
$$\sum_{i \ge 0} \varphi_i(X_1, X_2, \dots, X_l)\, t^i = 0$$

for some polynomials $\varphi_i$. Each coefficient of $t^i$ must vanish, so we obtain $l$ equations in the $l$ variables $X_1, \dots, X_l$. Solving them may give solutions of $f_{l+1} \equiv 0 \pmod p$. The author expects this to yield a polynomial-time or subexponential-time algorithm, and hence a good time complexity for solving an ECDLP [30].

4.4 Further Results

P. Gaudry [8] proposed an index calculus algorithm for the discrete logarithm problem on general abelian varieties, using summation polynomials to simplify the calculations. He applied his method to the Weil restriction of elliptic curves and hyperelliptic curves over small-degree extension fields, and for these cases obtained a complexity lower than that of Pollard's method.

Claus Diem [2] further showed that an ECDLP can be solved if one can decide whether certain systems of multivariate quadratic polynomial equations have a solution in the algebraic closure of the underlying field $K$. The main idea is the natural correspondence between the operations in $E(K)$ and the operations in another algebraic structure.

Let $P_1, P_2 \in E(K)$. If $P_1 + P_2 = R$, there exists a function $f \in K(E)$ such that $\operatorname{div}(f) = [P_1] + [P_2] - [R] - [\infty] \in \operatorname{Div}^0(E)$ by Property 3.7. Equivalently, there exists a function $f$ which satisfies

$$f \in L([R] + [\infty] - [P_1] - [P_2]) \subset K(E)$$

and

$$f^{-1} \in L([P_1] + [P_2] - [R] - [\infty]) \subset K(E),$$

where $L(D)$ is the Riemann-Roch space corresponding to some $D \in \operatorname{Div}(E)$. Let $t = \lfloor \log_2 n \rfloor + 1$ and let $s$ be an integer with $3 \le s \le t - 2$. By the above property,

$\sum_{i=0} e_i$. By the Riemann-Roch Theorem, the space $L(D)$ is a finite-dimensional $K$-vector space, so we can write $f$ and $f^{-1}$ as linear combinations of the respective bases.

Finally, let $K(E) = K(X)[Y]$, where $Y$ satisfies an equation of degree 2 over the rational function field $K(X)$, expand everything with respect to the basis $1, Y$, and compare the coefficients of the basis polynomials of $L(D)$. We obtain a system of quadratic equations in $t - 1$ unknowns. The number of equations depends on the degrees of the polynomials in the bases of the Riemann-Roch spaces.

Once a solution of the system is found, one can construct the class $f$ in $K(E)/K$ corresponding to the solution and check whether $f$ has a zero at $2^i P$ for $i = 0, 1, \dots, t-1$. From this the tuple $e \in \{0, 1\}^{\{0, \dots, t-1\}}$ with $\left(\sum_{i=0}^{t-1} e_i 2^i\right) \cdot P = Q$ can be read off. Therefore, we can solve the ECDLP if we can solve the above quadratic systems.

We observe that the original ECDLP has been transformed into the problem of solving a system of multivariate polynomial equations. This means that some of the ideas behind elliptic curve cryptography, a public-key primitive, come close to the multivariate polynomial systems that often appear in the cryptanalysis of symmetric-key schemes. Further research may lead to better constructions of these systems of multivariate polynomials; this requires an algebraic structure, with a computable basis, that is related to the operations on an elliptic curve. Another direction is a deeper study of the algorithms for solving such systems, such as Gröbner basis computation, the implementation of the F4 and F5 algorithms, or the XL algorithm.

5 Conclusions

After reviewing the known methods for solving an ECDLP in modern elliptic curve cryptography, we summarize the resulting criteria. In order for the ECDLP to be hard, the parameters of an elliptic curve should be chosen to satisfy the following properties.

Assume

$$N = |E(\mathbb{F}_q)| = n \cdot s,$$

where $n$ is the order of the base point $P$ and $p$ is the characteristic of $\mathbb{F}_q$. Then we have the following criteria.

• $n$ should be a prime.

• $n \ge 2^{160}$.

• $n \neq p$ (the curve must not be anomalous).

• $n$ should not divide $q^l - 1$ for any $l \le 30$.

• $q$ should be a large prime, or a power of two $2^m$ with $m$ prime.

Since efficiently computable endomorphisms can be used to speed up Pollard's method by defining an equivalence relation on $E(\mathbb{F}_q)$ and searching over the equivalence classes [6, 38], this loss of security should also be taken into account. Koblitz curves and the other special curves of Example 2.1 are examples of this. Therefore, the parameters need to be chosen carefully in order to reach the desired security level.

Conversely, the following are criteria for weak curves and weak fields.

• If $n$ is not a prime, the ECDLP reduces to ECDLPs in the prime-order subgroups of $\langle P \rangle$ (Pohlig-Hellman [24]).

• If $n < 2^{160}$, the ECDLP can be solved by Pollard's method.

• The elliptic curve is prime-field-anomalous, i.e. $|E(\mathbb{F}_p)| = p$.

• If $n = p$, the ECDLP can be solved by Semaev's method [29].

• The elliptic curve is supersingular.

• If $n$ divides $q^l - 1$ for some $l \le 30$, the pairing attacks apply.

• A base field of the form $\mathbb{F}_{2^{5l}}$ or $\mathbb{F}_{2^{6l}}$ for some $l$ is weak under the generalized GHS attack.

• A base field of the form $\mathbb{F}_{2^{3l}}$, $\mathbb{F}_{2^{7l}}$, or $\mathbb{F}_{2^{8l}}$ for some $l$ is partially weak under the generalized GHS attack.

To obtain an instance where the ECDLP is hard, one should avoid these weak curves and base fields.
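Turning the two lists above into a check one can actually run, as an added example that is not from the thesis: the function below takes the field size $q$, its characteristic $p$, $N = |E(\mathbb{F}_q)|$ and the base-point order $n$, and reports which of the criteria of this section fail. The secp256k1 constants and the toy curve over $\mathbb{F}_{29}$ with $n = 7$ used at the bottom are assumptions of this example, and the primality test is the standard Miller-Rabin test rather than anything from the thesis.

```python
"""Check the Section 5 criteria for an ECDLP instance.

Added example, not code from the thesis.  Inputs: q (field size), p (the
characteristic of F_q), N = #E(F_q) and n (order of the base point P).
Returns the list of criteria that fail, so [] means no weakness among the
ones listed in Section 5.  The bound l <= 30 for the pairing (MOV /
Frey-Rueck) check and the size bound 2^160 are the thesis' own values; the
secp256k1 constants and the toy curve over F_29 below are assumptions.
"""
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(m):
    """Miller-Rabin with fixed bases: exact below 3.3e24, negligible error above."""
    if m < 2:
        return False
    for a in SMALL_PRIMES:
        if m % a == 0:
            return m == a
    d, r = m - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(r - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False
    return True


def embedding_degree(q, n, bound=30):
    """Smallest l <= bound with n | q^l - 1 (a pairing maps the ECDLP into
    F_{q^l}), or None if there is no such l up to the bound."""
    acc = 1
    for l in range(1, bound + 1):
        acc = acc * q % n
        if acc == 1:
            return l
    return None


def field_is_admissible(q):
    """q is a prime, or 2^m with m prime (no proper subfield for Weil descent)."""
    if is_probable_prime(q):
        return True
    return q & (q - 1) == 0 and is_probable_prime(q.bit_length() - 1)


def check_ecdlp_parameters(q, p, N, n, min_bits=160, pairing_bound=30):
    """Return the list of violated Section 5 criteria (empty list = none)."""
    failures = []
    if N % n:
        failures.append("n does not divide N = #E(F_q)")
    if not is_probable_prime(n):
        failures.append("n is not prime: Pohlig-Hellman reduces to the prime-order subgroups")
    if n < 1 << min_bits:
        failures.append(f"n < 2^{min_bits}: Pollard's rho method is feasible")
    if n == p or N == q:
        failures.append("anomalous curve (n = p or #E(F_q) = q): Semaev / Satoh-Araki / Smart attack")
    l = embedding_degree(q, n, pairing_bound)
    if l is not None:
        failures.append(f"n divides q^{l} - 1: pairing (MOV / Frey-Rueck) attack maps the ECDLP into F_q^{l}")
    if not field_is_admissible(q):
        failures.append("q is neither prime nor 2^m with m prime: Weil descent (GHS) may apply")
    return failures


# secp256k1 (assumed here as a known-good instance, cofactor 1) and a toy
# curve over F_29 with 35 points and n = 7 (assumed; fails on size and pairing).
SECP256K1_P = 2**256 - 2**32 - 977
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

if __name__ == "__main__":
    print(check_ecdlp_parameters(SECP256K1_P, SECP256K1_P, SECP256K1_N, SECP256K1_N))
    print(check_ecdlp_parameters(29, 29, 35, 7))
```

Run as a script it prints `[]` for secp256k1 and two failures for the toy curve: $n < 2^{160}$, and $n \mid q^1 - 1$, i.e. a pairing maps the ECDLP into $\mathbb{F}_{29}^*$ itself. Point counting (to obtain $N$) is left to the caller; the check only asks whether the given parameters avoid the attacks listed above, not whether the curve is otherwise sound.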

References

[1] I.F. Blake, G. Seroussi and N.P. Smart. Elliptic Curves in Cryptography. Chapter VII, volume 265 of London Mathematical Society Lecture Note Series. Cambridge University Press, Cambridge, 2000.

[2] C. Diem. Systems of polynomial equations associated to elliptic curve discrete logarithm problems. Preprint, 2004.

[3] A. Enge and P. Gaudry. A general framework for subexponential discrete logarithm algorithms. Rapport de Recherche Lix/PR/00/04, June 2000.

[4] G. Frey and H. Rück. A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Mathematics of Computation, 62:865-874, 1994.

[5] G. Frey. Applications of Arithmetical Geometry to Cryptographic Constructions. Finite Fields and Applications, 128-161, Springer, 1999.

[6] R. Gallant, R. Lambert and S. Vanstone. Improving the parallelized Pollard lambda search on anomalous binary curves. Mathematics of Computation, 69:1699-1705, 2000.

[7] S. Galbraith and N. Smart. A cryptographic application of Weil descent. Cryptography and Coding (LNCS 1176), 191-200, Springer-Verlag, 1999.

[8] P. Gaudry. Index calculus for abelian varieties and the elliptic curve discrete logarithm problem. Preprint, 2004.

[9] P. Gaudry, F. Hess, and N. Smart. Constructive and destructive facets of Weil descent on elliptic curves. Journal of Cryptology, 15:19-46, 2002.

[10] S. Galbraith, F. Hess, and N. Smart. Extending the GHS Weil descent attack. Advances in Cryptology-EUROCRYPT 2002 (LNCS 2332), 29-44, 2002.

[11] P. Gaudry. An algorithm for solving the discrete log problem on hyperelliptic curves. Advances in Cryptology-EUROCRYPT 2000 (LNCS 1807), 19-34, 2000.

[12] D. Hankerson, A. Menezes, and S. Vanstone. Guide to Elliptic Curve Cryptography. Springer, 2003.

[13] M.-D. Huang, K. Kueh, and K.-S. Tan. Lifting elliptic curves and solving the elliptic curve discrete logarithm problem. ANTS (LNCS 877), 377-384, Springer-Verlag, 2000.

[14] M. Jacobson, N. Koblitz, J. Silverman, A. Stein, and E. Teske. Analysis of the xedni calculus attack. Designs, Codes, and Cryptography, 20:41-64, 2000.

[15] M. Jacobson, A. Menezes and A. Stein. Solving elliptic curve discrete logarithm problems using Weil descent. Preprint, 2001.

[16] N. Koblitz, A. Menezes, Y. H. Wu, and R. Zuccherato. Algebraic Aspects of Cryptography. Springer, 1998.

[17] M. Maurer, A. Menezes, and E. Teske. Analysis of the GHS Weil descent attack on the ECDLP over characteristic two finite fields of composite degree. LMS Journal of Computation and Mathematics, 5:127-174, 2002.

[18] A. Menezes and E. Teske. Cryptographic implications of Hess' generalized GHS attack. http://www.cacr.math.uwaterloo.ca/ajmeneze/research/html, December 2004.

[19] A. Menezes and M. Qu. Analysis of the Weil descent attack of Gaudry, Hess and Smart. Topics in Cryptology CT-RSA 2001 (LNCS 2020), 308-318, 2001.

[20] A. Menezes, S. Vanstone and T. Okamoto. Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Transactions on Information Theory, 39:1639-1646, 1993.

[21] J.F. Mestre. Formules explicites et minoration de conducteurs de variétés algébriques. Compositio Math. 58 (1986), 209-232.

[22] V. Miller. Use of elliptic curves in cryptography. Advances in Cryptology CRYPTO '85 (LNCS 218), 417-426, Springer, 1986.

[23] V. Miller. Short programs for functions on curves. Unpublished manuscript, 1986.

[24] S. Pohlig and M. Hellman. An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Transactions on Information Theory, 24:106-110, 1978.

[25] J. M. Pollard. Monte Carlo methods for index computation (mod p). Mathematics of Computation, 32:918-924, 1978.

[26] T. Satoh and K. Araki. Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves. Commentarii Mathematici Universitatis Sancti Pauli, 47:81-92, 1998.

[27] R. Schoof. Elliptic curves over finite fields and the computation of square roots mod p. Mathematics of Computation, 44(170):483-494, 1985.

[28] R. Schoof. Nonsingular plane cubic curves over finite fields. Journal of Combinatorial Theory, A 46 (1987), 183-211.

[29] I. Semaev. Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p. Mathematics of Computation, 67:353-356, 1998.

[30] I. Semaev. Summation polynomials and the discrete logarithm problem on elliptic curves. Preprint, February 5, 2004.

[31] D. Shanks. Class number, a theory of factorization, and genera. 1969 Number Theory Institute, pages 415-440. American Mathematical Society, Providence, RI, 1971.

[32] J. Silverman. The Arithmetic of Elliptic Curves. Springer-Verlag, GTM 106.

[33] J. Silverman and J. Suzuki. Elliptic curve discrete logarithms and the index calculus. Advances in Cryptology-ASIACRYPT '98 (LNCS 1514), 110-125, 1998.

[34] J. Silverman. The xedni calculus and the elliptic curve discrete logarithm problem. Designs, Codes, and Cryptography, 20:5-40, 2000.

[35] N. Smart. The discrete logarithm problem on elliptic curves of trace one. Journal of Cryptology, 12:193-196, 1999.

[36] P. Van Oorschot and M. Wiener. Parallel collision search with cryptanalytic applications. Journal of Cryptology, 12:1-28, 1999.

[37] L. Washington. Elliptic Curves: Number Theory and Cryptography. Chapman and Hall, 2003.

[38] M. Wiener and R. Zuccherato. Faster attacks on elliptic curve cryptosystems. Selected Areas in Cryptography-SAC '98 (LNCS 1556), 190-200, 1999.

A Computation of the Pairings

In this appendix, we briefly introduce a method for computing the Weil pairing and the Tate-Lichtenbaum pairing. The algorithm is due to Miller [23]. The following theorem gives us a way to compute the Weil pairing.

Theorem A.1. Let $S, T \in E[n]$. Suppose that $D_S$ and $D_T$ are divisors of degree 0 with $\operatorname{sum}(D_S) = S$, $\operatorname{sum}(D_T) = T$ and disjoint supports. Let $f_S$ and $f_T$ be functions such that

$$\operatorname{div}(f_S) = nD_S \quad\text{and}\quad \operatorname{div}(f_T) = nD_T.$$

Then the Weil pairing is given by

$$e_n(S, T) = \frac{f_T(D_S)}{f_S(D_T)}.$$

Choose $D_S = [S] - [\infty]$ and $D_T = [T + R] - [R]$ for some $R \in E(K)$; to keep the supports disjoint, $R$ must avoid $\infty$, $S$, $-T$ and $S - T$. We have

$$e_n(S, T) = \frac{f_S(R)\, f_T(S)}{f_S(T + R)\, f_T(\infty)}.$$

Suppose $g$ is a function such that $\operatorname{div}(g) = nD_S$. The Tate-Lichtenbaum pairing of Section 3.3 can then be computed as

$$\langle S, T \rangle_n = g(D_T) = \frac{g(T + R)}{g(R)} \in \mathbb{F}_q$$

for any point $R \in E(\mathbb{F}_q)$ such that $R$ and $T + R$ lie outside the support of $D_S$. Therefore, computing either pairing amounts to evaluating $f(Q_1)/f(Q_2)$ for some points $Q_1, Q_2$, where $f$ is a function depending on $P$.

Now we are ready to introduce Miller's algorithm. Our goal is to find $f$ such that $\operatorname{div}(f) = nD_P$ and to compute $f(D_Q)$. Write $D_P = [P + R_1] - [R_1]$ and $D_Q = [Q + R_2] - [R_2] = [Q_1] - [Q_2]$ for some $R_1, R_2 \in E(K)$. We want to compute $f(D_Q) = f(Q_1)/f(Q_2)$. First, we introduce the divisors

$$D_j = j[P + R_1] - j[R_1] - [jP] + [\infty]$$

for $0 \le j \le n$. Since $\operatorname{sum}(D_j) = \infty$ and $\deg(D_j) = 0$, we can find a function $f_j$ such that $\operatorname{div}(f_j) = D_j$. Let $v_j = f_j(Q_1)/f_j(Q_2)$. The idea behind the algorithm is to compute the $v_j$ for $j$ a power of two and to accumulate them until we reach $v_n$. We will have

$$\operatorname{div}(f_n) = n[P + R_1] - n[R_1] - [nP] + [\infty] = n[P + R_1] - n[R_1],$$

since $nP = \infty$. Consequently, $f_n$ is the function we want, and $f(D_Q) = v_n = f_n(Q_1)/f_n(Q_2)$. The algorithm is as follows.

1. Write $n = (n_{t-1}, \dots, n_1, n_0)_2$ in base 2.

2. Let $j = 0$, $s = 1$ and $f_0 = 1$. Compute $f_1$ from the divisor $D_1 = [P + R_1] - [R_1] - [P] + [\infty]$.

3. Compute $v_0 = 1$ and $v_1$.

4. For $i$ from $0$ to $t - 1$ do

• If $n_i = 1$, compute $v_{j+s}$ from $v_j$ and $v_s$, and set $j \leftarrow j + s$.

• Compute $v_{2s}$ from $v_s$, and set $s \leftarrow 2s$.

5. Output $v_n = f_n(Q_1)/f_n(Q_2)$.

The only part we have not explained is the computation of $v_{j+s}$ when $v_j$ and $v_s$ are already known; the same process gives $v_{2s}$ by taking $j = s$. Let $ax + by + c = 0$ be the line through $jP$ and $sP$ (the tangent line if $jP = sP$), and let $x + d = 0$ be the vertical line through $(j + s)P$. We obtain

$$\operatorname{div}(ax + by + c) = [jP] + [sP] + [-(jP + sP)] - 3[\infty],$$

$$\operatorname{div}(x + d) = [jP + sP] + [-(jP + sP)] - 2[\infty].$$

So $D_j + D_s + \operatorname{div}\!\left(\dfrac{ax + by + c}{x + d}\right) = D_{j+s}$, hence $f_{j+s} = f_j \, f_s \cdot \dfrac{ax + by + c}{x + d}$ and

$$v_{j+s} = v_j \, v_s \cdot \frac{(ax + by + c)(Q_1)\,(x + d)(Q_2)}{(x + d)(Q_1)\,(ax + by + c)(Q_2)},$$

provided neither $Q_1$ nor $Q_2$ is a zero of one of the two lines; taking $j = s$ gives $v_{2s}$.

The last steps of the worked example (over $\mathbb{F}_{29}$ with $n = 7$, so that $(q - 1)/n = 4$) are:

6. Since $n_2 = 1$, compute $v_{j+s} = v_7 \equiv -2 \pmod{29}$.

7. Output $v_7$.

So $\tau_n(P, Q) \equiv (-2)^4 \equiv 16 \pmod{29}$. A similar computation shows

$$\tau_n(P, P) \equiv 7 \pmod{29}.$$
