Discrete Logarithms for Torsion Points on Elliptic Curve of Embedding Degree \(1\)

Abstract

Recent efficient pairings such as Ate pairing use two efficient subgroups of rational point such that \(\pi (P)=P\) and \(\pi (Q)=[p]Q\), where \(\pi \), \(p\), \(P\), and \(Q\) are the Frobenius map for rational point, the characteristic of definition field, and torsion points for pairing, respectively. This relation accelerates not only pairing but also pairing–related operations such as scalar multiplications. It holds in the case that the embedding degree \(k\) divides \(r-1\), where \(r\) is the order of torsion rational points. Thus, such a case has been well studied. Alternatively, this paper focuses on the case that the degree divides \(r+1\) but not \(r-1\). First, this paper shows a transitive representation for \(r\)–torsion points based on the fact that the characteristic polynomial \(f(\pi )\) becomes irreducible over \(\mathbb {F}_{r}\) for which \(\pi \) also plays a role of variable. In other words, this paper proposes an elliptic curve discrete logarithm on such a torsion group. After that, together with some example parameters, it is shown how to prepare such pairing–friendly elliptic curves.

Appendices

A Torsion Structure When \(n\mid (r+1)\)

As introduced in this paper, when \(d\) or \(n\) divides \(r+1\), the characteristic polynomial \(f_d({\hat{\pi }}_d)\) or \(f(\pi )\) becomes irreducible over \(\mathbb {F}_{r}\). Thus, \(\pi \) does not correspond to any scalar multiplications in \(E(\mathbb {F}_{p^{n}})[r]\). In other words, let \(P\) be a rational point of order \(r\) that belongs to a cyclic group \(_{P}\) in \(E(\mathbb {F}_{p^{n}})[r]\), then \(\pi (P)\) has the same order \(r\) but it does not belong to \(_{P}\). Thus, \(\pi (P)\) needs to belong to another cyclic group \(_{\pi (P)}\not =_{P}\) and accordingly \(E(\mathbb {F}_{p^{n}})[r]\) needs to have a torsion structure of rank \(2\). In the case of \(E_d(\mathbb {F}_{p})\) with twist degree \(d\), it is shown in the same way.

B \(r\mid (p^l-1)\), \(l=1\) or \(2\)

Let \(l\) be the minimal positive integer such that

$$\begin{aligned} r\mid (p^l-1). \end{aligned}$$

(34)

According to Fermat’s little theorem, \(l\mid (r-1)\). According to the property of pairing, \(r\mid (p^d-1)\). Thus,

$$\begin{aligned} l\mid d. \end{aligned}$$

(35)

On the other hand, \(d\) needs to satisfy \(d\mid (r+1)\) in this paper. Therefore,

$$\begin{aligned} l\mid \gcd (r-1,r+1). \end{aligned}$$

(36)

If \(r\) is an odd prime number, \(\gcd (r-1,r+1)=2\) and thus it is shown that \(l\) is equal to \(1\) or \(2\). Moreover, if \(d\) is odd such as \(3\), \(l=1\) from Eq. (35). It is found that \(l\) corresponds to the extension degree of the minimal embedding field \(\mathbb {F}_{p^{l}}\). In the case of \(E(\mathbb {F}_{p^{n}})\) with extension degree \(n\), it is shown in the same way. Note here that \(l=1\) in the same when \(n\) is odd.

C Proof of \(t_d\equiv -1\pmod {r}\)

According to Morain’s report [17], in the case of \(d=3\), \(t_d\) that is the Frobenius trace of \(E_d(\mathbb {F}_{p})\) is given as

$$\begin{aligned} t_d=(\pm 3v-t)/2,\ t^2-4p=-3v^2. \end{aligned}$$

(37)

Since \(p\equiv 1\pmod {r}\) and \(t\equiv 2\pmod {r}\) in this paper, the following relation is obtained.

$$\begin{aligned} t_d\equiv -1\pmod {r}. \end{aligned}$$

(38)