Xedni Calculus on the ECDLP

The index calculus method fails to solve an ECDLP because of the height/rank obstruction and the lifting obstruction. Silverman presented a new attack in [34]

which avoid these two obstructions. Instead of lifting the elliptic curve E(F_p) and the related points jP , his idea is to lift the points first, then construct an elliptic

curve E(Q) which passes through these points. That is why it is called the ”xedni calculus” method. Eventually, the lifting problem becomes a linear algebra problem.

However, this attack later been proved not practical [14] in solving the ECDLP by a work group at the University of Waterloo. In this section, we will introduce it for a complete overview of all possible attacks, then explain the reason of its failure.

Suppose P1, P2, . . . , P_r ∈ E(Fp) are of the form P_i = s_iP − tiQ, where s_i, t_i are randomly chosen in [1, n− 1] for i = 1, . . . , r. We can also choose Q1, . . . , Q_r with integer coordinates by using projective coordinates such that P1, P2, . . . , P_r are the reduction modulo p points of Q1, . . . , Q_r. Our main goal is to construct an elliptic curve E(Q) passing through Q1, . . . , Q_r. If the points Q1, . . . , Q_r are dependent, there is a nontrivial relation

n₁Q₁+ n₂Q₂+ . . . + n_rQ_r =∞

for some nonzero n_i. By taking modulo p, we get

(n1(t1P − s1Q)) + (n1(t1P − s1Q)) + . . . + (n_r(t_rP − srQ)) =∞. Silverman introduces a method related to a conjecture called the Birch-Swinnerton-Dyer Conjecture. If we write N_l =|E(Fl)| = l + 1 − al where l is a prime and a_l is the trace related to l, the conjecture comes from the idea of measuring the number of points N_l as l varies. One forms the product

 l

N_l = l l + 1− al

= 1

1− al· l⁻¹+ l· l⁻²,

which is formally equal to the value of the Euler product L(E, s) at s = 1 (see [32], P.362). This conjecture states that L(E, s) vanishes at s = 1 if and only if the rank of the group E(Q) is positive. In addition, the rank is equal to the order of the zero at s = 1. Even some of important partial results have been proved in support of this fundamental conjecture; it remains a very difficult unsolved problem in its general form [14].

If we expect the rank of an elliptic curve E(Q) being large, so is the order of zero at s = 1. It would be reasonable to expect that the first few terms of this product are small. Thus, the first few numbers N_l are large. Mestre [21] applies this idea to generate curves with large rank, but Silverman uses it in an opposite way. He expects|E(Fl)| being as small as possible such that |E(Fl)| = l + 1 − 2√

l for the first few primes l. The resulting rank of E(Q) is smaller than the expected rank.

We hope that this will increase the dependence of the lifting points. We call it the reverse Mestre conditions.

The problem of constructing this elliptic curve over Q will be a linear algebra problem. We consider a general cubic curve which can be determined by no more than 9 points in projective coordinates. For any set of r triples P_i = [x_i, y_i, z_i], define

Therefore, the coefficient of the cubic curve can be found by computing the kernel of the matrix B. The associated cubic curve will be of the form

u1x³+ u2x²y + u3xy²+ u4y³+ u5x²z + u6xyz + u7y²z + u8xz²+ u9yz²+ u10z³ = 0.

Now we give a summary of the xedni calculus algorithm [34]. The optional steps are omitted.

Step 1. Choose an integer r with 2≤ r ≤ 9 and an integer M which is a product of small primes l ∈ [7, 100]. We shall assume p  M. The integer r is the number of points to be lifted.

Step 2. Choose r points P_M,i = [x_M,i, y_M,i, z_M,i] for 1 ≤ i ≤ r, where the coordi-nates are integers. These points satisfy:

• The first four points are [1, 0, 0], [0, 1, 0], [0, 0, 1], [1, 1, 1].

• For every prime l|M, the matrix B = B(PM,1, . . . , P_M,r) has the maximal rank modulo l.

These points P_M,i can be found by choosing P_l,i for each l|M, then we use the Chinese Remainder Theorem. Also choose a mod-M coefficient vector (u_M,1, . . . , u_M,10) that is in the kernel of the matrix B such that the reducing modulo l curve E(F_l) has fewest points for each l|M. We will get a cubic curve with coefficients u_M,i.

Step 3. Choose r random pairs of integers (s_i, t_i) satisfying 1 ≤ si, t_i ≤ n for i = 1, . . . , r. Compute the points P_p,i by P_p,i = s_iP − tiQ∈ E(Fp).

Step 4. Make a change of variable so that the first four points of P_p,i become P_p,1 = [1, 0, 0], P_p,2 = [0, 1, 0], P_p,3 = [0, 0, 1] and P_p,4 = [1, 1, 1]. In this case u_p,i for i = 1, . . . , r are the coefficients of the resulting equation for E(F_p).

Step 5. Use the Chinese Remainder Theorem to find u^₁, . . . , u^₁₀ satisfying

u^_i ≡ up,i (mod p) and u^_i ≡ uM,i (mod M )

for i = 1, . . . , r.

Step 6. Lift the chosen points to P²(Q). In other words, choose points Pi = [x_i, y_i, z_i] for i = 1, . . . , r with integer coordinate satisfying

P_i ≡ Pp,i (mod p) and P_i ≡ PM,i (mod M ).

In particular, P₁ = [1, 0, 0], P₂ = [0, 1, 0], P₃ = [0, 0, 1], and P₄ = [1, 1, 1].

Step 7. Form the matrix B(P₁, . . . , P_r) by using the r points P_i in Step 6. Find a solution u = (u₁, u₂, . . . , u_n) such that Bu = 0 and u_i ≡ u^_i (mod M p). Let C_u denote the associated cubic curve.

Step 8. Make a change of coordinates to put C_u into standard minimal Weierstrass form with the point P₁ = [1, 0, 0] the point at infinity. Write the resulting equation as

E_u : y²+ a1xy + a3y = x³ + a2x² + a4x + a6

with a₁, . . . , a₆ ∈ Z, and let Q1, Q₂, . . . , Q_r denote the image under this change of variable.

Step 9. Test the points Q₁, . . . , Q_r for the dependence. This process can be done by using the Descent Method or the Height Method (see [34]). If they are independent, return to Step 2 or 3.

Step 10. Compute

s = r

i=1

n_is_i and t = r

i=1

n_it_i,

then log_PQ ≡ s⁻¹t (mod n), provided it exists. Otherwise, return to Step 2 or Step 3.

Jacobson, Koblitz, Silverman, Stein, and Teske [14] combined the theoretical and empirical points of view to show that the xedni calculus is impractical for p in the range used in elliptic curve cryptography today. On the theoretical side the main idea is the following:

Lemma 4.1. Assume that log|Δ| ≥ C1max_i=1,...,rˆh(P_i) for the lifted curves in the xedni algorithm, where Δ is the discriminant of the lifted curve, Pi are the lifted points, ˆh is the canonical logarithmic height, and C₁ is a positive absolute constant.

Then, under Lang’s conjecture, if the lifted points are dependent, then they satisfy a nontrivial relation with coefficients bounded from above by an absolute constant C2.

This lemma is proved by directly counting the number of points of the subgroup which is spanned by the lifted points P1, . . . , P_r. The canonical logarithmic height of the points in this subgroup are bounded above by some constant B. Followed by a conjecture of Lang which states that there exists a positive absolute constant C3

such that for all non-torsion points S, we have

m = min ˆh(S) > C₃log|Δ|.

Consequently, the constant C₂ can be found by the following inequality

C₂ ≥ T c(r − 1)r 2

_r−1

(C₁)(C₃)^−(r−1)/2

where T ≤ 16 and c is a function related to r. Since 1 ≤ r ≤ 9, we can determine an absolute constant C2.

If there is any relation among the lifted points P1, . . . , P_r, then these points can be reduced modulo p to get a relation of the original points P_p,1, . . . , P_p,r with the same coefficients. Hence, if the coefficients of the relation of the lifted points are bounded by some constant C2, then so is true for the original points. Thus, if those original

points P_p,i do not satisfy any relation with coefficients less than the upper bound in the lemma, then the lifted points will be independent regardless how we use the reverse Mestre conditions. Therefore, the probability of success of the xedni calculus is less than the probability of the original points P_p,1, . . . , P_p,r satisfying a relation with coefficients bounded by C2. Consider the map from r-tuples of integers less than the absolute value of C2 to E(F_p) given by (n1, . . . , n_r)→ n1P_p,1+ . . . + n_rP_p,r. The image is a set of ≈ (2C2)^r randomly distributed points. The probability that the image contains∞ is approximately (2C2)^r/p. This proves the following theorem with C0 = (2C2)^r.

Theorem 4.2. Under certain plausible assumptions, there exists an absolute con-stant C0 such that the probability of success of the xedni algorithm in finding a discrete logarithm on an elliptic curve over Fp is less than C0/p.

The quantity C0 determines whether the xedni calculus is successful or failed, so we need to examine the constant C0. Jacobson, Koblitz, Silverman, Stein, and Teske [14] estimated C0 under some reasonable assumption which is related to the number r and the coefficients of the curve. They derived the following result.

r rough value for C0

2 10⁴

3 10¹²

4 10²³

5 10³⁸

6 10⁵⁴

7 10⁶⁵

8 10⁸⁴

9 10¹⁰⁰

Since p≈ 10⁵⁰ in practical elliptic curve cryptosystems, this result rules out the use of the algorithm with r≤ 5. For the case r = 6, 7, 8, 9, the authors took some exper-iments whose purpose is to see which parameter has an impact on the probability of dependence. They found that these theoretical bounds are far too generous. Fur-thermore, in the absence of other considerations, the reverse Mestre conditions do increase the likelihood of dependence. Unfortunately, they also cause the discrimi-nant increase, and this makes the probability of a dependence decrease. This means the net effect of the reverse Mestre condition is doing more harm than help [14].

Another explanation is given by M. D. Huang, K. Kueh, and K. S. Tan [13] who made a easier description of Theorem 4.2. Suppose D is the minimal discriminant of the lifted curves E(Q). The probability of success of the xedni calculus is bounded by

2^O(r3)(h/ log|D|)^O(r2) p

where the lifted points are P₀, . . . , P_r inP  with the canonical heights bounded by h. In order to achieve a subexponential running time O(e^{c(log p)1/2}(log log p)^1/2), it is

necessary that r²log h > c^log p for some constant c^. Even if we allow the lifted points with height about e^{c(log p)1/2}(log log p)^1/2, the number of r + 1 lifted points still needs to be at least in the order of (log p)^1/4 as p grows. This is true regardless how we use the reverse Mestre’s conditions. In addition, we require the number of lifted points being at most 9. So the probability of success tends to zero asymptotically.

Hence, the xedni calculus cannot work in subexponential time asymptotically.

For the index calculus, the fact that the rank of E(Q) need to grow at least (log p)^1/4 as p grows is already a difficulty which leads to failure.