Constructing elliptic
curves overfinite fields using
double eta-quotients
par ANDREAS ENGE et REINHARD SCHERTZ
RÉSUMÉ. Nous examinons une classe de fonctions modulaires pour
03930(N)
dont les valeursengendrent
des corps de classes d’anneaux d’ordresquadratiques
imaginaires. Nous nous en ser- vons pourdévelopper
un nouvelalgorithme
de construction de courbeselliptiques
àmultiplication complexe.
Vu que le genre desX0 (N)
associées n’est paszéro,
le calcul de la courbe se fait àl’aide de certains
polynômes
modulaires.Étant
unproduit
de quatre fonctions ~, les fonctions modu- lairesproposées
peuvent être vues comme unegénéralisation
na-turelle des fonctions traitées par Weber et
généralement
utiliséespour construire des courbes
elliptiques
àmultiplication complexes.
Contrairement au cas des fonctions de
Weber,
les valeurs des fonc- tions examinées iciengendrent
tous les corps de classes d’anneaux den’importe quel
ordrequadratique
imaginaire sans tenir compte des congruences satisfaites par leur discriminant modulo des puis-sances de 2 ou 3.
ABSTRACT. We examine a class of modular functions for
03930(N)
whose values generate ring class fields of
imaginary quadratic
or-ders. This fact leads to a new
algorithm
for constructingelliptic
curves with
complex multiplication.
The difficulties arising whenthe genus of
X0 (N)
is not zero are overcomeby
computing certain modularpolynomials.
Being
aproduct
of four~-functions,
theproposed
modular func-tions can be viewed as a natural
generalisation
of the functions ex-amined
by
Weber andusually employed
to construct CM-curves.Unlike the Weber
functions,
the values of the examined functions generate any ring class field of an imaginaryquadratic
order re-gardless
of the congruences modulo powers of 2 and 3 satisfiedby
the discriminant.
Manuscrit reçu le 8 avril 2003.
1. Introduction
Over the
past decades, elliptic
curves over finite fields have become animportant ingredient
for different number theoreticalgorithms. They
areused,
forinstance,
to construct securepublic key cryptosystems [17, 21],
factor
integers [20]
or prove theprimality
of aninteger [13, 1].
For atleast two of these
applications
it is necessary to construct curves whose orderssatisfy
certain constraints. The order of anelliptic
curve suitable forcryptography
must have alarge prime
factor toexploit
to the maximumthe
security potential
of thekey
space. To show that aninteger q
isprime,
one may construct an
elliptic
curve overZ /qZ
and apoint
on the curve oforder
larger
than( 4 q + 1)2
andrecursively
show that this order isprime.
The
theory
ofcomplex multiplication yields
an attractiveapproach
tothe construction of
elliptic
curves with a suitable number ofpoints
over afinite field. It allows to first determine the relevant
parameters
and thento tailor the
elliptic
curve to one’s needs.Furthermore,
it can be usedto construct many
non-isomorphic (albeit isogenous)
curves at the sametime. For
obtaining
the curves it is necessary toexplicitly
determine thering
class field of animaginary-quadratic
order.Classically,
this involvessingular
values of certain modularfunctions,
whose minimalpolynomials
have to be
computed during
thealgorithm.
A nice feature of the functions described in the literature is thatthey generate
a rational extension of the fieldC(j)
of modular functions for the full modular group.Thus,
itis easy to deduce the
j-invariant
of the curve andfinally
the curve itself.On the other
hand,
some of these functions lead to minimalpolynomials
with
prohibitively large coefficients,
which limits theirapplicability
to smalldiscriminants. Others are suited for discriminants of a
special type only.
In
particular,
thecommonly employed
Weber functions cannot be useddirectly
for discriminants divisibleby
96 orcongruent
to 5 modulo 8.In this
article,
we propose a newfamily
of modular functions whosesingu-
lar values allow to construct the
ring
class field of anyimaginary-quadratic order,
thuspermitting
a unifiedapproach regardless
of the discriminant.Moreover,
their associated classpolynomials
havecomparatively
small co-efficients and can thus be
computed
in a reasonable amount of time. In Section2,
wegive
a concise introduction to thetheory
ofcomplex multipli-
cation and the
algorithms proposed
in theliterature,
beforepresenting
ouralternative modular functions in Section 3. In
general,
these functions do not generate a rational function field overC(j)
any more. Hence the actualcomputation
of thej-invariant corresponding
to asingular
value of a sucha function
(and
thus of thecomplex multiplication
curveitself)
becomesa
problem.
In Section4,
we propose a solutionby factoring
the modularpolynomial relating
our functions andj.
We concludeby presenting
a fewexamples
in Section 5.2.
Complex multiplication
2.1.
Orders,
classfields,
and curves.Complex multiplication
of el-liptic
curves is thestudy
of theirendomorphism rings,
which turn out to be orders inimaginary-quadratic
number fields. We introduce the nota- tion usedthroughout
this article and recall a few basicfacts;
for a morecomprehensive
account ofquadratic orders,
see[2, Chapter 2.7]
or[3].
Let d 0 be a
fundamental discriminant,
D =f 2d
and K =the
imaginary-quadratic
field of discriminant d. Denoteby O i
its maximal order andby Of
the order of discriminant D and conductorf .
The elements of the ideal class group of the orderOf
areconveniently (for
the sakeof
computations) represented by quadratic forms:
to the ideal a =a2l
of
Of
we associate its basisquotient a
=2,
where we suppose that thenumbering
is such that a E ff3I =z
e C :0(z)
>0}.
Inturn,
a is the rootof a
primitive quadratic
form[A, B, C] = AX2
+ BX + C of discriminantD,
thatis,
A >0, gcd(A, B, C)
= 1 and D= B2 -
4AC.The hf
=h(D)
elements
of Sj f
are inbijective correspondence
with certainquadratic
formsof discriminant
D,
calledreduced,
which areeasily
enumerated.Concerning elliptic
curves, the standard reference is[26],
a more elemen-tary (and
far lesscomprehensive) introductory
book is[7].
Over the
complex numbers,
theendomorphism ring
of anordinary elliptic
curve is either Z or an
imaginary quadratic
orderOf;
in the latter case, the curve is said to havecorraplex multiplication. by O j
or D. There areexactly h(D) isomorphism
classes of such curves.They
are characterisedby
theirj-invariant being
asingular
value of the absolute modular invariantj,
thatis,
avalue j(a)
where a is the root of aprimitive quadratic
formof discriminant
D,
orequivalently
the basisquotient
of a proper ideal of Thesingular
valuesof j
have thealgebraic property
thatthey generate
the
ring
classfield Kf over
K =By
class fieldtheory,
the Galoisgroup of
Kf IK
iscanonically isomorphic
toSif : if j (a)
is thesingular
valueassociated to the ideal a, then the
automorphism corresponding
to anideal class b acts on
Kf by
=j(ab-’).
Ordinary elliptic
curves over finite fieldsFq
havenecessarily complex multiplication by
someimaginary-quadratic
orderDeuring’s lifting
andreduction theorem
[5,
p.202-203]
states that any such curve is obtained asthe reduction of an
elliptic
curve over C withcomplex multiplication by O j (so
that in fact thecomplex
curve is defined overKf).
Moreprecisely,
ifq =
p’"z
with pprime,
then psplits
inOf
as p =p~,
and p is of order m inBy
class fieldtheory,
the ideals above p in thering
ofintegers
ofK f
are of inertia
degree
m, and the curve overFq
is obtainedby reducing
acomplex multiplication
curve overKf
modulo aprime
ideal above p. Theorder of p
being
mimplies that q
=p"2
can be written asIf D
g {20133, 20134},
then the number ofIFq-rational points
on the reducedcurve is given by q + 1 + u or q + 1 - u.
2.2. Classical
complex multiplication
constructions. The results mentioned in theprevious
sectionimply
aconceptually simple
way ofconstructing elliptic
curves withcomplex multiplication.
For a suitablecombination
of q = pm
andD, compute
the minimalpolynomial HD ~j~,
called the class
polynomial,
of asingular
valueof j
as follows: enumeratea
system [Ai, B2,
i =1, ... , h(D),
of reducedquadratic
forms of dis- criminant D andcompute complex approximations
of thesingular
valuesand of the class
polynomial
(
2Ai)
In
fact,
has rationalintegral coefficient,
and if thecomplex
ap-proximations
aresufficiently accurate,
the coefficients can be obtainedby rounding.
OverFg,
thispolynomial splits completely,
and itsroots j
areprecisely
thej-invariants
of theelliptic
curves over1F9
withcomplex
multi-plication by
D. Anelliptic
curveequation
is thengiven by simple
formulae(which
weprovide
forD ~ {-3, -4}):
Any elliptic
curve withj-invariant 3
is thenisomorphic
over1Fq
either to Eor to its
quadratic
twist.Unfortunately,
the coefficients ofHD~j~
grow very fast with D. Considerthe
logarithmic height
ofHDD],
i.e. thelogarithm
of thelargest
absolutevalue of its coefficients.
Obviously,
theconjugates j(ai)
have to be approx-imated to a
precision
of at least thisheight
so that the coefficients may be roundedproperly.
Inpractice,
it suffices to increase the accuracyby only
a fewdigits
to account for numerical errors.Thus,
the time neededto determine
HD U]
isclosely
correlated to itsheight,
and it is desirable todevise
equivalent polynomials
with smaller coefficients which mayplay
therole of class
equations.
In order to not loose theelliptic
curves out ofsight,
it appears
hereby
reasonable to remain closeto j,
and thus to thering
classfield
Kf generated by
thesingular
valuesof j.
This motivates thefollowing
definition,
cf.[27].
Definition. Let tv be a non-constant modular function and a the root of a
primitive quadratic
form of discriminant D =f 2d.
If thesingular
value lies in the
ring
class field we call it a class invariant for D.The characteristic
polynomial HD[to]
of thesingular
value with respect toKf IK
is called a classpolynomial.
A few such modular functions have been
investigated
in the literature[27, l,19, 24],
all of which are suitedonly
forspecific types
of discriminants.Denote
by
q =e21riz
the Fourier transform of acomplex
variable z, and letq1124 - e(2~riz)/24,
We introduce Dedekind’s1ffunction [4]
I I
The
simple
r~quotients
aregiven by
for some
integer (often
chosen as aprime).
Weber examined the functionf l
= tv2 and the further functionsf
andf 2,
obtained in a similar fashionas a
quotient of 1/ by applying
a modular transformation of level 2 andnormalising suitably: f
=e-7ri/24 77(+l)
andf2
= r z Certain powersof these functions turn out to be class invariants for some discriminants
D,
where the main constraint is that 2 be not inert in
Q(v~D-).
The exactexponents depend
on the congruences of D satisfied modulo powers of 2 and modulo3;
for modernproofs,
see[24].
These results have been
generalised
to powers of rot forprimes i
suchthat i -
1124,
see[1],
underessentially
the same condition that t be not inertHence there are discriminants for which this finite
family
of functions is not suited.Moreover,
thehigher
the additionalexponent,
thelarger
theheight
of the classpolynomial,
see[8].
Thus even in cases where these functions areactually
classinvariants, they
need not be agood
choice froma
computational point
of view.3.
Double 71 quotients
as class invariantsIn this
section,
we examine a class of functions that can be seen as anatural
generalisation
of thesimple
1/quotients
as described in theprevious
section.
Being
defined for an infinite combination ofparameter values, they
yield
invariants for any discriminant. For twoprime
numbers pi and p2,define the
double q quotient
of level N = pip2by
Here we do not exclude the cases that pl - p2 or that pi, p2 E
{2,3}.
In
fact, letting
PI = p2 = 2 shows aninteresting
connection to Weber’s functions: the well-knownidentity f f l f 2
=vl2, already proved
in[16],
implies
that-
Let s =
24/ gcd(24, (pi - 1) (p2 - 1))
be theinteger measuring
how far(pi - 1) (p2 - 1)
is frombeing
divisibleby
24. Then the functions we areinterested in are the
ros
,P2 .(We
mention that an infinitefamily
of classinvariants may also be obtained from
simple q quotients
ofarbitrary level,
as examined in
[9].)
As can be seen
by examining
the behaviour of q under unimodular trans-formations,
tvs Pl,P2 is a modular function for= ( a c d b E r : ° N b I ’
see
[22]. Furthermore,
it is invariant under the Fricke-Atkin-Lehner invo- lution of level Nby [10],
Theorem2,
and an element of the field of modular functions of level N whoseq-expansions
at any cusp lie in the N-thcyclotomic field, by
Theorem 7 of[10].
Our first aim is to determine under which conditions the
singular
valuesof lie in the
ring
class field whichplaces
them close to thesingular
values
of j.
In Section4,
we discuss how to obtain thecorresponding elliptic
curves with
complex multiplication by
Theproperties
of allowto
apply
thefollowing result,
which is Theorem 4 of[24].
Theorem 3.1. Let ? E
TN
be a modularf unction for
such thattv (z)
and roz1)
have rationalq-expansions.
Let D 0 be aquadratic
discriminant. Assume that there is a
quadratic f orm Bi,
=A, X2+
B1X
+Cl of
discriminantBl - 4A,Cl
= D such thatgcd(Al, N)
=1 andand let al be its root in H.
If al
is not apole of tv,
thentv(al)
EK f.
The
conjugates
underGal(K f/K)
aregiven by
thetu(0152i),
whereaj varies over the roots in H
of
anN-system for D,
that is acomplete
system o f inequivalent quadratic f orms [Ai, Bi, Ci] of
discriminant D such thatIt is not difficult to show that an
N-system
canalways
be obtainedeffectively by applying
unimodular transformations to anysystem
of re-presentatives
of the class group(cf. [24], Proposition 3).
Notice also that(3.1) implies
thedivisibility by
N of all theCi.
Theorem 3.2. Let D = with d 0 a
fundamental discriminant,
N = pip2
w2th pl,
p2prime, satisfying furthermore
thefollowing
condition:~pi~p2~~(~(g)~-l;
~
if pl
=P2 = p, then either(D)
= 1Then there is a
primitive quadratic f orm Ci] o f
discriminant D withgcd(AI’ N)
=1 andNICl.
Let 0!i be its root in H. Thesingular
valueThe
conjugates
are thewhere the ai vary over the roots
of an N -system
asdefined
in Theorem ~.1.Proof.
The existence of thequadratic
form amounts to the existence ofBi
such thatBf,
which canreadily
be shown to beequivalent
to thegiven
conditions on pi and p2.The
remaining
assertions are a direct consequence of Theorem 3.1. The mainpoint
we have notyet
verified is therationality
of the different q-expansions.
For itself this followsdirectly
from therationality
ofthe
q-expansion
of 17. The invariance of under the Fricke-Atkin- Lehner involution zH N
associated toimplies
that(2013-!-)
=which
clearly
has a rationalq-expansion. Finally,
as 17 has neither zeroes norpoles
inJHI,
also has nopoles
in H. 0Remark. It can be shown that
depending
on the congruences satisfiedby
D modulo
12,
lower powers of mayyield singular
values in thering
class field.
Indeed,
Satz 4 of[23]
states that(q2q3)
hassingular
values inK f
if N iscoprime
to6 f . Depending
on D modulo12,
the
singular
values of ’)’2 and ’)’3 may lie inK f themselves,
so the sameholds
already
for We do not pursue this issue any furtherhere,
asthe incurred technicalities would rather obscure the
following
discussions.The
singular
values of arealgebraic integers
and in many caseseven
units,
for which there is asimple proof
in the case p2.Theorem 3.3. Under the conditions
o f
Theorem3.2,
theis an
algebraic integer.
p2, orpi = p2 = P and(~) =1,
thenthey
are units.
Proof.
Consider the modularpolynomial relating tu;1,P2 and j;
this isthe monic
polynomial
ofdegree
= prime(1 + ~)
in X such that 0. It is shown in Theorem 7 of
[10]
thatis an element of
7~(j, X ~. Specialising
in thesingular
valuesyields
that is a monic
polynomial
with coefficients inand with as a root. is an
algebraic integer,
thisimplies
that also is an
integer.
For P2, Theorem 9 of
[10]
states that the constant coefficient of 1.Hence,
thespecialised reciprocal polynomial
is monic with root and with
integral coefficients,
so thatindeed a unit.
If pi = p2 = p, then the constant coefficient of the modular
polynomial
is a proper power of p, so that the
preceding argument
does notapply.
Inthis case, the
prime
idealdecomposition
of thesingular
valuesgiven
in[6],
S 22, provides
aproof.
DThe
previous
two theoremsyield
asimple algorithm
tocompute
the classpolynomial
of Thealgorithm
consists of enumerat-ing
anN-system, computing complex approximations
of theconjugates
and of =
X - ~~ (ai) -
+:E~~~)-1
Thecoefficients ai
are elements of theprincipal
order91,
and
choosing
anintegral
basis ofOi
andseparating
the real and theimaginary parts
ofthe a2
allows torecognise
them asalgebraic integers.
The
following
theorem shows that under mild additionalconstraints,
this
algorithm
can besimplified,
since the classpolynomials
areactually
elements of
7X .
So theconjugates
are either real or come incomplex- conjugate pairs,
which saves about half of thework,
asonly
oneconjugate
in each
pair
needs to becomputed.
Theorem 3.4. Under the
assumptions o f
Theorem3.1,
supposef urther-
more that tu is invariant under the Fricke-Atkin-Lehner
involution,
thatis, tu (2013~)
=f or z
E H. Assume thatCi
= N. Denote =Ai,
the idealcorresponding to
thequadratic f orm Bi, Ct]. I f
L 2
J
____
is
equivalent
to thentu(ai)
= Inpartzcular,
Proof.
Denote thecomplex conjugation by
x. We consider first thespecial
2
case i = 1 with N =
Cl
= and 1 =0,
where ao is defined as the basisquotient
of ao = =[1,
Since issupposed
to have arational
q-expansion,
i.e. it can be written as a Laurent series with rational coefficients inql/n
= for some n eN,
and since =e21ri(-z)/n,
we have
tv(z)"
=tu( _ZK).
NowLet now ai
and al
bearbitrary.
We aregoing
to use the action ofon the
singular
values of to to reduce this case to thepreviously
consideredone. For a proper ideal a
= 1 A, - B +,I 2 D- 17.
ofOf
we haveso ~ is an
automorphism
ofK¡/Q.
If b is a second proper ideal of
Of,
thenNotice that =
(cf.
theproof
of Theorem 7 in[24],
used for the
proof
of Theorem3.1),
whenceCorollary
3.1. With the notationsof
Theorem3.2,
suppose that thefol- lowing
conditions hold:Then there is a
primitive quadratic form [AI, Bl, Cl] of
discriminant D withgcd(Al, N)
= 1 andCI
= N. The assertionsof
Theorem 3.2hold,
and the class
polynomial
is an elementsIf -
denotesequivalence of ideals,
the classpolynomial
can becomputed
aswhere Tr resp. N denote the
complex
trace resp. norm.Proof.
For p2, the existence of thequadratic
form withCI
= N isequivalent
to the existence ofBl
such that pl, p211 9 .
2 For pi = p2, it isequivalent
to the existence ofBl
such thatN 11 (
2.
. It isreadily
verifiedthat this situation is
captured by exactly
the conditions of thecorollary.
The assertion now follows
directly
from Theorem 3.4. D Remark. The additional constraint of thecorollary
in the case PI = p2 =2,
whencompared
to Theorem3.2,
is in fact no serious restriction: If D - 4(mod 32),
thenf
= 2 and(Z)
= 1. One may then use thedoubleq quotient
for the fundamental discriminant d to construct the Hilbert class field
Kl,
which in this
special
caseequals
thering
class fieldK2
associated to D.4.
Retrieving j
As observed in the
previous sections,
anelliptic
curve over a finite field Fhaving complex multiplication by
the discriminant D =df 2
can be obtained via thering
class fieldUsing
some class invariant ro, theapproach
consists of
computing
the classpolynomial
as an element ofZ[X]
or
0 1 [X]
and ofreducing
it modulo the characteristic of F. If F has been chosen such that the desiredcomplex multiplication
curveexists,
then thereduced class
polynomial splits completely
overF,
and one determines aroot i5.
Writing
down anexplicit equation
for theelliptic
curve is nowequivalent
todetermining
thecorresponding value j
of itsj-invariant,
cf.the formulae in Section 2.2.
In the classical case where ro is one of the Weber
functions,
this taskis
easily accomplished:
there is a rationalexpression for j
in terms of ro, with coefficients inZ,
so thatreducing
to Fyields
a rationalexpression for j
in terms of tr.However,
thisapproach
canonly
bepossible
whenthe associated modular curve is of genus zero. This is the case for the Weber
functions,
which are functions onXo(2).
A rationalexpression
stillexists for the
simple 71-quotients
tri with f E~3, 4, 5, 7, 9, 13, 251.
All othermodular curves
Xo (N)
are notrational,
whence there is nopossibility
of ob-taining j directly.
Forrol
of level4,
9 or25,
moreover, the function field extension is ofdegree 2;
otherwisesaid,
isnot a rational model for the function field of
Xo(N).
However,
in any casero’ and j
are still relatedby
the modularpoly-
nomial E which
already played
a role in theproof
of Theorem
3.3,
and which is studied morethoroughly
in[10]. Here,
itsuffices to recall that is a
polynomial
inZ[X, j]
such that0.
Hence,
the desiredvalue j
is among the roots of(tu, J)
in F. _ _In
general,
there will be severalleading
to severalelliptic
curves
El, ... , Ek (and
theirquadratic twists),
and it remains to test which of them hascomplex multiplication by
D. As thecardinality
of thetarget
curve is
known,
aquick
check consists oftaking
a randompoint
on eachcurve and
testing
whether it has torsionby
thiscardinality.
This test willrule out most
(in particular
thequadratic twists),
but notnecessarily
all ofthe candidates.
In certain
applications (construction
ofelliptic
curvecryptosystems,
el-liptic
curveprimality proving),
one is notnecessarily
interested in the com-plex multiplication
discriminantitself,
but rather in the curvehaving
apoint
oflarge,
knownprime order,
which can be checkedeasily.
In the casethat
4[F[
=u2
+IDtv2 with v # 1,
onemight
then end up with a curvehaving complex multiplication by D f i
with and1;
if one hasstarted with D = of non-trivial conductor
f ,
onemight
also end up withcomplex multiplication by D/g2 for
someUnfortunately, v #
1happens systematically
for D = 1(mod 8) and [F[ odd,
where21v
and thecurves with
complex multiplication by
D andby
4D have the same cardi-nality.
If one wants to be sure to havecomplex multiplication by
thegiven discriminant,
one needs to use Kohel’salgorithm [18, 12]
forcomputing
theexact
endomorphism rings
of the constructed curves.Of course, the
approach
sketched here forderiving
thej-invariant
andthus the
complex multiplication
curve from a root of some classpolynomial
is not limited to : it can be used for tul or any other class invariant whose modular
polynomial
is an element of7l[X,j].
5.
Examples
and discussionWe
implemented
thecomputation
ofring
class fields andelliptic
curvesover
prime
fields via double1]-quotients
inC, using
gmp,mpfr
and mpc for thecomputation
of classpolynomials
and ntl for their factorisation[14, 15, 11, 25].
For more details andimplementational tricks,
see[8].
As a first small
example, computable "by hand",
consider D = -23 withh(D)
=3,
pi = 3 and p2 = 13. Let q be the smallestprime larger
than1000 such that the
resulting
curve overFq
has order C =cQ
withQ prime
and c E
{1,2,3,4}.
Then q = 1117 and C = 1084 = 4. 271.A
(partial) 39-system
isgiven by [1, -61, 936~, leading
to thepair
of com-plex conjugates 0.87 + 0.75i,
and[2, - 61, 468], leading
to the realconjugate
-0.75.
Hence,
the classpolynomial
isH-23[tP3,131 = X 3 - X 2
+ 1. A rootmodulo q
isgiven by
176. The modularpolynomial ~3,13
is ofdegree
2in
j,
see(10~,
and itsspecialisation
has the two roots 946 and88;
an el-liptic
curve withj-invariant
946 and 1084points
overFii17
is obtained asE :
y2
=X3
+ 455X + 1048.For
larger examples,
it is useful to know therequired precision
for thecomplex approximations.
Thisprecision depends essentially
on thelargest
coefficient of the
computed
classpolynomial.
Thelogarithm
of its absolutevalue is the
logarithmic height
of thepolynomial.
An estimate for theheight
is
provided
in[8].
ForHD ( j ~,
the heuristic estimate is~,
wherethe sum is taken over all reduced
quadratic
forms(A, B, C]
of discrimi- nant D. For other classinvariants,
theheight
isproved
toasymptotically change by
a constantfactor, given by
thequotient
of thedegrees
of themodular
polynomial
pol Yn in the differentvariables, g2013 (x ?’
degx(FXj7
In our case,by
yTheorem 9 of
[10],
the factor iswhich is
always
smaller than 1. Its smallest value1/28
is obtained fortu3,13.
The size of this factor allows to set up a
hierarchy
of classinvariants,
orderedcorresponding
to theprecision required
to carry out thecomputations
andthus
ultimately according
to theefhciency
of thecomputations.
Providing
anexample
ofcryptographic size,
let D = -78641219 withh(D)
=5000,
andlet q
be the smallest 192-bitprime leading
to anelliptic
curve with a
prime
number ofpoints.
Thenand the
cardinality
isWe may choose pi = 3 and p2 = 61.
Using
the above estimate for theheight
of the class
polynomial (and adding
a few bits to allow forrounding errors),
we
compute
allapproximations
tocomplex
numbers with aprecision
of14793 bits. In
fact,
thelargest
coefficient of the classpolynomial
turns outto have 13050 bits.
On an Athlon 64 with 2.4
GHz,
thetimings
for the differentsteps
of thecurve
computation
are as follows:0.3 s for the class group and an
N-system
94 s for the
conjugates
58 s to derive the minimal
polynomial
from theconjugates
29 s for the root i5 modulo p
0.1 s for
factoring ’I~3,61(15,j)
andconstructing
the curveWhile the
degree
of the modularpolynomial ~3,61 in j
is 10by
Theorem 9of
[10], actually only
2 of its roots are elementsof Fq.
Anelliptic
curve overand
finally
the curveequation
E :y2
=X~
+ aX + b withAcknowledgements.
We aregrateful
toFrançois
Morain for hishelp-
ful comments on a
previous
version of this article. The first author wassupported by
agrant
of the German AcademicExchange
Service(DAAD).
References
[1] A. O. L. ATKIN, F. MORAIN, Elliptic curves and primality proving. Mathematics of Com- putation, 61(203) (July 1993), 29-68.
[2] Z. I. BOREVICH, I. R. SHAFAREVICH, Number Theory. Pure and Applied Mathematics, Aca- demic Press, New York, 1966.
[3] DAVID A. Cox, Primes of the Form x2 +ny2 - Fermat, Class Field Theory, and Complex Multiplication. John Wiley & Sons, New York, 1989.
[4] R. DEDEKIND, Erläuterungen zu den vorstehenden Fragmenten. In R. Dedekind and H. We- ber, editors, Bernhard Riemann’s gesammelte mathematische Werke und wissenschaftlicher Nachlaß, pages 438-447. Teubner, Leipzig, 1876.
[5] MAX DEURING, Die Typen der Multiplikatorenringe elliptischer Funktionenkörper. Abhand- lungen aus dem mathematischen Seminar der hamburgischen Universität 14 (1941), 197-
272.
[6] MAX DEURING, Die Klassenkörper der komplexen Multiplikation. In Enzyklop. d. math.
Wissenschaften, volume I 2 Heft 10. Teubner, Stuttgart, 2 edition, 1958.
[7] ANDREAS ENGE, Elliptic Curves and Their Applications to Cryptography - An Introduc- tion. Kluwer Academic Publishers, 1999.
[8] ANDREAS ENGE, FRANÇOIS MORAIN, Comparing invariants for class fields of imaginary quadratic fields. In Claus Fieker and David R. Kohel, editors, Algorithmic Number Theory
2014
ANTS-V, volume 2369 of Lecture Notes in Computer Science, pages 252-266, Berlin,
2002. Springer-Verlag.
[9] ANDREAS ENGE, FRANÇOIS MORAIN, Further investigations of the generalised Weber func-
tions. In preparation, 2005.
[10] ANDREAS ENGE, REINHARD SCHERTZ, Modular curves of composite level. To appear in Acta Arithmetica, 2005.
[11] ANDREAS ENGE, PAUL ZIMMERMANN, mpc 2014 a library for multiprecision complex arithmetic with exact rounding. Version 0.4.3, available from http://www.lix.polytechnique.fr/Labo/
Andreas.Enge/Software.html.
[12] MIREILLE FOUQUET, FRANÇOIS MORAIN, Isogeny volcanoes and the SEA algorithm. In Claus
Fieker and David R. Kohel, editors, Algorithmic Number Theory 2014 ANTS-V, volume 2369 of Lecture Notes in Computer Science, pages 276-291, Berlin, 2002. Springer-Verlag.
[13] SHAFI GOLDWASSER, JOE KILIAN. Almost all primes can be quickly certified. In Proc. 18th
Annual ACM Symp. on Theory of Computing, pages 316-329, 1986.
[14] TORBJÖRN GRANLUND ET. AL., gmp 2014 GNU multiprecision library. Version 4.1.4, available from http://www.swox.com/gmp.
[15] GUILLAUME HANROT, VINCENT LEFÈVRE, PAUL ZIMMERMANN ET. AL., mpfr 2014 a library for multiple-precision floating-point computations with exact rounding. Version 2.1.0, available
from http://www.mpfr.org.
[16] CARL GUSTAV JACOB JACOBI, Fundamenta nova theoriae functionum ellipticarum. In Gesammelte Werke, pages 49-239. Chelsea, New York, 2 (1969) edition, 1829.
[17] NEAL KOBLITZ Elliptic curve cryptosystems. Mathematics of Computation 48(177) (Janu-
ary 1987), 203-209.
[18] DAVID KOHEL Endomorphism Rings of Elliptic Curves over Finite Fields. PhD thesis, Uni- versity of California at Berkeley, 1996.
[19] GEORG-JOHANN LAY, HORST G. ZIMMER, Constructing elliptic curves with given group order
over large finite fields. In Leonard M. Adleman and Ming-Deh Huang, editors, Algorithmic
Number Theory, volume 877 of Lecture Notes in Computer Science, pages 250-263, Berlin,
1994. Springer-Verlag.
[20] H. W. LENSTRA JR., Factoring integers with elliptic curves. Annals of Mathematics 126
(1987), 649-673.
[21] VICTOR S. MILLER, Use of elliptic curves in cryptography. In Hugh C. Williams, editor, Advances in Cryptology 2014 CRYPTO ’85, volume 218 of Lecture Notes in Computer Science,
pages 417-426, Berlin,1986. Springer-Verlag.
[22] MORRIS NEWMAN, Construction and application of a class of modular functions (II). Pro- ceedings of the London Mathematical Society 3rd Series 9 (1959), 373-387.
[23] REINHARD SCHERTZ, Zur expliziten Berechnung von Ganzheitsbasen in Strahlklassenkörpern
über einem imaginär-quadratischen Zahlkörper. Journal of Number Theory 34(1) (January 1990), 41-53.
[24] REINHARD SCHERTZ, Weber’s class invariants revisited, Journal de Théorie des Nombres de Bordeaux 14(1) (2002), 325-343.
[25] VICTOR SHOUP, ntl 2014 a library for doing number theory. Version 5.3.2, available from
http://www.shoup.net/ntl/.
[26] JOSEPH H. SILVERMAN, The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics.
Springer-Verlag, New York, 1986.
[27] HEINRICH WEBER, Lehrbuch der Algebra, volume 3. Chelsea Publishing Company, New York, 3rd edition, 1908.
Andreas ENGE
INRIA Futurs & LIX (CNRS/UMR 7161) Ecole polytechnique
91128 Palaiseau cedex, France E-mail: engeGlix.polytechnique.fr
URL: http : //www. lix . polytechnique. fr/Labo/Andreas . Enge/
Reinhard SCHERTZ Institut fur Mathematik Universitat Augsburg
86135 Augsburg, Deutschland
E-mail: schertzomath. uni-augsburg . de
