andrew v. sutherlanddrew/ecc2012.pdfasymptotically, its size is o(‘3 log‘) bits. ‘...
TRANSCRIPT
![Page 1: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/1.jpg)
On the evaluation of modular polynomials
Andrew V. SutherlandMassachusetts Institute of Technology
ECC 2012
http://arxiv.org/abs/1202.3985http://arxiv.org/abs/1208.5370
1 / 34
![Page 2: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/2.jpg)
A brief journey through space-time...
2 / 34
![Page 3: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/3.jpg)
Space and time
In a universe with n dimensions, the amount of data that can bestored within a distance r of the CPU is O(rn).
An algorithm with space complexity S is at an average distanceΩ(S1/n) from its data. The speed of light is bounded by a constant,thus the time to read or write a bit located at a distance r is Ω(r).
Conclusion: space complexity S =⇒ time complexity Ω(S1+1/n).
The RAM model permits algorithms with quasi-linear space and timecomplexity, but these complexities cannot be realized in practice.
If we are given an algorithm whose theoretical space and timecomplexity are quasi-linear, reducing the space complexity will speedup the real-world running time of the algorithm, often dramatically.
3 / 34
![Page 4: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/4.jpg)
Space and time
In a universe with n dimensions, the amount of data that can bestored within a distance r of the CPU is O(rn).
An algorithm with space complexity S is at an average distanceΩ(S1/n) from its data. The speed of light is bounded by a constant,thus the time to read or write a bit located at a distance r is Ω(r).
Conclusion: space complexity S =⇒ time complexity Ω(S1+1/n).
The RAM model permits algorithms with quasi-linear space and timecomplexity, but these complexities cannot be realized in practice.
If we are given an algorithm whose theoretical space and timecomplexity are quasi-linear, reducing the space complexity will speedup the real-world running time of the algorithm, often dramatically.
3 / 34
![Page 5: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/5.jpg)
Isogenies of elliptic curves
An elliptic curve E/k is a smooth projective curve of genus 1 witha distinguished k-rational point 0.
An isogeny φ : E1 → E2 is a morphism of elliptic curves,a rational map that fixes the point 0. We shall assume φ 6= 0.
The induced homomorphism φ : E1(k)→ E2(k) has a finite kernel.Conversely, every finite subgroup of E1(k) is the kernel of an isogeny.
The degree of an isogeny is its degree as a rational map.For nonzero separable isogenies, degφ = | kerφ|.
We are primarily interested in isogenies of prime degree ` 6= char k,which are necessarily separable isogenies with cyclic kernels.
4 / 34
![Page 6: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/6.jpg)
-invariants
The k-isomorphism classes of elliptic curves E/k are in bijectionwith the field k. For E : y2 = x3 + Ax + B, the -invariant of E is
(E) = (A,B) = 17284A3
4A3 + 27B2 ∈ k.
The -invariants (0,B) = 0 and (A, 0) = 1728 are special.They correspond to elliptic curves with extra automorphisms.
For j 6∈ 0, 1728, we have j = (A,B), where
A = 3j(1728− j) and B = 2j(1728− j)2.
Note that (E1) = (E2) does not necessarily imply that E1 and E2are isomorphic over k, only that they are isomorphic over k.
5 / 34
![Page 7: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/7.jpg)
The modular equation
Let : H→ C be the classical modular function.
For any τ ∈ H, the values (τ) and (`τ) are the -invariants ofelliptic curves Eτ/C and E`τ/C that are `-isogenous.
The minimal polynomial Φ`(Y) of the function (`z) over C(j)has coefficients that are integer polynomials in (z).
Replacing (z) with X yields the modular polynomial Φ` ∈ Z[X,Y]that parameterizes pairs of `-isogenous elliptic curves E/C:
Φ`((E1), (E2)
)= 0 ⇐⇒ (E1) and (E2) are `-isogenous.
This moduli interpretation remains valid over any field whosecharacteristic is not equal to `.
Φ`(X, Y) = 0 is a defining equation for the affine modular curve Y0(`) = Γ0(`)\H.6 / 34
![Page 8: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/8.jpg)
Isogenies make hard problems easier
Isogenies play a key role in many applications:
I The Schoof-Elkies-Atkin (SEA) point-counting algorithm.
I Computing the endomorphism ring of an elliptic curve.
I The elliptic curve discrete logarithm problem (?).
I Computing Hilbert class polynomials HD(X).
I Computing modular polynomials.
Modular polynomials Φ`(X,Y) are used in all of these applications.
Given an elliptic curve E/F, the roots of the univariate polynomial
φ`(Y) = Φ`((E),Y) ∈ F[Y]
that lie in F are precisely the -invariants of the elliptic curves E/Fthat are `-isogenous to E.
7 / 34
![Page 9: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/9.jpg)
Isogenies make hard problems easier
Isogenies play a key role in many applications:
I The Schoof-Elkies-Atkin (SEA) point-counting algorithm.
I Computing the endomorphism ring of an elliptic curve.
I The elliptic curve discrete logarithm problem (?).
I Computing Hilbert class polynomials HD(X).
I Computing modular polynomials.
Modular polynomials Φ`(X,Y) are used in all of these applications.
Given an elliptic curve E/F, the roots of the univariate polynomial
φ`(Y) = Φ`((E),Y) ∈ F[Y]
that lie in F are precisely the -invariants of the elliptic curves E/Fthat are `-isogenous to E.
7 / 34
![Page 10: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/10.jpg)
Modular polynomials are very large. . .
Φ` ∈ Z[X,Y] is symmetric, with degree `+ 1 in both X and Y.Asymptotically, its size is O(`3 log `) bits.
` coefficients largest average total
127 8258 7.5kb 5.3kb 5.5MB251 31880 16kb 12kb 48MB503 127262 36kb 27kb 431MB1009 510557 78kb 60kb 3.9GB2003 2009012 166kb 132kb 33GB3001 4507505 259kb 208kb 117GB4001 8010005 356kb 287kb 287GB5003 12522512 454kb 369kb 577GB10007 50085038 968kb 774kb 4.8TB
Size of Φ`(X, Y)
8 / 34
![Page 11: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/11.jpg)
. . . but instantiated modular polynomials are not.
For an elliptic curve E over a finite field Fq, the size of theinstantiated polynomial φ`(Y) = Φ`((E),Y) is only O(` log q) bits.
Even if q is quite large, say 4096 bits, for ` = 10007 the size of φ`(Y)is just 5MB, which is almost a million times smaller than Φ`(X,Y).
A quote from the former elliptic curve point-counting world recordholder (at 2500 decimal digits):
“Despite this progress, computing modular polynomials remains thestumbling block for new point counting records. Clearly, to circumventthe memory problems, one would need an algorithm that directlyobtains the polynomial specialised in one variable.”
INRIA Project TANC, 2007
9 / 34
![Page 12: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/12.jpg)
. . . but instantiated modular polynomials are not.
For an elliptic curve E over a finite field Fq, the size of theinstantiated polynomial φ`(Y) = Φ`((E),Y) is only O(` log q) bits.
Even if q is quite large, say 4096 bits, for ` = 10007 the size of φ`(Y)is just 5MB, which is almost a million times smaller than Φ`(X,Y).
A quote from the former elliptic curve point-counting world recordholder (at 2500 decimal digits):
“Despite this progress, computing modular polynomials remains thestumbling block for new point counting records. Clearly, to circumventthe memory problems, one would need an algorithm that directlyobtains the polynomial specialised in one variable.”
INRIA Project TANC, 2007
9 / 34
![Page 13: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/13.jpg)
ResultsLet E/Fq be an elliptic curve and let ` < q be a prime (` 6= char Fq).
TheoremUnder the generalized Riemann hypothesis (GRH), one can computethe instantiated modular polynomial Φ`((E),Y) using O(` log q) spacein time quasi-linear in the size of Φ` (quasi-cubic in `).
Applying this to SEA, we can compute #E(Fq) in O(n4) time andO(n2 log n) space (n = log q), under standard heuristic assumptions.Previously, the SEA algorithm required Ω(n3 log n) space (or Ω(n4) ifprecomputed modular polynomials are used).
This has led to a new elliptic curve point-counting record modulo a5011-digit prime (and improvements in the range of practical interest).
The new results also yield improved space complexity bounds (andbetter performance) for many other algorithms that use isogenies.
10 / 34
![Page 14: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/14.jpg)
ResultsLet E/Fq be an elliptic curve and let ` < q be a prime (` 6= char Fq).
TheoremUnder the generalized Riemann hypothesis (GRH), one can computethe instantiated modular polynomial Φ`((E),Y) using O(` log q) spacein time quasi-linear in the size of Φ` (quasi-cubic in `).
Applying this to SEA, we can compute #E(Fq) in O(n4) time andO(n2 log n) space (n = log q), under standard heuristic assumptions.Previously, the SEA algorithm required Ω(n3 log n) space (or Ω(n4) ifprecomputed modular polynomials are used).
This has led to a new elliptic curve point-counting record modulo a5011-digit prime (and improvements in the range of practical interest).
The new results also yield improved space complexity bounds (andbetter performance) for many other algorithms that use isogenies.
10 / 34
![Page 15: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/15.jpg)
A volcano
11 / 34
![Page 16: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/16.jpg)
A volcano
12 / 34
![Page 17: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/17.jpg)
`-volcanoes
For a prime `, an `-volcano is a connected undirected graph whosevertices are partitioned into levels V0, . . . ,Vd such that:
1. The subgraph on V0 (the surface) is a connected regular graphof degree 0, 1, or 2.
2. For i > 0, each v ∈ Vi has exactly one neighbor in Vi−1.All edges not on the surface arise in this manner.
3. For i < d, each v ∈ Vi has degree `+1.
We allow self-loops and multi-edges, but this can happen only on the surface.13 / 34
![Page 18: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/18.jpg)
A 3-volcano of depth 2
14 / 34
![Page 19: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/19.jpg)
The graph of `-isogenies
DefinitionThe `-isogeny graph G`(k) has vertex set (E) : E/k = kand edges (j1, j2) for each root j2 ∈ k of Φ`(j1,Y) (with multiplicity).
Except for j ∈ 0, 1728, the in-degree of each vertex of G`is equal to its out-degree.
Thus G` is a bi-directed graph on k\0, 1728, which we mayregard as an undirected graph.
It consists of ordinary and supersingular components.
We have an infinite family of graphs G`(k) with vertex set k,one for each prime ` 6= char(k).
An elliptic curve E over a field of characteristic p > 0 is supersingular iff E[p] = 0.15 / 34
![Page 20: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/20.jpg)
Endomorphism rings
Isogenies from an elliptic curve E to itself are endomorphisms.They form a ring End(E) under composition and point addition.
We always have Z ⊆ End(E), due to scalar multiplication maps.If Z ( End(E), then E has complex multiplication (CM).
For an elliptic curve E with complex multiplication:
End(E) '
order in an imaginary quadratic field (ordinary),order in a quaternion algebra (supersingular).
In characteristic p > 0, every elliptic curve has CM, since the p-powerFrobenius endomorphism (x, y) 7→ (xp, yp) does not lie in Z.
16 / 34
![Page 21: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/21.jpg)
Horizontal and vertical isogenies
Let ϕ : E1 → E2 by an `-isogeny of ordinary elliptic curves with CM.Let End(E1) ' O1 = [1, τ1] and End(E2) ' O2 = [1, τ2].
Then `τ2 ∈ O1 and `τ1 ∈ O2.
Thus one of the following holds:
I O1 = O2, in which case ϕ is horizontal;
I [O1 : O2] = `, in which case ϕ is descending;
I [O2 : O1] = `, in which case ϕ is ascending.
In the latter two cases we say that ϕ is a vertical isogeny.
17 / 34
![Page 22: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/22.jpg)
The theory of complex multiplication
Let E/k have CM by an imaginary quadratic order O.
For each invertible O-ideal a, the a-torsion subgroup
E[a] = P ∈ E(k) : α(P) = 0 for all α ∈ a
is the kernel of an isogeny ϕa : E → E′ of degree N(a) = [O : a].We necessarily have End(E) ' End(E′), so ϕa is horizontal.
If a is principal, then E′ ' E. This induces a cl(O)-action on the set
EllO(k) = (E) : E/k with End(E) ' O.
This action is faithful and transitive; thus EllO(k) is a principalhomogeneous space, a torsor, for cl(O).
One can decompose horizontal isogenies of large prime degree into an equivalentsequence of isogenies of small prime degrees, which makes them easy to compute;see [Broker-Charles-Lauter 2008, Jao-Souhkarev ANTS IX].
18 / 34
![Page 23: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/23.jpg)
Isogeny volcanoes
Theorem (Kohel)Let V be an ordinary connected component of G`(Fq) that does not
contain 0, 1728. Then V is an `-volcano in which the following hold:
(i) Vertices in level Vi all have the same endomorphism ring Oi.
(ii) ` - [OK : O0], and [Oi : Oi+1] = `.
(iii) The subgraph on V0 has degree 1 + ( D` ), where D = disc(O0).
(iv) If ( D` ) ≥ 0 then |V0| is the order of [l] in cl(O0).
(v) The depth of V is ord`(v), where 4q = t2 − v2D.
The term volcano is due to Fouquet and Morain (ANTS V).See http://arxiv.org/abs/1208.5370 for more on isogeny volcanoes.
19 / 34
![Page 24: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/24.jpg)
Modular polynomials via isogeny volcanoes [BLS]
Given an odd prime `, we may compute Φ`(X,Y) as follows:
1. Select a sufficiently large set of primes of the form4p = t2 − `2v2D with ` - v, p ≡ 1 mod `, and h(D) > `+ 1.
2. For each prime p, compute Φ`(X,Y) mod p as follows:a. Compute EllO(Fp) using HD(X) mod p.b. Map the `-volcanoes intersecting EllO(Fp) (without using Φ`).c. Interpolate Φ`(X,Y) mod p.
3. Use the CRT to recover Φ` over Z (or mod q via the explicit CRT).
Under the GRH, the expected running time is O(`3 log3+ε `) usingO(`3 log `) space (or O(`2 log q) space to compute Φ` mod q).
We can similarly compute modular polynomials for other modular functions.One can also use a CRT approach to compute ΦN for composite N [Ono-S in prog].
20 / 34
![Page 25: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/25.jpg)
Explicit Chinese Remainder Theorem
Suppose c ≡ ci mod pi for k distinct primes pi. Then
c ≡∑
ciaiMi mod M,
where M =∏
pi, Mi = M/pi and ai = 1/Mi mod pi.If M > 2|c|, we can recover c ∈ Z.
With M > 4|c|, the explicit CRT computes c mod q directly via
c =(∑
ciaiMi − rM)
mod q,
where r = rnd(∑
aici/pi) is computed using O(log k) bits of precision.
Using an online algorithm, this can be applied to N coefficients c inparallel, using O(log M + k log q + N(log q + log k)) ≈ O(N log q) space.
Montgomery-Silverman 1990, Bernstein 1995, S 2011.21 / 34
![Page 26: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/26.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32, β25 = β7
2 `0 6= `, ( D`0
) = 1, α` = αk`0, β`2 = βk′
`0
901901901901351351 22152215
25012501
2872287215821582701701
318831883188 2970 1478 33283188 2970 1478 3328 3508 2464 2976 25663508 2464 2976 2566 334118682434676 334118682434676 3147225511803144 3147222511803144
fourblanklineslineslines
22 / 34
![Page 27: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/27.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `
t = 52, v = 2, h(D) = 7 ` - v, ( D`
) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32, β25 = β7
2 `0 6= `, ( D`0
) = 1, α` = αk`0, β`2 = βk′
`0
901901901901351351 22152215
25012501
2872287215821582701701
318831883188 2970 1478 33283188 2970 1478 3328 3508 2464 2976 25663508 2464 2976 2566 334118682434676 334118682434676 3147225511803144 3147222511803144
fourblanklineslineslines
22 / 34
![Page 28: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/28.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32, β25 = β7
2 `0 6= `, ( D`0
) = 1, α` = αk`0, β`2 = βk′
`0
901901901901351351 22152215
25012501
2872287215821582701701
318831883188 2970 1478 33283188 2970 1478 3328 3508 2464 2976 25663508 2464 2976 2566 334118682434676 334118682434676 3147225511803144 3147222511803144
fourblanklineslineslines
22 / 34
![Page 29: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/29.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32, β25 = β7
2 `0 6= `, ( D`0
) = 1, α` = αk`0, β`2 = βk′
`0
901901901901351351 22152215
25012501
2872287215821582701701
318831883188 2970 1478 33283188 2970 1478 3328 3508 2464 2976 25663508 2464 2976 2566 334118682434676 334118682434676 3147225511803144 3147222511803144
1. Find a root of HD(X)
blanklineslineslines
22 / 34
![Page 30: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/30.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32, β25 = β7
2 `0 6= `, ( D`0
) = 1, α` = αk`0, β`2 = βk′
`0
901
901901901351351 22152215
25012501
2872287215821582701701
318831883188 2970 1478 33283188 2970 1478 3328 3508 2464 2976 25663508 2464 2976 2566 334118682434676 334118682434676 3147225511803144 3147222511803144
1. Find a root of HD(X): 901
blanklineslineslines
22 / 34
![Page 31: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/31.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2
, α5 = α32, β25 = β7
2
`0 6= `, ( D`0
) = 1
, α` = αk`0, β`2 = βk′
`0
901
901
901901351351 22152215
25012501
2872287215821582701701
318831883188 2970 1478 33283188 2970 1478 3328 3508 2464 2976 25663508 2464 2976 2566 334118682434676 334118682434676 3147225511803144 3147222511803144
2. Enumerate surface using the action of α`0
blanklineslineslines
22 / 34
![Page 32: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/32.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32
, β25 = β72
`0 6= `, ( D`0
) = 1, α` = αk`0
β`2 = βk′`0
901901
901
901351351 22152215
25012501
2872287215821582701701
318831883188 2970 1478 33283188 2970 1478 3328 3508 2464 2976 25663508 2464 2976 2566 334118682434676 334118682434676 3147225511803144 3147222511803144
2. Enumerate surface using the action of α`0
901
9
2−→ 1582 2−→ 2501 2−→ 351
9
2−→ 701
9
2−→ 2872 2−→ 2215 2−→
lineslineslines
22 / 34
![Page 33: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/33.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32
, β25 = β72
`0 6= `, ( D`0
) = 1, α` = αk`0
β`2 = βk′`0
901901901
901351
351 2215221525012501
2872287215821582701701
318831883188 2970 1478 33283188 2970 1478 3328 3508 2464 2976 25663508 2464 2976 2566 334118682434676 334118682434676 3147225511803144 3147222511803144
2. Enumerate surface using the action of α`0
901
9
2−→ 1582 2−→ 2501 2−→ 351
9
2−→ 701
9
2−→ 2872 2−→ 2215 2−→
lineslineslines
22 / 34
![Page 34: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/34.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32
, β25 = β72
`0 6= `, ( D`0
) = 1, α` = αk`0
β`2 = βk′`0
901901901
901
351
351 2215
221525012501
2872287215821582701701
318831883188 2970 1478 33283188 2970 1478 3328 3508 2464 2976 25663508 2464 2976 2566 334118682434676 334118682434676 3147225511803144 3147222511803144
2. Enumerate surface using the action of α`0
901
9
2−→ 1582 2−→ 2501 2−→ 351
9
2−→ 701
9
2−→ 2872 2−→ 2215 2−→
lineslineslines
22 / 34
![Page 35: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/35.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32
, β25 = β72
`0 6= `, ( D`0
) = 1, α` = αk`0
β`2 = βk′`0
901901901
901
351
351
2215
22152501
2501
2872287215821582701701
318831883188 2970 1478 33283188 2970 1478 3328 3508 2464 2976 25663508 2464 2976 2566 334118682434676 334118682434676 3147225511803144 3147222511803144
2. Enumerate surface using the action of α`0
901
9
2−→ 1582 2−→ 2501 2−→ 351
9
2−→ 701
9
2−→ 2872 2−→ 2215 2−→
lineslineslines
22 / 34
![Page 36: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/36.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32
, β25 = β72
`0 6= `, ( D`0
) = 1, α` = αk`0
β`2 = βk′`0
901901901
901
351
351
2215
2215
2501
2501
2872
287215821582701701
318831883188 2970 1478 33283188 2970 1478 3328 3508 2464 2976 25663508 2464 2976 2566 334118682434676 334118682434676 3147225511803144 3147222511803144
2. Enumerate surface using the action of α`0
901
9
2−→ 1582 2−→ 2501 2−→ 351
9
2−→ 701
9
2−→ 2872 2−→ 2215 2−→
lineslineslines
22 / 34
![Page 37: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/37.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32
, β25 = β72
`0 6= `, ( D`0
) = 1, α` = αk`0
β`2 = βk′`0
901901901
901
351
351
2215
2215
2501
2501
2872
28721582
1582701701
318831883188 2970 1478 33283188 2970 1478 3328 3508 2464 2976 25663508 2464 2976 2566 334118682434676 334118682434676 3147225511803144 3147222511803144
2. Enumerate surface using the action of α`0
901
9
2−→ 1582 2−→ 2501 2−→ 351
9
2−→ 701
9
2−→ 2872 2−→ 2215 2−→
lineslineslines
22 / 34
![Page 38: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/38.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32
, β25 = β72
`0 6= `, ( D`0
) = 1, α` = αk`0
β`2 = βk′`0
901901901
901
351
351
2215
2215
2501
2501
2872
2872
1582
1582701
701
318831883188 2970 1478 33283188 2970 1478 3328 3508 2464 2976 25663508 2464 2976 2566 334118682434676 334118682434676 3147225511803144 3147222511803144
2. Enumerate surface using the action of α`0
901
9
2−→ 1582 2−→ 2501 2−→ 351
9
2−→ 701
9
2−→ 2872 2−→ 2215 2−→
lineslineslines
22 / 34
![Page 39: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/39.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32
, β25 = β72
`0 6= `, ( D`0
) = 1, α` = αk`0
β`2 = βk′`0
901901901
901
351
351
2215
2215
2501
2501
2872
2872
1582
1582
701
701
318831883188 2970 1478 33283188 2970 1478 3328 3508 2464 2976 25663508 2464 2976 2566 334118682434676 334118682434676 3147225511803144 3147222511803144
3. Descend to the floor using Velu’s formula
blanklineslineslines
22 / 34
![Page 40: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/40.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32
, β25 = β72
`0 6= `, ( D`0
) = 1, α` = αk`0
β`2 = βk′`0
901901901
901
351
351
2215
2215
2501
2501
2872
2872
1582
1582
701
701
3188
31883188 2970 1478 33283188 2970 1478 3328 3508 2464 2976 25663508 2464 2976 2566 334118682434676 334118682434676 3147225511803144 3147222511803144
3. Descend to the floor using Velu’s formula: 901 5−→ 3188
blanklineslineslines
22 / 34
![Page 41: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/41.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32
, β25 = β72
`0 6= `, ( D`0
) = 1, α` = αk`0
β`2 = βk′`0
901901901
901
351
351
2215
2215
2501
2501
2872
2872
1582
1582
701
701
3188
3188
3188 2970 1478 33283188 2970 1478 3328 3508 2464 2976 25663508 2464 2976 2566 334118682434676 334118682434676 3147225511803144 3147222511803144
4. Enumerate floor using the action of β`0
blanklineslineslines
22 / 34
![Page 42: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/42.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32, β25 = β7
2 `0 6= `, ( D`0
) = 1, α` = αk`0, β`2 = βk′
`0
901901901
901
351
351
2215
2215
2501
2501
2872
2872
1582
1582
701
701
3188
3188
3188 2970 1478 33283188 2970 1478 3328 3508 2464 2976 25663508 2464 2976 2566 334118682434676 334118682434676 3147225511803144 3147222511803144
4. Enumerate floor using the action of β`0
3188 2−→ 945
9
2−→ 3144 2−→ 3508 2−→ 2843 2−→ 1502 2−→ 676
9
2−→2970 2−→ 3497 2−→ 1180 2−→ 2464 2−→ 4221 2−→ 4228 2−→ 2434 2−→1478 2−→ 3244 2−→ 2255 2−→ 2976 2−→ 3345 2−→ 1064 2−→ 1868 2−→3328 2−→ 291
9
2−→ 3147 2−→ 2566 2−→ 4397 2−→ 2087 2−→ 3341 2−→
22 / 34
![Page 43: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/43.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32, β25 = β7
2 `0 6= `, ( D`0
) = 1, α` = αk`0, β`2 = βk′
`0
901901901
901
351
351
2215
2215
2501
2501
2872
2872
1582
1582
701
701
31883188
3188 2970 1478 3328
3188 2970 1478 3328 3508 2464 2976 25663508 2464 2976 2566 334118682434676 334118682434676 3147225511803144 3147222511803144
4. Enumerate floor using the action of β`0
3188 2−→ 945
9
2−→ 3144 2−→ 3508 2−→ 2843 2−→ 1502 2−→ 676
9
2−→2970 2−→ 3497 2−→ 1180 2−→ 2464 2−→ 4221 2−→ 4228 2−→ 2434 2−→1478 2−→ 3244 2−→ 2255 2−→ 2976 2−→ 3345 2−→ 1064 2−→ 1868 2−→3328 2−→ 291
9
2−→ 3147 2−→ 2566 2−→ 4397 2−→ 2087 2−→ 3341 2−→
22 / 34
![Page 44: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/44.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32, β25 = β7
2 `0 6= `, ( D`0
) = 1, α` = αk`0, β`2 = βk′
`0
901901901
901
351
351
2215
2215
2501
2501
2872
2872
1582
1582
701
701
318831883188 2970 1478 3328
3188 2970 1478 3328 3508 2464 2976 2566
3508 2464 2976 2566 334118682434676 334118682434676 3147225511803144 3147222511803144
4. Enumerate floor using the action of β`0
3188 2−→ 945
9
2−→ 3144 2−→ 3508 2−→ 2843 2−→ 1502 2−→ 676
9
2−→2970 2−→ 3497 2−→ 1180 2−→ 2464 2−→ 4221 2−→ 4228 2−→ 2434 2−→1478 2−→ 3244 2−→ 2255 2−→ 2976 2−→ 3345 2−→ 1064 2−→ 1868 2−→3328 2−→ 291
9
2−→ 3147 2−→ 2566 2−→ 4397 2−→ 2087 2−→ 3341 2−→
22 / 34
![Page 45: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/45.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32, β25 = β7
2 `0 6= `, ( D`0
) = 1, α` = αk`0, β`2 = βk′
`0
901901901
901
351
351
2215
2215
2501
2501
2872
2872
1582
1582
701
701
318831883188 2970 1478 3328
3188 2970 1478 3328
3508 2464 2976 2566
3508 2464 2976 2566 334118682434676
334118682434676 3147225511803144 3147222511803144
4. Enumerate floor using the action of β`0
3188 2−→ 945
9
2−→ 3144 2−→ 3508 2−→ 2843 2−→ 1502 2−→ 676
9
2−→2970 2−→ 3497 2−→ 1180 2−→ 2464 2−→ 4221 2−→ 4228 2−→ 2434 2−→1478 2−→ 3244 2−→ 2255 2−→ 2976 2−→ 3345 2−→ 1064 2−→ 1868 2−→3328 2−→ 291
9
2−→ 3147 2−→ 2566 2−→ 4397 2−→ 2087 2−→ 3341 2−→
22 / 34
![Page 46: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/46.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32, β25 = β7
2 `0 6= `, ( D`0
) = 1, α` = αk`0, β`2 = βk′
`0
901901901
901
351
351
2215
2215
2501
2501
2872
2872
1582
1582
701
701
318831883188 2970 1478 3328
3188 2970 1478 3328
3508 2464 2976 2566
3508 2464 2976 2566
334118682434676
334118682434676 3147225511803144
3147222511803144
4. Enumerate floor using the action of β`0
3188 2−→ 945
9
2−→ 3144 2−→ 3508 2−→ 2843 2−→ 1502 2−→ 676
9
2−→2970 2−→ 3497 2−→ 1180 2−→ 2464 2−→ 4221 2−→ 4228 2−→ 2434 2−→1478 2−→ 3244 2−→ 2255 2−→ 2976 2−→ 3345 2−→ 1064 2−→ 1868 2−→3328 2−→ 291
9
2−→ 3147 2−→ 2566 2−→ 4397 2−→ 2087 2−→ 3341 2−→
22 / 34
![Page 47: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/47.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32, β25 = β7
2 `0 6= `, ( D`0
) = 1, α` = αk`0, β`2 = βk′
`0
901901901
901
351
351
2215
2215
2501
2501
2872
2872
1582
1582
701
701
318831883188 2970 1478 3328
3188 2970 1478 3328
3508 2464 2976 2566
3508 2464 2976 2566
334118682434676
334118682434676
3147225511803144
3147222511803144
4. Enumerate floor using the action of β`0
3188 2−→ 945
9
2−→ 3144 2−→ 3508 2−→ 2843 2−→ 1502 2−→ 676
9
2−→2970 2−→ 3497 2−→ 1180 2−→ 2464 2−→ 4221 2−→ 4228 2−→ 2434 2−→1478 2−→ 3244 2−→ 2255 2−→ 2976 2−→ 3345 2−→ 1064 2−→ 1868 2−→3328 2−→ 291
9
2−→ 3147 2−→ 2566 2−→ 4397 2−→ 2087 2−→ 3341 2−→
22 / 34
![Page 48: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/48.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32, β25 = β7
2 `0 6= `, ( D`0
) = 1, α` = αk`0, β`2 = βk′
`0
901901901
901
351
351
2215
2215
2501
2501
2872
2872
1582
1582
701
701
318831883188 2970 1478 3328
3188 2970 1478 3328
3508 2464 2976 2566
3508 2464 2976 2566
334118682434676
334118682434676
3147225511803144
3147222511803144
4. Enumerate floor using the action of β`0
3188 2−→ 945
9
2−→ 3144 2−→ 3508 2−→ 2843 2−→ 1502 2−→ 676
9
2−→2970 2−→ 3497 2−→ 1180 2−→ 2464 2−→ 4221 2−→ 4228 2−→ 2434 2−→1478 2−→ 3244 2−→ 2255 2−→ 2976 2−→ 3345 2−→ 1064 2−→ 1868 2−→3328 2−→ 291
9
2−→ 3147 2−→ 2566 2−→ 4397 2−→ 2087 2−→ 3341 2−→
22 / 34
![Page 49: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/49.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32, β25 = β7
2 `0 6= `, ( D`0
) = 1, α` = αk`0, β`2 = βk′
`0
901901901
901
351
351
2215
2215
2501
2501
2872
2872
1582
1582
701
701
318831883188 2970 1478 3328
3188 2970 1478 3328
3508 2464 2976 2566
3508 2464 2976 2566
334118682434676
334118682434676
3147225511803144
3147222511803144
4. Enumerate floor using the action of β`0
3188 2−→ 945
9
2−→ 3144 2−→ 3508 2−→ 2843 2−→ 1502 2−→ 676
9
2−→2970 2−→ 3497 2−→ 1180 2−→ 2464 2−→ 4221 2−→ 4228 2−→ 2434 2−→1478 2−→ 3244 2−→ 2255 2−→ 2976 2−→ 3345 2−→ 1064 2−→ 1868 2−→3328 2−→ 291
9
2−→ 3147 2−→ 2566 2−→ 4397 2−→ 2087 2−→ 3341 2−→
22 / 34
![Page 50: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/50.jpg)
Mapping a volcano
Example General requirements` = 5, p = 4451, D = −151 4p = t2 − v2`2D, p ≡ 1 mod `t = 52, v = 2, h(D) = 7 ` - v, ( D
`) = 1, h(D) ≥ `+ 2
`0 = 2, α5 = α32, β25 = β7
2 `0 6= `, ( D`0
) = 1, α` = αk`0, β`2 = βk′
`0
901901901
901
351
351
2215
2215
2501
2501
2872
2872
1582
1582
701
701
318831883188 2970 1478 3328
3188 2970 1478 3328
3508 2464 2976 2566
3508 2464 2976 2566
334118682434676
334118682434676
3147225511803144
3147222511803144
fourblanklineslineslines
22 / 34
![Page 51: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/51.jpg)
Interpolating Φ` mod p
901901351 2215
2501
28721582701
3188 2970 1478 3328 3508 2464 2976 2566 334118682434676 3147222511803144
Φ5(X,
9
901) = (X −
9
701)(X −
9
351)(X − 3188)(X − 2970)(X − 1478)(X − 3328)
X6
Φ5(X,
9
351) = (X −
9
901)(X − 2215)(X − 3508)(X − 2464)(X − 2976)(X − 2566)
X6
Φ5(X, 2215) = (X −
9
351)(X − 2501)(X − 3341)(X − 1868)(X − 2434)(X −
9
676)
X6
Φ5(X, 2501) = (X − 2215)(X − 2872)(X − 3147)(X − 2255)(X − 1180)(X − 3144)
X6
Φ5(X, 2872) = (X − 2501)(X − 1582)(X − 1502)(X − 4228)(X − 1064)(X − 2087)
X6
Φ5(X, 1582) = (X − 2872)(X −
9
701)(X −
9
945)(X − 3497)(X − 3244)(X −
9
291)
X6
Φ5(X,
9
701) = (X − 1582)(X −
9
901)(X − 2843)(X − 4221)(X − 3345)(X − 4397)
X6
23 / 34
![Page 52: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/52.jpg)
Interpolating Φ` mod p
901901351 2215
2501
28721582701
3188 2970 1478 3328 3508 2464 2976 2566 334118682434676 3147222511803144
Φ5(X,
9
901) = X6 + 1337X5 +
9
543X4 +
9
497X3 + 4391X2 + 3144X + 3262Φ5(X,
9
351) = X6 + 3174X5 + 1789X4 + 3373X3 + 3972X2 + 2932X + 4019Φ5(X, 2215) = X6 + 2182X5 +
9
512X4 +
9
435X3 + 2844X2 + 2084X + 2709Φ5(X, 2501) = X6 + 2991X5 + 3075X5 + 3918X3 + 2241X2 + 3755X + 1157Φ5(X, 2872) = X6 +
9
389X5 + 3292X4 + 3909X3 +
9
161X2 + 1003X + 2091Φ5(X, 1582) = X6 + 1803X5 +
9
794X4 + 3584X3 +
9
225X2 + 1530X + 1975Φ5(X,
9
701) = X6 +
9
515X5 + 1419X4 +
9
941X3 + 4145X2 + 2722X + 2754
23 / 34
![Page 53: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/53.jpg)
Interpolating Φ` mod p
901901351 2215
2501
28721582701
3188 2970 1478 3328 3508 2464 2976 2566 334118682434676 3147222511803144
Φ5(X,Y) = X6 + (4450Y5 + 3720Y4 + 2433Y3 + 3499Y2 +
99
70Y + 3927)X5
X6
(3720Y5 + 3683Y4 + 2348Y3 + 2808Y2 + 3745Y +
9
233)X4
X6
(2433Y5 + 2348Y4 + 2028Y3 + 2025Y2 + 4006Y + 2211)X3
X6
(3499Y5 + 2808Y4 + 2025Y3 + 4378Y2 + 3886Y + 2050)X2
X6
(
99
70Y5 + 3745Y4 + 4006Y3 + 3886Y2 +
9
905Y + 2091)X
X6
(Y6 + 3927Y5 +
9
233Y4 + 2211Y3 + 2050Y2 + 2091Y + 2108)
X6
(Y6 + 3927Y5 +
9
233Y4 + 2211Y3 + 2050Y2 + 2091Y + 2108)
X6
23 / 34
![Page 54: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/54.jpg)
The Weber function
The Weber f-function is defined by
f(τ) =η((τ + 1)/2
)ζ48η(τ)
,
and satisfies (τ) = (f(τ)24 − 16)3/f(τ)24.
The coefficients of Φf` are roughly 72 times smaller.
This means we need 72 times fewer primes.
The polynomial Φf` is roughly 24 times sparser.
This means we need 24 times fewer interpolation points.
Overall, we get nearly a 1728-fold speedup using Φf`.
24 / 34
![Page 55: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/55.jpg)
Modular polynomials for ` = 11
Classical:
X12+ Y12 − X11Y11
+ 8184X11Y10 − 28278756X11Y9+ 53686822816X11Y8
− 61058988656490X11Y7+ 42570393135641712X11Y6 − 17899526272883039048X11Y5
+ 4297837238774928467520X11Y4 − 529134841844639613861795X11Y3+ 27209811658056645815522600X11Y2
− 374642006356701393515817612X11Y + 296470902355240575283200000X11
. . . 8 pages omitted . . .
+ 3924233450945276549086964624087200490995247233706746270899364206426701740619416867392454656000 . . . 000
Atkin:
X12 − X11Y + 744X11+ 196680X10
+ 187X9Y + 21354080X9+ 506X8Y + 830467440X8
− 11440X7Y + 16875327744X7 − 57442X6Y + 208564958976X6+ 184184X5Y + 1678582287360X5
+ 1675784X4Y + 9031525113600X4+ 1867712X3Y + 32349979904000X3 − 8252640X2Y + 74246810880000X2
− 19849600XY + 98997734400000X + Y2 − 8720000Y + 58411072000000
Weber:
X12 + Y12 − X11Y11 + 11X9Y9 − 44X7Y7 + 88X5Y5 − 88X3Y3 + 32XY
25 / 34
![Page 56: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/56.jpg)
Computational results
Level records
1. 10009: Φ`
2. 20011: Φ` mod q
3. 60013: Φf`
Speed records
1. 251: Φ` in 28s Φ` mod q in 4.8s (vs 688s)
2. 1009: Φ` in 2830s Φ` mod q in 265s (vs 107200s)
3. 1009: Φf` in 2.8s
Effective throughput when computing Φ1009 mod q is 100Mb/s.
Single core CPU times (AMD 3.0 GHz), using prime q ≈ 2256.
Polynomials Φf` for ` < 5000 available at http://math.mit.edu/˜drew.
26 / 34
![Page 57: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/57.jpg)
Computing φ`(Y) with the CRT (naıve approach)
Strategy: lift (E) from Fq to Z, compute Φ`(X,Y) mod p and evaluate
φ`(Y) = Φ`((E),Y) mod p
for sufficiently many primes p. Obtain φ` mod q via the explicit CRT.
Uses O(`2 log3+ε p) expected time for each p, and O(`2 log p) space.
However, “sufficiently many” is now O(`n), where n = log q.Total expected time is O(`3n log3+ε `), using O(`n + `2 log `) space.
This approach is not very useful:I If n is large (e.g. n ≈ `), it takes way too long (quartic in `).I It n is small (e.g. n ≈ log `), it doesn’t save any space.
27 / 34
![Page 58: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/58.jpg)
Computing φ`(Y) with the CRT (naıve approach)
Strategy: lift (E) from Fq to Z, compute Φ`(X,Y) mod p and evaluate
φ`(Y) = Φ`((E),Y) mod p
for sufficiently many primes p. Obtain φ` mod q via the explicit CRT.
Uses O(`2 log3+ε p) expected time for each p, and O(`2 log p) space.
However, “sufficiently many” is now O(`n), where n = log q.Total expected time is O(`3n log3+ε `), using O(`n + `2 log `) space.
This approach is not very useful:I If n is large (e.g. n ≈ `), it takes way too long (quartic in `).I It n is small (e.g. n ≈ log `), it doesn’t save any space.
27 / 34
![Page 59: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/59.jpg)
Computing φ`(Y) with the CRT (Algorithm 1)
Strategy: lift (E), (E)2, (E)3, . . . , (E)`+1 from Fq to Z and compute
φ`(Y) =∑
cik (E)iYk mod p
for sufficiently many primes p, where Φ` =∑
cikXiYk.Obtain φ` mod q via the explicit CRT.
Now “sufficiently many” is O(`+ n).
For n = O(` log `), uses O(`3 log3+ε `) expected timeand O(`2 log `) space (under GRH).For n = Ω(` log `), the space bound is optimal.
This algorithm can also evaluate the partial derivatives of Φ` neededto construct normalized equations for E (important for SEA).
28 / 34
![Page 60: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/60.jpg)
Computing φ`(Y) with the CRT (Algorithm 1)
Strategy: lift (E), (E)2, (E)3, . . . , (E)`+1 from Fq to Z and compute
φ`(Y) =∑
cik (E)iYk mod p
for sufficiently many primes p, where Φ` =∑
cikXiYk.Obtain φ` mod q via the explicit CRT.
Now “sufficiently many” is O(`+ n).
For n = O(` log `), uses O(`3 log3+ε `) expected timeand O(`2 log `) space (under GRH).For n = Ω(` log `), the space bound is optimal.
This algorithm can also evaluate the partial derivatives of Φ` neededto construct normalized equations for E (important for SEA).
28 / 34
![Page 61: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/61.jpg)
Computing φ`(Y) with the CRT (Algorithm 2)
Strategy: lift (E) from Fq to Z and for sufficiently many primes pcompute φ` mod p as follows:
1. For each of `+ 2 -invariants yi, compute zi =∏
k((E)− jk),where the jk range over `+ 1 neighbors of yi in G`(Fp).
2. Interpolate φ`(Y) ∈ Fp as the unique polynomial of degree `+ 1for which φ`(yi) = zi.
Obtain φ` mod q via the explicit CRT.
For n = O(`c), uses O(`3(n + log `) log1+ε `) expected timeand O(`n + ` log `) space (under GRH).
For n = O(log2−ε q) the algorithm is faster than computing Φ`.For n = Ω(log `) the space bound is optimal.
If n is Ω(log2 `) and O(` log `), one can use a hybrid approach.This yields an optimal space bound for all q > `.
29 / 34
![Page 62: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/62.jpg)
Computing φ`(Y) with the CRT (Algorithm 2)
Strategy: lift (E) from Fq to Z and for sufficiently many primes pcompute φ` mod p as follows:
1. For each of `+ 2 -invariants yi, compute zi =∏
k((E)− jk),where the jk range over `+ 1 neighbors of yi in G`(Fp).
2. Interpolate φ`(Y) ∈ Fp as the unique polynomial of degree `+ 1for which φ`(yi) = zi.
Obtain φ` mod q via the explicit CRT.
For n = O(`c), uses O(`3(n + log `) log1+ε `) expected timeand O(`n + ` log `) space (under GRH).
For n = O(log2−ε q) the algorithm is faster than computing Φ`.For n = Ω(log `) the space bound is optimal.
If n is Ω(log2 `) and O(` log `), one can use a hybrid approach.This yields an optimal space bound for all q > `.
29 / 34
![Page 63: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/63.jpg)
Genus 1 point counting in large characteristic
Algorithms to compute #E(Fq) = q + 1− t.
Algorithm Time Space
Totally naive O(e2n+ε) O(n)Slightly less naive O(en+ε) O(n)Baby-step giant-step O(en/4+ε) O(en/4+ε)Pollard kangaroo O(en/4+ε) O(n2)Schoof O(n5 llog n) O(n3)
SEA∗ O(n4 log3 n llog n) O(n3 log n)SEA (Φ` precomputed) O(n4 llog n) O(n4)
SEA with Algorithm 1 O(n4 log2 n llog n) O(n2 log n)Amortized O(n4 llog n) O(n2 log n)
∗Complexity estimates for SEA-based algorithms are heuristic expected times.30 / 34
![Page 64: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/64.jpg)
Genus 1 point counting in large characteristic
Algorithms to compute #E(Fq) = q + 1− t.
Algorithm Time Space
Totally naive O(e2n+ε) O(n)Slightly less naive O(en+ε) O(n)Baby-step giant-step O(en/4+ε) O(en/4+ε)Pollard kangaroo O(en/4+ε) O(n2)Schoof O(n5 llog n) O(n3)
SEA∗ O(n4 log3 n llog n) O(n3 log n)SEA (Φ` precomputed) O(n4 llog n) O(n4)
SEA with Algorithm 1 O(n4 log2 n llog n) O(n2 log n)Amortized O(n4 llog n) O(n2 log n)
∗Complexity estimates for SEA-based algorithms are heuristic expected times.30 / 34
![Page 65: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/65.jpg)
Elliptic curve point-counting record
The number of points on the elliptic curve E defined by
y2 = x3 + 2718281828x + 3141592653,
modulo the 5011 digit prime q = 16219299585 · 216612 − 1 is
8323769891444946600619018491391378260069836370604500159309667928183741136740938227669912830997846627009617004020582940190774831705166648378125548174433501622236054400053883949202245191148598673381916600955085921652538526785284252424097879654450042795873424585910365069362326006585495567690584276040421110290806662321358856620706610396707595803419181094300641608406907483630190371031699788941805567263670144002967819837985135622693714012764272092867022540471740784700901798590441199208750379215971112344019653309999668029194772178482699210001668960742884085944350942098735441112464897682811881029409157742761498481361823613398307630269299941813854855214010577801252598907240564188955333987243324279357096770029086016947382059730330051806950506583258753330867074804800846369839004271346457865324407167865202282210199065495326810929978854624298288481916297348239030843306705546043295502481730932870433180532793495744878882506348393787807087351238867988051327037590331790801872453585872437467694874112726738073095037665888862659824866162979710551480066332118269833639587932989704356263549436446848603965666427837093575009979091922302413453716095887661432089373163729653025768255602712754566610542223232815622048111888283590483215892528728153087049654418794163034575764891117186500373809179386465716056073958857886659984917838400020437572986666397067817373843456657959297914239933377113677822538016636015241053779745447935639933068437226703067711612870475974728874060256153829424355309461429412863767016010448708725782340275978368434887328902748704620332776144279810260429883073285589599324633304714799454649284242674253031456570427212647114749626733565213374345500028792023241372392282583915035127429507360347735858922343130927780773465726085617792679251930303901806198152773080257003776361130528801147302363823348520265804075377873270137482894511973046679428777685534275306203922096387437778405610945156936507440996084119730814303901482626498520813641540064044431078342859539882090926223504237272408488115432700226947839711625212061713336002272556065579316884991097867376849796331576452708469259023115974151222787610622866769067522066036835295821168236918513059172724626618829733555769988656469584293610818091626921818662703380667041026811998131268436795000766254728604090647491868154452743670675868434070554634021891358398165724885432541336551115909636456700693477449865260368511045411205847035453060636486512589217930914523201112950463798415869418991750541041378713105362188790883183727300546588120061627174480168248774745589818525177228021451045150114779535554987684535229998681835176117651014768576344140108558104150453207370935052150913863261504324212007549804732358464553488560987919468961144855825465612614456411458521607747389949586595126074306085812134617236309956765621860727156856482046150112012015113007122286669299590274282107690933890300810525603558710045399536727403969324912420806389527152955993943311641026894824263736268535534370585102219836177805656167035861860036286963374250257588182644200835242804131190172272014414549659547457165879852600232647304991195644305287939827885207654988125751221239741075244973427819843776465089557666171337403497596850461399835327434541250151698094846056890996956914938171459951869000669270969498525993914751206760782244790625122626848753012733495289200641795967184561011226439252930596090031649974277634943933178938510726596259437826466293379162132564825895692129029330256714749154770003140032780641102586358889574523411175821853412004266108458134154747384432584651586199896849475842009365338952535884111160271960868999014742012591971478237292524813948600029227796125549029381598957721574805007478966997024108691274018357785171489306377152166096191664750803979956621679571978953552211724552632230710653244433669331067442040140391602456581858747401436772403284080454895800825555079522458369190254711040601200028499012649426967495115480636409733058979879385173976155641587413347889866287021950635203417893709652546248256133417835452925731715740688561063321641057055461825084563212070367457331486354681841758049252732599116595430817436406080011315918900828645131242470137313661372714961047058097433021586751093908895745441684195336715770412686321350796787391486224738612016911715739107481092463845433183146882764205897555692474146749724490484592370638492569933497005028781048032734897097622833295643389100786217086915770725300529087910723550751401318787576647364571766938618440620554990814181207394577639163458834949267687793194747139050054400221521434458599314044867381063285572380923329713520153405615749711252696047443494747652497316648062057666953271152425843341789770616064557079435236406353029020560141015314103419765029534921177065625577774688408769857858804251711896591035794406728856602939161842221528770720582112364327715631856765897848302241231421628544594675301323023661942160414993178396196877455996341128827795369279474773827993735868297936899429512496912028871093270632846246774367220129816851945807778140092913366453585259624246494437340122223955248
31 / 34
![Page 66: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/66.jpg)
Elliptic curve point counting record
Task Total CPU Time
Compute φf` 32 daysFind a root 995 daysCompute g` 3 daysCompute π mod g`,E 326 daysFind λ` 22 days
φf`(Y) = Φf`((E),Y) was computed for ` from 5 to 11681.
Exactly 700 of 1400 were found to be Elkies primes.Atkin primes were not used.
The largest φf` was under 20MB in size and took abouttwo hours to compute using 1 core.
32 / 34
![Page 67: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/67.jpg)
Modular polynomial evaluation record
For ` = 100019 and q = 286243 − 1 we computed φf`(Y) = Φf`((E),Y).
This is much larger than one would need to set a 25,000 digitpoint-counting record.
The size of φf` is about 1 GB.
For comparison:
I The size of Φf` mod q is about 2 TB.
I The size of Φ` mod q is about 50 TB.
I The size of Φ` is more than 10 PB.
33 / 34
![Page 68: Andrew V. Sutherlanddrew/ECC2012.pdfAsymptotically, its size is O(‘3 log‘) bits. ‘ coefficients largest average total 127 8258 7.5kb 5.3kb 5.5MB 251 31880 16kb 12kb 48MB 503](https://reader036.vdocuments.us/reader036/viewer/2022071500/611fa75acbdd3804e567136b/html5/thumbnails/68.jpg)
Improved space complexity of computinghorizontal isogenies
The algorithm of [Bisson-S 2011] for computing the endomorphismring of an elliptic curve E/Fq runs in L[1/2,
√3/2] expected time and
uses L[1/2, 1/√
3] space (under GRH).
The space complexity can now be improved to L[1/2, 1/√
12].
A similar improvement applies to algorithms for computing horizontalisogenies of large degree [Jao-Soukharev 2010].
34 / 34