Cryptology ePrint Archive: Report 2009/445

Computing Hilbert class polynomials with the Chinese Remainder Theorem

Andrew V. Sutherland

Abstract: We present a space-efficient algorithm to compute the Hilbert class polynomial H_D(X) modulo a positive integer P, based on an explicit form of the Chinese Remainder Theorem. Under the Generalized Riemann Hypothesis, the algorithm uses O(|D|^(1/2+o(1))log P) space and has an expected running time of O(|D|^(1+o(1)). We describe practical optimizations that allow us to handle larger discriminants than other methods, with |D| as large as 10^13 and h(D) up to 10^6. We apply these results to construct pairing-friendly elliptic curves of prime order, using the CM method.

Category / Keywords: public-key cryptography / elliptic curve cryptography, complex multiplication, pairing-friendly curves

Date: received 10 Sep 2009

Contact author: drew at math mit edu

Available formats: PDF | BibTeX Citation

Version: 20090914:011628 (All versions of this report)

Discussion forum: Show discussion | Start new discussion