## CONSTRUCTING ELLIPTIC CURVES OF PRIME ORDER

Citations: | 6 - 3 self |

### BibTeX

@MISC{Bröker_constructingelliptic,

author = {Reinier Bröker and Peter Stevenhagen},

title = {CONSTRUCTING ELLIPTIC CURVES OF PRIME ORDER},

year = {}

}

### OpenURL

### Abstract

Abstract. We present a very efficient algorithm to construct an elliptic curve E and a finite field F such that the order of the point group E(F) is a given prime number N. Heuristically, this algorithm only takes polynomial time e O((log N) 3), and it is so fast that it may profitably be used to tackle the related problem of finding elliptic curves with point groups of prime order of prescribed size. We also discuss the impact of the use of high level modular functions to reduce the run time by large constant factors and show that recent gonality bounds for modular curves imply limits on the time reduction that can be obtained. 1.

### Citations

240 | Factoring integers with elliptic curves - Lenstra - 1987 |

85 | Counting points on elliptic curves over finite fields
- Schoof
- 1995
(Show Context)
Citation Context ...st suitable discriminant D found in this way will be D = � O((log N) 2 ). Moreover, as the principality of the ideal a ⊂ OD lying over N can be tested effiently using the 1908 algorithm of Cornacchia =-=[23]-=-, we can expect to find this D in time O((log N) 4+ε ). Cornacchia’s algorithm explicitly computes the positive integers x, y that satisfy x 2 − Dy 2 = 4N in case such integers exist. For D < −4, such... |

46 | Diophantine Geometry, An Introduction - Hindry, Silverman - 2000 |

45 |
Constructing elliptic curves with given group order over large finite fields. Algorithmic Number Theory
- Lay, Zimmer
- 1994
(Show Context)
Citation Context ...raphy. Partly because of this application, the mathematically natural question on how to generate elliptic curves over finite fields with a given number of points has attracted considerable attention =-=[16, 15, 2, 5]-=-. More in particular [22, 14], one is led to the question of how to efficiently generate ‘cryptographic’ elliptic curves for which the order of the point group is a prime number. For elliptic curves o... |

37 |
Lehrbuch der Algebra
- Weber
(Show Context)
Citation Context ...rithm from Section 2 for that N. From a practical point of view, CM-methods are hampered by the enormous size of the auxiliary class polynomials entering the construction, and since the time of Weber =-=[25]-=-, extensive use has been made of ‘small’ modular functions to perform CM-constructions. We discuss the practical improvements of this nature in Section 4, and show how recent results on the gonality o... |

28 | Implementing the Asymptotically fast Version of the Elliptic Curve Primality Proving Algorithm
- Morain
(Show Context)
Citation Context ... of size (log N) 2 takes time � O((log N) 4 ), and this dominates the run time of the algorithm. We will lower the heuristic run time to � O((logN) 3 ) by applying an idea attributed to J. Shallit in =-=[18]-=- to speed up the algorithm. We start from the observation that N splits into principal primes in OD if and only if N splits completely in the Hilbert class field HD of Q( √ D). If this is the case, th... |

26 | Action of modular correspondences around CM-points, Algorithmic Number Theory Symposium V
- Couveignes, Henocq
(Show Context)
Citation Context ...· −b + √ ∆ ] ∈ Pic(O∆). 2 The polynomial P∆ has integer coefficients, so it can be computed by approximating the roots j(τQ) ∈ C with sufficient accuracy. Alternatively, one can use p-adic algorithms =-=[7, 4, 5]-=- to compute P∆. The polynomial P∆ splits completely modulo p, and its roots in Fp are the jinvariants of the elliptic curves E/Fp with endomorphism ring isomorphic to O∆. If j0 �= 0, 1728 ∈ Fp is one ... |

24 |
Comparing invariants for class fields of imaginary quadratric fields
- Enge, Morain
(Show Context)
Citation Context ...t follows as in [17, Section 1] that, heuristically, we have to try O(log p) curves over Fp until we find one of prime order. This leads to a heuristic run time � O(k 5 ). As was noted by many people =-=[8, 14]-=-, we can also use complex multiplication techniques to tackle the problem. Unlike our Algorithm 2.2, which starts with a desired prime value N for the group order and computes a suitable prime field F... |

22 |
Constructing elliptic curves over finite fields using double eta-quotients, Journal de Théorie des Nombres de Bordeaux 16
- Enge, Schertz
- 2004
(Show Context)
Citation Context ...nants, such as the discriminants congruent to 5 mod 8 from the previous sections, similar but somewhat smaller factors may be gained by using double eta-quotients η(z/p)η(z/q)η(z) −1 η(z/pq) −1 as in =-=[9]-=-. The ‘reduction factor’ that is obtained when using a modular function f instead of j depends on the degree of the irreducible polynomial relation Ψ(j, f) = 0 that exists between j and f. In terms of... |

21 |
Hilbert’s 12th problem, complex multiplication and Shimura reciprocity
- Stevenhagen
- 2001
(Show Context)
Citation Context ...ar function f at some τ ∈ Q( √ D) generates the Hilbert class field HD over Q( √ D), we call f(τ) a class invariant. Class invariants have been well studied, and it is now a rather mechanical process =-=[24, 12]-=- to check for which D class invariants can be obtained from a given modular function f, and, in case f(τ) is a class invariant for Q( √ D), to find its Galois over Q. coming from the j-function. The p... |

19 | Constructing elliptic curves with a known number of points over a prime field, High Primes and Misdemeanours: lectures in honour of the 60th birthday of H
- Agashe, Lauter, et al.
(Show Context)
Citation Context ...raphy. Partly because of this application, the mathematically natural question on how to generate elliptic curves over finite fields with a given number of points has attracted considerable attention =-=[16, 15, 2, 5]-=-. More in particular [22, 14], one is led to the question of how to efficiently generate ‘cryptographic’ elliptic curves for which the order of the point group is a prime number. For elliptic curves o... |

19 | Proving Primality in Essentially Quartic Random Time
- Bernstein
(Show Context)
Citation Context ...p order is a prime of exactly k decimal digits. If we insist on a curve with proven prime order, we cannot hope for an algorithm with a faster run time than O(k 4 ), since the fastest known algorithm =-=[3]-=- to rigorouslysCONSTRUCTING ELLIPTIC CURVES OF PRIME ORDER 7 prove primality of an integer N ≈ 10 k has expected run time O((log N) 4+ε ) = O(k 4+ε ) for all ε > 0. The naive algorithm of selecting a ... |

18 | Constructing elliptic curves of prescribed order
- Bröker
(Show Context)
Citation Context ...· −b + √ ∆ ] ∈ Pic(O∆). 2 The polynomial P∆ has integer coefficients, so it can be computed by approximating the roots j(τQ) ∈ C with sufficient accuracy. Alternatively, one can use p-adic algorithms =-=[7, 4, 5]-=- to compute P∆. The polynomial P∆ splits completely modulo p, and its roots in Fp are the jinvariants of the elliptic curves E/Fp with endomorphism ring isomorphic to O∆. If j0 �= 0, 1728 ∈ Fp is one ... |

16 |
Generating Class Fields Using Shimura Reciprocity
- Gee, Stevenhagen
- 1998
(Show Context)
Citation Context ...ar function f at some τ ∈ Q( √ D) generates the Hilbert class field HD over Q( √ D), we call f(τ) a class invariant. Class invariants have been well studied, and it is now a rather mechanical process =-=[24, 12]-=- to check for which D class invariants can be obtained from a given modular function f, and, in case f(τ) is a class invariant for Q( √ D), to find its Galois over Q. coming from the j-function. The p... |

11 | Elliptic curves with a given number of points
- Bröker, Stevenhagen
(Show Context)
Citation Context ...raphy. Partly because of this application, the mathematically natural question on how to generate elliptic curves over finite fields with a given number of points has attracted considerable attention =-=[16, 15, 2, 5]-=-. More in particular [22, 14], one is led to the question of how to efficiently generate ‘cryptographic’ elliptic curves for which the order of the point group is a prime number. For elliptic curves o... |

10 | Class invariants by Shimura’s reciprocity law - Gee - 1999 |

8 |
Modular curves of composite level
- Enge, Schertz
- 2005
(Show Context)
Citation Context ... N points. The value of the double η-quotient f = η(z/5)η(z/13) η(z)η(z/65) at z = −21+√−2419 2 generates the Hilbert class field H−2419. The minimal polynomial Ψ of f over C(j) can be computed as in =-=[10]-=-. It has degree 4 in j and degree 84 in X, and we have r(f) = 84/4 = 21. Indeed, the polynomial P f −2419 = X8 +87X 7 +14637X 6 −3810X 5 +39662X 4 +42026X 3 +12593X 2 −221X+1 has coefficients of no mo... |

8 |
Selberg’s Eigenvalue Conjecture
- Sarnak
(Show Context)
Citation Context ...n view of the following theorem.s10 REINIER BRÖKER, PETER STEVENHAGEN 4.1. Theorem. The reduction factor of a modular function f satisfies r(f) ≤ 800/7 ≈ 114.28. If Selberg’s eigenvalue conjecture in =-=[21]-=- holds, then we have r(f) ≤ 96. Proof. Let f be modular of level N ≥ 1, and Γ(f) ⊂ SL2(Z) the stabilizer of f inside SL2(Z). Then Γ(f) contains the principal congruence subgroup Γ(N) of level N, and t... |

6 | On the construction of prime order elliptic curves
- Konstantinou, Stamatiou, et al.
(Show Context)
Citation Context ...cation, the mathematically natural question on how to generate elliptic curves over finite fields with a given number of points has attracted considerable attention [16, 15, 2, 5]. More in particular =-=[22, 14]-=-, one is led to the question of how to efficiently generate ‘cryptographic’ elliptic curves for which the order of the point group is a prime number. For elliptic curves of prime order N, the discrete... |

6 |
On the discrete logarithm problem in the divisor class group of curves
- Ruck
- 1997
(Show Context)
Citation Context ...different from FN. This is certainly desirable from a cryptographic point of view, as curves of order N over FN are cryptographically unsafe: the discrete logarithm problem on them can be transformed =-=[20]-=- into a discrete logarithm problem for the additive group of FN that is easily solved. Let p be any prime in HN, and write N = p + 1 − t. Then we have t �= 0, as the primes p and N > 3 are not consecu... |

5 |
C.K.: Generating elliptic curves of prime order. In: Cryptographic hardware and embedded systems—CHES 2001
- Savas, Schmidt, et al.
- 2001
(Show Context)
Citation Context ...cation, the mathematically natural question on how to generate elliptic curves over finite fields with a given number of points has attracted considerable attention [16, 15, 2, 5]. More in particular =-=[22, 14]-=-, one is led to the question of how to efficiently generate ‘cryptographic’ elliptic curves for which the order of the point group is a prime number. For elliptic curves of prime order N, the discrete... |

4 | Efficient CM-constructions of elliptic curves over finite fields
- Bröker, Stevenhagen
(Show Context)
Citation Context ... curve E/Fp with #E(Fp) = N. Under heuristic assumptions, its run time is � O((logN) 3 ) for every ε > 0. Proof. As the smoothness properties of D are irrelevant in the heuristic analysis detailed in =-=[6]-=-, the smallest suitable D found by our Algorithm, which restricts to the positive density subset of discriminants, will be of size � O((log N) 2 ). The expected number r of rounds of our Algorithm wil... |

2 |
A linear bound on the gonality of modular curves
- Abramovich
- 1996
(Show Context)
Citation Context ...) → P1 C is equal to deg f(Ψ(f, j)) = [SL2(Z) : Γ(f)]. We now consider the gonality γ(X(f)) of the modular curve X(f), i.e., the minimal degree of a non-constant morphism π : X(f) → P1 C . Abramovich =-=[1]-=- proved in 1996 that the gonality of any modular curve XH corresponding to some congruence subgroup H ⊂ SL2(Z) is bounded from below by c ·[SL2(Z) : H] for some universal constant c > 0. His proof yie... |

2 |
Modulus Search for Elliptic Curve Cryptosystems
- Koyama, Tsuruoka, et al.
- 1999
(Show Context)
Citation Context |

2 |
Smooth numbers and the quadratic sieve, Surveys in Algorithmic Number Theory
- Pomerance
- 2006
(Show Context)
Citation Context ... basis, and so on. In this way, we encounter in the r-th round all discriminants D with |D| < (r log N) 2 that are made up of prime factors below r log N. Asymptotically (cf. the ‘analytic tidbit’ in =-=[19]-=-), this is a positive fraction 1 − log 2 ≈ 0.30685 of all discriminants below (r log N) 2 . As the smoothness properties of D play no role in our heuristics, we still expect to find a suitable discrim... |