On the effectiveness of isogeny walks for extending cover attacks on elliptic curves

Cryptographic systems based on the elliptic curve discrete logarithm problem (ECDLP) are widely deployed in the world today. In order for such a system to guarantee a particular security level, the elliptic curve selected must be such that it avoids a number of well-known attacks. Beyond this, one also needs to be wary of attacks whose reach can be extended via the use of isogenies. It is an open problem as to whether there exists a field for which the isogeny walk strategy can render all elliptic curves unsuitable for cryptographic use. This thesis provides a survey of the theory of elliptic curves from a cryptographic perspective and overviews a few of the well-known algorithms for computing elliptic curve discrete logarithms. We perform some experimental verification for the assumptions used in the analysis of the isogeny walk strategy for extending Weil descent-type cover attacks, and explore its applicability to elliptic curves of cryptographic size. In particular, we demonstrate for the first time that the field F_2^{150} is partially weak for elliptic curve cryptography

On general multi-quadratic function field extensions in the GHS attack

To date, elliptic curves offer the most efficient cryptographic solution. Particularly efficient among elliptic curves, are those defined over binary composite finite fields, such as GF ((2 r ) n ). These curves were no longer considered secure when, in 1998, Gerhard Frey innovated a concept which paved the road for the GHS attack. The idea behind the GHS attack is to map the Discrete Logarithm Problem (DLP) over such a curve to an equivalent DLP over the jacobian of another curve, defined over the smaller field GF (2 r ). In this thesis, we study the theoretical structure of the GHS attack for elliptic curves defined over fields of arbitrary characteristics. We study the GHS attack using general quadratic extensions for elliptic curves defined over composite fields of even characteristic and we estimate the genus of resulting function field. We also implement the GHS attack and present some computational results. Keywords . GHS Attack, Elliptic Curve Cryptography, Function Field

A classification of elliptic curves with respect to the GHS attack in odd characteristic

The GHS attack is known to solve discrete logarithm problems (DLP) in the Jacobian of a curve C_0 defined over the d degree extension field k_d of k:=GF(q) by mapping it to the DLP in the Jacobian of a covering curve C of C_0 over k. Recently, classifications for all elliptic curves and hyperelliptic curves C_0/k_d of genus 2,3 which possess (2,...,2)-covering C/k of P^1 were shown under an isogeny condition (i.e. when g(C) = d * g(C_0)). This paper presents a systematic classification procedure for hyperelliptic curves in the odd characteristic case. In particular, we show a complete classification of elliptic curves C_0 over k_d which have (2,...,2)-covering C/k of P^1 for d=2,3,5,7. It has been reported by Diem that the GHS attack fails for elliptic curves C_0 over odd characteristic definition field k_d with prime extension degree d greater than or equal to 11 since g(C) become very large. Therefore, for elliptic curves over k_d with prime extension degree d, it is sufficient to analyze cases of d=2,3,5,7. As a result, a complete list of all elliptic curves C_0/k which possess (2,...,2)-covering C/k of P^1 thus are subjected to the GHS attack with odd characteristic and prime extension degree d is obtained

Recent progress on the elliptic curve discrete logarithm problem

International audienceWe survey recent work on the elliptic curve discrete logarithm problem. In particular we review index calculus algorithms using summation polynomials, and claims about their complexity

A Generic Approach to Searching for Jacobians

We consider the problem of finding cryptographically suitable Jacobians. By applying a probabilistic generic algorithm to compute the zeta functions of low genus curves drawn from an arbitrary family, we can search for Jacobians containing a large subgroup of prime order. For a suitable distribution of curves, the complexity is subexponential in genus 2, and O(N^{1/12}) in genus 3. We give examples of genus 2 and genus 3 hyperelliptic curves over prime fields with group orders over 180 bits in size, improving previous results. Our approach is particularly effective over low-degree extension fields, where in genus 2 we find Jacobians over F_{p^2) and trace zero varieties over F_{p^3} with near-prime orders up to 372 bits in size. For p = 2^{61}-1, the average time to find a group with 244-bit near-prime order is under an hour on a PC.Comment: 22 pages, to appear in Mathematics of Computatio

Computing endomorphism rings of elliptic curves under the GRH

We design a probabilistic algorithm for computing endomorphism rings of ordinary elliptic curves defined over finite fields that we prove has a subexponential runtime in the size of the base field, assuming solely the generalized Riemann hypothesis. Additionally, we improve the asymptotic complexity of previously known, heuristic, subexponential methods by describing a faster isogeny-computing routine.Comment: 11 pages, 1 figur

Koblitz curves over quadratic fields

In this work, we retake an old idea that Koblitz presented in his landmark paper, where he suggested the possibility of defining anomalous elliptic curves over the base field F4. We present a careful implementation of the base and quadratic field arithmetic required for computing the scalar multiplication operation in such curves. We also introduce two ordinary Koblitz-like elliptic curves defined over F4 that are equipped with efficient endomorphisms. To the best of our knowledge these endomorphisms have not been reported before. In order to achieve a fast reduction procedure, we adopted a redundant trinomial strategy that embeds elements of the field F4^m, with m a prime number, into a ring of higher order defined by an almost irreducible trinomial. We also present a number of techniques that allow us to take full advantage of the native vector instructions of high-end microprocessors. Our software library achieves the fastest timings reported for the computation of the timing-protected scalar multiplication on Koblitz curves, and competitive timings with respect to the speed records established recently in the computation of the scalar multiplication over binary and prime fields