Implement EllipticCurve_with_prime_order() constructor #38341
Conversation
|
Documentation preview for this PR (built with commit 11270fb; changes) is ready! 🎉 |
|
From my perspective the work was done during a Sage days and most probably can be improved but I would be interested in tracing that over flow error... I thought we tested it for larger values and it was fine and fast enough. Don't know... |
Now that I read my comment again, I might have wrongfully expressed myself. I wanted to argue why this code that would intuitively fit inside your work is written separately. |
| # of elements of S than using a powerset. Here many multiplications are | ||
| # done multiple times. | ||
| for e in powerset(S): | ||
| D = product(e) |
There was a problem hiding this comment.
In the paper, the algorithm takes a product of the p^* terms, not the p terms. Should there be a computation of the p^* terms somewhere? I also don't see where you do the square root mod N part of the algorithm.
There was a problem hiding this comment.
The square roots are used to solve the diophantine equation for 4 * N and BinaryQF does it for us.
The p* are defined as p* = (-1)^(p-1 / 2) * p. Basically, it checks the parity of p-1 / 2 to negate or not p. This is a shady part for me because this wouldn't work and it kept yielding non-discriminants for the Hilbert polynomial. I found a hack around that seems to work but maybe I'm wrong here.
I disagree, I mean CM method inherently generates multiple curves, so it makes sense to return an iterator. If you want a single curve, just use the (builtin) |
|
Also I will have to look closer at the paper and the implementation, but why don't use you just use |
Agreed, I believe this work is fine but the ways around for the discriminant computation would require second, maybe deeper review. Thanks a lot for the good review so far! |
I suggest this diff against develop that implements the
EllipticCurve_with_prime_order(N)constructor. Using the prime orderNin input, this method finds another primepand constructs an elliptic curveE/Fpwith#E(Fp) = N.It follows Algorithm 2.2 of the paper Constructing Elliptic Curves of prime order by Bröker and Stevenhagen. The running time is quite random depending on the input parameter but can turn out to be fast for some larger values (≃ 256 bits primes). It's also worth noticing that some values will make this function run for a very long time.
There had been a PR by @grhkm21 and @GiacomoPope that implements the
EllipticCurve_with_order()method. This PR would intuitively fit nice into their work but I felt uncomfortable with it returning an iterator. I felt like returning a single curve was more handy so I implemented this method in a separate function that does so but I'm open to suggestions if this is of any interest to the community.📝 Checklist
⌛ Dependencies