**Computing Hilbert class polynomials with the Chinese Remainder Theorem**

*Andrew V. Sutherland*

**Abstract: **We present a space-efficient algorithm to compute the Hilbert class polynomial H_D(X) modulo a positive integer P, based on an explicit form of the Chinese Remainder Theorem. Under the Generalized Riemann Hypothesis, the algorithm uses O(|D|^(1/2+o(1))log P) space and has an expected running time of O(|D|^(1+o(1)). We describe practical optimizations that allow us to handle larger discriminants than other methods, with |D| as large as 10^13 and h(D) up to 10^6. We apply these results to construct pairing-friendly elliptic curves of prime order, using the CM method.

**Category / Keywords: **public-key cryptography / elliptic curve cryptography, complex multiplication, pairing-friendly curves

**Date: **received 10 Sep 2009

**Contact author: **drew at math mit edu

**Available format(s): **PDF | BibTeX Citation

**Version: **20090914:011628 (All versions of this report)

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]