,yn)=
local(xcoordtemp1,xcoordtemp2,xcoordtemp3,xcoordtemp4,xcoordtemp5,
xcoordtemp6,xcoord);
if(x^(p^2)==xn,print("ERROR"));
xcoordtemp1=Mod(1,p)*(x^3+e[4]*x+e[5]);
xcoordtemp2=(x^3+e[4]*x+e[5])^((p^2-1)/2); xcoordtemp6=yn/y;
xcoordtemp3=(xcoordtemp2-xcoordtemp6)^2;
xcoordtemp4=Mod(1,p)*(x^(p^2)-xn)^2;
xcoordtemp5=Mod(1,p)*(x^(p^2)+xn);
xcoord=(xcoordtemp1*xcoordtemp3)/xcoordtemp4-xcoordtemp5; }
{ ellycoord(e,p,xn,yn,xcoord)= local(ycoordtemp,ycoord);
ycoordtemp=Mod(1,p)*y*(x^3+e[4]*x+e[5])^((p^2-1)/2);
ycoord=(x^(p^2)-xcoord)*(yn-ycoordtemp)/(xn-x^(p^2))-ycoordtemp; }
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
\\ Brute force computation to determine the number of
\\ points on an elliptic curve of Weierstrass form.
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
{ jecc(p,a4,a6)=local(n,xc,f,s);
n=1;
for(xc=0,p-1,f=(xc^3+a4*xc+a6)*Mod(1,p);
if(f==0,n=n+1,
if(issquare(f),n=n+2)));
return(p+1-n);}
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
\\ Schoof’s Algorithm
\\ INPUT:
An elliptic curve E over a finite field F_p
\\ OUTPUT: The order of E(F_p)
\\
\\ This program works in PARI 2.1.5, but
\\ fails in 2.2.8.
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
AN EXPOSITION OF SCHOOF’S ALGORITHM
11
{ schoof()=local(a4,a6,p,debug,debugcheck);
print("Enter an elliptic curve of the form y^2=x^3+a4x+a6 mod p.");
print("Enter p, a4, a6:");
print1("p= "); p=input();
print1("a4= "); a4=input();
print1("a6= "); a6=input();
print1("Do you want to debug? y/n "); debug=input();
print1("Do you want to check the answer? y/n "); debugcheck=input();
schoof1(p,a4,a6,debug,debugcheck);}
{ schoof1(p,a4,a6,debug,debugcheck)=local(a,atemp,a1,a2,a3,e,l,m,
k,success,xk,yk,el,xcoord,ycoord,xj,yj,yjp);
a1=0; a2=0; a3=0;
e=ellinit([a1, a2, a3, a4, a6]*Mod(1, p)); l=2; m=2;
xp=(x^p)%(x^3+e[2]*x^2+e[4]*x+e[5]);
if(gcd(xp-x,x^3+e[2]*x^2+e[4]*x+e[5])==1,a=Mod(1,l),a=Mod(0,l));
if(debug==y,print1("a= ");print(a));
while (m<(4*sqrt(p)),
l=nextprime(l+1);
if(p==l,l=nextprime(l+1));
m=m*l;
k=centerlift(Mod(p,l));
if(debug==y,print1("k= ");print(k));
if(debug==y,print1("l= ");print(l));
success=0;
xk=nthxpoint(e,k);
yk=nthypoint(e,k);
el=elldivpol(e,l);
\\xcoord is x-coordinate, x’
xcoord=ellxcoord(e,p,xk,yk);
for(j=1,(l-1)/2,
if(debug==y,print1("j= ");print(j));
\\xj is x-coordinate of [j](x,y)
xj=nthxpoint(e,j);
if(Mod(numerator(xcoord-xj^p),el)==0,
\\ycoord is y-coordinate, y’
ycoord=ellycoord(e,p,xk,yk,xcoord);
\\xj is y-coordinate of [j](x,y)
yj=nthypoint(e,j);
yjp=(yj/y)^p*y*(x^3+a4*x+a6)^((p-1)/2);
if(Mod(numerator((ycoord-yjp)/y),el)==0,
atemp=Mod(j,l);
success=1;
break(),
atemp=Mod(-j,l);
success=1;
break())));
12
ALEJANDRA ALVARADO ARIZONA STATE UNIVERSITY
if(debug==y,print("Out of FOR loop."));
if(success==0,
if(issquare(Mod(p,l))==0,
atemp=Mod(0,l),
for(i=1,(p-1)/2,if(Mod(i^2,l)==Mod(p,l),w=i;break()));
if(debug==y,print1("w= ");print(w));
xw=nthxpoint(e,w);
if(gcd(numerator(x^p-xw),elldivpol(e,l))==1,
atemp=Mod(0,l),
if(gcd(numerator((y^p-yw)/y),elldivpol(e,l))!=1,
atemp=Mod(2*w,l),
atemp=Mod(-2*w,l)))));
a=chinese(a,atemp);
if(debug==y,print1("atemp= "); print(atemp); print1("a= "); print(a)));
if(debugcheck==y,
if(a!=jecc(p,a4,a6),
print("ERROR: INCORRECT VALUE FOUND");
print1("We found a=");
print(a);
print1("But it ought to be a=");
print(jecc(p,a4,a6))));
a=lift(a);
if(a^2>=4*p,a=a-m);
print1("We found a to be: "); print(a);
print1("So the number of points on E is "); print(p+1-a);}
References
[1]
I. F. Blake, G. Seroussi, and N. P. Smart, Elliptic curves in cryptography, London Mathematical Society Lecture Note Series, vol. 265, Cambridge University Press, Cambridge, 2000.
Reprint of the 1999 original.MR1771549 (2001i:94048)
[2] John Cremona, PARI/GP Scripts, Nottingham, 2004. available from http://www.maths.
nott.ac.uk/personal/jec/ftp/progs/pari/.
[3] C. Ding, D. Pei, and A. Salomaa, Chinese remainder theorem, World Scientific Publishing
Co. Inc., River Edge, NJ, 1996. Applications in computing, coding, cryptography.MR1437142
(98d:94001)
[4] Darrel Hankerson, Alfred Menezes, and Scott Vanstone, Guide to elliptic curve cryptography, Springer Professional Computing, Springer-Verlag, New York, 2004.MR2054891
(2005c:94049)
[5] Neal Koblitz, A course in number theory and cryptography, Graduate Texts in Mathematics,
vol. 114, Springer-Verlag, New York, 1987.MR910297 (88i:94001)
[6] PARI/GP, version 2.1.5, The PARI Group, Bordeaux, 2004. available from http://pari.
math.u-bordeaux.fr/.
[7] René Schoof, Counting points on elliptic curves over finite fields, J. Théor. Nombres Bordeaux 7 (1995), no. 1, 219–254. Les Dix-huitièmes Journées Arithmétiques (Bordeaux,
1993).MR1413578 (97i:11070)
[8]
, Elliptic curves over finite fields and the computation of square roots mod p, Math.
Comp. 44 (1985), no. 170, 483–494.MR777280 (86e:11122)
[9] Joseph H. Silverman, The arithmetic of elliptic curves, Graduate Texts in Mathematics,
vol. 106, Springer-Verlag, New York, 1986.MR817210 (87g:11070)
[10] Lawrence C. Washington, Elliptic curves, Discrete Mathematics and its Applications
(Boca Raton), Chapman & Hall/CRC, Boca Raton, FL. Number theory and cryptography.MR1989729 (2004e:11061)
AN EXPOSITION OF SCHOOF’S ALGORITHM
13
DEPARTMENT OF MATHEMATICS, ARIZONA STATE UNIVERSITY, TEMPE, ARIZONA 85287
E-mail address: [email protected]