Line coordinates: Difference between revisions

From formulasearchengine
Jump to navigation Jump to search
en>Bugo30
m grammar
 
en>Addbot
m Bot: Migrating 1 interwiki links, now provided by Wikidata on d:q6553237
Line 1: Line 1:
Today, there are several other types of web development and blogging software available to design and host your website blogs online and that too in minutes, if not hours. You can either install Word - Press yourself or use free services offered on the web today. This is a service where people write articles using a specific keyword you have given them. If you're using Wordpress and want to make your blog a "dofollow" blog, meaning that links from your blog pass on the benefits of Google pagerank, you can install one of the many dofollow plugins available. If you are happy with your new look then click "Activate 'New Theme'" in the top right corner. <br><br>Choosing what kind of links you'll be using is a ctitical aspect of any linkwheel strategy, especially since there are several different types of links that are assessed by search engines. But as expected the level of support you get with them can be hit or miss based on the developer's free time and desire. This plugin allows a blogger get more Facebook fans on the related fan page. E-commerce websites are meant to be buzzed with fresh contents, graphical enhancements, and functionalities. Moreover, many Word - Press themes need to be purchased and designing your own WP site can be boring. <br><br>Usually, Wordpress owners selling the ad space on monthly basis and this means a residual income source. Browse through the popular Wordpress theme clubs like the Elegant Themes, Studio Press, Woo - Themes, Rocket Theme, Simple Themes and many moreWhen you loved this information and you wish to receive details relating to [http://www.twitpics.ca/ifive-63/ wordpress backup] assure visit the web page. Use this section to change many formatting elements. The first thing you need to do is to choose the right web hosting plan. If you've hosted your Word - Press website on a shared hosting server then it'll be easier for you to confirm the restricted access to your site files. <br><br>Word - Press has plenty of SEO benefits over Joomla and Drupal. The SEOPressor Word - Press SEO Plugin works by analysing each page and post against your chosen keyword (or keyword phrase) and giving a score, with instructions on how to improve it. Exacting subjects in reality must be accumulated in head ahead of planning on your high quality theme. Giant business organizations can bank on enterprise solutions to incorporate latest web technologies such as content management system etc, yet some are looking for economical solutions. See a product, take a picture, and it gives you an Amazon price for that product, or related products. <br><br>More it extends numerous opportunities where your firm is at comfort and rest assured of no risks & errors. Being a Plugin Developer, it is important for you to know that development of Word - Press driven website should be done only when you enable debugging. By the time you get the Gallery Word - Press Themes, the first thing that you should know is on how to install it. Thus, Word - Press is a good alternative if you are looking for free blogging software. Definitely when you wake up from the slumber, you can be sure that you will be lagging behind and getting on track would be a tall order.
An important aspect in the study of [[elliptic curves]] is devising effective ways of '''counting points on the curve'''. There have been several approaches to do so, and the [[algorithms]] devised have proved to be useful tools in the study of various fields such as [[number theory]], and more recently in [[cryptography]] and Digital Signature Authentication (See [[elliptic curve cryptography]] and [[elliptic curve DSA]]). While in number theory they have important consequences in the solving of [[Diophantine equations]], with respect to cryptography, they enable us to make effective use of the difficulty of the [[discrete logarithm problem]] (DLP) for the group <math>E(\mathbb{F}_q)</math>, of elliptic curves over a [[finite field]] <math>\mathbb{F}_q</math>, where ''q''&nbsp;=&nbsp;''p''<sup>''k''</sup> and ''p'' is a prime. The DLP, as it has come to be known, is a widely used approach to [[public key cryptography]], and the difficulty in solving this problem determines the level of security of the cryptosystem.  This article covers algorithms to count points on elliptic curves over fields of large characteristic, in  particular ''p''&nbsp;>&nbsp;3. For curves over fields of small characteristic more efficient algorithms based on ''p''-adic methods exist.
 
==Approaches to counting points on elliptic curves==
 
There are several approaches to the problem. Beginning with the naive approach, we trace the developments up to Schoof's definitive work on the subject, while also listing the improvements to Schoof's algorithm made by Elkies (1990) and Atkin (1992).
 
Several algorithms make use of the fact that groups of the form <math>E(\mathbb{F}_q)</math> are subject to an important theorem due to Hasse, that bounds the number of points to be considered. The [[Hasse's theorem on elliptic curves|Hasse's theorem]] states that if ''E'' is an elliptic curve over the finite field <math>\mathbb{F}_q</math>, then the [[cardinality]] of <math>E(\mathbb{F}_q)</math> satisfies
 
:<math>
||E(\mathbb{F}_q)| - (q+1)| \leq 2 \sqrt{q}. \,
</math>
 
==Naive approach==
 
The naive approach to counting points, which is the least sophisticated, involves running through all the elements of the field <math>\mathbb{F}_q</math> and testing which ones satisfy the Weierstrass form of the elliptic curve
 
:<math>
y^2 = x^3 + Ax + B. \,
</math>
 
===Example===
Let ''E'' be the curve ''y''<sup>2</sup> = ''x''<sup>3</sup> + ''x'' + 1 over <math>\mathbb{F}_5</math>. To count points on ''E'', we make a
list of the possible values of ''x'', then of ''x''<sup>3</sup> + ''x'' + 1 mod 5, then of the square
roots ''y'' of ''x''<sup>3</sup> + ''x'' + 1 mod 5. This yields the points on ''E''.
 
{| class="wikitable" border="1"
|-
! <math>x</math>
! <math>x^3 + x + 1</math>
! <math>y</math>
! Points
|-
| <math> \quad 0</math>
| <math>1</math>
| <math>\pm1</math>
| <math>(0, 1), (0, 4)</math>
|-
| <math> \quad 1</math>
| <math>3</math>
| <math>-</math>
| <math>-</math>
|-
| <math> \quad 2</math>
| <math>1</math>
| <math>\pm1</math>
| <math>(2, 1), (2, 4)</math>
|-
| <math> \quad 3</math>
| <math>1</math>
| <math>\pm1</math>
| <math>(3, 1), (3, 4)</math>
|-
| <math> \quad 4</math>
| <math>4</math>
| <math>\pm2</math>
| <math>(4, 2), (4, 3)</math>
|-
|}
 
Therefore, <math>E(\mathbb{F}_5)</math> has [[cardinality]] of 9: the 8 points listed before and the point at infinity.
 
This algorithm requires running time ''O''(''q''), because all the values of <math>x \in \mathbb{F}_q</math> must be considered.  
 
==Baby-step giant-step==
An improvement in running time is obtained using a different approach: we pick an element <math>P=(x,y) \in E(\mathbb{F}_q)</math> by selecting random values of <math>x</math> until <math>x^3 + Ax +B</math> is a square in <math>\mathbb{F}_q</math> and then computing the square root of this value in order to get <math>y</math>.
Hasse's theorem tells us that <math>|E(\mathbb{F}_q)|</math> lies in the interval <math>(q +1 - 2 \sqrt{q}, q + 1 + 2 \sqrt{q})</math>. Thus, by [[Lagrange's theorem (group theory)|Lagrange's theorem]], finding a unique <math>M</math> lying in this interval and satisfying <math>MP=O</math>, results in finding the cardinality of <math>E(\mathbb{F}_q)</math>. The algorithm fails if there exist two integers <math>M</math> and <math>M'</math> in the interval such that <math>MP = M'P = O</math>. In such a case it usually suffices to repeat the algorithm with another randomly chosen point in <math>E(\mathbb{F}_q)</math>.
 
Trying all values of <math>M</math> in order to find the one that satisfies <math>MP=O</math> takes around <math>4 \sqrt{q}</math> steps.
   
However, by applying the [[baby-step giant-step]] algorithm to <math>E(\mathbb{F}_q)</math>, we are able to speed this up to around <math>4 \sqrt[4]{q}</math> steps. The algorithm is as follows.
 
===The algorithm===
 
1. choose <math>m</math> integer, <math>m > \sqrt[4]{q}</math>
2. '''FOR'''{<math>j=0</math> to <math>m</math>} '''DO'''
3.    <math>P_j \leftarrow jP</math>
4. '''ENDFOR'''
5. <math>L \leftarrow 1</math>
6. <math>Q \leftarrow (q+1)P</math>
7. '''REPEAT''' compute the points <math>Q + k(2mP)</math>
8. '''UNTIL''' <math>\exists j</math>: <math>Q + k(2mP) = \pm P_j</math>  \\the <math>x</math>-coordinates are compared
9. <math>M \leftarrow q + 1 + 2mk \mp j</math>    \\note <math>MP=O</math>
10. Factor <math>M</math>. Let <math>p_1, \ldots, p_r</math> be the distinct prime factors of <math>M</math>.
11. '''WHILE''' <math>i \leq r</math> '''DO'''
12.    '''IF''' <math>\frac{M}{p_i}P=O</math>
13.      '''THEN''' <math>M \leftarrow \frac{M}{p_i}</math>
14.      '''ELSE''' <math>i \leftarrow i+1</math>
15.    '''ENDIF'''
16. '''ENDWHILE'''
17. <math>L \leftarrow \operatorname{lcm}(L, M)</math>    \\note <math>M</math> is the order of the point <math>P</math>
18. '''WHILE''' <math>L</math> divides more than one integer <math>N</math> in <math>(q+1-2\sqrt{q},q+1+2\sqrt{q})</math>
19.    '''DO''' choose a new point <math>P</math> and go to 1.
20. '''ENDWHILE'''
21. '''RETURN''' <math>N</math>    \\it is the cardinality of <math>E(\mathbb{F}_q)</math>
 
===Notes to the algorithm===
* In line 8. we assume the existence of a match. Indeed, the following lemma assures that such a match exists:
 
::Let <math>a</math> be an integer with <math>|a| \leq 2m^2</math>. There exist integers <math>a_0</math> and <math>a_1</math> with
::<math>
-m < a_0 \leq m \mbox{ and } -m \leq a_1 \leq m \mbox{ s.t. } a = a_0 + 2ma_1.
</math>
     
* Computing <math>(j+1)P</math> once <math>jP</math> has been computed can be done by adding <math>P</math> to <math>jP</math> instead of computing the complete scalar multiplication anew. The complete computation thus requires <math>m</math> additions. <math>2mP</math> can be obtained with one doubling from <math>mP</math>. The computation of <math>Q</math> requires <math>\log (q+1)</math> doublings and <math>w</math> additions, where <math>w</math> is the number of nonzero digits in the binary representation of <math>q+1</math>; note that knowledge of the <math>jP</math> and <math>2mP</math> allows us to reduce the number of doublings. Finally, to get from <math>Q+k(2mP)</math> to <math>Q+(k+1)(2mP)</math>, simply add <math>2mP</math> rather than recomputing everything.
 
* We are assuming that we can factor <math>M</math>. If not, we can at least find all the small prime factors <math>p_i</math> and check that <math>\frac{M}{p_i} \neq O</math> for these. Then <math>M</math> will be a good candidate for the [[Order (group theory)|order]] of <math>P</math>.
 
* The conclusion of step 17 can be proved using elementary group theory: since <math>MP=O</math>, the order of <math>P</math> divides <math>M</math>. If no proper divisor <math>\bar{M}</math> of <math>M</math> realizes <math>\bar{M}P=O</math>, then <math>M</math> is the order of <math>P</math>.
 
One drawback of this method is that there is a need for too much memory when the group becomes large. In order to address this, it might be more efficient to store only the <math>x</math> coordinates of the points <math>jP</math> (along with the corresponding integer <math>j</math>). However, this leads to an extra scalar multiplication in order to choose between <math>-j</math> and <math>+j</math>.
 
There are other generic algorithms for computing the order of a group element that are more space efficient, such as [[Pollard's rho algorithm for logarithms|Pollard's rho algorithm]] and the [[Pollard kangaroo]] method. The Pollard kangaroo method allows one to search for a solution in a prescribed interval, yielding a running time of <math>O(\sqrt[4]{q})</math>, using <math>O(\log^2{q})</math> space.
 
==Schoof's algorithm==
{{main|Schoof's algorithm}}
 
A theoretical breakthrough for the problem of computing the cardinality of groups of the type <math>E(\mathbb{F}_q)</math> was achieved by René Schoof, who, in 1985, published the first deterministic polynomial time algorithm. Central to Schoof's algorithm are the use of [[division polynomial]]s and [[Hasse's theorem on elliptic curves|Hasse's theorem]], along with the [[Chinese remainder theorem]].
 
Schoof's insight exploits the fact that, by Hasse's theorem, there is a finite range of possible values for <math>|E(\mathbb{F}_q)|</math>. It suffices to compute <math>|E(\mathbb{F}_q)|</math> modulo an integer <math>N > 4\sqrt{q}</math>.  This is achieved by computing <math>|E(\mathbb{F}_q)|</math> modulo primes <math>\ell_1, \ldots, \ell_s</math> whose product exceeds <math>4 \sqrt{q}</math>, and then applying the Chinese remainder theorem.  The key to the algorithm is using the division polynomial <math>\psi_{\ell}</math> to efficiently compute <math>|E(\mathbb{F}_q)|</math> modulo <math>\ell</math>.
 
The running time of Schoof's Algorithm is polynomial in <math>n=\log{q}</math>, with an asymptotic complexity of <math>O(n^2M(n^3)/\log{n})=O(n^{5+o(1)})</math>, where <math>M(n)</math> denotes the [[Computational complexity of mathematical operations|complexity of multiplication]].  Its space complexity is <math>O(n^3)</math>.
 
==Schoof–Elkies–Atkin algorithm==
{{Main|Schoof–Elkies–Atkin algorithm}}
 
In the 1990s, [[Noam Elkies]], followed by [[A. O. L. Atkin]] devised improvements to Schoof's basic algorithm by making a distinction among the primes <math>\ell_1, \ldots, \ell_s</math> that are used.  A prime <math>\ell</math> is called an Elkies prime if the characteristic equation of the Frobenius endomorphism, <math>\phi^2-t\phi+ q = 0</math>, splits over <math>\mathbb{F}_\ell</math>.  Otherwise <math>\ell</math> is called an Atkin prime.  Elkies primes are the key to improving the asymptotic complexity of Schoof's algorithm.  Information obtained from the Atkin primes permits a further improvement which is asymptotically negligible but can be quite important in practice.  The modification of Schoof's algorithm to use Elkies and Atkin primes is known as the Schoof–Elkies–Atkin (SEA) algorithm.
 
The status of a particular prime <math>\ell</math> depends on the elliptic curve <math>E/\mathbb{F}_q</math>, and can be determined using the [[Classical modular curve|modular polynomial]] <math>\Psi_\ell(X,Y)</math>. If the univariate polynomial <math>\Psi_\ell(X,j(E))</math> has a root in <math>\mathbb{F}_q</math>, where <math>j(E)</math> denotes the [[j-invariant]] of <math>E</math>, then <math>\ell</math> is an Elkies prime, and otherwise it is an Atkin prime.  In the Elkies case, further computations involving modular polynomials are used to obtain a proper factor of the division polynomial <math>\psi_\ell</math>.  The degree of this factor is <math>O(\ell)</math>, whereas <math>\psi_\ell</math> has degree <math>O(\ell^2)</math>.
 
Unlike Schoof's algorithm, the SEA algorithm is typically implemented as a [[Randomized algorithm|probabilistic algorithm]] (of the [[Las Vegas algorithm|Las Vegas]] type), so that root-finding and other operations can be performed more efficiently. Its computational complexity is dominated by the cost of computing the modular polynomials <math>\Psi_\ell(X,Y)</math>, but as these do not depend on <math>E</math>, they may be computed once and reused.  Under the heuristic assumption that there are sufficiently many small Elkies primes, and excluding the cost of computing modular polynomials, the asymptotic running time of the SEA algorithm is <math>O(n^2 M(n^2)/\log{n}) = O(n^{4+o(1)})</math>, where <math>n=\log{q}</math>.  Its space complexity is <math>O(n^3\log{n})</math>, but when precomputed modular polynomials are used this increases to <math>O(n^4)</math>.
 
==See also==
* [[Schoof's algorithm]]
* [[Elliptic curve cryptography]]
* [[Baby-step giant-step]]
* [[Public key cryptography]]
* [[Schoof–Elkies–Atkin algorithm]]
* [[Pollard rho]]
* [[Pollard kangaroo]]
* [[Elliptic curve primality proving]]
 
==Bibliography==
 
* I. Blake, G. Seroussi, and N. Smart: ''Elliptic Curves in Cryptography'', Cambridge University Press, 1999.
* A. Enge: ''Elliptic Curves and their Applications to Cryptography: An Introduction''. Kluwer Academic Publishers, Dordrecht, 1999.
* G. Musiker: Schoof's Algorithm for Counting Points on <math>E(\mathbb{F}_q)</math>. Available at http://www.math.umn.edu/~musiker/schoof.pdf
* R. Schoof: Counting Points on Elliptic Curves over Finite Fields. J. Theor. Nombres Bordeaux 7:219-254, 1995. Available at http://www.mat.uniroma2.it/~schoof/ctg.pdf
* L. C. Washington: Elliptic Curves: Number Theory and Cryptography. Chapman \& Hall/CRC, New York, 2003.
* C. Peters: Counting points on elliptic curves over <math>\mathbb{F}_q</math>. Available at http://www2.mat.dtu.dk/people/C.Peters/talks/2008.eccs.pdf
 
==References==
<references/>
[[Category:Elliptic curves]]

Revision as of 01:09, 20 March 2013

An important aspect in the study of elliptic curves is devising effective ways of counting points on the curve. There have been several approaches to do so, and the algorithms devised have proved to be useful tools in the study of various fields such as number theory, and more recently in cryptography and Digital Signature Authentication (See elliptic curve cryptography and elliptic curve DSA). While in number theory they have important consequences in the solving of Diophantine equations, with respect to cryptography, they enable us to make effective use of the difficulty of the discrete logarithm problem (DLP) for the group E(𝔽q), of elliptic curves over a finite field 𝔽q, where q = pk and p is a prime. The DLP, as it has come to be known, is a widely used approach to public key cryptography, and the difficulty in solving this problem determines the level of security of the cryptosystem. This article covers algorithms to count points on elliptic curves over fields of large characteristic, in particular p > 3. For curves over fields of small characteristic more efficient algorithms based on p-adic methods exist.

Approaches to counting points on elliptic curves

There are several approaches to the problem. Beginning with the naive approach, we trace the developments up to Schoof's definitive work on the subject, while also listing the improvements to Schoof's algorithm made by Elkies (1990) and Atkin (1992).

Several algorithms make use of the fact that groups of the form E(𝔽q) are subject to an important theorem due to Hasse, that bounds the number of points to be considered. The Hasse's theorem states that if E is an elliptic curve over the finite field 𝔽q, then the cardinality of E(𝔽q) satisfies

||E(𝔽q)|(q+1)|2q.

Naive approach

The naive approach to counting points, which is the least sophisticated, involves running through all the elements of the field 𝔽q and testing which ones satisfy the Weierstrass form of the elliptic curve

y2=x3+Ax+B.

Example

Let E be the curve y2 = x3 + x + 1 over 𝔽5. To count points on E, we make a list of the possible values of x, then of x3 + x + 1 mod 5, then of the square roots y of x3 + x + 1 mod 5. This yields the points on E.

x x3+x+1 y Points
0 1 ±1 (0,1),(0,4)
1 3
2 1 ±1 (2,1),(2,4)
3 1 ±1 (3,1),(3,4)
4 4 ±2 (4,2),(4,3)

Therefore, E(𝔽5) has cardinality of 9: the 8 points listed before and the point at infinity.

This algorithm requires running time O(q), because all the values of x𝔽q must be considered.

Baby-step giant-step

An improvement in running time is obtained using a different approach: we pick an element P=(x,y)E(𝔽q) by selecting random values of x until x3+Ax+B is a square in 𝔽q and then computing the square root of this value in order to get y. Hasse's theorem tells us that |E(𝔽q)| lies in the interval (q+12q,q+1+2q). Thus, by Lagrange's theorem, finding a unique M lying in this interval and satisfying MP=O, results in finding the cardinality of E(𝔽q). The algorithm fails if there exist two integers M and M in the interval such that MP=MP=O. In such a case it usually suffices to repeat the algorithm with another randomly chosen point in E(𝔽q).

Trying all values of M in order to find the one that satisfies MP=O takes around 4q steps.

However, by applying the baby-step giant-step algorithm to E(𝔽q), we are able to speed this up to around 4q4 steps. The algorithm is as follows.

The algorithm

1. choose m integer, m>q4
2. FOR{j=0 to m} DO 
3.    PjjP
4. ENDFOR
5. L1
6. Q(q+1)P
7. REPEAT compute the points Q+k(2mP)
8. UNTIL j: Q+k(2mP)=±Pj  \\the x-coordinates are compared
9. Mq+1+2mkj     \\note MP=O
10. Factor M. Let p1,,pr be the distinct prime factors of M.
11. WHILE ir DO
12.    IF MpiP=O
13.       THEN MMpi
14.       ELSE ii+1 
15.    ENDIF
16. ENDWHILE
17. Llcm(L,M)     \\note M is the order of the point P
18. WHILE L divides more than one integer N in (q+12q,q+1+2q)
19.    DO choose a new point P and go to 1.
20. ENDWHILE
21. RETURN N     \\it is the cardinality of E(𝔽q)

Notes to the algorithm

  • In line 8. we assume the existence of a match. Indeed, the following lemma assures that such a match exists:
Let a be an integer with |a|2m2. There exist integers a0 and a1 with
m<a0m and ma1m s.t. a=a0+2ma1.
  • Computing (j+1)P once jP has been computed can be done by adding P to jP instead of computing the complete scalar multiplication anew. The complete computation thus requires m additions. 2mP can be obtained with one doubling from mP. The computation of Q requires log(q+1) doublings and w additions, where w is the number of nonzero digits in the binary representation of q+1; note that knowledge of the jP and 2mP allows us to reduce the number of doublings. Finally, to get from Q+k(2mP) to Q+(k+1)(2mP), simply add 2mP rather than recomputing everything.
  • We are assuming that we can factor M. If not, we can at least find all the small prime factors pi and check that MpiO for these. Then M will be a good candidate for the order of P.
  • The conclusion of step 17 can be proved using elementary group theory: since MP=O, the order of P divides M. If no proper divisor M¯ of M realizes M¯P=O, then M is the order of P.

One drawback of this method is that there is a need for too much memory when the group becomes large. In order to address this, it might be more efficient to store only the x coordinates of the points jP (along with the corresponding integer j). However, this leads to an extra scalar multiplication in order to choose between j and +j.

There are other generic algorithms for computing the order of a group element that are more space efficient, such as Pollard's rho algorithm and the Pollard kangaroo method. The Pollard kangaroo method allows one to search for a solution in a prescribed interval, yielding a running time of O(q4), using O(log2q) space.

Schoof's algorithm

Mining Engineer (Excluding Oil ) Truman from Alma, loves to spend time knotting, largest property developers in singapore developers in singapore and stamp collecting. Recently had a family visit to Urnes Stave Church.

A theoretical breakthrough for the problem of computing the cardinality of groups of the type E(𝔽q) was achieved by René Schoof, who, in 1985, published the first deterministic polynomial time algorithm. Central to Schoof's algorithm are the use of division polynomials and Hasse's theorem, along with the Chinese remainder theorem.

Schoof's insight exploits the fact that, by Hasse's theorem, there is a finite range of possible values for |E(𝔽q)|. It suffices to compute |E(𝔽q)| modulo an integer N>4q. This is achieved by computing |E(𝔽q)| modulo primes 1,,s whose product exceeds 4q, and then applying the Chinese remainder theorem. The key to the algorithm is using the division polynomial ψ to efficiently compute |E(𝔽q)| modulo .

The running time of Schoof's Algorithm is polynomial in n=logq, with an asymptotic complexity of O(n2M(n3)/logn)=O(n5+o(1)), where M(n) denotes the complexity of multiplication. Its space complexity is O(n3).

Schoof–Elkies–Atkin algorithm

Mining Engineer (Excluding Oil ) Truman from Alma, loves to spend time knotting, largest property developers in singapore developers in singapore and stamp collecting. Recently had a family visit to Urnes Stave Church.

In the 1990s, Noam Elkies, followed by A. O. L. Atkin devised improvements to Schoof's basic algorithm by making a distinction among the primes 1,,s that are used. A prime is called an Elkies prime if the characteristic equation of the Frobenius endomorphism, ϕ2tϕ+q=0, splits over 𝔽. Otherwise is called an Atkin prime. Elkies primes are the key to improving the asymptotic complexity of Schoof's algorithm. Information obtained from the Atkin primes permits a further improvement which is asymptotically negligible but can be quite important in practice. The modification of Schoof's algorithm to use Elkies and Atkin primes is known as the Schoof–Elkies–Atkin (SEA) algorithm.

The status of a particular prime depends on the elliptic curve E/𝔽q, and can be determined using the modular polynomial Ψ(X,Y). If the univariate polynomial Ψ(X,j(E)) has a root in 𝔽q, where j(E) denotes the j-invariant of E, then is an Elkies prime, and otherwise it is an Atkin prime. In the Elkies case, further computations involving modular polynomials are used to obtain a proper factor of the division polynomial ψ. The degree of this factor is O(), whereas ψ has degree O(2).

Unlike Schoof's algorithm, the SEA algorithm is typically implemented as a probabilistic algorithm (of the Las Vegas type), so that root-finding and other operations can be performed more efficiently. Its computational complexity is dominated by the cost of computing the modular polynomials Ψ(X,Y), but as these do not depend on E, they may be computed once and reused. Under the heuristic assumption that there are sufficiently many small Elkies primes, and excluding the cost of computing modular polynomials, the asymptotic running time of the SEA algorithm is O(n2M(n2)/logn)=O(n4+o(1)), where n=logq. Its space complexity is O(n3logn), but when precomputed modular polynomials are used this increases to O(n4).

See also

Bibliography

References