Elliptic Congruence Function Fields

Recently, the well-known Diie-Hellman key exchange protocol was extended to real quadratic congruence function elds in a non-group based setting. Here, the underlying key space was the set of reduced principal ideals. This set does not possess a group structure, but instead exhibits a so-called infrastructure. The techniques are the same as in the protocol based on real quadratic number elds. As always, the security of the protocol depends on a certain discrete logarithm problem (DLP). It can be shown that for elliptic congruence function elds this DLP is equivalent to the DLP for elliptic curves over nite elds. In this paper, we present the arithmetic of reduced principal ideals in elliptic congruence function elds, which is the base for the equivalence, and prove some properties which have no analogies for real quadratic number elds. 1 Background and Motivation In 7], a new key exchange system is proposed, similar in concept to that of Diie-Hellman, which is based on the infrastructure (see Shanks 9]) of the principal ideal class of a real quadratic congruence function eld. It uses the same techniques as in the protocol based on real quadratic number elds (see 6]). The security of both protocols depends on the diiculty of the so-called discrete logarithm problem (DLP). In 1], Abel shows that the DLP in a real quadratic number eld Q(p) can be solved subexponentially in log. It can be seen from 12], that the DLP for elliptic curves is equivalent to the DLP in real quadratic congruence function elds of genus 1, which we call (real) elliptic congruence function elds. In this paper, we explain the main properties of the set of reduced principal ideals in elliptic congruence function elds based on the infrastructure ideas of 9] which are extended in 11]. The underlying structure of the key exchange protocols in 6] and 7] is the set of reduced principal ideals. In either case, this set does not form a group, however, it is \almost" a group. For elliptic congruence function elds, we will prove (Theorem 8) that the set of reduced principal ideals is even \closer" to a group, but it still fails to be a group (Theorem 9). Furthermore, for real quadratic congruence function elds of arbitrary genus and for real quadratic number elds, we know (see 16], 3], 11]) that the distance function is asymptotically linear in almost all cases, i.e., there is a …