The Discrete Logarithm Problem on the p-torsion Subgroup of Elliptic Curves

نویسنده

  • Juliana V. Belding
چکیده

An ongoing challenge in cryptography is to find groups in which the DLP is computationally infeasible, that is, for which the best known attack is exponential in log(N). Such a group can be used as the setting for many cryptographic protocols, from Diffie-Hellman key exchange to El Gamal encryption ([14], 159). The most prominent example, first proposed in 1985, is a subgroup of points of an elliptic curve E over a finite field Fq of prime orderN . ForN ≈ 1080, with current computing power, it is infeasible to solve the elliptic curve DLP, or ECDLP; in other words, it is not possible to determine n. However, in the early 1990’s, supersingular elliptic curves, those curves over fields of positive characteristic which have no p-torsion, were discovered to be susceptible to the MOV attack, which used the Weil pairing to reduce the ECDLP to the DLP in Fq , the multiplicative group of the finite field, where subexponential attacks such as the index calculus are possible ([14], 144).Thus, for cryptographic purposes, it is necessary to restrict to ordinary elliptic curves, where E[p](K̄) ' Z/pZ. However, certain subgroups of ordinary elliptic curves, those N = p, are even more insecure than supersingular curves. The ECDLP in the p-torsion subgroup of E(Fq) can be reduced to the DLP in Fq , which is easily solved by the Euclidean algorithm. For q = p, these curves are known as trace one or anomalous curves. The purpose of this paper is to describe the distinct approaches to solving the DLP in the p-torsion subgroup of elliptic curves, as well the related theoretical framework. Throughout, we letE denote an ordinary elliptic curve E over Fq with characteristic p 6= 2, 3 and we assume E[p] ' Z/pZ ⊂ E(Fq). The motivating problem is to explicitly determine a “logarithm” for the group of points E[p], that is, a homomorphism E[p]→ Fp . In Section 2, we describe an algorithm due to Semaev [8], based on the divisor group of the elliptic curve. In Section 3, we describe a theoretical approach based on descent by p-isogeny. We also discuss its relation to the classical Weierstrass elliptic functions and the Semaev algorithm. In Section 4, we describe another algorithm due to Smart [10], based on the p-adic elliptic logarithm.

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

Generalized Jacobian and Discrete Logarithm Problem on Elliptic Curves

Let E be an elliptic curve over the finite field F_{q}, P a point in E(F_{q}) of order n, and Q a point in the group generated by P. The discrete logarithm problem on E is to find the number k such that Q = kP. In this paper we reduce the discrete logarithm problem on E[n] to the discrete logarithm on the group F*_{q} , the multiplicative group of nonzero elements of Fq, in the case where n | q...

متن کامل

An Efficient Threshold Verifiable Multi-Secret Sharing Scheme Using Generalized Jacobian of Elliptic Curves

‎In a (t,n)-threshold secret sharing scheme‎, ‎a secret s is distributed among n participants such that any group of t or more participants can reconstruct the secret together‎, ‎but no group of fewer than t participants can do‎. In this paper, we propose a verifiable (t,n)-threshold multi-secret sharing scheme based on Shao and Cao‎, ‎and the intractability of the elliptic curve discrete logar...

متن کامل

An efficient blind signature scheme based on the elliptic curve discrete logarithm problem

Elliptic Curve Cryptosystems (ECC) have recently received significant attention by researchers due to their high performance such as low computational cost and small key size. In this paper a novel untraceable blind signature scheme is presented. Since the security of proposed method is based on difficulty of solving discrete logarithm over an elliptic curve, performance of the proposed scheme ...

متن کامل

The new protocol blind digital signature based on the discrete logarithm problem on elliptic curve

In recent years it has been trying that with regard to the question of computational complexity of discrete logarithm more strength and less in the elliptic curve than other hard issues, applications such as elliptic curve cryptography, a blind  digital signature method, other methods such as encryption replacement DLP. In this paper, a new blind digital signature scheme based on elliptic curve...

متن کامل

A Weil pairing on the p-torsion of ordinary elliptic curves over K[ ]

For an elliptic curve E over any field K, the Weil pairing en is a bilinear map on n-torsion. For K of characteristic p > 0, the map en is degenerate if and only if n is divisible by p. In this paper, we consider E over the dual numbers K[ ] and define a non-degenerate “Weil pairing on p-torsion” which shares many of the same properties of the Weil pairing. We also show that the discrete logari...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:

دوره   شماره 

صفحات  -

تاریخ انتشار 2007