
The point decomposition problem over hyperelliptic curves

Toward efficient computation of discrete logarithms in even characteristic

Designs, Codes and Cryptography

Abstract

Computing discrete logarithms is generically a hard problem. For divisor class groups of curves defined over extension fields, a variant of index calculus called the decomposition attack can be faster than generic methods. In this setting, relations are collected by solving many instances of the point m-decomposition problem (PDP\(_m\)). An instance can be modelled as a zero-dimensional polynomial system and solved with Gröbner basis algorithms, for which the number of solutions of the system is a good indicator of the running time. For systems arising from PDP\(_m\), this number grows exponentially with the extension degree, so efficient harvesting requires reducing it as much as possible. Extending the elliptic case, we introduce a notion of summation ideals to describe PDP\(_m\) instances over higher-genus curves and compare it with Nagao's general approach to PDP\(_m\) solving. In even characteristic we obtain reductions of the number of solutions for both approaches, depending on the curve's equation. In the best cases, for a hyperelliptic curve of genus g over an extension of degree n, the number of solutions is divided by \(2^{(n-1)(g+1)}\). For instance, for a type II genus 2 curve defined over \(\mathbb {F}_{2^{93}}\) whose divisor class group has near-prime cardinality of 184 bits, the number of solutions drops from 4096 to 64. This is enough to build the relation matrix in around 7 days on 8000 cores with a dedicated implementation.
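To make the relation-collection step concrete, here is an added toy example (not code from the article): a brute-force point 2-decomposition on a small binary elliptic curve, the genus-1 case that footnote 1 folds into the hyperelliptic setting. The field \(\mathbb{F}_{2^8}\) with modulus \(x^8+x^4+x^3+x+1\), the curve \(y^2+xy=x^3+x^2+1\), and the factor base (affine points whose x-coordinate lies in the subfield \(\mathbb{F}_{2^4}\), so \(n=2\) and \(m=ng=2\)) are all choices made for this illustration. The article replaces the exhaustive search below with a Gröbner-basis solve of the polynomial system encoding the decomposition; the "number of solutions" in the abstract counts solutions of that system, not the decompositions listed here.

```python
"""Toy point 2-decomposition (PDP_2) on a binary elliptic curve, by brute force.

Constructed illustration only: the field, modulus, curve and factor base below
are chosen for this example and are not taken from the article.
"""
from itertools import combinations_with_replacement

M = 8                 # work in F_{2^8}, elements packed as 8-bit ints
MOD = 0x11B           # irreducible x^8 + x^4 + x^3 + x + 1
K = 4                 # base field F_q = F_{2^4}, so the extension degree is n = M // K = 2
Q = 1 << K

def gf_mul(a, b):
    """Carry-less multiply modulo MOD (schoolbook, fine for a toy)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= MOD
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def gf_inv(a):
    """a^(2^M - 2) = a^(-1) for a != 0 (Fermat); never called with a = 0 below."""
    return gf_pow(a, (1 << M) - 2)

def in_base_field(z):
    """F_q sits inside F_{q^n} as the fixed points of the q-th power Frobenius."""
    return gf_pow(z, Q) == z

# Curve E: y^2 + xy = x^3 + A2 x^2 + A6 (non-singular for A6 != 0).
# A6 is taken in F_2 so that E(F_q) is non-empty and the factor base is provably large.
A2, A6 = 1, 1

def on_curve(P):
    if P is None:                        # None is the point at infinity O
        return True
    x, y = P
    x2 = gf_mul(x, x)
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(x2, x) ^ gf_mul(A2, x2) ^ A6

def neg(P):
    if P is None:
        return None
    x, y = P
    return (x, x ^ y)                    # -(x, y) = (x, x + y) on this curve shape

def add(P, Q_):
    """Group law (affine formulas for ordinary binary curves)."""
    if P is None:
        return Q_
    if Q_ is None:
        return P
    if Q_ == neg(P):                     # also covers doubling a point with x == 0
        return None
    x1, y1 = P
    x2, y2 = Q_
    if P == Q_:
        lam = x1 ^ gf_mul(y1, gf_inv(x1))
        x3 = gf_mul(lam, lam) ^ lam ^ A2
        y3 = gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3)
    else:
        lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
        x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A2
        y3 = gf_mul(lam, x1 ^ x3) ^ x3 ^ y1
    return (x3, y3)

def factor_base():
    """Factor base of the decomposition attack: affine points with x in F_q."""
    return [(x, y) for x in range(1 << M) if in_base_field(x)
            for y in range(1 << M) if on_curve((x, y))]

def decompose(R, fb, m):
    """PDP_m by exhaustive search: every multiset of m factor-base points summing to R."""
    sols = []
    for combo in combinations_with_replacement(fb, m):
        S = None
        for P in combo:
            S = add(S, P)
        if S == R:
            sols.append(combo)
    return sols

if __name__ == "__main__":
    fb = factor_base()
    P1, P2 = fb[0], fb[1]
    R = add(P1, P2)                      # a target known to be decomposable
    sols = decompose(R, fb, 2)
    print(f"factor base: {len(fb)} points; {len(sols)} decomposition(s) of R={R}")
    for combo in sols:
        print("  R =", " + ".join(map(str, combo)))
```

Each decomposition found is one relation between the factor-base elements and the target; in the real attack the target is a random combination of the input divisors and the search is replaced by a polynomial-system solve, which is where the solution count of the abstract matters.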


Notes

  1. Throughout the article we usually consider elliptic curves as hyperelliptic curves of genus 1. This makes no difference to our contributions.

  2. Under a reasonable heuristic assumption of “regular behaviour”, bounding the degree of regularity by \(n2^{n-1}\) gives this estimation up to logarithmic factors in n.

  3. It was already observed in [27].

  4. In particular, summation ideals depend on the choice of the double cover. When \(g=1\), the authors of [17] use the fact that different covers can be obtained by the action of \(\hbox {Aut}(\mathbb {P}^1)=\hbox {PGL}_2\) to find a cover that behaves well with respect to the symmetry group of the m-summation variety, and to compute the summation polynomials associated to this cover.

  5. We did not try a more recent version.

  6. If the input divisor is not of weight 2, then it is discarded and a new one is computed. This happens with negligible probability, and never happened in our experiments.

References

  1. Bardet M., Faugère J.-C., Salvy B.: On the complexity of the \(F5\) Gröbner basis algorithm. J. Symb. Comput., pp. 1–24 (2014).

  2. Bosma W., Cannon J.: The Magma algebra system. I. The user language. J. Symb. Comput. 24(3–4), 235–265 (1997). Computational algebra and number theory (London, 1993).

  3. Bouvier C.: The filtering step of discrete logarithm and integer factorization algorithms. Preprint. http://hal.inria.fr/hal-00734654 (2013).

  4. Byramjee B., Duquesne S.: Classification of genus 2 curves over \(\mathbb{F}_{2^n}\) and optimization of their arithmetic. Cryptology ePrint Archive, Report 2004/107 (2004).

  5. Choie Y., Yun D.: Isomorphism classes of hyperelliptic curves of genus \(2\) over \(\mathbb{F}_{2^n}\). In: Proceedings of the ACISP 2002. LNCS, vol. 2384, pp. 190–202 (2002).

  6. Childers G.: Factorization of a 1061-bit number by the special number field sieve. Cryptology ePrint Archive, Report 2012/444 (2012).

  7. Chung P.N., Costello C., Smith B.: Fast, uniform, and compact scalar multiplication for elliptic curves and genus 2 Jacobians with fast Kummers. SAC (2016).

  8. Cox D.A., Little J., O’Shea D.: Ideals, Varieties, and Algorithms: An Introduction to Computational Algebraic Geometry and Commutative Algebra, 3/e (Undergraduate Texts in Mathematics). Springer, New York (2007).

  9. Diem C.: An index calculus algorithm for plane curves of small degree. In :Algorithmic Number Theory. Lecture Notes in Computer Science, vol. 4076, pp. 543–557. Springer, Berlin (2006).

  10. Diem C.: On the discrete logarithm problem in elliptic curves. Compositio Mathematica 147, 75–104 (2011).

  11. Diem C.: The GHS attack in odd characteristic. J. Ramanujan Math. Soc. 18(1), 1–32 (2003).

  12. Faugère J.-C.: FGb: a library for computing Gröbner bases. In: Fukuda K., Hoeven J., Joswig M., Takayama N. (eds.) Mathematical Software ICMS 2010. Lecture Notes in Computer Science, vol. 6327, pp. 84–87. Springer, Berlin (2010).

  13. Faugère J.-C., Gianni P.M., Lazard D., Mora T.: Efficient computation of zero-dimensional Gröbner bases by change of ordering. J. Symb. Comput. 16(4), 329–344 (1993).

  14. Faugère J.-C.: A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra 139(1), 61–88 (1999).

  15. Faugère J.C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation, ISSAC ’02 (2002).

  16. Faugère J.-C., Gaudry P., Huot L., Renault G.: Using symmetries in the index calculus for elliptic curves discrete logarithm. J. Cryptol. 27(4), 595–635 (2014).

  17. Faugère J-C., Huot L., Joux A., Renault G., Vitse V.: Symmetrized summation polynomials: using small order torsion points to speed up elliptic curve index calculus. In: Proceedings of the Advances in Cryptology—EUROCRYPT 2014—33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, 11–15 May, pp. 40–57 (2014).

  18. Faugère J.C., Mou C.: Fast algorithm for change of ordering of zero-dimensional Gröbner bases with sparse multiplication matrices. In: Proceedings of the Symbolic and Algebraic Computation, International Symposium, ISSAC, 2011, Co-located with FCRC, San Jose, CA, USA, 7–11 June, pp. 115–122 (2011).

  19. Frey G., Müller M., Rück H.-G.: The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems. IEEE Trans. Inf. Theory 45, 1717–1719 (1999).

  20. Galbraith S.D., Gaudry P.: Recent progress on the elliptic curve discrete logarithm problem. Des. Codes Cryptogr. 78(1), 51–72 (2016).

  21. Galbraith S.D., Gebregiyorgis S.W.: Summation polynomial algorithms for elliptic curves in characteristic two. In: Proceedings of the Progress in Cryptology—INDOCRYPT 2014—15th International Conference on Cryptology in India, New Delhi, India, 14–17 Dec, pp. 409–427 (2014).

  22. Gaudry P.: Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem. J. Symb. Comput. 44(12), 1690–1702 (2009).

  23. Gaudry P.: An algorithm for solving the discrete log problem on hyperelliptic curves. In: Advances in Cryptology—EUROCRYPT 2000. Lecture Notes in Computer Science, vol. 1807, pp. 19–34. Springer, Berlin (2000).

  24. Gaudry P.: Fast genus 2 arithmetic based on Theta functions. J. Math. Cryptol. 1(3), 243–265 (2007).

  25. Gaudry P., Lubicz D.: The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines. Finite Fields Appl. 15(2), 246–260 (2009).

  26. Joux A., Vitse V.: Cover and decomposition index calculus on elliptic curves made practical: application to a previously unreachable curve over \(\mathbb{F}_{q^6}\). In: Advances in Cryptology—EUROCRYPT 2012. Lecture Notes in Computer Science, vol. 7237, pp. 9–26. Springer, Berlin (2012).

  27. Joux A., Vitse V.: Elliptic curve discrete logarithm problem over small degree extension fields—application to the static Diffie-Hellman problem on \(E(\mathbb{F}_{q^5})\). J. Cryptol. 26, 119–143 (2013).

  28. Kemper G.: Hilbert Series and Dimension. Springer, Berlin (2011).

  29. Kleinjung T., Aoki K., Franke J., Lenstra A.K., Thomé E., Bos J.W., Gaudry P., Kruppa A., Montgomery P.L., Osvik D.A., te Riele H.J.J., Timofeev A., Zimmermann P.: Factorization of a 768-Bit RSA Modulus. In: Proceedings of the Advances in Cryptology—CRYPTO 2010, 30th Annual Cryptology Conference, Santa Barbara, CA, USA, 15–19 Aug, pp. 333–350 (2010).

  30. Kleinjung T., Diem C., Lenstra A.K., Priplata C., Stahlke C.: Computation of a \(768\)-bit prime field discrete logarithm. In: Proceedings of the Advances in Cryptology—EUROCRYPT 2017—36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, Apr 30–May 4 (2017).

  31. Lenstra A.K., Lenstra Jr H.W., Manasse M.S., Pollard J.M.: The number field sieve. In: Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, 13–17 May 1990, Baltimore, pp. 564–572 (1990).

  32. Lidl R., Niederreiter H.: Finite Fields. Encyclopedia of Mathematics and its Applications, vol. 20, 2nd edn. Cambridge University Press, Cambridge (1997). ISBN 0-521-39231-4.

  33. Lubicz D., Robert D.: Arithmetic of Abelian and Kummer varieties. Finite Fields Appl. 39, 130–158 (2016).

  34. Mullen G.L., Panario D.: Handbook of Finite Fields. CRC Press, Boca Raton (2013). ISBN 978-1-4398-7378-6.

  35. Nagao K.-I.: Decomposition attack for the Jacobian of a hyperelliptic curve over an extension field. In: Proceedings of the Algorithmic Number Theory, 9th International Symposium, ANTS-IX, Nancy, France, 19–23 July, pp. 285–300 (2010).

  36. Renes J., Schwabe P., Smith B., Batina L.: \(\mu \)-Kummer: efficient hyperelliptic signatures and key exchange on microcontrollers. In: Proceedings of the Cryptographic Hardware and Embedded Systems—CHES 2016—18th International Conference, Santa Barbara, CA, USA, 17–19 Aug (2016).

  37. Semaev I.: Summation polynomials and the discrete logarithm problem on elliptic curves. IACR Cryptology ePrint Archive (2004).

  38. Shoup V.: Lower Bounds for Discrete Logarithms and Related Problems. In: Proceedings of the Advances in Cryptology—EUROCRYPT ’97, International Conference on the Theory and Application of Cryptographic Techniques, Konstanz, Germany, 11–15 May, pp. 256–266 (1997).

  39. Shoup V.: NTL: A Library for Doing Number Theory. New York University, Courant Institute, New York (2005).

  40. The CADO-NFS Development Team. CADO-NFS, An Implementation of the Number Field Sieve Algorithm. http://cado-nfs.gforge.inria.fr/, Release 2.2.0 (2015).

  41. Tran C.: Formules d’addition sur les jacobiennes de courbes hyperelliptiques : application à la cryptographie [Addition formulas on Jacobians of hyperelliptic curves: application to cryptography]. Ph.D. Thesis (2014).

  42. Vercauteren F.: Computing zeta functions of hyperelliptic curves over finite fields of characteristic \(2\). Advances in Cryptology–CRYPTO 2002. LNCS, vol. 2442, pp. 369–384. Springer, Berlin (2002).

  43. Verron T.: Régularisation du calcul de bases de Gröbner pour des systèmes avec poids et déterminantiels, et applications en imagerie médicale [Regularisation of Gröbner basis computation for weighted and determinantal systems, with applications to medical imaging]. Ph.D. Thesis (2016).

Acknowledgements

We want to thank the anonymous reviewers for their useful suggestions and insights towards the improvement of this article, as well as pointing out valuable references.

Correspondence to Alexandre Wallet.

Additional information

Communicated by A. Enge.

About this article

Cite this article

Faugère, JC., Wallet, A. The point decomposition problem over hyperelliptic curves. Des. Codes Cryptogr. 86, 2279–2314 (2018). https://doi.org/10.1007/s10623-017-0449-y
