# Using Symmetries in the Index Calculus for Elliptic Curves Discrete Logarithm

## Abstract

In 2004, an algorithm was introduced to solve the DLP for elliptic curves defined over a non-prime finite field \(\mathbb{F}_{q^{n}}\). One of the main steps of this algorithm requires decomposing points of the curve \(E(\mathbb{F}_{q^{n}})\) with respect to a factor base; this problem is denoted PDP. In this paper, we will apply this algorithm to the case of Edwards curves, the well-known family of elliptic curves that allow faster arithmetic as shown by Bernstein and Lange. More precisely, we show how to take advantage of some symmetries of twisted Edwards and twisted Jacobi intersections curves to gain an exponential factor \(2^{\omega(n-1)}\) to solve the corresponding PDP, where \(\omega\) is the exponent in the complexity of multiplying two dense matrices. Practical experiments supporting the theoretical result are also given. For instance, the complexity of solving the ECDLP for twisted Edwards curves defined over \(\mathbb{F}_{q^{5}}\), with \(q \approx 2^{64}\), is supposed to be \(\sim 2^{160}\) operations in \(E(\mathbb{F}_{q^{5}})\) using generic algorithms, compared to \(2^{130}\) operations (multiplications of two 32-bit words) with our method. For these parameters the PDP is intractable with the original algorithm.

These results rely mainly on the use of the symmetries and of the quasi-homogeneous structure that these symmetries induce during the polynomial system solving step. We also use a recent work on a new algorithm for the change of ordering of a Gröbner basis, which provides a better heuristic complexity for the total solving process.

## Key words

ECDLP, Edwards curves, Elliptic curves, Decomposition attack, Gröbner basis with symmetries, Index calculus, Jacobi intersections curves

## Notes

### Acknowledgements

The authors would like to thank the reviewers for their fruitful remarks which helped us to improve the complexity analysis and practical results of this work. This work was partly supported by the HPAC grant of the French National Research Agency (HPAC ANR-11-BS02-013).
