Elliptic Curve Weak Class
Identification for the Security
        of Cryptosystem
            Intan Muchtadi,
  Ahmad Muchlis and Fajar Yuliawan
      Algebra Research Group,
   Institut Teknologi Bandung (ITB),
                Indonesia
Elliptic Curve
• In 1985 both Koblitz and Miller independently suggested the use of elliptic curves in the development of a new type of public key cipher.

• An elliptic curve is a simple equation of the form:

                          y² = x³ + ax + b

   with a, b in a field F of characteristic p ≠ 2, 3 and 4a³ + 27b² ≠ 0
Elliptic curve
y² = x³ − x
y² = x³ − ½x + ½
y² = x³ − (4/3)x + 16/27
Elliptic curve over F23
y² = x³ + x + 1
(figure: the points of E(F23) plotted on a grid with x and y running from 0 to 22)
Elliptic Curve Addition
(figure: points P and Q on the curve and their sum P+Q)
Multiples in Elliptic Curves 1
• The interest in elliptic curve addition is the process of adding a point to itself.
   • That is, given a point P, find the point P+P = 2P.
   • This is done by drawing the tangent line at P and reflecting (in the x-axis) the point at which it meets the curve again.
   • P can be added to itself k times, resulting in a point W = kP.
Multiples in Elliptic Curves 1
(figure: the tangent at P and the doubled point P+P = 2P)
Multiples in Elliptic Curves 2
• Finding the value of 3P:
(figure: P, 2P = P+P and 3P = 2P + P)
Discrete Logarithm Problem
The Diffie-Hellman key exchange [8], whose security rests on the DLP:
1. A and B agree on a finite group G and some fixed element g.
2. A selects an integer x at random and transmits b = g^x to B.
3. B selects an integer y at random and transmits c = g^y to A.
4. A determines k = c^x, B determines k = b^y; since c^x = g^(xy) = b^y, both obtain the same k, which is then used as the secret key.
Elliptic Curve Cryptography
• Based on the discrete logarithm problem applied to the abelian group E(Fp) formed by the points of an elliptic curve over a finite field

• E(Fp) = {(x,y) ∈ (Fp)² : y² = x³ + ax + b} ∪ {O}
Elliptic Curve Cryptosystem
• There are several ways in which the ECDLP can be embedded in a cipher system.
   • One method begins by selecting an elliptic curve, a point P on the curve and a secret number d, which will be the private key.
   • The public key is P and Q, where Q = dP.
   • A message is encrypted by converting the plaintext into a number m, selecting a random number k, and finding a point M on the curve where the difference of the x and y coordinates equals m.
   • The ciphertext consists of two points on the curve:
           (C1, C2) = (kP, M + kQ)
Decipher
• The secret key d is used to decipher the ciphertext.
• Multiply the first point by d and subtract the result from the second point:

M = C2 − dC1 = (M + kQ) − d(kP) = M + kdP − dkP = M
Elliptic Curve Security
• The security of the elliptic curve algorithm rests on the presumed difficulty of the Elliptic Curve Discrete Logarithm Problem (for general curves no subexponential-time algorithm is known; note that no equivalence with factoring is known either):

Given two points P and Q where Q = kP, find the value of k
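As an added example (this is not code from the slides), the following Python carries the slides' toy curve y² = x³ + x + 1 over F23 through everything described above: chord-and-tangent addition and doubling, double-and-add scalar multiplication, brute-force enumeration of E(F23), the Diffie-Hellman exchange written additively, the (C1, C2) = (kP, M + kQ) cryptosystem with M = C2 − dC1, and an exhaustive ECDLP solver that is only feasible because the group is tiny. The base point, secret scalars and message point used in the functions are chosen for illustration and are not taken from the slides.

```python
# Added example: affine arithmetic on y^2 = x^3 + x + 1 over F_23 (the slides' curve),
# followed by the three protocols the slides describe, all on that one curve.

P_MOD = 23          # field F_23
A, B = 1, 1         # curve coefficients of y^2 = x^3 + A x + B
O = None            # point at infinity (identity)

def on_curve(pt):
    """True if pt is O or satisfies y^2 = x^3 + A x + B mod P_MOD."""
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def neg(pt):
    """Reflection in the x-axis: -(x, y) = (x, -y)."""
    if pt is O:
        return O
    x, y = pt
    return (x, (-y) % P_MOD)

def add(p1, p2):
    """Chord-and-tangent addition; p1 == p2 is the tangent (doubling) case."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:     # p2 == -p1, includes the y == 0 case
        return O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def mul(k, pt):
    """Scalar multiplication kP by double-and-add, k >= 0."""
    result, addend = O, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def points():
    """Enumerate E(F_23) by brute force: O plus every (x, y) with y^2 = x^3 + x + 1."""
    pts = [O]
    for x in range(P_MOD):
        rhs = (x ** 3 + A * x + B) % P_MOD
        for y in range(P_MOD):
            if y * y % P_MOD == rhs:
                pts.append((x, y))
    return pts

def ecdh(G, x, y):
    """The 'Discrete Logarithm Problem' slide written additively in E(F_23):
    A sends xG, B sends yG, both compute xyG."""
    b, c = mul(x, G), mul(y, G)
    k_a, k_b = mul(x, c), mul(y, b)
    assert k_a == k_b
    return k_a

def encrypt(P, Q, M, k):
    """(C1, C2) = (kP, M + kQ) for public key (P, Q = dP) and message point M."""
    return mul(k, P), add(M, mul(k, Q))

def decrypt(d, C1, C2):
    """M = C2 - dC1."""
    return add(C2, neg(mul(d, C1)))

def ecdlp_bruteforce(P, Q):
    """Solve Q = kP by exhaustive search; only feasible for a toy group like this one."""
    n = len(points())          # group order bounds the search
    R = O
    for k in range(n):
        if R == Q:
            return k
        R = add(R, P)
    raise ValueError("Q is not a multiple of P")
```

With the base point G = (3, 10), a private key d = 5 and message point M = (9, 7), decrypt(d, *encrypt(G, mul(d, G), M, 7)) returns M again, and ecdlp_bruteforce(G, mul(d, G)) recovers d in a handful of additions; the same search over a 256-bit group would be hopeless, which is the whole point of the security argument on this slide.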
Imaginary Quadratic Orders
Maximal Orders and Non-maximal Orders
• If Δ is squarefree (more generally, a fundamental discriminant), then OΔ is the maximal order of the quadratic number field Q(√Δ) and Δ is called a fundamental discriminant.
• The non-maximal order of conductor p > 1 with (non-fundamental) discriminant Δp = Δp² is denoted by OΔp. Assume that the conductor p is prime.

• Let IΔ = the group of invertible OΔ-ideals and PΔ = the set of principal OΔ-ideals.
• The class group of OΔ, Cl(Δ) = IΔ/PΔ, is a finite abelian group with neutral element the class of OΔ.
• The class number of OΔ is h(Δ) = |Cl(Δ)|.
Imaginary Quadratic Orders
• In 1988 Buchmann and Williams [4] used the class groups Cl(Δ) of imaginary quadratic orders for the construction of a cryptosystem.
Reducing the DLP
• Huhnlein et al [13] showed that for totally non-maximal imaginary quadratic orders (i.e., non-maximal orders whose maximal order has class number h(Δ) = 1), the DLP can be reduced to the DLP in some finite field.
Problem
• Can we find a condition on elliptic curves such that the DLP for those curves can be reduced to the DLP in some finite field?
The 1st Relation

• If E is an elliptic curve over Fq, then the endomorphism ring of E is an imaginary quadratic order OΔ if and only if |E(Fq)| ≠ q + 1.
• Moreover, there exists a π ∈ OΔ such that |E(Fq)| = q + 1 − (π + π̄), where π̄ is the conjugate of π and π is the Frobenius endomorphism
   π(x,y) = (x^q, y^q) for all (x,y) ∈ E(Fq).
Consequence
• If q satisfies 4q = m² − Δn² for some m, n ∈ Z, then π = ±(m + n√Δ)/2.
• As π² − tπ + q = 0, we get t = π + π̄ = ±m.
• Therefore |E(Fq)| = q + 1 ± m.
• If m = 1, then |E(Fq)| = q or q + 2.
• The case |E(Fq)| = q (an anomalous curve) is cryptographically weak.
• We consider the case where |E(Fq)| = q + 2.
The Result: Reducing the ECDLP
Main Theorem
Let q be a prime satisfying 4q = 1 − Δn² for some n ∈ Z, such that p = q + 2 is also prime, and let E be an elliptic curve over Fq with |E(Fq)| = p.
Then the DLP in E(Fq) can be reduced to the DLP in Fp² regarded as an additive group.
The method in [Huhnlein et al]
The 2nd Relation
Auxiliary Result
The proof
                E(Fq) ≅ OΔ/(π−1)OΔ
                             ↑
                        OΔ/pOΔ ≅ Fp²

• Given G and P ∈ E(Fq) with P = [m]G,
• compute the corresponding elements α + (π−1)OΔ and γ + (π−1)OΔ ∈ OΔ/(π−1)OΔ;
• compute the corresponding α + pOΔ and γ + pOΔ ∈ OΔ/pOΔ;
• compute the corresponding elements in Fp²;
• then compute the discrete logarithm there or determine that it does not exist.
Conclusion
• For q a prime satisfying 4q = 1 − Δn² for some n ∈ Z, such that p = q + 2 is also prime, the ECDLP in E(Fq) whose order is p can be reduced to the DLP in the finite field of order p² regarded as an additive group.
Question of Existence
• How do we construct such cryptographically weak curves?

                 Answer
• By using the construction of anomalous elliptic curves (i.e. curves with |E(Fq)| = q).
Recall
• If q satisfies 4q = m² − Δn² for some m, n ∈ Z, then π = ±(m + n√Δ)/2.
• As π² − tπ + q = 0, we get t = π + π̄ = ±m.
• Therefore |E(Fq)| = q + 1 ± m.
• If m = 1, then |E(Fq)| = q or q + 2.
Construction of Anomalous Curves
     (based on [Leprevost et al])
• Step 1:
• Choose Δ < 0, a fundamental discriminant of an imaginary quadratic field K = Q(√Δ) such that the maximal order of K has class number 1.
  Δ ∈ {−3, −4, −7, −8, −11, −19, −43, −67, −163} [Cox, Theorem 7.30]
Step 1 (contd)
• Choose an odd prime q such that
        4q = 1 − Δn² for an integer n.
• We can show that
1. −Δ ≡ 3 mod 8 (so Δ ∈ {−3, −11, −19, −43, −67, −163}), and
2. q = −Δu(u+1) + (−Δ+1)/4 for some integer u (write the odd n as n = 2u + 1; the congruence is what makes (1−Δ)/4 odd and hence q odd).
Step 2
• OK = OΔ = Z[(Δ + √Δ)/2]
• Let j(OK) be the j-invariant of OK. For class number 1 the j-invariant is given as follows (the slide's "-323", "-963", ... are the cubes −32³, −96³, ... with the exponent lost):

      Δ       j(OK)
     −3       0
     −11      −32³
     −19      −96³
     −43      −960³
     −67      −5280³
     −163     −640320³

                                  [Cox, p.261]
Step 3
• Choose an elliptic curve over L = K(j(OK)) with j-invariant j0 = j(OK):
   • Since j(E) = 1728 · 4a³/(4a³ + 27b²), for j0 ≠ 0, 1728 we can choose
                  E: y² = x³ + ax + b
     where a = 3j0/(1728 − j0) and b = 2j0/(1728 − j0)
Step 4
• Reduce E to
         E: y² = x³ + [a]x + [b]
  over Fq, where [·] denotes reduction modulo q.
• We can show that |E(Fq)| ∈ {q, q+2}.
• If |E(Fq)| = q + 2, a prime, then we're done.
Step 5
• If |E(Fq)| = q, define the quadratic twist
           E': y² = x³ + d²[a]x + d³[b],
  where d ∈ Fq is a quadratic non-residue.
• |E'(Fq)| = q + 2
• If q + 2 is prime, then we're done.
Problem
• It is not easy to find a prime q such that
   4q = 1 − Δn² for an integer n, and
   q + 2 is also prime.
Example
• For Δ = −11 and u = 257 743 850 762 632 419 871 495,
• q = 11u(u + 1) + (11 + 1)/4
   = 730 750 818 665 451 459 112 596 905 638 433 048 232 067 471 723
• j(OK) = −32³ = −32768
Example (contd)

• E: y² = x³ + ax + b
• a = 3(−32³)/(1728 − (−32³)) mod q
   = 425 706 413 842 211 054 102 700 238 164 133 538 302 169 176 474
• b = 2(−32³)/(1728 − (−32³)) mod q
   = 527 387 882 116 624 522 439 332 460 655 566 708 278 801 941 557
Example (contd)
• #E(Fq) = q + 2
                   BUT
• q + 2 = 730 750 818 665 451 459 112 596 905 638 433 048 232 067 471 725
  = 33 x 52 x 4217 x 20 016 645 573 637
  x 2413 234 030 223 5314 x607 504 832 341
is not a prime
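As an added example (not the authors' code), the following Python runs Steps 1 to 5 on the slides' own parameters Δ = −11 and u = 257 743 850 762 632 419 871 495: it reproduces q, checks 4q = 1 − Δn² with n = 2u + 1, derives the coefficients a and b modulo q from the j-invariant −32³ = −32768, verifies them through the j-invariant formula, tests q and q + 2 for primality, and builds the Step 5 twist. It also shows the target of the Main Theorem, namely that a DLP in the additive group (Z/pZ)² is solved by a single modular division. Counting |E(Fq)| over a 160-bit field needs a Schoof/SEA implementation and is not reproduced; the Miller-Rabin routine, the non-residue search and the small (Z/101Z)² instance are ordinary textbook procedures added here, not anything taken from the slides.

```python
# Added example: the Leprevost-style construction (Steps 1-5) on the slides' parameters,
# plus the trivial additive-group DLP that the Main Theorem reduces the ECDLP to.

# Class-number-one discriminants and j(O_K) = -c^3 [Cox, p.261]; Delta = -3 has j = 0,
# which Step 3's formula cannot handle (it needs j != 0, 1728).
J_INVARIANT = {-3: 0, -11: -32**3, -19: -96**3, -43: -960**3,
               -67: -5280**3, -163: -640320**3}

def is_probable_prime(n):
    """Miller-Rabin with the first twelve primes as witnesses (textbook routine)."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in small:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def step1_prime(delta, u):
    """q = -Delta*u*(u+1) + (1-Delta)/4, i.e. 4q = 1 - Delta*n^2 with n = 2u+1 (Step 1)."""
    if (-delta) % 8 != 3:
        raise ValueError("need -Delta = 3 mod 8 so that (1-Delta)/4 is an odd integer")
    q = -delta * u * (u + 1) + (1 - delta) // 4
    n = 2 * u + 1
    assert 4 * q == 1 - delta * n * n
    return q

def step3_curve_mod_q(delta, q):
    """a = 3j/(1728-j), b = 2j/(1728-j) reduced mod q (Steps 3 and 4)."""
    j = J_INVARIANT[delta]
    k = j * pow(1728 - j, -1, q) % q
    return 3 * k % q, 2 * k % q

def j_invariant_mod_q(a, b, q):
    """j(E) = 1728 * 4a^3 / (4a^3 + 27b^2) over F_q, used as a consistency check."""
    num = 4 * a**3 % q
    den = (4 * a**3 + 27 * b**2) % q
    return 1728 * num * pow(den, -1, q) % q

def step5_twist(a, b, q):
    """Quadratic twist y^2 = x^3 + d^2 a x + d^3 b with d a non-square mod q (Step 5)."""
    d = 2
    while pow(d, (q - 1) // 2, q) != q - 1:     # Euler's criterion
        d += 1
    return d * d * a % q, d**3 * b % q

def additive_dlog(alpha, gamma, p):
    """DLP in (Z/pZ)^2 as an additive group: gamma = m*alpha is solved by one division
    in a nonzero coordinate, then checked in the other."""
    for ai, gi in zip(alpha, gamma):
        if ai % p:
            m = gi * pow(ai, -1, p) % p
            break
    else:
        raise ValueError("alpha is the zero vector")
    if any((m * ai - gi) % p for ai, gi in zip(alpha, gamma)):
        raise ValueError("no solution: gamma is not a multiple of alpha")
    return m

def slides_example():
    """The Delta = -11 example from the slides; q + 2 turns out to be composite."""
    delta, u = -11, 257743850762632419871495
    q = step1_prime(delta, u)
    a, b = step3_curve_mod_q(delta, q)
    return {"q": q, "a": a, "b": b,
            "q_prime": is_probable_prime(q),
            "q_plus_2_prime": is_probable_prime(q + 2)}
```

slides_example() returns exactly the q, a and b printed on the previous two slides, reports q as (probably) prime and q + 2 as composite (it is divisible by 9 and by 25, as the digit sum and the last two digits already show), which is the obstacle the remaining slides discuss.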
Twin Prime Conjecture
 There are infinitely many primes q such
  that q + 2 is also prime.
Next?
• Find examples of "weak curves", i.e., twin primes q, q + 2 that satisfy the condition in the Main Theorem.
• Does the result in this work have any relevance to the ECDLP for elliptic curves whose endomorphism ring is a totally non-maximal order?
References
[1] H. Baier (2002), Efficient algorithms for generating elliptic curves over finite fields suitable for use in cryptography, PhD Dissertation.
[2] I. F. Blake, G. Seroussi, and N. P. Smart (2000), Elliptic curves in cryptography, volume 265 of London Mathematical Society Lecture Note Series, Cambridge University Press, Cambridge.
[3] I. F. Blake, G. Seroussi, and N. P. Smart (2005), Advances in elliptic curve cryptography, volume 317 of London Mathematical Society Lecture Note Series, Cambridge University Press, Cambridge.
[4] J. Buchmann and H. C. Williams (1988), A key-exchange system based on imaginary quadratic fields, Journal of Cryptology, 1, 107-118.
[5] J. Buchmann (2004), Introduction to cryptography, Springer.
[6] H. Cohen and G. Frey (2006), Handbook of elliptic and hyperelliptic curve cryptography, Chapman and Hall/CRC, Taylor and Francis Group.
[7] D. A. Cox (1989), Primes of the form x² + ny², John Wiley and Sons, New York.
[8] W. Diffie and M. Hellman (1976), New directions in cryptography, IEEE Transactions on Information Theory, 22, 644-654.
[9] A. Enge (2001), Elliptic curves and their applications to cryptography: an introduction, Kluwer Academic Publishers.
[10] D. Hankerson, A. J. Menezes, S. Vanstone (2004), Guide to elliptic curve cryptography, Springer-Verlag, New York.
[11] D. Huhnlein, M. J. Jacobson, S. Paulus and T. Takagi (1998), A cryptosystem based on non-maximal imaginary quadratic orders with fast decryption, in Advances in Cryptology, LNCS 1403, Springer, 294-307.
[12] D. Huhnlein, M. J. Jacobson, D. Weber (2003), Towards practical non-interactive public-key cryptosystems using non-maximal imaginary quadratic orders, Designs, Codes and Cryptography, 30, Issue 3, 281-299.
[13] D. Huhnlein, T. Takagi (1999), Reducing logarithms in totally non-maximal imaginary quadratic orders to logarithms in finite fields, ASIACRYPT, 219-231.
[14] N. Koblitz (1987), Elliptic curve cryptosystems, Mathematics of Computation 48, 203-209.
[15] H. W. Lenstra (1996), Complex multiplication structure of elliptic curves, Journal of Number Theory, 56, No. 2, 227-241.
[16] F. Leprevost, J. Monnerat, S. Varrette, S. Vaudenay (2005), Generating anomalous elliptic curves, Information Processing Letters, 93, 225-230.
[17] K. S. McCurley (1988), A key distribution system equivalent to factoring, Journal of Cryptology 1, 95-105.
[18] V. S. Miller (1986), Use of elliptic curves in cryptography, in Advances in Cryptology - CRYPTO '85, Springer-Verlag, LNCS 218, 417-426.
[19] J. H. Silverman (1986), The arithmetic of elliptic curves, Springer-Verlag, New York.
[20] L. C. Washington (2008), Elliptic curves, number theory and cryptography, Chapman and Hall/CRC, Taylor and Francis Group.
Thank you

 
Mental Health Awareness - a toolkit for supporting young minds
Mental Health Awareness - a toolkit for supporting young mindsMental Health Awareness - a toolkit for supporting young minds
Mental Health Awareness - a toolkit for supporting young mindsPooky Knightsmith
 
Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationdeepaannamalai16
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQuiz Club NITW
 
Oppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmOppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmStan Meyer
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxlancelewisportillo
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...DhatriParmar
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1GloryAnnCastre1
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfPatidar M
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...Nguyen Thanh Tu Collection
 
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptxUnraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptxDhatriParmar
 

Último (20)

ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
 
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptx
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...
 
Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"
 
Mental Health Awareness - a toolkit for supporting young minds
Mental Health Awareness - a toolkit for supporting young mindsMental Health Awareness - a toolkit for supporting young minds
Mental Health Awareness - a toolkit for supporting young minds
 
Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentation
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
 
Oppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmOppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and Film
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdf
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptxINCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
 
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptxUnraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
 

Elliptic Curve Weak Class Identification for Reducing ECDLP

  • 1. Elliptic Curve Weak Class Identification for the Security of Cryptosystem. Intan Muchtadi, Ahmad Muchlis and Fajar Yuliawan, Algebra Research Group, Institut Teknologi Bandung (ITB), Indonesia
  • 2. Elliptic Curve
    - In 1985 both Koblitz and Miller independently suggested the use of elliptic curves in the development of a new type of public key cipher.
    - An elliptic curve is a simple equation of the form y² = x³ + ax + b, with a, b in a field F of characteristic p ≠ 2, 3 and 4a³ + 27b² ≠ 0.
  • 4. y² = x³ − ½x + ½
  • 5. y² = x³ − (4/3)x + 16/27
  • 6. Elliptic curve over F23: y² = x³ + x + 1 [plot of the curve's points over F23; x axis 0–20, y axis 0–24]
  • 8. Multiples in Elliptic Curves 1
    - The interest in elliptic curve addition is the process of adding a point to itself.
    - That is, given a point P, find the point P + P or 2P.
    - This is done by drawing the tangent line at P and reflecting the point at which it intercepts the curve.
    - P can be added to itself k times, resulting in a point W = kP.
  • 9. Multiples in Elliptic Curves 1 [figure: the tangent at P gives P + P = 2P]
  • 10. Multiples in Elliptic Curves 2: finding the value of 3P [figure: P, 2P and 3P]
  • 11. Discrete Logarithm Problem
    1. A and B agree on a finite group G and some fixed element g.
    2. A selects an integer x at random and transmits b = g^x to B.
    3. B selects an integer y at random and transmits c = g^y to A.
    4. A determines k = c^x, B determines k = b^y; k is then used as the secret key.
  • 12. Elliptic Curve Cryptography: based on the discrete logarithm problem applied to the abelian group E(Fp) formed by the points of an elliptic curve over a finite field, E(Fp) = {(x, y) ∈ (Fp)² : y² = x³ + ax + b} ∪ {O}
  • 13. Elliptic Curve Cryptosystem
    - There are several ways in which the ECDLP can be embedded in a cipher system.
    - One method begins by selecting an elliptic curve, a point P on the curve and a secret number d which will be the private key.
    - The public key is P and Q where Q = dP.
    - A message is encrypted by converting the plaintext into a number m, selecting a random number k, and finding a point M on the curve where the difference of the x and y coordinates equals m.
    - The ciphertext consists of two points on the curve: (C1, C2) = (kP, M + kQ)
  • 14. Decipher: the secret key d is used to decipher the ciphertext. Multiply the first point by d and subtract the result from the second point: M = C2 − dC1 = M + kQ − dkP = M + kdP − dkP
  • 15. Elliptic Curve Security: the security of the elliptic curve algorithm is based on the fact that it is very difficult (as difficult as factoring) to solve the Elliptic Curve Discrete Logarithm Problem: given two points P and Q where Q = kP, find the value of k.
  • 17. Maximal Orders and Non-maximal Orders
    - If Δ is squarefree, then O_Δ is the maximal order of the quadratic number field Q(√Δ) and Δ is called a fundamental discriminant.
    - The non-maximal order of conductor p > 1 with (non-fundamental) discriminant Δ_p = Δp² is denoted by O_{Δ_p}. Assume that the conductor p is prime.
    - Let I_Δ be the group of invertible O_Δ-ideals and P_Δ the set of principal O_Δ-ideals.
    - The class group of O_Δ, Cl(Δ) = I_Δ/P_Δ, is a finite abelian group with neutral element O_Δ.
    - The class number of O_Δ is h(Δ) = |Cl(Δ)|.
  • 18. Imaginary Quadratic Orders: in 1988 Buchmann and Williams used the class groups Cl(Δ) of imaginary quadratic orders for the construction of a cryptosystem.
  • 19. Reducing the DLP: Huhnlein et al. showed that for totally non-maximal imaginary quadratic orders (i.e., h(Δ) = 1), the DLP can be reduced to the DLP in some finite field.
  • 20. Problem: can we find a condition on elliptic curves such that the DLP for those curves can be reduced to the DLP in some finite field?
  • 21. The 1st Relation
    - If E is an elliptic curve over Fq, then the endomorphism ring of E is an imaginary quadratic order O_Δ if and only if |E(Fq)| ≠ q + 1.
    - Moreover, there exists π ∈ O_Δ such that |E(Fq)| = q + 1 − (π + π̄), where π̄ is the conjugate of π and π is the Frobenius endomorphism π(x, y) = (x^q, y^q) for all (x, y) ∈ E(Fq).
  • 22. Consequence
    - If q satisfies 4q = m² − Δn² for some m, n ∈ Z, then π = ±(m + n√Δ)/2.
    - As π² − tπ + q = 0, we get t = π + π̄ = ±m.
    - Therefore |E(Fq)| = q + 1 ± m.
    - If m = 1, then |E(Fq)| = q or q + 2.
    - The case |E(Fq)| = q is cryptographically weak.
    - We consider the case where |E(Fq)| = q + 2.
  • 23. The Result: Reducing the ECDLP. Main Theorem: let q be a prime satisfying 4q = 1 − Δn² for some n ∈ Z, such that p = q + 2 is also a prime, and let E be an elliptic curve over Fq with |E(Fq)| = p. Then the DLP in E(Fq) can be reduced to the DLP in F_{p²} as an additive group.
  • 24. The method in [Huhnlein et al]
  • 25. The 2nd Relation
  • 27. The proof: E(Fq) ≅ O_Δ/(π − 1)O_Δ ↑ O_Δ/pO_Δ ≅ F_{p²}
    - Given G and P ∈ E(Fq) with P = [m]G,
    - compute the corresponding elements α + (π − 1)O_Δ and γ + (π − 1)O_Δ ∈ O_Δ/(π − 1)O_Δ,
    - compute the corresponding α + pO_Δ and γ + pO_Δ ∈ O_Δ/pO_Δ,
    - compute the corresponding elements in F_{p²},
    - then compute the discrete logarithm there or determine that it does not exist.
  • 28. Conclusion: for q a prime satisfying 4q = 1 − Δn² for some n ∈ Z, such that p = q + 2 is also a prime, the ECDLP in E(Fq) whose order is p can be reduced to the DLP in the finite field of order p² as an additive group.
  • 29. Question of Existence: how to construct such cryptographically weak curves? Answer: by using the construction of anomalous elliptic curves (i.e. where |E(Fq)| = q).
  • 30. Recall
    - If q satisfies 4q = m² − Δn² for some m, n ∈ Z, then π = ±(m + n√Δ)/2.
    - As π² − tπ + q = 0, we get t = π + π̄ = ±m.
    - Therefore |E(Fq)| = q + 1 ± m.
    - If m = 1, then |E(Fq)| = q or q + 2.
  • 31. Construction of Anomalous Curves (based on [Leprevost et al])
    - Step 1: choose Δ < 0, a fundamental discriminant of an imaginary quadratic field K = Q(√Δ) such that the order of K has class number 1: Δ ∈ {−3, −4, −7, −8, −11, −19, −43, −67, −163} [Cox, Theorem 7.30]
  • 32. Step 1 (contd)
    - Choose an odd prime q such that 4q = 1 − Δn² for an integer n.
    - We can show that 1. −Δ ≡ 3 mod 8 (so Δ ∈ {−3, −11, −19, −43, −67, −163}) and 2. q = −Δu(u + 1) + (−Δ + 1)/4 for some integer u.
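The two facts claimed on slide 32 follow from the shape 4q = 1 − Δn² by reducing modulo 8 and writing n = 2u + 1; the derivation below is added here and is not part of the deck:

$$
\begin{aligned}
&4q = 1 - \Delta n^2,\ q \text{ odd}
\;\Rightarrow\; -\Delta n^2 = 4q - 1 \text{ is odd}
\;\Rightarrow\; n,\ \Delta \text{ odd and } n^2 \equiv 1 \pmod 8,\\
&4q \equiv 4 \pmod 8
\;\Rightarrow\; 4 \equiv 1 - \Delta \pmod 8
\;\Rightarrow\; -\Delta \equiv 3 \pmod 8,\\
&n = 2u + 1:\quad
4q = 1 - \Delta(4u^2 + 4u + 1) = -4\Delta u(u+1) + (1 - \Delta)
\;\Rightarrow\; q = -\Delta u(u+1) + \frac{1 - \Delta}{4}.
\end{aligned}
$$

The first line rules out the even discriminants −4 and −8 and the discriminant −7 (for which −Δ ≡ 7 mod 8), leaving exactly the six values listed on the slide; the last line is the formula used for q in the example on slide 38.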
  • 33. Step 2
    - O_K = O_Δ = Z[(Δ + √Δ)/2]
    - Let j(O_K) be the j-invariant of O_K. For class number 1 the j-invariant is given as follows [Cox, p. 261]:
        Δ      j(O_K)
        −3     0
        −11    −32³
        −19    −96³
        −43    −960³
        −67    −5280³
        −163   −640320³
  • 34. Step 3: choose an elliptic curve over L = K(j(O_K)) with j-invariant j0 = j(O_K). Since j(E) = 1728 · 4a³/(4a³ + 27b²), we can choose E: y² = x³ + ax + b where a = 3j0/(1728 − j0) and b = 2j0/(1728 − j0).
  • 35. Step 4
    - Reduce E to Ē: y² = x³ + [a]x + [b] over Fq.
    - We can show that |Ē(Fq)| ∈ {q, q + 2}.
    - If |Ē(Fq)| = q + 2, a prime, then we're done.
  • 36. Step 5
    - If |Ē(Fq)| = q, define E′: y² = x³ + d²[a]x + d³[b], where d ∈ Fq is a non-square (quadratic non-residue).
    - |E′(Fq)| = q + 2.
    - If q + 2 is prime, then we're done.
  • 37. Problem: it's not easy to find a prime q such that 4q = 1 − Δn² for an integer n and q + 2 is also a prime.
  • 38. Example
    - For Δ = −11 and u = 257 743 850 762 632 419 871 495,
    - q = 11u(u + 1) + (11 + 1)/4 = 730 750 818 665 451 459 112 596 905 638 433 048 232 067 471 723
    - j(O_K) = −32³
  • 39. Example (contd)
    - E: y² = x³ + ax + b, with a and b computed in Fq:
    - a = 3(−32³)/(1728 − (−32³)) = 425 706 413 842 211 054 102 700 238 164 133 538 302 169 176 474
    - b = 2(−32³)/(1728 − (−32³)) = 527 387 882 116 624 522 439 332 460 655 566 708 278 801 941 557
  • 40. Example (contd)
    - #E(Fq) = q + 2, BUT
    - q + 2 = 730 750 818 665 451 459 112 596 905 638 433 048 232 067 471 725 = 3³ × 5² × 4217 × 20 016 645 573 637 × 2413 234 030 223 5314 × 607 504 832 341 is not a prime
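The following Python script is an added example, not code from the deck or its authors. It takes the deck's own Δ, u and j(O_K) from slides 32, 33 and 38, rebuilds the curve of Step 3 and Step 4 (a = 3j0/(1728 − j0), b = 2j0/(1728 − j0) reduced into Fq), and runs the checks a reviewer would apply before trusting such a curve: that 4q = 1 − Δn² holds with n = 2u + 1, that q is (probably) prime, which of the two orders q or q + 2 the reduced curve has (decided by multiplying a random point by each candidate, since slide 35 guarantees one of them), and that q + 2 is composite, so the example falls outside the Main Theorem. It also runs the encrypt/decrypt round trip of slides 13 and 14 on the same curve to show the identity M = C2 − dC1. Assumptions: Python 3.8+ (for modular inverses via `pow(x, -1, p)`), a Miller–Rabin test standing in for whatever primality check the authors used, point sampling via the exponent (q + 1)/4 (valid because this q ≡ 3 mod 4), and a random curve point standing in for the deck's "difference of coordinates equals m" message embedding, which is not implemented here.

```python
import random

# Parameters copied from the deck's example (slide 38): Δ = -11 and the integer u.
DELTA = -11
U = 257743850762632419871495
Q = -DELTA * U * (U + 1) + (-DELTA + 1) // 4   # q = -Δu(u+1) + (-Δ+1)/4 (slide 32)
J0 = -32 ** 3                                  # j(O_K) for Δ = -11 (slide 33)

def frobenius_n():
    """n with 4q = 1 - Δn²; for q = -Δu(u+1) + (1-Δ)/4 this is n = 2u + 1."""
    n = 2 * U + 1
    if 4 * Q != 1 - DELTA * n * n:
        raise ValueError("q is not of the form (1 - Δn²)/4")
    return n

def is_probable_prime(n, rounds=24, rng=random.Random(1)):
    """Miller-Rabin (assumed stand-in for the authors' primality test)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def curve_from_j(j0, p):
    """Steps 3-4: a = 3j0/(1728 - j0), b = 2j0/(1728 - j0), reduced into F_p."""
    k = j0 * pow(1728 - j0, -1, p) % p
    return 3 * k % p, 2 * k % p

# Affine arithmetic on y² = x³ + ax + b over F_p; None plays the role of O.
def ec_add(P, R, a, p):
    if P is None or R is None:
        return R if P is None else P
    (x1, y1), (x2, y2) = P, R
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                        # R = -P
    if x1 == x2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord through P and R
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mul(k, P, a, p):
    """Double-and-add scalar multiplication [k]P."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P, k = ec_add(P, P, a, p), k >> 1
    return R

def random_point(a, b, p, rng):
    """Random affine point; sqrt(r) = r^((p+1)/4) is valid because p ≡ 3 (mod 4)."""
    assert p % 4 == 3
    while True:
        x = rng.randrange(p)
        rhs = (x ** 3 + a * x + b) % p
        y = pow(rhs, (p + 1) // 4, p)
        if y * y % p == rhs:
            return x, y

def classify_order(a, b, p, rng=random.Random(2)):
    """Slide 35: #E(F_q) ∈ {q, q+2}; a random point is killed by the true order."""
    P = random_point(a, b, p, rng)
    if ec_mul(p, P, a, p) is None:
        return "q"          # anomalous: the weak case named on slide 22
    if ec_mul(p + 2, P, a, p) is None:
        return "q+2"        # the class the Main Theorem covers when q + 2 is prime
    return "other"

def weak_class_report():
    """The deck's checks applied to its own example curve."""
    a, b = curve_from_j(J0, Q)
    return {"q_prime": is_probable_prime(Q),
            "order": classify_order(a, b, Q),
            "q_plus_2_prime": is_probable_prime(Q + 2)}   # slide 40: not prime

def elgamal_roundtrip(a, b, p, rng=random.Random(3)):
    """Slides 13-14: (C1, C2) = (kP, M + kQ) and M = C2 - d*C1."""
    P = random_point(a, b, p, rng)
    d = rng.randrange(1, p)                       # private key d
    Qpub = ec_mul(d, P, a, p)                     # public key Q = dP
    M = random_point(a, b, p, rng)                # message point (constructed stand-in)
    k = rng.randrange(1, p)
    C1, C2 = ec_mul(k, P, a, p), ec_add(M, ec_mul(k, Qpub, a, p), a, p)
    dC1 = ec_mul(d, C1, a, p)
    recovered = ec_add(C2, (dC1[0], -dC1[1] % p), a, p)
    return recovered == M
```

`weak_class_report()` returns the order the reduced curve actually has together with the two primality verdicts; for the deck's parameters `q_plus_2_prime` is False (q + 2 ends in 725, so 25 divides it), which is exactly why slide 40 rejects this curve as an instance of the Main Theorem. The order check is the useful part for a curve reviewer: a result of "q" flags an anomalous curve, and "q+2" with a prime q + 2 flags the class this work reduces. `elgamal_roundtrip()` returns True when decryption with d recovers M.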
  • 41. Twin Prime Conjecture: there are infinitely many primes q such that q + 2 is also prime.
  • 42. Next?
    - Find examples of "weak curves", i.e. twin primes that satisfy the condition in the Main Theorem.
    - Does the result in this work have any relevance to the ECDLP for elliptic curves whose endomorphism ring is a totally non-maximal order?
  • 43. References
    [1] H. Baier (2002), Efficient algorithms for generating elliptic curves over finite fields suitable for use in cryptography, PhD Dissertation.
    [2] I. F. Blake, G. Seroussi, and N. P. Smart (2000), Elliptic curves in cryptography, volume 265 of London Mathematical Society Lecture Note Series, Cambridge University Press, Cambridge.
    [3] I. F. Blake, G. Seroussi, and N. P. Smart (2005), Advances in elliptic curve cryptography, volume 317 of London Mathematical Society Lecture Note Series, Cambridge University Press, Cambridge.
    [4] J. Buchmann and H. C. Williams (1988), A key exchange system based on imaginary quadratic fields, Journal of Cryptology, 1, 107-118.
  • 44. References (contd)
    [5] J. Buchmann (2004), Introduction to cryptography, Springer.
    [6] H. Cohen and G. Frey (2006), Handbook of elliptic and hyperelliptic curve cryptography, Chapman and Hall/CRC, Taylor and Francis Group.
    [7] D. A. Cox (1989), Primes of the form x² + ny², John Wiley and Sons, New York.
    [8] W. Diffie and M. Hellman (1976), New directions in cryptography, IEEE Transactions on Information Theory, 22, 472-492.
    [9] A. Enge (2001), Elliptic curves and their applications to cryptography: an introduction, Kluwer Academic Publishers.
    [10] D. Hankerson, A. J. Menezes, S. Vanstone (2004), Guide to elliptic curve cryptography, Springer-Verlag, New York.
  • 45. References (contd)
    [11] D. Huhnlein, M. J. Jacobson, S. Paulus and T. Takagi (1998), A cryptosystem based on non-maximal imaginary quadratic orders with fast decryption, in Advances in Cryptology, LNCS 1403, Springer, 294-307.
    [12] D. Huhnlein, M. J. Jacobson, D. Weber (2003), Towards Practical Non-Interactive Public-Key Cryptosystems Using Non-Maximal Imaginary Quadratic Orders, Designs, Codes and Cryptography, 30, Issue 3, 281-299.
    [13] D. Huhnlein, T. Takagi (1999), Reducing logarithms in totally non-maximal imaginary quadratic orders to logarithms in finite fields, ASIACRYPT, 219-231.
    [14] N. Koblitz (1987), Elliptic curve cryptosystems, Mathematics of Computation 48, 203-209.
  • 46. References (contd)
    [15] H. W. Lenstra (1996), Complex multiplication structure of elliptic curves, Journal of Number Theory, 56, No. 2, 227-241.
    [16] F. Leprevost, J. Monnerat, S. Varrette, S. Vaudenay (2005), Generating anomalous elliptic curves, Information Processing Letters, 93, 225-230.
    [17] K. S. McCurley (1988), A Key Distribution System Equivalent to Factoring, Journal of Cryptology 1, 95-105.
    [18] V. S. Miller (1986), Use of elliptic curves in cryptography, in Advances in Cryptology - CRYPTO '85, Springer-Verlag, LNCS 218, 417-426.
    [19] J. H. Silverman (1986), The arithmetic of elliptic curves, Springer-Verlag, New York.
    [20] L. C. Washington (2008), Elliptic curves, number theory and cryptography, Chapman and Hall/CRC, Taylor and Francis Group.