We present a space-efficient algorithm to compute the Hilbert class polynomial HD(X) modulo a positive integer P, based on an explicit form of the Chinese Remainder Theorem. Under the Generalized Riemann Hypothesis, the algorithm uses O(|D | 1/2+ɛ log P) space and has an expected running time of O(|D | 1+ɛ). We describe practical optimizations that allow us to handle larger discriminants than other methods, with |D | as large as 1013 and h(D) up to 106. We apply these results to construct pairing-friendly elliptic curves of prime order, using the CM method.

. The paper gives a formula for the probability that a randomly chosen elliptic curve over a nite eld has a prime number of points. Two heuristic arguments in support of the formula are given as well as experimental evidence. The paper also gives a formula for the probability that a randomly chosen elliptic curve over a nite eld has kq points where k is a small number and where q is a prime. 1. Introduction Cryptographic and computational applications have recently motivated the study of several questions in the theory of elliptic curves over nite elds. For instance, the analysis of the elliptic curve factoring method leads to estimates ([7], [8]) for the probability that the number of points on an elliptic curve is smooth. In this paper, motivated by the use of elliptic curves in public key cryptosystems, we consider the \opposite" problem. More specically, we ask the question: What is the probability that a randomly chosen elliptic curve over F p has kq points, where k is sm...

We determine the probability that a randomly chosen elliptic curve E/Fp over a randomly chosen prime field Fp has an ℓ-primary part E(Fp)[ℓ ∞ ] isomorphic with a fixed abelian ℓ-group H (ℓ) α,β = Z/ℓα × Z/ℓ β. Probabilities for “|E(Fp) | divisible by n”, “E(Fp) cyclic ” and expectations for the number of elements of precise order n in E(Fp) are derived, both for unbiased E/Fp and for E/Fp with p ≡ 1 (ℓ r).

Three questions concerning the distribution of the numbers of points on elliptic curves over a finite prime field are considered. First, the previously published bounds for the distribution are tightened slightly. Within these bounds, there are wild fluctuations in the distribution, and some heuristics are discussed (supported by numerical evidence) which suggest that numbers of points with no large prime divisors are unusually prevalent. Finally, allowing the prime field to vary while fixing the field of fractions of the endomorphism ring of the curve, the order of magnitude of the average order of the number of divisors of the number of points is determined, subject to assumptions about primes in quadratic progressions. There are implications for factoring integers by Lenstra’s elliptic curve method. The heuristics suggest that (i) the subtleties in the distribution actually favour the elliptic curve method, and (ii) this gain is transient, dying away as the factors to be found tend to infinity. 1.

The security of many cryptographic protocols depends on the difficulty of solving the so-called "discrete logarithm" problem, in the multiplicative group of a finite field. Although, in the general case, there are no polynomial time algorithms for this problem, constant improvements are being made -- with the result that the use of these protocols require much larger key sizes, for a given level of security, than may be convenient. An abstraction of these protocols shows that they have analogues in any group. The challenge presents itself: find some other groups for which there are no good attacks on the discrete logarithm, and for which the group operations are sufficiently economical. In 1985, the author suggested that the groups arising from a particular mathematical object known as an "elliptic curve" might fill the bill. In this paper I review the general cryptographic protocols which are involved, briefly describe elliptic curves and review the possible attacks again...

Abstract. We show that one can find two nonisomorphic curves over a field K that become isomorphic to one another over two finite extensions of K whose degrees over K are coprime to one another. More specifically, let K0 be an arbitrary prime field and let r> 1 and s> 1 be integers that are coprime to one another. We show that one can find a finite extension K of K0, a degree-r extension L of K, a degree-s extension M of K, and two curves C and D over K such that C and D become isomorphic to one another over L and over M, but not over any proper subextensions of L/K or M/K. We show that such C and D can never have genus 0, and that if K is finite, C and D can have genus 1 if and only if {r, s} = {2, 3} and K is an odd-degree extension of F3. On the other hand, when {r, s} = {2, 3} we show that genus-2 examples occur in every characteristic other than 3. Our detailed analysis of the case {r, s} = {2, 3} shows that over every finite field K there exist nonisomorphic curves C and D that become isomorphic to one another over the quadratic and cubic extensions of K. Most of our proofs rely on Galois cohomology. Without using Galois cohomology, we show that two nonisomorphic genus-0 curves over an arbitrary field remain nonisomorphic over every odd-degree extension of the base field. 1.

this paper, and Tom Tucker for useful conversations. REFERENCES

A prohibitive barrier faced by elliptic curve users is the difficulty of computing the curves' cardinalities. Despite recent theoretical breakthroughs, point counting still remains very cumbersome and intensively time consuming.

Abstract not found

Abstract not found