Open Access Published by De Gruyter August 18, 2020

Can we Beat the Square Root Bound for ECDLP over 𝔽_p² via Representation?

Claire Delaplace and Alexander May

From the journal Journal of Mathematical Cryptology

https://doi.org/10.1515/jmc-2019-0025

Abstract

We give a 4-list algorithm for solving the Elliptic Curve Discrete Logarithm (ECDLP) over some quadratic field 𝔽_p². Using the representation technique, we reduce ECDLP to a multivariate polynomial zero testing problem. Our solution of this problem using bivariate polynomial multi-evaluation yields a p^1.314-algorithm for ECDLP. While this is inferior to Pollard’s Rho algorithm with square root (in the field size) complexity 𝓞(p), it still has the potential to open a path to an o(p)-algorithm for ECDLP, since all involved lists are of size as small as p34, only their computation is yet too costly.

Keywords: ECDLP; Representations; Multivariate polynomial zero-testing

MSC 2010: 11Y99; 11T06; 11T71

1 Introduction

Given an elliptic curve E, defined over a finite field 𝔽_q and two points P and Q on this curve, the elliptic curve discrete logarithm problem (ECDLP) consists in recovering k modulo order of P such that Q = kP, if it exists.

Nowadays, ECDLP-based cryptosystems are omnipresent in everyday life cryptography, as they are widely spread in cryptographic suites such as TLS.

Many algorithms for ECDLP have been proposed in the literature from Shanks Baby-Step Giant-Step [19], to Weil descent and index calculus methods [2, 4, 5, 6, 7]. Other algorithms have been designed for particular cases, such as elliptic curves over a field 𝔽_p of group order exactly p [14, 20], or in a subgroup of order p [17]. We refer the reader to [3] for an overview of ECDLP algorithms.

Pollard’s Rho algorithm offers the best time and space complexity for elliptic curves defined over a finite field 𝔽_p, where p is prime, with a running time of O(p) and constant memory (e.g. using Floyd’s cycle finding algorithm). Pollard’s Rho method basically creates a sequence (R_i)_i≥1 of elements of 〈P〉 with R₀ = O and R_i+1 = g(R_i) for a well chosen function g, such that each R_i satisfies R_i = a_iP + b_iQ. Once a collision appears between two elements R_i and R_j, we have (a_i − a_j) P = (b_j − b_i) Q. Provided that b_i ≠ b_j, it follows that Q=ai−ajbj−biP.

When the elliptic curve is defined over 𝔽_pⁿ for n ≥ 2, and p being a prime or a power of a prime, it is possible to perform what is called a Weil Descent. The core idea of Gaudry’s algebraic factor-base algorithm [6] for 𝔽_pⁿ is to split a point into an n-sum of points from a factor base that is defined over the base field 𝔽_p. Using Semaev’s summation polynomials [18], the split can be computed via a Gröbner basis computation. Such a computation yields a relation between factor base elements. If at least q – the size of the factor base – such relations are collected, ECDLP can be solved via linear algebra. In total, Gaudry’s method runs in time Op2−2n, which is for n = 2 no better than Pollard’s Rho algorithm. Moreover, with a factor base of size p, there is no hope to obtain an o(p)-algorithm. Yet, variations of the factor base might be possible as demonstrated in Petit et al. [13].

Our contribution

Our (ultimate) goal is to break the square root bound for ECDLP over 𝔽_p² by designing a 4-list algorithm using the representation technique. The representation technique already proved to be useful to break the square-root barrier in the context of the subset-sum problem [1, 8].

We define a problem, called Zero-Join (ZJ–Problem), which given two lists A and B of points of Fp2, and a polynomial f ∈ 𝔽_p[X₁,X₂,X₃,X₄] consists in returning a list C of all ((x₁, y₁), (x₂,y₂)) ∈ A × B such that f(x₁,y₁, x₂, y₂) = 0.

We show that A and B are such that ∣A∣ ⋅ ∣B∣ = p32. Moreover, we show that any algorithm which solves the ZJ–Problem in time T and in memory M also solves ECDLP over 𝔽_p² in time T and memory M. In particular, if ∣A∣ = ∣B∣ = p34, and in (the extreme) case that the ZJ–Problem could be solved in time linear in ∣A∣ and ∣B∣, ECDLP could be solved in Op34. A trivial solution to the ZJ–Problem can be achieved in quadratic time which results in a p32-algorithm. However, we show that the ZJ–Problem admits sub-quadratic solutions. When using multi-evaluation techniques for bivariate polynomials, we achieve a p^1.314-algorithm. We leave it as an open problem whether this can be further improved.

Organisation of the paper

In Section 3, we present our new ECDLP 4-list algorithm for an elliptic curve defined over 𝔽_p², for any prime p > 3. We also show that ECDLP reduces to the ZJ–Problem. Finally, we present a sub-quadratic algorithm to solve the ZJ–Problem in Section 4, resulting in our p^1.314-algorithm.

2 Preliminaries

For any integer r, we denote by ℤ_r the ring ℤ/rℤ. For any two integers a < b ∈ ℤ, we denote by [a, b] the set of all integers a ≤ k ≤ b and by [a, b) the set of all integers a ≤ k < b. For any n > 0, we denote by log n the logarithm in basis 2 of n. For any real x, we denote by ⌊x⌉ the rounding to the closest integer to x, when tied, we round to the greater one. Let us denote 𝔽_p the finite field with p elements. Let x be an element of 𝔽_p², x = x⁽⁰⁾ + αx⁽¹⁾, such that there exists β ∈ 𝔽_p and α is a root of X² − β, which is irreducible over 𝔽_p. Let 𝓑 be a basis of Fp2 with respect to α. The vector (x⁽⁰⁾, x⁽¹⁾) ∈ Fp2 in basis 𝓑 is uniquely associated to x.

Let q = pⁿ for n ≥ 1, and p > 3 prime. Let 𝔽_q be a finite field and let E be an elliptic curve over 𝔽_q. We denote by O the point at infinity of E. The group E(𝔽_q) is the group of all the points in E. As p > 3, we can define E in Weierstraß form. In particular, there is a function f : 𝔽_q → 𝔽_q that maps elements x to f(x) = x³ + ax + b, for some a, b ∈ 𝔽_q such that the set of points E(𝔽_q) equals {P = (x, y) ∈ Fq2 : y² = f(x)} ∪ {O}. Although there are other ways to represent an elliptic curve, in this paper, we focus on the Weierstraß model.

Let 𝓢₁ and 𝓢₂ be subsets of ℕ, we denote by 𝓢₁ + 𝓢₂ the set of integers z such that z = x + y with x ∈ 𝓢₁ and y ∈ 𝓢₂, and for all ℓ ∈ ℕ, we denote by ℓ 𝓢₁ the set of integers z such that z = ℓx with x ∈ 𝓢₁.

Let L be a list. We consider L as a tuple (ℓ₀, …, ℓ_N−1), where N = ∣L∣ ≥ 0. We denote by L[i] the (i + 1)-th element of the list. Given two lists L₁ = (ℓ₀, …, ℓ_N) and L₂ = (t₀, …, t_M), we denote by L₁ + L₂ the list (ℓ₀+t₀, ℓ₀ + t₁ … ℓ₀ + t_M … ℓ_N + t_M). An empty list is denoted by ⊥.

Complexities

We use the standard Landau notations to describe the complexities presented in this paper. The time complexities are given in number of elementary operations (negation, addition, multiplication, inverse) over 𝔽_p, and the memory complexities in number of elements of 𝔽_p that are to be stored. Using this convention, elementary operations over 𝔽_p² and sum of two points of the group E(𝔽_p²) are performed in time 𝓞(1), and storing an element of 𝔽_p² or a point of E(𝔽_p²) requires 𝓞(1) memory.

Discrete logarithm over an elliptic curve

Let E be an elliptic curve over a finite field 𝔽_q. Let us denote by ∣E(𝔽_q)∣ the order of the group (i.e. the cardinality of E(𝔽_q)). By Hasse’s Theorem, we know that ∣E(𝔽_q)∣ = 𝓞(q). Let P be a point of E(𝔽_q). The orderr of P is the cardinality of the cyclic group 〈P〉 = {O, P, 2P, …, (r − 1)P}. It is also the first integer ℓ > 0 such that ℓP = O. As 〈P〉 is a subgroup of E(𝔽_q), it is clear that r ≤ ∣E(𝔽_q)∣.

Definition 2.1

(ECDLP). Let 𝔽_q be a finite field, and let E be an elliptic curve over 𝔽_q. Let P be a point of E(𝔽_q) of prime order r = 𝓞(q). Let G = 〈P〉. Given P and Q in G, solving the discrete logarithm problem overE consists in recovering k ∈ ℤ_r such that kP = Q.

We are interested in the case where q = p², for a prime p > 3. We call this particular variant p²–ECDLP.

Representation Technique

In [8], Howgrave-Graham and Joux introduced the representation technique to improve methods for the subset-sum problem. Given a vector a ∈ ℤⁿ and a target t in ℤ the problem basically consists in finding a vector e ∈ {0, 1}ⁿ such that 〈a, e〉 = t. When the solution e consists exactly of n/2 non-zero coefficients, Howgrave-Graham and Joux noticed that it can be split into sums of two vectors e = e₁ + e₂, where e₁ and e₂ both consist of n/4 one coefficients, in n/2n/4 different ways. It is enough to find only one of these representations to recover a solution to the problem, thus additional constraints can be enforced on the dot products 〈a, e₁〉 and 〈a, e₂〉, so that only one of these representation survives. This yields a 2^0.337n algorithm for subset-sum that breaks the square root bound.

We would like to transfer this idea to the p²–ECDLP problem.

Definition 2.2

(Representation). Let ℓ > 0, r ∈ ℕ, k ∈ ℤ_r, and let 𝓢₁, … 𝓢_ℓ be subsets of ℕ. A tuple (k₁, …, k_ℓ) ∈ 𝓢₁ × … × 𝓢_ℓ is a representation of k if k = k₁ + … +k_ℓ mod r.

3 New ideas to solve p²–ECDLP

Let E(𝔽_p²) be an elliptic curve defined over 𝔽_p², with p > 3. Let r be the order of E(𝔽_p²), which can be computed in time polynomial in log p with Schoof’s algorithm [15, 16]. Since we are interested in cryptographic applications we assume that r is prime. By Hasse’s theorem we know that r ≈ p². Let P generate E(𝔽_p²) and let Q = kP for some unknown k ∈ ℤ_r that we want to compute.

First notice that for all (k₁, k₂) ∈ Zr2, (k₁+ k₂) P = Q is equivalent to k₁P = Q − k₂P. In the following we try to recover such a tuple (k₁, k₂).

Heuristic

For the complexity analysis of our algorithm, we assume that the points of E(𝔽_p²) are uniformly distributed over Fp22. The results of Kim, Tibouchi [9] provide some theoretical justification for our assumption.

3.1 Solving p²–ECDLP Using the Representation Technique

First note that every positive integer s can be uniquely decomposed as

s=s0+s1⌊p⌉+s2p,(1)

by computing first the integer division of s = s₂p + s̄ by p, and then the integer division of s̄ = s₀ + s₁⌊p⌉ by ⌊p⌉. In this case, s₀, s₁, s₂ are in ℕ such that 0≤s0<⌊p⌉,0≤s1<p⋅⌊p⌉−1 and s₂ ≥ 0.

With respect to this decomposition, we denote by 𝓢₁ and 𝓢₂ the subsets of [0, r) such that

S1={s=s0+s2p},S2={s=s1⌊p⌉+s2p}.

Informally, the bits of the elements of 𝓢₁ and 𝓢₂ are dispatched as shown in Figure 1a. We consider k as the sum k₁ + k₂ where k₁ ∈ 𝓢₁ and k₂ ∈ 𝓢₂. Since k₁, k₂ overlap in log⁡(rp) bits we expect that each k has at least rp ≈ p representations as a sum k₁ + k₂. This is shown more formally in the following lemma.

Figure 1

Bits repartition of the elements of 𝓢_i and 𝓣_j for i ∈ [1, 2], j ∈ [1, 3].

Lemma 3.1

There are at leastp − 1 representations ofkas the sumk₁ + k₂with (k₁, k₂) ∈ 𝓢₁ × 𝓢₂.

Proof

Let k = k₀ + k₁⌊p⌉ + k₂p ∈ [0, r) be such that k (mod r) = k, and let k̂ = k + r = k̂₀ + k̂₁⌊p⌉ + k̂₂p when decomposed as in Equation 1. We denote by 𝓢₁₁ the subset of 𝓢₁ of the elements s = k₀ + s₂p, and by 𝓢₁₂ the subset of 𝓢₁ of the elements s = k̂₀ + s₂p.

We first show that for any k₁ ∈ 𝓢₁₁ such that k₁ ≤ k, there exists some k₂ ∈ 𝓢₂ such that k₁ + k₂ = k. Then we claim that for any k₁ ∈ 𝓢₁₂, such that k₁ > k, there is a k₂ ∈ 𝓢₂ such that k₁ + k₂ = k̂.

Let k₁ ∈ 𝓢₁₁ be arbitrary such that k₁ ≤ k. From the definition of 𝓢₁₁, k₁ = k₀ + k₁₂p. In particular k₁ ≤ k means that k₂ − k₁₂ ≥ 0, and as k < r, k − k₁ ∈ [0, r). Finally we have

k¯−k1=k¯0+k¯1⌊p⌉+k¯2p−k¯0−k12p=k¯1⌊p⌉+(k¯2−k12)p∈S2.

Let now k₁ ∈ 𝓢₁₂, such that k₁ > k. First note that k₁ < r < k̂. From the definition of 𝓢₁₂, k₁ = k̂₀ + k₁₂p, and k̂ − k₁ ≥ 0 means that in particular k̂₂- k₁₂ ≥ 0. Furthermore as k₁ > k, k̂ − k₁ = r + k − k₁ ∈ [0, r). Finally

k^−k1=k^0+k^1⌊p⌉+k^2p−k^0−k12p=k^1⌊p⌉+(k^2−k12)p∈S2.

It follows that the number of representations (k₁, k₂) ∈ 𝓢₁ × 𝓢₂ of k is at least equal to the number N₁ of elements of 𝓢₁₁ that are smaller than k plus the number N₂ of elements of 𝓢₁₂ that are bigger than k. N₁ is the number of k₁ = k₀ + k₁₂p such that 0 ≤ k₁₂ ≤ k₂, meaning that N₁ = k₂ + 1. N₂ is the number of k₁ = k̂₀ + k₁₂p such that k₂ ≤ k₁₂ < rp. From Hasse’s Theorem, r ≥ p² − 2p. It follows that r/p ≥ p − 2, and thus N₂ ≥ p − 2 − k₁₂. It follows that there is at least p − 1 representations of k in 𝓢₁ × 𝓢₂.

□

Out of the p − 1 representations of k as k₁ + k₂, (k₁, k₂) ∈ 𝓢₁ × 𝓢₂ it suffices to compute a single one. Therefore, computing only a 1p-fraction of all points (P₁, P₂)=(k₁P, Q − k₂P) should be sufficient to compute k. In order to compute a 1p-fraction we restrict to those points (P₁, P₂) whose x-coordinate lies in the base field (i.e. P_i = (x, y) with x ∈ 𝔽_p). ^[1]

More precisely, we proceed as follows. We compute a list L of all P₁ = k₁P = (x, y) such that x ∈ 𝔽_p and k₁ ∈ 𝓢₁. Moreover, we compute a list L′ of all P₂ = Q − k₂P = (x′, y′) for k₂ ∈ 𝓢₂ such that x′ ∈ 𝔽_p. Then we search for a collision in L and L′. This gives us k as the sum of the corresponding k₁ and k₂.

This results in RepECDLP, described in Algorithm 2. Notice that the resulting lists L, L′ have expected size only p^1/2, since we impose a 1p restriction on a search space of size p^2/3.

Now let us turn to the tricky part, the computation of L, L′. Let {0 ≤ λ ≤ 12 be a fixed parameter to be determined later, and let 𝓣₁, 𝓣₂, 𝓣₃ be three sets of elements of [0, r) such that

T1=s=s0+ps2∈S1:s2∈0,pλT2=s=ps2∈S1∩S2:s2=tpλ∈0,pT3=s=s1⌊p⌉+ps2∈S2:s2∈0,pλ

The bit repartition of the elements of 𝓣₁, 𝓣₂ and 𝓣₃ is given by Figure 1b. The reader is advised to use the illustration in Figure 2 for the following description.

Figure 2

Illustration of RepECDLP.

It has already been argued that all s ∈ ℕ can be uniquely split as s = s₀ + ⌊p⌉s₁ + ps₂. Following the same argument, for any fixed λ, s₂ can be uniquely written as s2=s20+⌊pλ⌉s21, where s₂₀ < ⌊pλ⌉ by computing the integer division of s₂ by ⌊pλ⌉. It follows that, in particular, every s ∈ 𝓢₁ can be uniquely written as s = s₀ + p (s₂₀ + s₂₁p^λ), or in other words every s ∈ 𝓢₁ can be uniquely written as s = k₁ + k₂, where k₁ = s₀ + ps₂₀ ∈ 𝓣₁ and k₂ = p⌊pλ⌉ ∈ 𝓣₂. A similar argument can be applied to show that every s′ ∈ 𝓢₂ can be uniquely written as s′ = k₃ + k₄, where k₃ ∈ 𝓣₃ and k₄ ∈ 𝓣₂.

We create the list L₁ of (P₁, k₁) such that P₁ = k₁P for all k₁ ∈ 𝓣₁, the list L₂ of (P₂, k₂) such that P₂ = k₂P for all k₂ ∈ 𝓣₂, the list L₃ of (P₃, k₃) with P₃ = Q − k₃P for all k₃ ∈ 𝓣₃, and the list L₄ of (P₄, k₄) with P₄ = −k₄P for all k₄ ∈ 𝓣₂. From here, we compute the list L = {(P₁₂, k₁ + k₂) : (P₁, k₁) ∈ L₁, (P₂, k₂) ∈ L₂, P₁₂ = P₁ + P₂ = (x, y) with x ∈ 𝔽_p}. In particular, from the argument above, L consists of all the points k₁₂P = (x, y) such that x ∈ L and k₁₂ ∈ 𝓢₁. Then for all (x′, y′) = P₃ + P₄ with x′ ∈ 𝔽_p we check if (x′, y′) ∈ L, and if so return the sum of the corresponding k₁, k₂, k₃, k₄. In other words, we consider the following problem.

Problem 3.2

Given two lists L₁ and L₂ of points P ∈ E(𝔽_p²), compute the list L = {(x, y) = P₁ + P₂, P₁ ∈ L₁, P₂ ∈ L₂, x ∈ 𝔽_p

We claim that any algorithm solving Problem 3.2 can be used as the main routine to solve the p²–ECDLP problem. Our whole RepECDLP algorithm is summarised in Algorithm 2. The BuildLists algorithm, described in Algorithm 1 builds the lists L_i for i ∈ [1, 4] and we denote by ECJoin an algorithm solving Problem 3.2, with a slight modification that does not influence the run time: the input lists contain tuples (P_i, k_i), where k_i is an element of [0, r), the output list must also contain tuples (P₁ + P₂, k₁ + k₂).

The following lemma gives the complexities of BuildLists.

Algorithm 1

BuildLists(E, P)

Require: An elliptic curve E over 𝔽_p², a point P ∈ E(𝔽_p²).

Ensure: L₁, L₂, L₃, L₄.

1: fori ∈ [1, 4] do

2: L_i ← ⊥

3: (k₁, k₂) ← (1, 0)

4: P₂ = O

5: for 1 ≤ i ≤ p^λ ▹ Build lists L₁ and L₃

6: P₁ ← P + P₂

7: for 1 ≤ j < p12do

8: L₁ ← L₁ ∪ {(P₁, k₁)}

9: P₁ ← P₁ + P; k₁ ← k₁ + 1

10: ifi = 1 ▹ Only on the first iteration

11: P₀ ← P₁, k₀ ← k₁

12: P₂ ← P₁; k₂ ← k₁

13: for 1 ≤ j < p12do

14: L₃ ← L₃ ∪ {(Q − P₂, k₂)}

15: P₂ ← P₂ + P₀; k₂ ← k₂ + k₀

16: ifi < p^λ ▹ In all iterations except the last one

17: L₁ ← L₁ ∪ {(P₂, k₂)}

18: L₃ ← L₃ ∪ {(Q − P₂, k₂)}

19: P₁ ← P₂, k₁ ← k₂

20: for 0 ≤ i < rp^−(1+λ) ▹ Build lists L₂ and L₄

21: L₂ ← L₂ ∪ {(P₂, k₂)}

22: L₄ ← L₄ ∪ {(−P₂, k₂)}

23: P₂ ← P₂ + P₁, k₂ ← k₂ + k₁

Algorithm 2

RepECDLP(E, P, Q)

Require: An elliptic curve E over 𝔽_p², two points P, Q ∈ E(𝔽_p²).

Ensure: k such that Q = kP.

1: (L₁, L₂, L₃, L₄) ← BuildLists(E, P)

2: L ← ECJoin(L₁, L₂)

3: L′ ← ECJoin(L₃, L₄)

4: for allP₃₄ : ∃ k₃₄, (P₃₄, k₃₄) ∈ L′ do

5: if ∃ (P₁₂, k₁₂) ∈ L such that P₃₄ = P₁₂then

6: returnk₁₂ + k₃₄

return ⊥

Lemma 3.3

The BuildLists procedure constructs lists of sizes

|L1|=|L3|=p12+λand|L2|=|L4|=p(1−λ)

inOmaxp12+λ,p(1−λ)field operations using memoryOmaxp12+λ,p(1−λ).

Proof

We start by proving the time complexity. It is dominated by the runtime of the two main for-loops: the one at line 5, which fills L₁ and L₃, and the one at line 20, which fills L₂ and L₄. The first one is iterated p^λ times, and each iteration takes time p^1/2. Indeed, each iteration consists in a constant number of elementary operations in 𝔽_p and two for-loops which are each iterated p^1/2, and whose iterations consist in 𝓞(1) elementary operations in 𝔽_p. Thus the whole execution of the for-loop line 5 requires to perform Op12+λ operations. The for-loop line 20 is iterated rp^−(1+λ) times, and each iterations consists in a constant number of elementary operations over 𝔽_p. The claimed complexity follows.

We now show that the memory required is indeed Omax(p12+λ,rp−(1+λ)). The memory complexity is dominated by the storage of the four lists. Now, for i ∈ [1, 4], L_i contains 𝓞(∣L_i∣) elements of 𝔽_p. As such, the memory complexity of the whole procedure is 𝓞(max_i (∣L_i∣)). Furthermore, |L1|=|L3|=p12+λ and ∣L₂∣ = ∣L₄∣ = rp^−(1+λ). As r = 𝓞(p²), ∣L₂∣ = ∣L₄∣ = 𝓞(p^1−λ), which proves the given complexities.□

Remark 3.4

Notice that the choice λ = 14 implies that all lists have size Op34. However, as we will discuss in section 4, unbalanced list sizes might lead to time improvements.

3.2 Computing the Join

We now need to find a way to check whether a point (x, y) = P₁ + P₂ satisfies x ∈ 𝔽_p, knowing only the coordinates (x₁, y₁) of P₁ and (x₂, y₂) of P₂. We have

x=(y1−y2)2(x1−x2)2−x1−x2,and therefore(x1−x2)2(x1+x2+x)=y12+y22−2y1y2

Using Weierstraß’ equation to discard the y₁ and y₂ terms, we obtain

(x1−x2)2(x1+x2+x)−f(x1)−f(x2)2=4f(x1)f(x2).(2)

We denote x = x⁽⁰⁾ + αx⁽¹⁾ where x⁽⁰⁾, x⁽¹⁾ are in 𝔽_p and where α satisfies α² = β for some β quadratic non-residue modulo p, and we denote x1=x1(0)+αx1(1),2=x2(0)+αx2(1) accordingly. Having x ∈ 𝔽_p implies x⁽¹⁾ = 0. Let us denote by G ∈ 𝔽_p²[Y₁, Y₂, Y₃] the polynomial

G(Y1,Y2,Y3)=((Y1−Y2)2(Y1+Y2+Y3)−f(Y1)−f(Y2))2−4f(Y1)f(Y2).

As each Y_i can be expressed as Y_i = X_2i−1 + αX_2i where the X_j variables are over 𝔽_p. It follows that there exists a pair of unique polynomials g₀ and g₁ of 𝔽_p[X₁ … X₆] such that

g0(X1,…,X6)+αg1(X1…X6)=G(X1+αX2,X3+αX4,X5+αX6).

Now, for any x₁, x₂, x ∈ 𝔽_p² satisfying Equation (2)

g0(x1(0),x1(1),x2(0),…,x(1))+αg1(x1(0),…,x(1))=0.

Taking into account that x = x⁽⁰⁾ ∈ 𝔽_p, we come up with the following polynomial system in five variables

g0′x1(0),x1(1),x2(0),x2(1),x(0):=g0x1(0),x1(1),x2(0),x2(1),x(0),0=0g1′x1(0),x1(1),x2(0),x2(1),x(0):=g1x1(0),x1(1),x2(0),x2(1),x(0),0=0.

Computing the elimination ideal of 〈g′₀, g′₁〉, in the variable x⁽⁰⁾, we obtain a polynomial f of constant degree such that for all P₁ = (x₁, y₁), P₂ = (x₂, y₂) summing up to (x, y) with x ∈ 𝔽_p, we have

fx1(0),x1(1),x2(0),x2(1)=0.

Remark 3.5

Speaking in terms of ideal and algebraic varieties, we claim that (x1(0),x1(1),x2(0),x2(1)) ∈ V(〈f〉) = {(z₁, …, z₄) ∈ Fp4, f(z₁, … z₄) = 0}. This comes from the fact that by definition 〈f〉 ⊆ 〈g′₀, g′₁〉, It follows that V(〈g′₀, g′₁〉) ⊆ V(〈f〉). Since by construction of g′₀ and g1′,1(0),x1(1),x2(0),x2(1))∈V(〈g0′,g1′〉), our claim follows.

We are now ready to define the ZJ–Problem, which lies at the heart of our ECDLP algorithm.

Problem 3.6

(ZJ–Problem). Given two lists A and B respectively of points (x_A, y_A) and (x_B, y_B) in Fp2, and given a polynomial f of 𝔽_p[X₁, … X₄] compute the list C of all ((x_A, y_A),(x_B, y_B)) ∈ A × B such that f(x_A, y_A, x_B, y_B) = 0.

We claim that any algorithm solving the ZJ–Problem can be used as the main routine to solve Problem 3.2. Indeed, given our lists L₁ and L₂ respectively of points P₁ = (x₁, y₁) and P₂ = (x₂, y₂), and given the polynomial f defined as above, we compute the list A of all (x1(0),x1(1)) where x1=x1(0)+αx1(1). Then we compute the list B of all (x2(0),x2(1)) where x2=x2(0)+αx2(1). Now, let us denote by ZeroJoin any algorithm solving the ZJ–Problem. Let C = ZeroJoin(A, B, f).

We claim that for every P₁, P₂ satisfying P₁ + P₂ = (x, y) with x∈Fp,((x1(0),x1(1)),(x2(0),x2(1)))∈C. This comes from the definition of f. However, there may be false positives — meaning tuples ((x1(0),x1(1)),(x2(0),x2(1))) for which f(x1(0)…x2(1))=0 holds, but P₁ + P₂ = (x, y) with x ∉ 𝔽_p. Therefore, we need to check the corresponding sum (x, y), while computing the list L. In other words, for all ((x1(0),x1(1)),(x2(0),x2(1)))∈C, we first retrieve the corresponding (P₁, P₂) ∈ A × B. Then we compute (x, y) = P₁ + P₂. If x ∈ 𝔽_p, we add (x, y) to L.

This is summarized in Algorithm 3. The following lemma provides a reduction from the ZJ–Problem to Problem 3.2.

Algorithm 3

ECJoin(E, f, L₁, L₂)

Require: An elliptic curve E over 𝔽_p², two lists of point L₁, L₂, the polynomial f associated to E.

Ensure: L = {(P₀, k₁ + k₂) : P₀ = P₁ + P₂ = (x, y), (P_i, k_i) ∈ L_i, i ∈ [1, 2], x ∈ 𝔽_p}.

1: A, B, L ← ⊥

2: for all (P₁, k₁) ∈ L₁do

3: A←A∪{((x1(0),x1(1)),k1)}, where P₁ = (x₁, y₁)

4: for all (P₂, k₂) ∈ L₂do

5: B←B∪{((x2(0),x2(1)),k2)}, where (x₂, y₂) = P₂

6: C ← ZeroJoin(A, B, f)

7: for all (i, j) ∈ Cdo

8: (P₁, k₁) ← L₁[i], (P₂, k₂) ← L₂[j]

9: P₀ = (x, y) ← P₁ + P₂

10: ifx ∈ 𝔽_pthen

11: L ← L ∪ {(P₀, k₁ + k₂)}

Lemma 3.7

If ZeroJoin solves the ZJ–Problem in time T and memory M, The ECJoin algorithm solves Problem 3.2 in time T and memory M.

Proof

Let us denote by T_ECJoin the time complexity of the ECJoin algorithm. This algorithm consists of three for-loops and the ZeroJoin procedure. The first for-loop is iterated ∣L₁∣ times, and each iteration takes time 𝓞(1). The second for-loop is iterated ∣L₂∣ times. Once again each iteration requires a constant number of field operations. Then comes the ZeroJoin procedure which has a runtime T. Finally, the last for-loop requires to perform ∣C∣ iterations, each of them consisting of constant time operations. It follows that:

TECJoin=Omax(|L1|,|L2|,T,|C|).

It is clear that T ≥ ∣C∣, as the list C is built during the ZeroJoin procedure. We claim that T also satisfies T ≥ ∣L₁∣ + ∣L₂∣, as each of the ∣L₁∣ polynomial and each of the ∣L₂∣ point have to be considered at least once in order to create C. It follows that

TECJoin=T.

Let us focus on the memory. We denote by M_ECJoin the memory required by the ECJoin procedure. We have:

MECJoin=Omax(|L1|,|L2|,M,|C|).

Once again it is clear that M ≥ ∣C∣. We also claim that M ≥ ∣L₁∣ + ∣L₂∣ as our algorithm requires to store lists A and B of respective size ∣L₁∣ and ∣L₂∣. It follows that M_ECJoin = M.□

We now reduce the ZJ–Problem to p²–ECDLP.

Theorem 3.8

Under our heuristic, if there exists an algorithm ZeroJoin solving the ZJ–Problem in timeT and memory M, then RepECDLP solves the p²–ECDLP problem in time T and memory M.

Proof

We start by proving the time complexity. The RepECDLP algorithm consists basically of three steps. In the first step the lists L_i for i ∈ [1, 4] are created using the BuildLists procedure. According to Lemma 3.3 this can be done in time 𝓞(max_i(∣L_i∣)). The second step consists in creating both the join of L₁ and L₂, and of L₃ and L₄. According to Lemma 3.7, this takes time T. It remains to search for a collision between two lists. This can be done in time proportional to the size of the two lists provided that they are sorted according to the first component. Under our heuristic, we can assume that the points (x, y) contained in the lists are uniformly distributed over 𝔽_p × 𝔽_p², as such the sorting step can be done in time proportional to the size of lists. Recall that T ≥ max(∣L_i∣, ∣L∣, ∣L′∣) for the same argument than the one given in the proof of Lemma 3.7. It follows that the time complexity of the whole algorithm is dominated by T.

We claim that the memory complexity is dominated by the one of the ECJoin routines. Indeed as explained before, the space M required by this routine is at least Omax(p12+λ,p1−λ,|L|,|L′|), which is enough to prove our claim.

For completeness, we now prove that this procedure actually solves the p²–ECDLP problem. For simplicity, we consider only the first component of the lists elements. By construction

Li={kiP,ki∈Ti}if i∈{1,3}{Q−kiP,ki∈Ti}if i=2{−kiP,ki∈Ti}if i=4.

We claim that L = ECJoin(L₁, L₂) is the list

L={k12P=(x,y),k12∈S1,x∈Fp}.(3)

Indeed, by construction, it is obvious that ∀ (x, y) ∈ L, x ∈ 𝔽_p. Furthermore (x, y) = k₁₂P for some k₁₂ ∈ 𝓢₁ as (x, y) = k₁P + k₂P = (k₁ + k₂) P for some (k₁, k₂) ∈ L₁ × L₂. It follows that L ⊆ {k₁₂P = (x, y), k₁₂ ∈ 𝓢₁, x ∈ 𝔽_p}. We show that this is indeed an equality.

Recall that f ∈ 𝔽_p [X₁, X₂, X₃, X₄] is constructed so that, for all points P₁ = (x₁, y₁), P₂ = (x₂, y₂) ∈ E(𝔽_p²), if (x, y) = P₁ + P₂ satisfies x ∈ 𝔽_p then f(x1(0),x1(1),x2(0),x2(1))=0. Now for any P_i = (x_i, y_j), let us consider the polynomial f_i ∈ 𝔽_p[X, Y] such that fi(X,Y)=f(xi(0),xi(1),X,Y). It is clear that, for all P_j = (x_j, y_j) such that P_i + P_j = (x, y) with x∈Fp,fi(xj(0),xj(1))=0. As A is the set of the f_i polynomials for all (x_i, y_i) ∈ L₁, and B is the set of the (xj(0),xj(1)) tuples for all (x_j, y_j) ∈ L₂, it follows, from the definition of the ZeroJoin procedure, that if P_i + P_j = (x, y) satisfies that x ∈ 𝔽_p, then (i, j) ∈ C = ZeroJoin(A, B). As such {k₁₂P = (x, y), k₁₂ ∈ 𝓢₁, x ∈ 𝔽_p} ⊆ {P_i + P_j, (i, j) ∈ C}, only those points which indeed satisfy x ∈ 𝔽_p are kept in L. A similar argument is used to show that

L′={Q−k34P=(x′,y′),k34∈S2,x∈Fp}.

It remains to show that a representation (k₁₂, k₃₄) of our solution k is contained in the list L × L′. We argue that our algorithm succeeds in solving p²–ECDLP if there is a representation (k₁₂, k₃₄) ∈ 𝓢₁ + 𝓢₂ of k such that k₁₂P = (x, y) with x ∈ 𝔽_p.

It is clear that if there is no such representation of k our procedure fails, as only k₁₂ ∈ 𝓢₁ for which k₁₂P = (x, y) with x ∈ 𝔽_p are considered. Now, if such a k₁₂ exists, according to Equation 3, k₁₂P is in L. Similarly, if k₃₄ satisfies that Q − k₃₄P = (x′, y′) with x′ ∈ 𝔽_p, then k₃₄ is in L′. Furthermore, as k₁₂P = Q − k₃₄P, it is enough to know that k₁₂ satisfying k₁₂P = (x, y) with x ∈ 𝔽_p exists, to ensure that the algorithm recovers the solution.

We also claim that if the elements of E(𝔽_p²) are uniformly distributed (as we assume by our heuristic), then on expectation, there exists a representation (k₁₂, k₃₄) which satisfies k₁₂P = (x, y) with x ∈ 𝔽_p. First note that the uniform distribution implies

P[x∈Fp|(x,y)=ℓP,ℓ∈S1]=P[x∈Fp]=1p.

We denote by N_rep the number of representation of k as the sum k₁₂ + k₃₄, k₁₂ ∈ 𝓢₁, k₃₄ ∈ 𝓢₂. In other words N_rep is the number of elements k₁₂ ∈ 𝓢₁ such that there exists k₃₄ ∈ 𝓢₂, with k₁₂ + k₃₄ = k. We denote by Y the number of surviving representations in L + L′. In other words, Y is the number of k₁₂ ∈ 𝓢₁ such that there exists k₃₄ ∈ 𝓢₂ with k₁₂ + k₃₄ = k, and such that k₁₂P = (x, y) with x ∈ 𝔽_p. By Lemma 3.1, we have

E[Y]=Nrep1p≥1−1p.

Therefore for sufficiently large p we expect that one representation survives.□

4 Solving the ZJ–Problem

The running time of our new p²–ECDLP algorithm is dominated by solving the ZJ–Problem. Recall that in the ZJ–Problem we are given two lists A and B consisting respectively of N points (x₁₁, y₁₁) … (x_1N, y_1N) ∈ Fp2 and M points (x₂₁, y₂₁) … (x_2M, y_2M) ∈ Fp2, and a polynomial f for which we have to find all roots ((x_1i, y_1i), (x_2j, y_2j)) in our lists, that is f(x_1i, y_1i, x_2j, y_2j) = 0.

Naively, we can solve the ZJ–Problem in time T = 𝓞(NM). Namely, from the first list A of points (x_i, y_i) we construct a list Ā of bivariate polynomials

fi(X,Y)=fx1i,y1i,X,Y.

Then we successively evaluate all f_i(X, Y) in all M points (x₁, y₁) … (x_M, y_M) ∈ Fp2 from the second list B. As each polynomial has constant degree, each of the NM evaluations costs time 𝓞(1). As a result we obtain a list C of all the (f_i, (x_j, y_j)) ∈ Ā × B, such that f_i(x_j, y_j) = 0. Since we have NM = p32, this gives us an ECDLP algorithm with run time O(p32).

Fast Polynomial multiplication

Let I ⊂ [1, M]. Obviously, if

FI(X,Y)=∏i∈Ifi(X,Y)=0,

then there is an i ∈ I with f_i (x, y) = 0. This gives rise to the following algorithm.

Partition the set A of polynomials into buckets A_I₁, A_I₂, … A_{I_k}, for some k ≥ 1, such that f_i ∈ A_{I_ℓ} iff i ∈ I_ℓ.
For each I_ℓ, compute the set B_{I_ℓ} of points (x_j, y_j) ∈ B, such that F_{I_ℓ}(x_i, y_j) = 0.
For each f_i ∈ A_{I_ℓ}, find all (x_j, y_j) ∈ B_{I_ℓ}, such that f_i(x_j, y_j) = 0.

Our solution uses fast bivariate polynomial multi-point evaluation, that has on optimal choice N = p, M = p, for which only a single F_I = F has to be computed. This special case is given in Algorithm 4. The following multi-point evaluation result is due to Nüsken and Ziegler [12].

Lemma 4.1

([12, Result 4]). For any fixedϵ > 0, a bivariate polynomialf ∈ 𝔽_p[X, Y] of degree inX, Y ≤ d, specified by its coefficients, can be evaluated simultaneously atMgiven points (x, y) ∈ Fp2, with pair-wise differentx-coordinates usingO(M+d2)dω22−1+ϵoperations in 𝔽_p, whereω₂ ≤ 3.257 is the exponent ofn × nbyn × n²matrices multiplications.

We make use of the Schwartz-Zippel Lemma, from which we derive an upper bound on the number of zeroes of F in B in Algorithm 4.

Lemma 4.2

(Schwartz-Zippel). Given a polynomial F ∈ 𝔽_p[X, Y] of degree at mostdinX, Y, a random point (x, y) ∈ Fp2is a zero of F with probability

P[F(x,y)=0]≤dp.

Theorem 4.3

RepECDLP in combination with MultiEval solves p²–ECDLP in time

Algorithm 4

MultiEval(A, B)

Require: A list A of N polynomials of 𝔽_p[X, Y] and a list B of p points of Fp2.

Ensure: The list C of all the (f_i, (x_j, y_j)) ∈ A × B such that f_i (x_j, y_j) = 0.

1: B′, C ← ⊥

2: F←∏i=1pfi.

3: E ← BivariatePolynomialMultipointEvaluation(F, B)

4: for all 1 ≤ j ≤ p: E[j] = 0 do

5: B′ ← B′ ∪ {(x_j, y_j)}

6: for all f_i ∈ Ado

7: for all (x_j, y_j) ∈ B′ do

8: if f_i(x_j, y_j) = 0 then

9: C ← C ∪ (f_i, (x_j, y_j))

returnC

Proof

We start by showing that the time complexity of MultiEval is dominated by the bivariate polynomial multi-point evaluation line 3. At this aim, we denote by T_F, T_E, T_B′ and T_C respectively the time complexity required to compute F at line 2, to perform the multi-point evaluation at line 3, to execute the for-loop in line 4 and to execute the for-loop in line 6. The total runtime of the MultiEval procedure is given by

T=max(TF,TE,TB′,TC).(4)

First we estimate T_F. Notice that the degree of F in X and in Y is bounded by a constant c times p, since F is the product of p polynomials of constant degree in X and Y. It follows that F can be computed in T_F = 𝓞̃(p) operations, using fast polynomial multiplication algorithms, where logarithmic factors are hidden in the 𝓞̃.

Next, we have to evaluate this polynomial simultaneously in all the p points. From Lemma 4.1, this takes time Op12(1+ω22)+ϵ for any fixed ϵ > 0.

There is a small twist, however as lemma 4.1 can only be applied for a list of points (x, y) with pair-wise different x-coordinates. Considering that all x are in 𝔽_p and that ∣B∣ = p, this condition implies that all elements of 𝔽_p are present once and only once as the x-coordinate of an element of B. This is very unlikely. In fact, we proceed as follows. We partition B according to the x-coordinate and apply the Nüsken-Ziegler algorithm with one element of each partition of B. We restart until all elements of each partitions have been processed.

The number of time we have to restart is bounded by the size of the largest partition of B. If the x-coordinated are uniformly distributed over 𝔽_p, we can estimate this size, using maximum-load results [11]. We obtain that the number of time we have to restart is with high probability bounded by a constant times log⁡ploglog⁡p. Replacing ω₂ by the best known bound 3.257 [10], and for ϵ < 10⁻⁴, its follows that T_E = 𝓞̃(p^1.314).

We may assume that for each evaluated value E[j] we kept track of the corresponding (x_j, y_j). Then building B′ from E requires only to scan through each entry of E once, and add (x_j, y_j) in B′ for all E[j] = 0 that are encountered. The runtime of this step is thus linear in ∣E∣ = ∣B∣, and therefore T_B′ = 𝓞(p).

The last step consists in evaluating all f_i simultaneously in all the point of B′. We proceed in a naive way by taking all the polynomials, one by one, and evaluating each of them simultaneously in all the point of B′. This results in the two entwined for-loops in line 6 and 7. The first one iterates over all the polynomials and thus is iterated p times. The second one iterates over all the points of B′ and thus is iterated ∣B′∣ times. Each iteration of the second loop can be performed in 𝓞(1) as all the f_i are of constant degree. It follows that T_C= 𝓞(p ∣B′∣).

It remains to estimate ∣B′∣. From Lemma 4.2, for any random (x, y) ∈ Fp2

P[F(x,y)=0]≤pp.

Assuming that the points of B are uniformly distributed over Fp2, it follows that the expected size Z of B′ satisfies

E[Z]=p,

and thus the expected time complexity of this third step is 𝓞(p). From Equation 4, it follows that

T=Omax(p,p1.314)=Op1.314.

Building the list A of the polynomials f_i from the list A of points (x_i, y_i) and the polynomial f can be done in time linear in ∣A∣ = p, since f has constant total degree. Thus the ZJ–Problem can be solved in time T too. From Theorem 3.8, we can conclude that RepECDLP solves p²–ECDLP in time 𝓞(p^1.314).□

We hope that the result of Theorem 4.3 may be further improved. A possible direction is to replace the (unnecessary) multi-evaluation of F by some presumably more efficient zero testing method. An other research direction, as pointed out by one of the reviewers, could be to have a look at a different elliptic curve model than the one of Weierstraß (e.g. Edwards Curve). However, we are not sure whether the problem would become easier in this case.

A. May is funded by DFG under Germany’s Excellence Strategy - EXC 2092 CASA - 390781972.

Acknowledgement

The authors would like to thank the reviewers of NuTMiC 2019 for their useful comments, as well as Andre Esser for proof-reading this paper.

References

[1] Anja Becker, Jean-Sébastien Coron and Antoine Joux, Improved Generic Algorithms for Hard Knapsacks, in: Advances in Cryptology – EUROCRYPT 2011 (Kenneth G. Paterson, ed.), Lecture Notes in Computer Science 6632, pp. 364–385, Springer, Heidelberg, Germany, Tallinn, Estonia, May 15–19, 2011.10.1007/978-3-642-20465-4_21Search in Google Scholar

[2] Gerhard Frey and Herbert Gangl, How to disguise an elliptic curve (Weil descent), Talk at ECC98 (1998), 128–161.Search in Google Scholar

[3] Steven D Galbraith and Pierrick Gaudry, Recent progress on the elliptic curve discrete logarithm problem, Designs, Codes and Cryptography78 (2016), 51–72.10.1007/s10623-015-0146-7Search in Google Scholar

[4] Steven D. Galbraith, Florian Hess and Nigel P. Smart, Extending the GHS Weil Descent Attack, in: Advances in Cryptology – EUROCRYPT 2002 (Lars R. Knudsen, ed.), Lecture Notes in Computer Science 2332, pp. 29–44, Springer, Heidelberg, Germany, Amsterdam, The Netherlands, April 28 – May 2, 2002.10.1007/3-540-46035-7_3Search in Google Scholar

[5] Steven D. Galbraith and Nigel P. Smart, A Cryptographic Application of Weil Descent, in: 7th IMA International Conference on Cryptography and Coding (Michael Walker, ed.), Lecture Notes in Computer Science 1746, pp. 191–200, Springer, Heidelberg, Germany, Cirencester, UK, December 20–22, 1999.10.1007/3-540-46665-7_23Search in Google Scholar

[6] Pierrick Gaudry, Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem, Journal of Symbolic Computation44 (2009), 1690 – 1702, Gröbner Bases in Cryptography, Coding Theory, and Algebraic Combinatorics.10.1016/j.jsc.2008.08.005Search in Google Scholar

[7] Pierrick Gaudry, Florian Hess and Nigel P. Smart, Constructive and Destructive Facets of Weil Descent on Elliptic Curves, Journal of Cryptology15 (2002), 19–46.10.1007/s00145-001-0011-xSearch in Google Scholar

[8] Nick Howgrave-Graham and Antoine Joux, New Generic Algorithms for Hard Knapsacks, in: Advances in Cryptology – EUROCRYPT 2010 (Henri Gilbert, ed.), Lecture Notes in Computer Science 6110, pp. 235–256, Springer, Heidelberg, Germany, French Riviera, May 30 – June 3, 2010.10.1007/978-3-642-13190-5_12Search in Google Scholar

[9] Taechan Kim and Mehdi Tibouchi, Equidistribution Among Cosets of Elliptic Curve Points in Intervals, 2019, Accepted at NutMic 2019.Search in Google Scholar

[10] François Le Gall, Powers of tensors and fast matrix multiplication, in: Proceedings of the 39th international symposium on symbolic and algebraic computation, ACM, pp. 296–303, 2014.10.1145/2608628.2608664Search in Google Scholar

[11] Michael David Mitzenmacher, The power of two random choices in randomized load balancing, Ph.D. thesis, PhD thesis, Graduate Division of the University of California at Berkley, 1996.Search in Google Scholar

[12] Michael Nüsken and Martin Ziegler, Fast multipoint evaluation of bivariate polynomials, in: European Symposium on Algorithms, Springer, pp. 544–555, 2004.10.1007/978-3-540-30140-0_49Search in Google Scholar

[13] Christophe Petit, Michiel Kosters and Ange Messeng, Algebraic Approaches for the Elliptic Curve Discrete Logarithm Problem over Prime Fields, in: PKC 2016: 19th International Conference on Theory and Practice of Public Key Cryptography, Part II (Chen-Mou Cheng, Kai-Min Chung, Giuseppe Persiano and Bo-Yin Yang, eds.), Lecture Notes in Computer Science 9615, pp. 3–18, Springer, Heidelberg, Germany, Taipei, Taiwan, March 6–9, 2016.10.1007/978-3-662-49387-8_1Search in Google Scholar

[14] Takakazu Satoh, Kiyomichi Araki et al., Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves, Rikkyo Daigaku sugaku zasshi47 (1998), 81–92.Search in Google Scholar

[15] René Schoof, Elliptic curves over finite fields and the computation of square roots mod p, Mathematics of computation44 (1985), 483–494.10.1090/S0025-5718-1985-0777280-6Search in Google Scholar

[16] René Schoof, Counting points on elliptic curves over finite fields, Journal de théorie des nombres de Bordeaux7 (1995), 219–254.10.5802/jtnb.142Search in Google Scholar

[17] Igor Semaev, Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p, Mathematics of Computation of the American Mathematical Society67 (1998), 353–356.10.1090/S0025-5718-98-00887-4Search in Google Scholar

[18] Igor Semaev, Summation polynomials and the discrete logarithm problem on elliptic curves, Cryptology ePrint Archive, Report 2004/031, 2004, http://eprint.iacr.org/2004/031.Search in Google Scholar

[19] Daniel Shanks, Class number, a theory of factorization, and genera, in: Proc. of Symp. Math. Soc., 1971, 20, pp. 41–440, 1971.10.1090/pspum/020/0316385Search in Google Scholar

[20] Nigel P. Smart, The Discrete Logarithm Problem on Elliptic Curves of Trace One, Journal of Cryptology12 (1999), 193–196.10.1007/s001459900052Search in Google Scholar

Received: 2019-07-10

Accepted: 2020-04-30

Published Online: 2020-08-18

This work is licensed under the Creative Commons Attribution 4.0 International License.

Can we Beat the Square Root Bound for ECDLP over 𝔽_p² via Representation?

Abstract

1 Introduction

Our contribution

Organisation of the paper

2 Preliminaries

Complexities

Discrete logarithm over an elliptic curve

Definition 2.1

Representation Technique

Definition 2.2

3 New ideas to solve p²–ECDLP

3.1 Solving p²–ECDLP Using the Representation Technique

Lemma 3.1

Proof

Problem 3.2

Algorithm 1

Algorithm 2

Lemma 3.3

Proof

Remark 3.4

3.2 Computing the Join

Remark 3.5

Problem 3.6

Algorithm 3

Lemma 3.7

Proof

Theorem 3.8

Proof

4 Solving the ZJ–Problem

Fast Polynomial multiplication

Lemma 4.1

Lemma 4.2

Theorem 4.3

Algorithm 4

Proof

Acknowledgement

References

Journal and Issue

Articles in the same Issue

Can we Beat the Square Root Bound for ECDLP over 𝔽p2 via Representation?

Abstract

1 Introduction

Our contribution

Organisation of the paper

2 Preliminaries

Complexities

Discrete logarithm over an elliptic curve

Definition 2.1

Representation Technique

Definition 2.2

3 New ideas to solve p2–ECDLP

3.1 Solving p2–ECDLP Using the Representation Technique

Lemma 3.1

Proof

Problem 3.2

Algorithm 1

Algorithm 2

Lemma 3.3

Proof

Remark 3.4

3.2 Computing the Join

Remark 3.5

Problem 3.6

Algorithm 3

Lemma 3.7

Proof

Theorem 3.8

Proof

4 Solving the ZJ–Problem

Fast Polynomial multiplication

Lemma 4.1

Lemma 4.2

Theorem 4.3

Algorithm 4

Proof

Acknowledgement

References

Journal and Issue

Articles in the same Issue

Can we Beat the Square Root Bound for ECDLP over 𝔽_p² via Representation?

3 New ideas to solve p²–ECDLP

3.1 Solving p²–ECDLP Using the Representation Technique