Testing latest pari + WASM + node.js... and it works?! Wow.

1
% Copyright (c) 2000  The PARI Group
2
%
3
% This file is part of the PARI/GP documentation
4
%
5
% Permission is granted to copy, distribute and/or modify this document
6
% under the terms of the GNU General Public License
7
\chapter{Elliptic curves and arithmetic geometry}
8

9
This chapter is quite short, but is added as a placeholder, since
10
we expect the library to expand in that direction.
11

12
\section{Elliptic curves}
13
Elliptic curves are represented in the Weierstrass model
14
$$ (E): y^2z + a_1xyz + a_3 yz = x^3 + a_2 x^2z + a_4 xz^2 + a_6z^3, $$
15
by the $5$-tuple $[a_1,a_2,a_3,a_4,a_6]$. Points in the projective
16
plane are represented as follows: the point at infinity $(0:1:0)$ is coded
17
as \kbd{[0]}, a finite point $(x:y:1)$ outside the projective line at infinity
18
$z = 0$ is coded as $[x,y]$. Note that other points at infinity than $(0:1:0)$
19
cannot be represented; this is harmless, since they do not belong to any of
20
the elliptic curves $E$ above.
21

22
\emph{Points on the curve} are just projective points as described above,
23
they are not tied to a curve in any way: the same point may be used in
24
conjunction with different curves, provided it satisfies their equations (if
25
it does not, the result is usually undefined). In particular, the point at
26
infinity belongs to all elliptic curves.
27

28
As with \tet{factor} for polynomial factorization, the $5$-tuple
29
$[a_1,a_2,a_3,a_4,a_6]$ implicitly defines a base ring over which the curve
30
is defined. Point coordinates must be operation-compatible with this
31
base ring (\kbd{gadd}, \kbd{gmul}, \kbd{gdiv} involving them should not give
32
errors).
33

34
\subsec{Types of elliptic curves}
35

36
We call a $5$-tuble as above an \kbd{ell5}; most functions require an
37
\kbd{ell} structure, as returned by \tet{ellinit}, which contains additional
38
data (usually dynamically computed as needed), depending on the base field.
39

40
\fun{GEN}{ellinit}{GEN E, GEN D, long prec}, returns an \tet{ell} structure,
41
attached to the elliptic curve $E$ : either an \kbd{ell5}, a pair $[a_4,a_6]$
42
or a \typ{STR} in Cremona's notation, e.g. \kbd{"11a1"}. The optional $D$
43
(\kbd{NULL} to omit) describes the domain over which the curve is defined.
44

45
\subsec{Type checking}
46

47
\fun{void}{checkell}{GEN e} raise an error unless $e$ is an \var{ell}.
48

49
\fun{int}{checkell_i}{GEN e} return $1$ if $e$ is an \var{ell} and $0$
50
otherwise.
51

52
\fun{void}{checkell5}{GEN e} raise an error unless $e$ is an \var{ell}
53
or an \var{ell5}.
54

55
\fun{void}{checkellpt}{GEN z} raise an error unless $z$ is a point
56
(either finite or at infinity).
57

58
\fun{long}{ell_get_type}{GEN e} returns the domain type over which the curve
59
is defined, one of
60

61
  \tet{t_ELL_Q} the field of rational numbers;
62

63
  \tet{t_ELL_NF} a number field;
64

65
  \tet{t_ELL_Qp} the field of $p$-adic numbers, for some prime $p$;
66

67
  \tet{t_ELL_Fp} a prime finite field, base field elements are represented as
68
  \kbd{Fp}, i.e.~a \typ{INT} reduced modulo~$p$;
69

70
  \tet{t_ELL_Fq} a nonprime finite field (a prime finite field can also be
71
  represented by this subtype, but this is inefficient), base field elements
72
  are represented as \typ{FFELT};
73

74
  \tet{t_ELL_Rg} none of the above.
75

76
\fun{void}{checkell_Fq}{GEN e} checks whether $e$ is an \kbd{ell}, defined
77
over a finite field (either prime or nonprime). Otherwise the function
78
raises a \tet{pari_err_TYPE} exception.
79

80
\fun{void}{checkell_Q}{GEN e} checks whether $e$ is an \kbd{ell}, defined
81
over $\Q$. Otherwise the function raises a \tet{pari_err_TYPE} exception.
82

83
\fun{void}{checkell_Qp}{GEN e} checks whether $e$ is an \kbd{ell}, defined
84
over some $\Q_p$. Otherwise the function raises a \tet{pari_err_TYPE}
85
exception.
86

87
\fun{void}{checkellisog}{GEN v} raise an error unless $v$ is an isogeny,
88
from \tet{ellisogeny}.
89

90
\subsec{Extracting info from an \kbd{ell} structure}
91

92
These functions expect an \kbd{ell} argument. If the required data is not
93
part of the structure, it is computed then inserted, and the new value is
94
returned.
95

96
\subsubsec{All domains}
97

98
\fun{GEN}{ell_get_a1}{GEN e}
99

100
\fun{GEN}{ell_get_a2}{GEN e}
101

102
\fun{GEN}{ell_get_a3}{GEN e}
103

104
\fun{GEN}{ell_get_a4}{GEN e}
105

106
\fun{GEN}{ell_get_a6}{GEN e}
107

108
\fun{GEN}{ell_get_b2}{GEN e}
109

110
\fun{GEN}{ell_get_b4}{GEN e}
111

112
\fun{GEN}{ell_get_b6}{GEN e}
113

114
\fun{GEN}{ell_get_b8}{GEN e}
115

116
\fun{GEN}{ell_get_c4}{GEN e}
117

118
\fun{GEN}{ell_get_c6}{GEN e}
119

120
\fun{GEN}{ell_get_disc}{GEN e}
121

122
\fun{GEN}{ell_get_j}{GEN e}
123

124
\subsubsec{Curves over $\Q$}
125

126
\fun{GEN}{ellQ_get_N}{GEN e} returns the curve conductor
127

128
\fun{void}{ellQ_get_Nfa}{GEN e, GEN *N, GEN *faN} sets $N$ to the conductor
129
and \kbd{faN} to its factorization
130

131
\fun{int}{ell_is_integral}{GEN e} return $1$ if $e$ is given by an integral
132
model, and $0$ otherwise.
133

134
\fun{long}{ellQ_get_CM}{GEN e} if $e$ has CM by a principal imaginary
135
quadratic order, return its discriminant. Else return $0$.
136

137
\fun{long}{ellap_CM_fast}{GEN e, ulong p, long CM} assuming that $p$
138
does not divide the discriminant of $E$ (in particular, $E$ has good
139
reduction at $p$), and that \kbd{CM} is as given by \tet{ellQ_get_CM},
140
return the trace of Frobenius for $E/\F_p$. This is meant to quickly compute
141
lots of $a_p$, esp.~when $e$ has CM by a principal quadratic order.
142

143
\fun{long}{ellrootno_global}{GEN e} returns the global root number
144
$c\in \{-1,1\}$.
145

146
\fun{GEN}{ellheightoo}{GEN E, GEN P, long prec} given $P = [x,y]$ an affine
147
point on $E$, return
148
$$
149
\lambda_\infty(P) + \dfrac{1}{12}\log|\disc E| =
150
 \dfrac{1}{2} \text{real}(z\eta(z)) - \log |\sigma(E,z)|
151
\in \R, $$
152
where $\lambda_\infty(P)$ is the canonical local height at infinity
153
and $z$ is \kbd{ellpointtoz}$(E,P)$. This
154
is computed using Mestre's (quadratically convergent) AGM algorithm.
155

156
\fun{long}{ellorder_Q}{GEN E, GEN P} return the order of $P\in E(\Q)$, using
157
the impossible value $0$ for a point of infinite order. Ultimately called
158
by the generic \tet{ellorder} function.
159

160
\fun{GEN}{point_to_a4a6}{GEN E, GEN P, GEN p, GEN *a4} given $E/\Q$,
161
$p\neq 2,3$ not dividing the discriminant of $E$ and $P\in E(\Q)$ outside the
162
kernel of reduction, return the image of $P$ on the short Weierstrass
163
model $y^2 = x^3 + a_4x + a_6$ isomorphic to the reduction $E_p$ of $E$ at $p$.
164
Also set \kbd{a4} to the $a_4$ coefficient in the above model. This function
165
allows quick computations modulo varying primes $p$, avoiding the overhead of
166
\kbd{ellinit}$(E,p)$, followed by a change of coordinates. It produces data
167
suitable for \kbd{FpE} routines.
168

169
\fun{GEN}{point_to_a4a6_Fl}{GEN E, GEN P, ulong p, ulong *pa4} as
170
\tet{point_to_a4a6}, returning a \kbd{Fle}.
171

172
\fun{GEN}{elldatagenerators}{GEN E} returns generators for $E(\Q)$
173
extracted from Cremona's table.
174

175
\fun{GEN}{ellanal_globalred}{GEN e, GEN *v} takes an \var{ell} over $\Q$
176
and returns a global minimal model $E$ (in \kbd{ellinit} form, over $\Q$) for
177
$e$ suitable for analytic computations related to the curve $L$ series: it
178
contains \kbd{ellglobalred} data, as well as global and local root numbers. If
179
\kbd{v} is not \kbd{NULL}, set \kbd{*v} to the needed change of variable:
180
\kbd{NULL} if $e$ was already the standard minimal model, such that $E =
181
\kbd{ellchangecurve(e,v)}$ otherwise. Compared to the direct use of
182
\kbd{ellchangecurve} followed by \kbd{ellrootno}, this function avoids
183
converting unneeded dynamic data and avoids potential memory leaks
184
(the changed curve would have had to be deleted using \tet{obj_free}). The
185
original curve $e$ is updated as well with the same information.
186

187
\fun{GEN}{ellanal_globalred_all}{GEN e, GEN *v, GEN *N, GEN *tam} as
188
\tet{ellanal_globalred}; further set \kbd{*N} to the curve conductor
189
and \kbd{*tam} to the product of the local Tamagawa numbers, including
190
the factor at infinity (multiply by the number of connected components
191
of $e(\R)$).
192

193
\fun{GEN}{ellintegralmodel}{GEN e, GEN *pv} return an integral model
194
for $e$ (in \kbd{ellinit} form, over $\Q$). Set $v = \kbd{NULL}$ (already
195
integral, we returned $e$ itself), else to the variable change
196
$[u,0,0,0]$ making $e$ integral. We have $u = 1/t$, $t > 1$.
197

198
\fun{GEN}{ellintegralmodel_i}{GEN e, GEN *pv} shallow version of
199
 \kbd{ellintegralmodel}.
200

201
\fun{GEN}{ellQtwist_bsdperiod}{GEN E, long s} let $E$ be a rational elliptic
202
curve given by a minimal model, $\Lambda_E$ its period lattice, and
203
$s\in\{-1,1\}$. Let $\Omega_E^\pm$ be the canonical periods in
204
$\sqrt{\pm 1}\R^+$ generating $\Lambda_E \cap \sqrt{\pm 1} \R$.
205
Return $\Omega_E^+$ if $s = 1$ and $\Omega_E^-$ if $s = -1$.
206

207
\fun{GEN}{elltors_psylow}{GEN e, ulong p} as \kbd{elltors}, but return the
208
$p$-Sylow subgroup of the torsion group.
209

210
\misctitle{Deprecated routines}
211

212
\fun{GEN}{elltors0}{GEN e, long flag} this function is deprecated; use
213
\tet{elltors}
214

215
\subsubsec{Curves over a number field \var{nf}}
216

217
Let $K$ be the number field over which $E$ is defined, given by
218
a \var{nf} or \var{bnf} structure.
219

220
\fun{GEN}{ellnf_get_nf}{GEN E} returns the underlying \kbd{nf}.
221

222
\fun{GEN}{ellnf_get_bnf}{GEN x} returns \kbd{NULL} if $K$ does not contain
223
a \var{bnf} structure, else return the \var{bnf}.
224

225
\fun{GEN}{ellnf_vecarea}{GEN E} returns the vector of the period lattices areas
226
of all the complex embeddings of \kbd{E} in the same order as \kbd{E.nf.roots}.
227

228
\fun{GEN}{ellnf_veceta}{GEN E} returns the vector of the quasi-periods of
229
all the complex embeddings of \kbd{E} in the same order as \kbd{E.nf.roots}.
230

231
\fun{GEN}{ellnf_vecomega}{GEN E} returns the vector of the periods of
232
all the complex embeddings of \kbd{E} in the same order as \kbd{E.nf.roots}.
233

234
\subsubsec{Curves over $\Q_p$}
235

236
\fun{GEN}{ellQp_get_p}{GEN E} returns $p$
237

238
\fun{long}{ellQp_get_prec}{GEN E} returns the default $p$-adic accuracy to
239
which we must compute approximate results attached to $E$.
240

241
\fun{GEN}{ellQp_get_zero}{GEN x} returns $O(p^n)$, where $n$ is the default
242
$p$-adic accuracy as above.
243

244
The following functions are only defined when $E$ has multiplicative
245
reduction (Tate curves):
246

247
\fun{GEN}{ellQp_Tate_uniformization}{GEN E, long prec} returns a
248
\typ{VEC} containing $u^2, u, q, [a,b]$, at $p$-adic precision \kbd{prec}.
249

250
\fun{GEN}{ellQp_u}{GEN E, long prec} returns $u$.
251

252
\fun{GEN}{ellQp_u2}{GEN E, long prec} returns $u^2$.
253

254
\fun{GEN}{ellQp_q}{GEN E, long prec} returns the Tate period $q$.
255

256
\fun{GEN}{ellQp_ab}{GEN E, long prec} returns $[a,b]$.
257

258
\fun{GEN}{ellQp_AGM}{GEN E, long prec} returns $[a,b,R,v]$, where
259
$v$ is an integer, $a, b, R$ are vectors describing the sequence of
260
$2$-isogenous curves $E_i: y^2 = x(x+A_i)(x+A_i-B_i)$, $i \geq 1$
261
converging to the singular curve $E_\infty: y^2 = x^2(x+M)$. We have
262
$a[i] = A[i] p^v$, $b[i] = B[i] p^v$, $R[i] = A_i - B_i$. These are used in
263
\kbd{ellpointtoz} and \kbd{ellztopoint}.
264

265
\fun{GEN}{ellQp_L}{GEN E, long prec} returns the ${\cal L}$-invariant $L$.
266

267
\fun{GEN}{ellQp_root}{GEN E, long prec} returns $e_1$.
268

269
\subsubsec{Curves over a finite field $\F_q$}
270

271
\fun{GEN}{ellff_get_p}{GEN E} returns the characteristic
272

273
\fun{GEN}{ellff_get_field}{GEN E} returns $p$ if $\F_q$ is a prime field, and
274
a \typ{FFELT} belonging to $\F_q$ otherwise.
275

276
\fun{GEN}{ellff_get_card}{GEN E} returns $\#E(\F_q)$
277

278
\fun{GEN}{ellff_get_gens}{GEN E} returns a minimal set of generators for
279
$E(\F_q)$.
280

281
\fun{GEN}{ellff_get_group}{GEN E} returns \kbd{ellgroup}$(E)$.
282

283
\fun{GEN}{ellff_get_m}{GEN E} returns the \typ{INT} $m$ as needed by the
284
\kbd{gen\_ellgroup} function (the order of the pairing required to verify a
285
generating set).
286

287
\fun{GEN}{ellff_get_o}{GEN E} returns $[d, \kbd{factor{d}}]$, where $d$ is
288
the exponent of $E(\F_q)$.
289

290
\fun{GEN}{ellff_get_D}{GEN E} returns the elementary divisors for $E(\F_q)$
291
in a form suitable for \tet{gen_ellgens}: either $[d_1]$ or $[d_1,d_2]$,
292
where $d_1$ is in \tet{elff_get_o} format.
293

294
$[d, \kbd{factor{d}}]$, where $d$ is
295
the exponent of $E(\F_q)$.
296

297
\fun{GEN}{ellff_get_a4a6}{GEN E} returns a canonical ``short model'' for $E$,
298
and the corresponding change of variable $[u,r,s,t]$. For $p\neq 2,3$,
299
this is $[A_4,A_6,[u,r,s,t]]$, corresponding to $y^2 = x^3 + A_4x + A_6$,
300
where $A_4 = -27c_4$, $A_6 = -54c_6$, $[u,r,s,t] = [6, 3b_2,3a_1,108a_3]$.
301

302
\item If $p = 3$ and the curve is ordinary ($b_2\neq 0$), this is
303
$[[b_2], A_6, [1,v,-a_1,-a_3]]$, corresponding to
304
$$y^2 = x^3 + b_2 x^2 + A_6,$$
305
where $v = b_4/b_2$, $A_6 = b_6 - v(b_4+v^2)$.
306

307
\item If $p = 3$ and the curve is supersingular ($b_2 = 0$), this is
308
$[-b_4, b_6, [1,0,-a_1,-a_3]]$, corresponding to
309
$$y^2 = x^3 + 2b_4 x + b_6.$$
310

311
\item If $p = 2$ and the curve is ordinary ($a_1 \neq 0$), return
312
$[A_2,A_6,[a_1^{-1}, da_1^{-2}, 0, (a_4+d^2)a_1^{-1}]]$, corresponding to
313
$$ y^2 + xy = x^3 + A_2 x^2 + A_6,$$
314
where
315
$d = a_3/a_1$, $a_1^2 A_2 = (a_2 + d)$ and
316
$$ a_1^6 A_6 = d^3 + a_2 d^2 + a_4 d + a_6 + (a_4^2 + d^4)a_1^{-2}.$$
317

318
\item If $p = 2$ and the curve is supersingular ($a_1 = 0$, $a_3\neq 0$), return
319
$[[a_3, A_4, 1/a_3], A_6, [1,a_2,0,0]]$, corresponding to
320
$$ y^2 + a_3 y = x^3 + A_4 x + A_6,$$
321
where $A_4 = a_2^2 + a_4$, $ A_6 = a_2a_4 + a_6$. The value $1/a_3$ is
322
included in the vector since it is frequently needed in computations.
323

324
\subsubsec{Curves over $\C$} (This includes curves over $\Q$!)
325

326
\fun{long}{ellR_get_prec}{GEN E} return the default accuracy to
327
which we must compute approximate results attached to $E$.
328

329
\fun{GEN}{ellR_ab}{GEN E, long prec} return $[a,b]$
330

331
\fun{GEN}{ellR_omega}{GEN x, long prec} return periods
332
$[\omega_1,\omega_2]$.
333

334
\fun{GEN}{ellR_eta}{GEN E, long prec} return quasi-periods
335
$[\eta_1,\eta_2]$.
336

337
\fun{GEN}{ellR_area}{GEN x, long prec} return the area
338
$(\Im(\omega_1\*\overline{\omega_2}))$.
339

340
\fun{GEN}{ellR_roots}{GEN E, long prec} return $[e_1,e_2,e_3]$. If $E$ is
341
defined over $\R$, then $e_1$ is real. If furthermore $\disc E > 0$, then
342
$e_1 > e_2 > e_3$.
343

344
\fun{long}{ellR_get_sign}{GEN E} if $E$ is defined over $\R$ returns the
345
signe of its discriminant, otherwise return $0$.
346

347
\subsec{Points}
348

349
\fun{int}{ell_is_inf}{GEN z} tests whether the point $z$ is the point at
350
infinity.
351

352
\fun{GEN}{ellinf}{} returns the point at infinity \kbd{[0]}.
353

354
\subsec{Change of variables}
355

356
\fun{GEN}{ellchangeinvert}{GEN w} given a change of variables $w =
357
[u,r,s,t]$, returns the inverse change of variables $w'$, such that if $E' =
358
\kbd{ellchangecurve(E, w)}$, then $E = \kbd{ellchangecurve}(E, w')$.
359

360
\subsec{Generic helper functions}
361

362
The naming scheme assumes an affine equation
363
$F(x,y) = f(x) - (y^2 + h(x)y) = 0$
364
in standard Weierstrass form: $f = x^3+a_2x^2+a_4x+a_6$, $h = a_1x + a_3$.
365
Unless mentionned otherwise, these routine assume that all arguments are
366
compatible with generic functions of \kbd{gadd} or \kbd{gmul} type. In
367
particular they do not handle elements in number field in \kbd{nfalgtobasis}
368
format.
369

370
\fun{GEN}{ellbasechar}{GEN E} returns the characteristic of the base ring over
371
which $E$ is defined.
372

373
\fun{GEN}{ec_bmodel}{GEN E} returns the polynomial $4x^3 + b_2x^2 + 2b_4x +
374
b_6$.
375

376
\fun{GEN}{ec_phi2}{GEN E} returns the polynomial $x^4 - b_4x^2 - 2b_6*X - b_8$.
377

378
\fun{GEN}{ec_f_evalx}{GEN E, GEN x} returns $f(x)$.
379

380
\fun{GEN}{ec_h_evalx}{GEN E, GEN x} returns $h(x)$.
381

382
\fun{GEN}{ec_dFdx_evalQ}{GEN E, GEN Q} returns $3x^2 + 2a_2x + a_4 -a_1y$,
383
where $Q = [x,y]$.
384

385
\fun{GEN}{ec_dFdy_evalQ}{GEN E, GEN Q} returns $-(2y + a_1 x + a_3)$,
386
where $Q = [x,y]$.
387

388
\fun{GEN}{ec_dmFdy_evalQ}{GEN e, GEN Q} returns $2y + a_1 x + a_3$,
389
where $Q = [x,y]$.
390

391
\fun{GEN}{ec_2divpol_evalx}{GEN E, GEN x} returns
392
$4x^3 + b_2\*x^2 + 2\*b_4x + b_6$. This function supports inputs
393
in \kbd{nfalgtobasis} format.
394

395
\fun{GEN}{ec_half_deriv_2divpol_evalx}{GEN E, GEN x} returns
396
$6\*x^2 + b_2\*x + b_4$.
397

398
\fun{GEN}{ec_3divpol_evalx}{GEN E, GEN x} returns
399
$3\*x^4 + b_2\*x^2 + 3\*b_4\*x^2 + 3\*b_6\*x + b_8$.
400

401
\subsec{Functions to handle elliptic curves over finite fields}
402

403
\subsubsec{Tolerant routines}
404

405
\fun{GEN}{ellap}{GEN E, GEN p} given a prime number $p$ and an elliptic curve
406
defined over $\Q$ or $\Q_p$ (assumed integral and minimal at $p$), computes
407
the  trace of  Frobenius  $a_p = p+1 - \#E(\F_p)$. If $E$ is defined over
408
a nonprime finite field $\F_q$, ignore $p$ and return $q+1 - \#E(\F_q)$.
409
When $p$ is implied ($E$ defined over $\Q_p$ or a finite field), $p$ can be
410
omitted (set to \kbd{NULL}).
411

412
\subsubsec{Curves defined a nonprime finite field}
413
In this subsection, we assume that \tet{ell_get_type}$(E)$ is \tet{t_ELL_Fq}.
414
(As noted above, a curve defined over $\Z/p\Z$ can be represented as a
415
\tet{t_ELL_Fq}.)
416

417
\fun{GEN}{FF_elltwist}{GEN E} returns the coefficients
418
$[a_1,a_2,a_3,a_4,a_6]$ of the quadratic twist of $E$.
419

420
\fun{GEN}{FF_ellmul}{GEN E, GEN P, GEN n} returns $[n]P$ where $n$ is an
421
integer and $P$ is a point on the curve $E$.
422

423
\fun{GEN}{FF_ellrandom}{GEN E} returns a random point in $E(\F_q)$.
424
This function never returns the point at infinity, unless this is the
425
only point on the curve.
426

427
\fun{GEN}{FF_ellorder}{GEN E, GEN P, GEN o} returns the order of the point
428
$P$, where $o$ is a multiple of the order of $P$, or its factorization.
429

430
\fun{GEN}{FF_ellcard}{GEN E} returns $\#E(\F_q)$.
431

432
\fun{GEN}{FF_ellcard_SEA}{GEN E, long s}
433
This function returns $\#E(\F_q)$, using the Schoof-Elkies-Atkin
434
algorithm.  Assume $p\neq 2,3$.
435
The parameter $s$ has the same meaning as in \kbd{Fp\_ellcard\_SEA}.
436

437
\fun{GEN}{FF_ellgens}{GEN E} returns the generators of the group $E(\F_q)$.
438

439
\fun{GEN}{FF_elllog}{GEN E, GEN P, GEN G, GEN o} Let \kbd{G} be a point of
440
order \kbd{o}, return $e$ such that $[e]P=G$. If $e$ does not exists, the
441
result is undefined.
442

443
\fun{GEN}{FF_ellgroup}{GEN E, GEN *pm} returns the structure of the Abelian
444
group $E(\F_q)$ and set \kbd{*pm} to $m$ (see \kbd{gen\_ellgens}).
445

446
\fun{GEN}{FF_ellweilpairing}{GEN E, GEN P, GEN Q, GEN m} returns the
447
Weil pairing of the points of $m$-torsion $P$ and $Q$.
448

449
\fun{GEN}{FF_elltatepairing}{GEN E, GEN P, GEN Q, GEN m} returns the Tate
450
pairing of $P$ and $Q$, where $[m]P = 0$.
451

452
\section{Arithmetic on elliptic curve over a finite field in simple form}
453

454
The functions in this section no longer operate on elliptic curve structures,
455
as seen up to now. They are used to implement those higher-level functions
456
without using cached information and thus require suitable explicitly
457
enumerated data.
458

459
\subsec{Helper functions}
460

461
\fun{GEN}{elltrace_extension}{GEN t, long n, GEN q} Let $E$ some elliptic curve
462
over $\F_q$ such that the trace of the Frobenius is $t$, returns the trace of
463
the Frobenius over $\F_q^n$.
464

465
\subsec{Elliptic curves over $\F_p$, $p>3$}
466

467
Let $p$ a prime number and $E$ the elliptic curve given by the equation
468
$E:y^2=x^3+a_4\*x+a_6$, with $a_4$ and $a_6$ in $\F_p$. A \kbd{FpE} is a
469
point of $E(\F_p)$.  Since an affine point and $a_4$ determine an unique
470
$a6$, most functions do not take $a_6$ as an argument. A \kbd{FpE} is either
471
the point at infinity (\kbd{ellinf()}) or a $FpV$ whith two components. The
472
parameters $a_4$ and $a_6$ are given as \typ{INT}s when required.
473

474
\fun{GEN}{Fp_ellj}{GEN a4, GEN a6, GEN p}
475
returns the $j$-invariant of the curve $E$.
476

477
\fun{int}{Fp_elljissupersingular}{GEN j, GEN p} returns $1$ if $j$ is the
478
$j$-invariant of a supersingular curve over $\F_p$, $0$ otherwise.
479

480
\fun{GEN}{Fp_ellcard}{GEN a4, GEN a6, GEN p} returns the cardinality of the
481
group $E(\F_p)$.
482

483
\fun{GEN}{Fp_ellcard_SEA}{GEN a4, GEN a6, GEN p, long s}
484
This function returns $\#E(\F_p)$, using the Schoof-Elkies-Atkin algorithm.
485
If the \kbd{seadata} package is installed, the function will be faster.
486

487
The extra flag \kbd{s}, if set to a nonzero value, causes the computation to
488
return \kbd{gen\_0} (an impossible cardinality) if one of the small primes
489
$\ell$ divides the curve order but does not divide $s$.
490
For cryptographic applications, where one is usually interested in curves of
491
prime order, setting $s=1$ efficiently weeds out most uninteresting curves; if
492
curves of order a power of $2$ times a prime are acceptable, set $s=2$.
493
If moreover \kbd{s} is negative, similar checks are performed for the
494
twist of the curve.
495

496
\fun{GEN}{Fp_ffellcard}{GEN a4, GEN a6, GEN q, long n, GEN p} returns the
497
cardinality of the group $E(\F_q)$ where $q=p^n$.
498

499
\fun{GEN}{Fp_ellgroup}{GEN a4, GEN a6, GEN N, GEN p, GEN *pm} returns the
500
group structure $D$ of the group $E(\F_p)$, which is assumed to be of order $N$
501
and set \kbd{*pm} to $m$.
502

503
\fun{GEN}{Fp_ellgens}{GEN a4, GEN a6, GEN ch, GEN D, GEN m, GEN p} returns
504
generators of the group $E(\F_p)$ with the base change \kbd{ch} (see
505
\kbd{FpE\_changepoint}), where $D$ and $m$ are as returned by
506
\kbd{Fp\_ellgroup}.
507

508
\fun{GEN}{Fp_elldivpol}{GEN a4, GEN a6, long n, GEN p} returns the $n$-division
509
polynomial of the elliptic curve $E$.
510

511
\fun{void}{Fp_elltwist}{GEN a4, GEN a6, GEN p, GEN *pA4, GEN *pA6}
512
sets \kbd{*pA4} and \kbd{*pA6} to the corresponding parameters for the
513
quadratic twist of $E$.
514

515
\subsec{\kbd{FpE}}
516

517
\fun{GEN}{FpE_add}{GEN P, GEN Q, GEN a4, GEN p} returns the sum $P+Q$
518
in the group $E(\F_p)$, where $E$ is defined by $E:y^2=x^3+a_4\*x+a_6$,
519
for any value of $a_6$ compatible with the points given.
520

521
\fun{GEN}{FpE_sub}{GEN P, GEN Q, GEN a4, GEN p} returns $P-Q$.
522

523
\fun{GEN}{FpE_dbl}{GEN P, GEN a4, GEN p} returns $2.P$.
524

525
\fun{GEN}{FpE_neg}{GEN P, GEN p} returns $-P$.
526

527
\fun{GEN}{FpE_mul}{GEN P, GEN n, GEN a4, GEN p} return $n.P$.
528

529
\fun{GEN}{FpE_changepoint}{GEN P, GEN m, GEN a4, GEN p} returns the image
530
$Q$ of the point $P$ on the curve $E:y^2=x^3+a_4\*x+a_6$ by the coordinate
531
change $m$ (which is a \kbd{FpV}).
532

533
\fun{GEN}{FpE_changepointinv}{GEN P, GEN m, GEN a4, GEN p} returns the image
534
$Q$ on the curve $E:y^2=x^3+a_4\*x+a_6$ of the point $P$ by the inverse of the
535
coordinate change $m$ (which is a \kbd{FpV}).
536

537
\fun{GEN}{random_FpE}{GEN a4, GEN a6, GEN p} returns a random point on
538
$E(\F_p)$, where $E$ is defined by $E:y^2=x^3+a_4\*x+a_6$.
539

540
\fun{GEN}{FpE_order}{GEN P, GEN o, GEN a4, GEN p} returns the order of $P$ in
541
the group $E(\F_p)$, where $o$ is a multiple of the order of $P$, or its
542
factorization.
543

544
\fun{GEN}{FpE_log}{GEN P, GEN G, GEN o, GEN a4, GEN p} Let \kbd{G} be a
545
point of order \kbd{o}, return $e$ such that $e.P=G$. If $e$ does not exists,
546
the result is currently undefined.
547

548
\fun{GEN}{FpE_tatepairing}{GEN P, GEN Q, GEN m, GEN a4, GEN p} returns the
549
Tate pairing of the point of $m$-torsion $P$ and the point $Q$.
550

551
\fun{GEN}{FpE_weilpairing}{GEN P, GEN Q, GEN m, GEN a4, GEN p} returns the
552
Weil pairing of the points of $m$-torsion $P$ and $Q$.
553

554
\fun{GEN}{FpE_to_mod}{GEN P, GEN p} returns $P$ as a vector of \typ{INTMOD}s.
555

556
\fun{GEN}{RgE_to_FpE}{GEN P, GEN p} returns the \kbd{FpE} obtained by applying
557
\kbd{Rg\_to\_Fp} coefficientwise.
558

559
\subsec{\kbd{Fle}}
560
Let $p$ be a prime \kbd{ulong}, and $E$ the elliptic curve given by the
561
equation $E:y^2=x^3+a_4\*x+a_6$, where $a_4$ and $a_6$ are \kbd{ulong}.
562
A \kbd{Fle} is either the point at infinity (\kbd{ellinf()}), or a \kbd{Flv}
563
with two components $[x,y]$.
564

565
\fun{long}{Fl_elltrace}{ulong a4, ulong a6, ulong p} returns the trace $t$ of
566
the Frobenius of $E(\F_p)$. The cardinality of $E(\F_p)$ is thus $p+1-t$,
567
which might not fit in an \kbd{ulong}.
568

569
\fun{long}{Fl_elltrace_CM}{long CM, ulong a4, ulong a6, ulong p} as
570
\tet{Fl_elltrace}. If \kbd{CM} is $0$, use the standard algorithm; otherwise
571
assume the curve has CM by a principal imaginary quadratic order of
572
discriminant \kbd{CM} and use a faster algorithm. Useful when the curve is
573
the reduction of $E/\Q$, which has CM by a principal order, and we need the
574
trace of Frobenius for many distinct $p$, see \tet{ellQ_get_CM}.
575

576
\fun{ulong}{Fl_elldisc}{ulong a4, ulong a6, ulong p}
577
returns the discriminant of the curve $E$.
578

579
\fun{ulong}{Fl_elldisc_pre}{ulong a4, ulong a6, ulong p, ulong pi}
580
returns the discriminant of the curve $E$, assuming $pi$ is the pseudo inverse
581
of $p$.
582

583
\fun{ulong}{Fl_ellj}{ulong a4, ulong a6, ulong p}
584
returns the $j$-invariant of the curve $E$.
585

586
\fun{ulong}{Fl_ellj_pre}{ulong a4, ulong a6, ulong p, ulong pi}
587
returns the $j$-invariant of the curve $E$, assuming $pi$ is the pseudo inverse
588
of $p$.
589

590
\fun{void}{Fl_ellj_to_a4a6}{ulong j, ulong p, ulong *pa4, ulong *pa6}
591
sets \kbd{*pa4} to $a_4$ and \kbd{*pa6} to $a_6$ where $a_4$ and $a_6$
592
define a fixed elliptic curve with $j$-invariant $j$.
593

594
\fun{void}{Fl_elltwist}{ulong a4, ulong a6, ulong p, ulong *pA4, ulong *pA6}
595
set \kbd{*pA4} to $A_4$ and \kbd{*pA6} to $A_6$ where $A_4$ and $A_6$
596
define the twist of $E$.
597

598
\fun{void}{Fl_elltwist_disc}{ulong a4, ulong a6, ulong D, ulong p, ulong *pA4,
599
ulong *pA6}
600
sets \kbd{*pA4} to $A_4$ and \kbd{*pA6} to $A_6$ where $A_4$ and $A_6$
601
define the twist of $E$ by the discriminant $D$.
602

603
\fun{GEN}{Fl_ellptors}{ulong l, ulong N, ulong a4, ulong a6, ulong p}
604
return a basis of the $l$-torsion subgroup of $E$.
605

606
\fun{GEN}{Fle_add}{GEN P, GEN Q, ulong a4, ulong p}
607

608
\fun{GEN}{Fle_dbl}{GEN P, ulong a4, ulong p}
609

610
\fun{GEN}{Fle_sub}{GEN P, GEN Q, ulong a4, ulong p}
611

612
\fun{GEN}{Fle_mul}{GEN P, GEN n, ulong a4, ulong p}
613

614
\fun{GEN}{Fle_mulu}{GEN P, ulong n, ulong a4, ulong p}
615

616
\fun{GEN}{Fle_order}{GEN P, GEN o, ulong a4, ulong p}
617

618
\fun{GEN}{Fle_log}{GEN P, GEN G, GEN o, ulong a4, ulong p}
619

620
\fun{GEN}{Fle_tatepairing}{GEN P, GEN Q, ulong m, ulong a4, ulong p}
621

622
\fun{GEN}{Fle_weilpairing}{GEN P, GEN Q, ulong m, ulong a4, ulong p}
623

624
\fun{GEN}{random_Fle}{ulong a4, ulong a6, ulong p}
625

626
\fun{GEN}{random_Fle_pre}{ulong a4, ulong a6, ulong p, ulong pi}
627

628
\fun{GEN}{Fle_changepoint}{GEN x, GEN ch, ulong p}, \kbd{ch} is assumed
629
to give the change of coordinates $[u,r,s,t]$ as a \typ{VECSMALL}.
630

631
\fun{GEN}{Fle_changepointinv}{GEN x, GEN ch, ulong p}, as \tet{Fle_changepoint}
632

633
\subsec{\kbd{FpJ}}
634

635
Let $p$ be a prime \typ{INT}, and $E$ the elliptic curve given by the
636
equation $E:y^2=x^3+a_4\*x+a_6$, where $a_4$ and $a_6$ are \typ{INT}.
637
A \kbd{FpJ} is a \kbd{FpV} with three components $[x,y,z]$, representing
638
the affine point $[x/z^2,y/z^3]$ in Jacobian coordinates, the point at
639
infinity being represented by $[1, 1, 0]$. The following must holds:
640
$y^2=x^3+a_4\*x\*z^4+a_6\*z^6$. For all nonzero $u$, the points
641
$[u^2\*x,u^3\*y,u\*z]$ and $[x,y,z]$ are representing the same affine point.
642

643
\fun{GEN}{FpJ_add}{GEN P, GEN Q, GEN a4, GEN p}
644

645
\fun{GEN}{FpJ_dbl}{GEN P, GEN a4, GEN p}
646

647
\fun{GEN}{FpJ_mul}{GEN P, GEN n, GEN a4, GEN p};
648

649
\fun{GEN}{FpJ_neg}{GEN P, GEN p} return $-P$.
650

651
\fun{GEN}{FpJ_to_FpE}{GEN P, GEN p} return the corresponding \kbd{FpE}.
652

653
\fun{GEN}{FpE_to_FpJ}{GEN P} return the corresponding \kbd{FpJ}.
654

655
\subsec{\kbd{Flj}}
656

657
Below, \kbd{pi} is assumed to be the precomputed inverse of $p$.
658

659
\fun{GEN}{Fle_to_Flj}{GEN P} convert a \kbd{Fle} to an equivalent \kbd{Flj}.
660

661
\fun{GEN}{Flj_to_Fle}{GEN P, ulong p} convert a \kbd{Flj} to the equivalent
662
\kbd{Fle}.
663

664
\fun{GEN}{Flj_to_Fle_pre}{GEN P, ulong p, ulong pi} convert a \kbd{Flj} to the
665
equivalent \kbd{Fle}.
666

667
\fun{GEN}{Flj_add_pre}{GEN P, GEN Q, ulong a4, ulong p, ulong pi}
668

669
\fun{GEN}{Flj_dbl_pre}{GEN P, ulong a4, ulong p, ulong pi}
670

671
\fun{GEN}{Flj_neg}{GEN P, ulong p} return $-P$.
672

673
\fun{GEN}{Flj_mulu_pre}{GEN P, ulong n, ulong a4, ulong p, ulong pi}
674

675
\fun{GEN}{random_Flj_pre}{ulong a4, ulong a6, ulong p, ulong pi}
676

677
\fun{GEN}{Flj_changepointinv_pre}{GEN P, GEN ch, ulong p, ulong pi}
678
where \kbd{ch} is the \kbd{Flv} $[u,r,s,t]$.
679

680
\fun{GEN}{FljV_factorback_pre}{GEN P, GEN L, ulong p, ulong pi}
681

682
\subsec{Elliptic curves over $\F_{2^n}$}
683
Let $T$ be an irreducible \kbd{F2x} and $E$ the
684
elliptic curve given by either the equation
685
$E:y^2+x*y=x^3+a_2\*x^2+a_6$, where $a_2, a_6$ are \kbd{F2x} in
686
$\F_2[X]/(T)$ (ordinary case) or $E:y^2+a_3*y=x^3+a_4\*x+a_6$, where
687
$a_3, a_4, a_6$ are \kbd{F2x} in $\F_2[X]/(T)$ (supersingular case).
688

689
A \kbd{F2xqE} is a point of $E(\F_2[X]/(T))$.  In the supersingular case, the
690
parameter \kbd{a2} is actually the \typ{VEC} $[a_3,a_4,a_3^{-1}]$.
691

692
\fun{GEN}{F2xq_ellcard}{GEN a2, GEN a6, GEN T}
693
Return the order of the group $E(\F_2[X]/(T))$.
694

695
\fun{GEN}{F2xq_ellgroup}{GEN a2, GEN a6, GEN N, GEN T, GEN *pm}
696
Return the group structure $D$ of the group $E(\F_2[X]/(T))$,
697
which is assumed to be of order $N$ and set \kbd{*pm} to $m$.
698

699
\fun{GEN}{F2xq_ellgens}{GEN a2, GEN a6, GEN ch, GEN D, GEN m, GEN T}
700
Returns generators of the group $E(\F_2[X]/(T))$ with the base change \kbd{ch}
701
(see \kbd{F2xqE\_changepoint}), where $D$ and $m$ are as returned by
702
\kbd{F2xq\_ellgroup}.
703

704
\fun{void}{F2xq_elltwist}{GEN a4, GEN a6, GEN T, GEN *a4t, GEN *a6t}
705
sets \kbd{*a4t} and \kbd{*a6t} to the parameters of the quadratic twist of $E$.
706

707
\subsec{\kbd{F2xqE}}
708

709
\fun{GEN}{F2xqE_changepoint}{GEN P, GEN m, GEN a2, GEN T} returns the image
710
$Q$ of the point $P$ on the curve $E:y^2+x*y=x^3+a_2\*x^2+a_6$ by the coordinate
711
change $m$ (which is a \kbd{F2xqV}).
712

713
\fun{GEN}{F2xqE_changepointinv}{GEN P, GEN m, GEN a2, GEN T} returns the image
714
$Q$ on the curve $E:y^2=x^3+a_4\*x+a_6$ of the point $P$ by the inverse of the
715
coordinate change $m$ (which is a \kbd{F2xqV}).
716

717
\fun{GEN}{F2xqE_add}{GEN P, GEN Q, GEN a2, GEN T}
718

719
\fun{GEN}{F2xqE_sub}{GEN P, GEN Q, GEN a2, GEN T}
720

721
\fun{GEN}{F2xqE_dbl}{GEN P, GEN a2, GEN T}
722

723
\fun{GEN}{F2xqE_neg}{GEN P, GEN a2, GEN T}
724

725
\fun{GEN}{F2xqE_mul}{GEN P, GEN n, GEN a2, GEN T}
726

727
\fun{GEN}{random_F2xqE}{GEN a2, GEN a6, GEN T}
728

729
\fun{GEN}{F2xqE_order}{GEN P, GEN o, GEN a2, GEN T} returns the order of $P$ in
730
the group $E(\F_2[X]/(T))$, where $o$ is a multiple of the order of $P$, or its
731
factorization.
732

733
\fun{GEN}{F2xqE_log}{GEN P, GEN G, GEN o, GEN a2, GEN T} Let \kbd{G} be a
734
point of order \kbd{o}, return $e$ such that $e.P=G$. If $e$ does not exists,
735
the result is currently undefined.
736

737
\fun{GEN}{F2xqE_tatepairing}{GEN P, GEN Q, GEN m, GEN a2, GEN T} returns the
738
Tate pairing of the point of $m$-torsion $P$ and the point $Q$.
739

740
\fun{GEN}{F2xqE_weilpairing}{GEN Q, GEN Q, GEN m, GEN a2, GEN T} returns the
741
Weil pairing of the points of $m$-torsion $P$ and $Q$.
742

743
\fun{GEN}{RgE_to_F2xqE}{GEN P, GEN T} returns the \kbd{F2xqE} obtained by
744
applying \kbd{Rg\_to\_F2xq} coefficientwise.
745

746
\subsec{Elliptic curves over $\F_q$, small characteristic $p>2$ }
747
Let $p > 2$ be a prime \kbd{ulong}, $T$ an irreducible \kbd{Flx} mod $p$, and
748
$E$ the elliptic curve given by the equation $E:y^2=x^3+a_4\*x+a_6$, where $a_4$
749
and $a_6$ are \kbd{Flx} in $\F_p[X]/(T)$.  A \kbd{FlxqE} is a point of
750
$E(\F_p[X]/(T))$.
751

752
In the special case $p = 3$, ordinary elliptic curves ($j(E)\neq 0$) cannot
753
be represented as above, but admit a model $E:y^2 = x^3+a_2\*x^2+a_6$ with
754
$a_2$ and $a_6$ being \kbd{Flx} in $\F_3[X]/(T)$. In that case, the parameter
755
\kbd{a2} is actually stored as a \typ{VEC}, $[a_2]$, to avoid ambiguities.
756

757
\fun{GEN}{Flxq_ellj}{GEN a4, GEN a6, GEN T, ulong p}
758
returns the $j$-invariant of the curve $E$.
759

760
\fun{void}{Flxq_ellj_to_a4a6}{GEN j, GEN T, ulong p, GEN *pa4, GEN *pa6}
761
sets \kbd{*pa4} to $a_4$ and \kbd{*pa6} to $a_6$ where $a_4$ and $a_6$
762
define a fixed elliptic curve with $j$-invariant $j$.
763

764
\fun{GEN}{Flxq_ellcard}{GEN a4, GEN a6, GEN T, ulong p}
765
returns the order of $E(\F_p[X]/(T))$.
766

767
\fun{GEN}{Flxq_ellgroup}{GEN a4, GEN a6, GEN N, GEN T, ulong p, GEN *pm}
768
returns the group structure $D$ of the group $E(\F_p[X]/(T))$,
769
which is assumed to be of order $N$ and sets \kbd{*pm} to $m$.
770

771
\fun{GEN}{Flxq_ellgens}{GEN a4, GEN a6, GEN ch, GEN D, GEN m, GEN T, ulong p}
772
returns generators of the group $E(\F_p[X]/(T))$ with the base change \kbd{ch}
773
(see \kbd{FlxqE\_changepoint}), where $D$ and $m$ are as returned by
774
\kbd{Flxq\_ellgroup}.
775

776
\fun{void}{Flxq_elltwist}{GEN a4, GEN a6, GEN T, ulong p, GEN *pA4, GEN *pA6}
777
sets \kbd{*pA4} and \kbd{*pA6} to the corresponding parameters for the
778
quadratic twist of $E$.
779

780
\subsec{\kbd{FlxqE}}
781

782
Let $p > 2$ be a prime number.
783

784
\fun{GEN}{FlxqE_changepoint}{GEN P, GEN m, GEN a4, GEN T, ulong p} returns
785
the image $Q$ of the point $P$ on the curve $E:y^2=x^3+a_4\*x+a_6$ by the
786
coordinate change $m$ (which is a \kbd{FlxqV}).
787

788
\fun{GEN}{FlxqE_changepointinv}{GEN P, GEN m, GEN a4, GEN T, ulong p} returns
789
the image $Q$ on the curve $E:y^2=x^3+a_4\*x+a_6$ of the point $P$ by the
790
inverse of the coordinate change $m$ (which is a \kbd{FlxqV}).
791

792
\fun{GEN}{FlxqE_add}{GEN P, GEN Q, GEN a4, GEN T, ulong p}
793

794
\fun{GEN}{FlxqE_sub}{GEN P, GEN Q, GEN a4, GEN T, ulong p}
795

796
\fun{GEN}{FlxqE_dbl}{GEN P, GEN a4, GEN T, ulong p}
797

798
\fun{GEN}{FlxqE_neg}{GEN P, GEN T, ulong p}
799

800
\fun{GEN}{FlxqE_mul}{GEN P, GEN n, GEN a4, GEN T, ulong p}
801

802
\fun{GEN}{random_FlxqE}{GEN a4, GEN a6, GEN T, ulong p}
803

804
\fun{GEN}{FlxqE_order}{GEN P, GEN o, GEN a4, GEN T, ulong p} returns the
805
order of $P$ in the group $E(\F_p[X]/(T))$, where $o$ is a multiple of the
806
order of $P$, or its factorization.
807

808
\fun{GEN}{FlxqE_log}{GEN P, GEN G, GEN o, GEN a4, GEN T, ulong p} Let \kbd{G}
809
be a point of order \kbd{o}, return $e$ such that $e.P=G$. If $e$ does not
810
exists, the result is currently undefined.
811

812
\fun{GEN}{FlxqE_tatepairing}{GEN P, GEN Q, GEN m, GEN a4, GEN T, ulong p}
813
returns the Tate pairing of the point of $m$-torsion $P$ and the point $Q$.
814

815
\fun{GEN}{FlxqE_weilpairing}{GEN P, GEN Q, GEN m, GEN a4, GEN T, ulong p}
816
returns the Weil pairing of the points of $m$-torsion $P$ and $Q$.
817

818
\fun{GEN}{RgE_to_FlxqE}{GEN P, GEN T, ulong p} returns the \kbd{FlxqE}
819
obtained by applying \kbd{Rg\_to\_Flxq} coefficientwise.
820

821
\subsec{Elliptic curves over $\F_q$, large characteristic }
822

823
Let $p > 3$ be a prime number, $T$ an irreducible polynomial mod $p$, and $E$
824
the elliptic curve given by the equation $E:y^2=x^3+a_4\*x+a_6$ with $a_4$ and
825
$a_6$ in $\F_p[X]/(T)$.  A \kbd{FpXQE} is a point of $E(\F_p[X]/(T))$.
826

827
\fun{GEN}{FpXQ_ellj}{GEN a4, GEN a6, GEN T, GEN p}
828
returns the $j$-invariant of the curve $E$.
829

830
\fun{int}{FpXQ_elljissupersingular}{GEN j, GEN T, GEN p} returns $1$ if $j$ is
831
the $j$-invariant of a supersingular curve over $\F_p[X]/(T)$, $0$ otherwise.
832

833
\fun{GEN}{FpXQ_ellcard}{GEN a4, GEN a6, GEN T, GEN p}
834
returns the order of $E(\F_p[X]/(T))$.
835

836
\fun{GEN}{Fq_ellcard_SEA}{GEN a4, GEN a6, GEN q, GEN T, GEN p, long s}
837
This function returns $\#E(\F_p[X]/(T))$, using the Schoof-Elkies-Atkin
838
algorithm.
839
Assume $p\neq 2,3$, and $q$ is the cardinality of $\F_p[X]/(T)$.
840
The parameter $s$ has the same meaning as in \kbd{Fp\_ellcard\_SEA}.
841
If the \kbd{seadata} package is installed, the function will be faster.
842

843
\fun{GEN}{FpXQ_ellgroup}{GEN a4, GEN a6, GEN N, GEN T, GEN p, GEN *pm}
844
Return the group structure $D$ of the group $E(\F_p[X]/(T))$,
845
which is assumed to be of order $N$ and set \kbd{*pm} to $m$.
846

847
\fun{GEN}{FpXQ_ellgens}{GEN a4, GEN a6, GEN ch, GEN D, GEN m, GEN T, GEN p}
848
Returns generators of the group $E(\F_p[X]/(T))$ with the base change \kbd{ch}
849
(see \kbd{FpXQE\_changepoint}), where $D$ and $m$ are as returned by
850
\kbd{FpXQ\_ellgroup}.
851

852
\fun{GEN}{FpXQ_elldivpol}{GEN a4, GEN a6, long n, GEN T, GEN p} returns the
853
$n$-division polynomial of the elliptic curve $E$.
854

855
\fun{GEN}{Fq_elldivpolmod}{GEN a4,GEN a6, long n, GEN h, GEN T, GEN p}
856
returns the $n$-division polynomial of the elliptic curve $E$ modulo the
857
polynomial $h$.
858

859
\fun{void}{FpXQ_elltwist}{GEN a4, GEN a6, GEN T, GEN p, GEN *pA4, GEN *pA6}
860
sets \kbd{*pA4} and \kbd{*pA6} to the corresponding parameters for the
861
quadratic twist of $E$.
862

863
\subsec{\kbd{FpXQE}}
864

865
\fun{GEN}{FpXQE_changepoint}{GEN P, GEN m, GEN a4, GEN T, GEN p} returns the
866
image $Q$ of the point $P$ on the curve $E:y^2=x^3+a_4\*x+a_6$ by the
867
coordinate change $m$ (which is a \kbd{FpXQV}).
868

869
\fun{GEN}{FpXQE_changepointinv}{GEN P, GEN m, GEN a4, GEN T, GEN p} returns
870
the image $Q$ on the curve $E:y^2=x^3+a_4\*x+a_6$ of the point $P$ by the
871
inverse of the coordinate change $m$ (which is a \kbd{FpXQV}).
872

873
\fun{GEN}{FpXQE_add}{GEN P, GEN Q, GEN a4, GEN T, GEN p}
874

875
\fun{GEN}{FpXQE_sub}{GEN P, GEN Q, GEN a4, GEN T, GEN p}
876

877
\fun{GEN}{FpXQE_dbl}{GEN P, GEN a4, GEN T, GEN p}
878

879
\fun{GEN}{FpXQE_neg}{GEN P, GEN T, GEN p}
880

881
\fun{GEN}{FpXQE_mul}{GEN P, GEN n, GEN a4, GEN T, GEN p}
882

883
\fun{GEN}{random_FpXQE}{GEN a4, GEN a6, GEN T, GEN p}
884

885
\fun{GEN}{FpXQE_log}{GEN P, GEN G, GEN o, GEN a4, GEN T, GEN p} Let \kbd{G} be a
886
point of order \kbd{o}, return $e$ such that $e.P=G$. If $e$ does not exists,
887
the result is currently undefined.
888

889
\fun{GEN}{FpXQE_order}{GEN P, GEN o, GEN a4, GEN T, GEN p} returns the order
890
of $P$ in the group $E(\F_p[X]/(T))$, where $o$ is a multiple of the order of
891
$P$, or its factorization.
892

893
\fun{GEN}{FpXQE_tatepairing}{GEN P,GEN Q, GEN m, GEN a4, GEN T, GEN p}
894
returns the Tate pairing of the point of $m$-torsion $P$ and the point $Q$.
895

896
\fun{GEN}{FpXQE_weilpairing}{GEN P,GEN Q, GEN m, GEN a4, GEN T, GEN p}
897
returns the Weil pairing of the points of $m$-torsion $P$ and $Q$.
898

899
\fun{GEN}{RgE_to_FpXQE}{GEN P, GEN T, GEN p} returns the \kbd{FpXQE} obtained
900
by applying \kbd{Rg\_to\_FpXQ} coefficientwise.
901

902
\section{Functions related to modular polynomials}
903

904
Variants of \tet{polmodular}, returning the modular polynomial of prime
905
level $L$ for the invariant coded by \kbd{inv} (0: $j$, 1: Weber-$f$, see
906
\tet{polclass} for the full list).
907

908
\fun{GEN}{polmodular_ZXX}{long L, long inv, long xvar, long yvar}
909
returns a bivariate polynomial in variables \kbd{xvar} and
910
\kbd{yvar}.
911

912
\fun{GEN}{polmodular_ZM}{long L, long inv} returns a matrix of
913
(integral) coefficients.
914

915
\fun{GEN}{Fp_polmodular_evalx}{long L, long inv, GEN J, GEN p, long v,
916
int derivs} returns the modular polynomial evaluated
917
at $J$ modulo the prime $p$ in the variable $v$ (if \kbd{derivs} is nonzero,
918
returns a vector containing the modular polynomial and its first and second
919
derivatives, all evaluated at $J$ modulo~$p$).
920

921
\subsec{Functions related to modular invariants}
922

923
\fun{void}{check_modinv}{long inv} report an error if \kbd{inv} is not a
924
valid code for a mdular invariant.
925

926
\fun{int}{modinv_good_disc}{long inv, long D} test whether the
927
invariant \kbd{inv} is defined for the discriminant \kbd{D}.
928

929
\fun{int}{modinv_good_prime}{long inv, long D} test whether the
930
invariant \kbd{inv} is defined for the prime \kbd{p}.
931

932
\fun{long}{modinv_height_factor}{long inv} return the height factor
933
of the modular invariant \kbd{inv} with respect to the $j$-invariant.
934
This is an integer $n$ such that the $j$-invariant is asymptotically
935
of the order of the $n$-th power of the invariant \kbd{inv}.
936

937
\fun{long}{modinv_is_Weber}{long inv} test whether the invariant
938
\kbd{inv} is a power of Weber $f$.
939

940
\fun{long}{modinv_is_double_eta}{long inv} test whether the invariant
941
\kbd{inv} is a double $\eta$ quotient.
942

943
\fun{long}{disc_best_modinv}{long D} the integer $D$ being a negative discriminant,
944
return the modular invariant compatible with $D$ with the highest height
945
factor.
946

947
\fun{GEN}{Fp_modinv_to_j}{GEN x, long inv, GEN p} Let $\Phi$ the modular equation
948
between $j$ and the modular invariant \kbd{inv}, return $y$ such that
949
$\Phi(y,x)=0\pmod{p}$.
950

951
\section{Other curves}
952

953
The following functions deal with hyperelliptic curves in weighted projective
954
space $\P_{(1,d,1)}$, with coordinates $(x,y,z)$ and a model of the form
955
$ y^2 = T(x,z)$, where $T$ is homogeneous of degree $2d$, and squarefree.
956
Thus the curve is nonsingular of genus $d-1$.
957

958
\fun{long}{hyperell_locally_soluble}{GEN T, GEN p} assumes that $T\in\Z[X]$ is
959
integral. Returns $1$ if the curve is locally soluble over $\Q_p$, $0$
960
otherwise.
961

962
\fun{long}{nf_hyperell_locally_soluble}{GEN nf, GEN T, GEN pr} let $K$
963
be a number field, attached to \kbd{nf}, \kbd{pr} a \var{prid} attached
964
to some maximal ideal $\goth{p}$; assumes that $T\in\Z_K[X]$ is integral.
965
Returns $1$ if the curve is locally soluble over $K_{\goth{p}}$.
966

967
\newpage
968

969