
Numerical Results

The computing environment is an Intel Xeon 3040 processor at 1.86 GHz with 2 GB of RAM, running FreeBSD 7.0 with the MIRACL library version 5.3.2. First, we calculated the orders of 50, 40, 30, 20, and 10 different elliptic curves over primes of 160, 192, 256, 384, and 512 bits, respectively, using the original SEA algorithm. The average times are listed in Table 5.2.

| Bits of q | 160 | 192 | 256 | 384 | 512 |
|---|---|---|---|---|---|
| Average time (s) | 9.91 | 26.51 | 90.73 | 607.8 | 2654 |

Table 5.2: Average computing time of original SEA algorithm

Next, we calculated the order of the same elliptic curves as before by applying the Atkin selection heuristic. The average time and the improvement rate compared with the original one are in Table 5.3.

| # bits of q | 160 | 192 | 256 | 384 | 512 |
|---|---|---|---|---|---|
| Average time (s) | 9.68 | 26.02 | 87.20 | 574.9 | 2412 |
| Improve rate (%) | 2.33 | 1.84 | 3.89 | 5.42 | 9.10 |

Table 5.3: Average computing time when applying Atkin selection heuristic

When the number of bits of q increases, we need to use more primes. Hence, we encounter more Atkin primes, which are almost useless for us. The Atkin selection heuristic saves the time, whose complexity is Op3log3qq, needed to find the r of the ‘bad’ Atkin primes. Therefore, the impact is more evident when q is large.
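The growth in the number of primes can be made concrete with the following added example, which is not code from the thesis. It assumes the usual Schoof-type stopping rule (collect primes until their product exceeds 4√q, the width of the Hasse interval), takes plain primes from 2 upward, and uses q = 2^bits − 1 as a constructed stand-in for a field size of each bit length.

```python
def primes():
    """Yield 2, 3, 5, ... by trial division (only small primes are needed)."""
    found = []
    n = 2
    while True:
        if all(n % p for p in found if p * p <= n):
            found.append(n)
            yield n
        n += 1


def primes_needed(q):
    """Shortest initial run of primes whose product exceeds 4*sqrt(q).

    The comparison product > 4*sqrt(q) is done exactly on integers
    as product**2 > 16*q.
    """
    chosen, product = [], 1
    for p in primes():
        if product * product > 16 * q:
            return chosen
        chosen.append(p)
        product *= p


def table(bit_sizes=(160, 192, 256, 384, 512)):
    """Return (bits, number of primes, largest prime) per field size.

    q = 2**bits - 1 is a constructed stand-in: only the size of q
    matters for the bound, not whether it is prime.
    """
    rows = []
    for bits in bit_sizes:
        run = primes_needed(2**bits - 1)
        rows.append((bits, len(run), run[-1]))
    return rows


if __name__ == "__main__":
    for bits, count, largest in table():
        print(f"{bits:4d}-bit q: {count:3d} primes, largest = {largest}")
```

Both the number of primes and the size of the largest one grow with the bit length of q, so a larger field means more Atkin primes and more work spent on each.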

Table 5.4 shows the numerical result of applying the Elkies isogeny heuristic.

| # bits of q | 160 | 192 | 256 | 384 | 512 |
|---|---|---|---|---|---|
| Average time (s) | 9.68 | 25.27 | 83.95 | 557.0 | 2296 |
| Improve rate (%) | 2.30 | 4.67 | 7.47 | 8.37 | 13.48 |

Table 5.4: Average computing time when applying Elkies isogeny heuristic

The effect of the isogeny cycle is to reuse the Elkies primes. This becomes necessary when q is larger, because the number of Atkin primes encountered increases. Accordingly, the results show that the improvement is obvious when q is large.

The result of the improvement of the polynomial-time BSGS heuristic is shown in Table 5.5.

| # bits of q | 160 | 192 | 256 | 384 | 512 |
|---|---|---|---|---|---|
| Average time (s) | 9.49 | 25.43 | 80.02 | 545.1 | 2278 |
| Improve rate (%) | 4.19 | 4.07 | 11.81 | 10.31 | 14.16 |

Table 5.5: Average computing time when applying polynomial-time BSGS heuristic

As we can see, this heuristic is an effective way to improve the algorithm. The result also shows that it can avoid the use of larger primes, and can indeed detect whether C is too big.

Finally, if the three heuristics are applied to the original SEA algorithm, we get the result in Table 5.6.

| # bits of q | 160 | 192 | 256 | 384 | 512 |
|---|---|---|---|---|---|
| Average time (s) | 9.11 | 23.86 | 73.18 | 464.3 | 1899 |
| Improve rate (%) | 8.03 | 10.01 | 19.34 | 23.61 | 28.43 |

Table 5.6: Average computing time when applying three heuristics

Chapter 6

Conclusion & Future Work

In this thesis, we propose three heuristics to speed up the SEA algorithm. These three heuristics are more effective for large q. In addition, we use a pre-computation technique to speed up the BSGS strategy, and we propose negative checking for the isogeny cycles.

Although our implementation is for elliptic curves defined over prime fields, the heuristics can be applied to the SEA algorithm for elliptic curves defined over binary fields $\mathbb{F}_q$, where $q = 2^n$. Furthermore, the idea of the analysis in the Atkin selection heuristic and in the Elkies isogeny heuristic may be applied to others.

There are some improvements mentioned by Couveignes [4]. They can help find a factor of the division polynomial of smaller degree.

In the future, we will prepare to implement the SEA algorithm for elliptic curves defined over binary fields. We will also study the theoretical part of elliptic curves, especially the part related to the SEA algorithm. Moreover, there exists Satoh’s method [19], which uses p-adic analysis to find the order of elliptic curves defined over finite fields of small characteristic, such as binary fields.

Bibliography

[1] A. O. L. Atkin and F. Morain. Elliptic curves and primality proving. Mathematics of Computation, 61(203):29–68, 1993.

[2] M. Bellare and P. Rogaway. Minimizing the use of random oracles in authenticated encryption schemes. In ICIS: International Conference on Information and Communications Security (ICIS), LNCS, 1997.

[3] I. F. Blake and N. P. Smart C. Seroussi. Elliptic Curves in Cryptography. Cambridge University Press, 2000.

[4] J. Couveignes, L. Dewaghe, and F. Morain. Isogeny cycles and the Schoof-Elkies-Atkin algorithm, LIX/RR/96/03, 1996.

[5] J. Couveignes and F. Morain. Schoof’s algorithm and isogeny cycles. In ANTS, pages 43–58, 1994.

[6] G. Frey. Applications of arithmetical geometry to cryptographic constructions. In Proceedings of the Fifth International Conference on Finite Fields and Applications, 2001. To appear. Also available from http://www.exp-math.uni-essen.de/.

[7] G. Frey and H. Rück. A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Mathematics of Computation, 62(206):865–874, 1994.

[8] P. Gaudry. Index calculus for abelian varieties and the elliptic curve discrete logarithm problem. Cryptology ePrint Archive, Report 2004/073, 2004. http://eprint.iacr.org/2004/073/.

[9] T. Izu, J. Kogure, M. Noro, and K. Yokoyama. Parameters for secure elliptic curve cryptosystem - improvements on Schoof’s algorithm. In Public Key Cryptography, volume 1431, pages 253–257, 1998.

[10] T. Izu, J. Kogure, M. Noro, and K. Yokoyama. Efficient implementation of Schoof’s algorithm. In Advances in Cryptology – Asiacrypt ’98, Lecture Notes in Computer Science 1514, pages 66–79. Springer-Verlag, 1999.

[11] D. Johnson and A. Menezes. The Elliptic Curve Digital Signature Algorithm (ECDSA). Univ. of Waterloo, 1999. http://cacr.math.waterloo.ca

[12] A. Joux and R. Lercier. “Chinese match”, an alternative to Atkin’s “match and sort” method used in the SEA algorithm.

[13] N. Koblitz. Elliptic curve cryptosystems. Mathematics of Computation, 48(177):203–209, 1987.

[14] L. Law, A. Menezes, M. Qu, J. Solinas, and S. Vanstone. An efficient protocol for authenticated key agreement. Des. Codes Cryptography, 28(2):119–134, 2003.

[15] V. Müller. Ein Algorithmus zur Bestimmung der Punktzahl elliptischer Kurven über endlichen Körpern der Charakteristik grösser drei. PhD thesis, Universität des Saarlandes, 1995.

[16] A. Menezes, S. Vanstone, and T. Okamoto. Reducing elliptic curve logarithms to logarithms in a finite field. In STOC ’91: Proceedings of the twenty-third annual ACM symposium on Theory of computing, pages 80–89, New York, NY, USA, 1991. ACM.

[17] V. Miller. Use of elliptic curves in cryptography. In CRYPTO ’85: Advances in Cryptology, pages 417–426, London, UK, 1986. Springer-Verlag.

[18] H. Rück. On the discrete logarithm in the divisor class group of curves. Mathematics of Computation, 68(226):805–806, 1999.

[19] T. Satoh. The canonical lift of an ordinary elliptic curve over a prime field and its point counting. Journal of the Ramanujan Mathematical Society, 15:247–270, 2000.

[20] R. Schoof. Elliptic curves over finite fields and the computation of square roots mod p. Mathematics of Computation, 44(170):483–494, 1985.

[21] R. Schoof. Counting points on elliptic curves over finite fields. J. Théor. Nombres Bordeaux, 7:219–254, 1995.

[22] D. Shanks. Class number, a theory of factorization, and genera. Proceedings of Symposia in Pure Mathematics, 20:415–440, 1971.

[23] J. H. Silverman. The Arithmetic of Elliptic Curves. Springer, 1994.

[24] N. P. Smart. The discrete logarithm problem on elliptic curves of trace one. Journal of Cryptology: the journal of the International Association for Cryptologic Research, 12(3):193–196, 1999.

[25] N. P. Smart. Elliptic curve cryptosystems over small fields of odd characteristic. Journal of Cryptology, 12(2):141–151, 1999.

[26] NIST Recommended Key Sizes. http://www.nsa.gov/ia/industry/crypto elliptic curve.cfm

[27] MIRACL (Multiprecision Integer and Rational Arithmetic C/C++ Library). http://www.shamus.ie/
