Advertisement

An Algorithm for Solving the Discrete Log Problem on Hyperelliptic Curves

  • Pierrick Gaudry
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1807)

Abstract

We present an index-calculus algorithm for the computation of discrete logarithms in the Jacobian of hyperelliptic curves defined over finite fields. The complexity predicts that it is faster than the Rho method for genus greater than 4. To demonstrate the efficiency of our approach, we describe our breaking of a cryptosystem based on a curve of genus 6 recently proposed by Koblitz.

Keywords

Elliptic Curf Prime Divisor Discrete Logarithm Hyperelliptic Curve Elliptic Curve Discrete Logarithm Problem 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

References

  1. 1.
    L. M. Adleman, J. DeMarrais, and M.-D. Huang. A subexponential algorithm for discrete logarithms over the rational subgroup of the jacobians of large genus hyperelliptic curves over finite fields. In L. Adleman and M.-D. Huang, editors, ANTS-I, volume 877 of Lecture Notes in Comput. Sci., pages 28–40. Springer-Verlag, 1994. 1st Algorithmic Number Theory Symposium-Cornell University, May 6–9, 1994.Google Scholar
  2. 2.
    W. Bosma and J. Cannon. Handbook of Magma functions, 1997. Sydney, http://www.maths.usyd.edu.au:8000/u/magma/.
  3. 3.
    J. Buhler and N. Koblitz. Lattice basis reduction, Jacobi sums and hyperellitic cryptosystems. Bull. Austral. Math. Soc., 58:147–154, 1998.zbMATHMathSciNetCrossRefGoogle Scholar
  4. 4.
    D. G. Cantor. Computing in the Jacobian of an hyperelliptic curve. Math. Comp., 48(177):95–101, 1987.zbMATHCrossRefMathSciNetGoogle Scholar
  5. 5.
    S. Cavallar. Strategies in filtering in the Number Field Sieve. Extended abstract, conference MPKC, Toronto, June 1999.Google Scholar
  6. 6.
    F. Chabaud and R. Lercier. ZEN, A new toolbox for computing in finite extensions of finite rings, February 1998. distributed with the ZEN package at http://www.dmi.ens.fr/~zen.
  7. 7.
    J. Chao, N. Matsuda, O. Nakamura, and S. Tsujii. Cryptosystems based on CM abelian variety. In Proc. Symposium on Cryptography and Information Security, 1997.Google Scholar
  8. 8.
    T. Denny and D. Weber. The solution of McCurley’s discrete log challenge. In H. Krawczyk, editor, Proc. of CRYPTO’98”, volume 1462 of Lecture Notes in Comput. Sci., pages 458–471, 1998.Google Scholar
  9. 9.
    I. Duursma, P. Gaudry, and F. Morain. Speeding up the discrete log computation on curves with automorphisms. In K.Y. Lam, E. Okamoto, and C. Xing, editors, Advances in Cryptology — ASIACRYPT’ 99, volume 1716 of Lecture Notes in Comput. Sci., pages 103–121. Springer-Verlag, 1999. International Conference on the Theory and Applications of Cryptology and Information Security, Singapore, November 1999, Proceedings.Google Scholar
  10. 10.
    I. Duursma and K. Sakurai. Efficient algorithms for the jacobian variety of hyperelliptic curves y 2 = x px + 1 over a finite field of odd characteristic p. In Proceedings of the “International Conference on Coding Theory, Cryptography and Related Areas”, Lecture Notes in Comput. Sci., 1999. Guanajuato, Mexico on April, 1998.Google Scholar
  11. 11.
    A. Enge. Computing discrete logarithms in high-genus hyperelliptic jacobians in provably subexponential time. Preprint; available at http://www.math.uwaterloo.ca/CandO_Dept/CORR/corr99.html, 1999.
  12. 12.
    A. Enge and P. Gaudry. A general framework for subexponential discrete logarithm algorithms. In preparation, 1999.Google Scholar
  13. 13.
    R. Flassenberg and S. Paulus. Sieving in function fields. Preprint; available at ftp://ftp.informatik.tu-darmstadt.de/pub/TI/TR/TI-97-13.rafla.ps.gz, 1997.
  14. 14.
    G. Frey and H.-G. Rück. A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Math. Comp., 62(206):865–874, April 1994.zbMATHCrossRefMathSciNetGoogle Scholar
  15. 15.
    W. Fulton. Algebraic curves. Math. Lec. Note Series. W. A. Benjamin Inc, 1969.Google Scholar
  16. 16.
    S. D. Galbraith and N. Smart. A cryptographic application of Weil descent. Preprint HP-LABS Technical Report (Number HPL-1999-70)., 1999.Google Scholar
  17. 17.
    R. Gallant, R. Lambert, and S. Vanstone. Improving the parallelized Pollard lambda search on binary anomalous curves. http://www.certicom.com/chal/download/paper.ps, 1998.
  18. 18.
    T. Granlund. The GNU Multiple Precision arithmetic library — 2.0.2. GNU, 1996. distributed with the gmp package at ftp://prep.ai.mit.edu/pub/gnu/gmp-M.N.tar.gz.
  19. 19.
    J. L. Haffner and K. S. McCurley. A rigorous subexponential algorithm for computation of class groups. J. Amer. Math. Soc., 2(4):837–850, 1989.CrossRefMathSciNetGoogle Scholar
  20. 20.
    J.-C. Hervé, B. Serpette, and J. Vuillemin. BigNum: A portable and efficient package for arbitrary-precision arithmetic. Technical Report 2, Digital Paris Research Laboratory, May 1989.Google Scholar
  21. 21.
    M.-D. Huang and D. Ierardi. Counting points on curves over finite fields. J. Symbolic Comput., 25:1–21, 1998.CrossRefMathSciNetGoogle Scholar
  22. 22.
    T. Izu, J. Kogure, M. Noro, and K. Yokoyama. Efficient implementation of Schoof’s algorithm. In K. Ohta and D. Pei, editors, Advances in Cryptology — ASIACRYPT’ 98, volume 1514 of Lecture Notes in Comput. Sci., pages 66–79. Springer-Verlag, 1998. International Conference on the theory and application of cryptology and information security, Beijing, China, October 1998.Google Scholar
  23. 23.
    N. Koblitz. Elliptic curve cryptosystems. Math. Comp., 48(177):203–209, January 1987.zbMATHCrossRefMathSciNetGoogle Scholar
  24. 24.
    N. Koblitz. Hyperelliptic cryptosystems. J. of Cryptology, 1:139–150, 1989.zbMATHCrossRefMathSciNetGoogle Scholar
  25. 25.
    N. Koblitz. A family of jacobians suitable for discrete log cryptosystems. In S. Goldwasser, editor, Advances in Cryptology — CRYPTO’ 88, volume 403 of Lecture Notes in Comput. Sci., pages 94–99. Springer-Verlag, 1990. Proceedings of a conference on the theory and application of cryptography held at the University of California, Santa Barbara, August 21–25, 1988.Google Scholar
  26. 26.
    N. Koblitz. Algebraic aspects of cryptography, volume 3 of Algorithms and Computation in Mathematics. Springer-Verlag, 1998.Google Scholar
  27. 27.
    B. A. LaMacchia and A. M. Odlyzko. Solving large sparse linear systems over finite fields. In A. J. Menezes and S. A. Vanstone, editors, Advances in Cryptology, volume 537 of Lecture Notes in Comput. Sci., pages 109–133. Springer-Verlag, 1990. Proc. Crypto’ 90, Santa Barbara, August 11–15, 1988.Google Scholar
  28. 28.
    R. Lercier. Algorithmique des courbes elliptiques dans les corps finis. Thèse, École polytechnique, June 1997.Google Scholar
  29. 29.
    R. Lercier and F. Morain. Counting the number of points on elliptic curves over finite fields: strategies and performances. In L. C. Guillou and J.-J. Quisquater, editors, Advances in Cryptology — EUROCRYPT’ 95, volume 921 of Lecture Notes in Comput. Sci., pages 79–94, 1995. Saint-Malo, France, May 1995, Proceedings.Google Scholar
  30. 30.
    A. Menezes, T. Okamoto, and S. A. Vanstone. Reducing elliptic curves logarithms to logarithms in a finite field. IEEE Trans. Inform. Theory, 39(5):1639–1646, September 1993.zbMATHCrossRefMathSciNetGoogle Scholar
  31. 31.
    V. Miller. Use of elliptic curves in cryptography. In A.M. Odlyzko, editor, Advances in Cryptology — CRYPTO’ 86, volume 263 of Lecture Notes in Comput. Sci., pages 417–426. Springer-Verlag, 1987. Proceedings, Santa Barbara (USA), August 11–15, 1986.Google Scholar
  32. 32.
    V. Müller, A. Stein, and C. Thiel. Computing discrete logarithms in real quadratic congruence function fields of large genus. Math. Comp., 68(226):807–822, 1999.zbMATHCrossRefMathSciNetGoogle Scholar
  33. 33.
    J. Pila. Frobenius maps of abelian varieties and finding roots of unity in finite fields. Math. Comp., 55(192):745–763, October 1990.zbMATHCrossRefMathSciNetGoogle Scholar
  34. 34.
    J. M. Pollard. Monte Carlo methods for index computation mod p. Math. Comp., 32(143):918–924, July 1978.zbMATHCrossRefMathSciNetGoogle Scholar
  35. 35.
    H. G. Rück. On the discrete logarithm in the divisor class group of curves. Math. Comp., 68(226):805–806, 1999.zbMATHCrossRefMathSciNetGoogle Scholar
  36. 36.
    Y. Sakai and K. Sakurai. Design of hyperelliptic cryptosystems in small charatcteristic and a software implementation over \( \mathbb{F}_{2^n } \). In K. Ohta and D. Pei, editors, Advances in Cryptology, volume 1514 of Lecture Notes in Comput. Sci., pages 80–94. Springer-Verlag, 1998. Proc. Asiacrypt’ 98, Beijing, October, 1998.Google Scholar
  37. 37.
    T. Satoh and K. Araki. Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves. Comment. Math. Helv., 47(1):81–92, 1998.zbMATHMathSciNetGoogle Scholar
  38. 38.
    I. A. Semaev. Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curves in characteristic p. Math. Comp., 67(221):353–356, January 1998.zbMATHCrossRefMathSciNetGoogle Scholar
  39. 39.
    V. Shoup. Lower bounds for discrete logarithms and related problems. In W. Fumy, editor, Advances in Cryptology — EUROCRYPT’ 97, volume 1233 of Lecture Notes in Comput. Sci., pages 256–266. Springer-Verlag, 1997. International Conference on the Theory and Application of Cryptographic Techniques, Konstanz, Germany, May 1997, Proceedings.Google Scholar
  40. 40.
    N. Smart. The discrete logarithm problem on elliptic curves of trace one. J. of Cryptology, 12(3):193–196, 1999.zbMATHCrossRefMathSciNetGoogle Scholar
  41. 41.
    N. Smart. On the performance of hyperelliptic cryptosystems. In J. Stern, editor, Advances in Cryptology — EUROCRYPT’ 99, volume 1592 of Lecture Notes in Comput. Sci., pages 165–175. Springer-Verlag, 1999. International Conference on the Theory and Application of Cryptographic Techniques, Prague, Czech Republic, May 1999, Proceedings.Google Scholar
  42. 42.
    A.-M. Spallek. Kurven vom Geschlecht 2 und ihre Anwendung in Public-Key-Kryptosystemen. PhD thesis, Universität Gesamthochschule Essen, July 1994.Google Scholar
  43. 43.
    A. Stein and E. Teske. Catching kangaroos in function fields. Preprint, March 1999.Google Scholar
  44. 44.
    R. G. Swan. Factorization of polynomials over finite fields. Pacific J. Math., 12:1099–1106, 1962.zbMATHMathSciNetGoogle Scholar
  45. 45.
    E. Teske. Speeding up Pollard’s rho method for computing discrete logarithms. In J. P. Buhler, editor, Algorithmic Number Theory, volume 1423 of Lecture Notes in Comput. Sci., pages 541–554. Springer-Verlag, 1998. Third International Symposium, ANTS-III, Portland, Oregon, june 1998, Proceedings.Google Scholar
  46. 46.
    P. C. van Oorschot and M. J. Wiener. Parallel collision search with cryptanalytic applications. J. of Cryptology, 12:1–28, 1999.zbMATHCrossRefGoogle Scholar
  47. 47.
    D. H. Wiedemann. Solving sparse linear equations over finite fields. IEEE Trans. Inform. Theory, IT-32(1):54–62, 1986.CrossRefMathSciNetGoogle Scholar
  48. 48.
    M. J. Wiener and R. J. Zuccherato. Faster attacks on elliptic curve cryptosystems. In S. Tavares and H. Meijer, editors, Selected Areas in Cryptography’ 98, volume 1556 of Lecture Notes in Comput. Sci. Springer-Verlag, 1999. 5th Annual International Workshop, SAC’98, Kingston, Ontario, Canada, August 17–18, 1998, Proceedings.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Pierrick Gaudry
    • 1
  1. 1.LIXÉcole PolytechniquePalaiseau CedexFrance

Personalised recommendations