
Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field

Alfred Menezes and Scott Vanstone
Dept. of Combinatorics and Optimization, University of Waterloo, Waterloo, Ontario, Canada, N2L 3G1.

Tatsuaki Okamoto
NTT Laboratories, Take, Yokosuka-Shi, 238-03 Japan.

Abstract

Previously, no general-purpose algorithm was known for the elliptic curve logarithm problem that ran in better than exponential time. In this paper we demonstrate the reduction of the elliptic curve logarithm problem to the logarithm problem in the multiplicative group of an extension of the underlying finite field. For the class of supersingular elliptic curves, the reduction takes probabilistic polynomial time, thus providing a probabilistic subexponential time algorithm for the former problem. The implications of our results to public key cryptography are discussed.

1 Introduction

The discrete logarithm problem in a group G can be stated as follows: given α ∈ G and β ∈ G, find an integer x such that α^x = β, provided such an integer exists. The integer x is called the discrete logarithm of β to the base α. In this paper we shall consider the case where G is an elliptic curve E over a finite field F_q and α is a point P ∈ E(F_q).

In [8] and [12], Koblitz and Miller described how the group of points on an elliptic curve over a finite field can be used to construct public key cryptosystems. The security of these cryptosystems is based upon the presumed intractability of the problem of computing logarithms in the elliptic curve group. The best general-purpose algorithms known for this problem are the square root methods (see [13]), which apply to any finite group and have a running time proportional to the square root of the largest prime dividing the order of the group. Consequently, if the group order is divisible by a large prime, then even the best attacks known take exponential time. Miller [12] argues that the index-calculus methods, which give subexponential algorithms for computing logarithms in the multiplicative group of a finite field, do not extend to the elliptic curve group.

In this paper we propose a reduction of the elliptic curve logarithm problem in E(F_q) to the discrete logarithm problem in a suitable extension field F_{q^k} of F_q. The reduction is achieved by establishing an isomorphism between the subgroup <P> generated by P and the subgroup of nth roots of unity in F_{q^k}, where n is the order of P. The isomorphism is given by the Weil pairing. Since the index-calculus methods for computing logarithms in a finite field have subexponential running times, the reduction is useful for computing elliptic curve logarithms in the case where k is small.

Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission.
© 1991 ACM 089791-397-3/91/0004/0080 $1.50

For the class of supersingular elliptic curves, which have been recommended for implementation in [8], [6], [2] and [9], we prove that k ≤ 6 and that the reduction is a probabilistic polynomial time reduction. More precisely, we prove the following two results.

Theorem 11 If E(F_q) is a supersingular elliptic curve, then the reduction of the elliptic curve logarithm problem in E(F_q) to the discrete logarithm problem in F_{q^k} is a probabilistic polynomial time (in log q) reduction.

Corollary 12 Let P be an element of order n in a supersingular elliptic curve E(F_q), q = p^m, and let R = lP be a point in <P>. If q is a prime, or if p is small, then one can determine l in probabilistic subexponential time.

The remainder of the paper is organized as follows. In Section 2 we list some properties of elliptic curves which will be useful. In Section 3 we describe the reduction, and in Section 4 we discuss the special case of supersingular curves, for which the reduction is especially effective. Finally, in Section 5 we mention some of the implications of our results to cryptography.

2 Background on Elliptic Curves

In this Section we review some of the theory of elliptic curves over finite fields which we will use. For further information, we refer the reader to the book by Silverman [19].

Let F_q denote the finite field on q elements, where q = p^m and p is the characteristic. Let E(F_q) be the set of all solutions (x, y) ∈ F_q × F_q to an affine equation of one of the following forms, together with a point at infinity O. If p is greater than 3, the equation is

  y² = x³ + ax + b,  a, b ∈ F_q,  4a³ + 27b² ≠ 0.                  (1)

If p = 2, the equation is

  y² + a3·y = x³ + a4·x + a6,  a3, a4, a6 ∈ F_q,  a3 ≠ 0,            (2)

if the curve has j-invariant equal to 0, and

  y² + xy = x³ + a2·x² + a6,  a2, a6 ∈ F_q,  a6 ≠ 0,                (3)

if the curve has j-invariant not equal to 0. The chord and tangent method of addition gives E(F_q) the structure of an abelian group with identity element O; the addition of two points involves a few arithmetic operations in F_q. E(F_q) is called an elliptic curve over F_q, and E(F_q) can also be viewed as a subgroup of E(K) for any extension field K of F_q.

Let #E(F_q) = q + 1 − t denote the order of the group. By Hasse's theorem, |t| ≤ 2√q. The curve is said to be supersingular if p divides t. E(F_q) is an abelian group of rank 1 or 2 ([18], 4.2): E(F_q) ≅ Z_{n1} ⊕ Z_{n2}, where n2 | n1 and furthermore n2 | q − 1. Here Z_n denotes the cyclic group on n elements, and we say that E(F_q) is of type (n1, n2).

The next result determines whether or not a supersingular elliptic curve of a given order exists.

Lemma 1 ([18]) Let q = p^m and let t be an integer with t² ≤ 4q. There exists a supersingular elliptic curve E over F_q with #E(F_q) = q + 1 − t if and only if one of the following holds:
(i) m is odd, and one of the following holds: (1) t = 0; (2) t² = 2q and p = 2; (3) t² = 3q and p = 3.
(ii) m is even, and one of the following holds: (1) t² = 4q; (2) t² = q and p ≢ 1 (mod 3); (3) t = 0 and p ≢ 1 (mod 4).

From the preceding result, a supersingular curve has t² = 0, q, 2q, 3q or 4q. The following result gives the group structure of the supersingular curves.

Lemma 2 ([18], 4.8) Let E be a supersingular elliptic curve over F_q with #E(F_q) = q + 1 − t.
(i) If t² = q, 2q or 3q, then E(F_q) is cyclic.
(ii) If t² = 4q, then E(F_q) ≅ Z_{√q−1} ⊕ Z_{√q−1} if t = 2√q, and E(F_q) ≅ Z_{√q+1} ⊕ Z_{√q+1} if t = −2√q.
(iii) If t = 0 and q ≢ 3 (mod 4), then E(F_q) is cyclic. If t = 0 and q ≡ 3 (mod 4), then either E(F_q) is cyclic or E(F_q) ≅ Z_{(q+1)/2} ⊕ Z_2.

The Weil conjecture (see [19]) enables one to compute #E(F_{q^k}) from #E(F_q) as follows. Let α, β be the complex numbers determined by the factorization

  1 − tT + qT² = (1 − αT)(1 − βT).

Then

  #E(F_{q^k}) = q^k + 1 − α^k − β^k.
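The following Python program is an added worked example and is not part of the paper. It applies the supersingularity criterion p | t, the Weil conjecture (through the recurrence s_k = t·s_{k−1} − q·s_{k−2} for s_k = α^k + β^k, which avoids complex arithmetic), and Lemma 3 (ii) over F_{q^k} to compute, for a curve known only through (q, t) and a prime subgroup order n, the smallest k with n | q^k − 1. For the six supersingular classes of Section 4 this agrees with the k of Table 1; for an arbitrary curve it is a necessary condition for E[n] ⊆ E(F_{q^k}), so the summary also reports whether n² | #E(F_{q^k}) (the condition of Lemma 3 (i) over F_{q^k}). The class labels follow Section 4; for t = 0 and q ≡ 3 (mod 4) the class depends on whether E(F_q) is cyclic, which the caller must supply. The inputs (43, 0), (128, 16) and (101, −12) are constructed for the example; the last is an ordinary curve with a hypothetical trace.

```python
from math import isqrt


def prime_power(q):
    """Return (p, m) with q = p^m; raise if q is not a prime power."""
    for p in range(2, isqrt(q) + 1):
        if q % p == 0:
            m, r = 0, q
            while r % p == 0:
                r, m = r // p, m + 1
            if r != 1:
                raise ValueError("not a prime power")
            return p, m
    return q, 1


def is_supersingular(q, t):
    """E/F_q with #E(F_q) = q + 1 - t is supersingular iff p | t.
    Hasse's theorem bounds the trace t by t^2 <= 4q."""
    p, _ = prime_power(q)
    if t * t > 4 * q:
        raise ValueError("trace violates Hasse's bound")
    return t % p == 0


def supersingular_class(q, t, cyclic=None):
    """Class (I)-(VI) of Section 4, or None for an ordinary curve.  For t = 0
    and q = 3 (mod 4) the class depends on whether E(F_q) is cyclic
    (Lemma 2 (iii)); pass that as `cyclic`, or get 'I or II'."""
    p, m = prime_power(q)
    if not is_supersingular(q, t):
        return None
    if t == 0:
        if q % 4 != 3 or cyclic:
            return "I"
        return "II" if cyclic is False else "I or II"
    if t * t == q and m % 2 == 0:
        return "III"
    if t * t == 2 * q and p == 2 and m % 2 == 1:
        return "IV"
    if t * t == 3 * q and p == 3 and m % 2 == 1:
        return "V"
    if t * t == 4 * q and m % 2 == 0:
        return "VI"
    raise ValueError("supersingular trace outside the cases of Lemma 1")


def curve_order_ext(q, t, k):
    """#E(F_{q^k}) = q^k + 1 - (a^k + b^k), a and b the roots of X^2 - tX + q
    (Weil conjecture).  s_k = a^k + b^k satisfies s_k = t*s_{k-1} - q*s_{k-2}
    with s_0 = 2 and s_1 = t, so only integer arithmetic is needed."""
    s_prev, s = 2, t
    for _ in range(k - 1):
        s_prev, s = s, t * s - q * s_prev
    return q ** k + 1 - s


def embedding_degree(q, n, limit=1000):
    """Smallest k <= limit with n | q^k - 1, i.e. the smallest F_{q^k} that
    contains the n-th roots of unity (Lemma 3 (ii) over F_{q^k}); None if
    no such k <= limit, in which case the reduction is useless in practice."""
    acc = 1
    for k in range(1, limit + 1):
        acc = (acc * q) % n
        if acc == 1:
            return k
    return None


def mov_check(q, t, n, cyclic=None):
    """What a practitioner wants to know about a prime-order-n subgroup of
    E(F_q): is the curve supersingular, which class, how small is k, and
    does n^2 divide #E(F_{q^k}) (Lemma 3 (i) over F_{q^k})."""
    if (q + 1 - t) % n:
        raise ValueError("n must divide #E(F_q)")
    k = embedding_degree(q, n)
    cls = supersingular_class(q, t, cyclic)
    return {
        "supersingular": cls is not None,
        "class": cls,
        "k": k,
        "n2_divides_ext_order": k is not None and curve_order_ext(q, t, k) % (n * n) == 0,
    }
```

For (q, t, n) = (128, 16, 113), a class IV curve over F_{2^7} with prime order 113, the check returns k = 4 and confirms 113² | #E(F_{2^28}) = (2^14 + 1)², exactly the structure (q² + 1, q² + 1) of Table 1; for the ordinary example (101, −12, 19) it returns k = 9 = (n − 1)/2, so a pairing would have to be evaluated in F_{101^9} and the reduction buys nothing.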

An n-torsion point is a point P ∈ E(F̄_q) satisfying nP = O, where F̄_q denotes the algebraic closure of F_q. E(F_q)[n] denotes the subgroup of n-torsion points in E(F_q), and E[n] denotes the subgroup of n-torsion points in E(F̄_q). If n and q are relatively prime, then E[n] ≅ Z_n ⊕ Z_n ([19]). The following result provides necessary and sufficient conditions for E(F_q) to contain all of the n-torsion points.

Lemma 3 ([18], 3.7) Let E be an elliptic curve over F_q, and let n be a positive integer relatively prime to q. Then E[n] ⊆ E(F_q) if and only if the following three conditions hold:
(i) n² | #E(F_q);
(ii) n | q − 1;
(iii) either φ ∈ Z or O((t² − 4q)/n²) ⊆ End_{F_q}(E), where φ denotes the Frobenius endomorphism and O(d) the order of discriminant d.

For the definition of the Weil pairing e_n, and of Miller's algorithm for computing it, see the Appendix. The next result, from [7], provides a partitioning of E(F_q) into the cosets of the subgroup generated by a point of maximum order.

Lemma 4 ([7]) Let E(F_q) be an elliptic curve of type (n1, n2), and let P be a point of maximum order n1 in E(F_q). If gcd(n1, q) = 1, then P1, P2 ∈ E(F_q) are in the same coset of <P> if and only if e_{n1}(P, P1) = e_{n1}(P, P2).

The next result has a proof similar to that of Lemma 4. For completeness, we include it here. We first list some useful properties of the Weil pairing e_n : E[n] × E[n] → μ_n, where μ_n denotes the group of nth roots of unity.
(i) Identity: e_n(P, P) = 1 for all P ∈ E[n].
(ii) Alternation: e_n(P1, P2) = e_n(P2, P1)^{−1} for all P1, P2 ∈ E[n].
(iii) Bilinearity: e_n(P1 + P2, P3) = e_n(P1, P3) e_n(P2, P3) and e_n(P1, P2 + P3) = e_n(P1, P2) e_n(P1, P3) for all P1, P2, P3 ∈ E[n].
(iv) Non-degeneracy: if e_n(P1, P2) = 1 for all P2 ∈ E[n], then P1 = O.
(v) If E[n] ⊆ E(F_{q^k}), then e_n(P1, P2) ∈ F_{q^k} for all P1, P2 ∈ E[n].

Lemma 5 Let E be an elliptic curve over F_q such that E[n] ⊆ E(F_q), where n is a positive integer coprime to q. Let P ∈ E[n] be a point of order n. Then P1, P2 ∈ E[n] are in the same coset of <P> within E[n] if and only if e_n(P, P1) = e_n(P, P2).

Proof. If P1 = P2 + kP, then clearly e_n(P, P1) = e_n(P, P2) e_n(P, P)^k = e_n(P, P2). Conversely, suppose that P1 and P2 are in different cosets of <P> within E[n]. Since E[n] ≅ Z_n ⊕ Z_n, we can choose a generating pair (P, Q) of E[n] and write P1 − P2 = a1·P + a2·Q, where a2·Q ≠ O. If e_n(P, a2·Q) = 1, then for any point b1·P + b2·Q of E[n] we have

  e_n(a2·Q, b1·P + b2·Q) = e_n(a2·Q, P)^{b1} e_n(Q, Q)^{a2·b2} = e_n(P, a2·Q)^{−b1} = 1,

so by the non-degeneracy property a2·Q = O, a contradiction. Thus e_n(P, a2·Q) ≠ 1. Finally,

  e_n(P, P1) = e_n(P, P2) e_n(P, a1·P + a2·Q) = e_n(P, P2) e_n(P, a2·Q) ≠ e_n(P, P2).  □

Miller [11] has developed an efficient probabilistic polynomial-time algorithm for computing the Weil pairing. By a probabilistic polynomial time algorithm we mean a randomized algorithm whose expected running time is bounded by a polynomial in the size of the input. By a probabilistic subexponential algorithm with input x we mean a randomized algorithm whose expected running time is L[a, x] for some 0 < a < 1, where, in the usual notation, L[a, x] = exp(O((ln x)^a (ln ln x)^{1−a})).

In the algorithms that follow, it is essential that we are able to pick points P uniformly at random from E(F_q) in probabilistic polynomial time.
This can be accomplished as follows. We first randomly choose an element x1 ∈ F_q. If x1 is the x-coordinate of some point in E(F_q), then we can find a y-coordinate y1 by finding a root in F_q of a polynomial of degree 2; there are various techniques for finding the roots of a polynomial over F_q in probabilistic polynomial time (for example, see [1] if q is a prime, or [15] if q is a prime power). We then set P = (x1, y1) or P = (x1, −y1) (respectively (x1, y1) or (x1, y1 + a3), or (x1, y1) or (x1, y1 + x1), if the curve has equation (2) or (3)), each with probability 1/2. From Hasse's theorem, the probability that x1 is the x-coordinate of some point of E(F_q) is approximately 1/2. Note that the probability of picking a point of order 2 in this way is twice the probability of picking any other point; however, there are at most three points of order 2.

Henceforth we will assume that E(F_q) is of type (n1, n2), with n2 | n1. We first describe an algorithm for obtaining partial information about the logarithm l by solving a discrete logarithm problem in the field F_q itself, in the case where P has maximum order n1.

Algorithm 1
Input: A point P ∈ E(F_q) of maximum order n1, and a point R = lP in <P>.
Output: An integer l' with l' ≡ l (mod n), where n is a divisor of n2.
(i) Pick a random point T ∈ E(F_q).
(ii) Compute α = e_{n1}(P, T) and β = e_{n1}(R, T).
(iii) Compute l', the discrete logarithm of β to the base α in F_q.

Finally, for future reference, we state the following results.

Lemma 6 Let G be a group and let a ∈ G be an element whose order divides n. Let n = ∏_{i=1}^{k} p_i^{e_i} be the prime factorization of n. Then a has order n if and only if a^{n/p_i} ≠ 1 for each i, 1 ≤ i ≤ k.

Lemma 7 Let H be an abelian group of type (N, N) and let n be a divisor of N. If Q' is selected uniformly at random from H, then (N/n)Q' is uniformly distributed among the elements of the subgroup of H of type (n, n).

Theorem 8 Algorithm 1 correctly computes l mod n, where n is some divisor of n2.

Proof. Let G ∈ E(F_q) be a point of order n2 such that the pair (P, G) generates E(F_q), and write T = c1·P + c2·G. Then

  α^{n2} = e_{n1}(P, T)^{n2} = e_{n1}(P, P)^{c1·n2} e_{n1}(P, c2·n2·G) = e_{n1}(P, O) = 1,

so the order n of α divides n2. Since β = e_{n1}(lP, T) = α^l, we have l' ≡ l (mod n).  □

Remarks. By Lemma 4, e_{n1}(P, G) has order exactly n2, and since T is uniformly distributed, so is c2 modulo n2; hence the probability that n = n2 is φ(n2)/n2. If n2 is small, however, this method does not provide significant information about l.
3 The Reduction

Let E be an elliptic curve over the finite field F_q, with defining equation given. Using Schoof's algorithm [17] we can compute #E(F_q) in polynomial time; given the factorization of gcd(#E(F_q), q − 1), we can then determine the type (n1, n2) of E(F_q) in probabilistic polynomial time by an algorithm due to Miller [11]. Let P ∈ E(F_q) be a point of order n, and let R ∈ <P>; the elliptic curve logarithm problem is to find the integer l, 0 ≤ l ≤ n − 1, such that R = lP. We assume that gcd(n, q) = 1, and we further assume that the factorization of n is known. In the remainder of this Section we describe a technique for computing l. Let k be the smallest positive integer such that E[n] ⊆ E(F_{q^k}); it is clear that such an integer k exists.

Theorem 9 There exists Q ∈ E[n] such that e_n(P, Q) is a primitive nth root of unity.

Proof. Let Q ∈ E[n]. Then, by the bilinearity of the Weil pairing, e_n(P, Q)^n = e_n(P, nQ) = e_n(P, O) = 1, so e_n(P, Q) ∈ μ_n, the group of nth roots of unity. There are n cosets of <P> within E[n], and by Lemma 5 the value e_n(P, Q) varies over all n elements of μ_n as Q varies over representatives of these cosets. Hence some Q ∈ E[n] yields a primitive nth root of unity.  □

Theorem 10 Let Q ∈ E[n] be such that e_n(P, Q) is a primitive nth root of unity, and let f : <P> → μ_n be defined by f(R) = e_n(R, Q). Then f is a group isomorphism.

Theorem 10 is easy to prove: f is a homomorphism by bilinearity, f(P) generates μ_n, and both groups have order n.

We can now describe the method for reducing the elliptic curve logarithm problem to the discrete logarithm problem in a finite field.

Algorithm 2
Input: A point P ∈ E(F_q) of order n, and a point R ∈ <P>.
Output: An integer l such that R = lP.
(i) Determine the smallest integer k such that E[n] ⊆ E(F_{q^k}).
(ii) Find Q ∈ E[n] such that α = e_n(P, Q) has order n.
(iii) Compute β = e_n(R, Q).
(iv) Compute l, the discrete logarithm of β to the base α in F_{q^k}.

Remarks. Since β = e_n(lP, Q) = α^l, the output of Algorithm 2 is correct. The reduction described in this Section takes exponential time (in log q) in general, as k is exponentially large in general. Moreover, Algorithm 2 is incomplete, since the method for finding the point Q in step (ii) is not described. We shall accomplish this in the next Section for the supersingular curves.

4 Supersingular Curves

In this Section we prove that the reduction of Section 3 takes probabilistic polynomial time for supersingular curves; the resulting algorithm for computing elliptic curve logarithms in these curves is probabilistic subexponential.

Let E(F_q) be a supersingular curve of order q + 1 − t over F_q, q = p^m. By Lemmas 1 and 2, E falls into one of the following six classes:
(I) t = 0 and E(F_q) ≅ Z_{q+1}.
(II) t = 0 and E(F_q) ≅ Z_{(q+1)/2} ⊕ Z_2 (so that q ≡ 3 (mod 4)).
(III) t² = q (and m is even).
(IV) t² = 2q (and p = 2 and m is odd).
(V) t² = 3q (and p = 3 and m is odd).
(VI) t² = 4q (and m is even).

Let E(F_q) be of type (n1, n2) and let P be a point of order n in E(F_q). Since n1 | q + 1 − t and p | t, we have gcd(n1, q) = 1, and hence gcd(n, q) = 1. By Lemma 2 and the Weil conjecture, one can easily determine, for each class, the structure of E(F_{q^k}) and the smallest positive integer k such that E[n1] ⊆ E(F_{q^k}) (applying Lemma 3 over F_{q^k}); this is also the smallest k with E[n] ⊆ E(F_{q^k}). For convenience, we summarize the relevant information in Table 1. Note that in each class E(F_{q^k}) is of type (c·n1, c·n1), where c is as given in the Table. We now proceed to give a detailed description of the reduction for these curves.

Algorithm 3
Input: A supersingular curve E(F_q), a point P ∈ E(F_q) of order n, and a point R ∈ <P>.
Output: An integer l such that R = lP.
(i) Determine k and c from Table 1.
(ii) Pick a random point Q' ∈ E(F_{q^k}) and set Q = (c·n1/n)·Q'.
(iii) Compute α = e_n(P, Q) and β = e_n(R, Q).
(iv) Compute l, the discrete logarithm of β to the base α in F_{q^k}.
(v) Check whether lP = R. If so, then l is the answer and we are done. Otherwise the order of α must be less than n, so go to (ii).

Note that by Lemma 7, Q is a random element of E[n]. Note also that, by Lemma 5 and the facts that there are n cosets of <P> within E[n] and φ(n) elements of order n in μ_n, the probability that α has order n is φ(n)/n.

Table 1: Some information about supersingular curves

Class | #E(F_q)       | Type of E(F_q)            | k | Type of E(F_{q^k})          | c
I     | q + 1         | cyclic                    | 2 | (q+1, q+1)                  | 1
II    | q + 1         | ((q+1)/2, 2)              | 2 | (q+1, q+1)                  | 2
III   | q + 1 ∓ √q    | cyclic                    | 3 | (q√q ± 1, q√q ± 1)          | √q ± 1
IV    | q + 1 ∓ √(2q) | cyclic                    | 4 | (q² + 1, q² + 1)            | q + 1 ± √(2q)
V     | q + 1 ∓ √(3q) | cyclic                    | 6 | (q³ + 1, q³ + 1)            | (q + 1)(q + 1 ± √(3q))
VI    | q + 1 ∓ 2√q   | (√q ∓ 1, √q ∓ 1)          | 1 | (√q ∓ 1, √q ∓ 1)            | 1

(The upper and lower signs in a row correspond.)

We now proceed to prove the main result of this Section.

Proof of Theorem 11. We assume that the field F_q is explicitly given, i.e. that a basis of F_q over its prime field is given. To do arithmetic in F_{q^k}, we need to find an irreducible polynomial f(x) of degree k over F_q; this can be done in probabilistic polynomial time, for example by the method in [15] (the algorithm in [15] is described for prime fields, but is also applicable to F_q). F_{q^k} is then isomorphic to F_q[x]/(f(x)), where (f(x)) denotes the ideal generated by f(x) in F_q[x]. The point Q' in step (ii) of Algorithm 3 can be chosen in probabilistic polynomial time by the method of Section 2, since E(F_{q^k}) has polynomially many coordinates to sample from and its order is known. The elements α and β can be computed in probabilistic polynomial time by Miller's algorithm. The order of α can be checked in polynomial time using Lemma 6, since the factorization of n is known. By Lemmas 5 and 7 the probability that α has order n is φ(n)/n; since n/φ(n) = O(ln ln n) (see [16]) and n = O(q), the expected number of iterations of steps (ii) to (v) before a Q is found with e_n(P, Q) of order n is O(ln ln q). Finally, observe that lP = R can be checked in polynomial time.  □

Proof of Corollary 12. The problem in step (iv) of Algorithm 3 is to compute a logarithm in F_{q^k} with respect to a base element α of order n < q^k − 1. The subexponential algorithms of [3], [4] and [5] for computing logarithms in a finite field require that the base element be primitive. Using these algorithms, we can solve the problem in (iv) as follows. We first obtain the factorization of q^k − 1 in probabilistic subexponential time, with one of the many integer factorization techniques available (for example [20] for a practical algorithm with a heuristic running time analysis, and [14] for an algorithm with a rigorous analysis). Observe that we have a priori the following partial factorization of q^k − 1:

  (I), (II):  q² − 1 = (q − 1)(q + 1).
  (III):  q³ − 1 = (q − 1)(q + 1 − √q)(q + 1 + √q).
  (IV):  q⁴ − 1 = (q − 1)(q + 1)(q + 1 − √(2q))(q + 1 + √(2q)).
  (V):  q⁶ − 1 = (q − 1)(q + 1)(q + 1 − √q)(q + 1 + √q)(q + 1 − √(3q))(q + 1 + √(3q)).

We then select random elements γ ∈ F_{q^k} until γ has order q^k − 1. The order of γ can be checked in polynomial time using Lemma 6, and the expected number of trials is (q^k − 1)/φ(q^k − 1), which is O(ln ln q) since k ≤ 6. By solving two discrete logarithm problems in F_{q^k} to the base γ, we find the unique integers s and u, 0 ≤ s, u < q^k − 1, such that α = γ^s and β = γ^u. Let w = gcd(s, q^k − 1); then the order of α is (q^k − 1)/w. Since α^l = β we have the congruence l·s ≡ u (mod q^k − 1), and hence

  l ≡ (u/w)·(s/w)^{−1}  (mod (q^k − 1)/w).
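The following Python program is an added worked example and is not part of the paper. It runs Algorithm 3 on a toy class I curve, E: y² = x³ + x over F_43 (43 ≡ 3 (mod 4), so t = 0, #E(F_43) = 44, E(F_43) is cyclic, k = 2 and E(F_{43²}) ≅ Z_44 ⊕ Z_44), for the subgroup of prime order n = 11. It implements F_{43²} = F_43[i]/(i² + 1), the chord-and-tangent group law, Miller's algorithm for the Weil pairing, the order test of Lemma 6, and the reduction itself; the final logarithm in F_{43²} is found by brute force since the field is tiny. Two departures from the paper are assumptions of this example: the pairing is evaluated as e_n(P, Q) = f_P(Q+S)·f_Q(−S) / (f_P(S)·f_Q(P−S)) with one auxiliary point S ∈ E(F_43), translating only Q's divisor (the form given in L. C. Washington's textbook Elliptic Curves: Number Theory and Cryptography), and the random point of E[n] in step (ii) is produced from the basis P, φ(P), where φ(x, y) = (−x, iy) is the distortion map of this curve, instead of sampling E(F_{q²}) and multiplying by c·n1/n. Both give the same pairing values and the same uniform distribution on E[n]. The retry on a vanishing line is the failure case the appendix bounds by 8t/N.

```python
import random

P_MOD, N_ORD = 43, 11          # p = 3 (mod 4) prime; #E(F_p) = p + 1 = 44 = 4 * 11
INF = None                     # the point at infinity O
ZERO, ONE, I_UNIT = (0, 0), (1, 0), (0, 1)

# F_{p^2} = F_p[i]/(i^2 + 1), irreducible since p = 3 (mod 4); (a, b) means a + b*i.
def fadd(u, v): return ((u[0] + v[0]) % P_MOD, (u[1] + v[1]) % P_MOD)
def fsub(u, v): return ((u[0] - v[0]) % P_MOD, (u[1] - v[1]) % P_MOD)
def fmul(u, v): return ((u[0]*v[0] - u[1]*v[1]) % P_MOD, (u[0]*v[1] + u[1]*v[0]) % P_MOD)
def finv(u):                   # (a + bi)^-1 = (a - bi)/(a^2 + b^2); raises on zero
    d = (u[0]*u[0] + u[1]*u[1]) % P_MOD
    if d == 0: raise ZeroDivisionError
    d = pow(d, P_MOD - 2, P_MOD)
    return ((u[0]*d) % P_MOD, (-u[1]*d) % P_MOD)
def fpow(u, e):
    r = ONE
    while e:
        if e & 1: r = fmul(r, u)
        u, e = fmul(u, u), e >> 1
    return r

# Curve E: y^2 = x^3 + x.  Points are (x, y) with x, y in F_{p^2}, or INF.
def neg(A): return INF if A is INF else (A[0], fsub(ZERO, A[1]))
def slope(A, B):               # chord slope, or tangent slope (3x^2 + 1)/(2y) when A == B
    if A == B: return fmul(fadd(fmul((3, 0), fmul(A[0], A[0])), ONE), finv(fmul((2, 0), A[1])))
    return fmul(fsub(B[1], A[1]), finv(fsub(B[0], A[0])))
def add(A, B):
    if A is INF: return B
    if B is INF: return A
    if A[0] == B[0] and (A[1] != B[1] or A[1] == ZERO): return INF
    lam = slope(A, B)
    x3 = fsub(fsub(fmul(lam, lam), A[0]), B[0])
    return (x3, fsub(fmul(lam, fsub(A[0], x3)), A[1]))
def mul(k, A):
    R = INF
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R
def phi(A):                    # distortion map (x, y) -> (-x, i*y); sends E(F_p) off E(F_p)
    return (fsub(ZERO, A[0]), fmul(I_UNIT, A[1]))

def miller(A, n, X):
    """f_{n,A}(X) with div(f) = n(A) - n(O) by Miller's double-and-add on
    f_{i+j} = f_i f_j l_{iA,jA} / v_{(i+j)A}.  Raises when a line vanishes at X."""
    def g(U, V):               # l_{U,V}(X) / v_{U+V}(X), with v_O = 1 when U + V = O
        if U[0] == V[0] and U[1] != V[1]: return fsub(X[0], U[0])
        lam, W = slope(U, V), add(U, V)
        l = fsub(fsub(X[1], U[1]), fmul(lam, fsub(X[0], U[0])))
        return fmul(l, finv(fsub(X[0], W[0])))
    f, T = ONE, A
    for bit in bin(n)[3:]:
        f, T = fmul(fmul(f, f), g(T, T)), add(T, T)
        if bit == '1': f, T = fmul(f, g(T, A)), add(T, A)
    if f == ZERO: raise ZeroDivisionError
    return f

def weil(A, B, n, rng, aux):
    """e_n(A, B) = f_A(B+S) f_B(-S) / (f_A(S) f_B(A-S)), S a random point of
    `aux` avoiding O, A, -B, A-B; retried when an intermediate line vanishes."""
    while True:
        S = rng.choice(aux)
        if S in (A, neg(B), add(A, neg(B))): continue
        try:
            num = fmul(miller(A, n, add(B, S)), miller(B, n, neg(S)))
            den = fmul(miller(A, n, S), miller(B, n, add(A, neg(S))))
            return fmul(num, finv(den))
        except ZeroDivisionError:
            continue

def has_order(g, n):           # Lemma 6: g^n = 1 and g^(n/r) != 1 for every prime r | n
    if fpow(g, n) != ONE: return False
    m, r = n, 2
    while r * r <= m:
        if m % r == 0:
            if fpow(g, n // r) == ONE: return False
            while m % r == 0: m //= r
        r += 1
    return m == 1 or fpow(g, n // m) != ONE

def affine_points():           # E(F_p) minus O by brute force; sqrt(z) = z^((p+1)/4)
    pts = []
    for x in range(P_MOD):
        z = (x*x*x + x) % P_MOD
        y = pow(z, (P_MOD + 1) // 4, P_MOD)
        if (y*y) % P_MOD == z:
            pts.append(((x, 0), (y, 0)))
            if y: pts.append(((x, 0), (P_MOD - y, 0)))
    return pts

def mov_log(P, R, n, rng, aux):
    """Algorithm 3: find l with R = lP by mapping <P> into the n-th roots of
    unity of F_{p^2} through the Weil pairing (Theorem 10)."""
    if R is INF: return 0
    while True:
        # step (ii): random point of E[n] = <P> + <phi(P)>  (distortion-map shortcut)
        Q = add(mul(rng.randrange(n), P), mul(rng.randrange(n), phi(P)))
        if Q is INF: continue
        alpha = weil(P, Q, n, rng, aux)
        if not has_order(alpha, n): continue        # e_n(P, Q) must be a primitive root
        beta = weil(R, Q, n, rng, aux)              # step (iii)
        l = next(i for i in range(n) if fpow(alpha, i) == beta)   # step (iv), brute force
        assert mul(l, P) == R                       # step (v)
        return l

def demo(l=7, seed=1):
    """Pick P of order 11 in E(F_43), hide l in R = lP, and recover it."""
    rng, aux = random.Random(seed), affine_points()
    P = next(T for T in (mul((P_MOD + 1) // N_ORD, G) for G in aux) if T is not INF)
    return mov_log(P, mul(l, P), N_ORD, rng, aux)
```

When Q happens to land in <P> (b = 0 in the random combination), e_n(P, Q) = 1 and the Lemma 6 test sends the loop back to step (ii), which is the φ(n)/n success probability of the text; with n prime the test is just α ≠ 1.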

The logarithms in F_{q^k} can be computed in probabilistic subexponential time in ln q^k (and consequently also in ln q) using, for example, the algorithm of [4] if q is a prime and k = 1, of [5] if q is a prime and k > 1, or of [3] if q is a proper power of a small prime.  □

5 Cryptographic Implications

Elliptic curve cryptosystems have the potential to be implemented efficiently with a small block size and relatively high security. (This was, of course, the motivation for studying such systems.) With RSA-like schemes, block sizes in excess of 500 bits, and preferably 1,000 bits, are now necessary in practice for adequate security. Using the results of the preceding Section, we can easily demonstrate that a supersingular curve over F_{2^m} is no more secure than the cyclic group of non-zero elements of F_{2^{km}}, where k ≤ 6 is given by Table 1; since the cost of computations on the curve is higher than the cost of computations in F_{2^{km}}, it appears that such a curve is inferior to the existing systems for cryptographic purposes. Similar statements are valid for the supersingular curves over any finite field.

Note that the reduction of Algorithm 3 is a probabilistic polynomial time reduction, whereas Algorithm 3 as modified in the proof of Corollary 12 is no longer polynomial time, since it factors q^k − 1. If n is a prime, then α has order either 1 or n, and it is easy to check which. If n is not a prime, however, one may have to repeatedly choose random points Q and solve several discrete logarithm problems before an α of order n is found; the modification in the proof of Corollary 12 avoids this possibility, since the order of α is obtained directly from s. Thus, in setting up an elliptic curve cryptosystem, care must be exercised in selecting the finite field, and the curve must be judiciously chosen.

The dominant step of the algorithm, as modified in the proof of Corollary 12, is the final stage of computing logarithms in F_{q^k}. The expected running time of the algorithm is thus L[1/2, q^k] if q is a prime, and L[1/3, q^k] if q is a power of 2.

Among the curves that have been suggested for cryptographic purposes are the following:
(A) y² + y = x³ over F_{2^m}, m odd (class I).
(B) y² = x³ − ax over F_p, where p > 3 is a prime, p ≡ 3 (mod 4), and a is a quadratic non-residue in F_p (class I).
(C) y² = x³ − ax over F_p, where p > 3 is a prime, p ≡ 3 (mod 4), and a is a quadratic residue in F_p (class II).
(D) y² = x³ + b over F_p, where p > 3 is a prime and p ≡ 2 (mod 3) (class I).

The curve (A) was first considered for the implementation of elliptic curve cryptosystems by Koblitz [8]; the particular values m = 61 and m = 127 have been suggested for it. Since (A) is of class I, the elliptic curve logarithm problem for these curves reduces to the discrete logarithm problem in F_{2^{122}} and F_{2^{254}} respectively, which is clearly tractable using the index-calculus methods [3]; these values of m are therefore inadequate for cryptographic purposes. The values m = 191 and m = 251 have also been suggested for this curve; by the comments of the previous paragraph, these should also be avoided. The curves (B) and (C) have likewise been suggested for cryptographic use. Finally, the class of curves (D) was suggested in [2] for the implementation of El Gamal cryptosystems, and by Kaliski [6] for the implementation of secure pseudorandom generators. For each of (B), (C) and (D), k = 2, so the elliptic curve logarithm problem reduces to the discrete logarithm problem in F_{p²}.

In order to implement cryptographic protocols like Diffie-Hellman and El Gamal [8], one would like a cyclic group in which it is relatively easy to exponentiate and in which the discrete logarithm problem is apparently intractable. The cyclic curves

  E1 : y² + y = x³ + x  and  E2 : y² + y = x³ + x + 1

over F_{2^m}, m odd, are of class IV (see [9]), and are much more attractive than the curves above, since they are easily implementable and give a security level equivalent to that of the multiplicative group of F_{2^{4m}} (k = 4).

It should be noted that although the supersingular curves over F_{2^m} have received the most attention to date, this does not mean that the general class of curves over F_{2^m} is unattractive. Some work has been done on the implementation of non-supersingular curves over F_q, q odd, and over F_{2^m}, and this will be reported in [10].

6 Acknowledgements

We wish to thank Neal Koblitz for conjecturing that the supersingular curves have a small k value. We would also like to thank Victor Miller for sending us a copy of his unpublished manuscript [11].

References

1. L. Adleman, K. Manders and G. Miller, On taking roots in finite fields, Proceedings of the 20th Annual Symposium on the Foundations of Computer Science (1979), 175-178.
2. A. Bender and G. Castagnoli, On the implementation of elliptic curve cryptosystems, Advances in Cryptology - Proceedings of Crypto '89, Lecture Notes in Computer Science, 435 (1990), Springer-Verlag.
3. D. Coppersmith, Fast evaluation of logarithms in fields of characteristic two, IEEE Transactions on Information Theory, IT-30 (1984), 587-594.
4. D. Coppersmith, A. Odlyzko and R. Schroeppel, Discrete logarithms in GF(p), Algorithmica, 1 (1986), 1-15.
5. T. ElGamal, A subexponential-time algorithm for computing discrete logarithms over GF(p²), IEEE Transactions on Information Theory, IT-31 (1985), 473-481.
6. B. Kaliski, A pseudorandom bit generator based on elliptic curves, Advances in Cryptology - Proceedings of Crypto '86, Lecture Notes in Computer Science, 263 (1987), Springer-Verlag, 84-103.
7. B. Kaliski, Elliptic curves and cryptography: a pseudorandom bit generator and other tools, PhD thesis, M.I.T., January 1988.
8. N. Koblitz, Elliptic curve cryptosystems, Mathematics of Computation, 48 (1987), 203-209.
9. A. Menezes and S. Vanstone, The implementation of elliptic curve cryptosystems, Advances in Cryptology - Proceedings of Auscrypt '90, Lecture Notes in Computer Science, 453 (1990), Springer-Verlag, 2-13.
10. A. Menezes and S. Vanstone, Elliptic curve cryptosystems and their implementation, in preparation.
11. V. Miller, Short programs for functions on curves, unpublished manuscript, 1986.
12. V. Miller, Uses of elliptic curves in cryptography, Advances in Cryptology - Proceedings of Crypto '85, Lecture Notes in Computer Science, 218 (1986), Springer-Verlag, 417-426.
13. A. Odlyzko, Discrete logarithms in finite fields and their cryptographic significance, Advances in Cryptology - Proceedings of Eurocrypt '84, Lecture Notes in Computer Science, 209 (1985), Springer-Verlag, 224-314.
14. C. Pomerance, Fast, rigorous factorization and discrete logarithm algorithms, Discrete Algorithms and Complexity (1987), 119-143.
15. M. Rabin, Probabilistic algorithms in finite fields, SIAM Journal on Computing, 9 (1980), 273-280.
16. J. Rosser and L. Schoenfeld, Approximate formulas for some functions of prime numbers, Illinois Journal of Mathematics, 6 (1962), 64-94.
17. R. Schoof, Elliptic curves over finite fields and the computation of square roots mod p, Mathematics of Computation, 44 (1985), 483-494.
18. R. Schoof, Nonsingular plane cubic curves over finite fields, Journal of Combinatorial Theory, A 46 (1987), 183-211.
19. J. Silverman, The Arithmetic of Elliptic Curves, Springer-Verlag, New York, 1986.
20. R. Silverman, The multiple polynomial quadratic sieve, Mathematics of Computation, 48 (1987), 329-339.
Appendix (Weil Pairing)

We give a brief introduction to the theory of divisors, define the Weil pairing, and outline Miller's algorithm for computing the Weil pairing. For a more thorough treatment of this subject, we refer to [19] and [11].

Let K = F_q and let K̄ denote its algebraic closure. Let E be an elliptic curve defined over K, with defining equation F(x, y) = 0, F ∈ K[x, y]. If L is any field containing K, then E(L) denotes the set of points on the curve whose coordinates are in L. We will write E for E(K̄). A divisor is a formal sum D = Σ_{P ∈ E} n_P (P) of points of E, where n_P ∈ Z and all but finitely many of the n_P are 0. The divisors form an additive group. The degree of D is the integer Σ n_P, and the support of D is the set {P ∈ E : n_P ≠ 0}. D_0 denotes the group of divisors of degree 0. The function field of E over K̄ is K̄(E), the field of fractions of the ring K̄[x, y]/(F); similarly, K(E) is the field of fractions of K[x, y]/(F). For a non-zero f ∈ K̄(E) and P ∈ E, define v_P(f) to be n > 0 if f has a zero of order n at P, −n if f has a pole of order n at P, and 0 otherwise. We associate with f the divisor Σ_{P ∈ E} v_P(f)(P), and denote it by (f); one can verify that (f) ∈ D_0. A divisor D is said to be principal if D = (f) for some f ∈ K̄(E). One can also verify that D = Σ n_P (P) is principal if and only if Σ n_P = 0 and Σ n_P P = O, the latter sum being computed with the addition on the curve. The principal divisors form a subgroup of D_0. If D1, D2 ∈ D_0, we write D1 ~ D2 if D1 − D2 is principal; for each D ∈ D_0 there exists a unique point P ∈ E such that D ~ (P) − (O). If f ∈ K̄(E) and D = Σ n_P (P) is a divisor whose support is disjoint from the support of (f), we define f(D) = Π f(P)^{n_P}.

Now let m be an integer coprime to q, and let P, Q ∈ E[m]. Let A, B ∈ D_0 be such that A ~ (P) − (O), B ~ (Q) − (O), and A and B have disjoint supports. Then mA and mB are principal; let f_A, f_B ∈ K̄(E) be such that (f_A) = mA and (f_B) = mB. The Weil pairing e_m(P, Q) is defined by

  e_m(P, Q) = f_A(B) / f_B(A).

The value does not depend on the choice of A, B, f_A and f_B.

Miller's algorithm. Let D1 = (P1) − (O) + (f1) and D2 = (P2) − (O) + (f2), where P1, P2 ∈ E and f1, f2 ∈ K̄(E). Then

  D1 + D2 = (P3) − (O) + (f1 f2 f3),

where P3 = P1 + P2 and f3 = l/v, l being the equation of the line through P1 and P2 (the tangent line if P1 = P2) and v the equation of the vertical line through P3. Given a principal divisor D, one can therefore find f with (f) = D by repeatedly applying this addition formula along an addition chain; notice that the computations take place in the field K itself if the points involved have coordinates in K. The problem with writing f down explicitly is that the intermediate functions, and f itself, may be of exponential size, i.e. the number of non-zero monomials (with their coefficients) may be exponential in the input size. Instead, the method represents f by a straight-line program, namely the sequence of intermediate steps of the addition chain. The size of the straight-line program is polynomial, and f(P) can be evaluated at a point P ∈ E in polynomial time (provided f(P) is defined). As a result of this representation, the method can be used to evaluate f at points and divisors, rather than to write f down.

To compute e_m(P, Q), we first pick random points T, U ∈ E(K) and set A = (P + T) − (T) and B = (Q + U) − (U). Let 1 = a_1, a_2, ..., a_t = m be a fixed addition chain for m, where t = O(log_2 m). We compute straight-line programs for f_A and f_B by the method described above, and then compute

  e_m(P, Q) = f_A(Q + U) f_B(T) / ( f_B(P + T) f_A(U) ).

The value e_m(P, Q) will be computed successfully provided that, for each i, 1 ≤ i ≤ t, the points a_i T and a_i (P + T) are distinct from Q + U and U, and the points a_i U and a_i (Q + U) are distinct from P + T and T (so that the intermediate divisors have disjoint supports). Let N = #E(K). The number of pairs (T, U) which do not satisfy the above conditions is at most 8tN; hence if the pair (T, U) is selected uniformly at random, the probability that e_m(P, Q) is not computed successfully is at most 8t/N, which is negligible for the values of N in question. If the computation fails, we pick a new pair of random points T, U and repeat.
