如何計算secp256k1的階數？

橢圓曲線secp256k1定義為 $ y^2 = x^3 + 7 $ . 該欄位的素數設置為：

p = 115792089237316195423570985008687907853269984665640564039457584007908834671663

所以現在，應該可以使用 Schoof 算法來計算訂單。這裡提供了一個 Python 實現：https ://github.com/pdinges/python-schoof

但是，計算大素數的階似乎太耗時了。此外，對於如此大的素數，該實現似乎無法計算它。

root@78774381cc80:/home/python-schoof# python3 reduced_computation_schoof.py 17 0 7
Counting points of y^2 = x^3 + 0x + 7 over GF<17>: 18
root@78774381cc80:/home/python-schoof# python3 reduced_computation_schoof.py 115792089237316195423570985008687907853269984665640564039457584007908834671663 0 7
Counting points of y^2 = x^3 + 0x + 7 over GF<115792089237316195423570985008687907853269984665640564039457584007908834671663>: Traceback (most recent call last):
 File "reduced_computation_schoof.py", line 268, in <module>
   runner.run()
 File "/home/python-schoof/support/running.py", line 498, in run
   result = self.__algorithm( *item, output=self.__output)
 File "reduced_computation_schoof.py", line 258, in reduced_computation_schoof_algorithm
   order = p + 1 - frobenius_trace( EllipticCurve( FiniteField(p), A, B ) )
 File "reduced_computation_schoof.py", line 55, in frobenius_trace
   len(search_range),
OverflowError: Python int too large to convert to C ssize_t

有人知道它是計算出來的以及如何重現它嗎？對於如此大的數字，是否有更好的 Schoof 算法實現？

PARI包括（除其他外）Schoof 算法（更具體地說是 Schoof-Elkies-Atkin 算法）的實現。

? p = 115792089237316195423570985008687907853269984665640564039457584007908834671663
%1 = 115792089237316195423570985008687907853269984665640564039457584007908834671663
? ellcard(ellinit([0,7], p))
%2 = 115792089237316195423570985008687907852837564279074904382605163141518161494337

它是開源的，因此您可以輕鬆查看內部。

如果您不想安裝 PARI，CoCalc允許您在瀏覽器中執行 PARI（或 Sage）。只需啟動一個新項目，然後在新的 Linux 終端中輸入“gp”，您就可以在 PARI 中執行。

或者，您可以直接在Sage中進行計算（您也可以通過 CoCalc：New → Sage 工作表執行），但這並沒有給您任何新的實現，因為 Sage 只是為此函式呼叫 PARI：

sage: p = 115792089237316195423570985008687907853269984665640564039457584007908834671663
sage: EllipticCurve(GF(p), [0,7]).order()
115792089237316195423570985008687907852837564279074904382605163141518161494337

對於 PARI 中的文件：

? ?ellcard
ellcard(E,{p}): given an elliptic curve E defined over a finite field Fq, 
return the order of the group E(Fq); for other fields of definition K, p must 
define a finite residue field, (p prime for K = Qp or Q; p a maximal ideal for 
K a number field), return the order of the (non-singular) reduction of E.

Sage 中的文件：

sage: E = EllipticCurve(GF(p), [0,7])
sage: E.order?
sage: E.order??

引用自：https://crypto.stackexchange.com/questions/93679