Optimizing the Menezes-Okamoto-Vanstone (MOV) Algorithm for Non-supersingular Elliptic Curves
نویسندگان
چکیده
We address the Menezes-Okamoto-Vanstone (MOV) algorithm for attacking elliptic curve cryptosystems which is completed in subexponential time for supersingular elliptic curves. There exist two hurdles to clear, from an algorithmic point of view, in applying the MOV reduction to general elliptic curves: the problem of explicitly determining the minimum extension degree k such that E[n] E(F q k) and that of eciently nding an n-torsion point needed to evaluate the Weil pair-ing, where n is the order of a cyclic group of the elliptic curve discrete logarithm problem. We can nd an answer to the rst problem in a recent paper by Balasubramanian and Koblitz. On the other hand, the second problem is important as well, since the reduction might require exponential time even for small k. In this paper, we actually construct a novel method of eciently nding an n-torsion point, which leads to a solution of the second problem. In addition, our contribution allows us to draw the conclusion that the MOV reduction is indeed as powerful as the Frey-R uck reduction under n 6 jq 0 1, not only from the viewpoint of the minimum extension degree but also from that of the eectiveness of algorithms.
منابع مشابه
Comparing the MOV and FR Reductions in Elliptic Curve Cryptography
This paper addresses the discrete logarithm problem in elliptic curve cryptography. In particular, we generalize the Menezes, Okamoto, and Vanstone (MOV) reduction so that it can be applied to some non-supersingular elliptic curves (ECs); decrypt Frey and Rück (FR)’s idea to describe the detail of the FR reduction and to implement it for actual elliptic curves with finite fields on a practical ...
متن کاملOptimizing the Menezes - Okamoto - Vanstone ( MOV ) Algorithm for Non - SupersingularEllipti Curves ?
متن کامل
Supersingular Curves in Cryptography
Frey and Rück gave a method to transform the discrete logarithm problem in the divisor class group of a curve over Fq into a discrete logarithm problem in some finite field extension Fqk . The discrete logarithm problem can therefore be solved using index calculus algorithms as long as k is small. In the elliptic curve case it was shown by Menezes, Okamoto and Vanstone that for supersingular cu...
متن کاملSolving a 676-Bit Discrete Logarithm Problem in GF(36n)
Pairings on elliptic curves over finite fields are crucial for constructing various cryptographic schemes. The ηT pairing on supersingular curves over GF(3) is particularly popular since it is efficiently implementable. Taking into account the Menezes-Okamoto-Vanstone (MOV) attack, the discrete logarithm problem (DLP) in GF(3) becomes a concern for the security of cryptosystems using ηT pairing...
متن کاملRemarks on Elliptic Curve Discrete Logarithm Problems
The MOV and FR algorithms, which are representative attacks on elliptic curve cryptosystems, reduce the elliptic curve discrete logarithm problem (ECDLP) to the discrete logarithm problem in a finite field. This paper studies these algorithms and introduces the following three results. First, we show an explicit condition under which the MOV algorithm can be applied to non-supersingular ellipti...
متن کامل