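for $E_i$ and $E_{i+1}$ and the kernel of $\Sigma_i$. Consider the following diagram:

$$
\begin{array}{ccccc}
E_{i+1} & & \xrightarrow{\;\Sigma_i\;} & & E_i \\
 & {\scriptstyle\nu_i}\searrow & & \nearrow{\scriptstyle\lambda_i} & \\
 & & E_{i+1}/\mathrm{Ker}(\Sigma_i) & &
\end{array}
\tag{VI.3}
$$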
Given $\mathrm{Ker}(\Sigma_i)$, Satoh uses Vélu's formulae [332] to compute an equation for the curve $E_i/\mathrm{Ker}(\Sigma_i)$ and the isogeny $\nu_i$. Since $\nu_i$ and $\Sigma_i$ are both separable, $\mathrm{Ker}(\nu_i) = \mathrm{Ker}(\Sigma_i)$ and $\deg(\nu_i) = \deg(\Sigma_i)$, there exists an isomorphism $\lambda_i : E_{i+1}/\mathrm{Ker}(\Sigma_i) \to E_i$ that makes the above diagram commutative. Due to Vélu's construction, the action of $\nu_i$ on the invariant differential is trivial, i.e., $\nu_i^*(\omega_{i+1,K}) = \omega_{i+1}$ with $\omega_{i+1,K}$ the invariant differential on $E_{i+1}/\mathrm{Ker}(\Sigma_i)$. Therefore it is sufficient to compute the action of $\lambda_i$ on $\omega_i$.
Note that $\mathrm{Ker}\,\Sigma_i$ is a subgroup of order $p$ of $E_{i+1}[p]$. Let $H_i(x)$ be

$$H_i(x) = \prod_{P \in (\mathrm{Ker}\,\Sigma_i \setminus \{O\})/\pm} (x - x(P));$$

then $H_i(x)$ divides the $p$-division polynomial $\Psi_{p,i+1}(x)$ of $E_{i+1}$. To find the correct factor of $\Psi_{p,i+1}(x)$ Satoh proves the following lemma.
Lemma VI.5 (Satoh). Let $p \ge 3$. Then $\mathrm{Ker}\,\Sigma_i = E_{i+1}[p] \cap E_{i+1}(\mathbb{Z}_q^{ur})$, with $\mathbb{Z}_q^{ur}$ the valuation ring of the maximal unramified extension $\mathbb{Q}_q^{ur}$ of $\mathbb{Q}_q$.
The above lemma implies that $H_i(x) \in \mathbb{Z}_q[x]$ is the unique monic polynomial of degree $(p-1)/2$ that divides $\Psi_{p,i+1}(x)$ and such that $H_i(x) \pmod p$ is square-free. Since $E_i$ is ordinary, $\mathrm{Ker}\,\hat{\sigma}_i = E_{i+1}[p]$ and $\Psi_{p,i+1}(x) \pmod p$ has inseparable degree $p$. Therefore, $\delta_i H_i(x)^p \equiv \Psi_{p,i+1}(x) \pmod p$. This implies that we cannot apply Hensel's lemma since the polynomials $H_i(x) \pmod p$ and $\Psi_{p,i+1}(x)/H_i(x) \pmod p$ are not coprime. To this end, Satoh devised a modified Hensel lifting [285, Lemma 2.1], which has quadratic convergence.
Lemma VI.6 (Satoh). Let $p \ge 3$ be a prime and $\Psi(x) \in \mathbb{Z}_q[x]$ satisfying $\Psi'(x) \equiv 0 \pmod p$ and $\Psi'(x) \not\equiv 0 \pmod{p^2}$. Let $h(x) \in \mathbb{Z}_q[x]$ be a monic polynomial such that

1. $h(x) \pmod p$ is square-free and coprime to $(\Psi'(x)/p) \pmod p$,
2. $\Psi(x) \equiv q(x)h(x) \pmod{p^{m+1}}$.

Then the polynomial

$$H(x) = h(x) + \left(\frac{\Psi(x)}{\Psi'(x)}\, h'(x) \pmod{h(x)}\right)$$
VI.2. SATOH’S ALGORITHM 111
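Algorithm VI.2: Lift Kernel

INPUT: The $p$-division polynomial $\Psi_p(x)$ of an elliptic curve $E$ over $\mathbb{Z}_q/(p^m\mathbb{Z}_q)$, precision $m$.

OUTPUT: $H(x) = \prod_{P \in (\mathrm{Ker}\,\Sigma_i \setminus \{O\})/\pm} (x - x(P)) \pmod{p^{m-1}}$.

1. If $m = 1$ then
2.     $H(x) \leftarrow h(x)$ monic with $\Psi_p(x) \equiv \delta h(x)^p \pmod p$.
3. Else
4.     m ← m2−1.
5.     $H(x) \leftarrow$ Lift Kernel$(\Psi_p(x), m)$.
6.     $H(x) \leftarrow H(x) + \left(\frac{\Psi_p(x)}{\Psi_p'(x)}\, H'(x) \pmod{H(x)}\right) \pmod{p^m}$.
7. Return $H(x)$.
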
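For $p > 3$, $E_{i+1}$ can be defined by the equation $y^2 = x^3 + A_{i+1}x + B_{i+1}$. Using Vélu's formulae, Satoh [285, Proposition 4.3] shows that $E_{i+1}/\mathrm{Ker}(\Sigma_i)$ is given by the equation $y^2 = x^3 + \alpha_{i+1}x + \beta_{i+1}$ with

$$
\begin{aligned}
\alpha_{i+1} &= (6 - 5p)A_{i+1} - 30(h_{i,1}^2 - 2h_{i,2}),\\
\beta_{i+1} &= (15 - 14p)B_{i+1} - 70(-h_{i,1}^3 + 3h_{i,1}h_{i,2} - 3h_{i,3}) + 42A_{i+1}h_{i,1},
\end{aligned}
$$

where $h_{i,k}$ denotes the coefficient of $x^{(p-1)/2-k}$ in $H_i(x)$ and we define $h_{i,k} = 0$ for $(p-1)/2 - k < 0$.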
Given the above Weierstraß model for $E_{i+1}/\mathrm{Ker}(\Sigma_i)$ we can now compute the isomorphism $\lambda_i$ to $E_i : y^2 = x^3 + A_i x + B_i$. The only change of variables preserving the form of these equations is $\lambda_i : (x, y) \to (u_i^2 x, u_i^3 y)$ with

$$u_i^2 = \frac{\alpha_{i+1}}{\beta_{i+1}}\,\frac{B_i}{A_i}.$$

The action of $\lambda_i$ on $\omega_i$ is given by $\lambda_i^*(\omega_i) = u_i^{-1}\omega_{i+1,K}$, and therefore

$$c_i^2 = \frac{\beta_{i+1}}{\alpha_{i+1}}\,\frac{A_i}{B_i}. \tag{VI.4}$$

Computing $c^2 = \prod_{i=0}^{n-1} c_i^2 = N_{\mathbb{Q}_q/\mathbb{Q}_p}(c_0^2)$ and taking the square root gives the trace of Frobenius up to the sign. As shown in the proof of [307, Theorem V.4.1], we have

$$t \equiv \gamma\,\gamma^{\sigma} \cdots \gamma^{\sigma^{n-1}} \pmod p,$$

where $\gamma$ is the coefficient of $x^{p-1}$ in the polynomial $(x^3 + 3ax + 2a)^{(p-1)/2}$. This finally leads to Algorithm VI.3.

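Algorithm VI.3: Satoh

INPUT: Elliptic curve $E : y^2 = x^3 + ax + b$ over $\mathbb{F}_{p^n}$, $j(E) \notin \mathbb{F}_{p^2}$.

OUTPUT: The number of points on $E(\mathbb{F}_{p^n})$.

1. $m \leftarrow \log_p 4 + n/2$.
2. $S \leftarrow 1$, $T \leftarrow 1$.
3. $j_0 \leftarrow j_n \leftarrow j(E)$.
4. For $i = 0$ to $n-2$ do:
5.     $j_{i+1} \leftarrow j_i^p$.
6. $(J_{n-1}, \ldots, J_0) \leftarrow$ Lift j Invariants$((j_{n-1}, \ldots, j_0), m)$.
7. For $i = 0$ to $n-1$ do:
8.     $\gamma \leftarrow J_i/(1728 - J_i) \pmod{p^m}$.
9.     $A \leftarrow 3\gamma \pmod{p^m}$, $B \leftarrow 2\gamma \pmod{p^m}$.
10.     $\Psi_p(x) \leftarrow$ $p$-division polynomial of $y^2 = x^3 + Ax + B$.
11.     $H(x) \leftarrow$ Lift Kernel$(\Psi_p(x), m+1)$.
12.     For $j = 1$ to $3$ do:
13.         $h_j \leftarrow \mathrm{Coeff}(H(x), (p-1)/2 - j)$.
14.     $\alpha \leftarrow (6 - 5p)A - 30(h_1^2 - 2h_2)$.
15.     $\beta \leftarrow (15 - 14p)B - 70(-h_1^3 + 3h_1h_2 - 3h_3) + 42Ah_1$.
16.     $S \leftarrow \beta A S$, $T \leftarrow \alpha B T$.
17. $t \leftarrow \mathrm{Sqrt}(S/T, m)$.
18. $\gamma \leftarrow \mathrm{Coeff}((x^3 + ax + b)^{(p-1)/2}, p-1)$.
19. If $t \not\equiv \gamma\,\gamma^{\sigma} \cdots \gamma^{\sigma^{n-1}} \pmod p$ then $t \leftarrow -t \pmod{p^m}$.
20. If $t^2 > 4p^n$ then $t \leftarrow t - p^m$.
21. Return $p^n + 1 - t$.
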
The case $p = 3$ is very similar to the case $p \ge 5$. There are only two minor adaptations: firstly, note that $\mathrm{Ker}\,\Sigma_i = \{Q, -Q, O\}$ with $Q$ a 3-torsion point on $E_{i+1}$ with integral coordinates, so Algorithm VI.2 reduces to a simple Newton iteration on the 3-division polynomial of $E_{i+1}$; secondly, the Weierstraß equation for $E_i$ is different from the one for $p \ge 5$, which slightly changes Vélu's formulae. Let $x_Q$ denote the $x$-coordinate of $Q \in \mathrm{Ker}\,\Sigma_i$ and let $E_{i+1}$ be defined by $y^2 = x^3 + x^2/4 + A_{i+1}x + B_{i+1}$. Then $E_{i+1}/\mathrm{Ker}(\Sigma_i)$ is given by the equation $y^2 = x^3 + x^2/4 + \alpha_{i+1}x + \beta_{i+1}$, with

$$
\begin{aligned}
\alpha_{i+1} &= -15x_Q^2 - (5/2)x_Q - 4A_{i+1},\\
\beta_{i+1} &= -49x_Q^3 - (27/2)x_Q^2 - (35A_{i+1} + 1/2)x_Q - A_{i+1} - 27B_{i+1}.
\end{aligned}
$$

Analogous to the case $p \ge 5$, we conclude that $c_i^2$ is given by (VI.4) and taking the square root of $c^2 = \prod_{i=0}^{n-1} c_i^2$ determines the trace of Frobenius $t$ up to the sign. Furthermore, since the curve $E$ is defined by an equation of the form $y^2 = x^3 + x^2 + a$, the correct sign follows from $t \equiv 1 \pmod 3$.

For $p = 2$, Lemma VI.5 no longer holds. Indeed, the Newton polygon of the 2-division polynomial shows that there are two non-trivial points in $E_{i+1}[p] \cap E_{i+1}(\mathbb{Z}_q^{ur})$, whereas $\mathrm{Ker}\,\Sigma_i$ has only one non-trivial point. The main problem in extending Satoh's algorithm to characteristic 2 therefore lies in choosing the correct 2-torsion point. There are two algorithms which are both based on diagram (VI.3). Let $\mathrm{Ker}\,\Sigma = Q$; then, since $\lambda$ is an isomorphism, we conclude $j(E_{i+1}/Q) = j(E_i)$.

The first algorithm to compute $Q$ is due to Skjernaa [308] who gives an explicit formula for the $x$-coordinate $x_Q$ as a function of $j(E_i)$ and $j(E_{i+1})$. Since $Q$ is a 2-torsion point, it follows that $2y_Q + x_Q = 0$. Substituting $y_Q$ in the equation of the curve and using the equality $j(E_{i+1}/Q) = j(E_i)$, Skjernaa deduces an explicit expression for $x_Q$. A proof of the following proposition can be found in [308, Lemma 4.1].

Proposition VI.7. Let $Q = (x_Q, y_Q)$ be the non-trivial point in $\mathrm{Ker}\,\Sigma_{i+1}$ and let $z_Q = x_Q/2$. Then

$$z_Q = -\frac{j(E_i)^2 + 195120\,j(E_i) + 4095\,j(E_{i+1}) + 660960000}{8\left(j(E_i)^2 + j(E_i)\,(563760 - 512\,j(E_{i+1})) + 372735\,j(E_{i+1}) + 8981280000\right)}.$$

Skjernaa shows that the 2-adic valuation of both the numerator and the denominator is 12, so we have to compute $j(E_i) \pmod{2^{m+12}}$ to recover $z_Q \pmod{2^m}$.

The second algorithm is due to Fouquet, Gaudry and Harley [123] and is based on the fact that $\mathrm{Ker}\,\Sigma_i = Q \subset E_{i+1}[2]$. Let $E_{i+1}$ be given by the equation $y^2 + xy = x^3 + 36A_{i+1}x + A_{i+1}$ with $A_{i+1} = 1/(1728 - j(E_{i+1}))$. Since $Q$ is a 2-torsion point, we have $2y_Q + x_Q = 0$ and the $x$-coordinate $x_Q$ is a zero of the 2-division polynomial $4x^3 + x^2 + 144A_{i+1}x + 4A_{i+1}$. Clearly we have $x_Q \equiv 0 \pmod 2$, so Fouquet, Gaudry and Harley compute $z_Q = x_Q/2$ as a zero of the modified 2-division polynomial $8z^3 + z^2 + 72A_{i+1}z + A_{i+1}$. The main problem is choosing the correct starting value when considering this equation modulo 8. Using $j(E_{i+1}/Q) = j(E_i)$ they proved that $z \equiv 1/j(E_i) \pmod 8$ is the correct starting value giving $x_Q$.
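
As an added illustration (not code from the book or from Fouquet, Gaudry and Harley), the following Python example lifts $z_Q$ as a zero of the modified 2-division polynomial, starting from $z \equiv 1/j(E_i) \pmod 8$, and shows that the starting value 7 converges to the other integral root. It assumes a toy setting with $n = 1$, so that $\mathbb{Z}_q = \mathbb{Z}_2$ and plain integers suffice, and a constructed value $j = -3375$ with $j(E_i) = j(E_{i+1})$; the function names are hypothetical.

```python
# Added example (not from the source text): 2-adic Newton lift of z_Q = x_Q/2.
# Toy setting (assumption): n = 1, so Z_q = Z_2 and plain integers suffice.
# J is a constructed sample value with J = j(E_i) = j(E_{i+1}), J = 1 (mod 8).
J = -3375

def poly_f(z, A, M):
    """Modified 2-division polynomial 8z^3 + z^2 + 72Az + A, reduced mod M."""
    return (8 * z**3 + z * z + 72 * A * z + A) % M

def lift_zq(j, m, z0=None):
    """Return (z mod 2^m, A) with f(z) = 0 (mod 2^(m+1)) and z = z0 (mod 4).

    f'(z) = 2*(12z^2 + z + 36A) has 2-adic valuation 1 at odd z, so plain
    Hensel lifting does not apply: each step divides f and f' by 2 first,
    and one bit of precision is lost (work mod 2^(m+1), return mod 2^m).
    """
    M = 1 << (m + 1)
    A = pow((1728 - j) % M, -1, M)       # A_{i+1} = 1/(1728 - j(E_{i+1}))
    z = pow(j % 8, -1, 8) if z0 is None else z0 % 8   # z = 1/j(E_i) mod 8
    if poly_f(z, A, 8) != 0:
        raise ValueError("starting value is not a root modulo 8")
    while poly_f(z, A, M) != 0:
        half_f = poly_f(z, A, M) // 2                # exact: f(z) is even
        half_df = (12 * z * z + z + 36 * A) % M      # f'(z)/2, a 2-adic unit
        z = (z - half_f * pow(half_df, -1, M)) % M
    return z % (1 << m), A

def two_division(x, A, M):
    """2-division polynomial 4x^3 + x^2 + 144Ax + 4A of E_{i+1}, mod M."""
    return (4 * x**3 + x * x + 144 * A * x + 4 * A) % M

if __name__ == "__main__":
    m = 40
    z, A = lift_zq(J, m)                 # root selected by z = 1/j (mod 8)
    z_other, _ = lift_zq(J, m, z0=7)     # the other integral 2-torsion point
    print(hex(z), hex(z_other))
```

Because the derivative has valuation 1, the number of correct bits roughly doubles per step minus a constant, which is why the loop works one bit above the requested precision.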
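Vélu's formulae show that $E_{i+1}/\mathrm{Ker}\,\Sigma_i$ is given by the Weierstraß equation $y^2 + xy = x^3 + \alpha_{i+1}x + \beta_{i+1}$ with

$$
\begin{aligned}
\alpha_{i+1} &= -\frac{36}{j(E_{i+1}) - 1728} - 5\gamma_{i+1},\\
\beta_{i+1} &= -\frac{1}{j(E_{i+1}) - 1728} - (1 + 7x_Q)\gamma_{i+1},
\end{aligned}
$$

where $\gamma_{i+1} = 3x_Q^2 - 36/(j(E_{i+1}) - 1728) + x_Q/2$. The isomorphism $\lambda_i$ now has the general form

$$(x, y) \to (u_i^2 x + r_i,\; u_i^3 y + u_i^2 s_i x + t_i), \qquad (u_i, r_i, s_i, t_i) \in \mathbb{Q}_q^* \times \mathbb{Q}_q^3,$$

but an easy calculation shows that $c_i^2 = u_i^{-2}$. Solving the equations satisfied by $(u_i, r_i, s_i, t_i)$ given in [307, Table 1.2] finally leads to

$$c_i^2 = -\frac{864\beta_i - 72\alpha_i + 1}{48\alpha_i - 1}. \tag{VI.5}$$
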
The complexity of Algorithm VI.3 directly follows from Hasse's theorem, which states that $|t| \le 2\sqrt{q}$. Therefore it suffices to lift all data with precision $m \simeq n/2$. Since elements of $\mathbb{Z}_q/(p^m\mathbb{Z}_q)$ are represented as polynomials of degree less than $n$ with coefficients in $\mathbb{Z}/(p^m\mathbb{Z})$, every element takes $O(n^2)$ memory for fixed $p$. Therefore, multiplication and division in $\mathbb{Z}_q/(p^m\mathbb{Z}_q)$ take $O(n^{2\mu})$ time.

For each curve $E_i$ with $0 \le i < n$ we need $O(1)$ elements of $\mathbb{Z}_q/(p^m\mathbb{Z}_q)$, so the total memory needed is $O(n^3)$ bits. Lifting the cycle of $j$-invariants to precision $m$ requires $O(\log m)$ iterations. In every iteration the precision of the computations almost doubles, so the complexity is determined by the last iteration, which takes $O(n^{2\mu+1})$ bit-operations. Computing one coefficient $c_i^2$ requires $O(1)$ multiplications, so to compute all $c_i$ we also need $O(n^{2\mu+1})$ bit-operations.

In conclusion, there exists a deterministic algorithm to compute the number of points on an elliptic curve $E$ over a finite field $\mathbb{F}_q$ with $q = p^n$ and $j(E) \notin \mathbb{F}_{p^2}$, which requires $O(n^{2\mu+1})$ bit-operations and $O(n^3)$ space for fixed $p$.

VI.2.6. Vercauteren’s Algorithm. The first improvement of Satoh’s