| Prime field with |
|
| Characteristic of the field | |
| Elliptic curve given by a short Weierstrass equation over the field | |
| Order of the elliptic curve | |
| Frobenius map |
Let:
This can be transformed to:
Hasse's bound states:
We already know
- Choose a set $S = \{l_1, l_2, \dots, l_k\}$ of the smallest distinct primes $l \neq p$, such that the product $L$ is larger than $4\sqrt{p}$
- Compute $t \bmod{l}$ for each prime $l \in S$:
  - For $l = 2$:
    - if $\deg(\gcd(x^3 + ax + b, (x^p - x) \bmod (x^3 + ax + b))) = 0$ (i.e. if $y^2$ has no roots): $t \equiv 1 \pmod{2}$
    - else: $t \equiv 0 \pmod{2}$
  - For each other $l$:
    - Compute the $l$-division polynomial $\psi_l(x)$ of $E(\mathbb{F}_p)$
    - The following computations happen in the polynomial quotient ring $\mathbb{F}_p[x,y]/(\psi_l(x), y^2 - x^3 - ax - b)$
    - Define the symbolic point $P = (x, y)$ on $E(\mathbb{F}_p)$
    - Define the Frobenius endomorphism $\phi(P) = (x^p, y^p)$
    - Define the square of the Frobenius endomorphism $\phi^2(P) = (x^{p^2}, y^{p^2})$
    - For each $\tau \in \{0, \dots, l-1\}$:
      - If $\phi^2(P) + [p \bmod l]P = [\tau]\phi(P)$:
        - $t \equiv \tau \pmod{l}$
        - Break from for loop
- Recover $t$:
  - Use the Chinese Remainder Theorem on the computed congruences ($t \bmod{l}$)
  - This gives a unique solution $t \bmod L$
  - Find the specific value of $t$ in the interval $[-2\sqrt{p}, 2\sqrt{p}]$ that matches this solution.
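The prime selection, the $l = 2$ step and the recovery of $t$ from the steps above, as an added Python example (not code from the original page; all function names are chosen here). It assumes a prime $p > 3$ and a non-singular curve, and the residues for odd $l$ are taken from a brute-force count as a stand-in for the division-polynomial step, which is not implemented.

```python
def naive_order(p, a, b):  # brute-force #E(F_p), O(p); reference value only
    leg = lambda v: (pow(v, (p - 1) // 2, p) + 1) % p - 1  # Legendre symbol
    return p + 1 + sum(leg((x**3 + a*x + b) % p) for x in range(p))

def choose_primes(p):  # smallest primes l != p with product L > 4*sqrt(p)
    S, L, l = [], 1, 2
    while L * L <= 16 * p:
        if l != p and all(l % q for q in range(2, l)):
            S, L = S + [l], L * l
        l += 1
    return S

def mulmod(u, v, p, a, b):  # u*v in F_p[x]/(x^3+ax+b), using x^3 = -ax - b
    c = [sum(u[i] * v[k - i] for i in range(3) if 0 <= k - i < 3) for k in range(5)]
    return [(c[0] - b*c[3]) % p, (c[1] - b*c[4] - a*c[3]) % p, (c[2] - a*c[4]) % p]

def poly_gcd(f, g, p):  # Euclid in F_p[x]; coefficient lists, lowest degree first
    while g:
        inv = pow(g[-1], -1, p)
        while len(f) >= len(g):
            q, s = f[-1] * inv % p, len(f) - len(g)
            f = [(c - q * g[i - s]) % p if i >= s else c for i, c in enumerate(f)]
            while f and f[-1] == 0:
                f.pop()
        f, g = g, f
    return f

def trace_mod_2(p, a, b):  # the l = 2 step: degree of gcd(x^3+ax+b, x^p - x)
    r, base, e = [1, 0, 0], [0, 1, 0], p
    while e:  # square-and-multiply: r = x^p mod (x^3+ax+b)
        if e & 1:
            r = mulmod(r, base, p, a, b)
        base, e = mulmod(base, base, p, a, b), e >> 1
    g = [r[0], (r[1] - 1) % p, r[2]]  # (x^p - x) mod (x^3+ax+b)
    while g and g[-1] == 0:
        g.pop()
    return 1 if len(poly_gcd([b % p, a % p, 0, 1], g, p)) == 1 else 0

def recover_trace(residues, p):  # CRT, then the representative in Hasse's interval
    t, L = 0, 1
    for l, r in residues.items():
        t += L * ((r - t) * pow(L, -1, l) % l)
        L *= l
    return t - L if t * t > 4 * p else t

def curve_order(p, a, b):
    t_ref = p + 1 - naive_order(p, a, b)  # assumption: stand-in for the odd-l step
    res = {l: trace_mod_2(p, a, b) if l == 2 else t_ref % l for l in choose_primes(p)}
    return p + 1 - recover_trace(res, p)
```

For $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ the selected primes are 2, 3, 5, the congruences combine to $29 \bmod 30$, and the representative in Hasse's interval is $t = -1$, giving order 19.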