Cryptographic implications of Hess' generalized GHS attack

A finite field K is said to be weak for elliptic curve cryptography if all instances of the discrete logarithm problem for all elliptic curves over K can be solved in significantly less time than it takes Pollard's rho method to solve the hardest instances. By considering the GHS Weil descent attack, it was previously shown that characteristic two finite fields are weak. In this paper, we examine characteristic two finite fields for weakness under Hess' generalization of the GHS attack. We show that the fields are potentially partially weak in the sense that any instance of the discrete logarithm problem for half of all elliptic curves over , namely those curves E for which is divisible by 4, can likely be solved in significantly less time than it takes Pollard's rho method to solve the hardest instances. We also show that the fields are partially weak, that the fields are potentially weak, and that the fields are potentially partially weak. Finally, we argue that the other fields where N is not divisible by 3, 5, 6, 7 or 8, are not weak under Hess' generalized GHS attack.

[1]  Pierrick Gaudry,et al.  Index calculus for abelian varieties and the elliptic curve discrete logarithm problem , 2004, IACR Cryptol. ePrint Arch..

[2]  Alfred Menezes,et al.  Analysis of the Weil Descent Attack of Gaudry, Hess and Smart , 2001, CT-RSA.

[3]  G. Frey,et al.  A remark concerning m -divisibility and the discrete logarithm in the divisor class group of curves , 1994 .

[4]  Pierrick Gaudry,et al.  An Algorithm for Solving the Discrete Log Problem on Hyperelliptic Curves , 2000, EUROCRYPT.

[5]  Ian F. Blake,et al.  Advances in Elliptic Curve Cryptography: Frontmatter , 2005 .

[6]  F. Hess,et al.  Advances in Elliptic Curve Cryptography: Weil Descent Attacks , 2005 .

[7]  F. Hess Generalising the GHS attack on the elliptic curve discrete logarithm problem , 2004 .

[8]  Alfred Menezes,et al.  Reducing elliptic curve logarithms to logarithms in a finite field , 1991, STOC '91.

[9]  S. Galbraith Constructing Isogenies between Elliptic Curves Over Finite Fields , 1999 .

[10]  Nigel P. Smart,et al.  The Discrete Logarithm Problem on Elliptic Curves of Trace One , 1999, Journal of Cryptology.

[11]  Alfred Menezes,et al.  Analysis of the GHS Weil Descent Attack on the ECDLP over Characteristic Two Finite Fields of Composite Degree , 2001, INDOCRYPT.

[12]  P. Gaudry,et al.  A general framework for subexponential discrete logarithm algorithms , 2002 .

[13]  Edlyn Teske On random walks for Pollard's rho method , 2001, Math. Comput..

[14]  Leonard M. Adleman,et al.  A subexponential algorithm for discrete logarithms over the rational subgroup of the jacobians of large genus hyperelliptic curves over finite fields , 1994, ANTS.

[15]  Igor A. Semaev,et al.  Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p , 1998, Math. Comput..

[16]  J. Pollard,et al.  Monte Carlo methods for index computation () , 1978 .

[17]  D. Kohel Endomorphism rings of elliptic curves over finite fields , 1996 .

[18]  Takakazu Satoh,et al.  Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves , 1998 .

[19]  Florian Hess,et al.  Computing Riemann-Roch Spaces in Algebraic Function Fields and Related Topics , 2002, J. Symb. Comput..

[20]  Nigel P. Smart,et al.  Constructive and destructive facets of Weil descent on elliptic curves , 2002, Journal of Cryptology.

[21]  Nicolas Thériault,et al.  A double large prime variation for small genus hyperelliptic index calculus , 2004, Math. Comput..

[22]  Alfred Menezes,et al.  Weak Fields for ECC , 2004, CT-RSA.

[23]  G. Frey Applications of Arithmetical Geometry to Cryptographic Constructions , 2001 .

[24]  Steven D. Galbraith,et al.  Extending the GHS Weil Descent Attack , 2002, EUROCRYPT.