Improving the Complexity of Index Calculus Algorithms in Elliptic Curves over Binary Fields

  • Jean-Charles Faugère
  • Ludovic Perret
  • Christophe Petit
  • Guénaël Renault
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7237)


The goal of this paper is to further study the index calculus method that was first introduced by Semaev for solving the ECDLP and later developed by Gaudry and Diem. In particular, we focus on the step which consists in decomposing points of the curve with respect to an appropriately chosen factor basis. This part can be nicely reformulated as a purely algebraic problem consisting in finding solutions to a multivariate polynomial \(f(x_1,\ldots,x_m) = 0\) such that \(x_1,\ldots,x_m\) all belong to some vector subspace of \(\mathbb{F}_{2^n}/\mathbb{F}_2\). Our main contribution is the identification of particular structures inherent to such polynomial systems and a dedicated method for tackling this problem. We solve it by means of Gröbner basis techniques and analyze its complexity using the multi-homogeneous structure of the equations. A direct consequence of our results is an index calculus algorithm solving ECDLP over any binary field \(\mathbb{F}_{2^n}\) in time \(O(2^{\omega t})\), with \(t \approx n/2\) (provided that a certain heuristic assumption holds). This has to be compared with Diem's [14] index calculus based approach for solving ECDLP over \(\mathbb{F}_{q^n}\), which has complexity \(\mathrm{exp}\big(O(n\log(n)^{1/2})\big)\) for q = 2 and n a prime (but this holds without any heuristic assumption). We emphasize that the complexity obtained here is very conservative in comparison to experimental results. We hope the new ideas provided here may lead to efficient index calculus based methods for solving ECDLP in theory and practice.
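The decomposition problem the abstract describes, as an added toy example that is not code from the paper: a constructed curve over \(\mathbb{F}_{2^5}\), Semaev's third summation polynomial for that curve shape, and a factor basis made of the points whose x-coordinates lie in a constructed 3-dimensional \(\mathbb{F}_2\)-subspace V. The subspace is small enough to enumerate, so plain enumeration stands in for the Gröbner basis step; the field, curve coefficients and subspace basis are all assumptions chosen for the example.

```python
# Added toy instance (not the paper's code): point decomposition over F_{2^5} for the
# curve y^2 + xy = x^3 + A2*x^2 + A6, x-coordinates restricted to an F_2-subspace V.
N = 5                     # field elements are ints; bit i is the coefficient of z^i
MOD = 0b100101            # z^5 + z^2 + 1, irreducible over F_2 (constructed choice)
A2, A6 = 1, 0b01011       # constructed coefficients; A6 != 0 keeps the curve nonsingular

def gf_mul(a, b):
    """Multiply in F_{2^N}: carry-less product reduced modulo MOD."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        b, a = b >> 1, (a << 1) ^ (MOD if a >> (N - 1) else 0)
    return r

def gf_inv(a):  # inverse by exhaustive search, fine for a 32-element field
    return next(b for b in range(1, 1 << N) if gf_mul(a, b) == 1)

def curve_points():
    """All affine F_{2^N}-rational points of the curve."""
    return [(x, y) for x in range(1 << N) for y in range(1 << N)
            if gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(gf_mul(x, x), x ^ A2) ^ A6]

def ec_add(P, Q):
    """Affine group law on the binary curve; None is the point at infinity."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 != y2 or x1 == 0:              # Q = -P, or P is the 2-torsion point
            return None
        lam = x1 ^ gf_mul(y1, gf_inv(x1))    # doubling slope
    else:
        lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A2
    return (x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1)

def semaev_s3(x1, x2, x3):
    """Semaev's S3 for this curve shape: x1^2x2^2 + x1^2x3^2 + x2^2x3^2 + x1x2x3 + A6."""
    s1, s2, s3 = (gf_mul(x, x) for x in (x1, x2, x3))
    return gf_mul(s1, s2) ^ gf_mul(s1, s3) ^ gf_mul(s2, s3) ^ gf_mul(gf_mul(x1, x2), x3) ^ A6

def subspace(basis):  # F_2-span of the basis elements: the factor-basis x-coordinate set V
    span = {0}
    for b in basis:
        span |= {v ^ b for v in span}
    return span

def decompose(xr, V):
    """Decomposition with m = 2: every unordered (x1, x2) in V x V with S3(x1, x2, xr) = 0.
    V is tiny, so we enumerate; this is the step the paper replaces by a Groebner basis."""
    return sorted((x1, x2) for x1 in V for x2 in V if x1 <= x2 and semaev_s3(x1, x2, xr) == 0)
```

S3 vanishes on (x(P), x(Q), x(P+Q)) for every pair of curve points, so decomposing a target x-coordinate against V recovers the factor-basis pairs that sum to it; for realistic n the same question is posed as the polynomial system over \(\mathbb{F}_2\) that the paper attacks.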


Keywords: Elliptic Curve Cryptography, Index Calculus, Polynomial System Solving


  1. Adleman, L.M.: A Subexponential Algorithm for the Discrete Logarithm Problem with Applications to Cryptography. In: Proceedings of the 20th Annual Symposium on Foundations of Computer Science, SFCS 1979, pp. 55–60. IEEE Computer Society, Washington, DC, USA (1979)
  2. Adleman, L.M.: The Function Field Sieve. In: Huang, M.-D.A., Adleman, L.M. (eds.) ANTS 1994. LNCS, vol. 877, pp. 108–121. Springer, Heidelberg (1994)
  3. Adleman, L.M., DeMarrais, J., Huang, M.: A Subexponential Algorithm for Discrete Logarithms over the Rational Subgroup of the Jacobians of Large Genus Hyperelliptic Curves over Finite Fields. In: Huang, M.-D.A., Adleman, L.M. (eds.) ANTS 1994. LNCS, vol. 877, pp. 28–40. Springer, Heidelberg (1994)
  4. Adleman, L.M., Huang, M.: Function Field Sieve Method for Discrete Logarithms over Finite Fields. Inform. and Comput. 151(1-2), 5–16 (1999)
  5. Bardet, M.: Étude des Systèmes Algébriques Surdéterminés. Applications aux codes Correcteurs et à la Cryptographie. PhD thesis, Université Paris VI (2004)
  6. Bardet, M., Faugère, J.-C., Salvy, B.: Complexity of Gröbner Basis Computation for Semi-Regular Overdetermined Sequences over F_2 with Solutions in F_2. Technical Report 5049, INRIA (December 2003)
  7. Bardet, M., Faugère, J.-C., Salvy, B., Yang, B.-Y.: Asymptotic Expansion of the Degree of Regularity for Semi-Regular Systems of Equations. In: Gianni, P. (ed.) The Effective Methods in Algebraic Geometry Conference, Mega 2005, pp. 1–14 (May 2005)
  8. Bettale, L., Faugère, J.-C., Perret, L.: Hybrid Approach for Solving Multivariate Systems over Finite Fields. Journal of Math. Cryptology 3(3), 177–197 (2010)
  9. Bettale, L., Faugère, J.-C., Perret, L.: Cryptanalysis of HFE, multi-HFE and Variants for Odd and Even Characteristic. Des. Codes Cryptography, 1–46 (2012)
  10. Buchberger, B.: Ein Algorithmus zum Auffinden der Basiselemente des Restklassenringes nach einem nulldimensionalen Polynomideal. PhD thesis, Universität Innsbruck (1965)
  11. Cohen, H., Frey, G. (eds.): Handbook of Elliptic and Hyperelliptic Curve Cryptography. Discrete Mathematics and its Applications. Chapman & Hall/CRC (2005)
  12. Coppersmith, D.: Fast Evaluation of Logarithms in Fields of Characteristic Two. IEEE Transactions on Information Theory 30(4), 587–593 (1984)
  13. Diem, C.: On the Discrete Logarithm Problem in Elliptic Curves. Compositio Mathematica 147, 75–104 (2011)
  14. Diem, C.: On the Discrete Logarithm Problem in Elliptic Curves II. Presented at ECC 2011 (2011)
  15. Enge, A., Gaudry, P.: A General Framework for Subexponential Discrete Logarithm Algorithms. Acta Arith. 102(1), 83–103 (2002)
  16. Faugère, J.-C.: A New Efficient Algorithm for Computing Gröbner Basis (F4). Journal of Pure and Applied Algebra 139(1-3), 61–88 (1999)
  17. Faugère, J.-C.: A New Efficient Algorithm for Computing Gröbner Bases without Reduction to Zero (F5). In: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation, ISSAC 2002, pp. 75–83. ACM, New York (2002)
  18. Faugère, J.-C., Joux, A.: Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Gröbner Bases. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 44–60. Springer, Heidelberg (2003)
  19. Faugère, J.-C., Otmani, A., Perret, L., Tillich, J.-P.: Algebraic Cryptanalysis of McEliece Variants with Compact Keys. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 279–298. Springer, Heidelberg (2010)
  20. Faugère, J.-C.: FGb: A Library for Computing Gröbner Bases. In: Fukuda, K., van der Hoeven, J., Joswig, M., Takayama, N. (eds.) ICMS 2010. LNCS, vol. 6327, pp. 84–87. Springer, Heidelberg (2010)
  21. Faugère, J.-C., Levy-dit-Vehel, F., Perret, L.: Cryptanalysis of MinRank. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 280–296. Springer, Heidelberg (2008)
  22. Faugère, J.-C., Perret, L., Petit, C., Renault, G.: New Subexponential Algorithms for Factoring in \(SL(2,\mathbb{F}_{2^n})\). Preprint (2011)
  23. Faugère, J.-C., Safey El Din, M., Spaenlehauer, P.-J.: Computing Loci of Rank Defects of Linear Matrices using Gröbner Bases and Applications to Cryptology. In: Proceedings of the 2010 International Symposium on Symbolic and Algebraic Computation, ISSAC 2010, pp. 257–264. ACM, New York (2010)
  24. Faugère, J.-C., Safey El Din, M., Spaenlehauer, P.-J.: Gröbner Bases of Bihomogeneous Ideals Generated by Polynomials of Bidegree (1,1): Algorithms and Complexity. Journal of Symbolic Computation 46(4), 406–437 (2011)
  25. Faugère, J.-C., Rahmany, S.: Solving Systems of Polynomial Equations with Symmetries using SAGBI-Gröbner bases. In: Proceedings of the 2009 International Symposium on Symbolic and Algebraic Computation, ISSAC 2009, pp. 151–158. ACM, New York (2009)
  26. Gaudry, P., Thomé, E., Thériault, N., Diem, C.: A Double Large Prime Variation for Small Genus Hyperelliptic Index Calculus. Math. Comp. 76(257), 475–492 (electronic) (2007)
  27. Gaudry, P.: An Algorithm for Solving the Discrete Log Problem on Hyperelliptic Curves. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 19–34. Springer, Heidelberg (2000)
  28. Gaudry, P.: Index Calculus for Abelian Varieties of Small Dimension and the Elliptic Curve Discrete Logarithm Problem. J. Symb. Comput. 44(12), 1690–1702 (2009)
  29. Granboulan, L., Joux, A., Stern, J.: Inverting HFE Is Quasipolynomial. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 345–356. Springer, Heidelberg (2006)
  30. Joux, A., Lercier, R.: The Function Field Sieve in the Medium Prime Case. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 254–270. Springer, Heidelberg (2006)
  31. Kipnis, A., Shamir, A.: Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization. In: Wiener, M.J. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 19–30. Springer, Heidelberg (1999)
  32. Koblitz, N.: Elliptic Curve Cryptosystems. Mathematics of Computation 48, 203–209 (1987)
  33. Kraitchik, M.: Théorie des Nombres. Gauthier-Villars (1922)
  34. Lazard, D.: Gröbner-Bases, Gaussian Elimination and Resolution of Systems of Algebraic Equations. In: van Hulzen, J.A. (ed.) EUROCAL 1983. LNCS, vol. 162, pp. 146–156. Springer, Heidelberg (1983)
  35. Macaulay, F.S.: The Algebraic Theory of Modular Systems. Cambridge Mathematical Library, vol. xxxi. Cambridge University Press (1916)
  36. Macaulay, F.S.: Some Properties of Enumeration in the Theory of Modular Systems. Proc. London Math. Soc. 26, 531–555 (1927)
  37. Miller, V.S.: Use of Elliptic Curves in Cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986)
  38. Patarin, J.: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996)
  39. Rojas, J.M.: Solving Degenerate Sparse Polynomial Systems Faster. J. Symbolic Computation 28, 155–186 (1999)
  40. Semaev, I.: Summation Polynomials and the Discrete Logarithm Problem on Elliptic Curves (2004)

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Jean-Charles Faugère (1)
  • Ludovic Perret (1)
  • Christophe Petit (2)
  • Guénaël Renault (1)
  1. INRIA, Centre Paris-Rocquencourt, PolSys Project-team; CNRS, UMR 7606, LIP6; UPMC, Université Paris 06, LIP6; Paris Cedex 5, France
  2. UCL Crypto Group, Université catholique de Louvain, Louvain-la-Neuve, Belgium
