The curve is that it has a characteristic equation of degree 2, and the constant coefficient in its characteristic equation, the norm of the Frobenius element, is exactly the cardinality of our finite field. So our characteristic polynomial for Frobenius is always going to look like x squared, some constant coefficient times x, plus q, and minus that constant coefficient is exactly the trace of Frobenius. So if t is what we're going to call our trace of Frobenius (I'm not going to have an a_q here, I'll simply just call it t for trace), our characteristic polynomial for the Frobenius endomorphism is x squared minus tx plus q, and I'm going to use pi sub E to denote the Frobenius endomorphism. So t is the trace of Frobenius, q is the degree of the Frobenius endomorphism as an isogeny, as an endomorphism from the elliptic curve to itself. Now we want to understand things mod l, so the thing to do, and this is really, I think, Schoof's essential insight, is we should think about the Frobenius endomorphism not acting on the entire endomorphism ring, but let's just restrict our attention to the l-torsion. So the endomorphisms are going to preserve, are going to take l-torsion points to l-torsion points, so we can take any endomorphism we like and restrict it to the l-torsion. And so we could think about End E[l], the endomorphisms of our l-torsion subgroup, and the Frobenius endomorphism restricts to some particular element, an endomorphism of E[l]. And we could even write down those endomorphisms explicitly with two-by-two matrices with entries in Z mod lZ if we wanted to. Okay, I'm not going to do that, we don't need to do that for the purpose of implementing Schoof's algorithm, but that's a useful thing to do; a lot of information can be gained from doing so. Okay, so what are some other elements of our endomorphism ring?
Well, there are certain endomorphisms that are always there, right? What are the endomorphisms that every elliptic curve has? Well, there's always the multiplication-by-m map for every integer m, right? If I add a point to itself on the elliptic curve, I'm really executing the multiplication-by-two endomorphism, and scalar multiplication by m corresponds to a morphism that looks like the following: if you think of the endomorphisms, well, they're a ring, Z is our initial object in the category of rings, so there is an element of this endomorphism ring that represents that integer m, and it corresponds to multiplication by m. And I could think about that as acting on all of either the rational points or even the F_q-bar points of the elliptic curve, or I could just restrict it to the l-torsion; it's going to restrict to a scalar multiplication-by-m map on the l-torsion. Of course, when we're restricted to the l-torsion, the scalar multiplication maps are only going to matter mod l, but they're going to correspond to endomorphisms, and we know how to compute algebraic equations that specify these endomorphisms explicitly. So these all can be derived directly from the group law, right? I could apply the group law to doubling a point, and that's giving me the multiplication-by-two endomorphism, and I could do the same thing for tripling a point, but the equations get more and more complicated. Fortunately, we know some standard tools for computing those equations using division polynomials, so we're going to make use of those.
Right, so we want to now interpret this characteristic equation of Frobenius. I've now replaced the E's with little sub-l's to indicate that I'm taking all of these endomorphisms and restricting them to the l-torsion, and I should note, even in the top equation, that's an equation in the endomorphism ring, so the t and the q there, you could think of them as integers, but really you should think of them as the image of integers in the endomorphism ring. So multiplication by t is an endomorphism, that's how we want to think of that t, and that q, we don't want to think about it as the cardinality of our finite field, we want to think of that as the multiplication-by-q endomorphism, okay, and that also makes sense mod l. So now we have equation one, and we should think of that as an identity inside the endomorphism ring of our l-torsion. We know, or can easily compute, everything in that equation except t, t sub l. Right, we know what q is, so we know what q sub l is: we can compute the multiplication-by-q map restricted to the l-torsion, and we'll see exactly how to do that. How about the Frobenius endomorphism? Well, where does the Frobenius endomorphism come from? It comes from the Frobenius automorphism of our finite field, right, it's the q-power Frobenius. How does it act on points on our elliptic curve? It just raises coordinates to q-th powers. Okay, so we know exactly what Frobenius does, and we also know what its square does: it raises to the q-th power twice. So our strategy is to compute everything in that equation, and, you know, one strategy would be to compute everything in that equation and solve for t. An even simpler strategy is to realize that l is not that big, so let's just try every possible value of t, right? There are only l different scalar multiplication maps on the l-torsion, 0, 1, up to l minus 1.
We're just going to try all of them until we find one that satisfies this equation, because we're going to have a way to uniquely represent endomorphisms that will allow us to compare them and know when we have an equality. So our strategy, rather than solving for t sub l, is to just try every possible value, because there aren't that many to choose from. You can be a little bit more clever than that, but it turns out being more clever doesn't actually improve the asymptotic running time of the algorithm. You might as well just try the possibilities. Okay, so in the bottom of the slide, I'm just making it completely explicit how we could compute the q sub l here. We're not actually going to compute it by reducing multiplication by q to the l-torsion. We're going to compute it inside the l-torsion ring using an endomorphism we know, the identity. We know how to compute one as an endomorphism, and we know how to add one to itself q times. Now, q is huge, but we can use our standard double-and-add trick here, binary multiplication, I guess, to add the one endomorphism to itself q times to get q sub l. And that's exactly what we're going to do. So in order for this algorithm to work, to sort of bootstrap ourselves, the only thing we need to know how to do is to compute one and to compute pi sub l. And we need to know how to do arithmetic in the ring of endomorphisms restricted to the l-torsion. So that's what I want to dig into next. But before we get into the details of how one would actually implement this, are there any questions on what we're trying to do here, where our goal is?

Can you also do prime powers for l?

Yeah, there are some extensions or optimizations to Schoof's algorithm, or even Elkies' algorithm, but they don't really do this directly.
They do something more efficient and more clever. But it's not really a huge win, because there just aren't that many prime powers. I mean, it's a small gain, but it's not going to improve the asymptotic running time to try and take advantage of prime powers. But yes, people have definitely thought about it, and really I think most of the work there is on the side of trying to enhance Elkies' approach, which uses l-isogenies. You can also gain information by thinking about l-power isogenies. But for today, for this lecture, we're just going to stick to the classic Schoof's algorithm in its original form. There are no isogenies anywhere in the picture, just endomorphisms. Any other questions? Yeah. For very small q's it can, but actually this algorithm will work fine for supersingular curves as well. But in fact, as you'll see on the problem set, there's a better way to detect supersingular curves that's even faster than point counting. And so in practice, people do that first, or that's what you should do first, before you even run Schoof's algorithm. I should also mention we're going to assume that the j-invariant of our elliptic curve is not 0 or 1728. That's another annoying special case, but it turns out it's really easy to count points on curves whose j-invariant is 0 or 1728. It's like falling off a log, but I won't go into the details of that. So yes, there are some special cases that you want to avoid, but in fact for large q you can handle the supersingular curves just fine. Any other questions? Okay. Yeah, I mean, just maybe to amplify my answer to your question, even in a quaternion algebra, or when an order in a quaternion algebra is your endomorphism ring, it's still the case that the Frobenius endomorphism has a characteristic polynomial that looks exactly like this. All the characteristic polynomials are degree two. All right. Okay.
So as I mentioned, our strategy to compute t sub l is just to try all the possibilities, and I'll use c to indicate a candidate for t sub l. And we're just going to compute this endomorphism: pi sub l squared minus c times pi sub l plus q sub l. In fact, we're going to be slightly more clever than that. We're going to pre-compute pi sub l squared plus q sub l, and then iteratively try computing multiples of pi sub l until we find one that matches. But this is basically what we're doing, and we're going to check whether we get zero. And one important lemma that we need, and this will be very important in a particularly interesting, exceptional case that actually does crop up in practice, is: you might wonder, is this guaranteed to work? And the answer is yes, it's guaranteed to work. One can prove that if you have a c that works, it has to be congruent to the trace of Frobenius mod l. Yeah, I won't walk through the steps of that proof, but I'll put a link in the notes. Moreover, this is true even if you're working in a subring of the endomorphism ring of the l-torsion, which we will sometimes have the opportunity to do. All right, so now I want to talk about how we're going to compute the endomorphisms that we need to bootstrap our computation. How do we get started, and how are we going to represent these endomorphisms that are acting on the l-torsion? So first, we're going to make use of the l-th division polynomial of our elliptic curve, and if you're not familiar with division polynomials, you could take it as a definition: it's the polynomial whose roots are all the x-coordinates of the non-zero elements of the l-torsion subgroup of E. Because l does not divide q, the l-torsion subgroup over F_q bar is going to be isomorphic to Z mod lZ cross Z mod lZ. Okay, so there are going to be l squared elements, one of them is zero, so there are going to be l squared minus one non-zero elements.
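As an added example, not part of the lecture: a small Python implementation of the division polynomials just described, on a constructed curve y^2 = x^3 + 2x + 3 over F_13 (the prime, curve and function names are my own choices). It checks that psi_l has degree (l^2-1)/2, one root per pair of nonzero l-torsion points that share an x-coordinate, and that its roots in F_p are exactly the x-coordinates of the rational points P with lP = O, using the same double-and-add scalar multiplication mentioned earlier.

```python
P, A, B = 13, 2, 3  # constructed sample curve y^2 = x^3 + 2x + 3 over F_13 (not from the lecture)
def trim(u): return u[:max((i for i, c in enumerate(u) if c), default=0) + 1]  # drop leading zeros
def padd(u, v):  # polynomials in x are coefficient lists mod P, lowest degree first
    n = max(len(u), len(v))
    return trim([((u[i] if i < len(u) else 0) + (v[i] if i < len(v) else 0)) % P for i in range(n)])
def psub(u, v): return padd(u, [(-c) % P for c in v])
def ppow(u, e): return [1] if e == 0 else pmul(u, ppow(u, e - 1))
def pmul(u, v):
    w = [0] * (len(u) + len(v) - 1)
    for i, c in enumerate(u):
        for j, d in enumerate(v): w[i + j] = (w[i + j] + c * d) % P
    return trim(w)
F = [B, A, 0, 1]  # f(x) = x^3 + a x + b, so y^2 = f and y^4 = f^2 in the quotient ring
# psi_n = h_n(x) for odd n and psi_n = y * h_n(x) for even n; standard base cases psi_0..psi_4
H = {0: [0], 1: [1], 2: [2],
     3: trim([(-A * A) % P, 12 * B % P, 6 * A % P, 0, 3]),
     4: trim([4 * c % P for c in (-8 * B * B - A ** 3, -4 * A * B, -5 * A * A, 20 * B, 5 * A, 0, 1)])}

def h(n):
    """h_n(x) from the standard division-polynomial recurrence, memoised in H."""
    if n not in H:
        m = n // 2
        if n % 2:  # psi_{2m+1} = psi_{m+2} psi_m^3 - psi_{m-1} psi_{m+1}^3 (y^4 -> f^2 on the even side)
            t1, t2 = pmul(h(m + 2), ppow(h(m), 3)), pmul(h(m - 1), ppow(h(m + 1), 3))
            H[n] = psub(pmul(ppow(F, 2), t1), t2) if m % 2 == 0 else psub(t1, pmul(ppow(F, 2), t2))
        else:      # psi_{2m} = psi_m (psi_{m+2} psi_{m-1}^2 - psi_{m-2} psi_{m+1}^2) / (2y)
            inner = psub(pmul(h(m + 2), ppow(h(m - 1), 2)), pmul(h(m - 2), ppow(h(m + 1), 2)))
            H[n] = pmul([pow(2, -1, P)], pmul(h(m), inner))
    return H[n]
def ec_add(p1, p2):  # affine chord-and-tangent law on E(F_p); None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p1 == p2 else (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)
def ec_mul(k, pt):  # double-and-add, the same trick the lecture uses to build q_l from 1
    r = None
    for bit in bin(k)[2:]:
        r = ec_add(r, r)
        if bit == '1': r = ec_add(r, pt)
    return r
def rational_points(): return [(x, y) for x in range(P) for y in range(P) if (y * y - x ** 3 - A * x - B) % P == 0]
def trace(): return P + 1 - (len(rational_points()) + 1)  # t = p + 1 - #E(F_p) by brute force
def torsion_roots_match(l):
    """For odd l: psi_l(x_P) == 0 exactly when l*P == O, checked over every rational point P."""
    ev = lambda x: sum(c * pow(x, i, P) for i, c in enumerate(h(l))) % P
    return all((ev(x) == 0) == (ec_mul(l, (x, y)) is None) for x, y in rational_points())
```

On this curve #E(F_13) = 18, so t = -4; 3 divides 18 and psi_3 picks out the rational 3-torsion, while 5 does not and psi_5 has no root at any rational x-coordinate.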
l is odd, so all the l-torsion points and their negations are different, but they have the same x-coordinate, because we're working with a short Weierstrass model. So there are (l squared minus one) over two distinct x-coordinates, and that's exactly the degree of the l-th division polynomial, (l squared minus one) over two. And to represent elements of our endomorphism rings acting on the l-torsion as rational maps, we're going to work in the following quotient ring. We're going to take the two-variable polynomial ring over F_q, and we want to mod out by our curve equation, which is y squared minus f of x, the ideal generated by that and our division polynomial. And so this quotient ring, which is definitely not necessarily a field, there may be zero divisors in this ring, but this quotient ring is how we're going to represent endomorphisms acting on the l-torsion. And we're going to use a standard representation that'll be familiar to any of you who've studied endomorphisms of elliptic curves, especially if you've read Larry Washington's book: we're going to put all of our endomorphisms in a standard form, where we're just thinking of these acting on affine points,