
ELLIPTIC CURVE PUBLIC KEY CRYPTOSYSTEMS

THE KLUWER INTERNATIONAL SERIES IN ENGINEERING AND COMPUTER SCIENCE
COMMUNICATIONS AND INFORMATION THEORY

Consulting Editor
Robert Gallager

Other books in the series:


SATELLITE COMMUNICATIONS: Mobile and Fixed Services, Michael Miller, Branka Vucetic
and Les Berry
ISBN: 0-7923-9333-3
WIRELESS COMMUNICATIONS: Future Directions, Jack M. Holtzman and David J. Goodman
ISBN: 0-7923-9316-3
DISCRETE-TIME MODELS FOR COMMUNICATION SYSTEMS INCLUDING ATM,
Herwig Bruneel and Byung G. Kim
ISBN: 0-7923-9292-2
APPLICATIONS OF FINITE FIELDS, Alfred J. Menezes, Ian F. Blake, XuHong Gao, Ronald
C. Mullin, Scott A. Vanstone, Tomik Yaghoobian
ISBN: 0-7923-9282-5
WIRELESS PERSONAL COMMUNICATIONS, Martin J. Feuerstein, Theodore S. Rappaport
ISBN: 0-7923-9280-9
SEQUENCE DETECTION FOR HIGH-DENSITY STORAGE CHANNEL, Jaekyun Moon, L.
Richard Carley
ISBN: 0-7923-9264-7
DIGITAL SATELLITE COMMUNICATIONS SYSTEMS AND TECHNOLOGIES: Military
and Civil Applications, A. Nejat Ince
ISBN: 0-7923-9254-X
IMAGE AND TEXT COMPRESSION, James A. Storer
ISBN: 0-7923-9243-4
VECTOR QUANTIZATION AND SIGNAL COMPRESSION, Allen Gersho, Robert M. Gray
ISBN: 0-7923-9181-0
THIRD GENERATION WIRELESS INFORMATION NETWORKS, Sanjiv Nanda, David J.
Goodman
ISBN: 0-7923-9128-3
SOURCE AND CHANNEL CODING: An Algorithmic Approach, John B. Anderson, Seshadri
Mohan
ISBN: 0-7923-9210-8
ADVANCES IN SPEECH CODING, Bishnu Atal, Vladimir Cuperman, Allen Gersho
ISBN: 0-7923-9091-1
SWITCHING AND TRAFFIC THEORY FOR INTEGRATED BROADBAND NETWORKS,
Joseph Y. Hui
ISBN: 0-7923-9061-X
ADAPTIVE DATA COMPRESSION, Ross N. Williams
ISBN: 0-7923-9085
SOURCE CODING THEORY, Robert M. Gray
ISBN: 0-7923-9048-2
AN INTRODUCTION TO ERROR CORRECTING CODES WITH APPLICATIONS, Scott
A. Vanstone, Paul C. van Oorschot
ISBN: 0-7923-9017-2
FINITE FIELDS FOR COMPUTER SCIENTISTS AND ENGINEERS, Robert J. McEliece
ISBN: 0-89838-191-6
AN INTRODUCTION TO CRYPTOLOGY, Henk C. A. van Tilborg
ISBN: 0-89838-271-8
ELLIPTIC CURVE PUBLIC KEY CRYPTOSYSTEMS

by

Alfred Menezes
Auburn University

foreword by

Neal Koblitz

SPRINGER SCIENCE+BUSINESS MEDIA, LLC
Library of Congress Cataloging-in-Publication Data

Menezes, Alfred, 1965-


Elliptic curve public key cryptosystems / by Alfred Menezes ;
foreword by Neal Koblitz.
p. cm. -- (The Kluwer international series in engineering and
computer science ; SECS 234. Communications and information theory)
ISBN 978-1-4613-6403-0 ISBN 978-1-4615-3198-2 (eBook)
DOI 10.1007/978-1-4615-3198-2
1. Computers--Access control. 2. Cryptography. I. Title.
II. Series: Kluwer international series in engineering and computer
science ; SECS 234. III. Series: Kluwer international series in
engineering and computer science. Communications and information
theory.
QA76.9.A25M46 1993
005.8'2--dc20 93-10961
CIP

Copyright © 1993 by Springer Science+Business Media New York


Originally published by Kluwer Academic Publishers, New York in 1993
Softcover reprint of the hardcover 1st edition 1993
All rights reserved. No part of this publication may be reproduced, stored in
a retrieval system or transmitted in any form or by any means, mechanical,
photo-copying, recording, or otherwise, without the prior written permission of
the publisher, Springer Science+Business Media, LLC.

Printed on acid-free paper.


Contents

Foreword ix

Preface xi

1 Introduction to Public Key Cryptography 1
1.1 Private Key Cryptography 1
1.2 Diffie-Hellman Key Exchange 3
1.3 Public Key Cryptography 4
1.4 Trapdoor One-Way Functions Based on Groups 5
1.4.1 Group Order as a TOF 6
1.4.2 RSA Cryptosystem 6
1.4.3 Exponentiation as a TOF 7
1.5 NIST Digital Signature Standard 10
1.6 Elliptic Curve Cryptosystems 13
1.7 Notes 14

2 Introduction to Elliptic Curves 15
2.1 Definitions 15
2.2 Group Law 17
2.3 The Discriminant and j-Invariant 19
2.4 Curves over K, char(K) ≠ 2, 3 20
2.5 Curves over K, char(K) = 2 21
2.6 Group Structure 23
2.7 Divisor Theory 28
2.8 Elliptic Curves over Z_n 32
2.9 Notes 34

3 Isomorphism Classes of Elliptic Curves over Finite Fields 35
3.1 Introduction 35
3.2 Isomorphism Classes of Curves over F_q, char(F_q) ≠ 2, 3 37
3.3 Isomorphism Classes of Non-Supersingular Curves over F_{2^m} 39
3.4 Isomorphism Classes of Supersingular Curves over F_{2^m}, m odd 40
3.5 Isomorphism Classes of Supersingular Curves over F_{2^m}, m even 41
3.6 Number of Points 46
3.7 Notes 48

4 The Discrete Logarithm Problem 49
4.1 Algorithms 49
4.1.1 Square Root Methods 50
4.1.2 Pohlig-Hellman Method 51
4.1.3 Index Calculus Method 52
4.1.4 Index Calculus Method for Elliptic Curves 54
4.2 Reducing Some Logarithm Problems to Logarithms in a Finite Field 54
4.2.1 Singular Elliptic Curves 55
4.2.2 Another Class of Genus 0 Curves 57
4.3 Notes 59

5 The Elliptic Curve Logarithm Problem 61
5.1 The Weil Pairing 61
5.1.1 Definition 62
5.1.2 Computing the Function of a Principal Divisor 63
5.1.3 Computing the Weil Pairing 66
5.2 Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field 68
5.2.1 The Reduction 69
5.2.2 Supersingular Curves 72
5.2.3 Non-Supersingular Curves 77
5.3 Cryptographic Implications 77
5.4 Finding the Group Structure 79
5.5 Notes 81

6 Implementation of Elliptic Curve Cryptosystems 83
6.1 Field Arithmetic in F_{2^m} 83
6.2 Selecting a Curve and Field K 86
6.3 Projective Coordinates 90
6.4 ElGamal Cryptosystem 91
6.5 Performance 92
6.6 Using Supersingular Curves 93
6.7 Elliptic Curve Cryptosystems over Z_n 97
6.8 Implementations 98
6.9 Notes 99

7 Counting Points on Elliptic Curves Over F_{2^m} 101
7.1 Some Basics 102
7.2 Outline of Schoof's Algorithm 103
7.3 Some Heuristics 104
7.3.1 Finding an Eigenvalue of φ, if One Exists 105
7.3.2 Schoof's Algorithm 106
7.3.3 Determining t modulo l = 2^c 107
7.3.4 Baby-step Giant-step Algorithm 109
7.3.5 Checking Results 110
7.4 Implementation and Results 111
7.5 Recent Work 115
7.6 Notes 116

Bibliography 117

Index 127
Foreword

The invention of public key cryptography by Diffie and Hellman in 1976
not only revolutionized the field of cryptography, but also had a profound
effect on the direction of research in computational number theory.
For the first time the question of the relative complexity of various
number-theoretic tasks took on a practical urgency.
The first usable public key system, introduced in 1978, was the RSA
cryptosystem, which is based on the problem of factoring large integers.
RSA soon became the best known and most widely used public key
cryptosystem. It stimulated a tremendous amount of research on the
twin subjects of factoring and primality testing.
Another type of public key cryptography -- based on the discrete
analogue of the logarithm function -- gave rise to a second current of
research in computational number theory. The discrete log problem was
first considered in the multiplicative group of a finite field, especially a
prime finite field or a finite field of characteristic 2 (since these fields
seemed to be the most practical for implementation). Although discrete
log cryptosystems have been in the public eye much less than RSA, the
discrete log problem and related issues have been receiving considerable
attention in the research community. The practical questions that have
arisen in discrete log cryptography have served as an impetus for much
work on the structure of finite fields and the complexity of certain tasks
related to this structure.
In 1985 a variant of discrete log cryptography was proposed, based
on the discrete log problem in the group of points of an elliptic curve
defined over a finite field. Cryptosystems using discrete logarithms in
this group have two potential advantages over systems based on the
multiplicative group of a finite field (and also over systems based on
RSA): (1) the great diversity of elliptic curves available to provide the
groups; and (2) the absence of subexponential time algorithms (such
as those of 'index calculus' type) that could find discrete logs in these
groups.
Of the developments in elliptic curve cryptography since 1985, the
most dramatic was the demonstration by Menezes, Okamoto and Vanstone
in 1990 that the discrete log problem on a so-called 'supersingular'
elliptic curve can be reduced to (i.e., has the same complexity as) the
discrete log problem in a finite field. This result means that one should
avoid the (relatively small) set of supersingular curves if one wants to
have a cryptosystem whose cracking problem is, to the best of our current
knowledge, of fully exponential complexity.
After a brief but complete introduction to public key cryptography,
the present work gives a full account of all of the developments connected
with elliptic curve cryptosystems. Alfred Menezes has included
a comprehensive treatment of the most important practical aspects of
their use; this is the first book to deal extensively with implementation
as well as with theory. Menezes is uniquely qualified to write such a
multi-faceted treatment: he belongs to the research group (based at
Waterloo) that has apparently gone the farthest in improving and
implementing elliptic curve cryptography.
The book is written in a lucid style with the objective of making the
subject truly accessible. One hopes that as a result of its publication the
field of elliptic curve cryptography will never again be unfairly stigmatized
as 'incredibly complicated' (in the words of a leading popularizer
of cryptography).
This thorough, up-to-date, and self-contained treatment of elliptic
curve-based public key cryptography will be a valuable resource for
graduate students in mathematics, applied math, and computer science;
for cryptographic researchers and laypeople; and for specialists
in government and industry anywhere in the world who are concerned
with issues of data security.

NEAL KOBLITZ
University of Washington, Seattle
Preface

Elliptic curves have been intensively studied in algebraic geometry and
number theory, and there is an enormous literature on the subject. Recently,
they have been used in devising efficient algorithms for factoring
integers [80, 105, 106, 143] and for primality proving [7, 48, 125]. In the
field of cryptography, elliptic curves have found applications in the construction
of public key cryptosystems [67, 100] and in the construction
of pseudorandom bit generators [62, 63] and one-way permutations [64].
Other uses of elliptic curves are found in coding theory, where they are
used to obtain good error-correcting codes [36, 46, 147].
Elliptic curve cryptosystems potentially provide security equivalent
to that of the existing public key schemes, but with shorter key lengths. Having
short key lengths means smaller bandwidth and memory requirements
and can be a crucial factor in some applications, for example the design
of smart card systems. In this book we explore the feasibility of implementing
secure and efficient public key cryptosystems using elliptic
curves.
We have attempted to keep the presentation self-contained; however,
the inexperienced reader might find it useful to first read Chapter 6 of
Koblitz's book [68].
We begin in Chapter 1 with an introduction to private and public
key cryptography. Chapter 2 gives a summary of the relevant theory
of elliptic curves over finite fields that we shall need. In Chapter 3 we
count and list the number of different elliptic curves over finite fields of
characteristic 2. The results of this chapter are useful when selecting
suitable curves to implement cryptosystems.
In Chapter 4 we briefly survey the algorithms known for the discrete
logarithm problem. We demonstrate how the logarithm problem in some
groups, including singular elliptic curves, can be efficiently reduced to
the logarithm problem in a finite field. Chapter 5 presents a reduction
of the elliptic curve logarithm problem to the logarithm problem in a
finite field. The reduction is efficient for a special class of elliptic curves,
namely the supersingular curves. In view of these results, it is evident
that when designing a cryptosystem some care must be exercised in
choosing the curve and underlying field.
Chapter 6 considers various issues that arise in the efficient implementation
of elliptic curve cryptosystems. We demonstrate that these
cryptosystems are very practical, and are amenable to both software
and hardware implementation.
When choosing a curve it is important to know its order to guarantee
that the logarithm problem can resist some of the known attacks on
it. In Chapter 7, we present some heuristics for improving Schoof's
algorithm for counting the number of points on an elliptic curve over
finite fields of characteristic two.
Comments and questions on the text are welcomed and may be sent
by electronic mail to the account [email protected].
I would like to thank Neal Koblitz and Scott Vanstone for encouraging
me to embark upon this project, and supporting it to completion.
I am also grateful to Overtoun Jenda, Paul van Oorschot and
Rob Zuccherato for their careful reading of preliminary versions of this
manuscript and their many helpful comments.

ALFRED MENEZES
Auburn University
Chapter 1

Introduction to Public Key Cryptography

We begin with an introduction to private and public key cryptography,
and then proceed to introduce elliptic curve cryptosystems.

1.1 Private Key Cryptography

The fundamental goal of cryptography has historically been to achieve
privacy, i.e., to enable two people, A (Alice) and B (Bob), to send each
other messages over an insecure channel in such a way that only the
intended recipient can read the message. This objective has traditionally
been met by using private key cryptosystems, which we now describe.
Let M denote the set of all possible plaintext messages, C the set
of all possible ciphertext messages (encrypted messages), and K the set
of all possible keys. A private key cryptosystem consists of a family of
pairs of functions E_k : M → C, D_k : C → M, k ∈ K, such that
D_k(E_k(m)) = m for all m ∈ M and k ∈ K. To use such a system,
A and B initially agree upon a secret key k ∈ K. They may do this,
for example, by physically meeting or by using the services of a trusted
courier. If at a later time A wishes to send B a message m ∈ M, she
sends the ciphertext c = E_k(m) to B, from which B can recover m by
applying the decryption function D_k. Clearly, some desirable properties
of a cryptosystem are that the functions E_k and D_k should be easy to
apply, and that it should be infeasible for an eavesdropper who sees c
to determine the message m (or the key k). The latter property should
hold even if the opponent knows everything about the cryptosystem
being used (except, of course, the particular key chosen).
In the one-time pad, keys are random binary strings. A message,
assumed to be a binary string, is encrypted by exclusive-oring the key
to it, one bit at a time. It is not hard to see that this system is unconditionally
secure in the sense that the eavesdropper can gain no knowledge
about the plaintext (except its length) even with infinite computer resources.
The one-time pad however suffers from the obvious defect that
its key is as long as the message.
The most widely used private key cryptosystem today is the Data
Encryption Standard (DES) [111]. It was developed by IBM and subsequently
adopted as a U.S. standard in 1977 by the National Bureau
of Standards (now called NIST) for the protection of unclassified data.
Keys in DES are only 56 bits in length. Because of the small key size it
remains a question whether DES is vulnerable to an attack by exhaustive
key search; there has been much controversy about the security of
DES. However, to date, these fears have not been realized, and the best
attacks known on DES [13] are not considered to be practical under normal
circumstances. DES has the advantage that it is extremely fast to
implement, both in hardware and software. Software implementations
have achieved encryption rates of 20 Kbits/sec on a personal computer
[145] and 350 Kbits/sec on a Motorola DSP56000 [37], while hardware
implementations can encrypt at the rate of 1 Gbit/sec [38]. In addition,
DES can be programmed on a smart card without using up very much
valuable memory [53].
Although private key cryptography is adequate for many applications,
it has the following disadvantages which make it unsuitable for
use in certain applications.

(i) Key Distribution Problem: As mentioned before, the two users
have to select a key in secret before they can commence communications
over an insecure channel. A secret channel for selecting
a key may not be available.
(ii) Key Management Problem: In a network of n users, every pair of
users must share a secret key, for a total of n(n - 1)/2 keys. If n
is large, then the number of keys becomes unmanageable.
(iii) No signatures possible: A digital signature is an electronic analogue
of a hand-written signature. That is, a digital signature
allows the receiver of a message to convince any third party that
the message in fact originated from the sender. In a private key
cryptosystem, A and B have the same capabilities for encryption
and decryption, and thus B cannot convince a third party that a
message he received from A in fact originated from A.

In 1976, W. Diffie and M. Hellman invented public key cryptography
to address these three deficiencies in private key cryptography. In
Section 1.2 we present their solution to the key distribution problem.
Section 1.3 discusses their solution to the latter two problems.

1.2 Diffie-Hellman Key Exchange

In 1976, Diffie and Hellman in their seminal paper [35] on public key
cryptography described a protocol whereby two people, A and B, can
derive and share a common piece of secret information over an insecure
communications channel. They can then use this secret as their key in a
private key cryptosystem such as DES. We describe this protocol, known
as the Diffie-Hellman key exchange, in terms of an arbitrary group.

(i) (Setup) A and B publicly select a (multiplicatively written) finite
group G and an element α ∈ G.
(ii) A generates a random integer a, computes α^a in G, and transmits
α^a to B over a public communications channel.
(iii) B generates a random integer b, computes α^b in G, and transmits
α^b to A over the same channel.
(iv) A receives α^b and computes (α^b)^a.
(v) B receives α^a and computes (α^a)^b.

A and B now share the common group element α^{ab}. We comment that
this is not an authenticated key exchange since any third party C could
impersonate either A or B. However, the protocol can easily be modified
by requiring a central trusted authority to certify (sign) ahead of time
the element α^a for each user A. This certification can be accomplished
using one of the techniques for digital signatures described in Section 1.4.
Note that an eavesdropper C knows G, α, α^a and α^b, and his task is
to use this information to reconstruct α^{ab}. This problem is commonly
referred to as the Diffie-Hellman problem.
It is clear that if C can use his knowledge of α and α^a to recover
the integer a, then C can easily solve the Diffie-Hellman problem. The
problem of computing a, given G, α and α^a, is called the discrete logarithm
problem. Although it is not known, in general, whether the Diffie-Hellman
and discrete logarithm problems are computationally equivalent,
this is widely believed and assumed to be the case. For this reason
we say that the security of the Diffie-Hellman key exchange is based on
the difficulty of the discrete logarithm problem.

1.3 Public Key Cryptography

To introduce public key cryptography we need to define the notion of a
trapdoor one-way function.
A one-way function f : M → C is an invertible function such that
for each m ∈ M it is "easy" to compute f(m), while for most c ∈ C it is
"hard" to compute f^{-1}(c). This definition can be made more precise by
requiring "easy" to mean computable in polynomial time, and "hard"
to mean requiring exponential time. In practice, the term "hard" will
usually mean computationally infeasible, i.e., infeasible using the best
known algorithms and best available computer technology. At present,
it is not known whether one-way functions exist, although there are
several candidate one-way functions, as we shall see in the next section.
A one-way function f : M → C is said to be a trapdoor one-way
function (TOF) if there is some extra information with which f can be
efficiently inverted. This extra information is called the trapdoor.
To construct a public key cryptosystem, we need a family f_k : M →
C, k ∈ K, of TOFs. The family should have the property that for each
k ∈ K, the trapdoor, denoted t(k), is easy to obtain. Additionally, for
each k ∈ K, it must be possible to describe an efficient algorithm for
computing f_k, such that it is infeasible to recover k (and thus t(k)) from
this description.
Given such a family of TOFs, each user A selects a random a ∈
K and publishes in a (certified) public directory the algorithm E_a for
computing f_a. E_a is the user's public key, while the trapdoor t(a) which
is used to invert f_a is the user's private key. To send a message m ∈
M to A, user B simply looks up A's public key E_a in the directory
and transmits f_a(m) to A. Since A is the only person who possesses
the ability to invert f_a, only A can recover the message m. Observe
that there is no longer the need to exchange keys in secret prior to
communicating. Also, there is only one key pair associated with each
user. Public key cryptosystems thus overcome the key distribution and
management problems inherent with private key systems.
To allow for digital signatures, we assume that M = C. If A wishes
to send B a signed message m, she simply sends B the quantity s =
f_a^{-1}(m) together with m. Now, anyone can verify that m = f_a(s) by
using A's public key E_a, but only A could have computed s. Hence the
quantity s serves as A's signature for the message m. Notice that there
is no secrecy with this scheme. If secrecy is also desired, then A would
send f_b(m) and f_b(s) to B, where E_b is B's public key.
In the next section we study how groups can be utilized as a source
of TOFs.

1.4 Trapdoor One-Way Functions Based on Groups

Let G be a multiplicatively written finite group of order n. We assume
that the group operation is easy to compute, i.e., an efficient (polynomial
time) algorithm is known for computing the product α · β for
any pair of elements α, β ∈ G. Exponentiation in G can then also be
performed efficiently by the "repeated square-and-multiply" method,
outlined below.

Input: α ∈ G, l ∈ Z.
Output: α^l.

(i) Let l = Σ_{i=0}^{t} b_i 2^i, b_i ∈ {0, 1}, b_t = 1, be the binary representation
of l.
(ii) Set β ← α.
(iii) For i from t - 1 downto 0 do
β ← β · β.
If b_i = 1 then
β ← β · α.
(iv) Output β.

Note that the number of group operations used in computing α^l is
at most 2⌈log₂ l⌉, where ⌈x⌉ denotes the smallest integer greater than
or equal to x.
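As an added example (not the book's code), the square-and-multiply procedure above written against an arbitrary group operation, with the group-operation count checked against the 2⌈log₂ l⌉ bound, and the Diffie-Hellman exchange of Section 1.2 run on top of it. The group Z_P^* with P = 2^31 - 1 and α = 7 is a constructed toy parameter set, far too small for real use.

```python
from __future__ import annotations

import secrets
from typing import Callable, TypeVar

T = TypeVar("T")


def square_and_multiply(alpha: T, l: int, mul: Callable[[T, T], T]) -> tuple[T, int]:
    """Steps (i)-(iv) of the text: compute alpha^l using only the group operation `mul`.

    Returns (alpha^l, number of group operations performed).
    """
    if l < 1:
        raise ValueError("exponent must be a positive integer")
    bits = bin(l)[2:]                  # (i): b_t ... b_0 with b_t = 1
    beta = alpha                       # (ii): beta <- alpha
    ops = 0
    for b in bits[1:]:                 # (iii): i from t-1 down to 0
        beta = mul(beta, beta)         #        beta <- beta * beta
        ops += 1
        if b == "1":
            beta = mul(beta, alpha)    #        beta <- beta * alpha
            ops += 1
    return beta, ops                   # (iv)


def ops_bound(l: int) -> int:
    """The text's bound 2*ceil(log2 l); (l-1).bit_length() is ceil(log2 l) exactly for l >= 1."""
    return 2 * (l - 1).bit_length()


# Constructed demo group: G = Z_P^* written multiplicatively. P = 2^31 - 1 is prime and
# 7 is a primitive root mod P, so <ALPHA> is all of G. Real parameters are far larger.
P = 2147483647
ALPHA = 7


def mul_mod_p(x: int, y: int) -> int:
    return x * y % P


def diffie_hellman() -> tuple[int, int, tuple[int, int, int]]:
    """Steps (i)-(v) of Section 1.2 in G = Z_P^*.

    Returns (A's key, B's key, what the eavesdropper C sees: (alpha, alpha^a, alpha^b)).
    """
    a = secrets.randbelow(P - 2) + 1                           # (ii): A's secret integer
    b = secrets.randbelow(P - 2) + 1                           # (iii): B's secret integer
    alpha_a, _ = square_and_multiply(ALPHA, a, mul_mod_p)      # sent A -> B in the clear
    alpha_b, _ = square_and_multiply(ALPHA, b, mul_mod_p)      # sent B -> A in the clear
    key_a, _ = square_and_multiply(alpha_b, a, mul_mod_p)      # (iv): (alpha^b)^a
    key_b, _ = square_and_multiply(alpha_a, b, mul_mod_p)      # (v): (alpha^a)^b
    return key_a, key_b, (ALPHA, alpha_a, alpha_b)


if __name__ == "__main__":
    for l in (1, 2, 3, 1000, 2**20 - 1):
        value, ops = square_and_multiply(ALPHA, l, mul_mod_p)
        assert value == pow(ALPHA, l, P) and ops <= ops_bound(l)
        print(f"l={l}: {ops} group operations (bound {ops_bound(l)})")
    key_a, key_b, seen_by_c = diffie_hellman()
    print("shared key agrees:", key_a == key_b, "| C sees only", seen_by_c)
```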
1.4.1 Group Order as a TOF

Suppose now that G has the property that an efficient algorithm for
multiplying group elements can be described, but computing its order
n from this description is intractable without a specific piece of trapdoor
information. Such groups can be used to construct public key
cryptosystems as follows.
Each user A picks a group G such that she knows n, the order of G.
A then selects a random integer e, 1 ≤ e ≤ n - 1, such that gcd(e, n) = 1
and computes, by using the extended Euclidean algorithm, an integer
d, 1 ≤ d ≤ n - 1, such that ed ≡ 1 (mod n). A's public key consists of
the group G and the integer e. The message and ciphertext spaces are
M = G and C = G respectively. If user B wishes to send m ∈ G to A,
he simply sends the group element c = m^e. A can recover m since she
knows d and can compute

The last equation is true because ed = 1 + kn for some integer k, and
m^n = 1 by Lagrange's Theorem from group theory. Clearly, for the
system to be secure, taking e-th roots in G should also be a computationally
infeasible problem.
If A wishes to send B a signed message m ∈ G, she sends the element
s = m^d to B. B can prove the validity of the signature to any third
party by demonstrating that

There are two classes of groups that we know of which satisfy the
properties mentioned. The first class forms the basis of the RSA cryptosystem,
discussed below. The second class consists of elliptic curves over the
ring Z_n, which we study further in Section 6.7.

1.4.2 RSA Cryptosystem

The RSA cryptosystem was invented in 1977 by Rivest, Shamir and
Adleman [129], and was the first realization of Diffie and Hellman's
abstract model for public key cryptography which we introduced in
Section 1.3.
To set up this system, each user A picks two large primes p and q
and computes their product n = pq. The group used is G = Z_n^*, the
multiplicative group of units in the integers modulo n. (We will always
use the integers 0, 1, 2, ..., n - 1 as representatives of the elements in
Z_n.) It is well known that the order of G is φ(n) = (p - 1)(q - 1), where
φ denotes the Euler phi function. Clearly, A can compute the group
order φ(n). A's public key is the pair of integers (n, e) and her private
key is d.
Now, it is easily seen that the problem of computing φ(n) given
only n is computationally equivalent to the problem of factoring n.
Moreover, no efficient algorithm is known for taking e-th roots in Z_n^*
without the knowledge of p and q. Hence it is believed (although no
proof is known) that breaking the RSA system is equivalent to factoring
n. We say that the security of RSA is based on the factoring problem. A
great deal of progress has been made in devising efficient algorithms for
factoring integers. For a discussion of the two most practical algorithms,
namely the elliptic curve and multi-polynomial quadratic sieve factoring
algorithms, see [126]. With the current state of our knowledge and
technology, if p and q are each about 100 decimal digits, then factoring
n is an intractable problem.
The RSA cryptosystem is the most widely used public key cryptosystem
today. Since multiplication of integers modulo n is a relatively complicated
procedure to implement, and since an exponentiation requires
repeated multiplication, the RSA system cannot achieve the speeds of
private key systems such as DES. Of course, this is also true of all existing
public key systems. RSA encryption and signature verification
can be speeded up significantly by selecting a small exponent e. Typical
values used in practice are e = 3 and e = 2^16 + 1. The fastest
existing hardware implementation of RSA can encrypt data at the rate
of 64 Kbits/sec [60] with a 512-bit modulus n. Software implementations
on the Motorola DSP56000 which can encrypt at the rate of 13.4
Kbits/sec [120, page 314] and 11.6 Kbits/sec [37] have been reported
for a 512-bit modulus.
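As an added example (not the book's code), the group-order TOF of Section 1.4.1 instantiated with G = Z_n^* as in Section 1.4.2: d is obtained with the extended Euclidean algorithm, encryption and signing are e-th and d-th powers, and the last function shows concretely why knowing φ(n) is equivalent to factoring n. The primes 1000003 and 1000033 and the exponent e = 2^16 + 1 are constructed toy values; real moduli are hundreds of digits.

```python
import math


def extended_gcd(a: int, b: int) -> tuple[int, int, int]:
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def inverse_mod(e: int, order: int) -> int:
    """The d of Section 1.4.1: e*d == 1 (mod order), which requires gcd(e, order) = 1."""
    g, x, _ = extended_gcd(e, order)
    if g != 1:
        raise ValueError("e must be coprime to the group order")
    return x % order


def keygen(p: int, q: int, e: int = 2**16 + 1) -> tuple[tuple[int, int], int]:
    """Section 1.4.2: G = Z_n^* with n = p*q; its order phi(n) = (p-1)(q-1) is A's trapdoor."""
    n = p * q
    order = (p - 1) * (q - 1)          # the "group order n" of Section 1.4.1 is phi(n) here
    d = inverse_mod(e, order)
    return (n, e), d                   # public key (n, e), private key d


def encrypt(public: tuple[int, int], m: int) -> int:
    n, e = public
    return pow(m, e, n)                # c = m^e in G


def decrypt(public: tuple[int, int], d: int, c: int) -> int:
    n, _ = public
    # c^d = m^{ed} = m^{1 + k*phi(n)} = m, because m^{phi(n)} = 1 by Lagrange's Theorem
    return pow(c, d, n)


def sign(public: tuple[int, int], d: int, m: int) -> int:
    n, _ = public
    return pow(m, d, n)                # s = m^d; only the holder of d can compute this


def verify(public: tuple[int, int], m: int, s: int) -> bool:
    n, e = public
    return pow(s, e, n) == m           # anyone can check s^e = m using the public key


def factor_from_order(n: int, order: int) -> tuple[int, int]:
    """Why knowing phi(n) is equivalent to factoring n: phi(n) = n - (p+q) + 1 reveals p+q,
    and together with pq = n the primes are the two roots of x^2 - (p+q)x + n."""
    s = n - order + 1                  # p + q
    disc = s * s - 4 * n               # (p - q)^2
    if disc < 0:
        raise ValueError("order is not phi(n) for a product of two primes")
    root = math.isqrt(disc)
    if root * root != disc:
        raise ValueError("order is not phi(n) for a product of two primes")
    return (s - root) // 2, (s + root) // 2


if __name__ == "__main__":
    public, d = keygen(1000003, 1000033)      # constructed toy primes, not a secure size
    m = 123456789
    print("decrypt(encrypt(m)) == m:", decrypt(public, d, encrypt(public, m)) == m)
    print("signature verifies:", verify(public, m, sign(public, d, m)))
    print("factors recovered from phi(n):", factor_from_order(public[0], 1000002 * 1000032))
```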

1.4.3 Exponentiation as a TOF

Let G be a finite group of order n and assume that the discrete logarithm
problem in G is intractable. In 1985, T. ElGamal [39] proposed
the following public key scheme based on discrete exponentiation which
exhibits the properties of a TOF.

ElGamal Cryptosystem
(i) (Setup) A finite group G and element α ∈ G are chosen. Each user
picks a random integer l (the private key), and makes public α^l
(the public key). We suppose that messages are elements of G and
that user A wishes to send a message m to user B.
(ii) A generates a random integer k and computes α^k.
(iii) A looks up B's public key α^b, and computes (α^b)^k and mα^{bk}.
(iv) A sends to B the pair of group elements (α^k, mα^{bk}).
(v) B computes (α^k)^b and uses this to recover m.

It can easily be seen that the security of the ElGamal cryptosystem
and the Diffie-Hellman key exchange are equivalent, and hence the security
of the ElGamal cryptosystem is also based on the difficulty of the
discrete logarithm problem.
For both a secure and an efficient implementation of these cryptosystems,
the group G and element α ∈ G should be chosen to satisfy
the following two conditions.

(i) For efficiency, the group operation in G should be "easy" to apply.
(ii) For security, the discrete logarithm problem in <α>, the cyclic
subgroup of G generated by α, should be "hard".

ElGamal described the system using the multiplicative group of a
finite field Z_p. Some other groups that have since been considered are
the multiplicative group of a finite field F_{2^k}, the group of points on an
elliptic curve over a finite field [67, 100], the Jacobian of a hyperelliptic
curve defined over a finite field [70], the group of non-singular matrices
over a finite field [117], the class group of an imaginary quadratic field
[21], and the group of units Z_n^* where n is a composite integer [85].
A single chip implementation of arithmetic in the finite field F_{2^593}
has been built and is described in [130, 2]. Using exponents of limited
Hamming weight for the ElGamal cryptosystem, encryption rates of 150
Kbits/sec have been achieved. The chip can also perform arithmetic in
the quadratic extension of F_{2^593}, namely F_{2^1186}, for added security.
ElGamal [39] also designed a signature scheme which makes use of
the group G. Let us assume now that G is cyclic and is generated by
α. Let f and g be bijections from M and G respectively to the set of
integers {0, 1, 2, ..., n - 1}. Suppose person A has private key a and
public key α^a, and that A wants to sign a message m ∈ M.
ElGamal Signature Scheme

Creating Signatures A does the following:
(i) Generate a random integer k such that gcd(k, n) = 1.
(ii) Compute the group element r = α^k.
(iii) Solve the congruence

f(m) ≡ a g(r) + k s (mod n) (1.1)

for s. The signature for m is the pair (r, s).

Verifying Signatures Given m and the signature (r, s), we verify as
follows:
(i) Compute r^s = α^{ks} and (α^a)^{g(r)}.
(ii) Compute (α^{a g(r)})(α^{ks}) and α^{f(m)} and verify that they are the same
group element.

The verification works because from (1.1) we have

α^{f(m)} = α^{a g(r)} α^{ks}.

To forge A's signature for a message m, an adversary would have to
solve the equation

α^{f(m)} = (α^a)^{g(r)} r^s

for r and s. Fixing r first and then attempting to solve for s is a discrete
logarithm problem in G. Fixing s first and then attempting to solve
for r gives a mixed exponential congruence in r, for which no efficient
algorithm is known. Hence we say that the security of the ElGamal
signature scheme is based on the difficulty of the discrete logarithm
problem in G.
In practice, the message to be signed is a long sequence of entries
from M. It is inefficient to sign each element of the sequence, so instead
a hash function is first applied to the message to produce a much smaller
message digest, and it is this message digest which is then signed. (A
hash function is a one-way function that takes as input an arbitrarily
long string and outputs a string of a fixed size.) The hash function is
public knowledge. To prevent forgery and impersonation, it must be
infeasible to find two distinct inputs which hash to the same output
value, and it must be infeasible to find an input which hashes to a given
value.

A modification of the ElGamal signature scheme is one given by
Schnorr in [135]. This method requires a hash function $h : M \times G \to
\{0,1,2,\dots,t-1\}$. We describe a variation of Schnorr's scheme below.

Schnorr's Signature Scheme

Creating Signatures To sign message m, person A does the following:
(i) Pick a random integer k and compute the group element $r = \alpha^k$.
(ii) Compute the hash value of m and r, that is, e = h(m, r).
(iii) Compute $s \equiv ae + k \pmod n$. The signature for message m is
(s, e).

Verifying Signatures Given m and the signature (s, e) we verify as
follows:
(i) Compute $\alpha^s$, $(\alpha^a)^e$ and thus $\alpha^s\alpha^{-ae} = r$.
(ii) Verify that h(m, r) equals e.

The verification works because $\alpha^s\alpha^{-ae} = \alpha^k = r$. The security of
Schnorr's signature scheme is also based on the difficulty of the discrete
logarithm problem in G. It has the advantage that signatures can be
smaller than ElGamal signatures by choosing t of an appropriate size.

1.5 NIST Digital Signature Standard


In August 1991, the U.S. National Institute of Standards and Tech-
nology (NIST) proposed a digital signature standard (DSS) [112] and
solicited public comments prior to adoption of the standard. The goal
is to provide a standard for U.S. government organizations to use for
applications in which a digital signature is required. The proposal has
received a lot of attention and comments from industry; some comments
and responses by NIST can be found in [146] and [155]. The reference
[155] also contains a detailed description of the DSS.
The proposed DSS is a variant of the ElGamal and Schnorr signature
schemes described above. We proceed to describe the DSS.

NIST Signature Scheme

Setup Each user picks the following parameters:
(i) p = a prime modulus, where $2^{511} < p < 2^{512}$.
(ii) q = a prime divisor of p - 1, where $2^{159} < q < 2^{160}$.
(iii) g = a generator of the unique cyclic subgroup of $\mathbb{Z}_p^*$ of order q.
(iv) x = an integer with 0 < x < q.
(v) $y = g^x \bmod p$.
The user's public and private keys are y and x, respectively. Let
$H : M \to \mathbb{Z}$ be a one-way hash function, and suppose that the
message to be signed is m.

Creating Signatures
(i) Pick a random integer k, 0 < k < q.
(ii) Compute $r = (g^k \bmod p) \bmod q$.
(iii) Solve the congruence

$$H(m) \equiv -xr + ks \pmod q \qquad (1.2)$$

for s. The signature for m is the pair (r, s).

Verifying Signatures
(i) Compute $w = s^{-1} \bmod q$.
(ii) Compute $u_1 = H(m)w \bmod q$ and $u_2 = rw \bmod q$.
(iii) Compute $v = ((g^{u_1} y^{u_2}) \bmod p) \bmod q$.
(iv) Verify that v = r.

To see that the verification works, notice that from (1.2) we have

$$wH(m) + xrw \equiv k \pmod q,$$

where $w = s^{-1} \bmod q$, or

$$u_1 + xu_2 \equiv k \pmod q.$$

Finally, raising g to the powers $u_1 + xu_2$ and k gives $g^{u_1}y^{u_2} \equiv g^{u_1 + xu_2} \equiv g^k \pmod p$, and hence v = r.

The security of the NIST signature scheme is based on the difficulty
of the discrete logarithm problem in the cyclic subgroup of order q in
$\mathbb{Z}_p^*$ generated by g. However, since the best algorithm known for this
problem requires computing logarithms in $\mathbb{Z}_p^*$, we say that the security
is based on the difficulty of the discrete logarithm problem in $\mathbb{Z}_p^*$. One
of the main criticisms of DSS was that the size of the parameters did
not afford adequate security. Of course, the size of the parameters can
simply be increased and it is expected that NIST will allow for more
flexibility in choosing the parameters in their forthcoming revision of
the standard.
The advantage of working in a subgroup of $\mathbb{Z}_p^*$ is that signature
sizes are smaller. For example, if $p \approx 2^{512}$, then an ElGamal signature
(working in the group $\mathbb{Z}_p^*$) is 1024 bits, while a NIST signature is only
320 bits.
As with the ElGamal and Schnorr signature schemes, the NIST
scheme can be applied to any cyclic group of order q as follows (see
also [155, page 51]). Let G be a cyclic group of order q generated by $\alpha$.

Generalized NIST Signature Scheme

Setup Each user picks a random integer x, 0 < x < q, and publishes
the element $y = \alpha^x$.
Let m be the message to be signed, and $H : M \to \mathbb{Z}$ a one-way hash
function. Also, let g be a bijection from G to the set of integers
$\{0,1,2,\dots,q-1\}$.

Creating Signatures
(i) Pick a random integer k, 0 < k < q, such that gcd(k, q) = 1.
(ii) Compute $r = \alpha^k$.
(iii) Solve the congruence

$$H(m) \equiv -x\,g(r) + ks \pmod q$$

for s. The signature for m is the pair (r, s).

Verifying Signatures
(i) Compute $w = s^{-1} \bmod q$.
(ii) Compute $u_1 = H(m)w \bmod q$ and $u_2 = g(r)w \bmod q$.
(iii) Compute $v = \alpha^{u_1} y^{u_2}$.
(iv) Verify that v = r.

Again, the security of this scheme is based on the difficulty of computing
logarithms in the group G.
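A toy instantiation of the NIST scheme above (equivalently, the generalized scheme with G the order-q subgroup of $\mathbb{Z}_p^*$), added here as an example rather than taken from the book. The parameters p = 23, q = 11 are constructed for illustration and far below the 512-bit and 160-bit sizes of the standard, SHA-256 stands in for the unspecified hash H, and the retry when r = 0 or s = 0 follows the published standard rather than this text; Python 3.8+ is assumed for `pow(k, -1, q)`.

```python
import hashlib
import secrets


def find_generator(p, q):
    """Return an element g of order q in Z_p^*; requires q | p - 1 (DSS setup, step (iii))."""
    if (p - 1) % q != 0:
        raise ValueError("q must divide p - 1")
    for h in range(2, p - 1):
        g = pow(h, (p - 1) // q, p)
        if g != 1:          # g^q = h^(p-1) = 1, so g != 1 has order exactly q (q prime)
            return g
    raise ValueError("no generator found")


def hash_to_int(message: bytes) -> int:
    """Stand-in for H : M -> Z (SHA-256 is an assumption; the book leaves H unspecified)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def dss_sign(p, q, g, x, hm, k):
    """Sign hash value hm with private key x and per-signature secret k, 0 < k < q.
    Solves H(m) = -x r + k s (mod q) for s.  Returns None if r or s is 0, in which
    case the caller must draw a fresh k (FIPS 186 practice, an assumption here)."""
    if not 0 < k < q:
        raise ValueError("k must satisfy 0 < k < q")
    r = pow(g, k, p) % q                          # r = (g^k mod p) mod q
    s = pow(k, -1, q) * (hm % q + x * r) % q      # s = k^{-1}(H(m) + x r) mod q
    if r == 0 or s == 0:
        return None
    return (r, s)


def dss_verify(p, q, g, y, hm, sig):
    """Return True iff (r, s) is a valid signature on hash value hm under public key y."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):            # reject out-of-range values before inverting s
        return False
    w = pow(s, -1, q)
    u1 = (hm % q) * w % q
    u2 = r * w % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


def sign_message(p, q, g, x, message: bytes):
    """Sign a byte string: hash it, draw a fresh secret k, retry if r or s vanished.
    k must be unpredictable and never reused: it is the only thing hiding x."""
    hm = hash_to_int(message)
    while True:
        k = 1 + secrets.randbelow(q - 1)
        sig = dss_sign(p, q, g, x, hm, k)
        if sig is not None:
            return sig


def demo():
    """Toy run with constructed parameters p = 23, q = 11 (q | p - 1 = 22)."""
    p, q = 23, 11
    g = find_generator(p, q)                     # g = 4: 2^((23-1)/11) = 4 and 4^11 = 1 mod 23
    x = 7                                        # private key, 0 < x < q
    y = pow(g, x, p)                             # public key y = g^x mod p = 8
    msg = b"constructed sample message"
    sig = sign_message(p, q, g, x, msg)
    return dss_verify(p, q, g, y, hash_to_int(msg), sig)


if __name__ == "__main__":
    print("signature verifies:", demo())
```

With k = 3 and hash value 5 the worked values are r = (4^3 mod 23) mod 11 = 7 and s = 3^{-1}(5 + 7·7) mod 11 = 7, and the verifier recovers v = (4^7 · 8 mod 23) mod 11 = 7 = r.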

1.6 Elliptic Curve Cryptosystems


The points on an elliptic curve E over a finite field K form an abelian
group. The addition operation of this abelian group involves a few arith-
metic operations in the underlying field K, and is easy to implement,
both in hardware and in software. Moreover, the discrete logarithm
problem in this group is believed to be very difficult, in particular,
harder than the discrete logarithm problem in finite fields of the same
size as K. It was for these reasons that elliptic curves were first sug-
gested in 1985 by N. Koblitz [67] and V. Miller [100] for implementing
public key cryptosystems.
Elliptic curves over finite fields can be used to implement the Diffie-
Hellman key passing scheme, and the ElGamal, Schnorr and NIST sig-
nature schemes. These systems potentially provide security equivalent
to that of the existing public key schemes, but with shorter key lengths. Having
short key lengths means smaller bandwidth and memory requirements
and can be a crucial factor in some applications, for example the de-
sign of smart card systems, where both memory and processing power
are limited. The arithmetic processor on a smart card is generally re-
stricted in size to an area of roughly 20 mm² [53, page 579]. The chip
[60] designed to do modular multiplication of 512-bit numbers for use
in the RSA encryption scheme has about 50,000 gates, while the chip
designed to perform arithmetic in the field $\mathbb{F}_{2^{593}}$ has about 90,000 gates.
With current technology, placing these devices on a smart card is a com-
plicated and expensive procedure. By comparison, a chip designed to
do arithmetic in $\mathbb{F}_{2^m}$, where $m \approx 200$ (which is used to perform the
operations in an elliptic curve over $\mathbb{F}_{2^m}$), would have less than 15,000
gates, and would occupy less than 20% of the 20 mm² area assigned for
the processor. In fact, in an effort to demonstrate the feasibility of such
devices, an $\mathbb{F}_{2^{155}}$ ASIC (application specific integrated circuit) has been
built [3]; it has about 11,000 gates. Experience with this device now
indicates that a complete elliptic curve cryptosystem over $\mathbb{F}_{2^{155}}$ could
be fabricated and use up less than 4% of the area designated for a smart
card processor.
Another advantage to be gained by using elliptic curves is that each
user may select a different curve E, even though all users use the same
underlying field K. Consequently, all users require the same hardware
for performing the field arithmetic, and the curve E can be changed
periodically for extra security.

1.7 Notes
For a survey of the use of elliptic curves in number-theoretic algorithms,
see [8], [78] and [81].
For an account on the development of DES, consult [145].
Diffie [34] gives a delightful synopsis of public key cryptography and
its early development. A comprehensive overview of public key cryp-
tography can be found in [114].
For an extensive study of digital signatures including potential appli-
cations to public key certification, electronic mail, and secure telephone
systems, consult [102]. Some hash functions that have been proposed
are MD4 [127], MD5 [128] and SHS [113]. We note that private key
cryptosystems can be used indirectly for digital signatures; for exam-
ple, see [99]. The article [53] discusses the technology of smart cards,
and also their security and applications.
Some other well-known public key cryptosystems not discussed here
are the Chor-Rivest knapsack [27], McEliece's cryptosystem based on
algebraic coding theory [88], the Goldwasser-Micali probabilistic encryp-
tion scheme [49], and the Fiat-Shamir signature scheme [42]. Among
the many cryptosystems known whose security is based on the diffi-
culty of the discrete logarithm problem, we mention [11], [14], [18] and
[148]. There are many applications of public key cryptography besides
privacy and signatures, for example, authentication, identification, no-
tarization, virus protection, and voting schemes. Some good references
on the different aspects of cryptography are [16], [68], [144] and [153].
In [15], the equivalence of the discrete logarithm and Diffie-Hellman
problem is shown for a special kind of group G. The result there can
be generalized to obtain the following: if G is a cyclic group of order
n, where $\phi(n)$ is smooth, then there is a probabilistic polynomial time
reduction of the discrete logarithm problem in G to the Diffie-Hellman
problem in G.
For a thorough comparison of the RSA cryptosystem and the ElGamal
cryptosystem in fields $\mathbb{F}_{2^m}$, including a detailed analysis of the
underlying mathematical problems, we refer the reader to [120].
Chapter 2

Introduction to Elliptic
Curves

In this chapter, we introduce some basic notions about elliptic curves,
and collect various results that will be used throughout this book. We
make no attempt to be complete in the presentation; rather we wish to
expand upon the introduction to elliptic curves provided in Chapter 6
of Koblitz's book [68]. Unless otherwise stated, proofs of these results
can be found in the book by J. Silverman [140]. For an elementary
introduction to elliptic curves, we recommend the notes by Charlap and
Robbins [26], and also the recent book by Silverman and Tate [141].

2.1 Definitions
Let $\mathbb{F}_q$ denote the finite field containing q elements, where q is a prime
power. If K is a field, let $\bar K$ denote its algebraic closure. (If $K =
\mathbb{F}_q$ then $\bar K = \bigcup_{m \ge 1} \mathbb{F}_{q^m}$.) The projective plane $\mathbb{P}^2(\bar K)$ over $\bar K$ is the
set of equivalence classes of the relation $\sim$ acting on $\bar K^3 \setminus \{(0,0,0)\}$,
where $(X_1,Y_1,Z_1) \sim (X_2,Y_2,Z_2)$ if and only if there exists $u \in \bar K^*$ such
that $X_1 = uX_2$, $Y_1 = uY_2$, and $Z_1 = uZ_2$. We denote the equivalence
class containing (x, y, z) by (x : y : z). A Weierstrass equation is a
homogeneous equation of degree 3 of the form

$$Y^2Z + a_1XYZ + a_3YZ^2 = X^3 + a_2X^2Z + a_4XZ^2 + a_6Z^3,$$

where $a_1, a_2, a_3, a_4, a_6 \in \bar K$. The Weierstrass equation is said to be
smooth or non-singular if for all projective points $P = (X : Y : Z) \in
\mathbb{P}^2(\bar K)$ satisfying

$$F(X,Y,Z) = Y^2Z + a_1XYZ + a_3YZ^2 - X^3 - a_2X^2Z - a_4XZ^2 - a_6Z^3 = 0,$$

at least one of the three partial derivatives $\frac{\partial F}{\partial X}$, $\frac{\partial F}{\partial Y}$, $\frac{\partial F}{\partial Z}$ is non-zero at P.
If all three partial derivatives vanish at some point P, then P is called
a singular point, and the Weierstrass equation is said to be singular.
An elliptic curve E (or an algebraic curve of genus 1) is the set of all
solutions in $\mathbb{P}^2(\bar K)$ of a smooth Weierstrass equation. There is exactly
one point in E with Z-coordinate equal to 0, namely (0 : 1 : 0). We call
this point the point at infinity and denote it by O.
For convenience, we will write the Weierstrass equation for an elliptic
curve using non-homogeneous (affine) coordinates $x = X/Z$, $y = Y/Z$,

$$y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6. \qquad (2.1)$$

An elliptic curve E is then the set of solutions to equation (2.1) in the
affine plane $\mathbb{A}^2(\bar K) = \bar K \times \bar K$, together with the extra point at infinity
O. If $a_1, a_2, a_3, a_4, a_6 \in K$, then E is said to be defined over K, and we
denote this by E/K. If E is defined over K, then the set of K-rational
points of E, denoted E(K), is the set of points both of whose coordinates
lie in K, together with the point O. We will abuse the notation slightly,
and label the defining equation (2.1) as E.
Two elliptic curves are said to be isomorphic if they are isomorphic as
projective varieties. Briefly, two projective varieties $V_1, V_2$ defined over
a field K are isomorphic over K if there exist morphisms $\phi : V_1 \to V_2$,
$\psi : V_2 \to V_1$ ($\phi, \psi$ defined over K), such that $\psi \circ \phi$ and $\phi \circ \psi$ are
the identity maps on $V_1, V_2$ respectively. The following result relates
the notion of isomorphism of elliptic curves to the coefficients of the
Weierstrass equations that define the curves.

Theorem 2.1 Two elliptic curves $E_1/K$ and $E_2/K$ given by the equa-
tions

are isomorphic over K, denoted $E_1/K \cong E_2/K$, if and only if there
exist $u, r, s, t \in K$, $u \ne 0$, such that the change of variables
(2.2)
transforms equation $E_1$ to equation $E_2$. The relationship of isomorphism
is an equivalence relation. $\square$

The change of variables (2.2) is referred to as an admissible change
of variables. Notice that if $E_1 \cong E_2$ over K, and if the change of
variables (2.2) transforms equation $E_1$ to equation $E_2$, then the change
of variables

transforms equation $E_2$ to equation $E_1$, and (2.3) is also an admissible
change of variables. Also,

maps the points of $E_1$ onto the points of $E_2$, while

(2.5)

maps $E_2$ onto $E_1$. Note also that $\psi \circ \phi$ is the identity map on $E_1$, while
$\phi \circ \psi$ is the identity map on $E_2$. In fact, $\phi$ restricted to $E_1(K)$ is a
bijection between $E_1(K)$ and $E_2(K)$.
Now, if $E_1 \cong E_2$ over K, then the change of variables (2.2) trans-
forms equation $E_1$ to equation $E_2$. This yields the following set of
equations:

$$\begin{aligned}
u\bar a_1 &= a_1 + 2s \\
u^2\bar a_2 &= a_2 - sa_1 + 3r - s^2 \\
u^3\bar a_3 &= a_3 + ra_1 + 2t \\
u^4\bar a_4 &= a_4 - sa_3 + 2ra_2 - (t + rs)a_1 + 3r^2 - 2st \\
u^6\bar a_6 &= a_6 + ra_4 + r^2a_2 + r^3 - ta_3 - t^2 - rta_1.
\end{aligned} \qquad (2.6)$$

The next theorem is now clearly equivalent to Theorem 2.1.

Theorem 2.2 Two elliptic curves $E_1/K$ and $E_2/K$ are isomorphic
over K if and only if there exist $u, r, s, t \in K$, $u \ne 0$, that satisfy
(2.6). $\square$

2.2 Group Law


It is well known that the points on an elliptic curve form an abelian
group under a certain addition. Let E be an elliptic curve given by the
Weierstrass equation (2.1). The addition rules are given below.

For all $P, Q \in E$,

(i) O + P = P and P + O = P. (So O serves as the identity element.)
(ii) -O = O.
(iii) If $P = (x_1, y_1) \ne O$, then $-P = (x_1, -y_1 - a_1x_1 - a_3)$. (Note
that P and -P are the only points on E with x-coordinate equal
to $x_1$.)
(iv) If Q = -P, then P + Q = O.
(v) If $P \ne O$, $Q \ne O$, $Q \ne -P$, then let R be the third point
of intersection (counting multiplicities) of either the line PQ if
$P \ne Q$, or the tangent line to the curve at P if P = Q, with
the curve (as usual, the tangent line to the curve f(x, y) = 0 at
P = (a, b) is the line $\frac{\partial f}{\partial x}(P)(x - a) + \frac{\partial f}{\partial y}(P)(y - b) = 0$). Then
P + Q = -R.

Theorem 2.3 (E, +) is an abelian group with identity element O. If
E is defined over K, then E(K) is a subgroup of E. $\square$

We remark that the only difficulty in proving Theorem 2.3 lies in
verifying the associativity of the addition rule. Two proofs which are
easiest to follow are the geometric argument presented in [24] and the
algebraic argument using divisor theory in [26].
The map $\phi$ defined in (2.4) is a group isomorphism between $E_1(K)$
and $E_2(K)$. Hence if $E_1/K \cong E_2/K$, then $E_1(K)$ and $E_2(K)$ are also
isomorphic as abelian groups. The converse statement is not true in
general, as we shall see in Example 3.4.
Explicit rational formulae for the coordinates of P + Q in terms of the
coordinates of P and Q for case (v) are easy to derive. Let $P = (x_1, y_1)$,
$Q = (x_2, y_2)$, $P + Q = (x_3, y_3)$. Let l be the line passing through P and
Q if $P \ne Q$, or the tangent line to the curve at P in the case P = Q.
The slope of l is

$$\lambda = \begin{cases}
\dfrac{y_2 - y_1}{x_2 - x_1}, & \text{if } P \ne Q, \\[2ex]
\dfrac{3x_1^2 + 2a_2x_1 + a_4 - a_1y_1}{2y_1 + a_1x_1 + a_3}, & \text{if } P = Q.
\end{cases}$$

If $\beta = y_1 - \lambda x_1$, then the equation defining l is $y = \lambda x + \beta$. To find the
third point of intersection of l with the curve, we substitute $y = \lambda x + \beta$
into the equation (2.1) to get a cubic polynomial equation

$$x^3 + a_2x^2 + a_4x + a_6 - (\lambda x + \beta)^2 - a_1x(\lambda x + \beta) - a_3(\lambda x + \beta) = 0. \qquad (2.7)$$

Now, the roots of (2.7) are $x_1, x_2$ and $x_3$. Hence (2.7) factors as

$$(x - x_1)(x - x_2)(x - x_3) = 0. \qquad (2.8)$$

Comparing coefficients of $x^2$ in (2.7) and (2.8), we obtain

$$-(x_1 + x_2 + x_3) = a_2 - \lambda^2 - a_1\lambda.$$

Hence

$$x_3 = \lambda^2 + a_1\lambda - a_2 - x_1 - x_2$$

and

$$y_3 = -(\lambda + a_1)x_3 - \beta - a_3.$$

If $P, Q \in E(K)$, then computing P + Q involves just a few arithmetic
operations in the field K. Hence if K is a finite field, then computing
P + Q takes (deterministic) polynomial time.

2.3 The Discriminant and j-Invariant


Let E be a curve given by a non-homogeneous Weierstrass equation
(2.1). Define the quantities

$$\begin{aligned}
d_2 &= a_1^2 + 4a_2 \\
d_4 &= 2a_4 + a_1a_3 \\
d_6 &= a_3^2 + 4a_6 \\
d_8 &= a_1^2a_6 + 4a_2a_6 - a_1a_3a_4 + a_2a_3^2 - a_4^2 \\
c_4 &= d_2^2 - 24d_4 \\
\Delta &= -d_2^2d_8 - 8d_4^3 - 27d_6^2 + 9d_2d_4d_6 \qquad (2.9) \\
j(E) &= c_4^3/\Delta. \qquad (2.10)
\end{aligned}$$

The quantity $\Delta$ is called the discriminant of the Weierstrass equation,
while j(E) is called the j-invariant of E if $\Delta \ne 0$. The next two theorems
explain the significance of these quantities.

Theorem 2.4 E is an elliptic curve, i.e., the Weierstrass equation is
non-singular, if and only if $\Delta \ne 0$. $\square$

Theorem 2.5 If two elliptic curves $E_1/K$ and $E_2/K$ are isomorphic
over K, then $j(E_1) = j(E_2)$. The converse is also true if K is an
algebraically closed field. $\square$

2.4 Curves over K, char(K) ≠ 2, 3

If an elliptic curve is defined over a field K whose characteristic is neither
2 nor 3, then the Weierstrass equation for the curve can be simplified
considerably.
Let E/K be an elliptic curve given by the Weierstrass equation (2.1).
If char(K) $\ne$ 2, then the admissible change of variables

$$(x, y) \mapsto \left(x,\ y - \frac{a_1}{2}x - \frac{a_3}{2}\right)$$

transforms E/K to the curve

$$E'/K : y^2 = x^3 + b_2x^2 + b_4x + b_6.$$

Note that $E \cong E'$ over K.
If char(K) $\ne$ 2, 3, then the admissible change of variables

$$(x, y) \mapsto \left(\frac{x - 3b_2}{36},\ \frac{y}{216}\right)$$

further transforms E' to the curve

$$E''/K : y^2 = x^3 + ax + b.$$

Note again that $E' \cong E''$ over K, and hence $E \cong E''$ over K.
Hence if char(K) $\ne$ 2, 3, we can assume that E/K has the form

$$E : y^2 = x^3 + ax + b, \quad a, b \in K. \qquad (2.11)$$

That is, we can always select a Weierstrass equation for E so that $a_1 =
a_2 = a_3 = 0$.
For the remainder of this section, we will assume that K is a field
whose characteristic is neither 2 nor 3.
Let E/K be an elliptic curve given by the Weierstrass equation
(2.11). The associated quantities, which specialize equations (2.9) and
(2.10), are

and

$$j(E) = -1728(4a)^3/\Delta.$$

Since E is assumed to be non-singular, we have $\Delta \ne 0$. Specializing
Theorem 2.2 gives the next result.

Theorem 2.6 The elliptic curves $E_1/K : y^2 = x^3 + ax + b$ and $E_2/K :
y^2 = x^3 + \bar a x + \bar b$ are isomorphic over K if and only if there exists
$u \in K^*$ such that $u^4\bar a = a$ and $u^6\bar b = b$. If $E_1 \cong E_2$ over K, then the
isomorphism is given by

$$\phi : E_1 \to E_2, \quad \phi : (x, y) \mapsto (u^{-2}x, u^{-3}y),$$

or equivalently,
$\square$

Addition Formula
If $P = (x_1, y_1) \in E$, then $-P = (x_1, -y_1)$. If $Q = (x_2, y_2) \in E$,
$Q \ne -P$, then $P + Q = (x_3, y_3)$, where

$$x_3 = \lambda^2 - x_1 - x_2, \qquad y_3 = \lambda(x_1 - x_3) - y_1,$$

and

$$\lambda = \begin{cases}
\dfrac{y_2 - y_1}{x_2 - x_1}, & \text{if } P \ne Q, \\[2ex]
\dfrac{3x_1^2 + a}{2y_1}, & \text{if } P = Q.
\end{cases}$$
Example 2.7 The equation $E : y^2 = x^3 + x + 6$ over the finite field $\mathbb{Z}_{11}$
(the integers modulo 11) defines an elliptic curve since its discriminant
is $\Delta = 4 \ne 0$. The $\mathbb{Z}_{11}$-rational points on E are

$$E(\mathbb{Z}_{11}) = \{O, (2,4), (2,7), (3,5), (3,6), (5,2), (5,9), (7,2), (7,9), (8,3), (8,8), (10,2), (10,9)\}.$$

Some applications of the addition law are (2,4) + (2,7) = O, (2,4) +
(3,5) = (7,2), and (2,4) + (2,4) = (5,9). $\square$
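The addition formula and Example 2.7 carried out in code, added here as an example and not the book's own: arithmetic on $y^2 = x^3 + ax + b$ over $\mathbb{Z}_p$ for a prime p > 3, with O represented by `None`. The discriminant is computed from the standard specialization $\Delta = -16(4a^3 + 27b^2)$ of (2.9), which the scan does not show; Python 3.8+ is assumed for `pow(n, -1, p)`.

```python
# Elliptic curve y^2 = x^3 + a*x + b over Z_p, p > 3 prime (char(K) != 2, 3).
# Affine points are (x, y) tuples; the point at infinity O is None.
O = None


def inv(n, p):
    """Multiplicative inverse in Z_p (raises ValueError if n = 0 mod p)."""
    return pow(n % p, -1, p)


def discriminant(p, a, b):
    """Delta = -16(4a^3 + 27b^2) mod p; the curve is non-singular iff this is non-zero."""
    return (-16 * (4 * a**3 + 27 * b**2)) % p


def on_curve(P, p, a, b):
    if P is O:
        return True
    x, y = P
    return (y * y - (x**3 + a * x + b)) % p == 0


def negate(P, p):
    """-P = (x, -y); -O = O."""
    if P is O:
        return O
    x, y = P
    return (x, (-y) % p)


def add(P, Q, p, a):
    """P + Q by the chord-and-tangent rules (the addition formula of Section 2.4)."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:      # Q = -P (also covers doubling a point with y = 0)
        return O
    if P == Q:
        lam = (3 * x1 * x1 + a) * inv(2 * y1, p) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def multiply(k, P, p, a):
    """kP by double-and-add (k >= 0)."""
    R, Q = O, P
    while k:
        if k & 1:
            R = add(R, Q, p, a)
        Q = add(Q, Q, p, a)
        k >>= 1
    return R


def order(P, p, a):
    """Order of P: smallest k >= 1 with kP = O (brute force, fine for toy fields)."""
    k, Q = 1, P
    while Q is not O:
        Q = add(Q, P, p, a)
        k += 1
    return k


def rational_points(p, a, b):
    """E(Z_p): O plus every (x, y) satisfying the curve equation, by exhaustive search."""
    pts = [O]
    for x in range(p):
        rhs = (x**3 + a * x + b) % p
        for y in range(p):
            if y * y % p == rhs:
                pts.append((x, y))
    return pts


if __name__ == "__main__":
    p, a, b = 11, 1, 6                           # the curve of Example 2.7
    print("Delta =", discriminant(p, a, b))      # 4
    pts = rational_points(p, a, b)
    print(len(pts), "points:", pts)              # 13 points
    print(add((2, 4), (2, 7), p, a))             # None, i.e. O
    print(add((2, 4), (3, 5), p, a))             # (7, 2)
    print(add((2, 4), (2, 4), p, a))             # (5, 9)
    print("order of (2,4):", order((2, 4), p, a))   # 13, so E(Z_11) is cyclic
```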

2.5 Curves over K, char(K) = 2

Let K be a field of characteristic 2, and let E/K be the elliptic curve
given by the Weierstrass equation

Specializing (2.10) we find that $j(E) = a_1^{12}/\Delta$.
If $j(E) \ne 0$ (so $a_1 \ne 0$), then the admissible change of variables

$$(x, y) \mapsto \left(a_1^2x + \frac{a_3}{a_1},\ a_1^3y + \frac{a_1^2a_4 + a_3^2}{a_1^3}\right)$$

transforms E to the curve

$$E_1/K : y^2 + xy = x^3 + a_2x^2 + a_6. \qquad (2.12)$$

For $E_1$, $\Delta = a_6$ and $j(E_1) = 1/a_6$.
If j(E) = 0 (so $a_1 = 0$), then the admissible change of variables

$$(x, y) \mapsto (x + a_2, y)$$

transforms E to the curve

$$E_2/K : y^2 + a_3y = x^3 + a_4x + a_6. \qquad (2.13)$$

For $E_2$, $\Delta = a_3^4$ and $j(E_2) = 0$.

Addition Formula when j(E) ≠ 0

Let $P = (x_1, y_1) \in E_1$; then $-P = (x_1, y_1 + x_1)$. If $Q = (x_2, y_2) \in E_1$
and $Q \ne -P$, then $P + Q = (x_3, y_3)$, where

$$x_3 = \begin{cases}
\left(\dfrac{y_1 + y_2}{x_1 + x_2}\right)^2 + \dfrac{y_1 + y_2}{x_1 + x_2} + x_1 + x_2 + a_2, & P \ne Q, \\[2ex]
x_1^2 + \dfrac{a_6}{x_1^2}, & P = Q,
\end{cases}$$

and

$$y_3 = \begin{cases}
\left(\dfrac{y_1 + y_2}{x_1 + x_2}\right)(x_1 + x_3) + x_3 + y_1, & P \ne Q, \\[2ex]
x_1^2 + \left(x_1 + \dfrac{y_1}{x_1}\right)x_3 + x_3, & P = Q.
\end{cases}$$

Addition Formula when j(E) = 0

Let $P = (x_1, y_1) \in E_2$; then $-P = (x_1, y_1 + a_3)$. If $Q = (x_2, y_2) \in E_2$
and $Q \ne -P$, then $P + Q = (x_3, y_3)$, where

$$x_3 = \begin{cases}
\left(\dfrac{y_1 + y_2}{x_1 + x_2}\right)^2 + x_1 + x_2, & P \ne Q, \\[2ex]
& P = Q,
\end{cases}$$

and

$$y_3 = \begin{cases}
& P \ne Q, \\[2ex]
& P = Q.
\end{cases}$$

We will not consider elliptic curves over fields of characteristic 3 in
this book.

2.6 Group Structure


Let E be an elliptic curve defined over $\mathbb{F}_q$. Let $q = p^m$, where p (a
prime) is the characteristic of $\mathbb{F}_q$. We denote the number of points in
$E(\mathbb{F}_q)$ by $\#E(\mathbb{F}_q)$.
If E is given by a Weierstrass equation (2.1), then since this equa-
tion has at most 2 solutions for each choice of $x \in \mathbb{F}_q$, we know that
$\#E(\mathbb{F}_q) \le 2q + 1$. Heuristically, we would expect that for each choice of
$x \in \mathbb{F}_q$ the equation (2.1) has a solution in $\mathbb{F}_q$ with probability 1/2, and
consequently $\#E(\mathbb{F}_q) \approx q$. The following theorem confirms that this
reasoning is correct. We will discuss algorithms for computing $\#E(\mathbb{F}_q)$
in Chapter 7.

Theorem 2.8 (Hasse) Let $\#E(\mathbb{F}_q) = q + 1 - t$. Then $|t| \le 2\sqrt q$. $\square$

An important consequence of Hasse's Theorem is that we can pick
points P uniformly and randomly on an elliptic curve $E(\mathbb{F}_q)$ in prob-
abilistic polynomial time. This can be accomplished as follows. We
first randomly choose an element $x_1 \in \mathbb{F}_q$. If $x_1$ is the x-coordinate of
some point in $E(\mathbb{F}_q)$, then we can find $y_1$ such that $(x_1, y_1) \in E(\mathbb{F}_q)$
by solving a root finding problem in $\mathbb{F}_q$. There are various techniques
for finding the roots of a polynomial over $\mathbb{F}_q$ in probabilistic polynomial
time; for example, see [10]. We then set $P = (x_1, y_1)$ or $(x_1, -y_1)$ if the
curve has equation (2.11) (respectively, $P = (x_1, y_1)$ or $(x_1, y_1 + x_1)$, and
$P = (x_1, y_1)$ or $(x_1, y_1 + a_3)$ if the curve has equation (2.12) or (2.13)).
From Hasse's Theorem, the probability that $x_1$ is the x-coordinate of
some point in $E(\mathbb{F}_q)$ is at least $1/2 - 1/\sqrt q$. Note that with the method
just described the probability of picking a point of order 2 is twice the
probability of picking any other point; this does not present a problem
as there are at most three points of order 2.
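The random-point procedure just described, written out as an added example (not the book's code) for $y^2 = x^3 + ax + b$ over a prime field $\mathbb{F}_p$. Square roots are taken by Tonelli-Shanks, which goes beyond the page in covering every odd prime p rather than only the $p \equiv 3 \pmod 4$ shortcut, and the per-trial success probability is compared with the Hasse bound on the curve of Example 2.7.

```python
import math
import random


def sqrt_mod(n, p):
    """A square root of n modulo an odd prime p, or None if n is a non-residue
    (Euler's criterion).  Tonelli-Shanks; p = 3 (mod 4) uses the usual shortcut."""
    n %= p
    if n == 0:
        return 0
    if pow(n, (p - 1) // 2, p) != 1:
        return None
    if p % 4 == 3:
        return pow(n, (p + 1) // 4, p)
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:       # find a quadratic non-residue z
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        i, tt = 0, t
        while tt != 1:
            tt = tt * tt % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def random_point(p, a, b, rng=None):
    """Pick a point of E(F_p) as in the text: random x1, solve for y1, then P = (x1, y1)
    or (x1, -y1).  Each trial succeeds with probability at least 1/2 - 1/sqrt(p) by Hasse."""
    rng = rng or random.SystemRandom()
    while True:
        x1 = rng.randrange(p)
        y1 = sqrt_mod(x1**3 + a * x1 + b, p)
        if y1 is None:
            continue
        if rng.randrange(2):                      # choose between y1 and -y1 (the same point
            y1 = (-y1) % p                        #  when y1 = 0: the order-2 bias the text notes)
        return (x1, y1)


def success_probability(p, a, b):
    """Exact fraction of x in F_p that is the x-coordinate of some point (exhaustive count)."""
    good = sum(1 for x in range(p) if sqrt_mod(x**3 + a * x + b, p) is not None)
    return good / p


def hasse_lower_bound(p):
    """1/2 - 1/sqrt(p): from #E(F_p) >= p + 1 - 2 sqrt(p) there are at least
    (p - 2 sqrt(p))/2 distinct x-coordinates among the affine points."""
    return 0.5 - 1 / math.sqrt(p)


if __name__ == "__main__":
    p, a, b = 11, 1, 6                            # the curve of Example 2.7, 13 points
    rng = random.Random(2024)                     # seeded only so the run is reproducible
    print(random_point(p, a, b, rng))
    print(success_probability(p, a, b), ">=", hasse_lower_bound(p))   # 6/11 >= 0.198...
```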

The next result, proved by Waterhouse [152], determines the possible
values for $\#E(\mathbb{F}_q)$ as E varies over all elliptic curves defined over $\mathbb{F}_q$,
where $q = p^m$.

Lemma 2.9 There exists an elliptic curve $E/\mathbb{F}_q$ such that $E(\mathbb{F}_q)$ has
order q + 1 - t over $\mathbb{F}_q$ if and only if one of the following conditions
holds:

(i) $t \not\equiv 0 \pmod p$ and $t^2 \le 4q$.
(ii) m is odd and one of the following holds:
(1) t = 0.
(2) $t^2 = 2q$ and p = 2.
(3) $t^2 = 3q$ and p = 3.
(iii) m is even and one of the following holds:
(1) $t^2 = 4q$.
(2) $t^2 = q$ and $p \not\equiv 1 \pmod 3$.
(3) t = 0 and $p \not\equiv 1 \pmod 4$. $\square$

Note that if q = p is a prime, then there exists at least one elliptic
curve E defined over $\mathbb{F}_p$ with $\#E(\mathbb{F}_p) = p + 1 - t$ for every t satisfying
$|t| \le 2\sqrt p$. In fact, as E varies over all elliptic curves over $\mathbb{F}_p$, the
values $\#E(\mathbb{F}_p)$ are nearly uniformly distributed in the interval of size
$\sqrt p$ centered at p + 1. This statement is made precise in the following
theorem, which was a key ingredient in Lenstra's elliptic curve algorithm
for factoring integers [80].

Theorem 2.10 There exist positive effectively computable constants $c_1$
and $c_2$ such that for each prime $p \ge 5$ and for any subset S of integers
in the interval $(p + 1 - \sqrt p,\ p + 1 + \sqrt p]$, the probability $r_S$ of a random
pair $(a, b) \in \mathbb{F}_p \times \mathbb{F}_p$ defining an elliptic curve $E : y^2 = x^3 + ax + b$ with
$\#E(\mathbb{F}_p) \in S$ is bounded as follows:

$$\frac{\#S - 2}{2\lfloor\sqrt p\rfloor + 1} \cdot c_1(\log p)^{-1} \le r_S \le \frac{\#S}{2\lfloor\sqrt p\rfloor + 1} \cdot c_2(\log p)(\log\log p)^2. \qquad \square$$

The elliptic curve E is said to be supersingular if p divides t, where
$\#E(\mathbb{F}_q) = q + 1 - t$. Otherwise, it is called non-supersingular. It is
well-known that if p = 2 or if p = 3, then E is supersingular if and only
if j(E) = 0. From Lemma 2.9, we can easily deduce the following.

Corollary 2.11 Let E be defined over $\mathbb{F}_q$. Then E is supersingular if
and only if $t^2 = 0, q, 2q, 3q$, or 4q. $\square$

The next theorem gives the group type of $E(\mathbb{F}_q)$. We use $\mathbb{Z}_n$ (or
$\mathbb{Z}/n$) to denote the cyclic group on n elements. We first recall some
standard results from abelian group theory. Every finite abelian group
G can be decomposed into a direct sum of cyclic groups

$$G = \mathbb{Z}_{n_1} \oplus \mathbb{Z}_{n_2} \oplus \cdots \oplus \mathbb{Z}_{n_s},$$

where $n_{i+1} \mid n_i$ for all i = 1, 2, ..., s - 1, and $n_s \ge 2$. Furthermore this
decomposition is unique in the following sense: if

$$G = \mathbb{Z}_{m_1} \oplus \mathbb{Z}_{m_2} \oplus \cdots \oplus \mathbb{Z}_{m_t}$$

is another decomposition of G into a direct sum of cyclic groups where
$m_{i+1} \mid m_i$ for all i = 1, 2, ..., t - 1, and $m_t \ge 2$, then s = t and $n_i = m_i$
for each i = 1, 2, ..., s. We say that G is an abelian group of type
$(n_1, n_2, \dots, n_s)$ and rank s.

Theorem 2.12 $E(\mathbb{F}_q)$ is an abelian group of rank 1 or 2. The type
of the group is $(n_1, n_2)$, i.e., $E(\mathbb{F}_q) \cong \mathbb{Z}_{n_1} \oplus \mathbb{Z}_{n_2}$ where $n_2 \mid n_1$, and
furthermore $n_2 \mid q - 1$. $\square$

In Section 5.4 we will describe an algorithm for computing the group
structure of $E(\mathbb{F}_q)$. If E is a supersingular curve, then the group struc-
ture of $E(\mathbb{F}_q)$ is determined by the next result.

Lemma 2.13 ([137]) Let $\#E(\mathbb{F}_q) = q + 1 - t$.

(i) If $t^2 = q, 2q$, or 3q, then $E(\mathbb{F}_q)$ is cyclic.
(ii) If $t^2 = 4q$, then either $E(\mathbb{F}_q) \cong \mathbb{Z}_{\sqrt q - 1} \oplus \mathbb{Z}_{\sqrt q - 1}$ or $E(\mathbb{F}_q) \cong
\mathbb{Z}_{\sqrt q + 1} \oplus \mathbb{Z}_{\sqrt q + 1}$, depending on whether $t = 2\sqrt q$ or $t = -2\sqrt q$
respectively.
(iii) If t = 0 and $q \not\equiv 3 \pmod 4$, then $E(\mathbb{F}_q)$ is cyclic. If t = 0 and $q \equiv
3 \pmod 4$, then either $E(\mathbb{F}_q)$ is cyclic, or $E(\mathbb{F}_q) \cong \mathbb{Z}_{(q+1)/2} \oplus
\mathbb{Z}_2$. $\square$

If l is a prime, then let $v_l(n)$ be the largest integer with $l^{v_l(n)} \mid n$. We
can deduce immediately from Theorem 2.12 that if $\#E(\mathbb{F}_q) = N$, then
the group $E(\mathbb{F}_q)$ has the structure

$$\mathbb{Z}/p^{v_p(N)} \oplus \bigoplus_{l \ne p} \left(\mathbb{Z}/l^{a_l} \oplus \mathbb{Z}/l^{b_l}\right) \qquad (2.14)$$

with $a_l \ge b_l$, $a_l + b_l = v_l(N)$, and $b_l \le v_l(q - 1)$. For example, if
gcd(N, q - 1) = 1 then $E(\mathbb{F}_q)$ is cyclic. Also, if $N = \#E(\mathbb{F}_q)$ factors as
a product of distinct primes, then $E(\mathbb{F}_q)$ is cyclic.
The next lemma determines all possible groups $E(\mathbb{F}_q)$ that occur as
E varies over all non-supersingular curves defined over $\mathbb{F}_q$.

Lemma 2.14 ([132, 150]) Let N = q + 1 - t, where $t \not\equiv 0 \pmod p$ and
$t^2 \le 4q$. If $a_l, b_l$ are integers which satisfy $a_l \ge b_l$, $a_l + b_l = v_l(N)$ and
$b_l \le v_l(q - 1)$ for each prime $l \ne p$, then there exists a non-supersingular
curve E defined over $\mathbb{F}_q$ such that $E(\mathbb{F}_q)$ has group structure (2.14). $\square$

The curve E can also be viewed as an elliptic curve over any ex-
tension field $L = \mathbb{F}_{q^k}$ of $\mathbb{F}_q$; $E(\mathbb{F}_q)$ is a subgroup of E(L). The Weil
Theorem (which was proved by Hasse in 1934) enables one to compute
$\#E(\mathbb{F}_{q^k})$, for $k \ge 2$, from $\#E(\mathbb{F}_q)$ as follows.

Theorem 2.15 Let E be an elliptic curve defined over $\mathbb{F}_q$, and let $t =
q + 1 - \#E(\mathbb{F}_q)$. Then $\#E(\mathbb{F}_{q^k}) = q^k + 1 - \alpha^k - \beta^k$, where $\alpha, \beta$ are
complex numbers determined from the factorization of $1 - tT + qT^2 =
(1 - \alpha T)(1 - \beta T)$. $\square$

We now state a few results on the group structure of $E = E(\bar{\mathbb{F}}_q)$. E
is a torsion group, i.e., for each point $P \in E$ there is a positive integer
k such that kP = O. The smallest such integer is called the order
of P. An n-torsion point is a point $P \in E(\bar{\mathbb{F}}_q)$ satisfying nP = O.
Let $E(\bar{\mathbb{F}}_q)[n]$ denote the subgroup of n-torsion points in $E(\bar{\mathbb{F}}_q)$, where
$n \ne 0$. We will write E[n] for $E(\bar{\mathbb{F}}_q)[n]$. If n and q are relatively prime,
then $E[n] \cong \mathbb{Z}_n \oplus \mathbb{Z}_n$. If $n = p^e$, then either $E[p^e] \cong \{O\}$ if E is
supersingular, or else $E[p^e] \cong \mathbb{Z}_{p^e}$ if E is non-supersingular.

Example 2.16 Consider the elliptic curve $E/\mathbb{F}_q : y^2 = x^3 + ax + b$,
where char($\mathbb{F}_q$) $\ne$ 2, 3. A point $P = (x, y) \in E$ has order 2 if P = -P =
(x, -y), i.e., if y = 0. Let $x_1, x_2, x_3$ be the roots of the cubic polynomial
$x^3 + ax + b$ (note that $x_1, x_2, x_3$ are distinct since $\Delta \ne 0$). Thus

Example 2.17 Let q be an odd prime power satisfying $q \equiv 2 \pmod 3$.
Let $b \in \mathbb{F}_q$, $b \ne 0$, and consider the elliptic curve $E_1/\mathbb{F}_q : y^2 = x^3 + b$.
Since $q \equiv 2 \pmod 3$, the map $x \mapsto x^3 + b$ is a permutation on $\mathbb{F}_q$.
Thus each of the (q - 1)/2 elements $x \in \mathbb{F}_q$ for which $x^3 + b$ is a (non-
zero) quadratic residue in $\mathbb{F}_q$ is the x-coordinate of 2 points in $E_1(\mathbb{F}_q)$,
namely $(x, \pm\sqrt{x^3 + b})$. The other points in $E_1(\mathbb{F}_q)$ are $(\sqrt[3]{-b}, 0)$ and O;
hence $\#E_1(\mathbb{F}_q) = q + 1$ and so $E_1$ is supersingular.
By Lemma 2.13(iii), the only two possibilities for the group type of
$E_1(\mathbb{F}_q)$ are ((q + 1)/2, 2) and (q + 1). Now, the only 2-torsion points in
$E_1(\mathbb{F}_q)$ are O and $(\sqrt[3]{-b}, 0)$, and so $E_1(\mathbb{F}_q)[2] \cong \mathbb{Z}_2$. Hence $E_1(\mathbb{F}_q)$ is a
cyclic group of order q + 1. $\square$

Example 2.18 Let q be an odd prime power satisfying $q \equiv 3 \pmod 4$.
Let $a \in \mathbb{F}_q$, $a \ne 0$, and consider the elliptic curve $E_2/\mathbb{F}_q : y^2 = x^3 + ax$.
Since $q \equiv 3 \pmod 4$, -1 is a quadratic non-residue in $\mathbb{F}_q$. Observe
that $(-x)^3 + a(-x) = -(x^3 + ax)$. Therefore for each $x \in \mathbb{F}_q$ for which
$x^3 + ax \ne 0$, exactly one of x, -x is the x-coordinate of 2 points in
$E_2(\mathbb{F}_q)$. If $x \in \mathbb{F}_q$, $x \ne 0$, satisfies $x^3 + ax = 0$, then (x, 0), (-x, 0) are
2 points in $E_2(\mathbb{F}_q)$. Together with (0, 0) and O, the total number of
points in $E_2(\mathbb{F}_q)$ is q + 1, and so $E_2$ is supersingular.
There are 3 points of order 2 in $E_2$, namely $P_1 = (0, 0)$, $P_2 =
(\sqrt{-a}, 0)$ and $P_3 = (-\sqrt{-a}, 0)$. Now, $P_2$ and $P_3$ are in $E_2(\mathbb{F}_q)$ if and only
if $\sqrt{-a} \in \mathbb{F}_q$, i.e., a is a quadratic non-residue in $\mathbb{F}_q$. Hence $E_2(\mathbb{F}_q)$ is
cyclic if a is a quadratic residue in $\mathbb{F}_q$, while $E_2(\mathbb{F}_q)$ has type ((q + 1)/2, 2)
if a is a quadratic non-residue in $\mathbb{F}_q$. $\square$

We introduce the division polynomials associated with an elliptic
curve (see [77], [136] or [26]). Let $E/\mathbb{F}_q$ be the curve $y^2 = x^3 + ax +
b$, where char($\mathbb{F}_q$) $\ne$ 2, 3 (we will consider the case char($\mathbb{F}_q$) = 2 in
Chapter 7). Define the polynomials $\psi_n(x, y) \in \mathbb{F}_q[x, y]$ for $n \ge 0$ as
follows:

$$\begin{aligned}
\psi_0(x, y) &= 0 \\
\psi_1(x, y) &= 1 \\
\psi_2(x, y) &= 2y \\
\psi_3(x, y) &= 3x^4 + 6ax^2 + 12bx - a^2 \\
\psi_4(x, y) &= 4y(x^6 + 5ax^4 + 20bx^3 - 5a^2x^2 - 4abx - 8b^2 - a^3) \\
\psi_{2n+1}(x, y) &= \psi_{n+2}\psi_n^3 - \psi_{n-1}\psi_{n+1}^3, \quad n \ge 2 \\
\psi_{2n}(x, y) &= \psi_n(\psi_{n+2}\psi_{n-1}^2 - \psi_{n-2}\psi_{n+1}^2)/2y, \quad n \ge 3.
\end{aligned}$$

It can easily be checked by induction on n that each $\psi_n$ is in fact a
polynomial in $\mathbb{F}_q[x, y]$. Let $\psi_n'$ be the polynomial obtained by repeatedly
replacing occurrences of $y^2$ in $\psi_n$ by $x^3 + ax + b$. If we define

$$f_n = \begin{cases} \psi_n'(x, y), & \text{if } n \text{ is odd}, \\ \psi_n'(x, y)/y, & \text{if } n \text{ is even}, \end{cases}$$

then in fact $f_n \in \mathbb{F}_q[x]$. The following results illustrate the utility of
division polynomials when doing computations with n-torsion points of
E.

Theorem 2.19 Let $P = (x, y) \in E \setminus \{O\}$.

(i) $P \in E[n]$ if and only if $\psi_n(x, y) = 0$. (i.e., on E the polynomial
$\psi_n$ has roots precisely on the non-zero n-torsion points.)

(ii) If $P \notin E[2]$, then $P \in E[n]$ if and only if $f_n(x) = 0$. (i.e., the
roots of $f_n$ are precisely the x-coordinates of the n-torsion points
not in E[2].)

(iii) If $P \notin E[n]$, then

where $\psi_k$ is shorthand for $\psi_k(x, y)$. $\square$
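Division polynomials for the curve of Example 2.7, added here as an example (not the book's code): the recursion is run on polynomials in x over $\mathbb{Z}_p$ using the fact that $\psi_n = f_n(x)$ for odd n and $\psi_n = y\,f_n(x)$ for even n, so only $f_n$ is stored and $y^2$ is replaced by $x^3 + ax + b$ wherever it arises. Theorem 2.19(ii) is then checked against $E(\mathbb{Z}_{11})$: its 13 points other than O all have order 13 (13 is prime), so $f_{13}$ must vanish at exactly their six x-coordinates, while $f_3$ has no root in $\mathbb{Z}_{11}$; Python 3.8+ is assumed for `pow(2, -1, p)`.

```python
# Polynomials over Z_p as coefficient lists, index = degree (f[i] is the coefficient of x^i).

def trim(f):
    while len(f) > 1 and f[-1] == 0:
        f.pop()
    return f


def padd(f, g, p):
    n = max(len(f), len(g))
    return trim([((f[i] if i < len(f) else 0) + (g[i] if i < len(g) else 0)) % p
                 for i in range(n)])


def psub(f, g, p):
    return padd(f, [(-c) % p for c in g], p)


def pmul(f, g, p):
    h = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        if fi:
            for j, gj in enumerate(g):
                h[i + j] = (h[i + j] + fi * gj) % p
    return trim(h)


def pscale(f, c, p):
    return trim([c * v % p for v in f])


def ppow(f, e, p):
    r = [1]
    for _ in range(e):
        r = pmul(r, f, p)
    return r


def peval(f, x, p):
    r = 0
    for c in reversed(f):                # Horner's rule
        r = (r * x + c) % p
    return r


def degree(f):
    return len(trim(list(f))) - 1


def division_polynomials(p, a, b, nmax):
    """Return [f_0, ..., f_nmax] for y^2 = x^3 + ax + b over Z_p (p > 3).
    psi_n = f_n for odd n and psi_n = y * f_n for even n; a factor y^4 arising from
    the odd power of an even-indexed psi is replaced by (x^3 + ax + b)^2."""
    cube = [b % p, a % p, 0, 1]          # x^3 + a x + b, i.e. y^2 on the curve
    cube2 = pmul(cube, cube, p)
    f = [None] * (nmax + 1)
    f[0] = [0]
    f[1] = [1]
    f[2] = [2 % p]                       # psi_2 = 2y
    f[3] = trim([(-a * a) % p, 12 * b % p, 6 * a % p, 0, 3 % p])
    f[4] = pscale([(-8 * b * b - a**3) % p, (-4 * a * b) % p, (-5 * a * a) % p,
                   20 * b % p, 5 * a % p, 0, 1], 4, p)      # psi_4 = 4y(...)
    half = pow(2, -1, p)
    for n in range(5, nmax + 1):
        m = n // 2
        if n % 2:                        # psi_{2m+1} = psi_{m+2} psi_m^3 - psi_{m-1} psi_{m+1}^3
            t1 = pmul(f[m + 2], ppow(f[m], 3, p), p)
            t2 = pmul(f[m - 1], ppow(f[m + 1], 3, p), p)
            if m % 2 == 0:               # psi_{m+2}, psi_m carry y: y^4 -> cube^2
                t1 = pmul(cube2, t1, p)
            else:                        # psi_{m-1}, psi_{m+1} carry y
                t2 = pmul(cube2, t2, p)
            f[n] = psub(t1, t2, p)
        else:                            # psi_{2m} = psi_m (psi_{m+2} psi_{m-1}^2 - psi_{m-2} psi_{m+1}^2) / 2y
            t1 = pmul(f[m + 2], ppow(f[m - 1], 2, p), p)
            t2 = pmul(f[m - 2], ppow(f[m + 1], 2, p), p)
            f[n] = pscale(pmul(f[m], psub(t1, t2, p), p), half, p)   # the y's cancel exactly
    return f


def roots_in_Fp(f, p):
    return sorted(x for x in range(p) if peval(f, x, p) == 0)


if __name__ == "__main__":
    p, a, b = 11, 1, 6                   # Example 2.7: #E(Z_11) = 13, a prime
    f = division_polynomials(p, a, b, 13)
    print("deg f_13 =", degree(f[13]))                         # (13^2 - 1)/2 = 84
    print("roots of f_13 in Z_11:", roots_in_Fp(f[13], p))     # x-coordinates of all 12 affine points
    print("roots of f_3 in Z_11:", roots_in_Fp(f[3], p))       # none: no rational point of order 3
```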

2.7 Divisor Theory

Divisors are useful devices for keeping track of the zeros and poles of a rational function. We shall use divisor theory extensively in Chapter 5 when we study a reduction of the discrete logarithm problem in an elliptic curve to the discrete logarithm problem in some finite field. Elementary proofs of all results stated in this section may be found in [26].

Let $K = F_q$, and let $E/F_q$ be an elliptic curve. A divisor $D$ is a formal sum of $\bar{F}_q$-points

$$D = \sum_{P \in E} n_P (P),$$

where $n_P \in \mathbb{Z}$, and $n_P = 0$ for all but finitely many $P \in E$. The support of a divisor $D$, denoted $\mathrm{supp}(D)$, is the set of points $\{P \in E \mid n_P \neq 0\}$.

The set of all divisors, denoted by $\mathcal{D}$, forms a group, where the addition is given by

$$\sum_{P \in E} n_P (P) + \sum_{P \in E} m_P (P) = \sum_{P \in E} (n_P + m_P)(P).$$

$\mathcal{D}$ is the free abelian group generated by the points of $E$.

The degree of a divisor $D = \sum n_P (P)$ is the integer $\deg(D) = \sum n_P$. Let $\mathcal{D}^0$ be the set of all divisors of degree 0. Then $\mathcal{D}^0$ is a subgroup of $\mathcal{D}$.

If $E$ is defined by the (affine) Weierstrass equation

where $r \in K[x,y]$, then the coordinate ring of $E$ over $K$, denoted $K[E]$, is the integral domain

$$K[E] = K[x,y]/(r),$$

where $(r)$ denotes the ideal in $K[x,y]$ generated by $r$. Similarly, we define

$$\bar{K}[E] = \bar{K}[x,y]/(r).$$

Observe that for each $f \in K[E]$ we can repeatedly replace any occurrence of $y^2$ by $y^2 - r(x,y)$ to finally obtain a representation

$$f(x,y) = v(x) + y\,w(x), \quad \text{where } v(x), w(x) \in K[x].$$

The function field $K(E)$ of $E$ over $K$ is the field of fractions of $K[E]$. (Recall that if $I$ is an integral domain then its field of fractions $F$ is the set of equivalence classes of quotients $a/b$, $a, b \in I$, $b \neq 0$, where we identify $a_1/b_1, a_2/b_2 \in F$ if $a_1 b_2 = a_2 b_1$. Addition and multiplication in $F$ are defined in the natural way.) Similarly, $\bar{K}(E)$, the function field of $E$ over $\bar{K}$, is the field of fractions of $\bar{K}[E]$. The elements of $K(E)$ are called rational functions. Note that $K$ is a subfield of $K(E)$.

Let $f \in K(E)^*$ be a non-zero rational function and $P \in E \setminus \{O\}$. Then $f$ is said to be defined at $P$ if there exists a representation $f = g/h$, $g, h \in K[E]$, with $h(P) \neq 0$. If $f$ is defined at $P$, we put $f(P) = g(P)/h(P)$. It is easy to see that this is well-defined, i.e., the value $f(P)$ does not depend on the choice of $g$ and $h$. If $f(P) = 0$, then $f$ is said to have a zero at $P$. If $f$ is not defined at $P$ then $f$ is said to have a pole at $P$, in which case we write $f(P) = \infty$.
Example 2.20 Consider the elliptic curve $E : y^2 = x^3 - x$ over a finite field $K = F_q$, with $\mathrm{char}(K) \neq 2, 3$. Let $P = (1,0) \in E$, and let $f = (x^2 - x)/y \in K(E)$.

Note that if $f$ is considered as a quotient of polynomials, i.e., $f \in K(x,y)$, then $f$ is undefined at $P$. However, as an element of $K(E)$,

$$f = \frac{x^2 - x}{y} = \frac{(x^2 - x)y}{y^2} = \frac{(x^2 - x)y}{x^3 - x} = \frac{y}{x + 1},$$

whence $f(P) = 0$. □

In defining the value of $f$ at the point $O$ we follow the approach taken in [26]. For $f \in K[E]$ we can write $f(x,y) = v(x) + y\,w(x)$, where $v(x), w(x) \in K[x]$. Assign a weight of 2 to $x$ and a weight of 3 to $y$. We define the Degree of $f$ by

$$\mathrm{Deg}(f) = \max(2\deg_x(v),\ 3 + 2\deg_x(w)).$$

Now, let $f = g/h$, where $g, h \in K[x,y]/(r)$. If $\mathrm{Deg}(g) < \mathrm{Deg}(h)$, then $f(O) = 0$. If $\mathrm{Deg}(g) > \mathrm{Deg}(h)$, then $f(O) = \infty$. If $\mathrm{Deg}(g) = \mathrm{Deg}(h)$, then if the highest Degree terms in $g$ and $h$ are $ax^d$ and $bx^d$ respectively then $f(O) = a/b$. Otherwise the highest Degree terms are $cyx^d$ and $dyx^d$, in which case $f(O) = c/d$.

Example 2.21 Consider the elliptic curve $E : y^2 = x^3 + ax + b$. Let $f = y$, $g = x/y$, $h = (x^2 - xy)/(1 + xy) \in K(E)$. Then $f(O) = \infty$, $g(O) = 0$, and $h(O) = -1$. □

For each point $P \in E$ there exists a rational function $u \in K(E)$, $u(P) = 0$, such that if $f \in K(E)^*$ then we can write $f = u^d s$, where $s \in K(E)$, $s(P) \neq 0, \infty$. The integer $d$ does not depend on the choice of $u$. The function $u$ is called a uniformizing parameter for $P$. The next result [44, page 70] aids in finding uniformizing parameters.

Theorem 2.22 Let $P \in E$. If $l : ax + by + c = 0$ is any line through $P$ that is not the tangent line to $E$ at $P$, then $l$ is a uniformizing parameter for $P$.

Example 2.23 Consider the elliptic curve $E : y^2 = x^3 + ax + b$ over a finite field $K = F_q$, $\mathrm{char}(K) \neq 2, 3$.

• Let $P = (c, d) \notin E[2]$. The tangent line to $E$ at $P$ is
$$(-3c^2 - a)(x - c) + 2d(y - d) = 0.$$
Since $d \neq 0$, a uniformizing parameter for $P$ is $u = x - c$.

• Let $P = (c, 0) \in E$ be a point of order 2. The tangent line to $E$ at $P$ is
$$(-3c^2 - a)(x - c) = 0.$$
Therefore $u = y$ is a uniformizing parameter for $P$.

• To find a uniformizing parameter for $O$ we need to work with a different set of coordinates. Recall that the homogeneous equation for $E$ is $Y^2 Z = X^3 + aXZ^2 + bZ^3$. Choosing the affine coordinates $v = X/Y$, $w = Z/Y$, the equation for $E$ is transformed to $f(v,w) = v^3 + avw^2 + bw^3 - w = 0$. Note that $O = (0,0)$ in $(v,w)$-coordinates. Now, $\frac{\partial f}{\partial v}(O) = 0$ and $\frac{\partial f}{\partial w}(O) = -1$, so the equation of the tangent line to $E$ at $O$ is $w = 0$. The line $v = 0$ passes through $O$ and is not the tangent line at $O$. Reverting back to the original $(x,y)$ coordinates, $u = x/y$ is a uniformizing parameter for $O$. □

Let $f \in K(E)$, $P \in E$. Write $f = u^d s$, where $u$ is any uniformizing parameter for $P$, $s \in K(E)$, and $s(P) \neq 0, \infty$. The order of $f$ at $P$ is defined to be $d$, and we write $\mathrm{ord}_P(f) = d$. The point $P$ is a zero of $f$ if and only if $\mathrm{ord}_P(f) > 0$, in which case its multiplicity is defined to be $\mathrm{ord}_P(f)$. Similarly, the point $P$ is a pole of $f$ if and only if $\mathrm{ord}_P(f) < 0$, in which case its multiplicity is defined to be $-\mathrm{ord}_P(f)$. Since a function $f$ has only a finite number of zeros and poles on $E$, we can define $\mathrm{div}(f)$, the divisor of $f$, as

$$\mathrm{div}(f) = \sum_{P \in E} \mathrm{ord}_P(f)\,(P).$$

A fundamental fact about rational functions is that if $f \in K(E)^*$, then $\mathrm{div}(f) \in \mathcal{D}^0$. Moreover, $\mathrm{div}(f) = 0$ if and only if $f \in K^*$.

Example 2.24 Consider the elliptic curve $E : y^2 = x^3 + ax + b$ over a finite field $K = F_q$, $\mathrm{char}(K) \neq 2, 3$.

• Let $P = (c, d) \notin E[2]$. Then
$$\mathrm{div}(x - c) = (P) + (-P) - 2(O).$$

• Let $P_1, P_2, P_3 \in E$ be the points of order 2. Then
$$\mathrm{div}(y) = (P_1) + (P_2) + (P_3) - 3(O).$$

• Assume that $b \neq 0$, and let $P_4 = (0, \sqrt{b})$, $P_5 = (0, -\sqrt{b})$. Then
$$\mathrm{div}\left(\frac{x}{y}\right) = (P_4) + (P_5) + (O) - (P_1) - (P_2) - (P_3). \quad □$$

A divisor $D \in \mathcal{D}^0$ is principal if $D = \mathrm{div}(f)$ for some $f \in K(E)^*$. The following is a useful characterization of principal divisors. We shall see, in Section 5.1.2, how to efficiently compute the function of a principal divisor.

Theorem 2.25 Let $D = \sum n_P (P)$ be a divisor. Then $D$ is principal if and only if $\sum n_P = 0$ and $\sum n_P P = O$. □

Let $\mathcal{D}_l$ denote the set of all principal divisors. If $f_1, f_2 \in K(E)$, then $\mathrm{div}(f_1 f_2) = \mathrm{div}(f_1) + \mathrm{div}(f_2)$; it follows that $\mathcal{D}_l$ forms a subgroup of $\mathcal{D}^0$. The quotient group $\mathcal{D}^0/\mathcal{D}_l$ is called the (zero part of the) divisor class group or the Picard group of $E$.

Two divisors $D_1, D_2 \in \mathcal{D}^0$ are said to be equivalent, denoted $D_1 \sim D_2$, if $D_1 - D_2 \in \mathcal{D}_l$, i.e., if $D_1 = D_2 + \mathrm{div}(f)$ for some $f \in K(E)$. For each $D \in \mathcal{D}^0$, there exists a unique point $Q \in E$ such that $D \sim (Q) - (O)$. In fact, if $D = \sum n_P (P)$, then $Q = \sum n_P P$. Let $\sigma : \mathcal{D}^0 \to E$ be the map given by this association. Then $\sigma$ induces an isomorphism between the groups $\mathcal{D}^0/\mathcal{D}_l$ and $E$.

2.8 Elliptic Curves over $\mathbb{Z}_n$

We define the notion of an elliptic curve over the ring $\mathbb{Z}_n$. Elliptic curves over $\mathbb{Z}_n$ are used in Lenstra's integer factoring algorithm [80] and the Goldwasser-Kilian primality proving algorithm [48]. In Section 6.7 we will mention a cryptosystem which uses elliptic curves over $\mathbb{Z}_n$.

Let $n$ be a positive integer with $\gcd(n, 6) = 1$. An elliptic curve over $\mathbb{Z}_n$ is given by an equation

(2.15)

where $a, b \in \mathbb{Z}$ and $\gcd(4a^3 + 27b^2, n) = 1$. The points on $E_{a,b}$, denoted $E_{a,b}(\mathbb{Z}_n)$, are the set of solutions in $\mathbb{Z}_n \times \mathbb{Z}_n$ to the equation (2.15), together with a point at infinity, denoted $O_n$.
Let $p$ be any prime divisor of $n$, and let $\bar{a}$ denote the congruence class containing $a$ modulo $p$. Observe that $E_{\bar a, \bar b}$ is the equation of an elliptic curve defined over $F_p$. Let $P \in E(\mathbb{Z}_n)$. If we define

$$P_p = \begin{cases} (\bar x, \bar y), & \text{if } P = (x,y), \\ O_p, & \text{if } P = O_n, \end{cases}$$

$O_p$ being the point at infinity in $E_{\bar a, \bar b}(F_p)$, then $P_p \in E_{\bar a, \bar b}(F_p)$.

We define a "pseudo-addition" on the points of $E_{a,b}(\mathbb{Z}_n)$ by using the same addition rules as in Section 2.4. Unlike the case with elliptic curves over a finite field, $E_{a,b}(\mathbb{Z}_n)$ is not a group under this addition. This is evident since the addition is not always defined: if $\gcd(x_2 - x_1, n) > 1$ (for the case $P \neq Q$), or if $\gcd(2y_1, n) > 1$ (for the case $P = Q$), then the formula for $\lambda$ involves division by a non-invertible element in $\mathbb{Z}_n$.

The following properties about the pseudo-addition can be easily verified.

(i) If $P, Q \in E_{a,b}(\mathbb{Z}_n)$ and $P + Q$ is undefined then application of the addition law must yield a non-trivial divisor of $n$.

(ii) If $P, Q \in E_{a,b}(\mathbb{Z}_n)$ and $P + Q$ is well-defined by the pseudo-addition, then $(P + Q)_p = P_p + Q_p$ for all prime divisors $p$ of $n$.

(iii) If $P \in E_{a,b}(\mathbb{Z}_n)$, $k \in \mathbb{Z}$, and $kP$ is well-defined by repeated application of the pseudo-addition, then $(kP)_p = kP_p$ for all prime divisors $p$ of $n$.

Assume now that $n$ is a product of 2 primes $p$ and $q$. Let
$$\tilde{E}_{a,b}(\mathbb{Z}_n) = E_{a,b}(F_p) \times E_{a,b}(F_q).$$
Note that $\tilde{E}_{a,b}(\mathbb{Z}_n)$ is a group, being the direct product of two groups. Each point $P \in E_{a,b}(\mathbb{Z}_n)$ corresponds to a unique element of $\tilde{E}_{a,b}(\mathbb{Z}_n)$, namely $(P_p, P_q)$. This accounts for all the elements in $\tilde{E}_{a,b}(\mathbb{Z}_n)$ except those elements $(P, Q)$ where either $P = O_p$ or $Q = O_q$, but not both. By property (ii) above, the addition operation on $E_{a,b}(\mathbb{Z}_n)$, whenever it is defined, coincides with the group operation on $\tilde{E}_{a,b}(\mathbb{Z}_n)$. We can thus compute in the group $\tilde{E}_{a,b}(\mathbb{Z}_n)$ without knowing the prime factors $p$ and $q$. An application of the group operation is either successful, or it is unsuccessful and yields a non-trivial factor of $n$. If $p$ and $q$ are large, say 100 decimal digits each, then factoring $n$ is believed to be an intractable problem, and thus it is extremely unlikely that one would encounter an application of the group operation that is unsuccessful.
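Both the $n$-torsion test of Theorem 2.19(i) and the pseudo-addition on $E_{a,b}(\mathbb{Z}_n)$ of this section, as one added example that is not part of the book: a single affine addition routine over $\mathbb{Z}_n$ serves both, because for $n$ prime it is ordinary addition on $E(F_p)$, while for composite $n$ a non-invertible denominator is reported as the factor it exposes. The curve $y^2 = x^3 + x + 1$, the moduli 7, 11 and 77, the point $(0,1)$ and all function names are constructed for the example.

```python
# Added example, not from the book.  Affine chord-and-tangent arithmetic on
# y^2 = x^3 + a x + b over Z_n, where n need not be prime.  For n prime this
# is ordinary addition on E(F_p); for composite n it is the pseudo-addition of
# Section 2.8, which either succeeds or hands back a non-trivial divisor of n.
# The same routine lets us check Theorem 2.19(i) numerically: psi_n(P) = 0
# exactly when nP = O.  Curve, moduli and points below are constructed.
from math import gcd

INF = None  # the point at infinity O (O_n over Z_n)


class FactorFound(Exception):
    """A denominator was not invertible mod n: property (i) of Section 2.8."""
    def __init__(self, d):
        super().__init__(f"non-trivial factor {d}")
        self.factor = d


def inv_mod(z, n):
    """Inverse of z in Z_n, or raise FactorFound(gcd(z, n)) if there is none."""
    d = gcd(z % n, n)
    if d != 1:
        raise FactorFound(d)
    return pow(z, -1, n)


def ec_add(P, Q, a, n):
    """P + Q with the addition rules of Section 2.4, read modulo n."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if (x1 - x2) % n == 0:
        if (y1 + y2) % n == 0:                              # Q = -P
            return INF
        lam = (3 * x1 * x1 + a) * inv_mod(2 * y1, n) % n    # tangent slope
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1, n) % n           # chord slope
    x3 = (lam * lam - x1 - x2) % n
    y3 = (lam * (x1 - x3) - y1) % n
    return (x3, y3)


def ec_mul(k, P, a, n):
    """kP by double-and-add; raises FactorFound if some step is undefined."""
    R = INF
    for bit in bin(k)[2:]:
        R = ec_add(R, R, a, n)
        if bit == "1":
            R = ec_add(R, P, a, n)
    return R


def psi_values(N, x, y, a, b, p):
    """[psi_0(P), ..., psi_N(P)] for P = (x, y) on E(F_p), by the recursion of
    Section 2.6 evaluated at the point.  Needs y != 0 (psi_{2n} divides by 2y)."""
    t = [0, 1, 2 * y % p,
         (3 * x**4 + 6 * a * x**2 + 12 * b * x - a * a) % p,
         4 * y * (x**6 + 5 * a * x**4 + 20 * b * x**3 - 5 * a * a * x**2
                  - 4 * a * b * x - 8 * b * b - a**3) % p]
    inv2y = inv_mod(2 * y, p)
    for k in range(5, N + 1):
        m = k // 2
        if k % 2:   # psi_{2m+1} = psi_{m+2} psi_m^3 - psi_{m-1} psi_{m+1}^3
            t.append((t[m + 2] * t[m] ** 3 - t[m - 1] * t[m + 1] ** 3) % p)
        else:       # psi_{2m} = psi_m (psi_{m+2} psi_{m-1}^2 - psi_{m-2} psi_{m+1}^2) / 2y
            t.append(t[m] * (t[m + 2] * t[m - 1] ** 2 - t[m - 2] * t[m + 1] ** 2)
                     * inv2y % p)
    return t[: N + 1]


def torsion_check(P, a, b, p, max_n=12):
    """Compare Theorem 2.19(i) with brute force for n = 1..max_n.
    Returns (all_agree, [n for which nP = O])."""
    psi = psi_values(max_n, P[0], P[1], a, b, p)
    orders, agree = [], True
    for n in range(1, max_n + 1):
        killed = ec_mul(n, P, a, p) is INF
        agree &= (psi[n] == 0) == killed
        if killed:
            orders.append(n)
    return agree, orders


def mul_or_factor(k, P, a, n):
    """kP on E_{a,b}(Z_n): ("point", kP) on success, ("factor", d) otherwise."""
    try:
        return ("point", ec_mul(k, P, a, n))
    except FactorFound as e:
        return ("factor", e.factor)


if __name__ == "__main__":
    # Constructed sample: y^2 = x^3 + x + 1, P = (0, 1).  Over F_7 the curve has
    # 5 points, so P has order 5; over Z_77 = Z_7 x Z_11 computing 5P must fail
    # at the last step and expose the factor 7.
    print(torsion_check((0, 1), 1, 1, 7))      # (True, [5, 10])
    print(mul_or_factor(2, (0, 1), 1, 77))     # ('point', (58, 47))
    print(mul_or_factor(5, (0, 1), 1, 77))     # ('factor', 7)
```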
2.9 Notes

Some other books devoted to the study of elliptic curves are [22], [58], [66], [77]. For an introduction to the general theory of algebraic curves, we refer the reader to Fulton's book [44], or the recent book by Moreno [109].
Chapter 3

Isomorphism Classes of Elliptic Curves over Finite Fields

In this chapter, we count the isomorphism classes of elliptic curves over finite fields $K$. For the case $K = F_{2^m}$, we list a representative, in Weierstrass form, of each isomorphism class. We determine $\#E(F_{2^m})$ for each supersingular curve $E$ defined over $F_{2^m}$.

3.1 Introduction

Let $\left(\frac{a}{b}\right)$ denote the usual Jacobi symbol. We also define

$$\left(\frac{a}{2}\right) = \begin{cases} 1, & \text{if } a \equiv \pm 1 \pmod 8, \\ 0, & \text{if } a \equiv 0 \pmod 2, \\ -1, & \text{if } a \equiv \pm 3 \pmod 8. \end{cases}$$

Waterhouse [152] (see also [137]) counted the number of isomorphism classes of elliptic curves defined over the finite field $F_q$ by first determining which rings can occur as the endomorphism ring of some elliptic curve, and then counting the number of isomorphism classes of elliptic curves with a given endomorphism ring. He also proceeded to determine $N_q(t)$, the number of isomorphism classes of elliptic curves over $F_q$ such that $\#E(F_q) = q + 1 - t$. The results obtained are the following.

Theorem 3.1 ([152]) Let $F_q$ be a finite field. The number of isomorphism classes of elliptic curves defined over $F_q$ equals

$$N_q = 2q + 3 + \left(\frac{-4}{q}\right) + 2\left(\frac{-3}{q}\right). \quad □$$

Theorem 3.2 ([152]) Let $p$ be a prime and $q = p^m$. Let $t$ be an integer with $|t| \leq 2\sqrt{q}$. Then

$$N_q(t) = \begin{cases}
H(t^2 - 4q), & \text{if } t^2 < 4q \text{ and } p \nmid t, \\
H(-4p), & \text{if } t = 0 \text{ and } m \text{ odd}, \\
1, & \text{if } t^2 = 2q,\ p = 2,\ m \text{ odd}, \\
1, & \text{if } t^2 = 3q,\ p = 3,\ m \text{ odd}, \\
\frac{1}{12}\left(p + 6 - 4\left(\frac{-3}{p}\right) - 3\left(\frac{-4}{p}\right)\right), & \text{if } t^2 = 4q \text{ and } m \text{ even}, \\
1 - \left(\frac{-3}{p}\right), & \text{if } t^2 = q \text{ and } m \text{ even}, \\
1 - \left(\frac{-4}{p}\right), & \text{if } t = 0 \text{ and } m \text{ even}, \\
0, & \text{otherwise.}
\end{cases} \quad □$$

Here, $H(\Delta)$ denotes the Kronecker class number of $\Delta$, and is the number of $SL_2(\mathbb{Z})$-orbits of positive definite binary quadratic forms of discriminant $\Delta$, where $\Delta$ is a negative integer congruent to 0 or 1 modulo 4. One method of computing $H(\Delta)$ follows from the fact that $H(\Delta) = \#B(\Delta)$, where

$$B(\Delta) = \{(a, b, c) \in \mathbb{Z}^3 : a > 0,\ b^2 - 4ac = \Delta,\ |b| \leq a \leq c,\ \text{and } b \geq 0 \text{ whenever } a = |b| \text{ or } a = c\}.$$

(Observe that if $(a, b, c) \in B(\Delta)$, then $a \leq \sqrt{|\Delta|/3}$, so $B(\Delta)$ is a finite set.) For more details of binary quadratic forms and their relationship to endomorphism rings of elliptic curves, consult [137].
We will provide an elementary proof of Theorem 3.1. We are able to simplify the proofs by using Theorem 2.2 as our working definition of isomorphism. The only background needed to understand the proofs will be some elementary results on finite fields. For convenience, we summarize them here.

Let $\mathrm{Tr}$, the trace function, denote the linear function $\mathrm{Tr} : F_{2^m} \to F_2$ defined by

$$\mathrm{Tr} : \alpha \mapsto \alpha + \alpha^2 + \alpha^{2^2} + \cdots + \alpha^{2^{m-1}}.$$

If $m$ is even, then let $\mathrm{Te}$ denote the function $\mathrm{Te} : F_{2^m} \to F_4$ defined by

The elements of $F_4$ are denoted by $0, 1, c_1$ and $c_2$. We thus have the identities $c_1^2 + c_1 + 1 = 0$, $c_2^2 + c_2 + 1 = 0$, $c_1 c_2 = 1$ and $c_1 + c_2 = 1$. Note that $\mathrm{Te}(c_1 \alpha) = c_1 \mathrm{Te}(\alpha)$, and $\mathrm{Te}(c_2 \alpha) = c_2 \mathrm{Te}(\alpha)$.

The quadratic equation

$$x^2 + ax + b = 0, \quad a, b \in F_{2^m},\ a \neq 0,$$

has a solution in $F_{2^m}$ if and only if $\mathrm{Tr}(a^{-2} b) = 0$. If $x_1$ is one solution, then the other solution is $x_1 + a$.

Using the general results in [98] concerning the number of roots of an affine polynomial over a finite field, we obtain the following results on the number of solutions in $F_{2^m}$ of the quartic equation

$$x^4 + ax + b = 0, \quad a, b \in F_{2^m},\ a \neq 0. \quad (3.1)$$

(i) If $m$ is odd, then (3.1) has either no solution or exactly two solutions.

(ii) If $m$ is even and $a$ is not a cube, then (3.1) has exactly one solution.

(iii) If $m$ is even and $a$ is a cube, then (3.1) has four solutions if $\mathrm{Te}(b/a^{4/3}) = 0$, and no solutions if $\mathrm{Te}(b/a^{4/3}) \neq 0$.
3.2 Isomorphism Classes of Curves over $F_q$, $\mathrm{char}(F_q) \neq 2, 3$

Let $E_1/F_q : y^2 = x^3 + ax + b$ and $E_2/F_q : y^2 = x^3 + \bar a x + \bar b$ be two elliptic curves isomorphic over $F_q$. By Theorem 2.6, there exists a solution $u' \in F_q^*$ to the equations $u^4 \bar a = a$ and $u^6 \bar b = b$. We proceed to count the number of such solutions $u \in F_q^*$, denoted $\mathrm{Aut}(E_1)$. ($\mathrm{Aut}(E_1)$ is the number of automorphisms of $E_1$ defined over $F_q$.) Observe first that $a = 0$ if and only if $\bar a = 0$, and $b = 0$ if and only if $\bar b = 0$. There are 3 cases to consider.

(i) If $a \neq 0$, $b \neq 0$ (so $j(E) \neq 0, 1728$), then $u^2 = \frac{\bar a b}{a \bar b}$, and hence the solutions are $u \in \{u', -u'\}$.

(ii) If $a = 0$ and $b \neq 0$ (so $j(E) = 0$), we have $u^6 = b/\bar b$. Thus if $F_q^*$ has an element $\alpha$ of order 3 then there are six solutions $u \in \{u', \alpha u', \alpha^2 u', -u', -\alpha u', -\alpha^2 u'\}$. Otherwise $u \in \{u', -u'\}$.

(iii) If $a \neq 0$ and $b = 0$ (so $j(E) = 1728$), we have $u^4 = a/\bar a$. Thus if $F_q^*$ has an element $\beta$ of order 4 then $u \in \{u', \beta u', \beta^2 u', \beta^3 u'\}$, otherwise $u \in \{u', -u'\}$.

Now, an admissible change of variables is of the form $(x, y) \mapsto (u^2 x, u^3 y)$, $u \in F_q^*$. Hence the number of curves isomorphic to a given curve $E/F_q$ is $(q-1)/\mathrm{Aut}(E)$. The number of elliptic curves defined over $F_q$ is $q^2 - q$, since the number of solutions $(a, b)$ to the equation $4a^3 + 27b^2 = 0$ is $q$. It follows that

$$\sum_E \frac{q - 1}{\mathrm{Aut}(E)} = q^2 - q$$

and so

$$\sum_E \frac{1}{\mathrm{Aut}(E)} = q,$$

where the summations are over a set of representatives of the isomorphism classes of elliptic curves defined over $F_q$.

Since $\gcd(q, 6) = 1$, we have $q \equiv 1, 5, 7$ or $11 \pmod{12}$. Now $F_q^*$ has an element of order 3 if and only if $q \equiv 1$ or $7 \pmod{12}$, and $F_q^*$ has an element of order 4 if and only if $q \equiv 1$ or $5 \pmod{12}$. Combining these facts with the results on the size of $\mathrm{Aut}(E)$, we immediately obtain the next theorem.

Theorem 3.3 The number of isomorphism classes of elliptic curves over the finite field $F_q$, $\mathrm{char}(F_q) > 3$, is $2q + 6$, $2q + 2$, $2q + 4$, $2q$, for $q \equiv 1, 5, 7, 11 \pmod{12}$ respectively. □

In Table 3.1, we tabulate the isomorphism classes of elliptic curves over the field $F_5$, together with the size and group structure of each curve. The ordered pair $(a, b)$ will denote the curve $y^2 = x^3 + ax + b$. The following is an example of two non-isomorphic elliptic curves that are isomorphic as abelian groups.

Example 3.4 Consider the elliptic curves $y^2 = x^3 + 1$ and $y^2 = x^3 + 2$ over $F_5$. Each of these curves has order 6, and hence both groups are isomorphic to $\mathbb{Z}_6$. However the curves are not isomorphic over $F_5$, as there is no $u \in F_5^*$ such that $2u^6 = 1$. □
Isomorphism Class | Number of Points | Group Type
$(0,1)$, $(0,4)$ | 6 | $\mathbb{Z}_6$
$(0,2)$, $(0,3)$ | 6 | $\mathbb{Z}_6$
$(1,0)$ | 4 | $\mathbb{Z}_2 \oplus \mathbb{Z}_2$
$(2,0)$ | 2 | $\mathbb{Z}_2$
$(3,0)$ | 10 | $\mathbb{Z}_{10}$
$(4,0)$ | 8 | $\mathbb{Z}_2 \oplus \mathbb{Z}_4$
$(1,1)$, $(1,4)$ | 9 | $\mathbb{Z}_9$
$(1,2)$, $(1,3)$ | 4 | $\mathbb{Z}_4$
$(2,1)$, $(2,4)$ | 7 | $\mathbb{Z}_7$
$(3,2)$, $(3,3)$ | 5 | $\mathbb{Z}_5$
$(4,1)$, $(4,4)$ | 8 | $\mathbb{Z}_8$
$(4,2)$, $(4,3)$ | 3 | $\mathbb{Z}_3$

Table 3.1: Isomorphism classes of elliptic curves over $F_5$
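The class-number computation of Theorem 3.2 and the count of Table 3.1, as an added example that is not from the book: it enumerates $B(\Delta)$ as defined after Theorem 3.2, specialises $N_q(t)$ to prime $q$, and checks both against a brute-force partition of all curves over $F_q$ into isomorphism classes under $(a,b) \sim (u^4 a, u^6 b)$; the function names are the example's own.

```python
# Added example, not from the book.  For a prime q > 3 it checks Theorems 3.1,
# 3.2 and 3.3 and Table 3.1 against brute force: every curve y^2 = x^3 + ax + b
# over F_q is generated, the curves are grouped into isomorphism classes via
# (a, b) ~ (u^4 a, u^6 b) for u in F_q^*, each class is point-counted, and the
# per-trace counts are compared with N_q(t).  Since m = 1, only the first two
# cases of Theorem 3.2 can occur.  Function names are this example's own.
from math import isqrt


def kronecker(a, q):
    """(a/q): for q = 2 the symbol defined in Section 3.1, else Legendre."""
    if q == 2:
        return 0 if a % 2 == 0 else (1 if a % 8 in (1, 7) else -1)
    a %= q
    if a == 0:
        return 0
    return 1 if pow(a, (q - 1) // 2, q) == 1 else -1


def reduced_forms(delta):
    """B(Delta) for Delta < 0, Delta = 0 or 1 (mod 4); H(Delta) = #B(Delta)."""
    forms = []
    for a in range(1, isqrt(-delta // 3) + 1):        # a <= sqrt(|Delta|/3)
        for b in range(-a, a + 1):                    # |b| <= a
            if (b * b - delta) % (4 * a):
                continue
            c = (b * b - delta) // (4 * a)
            if c < a:                                 # need a <= c
                continue
            if b < 0 and (a == -b or a == c):         # b >= 0 if a = |b| or a = c
                continue
            forms.append((a, b, c))
    return forms


def class_number(delta):
    return len(reduced_forms(delta))


def waterhouse_prime(q, t):
    """N_q(t) of Theorem 3.2 specialised to q = p prime (m = 1)."""
    if t * t > 4 * q:
        return 0
    if t == 0:
        return class_number(-4 * q)              # t = 0 and m odd
    if t % q:
        return class_number(t * t - 4 * q)       # t^2 < 4q and p does not divide t
    return 0


def isomorphism_classes(q):
    """{frozenset of the (a, b) in one class: #E(F_q)} over all curves."""
    sq = {}
    for y in range(q):                           # sq[v] = #{y : y^2 = v}
        sq[y * y % q] = sq.get(y * y % q, 0) + 1
    scal = [(pow(u, 4, q), pow(u, 6, q)) for u in range(1, q)]
    seen, classes = set(), {}
    for a in range(q):
        for b in range(q):
            if (4 * a**3 + 27 * b * b) % q == 0 or (a, b) in seen:
                continue
            cls = frozenset((u4 * a % q, u6 * b % q) for u4, u6 in scal)
            seen |= cls
            classes[cls] = 1 + sum(sq.get((x**3 + a * x + b) % q, 0) for x in range(q))
    return classes


def check(q):
    """Brute-force class count and orders versus the formulas of this chapter."""
    classes = isomorphism_classes(q)
    hist = {}
    for npts in classes.values():
        t = q + 1 - npts
        hist[t] = hist.get(t, 0) + 1
    bound = isqrt(4 * q)
    return {
        "classes": len(classes),
        "theorem_3_1": 2 * q + 3 + kronecker(-4, q) + 2 * kronecker(-3, q),
        "theorem_3_3": 2 * q + {1: 6, 5: 2, 7: 4, 11: 0}[q % 12],
        "theorem_3_2_ok": all(hist.get(t, 0) == waterhouse_prime(q, t)
                              for t in range(-bound, bound + 1)),
        "orders": sorted(classes.values()),
    }


if __name__ == "__main__":
    # Table 3.1: 12 classes over F_5 with orders 2,3,4,4,5,6,6,7,8,8,9,10.
    print(check(5))
```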

3.3 Isomorphism Classes of Non-Supersingular Curves over $F_{2^m}$

Let $E_1, E_2$ be non-supersingular elliptic curves defined over $F_{2^m}$ and given by the equations
$$E_1 : y^2 + xy = x^3 + a_2 x^2 + a_6 \quad (a_6 \neq 0)$$
$$E_2 : y^2 + xy = x^3 + \bar a_2 x^2 + \bar a_6 \quad (\bar a_6 \neq 0).$$
Specializing Theorem 2.2, we find that $E_1 \cong E_2$ over $F_{2^m}$ if and only if $a_6 = \bar a_6$ and if there exists $s \in F_{2^m}$ such that $a_2 = \bar a_2 + s + s^2$. The latter condition is equivalent to having $\mathrm{Tr}(a_2 + \bar a_2) = 0$, i.e., $\mathrm{Tr}(a_2) = \mathrm{Tr}(\bar a_2)$. This leads to the following result.

Theorem 3.5 There are $2(q - 1)$ isomorphism classes of non-supersingular elliptic curves over $F_{2^m}$, where $q = 2^m$. Let $\gamma$ be an element of $F_{2^m}$ such that $\mathrm{Tr}(\gamma) = 1$ (if $m$ is odd, we can take $\gamma = 1$). A set of representatives of the isomorphism classes is
$$\{y^2 + xy = x^3 + a_2 x^2 + a_6 \mid a_6 \in F_{2^m}^*,\ a_2 \in \{0, \gamma\}\}. \quad □$$

The $q/2$ curves isomorphic to $E_1$ are the curves $y^2 + xy = x^3 + ax^2 + a_6$, where $a$ ranges over the $q/2$ elements of $F_{2^m}$ which satisfy $\mathrm{Tr}(a) = \mathrm{Tr}(a_2)$. If $E_1 \cong E_2$ over $F_{2^m}$, then an isomorphism is given by $\phi : (x, y) \mapsto (x, y + sx)$, where $s^2 + s = a_2 + \bar a_2$.
3.4 Isomorphism Classes of Supersingular Curves over $F_{2^m}$, $m$ odd

If $m$ is odd, then $2^m - 1 \equiv 1 \pmod 3$. Hence $F_{2^m}$ has no elements of order 3, and so the map $f : F_{2^m} \to F_{2^m}$ defined by $f : x \mapsto x^3$ is a bijection.

Let $E'/F_{2^m}$ be the curve given by the equation

$$E' : y^2 + a_3' y = x^3 + a_4' x + a_6' \quad (a_3' \neq 0).$$

Let $r = (a_3')^{1/3}$. Then the admissible change of variables $(x, y) \to (r^2 x, r^3 y)$ transforms $E'$ to a curve given by

(3.2)

Thus we can assume that any supersingular elliptic curve over $F_{2^m}$ with $m$ odd has the form (3.2); there are $q^2$ such curves, where $q = 2^m$. If $\bar E$ is the curve given by

then specializing Theorem 2.2, we see that $E \cong \bar E$ over $F_{2^m}$ if and only if there exist $s, t \in F_{2^m}$ such that

$$s^4 + s + a_4 + \bar a_4 = 0 \quad (3.3)$$
$$t^2 + t + s^6 + a_4 s^2 + a_6 + \bar a_6 = 0. \quad (3.4)$$

An admissible change of variables is of the form $(x, y) \to (x + s^2, y + sx + t)$, where $s, t \in F_{2^m}$.

Let $E_1$ be the curve

Suppose that $E \cong E_1$ over $F_{2^m}$. Then there exist $s_1, t_1 \in F_{2^m}$ satisfying the equations

$$s^4 + s + a_4 = 0 \quad (3.5)$$
$$t^2 + t + s^6 + a_6 = 0. \quad (3.6)$$

Since $m$ is odd, (3.5) has exactly two solutions in $F_{2^m}$, namely $s_1$ and $s_1 + 1$. Since $(s_1, t_1)$ is a solution to (3.6), we have $\mathrm{Tr}(s_1^6 + a_6) = 0$. But then $\mathrm{Tr}((s_1 + 1)^6 + a_6) = 1$, so there are exactly two solutions $(s, t)$ to (3.5) and (3.6). Since there are $q^2$ admissible changes of variables, we conclude that there are $q^2/2$ curves isomorphic to $E_1$.

Let $E_2$ be the curve
$$E_2 : y^2 + y = x^3 + x.$$
Since $\mathrm{Tr}(s^4 + s) = 0$ and $\mathrm{Tr}(1) = 1$, (3.3) has no solution in $F_{2^m}$ and thus $E_1 \not\cong E_2$ over $F_{2^m}$. If $E \cong E_2$ over $F_{2^m}$, then there exist $s_1, t_1 \in F_{2^m}$ satisfying the equations

$$s^4 + s + 1 + a_4 = 0 \quad (3.7)$$
$$t^2 + t + s^6 + s^2 + a_6 = 0. \quad (3.8)$$

Now, (3.7) has two solutions $s_1$ and $s_1 + 1$. Since $\mathrm{Tr}(s_1^6 + s_1^2 + a_6) = 0$, we find that
$$\mathrm{Tr}\left((s_1 + 1)^6 + (s_1 + 1)^2 + a_6\right) = 0.$$
Thus there are 4 solutions to (3.7) and (3.8), and we deduce that there are $q^2/4$ curves isomorphic to $E_2$.

Finally, let $E_3$ be the curve
$$E_3 : y^2 + y = x^3 + x + 1.$$
It is easily checked that $E_1 \not\cong E_3$ and $E_2 \not\cong E_3$ over $F_{2^m}$ by verifying that the equations (3.3) and (3.4) have no solution in $F_{2^m}$. As in the previous paragraph, we can verify that there are $q^2/4$ curves isomorphic to $E_3$. We have thus accounted for all of the supersingular elliptic curves. We summarize the results of this section below.

Theorem 3.6 There are 3 isomorphism classes of supersingular elliptic curves over $F_{2^m}$, where $m$ is odd. A representative from each class is

(i) $y^2 + y = x^3$
(ii) $y^2 + y = x^3 + x$
(iii) $y^2 + y = x^3 + x + 1$. □

3.5 Isomorphism Classes of Supersingular Curves over $F_{2^m}$, $m$ even

In this section we will prove that there are exactly seven isomorphism classes of supersingular elliptic curves over $F_{2^m}$ ($q = 2^m$), where $m$ is even.

Let $E/F_{2^m}$ be the curve

We will consider the following three types of curves:

Type I: $a_3$ is not a cube.
Type II: $a_3$ is a cube, and $\mathrm{Te}(a_4) \neq 0$.
Type III: $a_3$ is a cube, and $\mathrm{Te}(a_4) = 0$.

Type I Curves

We call a Type I curve with the coefficient of $x$ being 0, a Type Ia curve. Let $E_1$ be a Type Ia curve

and let
$$E_2 : y^2 + \bar a_3 y = x^3 + \bar a_4 x + \bar a_6$$
be any curve over $F_{2^m}$ isomorphic to $E_1$. Since $E_1 \cong E_2$ over $F_{2^m}$, there exist $u_1, s_1, t_1 \in F_{2^m}$ satisfying the equations

$$u^3 \bar a_3 = a_3 \quad (3.9)$$
$$s^4 + a_3 s + u^4 \bar a_4 = 0 \quad (3.10)$$
$$t^2 + a_3 t + s^6 + a_6 + u^6 \bar a_6 = 0. \quad (3.11)$$

Since $\bar a_3 = a_3/u^3$ and $a_3$ is a non-cube, $\bar a_3$ is also a non-cube. Hence $E_2$ is also a Type I curve. We proceed to count the number of admissible changes of variables which transform $E_1$ to $E_2$. We achieve this by counting the total number of solutions $(u, s, t)$ to the equations (3.9), (3.10) and (3.11) in $F_{2^m}$.

Now, (3.9) has exactly 3 solutions, namely $u_1, c_1 u_1$ and $c_2 u_1$. Since $a_3$ is a non-cube, (3.10) has exactly one solution for each choice of $u$. For $u = u_1, c_1 u_1, c_2 u_1$, these unique solutions to (3.10) are $s = s_1, c_1 s_1, c_2 s_1$ respectively. Finally, for $(u, s) = (u_1, s_1)$, $(c_1 u_1, c_1 s_1)$ or $(c_2 u_1, c_2 s_1)$, there are always 2 solutions to (3.11), namely $t_1$ and $t_1 + a_3$. Thus there are 6 admissible changes of variables which transform $E_1$ to $E_2$.

Since the total number of admissible changes of variables is $(q - 1)q^2$, the number of curves isomorphic to $E_1$ is $(q - 1)q^2/6$. Now, there are exactly $(q - 1)q$ admissible changes of variables which transform $E_1$ to a Type Ia curve. This follows since $\bar a_4 = (s^4 + a_3 s)/u^4$, whence $\bar a_4 = 0$ if and only if $s = 0$. Hence there are $(q - 1)q/6$ Type Ia curves isomorphic to $E_1$, including $E_1$ itself. Since there are $2(q - 1)q/3$ Type Ia curves in total, the Type Ia curves must be distributed in 4 isomorphism classes of curves. Each isomorphism class contains $(q - 1)q^2/6$ Type I curves, of which $(q - 1)q/6$ are Type Ia curves. These 4 classes account for all of the $2(q - 1)q^2/3$ Type I curves.

Type II Curves

Since $a_3$ is a cube, we can assume that the Type II (and Type III) curves have the form $y^2 + y = x^3 + a_4 x + a_6$. The admissible changes of variables are of the form $(x, y) \to (u^2 x + s^2, u^3 y + u^2 s x + t)$, where $u, s, t \in F_{2^m}$, $u^3 = 1$. Let $E_1$ be the Type II curve given by

and let

be any curve over $F_{2^m}$ isomorphic to $E_1$. Then $\bar a_3$ must be a cube, and so we can assume that $\bar a_3 = 1$. Since $E_1 \cong E_2$ over $F_{2^m}$, there exist $u_1, s_1, t_1 \in F_{2^m}$ satisfying the equations

$$u^3 = 1 \quad (3.12)$$
$$s^4 + s + a_4 + u \bar a_4 = 0 \quad (3.13)$$
$$t^2 + t + s^6 + a_4 s^2 + a_6 = 0. \quad (3.14)$$

Note that

If $u = 1, c_1$ or $c_2$, then $\mathrm{Te}(a_4/u) = 1, c_2$ or $c_1$ respectively. Thus $\mathrm{Te}(\bar a_4) \neq 0$, and $E_2$ is also a Type II curve. We proceed to count the number of admissible changes of variables which transform $E_1$ to $E_2$.

Since $u^3 = 1$, we have $u = 1, c_1$ or $c_2$. For each choice of $u$, equation (3.13) has exactly 4 distinct solutions or no solution (in $F_{2^m}$), according to whether $\mathrm{Te}(a_4 + u \bar a_4) = 0$ or $\mathrm{Te}(a_4 + u \bar a_4) \neq 0$, respectively. We find that for $u = 1, c_1, c_2$, (3.13) has 4 solutions if and only if $\mathrm{Te}(a_4) = 1, c_2, c_1$ respectively. Assume, without loss of generality, that $\mathrm{Te}(a_4) = 1$. Then the equation

has 4 distinct solutions, namely $s = s_1, s_1 + 1, s_1 + c_1$ and $s_1 + c_2$. Since $(s_1, t_1)$ is a solution to (3.14), we have that
$$\mathrm{Tr}(s_1^6 + a_4 s_1^2 + a_6) = 0.$$
Now,
$$\mathrm{Tr}\left((s_1 + 1)^6 + a_4 (s_1 + 1)^2 + a_6\right) = \mathrm{Tr}(a_4) = 0,$$
$$\mathrm{Tr}\left((s_1 + c_1)^6 + a_4 (s_1 + c_1)^2 + a_6\right) = \mathrm{Tr}(c_2 a_4) = 1,$$
$$\mathrm{Tr}\left((s_1 + c_2)^6 + a_4 (s_1 + c_2)^2 + a_6\right) = \mathrm{Tr}(c_1 a_4) = 1.$$
Thus (3.14) has solutions only when $s = s_1$ and $s = s_1 + 1$. We conclude that there are 4 solutions $(u, s, t)$ to equations (3.12)-(3.14).

Now there are $3q^2$ admissible changes of variables, and hence there are $3q^2/4$ Type II curves isomorphic to $E_1$. Since the total number of Type II curves is $3q^2/4$, we can conclude that the Type II curves form an isomorphism class of elliptic curves.

Type III Curves

Let $E_1$ be the Type III curve given by the equation
$$E_1 : y^2 + y = x^3.$$
Let
$$E_2 : y^2 + y = x^3 + \bar a_4 x + \bar a_6$$
be any curve over $F_{2^m}$ isomorphic to $E_1$. Since $E_1 \cong E_2$ over $F_{2^m}$, there exist $u_1, s_1, t_1 \in F_{2^m}$ satisfying the equations

$$u^3 = 1 \quad (3.15)$$
$$s^4 + s + u \bar a_4 = 0 \quad (3.16)$$
$$t^2 + t + s^6 + \bar a_6 = 0. \quad (3.17)$$

Note that

and hence $E_2$ is also a Type III curve. As before, we proceed to count the number of admissible changes of variables which transform $E_1$ to $E_2$.

Since $u^3 = 1$, we have $u = 1, c_1$ or $c_2$. Since $\mathrm{Te}(\bar a_4) = 0$, we have $\mathrm{Te}(c_1 \bar a_4) = 0$ and $\mathrm{Te}(c_2 \bar a_4) = 0$. Thus for each choice of $u = 1, c_1, c_2$, equation (3.16) has 4 distinct solutions in $F_{2^m}$. We find that these 12 solutions to (3.16) are

$$\begin{aligned}
u = 1:\quad & s = s_1,\ s_1 + 1,\ s_1 + c_1,\ s_1 + c_2 \\
u = c_1:\quad & s = c_1 s_1,\ c_1 s_1 + 1,\ c_1 s_1 + c_1,\ c_1 s_1 + c_2 \qquad (3.18) \\
u = c_2:\quad & s = c_2 s_1,\ c_2 s_1 + 1,\ c_2 s_1 + c_1,\ c_2 s_1 + c_2.
\end{aligned}$$

Since $(s_1, t_1)$ is a solution to (3.17), we have that $\mathrm{Tr}(s_1^6 + \bar a_6) = 0$. Using this fact, we can easily check that $\mathrm{Tr}(s^6 + \bar a_6) = 0$ for each of the 12 choices for $s$ in (3.18). Thus there are 24 solutions $(u, s, t)$ to (3.15)-(3.17).

Since there are $3q^2$ admissible changes of variables, there are $3q^2/24$ Type III curves isomorphic to $E_1$, and these account for half of the $q^2/4$ Type III curves.

Let $E_3$ be the Type III curve
$$E_3 : y^2 + y = x^3 + \alpha,$$
where $\alpha \in F_{2^m}$, $\mathrm{Tr}(\alpha) = 1$. Now, $E_1 \not\cong E_3$, since the equations
$$u^3 = 1$$
$$s^4 + s = 0$$
$$t^2 + t + s^6 + \alpha = 0$$
have no solution $(u, s, t)$ in $F_{2^m}$. We can now deduce that the remaining $q^2/8$ Type III curves not isomorphic to $E_1$ must lie in an isomorphism class, represented by $E_3$.

We summarize these results below.

Theorem 3.7 There are 7 isomorphism classes of supersingular elliptic curves over $F_{2^m}$, where $m$ is even. Let $\gamma$ be a non-cube in $F_{2^m}$. Let $\alpha, \beta, \delta, \omega \in F_{2^m}$ be such that $\mathrm{Tr}(\gamma^{-2}\alpha) = 1$, $\mathrm{Tr}(\gamma^{-4}\beta) = 1$, $\mathrm{Te}(\delta) \neq 0$ and $\mathrm{Tr}(\omega) = 1$. Then a representative from each class is:

(i) $E_1 : y^2 + \gamma y = x^3$ (Type I)
(ii) $E_2 : y^2 + \gamma y = x^3 + \alpha$ (Type I)
(iii) $E_3 : y^2 + \gamma^2 y = x^3$ (Type I)
(iv) $E_4 : y^2 + \gamma^2 y = x^3 + \beta$ (Type I)
(v) $E_5 : y^2 + y = x^3 + \delta x$ (Type II)
(vi) $E_6 : y^2 + y = x^3$ (Type III)
(vii) $E_7 : y^2 + y = x^3 + \omega$ (Type III). □

In Table 3.2, we list a representative of each of the 13 isomorphism classes of elliptic curves over $F_4$, together with the size and group structure of each curve. As before, we denote the elements of $F_4$ by $0, 1, c_1, c_2$.

Representative Curve $E$ | $j$-invariant | $\#E(F_4)$ | Group Type
$y^2 + xy = x^3 + 1$ | $1$ | 8 | $\mathbb{Z}_8$
$y^2 + xy = x^3 + c_1 x^2 + 1$ | $1$ | 2 | $\mathbb{Z}_2$
$y^2 + xy = x^3 + c_1$ | $c_2$ | 4 | $\mathbb{Z}_4$
$y^2 + xy = x^3 + c_1 x^2 + c_1$ | $c_2$ | 6 | $\mathbb{Z}_6$
$y^2 + xy = x^3 + c_2$ | $c_1$ | 4 | $\mathbb{Z}_4$
$y^2 + xy = x^3 + c_1 x^2 + c_2$ | $c_1$ | 6 | $\mathbb{Z}_6$
$y^2 + c_1 y = x^3$ (Type I) | $0$ | 3 | $\mathbb{Z}_3$
$y^2 + c_1 y = x^3 + 1$ (Type I) | $0$ | 7 | $\mathbb{Z}_7$
$y^2 + c_2 y = x^3$ (Type I) | $0$ | 3 | $\mathbb{Z}_3$
$y^2 + c_2 y = x^3 + 1$ (Type I) | $0$ | 7 | $\mathbb{Z}_7$
$y^2 + y = x^3 + x$ (Type II) | $0$ | 5 | $\mathbb{Z}_5$
$y^2 + y = x^3$ (Type III) | $0$ | 9 | $\mathbb{Z}_3 \oplus \mathbb{Z}_3$
$y^2 + y = x^3 + c_1$ (Type III) | $0$ | 1 | $\mathbb{Z}_1$

Table 3.2: Representatives of the 13 isomorphism classes of elliptic curves over $F_4$.
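Tables 3.2 and 3.3 recomputed by exhaustive search, as an added example that is not from the book, with the trace and the Type I/II/III test of Section 3.5 implemented over small $F_{2^m}$; the reduction polynomials and the explicit form assumed for $\mathrm{Te}$ (the trace from $F_{2^m}$ down to $F_4$) are this example's own choices.

```python
# Added example, not from the book.  Small binary fields F_{2^m} (elements are
# ints whose bits are polynomial coefficients), the trace Tr, the F_4-valued
# function Te, exhaustive point counting for y^2 + a1 xy + a3 y = x^3 + a2 x^2
# + a4 x + a6, and the Type I/II/III test of Section 3.5.  The reduction
# polynomials are constructed choices; the book does not spell out Te, so it
# is ASSUMED here to be the trace from F_{2^m} down to F_4, which satisfies
# the identities Te(c_i a) = c_i Te(a) quoted in Section 3.1.
MODULI = {2: 0b111, 3: 0b1011, 4: 0b10011}   # x^2+x+1, x^3+x+1, x^4+x+1


class GF2m:
    def __init__(self, m):
        self.m, self.q, self.mod = m, 1 << m, MODULI[m]

    def mul(self, a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a >> self.m:          # reduce when degree reaches m
                a ^= self.mod
        return r

    def pow(self, a, e):
        r = 1
        while e:
            if e & 1:
                r = self.mul(r, a)
            a, e = self.mul(a, a), e >> 1
        return r

    def tr(self, a):
        """Tr(a) = a + a^2 + ... + a^(2^(m-1)), a value in F_2."""
        t, s = 0, a
        for _ in range(self.m):
            t, s = t ^ s, self.mul(s, s)
        return t

    def te(self, a):
        """Te(a) = a + a^4 + ... + a^(4^(m/2-1)), a value in F_4 (m even)."""
        t, s = 0, a
        for _ in range(self.m // 2):
            t, s = t ^ s, self.pow(s, 4)
        return t

    def is_cube(self, a):
        if self.m % 2 or a == 0:     # m odd: cubing is a bijection (Section 3.4)
            return True
        return self.pow(a, (self.q - 1) // 3) == 1


def count_points(F, a1, a2, a3, a4, a6):
    """#E(F_{2^m}) for y^2 + a1 xy + a3 y = x^3 + a2 x^2 + a4 x + a6, plus O."""
    n = 1
    for x in range(F.q):
        rhs = F.pow(x, 3) ^ F.mul(a2, F.mul(x, x)) ^ F.mul(a4, x) ^ a6
        for y in range(F.q):
            if F.mul(y, y) ^ F.mul(a1, F.mul(x, y)) ^ F.mul(a3, y) == rhs:
                n += 1
    return n


def supersingular_type(F, a3, a4):
    """Type of y^2 + a3 y = x^3 + a4 x + a6 over F_{2^m}, m even (Section 3.5).
    Types II/III are decided on the normalised form a3 = 1."""
    if not F.is_cube(a3):
        return "I"
    if a3 != 1:
        raise ValueError("scale the curve to a3 = 1 first")
    return "II" if F.te(a4) else "III"


def table_3_2():
    """The #E(F_4) column of Table 3.2, in the table's row order."""
    F = GF2m(2)
    c1, c2 = 0b10, 0b11                  # c1^2 = c2, c1 c2 = 1, c1 + c2 = 1
    rows = [(1, 0, 0, 0, 1), (1, c1, 0, 0, 1), (1, 0, 0, 0, c1), (1, c1, 0, 0, c1),
            (1, 0, 0, 0, c2), (1, c1, 0, 0, c2), (0, 0, c1, 0, 0), (0, 0, c1, 0, 1),
            (0, 0, c2, 0, 0), (0, 0, c2, 0, 1), (0, 0, 1, 1, 0), (0, 0, 1, 0, 0),
            (0, 0, 1, 0, c1)]
    return [count_points(F, *r) for r in rows]


def table_3_3(m):
    """Orders of y^2 + y = x^3, x^3 + x, x^3 + x + 1 over F_{2^m}, m odd."""
    F = GF2m(m)
    return [count_points(F, 0, 0, 1, a4, a6) for a4, a6 in ((0, 0), (1, 0), (1, 1))]


if __name__ == "__main__":
    print(table_3_2())    # [8, 2, 4, 6, 4, 6, 3, 7, 3, 7, 5, 9, 1]
    print(table_3_3(3))   # [9, 5, 13]: q+1, q+1-sqrt(2q), q+1+sqrt(2q) for m = 3
```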

3.6 Number of Points

We determine $\#E(F_{2^m})$, where $E$ is a supersingular curve over $F_{2^m}$. The group type of these curves may subsequently be determined by using Lemma 2.13.

(i) $m$ odd

In this case, each of the 3 isomorphism classes of supersingular curves over $F_{2^m}$ has a representative with coefficients in $F_2$. Using the Weil Theorem, we can easily determine the order of curves over $F_{2^m}$. The results are listed in Table 3.3. (The column of "$k$" values will be explained in Chapter 5.)

Curve $E$ | $m$ | $\#E(F_{2^m})$ | Group Type | $k$
$y^2 + y = x^3$ | odd | $q + 1$ | cyclic | 2
$y^2 + y = x^3 + x$ | $m \equiv 1, 7 \pmod 8$ | $q + 1 + \sqrt{2q}$ | cyclic | 4
 | $m \equiv 3, 5 \pmod 8$ | $q + 1 - \sqrt{2q}$ | cyclic | 4
$y^2 + y = x^3 + x + 1$ | $m \equiv 1, 7 \pmod 8$ | $q + 1 - \sqrt{2q}$ | cyclic | 4
 | $m \equiv 3, 5 \pmod 8$ | $q + 1 + \sqrt{2q}$ | cyclic | 4

Table 3.3: Orders of supersingular elliptic curves over $F_{2^m}$, where $m$ is odd.

(ii) $m$ even

Let $\#E_i = \#E_i(F_{2^m}) = q + 1 - t_i$ for $1 \leq i \leq 7$, where $q = 2^m$, and the curves $E_i$ are those of Theorem 3.7. By Theorem 3.2, we obtain that the 7 values of $t_i$ are $0, 2\sqrt{q}, -2\sqrt{q}, \sqrt{q}, \sqrt{q}, -\sqrt{q}$, and $-\sqrt{q}$ (not necessarily in that order).

We first observe that $\#E_1 + \#E_2 = 2q + 2$, and hence $t_1 = -t_2$. This holds because for each $x \in F_q$, either $\mathrm{Tr}(\gamma^{-2} x^3) = 0$ or $\mathrm{Tr}(\gamma^{-2} x^3 + \gamma^{-2} \alpha) = 0$, but not both. The curves $E_1, E_2$ are an example of a twisted pair of elliptic curves. $E_3, E_4$ and $E_6, E_7$ are also twisted pairs, and so $t_3 = -t_4$ and $t_6 = -t_7$. It follows then that $t_5 = 0$.

Since the coefficients of $E_6$ are in $F_2$, we can apply the Weil Theorem to determine $\#E_6$, and hence $\#E_7$. We find that $t_6 = 2\sqrt{q}$ or $-2\sqrt{q}$ according to whether $m \equiv 0$ or $2 \pmod 4$ respectively.

We now know that $t_1, t_3 = \sqrt{q}$ or $-\sqrt{q}$. We determine their exact values as follows. Let $\gamma = g^{-1}$, where $g$ is a generator of $F_{2^m}^*$, and consider the sets

$$A = \{x^3 : x \in F_{2^m}\} = \{g^{3i} : 1 \leq i \leq (2^m - 1)/3\} \cup \{0\},$$
$$B = \{\gamma^{-2} x^3 : x \in F_{2^m}\} = \{g^{3i+2} : 1 \leq i \leq (2^m - 1)/3\} \cup \{0\},$$
$$C = \{\gamma^{-4} x^3 : x \in F_{2^m}\} = \{g^{3i+1} : 1 \leq i \leq (2^m - 1)/3\} \cup \{0\}.$$

Since $(A \setminus \{0\}, B \setminus \{0\}, C \setminus \{0\})$ is a partition of $F_{2^m}^*$, and since precisely half the elements of $F_{2^m}$ have trace equal to 0, we deduce that
$$\#E_1 + \#E_3 + \#E_6 = 3q + 3,$$
and hence $t_1 + t_3 = -t_6$. Thus we must have $t_1 = t_3 = -\sqrt{q}$ if $m \equiv 0 \pmod 4$, and $t_1 = t_3 = \sqrt{q}$ if $m \equiv 2 \pmod 4$. The orders of the curves $E_i$, $1 \leq i \leq 7$, are listed in Table 3.4. Notice that the curves $E_1 : y^2 + \gamma y = x^3$ and $E_3 : y^2 + \gamma^2 y = x^3$ are non-isomorphic as elliptic curves, however the groups $E_1(F_q)$ and $E_3(F_q)$ are isomorphic.

Curve $E_i$ | $m$ | $\#E_i(F_{2^m})$ | Group Type | $k$
$y^2 + \gamma y = x^3$ | $m \equiv 0 \pmod 4$ | $q + 1 + \sqrt{q}$ | cyclic | 3
 | $m \equiv 2 \pmod 4$ | $q + 1 - \sqrt{q}$ | cyclic | 3
$y^2 + \gamma y = x^3 + \alpha$ | $m \equiv 0 \pmod 4$ | $q + 1 - \sqrt{q}$ | cyclic | 3
 | $m \equiv 2 \pmod 4$ | $q + 1 + \sqrt{q}$ | cyclic | 3
$y^2 + \gamma^2 y = x^3$ | $m \equiv 0 \pmod 4$ | $q + 1 + \sqrt{q}$ | cyclic | 3
 | $m \equiv 2 \pmod 4$ | $q + 1 - \sqrt{q}$ | cyclic | 3
$y^2 + \gamma^2 y = x^3 + \beta$ | $m \equiv 0 \pmod 4$ | $q + 1 - \sqrt{q}$ | cyclic | 3
 | $m \equiv 2 \pmod 4$ | $q + 1 + \sqrt{q}$ | cyclic | 3
$y^2 + y = x^3 + \delta x$ | $m$ even | $q + 1$ | cyclic | 2
$y^2 + y = x^3$ | $m \equiv 0 \pmod 4$ | $q + 1 - 2\sqrt{q}$ | $\mathbb{Z}_{\sqrt{q}-1} \oplus \mathbb{Z}_{\sqrt{q}-1}$ | 1
 | $m \equiv 2 \pmod 4$ | $q + 1 + 2\sqrt{q}$ | $\mathbb{Z}_{\sqrt{q}+1} \oplus \mathbb{Z}_{\sqrt{q}+1}$ | 1
$y^2 + y = x^3 + \omega$ | $m \equiv 0 \pmod 4$ | $q + 1 + 2\sqrt{q}$ | $\mathbb{Z}_{\sqrt{q}+1} \oplus \mathbb{Z}_{\sqrt{q}+1}$ | 1
 | $m \equiv 2 \pmod 4$ | $q + 1 - 2\sqrt{q}$ | $\mathbb{Z}_{\sqrt{q}-1} \oplus \mathbb{Z}_{\sqrt{q}-1}$ | 1

Table 3.4: Orders of supersingular elliptic curves over $F_{2^m}$, where $m$ is even.

Given an arbitrary supersingular elliptic curve $E$ over $F_{2^m}$, we can compute $\#E(F_{2^m})$ by first determining to which isomorphism class $E$ belongs. This can be accomplished by solving the appropriate root finding problems given by Theorem 2.2. There are several efficient polynomial time algorithms for finding the roots of a polynomial over $F_{2^m}$; for example, see [10].

3.7 Notes

The work of Waterhouse is based on Deuring's classic paper [32]. Deuring considers two elliptic curves defined over $F_q$ to be isomorphic over $F_q$ if they are isomorphic, in our sense, over $\bar F_q$. Some of Waterhouse's work was generalized by Rück [133] to Jacobians of algebraic curves of genus 2 over finite fields.

The material of Sections 3.3 - 3.6 is taken from [94].
Chapter 4

The Discrete I.Jogarithm


Problem

There are many public-key cryptosystems whose security lies in the pre-
sumed intractability of the discrete logarithm problem in some group
G. The discrete logarithm problem has received a great deal of atten-
tion in recent years, and numerous algorithms which use a variety of
techniques have been devised. In Section 4.1 we briefly survey the algo-
rithms known for this problem. In Seetion 4.2, we demonstrate efficient
reductions of the logarithm problems ill singular elliptic curves and some
other groups to the logarithm problem in a finite field.

4.1 Algorithms
Let G be a (multiplicatively written) finite cyclic group of order n, and let α be a generator for G. Let β ∈ G. The discrete logarithm (logarithm) of β to the base α, denoted log_α β, is the unique integer x, 0 ≤ x < n, such that β = α^x. The discrete logarithm problem is to find a computationally feasible method for finding logarithms in a given group G. The obvious algorithm of computing successive powers of α until β is found takes O(n) group operations, and so is inefficient if n is large.
The algorithms which are known for finding logarithms can be categorized as follows.

(i) Algorithms which work in arbitrary groups (square root methods).
(ii) Algorithms which work in arbitrary groups but exploit the subgroup structure (Pohlig-Hellman method).
(iii) The index calculus methods.
(iv) Methods which exploit isomorphisms between groups.

We proceed to briefly describe each of these methods. Category (iv) is discussed in detail in Section 4.2.

4.1.1 Square Root Methods

Let m = ⌈√n⌉.

Baby-Step Giant-Step Method
Observe that if x = log_α β, then we can uniquely write x = jm + i, where 0 ≤ i < m. Precompute a list of pairs (i, α^i) for 0 ≤ i < m and sort this list by second component. For each j, 0 ≤ j < m, compute βα^{-jm} and check (by a binary search) if this element is equal to the second component of some pair in the list. If βα^{-jm} = α^i for some i, 0 ≤ i < m, then β = α^{i+jm} and hence log_α β = i + jm.
This algorithm requires a table with O(m) entries. To sort the table and search it for each value of j requires in total O(m log m) operations (by operation here we mean either a group operation or a comparison). A group of approximately 10^40 elements would render this attack infeasible with current technology.
Pollard ρ-method
J. Pollard [123] gave a method to find logarithms which is probabilistic but removes the necessity of precomputing a list of logarithms.
Partition the group G into three sets S1, S2 and S3 of roughly equal size. (Some care must be exercised in selecting the partition, for example 1 ∉ S2.) Define a sequence of group elements x_0, x_1, x_2, ... by x_0 = 1 and

    x_i = β x_{i-1}     if x_{i-1} ∈ S1,
    x_i = x_{i-1}^2     if x_{i-1} ∈ S2,
    x_i = α x_{i-1}     if x_{i-1} ∈ S3,

for i ≥ 1. It easily follows that the sequence of group elements defines a sequence of integers {a_i} and {b_i} where x_i = β^{a_i} α^{b_i}, i ≥ 0, a_0 = b_0 = 0, a_{i+1} ≡ a_i + 1, 2a_i or a_i (mod n) and b_{i+1} ≡ b_i, 2b_i or b_i + 1 (mod n) depending on which set S1, S2 or S3 contains x_i. Making use of Floyd's cycling algorithm, Pollard computes the six-tuple (x_i, a_i, b_i, x_{2i}, a_{2i}, b_{2i}), i = 1, 2, ... until x_i = x_{2i}. At this stage, we have

where r ≡ a_i - a_{2i} and s ≡ b_{2i} - b_i (mod n). This gives

    r log_α β ≡ s (mod n).

There are only d = gcd(r, n) possible values for log_α β. If d is small then each of these possibilities can be enumerated to find the correct value. If we make the heuristic assumption that the sequence {x_i} behaves like a random sequence of elements of G, then the expected running time of this method is O(m) group operations. Again, the method is infeasible if the order of G is about 10^40.
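Pollard's ρ-method as just described, as an added Python example (not the book's code): the group is the order-509 subgroup generated by α = 4 in Z_1019^* (a constructed instance), the partition is by residue mod 3, and Floyd's cycle-finding runs on the tuple (x_i, a_i, b_i, x_{2i}, a_{2i}, b_{2i}). It also generalizes the start to x_0 = α^{b_0}, so a run whose collision gives r ≡ 0 (mod n) can be repeated from another start.

```python
from math import gcd

def make_step(alpha, beta, n, p):
    """Return the map (x_i, a_i, b_i) -> (x_{i+1}, a_{i+1}, b_{i+1}) of the text, with
    x_i = beta^a_i * alpha^b_i in Z_p^* and the exponents tracked modulo n.
    Partition: S1 = {x = 1 (mod 3)}, S2 = {x = 0 (mod 3)}, S3 = {x = 2 (mod 3)},
    so that 1 lies in S1 and not in S2, as required."""
    def step(x, a, b):
        r = x % 3
        if r == 1:                                   # x in S1: multiply by beta
            return x * beta % p, (a + 1) % n, b
        if r == 0:                                   # x in S2: square
            return x * x % p, 2 * a % n, 2 * b % n
        return x * alpha % p, a, (b + 1) % n         # x in S3: multiply by alpha
    return step

def pollard_rho_log(alpha, beta, n, p, b0=0):
    """log_alpha(beta) for alpha of order n in Z_p^*.  b0 = 0 gives the text's start x_0 = 1;
    another b0 restarts from x_0 = alpha^b0.  Returns None when the collision carries no
    information (r = 0 mod n) or when none of the gcd(r, n) candidates checks out."""
    step = make_step(alpha, beta, n, p)
    x, a, b = pow(alpha, b0, p), 0, b0 % n           # (x_i, a_i, b_i)
    y, c, d = x, a, b                                # (x_2i, a_2i, b_2i): Floyd's double-speed copy
    while True:
        x, a, b = step(x, a, b)
        y, c, d = step(*step(y, c, d))
        if x == y:                                   # x_i = x_2i, so beta^(a-c) = alpha^(d-b)
            break
    r, s = (a - c) % n, (d - b) % n                  # r * log_alpha(beta) = s (mod n)
    g = gcd(r, n)
    if r == 0 or s % g:
        return None
    x0 = (s // g) * pow(r // g, -1, n // g) % (n // g)
    for k in range(g):                               # the gcd(r, n) possible values, each tested
        cand = x0 + k * (n // g)
        if pow(alpha, cand, p) == beta % p:
            return cand
    return None

def rho_with_restarts(alpha, beta, n, p, tries=50):
    """Run pollard_rho_log from x_0 = alpha^b0 for b0 = 0, 1, ... until a logarithm is found."""
    for b0 in range(tries):
        l = pollard_rho_log(alpha, beta, n, p, b0)
        if l is not None:
            return l
    return None

if __name__ == "__main__":
    # Constructed instance: p = 1019 = 2*509 + 1, alpha = 4 has order n = 509, beta = alpha^123.
    p, n, alpha = 1019, 509, 4
    beta = pow(alpha, 123, p)
    print(rho_with_restarts(alpha, beta, n, p))      # 123
```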

4.1.2 Pohlig-Hellman Method

This method for computing logarithms in a cyclic group [122] takes advantage of the factorization of the order of the group. Let

    n = ∏_{i=1}^t p_i^{λ_i},

where p_i is a prime number and λ_i is a positive integer for each 1 ≤ i ≤ t. If x = log_α β then the approach is to determine x modulo p_i^{λ_i} for each i, 1 ≤ i ≤ t, and then use the Chinese Remainder Theorem to compute x modulo n. We begin by determining z ≡ x (mod p_1^{λ_1}). Suppose that

    z = Σ_{i=0}^{λ_1 - 1} z_i p_1^i,

where 0 ≤ z_i ≤ p_1 - 1. Let γ = α^{n/p_1} be a p_1-th root of unity in G. Then

Using one of the square root methods described in the previous section we determine the logarithm of γ^{z_0} to the base γ in the cyclic group of order p_1 in G. This gives us z_0. If λ_1 > 1 then to determine z_1 we consider

Again z_1 can be found by a square root method. In a similar manner we can determine all z_i, 0 ≤ i < λ_1, and thus x modulo p_1^{λ_1}.
This technique requires O(Σ_{i=1}^t λ_i(log n + √p_i log p_i)) group operations [122], and is thus only efficient if the order is a smooth integer, i.e., n is only divisible by small prime numbers.
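The Pohlig-Hellman method above with the baby-step giant-step method of Section 4.1.1 as the square root method inside each subgroup of prime order, as an added Python example that is not the book's code; the instance Z_1009^* with n = 1008 = 2^4·3^2·7 is constructed, and the sorted table is replaced by a dictionary lookup.

```python
from math import isqrt

def factor(n):
    """Trial division: n = prod p_i^lambda_i, returned as {p_i: lambda_i}."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def bsgs(alpha, beta, n, p):
    """Baby-step giant-step: log_alpha(beta) for alpha of order n in Z_p^*, or None if beta
    is not in <alpha>.  With m = ceil(sqrt(n)) and x = j*m + i, the baby steps tabulate
    alpha^i (0 <= i < m) and the giant steps look up beta * alpha^(-j*m)."""
    m = isqrt(n - 1) + 1                             # m = ceil(sqrt(n))
    table, a = {}, 1
    for i in range(m):                               # baby steps, O(m) entries
        table.setdefault(a, i)
        a = a * alpha % p
    giant, gamma = pow(alpha, -m, p), beta % p       # alpha^(-m); gamma = beta * alpha^(-jm)
    for j in range(m):                               # giant steps; dict lookup replaces the binary search
        if gamma in table:
            return (j * m + table[gamma]) % n
        gamma = gamma * giant % p
    return None

def crt(residues):
    """Chinese Remainder Theorem: x = r_i (mod m_i) for pairwise coprime moduli m_i."""
    x, M = 0, 1
    for r, m in residues:
        x += M * ((r - x) * pow(M, -1, m) % m)
        M *= m
    return x % M

def pohlig_hellman(alpha, beta, n, p):
    """log_alpha(beta) for alpha of order n in Z_p^*, found digit by digit modulo each p_i^lambda_i."""
    residues = []
    for q, lam in factor(n).items():
        gamma = pow(alpha, n // q, p)                # gamma = alpha^(n/q), a q-th root of unity
        z, qk = 0, 1                                 # z = z_0 + z_1 q + ...; qk = q^k
        for _ in range(lam):
            # beta * alpha^(-z) = alpha^(q^k (z_k + q*...)), so raising it to n/q^(k+1)
            # leaves gamma^(z_k); z_k is then a logarithm in the subgroup of order q.
            target = pow(beta * pow(alpha, -z, p) % p, n // (qk * q), p)
            z += bsgs(gamma, target, q, p) * qk
            qk *= q
        residues.append((z, qk))                     # z = x (mod q^lambda)
    return crt(residues)

def has_order(alpha, n, p):
    """alpha has order exactly n: alpha^n = 1 and alpha^(n/q) != 1 for every prime q | n."""
    return pow(alpha, n, p) == 1 and all(pow(alpha, n // q, p) != 1 for q in factor(n))

if __name__ == "__main__":
    p = 1009                                         # constructed instance; p - 1 = 2^4 * 3^2 * 7 is smooth
    alpha = next(a for a in range(2, p) if has_order(a, p - 1, p))
    beta = pow(alpha, 777, p)
    print(pohlig_hellman(alpha, beta, p - 1, p))     # 777
```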

4.1.3 Index Calculus Method

We begin with some definitions from complexity theory. By a subexponential algorithm we mean an algorithm whose running time is L[x, c, a], where

    L[x, c, a] = O(exp((c + o(1)) (ln x)^a (ln ln x)^{1-a})),    (4.1)

and where x is the size of the input space, c is a constant, and 0 < a < 1. A subexponential algorithm is asymptotically faster (resp. slower) than an algorithm whose running time is fully exponential (resp. polynomial) in the input size. Note that if a = 0 then (4.1) is a polynomial in ln x, while if a = 1 then (4.1) is fully exponential in ln x. By a probabilistic polynomial (subexponential) time algorithm we mean a randomized algorithm whose expected running time is bounded by a polynomial (subexponential function) in the size of the input.
In the first stage of the index calculus method, we attempt to find the logarithms of elements of a fixed subset Γ = {γ_1, γ_2, ..., γ_t} of G, called the factor base, as follows. We pick a random integer s and attempt to write α^s as a product of elements in Γ:

    α^s = ∏_{i=1}^t γ_i^{a_i}.    (4.2)

If we are successful, then taking logarithms of both sides of (4.2) yields a linear congruence

    s ≡ Σ_{i=1}^t a_i log_α γ_i (mod n).    (4.3)

After collecting a sufficient number of relations of the form (4.3), one can then hopefully solve for the indeterminates log_α γ_i, 1 ≤ i ≤ t.
In the second stage, we find log_α β as follows. Repeatedly pick random integers s until α^s β can be written as a product of elements in Γ:

    (4.4)

Taking logarithms of both sides, we get

    log_α β ≡ Σ_{i=1}^t b_i log_α γ_i - s (mod n).

To complete the description of the index calculus method, we need to specify how to select an appropriate factor base Γ, and also how to efficiently generate the relations (4.2) and (4.4). By an appropriate Γ we mean a set that is small (so that the system of equations is not too big in stage 1), and at the same time the proportion of elements of G that factor in Γ is large (so that the expected number of trials to generate a relation (4.2) or (4.4) is not too big). At present such specifications are only known for some (multiplicative groups of) finite fields and class groups of imaginary quadratic fields [86].
For the field F_p, p a prime, we can choose Γ to be the first t prime integers. To generate a relation (4.2), we express α^s as an integer in the interval [1, p-1] and attempt to factor α^s in Γ by trial division. For an appropriate choice of t, the expected running time of the index calculus method is L[p, 2, 1/2]. A more practical version for F_p is the Gaussian integer method [30] whose running time is L[p, 1, 1/2]. The fastest method known for F_p, although it appears to be impractical at present, is the number field sieve [50] with running time L[p, 3^{2/3}, 1/3].
For the finite field F_{2^m} (or in general F_{p^m} where p is fixed [56]), we represent the elements of F_{2^m} as polynomials in F_2[x] of degree at most m-1, where multiplication is performed modulo a fixed irreducible polynomial of degree m in F_2[x]. The set Γ is then taken to be the set of all irreducible polynomials of degree at most some prescribed bound b. To generate a relation (4.2), we express α^s as a polynomial of degree at most m-1, and attempt to factor it in F_2[x] as a product of polynomials in Γ. The running time of this method (after some improvements) is L[2^m, c, 1/3], where 1.3507 ≤ c ≤ 1.4047 [29].
We comment that the algorithms mentioned for F_p and F_{2^m} are all probabilistic, and that the running times given are based on (reasonable) heuristic arguments which have not been rigorously proven. The best algorithms for F_p and F_{2^m} with rigorously proved running times are due to Pomerance [124], with expected running times of L[p, √2, 1/2] and L[2^m, √2, 1/2] respectively.
For fields F_{p^m} where m is fixed, the number field sieve [51] is the best algorithm known, with a heuristic running time of L[p^m, c, 1/3] (c is a constant which depends only on m). Algorithms with rigorously proved running times for F_{p^2} and F_{p^m} with log p < m^{0.98} are due to Lovorn [84] with running times of L[p^m, c, 1/2] for some c > 0.
We conclude this section by noting that it is still unknown whether there exist subexponential algorithms (with either heuristically or rigorously proven running times) for the discrete logarithm problem in fields F_{q^m} where both q and m tend to infinity.

4.1.4 Index Calculus Method for Elliptic Curves

In [100], V. Miller discusses the index calculus method as it might apply to elliptic curve groups. He comments that unlike the case of F_q^* where the candidates for the factor base Γ are very natural (prime numbers of small size, or small degree irreducible polynomials) there appears to be no likely candidates in E(F_q). The most natural seem to be points of small height in E(Q), Q the field of rational numbers (the height of a point is related to the number of bits needed to represent the point). However, he then argues that there are very few points of small height in E(Q). Furthermore, even if such a set Γ exists, finding an efficient method for lifting a point in E(F_q) to a point in E(Q) looks hopeless.
We shall study the elliptic curve logarithm problem further in Chapter 5.

4.2 Reducing Some Logarithm Problems to Logarithms in a Finite Field

Even though any two cyclic groups of the same order are isomorphic, an efficient algorithm to compute logarithms in one does not necessarily imply an efficient algorithm for the others. This statement is obvious when one considers that any cyclic group of order n is isomorphic to the additive group of Z_n and computing logarithms in Z_n is a triviality, by the extended Euclidean algorithm. In fact, the discrete logarithm problem can be restated as follows: determine a computationally efficient algorithm for computing an isomorphism between a cyclic group of order n and the additive cyclic group Z_n.
In this section we shall reduce (in polynomial or probabilistic polynomial time) the logarithm problem in some groups to the logarithm problem in a finite field. In Section 4.2.1, we show that the logarithm problem in a singular elliptic curve E defined over F_q is no harder than the logarithm problem in F_{q^k}, where k = 1 or k = 2, in the case that E has a "node". If E has a "cusp", then logarithms can in fact be efficiently computed. In Section 4.2.2, we demonstrate that the logarithm problem in the class of genus 0 curves defined by the Pell equation over F_q is no harder than the logarithm problem in F_{q^k}, where k = 1 or k = 2.
These results are perhaps a little surprising at first since the group operations in these groups seem to be more complicated than the multiplication operation in F_q. Since the group operation in the groups considered here is more expensive than the group operation in F_{q^k}, we can conclude that the former groups offer no advantage over finite fields for the implementation of cryptographic protocols whose security is based on the difficulty of computing discrete logarithms in a group.

4.2.1 Singular Elliptic Curves

Let E be a singular elliptic curve defined over a field K, i.e., E is given by a singular Weierstrass equation

    f(x, y) = y^2 + a_1 xy + a_3 y - x^3 - a_2 x^2 - a_4 x - a_6 = 0.

Then it can be shown that E has precisely one singular point, and we will assume that this point is P = (x_0, y_0) ∈ E(K). After the change of variables x ← x' + x_0, y ← y' + y_0, we can assume that the singular point is P = (0, 0). Since f(P) = 0 and both partial derivatives f_x(P), f_y(P) vanish, we have a_6 = a_4 = a_3 = 0, and so the Weierstrass equation for E simplifies to

    E : y^2 + a_1 xy - a_2 x^2 - x^3 = 0,    a_1, a_2 ∈ K.    (4.5)

Let y^2 + a_1 xy - a_2 x^2 = (y - αx)(y - βx), where α, β are in K or in K_1 (K_1 is the quadratic extension of K). Then P is called a node if α ≠ β, and a cusp if α = β. Let E_ns(K) denote the set of solutions (x, y) ∈ K × K to (4.5), excluding the point P, and including the point at infinity O; E_ns(K) is called the non-singular part of E(K). One can define an addition on E_ns(K) given by the chord-and-tangent law, as was done in Section 2.2 for E(K). The next result states that E_ns(K) is a group, and determines the structure of this group. K* denotes the multiplicative group of non-zero elements of K, while K^+ denotes the additive group of K.
Theorem 4.1 ([58], Theorem 7.2) Let E be a singular elliptic curve defined over the finite field K with singular point P.

(i) If P is a node, and α, β ∈ K, then the map φ : E_ns(K) → K* defined by
    φ : O ↦ 1,    φ : (x, y) ↦ (y - βx)/(y - αx)
is a group isomorphism.
(ii) If P is a node, and α, β ∉ K, α, β ∈ K_1, then let L be the subgroup of K_1^* consisting of the elements of norm 1. The map ψ : E_ns(K) → L defined by
    ψ : O ↦ 1,    ψ : (x, y) ↦ (y - βx)/(y - αx)
is a group isomorphism.
(iii) If P is a cusp, then the map ω : E_ns(K) → K^+ defined by
    ω : O ↦ 0,    ω : (x, y) ↦ x/(y - αx)
is a group isomorphism. □
Using the result above, we immediately derive the following.

Theorem 4.2 Let E be a singular elliptic curve defined over the finite field F_q with singular point P.
(i) If P is a node, then the logarithm problem in E_ns(F_q) is reducible in polynomial time to the logarithm problem in F_q or F_{q^2}, depending on whether α ∈ F_q or α ∉ F_q, respectively.
(ii) If P is a cusp, then the logarithm problem in E_ns(F_q) is reducible in polynomial time to the logarithm problem in F_q^+. □

Let q = p^m, where p is the characteristic of F_q. Then

    F_q^+ ≅ F_p^+ ⊕ ... ⊕ F_p^+    (m copies).

Observe that the logarithm problem in F_p^+ can be efficiently solved in polynomial time by the extended Euclidean algorithm. Thus if we are given a basis of F_q over F_p, then we can also compute logarithms in F_q^+ in polynomial time. We thus obtain the following.

Corollary 4.3 If E is a singular elliptic curve defined over a field F_q with a cusp, then logarithms in E_ns(F_q) can be computed in polynomial time. □
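The maps of Theorem 4.1 and the reductions of Theorem 4.2(i) and Corollary 4.3, as an added Python example (not the book's code) over the constructed field F_1009: the node y^2 - x^2 = x^3 (a_1 = 0, a_2 = 1, so α = 1, β = -1 ∈ K) and the cusp y^2 = x^3 (α = 0). The logarithm in F_p^* is found by exhaustive search, since the point is the reduction rather than the field algorithm.

```python
p = 1009                     # constructed: K = F_p, p prime; the point at infinity O is None

class SingularCurve:
    """E: y^2 + a1*x*y = x^3 + a2*x^2, equation (4.5), with the singular point (0, 0) excluded."""
    def __init__(self, a1, a2):
        self.a1, self.a2 = a1 % p, a2 % p

    def in_ns(self, P):
        """P lies in E_ns(F_p): on the curve and not the singular point."""
        x, y = P
        return (x, y) != (0, 0) and (y * y + self.a1 * x * y - x ** 3 - self.a2 * x * x) % p == 0

    def neg(self, P):
        return None if P is None else (P[0], (-P[1] - self.a1 * P[0]) % p)

    def add(self, P, Q):
        """Chord-and-tangent law on E_ns(F_p), Section 2.2 with a3 = a4 = a6 = 0."""
        if P is None: return Q
        if Q is None: return P
        if Q == self.neg(P): return None
        (x1, y1), (x2, y2) = P, Q
        if P == Q:                                    # tangent slope
            lam = (3 * x1 * x1 + 2 * self.a2 * x1 - self.a1 * y1) * pow(2 * y1 + self.a1 * x1, -1, p) % p
        else:                                         # chord slope
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        nu = (y1 - lam * x1) % p                      # the line through P and Q is y = lam*x + nu
        x3 = (lam * lam + self.a1 * lam - self.a2 - x1 - x2) % p
        return (x3, (-(lam + self.a1) * x3 - nu) % p)

    def mul(self, k, P):
        R = None
        for bit in bin(k)[2:]:
            R = self.add(R, R)
            if bit == "1": R = self.add(R, P)
        return R

    def first_point(self):
        """Some point of E_ns(F_p), by scanning x and then y (fine for this small p)."""
        for x in range(1, p):
            rhs = (x ** 3 + self.a2 * x * x) % p
            for y in range(p):
                if (y * y + self.a1 * x * y) % p == rhs:
                    return (x, y)

def node_map(alpha, beta, P):
    """phi of Theorem 4.1(i): E_ns(K) -> K^*, O -> 1, (x, y) -> (y - beta x)/(y - alpha x)."""
    if P is None: return 1
    x, y = P
    return (y - beta * x) * pow(y - alpha * x, -1, p) % p

def cusp_map(alpha, P):
    """omega of Theorem 4.1(iii): E_ns(K) -> K^+, O -> 0, (x, y) -> x/(y - alpha x)."""
    if P is None: return 0
    x, y = P
    return x * pow(y - alpha * x, -1, p) % p

def log_node(alpha, beta, P, R):
    """Theorem 4.2(i): log_P(R) in E_ns(F_p) is log_{phi(P)} phi(R) in F_p^* (exhaustive here)."""
    g, h = node_map(alpha, beta, P), node_map(alpha, beta, R)
    cur = 1
    for l in range(p - 1):
        if cur == h: return l
        cur = cur * g % p
    return None

def log_cusp(alpha, P, R):
    """Corollary 4.3: log_P(R) in E_ns(F_p) is omega(R)/omega(P) in F_p, a single modular division."""
    return cusp_map(alpha, R) * pow(cusp_map(alpha, P), -1, p) % p

if __name__ == "__main__":
    node = SingularCurve(0, 1)                        # y^2 - x^2 = x^3 = (y - x)(y + x): alpha = 1, beta = -1
    P = node.first_point(); R = node.mul(325, P)
    print(node.mul(log_node(1, -1, P, R), P) == R)  # True
    cusp = SingularCurve(0, 0)                        # y^2 = x^3 = (y - 0*x)^2: alpha = 0
    Q = (1, 1); S = cusp.mul(321, Q)
    print(log_cusp(0, Q, S))                          # 321
```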

4.2.2 Another Class of Genus 0 Curves

The curves described in this section were pointed out to us by Jeff Shallit [139].
Let q be an odd prime power, and let D be a non-zero element of F_q. Let C denote the set of solutions (x, y) ∈ F_q × F_q to the Pell equation

    (4.6)

The elements of C are the affine points of an algebraic curve of genus 0, defined by equation (4.6). We define an operation ⊕ on the elements of C as follows. If (x_1, y_1), (x_2, y_2) ∈ C, then

Lemma 4.4 (C, ⊕) is an abelian group.

Proof: It can easily be verified that the addition operation is closed, associative and commutative. The identity element is (1, 0), while the inverse of the element (x, y) is (x, -y). □
Let χ(a) denote the quadratic character of a ∈ F_q, i.e.,

    χ(a) =  0  if a = 0,
            1  if a is a quadratic residue in F_q,
           -1  if a is a quadratic non-residue in F_q.

It is well known that χ(a) = a^{(q-1)/2}. We next determine the group structure of C.

Theorem 4.5 (C, ⊕) is a cyclic group of order q - χ(D).

Proof:
Case (i) (χ(D) = -1): Let f(W) = W^2 - D ∈ F_q[W]. Then f(W) is irreducible over F_q, and so F_{q^2} ≅ F_q[W]/(f(W)), (f(W)) being the ideal in F_q[W] generated by f(W). Let H denote the unique multiplicative subgroup of F_{q^2} of order q + 1, and let a = x + yW be an arbitrary element of F_{q^2}. Then a ∈ H if and only if a^{q+1} = 1. Now,

    a^{q+1} = (x + yW)^q (x + yW)
            = (x + yW^q)(x + yW).

Since

we have

    a^{q+1} = (x - yW)(x + yW)
            = x^2 - y^2 W^2
            = x^2 - Dy^2.

Consequently, a ∈ H if and only if (x, y) ∈ C. Thus the map φ : C → H defined by

    φ : (x, y) ↦ x + yW

is a bijective map. It is also easy to verify that φ is a group homomorphism. Hence C is a cyclic group of order q + 1.
Case (ii) (χ(D) = 1): Let a ∈ F_q^* be a square root of D. We can rewrite equation (4.6) as (x - ay)(x + ay) = 1. Let

    u = x - ay    and    v = x + ay.

We then have

    x = (u + v)/2    and    y = (v - u)/(2a).

This gives a 1-1 correspondence between solutions (x, y) of (4.6), and solutions (u, v) of uv = 1. The equation uv = 1 has exactly q - 1 solutions (u, v) in F_q × F_q, namely a unique solution for each u ∈ F_q^*. Thus the map ψ : C → F_q^* defined by

    ψ : (x, y) ↦ x - ay

is a bijective map. It is also easy to verify that ψ is a group homomorphism. Hence C is a cyclic group of order q - 1. □
Note that if χ(D) = -1, then the isomorphism φ is trivial to compute, while if χ(D) = 1, then the isomorphism ψ is easy to compute, given a square root a of D in F_q. Since square roots in F_q can be computed in probabilistic polynomial time (see [10]) we can state the next result.

Theorem 4.6 If χ(D) = -1 then the logarithm problem in C is reducible in constant time to the logarithm problem in F_{q^2}. If χ(D) = 1, then the logarithm problem in C is reducible in probabilistic polynomial time to the logarithm problem in F_q. □
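The group (C, ⊕) and the reductions of Theorem 4.6, as an added Python example (not the book's code) over the constructed field F_1009. The displays of (4.6) and of ⊕ did not survive on this page, so the code assumes the Pell equation x^2 - Dy^2 = 1, which is the form (x - ay)(x + ay) = 1 used in the proof of Theorem 4.5, and the composition (x_1x_2 + Dy_1y_2, x_1y_2 + x_2y_1), i.e. multiplication of x + yW modulo W^2 - D; both field logarithms are exhaustive, and the function names are this example's own.

```python
q = 1009                     # constructed odd prime, so F_q = Z_q here

def chi(a):
    """Quadratic character chi(a) = a^((q-1)/2) in F_q, returned as 0, 1 or -1."""
    r = pow(a % q, (q - 1) // 2, q)
    return -1 if r == q - 1 else r

def on_curve(D, P):
    """(x, y) satisfies the assumed Pell equation x^2 - D*y^2 = 1."""
    x, y = P
    return (x * x - D * y * y - 1) % q == 0

def pell_add(D, P1, P2):
    """Assumed operation (+): the product of x1 + y1 W and x2 + y2 W modulo W^2 - D."""
    (x1, y1), (x2, y2) = P1, P2
    return ((x1 * x2 + D * y1 * y2) % q, (x1 * y2 + x2 * y1) % q)

def pell_mul(D, k, P):
    R = (1, 0)                                      # identity of (C, (+)), Lemma 4.4
    for bit in bin(k)[2:]:
        R = pell_add(D, R, R)
        if bit == "1": R = pell_add(D, R, P)
    return R

def sqrt_mod(a):
    """A square root of a in F_q by exhaustive search (the text allows any probabilistic
    polynomial-time method here); None if a is a non-residue."""
    return next((r for r in range(q) if r * r % q == a % q), None)

def some_point(D):
    """A point of C other than (1, 0) and (-1, 0)."""
    for x in range(2, q):
        t = (x * x - 1) * pow(D, -1, q) % q        # y^2 = (x^2 - 1)/D
        if chi(t) == 1:
            return (x, sqrt_mod(t))

def pell_log(D, P, R):
    """Theorem 4.6: log_P(R) in C.  chi(D) = 1: apply psi(x, y) = x - a*y (a = sqrt(D)) and take a
    logarithm in F_q^*.  chi(D) = -1: phi(x, y) = x + yW leaves the pair as it is, so the logarithm
    is taken in the order-(q+1) subgroup of F_{q^2} = F_q[W]/(W^2 - D), whose multiplication is
    pell_add.  The group order q - chi(D) of Theorem 4.5 bounds both exhaustive searches."""
    n = q - chi(D)
    if chi(D) == 1:
        a = sqrt_mod(D)
        g, h = (P[0] - a * P[1]) % q, (R[0] - a * R[1]) % q
        cur = 1
        for l in range(n):
            if cur == h: return l
            cur = cur * g % q
    else:
        cur = (1, 0)
        for l in range(n):
            if cur == R: return l
            cur = pell_add(D, cur, P)
    return None

if __name__ == "__main__":
    for D in (2, 11):                               # chi(2) = 1 and chi(11) = -1 modulo 1009
        P = some_point(D)
        R = pell_mul(D, 77, P)
        print(D, chi(D), pell_mul(D, q - chi(D), P) == (1, 0), pell_mul(D, pell_log(D, P, R), P) == R)
```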

4.3 Notes
For a recent survey of the discrete logarithm problem, we recommend
the article by McCurley [87]. Odlyzko's article [115] gives a comprehen-
sive account of the problem of computing logarithms in finite fields of
characteristic 2.
The results of Section 4.2 are taken from [95]. It is well-known
that any smooth curve of genus 0 is isomorphic to the projective line.
What we have shown for the genus 0 curves considered here is that the
isomorphism can be efficiently computed.
Chapter 5

The Elliptic Curve Logarithm Problem

We begin in Section 5.1 by introducing the Weil pairing and Miller's algorithm for efficiently computing it. We then use the Weil pairing in Section 5.2 to reduce the elliptic curve logarithm problem to the logarithm problem in a finite field. The reduction is efficient if the curve is supersingular. In Section 5.3, we discuss the cryptographic implications of the reduction. Finally, in Section 5.4, we use the Weil pairing to determine the type of an elliptic curve group. Before proceeding, the reader might find it useful to first review the definitions and terminology introduced in Section 2.7.

5.1 The Weil Pairing

Let E be an elliptic curve defined over the finite field K = F_q of characteristic p.
Let D = Σ n_P (P) ∈ 𝒟 be a divisor and let f ∈ K(E)* be a rational function such that D and div(f) have disjoint support. Then it makes sense to define f evaluated at D as

    f(D) = ∏_{P ∈ supp(D)} f(P)^{n_P}.

In Section 5.1.1 we define the Weil pairing. In Sections 5.1.2 and 5.1.3 we describe Miller's probabilistic polynomial-time algorithm [101] for computing the Weil pairing.


5.1.1 Definition

Let m be a positive integer coprime to p, and let μ_m ⊂ K̄* be the group of mth roots of unity.
Let P, Q ∈ E[m]. Let A and B be divisors of degree 0 such that A ~ (P) - (O), B ~ (Q) - (O), and A, B have disjoint support. Let f_A, f_B ∈ K(E) such that

    div(f_A) = mA

and

    div(f_B) = mB.

Note that f_A and f_B exist by Theorem 2.25 since P and Q are both m-torsion points. Note also that div(f_A) and B have disjoint supports, as do div(f_B) and A.
The Weil pairing, e_m, is a function

    e_m : E[m] × E[m] → μ_m

and is defined as

The value of e_m(P, Q) is independent of the choice of A, B, f_A and f_B.
We list some useful properties of the Weil pairing [140].

(i) Identity: For all P ∈ E[m], e_m(P, P) = 1.
(ii) Alternation: For all P, Q ∈ E[m], e_m(P, Q) = e_m(Q, P)^{-1}.
(iii) Bilinearity: For all P, Q, R ∈ E[m], e_m(P + Q, R) = e_m(P, R) e_m(Q, R), and e_m(P, Q + R) = e_m(P, Q) e_m(P, R).
(iv) Non-degeneracy: If P ∈ E[m] then e_m(P, O) = 1. Moreover, if e_m(P, Q) = 1 for all Q ∈ E[m], then P = O.
(v) If E[m] ⊆ E(K), then e_m(P, Q) ∈ K for all P, Q ∈ E[m] (that is, μ_m ⊆ K*).
(vi) Compatible: If P ∈ E[m] and Q ∈ E[mm'], then e_{mm'}(P, Q) = e_m(P, m'Q).

5.1.2 Computing the Function of a Principal Divisor

Recall that any degree 0 divisor D ∈ 𝒟^0 can be written as

    D = (P) - (O) + div(f)    (5.1)

for a unique P ∈ E, and some f ∈ K(E). The function f is determined up to multiplication by a non-zero element of K. We call (5.1) a canonical form for D.
We first show how to add two divisors given in canonical form, and express the result in canonical form. Let D_1 and D_2 be divisors of degree 0, where

    D_1 = (P_1) - (O) + div(f_1),

and

    D_2 = (P_2) - (O) + div(f_2),

with P_1, P_2 ∈ E and f_1, f_2 ∈ K(E). Suppose further that D_1 ∉ 𝒟_l and D_2 ∉ 𝒟_l (i.e., P_1 ≠ O, P_2 ≠ O). Then

    D_1 + D_2 = (P_3) - (O) + div(f_1 f_2 f_3),

where P_3 = P_1 + P_2, and f_3 = l/v, where l is the equation of the line through P_1 and P_2, and v is the equation of the vertical line through P_3 (if P_3 = O, then we may take v = 1). This is true since div(f_1 f_2 f_3) = div(f_1) + div(f_2) + div(f_3) and div(f_3) = div(l) - div(v) where

    div(l) = (P_1) + (P_2) + (-P_3) - 3(O)

and

    div(v) = (P_3) + (-P_3) - 2(O).

Observe that if P_1, P_2 ∈ E(K) and if f_1, f_2 ∈ K(E), then P_3 ∈ E(K) and f_3 ∈ K(E), and so all the computations take place in the field K itself. Observe also that f_3 (as an element of K(x, y)) is undefined only at the points P_3 and -P_3, while 1/f_3 (again as an element of K(x, y)) is only undefined at P_1, P_2 and -P_3. (If we treat f_3 as a rational function, then since div(f_3) = (P_1) + (P_2) - (P_3) - (O), the only points of E at which f_3 is undefined are P_3 and O.)
Now, let D = Σ_{i=1}^n a_i(P_i) be a principal divisor. We can find f ∈ K(E) such that D = div(f) as follows.

(i) Write D = Σ_{i=1}^n a_i((P_i) - (O)). This is possible since D has degree 0.

(ii) For each i, 1 ≤ i ≤ n, compute P_i' ∈ E and f_i ∈ K(E) such that

    a_i((P_i) - (O)) = (P_i') - (O) + div(f_i)

as follows.
Let 1 = d_1, d_2, ..., d_t = a_i be a fixed addition chain for a_i, i.e., each d_j, j ≥ 2, can be obtained as a sum d_j = d_k + d_l, where k < j and l < j. Note that there is always an addition chain for a_i of length t ≤ 2r, where r = ⌈log_2 a_i⌉. By using the method described for adding divisors in canonical form, we then successively compute the canonical forms for d_j((P) - (O)), j = 1, 2, ..., t. Note that f_i will be of the form

    (5.2)

where l_k, v_k are linear polynomials in K(E). Furthermore, the number of terms l_k/v_k in the product (5.2) is at most 2r, and each exponent b_k is at most 2^{2r}.

(iii) Now add the divisors (P_i') - (O) + div(f_i), 1 ≤ i ≤ n.

Observe again that if each P_i ∈ E(K), then f ∈ K(E), and all computations take place in the field K itself.
Assume now that K is a finite field, and each P_i ∈ E(K). The problem with the algorithm is that the bivariate rational function f may itself be of exponential size, relative to the size of the input. Hence instead of writing f explicitly, we keep f in factored form. By the comments made in (ii) we see that the factored form for each f_i, and hence also for f, will be of polynomial size. Moreover the method takes polynomial time. f can be evaluated at points P in polynomial time (provided that f(P) is defined). Let the canonical form of the intermediate divisors be D_j = (Q_j) - (O) + div(g_j). Then f (as an element of K(x, y)) may be undefined at most on the points ±Q_j. We shall deal with this problem in the next section, when we use this algorithm to compute the Weil pairing.

Example 5.1 Consider the elliptic curve y^2 = x^3 + 7x defined over F_13. The points on E(F_13) and their orders are listed in Table 5.1. From the table we deduce that #E(F_13) = 18 and E(F_13) ≅ Z_6 ⊕ Z_3.

    Point            Order      Point              Order
    P0 = O           1          P9  = (5, 11)      6
    P1 = (0, 0)      2          P10 = (8, 3)       6
    P2 = (2, 3)      6          P11 = (8, 10)      6
    P3 = (2, 10)     6          P12 = (9, 5)       3
    P4 = (3, 3)      3          P13 = (9, 8)       3
    P5 = (3, 10)     3          P14 = (10, 2)      3
    P6 = (4, 1)      3          P15 = (10, 11)     3
    P7 = (4, 12)     3          P16 = (11, 2)      6
    P8 = (5, 2)      6          P17 = (11, 11)     6

Table 5.1: F_13-rational points on E : y^2 = x^3 + 7x.

Let D = 6(P8) - 6(O). By Theorem 2.25, D is principal. We proceed to find a rational function f such that div(f) = D. We compute

    (P8) - (O) = (P8) - (O) + div(1).

    2(P8) - 2(O) = [(P8) - (O)] + [(P8) - (O)]
                 = (P7) - (O) + div( (-x + y + 3)/(x - 4) ).

    4(P8) - 4(O) = [2(P8) - 2(O)] + [2(P8) - 2(O)]
                 = (P6) - (O) + div( ((-x + y + 3)/(x - 4))^2 · (5x + y + 7)/(x - 4) ).

    6(P8) - 6(O) = [2(P8) - 2(O)] + [4(P8) - 4(O)]
                 = div( ((-x + y + 3)/(x - 4))^3 · (5x + y + 7)/(x - 4) · (x - 4)/1 ).

So, the desired function in factored form is

    f = (-x + y + 3)^3/(x - 4)^3 · (5x + y + 7).

Note that as an element of F_13(x, y), f is undefined at the points P6 and P7. However, when considered as a rational function, it is defined at these points. This follows because

which is clearly defined at P6 and P7. □

5.1.3 Computing the Weil Pairing

Let m be an integer coprime to p, and let P, Q ∈ E[m]. We proceed to compute e_m(P, Q).
Pick points T, U ∈ E such that P + T ≠ U, Q + U, and T ≠ U, Q + U. Let A = (P + T) - (T). Then A ~ (P) - (O), since

    A - (P) + (O) = (P + T) - (T) - (P) + (O) ∈ 𝒟_l.

Similarly, let B = (Q + U) - (U). Then B ~ (Q) - (O).
Let f_A, f_B ∈ K(E), with

    div(f_A) = m(P + T) - m(T),

and

    div(f_B) = m(Q + U) - m(U).

The functions f_A and f_B can be computed by the method of the previous section. Then

    e_m(P, Q) = f_A(B)/f_B(A) = f_A((Q + U) - (U)) / f_B((P + T) - (T)) = f_A(Q + U) f_B(T) / (f_A(U) f_B(P + T)).

Note that e_m(P, Q) is defined by the choice of T and U. Observe that if P, Q ∈ E(K), and we pick T, U ∈ E(K), then f_A, f_B ∈ K(E), and all computations take place in the field K itself.
Assume now that K is a finite field, P, Q ∈ E(K), and we select T, U ∈ E(K). As observed in the previous section, the rational functions f_A and f_B may be exponentially large, relative to the size of the input. We will thus represent f_A and f_B in factored form instead of writing them explicitly.

Let 1 = a_1, a_2, ..., a_t = m be a fixed addition chain for m. Let R ∈ E(K), and let f be the function computed using the method of the previous section, where

    m(R) - m(O) = (P') - (O) + div(f).

The intermediate divisors are (a_i R) - (O) + div(f_i) for 1 ≤ i ≤ t. Thus f, as an element of K(x, y), may be undefined at most on all the points ±a_1 R, ±a_2 R, ..., ±a_t R.
As a rational function, f_A is defined at U and Q + U. However, as an element of K(x, y), f_A may be undefined at U or Q + U. To guarantee that f_A (as an element of K(x, y)) is defined at the points Q + U and U, we select U such that U and Q + U are distinct from ±a_1 T, ±a_2 T, ..., ±a_t T, ±a_1(P + T), ±a_2(P + T), ..., ±a_t(P + T). For a fixed T, the number of points U which do not satisfy these conditions is at most 8t. Similarly, in order to guarantee that f_B is defined at the points P + T and T, we select T such that T and P + T are distinct from ±a_1 U, ±a_2 U, ..., ±a_t U, ±a_1(Q + U), ±a_2(Q + U), ..., ±a_t(Q + U). For a fixed U, the number of points T which do not satisfy these conditions is at most 8t. Thus the number of pairs of points (T, U) ∈ E(K) × E(K) which do not satisfy these conditions is at most 16t #E(K). Since there is always an addition chain for m of length t ≤ 2 log_2 m, the probability of picking a good pair (T, U) is > 1/2 when m ≥ 1024.
Finally, since we can select random points on an elliptic curve in probabilistic polynomial time (see Section 2.6), it follows that the algorithm to compute e_m(P, Q), where K is a finite field, takes probabilistic polynomial time.

Example 5.2 We consider the same curve E/F_13 : y^2 = x^3 + 7x as in Example 5.1. Let P = P4 = (3, 3) and Q = P6 = (4, 1). We shall compute e_3(P, Q).
We first pick random points T = (8, 3), U = (5, 2) and compute P + T = (2, 10), Q + U = (5, 11). We then proceed to express the following divisors in canonical form:

    3(P + T) - 3(O) = (P1) - (O) + div( (8x + y)(x + y + 1) / (x(x + 3)) ).

    3(T) - 3(O) = (P1) - (O) + div( (11x + y)(8x + y + 11) / (x(x + 4)) ).

    3(Q + U) - 3(O) = (P1) - (O) + div( (3x + y)(x + y + 10) / (x(x + 9)) ).

    3(U) - 3(O) = (P1) - (O) + div( (10x + y)(12x + y + 3) / (x(x + 9)) ).

Recall that f_A and f_B are functions with div(f_A) = 3(P + T) - 3(T), div(f_B) = 3(Q + U) - 3(U). Subtracting the first two equations gives

    f_A = (8x + y)(x + y + 1)(x + 4) / ((x + 3)(11x + y)(8x + y + 11)),

while subtracting the last two equations gives

    f_B = (3x + y)(x + y + 10) / ((10x + y)(12x + y + 3)).

Finally, we obtain

Note that the element 9 has order 3 in F_13. □

5.2 Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field

The following result from [63] provides a method for partitioning the points of an elliptic curve E(F_q) into the cosets of <P>, the subgroup of E(F_q) generated by a point P of maximum order.

Lemma 5.3 Let E(F_q) be an elliptic curve with group type (n_1, n_2), and let P be an element of maximum order n_1. Then for all points P_1, P_2 ∈ E(F_q), P_1 and P_2 are in the same coset of <P> if and only if e_{n_1}(P, P_1) = e_{n_1}(P, P_2). □

The next result is similar to, and has a similar proof as, Lemma 5.3. For completeness, we include it here.

Lemma 5.4 Let E(F_q) be an elliptic curve such that E[n] ⊆ E(F_q), where n is a positive integer coprime to q. Let P ∈ E[n] be a point of order n. Then for all P_1, P_2 ∈ E[n], P_1 and P_2 are in the same coset of <P> within E[n] if and only if e_n(P, P_1) = e_n(P, P_2).

Proof: If P_1 = P_2 + kP, then clearly

    e_n(P, P_1) = e_n(P, P_2) e_n(P, P)^k = e_n(P, P_2).

Conversely, suppose that P_1 and P_2 are in different cosets of <P> within E[n]. Then we can write P_1 - P_2 = a_1 P + a_2 Q, where (P, Q) is a generating pair for E[n] ≅ Z_n ⊕ Z_n, and where a_2 Q ≠ O.
If b_1 P + b_2 Q is any point in E[n], then

    e_n(a_2 Q, b_1 P + b_2 Q) = e_n(a_2 Q, P)^{b_1} e_n(Q, Q)^{a_2 b_2} = e_n(P, a_2 Q)^{-b_1}.

If e_n(P, a_2 Q) = 1 then by the non-degeneracy property of e_n, we have that a_2 Q = O, a contradiction. Thus e_n(P, a_2 Q) ≠ 1. Finally,

    e_n(P, P_1) = e_n(P, P_2) e_n(P, P)^{a_1} e_n(P, a_2 Q) ≠ e_n(P, P_2). □

For future reference, we state the following results.

Lemma 5.5 Let G be a group and α ∈ G. Let n = ∏_{i=1}^k p_i^{λ_i} be the prime factorization of n. Then α has order n if and only if

(i) α^n = 1, and
(ii) α^{n/p_i} ≠ 1 for each i, 1 ≤ i ≤ k. □

Lemma 5.6 Let G be an abelian group of type (cn, cn). If elements {a_i} are selected uniformly and randomly from G, then the elements {c a_i} are uniformly distributed about the elements of the subgroup of G of type (n, n). □

5.2.1 The Reduction

Let E(F_q) be an elliptic curve over the finite field F_q with group structure Z_{n_1} ⊕ Z_{n_2}, where n_2 | n_1. Given the defining equation for E(F_q), we can compute #E(F_q) in polynomial time by using Schoof's algorithm [136] (see Chapter 7). Also, given the integer factorization of gcd(#E(F_q), q - 1), we can determine n_1 and n_2 in probabilistic polynomial time by the algorithm discussed in Section 5.4. We further assume that gcd(#E(F_q), q) = 1; it follows that E[n_1] ≅ Z_{n_1} ⊕ Z_{n_1}.
Let P ∈ E(F_q) be a point of order n, where n is a divisor of n_1, and let R ∈ E(F_q). We assume that n is known. The elliptic curve logarithm problem is the following: Given P and R, determine the unique integer l, 0 ≤ l ≤ n - 1, such that R = lP, provided that such an integer exists.
Since e_n(P, P) = 1, we deduce from Lemma 5.3 that R ∈ <P> if and only if nR = O and e_n(P, R) = 1, conditions which can be checked in probabilistic polynomial time. Henceforth, we will assume that R ∈ <P>.
We first describe an algorithm for obtaining partial information about l by solving a discrete logarithm problem in the field F_q itself, in the case that P has maximum order.

Algorithm 1
Input: An element P ∈ E(F_q) of maximum order n_1, and R = lP.
Output: An integer l' ≡ l (mod n'), where n' is a divisor of n_2.
Step 1. Pick a random point T ∈ E(F_q).
Step 2. Compute α = e_{n_1}(P, T) and β = e_{n_1}(R, T).
Step 3. Compute l', the discrete logarithm of β to the base α in F_q.

Theorem 5.7 Algorithm 1 correctly computes $l' \equiv l \pmod{n'}$, where $n'$ is some divisor of $n_2$.

Proof: Let $G \in E(F_q)$ be an element of order $n_2$ such that the pair of points $(P, G)$ generates $E(F_q)$, and let $T = c_1 P + c_2 G$. Then
$$\alpha^{n_2} = e_{n_1}(P,T)^{n_2} = e_{n_1}(P,P)^{c_1 n_2}\, e_{n_1}(P, c_2 n_2 G) = e_{n_1}(P, O) = 1,$$
and hence the order of $\alpha$, denoted $n'$, divides $n_2$. Since $n_2 \mid q-1$ it also follows that $\alpha \in F_q$. Now, since

we can then determine $l'$ by computing the discrete logarithm of $\beta$ to the base $\alpha$ in $F_q$. □
Since there are $n_2$ cosets of $\langle P \rangle$ within $E(F_q)$, we deduce from Lemma 5.3 that the probability that $n' = n_2$ is $\phi(n_2)/n_2$. If $n_2$ is small compared to $n_1$, however (and this is expected if the curve is randomly chosen, since $n_2 \mid \gcd(n_1, q-1)$), then this method does not provide us with any significant information about $l$. In the remainder of this section, we describe a technique for computing $l$ modulo $n$.
Let $k$ be the smallest positive integer such that $E[n] \subseteq E(F_{q^k})$; it is clear that such an integer $k$ exists.

Theorem 5.8 Let $P \in E$ be a point of order $n$. There exists $Q \in E[n]$ such that $e_n(P,Q)$ is a primitive $n$th root of unity.

Proof: Let $Q \in E[n]$. Then, by the bilinearity of the Weil pairing, we have that
$$e_n(P,Q)^n = e_n(P, nQ) = e_n(P, O) = 1.$$
Thus $e_n(P,Q) \in \mu_n$, where $\mu_n$ denotes the subgroup of the $n$th roots of unity in $F_{q^k}$. There are $n$ cosets of $\langle P \rangle$ within $E[n]$, and by Lemma 5.4 we deduce that as $Q$ varies among the representatives of these $n$ cosets, $e_n(P,Q)$ varies among all of the elements of $\mu_n$. The result now follows. □
Let $Q \in E[n]$ be such that $e_n(P,Q)$ is a primitive $n$th root of unity. The proof of the next result is straightforward.

Theorem 5.9 Let $f : \langle P \rangle \to \mu_n$ be defined by $f : R \mapsto e_n(R,Q)$. Then $f$ is a group isomorphism. □

We can now describe the method for reducing the elliptic curve logarithm problem to the discrete logarithm problem in a finite field.

Algorithm 2
Input: An element $P \in E(F_q)$ of order $n$, and $R \in \langle P \rangle$.
Output: An integer $l$ such that $R = lP$.
Step 1. Determine the smallest integer $k$ such that $E[n] \subseteq E(F_{q^k})$.
Step 2. Find $Q \in E[n]$ such that $\alpha = e_n(P,Q)$ has order $n$.
Step 3. Compute $\beta = e_n(R,Q)$.
Step 4. Compute $l$, the discrete logarithm of $\beta$ to the base $\alpha$ in $F_{q^k}$.

Note that the output of Algorithm 2 is correct since



Remarks
Algorithm 2 takes exponential time (in $\ln q$) in general, since $k$ is exponentially large in general (see Section 5.2.3). Algorithm 2 is also incomplete, as we have not provided methods for determining $k$ and for finding the point $Q$. We shall accomplish this next for the class of supersingular elliptic curves.

Example 5.10 Again, we consider the curve $E/F_{13} : y^2 = x^3 + 7x$ of Example 5.1. Let $P = (3,3)$ and $R = 2P = (3,10)$. In the notation of Algorithm 2, we have $n = 3$. Note that $E[3] \subseteq E(F_{13})$, and hence $k = 1$. We pick $Q = (4,1)$. From Example 5.2, we have
$$\alpha = e_3(P,Q) = 9,$$
which has order 3. A similar calculation gives
$$\beta = e_3(R,Q) = 3.$$
Finally, since $9^2 \equiv 3 \pmod{13}$, we have $\log_P R = 2$. □

5.2.2 Supersingular Curves


In this section, we prove that the reduction of Algorithm 2 takes probabilistic polynomial time for supersingular curves. When combined with the subexponential algorithms for the discrete logarithm problem in a finite field, this yields a probabilistic subexponential time algorithm for computing elliptic curve logarithms in supersingular curves.
Let $E(F_q)$ be a supersingular elliptic curve of order $q + 1 - t$ over $F_q$, and let $q = p^m$. By Lemmas 2.9 and 2.13, $E$ lies in one of the following classes of curves.

(I) $t = 0$ and $E(F_q) \cong \mathbb{Z}_{q+1}$.
(II) $t = 0$ and $E(F_q) \cong \mathbb{Z}_{(q+1)/2} \oplus \mathbb{Z}_2$ (and $q \equiv 3 \pmod 4$).
(III) $t^2 = q$ (and $m$ is even).
(IV) $t^2 = 2q$ (and $p = 2$ and $m$ is odd).
(V) $t^2 = 3q$ (and $p = 3$ and $m$ is odd).
(VI) $t^2 = 4q$ (and $m$ is even).
Let $P$ be a point of order $n$ in $E(F_q)$. Since $n_1 \mid (q+1-t)$ and $p \mid t$, we have $\gcd(n_1, q) = 1$. By applying the Weil Theorem and using Lemma 2.13, one can easily determine the smallest positive integer $k$ such that $E[n_1] \subseteq E(F_{q^k})$, and hence $E[n] \subseteq E(F_{q^k})$. We show a sample calculation for class (IV) curves.

Lemma 5.11 For class (IV) curves, we have $k = 4$.

Proof: Let $q = 2^m$ ($m$ odd) and $\#E(F_q) = n = q + 1 + \sqrt{2q}$. (The case $n = q + 1 - \sqrt{2q}$ is handled similarly.) By Lemma 2.13(i), $E(F_q)$ is cyclic. Now, using the Weil Theorem, we have $\#E(F_{q^2}) = q^2 + 1$ and $\#E(F_{q^3}) = q^3 + 1 - \sqrt{2q^3}$. By Lemma 2.13(iii) we have that $E(F_{q^2})$ is cyclic, and by Lemma 2.13(i), $E(F_{q^3})$ is also cyclic. Consequently
$$E[n] \not\subseteq E(F_q), \qquad E[n] \not\subseteq E(F_{q^2}) \qquad \text{and} \qquad E[n] \not\subseteq E(F_{q^3}).$$
Finally, $\#E(F_{q^4}) = q^4 + 1 + 2q^2$, and by Lemma 2.13(ii) we have that $E(F_{q^4}) \cong \mathbb{Z}_{q^2+1} \oplus \mathbb{Z}_{q^2+1}$. Since
$$n \mid (q+1+\sqrt{2q})(q+1-\sqrt{2q}) = q^2 + 1,$$
it follows that $E[n] \subseteq E(F_{q^4})$. □


For convenience, we summarize the relevant information for supersingular curves in the following two tables.

Class of curve | $t$              | Group structure                                               | $n_1$               | $k$
I              | $0$              | cyclic                                                        | $q+1$               | 2
II             | $0$              | $\mathbb{Z}_{(q+1)/2} \oplus \mathbb{Z}_2$                     | $(q+1)/2$           | 2
III            | $\pm\sqrt{q}$    | cyclic                                                        | $q+1\mp\sqrt{q}$    | 3
IV             | $\pm\sqrt{2q}$   | cyclic                                                        | $q+1\mp\sqrt{2q}$   | 4
V              | $\pm\sqrt{3q}$   | cyclic                                                        | $q+1\mp\sqrt{3q}$   | 6
VI             | $\pm 2\sqrt{q}$  | $\mathbb{Z}_{\sqrt{q}\mp 1} \oplus \mathbb{Z}_{\sqrt{q}\mp 1}$ | $\sqrt{q}\mp 1$     | 1

Table 5.2: Some information about supersingular curves.

Class of curve | Type of $E(F_{q^k})$                      | $c$
I              | $(q+1,\ q+1)$                             | $1$
II             | $(q+1,\ q+1)$                             | $2$
III            | $(q\sqrt{q}\pm 1,\ q\sqrt{q}\pm 1)$       | $\sqrt{q}\pm 1$
IV             | $(q^2+1,\ q^2+1)$                         | $q\pm\sqrt{2q}+1$
V              | $(q^3+1,\ q^3+1)$                         | $(q+1)(q\pm\sqrt{3q}+1)$
VI             | $(\sqrt{q}\mp 1,\ \sqrt{q}\mp 1)$         | $1$

Table 5.3: Some information about supersingular curves.
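As an added check (not in the original), the $c$ column of Table 5.3 is consistent with $E(F_{q^k}) \cong \mathbb{Z}_{cn_1} \oplus \mathbb{Z}_{cn_1}$: multiplying $c$ by the $n_1$ of Table 5.2, with upper and lower signs read together, gives
$$\begin{aligned}
\text{(III)}\quad & (q+1\mp\sqrt{q})(\sqrt{q}\pm 1) = q\sqrt{q} \pm 1,\\
\text{(IV)}\quad & (q+1\mp\sqrt{2q})(q+1\pm\sqrt{2q}) = (q+1)^2 - 2q = q^2 + 1,\\
\text{(V)}\quad & (q+1\mp\sqrt{3q})\,(q+1)\,(q+1\pm\sqrt{3q}) = (q+1)\big((q+1)^2 - 3q\big) = q^3 + 1,
\end{aligned}$$
while $cn_1$ equals $q+1$, $q+1$ and $\sqrt{q}\mp 1$ in classes (I), (II) and (VI), matching the types listed.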

Note that for each class of curves, the structure of $E(F_{q^k})$ is of the form $\mathbb{Z}_{cn_1} \oplus \mathbb{Z}_{cn_1}$ for appropriate $c$. We now proceed to give a detailed description of the reduction for supersingular curves.

Algorithm 3
Input: An element $P$ of order $n$ on a supersingular curve $E(F_q)$, and $R \in \langle P \rangle$.
Output: An integer $l$ such that $R = lP$.
Step 1. Determine $k$ and $c$ from Tables 5.2 and 5.3.
Step 2. Pick a random point $Q' \in E(F_{q^k})$ and set $Q = (cn_1/n)Q'$.
Step 3. Compute $\alpha = e_n(P,Q)$ and $\beta = e_n(R,Q)$.
Step 4. Compute the discrete logarithm $l'$ of $\beta$ to the base $\alpha$ in $F_{q^k}$.
Step 5. Check whether $l'P = R$. If this is so, then $l = l'$ and we are done. Otherwise, the order of $\alpha$ must be less than $n$, so go to Step 2.

Observe that by Lemma 5.6, $Q$ is a random point in $E[n]$. Observe also that the probability that the field element $\alpha$ has order $n$ is $\phi(n)/n$. This follows from Lemma 5.4 and the facts that there are $\phi(n)$ elements of order $n$ in $F_{q^k}$, and there are $n$ cosets of $\langle P \rangle$ within $E[n]$.
We now proceed to prove that the reduction of Algorithm 3 is a probabilistic polynomial time (in $\ln q$) reduction.
Theorem 5.12 If $E(F_q)$ is a supersingular curve, then the reduction of the elliptic curve logarithm problem in $E(F_q)$ to the discrete logarithm problem in $F_{q^k}$ is a probabilistic polynomial time (in $\ln q$) reduction.

Proof: We assume that a basis of the field $F_q$ over its prime field is explicitly given. To do arithmetic in $F_{q^k}$, we need to find an irreducible polynomial $f(x)$ of degree $k$ over $F_q$. This can be done in probabilistic polynomial time, for example by the method given in [10]. We then have $F_{q^k} \cong F_q[x]/(f(x))$, where $(f(x))$ denotes the ideal in $F_q[x]$ generated by $f(x)$. Note that the constant polynomials in $F_q[x]$ form a subfield isomorphic to $F_q$.
The point $Q'$ can be chosen in probabilistic polynomial time since $Q' \in E(F_{q^k})$ and $k \le 6$, and then $Q$ can be determined in polynomial time. The elements $\alpha$ and $\beta$ can be computed in probabilistic polynomial time by Miller's algorithm. Since
$$\frac{n}{\phi(n)} < 6 \ln\ln n, \qquad \text{for } n \ge 5$$
(see [131]), the expected number of iterations before we find a $Q$ such that $e_n(P,Q)$ has order $n$ is $O(\ln\ln n)$. Finally, observe that $l'P = R$ can be tested in polynomial time, and that $n = O(q)$. □
Note that the discrete logarithm problem in $F_{q^k}$ that we solve in Step 4 of Algorithm 3 has a base element $\alpha$ of order $n$, where $n < q^k - 1$. The probabilistic subexponential algorithms discussed in Section 4.1.3 for computing discrete logarithms in a finite field require that the base element be primitive. Using these algorithms, we obtain the following.

Corollary 5.13 Let $P$ be an element of order $n$ in a supersingular elliptic curve $E(F_q)$, and let $R = lP$ be a point in $E(F_q)$. If $q$ is a prime, or if $q$ is a prime power $q = p^m$ where $p$ is fixed, then Algorithm 3 can determine $l$ in probabilistic subexponential time.

Proof: The problem of finding the logarithm of $\beta$ to the base $\alpha$ in $F_{q^k}$ can be solved in probabilistic subexponential time as follows. We first obtain the integer factorization of $q^k - 1$ in probabilistic subexponential time using one of the many techniques available for integer factorization (for example [79] or [142] for practical algorithms with heuristic running time analyses, and [82, 125] for algorithms with rigorous running time analyses). Observe that we a priori have the following partial factorizations of $q^k - 1$:

(I) $q^2 - 1 = (q+1)(q-1)$.
(II) $q^2 - 1 = (q+1)(q-1)$.
(III) $q^3 - 1 = (q-1)(q+1-\sqrt{q})(q+1+\sqrt{q})$.
(IV) $q^4 - 1 = (q-1)(q+1)(q+1-\sqrt{2q})(q+1+\sqrt{2q})$.
(V) $q^6 - 1 = (q-1)(q+1)(q+1-\sqrt{3q})(q+1+\sqrt{3q})(q^2+q+1)$.

We then select random elements $\gamma$ in $F_{q^k}$ until $\gamma$ has order $q^k - 1$; the expected number of trials is $(q^k-1)/\phi(q^k-1)$, which is $O(\ln\ln q)$ since $k \le 6$. The order of $\gamma$ can be checked in polynomial time using Lemma 5.5. By solving two discrete logarithm problems in $F_{q^k}$, we find the unique integers $s$ and $t$, $0 \le s, t \le q^k - 2$, such that $\alpha = \gamma^s$ and $\beta = \gamma^t$. Since $\beta = \alpha^{l'}$, we obtain the congruence $sl' \equiv t \pmod{q^k - 1}$. Let $w = \gcd(s, q^k - 1)$, and let $v = (q^k - 1)/w$ be the order of $\alpha$. Then
$$l' \equiv (s/w)^{-1}(t/w) \pmod{v}.$$
The logarithms in $F_{q^k}$ can be computed in probabilistic subexponential time in $\ln q^k$ (and consequently also subexponential in $\ln q$) using, for example, the algorithm in [30] if $q$ is prime and $k = 1$, [40] if $q$ is prime and $k > 1$, or [29, 56] if $q$ is a proper power of a fixed prime. □
In solving an elliptic curve logarithm problem in practice, one would first factor $n$. Using this factorization, we can easily check the order of $\alpha$. Thus to find $Q$, we repeatedly choose random points in $E[n]$ until $\alpha$ has order $n$. This avoids the possibility of having to solve several discrete logarithm problems before $l'$ is in fact equal to $l$. Note however that this modified reduction is different from the reduction described in Algorithm 3, and in particular is no longer a probabilistic polynomial time reduction to the discrete logarithm problem in a finite field.
The dominant step of the algorithm as modified in the previous paragraph is the final stage of computing discrete logarithms in $F_{q^k}$. The number field sieve [79] for factoring an integer $n$ has an expected running time of $L[n, c, 1/3]$. The expected running time of the algorithm is thus either $L[q^k, c, 1/2]$ or $L[q^k, c, 1/3]$, depending on the running time of the best algorithm known for the discrete logarithm problem in $F_{q^k}$. We conclude that for supersingular curves, the elliptic curve discrete logarithm problem is more tractable than was previously believed.
5.2.3 Non-Supersingular Curves

Let $E$ be a non-supersingular curve defined over the field $F_q$ of characteristic $p$. Let $P \in E(F_q)$ be a point of order $n$, and $R \in \langle P \rangle$. The reduction of Algorithm 2 for computing $\log_P R$ is only valid for the case where $\gcd(n, q) = 1$. However it can easily be extended to the case $\gcd(n, q) \ne 1$ as follows.
Let $n = p^s n'$, where $s \ge 1$ and $\gcd(n', p) = 1$. Put $P' = p^s P$ and $R' = p^s R$. Then $R' \in \langle P' \rangle$, and Algorithm 2 can be applied to compute $\log_{P'} R'$. Observe that
$$\log_{P'} R' \equiv \log_P R \pmod{n'}. \tag{5.3}$$
Now, let $P'' = n'P$, $R'' = n'R$. Note that $\mathrm{ord}(P'') = p^s$ and $R'' \in \langle P'' \rangle$. We may use the Pohlig-Hellman method (see Section 4.1.2) to find $\log_{P''} R''$. Observe that
$$\log_{P''} R'' \equiv \log_P R \pmod{p^s}. \tag{5.4}$$
The computation of $\log_{P''} R''$ is only efficient if $p$ is small (the worst case occurring when $q = p$). Finally, we can use the Chinese remainder theorem to combine (5.3) and (5.4) and obtain $\log_P R$.
Let us now assume that $\gcd(n, q) = 1$. We also assume that the running time of the best algorithm for the discrete logarithm problem in $F_q$ is $L[q, c, 1/3]$. Algorithm 2 reduces the logarithm problem in $E(F_q)$ to the logarithm problem in $F_{q^k}$, which can be solved in time $L[q^k, c, 1/3]$. A necessary condition for the quantity $L[q^k, c, 1/3]$ to be subexponential in $\ln q$ is that $k \le (\ln q)^2$. One necessary condition for $E[n] \subseteq E(F_{q^k})$ is that $n \mid q^k - 1$, i.e., the order of $q$ modulo $n$ is a divisor of $k$. For random $n \approx q$, it is highly unlikely that $k \le (\ln q)^2$. This statement is made precise for the case $q$ and $n$ both primes in [72]. Thus for most non-supersingular curves, the reduction of Algorithm 2 gives a fully exponential algorithm for the elliptic curve logarithm problem.

5.3 Cryptographic Implications


La Macchia and Odlyzko [76] have recently implemented the Gaussian integer variant of the index calculus method, and they were easily able to compute logarithms in $F_p$, $p$ a 192-bit prime. While the number field sieve has a much better asymptotic running time than the Gaussian integer method (see Section 4.1.3), it does not seem to be practical for fields $F_p$, where $p \le 2^{512}$. For $F_{2^m}$, recent computations of Gordon and McCurley [52] indicate that computing logarithms in $F_{2^m}$ for $m$ about 500 is barely feasible given large amounts of computer resources. Therefore it appears that, given the best algorithms known for the discrete logarithm problem in finite fields and given the best available computer technology, the discrete logarithm is intractable for finite fields of size greater than $2^{600}$.
We comment on the following four families of supersingular curves that have previously been suggested for the implementation of elliptic curve cryptosystems. All these curves have $k$ value equal to 2, i.e., the elliptic curve logarithm problem in these curves is efficiently reducible to the logarithm problem in the quadratic extension of the underlying field.

(A) $y^2 + y = x^3 + b$ over $F_{2^m}$, $m$ odd (class I).
(B) $y^2 = x^3 - ax$ over $F_p$, where $p > 3$ is a prime, $a$ is a quadratic non-residue in $F_p$, and $p \equiv 3 \pmod 4$ (class I).
(C) $y^2 = x^3 - ax$ over $F_p$, where $p > 3$ is a prime, $a$ is a quadratic residue in $F_p$, and $p \equiv 3 \pmod 4$ (class II).
(D) $y^2 = x^3 + b$ over $F_p$, where $p > 3$ is a prime, and $p \equiv 2 \pmod 3$ (class I).

The curve
$$y^2 + y = x^3$$
over $F_{2^m}$ is especially attractive for implementation purposes, as we shall see in Chapter 6. It is now clear that using $E$ over $F_{2^m}$ is no more secure than using the cyclic group of non-zero elements in $F_{2^{2m}}$. Since it appears that the cost of computations on the curve is higher than the cost of computations in $F_{2^{2m}}$, such a curve is inferior for cryptographic purposes to other existing systems. Similar statements are valid for the classes of curves (B), (C) and (D).
The curve $y^2 + y = x^3$ over $F_{2^m}$ was first considered for the implementation of elliptic curve cryptosystems by Koblitz [67]. In [9], the authors suggested the particular values $m = 61$ and $m = 127$. Since the discrete logarithm problem in the fields $F_{2^{122}}$ and $F_{2^{254}}$ is very tractable using the index-calculus methods, these curves are clearly inadequate for cryptographic purposes. The particular values $m = 191$ and $m = 251$ were suggested in [93]. These curves should also be avoided for the same reasons. The classes of curves (B) and (C) were suggested by Miller [100]. The class of curves (D) was suggested in [9] for the implementation of elliptic curve cryptosystems, and by Kaliski [62] for the implementation of secure pseudorandom number generators. Finally, in [65], cryptosystems based on the elliptic curves (B) and (D) over a 167-bit prime field were implemented in software; these systems are also insecure.
Alternatives to the curve $y^2 + y = x^3$ are the supersingular curves $y^2 + y = x^3 + x$ and $y^2 + y = x^3 + x + 1$ over $F_{2^m}$, $m$ odd. These curves have $k$ values equal to 4 (see Table 3.3) and will be further studied in Chapter 6.
If a non-supersingular curve is desired, then the curve must be chosen so that the corresponding $k$ value is sufficiently large. Let $E$ be a non-supersingular curve defined over $F_q$. Let $P \in E(F_q)$ be a point of order $n$, and assume that $n$ is divisible by a large prime $v$ (this condition on $n$ is necessary if the Pohlig-Hellman attack for computing logarithms is to be avoided). To avoid the attack of Algorithm 2, i.e., to ensure that $k > c$ for sufficiently large $c$, we must check that the set $E[v]$ is not contained in $E(F_{q^l})$ for each $l$, $1 \le l \le c$. (By sufficiently large $c$ we mean $c$ for which the discrete logarithm problem in $F_{q^c}$ is considered intractable.) Two sufficient conditions for $E[v] \not\subseteq E(F_{q^l})$ are that $v^2$ does not divide $\#E(F_{q^l})$ and that $v$ does not divide $q^l - 1$; these conditions can be easily verified. If these conditions are satisfied, then the best known algorithm for computing logarithms to the base $P$ is the Pohlig-Hellman attack, whose running time is roughly proportional to $\sqrt{v}$.

5.4 Finding the Group Structure


Let $E$ be an elliptic curve defined over $F_q$, and let $N = \#E(F_q)$. We assume that the factorization of $N$ is known, and also assume that $\gcd(N, q) = 1$. Let $E(F_q)$ have type $(n_1, n_2)$; we present an algorithm, due to Miller [101], for finding $n_1$ and $n_2$. We first make some observations.

Lemma 5.14 Let $P, Q \in E(F_q)$, $r = \mathrm{lcm}(\mathrm{ord}(P), \mathrm{ord}(Q))$, and let $\alpha = e_r(P,Q)$. Then $\mathrm{ord}(\alpha) \mid \gcd(r, n_2)$.

Proof: Let $\mathrm{ord}(P) = a$ and $r = ar'$. Then $Q \in E[ar']$, $P \in E[a]$. By the compatibility property of the Weil pairing,
$$\alpha = e_r(P,Q) = e_{ar'}(P,Q) = e_a(P, r'Q).$$
Hence, we can assume without loss of generality that $\mathrm{ord}(P) = r$.
Now, let $(P, R)$ be a generating pair for $E[r]$, and let $c_1, c_2$ be integers such that $Q = c_1 P + c_2 R$. Since $E(F_q)[r] \cong \mathbb{Z}_r \oplus \mathbb{Z}_l$, where $l = \gcd(r, n_2)$, and since $c_2 R = Q - c_1 P \in E(F_q)$, we must have $lc_2 R = O$. Therefore
$$\alpha^l = e_r(P, c_1 P + c_2 R)^l = e_r(P,P)^{c_1 l}\, e_r(P, lc_2 R) = 1 \cdot e_r(P, O) = 1,$$
as required. □

Corollary 5.15 Let $P, Q \in E(F_q)$, and let $r = \mathrm{lcm}(\mathrm{ord}(P), \mathrm{ord}(Q))$, $s = \mathrm{ord}(e_r(P,Q))$. If $rs = N$, then $n_1 = r$ and $n_2 = s$.
Proof: Since $r \mid n_1$ and $s \mid n_2$, the result follows. □
Corollary 5.15 suggests the following algorithm for computing the group structure of $E(F_q)$.

Input: An equation defining an elliptic curve $E$ over a finite field $F_q$ such that $\gcd(N, q) = 1$, where $N = \#E(F_q)$, and the prime factorization of $N$ is known.
Output: The group type $(n_1, n_2)$ of $E(F_q)$.
Step 1. Pick $P, Q \in E(F_q)$ at random.
Step 2. Compute $\mathrm{ord}(P)$, $\mathrm{ord}(Q)$ (using the factorization of $N$) and $r = \mathrm{lcm}(\mathrm{ord}(P), \mathrm{ord}(Q))$.
Step 3. Compute $\alpha = e_r(P,Q)$.
Step 4. Compute $s = \mathrm{ord}(\alpha)$.
Step 5. If $rs = N$, then output $n_1 = r$, $n_2 = s$. Otherwise go to Step 1.

We analyze the probability of success in Step 5. Firstly,
$$\mathrm{Prob}(P \text{ has order } n_1) \ge \frac{\phi(n_1)}{n_1}.$$
Secondly, by Lemma 5.4,
$$\mathrm{Prob}(\alpha \text{ has order } n_2 \mid P \text{ has order } n_1) \ge \frac{\phi(n_2)}{n_2}.$$
Hence the expected number of iterations before the algorithm stops is
$$\le \frac{n_1 n_2}{\phi(n_1)\phi(n_2)} = O\big((\ln\ln N)^2\big) = O\big((\ln\ln q)^2\big).$$
Since each iteration of the algorithm can be performed in probabilistic polynomial time, the algorithm halts in expected polynomial time.
We conclude by commenting that the condition $\gcd(N, q) = 1$ was only made to simplify the exposition. Moreover, the algorithm can be easily modified to work in probabilistic polynomial time even if we only know the factorization of $\gcd(N, q-1)$. The reader may wish to verify these assertions as an exercise.
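The reduction of Algorithm 2 on the curve of Example 5.10 and the group-structure algorithm just described, carried out in code. This is an added example and not part of the book. It computes the Weil pairing with Miller's algorithm (the algorithm of Section 5.1 is not reproduced on this page, so the implementation here is my own) in the convention $e_n(P,Q) = f_P(D_Q)/f_Q(D_P)$, under which $e_3(P,Q)$ for $P = (3,3)$, $Q = (4,1)$ comes out as one of the two primitive cube roots of unity $3$ or $9$ in $F_{13}$ (the opposite convention gives the inverse); the recovered logarithm $\log_P R = 2$ and the type $(6,3)$ of $E(F_{13})$ do not depend on that choice. The auxiliary points $S$, $T$ are searched for rather than drawn at random, and the logarithm in $F_{13}^*$ is found by brute force, both of which are fine only because $q = 13$.

```python
# Added example (not from the book): Algorithm 2 on the curve of Example 5.10,
# E/F_13 : y^2 = x^3 + 7x, and Miller's group-structure algorithm of Section 5.4,
# both driven by a Weil pairing computed with Miller's algorithm.
import math

p, a = 13, 7                      # E/F_13 : y^2 = x^3 + 7x; affine points, None is O

def inv(v):
    if v % p == 0:
        raise ZeroDivisionError   # inside the pairing: an inadmissible S or T
    return pow(v, p - 2, p)

def add(P, Q):
    """Chord-and-tangent group law on E(F_p)."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None               # Q = -P
    lam = (3 * x1 * x1 + a) * inv(2 * y1) if P == Q else (y2 - y1) * inv(x2 - x1)
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P):
    R = None
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R

def mult_order(z):
    k, t = 1, z % p
    while t != 1:
        k, t = k + 1, t * z % p
    return k

def g(A, B, X):
    """l_{A,B}(X) / v_{A+B}(X): line through A and B (tangent if A = B) over the
    vertical line through A+B, so div g = (A) + (B) - (A+B) - (O).  Raises when X
    is a zero or pole of g, so that the caller can pick other auxiliary points."""
    if A is None or B is None:
        return 1
    (xa, ya), (xb, yb) = A, B
    if xa == xb and (ya + yb) % p == 0:      # vertical line, A + B = O, v = 1
        val = (X[0] - xa) % p
    else:
        lam = (3 * xa * xa + a) * inv(2 * ya) if A == B else (yb - ya) * inv(xb - xa)
        val = (X[1] - ya - lam * (X[0] - xa)) * inv(X[0] - add(A, B)[0]) % p
    if val == 0:
        raise ZeroDivisionError
    return val

def miller(A, n, X):
    """f_{n,A}(X), where div f_{n,A} = n(A) - (nA) - (n-1)(O); double-and-add on n."""
    f, T = 1, A
    for bit in bin(n)[3:]:
        f, T = f * f * g(T, T, X) % p, add(T, T)
        if bit == "1":
            f, T = f * g(T, A, X) % p, add(T, A)
    return f

def weil(P, Q, n, pts):
    """e_n(P,Q) = f_P(D_Q) / f_Q(D_P) with D_P = (P+T) - (T), D_Q = (Q+S) - (S),
    f_P = f_{n,P+T} / f_{n,T} (divisor n D_P) and f_Q = f_{n,Q+S} / f_{n,S};
    S and T run through pts until all eight evaluations are admissible."""
    for S in pts:
        for T in pts:
            PT, QS = add(P, T), add(Q, S)
            if PT is None or QS is None:
                continue
            try:
                fP = lambda X: miller(PT, n, X) * inv(miller(T, n, X)) % p
                fQ = lambda X: miller(QS, n, X) * inv(miller(S, n, X)) % p
                return fP(QS) * inv(fP(S)) * fQ(T) * inv(fQ(PT)) % p
            except ZeroDivisionError:
                continue
    raise ValueError("no admissible auxiliary points")

def points():
    return [(x, y) for x in range(p) for y in range(p) if (y * y - x ** 3 - a * x) % p == 0]

def mov_log(P, R, n):
    """Algorithm 2 with k = 1: a Q in E[n] with e_n(P,Q) of order n maps the
    problem into F_p^*, where alpha^l = beta is then solved (brute force here)."""
    pts = points()
    for Q in pts:
        if mul(n, Q) is None and mult_order(alpha := weil(P, Q, n, pts)) == n:
            beta = weil(R, Q, n, pts)
            return next(l for l in range(n) if pow(alpha, l, p) == beta), alpha, beta, Q
    raise ValueError("E[n] is not contained in E(F_p)")

def group_type(N):
    """Section 5.4: the first (P, Q) with r = lcm(ord P, ord Q), s = ord(e_r(P,Q))
    and r s = N gives the type (n1, n2) = (r, s)."""
    pts = points()
    for P in pts:
        for Q in pts:
            oP, oQ = [next(d for d in range(1, N + 1) if mul(d, X) is None) for X in (P, Q)]
            r = oP * oQ // math.gcd(oP, oQ)
            s = mult_order(weil(P, Q, r, pts))
            if r * s == N:
                return r, s
```

`mov_log((3, 3), (3, 10), 3)` returns $l = 2$ with $Q = (4,1)$ (the points $(3,3)$ and $(3,10)$ of $E[3]$ are tried first and rejected because $e_3(P, \pm P) = 1$), and `group_type(18)` returns $(6, 3)$, i.e. $E(F_{13}) \cong \mathbb{Z}_6 \oplus \mathbb{Z}_3$, which is why $E[3] \subseteq E(F_{13})$ and $k = 1$ in Example 5.10. The check `val == 0` in `g` is what makes the random choice of $S$, $T$ in the text safe to replace by a search: any point on an intermediate line is rejected and the next pair is tried.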

5.5 Notes
For an alternate definition of the Weil pairing, and proofs of the properties of the pairing, see [26] or [142]. The algorithm for computing the Weil pairing in Section 5.1 is based on Miller's unpublished paper [101], as is the algorithm in Section 5.4 for computing the group structure of an elliptic curve. We comment that these algorithms are very efficient in practice. Zuccherato [154] has implemented them on a SUN-2 SPARCstation and reported running times of just a few minutes for computing the Weil pairing of points on curves $E(F_{2^m})$, where $m \approx 200$.
The results in Section 5.2 are taken from [92], and are reprinted here with permission from the IEEE. The extension of the reduction algorithm in Section 5.2.3 was also observed by Miyaji [103]. Necessary and sufficient conditions for all the $n$-torsion points of an elliptic curve to be defined over $F_q$, that is $E[n] \subseteq E(F_q)$, are given in [137].
Frey and Rück [43] recently showed how to use a variant of the Tate pairing for Abelian varieties over local fields to reduce the logarithm problem in the $n$-torsion part of the divisor class group of a projective irreducible non-singular curve over $F_q$ (with $\mathrm{char}(F_q)$ coprime with $n$) to the discrete logarithm problem in $F_{q^k}$, where $k$ is the smallest integer such that $n \mid q^k - 1$. For elliptic curves, this method has the advantage over the method of Section 5.2 that the condition $n \mid q^k - 1$ is usually weaker than the condition $E[n] \subseteq E(F_{q^k})$.
In [57], Huang and Ierardi present a polynomial time algorithm for constructing a rational function of a principal divisor over a projective plane curve that has only ordinary multiple points.
Chapter 6

Implementation of Elliptic
Curve Cryptosystems

In this chapter we explore the feasibility of efficient implementation of an arithmetic processor for performing elliptic curve computations over finite fields. For a secure system, it is evident from the results of Chapter 5 that the curve and underlying field should be judiciously chosen. However we should point out that for a given underlying field there are a large number of suitable elliptic curves to choose from. If the logarithm problem in supersingular curves is indeed as hard as the logarithm problem in finite fields, and/or if the logarithm problem in non-supersingular curves is indeed intractable, then the systems discussed here are both efficient and secure and very attractive for practical usage.
The chapter is organized as follows. In Section 6.1 we discuss how arithmetic in $F_{2^m}$ can be efficiently accomplished. Sections 6.2 through 6.5 consider various issues which arise when using non-supersingular curves to implement ElGamal's cryptosystem; Section 6.6 does the same for supersingular curves. In Section 6.7, we study a scheme, similar in spirit to the RSA cryptosystem, which uses elliptic curves over the ring $\mathbb{Z}_n$. Finally, in Section 6.8, we mention some existing implementations of elliptic curve cryptosystems.

6.1 Field Arithmetic in $F_{2^m}$

Since we will be most interested in elliptic curves over finite fields of characteristic two, we begin by discussing efficient techniques for performing the arithmetic operations in such fields.
The field $F_{2^m}$ can be viewed as a vector space of dimension $m$ over $F_2$. That is, there exists a set of $m$ elements $\alpha_0, \alpha_1, \ldots, \alpha_{m-1}$ in $F_{2^m}$ such that each $\alpha \in F_{2^m}$ can be written uniquely in the form
$$\alpha = \sum_{i=0}^{m-1} a_i \alpha_i, \qquad \text{where } a_i \in \{0, 1\}.$$
We can then represent $\alpha$ as the 0-1 vector $(a_0, a_1, \ldots, a_{m-1})$. In hardware, a field element is stored in a shift register of length $m$. Addition of field elements is performed by bitwise XOR-ing the vector representations, and takes one clock cycle.
In general, there are many different bases of $F_{2^m}$ over $F_2$. A normal basis of $F_{2^m}$ over $F_2$ is a basis of the form
$$\{\beta, \beta^2, \beta^{2^2}, \ldots, \beta^{2^{m-1}}\},$$
where $\beta \in F_{2^m}$; it is well-known [83] that such a basis always exists. Given any element $\alpha \in F_{2^m}$, we can write $\alpha = \sum_{i=0}^{m-1} a_i \beta^{2^i}$, where $a_i \in \{0, 1\}$. Since squaring is a linear operator in $F_{2^m}$, we have
$$\alpha^2 = \sum_{i=0}^{m-1} a_i \beta^{2^{i+1}} = \sum_{i=0}^{m-1} a_{i-1} \beta^{2^i},$$
with indices reduced modulo $m$. Hence a normal basis representation of $F_{2^m}$ is advantageous because squaring a field element can then be accomplished by a simple rotation of the vector representation, an operation that is easily implemented in hardware; squaring an element also takes one clock cycle.
Multiplication in a normal basis representation is more complicated. Let $A = (a_0, a_1, \ldots, a_{m-1})$, $B = (b_0, b_1, \ldots, b_{m-1})$ be arbitrary elements in $F_{2^m}$, and let $C = A \cdot B = (c_0, c_1, \ldots, c_{m-1})$. Then
$$C = \sum_{i=0}^{m-1}\sum_{j=0}^{m-1} a_i b_j \beta^{2^i} \beta^{2^j}. \tag{6.1}$$
If we let
$$\beta^{2^i} \beta^{2^j} = \sum_{k=0}^{m-1} \lambda_{ij}^{(k)} \beta^{2^k}, \qquad \lambda_{ij}^{(k)} \in \{0, 1\}, \tag{6.2}$$
then comparing coefficients of $\beta^{2^k}$ in (6.1) yields the formulae
$$c_k = \sum_{i=0}^{m-1}\sum_{j=0}^{m-1} a_i b_j \lambda_{ij}^{(k)}, \qquad 0 \le k \le m-1. \tag{6.3}$$
Raising both sides of (6.2) to the $2^{-l}$-th power, we find that
$$\beta^{2^{i-l}} \beta^{2^{j-l}} = \sum_{k=0}^{m-1} \lambda_{i-l,\,j-l}^{(k)} \beta^{2^k} = \sum_{k=0}^{m-1} \lambda_{ij}^{(k)} \beta^{2^{k-l}}. \tag{6.4}$$
Equating coefficients of $\beta^{2^0}$ in (6.4) then yields
$$\lambda_{ij}^{(l)} = \lambda_{i-l,\,j-l}^{(0)}, \qquad \text{for all } 0 \le i, j, l \le m-1.$$
The formula (6.3) can now be rewritten as
$$c_k = \sum_{i=0}^{m-1}\sum_{j=0}^{m-1} a_i b_j \lambda_{i-k,\,j-k}^{(0)} = \sum_{i=0}^{m-1}\sum_{j=0}^{m-1} a_{i+k} b_{j+k} \lambda_{ij}^{(0)}.$$
Hence if a logic circuit with inputs $A$ and $B$ is built to compute the product digit $c_0$, the same circuit with inputs $A^{2^{-k}}$ and $B^{2^{-k}}$ yields the product digit $c_k$. Note that $A^{2^{-k}}$ and $B^{2^{-k}}$ are simply cyclic shifts of the vector representations of $A$ and $B$. In this way $C$ can be computed in $m$ clock cycles. Massey and Omura [119] constructed a serial-in serial-out multiplier to exploit this particular aspect of normal bases.
The complexity of such a circuit is determined by $C_N$, the number of non-zero terms $\lambda_{ij}^{(0)}$, since this quantity measures the number of interconnections between the registers containing $A$, $B$ and the product $C$. Clearly, we have $C_N \le m^2$. A lower bound on $C_N$ is $C_N \ge 2m - 1$ [110]. If $C_N = 2m - 1$, then the normal basis is said to be optimal. Optimal normal bases were introduced and studied by Mullin, Onyszchuk, Vanstone and Wilson [110], where constructions are given, together with a list of fields for which these bases exist. An associated architecture for a hardware implementation is given in [2]. Using this architecture a multiplication can be performed in $m$ clock cycles.
Finally, the most efficient technique, from the point of view of minimizing the number of multiplications, to compute an inverse of an element in $F_{2^m}$ was proposed by Itoh, Teechai and Tsujii [59]. Observe that if $a \in F_{2^m}$, $a \ne 0$, then
$$a^{-1} = a^{2^m - 2} = \left(a^{2^{m-1} - 1}\right)^2.$$
If $m$ is odd, then since
$$2^{m-1} - 1 = \left(2^{(m-1)/2} - 1\right)\left(2^{(m-1)/2} + 1\right),$$
we have
$$a^{2^{m-1} - 1} = \left(a^{2^{(m-1)/2} - 1}\right)^{2^{(m-1)/2} + 1}.$$
Hence it takes only one multiplication to evaluate $a^{2^{m-1} - 1}$ once the quantity $a^{2^{(m-1)/2} - 1}$ has been computed (we are again ignoring the cost of squaring). If $m$ is even, then we have
$$2^{m-1} - 1 = 2\left(2^{(m-2)/2} - 1\right)\left(2^{(m-2)/2} + 1\right) + 1,$$
and consequently it takes two multiplications to evaluate $a^{2^{m-1} - 1}$ once $a^{2^{(m-2)/2} - 1}$ has been computed. The procedure is then repeated recursively.

Example 6.1 Consider the field $F_{2^{155}}$. We have
$$\begin{aligned}
2^{155} - 2 &= 2\,(2^{77} - 1)(2^{77} + 1),\\
2^{77} - 1 &= 2\,(2^{19} - 1)(2^{19} + 1)(2^{38} + 1) + 1,\\
2^{19} - 1 &= 2\,(2^9 - 1)(2^9 + 1) + 1,\\
2^9 - 1 &= 2\,(2 + 1)(2^2 + 1)(2^4 + 1) + 1,
\end{aligned}$$
and so an inversion in $F_{2^{155}}$ takes 10 multiplications. □
It can easily be verified by induction that this method requires exactly $I(m) = \lfloor \log_2(m-1) \rfloor + w(m-1) - 1$ field multiplications, where $w(m-1)$ denotes the number of 1's in the binary representation of $m-1$.
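An added example (not from the book) for the normal-basis multiplier and the inversion method of this section, in $F_{2^5}$, the smallest field with an optimal normal basis (type II, since $11$ is prime and $2$ is primitive modulo $11$, per [110]). The working representation is a polynomial basis modulo $x^5 + x^2 + 1$, a choice made here for illustration. The code searches every $\beta$ for a normal basis, builds the table $\lambda_{ij}^{(0)}$, multiplies by the cyclic-shift rule $c_k = \sum_{i,j} a_{i+k} b_{j+k} \lambda_{ij}^{(0)}$, checks the minimum $C_N$ against $2m - 1$, and counts the multiplications used by the Itoh-Tsujii chain against $I(m)$.

```python
# Added example (not from the book): a normal basis of F_{2^5} found by search,
# the lambda_{ij}^{(0)} table of (6.2)-(6.4), the Massey-Omura product (the c_0
# circuit on cyclic shifts of the inputs), the complexity C_N, and the
# Itoh-Tsujii inversion with its multiplication count.  Field elements are ints
# whose bits are coordinates; the polynomial basis modulo x^5 + x^2 + 1 is the
# constructed working representation.
M, POLY = 5, 0b100101
MASK = (1 << M) - 1

def fmul(u, v):
    """Polynomial-basis product modulo POLY (shift-and-add)."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if u >> M:
            u ^= POLY
    return r

def fpow2k(u, k):
    """u^(2^k) by k squarings (each a rotation in a normal basis; not counted)."""
    for _ in range(k):
        u = fmul(u, u)
    return u

def normal_basis(beta):
    """The conjugates beta^(2^i) and the map 'polynomial-basis element ->
    normal-basis coordinates', or None if the conjugates are dependent."""
    conj = [fpow2k(beta, i) for i in range(M)]
    to_nb = {}
    for coords in range(1 << M):
        u = 0
        for i in range(M):
            if coords >> i & 1:
                u ^= conj[i]
        to_nb[u] = coords
    return (conj, to_nb) if len(to_nb) == 1 << M else None

def lambda0(conj, to_nb):
    """lambda_{ij}^{(0)}: the coefficient of beta^(2^0) in beta^(2^i) beta^(2^j)."""
    return [[to_nb[fmul(conj[i], conj[j])] & 1 for j in range(M)] for i in range(M)]

def rot(A, k):
    """A^(2^-k) in normal-basis coordinates: a'_i = a_{i+k}, a cyclic shift."""
    return ((A >> k) | (A << (M - k))) & MASK

def nb_mul(A, B, lam0):
    """Massey-Omura product: c_k = sum_{i,j} a_{i+k} b_{j+k} lambda_{ij}^{(0)},
    i.e. the circuit for c_0 evaluated on the k-fold shifts of A and B."""
    C = 0
    for k in range(M):
        Ak, Bk = rot(A, k), rot(B, k)
        c = 0
        for i in range(M):
            for j in range(M):
                c ^= (Ak >> i & 1) & (Bk >> j & 1) & lam0[i][j]
        C |= c << k
    return C

def complexity(lam0):
    """C_N, the number of non-zero lambda_{ij}^{(0)}; 2m - 1 means optimal."""
    return sum(map(sum, lam0))

def best_normal_basis():
    """(C_N, beta, (conj, to_nb)) for the normal basis of least complexity."""
    best = None
    for beta in range(1, 1 << M):
        nb = normal_basis(beta)
        if nb and (best is None or complexity(lambda0(*nb)) < best[0]):
            best = (complexity(lambda0(*nb)), beta, nb)
    return best

def check_multiplier(conj, to_nb, lam0):
    """Compare nb_mul with the polynomial-basis product on every pair."""
    from_nb = {coords: u for u, coords in to_nb.items()}
    return all(nb_mul(A, B, lam0) == to_nb[fmul(from_nb[A], from_nb[B])]
               for A in range(1 << M) for B in range(1 << M))

def itoh_tsujii(u):
    """u^-1 = (u^(2^(m-1)-1))^2, with t = u^(2^k-1) grown along the bits of
    k = m-1: t(2k) = t(k)^(2^k) t(k) and t(k+1) = t(k)^2 u, one multiplication
    each (squarings are free in a normal basis).  Returns (inverse, count)."""
    t, k, mults = u, 1, 0
    for bit in bin(M - 1)[3:]:
        t, k, mults = fmul(fpow2k(t, k), t), 2 * k, mults + 1
        if bit == "1":
            t, k, mults = fmul(fpow2k(t, 1), u), k + 1, mults + 1
    return fpow2k(t, 1), mults

def inversion_mults(m):
    """The closed form I(m) = floor(log2(m-1)) + w(m-1) - 1 from the text."""
    return (m - 1).bit_length() - 1 + bin(m - 1).count("1") - 1
```

`best_normal_basis()` finds a $\beta$ with $C_N = 9 = 2 \cdot 5 - 1$, so the search recovers an optimal normal basis, and `check_multiplier` confirms the shift rule against ordinary multiplication on all $1024$ pairs. `inversion_mults(155)` gives the $10$ of Example 6.1, and the count returned by `itoh_tsujii` equals `inversion_mults(M)` for every non-zero element, which is the induction claim at the end of the section checked exhaustively for $m = 5$.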

6.2 Selecting a Curve and Field $K$

For convenience, we duplicate below the addition formulae for elliptic curves from Sections 2.4 and 2.5.

Addition Formula for $E : y^2 = x^3 + ax + b$

If $P = (x_1, y_1) \in E$, then $-P = (x_1, -y_1)$. If $Q = (x_2, y_2) \in E$, $Q \ne -P$, then $P + Q = (x_3, y_3)$, where
$$x_3 = \lambda^2 - x_1 - x_2, \qquad y_3 = \lambda(x_1 - x_3) - y_1,$$
and
$$\lambda = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1}, & \text{if } P \ne Q,\\[2ex] \dfrac{3x_1^2 + a}{2y_1}, & \text{if } P = Q. \end{cases}$$

Addition Formula for $E/F_{2^m} : y^2 + xy = x^3 + a_2 x^2 + a_6$

Let $P = (x_1, y_1) \in E$; then $-P = (x_1, y_1 + x_1)$. If $Q = (x_2, y_2) \in E$ and $Q \ne -P$, then $P + Q = (x_3, y_3)$, where
$$x_3 = \begin{cases} \left(\dfrac{y_1 + y_2}{x_1 + x_2}\right)^2 + \dfrac{y_1 + y_2}{x_1 + x_2} + x_1 + x_2 + a_2, & P \ne Q,\\[2ex] x_1^2 + \dfrac{a_6}{x_1^2}, & P = Q, \end{cases}$$
and
$$y_3 = \begin{cases} \left(\dfrac{y_1 + y_2}{x_1 + x_2}\right)(x_1 + x_3) + x_3 + y_1, & P \ne Q,\\[2ex] x_1^2 + \left(x_1 + \dfrac{y_1}{x_1}\right)x_3 + x_3, & P = Q. \end{cases}$$

Addition Formula for $E/F_{2^m} : y^2 + a_3 y = x^3 + a_4 x + a_6$

Let $P = (x_1, y_1) \in E$; then $-P = (x_1, y_1 + a_3)$. If $Q = (x_2, y_2) \in E$ and $Q \ne -P$, then $P + Q = (x_3, y_3)$, where
$$x_3 = \begin{cases} \left(\dfrac{y_1 + y_2}{x_1 + x_2}\right)^2 + x_1 + x_2, & P \ne Q,\\[2ex] \dfrac{x_1^4 + a_4^2}{a_3^2}, & P = Q, \end{cases}$$
and
$$y_3 = \begin{cases} \left(\dfrac{y_1 + y_2}{x_1 + x_2}\right)(x_1 + x_3) + y_1 + a_3, & P \ne Q,\\[2ex] \left(\dfrac{x_1^2 + a_4}{a_3}\right)(x_1 + x_3) + y_1 + a_3, & P = Q. \end{cases}$$

It is evident that two distinct points on an elliptic curve can be added by means of three multiplications and one inversion of field elements in the underlying field $K$, while a point can be doubled in one inversion and four multiplications in $K$. Additions and subtractions are not considered in this count since these operations are relatively inexpensive. We would like to select a curve and field $K$ so that the number of field operations involved in adding two points is minimized. Curves over $K = F_{2^m}$ are preferred for the following four reasons.

(i) The arithmetic in $F_{2^m}$ is easier to implement in computer hardware than the arithmetic in finite fields of characteristic greater than 2.
(ii) When using a normal basis representation for the elements of $F_{2^m}$, squaring a field element becomes a simple cyclic shift of the vector representation, and thus the multiplication count in adding two points is reduced.
(iii) With curves over $F_{2^m}$ it is easy to recover the $y$-coordinate of a point given its $x$-coordinate plus a single bit of extra information. This is useful in reducing message expansion in the ElGamal cryptosystem, as will be explained in Section 6.4.
(iv) A fourth reason applies to supersingular curves. For supersingular curves over $F_{2^m}$, the inverse operation in doubling a point can be eliminated by choosing $a_3 = 1$, further reducing the operation count.

For these reasons we will first consider non-supersingular curves over $F_{2^m}$. The implementation of supersingular curves over $F_{2^m}$ will be considered in Section 6.6.
Recall from Chapter 3 that there are $2(q-1)$ isomorphism classes of non-supersingular elliptic curves over $F_q$, where $q = 2^m$. A set of representative curves, one from each class, is
$$y^2 + xy = x^3 + a_2 x^2 + a_6, \tag{6.5}$$
where $a_6 \in F_q \setminus \{0\}$, $a_2 \in \{0, \gamma\}$, and $\gamma$ is an element in $F_q$ of trace 1.
As discussed in Chapter 5, if the attack of Algorithm 2 is not feasible, then the best algorithm known for the logarithm problem in non-supersingular elliptic curves is the baby-step giant-step algorithm. A non-supersingular curve that is suitable for cryptographic applications is one whose order is divisible by a large prime factor, say a prime factor of at least 40 decimal digits. Consequently, the underlying field should be of size at least $2^{130}$. The underlying field should also have an optimal normal basis in order to achieve efficient field arithmetic. In addition, we prefer a curve whose group is cyclic; this will be the case, for example, if $\#E(F_q)$ has no repeated prime factors.
One method of selecting curves is to choose a curve $E$ defined over $F_q$, where $q$ is small enough so that $\#E(F_q)$ can be computed directly, and then using the group $E(F_{q^n})$ for suitable $n$. Note that $\#E(F_{q^n})$ can easily be computed from $\#E(F_q)$ by the Weil Theorem. Observe also that if $l$ divides $n$, then $\#E(F_{q^l})$ divides $\#E(F_{q^n})$, and so we should select $n$ such that it is prime, or else a product of a small factor and a large prime.

Example 6.2 In selecting a non-supersingular curve over $F_{2^{155}}$, we may pick a curve defined over $F_{2^5}$. There are 12 possibilities for $\#E(F_{2^5})$. Of these, there are 5 values for which $\#E(F_{2^{155}})$ is divisible by a large prime. We list in Table 6.1 the size of the largest prime divisor of $\#E(F_{2^{155}})$ for these 5 values.

$\#E(F_{2^5})$ | Number of digits in the largest prime divisor of $\#E(F_{2^{155}})$
22             | 37
28             | 36
36             | 46
38             | 36
42             | 41

Table 6.1: Some non-supersingular curves over $F_{2^5}$.

The curves with $\#E(F_{2^5}) = 36$ or $42$ would be best suited for cryptographic purposes. □
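An added example (not from the book) that computes $\#E(F_{q^l})$ from $\#E(F_q)$ by the Weil Theorem, as used in this section and in Example 6.2, and runs the two conditions of Section 5.3 against the reduction of Algorithm 2 ($v^2 \nmid \#E(F_{q^l})$ or $v \nmid q^l - 1$ for each $l \le c$). The inputs are the orders $36$ and $42$ of Example 6.2, the order $18$ of the curve of Example 5.10, the class (I) curve $y^2 + y = x^3$ over $F_{2^5}$ with $\#E = 2^5 + 1 = 33$, and a constructed order $\#E(F_{13}) = 10$ (a curve with this order exists by Hasse's bound) to show a case that passes the check.

```python
# Added example (not from the book): #E(F_{q^l}) from #E(F_q) by the Weil
# Theorem, and the Section 5.3 conditions that keep E[v] out of E(F_{q^l}).
# Orders used in the tests: 36, 42 (Example 6.2), 18 (Example 5.10), 33 (the
# class (I) curve y^2 + y = x^3 over F_{2^5}) and a constructed #E(F_13) = 10.

def curve_orders(q, N1, lmax):
    """[#E(F_{q^l}) for l = 1..lmax] given N1 = #E(F_q).  With t = q + 1 - N1
    and s_l = alpha^l + beta^l for the roots alpha, beta of x^2 - t x + q, the
    Weil Theorem gives #E(F_{q^l}) = q^l + 1 - s_l, where s_0 = 2, s_1 = t and
    s_l = t s_{l-1} - q s_{l-2} (exact integer arithmetic throughout)."""
    t = q + 1 - N1
    s_prev, s, orders = 2, t, []
    for l in range(1, lmax + 1):
        orders.append(q ** l + 1 - s)
        s_prev, s = s, t * s - q * s_prev
    return orders

def in_hasse_bound(q, N):
    """|N - q - 1| <= 2 sqrt(q), checked without floating point."""
    return (N - q - 1) ** 2 <= 4 * q

def mov_check(q, N1, v, c):
    """Section 5.3: E[v] is certainly not in E(F_{q^l}) when v^2 does not divide
    #E(F_{q^l}) or v does not divide q^l - 1.  Returns the first l <= c at which
    neither condition excludes it (Algorithm 2 may then apply with k = l), or
    None when the curve passes for every l <= c, i.e. k > c."""
    for l, N in enumerate(curve_orders(q, N1, c), start=1):
        if N % (v * v) == 0 and pow(q, l, v) == 1:
            return l
    return None
```

For the supersingular curve with $\#E(F_{2^5}) = 33$ and $v = 11$, `mov_check(32, 33, 11, 6)` returns $2$, the $k = 2$ of class (I); for Example 5.10, `mov_check(13, 18, 3, 6)` returns $1$ since $E[3] \subseteq E(F_{13})$. `curve_orders(32, 36, 31)` gives $\#E(F_{2^{155}})$ for the first curve recommended in Example 6.2; it is divisible by $\#E(F_{2^5}) = 36$ and lies in the Hasse interval, and $\#E(F_{2^{10}})$ divides $\#E(F_{2^{20}})$, as the text says it must. The code does not factor these orders; the digit counts of Table 6.1 are not checked here.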

If a random elliptic curve $E$ is required, then $\#E(F_q)$ can be computed in polynomial time by Schoof's algorithm [136], as was suitably adapted by Koblitz to curves over fields of characteristic 2 [71]. We will study this method and an implementation of it in Chapter 7. Using heuristic arguments, Koblitz [71] showed that if $E/F_q$ is a randomly chosen non-supersingular curve, $q = 2^m$, then the probability that $N = \#E(F_q)$ is divisible by a prime factor $\ge N/B$ is about $\frac{1}{m}\log_2(B/2)$. Thus, for example, the probability that the order of a randomly chosen non-supersingular curve over $F_{2^{155}}$ is divisible by a 40-digit prime is approximately
$$\frac{1}{155}\log_2\left(\frac{2^{155}}{2 \cdot 10^{40}}\right) \approx 0.136.$$
Hence one can expect to try about 7 curves before a suitable one is found.

6.3 Projective Coordinates


From the addition formulae, we see that adding two distinct points on
a non-supersingular curve over K = F_{2^m} takes 2 field multiplications
and 1 inversion, while doubling a point takes 3 multiplications and 1
inversion. Even though there are special techniques for computing in-
verses in F_{2^m}, a field inversion is still far more expensive than a field
multiplication. The inverse operation needed when adding two points
can be eliminated by resorting to projective coordinates.
Let E/K be the non-supersingular curve $y^2 + xy = x^3 + a_2x^2 + a_6$.
The curve E can be equivalently viewed as the set of all points in the
projective plane $P^2(K)$ which satisfy the homogeneous cubic equation
$y^2z + xyz = x^3 + a_2x^2z + a_6z^3$. Let $P = (x_1 : y_1 : z_1) \in E$, $Q = (x_2 : y_2 : 1) \in E$,
and suppose that $P, Q \neq O$, $P \neq Q$ and $P \neq -Q$. Since
$P = (x_1/z_1 : y_1/z_1 : 1)$ we can use the addition formula for E in affine
coordinates to find $P + Q = (x_3' : y_3' : 1)$. We obtain

where $A = (x_2z_1 + x_1)$ and $B = (y_2z_1 + y_1)$.

To eliminate the denominators of the expressions for $x_3'$ and $y_3'$, we
set $Z_3 = A^3z_1$, $X_3 = x_3'Z_3$ and $Y_3 = y_3'Z_3$, to obtain $P + Q = (X_3 : Y_3 : Z_3)$,
where

$$X_3 = AD, \qquad Y_3 = CD + A^2(Bx_1 + Ay_1), \qquad Z_3 = A^3z_1.$$

This addition can be done in 13 multiplications of field elements,
which is more than the 2 multiplications required when using affine co-
ordinates. We save however by not having to perform a costly inversion.
The gain occurs at the expense of space however, as we now need extra
registers to store P and Q, and also to store intermediate results when
doing the addition.
The formulae for computing $2P = (X_3 : Y_3 : Z_3)$ are

$$X_3 = AB, \qquad Y_3 = x_1^4A + B(x_1^2 + y_1z_1 + A),$$

where $A = x_1z_1$ and $B = a_6z_1^4 + x_1^4$. Hence a doubling can be done in
7 multiplications, which again is an improvement on the formulae with
affine coordinates which needed 1 inversion and 3 multiplications.
If k is a positive integer and P is the affine point $(x_1, y_1, 1)$, then the
multiple kP can be computed by always doubling the accumulator and
adding in the point P when necessary. The result $kP = (X_3, Y_3, Z_3)$ can
be converted back into affine coordinates by multiplying each coordinate
by $Z_3^{-1}$. If $w(k) = t + 1$, then the total operation count to compute kP
is $13t + 7m + 2$ field multiplications and one inversion.
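The projective arithmetic of this section as an added, runnable example (not the book's code). It checks the projective formulas against the affine group law and reproduces the 13 and 7 multiplication counts and the $13t + 7m + 2$ total; the intermediate names C and D, and $Z_3 = A^3$ for the doubling, are mine, obtained by clearing the affine denominators, and the field is F_{2^7} in a polynomial basis rather than the book's normal basis.

```python
# Added example (not the book's code): affine versus projective arithmetic on a
# non-supersingular curve y^2 + xy = x^3 + a2 x^2 + a6 over F_{2^7}, with a counter
# that reproduces the 13 / 7 multiplication costs and the 13t + 7m + 2 total above.
# Assumptions: polynomial basis modulo x^7 + x + 1 (the book assumes a normal basis,
# where squaring is free, so squarings are not counted); C = A + B and
# D = B C z1 + A^2 (x1 + a2 z1 + x2 z1) are my names for the intermediate terms.
M, MOD = 7, 0b10000011                    # x^7 + x + 1
A2, A6 = 1, 0b1011                        # constructed curve; Tr(1) = 1 as M is odd
MULS = [0]                                # running count of field multiplications

def mul(a, b):
    MULS[0] += 1
    r = 0
    while b:
        if b & 1: r ^= a
        b >>= 1; a <<= 1
        if a >> M: a ^= MOD
    return r

def sqr(a):
    """Squaring is free in a normal basis, so it leaves the counter unchanged."""
    saved = MULS[0]; r = mul(a, a); MULS[0] = saved
    return r

def inv(a):
    """a^(2^M - 2); the book charges an inversion separately, so it is not counted."""
    saved, r, s = MULS[0], 1, a
    for _ in range(M - 1):
        s = sqr(s); r = mul(r, s)
    MULS[0] = saved
    return r

def aff_add(p, q):
    """Affine group law; None is O and -(x, y) = (x, x + y)."""
    if p is None: return q
    if q is None: return p
    x1, y1 = p; x2, y2 = q
    if x1 == x2:
        if y1 != y2 or x1 == 0:           # q = -p, or doubling a point of order 2
            return None
        lam = x1 ^ mul(y1, inv(x1))       # doubling: lambda = x1 + y1/x1
        x3 = sqr(lam) ^ lam ^ A2
        return (x3, sqr(x1) ^ mul(lam ^ 1, x3))
    lam = mul(y1 ^ y2, inv(x1 ^ x2))
    x3 = sqr(lam) ^ lam ^ x1 ^ x2 ^ A2
    return (x3, mul(lam, x1 ^ x3) ^ x3 ^ y1)

def proj_add(P, q):
    """(X1:Y1:Z1) + (x2:y2:1), P != +-Q and neither O: 13 multiplications."""
    x1, y1, z1 = P; x2, y2 = q
    x2z1 = mul(x2, z1)
    A = x2z1 ^ x1
    B = mul(y2, z1) ^ y1
    C = A ^ B
    D = mul(mul(B, C), z1) ^ mul(sqr(A), x1 ^ mul(A2, z1) ^ x2z1)
    X3 = mul(A, D)
    Y3 = mul(C, D) ^ mul(sqr(A), mul(B, x1) ^ mul(A, y1))
    Z3 = mul(mul(sqr(A), A), z1)
    return (X3, Y3, Z3)

def proj_double(P):
    """2(X1:Y1:Z1) with the Section 6.3 formulas and Z3 = A^3: 7 multiplications."""
    x1, y1, z1 = P
    A = mul(x1, z1)
    x4, z4 = sqr(sqr(x1)), sqr(sqr(z1))
    B = mul(A6, z4) ^ x4
    Y3 = mul(x4, A) ^ mul(B, sqr(x1) ^ mul(y1, z1) ^ A)
    return (mul(A, B), Y3, mul(sqr(A), A))

def proj_mul(k, p):
    """kP for affine p and 1 < k < ord(p): double-and-add from the top bit, then
    one inversion and two multiplications back to affine coordinates."""
    acc = (p[0], p[1], 1)
    for bit in bin(k)[3:]:
        acc = proj_double(acc)
        if bit == "1": acc = proj_add(acc, p)
    zi = inv(acc[2])
    return (mul(acc[0], zi), mul(acc[1], zi))

def mul_cost(k, p):
    """Multiplications spent by proj_mul(k, p); the text predicts 13 t + 7 m + 2 with
    t = w(k) - 1 additions and m = bitlength(k) - 1 doublings."""
    start = MULS[0]
    proj_mul(k, p)
    return MULS[0] - start

def base_point():
    """First affine point with x != 0 and order above 3, together with its order
    (so that proj_mul never has to add equal or opposite points)."""
    for x in range(1, 1 << M):
        for y in range(1 << M):
            if sqr(y) ^ mul(x, y) == mul(sqr(x), x) ^ mul(A2, sqr(x)) ^ A6:
                n, acc = 1, (x, y)
                while acc is not None:
                    acc, n = aff_add(acc, (x, y)), n + 1
                if n > 3: return (x, y), n
```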

6.4 ElGamal Cryptosystem

We begin by reviewing the ElGamal cryptosystem for message passing
using elliptic curve groups.
Let E be the non-supersingular curve $y^2 + xy = x^3 + a_2x^2 + a_6$
defined over F_{2^m}, and let P be a publicly known point on E, preferably
a generator of E. The elements of F_{2^m} are assumed to be represented
with respect to a normal basis. User A randomly chooses an integer
a and makes public the point aP, while keeping a itself secret. We
assume that messages are ordered pairs of elements in F_{2^m}. To transmit
the message $(M_1, M_2)$ to A, sender B selects a random integer k and
computes the points kP and $akP = (x, y)$. Assuming that $x, y \neq 0$ (the
event x = 0 or y = 0 occurs with negligible probability for random k),
B then sends A the point kP, and the field elements $M_1x$ and $M_2y$.
To read the message, A multiplies the point kP by her secret key a to
obtain (x, y), from which she can recover $M_1$ and $M_2$ in two divisions.
A drawback of the method is that if an intruder happens to know
$M_1$ (or $M_2$), he can then easily obtain $M_2$ (or $M_1$). This attack can be
prevented by only sending $(kP, M_1x)$.
In the ElGamal cryptosystem, four field elements are transmitted
in order to convey a message consisting of two field elements. We say
that there is message expansion by a factor of 2. The message expansion
factor can be reduced to 3/2 by only sending $x_1$ and a single bit of $y_1/x_1$
(if $x_1 \neq 0$), instead of sending the point $P = (x_1, y_1)$. The following
method can then be used to recover $y_1$. First, if $x_1 = 0$, then $y_1 = \sqrt{a_6}$.
If $x_1 \neq 0$, then the change of variables $(x, y) \mapsto (x, xz)$ transforms
the equation of the curve (6.5) to $z^2 + z = x + a_2 + a_6x^{-2}$. Compute
$\alpha = x_1 + a_2 + a_6x_1^{-2}$. To solve the quadratic equation $z^2 + z = \alpha$,
let $z = (z_0, z_1, \ldots, z_{m-1})$ and $\alpha = (\alpha_0, \alpha_1, \ldots, \alpha_{m-1})$ be the vector
representations of z and $\alpha$ respectively. Then

$$z^2 + z = (z_{m-1} + z_0,\ z_0 + z_1,\ \ldots,\ z_{m-2} + z_{m-1}).$$

Each choice $z_0 = 0$ or $z_0 = 1$ uniquely determines a solution z to
$z^2 + z = \alpha$, by comparing the components of $z^2 + z$ and $\alpha$. The correct
solution z is selected by comparison with the corresponding bit of $y_1/x_1$
that was transmitted. Finally, $y_1$ is recovered as $y_1 = x_1z$.
If every user uses the same elliptic curve and base point P, then the
public key, namely the point aP, is m + 1 bits in length. Otherwise the
public key consists of $a_6$ ($a_2$ can be fixed to be 0), and the points P and
aP, for a total size of 3m + 2 bits.

6.5 Performance

We estimate the throughput rate of encryption using the elliptic curve
analogue of the ElGamal public key cryptosystem. The estimates are
based on calculating kP and so also apply to the ElGamal and gener-
alized NIST signature schemes. For concreteness we will only consider
non-supersingular curves over F_{2^155} (m = 155). This choice is appropri-
ate because there is an optimal normal basis in F_{2^155}.
A multiplication in F_{2^155} takes 155 clock cycles, while an inversion
takes I(155) = 10 multiplications. We use projective coordinates, so
adding two points takes 13 multiplications, and a doubling 7.
In the ElGamal system, the computation of kP and kaP requires m
additions of points on average and 2m doublings, for a randomly chosen
k. To increase the speed of the system, and also to place an upper
bound on the time for encryption, we limit the Hamming weight of k
to some integer d, where $d \leq m$. A similar technique is used in RSA
(see [55]) and in [2]. The integer d should be selected so that $\binom{m}{d/2}$ is
large in order to prevent attacks by the (close to) square root method
[116]. For the present discussion, we choose d = 30.
The computation of kP takes 29 additions of points, 155 doublings, 1
field inversion and 2 field multiplications. The same holds for computing
kaP. Computing $M_1x$ and $M_2y$, where kaP = (x, y), takes another 2
multiplications. Thus two field elements can be encrypted in 2950 field
multiplications. Finally, assuming a clock rate of 40 MHz, we get an
encryption rate of

$$\frac{310 \times 40{,}000{,}000}{1000 \times 2950 \times 155} \approx 27 \text{ Kbits/sec}.$$

If extra registers are available, as is the case if the implementation is
in software, then the computation of kP can be speeded up significantly
by precomputing some multiples of P [17].

6.6 Using Supersingular Curves

So far we have restricted the discussion to non-supersingular elliptic
curves. However, supersingular curves may also be attractive for im-
plementation of cryptosystems. We consider the case of supersingular
curves over F_{2^m}, m odd.
Recall from Chapter 3 that there are precisely 3 isomorphism classes
of supersingular curves over F_{2^m}, m odd. A representative curve from
each class is

$$E_1:\ y^2 + y = x^3, \qquad E_2:\ y^2 + y = x^3 + x, \qquad E_3:\ y^2 + y = x^3 + x + 1.$$

The "k" values for the 3 curves are 2, 4 and 4 respectively. Hence we
shall only consider the curves $E_2$ and $E_3$. With the current state of
our knowledge, it appears that the discrete logarithm problem in these
curves is equivalent to the discrete logarithm in the extension field F_{2^{4m}}.
The addition formula for the curves $E_2$ and $E_3$ simplifies to

$$x_3 = \begin{cases} \left(\dfrac{y_1 + y_2}{x_1 + x_2}\right)^2 + x_1 + x_2, & P \neq Q, \\[2ex] x_1^4 + 1, & P = Q, \end{cases}$$

and

$$y_3 = \begin{cases} \left(\dfrac{y_1 + y_2}{x_1 + x_2}\right)(x_1 + x_3) + y_1 + 1, & P \neq Q, \\[2ex] x_1^4 + y_1^4 + 1, & P = Q. \end{cases}$$

If a normal basis representation is chosen for the elements of F_{2^m}, we
see that doubling a point in $E_2$ or $E_3$ is "free", while adding two distinct
points can be accomplished in two multiplications and one inversion.
The multiple kP of the point P is computed by the repeated square-
and-multiply method. If $w(k) = t + 1$, then the exponentiation takes 2t
multiplications and t inversions.
The inverse operation needed when adding two points can be elim-
inated by resorting to projective coordinates. We present the formu-
lae below. Let E be either $E_2$ or $E_3$. Let $P = (x_1 : y_1 : 1) \in E$,
$Q = (x_2 : y_2 : z_2) \in E$, and suppose that $P, Q \neq O$, $P \neq Q$ and
$P \neq -Q$. Let $P + Q = (X_3 : Y_3 : Z_3)$. Then

$$X_3 = A^2Bz_2 + B^4, \qquad Y_3 = (1 + y_1)Z_3 + A^3z_2 + AB^2x_2, \qquad Z_3 = B^3z_2,$$

where $A = (y_1z_2 + y_2)$ and $B = (x_1z_2 + x_2)$. This addition formula
requires 9 multiplications of field elements.
One can now compute the multiple kP, where P is the affine point
$(x_1, y_1, 1)$, by the repeated square-and-multiply method. The result
$kP = (X_3, Y_3, Z_3)$ can be converted back into affine coordinates by mul-
tiplying each coordinate by $Z_3^{-1}$. If $w(k) = t + 1$, then the total operation
count to compute kP is 9t + 2 field multiplications and one inversion.
As with the non-supersingular curves, the curves $E_2$ or $E_3$ can be
used to implement the ElGamal cryptosystem. Again, the message ex-
pansion factor can be reduced to 3/2 by only sending the x-coordinate
$x_1$ of kP and a single bit of the y-coordinate $y_1$ of kP. $y_1$ can easily
be recovered from this information as follows. First $\alpha = x_1^3 + x_1$ or
$x_1^3 + x_1 + 1$ is computed, depending on whether $E = E_2$ or $E_3$ respec-
tively, by a single multiplication of $x_1$ and $x_1^2$. Since the trace of $\alpha$ must
be 0, we have that either

$$y_1 = \alpha + \alpha^{2^2} + \alpha^{2^4} + \cdots + \alpha^{2^{m-1}}$$

or else

$$y_1 = \alpha + \alpha^{2^2} + \alpha^{2^4} + \cdots + \alpha^{2^{m-1}} + 1.$$

The identity 1 is represented by the vector of all 1's, and so the single
bit of $y_1$ that was sent enables one to make the correct choice for $y_1$.
Notice that the computation of $y_1$ is inexpensive, since the terms in the
formula for $y_1$ may be obtained by successively squaring $\alpha$.
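The supersingular arithmetic and the y-recovery above as an added, runnable example (not the book's code). It works on $E_3$ over F_{2^7} in a polynomial basis rather than the book's normal basis, checks the free doubling and the 9-multiplication projective addition against repeated affine addition, and recovers $y_1$ from $x_1$ plus one bit with the half-trace sum, rejecting an $x_1$ whose $\alpha$ does not have trace 0; the grouping of the $Y_3$ terms that reaches 9 multiplications is mine, and the doubling y-coordinate is computed from the tangent slope $x_1^2 + 1$ through the $P \neq Q$ formula.

```python
# Added example (not the book's code): the supersingular curve E3: y^2 + y = x^3 + x + 1
# over F_{2^7}: free doubling, the 9-multiplication projective addition, and recovery
# of y from x plus one bit through the half-trace sum of alpha (the same sum solves
# z^2 + z = alpha in Section 6.4 for odd m).  Assumptions: polynomial basis modulo
# x^7 + x + 1 (the book assumes a normal basis); the grouping Y3 = (1 + y1) Z3 +
# A (B^2 x2 + A^2 z2), which reaches 9 multiplications, is mine.
M, MOD = 7, 0b10000011

def mul(a, b):
    r = 0
    while b:
        if b & 1: r ^= a
        b >>= 1; a <<= 1
        if a >> M: a ^= MOD
    return r

def sqr(a):
    return mul(a, a)

def inv(a):
    r, s = 1, a                               # a^(2^M - 2)
    for _ in range(M - 1):
        s = sqr(s); r = mul(r, s)
    return r

def trace(a):
    t = 0
    for _ in range(M):
        t ^= a; a = sqr(a)
    return t

def on_curve(p):
    x, y = p
    return sqr(y) ^ y == mul(sqr(x), x) ^ x ^ 1

def add(p, q):
    """Affine law on E3; None is O and -(x, y) = (x, y + 1)."""
    if p is None: return q
    if q is None: return p
    x1, y1 = p; x2, y2 = q
    if x1 == x2:
        if y1 != y2: return None
        # tangent slope x1^2 + 1, so x3 = x1^4 + 1 and
        # y3 = (x1^2 + 1)(x1 + x3) + y1 + 1 = x1^4 + y1^4 (adding 1 would give -2P)
        x4 = sqr(sqr(x1))
        return (x4 ^ 1, x4 ^ sqr(sqr(y1)))
    lam = mul(y1 ^ y2, inv(x1 ^ x2))
    x3 = sqr(lam) ^ x1 ^ x2
    return (x3, mul(lam, x1 ^ x3) ^ y1 ^ 1)

def proj_add(p, Q):
    """(x1:y1:1) + (X2:Y2:Z2), P != +-Q: 9 field multiplications, no inversion."""
    x1, y1 = p; x2, y2, z2 = Q
    A = mul(y1, z2) ^ y2
    B = mul(x1, z2) ^ x2
    A2, B2 = sqr(A), sqr(B)
    T = mul(B, z2)
    Z3 = mul(B2, T)                                   # B^3 z2
    X3 = mul(A2, T) ^ sqr(B2)                         # A^2 B z2 + B^4
    Y3 = mul(y1 ^ 1, Z3) ^ mul(A, mul(B2, x2) ^ mul(A2, z2))
    return (X3, Y3, Z3)

def proj_double(Q):
    """2(X:Y:Z) = (X^4 + Z^4 : X^4 + Y^4 : Z^4): squarings only, 'free'."""
    x, y, z = Q
    x4, y4, z4 = sqr(sqr(x)), sqr(sqr(y)), sqr(sqr(z))
    return (x4 ^ z4, x4 ^ y4, z4)

def mult(k, p):
    """kP in projective coordinates for 1 < k < ord(p), returned in affine form."""
    acc = (p[0], p[1], 1)
    for bit in bin(k)[3:]:
        acc = proj_double(acc)
        if bit == "1": acc = proj_add(p, acc)
    zi = inv(acc[2])
    return (mul(acc[0], zi), mul(acc[1], zi))

def half_trace(a):
    """H(a) = a + a^4 + a^16 + ... + a^(2^(M-1)); H(a)^2 + H(a) = a + Tr(a), M odd."""
    h = 0
    for _ in range((M + 1) // 2):
        h ^= a; a = sqr(sqr(a))
    return h

def decompress(x, bit):
    """Receiver side: alpha = x^3 + x + 1 must have trace 0 for x to be an
    x-coordinate (reject it otherwise); y is H(alpha) or H(alpha) + 1, which differ
    in the constant coefficient, so the transmitted low bit of y picks one."""
    alpha = mul(sqr(x), x) ^ x ^ 1
    if trace(alpha) != 0:
        raise ValueError("x is not the x-coordinate of a point on E3")
    y = half_trace(alpha)
    return (x, y if (y & 1) == bit else y ^ 1)

def base_point():
    """First affine point of order above 3, with its order (found by exhaustion)."""
    for x in range(1 << M):
        for y in range(1 << M):
            if on_curve((x, y)):
                n, acc = 1, (x, y)
                while acc is not None:
                    acc, n = add(acc, (x, y)), n + 1
                if n > 3: return (x, y), n
```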
We estimate the throughput rate of encryption using the elliptic
curve analogue of the ElGamal public key cryptosystem. We assume
that a multiplication in F_{2^m} takes m clock cycles, while an inversion
takes $I(m) = \lfloor \log_2(m-1) \rfloor + w(m-1) - 1$ multiplications. For simplicity,
we ignore the cost of field additions and squarings. Elliptic curve points
will be represented using projective coordinates. Again, to increase
the speed of the system, and to place an upper bound on the time for
encryption, we limit the Hamming weight of k to 30.
The computation of kP and kaP takes 58 additions of points, 2 field
inversions and 4 field multiplications. Computing $M_1x$ and $M_2y$, where
kaP = (x, y), takes another 2 multiplications. Thus two field elements
can be encrypted in $528 + 2I(m)$ field multiplications. For concreteness
we select the curve $E_3$ over F_{2^239}. This choice is appropriate because an
optimal normal basis exists in F_{2^239}. Also, since $\#E_3(F_{2^{239}})$ is a 72 digit
prime, the square root attacks for computing elliptic curve logarithms
do not apply. Finally, noting that I(239) = 12, and assuming a clock
rate of 40 MHz, we get an encryption rate of

$$\frac{478 \times 40{,}000{,}000}{1000 \times 552 \times 239} \approx 145 \text{ Kbits/sec}.$$

Table 6.2 lists some fields F_{2^m} for which an optimal normal basis
exists, and where either $\#E_2(F_{2^m})$ or $\#E_3(F_{2^m})$ contains a large prime
factor, precluding a square-root attack. The factorizations of the orders
of the curves were obtained from [19]. The approximate running time for
an index calculus attack in F_{2^{4m}} is also included, using the asymptotic
running time estimate of

$$\exp\left(1.35\, n^{1/3} (\ln n)^{2/3}\right)$$

operations for computing discrete logarithms in F_{2^n} [115].


    m    Curve   Order of curve over F_{2^m}           Estimated operation count for an
                                                       index calculus attack in F_{2^{4m}}
    173  E2      5 . 13625405957 . P42                1.4 x 10^18
    173  E3      7152893721041 . P40                  1.4 x 10^18
    179  E3      1301260549 . P45                     2.5 x 10^18
    191  E2      5 . 3821 . 89618875387061 . P40      8.6 x 10^18
    191  E3      25212001 . 5972216269 . P41          8.6 x 10^18
    233  E2      5 . 3108221 . P63                    4.3 x 10^20
    239  E2      5 . 77852679293 . P61                7.2 x 10^20
    239  E3      P72                                  7.2 x 10^20
    281  E3      91568909 . PRP77                     2.3 x 10^22
    323  E3      137 . 953 . 525313 . P87             5.3 x 10^23

Table 6.2: Some suitable supersingular curves over F_{2^m}, m odd. (Pk denotes a
k-digit prime and PRPk a k-digit probable prime.)

6.7 Elliptic Curve Cryptosystems over Z_n

To set up this scheme, each user, say A, selects 2 large primes p and q
each congruent to 2 modulo 3, and computes n = pq. A then selects a
random integer e such that gcd(e, (p + 1)(q + 1)) = 1, and computes an
integer d such that

$$ed \equiv 1 \pmod{(p + 1)(q + 1)}.$$

A makes n and e public. To transmit a message $m = (x, y) \in Z_n \times Z_n$
to A, user B computes

in the group
$$E_{0,b}(Z_n) = E_{0,b}(F_p) \times E_{0,b}(F_q),$$

where $b = y^2 - x^3 \pmod n$. Note that m is indeed in $E_{0,b}(Z_n)$. B
can do this by computing in $E_{0,b}(Z_n)$ since, as noted in Section 2.8,
the probability of an application of the group law being unsuccessful is
remote. B then transmits $(c_1, c_2)$ to A, who can recover the message by
computing

The last equation is true because, as noted in Example 2.17, we have

whence

As with RSA, the system can also be used by A to sign messages.
The cryptosystem has the interesting property that the particular
curve on which the computations are performed depends on the message.
Like the RSA system, its security is based on the difficulty of factoring
n; however, it is not known whether breaking the system is equivalent
to factoring n.
Although the system is not as efficient as RSA, it has the advantage
that it appears to be resistant to some of the known attacks on RSA.
We refer the reader to the original paper [74] for more details.
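The scheme of this section as an added, runnable example (not the book's code, nor the original paper's). Because the displayed equations are not legible on this page, the example assumes that encryption is $c = e \cdot m$ and decryption $m = d \cdot c$ on $E_{0,b}(Z_n)$, with b read off the message point; decryption then works because $\#E_{0,b}(F_p) = p + 1$ for $p \equiv 2 \pmod 3$, so $(p+1)(q+1)$ annihilates every point. The toy primes near $2^{31}$ are constructed inside the block.

```python
# Added example (not the book's code; the displayed equations of this scheme are not
# legible on this page, so the operations below are assumptions): encrypt as c = e*m
# and decrypt as m = d*c on E_{0,b}(Z_n), y^2 = x^3 + b, where b is read off the
# message point.  Decryption works because #E_{0,b}(F_p) = p + 1 when p = 2 (mod 3),
# so (p + 1)(q + 1) annihilates every point.  Toy primes near 2^31 are generated inline.
from math import gcd, isqrt

def is_prime(n):
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, isqrt(n) + 1, 2))

def next_prime_2_mod_3(start):
    """Smallest prime p >= start with p = 2 (mod 3)."""
    p = start
    while p % 3 != 2 or not is_prime(p):
        p += 1
    return p

def ec_add(p1, p2, n):
    """Group law on y^2 = x^3 + b over Z_n (b stays implicit); None is O.  A non-
    invertible denominator raises ValueError; gcd(denominator, n) would then factor n."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % n == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, n) % n
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, n) % n
    x3 = (lam * lam - x1 - x2) % n
    return (x3, (lam * (x1 - x3) - y1) % n)

def ec_mul(k, p, n):
    """kP by double-and-add; every intermediate point lies on the same curve."""
    acc = None
    for bit in bin(k)[2:]:
        acc = ec_add(acc, acc, n)
        if bit == "1":
            acc = ec_add(acc, p, n)
    return acc

def curve_b(p, n):
    """The b for which the point p lies on y^2 = x^3 + b over Z_n."""
    x, y = p
    return (y * y - x * x * x) % n

def keygen(p_start=2**31, q_start=2**31 + 10**6):
    """n = pq with p, q = 2 (mod 3); e coprime to (p+1)(q+1); d = e^-1 mod (p+1)(q+1)."""
    p, q = next_prime_2_mod_3(p_start), next_prime_2_mod_3(q_start)
    n, order = p * q, (p + 1) * (q + 1)
    e = 3
    while gcd(e, order) != 1:
        e += 2
    return (n, e), (n, pow(e, -1, order))

def encrypt(pub, m):
    """c = e*m; the receiver reads b = y^2 - x^3 (mod n) from c itself."""
    n, e = pub
    return ec_mul(e, m, n)

def decrypt(priv, c):
    n, d = priv
    return ec_mul(d, c, n)
```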
6.8 Implementations
In 1988, Newbridge Microsystems Inc. in conjunction with Cryptech
Systems Inc., Canada (now called Mobius Encryption Technologies Inc.,
Mississauga, Ontario), manufactured a single chip device that imple-
ments various public and conventional key cryptosystems based on arith-
metic in the field F_{2^593}. Since the field size is quite large, a slower two-
pass multiplication technique was used in order to reduce the number
of cell interconnections (see [2] or [130]). Also, to reduce the number
of registers, a slower method to compute inverses was used. Multipli-
cation of two field elements takes 1,300 clock cycles, while an inverse
computation takes about 50,000 clock cycles. The chip has a clock rat-
ing of 20 MHz, and so the multiplication and inverse computations take
0.065 ms and 2.5 ms respectively.
More recently, a VLSI device has been built for performing the arith-
metic operations in the field F_{2^155} [3]. The device required about 11,000
gates. A multiplication takes 156 clock cycles, while an inverse compu-
tation takes about 3800 cycles. The chip has a clock rating of 40 MHz,
and so the multiplication and inverse computations take 0.004 ms and
0.095 ms respectively.
Both these devices can be used as a coprocessor for performing com-
putations in the base field. A high performance programmable control
processor, such as the Motorola DSP56000, can be used as the control
processor to implement the various elliptic curve cryptosystems.
The paper [54] describes a software implementation of the ElGamal
cryptosystem over the finite field F_{2^104}. Encryption rates of 2 Kbits/sec
were achieved on a SUN-2 SPARC-station. The public keys are only
105 bits in size.
In [31], R. Crandall describes an implementation of the elliptic curve
analogue of the Diffie-Hellman key exchange. The elliptic curves are
defined over finite fields $F_{p^k}$, where p is a Mersenne prime (or more
generally of the form $2^r - s$, where s is small). Crandall presents a
method for performing arithmetic modulo p using only shift and add
operations, eliminating the need for costly divisions. This technique,
together with an inversionless parameterization of the elliptic curve, re-
sults in a very efficient implementation of elliptic curve arithmetic. The
system is called Fast Elliptic Encryption (FEE), and is being considered
by the NeXT computer company for incorporation into their products.
6.9 Notes
In a recent paper [45], Gao and Lenstra proved that the optimal normal
bases constructed in [110] are essentially all of the optimal normal bases.
For fields in which optimal normal bases do not exist, the so-called low
complexity normal bases described in [4] may be useful.
The method of Itoh, Teechai and Tsujii for computing inverses in
F_{2^m} is costly in terms of hardware implementation in that it requires
the storage of several intermediate results. An alternate method for
inversion which is slower but which does not require the storage of such
intermediate results is described in [1].
For some other hardware designed to perform calculations in finite
fields, see [33], [41], [47], [138] and [151]. Consult also the books [61],
[83], [89] and [91].
The material in Sections 6.2 to 6.6 is based on [96].
The use of non-supersingular elliptic curves for cryptosystems was
also considered by Beth and Schaefer [12]. Miyaji [104] presents some
methods for selecting elliptic curves over prime fields that are suitable
for implementing Schnorr's digital signature scheme on smart cards.
Morain [108] shows how to construct cyclic elliptic curves over large
prime fields.
A different method for selecting elliptic curves over prime fields suit-
able for use in cryptosystems is to select a fixed curve E defined over
the integers, and then choose a prime p such that #E(F_p) is prime.
Koblitz [69] gives conjectural asymptotic formulas for the probability
that #E(F_p) is prime as the prime p varies.
Alternative parameterizations of elliptic curves were considered by
Chudnovsky and Chudnovsky [28] and Montgomery [105]. Morain [107]
presents some addition-subtraction chains for integers k which lead to
faster algorithms than the usual binary method for computing kP in
an elliptic curve. Koyama and Tsuruoka [75] do the same for elliptic
curves over the ring Z_n.
As we have seen, elliptic curve cryptosystems have small key lengths.
By comparison, in the RSA cryptosystem [129], the public key consists
of a pair of integers (e, n). Although e can be chosen to be small, there
is not the same flexibility with the choice of n, which should be at least
512 bits in length (however, recent work by Vanstone and Zuccherato
[149] shows how to choose n with some bits prespecified). For the El-
Gamal cryptosystem based on discrete exponentiation in a finite field,
the public key $\alpha^a$ is the same size as the field, namely at least 500 bits
in length.
If $E : y^2 = x^3 + ax + b$ is an elliptic curve over the prime field F_p,
the twist of E is the curve $E' : y^2 = x^3 + au^2x + bu^3$, where u is a
quadratic non-residue modulo p. It is easy to verify that $\#E(F_p) + \#E'(F_p) = 2p + 2$.
In the case where both E and E' are cyclic, Kaliski
[63, 64] describes a method for using these curves to construct a one-
way permutation on the set $\{0, 1, 2, \ldots, 2p + 1\}$. The construction was
extended to elliptic curves over finite fields of characteristic 2 by Meier
and Staffelbach [90].
Koblitz [73] observed that if one uses exponents k of a small Ham-
ming weight, then one gets doubling of points "almost 3/4 for free" for
the non-supersingular curves $y^2 + xy = x^3 + 1$ and $y^2 + xy = x^3 + x^2 + 1$
when computing kP. In [73] one can find a list of curves defined over F_2
(respectively F_4, F_8 and F_16) such that $\#E(F_{2^n})$ (respectively $\#E(F_{4^n})$,
$\#E(F_{8^n})$ and $\#E(F_{16^n})$) has a prime factor of at least 30 digits, there
exists an optimal normal basis in $F_{q^n}$, and any string of $\leq 4$ zeros (re-
spectively exactly 2, 3, 4 zeros) can be handled with a single addition
of points. The study of these anomalous curves was pursued further by
Meier and Staffelbach [90].
In [118], Okamoto, Fujioka and Fujisaki propose a practical digital
signature scheme based on elliptic curves over Z_n, where $n = p^2q$.
The scheme appears to be several times faster than the RSA signature
scheme.
Chapter 7

Counting Points on Elliptic Curves Over F_{2^m}

In 1985, Schoof [136] presented a polynomial time algorithm for com-
puting #E(F_q), the number of F_q-rational points on an elliptic curve E
defined over the field F_q. The algorithm has a running time of $O(\log^8 q)$
bit operations, and is rather cumbersome in practice. Buchmann and
Müller [20] combined Schoof's algorithm with Shanks' baby-step giant-
step algorithm, and were able to compute orders of curves over F_p,
where p is a 27-decimal digit prime. The algorithm took 4.5 hours on a
SUN-1 SPARC-station.
The work mentioned above was all described for the case q odd.
From the point of view of practical cryptography however, curves over
fields of characteristic 2 are more attractive. In [71] Koblitz adapted
Schoof's algorithm to curves over F_{2^m}, and studied the implementation
and security of a random-curve cryptosystem. Special emphasis was
placed on the underlying field F_{2^155}. The VLSI device built to perform
arithmetic in F_{2^155} that was mentioned in Chapter 6 is being used to
perform computations on a random elliptic curve over this field. Con-
sequently, it is of interest to determine the order of random curves over
F_{2^155}.
In this chapter we discuss Schoof's algorithm, together with some
heuristic improvements, for counting the points on an arbitrary ellip-
tic curve over F_{2^m}. Chapter 3 showed how to count the points on a
supersingular curve over F_{2^m}, and hence we shall only consider non-
supersingular curves in this chapter.

The remainder of the chapter is organized as follows. In Section 7.1,
we mention the relevant properties of elliptic curves over finite fields of
characteristic 2. Schoof's algorithm is outlined in Section 7.2, and in
Section 7.3 we present some heuristics for improving Schoof's algorithm.
In Section 7.4 we present some experimental results. We conclude by
surveying the latest research on the problem of counting points on an
elliptic curve.

7.1 Some Basics

Let $q = 2^m$, and let $K = F_q$. Let E be a non-supersingular elliptic
curve defined over K. By Theorem 3.5 the defining equation for E has
the form
$$y^2 + xy = x^3 + a_2x^2 + a_6, \qquad (7.1)$$
where $a_2 \in \{0, \gamma\}$, $\gamma \in K$ being a fixed element of trace 1, and $a_6 \in K^*$.
If E and $\tilde{E}$ are the curves $y^2 + xy = x^3 + a_6$ and $y^2 + xy = x^3 + \gamma x^2 + a_6$
respectively, then it is easily verified that $\#E(K) + \#\tilde{E}(K) = 2q + 2$.
Hence, for the remainder of this chapter, we will always assume that
the equation for E is of the form
$$y^2 + xy = x^3 + a_6. \qquad (7.2)$$

We introduce the division polynomials $f_n(x) \in K[x]$ associated with
the non-supersingular curve E given by the equation (7.1) (see [71]):

$$\begin{aligned}
f_0 &= 0 \\
f_1 &= 1 \\
f_2 &= x \\
f_3 &= x^4 + x^3 + a_6 \\
f_4 &= x^6 + a_6x^2 \\
f_{2n+1} &= f_n^3 f_{n+2} + f_{n-1} f_{n+1}^3, \qquad n \geq 2 \\
x f_{2n} &= f_{n-1}^2 f_n f_{n+2} + f_{n-2} f_n f_{n+1}^2, \qquad n \geq 3.
\end{aligned}$$

The polynomials $f_n$ are monic in x, and if n is odd then the degree of $f_n$
is $(n^2 - 1)/2$. The division polynomials have the following useful proper-
ties which will enable us to perform computations in E[n]. Theorem 7.1
is from [77], while Theorem 7.2 is from [71].

Theorem 7.1 Let $P = (x, y) \in E^*$ and let $n \geq 0$. Then $P \in E[n]$ if
and only if $f_n(x) = 0$. □
Theorem 7.2 Let $n \geq 2$, and let $P = (x, y) \in E^*$ with $nP \neq O$. Then
$nP = (\bar{x}, \bar{y})$, where

$$\bar{x} = x + \frac{f_{n-1} f_{n+1}}{f_n^2}$$

and

$$\bar{y} = x + y + \frac{f_{n-1} f_{n+1}}{f_n^2} + \frac{f_{n-2} f_{n+1}^2}{x f_n^3} + (x^2 + y)\,\frac{f_{n-1} f_{n+1}}{x f_n^2}.$$

($f_n$ is shorthand for $f_n(x)$.) □
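As an added check (not part of the book's text), Theorem 7.2 with n = 2 reproduces the affine doubling formula $\lambda = x + y/x$, $x_3 = \lambda^2 + \lambda$, $y_3 = x^2 + (\lambda + 1)x_3$ for the curve (7.2), which is assumed here as the standard affine law. For the x-coordinate,

$$\bar{x} = x + \frac{f_1 f_3}{f_2^2} = x + \frac{x^4 + x^3 + a_6}{x^2} = x^2 + \frac{a_6}{x^2} = \lambda^2 + \lambda,$$

the last step using $y^2 = x^3 + a_6 + xy$ to rewrite $\lambda^2 + \lambda = x^2 + x + y^2/x^2 + y/x$. For the y-coordinate, $f_0 = 0$ removes the middle term and $f_1 f_3/f_2^2 = \bar{x} + x$, so

$$\bar{y} = x + y + (\bar{x} + x) + \frac{(x^2 + y)(\bar{x} + x)}{x} = y + \bar{x} + \Big(x + \frac{y}{x}\Big)(\bar{x} + x) = x^2 + \Big(x + \frac{y}{x} + 1\Big)\bar{x} = x^2 + (\lambda + 1)\bar{x}.$$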

The ring of endomorphisms of E that are defined over K is denoted
by $\mathrm{End}_K E$. For any integer m, the multiplication-by-m map $P \mapsto mP$
is an endomorphism of E, and hence $\mathbb{Z} \subseteq \mathrm{End}_K E$. The map $\phi \in \mathrm{End}_K E$
sending (x, y) to $(x^q, y^q)$ and fixing O is called the Frobenius
endomorphism of E. In $\mathrm{End}_K E$, $\phi$ satisfies the relation

$$\phi^2 - t\phi + q = 0$$

for a unique $t \in \mathbb{Z}$, called the trace of the Frobenius endomorphism.
In fact, $t = q + 1 - \#E(K)$. Recall that if l is an odd prime then
$E[l] \cong \mathbb{Z}_l \oplus \mathbb{Z}_l$. Consequently, E[l] can be viewed as a vector space over
$F_l$; the vector space has dimension 2. The map $\phi$ restricted to E[l] is a
linear transformation on E[l] with characteristic equation $\phi^2 - t\phi + q = 0$.

7.2 Outline of Schoof's Algorithm

We give an outline of Schoof's algorithm for computing #E(K), where
$K = F_q$, $q = 2^m$, and E is given by equation (7.2). The method in [136]
is only described for fields of odd characteristic. Further details for the
case q even will be provided in Section 7.3.
Let $\#E(F_q) = q + 1 - t$. Choose a number L' such that $\prod l > 4\sqrt{q}$,
where the product ranges over all primes l between 3 and L'. We proceed
to compute t (mod l) for each odd prime $l \leq L'$; since $|t| \leq 2\sqrt{q}$, we
can then recover t by the Chinese Remainder Theorem.
Let $P = (x, y) \in E[l]^*$ and let $k \equiv q \pmod l$, $0 \leq k \leq l - 1$. We
search for an integer $\tau$, $0 \leq \tau \leq l - 1$, such that

$$\phi^2(P) + kP = \tau\phi(P). \qquad (7.3)$$

Since $\phi^2(P) + kP = t\phi(P)$, we deduce that $(t - \tau)\phi(P) = O$. Hence,
since $\phi(P)$ is a point of order l, $t \equiv \tau \pmod l$. The problem with
implementing this idea is that the coordinates of P, which are in $\bar{K}$, may
not lie in any small extension of K, and thus cannot be efficiently found
in general. We overcome this problem by observing that x is a root of the
division polynomial $f_l(x) \in K[x]$. Moreover, we can use Theorem 7.2
to obtain an expression for kP and $\tau\phi(P)$, where the coordinates of the
expressions are rational functions in x and y. We may then use the
addition rules to sum $\phi^2(P)$ and kP.
To test whether there exists some $P \in E[l]^*$ satisfying (7.3), we
equate the x-coordinates of the expressions for $\phi^2(P) + kP$ and $\tau\phi(P)$,
and eliminate denominators and the variable y to obtain an equation
$h_1(x) = 0$. We then compute $H_1(x) = \gcd(h_1(x), f_l(x))$. If $H_1(x) = 1$,
then there is no $P \in E[l]^*$ satisfying (7.3). If $H_1(x) \neq 1$, then there
exists $P \in E[l]^*$ with $\phi^2(P) + kP = \pm\tau\phi(P)$. To determine the correct
sign, we equate the y-coordinates of the expressions for $\phi^2(P) + kP$ and
$\tau\phi(P)$, eliminate denominators and the variable y to obtain an equation
$h_2(x) = 0$, and then compute $H_2(x) = \gcd(h_2(x), f_l(x))$. If $H_2(x) \neq 1$,
then P satisfies (7.3), otherwise P satisfies $\phi^2(P) + kP = -\tau\phi(P)$. Note
that all computations now take place in the ring K[x] itself.
The running time of $O(\log^8 q)$ bit operations is obtained as follows.
We have that $L' = O(\log q)$. For each l, the search for $\tau$ satisfying
(7.3) is dominated by the computations of the residues of $x^{q^2}$ and $y^{q^2}$
modulo $f_l(x)$ (note that $\phi^2(P) = (x^{q^2}, y^{q^2})$). Since the degree of $f_l(x)$ is
$O(\log^2 q)$, these residues can be computed in $O(\log^5 q)$ field operations,
or $O(\log^7 q)$ bit operations. If fast multiplication techniques are em-
ployed for multiplication in K[x] and in $F_q$, then the total running time
reduces to $O(\log^{5+\epsilon} q)$ bit operations, for any $\epsilon > 0$. However, since the
fast multiplication techniques are only practical for very large q, we will
henceforth only use classical multiplication algorithms.

7.3 Some Heuristics

Again, we assume that $K = F_q$, where $q = 2^m$, and that the curve E
has equation (7.2). Let $\#E(K) = q + 1 - t$, where $|t| \leq 2\sqrt{q}$. From the
expression for the division polynomial $f_4$, we have $\#E(K) \equiv 0 \pmod 4$.
This follows because $x = \sqrt[4]{a_6}$ is a root of $f_4$ in K, and the equation
$y^2 + xy = x^3 + a_6$ has a solution in K when $x = \sqrt[4]{a_6}$. Thus E(K) has
a point of order 4, and so we can easily determine t (mod 4).
In Sections 7.3.1 and 7.3.2 we describe how to find t (mod l), where
l is an odd prime.
7.3.1 Finding an Eigenvalue of $\phi$, if One Exists

Recall that when viewing $\phi$ as a linear transformation on E[l], the char-
acteristic equation of $\phi$ is $\phi^2 - t\phi + q = 0$. Thus $\phi$ has eigenvalues in $F_l$
if and only if either $t^2 - 4q$ is a quadratic residue mod l, or $t^2 - 4q$ is 0
mod l. If s is an eigenvalue of $\phi$, then the eigenspace corresponding to
s is the set $\{P \in E[l] : \phi(P) = sP\}$. Assume that s, r are eigenvalues
of $\phi$ in $F_l$. The following two observations are useful.

• Since $s^2 - ts + q = 0$, we have $t \equiv s + q/s \pmod l$.

• If $s \neq r$, then let S denote the set of x-coordinates of non-zero
points in the one-dimensional eigenspace corresponding to s. Ob-
serve that if $\phi(P) = sP$ then $\phi(\phi(P)) = s\phi(P)$; hence if $\alpha \in S$
then $\alpha^q \in S$. It follows that $f(x) = \prod_{\alpha \in S}(x - \alpha)$ is a degree
$(l - 1)/2$ factor of $f_l(x)$ in K[x].

Let w be an integer, $1 \leq w \leq (l - 1)/2$. To test whether $\pm w$ is
an eigenvalue of $\phi$, we have to check if there exists $P = (x, y) \in E[l]^*$
with $\phi(P) = \pm wP$. Explicitly, we equate the x-coordinates of $\phi(P)$ and
$\pm wP$ to obtain

$$x^q = x + \frac{f_{w-1} f_{w+1}}{f_w^2}.$$

Thus the search is successful if and only if

$$g_1(x) = \gcd\left((x^q + x)f_w^2 + f_{w-1}f_{w+1},\ f_l\right) \neq 1. \qquad (7.4)$$

The dominant step in these calculations is the computation of $x^q$ modulo
$f_l(x)$.
If $g_1(x) \neq 1$, then we need to test if $\phi(P) = wP$ or $\phi(P) = -wP$.
The roots of $g_1(x)$ are the x-coordinates of points $P \in E[l]^*$ satisfying
$\phi(P) = \pm wP$. If the eigenvalues of $\phi$ are w and $-w$, then $t \equiv 0 \pmod l$,
and this will be detected since the degree of $g_1(x)$ will be $l - 1$. If the
eigenvalues of $\phi$ are the same, then either $g_1(x) = f_l(x)$ or $\deg g_1(x) = (l - 1)/2$.
Otherwise, if either w or $-w$ (but not both) is one of the
two eigenvalues of $\phi$ in $F_l$, then the degree of $g_1(x)$ is $(l - 1)/2$. In the
following computations, all polynomials in x are reduced modulo $g_1(x)$.
Equating y-coordinates of $\phi(P)$ and $-wP$, and clearing denominators,
we obtain the equation (7.5).
Since $y^2 = x^3 + a_6 + xy$, we can compute $y^q$ by repeatedly squaring $y^2$.
After m - 1 squarings, we obtain

$$y^q = a(x) + b(x)y,$$

with a(x) and b(x) both reduced modulo $g_1(x)$. Equation (7.5) then
reduces to
$$a(x) + b(x)y = 0.$$
Substituting y = a(x)/b(x) into the equation of the curve (7.2) yields

$$h(x) = a(x)^2 + a(x)b(x)x + (x^3 + a_6)b(x)^2 = 0.$$

Finally, if $\gcd(h(x), g_1(x)) = 1$, then $t \equiv w + q/w \pmod l$, otherwise
$t \equiv -w - q/w \pmod l$.
We comment that this method of searching for eigenvalues of $\phi$ easily
extends to the case q an odd prime power.

7.3.2 Schoof's Algorithm

If there is no eigenvalue of $\phi$ in $F_l$, i.e., if $t^2 - 4q$ is a quadratic non-
residue mod l, then we apply Schoof's test to determine the $\tau$ satisfying
(7.3).
We first check if there is a $P = (x, y) \in E[l]^*$ with $\phi^2(P) = \pm kP$,
where k is q modulo l. This is the case if and only if

$$\gcd\left((x^{q^2} + x)f_k^2 + f_{k-1}f_{k+1},\ f_l\right) \neq 1.$$

Observe that if $t \equiv 0 \pmod l$, then $\phi^2(P) = -kP$. Now, if $\phi^2(P) = kP$,
then $\phi(P) = (2k/t)P$, whence $\phi$ has an eigenvalue in $F_l$. But $t^2 - 4q$ is
a quadratic non-residue mod l, so we conclude that $\phi^2(P) = -kP$. It
follows that $t\phi(P) = O$ and $t \equiv 0 \pmod l$.
Assume now that there is no $P \in E[l]^*$ with $\phi^2(P) = \pm kP$. In order
to determine t (mod l), we check for each $\tau$, $1 \leq \tau \leq l - 1$, if there exists
$P \in E[l]^*$ satisfying (7.3). Since $\phi^2(P) \neq \pm kP$, we can use the rule for
adding distinct points (see Section 2.5) to compute an expression for
$\phi^2(P) + kP$. Explicitly, let $(P)_x$ denote the x-coordinate of point P.
Then, for $k \geq 2$,

$$(\pm\tau\phi(P))_x = x^q + \frac{f_{\tau-1}^q f_{\tau+1}^q}{f_\tau^{2q}} \qquad (7.6)$$

and

$$(\phi^2(P) + kP)_x = \lambda^2 + \lambda + x^{q^2} + x + \frac{f_{k-1}f_{k+1}}{f_k^2},$$

where

$$\lambda = \frac{(y^{q^2} + y + x)\,x f_k^3 + f_{k-2}f_{k+1}^2 + (x^2 + x + y)\,f_{k-1}f_kf_{k+1}}{x f_k^3(x + x^{q^2}) + x f_{k-1}f_kf_{k+1}}. \qquad (7.7)$$

Similar equations can be obtained for the case k = 1. Equate the x-
coordinates of $\phi^2(P) + kP$ and $\pm\tau\phi(P)$, and eliminate denominators
and the variable y, to get an identity $h_3(x) = 0$. Then there ex-
ists a $P \in E[l]^*$ with $\phi^2(P) + kP = \pm\tau\phi(P)$ if and only if
$h_4(x) = \gcd(h_3(x), f_l(x)) \neq 1$. This is repeated for each $\tau$, $1 \leq \tau \leq (l - 1)/2$,
for which $\tau^2 - 4q$ is a quadratic non-residue mod l. If the gcd is non-
trivial then we can determine the correct sign by first equating the
y-coordinates of $\phi^2(P) + kP$ and $\tau\phi(P)$. Explicitly, for $\tau \geq 2$,

$$(\tau\phi(P))_y = x^q + y^q + \frac{f_{\tau-1}^q f_{\tau+1}^q}{f_\tau^{2q}} + \frac{f_{\tau-2}^q f_{\tau+1}^{2q}}{x^q f_\tau^{3q}} + (x^{2q} + y^q)\,\frac{f_{\tau-1}^q f_{\tau+1}^q}{x^q f_\tau^{2q}} \qquad (7.8)$$

and

$$(\phi^2(P) + kP)_y = \lambda(x^{q^2} + X_3) + X_3 + y^{q^2},$$

where $X_3 = (\phi^2(P) + kP)_x$ and $\lambda$ is as in (7.7) (similar equations can be
obtained for the case $\tau = 1$). As was done above, we then proceed to
eliminate the denominator and the variable y to get an identity $h_5(x) = 0$.
Then if $\gcd(f_l(x), h_5(x)) \neq 1$, we have $t \equiv \tau \pmod l$; otherwise $t \equiv -\tau \pmod l$. The
dominant step in these calculations is the computation of $x^{q^2}$ and $y^{q^2}$
modulo $f_l(x)$.
To determine t (mod l) in practice, one would first search for an
eigenvalue of $\phi$ in $F_l$, and if this fails, then Schoof's algorithm is applied.
The first method is faster since it only requires the residue of $x^q$ modulo
$f_l(x)$, while the second method requires the residues $x^q$, $x^{q^2}$, $y^q$ and $y^{q^2}$
modulo $f_l(x)$. Heuristically, for a random curve, we would expect $\phi$
to have an eigenvalue in $F_l$ (i.e., $t^2 - 4q$ is a quadratic residue in $F_l$)
for half of all l's. Moreover, if $\phi$ does have eigenvalues in $F_l$, then
in most cases the eigenvalues will be distinct, and so the test whether
$\phi(P) = wP$ or $\phi(P) = -wP$ in Section 7.3.1 takes negligible time (since
$\deg g_1(x) = (l - 1)/2$ or $l - 1$).

7.3.3 Determining $t$ modulo $l = 2^c$

If $l = 2^c$, then in fact $f_l(x)$ has a factor of small degree.

Lemma 7.3 If $l = 2^c$, then $f_l(x)$ has a factor $f(x)$ of degree $l/4$ in $K[x]$.

Proof: Since $E[l] \cong \mathbb{Z}_l$, $f_l(x)$ has only $l/2$ distinct roots. Of these, only $l/4$ are $x$-coordinates of points of order $l$. Thus $f_l(x)$ has a factor $f(x)$ of degree $l/4$ in $K[x]$, whose roots are precisely the $x$-coordinates of points of order $l$. $\square$
The next lemma shows how the factor $f(x)$ may be easily constructed.

Lemma 7.4 Let $l = 2^c$. Define the sequence of polynomials $\{g_i(x)\}$ in $K[x]$ as follows:

$$g_0 = x, \qquad g_1 = b_1 + x \ \text{ where } a_6 = b_1^4,$$

$$g_i = g_{i-1}^2 + b_i\, x \prod_{j=1}^{i-2} g_j^2 \ \text{ where } a_6 = b_i^{2^{i+1}}, \ \text{ for } i \ge 2.$$

Then $f(x) = g_{c-1}(x)$ is a degree $l/4$ factor of $f_l(x)$ in $K[x]$. Moreover, the roots of $f(x)$ are precisely the $x$-coordinates of points of order $l$.

Proof: Define the sequence of polynomials $\{h_i(x)\}$ in $K[x]$ by

$$h_0 = 1, \qquad h_1 = x, \qquad h_i = x \prod_{j=1}^{i-1} g_j^2 \ \text{ for } i \ge 2.$$

Let $P = (x, y) \in E^*$, and let $(2^n P)_x = G_n / H_n$ for $n \ge 0$. From the formula for doubling a point, we see that $G_n$ and $H_n$ are polynomials in $K[x]$. We prove by induction that $G_n = (g_n)^{2^{n+1}}$ and $H_n = (h_n)^{2^n}$ for $n \ge 1$.

For $n = 1$, we have

$$\frac{g_1^4}{h_1^2} = \frac{(x + b_1)^4}{x^2} = \frac{x^4 + a_6}{x^2},$$

which indeed is $(2P)_x$.

Assuming that the statement is true for $n = i$, we have

$$(2^{i+1} P)_x = \frac{G_{i+1}}{H_{i+1}} = (2^i P + 2^i P)_x = \frac{a_6 H_i^4 + G_i^4}{(G_i H_i)^2} = \frac{(b_{i+1} h_i + g_i^2)^{2^{i+2}}}{(g_i^2 h_i)^{2^{i+1}}} = \frac{(g_{i+1})^{2^{i+2}}}{(h_{i+1})^{2^{i+1}}}.$$

It is also easily proved by induction that $\deg g_n = 2^{n-1}$ for $n \ge 1$, and $\gcd(g_n, h_n) = 1$ for $n \ge 0$.

Now, let $P = (x, y) \in E^*$. Since $(2^{c-1} P)_x = (g_{c-1})^{2^c} / (h_{c-1})^{2^{c-1}}$, we have $\mathrm{ord}(P) = 2^c$ if and only if $g_{c-1}(x) = 0$ and $g_i(x) \ne 0$ for $0 \le i \le c-2$. But, since $h_{c-1} = g_0 \prod_{j=1}^{c-2} g_j^2$ and $\gcd(g_{c-1}, h_{c-1}) = 1$, we have $\mathrm{ord}(P) = 2^c$ if and only if $g_{c-1}(x) = 0$. Finally, since $\deg g_{c-1} = l/4$, the desired factor $f(x)$ must in fact be $g_{c-1}(x)$. $\square$
For $l = 2^c$ dividing $q$, we have $q \equiv 0 \pmod l$. Hence for $P \in E[l]^*$ we know that $\phi^2(P) - \tau\phi(P) = O$, where $\tau \equiv t \pmod l$. Since $\phi$ is the Frobenius endomorphism, $\phi(R) \ne O$ for $R \ne O$; applied to $R = \phi(P) - \tau P$ this gives $\phi(P) - \tau P = O$, so $\tau$ is an eigenvalue of $\phi$ in $\mathbb{Z}_l$.

Since we know that $\#E(F_q) \equiv 0 \pmod 4$, it follows that $t \equiv 1 \pmod 4$ and $\tau \equiv 1 \pmod 4$. This gives us only 2 possible choices for $\tau$ modulo 8. We can easily obtain this eigenvalue using a factor of $f_8(x)$ obtained as above, and using our heuristic for finding eigenvalues. This procedure can then similarly be applied to finding eigenvalues for $l = 16, 32, 64, \ldots$. The method is efficient for $l$ a small power of 2, since the polynomial arithmetic is performed modulo a degree $l/4$ factor of $f_l(x)$.

7.3.4 Baby-step Giant-step Algorithm

The calculation of $t$ modulo $l$ using Schoof's algorithm for small primes $l$ is very simple. However, since $\deg f_l(x) = (l^2 - 1)/2$, the calculation quickly becomes infeasible as the value of $l$ increases. In [20], the authors combined Schoof's algorithm with Shanks' baby-step giant-step method. In this method, one first computes $\#E(F_q)$ modulo $L = l_0 \cdot l_1 \cdots l_r$, where $l_1, \ldots, l_r$ are small primes and $l_0$ is a small power of 2. One may then use the baby-step giant-step algorithm to determine $\#E(F_q)$.

We describe Shanks' algorithm with suitable modifications for use with Schoof's algorithm.

Step 1. Choose a random point $P$ in $E(F_q)$ and set

$$k = \min\big\{\, k' \ \big|\ k' \ge \big\lceil \sqrt{4 L \sqrt{q}}\, \big\rceil,\ k' \equiv 0 \pmod L \,\big\}.$$

Step 2. Compute $iP$ for $i \equiv \big(\lfloor q + 1 - 2\sqrt{q} \rfloor - \#E(F_q)\big) \pmod L$ and $0 \le i \le k-1$. If for some $i$ we have $iP = O$, then return to Step 1. Otherwise, store $i$ and the first 32 bits of the $x$-coordinate of $iP$ in a table sorted by the stored $x$-coordinate bits.

Step 3. Set $Q = kP$.

Step 4. Compute

$$H_j = \lfloor q + 1 - 2\sqrt{q} \rfloor P + jQ$$

for $j = 1, 2, \ldots, k/L$ and check (by a binary search) whether the first 32 bits of the $x$-coordinate of $H_j$ correspond to the first 32 bits of the $x$-coordinate of $iP$ for some $i$. If they do, we then check whether $H_j = iP$ (by recalculating $iP$). If we have only one pair $(i, j)$ with $H_j = iP$ then

$$\#E(F_q) = \lfloor q + 1 - 2\sqrt{q} \rfloor + kj - i,$$

and the algorithm terminates. If not, then return to Step 1.

We discuss the correctness and running time of the algorithm.

Since $P \in E(F_q)$, $\mathrm{ord}(P)$ divides $\#E(F_q)$. Thus if there exists a unique integer $r \in [q + 1 - 2\sqrt{q},\ q + 1 + 2\sqrt{q}]$ such that $rP = O$ then $r = \#E(F_q)$; if not then $\mathrm{ord}(P) \le 4\sqrt{q}$. Either case is detected in Step 4. Thus in Step 1 we hope that $\mathrm{ord}(P) > 4\sqrt{q}$.

Recall that $E(F_q) \cong \mathbb{Z}_{n_1} \oplus \mathbb{Z}_{n_2}$, where $n_2 \mid n_1$ and $n_2 \mid (q-1)$. For a random elliptic curve, we would expect $n_1 \gg n_2$ and so $n_1 \gg 4\sqrt{q}$. Thus with very high probability $\mathrm{ord}(P) > 4\sqrt{q}$. Since $\#E(F_q) \ge (\sqrt{q} - 1)^2$, we have $n_1 \ge \sqrt{q} - 1$. Moreover, since $4 \mid \#E(F_q)$ and $n_2$ is odd, we have $4 \mid n_1$, hence $n_2 \le n_1/4$, $\#E(F_q) = n_1 n_2 \le n_1^2/4$, and so $n_1 \ge 2(\sqrt{q} - 1)$. If in fact $n_1 \le 4\sqrt{q}$, then there is no point in $E(F_q)$ of order greater than $4\sqrt{q}$. This will be detected since the algorithm will fail in Step 4 each time. If this happens, then we determine $\mathrm{ord}(P)$ and repeat the algorithm until we find a point $P$ with $\mathrm{ord}(P) \ge 2(\sqrt{q} - 1)$. We then search for a point $P'$ which has order $\ge 3$ in the quotient group $E(F_q)/\langle P \rangle$. For more details, consult [20].

The table in Step 2 has about $S = 2 q^{1/4} / \sqrt{L}$ entries, which are computed with $O(S)$ field operations. The table is then sorted using $O(S \log S)$ comparisons. Computing $H_j$ for $j = 1, 2, \ldots, k/L$ takes $O(S)$ field operations, while each binary search takes $O(\log S)$ comparisons. Thus the whole algorithm takes $O(q^{1/4} (\log q)^2 / \sqrt{L})$ bit operations, and requires $O(q^{1/4} (\log q) / \sqrt{L})$ bits of storage.

7.3.5 Checking Results

Let $\#E(F_q) = q + 1 - t$, where $t$ is unknown, and suppose that the algorithm outputs $\#E(F_q) = q + 1 - t'$. We may verify that $t = t'$ as follows.

Let $P$ be the point in the baby-step giant-step algorithm. Since the algorithm terminated, we believe that $\mathrm{ord}(P) > 4\sqrt{q}$. We first verify that $(q + 1 - t')P = O$; if this does not hold, then $t \ne t'$. We then proceed to factor $q + 1 - t'$, which is an easy task since $q + 1 - t' \le 10^{50}$ for the $q$'s we are concerned with. Given the prime factorization of $q + 1 - t'$, we can easily determine $\mathrm{ord}(P)$ by Lemma 5.5, and then check that $\mathrm{ord}(P) > 4\sqrt{q}$. Now, since $(q + 1 - t)P = O$ and $(q + 1 - t')P = O$, we deduce that $(t - t')P = O$. Finally, since $\mathrm{ord}(P) > 4\sqrt{q}$ and $|t - t'| \le 4\sqrt{q}$, we conclude that $t = t'$.

Of course, this check is only successful if $n_1 > 4\sqrt{q}$, which, as was pointed out in Section 7.3.4, is true for most curves.
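The search of Steps 1-4 of Section 7.3.4 together with the acceptance check of Section 7.3.5, as an added example that is not code from [97] or from this book. It assumes a hypothetical toy curve $E: y^2 + xy = x^3 + 1$ over $F_{2^{13}}$ with field polynomial $x^{13} + x^4 + x^3 + x + 1$, chosen small enough that $\#E(F_q)$ can also be found by solving the curve equation for every $x$; the residue $\#E(F_q) \bmod L$ that Sections 7.3.1-7.3.3 would supply is taken from that direct count. The table of Step 2 keeps full $x$-coordinates in a dictionary instead of the sorted 32-bit prefixes of the text, and the multiplicative group of this field has prime order 8191, so $x$ generates it and log/antilog tables replace polynomial-basis multiplication.

```python
import math
import random

M, FIELD_POLY = 13, 0b10000000011011   # F_q = F_{2^13} via x^13 + x^4 + x^3 + x + 1 (assumed irreducible)
Q = 1 << M                             # q = 8192: small enough to count the points directly as a check
A2, A6 = 0, 1                          # assumed toy curve E: y^2 + xy = x^3 + 1 over F_q
# q - 1 = 8191 is prime, so x generates F_q^* exactly when FIELD_POLY is irreducible;
# antilog/log tables then give constant-time multiplication, squaring and inversion.
EXP, LOG, _a = [0] * (2 * (Q - 1)), [0] * Q, 1
for _i in range(Q - 1):
    EXP[_i] = EXP[_i + Q - 1] = _a
    LOG[_a] = _i
    _a = (_a << 1) ^ (FIELD_POLY if _a >> (M - 1) else 0)
FIELD_OK = _a == 1                     # x^(q-1) = 1 iff FIELD_POLY is irreducible

def fmul(a, b): return EXP[LOG[a] + LOG[b]] if a and b else 0
def fsq(a): return EXP[2 * LOG[a]] if a else 0
def finv(a): return EXP[Q - 1 - LOG[a]]            # a != 0

def ftrace(a):                         # Tr(a) = a + a^2 + ... + a^(2^(M-1)), an element of {0, 1}
    t = 0
    for _ in range(M):
        t, a = t ^ a, fsq(a)
    return t

def half_trace(c):                     # root of z^2 + z = c for odd M when Tr(c) = 0
    h = 0
    for _ in range((M + 1) // 2):      # sum of c^(4^i), 0 <= i <= (M-1)/2
        h, c = h ^ c, fsq(fsq(c))
    return h

def add(P, R):
    """Chord-and-tangent sum on E; None is the point at infinity."""
    if P is None or R is None:
        return R if P is None else P
    (x1, y1), (x2, y2) = P, R
    if x1 == x2:
        if y1 != y2 or x1 == 0:        # R = -P = (x1, x1 + y1), or P has order 2
            return None
        lam = x1 ^ fmul(y1, finv(x1))  # doubling: lambda = x + y/x
        x3 = fsq(lam) ^ lam ^ A2
        return x3, fsq(x1) ^ fmul(lam ^ 1, x3)
    lam = fmul(y1 ^ y2, finv(x1 ^ x2))
    x3 = fsq(lam) ^ lam ^ x1 ^ x2 ^ A2
    return x3, fmul(lam, x1 ^ x3) ^ x3 ^ y1

def mul(n, P):                         # n*P by double-and-add, n >= 0
    R = None
    while n:
        if n & 1:
            R = add(R, P)
        P, n = add(P, P), n >> 1
    return R

def curve_rhs(x):                      # with y = xz the curve at x != 0 reads z^2 + z = x + a2 + a6/x^2
    return x ^ A2 ^ fmul(A6, finv(fsq(x)))

def count_points_directly():           # infinity, one point with x = 0, two per x != 0 with Tr(rhs) = 0
    return 2 + 2 * sum(ftrace(curve_rhs(x)) == 0 for x in range(1, Q))

def random_point(rng):
    while True:
        x = rng.randrange(1, Q)
        c = curve_rhs(x)
        if ftrace(c) == 0:
            return x, fmul(x, half_trace(c))

def bsgs_count(n_mod_L, L, seed=7):
    """Steps 1-4 of Section 7.3.4; n_mod_L = #E(F_q) mod L is what the Schoof stage
    supplies.  Returns (#E(F_q), P) for the point P with which the search succeeded."""
    rng, sqrt_q = random.Random(seed), math.sqrt(Q)
    base = math.floor(Q + 1 - 2 * sqrt_q)              # left end of the Hasse interval
    k = math.ceil(math.sqrt(4 * L * sqrt_q))
    k += (-k) % L                                      # round up to a multiple of L
    i0 = (base - n_mod_L) % L
    while True:
        P, table = random_point(rng), {}               # Step 1; Step 2 maps x(iP) -> [i]
        for i in range(i0, k, L):                      # (the text stores only 32 bits of x)
            iP = mul(i, P)
            if iP is None and i:                       # iP = O with 0 < i < k: ord(P) too small
                break
            table.setdefault(None if iP is None else iP[0], []).append(i)
        else:
            Qk, H, found = mul(k, P), mul(base, P), []  # Step 3; Step 4 walks H_j = base*P + j*Q
            for j in range(1, k // L + 1):
                H = add(H, Qk)
                for i in table.get(None if H is None else H[0], ()):
                    if mul(i, P) == H:                 # the x-coordinate alone would also match -iP
                        found.append(base + k * j - i)
            if len(found) == 1:
                return found[0], P

def check_result(n_candidate, P):
    """Section 7.3.5: accept q + 1 - t' only if (q + 1 - t')P = O and ord(P) > 4 sqrt(q);
    ord(P) is the least divisor d of q + 1 - t' with dP = O (Lemma 5.5 reads it off the factorization)."""
    if mul(n_candidate, P) is not None:
        return False
    order = next(d for d in range(1, n_candidate + 1) if n_candidate % d == 0 and mul(d, P) is None)
    return order > 4 * math.sqrt(Q)
```

For this $q$ one has $4\sqrt{q} \approx 362$, and with $L = 12$ (that is, $t$ known modulo 4 from Section 7.3.3 and modulo 3 from Schoof's algorithm) the search uses $k = 72$, six baby steps and six giant steps; `bsgs_count(count_points_directly() % 12, 12)` returns the full count together with the point $P$, and `check_result` then applies the test of Section 7.3.5 to that pair. Trying the divisors of $q + 1 - t'$ in place of its prime factorization is adequate only because the number is tiny here.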

7.4 Implementation and Results

In [97], the algorithm described in Section 7.3 was implemented in the C programming language on a SUN-2 SPARC-station with 64 Mbytes of main memory. We make some comments on the implementation.

(i) The elements of $F_q = F_{2^m}$ were represented with respect to an optimal normal basis.

(ii) Let $n = \deg f_l(x)$. To compute $\gcd(A(x), f_l(x))$ for some $A(x) \in K[x]$, $A(x)$ was first reduced modulo $f_l(x)$, and then the gcd of the resulting polynomial with $f_l(x)$ was computed. In order to compute $x^q \pmod{f_l(x)}$, which is needed, for example, in (7.4), the residues $x^{2j}$ modulo $f_l(x)$, for $0 \le j \le n-1$, were precomputed. Then $x^q \pmod{f_l(x)}$ is obtained by repeatedly squaring $x$. Explicitly, if $x^{2^{i-1}} \equiv \sum_{j=0}^{n-1} a_j x^j \pmod{f_l(x)}$, then

$$x^{2^i} \bmod f_l(x) = \Big(x^{2^{i-1}} \bmod f_l(x)\Big)^2 \bmod f_l(x) = \Big(\sum_{j=0}^{n-1} a_j x^j\Big)^2 \bmod f_l(x) = \sum_{j=0}^{n-1} a_j^2\,\big(x^{2j} \bmod f_l(x)\big),$$

so each squaring modulo $f_l(x)$ costs only $n$ squarings in $F_q$ and $n$ additions of precomputed residues. The residues of $x^{q^2}$, $y^q$ and $y^{q^2}$ modulo $f_l(x)$ are obtained in a similar manner.
(iii) In calculating (7.6) and (7.8), we need to compute $f_\tau^q \pmod{f_l(x)}$ for $0 \le \tau \le (l-1)/2 + 1$. Since we already know $x^q \pmod{f_l(x)}$, we can easily compute $f_\tau^q \pmod{f_l(x)}$ recursively:

$$f_0^q \equiv 0, \quad f_1^q \equiv 1, \quad f_2^q \equiv x^q, \quad f_3^q \equiv x^{4q} + x^{3q} + a_6, \quad f_4^q \equiv x^{6q} + a_6 x^{2q} \pmod{f_l(x)},$$

$$f_{2i+1}^q \equiv f_{i+2}^q\, f_i^{3q} + f_{i-1}^q\, f_{i+1}^{3q} \pmod{f_l(x)}, \quad i \ge 2,$$

$$f_{2i}^q \equiv s(x)\big(f_{i+2}^q\, f_i^q\, f_{i-1}^{2q} + f_{i-2}^q\, f_i^q\, f_{i+1}^{2q}\big) \pmod{f_l(x)}, \quad i \ge 3,$$

where $s(x) \in K[x]$ satisfies

$$s(x)\, x^q \equiv 1 \pmod{f_l(x)}.$$

Note that indeed $\gcd(x^q, f_l(x)) = 1$ when $l$ is odd, since the only points with $x$-coordinate equal to 0 have order 2.
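An added example, not code from [97] or from this book, covering Lemma 7.4 of Section 7.3.3 and items (ii) and (iii) above. It assumes $a_6 = 1$, so that the curve is defined over $F_2$: every division polynomial $f_n$ then lies in $F_2[x]$ and can be held as a bit-packed integer, and every $b_i$ of Lemma 7.4 equals 1 (over a larger $F_{2^m}$ the coefficients would lie in $F_{2^m}$ and the squaring step of (ii) would square them as well). The $f_n$ are built by the recursion of (iii) without the $q$-th powers and checked against the doubling formula $x(2R) = (X^4 + a_6)/X^2$; $g_{c-1}$ is checked to divide $f_{2^c}$; $x^q \bmod f_l$ is computed by the table-driven squaring of (ii); and the recursion of (iii) for $f_\tau^q \bmod f_l$ is run with $s(x) = (x^q)^{-1} \bmod f_l$ and compared with direct exponentiation.

```python
from functools import lru_cache, reduce
from operator import xor

A6 = 1       # assumption: a6 = 1, so E: y^2 + xy = x^3 + a2 x^2 + 1 is defined over F_2, every f_n
X = 0b10     # lies in F_2[x] (bit j = coefficient of x^j) and every b_i of Lemma 7.4 equals 1

def pmul(a, b):                      # carry-less product = multiplication in F_2[x]
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def pdivmod(a, b):                   # quotient and remainder in F_2[x], b != 0
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        s = a.bit_length() - 1 - db
        q, a = q ^ (1 << s), a ^ (b << s)
    return q, a

def pmod(a, m): return pdivmod(a, m)[1]
def psq(a): return pmul(a, a)

def pinv(a, m):                      # extended Euclid; invariant r_i = s_i * a (mod m)
    r0, r1, s0, s1 = m, pmod(a, m), 0, 1
    while r1 > 1:
        q, r = pdivmod(r0, r1)
        r0, r1, s0, s1 = r1, r, s1, s0 ^ pmul(q, s1)
    assert r1 == 1, "not invertible modulo m"
    return pmod(s1, m)

@lru_cache(maxsize=None)
def divpoly(n):
    """f_n from the characteristic-2 recursion (the q-free form of Section 7.4 (iii))."""
    start = {0: 0, 1: 1, 2: X, 3: 0b11000 ^ A6, 4: 0b1000000 ^ (A6 << 2)}  # f_3 = x^4+x^3+a6, f_4 = x^6+a6 x^2
    if n in start:
        return start[n]
    f, i = divpoly, n // 2
    if n % 2:                        # f_{2i+1} = f_{i+2} f_i^3 + f_{i-1} f_{i+1}^3
        return pmul(f(i + 2), pmul(psq(f(i)), f(i))) ^ pmul(f(i - 1), pmul(psq(f(i + 1)), f(i + 1)))
    num = pmul(pmul(f(i + 2), f(i)), psq(f(i - 1))) ^ pmul(pmul(f(i - 2), f(i)), psq(f(i + 1)))
    return num >> 1                  # f_{2i} = (f_{i+2} f_i f_{i-1}^2 + f_{i-2} f_i f_{i+1}^2) / x, exact

def x_of_kP(k):
    """x(kP) = x + f_{k-1} f_{k+1} / f_k^2 as a (numerator, denominator) pair."""
    d = psq(divpoly(k))
    return pmul(X, d) ^ pmul(divpoly(k - 1), divpoly(k + 1)), d

def doubling_consistent(k):
    """Independent check: x(2kP) must equal (X^4 + a6)/X^2 for X = x(kP), the doubling formula."""
    (n, d), (n2, d2) = x_of_kP(k), x_of_kP(2 * k)
    return pmul(n2, psq(pmul(n, d))) == pmul(d2, psq(psq(n)) ^ pmul(A6, psq(psq(d))))

def lemma74_factor(c):
    """g_{c-1} of Lemma 7.4: degree 2^c/4, divides f_{2^c}, roots = x-coordinates of order-2^c points."""
    g = [X, X ^ 1]                   # g_0 = x, g_1 = x + b_1 with b_1 = 1
    for i in range(2, c):            # g_i = g_{i-1}^2 + b_i x prod_{j=1}^{i-2} g_j^2
        g.append(psq(g[i - 1]) ^ reduce(pmul, (psq(g[j]) for j in range(1, i - 1)), X))
    return g[c - 1]

def square_table(f):
    """Section 7.4 (ii): x^{2j} mod f for 0 <= j < deg f; squaring mod f is then linear."""
    return [pmod(1 << (2 * j), f) for j in range(f.bit_length() - 1)]

def square_mod(a, table):
    """a^2 mod f = XOR of the rows x^{2j} mod f selected by the bits a_j of a (a_j^2 = a_j in F_2)."""
    return reduce(xor, (t for j, t in enumerate(table) if a >> j & 1), 0)

def frobenius_residue(f, m):
    """x^q mod f for q = 2^m by m table-driven squarings."""
    table, r = square_table(f), pmod(X, f)
    for _ in range(m):
        r = square_mod(r, table)
    return r

def pow_mod(a, e, f):
    """Generic square-and-multiply modulo f, used only to cross-check the two routines above."""
    r, a = 1, pmod(a, f)
    while e:
        if e & 1:
            r = pmod(pmul(r, a), f)
        a, e = pmod(psq(a), f), e >> 1
    return r

def divpoly_frobenius(tau_max, f, m):
    """Section 7.4 (iii): f_tau^q mod f for 0 <= tau <= tau_max from x^q mod f and s = (x^q)^{-1} mod f."""
    P = lambda a, b: pmod(pmul(a, b), f)
    xq = frobenius_residue(f, m)
    s, x2q = pinv(xq, f), P(xq, xq)                   # s exists: f = f_l with l odd has no root at x = 0
    x3q, x4q = P(x2q, xq), P(x2q, x2q)
    fq = [0, 1, xq, x4q ^ x3q ^ A6, P(x3q, x3q) ^ P(A6, x2q)]   # a6^q = a6 for a6 in F_q
    for n in range(5, tau_max + 1):
        i = n // 2
        if n % 2:
            fq.append(P(fq[i + 2], P(fq[i], P(fq[i], fq[i]))) ^ P(fq[i - 1], P(fq[i + 1], P(fq[i + 1], fq[i + 1]))))
        else:
            fq.append(P(s, P(P(fq[i + 2], fq[i]), P(fq[i - 1], fq[i - 1])) ^ P(P(fq[i - 2], fq[i]), P(fq[i + 1], fq[i + 1]))))
    return fq
```

With $l = 11$ (so $\deg f_{11} = 60$) and $q = 2^{13}$, `frobenius_residue(divpoly(11), 13)` agrees with `pow_mod(X, 1 << 13, divpoly(11))`, and `divpoly_frobenius(9, divpoly(11), 13)` agrees term by term with the $q$-th powers of the $f_\tau$ reduced modulo $f_{11}$; `lemma74_factor(3)` is $x^2 + x + 1$, whose roots are the $x$-coordinates of the points of order 8. The `divpoly` recursion is the one the text writes with $q$-th powers; here it is applied directly, and `doubling_consistent` confirms it against the curve's own doubling formula rather than trusting the transcription.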
(iv) $l$'s up to 31 were chosen in order to keep manageable the size of the space searched in the baby-step giant-step part of the method. If more memory is available, then the cases $l = 29$ and $l = 31$ may be excluded, at the expense of an increase in the time for the baby-step giant-step part.

Using the method of Section 7.3.3, $t$ modulo 64 was also computed. If $(t \bmod 64) \le 31$, then $t$ modulo 128 was computed (for this only the division polynomials $f_i(x)$, $1 \le i \le 31$, modulo the degree 32 factor of $f_{128}(x)$ were needed). Similarly, if $(t \bmod 128) \le 31$, $t$ modulo 256 was computed. In this way $t$ modulo 1024 may have been computed.

In Table 7.1, we list the time taken for the major steps in Sections 7.3.1, 7.3.2 and 7.3.3 of the algorithm for counting points on a single randomly chosen curve over $F_{2^{155}}$. As was expected, the computation of $x^q \pmod{f_l}$ dominated the time to search for an eigenvalue, while the computation of $x^{q^2}$, $y^q$ and $y^{q^2}$ modulo $f_l$ is the dominant step in the Schoof part of the algorithm. If an eigenvalue exists, then determining its sign takes negligible time. Observe that searching for an eigenvalue is a useful heuristic, and results in a significant time saving when such an eigenvalue exists. Lastly, note that the time taken to compute the division polynomials, and to compute $t$ modulo 128, is also negligible.
Table 7.1: Times (in seconds) for the major steps in Sections 7.3.1, 7.3.2 and 7.3.3 of the algorithm for counting points on a single randomly chosen curve over $F_q$, $q = 2^{155}$.

  Time to compute $f_i(x)$, $0 \le i \le 31$:   245.3
  Time to compute $t$ modulo 128:            162.7

   l      3     5     7    11    13    17    19    23     29     31
  (a)   1.7   9.4  35.6   278   469  1231  2149  4612  11939  14170
  (b)   0.1   0.7   1.1    31    69    89   458  1243    778   5252
  (c)     -     -  13.1     -     -    88     -     -     72      -
  (d)   1.7   9.7     -   247   488     -  2268  4890      -  15188
  (e)  11.5     -     -   552  1026     -  4539  9525      -  28869
  (f)   3.4     -     -   495   977     -  4536  9805      -  30141
  (g)   0.1     -     -    87   299     -  2036  6072      -  22463
  (h)   0.7     -     -   173   177     -  2018   786      -   6298
  (i)   0.9     -     -   213   348     -  1831  3444      -   9971

  Legend
  Searching for an eigenvalue of $\phi$:
  (a) Compute $x^q \pmod{f_l(x)}$.
  (b) Search for an eigenvalue.
  (c) Determine the sign of the eigenvalue.
  Schoof's algorithm:
  (d) Compute $x^{q^2} \pmod{f_l(x)}$.
  (e) Compute $y^q \pmod{f_l(x)}$.
  (f) Compute $y^{q^2} \pmod{f_l(x)}$.
  (g) Compute $f_i^q \pmod{f_l(x)}$, $0 \le i \le (l-1)/2 + 1$.
  (h) Search for $\tau$, $1 \le \tau \le (l-1)/2$.
  (i) Determine the sign of $\tau$.

In Table 7.2, we list the time for the baby-step giant-step method (Section 7.3.4) for various problem instances. The size of the space searched is $4\sqrt{q}/L$, where $L$ is the product of those $l$'s for which $t$ modulo $l$ is known.

Table 7.2: Times for the baby-step giant-step part (Section 7.3.4) for a curve over $F_{2^m}$.

    m   l's used in Sections 7.3.1, 7.3.2 and 7.3.3   Size of space searched   Time
   33   3, 5, 64                                       3.9 x 10^2               0.2 sec
   52   3, 5, 7, 11, 128                               1.8 x 10^3               0.5 sec
   65   3, 5, 7, 11, 13, 64                            2.5 x 10^4               1 sec
   82   3, 5, 7, 11, 13, 17, 64                        5.4 x 10^5               4 sec
  100   3, 5, 7, 11, 13, 17, 64                        2.8 x 10^8               1 min 43 sec
  113   3, 5, 7, 11, 13, 17, 64                        2.5 x 10^10              18 min 31 sec
  135   3, 5, 7, 11, 13, 17, 19, 23, 64                1.2 x 10^11              51 min 22 sec
  148   3, 5, 7, 11, 13, 17, 19, 23, 29, 64            3.6 x 10^11              100 min 42 sec
  155   3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 128       6.7 x 10^10              44 min 11 sec
Finally, Table 7.3 presents the total running time of the method for evaluating $\#E(F_{2^m})$ for single randomly chosen curves and several values of $m$. For a fixed $m$, the running time for counting $\#E(F_{2^m})$ has a large variance; the longest running times are observed when no eigenvalue of $\phi$ exists in $F_l$ for the largest prime $l$'s used.

Table 7.3: Total time for counting points on randomly chosen curves over $F_{2^m}$.

    m   l's for which an eigenvalue of $\phi$ was found in $F_l$   Total running time (Sections 7.3.1, 7.3.2, 7.3.3 and 7.3.4)
   33   3                                                       1 min 6 sec
   52   3, 5, 7                                                 4 min 51 sec
   65   5                                                       22 min 29 sec
   82   3, 7, 11, 13                                            57 min 46 sec
  100   5, 7, 11, 17                                            46 min 21 sec
  113   3, 7, 17                                                1 hr 8 min 7 sec
  135   3, 7, 13, 19, 23                                        5 hr 43 min 47 sec
  148   5, 7, 11, 13, 17, 19, 29                                16 hr 7 min 26 sec
  155   7, 17, 29                                               60 hr 29 min 33 sec

Computing $\#E(F_{2^{155}})$ takes roughly 61 hours on a SUN-2 SPARC-station. (The algorithm takes 61 hours or less provided that $\phi$ has an eigenvalue in either $F_{29}$ or $F_{31}$. Heuristically, one would expect this to occur about 75% of the time for random curves.) On the SPARC-station, field elements in $F_{2^{155}}$ can be multiplied at the rate of 900 multiplications per second. The special purpose chip which does the field arithmetic in $F_{2^{155}}$ can perform 250,000 multiplications per second. Since roughly 90% of all the time of the algorithm is spent in multiplying field elements in $F_{2^m}$, the use of this chip should reduce the time for computing $\#E(F_{2^{155}})$ to about 6 hours.

Possible improvements not implemented were the computation of $t$ modulo 27, and using Pollard's lambda method for catching kangaroos [123] instead of the baby-step giant-step algorithm. Pollard's method has the same expected running time as the latter method, but requires very little storage.

7.5 Recent Work

Let $K = F_q$. As was observed in Section 7.3.1, there is a degree $(l-1)/2$ factor $f(x)$ of $f_l(x)$ in $K[x]$ for those primes $l$ for which $\phi$ has distinct eigenvalues in $F_l$. If this factor exists and is known, then it may be used instead of $f_l(x)$ in Schoof's algorithm for a considerable saving in time. In unpublished work, Elkies and Miller independently showed how to construct the factor $f(x)$ without having to first construct $f_l(x)$. Charlap, Coley and Robbins [25] modified Elkies' work so that $f(x)$ can be easily computed after some one-time work. These modifications reduce the work for determining $\#E(K)$ from $O(\log^8 q)$ to $O(\log^6 q)$ bit operations. The running time of $O(\log^6 q)$ is not rigorously proved since, for example, it is assumed that $t^2 - 4q$ is a quadratic residue modulo $l$ for roughly half of all odd primes $l$. The method is described only for the case $q$ an odd prime, and the generalization to the case $q = 2^m$ does not appear to be straightforward. We are unaware of any implementations of this method.

Recently Atkin [5] described a new algorithm for computing $\#E(K)$ which uses modular equations. For each odd prime $l$, the algorithm performs operations in $K[x]$ modulo a polynomial of degree $l+1$ instead of the polynomial $f_l(x)$ of degree $(l^2 - 1)/2$. Each iteration determines that $t \pmod l \in S_l$, where $S_l$ is a subset of $\{0, 1, 2, \ldots, l-1\}$, and where $|S_l| < l/2$ but usually $|S_l| \ll l/2$. This partial information for various $l$'s is then combined to reveal $t$. The algorithm has not been rigorously analyzed but performs remarkably well in practice. It is almost certain to work when $q \approx 10^{50}$, and Atkin has computed $\#E(K)$ where $q$ is an odd prime and $q \approx 10^{68}$. The algorithm was only described for the case $q$ an odd prime; however, Atkin has now modified the method for the even characteristic case. The method was implemented and the running time for computing $\#E(F_{2^{155}})$ dropped to about 9 hours. We were also able to compute $\#E(F_{2^{196}})$ in about 110 hours.

Very recently Atkin [6], inspired by Elkies' ideas, has developed and implemented a new method for computing $\#E(K)$ which uses modular equations. He has successfully computed $\#E(F_q)$ where $q$ is an odd prime and $q \approx 10^{200}$. Again, the generalization to the case of $q$ even does not appear to be straightforward.

7.6 Notes

The material of this chapter has been extracted from [97], and is reprinted here by permission of the American Mathematical Society.

In [121], Pila gives a generalization of Schoof's algorithm for computing the characteristic polynomial of the Frobenius endomorphism of an abelian variety defined over a finite field in deterministic polynomial time. In the case that the abelian variety is the Jacobian of an algebraic curve $C$ defined over $F_q$, the number of $F_q$-rational points on $C$ is then easily recovered. We are not aware of any practical implementations of this algorithm.

Cantor [23] obtained the analogue of the division polynomials of an elliptic curve for the Jacobian of hyperelliptic curves.
Bibliography

[1] G. AGNEW, T. BETH, R. MULLIN AND S. VANSTONE, "Arithmetic operations in GF(2^m)", Journal of Cryptology, to appear, 1993.
[2] G. AGNEW, R. MULLIN, I. ONYSZCHUK AND S. VANSTONE, "An implementation for a fast public-key cryptosystem", Journal of Cryptology, 3 (1991), 63-79.
[3] G. AGNEW, R. MULLIN AND S. VANSTONE, "An implementation of elliptic curve cryptosystems over F_{2^155}", IEEE Journal on Selected Areas in Communications, to appear.
[4] D. ASH, I. BLAKE AND S. VANSTONE, "Low complexity normal bases", Discrete Applied Mathematics, 25 (1989), 191-210.
[5] A. ATKIN, "The number of points on an elliptic curve modulo a prime", manuscript, 1991.
[6] A. ATKIN, personal communication, 1992.
[7] A. ATKIN AND F. MORAIN, "Elliptic curves and primality proving", Mathematics of Computation, to appear, 1993.
[8] E. BACH, "Number theoretic algorithms", Annual Review in Computer Science, 4 (1990), 119-172.
[9] A. BENDER AND G. CASTAGNOLI, "On the implementation of elliptic curve cryptosystems", Advances in Cryptology - CRYPTO '89, Lecture Notes in Computer Science, 435 (1990), Springer-Verlag, 417-426.
[10] M. BEN-OR, "Probabilistic algorithms in finite fields", 22nd Annual Symposium on Foundations of Computer Science, 394-398, 1981.
[11] T. BETH, "Efficient zero-knowledge identification scheme for smart cards", Advances in Cryptology - EUROCRYPT '88, Lecture Notes in Computer Science, 330 (1988), Springer-Verlag, 77-84.
[12] T. BETH AND F. SCHAEFER, "Non supersingular elliptic curves for public key cryptosystems", Advances in Cryptology - EUROCRYPT '91, Lecture Notes in Computer Science, 547 (1991), Springer-Verlag, 316-327.

[13] E. BIHAM AND A. SHAMIR, "Differential cryptanalysis of the full 16-round DES", Advances in Cryptology - CRYPTO '92, to appear.
[14] M. BLUM AND S. MICALI, "How to generate cryptographically strong sequences of pseudo-random bits", SIAM Journal on Computing, 13 (1984), 850-864.
[15] B. DEN BOER, "Diffie-Hellman is as strong as discrete log for certain primes", Advances in Cryptology - CRYPTO '88, Lecture Notes in Computer Science, 403 (1990), Springer-Verlag, 530-539.
[16] G. BRASSARD, Modern Cryptology: A Tutorial, Springer-Verlag, Berlin, 1988.
[17] E. BRICKELL, D. GORDON, K. MCCURLEY AND D. WILSON, "Fast exponentiation with precomputation", Advances in Cryptology - EUROCRYPT '92, to appear.
[18] E. BRICKELL AND K. MCCURLEY, "An interactive identification scheme based on discrete logarithms and factoring", Journal of Cryptology, 5 (1992), 29-39.
[19] J. BRILLHART, D. LEHMER, J. SELFRIDGE, B. TUCKERMAN AND S. WAGSTAFF, "Factorizations of b^n ± 1, b = 2, 3, 5, 6, 7, 10, 11, 12 up to high powers", Contemporary Mathematics, 22, 1983.
[20] J. BUCHMANN AND V. MULLER, "Computing the number of points of elliptic curves over finite fields", presented at International Symposium on Symbolic and Algebraic Computation, Bonn, July 1991.
[21] J. BUCHMANN AND H. WILLIAMS, "A key-exchange system based on imaginary quadratic fields", Journal of Cryptology, 1 (1988), 107-118.
[22] J. CASSELS, Lectures on Elliptic Curves, Cambridge University Press, 1991.
[23] D. CANTOR, "On the analogue of the division polynomials for hyperelliptic curves I", preprint, 1992.
[24] J. CHAHAL, Topics in Number Theory, Plenum Press, New York, 1988.
[25] L. CHARLAP, R. COLEY AND D. ROBBINS, "Enumeration of rational points on elliptic curves over finite fields", preprint, 1991.
[26] L. CHARLAP AND D. ROBBINS, "An elementary introduction to elliptic curves", CRD Expository Report No. 31, Institute for Defense Analysis, Princeton, December 1988.
[27] B. CHOR AND R. RIVEST, "A knapsack-type public key cryptosystem based on arithmetic in finite fields", IEEE Transactions on Information Theory, 34 (1988), 901-909.

[28] D. CHUDNOVSKY AND G. CHUDNOVSKY, "Sequences of numbers generated by addition in formal groups and new primality and factoring tests", Advances in Applied Mathematics, 7 (1987), 385-434.
[29] D. COPPERSMITH, "Fast evaluation of logarithms in fields of characteristic two", IEEE Transactions on Information Theory, 30 (1984), 587-594.
[30] D. COPPERSMITH, A. ODLYZKO AND R. SCHROEPPEL, "Discrete logarithms in GF(p)", Algorithmica, 1 (1986), 1-15.
[31] R. CRANDALL, "Method and apparatus for public key exchange in a cryptographic system", U.S. patent number 5,159,632, October 1992.
[32] M. DEURING, "Die Typen der Multiplikatorenringe elliptischer Funktionenkörper", Abh. Math. Sem. Univ. Hamburg, 14 (1941), 197-272.
[33] M. DIAB, "Systolic architectures for multiplication over finite field GF(2^m)", Proceedings of AAECC-9, Lecture Notes in Computer Science, 508 (1991), Springer-Verlag, 329-340.
[34] W. DIFFIE, "The first ten years of public key cryptography", in [144], 135-175.
[35] W. DIFFIE AND M. HELLMAN, "New directions in cryptography", IEEE Transactions on Information Theory, 22 (1976), 644-654.
[36] Y. DRIENCOURT AND J. MICHON, "Elliptic codes over a field of characteristic 2", Journal of Pure and Applied Algebra, 45 (1987), 15-39.
[37] S. DUSSE AND B. KALISKI, "A cryptographic library for the Motorola DSP56000", Advances in Cryptology - EUROCRYPT '90, Lecture Notes in Computer Science, 473 (1991), Springer-Verlag, 230-244.
[38] H. EBERLE, "A high-speed DES implementation for network applications", Advances in Cryptology - CRYPTO '92, to appear.
[39] T. ELGAMAL, "A public key cryptosystem and a signature scheme based on discrete logarithms", IEEE Transactions on Information Theory, 31 (1985), 469-472.
[40] T. ELGAMAL, "A subexponential-time algorithm for computing discrete logarithms over GF(p^2)", IEEE Transactions on Information Theory, 31 (1985), 473-481.
[41] M. FENG, "A VLSI architecture for fast inversion in GF(2^m)", IEEE Transactions on Computers, 38 (1989), 1383-1386.
[42] A. FIAT AND A. SHAMIR, "How to prove yourself: Practical solutions to identification and signature problems", Advances in Cryptology - CRYPTO '86, Lecture Notes in Computer Science, 263 (1987), Springer-Verlag, 186-194.

[43] G. FREY AND H. RUCK, "A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves", Mathematics of Computation, to appear.
[44] W. FULTON, Algebraic Curves, Benjamin, New York, 1969.
[45] S. GAO AND H.W. LENSTRA, "Optimal normal bases", Designs, Codes and Cryptography, 2 (1992), 315-323.
[46] G. VAN DER GEER, "Codes and elliptic curves", in Effective Methods in Algebraic Geometry, Birkhäuser, 1991, 159-168.
[47] W. GEISELMANN AND D. GOLLMANN, "VLSI design for exponentiation in GF(2^n)", Advances in Cryptology - AUSCRYPT '90, Lecture Notes in Computer Science, 453 (1990), Springer-Verlag, 398-405.
[48] S. GOLDWASSER AND J. KILIAN, "Almost all primes can be quickly certified", Proceedings of the Eighteenth Annual ACM Symposium on Theory of Computing, 316-329, 1986.
[49] S. GOLDWASSER AND S. MICALI, "Probabilistic encryption", Journal of Computer and System Sciences, 28 (1984), 270-299.
[50] D. GORDON, "Discrete logarithms in GF(p) using the number field sieve", SIAM Journal on Discrete Mathematics, to appear.
[51] D. GORDON, "Discrete logarithms in GF(p^n) using the number field sieve", preprint, 1991.
[52] D. GORDON AND K. MCCURLEY, "Massively parallel computation of discrete logarithms", Advances in Cryptology - CRYPTO '92, to appear.
[53] L. GUILLOU, M. UGON AND J. QUISQUATER, "The smart card: a standardized security device dedicated to public cryptology", in [144], 561-613.
[54] G. HARPER, A. MENEZES AND S. VANSTONE, "Public-key cryptosystems with very small key lengths", Advances in Cryptology - EUROCRYPT '92, to appear.
[55] J. HASTAD, "On using RSA with low exponent in a public key network", Advances in Cryptology - CRYPTO '85, Lecture Notes in Computer Science, 218 (1986), Springer-Verlag, 403-408.
[56] M. HELLMAN AND M. REYNERI, "Fast computation of discrete logarithms in GF(q)", Advances in Cryptology - CRYPTO '82, Plenum Press, 1983, 3-13.
[57] M. HUANG AND D. IERARDI, "Efficient algorithms for the Riemann-Roch problem and for addition in the jacobian of a curve", 31st Annual Symposium on Foundations of Computer Science, 678-687, 1991.
[58] D. HUSEMOLLER, Elliptic Curves, Springer-Verlag, New York, 1987.

[59] T. ITOH, O. TEECHAI AND S. TSUJII, "A fast algorithm for computing multiplicative inverses in GF(2^t) using normal bases" (in Japanese), J. Society for Electronic Communications (Japan), 44 (1986), 31-36.
[60] P. IVEY, S. WALKER, J. STERN AND S. DAVIDSON, "An ultra-high speed public key encryption processor", Proceedings of IEEE Custom Integrated Circuits Conference, Boston, 1992, 19.6.1-19.6.4.
[61] D. JUNGNICKEL, Finite Fields: Structure and Arithmetics, Bibliographisches Institut, Mannheim, 1993.
[62] B. KALISKI, "A pseudorandom bit generator based on elliptic logarithms", Advances in Cryptology - CRYPTO '86, Lecture Notes in Computer Science, 263 (1987), Springer-Verlag, 84-103.
[63] B. KALISKI, "Elliptic curves and cryptography: A pseudorandom bit generator and other tools", Ph.D. thesis, M.I.T., January 1988.
[64] B. KALISKI, "One-way permutations on elliptic curves", Journal of Cryptology, 3 (1991), 187-199.
[65] C. KIT AND R. LIDL, "On implementing elliptic curve cryptosystems", Contributions to General Algebra, 6 (1988), 155-166.
[66] N. KOBLITZ, Introduction to Elliptic Curves and Modular Forms, Springer-Verlag, New York, 1984.
[67] N. KOBLITZ, "Elliptic curve cryptosystems", Mathematics of Computation, 48 (1987), 203-209.
[68] N. KOBLITZ, A Course in Number Theory and Cryptography, Springer-Verlag, New York, 1987.
[69] N. KOBLITZ, "Primality of the number of points on an elliptic curve over a finite field", Pacific Journal of Mathematics, 131 (1988), 157-165.
[70] N. KOBLITZ, "Hyperelliptic cryptosystems", Journal of Cryptology, 1 (1989), 139-150.
[71] N. KOBLITZ, "Constructing elliptic curve cryptosystems in characteristic 2", Advances in Cryptology - CRYPTO '90, Lecture Notes in Computer Science, 537 (1991), Springer-Verlag, 156-167.
[72] N. KOBLITZ, "Elliptic curve implementation of zero-knowledge blobs", Journal of Cryptology, 4 (1991), 207-213.
[73] N. KOBLITZ, "CM-curves with good cryptographic properties", Advances in Cryptology - CRYPTO '91, Lecture Notes in Computer Science, 576 (1992), Springer-Verlag, 279-287.
[74] K. KOYAMA, U. MAURER, T. OKAMOTO AND S. VANSTONE, "New public-key schemes based on elliptic curves over the ring Z_{pq}", IEEE Transactions on Information Theory, to appear.

[75] K. KOYAMA AND Y. TSURUOKA, "Speeding up elliptic cryptosystems using a signed binary window method", Advances in Cryptology - CRYPTO '92, to appear.
[76] B. LA MACCHIA AND A. ODLYZKO, "Computation of discrete logarithms in prime fields", Designs, Codes and Cryptography, 1 (1991), 47-62.
[77] S. LANG, Elliptic Curves: Diophantine Analysis, Springer-Verlag, 1978.
[78] A. LENSTRA AND H.W. LENSTRA, "Algorithms in number theory", in Handbook of Theoretical Computer Science, vol. A, Algorithms and Complexity, MIT Press, Cambridge, 1990, 673-715.
[79] A. LENSTRA, H.W. LENSTRA, M. MANASSE AND J. POLLARD, "The number field sieve", Proceedings of the Twenty Second Annual ACM Symposium on Theory of Computing, 564-572, 1990.
[80] H.W. LENSTRA, "Factoring integers with elliptic curves", Annals of Mathematics, 126 (1987), 649-673.
[81] H.W. LENSTRA, "Elliptic curves and number-theoretic algorithms", Proceedings of the International Congress of Mathematicians, American Mathematical Society, Providence, RI, 1988, 99-120.
[82] H.W. LENSTRA AND C. POMERANCE, "A rigorous time bound for factoring integers", Journal of the American Mathematical Society, 5 (1992), 483-516.
[83] R. LIDL AND H. NIEDERREITER, Finite Fields, Cambridge University Press, 1987.
[84] R. LOVORN, "Rigorous, subexponential algorithms for discrete logarithms over finite fields", Ph.D. thesis, University of Georgia, 1992.
[85] K. MCCURLEY, "A key distribution system equivalent to factoring", Journal of Cryptology, 1 (1988), 95-105.
[86] K. MCCURLEY, "Cryptographic key distribution and computation in class groups", in Number Theory and Applications, Proceedings of the NATO Advanced Study Institute on Number Theory and Applications, Richard Mollin, ed., Kluwer, Boston, 1989.
[87] K. MCCURLEY, "The discrete logarithm problem", Cryptology and Computational Number Theory, Proceedings of Symposia in Applied Mathematics, 42 (1990), 49-74.
[88] R. MCELIECE, "A public-key cryptosystem based on algebraic coding theory", DSN Progress Report 42-44, Jet Propulsion Laboratory, 1978, 114-116.
[89] R.J. MCELIECE, Finite Fields for Computer Scientists and Engineers, Kluwer Academic Publishers, 1987.

[90] W. MEIER AND O. STAFFELBACH, "Efficient multiplication on certain non-supersingular elliptic curves", Advances in Cryptology - CRYPTO '92, to appear.
[91] A. MENEZES (EDITOR), I. BLAKE, X. GAO, R. MULLIN, S. VANSTONE AND T. YAGHOOBIAN, Applications of Finite Fields, Kluwer Academic Publishers, 1992.
[92] A. MENEZES, T. OKAMOTO AND S. VANSTONE, "Reducing elliptic curve logarithms to logarithms in a finite field", IEEE Transactions on Information Theory, to appear.
[93] A. MENEZES AND S. VANSTONE, "The implementation of elliptic curve cryptosystems", Advances in Cryptology - AUSCRYPT '90, Lecture Notes in Computer Science, 453 (1990), Springer-Verlag, 2-13.
[94] A. MENEZES AND S. VANSTONE, "Isomorphism classes of elliptic curves over finite fields of characteristic 2", Utilitas Mathematica, 38 (1990), 135-154.
[95] A. MENEZES AND S. VANSTONE, "A note on cyclic groups, finite fields, and the discrete logarithm problem", Applicable Algebra in Engineering, Communication and Computing, 3 (1992), 67-74.
[96] A. MENEZES AND S. VANSTONE, "Elliptic curve cryptosystems and their implementation", Journal of Cryptology, to appear.
[97] A. MENEZES, S. VANSTONE AND R. ZUCCHERATO, "Counting points on elliptic curves over F_{2^m}", Mathematics of Computation, 60 (1993), 407-420.
[98] G. MENICHETTI, "Roots of affine polynomials", Annals of Discrete Mathematics, 30 (1986), 303-310.
[99] R. MERKLE, "A certified digital signature", Advances in Cryptology - CRYPTO '89, Lecture Notes in Computer Science, 435 (1990), Springer-Verlag, 218-238.
[100] V. MILLER, "Uses of elliptic curves in cryptography", Advances in Cryptology - CRYPTO '85, Lecture Notes in Computer Science, 218 (1986), Springer-Verlag, 417-426.
[101] V. MILLER, "Short programs for functions on curves", unpublished manuscript, 1986.
[102] C. MITCHELL, F. PIPER AND P. WILD, "Digital signatures", in [144], 325-378.
[103] A. MIYAJI, "On ordinary elliptic curves", Advances in Cryptology - ASIACRYPT '91, to appear.
[104] A. MIYAJI, "Elliptic curves over F_p suitable for cryptosystems", Advances in Cryptology - AUSCRYPT '92, to appear.

[105] P. MONTGOMERY, "Speeding the Pollard and elliptic curve methods of


factorization" , Mathematics of Computation, 48 (1987), 243-264.
[106] P. MONTGOMERY, "A FFT ExtenHion of the Elliptic Curve Method of
Factorization", Ph.D. thesis, UCLA, 1992.
[107] F. MORAIN AND J. OLIVOS, "Speeding up the computations on an el-
liptic curve using addition-subtract.ion chains", Theoretical Informatics
and Applications, 24 (1990), 531-543.
(108) F. MORAIN, "Building cyclic elliptic curves modulo large primes" , Ad-
vances in Cryptology - EUROCRYPT '91, Lecture Notes in Computer
Science, 547 (1991), Springer Verlag, 328-336.
(109) C. MORENO, Algebraic Curves over Finite Fields, Cambridge University
Press, 1991.
[110] R. MULLIN, I. ONYSZCHUK, S. VANSTONE AND R. WILSON, "Optimal
normal bases in GF(pn)", Discrete Applied Mathematics, 22 (1988/89),
149-161.
[111] NATIONAL BUREAU OF STANDARDS, "Data Encryption Standard", Fed-
eral Information Processing Standard, U.S. Department of Commerce,
FIPS PUB 46, Washington, DC, 1977.
[112] NATIONAL INSTITUTE FOR STANDARDS AND TECHNOLOGY, "A pro-
posed federal information processing standard for digital signature stan-
dard (DSS)", Technical Report FIPS PUB XX, Draft, August 1991.
[113] NATIONAL INSTITUTE FOR STANDARDS AND TECHNOLOGY, "An-
nouncement and specifications for a secure hash standard (SHS)", Tech-
nical Report FIPS PUB YY, Draft, January 1992.
[114] J. NECHVATAL, "Public key cryptography", in [144], 177-288.
[115] A. ODLYZKO, "Discrete logarithms and their cryptographic signifi-
cance", Advances in Cryptology - EUROCRYPT '84, Lecture Notes in
Computer Science, 209 (1985), Springer-Verlag, 224-314.
[116] A. ODLYZKO, personal communication, 1986.
[117] R. ODONI, V. VARADHARAJAN AND R. SANDERS, "Public key distri-
bution in matrix rings", Electronics Letters, 20 (1984), 386-387.
[118] T. OKAMOTO, A. FUJIOKA AND E. FUJISAKI, "An efficient digital sig-
nature scheme based on an elliptic curve over the ring Zn", Advances in
Cryptology - CRYPTO '92, to appear.
[119] J. OMURA AND J. MASSEY, "Computational method and apparatus for
finite field arithmetic", U.S. patent number 4,587,627, May 1986.
[120] P. VAN OORSCHOT, "A comparison of practical public key cryptosystems
based on integer factorization and discrete logarithms", in [144], 289-322.
[121] J. PILA, "Frobenius maps of abelian varieties and finding roots of unity
in finite fields", Mathematics of Computation, 55 (1990), 745-763.
[122] S. POHLIG AND M. HELLMAN, "An improved algorithm for computing
logarithms over GF(p) and its cryptographic significance", IEEE Trans-
actions on Information Theory, 24 (1978), 106-110.
[123] J. POLLARD, "Monte Carlo methods for index computation mod p",
Mathematics of Computation, 32 (1978), 918-924.
[124] C. POMERANCE, "Fast, rigorous factorization and discrete logarithms
algorithms", in Discrete Algorithms and Complexity, 1987, 119-143.
[125] C. POMERANCE, "Very short primality proofs", Mathematics of Com-
putation, 48 (1987), 315-322.
[126] C. POMERANCE, "Factoring", Cryptology and Computational Number
Theory, Proceedings of Symposia in Applied Mathematics, 42 (1990),
27-47.
[127] R. RIVEST, "The MD4 message digest algorithm", Advances in Cryp-
tology - CRYPTO '90, Lecture Notes in Computer Science, 537 (1991),
Springer-Verlag, 303-311.
[128] R. RIVEST, "RFC 1321: The MD5 message digest algorithm", Internet
Activities Board, April 1992.
[129] R. RIVEST, A. SHAMIR AND L. ADLEMAN, "A method for obtaining
digital signatures and public-key cryptosystems", Communications of the
ACM, 21 (1978), 120-126.
[130] T. ROSATI, "A high speed data encryption processor for public key cryp-
tography" , Proceedings of IEEE Custom Integrated Circuits Conference,
San Diego, 1989, 12.3.1 - 12.3.5.
[131] J. ROSSER AND L. SCHOENFIELD, "Approximateformulasforsomefunc-
tions of prime numbers", Illinois J. of Mathematics, 6 (1962), 64-94.
[132] H. RUCK, "A note on elliptic curves over finite fields", Mathematics of
Computation, 49 (1987), 301-304.
[133] H. RUCK, "Abelian surfaces and jacobian varieties over finite fields",
Compositio Mathematica, 76 (1990), 351-366.
[134] A. SALOMAA, Public-Key Cryptography, Springer-Verlag, Berlin, 1990.
[135] C. SCHNORR, "Efficient signature generation by smart cards", Journal
of Cryptology, 4 (1991), 161-174.
[136] R. SCHOOF, "Elliptic curves over finite fields and the computation of
square roots mod p", Mathematics of Computation, 44 (1985), 483-494.
[137] R. SCHOOF, "Nonsingular plane cubic curves over finite fields", Journal
of Combinatorial Theory, A 46 (1987), 183-211.
[138] P. SCOTT, S. SIMMONS, S. TAVARES AND L. PEPPARD, "Architec-
tures for exponentiation in GF(2m)", IEEE Journal on Selected Areas
in Communication, 6 (1988), 578-586.
[139] J. SHALLIT, personal communication, 1991.
[140] J. SILVERMAN, The Arithmetic of Elliptic Curves, Springer-Verlag, New
York, 1986.
[141] J. SILVERMAN AND J. TATE, Rational Points on Elliptic Curves,
Springer-Verlag, New York, 1992.
[142] R. SILVERMAN, "The multiple polynomial quadratic sieve", Mathemat-
ics of Computation, 48 (1987), 329-339.
[143] R. SILVERMAN AND S. WAGSTAFF, "A practical analysis of the elliptic
curve factoring algorithm", Mathematics of Computation, July 1993, to
appear.
[144] G. SIMMONS (editor), Contemporary Cryptology: The Science of Infor-
mation Integrity, IEEE Press, New York, 1991.
[145] M. SMID AND D. BRANSTAD, "The Data Encryption Standard: past
and future", in [144], 43-64.
[146] M. SMID AND D. BRANSTAD, "Response to comments on the NIST pro-
posed Digital Signature Standard", Advances in Cryptology - CRYPTO
'92, to appear.
[147] M. TSFASMAN AND S. VLADUT, Algebraic-Geometric Codes, Kluwer
Academic Publishers, Dordrecht, 1991.
[148] S. TSUJII AND T. ITOH, "An ID-based cryptosystem based on the dis-
crete logarithm problem", IEEE Journal on Selected Areas in Commu-
nications, 8 (1989), 467-473.
[149] S. VANSTONE AND R. ZUCCHERATO, "Short RSA keys and their gener-
ation", preprint, 1993.
[150] J. VOLOCH, "A note on elliptic curves over finite fields", Bull. Soc. Math.
France, 116 (1988), 455-458.
[151] C. WANG AND D. PEI, "A VLSI design for computing exponentiations
in GF(2m) and its application to generate pseudorandom number se-
quences", IEEE Transactions on Computers, 39 (1990), 258-262.
[152] E. WATERHOUSE, "Abelian varieties over finite fields", Ann. Sci. Ecole
Norm. Sup., 2 (1969), 521-560.
[153] D. WELSH, Codes and Cryptography, Clarendon Press, Oxford, 1988.
[154] R. ZUCCHERATO, personal communication, 1992.
[155] "Debating Encryption Standards". Communications of the ACM, 35
(1992), 33-54.
Index

Addition formulae 18, 21, 22
Admissible change of variables 17
Affine plane 16
Algebraic closure 15
Algorithms for logarithms
  baby-step giant-step method 50
  index-calculus method 52
  in elliptic curves 68-77
  in Pell equation curve 57
  in singular elliptic curves 55
  Pohlig-Hellman method 51
  Pollard ρ-method 50
Anomalous curve 100

Baby-step giant-step method 50, 109
Bilinearity of Weil pairing 62
Binary quadratic form 36

Canonical form of divisor 63
Ciphertext 1
Coordinate ring 29
Cusp 55

Data Encryption Standard 2
Degree of a divisor 29
Diffie-Hellman key exchange 3
Diffie-Hellman problem 3
Digital signatures 2, 5, 6
  ElGamal signature 9
  Generalized NIST signature 12
  NIST signature 10
  RSA signature 6
  Schnorr signature 10
Discrete logarithm problem 4, 49
  algorithms, see Algorithms for logarithms
  elliptic curves 68-77
  non-supersingular 77
  singular 55
  supersingular 72
Discriminant 19
Division polynomials 27, 102
Divisor 28
  canonical form 63
  degree of 29
  equivalent 32
  principal 32
  support 28
Divisor class group 32

ElGamal cryptosystem 8, 91, 95
ElGamal signature scheme 9
Elliptic curve
  addition formulae 18, 21, 22
  definition 16
  group law 17
  isomorphic 16
  j-invariant 19
  logarithm problem 70
  non-supersingular 24
  over Zn 32
  point at infinity 16
  rational point 16
  supersingular 24
  torsion point 26
  twist 47, 100
Elliptic curve cryptosystems 13
  ElGamal cryptosystem 91
  implementations 98
  non-supersingular curves 86-93
  over Zn 97
  supersingular curves 93-95
Equivalent divisors 32
Exponentiation 5
Factor base 52
Frobenius endomorphism 103
Function field 29

Generalized NIST signature 12

Hash function 9
Hasse's Theorem 23
Hyperelliptic curves 8, 116

Index-calculus method 52

j-invariant 19

Kronecker class number 36

Message digest 9
Message expansion 92, 94
Miller's algorithms
  computing Weil pairing 66
  finding group structure 79
Multiplicity of a point 31

NIST signature scheme 10
Node 55
Non-singular part 55
Non-supersingular elliptic curve 24
Normal basis 84
  inversion 85
  multiplication 84
  optimal 85
  squaring 84
Number field sieve 53, 76, 77

One-time pad 2
One-way function 4
Optimal normal basis 85
Order of a point 26

Pell equation 57
Picard group 32
Plaintext 1
Pohlig-Hellman method 51
Point at infinity 16
Poles of a function 29
Pollard ρ-method 50
Principal divisor 32
Private key 4
Private key cryptosystem 1
Projective coordinates 90, 94
Projective plane 15
Public key 4
Public key cryptosystem 4

Rank of group 25
Rational function 29
Rational point 16
Repeated square-and-multiply method 5
RSA cryptosystem 6, 97

Schnorr signature scheme 10
Schoof's algorithm 103
Signatures, see Digital signatures
Singular elliptic curve 55
Singular point 16
Smart cards 13
Subexponential algorithm 52
Supersingular elliptic curve 24
Support of a divisor 28

Torsion point 26
Trace function 36
Trapdoor one-way function 4
Type of group 25

Unconditionally secure system 2
Uniformizing parameter 30

Weierstrass equation
  discriminant of 19
  non-singular 15
  singular 16
Weil pairing
  computation 66
  definition 62
  properties 62
Weil Theorem 26

Zeros of a function 29