The Discrete Logarithm Problem on the p-torsion Subgroup of Elliptic Curves

Transcription

1 The Discrete Logarithm Problem on the p-torsion Subgroup of Elliptic Curves Juliana V. Belding May 4, 2007 The discrete logarithm problem on elliptic curves Consider a finite group G of prime order N. The discrete logarithm problem, or DLP, is: Given P, Q G, with P = n Q, find n. An ongoing challenge in cryptography is to find groups in which the DLP is computationally infeasible, that is, for which the best known attack is exponential in log(n). Such a group can be used as the setting for many cryptographic protocols, from Diffie-Hellman key exchange to El Gamal encryption ([4], 59). The most prominent example, first proposed in 985, is a subgroup of points of an elliptic curve E over a finite field F q of prime order N. For N 0 80, with current computing power, it is infeasible to solve the elliptic curve DLP, or ECDLP; in other words, it is not possible to determine n. However, in the early 990 s, supersingular elliptic curves, those curves over fields of positive characteristic which have no p-torsion, were discovered to be susceptible to the MOV attack, which used the Weil pairing to reduce the ECDLP to the DLP in F q, the multiplicative group of the finite field, where subexponential attacks such as the index calculus are possible ([4], 44).Thus, for cryptographic purposes, it is necessary to restrict to ordinary elliptic curves, where E[p]( K) Z/pZ. However, certain subgroups of ordinary elliptic curves, those N = p, are even more insecure than supersingular curves. The ECDLP in the p-torsion subgroup of E(F q ) can be reduced to the DLP in F + q, which is easily solved by the Euclidean algorithm. For q = p, these curves are known as trace one or anomalous curves. The purpose of this paper is to describe the distinct approaches to solving the DLP in the p-torsion subgroup of elliptic curves, as well the related theoretical framework. Throughout, we let E denote an ordinary elliptic curve E over F q with characteristic p 2, 3 and we assume E[p] Z/pZ E(F q ). The motivating problem is to explicitly determine a logarithm for the group of points E[p], that is, a homomorphism E[p] F + p. In Section 2, we describe an algorithm due to Semaev [8], based on the divisor group of the elliptic curve. In Section 3, we describe a theoretical approach based on descent by p-isogeny. We also discuss its relation to the classical Weierstrass elliptic functions and the Semaev algorithm. In Section 4, we describe another algorithm due to Smart [0], based on the p-adic elliptic logarithm. 2 An approach using the divisor class group of E In 998, Semaev proposed a method to solve the ECDLP in the p-torsion subgroup using the natural identification of points of E[p] with elements of the divisor class group of E over F q. This was generalized to the DLP in Jacobians of higher genus curves by Rück (see [6]).

2 Let K = F q. The divisor group of E, denoted Div(E), is the free abelian group on the points of E. That is, every element of Div(E) is a formal linear combination over Z of points of E, called a divisor. Given a function f : E K, we associate to it the divisor ord P (f)(p ) P E( K) where ord P (f) is the order of the zero or pole of f at P. (Note that since a rational function has finitely many zeros and poles ([9], 22), ord P (f) = 0 for all but finitely many points.) The degree of a divisor is the sum of the coefficients. In particular, we consider the subgroup of divisors of degree 0, denoted DivK 0. Since the number of poles equals the number of zeros of a function on E ([9], 32), the set of functions of E can naturally be viewed as a subgroup of DivK 0. Consider the map sum : DivK 0 (E) E(K) i n i(p i ) i n ip i The kernel of this map is precisely the subgroup of divisors corresponding to rational functions f : E K ([9], 44). (This is the analogue of the Abel-Jacobi Theorem for functions defined on C/Λ which says those linear combinations of points which sum to a point on the lattice and whose coefficients sum to zero correspond exactly with doubly periodic functions f : C C. See [9], p. 53) Thus we have the exact sequence: K (E)/K DivK(E) 0 sum E(K) 0. The surjectivity follows from the fact that for any point Q, the degree 0 divisor (Q) (P ) sums to Q. The injectivity requires a more technical proof ([9], 44). For Q E[p], let D Q be any divisor such that sum(d Q ) = Q, for example D Q = (Q) (P ). Since sum(pd Q ) = 0, by the above exact sequence, there is a function f Q K (E), unique up to c K, such that div (f Q ) = pd Q. We use this to define a logarithm map as follows: Definition 2. Fix a point R E[p] with R P. where f Q (R) = df Q/dx. l : E[p] F + q Q f Q f Q (R) P 0 Remark: To compute the derivative of a rational function of E at a point R, we expand the function in a power series around a uniformizer for R, formally differentiate and evaluate at R. As R / E[2], t R = x x R is a uniformizer for R. Since d(x x R ) = dx, it is unambiguous to write f Q (R). The following proposition shows that this map is indeed a homomorphism. Proposition 2.2 The map l : E[p] F + q is a well-defined, injective homomorphism. Proof: We follow the proof in [8]. First we show that the value f f (R) is defined and non-zero for any Q E[p] with Q P. Let f be any rational function with div (f Q ) = pd Q. Let P be any point, with t its uniformizer. Write f = t pl (c 0 + c t + c 2 t ) with c 0 0. (Note that l > 0 if f has a zero at P, l < 0 if f has a pole, and l = 0 if f has neither). 2

3 = (c +c 2 t+...)dt Then since the characteristic is p, df = t pl (c + c 2 t +...)dt and so df f c 0 +c t+.... Hence df f (P ) = ( c c 0 )dt, and so df f is well-defined everywhere. Since, by the Riemann Roch theorem, differentials of rational functions on elliptic curves have the same number of zeros as poles, df f can have no zeros. The function x on E has a double zero at each point of order 2 and a double pole at P. Therefore dx has zeros at each point of order 2 and a triple pole at P. Thus f f (P ) where f = df dx is well-defined and non-zero at any point not of order 2 or P. Furthermore, the map is independent of the choice of D Q. (This is more than a theoretical nicety, since the actual computation of l uses a more complicated divisor of Q [8]) Any two divisors which sum to Q must differ by the divisor of a rational function. Consider D Q and D Q +div(g) for some g K(E). Choose rational functions f Q and h Q corresponding to the divisors pd Q and p(d Q + div(g)). Then Since h Q f Q = cg p for some c K, f Q f Q div (h Q ) = p div (g) + div (f Q ) = div (g p f Q ). = h Q h Q and the map is independent of choice of divisor for Q. Finally, we show the map is a homomorphism. For Q, Q 2 E[p] with div (f Qi ) = pd Qi, the divisor D S = D Q + D Q2 sums to the point S = Q + Q 2. Choosing f S such that div (f S ) = pd S, we see that f S = cf Q f Q2 for some c K. Thus, f S f S = f Q f Q + f Q 2 f Q2. Since l is a homomorphism and f f (R) 0 for R E[p] with R P, l is injective. This completes the proof. In more theoretical terms, this logarithm map follows from a connection between the divisor class group of E, P ic 0 K (E), and the space of holomorphic differentials on E ([6]). For any curve, Ω K (E) is a one dimensional K(C)-vector space. For any point P C with uniformizer t, dt is a basis for the space ([9], 35). Let L div (dt) denote the K-vector space of functions g such that div (g) + div (dt) 0. Note g L div (dt) if and only if g dt is holomorphic. Furthermore, since dt is a basis of Ω(E), every holomorphic differential can be expressed uniquely as g dt for some g. Thus Ω K (E) L div (dt) ω ω/dt is an isomorphism. Let Q E[p], with Q P. Let f Q be as defined above. As shown in the proof of Proposition 2.2, the differential df Q f Q has no poles. Hence for g = df Q dtf Q, g L div (dt). Furthermore, df Q f Q has no zeros. Thus, if t is a uniformizer for the point at infinity, g = df Q dtf Q is defined and non-zero at P. The map is then E[p] P ic 0 K (E)[p] Ω K(E) L div (dt) K Q D Q df Q f Q df Q dtf Q df Q dtf Q (P ) (Note that for Q = P, the associated divisor is the empty sum, hence f Q = 0, and df Q dtf Q (P ) = 0.) This gives a slightly different value than l, namely df Q dtf Q (P ) = 2y R l(r) (see []). Finally, we show how the map l (or Rück s variant) may be used to solve the ECDLP in E[p]. Given Q = n P, apply the map l to P and Q to get l(q) = nl(p ), which is an instance of the DLP in F + q. Since l is non-zero on non-infinity points, we can compute the inverse of l(p ) F + Q and solve for n. This 3

4 is polynomial time, using Euclid s algorithm. The computation of f Q f Q (R) takes O(ln(p)) operations, using a variant of Miller s algorithm ([8], [5]). Remark: Miller s algorithm was developed to compute the Weil-pairing on n-torsion where (n, p) =. The Weil pairing is a bilinear map E[n] E[n] µ n, the n th roots of unity. The key of the MOV attack is to work in F q r where all n-torsion exists, and transfer the ECDLP to the DLP in F qr. However, the Weil pairing is trivial on p-torsion, since the group of p th roots of unity in any field of characteristic p is trivial. However, using a lift of E to the dual numbers of F p, denoted F p [ɛ], we can define a Weil pairing on the p-torsion of E(F p [ɛ]) based on Miller s algorithm. The resulting pairing is directly related to the map l, and thus Semaev s attack on the ECDLP may be viewed as a Weil-pairing-based analogous to MOV. See [] for more details. 3 An approach using the technique of p-descent In this section, we present another approach to solve the DLP on elliptic curves, using the technique of descent. Classically, in the theory of elliptic curves, the technique of descent is used to compute the weak Mordell-Weil group E(K)/[m]E(K) where K is a number field. In [2], Voloch shows how the technique of p-descent may be used to identify E(K)/[p]E(K) explicitly with F + p, thus giving a logarithm map for E[p]. In fact, this homomorphism is related to l : E[p] F + p as defined in the previous section, via an analogue of the classical elliptic Weierstrass ζ-function in characteristic p. In particular, the two homomorphisms agree when E is anomalous. Let E be an ordinary elliptic curve over K = F q given by y 2 = x 3 + Ax + B with p 2, 3. Then E[p](K) F + p. Furthermore, assume E(K) = pn where (n, p) =. Thus, E[p] E(K). We first outline the theoretical descent procedure on E for the isogeny V, the dual of the Frobenius, which gives a homomorphism E(K)/[p]E(K) α F + p. Then, using Artin-Schrier theory and a result of Deuring, we give an explicit polynomial expression for the map α. We then define the classical ζ-function, define its analogue in characteristic p, and finally establish the connection of α to l. 3. p-descent on E(K) The Frobenius map (x, y) (x p, y p ) is an injective homomorphism from E to E (p), the elliptic curve given by y 2 = x 3 + A p x + B p. The dual isogeny of F V : E (p) E is the unique rational map, defined over K, such that F V = V F = [p], the multiplication-by-p endomorphism of E. The map [p] has degree p 2, thus since F is of degree p, V is also of degree p. The injectivity of the Frobenius map implies that the ker V E[p]. Furthermore, as we are assuming E[p](K) E(K), ker V (K) E(K). Using descent, we establish an isomorphism E[p] F + p. Consider the exact sequence 0 ker V (K) E (p) (K) V E(K) 0. () 4

5 and let G = Gal(K, K). Taking the Galois cohomology of (), we get the long exact sequence 0 ker V (K) E (p) (K) V E(K) H (G, ker V (K)) H (G, E (p) (K))... Since ker V (K) E(K), H (G, ker V ) = Hom(G, ker V ), and we have E(K)/V (E (p) (K)) Hom(G, ker V ) P [σ Q σ Q] (2) where Q is any point such that V (Q) = P. Since V (E (p) (K)) = V F (E(K)) = [p]e(k), the domain of this map can be canonically identified with E[p], the p-torsion of E(K). As ker V F + p, Hom(G, ker V ) Hom(G, F + p ). (3) Let ϕ : K + K + be the homomorphism z z p. Taking the Galois cohomology of 0 F + p K + ϕ K + 0 and using the fact that H (G, K + ) = 0 (by the additive version of Hilbert s Theorem 90 ([3], 292)), we have Hom(G, F + p ) K + /ϕ(k + ). (4) Again by Hilbert s Theorem 90, the trace map T r K/Fp gives an isomorphism Composing the maps (2) - (5) gives us an injective homomorphism K + /ϕ(k + ) F + p. (5) α : E(K)/V (E (p) (K)) F + p. (6) The remarkable fact is that this map α can be given explicitly in terms of a particular polynomial directly related to the Weierstrass equation of E. 3.2 An Explicit Description of α The surjective map E (p) V E induces a map on function fields: K(E) V K(E (p) ). As V is separable and ker V E (p) (K), this gives a degree p Galois extension ([9], 76): K(E (p) )/V (K(E)) (7) where the automorphisms fixing the base field are given by composition with translation by P ker V. This gives a natural identification ker V Gal(K(E (p) ), V (K(E))) P τp = translation by P We now introduce a model of this Galois extension, which allows us to make explicit the isomorphism ker V F + p, and from that, the isomorphism α. By Artin-Schreier theory, in characteristic p, a field extension L /L of degree p is of the form L = L(ζ) where ζ is a root of z p z = g for some g L/ϕ(L). In the case of the extension (7), a result of Deuring gives g V (K(E)) explicitly. 5

6 Let K(x, y) and K(x, y ) denote the function fields K(E) and K(E (p) respectively. Let M(x), U(x) K(x, y) be defined by y p = (x 3 + Ax + B) (p )/2 = x p M(x) + Hx p + U(x). (8) Here H is the Hasse invariant of E, which is non-zero for E ordinary [9]. (Note that (x 3 + Ax + B) (p )/2, evaluated at an x F p, is the value of the Legendre symbol. That is, it is ± depending on whether or not there exists a point with that x-coordinate on the curve over F p.) The following proposition gives an explicit model for the Galois extension (7). Proposition 3. Let ζ be a solution of Z p HZ = ym(x). Then the function field extension K(E)(ζ)/K(E) is a degree p, separable unramified extension corresponding to the rational map of curves φ : C E. Furthermore, C is an elliptic curve, isomorphic to E (p), and ζ K(x, y ). Proof: Given the extension K(E)(ζ)/K(E), there exists a rational map over K, φ : C E where C is a smooth curve and K(E)(ζ) = K(C). This is due to an equivalence of categories ([9], 26). (Note that technically, φ corresponds to the extension φ (K(E))(ζ)/φ (K(E)).) Since H 0, the polynomial f(z) = Z p HZ ym(x) K(E)[Z] has non-zero constant derivative, thus is separable. By Artin-Schreier theory, f(z) is irreducible over K(x, y) or it factors completely ([3], 292). Thus, it suffices to show f(z) can have no root in K(x, y). Note that ym(x) is a polynomial and thus only has a pole P. Since M(x) is of degree p 3 2, this pole at P is of order p. Therefore, since f(z) = Z p HZ ym(x), any solution must have a simple pole at P and no other poles. However, a solution in K(x, y) is a function on an elliptic curve, and thus must have at least two poles. (In the situation of E over C, this follows from the fact that the sum of the residues is 0. ([9], 5))Therefore, f(z) is irreducible over K(x, y), and hence the function field extension K(E)(ζ)/K(E) is degree p and separable. The curve C is not a priori an elliptic curve, so we must verify directly that the isogeny φ is unramified. Let P C, with φ(p ) = Q E(K) and Q P. We want to show that the ramification index of P is. Since locally E and C may be considered as affine varieties, the local rings are simply the coordinate rings localized at the ideal generated by a uniformizer of the point. Let S = K[C] P and R = K[E] Q, and let m Q, m P denote their maximal ideals. Since E, C are curves, S and R are Dedekind domains. Since ym(x) is a polynomial, f(z) = Z p HZ ym(x) is in R[Z], and so R[ζ] S. By definition, P C is unramified if the prime ideal m Q is unramified in the ring S. In an extension of Dedekind domains, a prime ideal ramifies if and only if it divides the discriminant of the extension. Since the discriminant of R[ζ] divides that of S, it suffices to show that the discriminant of R[ζ] is not divisible by m Q. The discriminant of R[ζ is the norm of the different, which equals f (ζ) = H. Since H R, N S/R (H) = H p. Hence, a point P ramifies if and only if the ideal m Q divides the constant H p, which is clearly not possible. It remains to check the point at infinity P C. Note that K(E)(ζ y/x) = K(E)(ζ). Thus we work with ζ y/x which has minimal polynomial g(z) = (Z) p H(Z) U(x)(y/x p ). This follows from multiplying both sides of (8) by y/x p. Since deg U(x) p 2, U(x)(y/z p ) is regular at P, hence g(z) is in the local ring at P. Since the norm of the different g (ζ y/x) is H p 0, the point P doesn t ramify. Therefore the isogeny is unramified. By Hurwitz s genus theorem ([9], 4), since φ is a separable, unramified map of smooth curves in characteristic p, C must be an elliptic curve. Since φ is a degree p separable isogeny of elliptic curves, its dual isogeny is a degree p inseparable map, which must be the Frobenius up to isomorphism. Therefore C E (p). It can be shown that this isomorphism is defined over K [3]. Thus ζ K(C) can be expressed as a function over K in the coordinates x, y of E (p). 6

7 Now we have an explicit model for (7), namely K(x, y ) = K(x, y)(ζ), for ζ K(x, y ) with ζ p Hζ = ym(x) V. Note that to view functions of E as functions of E (p), we must first apply V. Corollary 3.2 For any P ker V, (ζ y/x V )(P ) is a (p ) st root of H, and if E[p] E(K), this root exists in K. Furthermore, given a fixed choice of generator P 0, there is an isomorphism where c K is a fixed (p ) st root of H. Gal(K(E (p) )/V (K(E))) F + p τjp 0 = [σ : ζ ζ + jc] jc Proof: Recall from the proof of the previous proposition, we have that ζ satisfies (Z y/x) p H(Z y/x) = U(x)(y/x p ). Since U has degree p 2, U(x)(y/x p ) has a zero at P. Thus U(x)(y/x p ) V vanishes on all points of ker V. So (ζ y/x V )(P ) is a solution of w p = Hw, for each P ker V. That is, (ζ y/x V )(P ) is a (p ) st root of H. Furthermore, if E[p] E(K), then ker V E (p) (K), and thus since ζ and V are defined over K, (ζ y/x V )(P ) K. Since C E (p), Gal(K(E (p) )/V (K(E))) = Gal(K(C)/φ (K(E)). Thus, the automorphism τ P 0 corresponds to ζ ζ + c, for some c K such that c p = H. This proves the claim. From the corollary, we get an explicit map η, defined over K: η : ker V F + p jp 0 jc (9) Note that, for Q E (p) and P ker V, ζ(q + P ) = ζ τ P (Q) = ζ(q) + η(p ). Thus ζ is quasi-periodic with respect to the kernel of V. Proposition 3.3 Let α : E(K)/V (E (p) (K)) F + p be the map (6) from Section 3.. Then α(p ) = T r K/Fp ym(x)(p ). cp Proof: Let P E(K)/V (E (p) (K)) and let Q E (p) (K) be such that V (Q) = P. Recall from Section 3. that α is the composition of the trace map with the maps (2) - (5). Let σ G = Gal(K, K). By the quasi-periodicity of ζ on ker V and the fact that ζ K(x, y ), Using this, (3) - (5) becomes c η(qσ Q) = c (ζ(qσ ) ζ(q)) = c ζ(q)σ c ζ(q). Hom(G, Ker (V )) Hom(G, F + p ) K + /ϕ(k + ) [σ Q σ Q] [σ c η(qσ Q)] = [σ c ζ(q)σ c ζ(q)] ( c ζ(q))p c ζ(q) Now using the definition of ζ, we have ( c ζ(q))p c ζ(q) = ( c (ζ(q)) p c p ζ(q) ) p ( = c (ζ(q)) p Hζ(Q) ) p = = c ym(x)(v (P )) p c ym(x)(p ). p Thus α(p ) = T r K/Fp ( ( c ζ(q))p c ζ(q)) = T r K/Fp c p ym(x)(p ), as claimed. 7

8 3.3 An Analogy to the Weierstrass ζ-function Using the technique of descent, and an explicit model for the function field extension, we have obtained another log function, α : E[p] F + p, based on the functions ζ and η. To understand how η : ker V F + P relates to Semaev s log map l : E[p] F + p, we turn to the case of elliptic curves over C. Recall that an elliptic curve over C is determined by a lattice Λ and a choice of the origin P. The correspondence C/Λ E/C is given by the Weierstrass -function, a doubly periodic function (z), whose periods correspond to the generators of the lattice: (z) = z ω Λ (z ω) 2 ω 2. Let ζ be a function such that dζ/dz =, call it the Weierstrass ζ function. More specifically, let ζ(z) = z z 0 (t)dt. Note that ζ is well-defined (path-independent), since has residue zero at its poles. Furthermore, since has double poles at every point of Λ with residue, ζ has simple poles on Λ with residue. Finally note, is even, so ζ is odd. Let ω be a lattice point and define η(ω) := z 0 +ω (t)dt. Then ζ(z) = z z 0 (t)dt = z+ω z 0 +ω (t)dt = z 0 z+ω z 0 (t)dt z0 +ω z 0 (t)dt = ζ(z + ω) + η(ω) Note that η, the quasi-period of the ζ function, defines a linear map η(λ) C, since is periodic on the lattice. For E over C, E[p] Z/p Z/p, which forms a lattice pλ which is similar to and contains the lattice Λ. The quasi-period η then gives a homomorphism on the p-torsion of E(C) as follows: E[p] p Λ p Λ η C + z pz η(pz) In characteristic p, there is not a lattice corresponding to E. However, we can think of ker V as a rough analogue, being the image of E[p] under the Frobenius F. Recall that η : ker V F + p given in (9) is the quasi-period of a function ζ. Proposition 3.4 Let ζ be as in Proposition 3.. Then ζ K(E (p) ) is the unique odd function with simple poles exactly at ker V with residue one. Proof: ym(x) is regular except at P, thus since ζ p ζ = ym(x) V, the only poles of ζ must lie above P, that is, they must be in ker V. As shown in the proof of Corollary 3.2, U(x)(y/x p ) V (P ) is either 0 or a (p ) st root of H. Thus, we can translate ζ so that (ζ y/x V )(P ) = 0 and the (p ) st roots of H are precisely the values of ζ y/x at the nontrivial kernel points. Thus (ζ y/x V )(P ) = η(p ) on ker V, where η is given in (9). Furthermore, since y/x has a simple pole at each point in ker V of residue and (ζ y/x V )(P ) is defined, ζ must have simple poles of residue at ker V. Lastly, since ζ p ζ = ym(x) V, which is an odd function, ζ is odd. By the theory of rational functions on curves, this uniquely characterizes ζ. Thus ζ can be characterized as the unique odd function with simple poles of residue one at points of ker V, just as, in the complex situation, ζ is characterized as the unique odd function with simple poles of residue one on the lattice Λ. This is the analogy that Voloch makes in []. 8

9 3.4 The descent attack and Semaev s l map In this section, we relate the functions α and η to the homomorphism l from Section 2. The Weierstrass σ-function is defined as the function σ such that σ σ = ζ. Note that σ has simple zeros at each lattice point. Its use in classical elliptic function theory is to construct functions with a specified set of zeros and poles ([9], 56). Using an analogue to σ in characteristic p, we show that the map l defined by Semaev is in fact η, the quasi-period of ζ. Let ω = dx y, the invariant differential of K(E(p) ). Consider a function σ K(E (p) ) with div (σ) = P i ker V (P i ) p(p ). Note that dσ ωσ has a simple pole at P. Normalizing σ so that each pole of ker V has residue, we see that σ may be considered the analogue to the classical Weierstrass σ-function. (This is actually a simplification of the analogue of the σ function as defined by Mazur and Tate. See [].) The following proposition, in the case of E defined over F p, will imply that l and η are in fact the same function. Proposition 3.5 Let f = Proof: First note that div (f) = div (σ) τ P div (σ) = σ σ τ P, where P ker V. Then df ωf P i ker V = η(p ). (P i ) p(p ) P i ker V (P i + P ) + p(p + P ). Since P ker V, P i (P i + P ) is just a permutation of P i (P i ) and hence div (f) = p(p ) p(p ). Now using the definition of f, we have This completes the proof. df ωf = dσ ωσ d(σ τ P ) ω σ τ P = dσ ωσ d(σ τ P ) ω τ P = dσ ωσ dσ ω τ P = ζ ζ τ P = η( P ) = η(p ) σ τ P σ τ P Corollary 3.6 Let E be an anomalous elliptic curve. That is, E is defined over F p and E[p] E(F p ). Then l and η are the same function of E. Proof: Since E is defined over F p, E (p) = E, and so f F p (E (p) ), the function defined in Proposition 3.5, is in fact function of E. Since f and f P have the same divisor, they are the same function up to constant. Therefore, df P /ωf P = df/ωf and l = η. We also note that in the case of anomalous elliptic curves, the maps α and η agree up to sign on the p-torsion subgroup, E[p]. Proposition 3.7 Let E be an anomalous elliptic curve. Then α(p ) = η(p ) for all P E[p]. 9

10 Proof: We know show that α(p ) = η(p ). Recall that since E[p] E(K), there exists u F p such that u p = H. But u p = for all u F p, hence H = for anomalous curves. Let P ker V and Q E(F p ) be such that V (Q) = P. Note that Q p Q is a point of p-torsion. Since ζ is defined over F p, α(p ) = ym(x)(p ) = ym(x) V (Q) = (ζ(q)) p ζ(q) = ζ(q p ) ζ(q) = ζ(q p Q + Q) ζ(q) = η(q p Q) Since η is odd, η( P ) = η(p ), thus it remains to show Q p Q = P. Note that Q E[p 2 ] since [p 2 ](Q) = [p] F V (Q) = [p] F (P ) = F ([p]p ) = P. Since the trace of an anomalous curve is, the Frobenius satisfies F 2 F + [p] = 0. Furthermore, since E[p] E(F p ), F Id 0 on E[p]. Thus F Id = ax on E[p 2 ] Z/p 2 Z, where a is divisible by p. Then (F Id) 2 0 on E[p 2 ]. So on E[p 2 ], and thus F Id [p] on E[p 2 ]. Therefore and thus α(p ) = η(p ). 0 (F Id) 2 = F 2 [2]F + Id = [p] F + Id Q p Q = F (Q) Q = (Id [p])(q) Q = [p](q) = P Remark: The p-descent approach may be extended to E(K) with order p r n for r >. As opposed to using descent on V, we use descent on V r, the dual isogeny of the r th power of Frobenius, F r. The framework is the same, however the actual calculations involve some more technicalities, namely using Witt vectors and the canonical lift of E. For details, see [2]. 4 An approach based on the p-adic elliptic logarithm In this section, let E be an anomalous elliptic curve. In other words, the curve E is defined over F p and E[p] E(F p ). In fact, for p > 5, E[p] = E(F p ), by Hasse s theorem. In R, with the operation of multipication, we apply the natural logarithm to solve the equation α = β n for n. The natural logarithm is the integral of the differential xdx, which is invariant under scalar multiplication. Its invariance under the group operation makes the natural logarithm a homomorphism. For elliptic curves, the invariant differential is ω = dx 2y, which, as its name suggests, is invariant under addition. To solve the ECDLP, it is natural to try the analogous approach and integrate this differential. However, there are some technical issues. First of all, integration introduces denominators which, if divisible by p, would not be defined over F p. Secondly, to integrate the differential it is more convenient to work with an expression for ω in terms of a single variable. Thus, we work with the formal group of the elliptic curve Ẽ, which is a lift of E to a field of characteristic zero, namely the p-adic field Q p. Here the p-adic elliptic logarithm is a well-defined power series in the parameter z and can be used to solve the ECDLP. In practice, we will see it is only necessary to lift E to a curve over the ring Z/p 2 Z and use a truncated version of the logarithm. This is the algorithm that was proposed independently by Satoh and Araki, and Smart around 999 ([7], [0]). 0

11 4. The p-adic elliptic logarithm The formal group of an elliptic curve E arises from expanding everything associated to E (the Weierstrass equation, the coordinate functions, the group law) around the point at infinity. Using z = x y as a uniformizer for P, we get a change of coordinates (x, y) ( x/y, /y) = (z, w(z)) taking P to (0, 0). (The reason for this choice of uniformizer is best understood in the complex context C/Λ. There z = 0 corresponds to P and (x, y) = ( (z), 2 (z)), for the Weierstrass- function with double poles at z = 0.) Rewriting the Weierstrass equation in terms of z and w(z), and solving recursively for w(z), we get x(z) = +... and y(z) = +... This is called a formal group, since points are pairs of elements z 2 z 3 of the field of fractions of the ring of formal power series in z, where (x(z), y(z)) satisfy the Weierstrass equation. For values of z in an arbitrary field K, these formal power series do not necessarily converge, and hence may not correspond to actual points on the curve. However, if Ẽ is a curve over Q p, the coordinate series will converge for z pz p, yielding the injection φ pz p Ẽ/Qp z (x(z) : y(z) : ) Let E = φ(pz p ). This is known as the group associated to the formal group of Ẽ/Q p. Note that E = {(x, y) Ẽ/Q p : v p (x) 2} where v p is the p-adic valuation. Thus, if we reduce a point in E mod p, we get P. Hence E is the kernel of the reduction mod p map. In the case when E has good reduction, (for example, if it is a lift of a curve E over F p ), we have the short exact sequence E Ẽ(Q p) red p E(F p ) Now consider the invariant differential ω = dx 2y. This differential has no zeros or poles and is unique up to non-zero constant. The fact that ω is translation invariant can be proved by a straightforward calculation or by using divisors of differentials ([9], 80). In the formal group, for the curve y 2 = x 3 + Ax + B, ω(z) = ( + i c i z i )dz = ( + Az )dz, where c i Z[A, B]. Integrating, we get log F (z) := ω(z) = z + A 5 z The function log F (z) converges since p z and A, B Z p, and it is a homomorphism from E to Q p since ω is translation invariant. Thus, for P E Ẽ, we have a logarithm map. 4.2 The DLP attack Now we show how this can be used to solve the ECDLP on anomalous curves. First lift the curve E to Q p. That is, choose Ã, B Z p such that y 2 = x 3 + Ãx + B reduces modulo p to the original curve. Next lift the points P and Q with Q = np to Z p by Hensel s lemma. There are infinitely many lifts, since for any x Z p such that x x mod p, by Hensel s lemma, there is a unique ỹ satisfying the Weierstrass equation such that ỹ y modulo p.

12 The points P, Q may no longer be dependent, however, since np = Q (mod p), R = n P Q must reduce to P (mod p), and so R E. Since P, Q are points of p-torsion, p P, p Q E. Thus applying the formal logarithm to both sides of pn P p Q = p R, we get n log F (p P ) log F (p Q) = log F (p R). Note that p R E 2 = {(x, y) E/Q p : v p (x) 4}. Therefore, p 2 divides log F (φ (p R)). Thus, reducing modulo p 2, we get n log F (p P ) log F (p Q) 0(mod p 2 ). Provided that log F (p P ) 0(mod p 2 ), we can divide by p and solve n log F (p P ) log F (p Q)(mod p) for n Z/pZ. Working modulo p 2, the p-adic logarithm is truncated to yield the homomorphism E pz p λ Zp /p 2 Z p Z/p 2 Z (x, y) z = x y log F (z)(mod p 2 ) z(mod p 2 ) which is trivial to calculate. It is also possible to show by direct calculation that the map (x, y) x y is a homomorphism from E[p] to F + p ([4], 90). This approach fails only if log F (p P ) = 0 mod p 2. We discuss this case in the next section. The only significant computations are p Q and p P which take O(ln p) group operations. Thus we have a polynomial time algorithm for solving the ECDLP on anomalous elliptic curves. The calculations are done over the ring Z/p 2 Z, using the addition laws on projective coordinates for elliptic curves over rings, which extend the classical addition laws for working over fields. (Note that the classical addition laws, which involve the slope of the line through the points, do not suffice, since some denominators may not be invertible mod p 2. ) In particular, for a point (x, y) E, x (respectively y) has p 2 (p 3 ) in the denominator. Thus, to view these points over Z/p 2 Z we use projective coordinates (x : y : v) to remove all powers of p from the denominator. We get (x, y) ( x p 2 : y p 3 : ) = (px : y : p 3 ) where x, y are invertible in Z p. Using projective coordinates also makes sense since we do not need the particular x or y values, only their ratio x y. 4.3 The canonical lift of E mod p 2 Consider the elliptic curve E over F 5, given by y 2 = x 3 + 3x + 2. The points Q = (, 4) and P = (, ) are inverses so we know Q = 4P. We now use the ECDLP attack above to see this as well. Lift to Ẽ : y 2 = x 3 + 3x + 2 over Z/5 2 Z. Q = (, 4) ( : 9 : ) P = (, ) ( : 6 : ) 5 (0 : : 0) mod 25 5 (0 : : 0) mod 25 Note that in this case, Q, P are p-torsion points mod p 2. That is, p Q, p P E 2, so log F (p P ) = 0 mod p 2. Choosing different lifts of P and Q will not remedy the situation, as we now show. 2

13 Proposition 4. Let Ẽ be a lift of E to Z/p 2 Z. Then all lifts of a particular point Q E[p] are either p-torsion mod p 2 or not. Furthermore, all points of E[p] lift either all to E or all to E 2. In the latter case, we call the canonical lift of E mod p 2. Proof: Fix a lift Ẽ, and let Q, Q 2 be two lifts of Q. Then Q Q 2 E which implies that p Q p Q 2 E 2. Hence Q is p-torsion mod p 2 if and only if Q 2 is. By the dependence of P and Q mod E, pn P p Q = p R E 2. Thus p Q E 2 if and only if p P E 2, for every P, Q E[p]. Thus, if p Q = P for any Q E[p], we have chosen the canonical lift mod p 2, and therefore can obtain no information. Since a curve is characterized by its j-invariant up to isomorphism over F p, lifting the curve corresponds to lifting the j-invariant to Z/p 2 Z. Thus, there are p lifts of a curve to Z/p 2 Z, only one of which will be canonical mod p 2. (This last fact is related to a result of which says there is a unique elliptic curve Ẽ over Q p (up to j-invariant) such that the p-torsion of E lifts to p-torsion in Ẽ [4]. It also follows from a result of Deuring which establishes a bijection between elliptic curves over Q p and those over F p with the same endomorphism ring [3]. Note however, that if we happen to choose the canonical lift mod p 2, we can simply choose another lift of the curve to solve the DLP. For example, consider the lift Ẽ : y 2 = x 3 + 8x + 2. Q = (, 4) ( : 9 : ) P = (, ) ( : 6 : ) 5 (0 : 23 : 0) 5 (0 : 20 : 0) λ λ 0 23 mod 25 4 mod mod 25 mod 5 and n = λ (5 Q)/λ (5 P ) = 4 mod 5. Remark: It is important to note why this approach does not extend to elliptic curves of order prime-to-p. For Q, P, m-torsion points with Q = np, m Q, m P E so we may apply the formal logarithm mod p 2. However, the logarithm of m R = m( Q n P ) will not be zero mod p 2 as before, since (m, p) = and E /E 2 F + p. Thus, without knowing R, we can t compute n. But knowing R requires knowing n, so no information can be gained. Remark: There is a completely analogous approach, based on lifting to F p [ɛ], the dual numbers of F p []. This version has the advantage of being more efficient, as computations in F p [ɛ] are more straightforward than in Z/p 2 Z. It may present another advantage as well. Calculations suggest that the only canonical lifts to F p [ɛ] are those with j F p. Presuming this, it is easy to avoid a lift to F p [ɛ] for which P and Q are p-torsion simply by choosing a lift with j-invariant j / F p. This differs from the case of lifting to Z/p 2 Z, since (to the author s knowledge), there is no analogously simple way to determine from the j-invariant j Z/p 2 Z whether or not the lift is canonical. References [] Belding, Juliana, A Weil pairing on the p-torsion of ordinary elliptic curves over K[ɛ], preprint, [2] Lang, S. Algebra, 3 rd edition, Springer, [3] Lang, S. Elliptic Functions, Addison-Wesley, 973. [4] Lubin, J., Serre, J.P., Tate, J. Elliptic curves and formal groups, Proceedings of the Woods Hole Institute in Algebraic Geometry, 964. (Unpublished, available at 3

14 [5] Miller, V. The Weil pairing, and its efficient calculation, Journal of Cryptology, Vol 7, pp , [6] Rück, H. On the discrete logarithm in the divisor class group of curves, Mathematics of Computation, Vol 68, No 226, pp , 999. [7] Satoh T. and Araki K., Fermat quotients and the polynomial time discrete log algorithm for anamolous elliptic curves. Comm. Math. Univ. Sancti. Pauli., 47:8-92, 998. [8] Semaev, I.A. Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p, Mathematics of Computation, 67: ,998. [9] Silverman, J. The Arithmetic of Elliptic Curves, Springer-Verlag, 986. [0] Smart, N. The discrete logarithm problem on elliptic curves of trace one, Journal of Cryptology, 2:93-96,999. [] Voloch, J. An analogue of the Weierstrass ζ-function in characteristic p, Acta Arithmetica, 76:-6, 997. [2] Voloch, J. The discrete log problem on elliptic curves and descents. (Unpublished, available at [3] Voloch, J. Explicit p-descent for elliptic curves in characteristic p, Compositio Mathematica, 74: , 990. [4] Washington, L. Elliptic Curves: Number Theory and Cryptography, Chapman & Hall/CRC,