Algorithm for solving discrete log problem in anomalous groups

Solving equations modulo p

Example. Find all solutions $x, y, z$ in $\mathbb{Z}_{11}$ of the following system of equations:

$$3x + 2y - 3z \equiv 1 \pmod{11}$$
$$2x + z \equiv 0 \pmod{11}$$

Solving equations modulo n

Theorem. Let $n = p_1^{r_1} p_2^{r_2} \cdots p_k^{r_k}$, where the $p_i$ are distinct primes. Let $f(x)$ be a polynomial with integer coefficients. Then the equation $f(x) \equiv 0 \pmod{n}$ has a solution if and only if all the equations $f(x_i) \equiv 0 \pmod{p_i^{r_i}}$ for $i = 1, 2, \dots, k$ have solutions. Each sequence of solutions in $\mathbb{Z}_{p_i^{r_i}}$ gives a unique solution $x$ in $\mathbb{Z}_n$ of $f(x) \equiv 0 \pmod{n}$ satisfying $x \equiv x_i \pmod{p_i^{r_i}}$ for each $i$.

Solving modulo $p^r$

Assume that we know the solution to the equation $f(x) \equiv 0 \pmod{p}$. Let $x_1$ be that solution. Can we find a solution $x_r$ to the polynomial congruence $f(x_r) \equiv 0 \pmod{p^r}$ such that $x_r \equiv x_1 \pmod{p}$? Such an $x_r$ is called a lift of $x_1$ modulo $p^r$.

Example. We know that $x = 2$ and $x = 3$ are solutions to the equation $x^2 + 1 \equiv 0 \pmod{5}$. Can we find the solutions to the equation $x^2 + 1 \equiv 0 \pmod{5^2}$?

Hensel's Lemma (short version)

Let $f(x)$ be a polynomial with integer coefficients, $p$ a prime and $k \in \mathbb{N}$. Suppose that $x_1$ is a solution to $f(x) \equiv 0 \pmod{p^k}$ and $f'(x)$ has an inverse modulo $p$. Let $u$ be the inverse of $f'(x)$ modulo $p$ and let $x_2 = x_1 - u \cdot f(x)$. Then $x_2 \equiv x_1 \pmod{p^k}$ and $f(x_2) \equiv 0 \pmod{p^{k+1}}$. We say that $x_2$ is a lift of $x_1$ modulo $p^{k+1}$.

Hensel's Lemma

Theorem. Let $f(x)$ be a polynomial with integer coefficients, $p$ a prime and $k \in \mathbb{N}$. Suppose that $x_1, x_2, \dots, x_m$ for some $m \in \mathbb{N}$ are all of the solutions of $f(x) \equiv 0 \pmod{p^k}$, where $0 \le x_i < p^k$ for each $i = 1, 2, 3, \dots, m$. If $a \in \mathbb{Z}$ is a solution to the equation $f(x) \equiv 0 \pmod{p^{k+1}}$, then there is a $q \in \mathbb{Z}_p$ and there is an $i \in \{1, 2, \dots, m\}$ such that

1. $a = q p^k + x_i$, and
2. $f(x_i) + q f'(x_i) p^k \equiv 0 \pmod{p^{k+1}}$,

where $q \equiv -\frac{f(x_i)}{p^k} \left(f'(x_i)\right)^{-1} \pmod{p}$.

Number of solutions to the equation $f(x) \equiv 0 \pmod{p^k}$

1. If $f'(x_i) \equiv 0 \pmod{p}$ and $f(x_i) \not\equiv 0 \pmod{p^{k+1}}$, then the equation $f(x) \equiv 0 \pmod{p^{k+1}}$ does not have a solution.
2. If $f'(x_i) \equiv 0 \pmod{p}$ and $f(x_i) \equiv 0 \pmod{p^{k+1}}$, then for every $q \in \mathbb{Z}_p$, $f(q p^k + x_i) \equiv 0 \pmod{p^{k+1}}$.
3. If $f'(x_i) \not\equiv 0 \pmod{p}$, then there is a unique $a$ for this $x_i$, and $q$ is computed as $q = -p^{-k} \frac{f(x_i)}{f'(x_i)} \bmod p$.

Moreover, $x = x_1 + x_2 p + x_3 p^2 + \dots + x_n p^{n-1}$ is a solution to $f(x) \equiv 0 \pmod{p^n}$.

Example. Solve $f(x) \equiv 0 \pmod{7^3}$ if $f(x) = x^3 + 5x^2 + 1$.
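Added example (not part of the original slides): a Python implementation of the lifting step that handles all three cases listed above, applied to the two examples posed in the text. Polynomials are passed as coefficient lists, highest degree first; the function names are this example's own.

```python
def poly_eval(coeffs, x, m):
    """Evaluate a polynomial (coefficients highest degree first) at x modulo m."""
    acc = 0
    for c in coeffs:
        acc = (acc * x + c) % m
    return acc


def derivative(coeffs):
    """Coefficient list of f'(x) for f given highest degree first."""
    n = len(coeffs) - 1
    return [c * (n - i) for i, c in enumerate(coeffs[:-1])]


def roots_mod_p(coeffs, p):
    """All roots of f modulo the prime p by exhaustive search (small p only)."""
    return [x for x in range(p) if poly_eval(coeffs, x, p) == 0]


def lift_once(coeffs, p, k, xi):
    """Lift a root xi of f mod p^k to every root a = q*p^k + xi mod p^(k+1)."""
    pk = p ** k
    fx = poly_eval(coeffs, xi, pk * p)          # f(xi) mod p^(k+1); p^k divides it
    dfx = poly_eval(derivative(coeffs), xi, p)  # f'(xi) mod p
    if dfx != 0:
        # Case 3: unique lift with q = -(f(xi)/p^k) * f'(xi)^(-1) mod p
        q = (-(fx // pk) * pow(dfx, -1, p)) % p
        return [q * pk + xi]
    if fx != 0:
        return []                               # Case 1: no lift exists
    return [q * pk + xi for q in range(p)]      # Case 2: every q in Z_p works


def solve_mod_prime_power(coeffs, p, n):
    """All solutions of f(x) = 0 mod p^n, lifting one power of p at a time."""
    roots = roots_mod_p(coeffs, p)
    for k in range(1, n):
        roots = sorted(a for xi in roots for a in lift_once(coeffs, p, k, xi))
    return roots


if __name__ == "__main__":
    print(solve_mod_prime_power([1, 0, 1], 5, 2))     # x^2 + 1 mod 5^2
    print(solve_mod_prime_power([1, 5, 0, 1], 7, 3))  # x^3 + 5x^2 + 1 mod 7^3
    print(solve_mod_prime_power([1, 0, 1], 2, 2))     # singular root, no lift
    print(solve_mod_prime_power([1, 0, 0], 3, 2))     # singular root, p lifts
```
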
Maple commands: rootp(f, p) and ratvaluep(rootp(f, p), k).

p-adic numbers

Definition. The values $x = \sum_{j=0}^{\infty} x_{j+1} p^j$ are called p-adic numbers. In general, we allow a finite number of negative powers of $p$. So, any expression of the form $x_{-m} p^{-m-1} + \dots + x_1 + x_2 p + \dots + x_n p^{n-1} + \dots$ for $m, n \in \mathbb{N}$ is called a p-adic number.

p-adic expansions

Let $p$ be a prime number. Any positive integer $x$ can be written as $\sum_{k=0}^{\infty} a_k p^k$, $a_k \in \{0, 1, \dots, p-1\}$. We say that $\sum_{k=0}^{\infty} a_k p^k$ is a p-adic expansion of $x$ and we denote $x$ by its digits, i.e. $x = a_1 a_2 a_3 \dots a_n$.

Example: $233 = 1 \cdot 2^7 + 1 \cdot 2^6 + 1 \cdot 2^5 + 0 \cdot 2^4 + 1 \cdot 2^3 + 0 \cdot 2^2 + 0 \cdot 2^1 + 1 \cdot 2^0$ is the 2-adic expansion of 233.

Maple command: evalp(a/b, p)

Let $p$ be a prime number. Any rational number $y$ can be written in the form $\sum_{k=m}^{\infty} a_k p^k$, where $m \in \mathbb{Z}$ and $a_k \in \{0, 1, \dots, p-1\}$.

Example: Find a 5-adic expansion of $\frac{24}{7}$.

Valuations

Let $\mathbb{Q}$ be the set of rationals and $v : \mathbb{Q} \to \mathbb{Q}$ be a function that satisfies the following conditions:

- $v(x) \ge 0$ with equality iff $x = 0$
- $v(xy) = v(x)v(y)$ for any $x, y \in \mathbb{Q}$
- $v(x + y) \le v(x) + v(y)$ for any $x, y \in \mathbb{Q}$

Then $v$ is called a valuation on $\mathbb{Q}$.

p-adic valuations

Given $x \in \mathbb{Q}$, write $x = p^n \frac{a}{b}$ for $a, b, n \in \mathbb{Z}$, where the prime $p$ divides neither $a$ nor $b$. The integer $n$ is called the p-adic valuation of $x$ and is denoted by $n = v_p(x)$. We set $v_p(0) = \infty$.

Example: $v_2\left(\frac{7}{40}\right) = -3$ since $\frac{7}{40} = 2^{-3} \cdot \frac{7}{5}$.

Maple command: ord(a/b, p).

Theorem. If $x, y \in \mathbb{Q}$, then $v_p$ has the following properties:

- $v_p(xy) = v_p(x)v_p(y)$.
- $v_p(x + y) \ge \min\{v_p(x), v_p(y)\}$.

p-adic norm

The p-adic norm of $x$ is defined to be $|x|_p = \frac{1}{p^n}$ (that is, $|x|_p = p^{-v_p(x)}$) if $x \ne 0$, and $|x|_p = 0$ when $x = 0$.

Example:

- $|75|_5 = 25$
- $\left|\frac{12}{7}\right|_2 = 2^{-2}$
- $\left|\frac{12}{7}\right|_5 = 0$

Maple command: valuep(a/b, p)
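Added example (not part of the original slides): the valuation $v_p$ and the digits of a p-adic expansion of a rational number, computed with exact fractions. It works the 5-adic expansion of 24/7 asked for above; the function names are this example's own.

```python
from fractions import Fraction


def vp(x, p):
    """p-adic valuation of a rational x, with v_p(0) = infinity."""
    x = Fraction(x)
    if x == 0:
        return float("inf")
    n, num, den = 0, x.numerator, x.denominator
    while num % p == 0:          # powers of p in the numerator count up
        num //= p
        n += 1
    while den % p == 0:          # powers of p in the denominator count down
        den //= p
        n -= 1
    return n


def padic_digits(x, p, count):
    """Return (m, digits) with x = sum(digits[j] * p**(m + j)) to `count` digits.

    m is v_p(x), so digits[0] is the first non-zero digit (for x != 0).
    """
    x = Fraction(x)
    if x == 0:
        return 0, [0] * count
    m = vp(x, p)
    u = x / Fraction(p) ** m     # unit part: p divides neither numerator nor denominator
    digits = []
    for _ in range(count):
        # u mod p: the denominator is coprime to p, so it has an inverse mod p
        d = (u.numerator * pow(u.denominator, -1, p)) % p
        digits.append(d)
        u = (u - d) / p          # exact division: u - d has valuation >= 1
    return m, digits


if __name__ == "__main__":
    print(vp(Fraction(7, 40), 2))               # valuation example from the text
    print(padic_digits(233, 2, 8))              # 2-adic digits of 233, lowest first
    print(padic_digits(Fraction(24, 7), 5, 8))  # first 8 digits of the 5-adic expansion of 24/7
```

The digits are listed from the lowest power of $p$ upward, and a rational number that is not a non-negative integer has an expansion that never terminates, so only a finite prefix is returned.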
Theorem. The function $|\cdot|_p : \mathbb{Q} \to \mathbb{R}^+$ has the following properties:

- $|x|_p = 0$ iff $x = 0$
- $|xy|_p = |x|_p |y|_p$
- $|x|_p \le \max\{|x|_p, |y|_p\}$

The field $\mathbb{Q}_p$

Let $d_p$ be a function from the set of rationals $\mathbb{Q}$ to the set of positive real numbers $\mathbb{R}^+$ defined as $d_p(a, b) = |a - b|_p$.

Theorem. $d_p(a, b) = |a - b|_p$ is a metric on the set of rationals $\mathbb{Q}$.

The set of p-adic numbers $\mathbb{Q}_p$ is defined as the completion of $\mathbb{Q}$ with respect to the metric $d_p$.

Anomalous groups and Discrete Log Problem

An elliptic curve group over $\mathbb{F}_q$ is called anomalous if its order is equal to $q$.

The following theorems will be used:

Theorem. $\tilde{E}_r = \{(x, y) \in \tilde{E}(\mathbb{Q}) : v_p(x) \le -2r,\ v_p(y) \le -3r\} \cup \{\infty\}$ is a subgroup of $\tilde{E}(\mathbb{Q})$.

Theorem. The mapping $\log_r : \tilde{E}_r / \tilde{E}_{5r} \to \mathbb{Z}_{p^{4r}}$ defined as

$$\log_r(x, y) = \begin{cases} p^{-r} \frac{x}{y} \bmod p^{4r} & \text{if } (x, y) \ne \infty \\ 0 & \text{otherwise} \end{cases}$$

is a homomorphism.

Theorem. The mapping $\mathrm{red}_p : \tilde{E}(\mathbb{Q}) \to \tilde{E}(\mathbb{F}_p)$ defined as

$$\mathrm{red}_p(x, y) = \begin{cases} (x, y) \bmod p & \text{if } (x, y) \notin \tilde{E}_1 \\ \infty & \text{otherwise} \end{cases}$$

is a homomorphism.

Lifting points in Elliptic Curves

Let $E$ be an elliptic curve over $\mathbb{Z}_p$ and let $P, Q \in E(\mathbb{Z}_p)$. We assume $E$ is given by the Weierstrass equation $y^2 = x^3 + A \cdot x + B \bmod p$. We can "lift" the points $P$ and $Q$ to p-adic points $P'$ and $Q'$ on an elliptic curve $E'$ over $\mathbb{Q}_p$. The idea is as follows:

Step 1: Lift the points $P$ and $Q$ from the elliptic curve over $\mathbb{Z}_p$ to an elliptic curve over $\mathbb{Q}$ as follows. Choose integers $x_1$ and $x_2$ such that $x_1, x_2 \bmod p$ give the x-coordinates of $P, Q$. Assume that $x_1 \ne x_2 \bmod p$. Choose $y_1$ such that $\tilde{P} = (x_1, y_1)$ reduces to $P \bmod p$. Using the Chinese Remainder Theorem, find an integer $y_2$ such that $y_2^2 = y_1^2 \bmod (x_2 - x_1)$ and $(x_2, y_2) = Q \bmod p$.

Find

$$\tilde{A} = \frac{y_2^2 - y_1^2}{x_2 - x_1} - \frac{x_2^3 - x_1^3}{x_2 - x_1}, \qquad \tilde{B} = y_1^2 - x_1^3 - \tilde{A} x_1.$$

The points $\tilde{P}$ and $\tilde{Q}$ lie on the curve $y^2 = x^3 + \tilde{A} \cdot x + \tilde{B}$.

In the case when $x_1 = x_2 \bmod p$, take $x_1 = x_2$ and choose $y_1$ such that $y_1 \bmod p$ is the y-coordinate of $P$. Choose an integer $\tilde{A} = A \bmod p$ and $\tilde{B} = y_1^2 - x_1^3 - \tilde{A} \cdot x_1$. The points $\tilde{P} = (x_1, y_1)$ and $\tilde{Q} = -\tilde{P}$ lie on the curve $y^2 = x^3 + \tilde{A}x + \tilde{B}$.

Step 2: Lift the points $\tilde{P}$ and $\tilde{Q}$ to points $\tilde{P}' = (\tilde{x}'_1, \tilde{y}'_1)$ and $\tilde{Q}' = (\tilde{x}'_2, \tilde{y}'_2)$ such that $v_p(\tilde{x}'_1) \le -2$, $v_p(\tilde{x}'_2) \le -2$, $v_p(\tilde{y}'_1) \le -3$ and $v_p(\tilde{y}'_2) \le -3$.

Smart's algorithm for solving DLP in anomalous groups

Suppose we have two points $P$ and $Q$ and we want to solve $Q = x * P$ in an elliptic curve group over $\mathbb{Z}_p$ of order $p$, where $p$ is prime.

1. We first compute an arbitrary lift of $P$ and $Q$ to points $\tilde{P}'$ and $\tilde{Q}'$ on the same elliptic curve, but considered as a curve over $\mathbb{Q}_p$.
2. Compute $m_1 = p \cdot \frac{\tilde{y}'_1 - y_1}{\tilde{x}'_1 - x_1}$ and $m_2 = p \cdot \frac{\tilde{y}'_2 - y_2}{\tilde{x}'_2 - x_2}$.
3. If the p-adic valuation of $m_1$ or $m_2$ is negative, then choose another $\tilde{E}$. Otherwise, compute $k = \frac{m_1}{m_2} \bmod p$. The integer $k$ is a solution of the DLP: $Q = x * P$.
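Because the algorithm above applies when the group order equals $p$, curve parameters are checked for that condition before they are accepted. Added example (not part of the original slides): a domain-parameter check run on two toy curves over $\mathbb{F}_5$ constructed here for illustration. The function names, the cofactor parameter `h` and the sample curves are assumptions of this example, and $p$ is assumed to be a prime greater than 3.

```python
def ec_add(P, Q, a, p):
    """Add two points of y^2 = x^3 + a*x + b over F_p (None = point at infinity)."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                       # P + (-P), or doubling a point with y = 0
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p


def ec_mul(k, P, a, p):
    """Double-and-add scalar multiplication k*P."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        k >>= 1
    return R


def count_points(a, b, p):
    """#E(F_p) via Euler's criterion; O(p), so only usable for toy primes."""
    total = 1                             # the point at infinity
    for x in range(p):
        rhs = (x**3 + a * x + b) % p
        if rhs == 0:
            total += 1
        elif pow(rhs, (p - 1) // 2, p) == 1:
            total += 2
    return total


def check_domain(p, a, b, G, n, h=1):
    """Return a list of problems with the parameters (empty list = accepted)."""
    problems = []
    if (4 * a**3 + 27 * b**2) % p == 0:
        problems.append("singular curve")
    x, y = G
    if (y * y - (x**3 + a * x + b)) % p != 0:
        problems.append("G is not on the curve")
    elif ec_mul(n, G, a, p) is not None:
        problems.append("n*G is not the point at infinity")
    if (n * h - p - 1) ** 2 > 4 * p:
        problems.append("claimed order violates the Hasse bound")
    if n * h == p:
        problems.append("anomalous curve: group order equals p")
    return problems


# Constructed toy parameters (p, a, b, G, n) over F_5.
ANOMALOUS = (5, 3, 2, (1, 1), 5)   # y^2 = x^3 + 3x + 2 has exactly 5 points
ORDINARY = (5, 2, 1, (0, 1), 7)    # y^2 = x^3 + 2x + 1 has 7 points
```

For curves of cryptographic size the order cannot be counted this way; `check_domain` relies on the claimed order `n * h` and confirms it against the generator and the Hasse bound.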