IJMSI v4n2p55 en
IJMSI v4n2p55 en
IJMSI v4n2p55 en
1. Introduction
Let G be an additive finite group, x ∈ G and y ∈ x. The discrete logarithm
problem (DLP ) on G is to find the number k such that y = kx. The integer k
is called the discrete logarithm of y to the base x. If G is the group of points
on an elliptic curve over a finite field, then the discrete logarithm problem on
G is called the elliptic curve discrete logarithm problem (ECDLP ).
∗ Corresponding Author
Koblitz [6] and Miller [7] in 1985 independently proposed using the group of
points on an elliptic curve defined over a finite field to devise discrete logarithm
cryptographic schemes. The security of these cryptosystems is based upon the
presumed intractability of computing logarithms in the elliptic curve group.
Our main result is the following theorem which reduces the ECDLP to
DLP on the underlying field.
Theorem Let E be an elliptic curve over a finite field Fq and E(Fq ) be
the set of Fq rational points of E. Also let E[n](Fq ) be the group of n-torsion
points of E defined over Fq . If n | q − 1, then solving the discrete logarithm
problem on F∗q is at least as hard as solving the discrete logarithm problem on
E[n](Fq ).
The remainder of the paper is organized as follows. The next section provides
the definition of the usual and generalized jacobians and necessary results about
them. We will prove the above theorem in section 3 (Theorem 3.3) using the
theory of generalized jacobian of the elliptic curve E. Finally an example,
which shows how to apply our method is given in the last section.
Theorem 2.1. Let E be an elliptic curve over a field K. Then the map
P −→ [(P ) − (O)] is a group isomorphism between E and P ic0 (E)with well-
defined inverse [ P ∈E nP (P )] −→ P ∈E nP P .
Proof. The proof of this theorem can be found in ([13] Proposition III.2.6). For
a more complete treatment, one can see [16].
Definition 2.3. Let m be an effective divisor and let D and D be two divisors
with supports disjoint from the support of m. We say that D and D are m-
equivalent, and write D ∼m D , if there is a function f ∈ K(C)∗ such that
div(f ) = D − D and f ≡ 1 (mod m).
a commutative algebraic group Jm isomorphic to the group P ic0m (C). The di-
mension π of Jm is given by
g if m = 0,
π=
g + deg(m) − 1 otherwise.
Proof. See [10] and ([11] chapter V. Proposition 2. and Theorem 1.)
Definition 2.5. The algebraic group Jm is called the generalized jacobian of
the curve C with respect to the modulus m.
To obtain a representation of the elements of the generalized jacobian we
need the following theorem.
Theorem 2.6. Let (G, +) be a group and (A, ·) be an abelian group. Let also
p
1 −→ A −→ G −→ G −→ 0
be a short exact sequence defining a group extension G of G by A. Denote by
⊕ the group operation on G. Then,
1: Let s : G −→ G be a (set-theoretic) section for p (i.e. p ◦ s = 1G ).
Then the map
A × G −→ G
(a, σ) a ⊕ s(σ)
is a bijection of sets. Hence, each element of G can be represented as
a pair (a, σ), where a ∈ A and σ ∈ G.
2: There is a well-defined natural action of G on A given by
A × G −→ A
(a, σ) aσ := x ⊕ a x
where x is any element of G satisfying p(x) = σ and x denotes the
inverse of x in G.
3: In fact, the group operation ⊕ : G × G −→ G can be expressed in terms
of this action:
(a, σ) + (b, τ ) = (a · bσ · c(σ, τ ), σ + τ )
where c : G × G −→ A must satisfy the following condition
(2.1) c(σ, τ ) · c(σ + τ, ρ) = c(τ, ρ)σ · c(σ, τ + ρ).
(A function c satisfying (2.1) is called a 2-cocycle on G with values in A.)
Proof. see ([4] chapter III) and ([17] chapter 5)
In the case that G is commutative, (2.1) can be rewritten as
c(σ, τ ) · c(σ + τ, ρ) = c(τ, ρ) · c(σ, τ + ρ).
Moreover we have the following Lemma.
Generalized Jacobian and Discrete Logarithm Problem on Elliptic Curves 59
Proof. See ([5] Lemma 7.1) and [14] for a more complete treatment.
Theorems 2.2 and 2.4 and the epimorphism σ : P ic0m (C) −→ P ic0 (C) implies
that there exists an epimorphism τ : Jm −→ J. Let Lm be the kernel of τ , then
the short exact sequence
τ
1 −→ Lm −→ Jm −→ J −→ 0
defines the group extension Jm of J by Lm . It then follows from Theorem 2.6
that the elements of Jm could be seen as pairs (k, P ), where k ∈ Lm and P ∈ J.
Using this representation, the group law on Jm could be expressed in terms of
the group laws on Lm and on J, and also involves a 2-cocycle on J with values
in Lm .
Moreover the short exact sequence
ι ρ
1 −→ Lm −→ Lm × J −→ J −→ 0
with obvious maps ι and ρ also defines another group extension Lm × J of J
by Lm . But can Jm be the direct product Lm × J? Rosenlicht answers this
question in the following theorem.
Now let E be an elliptic curve defined over the finite field K = Fq with q
elements and let m = (M ) + (N ), where M and N are distinct nonzero points
of E(Fq ).
Finally, let Jm be the generalized jacobian of E with respect to m. In the light
of Theorems 2.8 and 2.9, this choice of parameters implies that this generalized
jacobian will be an extension of the elliptic curve E by the multiplicative group
Gm . We already know that there is a bijection of sets between Jm and Gm × E.
Hence, each element of Jm can be represented as a pair (k, P ), where k ∈ Gm
and P ∈ E Indeed, we have by construction that Jm is isomorphic to P ic0m (E),
and so an explicit bijection of sets ϕ : P ic0m (E) −→ Gm × E could be used to
transport the known group law on P ic0m (E) to Gm × E.
Déchène ([1] Chapter 5, Propositions 5.1 and 5.4) has proved the following
two theorems which represent the elements of Jm using the isomorphism be-
tween P ic0m (E) and Gm × E and obtaining a formula for the group operation
on Gm × E.
We here present a small collection of the basic properties of the group law
in these generalized jacobians, which are easily derived from Theorem (2.11).
Generalized Jacobian and Discrete Logarithm Problem on Elliptic Curves 61
At first
nk(1, P ) = n(k(1, P )) = n(αk (P ), kP ) = n(αk (P ), Q)
= (αk (P )n αn (Q), nQ) = (αk (P )n αn (Q), O)
thus αnk (P ) = αk (P )n αn (Q). Also
nk(1, P ) = k(n(1, P )) = k(αn (P ), nP )
= k(αn (P ), O) = (αn (P )k , O)
thus αnk (P ) = αn (P )k . Comparing these two last equation implies that
(3.2) αk (P )n αn (Q) = αn (P )k
and from this we have
q−1 q−1
αn (Q) n = (αn (P ) n )k .
Now let k < 0. From Lemma 2.7 cm (R, S)cm (−R, R + S) = 1 for all R, S ∈ E
then
cm (Q, Q)cm (−Q, 2Q) = 1
cm (Q, 2Q)cm (−Q, 3Q) = 1
..
.
cm (Q, (n − 1)Q)cm (−Q, O) = 1
cm (Q, O)cm (−Q, Q) = 1.
Multiplying the above equations gives αn (Q)αn (−Q) = 1 that implies αn (−Q) =
(αn (Q))−1 and the proof is now complete.
Remark 3.5. In the generalized jacobian Jm let (a, P ) and (b, Q) be the repre-
sentation of two elements of Jm such that (b, Q) = k(a, P ). Also let Ord(P ) =
n. In this case b = ak αk (P ) and therefore from (3.2)
bn αn (Q) = akn αk (P )n αn (Q) = akn αn (P )k = (an αn (P ))k . If an αn (P ) is a
primitive root of unity in F∗q , then the equation bn αn (Q) = (an αn (P ))k gives
a discrete logarithm problem in F∗q .
Generalized Jacobian and Discrete Logarithm Problem on Elliptic Curves 63
4. An Example
With a simple PARI program we can calculate αn (P ) and αn (Q) very fast
(in logarithmic time).
Consider the elliptic curve
E : y 2 + xy + y = x3 + 2x2 + 6x + 7
defined over the finite field Fq with q = 152617819 elements. We reduce the
discrete logarithm problem on this elliptic curve to a discrete logarithm problem
in F∗q .
Consider P = (23658750, 133471885) ∈ E(Fq ) , Q = kP = (129045381, 133258769)
with k = 4276384. The order of P is Ord(P ) = 25436303. The points M = 4P and
N = 5P do not occur in the calculation αn (P ) and αn (Q) by repeated doubling
process. We get
q−1
αn (P ) n = αn (P )6 = 76904832,
q−1
αn (Q) n = αn (Q)6 = 95183794.
Hence in order to compute k we have to solve the discrete logarithm problem
(4.1) 95183794 ≡ 76904832k (mod q).
Of course one can check in this example that k is a solution of the equation (4.1).
References
[1] Isabelle Déchène, Generalized Jacobians in Cryptography, PhD thesis, McGill University,
2005.
[2] Isabelle Déchène, Arithmetic of generalized Jacobians, in ”Algorithmic Number Theory
Symposium ANTS VII” (eds. F. Hess, S. Pauli and M. Post), 4076, Springer-Verlag,
2006, 421-435.
[3] Isabelle Déchène, On the security of generalized jacobian cryptosystems, Advances in
Mathematics of Communications, 1 (4) (2007), 413-426.
[4] Peter Hilton and Urs Stammbach, Course in Homological Algebra, Number 4 in Grad-
uate Texts in Mathematics. Springer-Verlag, New York, 1971.
[5] J. Scott Carter, Daniel Jelsovsky, Seiichi Kamada, Laurel Langford and Masahico Saito,
Quandle Cohomology and State-sum Invariants of Knotted Curves and Surfaces, Trans.
Amer. Math. Soc., 355 (2003), 3947-3989.
[6] N. Koblitz, Elliptic curve cryptosystems, Mathematics of Computation, 48 (1987), 203-
209.
[7] V. Miller, Use of elliptic curves in cryptography, Advances in CryptologyCRYPTO, 85
(LNCS 218, [483]) (1986), 417-426.
[8] G. C. Pohlig and M. E. Hellman, An improved algorithm for computing logarithms
over GF (p) and its cryptographic significance, IEEE Trans. Info. Theory, 24 (1978),
106-110.
[9] Maxwell Rosenlicht, Equivalence relations on algebraic curves, Annals of Mathematics,
56 (1952), 169-191.
[10] Maxwell Rosenlicht, Generalized Jacobian varieties, Annals of Mathematics, 59 (1954),
505-530.
[11] Jean-Pierre Serre, Algebraic groups and class fields, Vol. 117 of Graduate texts in math-
ematics, Springer-Verlag, New-York, 1988.
64 H. Daghigh and M. Bahramian
[12] Joseph H. Silverman, The arithmetic of elliptic curves, Vol. 106 of Graduate Texts in
Mathematics, Springer-Verlag, New York, 1986.
[13] Joseph H. Silverman, Advanced topics in the arithmetic of elliptic curves, Vol. 151 of
Graduate Texts in Mathematics, Springer-Verlag, New York, 1994.
[14] M. Wakui, On Dijkgraaf-Witten invariant for 3-manifolds, Osaka J. Math., 29 (1992),
675-696.
[15] L. C. Washington, Elliptic Curves, Number Theory and Cryptography, Chapman and
Hall / CRC, 2003.
[16] André Weil, Variétés abéliennes et courbes algébriques, Vol. 1064 of Actualités Sci. Ind.
Hermann and Cie, Paris, 1948.
[17] Edwin Weiss, Cohomology of groups, Pure and Applied Mathematics, Vol. 34, Academic
Press, New York, 1969.