Orders of CM elliptic curves modulo p with at most two primes
Tipus de documentArticle
Condicions d'accésAccés restringit per política de l'editorial
Nowadays the generation of cryptosystems requires two main aspects. First the security, and then the size of the keys involved in the construction and comunication process. About the former one needs a di±cult mathematical assumption which ensures your system will not be broken unless a well known di±cult problem is solved. In this context one of the most famous assumption underlying a wide variety of cryptosystems is the computation of logarithms in ¯nite ¯elds and the Di±e Hellman assumption. However it is also well known that elliptic curves provide good examples of representation of abelian groups reducing the size of keys needed to guarantee the same level of security as in the ¯nite ¯eld case. The ¯rst thing one needs to perform elliptic logarithms which are computationaly secure is to ¯x a ¯nite ¯eld, Fp, and one curve, E=Fp de¯ned over the ¯eld, such that jE(Fp)j has a prime factor as large as possible. In practice the problem of ¯nding such a pair, of curve and ¯eld, seems simple, just take a curve with integer coe±cients and a prime p of good reduction at random and see if jE(Fp)j has a big prime factor. However the theory that makes the previous algorithm useful is by no means obvious, neither clear or complete. For example it is well known that supersingular elliptic curves have to be avoided in the previous process since they reduce the security of any cryptosystem based on the Di±e Hellman assumption on the elliptic logarithm. But more importantly, the process will be feasible whenever the probability to ¯nd a pair, (E; p), with a big prime factor qj jE(Fp)j is big enough. One problem arises naturally from the above.
CitacióIwaniec, H.; Jimenez, J. Orders of CM elliptic curves modulo p with at most two primes. "Annali della Scuola Normale Superiore di Pisa. Classe di scienze", 2010, vol. 9, núm. 4, p. 815-832.