An Analysis of the Vector Decomposition Problem

  • Steven D. Galbraith
  • Eric R. Verheul
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4939)


The vector decomposition problem (VDP) has been proposed as a computational problem on which to base the security of public key cryptosystems. We give a generalisation and simplification of the results of Yoshida on the VDP. We then show that, for the supersingular elliptic curves which can be used in practice, the VDP is equivalent to the computational Diffie-Hellman problem (CDH) in a cyclic group. For the broader class of pairing-friendly elliptic curves we relate VDP to various co-CDH problems and also to a generalised discrete logarithm problem 2-DL which in turn is often related to discrete logarithm problems in cyclic groups.


Keywords: Vector decomposition problem; elliptic curves; Diffie-Hellman problem; generalised discrete logarithm problem



Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Steven D. Galbraith (1)
  • Eric R. Verheul (2)

  1. Mathematics Department, University of London, Egham, United Kingdom
  2. PricewaterhouseCoopers Advisory, Radboud University Nijmegen, Amsterdam, The Netherlands
