Counting points on elliptic curves over finite fields

(1)

J

OURNAL DE

T

HÉORIE DES

N

OMBRES DE

B

ORDEAUX

R

ENÉ

S

CHOOF

Counting points on elliptic curves over finite fields

Journal de Théorie des Nombres de Bordeaux, tome

7, n

o

_{1 (1995),}

p. 219-254

<http://www.numdam.org/item?id=JTNB_1995__7_1_219_0>

L’accès aux archives de la revue « Journal de Théorie des Nombres de Bordeaux » (http://jtnb.cedram.org/) implique l’accord avec les condi-tions générales d’utilisation (http://www.numdam.org/conditions). Toute uti-lisation commerciale ou impression systématique est constitutive d’une infraction pénale. Toute copie ou impression de ce fichier doit conte-nir la présente mention de copyright.

Article numérisé dans le cadre du programme Numérisation de documents anciens mathématiques

(2)

Counting

points

on

elliptic

curves over

finite

fields

par

RENÉ

SCHOOF

ABSTRACT. -We describe three _algorithmsto count the number of _points

on an _ellipticcurve over a finite field. The first one is very practical when the finite field is not too _large;it is based on Shanks’s _{baby-step-giant-step}

strategy. The second _algorithmis very efficient when the endomorphism

ring of the curve is known. It _exploitsthe natural lattice structure of this

ring. The third _algorithmis based on calculations with the torsion _points

of the _ellipticcurve

[18].

This deterministic polynomial time algorithm was

impractical in its _originalform. We discuss several practical improvements by Atkin and Elkies.

1. Introduction.

Let _pbe a

_large

_prime

and let E be an

_elliptic

curve over

_Fp

_given

_by

a

WeierstraB

_equation

for some

A,

B E

_Fp.

Since the curve is not

_singular

we have that

4A3

+

2782 ~

0

_{(mod p~ .}

We describe several methods to count the rational

points

on

_E,

_i.e.,

methods to determine the number of

_points

_{{x, y)}

on E

with _{x, y}E

_Fp.

Most of what we _say

_applies

to

_elliptic

curves over _any

finite base field. An

_exception

is the

_algorithm

in section 8.

In _{this paper}we

_merely

_report

on work

by

others;

these results have not

been and will not be

_{published by}

the authors themselves. We discuss an

algorithm

due to J.-F.

_Mestre,

an

_exposition

of Cornacchia’s

_algorithm

due

to H.W. Lenstra and recent work

_by

A.O.L. Atkin and N.D. Elkies. Let

_.E{Fp)

denote the set of rational

_points

_{of E. It is easy}to see that

the number of

_points

in

_E(Fp)

with

_given

X-coordinate x E

_Fp

is

_{0, 1}

or 2. More

_precisely,

there are

(3)

rational

_points

on E with X-coordinate

_equal

to x. Here

p

denotes the

quadratic

residue

_{symbol. Including}

the

_point

at

_infinity,

the set of rational

points

E(Fp)

of E therefore has

_cardinality

This

_implies

that

_evaluating

the sum

is the same

_problem

as

_computing

#E(Fp) .

For very small

primes

(p

200

_say)

a

straightforward

evaluation of this

sum is an efficient _wayto

_compute

_{~E (Fp) .}

In

_practice

it is convenient to

make first a table of _squaresmodulo p and then count how often is a _{square for x}=

0, 1,

... , p -- 1. The

running

time of this

algorithm

is

for _{every c}> 0.

For

_larger

_p,there are better

_algorithms.

In section 2 we discuss an

al-gorithm

based on Shanks’s

baby-step-giant-step

_strategy.

Its

running

time

is _{for every c}> 0. This

_algorithm

is

_practical

for somewhat

larger

primes;

it becomes

_impractical

when _phas more

than,

_{say, 20}

dec-imal

_digits.

In section 3 we

explain

a clever trick due to J.-F.Mestre

_[6,

Alg.7.4.12]

which

_simplifies

_{certain group theoretical}

_computations

in the

baby-step-giant-step algorithm.

This version has been

implemented

in the PARI

_computer

_algebra

_package

_[4].

In section 4 we discuss an

algorithm

to count the number of

_points

on an

_elliptic

curve E over

Fp,

when the

endomorphism ring

of .E is known.

It is based on the usual reduction

_algorithm

for lattices in

R,2.

We dis-cuss Cornacchia’s related

_algorithm

[7]

and H.W. Lenstra’s

proof

[15]

of its correctness.

In section 5 we discuss a deterministic

_polynomial

time

_algorithm

to

count the number of

_points

on an

elliptic

curve over a finite field

[18].

It

is based on calculations with torsion

points.

The

_running

time is

_{O (log8p),}

but the

_algorithm

is _{not very}efficient in

_practice.

In sections

_6,

7 and 8 we

explain practical improvements by

A.O.L. Atkin

_{[1, 2]}

and N.D. Elkies

_[l0].

These enabled Atkin in 1992 to

_compute

the number of

_points

on the curve

(4)

modulo the the smallest 200

_digit

prime:

The result is

The curve is "random" in the sense that it was

inspired by

the address

of the INRIA institute: Domaine de Voluceau -

_{Rocquencourt,}

B.P.

_105,

78153 Le

_Chesnay

cedex. See the papers

by

Morain and

_Couveignes

_[8,17]

and

_by

Lehmann et ale

_[13]

for even

_larger

_examples.

There are several unsolved

computational

_{problems concerning elliptic}

curves over finite fields. There

_is,

for

_instance,

no efficient

_algorithm

known to find the Weierstrafl

_equation

of an

_elliptic

curve over

_Fp

with a

_given

number of rational

_points.

The

_problem

of

_{efficiently computing}

the

struc-ture _{of the group of}

_points

over a finite

field,

_or,more

_generally,

the

_problem

of

_determining

the

_endomorphism

_ring

of a

given

elliptic

curve, is also very

interesting.

Finally,

Elkies’s

_{improvement, explained}

in sections 7 and

_8,

_{applies only}

to half the

_primes

1: those for which the Frobenius

_endomorphism

_acting

on

the 1-torsion

_points,

has its

_eigenvalues

in

Fi.

It _{would be very}

_interesting

to extend his ideas to the

_remaining

I.

Recently

the methods of section 8 have been extended

by

J.-M.

Cou-veignes

[9]

to

_large

finite fields of small

_{characteristic,}

in

_particular

to

_large

finite fields of characteristic 2. This

_problem

first came _upin

cryptogra-phy

[16].

Couveignes

exploits

the formal group associated to the

_elliptic

curve.

I would like to thank J.-M.

_Couveignes,

D. Kohel and H.W. Lenstra for their comments on earlier versions of this _paper.

(5)

2.

_Baby

_steps

and

_giant

_steps.

In this section we

explain

the

baby-step-giant-step algorithm

to

_compute

the number of

_points

on an

_elliptic

curve E over

_Fp

_given

by

Y2

=

X3

₊ AX + B. The most

_important

_ingredient

is the fact that the set of

_points

forms an additive group with the well-known chord and

_tangent

method:

Fig.l. The _grouplaw.

The

_point

at

_infinity

_{(0 :}

1 :

₀₎

is the neutral _{element of this group. The}

opposite

of a

_point

P = is the

point

It is

very easy

to derive

_explicit

formulas for the addition of

points:

if P =

(Xl,

Yl)

and

~ _

(X2, y2)

are two

_points

with

_{Q :1= - P,}

then their sum is

(X3,

Y3)

where

Here A is the

_slope

of the line

_through

P and

Q.

We have A =

(y2

-yl)/(x2 - XI) if

P

_{,- Q}

and A =

(3x

₊

A) /2yi

otherwise.

The

_following

_result,

the

_analogue

of the Riemann

_{Hypothesis, gives}

an

(6)

Theorem 2.1.

_(H.

_Hasse,

₁₉₃₃₎

Let _pbe a

prime

and Iet E be an

_elliptic

curve over

_Fp.

Then

Proof. See

_[21].

The _groups

_E(Fp)

"tend" to

_{be cyclic.}

Not

_only

can

they

be

generated

by

at most two

_points,

but for any

prime l,

the

_proportion

of curves E over

Fp

with the

_I-part

of

_E~Fp~

not

_{cyclic does,}

_{roughly speaking,}

not exceed

1/~-1).

The idea of the

_algorithm

is to

_pick

a random

_point

P E

_E(Fp)

and to

_compute

an

_integer

m in the interval

(p

+ 1-

_{2qfi, p}

+ 1 +

_2vfP)

such that mP = 0. If m is the

only

such number in the

interval,

it follows from

Theorem 2.1 that m =

#E(Fp).

To

_pick

the

_point

P =

(x, y)

in

E~Fp)

_one

just

selects random values of

x until

X3

+ Ax + B is a _{square in}

_Fp.

Then

_compute

a _square

_{root y}

of

x3

+ Ax + B. See

_[20]

and

_{[6, Alg.1.5.11}

for efhcient

_practical

methods to

compute

square roots mod p.

The number m is

computed

by

means of the

so-called

baby-step-giant-step

strategy

due to D. Shanks

_[19];

_{[6, Alg.5.4.1].}

His method

proceeds

as follows. First make the

_baby

_steps:

make a list of the first

s x

_~

multiples

P, 2P, 3P, ... ,

sP of the

point

P. Note

that,

since the

inverse of a

_point

is obtained

by inverting

the

sign

of its

Y-coordinate,

one

actually

knows the coordinates of the 2s + 1

points:

0,

~P,

::l:2P,

... , ~sP.

_Q

=

(2s

₊

1)P

and

_compute,

using

the

binary expansion

of p+1,

the

_point

R =

(p+ I)P. Finally

make the

giant

steps:

by

repeatedly

adding

and

_subtracting

the

_{point Q}

_{compute R,}

R ±

_Q,

R ±

_{2C~, ... ,}

R ~

tQ.

Here t =

[2y’P/(2s

+

_1)],

which is

_{approximately}

_equal

to

_By

Theorem

2.1,

the

_point

R +

_iQ

_is,

for some

_integer

i =

0,

±1,

±2,... ,

~t

equal

to one of the

_points

in our list of

baby

_steps:

for this i one has that

Putting

m = _{p +}1 +

(2s

₊

I)i -- j,

_wehave mP = 0. This

_completes

the

description

of the

_algorithm.

It is

_important

that one can

_efficiently

search among the

_points

in the

list of

_baby

_steps;

one should sort this list or use some kind of hash

_coding.

It is not difhcult to see that the

_running

time of this

algorithm

is

(7)

for every - > 0. The

_algorithm

fails if there are two distinct

_integers

_m,

m’

in the interval

_(p

+ 1 ~- + 1 +

_2JP)

with mP =

m’P

= 0. This

rarely

happens

in

_practice.

If it

does,

then

_{(m - m’) P}

= ₀and _one

knows,

_in

fact,

the order d of P.

_Usually

it suffices to

_repeat

the

_algorithm

with a second

random

_point.

The fact

_that,

this

_time,

one knows that d divides

_#E(Fp)

usually

speeds

up the second

computation

considerably.

Very

rarely

the

_algorithm

is doomed to fail because there is for _every

point

P more than one m in the interval

(p

+ 1-

_2JP,p

+ 1 +

_2JP)

for which mP = 0. This

happens

when the

_exponent

of the group

E(Fp)

is very small.

Although writing

a _{program that}covers these rare

_exceptional

cases is somewhat

_painful,

these are not _veryserious

_problems;

one can

compute

independent

generators

for the group, ... etc. In the next section

we discuss Mestre’s

_elegant

trick to avoid these

_{complications.}

3. Mestre’s

_algorithm.

We

_explain

an idea of J.-F. Mestre to _{avoid the group theoretical}

com-plications

that were mentioned at the end of section 2. It

_employs

the

quadratic

twist of E. If the

_elliptic

curve E is

given

by

the

WeierstraB-equation y2

=

X3

₊AX ₊

B,

then the twisted _curveE’ is

_{given by}

gY2 -

X~

+ AX + B for some _{non-square g}E

_Fp.

The

_isomorphism

class of this curve does not

_depend

on the choice of _g.It is easy to see that

is a

_{WeierstraB-equation}

of the curve B’. It follows from the formula

_given

in the introduction that

_#E’(Fp)

_{+ #E(Fp)}

=

2 ~p +

1).

Therefore,

in order

to

_compute

one _mayas well

_compute

~E’~Fp).

It follows from Theorems 3.1 and 3.2 below that if has a _{very small}

_exponent,

then

the group of

points

on its

quadratic

twist

E’

does not. One can use this

observation as follows: if for a curve

_E,

the

_{baby-step-giant-step}

_strategy

has failed for a number of

_points

P because each time more than one value

of m was found for which mP =

0,

then

replace

E

by

its

quadratic

twist E’ and

_try

_{again. By}

the discussion at the end of section

_3,

it _{is very}

_likely

that this time the

_algorithm

will succeed.

Before

_formulating

Theorems 3.1 and 3.2 we introduce a few more

con-cepts :

the j -invariant

of an

elliptic

curve B which is

_{given by}

the

_equation

(8)

It is easy to see that E and its

quadratic

twist E’ have the same

_{j-invariants.}

For most

_{j-invariants j}

E

_Fp

there _{are, up}to

_isomorphism,

_precisely

two

elliptic

curves E over

_{Fp with j(E)}

=

j:

_{a curve}E and its

quadratic

twist. There are two well known

_{exceptions: j =}

0 _{when p ==}1

_(mod

₃₎

and

j

= 1728 when p = 1

_(mod

_4).

In the first case there are six curves and in

the second case there are four.

The

_morphisms

_{f :}

E - E _{that preserve the}

_point

at

_infinity

form the

_ring

_{End(E) ofF p-endomorphisms}

_of

E. It is

_isomorphic

to a

_complex

quadratic

order. If A E

_Zo

denotes the discriminant of the order we have

where 6 = ₂

or b = °

₂

_depending

on whether A is even or odd. An

elliptic

curve and its

_quadratic

twist have

_isomorphic

_{endomorphism rings.}

If _{p = 1}

_{(mod 3),}

the six curves

with j

= 0 all have their

endomorphism

ring

isomorphic

to

_Z[(l

+

--3~~2~

and

_{if p m 1 (mod}

_4),

the four curves E

with j

= 1728 all have

_End(E)

_isomorphic

to the

_ring

of Gaussian

_integers

ZM.

The Frobenius

_endomorphism

p E

End(.E)

is

the endomorphism

given

by

’

It satisfies the

_quadratic

relation

in the

_{endomorphism ring}

of ~E. Here t is an

_integer

which is related to the number of

_Fp-points

on E

_by

The group

E (F p )

is

_precisely

the kernel of the

_homomorphism

_{p - 1}

_acting

on the group of

_points

over an

algebraic

closure of

Fp.

Therefore the

exponent

of the group

E(Fp)

is

_(p

+ 1-

_{t) /n,}

where n is the

_{largest integer}

such

_E(Fp)

admits a

_subgroup

_isomorphic

to

_Z/nZ

x

_Z/nZ.

_{Equivalently,}

n is the

largest integer

for

which p

z 1

(mod n)

in

End(E).

Theorem 3.1.

_{~J.-F. Mestre)}

Let _p> 457 be a

_prime

and let E be an

elliptic

curve over

_Fp.

Then either E or its

_quadratic

twist E’ admits an

(9)

Proof. The

_endomorphism

_rings

of E and E‘ are both

_isomorphic

to the

same

_quadratic

order 0 of discriminant A.

_{Let p}

E ~ denote the Frobenius

endomorphism

of E. Let n be the

_largest

_integer

such

_{that p}

= 1

_{(mod n)}

in

_End(E)

and let N =

(p

₊1 -

t)/n

denote the

_exponent

of

E(Fp).

We have that

which

_implies

that n divides the index

_{[0 :}

Since

_{E~ :}

is

_equal

to the

_quotient

of the discriminants of the orders 0 and we see that

n2 divides

_{(tz -}

_4p)/A.

Similarly,

let m be the

largest

_integer

such that _-~p= 1

_(mod

_m)

in

End(E)

and let NI =

(p

₊1 +

t)/m

denote the

_exponent

of

E’(Fp).

Then

Therefore

m2

also divides

_{(t~ -}

_{4p)/ A.}

Since n divides

_{~p -1}

and m divides

p +

1,

we see that

gcd(n, m)

divides which divides 2.

Therefore ~ .

3 this

_implies

that

_(nrn~2

4 3

* If both

exponents

N and

M are less than we have that

and therefore

which

_implies

that _p 1362.

A

_{straightforward}

_case-by-case

calculation shows that the theorem also holds for the

_primes

p with 457 p 1362. This

completes

the

proof.

For _p= 457 the theorem is not valid: consider the _curve

given by

Its

_j-invariant

is 0 and the

_ring

of

_{endomorphisms}

is

_Z~b~,

where

_{6 = (1 +}

(10)

endomorphism

is

_{given by p}

= -17 + 246 which has trace -10. The _group of

_points

over

F457

has

cardinality

468 and since _{cp = 1 -}

6(3 -

4b),

it is

isomorphic

to

_{Z/78Z ? Z/6Z.}

The

_quadratic

twist

Y2

=

X3 -125

has Frobenius 17 - 246 = 1 +

8(2 -

36).

The group of rational

_points

has

cardinality

468 and is

_isomorphic

to

_{Z/56Z ? Z/8Z.}

_{Both groups have}an

exponent

not

_exceeding

_{4 457 N}

85.51023.

Note that the result mentioned in

_{[6, Prop.7.4.11]}

is not correct.

To make sure that the

baby-step-giant-step

algorithm

as

_{explained above,}

works for an

_elliptic

curve over

_E,

one does not

_really

need to find a rational

point

on E of order at least What one needs is a

_point

P as described

in the

_following

theorem.

Theorem 3.2. Let _p> 229 be a

_prime

and let E be an

_elliptic

curve over

Fp.

Then either E or its

quadratic

twist

E’

admits an

_Fp-rational

_point

P with the

_property

that the

_{only integer}

m E

_(p

+ 1-

_2VP,p

+ 1 + for which mP = 0 is the order of the group of

points.

Proof.

_By

the

_proof

of Mestre’s

_result,

the theorem is true for _p> 457. A

case-by-case

calculation shows that it is

_actually

true for p > 229.

For _p= 229 the theorem is _notvalid: consider the _curve

given by

Its

_ring

of

_{endomorphisms}

is

_again

_Z[b].

The Frobenius

_endomorphism

is

given

by cp

= -17 ₊126 which has trace -22.

Since p

= 1 +

6(-3

+

26)

the group of

points

over

F229

has

cardinality

252 and is

isomorphic

to

Z/42Z0153Z/6Z.

The

_quadratic

twist

y2

=

X 3 - 8

has Frobenius _{17 + 126}=

1 -

_{4(4 - 3~).}

_{The group of rational}

_points

has

_cardinality

208 and is

isomorphic

to

_Z/52ZOZ/4Z.

_Every

rational

_point

on the curve

y2 = X3-1

is killed

_by

the order of _{the group}

252,

but also

_by

252 - 42 = 210.

Every

rational

_point

on the twisted curve

y2

=

X~ -

8 is killed

by

both 208 and

by

260 = 208 ₊_52.

The interval

_(p

+ 1 -

_2Vp-,p

+ 1 +

_2JP)

contains the

_integers

_200,

_201,

... ,

259,

260.

Many

of the curves E for which Theorem 3.2.

fails,

have their

j-invariants

_equal

to 0 or 1728 and therefore their

endomorphism rings

are

isomorphic

to

_Z[(1

+

H)/2]

or

Z[il

_{respectively. However,}

if one knows

(11)

when _{p is}_very

_large.

This is a _{consequence of Theorem 4.1 of the}next

sec-tion. When one excludes the curves with

_j-invariant

_0,

then Theorem 3.1 is correct for p > 193 and Theorem 3.2 is correct for p > 53.

4. Cornacchia’s

_algorithm.

In this section we

_explain

how to count the number of

_points

on an

_elliptic

curve

_.E,

when the

endomorphism ring

of E is known. In this case there is an

extremely

efficient

practical

algorithm.

It forms the basis of the

_primality

test of Atkin and Morain

_[3].

As

_usual,

_pis a

_large

_prime

and E is an

_elliptic

curve over

_Fp

_given

_by

a

Weierstra13-equation

y2

=

X3

₊AX ₊B. Let A denote the discriminant of the

_{endomorphism ring}

_End(E)

of E. Recall that

_End(E)

is

_isomorphic

to a

_subring

of C:

where 6

2

or

2 _depending

on whether A is even or odd.

The Frobenius

_{endomorphism p}

E

_End(E)

satisfies = 0 where

t is an

_integer

_satisfying

t2

_4p.

It is related to

_#E(Fp)

_by

the formula

#E(Fp)

= _p₊1- t. If _pdivides

A,

then t = 0 and

#E(Fp)

= _p₊1. Therefore we assume from now on that p does not divide A. In order to

compute

#E(Fp),

it suffices to

_{compute cp}

E

_{End(E) ~}

_Z[6]

c C. First we

observe that _p= This shows that the

prime

_p

splits

in

End(E)

into a

product

of the two

_{principale prime}

ideals

_(cup)

and

_(IT)

of index p.

The idea of the

_algorithm

is to

_compute

a

_generator

of a

prime divisor p

of p in

Z[6].

If

~ ~

-3 or

_-4,

a

_generator

is

_unique

up to

sign

and hence we

_obtain

(or

its

conjugate)

and therefore _{t up}to

_sign.

This leaves

_only

two

_{possibilities}

for

_#E(Fp).

It is not difficult to decide which of the two

_possible

values is the correct one. One either

_picks

a random

point Q

E and checks whether

_(p

+ 1 ~

t)Q

= 0 _or_oneconsiders the action of _cpon the 3-torsion

_points.

When A = -3 or

_-4,

there are 6 and

4

_{possibilities respectively}

for the value of t. These cases can be handled

in a

_similar,

_{efficient way}

_{[14, p.112].}

To

_compute

a

_generator

of the

_prime

_{ideal p}

C

_Z[b]

we _first

_compute

a

square root b of A modulo p.

Replacing

b

by

p - b if necessary, we _may

(12)

prime

ideal of index _p.It divides p.

Since p

is

principal,

the fractional ideal

is

_equal

to an ideal of the form

(Z

+

_62)a

for some a E

_Z[b].

In other

words,

there is a matrix

(p $)

E

_{SL2 (Z)}

such that

Inspection

of the

_imaginary

_parts,

shows that =

p. Therefore

r + sb is a

_generator

of either the

_{ideal p}

or its

_conjugate.

To find the matrix

_{(~ ~),}

we consider the usual action of _{the group}

_{SL2 (Z)}

on the upper half

_plane

Iz

E C : Imz >

_0}.

Both

_(b

+

B/A)/2

and b are

in the same

SL2(Z)-orbit

and b is contained in the standard fundamental

domain.

By

successive

_applications

of the matrices

_(~l~)

and

_{(~ k) 1}

E

_SL2(Z)

one

transforms z =

to

6. The matrix

_(:)

is then the

_product

of all the

2p

r s

matrices involved.

This

_algorithm

is well known. It is a

reformulation

of the usual

algo-rithm for

_reducing

_positive

definite

_quadratic

_{forms. It is very}efhcient

_[6,

Alg.5.4.2].

We do not

_give

all the details because the

_following

theorem

_[7]

gives

an even

_simpler

solution our

problem.

Theorem 4.1.

_(G.

_Cornacch.ia,

_I908)

Let 0 be a

complex quadratic

order

of discriminant 0 and let p be an odd

_prime

number for which A is a

non-zero _squaremodulo _p. Let x be an

_integer

with

x 2 =- A

(mod p),

x - ~

_{(mod 2)}

and 0 x

2p.

Defne the finiEe sequence of

non-negative

integers

xo, x~, ... , xt = 0 _asfollows,

xo

= 2p,

zi = x,

xi+l the remainder after division

by

xi.

Let i be the smallest index for

_{which xi}

_2JP.

If A divides

_{x2 -}

_4p

and the

_quotient

is a _square

v2,

then

is a

_generator

of a

_prime

ideal p

of 0

dividing

p. If

not,

then the

_prime

ideals p of 0 that divide p are not

_principal.

(13)

Proof.

_(H.W.

Lenstra

_[15])

_{The ideal p}=

((x -

~~~2, p~

of 0 is a

_prime

divisor of p. We

view p

as a lattice L in C. We define a finite sequence of

elements zt E L

_by

_zo_{= p,}

_{(x -}

_B/A)/2

and

where _qE

_Z>o

is the

_integral

part

of

_Rezi/Rezi-1.

Since _{the sequence}

Re Zi

is

_strictly

_decreasing,

the

last zt

has real

_part

_equal

to 0. The traces zi + zi are

_precisely

_{the Xi}

in Cornacchia’s

algorithm.

The

_imaginary

_parts

of

the Zi

form an

_alternating

_sequenceand is

_increasing.

_Any

two

_{consecutive zi}

form a basis for L over Z.

Fig.2. The lattice L.

’

A minimal element of the lattice L is a non-zero vector z E L with the

(14)

lattice

_points

_except

on its corners. In other

_words,

_{every w E}

L with

satisfies

_irewl

_[

=

irezi

[

and

limwl

[

=

limzl.

It is

easy to see that all

the _{vectors zi}are minimal. There is

only

one small

_exception

to this: when the real

_part

of z, exceeds

Re zo /2

=

p/2,

then

Im z2

=

_{-Im zl,}

but

so Zl is not minimal in this case.

i

Fig.3. w = + pzi.

Apart

from this

_exception,

the vectors

_+zj

are

_precisely

all minimal

vectors of L. We

_{briefly explain}

this

_general

fact: let w E L be a minimal vector with Re w > 0.

_Then,

_putting

-zt, one can either "see" w

from the

_origin

between and for some i

_{= 1, 2,... , t}

or one can

(15)

Im zo

= 0

_{which, by}

the

_minimality

of w,

implies

that w =

zo or w = _zl. In the other cases

let q

denote the

integral

_part

of Then

zi+l = _{zi-i -}

9~ and

If A > 2 then either or would be contained in the interior of the

rectangular

box with center 0 and corner w. Since w is

_minimal

this is

impossible

and we have that

for some p

satisfying

(

The

_{point zi}

is contained in the box with center 0 and corner + _pzj whenever 0 _A _q.It is

_usually

contained in the

_interior,

in which case

we

_{conclude, by minimality of w,}

that _/z= 0 or A =

q. The

exceptional

case

occurs when zz+1

_{+ pzj}

= za. In this and w =

(zo

₊

z2)/2.

Since p does not

divide x,

this case does not occur for our lattice L.

If p

is

_principal,

_every

_generator

is

_evidently

minimal. Therefore one of

the Zi

is a

_generator

of p. Consider the one with maximal real

_part.

Since

I

=

B/P?

its _{trace Xi}i = _zi_{+ z2}is less than

2

We must show that

Re zi-,

> Since is

_{in p =}

_(zi)

and since the real

_{part of Zi}

is

maximal,

z2-i is not a

_generator

of p and we have that

IZi-112

21zi

2.

Therefore

which shows that

_{Re z;-i}

>

_qfi.

This

_completes

the

_proof.

When A is even, both initial values xo and x, are even. Therefore all _xi

are even and one can

_simplify

Cornacchia’s

algorithm

a little bit

_by

_dividing

everything

by

2: let xo = _P

A/4

(mod

p)

and

_stop

the Euclidean

algorithm

when xi

JP.

See

[6, Alg.15.2].

The

_running

time of both these

_algorithms

to

_compute

_E(Fp)

when the

endomorphism

ring

is

_given,

is dominated

_by

the calculation _{of the square}

root of A modulo _p.

_Using

the method

_explained

in

_[20]

or

_{[6, Alg.1.5.1]}

(16)

5. A

_polynomial

time

_algorithm.

In this section we

_briefly

_explain

a deterministic

_polynomial

time

algo-rithm

_[18]

to count the number of

_points

on an

_elliptic

curve E over

_Fp.

We suppose that E is

given

by

a Weierstra8

_{equation y2}

=

X3

₊AX ₊B.

It is _easyto

_compute

_~E~Fp)

modulo 2: the

_cardinality

_{of the group}

E(Fp)

is even if and

only

if it contains a

_point

of order 2. Since the

_points

of order 2 have the form

_(~,0),

this means

_precisely

that the

polynomial

X3

+ AX + B has a zero in

_Fp.

_This,

in

_turn,

is

_equivalent

to

This can be tested

_efhciently;

the bulk of the

_computation

is the calcu-lation of XP in the

_ring

_{Fp[X] /(X}

+ AX +

_B),

which can be done

_by

repeated

squarings

and

_{multiplications,}

_using

the

_binary

_presentation

of the

_exponent

p. The amount of work involved is

O (logp) .

Now we

_generalize

this calculation to other

_primes

l. We

_compute

#E(Fp)

modulo the first few small

primes 1

=

3, 5, ?, ....

Since, by

Hasse’s

Theorem ,

it suffices that

in order to determine the

_cardinality

_uniquely

_by

means of the Chinese Remainder Theorem. A weak form of the

_prime

number theorem shows that this can be achieved with at most

0(log p)

primes

each of size at

most

_O(logp).

Since _pis

_large,

the

_{primes I}

are _{very small with}

_respect

to _{p. In}

_{particular, 1 :A}

_p.

As in the case where 1 =

2,

_{we use}the

subgroup

of 1-torsion

_points

of

_E(Fp):

The group

E[l]

is

_isomorphic

to

_Z/IZ

x

Z/lZ.

There exist

_polynomials,

the socalled division

_polynomials

(17)

that vanish

_precisely

in the 1-torsion

_points.

For

_example

The division

_polynomials

can be calculated

_{recursively by}

means of the

addition formulas

_{[5, 18].}

Their

_degree

is

_{(12 -}

_1)/2.

The amount of work involved in

_calculating

them is dominated

_by

the rest of the

_computation,

so we don’t bother

_estimating

it.

The Frobenius

_endomorphism

~p : E - E satisfies the

quadratic

rela-tion

-where t is an

_integer

_satisfying

_#E(Fp)

= _{p +}1-- t. In the

algorithm

we

check which of the relations

holds on the _group

E[l]

of

1-torsion

_points.

It is

_easily

seen that the relation can

_only

hold for t’ - t

_{(mod 1)}

and in this _waywe _{obtain the value of}t modulo t.

The

_point

is that the relations can be

expressed

by

means of

_polynomials

and that

_they

can be checked

_efficiently:

we have that

if and

_only

if

modulo the

_polynomials

and

y2 - X 3 -

AX -- B. Here

_p’

denotes the

_integer

_congruent

to p

(mod

1)

that satisfies 0

p’

l. Note that the

"+" that occurs in the formula is the addition on the

_elliptic

curve and

that the

_{multiplications}

are

repeated

additions.

The bulk of the

_computation

_is,

_first,

the

_computation

_{of the powers}

_Xp,

(18)

and

_{then, I}

times,

the addition of the

_point

_{(XP, YP),}

which boils down to a

few additions and

_{multiplications}

in the same

_ring.

Since the elements of the

ring

have size

_12log,

the amount of work involved is

_{O(logp(l2Iogp)2)}

and

respectively.

Here we assume that the usual

multiplication

algorithms

are

_being

used,

so that

multiplying

two elements of

_{length n}

takes time

_proportional

to

n2 .

Keeping

in mind that I =

0 (log p~

and that we have to do this calculation for

_{each 1,}

we conclude that the amount of work involved in the entire calculation is

So,

this is a deterministic

polynomial

time

algorithm,

i.e. it is

asymptoti-cally

very fast. In

practice

it

_behaves,

_{unfortunately,}

rather

_poorly

because of the

_huge

_degrees

of the division

_polynomials

involved. For

_instance,

the

computations

for the

_example

with p ~

10200

mentioned in the introduc-tion would involve

_{primes 1}

> 250. For such

_{1, representing}

one element

in the

_ring

X3 -

AX -

_B)

_requires

more than 1.5

megabytes

of memory.

In the

_following

sections we

_{explain practical improvements}

of this

algo-rithm due to Atkin and Elkies. ,

6. The action of Frobenius on the 1-torsion

points.

As in the

_{previous sections, let}

_pbe a

_large

_prime

and let E be an

elliptic

curve over

_Fp

_{given by}

a

_{Weierstrafi-equation.}

In this section His a

_prime

different from _pand we

study

the action of the Frobenius

endomorphism

on the group

E[l]

of 1-torsion

_points

on an

elliptic

curve. As an

application

we describe Atkin’s

_algorithm

[1,2]

to

_compute

the order of the

_image

of the Frobenius

_endomorphism

in _{the group}

_{PGL2 (Fd).}

We

_explain

how this

can be used to count the number of

_points

on an

elliptic

curve over

_Fp.

For every

prime I

we introduce the so-called modular

_equations.

This a

symmetric

polynomial

4li(S, T)

E

_Z[S,T],

which is

_equal

to to

SIT’

i

+

TI+1

_plus

terms of the form with and i

_{+ j}

21.

By

the

famous

_{Kronecker congruence}

_relation,

one has that

_T)

==

(Sl -

T) (T -

Sl)

(mod t).

The

_polynomial

has the

_property

_{that for any} field_F’ of and _{for every}

_{j-invariant j}

E

_F,

the I + 1 zeroes

j

E ~’ of the

_polynomial

_{4li (j, T)}

= 0 _are

precisely

the

j-invariants

of the

isogenous

curves

E/C.

Here E is an

elliptic

curve with

_{j-invariant j}

and C

runs

_through

the t + 1

_{cyclic subgroups}

of

_E[t].

See

_[21]

for the construction of the curves

E/C.

(19)

The

_polynomial

_T)

describes a

_singular

model for the modular curve

Xo (1)

in

P’

x P~ over

Z. As an

example

we

_give

the modular

_equation

for ~=3:

An

_elliptic

curve .E over a finite field of characteristic _pis called

super-singular if

it possesses no

points

of order _{p, not}even over an

algebraic

closure

_Fp.

_{Equivalently,}

some _powerof the Frobenius

endomorphism

of E

is an

integer.

Since the

_property

of

being supersingular only depends

on the

curve E over

Fr,

it

only depends

on the

_j-invariant

of E. Therefore we can

speak

of

_{supersingular j-invariants.}

_{Supersingular}

curves are rare. Their

j-invariants

are

_always

contained in

_Fp2

and the number of

_{supersingular}

j-invariants

in

_Fp

is

_{approximately}

See

_[21].

For an

_elliptic

curve

_E,

an

_isogeny

E -~

E/C

is

usually

defined over

the field that contains the

_j-invariants

of E and but this need not

be true if the

_j-invariant

of E is

_{supersingular}

or

_equal

to 0 or 1728. The

following

proposition

is sufficient for our _purposes.

Proposition

6.1. Let E be an

elliptic

curve over

_Fr.

_Suppose

that its

j-invariant j

is not

_{supersingular}

and 0 or 1728. Then

~i~

the

_polynomial

_{~l( j, T)}

has a

_{zero j}

E

_Fpr

if and

_only

if the kernel C of the

_{corresponding isogeny}

is a 1-dimensional

_eigenspace

in

E[l].

Here p

denotes the Frobenius

endomorphism

of E.

(ii)

The

_polynomial

_4~1(j,

_T)

_{splits completely}

in

_Fpr

_[T]

if and

_only

acts as a scalar matrix on

Proof.

_(i)

If C is an

_eigenspace

of it is stable under the action of the

Galois _group

_{generated by}

Therefore the

_isogeny

.E ~--~

_E~C

is defined

over

_Fpr

and the

_{j-invariant j}

of

E/C

is contained in

_Fpr.

Conversely,

=

_0,

then there is a

cyclic

_subgroup

C of such that the

_j-invariant

of

_E~C

is

_equal

_{to j E}

_{Fpr .}

Let E’ be an

_elliptic

curve

(20)

over

_Fpr

with

_j-invariant

_equal

to

_j.

Let

_{E/C --;}

E’

be an

_{Fp-isomorphism}

and let

_{f :}

E )

_{E /C -}

E’

be the

_composite

_isogeny.

It has kernel C. The group

_Homppr

(E, E’)

of

_isogenies

E ---> E’’ that are defined over

Fpr

is a

subgroup

of the _groupof all

_isogenies

_HomFp

(E,

E’).

Since

E is not

_{supersingular,}

_{Romi" p (E,}

_E’)

is free of rank 2. The

_subgroup

HomFpr

(E,

E’)

is either trivial or

_equal

to

_E’).

Therefore

_f

is defined over

_Fpr

as soon as there exists an

_isogeny

E ---~

E’

which is

de-fined over

Fpr.

This means that C is an

_eigenspace

of

_cpr,

as soon as curves

E and E’ are

_{FPT-isogenous}

_or,

_{equivalently,}

when their Frobenius

endo-morphisms

over

_{F pr satisfy}

the same characteristic

_equation

[21,

_Chpt.III,

Thm.

_7.7].

We will show that E’ can be chosen to be

_{Fpr-isogenous}

to E. Since E

and E’

are

_isogenous

over

_Fp,

the

_quotient

fields of their

_endomorphism

rings

are

_isomorphic

to the same

_{complex quadratic}

field K.

_{Let 0}

and

1/J’

denote the Frobenius

_{endomorphisms}

over

_Fpr

of E and

E’

_{respectively.}

We have

_that

_pr.

we

_have,

_upto

_{complex conjugation,}

the relation

’lj;s = 1/;’ S

for some

positive integer

s.

If ~ _ 1/;’,

the curves E and

E’

are

_{Fpr-isogenous. If 0 =}

then we

replace

E’

_by

its

_quadratic

_twist,

which has Frobenius

_endomorphism

_2013~.

Again

the curves E and

E’

are

_{Fpr-isogenous.}

From now on we _suppose

_{that 0 0 -.:J:1/l.}

Then

1/J / ’lj;’

E K is a root of

unity

of order at least 3 and either K =

Q(i)

or K =

Q(()

and 0’

=

:I:(1f;

_or

::i:(-11/J.

Here C

denotes _a

primitive

cube root of

unity.

The

_{endomorphism rings}

of E

and E’

are orders of conductor

f

and

f ’

respectively

in K. We have the

_following:

-

f

and

_f’

are

_coprime.

We

only give

the easy

proof

for K =

Q(i);

the other case is similar. .

Let 0

= a + bi for some a, b E

Z,

and

_f

divides b while

_{f ’}

divides a. Since a and b are

_{coprime integers,}

so are

_f

and

_f’.

- The

quotient

f / f’

is

_equal

to

_{1, 1}

or

1/1.

To see

this,

let

_Rc

C

_End(E)

be the

_subring

defined

_by

The index of this

_ring

in _{divides I and the natural map}

_RC

-End(E’)

given by g

~ g is a well defined

_{injective ring homomorphism.}

(21)

the dual

_isogeny

of

_{f ,}

we find in a similar way that

_f

divides

l f’.

_If

_f

would not divide

_f’

and

_f’

would not divide

_{f ,}

then

_ordz(J)

=

ordl( f’)+1

and

_{ord, (f ’)}

= + 1 which is absurd. Therefore either

f

divides

f’

or

f’

divides

f

and we conclude that either

f’/ f

divides I or

_{f / f’}

di-vides l.

It follows

_easily

that either

_f

or

f’

is

equal

to 1.

_{Since j 0}

0 or

_1728,

the conductor

_f

cannot be 1. Therefore

_f’

= 1 and the

_{j-invariant j}

of

E’

is 1728 or 0

_{respectively.}

In the first case K =

Q(i)

and,

since E is

not

_{supersingular,}

_{p -}1

_{(mod 4)}

and there _{are, up}to

_{isomorphisms,}

four

curves over

_Fp

_{with j}

= 1728. Their Frobenius

_{endomorphisms}

_are

given

by

~~, =l:.i1/J.

Therefore one of these curves is

_{Fpr-isogenous}

to E and we

replace

E’

_by

this

_{Fp-isomorphic}

curve. In the second

_{case j = 0}

and

p - 1

(mod

3);

there are six curves

_Fp

with

_{3*-’invariants equal}

to

_0,

one of

which is

_isogenous

to E. We

_replace

E’

_by

this curve. In both cases we

conclude that the

_isogeny

_f

and its kernel C are defined over

_Fpr,

This

proves

(i).

(ii)

If all

_{zeroes j}

of are contained in

_Fpr,

then

_{by (i),}

all 1-dimensional

_subspaces

of

_E(l]

are

_eigenspaces

of This

_implies

that

cpr

is a scalar matrix.

This proves the

proposition.

’

The conditions of the

_proposition

are _{necessary. For}

_instance,

let E be

the

_elliptic

curve over

F7

_{given by}

the

equation

y2

=

X3 -

1. It

has

j-invariant 0. Let 1 = 3. The 3-division

polynomial

is

equal

to

W3(X) =

X (X 3 -

4)

and the modular

_equation

with S

_{= j}

= 0 becomes

~3 ( j, T )

=

T(T -

3)3

(mod

7).

The zero X = 0 of

~Y3(X)

gives

rise to the

subgroup

C =

{oo,

(0, ~i)}

where i _E

F49

satisfies

i2

= -1. The group C is the

kernel of the

endomorphism

1 - 6 where 6 is

_{given by}

_{6(z, y) = (2x, y).}

Therefore

_{E/C 9!}

E and

_E/C

has

_{j-invariant equal to j}

= 0. This

_explains

the

_{zero j}

= 0 of

~3(j,T).

The other

(triple)

zero j

= 3 is the

j-invariant

of

E/C

where C is _anyof the other three

_subgroups

of order 3. The six

non-trivial

_points

in _{these groups}are

_{given by}

(±2z, ~4).

Since the Frobenius

endomorphism cp

acts

_transitively

on these six

_points,

we conclude that

the

_only

_eigenspace

_{of cp}

is the kernel of 1 - 6. There are no

_eigenspaces

corresponding

to the the

_{zero j}

= 3 of

~3 ( j, T ).

For

_{supersingular}

curves E

_Prop.6.1

_is,

in

_general,

also false. For

in-stance,

let _p= 13 and consider the _curveE

given by

y2

=

X3 -

3X - 6

over

_F13.

The

_j-invariant

of E is

_equal

to 5 and E has 14

_points

over

Fig.

Therefore the trace of the Frobenius

_{endomorphism p}

is zero and _cp

(22)

su-persingular.

All

_{supersingular}

curves over

_F13

have

_{j-invariant equal}

to 5.

Therefore,

for _every

_{prime 1,}

the modular

_equation

_{4li(j, T)}

is

_congruent

to

_{(T -}

_5)i~’~

_{(mod 13).}

All its zeroes are in

F13,

but when I is a

_prime

modulo which -13 is not a _square,the characteristic

_equation

cp2 +

13 = 0 of the Frobenius

_endomorphism

p is irreducible modulo l.

Therefore p

has

no 1-dimensional

_eigenspaces

in

E[l].

In

_{general, if j}

is a

supersingular

_j-invariant,

all irreducible factors of

the

_polynomial

E

_{F p [T ~}

have

_degree

1 or 2. The

_following

two

propositions

are in

[2].

Proposition

6.2. Let E be a

_{non-supersingular}

_eltiptic

curve over

_Fp

with

j-invariant j ~

0 or 1728. Let

_{~~( j, T)}

=

fi f2 ...

f s

be the factorization of

~~( j, T~

E

_Fp[T]

as a

product

of irreducible

polynomials.

Then there are

the

_following

_{possibilities}

for the

_degrees

_{f s:}

tj)

1

_{and d;}

in other factors as a

_product

of a linear factor and an

irreducible factor of

_degree

I. In this case 1 divides the discriminant

t2 - 4p.

We

_put

r = I in this _case.

,

(ii)

l,l,r,r,...

,r;

in this

case t2 -

_4p

is a _square

modulo t,

the

degree

r divides 1 -1 and

p acts

on

E[l]

as a matrix

_(g§)

with

_{À, P,}

E

_{Fi .}

0,0

(ill)

r, r, r, ... , r for some r >

_1;

in this case

t2 -

_4p

is not a _squaremodulo

l,

the

degree

r divides 1 + 1 and _cpacts on

E[t]

as a 2 x 2-matrix that has a characteristic

_polynomial

which is irreducible modulo t.

In all _cases,r is the order of _cpin the group

PGL2(F,)

and the trace t of cp

satisfies

~~

=

((

₊

~-~ ~~p

(mod

l ~

for _some

primitive

r-th _rootof

unity C

_E

Fl.

Proof. This follows from the

_previous

_proposition.

The Frobenius

endo-morphism W

acts on via a 2 x 2-matrix with characteristic

_equation

cp2 - tcp

+ p

= 0. If the matrix has a double

eigenvalue

and is not

diagonal-izable,

then there is

_only

one 1-dimensional

eigenspace of p

and the matrix

(23)

If the matrix has two

_eigenvalues

in

_Fi

I and is

diagonalizable,

then the

discriminant t2 --

4p

is a _squaremodulo I and

_E[l]

is the direct

_product

of two 1-dimensional

_{p-eigenspaces.}

This accounts for the two factors of

degree

1 of

_{~I ( j, T~ .}

The

_remaining

factors have

_{degree r,}

where r is the smallest

_{positive integer}

such that

_cpr

is a scalar matrix. This is case

(ii).

If the matrix has two

_conjugate

_eigenvalues

_À,1t

E

F12 - F1,

then there

are no 1-dimensional

_eigenspaces

and all irreducible factors of

_{4), (j, T)}

have

degree

r where r is the smallest

_exponent

such that ar E

_{Fi .}

_{It is easy} to see that this is also the smallest

_exponent

such that

_cpr

is scalar. This

covers case

_(iii)

To prove the last

statement,

we note that the matrix

_cpr

acts on

E[l]

as

a scalar matrix. This

_implies

that the

_eigenvalues

A and _pof p

satisfy

ar = Since

_Att

= _p,we have

~2r - pr

and hence

a~

=

(p

for _some

_primitive

r-th root of

_{unity .}

This

_implies

that t2

=

(a+p/~)2 -

(~+~’-1)ap

(mod 1)

as

_required.

Here one should

_{take C}

=1 in case

_(i)

where r = t.

The

_following

_proposition

_puts

a further restriction on the

_possible

value

of r.

Proposition

6.3.

_Suppose

E is a

_{non-supersingular}

curve over

Fr

with

j-invaria~nt j ~

0 or 1728. Let I be an odd

_prime

and let s denote the number of irreducible factors in the factorization of

_{4), (j,}

_T)

E

_{Fp [T].}

Then

Proof. If 1

divides t~ -

_4p

and _~phas order I we are in case

(i)

of

_Prop.6.2

and the result is true.

_Suppose

therefore

that t2 -

_4p

0

_i.e.,

that we are in case

(ii)

or

(iii)

and let T C

_{PGL2 (FI)}

be a maximal torus

containing

o. In other

words,

we take T

= (o ° :

E

_split

in

op I

case

_(ii)

and we take T

non-split,

_i.e.,

isomorphic

to in case

(ill).

Let

12

T denote the

_image

of T in

_PGL2(FI).

_{The group T is}

_cyclic

of order 1 - 1 in case

(ii)

and of order 1 + 1 in

_{case (ui).}

The determinant induces an

isomorphism

det :

T/T2

_{---~ F* / (F* ~ ~ .}

Since the characteristic

_equation

of p

is + p =

_0,

the action

of p

is via

det(cp)

=

p and we obtain an

isomorphism

This shows that the index

_{[T : cpJ}

is odd if and

_only

if p is not a _square

mod l. Since the number s of irreducible factors

_T)

over

_Fp

is

_equal

(24)

Propositions

6.2 and 6.3 can be

_employed

to obtain information about the trace t. The restriction to

_elliptic

curves that are not

_{supersingular}

and 0 or 1728 is not _{very serious. For}curves with

_{j-invariant equal}

to

0 or

_1728,

the

algorithm

of section 4 is much more

_efhcient,

while

supersin-gular

curves

always

have t = 0 and hence _p+ 1

points

_over

Fp.

The chance that a "random"

elliptic

curve like in the

introduction,

is

_{supersingular,}

is very

small;

the

probability

is bounded

by

O(p-l/2).

In

practice

this case

is

_recognized

_easily

because for each

_{prime 1,}

the

_polynomial

_{(11 (j, T)}

has

only

irreducible factors of

_degree

1 and 2.

Rather than

_doing

the

_computations

modulo the division

_polynomial

Wi (X )

of

_degree

_~t2-1)/2

that were introduced in section

5,

Atkin does

com-putations

modulo the

_polynomial

T)

of

_degree

l+1.

This is much more

efhcient,

but one obtains less information: instead of

computing

t

(mod 1),

Atkin

_only

obtains certain restrictions on the value of t

(mod 1).

Atkin’s

_algorithm.

Let E be an

_elliptic

curve over

_Fp

_{given by}

a

Weierstrafl-equation. Let j

E

_Fp

denote its

_j-invariant.

Let I be a

_prime

number.

Atkin first determines how many zeroes the

polynomial

«p,(j, T)

has in

Fp.

This is done

_{by computing}

,

Then one can see which case of

_Prop.6.2

applies

to the

_prime

l. The bulk

of the calculation is the

_computation

of TP in the

_ring

since the

_degree

is I +

_1,

the amount of work is

_proportional

to

To

_compute

the exact order r of the Frobenius

endomorphism in

PGL2(Fl),

Atkin

_computes

in addition

for i =

2, 3, ....

For i = _{r one}finds that the

gcd

is

equal

to

T)

and this is the smallest index i with this

property.

One knows

_{by Prop.6.2}

that

r divides 1 + 1 and

_{by Prop.6.3}

one knows the

_parity

of

(1

±

_1)/r.

This information can be used to

_speed

up the

computations.

By

the last statement of

_Prop.6.2,

the

_knowledge

of r

severely

restricts

the

_{possibilities}

for t

_{(mod 1).}

For

instance,

when r =

1, 2, 3, 4

_onehas

that t2 =

4p, 4p,

p and 0

(mod

1)

respectively.

For r > 2 the number of

_{possibilities}

for t are at least cut in half: there are, a

_priori,

(1

+