Cover and Decomposition Index Calculus on Elliptic Curves Made Practical - Application to a Previously Unreachable Curve over $\mathbb{F}_{p^6}$

@inproceedings{Joux2012CoverAD,
  title={Cover and Decomposition Index Calculus on Elliptic Curves Made Practical - Application to a Previously Unreachable Curve over \$\mathbb\{F\}\_\{p^6\}\$},
  author={Antoine Joux and Vanessa Vitse},
  booktitle={EUROCRYPT},
  year={2012}
}
We present a new "cover and decomposition" attack on the elliptic curve discrete logarithm problem, that combines Weil descent and decomposition-based index calculus into a single discrete logarithm algorithm. This attack applies, at least theoretically, to all composite degree extension fields, and is particularly well-suited for curves defined over Fp6. We give a real-size example of discrete logarithm computations on a curve over a 151-bit degree 6 extension field, which would not have been… 
View via Publisher
link.springer.com
40 Citations
Highly Influential Citations
2
Background Citations
7
Methods Citations
9

40 Citations

Citation Type

Citation Type

Cover and Decomposition Index Calculus on Elliptic Curves made practical. Application to a seemingly secure curve over Fp6
We present a new “cover and decomposition” attack on the elliptic curve discrete logarithm problem, that combines Weil descent and decomposition-based index calculus into a single discrete logarithm
Summation Polynomial Algorithms for Elliptic Curves in Characteristic Two
TLDR
A new choice of variables for binary Edwards curves to lower the degree of the summation polynomials and a choice of factor base that “breaks symmetry” and increases the probability of finding a relation are considered.
New algorithm for the discrete logarithm problem on elliptic curves
  • I. Semaev
  • Computer Science, Mathematics
    IACR Cryptol. ePrint Arch.
  • 2015
TLDR
For several binary elliptic curves recommended by FIPS the new method performs better than Pollard's and is based on a new method to find zeroes of summation polynomials.
Cover attacks for elliptic curves with cofactor two
TLDR
This work presents an algorithm for finding genus 3 hyperelliptic covers for the case of c=2, and presents two explicit examples of elliptic curves whose order are respectively 2 once a 149-bit prime and 2 times a 256- bit prime vulnerable to the attack.
Constructing Hyperelliptic Covers for Elliptic Curves over Quadratic Extension Fields
TLDR
A method to generate genus 2 curves for which the point counting problems can be easily solved with efficient algorithms for elliptic curves.
Attacking a Binary GLS Elliptic Curve with Magma
TLDR
A mechanism to check whether a randomly selected binary GLS curve is vulnerable against the gGHS attack is described, which works with all curves defined over binary fields and can be applied to each element of the isogeny class.
Solving the Elliptic Curve Discrete Logarithm Problem Using Semaev Polynomials, Weil Descent and Gröbner Basis Methods - An Experimental Study
TLDR
A subexponential-time index-calculus type algorithm for the Elliptic Curve Discrete Logarithm Problem (ECDLP) in characteristic two fields using Semaev polynomials and Weil Descent to create a system of polynomial equations that subsequently is to be solved with Grobner basis methods.
On Polynomial Systems Arising from a Weil Descent
TLDR
This paper revisits a class of polynomial systems introduced by Faugere, Perret, Petit and Renault and conjecture that their degrees of regularity are only slightly larger than the original degrees of the equations, resulting in a very low complexity compared to generic systems.
Models of Curves from GHS Attack in Odd Characteristic
TLDR
This paper shows that the Diem method, based on a formula for the embedding of rational subfield of the function field of (hyper)elliptic curve in that of the hyperelliptic covering, works without a condition under which explicit defining equations for some coverings are computed.
The Point Decomposition Problem over Hyperelliptic Curves: toward efficient computations of Discrete Logarithms in even characteristic
TLDR
A notion of Summation Ideals is introduced to describe PDP m instances over higher genus curves, and the number of solutions is reduced for both approaches, and it is suggested that Type II curves are weaker than expected against Decomposition attacks.
...
...

References

SHOWING 1-10 OF 41 REFERENCES
Elliptic Curve Discrete Logarithm Problem over Small Degree Extension Fields
TLDR
A variation of Faugère’s Gröbner basis algorithm F4, which significantly speeds up the relation computation, and it is shown how this index calculus also applies to oracle-assisted resolutions of the static Diffie–Hellman problem on these elliptic curves.
Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem
  • P. Gaudry
  • Mathematics, Computer Science
    J. Symb. Comput.
  • 2009
Constructive and destructive facets of Weil descent on elliptic curves
TLDR
It is shown that the same technique may provide a way of attacking the original elliptic curve cryptosystem using recent advances in the study of the discrete logarithm problem on hyperelliptic curves.
Generalising the GHS attack on the elliptic curve discrete logarithm problem
  • F. Hess
  • Mathematics, Computer Science
  • 2004
TLDR
The Weil descent construction of the GHS attack on the elliptic curve discrete logarithm problem (ECDLP) is generalised to arbitrary Artin-Schreier extensions and a formula for the characteristic polynomial of Frobenius of the obtained curves is given.
On the discrete logarithm problem in elliptic curves
  • C. Diem
  • Mathematics
    Compositio Mathematica
  • 2010
Abstract We study the elliptic curve discrete logarithm problem over finite extension fields. We show that for any sequences of prime powers (qi)i∈ℕ and natural numbers (ni)i∈ℕ with ni⟶∞ and ni/log
Weak Fields for ECC
We demonstrate that some finite fields, including \(\mathbb{F}_{{2}^{210}}\), are weak for elliptic curve cryptography in the sense that any instance of the elliptic curve discrete logarithm problem
An Index Calculus Algorithm for Plane Curves of Small Degree
  • C. Diem
  • Mathematics, Computer Science
    ANTS
  • 2006
TLDR
It is concluded that on heuristic grounds, “almost all” instances of the DLP in degree 0 class groups of (non-hyperelliptic) curves of a fixed genus g ≥3 (represented initially by plane models of bounded degree) can be solved in an expected time of $\tilde{O}(q^{2 -2/(g-1)})$.
Elliptic curve cryptosystems
TLDR
The question of primitive points on an elliptic curve modulo p is discussed, and a theorem on nonsmoothness of the order of the cyclic subgroup generated by a global point is given.
Scholten Forms and Elliptic/Hyperelliptic Curves with Weak Weil Restrictions
TLDR
This paper shows explicitly the classes of elliptic and hyperelliptic curves of low genera dened over extension elds, which have weak coverings, and how to construct such curves from these curves and analyze density of the curves for them such construction is possible.
Extending the GHS Weil Descent Attack
TLDR
The Weil descent attack due to Gaudry, Hess and Smart (GHS) is extended to a much larger class of elliptic curves and it is shown that a larger proportion than previously thought of elliptIC curves over F2155 should be considered weak.
...
...