On the discrete logarithm problem in elliptic curves Claus Diem - - PowerPoint PPT Presentation

On the discrete logarithm problem in elliptic curves

Claus Diem University of Leipzig

On the discrete logarithm problem in elliptic curves – p.1/37

Some history

At ECC 2004 in Bochum, Pierrick Gaudry presented an index calculus algorithm for the ECDLP over extension fields:

Heuristic claim

Let n ∈ N, n ≥ 2 be fixed. Then the ECDLP over fields of the form Fqn can be solved in an expected time of

O(q2− 2

n) .

On the discrete logarithm problem in elliptic curves – p.2/37

Some history

At ECC 2004 in Bochum, Pierrick Gaudry presented an index calculus algorithm for the ECDLP over extension fields:

Heuristic claim

Let n ∈ N, n ≥ 2 be fixed. Then the ECDLP over fields of the form Fqn can be solved in an expected time of

O(q2− 2

n) .

He mentioned that I have an L[3/4]-algorithm for elliptic curves over some fields.

On the discrete logarithm problem in elliptic curves – p.2/37

Some history

At ECC 2004 in Bochum, Pierrick Gaudry presented an index calculus algorithm for the ECDLP over extension fields:

Heuristic claim

Let n ∈ N, n ≥ 2 be fixed. Then the ECDLP over fields of the form Fqn can be solved in an expected time of

O(q2− 2

n) .

He mentioned that I have an L[3/4]-algorithm for elliptic curves over some fields. On the next day, I claimed:

On the discrete logarithm problem in elliptic curves – p.2/37

Some history

Claim.

There exists a randomized algorithm which takes as input a tuple (q, n, E/Fqn, A, B), where q is a prime power, n a natural number, E/Fqn an elliptic curve and

A, B ∈ E(Fqn) with B ∈ A, which computes the DLP with

respect to A and B and has the following property: Let us fix a, b ∈ R with 0 < a < b and let us consider all instances with

a log2(q) ≤ n ≤ b log2(q).

Then restricted to these instances, the algorithm has an expected running time of

O

• 2D·(n·log2(q))3/4

for D = 4b + ǫ

a3/4 .

On the discrete logarithm problem in elliptic curves – p.3/37

Some history

And I continued ...

On the discrete logarithm problem in elliptic curves – p.4/37

Some history

And I continued ...

Please note.

• 1. I do not have a complete proof of this statement.
• 2. The algorithm is not practical.

On the discrete logarithm problem in elliptic curves – p.4/37

The good (and the bad) news

There is now a proven result:

On the discrete logarithm problem in elliptic curves – p.5/37

The good (and the bad) news

There is now a proven result: For fixed a, b > 0 and instances with

a log(q)1/3 ≤ n ≤ b log(b)

we have an expected time of

eO((log(qn))3/4) .

On the discrete logarithm problem in elliptic curves – p.5/37

The good (and the bad) news

There is now a proven result: For fixed a, b > 0 and instances with

a log(q)1/3 ≤ n ≤ b log(b)

we have an expected time of

eO((log(qn))3/4) .

The algorithm is still not practical.

On the discrete logarithm problem in elliptic curves – p.5/37

A preliminary algorithm

Let an instance E/Fqn, A, B be given, E in Weierstraß-Form. Let us for simplicity assume that #E(Fqn) is prime. Let k := Fq, K := Fqn, and let x : E −

→ P1

K be as usual.

On the discrete logarithm problem in elliptic curves – p.6/37

A preliminary algorithm

• 1. Determine N := #E(K).

On the discrete logarithm problem in elliptic curves – p.7/37

A preliminary algorithm

• 1. Determine N := #E(K).
• 2. Determine some m ≤ n and c ≤ n.
• 3. Choose some c-dimensional k-vector subspace U of

K.

• 4. Define a so-called factor base

F := {P ∈ E(K) | x(P) ∈ U}

Let F = {F1, . . . , Fk}.

On the discrete logarithm problem in elliptic curves – p.7/37

A preliminary algorithm

• 5. For i = 1, . . . , k + 1 do

Repeat Choose αi, βi ∈ Z/NZ uniformly randomly and try to determine a relation

P1 + · · · + Pm = αiA + βiB

with P1, . . . , Pm ∈ F. Until this was successful. Rewrite the relation as

k

• j=1

ri,jFj = αiA + βiB .

On the discrete logarithm problem in elliptic curves – p.8/37

A preliminary algorithm

• 6. Determine some γ ∈ (Z/NZ)k+1 : γR = 0, γ = 0.

We have

(

• i

γiαi)a + (

• i

γiβi)b = 0

and thus

b = −

i γiαi

• i γiβi

a .

On the discrete logarithm problem in elliptic curves – p.9/37

Relation generation

Given C (= αA + βB) ∈ E(K), we want to find a relation

P1 + · · · + Pm = C

with P1, . . . , Pm ∈ F. For this we try to solve systems of multivariate polynomial equations over k.

On the discrete logarithm problem in elliptic curves – p.10/37

Relation generation

• Idea. For P1, . . . , Pm ∈ E(K), the condition P1 + · · · + Pm = C

can be expressed algebraically over K. We try to find relations by solving systems of polynomial equations over k. The space of tuples (P1, . . . , Pm) ∈ Fm has mc degrees

• f freedom over k.

The space of points C ∈ E(K) has n degrees of freedom over k.

On the discrete logarithm problem in elliptic curves – p.11/37

Relation generation

• Idea. For P1, . . . , Pm ∈ E(K), the condition P1 + · · · + Pm = C

can be expressed algebraically over K. We try to find relations by solving systems of polynomial equations over k. The space of tuples (P1, . . . , Pm) ∈ Fm has mc degrees

• f freedom over k.

The space of points C ∈ E(K) has n degrees of freedom over k.

= ⇒ Let δ := mc − n. Then for fixed C the relations / solutions (P1, . . . , Pm) ∈ Fm with P1 + · · · + Pm = C vary in a δ-dimensional space over k.

On the discrete logarithm problem in elliptic curves – p.11/37

Relation generation

• Idea. For P1, . . . , Pm ∈ E(K), the condition P1 + · · · + Pm = C

can be expressed algebraically over K. We try to find relations by solving systems of polynomial equations over k. The space of tuples (P1, . . . , Pm) ∈ Fm has mc degrees

• f freedom over k.

The space of points C ∈ E(K) has n degrees of freedom over k.

= ⇒ Let δ := mc − n. Then for fixed C the relations / solutions (P1, . . . , Pm) ∈ Fm with P1 + · · · + Pm = C vary in a δ-dimensional space over k.

We want that δ = 0 ...

On the discrete logarithm problem in elliptic curves – p.11/37

A new preliminary algorithm

• 1. Determine N := #E(K).
• 2. Determine some m ≤ n, let c := ⌈ n

m⌉ and δ := mc − n.

We thus have n = mc − δ = (m − δ) · c + δ · (c − 1).

• 3. Choose some c-dimensional k-vector subspace U of K

and some c − 1-dimensional k-vector subspace U′ of U.

• 4. Define a factor base

F := {P ∈ E(K) | x(P) ∈ U}

and also

F′ := {P ∈ E(K) | x(P) ∈ U′} .

Let F = {F1, F2, . . . , Fk}.

On the discrete logarithm problem in elliptic curves – p.12/37

A new preliminary algorithm

• 5. For i = 1, . . . , k + 1 do

Repeat Choose αi, βi ∈ Z/NZ uniformly randomly and try to determine a relation

P1 + · · · + Pm = αiA + βiB

with P1, . . . , Pδ ∈ F′, Pδ+1, . . . , Pm ∈ F. Until this was successful. Rewrite the relation as

k

• j=1

ri,jFj = αiA + βiB .

On the discrete logarithm problem in elliptic curves – p.13/37

A new preliminary algorithm

• 6. Determine some γ ∈ (Z/NZ)k+1 : γR = 0, γ = 0.

We have

(

• i

γiαi)a + (

• i

γiβi)b = 0

and thus

b = −

i γiαi

• i γiβi

a .

On the discrete logarithm problem in elliptic curves – p.14/37

Decomposition

We need a procedure to compute relations or “decompositions”.

• Input. C ∈ E(K).
• Output. A relation

P1 + · · · + Pm = C

with

P1, . . . , Pδ ∈ F′, Pδ+1, . . . , Pm ∈ F ,

that is,

x(P1), . . . , x(Pδ) ∈ U′, x(Pδ+1), . . . , x(Pm) ∈ U .

On the discrete logarithm problem in elliptic curves – p.15/37

Decomposition

Let P1, . . . , Pm ∈ E(K). Equivalent are:

P1 + · · · + Pm = C

On the discrete logarithm problem in elliptic curves – p.16/37

Decomposition

Let P1, . . . , Pm ∈ E(K). Equivalent are:

P1 + · · · + Pm = C (P1) + · · · + (Pm) + (−C) ∼ (m + 1) · O

On the discrete logarithm problem in elliptic curves – p.16/37

Decomposition

Let P1, . . . , Pm ∈ E(K). Equivalent are:

P1 + · · · + Pm = C (P1) + · · · + (Pm) + (−C) ∼ (m + 1) · O ∃f ∈ K(E)∗ : (f) = (P1)+· · ·+(Pm)+(−C)−(m+1)·(O). ∃f ∈ L((m + 1) · O − (−C)) : (f) = (P1) + · · · + (Pm) + (−C) − (m + 1) · (O).

On the discrete logarithm problem in elliptic curves – p.16/37

Decomposition

Let P1, . . . , Pm ∈ E(K). Let P1, . . . , Pm, C, O be distinct. Equivalent are:

P1 + · · · + Pm = C (P1) + · · · + (Pm) + (−C) ∼ (m + 1) · O ∃f ∈ K(E)∗ : (f) = (P1)+· · ·+(Pm)+(−C)−(m+1)·(O). ∃f ∈ L((m + 1) · O − (−C)) : (f) = (P1) + · · · + (Pm) + (−C) − (m + 1) · (O). ∃f ∈ L((m + 1) · O − (−C)) : ∀i = 1, . . . , m : f(Pi) = 0.

On the discrete logarithm problem in elliptic curves – p.16/37

Decomposition

Let P1, . . . , Pm ∈ E(K). Let P1, . . . , Pm, C, O be distinct. Equivalent are:

P1 + · · · + Pm = C (P1) + · · · + (Pm) + (−C) ∼ (m + 1) · O ∃f ∈ K(E)∗ : (f) = (P1)+· · ·+(Pm)+(−C)−(m+1)·(O). ∃f ∈ L((m + 1) · O − (−C)) : (f) = (P1) + · · · + (Pm) + (−C) − (m + 1) · (O). ∃f ∈ L((m + 1) · O − (−C)) : ∀i = 1, . . . , m : f(Pi) = 0.

Now: Choose a basis of L((m + 1) · O − (−C)), expand this

• ver k, restrict x(Pi) to U or to U′ ...

On the discrete logarithm problem in elliptic curves – p.16/37

Decompositions

Let C, P1, . . . , Pm ∈ E(K). Let P1, . . . , Pm, C, O be distinct. Let b1, . . . , bm be a basis of L((m + 1) · O − (−C)). Equivalent are:

P1 + · · · + Pm = C ∃α1, . . . , αm ∈ K : ∀i = 1, . . . , m : (

ℓ αℓbℓ)(Pi) = 0

For varying P1, . . . , Pm, we have

2m variables for the Pi and m equations of degree 3 m − 1 variables for the α1, . . . , αm−1 and m equations of

low degree. Over k, we have

n m + n variables and n m equations for the Pi n m − n variables and n m additional equations.

On the discrete logarithm problem in elliptic curves – p.17/37

Solving the systems

Over k, we have

n m + n variables and n m equations for the Pi n m − n variables and n m additional equations.

In total: 2nm variables and 2nm equations of low degree

• ver k.

= ⇒ We can expect that the system has 0-dimensional

solution set.

On the discrete logarithm problem in elliptic curves – p.18/37

Solving the systems

Over k, we have

n m + n variables and n m equations for the Pi n m − n variables and n m additional equations.

In total: 2nm variables and 2nm equations of low degree

• ver k.

= ⇒ We can expect that the system has 0-dimensional

solution set. (Or maybe not?)

On the discrete logarithm problem in elliptic curves – p.18/37

Solving the systems

There are algorithms to determine all k-rational isolated solutions of multivariate systems. (Details omitted.) A point of an algebraic set / scheme is called isolated if it is equal to its connected component. The expected running time is eO(nm) · log(q)O(1). (Again details omitted.) Assume that for varying C ∈ E(K), “most” k-rational solutions are isolated. Then the expected running time for the relation generation is

m! · eO(nm) · qc .

On the discrete logarithm problem in elliptic curves – p.19/37

Solving the systems

There are algorithms to determine all k-rational isolated solutions of multivariate systems. (Details omitted.) A point of an algebraic set / scheme is called isolated if it is equal to its connected component. The expected running time is eO(nm) · log(q)O(1). (Again details omitted.) Assume that for varying C ∈ E(K), “most” k-rational solutions are isolated. Then the expected running time for the relation generation is

eO(nm+ n

m·log(q)) .

On the discrete logarithm problem in elliptic curves – p.19/37

The heuristic running time

We have

eO(nm+ n

m·log(q)) .

for the relation generation and just eO( n

m·log(q)) for the linear

algebra. For m = min(⌈

• log(q)⌉, n) we have

eO(max(n·√

log(q) , log(q))) .

On the discrete logarithm problem in elliptic curves – p.20/37

Applications

Let us assume an expected running time of

eO(max(n·√

log(q) , log(q))) .

Then: For n ≤ b ·

• log(q) we have qO(1).

For

a

• log(q) ≤ n ≤ b log(q)

we have

eO((log(qn))2/3) .

On the discrete logarithm problem in elliptic curves – p.21/37

Applications

Let us assume an expected running time of

eO(max(n·√

log(q) , log(q))) .

Then: For n ≤ b ·

• log(q) we have qO(1).

For

a

• log(q) ≤ n ≤ b log(q)

we have

eO((log(qn))2/3) . q = elog(q) = e(log(q)3/2)2/3 = e(√

log(q)·log(q))2/3 ≤ e( 1

an log(q))2/3

On the discrete logarithm problem in elliptic curves – p.21/37

Applications

Let us assume an expected running time of

eO(max(n·√

log(q),log(q))) .

Then: For

a log(q) ≤ n ≤ b log(q)

we have

eO((log(qn))3/4) .

On the discrete logarithm problem in elliptic curves – p.22/37

Geometry

Let ResK|k(E) be the Weil restriction of E w.r.t. K|k. This is an n-dimensional abelian variety over k with

ResK|k(E)(k) ≃ E(K) .

More generally, for any k-scheme S,

ResK|k(E)(S) ≃ E(S ×k K) .

On the discrete logarithm problem in elliptic curves – p.23/37

Geometry

Let ResK|k(E) be the Weil restriction of E w.r.t. K|k. This is an n-dimensional abelian variety over k with

ResK|k(E)(k) ≃ E(K) .

More generally, for any k-scheme S,

ResK|k(E)(S) ≃ E(S ×k K) .

We also have ResK|k(A1

K) with

ResK|k(A1

K)(k) ≃ K .

We have ResK|k(A1

K)(k) ≃ An

• k. Such an isomorphism

corresponds to an isomorphism K ≃ kn.

On the discrete logarithm problem in elliptic curves – p.23/37

Geometry

Let Ea := x−1(A1

K) be the “affine part” of E.

The covering x : Ea −

→ A1

K induces a covering

Res(x) : ResK|k(Ea) − → ResK|k(A1

K)

• f degree 2n.

On the discrete logarithm problem in elliptic curves – p.24/37

Geometry

Let Ea := x−1(A1

K) be the “affine part” of E.

The covering x : Ea −

→ A1

K induces a covering

Res(x) : ResK|k(Ea) − → ResK|k(A1

K)

• f degree 2n.

U ≤ K corresponds to a subgroup-variety A of ResK|k(A1

K)

with

A(k) = U .

On the discrete logarithm problem in elliptic curves – p.24/37

Geometry

Let Ea := x−1(A1

K) be the “affine part” of E.

The covering x : Ea −

→ A1

K induces a covering

Res(x) : ResK|k(Ea) − → ResK|k(A1

K)

• f degree 2n.

U ≤ K corresponds to a subgroup-variety A of ResK|k(A1

K)

with

A(k) = U .

Likewise U′ corresponds to a subgroup-variety A′ of A with

A′(k) = U′ .

On the discrete logarithm problem in elliptic curves – p.24/37

Geometry

Let V be defined by the following diagram being Cartesian.

V

• ResK|k(Ea)

Res(x)

• A

ResK|k(A1

K) .

We have F ≃ V (k). Let V ′ be defined similarly. Then also F ≃ V ′(k).

On the discrete logarithm problem in elliptic curves – p.25/37

Geometry

The addition map (F′)δ × Fm−δ −

→ E(K) corresponds to

the addition map

V ′(k)δ × V (k)m−δ(k) − → ResK|k(E)(k) .

Let

am : (V ′)δ × V (k)m−δ − → ResK|k(E) .

be the addition map.

On the discrete logarithm problem in elliptic curves – p.26/37

Geometry

The addition map (F′)δ × Fm−δ −

→ E(K) corresponds to

the addition map

V ′(k)δ × V (k)m−δ(k) − → ResK|k(E)(k) .

Let

am : (V ′)δ × V (k)m−δ − → ResK|k(E) .

be the addition map. For C ∈ E(K) ≃ ResK|k(E)(k) we want to study the preimage of C in (V ′)δ × V m−δ.

On the discrete logarithm problem in elliptic curves – p.26/37

Geometry

The addition map (F′)δ × Fm−δ −

→ E(K) corresponds to

the addition map

V ′(k)δ × V (k)m−δ(k) − → ResK|k(E)(k) .

Let

am : (V ′)δ × V (k)m−δ − → ResK|k(E) .

be the addition map. For C ∈ E(K) ≃ ResK|k(E)(k) we want to study the preimage of C in (V ′)δ × V m−δ. This is called the fiber at C.

On the discrete logarithm problem in elliptic curves – p.26/37

Geometry

Let still

am : (V ′)δ × V m−δ − → ResK|k(E) .

Main task. Let C ∈ E(K) be uniformly distributed. Give now a suitable lower bound on the probability that the fiber of C contains an isolated k-rational point!

On the discrete logarithm problem in elliptic curves – p.27/37

Geometry

Let still

am : (V ′)δ × V m−δ − → ResK|k(E) .

Main task. Let C ∈ E(K) be uniformly distributed. Give now a suitable lower bound on the probability that the fiber of C contains an isolated k-rational point! Note: ResK|k(E)(k) and (V ′)δ × V m−δ have dimension n.

On the discrete logarithm problem in elliptic curves – p.27/37

Geometry

Let still

am : (V ′)δ × V m−δ − → ResK|k(E) .

Main task. Let C ∈ E(K) be uniformly distributed. Give now a suitable lower bound on the probability that the fiber of C contains an isolated k-rational point! Note: ResK|k(E)(k) and (V ′)δ × V m−δ have dimension n.

• Question. Is am : (V ′)δ × V m−δ −

→ ResK|k(E) surjective?

On the discrete logarithm problem in elliptic curves – p.27/37

Geometry

Let still

am : (V ′)δ × V m−δ − → ResK|k(E) .

Main task. Let C ∈ E(K) be uniformly distributed. Give now a suitable lower bound on the probability that the fiber of C contains an isolated k-rational point! Note: ResK|k(E)(k) and (V ′)δ × V m−δ have dimension n.

• Question. Is am : (V ′)δ × V m−δ −

→ ResK|k(E) surjective on

every irreducibility component of (V ′)δ × V m−δ?

On the discrete logarithm problem in elliptic curves – p.27/37

Geometry

Let still

am : (V ′)δ × V m−δ − → ResK|k(E) .

Main task. Let C ∈ E(K) be uniformly distributed. Give now a suitable lower bound on the probability that the fiber of C contains an isolated k-rational point! Note: ResK|k(E)(k) and (V ′)δ × V m−δ have dimension n.

• Question. Is am : (V ′)δ × V m−δ −

→ ResK|k(E) surjective on

every irreducibility component of (V ′)δ × V m−δ? Difficult!

On the discrete logarithm problem in elliptic curves – p.27/37

Geometry

Let still

am : (V ′)δ × V m−δ − → ResK|k(E) .

• Observation. Let (P1, . . . , Pm) ∈ ((V ′)δ × V m−δ)(k),

C := P1 + · · · + Pm.

Equivalent are:

(P1, . . . , Pm) is isolated and reduced in the fiber of C. am is unramified at (P1, . . . , Pm). (am)∗ : T(P1,...,Pm)((V ′)δ × V m−δ) − → TC(ResK|k(E)) is

injective. Moreover, “unramifiedness” is an open property ...

On the discrete logarithm problem in elliptic curves – p.28/37

New algorithm

Choose a decomposition

K =

m

• i=1

Ui .

Let

Fi := {P ∈ E(K) | x(P) ∈ Ui}

and

F :=

m

• i=1

Fi .

On the discrete logarithm problem in elliptic curves – p.29/37

New algorithm

Choose a decomposition

K =

m

• i=1

Ui .

Let

Fi := {P ∈ E(K) | x(P) ∈ Ui}

and

F :=

m

• i=1

Fi .

We want to find relations of the form

P1 + · · · + Pm = C with Pi ∈ Fi .

On the discrete logarithm problem in elliptic curves – p.29/37

New algorithm

The decomposition

K =

m

• i=1

Ui

corresponds to a decomposition

An

k ≃ ResK|k(A1 K) = m

• i=1

Ai .

Let Vi be as V above. We thus have

Vi(k) ≃ Fi .

On the discrete logarithm problem in elliptic curves – p.30/37

New algorithm

Let 0 ∈ A1(K) be unramified and split under x : Ea −

→ A1

K;

let P0 ∈ E(K) be a preimage. Now Res(x) : ResK|k(Ea) −

→ ResK|k(A1

K) is unramified at

P0 ∈ ResK|k(E)(k).

On the discrete logarithm problem in elliptic curves – p.31/37

New algorithm

Let 0 ∈ A1(K) be unramified and split under x : Ea −

→ A1

K;

let P0 ∈ E(K) be a preimage. Now Res(x) : ResK|k(Ea) −

→ ResK|k(A1

K) is unramified at

P0 ∈ ResK|k(E)(k).

We want to study the fibers of the map

am : V1 × · · · × Vm − → ResK|k(E) .

On the discrete logarithm problem in elliptic curves – p.31/37

New algorithm

Let 0 ∈ A1(K) be unramified and split under x : Ea −

→ A1

K;

let P0 ∈ E(K) be a preimage. Now Res(x) : ResK|k(Ea) −

→ ResK|k(A1

K) is unramified at

P0 ∈ ResK|k(E)(k).

We want to study the fibers of the map

am : V1 × · · · × Vm − → ResK|k(E) .

• Claim. This map is unramified at

(P0, . . . , P0) ∈ (V1 × · · · × Vm)(k). = ⇒ If the Vi are irreducible, the map is

generically unramified, thus generically quasi-finite.

On the discrete logarithm problem in elliptic curves – p.31/37

New algorithm

Proof of claim. We have

am : V1 × · · · × Vm − → ResK|k(E) .

This morphism is unramified at (P0, . . . , P0) if and only if the map

(am)∗ : T(P0,...,P0)(V1 × · · · × Vm) − → TmP0(ResK|k(E))

is injective.

On the discrete logarithm problem in elliptic curves – p.32/37

New algorithm

We have

T(P0,...,P0)(V1 × · · · × Vm)

(am)∗

• TmP0(ResK|k(E))

TP0(V1) × · · · × TP0(Vm)

P

• TP0(ResK|k(E))

(τ((m−1)P0))∗

• Res(x)∗
• T0(A1) × · · · × T0(Am)
• P

T0(ResK|k(A1

K))

U1 × · · · × Um

P

K .

On the discrete logarithm problem in elliptic curves – p.33/37

New algorithm

Let now (P1, . . . , Pm) ∈ V1(k) × · · · × Vm(k). Then the map

am : V1 × · · · × Vm − → ResK|k(E)

is unramified at (P1, . . . , Pm) if and only if we have

TP0(ResK|k(E)) =

m

• i=1

(τ(P0−Pi))∗(TPi(Vi)) .

This can be studied explicitly.

On the discrete logarithm problem in elliptic curves – p.34/37

New algorithm

Let now (P1, . . . , Pm) ∈ V1(k) × · · · × Vm(k). Then the map

am : V1 × · · · × Vm − → ResK|k(E)

is unramified at (P1, . . . , Pm) if and only if we have

TP0(ResK|k(E)) =

m

• i=1

(τ(P0−Pi))∗(TPi(Vi)) .

This can be studied explicitly. Let char(k) be odd. We have the holomorphic differential dx

y and the holomorphic tangent vector field

ytx.

On the discrete logarithm problem in elliptic curves – p.34/37

New algorithm

Let now (P1, . . . , Pm) ∈ V1(k) × · · · × Vm(k). Then the map

am : V1 × · · · × Vm − → ResK|k(E)

is unramified at (P1, . . . , Pm) if and only if we have

TP0(ResK|k(E)) =

m

• i=1

(τ(P0−Pi))∗(TPi(Vi)) .

This can be studied explicitly. Let char(k) be even, E non-supersingular. We have dx

x

and xtx.

On the discrete logarithm problem in elliptic curves – p.34/37

New algorithm

Let now (P1, . . . , Pm) ∈ V1(k) × · · · × Vm(k). Then the map

am : V1 × · · · × Vm − → ResK|k(E)

is unramified at (P1, . . . , Pm) if and only if we have

TP0(ResK|k(E)) =

m

• i=1

(τ(P0−Pi))∗(TPi(Vi)) .

This can be studied explicitly. Let char(k) be even and E supersingular. We have dx and tx.

On the discrete logarithm problem in elliptic curves – p.34/37

And some conditions

Additionally, we have some conditions:

#Vi(k) should have at least 1

4 · qdim(Vi) elements.

For odd characteristic, the Vi have to be irreducible.

On the discrete logarithm problem in elliptic curves – p.35/37

The results

Theorem.

The discrete logarithm problem in the groups of rational points of elliptic curves over fields Fqn can be solved in an expected time of

eO(max(log(q),n·log(q)1/2,n3/2)) .

Under the condition that q is even it can be solved in an expected time of

eO(max(log(q),n·log(q)1/2,n·log(n)1/2)) .

On the discrete logarithm problem in elliptic curves – p.36/37

My works

Habilitation thesis: On arithmetic and the discrete logarithm problem in class groups of curves, 2008 On the discrete logarithm problem in elliptic curves. Compositio Mathematica No. 147, 2011 On the discrete logarithm problem in elliptic curves II. Submitted, 2011

On the discrete logarithm problem in elliptic curves – p.37/37