Improving the complexity of index calculus algorithms in elliptic curves over binary fields

Authors:
Jean-Charles Faugère;Ludovic Perret;Christophe Petit;Guénaël Renault
Affiliations:
Centre Paris-Rocquencourt, PolSys Project-team CNRS, UMR 7606, LIP6, UPMC, Université Paris 06, LIP6, INRIA, Paris, Cedex 5, France;Centre Paris-Rocquencourt, PolSys Project-team CNRS, UMR 7606, LIP6, UPMC, Université Paris 06, LIP6, INRIA, Paris, Cedex 5, France;UCL Crypto Group, Université catholique de Louvain, Louvain-la-Neuve, Belgium;Centre Paris-Rocquencourt, PolSys Project-team CNRS, UMR 7606, LIP6, UPMC, Université Paris 06, LIP6, INRIA, Paris, Cedex 5, France
Venue:
EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques
Year:
2012

Citing 20
Cited 3

Use of elliptic curves in cryptography

Lecture notes in computer sciences; 218 on Advances in cryptology---CRYPTO 85
Function field sieve method for discrete logarithms over finite fields

Information and Computation
Solving degenerate sparse polynomial systems faster

Journal of Symbolic Computation - Special issue on polynomial elimination—algorithms and applications
Gröbner-Bases, Gaussian elimination and resolution of systems of algebraic equations

EUROCAL '83 Proceedings of the European Computer Algebra Conference on Computer Algebra
Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization

CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
The function field sieve

ANTS-I Proceedings of the First International Symposium on Algorithmic Number Theory
A subexponential algorithm for discrete logarithms over the rational subgroup of the jacobians of large genus hyperelliptic curves over finite fields

ANTS-I Proceedings of the First International Symposium on Algorithmic Number Theory
A new efficient algorithm for computing Gröbner bases without reduction to zero (F5)

Proceedings of the 2002 international symposium on Symbolic and algebraic computation
A subexponential algorithm for the discrete logarithm problem with applications to cryptography

SFCS '79 Proceedings of the 20th Annual Symposium on Foundations of Computer Science
Cryptanalysis of MinRank

CRYPTO 2008 Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology
Solving systems of polynomial equations with symmetries using SAGBI-Gröbner bases

Proceedings of the 2009 international symposium on Symbolic and algebraic computation
Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem

Journal of Symbolic Computation
Hidden fields equations (HFE) and isomorphisms of polynomials (IP): Two new families of asymmetric algorithms

EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
An algorithm for solving the discrete log problem on hyperelliptic curves

EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
Computing loci of rank defects of linear matrices using Gröbner bases and applications to cryptology

Proceedings of the 2010 International Symposium on Symbolic and Algebraic Computation
FGb: a library for computing Gröbner bases

ICMS'10 Proceedings of the Third international congress conference on Mathematical software
Gröbner bases of bihomogeneous ideals generated by polynomials of bidegree (1,1): Algorithms and complexity

Journal of Symbolic Computation
Algebraic cryptanalysis of mceliece variants with compact keys

EUROCRYPT'10 Proceedings of the 29th Annual international conference on Theory and Applications of Cryptographic Techniques
Inverting HFE is quasipolynomial

CRYPTO'06 Proceedings of the 26th annual international conference on Advances in Cryptology
The function field sieve in the medium prime case

EUROCRYPT'06 Proceedings of the 24th annual international conference on The Theory and Applications of Cryptographic Techniques

Solving quadratic equations with XL on parallel architectures

CHES'12 Proceedings of the 14th international conference on Cryptographic Hardware and Embedded Systems
On polynomial systems arising from a weil descent

ASIACRYPT'12 Proceedings of the 18th international conference on The Theory and Application of Cryptology and Information Security
Elligator: elliptic-curve points indistinguishable from uniform random strings

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security

Quantified Score

Hi-index	0.00

Visualization

Abstract

The goal of this paper is to further study the index calculus method that was first introduced by Semaev for solving the ECDLP and later developed by Gaudry and Diem. In particular, we focus on the step which consists in decomposing points of the curve with respect to an appropriately chosen factor basis. This part can be nicely reformulated as a purely algebraic problem consisting in finding solutions to a multivariate polynomial f(x1,…,xm)=0 such that x1,…,xm all belong to some vector subspace of F2n/F2. Our main contribution is the identification of particular structures inherent to such polynomial systems and a dedicated method for tackling this problem. We solve it by means of Gröbner basis techniques and analyze its complexity using the multi-homogeneous structure of the equations. A direct consequence of our results is an index calculus algorithm solving ECDLP over any binary field F2n in time O(2ωt) , with t≈n/2 (provided that a certain heuristic assumption holds). This has to be compared with Diem's [14] index calculus based approach for solving ECDLP over F1n which has complexity exp(O(n log(n)1/2)) for q=2 and n a prime (but this holds without any heuristic assumption). We emphasize that the complexity obtained here is very conservative in comparison to experimental results. We hope the new ideas provided here may lead to efficient index calculus based methods for solving ECDLP in theory and practice.