2 A class of point counting problems

This series of three lectures of one hour each was preceded by two introductory lectures by Henk van Tilborg about applications of discrete logarithms (in multiplicative groups as well as elliptic curves) to cryptography. Those introductory lectures should now serve as motivation for the coming three lectures. Large cyclic subgroups of prime order in elliptic curves or in Jacobians of higher genus curves are useful in the cryptographic applications because at present there seems to be no sub-exponential algorithm known for the discrete log problem in this context (except in some very special cases), in contrast to the index calculus algorithm for the discrete log problem in the multiplicative group of a finite field. This state of affairs is then used as justification for a smaller block size, preserving the security. Let us consider the case of elliptic curves. As one needs subgroups of prime order, it is crucial to know the exact order of groups such as E(Fq), where E is an elliptic curve over a finite field Fq, as well as the factorization into prime factors of them. In practice one uses finite fields Fq with q of size at least about 200 binary digits. At the start of elliptic curve cryptography around 1986 there was only one algorithm to compute #E(Fq), namely, Schoof’s algorithm, running in time O((log q)) (after improvements by Atkin, Elkies and Couveignes; Schoof’s original algorithm had running time O((log q))). Schoof’s algorithm is often said to use l-adic methods, because it uses the torsion points of all prime orders l up to a suitable bound. But, in 20001, Satoh came up with a so-called p-adic method. Here, p is the characteristic 1Note added during the workshop: Vercauteren showed me the article [5] by Goro Kato and Saul Lubkin,