Journal of Cryptology

, Volume 27, Issue 4, pp 595–635 | Cite as

Using Symmetries in the Index Calculus for Elliptic Curves Discrete Logarithm

  • Jean-Charles Faugère
  • Pierrick Gaudry
  • Louise Huot
  • Guénaël Renault
Article

Abstract

In 2004, an algorithm is introduced to solve the DLP for elliptic curves defined over a non-prime finite field \(\mathbb{F}_{q^{n}}\). One of the main steps of this algorithm requires decomposing points of the curve \(E(\mathbb{F}_{q^{n}})\) with respect to a factor base, this problem is denoted PDP. In this paper, we will apply this algorithm to the case of Edwards curves, the well-known family of elliptic curves that allow faster arithmetic as shown by Bernstein and Lange. More precisely, we show how to take advantage of some symmetries of twisted Edwards and twisted Jacobi intersections curves to gain an exponential factor 2ω(n−1) to solve the corresponding PDP where ω is the exponent in the complexity of multiplying two dense matrices. Practical experiments supporting the theoretical result are also given. For instance, the complexity of solving the ECDLP for twisted Edwards curves defined over \(\mathbb{F}_{q^{5}}\), with q≈264, is supposed to be ∼ 2160 operations in \(E(\mathbb{F}_{q^{5}})\) using generic algorithms compared to 2130 operations (multiplications of two 32-bits words) with our method. For these parameters the PDP is intractable with the original algorithm.

The main tool to achieve these results relies on the use of the symmetries and the quasi-homogeneous structure induced by these symmetries during the polynomial system solving step. Also, we use a recent work on a new algorithm for the change of ordering of a Gröbner basis which provides a better heuristic complexity of the total solving process.

Key words

ECDLP Edwards curves Elliptic curves Decomposition attack Gröbner basis with symmetries Index calculus Jacobi intersections curves 

Notes

Acknowledgements

The authors would like to thank the reviewers for their fruitful remarks which helped us to improve the complexity analysis and practical results of this work. This work was partly supported by the HPAC grant of the French National Research Agency (HPAC ANR-11-BS02-013).

References

  1. [1]
    L. Adleman, J. DeMarrais, A subexponential algorithm for discrete logarithms over all finite fields, in Advances in Cryptology—CRYPTO’93 (Springer, Berlin, 1994), pp. 147–158 Google Scholar
  2. [2]
    L. Adleman, J. DeMarrais, M.-D. Huang, A subexponential algorithm for discrete logarithms over the rational subgroup of the Jacobians of large genus hyper-elliptic curves over finite fields, in Algorithmic Number Theory. Lecture Notes in Comput. Sci., vol. 877 (Springer, Berlin, 1994). 6th International Symposium CrossRefGoogle Scholar
  3. [3]
    M. Bardet, J.-C. Faugère, B. Salvy, On the complexity of gröbner basis computation of semi-regular overdetermined algebraic equations, in International Conference on Polynomial System Solving—ICPSS, (2004), pp. 71–75 Google Scholar
  4. [4]
    D. Bernstein, P. Birkner, M. Joye, T. Lange, C. Peters, Twisted Edwards curves, in Proceedings of the Cryptology in Africa 1st International Conference on Progress in Cryptology, AFRICACRYPT’08 (Springer, Berlin, 2008), pp. 389–405 CrossRefGoogle Scholar
  5. [5]
    D.J. Bernstein, T. Lange, Faster addition and doubling on elliptic curves, in Advances in Cryptology: ASIACRYPT 2007. Lecture Notes in Computer Science, vol. 4833 (Springer, Berlin, 2007), pp. 29–50 Google Scholar
  6. [6]
    L. Bettale, J.-C. Faugère, L. Perret, Hybrid approach for solving multivariate systems over finite fields. J. Math. Cryptol. 3(issue(3), 177–197 (2009) Google Scholar
  7. [7]
    W. Bosma, J. Cannon, C. Playoust, The Magma algebra system. I. The user language. J. Symb. Comput. 24(3–4), 235–265 (1997) CrossRefMATHMathSciNetGoogle Scholar
  8. [8]
    C. Chevalley, Invariants of finite groups generated by reflections. Am. J. Math. 77(4), 778–782 (1955) CrossRefMATHMathSciNetGoogle Scholar
  9. [9]
    D. Chudnovsky, G. Chudnovsky, Sequences of numbers generated by addition in formal groups and new primality and factorization tests. Adv. Appl. Math. 7(4), 385–434 (1986) CrossRefMATHMathSciNetGoogle Scholar
  10. [10]
    A. Cohen, H. Cuypers, H. Sterk, Some Tapas of Computer Algebra. Algorithms and Computation in Mathematics Series (Springer, Berlin, 2011) Google Scholar
  11. [11]
    J.-M. Couveignes, Algebraic groups and discrete logarithm, in Public-Key Cryptography and Computational Number Theory, (2001), pp. 17–27 Google Scholar
  12. [12]
    J.-M. Couveignes, R. Lercier, Galois invariant smoothness basis, in Series on Number Theory and Its Applications, vol. 5 (World Scientific, Singapore, 2008), pp. 142–167 Google Scholar
  13. [13]
    D.A. Cox, J. Little, D. O’Shea, Ideals, Varieties, and Algorithms—An Introduction to Computational Algebraic Geometry and Commutative Algebra, 2nd edn. Undergraduate Texts in Mathematics (Springer, Berlin, 1997) Google Scholar
  14. [14]
    C. Diem, An index calculus algorithm for plane curves of small degree, in Algorithmic Number Theory ANTS-VII. Lecture Notes in Computer Science, vol. 4076 (Springer, Berlin, 2006), pp. 543–557 CrossRefGoogle Scholar
  15. [15]
    C. Diem, On the discrete logarithm problem in class groups of curves. Math. Comput. 80, 443–475 (2011) CrossRefMATHMathSciNetGoogle Scholar
  16. [16]
    C. Diem, On the discrete logarithm problem in elliptic curves. Compos. Math. 147, 75–104 (2011) CrossRefMATHMathSciNetGoogle Scholar
  17. [17]
    C. Diem, E. Thomé, Index calculus in class groups of non-hyperelliptic curves of genus three. J. Cryptol. 21(4), 593–611 (2008) CrossRefMATHGoogle Scholar
  18. [18]
    H. Edwards, A normal form for elliptic curves. Bull. Am. Math. Soc. 44, 393–422 (2007) CrossRefMATHGoogle Scholar
  19. [19]
    A. Enge, P. Gaudry, A general framework for subexponential discrete logarithm algorithms. Acta Arith. 102(1), 83–103 (2002) CrossRefMATHMathSciNetGoogle Scholar
  20. [20]
    A. Enge, P. Gaudry, An l(1/3+ε) algorithm for the discrete logarithm problem for low degree curves, in Advances in Cryptology—EUROCRYPT 2007 (Springer, Berlin, 2007), pp. 379–393 CrossRefGoogle Scholar
  21. [21]
    J.-C. Faugère, A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra 139(1–3), 61–88 (1999) CrossRefMATHMathSciNetGoogle Scholar
  22. [22]
    J.-C. Faugère, A new efficient algorithm for computing Gröbner bases without reduction to zero (F5), in Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation, ISSAC’02 (ACM, New York, 2002), pp. 75–83 CrossRefGoogle Scholar
  23. [23]
    J.-C. Faugère, FGb: a library for computing Gröbner bases, in Mathematical Software—ICMS 2010, ed. by K. Fukuda, J. Hoeven, M. Joswig, N. Takayama. Lecture Notes in Computer Science, vol. 6327 (Springer, Berlin, 2010), pp. 84–87 CrossRefGoogle Scholar
  24. [24]
    J.-C. Faugère, P. Gaudry, L. Huot, G. Renault, Fast change of ordering with exponent ω. ACM Commun. Comput. Algebr. 46, 92–93 (2012) CrossRefGoogle Scholar
  25. [25]
    J.-C. Faugère, P. Gianni, D. Lazard, T. Mora, Efficient computation of zero-dimensional Gröbner bases by change of ordering. J. Symb. Comput. 16(4), 329–344 (1993) CrossRefMATHGoogle Scholar
  26. [26]
    J.-C. Faugère, C. Mou, Fast algorithm for change of ordering of zero-dimensional Gröbner bases with sparse multiplication matrices, in Proceedings of the 2011 International Symposium on Symbolic and Algebraic Computation, ISSAC’11 (ACM, New York, 2011), pp. 1–8 Google Scholar
  27. [27]
    J.-C. Faugère, S. Rahmany, Solving systems of polynomial equations with symmetries using SAGBI-Gröbner bases, in Proceedings of the 2009 International Symposium on Symbolic and Algebraic Computation, ISSAC’09 (ACM, New York, 2009), pp. 151–158 CrossRefGoogle Scholar
  28. [28]
    J.-C. Faugère, M. Safey El Din, T. Verron, On the complexity of computing Gröbner bases for quasi-homogeneous systems, in Proceedings of the 38th International Symposium on Symbolic and Algebraic Computation, ISSAC’13 (ACM, New York, 2013), pp. 189–196 CrossRefGoogle Scholar
  29. [29]
    R. Feng, M. Nie, H. Wu, Twisted Jacobi intersections curves, in Theory and Applications of Models of Computation, (2010), pp. 199–210 CrossRefGoogle Scholar
  30. [30]
    G. Frey, Applications of arithmetical geometry to cryptographic constructions, in International Conference on Finite Fields and Applications, (2001), pp. 128–161 CrossRefGoogle Scholar
  31. [31]
    P. Gaudry, Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem. J. Symb. Comput. 44(12), 1690–1702 (2009) CrossRefMATHMathSciNetGoogle Scholar
  32. [32]
    P. Gaudry, E. Thomé, N. Thériault, C. Diem, A double large prime variation for small genus hyperelliptic index calculus. Math. Comput. 76, 475–492 (2007) CrossRefMATHGoogle Scholar
  33. [33]
    F. Hess, Computing relations in divisor class groups of algebraic curves over finite fields (2004). Preprint Google Scholar
  34. [34]
    A. Joux, V. Vitse, Elliptic curve discrete logarithm problem over small degree extension fields. J. Cryptol. 26(1), 119–143 (2013) CrossRefMATHMathSciNetGoogle Scholar
  35. [35]
    R. Kane, Reflection Groups and Invariant Theory (Springer, Berlin, 2001) CrossRefMATHGoogle Scholar
  36. [36]
    N. Koblitz, Elliptic curve cryptosystems. Math. Comput. 48(177), 203–209 (1987) CrossRefMATHMathSciNetGoogle Scholar
  37. [37]
    N. Koblitz, Hyperelliptic cryptosystems. J. Cryptol. 1, 139–150 (1989) CrossRefMATHMathSciNetGoogle Scholar
  38. [38]
    D. Lazard, Gröbner bases, Gaussian elimination and resolution of systems of algebraic equations, in Computer Algebra, ed. by J. van Hulzen. Lecture Notes in Computer Science, vol. 162 (Springer, Berlin, 1983), pp. 146–156 CrossRefGoogle Scholar
  39. [39]
    V. Miller, Use of elliptic curves in cryptography, in Advances in Cryptology—CRYPTO 85. Lecture Notes in Computer Sciences, vol. 218 (Springer, New York, 1986), pp. 417–426 Google Scholar
  40. [40]
    P. Montgomery, Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987) CrossRefMATHGoogle Scholar
  41. [41]
    K. Nagao, Decomposed attack for the Jacobian of a hyperelliptic curve over an extension field, in Algorithmic Number Theory, ed. by G. Hanrot, F. Morain, E. Thomé. Lecture Notes in Comput. Sci., vol. 6197 (Springer, Berlin, 2010). Proceedings of the 9th International Symposium, Nancy, France, ANTS-IX, July 19–23, 2010 CrossRefGoogle Scholar
  42. [42]
    N.I. of, Standards and technology. Digital signature standard (dss). Technical Report FIPS PUB 186-3, US Department of Commerce (2009) Google Scholar
  43. [43]
    J. Pollard, Monte Carlo methods for index computation mod p. Math. Comput. 32(143), 918–924 (1978) MATHMathSciNetGoogle Scholar
  44. [44]
    I. Semaev, Summation polynomials and the discrete logarithm problem on elliptic curves. Cryptology ePrint archive, report 2004/031 (2004). http://eprint.iacr.org/
  45. [45]
    G.C. Shephard, J.A. Todd, Finite unitary reflection groups. Can. J. Math. 6, 274–304 (1954) CrossRefMATHMathSciNetGoogle Scholar
  46. [46]
    V. Shoup, Lower bounds for discrete logarithms and related problems, in Proceedings of the 16th Annual International Conference on Theory and Application of Cryptographic Techniques (Springer, Berlin, 1997), pp. 256–266 Google Scholar
  47. [47]
    B. Sturmfels, Algorithms in Invariant Theory (Texts and Monographs in Symbolic Computation), 2nd edn. (Springer, Berlin, 2008) Google Scholar
  48. [48]
    N. Thériault, Index calculus attack for hyperelliptic curves of small genus, in Advances in Cryptology: ASIACRYPT 2003. Lecture Notes in Computer Science, vol. 2894, (2003), pp. 75–92 Google Scholar
  49. [49]
    J. von zur Gathen, J. Gerhard, Modern Computer Algebra (Cambridge University Press, Cambridge, 2002) Google Scholar
  50. [50]
    D. Wiedemann, Solving sparse linear equations over finite fields. IEEE Trans. Inf. Theory 32(1), 54–62 (1986) CrossRefMATHMathSciNetGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Jean-Charles Faugère
    • 1
  • Pierrick Gaudry
    • 2
  • Louise Huot
    • 1
  • Guénaël Renault
    • 1
  1. 1.PolSys project INRIA Paris-RocquencourtUPMC Univ. Paris 06, CNRS, UMR 7606, LIP6ParisFrance
  2. 2.CARAMEL project INRIA Grand-EstUniversité de Lorraine, CNRS, UMR 7503, LORIANancyFrance

Personalised recommendations