. The heart of Schoof's algorithm for computing the cardinality m of an elliptic curve over a finite field is the computation of m modulo small primes `. Elkies and Atkin have designed practical improvements to the basic algorithm, that make use of "good" primes `. We show how to use powers of good primes in an efficient way. This is done by computing isogenies between curves over the ground field. A new structure appears, called "isogeny cycle". We investigate some properties of this structure. 1 Introduction Let E be an elliptic curve over a primitive finite field F p where p is a large prime integer. (We are not dealing with the case of small characteristic here.) The curve is given by some equation E(X; Y ) = 0 in Weierstrass form E(X; Y ) = Y 2 \Gamma X 3 \Gamma AX \Gamma B so that a generic point on the curve is given by (X; Y ) mod E . Let m be the number of points of E. It is well known that m = p + 1 \Gamma t, with t an integer satisfying jtj ! 2 p p. If p is small...

Abstract. We analyse the complexity of computing class polynomials, that are an important ingredient for CM constructions of elliptic curves, via complex floating point approximations of their roots. The heart of the algorithm is the evaluation of modular functions in several arguments. The fastest one of the presented approaches uses a technique devised by Dupont to evaluate modular functions by Newton iterations on an expression involving the arithmetic-geometric mean. Under the heuristic assumption, justified by experiments, that the correctness of the result is not perturbed by rounding errors, the algorithm runs in time 3 2

Abstract. In this article we show how to generalize the CM-method for elliptic curves to genus two. We describe the algorithm in detail and discuss the results of our implementation. 1.

Abstract. The heart of the improvements by Elkies to Schoof’s algorithm for computing the cardinality of elliptic curves over a finite field is the ability to compute isogenies between curves. Elkies ’ approach is well suited for the case where the characteristic of the field is large. Couveignes showed how to compute isogenies in small characteristic. The aim of this paper is to describe the first successful implementation of Couveignes’s algorithm. In particular, we describe the use of fast algorithms for performing incremental operations on series. We also insist on the particular case of the characteristic 2. 1.

Abstract. We present a primality proving algorithm—a probabilistic primality test that produces short certificates of primality on prime inputs. We prove that the test runs in expected polynomial time for all but a vanishingly small fraction of the primes. As a corollary, we obtain an algorithm for generating large certified primes with distribution statistically close to uniform. Under the conjecture that the gap between consecutive primes is bounded by some polynomial in their size, the test is shown to run in expected polynomial time for all primes, yielding a Las Vegas primality test. Our test is based on a new methodology for applying group theory to the problem of prime certification, and the application of this methodology using groups generated by elliptic curves over finite fields. We note that our methodology and methods have been subsequently used and improved upon, most notably in the primality proving algorithm of Adleman and Huang using hyperelliptic curves and

Abstract. The elliptic curve primality proving (ECPP) algorithm is one of the current fastest practical algorithms for proving the primality of large numbers. Its running time currently cannot be proven rigorously, but heuristic arguments show that it should run in time Õ((log N)5) to prove the primality of N. An asymptotically fast version of it, attributed to J. O. Shallit, is expected to run in time Õ((log N)4). We describe this version in more details, leading to actual implementations able to handle numbers with several thousands of decimal digits. 1.

We study the action of modular correspondences in the p- adic neighborhood of CM points. We deduce and prove two stable and ecient p-adic analytic methods for computing singular values of modular functions. On the way we prove a non trivial lower bound for the density of smooth numbers in imaginary quadratic rings and show that the canonical lift of an elliptic curve over Fq can be computed in probabilistic time exp((log q) ) under GRH. We also extend the notion of canonical lift to supersingular elliptic curves and show how to compute it in that case.

We describe the complete factorization of the tenth Fermat number F 10 by the elliptic curve method (ECM). F 10 is a product of four prime factors with 8, 10, 40 and 252 decimal digits. The 40-digit factor was found after about 140 Mflop-years of computation. We also discuss the complete factorization of other Fermat numbers by ECM, and summarize the factorizations of F 5 ; : : : ; F 11 .

. We describe the complete factorization of the tenth and eleventh Fermat numbers. The tenth Fermat number is a product of four prime factors with 8, 10, 40 and 252 decimal digits. The eleventh Fermat number is a product of five prime factors with 6, 6, 21, 22 and 564 decimal digits. We also note a new 27-decimal digit factor of the thirteenth Fermat number. This number has four known prime factors and a 2391-decimal digit composite factor. All the new factors reported here were found by the elliptic curve method (ECM). The 40-digit factor of the tenth Fermat number was found after about 140 Mflop-years of computation. We discuss aspects of the practical implementation of ECM, including the use of special-purpose hardware, and note several other large factors found recently by ECM. 1. Introduction For a nonnegative integer n, the n-th Fermat number is F n = 2 2 n + 1. It is known that F n is prime for 0 n 4, and composite for 5 n 23. Also, for n 2, the factors of F n are of th...

Abstract. Elliptic curves with a known number of points over a given prime field Fn are often needed for use in cryptography. In the context of primality proving, Atkin and Morain suggested the use of the theory of complex multiplication to construct such curves. One of the steps in this method is the calculation of a root modulo n of the Hilbert class polynomial HD(X) for a fundamental discriminant D. The usual way is to compute HD(X) over the integers and then to find the root modulo n. We present a modified version of the Chinese remainder theorem (CRT) to compute HD(X) modulo n directly from the knowledge of HD(X) modulo enough small primes. Our complexity analysis suggests that asymptotically our algorithm is an improvement over previously known methods. 1.