Cover and Decomposition Index Calculus on Elliptic Curves made practical. Application to a seemingly secure curve over $\mathbb{F}_{p^6}$

We present a new “cover and decomposition” attack on the elliptic curve discrete logarithm problem that combines Weil descent and decomposition-based index calculus into a single discrete logarithm algorithm. This attack applies, at least theoretically, to all composite degree extension fields, and is particularly well-suited for curves defined over $\mathbb{F}_{p^6}$. We give a real-size example of discrete logarithm computations on a curve over a 156-bit degree 6 extension field, which would not have been practically attackable using previously known algorithms. A shorter version of this work was presented at the EUROCRYPT 2012 conference.
