New algorithm for the elliptic curve discrete logarithm problem with auxiliary inputs

Abstract

The discrete logarithm problem with auxiliary inputs (DLP-wAI) is a special discrete logarithm problem. Cheon first proposed a novel algorithm to solve the discrete logarithm problem with auxiliary inputs. Given a cyclic group \({\mathbb {G}}=\langle P\rangle \) of order p and some elements \(P,\alpha P,\alpha ^2 P,\ldots , \alpha ^d P\in {\mathbb {G}}\), an attacker can recover \(\alpha \in {\mathbb {Z}}_p^*\) in the case of \(d|(p\pm 1)\) with running time of \({\mathcal {O}}(\sqrt{(p\pm 1)/d}+d^i)\) group operations by using \({\mathcal {O}}(\text {max}\{\sqrt{(p\pm 1)/d}, \sqrt{d}\})\) storage (\(i=\frac{1}{2}\) or 1 for \(d|(p-1)\) case or \(d|(p+1)\) case, respectively). In this paper, we propose a new algorithm to solve another form of elliptic curve discrete logarithm problem with auxiliary inputs (ECDLP-wAI). We show that if some points \(P,\alpha P,\alpha ^k P,\alpha ^{k^2} P,\alpha ^{k^3} P,\ldots ,\alpha ^{k^{\varphi (d)-1}}P\in {\mathbb {G}}\) and multiplicative cyclic group \(K=\langle k \rangle \) are given, where d is a prime, \(\varphi (d)\) is the order of K and \(\varphi \) is the Euler totient function, the secret key \(\alpha \in {\mathbb {Z}}_p^*\) can be solved in \({\mathcal {O}}(\sqrt{(p-1)/d}+d)\) group operations by using \({\mathcal {O}}(\sqrt{(p-1)/d})\) storage.