## COMPUTING HILBERT CLASS POLYNOMIALS WITH THE CHINESE REMAINDER THEOREM (2009)

Citations: 19 (1 self)

### BibTeX

```bibtex
@MISC{Sutherland09computinghilbert,
    author = {Andrew V. Sutherland},
    title = {COMPUTING HILBERT CLASS POLYNOMIALS WITH THE CHINESE REMAINDER THEOREM},
    year = {2009}
}
```

### Abstract

We present a space-efficient algorithm to compute the Hilbert class polynomial $H_D(X)$ modulo a positive integer $P$, based on an explicit form of the Chinese Remainder Theorem. Under the Generalized Riemann Hypothesis, the algorithm uses $O(|D|^{1/2+\epsilon} \log P)$ space and has an expected running time of $O(|D|^{1+\epsilon})$. We describe practical optimizations that allow us to handle larger discriminants than other methods, with $|D|$ as large as $10^{13}$ and $h(D)$ up to $10^{6}$. We apply these results to construct pairing-friendly elliptic curves of prime order, using the CM method.

### Citations

985 |
A Course in Computational Algebraic Number Theory
- Cohen
- 1995
Citation Context ...). Given HD mod pi with coefficients cj: 1. For j from 0 to h(D): 2. Set Cj ← Cj + cjdi mod P. 3. Set sj ← sj + ⌊2δcjai/pi⌋. The total running time of Algorithm 2.4 over all pi ∈ S may be bounded by =-=(18)-=- O(nh(D)M(log P) + h(D)M(log M + n log n)). Typically the first term dominates, and it is here that we need log P = O(log^3 |D|). The space complexity is O(h(D)(log P + log pM + log n)). Algorithm 2.5 (... |

318 | Approximate formulas for some functions of prime numbers - Rosser, Schoenfeld - 1962 |

249 |
Factoring integers with elliptic curves
- Lenstra
- 1987
Citation Context ... where H(4p − t^2) is the Hurwitz class number (as in [18, Def. 5.3.6] or [23, p. 319]). A more precise formula uses weighted cardinalities, but the difference is negligible; see [23, Thm. 14.18] or =-=[51]-=- for further details. We expect to sample approximately 1/ρ(p, t) random curves over Fp in order to find one with trace ±t. When selecting primes p ∈ PD, we may give preference to primes with larger ρ-... |

177 |
Elliptic Curves in Cryptography
- Blake, Seroussi, et al.
- 1999
Citation Context ... this approach with additional torsion constraints that can be quickly computed. For example, to generate a curve containing a point of order 132, it is much faster to generate several curves using X1=-=(11)-=- and apply tests for 3 and 4 torsion to each than it is to use X1(132). A table of particularly effective combinations of torsion constraints, ranked by cost/benefit ratio, appears in Appendix 2. The ... |

174 | Elliptic curves and primality proving
- Atkin, Morain
- 1993
Citation Context ...ing-friendly elliptic curves of prime order, using the CM method. 1. Introduction Elliptic curves with a prescribed number of points have many applications, including elliptic curve primality proving =-=[2]-=- and pairing-based cryptography [31]. The number of points on an elliptic curve E/Fq is of the form N = q + 1 − t, where |t| ≤ 2√q. For an ordinary elliptic curve, we additionally require t ≢ 0 mod p, wh... |

120 |
Handbook of Elliptic and Hyperelliptic Curve Cryptography
- Cohen, Frey
- 2005
Citation Context ...unds; the outputs of Algorithms 1 and 2 are unconditionally correct. Let M(n) denote the cost of multiplication, as defined in [70, Ch. 8]. We have =-=(20)-=- M(n) = O(n log n llog n), by [57], where llog(n) denotes log log n (and we use lllog(n) to denote log log log n). Here we focus on asymptotic results and apply (20) throughout, noting that the larger ... |

118 |
Die Typen der Multiplikatorenringe elliptischer Funktionenkörper
- Deuring
- 1941
Citation Context ...arch by our choice of p, which determines t = t(p) and therefore N0 and N1. 3.1. The density of curves with trace ±t. We may compute the density of Ellt(Fp) as a subset of Fp via a formula of Deuring =-=[26]-=-. For convenience we define (7) ρ(p, t) = H(4p − t^2)/p ≈ #Ellt(Fp)/#Fp, where H(4p − t^2) is the Hurwitz class number (as in [18, Def. 5.3.6] or [23, p. 319]). A more precise... |

100 |
Effective versions of the Chebotarev density theorem
- Lagarias, Odlyzko
- 1975
Citation Context ...r (see [5, §5.1]), but the last four depend critically on either the ERH or GRH. Heuristic bounds are discussed in Section 7.1. To prove (v) we use an effective form of the Chebotarev density theorem =-=[48]-=-. Recall that PD is the set of primes (greater than 3) that split completely in the ring class field KO of O. For a positive real number x, let π1(x, KO/Q) count the primes p ≤ x that split completely in... |

71 |
Explicit bounds for primality testing and related problems
- Bach
- 1990
Citation Context ...ble. We achieve this by computing an optimal polycyclic presentation for cl(D), derived from a sequence of generators for cl(D). Under the Extended Riemann Hypothesis (ERH) we have ℓi ≤ 6 log^2 |D|, by =-=[4]-=-. This approach corrects an error in [5] which relies on a basis for cl(D) and fails to achieve such a bound (see Section 5.3 for a counterexample). The rest of this paper is organized as follows: • S... |

65 | Elliptic Curves - Husemoller - 1987 |

63 |
A rigorous sub-exponential algorithm for computation of class groups
- Hafner, McCurley
- 1989
Citation Context ...n be computed using discrete logarithms with respect to γ. In the specific case G = cl(D), one may go further and use a nongeneric algorithm to compute a basis α in subexponential time (under the ERH) =-=[34]-=- and apply a vector form of the discrete logarithm algorithm in [69]. 5.2. Application to D. For the practical range of D, the group G = cl(D) is relatively small (typically |G| < 10^8), and the consta... |

56 |
Universal bounds on the torsion of elliptic curves
- Kubert
- 1976
Citation Context ... plane models Fm(r, s) = 0 that have been optimized for this purpose; see [65]. For m in the set {2, 3, 4, 5, 6, 7, 8, 9, 10, 12}, the curve X1(m) has genus 0, and we obtain Kubert’s parametrizations =-=[47]-=- of elliptic curves with a prescribed (cyclic) torsion subgroup over Q. Working in Fp, we may use any m not divisible by p, although we typically use m ≤ 40, due to the cost of finding points on Fm(r, s) = 0... |

51 |
Endomorphism rings of elliptic curves over finite fields
- Kohel
- 1996
Citation Context ...′/Fp connected to E via an isogeny of degree ℓ (an ℓ-isogeny) [71, Thm. 12.19]. This gives us a computationally explicit way to define the graph of ℓ-isogenies on the set Ellt(Fp). As shown by Kohel =-=[46]-=-, the connected components of this graph all have a particular shape, aptly described in [29] as a volcano (see Figure 1 in Section 4). The curves in an isogeny volcano are naturally partitioned into one or more levels, according to their endomorphism rings, with the cu... |

45 |
Constructing elliptic curves with given group order over large In: \Algorithmic Number Theory
- Lay, Zimmer
- 1994
Citation Context ...an elliptic curve E/Fq with this j-invariant. Either E or its quadratic twist has N points, and we may easily determine which. For more details on constructing elliptic curves with the CM method, see =-=[2, 13, 50]-=-. The most difficult step in this process is obtaining HD, an integer polynomial of degree h(D) (the class number) and total size O(|D|^(1+ɛ)) bits. There are several algorithms that, under reasonable ... |

43 | Detecting perfect powers in essentially linear time
- Bernstein
- 1998
Citation Context ... we can uniquely determine c. This is the usual CRT approach. Alternatively, if M is slightly larger, say M > 4B, we may apply the explicit CRT (mod P) [8, Thm. 3.1] and compute c mod P directly via =-=(6)-=- c ≡ ∑ ciaiMi − rM mod P. Here r is the nearest integer to ∑ ciai/pi. When computing r it suffices to approximate each rational number ciai/pi to within 1/(4n). As noted in [27], even when P is small one st... |

42 |
Schnelle Multiplikation großer Zahlen. Computing 7
- Schönhage, Strassen
- 1971
Citation Context ... and 2 are unconditionally correct. Let M(n) denote the cost of multiplication, as defined in [70, Ch. 8]. We have (20) M(n) = O(n log n llog n), by =-=[57]-=-, where llog(n) denotes log log n (and we use lllog(n) to denote log log log n). Here we focus on asymptotic results and apply (20) throughout, noting that the larger computations in Section 8 make ex... |

34 | The complexity of class polynomial computation via floating point approximations
- Enge
Citation Context ... an integer polynomial of degree h(D) (the class number) and total size O(|D|^(1+ɛ)) bits. There are several algorithms that, under reasonable heuristic assumptions, can compute HD in quasilinear time =-=[5, 12, 22, 27]-=-, but its size severely restricts the feasible range of D. The bound |D| < 10^10 is commonly cited as a practical upper limit for the CM method [31, 43, 44, 68], and this already assumes the use of al... |

28 | Constructing Pairing-Friendly Elliptic Curves with Embedding Degree 10. Algorithmic Number Theory
- Freeman
- 2006
Citation Context ...performance and security characteristics. For additional background on pairing-based cryptography we refer to [20, Ch. 24]. To obtain suitable discriminants we used algorithms in [44] (for k = 6) and =-=[30]-=- (for k = 10) that were optimized to search for q within a specified range. This produced a set DPF of nearly 2000 fundamental discriminants (1722 with k = 6 and 254 with k = 10), with |D| ranging from... |

26 |
Handbook of Computational Group Theory
- Holt
- 2005
Citation Context ...r1,...,rk), and let X(α) = {x ∈ Z^k : 0 ≤ xi < ri}. 1. For each β ∈ G there is a unique x ∈ X(α) such that β = α^x. 2. The vector x such that αi^ri = α^x has xj = 0 for j ≥ i. Proof. See Lemmas 8.3 and 8.6 in =-=[37]-=-. □ The vector x is the discrete logarithm (exponent vector) of β with respect to α. The relations αi^ri = α^x are called power relations and may be used to define a (consistent) polycyclic presentati... |

22 |
Primes of the form x^2 + ny^2: Fermat, class field theory and complex multiplication
- Cox
- 1989
Citation Context ...ts completely over Fp. It has h(D) roots, which form EllO(Fp). 2. The map j(E) ↦ j(E)^a defines a free transitive action of cl(D) on EllO(Fp). For further background, we recommend the expositions in =-=[23]-=- and [60], and also the material in [49, Ch. 10] and [62, Ch. II]. Let p be a prime in PD. Our plan is to compute HD mod p by determining its roots and forming the product of the corresponding linear ... |

20 | Calculating the order of an invertible matrix
- Celler, Leedham-Green
- 1995
Citation Context ...es) is given by Lemma 6 of Section 7. A simple implementation of FastOrder appears below, based on a recursive algorithm to compute the order of a generic group element due to Celler and Leedham-Green =-=[16]-=-. By convention, generic groups are written multiplicatively, and we do so here, although we apply FastOrder to the additive groups E(Fp) and Ẽ(Fp). The function ω(N) counts the distinct prime factor... |

16 |
Binary quadratic forms. An algorithmic approach
- Buchmann, Vollmer
- 2007
Citation Context ...ve α, r(α), and s(α). We define s(γ) using a bijection X(γ) → {z ∈ Z : 0 ≤ z < |G|} given by (14) Z(x) = ∑_{1≤j≤n} Nj xj, where Nj = ∏_{1≤i<j} ri. For each power relation γi^ri = γ^x, we set si = Z(x). The formula =-=(15)-=- xj = ⌊si/Nj⌋ mod rj recovers the component xj of the vector x for which si = Z(x). Algorithm 2.2. Given γ = (γ1,...,γn) generating a finite abelian group G: 1. Let T be an empty table and call TableIn... |

16 | On the group orders of elliptic curves over finite fields - Howe - 1993 |

15 | Computing the endomorphism ring of an ordinary elliptic curve over a finite field. Preprint available at http://arxiv.org/abs/0902.4670
- Bisson, Sutherland
Citation Context ... L-smooth, verify that j ∈ EllO(Fp) and abort if not. 3. Return j′ = j. The verification in step 2 involves computing End(E) for an elliptic curve E/Fp with j(E) = j. Here we may use the algorithm in =-=[10]-=-, or Kohel’s algorithm [46]. The former is faster in practice (with a heuristically subexponential running time), but for the proof of Theorem 1 we use the O(p^(1/3)) complexity bound of Kohel’s algori... |

14 | An Analysis of the Reduction Algorithms for Binary Quadratic Forms
- Biehl, Buchmann
- 1997
Citation Context ... use O(|D|^(1/2) (log |D| + log P) llog |D|) space. Proof. The complexity of step 1 is addressed by Lemma 4 above. By Proposition 6, step 2 performs h(D) operations in cl(D), each taking O(log^2 |D|) time =-=[9]-=-. Even if we compute a different presentation for every v ≤ vM, the total time is O(|D|^(1/2+ɛ)). The table used by Algorithm 2.2 stores h(D) = O(|D|^(1/2) llog |D|) group elements, by bound (i), requirin... |

14 | A p-adic algorithm to compute the Hilbert class polynomial
- Bröker
Citation Context ... an integer polynomial of degree h(D) (the class number) and total size O(|D|^(1+ɛ)) bits. There are several algorithms that, under reasonable heuristic assumptions, can compute HD in quasilinear time =-=[5, 12, 22, 27]-=-, but its size severely restricts the feasible range of D. The bound |D| < 10^10 is commonly cited as a practical upper limit for the CM method [31, 43, 44, 68], and this already assumes the use of al... |

13 |
Computing Hilbert class polynomials, in Algorithmic number theory
- Belding, Bröker, et al.
Citation Context ... an integer polynomial of degree h(D) (the class number) and total size O(|D|^(1+ɛ)) bits. There are several algorithms that, under reasonable heuristic assumptions, can compute HD in quasilinear time =-=[5, 12, 22, 27]-=-, but its size severely restricts the feasible range of D. The bound |D| < 10^10 is commonly cited as a practical upper limit for the CM method [31, 43, 44, 68], and this already assumes the use of al... |

12 | Computing the structure of a finite abelian group
- Buchmann, Schmidt
Citation Context ...sentially optimal. However, if γ has size n = o(|G|^(1/2)), we can do asymptotically better with an O(n|G|^(1/2)) algorithm. This is achieved by computing a basis α for G via a generic algorithm (as in =-=[14, 64, 66, 67]-=-) and then determining the representation of each γi = α^x in this basis using a vector discrete logarithm algorithm (such as [64, Alg. 9.3]). It is then straightforward to compute |Gi| for each i, an... |

12 |
GNU multiple precision arithmetic library 4.1.2
- Granlund, et al.
- 2002
Citation Context ...s j-invariant and ensure that the trace of E has the correct sign. 1 8.1. Implementation. The algorithms described in this paper were implemented using the GNU C/C++ compiler [63] and the GMP library =-=[33]-=- on a 64-bit Linux platform. Multiplication of large polynomials was handled by the zn_poly library developed by Harvey [36], based on the algorithm in [35]. The hardware platform included sixteen 2.8... |

11 |
On the coefficients of the transformation polynomials for the elliptic modular function
- Cohen
- 1984
Citation Context ... p ≤ x that split completely in KO. Equivalently, π1(x, KO/Q) counts primes whose image in Gal(KO/Q) under the Artin map is the identity element [23, Cor. 5.21]. Applying Theorem 1.1 of [48] then yields =-=(21)-=- ∣π1(x, KO/Q) − Li(x) ( ( 1/2 h(D) 2h(D) x log |D| x 2h(D) ∣ ≤ c1 ) +log(|D| 2h(D) h(D) ) ) , as in [5, Eq. 3], where the constant c1 is effectively computable. Lemma 2 (GRH). For any real constant c3... |

10 |
Isogeny volcanoes and the SEA algorithm, Algorithmic Number Theory — ANTS-V
- Fouquet, Morain
- 2002
Citation Context ...s a computationally explicit way to define the graph of ℓ-isogenies on the set Ellt(Fp). As shown by Kohel [46], the connected components of this graph all have a particular shape, aptly described in =-=[29]-=- as a volcano (see Figure 1 in Section 4). The curves in an isogeny volcano are naturally partitioned into one or more levels, according to their endomorphism rings, with the cu... |

10 |
Constructing Brezing-Weng pairing friendly elliptic curves using elements in the cyclotomic field
- Kachisa, Schaeffer, et al.
- 2008
Citation Context ...ions, can compute HD in quasilinear time [5, 12, 22, 27], but its size severely restricts the feasible range of D. The bound |D| < 10^10 is commonly cited as a practical upper limit for the CM method =-=[31, 43, 44, 68]-=-, and this already assumes the use of alternative class polynomials that are smaller (and less general) than HD. As noted in [27], space is the limiting factor in these computations, not running time.... |

8 | The distribution of group structures on elliptic curves over finite prime fields
- Gekeler
Citation Context ...32 (ℓ r1 1 ,...,ℓ rk k ) (720203) (17 1128 , 19 10 ) (3 27038 , 5 2 ) step 1 0.0s 0.0s 0.0s step 2 1.2s 0.5s 4.0s step 3 0.6s 0.3s 2.0s step 4 23,300s 26,000s 61,000s step 5 0.0s 0.0s 0.0s (Tf,Te,Tb) =-=(57,32,11)-=- (51,47,2) (53,20,27) throughput 2.0Mb/s 0.6Mb/s 4.9Mb/s memory 3.9MB 2.1MB 9.4MB total data 5.7GB 1.9GB 37GB Solve HD(X) =0overFq 127s 86s 332s (2.8 GHz AMD Athlon) 8.3. Examples. Table 2 summarizes ... |

7 |
A taxonomy of pairing-friendly elliptic curves
- Freeman, Scott, et al.
Citation Context ...me order, using the CM method. 1. Introduction Elliptic curves with a prescribed number of points have many applications, including elliptic curve primality proving [2] and pairing-based cryptography =-=[31]-=-. The number of points on an elliptic curve E/Fq is of the form N = q + 1 − t, where |t| ≤ 2√q. For an ordinary elliptic curve, we additionally require t ≢ 0 mod p, where p is the characteristic of Fq. W... |

7 |
Einige Bemerkungen zu der vorstehenden Arbeit des Herrn G. Pólya: Über die Verteilung der quadratischen Reste und
- Schur
- 1918
Citation Context ... which implies B0 ≤ B1Mh/Mh ≤ B2Mh−1Mh/M 2 h ≤···≤BmMh−m+1 ···Mh/M m h = B. It follows that B bounds every Bn. The bound log B = O(|D| 1/2 log 2 |D|) follows from h = O(|D| 1/2 log |D|), as proven in =-=[59]-=-, and the bound ∑ k 1 ak = O(log2 |D|), as proven in [58, Lemma 2.2]. As shown in [5, Lemma 2], under the GRH the bound ∑ k 1 = O(log |D| llog |D|) ak follows from [52], which yields log B = O(|D| 1/2... |

6 |
On the class-number of the corpus P(√−k)
- Littlewood
- 1928
Citation Context ...e norms ℓ1,...,ℓk arising in a polycyclic presentation of cl(D) that is derived from a set of generators. (GRH) For convenient reference, we note the following bounds: (i) h = h(D) = O(|D|^(1/2) llog |D|) (see =-=[52]-=-). (ii) b = lg B + 2 = O(|D|^(1/2) log |D| llog |D|) (Lemma 8). (iii) n = #S = O(|D|^(1/2) llog |D|) (follows from (ii)). (iv) ℓM = max{ℓ1,...,ℓk} = O(log^2 |D|) (see [4]). (v) z = O(|D|^(1/2) log^3 |D| llog |D|) ... |

6 |
Choosing the correct elliptic curve
- Rubin, Silverberg
- 2010
Citation Context ...rformance of Algorithm 2 in more extreme cases we also conducted tests using discriminants with very large values of L(1,χD). These results are presented in Section 8.5. 1 One may apply the method in =-=[56]-=-, or simply compute NQ for a nonzero point Q ∈ E(Fq), where N is the desired (prime) order of E(Fq), and switch to a quadratic twist of E if NQ ≠ 0. Table 2. Example computati... |

5 |
Constructing elliptic curves with a known number of points over a prime field
- Agashe, Lauter, Venkatesan
- 2004
Citation Context ...pace. This includes the case where P is larger than the coefficients of HD (for which we have accurate bounds); hence it may be used to determine HD over Z. Our algorithm is based on the CRT approach =-=[1, 5, 17]-=-, which computes the coefficients of HD modulo many “small” primes p and then applies the Chinese Remainder Theorem (CRT). As in [1], we use the explicit CRT [8, Thm. 3.1] to obtain HD mod P , and we ... |

5 |
Numerical results on class groups of imaginary quadratic fields
- Jacobson, Ramachandran, et al.
Citation Context ...(|D|^(1/2) log^(1+ω+ɛ) |D|) 4. Compute ∏_{j∈EllO(Fp)} (X − j) O(|D|^(1/2) log^(2+ɛ) |D|) The value of ω depends on our estimate for M(ℓ). One can find values of D in the feasible range where ℓM is over 300 (see =-=[40, 41]-=-), and here it is reasonable to assume M(ℓ) = ℓ^ω with ω = lg 3 ≈ 1.585. In the worst case, step 3 dominates. However, the critical parameter is ℓ1, the least cost ℓi used by Algorithm 1.3. If ℓ1 ∤ D we exp... |

4 | Efficient CM-constructions of elliptic curves over finite fields
- Bröker, Stevenhagen
Citation Context ...an elliptic curve E/Fq with this j-invariant. Either E or its quadratic twist has N points, and we may easily determine which. For more details on constructing elliptic curves with the CM method, see =-=[2, 13, 50]-=-. The most difficult step in this process is obtaining HD, an integer polynomial of degree h(D) (the class number) and total size O(|D|^(1+ɛ)) bits. There are several algorithms that, under reasonable ... |

4 | Faster polynomial multiplication via multipoint Kronecker substitution
- Harvey
- 2007
Citation Context ...GNU C/C++ compiler [63] and the GMP library [33] on a 64-bit Linux platform. Multiplication of large polynomials was handled by the zn_poly library developed by Harvey [36], based on the algorithm in =-=[35]-=-. The hardware platform included sixteen 2.8 GHz AMD Athlon processors, each with two cores. Up to 32 cores were used in each test (with essentially linear speedup), but for consistency we report tota... |

3 | On the arithmetic of certain modular curves - Jeon, Kim - 2006 |

3 | Computing L-series of hyperelliptic curves - Kedlaya, Sutherland |

3 | Determining the 2-Sylow subgroup of an elliptic curve over a finite field
- Miret, Moreno, et al.
Citation Context ... torsion constraint 14 = 2 0 · 3 0 · 14, for example, indicates that #E is divisible by 14 but not divisible by 3 or 4. Efficient methods for analyzing the Sylow 2-subgroup of E(Fp) are considered in =-=[53, 65]-=-, and for 3-torsion we use the 3-division polynomial [71, § 3.2]. For the sake of brevity, here we consider constraints on the Sylow 2-subgroup only up to 4-torsion, but one may obtain minor improveme... |

2 |
On a theorem of Mestre and Schoof, Journal de Théorie des Nombres de Bordeaux 22
- Cremona, Sutherland
- 2010
Citation Context ...m of the orders of random points in Es(Fp). By [64, Thm. 8.1] we expect that O(1) points yield ms = λ(Es(Fp)), the group exponent of Es(Fp). For p > 11, Theorem 2 and Table 1 of =-=[25]-=- then imply N ⊆ {N0, N1}, forcing termination. We thus expect to execute each step O(1) times. We now bound the cost of steps 2-5: 2. The nonresidue used to compute Ẽ can be probabilistically obtained ... |

1 |
Multidigit modular multiplication with the explicit Chinese remainder theorem
- Bernstein
- 1995
Citation Context ...⌋M mod P. 3. Output HD mod P with coefficients Cj. Algorithm 2.5 uses O(h(D)M(log P)) time and O(h(D) log P) space. The formulas used by Algorithms 2.4 and 2.5 are taken from [8, Thm. 2.2] (also see =-=[7]-=-). 6.3. Applying the CRT when P is large. When P is larger than M, we simply compute HD ∈ Z[X] using a standard application of the CRT. That is, we compute HD mod pi for pi ∈ S, and then apply (5) c ≡... |

1 |
Construction of secure elliptic cryptosystems using CM tests and liftings
- Chao, Nakamura, Sobataka, Tsujii
- 1998
Citation Context ...pace. This includes the case where P is larger than the coefficients of HD (for which we have accurate bounds); hence it may be used to determine HD over Z. Our algorithm is based on the CRT approach =-=[1, 5, 17]-=-, which computes the coefficients of HD modulo many “small” primes p and then applies the Chinese Remainder Theorem (CRT). As in [1], we use the explicit CRT [8, Thm. 3.1] to obtain HD mod P , and we ... |

1 |
High precision computation of Hardy-Littlewood constants
- Cohen
- 1999
Citation Context ...MPUTING HILBERT CLASS POLYNOMIALS WITH THE CRT 33 We now apply the bound ∑ p≤x 1 B1 =0.261497 ...,andalso ∑ p log ∏ p≤x p < llog x + B1 +1/(log x) 2 from [55, 3.20], where 1 p(p−1) =0.773156 ... from =-=[19]-=- to obtain p +1 < 2 llog x +2.218, p − 1 valid for x ≥ 41. This yields ∏ p+1 p≤x p−1 < 9.189 · log2 x. We also have the bound x(1 − 1/ log x) < ∑ p≤x log p, valid for x ≥ 41, by [55, 3.16], which impl... |

1 |
Supplementary tables for “Numerical results on class groups of imaginary quadratic fields”, 2006, available at http://www.math.tu-berlin.de/~kant/ants/Proceedings/ramachandran-74/ramachandran-74-tables.pdf
Citation Context ...(|D|^(1/2) log^(1+ω+ɛ) |D|) 4. Compute ∏_{j∈EllO(Fp)} (X − j) O(|D|^(1/2) log^(2+ɛ) |D|) The value of ω depends on our estimate for M(ℓ). One can find values of D in the feasible range where ℓM is over 300 (see =-=[40, 41]-=-), and here it is reasonable to assume M(ℓ) = ℓ^ω with ω = lg 3 ≈ 1.585. In the worst case, step 3 dominates. However, the critical parameter is ℓ1, the least cost ℓi used by Algorithm 1.3. If ℓ1 ∤ D we exp... |

1 |
Computing the height of volcanoes of l-isogenies of elliptic curves over finite fields
- Miret, Moreno, et al.
Citation Context ...e vertices on the floor have degree 1, and in every case their degree is at most 2; all other vertices have degree ℓ + 1 > 2. We refer to d as the depth of the ℓ-volcano. The term “height” is also used =-=[54]-=-, but “depth” better suits our indexing of the levels Vi and is consistent with [46]. Figure 1. A 3-volcano of depth 2, with a 4-cycle on the surface. Definition 2. For a prime ℓ ≠ p, let Γℓ,t(Fp) be ... |