Computation of the discrete logarithm on elliptic curves of trace one: Tutorial
Abstract
The security of several elliptic curve cryptosystems relies on the difficulty of the discrete logarithm problem. The motivation for using elliptic curves in cryptography is that there is no known sub-exponential algorithm which solves the Elliptic Curve Discrete Logarithm Problem (ECDLP) in general. However, it has been shown that some special curves do not possess a difficult ECDLP. In 1999, an article by Nigel Smart provided a very efficient method for solving the ECDLP when the underlying elliptic curve is of trace one. In this note, we describe this method in more detail and recall the mathematical background needed to understand it.

This is the report of a Graduate School project supervised by Prof. Serge Vaudenay. Technical report EPFL/IC/2002/49.

1 The elliptic curves

We recall here the definition of an elliptic curve and its group law. In order to do this, we introduce the projective space.

Definition 1. Let $K$ be a field. The projective $n$-space $\mathbb{P}^n(K)$ over $K$ is the set of equivalence classes $\left(K^{n+1} \setminus \{(0, \dots, 0)\}\right) / \sim$, where $(x_0, \dots, x_n) \sim (y_0, \dots, y_n)$ if and only if there exists a $\lambda \in K^*$ such that $y_i = \lambda x_i$ for all $0 \le i \le n$.

Notation. An equivalence class containing $(x_0, x_1, \dots, x_n)$ is denoted by $(x_0 : x_1 : \dots : x_n)$.

Definition 2. Let $\bar{K}$ be the algebraic closure of the field $K$. A Weierstrass equation is a homogeneous equation of degree 3 of the form

$$Y^2 Z + a_1 XYZ + a_3 Y Z^2 = X^3 + a_2 X^2 Z + a_4 X Z^2 + a_6 Z^3,$$

where $a_1, a_2, a_3, a_4, a_6$ are elements of $\bar{K}$. Moreover, the Weierstrass equation is said to be non-singular if for all projective points $P = (X : Y : Z) \in \mathbb{P}^2(\bar{K})$ satisfying

$$F(X, Y, Z) := Y^2 Z + a_1 XYZ + a_3 Y Z^2 - X^3 - a_2 X^2 Z - a_4 X Z^2 - a_6 Z^3 = 0,$$

at least one of the three partial derivatives $\frac{\partial F}{\partial X}$, $\frac{\partial F}{\partial Y}$, $\frac{\partial F}{\partial Z}$ is non-zero at $P$. If this is not the case for a point $P$, the Weierstrass equation is said to be singular and $P$ is called a singular point.

Definition 3. An elliptic curve $E$ is the set of all solutions in $\mathbb{P}^2(\bar{K})$ of a Weierstrass equation.
We see that there is exactly one point in $E$ whose $Z$-coordinate is equal to 0, namely $(0 : 1 : 0)$. This point is called the point at infinity and is denoted by $O$.

Definition 4. Let $\hat{K}$ be a field satisfying $K \subset \hat{K} \subset \bar{K}$. A point $(X, Y, Z)$ is $\hat{K}$-rational if there exist $\lambda \in \bar{K}$ and $(\hat{X}, \hat{Y}, \hat{Z}) \in \hat{K}^3$ such that $(X, Y, Z) = \lambda(\hat{X}, \hat{Y}, \hat{Z})$. The set of the $\hat{K}$-rational points of an elliptic curve $E$ is denoted by $E(\hat{K})$.

By using the non-homogeneous coordinates $x = X/Z$, $y = Y/Z$, the Weierstrass equation takes the form

$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6. \qquad (1)$$

We notice that an elliptic curve $E$ is then the set of all solutions of equation (1) in the affine plane $\bar{K} \times \bar{K}$ together with $O$. If the coefficients $a_1, a_2, a_3, a_4, a_6$ lie in $K$, we say that $E$ is defined over $K$ and we write $E/K$. We also remark that the set $E(\hat{K})$ is composed of the solutions of (1) in $\hat{K} \times \hat{K}$ and the point at infinity $O$.
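The following added example (not code from the report) shows a parameter check built on these definitions: it tests a Weierstrass equation (1) over a prime field $F_p$ for non-singularity, counts $E(F_p)$ including $O$, and flags curves of trace one, i.e. those with exactly $p$ rational points. The function names and the toy curves over $F_7$ are constructed for illustration, and the naive count is only usable for small odd $p$.

```python
# Added illustration: toy parameters over F_7 are constructed, not from the report.

def discriminant(a1, a2, a3, a4, a6, p):
    """Discriminant of equation (1) mod p; it is zero exactly when the
    equation is singular (standard equivalent of the partial-derivative test)."""
    b2 = a1 * a1 + 4 * a2
    b4 = 2 * a4 + a1 * a3
    b6 = a3 * a3 + 4 * a6
    b8 = a1 * a1 * a6 + 4 * a2 * a6 - a1 * a3 * a4 + a2 * a3 * a3 - a4 * a4
    return (-b2 * b2 * b8 - 8 * b4 ** 3 - 27 * b6 * b6 + 9 * b2 * b4 * b6) % p

def legendre(d, p):
    """Legendre symbol (d/p) for an odd prime p: 0, 1 or -1."""
    d %= p
    if d == 0:
        return 0
    return 1 if pow(d, (p - 1) // 2, p) == 1 else -1

def count_points(coeffs, p):
    """Number of F_p-rational points of (1), point at infinity included."""
    a1, a2, a3, a4, a6 = coeffs
    total = 1  # the point at infinity O = (0 : 1 : 0)
    for x in range(p):
        h = a1 * x + a3
        f = x ** 3 + a2 * x * x + a4 * x + a6
        # y^2 + h*y = f  <=>  (2y + h)^2 = h^2 + 4f, valid because p is odd
        total += 1 + legendre(h * h + 4 * f, p)
    return total

def classify(coeffs, p):
    """Return ('singular', None), ('trace-one', 1) or ('ok', trace)."""
    if p < 3 or p % 2 == 0:
        raise ValueError("this sketch assumes an odd prime p")
    if discriminant(*coeffs, p) == 0:
        return ("singular", None)       # not an elliptic curve at all
    trace = p + 1 - count_points(coeffs, p)
    return ("trace-one", 1) if trace == 1 else ("ok", trace)

if __name__ == "__main__":
    # coefficients are given in the order (a1, a2, a3, a4, a6)
    for c in [(0, 0, 0, 3, 5), (0, 0, 0, 3, 4), (0, 0, 0, 1, 5)]:
        print(c, classify(c, 7))
```

For field sizes used in practice the point count comes from a polynomial-time counting algorithm such as Schoof's rather than this loop; the comparison of the count with $p$ is unchanged.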
Publication date: 2002