Counting points on elliptic curves

An important aspect in the study of elliptic curves is devising effective ways of counting points on the curve. There have been several approaches to do so, and the algorithms devised have proved to be useful tools in the study of various fields such as number theory, and more recently in cryptography and Digital Signature Authentication (See elliptic curve cryptography and elliptic curve DSA). While in number theory they have important consequences in the solving of Diophantine equations, with respect to cryptography, they enable us to make effective use of the difficulty of the discrete logarithm problem (DLP) for the group ${\displaystyle E(\mathbb {F} _{q})}$, of elliptic curves over a finite field ${\displaystyle \mathbb {F} _{q}}$, where q = p^k and p is a prime. The DLP, as it has come to be known, is a widely used approach to public key cryptography, and the difficulty in solving this problem determines the level of security of the cryptosystem. This article covers algorithms to count points on elliptic curves over fields of large characteristic, in particular p > 3. For curves over fields of small characteristic more efficient algorithms based on p-adic methods exist.

Approaches to counting points on elliptic curves

There are several approaches to the problem. Beginning with the naive approach, we trace the developments up to Schoof's definitive work on the subject, while also listing the improvements to Schoof's algorithm made by Elkies (1990) and Atkin (1992).

Several algorithms make use of the fact that groups of the form ${\displaystyle E(\mathbb {F} _{q})}$ are subject to an important theorem due to Hasse, that bounds the number of points to be considered. Hasse's theorem states that if E is an elliptic curve over the finite field ${\displaystyle \mathbb {F} _{q}}$, then the cardinality of ${\displaystyle E(\mathbb {F} _{q})}$ satisfies

${\displaystyle ||E(\mathbb {F} _{q})|-(q+1)|\leq 2{\sqrt {q}}.\,}$

Naive approach

The naive approach to counting points, which is the least sophisticated, involves running through all the elements of the field ${\displaystyle \mathbb {F} _{q}}$ and testing which ones satisfy the Weierstrass form of the elliptic curve

${\displaystyle y^{2}=x^{3}+Ax+B.\,}$

Example

Let E be the curve y² = x³ + x + 1 over ${\displaystyle \mathbb {F} _{5}}$. To count points on E, we make a list of the possible values of x, then of the quadratic residues of x mod 5 (for lookup purpose only), then of x³ + x + 1 mod 5, then of y of x³ + x + 1 mod 5. This yields the points on E.

${\displaystyle x}$	${\displaystyle x^{2}}$	${\displaystyle x^{3}+x+1}$	${\displaystyle y}$	Points
${\displaystyle \quad 0}$	${\displaystyle 0}$	${\displaystyle 1}$	${\displaystyle 1,4}$	${\displaystyle (0,1),(0,4)}$
${\displaystyle \quad 1}$	${\displaystyle 1}$	${\displaystyle 3}$	${\displaystyle -}$	${\displaystyle -}$
${\displaystyle \quad 2}$	${\displaystyle 4}$	${\displaystyle 1}$	${\displaystyle 1,4}$	${\displaystyle (2,1),(2,4)}$
${\displaystyle \quad 3}$	${\displaystyle 4}$	${\displaystyle 1}$	${\displaystyle 1,4}$	${\displaystyle (3,1),(3,4)}$
${\displaystyle \quad 4}$	${\displaystyle 1}$	${\displaystyle 4}$	${\displaystyle 2,3}$	${\displaystyle (4,2),(4,3)}$

E.g. the last row is computed as follows: If you insert ${\displaystyle x=4}$ in the equation x³ + x + 1 mod 5 you get ${\displaystyle 4}$ as result (3rd column). This result can be achieved if ${\displaystyle y=2,3}$ (Quadratic residues can be looked up in the 2nd column). So the points for the last row are ${\displaystyle (4,2),(4,3)}$.

Therefore, ${\displaystyle E(\mathbb {F} _{5})}$ has cardinality of 9: the 8 points listed before and the point at infinity.

This algorithm requires running time O(q), because all the values of ${\displaystyle x\in \mathbb {F} _{q}}$ must be considered.

Baby-step giant-step

An improvement in running time is obtained using a different approach: we pick an element ${\displaystyle P=(x,y)\in E(\mathbb {F} _{q})}$ by selecting random values of ${\displaystyle x}$ until ${\displaystyle x^{3}+Ax+B}$ is a square in ${\displaystyle \mathbb {F} _{q}}$ and then computing the square root of this value in order to get ${\displaystyle y}$. Hasse's theorem tells us that ${\displaystyle |E(\mathbb {F} _{q})|}$ lies in the interval ${\displaystyle (q+1-2{\sqrt {q}},q+1+2{\sqrt {q}})}$. Thus, by Lagrange's theorem, finding a unique ${\displaystyle M}$ lying in this interval and satisfying ${\displaystyle MP=O}$, results in finding the cardinality of ${\displaystyle E(\mathbb {F} _{q})}$. The algorithm fails if there exist two distinct integers ${\displaystyle M}$ and ${\displaystyle M'}$ in the interval such that ${\displaystyle MP=M'P=O}$. In such a case it usually suffices to repeat the algorithm with another randomly chosen point in ${\displaystyle E(\mathbb {F} _{q})}$.

Trying all values of ${\displaystyle M}$ in order to find the one that satisfies ${\displaystyle MP=O}$ takes around ${\displaystyle 4{\sqrt {q}}}$ steps.

However, by applying the baby-step giant-step algorithm to ${\displaystyle E(\mathbb {F} _{q})}$, we are able to speed this up to around ${\displaystyle 4{\sqrt[{4}]{q}}}$ steps. The algorithm is as follows.

The algorithm

1. choose ${\displaystyle m}$ integer, ${\displaystyle m>{\sqrt[{4}]{q}}}$ 2. FOR{${\displaystyle j=0}$ to ${\displaystyle m}$} DO  3.    ${\displaystyle P_{j}\leftarrow jP}$ 4. ENDFOR 5. ${\displaystyle L\leftarrow 1}$ 6. ${\displaystyle Q\leftarrow (q+1)P}$ 7. REPEAT compute the points ${\displaystyle Q+k(2mP)}$ 8. UNTIL${\displaystyle \exists j}$: ${\displaystyle Q+k(2mP)=\pm P_{j}}$  \\the ${\displaystyle x}$-coordinates are compared 9. ${\displaystyle M\leftarrow q+1+2mk\mp j}$     \\note ${\displaystyle MP=O}$ 10. Factor ${\displaystyle M}$. Let ${\displaystyle p_{1},\ldots ,p_{r}}$ be the distinct prime factors of ${\displaystyle M}$. 11. WHILE${\displaystyle i\leq r}$DO 12.    IF${\displaystyle {\frac {M}{p_{i}}}P=O}$ 13.       THEN${\displaystyle M\leftarrow {\frac {M}{p_{i}}}}$ 14.       ELSE${\displaystyle i\leftarrow i+1}$  15.    ENDIF 16. ENDWHILE 17. ${\displaystyle L\leftarrow \operatorname {lcm} (L,M)}$     \\note ${\displaystyle M}$ is the order of the point ${\displaystyle P}$ 18. WHILE${\displaystyle L}$ divides more than one integer ${\displaystyle N}$ in ${\displaystyle (q+1-2{\sqrt {q}},q+1+2{\sqrt {q}})}$ 19.    DO choose a new point ${\displaystyle P}$ and go to 1. 20. ENDWHILE 21. RETURN${\displaystyle N}$     \\it is the cardinality of ${\displaystyle E(\mathbb {F} _{q})}$

Notes to the algorithm

• In line 8. we assume the existence of a match. Indeed, the following lemma assures that such a match exists:

Let ${\displaystyle a}$ be an integer with ${\displaystyle |a|\leq 2m^{2}}$. There exist integers ${\displaystyle a_{0}}$ and ${\displaystyle a_{1}}$ with

${\displaystyle -m<a_{0}\leq m{\mbox{ and }}-m\leq a_{1}\leq m{\mbox{ s.t. }}a=a_{0}+2ma_{1}.}$

• Computing ${\displaystyle (j+1)P}$ once ${\displaystyle jP}$ has been computed can be done by adding ${\displaystyle P}$ to ${\displaystyle jP}$ instead of computing the complete scalar multiplication anew. The complete computation thus requires ${\displaystyle m}$ additions. ${\displaystyle 2mP}$ can be obtained with one doubling from ${\displaystyle mP}$. The computation of ${\displaystyle Q}$ requires ${\displaystyle \log(q+1)}$ doublings and ${\displaystyle w}$ additions, where ${\displaystyle w}$ is the number of nonzero digits in the binary representation of ${\displaystyle q+1}$; note that knowledge of the ${\displaystyle jP}$ and ${\displaystyle 2mP}$ allows us to reduce the number of doublings. Finally, to get from ${\displaystyle Q+k(2mP)}$ to ${\displaystyle Q+(k+1)(2mP)}$, simply add ${\displaystyle 2mP}$ rather than recomputing everything.
• We are assuming that we can factor ${\displaystyle M}$. If not, we can at least find all the small prime factors ${\displaystyle p_{i}}$ and check that ${\displaystyle {\frac {M}{p_{i}}}\neq O}$ for these. Then ${\displaystyle M}$ will be a good candidate for the order of ${\displaystyle P}$.
• The conclusion of step 17 can be proved using elementary group theory: since ${\displaystyle MP=O}$, the order of ${\displaystyle P}$ divides ${\displaystyle M}$. If no proper divisor ${\displaystyle {\bar {M}}}$ of ${\displaystyle M}$ realizes ${\displaystyle {\bar {M}}P=O}$, then ${\displaystyle M}$ is the order of ${\displaystyle P}$.

One drawback of this method is that there is a need for too much memory when the group becomes large. In order to address this, it might be more efficient to store only the ${\displaystyle x}$ coordinates of the points ${\displaystyle jP}$ (along with the corresponding integer ${\displaystyle j}$). However, this leads to an extra scalar multiplication in order to choose between ${\displaystyle -j}$ and ${\displaystyle +j}$.

There are other generic algorithms for computing the order of a group element that are more space efficient, such as Pollard's rho algorithm and the Pollard kangaroo method. The Pollard kangaroo method allows one to search for a solution in a prescribed interval, yielding a running time of ${\displaystyle O({\sqrt[{4}]{q}})}$, using ${\displaystyle O(\log ^{2}{q})}$ space.

Schoof's algorithm

Main article: Schoof's algorithm

A theoretical breakthrough for the problem of computing the cardinality of groups of the type ${\displaystyle E(\mathbb {F} _{q})}$ was achieved by René Schoof, who, in 1985, published the first deterministic polynomial time algorithm. Central to Schoof's algorithm are the use of division polynomials and Hasse's theorem, along with the Chinese remainder theorem.

Schoof's insight exploits the fact that, by Hasse's theorem, there is a finite range of possible values for ${\displaystyle |E(\mathbb {F} _{q})|}$. It suffices to compute ${\displaystyle |E(\mathbb {F} _{q})|}$ modulo an integer ${\displaystyle N>4{\sqrt {q}}}$. This is achieved by computing ${\displaystyle |E(\mathbb {F} _{q})|}$ modulo primes ${\displaystyle \ell _{1},\ldots ,\ell _{s}}$ whose product exceeds ${\displaystyle 4{\sqrt {q}}}$, and then applying the Chinese remainder theorem. The key to the algorithm is using the division polynomial ${\displaystyle \psi _{\ell }}$ to efficiently compute ${\displaystyle |E(\mathbb {F} _{q})|}$ modulo ${\displaystyle \ell }$.

The running time of Schoof's Algorithm is polynomial in ${\displaystyle n=\log {q}}$, with an asymptotic complexity of ${\displaystyle O(n^{2}M(n^{3})/\log {n})=O(n^{5+o(1)})}$, where ${\displaystyle M(n)}$ denotes the complexity of integer multiplication. Its space complexity is ${\displaystyle O(n^{3})}$.

Schoof–Elkies–Atkin algorithm

Main article: Schoof–Elkies–Atkin algorithm

In the 1990s, Noam Elkies, followed by A. O. L. Atkin devised improvements to Schoof's basic algorithm by making a distinction among the primes ${\displaystyle \ell _{1},\ldots ,\ell _{s}}$ that are used. A prime ${\displaystyle \ell }$ is called an Elkies prime if the characteristic equation of the Frobenius endomorphism, ${\displaystyle \phi ^{2}-t\phi +q=0}$, splits over ${\displaystyle \mathbb {F} _{\ell }}$. Otherwise ${\displaystyle \ell }$ is called an Atkin prime. Elkies primes are the key to improving the asymptotic complexity of Schoof's algorithm. Information obtained from the Atkin primes permits a further improvement which is asymptotically negligible but can be quite important in practice. The modification of Schoof's algorithm to use Elkies and Atkin primes is known as the Schoof–Elkies–Atkin (SEA) algorithm.

The status of a particular prime ${\displaystyle \ell }$ depends on the elliptic curve ${\displaystyle E/\mathbb {F} _{q}}$, and can be determined using the modular polynomial ${\displaystyle \Psi _{\ell }(X,Y)}$. If the univariate polynomial ${\displaystyle \Psi _{\ell }(X,j(E))}$ has a root in ${\displaystyle \mathbb {F} _{q}}$, where ${\displaystyle j(E)}$ denotes the j-invariant of ${\displaystyle E}$, then ${\displaystyle \ell }$ is an Elkies prime, and otherwise it is an Atkin prime. In the Elkies case, further computations involving modular polynomials are used to obtain a proper factor of the division polynomial ${\displaystyle \psi _{\ell }}$. The degree of this factor is ${\displaystyle O(\ell )}$, whereas ${\displaystyle \psi _{\ell }}$ has degree ${\displaystyle O(\ell ^{2})}$.

Unlike Schoof's algorithm, the SEA algorithm is typically implemented as a probabilistic algorithm (of the Las Vegas type), so that root-finding and other operations can be performed more efficiently. Its computational complexity is dominated by the cost of computing the modular polynomials ${\displaystyle \Psi _{\ell }(X,Y)}$, but as these do not depend on ${\displaystyle E}$, they may be computed once and reused. Under the heuristic assumption that there are sufficiently many small Elkies primes, and excluding the cost of computing modular polynomials, the asymptotic running time of the SEA algorithm is ${\displaystyle O(n^{2}M(n^{2})/\log {n})=O(n^{4+o(1)})}$, where ${\displaystyle n=\log {q}}$. Its space complexity is ${\displaystyle O(n^{3}\log {n})}$, but when precomputed modular polynomials are used this increases to ${\displaystyle O(n^{4})}$.

See also

• Schoof's algorithm
• Elliptic curve cryptography
• Baby-step giant-step
• Public key cryptography
• Schoof–Elkies–Atkin algorithm
• Pollard rho
• Pollard kangaroo
• Elliptic curve primality proving

Bibliography

• I. Blake, G. Seroussi, and N. Smart: Elliptic Curves in Cryptography, Cambridge University Press, 1999.
• A. Enge: Elliptic Curves and their Applications to Cryptography: An Introduction. Kluwer Academic Publishers, Dordrecht, 1999.
• G. Musiker: Schoof's Algorithm for Counting Points on ${\displaystyle E(\mathbb {F} _{q})}$. Available at http://www.math.umn.edu/~musiker/schoof.pdf
• R. Schoof: Counting Points on Elliptic Curves over Finite Fields. J. Theor. Nombres Bordeaux 7:219-254, 1995. Available at http://www.mat.uniroma2.it/~schoof/ctg.pdf
• L. C. Washington: Elliptic Curves: Number Theory and Cryptography. Chapman \& Hall/CRC, New York, 2003.