Attacking the Elliptic Curve Discrete Logarithm Problem

Definition 1.1. Given a finite abelian group G written multiplicatively and elements b and g in G, the discrete logarithm problem (DLP) consists of finding an integer n such that bn = g, if such an n exists. The difficulty involved in computing the discrete logarithm varies with the choice of G. For example, in the additive group of integers modulo n, (Z/nZ)+, the problem can be solved efficiently. Given b and g such that 0 ≤ b, g ≤ n − 1 and kb ≡ g mod n for some integer k, then the Extended Euclidean Algorithm can be used to quickly compute a such that ba ≡ 1 mod n, so that akb ≡ k mod n. See [3] for a more detailed explanation. For the purposes of cryptography, a group in which the discrete logoarithm is difficult to compute is desirable. In such a context, the discrete logarithm becomes a trapdoor, or one-way, function, since exponentiation (the inverse operation) can always be performed efficiently through repeated squaring. There are two widely used groups in public key cryptosystems based on the discrete logarithm problem, the multiplicative group of integers (Z/pZ)∗ and the elliptic curve group E(Z/nZ). The first popular public key cryptosystems were based on the DLP in (Z/nZ)∗. Systems based on E(Z/nZ) have drawn substantial interest more recently due to the DLP being harder in that context. In this paper, we focus on the DLP in E(Z/nZ).