Equivalence of Counting the Number of Points on Elliptic Curve over the Ring Zn and Factoring n

1 I n t r o d u c t i o n Elliptic curves can be applied to public-key cryptosystems, and as such several schemes have been proposed [3, 4, 5, 6, 9, 11]. There are two typical elliptic curve cryptosystems: E1Gamal-type scheme [4, 11] and RSA-type schemes [3, 5, 6]. The security of the EIGamal-type elliptic curve cryptosystem is based on the difficulty of solving a discrete logarithm over elliptic curve modulo a prime. However, the security of an RSA-type elliptic curve cryptosystem is based on the difficulty of factoring a large composite. It has been conjectured that completely breaking the original RSA is computationally equivalent to the factoring the used composite, although this has NOT been proved yet. In a certain RSA-type elliptic curve (or cubic curve) cryptosystem proposed in [6], however, this equivalence between the two problems was proved. In general RSA-type elliptic curve cryptosystems, including RSA-type cubic curve cryptosystems, the equivalence has not been proved. As the order r of Z* for a composite n have played a significant role in analyzing the security of the original RSA scheme, it is important to evaluate the complexity of counting the number of points on an elliptic curve over the ring Z,~ for RSA-type elliptic curve cryptosystems. We are interested in reductions of factoring to other problems in elliptic curve theory over Z~. In this paper, we will consider the following problems. F C T ( n ) : Given composite n, find the complete prime factorization of n. C O M P ( r : Given composite n, compute the Euler phi function r -IZ*I, which is the number of integers in the interval [1, n], each of which are relatively prime to n. C O M P ( ~ E , . , ( a , b ) ) : Given composite n and integers a and b, compute # E n ( a , b), which is the number of points over an elliptic curve E,~ : y2 _x 3 + ax + b (mod n).