Group structure of elliptic curves over ℤ/Nℤ

Massimiliano Sala; Daniele Taufer

doi:10.1515/jmc-2023-0025

Artikel Open Access

Group structure of elliptic curves over ℤ/Nℤ

Massimiliano Sala und Daniele Taufer

Veröffentlicht/Copyright: 14. Februar 2024

Veröffentlicht von

Veröffentlichen auch Sie bei De Gruyter Brill

Manuskript einreichen Informationen für Autor*innen

Aus der Zeitschrift Journal of Mathematical Cryptology Band 18 Heft 1

Abstract

We characterize the possible groups E ( Z ∕ N Z ) arising from elliptic curves over Z ∕ N Z in terms of the groups E ( F p ) , with p varying among the prime divisors of N . This classification is achieved by showing that the infinity part of any elliptic curves over Z ∕ p e Z is a Z ∕ p e Z -torsor, of which a generator is exhibited. As a first consequence, when E ( Z ∕ N Z ) is a p -group, we provide an explicit and sharp bound on its rank. As a second consequence, when N = p e is a prime power and the projected curve E ( F p ) has trace one, we provide an isomorphism attack to the elliptic curve discrete logarithm problem, which works only by means of finite ring arithmetic.

Keywords: group structure; elliptic curves; ECDLP

MSC 2010: 11T71; 13B25; 14H52

1 Introduction

Elliptic curves have been providing number theory with a fertile field of intense research for the last century, from theoretic [1–4], algorithmic [5,6], and applied [7–10] sides. In their basic definition, these objects consist of non-singular plane projective cubics, defined as the zero-set of a Weierstrass polynomial over a given base field. It is well known that these curves are actually abelian varieties with the chord-tangent sum [11–13]. The study of the group structure arising from this operation has attracted huge attention, and its grasp has proven to be remarkably challenging. Beyond its indisputable algebraic interest, the security of cryptographic protocols based on these curves relies upon the nature of their addition operation; hence, the investigation of these groups has received impetus in the last few decades.

When the underlying field is finite, any group that may be realized as the point group of an elliptic curve is known [14,15]. Nevertheless, both their distribution [16] and their efficient explicit description [17] are lines of open research. We refer to the study by Sala and Taufer [18] for an overview of the known classification of groups arising from curves with a Weierstrass model.

Elliptic curves may also be defined over rings, among which Z ∕ N Z is a significant instance both from a theoretical perspective [19] and for cryptographic applications [20,21]. In this study, we are mainly interested in their algebraic, especially groupal, properties: we classify all the possible groups arising from elliptic curves over any residue ring Z ∕ N Z in terms of their projected components modulo the prime divisors of N . More precisely, if p is a prime integer and v p ( N ) is the p -adic valuation of N , the Chinese reminder theorem provides a group isomorphism:

E ( Z ∕ N Z ) ≃ ⊕ p ∣ N E ( Z ∕ p v p ( N ) Z ) ,

whose components are known [12,19] to split as:

E ( Z ∕ p v p ( N ) Z ) = H ⊕ E ( F p ) .

The subgroup at infinity H , given by the kernel of the canonical projection, is known to be a p -group, since ∣ H ∣ = p v p ( N ) − 1 [19]. However, the structure of this group was only recently determined in terms of 0-layers of elliptic loops [22].

In this work, we provide a complete classification result based only on the arithmetic of curves over Z ∕ N Z . In particular, we prove the following group isomorphism:

E ( Z ∕ N Z ) ≃ ⊕ p ∣ N ∣ E ( F p ) ∣ ≠ p E ( F p ) ⊕ Z ∕ p v p ( N ) − 1 Z ⊕ ⊕ p ∣ N ∣ E ( F p ) ∣ = p G p ,

where every G p may be either Z ∕ p v p ( N ) Z (cyclic case) or F p ⊕ Z ∕ p v p ( N ) − 1 Z (split case). This result is obtained by proving that the infinity part of E ( Z ∕ p e Z ) is a Z ∕ p e Z -torsor, which is far from holding over generic local rings [23]. By proving it, we refine the case t = 0 of [22, Proposition 10.3], as we explicitly exhibit a generator of this cyclic subgroup.

From the aforementioned classification, we derive some consequences. First, we give an explicit bound on the rank of E ( Z ∕ N Z ) when the points of such curve form a p -group. This bound is sharp and depends only on p , determining as a corollary infinitely many groups that cannot arise from such curves. The proof of this bound also provides a systematic way for generating such p -curves of admissible ranks. Second, we exhibit a polynomial-time isomorphism attack to the elliptic curve discrete logarithm problem (ECDLP) over anomalous curves. Although similar attacks have already appeared [24,25], we find this approach noteworthy as its correctness and execution may be elaborated with only finite ring arithmetic, which makes it slightly more elementary.

This article is organized as follows. In Section 2, we recall some known results and definitions, including the group structure of elliptic curves over finite fields and the definition of such curves over rings. In Section 3, the group structure of elliptic curves over Z ∕ N Z is investigated and we derive our main result (Theorem 2). Consequently, in Section 4, we present a bound to the rank of p -groups that may arise from elliptic curves over Z ∕ N Z . An isomorphism attack to the ECDLP over anomalous curves is described in Section 5. Finally, conclusions and further work are discussed in Section 6.

2 Preliminaries

In this study, R always denotes a commutative ring with unity and R * is the set of its invertible elements. We use capital letters X , Y , and Z to denote the elements of R , while lowercase ones are variables in R [ x , y , z ] .

Definition 1

(Primitivity) A finite collection { X i } i ∈ { 0 , … , n } ⊆ R n + 1 is called primitive if the ideal ( { X i } i ∈ { 0 , … , n } ) R is R itself.

2.1 Elliptic curves over finite fields

The trace t of any elliptic curve over a finite field F q is constrained by the Hasse bound [11, Theorem V.1.1], i.e.,

t = q + 1 − ∣ E ( F q ) ∣

is bounded by

− 2 q ≤ t ≤ 2 q .

Not every possible integer t in the aforementioned interval occurs as the trace of an elliptic curve over F q , as detailed in [26, Theorem 4.1]. However, the same theorem shows that every such t may be achieved if q is a pure prime, i.e., the Hasse interval over prime fields is full. From this work, a complete characterization of the possible point groups for elliptic curves over finite fields has seen the light, independently discovered by two authors [14,15].

By virtue of these works, we know all the possible groups arising from elliptic curves over finite fields, which we will use in Section 3 to characterize those of curves over Z ∕ N Z .

2.2 Strong rank

To deal with matrices over commutative rings, it is worth introducing a stronger notion of matrix rank.

Definition 2

(Minor ideal) Let n , m ∈ Z ≥ 1 and A ∈ M n , m ( R ) . For every integer 1 ≤ t ≤ min { n , m } , we define the t-minor ideal I t ( A ) as the ideal generated by the t × t minors of A . We also define by convention I 0 ( A ) = R and for every t > min { n , m } , we set I t ( A ) = ( 0 ) .

Definition 3

(Strong rank) Let n , m ∈ Z ≥ 1 and A ∈ M n , m ( R ) . We define the strong rank of A as:

rk ( A ) = max { t ∈ Z ≥ 0 ∣ I t ( A ) ≠ ( 0 ) } .

This notion of rank is easily shown to be never lower than the usual notion of rank over rings [27, Chapter 4]. The convenience of using this rank relies on the following result.

Lemma 1

Let n , m ∈ Z ≥ 1 and A ∈ M n , m ( R ) be a matrix whose entries are primitive, then the following are equivalent.

rk ( A ) = 1 .
The 2 × 2 minors of A vanish.
All the primitive vectors of R n that may be obtained from an R -linear combination among the columns of A are equal up to R * -multiples.

Proof

Let A = ( a i , k ) 1 ≤ i ≤ n 1 ≤ k ≤ m .

[ i ⇒ i i ] Since rk ( A ) = 1 , then I 2 ( A ) = ( 0 ) ; hence, all the generators of I 2 ( A ) vanish.

[ i i ⇒ i i i ] Let v 1 = ( v 11 , … , v 1 n ) and v 2 = ( v 21 , … , v 2 n ) be two primitive column combinations. Since v 1 is primitive, there are α 1 , … , α n ∈ R with

∑ i = 1 n α i v 1 i = 1 ∈ R .

Any 2 × 2 minor of the ( n × 2 )-matrix ( v 1 ∣ v 2 ) , whose columns are v 1 and v 2 , is an R -linear combination of the 2 × 2 minors of A ; hence, it vanishes. Thus, for every i , j ∈ { 1 , … , n } , we have v 1 i v 2 j = v 1 j v 2 i , then

v 2 = 1 ⋅ v 2 = ∑ i = 1 n α i v 1 i v 2 j 1 ≤ j ≤ n = ∑ i = 1 n α i v 1 j v 2 i 1 ≤ j ≤ n = ∑ i = 1 n α i v 2 i v 1 .

This proves that v 2 is a multiple of v 1 , and since also v 2 is primitive, then the scalar factor has to be a unit, i.e., ∑ i = 1 n α i v 2 i ∈ R * .

[ i i i ⇒ i ] For every pair of columns c k and c h of A , there is r k h ∈ R * such that c h = r k h c k . Therefore, for every 1 ≤ i , j ≤ n , we have

a i k a j h − a i h a j k = r k h ( a i k a j k − a i k a j k ) = 0 ,

which shows that I 2 ( A ) = ( 0 ) . Moreover, since the entries of A are primitive, we have I 1 ( A ) = R , so that rk ( A ) = 1 .□

2.3 Elliptic curves over rings

Let n be a non-negative integer. The projective n -space over R is defined in order to respect projections on any non-zero quotient of R , as follows.

Definition 4

(Projective n -space) The projective n-space over R is the set of orbits of primitive tuples in R n + 1 under the action of elements u ∈ R * given by:

u ( X 0 , … , X n ) = ( u X 0 , … , u X n ) .

It is denoted by P n ( R ) , while ( X 0 : ⋯ : X n ) ∈ P n ( R ) represents the orbit of ( X 0 , … , X n ) ∈ R n + 1 .

An elliptic curve over R may be defined [19] to properly extend a family of elliptic curves over R ∕ m , for m ranging among all the maximal ideals of R , provided that this ring satisfies the following condition.

Condition I [19] For every pair n , m ∈ Z ≥ 1 and every matrix

A = ( a i j ) 1 ≤ i ≤ n 1 ≤ j ≤ m ∈ M n , m ( R )

with strong rank rk ( A ) = 1 and primitive entries, there exists an R -linear combination of the columns of A whose entries are primitive.

In this work, we will only deal with elliptic curves that may be defined via their short Weierstrass equation, which is not restrictive when 6 ∈ R * .

Definition 5

(Elliptic curve over R ) Let R be a commutative ring with unity satisfying Condition I and let A , B ∈ R such that

Δ A , B = − ( 4 A 3 + 27 B 2 ) ∈ R * .

The elliptic curve E A , B ( R ) is defined as:

E A , B ( R ) = { ( X : Y : Z ) ∈ P 2 ( R ) ∣ Y 2 Z = X 3 + A X Z 2 + B Z 3 } .

Given an elliptic curve E = E A , B ( R ) , we denote by O = ( 0 : 1 : 0 ) ∈ E its zero element, with E a = E ∩ P aff 2 ( R ) its affine points and with E ∞ the remaining points, which are called points at infinity.

On these curves, a sum operation may be explicitly defined on an open covering of E A , B ( R ) × E A , B ( R ) by means of ( 2 , 2 ) -bidegree polynomials [28,29]. This operation extends the usual point addition with respect to projections, i.e., for every proper ideal I ⊊ R , we have a well defined group homomorphism:

π : E A , B ( R ) ↠ E A , B ( R ∕ I ) .

We recall for convenience the two addition laws we use in this work: the sum of P 1 = ( X 1 : Y 1 : Z 1 ) and P 2 = ( X 2 : Y 2 : Z 2 ) is given by any primitive linear combination of ( S 1 : S 2 : S 3 ) and ( T 1 : T 2 : T 3 ) , where^[1]

S 1 = ( X 1 Y 2 − X 2 Y 1 ) ( Y 1 Z 2 + Y 2 Z 1 ) + ( X 1 Z 2 − X 2 Z 1 ) Y 1 Y 2 − A ( X 1 Z 2 − X 2 Z 1 ) ( X 1 Z 2 + X 2 Z 1 ) − 3 B ( X 1 Z 2 − X 2 Z 1 ) Z 1 Z 2 , S 2 = − 3 X 1 X 2 ( X 1 Y 2 − X 2 Y 1 ) − Y 1 Y 2 ( Y 1 Z 2 − Y 2 Z 1 ) − A ( X 1 Y 2 − X 2 Y 1 ) Z 1 Z 2 + A ( Y 1 Z 2 − Y 2 Z 1 ) ( X 1 Z 2 + X 2 Z 1 ) + 3 B ( Y 1 Z 2 − Y 2 Z 1 ) Z 1 Z 2 , S 3 = 3 X 1 X 2 ( X 1 Z 2 − X 2 Z 1 ) − ( Y 1 Z 2 − Y 2 Z 1 ) ( Y 1 Z 2 + Y 2 Z 1 ) + A ( X 1 Z 2 − X 2 Z 1 ) Z 1 Z 2

and

T 1 = Y 1 Y 2 ( X 1 Y 2 + X 2 Y 1 ) − A X 1 X 2 ( Y 1 Z 2 + Y 2 Z 1 ) − A ( X 1 Y 2 + X 2 Y 1 ) ( X 1 Z 2 + X 2 Z 1 ) − 3 B ( X 1 Y 2 + X 2 Y 1 ) Z 1 Z 2 − 3 B ( X 1 Z 2 + X 2 Z 1 ) ( Y 1 Z 2 + Y 2 Z 1 ) + A 2 ( Y 1 Z 2 + Y 2 Z 1 ) Z 1 Z 2 , T 2 = Y 1 2 Y 2 2 + 3 A X 1 2 X 2 2 + 9 B X 1 X 2 ( X 1 Z 2 + X 2 Z 1 ) − A 2 X 1 Z 2 ( X 1 Z 2 + 2 X 2 Z 1 ) − A 2 X 2 Z 1 ( 2 X 1 Z 2 + X 2 Z 1 ) − 3 A B Z 1 Z 2 ( X 1 Z 2 + X 2 Z 1 ) − ( A 3 + 9 B 2 ) Z 1 2 Z 2 2 , T 3 = 3 X 1 X 2 ( X 1 Y 2 + X 2 Y 1 ) + Y 1 Y 2 ( Y 1 Z 2 + Y 2 Z 1 ) + A ( X 1 Y 2 + X 2 Y 1 ) Z 1 Z 2 + A ( X 1 Z 2 + X 2 Z 1 ) ( Y 1 Z 2 + Y 2 Z 1 ) + 3 B ( Y 1 Z 2 + Y 2 Z 1 ) Z 1 Z 2 .

A compact and efficient way for computing the latter addition law may be found in [22, Lemma 2.1]. Similar concise formulas over any characteristics were established in [23, Proposition 3.2].

3 Elliptic curves over Z ∕ N Z

Let N ∈ Z ≥ 2 be an integer. Hereafter, we consider elliptic curves defined over the ring R = Z ∕ N Z , which satisfies Condition I. More generally, in the study by Lenstra [19], this condition has been proved to hold for every ring with a finite number of maximal ideals. Here, we show that Z ∕ N Z underlies a condition even stronger than Condition I.

Lemma 2

Let N ∈ Z ≥ 2 be an integer and A be a matrix over Z ∕ N Z whose entries are primitive; then, there exists a linear combination of the columns of A that is primitive. In particular, R = Z ∕ N Z satisfies Condition I.

Proof

Let A = ( c 1 ∣ c 2 ∣ … ∣ c m ) be the columns of the considered matrix. Since A is primitive, for every prime p ∣ N , there are coefficients α 1 ( p ) , … , α m ( p ) ∈ Z ∕ p Z such that the vector

v ( p ) = ∑ i = 1 m α i ( p ) c i

is primitive over Z ∕ p Z . By the Chinese reminder theorem, we may find integers β 1 , … , β m ∈ Z solving, for every prime divisor p of N , the congruence system:

β i ≡ α i ( p ) mod p .

Therefore, ∑ i = 1 m β i c i is easily seen to be a primitive combination of the columns of A .□

We now recall how the group of points of an elliptic curve over Z ∕ N Z can be described by the curve projections over the p -components of this ring, with p ranging among the prime divisors of N .

Proposition 1

[12, Corollary 2.32] Let N 1 and N 2 be coprime integers and let A , B ∈ Z such that Δ A , B ∈ ( Z ∕ N 1 N 2 Z ) * . Then, the canonical projections induce a group isomorphism:

E A , B ( Z ∕ N 1 N 2 Z ) ≃ E A , B ( Z ∕ N 1 Z ) ⊕ E A , B ( Z ∕ N 2 Z ) .

Thus, it is sufficient to study the structure of elliptic curves E A , B ( Z ∕ p e Z ) for any prime p and positive integer e , which is the main goal of this section. We begin by noting that the points P ∈ E = E A , B ( Z ∕ p e Z ) of such curves have prescribed representatives:

If P ∈ E a , then there are X , Y ∈ Z ∕ p e Z such that
P = ( X : Y : 1 ) .
If P ∈ E ∞ , then there are X , Z ∈ p ( Z ∕ p e Z ) such that
P = ( X : 1 : Z ) .

The size of these curves is known, as reported in the next lemma.

Lemma 3

[19, Section 4] Let p be a prime, e ∈ Z ≥ 1 , and

π : E A , B ( Z ∕ p e Z ) → E A , B ( F p )

be the canonical projection. Then, for every P ∈ E A , B ( F p ) , we have

∣ π − 1 ( P ) ∣ = p e − 1 .

In particular:

The size of the curve is ∣ E A , B ( Z ∕ p e Z ) ∣ = p e − 1 ∣ E A , B ( F p ) ∣ ,
ker π is a subgroup of E A , B ( Z ∕ p e Z ) , whose size is p e − 1 .

The coordinates of points at infinity satisfy the following relation, which we prove by adapting the idea of expansion around O [11, Chapter IV].

Proposition 2

Let p be a prime, e ∈ Z ≥ 1 , and E = E A , B ( Z ∕ p e Z ) . There is a polynomial f ∈ Z [ x ] of degree at most e − 1 such that for every P ∈ E ∞ , there is X ∈ p ( Z ∕ p e Z ) satisfying

P = ( X : 1 : f ( X ) ) .

Moreover, we have

f ( X ) ≡ X 3 + A X 7 + B X 9 mod p 10 .

Proof

Since P ∈ E ∞ , it may be represented in the form ( X : 1 : Z ) , with X , Z ∈ p ( Z ∕ p e Z ) that satisfy

Z ≡ X 3 + A X Z 2 + B Z 3 mod p e .

We recursively define the following sequence of polynomials in Z [ x , z ] :

F 0 ( x , z ) = x 3 + A x z 2 + B z 3 , ∀ i ∈ Z ≥ 1 : F i ( x , z ) = F i − 1 ( x , F 0 ( x , z ) ) .

It is easy to see by induction on i ∈ Z ≥ 0 that this sequence satisfies

Z ≡ F i ( X , Z ) mod p e .

Moreover, every F i for i ∈ Z ≥ 1 is obtained from F i − 1 by substituting all the occurrences of z with F 0 ( x , z ) , which contains only terms of degree 3; hence, the total degree of terms involving z in F i is strictly increasing while increasing i . This means that there exist M ∈ Z ≥ 0 and g ∈ Z [ x , z ] such that

F M ( x , z ) = f ( x ) + g ( x , z ) ,

with g ∈ ( x , z ) e Z [ x , z ] and deg ( f ) < e . Since both X and Z are divisible by p , then

Z ≡ F M ( X , Z ) ≡ f ( X ) mod p e ,

so that f ∈ Z [ x ] is the required polynomial. A direct computation shows that

F 3 = x 3 + A x 7 + B x 9 + ( terms of degree ≥ 11 ) ,

which proves the moreover part.□

Remark 1

Although finite local rings are complete with respect to the topology induced by their maximal ideal, they may well not be domains (e.g., Z ∕ N Z ). For this reason, we found it appropriate to explicitly compute f instead of considering the truncation to the correct exponent of the classical series [11, Chapter IV].

To simplify the exposition, for any X ∈ Z ∕ p e Z and any positive integer t we write p t ∣ X or X ≡ 0 mod p t in place of the more precise X ∈ p t ( Z ∕ p e Z ) . In the same spirit, we assign a p -adic valuation to any X ∈ Z ∕ p e Z by writing

v p ( X ) = t , if X ∈ p t ( Z ∕ p e Z ) \ p t + 1 ( Z ∕ p e Z ) , e , if X = 0 .

From Proposition 2, it is possible to derive a description of the first-order approximation of the sum of two points at infinity.

Proposition 3

Let p be a prime, e ∈ Z ≥ 1 , E = E A , B ( Z ∕ p e Z ) , and f ∈ Z [ x ] be the polynomial arising from E as in Proposition 2. Let also

P 1 = ( X 1 : 1 : f ( X 1 ) ) a n d P 2 = ( X 2 : 1 : f ( X 2 ) ) ∈ E ∞ ,

with e 1 = v p ( X 1 ) and e 2 = v p ( X 2 ) . Then,

P 1 + P 2 = ( X 3 : 1 : f ( X 3 ) ) , where X 3 ≡ X 1 + X 2 mod p 5 min { e 1 , e 2 } .

Proof

As π is a group homomorphism, P 1 + P 2 lies in E ∞ , which implies that these points are never exceptional for the addition law + ( 0 : 1 : 0 ) corresponding to ( 0 : 1 : 0 ) [28, Theorem 2]. A straightforward computation with + ( 0 : 1 : 0 ) shows that, modulo monomials in X 1 and X 2 of total degree at least 5 (i.e., modulo p 5 min { e 1 , e 2 } ), we have

P 1 + P 2 = ( X 1 + X 2 : 1 + 3 A X 1 2 X 2 2 : ( X 1 + X 2 ) 3 ) ,

which is equal to ( X 1 + X 2 : 1 : ( X 1 + X 2 ) 3 ) as we verify by multiplying its entries by 1 − 3 A X 1 2 X 2 2 ∈ ( Z ∕ p 5 min { e 1 , e 2 } Z ) * .□

We can now prove that the infinity group is cyclic, which provides a structure theorem for elliptic curves over Z ∕ N Z .

Theorem 1

Let p be a prime, e ∈ Z ≥ 1 , and f ∈ Z [ x ] be the polynomial arising from E A , B ( Z ∕ p e Z ) as in Proposition 2. Then,

0 → ⟨ ( p : 1 : f ( p ) ) ⟩ ↪ ι E A , B ( Z ∕ p e Z ) → π E A , B ( F p ) → 0 ,

is a short exact sequence of groups.

Proof

We know that the canonical projection π : E A , B ( Z ∕ p e Z ) ↠ E A , B ( F p ) is a surjective group homomorphism and that ∣ ker π ∣ = p e − 1 by Lemma 3. Thus, it is sufficient to prove that P = ( p : 1 : f ( p ) ) ∈ ker π has order p e − 1 . Since P lies over O ∈ E A , B ( F p ) , then its order is a power of p ( ker π is a p -group). We prove by induction on 0 ≤ ε ≤ e − 1 that

p ε P = ( X : 1 : f ( X ) ) with v p ( X ) = ε + 1 .

In particular, the minimal ε such that X ≡ 0 mod p e is ε = e − 1 .

[ ε = 0 ] It is trivially seen that

p 0 P = ( p : 1 : f ( p ) ) and v p ( p ) = 1 .

[ ε → ε + 1 ] By the inductive hypothesis, we know that

p ε + 1 P = p ( p ε P ) = p ( X : 1 : f ( X ) ) and v p ( X ) = ε + 1 .

By Proposition 3 and induction on α ∈ { 1 , … , p − 1 } , we have

( X : 1 : f ( X ) ) + ( α X : 1 : f ( α X ) ) = ( X 2 : 1 : f ( X 2 ) ) ,

with

X 2 ≡ ( α + 1 ) X mod p 5 ( ε + 1 ) .

Thus, by specializing the aforementioned result for α = p − 1 , the p -adic valuation of the first component of p ( X : 1 : f ( X ) ) is proved to be v p ( X ) + 1 = ε + 2 .□

The aforementioned theorem shows that the infinity part of any elliptic curve over Z ∕ p e Z is a Z ∕ p e Z -torsor with respect to the standard multiplication action. This agrees with [22, Proposition 10.3], and it is sufficient to determine the group structure of these curves when their projection is not anomalous.

Corollary 1

Let p be a prime, e ∈ Z ≥ 1 , and E A , B ( Z ∕ p e Z ) be an elliptic curve such that ∣ E A , B ( F p ) ∣ ≠ p . Then,

E A , B ( Z ∕ p e Z ) ≃ E A , B ( F p ) ⊕ Z ∕ p e − 1 Z .

Proof

It is sufficient to show that the short exact sequence of Theorem 1 splits, which by the splitting lemma amounts to proving that it is left split. Since q = ∣ E A , B ( F p ) ∣ ≠ p is in the Hasse bound of p , then ( p , q ) = 1 , which implies the existence of a k ∈ Z satisfying

k ≡ 1 mod p e − 1 , k ≡ 0 mod q .

By Theorem 1, we have E A , B ∞ ( Z ∕ p e Z ) = π − 1 ( O ) = ⟨ ( p : 1 : f ( p ) ) ⟩ . Thus, since k ≡ 0 mod q , the map

E A , B ( Z ∕ p e Z ) → ⋅ k ⟨ ( p : 1 : f ( p ) ) ⟩

is a well defined group homomorphism. Moreover, since k ≡ 1 mod p e − 1 , the cyclic group ⟨ ( p : 1 : f ( p ) ) ⟩ is fixed under this map; hence, the multiplication-by- k is a left section for the considered sequence.□

Despite forming a cyclic group, the algebra of points at infinity may be rather involved [23]. However, when e is small, an explicit group isomorphism may also be exhibited. The key point is the simplified description of X 3 as X 1 + X 2 given by Proposition 3, when the exponent of p does not exceed 5. We also remark that in the more general setting of elliptic loops, 5 is the exponent threshold for associativity of the projective part [22, Lemma 8.3, 8.4].

Proposition 4

Let p be a prime, 1 ≤ e ≤ 5 be an integer, E A , B ( Z ∕ p e Z ) be an elliptic curve, and q = ∣ E A , B ( F p ) ∣ be the size of its projected curve. Then,

Φ : E A , B ( Z ∕ p e Z ) → E A , B ( F p ) ⊕ Z ∕ p e − 1 Z , P ↦ π ( P ) , 1 p ( q P ) x ( q P ) y

is a well defined group homomorphism. Moreover, if q ≠ p , then Φ is a group isomorphism.

Proof

It is easy to see that Φ ( P ) does not depend on the projective representative of P . Moreover, as π is a group homomorphism, we have

π ( q P ) = q π ( P ) = O ∈ E A , B ( F p ) .

Hence, by Proposition 2, we have q P = ( X : 1 : f ( X ) ) with X ∈ p ( Z ∕ p e Z ) . Therefore, ( q P ) x ( q P ) y ∈ p ( Z ∕ p e Z ) , which is canonically isomorphic to Z ∕ p e − 1 Z . Thus, Φ is a well defined map between groups having, by Lemma 3, the same size. It also respects the sum, as for every pair P 1 , P 2 ∈ E A , B ( Z ∕ p e Z ) , we compute

Φ ( P 1 ) + Φ ( P 2 ) = π ( P 1 + P 2 ) , 1 p ( q P 1 ) x ( q P 1 ) y + ( q P 2 ) x ( q P 2 ) y ,

and since e ≤ 5 min { v p ( ( q P 1 ) x ) , v p ( ( q P 2 ) x ) } , then by Proposition 3, we have

( q P 1 ) x ( q P 1 ) y + ( q P 2 ) x ( q P 2 ) y = ( q P 1 + q P 2 ) x ( q P 1 + q P 2 ) y = ( q ( P 1 + P 2 ) ) x ( q ( P 1 + P 2 ) ) y .

As for the moreover part, it is sufficient to prove that ker Φ = { O } when q ≠ p . Let Φ ( P ) = ( O , 0 ) , then there exists X ∈ p ( Z ∕ p e Z ) such that P = ( X : 1 : f ( X ) ) and

q X p ≡ ( q P ) x p ≡ 0 mod p e − 1 .

Since q lies in the Hasse interval of p , then q ≠ p implies ( p , q ) = 1 , and we conclude that X ≡ 0 mod p e ; hence, the kernel of Φ is trivial.□

When the restricted curve E A , B ( F p ) is anomalous, two different scenarios may occur. By Theorem 1, the curve E A , B ( Z ∕ p e Z ) is guaranteed to contain a cyclic subgroup of order p e − 1 ; therefore, it may be either cyclic

(Cyclic) E A , B ( Z ∕ p e Z ) ≃ Z ∕ p e Z ,

or split, i.e.,

(Split) E A , B ( Z ∕ p e Z ) ≃ F p ⊕ Z ∕ p e − 1 Z .

Even if the cyclic case occurs over Z ∕ p e Z with an overwhelming probability of p − 1 p [25], both may take place. For instance, one may check that

E 7 , 3 ( Z ∕ 1 3 2 Z ) ≃ ⟨ ( 0 : 61 : 1 ) ⟩ , while E 1 , 6 ( Z ∕ 1 3 2 Z ) ≃ ⟨ ( 2 : 4 : 1 ) ⟩ ⊕ ⟨ ( 13 : 1 : 0 ) ⟩ .

The aforementioned discussion leads to the classification theorem.

Theorem 2

Let N be a positive integer and let A and B be integers such that Δ A , B is coprime to N. Then, we have

E A , B ( Z ∕ N Z ) ≃ ⊕ p ∣ N ∣ E A , B ( F p ) ∣ ≠ p E A , B ( F p ) ⊕ Z ∕ p v p ( N ) − 1 Z ⊕ ⊕ p ∣ N ∣ E A , B ( F p ) ∣ = p G p ,

where every G p may be either Z ∕ p v p ( N ) Z or F p ⊕ Z ∕ p v p ( N ) − 1 Z .

Proof

By Proposition 1, we know that

E A , B ( Z ∕ N Z ) ≃ ⊕ p ∣ N E A , B ( Z ∕ p v p ( N ) Z ) .

By Corollary 1, for every p such that E A , B ( F p ) is not anomalous, we have

E A , B ( Z ∕ p e Z ) ≃ E A , B ( F p ) ⊕ Z ∕ p v p ( N ) − 1 Z .

On the other side, we have seen that

G p = F p ⊕ Z ∕ p v p ( N ) − 1 Z or G p = Z ∕ p v p ( N ) Z

may both occur as group structure of E A , B ( Z ∕ p v p ( N ) Z ) when E A , B ( F p ) is anomalous, which completes the study cases.□

Remark 2

Given a finite collection of elliptic curves { E A l , B l ( R l ) } 1 ≤ l ≤ k , we may define an elliptic curve over their product ring ∏ l = 1 k R l with the componentwise operation, and by [19, Section 4], we have

E ( A 1 , … , A k ) , ( B 1 , … , B k ) ∏ l = 1 k R l ≃ ∏ l = 1 k E A l , B l ( R l ) .

Thus, Theorem 2 provides the group structures of every elliptic curve defined over a ring isomorphic to a finite product of integer residue rings.

Remark 3

We note that Theorem 1 heavily relies on the behavior of elliptic curves over Z ∕ p e Z . Let us consider another local ring, namely, R = F 5 [ x ] ∕ ( x 4 ) , and let ε be a generator of its maximal ideal. Again, we have a canonical projection:

R → F 5 , X 0 + X 1 ε + X 2 ε 2 + X 3 ε 3 ↦ X 0 ,

so we have an elliptic curve E 1 , 2 ( R ) defined as in Section 2.3, together with a canonical projection onto E 1 , 2 ( F 5 ) .

This curve may appear similar to E 1 , 2 ( Z ∕ 5 4 Z ) at first glance, but one can directly verify that the point group of E 1 , 2 ( R ) is given by:

⟨ ( 2 ε 3 + ε : 1 : ε 3 ) ⟩ ⊕ ⟨ ( 3 ε 3 + 3 ε 2 + 2 ε : 1 : 3 ε 3 ) ⟩ ⊕ ⟨ ( ε 3 + ε + 3 : ε 3 + 3 ε 2 + 4 ε + 3 : 1 ) ⟩ ,

so that E 1 , 2 ( R ) ≃ Z ∕ 5 Z ⊕ Z ∕ 5 Z ⊕ Z ∕ 35 Z . This is due to the different structure of the infinity parts, as E 1 , 2 ∞ ( R ) ≃ ( Z ∕ 5 Z ) ⊕ 3 , while E 1 , 2 ∞ ( Z ∕ 5 4 Z ) ≃ Z ∕ 5 3 Z as prescribed by our previous results. A detailed study of the latter type of rings may be found in the study by Invernizzi and Taufer [23].

4 Rank of p -groups from elliptic curves

We know that groups arising from elliptic curves defined over finite fields have prescribed constraints [14,15], e.g., their rank cannot exceed 2. This restriction can be relaxed for curves defined over Z ∕ N Z , as their rank may be arbitrarily large, but it may still be bounded in terms of the number of primes inside a Hasse interval.

Definition 6

( ℋ p ) Given an integer p ∈ Z , we define

ℋ p = ∣ { q ∈ Z ∣ q is prime and p + 1 − 2 p ≤ q ≤ p + 1 + 2 p } ∣ .

The following result provides a sharp bound on the rank that elliptic curves over Z ∕ N Z may have if their point group are p -groups, which, in particular, shows that there are infinitely many groups that cannot arise as a point group for an elliptic curve over an integer residue ring.

Proposition 5

Let p ≥ 5 be a prime, N ∈ Z ≥ 2 , and E = E A , B ( Z ∕ N Z ) be an elliptic curve that is a p-group. Then, by defining

χ p = 2 , if t h e r e i s a p r i m e q s u c h t h a t E A , B ( F q ) ≃ F p ⊕ F p , 0 , otherwise ,

we have

rk ( E ) ≤ ℋ p + χ p + 1 .

Proof

By Theorem 2, we have

E ≃ ⊕ q ∣ N ∣ E A , B ( F q ) ∣ ≠ q E A , B ( F q ) ⊕ Z ∕ q v q ( N ) − 1 Z ⊕ ⊕ q ∣ N ∣ E A , B ( F q ) ∣ = q G q ,

where every G q may be either Z ∕ q v q ( N ) Z or F q ⊕ Z ∕ q v q ( N ) − 1 Z . It is easy to see that G q is a p -group only if q = p ; hence, we have

rk ⊕ q ∣ N ∣ E A , B ( F q ) ∣ = q G q ≤ 2 .

Similarly, we note that Z ∕ q v q ( N ) − 1 Z is a p -group only if q = p , but E A , B ( F p ) is a p -group if and only if ∣ E A , B ( F p ) ∣ = p . Thus, we have

⊕ q ∣ N ∣ E A , B ( F q ) ∣ ≠ q E A , B ( F q ) ⊕ Z ∕ q v q ( N ) − 1 Z ≃ ⊕ q ∣ N q ≠ p E A , B ( F q ) .

Moreover, since the rank of E A , B ( F q ) is at most 2 [12, Theorem 4.1], then it is a p -group only if

either E A , B ( F q ) ≃ F p or E A , B ( F q ) ≃ F p ⊕ F p .

Since the Hasse bound over a prime field is full, then E A , B ( F q ) may be isomorphic to F p for every prime q inside the Hasse interval of p .

On the other side, by [12, Prop.4.16], we know that E A , B ( F q ) ≃ F p ⊕ F p may occur only if

q ∈ { p 2 + 1 , p 2 ± p + 1 , p 2 ± 2 p + 1 } .

However, both p and q are odd primes; hence, only q = p 2 ± p + 1 may occur. Furthermore, since p > 3 , it is easy to see that either 3 ∣ p 2 + p + 1 or 3 ∣ p 2 − p + 1 ; therefore, only one of them can be prime. We conclude that there is at most one prime q such that E A , B ( F q ) ≃ F p ⊕ F p , so that

rk ⊕ q ∣ N q ≠ p E A , B ( F q ) ≤ ( ℋ p − 1 ) + χ p .

Collecting the aforementioned rank bounds, the statement follows.□

Example 1

Let p = 11 . None of 1 1 2 ± 11 + 1 is prime, then we have χ 11 = 0 ; therefore, by Proposition 5, regardless of N ∈ Z ≥ 2 , the rank of any elliptic curve over Z ∕ N Z that is a 11-group is bounded by ℋ 11 + 1 = 5 . We also note that this bound is sharp, as

E 167707 , 21664 ( Z ∕ 187187 Z ) ≃ F 11 ⊕ F 11 ⊕ F 11 ⊕ F 11 ⊕ F 11 .

Example 2

Let p = 13 . We note that 1 3 2 − 13 + 1 = 157 is prime and

E 0 , 15 ( F 157 ) ≃ F 13 ⊕ F 13 .

Therefore, we have χ 13 = 2 . By means of Proposition 5, we know that any elliptic curve over Z ∕ N Z that is a 13-group has rank-bounded by ℋ 13 + 3 = 8 . We note again that this bound is sharp, as

E 63707931 , 239467091 ( Z ∕ 659902243 Z ) ≃ ( F 13 ) ⊕ 8 .

5 Another isomorphism attack to anomalous ECDLP

Given an additive group G and a base element g ∈ G , the discrete logarithm problem (DLP) on G consists of computing for any given h ∈ G a positive integer N , if existent, such that h = N ⋅ g = g + g + ⋯ + g . When G is the point group of an elliptic curve (ECDLP), this problem is known to be computationally feasible only in special cases, such as the anomalous ones [24,25,30].

From the knowledge of the group structure provided by Theorem 1, we have another way of efficiently solving the ECDLP on anomalous curves using any cyclic curve that projects onto it.

Proposition 6

Let p be a prime, e ∈ Z ≥ 2 , and E = E A , B ( Z ∕ p e Z ) be an elliptic curve, whose point group is cyclic of order p e . Then, the map

Θ : E → F p , P ↦ 1 p e − 1 ( p e − 1 P ) x ( p e − 1 P ) y

is a well defined surjective group homomorphism, whose kernel is

ker Θ = ⟨ ( p : 1 : f ( p ) ) ⟩ .

Proof

For every P ∈ E , the point p e − 1 P is a p -torsion point of E ; hence,

p e − 1 P = ( X : 1 : f ( X ) ) , with v p ( X ) ≥ e − 1 .

Therefore, Θ ( P ) = X p e − 1 ∈ F p is well defined. Let G ∈ E be a generator of the point group of E ; then, for every integer m ∈ Z , we have

p e − 1 m G = m ( X : 1 : f ( X ) ) = ( m X : 1 : f ( m X ) ) ,

where the last equality follows from Proposition 3, as for every e ≥ 2 , the point p e − 1 G lies in ⟨ ( p e − 1 : 1 : 0 ) ⟩ . Thus, Θ ( m G ) = m Θ ( G ) , so that Θ is a group homomorphism. Moreover, from the aforementioned equation, it follows that

ker Θ = { m p G ∣ m ∈ Z } = ⟨ ( p : 1 : f ( p ) ) ⟩ .

By comparing the size of these groups, the surjectivity follows.□

From the aforementioned proposition, the discrete logarithm over anomalous curves may be immediately recovered.

Corollary 2

Let p be a prime, e ∈ Z ≥ 2 , and E A , B ( Z ∕ p e Z ) be an elliptic curve, whose point group is cyclic of order p e . Then, the map

Θ ∘ π − 1 : E A , B ( F p ) → F p

is a well defined group isomorphism.

Proof

By Theorem 1, the projection π induces a group isomorphism E A , B ( Z ∕ p e Z ) ∕ ⟨ ( p : 1 : f ( p ) ) ⟩ ≃ E ( F p ) , whereas the map Θ arisen from Proposition 6 induces a group isomorphism E A , B ( Z ∕ p e Z ) ∕ ⟨ ( p : 1 : f ( p ) ) ⟩ ≃ F p . By composing those isomorphisms, the result follows.□

Finding any lift of a given point is computationally costless; therefore, the complexity of the isomorphism attack given by Corollary 2 only depends on the cost of computing Θ , which is O ( log p ) . This approach is not faster than previously known attacks to the same family of curves [24,25,30], but it has the advantage of involving only finite precision objects.

Example 3

Let us consider an anomalous curve as constructed in the study by Leprévost et al. [31]:

p = 730750818665451459112596905638433048232067471723 , A = 425706413842211054102700238164133538302169176474 , B = 203362936548826936673264444982866339953265530166 .

We consider on E A , B ( F p ) the points

P = ( 1 : 310536468939899693718962354338996655381367569020 : 1 ) , Q = ( 3 : 38292783053156441019740319553956376819943854515 : 1 ) .

To find their discrete logarithm, it is sufficient to compute any lifts, such as

P ↑ = ( 1 : P y + α p : 1 ) , Q ↑ = ( 3 : Q y + β p : 1 ) ∈ E A , B ( Z ∕ p 2 Z ) ,

where

α = 1 + A + B − P y 2 2 p P y mod p 2 , and β = 27 + 3 A + B − Q y 2 2 p Q y mod p 2 ,

and to apply them, the group homomorphism Θ of Proposition 6:

Θ ( P ↑ ) = 343088892565802863386490109374548044078624360215 , Θ ( Q ↑ ) = 470974712001084540433398653921983741661987449793 .

This way we obtain the discrete logarithm N such that Q = N ⋅ P as:

N = Θ ( Q ↑ ) Θ ( P ↑ ) mod p = 113690975836469390483838646646828917131453128585 .

We remark that such a discrete logarithm would be infeasible to be computed with generic logarithm techniques, as one can directly verify that the Log routine of Magma [32] does not terminate in a reasonable time.

6 Conclusions and open problems

In this work, we have provided the classification of groups arising from elliptic curves over Z ∕ N Z and exploited it to obtain a bound for their rank and an attack on the ECDLP over anomalous elliptic curves.

The key ingredient is Theorem 1, which might still hold for more general classes of rings, even though the kernel generator may be less explicit. Finding other instances or even classifying all the rings over which the infinity group is cyclic is still an open line of research.

From a cryptographic perspective, Theorem 1 shows that the difficulty of the ECDLP depends on the difficulty of the same problem over the base field and in the group of points at infinity. Whenever these two groups are linked (as in the case of the anomalous curves), the discrete logarithm on one group may be read from the other.

Finally, in this work, we only considered genus-1 curves for their theoretical and historical relevance, but it is reasonable to ask which other abelian varieties admit such an extension to Z ∕ N Z and, when it is the case, if analogous group decompositions over these rings hold.

Acknowledgement

This work has been accepted for presentation at CIFRIS23, the Congress of the Italian association of cryptography “De Componendis Cifris.”

Funding information: MS acknowledges the support from Ripple’s University Blockchain Research Initiative. DT was supported in part by the European Union’s H2020 Programme under grant agreement number ERC-669891, and in part by the Research Foundation – Flanders (FWO), project 12ZZC23N, and travel grant V425623N.
Author contributions: All authors have accepted responsibility for the entire content of this manuscript and approved its submission.
Conflict of interest: Prof. Massimiliano Sala is the Editor-in-Chief of the Journal of Mathematical Cryptology but was not involved in the review process of this article.

References

[1] Breuil C, Conrad B, Diamond F, Taylor R. On the modularity of elliptic curves over Q: wild 3-adic exercises. J Amer Math Soc. 2001;14:843–939. 10.1090/S0894-0347-01-00370-8Suche in Google Scholar

[2] Merel L. Bornes pour la torsion des courbes elliptiques sur les corps de nombres. Invent Math. 1996;124:437–49. 10.1007/s002220050059Suche in Google Scholar

[3] Mordell LJ. On the rational solutions of the indeterminate equations of the third and fourth degrees. Proc Camb Phil Soc. 1922;21:179–92. Suche in Google Scholar

[4] Wiles A. Modular elliptic curves and Fermat’s last theorem. Ann Math. 1995;142:443–551. 10.2307/2118559Suche in Google Scholar

[5] Bosma W. Primality testing using elliptic curves. Math Instituut, Univ Amsterdam, volume Tech Rep. 1985. p. 85–12. Suche in Google Scholar

[6] Schoof R. Elliptic curves over finite fields and the computation of square roots mod p. Math Comp. 1985;44:483–94. 10.1090/S0025-5718-1985-0777280-6Suche in Google Scholar

[7] Johnson D, Menezes A, Vanstone S. The Elliptic Curve Digital Signature Algorithm (ECDSA). Int J Inf Secur. 2001;1:36–63. 10.1007/s102070100002Suche in Google Scholar

[8] Koblitz N. Elliptic curve cryptosystems. Math Comp. 1987;48:203–9. 10.1090/S0025-5718-1987-0866109-5Suche in Google Scholar

[9] Miller VS. Use of elliptic curves in cryptography. Adv Cryptol. 1985;218:417–26. 10.1007/3-540-39799-X_31Suche in Google Scholar

[10] Shparlinski IE. Pseudorandom number generators from elliptic curves. Contemp Math. 2009;477:121–42. 10.1090/conm/477/09305Suche in Google Scholar

[11] Silverman JH. The arithmetic of elliptic curves, Springer-Verlag, 1986. 10.1007/978-1-4757-1920-8Suche in Google Scholar

[12] Washington LC. Elliptic curves, number theory and cryptography. London: Chapman & Hall/CRC; 2008. Suche in Google Scholar

[13] Husemöller D. Elliptic curves. Graduate Texts in Mathematics. Vol. 111. Berlin: Springer-Verlag; 1987. 10.1007/978-1-4757-5119-2Suche in Google Scholar

[14] Rück HG. A note on elliptic curves over finite fields. Math Comp. 1987;49:301–4. 10.1090/S0025-5718-1987-0890272-3Suche in Google Scholar

[15] Voloch JF. A note on elliptic curves over finite fields. Bull Soc Math France. 1988;116:455–8. 10.24033/bsmf.2107Suche in Google Scholar

[16] Banks WD, Pappalardi F, Shparlinski IE. On group structures realized by elliptic curves over arbitrary finite fields. Experiment Math. 2012;21:11–25. 10.1080/10586458.2011.606075Suche in Google Scholar

[17] Kohel DR, Shparlinski IE. On exponential sums and group generators for elliptic curves over finite fields. Lecture Notes Comput Sci. 2000;21:395–404. 10.1007/10722028_24Suche in Google Scholar

[18] Sala M, Taufer D. A survey on the group of points arising from elliptic curves with a Weierstrass model over a ring. Int J Group Theory. 2023;12:177–96. Suche in Google Scholar

[19] Lenstra HW. Elliptic curves and number-theoretic algorithms. Proceedings of the International Congress of Mathematicians; 1986. p. 99–120. Suche in Google Scholar

[20] Lenstra HW. Factoring integers with elliptic curves. Ann Math. 1987;126:649–73. 10.2307/1971363Suche in Google Scholar

[21] Koyama K, Maurer UM, Okamoto T, Vanstone SA. New public-key schemes based on elliptic curves over the ring Zn. Adv Cryptol. 1991;576:252–66. 10.1007/3-540-46766-1_20Suche in Google Scholar

[22] Sala M, Taufer D. Elliptic loops. J Pure Appl Algebra. 2023;227(12):107417. 10.1016/j.jpaa.2023.107417Suche in Google Scholar

[23] Invernizzi R, Taufer D. Multiplication polynomials for elliptic curves over finite local rings. In ACM’s International Conference Proceedings Series (ISSAC 2023); 2023. p. 335–44. 10.1145/3597066.3597068Suche in Google Scholar

[24] Satoh T, Araki K. Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves. Comm Math Univ Sancti Pauli. 1998;47:81–92. Suche in Google Scholar

[25] Smart N. The discrete logarithm on elliptic curves of trace one. J Cryptology. 1999;12:193–6. 10.1007/s001459900052Suche in Google Scholar

[26] Waterhouse WC. Abelian varieties over finite fields. Ann. Sci. École Norm. Sup. 1969;4:521–60. 10.24033/asens.1183Suche in Google Scholar

[27] Brown WC. Matrices over commutative rings. New York: Marcel Dekker; 1986. Suche in Google Scholar

[28] Bosma W, Lenstra HW. Complete systems of two addition laws for elliptic curves. J Number Theory. 1995;53:229–40. 10.1006/jnth.1995.1088Suche in Google Scholar

[29] Lange H, Ruppert W. Complete systems of addition laws on abelian varieties. Invent Math. 1985;79:603–10. 10.1007/BF01388526Suche in Google Scholar

[30] Semaev IA. Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p. Math Comp. 1998;67:353–6. 10.1090/S0025-5718-98-00887-4Suche in Google Scholar

[31] Leprévost F, Monnerat J, Varrette S, Vaudenay S. Generating anomalous elliptic curves. Inform Process Lett. 2005;93:225–30. 10.1016/j.ipl.2004.11.008Suche in Google Scholar

[32] Bosma W, Cannon J, Playoust C. The Magma algebra system. I. The user language. J Symbolic Comput. 1997;24:235–65. 10.1006/jsco.1996.0125Suche in Google Scholar

Received: 2023-09-05

Revised: 2023-10-02

Accepted: 2023-10-18

Published Online: 2024-02-14

This work is licensed under the Creative Commons Attribution 4.0 International License.

Artikel in diesem Heft

https://doi.org/10.1515/jmc-2023-0025

Schlagwörter für diesen Artikel

group structure; elliptic curves; ECDLP

Creative Commons

BY 4.0