@@ -173,8 +173,10 @@ Only known approach: compute multiplication-by-$k$ map $m_k(x_1)$ and substitute
Possible improvement can be done by searching for small $l$ ($m_l$ is computable) such that $lk$ is small as well and solve $f(m_l(x_1),m_{lk}(x_1))$. However, the probability (assume uniform) that $lk<2^b$ is $2^{b-256}$. Although we have $2^b$ candidates for $l$, the chance is negligible.
Sources:
[Formula for disaster](https://link.springer.com/content/pdf/10.1007/978-3-030-92062-3_5.pdf)
@@ -202,15 +204,15 @@ Let $E:y^2=x^3+b \to E':y^2=x^3+u^6b$ be an isomorphism given by $\mu_u: (x,y) \
- if $f=x_1+x_2$:
then if $P,Q$ is a solution to DCP(k) on $E$ then $\mu_u(P), \mu_u(Q)$ is a solution to DCP(k) on $E'$. This follows from $x_1+x_2=0$ $\iff$ $u^2x_1+u^2x_2=0$. Hence if we solve DCP on any curve iso to E then we have a solution on E.
*The problem is to solve this anywhere in the isomorphism class*
-*The problem is to solve this anywhere in the isomorphism class*
- if $f=x_1x_2+1$ and $P,Q=kP$ are any points on $E$ such that $-x_1x_2$ is a quadratic residue, i.e. $-x_1x_2=u^2$, then $\mu_{u^{-1/2}}(P)$, $\mu_{u^{-1/2}}(Q)$ is a solution of DCP(k) on $E': y^2=x^3+u^3b$ (this is possibly a twist depending on whether $u$ is a square). We can therefore find a solution of DCP on some curve in the isomorphism class of $E$ but we have no control on which curve.
*The problem is to solve this exactly on curve $E$*
*It is easy to find a solution on some curve in the isomorphism class*
- *The problem is to solve this exactly on curve $E$*
- *It is easy to find a solution on some curve in the isomorphism class*
- if $f=y_1+y_2$ then $x_1^3=x_2^3$ and hence $x_1 = \beta x_2$, $x_1 = \beta^2 x_2$ or $x_1 = x_2$ which means that $k \in \{\pm 1, \pm \lambda, \pm \lambda^2\}$.
*The problem is easy but almost always has no solution*
- *The problem is easy but almost always has no solution*
```sage
#help(dcp_instance)
...
...
@@ -316,6 +318,40 @@ The DCP problem for $f=x_1+x_2$ is easy on curves $E:y^2=x^3+ax$ over $\mathbb{F
For $f=x_1+x_2$ and curves $E:y^2=x^3+ax$ over $\mathbb{F}_p$ with $p=3\pmod 4$, the DCP doesn't have a solution as $y_1^2=-y_2^2$ but $-1$ is not a quadratic residue.
<!-- #region -->
#### DCLP
(assume that the elliptic curve group is cyclic or deal with some minor problems)
Another problem related to DCP problem is the following (DCLP) problem:
- Given $G_1, G_2$, $k$ satisfying $G_2 = kG_1$ and $f$, find scalar $l$ such that $f(lG_1,lG_2)=0$.
The DCP problem reduces to DCLP:
- Given $k$ and $f$, pick any generator $G_1$. Then any $P,Q$ such that $kP=Q$ can be expressed as $P=lG_1$ and $Q=lG_2$ and $f(P,Q)=0$ is equivalent to $f(lG_1,lG_2)=0$.
The DCLP problem reduces to DCP assuming DLP is easy:
- Given $G_1, G_2$, $k$ and $f$, solce DCP for $k$,$f$. For resulting points $P,Q$, solve the DLP for one of the pairs $(Q,G_2)$ or $(P,G_1)$. The solution is the scalar $l$.
The DLP problem reduces to DCLP:
- Given $P,Q$ solve DCLP for $G_1=G_2=P$, $k=1$, $f=x_1-Q_x$. The resulting scalar $l$ is the DL for $P,Q$.
Statements above imply that DCLP and DCP are equivalent if DLP is easy. In particular this is the case of:
- Curves with smooth order
- Curves with small embedding degree
- Anomalous curves
Conversely: If DCP is easy then DCLP and DLP are equivalent. For now, we know only about two cases for which DCP is easy (above):
- If $f=y_1+y_2$ and $E:y^2=x^3+b$
- If $f=x_1+x_2$ and $E:y^2=x^3+ax$
- Both the cases from above are a special case of $f$ representing scalar multiplication (up to sign). More precisely, the DCP is easy if $f=u(x_1)-x_2v(x_1)$ where $u(x)/v(x)$ is the x-coordinate representation of $k$-scalar multiplication (it could be any $l$-scalar multiplication but this would require $Q=kP=lP$).
**Idea**: Does it make sense to talk about equivalence: "DCLP and DCP are equivalent iff.." and if so, does it hold?
