91 research outputs found
Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem
International audienceWe propose an index calculus algorithm for the discrete logarithm problem on general abelian varieties of small dimension. The main difference with the previous approaches is that we do not make use of any embedding into the Jacobian of a well-suited curve. We apply this algorithm to the Weil restriction of elliptic curves and hyperelliptic curves over small degree extension fields. In particular, our attack can solve an elliptic curve discrete logarithm problem defined over GF(q^3) in heuristic asymptotic running time O~(q^(4/3)); and an elliptic problem over GF(q^4) or a genus 2 problem over GF(q^2) in heuristic asymptotic running time O~(q^(3/2))
Discrete logarithms in curves over finite fields
A survey on algorithms for computing discrete logarithms in Jacobians of
curves over finite fields
Point compression for the trace zero subgroup over a small degree extension field
Using Semaev's summation polynomials, we derive a new equation for the
-rational points of the trace zero variety of an elliptic curve
defined over . Using this equation, we produce an optimal-size
representation for such points. Our representation is compatible with scalar
multiplication. We give a point compression algorithm to compute the
representation and a decompression algorithm to recover the original point (up
to some small ambiguity). The algorithms are efficient for trace zero varieties
coming from small degree extension fields. We give explicit equations and
discuss in detail the practically relevant cases of cubic and quintic field
extensions.Comment: 23 pages, to appear in Designs, Codes and Cryptograph
Secure elliptic curves in cryptography
Elliptic Curve Cryptography (ECC) is a branch of public-key cryptography based on the arithmetic of elliptic curves. In the short life of ECC, most standards have proposed curves defined over prime finite fields using the short Weierstrass form. However, some researchers have started to propose as a more secure alternative the use of Edwards and Montgomery elliptic curves, which could have an impact in current ECC deployments. This chapter presents the different types of elliptic curves used in Cryptography together with the best-known procedure for generating secure elliptic curves, Brainpool. The contribution is completed with the examination of the latest proposals regarding secure elliptic curves analyzed by the SafeCurves initiative.Acknowledgements: This work has been partly supported by Ministerio de EconomĂa y Competitividad (Spain) under the project TIN2014-55325-C2-1-R (ProCriCiS), and by Comunidad de Madrid (Spain) under the project S2013/ICE-3095-CM (CIBERDINE), cofinanced with the European Union FEDER funds
A Generic Approach to Searching for Jacobians
We consider the problem of finding cryptographically suitable Jacobians. By
applying a probabilistic generic algorithm to compute the zeta functions of low
genus curves drawn from an arbitrary family, we can search for Jacobians
containing a large subgroup of prime order. For a suitable distribution of
curves, the complexity is subexponential in genus 2, and O(N^{1/12}) in genus
3. We give examples of genus 2 and genus 3 hyperelliptic curves over prime
fields with group orders over 180 bits in size, improving previous results. Our
approach is particularly effective over low-degree extension fields, where in
genus 2 we find Jacobians over F_{p^2) and trace zero varieties over F_{p^3}
with near-prime orders up to 372 bits in size. For p = 2^{61}-1, the average
time to find a group with 244-bit near-prime order is under an hour on a PC.Comment: 22 pages, to appear in Mathematics of Computatio
A comparison of different finite fields for elliptic curve cryptosystems
AbstractWe examine the relative efficiency of four methods for finite field representation in the context of elliptic curve cryptography (ECC). We conclude that a set of fields called the optimized extension fields (OEFs) give greater performance, even when used with affine coordinates, when compared against the type of fields recommended in the emerging ECC standards. Although this performance advantage is only marginal, and hence, there is probably no need to change the current standards to allow OEF fields in standards compliant implementations
Last fall degree, HFE, and Weil descent attacks on ECDLP
Weil descent methods have recently been applied to attack the Hidden Field Equation (HFE) public key systems and solve the elliptic curve discrete logarithm problem (ECDLP) in small characteristic. However the claims of quasi-polynomial time attacks on the HFE systems and the subexponential time algorithm for the ECDLP depend on various heuristic assumptions.
In this paper we introduce the notion of the last fall degree of a polynomial system, which is independent of choice of a monomial order. We then develop complexity bounds on solving polynomial systems based on this last fall degree.
We prove that HFE systems have a small last fall degree, by showing that one can do division with remainder after Weil descent. This allows us to solve HFE systems unconditionally in polynomial time if the degree of the defining polynomial and the cardinality of the base field are fixed.
For the ECDLP over a finite field of characteristic 2, we provide computational evidence that raises doubt on the validity of the first fall degree assumption, which was widely adopted in earlier works and which promises sub-exponential algorithms for ECDLP. In addition, we construct a Weil descent system from a set of summation polynomials in which the first fall degree assumption is unlikely to hold. These examples suggest that greater care needs to be exercised when applying this heuristic assumption to arrive at complexity estimates.
These results taken together underscore the importance of rigorously bounding last fall degrees of Weil descent systems, which remains an interesting but challenging open problem
- …