Schoof's algorithm

Last updated September 03, 2024

Schoof's algorithm is an efficient algorithm to count points on elliptic curves over finite fields. The algorithm has applications in elliptic curve cryptography where it is important to know the number of points to judge the difficulty of solving the discrete logarithm problem in the group of points on an elliptic curve.

Introduction
Hasse's theorem
The Frobenius endomorphism
Computation modulo primes
Case 1: ( x q 2 , y q 2 ) ≠ ± q ¯ ( x , y ) {\displaystyle (x^{q^{2}},y^{q^{2}})\neq \pm {\bar {q}}(x,y)}
Case 2: ( x q 2 , y q 2 ) = ± q ¯ ( x , y ) {\displaystyle (x^{q^{2}},y^{q^{2}})=\pm {\bar {q}}(x,y)}
Additional case l = 2 {\displaystyle l=2}
The algorithm
Complexity
Improvements to Schoof's algorithm
Implementations
See also
References

The algorithm was published by René Schoof in 1985 and it was a theoretical breakthrough, as it was the first deterministic polynomial time algorithm for counting points on elliptic curves. Before Schoof's algorithm, approaches to counting points on elliptic curves such as the naive and baby-step giant-step algorithms were, for the most part, tedious and had an exponential running time.

This article explains Schoof's approach, laying emphasis on the mathematical ideas underlying the structure of the algorithm.

Introduction

Let $E$ be an elliptic curve defined over the finite field $\mathbb {F} _{q}$ , where $q=p^{n}$ for $p$ a prime and $n$ an integer $\geq 1$ . Over a field of characteristic $\neq 2,3$ an elliptic curve can be given by a (short) Weierstrass equation

y^{2}=x^{3}+Ax+B

with $A,B\in \mathbb {F} _{q}$ . The set of points defined over $\mathbb {F} _{q}$ consists of the solutions $(a,b)\in \mathbb {F} _{q}^{2}$ satisfying the curve equation and a point at infinity $O$ . Using the group law on elliptic curves restricted to this set one can see that this set $E(\mathbb {F} _{q})$ forms an abelian group, with $O$ acting as the zero element. In order to count points on an elliptic curve, we compute the cardinality of $E(\mathbb {F} _{q})$ . Schoof's approach to computing the cardinality $\#E(\mathbb {F} _{q})$ makes use of Hasse's theorem on elliptic curves along with the Chinese remainder theorem and division polynomials.

Hasse's theorem

Hasse's theorem states that if $E/\mathbb {F} _{q}$ is an elliptic curve over the finite field $\mathbb {F} _{q}$ , then $\#E(\mathbb {F} _{q})$ satisfies

\mid q+1-\#E(\mathbb {F} _{q})\mid \leq 2{\sqrt {q}}.

This powerful result, given by Hasse in 1934, simplifies our problem by narrowing down $\#E(\mathbb {F} _{q})$ to a finite (albeit large) set of possibilities. Defining $t$ to be $q+1-\#E(\mathbb {F} _{q})$ , and making use of this result, we now have that computing the value of $t$ modulo $N$ where $N>4{\sqrt {q}}$ , is sufficient for determining $t$ , and thus $\#E(\mathbb {F} _{q})$ . While there is no efficient way to compute $t{\pmod {N}}$ directly for general $N$ , it is possible to compute $t{\pmod {l}}$ for $l$ a small prime, rather efficiently. We choose $S=\{l_{1},l_{2},...,l_{r}\}$ to be a set of distinct primes such that $\prod l_{i}=N>4{\sqrt {q}}$ . Given $t{\pmod {l_{i}}}$ for all $l_{i}\in S$ , the Chinese remainder theorem allows us to compute $t{\pmod {N}}$ .

In order to compute $t{\pmod {l}}$ for a prime $l\neq p$ , we make use of the theory of the Frobenius endomorphism $\phi$ and division polynomials. Note that considering primes $l\neq p$ is no loss since we can always pick a bigger prime to take its place to ensure the product is big enough. In any case Schoof's algorithm is most frequently used in addressing the case $q=p$ since there are more efficient, so called $p$ adic algorithms for small-characteristic fields.

The Frobenius endomorphism

Given the elliptic curve $E$ defined over $\mathbb {F} _{q}$ we consider points on $E$ over ${\bar {\mathbb {F} }}_{q}$ , the algebraic closure of $\mathbb {F} _{q}$ ; i.e. we allow points with coordinates in ${\bar {\mathbb {F} }}_{q}$ . The Frobenius endomorphism of ${\bar {\mathbb {F} }}_{q}$ over $\mathbb {F} _{q}$ extends to the elliptic curve by ${\displaystyle \phi$ .

This map is the identity on $E(\mathbb {F} _{q})$ and one can extend it to the point at infinity $O$ , making it a group morphism from $E({\bar {\mathbb {F} }}_{q})$ to itself.

The Frobenius endomorphism satisfies a quadratic polynomial which is linked to the cardinality of $E(\mathbb {F} _{q})$ by the following theorem:

Theorem: The Frobenius endomorphism given by $\phi$ satisfies the characteristic equation

\phi ^{2}-t\phi +q=0,

where

t=q+1-\#E(\mathbb {F} _{q})

Thus we have for all $P=(x,y)\in E$ that $(x^{q^{2}},y^{q^{2}})+q(x,y)=t(x^{q},y^{q})$ , where + denotes addition on the elliptic curve and $q(x,y)$ and $t(x^{q},y^{q})$ denote scalar multiplication of $(x,y)$ by $q$ and of $(x^{q},y^{q})$ by $t$ .

One could try to symbolically compute these points $(x^{q^{2}},y^{q^{2}})$ , $(x^{q},y^{q})$ and $q(x,y)$ as functions in the coordinate ring $\mathbb {F} _{q}[x,y]/(y^{2}-x^{3}-Ax-B)$ of $E$ and then search for a value of $t$ which satisfies the equation. However, the degrees get very large and this approach is impractical.

Schoof's idea was to carry out this computation restricted to points of order $l$ for various small primes $l$ . Fixing an odd prime $l$ , we now move on to solving the problem of determining $t_{l}$ , defined as $t{\pmod {l}}$ , for a given prime $l\neq 2,p$ . If a point $(x,y)$ is in the $l$ -torsion subgroup $E[l]=\{P\in E({\bar {\mathbb {F} _{q}}})\mid lP=O\}$ , then $qP={\bar {q}}P$ where ${\bar {q}}$ is the unique integer such that $q\equiv {\bar {q}}{\pmod {l}}$ and $\mid {\bar {q}}\mid <l/2$ . Note that $\phi (O)=O$ and that for any integer $r$ we have $r\phi (P)=\phi (rP)$ . Thus $\phi (P)$ will have the same order as $P$ . Thus for $(x,y)$ belonging to $E[l]$ , we also have $t(x^{q},y^{q})={\bar {t}}(x^{q},y^{q})$ if $t\equiv {\bar {t}}{\pmod {l}}$ . Hence we have reduced our problem to solving the equation

(x^{q^{2}},y^{q^{2}})+{\bar {q}}(x,y)\equiv {\bar {t}}(x^{q},y^{q}),

where ${\bar {t}}$ and ${\bar {q}}$ have integer values in $[-(l-1)/2,(l-1)/2]$ .

Computation modulo primes

The $l$ th division polynomial is such that its roots are precisely the $x$ coordinates of points of order $l$ . Thus, to restrict the computation of $(x^{q^{2}},y^{q^{2}})+{\bar {q}}(x,y)$ to the $l$ -torsion points means computing these expressions as functions in the coordinate ring of $E$ and modulo the $l$ th division polynomial. I.e. we are working in $\mathbb {F} _{q}[x,y]/(y^{2}-x^{3}-Ax-B,\psi _{l})$ . This means in particular that the degree of $X$ and $Y$ defined via $(X(x,y),Y(x,y)):=(x^{q^{2}},y^{q^{2}})+{\bar {q}}(x,y)$ is at most 1 in $y$ and at most $(l^{2}-3)/2$ in $x$ .

The scalar multiplication ${\bar {q}}(x,y)$ can be done either by double-and-add methods or by using the ${\bar {q}}$ th division polynomial. The latter approach gives:

{\bar {q}}(x,y)=(x_{\bar {q}},y_{\bar {q}})=\left(x-{\frac {\psi _{{\bar {q}}-1}\psi _{{\bar {q}}+1}}{\psi _{\bar {q}}^{2}}},{\frac {\psi _{2{\bar {q}}}}{2\psi _{\bar {q}}^{4}}}\right)

where $\psi _{n}$ is the $n$ th division polynomial. Note that $y_{\bar {q}}/y$ is a function in $x$ only and denote it by $\theta (x)$ .

We must split the problem into two cases: the case in which $(x^{q^{2}},y^{q^{2}})\neq \pm {\bar {q}}(x,y)$ , and the case in which $(x^{q^{2}},y^{q^{2}})=\pm {\bar {q}}(x,y)$ . Note that these equalities are checked modulo $\psi _{l}$ .

Case 1: $(x^{q^{2}},y^{q^{2}})\neq \pm {\bar {q}}(x,y)$

By using the addition formula for the group $E(\mathbb {F} _{q})$ we obtain:

X(x,y)=\left({\frac {y^{q^{2}}-y_{\bar {q}}}{x^{q^{2}}-x_{\bar {q}}}}\right)^{2}-x^{q^{2}}-x_{\bar {q}}.

Note that this computation fails in case the assumption of inequality was wrong.

We are now able to use the $x$ -coordinate to narrow down the choice of ${\bar {t}}$ to two possibilities, namely the positive and negative case. Using the $y$ -coordinate one later determines which of the two cases holds.

We first show that $X$ is a function in $x$ alone. Consider $(y^{q^{2}}-y_{\bar {q}})^{2}=y^{2}(y^{q^{2}-1}-y_{\bar {q}}/y)^{2}$ . Since $q^{2}-1$ is even, by replacing $y^{2}$ by $x^{3}+Ax+B$ , we rewrite the expression as

(x^{3}+Ax+B)((x^{3}+Ax+B)^{\frac {q^{2}-1}{2}}-\theta (x))

and have that

X(x)\equiv (x^{3}+Ax+B)((x^{3}+Ax+B)^{\frac {q^{2}-1}{2}}-\theta (x)){\bmod {\psi }}_{l}(x).

Here, it seems not right, we throw away $x^{q^{2}}-x_{\bar {q}}$ ?

Now if $X\equiv x_{\bar {t}}^{q}{\bmod {\psi }}_{l}(x)$ for one ${\bar {t}}\in [0,(l-1)/2]$ then ${\bar {t}}$ satisfies

\phi ^{2}(P)\mp {\bar {t}}\phi (P)+{\bar {q}}P=O

for all $l$ -torsion points $P$ .

As mentioned earlier, using $Y$ and $y_{\bar {t}}^{q}$ we are now able to determine which of the two values of ${\bar {t}}$ ( ${\bar {t}}$ or $-{\bar {t}}$ ) works. This gives the value of $t\equiv {\bar {t}}{\pmod {l}}$ . Schoof's algorithm stores the values of ${\bar {t}}{\pmod {l}}$ in a variable $t_{l}$ for each prime $l$ considered.

Case 2: $(x^{q^{2}},y^{q^{2}})=\pm {\bar {q}}(x,y)$

We begin with the assumption that $(x^{q^{2}},y^{q^{2}})={\bar {q}}(x,y)$ . Since $l$ is an odd prime it cannot be that ${\bar {q}}(x,y)=-{\bar {q}}(x,y)$ and thus ${\bar {t}}\neq 0$ . The characteristic equation yields that ${\bar {t}}\phi (P)=2{\bar {q}}P$ . And consequently that ${\bar {t}}^{2}{\bar {q}}\equiv (2q)^{2}{\pmod {l}}$ . This implies that $q$ is a square modulo $l$ . Let $q\equiv w^{2}{\pmod {l}}$ . Compute $w\phi (x,y)$ in $\mathbb {F} _{q}[x,y]/(y^{2}-x^{3}-Ax-B,\psi _{l})$ and check whether ${\bar {q}}(x,y)=w\phi (x,y)$ . If so, $t_{l}$ is $\pm 2w{\pmod {l}}$ depending on the y-coordinate.

If $q$ turns out not to be a square modulo $l$ or if the equation does not hold for any of $w$ and $-w$ , our assumption that $(x^{q^{2}},y^{q^{2}})=+{\bar {q}}(x,y)$ is false, thus $(x^{q^{2}},y^{q^{2}})=-{\bar {q}}(x,y)$ . The characteristic equation gives $t_{l}=0$ .

Additional case $l=2$

If you recall, our initial considerations omit the case of $l=2$ . Since we assume $q$ to be odd, $q+1-t\equiv t{\pmod {2}}$ and in particular, $t_{2}\equiv 0{\pmod {2}}$ if and only if $E(\mathbb {F} _{q})$ has an element of order 2. By definition of addition in the group, any element of order 2 must be of the form $(x_{0},0)$ . Thus $t_{2}\equiv 0{\pmod {2}}$ if and only if the polynomial $x^{3}+Ax+B$ has a root in $\mathbb {F} _{q}$ , if and only if $\gcd(x^{q}-x,x^{3}+Ax+B)\neq 1$ .

The algorithm

    Input:         1. An elliptic curve  $E=y^{2}-x^{3}-Ax-B$ .         2. An integer  $q$  for a finite field  $F_{q}$  with  $q=p^{b},b\geq 1$ .     Output:         The number of points of  $E$  over  $F_{q}$ .     Choose a set of odd primes  $S$  not containing  $p$ such that  $N=\prod _{l\in S}l>4{\sqrt {q}}.$ Put $t_{2}=0$ if $\gcd(x^{q}-x,x^{3}+Ax+B)\neq 1$ , else $t_{2}=1$ .Compute the division polynomial  $\psi _{l}$ .      All computations in the loop below are performed in the ring  $\mathbb {F} _{q}[x,y]/(y^{2}-x^{3}-Ax-B,\psi _{l}).$ For $l\in S$ do:Let ${\bar {q}}$  be the unique integersuch that   $q\equiv {\bar {q}}{\pmod {l}}$  and  $\mid {\bar {q}}\mid <l/2$ .Compute  $(x^{q},y^{q})$ ,  $(x^{q^{2}},y^{q^{2}})$  and  $(x_{\bar {q}},y_{\bar {q}})$ .if $x^{q^{2}}\neq x_{\bar {q}}$ thenCompute  $(X,Y)$ .for $1\leq {\bar {t}}\leq (l-1)/2$ do:if $X=x_{\bar {t}}^{q}$ thenif $Y=y_{\bar {t}}^{q}$ then $t_{l}={\bar {t}}$ ;else $t_{l}=-{\bar {t}}$ .else if $q$  is a square modulo  $l$ thencompute  $w$  with  $q\equiv w^{2}{\pmod {l}}$ compute  $w(x^{q},y^{q})$ if $w(x^{q},y^{q})=(x^{q^{2}},y^{q^{2}})$ then $t_{l}=2w$ else if $w(x^{q},y^{q})=(x^{q^{2}},-y^{q^{2}})$ then $t_{l}=-2w$ else $t_{l}=0$ else $t_{l}=0$      Use the Chinese Remainder Theorem to compute  $t$  modulo  $N$          from the equations  $t\equiv t_{l}{\pmod {l}}$ , where  $l\in S$ .     Output  $q+1-t$ .

Complexity

Most of the computation is taken by the evaluation of $\phi (P)$ and $\phi ^{2}(P)$ , for each prime $l$ , that is computing $x^{q}$ , $y^{q}$ , $x^{q^{2}}$ , $y^{q^{2}}$ for each prime $l$ . This involves exponentiation in the ring $R=\mathbb {F} _{q}[x,y]/(y^{2}-x^{3}-Ax-B,\psi _{l})$ and requires $O(\log q)$ multiplications. Since the degree of $\psi _{l}$ is ${\frac {l^{2}-1}{2}}$ , each element in the ring is a polynomial of degree $O(l^{2})$ . By the prime number theorem, there are around $O(\log q)$ primes of size $O(\log q)$ , giving that $l$ is $O(\log q)$ and we obtain that $O(l^{2})=O(\log ^{2}q)$ . Thus each multiplication in the ring $R$ requires $O(\log ^{4}q)$ multiplications in $\mathbb {F} _{q}$ which in turn requires $O(\log ^{2}q)$ bit operations. In total, the number of bit operations for each prime $l$ is $O(\log ^{7}q)$ . Given that this computation needs to be carried out for each of the $O(\log q)$ primes, the total complexity of Schoof's algorithm turns out to be $O(\log ^{8}q)$ . Using fast polynomial and integer arithmetic reduces this to ${\tilde {O}}(\log ^{5}q)$ .

Improvements to Schoof's algorithm

In the 1990s, Noam Elkies, followed by A. O. L. Atkin, devised improvements to Schoof's basic algorithm by restricting the set of primes $S=\{l_{1},\ldots ,l_{s}\}$ considered before to primes of a certain kind. These came to be called Elkies primes and Atkin primes respectively. A prime $l$ is called an Elkies prime if the characteristic equation: $\phi ^{2}-t\phi +q=0$ splits over $\mathbb {F} _{l}$ , while an Atkin prime is a prime that is not an Elkies prime. Atkin showed how to combine information obtained from the Atkin primes with the information obtained from Elkies primes to produce an efficient algorithm, which came to be known as the Schoof–Elkies–Atkin algorithm. The first problem to address is to determine whether a given prime is Elkies or Atkin. In order to do so, we make use of modular polynomials, which come from the study of modular forms and an interpretation of elliptic curves over the complex numbers as lattices. Once we have determined which case we are in, instead of using division polynomials, we are able to work with a polynomial that has lower degree than the corresponding division polynomial: $O(l)$ rather than $O(l^{2})$ . For efficient implementation, probabilistic root-finding algorithms are used, which makes this a Las Vegas algorithm rather than a deterministic algorithm. Under the heuristic assumption that approximately half of the primes up to an $O(\log q)$ bound are Elkies primes, this yields an algorithm that is more efficient than Schoof's, with an expected running time of $O(\log ^{6}q)$ using naive arithmetic, and ${\tilde {O}}(\log ^{4}q)$ using fast arithmetic. Although this heuristic assumption is known to hold for most elliptic curves, it is not known to hold in every case, even under the GRH.

Implementations

Several algorithms were implemented in C++ by Mike Scott and are available with source code. The implementations are free (no terms, no conditions), and make use of the MIRACL library which is distributed under the AGPLv3.

Schoof's algorithm implementation for $E(\mathbb {F} _{p})$ with prime $p$ .
Schoof's algorithm implementation for $E(\mathbb {F} _{2^{m}})$ .

Related Research Articles

In mathematics, the Chinese remainder theorem states that if one knows the remainders of the Euclidean division of an integer n by several integers, then one can determine uniquely the remainder of the division of n by the product of these integers, under the condition that the divisors are pairwise coprime.

Shor's algorithm is a quantum algorithm for finding the prime factors of an integer. It was developed in 1994 by the American mathematician Peter Shor. It is one of the few known quantum algorithms with compelling potential applications and strong evidence of superpolynomial speedup compared to best known classical (non-quantum) algorithms. On the other hand, factoring numbers of practical significance requires far more qubits than available in the near future. Another concern is that noise in quantum circuits may undermine results, requiring additional qubits for quantum error correction.

In analytic number theory and related branches of mathematics, a complex-valued arithmetic function $:\mathbb {Z} \rightarrow \mathbb {C} }$ is a Dirichlet character of modulus if for all integers $and :$

$that is, is completely multiplicative.$
$; that is, is periodic with period .$

In theoretical computer science and cryptography, a trapdoor function is a function that is easy to compute in one direction, yet difficult to compute in the opposite direction without special information, called the "trapdoor". Trapdoor functions are a special case of one-way functions and are widely used in public-key cryptography.

In mathematics, the Lucas–Lehmer test (LLT) is a primality test for Mersenne numbers. The test was originally developed by Édouard Lucas in 1878 and subsequently proved by Derrick Henry Lehmer in 1930.

The AKS primality test is a deterministic primality-proving algorithm created and published by Manindra Agrawal, Neeraj Kayal, and Nitin Saxena, computer scientists at the Indian Institute of Technology Kanpur, on August 6, 2002, in an article titled "PRIMES is in P". The algorithm was the first one which is able to determine in polynomial time, whether a given number is prime or composite and this without relying on mathematical conjectures such as the generalized Riemann hypothesis. The proof is also notable for not relying on the field of analysis. In 2006 the authors received both the Gödel Prize and Fulkerson Prize for their work.

The quadratic sieve algorithm (QS) is an integer factorization algorithm and, in practice, the second-fastest method known. It is still the fastest for integers under 100 decimal digits or so, and is considerably simpler than the number field sieve. It is a general-purpose factorization algorithm, meaning that its running time depends solely on the size of the integer to be factored, and not on special structure or properties. It was invented by Carl Pomerance in 1981 as an improvement to Schroeppel's linear sieve.

In computational number theory, the index calculus algorithm is a probabilistic algorithm for computing discrete logarithms. Dedicated to the discrete logarithm in $where is a prime, index calculus leads to a family of algorithms adapted to finite fields and to some families of elliptic curves. The algorithm collects relations among the discrete logarithms of small primes, computes them by a linear algebra procedure and finally expresses the desired discrete logarithm with respect to the discrete logarithms of small primes.$

In number theory, the law of quadratic reciprocity, like the Pythagorean theorem, has lent itself to an unusually large number of proofs. Several hundred proofs of the law of quadratic reciprocity have been published.

The Tonelli–Shanks algorithm is used in modular arithmetic to solve for r in a congruence of the form r² ≡ n, where p is a prime: that is, to find a square root of n modulo p.

The Schoof–Elkies–Atkin algorithm (SEA) is an algorithm used for finding the order of or calculating the number of points on an elliptic curve over a finite field. Its primary application is in elliptic curve cryptography. The algorithm is an extension of Schoof's algorithm by Noam Elkies and A. O. L. Atkin to significantly improve its efficiency.

In computational algebra, the Cantor–Zassenhaus algorithm is a method for factoring polynomials over finite fields.

The Benaloh Cryptosystem is an extension of the Goldwasser-Micali cryptosystem (GM) created in 1985 by Josh (Cohen) Benaloh. The main improvement of the Benaloh Cryptosystem over GM is that longer blocks of data can be encrypted at once, whereas in GM each bit is encrypted individually.

CEILIDH is a public key cryptosystem based on the discrete logarithm problem in algebraic torus. This idea was first introduced by Alice Silverberg and Karl Rubin in 2003; Silverberg named CEILIDH after her cat. The main advantage of the system is the reduced size of the keys for the same security over basic schemes.

An important aspect in the study of elliptic curves is devising effective ways of counting points on the curve. There have been several approaches to do so, and the algorithms devised have proved to be useful tools in the study of various fields such as number theory, and more recently in cryptography and Digital Signature Authentication. While in number theory they have important consequences in the solving of Diophantine equations, with respect to cryptography, they enable us to make effective use of the difficulty of the discrete logarithm problem (DLP) for the group $, of elliptic curves over a finite field, where q = p k and p is a prime. The DLP, as it has come to be known, is a widely used approach to public key cryptography, and the difficulty in solving this problem determines the level of security of the cryptosystem. This article covers algorithms to count points on elliptic curves over fields of large characteristic, in particular p > 3. For curves over fields of small characteristic more efficient algorithms based on p -adic methods exist.$

In mathematics the division polynomials provide a way to calculate multiples of points on elliptic curves and to study the fields generated by torsion points. They play a central role in the study of counting points on elliptic curves in Schoof's algorithm.

In mathematics the Function Field Sieve is one of the most efficient algorithms to solve the Discrete Logarithm Problem (DLP) in a finite field. It has heuristic subexponential complexity. Leonard Adleman developed it in 1994 and then elaborated it together with M. D. Huang in 1999. Previous work includes the work of D. Coppersmith about the DLP in fields of characteristic two.

In mathematics, elliptic curve primality testing techniques, or elliptic curve primality proving (ECPP), are among the quickest and most widely used methods in primality proving. It is an idea put forward by Shafi Goldwasser and Joe Kilian in 1986 and turned into an algorithm by A. O. L. Atkin the same year. The algorithm was altered and improved by several collaborators subsequently, and notably by Atkin and François Morain, in 1993. The concept of using elliptic curves in factorization had been developed by H. W. Lenstra in 1985, and the implications for its use in primality testing followed quickly.

In cryptography, FourQ is an elliptic curve developed by Microsoft Research. It is designed for key agreements schemes and digital signatures (Schnorr), and offers about 128 bits of security. It is equipped with a reference implementation made by the authors of the original paper. The open source implementation is called FourQlib and runs on Windows and Linux and is available for x86, x64, and ARM. It is licensed under the MIT License and the source code is available on GitHub.

In number theory, Berlekamp's root finding algorithm, also called the Berlekamp–Rabin algorithm, is the probabilistic method of finding roots of polynomials over the field $with elements. The method was discovered by Elwyn Berlekamp in 1970 as an auxiliary to the algorithm for polynomial factorization over finite fields. The algorithm was later modified by Rabin for arbitrary finite fields in 1979. The method was also independently discovered before Berlekamp by other researchers.$

References

R. Schoof: Elliptic Curves over Finite Fields and the Computation of Square Roots mod p. Math. Comp., 44(170):483–494, 1985. Available at http://www.mat.uniroma2.it/~schoof/ctpts.pdf
R. Schoof: Counting Points on Elliptic Curves over Finite Fields. J. Theor. Nombres Bordeaux 7:219–254, 1995. Available at http://www.mat.uniroma2.it/~schoof/ctg.pdf
G. Musiker: Schoof's Algorithm for Counting Points on $E(\mathbb {F} _{q})$ . Available at http://www.math.umn.edu/~musiker/schoof.pdf
V. Müller : Die Berechnung der Punktanzahl von elliptischen kurven über endlichen Primkörpern. Master's Thesis. Universität des Saarlandes, Saarbrücken, 1991. Available at http://lecturer.ukdw.ac.id/vmueller/publications.php
A. Enge: Elliptic Curves and their Applications to Cryptography: An Introduction. Kluwer Academic Publishers, Dordrecht, 1999.
L. C. Washington: Elliptic Curves: Number Theory and Cryptography. Chapman & Hall/CRC, New York, 2003.
N. Koblitz: A Course in Number Theory and Cryptography, Graduate Texts in Math. No. 114, Springer-Verlag, 1987. Second edition, 1994

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

v t e Number-theoretic algorithms
Primality tests	AKS APR Baillie–PSW Elliptic curve Pocklington Fermat Lucas Lucas–Lehmer Lucas–Lehmer–Riesel Proth's theorem Pépin's Quadratic Frobenius Solovay–Strassen Miller–Rabin
Prime-generating	Sieve of Atkin Sieve of Eratosthenes Sieve of Pritchard Sieve of Sundaram Wheel factorization
Integer factorization	Continued fraction (CFRAC) Dixon's Lenstra elliptic curve (ECM) Euler's Pollard's rho p − 1 p + 1 Quadratic sieve (QS) General number field sieve (GNFS) Special number field sieve (SNFS) Rational sieve Fermat's Shanks's square forms Trial division Shor's
Multiplication	Ancient Egyptian Long Karatsuba Toom–Cook Schönhage–Strassen Fürer's
Euclidean division	Binary Chunking Fourier Goldschmidt Newton-Raphson Long Short SRT
Discrete logarithm	Baby-step giant-step Pollard rho Pollard kangaroo Pohlig–Hellman Index calculus Function field sieve
Greatest common divisor	Binary Euclidean Extended Euclidean Lehmer's
Modular square root	Cipolla Pocklington's Tonelli–Shanks Berlekamp Kunerth
Other algorithms	Chakravala Cornacchia Exponentiation by squaring Integer square root Integer relation (LLL; KZ) Modular exponentiation Montgomery reduction Schoof Trachtenberg system
Italics indicate that algorithm is for numbers of special forms