Weil Descent

The Weil descent method applies to elliptic curves over the field extensions F_qs over F_q for some s > 1, where q is a prime or prime power. Although it also works for the field of odd characteristic, we will only concern the case of characteristic two. This method was first proposed by Frey [5], then Galbraith and Smart [7] detailed that how this method might apply to the ECDLP. Finally, the GHS attack, named after Gaudry, Hess and Smart [9], gave a complete description of reducing the ECDLP to the discrete logarithm problem on a Jacobian of a hyperelliptic curve over F_q. Since there exist subexponential-time algorithms to solve the DLPs in high-genus curves, this gives a possible method against the ECDLP. First, we give some definitions.

Definition 3.19. A hyperelliptic curve C of genus g over F_q is defined by a non-singular equation

v²+ h(u)v = f (u),

where h, f ∈ Fq[u], deg(f ) = 2g + 1, and deg(h)≤ g.

The definitions of divisors and rational functions on a hyperelliptic curve are similar to the definitions on an elliptic curve as we have mentioned in section 3.1.2.

Definition 3.20. Let Div⁰(C) be the set of all divisors of degree 0 of a hyperelliptic curve. The set of all principal divisors, denoted by P ic(C), is a subgroup of Div⁰(C).

The Jacobian J of C is defined by J(C) = Div⁰(C)/P ic(C).

Suppose F_qs is a field extension of F_q, where q = 2^l for some integers s and l.

We assume the curve given by

E : y²+ xy = x³+ ax² + b where a∈ {0, 1}, b ∈ F_q^∗s.

This kind of curves is called the Koblitz curves, which is widely used in elliptic curve cryptosystems. We will focus on these curves, but remark that it can be extended to general cases.

The first step is to construct the Weil restriction of scalars of E(F_q^s). Choose a basis of F_q^s over F_q. Since x, y, and b belong to F_q^s, we can write them in expansions of this basis. After substituting into the original Weierstrass equation and equating the coefficient of each term of the basis, we obtain s equations with 2s variables over F_q. These s equations form an affine variety of dimension s over F_q, denoted by W_Fqs/Fq. The variety W_Fqs/Fq is then intersected with s− 1 chosen hyperplanes to get a hyperelliptic curve C with genus g over F_q.

In addition, the GHS attack constructs an explicit group homomorphism form E(F_qs) to J(C). Now we can translate the ECDLP to the DLP on J(C). However, this method only works for a significant proportion of all elliptic curves over F_qs. It depends on the resulting genus g of the curve C. If g is too small, the Jacobian J(C) contains no subgroup of order n. If g is too large, the computations in J(C) will be an infeasible work. The following theorem determines g. Define σ : F_qs → Fq^s be the q-th power Frobenius automorphism.

Theorem 3.21. (Gaudry, Hess, and Smart [9]) The genus of C is equal to either 2^m−1 or 2^m−1− 1, where m is derived as follows. Let bi = σⁱ(b), then m is given by

m = m(b) = dim_F2(Span_F2{(1, b^1/20 ), . . . , (1, b^1/2_s−1)}

There are some algorithms which can be used to solve the DLP on J(C) such as the Pollard method [25], the Gaudry’s algorithm [11], and Enge and Gaudry’s algorithm [3]. We remark that the GHS attack is successful if the genus g of C is small enough so that either Gaudry’s algorithm, or Enge and Gaudry’s algorithm

is more efficient than the Pollard method. After comparing their expected running time, we say that the GHS attack fails if q^g ≥ 2¹⁰²⁴ or g = 1. For the case q = 2, these conditions translate to m≥ 11 or m = 1.

Menezes and Qu [19] proved that the smallest value m(b) in Theorem 3.21 is M (s) = ord_s(2) + 1 where ord_s(2) is the multiplicative order of 2 modulo s. They found M (s) ≥ 17 for all primes s ∈ [160, 600] when q = 2. Consequently, the GHS attack is infeasible for all elliptic curves defined over F2^s, where s is a prime in the range of 160≤ s ≤ 600.

An isogeny is a rational map between curves E1 and E2 such that |E1| = |E2|.

Galbraith, Hess, and Smart [10] extended the GHS attack by using isogenies. We call it the generalized GHS attack. If the resulting value m(b) of a curve E over F2^s

is large, the idea is to find an isogenous curve E^ which has small value m. Then the ECDLP on E can be mapped to the ECDLP on E^, and the ECDLP on E^ can be solved by GHS attack. The authors not only gave how these isogenies can be constructed but also showed that F_q7 is weak under the generalized GHS attack.

Further analysis of the GHS attack has been done by looking over the finite fields suggested in many standards. Jacobson, Menezes, and Stein [15] examined the field extension F₂155 over F5 and concluded that only 2³³ of 2¹⁵⁶ isomorphism classes of elliptic curves can be attacked by this strategy. The probability of finding one curve threaten by the GHS attack is rather small. However, the generalized GHS attack increases this probability from 1/2¹²² to 1/2⁵². We call a field F₂s partially weak if the ECDLP can be solved faster than the Pollard method for only a non-negligible proportion of all elliptic curves. So, the field F₂155 should be considered weak.

Finally, Menezes and Teske [18] concluded that the fields F₂5l and F₂6l are weak.

The fields F₂3l, F₂7l, and F₂8l for some l are partially weak under the generalized GHS attack.

4 Other Attacks

In this section, we discuss the index calculus method and the xedni calculus method which both fail to solve the ECDLP. However, there are interesting ideas beyond them, so we give a brief introduction to them. In the third part of this section, we introduce the idea of summation polynomial. The author establishes a connection between the operations in the elliptic curve group and explicit modular multivariate polynomial equations. These ideas give us some new thoughts for further research.

4.1 Index Calculus on the ECDLP

It is well known that the discrete logarithm problem in the multiplicative group F_p^∗ of a finite field can be solved in subexponential time using the index calculus method, which has been discovered in 1920’s. Miller [22] noticed that it is better to use the elliptic curve group instead of F_p^∗ in a cryptosystem, since the index calculus method is extremely unlikely able to solve the ECDLP. The main reasons are “rank/height obstruction” and “lifting obstruction”. The first one is the problem of finding an elliptic curve with large number of small rational points. The second one is the problem of lifting a point in E(F_p) to a point in E(Q). We remark that the lifting here can be thought as a lifting into the p-adic integerZp, then applying the reduction modulo map. We will introduce the index calculus attack on the ECDLP and discuss why it fails, which comes from Silverman’s work [33].

1. Choose an elliptic curve E(Q) which reduces to E(Fp). It has a large number of independent rational points, say ˜P1, ˜P2, . . . , ˜P_r∈ E(Q).

2. Compute the multiples P, 2P, 3P . . . in E(F_p). For each j, try to lift jP to a rational point ˜jP in E(Q). That is, jP ≡ ˜jP (mod p). If this is successful,

then write ˜jP as a linear combination jP =˜

r i=1

n_iP˜_i in E(Q).

Reducing the coordinates of the points modulo p yields a desired relation

jP = r

i=1

n_iP_i in E(F_p).

3. After r of the jP ’s have been lifted, we have r linear equations

j = r

i=1

n_ilog_P(P_i).

Each log_P(P_i) can be solved by these r linear equations.

4. Try to lift Q, Q + P, Q + 2P, Q + 3P, . . . , to E(Q). We say that Q+jP is lifted

implies that we can recover the desired value of log_P Q by these log_P(P_i).

The above algorithm works well if we can find a lifting elliptic curve E(Q) which has a lot of independent points with small number of bits need to write down for the coordinates. Unfortunately, Silverman and Suzuki in [33] gave an analysis which showed that this kind of curves is rare. This is the first rank/height obstruction we have mentioned above. Now we turn our discussion to the elliptic curve overQ. Let the number r in the above algorithm be the rank of the elliptic curve E(Q). Recall that the height of a rational number t/s ∈ Q is defined by H(t/s) = max(|t|, |s|).

The canonical height of a point P ∈ E(Q) is then defined by ˆh(P ) = 1

2 lim

n→∞

1

n² log H(x_nP),

with associated inner product for P, Q∈ E(Q)

P, Q = 1

2(ˆh(P + Q)− ˆh(P ) − ˆh(Q)).

Suppose N (E, B) is the number of points with bounded height B in E(Q). This value is estimated by counting the lattice points in R^r relative to the canonical height inner product. Under some reasonable assumption, based on the data from Mestre [21], the result follows [33].

Heuristic Bound. Based on the numerical data contained in [21] and the above theoretical analysis, it appears to be possible to use Mestre’s method to produce elliptic curves E(Q) so that the number of rational points

N (E, B) = #{P ∈ E(Q)|H(xP)≤ B}

in E(Q) grows like

N (E, B)≈ 1

√πr

20πe log B r· log |Δ|

_r/2 ,

where Δ is the discriminant of the minimal Weierstrass equation. Further, it is probably not possible to find elliptic curves such that N (E, B) grows significantly faster than this rate.

It is impossible to get N (E, B) large unless one chooses

log B  r log |Δ|

in this formula. If we make r large, then the value of B is also enormous. It does not help us solving an ECDLP, since we want B to be small and N (E, B) to be large.

Silverman and Suzuki further estimated the quantity log|Δ| by some exper-iments. They chose an elliptic curve over a fixed finite field and use Mestre’s method [21] to look for lifts of this curve. Finally, they looked for independent integral points on the ones having small discriminant among all lifts. After observ-ing the relevant data, they had an approximation on log|Δ| which grows linearly in both log p and r log r. Under the assumption of N (E, B) ≥ p/2¹⁰, they found that the value of r minimizes the lower bound. If p ≥ 2¹⁶⁰, the rank r is 180 such that the lower bound B ≥ 2^7830.74 ≈ p^48.94. Note that no curves of rank ≥ 24 are currently known [33]. Another explanation can be found in [13]. We will introduce it at the end of the next section.

Even if we have a curve with large number of independent points of bounded height, how do we lift a point in E(F_p) to a point in E(Q)? A natural choice is to lift points p-adically. That is, lift mod p² first, then lift mod p³, etc. However we have p possible lifts at each step but do not know which leads to an actual point in E(Q). To check all the possibilities is clearly an infeasible task. This is the lifting obstruction we have mentioned. Even if there is another method for lifting, the numbers involved are so large that it seems unlikely that the lifting problem has a practical solution. These problems cause the failure of the index calculus method to the ECDLP.