Improvement of Faugère et al.’s Method to Solve ECDLP

  • Yun-Ju Huang
  • Christophe Petit
  • Naoyuki Shinohara
  • Tsuyoshi Takagi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8231)


Solving the elliptic curve discrete logarithm problem (ECDLP) by using Gröbner basis has recently appeared as a new threat to the security of elliptic curve cryptography and pairing-based cryptosystems. At Eurocrypt 2012, Faugère, Perret, Petit and Renault proposed a new method using a multivariable polynomial system to solve ECDLP over finite fields of characteristic 2. At Asiacrypt 2012, Petit and Quisquater showed that this method may beat generic algorithms for extension degrees larger than about 2000.

In this paper, we propose a variant of Faugère et al.’s attack that practically reduces the computation time and memory required. Our variant is based on the idea of symmetrization. This idea already provided practical improvements in several previous works for composite-degree extension fields, but its application to prime-degree extension fields has been more challenging. To exploit symmetries in an efficient way in that case, we specialize the definition of factor basis used in Faugère et al.’s attack to replace the original polynomial system by a new and simpler one. We provide theoretical and experimental evidence that our method is faster and requires less memory than Faugère et al.’s method when the extension degree is large enough.
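The setting the abstract describes, as an added toy example that is not code from the paper: arithmetic in F_{2^11} (a prime extension degree), a binary curve with constructed coefficients A2 and A6, Semaev's third summation polynomial S_3 together with its symmetrized form in the elementary symmetric polynomials, and a brute-force relation search over the factor basis {P : x(P) in V} for a linear subspace V. Enumerating V here stands in for the Gröbner-basis solving of the Weil-descended polynomial system; the field, curve and the subspace dimension nprime are assumptions of this example.

```python
N = 11                                  # prime extension degree, as in the paper's setting
MOD = (1 << N) | (1 << 2) | 1           # F_{2^11} = F_2[z]/(z^11 + z^2 + 1), elements as 11-bit ints
A2, A6 = 1, 0x0F5                       # constructed curve E: y^2 + xy = x^3 + A2*x^2 + A6

def gf_mul(a, b):  # carry-less multiply, reduced modulo the defining polynomial
    r = 0
    while b:
        if b & 1: r ^= a
        b, a = b >> 1, a << 1
        if a >> N: a ^= MOD
    return r

def gf_inv(a):  # a^(2^N - 2) = 1/a for a != 0, by square-and-multiply
    r, e = 1, (1 << N) - 2
    while e:
        if e & 1: r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def lift_x(x):
    """First point of E with this x-coordinate, or None (brute force; toy field size)."""
    rhs = gf_mul(gf_mul(x, x), x ^ A2) ^ A6          # x^3 + A2*x^2 + A6
    for y in range(1 << N):
        if gf_mul(y, y ^ x) == rhs:                  # y^2 + x*y
            return (x, y)
    return None

def add(P, Q):
    """Affine addition on E for points with distinct x-coordinates."""
    (x1, y1), (x2, y2) = P, Q
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A2
    return (x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1)

def semaev3(x1, x2, x3):
    """Semaev's S_3 for E: zero iff points with these x-coordinates sum to O (over the closure)."""
    s1, s2, s3 = gf_mul(x1, x1), gf_mul(x2, x2), gf_mul(x3, x3)
    return gf_mul(s1, s2) ^ gf_mul(s1, s3) ^ gf_mul(s2, s3) ^ gf_mul(gf_mul(x1, x2), x3) ^ A6

def semaev3_sym(x1, x2, x3):
    """Symmetrized S_3: the same value written as e2^2 + e3 + A6 in elementary symmetric polynomials."""
    e2 = gf_mul(x1, x2) ^ gf_mul(x1, x3) ^ gf_mul(x2, x3)
    return gf_mul(e2, e2) ^ gf_mul(gf_mul(x1, x2), x3) ^ A6

def decompose(R, nprime):
    """Pairs x1 < x2 in V = span{1, z, ..., z^(nprime-1)} (ints below 2^nprime) with S_3(x1, x2, x(R)) = 0."""
    xr = R[0]
    return [(x1, x2) for x1 in range(1 << nprime) for x2 in range(x1 + 1, 1 << nprime)
            if semaev3(x1, x2, xr) == 0]
```

Each pair returned by decompose whose x-coordinates lift to points P1, P2 over F_{2^11} satisfies x(R) = x(P1 + P2) or x(R) = x(P1 - P2), which is the relation the index-calculus step records.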


Keywords: Elliptic curve, Discrete logarithm problem, Index calculus, Multivariable polynomial system, Gröbner basis




References

  1. National Security Agency: The case for elliptic curve cryptography (January 2009)
  2. Shanks, D.: Class number, a theory of factorization, and genera. In: 1969 Number Theory Institute (Proc. Sympos. Pure Math., vol. XX, State Univ. New York, Stony Brook, N.Y., 1969), Providence, R.I., pp. 415–440 (1971)
  3. Pollard, J.M.: A Monte Carlo method for factorization. BIT Numerical Mathematics 15(3), 331–334 (1975)
  4. Brent, R.P.: An improved Monte Carlo factorization algorithm. BIT Numerical Mathematics 20, 176–184 (1980)
  5. Pollard, J.M.: Kangaroos, monopoly and discrete logarithms. Journal of Cryptology 13, 437–447 (2000)
  6. Diem, C.: An index calculus algorithm for plane curves of small degree. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 543–557. Springer, Heidelberg (2006)
  7. Gaudry, P.: Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem. Journal of Symbolic Computation 44(12), 1690–1702 (2009)
  8. Diem, C.: On the discrete logarithm problem in elliptic curves. Compositio Mathematica 147, 75–104 (2011)
  9. Faugère, J.-C., Perret, L., Petit, C., Renault, G.: Improving the complexity of index calculus algorithms in elliptic curves over binary fields. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 27–44. Springer, Heidelberg (2012)
  10. Petit, C., Quisquater, J.-J.: On polynomial systems arising from a Weil descent. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 451–466. Springer, Heidelberg (2012)
  11. Joux, A., Vitse, V.: Elliptic curve discrete logarithm problem over small degree extension fields. Journal of Cryptology, 1–25 (2011)
  12. Faugère, J.-C., Gaudry, P., Huot, L., Renault, G.: Using symmetries in the index calculus for elliptic curves discrete logarithm. IACR Cryptology ePrint Archive 2012, 199 (2012)
  13. Semaev, I.: Summation polynomials and the discrete logarithm problem on elliptic curves. IACR Cryptology ePrint Archive 2004, 31 (2004)
  14. Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases (F4). Journal of Pure and Applied Algebra 139(1-3), 61–88 (1999)
  15. Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation, ISSAC 2002, pp. 75–83. ACM, New York (2002)
  16. Faugère, J.-C., Gianni, P., Lazard, D., Mora, T.: Efficient computation of zero-dimensional Gröbner bases by change of ordering. Journal of Symbolic Computation 16(4), 329–344 (1993)
  17. Joux, A., Vitse, V.: Cover and decomposition index calculus on elliptic curves made practical - application to a previously unreachable curve over \(\mathbb{F}_{p^6}\). In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 9–26. Springer, Heidelberg (2012)
  18. Joux, A., Vitse, V.: A variant of the F4 algorithm. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 356–375. Springer, Heidelberg (2011)

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Yun-Ju Huang, Graduate School of Mathematics, Kyushu University, Japan
  • Christophe Petit, UCL Crypto Group, Belgium
  • Naoyuki Shinohara, NICT, Japan
  • Tsuyoshi Takagi, Institute of Mathematics for Industry, Kyushu University, Japan
