CONOCIENDO NUESTRO AMBIENTE (CUARTA ACTIVIDAD)

Index-calculus algorithms are the most powerful methods known for computing dis- crete logarithms in some groups including the multiplicative groupF∗_q of a finite field, the jacobian JC(Fq)of a hyperelliptic curve C of high genus gdefined over a finite fieldFq, and the class group of an imaginary quadratic number field. It is natural then to ask whether index-calculus methods can lead to subexponential-time algorithms for the ECDLP.

We begin by outlining the index-calculus method in the general setting of an arbitrary cyclic group and illustrate how the method can be adapted to the multiplicative group of a prime field or binary field. We then explain why the natural ways to extend the index- calculus methods to elliptic curve groups are highly unlikely to yield subexponential- time algorithms for the ECDLP.

The main idea behind index-calculus methods

LetGbe a cyclic group of orderngenerated byα. Suppose that we wish to find log_αβ forβ∈G. The index-calculus method is the following.

1. Factor base selection. Choose a subsetS= {p1,p2,...,pt}ofG, called thefac-

tor base, such that a “significant” proportion of elements inG can be efficiently expressed as a product of elements from S. The choice ofSwill depend on the characteristics of the particular groupG.

2. Compute logarithms of elements in S. Select random integersk∈ [0,n−1]until

αk _{can be written as a product of elements inS:}

αk₌ t 6 i=1 pci i , whereci ≥0. (4.6)

Taking logarithms to the base αof both sides of (4.6) yields a linear equation where the unknowns are the logarithms of factor base elements:

k≡

t i=1

cilog_αpi (modn). (4.7)

This procedure is repeated until slightly more thant such equations have been obtained. The resulting linear system of equations can then be solved to obtain log_αpi for 1≤i ≤t.

3. Computelog_αβ. Select random integerskuntilαkβcan be written as a product of elements inS: αk_β= t 6 i=1 pdi i , wheredi ≥0. (4.8)

Taking logarithms to the baseαof both sides of (4.8) yields the desired logarithm ofβ: log_αβ= −k+ t i=1 dilogαpi modn. (4.9)

The running time of the index-calculus algorithm depends critically on the choice of the factor baseS. There is also a trade-off in the sizet ofS. Largert are preferred because then the probability of a random group element factoring overSis expected to be larger. On the other hand, smallert are preferred because then the number of linear equations that need to be collected is smaller. The optimum choice oftdepends on the proportion of elements inGthat factor overS.

Consider now the caseG=F∗_p, the multiplicative group of a prime field. The ele- ments ofF∗_pcan be regarded as the integers in[1,p−1]. There is a natural choice forS, namely the prime numbers≤Bfor some boundB. An element ofF∗_pfactors overSif it isB-smooth, that is, all its prime factors are≤B. The optimal factor base size depends on the distribution ofB-smooth integers in[1,p−1], and yields a subexponential-time algorithm for the DLP inF∗_p. The fastest variant of this algorithm is the number field sieve (NFS) and has an expected running time ofLp[1₃,1.923].

Consider next the caseG=F∗₂m, the multiplicative group of a binary field. The el-

ements ofF∗₂m can be regarded as the nonzero binary polynomials of degree less than m. Hence there is a natural choice forS, namely the irreducible binary polynomials of degree≤B for some bound B. An element ofF∗₂m factors over S if it is B-smooth,

that is, all its irreducible factors have degree≤B. The optimal factor base size depends on the distribution of B-smooth polynomials among the binary polynomials of degree

≤B, and yields a subexponential-time algorithm for the DLP inF∗₂m. The fastest vari-

ant of this algorithm is Coppersmith’s algorithm and has an expected running time of

L2m[1

3,c]for some constantc<1.587.

Failure of index-calculus attacks on the ECLDP

Suppose that we wish to solve instances of the ECDLP in E(Fp) where E : y2 =

x3+ax+bis an elliptic curve defined over the prime fieldFp. For simplicity, suppose thatE(Fp)has prime order so thatE(Fp)= Pfor some P∈E(Fp). The most natural index-calculus approach would first lift E to a curve E defined over the field Q of rational numbers, that is, to a curve E: y2=x3+ax+b wherea,b∈Q anda=

amod pandb=bmod p. Then, thelift of a point R∈E(Fp)is a point R∈E(Q) whose coordinates reduce modulo p to those of R. This lifting process is analogous to the ones used in the index-calculus method described above for computing discrete logarithms in F∗_p and F∗₂m, where elements of F∗_p are “lifted” to integers in Z, and

elements ofF∗₂m are “lifted” to polynomials inF2[z].

The celebrated Mordell-Weil Theorem states that the group structure of E(Q) is

Etors×Zr, where Etors is the set of points in E(Q) of finite order, andr is a non-

negative integer called the rank of E. Furthermore, a theorem of Mazur states that

Etorshas small size—in fact #Etors≤16. Thus a natural choice for the factor base is a

set of points P1,P2,...,Prsuch that P1,P2,...,Pr are linearly independent inE(Q). Relations of the form (4.6) can then be found by selecting multiplesk PofPinE(Fp) until the liftk P7 can be written as an integer linear combination of the basis points in

E(Q):

7

k P=c1P1+c2P2+ ··· +crPr.

Then, reducing the coordinates of the points modulo pyields a desired relation

k P=c1P1+c2P2+ ··· +crPr inE(Fp).

There are two main reasons why this index-calculus approach is doomed to fail. The first is that no one knows how to efficiently lift points inE(Fp)toE(Q). Certainly, for a lifting procedure to be feasible, the lifted points should have smallheight. (Roughly speaking, the height of a pointP∈E(Q)is the number of bits needed to write down the coordinates of P.) However, it has been proven (under some reasonable assumptions) that the number of points of small height in any elliptic curveE(Q)is extremely small, so that only an insignificant proportion of points in E(Fp)can possibly be lifted to points of small height in E(Q)—this is the second reason for unavoidable failure of this index-calculus approach.

For the ECDLP in elliptic curves E over non-prime fieldsFq, one could consider liftingEto an elliptic curve over a number field, or to an elliptic curve over a function

field. These approaches are also destined to fail for the same reasons as for the prime field case.

Of course there may be other ways of applying the index-calculus methodology for solving the ECDLP. Thus far, no one has found an approach that yields a general subexponential-time (or better) algorithm for the ECDLP.