An Efficient Approach to Point-Counting on Elliptic Curves from a Prominent Family over the Prime Field F_p

Abstract: Here, we elaborate an approach for determining the number of points on elliptic curves from the family E_p = {E_a : y² = x³ + a (mod p), a ≠ 0}, where p is a prime number > 3. The essence of this approach consists in combining the well-known Hasse bound with an explicit formula for the quantities of interest reduced modulo p. This allows us to advance an efficient technique to compute the six cardinalities associated with the family E_p for p ≡ 1 (mod 3), whose complexity is Õ(log² p), thus improving the best-known algorithmic solution by almost an order of magnitude.


Introduction
Elliptic curves over finite fields play an important role in modern cryptography. We refer to [1] for an introduction concerning their cryptographic significance (see, as well, the pioneering works of V. Miller and N. Koblitz from the 1980s [2,3]). Briefly speaking, the advantage of so-called elliptic curve cryptography (ECC) over non-ECC public-key systems is that it requires smaller keys to provide the same level of security.
It is well known that, to avoid the relevant attacks against an ECC system (in particular the Pohlig–Hellman reduction of the discrete logarithm to the small prime-order subgroups), the number of points on the involved curve (called the order of the curve) must have at least one very large prime factor. In particular, if the order itself is a (large) prime, then the whole group is available for security and no such reduction is possible.
An efficient deterministic algorithm (of complexity at most a constant times log⁸ q bit operations, where q is the order of the employed finite field) which computes the order of a given elliptic curve of general type is presented in [4]. In this paper, however, we are interested in the whole family of curves E_p = {E_a : y² = x³ + a (mod p), a ≠ 0}, of cardinality p − 1. Thus, it is not practical to apply the Schoof algorithm deterministically to every curve of E_p when p is large, although the task remains feasible, taking into account the existence of only six equiprobable possibilities for the order (see Corollary 1) and the so-called coupon collector's problem from probability theory (see, e.g., [5]): a small random sample of curves is expected to exhibit all six orders. Of course, a similar claim is valid with respect to the probabilistic improvement of the Schoof algorithm, that is, the SEA algorithm [4], with expected running time, heuristically, Õ(log⁴ p).
Nevertheless, there are more efficient approaches to the problem of interest, like the algorithmic solution presented in [6], which takes O(log³ p) bit operations. Moreover, an even better approach (to which this article is devoted) does exist. There are two main differences between the approach followed in [6] and our own:

• Munuera and Tena proposed to use a general-purpose probabilistic algorithm [7] for finding the square root of an arbitrary quadratic residue modulo p in order to find √−3, where p ≡ 1 (mod 3). That algorithm has complexity O(log³ p), whereas our proposal for this task improves the complexity to Õ(log² p) thanks to an efficient targeted method for computing that specific value;

• The authors of [6] find solutions of the Diophantine equation F(X, Y) = X² + XY + Y² = 3p, while we solve X² + 3Y² = p. However, both tasks are carried out by appropriate uses of the Euclidean algorithm involving p and √−3 mod p; thus, both take O(log² p) bit operations (see, e.g., [8] or [9]).
Hence, our proposal outperforms that in [6] by almost an order of magnitude, although it is of probabilistic type, too.
For an analytic solution of the problem considered here, we refer to [10], where explicit formulae are obtained for the order of a curve E_a ∈ E_p in terms of a proper representation of the prime p in the form p = X² + Y² − XY for some integers X and Y. Those formulae, however, distinguish between many separate cases, and computational efficiency is certainly beyond the author's goals (see, for details, [10] Theorem 1). One may also find some particular instances of this problem as exercises in [11] Ch. 8, Ex. 15, 27.
Finally, it is worth pointing out that the results obtained by the approach followed in this article are comprehensive and compact, even though some long-established facts from the theory of quadratic partitions of primes are used. That approach has already been described in [12], but its efficiency is demonstrated there only in the case p ≡ 7 (mod 12), while in the present paper the idea is further refined and elaborated in full generality.
The paper is organized as follows. In the next section, we give some preliminaries. Section 3 exposes our approach to the problem, including the amended computational estimates for large p. Section 4 provides an example with a specially constructed prime modulus, and also discusses the results of a program experiment comparing the performance of our proposed algorithmic technique with that of the SEA algorithm in the considered scenario. Some conclusions are drawn in the last section.

Preliminaries
Let p be a prime > 3 and Z_p be the ring of residues modulo p, which can also be identified with the prime field F_p. We consider the family of elliptic curves E_p = {E_a : y² = x³ + a (mod p), a ∈ Z_p^*}, where Z_p^* = Z_p \ {0} is the multiplicative group of Z_p. (For p > 3 and a ≠ 0 the discriminant −16·27a² is nonzero, so every E_a is indeed an elliptic curve.) Our aim is to find a suitable method (involving closed-form formulae) for computing the order #E_a of a general member E_a of that family in terms of the parameters a and p.
For basic number-theoretic notions such as the least non-negative and the absolute least residue of an integer z modulo another (odd) integer m, we refer to [13], p. 93. The notations "≡" for congruence modulo p and "=" in Z_p will be used interchangeably, depending on the context.
Hereinafter, we recall some necessary supplementary notions and facts (possibly with slight abuses of terminology).
An element z ∈ Z_p^* is called a quadratic residue modulo p if there exists x ∈ Z_p^* such that z = x². Analogously, for d > 2, an element z ∈ Z_p^* is called a d-th power residue modulo p if there exists x ∈ Z_p^* such that z = x^d. The set of all d-th power residues forms a subgroup of Z_p^*. We denote the subgroups of quadratic and cubic residues (d = 2, 3) modulo p by QR_p and CR_p, respectively.
The next fact, Proposition 1 (whose statement appears at the end of this text), is an immediate extension of the celebrated Euler criterion from elementary number theory (see, e.g., [14] Ch. 7.5). It is well known that −3 ∈ QR_p if and only if p ≡ 1 (mod 3) (of course, √−3 modulo p takes two values, opposite in sign to each other). The following statement, which is crucial for the efficiency of our approach, shows how to find such a square root.

Proposition 2. Let z be a cubic non-residue modulo p, where p ≡ 1 (mod 3). Then 2z^{(p−1)/3} + 1 is equal to one of the square roots of −3 modulo p.

Proof. Indeed, according to Proposition 1, the assumption z ∉ CR_p implies that ζ = z^{(p−1)/3} is a third root of unity in Z_p^* different from 1. Thus, ζ satisfies ζ² + ζ + 1 = 0 (because 0 = ζ³ − 1 = (ζ − 1)(ζ² + ζ + 1) and ζ − 1 ≠ 0), whence (2ζ + 1)² = 4ζ² + 4ζ + 1 = 4(ζ² + ζ + 1) − 3 = −3.

Remark 1. Proposition 1 (with d = 3) easily implies that if p ≡ 1 (mod 3), the number of cubic non-residues modulo p equals (2/3)(p − 1). In other words, a randomly selected element of Z_p^* is a cubic non-residue with probability 2/3. Thus, provided a high-quality generator of random integers in the interval [2, p − 1] is available, a cubic non-residue is found after 1.5 attempts on average. In turn, the square roots of −3 modulo p can be efficiently determined using Proposition 2.
The next proposition expresses a folklore fact that is decisive for our work.

Proposition 3. For a positive integer k, let S_k(p) = ∑_{z=1}^{p−1} z^k. Then S_k(p) ≡ 0 (mod p) if (p − 1) ∤ k, and S_k(p) ≡ −1 (mod p) otherwise.

For completeness, we give a proof alternative to that exposed in [12].

Proof. We use the fact that Z_p^* is a cyclic group. Let g be a generator, that is, for any z ∈ Z_p^* there exists an i, 0 ≤ i ≤ p − 2, such that z = g^i. Putting u = g^k, the last congruence implies that S_k(p) (mod p) = ∑_{i=0}^{p−2} u^i. Now, there are two cases to be considered:
• if (p − 1) ∤ k, then u ≠ 1, since the order of g in Z_p^* is p − 1; this in turn gives S_k(p) ≡ (u^{p−1} − 1)/(u − 1) = 0 (mod p), as u^{p−1} = 1;
• otherwise, u = 1, the sum consists of p − 1 terms equal to 1, and S_k(p) ≡ p − 1 ≡ −1 (mod p).
There is no explicit formula for the number of points on an elliptic curve of general type over Z_p. The most relevant well-known result in this direction is the following bound (see, e.g., [15] Ch. 4).

Theorem 1 (Hasse). The number of points N on an elliptic curve over Z_p satisfies the inequality |N − (p + 1)| ≤ 2√p.

At the end of this section, we recall a needed fact from the theory of quadratic partitions of primes. This is a long-standing result due to Jacobi (1827), later elaborated by Stern (1832) (see [16] vol. III, p. 55 for historical details).

Proposition 4. If p is a prime of the form p = 6k + 1 for which p = X² + 3Y², then binom(3k, k) ≡ ±2X (mod p), where the sign is chosen such that ±X ≡ 1 (mod 3).

Our Approach
As mentioned in the Introduction, the general framework of our approach was described in [12].We briefly exhibit its basic steps here.
The following proposition helps to unambiguously fix the number N of points on a given elliptic curve, provided one can compute the absolute least residue of N − 1 modulo p, denoted by ALR(N − 1, p).

Proposition 5. In the notation of Theorem 1, for a prime p ≥ 17 it holds that N = p + 1 + ALR(N − 1, p).

Proof. Indeed, if p ≥ 17, then evidently 2√p < p/2. Thus, the Hasse theorem implies |(N − 1) − p| < p/2, which means that ALR(N − 1, p) = (N − 1) − p.
Remark 2. Note that if one can compute z (mod m), or equivalently the least non-negative residue R of an integer z modulo an odd m, then the absolute least residue follows at once: ALR(z, m) = R if R ≤ (m − 1)/2, and ALR(z, m) = R − m otherwise.

3.1. An Explicit Formula for the Order of an Elliptic Curve E_a ∈ E_p Reduced Modulo p

Initially, we derive the following congruence:

#E_a − 1 ≡ H(a, p) (mod p), (1)

where

H(a, p) = ∑_{i=0}^{(p−1)/2 − 1} binom((p−1)/2, i) a^i S_{3l}(p), (2)

with l = (p−1)/2 − i and the sums S_{3l}(p) defined in Proposition 3. (For the reader's convenience, in Appendix A we present a derivation of the expression for H(a, p), which has already been obtained in [12].) Further, we evaluate H(a, p) (mod p) using Proposition 3 and observe that the exponents 3l involved are exactly the multiples of 3 in the interval [3, 3(p−1)/2]. Thus, there are two distinct cases to be considered:

• p ≡ 5 (mod 6). In this case 3 ∤ (p − 1), so (p − 1) | 3l would force (p − 1) | l, which is impossible for 1 ≤ l ≤ (p−1)/2; hence Proposition 3 implies that all summands on the right-hand side of Equation (2) vanish mod p. So, H(a, p) ≡ 0 (mod p), and in turn, by Proposition 5, for each a it holds that #E_a = p + 1. Indeed, this is a well-known fact (see, e.g., [11] Ch. 18, Ex. 1).

• p ≡ 1 (mod 6). In this essential case, exactly one exponent in the interval, 3l = p − 1 (i.e., l = (p−1)/3 and i = (p−1)/6), is divisible by p − 1, so H(a, p) contains exactly one nonzero summand modulo p, namely that for i = (p−1)/6. Thus, it holds that

H(a, p) ≡ −binom((p−1)/2, (p−1)/6) a^{(p−1)/6} (mod p). (3)

Finally, together with Proposition 5, this immediately implies the following:

Theorem 2. For a prime p ≥ 19 such that p ≡ 1 (mod 6), it holds that #E_a = p + 1 + R(a, p), where R(a, p) denotes the absolute least residue of (3) modulo p.
An immediate consequence of Proposition 1 with d = 6 and Theorem 2 (except for the trivial cases p = 7, 13) is Corollary 1, whose statement appears at the end of this text.

Remark 3. Although the claim of Corollary 1 is known in one form or another (see, e.g., [17]), it seems that the uniform distribution of the curves' orders has not been wid
ely discussed in the literature.
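As an added worked instance (not part of the original paper), the derivation behind (1)–(3) is carried through below with the paper's own symbols and then evaluated for p = 19, the smallest prime to which Theorem 2 applies. The symbols $m$ and $\chi$ are abbreviations introduced here only.

Write $m = (p-1)/2$ and $\chi(v) = \bigl(\tfrac{v}{p}\bigr)$. Counting the two, one or zero values of $y$ over each $x$ and using Euler's criterion $\chi(v) \equiv v^{m} \pmod p$:
$$\#E_a = 1 + \sum_{x\in\mathbb{Z}_p}\bigl(1 + \chi(x^3+a)\bigr)
\equiv 1 + \sum_{x\in\mathbb{Z}_p}(x^3+a)^{m} \pmod p .$$
Separating $x = 0$ and expanding binomially for $x \in \mathbb{Z}_p^*$, with $l = m - i$,
$$\#E_a - 1 \equiv a^{m} + \sum_{i=0}^{m}\binom{m}{i}a^{i}\sum_{x\in\mathbb{Z}_p^*}x^{3l}
= a^{m} + \sum_{i=0}^{m}\binom{m}{i}a^{i}S_{3l}(p) \pmod p .$$
The summand $i = m$ equals $a^{m}S_0(p) = a^{m}(p-1) \equiv -a^{m}$ and cancels the leading $a^{m}$, which leaves $\#E_a - 1 \equiv H(a,p)$ with $H$ as in (2). By Proposition 3, $S_{3l}(p) \equiv -1$ exactly when $(p-1) \mid 3l$; for $1 \le l \le m$ this forces $3l = p-1$, possible only if $p \equiv 1 \pmod 6$, and then $i = m - \tfrac{p-1}{3} = \tfrac{p-1}{6}$, which is (3).

For $p = 19$: $\binom{9}{3} = 84 \equiv 8 \pmod{19}$, in agreement with Proposition 4, since $19 = 4^2 + 3\cdot 1^2$, $X = 4 \equiv 1 \pmod 3$ and $2X = 8$. The sixth roots of unity modulo 19 are $\{1, 18, 7, 12, 11, 8\}$, so for $u = a^{3}$ running over them,
$$-8u \bmod 19 \in \{11, 8, 1, 18, 7, 12\},\qquad R(a,19) \in \{-8, 8, 1, -1, 7, -7\},\qquad \#E_a \in \{12, 28, 21, 19, 27, 13\},$$
all inside the Hasse interval $20 \pm 2\sqrt{19} \approx 20 \pm 8.7$, and summing to $6\cdot 20$ because $R$ changes sign with $u$. A direct count confirms the first entry: for $a = 1$, $x^3$ takes the value $0$ once and each sixth root of unity three times, so $x^3 + 1 \in \{1, 2, 8, 12, 0, 13, 9\}$ with $\chi = 1, -1, -1, -1, 0, -1, 1$ respectively, giving $2 + 3 + 6 = 11$ affine points and $\#E_1 = 12$.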

3.2. Computational Aspects of Point-Counting in E_p When p Is a Large Prime
In this subsection, we refine and re-estimate the algorithmic technique described roughly in [12].
A key part of those computations is that of binom((p−1)/2, (p−1)/6) (mod p). Fortunately, this problem can be addressed by noticing that if p is of the form p = 6k + 1, then binom((p−1)/2, (p−1)/6) = binom(3k, k). Hence, Proposition 4 allows the modular computation of this binomial coefficient to be performed by taking the proper X from a solution of the quadratic Diophantine equation X² + 3Y² = p in the two unknowns X and Y. Such a solution can be found by applying a method similar to that exhibited in [18], consisting of two steps:

• Step 1. Find a square root of −3 in Z_p^*;
• Step 2. Find X by applying (partly) the Euclidean algorithm to p and the already found √−3 ∈ Z_p^*.

As follows from Proposition 2, Step 1 can be performed if one knows in advance a cubic non-residue mod p. If, for a given p, such a non-residue is not available, it can be found after 1.5 attempts on average, following Remark 1. Namely, in every such attempt, for a randomly selected integer z ∈ [2, p − 1], we compute the element ζ = z^{(p−1)/3} and check whether ζ ≠ 1. If this happens, then 2ζ + 1 is one of the two possible values of √−3 in demand. Thus, taking into account the complexity of a single multiplication (squaring) (see, e.g., [19,20]), the expected amount of work in Step 1 is, heuristically, Õ(log² p). Additionally, notice that Step 2 is of complexity O(log² p) (see, e.g., [9] Theorem 3.13 for details).

Remark 4. If p ≡ 7 (mod 12), there is an efficient deterministic way to find a square root of any quadratic residue ζ, namely by computing ζ^{(p+1)/4} (such p satisfy p ≡ 3 (mod 4)). In particular, this can be applied for ζ = −3 (see [12]).
Besides that, as can be seen from Corollary 1, the six possible distinct values of the second factor a^{(p−1)/6} in expression (3) are expressed linearly in terms of the already found √−3. In summary, the above considerations show the validity of the next theorem:

Theorem 3. The total computational complexity of simultaneously finding the six orders linked with the family E_p by the proposed algorithmic technique is Õ(log² p).
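The two-step procedure above, carried end to end as an added example; this is neither the paper's code nor the implementation used in its experiments. It assumes only the Python standard library. The Euclidean step is the classical Cornacchia method (the name is ours; the paper only says "Euclidean algorithm"), the cubic non-residue is scanned deterministically from z = 2 instead of being drawn at random as the paper does, and the curve arithmetic at the end (affine double-and-add, naive counting, and the constructed check points) is added solely as an independent check of the computed orders:

```python
# Added example, not the paper's code: the point-counting technique of Section 3 for
# E_a: y^2 = x^3 + a over F_p, p = 1 (mod 6), p >= 19, with two independent checks
# (naive counting for small p; N*P = O on a 257-bit curve).  Assumes only the Python
# standard library.  The Euclidean step is Cornacchia's method; the cubic non-residue
# is scanned from z = 2 instead of being drawn at random, as the paper does.
from math import isqrt

PAPER_PRIME = 2**256 + 2**56 + 2**44 + 1        # the modulus of the paper's Example


def sqrt_minus_3(p):
    """Proposition 2: 2*z^((p-1)/3) + 1 is a square root of -3 for any cubic non-residue z."""
    assert p % 3 == 1 and p > 3
    for z in range(2, p):
        zeta = pow(z, (p - 1) // 3, p)
        if zeta != 1:                            # z is a cubic non-residue
            s = (2 * zeta + 1) % p
            assert s * s % p == p - 3
            return s
    raise ValueError("no cubic non-residue: p is not a prime = 1 (mod 3)")


def quadratic_partition(p, s):
    """Step 2 (Cornacchia): Euclid on p and s = sqrt(-3) mod p, stopping at the first
    remainder below sqrt(p), gives |X| with X^2 + 3Y^2 = p.  X is returned with the
    sign Proposition 4 needs, X = 1 (mod 3)."""
    r0, r1 = p, min(s, p - s)                    # start from the root that is <= p/2
    bound = isqrt(p)
    while r1 > bound:
        r0, r1 = r1, r0 % r1
    X, rem = r1, p - r1 * r1
    Y = isqrt(rem // 3)
    assert rem % 3 == 0 and 3 * Y * Y == rem, "Euclid did not yield X^2 + 3Y^2 = p"
    return (X if X % 3 == 1 else -X), Y


def abs_least_residue(t, p):
    """Remark 2: least non-negative residue -> absolute least residue."""
    t %= p
    return t if t <= (p - 1) // 2 else t - p


def six_orders(p):
    """Theorem 2 / Corollary 1: the six orders in E_p, keyed by u = a^((p-1)/6)."""
    assert p % 6 == 1 and p >= 19
    s = sqrt_minus_3(p)
    X, _ = quadratic_partition(p, s)
    binom = 2 * X % p                            # Proposition 4: C((p-1)/2,(p-1)/6) mod p
    zeta = (s - 1) * pow(2, -1, p) % p           # primitive cube root of unity, 2*zeta+1 = s
    zeta2 = zeta * zeta % p                      # the other one (= zeta + s mod p)
    roots = [1, p - 1, zeta, p - zeta, zeta2, p - zeta2]
    return {u: p + 1 + abs_least_residue(-binom * u, p) for u in roots}  # (3) and Prop. 5


def curve_order(p, a, orders=None):
    """#E_a for one a in Z_p^*, reusing a table from six_orders if given."""
    orders = six_orders(p) if orders is None else orders
    return orders[pow(a, (p - 1) // 6, p)]


def naive_order(p, a):
    """Direct O(p) count of points on y^2 = x^3 + a (validation only)."""
    n = 1                                        # the point at infinity
    for x in range(p):
        v = (x * x * x + a) % p
        if v == 0:
            n += 1
        elif pow(v, (p - 1) // 2, p) == 1:       # Euler's criterion: v is a square
            n += 2
    return n


def ec_mul(p, a, P, n):
    """Affine double-and-add on y^2 = x^3 + a; None is the point at infinity."""
    def add(P, Q):
        if P is None or Q is None:
            return Q if P is None else P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2:
            if (y1 + y2) % p == 0:
                return None                      # Q = -P
            lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p   # tangent slope (no x term)
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        return x3, (lam * (x1 - x3) - y1) % p
    R = None
    while n:
        if n & 1:
            R = add(R, P)
        P, n = add(P, P), n >> 1
    return R


def check_with_point(p, x0, y0, orders=None):
    """Choose the point first: a = y0^2 - x0^3 puts (x0, y0) on E_a with no square root
    needed.  Returns (N, True) when N*(x0, y0) = O, i.e. the computed N is consistent."""
    a = (y0 * y0 - x0 ** 3) % p
    N = curve_order(p, a, orders)
    return N, ec_mul(p, a, (x0, y0), N) is None


if __name__ == "__main__":
    table = six_orders(PAPER_PRIME)
    for N in sorted(table.values()):             # compare with the list in the Example
        print(f"{N:X}")
    print(check_with_point(PAPER_PRIME, 3, 5, table))
```

Run stand-alone, the script prints the six orders for the paper's prime p = 2^256 + 2^56 + 2^44 + 1 in hexadecimal, which can be compared with the list in the Example section, and then confirms that N·P = O for a constructed point P. That check shows only that ord(P) divides N; since at most one multiple of ord(P) falls inside the Hasse interval once ord(P) > 4√p, a random point settles the matter in practice, and the naive count used for small p is the exact reference.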

An Example
The example presented here illustrates our probabilistic approach. We choose as the modulus the prime p = 2^256 + 2^56 + 2^44 + 1, which is congruent to 1 (mod 12).
The numerical data presented below are in the hexadecimal number system. Consecutively, we:
• find √−3 (mod p) by Proposition 2 (Step 1);
• find X with X² + 3Y² = p by the Euclidean algorithm applied to p and √−3 (Step 2);
• obtain binom((p−1)/2, (p−1)/6) (mod p) = 2X by Proposition 4;
• calculate the values of expression (3) using 1, ζ₁ and ζ₂ in the role of the multiplier a^{(p−1)/6}, and take their opposites.
Finally, we find the six orders associated with E_p:
100000000000000000000000000000001424C31B8DEEE3560F43EEB286A294004,
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBDB3CE472111CA9F0DC134D795D6C000,
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE065220C024EA85B297C0746F361E6B81,
* 100000000000000000000000000000001F9ADDF3FDB157A4D6A3FAB90C9E19483,
100000000000000000000000000000000B761AD86FC2744EC7700D0685FB85481,
* FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF489E527903D8BB138AFF4F97A047AB83.
By examining the above numbers with the APR-CL primality test, we detect two prime orders (marked by "*"), which correspond to #E_31 and #E_11.

Efficiency Comparison with the SEA Algorithm
In the program experiments comparing the efficiency of the SEA algorithm with that of the proposed one, both applied to instances of the considered task, we used a common laptop with an Intel Core i7-6820HQ at 2.7 GHz (four cores). Our implementation is written in Python, whereas the SEA implementation is highly optimized C code from the PARI/GP computer algebra system, designed specifically for fast computations in number theory.
In Table A1 of Appendix B, we give a list of 257-bit primes used as experimental input data. As shown in Table A2, our method is between 20 and 67 times faster, although our implementation is not optimized. We also carried out an experiment with a sporadic 857-bit prime input, whereby SEA computes the orders in 22.5 s, while our own performs the work in 33.1 milliseconds, that is, almost 680 times faster. The latter fact indicates that the method is much more efficient than the SEA algorithm for large primes, say, above 800 bits.

Conclusions
More or less convenient formulae to compute the orders of elliptic curves over finite fields do exist in the contemporary literature (see, e.g., [10,15,21]). In this article, we derive an explicit formula for the order of a curve in the family E_p = {E_a : y² = x³ + a (mod p), a ≠ 0} reduced modulo p. Alongside the famous Hasse bound, this formula comprehensively and concisely resolves the problem we deal with. Moreover, our approach permits the transparent determination of the spectrum of orders for fixed p ≡ 1 (mod 6), as well as re-proving the corresponding known fact in the complementary case p ≡ 5 (mod 6). Besides that, based on classical results for quadratic partitions of primes, we describe an efficient algorithmic technique (with complexity Õ(log² p)) to simultaneously compute the six orders associated with E_p in the cases of interest. The experimental results confirm the theoretical efficiency estimates, up to the expected overhead of the still unoptimized implementation. This technique improves the best previously known algorithmic solution [6] by almost an order of magnitude, thus enabling, at the same cost, values of the parameter p peculiar to higher-security ECC systems. It is especially useful when searching (say, at random) for prime-order elliptic curves belonging to families of the considered type while the modulus p is varied.
Appendix A

Further, performing the binomial expansion and changing the order of summation, we have

∑_{x∈Z_p^*} (x³ + a)^{(p−1)/2} = ∑_{i=0}^{(p−1)/2} binom((p−1)/2, i) a^i S_{3l}(p), l = (p−1)/2 − i, (A3)

where the expression for H(a, p) is obtained from (A3) by removing the last summand (that for i = (p−1)/2).

Proposition 1. If d is a factor of p − 1, then the monomial m(z) = z^{(p−1)/d} takes exactly d distinct values in Z_p^*, each one (p−1)/d times. These values are the d-th roots of unity in Z_p^*, that is, the solutions of the equation Z^d = 1. In particular, m(z) equals 1 if and only if z is a d-th power residue.

Corollary 1. If p is a prime ≡ 1 (mod 6), then the order of the curves from E_p takes exactly six distinct values, each one (p−1)/6 times, in accordance with the sixth roots of unity in Z_p^*: ±1, ±ζ, ±(ζ + √−3), where ζ = (−1 − √−3)/2 is a primitive cube root of unity (so that ζ + √−3 = ζ² is the other one).

Since a^{(p−1)/2}(p − 1) ≡ −(a/p) (mod p), Equation (A2) simplifies to

N ≡ H(a, p) (mod p), (A4)

where N here counts the affine points (x, y) of E_a, so that #E_a = N + 1.