Journal of Cryptology, Volume 11, Issue 2, pp 141–145

The Improbability That an Elliptic Curve Has Subexponential Discrete Log Problem under the Menezes–Okamoto–Vanstone Algorithm

  • R. Balasubramanian
  • Neal Koblitz

DOI: 10.1007/s001459900040

Cite this article as:
Balasubramanian, R. & Koblitz, N. J. Cryptology (1998) 11: 141. doi:10.1007/s001459900040


The security of elliptic curve cryptosystems is based on the presumed intractability of the discrete logarithm problem on the curve. Other than algorithms that work in an arbitrary group and are exponential in the general case, the only general-purpose algorithm that has ever been proposed for the elliptic curve discrete logarithm is that of Menezes–Okamoto–Vanstone (MOV). The MOV algorithm, which embeds an elliptic curve group of prime order \(l\) in the multiplicative group of a field \(\mathbb{F}_{q^k}\), is subexponential only under special circumstances, however. In this paper we first prove that, under a mild condition that always holds in practical applications, the condition that \(l \mid (q^k-1)\), which is obviously necessary for realizing the MOV algorithm, is also sufficient. We next give an improved upper bound for the frequency of occurrence of pairs of primes \(l\), \(p\) such that \(l \mid (p^k-1)\) for \(k\) small, where \(l\) is in the Hasse interval \([p+1-2\sqrt{p},p+1+2\sqrt{p}]\).

Key words. Discrete logarithm, Elliptic curve, Weil pairing.
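The divisibility condition \(l \mid (q^k-1)\) in the abstract is what a curve-parameter check tests before a curve is accepted. The following Python sketch is an added example, not code from the paper: the cutoff `max_k=100`, the function names and the toy pair (59, 5) are assumptions made here, and the secp256k1 constants are the published ones.

```python
from typing import Optional

# secp256k1 field prime p and prime group order n (published parameters).
SECP256K1_P = 2**256 - 2**32 - 977
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed toy case: y^2 = x^3 + x over F_59 has 60 points (59 = 3 mod 4),
# so it has a subgroup of prime order 5.
TOY_Q, TOY_GROUP_ORDER, TOY_L = 59, 60, 5


def embedding_degree(q: int, l: int, max_k: int = 100) -> Optional[int]:
    """Smallest k <= max_k with l | (q^k - 1), or None if no such k exists.

    l is assumed to be prime (not verified here). max_k is an assumed
    screening cutoff, not a value taken from the paper.
    """
    if l < 2 or q % l == 0:
        raise ValueError("need l >= 2 and l not dividing q")
    acc = 1
    for k in range(1, max_k + 1):
        acc = (acc * q) % l          # acc == q^k mod l
        if acc == 1:
            return k
    return None


def in_hasse_interval(p: int, n: int) -> bool:
    """True if n lies in [p + 1 - 2*sqrt(p), p + 1 + 2*sqrt(p)]."""
    t = p + 1 - n                    # trace of Frobenius
    return t * t <= 4 * p            # integer form of |t| <= 2*sqrt(p)


def mov_screen(q: int, l: int, max_k: int = 100) -> str:
    """Classify (q, l) by whether a small embedding field F_{q^k} exists."""
    k = embedding_degree(q, l, max_k)
    if k is None:
        return f"no k <= {max_k}: MOV embedding field is impractically large"
    return f"k = {k}: discrete log transfers to F_q^{k}, reject for ECC use"


if __name__ == "__main__":
    print("toy      :", mov_screen(TOY_Q, TOY_L))
    print("secp256k1:", mov_screen(SECP256K1_P, SECP256K1_N))
```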

Copyright information

© International Association for Cryptologic Research 1998

Authors and Affiliations

  • R. Balasubramanian (1)
  • Neal Koblitz (2)

  1. Institute of Mathematical Sciences, Madras, India
  2. Department of Mathematics, University of Washington, Seattle, U.S.A.