On the Computational Complexity of ECDLP for Elliptic Curves in Various Forms Using Index Calculus
The security of elliptic curve cryptography is closely related to the computational complexity of the elliptic curve discrete logarithm problem (ECDLP). Today, the best practical attacks against ECDLP are exponential-time, generic discrete logarithm algorithms such as Pollard’s rho method. Recently, there is a line of research on index calculus for ECDLP started by Semaev, Gaudry, and Diem. Under certain heuristic assumptions, such algorithms could lead to subexponential attacks to ECDLP in some cases. In this paper, we investigate the computational complexity of ECDLP for elliptic curves in various forms—including Hessian, Montgomery, (twisted) Edwards, and Weierstrass using index calculus. The research question we would like to answer is: Using index calculus, is there any significant difference in the computational complexity of ECDLP for elliptic curves in various forms? We will provide some empirical evidence and insights showing an affirmative answer in this paper.
KeywordsSecurity evaluation ECDLP Index calculus Summation polynomial Point decomposition problem
This work is partially supported by JSPS KAKENHI Grant (C)(JP15K00183) and (JP15K00189) and Japan Science and Technology Agency, CREST and Infrastructure Development for Promoting International S&T Cooperation and Project for Establishing a Nationwide Practical Education Network for IT Human Resources Development, Education Network for Practical Information Technologies.
- 3.Bernstein, D.J., Birkner, P., Joye, M., Lange, T., Peters, C.: Twisted Edwards curves. IACR Cryptology ePrint Archive, 2008:13 (2008)Google Scholar
- 4.Bernstein, D.J., Lange, T.: Faster addition and doubling on elliptic curves. IACR Cryptology ePrint Archive, 2007:286 (2007)Google Scholar
- 7.Faugère, J.-C., Perret, L., Petit, C., Renault, G.: Improving the complexity of index calculus algorithms in elliptic curves over binary fields. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 27–44. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_4 CrossRefGoogle Scholar
- 12.Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48, 243–264 (1987). http://links.jstor.org/sici?sici=0025-5718(198701)48:177<243:STPAEC>2.0.CO;2-3
- 13.Petit, C., Quisquater, J.: On polynomial systems arising from a Weil descent. IACR Cryptology ePrint Archive 2012:146 (2012)Google Scholar
- 15.Semaev, I.A.: Summation polynomials and the discrete logarithm problem on elliptic curves. IACR Cryptology ePrint Archive 2004:31 (2004)Google Scholar