On the Product of Small Elkies Primes
This addresses a theoretical gap in elliptic curve cryptography by providing unconditional results on the distribution of Elkies primes, which is crucial for optimizing point-counting algorithms.
The paper tackles the problem of bounding the product of small Elkies primes used in efficient algorithms for counting points on elliptic curves over finite fields, showing that there exist infinitely many prime-curve pairs where this bound is significantly larger than the naive heuristic estimate of log p, specifically at least c log p log log log p for some constant c.
Given an elliptic curve $E$ over a finite field $\F_q$ of $q$ elements, we say that an odd prime $\ell \nmid q$ is an Elkies prime for $E$ if $t_E^2 - 4q$ is a quadratic residue modulo $\ell$, where $t_E = q+1 - #E(\F_q)$ and $#E(\F_q)$ is the number of $\F_q$-rational points on $E$. These primes are used in the presently most efficient algorithm to compute $#E(\F_q)$. In particular, the bound $L_q(E)$ such that the product of all Elkies primes for $E$ up to $L_q(E)$ exceeds $4q^{1/2}$ is a crucial parameter of this algorithm. We show that there are infinitely many pairs $(p, E)$ of primes $p$ and curves $E$ over $\F_p$ with $L_p(E) \ge c \log p \log \log \log p$ for some absolute constant $c>0$, while a naive heuristic estimate suggests that $L_p(E) \sim \log p$. This complements recent results of Galbraith and Satoh (2002), conditional under the Generalised Riemann Hypothesis, and of Shparlinski and Sutherland (2012), unconditional for almost all pairs $(p,E)$.