Extending the GHS Weil Descent Attack
In this paper we extend the Weil descent attack due to Gaudry, Hess and Smart (GHS) to a much larger class of elliptic curves. This extended attack applies to fields of composite degree over $\mathbb{F}_2$. The principle behind the extended attack is to use isogenies to find an elliptic curve for which the GHS attack is effective. The discrete logarithm problem on the target curve can be transformed into a discrete logarithm problem on the isogenous curve.
A further contribution of the paper is to give an improvement to an algorithm of Galbraith for constructing isogenies between elliptic curves, and this is of independent interest in elliptic curve cryptography. We show that a larger proportion than previously thought of elliptic curves over $\mathbb{F}_{2^{155}}$ should be considered weak.
Keywords: Elliptic Curve, Discrete Logarithm, Endomorphism Ring, Hyperelliptic Curve