Security of an identity-based cryptosystem and the related reductions

Abstract

Recently an efficient solution to the discrete logarithm problem on elliptic curves over Fp with p points (p: prime), so-called anomalous curves, was independently discovered by Semaev [14], Smart [17], and Satoh and Araki [12]. Since the solution is very efficient, i.e., O(¦p¦3), the Semaev-Smart-Satoh-Araki (SSSA) algorithm implies the possibility of realizing a trapdoor for the discrete logarithm problem, and we have tried to utilize the SSSA algorithm for constructing a cryptographic scheme. One of our trials was to realize an identity-based cryptosystem (key-distribution) which has been proven to be as secure as a primitive problem, called the Diffie-Hellman problem on an elliptic curve over Z/nZ (n = pq, p and q are primes) where Ep and Eq are anomalous curves (anomalous En-Diffie-Hellman problem). Unfortunately we have found that the anomalous En-Diffie-Hellman problem is not secure (namely, our scheme is not secure). First, this paper introduces our trial of realizing an identity-based cryptosystem based on the SSSA algorithm, and then shows why the anomalous En-Diffie-Hellman problem is not secure. In addition, we generalize the observation of our breaking algorithm and present reductions of factoring n to computing the order2 of an elliptic curve over Z/nZ. (These reductions roughly imply the equivalence of intractability between factoring and computing elliptic curve's order.) The algorithm of breaking our identity-based cryptosystem is considered to be a special case of these reductions, and the essential reason why our system was broken can be clarified through these reductions: En in our system is a very specific curve such that the order of En(i.e., n) is trivially known.