Optimizing the Menezes-Okamoto-Vanstone (MOV) Algorithm for Non-supersingular Elliptic Curves

We address the Menezes-Okamoto-Vanstone (MOV) algorithm for attacking elliptic curve cryptosystems which is completed in subexponential time for supersingular elliptic curves. There exist two hurdles to clear, from an algorithmic point of view, in applying the MOV reduction to general elliptic curves: the problem of explicitly determining the minimum extension degree k such that $E[n]\subset E(F_{q^k})$ and that of efficiently finding an n-torsion point needed to evaluate the Weil pairing, where n is the order of a cyclic group of the elliptic curve discrete logarithm problem. We can find an answer to the first problem in a recent paper by Balasubramanian and Koblitz. On the other hand, the second problem is important as well, since the reduction might require exponential time even for small k. In this paper, we actually construct a novel method of efficiently finding an n-torsion point, which leads to a solution of the second problem. In addition, our contribution allows us to draw the conclusion that the MOV reduction is indeed as powerful as the Frey-Rück reduction under $n\not\vert q-1$, not only from the viewpoint of the minimum extension degree but also from that of the effectiveness of algorithms.