## Computing Hilbert class polynomials with the Chinese Remainder Theorem (2010)

Citations: | 18 - 1 self |

### BibTeX

    @MISC{Sutherland10computinghilbert,
        author = {Andrew V. Sutherland},
        title = {Computing Hilbert class polynomials with the Chinese Remainder Theorem},
        year = {2010}
    }

### Abstract

We present a space-efficient algorithm to compute the Hilbert class polynomial $H_D(X)$ modulo a positive integer $P$, based on an explicit form of the Chinese Remainder Theorem. Under the Generalized Riemann Hypothesis, the algorithm uses $O(|D|^{1/2+\epsilon} \log P)$ space and has an expected running time of $O(|D|^{1+\epsilon})$. We describe practical optimizations that allow us to handle larger discriminants than other methods, with $|D|$ as large as $10^{13}$ and $h(D)$ up to $10^6$. We apply these results to construct pairing-friendly elliptic curves of prime order, using the CM method.

### Citations

910 |
A Course in Computational Algebraic Number Theory (fourth corrected printing
- Cohen
- 2000
Citation Context ...). Given $H_D \bmod p_i$ with coefficients $c_j$: 1. For $j$ from 0 to $h(D)$: 2. Set $C_j \leftarrow C_j + c_j d_i \bmod P$. 3. Set $s_j \leftarrow s_j + \lfloor 2^{\delta} c_j a_i / p_i \rfloor$. The total running time of Algorithm 2.4 over all $p_i \in S$ may be bounded by (18) $O\big(n\,h(D)\,\mathsf{M}(\log P) + h(D)\,\mathsf{M}(\log M + n \log n)\big)$. Typically the first term dominates, and it is here that we need $\log P = O(\log^3 |D|)$. The space complexity is $O(h(D)(\log P + \log p_M + \log n))$. Algorithm 2.5 (... |

818 |
The arithmetic of elliptic curves
- Silverman
- 1986
Citation Context ...0,000 472,000 (24,17,59) 6.8 36MB 400GB 17, 131, 564, 271 300,000 1,240,000 (20,15,65) 5.9 61MB 920GB 30, 541, 342, 079 400,000 2,090,000 (21,16,63) 6.4 71MB 1.7TB 42, 905, 564, 831 500,000 3,050,000 (22,17,61) 6.9 81MB 2.6TB 67, 034, 296, 559 600,000 5,630,000 (18,14,68) 5.6 121MB 3.9TB 82, 961, 887, 511 700,000 7,180,000 (19,14,67) 5.9 132MB 5.3TB 113, 625, 590, 399 800,000 9,520,000 (19,15,66) 5.9 142MB ... |

296 | Approximate formulas for some functions of prime numbers - Rosser, Schoenfeld - 1962 |

233 |
Factoring Integers with Elliptic Curves
- Lenstra
- 1987
Citation Context ... where $H(4p - t^2)$ is the Hurwitz class number (as in [18, Def. 5.3.6] or [23, p. 319]). A more precise formula uses weighted cardinalities, but the difference is negligible; see [23, Thm. 14.18] or [51] for further details. We expect to sample approximately $1/\rho(p, t)$ random curves over $\mathbb{F}_p$ in order to find one with trace $\pm t$. When selecting primes $p \in \mathcal{P}_D$, we may give preference to primes with larger $\rho$-... |

162 | Elliptic curves and primality proving
- Atkin, Morain
Citation Context ...ing-friendly elliptic curves of prime order, using the CM method. 1. Introduction. Elliptic curves with a prescribed number of points have many applications, including elliptic curve primality proving [2] and pairing-based cryptography [31]. The number of points on an elliptic curve $E/\mathbb{F}_q$ is of the form $N = q + 1 - t$, where $|t| \le 2\sqrt{q}$. For an ordinary elliptic curve, we additionally require $t \not\equiv 0 \bmod p$, where $p$ is the characteristic of $\mathbb{F}_q$. W... |

158 |
Elliptic curves in cryptography
- Blake, Seroussi, et al.
- 1999
Citation Context ... this approach with additional torsion constraints that can be quickly computed. For example, to generate a curve containing a point of order 132, it is much faster to generate several curves using $X_1(11)$ and apply tests for 3 and 4 torsion to each than it is to use $X_1(132)$. A table of particularly effective combinations of torsion constraints, ranked by cost/benefit ratio, appears in Appendix 2. The ... |

110 |
Die Typen der Multiplikatorenringe elliptischer Funktionenkörper
- Deuring
- 1941
Citation Context ...arch by our choice of $p$, which determines $t = t(p)$ and therefore $N_0$ and $N_1$. 3.1. The density of curves with trace $\pm t$. We may compute the density of $\mathrm{Ell}_t(\mathbb{F}_p)$ as a subset of $\mathbb{F}_p$ via a formula of Deuring [26]. For convenience we define (7) $\rho(p, t) = \frac{H(4p - t^2)}{p} \approx \frac{\#\mathrm{Ell}_t(\mathbb{F}_p)}{\#\mathbb{F}_p}$, where $H(4p - t^2)$ is the Hurwitz class number (as in [18, Def. 5.3.6] or [23, p. 319]). A more precise... |

107 |
Handbook of elliptic and hyperelliptic curve cryptography. Discrete mathematics and its applications
- Cohen, Frey, et al.
- 2006
Citation Context ...unds; the outputs of Algorithms 1 and 2 are unconditionally correct. Let $\mathsf{M}(n)$ denote the cost of multiplication, as defined in [70, Ch. 8]. We have (20) $\mathsf{M}(n) = O(n \log n \operatorname{llog} n)$, by [57], where $\operatorname{llog}(n)$ denotes $\log \log n$ (and we use $\operatorname{lllog}(n)$ to denote $\log \log \log n$). Here we focus on asymptotic results and apply (20) throughout, noting that the larger ... |

107 | Elliptic Curves: Number Theory and Cryptography (Second Edition - Washington - 2008 |

89 |
Effective versions of the Chebotarev density theorem, in Algebraic
- Lagarias, Odlyzko
- 1977
Citation Context ...r (see [5, §5.1]), but the last four depend critically on either the ERH or GRH. Heuristic bounds are discussed in Section 7.1. To prove (v) we use an effective form of the Chebotarev density theorem [48]. Recall that $\mathcal{P}_D$ is the set of primes (greater than 3) that split completely in the ring class field $K_{\mathcal{O}}$ of $\mathcal{O}$. For a positive real number $x$, let $\pi_1(x, K_{\mathcal{O}}/\mathbb{Q})$ count the primes $p \le x$ that split completely in... |

66 |
Explicit bounds for primality testing and related problems
- Bach
- 1990
Citation Context ...ble. We achieve this by computing an optimal polycyclic presentation for $\mathrm{cl}(D)$, derived from a sequence of generators for $\mathrm{cl}(D)$. Under the Extended Riemann Hypothesis (ERH) we have $\ell_i \le 6 \log^2 |D|$, by [4]. This approach corrects an error in [5] which relies on a basis for $\mathrm{cl}(D)$ and fails to achieve such a bound (see Section 5.3 for a counterexample). The rest of this paper is organized as follows: • S... |

62 |
A rigorous subexponential algorithm for computation of class groups
- Hafner, McCurley
- 1989
Citation Context ...n be computed using discrete logarithms with respect to $\gamma$. In the specific case $G = \mathrm{cl}(D)$, one may go further and use a nongeneric algorithm to compute a basis $\alpha$ in subexponential time (under the ERH) [34] and apply a vector form of the discrete logarithm algorithm in [69]. 5.2. Application to $D$. For the practical range of $D$, the group $G = \mathrm{cl}(D)$ is relatively small (typically $|G| < 10^8$), and the consta... |

56 | Elliptic Curves - Husemöller - 2000 |

51 |
Universal bounds on the torsion of elliptic curves
- Kubert
- 1976
Citation Context ... plane models $F_m(r, s) = 0$ that have been optimized for this purpose; see [65]. For $m$ in the set {2, 3, 4, 5, 6, 7, 8, 9, 10, 12}, the curve $X_1(m)$ has genus 0, and we obtain Kubert's parametrizations [47] of elliptic curves with a prescribed (cyclic) torsion subgroup over $\mathbb{Q}$. Working in $\mathbb{F}_p$, we may use any $m$ not divisible by $p$, although we typically use $m \le 40$, due to the cost of finding points on $F_m(r, s) = 0$... |

46 |
Endomorphism rings of elliptic curves over finite fields
- Kohel
- 1996
Citation Context ...′/$\mathbb{F}_p$ connected to $E$ via an isogeny of degree $\ell$ (an $\ell$-isogeny) [71, Thm. 12.19]. This gives us a computationally explicit way to define the graph of $\ell$-isogenies on the set $\mathrm{Ell}_t(\mathbb{F}_p)$. As shown by Kohel [46], the connected components of this graph all have a particular shape, aptly described in [29] as a volcano (see Figure 1 in Section 4). The curves in an isogeny volcano are naturally partitioned into one or more levels, according to their endomorphism rings, with the cu... |

45 |
Constructing elliptic curves with given group order over large finite fields. Algorithmic Number Theory
- Lay, Zimmer
- 1994
Citation Context ...an elliptic curve $E/\mathbb{F}_q$ with this $j$-invariant. Either $E$ or its quadratic twist has $N$ points, and we may easily determine which. For more details on constructing elliptic curves with the CM method, see [2, 13, 50]. The most difficult step in this process is obtaining $H_D$, an integer polynomial of degree $h(D)$ (the class number) and total size $O(|D|^{1+\epsilon})$ bits. There are several algorithms that, under reasonable ... |

41 | Detecting perfect powers in essentially linear time
- Bernstein
- 1998
Citation Context ... we can uniquely determine $c$. This is the usual CRT approach. Alternatively, if $M$ is slightly larger, say $M > 4B$, we may apply the explicit CRT (mod $P$) [8, Thm. 3.1] and compute $c \bmod P$ directly via (6) $c \equiv \sum c_i a_i M_i - rM \bmod P$. Here $r$ is the nearest integer to $\sum c_i a_i / p_i$. When computing $r$ it suffices to approximate each rational number $c_i a_i / p_i$ to within $1/(4n)$. As noted in [27], even when $P$ is small one st... |

41 |
Schnelle Multiplikation großer Zahlen, Computing 7
- Schönhage, Strassen
- 1971
Citation Context ... and 2 are unconditionally correct. Let $\mathsf{M}(n)$ denote the cost of multiplication, as defined in [70, Ch. 8]. We have (20) $\mathsf{M}(n) = O(n \log n \operatorname{llog} n)$, by [57], where $\operatorname{llog}(n)$ denotes $\log \log n$ (and we use $\operatorname{lllog}(n)$ to denote $\log \log \log n$). Here we focus on asymptotic results and apply (20) throughout, noting that the larger computations in Section 8 make ex... |

41 |
Primes of the Form $x^2 + ny^2$. Fermat, class field theory and complex multiplication, A Wiley-Interscience Publication
- Cox
- 1989
Citation Context ...ts completely over $\mathbb{F}_p$. It has $h(D)$ roots, which form $\mathrm{Ell}_{\mathcal{O}}(\mathbb{F}_p)$. 2. The map $j(E) \mapsto j(E)^{a}$ defines a free transitive action of $\mathrm{cl}(D)$ on $\mathrm{Ell}_{\mathcal{O}}(\mathbb{F}_p)$. For further background, we recommend the expositions in [23] and [60], and also the material in [49, Ch. 10] and [62, Ch. II]. Let $p$ be a prime in $\mathcal{P}_D$. Our plan is to compute $H_D \bmod p$ by determining its roots and forming the product of the corresponding linear ... |

33 | The complexity of class polynomial computation via floating point approximations
- Enge
Citation Context ... an integer polynomial of degree $h(D)$ (the class number) and total size $O(|D|^{1+\epsilon})$ bits. There are several algorithms that, under reasonable heuristic assumptions, can compute $H_D$ in quasilinear time [5, 12, 22, 27], but its size severely restricts the feasible range of $D$. The bound $|D| < 10^{10}$ is commonly cited as a practical upper limit for the CM method [31, 43, 44, 68], and this already assumes the use of al... |

28 | Constructing Pairing-Friendly Elliptic Curves with Embedding Degree 10. Algorithmic Number Theory
- Freeman
- 2006
Citation Context ...performance and security characteristics. For additional background on pairing-based cryptography we refer to [20, Ch. 24]. To obtain suitable discriminants we used algorithms in [44] (for $k = 6$) and [30] (for $k = 10$) that were optimized to search for $q$ within a specified range. This produced a set $\mathcal{D}_{PF}$ of nearly 2000 fundamental discriminants (1722 with $k = 6$ and 254 with $k = 10$), with $|D|$ ranging from... |

26 |
Handbook of computational group theory
- Holt, Eick, et al.
Citation Context ...$r_1,\ldots,r_k$), and let $X(\alpha) = \{x \in \mathbb{Z}^k : 0 \le x_i < r_i\}$. 1. For each $\beta \in G$ there is a unique $x \in X(\alpha)$ such that $\beta = \alpha^x$. 2. The vector $x$ such that $\alpha_i^{r_i} = \alpha^x$ has $x_j = 0$ for $j \ge i$. Proof. See Lemmas 8.3 and 8.6 in [37]. □ The vector $x$ is the discrete logarithm (exponent vector) of $\beta$ with respect to $\alpha$. The relations $\alpha_i^{r_i} = \alpha^x$ are called power relations and may be used to define a (consistent) polycyclic presentati... |

18 | Calculating the order of an invertible matrix
- Celler, Leedham-Green
- 1997
Citation Context ...es) is given by Lemma 6 of Section 7. A simple implementation of FastOrder appears below, based on a recursive algorithm to compute the order of a generic group element due to Celler and Leedham-Green [16]. By convention, generic groups are written multiplicatively, and we do so here, although we apply FastOrder to the additive groups $E(\mathbb{F}_p)$ and $\tilde{E}(\mathbb{F}_p)$. The function $\omega(N)$ counts the distinct prime factor... |

17 | Computing modular polynomials in quasi-linear time - Enge |

16 |
Binary Quadratic Forms: An Algorithmic Approach
- Buchmann, Vollmer
- 2007
Citation Context ...ve $\alpha$, $r(\alpha)$, and $s(\alpha)$. We define $s(\gamma)$ using a bijection $X(\gamma) \to \{z \in \mathbb{Z} : 0 \le z < |G|\}$ given by (14) $Z(x) = \sum_{1 \le j \le n} N_j x_j$, where $N_j = \prod_{1 \le i < j} r_i$. For each power relation $\gamma_i^{r_i} = \gamma^x$, we set $s_i = Z(x)$. The formula (15) $x_j = \lfloor s_i / N_j \rfloor \bmod r_j$ recovers the component $x_j$ of the vector $x$ for which $s_i = Z(x)$. Algorithm 2.2. Given $\gamma = (\gamma_1,\ldots,\gamma_n)$ generating a finite abelian group $G$: 1. Let $T$ be an empty table and call TableIn... |

16 | A space efficient algorithm for group structure computation
- Teske
- 1998
Citation Context ...sentially optimal. However, if $\gamma$ has size $n = o(|G|^{1/2})$, we can do asymptotically better with an $O(n|G|^{1/2})$ algorithm. This is achieved by computing a basis $\alpha$ for $G$ via a generic algorithm (as in [14, 64, 66, 67]) and then determining the representation of each $\gamma_i = \alpha^x$ in this basis using a vector discrete logarithm algorithm (such as [64, Alg. 9.3]). It is then straightforward to compute $|G_i|$ for each $i$, an... |

15 | Computing the endomorphism ring of an ordinary elliptic curve over a finite field
- Bisson, Sutherland
Citation Context ... $L$-smooth, verify that $j \in \mathrm{Ell}_{\mathcal{O}}(\mathbb{F}_p)$ and abort if not. 3. Return $j' = j$. The verification in step 2 involves computing $\mathrm{End}(E)$ for an elliptic curve $E/\mathbb{F}_p$ with $j(E) = j$. Here we may use the algorithm in [10], or Kohel's algorithm [46]. The former is faster in practice (with a heuristically subexponential running time), but for the proof of Theorem 1 we use the $O(p^{1/3})$ complexity bound of Kohel's algori... |

15 | On the group orders of elliptic curves over finite fields - Howe - 1993 |

14 | A p-adic algorithm to compute the Hilbert class polynomial
- Bröker
Citation Context ... an integer polynomial of degree $h(D)$ (the class number) and total size $O(|D|^{1+\epsilon})$ bits. There are several algorithms that, under reasonable heuristic assumptions, can compute $H_D$ in quasilinear time [5, 12, 22, 27], but its size severely restricts the feasible range of $D$. The bound $|D| < 10^{10}$ is commonly cited as a practical upper limit for the CM method [31, 43, 44, 68], and this already assumes the use of al... |

14 |
of the form $x^2 + ny^2$. Fermat, class field theory and complex multiplication. A Wiley-Interscience Publication
- Cox, Primes
- 1989
Citation Context ...ts completely over $\mathbb{F}_p$. It has $h(D)$ roots, which form $\mathrm{Ell}_{\mathcal{O}}(\mathbb{F}_p)$. 2. The map $j(E) \mapsto j(E)^{a}$ defines a free transitive action of $\mathrm{cl}(D)$ on $\mathrm{Ell}_{\mathcal{O}}(\mathbb{F}_p)$. For further background, we recommend the expositions in [23] and [60], and also the material in [49, Ch. 10] and [62, Ch. II]. Let $p$ be a prime in $\mathcal{P}_D$. Our plan is to compute $H_D \bmod p$ by determining its roots and forming the product of the corresponding linear ... |

14 | topics in the arithmetic of elliptic curves - Advanced - 1994 |

14 | The exponents of the groups of points on the reductions of an elliptic curve, Arithmetic Algebraic Geometry - Schoof - 1991 |

13 | An analysis of the reduction algorithms for binary quadratic forms
- Biehl, Buchmann
- 1998
Citation Context ... use $O(|D|^{1/2}(\log |D| + \log P) \operatorname{llog} |D|)$ space. Proof. The complexity of step 1 is addressed by Lemma 4 above. By Proposition 6, step 2 performs $h(D)$ operations in $\mathrm{cl}(D)$, each taking $O(\log^2 |D|)$ time [9]. Even if we compute a different presentation for every $v \le v_M$, the total time is $O(|D|^{1/2+\epsilon})$. The table used by Algorithm 2.2 stores $h(D) = O(|D|^{1/2} \operatorname{llog} |D|)$ group elements, by bound (i), requirin... |

13 |
Complex Multiplication. In: Algebraic Number Theory
- Serre
- 1967
Citation Context ...tely over $\mathbb{F}_p$. It has $h(D)$ roots, which form $\mathrm{Ell}_{\mathcal{O}}(\mathbb{F}_p)$. 2. The map $j(E) \mapsto j(E)^{a}$ defines a free transitive action of $\mathrm{cl}(D)$ on $\mathrm{Ell}_{\mathcal{O}}(\mathbb{F}_p)$. For further background, we recommend the expositions in [23] and [60], and also the material in [49, Ch. 10] and [62, Ch. II]. Let $p$ be a prime in $\mathcal{P}_D$. Our plan is to compute $H_D \bmod p$ by determining its roots and forming the product of the corresponding linear factors. ... |

12 |
Computing Hilbert class polynomials, in "Algorithmic number theory
- BELDING, BRÖKER, et al.
Citation Context ... an integer polynomial of degree $h(D)$ (the class number) and total size $O(|D|^{1+\epsilon})$ bits. There are several algorithms that, under reasonable heuristic assumptions, can compute $H_D$ in quasilinear time [5, 12, 22, 27], but its size severely restricts the feasible range of $D$. The bound $|D| < 10^{10}$ is commonly cited as a practical upper limit for the CM method [31, 43, 44, 68], and this already assumes the use of al... |

11 | Computing the structure of a finite abelian group
- Buchmann, Schmidt
Citation Context ...sentially optimal. However, if $\gamma$ has size $n = o(|G|^{1/2})$, we can do asymptotically better with an $O(n|G|^{1/2})$ algorithm. This is achieved by computing a basis $\alpha$ for $G$ via a generic algorithm (as in [14, 64, 66, 67]) and then determining the representation of each $\gamma_i = \alpha^x$ in this basis using a vector discrete logarithm algorithm (such as [64, Alg. 9.3]). It is then straightforward to compute $|G_i|$ for each $i$, an... |

11 |
On the coefficients of the transformation polynomials for the elliptic modular function
- Cohen
- 1984
Citation Context ... $p \le x$ that split completely in $K_{\mathcal{O}}$. Equivalently, $\pi_1(x, K_{\mathcal{O}}/\mathbb{Q})$ counts primes whose image in $\mathrm{Gal}(K_{\mathcal{O}}/\mathbb{Q})$ under the Artin map is the identity element [23, Cor. 5.21]. Applying Theorem 1.1 of [48] then yields (21) $\left|\pi_1(x, K_{\mathcal{O}}/\mathbb{Q}) - \frac{\mathrm{Li}(x)}{2h(D)}\right| \le c_1\left(\frac{x^{1/2} \log(|D|^{h(D)} x^{2h(D)})}{2h(D)} + \log(|D|^{h(D)})\right)$, as in [5, Eq. 3], where the constant $c_1$ is effectively computable. Lemma 2 (GRH). For any real constant c3... |

11 |
et al. GNU Multiple Precision Arithmetic Library. URL: http://gmplib.org
- Granlund
Citation Context ...s $j$-invariant and ensure that the trace of $E$ has the correct sign. 1 8.1. Implementation. The algorithms described in this paper were implemented using the GNU C/C++ compiler [63] and the GMP library [33] on a 64-bit Linux platform. Multiplication of large polynomials was handled by the zn_poly library developed by Harvey [36], based on the algorithm in [35]. The hardware platform included sixteen 2.8... |

10 |
Isogeny volcanoes and the SEA algorithm, Algorithmic Number Theory — ANTS-V
- Fouquet, Morain
- 2002
Citation Context ...s a computationally explicit way to define the graph of $\ell$-isogenies on the set $\mathrm{Ell}_t(\mathbb{F}_p)$. As shown by Kohel [46], the connected components of this graph all have a particular shape, aptly described in [29] as a volcano (see Figure 1 in Section 4). The curves in an isogeny volcano are naturally partitioned into one or more levels, according to their endomorphism rings, with the cu... |

10 |
M.: Constructing Brezing-Weng pairing friendly elliptic curves using elements in the cyclotomic field
- Kachisa, Schaeffer, et al.
- 2008
Citation Context ...ions, can compute $H_D$ in quasilinear time [5, 12, 22, 27], but its size severely restricts the feasible range of $D$. The bound $|D| < 10^{10}$ is commonly cited as a practical upper limit for the CM method [31, 43, 44, 68], and this already assumes the use of alternative class polynomials that are smaller (and less general) than $H_D$. As noted in [27], space is the limiting factor in these computations, not running time.... |

9 | Order Computations in Generic Groups
- Sutherland
- 2007
Citation Context ...sentially optimal. However, if $\gamma$ has size $n = o(|G|^{1/2})$, we can do asymptotically better with an $O(n|G|^{1/2})$ algorithm. This is achieved by computing a basis $\alpha$ for $G$ via a generic algorithm (as in [14, 64, 66, 67]) and then determining the representation of each $\gamma_i = \alpha^x$ in this basis using a vector discrete logarithm algorithm (such as [64, Alg. 9.3]). It is then straightforward to compute $|G_i|$ for each $i$, an... |

8 | Modular exponentiation via the explicit Chinese Remainder Theorem - Bernstein, Sorenson |

7 |
Teske – “A taxonomy of pairing-friendly elliptic curves
- Freeman, Scott, et al.
Citation Context ...me order, using the CM method. 1. Introduction. Elliptic curves with a prescribed number of points have many applications, including elliptic curve primality proving [2] and pairing-based cryptography [31]. The number of points on an elliptic curve $E/\mathbb{F}_q$ is of the form $N = q + 1 - t$, where $|t| \le 2\sqrt{q}$. For an ordinary elliptic curve, we additionally require $t \not\equiv 0 \bmod p$, where $p$ is the characteristic of $\mathbb{F}_q$. W... |

7 |
Einige Bemerkungen zu der vorstehenden Arbeit des Herrn G. Pólya: Über die Verteilung der quadratischen Reste und
- Schur
- 1918
Citation Context ... which implies $B_0 \le B_1 M_h / M_h \le B_2 M_{h-1} M_h / M_h^2 \le \cdots \le B_m M_{h-m+1} \cdots M_h / M_h^m = B$. It follows that $B$ bounds every $B_n$. The bound $\log B = O(|D|^{1/2} \log^2 |D|)$ follows from $h = O(|D|^{1/2} \log |D|)$, as proven in [59], and the bound $\sum_k \frac{1}{a_k} = O(\log^2 |D|)$, as proven in [58, Lemma 2.2]. As shown in [5, Lemma 2], under the GRH the bound $\sum_k \frac{1}{a_k} = O(\log |D| \operatorname{llog} |D|)$ follows from [52], which yields $\log B = O(|D|^{1/2}$... |

6 | The distribution of group structures on elliptic curves over finite prime fields, Documenta Mathematica 11
- Gekeler
- 2006
Citation Context ...32 $(\ell_1^{r_1},\ldots,\ell_k^{r_k})$ $(7^{20203})$ $(17^{1128}, 19^{10})$ $(3^{27038}, 5^{2})$ step 1 0.0s 0.0s 0.0s step 2 1.2s 0.5s 4.0s step 3 0.6s 0.3s 2.0s step 4 23,300s 26,000s 61,000s step 5 0.0s 0.0s 0.0s $(T_f, T_e, T_b)$ (57,32,11) (51,47,2) (53,20,27) throughput 2.0Mb/s 0.6Mb/s 4.9Mb/s memory 3.9MB 2.1MB 9.4MB total data 5.7GB 1.9GB 37GB Solve $H_D(X) = 0$ over $\mathbb{F}_q$ 127s 86s 332s (2.8 GHz AMD Athlon) 8.3. Examples. Table 2 summarizes ... |

6 |
On the class-number of the corpus P( √ −k
- Littlewood
- 1928
Citation Context ...e norms $\ell_1,\ldots,\ell_k$ arising in a polycyclic presentation of $\mathrm{cl}(D)$ that is derived from a set of generators. (GRH) For convenient reference, we note the following bounds: (i) $h = h(D) = O(|D|^{1/2} \operatorname{llog} |D|)$ (see [52]). (ii) $b = \lg B + 2 = O(|D|^{1/2} \log |D| \operatorname{llog} |D|)$ (Lemma 8). (iii) $n = \#S = O(|D|^{1/2} \operatorname{llog} |D|)$ (follows from (ii)). (iv) $\ell_M = \max\{\ell_1,\ldots,\ell_k\} = O(\log^2 |D|)$ (see [4]). (v) $z = O(|D|^{1/2} \log^3 |D| \operatorname{llog} |D|)$ ... |

6 |
Choosing the correct elliptic curve
- Rubin, Silverberg
- 2010
Citation Context ...rformance of Algorithm 2 in more extreme cases we also conducted tests using discriminants with very large values of $L(1, \chi_D)$. These results are presented in Section 8.5. 1 One may apply the method in [56], or simply compute $NQ$ for a nonzero point $Q \in E(\mathbb{F}_q)$, where $N$ is the desired (prime) order of $E(\mathbb{F}_q)$, and switch to a quadratic twist of $E$ if $NQ \ne 0$. Table 2. Example computati... |

4 |
Ramarathnam Venkatesan, Constructing elliptic curves with a known number of points over a prime field
- Agashe, Lauter
- 2004
Citation Context ...pace. This includes the case where $P$ is larger than the coefficients of $H_D$ (for which we have accurate bounds); hence it may be used to determine $H_D$ over $\mathbb{Z}$. Our algorithm is based on the CRT approach [1, 5, 17], which computes the coefficients of $H_D$ modulo many "small" primes $p$ and then applies the Chinese Remainder Theorem (CRT). As in [1], we use the explicit CRT [8, Thm. 3.1] to obtain $H_D \bmod P$, and we ... |

4 | Efficient CM-constructions of elliptic curves over finite fields
- Bröker, Stevenhagen
Citation Context ...an elliptic curve $E/\mathbb{F}_q$ with this $j$-invariant. Either $E$ or its quadratic twist has $N$ points, and we may easily determine which. For more details on constructing elliptic curves with the CM method, see [2, 13, 50]. The most difficult step in this process is obtaining $H_D$, an integer polynomial of degree $h(D)$ (the class number) and total size $O(|D|^{1+\epsilon})$ bits. There are several algorithms that, under reasonable ... |

4 | Faster polynomial multiplication via multipoint Kronecker substitution
- Harvey
- 2007
Citation Context ...GNU C/C++ compiler [63] and the GMP library [33] on a 64-bit Linux platform. Multiplication of large polynomials was handled by the zn_poly library developed by Harvey [36], based on the algorithm in [35]. The hardware platform included sixteen 2.8 GHz AMD Athlon processors, each with two cores. Up to 32 cores were used in each test (with essentially linear speedup), but for consistency we report tota... |