On ordinary elliptic curve cryptosystems

  • Atsuko Miyaji
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 739)


Recently, a method, reducing the elliptic curve discrete logarithm problem(EDLP) to the discrete logarithm problem(DLP) in a finite field, was proposed. But this reducing is valid only when Weil pairing can be defined over the m-torsion group which includes the base point of EDLP. If an elliptic curve is ordinary, there exists EDLP to which we cannot apply the reducing. In this paper, we investigate the condition for which this reducing is invalid. We show the next two main results.

(1) For any elliptic curve E defined over F2r, we can reduce EDLP on E, in an expected polynomial time, to EDLP that we can apply the MOV reduction to and whose size is same as or less than the original EDLP. (2) For an ordinary elliptic curve E defined over F p (p is a large prime), EDLP on E cannot be reduced to DLP in any extension field of F p by any embedding. We also show an algorithm that constructs such ordinary elliptic curves E defined over F p that makes reducing EDLP on E to DLP by embedding impossible.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [At-Mo]
    A. O. L. Atkin and F. Morain, “Elliptic curves and primality proving”, Research Report 1256, INRIA, Juin 1990. Submitted to Math. Comp.Google Scholar
  2. [Be-Ca]
    A. Bender and G. Castagnoli, “On the implementation of elliptic curve cryptosystems”, Advances in Cryptology — Proceedings of Crypto '89, Lecture Notes in Computer Science, 435 (1990), Springer-Verlag, 186–192.Google Scholar
  3. [Be-Sc]
    T. Beth and F. Schaefer, “Non supersingular elliptic curves for public key cryptosystems”, Abstracts for Eurocrypto 91, Brighton, U.K. 155–159.Google Scholar
  4. [Deu]
    M. Deuring, “Die Typen der Multiplikatorenringe elliptischer Funktionenkörper”, Abh. Math. Sem. Hamburg 14 (1941), 197–272.Google Scholar
  5. [Ko1]
    N. Koblitz, “Elliptic curve cryptosystems”, Math. Comp. 48(1987), 203–209.Google Scholar
  6. [Ko2]
    N. Koblitz, “A course in Number Theory and Cryptography”, GTM114, Springer-Verlag, New York(1987).Google Scholar
  7. [La1]
    S. Lang, “Algebraic Number Theory”, GTM110, Springer-Verlag, New York(1986).Google Scholar
  8. [La2]
    S. Lang, “Elliptic Functions”, Addison-Wesley, 1973.Google Scholar
  9. [Mil]
    V. S. Miller, “Use of elliptic curves in cryptography”, Advances in Cryptology-Proceedings of Crypto'85, Lecture Notes in Computer Science, 218 (1986), Springer-Verlag, 417–426.Google Scholar
  10. [Me-Va]
    A. Menezes and S. Vanstone, “The implementaion of elliptic curve cryptosystems”, Advances in Cryptology — Proceedings of Auscrypt'90, Lecture Notes in Computer Science, 453(1990), Springer-Verlag, 2–13.Google Scholar
  11. [Mo]
    F. Morain, “Building cyclic elliptic curves modulo large primes”, Abstracts for Eurocrypto91, Brighton, U.K. 160–164.Google Scholar
  12. [MOV]
    A. Menezes, S. Vanstone and T. Okamoto, “Reducing elliptic curve logarithms to logarithms in a finite field”, to appear in Proc. STOC'91.Google Scholar
  13. [Ri]
    P. Ribenboim, “The book of prime number records”, Springer-Verlag, New-York, 1988.Google Scholar
  14. [Sil]
    J. H. Silverman, “The Arithmetic of Elliptic Curves”, GTM106, Springer-Verlag, New York, 1986Google Scholar
  15. [SIS]
    H. Shizuya, T. Itoh and K. Sakurai, “On the Complexity of Hyperelliptic Discrete Logarithm Problem”, Proc. Eurocrypt'91, Lecture Notes in Computer Science, Springer-Verlag (to appear).Google Scholar
  16. [Ta]
    T. Takagi, “Syotou seisuuronn kougi”, Kyouritu Syuppan.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1993

Authors and Affiliations

  • Atsuko Miyaji
    • 1
  1. 1.Matsushita Electric Industrial Co., LTD.OsakaJapan

Personalised recommendations