Advertisement

Symmetrized Summation Polynomials: Using Small Order Torsion Points to Speed Up Elliptic Curve Index Calculus

  • Jean-Charles Faugère
  • Louise Huot
  • Antoine Joux
  • Guénaël Renault
  • Vanessa Vitse
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8441)

Abstract

Decomposition-based index calculus methods are currently efficient only for elliptic curves E defined over non-prime finite fields of very small extension degree n. This corresponds to the fact that the Semaev summation polynomials, which encode the relation search (or “sieving”), grow over-exponentially with n. Actually, even their computation is a first stumbling block and the largest Semaev polynomial ever computed is the 6-th. Following ideas from Faugère, Gaudry, Huot and Renault, our goal is to use the existence of small order torsion points on E to define new summation polynomials whose symmetrized expressions are much more compact and easier to compute. This setting allows to consider smaller factor bases, and the high sparsity of the new summation polynomials provides a very efficient decomposition step. In this paper the focus is on 2-torsion points, as it is the most important case in practice. We obtain records of two kinds: we successfully compute up to the 8-th symmetrized summation polynomial and give new timings for the computation of relations with degree 5 extension fields.

Keywords

ECDLP elliptic curves decomposition method index calculus Semaev polynomials multivariate polynomial systems invariant theory 

References

  1. 1.
    Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system. I. The user language. J. Symbolic Comput. 24(3-4), 235–265 (1997); Computational algebra and number theory, London (1993)Google Scholar
  2. 2.
    Diem, C.: On the discrete logarithm problem in elliptic curves. Compos. Math. 147(1), 75–104 (2011)CrossRefzbMATHMathSciNetGoogle Scholar
  3. 3.
    Faugère, J.-C.: FGb: A Library for Computing Gröbner Bases. In: Fukuda, K., van der Hoeven, J., Joswig, M., Takayama, N. (eds.) ICMS 2010. LNCS, vol. 6327, pp. 84–87. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  4. 4.
    Faugère, J.-C., Gaudry, P., Huot, L., Renault, G.: Using symmetries in the index calculus for elliptic curves discrete logarithm. J. Cryptology, 1–41 (2013), doi:10.1007/s00145-013-9158-5.Google Scholar
  5. 5.
    Faugère, J.-C., Gianni, P., Lazard, D., Mora, T.: Efficient computation of zero-dimensional Gröbner bases by change of ordering. J. Symbolic Comput. 16(4), 329–344 (1993)CrossRefzbMATHMathSciNetGoogle Scholar
  6. 6.
    Gaudry, P.: Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem. J. Symbolic Comput. 44(12), 1690–1702 (2008)CrossRefMathSciNetGoogle Scholar
  7. 7.
    Gaudry, P., Hess, F., Smart, N.P.: Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptology 15(1), 19–46 (2002)CrossRefMathSciNetGoogle Scholar
  8. 8.
    Granger, R., Joux, A., Vitse, V.: New timings for oracle-assisted SDHP on the IPSEC Oakley ’Well Known Group’ 3 curve. Announcement on the NBRTHRY Mailing List (July 2010), http://listserv.nodak.edu/archives/nmbrthry.html
  9. 9.
    IETF. The Oakley key determination protocol. IETF RFC 2412 (1998)Google Scholar
  10. 10.
    Joux, A., Vitse, V.: Cover and Decomposition Index Calculus on Elliptic Curves made practical: Application to a seemingly secure curve over \(\mathbb{F}_{p^6}\). In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 9–26. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  11. 11.
    Joux, A., Vitse, V.: Elliptic curve discrete logarithm problem over small degree extension fields. J. Cryptology 26(1), 119–143 (2013)CrossRefzbMATHMathSciNetGoogle Scholar
  12. 12.
    Koblitz, N., Menezes, A.: Another look at non-standard discrete log and Diffie-Hellman problems. J. Math. Cryptol. 2(4), 311–326 (2008)CrossRefzbMATHMathSciNetGoogle Scholar
  13. 13.
    Semaev, I.A.: Summation polynomials and the discrete logarithm problem on elliptic curves. Cryptology ePrint Archive, Report 2004/031 (2004)Google Scholar
  14. 14.
    Serre, J.-P.: Propriétés galoisiennes des points d’ordre fini des courbes elliptiques. Invent. Math. 15(4), 259–331 (1972)CrossRefzbMATHMathSciNetGoogle Scholar
  15. 15.
    Zippel, R.: Interpolating polynomials from their values. Journal of Symbolic Computation 9(3), 375–403 (1990)CrossRefzbMATHMathSciNetGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Jean-Charles Faugère
    • 1
    • 2
    • 3
  • Louise Huot
    • 2
    • 1
    • 3
  • Antoine Joux
    • 4
    • 5
    • 2
    • 3
  • Guénaël Renault
    • 2
    • 1
    • 3
  • Vanessa Vitse
    • 6
  1. 1.INRIA, POLSYSCentre Paris-RocquencourtLe ChesnayFrance
  2. 2.Sorbonne Universités, UPMC Univ Paris 06, LIP6 UPMCParisFrance
  3. 3.CNRS, UMR 7606, LIP6 UPMCParisFrance
  4. 4.CryptoExpertsParisFrance
  5. 5.Chaire de Cryptologie de la Fondation UPMCFrance
  6. 6.Institut FourierUniversité Joseph Fourier, Grenoble IFrance

Personalised recommendations