Attacking a Binary GLS Elliptic Curve with Magma

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9230))

Abstract

In this paper we present a complete Magma implementation for solving the discrete logarithm problem (DLP) on a binary GLS curve defined over the field \(\mathbb {F}_{2^{62}}\). For this purpose, we constructed a curve vulnerable to the gGHS Weil descent attack and adapted the algorithm proposed by Enge and Gaudry to solve the DLP on the Jacobian of a genus-32 hyperelliptic curve. Furthermore, we describe a mechanism to check whether a randomly selected binary GLS curve is vulnerable to the gGHS attack. This method works with all curves defined over binary fields and can be applied to each element of the isogeny class.


References

  1. Barbulescu, R., Gaudry, P., Joux, A., Thomé, E.: A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 1–16. Springer, Heidelberg (2014)

  2. Bos, J.W., Costello, C., Hisil, H., Lauter, K.: High-performance scalar multiplication using 8-dimensional GLV/GLS decomposition. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 331–348. Springer, Heidelberg (2013)

  3. Cohen, H., Frey, G., Avanzi, R., Doche, C., Lange, T., Nguyen, K., Vercauteren, F.: Handbook of Elliptic and Hyperelliptic Curve Cryptography, 2nd edn. Chapman & Hall/CRC (2012)

  4. Diem, C.: On the discrete logarithm problem in elliptic curves. Compositio Mathematica 147, 75–104 (2011)

  5. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard) (2008). http://www.ietf.org/rfc/rfc5246.txt

  6. Enge, A., Gaudry, P.: A general framework for subexponential discrete logarithm algorithms. Acta Arithmetica 102(1), 83–103 (2002)

  7. Faugère, J.-C., Perret, L., Petit, C., Renault, G.: Improving the complexity of index calculus algorithms in elliptic curves over binary fields. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 27–44. Springer, Heidelberg (2012)

  8. Faz-Hernández, A., Longa, P., Sánchez, A.H.: Efficient and secure algorithms for GLV-based scalar multiplication and their implementation on GLV-GLS curves. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 1–27. Springer, Heidelberg (2014)

  9. Frey, G.: How to disguise an elliptic curve. In: Talk at ECC 1998 (Workshop on Elliptic Curve Cryptography), Waterloo (1998). http://www.cacr.math.uwaterloo.ca/conferences/1998/ecc98/frey.ps

  10. Galbraith, S.D.: Mathematics of Public Key Cryptography, 1st edn. Cambridge University Press, New York, NY, USA (2012)

  11. Galbraith, S.D., Hess, F., Smart, N.P.: Extending the GHS Weil descent attack. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 29–44. Springer, Heidelberg (2002)

  12. Galbraith, S.D., Lin, X., Scott, M.: Endomorphisms for faster elliptic curve cryptography on a large class of curves. J. Cryptology 24(3), 446–469 (2011)

  13. Galbraith, S.D., Smart, N.P.: A cryptographic application of Weil descent. In: Walker, M. (ed.) Cryptography and Coding 1999. LNCS, vol. 1746, pp. 191–200. Springer, Heidelberg (1999)

  14. Gallant, R.P., Lambert, R.J., Vanstone, S.A.: Faster point multiplication on elliptic curves with efficient endomorphisms. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 190–200. Springer, Heidelberg (2001)

  15. Gaudry, P.: An algorithm for solving the discrete log problem on hyperelliptic curves. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 19–34. Springer, Heidelberg (2000)

  16. Gaudry, P.: Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem. J. Symbolic Comput. 44(12), 1690–1702 (2009)

  17. Gaudry, P., Hess, F., Smart, N.P.: Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptology 15(1), 19–46 (2002)

  18. Gaudry, P., Thomé, E., Thériault, N., Diem, C.: A double large prime variation for small genus hyperelliptic index calculus. Math. Comput. 76, 475–492 (2007)

  19. Hankerson, D., Karabina, K., Menezes, A.: Analyzing the Galbraith-Lin-Scott point multiplication method for elliptic curves over binary fields. IEEE Trans. Comput. 58(10), 1411–1420 (2009)

  20. Hess, F.: Generalising the GHS attack on the elliptic curve discrete logarithm problem. LMS J. Comput. Math. 7, 167–192 (2004)

  21. Hu, Z., Longa, P., Xu, M.: Implementing the 4-dimensional GLV method on GLS elliptic curves with j-invariant 0. Des. Codes Crypt. 63(3), 331–343 (2012)

  22. Joux, A., Vitse, V.: Cover and decomposition index calculus on elliptic curves made practical. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 9–26. Springer, Heidelberg (2012)

  23. Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48(177), 203–209 (1987)

  24. Longa, P., Sica, F.: Four-dimensional Gallant-Lambert-Vanstone scalar multiplication. J. Cryptology 27(2), 248–283 (2014)

  25. Menezes, A., Qu, M.: Analysis of the Weil descent attack of Gaudry, Hess and Smart. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 308–318. Springer, Heidelberg (2001)

  26. Menezes, A., Teske, E., Weng, A.: Weak fields for ECC. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 366–386. Springer, Heidelberg (2004)

  27. Menezes, A.J., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theor. 39(5), 1639–1646 (1993)

  28. Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986)

  29. Nagao, K.: Decomposition attack for the Jacobian of a hyperelliptic curve over an extension field. In: Hanrot, G., Morain, F., Thomé, E. (eds.) ANTS-IX. LNCS, vol. 6197, pp. 285–300. Springer, Heidelberg (2010)

  30. National Institute of Standards and Technology: FIPS PUB 186-4. Digital Signature Standard (DSS). U.S. Department of Commerce (2013)

  31. Oliveira, T., López, J., Aranha, D.F., Rodríguez-Henríquez, F.: Two is the fastest prime: lambda coordinates for binary elliptic curves. J. Cryptographic Eng. 4(1), 3–17 (2014)

  32. Pollard, J.: Monte Carlo methods for index computation (mod p). Math. Comput. 32, 918–924 (1978)

  33. Sarkar, P., Singh, S.: A new method for decomposition in the Jacobian of small genus hyperelliptic curves. Cryptology ePrint Archive, Report 2014/815 (2014). http://eprint.iacr.org/

  34. Sarkar, P., Singh, S.: A simple method for obtaining relations among factor basis elements for special hyperelliptic curves. Cryptology ePrint Archive, Report 2015/179 (2015). http://eprint.iacr.org/

  35. Semaev, I.: Summation polynomials and the discrete logarithm problem on elliptic curves. Cryptology ePrint Archive, Report 2004/031 (2004). http://eprint.iacr.org/

  36. Stebila, D.: Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer. RFC 5656 (Proposed Standard) (2009). http://www.ietf.org/rfc/rfc5656.txt

  37. Tate, J.: Endomorphisms of abelian varieties over finite fields. Inventiones Math. 2(2), 134–144 (1966)

  38. Teske, E.: Speeding up Pollard's Rho method for computing discrete logarithms. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 541–554. Springer, Heidelberg (1998)

Acknowledgments

The authors would like to thank Sorina Ionica, Gora Adj and the reviewers for their valuable comments and suggestions.

Author information

Corresponding author: Thomaz Oliveira.

A Analyzing the Enge-Gaudry Algorithm Balance

In this section, we analyze the balance between the relations collection and the linear algebra phases of the dynamic-base Enge-Gaudry algorithm over the Jacobian of a hyperelliptic curve of genus 45 defined over \(\mathbb {F}_{2^2}\). The subgroup of interest has order \(r = 2934347646102267239451433\), approximately 81.27 bits.

After performing the theoretical balancing computations presented in Sect. 6, we found that the factor base should consist of the irreducible polynomials of degree up to \(m\), with \(m\) in the range \([5, 8]\). We therefore used this range as the reference for selecting the factor base limit. The results are presented in Table 6.

Table 6. Details of different Enge-Gaudry algorithm settings

Compared with the example in Sect. 6, we obtained a larger number of factors per relation. As a result, more irreducible polynomials were added to the factor base and, consequently, the relations collection phase became more costly. In addition, the ratios \(\alpha / \beta \) were greater than those of the genus-32 example (see Table 5).

Fig. 3. Timings for the Enge-Gaudry algorithm with dynamic factor base

The most efficient configuration (\(d = 10\)) was still unbalanced: the relations collection phase was about 36 times slower than the linear algebra phase. Nevertheless, the genus-45 example yielded a more balanced Enge-Gaudry algorithm than the genus-32 one, whose best setting was unbalanced by a factor of 253. One possible reason is that here each linear algebra step operates on operands of about 81 bits, roughly \(2^{30}\) times larger than the operands processed in the genus-32 linear algebra steps.

We expect that, for curves of larger genus, with correspondingly larger subgroups, a fully balanced configuration can be found. The results for each setting of the genus-45 example are shown in Fig. 3.
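The balancing computation referred to above (Sect. 6 itself is not reproduced on this page) can be illustrated with a small cost model. The following Python is an added example and not code from the paper: it counts the monic irreducible polynomials over \(\mathbb {F}_q\) of degree up to \(m\) (the factor base), counts the \(m\)-smooth monic polynomials of degree \(g\) through the generating function \(\prod_{d \le m} (1 - x^d)^{-I_d}\), and compares the expected number of candidate divisors needed to collect one relation per factor base element against a quadratic cost for the sparse linear algebra. The functions, the cost model and the `la_weight` knob are assumptions of this example; a static factor base is assumed, so the dynamic growth and the operand size that the appendix identifies as the sources of the remaining imbalance are not modelled.

```python
# Added example (not from the paper): a simplified relations-collection vs
# linear-algebra cost model for choosing the factor-base degree bound m in
# Enge-Gaudry index calculus on a genus-g hyperelliptic Jacobian over F_q.
# Everything below is an illustrative assumption, not the paper's analysis.

from functools import lru_cache


def mobius(n: int) -> int:
    """Moebius function mu(n) by trial division (n is tiny here)."""
    result, p = 1, 2
    while p * p <= n:
        if n % p == 0:
            n //= p
            if n % p == 0:
                return 0  # square factor
            result = -result
        p += 1
    if n > 1:
        result = -result
    return result


@lru_cache(maxsize=None)
def num_irreducibles(q: int, d: int) -> int:
    """Number of monic irreducible polynomials of degree d over F_q (Gauss's formula)."""
    return sum(mobius(d // e) * q ** e for e in range(1, d + 1) if d % e == 0) // d


def factor_base_size(q: int, m: int) -> int:
    """Static factor base: all monic irreducibles of degree <= m."""
    return sum(num_irreducibles(q, d) for d in range(1, m + 1))


def smooth_count(q: int, g: int, m: int) -> int:
    """Monic degree-g polynomials over F_q whose irreducible factors all have degree <= m.

    Coefficient of x^g in prod_{d<=m} (1 - x^d)^(-I_d), obtained by multiplying
    with 1/(1 - x^d) once per irreducible of degree d (truncated at degree g).
    """
    coeffs = [0] * (g + 1)
    coeffs[0] = 1
    for d in range(1, min(m, g) + 1):
        for _ in range(num_irreducibles(q, d)):
            for n in range(d, g + 1):
                coeffs[n] += coeffs[n - d]
    return coeffs[g]


def smooth_probability(q: int, g: int, m: int) -> float:
    """Assumption: a random reduced divisor behaves like a random monic degree-g polynomial."""
    return smooth_count(q, g, m) / q ** g


def cost_model(q: int, g: int, m: int, la_weight: float = 1.0) -> dict:
    """Rough balance for degree bound m.

    relations_cost: ~B/p candidate divisors must be factored to fill B rows.
    linear_algebra_cost: a sparse B x B system solved by Lanczos/Wiedemann costs
    ~B^2 matrix-vector steps; la_weight (assumed) folds in the per-step cost,
    which grows with the size of the subgroup order r.
    """
    b = factor_base_size(q, m)
    p = smooth_probability(q, g, m)
    relations = b / p
    linear_algebra = la_weight * b * b
    return {"m": m, "factor_base": b, "smooth_prob": p,
            "relations_cost": relations, "linear_algebra_cost": linear_algebra,
            "imbalance": relations / linear_algebra}


def total_cost(q: int, g: int, m: int, la_weight: float = 1.0) -> float:
    c = cost_model(q, g, m, la_weight)
    return c["relations_cost"] + c["linear_algebra_cost"]


def best_degree_bound(q: int, g: int, m_range, la_weight: float = 1.0) -> int:
    """The m in m_range minimising the modelled total cost."""
    return min(m_range, key=lambda m: total_cost(q, g, m, la_weight))


if __name__ == "__main__":
    # The appendix's setting: F_{2^2} and genus 45 (the paper's analysis put m in [5, 8]).
    for m in range(4, 11):
        c = cost_model(4, 45, m)
        print(f"m={m:2d} B={c['factor_base']:7d} p={c['smooth_prob']:.3e} "
              f"rel={c['relations_cost']:.3e} la={c['linear_algebra_cost']:.3e} "
              f"rel/la={c['imbalance']:.1f}")
    print("best m under this model:", best_degree_bound(4, 45, range(4, 11)))
```

Raising `m` by one enlarges the factor base by roughly a factor of \(q\) while the smoothness probability improves more slowly, so `imbalance` falls monotonically with `m`; the crossover where the two phases cost about the same is what the appendix calls a balanced configuration. Increasing `la_weight` (larger subgroup order, more expensive arithmetic per step) pushes the optimum toward a smaller factor base, in line with the observation above that 81-bit operands made the genus-45 run more balanced than the genus-32 run.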

Fig. 4. The ratio of the matrix columns (polynomials in the factor base) and rows (valid relations) over time. The relations collection phase ends when the ratio is equal to one.

In Fig. 4, we show the progression of the ratio \(\dfrac{\text {number of valid relations}}{\text {factor base size}}\) during the relations collection phase. As in the genus-32 case, for larger values of \(d\) the growth rate of the factor base stalled the progress of the relations collection algorithm. Again, one possible remedy is to impose a limit on the factor base size.

The challenge in obtaining an optimal relations collection phase is to balance the average time per relation against the growth rate of the factor base. The goal is a curve which, after the initial vertical rise, heads toward a ratio of one roughly linearly, as in the \(d = 8, 10\) cases.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Chi, JJ., Oliveira, T. (2015). Attacking a Binary GLS Elliptic Curve with Magma. In: Lauter, K., Rodríguez-Henríquez, F. (eds) Progress in Cryptology -- LATINCRYPT 2015. LATINCRYPT 2015. Lecture Notes in Computer Science(), vol 9230. Springer, Cham. https://doi.org/10.1007/978-3-319-22174-8_17

  • DOI: https://doi.org/10.1007/978-3-319-22174-8_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-22173-1

  • Online ISBN: 978-3-319-22174-8
