Cover and Decomposition Index Calculus on Elliptic Curves Made Practical

Application to a Previously Unreachable Curve over \(\mathbb{F}_{p^6}\)
  • Antoine Joux
  • Vanessa Vitse
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7237)


We present a new “cover and decomposition” attack on the elliptic curve discrete logarithm problem that combines Weil descent and decomposition-based index calculus into a single discrete logarithm algorithm. This attack applies, at least theoretically, to all composite degree extension fields, and is particularly well-suited for curves defined over \(\mathbb{F}_{p^6}\). We give a real-size example of discrete logarithm computations on a curve over a 151-bit degree 6 extension field, which would not have been practically attackable using previously known algorithms.


Keywords: elliptic curve, discrete logarithm, index calculus, Weil descent, decomposition attack



Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Antoine Joux (1)
  • Vanessa Vitse (2)
  1. Laboratoire PRISM, DGA and Université de Versailles Saint-Quentin, Versailles Cedex, France
  2. Laboratoire PRISM, Université de Versailles Saint-Quentin, Versailles Cedex, France
