Consider a finite group G of prime order N. The discrete logarithm problem, or DLP, is: Given P, Q ∈ G, with P = n · Q, find n. An ongoing challenge in cryptography is to find groups in which the DLP is computationally infeasible, that is, for which the best known attack is exponential in log(N). Such a group can be used as the setting for many cryptographic protocols, from Diffie-Hellman key exchange to El Gamal encryption ([14], 159). The most prominent example, first proposed in 1985, is a subgroup of points of an elliptic curve E over a finite field Fq of prime order N. For N ≈ 10 80, with current computing power, it is infeasible to solve the elliptic curve DLP, or ECDLP; in other words, it is not possible to determine n. However, in the early 1990’s, supersingular elliptic curves, those curves over fields of positive characteristic which have no p-torsion, were discovered to be susceptible to the MOV attack, which used the Weil pairing to reduce the ECDLP to the DLP in F ∗ q, the multiplicative group of the finite field, where subexponential attacks such as the index calculus are possible ([14], 144).Thus, for cryptographic purposes, it is necessary to restrict to ordinary elliptic curves, where E[p] ( ¯ K) ≃ Z/pZ. However, certain subgroups of ordinary elliptic curves, those N = p, are even more insecure than supersingular curves. The ECDLP in the p-torsion subgroup of E(Fq) can be reduced to the DLP in F + q,

Number theoretic algorithms for elliptic curves with cryptographic applications An elliptic curve over a field K is given by an equation of the form y 2 = x 3 + Ax + B. There is a natural way to add any two points on the curve to get a third point, and therefore the set of points of the curve with coordinates in K form a group, denoted E(K). Elliptic curves have long fascinated mathematicians, as they can be approached from many angles, including complex analysis, number theory and algebraic geometry. In the past twenty years, elliptic curves have gained even more attention: elliptic curves over Q play a key role in the proof of Fermat’s Last Theorem, while elliptic curves over finite fields come into play when we exchange private information securely over the internet. My work relates directly to this latter role, the use of elliptic curves in cryptography. Since first proposed in 1985, much research has been devoted to the problem of constructing “cryptographic ” elliptic curves. For a finite field K of p elements, the group E(K) is finite, of order N roughly the same size as the prime p. The discrete logarithm problem (DLP) is: Given elements P, Q ∈ E(K) with Q = m · P, find the integer m. Loosely speaking, a cryptographic curve is one for which the DLP in E(K) is “hard, ” that is to say, computationally infeasible. Such curves can be used as a secure setting for many cryptographic protocols, from

1. 1 Approaches to Getting Innitesimals............................... 2

For large prime numbers p, computing discrete logarithms of elements of the multiplicative group (Z/pZ) ∗ is at present a very difficult problem. The security of certain cryptosystems is based on the difficulty of this computation. In this expository paper we discuss several generalizations of the discrete logarithm problem and we describe various algorithms to compute discrete logarithms.