Cryptography Reference
In-Depth Information
If
q
is very large, the polynomial
x
q
has very large degree. Therefore, it is
x
q
(mod
x
3
+
Ax
+
B
) by successive squaring
(cf. Section 2.2), and then use the result to compute
more e
cient to compute
x
q
≡
x, x
3
+
Ax
+
B
)=gcd(
x
q
x, x
3
+
Ax
+
B
)
.
gcd(
x
q
−
−
If the gcd is 1, then there is no common root and
a
is odd. If the gcd is not
1, then
a
is even. This finishes the case
=2.
In the following, various expressions such as
x
q
and
x
q
2
will be used. They
will always be computed mod a polynomial in a manner similar to that just
done in the case
=2
In Section 3.2, we defined the division polynomials
ψ
n
.When
n
is odd,
ψ
n
is a polynomial in
x
and, for (
x, y
)
∈
E
(
F
q
), we have
(
x, y
)
∈ E
[
n
]
⇐⇒ ψ
n
(
x
)=0
.
These polynomials play a crucial role in Schoof's algorithm.
Let
φ
q
be the Frobenius endomorphism (not to be confused with the poly-
nomials
φ
n
from Section 3.2, which are not used in this section), so
φ
q
(
x, y
)=(
x
q
,y
q
)
.
By Theorem 4.10,
φ
q
− aφ
q
+
q
=0
.
Let (
x, y
)beapointoforder
.Then
x
q
2
,y
q
2
+
q
(
x, y
)=
a
(
x
q
,y
q
)
.
Let
q
≡ q
(mod
)
,
|q
| </
2
.
Then
q
(
x, y
)=
q
(
x, y
), so
x
q
2
,y
q
2
+
q
(
x, y
)=
a
(
x
q
,y
q
)
.
Since (
x
q
,y
q
) is also a point of order
, this relation determines
a
mod
.The
idea is to compute all the terms except
a
in this relation, then determine a
value of
a
that makes the relation hold. Note that if the relation holds for
one point (
x, y
)
∈ E
[
], then we have determined
a
(mod
); hence, it holds
for all (
x, y
)
∈ E
[
].
Assume first that
x
q
2
,y
q
2
=
±
q
(
x, y
)forsome(
x, y
)
∈
E
[
]. Then
(
x
,y
)
de
=
x
q
2
,y
q
2
+
q
(
x, y
)
=
∞,
Search WWH ::
Custom Search