
The Security of Curves for Elliptic Curve Cryptosystems (橢圓曲線密碼系統之曲線安全性研究)

Academic year: 2022


National Taiwan University
College of Science, Department of Mathematics
Master Thesis

橢圓曲線密碼系統之曲線安全性研究
The Security of Curves for Elliptic Curve Cryptosystems

Student: Chien-Yeo Chiang (江前佑)

Advisor: Jiun-Ming Chen, Ph.D. (陳君明)

June 2008 (Republic of China year 97)


Acknowledgements

First I want to thank my advisor, Professor Jiun-Ming Chen. Since I began studying under him, our fixed weekly discussions have taken me from knowing nothing about elliptic curves to having a general understanding of them, which has been very rewarding. I have also learned from him many attitudes and methods for doing things, and my ability to express myself has improved as a result. Regarding the thesis, whenever I ran into problems he spent a great deal of time discussing them with me, pointed me in some directions, and gave me many valuable suggestions on the writing; only then could this thesis come into being. I also want to thank the classmates who discussed things with me while I was writing, and my family, who quietly supported me from behind the scenes.


Abstract (Chinese, translated)

The security of many cryptosystems today rests on the difficulty of the elliptic curve discrete logarithm problem (ECDLP). The security of these cryptosystems usually depends on the choice of curve. In this thesis we survey the current attacks on the ECDLP, identify the conditions that make a curve weak, and propose some conditions that a secure curve should satisfy. We also discuss some other attacks, which fail against the ECDLP.

Keywords: elliptic curve cryptography; elliptic curve discrete logarithm; weak curve; index calculus; discrete logarithm.


Abstract

The elliptic curve discrete logarithm problem (ECDLP) forms the basis of numerous cryptosystems today. The security of these cryptosystems usually depends on the choice of curve. In this thesis, we give a summary of recent attacks on the ECDLP, find the criteria of weak curves, and suggest the conditions that a secure curve should satisfy. We also discuss some attacks which work on the DLP but fail on the ECDLP.

Key words: elliptic curve cryptography; elliptic curve discrete logarithm; weak curve; index calculus; discrete logarithm.


Contents

Thesis committee approval
Acknowledgements
Abstract in Chinese
Abstract in English
1 Introduction
2 General Attacks on the ECDLP
2.1 Baby Step, Giant Step
2.2 The Pollard Method
2.2.1 Pollard's ρ Method
2.2.2 Pollard's λ Method
2.3 Pohlig-Hellman Attack
3 Isomorphism Attacks on the ECDLP
3.1 Attacks on Anomalous Curves
3.1.1 Smart's Method
3.1.2 Semaev's Method
3.2 MOV Attack
3.3 Tate Pairing Attack
3.4 Weil Descent
4 Other Attacks
4.1 Index Calculus on the ECDLP
4.2 Xedni Calculus on the ECDLP
4.3 Semaev's Summation Polynomials
4.4 Further Results
5 Conclusions
References
A Computation of the Pairings


1 Introduction

The discrete logarithm problem (DLP) in an abelian group $G$ is: given two elements $\alpha$ and $\beta$ in $G$, find an integer $k$ such that $\beta = \alpha^k$. Provided that such a $k$ exists, we write $k = \log_\alpha \beta$. In particular, a discrete logarithm problem in an elliptic curve group is called an elliptic curve discrete logarithm problem (ECDLP). The difficulty of the ECDLP depends on the choice of the curve and of the base field, so it is important to use a good curve in an elliptic curve cryptosystem. In this thesis we summarize recent attacks on the ECDLP in order to find the criteria of weak curves and weak base fields. Apart from the brute force attack, recent cryptanalysis of the ECDLP can be roughly categorized into two classes: general attacks and isomorphism attacks.

The baby step, giant step method [31] can be used to solve the DLP in any finite abelian group, so it solves the ECDLP as well. However, it has space and time complexity $O(\sqrt{n})$, where $n$ is the order of the base point $P$. By using random walks, Pollard [25] reduced the space to a constant amount while keeping the time complexity $O(\sqrt{n})$. Therefore we can defeat the Pollard method with a sufficiently large $n$. Pohlig and Hellman [24] also noticed that to solve the DLP in a finite abelian group $G$ one only needs to solve the DLP in the subgroups of $G$ of prime power order; the original DLP is then solved using the Chinese Remainder Theorem (CRT). Our choice of curves can thus be reduced to a simple case: the curve has a base point $P$ whose order $n$ is a prime larger than $2^{163}$.

If $G$ is a group of prime order $n$, then $G$ and $\langle P \rangle$ are both cyclic, hence isomorphic. The main idea of the isomorphism attack is to find an efficiently computable isomorphism from $\langle P \rangle$ to $G$. If there exist subexponential-time (or faster) algorithms for the DLP in $G$, we can reduce the ECDLP to the DLP in $G$. The known isomorphism attacks are the following.

• The attack on anomalous curves (elliptic curves over $\mathbb{F}_p$ with exactly $p$ points), due to Smart [35] and to Satoh and Araki [26], uses lifting and the $p$-adic logarithm to reduce the ECDLP over the prime field $\mathbb{F}_p$ to the DLP in the additive group $\mathbb{F}_p^+$, where the discrete logarithm is solved efficiently by the extended Euclidean algorithm. This method has been generalized by Semaev [29] to the case of an elliptic curve group which has a subgroup of prime order $p$.

• The Weil and Tate pairing attacks both establish an isomorphism from $\langle P \rangle$ to the subgroup $\mu_n$ of $\mathbb{F}_{q^l}^*$ for some integer $l$, where $q = p$ or $q = 2^m$. The former attack was developed by Menezes, Okamoto and Vanstone (MOV) [20] with the additional constraint $n \nmid (q - 1)$, and the latter attack was developed by Frey and Rück [4] without this additional constraint. The ECDLP is reduced to the DLP in $\mathbb{F}_{q^l}^*$, for which subexponential-time algorithms exist.

• Gaudry, Hess and Smart (GHS) [9] proposed an efficient algorithm that reduces ECDLP instances in $E(\mathbb{F}_{2^m})$, an elliptic curve over a binary field, to instances of the hyperelliptic curve discrete logarithm problem (HCDLP). Menezes and Qu [19] further showed that the GHS attack fails for all cryptographically interesting elliptic curves over $\mathbb{F}_{2^m}$ for all prime $m \in [160, 600]$. Maurer, Menezes and Teske [17] completed the analysis of the GHS attack by identifying and enumerating the isomorphism classes of elliptic curves over $\mathbb{F}_{2^m}$ for composite $m \in [160, 600]$.

To avoid the above attacks one needs to compute the order of the elliptic curve group. Schoof [27] gave a polynomial-time algorithm for this, which was later improved by Atkin and Elkies [1].

The remainder of this thesis is organized as follows. In Section 2 we review the general attacks and set up some basic requirements on the curve. In Section 3 we introduce the isomorphism attacks, which apply to some special curves. In Section 4 we give an introduction to the index calculus method, the xedni calculus method and their failure on the ECDLP; we also introduce a new idea which transforms the original ECDLP into a system of polynomial equations. In Section 5 we summarize the weak curves and the base fields which should not be used in an elliptic curve cryptosystem.


2 General Attacks on the ECDLP

The following notation will be used throughout this thesis.

$\mathbb{F}_p$: the finite field of $p$ elements, where $p$ is a prime.

$\mathbb{F}_{2^m}$: the finite field of $2^m$ elements, also called a binary field.

$\mathbb{F}_q$: the finite field of $q$ elements.

$E(K)$: the elliptic curve group over a field $K$, consisting of the points on $E : y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$ with $a_i \in K$, together with the point at infinity $\infty$.

$N$: the order of $E(K)$.

$n$: the order of the base point $P \in E(K)$.

$E[n]$: the set of points of order dividing $n$ with coordinates in the algebraic closure $\bar K$.

$\langle P \rangle$: the cyclic subgroup generated by $P$.

The elliptic curve discrete logarithm problem is: given $Q \in \langle P \rangle$, find an integer $k$ such that $Q = kP \in E(K)$. We are only concerned with the cases where the base field $K$ is $\mathbb{F}_p$ or $\mathbb{F}_{2^m}$, since these are widely used in practice.

2.1 Baby Step, Giant Step

Shanks [31] developed a method which requires approximately $\sqrt{N}$ steps and $\sqrt{N}$ storage. Given a point $P$ in an elliptic curve group, it is easy to compute its inverse $-P$ (negate the $y$-coordinate), and $iP$ and $-iP$ share the same $x$-coordinate. With this in mind, the algorithm is modified as follows.

1. Choose an integer $s \ge \sqrt{N}$ and compute $sP$.

2. Calculate the $x$-coordinate of $iP$ for $0 \le i \le s/2$ and store them as a list.

3. Compute the points $Q - jsP$ for $j = 0, 1, \dots, s$ until the $x$-coordinate of one of them matches an entry of the list. Set $i = i_0$ and $j = j_0$ for this match.

4. Use the $y$-coordinate to decide whether $Q - j_0sP = i_0P$ or $Q - j_0sP = -i_0P$.

5. If $Q - j_0sP = i_0P$, then $k \equiv i_0 + j_0s \pmod N$. If $Q - j_0sP = -i_0P$, then $k \equiv -i_0 + j_0s \pmod N$.

The above algorithm requires approximately $\sqrt{N}/2$ steps and $\sqrt{N}/2$ storage. Therefore we would like the size $N$ of $E(K)$ (usually the same size as the key) to be larger than $2^{224}$, the counterpart of the $2^{2048}$ modulus size recommended for public-key schemes such as RSA. In practical implementations $N$ is selected to be greater than $2^{160}$.

To apply BSGS we do not need to know the exact order $N = |E(\mathbb{F}_q)|$, although we have mentioned that it can be computed by Schoof's algorithm [27]. The reason is that Hasse's theorem gives the upper bound $N \le q + 1 + 2\sqrt{q}$, so $s$ can be chosen to satisfy $s^2 \ge q + 1 + 2\sqrt{q}$. Notice also that although our discussion here is in terms of $N$, the same discussion applies to the order $n$ of the base point $P$.

2.2 The Pollard Method

2.2.1 Pollard’s ρ Method

The main idea behind the Pollard method is to find distinct pairs $(a, b)$ and $(a', b')$ modulo $n$ such that $aP + bQ = a'P + b'Q$. Then $(a - a')P = (b' - b)Q = (b' - b)kP$ implies

$$k = \log_P Q \equiv (a - a')(b' - b)^{-1} \pmod n,$$

provided $(b' - b)^{-1}$ exists.

At first glance, randomly selecting the pairs takes about $\sqrt{\pi n/2} \approx 1.2533\sqrt{n}$ iterations in expectation to find a collision, by the birthday paradox, and also $3\sqrt{\pi n/2} \approx 3.7599\sqrt{n}$ storage. Pollard's method gives roughly the same expected time but needs very little storage.

The subgroup $\langle P \rangle$ of $E(K)$ is first partitioned into three subsets $S_1, S_2, S_3$ of roughly the same size by a partition function $H$; we write $H(X) = j$ if $X \in S_j$. Pollard's idea is to use an iterating function $f$ to find a collision. The iterating function $f : \langle P \rangle \to \langle P \rangle$ is defined by

$$f(X) = \begin{cases} X + Q & \text{if } H(X) = 1 \\ 2X & \text{if } H(X) = 2 \\ X + P & \text{if } H(X) = 3 \end{cases}$$

If we start at a point $X_1 = a_1P + b_1Q$, we can generate a sequence of points recursively by $X_{i+1} = f(X_i)$. Two integer sequences $\{a_i\}$ and $\{b_i\}$ satisfying $X_{i+1} = a_{i+1}P + b_{i+1}Q$ for $i \ge 1$ can then be computed by

$$a_{i+1} = \begin{cases} a_i \pmod n & \text{if } H(X_i) = 1 \\ 2a_i \pmod n & \text{if } H(X_i) = 2 \\ a_i + 1 \pmod n & \text{if } H(X_i) = 3 \end{cases}
\qquad
b_{i+1} = \begin{cases} b_i + 1 \pmod n & \text{if } H(X_i) = 1 \\ 2b_i \pmod n & \text{if } H(X_i) = 2 \\ b_i \pmod n & \text{if } H(X_i) = 3 \end{cases}$$

We store the pair $(X_1, X_2)$ and iteratively compute pairs $(X_i, X_{2i})$ until $X_i = X_{2i}$ for some $i$. Since $\langle P \rangle$ is finite, this collision does happen. Hence we have a relation $a_iP + b_iQ = a_{2i}P + b_{2i}Q$, which means $(a_i - a_{2i})P = (b_{2i} - b_i)Q = (b_{2i} - b_i)kP$. Therefore

$$k = \log_P Q \equiv (a_i - a_{2i})(b_{2i} - b_i)^{-1} \pmod n$$

when $b_{2i} - b_i$ is relatively prime to $n$.


We summarize Pollard's $\rho$ method [25] for the ECDLP as follows.

1. Select a partition function $H : \langle P \rangle \to \{1, 2, 3\}$.

2. Select $a_1, b_1 \in [0, n-1]$ and compute the initial point $X_1 = a_1P + b_1Q$.

3. Repeat

   (a) Compute $X_{i+1} = f(X_i)$ and $X_{2i+2} = f(f(X_{2i}))$.

   (b) Compute $a_{i+1}, b_{i+1}, a_{2i+2}$ and $b_{2i+2}$.

   until $X_i = X_{2i}$.

4. If $b_i = b_{2i}$ then go back to step 2, else compute $k \equiv (a_i - a_{2i})(b_{2i} - b_i)^{-1} \pmod n$.

Gallant, Lambert and Vanstone [6] and Wiener and Zuccherato [38] independently discovered a way to speed up Pollard's method using automorphisms. The main idea is to reduce the size of the set on which the Pollard walk runs, so that the time required to find a collision is smaller.

Suppose $\psi : \langle P \rangle \to \langle P \rangle$ is an automorphism which can be computed efficiently. Since $\langle P \rangle$ is finite, $\psi$ has finite order $t$; that is, $t$ is the smallest positive integer such that $\psi^t(R) = R$ for all $R \in \langle P \rangle$. We use this automorphism to define an equivalence relation $\sim$ on $\langle P \rangle$ by

$$R_1 \sim R_2 \iff R_1 = \psi^j(R_2) \text{ for some } j \in [0, t-1].$$

The only difficulty is to construct a random walk which is well defined on the equivalence classes. We may choose as representative the point with the minimal $x$-coordinate in each equivalence class (with ties broken by selecting the point with the smaller $y$-coordinate), denoted by $\bar R$. Then the iterating function $g$ defined by $g(\bar R) = \overline{f(\bar R)}$ is a modification of $f$ which is well defined on these representatives.

Since $\psi$ is an automorphism, we have $\psi(P) = \lambda P$ for some $\lambda \in [0, n-1]$. Suppose we know this integer $\lambda$; then $\psi(R) = \lambda R$ for all $R \in \langle P \rangle$. Thus, if we start at a point $X_1 = a_1P + b_1Q$, it is easy to compute the representative $\bar X_1$ of the equivalence class containing $X_1$: if $\bar X_1 = \psi^j(X_1) = \bar aP + \bar bQ$ for some integer $j$, then $\bar a \equiv \lambda^j a_1 \pmod n$ and $\bar b \equiv \lambda^j b_1 \pmod n$ [12].

Now $g$ can be used as the iterating function on the set of representatives of the equivalence classes, which has roughly $n/t$ elements. Set the initial point $X_1 = \bar X_1$ and apply the Pollard method with $X_{i+1} = g(X_i)$ for $i \ge 1$; the expected number of iterations to find a collision is then about $\sqrt{\pi n/2t}$.

We close this section with some examples which show how the security may be affected by this method.

Example 2.1. Suppose $p \equiv 1 \pmod 3$ is a prime; then there exists an element $\beta \in \mathbb{F}_p$ of order 3. For the elliptic curve $E : y^2 = x^3 + b$ over $\mathbb{F}_p$, the map $\phi : E(\mathbb{F}_p) \to E(\mathbb{F}_p)$ defined by

$$\phi(x, y) = (\beta x, -y), \qquad \phi(\infty) = \infty$$

is an endomorphism of order 6. For a prime field of size $2^{160}$, the work required to solve an ECDLP is

$$\sqrt{\frac{\pi n}{2t}} = \sqrt{\frac{\pi n}{2 \cdot 6}} \approx 2^{79},$$

so the security is reduced by one bit in comparison with the $2^{80}$ of the ordinary Pollard method.

Example 2.2. Consider the Koblitz curves (anomalous binary curves) over $\mathbb{F}_{2^m}$ of the form $y^2 + xy = x^3 + ax^2 + 1$ with $a \in \{0, 1\}$. The Frobenius map $\phi : E(\mathbb{F}_{2^m}) \to E(\mathbb{F}_{2^m})$ defined by

$$\phi(x, y) = (x^2, y^2), \qquad \phi(\infty) = \infty$$

is an endomorphism of order $m$. This method reduces the security of the Koblitz curve over $\mathbb{F}_{2^{163}}$ to an effort of approximately

$$\sqrt{\frac{\pi n}{2m}} = \sqrt{\frac{\pi n}{2 \cdot 163}} \approx 2^{77}$$

to break the ECDLP, rather than approximately $2^{81}$ for the ordinary Pollard method.

2.2.2 Pollard’s λ Method

Pollard [25] also describes another λ-method which can be parallelized to solve an ECDLP. With a little more information than usual, he finds a collision by keeping track of two kangaroos. Each kangaroo is a random walk using the same iterating function but starting at different initial points [36]. One is called the tame kangaroo and another is the wild kangaroo. The main idea is to use the tame kangaroo to set up some traps to catch the wild kangaroo. Once the wild kangaroo falls into a trap set up by the tame kangaroo, it will then follow the footprints of the tame kangaroo.

Eventually, the ECDLP is solved.

The following is a small variant of the Pollard method from [1]. As in the $\rho$-method, first we select a partition function $H : \langle P \rangle \to \{1, 2, \dots, L\}$, where $L$ is usually around 16. Let $S = \{M_1, M_2, \dots, M_L\}$. Each jump of a kangaroo depends on the point from which it jumps, by a distance selected from the set $S$. A natural choice of $M_j$ is of the form

$$M_j = s_jP + t_jQ,$$

where $s_j, t_j$ are randomly selected from $[0, n-1]$. Our iterating function $f : \langle P \rangle \to \langle P \rangle$ is then defined by

$$f(X) = X + M_j \quad \text{where } H(X) = j.$$


So, if $X_i = a_iP + b_iQ$, it is easy to compute $X_{i+1} = f(X_i) = a_{i+1}P + b_{i+1}Q$, where

$$X_{i+1} = X_i + M_j \text{ with } H(X_i) = j, \qquad a_{i+1} \equiv a_i + s_j \pmod n, \qquad b_{i+1} \equiv b_i + t_j \pmod n.$$

The remaining problem is that if we start the tame kangaroo at $T_1 = a_1P + b_1Q$ and the wild kangaroo at $W_1 = a'_1P + b'_1Q$, we must store all the computed points $T_{i+1} = f(T_i)$ and $W_{i+1} = f(W_i)$ until a collision is found, which requires $O(\sqrt{n})$ storage. How do we find a collision without using too much storage? An idea is to use a distinguishing property. A point is called distinguished if it satisfies some property which can be tested easily, such as the last digit of its $x$-coordinate being zero. We only look for collisions at distinguished points. The algorithm is summarized as follows.

1. Select a partition function $H : \langle P \rangle \to \{1, 2, \dots, L\}$.

2. Construct $S = \{M_1, M_2, \dots, M_L\}$.

3. Select $a_1, b_1 \in [0, n-1]$ and compute the initial point $T_1 = a_1P + b_1Q$.

4. Select $a'_1, b'_1 \in [0, n-1]$ and compute the initial point $W_1 = a'_1P + b'_1Q$.

5. Repeat

   (a) If $T_i$ or $W_i$ is distinguished, then store $(a_i, b_i, T_i)$ or $(a'_i, b'_i, W_i)$.

   (b) Compute $T_{i+1} = f(T_i)$ and $W_{i+1} = f(W_i)$.

   (c) Compute $a_{i+1}, b_{i+1}, a'_{i+1}$ and $b'_{i+1}$.

   until the processor stores some distinguished point $Y$ for the second time. Let $(c, d, Y)$ and $(c', d', Y)$ be the two triples associated with $Y$.

6. If $d = d'$ then go back to step 3, else compute $k \equiv (c - c')(d' - d)^{-1} \pmod n$.

Note that the above algorithm is easily parallelized by running the tame and the wild kangaroo on different processors. Whenever a processor encounters a distinguished point, it transmits the point to a central server which stores it in a sorted list. In addition, starting with more than two initial points gives more kangaroos, and a collision is then found faster: with $u$ processors this yields a speedup by a factor of $u$. Let $\theta$ be the proportion of points in $\langle P \rangle$ with the distinguishing property. After a collision occurs, one expects the random walk to take another $1/\theta$ steps in the worst case before reaching a distinguished point. So the expected number of steps to find a collision at a distinguished point is

$$\frac{1}{u}\sqrt{\frac{\pi n}{2}} + \frac{1}{\theta}.$$

Remark 2.3. The above algorithm is a generalization of Pollard's original method, in which he assumes that $k \in [a, b] \subset [0, n-1]$ with $b - a$ a fairly manageable quantity. The tame kangaroo starts at $bP$, the wild kangaroo starts at $Q$, and $H$ takes about $\log_2(b - a)$ values. Other choices of the iterating function are also available.

2.3 Pohlig-Hellman Attack

Suppose the order of $P$ factors as

$$n = \prod_i p_i^{e_i},$$

where the $p_i$ are small primes such that Pollard's method can solve the ECDLP in the subgroup of order $p_i$. The idea of the Pohlig-Hellman [24] attack is to find $k \pmod{p_i^{e_i}}$ for each $i$ and then use the CRT to combine these results to obtain $k \pmod n$. We write $k$ in base $p_i$ as

$$k \equiv k_0 + k_1p_i + \dots + k_{e_i-1}p_i^{e_i-1} \pmod{p_i^{e_i}},$$

and then $k \pmod{p_i^{e_i}}$ is evaluated by successively determining $k_0, k_1, \dots, k_{e_i-1}$.

1. Compute $\frac{n}{p_i}P$.

2. Compute $Q_0 = \frac{n}{p_i}Q$.

3. Solve the discrete logarithm $k_0$ of $Q_0$ to the base $\frac{n}{p_i}P$ by the Pollard method.

4. If $e_i = 1$, stop. Otherwise, continue.

5. For $j \ge 1$, let $Q_j = Q_{j-1} - k_{j-1}p_i^{j-1}P$.

6. Solve the discrete logarithm $k_j$ of $\frac{n}{p_i^{j+1}}Q_j$ to the base $\frac{n}{p_i}P$ by the Pollard method.

7. Repeat until $j = e_i - 1$.

Then $k \equiv k_0 + k_1p_i + \dots + k_{e_i-1}p_i^{e_i-1} \pmod{p_i^{e_i}}$. We can check the above algorithm by

$$\frac{n}{p_i}Q = \frac{n}{p_i}kP = \frac{n}{p_i}\left(k_0 + k_1p_i + \dots + k_{e_i-1}p_i^{e_i-1}\right)P = k_0\frac{n}{p_i}P + \left(k_1 + \dots + k_{e_i-1}p_i^{e_i-2}\right)nP = k_0\frac{n}{p_i}P,$$

since $nP = \infty$. Therefore we have indeed found $k_0$ in the algorithm, and similarly for $k_j$, $j = 1, \dots, e_i - 1$.

It is clear that the Pohlig-Hellman attack works well if the prime factors $p_i$ of $n$ are small. If there is a prime factor of $n$ larger than $2^{160}$, then the Pollard method cannot work in the corresponding subgroup, which implies that the Pohlig-Hellman attack is of little use. For this reason, if a cryptosystem is based on the ECDLP, we would like the order of the elliptic curve group to contain a large ($\ge 2^{160}$) prime factor.

We close this section with an easy example which can be found in [1]. It solves the ECDLP by the Pohlig-Hellman attack combined with the Pollard method.

Example 2.4. Consider the elliptic curve $E : y^2 = x^3 + 71x + 602$ over the finite field $\mathbb{F}_{1009}$; then $N = 1060 = 2^2 \cdot 5 \cdot 53$. We want to find $k$ such that $Q = kP$, where $P = (1, 237)$ and $Q = (190, 271)$, and the order of $P$ is $530 = 2 \cdot 5 \cdot 53$. First we use the reduction of Pohlig and Hellman to compute $k$ modulo 2, 5 and 53.

• $k \pmod 2$. Compute the points

$$(530/2)P = 265P = (50, 0) \quad \text{and} \quad Q_0 = (530/2)Q = 265Q = (50, 0),$$

then solve $Q_0$ to the base $(530/2)P$. Clearly $k \equiv 1 \pmod 2$.

• $k \pmod 5$. Compute the points

$$(530/5)P = 106P = (639, 160) \quad \text{and} \quad Q_0 = (530/5)Q = 106Q = (639, 849),$$

then solve $Q_0$ to the base $(530/5)P$. We can see that $Q_0 = -(530/5)P$, which means $k \equiv -1 \equiv 4 \pmod 5$.

• $k \pmod{53}$. Compute the points

$$P' = (530/53)P = 10P = (32, 737) \quad \text{and} \quad Q_0 = (530/53)Q = 10Q = (592, 97),$$

then solve $Q_0$ to the base $P'$ with the kangaroo method. First we select a partition function

$$H : E(\mathbb{F}_{1009}) \to \{1, 2, 3\}, \qquad (x, y) \mapsto (x \bmod 3) + 1.$$

Construct the set $S$ as

$$M_1 = 2P' + 0Q_0 = (8, 623), \quad M_2 = 1P' + 1Q_0 = (654, 118), \quad M_3 = 3P' + 4Q_0 = (555, 82).$$

Now we set $T_1 = 1P' + 0Q_0$ and $W_1 = 0P' + 1Q_0$. Since $H(T_1) = 3$ and $H(W_1) = 2$, we obtain

$$T_2 = f(T_1) = T_1 + M_3 = 4P' + 4Q_0 = (200, 357), \qquad W_2 = f(W_1) = W_1 + M_2 = 1P' + 2Q_0 = (817, 136).$$

All $T_i$ and $W_i$ can be computed in the same way. After collecting enough $T_i$ and $W_i$, we find that the tame kangaroo has crossed its own path: $7P' + 8Q_0 = T_3 = T_6 = 12P' + 9Q_0$. Hence $Q_0 = -5P'$, and $k \equiv -5 \equiv 48 \pmod{53}$.

Combining $k \equiv 1 \pmod 2$, $k \equiv 4 \pmod 5$ and $k \equiv 48 \pmod{53}$ with the Chinese Remainder Theorem, we obtain $k \equiv 419 \pmod{530}$.
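The three general attacks of this section, as an added worked example that is not code from the thesis: Shanks' baby step, giant step with the negation trick of Section 2.1, Pollard's $\rho$ walk with the three-way partition of Section 2.2.1, and the Pohlig-Hellman reduction of Section 2.3, all run against the curve and points of Example 2.4. The affine curve arithmetic, the partition function $H(x, y) = (x \bmod 3) + 1$, the fixed seed for the random starting points and the choice to search the order-2 and order-5 subgroups exhaustively are this example's own decisions; the thesis uses the kangaroo walk for the order-53 piece, while this code uses the $\rho$ walk there and reaches the same residue 48.

```python
# Added example for this page (not the thesis author's code): the general
# attacks of Sections 2.1, 2.2.1 and 2.3 against the curve of Example 2.4,
# y^2 = x^3 + 71x + 602 over F_1009, with P = (1, 237) of order
# n = 530 = 2 * 5 * 53 and Q = (190, 271).  Affine coordinates; None stands
# for the point at infinity; pow(v, -1, m) is Python's modular inverse.
import math
import random

p, a, b = 1009, 71, 602
P, Q, n = (1, 237), (190, 271), 530

def ec_add(P1, P2):
    if P1 is None: return P2
    if P2 is None: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0: return None       # P2 = -P1
    if P1 == P2: lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_neg(P1):
    return None if P1 is None else (P1[0], -P1[1] % p)

def ec_mul(k, P1):
    if k < 0: k, P1 = -k, ec_neg(P1)
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == "1": R = ec_add(R, P1)
    return R

def bsgs(P1, Q1, order):
    """Section 2.1: Shanks' method storing only x(iP) for 0 < i <= s/2 (negation trick)."""
    s = math.isqrt(order - 1) + 1                  # smallest s with s^2 >= order
    baby, R = {}, None
    for i in range(1, s // 2 + 1):
        R = ec_add(R, P1)
        baby[R[0]] = i
    step, giant = ec_neg(ec_mul(s, P1)), Q1        # giant = Q - j*s*P
    for j in range(s + 1):
        if giant is None: return j * s % order     # Q = j*s*P
        i = baby.get(giant[0])
        if i is not None:                          # x matches: giant is +iP or -iP
            sign = 1 if giant == ec_mul(i, P1) else -1
            return (j * s + sign * i) % order
        giant = ec_add(giant, step)
    return None

def pollard_rho(P1, Q1, order, seed=2008):
    """Section 2.2.1: rho walk with H(X) = (x mod 3) + 1 and Floyd's X_i = X_2i test,
    in the cyclic group <P1> of prime order."""
    rng = random.Random(seed)
    def f(X, u, v):                                # X = u*P1 + v*Q1  ->  f(X), updated (u, v)
        h = 1 if X is None else X[0] % 3 + 1
        if h == 1: return ec_add(X, Q1), u, (v + 1) % order
        if h == 2: return ec_add(X, X), 2 * u % order, 2 * v % order
        return ec_add(X, P1), (u + 1) % order, v
    for _ in range(100):                           # new random start whenever b_2i = b_i
        u, v = rng.randrange(order), rng.randrange(order)
        slow = fast = (ec_add(ec_mul(u, P1), ec_mul(v, Q1)), u, v)
        while True:
            slow, fast = f(*slow), f(*f(*fast))    # (X_i, a_i, b_i) and (X_2i, a_2i, b_2i)
            if slow[0] == fast[0]: break
        d = (fast[2] - slow[2]) % order            # b_2i - b_i
        if d: return (slow[1] - fast[1]) * pow(d, -1, order) % order
    raise RuntimeError("rho walk degenerated; change the partition function")

def factor(m):
    out, d = [], 2
    while d * d <= m:
        e = 0
        while m % d == 0: m, e = m // d, e + 1
        if e: out.append((d, e))
        d += 1
    return out + ([(m, 1)] if m > 1 else [])

def crt(residues):
    k, m = 0, 1
    for r, q in residues:                          # moduli are pairwise coprime prime powers
        k += m * ((r - k) * pow(m, -1, q) % q)
        m *= q
    return k % m

def pohlig_hellman(P1, Q1, order):
    """Section 2.3: k mod q^e one base-q digit at a time, then the CRT.  Tiny subgroups
    (q < 20) are searched exhaustively: a 3-class walk on a handful of points degenerates."""
    residues = []
    for q, e in factor(order):
        Pq, kq = ec_mul(order // q, P1), 0         # Pq has order q
        for j in range(e):
            Qj = ec_mul(order // q ** (j + 1), ec_add(Q1, ec_mul(-kq, P1)))
            if q < 20: kj = next(i for i in range(q) if ec_mul(i, Pq) == Qj)
            else:      kj = pollard_rho(Pq, Qj, q)
            kq += kj * q ** j
        residues.append((kq, q ** e))
    return crt(residues)
```

`bsgs(P, Q, n)` and `pohlig_hellman(P, Q, n)` both return 419, and `pollard_rho(ec_mul(10, P), ec_mul(10, Q), 53)` returns the residue 48 found by the kangaroo walk in the text; `ec_mul(419, P) == Q` confirms the answer. For a 160-bit $n$ the dictionary in `bsgs` and the cycle-finding in `pollard_rho` are exactly the $\sqrt{n}$ space and time costs the section describes, which is why `pohlig_hellman` only helps when every prime factor of $n$ is small.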


3 Isomorphism Attacks on the ECDLP

3.1 Attacks on Anomalous Curves

An elliptic curve $E$ over a prime field $\mathbb{F}_p$ is called anomalous if $|E(\mathbb{F}_p)| = p$, which implies that $E(\mathbb{F}_p)$ is isomorphic to $\mathbb{F}_p^+$, the additive group of $\mathbb{F}_p$. The problem is how to define an isomorphism which can be computed efficiently. In 1997, Smart [35], Satoh and Araki [26], and Semaev [29] independently proposed three different attacks on anomalous curves. Each attack gives an isomorphism from $E(\mathbb{F}_p)$ to $\mathbb{F}_p^+$, which reduces an ECDLP in $E(\mathbb{F}_p)$ to a DLP in $\mathbb{F}_p^+$; the latter is solved efficiently by the extended Euclidean algorithm, since it is just a division modulo $p$. In this section we introduce the methods of Smart and Semaev, which run in $O(\log p)$ curve operations, and demonstrate an easy example.

3.1.1 Smart’s Method

Smart's idea [35] is to use the standard logarithm map on a subgroup of the elliptic curve group over the field of $p$-adic numbers $\mathbb{Q}_p$. Suppose $E$ is an anomalous elliptic curve over $\mathbb{F}_p$, and we are given $P, Q \in E(\mathbb{F}_p)$; we want to find $k$ such that $Q = kP$. In order to apply the logarithm map, we first need to lift $P$ and $Q$ to points $\tilde P$ and $\tilde Q$ on a curve $\tilde E(\mathbb{Q}_p)$ which reduces to $E$ modulo $p$.

Definition 3.1. Suppose $R$ is a ring and $I \subseteq R$ is an ideal with $\bigcap_i I^i = \{0\}$. A sequence $\{a_n\} \subseteq R$ is a Cauchy sequence if for every $\nu$ there exists some $l \in \mathbb{N}$ such that

$$a_i - a_j \in I^\nu \quad \text{whenever } i, j \ge l.$$

The ring $R$ is complete with respect to $I$ if every Cauchy sequence in $R$ converges.

The lifting process can be done by the following lemma.


Lemma 3.2 (Hensel's Lemma). Let $R$ be a ring which is complete with respect to some ideal $I \subset R$, and let $F(w) \in R[w]$ be a polynomial. Suppose that $a \in R$ satisfies, for some integer $i \ge 1$,

$$F(a) \in I^i \quad \text{and} \quad F'(a) \in R^*.$$

Then for any $\alpha \in R$ satisfying $\alpha \equiv F'(a) \pmod I$, the sequence $\{w_m\}$ with

$$w_0 = a, \qquad w_{m+1} = w_m - F(w_m)/\alpha \quad \text{for } m \ge 0$$

converges to an element $b \in R$ satisfying

$$F(b) = 0 \quad \text{and} \quad b \equiv a \pmod{I^i}.$$

If $R$ is an integral domain, then these conditions determine $b$ uniquely.

Proof. ([32], IV.1)

After lifting the points to the elliptic curve ˜E(Qp), the next step is to construct the isomorphism from E(Fp) to Fp+. Define the reduction map π : ˜E(Qp)→ E(Fp) by π(x, y) = (x, y) (mod p). Assume the elliptic curve ˜E(Qp) has good reduction at p, that is, the reduction map reduces ˜E(Qp) to a nonsingular curve E(Fp). The set of points in ˜E(Qp) which reduce modulo p to points of E(Fp) is denoted by ˜E0(Qp), and the set of points in ˜E(Qp) which reduce to zero is denoted by ˜E1(Qp). We have the following theorem.

Theorem 3.3. There are exact sequences of abelian groups

$$0 \to \tilde E_1(\mathbb{Q}_p) \to \tilde E_0(\mathbb{Q}_p) \to E(\mathbb{F}_p) \to 0,$$

$$0 \to \tilde E_2(\mathbb{Q}_p) \to \tilde E_1(\mathbb{Q}_p) \to \mathbb{F}_p^+ \to 0,$$

where $\tilde E_2(\mathbb{Q}_p) = \{\tilde P \in \tilde E(\mathbb{Q}_p) : v(x_{\tilde P}) \le -4\}$ and $v(x_{\tilde P})$ is the $p$-adic valuation of the $x$-coordinate of $\tilde P$.


Proof. The maps in the first exact sequence are reduction modulo $p$; the proof can be found in [32], VII.2.

Since $E(\mathbb{F}_p) \cong \mathbb{F}_p^+$, the above theorem gives the following isomorphisms:

$$E(\mathbb{F}_p) \cong \tilde E_0(\mathbb{Q}_p)/\tilde E_1(\mathbb{Q}_p) \cong \tilde E_1(\mathbb{Q}_p)/\tilde E_2(\mathbb{Q}_p) \cong \mathbb{F}_p^+.$$

We start with points $\tilde P, \tilde Q \in \tilde E_0(\mathbb{Q}_p)$ and compute $\tilde P_1 = p\tilde P$ and $\tilde Q_1 = p\tilde Q$. We get $\tilde P_1, \tilde Q_1 \in \tilde E_1(\mathbb{Q}_p)$, since $\pi(p\tilde P) = p\pi(\tilde P) = \infty$. Now we can apply the logarithm

$$\vartheta_p(x, y) = p^{-1}\left(-\frac{x}{y}\right) \pmod p$$

to the points $\tilde P_1, \tilde Q_1$ when they are not in $\tilde E_2(\mathbb{Q}_p)$. The algorithm is as follows.

1. Lift the points $P, Q \in E(\mathbb{F}_p)$ to points $\tilde P, \tilde Q \in \tilde E(\mathbb{Q}_p)$ by Hensel's lemma.

2. Compute $\tilde P_1 = p\tilde P$ and $\tilde Q_1 = p\tilde Q$.

3. If $\tilde P_1 \in \tilde E_2(\mathbb{Q}_p)$, then choose a new $\tilde E, \tilde P, \tilde Q$ and try again. Otherwise, compute $k \equiv \vartheta_p(\tilde Q_1)/\vartheta_p(\tilde P_1) \pmod p$.

Let us check why it works. Let $\tilde R = k\tilde P - \tilde Q$. We have

$$\infty = kP - Q = \pi(k\tilde P - \tilde Q) = \pi(\tilde R).$$

This means $\tilde R \in \tilde E_1(\mathbb{Q}_p)$. Therefore $\vartheta_p(\tilde R)$ is defined and $\vartheta_p(p\tilde R) = p\vartheta_p(\tilde R) \equiv 0 \pmod p$. Consequently,

$$k\vartheta_p(\tilde P_1) - \vartheta_p(\tilde Q_1) = k\vartheta_p(p\tilde P) - \vartheta_p(p\tilde Q) = \vartheta_p(kp\tilde P - p\tilde Q) = \vartheta_p(p\tilde R) \equiv 0 \pmod p,$$

so

$$k \equiv \frac{\vartheta_p(\tilde Q_1)}{\vartheta_p(\tilde P_1)} \pmod p.$$


Notice that the non-trivial parts are the computations of $\tilde P_1$ and $\tilde Q_1$, which take $O(\log p)$ curve operations.

The above algorithm shows that we only need to work with numbers modulo $p^2$. We will write $O(p^i)$ for a rational number of the form $p^iz$ with $v_p(z) \ge 0$ when there is no ambiguity.

Example 3.4. Consider the elliptic curve $E : y^2 = x^3 + 39x^2 + x + 41$ over $\mathbb{F}_{43}$; we want to solve the ECDLP

$$Q = (10, 36) = kP = k(0, 16).$$

The group is easily verified to have order 43, so it is an anomalous curve. First $P$ and $Q$ are lifted by Hensel's lemma:

$$\tilde P = (0,\ 16 + 20 \cdot 43 + O(43^2)), \qquad \tilde Q = (10,\ 36 + 40 \cdot 43 + O(43^2)).$$

We then compute $\tilde P_1$ and $\tilde Q_1$:

$$\tilde P_1 = (38 \cdot 43^{-2} + O(43^{-1}),\ 41 \cdot 43^{-3} + O(43^{-2})), \qquad \tilde Q_1 = (24 \cdot 43^{-2} + O(43^{-1}),\ 35 \cdot 43^{-3} + O(43^{-2})).$$

Therefore

$$\vartheta_p(\tilde P_1) \equiv 19 \pmod{43} \quad \text{and} \quad \vartheta_p(\tilde Q_1) \equiv 3 \pmod{43},$$

and consequently

$$k \equiv \frac{\vartheta_p(\tilde Q_1)}{\vartheta_p(\tilde P_1)} \equiv \frac{3}{19} \equiv 16 \pmod{43}.$$
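Smart's algorithm run on Example 3.4, as an added example that is not part of the thesis. It works in $\mathbb{Z}/43^2$ throughout, using Jacobian projective coordinates $(X : Y : Z)$ with $x = X/Z^2$ and $y = Y/Z^3$, so that the last step $42\tilde P + \tilde P$, whose affine formula would divide by a multiple of $p$, never needs an inversion; the $p$-adic logarithm is then read off as $\vartheta_p(\tilde P_1) = -X \cdot (Z/p) \cdot Y^{-1} \pmod p$, which is the same quantity as $p^{-1}(-x/y)$. Two choices are this example's own: the curve $y^2 = x^3 + 39x^2 + x + 41$ is first moved to short Weierstrass form by the substitution $x \mapsto x + 13$ (since $39/3 = 13$), giving $y^2 = x^3 - 506x + 4422$ with $P = (13, 16)$ and $Q = (23, 36)$, a translation that changes neither the discrete logarithm nor $\vartheta_p$ modulo $p$; and the lifted curve $\tilde E$ keeps the same integer coefficients, which is the lift the example's numbers correspond to.

```python
# Added example (not the thesis author's code): Smart's attack on the anomalous
# curve of Example 3.4, |E(F_43)| = 43.  All arithmetic is done modulo p^2 in
# Jacobian coordinates (x = X/Z^2, y = Y/Z^3), which is enough precision for
# theta_p and avoids every division by a multiple of p.

p = 43
# y^2 = x^3 + 39x^2 + x + 41 becomes y^2 = x^3 - 506x + 4422 under x -> x + 13
A, B = -506, 4422
P = (0 + 13, 16)    # (0, 16) on the original model
Q = (10 + 13, 36)   # (10, 36) on the original model

def hensel_lift_y(x, y, a, b, p):
    """Lift y with y^2 = f(x) (mod p) to y + t*p with (y + t*p)^2 = f(x) (mod p^2)."""
    f = (x**3 + a * x + b) % (p * p)
    # (y + tp)^2 = y^2 + 2ytp (mod p^2), so t = ((f - y^2)/p) * (2y)^-1 (mod p)
    t = ((f - y * y) // p) * pow(2 * y, -1, p) % p
    return y + t * p

def jac_double(pt, a, m):
    X1, Y1, Z1 = pt
    S = 4 * X1 * Y1 * Y1 % m
    M = (3 * X1 * X1 + a * pow(Z1, 4, m)) % m
    X3 = (M * M - 2 * S) % m
    Y3 = (M * (S - X3) - 8 * pow(Y1, 4, m)) % m
    return (X3, Y3, 2 * Y1 * Z1 % m)

def jac_add(p1, p2, a, m):
    X1, Y1, Z1 = p1
    X2, Y2, Z2 = p2
    U1, U2 = X1 * Z2 * Z2 % m, X2 * Z1 * Z1 % m
    S1, S2 = Y1 * pow(Z2, 3, m) % m, Y2 * pow(Z1, 3, m) % m
    H, R = (U2 - U1) % m, (S2 - S1) % m           # H = 0 mod p exactly when p1 = -p2 mod p
    X3 = (R * R - H**3 - 2 * U1 * H * H) % m
    Y3 = (R * (U1 * H * H - X3) - S1 * H**3) % m
    return (X3, Y3, H * Z1 * Z2 % m)

def jac_mul(k, pt, a, m):
    """Left-to-right double-and-add; for k = p the last step is (p-1)P + P."""
    acc = None
    for bit in bin(k)[2:]:
        if acc is not None:
            acc = jac_double(acc, a, m)
        if bit == "1":
            acc = pt if acc is None else jac_add(acc, pt, a, m)
    return acc

def jac_to_affine(pt, p):
    X, Y, Z = pt
    zi = pow(Z, -1, p)
    return (X * zi * zi % p, Y * pow(zi, 3, p) % p)

def theta(pt, p):
    """theta_p(x, y) = p^{-1}(-x/y) mod p for a point of E_1 \\ E_2; None if not usable."""
    X, Y, Z = pt
    assert Z % p == 0, "point does not reduce to infinity"
    z = (Z // p) % p
    if z == 0 or X % p == 0 or Y % p == 0:      # x has valuation <= -4 (E_2): retry another lift
        return None
    return (-X * z * pow(Y, -1, p)) % p

def smart_attack(P, Q, a, b, p):
    m = p * p
    Pt = (P[0], hensel_lift_y(P[0], P[1], a, b, p), 1)   # step 1: lift P and Q
    Qt = (Q[0], hensel_lift_y(Q[0], Q[1], a, b, p), 1)
    P1, Q1 = jac_mul(p, Pt, a, m), jac_mul(p, Qt, a, m)   # step 2: multiply by p
    tP, tQ = theta(P1, p), theta(Q1, p)                   # step 3: k = theta(Q1)/theta(P1)
    if tP is None or tQ is None:
        return None
    return tQ * pow(tP, -1, p) % p
```

`smart_attack(P, Q, A, B, p)` returns 16, the value found in Example 3.4, and `jac_to_affine(jac_mul(16, (13, 16, 1), A, 43), 43)` gives `(23, 36)`, which is $Q$ on the shifted model. The `None` return is the "choose a new $\tilde E$ and try again" branch of step 3: it is reached when $\tilde P_1$ or $\tilde Q_1$ falls into $\tilde E_2(\mathbb{Q}_p)$, which is what happens for the canonical lift of the curve, so an implementation must be prepared to re-lift rather than assume one lift always works.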

3.1.2 Semaev’s Method

Semaev constructs an isomorphism different from Smart's, derived from functions defined on the elliptic curve. In order to proceed, we first briefly introduce divisors; this material can be found in any standard textbook such as [32], [37] and [16] (for the case of hyperelliptic curves).

Definition 3.5. A divisor is a formal sum of points of $E(\bar K)$, abbreviated as $E$,

$$D = \sum_{S \in E} n_S[S],$$

where $n_S = 0$ for all but finitely many points $S$. The degree of $D$ is the integer

$$\deg(D) = \sum_S n_S,$$

and the sum of $D$ is the sum of the points of $D$ in the group $E$,

$$\mathrm{sum}(D) = \sum_S n_S S.$$

The collection of all divisors, denoted $\mathrm{Div}(E)$, forms a group under formal addition. Its subgroup of elements of degree 0 is denoted $\mathrm{Div}^0(E)$.

Since $y^2 - x^3 - ax - b$ is irreducible over $\bar K$ for the given $a, b \in K$, the ideal $(y^2 - x^3 - ax - b)$ is a prime ideal, so the quotient ring $\bar K[x, y]/(y^2 - x^3 - ax - b)$ is an integral domain. We then consider its field of fractions, denoted $\bar K(x, y)$. A function on $E$ is a rational function $f(x, y) \in \bar K(x, y)$ defined at at least one point of $E(\bar K)$. We denote the set of these functions by $\bar K(E)$, by analogy with $K(E)$. A function $f$ is said to have a zero or a pole at a point $P$ if it takes the value $0$ or $\infty$ at $P$, respectively.

Suppose $u_P$ is a uniformizer at $P$, that is, a function with a simple zero at $P$. It can be shown that every $f$ can be written in the form $f = u_P^s g$ with $s \in \mathbb{Z}$ and $g(P)$ neither $0$ nor $\infty$, so we have the following definition.

Definition 3.6. Suppose $f$ is written in the form $f = u_P^s g$ with $s \in \mathbb{Z}$ and $g(P) \ne 0, \infty$. The order of $f$ at $P$ is

$$\mathrm{ord}_P(f) = s.$$


The divisor of $f$ is defined by

$$\mathrm{div}(f) = \sum_{P \in E} \mathrm{ord}_P(f)[P].$$

A divisor $D$ is principal if there is some function $f$ such that $\mathrm{div}(f) = D$.

A useful property that we will use frequently is the following.

Proposition 3.7. Let $D$ be a divisor on $E$ with $\deg(D) = 0$. Then $D$ is principal if and only if $\mathrm{sum}(D) = \infty$.

Now we focus on Semaev's method. It can be used not only for an elliptic curve group of order $p$ but also for a subgroup $\langle P \rangle$ of order $p$ of an elliptic curve group. Since there is nothing to do in a subgroup of order 2, we assume $p > 2$. We only consider elliptic curve groups over a prime field which contain a subgroup of order $p$.

The main idea behind this method is the notion of a derivative. For a rational function $f \in \mathbb{F}_q(E)$, the derivative of $f$ is the formal derivative, computed just as in a calculus course. This gives the following definition.

Definition 3.8. Suppose $f \in \mathbb{F}_q(E)$. The derivative of $f$ with respect to $x$ is

$$f' = \frac{\partial f}{\partial x} + \frac{\partial f}{\partial y}\,\frac{dy}{dx},$$

where $\partial f/\partial x$ and $\partial f/\partial y$ are the ordinary partial derivatives with respect to $x$ and $y$, and, from $y^2 = x^3 + ax + b$,

$$\frac{dy}{dx} = \frac{3x^2 + a}{2y}.$$

Suppose $D_Q$ is a divisor of degree 0 whose sum is $Q$, and $f_Q$ is a function with $\mathrm{div}(f_Q) = pD_Q$ (such an $f_Q$ exists by Proposition 3.7, since $pQ = \infty$). Assume $n = |\langle P \rangle| = p$. Then the following theorem establishes an isomorphic embedding of $\langle P \rangle$ into $\mathbb{F}_q^+$; it can be found in [29].


Theorem 3.9. Suppose $R \in \langle P \rangle \setminus \{\infty\}$ is a point which is not in the support of $D_Q$ (the points of $D_Q$ with nonzero coefficient) for any $Q \in \langle P \rangle$. Define

$$\varphi : \langle P \rangle \to \mathbb{F}_q^+, \qquad Q \mapsto \frac{f_Q'}{f_Q}(R).$$

Then the value $\varphi(Q)$ is well defined, and $\varphi$ is an isomorphic embedding of $\langle P \rangle$ into the additive group of $\mathbb{F}_q$.

Proof. Let $D_Q'$ be another divisor representing $Q$. There is a function $g$ such that $\mathrm{div}(g) = D_Q - D_Q'$. If $\mathrm{div}(f) = pD_Q'$, then $cg^pf = f_Q$ for some constant $c$. Since $p = 0$ in $\mathbb{F}_q$, we have

$$\frac{f_Q'}{f_Q} = \frac{(cg^pf)'}{cg^pf} = \frac{pg^{p-1}g'f + g^pf'}{g^pf} = \frac{f'}{f},$$

so $\varphi(Q)$ is well defined.

Now we show that $\varphi$ is a homomorphism. Let $Q_1, Q_2 \in \langle P \rangle$ and $\mathrm{div}(f_{Q_i}) = pD_{Q_i}$ for $i = 1, 2$. Notice that $D_{Q_1} + D_{Q_2}$ is a divisor whose sum is $Q_1 + Q_2$, so we can take $D_{Q_1+Q_2} = D_{Q_1} + D_{Q_2}$. This implies

$$\mathrm{div}(f_{Q_1+Q_2}) = pD_{Q_1+Q_2} = pD_{Q_1} + pD_{Q_2} = \mathrm{div}(f_{Q_1}f_{Q_2}),$$

so the functions $f_{Q_1+Q_2}$ and $f_{Q_1}f_{Q_2}$ are equal up to a multiplicative constant. Consequently,

$$\frac{f_{Q_1+Q_2}'}{f_{Q_1+Q_2}} = \frac{(f_{Q_1}f_{Q_2})'}{f_{Q_1}f_{Q_2}} = \frac{f_{Q_1}'f_{Q_2} + f_{Q_1}f_{Q_2}'}{f_{Q_1}f_{Q_2}} = \frac{f_{Q_1}'}{f_{Q_1}} + \frac{f_{Q_2}'}{f_{Q_2}},$$

which shows that $\varphi$ is a homomorphism. Finally, $\varphi$ is injective, which follows from the assumption that $R$ is not in the support of $D_Q$ for any $Q \in \langle P \rangle$.

In order to find $k$ such that $Q = kP$, we compute $\varphi(Q)$ and $\varphi(P)$. The discrete logarithm is then $k = \varphi(Q)\varphi(P)^{-1}$ in $\mathbb{F}_q$.


3.2 MOV Attack

The MOV attack, named after Menezes, Okamoto and Vanstone, solves the ECDLP by using the Weil pairing $e_n$ to construct an isomorphism from $\langle P \rangle$ to $\mu_n$, the group of $n$-th roots of unity. Recall that there exist subexponential-time algorithms for the DLP in the multiplicative group of a finite field. If we can find some $l$ such that $\mu_n$ is contained in $\mathbb{F}_{q^l}^*$, then solving the ECDLP reduces to solving a DLP in $\mathbb{F}_{q^l}^*$. In order to proceed we introduce some important theorems; a complete discussion can be found in [20]. The following theorem, which can be found in ([28], 4.2), determines whether or not an elliptic curve of a given order exists.

Theorem 3.10. Let $q = p^m$. There exists an elliptic curve over $\mathbb{F}_q$ of order $N = q + 1 - a$ if and only if one of the following conditions holds:

• $a \not\equiv 0 \pmod p$ and $a^2 \le 4q$.

• $m$ is odd and one of the following holds:

1. $a = 0$;

2. $a^2 = 2q$ and $p = 2$;

3. $a^2 = 3q$ and $p = 3$.

• $m$ is even and one of the following holds:

1. $a^2 = 4q$;

2. $a^2 = q$ and $p \not\equiv 1 \pmod 3$;

3. $a = 0$ and $p \not\equiv 1 \pmod 4$.

An elliptic curve $E(\mathbb{F}_q)$ is supersingular if $p$ divides $a$. From the preceding result, we deduce that $E(\mathbb{F}_q)$ is supersingular if and only if $a^2 \in \{0, q, 2q, 3q, 4q\}$. Our goal is to show that this attack works when the elliptic curve is supersingular or the trace is $a = 2$. We will use the Weil pairing to derive the isomorphism between $\langle P \rangle$ and $\mu_n$. The following theorem describes the existence of the Weil pairing and some related properties.

Theorem 3.11. Suppose $p$ is a prime, the characteristic of the field. If $n$ is relatively prime to $p$, then there is a map

$$e_n : E[n] \times E[n] \to \mu_n,$$

called the Weil pairing, which satisfies the following properties:

1. Identity: for all $P \in E[n]$, $e_n(P, P) = 1$.

2. Alternation: for all $P_1, P_2 \in E[n]$, $e_n(P_1, P_2) = e_n(P_2, P_1)^{-1}$.

3. Bilinearity: for all $P_1, P_2, P_3 \in E[n]$,

$$e_n(P_1 + P_2, P_3) = e_n(P_1, P_3)\,e_n(P_2, P_3), \qquad e_n(P_1, P_2 + P_3) = e_n(P_1, P_2)\,e_n(P_1, P_3).$$

4. Non-degeneracy: if $P_1 \in E[n]$ and $e_n(P_1, P_2) = 1$ for all $P_2 \in E[n]$, then $P_1 = \infty$; if $P_2 \in E[n]$ and $e_n(P_1, P_2) = 1$ for all $P_1 \in E[n]$, then $P_2 = \infty$.

5. If $E[n] \subseteq E(\mathbb{F}_{q^l})$, then $\mu_n \subseteq \mathbb{F}_{q^l}$.

Proof. ([32], III.8)

The MOV attack can only be applied under some constraints. The following proposition provides necessary and sufficient conditions.

Proposition 3.12. Let $E$ be an elliptic curve over $\mathbb{F}_q$. Let $n$ be a prime such that $n \mid N$, $E[n] \not\subseteq E(\mathbb{F}_q)$, and $n \nmid q(q - 1)$. Then

$$E[n] \subseteq E(\mathbb{F}_{q^l}) \iff q^l \equiv 1 \pmod n.$$

Proof. [37], p. 155.

The set $E[n]$ is partitioned into cosets of $\langle P \rangle$ by the following lemma.

Lemma 3.13. Let $E(\mathbb{F}_q)$ be an elliptic curve such that $E[n] \subseteq E(\mathbb{F}_q)$, where $n$ is relatively prime to $p$. Let $P \in E[n]$ be a point of order $n$. Then for all $P_1, P_2 \in E[n]$, $P_1$ and $P_2$ are in the same coset of $\langle P \rangle$ within $E[n]$ if and only if $e_n(P, P_1) = e_n(P, P_2)$.

We are ready to introduce the algorithm of the MOV attack. The following is from [20].

1. Choose the smallest integer $l$ such that $E[n] \subseteq E(\mathbb{F}_{q^l})$.

2. Find $R \in E[n]$ such that $\alpha = e_n(P, R)$ has order $n$.

3. Compute $\beta = e_n(Q, R)$.

4. Compute $k$, the discrete logarithm of $\beta$ to the base $\alpha$ in $\mathbb{F}_{q^l}^*$, that is, $k = \log_\alpha \beta$.

It is not difficult to show that $E[n] \cong \mathbb{Z}_n \oplus \mathbb{Z}_n$ when $\gcd(n, p) = 1$. This implies $E[n]$ is finite. The existence of $l$ follows from the fact that all points in $E[n]$ have coordinates in $\overline{\mathbb{F}}_q = \bigcup_{i \ge 1} \mathbb{F}_{p^i}$. Suppose $n \nmid q - 1$. We can use Proposition 3.12 to determine the integer $l$ such that $n \mid q^l - 1$ in Step 1.

In Step 2, we need to check the existence of the point $R$.

Theorem 3.14. For each $P \in E[n]$ of order $n$, there exists $R \in E[n]$ such that $e_n(P, R)$ is a primitive $n$-th root of unity.

The choice of $R$ is modified as follows. Choose a random point $R_1 \in E(\mathbb{F}_{q^l})$ and compute the order $M$ of $R_1$. Let $d = \gcd(M, n)$ and let $R = (M/d) R_1$. Then $R$ has order $d$, which divides $n$, so $R \in E[n]$. This will give $k \pmod d$. We repeat this process until the least common multiple of the various $d$'s is $n$; then we can use the Chinese Remainder Theorem to compute $k \pmod n$.

The above modification works well since $d \neq 1$ occurs very often. By the fundamental theorem of finite abelian groups, we know that $E(\mathbb{F}_{q^l}) \cong \mathbb{Z}_{n_1} \oplus \mathbb{Z}_{n_2}$ for some integers $n_1, n_2$ with $n_1 \mid n_2$. Since $n_2$ is the largest possible order of an element in $E(\mathbb{F}_{q^l})$, we get $n \mid n_2$. Let $\{T_1, T_2\}$ be a basis of $E(\mathbb{F}_{q^l})$ where the order of $T_1$ is $n_1$ and the order of $T_2$ is $n_2$. We have $R_1 = a_1 T_1 + a_2 T_2$. Suppose $s^e$ is the power of a prime $s$ dividing $n$; then $s^f$ divides $n_2$ for some integer $f \ge e$. If $s \nmid a_2$, then $s^f$ divides $M$. We can show this by dividing $M$ by $s^f$: write $M = s^f q_1 + r$ for some quotient $q_1$ and $0 \le r < s^f$. Thus,

$$M R_1 = \infty \;\Rightarrow\; M(a_1 T_1 + a_2 T_2) = \infty \;\Rightarrow\; M a_2 T_2 = \infty \;\Rightarrow\; (s^f q_1 + r)\, a_2 T_2 = \infty \;\Rightarrow\; s^f \mid n_2 \mid (s^f q_1 + r)\, a_2.$$

Since $s \nmid a_2$, we have $r = 0$ and $s^f \mid M$. As a result, $s^e$ divides $\gcd(M, n)$. Since the probability that $s \nmid a_2$ is $1 - 1/s$, the probability that the full power $s^e$ appears in $d$, and hence that $d \neq 1$, is correspondingly high.

The isomorphism between $\langle P \rangle$ and $\mu_n$ in Step 4 comes from the following theorem.

Theorem 3.15. Suppose $f : \langle P \rangle \to \mu_n$ is defined by $f(Q) = e_n(Q, R)$ for the point $R \in E[n]$ chosen in Step 2. Then $f$ is a group isomorphism.

Proof. That $f$ is a homomorphism follows from the bilinearity of the Weil pairing. The existence of $R \in E[n]$ such that $e_n(Q, R)$ is a primitive $n$-th root of unity implies that $f$ is surjective. Since $\langle P \rangle$ and $\mu_n$ are both of order $n$, $f$ is injective. Therefore $f$ is an isomorphism.

Notice that the computation of the Weil pairing can be done by a probabilistic polynomial-time algorithm proposed by Miller [23]. The MOV attack can then be carried out in probabilistic subexponential time. We will introduce the computation of the pairings in the appendix.
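As an added illustration, not code from the thesis, the following Python routine performs the parameter checks that Theorem 3.10 and Proposition 3.12 suggest for screening a curve before use: it computes the trace, flags supersingular and anomalous group orders, and finds the embedding degree $l$ of Step 1 without evaluating any pairing. The bound of 20 on $l$, the function names and the sample parameters are assumptions made here.

```python
# Added example, not code from the thesis: defender-side screening of a curve
# using only the field size q = p^m, the group order N and the prime order n of
# the subgroup in use.  No pairing is evaluated; the embedding degree l of
# Proposition 3.12 already says how large the field F_{q^l} of the reduced DLP is.

def trace(q, N):
    """Frobenius trace a, with N = q + 1 - a as in Theorem 3.10."""
    return q + 1 - N

def is_supersingular(p, q, N):
    """Remark after Theorem 3.10: E(F_q) is supersingular iff p divides a."""
    return trace(q, N) % p == 0

def embedding_degree(q, n, bound):
    """Smallest l <= bound with q^l = 1 (mod n), i.e. mu_n lies in F_{q^l}
    (Step 1 of the MOV attack via Proposition 3.12).  None if no l <= bound works."""
    x = 1
    for l in range(1, bound + 1):
        x = x * q % n
        if x == 1:
            return l
    return None

def curve_report(p, m, N, n, bound=20):
    """Weak-curve flags from Chapter 3.  The bound 20 on the embedding degree is
    the usual 'MOV condition' of the ECC standards (an assumption here, not a
    value from the thesis); for toy-sized q it is of course far too generous."""
    q = p ** m
    l = embedding_degree(q, n, bound)
    return {
        "trace": trace(q, N),
        "anomalous": N == q,                        # Section 3.1: trace 1
        "supersingular": is_supersingular(p, q, N),
        "embedding_degree": l,                      # None means l > bound
        "pairing_weak": l is not None,              # ECDLP in <P> -> DLP in F_{q^l}^*
    }

if __name__ == "__main__":
    # Constructed inputs.  y^2 = x^3 + x over F_1019 (1019 = 3 mod 4) is
    # supersingular with N = 1020 = 2^2 * 3 * 5 * 17; its 17-torsion embeds in F_{q^2}.
    print(curve_report(1019, 1, 1020, 17))
    # By Theorem 3.10 a curve of trace 2 exists over F_1019, so N = 1018 = 2 * 509;
    # then n | q - 1 for n = 509 and the reduction lands in F_q itself (l = 1).
    print(curve_report(1019, 1, 1018, 509))
    # Ordinary sample parameters q = 17, N = 19: the order-19 subgroup has l = 9.
    print(curve_report(17, 1, 19, 19))
```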

3.3 Tate Pairing Attack

Frey and Rück [4] showed that in some situations the Tate pairing can be used to solve the ECDLP. This method is similar to the MOV attack, which uses some kind of pairing to reduce the ECDLP to the DLP on $\mathbb{F}_{q^l}^*$. The Tate pairing attack is generally faster than the MOV attack. The following theorem describes the existence of the Tate-Lichtenbaum pairing. We can use it to construct an isomorphism from $\langle P \rangle$ to $\mu_n$.

Theorem 3.16. Let $E$ be an elliptic curve over $\mathbb{F}_q$. Suppose $n$ is an integer such that $n \mid q - 1$. Let $E(\mathbb{F}_q)[n]$ denote the elements of $E(\mathbb{F}_q)$ of order dividing $n$, and let $\mu_n = \{x \in \mathbb{F}_q \mid x^n = 1\}$. Assume $E(\mathbb{F}_q)$ contains an element of order $n$. Then there exist non-degenerate bilinear maps

$$\langle \cdot, \cdot \rangle_n : E(\mathbb{F}_q)[n] \times E(\mathbb{F}_q)/nE(\mathbb{F}_q) \to \mathbb{F}_q^*/(\mathbb{F}_q^*)^n$$

and

$$\tau_n : E(\mathbb{F}_q)[n] \times E(\mathbb{F}_q)/nE(\mathbb{F}_q) \to \mu_n.$$

Proof. The construction of the first pairing can be found in [37], 11.3. Since $\mathbb{F}_q^*$ is cyclic of order $q - 1$, the $(q-1)/n$-th power map gives an isomorphism from $\mathbb{F}_q^*/(\mathbb{F}_q^*)^n$ to $\mu_n$. Therefore, the second pairing is defined by

$$\tau_n(S, T) = \langle S, T \rangle_n^{(q-1)/n}.$$
