On the Vector Decomposition Problem for m-torsion points on an Elliptic Curve
Negar Kiyavash¹ and Iwan Duursma
Coordinated Science Laboratory, 1308 W. Main St., Urbana, IL 61801
{kiyavash,duursma}@uiuc.edu

I. Introduction

Yoshida et al. [1] proposed a new hard problem, the vector decomposition problem (VDP). Yoshida proves sufficient conditions under which the VDP on a two-dimensional vector space is at least as hard as the Computational Diffie-Hellman Problem (CDHP) on a one-dimensional subspace. We prove that any elliptic curve for which the sufficient conditions hold is bound to be supersingular. Furthermore, we give a family of hyperelliptic curves of genus two that are suitable for the VDP.

Definition 1: The VDP on V (a two-dimensional vector space over F) is "given e₁, e₂, v ∈ V such that {e₁, e₂} is an F-basis for V, find the vector u ∈ V such that u ∈ ⟨e₁⟩ and v − u ∈ ⟨e₂⟩". On the other hand, the CDHP on V′, a one-dimensional vector space, is "given e ∈ V′ \ {0} and ae, be ∈ ⟨e⟩, find abe ∈ ⟨e⟩".

Theorem 1 (Yoshida et al. [1]): The VDP on V is at least as hard as the CDHP on V′ ⊂ V if for any e ∈ V′ there are linear isomorphisms ψₑ, φₑ : V → V which satisfy the following three conditions:
(1) For any v ∈ V, ψₑ(v) and φₑ(v) are effectively defined and can be computed in polynomial time.
(2) {e, ψₑ(e)} is an F-basis for V.
(3) There are α₁, α₂, α₃ ∈ F with φₑ(e) = α₁e and φₑ(ψₑ(e)) = α₂e + α₃ψₑ(e), where α₁, α₂, α₃ ≠ 0. The elements α₁, α₂, α₃ and their inverses can be calculated in polynomial time.

The conditions stated in the theorem are stronger than what is necessary. Indeed, it is enough to have two linear endomorphisms that satisfy the conditions stated above. Studying the endomorphism ring of the curve then classifies all the possibilities for the linear endomorphisms ψₑ, φₑ : V → V.
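As an added worked check, not part of the paper, the following Python code instantiates the three conditions of Theorem 1 on the instance that Section II attributes to Yoshida et al.: E : y² = x³ + 1 over F_{p²} with p ≡ 2 (mod 3) and 6m = p + 1, ψ(x, y) = (ςx, y) with ς² + ς + 1 = 0, and φ the Frobenius map (x, y) ↦ (x^p, y^p). The prime p = 101 (so m = 17), the representation F_{p²} = F_p[t]/(t² + t + 1) with ς = t, and the brute-force point search are my own choices. The code finds a rational point e of order m and verifies condition (2), that ψ(e) ∉ ⟨e⟩, and condition (3) with α₁ = 1 and α₂ = α₃ = −1, i.e. φ(e) = e and φ(ψ(e)) = −e − ψ(e), the same relation that Lemma 2 states for the genus-two setting.

```python
# Added example, not from the paper: numerical check of the conditions of
# Theorem 1 for E: y^2 = x^3 + 1 over F_{p^2}, with psi(x, y) = (zeta*x, y),
# zeta^2 + zeta + 1 = 0, and phi the Frobenius map (x, y) -> (x^p, y^p).
# p = 101 (so m = 17 with 6m = p + 1) is my own choice of parameters.

P = 101   # prime with p = 2 (mod 3); p + 1 = 102 = 6 * 17
M = 17    # the prime m with 6m = p + 1


class Fp2:
    """Element a + b*t of F_{p^2} = F_p[t]/(t^2 + t + 1); t^2 + t + 1 is
    irreducible since p = 2 (mod 3), and zeta = t is a primitive cube root of unity."""

    def __init__(self, a, b=0):
        self.a, self.b = a % P, b % P

    def __add__(self, o):
        return Fp2(self.a + o.a, self.b + o.b)

    def __sub__(self, o):
        return Fp2(self.a - o.a, self.b - o.b)

    def __neg__(self):
        return Fp2(-self.a, -self.b)

    def __mul__(self, o):
        # (a + b t)(c + d t) = ac + (ad + bc) t + bd t^2, and t^2 = -1 - t
        a, b, c, d = self.a, self.b, o.a, o.b
        return Fp2(a * c - b * d, a * d + b * c - b * d)

    def __eq__(self, o):
        return isinstance(o, Fp2) and (self.a, self.b) == (o.a, o.b)

    def conj(self):
        # Frobenius x -> x^p: fixes F_p and sends t to t^p = t^2 = -1 - t
        return Fp2(self.a - self.b, -self.b)

    def inv(self):
        # x * conj(x) = a^2 - ab + b^2 is the norm, an element of F_p
        n = (self.a * self.a - self.a * self.b + self.b * self.b) % P
        return self.conj() * Fp2(pow(n, -1, P))


ZETA = Fp2(0, 1)
ONE = Fp2(1)


def on_curve(pt):
    """Affine points are (x, y) with y^2 = x^3 + 1; None is the point at infinity."""
    return pt is None or pt[1] * pt[1] == pt[0] * pt[0] * pt[0] + ONE


def ec_add(p1, p2):
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if y1 == -y2:            # p2 = -p1 (also covers points of order 2)
            return None
        lam = Fp2(3) * x1 * x1 * (Fp2(2) * y1).inv()   # tangent slope, a4 = 0
    else:
        lam = (y2 - y1) * (x2 - x1).inv()
    x3 = lam * lam - x1 - x2
    return (x3, lam * (x1 - x3) - y1)


def ec_mul(k, pt):
    acc = None
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def ec_neg(pt):
    return None if pt is None else (pt[0], -pt[1])


def psi(pt):
    return None if pt is None else (ZETA * pt[0], pt[1])


def phi(pt):
    return None if pt is None else (pt[0].conj(), pt[1].conj())


def rational_point_of_order_m():
    """E(F_p) has p + 1 = 6m points; 6 times a rational point has order 1 or m."""
    for x0 in range(P):
        for y0 in range(P):
            if (y0 * y0 - x0 ** 3 - 1) % P == 0:
                e = ec_mul(6, (Fp2(x0), Fp2(y0)))
                if e is not None:
                    return e
    raise ValueError("no rational point of order m found")


def check_theorem1_conditions():
    """Return (basis, alpha1_is_one, relation): condition (2), and condition (3)
    with alpha1 = 1, alpha2 = alpha3 = -1, for a rational point e of order m."""
    e = rational_point_of_order_m()
    assert on_curve(e) and ec_mul(M, e) is None        # e has exact order m
    pe = psi(e)
    assert on_curve(pe)
    # (2): psi(e) is not a multiple of e, so {e, psi(e)} spans E[m] = Z/m x Z/m
    basis = all(ec_mul(k, e) != pe for k in range(M))
    # (3): phi(e) = 1 * e, and phi(psi(e)) = (-1) * e + (-1) * psi(e)
    alpha1_is_one = phi(e) == e
    relation = phi(pe) == ec_add(ec_neg(e), ec_neg(pe))
    return basis, alpha1_is_one, relation


if __name__ == "__main__":
    print(check_theorem1_conditions())
```

Run directly, the script prints the triple (True, True, True). The result does not depend on which rational point of order m the search returns: ψ acts on E[m] as the cube root of unity ς, so ψ² + ψ + 1 = 0 as an endomorphism, and the Frobenius fixes the rational coordinates of e while sending ς to ς^p = ς².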

II. Main results

Yoshida et al. [1] propose to choose V = E[m], the group of m-torsion points on an elliptic curve, and V′ = E(F_p) ∩ E[m], the subgroup of rational torsion points, where p ≡ 2 (mod 3) is a prime and E : y² = x³ + 1 is an elliptic curve over F_p. The integer m is chosen to be a prime such that 6m = p + 1 and E[m] = {P | mP = 0} ⊂ E(F_{p²}). Moreover, the map ψ is chosen to be ψ(x, y) = (ςx, y), where ς² + ς + 1 = 0, and φ(x, y) = (x^p, y^p) is the Frobenius map. But E : y² = x³ + 1 is supersingular and thus susceptible to the MOV attack. This is not a mere incidence of a bad choice but the general case.

Theorem 2: Any elliptic curve with two linear endomorphisms ψₑ, φₑ : V → V satisfying the conditions of Theorem 1, where V is chosen to be E[m], the group of m-torsion points, is supersingular.

The difficulty of the vector decomposition problem is based on Theorem 1 above. Thus, the vector decomposition problem is difficult if the Diffie-Hellman problem on a one-dimensional subspace is difficult. If we choose the group Z/mZ × Z/mZ as a subgroup of the m-torsion points in the Jacobian of a higher genus curve, then we can avoid the MOV and the Frey-Rück attack [2] and we can satisfy the conditions of Theorem 1 for curves that are not supersingular.

A special case of genus-two curves is the family of the form y² = (x³ − u⁶)(x³ − v⁶), where u⁶ and v⁶ are scalars in F_p. The curves form a one-parameter family in the three-parameter moduli space of genus two curves [3]. The curves in the family have as common property that the Jacobian of the curve is (2,2)-isogenous to a product E₁ × E₂ of elliptic curves such that E₁ and E₂ are 3-isogenous. We give the j-invariants of E₁ and E₂.

Lemma 1: The Jacobian of the hyperelliptic curve C : y² = (x³ − u⁶)(x³ − v⁶) is isogenous to a product of elliptic curves E₁ and E₂,
$$E_{1,2} : y^2 = x^3 + \frac{ab}{(a-b)^2}\,(3x-1)^2,$$
with j-invariants
$$j_{1,2} = -4 \cdot 1728 \cdot \frac{ab\,(a+2b)^3\,(2a+b)^3}{(a-b)^6\,(a+b)^2},$$
for a = u³, b = ±v³, respectively. The isogeny of the elliptic curves E₁ and E₂ is defined over an extension of F_p that contains the third roots of unity. Over the extension field, both E₁ and E₂ have the same number of points.

The setup for the VDP is now as follows. We choose C starting from an elliptic curve E₁ that has a large cyclic subgroup Z/mZ of rational points over F_p, for p ≡ 2 (mod 3). Then we choose as two-dimensional vector space V the m-torsion Z/mZ × Z/mZ in the Jacobian of the hyperelliptic curve C : y² = (x³ − u⁶)(x³ − v⁶) over the extension field F_{p²}, and we choose as one-dimensional subspace V′ the subspace Z/mZ of V that is rational over F_p. Then the map ψ is chosen to be ψ : (x, y) ↦ (ςx, y), where ς² + ς + 1 = 0, and φ is the Frobenius map (x, y) ↦ (x^p, y^p).

Lemma 2: For any element e ∈ Jac(C)(F_p), φ(ψ(e)) = −e − ψ(e).

Theorem 3: Let C : y² = (x³ − u⁶)(x³ − v⁶) be a hyperelliptic curve, and let V and V′ be vector spaces of dimensions two and one, respectively. For any 0 ≠ e ∈ V′, the two-dimensional vector space V has a basis {e, ψ(e)} such that φ(e) = e and φ(ψ(e)) = −e − ψ(e), where e = (x, y) is a point on the curve over F_p. Then the VDP on V, with respect to the basis {e, ψ(e)}, is at least as hard as the computational Diffie-Hellman problem in V′: "given (e, ae, be) compute abe".

¹ Supported by Motorola Grant 558910-239016.
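As an added exact-arithmetic check, not from the paper, the following Python code expands the Lemma 1 curve y² = x³ + (ab/(a−b)²)(3x−1)² into Weierstrass form y² = x³ + a₂x² + a₄x + a₆ and compares its j-invariant, computed from the standard quantities b₂, b₄, b₆, b₈, c₄ and Δ, with the closed formula j = −4·1728·ab(a+2b)³(2a+b)³/((a−b)⁶(a+b)²) stated in the lemma. The sample values of a = u³ and b = ±v³ are my own; the two computations agree for every sample, and the helper lemma1_pair shows that the two choices of sign for b give the two distinct curves E₁ and E₂.

```python
# Added example, not from the paper: verify the j-invariant formula of Lemma 1
# over Q with exact rational arithmetic. Sample (a, b) values are constructed.
from fractions import Fraction


def j_invariant(a2, a4, a6):
    """j-invariant of y^2 = x^3 + a2 x^2 + a4 x + a6 (a1 = a3 = 0),
    via the usual b2, b4, b6, b8, c4 and discriminant."""
    b2 = 4 * a2
    b4 = 2 * a4
    b6 = 4 * a6
    b8 = 4 * a2 * a6 - a4 * a4
    c4 = b2 * b2 - 24 * b4
    disc = -b2 * b2 * b8 - 8 * b4 ** 3 - 27 * b6 * b6 + 9 * b2 * b4 * b6
    if disc == 0:
        raise ValueError("singular curve (a = -b gives a + b = 0)")
    return c4 ** 3 / disc


def lemma1_curve_j(a, b):
    """j of E_{1,2}: y^2 = x^3 + c (3x - 1)^2 with c = ab/(a - b)^2,
    expanded as x^3 + 9c x^2 - 6c x + c."""
    c = Fraction(a * b, (a - b) ** 2)
    return j_invariant(9 * c, -6 * c, c)


def lemma1_formula_j(a, b):
    """The closed formula for j_{1,2} as stated in Lemma 1."""
    num = a * b * (a + 2 * b) ** 3 * (2 * a + b) ** 3
    den = (a - b) ** 6 * (a + b) ** 2
    return Fraction(-4 * 1728 * num, den)


def formulas_agree(samples=((2, 1), (5, -3), (7, 2), (11, -4))):
    """True when the expanded curve and the closed formula give the same j
    for every constructed sample (a, b) with a != +/- b."""
    return all(lemma1_curve_j(a, b) == lemma1_formula_j(a, b) for a, b in samples)


def lemma1_pair(u, v):
    """(j_1, j_2) for the curve y^2 = (x^3 - u^6)(x^3 - v^6): a = u^3, b = +v^3 and -v^3."""
    a = u ** 3
    return lemma1_formula_j(a, v ** 3), lemma1_formula_j(a, -v ** 3)


if __name__ == "__main__":
    print(formulas_agree())        # True
    print(lemma1_formula_j(2, 1))  # -12288000
    print(lemma1_pair(2, 1))
```

The agreement is an identity, not a coincidence of the samples: with c = ab/(a−b)² one has 9c + 2 = (a+2b)(2a+b)/(a−b)² and 4c + 1 = (a+b)²/(a−b)², and the Weierstrass computation gives j = −4·1728·c(9c+2)³/(4c+1). The check also makes the factor (a+b)² in the denominator visible: for b = −a the discriminant vanishes and the curve is singular.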

References
[1] M. Yoshida, S. Mitsunari, and T. Fujiwara, "Inseparable multiplex transmission scheme using the pairing on elliptic curves", ISEC 2002-65, 2002.
[2] G. Frey and H.-G. Rück, "A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves", Math. Comp. 62 (1994), no. 206, pp. 865–874.
[3] P. Gaudry and É. Schost, "On the invariants of the quotients of the Jacobian of a curve of genus 2", Applied Algebra, Algebraic Algorithms and Error-Correcting Codes, LNCS 2227, pp. 373–386, Springer-Verlag, 2001.
