IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 45, NO.

5, JULY 1999 1717

TABLE I At the next step we have

THE NUMBER OF DEPENDENT AND INDEPENDENT ERROR
PATTERNS IN RANDOMLY GENERATED PATTERNS WITH A GIVEN
0M +2 = f 2 6M +1 j  m + 2 and m + 2 0  2 6M +1 g:
NUMBER OF POINTS FROM THE HERMITIAN CURVE OVER 64 Here there are two possibilities.
Points Total Patterns Dependent Independent If  +1 2 1M +1 = 1M then 0M +2 is empty and there are no
votes at all, but this situation corresponds to the situation we have
analyzed above (with i = 1), so it happens in at most in a fraction
2 10000 142 9858

of 1=(q 0 1) of the cases.

5 10000 169 9831
10 10000 154 9846
20 10000 158 9842 If  +1 2 6M +1 then 0M +2 = f ;  +1 g and f gives a (correct)
50 10000 153 9847 vote, but the function h 2 FM +1 with (h) =  +1 also gives the
100 10000 135 9865
correct vote since if not we would have span (h) = m + 2 0  +1 =
 , contradicting the fact that  2= 1r . Therefore, in this case the
150 10000 157 9843
200 10000 166 9834
250 10000 147 9853 algorithm works correctly.

V. CONCLUSIONS AND OPEN PROBLEMS

The system of equations
n We have shown that the decoding algorithm fails if the error points
f` (Pj )yj = 0; ` = 1; 1 1 1 ;  + i 0 1 are independent, except for high rates where it performs quite well.
j =1 We believe, and experiments support this (see Table I), that this is
n indeed the typical situation, but we have no proofs. From the analysis
f +i (Pj )yj = 1 we also see that in the cases where the true minimum distance exceeds
j =1 the Feng–Rao distance the current decoding algorithms do not correct
therefore, has a nonzero solution with y1 = 1 1 1 = y 0 = 0 and up to half the minimum distance.
y +i+1 = 1 1 1 = yn = 0. But then y 2 C nC with a nonzero
coordinate at a position greater than  00 contradicting the definition REFERENCES
of a, therefore, we get that L has dimension  0 0 0 1. 0
[1] M. E. O’Sullivan, “Decoding Hermitian codes beyond (dmin 1)=2,” in
We will now prove the theorem. For a fixed e 2 ( 3q ) we consider
Proc. 1997 IEEE Int. Symp. Information Theory (Ulm, Germany, June

the map e : L ! q 0 defined by

= (e1 f (P1 ); 1 1 1 ; e 0 f (P 0 )):
e (f )
This is injective since
ker e = ff 2 Ljf (Pi ) = 0; 1  i   0 0 g
= ff 2 L( 01 Q 0 (P1 + 1 1 1 + P ))g = f0g
so the dimension of its image is  0 0 0 1 and the dimension
of e01 (a;  2 q ) is either 0 or 1. On the other hand, if
20–July 4, 1997).
[2] , “Decoding of codes defined by a single point on a curve,” IEEE
Trans. Inform. Theory, vol. 41, pp. 1709–1719, Nov. 1995.
[3] M. A. Shokrollahi and H. Wassermann, “Decoding algebraic-geometric
codes beyond the error-correction bound,” Univ. Berkeley, Berkeley,
CA, Aug. 1997, preprint.
[4] M. Sudan, “Decoding of Reed Solomon codes beyond the error-
correction bound,” J. Complexity, vol. 13, pp. 180–193, 1997.
[5] S. Sakata, H. Elbrønd Jensen, and T. Høholdt, “Generalized
Berlekamp–Massey decoding of algebraic-geometric codes up to half
the Feng–Rao bound,” IEEE Trans. Inform. Theory, vol. 41, pp.

(e1 ; 1 1 1 ; e 0 ) 6= (^e1 ; 1 1 1 ; e^ 0 ) then

1762–1768, Nov. 1995.

01 01
e (a;  2 q ) \ e^ (a;  2 q ) = 0
since, otherwise, we would have for some f 2 L that ei f (Pi ) =
e^i f (Pi ) for i = 1; 1 1 1 ;  0 0 and, therefore, ei = e^i since
f (Pi ) = ai , i = 1; 1 1 1 ;  0 0 .
This implies that the number of e’s in ( 3q ) for which there exists
an f 2 FM with (f )   01 is at most (q 0 1) 0 01 (q 0 1) ,
so the probability of getting such an e is at most
(q 0 1) 01 = 1 :
(q 0 1) q01
Let us now consider the situation where f 2 FM , (f ) =  but
f 2= Fr . This implies that span (f ) > m 0  = (m 0 1)=2 =  01 ,
so span (f ) =  +i . But we have just calculated the probability for
this so f 2 Fr with probability 1 0 (1=(q 0 1)), this also concludes
the proof of Theorem 8.
Let us finally consider the situation where we have f 2 FM ,
(f ) =  , f 2 6r , and 1M  f1 ; 1 1 1 ;  01 g. At Step 4 in the
algorithm we get
0M +1 = f 2 6M j  m + 1 and m + 1 0  2 6M g:
Since  = (m + 1)=2 we have  2 0M +1 so f gives a (correct)
vote, and this is the only one, so 1M +1 = 1M and FM +1 = FM .
The Tate Pairing and the Discrete Logarithm
Applied to Elliptic Curve Cryptosystems
Gerhard Frey, Michael Müller, and Hans-Georg Rück
Abstract— The Tate pairing is used to reduce the discrete logarithm
(DL) problem on certain elliptic curves to the DL in the multiplicative
group of finite fields.
Index Terms— Cryptography, discrete logarithm, elliptic curves, Tate
pairing.
I. THE TATE–LICHTENBAUM PAIRING
In [2] it is shown how the Tate pairing on Abelian varieties in
Lichtenbaum’s version can be used to relate the discrete logarithm
in the group Jm ( q ) of m-torsion points of the Mordell–Weil group
Manuscript received October 1, 1998; revised November 30, 1998.
The authors are with the Institute for Experimental Mathematics, University
of Essen, 45326 Essen, Germany.
Communicated by I. Blake, Associate Editor for Coding Theory.
Publisher Item Identifier S 0018-9448(99)04733-1.

0018–9448/99$10.00  1999 IEEE

1718 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 45, NO. 5, JULY 1999

of the Jacobian J of a curve over a finite field q to the discrete E is given in Weierstrass normal form, one chooses 1 to be the
logarithm in 3q if q 0 is divisible by m.1
1 point “at infinity”).
More precisely, the main result of [2] can be stated as follows. It is well known [7, Proposition 3.4, p. 66] that the group E q ( )
is isomorphic to the class group of divisors of degree zero on E .
Theorem 1.1: Let m be a natural number prime to q , and let
m ( )
q be the group of roots of unity in q whose order divides m.
( )
By this isomorphism a point P 2 E q is mapped to the class
( )
We assume that J q contains a point of order m.
( ) ( )
of P 0 1 . Since it is an isomorphism of groups, one sees that
( + ) ( )
for the points r 1 P , s 1 P , and r s 1 P in E q the divisors
1) There is a surjective pairing ( ) ( )+(
r1P 0 1 ) ( ) (( + ) ) ( )
s 1 P 0 1 and r s 1 P 0 1 are in the
m : Jm ( ) 2 J ( q )=mJ ( q ) ! m( q ):
q
same class.
Now we want to evaluate the Tate–Lichtenbaum pairing m of
2) m is computable in O (log (q)) steps, where one step is points P 2 Em q and P 0 2 E q . Let DP and DP be coprime
( ) ( )
equivalent to the addition in J . divisors in the class of P 0 1 and P 0 0 1 , respectively.
( ) ( ) ( ) ( )
3) Given a cyclic subgroup Cm of order m in Jm ( q ) then the Since m 1 P =0
E , we see that m 1 DP is the divisor of a function
probability of finding a point P 0 in J ( q ) with FD on E . Then the Tate–Lichtenbaum pairing is given by
fm (P; P 0 ); P 2 Cm g = m ( q ) m : (P; P 0 ) 7! (FD (DP )) q0
( 1)=m
2 m( q ):
is positive (and depends on dim(J ) and m). The above remarks show that we can choose DP to be equal to
( ) (( 1) )
k 1 P 0 k 0 1 P for any k 2 .
It may be useful for designers of discrete logarithm cryptosystems In order to get the pairing we have at first to find the function
based on elliptic curves to have an explicit description of m in the FD and evaluate it at DP . Doing these steps separately has
special case that J is an elliptic curve E . In addition, it is helpful to a big disadvantage, because FD is a function whose degree is
know the probability of finding a point P 0 as in the theorem. approximately m.
We want to stress that a very similar procedure can be used to Instead, we consider the following group structure.
compute m in the case that J is the Jacobian of a hyperelliptic We choose DP =( ) ( )
P 0 1 . At first we assume that the divisor
curve or, more generally, in all cases in which an effective version ( ) 0
DP is prime to all prime divisors r 1 P for  r < m. We define
of the theorem of Riemann–Roch is available. ;0
on the set fr 1 P  r < mg 2 3q the following group law:
II. APPLICATION TO ELLIPTIC CURVES
(r 1 P; a ) 8 (r 1 P; a ): = ((r + r ) 1 P; a a h(DP ))
1 1 2 2 1 2 1 2

We assume now that E is an elliptic curve defined over q . As where h is a function whose divisor satisfies
( )
above, let m be prime to q and suppose that E q contains a point
(h) = (r 1 P ) + (r 1 P ) 0 ((r + r ) 1 P ) 0 (1):
of order m. 1 2 1 2

Proposition 2.1: If the trace of the Frobenius endomorphism of This function h can be evaluated using the addition formulas on the
the elliptic curve E over q is congruent to 2
modulo m, then elliptic curve. One can show that this indeed defines a group structure.
( )
the discrete logarithm in Em q can be reduced to the discrete And by induction we easily get the following rule:
logarithm in 3q “probabilistically” in polynomial time by using the
m  (P; 1) = (0E ; FD (DP )): (1)
Tate–Lichtenbaum pairing.
Proof: We can apply Theorem 1.1 if and only if q contains Hence in this group by repeated doubling and adding one can evaluate
the mth roots of unity. The trace t of the Frobenius endomorphism FD (DP )
in O (log )
m steps.
# ( )
and E q , the number of q -rational points on E , are related by In addition, it is clear that for evaluating FD DP we do not ( )
the well-known formula need the whole group. Hence the divisor DP does not have to be
#E ( q ) = q + 1 0 t: ( )
prime to all prime divisors r 1 P , but only to those which occur
( )
in the repeated doubling process. Let S m be the set of those
( )
Since E q contains a point of order m and since t  2 mod m, ( )
integers i such that i 1 P occurs in this process. The set S m ( )
1
we see that q 0 is divisible by m. has size O (log )
m and can be computed without knowing DP . So
( )
we can precompute S m at first and then choose the divisor DP
Remark 2.2: The proposition clearly shows that the Tate–Lichten- appropriately.
baum pairing can be applied in cases in which the Weil pairing does If, for example, P 0 = P , we just take any k such that k,
not work. Hence these two pairings should be distinguished carefully. 1 ( )
k 0 62 S m (such a k always exists if m is large enough) and
In fact, the fast algorithm used to compute the Weil pairing following choose DP = ( ) (( 1) )
k 1 P 0 k 0 1 P . Then
m (P; P ) = (FD (DP )) q0
Miller [4] consists of a twofold computation of the Tate–Lichtenbaum
1)=m
pairing (cf. Menezes, Okamoto, and Vanstone [3]).
(
: (2)

Remark 2.4: In contrast to the Weil pairing h ; im , where the value

Remark 2.3: In some cases, which are the most important ones for
cryptographic reasons, one can delete the word “probabilistically” in
hP; P im is always trivial, the value of the Tate–Lichtenbaum pairing
m (P; P ) can be nontrivial. Hence it can play an important role in
Proposition 2.1. This will be explained later.
We assume from now on that the conditions of Proposition 2.1
( )
are satisfied, i.e., E q contains a point of order m and q 0 is 1 the computation of discrete logarithms, as will be seen in the next
steps.
divisible by m.
( ) ( )
For a point P 2 E q we denote by P the associated prime
=
We look at the following special case: Let m pk , where p is an
1 ( )
divisor of degree . Let 1 be a fixed point on E q (usually when
odd prime number, and let pl be the exact p-power dividing E q . # ( )
( )
We assume that Ep q is cyclic. Let P be a point of order pk and
11 In [5] it is explained how to treat the case when m is a power of the let Q be a multiple of P , we want to evaluate the integer n with
characteristic of q , in the case of elliptic curves see [6]. =
Q n 1 P . We consider two different cases.
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 45, NO. 5, JULY 1999 1719

In the first case let k = l. Then we choose P 0 =

P . So So we can use the Tate–Lichtenbaum pairing to reduce the discrete
in this case the word “probabilistic” can be dropped in Theorem logarithm problem for elliptic curves to a discrete logarithm problem
( )
1.1. We evaluate p P; P according to (1) and (2). In this case, in 3q . Since E q does not contain all points of order p, we cannot
( )
( )
p P; P is a primitive pk th root of unity. Furthermore, we try use the Weil pairing. The point
( )
to compute p Q; P with the divisors DQ =( ) ( )
Q 0 1 and
DP = (2 ) ( )
1 P 0 P . Either we succeed in this attempt, in which P = (x; y): = (797482; 1369997) 2 E ( q ) has exact order p
case we reduce the calculation of n to the discrete logarithm problem
( )= ( )
p Q; P p P; P n in 3q . Or we have no success, but then = 804833:
in our calculations we explicitly obtain an integer i such that P or
2 1 P equals i 1 Q.
In the second case, let k < l. Then we choose any point P 0 2
We choose
E q of order pl randomly. Then p P; P 0 is a primitive pk th
( ) ( )
root of unity. The probability of finding such a P 0 is 0 p1 (see below).
1 Q: = n 1 P = (822050; 1036146) 2 E ( q )
Now we calculate p P; P 0 and p Q; P 0 with the divisors
( ) ( )
DP =( ) ( )
P 0 1 , DQ =( ) ( )
Q 0 1 , and DP 1 P0 0 P0 .
= (2 ) ( )
2 0 0
Here 1 P or P can never be i 1 P or j 1 Q, so we can calculate the = 89865
with n 5 6
. The points 1 P and 1 P do not occur in the
pairings without any problems and get as above the discrete logarithm 56 ()
calculation of p 1 P (i.e., ; 62 S p ). In our example, where
p Q; P 0
( )= ( p P; P 0 n in 3q .
) = =1
k l ( )
(see above), we calculate p P; P with the divisors
Dp =( ) ( )
P 0 1 and DP = (6 ) (5 )
1 P 0 1 P , and we calculate
Remark 2.5: This first case is the “usual” case for elliptic curve
= =1 ( )
p Q; P in the same way as in our earlier general description of
cryptosystems, mostly one has k l .
Now we show how we find a point P 0 of order pl randomly with
=
the case k l. We get
1
probability 0 p1 . Let the elliptic curve E be given in Weierstrass
form p (P; P ) = 822530(q01)=p = 1293131 2 m ( q )
E : Y 2 = f (X ): p (Q; P ) = 824368(q01)=p = 508028 2 m ( q ):
We choose x 2 q randomly. Then there are two possibilities.
()
If f x is a square in q , then we can compute y 2 q with Hence in order to compute n, we have to solve the discrete logarithm
= ()
y2 f x by the probabilistic Shanks algorithm (see [1, pp. 33]) in problem
polynomial time. We define P 00 := ( )
x; y , then
P 0: =
#E ( q ) 1 P 00 1293131n = 508028 mod q: (3)
pl
( )
is a point of order pj in E q with j  l. (Of course, we can check in this example that n = 89865 is a solution
()
If f x is not a square in q , then the point P 00 : = (x; f (x)) is of (3).)
( )
an element of E q . Since
#E ( q ) = #E ( q )(0#E ( q ) + 2(q 0 1) + 4) REFERENCES
the p-primary parts of E ( q ) and E ( q ) are the same. Then again [1] H. Cohen, A Course in Computational Algebraic Number Theory, GTM

P0 =
#E ( q ) 1 P 00 138. Heidelberg, Germany: Springer-Verlag, 1993.
m
[2] G. Frey and H. G. Rück, “A remark concerning -divisibility and the
pl discrete logarithm in the divisor class group of curves,” Math. Comput.,
vol. 62, pp. 865–874, 1994.
( )
is a point in E q of order pj with j  l. [3] A. Menezes, T. Okamoto, and S. A. Vanstone, “Reducing elliptic curve
Hence for every choice of x 2 q we find a point of order pj logarithms to logarithms in a finite field,” IEEE Trans. Inform. Theory,
with j  l. And the probability of finding a generator of the cyclic
vol. 39, pp. 1639–1646, 1993.
( )
group Ep q is equal to
[4] V. Miller, “Short programs for function on curves,” unpublished, 1996.
[5] H. G. Rück, “On the discrete logarithm in the divisor class group of
pl 0 pl01
= 1 0 p1 :
curves,” Math. Comput., to be published.
p
[6] I. A. Semaev, “Evaluation of discrete logarithms in a group of -torsion
pl p
points of an elliptic curve in characteristic ,” Math. Comput., vol. 67,
pp. 353–356, 1998.
[7] J. H. Silverman, Arithmetic of Elliptic Curves, GTM 106. Heidelberg,
III. AN EXAMPLE Germany: Springer-Verlag, 1986.
With a simple Maple program, we can calculate the Tate–Lichten-
baum pairing (and the Weil pairing c.f. Remark 2.2). All the com-
putations were done on a Linux PC with a Pentium 133 processor
(which is slow by today’s standards) in a few seconds.
Example 3.1: Consider the elliptic curve
E: Y 2 + Y = X 0 X 0 10X 0 7
3 2

defined over the finite field q with q = 1609667 elements. By

counting points on E we find that #E ( q ) = q 0 1 = 2 1 804833,
therefore, the trace of the Frobenius endomorphism is equal to 2. This
implies that for m = p = 804833 the mth roots of unity are in q .