Cryptography Reference
In-Depth Information
PROOF The $j$-invariant of $y^2 = x(x-1)(x-\lambda)$ is
$$\frac{2^8(\lambda^2 - \lambda + 1)^3}{\lambda^2(\lambda - 1)^2}$$
(see Exercise 2.13), so the values of $\lambda$ yielding a given $j$ are roots of the polynomial
$$P_j(\lambda) = 2^8(\lambda^2 - \lambda + 1)^3 - j\lambda^2(\lambda - 1)^2.$$
The discriminant of this polynomial is $2^{30}(j - 1728)^3 j^4$, which is nonzero unless $j = 0$ or $1728$. Therefore, there are 6 distinct values of $\lambda \in \overline{\mathbf{F}}_p$ corresponding to each value of $j \neq 0, 1728$. If one of these $\lambda$'s is a root of $H_p(T)$, then all six must be roots, since the corresponding elliptic curves are all the same (up to changes of variables), and therefore all or none are supersingular.
Since the degree of $H_p(T)$ is $(p-1)/2$, we expect approximately $(p-1)/12$ supersingular $j$-invariants, with corrections needed for the cases when at least one of $j = 0$ or $j = 1728$ is supersingular.
When $j = 0$, the polynomial $P_j(\lambda)$ becomes $2^8(\lambda^2 - \lambda + 1)^3$, so there are two values of $\lambda$ that give $j = 0$. When $j = 1728$, the polynomial becomes $2^8(\lambda - 2)^2(\lambda - \tfrac{1}{2})^2(\lambda + 1)^2$, so there are three values of $\lambda$ yielding $j = 1728$.
A curve with $j$-invariant 0 can be put into the form $y^2 = x^3 + 1$ over an algebraically closed field. Theorem 4.34 therefore tells us that when $p \equiv 2 \pmod 3$, the two $\lambda$'s yielding $j = 0$ are roots of $H_p(T)$. Similarly, when $p \equiv 3 \pmod 4$, the three $\lambda$ yielding $j = 1728$ are roots of $H_p(T)$.
Putting everything together, the total count of roots of $H_p(T)$ is
$$6 \cdot \#\{\text{supersingular } j \neq 0, 1728\} + 2\delta_{2(3)} + 3\delta_{3(4)} = \deg H_p(T) = (p-1)/2,$$
where $\delta_{i(j)} = 1$ if $p \equiv i \pmod j$ and $= 0$ otherwise.
Suppose that $p \equiv 5 \pmod{12}$. Then $\delta_{2(3)} = 1$ and $\delta_{3(4)} = 0$, so the number of supersingular $j \neq 0, 1728$ is
$$\frac{p-1}{12} - \frac{1}{3} = \left\lfloor \frac{p}{12} \right\rfloor.$$
Adding 1 for the case $j = 0$ yields the number given in the proposition. The other cases of $p \pmod{12}$ are similar.
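The root count in the proof can be checked numerically for $p = 23$, the prime used in Example 4.14. The Python below is an added example, not part of the original text: it rebuilds $H_{23}(T)$, multiplies out the factorization quoted in Example 4.14, and confirms that the first six roots form one orbit with a single $j$-invariant. It assumes the definition $H_p(T) = \sum_i \binom{(p-1)/2}{i}^2 T^i \pmod p$, which is not stated on this page; all function names are illustrative.

```python
from math import comb

def hasse_poly(p):
    # Assumed definition (not stated on this page):
    # H_p(T) = sum_{i=0}^{n} C(n, i)^2 T^i mod p, with n = (p - 1)/2.
    n = (p - 1) // 2
    return [comb(n, i) ** 2 % p for i in range(n + 1)]  # low degree first

def poly_mul(a, b, p):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for k, y in enumerate(b):
            out[i + k] = (out[i + k] + x * y) % p
    return out

def j_invariant(lam, p):
    # j = 2^8 (lam^2 - lam + 1)^3 / (lam^2 (lam - 1)^2), the formula in the proof.
    num = 256 * pow(lam * lam - lam + 1, 3, p)
    den = pow(lam * (lam - 1), 2, p)
    return num * pow(den, -1, p) % p

def orbit(lam, p):
    # The six values of lambda that share one j-invariant (j != 0, 1728).
    inv = lambda a: pow(a % p, -1, p)
    return [lam % p, inv(lam), (1 - lam) % p, inv(1 - lam),
            lam * inv(lam - 1) % p, (lam - 1) * inv(lam) % p]

def supersingular_j_count(p):
    # Solve 6*N + 2*d23 + 3*d34 = (p - 1)/2 for N, then add j = 0 and j = 1728
    # when they are supersingular.
    if p < 5:
        raise ValueError("the count in the proof needs p >= 5")
    d23, d34 = int(p % 3 == 2), int(p % 4 == 3)
    generic, rem = divmod((p - 1) // 2 - 2 * d23 - 3 * d34, 6)
    assert rem == 0
    return generic + d23 + d34

def example_factors(p=23):
    # Multiply out the factorization of H_23(T) given in Example 4.14.
    prod = [1]
    for r in (3, 8, 21, 11, 13, 16, 2, 12, -1):
        prod = poly_mul(prod, [-r % p, 1], p)
    return poly_mul(prod, [1, -1 % p, 1], p)  # times T^2 - T + 1

if __name__ == "__main__":
    p = 23
    print(example_factors(p) == hasse_poly(p))
    print(orbit(3, p), {j_invariant(l, p) for l in orbit(3, p)})
    print(j_invariant(2, p), 1728 % p, supersingular_j_count(p))
```

For $p = 23$ both $\delta_{2(3)}$ and $\delta_{3(4)}$ equal 1, so the 11 roots split as $6 + 3 + 2$ and the count of supersingular $j$-invariants is 3.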
Example 4.14
When $p = 23$, we have
$$H_{23}(T) = (T-3)(T-8)(T-21)(T-11)(T-13)(T-16) \cdot (T-2)(T-12)(T+1)(T^2 - T + 1)$$
(this is a factorization over $\mathbf{F}_{23}$). The first 6 factors correspond to
$$\left\{\lambda,\ \frac{1}{\lambda},\ 1-\lambda,\ \frac{1}{1-\lambda},\ \frac{\lambda}{\lambda-1},\ \frac{\lambda-1}{\lambda}\right\},$$
 