Designs, Codes and Cryptography

, Volume 78, Issue 1, pp 51–72 | Cite as

Recent progress on the elliptic curve discrete logarithm problem

  • Steven D. Galbraith
  • Pierrick Gaudry


We survey recent work on the elliptic curve discrete logarithm problem. In particular we review index calculus algorithms using summation polynomials, and claims about their complexity.


Elliptic curve discrete logarithm problem (ECDLP) Summation polynomials Pollard rho Index calculus 

Mathematics Subject Classification

11Y16 11G20 14G15 13P10 14G50 11T71 14H52 



We thank Claus Diem, Michiel Kosters, Christophe Petit, Peter Wild and an anonymous referee for helpful comments on the draft of this article. The second author also thanks Maike Massierer, Pierre-Jean Spaenlehauer and Vanessa Vitse for various discussions on the topic.


  1. 1.
    Adleman L., DeMarrais J., Huang M.D.: A subexponential algorithm for discrete logarithms over the rational subgroup of the Jacobians of large genus hyperelliptic curves over finite fields. In: Adleman L.M., Huang M.D. (eds.) ANTS I. LNCS, vol. 877, pp. 28–40. Springer, Heidelberg (1994)Google Scholar
  2. 2.
    Augot D., Morain F.: Discrete logarithm computations over finite fields using Reed-Solomon codes. arXiv:1202.4361 (2012)
  3. 3.
    Avanzi R., Cohen H., Doche C., Frey G., Lange T., Nguyen K., Vercauteren F.: Handbook of Elliptic and Hyperelliptic Cryptography. Chapman and Hall/CRC, Boca Raton (2006)Google Scholar
  4. 4.
    Babai L., Szemerédi E.: On the complexity of matrix group problems I. Found. Comput. Sci. (FOCS) 229–240 (1996)Google Scholar
  5. 5.
    Bailey D.V., Batina L., Bernstein D.J., Birkner P., Bos J.W., Chen H.C., Cheng C.M., van Damme G., de Meulenaer G., Perez L.J.D., Fan J., Güneysu T., Gurkaynak F., Kleinjung T., Lange T., Mentens N., Niederhagen R., Paar C., Regazzoni F., Schwabe P., Uhsadel L., Herrewege A.V., Yang B.Y.: Breaking ECC2K-130, Cryptology ePrint Archive: Report 2009/541. (2009)
  6. 6.
    Bernstein D.J., Lange T.: Computing small discrete logarithms faster. In: Galbraith S.D., Nandi M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 317–338. Springer, Brelin (2012)Google Scholar
  7. 7.
    Bernstein D.J., Lange T.: Non-uniform cracks in the concrete: the power of free precomputation. In: Sako K., Sarkar P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 321–340. Springer, Berlin (2013)Google Scholar
  8. 8.
    Bernstein D.J., Lange T.: Two grumpy giants and a baby. In: Howe E.W., Kedlaya K.S., (eds.) Proceedings of the Tenth Algorithmic Number Theory Symposium. Open Book Series, vol. 1, pp. 87–111. MSP (2013)Google Scholar
  9. 9.
    Bernstein D.J., Lange T., Farashahi R.R.: Binary edwards curves. In: Oswald E., Rohatgi P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 244–265. Springer, Berlin (2008)Google Scholar
  10. 10.
    Bernstein D.J., Lange T., Schwabe P.: On the correct use of the negation map in the Pollard rho method. In: Catalano D., Fazio N., Gennaro R., Nicolosi A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 128–146. Springer, Berlin (2011)Google Scholar
  11. 11.
    Blackburn S.R., Murphy S.: The number of partitions in Pollard rho. Unpublished manuscript (1998)Google Scholar
  12. 12.
    Blake I.F., Seroussi G., Smart N.P.: Elliptic Curves in Cryptography. Cambridge University Press, Cambridge (1999)Google Scholar
  13. 13.
    Blake I.F., Seroussi G., Smart N.P.: Advances in Elliptic Curve Cryptography. Cambridge University Press, Cambridge (2005)Google Scholar
  14. 14.
    Boneh D., Boyen X.: Short signatures without random oracles. In: C. Cachin, J. Camenisch (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Berlin (2004)Google Scholar
  15. 15.
    Bos J.W., Costello C., Miele A.: Elliptic and hyperelliptic curves: a practical security analysis. In: Krawczyk H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 203–220. Springer, Berlin (2014)Google Scholar
  16. 16.
    Bos J.W., Kaihara M.E., Kleinjung T., Lenstra A.K., Montgomery P.L.: Solving a 112-bit prime elliptic curve discrete logarithm problem on game consoles using sloppy reduction. IJACT 2(3), 212–228 (2012)Google Scholar
  17. 17.
    Bos J.W., Kleinjung T., Lenstra A.K.: On the use of the negation map in the Pollard Rho method. In: Hanrot G., Morain F., Thomé E. (eds.) ANTS IX. LNCS, vol. 6197, pp. 66–82. Springer, Berlin (2010)Google Scholar
  18. 18.
    Brown D.R.L., Gallant R.P.: The static Diffie-Hellman problem. Cryptology ePrint Archives: Reports 2004/306 (2004)Google Scholar
  19. 19.
    Certicom Research: Certicom ECC challenge. Updated in Nov 10 (2009)
  20. 20.
    Chateauneuf M., Ling A.C.H., Stinson D.R.: Slope packings and coverings, and generic algorithms for the discrete logarithm problem. J. Comb. Des. 11(1), 36–50 (2003)Google Scholar
  21. 21.
    Cheng Q.: Hard problems of algebraic geometry codes. IEEE Trans. Inf. Theory 54(1), 404–406 (2008)Google Scholar
  22. 22.
    Cheon J.H.: Security analysis of the strong Diffie-Hellman problem. In: Vaudenay S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 1–11. Springer, Berlin (2006)Google Scholar
  23. 23.
    Cheon J.H.: Discrete logarithm problem with auxiliary inputs. J. Cryptol. 23(3), 457–476 (2010)Google Scholar
  24. 24.
    Cheon J.H., Kim T., Song Y.S.: A group action on \({\mathbb{Z}}_{p}^{*}\) and the generalized DLP with auxiliary inputs. In: Lange T., Lauter K.E., Lisonek P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 121–135. Springer, Berlin (2014)Google Scholar
  25. 25.
    Diem C.: The GHS-attack in odd characteristic. J. Ramanujan Math. Soc. 18(1), 1–32 (2003)Google Scholar
  26. 26.
    Diem C.: An index calculus algorithm for plane curves of small degree. In: Hess F., Pauli S., Pohst M.E. (eds.) ANTS VII. LNCS, vol. 4076, pp. 543–557. Springer, Berlin (2006)Google Scholar
  27. 27.
    Diem C.: On the discrete logarithm problem in class groups of curves. Math. Comp. 80(273), 443–475 (2011)Google Scholar
  28. 28.
    Diem C.: On the discrete logarithm problem in elliptic curves. Compos. Math. 147, 75–104 (2011)Google Scholar
  29. 29.
    Diem C.: On the discrete logarithm problem in elliptic curves II. Algebra Number Theory 7(6), 1281–1323 (2013)Google Scholar
  30. 30.
    Diem C., Kochinke S.: Computing discrete logarithms with special linear systems. Preprint (2013)Google Scholar
  31. 31.
    Diem C., Scholten J.: Cover attacks—a report for the AREHCC project. Preprint (2003)Google Scholar
  32. 32.
    Driencourt Y., Michon J.F.: Elliptic codes over fields of characteristics 2. J. Pure Appl. Algebra 45(1), 15–39 (1987)Google Scholar
  33. 33.
    Faugère J., Gianni P., Lazard D., Mora T.: Efficient computation of zero-dimensional Gröbner bases by change of ordering. J. Symb. Comput. 16(4), 329–344 (1993)Google Scholar
  34. 34.
    Faugère J.C., Perret L., Petit C., Renault G.: Improving the complexity of index calculus algorithms in elliptic curves over binary fields. In: Pointcheval D., Johansson T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 27–44. Springer, Berlin (2012)Google Scholar
  35. 35.
    Faugère J., Gaudry P., Huot L., Renault G.: Sub-cubic change of ordering for Gröbner basis: a probabilistic approach. In: ISSAC 2014, pp. 170–177. ACM, New York (2014)Google Scholar
  36. 36.
    Faugère J.C., Gaudry P., Huot L., Renault G.: Using symmetries in the index calculus for elliptic curves discrete logarithm. J. Cryptol. 27(4), 595–635 (2014)Google Scholar
  37. 37.
    Faugère J., Huot L., Joux A., Renault G., Vitse V.: Symmetrized summation polynomials: using small order torsion points to speed up elliptic curve index calculus. In: Nguyen P.Q., Oswald E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 40–57. Springer, Berlin (2014)Google Scholar
  38. 38.
    Fouque P., Joux A., Mavromati C.: Multi-user collisions: applications to discrete logarithm, Even-Mansour and PRINCE. In: Sarkar P., Iwata T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 420–438. Springer, Berlin (2014)Google Scholar
  39. 39.
    Frey G.: Applications of arithmetic geometry to cryptographic constructions. In: Jungnickel D., Niederreiter N. (eds.) Finite Fields and Applications, pp. 128–161. Springer, Berlin (2001)Google Scholar
  40. 40.
    Frey G.: On the relation between Brauer groups and discrete logarithms. Tatra Mt. Math. Publ. 35, 1–29 (2006)Google Scholar
  41. 41.
    Galbraith S.D.: Constructing isogenies between elliptic curves over finite fields. LMS J. Comput. Math. 2, 118–138 (1999)Google Scholar
  42. 42.
    Galbraith S.D.: Mathematics of Public Key Cryptography. Cambridge University Press, Cambridge (2012)Google Scholar
  43. 43.
    Galbraith S.D., Gebregiyorgis S.W.: Summation polynomial algorithms for elliptic curves in characteristic two. In: Meier W., Mukhopadhyay D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 409–427. Springer, Berlin (2014)Google Scholar
  44. 44.
    Galbraith S.D., Ruprai R.S.: Using equivalence classes to accelerate solving the discrete logarithm problem in a short interval. In: Nguyen P.Q., Pointcheval D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 368–383. Springer, Berlin (2010)Google Scholar
  45. 45.
    Galbraith S.D., Smart N.P.: A cryptographic application of Weil descent. In: Walker M. (ed.) IMA Cryptography and Coding. LNCS, vol. 1746, pp. 191–200. Springer, Berlin (1999)Google Scholar
  46. 46.
    Galbraith S.D., Hess F., Smart N.P.: Extending the GHS Weil descent attack. In: Knudsen L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 29–44. Springer, Berlin (2002)Google Scholar
  47. 47.
    Galbraith S.D., Pollard J.M., Ruprai R.S.: Computing discrete logarithms in an interval. Math. Comp. 82(282), 1181–1195 (2013)Google Scholar
  48. 48.
    Galbraith S.D., Wang P., Zhang F.: Computing elliptic curve discrete logarithms with improved baby-step giant-step algorithm, eprint 2015/605Google Scholar
  49. 49.
    Gallant R.P., Lambert R.J., Vanstone S.A.: Improving the parallelized Pollard lambda search on binary anomalous curves. Math. Comp. 69(232), 1699–1705 (2000)Google Scholar
  50. 50.
    Gaudry P.: Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem. J. Symb. Comput. 44(12), 1690–1702 (2009)Google Scholar
  51. 51.
    Gaudry P., Hess F., Smart N.P.: Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptol. 15(1), 19–46 (2002)Google Scholar
  52. 52.
    Gaudry P., Schost É.: A low-memory parallel version of Matsuo, Chao, and Tsujii’s algorithm. In: Buell D.A. (ed.) ANTS VI. LNCS, vol. 3076, pp. 208–222. Springer, Berlin (2004)Google Scholar
  53. 53.
    Gaudry P., Thomé E., Thériault N., Diem C.: A double large prime variation for small genus hyperelliptic index calculus. Math. Comp. 76(257), 475–492 (2007)Google Scholar
  54. 54.
    Gorla E., Massierer M.: Index calculus in the trace zero variety. Cryptology ePrint Archives Reports 2014/318. Adv. Math. Commun. (2014). arXiv:1405.1059
  55. 55.
    Granger R.: On the static Diffie-Hellman problem on elliptic curves over extension fields. In: Abe M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 283–302. Springer, Berlin (2010)Google Scholar
  56. 56.
    Granger R., Joux A., Vitse V.: New timings for oracle-assisted SDHP on the IPSEC Oakley “well known group” 3 curve. Announcement on the NMBRTHRY mailing list (2010)Google Scholar
  57. 57.
    Guy R.K.: The strong law of small numbers. Am. Math. Mon. 95(8), 697–712 (1988)Google Scholar
  58. 58.
    Hankerson D., Menezes A., Vanstone S.: Guide to Elliptic Curve Cryptography. Springer, Berlin (2004)Google Scholar
  59. 59.
    Hess F.: Computing relations in divisor class groups of algebraic curves over finite fields. Preprint (2003)Google Scholar
  60. 60.
    Hess F.: Generalising the GHS attack on the elliptic curve discrete logarithm problem. LMS J. Comput. Math. 7, 167–192 (2004)Google Scholar
  61. 61.
    Hitchcock Y., Montague P., Carter G., Dawson E.: The efficiency of solving multiple discrete logarithm problems and the implications for the security of fixed elliptic curves. Int. J. Inf. Secur. 3, 86–98 (2004)Google Scholar
  62. 62.
    Hodges T.J., Petit C., Schlather J.: First fall degree and Weil descent. Finite Fields Appl. 30, 155–177 (2014)Google Scholar
  63. 63.
    Hong J., Lee H.: Analysis of possible pre-computation aided DLP solving algorithms. J. Korean Math. Soc. 52(4), 797–819 (2015)Google Scholar
  64. 64.
    Huang M.D., Raskind W.: Global duality, signature calculus and the discrete logarithm problem. LMS J. Comput. Math. 12, 228–263 (2009)Google Scholar
  65. 65.
    Huang Y., Petit C., Shinohara N., Takagi T.: Improvement of Faugère et al.’s method to solve ECDLP. In: Sakiyama K., Terada M. (eds.) IWSEC 2013. LNCS, vol. 8231, pp. 115–132. Springer, Berlin (2013)Google Scholar
  66. 66.
    Huang M.A., Kosters M., Yeo S.L.: Last fall degree, HFE, and Weil descent attacks on ECDLP. In: Gennaro R., Robshaw M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 581–600. Springer, Berlin (2015)Google Scholar
  67. 67.
    Huang M.D.A., Kosters M., Yang Y., Yeo S.L.: On the last fall degree of zero-dimensional Weil descent systems (2015). arXiv:1505.02532
  68. 68.
    Huang Y., Petit C., Shinohara N., Takagi T.: On generalized first fall degree assumptions. Cryptology ePrint Archive: Report 2015/358 (2015)Google Scholar
  69. 69.
    Hyung T.L., Jung H., Cheon J.H.: Accelerating ID-based encryption based on trapdoor DL using pre-computation. Cryptology ePrint Archive: Report 2011/187 (2011)Google Scholar
  70. 70.
    Iijima T., Momose F., Chao J.: A classification of elliptic curves with respect to the GHS attack in odd characteristic (2015). Cryptology ePrint Archive: Report 2015/805Google Scholar
  71. 71.
    Kim J.-H., Montenegro R., Peres Y., Tetali P.: A birthday paradox for Markov chains, with an optimal bound for collision in the Pollard rho algorithm for discrete logarithm. Ann. Appl. Probab. 20(2), 295–521 (2010)Google Scholar
  72. 72.
    Jacobson Jr. M.J., Koblitz N., Silverman J.H., Stein A., Teske E.: Analysis of the Xedni calculus attack. Des. Codes Cryptogr. 20(1), 41–64 (2000)Google Scholar
  73. 73.
    Jao D., Miller S.D., Venkatesan R.: Do all elliptic curves of the same order have the same difficulty of discrete log? In: Roy B.K. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 21–40. Springer, Berlin (2005)Google Scholar
  74. 74.
    Joux A.: Algorithmic Cryptanalysis. Chapman & Hall/CRC, Boca Raton (2009)Google Scholar
  75. 75.
    Joux A., Vitse V.: Cover and decomposition index calculus on elliptic curves made practical—application to a previously unreachable curve over \( {\mathbb{F}}_{{p}^{6}}\). In: Adv. Cryptol.– EUROCRYPT 2012. LNCS, vol. 7237, pp. 9–26. Springer, Berlin (2012)Google Scholar
  76. 76.
    Joux A., Vitse V.: Elliptic curve discrete logarithm problem over small degree extension fields—application to the static Diffie-Hellman problem on \({E}({\mathbb{F}}_{{q}^{5}})\). J. Cryptol. 26(1), 119–143 (2013)Google Scholar
  77. 77.
    Joux A., Lercier R., Naccache D., Thomé E.: Oracle-assisted static Diffie-Hellman is easier than discrete logarithms. In: Parker M.G. (ed.) Cryptography and Coding, 12th IMA International Conference. LNCS, vol. 5921, pp. 351–367. Springer, Berlin (2009)Google Scholar
  78. 78.
    Karabina K.: Point decomposition problem in binary elliptic curves. Cryptology ePrint Archive: Report 2015/319 (2015)Google Scholar
  79. 79.
    Kijima S., Montenegro R.: Collision of random walks and a refined analysis of attacks on the discrete logarithm problem. In: Katz J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 127–149. Springer, Berlin (2015)Google Scholar
  80. 80.
    Kim T., Cheon J.H.: A new approach to the discrete logarithm problem with auxiliary inputs. Cryptology ePrint Archive: Report 2012/609 (2012)Google Scholar
  81. 81.
    Kim J.H., Montenegro R., Tetali P.: Near optimal bounds for collision in Pollard rho for discrete log. Found. Comput. Sci. (FOCS) 215–223. (2007)Google Scholar
  82. 82.
    Kim M., Cheon J.H., Lee I.S.: Analysis on a generalized algorithm for the strong discrete logarithm problem with auxiliary inputs. Math. Comput. 83(288), 1993–2004 (2014)Google Scholar
  83. 83.
    Koblitz N., Menezes A.: Another look at non-standard discrete log and Diffie-Hellman problems. J. Math. Cryptol. 2(4), 311–326 (2008)Google Scholar
  84. 84.
    Koblitz N., Menezes A.: Intractable problems in cryptography. In: McGuire G., Mullen G.L., Panario D., Shparlinski I.E., (eds.) Finite Fields: Theory and Applications. Contemporary Mathematics, vol. 518, pp. 279–300. AMS, Providence (2010)Google Scholar
  85. 85.
    Kohel, D.R., Shparlinski, I.E.: On exponential sums and group generators for elliptic curves over finite fields. In: Bosma, W. (ed.) ANTS IV. LNCS, vol. 1838, pp. 395–404. Springer, Berlin (2000)Google Scholar
  86. 86.
    Kosters M.: Deterministically generating Picard groups of hyperelliptic curves over finite fields. arXiv:1402.6579 (2014)
  87. 87.
    Kosters M., Yeo S.L.: Notes on summation polynomials. arXiv:1503.08001 (2015)
  88. 88.
    Kozaki S., Kutsuma T., Matsuo K.: Remarks on Cheon’s algorithms for pairing-related problems. In: Takagi T., Okamoto T., Okamoto E., Okamoto T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 302–316. Springer, Berlin (2007)Google Scholar
  89. 89.
    Kuhn F., Struik R.: Random walks revisited: extensions of Pollard’s rho algorithm for computing multiple discrete logarithms. In: Vaudenay S., Youssef A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 212–229. Springer, Berlin (2001)Google Scholar
  90. 90.
    Massierer M.: Some experiments investigating a possible \({L}(1/4)\) algorithm for the discrete logarithm problem in algebraic curves (2014). Cryptology ePrint Archive: Report 2014/996Google Scholar
  91. 91.
    May A., Ozerov I.: A generic algorithm for small weight discrete logarithms in composite groups. In: Joux A., Youssef A.M. (eds.) SAC 2014. LNCS, vol. 8781, pp. 278–289. Springer, Berlin (2014)Google Scholar
  92. 92.
    Menezes A., Qu M.: Analysis of the Weil descent attack of Gaudry, Hess and Smart. In: Naccache D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 308–318. Springer, Berlin (2001)Google Scholar
  93. 93.
    Momose F., Chao J.: Elliptic curves with weak coverings over cubic extensions of finite fields with odd characteristics. J. Ramanujan Math. Soc. 28(3), 299–357 (2013)Google Scholar
  94. 94.
    Montenegro R., Tetali P.: How long does it take to catch a wild kangaroo? In: Symposium on Theory of Computing (STOC), pp. 553–559 (2009)Google Scholar
  95. 95.
    Nagao K.I.: Decomposition attack for the Jacobian of a hyperelliptic curve over an extension field. In: Hanrot G., Morain F., Thomé E. (eds.) ANTS-IX: Algorithmic Number Theory. LNCS, vol. 6197, pp. 285–300. Springer, Berlin (2010)Google Scholar
  96. 96.
    Nagao K.I.: Decomposition formula of the Jacobian group of plane curve. Cryptology ePrint Archive: Report 2013/548 (2013)Google Scholar
  97. 97.
    Nechaev V.I.: Complexity of a determinate algorithm for the discrete logarithm. Math. Notes 55(2), 165–172 (1994)Google Scholar
  98. 98.
    Nguyen K.: Explicit arithmetic of Brauer groups, ray class fields and index calculus. Ph.D. Thesis, University Essen (2001)Google Scholar
  99. 99.
    Oorschot P., Wiener M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999)Google Scholar
  100. 100.
    Petit C., Quisquater J.J.: On polynomial systems arising from a Weil descent. In: Wang X., Sako K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 451–466. Springer, Berlin (2012)Google Scholar
  101. 101.
    Pollard J.M.: Kangaroos, monopoly and discrete logarithms. J. Cryptol. 13(4), 437–447 (2000)Google Scholar
  102. 102.
    Pomerance C.: Fast, rigorous factorization and discrete logarithm algorithms. In: Johnson D.S., Nishizeki T., Nozaki A., Wolf H.S. (eds.) Discrete algorithms and complexity. Proceedings of the Japan-US Joint Seminar, 4–6 June, 1986, Kyoto, Japan. Perspectives in Computing, pp. 119–143. Academic Press, Orlando (1987)Google Scholar
  103. 103.
    Sakemi Y., Hanaoka G., Izu T., Takenaka M., Yasuda M.: Solving a discrete logarithm problem with auxiliary input on a 160-bit elliptic curve. In: Fischlin M., Buchmann J.A., Manulis M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 595–608. Springer, Berlin (2012)Google Scholar
  104. 104.
    Sarkar P., Singh S.: A simple method for obtaining relations among factor basis elements for special hyperelliptic curves. Cryptology ePrint Archive: Report 2015/179 (2015)Google Scholar
  105. 105.
    Satoh T.: On generalization of Cheon’s algorithm. Cryptology ePrint Archive: Report 2009/058 (2009)Google Scholar
  106. 106.
    Semaev I.: New algorithm for the discrete logarithm problem on elliptic curves. Cryptology ePrint Archive: Report 2015/310 (2015)Google Scholar
  107. 107.
    Semaev I.A.: Summation polynomials and the discrete logarithm problem on elliptic curves. Cryptology ePrint Archive: Report 2004/031 (2004)Google Scholar
  108. 108.
    Shantz M., Teske E.: Solving the elliptic curve discrete logarithm problem using Semaev polynomials, Weil descent and Gröbner basis methods—an experimental study. In: Number Theory and Cryptography. LNCS, vol. 8260, pp. 94–107. Springer, Berlin (2013)Google Scholar
  109. 109.
    Shoup V.: Lower bounds for discrete logarithms and related problems. In: Fumy W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Berlin (1997)Google Scholar
  110. 110.
    Shparlinski I.E., Voloch J.F.: Generators of elliptic curves over finite fields. Bull. Inst. Math. Acad. Sin. 9(4), 657–670 (2014)Google Scholar
  111. 111.
    Thériault N.: Index calculus attack for hyperelliptic curves of small genus. In: Laih C.S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 75–92. Springer, Berlin (2003)Google Scholar
  112. 112.
    Thériault N.: Weil descent attack for Kummer extentions. J. Ramanujan Math. Soc. 18(3), 281–312 (2003)Google Scholar
  113. 113.
    Vitse V.: Summation polynomials and symmetries for the ECDLP over extension fields. Talk given at the DLP 2014 workshop, Ascona (2014)Google Scholar
  114. 114.
    Washington L.C.: Elliptic Curves: Number Theory and Cryptography, 2nd edn. CRC Press, London (2008)Google Scholar
  115. 115.
    Wenger E., Wolfger P.: Solving the discrete logarithm of a 113-bit Koblitz curve with an FPGA cluster. In: Joux A., Youssef A.M. (eds.) SAC 2014. LNCS, vol. 8781, pp. 363–379. Springer, Berlin (2014)Google Scholar
  116. 116.
    Wenger E., Wolfger P.: Harder, better, faster, stronger—elliptic curve discrete logarithm computations on FPGAs. Cryptology ePrint Archive: Report 2015/143 (2015)Google Scholar
  117. 117.
    Wiener M.J., Zuccherato R.J.: Faster attacks on elliptic curve cryptosystems. In: Tavares S.E., Meijer H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 190–200. Springer, Berlin (1998)Google Scholar
  118. 118.
    Yun A.: Generic hardness of the multiple discrete logarithm problem. In: Oswald E., Fischlin M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 817–836. Springer, Berlin (2015)Google Scholar
  119. 119.
    Zhang F., Wang P.: Speeding up elliptic curve discrete logarithm computations with point halving. Des. Codes Cryptogr. 67(2), 197–208 (2013)Google Scholar

Copyright information

© Springer Science+Business Media New York 2015

Authors and Affiliations

  1. 1.University of AucklandAucklandNew Zealand
  2. 2.CNRS, Université de Lorraine and InriaNancyFrance

Personalised recommendations