Complexity of ECDLP under the First Fall Degree Assumption

Semaev shows that under the first fall degree assumption, the complexity of ECDLP over \bF_{2^n}, where $n$ is the input size, is $O(2^{n^{1/2+o(1)}})$. In his manuscript, the cost for solving equations system is $O((nm)^{4w})$, where $m$ ($2 \le m \le n$) is the number of decomposition and $w \sim 2.7$ is the linear algebra constant. It is remarkable that the cost for solving equations system under the first fall degree assumption, is poly in input size $n$. He uses normal factor base and the revalance of Probability that the decomposition success and size of factor base is done. %So that the result is induced. Here, using disjoint factor base to his method, Probability that the decomposition success becomes $\sim 1$ and taking the very small size factor base is useful for complexity point of view. Thus we have the result that states \\ Under the first fall degree assumption, the cost of ECDLP over \bF_{2^n}, where $n$ is the input size, is $O(n^{8w+1})$. Moreover, using the authors results, in the case of the field characteristic $\ge 3$, the first fall degree of desired equation system is estimated by $\le 3p+1$. (In $p=2$ case, Semaev shows it is $\le 4$. But it is exceptional.) So we have similar result that states \\ Under the first fall degree assumption, the cost of ECDLP over \bF_{p^n}, where $n$ is the input size and (small) $p$ is a constant, is $O(n^{(6p+2)w+1})$

Polynomial time reduction from 3SAT to solving low first fall degree multivariable cubic equations system

Koster shows that the problem for deciding whether the value of Semaev\u27s formula $S_m(x_1,...,x_m)$ is $0$ or not, is NP-complete. This result directly does not means ECDLP being NP-complete, but, it suggests ECDLP being NP-complete. Further, Semaev shows that the equations system using $m-2$ number of $S_3(x_1,x_2,x_3)$, which is equivalent to decide whether the value of Semaev\u27s formula $S_m(x_1,...,x_m)$ is $0$ or not, has constant(not depend on $m$ and $n$) first fall degree. So, under the first fall degree assumption, its complexity is poly in $n$ ($O(n^{Const})$).And so, suppose $P\ne NP$, which almost all researcher assume this, it has a contradiction and we see that first fall degree assumption is not true. Koster shows the NP-completeness from the group belonging problem, which is NP-complete, reduces to the problem for deciding whether the value of Semaev\u27s formula $S_m(x_1,...,x_m)$ is $0$ or not, in polynomial time. In this paper, from another point of view, we discuss this situation. Here, we construct some equations system defined over arbitrary field $K$ and its first fall degree is small, from any 3SAT problem. The cost for solving this equations system is polynomial times under the first fall degree assumption. So, 3SAT problem, which is NP-complete, reduced to the problem in P under the first fall degree assumption. Almost all researcher assume $P \ne NP$, and so, it concludes that the first fall degree assumption is not true. However, we can take K=\bR(not finite field. It means that 3SAT reduces to solving multivariable equations system defined over $\R$ and there are many method for solving this by numerical computation. So, I must point out the very small possibility that NP complete problem is reduces to solving cubic equations equations system over \bR which can be solved in polynomial time

Bit Coincidence Mining Algorithm II

In 2012, Petit et al. shows that under the algebraic geometrical assumption named First Fall degree Assumption , the complexity of ECDLP over binary extension field ${\bf F}_{2^n}$ is in $O(exp(n^{2/3+o(1)}))$ where $\lim_{n \to \infty} o(1)=0$ and there are many generalizations and improvements for the complexity of ECDLP under this assumption. In 2015, the author proposes the bit coincidence mining algorithm, which states that under the heuristic assumption of the complexity of xL algorithm, the complexity of ECDLP $E/{\bf F}_q$ over arbitrary finite field including prime field, is in $O(exp(n^{1/2+o(1)}))$ where $n \sim \log_2 \#E({\bf F}_q) \sim \log_2 q$. It is the first (heuristic) algorithm for solving ECDLP over prime field in subexponential complexity. In both researches, ECDLP reduces to solving large equations system and from each assumption, the complexity for solving reduced equations system is subexponential (or polynomial) complexity. However, the obtained equations system is too large for solving in practical time and space, they are only the results for the complexity. xL algorithm, is the algorithm for solving quadratic equations system, which consists of $n$ variables and $m$ equations. Here, $n$ and $m$ are considered as parameters. Put $D=D(n,m)$ by the maximal degree of the polynomials, which appears in the computation of solving equations system by xL. Courtois et al. observe and assume the following assumption; 1) There are small integer $C_0$, such that $D(n,n+C_0)$ is usually in $O(\sqrt{n})$, and the cost for solving equations system is in $O(exp(n^{1/2+0(1)}))$. However, this observation is optimistic and it must have the following assumption 2) The equations system have small number of the solutions over algebraic closure. (In this draft we assume the number of the solutions is 0 or 1) In the previous version\u27s bit coincidence mining algorithm (in 2015), the number of the solutions of the desired equations system over algebraic closure is small and it can be probabilistically controlled to be 1 and the assumption 2) is indirectly true. For my sense, the reason that xL algorithm, which is the beautiful heuristic, is not widely used is that the general equations system over finite field does not satisfy the assumption 2) (there are many solutions over algebraic closure) and is complexity is much larger. In the previous draft, I show that the ECDLP of $E({\bf F}_q)$ reduces to solving equations system consists of $d-1$ variables and $d+C_0-1$ equations where $C_0$ is an arbitrary positive integer and $d \sim C_0 \times \log_2 q$. So, the complexity for solving ECDLP is in subexponential under the following assumption a) There are some positive integer $C_0$ independent from $n$, such that solving quadratic equations system consists of $n$ variables and $m=n+C_0$ equations (and we must assume the assumption 2)) by xL algorithm, the maximum degree of the polynomials $D=D(n,m)$, appears in this routine is in $O(\sqrt{n})$ in high probability. Here, we propose the new algorithm that ECDLP of $E({\bf F}_q)$ is essentially reducing to solving equations system consists of $d-1$ variables and $\frac{b_0}{2}d$ equations where $b_0(\ge 2)$ is an arbitrary positive integer named block size and $d \sim (b_0-1)\log_{b_0} q$. Here, we mainly treat the case block size $b_0=3$. In this case, ECDLP is essentially reducing to solving equations system consists of about $2 \log_3 q$ variables and $3 \log_3 q$ equations. So that the desired assumption 1) is always true. Moreover, the number of the solutions (over algebraic closure) of this equations system can be probabilistically controlled to be 1 and the desired assumption 2) is also true. In the former part of this manuscript, the author states the algorithm for the construction of equations system that ECDLP is reduced and in the latter part of this manuscript, the author state the ideas and devices in order for increasing the number of the equations, which means the obtained equations system is easily solved by xL algorithm

On the first fall degree of summation polynomials

We improve on the first fall degree bound of polynomial systems that arise from a Weil descent along Semaev's summation polynomials relevant to the solution of the Elliptic Curve Discrete Logarithm Problem via Gr\"obner basis algorithms.Comment: 12 pages, fina

On Index Calculus Algorithms for Subfield Curves

In this paper we further the study of index calculus methods for solving the elliptic curve discrete logarithm problem (ECDLP). We focus on the index calculus for subfield curves, also called Koblitz curves, defined over Fq with ECDLP in Fqn. Instead of accelerating the solution of polynomial systems during index calculus as was predominantly done in previous work, we define factor bases that are invariant under the q-power Frobenius automorphism of the field Fqn, reducing the number of polynomial systems that need to be solved. A reduction by a factor of 1/n is the best one could hope for. We show how to choose factor bases to achieve this, while simultaneously accelerating the linear algebra step of the index calculus method for Koblitz curves by a factor n2. Furthermore, we show how to use the Frobenius endomorphism to improve symmetry breaking for Koblitz curves. We provide constructions of factor bases with the desired properties, and we study their impact on the polynomial system solving costs experimentally.SCOPUS: cp.kinfo:eu-repo/semantics/publishe

Last fall degree, HFE, and Weil descent attacks on ECDLP

Weil descent methods have recently been applied to attack the Hidden Field Equation (HFE) public key systems and solve the elliptic curve discrete logarithm problem (ECDLP) in small characteristic. However the claims of quasi-polynomial time attacks on the HFE systems and the subexponential time algorithm for the ECDLP depend on various heuristic assumptions. In this paper we introduce the notion of the last fall degree of a polynomial system, which is independent of choice of a monomial order. We then develop complexity bounds on solving polynomial systems based on this last fall degree. We prove that HFE systems have a small last fall degree, by showing that one can do division with remainder after Weil descent. This allows us to solve HFE systems unconditionally in polynomial time if the degree of the defining polynomial and the cardinality of the base field are fixed. For the ECDLP over a finite field of characteristic 2, we provide computational evidence that raises doubt on the validity of the first fall degree assumption, which was widely adopted in earlier works and which promises sub-exponential algorithms for ECDLP. In addition, we construct a Weil descent system from a set of summation polynomials in which the first fall degree assumption is unlikely to hold. These examples suggest that greater care needs to be exercised when applying this heuristic assumption to arrive at complexity estimates. These results taken together underscore the importance of rigorously bounding last fall degrees of Weil descent systems, which remains an interesting but challenging open problem

Bit Coincidence Mining Algorithm

Here, we propose new algorithm for solving ECDLP named Bit Coincidence Mining Algorithm! , from which ECDLP is reduced to solving some quadratic equations system. In this algorithm, ECDLP of an elliptic curve $E$ defined over \bF_q ($q$ is prime or power of primes) reduces to solving quadratic equations system of $d-1$ variables and $d+C_0-1$ equations where $C_0$ is small natural number and $d \sim C_0 \, \log_2 q$. This equations system is too large and it can not be solved by computer. However, we can show theoritically the cost for solving this equations system by xL algorithm is subexponential under the reasonable assumption of xL algorithm