I'm trying to solve the discrete log problem in this context : I have a curve given by a short Weirstrass equation : $y^2 = x^3+ax +b$ where the point addition and scalar multiplication are done modulo $p^2$, $p$ is a large prime number on 256 bits.
The Diffie-Hellman key integer $d$ is randomly chosen with $d<p$. I can send an x-coordinate $x_0$ and the server returns the x-coordinate of $d \cdot P$ where $P$ is a point of x-coordinate $x_0$ (whether it exists or not on the curve).
With Sage, I can check that the order of $E(\mathbf{F}_p)$ is another large prime number $q$, and so any twist of $E(\mathbf{F}_p)$ has order $2p+2-q$ which is also a (different) prime in my case.
So the potential vulnerability lies in the computations modulo $p^2$ and the server implementation that doesn't check that the initial point is on the curve.
I think the group structure of $E(\mathbf{Z}/p^2\mathbf{Z})$ is $E(\mathbf{F}_p) \times E_1$, where $E_1$ is the kernel of reduction mod $p^2$ and is isomorphic to $(\mathbf{F}_p,+)$, but I am not sure about that. The context is somewhat similar to that of the Smart Attack but in my case $\left|E(\mathbf{F}_p)\right|$ is not $p$.
Is the p-adic way with a formal log the right way here or is there a simpler approach that cleverly uses the computations mod $p^2$ ?
