Abstract

Elliptic curves with a known number of points over a given prime field F_n are often needed for use in cryptography. In the context of primality proving, Atkin and Morain suggested the use of the theory of complex multiplication to construct such curves. One of the steps in this method is the calculation of a root modulo n of the Hilbert class polynomial H_D(X) for a fundamental discriminant D. The usual way is to compute H_D(X) over the integers and then to find the root modulo n. We present a modified version of the Chinese remainder theorem (CRT) to compute H_D(X) modulo n directly from the knowledge of H_D(X) modulo enough small primes. Our complexity analysis suggests that asymptotically our algorithm is an improvement over previously known methods.

In order to use elliptic curves in cryptography, one often needs to construct elliptic curves with a known number of points over a given prime field. One way of doing this is to randomly pick elliptic curves and then to count the number of points on the curve over the prime field, repeating this until the desired number of points is found. Atkin and Morain (AtMor) pointed out that instead, one can use the theory of complex multiplication to construct elliptic curves with a known number of points. Although at present it may still be more efficient to count points on random curves, we hope that improving the complex multiplication method will eventually yield a more efficient algorithm. In some situations, using complex multiplication methods is the only practical possibility (e.g. if the prime is too large for point-counting to be efficient yet the discriminant of the imaginary quadratic field is relatively small).

This paper provides a new version of the complex multiplication method. Suppose n is an integer, usually a prime or a pseudo-prime, and one wants to construct an elliptic curve modulo n along with the number of points on that curve modulo n.
One of the steps in the complex multiplication method is the calculation of the Hilbert class polynomial H_D(X) modulo n for a certain fundamental discriminant D. The usual way to do this is to compute H_D(X) over the integers and then to reduce it modulo n. Atkin and Morain proposed computing H_D(X) as an integral polynomial by listing all the relevant binary quadratic forms, associating to each form an algebraic integer, evaluating the j-function at each of those as a floating point integer with sufficient precision, and then taking the product and rounding the coefficients to nearest integers. Let d = |D|. If we use the estimate given by formula (3), then in view of (LL, §5.10), the computation of H_D(X) by this method takes time O(d^2 (log d)^2). In (CNST, §4), the authors suggested computing H_D(X) mod p for sufficiently many small primes p and then using the Chinese remainder theorem (CRT) to compute H_D(X) as a polynomial with integer coefficients. In this paper we use a modified version of CRT to compute H_D(X) modulo n directly (knowing H_D(X) mod p for sufficiently many small
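
Added example (not from the paper): a standard "explicit CRT" that recovers each integer coefficient modulo n from its residues modulo small primes without ever reconstructing the integer, which is the kind of computation a CRT-directly-modulo-n step performs. The function names, the prime list, n = 1000003 and the use of the commonly tabulated D = -23 class polynomial as sample input are assumptions; the paper's own variant may differ in details.

```python
def explicit_crt_mod_n(residues, primes, n):
    """Return c mod n, where c is the integer with c = residues[i] mod primes[i]
    and |c| < M/4 (M = product of primes). Only arithmetic mod n, mod p_i and a
    few guard bits are used; the large integers c and M are never formed."""
    m = len(primes)
    k = (4 * m).bit_length()            # 2**k > 4m, so total truncation error < 1/4
    M_mod_n = 1
    for p in primes:
        M_mod_n = M_mod_n * p % n
    acc = 0                             # sum of t_i * (M/p_i), reduced mod n
    approx = 0                          # fixed-point approximation of sum t_i / p_i
    for c_i, p in zip(residues, primes):
        Mi_mod_p, Mi_mod_n = 1, 1       # M/p_i reduced mod p_i and mod n
        for q in primes:
            if q != p:
                Mi_mod_p = Mi_mod_p * q % p
                Mi_mod_n = Mi_mod_n * q % n
        t = c_i * pow(Mi_mod_p, -1, p) % p
        acc = (acc + t * Mi_mod_n) % n
        approx += (t << k) // p
    # sum t_i*(M/p_i) = c + r*M with r the nearest integer to sum t_i/p_i
    r = (approx + (1 << (k - 1))) >> k
    return (acc - r * M_mod_n) % n


def poly_mod_n(coeffs_mod_p, primes, n):
    """coeffs_mod_p[i] holds the polynomial's coefficients reduced mod primes[i]."""
    return [explicit_crt_mod_n(col, primes, n) for col in zip(*coeffs_mod_p)]


# Sample input: coefficients of the class polynomial for D = -23 as commonly
# tabulated, constant term first. They appear here only to build the residues
# and to check the answer.
H23 = [12771880859375, -5151296875, 3491750, 1]
PRIMES = [101, 103, 107, 109, 113, 127, 131]   # product > 4 * max |coefficient|
N = 1000003                                     # assumed target modulus


def demo():
    # In the real method these residues come from computing H_D(X) mod p
    # directly; here they are constructed from the known integer coefficients.
    inputs = [[c % p for c in H23] for p in PRIMES]
    return poly_mod_n(inputs, PRIMES, N)


if __name__ == "__main__":
    print(demo())
```

The bound |c| < M/4 is what makes the rounding step safe: if too few primes are used for the size of the coefficients, r is off by one and the result is silently wrong, so the prime set must be sized from a proven coefficient bound.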
