Function: ellsea
Section: elliptic_curves
C-Name: ellsea
Prototype: GD0,U,
Help: ellsea(E,{tors=0}): computes the order of the group E(Fq)
 for the elliptic curve E, defined over a finite field,
 using SEA algorithm, with early abort for curves with non prime orders.
Doc: Let $E$ be an \var{ell} structure as output by \kbd{ellinit}, defined over
 a finite field $\F_q$. This function computes the order of the group
 $E(\F_q)$ using the SEA algorithm and the \kbd{tors} argument allows to
 speed up a search for curves having almost prime order.

 \item If the characteristic is too small ($p \leq 7$) the generic algorithm
 \kbd{ellcard} is used instead and the \kbd{tors} argument is ignored.

 \item When \kbd{tors} is set to a non-zero value, the function returns $0$
 as soon as it detects that the order has a small prime factor not dividing
 \kbd{tors}; SEA considers modular polynomials of increasing prime degree
 $\ell$ and we return $0$ as soon as we hit an $\ell$ (coprime to \kbd{tors})
 dividing $\#E(\F_q)$.

 In particular, you should set \kbd{tors} to $1$ if you want a curve with
 prime order, to $2$ if you want to allow a cofacteur which is a power of two
 (e.g. for Edwards's curves), etc.

 The availability of the \kbd{seadata} package will speed up the computation,
 and is strongly recommended.

 The following function returns a curve of prime order over $\F_p$.
 \bprog
 cryptocurve(p) =
 {
   while(1,
     my(E, N, j = Mod(random(p), p));
     E = ellinit(ellfromj(j));
     N = ellsea(E, 1); if(!N, continue);
     if (isprime(N), return(E));
     \\ try the quadratic twist for free
     if (isprime(2*p+2 - N), return(ellinit(elltwist(E))));
   );
 }
 ? p = randomprime([2^255, 2^256]);
 ? E = cryptocurve(p); \\ insist on prime order
 %2 = 47,447ms
 @eprog\noindent The same example without early abort (using \kbd{ellsea(E,1)}
 instead of \kbd{ellsea(E)}) runs for about 5 minutes before finding a
 suitable curve.
