Cryptology ePrint Archive: Report 2004/312

Ramanujan Graphs and the Random Reducibility of Discrete Log on Isogenous Elliptic Curves

David Jao and Stephen D. Miller and Ramarathnam Venkatesan

Abstract: Cryptographic applications using an elliptic curve over a finite field filter curves for suitability using their order as the primary criterion: e.g. checking that their order has a large prime divisor before accepting it. It is therefore natural to ask whether the discrete log problem (DLOG) has the same difficulty for all curves with the same order; if so it would justify the above practice. We prove that this is essentially true by showing random reducibility of dlog among such curves, assuming the Generalized Riemann Hypothesis (GRH). Our reduction proof works for curves with (nearly) the same endomorphism rings, but it is unclear if such a reduction exists in general. This suggests that in addition to the order, the conductor of its endomorphism ring may play a role. The random self-reducibility for dlog over finite fields is well known; the non-trivial part here is that one must relate non-isomorphic algebraic groups of two isogenous curves. We construct certain expander graphs with elliptic curves as nodes and low degree isogenies as edges, and utilize the rapid mixing of random walks on this graph. We also briefly look at some recommended curves, compare “random” type NIST FIPS 186-2 curves to other special curves from this standpoint, and suggest a parameter to measure how generic a given curve is.

Category / Keywords: foundations / random reducibility, discrete log, elliptic curves, isogenies, modular forms, L-functions, generalized Riemann hypothesis, Ramanujan graphs, expanders, rapid mixing

Date: received 16 Nov 2004

Contact author: miller at math rutgers edu

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

Version: 20041116:230508 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]