The aim of this paper is to describe the theory and implementation of the Elliptic Curve Primality Proving algorithm.

. --We describe three algorithms to count the number of points on an elliptic curve over a finite field. The first one is very practical when the finite field is not too large; it is based on Shanks's baby-step-giant-step strategy. The second algorithm is very efficient when the endomorphism ring of the curve is known. It exploits the natural lattice structure of this ring. The third algorithm is based on calculations with the torsion points of the elliptic curve [18]. This deterministic polynomial time algorithm was impractical in its original form. We discuss several practical improvements by Atkin and Elkies. 1. Introduction. Let p be a large prime and let E be an elliptic curve over F p given by a Weierstraß equation Y 2 = X 3 +AX +B for some A, B 2 F p . Since the curve is not singular we have that 4A 3 + 27B 2 6j 0 (mod p). We describe several methods to count the rational points on E, i.e., methods to determine the number of points (x; y) on E with x; y 2 F p . Most o...

. In Pollard's rho method, an iterating function f is used to define a sequence (y i ) by y i+1 = f(y i ) for i = 0; 1; 2; : : : , with some starting value y 0 . In this paper, we define and discuss new iterating functions for computing discrete logarithms with the rho method. We compare their performances in experiments with elliptic curve groups. Our experiments show that one of our newly defined functions is expected to reduce the number of steps by a factor of approximately 0:8, in comparison with Pollard's originally used function, and we show that this holds independently of the size of the group order. For group orders large enough such that the run time for precomputation can be neglected, this means a real-time speed-up of more than 1:2. 1. Introduction Let G be a finite cyclic group, written multiplicatively, and generated by the group element g. Given an element h in G, we wish to find the least non-negative number x such that g x = h. This problem is the discre...

Abstract. The noisy polynomial interpolation problem is a new intractability assumption introduced last year in oblivious polynomial evaluation. It also appeared independently in password identification schemes, due to its connection with secret sharing schemes based on Lagrange’s polynomial interpolation. This paper presents new algorithms to solve the noisy polynomial interpolation problem. In particular, we prove a reduction from noisy polynomial interpolation to the lattice shortest vector problem, when the parameters satisfy a certain condition that we make explicit. Standard lattice reduction techniques appear to solve many instances of the problem. It follows that noisy polynomial interpolation is much easier than expected. We therefore suggest simple modifications to several cryptographic schemes recently proposed, in order to change the intractability assumption. We also discuss analogous methods for the related noisy Chinese remaindering problem arising from the well-known analogy between polynomials and integers. 1

Cryptographic schemes using elliptic curves over finite fields require the computation of the cardinality of the curves. Dramatic progress have been achieved recently in that field by various authors. The aim of this article is to highlight part of these improvements and to describe an efficient implementation of them in the particular case of the fields GF (2 n ), for n 600. 1 Introduction Elliptic curves have been used successfully to factor integers [26, 36], and prove the primality of large integers [6, 15, 4]. Moreover they turned out to be an interesting alternative to the use of Z=NZ in cryptographical schemes [33, 21]. Elliptic curve cryptosystems over finite fields have been built, see [5, 30]; some have been proposed in Z=NZ, N composite [23, 12, 42]. More applications were studied in [19, 22]. The interested reader should also consult [31]. In order to perform key exchange algorithms using an elliptic curve E over a finite field K, the cardinality of E must be known. Th...

. The heart of Schoof's algorithm for computing the cardinality m of an elliptic curve over a finite field is the computation of m modulo small primes `. Elkies and Atkin have designed practical improvements to the basic algorithm, that make use of "good" primes `. We show how to use powers of good primes in an efficient way. This is done by computing isogenies between curves over the ground field. A new structure appears, called "isogeny cycle". We investigate some properties of this structure. 1 Introduction Let E be an elliptic curve over a primitive finite field F p where p is a large prime integer. (We are not dealing with the case of small characteristic here.) The curve is given by some equation E(X; Y ) = 0 in Weierstrass form E(X; Y ) = Y 2 \Gamma X 3 \Gamma AX \Gamma B so that a generic point on the curve is given by (X; Y ) mod E . Let m be the number of points of E. It is well known that m = p + 1 \Gamma t, with t an integer satisfying jtj ! 2 p p. If p is small...

Let E 1 and E 2 be ordinary elliptic curves over a finite field Fp such that #E1 (Fp ) = #E2 (Fp ). Tate's isogeny theorem states that there is an isogeny from E1 to E2 which is defined over Fp . The goal of this paper is to describe a probabilistic algorithm for constructing such an isogeny.

Abstract. In this article we show how to generalize the CM-method for elliptic curves to genus two. We describe the algorithm in detail and discuss the results of our implementation. 1.

Abstract. The heart of the improvements by Elkies to Schoof’s algorithm for computing the cardinality of elliptic curves over a finite field is the ability to compute isogenies between curves. Elkies ’ approach is well suited for the case where the characteristic of the field is large. Couveignes showed how to compute isogenies in small characteristic. The aim of this paper is to describe the first successful implementation of Couveignes’s algorithm. In particular, we describe the use of fast algorithms for performing incremental operations on series. We also insist on the particular case of the characteristic 2. 1.

Abstract. We present a primality proving algorithm—a probabilistic primality test that produces short certificates of primality on prime inputs. We prove that the test runs in expected polynomial time for all but a vanishingly small fraction of the primes. As a corollary, we obtain an algorithm for generating large certified primes with distribution statistically close to uniform. Under the conjecture that the gap between consecutive primes is bounded by some polynomial in their size, the test is shown to run in expected polynomial time for all primes, yielding a Las Vegas primality test. Our test is based on a new methodology for applying group theory to the problem of prime certification, and the application of this methodology using groups generated by elliptic curves over finite fields. We note that our methodology and methods have been subsequently used and improved upon, most notably in the primality proving algorithm of Adleman and Huang using hyperelliptic curves and