Elliptic Curve Discrete Logarithms and the Index Calculus

The discrete logarithm problem forms the basis of numerous cryptographic systems. The most effective attack on the discrete logarithm problem in the multiplicative group of a finite field is via the index calculus, but no such method is known for elliptic curve discrete logarithms. Indeed, Miller [23] has given a brief heuristic argument as to why no such method can exist. IN this note we give a detailed analysis of the index calculus for elliptic curve discrete logarithms, amplifying and extending miller's remarks. Our conclusions fully support his contention that the natural generalization of the index calculus to the elliptic curve discrete logarithm problem yields an algorithm with is less efficient than a brute-force search algorithm.

[1]  Victor Shoup,et al.  Lower Bounds for Discrete Logarithms and Related Problems , 1997, EUROCRYPT.

[2]  N. Mulvany,et al.  Remarks on the Security of the Elliptic Curve Cryptosystem 2 , 1997 .

[3]  J. Pollard,et al.  Monte Carlo methods for index computation () , 1978 .

[4]  P. Erdös,et al.  On a problem of Oppenheim concerning “factorisatio numerorum” , 1983 .

[5]  Daniel M. Gordon,et al.  Discrete Logarithms in GF(P) Using the Number Field Sieve , 1993, SIAM J. Discret. Math..

[6]  Neal Koblitz,et al.  CM-Curves with Good Cryptographic Properties , 1991, CRYPTO.

[7]  Joseph H. Silverman,et al.  Computing heights on elliptic curves , 1988 .

[8]  Joseph H. Silverman,et al.  Lower bound for the canonical height on elliptic curves , 1981 .

[9]  Joseph H. Silverman,et al.  The canonical height and integral points on elliptic curves , 1988 .

[10]  Victor S. Miller,et al.  Use of Elliptic Curves in Cryptography , 1985, CRYPTO.

[11]  Joseph H. Silverman,et al.  The difference between the Weil height and the canonical height on elliptic curves , 1990 .

[12]  G. Frey,et al.  A remark concerning m -divisibility and the discrete logarithm in the divisor class group of curves , 1994 .

[13]  Damian Weber,et al.  Computing Discrete Logarithms with the General Number Field Sieve , 1996, ANTS.

[14]  Oliver Schirokauer,et al.  Discrete Logarithms: The Effectiveness of the Index Calculus Method , 1996, ANTS.

[15]  A. B.,et al.  Computation of Discrete Logarithms in Prime Fields , 2022 .

[16]  A. E. Western,et al.  Tables of indices and primitive roots , 1968 .

[17]  Leonard M. Adleman,et al.  A subexponential algorithm for the discrete logarithm problem with applications to cryptography , 1979, 20th Annual Symposium on Foundations of Computer Science (sfcs 1979).

[18]  Joseph H. Silverman,et al.  Computing canonical heights with little (or no) factorization , 1997, Math. Comput..

[19]  Martin E. Hellman,et al.  An improved algorithm for computing logarithms over GF(p) and its cryptographic significance (Corresp.) , 1978, IEEE Trans. Inf. Theory.

[20]  S. Lang,et al.  Elliptic Curves: Diophantine Analysis , 1978 .

[21]  Stephen C. Pohlig,et al.  An Improved Algorithm for Computing Logarithms over GF(p) and Its Cryptographic Significance , 2022, IEEE Trans. Inf. Theory.

[22]  Igor A. Semaev,et al.  Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p , 1998, Math. Comput..

[23]  Alfred Menezes,et al.  Reducing elliptic curve logarithms to logarithms in a finite field , 1993, IEEE Trans. Inf. Theory.

[24]  R. Schoof Elliptic Curves Over Finite Fields and the Computation of Square Roots mod p , 1985 .

[25]  Jean-François Mestre,et al.  Formules explicites et minoration de conducteurs de vari'et'es alg'ebriques , 1986 .

[26]  R. Balasubramanian,et al.  The Improbability That an Elliptic Curve Has Subexponential Discrete Log Problem under the Menezes—Okamoto—Vanstone Algorithm , 1998, Journal of Cryptology.

[27]  Taher El Gamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, IEEE Trans. Inf. Theory.

[28]  Jerome A. Solinas An Improved Algorithm for Arithmetic on a Family of Elliptic Curves , 1997, CRYPTO.

[29]  N. Koblitz Elliptic curve cryptosystems , 1987 .

[30]  J. Silverman Advanced Topics in the Arithmetic of Elliptic Curves , 1994 .

[31]  N. Elkies ABC implies Mordell , 1991 .

[32]  Andrew M. Odlyzko,et al.  Computation of discrete logarithms in prime fields , 1991, Des. Codes Cryptogr..

[33]  Leonard M. Adleman,et al.  A subexponential algorithm for discrete logarithms over the rational subgroup of the jacobians of large genus hyperelliptic curves over finite fields , 1994, ANTS.

[34]  Joseph H. Silverman,et al.  The arithmetic of elliptic curves , 1986, Graduate texts in mathematics.

[35]  Atsuko Miyaji,et al.  On Ordinary Elliptic Curve Cryptosystems , 1991, ASIACRYPT.

[36]  Takakazu Satoh,et al.  Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves , 1998 .