Advertisement

Journal of Cryptology

, Volume 26, Issue 1, pp 119–143 | Cite as

Elliptic Curve Discrete Logarithm Problem over Small Degree Extension Fields

Application to the Static Diffie–Hellman Problem on \(E(\mathbb{F}_{q^{5}})\)
  • Antoine Joux
  • Vanessa Vitse
Article

Abstract

In 2008 and 2009, Gaudry and Diem proposed an index calculus method for the resolution of the discrete logarithm on the group of points of an elliptic curve defined over a small degree extension field \(\mathbb{F}_{q^{n}}\). In this paper, we study a variation of this index calculus method, improving the overall asymptotic complexity when \(n = \varOmega(\sqrt [3]{\log_{2} q})\). In particular, we are able to successfully obtain relations on \(E(\mathbb{F}_{q^{5}})\), whereas the more expensive computational complexity of Gaudry and Diem’s initial algorithm makes it impractical in this case. An important ingredient of this result is a variation of Faugère’s Gröbner basis algorithm F4, which significantly speeds up the relation computation. We show how this index calculus also applies to oracle-assisted resolutions of the static Diffie–Hellman problem on these elliptic curves.

Key words

Elliptic curve Discrete logarithm problem (DLP) Index calculus Gröbner basis computation Summation polynomials Static Diffie–Hellman problem (SDHP) 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. [1]
    M. Bardet, Étude des systèmes algébriques surdéterminés. Applications aux codes correcteurs et à la cryptographie. PhD thesis, Université Pierre et Marie Curie, Paris VI, 2004 Google Scholar
  2. [2]
    M. Bardet, J.-C. Faugère, B. Salvy, B.-Y. Yang, Asymptotic behaviour of the degree of regularity of semi-regular polynomial systems. Presented at MEGA’05, Eighth International Symposium on Effective Methods in Algebraic Geometry, 2005 Google Scholar
  3. [3]
    E. Becker, M.G. Marinari, T. Mora, C. Traverso, The shape of the shape lemma, in Proceedings of ISSAC’94, Oxford, 1994 (ACM, New York, 1994), pp. 129–133 Google Scholar
  4. [4]
    L. Bettale, J.-C. Faugère, L. Perret, Hybrid approach for solving multivariate systems over finite fields. J. Math. Cryptol. 3(3), 177–197 (2010) Google Scholar
  5. [5]
    W. Bosma, J. Cannon, C. Playoust, The Magma algebra system. I. The user language. J. Symb. Comput. 24(3–4), 235–265 (1997). Computational algebra and number theory (London, 1993) MathSciNetzbMATHCrossRefGoogle Scholar
  6. [6]
    D.R.L. Brown, R.P. Gallant, The static Diffie–Hellman problem. Cryptology ePrint Archive, Report 2004/306, 2004 Google Scholar
  7. [7]
    B. Buchberger, Gröbner bases: an algorithmic method in polynomial ideal theory, in Multidimensional Systems Theory, Progress, Directions and Open Problems, ed. by N. Bose. Math. Appl., vol. 16 (Reidel, Dordrecht, 1985), pp. 184–232 Google Scholar
  8. [8]
    H. Cohen, G. Frey, R. Avanzi, C. Doche, T. Lange, K. Nguyen, F. Vercauteren (eds.), Handbook of Elliptic and Hyperelliptic Curve Cryptography. Discrete Mathematics and Its Applications (Chapman & Hall/CRC, Boca Raton, 2006) zbMATHGoogle Scholar
  9. [9]
    A. Colin, Solving a system of algebraic equations with symmetries. J. Pure Appl. Algebra 117/118, 195–215 (1997) MathSciNetCrossRefGoogle Scholar
  10. [10]
    D. Cox, J. Little, D. O’Shea, Ideals, Varieties, and Algorithms, 3rd edn. Undergraduate Texts in Mathematics (Springer, New York, 2007) zbMATHCrossRefGoogle Scholar
  11. [11]
    C. Diem, On the discrete logarithm problem in elliptic curves. Compos. Math. 147(1), 75–104 (2011) MathSciNetzbMATHCrossRefGoogle Scholar
  12. [12]
    W. Diffie, M.E. Hellman, New directions in cryptography. IEEE Trans. Inf. Theory IT-22(6), 644–654 (1976) MathSciNetCrossRefGoogle Scholar
  13. [13]
    C. Eder, J. Perry, F5C: a variant of Faugère’s F5 algorithm with reduced Gröbner bases. J. Symb. Comput. 45(12), 1442–1458 (2010) MathSciNetzbMATHCrossRefGoogle Scholar
  14. [14]
    T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, in Advances in Cryptology—CRYPTO 1984. Lecture Notes in Comput. Sci., vol. 196 (Springer, Berlin, 1985), pp. 10–18 CrossRefGoogle Scholar
  15. [15]
    J.-C. Faugère, A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra 139(1-3), 61–88 (1999) MathSciNetzbMATHCrossRefGoogle Scholar
  16. [16]
    J.-C. Faugère, A new efficient algorithm for computing Gröbner bases without reduction to zero (F5), in Proceedings of ISSAC’02 (ACM, New York, 2002), pp. 75–83 Google Scholar
  17. [17]
    J.-C. Faugère, L. Perret, Algebraic cryptanalysis of Curry and Flurry using correlated messages, in Inscrypt 2009, ed. by M. Yung, F. Bao, vol. 6151 (Springer, Berlin, 2010), pp. 266–277 Google Scholar
  18. [18]
    J.-C. Faugère, P. Gianni, D. Lazard, T. Mora, Efficient computation of zero-dimensional Gröbner bases by change of ordering. J. Symb. Comput. 16(4), 329–344 (1993) zbMATHCrossRefGoogle Scholar
  19. [19]
    G. Frey, H.-G. Rück, A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Math. Comput. 62(206), 865–874 (1994) zbMATHGoogle Scholar
  20. [20]
    P. Gaudry, Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem. J. Symb. Comput. 44(12), 1690–1702 (2008) MathSciNetCrossRefGoogle Scholar
  21. [21]
    P. Gaudry, F. Hess, N.P. Smart, Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptol. 15(1), 19–46 (2002) MathSciNetCrossRefGoogle Scholar
  22. [22]
    P. Gaudry, E. Thomé, N. Thériault, C. Diem, A double large prime variation for small genus hyperelliptic index calculus. Math. Comput. 76, 475–492 (2007) zbMATHCrossRefGoogle Scholar
  23. [23]
    R. Gebauer, H.M. Möller, On an installation of Buchberger’s algorithm. J. Symb. Comput. 6(2–3), 275–286 (1988) zbMATHCrossRefGoogle Scholar
  24. [24]
    R. Granger, On the static Diffie–Hellman problem on elliptic curves over extension fields, in Advances in Cryptology—ASIACRYPT 2010. Lecture Notes in Comput. Sci., vol. 6477 (2010), pp. 283–302 CrossRefGoogle Scholar
  25. [25]
    R. Granger, A. Joux, V. Vitse, New timings for oracle-assisted SDHP on the IPSEC Oakley ‘Well Known Group’ 3 curve. Announcement on the NBRTHRY mailing list, July 2010. http://listserv.nodak.edu/archives/nmbrthry.html
  26. [26]
    F. Hess, Weil descent attacks, in Advances in Elliptic Curve Cryptography. London Math. Soc. Lecture Note Ser., vol. 317 (Cambridge Univ. Press, Cambridge, 2005), pp. 151–180 CrossRefGoogle Scholar
  27. [27]
    A. Joux, V. Vitse, A variant of the F4 algorithm, in Topics in Cryptology—CT-RSA 2011, ed. by A. Kiayias. Lecture Notes in Comput. Sci., vol. 6558 (Springer, Berlin, 2011), pp. 356–375 CrossRefGoogle Scholar
  28. [28]
    A. Joux, R. Lercier, D. Naccache, E. Thomé, Oracle assisted static Diffie–Hellman is easier than discrete logarithms, in IMA Int. Conf, ed. by M.G. Parker. Lecture Notes in Comput. Sci., vol. 5921 (Springer, Berlin, 2009), pp. 351–367 Google Scholar
  29. [29]
    N. Koblitz, Elliptic curve cryptosystems. Math. Comput. 48(177), 203–209 (1987) MathSciNetzbMATHCrossRefGoogle Scholar
  30. [30]
    N. Koblitz, A. Menezes, Another look at non-standard discrete log and Diffie–Hellman problems. J. Math. Cryptol. 2(4), 311–326 (2008) MathSciNetzbMATHGoogle Scholar
  31. [31]
    D. Lazard, Gröbner bases, Gaussian elimination and resolution of systems of algebraic equations, in Computer Algebra, London, 1983. Lecture Notes in Comput. Sci., vol. 162 (Springer, Berlin, 1983), pp. 146–156 CrossRefGoogle Scholar
  32. [32]
    A.J. Menezes, T. Okamoto, S.A. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theory 39(5), 1639–1646 (1993) MathSciNetzbMATHCrossRefGoogle Scholar
  33. [33]
    V.S. Miller, Use of elliptic curves in cryptography, in Advances in Cryptology—CRYPTO 1985. Lecture Notes in Comput. Sci., vol. 218 (Springer, Berlin, 1986), pp. 417–426 Google Scholar
  34. [34]
    V.S. Miller, The Weil pairing, and its efficient calculation. J. Cryptol. 17(4), 235–261 (2004) zbMATHCrossRefGoogle Scholar
  35. [35]
    S. Pohlig, M. Hellman, An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Trans. Inf. Theory IT-24, 106–110 (1978) MathSciNetCrossRefGoogle Scholar
  36. [36]
    J.M. Pollard, Monte Carlo methods for index computation (modp). Math. Comput. 32(143), 918–924 (1978) MathSciNetzbMATHGoogle Scholar
  37. [37]
    J.M. Pollard, Kangaroos, monopoly and discrete logarithms. J. Cryptol. 13(4), 437–447 (2000) MathSciNetzbMATHCrossRefGoogle Scholar
  38. [38]
    T. Satoh, K. Araki, Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves. Comment. Math. Univ. St. Pauli 47(1), 81–92 (1998) MathSciNetzbMATHGoogle Scholar
  39. [39]
    I.A. Semaev, Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p. Math. Comput. 67(221), 353–356 (1998) MathSciNetzbMATHCrossRefGoogle Scholar
  40. [40]
    I.A. Semaev, Summation polynomials and the discrete logarithm problem on elliptic curves. Cryptology ePrint Archive, Report 2004/031, 2004 Google Scholar
  41. [41]
    D. Shanks, Class number, a theory of factorization, and genera, in 1969 Number Theory Institute (Proc. Sympos. Pure Math., Vol. XX, State Univ. New York, Stony Brook, N.Y., 1969) (Amer. Math. Soc., Providence, 1971), pp. 415–440 Google Scholar
  42. [42]
    J.H. Silverman, The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, vol. 106 (Springer, New York, 1986) zbMATHGoogle Scholar
  43. [43]
    N.P. Smart, The discrete logarithm problem on elliptic curves of trace one. J. Cryptol. 12(3), 193–196 (1999) MathSciNetzbMATHCrossRefGoogle Scholar
  44. [44]
    N. Thériault, Index calculus attack for hyperelliptic curves of small genus, in Advances in Cryptology—ASIACRYPT 2003, ed. by Heidelberg. Lecture Notes in Comput. Sci., vol. 2894 (Springer, Berlin, 2003), pp. 75–92 CrossRefGoogle Scholar
  45. [45]
    N.M. Thiéry, Computing minimal generating sets of invariant rings of permutation groups with SAGBI-Gröbner basis, in DM-CCG 2001, ed. by R. Cori, J. Mazoyer, M. Morvan, R. Mosseri. DMTCS Proceedings, vol. AA (2001), pp. 315–328 Google Scholar
  46. [46]
    J. von zur Gathen, J. Gerhard, Modern Computer Algebra, 2nd edn. (Cambridge University Press, Cambridge, 2003) zbMATHGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  1. 1.DGABruzFrance
  2. 2.Laboratoire PRISMUniversité de Versailles Saint-QuentinVersailles cedexFrance

Personalised recommendations