# The MOV Attack

## 数学代写|密码学Cryptography Theory代考|The MOV Attack

Let $\overline{\mathbb{F}}_q$ denote an algebraic closure of $\mathbb{F}_q$. Let $n \geq 1$, and let
$$E(n)=\left{P \in E\left(\overline{\mathbb{F}}_q\right) \text { : the order of } P \text { in } E\left(\overline{\mathbb{F}}_q\right) \text { divides } n\right} .$$

Using the formula
$$\overline{\mathbb{F}}q=\bigcup{i=1}^{\infty} \mathbb{F}{q^i},$$ one sees that there exists a smallest positive integer $m$ for which $$E(n) \subseteq E\left(\mathbb{F}{q^m}\right) .$$
Thus, by Washington [63, Corollary $3.11], \mathbb{F}{q^m}$ contains the group $\mu_n$ of the $n$th roots of unity, i.e., $\mathbb{F}{q^m}$ contains all of the roots of the equation $x^n-1$. Since $\mu_n$ is a subgroup of $\mathbb{F}_{q^m}^{\times}$
$$q^m \equiv 1(\bmod n),$$
and thus $m$ is a multiple of the order of $(q \bmod n)$ in $U\left(\mathbb{Z}_n\right)$.

## 数学代写|密码学Cryptography Theory代考|Supersingular Curves

An elliptic curve $E\left(\mathbb{F}q\right)$ is supersingular if $p \mid t$, where $t$ is the trace of the curve. If $q=p$ and $p \geq 5$, then $E\left(\mathbb{F}_p\right)$ is supersingular if and only if $t=0$ (use Hasse’s theorem). For example, the elliptic curve $E\left(\mathbb{F}{151}\right)$ defined by
$$y^2=x^3+2 x$$
is supersingular, $\left|E\left(\mathbb{F}{151}\right)\right|=152$ and $t=0$. Let $E\left(\mathbb{F}_p\right), p \geq 5$, be a supersingular elliptic curve, and suppose that $P$ is a point of $E\left(\mathbb{F}_p\right)$ of order $n$. Then $n$ divides $p+1=\left|E\left(\mathbb{F}_p\right)\right|$ and so, $\operatorname{gcd}(n, p)=1$. Now, by Washington [63, Proposition 5.3], $E(n) \subseteq E\left(\mathbb{F}{p^2}\right)$ and so $m=1$ or 2 .
So, under the MOV attack, solving the ECDLP in $\langle P\rangle$ is no harder than solving
Thus for use in ECKEP, an elliptic curve $E\left(\mathbb{F}_p\right), p \geq 5$, should not be supersingular, else we lose the main advantage of ECKEP over DHKEP: there are no Index Calculus methods for ECDLP.

