Improvement of Faugère et al.'s Method to Solve ECDLP

Solving the elliptic curve discrete logarithm problem (ECDLP) by using Gröbner basis has recently appeared as a new threat to the security of elliptic curve cryptography and pairing-based cryptosystems. At Eurocrypt 2012, Faugère, Perret, Petit and Renault proposed a new method using a multivariable polynomial system to solve ECDLP over finite fields of characteristic 2. At Asiacrypt 2012, Petit and Quisquater showed that this method may beat generic algorithms for extension degrees larger than about 2000. In this paper, we propose a variant of Faugère et al.'s attack that practically reduces the computation time and memory required. Our variant is based on the idea of symmetrization. This idea already provided practical improvements in several previous works for composite-degree extension fields, but its application to prime-degree extension fields has been more challenging. To exploit symmetries in an efficient way in that case, we specialize the definition of factor basis used in Faugère et al.'s attack to replace the original polynomial system by a new and simpler one. We provide theoretical and experimental evidence that our method is faster and requires less memory than Faugère et al.'s method when the extension degree is large enough.
