Given a curve with points over GF(p), a subgroup of prime order q and a co-factor h.

How do I calculate the size of q, which is also the modulus?

I was thinking q = p/h.

WeCanBeFriends
  • Dupe https://crypto.stackexchange.com/questions/40726/how-is-the-order-of-a-point-calculated-for-elliptic-curves-over-gfp and more linked there. – dave_thompson_085 Apr 27 '19 at 00:33

1 Answer


Run Schoof's algorithm on the curve parameters to find $qh$, and divide by $h$.

The size $p$ of the coordinate field is only required, by Hasse's theorem, to be near $qh$, within a factor of a square root: $|qh - (p + 1)| \leq 2 \sqrt p$. Consequently, $p/h$ may be near $q$ but is not equal to $q$ except in anomalous curves in which ECDLP is easily solved by additive transfers as described by Smart (preprint), Araki–Satoh, and Semaev (the ‘Smart-ASS’ attack).

For example, Curve25519's coordinate field is $\operatorname{GF}(2^{255} - 19)$, and its order is $2^{255} + 221938542218978828286815502327069187944 = qh$ where $q = 2^{252} + 27742317777372353535851937790883648493$ and $h = 8$.

Squeamish Ossifrage
  • Thanks for the answer. Could you explain why I cannot just divide by the co-factor? – WeCanBeFriends Apr 26 '19 at 20:12
  • @WeCanBeFriends: divide what by the cofactor? You need to know the number of points on the curve (and while it'll be close to $p$, it won't be exactly $p$) – poncho Apr 26 '19 at 20:21
  • Oh, I was referring to doing p/h. TBC, I have the order of the base field p already. – WeCanBeFriends Apr 26 '19 at 20:33
  • @poncho To rephrase, given a group p, how do I find the largest subgroup? – WeCanBeFriends Apr 26 '19 at 20:46
  • @WeCanBeFriends: you find the order of the group (Schoof's algorithm), and then factor it. This latter part is easier than it sounds; we only use curves that have orders that are easy to factor (qh, for a large prime q, and a small integer h) – poncho Apr 26 '19 at 20:53
  • @poncho Would the order of GF(p) be p, if p is prime? – WeCanBeFriends Apr 26 '19 at 21:12
  • 1
    @WeCanBeFriends: do you mean the order of an elliptic curve based on $GF(p)$; no, in general, it wouldn't (but again, it would be close). Do you mean the order of the multiplicative group $\mathbb{Z}_p^*$? No, that'd be $p-1$. Do you mean the order of the additive group $\mathbb{Z}_p^+$? Yes, that would be (however, that group isn't typically used in cryptography, as things like the 'discrete log' problem (modular division) is easy – poncho Apr 26 '19 at 21:25