Bjarki Holm

Constructing Elliptic Curves

with a Given Number of Points

University of Cambridge
Hughes Hall

I declare that this essay is work done as part of the Part

III Examination. It is the result of my own work, and
except where stated otherwise, includes nothing which
was performed in collaboration. No part of this essay
has been submitted for a degree or any such qualification.

Submitted: May 19, 2005

Signed:
Constructing Elliptic Curves
with a Given Number of Points
Abstract. We describe how the theory of complex
multiplication can be used to construct elliptic curves
over a finite field with a given number of rational
points and illustrate how this method can be applied
to primality testing.
 CONTENTS 1

Contents
1 Introduction 2

2 The Modular Invariant j 4

2.1 The Weierstrass ℘-Function . . . . . . . . . . . . . . . . . . . . . 4
2.2 The j-Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.3 Quadratic Forms . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.4 Hilbert Class Fields of Imaginary Quadratic Fields . . . . . . . . 8

3 Elliptic Curves 11
3.1 Basic Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.2 The Group Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.3 Complex Multiplication . . . . . . . . . . . . . . . . . . . . . . . 13
3.4 Elliptic Curves Over C . . . . . . . . . . . . . . . . . . . . . . . . 15
3.5 Elliptic Curves Over Finite Fields . . . . . . . . . . . . . . . . . . 16
3.6 The Deuring Lifting Theorem . . . . . . . . . . . . . . . . . . . . 18

4 Constructing Elliptic Curves 21

4.1 Naive Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
4.2 Complex Multiplication Method . . . . . . . . . . . . . . . . . . 22
4.3 Computational Aspects . . . . . . . . . . . . . . . . . . . . . . . 24

5 Constructing the Class Polynomial 26

5.1 Numerical Evaluation of the j-Function . . . . . . . . . . . . . . 26
5.2 Complex Analytic Approach . . . . . . . . . . . . . . . . . . . . . 28
5.3 Directly Constructing HD (X) Modulo p . . . . . . . . . . . . . . 32
5.4 Non-Archimedean Approach . . . . . . . . . . . . . . . . . . . . . 38
5.5 Using Class Invariants . . . . . . . . . . . . . . . . . . . . . . . . 39

6 Primality Testing 42
 1 Introduction 2

1 Introduction
The study of computational number theory has answered many fundamental
questions on the theory of elliptic curves. In this essay we are concerned with
the following question:

Given a prime number p and a positive integer N , how can we construct an

elliptic curve defined over the finite field with p elements, having N rational
points?

This problem was originally solved by Atkin and Morain [2] in the 1980s, in
relation to the elliptic curve primality test of Goldwasser and Kilian. The method
that they developed draws upon such rich subjects in number theory as the
theory of complex multiplication and the class field theory of imaginary quadratic
fields. Their basic idea was to look at a class of elliptic curves over the finite
field Z/pZ, which can be constructed from certain class polynomials modulo
the prime number p. The hardest part of this method is the construction of
these class polynomials. In their original paper Atkin and Morain used direct
construction over the complex numbers, using floating point precision, but in
recent years some alternatives have been suggested. In 2000, Agashe et al. [1]
proposed the use of a modified Chinese Remainder Theorem to compute a class
polynomial modulo p directly from a set of smaller polynomials. More recently,
in 2004, Bröker and Stevenhagen [4] have presented an algorithm that works in
a non-archimedean setting rather than over the complex numbers.
The main body of this essay is structured into five sections. In Section 2 we
review the basics of quadratic forms, modular functions and imaginary quadratic
fields. Section 3 presents some of the theory of elliptic curves relevant to our
topic. We discuss general elliptic curves before turning our focus on curves over
the field of complex numbers and over finite fields. This theory will be used
in Section 4 when we derive the complex multiplication method for construct-
ing elliptic curves. In Section 5 we discuss a few different ways of generating
class polynomials, and lastly in section 6 we briefly describe how the complex
multiplication method can be applied to primality testing.
A few numerical examples are provided in the text to illustrate some of the
algorithms and procedures that we discuss. All non-trivial calculations were
carried out by the author using the PARI computer algebra package [3].
 1 Introduction 3

Notation. We write Fq to denote the finite field with q elements, where q = pa

is a prime power. We denote by H the upper half complex plane, i.e. H = {α ∈
C | =α > 0}. If K is a field then we let K̄ be the algebraic closure of K.
 2 The Modular Invariant j 4

2 The Modular Invariant j

In this section we recall some basic definitions of quadratic forms and modular
functions. We start by looking at the j-invariant of a lattice in the complex
plane, in terms of the Weierstrass ℘-function, which then leads to the definition
of the elliptic j-function. Then we look at the imaginary quadratic extension
√
K = Q( D), D < 0, and the relation with the set Cl(D) of reduced binary
quadratic forms. Lastly we present some important results about the Hilbert
class field of K and the associated class polynomial HD (X).

2.1 The Weierstrass ℘-Function

A lattice in the complex plane C is the set of all integral linear combinations of
two complex numbers that are linearly independent over R. We write L[ω1 , ω2 ]
for the lattice L generated by the complex numbers ω1 and ω2 . The Weierstrass
℘-function of L is defined by

1 X  1 1

℘(z) = ℘(z; L) = + − (1)
z2 (z − 1)2 l2
l∈L\{0}

We know from Koblitz [9, Chapter I, Proposition 6] that the above sum converges
absolutely and uniformly for z in any compact subset of C − L. The ℘-function is
an important example of an elliptic function, i.e. a doubly periodic meromorphic
function on C. In fact, every elliptic function defined for a lattice L can be
expressed as a rational function in ℘(z; L) and ℘0 (z; L) (see [10, §1.2]). Elliptic
functions are closely related to elliptic curves, as we will see in §3.4. One can
show that ℘ satisfies the differential equation [9, §6]

℘0 (z)2 = 4℘(z)3 − g2 (L)℘(z) − g3 (L), (2)

−4 −6
P P
where g2 (L) = 60 ω∈L\{0} ω and g3 (L) = 140 ω∈L\{0} ω (and both sums
converge under the same assumption as ℘(z)). Associated with the lattice L is
the j-invariant j(L),

g2 (L)3 g2 (L)3
j(L) = 1728 = 1728 . (3)
g2 (L)3 − 27g3 (L)2 ∆(L)
If L is a lattice then ∆(L) 6= 0, which means that the j(L) is always well defined
 2.2 The j-Function 5

[6, §10].

2.2 The j-Function

Let SL2 (Z) denote the group of integer coefficient 2-by-2 matrices of determinant
1, i.e.
 a b


SL2 (Z) = c d | a, b, c, d ∈ Z, ad − bc = 1 .

An element of SL2 (Z) acts on a complex number τ by

aτ +b
a b


c d τ= bτ +d .

A function f is said to be a modular form of weight 2k if it is meromorphic

everywhere in the upper half plane H and at infinity, and if for any τ in H it
satisfies the relation

a b


a b


f c d τ = f (τ ) for all c d ∈ SL2 (Z).

A modular form of weight 0 is generally called a modular function.

Now let Lτ be a lattice generated by 1, τ , where τ a complex number in the
upper half plane H. The j-function j(τ ) is then defined in terms of the j-invariant
of Lτ by
j(τ ) = j(Lτ ) = j([1, τ ]).

The complex functions g2 (τ ), g3 (τ ) and the modular discriminant ∆(τ ) are de-
fined in a similar manner. The main properties of the j-function are given by the
following proposition [2, Proposition 3.1].

Proposition 2.1. The j-function is a modular function, holomorphic in the

upper half plane H, and has a simple pole at infinity.

Because the j-function is SL2 (Z)-invariant, we have that

11



j(τ + 1) = j 01 τ = j(τ ),

which shows that j(τ ) is periodic of period 1. Hence it has a Fourier expansion
which, if we write qτ = e2πiτ , is called the q-expansion of j. By Cox [6, Theorem
 2.3 Quadratic Forms 6

11.8], we can write the q-expansion as

∞
1 X
j(τ ) = + 744 + cm qτm ,
qτ
m=1

where τ ∈ H such that 0 < |qτ | < 1 and the coefficients cm are positive integers
for all m ≥ 1. Instead of working directly with this series it is usually better
to express j(τ ) in terms of the Dedekind η-function, which is a modular form
defined by
∞
Y
η(τ ) = qτ1/24 (1 − qτm ),
m=1

where, as before, qτ = e2πiτ . Because 0 < |qτ | < 1, this product converges for
any τ ∈ H. Using Euler’s identity
∞
Y ∞
X
(1 − q m ) = q m(3m+1)/2 ,
m=1 m=−∞

this product can be expanded as [2, §3.5]

 ∞
X 
η(τ ) = qτ1/24 1+ m m(3m−1)/2
(−1) (qτ m(3m+1)/2
+ qτ ) . (4)
m=1

The η-function satisfies the functional equations [6, Corollary 12.19]

√
η(τ + 1) = ζ24 η(τ ), η(−τ −1 ) = −iτ η(τ ), (5)

where ζ24 is the 24th root of unity in C. The modular discriminant of Lτ is

related to η by
∆(τ ) = (2π)12 η(τ )24 . (6)

This implies that, if we set f (τ ) = ∆(2τ )/∆(τ ), we can compute j in terms of η

by the formula
(256f (τ ) + 1)3
j(τ ) = . (7)
f (τ )

2.3 Quadratic Forms

An integral binary quadratic form [a, b, c] is a polynomial f (x, y) = ax2 +bxy+cy 2 ,
where a, b, c are integers. In this essay we will be working exclusively with
 2.3 Quadratic Forms 7

integral binary quadratic forms and for simplicity we will write quadratic form
to mean just that. The discriminant of the quadratic form [a, b, c] is defined to
be D = b2 − 4ac. To each quadratic form F = [a, b, c] we associate a matrix
a b/2

M (F ) = b/2 c . This allows us to define an equivalence relation: Two forms
F and F 0 of the same discriminant are (properly) equivalent (written F ∼ F 0 ) if
there exists A in SL2 (Z) such that [6, §2]

M (F 0 ) = A−1 M (F )A.

A quadratic form [a, b, c] is said to be primitive if gcd(a, b, c) = 1 and reduced if

it further satisifies

|b| ≤ a ≤ c and b ≥ 0 whenever |b| = a or a = c. (8)

Following Cohen [5, §5.3.1] we can define a reduced quadratic form in an alter-
native manner: Let f (x, y) = ax2 + bxy + cy 2 be a quadratic form and denote by
τ the root of f (x, 1) in the upper half plane H, i.e.
√
−b + D
τ= . (9)
2a

Then the quadratic form [a, b, c] is reduced if τ is in the domain

D = {τ ∈ H | <(τ ) ∈ [− 12 , 21 [, |τ | > 1} ∪ {τ ∈ H | <(τ ) ∈ [− 12 ; 0], |τ | = 1}

As the complex number τ lies in the upper half plane H, we see that j(τ
√
) is well
defined. When the context is clear, we write j([a, b, c]) to mean j( −b+
2a
D
). For
any quadratic number τ in H we define the discriminant of τ as the discriminant
of the unique primitive positive definite quadratic form [a, b, c] such that τ is a
root of ax2 + bx + c = 0.
Now let Cl(D) denote the set of reduced quadratic forms of discriminant D
and let h(D) be its order. It follows from (8) that Cl(D) has finite order. The set
Cl(D) can be given the structure of an abelian group, under multiplication given
by a composition of equivalence classes. The inverse of the class of [a, b, c] in
Cl(D) is the class of [a, −b, c] and we say that a form is ambiguous if it has order
2 in Cl(D) [15]. It follows that an ambiguous binary quadratic is one among the
 2.4 Hilbert Class Fields of Imaginary Quadratic Fields 8

types
[a, 0, c], [a, a, c], [a, b, a].

2.4 Hilbert Class Fields of Imaginary Quadratic Fields

An imaginary quadratic field is obtained by adjoining to the field of rationals the
square root of a fundamental discriminant D < 0.

Definition 2.1. An integer D is called a fundamental discriminant if D 6= 1 and

either D ≡ 1 (mod 4) and is square-free, or D ≡ 0 (mod 4), D/4 is square-free
and D/4 ≡ 2, 3 (mod 4).

Remark. Unless otherwise noted, we henceforth write D to mean a negative

fundamental discriminant.
√
If K = Q( D) then dK , the discriminant of the field K, is exactly equal to D.
There is a one-to-one correspondence between Cl(D) and the set of classes of
fractional ideals of the unique quadratic field with discriminant D. Hence the
√ √
class number of the imaginary quadratic field Q( −D = Q( D) is equal√to the
D+ D
order h(D). An integral basis of K is given by (1, ω), where ω = 2√. It
follows that K has ring of integers OK = Z[ω] [2, §2.2]. The conjugates of D in
√
K are the two imaginary numbers ± D, hence K has no real embeddings and
one pair of complex embeddings into C. It follows from Dirichlet’s Unit Theorem
that O∗ ∼
K = µ(K), where O∗ is the group of units in K and µ(K) is the finite
K √
1+ −3
cyclic group of roots of unity in K. When D = −3 then K contains ζ6 = 2 ,
√
a primitive sixth root of unity, and in the case D = −4, K contains ζ4 = −1.
In the general case D < −4 the only roots of unity in K are ±1. These results
are summarised in the following Lemma.

Lemma 2.2. Let D < 0 be a fundamental discriminant and let OK be the ring
√
of integers of K = Q( D). If we let $(D) denote the number of units in OK
then
( 2 if D < −4
$(D) = 4 if D = −4
6 if D = −3

and the group of units in OK is equal to the $(D)th roots of unity in K.

Remark. This statement does in fact hold for an arbitrary order in K. Recall
that an order O in the quadratic field K is a subring of K, containing 1, which
 2.4 Hilbert Class Fields of Imaginary Quadratic Fields 9

is a free Z-module of rank 2. The ring of integers OK is the maximal order in

K and the finite integer f = [OK : O] is called the conductor of O. It is easy to
show that the discriminant of O is D0 = f 2 dK , from which it follows that OK is
the unique order of discriminant D in K. This implies, of course, that any order
other than the maximal order can only have two units.

The Hilbert class field of K, which we denote by H, is the maximal unramified

abelian extension of K, i.e. the composite of all the unramified abelian extensions.
The following Proposition, which we state without proof, relates the Hilbert class
field to values of the j-function at points in the upper half complex plane [2,
Theorem 3.2].
√
Theorem 2.3. Let K = Q( D), where D is a negative fundamental discrimi-
nant. Then the Hilbert class field of K can be obtained by adjoining to K a value
of j([a, b, c]), where [a, b, c] ∈ Cl(D) is any one of the reduced quadratic forms of
discriminant D. The minimal polynomial of the j([a, b, c])’s, denoted by HD (X),
has integer coefficients. The Galois group Gal(H/K) is isomorphic to Cl(D),
and if f is an element of Cl(D) then we write σf to mean the corresponding
element in Gal(H/K). The action of σf on j is given by

σf (j(f )) = j(f −1 · f ).

The minimal polynomial HD (X) is called the Hilbert class polynomial and we
refer to the equation HD (X) = 0 as the class equation. The class polynomial can
be expressed as
Y √
X − j( −b+ D


HD (X) = 2a ) ∈ Z[X]. (10)
[a,b,c]∈Cl(D)

It then follows that if τ is any quadratic number of discriminant D in H, then

j(τ ) is an algebraic integer of degree exactly equal to h(D). If the discriminant
D is not divisible by 3, then j(τ ) is a cube in H, up to a multiplication by a unit
in K [5, §7.2.4]. Furthermore, the norm of any j = j(τ ) in H, which is precisely
the constant term of the class polynomial HD (X), is the cube of some rational
integer [2, Proposition 7.1]. This property will become useful for checking the
correctness of our calculations in §5.

Remark. The class polynomial can in general be defined for any integer D0 that
 2.4 Hilbert Class Fields of Imaginary Quadratic Fields 10

occurs as the discriminant of some order O in K. Then the class polynomial of

Q
O is HO (X) = (X − j(a)) where the product is over representatives a of each
ideal class of O. We also write HD0 (X) to mean HO (X). Just as the zeroes of
the Hilbert class polynomial generate the Hilbert class field of K, the roots of
the class equation for an order of conductor f in K generate an abelian extension
Kf which is called the ring class field of K. In short, the ring class field Kf is
unramified outside f and any prime ideal of K not dividing f is totally split if
and only if it can be generated by an element which is in the congruence class of
rationals modulo f (see Cox [6]). The subject of ring class fields will be mostly
ignored in this essay, as all the algorithms that we will consider are limited to the
class of elliptic curves that have complex multiplication by the maximal order in
some imaginary quadratic field.

We finish this section with an important theorem that describes the behaviour
of certain rational primes in the Hilbert class field [2, Theorems 2.3 and 3.3].
√
Theorem 2.4. Let K = Q( D) and let H be the Hilbert class field of K. Then,
if p is a rational prime, the following statements are equivalent.
(i) p is a norm in K.
(ii) (p) splits completely in H.
(iii) p splits as the product of two distinct elements in OK .
(iv) HD (X) modulo p splits completely into linear factors with roots in Fp .
(v) 4p = t2 + s2 |D| has a solution in rational integers (x, y).
 3 Elliptic Curves 11

3 Elliptic Curves
In this section we introduce the basic theory of elliptic curves relevant to our
topic. We start by recalling some definitions for curves given by Weierstrass
equations and then go on to discuss the group law and complex multiplication
over general fields. We then turn our attention to elliptic curves over the field
of complex numbers and over finite fields. The theory of elliptic curves over C
follows naturally from the discussion of lattices and the ℘-function in §2. Over
finite fields we will focus on the case of ‘ordinary’ elliptic curves, which relate
nicely to curves over C. Finally, we review some of the work of Deuring concerning
the reduction of elliptic curves, and state an important theorem that will provide
a basis for our derivation of the complex multiplication method in §4.
This section is intended only as an overview of some of the rich theory of
elliptic curves. For a more information on the subject, we refer to reader to
Silverman [16] and Koblitz [9], or any of the other references given in the text.

3.1 Basic Definitions

Let K be a field. An elliptic curve over K (written E/K) is a non-singular
projective plane cubic curve over K together with a distinguished point OE with
coordinates in K, called the “point at infinity”. The set of projective points which
are on the curve and have coordinates in K will be called the set of K-rational
points of E, denoted by E(K).
In this essay we will be working with elliptic curves over a field K of char-
acteristic different from 2 and 3. Such a curve can always be given by an affine
Weierstrass equation of the form

E : y 2 = x3 + ax + b (a, b ∈ K), (11)

the point OE taken over K as the point (x : y : z) = (0 : 1 : 0) in projective space

[5, §7.1.4]. For an elliptic curve E/K given by a Weierstrass equation, the set of
K-rational points can be written E(K) = {(x, y) ∈ K 2 | y 2 = x3 +ax+b}∪{OE }.
Associated with the Weierstrass equation are quantities

∆ = −16(4a3 + 27b2 ), j = −1728(4a)3 /∆, (12)

called the discriminant and j-invariant of the elliptic curve, respectively. A curve
 3.2 The Group Law 12

E is said to be singular if and only if ∆(E) = 0. By definition, elliptic curves are

non-singular.
Now let E(a, b) be shorthand notation for an elliptic curve with a Weierstrass
equation given by (11).

Theorem 3.1. Two elliptic curves E(a, b) and E(a0 , b0 ) defined over K are iso-
morphic (over K̄) if and only if there exists a c ∈ K̄ ∗ such that a0 = c4 a and
b0 = c6 b, the isomorphism being under the map

(x, y) 7→ (c2 x, c3 y).

Proof. See [16, III, Proposition 3.1(b)], which gives a proof for elliptic curves
defined over general fields (whose characteristic may be 2 or 3).

Corollary. Two elliptic curves are isomorphic if and only if they have the same
j-invariant.

Proof. If E(a, b) and E(a0 , b0 ) are isomorphic then it follows from formulas (12)
and Theorem 3.1 that they have the same j-invariant. On the other hand, if
the curves have the same j-invariant, we compute the relation a3 b02 = a03 b2 and
verify (splitting into cases a = 0, b = 0 and ab 6= 0) that there always exists a
c ∈ K̄ ∗ that satisfies Theorem 3.1.

Remark. From this corollary it is clear that the j-invariant of an elliptic curve
is an invariant of the isomorphism class of that curve (hence the name).

3.2 The Group Law

The set of points on an elliptic curve can be given the structure of an abelian
group, with a group law ⊕ defined by the following rule:

Let P and Q be points on the projective curve E, and let L be the line connecting
P and Q (a tangent line if P = Q), which intersects the curve in a third point
R. Then, if OE is the point at infinity on E, the sum P ⊕ Q is the point so that
the line connecting OE and R intersects E in OE , R and P ⊕ Q.

The group E(K) has neutral element OE . We note that the inverse of a point P
on E is the point P , such that P ⊕ ( P ) = OE . For further properties of the
 3.3 Complex Multiplication 13

group law we refer to Silverman [16, III]. For an integer m and a point P on E,
we define multiplication by m by

| ⊕P ⊕
[m]P = P {z. . . ⊕ P} (m > 0)
m terms

[0]P = OE
[m]P = [−m]( P ) (m < 0)

Explicit formulas for the group law are given by the following Theorem.

Theorem 3.2. Let E : y 2 = x3 + ax + b be an elliptic curve. The inversion of

a point (x0 , y0 ) on E is the point (x0 , −y0 ), i.e. reflection in the x-axis. If P1 =
(x1 , y1 ) and P2 = (x2 , y2 ) ar two points on E, then the sum P1 ⊕ P2 = (x3 , y3 ) is
given by

x3 = λ2 − x1 − x2
y3 = λ(x1 − x3 ) − y1

where (
(y2 − y1 )(x2 − x1 )−1 if x2 6= x1 ,
λ=
(3x21 + a)(2y1 )−1 otherwise.

Proof. Follows from direct manipulation of plane coordinates.

3.3 Complex Multiplication

Let E and E 0 be elliptic curves defined over a field K. An isogeny from E to E 0
is a rational map from E to E 0 , sending the point OE on E to the point OE 0 on
E 0 . If there exists a non-constant isogeny from E to E 0 , then we say that the
two curves are isogenous. The endomorphism ring of an elliptic curve E over a
field K is defined to be

EndK (E) = {isogenies φ : E → E, over K}

It is a ring with multiplication given by the composition (φψ)(P ) = φ(ψ(P )) and

addition given by (φ + ψ)(P ) = φ(P ) + ψ(P ), where φ and ψ are elements of
EndK (E) and P is a point on E. When E is defined over K, we write End(E)
to denote EndK̄ (E), where K̄ is the algebraic closure of K. Fundamental to our
 3.3 Complex Multiplication 14

study of the endomorphism ring is the multiplication-by-m map, defined for any
integer m by
E→E
[m] : (13)
P 7→ [m](P )

where [m](P ) is defined as before. This map can be shown to be non-constant

(see e.g. Silverman [16, p.72]). We see that the maps [m] are elements of End(E),
and we get an injection Z ,→ End(E). In most cases these maps are the only
elements, in which case End(E) ∼
= Z because the maps are distinct. But if
End(E) is strictly larger than Z, then we say that E has complex multiplication.
Let φ : E → E 0 be a non-constant isogeny over K and let K(E) and K(E 0 )
denote the function fields1 of E and E 0 respectively. Then composition with φ
induces an injection of function fields:

K(E 0 ) → K(E)
φ∗ : (14)
f 7→ f ◦ φ

We define the degree of φ as deg(φ) = [K(E) : φ∗ (K(E 0 ))] and we say that φ
is separable if the extension K(E)/φ∗ (K(E 0 )) is separable. If φ : E → E 0 is a
non-constant isogeny of degree m then there exists a unique isogeny φ̂ : E 0 → E
such that φ̂ ◦ φ = [m]. We call φ̂ the dual of φ (for existence, see [16, III, Theorem
6.1(b)]).
To classify the endomorpism ring for elliptic curves with complex multiplica-
tion, we need to recall some definitions. Let K be a number field and denote by
OK the ring of algebraic integers in K. By an order in K we mean a subring of
OK whose dimension over Z equals [K : Q]. We define a quaternion algebra over
K to be a central simple algebra of dimension four over K. We can now state:

Proposition 3.3. The endomorphism ring of an elliptic curve is (isomorphic to)

either Z, an order in a quaternion algebra or an order in an imaginary quadratic
field.

Proof. See Silverman [16, §III.9].

1
The function field of E/K is the field of fractions of the coordinate ring K[E] =
K[X, Y ]/(y 2 = x3 + ax + b), assuming char(K) 6= 2, 3.
 3.4 Elliptic Curves Over C 15

3.4 Elliptic Curves Over C

We observe that the Weierstrass equation (11) bears resemblance to the differ-
ential equation (2) for the Weierstrass ℘-function (in equation (11), set y 0 = y/2
and multiply through by 4 to get a similar form). This is no coincidence. We
define a map from the complex torus C/L to the projective complex plane by

ψ: z 7→ (℘(z), ℘(z), 1) (if z 6= 0)

(15)
0 7→ (0 : 1 : 0)

We look at the equation ℘(z) − x = 0 and observe that it has (i) one solution for
the roots of 4x3 − g2 (L)x − g3 (L) and the point at infinity, and the corresponding
y-coordinates are y = ℘0 (z) = 0; (ii) two solutions in all other cases and the
corresponding y-coordinates are y = ±(4℘(z)3 − g2 (L)℘(z) − g3 (L))1/2 .
In both cases a point z is sent to a point on the elliptic curve y 2 = 4x3 −
g2 (L)x−g3 (L) in the complex projective plane, and the map ψ gives a one-to-one
correspondence between the torus C/L and the curve. Moreover, because both ℘
and ℘0 are analytic functions, the ψ is given by analytic functions near any point
in C/L [9, §6]. We have sketched a proof of the following theorem.

Theorem 3.4. Let L be a lattice in C. Then the map ψ defines a one-to-one

correspondence between C/L and the elliptic curve E : y 2 = 4x3 −g2 (L)x−g3 (L).

Let L be a lattice in C and define the set of complex numbers that stabilise
L as M (L) = {α ∈ C | αL ⊂ L}. Clearly M (L) contains Z and we say that
L has complex multiplication if M (L) is strictly larger than Z. If we let Eτ
denote the elliptic curve over C that corresponds to the lattice Lτ = [1, τ ], then
the endomorphism ring of Eτ is canonically isomorphic to M (Lτ ) [6, §14.B].
Specifically, Eτ has complex multiplication if and only if Lτ does. By Theorem 3.4
we know that Eτ is defined by a Weierstrass equation y 2 = 4x3 −g2 (Lτ )x−g3 (Lτ ).
We observe that the j-invariant of the curve is j(Eτ ) = 1728g2 (Lτ )3 /(g2 (Lτ )3 −
27g3 (Lτ )2 ) = j(τ ), where j(τ ) is a complex value of the j-function, which we
defined in §2.2. It follows from Theorem 2.3 that j(Eτ ) is an algebraic integer of
degree exactly equal to h(D), where D is the discriminant of τ , and that HD (X)
is the minimal polynomial of j(Eτ ). The final theorem we will need about elliptic
curves over C concerns the structure of the endomorphism ring.
 3.5 Elliptic Curves Over Finite Fields 16

Theorem 3.5. Let E be an elliptic curve defined over C and assume that E has
complex multiplication. Then EndC (E) is an order in an imaginary quadratic
field.

Proof. An order in an imaginary quadratic field has the form Z + τ Z, where

τ ∈ H is an algebraic integer of degree two. Let E be an elliptic curve defined
over C. We know that E ' C/L where L = L[ω1 , ω2 ] is a lattice in C. After
division by one of its generators, say ω1 , we can assume that L = Lτ for a certain
τ ∈ H. For all α ∈ M (L) there exist integers a, b, c and d such that α = a + bτ


and ατ = c + dτ . This implies that α is an eigenvalue of the matrix ac db (for
eigenvector [1 τ ]T ), i.e. α satisfies the equation λ2 − (a + d)λ + ad − bc, and is
therefore an algebraic integer of degreee two.
Now as we assume that E has complex multiplication, it follows that the
extension K = Q(α) = Q(τ ) is a quadratic imaginary extension of Q and End(E)
is an order in OK (M (L) is integral over Z), the ring of integers of K.

3.5 Elliptic Curves Over Finite Fields

We now look at elliptic curves over the prime field Fp , where p > 3 is a prime
number. Over Fp , we can consider the projective line as the set Z/pZ plus
an extra “point at infinity”, containing p + 1 elements. Although we are only
interested in prime fields for our purpose of constructing elliptic curves with a
certain cardinality, some of the results we state in this section can apply to the
more general case Fq , where q = pa is a power of p.
If E is an elliptic curve defined over some field of characteristic p then we let
E (q) denote the curve that we get by raising each coefficient of the Weierstrass
equation for E to the q th power. It can easily be shown that E (q) is indeed an
elliptic curve. In fact, direct calculations reveal that ∆(E (q) ) = ∆(E)q , which
implies that E (q) is singular if and only if E is singular. From this we define the
q th -power Frobenius morphism Fq :

Fq : E → E (q)
(16)
(x, y) 7→ (xq , y q )

When E is defined over Fq then this map is clearly an endomorphism of E,

sending every point (x, y) = (xq , y q ) to itself. It can be shown that Fq ∈
/ Z (see
for example Silverman [16, §V.1, Theorem 3.1]), which imples that Z is always
 3.5 Elliptic Curves Over Finite Fields 17

strictly larger than EndF̄q (E). This implies that all elliptic curves over finite
fields have complex multiplication and can thus be classified into two groups
based on the structure of their endomorphism ring:

Definition 3.1. Let E/Fq be an elliptic curve. Then E is said to be supersingular

if EndF̄q (E) is an order in a quaternion algebra and ordinary if EndF̄q (E) is an
order in an imaginary quadratic field.

If we write f (x) = x3 + ax + b, with a, b ∈ Fq , it is clear that for every x in Fq

there are at most two solutions y in Fq to the Weierstrass equation y 2 = f (x).
Taking into consideration the point at infinity, the order of the group E(Fq ) is
therefore clearly bounded above by 2q + 1. A classical theorem of Hasse gives a
more precise bound on the number of rational points.

Theorem 3.6. Let E be an elliptic curve defined over Fq . Then the order of the
group E(Fq ) of Fq -rational points is an integer in the Hasse interval

√ √
Hq = [q + 1 − 2 q, q + 1 + 2 q].

Proof. We briefly sketch the proof of this theorem. We will use the fact that the
map (1 − Fq ), where Fq is the q th power Frobenious map, is separable and hence
that deg(1−Fq ) = | ker(1−Fq )|. The Frobenius endomorphism sends every point
P in E(Fq ) to itself which implies that P is in E(Fq ) if and only if P is in the
kernel of the map 1 − Fq . Hence

|E(Fq )| = | ker(1 − Fq )| = deg(1 − Fq ),

and the proof follows from a version of the Cauchy-Schwarz inequality for pos-
itive quadratic forms over abelian groups, using the fact that deg(Fq ) = q (see
Silverman [16, §V.1, Theorem 1.1]).

Over the prime field Fp there is a simple criteria for E to be supersingular.

Theorem 3.7. Let E be an elliptic curve defined over Fp . Then E is supersin-

gular if and only if |E(Fp )| = p + 1.

Proof. The proof of this theorem relies on the fact, which we state without proof,
that E is supersingular over Fp if and only if the dual Frobenius Fˆp is purely
inseparable (see Silverman [16, V, Theorem 3.1(a)]). Let a be an integer such
 3.6 The Deuring Lifting Theorem 18

that [a] = Fp + Fˆp , i.e. a = 1 − deg(1 − Fp ) + deg(Fp ) (here we use the property
\
that φ + ψ = φ̂ + ψ̂). This implies that

|E(Fp )| = deg(1 − Fp ) = 1 + p − a.

But Fˆp = [a] − Fp implies that Fˆp is purely inseparable if and only if a = 0
modulo p.

We note that any rational point P in E(Fp ) is annihilated by the group order
N = |E(Fp )|, i.e. [N ]P = OE [5, §9.2]. This fact can be used to check if a certain
curve has a given number of rational points, as we will see later.

3.6 The Deuring Lifting Theorem

Let K be a number field and let

E : y 2 = x3 + ax + b (a, b ∈ K),

be an elliptic curve over K. We are interested in the operation of reducing E

modulo a prime p of OK lying above p. We will denote the natural reduction map
by a tilde. If we can write a, b in the form r/s, where s ∈
/ p, then we can define
ã and b̃ as the images of a and b, respectively, in the finite field Fp , OK /p. If
∆ = −16(4ã3 + 27b̃2 ) 6= 0 then the curve Ẽ given by

Ẽ : y 2 = x3 + ãx + b̃,

defines an elliptic curve over Fp and p is said to be a “prime of good reduction”.

In the 1940s, Deuring developed a remarkable theory concerning the reduction of
elliptic curves. While the full statement of Deuring’s results is beyound the scope
of this essay, we will state without proof the following proposition, which defines
the behaviour of the endomorphism ring of an elliptic curve under reduction [10,
§5, Theorem 14].

Proposition 3.8 (Deuring Lifting Theorem). Let E be an elliptic curve defined

over the prime field Fp , with a non-trivial endomorphism ψ. Then there exists an
elliptic curve E 0 defined over a number field K, an endomorphism ψ 0 of E 0 , and
a good reduction Ẽ of E 0 at a place p lying above p, such that Ẽ 0 is isomorphic
to E and ψ̃ 0 corresponds to ψ under the isomorphism.
 3.6 The Deuring Lifting Theorem 19

We get an immediate corollary:

Corollary. With notation as above, reduction induces an isomorphism

EndK̄ (E) ∼
= EndF̄p (Ẽ),

which preserves degrees.

Now consider an elliptic curve E over C, with

K: 0
complex multiplication by an order OD , of dis- E
lift 
? AAA
AAreduce
criminant D, in a quadratic imaginary field K.
 AA
According to Proposition 3.8 there is some en- 
Fp : E ∼
= Ẽ 0
domorphism π ∈ EndC (E) which corresponds to
Fp ∈ EndF̄p (Ẽ) under reduction modulo p. Since the reduction preserves degrees,
deg(π) = deg(Fp ) = p. The degree of the complex number π ∈ OD is simply its
norm in K, so N (π) = ππ̄ = p, i.e. p splits as the product of two elements in
OD .
Now look at the group of rational points E(Fp ). We have seen that the
Frobenius endomorpishm Fp acts trivially on points in Fp . In other words, P is
in E(Fp ) if and only if Fp (P ) = P . This implies that

|E(Fp )| = |ker(1 − Fp )|
= deg(1 − Fp )  By proof of Theorem 3.6
= deg(1 − π)  Reduction map preserves degrees
= (1 − π)(1 − π̄)  N (π)
= 1 + p − (π + π̄)  p = ππ̄
= 1 + p − T r(π)

These results are summarised by the following theorem [5, §7.2.4].

Theorem 3.9. Let E be an elliptic curve with complex multiplication by an

imaginary quadratic order OD of discriminant D, and let p be a prime number
that splits into a product of two prime elements in OD , say p = ππ̄ where π ∈ OD .
Then, for a suitable choice of π, |Ẽ(Fp )| = p + 1 − t, where t = (π + π̄).

The question of a “suitable choice of π” is important in this context. If u is a

unit in OD , then N (uπ) = N (π) = p, but (uπ + uπ) 6= (π + π̄) in general. In
 3.6 The Deuring Lifting Theorem 20

§2.4 we counted the number of units in the unique imaginary quadratic order of
discriminant D, which we denote by $(D). It can be shown that for each D there
exist $(D) isomorphism classes of elliptic curves having complex multiplication
by OD . What remains is to find the explicit equation of the elliptic curves in
each case.
In the general case D < −4 the two units in OD are ±1. This implies that an
“incorrect” choice of π gives an opposite value of t in Theorem 3.9. If j0 6= 0, 1728
(mod p) is a j-invariant corresponding to the order of discriminant D, then we
set k = j0 /(1728 − j0 ) and choose one of the two elliptic curves defined by

y 2 = x3 + 3kx + 2k (17)
y 2 = x3 + 3kc2 x + 2kc3 (c ∈ Fp and not a square). (18)

One of these curves will have p + 1 − t rational points and the other will have
p + 1 + t points.
The special cases D = −3, −4 are a bit more involved. Atkin and Morain [2,
§8.6.2] give complete algorithms for finding the proper equations in each case.
We follow Cohen [5, §9.2] and let g denote a value of Fp such that g (p−1)/l 6= 1
for each prime l dividing $(D). Then the isomorphism classes of elliptic curves
with complex multiplication by OD are given by the equations

y 2 = x3 − g k x (0 ≤ k ≤ 3) when D = −4 (19)
y 2 = x3 − g k (0 ≤ k ≤ 5) when D = −3. (20)
 4 Constructing Elliptic Curves 21

4 Constructing Elliptic Curves

Now that we have presented the relevant theory of elliptic curves, j-functions and
quadratic fields, it is time that we look at the task of constructing elliptic curves
with a certain number of points over a prime field. In this section we will present
a general method for such construction, which is based on the theory of complex
multiplication and the class field theory of imaginary quadratic fields. We will
refer to this simply as the complex multiplication method, or ‘CM method’ for
short.
We begin this section by briefly describing a trivial “brute force” procedure
for finding an elliptic curve with a given cardinality. Next we present the CM
method and discuss computational complexity and other practical aspects. The
main step of the CM method, constructing the class polynomial for discriminant
D, will be covered in detail in §5.

4.1 Naive Method

A naive method to produce an elliptic curve with N rational points in Fp is to
randomly pick an element a ∈ Fp \{ −27
4 } and try whether the elliptic curve

Ea : y 2 = x3 + ax − a

has N rational points. We observe that the point point P = (1, 1) is on Ea for
all a. By writing N = p + 1 − t, we check whether P is annihilated by either
N = p+1−t or N 0 = p+1+t. If it is, then we know that Ea has p+1±t rational
points. If P was annihilated by N then we are finished but if it was annihilated
by N 0 then we take the quadratic “twist” of Ea by equation (17). The procedure
Naive-Method(p, N ) illustrates this method.
 4.2 Complex Multiplication Method 22

Naive-Method(p, N )
1 P ← (1, 1)
2 t←p+1−N
3 i←0
4 S ← Fp \{ −27
4 }
5 repeat
6 Pick a random a ∈ S
7 Ea ← y 2 = x3 + ax − a
8 if P is annihilated by p + 1 − t then
9 return Ea
10 elseif P is annihilated by p + 1 + t then
11 return quadratic twist of Ea
12 end
13 S = S − {a}
14 until S = ∅

Although the distribution of group orders |Ea (Fp )| is not even among the ele-
√
ments a ∈ Fp , we can expect to check approximately O( p) curves on average
before finding a right one. According to Bröker and Stevenhagen [4] the expected
√
running time of the naive algorithm is O( p) × (constructing curve + multiply-
ing P + counting points) = O(N 1/2+ ), for some small  > 0. When N is small
it may be feasible to use the naive method. All the other alternatives we will
discuss in this essay are only assymptotically faster in N and may very well be
slower for small inputs. However for large N , say N  1010 , the naive method
becomes quite impractical.

4.2 Complex Multiplication Method

By the Deuring Lifting Theorem we can consider every elliptic curve over Fp
as the reduction of some elliptic curve over a number field K with the same
endomorphism ring. Our task is to construct a curve having exactly N rational
points over Fp .
Let K be the imaginary quadratic field of discriminant D where p splits as
the product of two elements. If we look at elliptic curves over K with complex
multiplication by the full ring of integers OK in K then we are able to apply
Theorem 3.9 which immediately gives us the desired cardinality over Fp . To
 4.2 Complex Multiplication Method 23

find such a field K we choose a fundamental discriminant D < 0 such that

4p = t2 + s2 |D| has a solution for t = p + 1 − N and s any integer. Then, by
Theorem 2.4, (p) splits into two distinct ideals in K. In other words, p is a norm
in K and p = ππ, where π is an element of OK . If we next find the equation of an
elliptic curve E over C with EndC (E) ' OK then by Theorem 3.9 the reduction
of E modulo p will give us a curve with p + 1 − t = N rational points over Fp .
We know that j(E) is an algebraic integer of degree equal to h(D), the class
number of K. By Theorem 2.4 we know that our choice of D implies that the
minimal polynomial HD (X) of j(E) splits completely into linear factors modulo
p. This allows us to consider a root of HD (X) ≡ 0 (mod p) as the j-invariant of
Ẽ, the reduction of E modulo p. We finally construct Ẽ by the formulas given
in §3.6 and that solves our task. The interaction of theory which underlies the
CM method is further illustrated in the following diagram.

Fundamental discriminant D < 0 such

that 4p = t2 + s2 |D|. τ is a com-
plex number corresponding to a re-
duced quadratic form of discriminant
D.
Q
Thm. 2.4 and Thm. 3.5
Q
Q Thm. 2.4
Q
? Q
Q
Eτ √/C has CM by OK in K = Qs
Q( D). The minimal polyno- p splits into a product of
mial of j(Eτ ) is HD (X), which two elements in OK , i.e.
splits into linear factors modulo p = ππ, π ∈ OK .
Prop. 3.8
1
 p. 
 
 
Reduction Thm. 3.9  Thm. 3.9
by Deuring 

PP
P
q
P ? +

Prop. 3.8 One solution of HD (X) ≡ 0 (mod p)
is the j-invariant of an elliptic curve Ẽ
over Fp with CM by OK and |Ẽ(Fp )| =
p + 1 ± (π + π̄).

Figure 1: Basic theory behind the complex multiplication method

Let us assume that D < −4. Once we know the j-invariant in Fp , the elliptic
curve with p + 1 − t points is constructed from one of the two equations (17). To
 4.3 Computational Aspects 24

see whether we have the right curve we can pick a random rational point and see
whether it is annihilated by N . If that is not the case then we have selected a
curve with p + 1 + t points and the opposite equation gives the right choice. The
complex multiplication method is summarised by the following procedure.

Remark. The two special cases D = −3 and D = −4 can be handled in a

manner similar to the general case. To select between the different isomorphism
classes in each case we can use certain algorithms instead of multiplying random
points as in the general case. We refer the reader to [2] for full details.

CM-Method(p, N )
1 t←p+1−N
2 Find a fundamental discriminant D which satisifies 4p = t2 + s2 |D| for s ∈ Z.
3 Construct the Hilbert class polynomial HD (X).
4 Compute a solution j0 of HD (X) ≡ 0 (mod p).
5 Construct the equation of an elliptic curve E over Fp of invariant j0 .
6 Find a random point P on E.
7 if [N ]P 6= OE then
8 E ← quadratic “twist” of E
9 end
10 return E

4.3 Computational Aspects

Apart from the construction of the Hilbert class polynomial HD (X), which we
will look at in detail in §5, the other hard step in this algorithm is computing a
root of HD (X) ≡ 0 (mod p). Many standard factorisation algorithms are known
for that purpose. See for example Cohen [5, §1.6.1] or Knuth [8, §4.6.2].
Finding a “good” discriminant D that is suitable for our prime p is quite
simple, as we are expecting a certain cardinality N (the situation becomes more
involved when we use this method for primality testing, as we will see in §6). We
set t = p + 1 − N and

t2 − 4p (p + 1 − N )2 − 4p
D= = ,
s2 s2

and search for an s such that s2 divides (t2 − 4p) and D < 0 is fundamental and
as small as possible. The condition that D is small is important as we expect
 4.3 Computational Aspects 25

the algorithm to run in time asymptotic to a power of |D|, as we will soon see2 .
Of course, a necessary condition for this algorithm to produce a solution is that
the integer N is contained in the Hasse interval Hp . In fact, since we restrict to
the case of a prime field Fp , all integers in Hp do occur as the group order E(Fp )
of some elliptic curve E over Fp [4].
We should note one special case for the algorithm, namely when N = p + 1.
Then by Theorem 3.7 we know that we can pick any supersingular curve over
Fp . There are many criteria for supersingular curves, see for example [16, §V,
Theorem 4.1]. As an example, the elliptic curve E/Fp defined by y 2 = x3 + 1 is
supersingular if and only if p ≡ 2 (mod 3).
Finally we remark on the computational complexity of the method. The two
time consuming steps in the algorithm are the construction of the Hilbert class
polynomial HD (X) and the computation of a root of HD (X) modulo p. Crucial to
√
the complexity analysis is the estimate log(h(D)) ∼ log( d) [11, §XVI.4], where
p
we write d = |D|. It follows that the approximation h(D) ∼ |D| should not be
too bad. We will see in the next section that the basic complex analytic method
to construct HD (X) takes time O(d2 (log d)2 ). By one approximation [12, §5.10]
it takes time O(d(log p)3 ) to calculate a solution to HD (X) ≡ 0 (mod p). Which
one of these two steps will dominate the running time of the algorithm depends
of course on the relative size of d and p. In general, we expect the O(d2 (log d)2 )
term to prevail if we seek elliptic curves with a large number of rational points.
The other steps in the algorithm count less towards the overall complexity. For
example, there is an algorithm to compute [m]P , for an integer m and a point P
on E, in time asymptotically O(log m) [14].

2
In elliptic curve cryptography the discriminant has to be of certain minimal size to ensure
security. According to [1] some cryptography standards recommend using elliptic curves with
complex multiplication by an order of discriminant at least equal to 200.
 5 Constructing the Class Polynomial 26

5 Constructing the Class Polynomial

The main step in the complex multiplication method is the construction of the
class polynomial of the imaginary quadratic order of discriminant D. In this sec-
tion we present a few different ways of solving that task. In their original paper
[2], Atkin and Morain suggested a complex analytic method based on numerical
evaluation of the j-function, which we will look at in some detail. The complex
analytic method has been estimated to run in time asymptotically O(d2 (log d)2 ),
which is not much better than the naive method when we consider small inputs.
This method also requires extensive computing resources to work with the huge
Hilbert polynomials in high precision. Over the past few years a number of au-
thors have suggested alternative approaches to tackle these problems. Bröker and
Stevenhagen [4] have proposed solving the class equation in a non-archimedean
setting by working over the p-adic numbers. The main advantage of this method
is that it requires substantially less precision than the complex analytic approach.
To address the problem of working with huge Hilbert polynomials with integer
coefficients, Agashe, Lauter, and Venkatesan [1] have come up with an algorithm
based on the Chinese Remainder Theorem, which can be used to directly con-
struct HD (X) modulo p from a set of polynomials HD (X) modulo smaller primes.
Apart from avoiding the computation of the full Hilbert class polynomial over
the complex numbers, this method promises to be asymptotically faster than the
complex analytic approach for certain inputs, as we will see. At the end of this
section we will also look at how we can use higher class invariants, instead of the
invariant j, to generate Hilbert class fields.

5.1 Numerical Evaluation of the j-Function

In §2.2 we gave a formula for j(τ ) in terms of the Dirichlet η-function and
the modular invariant ∆(τ ) (equations (4) and (6)). The convergence of the
q-expansion for η is quite good as the exponents for each term grow quadrati-
cally. It should therefore be practical to apply this formula directly to compute a
numerical value of j(τ ). To see how many terms have to be included for a desired
precision, we look at the truncated series
 M
X 
ηM (τ ) = qτ1/24 1 + (−1)m (qτm(3m−1)/2 + qτm(3m+1)/2 ) , (21)
m=1
 5.1 Numerical Evaluation of the j-Function 27

where M is a positive integer and qτ = e2iπτ as before. For an upper bound on

the error we get by truncating the series we use the following Lemma [13].

Lemma 5.1. Let qτ = e2πiτ = ρτ eiθ , where τ is a complex number in the upper
half plane H such that 0 < |qτ | < 12 . Then if M is a positive integer,

2 /2
|η(τ ) − ηM (τ )| ≤ 6ρ3M
τ .

Proof. Write qτ = ρτ eiθ = ρτ (cos(θ) + i sin(θ)) and assume that 0 < |qτ | < 1.
Then define the functions
∞
X
f (τ ) = f (qτ ) = (−1)n (qτm(3m−1)/2 + qτm(3m+1)/2 )
n=1
M
X
fM (τ ) = fM (qτ ) = (−1)m (qτm(3m−1)/2 + qτm(3m+1)/2 )
m=1

Let r(τ ) = r(qτ ) and rN (τ ) = rN (qτ ) to be the real parts of f (τ ) and fN (τ ),

respectively, and

δ(τ ) = δ(qτ ) = r(ρτ ) − r(qτ )

δM (τ ) = δM (qτ ) = rM (ρτ ) − rM (qτ )

We look at the difference δ(qτ ) − δN (qτ ). This is an alternating series and since
|ρτ | < 1 we get (using shorthand notation fm = m(3m − 1)/2 and gm = m(3m +
1)/2)

|δ(qτ ) − δN (qτ )| =
∞
X
(−1)m (ρfτm (1 − cos(θfm )) + ρgτm (1 − cos(θgm )))
m=M +1

≤ ρfτm (1 − cos(θfm )) + ρgτm (1 − cos(θgm ))m=M +1



≤ 2(ρ(M
τ
+1)(3M +2)/2
+ ρτ(M +1)(3M +4)/2 )
= 2M +1 .
 5.2 Complex Analytic Approach 28

Simple manipulation yields

|r(qτ ) − rM (qτ )| = |(r(qτ ) − r(ρτ )) + (rM (ρτ ) − rM (qτ )) + (r(ρτ ) − rM (ρτ ))|
= |(δM (qτ ) − δ(qτ )) + (r(ρτ ) − rM (ρτ ))|
≤ 3M +1 .

Repeating the calculations for the imaginary parts, we obtain the bound |f (τ ) −
fN (τ )| ≤ 6N +1 . We estimate the size of the term m by

m = ρm(3m−1)/2
τ + ρm(3m+1)/2
τ

= ρm(3m−1)/2
τ (1 + ρm
τ )

≤ 2ρτm(3m−1)/2
2 /2 −2 log 2/ log ρτ +3
≤ ρ3(m−1)
τ if m ≥ 5 ,

1
which is true for all m ≥ 1 if ρτ ≤ 2. Combining this with the bound for
1/24
|f (τ ) − fN (τ )|, and noting that |qτ | is always less than 1, gives the desired
result.

5.2 Complex Analytic Approach

By Theorem 2.3, we know that

Y √
X − j( −b+i d


HD (X) = 2a ) ,
[a,b,c]∈Cl(D)

where Cl(D) is the set of all reduced quadratic forms of discriminant D and d =
|D|. We know that the degree of HD (X) equals the class number h = h(D). By
iterating through all reduced forms of discriminant D, and computing a numerical
value of the corresponding j-value, we get a simple method for constructing
the polynomial HD (X). The important part here is that if we ensure sufficient
precision in our calculations then we can exactly determine HD (X) because it
has integer coefficients (Theorem 2.3).

Remark. As we noted in §2.4, we can use the fact that HD (0) is a cube of a
rational integer to check our computations.

To make sure that we get the correct outcome we make some observations on the
polynomial HD (X). Because it has integer coefficients the absolute error in the
 5.2 Complex Analytic Approach 29

final computation of each coefficient must be within 0.5. To achieve this accuracy
we need some prior estimate of the size of the coefficients. From τ = (−b +
√ √
i d)/(2a) we obtain ρτ = e−π d/a and θ = −πb/a, where we write qτ = ρτ eiθ . By
√
the q-expansion of j (eq. (2.2)) we get the estimate |j(τ )| = O(qτ−1 ) = O(eπ d/a ).

We then get an upper bound B on the size of the coefficients by forming a product
√
of all the values of eπ d/a associated with reduced quadratic forms [a, b, c] of
discriminant D, times the largest (middle) binomial coefficient.

√ X 1
   
h
B= exp π d . (22)
bh/2c a
[a,b,c]

The required decimal precision is obtained by taking the base-10 logarithm of

this bound: √
h
 log

bh/2c + π d X 1
Prec(D) = + p0 . (23)
log 10 a
[a,b,c]

Here p0 is an empirical constant that takes care of rounding errors and errors due
to our estimate of |j(τ )|. According to Cohen [5, §7.6.2] and Atkin [2, §7.1], the
value of p0 is typically chosen to be 10. The figure Prec(D) should be calculated
once, before computing HD (X).
Now we need to know what value of M in eq. (21) approximates η(τ ) =
√
η((−b + i d)/(2a)) with the desired floating point precision. We observe that if
[a, b, c] is a reduced form of negative discriminant D then d = 4ac − b2 ≥ 4a2 − a2 ,
p
which implies that a ≤ d/3. Hence
√ √
ρτ = e−π d/a
≤ e−π 3
< 12 ,

so we can apply Lemma 5.1. Equating the base-10 logarithm of the error bound
given by the Lemma and the precision Prec(D) yields

s 
2 Prec(D) log 10 + log 6
M= a √ (24)
3 π d

Then to calculate an accurate numerical value of j(τ ) we compute ηM (τ ) by eq.

(21) and apply the result to eq. (7). For that we need to compute both ∆(τ )
and ∆(2τ ). In general, to compute ∆(kτ ) we compute ηM (qτk ) to the order M
a
obtained by replacing a with k in eq. (24).
 5.2 Complex Analytic Approach 30

We can make some further remarks to make the computation more efficient.
If [a, b, c] is ambiguous (see §2.3) we get j([a, −b, c]) = j([a, b, c]), where x̄ denotes
the complex conjugate of x. If r is a root of HD (X) then r̄ is also a root, so we
can halve the computation by checking for ambiguous forms. Then if [a, b, c] is
ambiguous we adjoin a factor

(X − j([a, b, c]))(X − j([a, b, c])) = X 2 − 2<(j([a, b, c]))X + |j([a, b, c])|2

to the polynomial. Otherwise we adjoin a factor (X − j([a, b, c])). Finally we

note that because b is even if and only if D is even (look at D = b2 − 4ac, and the
term 4ac is even), we can reduce the number of iterations by initially checking
the parity of D.
With these remarks in mind, the procedure Hilbert-Basic runs through
2
all positive a, b such that b ≤ a ≤ d/3 and a divides b −D
p
4 , and constructs a
polynomial whose roots are the j-invariants associated with the reduced forms
2 −D
[a, b, b 4a ].
 5.2 Complex Analytic Approach 31

Hilbert-Basic(D)
1 Compute Prec(D)  Using formula (23)
2 HD ← 1  Polynomial variable HD
3 b ← |D| mod 2  Init. b to 0 or 1 (D odd/even)
 Upper bound of range
p
4 B ← b |D|/3c
5 while b ≤ B do
b2 −D
6 t← 4  Possibly t = ac
7 a ← max(b, 1)  If b = 0 then a 6= b
8 repeat
9 if a | t then
√
10 j ← j((−b + D)/(2a))  Using (21) and (7)
11 if a = b or a2 = t or b = 0 then
12 HD ← P · (X − j)
13 else
14 HD ← P · (X 2 − 2<(j)X + |j|2 )
15 end
16 end
17 a←a+1  Loop on a
18 until a2 >t
19 b←b+2  Loop on b (either odd or even)
20 end
21 Round coefficients of HD to nearest integer
22 return HD modulo p

We note that there are two serious drawbacks to this procedure. First of all,
the Hilbert class polynomial has huge integer coefficients, which grow fast as the
class number increases. Secondly, the algorithm requires immense precision for
floating point calculations in order to ensure correct results. From a practical
point of view, the high precision and memory handling required by this method
hinders its implementation on simple processors with limited amount of memory,
as encountered in many cryptography applications.

Example 1. Let us look at a simple example to illustrate the algorithm. We

will construct HD (X) for a fundamental discriminant D = −23. The class
√
number of the imaginary quadratic field Q( −23) is h(−23) = 3 and the three
 5.3 Directly Constructing HD (X) Modulo p 32

reduced quadratic forms of discriminant -23 are f1 = [1, 1, 6], f2 = [2, 1, 3] and
f3 = [2, −1, 3], with corresponding τ -values τ1 , τ2 and τ3 , respectively. We
calculate the required precision by formula (23)
 log 3+π√23 1
+ 21 ) + 10 = 25.

Prec(−23) = log 10 (1 + 2

This means that our calculations have to be carried out with at least 25 decimal
digits. To achieve this precision we need to compute ηM (τ ) to order M = 2
and M2 = M3 = 3 for arguments τ1 , τ2 and τ3 , respectively. That we need
only consider 2 or 3 terms to achieve such high precision illustrates the good
convergence of the q-expansion. Now we compute the polynomial

P = (X − j(τ1 ))(X − j(τ2 ))(X − j(τ3 )),

and after taking real parts and rounding the coefficients to the nearest integer,
we get

H−23 (X) = X 3 + 3491750X 2 − 5151296875X + 12771880859375.

We observe that the constant factor is correctly a cube of an integer, 233753 =

12771880859375. To verify our result we check if H−23 (X) splits into linear
factors modulo a prime p. We look at the prime p = 59, which is “good” for the
discriminant D = −23, which means that there is a solution to 4 · 59 = t2 + 23s2
(just take (t, s) = (12, 2)). Reduction modulo 59 gives

H−23 (X) ≡ (X − 20)(X − 42)(X − 44) (mod 59),

and all the roots lie in F59 . Taking j0 = 20, we construct the elliptic curve
E : y 2 = x3 + 33x + 13 from equation (17). Point counting reveals that the order
is correctly |E(F59 )| = 48 = 59 + 1 − 12.

5.3 Directly Constructing HD (X) Modulo p

In the complex analytic method we compute the class polynomial over C using
the fact that its coefficients are rational integers. Even though we are eventually
looking for HD (X) mod p, we first have to compute HD (X) with full precision
and then perform reduction. The problem with this approach is that the coeffi-
cients of the class polynomial come to be very large. We have already seen an
example for class number 3 where the constant term of HD (X) has 16 decimal
digits. In the case when D = −832603, for example, the class number is 96 and
 5.3 Directly Constructing HD (X) Modulo p 33

the constant term has more than 1200 digits. These large coefficients make the
complex analytic method rather unwieldy in practise.
In a recent paper, Agashe et al. [1] suggest a method to directly compute
the reduced polynomial HD (X) mod p without ever constructing HD (X) over C.
This is achieved by generating a set of reduced polynomials Hq (X) = HD (X) mod
q, where q is a prime number relatively small compared to p. Then using an al-
gorithm based on a modified version of the Chinese Remainder Theorem, the
polynomial HD (X) mod p can be constructed one coefficient at a time, from
knowledge of each of the reduced polynomials Hq (X).

Theorem 5.2 (Modified Chinese Remainder Theorem). Let Sm = (mi )li=1 and
Sa = (ai )li=1 be sets of integers for some l > 0, such that all the mi are co-prime
and 0 ≤ ai < mi for i = 1, 2, · · · , l. Assume that there exists an integer x such
that |x| < ( 21 − ) li=1 mi for some small positive real number  < 12 . Then,
Q

given an integer n less than |x|, there exists an algorithm for directly computing
x mod n from Sm and Sa .

Remark. The point of the theorem is that we can compute x mod n without
ever knowing x explicitly.

Proof. We will prove the existence of such an algorithm. Define

l
Y
M= mi
i=1

Mi = M/mi
bi ≡ 1/Mi (mod mi ) 0 ≤ bi < mi

The definition of bi implies that bi Mi ≡ 1 (mod mi ) for all i = 1, 2, · · · , l. Then

Pl
by the Chinese Remainder Theorem, the positive integer s = i=1 ai bi Mi is
congruent to x modulo M , i.e. s = x + rM , where r is some non-negative
integer. We write x = s − rM and we want to compute x mod n. If we knew
nothing of x we would not be able to infer anything about the integer r, but
because we are told that x < ( 21 − )M , we observe that r = b M
s
+ 12 c (if x were
s
greater or equal than M/2 then r would be d M + 12 e). If we can recover r, then
x mod n may be computed by

x mod n = (s mod n) − (r mod n) · (M mod n),

 5.3 Directly Constructing HD (X) Modulo p 34

as all the quantities on the right hand side are known. To solve for r, we observe
that |x| < ( 12 − )M implies that s
M + 1
2 is not within  of an integer. Thus we
s
can recover r by computing an approximation r0 such that |r0 − M | <  and then
round r0 to the nearest integer. We achieve this by setting

l
X ai bi
r0 = ,
mi
i=1

where each term in the series is computed with floating point precision /l.

From the ideas developed in the proof of Theorem 5.2 we present an algorithm
for computing x mod n, given n, Sm , Sa and  having the same signature and
properties as in the theorem. Note that in the description of the algorithm we let
rem(a, b) denote a variable (and not a function call) holding the value of a mod b,
the remainder of the Euclidian division of a by b.

Modified-CRT(n, Sm , Sa , )
1 M ← li=1 mi
Q

2 l ← |Sm |
3 for i ← 1 to l do  Calculate the Mi ’s and bi ’s
4 Mi ← M/mi
5 bi ← 1/Mi mod mi
6 end
7 rem(M, n) ← M mod n
8 Compute rem(Mi , n) ← rem(M, n)/(mi mod n) for all i
9 Compute rem(ai bi , n) ← ai bi mod n for all i
10 r ← round( li=1 ami bii  With precision /l
P

11 rem(r, n) ← r mod n
rem(s, n) ← ( li=1 rem(ai bi , n) · rem(Mi , n)) mod n
P
12
13 return (rem(s, n) − rem(r, n) · rem(M, n)) mod n

Remarks.

1. The computation of Mi mod n in step 8 can be parallelised. This could be

useful when working with very large class numbers.

2. In step 10 we need to compute each term to precision /l. In practise,

we would perform the calculations with d− log /l/ log 10e + p0 significant
 5.3 Directly Constructing HD (X) Modulo p 35

digits, where p0 is some positive constant that takes into account rounding
errors, as we described in §5.2.

Now we describe how this algorithm can be used to compute HD (X) mod p
directly. Unless otherwise noted we assume that D < −4. To begin with, we
calculate B, the upper bound of coefficients of HD (X), by formula (22), and the
class number h. One way of computing the class number is to use an algorithm
similar to the Hilbert-Basic procedure, i.e. by traversing the reduced quadratic
forms of discriminant D and keeping a counter. We then fix a small positive
number  (for example  = 0.001 as suggested in [1]) and set M = B/( 12 − ).
Next we generate a set of distinct prime numbers q, that satisfy 4q = x2 + |D|
for some integer x, such that the product of all the primes will exceed M .
For each prime q we search for the h elliptic curves over Fq that have q +
1 − t or q + 1 + t rational points, where t comes from 4q = t2 + |D|. We can
do this either by counting points or by finding a random point on the curve
and seeing if it is annihilated by either order (in the latter case we are doing
something similar to the naive algorithm that we described on page 22). In
the algorithm Hilbert-CRT below we apply the first method. After computing
these j-invariants we construct the polynomial HD (X) mod q. Finally we use the
Mod-CRT routine to compute HD (X) mod p, one coefficient at a time, from the
coefficients of all the “smaller” polynomials.

Remark. By selecting a fundamental discriminant D which satisifies 4p = t2 +

s2 |D|, for some integers t and s, we know that the roots of HD (X) mod p are
the j-invariants of elliptic curves that have p + 1 ± t rational points over Fp . The
opposite, that a suitable j-invariant in Fp is a root of HD (X) mod p, is however
not true in general. Checking all j-invariants in Fp for p + 1 ± t rational points
would reveal curves having complex multiplication by an order in K containing
the order of index s in OK . Hence we restrict the algorithm to discriminants
that satisfy D = t2 − 4p, which has solutions in t for all odd primes p unless
D ≡ 1 (mod 8). To date, the CRT method has not been extended to work with
arbitrary orders in K, to our best knowledge.
 5.3 Directly Constructing HD (X) Modulo p 36

Hilbert-CRT(D, p)
1 Initialise B and h
2 S ← ∅, H ← ∅
3 M ←1
4 while M ≤ B do  Generate a set S of small primes
 such that their product M exceeds B
5 Find a prime q such that
6 4q = t2 + d has a solution for t
7 S ← S ∪ {q}  Add q to the set S
8 M ←M ·q
9 end
10 for each q in S do  Compute HD (X) mod q for all q ∈ S
11 Sq ← ∅
12 for each j ∈ Fq \{0, 1728} do  We should also break when |Sq | = h
j
13 k ← 1728−j
14 E ← y 2 = x3 + 3kx + 2k  Elliptic curve E with j(E) = j
15 if |E(Fq )| = q + 1 ± t then
16 Sq ← Sq ∪ {j}
17 end
18 end
 Hq (X) denotes HD (X) mod q
Q
19 Hq (X) = j∈Sq (X − j)
20 H ← H ∪ Hq (X)  Add Hq to the set H
21 end
22 for i ← 1 to h do  Lift to HD (X) mod p
23 Form a set Sa of the ith coefficients of every Hq (X)
24 ci ← Mod-CRT(p, S, Sa , )  Compute the ith coefficient of HD (X) mod p
25 end
Ph
26 return i=1 ci X
i  HD (X) mod p

Remark. Note that in practise one would not implement this algorithm directly
as it is written here. For example, a large part of the Mod-CRT procedure is
common to all coefficients of HD (X) (mod p), so they should be executed only
once. The two procedures are defined separately here simply for the sake of
clarity.
 5.3 Directly Constructing HD (X) Modulo p 37

According to [1] the overall complexity of this algorithm, when d is large, is with
high probability

O d3/2 (log d)10 + d(log d)2 log p + d1/2 (log p)2 .

This shows that we may expect this algorithm to run faster than the complex
analytic method when d is roughly larger than (log p)2 [1]. In practical terms, this
might be the case in some cryptography applications, where one usually requires
a large discriminant. On the other hand, in elliptic curve primality testing one
typically looks for a small discriminant, which implies that the complex analytic
approach might work better. We look better at primality testing in §6.

Example 2. The version of the Hilbert-CRT algorithm that we present here

can only work for a discriminant D 6= 1 (mod 8) as we have remarked. Let D =
−35 be a fundamental discriminant and assume we want to compute HD (X) mod
p where p = 3089 = 1112 + 35 is a prime number. The class number of the
√
imaginary quadratic field Q( −35) is h(−35) = 2, corresponding to the reduced
quadratic forms [3, ±1, 3]. By formula (22) we obtain the bound B ≈ 2e13 and
set M = B/( 21 − ) ≈ 106 , where we choose  to be 0.001. Then we compute
a set of small primes q that satisfy 4q = t2 + 35, for some integer t, and whose
product exceeds M . For each q we also compute the two j-invariants of the
elliptic curves over Fq that have q + 1 ± t rational points. The following table
displays the results of these computations.
q t j HD (X) mod q
11 3 4, 10 X 2 + 8X + 7
29 9 13, 24 X 2 + 21X + 22
191 27 12, 35 X 2 + 144X + 38
281 33 198,207 X 2 + 157X + 241
389 39 51, 177 X 2 + 161X + 80
659 51 76, 78 X 2 + 505X + 656
Setting S = {11, 29, 191, 281, 389, 659}, we calculate

Modified-CRT(p, S, {8, 21, 144, 157, 161, 505}, ) = 2068,

Modified-CRT(p, S, {7, 22, 38, 241, 80, 656}, ) = 1580.

Hence

H−35 (X) ≡ X 2 + 2068X + 1580 ≡ (X − 1874)(X − 2236) (mod 59).

 5.4 Non-Archimedean Approach 38

Taking j0 = 1874 gives the elliptic curve E : y 2 = x3 + 1104x + 736 over F3089 ,
which has exactly N = 3089 + 1 − 111 = 2979 rational points.

5.4 Non-Archimedean Approach

Bröker and Stevenhagen have recently come up with a new idea for constructing
the Hilbert class polynomial in a non-archimedean (p-adic) setting. We will now
briefly review this method, referring to to [4] for full details.
The first step in the non-archimedean method is to find a small prime q <
p such that 4q = t2 + D, for a positive t as small as possible. Here D is a
fundamental discriminant for p, which is computed as before. For such a prime
q, we know that there exists an ordinary elliptic curve over Fq with complex
multiplication by the order OK (D is fundamental) and Nq = q + 1 − t rational
points. Since we are working with a small Nq we can just as well search for such
a curve using the naive method that we have seen before.
√
Now let H denote the Hilbert class field of K = Q( D). According to the
Deuring Lifting Theorem there exists an elliptic curve E 0 over H, with complex
multiplication by the unique quadratic order of discriminant D, and a prime q|q
in H, such that E 0 reduces modulo q to E. Now the important point is that since
q splits completely in H, the curve E 0 is in fact defined over the q-adic field Qq .
The Hilbert polynomial HD (X), whose roots are the j-invariants of isomorphic
elliptic curves over H, generates the Hilbert class field. In the complex analytic
approach we computed HD (X) by approximating the j-function using floating
point arithmetic. If we instead consider elliptic curves over Qq , we can generate
HD (X) using q-adic arithmetic, which has many advantages. Of course, the
reduction of HD (X) modulo p splits as before into linear factors, whose roots are
j-invariants of the elliptic curves over Fp which we eventually want to generate.
The advantage of working in a q-adic setting is that the q-adic accuracy is
preserved when adding or multiplying two integers. If n and m are known with
q-adic accuracy up to O(q k ) then nm and n + m are also known up to O(q k ).
This is of course not true over the real or complex numbers.
For this method to work, we of course need some method to numerically
evaluate j over Qq . This is provided by the recent work of Couveignes and
Henocq, using a Newton process that doubles the precision with each iteration,
as described in [4]. It would certainly carry us too far to describe this process
in any detail. Complexity estimates of the non-archimedean algorithm have not
 5.5 Using Class Invariants 39

yet been published, to our best knowledge, but the full details should be given
in Bröker’s forthcoming doctoral thesis (due in 2006).

5.5 Using Class Invariants

The coefficients of the Hilbert class polynomial become huge as the class number
grows as we have mentioned. Even though our goal is to compute the reduction
of this polynomial modulo p, the intermediary steps still need to be performed
with high precision to ensure that we get the correct result.
From the work of Weber (see [7], for example) we know that we can construct
generating polynomials for the Hilbert class fields using various higher level mod-
ular functions other than the j-function. If we let ω denote the generator of OK ,
√
the ring of integers of K = Q( D), we call u(ω) a class invariant if it is contained
in K(j(ω)) = Q(ω, j(ω)). It follows that if u(ω) is a class invariant then so is
any of its conjugates. Since we are working only with fundamental discriminants
D, the field K(j(ω)) is precisely H, the Hilbert class field of K (Theorem 2.3).
We will refer to the irreducible polynomial of the class invariant u as a Weber
polynomial, written as WD [u](X). If we can find a class invariant for K and
determine the Galois action of Cl(D) on this invariant, we can compute its min-
imal polynomial over K. Of course, since our goal is to compute j-invariants of
elliptic curves rather than just generate H, we also need some relation to recover
j from some value of u.
A concise treatment of the vast theory of class invariants is well beyond the
scope of this essay. To give some idea of the subject we will look at one example,
for a particular congruence class of D, in the complex analytic setting. Bröker
and Stevenhagen [4] describe how the non-archimedean approach can be adapted
to work with Weber polynomials as well as Hilbert polynomials, the full details
of which will be published in Bröker’s doctoral thesis. To our best knowledge,
there are yet no published results concerning the extension of the CRT method
to work with class invariants.
Assume that τ is a quadratic number defined by aτ 2 + bτ + c = 0. Then we
define

−1 η( τ +1
2 )
f (τ ) = ζ48 , (25)
η(τ )
 5.5 Using Class Invariants 40

f (τ )24 − 16
γ2 (τ ) = , (26)
f (τ )8
where ζ48 is the 48th root of unity in C. We can recover the elliptic modular
invariant j(τ ) by
j(τ ) = γ2 (τ )3 = γ3 (τ )2 + 1728. (27)

We have the following theorem [2, Theorem 7.1].

Theorem 5.3. Let τ be a quadratic number defined by aτ 2 + bτ + c = 0. If 3 | a,

3 | c but 3 - b, then Q(γ2 (τ )) = Q(j(τ )).

Now assume that D is a fundamental discriminant and that p is a rational prime

that satisfies the relation 4p = t2 + s2 |D|. The roots of WD [γ2 ](X) generate the
√
Hilbert class field H of K = Q( D) and the prime p splits completely in H. To
construct WD [γ2 ](X) we also need to determine the Galois action of Cl(D) on the
invariant γ2 (τ ). Using the functional equations for η, Atkin and Morain present
a simple algorithm that computes an equivalent form [a1 , b1 , c1 ] and a CM-point
τ1 from a given form [a0 , b0 , c0 ] and a point τ0 , satisfying Theorem 5.3. We refer
to [2, §7.2] for the details. Once we have constructed the Weber polynomial for
γ2 , we recover the j-values from the roots of WD (X) ≡ 0 (mod p) in Fp , using
formula (27).

Example 3. We can use the γ2 class invariant to compute the Weber polynomial
for discriminant D = −23. Starting with τ0 , a root of 3τ 2 − 7τ + 6, we obtain

W−23 [γ2 ](X) = X 3 + 155X 2 + 650X + 23375.

Clearly this is a more simple expression than the one we obtained by using j-
invariants in Example 1. Reduction modulo p = 59 yields

W−23 [γ2 ](X) ≡ (X − 40)(X − 47)(X − 53) (mod 59).

We verify that (40)3 ≡ 44 (mod 59), (47)3 ≡ 42 (mod 59) and (53)3 ≡ 20
(mod 59), which is in accordance with our previous results.

From this example we see that we reduce the size of the constant term of the
class polynomial from 14 decimal digits, when using j, to 5 decimal digits, when
using γ2 . According to Cohen [5, §7.6.3] the use of higher class invariants reduces
 5.5 Using Class Invariants 41

the size of coefficients only up to some constant factor. Although this may be
useful in practise, it has of course, according to this, no effect on the asymptotic
complexity estimate of an algorithm.
 6 Primality Testing 42

6 Primality Testing
In 1986 Goldwasser and Kilian presented the first general purpose primality test
that was based on the theory of elliptic curves. A crucial step in their method
was to search for an elliptic curve with a given number of rational points, by
picking random curves and counting points. Although quite powerful in theory,
this method proved hard to implement in practice. Soon after, Atkin came up
with a better approach. Instead of searching for a curve, he applied the theory of
complex multiplication to explicitly construct a curve with the properties needed
for the test. We will now finish this essay by briefly describing this elliptic curve
primality test, referring the reader to Atkin [2] and Cohen [5] for full details.
Let N denote an integer whose primality is to be tested. The following
proposition, which we state without proof, provides the basis for the primality
test [5, Propositions 9.2.1 and 9.2.2].

Proposition 6.1. Let N > 3 be an integer, E an elliptic curve modulo N and

let m = |E(FN )|. Assume that we know a point P ∈ E(FN ) such that m and P
satisfy the following conditions.

2
(i) There exists a prime divisor q of m such that q > N 1/4 + 1 .
(ii) [m]P = OE = (0 : 1 : 0).
(iii) [ m ∗
q ]P = (x : y : t) with t ∈ (FN ) .

Then, assuming all computations are possible, N is prime.

The last statement of this proposition, concerning valid computations, is impor-

tant. Since N may be composite, we could very well be dealing with elliptic
curves over rings instead of fields. However, instead of adapting our methods we
simply act as if N was prime. Then as soon as some basic arithmetic operation
on E fails, we know that N must indeed be composite.
The first step of the primality test is to see whether N is small enough to be
easily factored using simple methods, such as trial division. We arbitrarily set
a threshold B that determines our action, e.g. B = 1020 . If N is larger than
B, then we progress to find a fundamental discriminant D which satisfies the
conditions of Theorem 2.4 for some t and s, and for which m = N + 1 − t has
a large factor q which is a probable prime. To solve for t and s we can use a
well-known algorithm of Cornacchia (see [14] for a recent version that has been
 6 Primality Testing 43

optimised for our purpose). Once such a discriminant has been found, we progress
to compute the equation of an elliptic curve E over FN with m rational points,
using the CM method. Of course, if anything fails at this stage, we immediately
abort the algorithm and output that N is composite. After we have found the
equation for E, we pick a random point P and see if conditions (ii) and (iii) of
Proposition 6.1 hold. If that is the case, then all there is left is to verify that q
is indeed a prime. We do that by making a recursive call to the primality testing
procedure. This produces a tower of probable primes which acts as a certificate
for the primality of N : If one term fails to be prime then the previous term is
neither a prime, and the whole tower crumbles. The recursive process should
terminate as q < N . In fact, since q is always less than half of N , we expect the
number of recursive calls to be O(log N ). We summarise what has been said in
the following algorithm.

AGK-Primality-Test(N)
1 if N < B then
2 Trial divide to see if N is prime, return ‘prime’ or ‘composite’ accordingly.
3 end
4 repeat
5 Find a fundamental discriminant D such that N splits as a
product of two elements in the ring OK of integers in
√
K = Q( −D), i.e. p = ππ̄, π ∈ OK .
6 m ← N + 1 − (π + π̄)

2
7 until m = kq with k > 2 and q > N 1/4 + 1 a probable prime
8 Compute E with m rational points by the CM method
9 Search for a rational point P such that [m]P = OE but [ m
q ]P 6= OE .
10 if there is such a point P with m > (N 1/4 + 1)2 then
11 if AGK-Primality-Test(q) =‘prime’ then
12 return ‘prime’
13 else
14 return ‘composite’
15 end
16 end
 REFERENCES 44

References
[1] Amod Agashe, Kristin Lauter, and Ramarathnam Venkatesan. Constructing
elliptic curves with a known number of points over a prime field, 2000.

[2] A. O. L. Atkin and F. Morain. Elliptic curves and primality proving. Math.
Comp., 61(203):29–63, 1993.

[3] C. Batut, K. Belabas, D. Bernardi, H. Cohen, and M. Olivier. pari/gp, a

computer algebra package, 2004. URL http://www.parigp-home.de.

[4] Reinier Bröker and Peter Stevenhagen. Elliptic curves with a given num-
ber of points. In Duncan A. Buell, editor, Algorithmic Number Theory, 6th
International Symposium, ANTS-VI, volume 3076 of Lecture Notes in Com-
puter Science, pages 117–131, Burlington, VT, USA, June 13-18, 2004, 2004.
Springer.

[5] Henri Cohen. A course in computational algebraic number theory. Graduate

texts in mathematics 138. Springer, Berlin/London, 1993.

[6] David A. Cox. Primes of the form x2 + ny 2 : Fermat, class field theory, and
complex multiplication. Wiley, New York, 1989.

[7] E. Kaltofen and N. Yui. Explicit construction of the hilbert class fields of
imaginary quadratic fields by integer lattice reduction. In Number Theory,
pages 149–202, New York/London, 1991. Springer.

[8] Donald Ervin Knuth. The art of computer programming. 2nd ed. Vol.2.
Addison-Wesley, Reading, Mass., 1981.

[9] Neal Koblitz. Introduction to elliptic curves and modular forms. Graduate
texts in mathematics 97. Springer, New York/London, 1984.

[10] Serge Lang. Elliptic functions. Graduate texts in mathematics 112.

Springer, New York/London, 2nd edition, 1987.

[11] Serge Lang. Algebraic number theory. Graduate texts in mathematics 110.
Springer, New York/London, 1986.
 REFERENCES 45

[12] A. K. Lenstra and Jr. H. W. Lenstra. Algorithms in number theory. In

Handbook of theoretical computer science (vol. A): Algorithms and complex-
ity, pages 673–715. MIT Press, 1990.

[13] F. Morain. Construction of hilbert class fields of imaginary quadratic fields

and dihedral equations modulo p. Technical Report RR-1087, INRIA, 1989
1989.

[14] Francois Morain. Implementing the asymptotically fast version of the elliptic
curve primality proving algorithm, 2005.

[15] Francois Morain. Implementation of the atkin-goldwasser-kilian primality

testing algorithm. Technical Report RR-0911, INRIA, 1988.

[16] Joseph H. Silverman. The arithmetic of elliptic curves. Graduate texts in

mathematics 106. Springer, New York/London, 1986.