The Discrete Logarithm Problem on the p-torsion Subgroup of Elliptic Curves

An ongoing challenge in cryptography is to find groups in which the DLP is computationally infeasible, that is, for which the best known attack is exponential in log(N). Such a group can be used as the setting for many cryptographic protocols, from Diffie-Hellman key exchange to El Gamal encryption ([14], 159). The most prominent example, first proposed in 1985, is a subgroup of points of an elliptic curve E over a finite field Fq of prime orderN . ForN ≈ 1080, with current computing power, it is infeasible to solve the elliptic curve DLP, or ECDLP; in other words, it is not possible to determine n. However, in the early 1990’s, supersingular elliptic curves, those curves over fields of positive characteristic which have no p-torsion, were discovered to be susceptible to the MOV attack, which used the Weil pairing to reduce the ECDLP to the DLP in Fq , the multiplicative group of the finite field, where subexponential attacks such as the index calculus are possible ([14], 144).Thus, for cryptographic purposes, it is necessary to restrict to ordinary elliptic curves, where E[p](K̄) ' Z/pZ. However, certain subgroups of ordinary elliptic curves, those N = p, are even more insecure than supersingular curves. The ECDLP in the p-torsion subgroup of E(Fq) can be reduced to the DLP in Fq , which is easily solved by the Euclidean algorithm. For q = p, these curves are known as trace one or anomalous curves. The purpose of this paper is to describe the distinct approaches to solving the DLP in the p-torsion subgroup of elliptic curves, as well the related theoretical framework. Throughout, we letE denote an ordinary elliptic curve E over Fq with characteristic p 6= 2, 3 and we assume E[p] ' Z/pZ ⊂ E(Fq). The motivating problem is to explicitly determine a “logarithm” for the group of points E[p], that is, a homomorphism E[p]→ Fp . In Section 2, we describe an algorithm due to Semaev [8], based on the divisor group of the elliptic curve. In Section 3, we describe a theoretical approach based on descent by p-isogeny. We also discuss its relation to the classical Weierstrass elliptic functions and the Semaev algorithm. In Section 4, we describe another algorithm due to Smart [10], based on the p-adic elliptic logarithm.