Let $E$ be an elliptic curve defined over a finite field $\mathbb{F}_q$, and let $P \in E(\mathbb{F}_q)$ have prime order $n$. Let $G$ be a group of order $n$. Since $n$ is prime, $\langle P \rangle$ and $G$ are both cyclic and hence isomorphic. If one could efficiently compute an isomorphism

$$\psi : \langle P \rangle \to G, \tag{4.10}$$

then ECDLP instances in $\langle P \rangle$ could be efficiently reduced to instances of the DLP in $G$. Namely, given $P$ and $Q \in \langle P \rangle$, we have

$$\log_P Q = \log_{\psi(P)} \psi(Q). \tag{4.11}$$
Isomorphism attacks reduce the ECDLP to the DLP in groups $G$ for which subexponential-time (or faster) algorithms are known. These attacks are special-purpose in that they result in ECDLP solvers that are faster than Pollard's rho algorithm only for special classes of elliptic curves. The isomorphism attacks that have been devised are the following:
(i) The attack on prime-field-anomalous curves reduces the ECDLP in an elliptic curve of order $p$ defined over the prime field $\mathbb{F}_p$ to the DLP in the additive group $\mathbb{F}_p^+$ of integers modulo $p$.
(ii) In the case $\gcd(n, q) = 1$, the Weil and Tate pairing attacks establish an isomorphism between $\langle P \rangle$ and a subgroup of order $n$ of the multiplicative group $\mathbb{F}_{q^k}^*$ of some extension field $\mathbb{F}_{q^k}$.
(iii) The GHS Weil descent attack attempts to reduce the ECDLP in an elliptic curve defined over a binary field $\mathbb{F}_{2^m}$ to the DLP in the jacobian of a hyperelliptic curve defined over a proper subfield of $\mathbb{F}_{2^m}$.
Since a polynomial-time algorithm is known for solving the DLP in $\mathbb{F}_p^+$, and since subexponential-time algorithms are known for the DLP in the multiplicative group of a finite field and for the jacobian of high-genus hyperelliptic curves, these isomorphism attacks can have important implications for the security of elliptic curve cryptographic schemes. We next discuss the cryptographic implications of, and countermeasures to, these attacks.
Attack on prime-field-anomalous curves
An elliptic curve $E$ defined over a prime field $\mathbb{F}_p$ is said to be prime-field-anomalous if $\#E(\mathbb{F}_p) = p$. The group $E(\mathbb{F}_p)$ is cyclic since it has prime order, and hence $E(\mathbb{F}_p)$ is isomorphic to the additive group $\mathbb{F}_p^+$ of integers modulo $p$. Now, the DLP in $\mathbb{F}_p^+$ is the following: given $p$, $a \in \mathbb{F}_p^+$ with $a \neq 0$, and $b \in \mathbb{F}_p^+$, find $l \in [0, p-1]$ such that $la \equiv b \pmod p$. Since $l = b a^{-1} \bmod p$, the DLP in $\mathbb{F}_p^+$ can be efficiently solved by using the extended Euclidean algorithm (Algorithm 2.20) to compute $a^{-1} \bmod p$.
In 1997, Araki, Satoh, Semaev and Smart showed that an isomorphism

$$\psi : E(\mathbb{F}_p) \to \mathbb{F}_p^+$$

can be efficiently computed for prime-field-anomalous elliptic curves. Consequently, the ECDLP in such curves can be efficiently solved, and hence these elliptic curves must not be used in cryptographic protocols. Since it is easy to determine whether an elliptic curve $E$ over a prime field $\mathbb{F}_p$ is prime-field-anomalous (by checking whether $\#E(\mathbb{F}_p) = p$), the Araki-Satoh-Semaev-Smart attack can easily be circumvented in practice.
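The anomaly check and the additive-group DLP from the paragraph above, as an added Python example that is not part of the book. The toy curve $y^2 = x^3 + 3x + 5$ over $\mathbb{F}_7$ was found by exhaustive search for this example and has exactly 7 points; the function names (`count_points`, `is_prime_field_anomalous`, `find_anomalous_curve`, `additive_dlp`) are this example's own. Point counting is done naively with the Legendre symbol, which only works for toy primes; the Araki-Satoh-Semaev-Smart isomorphism $\psi$ itself is not implemented, only the rejection test and the one-inverse solve of the DLP in $\mathbb{F}_p^+$ that the reduction lands in.

```python
# Added example (not from the book): the prime-field-anomalous check and the
# additive-group DLP that the Araki-Satoh-Semaev-Smart reduction lands in.
# Toy curve y^2 = x^3 + 3x + 5 over F_7 (found by exhaustive search) has 7 points.

def legendre(a, p):
    """Legendre symbol (a/p) via Euler's criterion:
    1 for a nonzero square, -1 for a non-square, 0 if p divides a."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def count_points(p, a, b):
    """#E(F_p) for E: y^2 = x^3 + a*x + b, counted naively: each x contributes
    1 + (f(x)/p) affine points, plus the point at infinity.  Feasible only for
    toy p; for real parameters the group order comes from a point-counting
    algorithm (or is published with the curve) and the same check is applied."""
    if (4 * a ** 3 + 27 * b ** 2) % p == 0:
        raise ValueError("singular cubic, not an elliptic curve")
    return 1 + sum(1 + legendre(x ** 3 + a * x + b, p) for x in range(p))

def is_prime_field_anomalous(p, a, b):
    """Rejection test from the text: #E(F_p) == p means E(F_p) is isomorphic to F_p^+."""
    return count_points(p, a, b) == p

def find_anomalous_curve(p):
    """Exhaustive search over (a, b) for a curve with #E(F_p) = p (trace 1).
    Waterhouse's theorem guarantees one exists for every prime p >= 5.
    Returns the first nonsingular (a, b) found, in lexicographic order."""
    for a in range(p):
        for b in range(p):
            if (4 * a ** 3 + 27 * b ** 2) % p and count_points(p, a, b) == p:
                return a, b
    return None

def additive_dlp(p, a, b):
    """DLP in F_p^+: the l in [0, p-1] with l*a = b (mod p).  A single modular
    inverse (extended Euclid; pow(a, -1, p) in Python >= 3.8) solves it, which
    is why an anomalous curve offers no security at all."""
    if a % p == 0:
        raise ValueError("a must be nonzero in F_p")
    return (b * pow(a, -1, p)) % p
```

`find_anomalous_curve(7)` returns `(0, 5)`, i.e. $y^2 = x^3 + 5$ is also anomalous over $\mathbb{F}_7$; in a real parameter check one never searches, one simply compares the published group order $n$ (here $n = \#E(\mathbb{F}_p)$) against $p$ before accepting the curve.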
Weil and Tate pairing attacks
Suppose now that the prime order $n$ of $P \in E(\mathbb{F}_q)$ satisfies $\gcd(n, q) = 1$. Let $k$ be the smallest positive integer such that $q^k \equiv 1 \pmod n$; the integer $k$ is the multiplicative order of $q$ modulo $n$ and therefore is a divisor of $n - 1$. Since $n$ divides $q^k - 1$, the multiplicative group $\mathbb{F}_{q^k}^*$ of the extension field $\mathbb{F}_{q^k}$ has a unique subgroup $G$ of order $n$. The Weil pairing attack constructs an isomorphism from $\langle P \rangle$ to $G$ when the additional constraint $n \nmid (q - 1)$ is satisfied, while the Tate pairing attack constructs an isomorphism between $\langle P \rangle$ and $G$ without requiring this additional constraint. The integer $k$ is called the embedding degree.
For most elliptic curves one expects that $k \approx n$. In this case the Weil and Tate pairing attacks do not yield an efficient ECDLP solver, since the finite field $\mathbb{F}_{q^k}$ has exponential size relative to the size of the ECDLP parameters. (The ECDLP parameters have size $O(\log q)$ bits, while elements of $\mathbb{F}_{q^k}$ have size $O(k \log q)$ bits.) However, some special elliptic curves do have small embedding degree $k$. For these curves, the Weil and Tate pairing reductions take polynomial time. Since subexponential-time algorithms are known for the DLP in $\mathbb{F}_{q^k}^*$, this results in a subexponential-time algorithm for the ECDLP in these special elliptic curves.
The special classes of elliptic curves with small embedding degree include supersingular curves (Definition 3.10) and elliptic curves of trace 2 (with $\#E(\mathbb{F}_q) = q - 1$). These curves have $k \leq 6$ and consequently should not be used in the elliptic curve protocols discussed in this book unless the underlying finite field is large enough so that the DLP in $\mathbb{F}_{q^k}^*$ is considered intractable. We note that constructive applications have recently been discovered for supersingular elliptic curves, including the design of identity-based public-key encryption schemes (see page 199 for references).
To ensure that an elliptic curve $E$ defined over $\mathbb{F}_q$ is immune to the Weil and Tate pairing attacks, it is sufficient to check that $n$, the order of the base point $P \in E(\mathbb{F}_q)$, does not divide $q^k - 1$ for all small $k$ for which the DLP in $\mathbb{F}_{q^k}^*$ is considered tractable.
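The embedding-degree check of the paragraph above, together with the pairing reduction (4.10)/(4.11) that it guards against, as an added Python example that is not from the book. It uses the supersingular curve $y^2 = x^3 + x$ over $\mathbb{F}_{11}$ (a toy parameter chosen here; since $11 \equiv 3 \pmod 4$ the curve has $p + 1 = 12$ points and embedding degree $k = 2$), the order-3 point $P = (5, 3)$, the reduced Tate pairing computed with Miller's algorithm, and the distortion map $\phi(x, y) = (-x, iy)$ into $E(\mathbb{F}_{11^2})$ so that $t_n(P, \phi(P)) \neq 1$. The homomorphism $\psi(R) = t_n(R, \phi(P))$ plays the role of (4.10), and `ecdlp_via_pairing` recovers $\log_P Q$ from $\log_{\psi(P)} \psi(Q)$ as in (4.11); the DLP in $\mathbb{F}_{p^2}^*$ is brute-forced because $n = 3$ is tiny, where a real attack would run an index-calculus method. All function names (`embedding_degree`, `tate_pairing`, `distortion`, ...) are this example's own.

```python
# Added example (not from the book): MOV/Frey-Rueck-style reduction of the ECDLP to
# the DLP in F_{p^2}^* on the supersingular curve y^2 = x^3 + x over F_p, p = 3 (mod 4),
# which has #E(F_p) = p + 1 and embedding degree k = 2.  p = 11 is a toy parameter.
P_MOD = 11

# --- F_{p^2} = F_p[i]/(i^2 + 1); the element a + b*i is stored as the tuple (a, b) ---
def f2_add(u, v): return ((u[0] + v[0]) % P_MOD, (u[1] + v[1]) % P_MOD)
def f2_sub(u, v): return ((u[0] - v[0]) % P_MOD, (u[1] - v[1]) % P_MOD)
def f2_mul(u, v):
    (a, b), (c, d) = u, v
    return ((a * c - b * d) % P_MOD, (a * d + b * c) % P_MOD)
def f2_inv(u):
    a, b = u                                  # (a + bi)^-1 = (a - bi) / (a^2 + b^2)
    s = pow(a * a + b * b, -1, P_MOD)
    return ((a * s) % P_MOD, (-b * s) % P_MOD)
def f2_pow(u, e):
    r, base = (1, 0), u
    while e:
        if e & 1: r = f2_mul(r, base)
        base, e = f2_mul(base, base), e >> 1
    return r

# --- E: y^2 = x^3 + x over F_{p^2}; a point is (x, y) with F_{p^2} coordinates, None is O ---
A_COEFF = (1, 0)

def ec_add(P, Q):
    if P is None: return Q
    if Q is None: return P
    if P[0] == Q[0]:
        if P[1] != Q[1] or P[1] == (0, 0):    # Q = -P (or P is a 2-torsion point)
            return None
        num = f2_add(f2_mul((3, 0), f2_mul(P[0], P[0])), A_COEFF)   # tangent: (3x^2 + a)/2y
        lam = f2_mul(num, f2_inv(f2_mul((2, 0), P[1])))
    else:
        lam = f2_mul(f2_sub(Q[1], P[1]), f2_inv(f2_sub(Q[0], P[0])))
    x3 = f2_sub(f2_sub(f2_mul(lam, lam), P[0]), Q[0])
    return (x3, f2_sub(f2_mul(lam, f2_sub(P[0], x3)), P[1]))

def ec_mul(k, P):
    R = None
    while k:
        if k & 1: R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def distortion(P):
    """phi(x, y) = (-x, i*y): sends E(F_p) to points outside E(F_p), so t_n(P, phi(P)) != 1."""
    return (f2_sub((0, 0), P[0]), f2_mul((0, 1), P[1]))

def line_eval(T, R, Q):
    """Miller's update function: the line l_{T,R} through T and R (tangent if T == R)
    divided by the vertical line v_{T+R} through T + R, both evaluated at Q."""
    if T[0] == R[0] and (T[1] != R[1] or T[1] == (0, 0)):
        return f2_sub(Q[0], T[0])             # T + R = O: l is the vertical x - x_T, v_O = 1
    if T == R:
        num = f2_add(f2_mul((3, 0), f2_mul(T[0], T[0])), A_COEFF)
        lam = f2_mul(num, f2_inv(f2_mul((2, 0), T[1])))
    else:
        lam = f2_mul(f2_sub(R[1], T[1]), f2_inv(f2_sub(R[0], T[0])))
    S = ec_add(T, R)
    l = f2_sub(f2_sub(Q[1], T[1]), f2_mul(lam, f2_sub(Q[0], T[0])))
    return f2_mul(l, f2_inv(f2_sub(Q[0], S[0])))

def tate_pairing(P, Q, n):
    """Reduced Tate pairing t_n(P, Q) = f_{n,P}(Q)^((p^2 - 1)/n), with f_{n,P} built by
    Miller's double-and-add loop.  P must have order n; Q must lie outside E(F_p)."""
    T, f = P, (1, 0)
    for bit in bin(n)[3:]:
        f = f2_mul(f2_mul(f, f), line_eval(T, T, Q))
        T = ec_add(T, T)
        if bit == '1':
            f = f2_mul(f, line_eval(T, P, Q))
            T = ec_add(T, P)
    assert T is None                          # sanity: n*P = O
    return f2_pow(f, (P_MOD * P_MOD - 1) // n)

def embedding_degree(q, n, k_max=20):
    """Smallest k with q^k = 1 (mod n); None if k > k_max, in which case F_{q^k} is far
    too large for the pairing reduction to help.  This is the practitioner's check."""
    for k in range(1, k_max + 1):
        if pow(q, k, n) == 1:
            return k
    return None

def ecdlp_via_pairing(P, Q, n):
    """Isomorphism attack: psi(R) = t_n(R, phi(P)) is an injective homomorphism <P> -> mu_n,
    so log_P Q = log_{psi(P)} psi(Q).  The DLP in mu_n is brute-forced since n is tiny;
    against a real curve with small k this is where index calculus in F_{p^k}^* runs."""
    if Q is None:
        return 0
    S = distortion(P)
    g, h = tate_pairing(P, S, n), tate_pairing(Q, S, n)
    acc = (1, 0)
    for ell in range(n):
        if acc == h:
            return ell
        acc = f2_mul(acc, g)
    raise ValueError("Q is not in <P>")

def demo():
    """#E(F_11) = 12 for y^2 = x^3 + x, so n = 3 and P = (5, 3) has order 3."""
    n, P = 3, ((5, 0), (3, 0))
    assert ec_mul(n, P) is None
    Q = ec_mul(2, P)                          # hidden scalar l = 2, recovered below
    return embedding_degree(P_MOD, n), ecdlp_via_pairing(P, Q, n)
```

`demo()` returns `(2, 2)`: the embedding degree is 2, so the ECDLP in the order-3 subgroup collapses to a DLP in $\mathbb{F}_{11^2}^*$, and the scalar is recovered. For a curve proposed for real use, `embedding_degree(q, n, k_max)` with `k_max` set to the largest $k$ for which the DLP in $\mathbb{F}_{q^k}^*$ is still tractable must return `None`; that is precisely the "does not divide $q^k - 1$ for all small $k$" condition of the text.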
Weil descent
Suppose that $E$ is a non-supersingular elliptic curve defined over a binary field $K = \mathbb{F}_{2^m}$, and suppose that $\#E(\mathbb{F}_{2^m}) = nh$ where $n$ is prime and $h$ is small (e.g., $h = 2$ or $h = 4$). In 1998, Frey proposed using Weil descent to reduce the ECDLP in $E(\mathbb{F}_{2^m})$ to the DLP in the jacobian variety of a curve of larger genus defined over a proper subfield $k = \mathbb{F}_{2^l}$ of $K$. Let $d = m/l$. In Frey's method, referred to as the Weil descent attack methodology, one first constructs the so-called Weil restriction $W_{K/k}$ of scalars of $E$, which is a $d$-dimensional abelian variety over $k$. One then attempts to find a curve $C$ defined over $k$ in $W_{K/k}$ such that (i) there are algorithms for solving the DLP in the jacobian $J_C(k)$ of $C$ over $k$ that are faster than Pollard's rho method; and (ii) ECDLP instances in $E(K)$ can be efficiently mapped to DLP instances in $J_C(k)$.
Gaudry, Hess and Smart (GHS) showed how the $d$-dimensional Weil restriction $W_{K/k}$ can be intersected with $d - 1$ hyperplanes to eventually obtain a hyperelliptic curve $C$ of genus $g$ defined over $k$ from an irreducible component in the intersection. Furthermore, they gave an efficient algorithm that (in most cases) reduces ECDLP instances in $E(K)$ to instances of the hyperelliptic curve discrete logarithm problem (HCDLP) in $J_C(k)$. Now, the Enge-Gaudry index-calculus algorithm for the HCDLP in a genus-$g$ hyperelliptic curve over $\mathbb{F}_q$ has a subexponential expected running time of $L_{q^g}[\sqrt{2}]$ bit operations for $g / \log q \to \infty$. Thus, provided that $g$ is not too large, the GHS attack yields a subexponential-time algorithm for the original ECDLP.
It was subsequently shown that the GHS attack fails for all cryptographically interesting elliptic curves over $\mathbb{F}_{2^m}$ for all prime $m \in [160, 600]$. Note that such fields have only one proper subfield, namely $\mathbb{F}_2$. In particular, it was shown that the hyperelliptic curves $C$ produced by the GHS attack either have genus too small (whence $J_C(\mathbb{F}_2)$ is too small to yield any non-trivial information about the ECDLP in $E(\mathbb{F}_{2^m})$), or have genus too large ($g \geq 2^{16} - 1$, whence the HCDLP in $J_C(\mathbb{F}_2)$ is infeasible using known methods for solving the HCDLP). The GHS attack has also been shown to fail for all elliptic curves over certain fields $\mathbb{F}_{2^m}$ where $m \in [160, 600]$ is composite; such fields include $\mathbb{F}_{2^{169}}$, $\mathbb{F}_{2^{209}}$ and $\mathbb{F}_{2^{247}}$.
However, the GHS attack is effective for solving the ECDLP in some elliptic curves over $\mathbb{F}_{2^m}$ where $m \in [160, 600]$ is composite. For example, the ECDLP in approximately $2^{94}$ of the $2^{162}$ isomorphism classes of elliptic curves over $\mathbb{F}_{2^{161}}$ can be solved in about $2^{48}$ steps by using the GHS attack to reduce the problem to an instance of the HCDLP in a genus-8 hyperelliptic curve over the subfield $\mathbb{F}_{2^{23}}$. Since Pollard's rho method takes roughly $2^{80}$ steps for solving the ECDLP in cryptographically interesting elliptic curves over $\mathbb{F}_{2^{161}}$, the GHS attack is deemed to be successful for the $2^{94}$ elliptic curves.
Let $\mathbb{F}_{2^m}$, where $m \in [160, 600]$ is composite, be a binary field for which the GHS attack exhibits some success. Then the proportion of elliptic curves over $\mathbb{F}_{2^m}$ that succumb to the GHS attack is relatively small. Thus, if one selects an elliptic curve over $\mathbb{F}_{2^m}$ at random, then there is a very high probability that the elliptic curve will resist
descent attack methodology—there may be other useful curves which lie on the Weil restriction that were not constructed by the GHS method. Thus, to account for potential future developments in the Weil descent attack methodology, it seems prudent to altogether avoid using elliptic curves over $\mathbb{F}_{2^m}$ where $m$ is composite.