Analysis of the Weil Descent Attack of Gaudry, Hess and Smart

  • Alfred Menezes
  • Minghua Qu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2020)


We analyze the Weil descent attack of Gaudry, Hess and Smart [11] on the elliptic curve discrete logarithm problem for elliptic curves defined over finite fields of characteristic two.


  • Elliptic Curve
  • Hyperelliptic Curve
  • Discrete Logarithm Problem
  • Elliptic Curve Discrete Logarithm Problem
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.




  1. L. Adleman, J. DeMarrais and M. Huang, “A subexponential algorithm for discrete logarithms over the rational subgroup of the jacobians of large genus hyperelliptic curves over finite fields”, Algorithmic Number Theory, LNCS 877, 1994, 28–40.
  2. D. Cantor, “Computing in the jacobian of a hyperelliptic curve”, Mathematics of Computation, 48 (1987), 95–101.
  3. A. Enge, “The extended Euclidean algorithm on polynomials, and the efficiency of hyperelliptic cryptosystems”, Designs, Codes and Cryptography, to appear.
  4. A. Enge and P. Gaudry, “A general framework for subexponential discrete logarithm algorithms”, Rapport de Recherche Lix/RR/00/04, June 2000. Available from
  5. G. Frey, “How to disguise an elliptic curve (Weil descent)”, Talk at ECC ’98, Waterloo, 1998. Slides available from
  6. G. Frey, “Applications of arithmetical geometry to cryptographic constructions”, Proceedings of the Fifth International Conference on Finite Fields and Applications, to appear. Also available from
  7. G. Frey and H. Rück, “A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves”, Mathematics of Computation, 62 (1994), 865–874.
  8. S. Galbraith and N. Smart, “A cryptographic application of Weil descent”, Codes and Cryptography, LNCS 1746, 1999, 191–200.
  9. R. Gallant, R. Lambert and S. Vanstone, “Improving the parallelized Pollard lambda search on binary anomalous curves”, to appear in Mathematics of Computation.
  10. P. Gaudry, “An algorithm for solving the discrete log problem on hyperelliptic curves”, Advances in Cryptology — Eurocrypt 2000, LNCS 1807, 2000, 19–34.
  11. P. Gaudry, F. Hess and N. Smart, “Constructive and destructive facets of Weil descent on elliptic curves”, preprint, January 2000. Available from
  12. Internet Engineering Task Force, The OAKLEY Key Determination Protocol, IETF RFC 2412, November 1998.
  13. N. Koblitz, “CM-curves with good cryptographic properties”, Advances in Cryptology — Crypto ’91, LNCS 576, 1992, 279–287.
  14. A. Menezes, T. Okamoto and S. Vanstone, “Reducing elliptic curve logarithms to logarithms in a finite field”, IEEE Transactions on Information Theory, 39 (1993), 1639–1646.
  15. National Institute of Standards and Technology, Digital Signature Standard, FIPS Publication 186-2, February 2000.
  16. P. van Oorschot and M. Wiener, “Parallel collision search with cryptanalytic applications”, Journal of Cryptology, 12 (1999), 1–28.
  17. S. Paulus and A. Stein, “Comparing real and imaginary arithmetics for divisor class groups of hyperelliptic curves”, Algorithmic Number Theory, LNCS 1423, 1998, 576–591.
  18. S. Pohlig and M. Hellman, “An improved algorithm for computing logarithms over GF(p) and its cryptographic significance”, IEEE Transactions on Information Theory, 24 (1978), 106–110.
  19. J. Pollard, “Monte Carlo methods for index computation mod p”, Mathematics of Computation, 32 (1978), 918–924.
  20. T. Satoh and K. Araki, “Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves”, Commentarii Mathematici Universitatis Sancti Pauli, 47 (1998), 81–92.
  21. I. Semaev, “Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p”, Mathematics of Computation, 67 (1998), 353–356.
  22. N. Smart, “The discrete logarithm problem on elliptic curves of trace one”, Journal of Cryptology, 12 (1999), 193–196.
  23. J. Solinas, “Efficient arithmetic on Koblitz curves”, Designs, Codes and Cryptography, 19 (2000), 195–249.
  24. M. Wiener and R. Zuccherato, “Faster attacks on elliptic curve cryptosystems”, Selected Areas in Cryptography, LNCS 1556, 1999, 190–200.

Copyright information

© Springer-Verlag Heidelberg 1999

Authors and Affiliations

  • Alfred Menezes (1, 2)
  • Minghua Qu (2)

  1. Dept. of Combinatorics and Optimization, University of Waterloo, Canada
  2. Certicom Research, Canada
