
    Computing Elliptic Curve Discrete Logarithms with Improved Baby-step Giant-step Algorithm

    The negation map can be used to speed up the computation of elliptic curve discrete logarithms using either the baby-step giant-step algorithm (BSGS) or Pollard rho. Montgomery's simultaneous modular inversion can also be used to speed up Pollard rho when running many walks in parallel. We generalize these ideas and exploit the fact that for any two elliptic curve points X and Y, we can efficiently get X-Y when we compute X+Y. We apply these ideas to speed up the baby-step giant-step algorithm. Compared to the previous methods, the new methods can achieve a significant speedup for computing elliptic curve discrete logarithms in small groups or small intervals. Another contribution of our paper is to give an analysis of the average-case running time of Bernstein and Lange's "grumpy giants and a baby" algorithm, and also to consider this algorithm in the case of groups with efficient inversion. Our conclusion is that, in the fully-optimised context, both the interleaved BSGS and grumpy-giants algorithms have superior average-case running time compared with Pollard rho. Furthermore, for the discrete logarithm problem in an interval, the interleaved BSGS algorithm is considerably faster than the Pollard kangaroo or Gaudry-Schost methods.

    A Generic Approach to Searching for Jacobians

    We consider the problem of finding cryptographically suitable Jacobians. By applying a probabilistic generic algorithm to compute the zeta functions of low genus curves drawn from an arbitrary family, we can search for Jacobians containing a large subgroup of prime order. For a suitable distribution of curves, the complexity is subexponential in genus 2, and O(N^{1/12}) in genus 3. We give examples of genus 2 and genus 3 hyperelliptic curves over prime fields with group orders over 180 bits in size, improving previous results. Our approach is particularly effective over low-degree extension fields, where in genus 2 we find Jacobians over F_{p^2} and trace zero varieties over F_{p^3} with near-prime orders up to 372 bits in size. For p = 2^{61}-1, the average time to find a group with 244-bit near-prime order is under an hour on a PC.

    Comment: 22 pages, to appear in Mathematics of Computation.

    Removable Weak Keys for Discrete Logarithm Based Cryptography

    We describe a novel type of weak cryptographic private key that can exist in any discrete logarithm based public-key cryptosystem set in a group of prime order p where p-1 has small divisors. Unlike the weak private keys based on numerical size (such as smaller private keys, or private keys lying in an interval) that will always exist in any DLP cryptosystem, our type of weak private key occurs purely due to the parameter choice of p, and hence can be removed with an appropriate value of p. Using the theory of implicit group representations, we present algorithms that can determine whether a key is weak, and if so, recover the private key from the corresponding public key. We analyze several elliptic curves proposed in the literature and in various standards, giving counts of the number of keys that can be broken with relatively small amounts of computation. Our results show that many of these curves, including some from standards, have a considerable number of such weak private keys. We also use our methods to show that none of the 14 outstanding Certicom Challenge problem instances are weak in our sense, up to a certain weakness bound.

    Discrete logarithms in curves over finite fields

    A survey on algorithms for computing discrete logarithms in Jacobians of curves over finite fields.

    A usability study of elliptic curves

    In recent years, the need for information security has increased rapidly due to the enormous growth of data transmission. In this thesis, we study the uses of elliptic curves in cryptography. We discuss elliptic curves over finite fields and attempts to attack them: the discrete logarithm problem, Pollard's rho algorithm, the baby-step giant-step algorithm, the Pohlig-Hellman algorithm, the function field sieve, and the number field sieve. The main cryptographic reason to use elliptic curves over finite fields is to provide arbitrarily large finite cyclic groups having a computationally difficult discrete logarithm problem.

    Groups from Cyclic Infrastructures and Pohlig-Hellman in Certain Infrastructures

    In discrete logarithm based cryptography, a method by Pohlig and Hellman allows solving the discrete logarithm problem efficiently if the group order is known and has no large prime factors. The consequence is that such groups are avoided. In the past, there have been proposals for cryptography based on cyclic infrastructures. We will show that the Pohlig-Hellman method can be adapted to certain cyclic infrastructures, which similarly implies that certain infrastructures should not be used for cryptography. This generalizes a result by Müller, Vanstone and Zuccherato for infrastructures obtained from hyperelliptic function fields. We recall the Pohlig-Hellman method, define the concept of a cyclic infrastructure and briefly describe how to obtain such infrastructures from certain function fields of unit rank one. Then, we describe how to obtain cyclic groups from discrete cyclic infrastructures and how to apply the Pohlig-Hellman method to compute absolute distances, which is in general a computationally hard problem for cyclic infrastructures. Moreover, we give an algorithm which allows one to test whether an infrastructure satisfies certain requirements needed for applying the Pohlig-Hellman method, and discuss whether the Pohlig-Hellman method is applicable in infrastructures obtained from number fields. Finally, we discuss how this influences cryptography based on cyclic infrastructures.

    Comment: 14 pages.

    Algorithms for Determining the Order of the Group of Points on an Elliptic Curve with Application in Cryptography

    Elliptic curves are plane curves whose points satisfy the Weierstrass equation. Their main application is in cryptography, where they are an important tool for creating codes that are hard to break without knowledge of the key, and whose keys are short in comparison with other encryption systems. Thanks to these advantages they are widely used. To be able to encode and decode messages in elliptic curve cryptography we must know the order of the given elliptic curve. Among other methods, Shanks's algorithm and its improved variant, Mestre's algorithm, are used to determine it.

    Recent progress on the elliptic curve discrete logarithm problem

    We survey recent work on the elliptic curve discrete logarithm problem. In particular we review index calculus algorithms using summation polynomials, and claims about their complexity.