
Weak Fields for ECC

  • Conference paper
Topics in Cryptology – CT-RSA 2004 (CT-RSA 2004)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2964))

Abstract

We demonstrate that some finite fields, including \(\mathbb{F}_{{2}^{210}}\), are weak for elliptic curve cryptography in the sense that any instance of the elliptic curve discrete logarithm problem for any elliptic curve over these fields can be solved in significantly less time than it takes Pollard’s rho method to solve the hardest instances. We discuss the implications of our observations for elliptic curve cryptography, and list some open problems.




Copyright information

© 2004 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Menezes, A., Teske, E., Weng, A. (2004). Weak Fields for ECC. In: Okamoto, T. (eds) Topics in Cryptology – CT-RSA 2004. CT-RSA 2004. Lecture Notes in Computer Science, vol 2964. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-24660-2_28


  • DOI: https://doi.org/10.1007/978-3-540-24660-2_28

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-20996-6

  • Online ISBN: 978-3-540-24660-2

  • eBook Packages: Springer Book Archive
