The Discrete Logarithm Problem on Elliptic Curves of Trace One

Nigel P. Smart Network Systems Department HP Laboratories Bristol HPL-97-128 October, 1997

elliptic curves, In this short note we describe an elementary technique cryptography which leads to a linear algorithm for solving the discrete logarithm problem on elliptic curves of trace one. In practice the method described means that when choosing elliptic curves to use in cryptography one has to eliminate all curves whose group orders are equal to the order of the finite field.

Internal Accession Date Only

Ó Copyright Hewlett-Packard Company 1997

THE DISCRETE LOGARITHM PROBLEM ON ELLIPTIC

CURVES OF TRACE ONE

N.P. SMART

Abstract. In this short note we describ e an elementary technique which leads

to a linear algorithm for solving the discrete logarithm problem on elliptic

curves of trace one. In practice the metho d describ ed means that when cho os-

ing elliptic curves to use in cryptography one has to eliminate all curves whose

group orders are equal to the order of the nite eld.

Recently attention in cryptography has fo cused on the use of elliptic curves in

public key cryptography, starting with the work of Koblitz, [1], and Miller, [3].

This is b ecause there is no known sub-exp onential typ e algorithm to solve the

discrete logarithm problem on a general elliptic curve. The standard proto cols in

cryptography which make use of the discrete logarithm problem in nite elds, such

as Die-Hellman key exchange, El Gamal and Massey-Omura, can all b e made to

work in the elliptic curve case.

Due to work of Menezes, Okamoto and Vanstone, [2], it is already known that

one must avoid elliptic curves which are sup ersingular, these are the curves which

have trace of frob enius equal to zero. Menezes, Okamoto and Vanstone reduce the

discrete logarithm problem on sup ersingular elliptic curves to the discrete logarithm

problem in a nite eld. They hence reduce the problem to one which is known to

have sub-exp onential complexity. In this pap er we shall show that one must also

avoid the use of curves for which the group order is equal to the order of the nite

eld, in other words curves for which the trace of Frob enius is equal to one. In

addition our metho d runs for solving the discrete logarithm problem on this curve

runs in linear time when time is measured in terms of the numb er of basic group

op erations that one must p erform.

The metho d of attack has more the just academic interest as elliptic curves of

trace one have b een prop osed as curves to be used in practical systems, [4]. At

rst sight this seems a go o d idea as if a curve is de ned over a prime base eld of

p elements and the curve has order p then clearly the standard square ro ot attacks

on the discrete logarithm problem will not b e e ective, at least if p is large enough.

However such curves have addition structure which renders the systems very weak

as we shall now show.

We shall assume that our elliptic curve, E , is de ned over a prime nite eld,

F , and that the numb er of p oints on E is equal to p. Hence the trace of Frob enius

p

P and Q, and wewant is equal to one. Supp ose wehavetwo p oints on the curve,

to solve the following discrete logarithm problem on E F ,

p

Q =[m]P;

for some integer m. We rst compute an arbitrary lift of P and Q to p oints, P and

Q, on the same elliptic curve but considered as a curveover Q . This is trivial in

p 1

practice as, b ecause neither P nor Q are p oints of order two, we can write P =x; y 

where x is the x-co ordinate of P and y is computed via Hensel's Lemma.

We then have

P [m]Q = R 2 E Q ;

1 p

where the groups E Q  are as de ned in [5][Chapter VI I]. We note

n p

+

 

E Q =E Q  E F  and E Q =E Q  F :

= =

0 p 1 p p 1 p 2 p

p

+

But the groups E F  and F have the same order by assumption, namely p. So

p

p

wehave

[p]P [m][p]Q=[p]R 2E Q :

2 p

If we then take the p-adic elliptic logarithm,  , of every term in the previous

p

equation we obtain

2

 [p]P  m [p]Q= [p]R  0 mo d p :

p p p

This is p ossible as for any p oint P 2 E Q wehave[p]P 2 E Q , as p = jE F j,

p 1 p p

and the p-adic elliptic logarithm is de ned on all p oints in E Q . Computing the

1 p

p-adic elliptic logarithm is an easy matter, see for instance [5][Chapter IV] or [6].

So hence

 [p]P 

p

m mo d p:

 [p]Q

p

Clearly, on the assumption that one knows the group order, the ab ove observation

will solve the discrete logarithm problem in linear time. To see this notice that the

only non-trivial computation which needs to b e p erformed is to compute [p]P and

[p]Q, b oth of which take log p group op erations on E .

1. Example

To explain the metho d I will use a curveover a small eld, namely F . We shall

43

take the curve

2 3 2

E : Y = X 4X 128X 432:

The group E F  can be readily veri ed to have 43 elements. On this curvewe

43

would like to solve the discrete logarithm problem given by

Q =[m]P

where P =0;16 and Q = 12; 1. We nd the following \lifts" of these p oints to

elements of E Q  using Hensel's Lemma,

p

2 3 4 5 6 7 8

P = 0; 16 + 21:43 + 22:43 +20:43 +26:43 +8:43 +35:43 +36:43 + O 43 ;

2 3 4 5 6 7 8

Q = 12; 1+ 12:43 + 35:43 +29:43 +18:43 +36:43 +14:43 +14:43 + O 43 :

We then need to compute [43]P and [43]Q, whichwe nd to b e equal to

2 1 2 3

[43]P = 10:43 +10:43 +16+31:43 + 34:43 + O 43 ;

3 2 1 2 3

21:43 +40:43 +17:43 +29+22:43 + 37:43 + O 43 ;

2 1 2 3

[43]Q = 13:43 +41:43 +9+9:43 + 24:43 + O 43 ;

3 2 1 2 3

41:43 +14:43 +42:43 +15+30:43 + 28:43 + O 43 :

We then nd that

2 3 4

 [43]P  = 20:43 + 6:43 +32:43 + O 43 ;

43

2 3 4

 [43]Q = 28:43 + 15:43 +22:43 + O 43 :

43 2

Hence

 [43]Q

43

m = =10+O43:

 [43]P 

43

And we conclude that m is equal to 10, which can b e easily veri ed to b e the correct

solution.

References

[1] N. Koblitz. Elliptic curve cryptosystems. Math. Comp., 48:203{209, 1987.

[2] A. Menezes, T. Okamoto, and S. Vanstone. Reducing elliptic curve logarithms to a nite eld.

IEEE Transactions on Information Theory, 39:1639{1646, 1993.

[3] V. Miller. Use of elliptic curves in cryptography.InAdvances in Cryptology, CRYPTO 85,

pages 417{426. Springer Verlag, LNCS 218, 1986.

[4] A. Miya ji. Elliptic curves over F suitable for cryptosystems. In Advances in Cryptology,

p

AUSCRYPT 92, pages 479{491. Springer Verlag, LNCS 718, 1993.

[5] J.H. Silverman. The Arithmetic Of El liptic Curves. Springer-Verlag, GTM 106, 1986.

[6] N.P. Smart. S -integral p oints on elliptic curves. Proc. Camb. Phil. Soc., 116:391{399, 1994.

Hewlett-Packard Laboratories,Filton Road, Stoke Gifford, Bristol BS12 6QZ, U.K.

E-mail address : [email protected] 3