Analysis of the Ghs Weil Descent Attack on the Ecdlp Over Characteristic Two Finite Fields of Composite Degree
Total Page:16
File Type:pdf, Size:1020Kb
London Mathematical Society ISSN 1461–1570 ANALYSIS OF THE GHS WEIL DESCENT ATTACK ON THE ECDLP OVER CHARACTERISTIC TWO FINITE FIELDS OF COMPOSITE DEGREE MARKUS MAURER, ALFRED MENEZES and EDLYN TESKE Abstract In this paper, the authors analyze the Gaudry–Hess–Smart (GHS) Weil descent attack on the elliptic curve discrete logarithm prob- lem (ECDLP) for elliptic curves defined over characteristic two fi- F nite fields of composite extension degree. For each such field 2N , N ∈[100, 600], elliptic curve parameters are identified such that: (i) there should exist a cryptographically interesting elliptic curve E F over 2N with these parameters; and (ii) the GHS attack is more effi- E(F ) cient for solving the ECDLP in 2N than for solving the ECDLP F on any other cryptographically interesting elliptic curve over 2N . The feasibility of the GHS attack on the specific elliptic curves is ex- F F F F F amined over 2176 , 2208 , 2272 , 2304 and 2368 , which are provided as examples in the ANSI X9.62 standard for the elliptic curve signature scheme ECDSA. Finally, several concrete instances are provided of F N the ECDLP over 2N , composite, of increasing difficulty; these resist all previously known attacks, but are within reach of the GHS attack. 1. Introduction E K = F Let be an elliptic curve defined over a finite field 2N . The elliptic curve discrete logarithm problem (ECDLP) in E(K) is as follows: given E, P ∈ E(K), r = ord(P ) and Q ∈hP i, find the integer λ ∈[0,r − 1] such that Q = λP . We write λ = logP Q. The ECDLP is of interest because its apparent intractability forms the basis for the security of elliptic curve cryptographic schemes. The elliptic curve parameters have to be carefully chosen in order to circumvent some E F known attacks on the ECDLP. We say that an elliptic curve over 2N is cryptographically E(F ) E(F ) = rd r interesting if: (i) # 2N is almost prime (that is, # 2N , where is prime and d ∈{2, 4}) in order to provide maximum resistance to the Pohlig–Hellman [28] and Pollard’s rho [29, 26] attacks; and (ii) r does not divide 2Nj − 1 for each j ∈[1,J], where J F is large enough so that it is computationally infeasible to find discrete logarithms in 2NJ – in order to resist the Weil pairing [24] and Tate pairing [11] attacks. Frey [10] first proposed using Weil descent as a means to reduce the ECDLP in elliptic F curves over 2N to the discrete logarithm problem in an abelian variety over a proper subfield F F 2l of 2N . Frey’s method, which we refer to as the Weil descent attack methodology,was further elaborated by Galbraith and Smart [13]. In 2000, Gaudry, Hess and Smart (GHS) [17] showed how Frey’s methodology could be used (in most cases) to reduce any instance of the Received 12 October 2001, revised 9 September 2002; published 15 November 2002. 2000 Mathematics Subject Classification 94A60, 11Y16, 68W40, 14H52 © 2002, Markus Maurer, Alfred Menezes and Edlyn Teske Downloaded from https://www.cambridge.org/core. IP address: 170.106.202.226, on 27 Sep 2021 at 22:23:44, subject to the Cambridge Core terms of use, available at LMShttps://www.cambridge.org/core/terms J. Comput. Math. 5 (2002) 127–. https://doi.org/10.1112/S1461157000000723174 Analysis of the GHS Weil descent attack ECDLP to an instance of the discrete logarithm problem in the Jacobian of a hyperelliptic F curve over 2l . Since subexponential-time algorithms for the hyperelliptic curve discrete logarithm problem (HCDLP) are known, this could have important implications for the security of elliptic curve cryptographic schemes. The GHS attack was analyzed in [17, 23]. It was proven to fail for all cryptographically F N ∈[ , ] interesting elliptic curves over 2N , where 160 600 is prime. In other words, the hyperelliptic curves C that are produced either have genus too small (whence JC(F2) is too E(F ) small to yield any non-trivial information about the ECDLP in 2N ), or have genus too 16 large (g > 2 − 1, whence the HCDLP in JC(F2) is infeasible). The purpose of this paper is to investigate the applicability of the GHS attack on the ECDLP for cryptographically F N ∈[ , ] interesting elliptic curves over 2N for composite 100 600 . The remainder of this paper is organized as follows. Section 2 provides a brief introduc- tion to the relevant theory of hyperelliptic curves. The GHS Weil descent attack is outlined in Section 3, and an overview of the best methods known for solving the ECDLP and HCDLP is given in Section 4. Our analysis of the applicability of the GHS attack on the ECDLP over characteristic two finite fields of composite extension degree is presented in Section 5. In Section 6, a detailed analysis is presented of the feasibility of the GHS attack on certain elliptic curves specified in the ANSI X9.62 standard. Section 7 lists some ECDLP ‘challenges’ of increasing difficulty, which should resist all previously known attacks, but which are within reach of the GHS attack. Our conclusions are stated in Section 8. 2. Hyperelliptic curves We provide a brief overview of the theory of hyperelliptic curves, relevant to this paper. 2.1. Hyperelliptic curves S Let k = Fq denote the finite field of order q. The algebraic closure of Fq is k = F n C g k n>1 q .Ahyperelliptic curve of genus over is defined by a non-singular equation v2 + h(u)v = f (u), (1) where h, f ∈ k[u],degf = 2g + 1, and deg h 6 g. Let L be an extension field of k. The set of L-rational points on C is C(L) ={(x, y) : x,y ∈ L, y2 + h(x)y = f(x)} ∪ {∞}. The opposite of P = (x, y) ∈ C(L) is Pe = (x, −y − h(x)); we also define ∞=∞e . Note that Pe ∈ C(L). Except for the case g = 1 (since a genus 1 hyperelliptic curve is precisely an elliptic curve), there is no natural group law on the set of points C(L). Instead, one considers the Jacobian of C over k, which is a finite group. 2.2. The Jacobian of a hyperelliptic curve P D0 C m P The setP of degree zero divisors of is the set of formal sums P ∈C(k) P , where mP ∈ Z, mP = 0, and only a finite number of the values of mP are non-zero. D0 is a group under the addition rule X X X mP P + nP P = (mP + nP )P. q Let σ : k → k be the Frobenius map defined by xP7→ x . The mapP σ extends to C(k) by σ σ σ σ (x, y) 7→ (x ,y ) and ∞ 7→ ∞, and to D0 by mP P 7→ mP P . The set of zero Downloaded from https://www.cambridge.org/core. IP address: 170.106.202.226, on 27 Sep 2021 at 22:23:44, subject to the Cambridge Core terms of use, available at https://www.cambridge.org/core/terms128 . https://doi.org/10.1112/S1461157000000723 Analysis of the GHS Weil descent attack divisors defined over k is 0 0 σ Dk ={D ∈ D : D = D}. The function field of C over k, denoted k(C), is the field of fractions of the integral domain 2 of polynomialP functions k[u, v]/(v + h(u)v − f (u)).Forz ∈ k(C), the divisor of z is div(z) = P ∈C(k) vP (z)P , where vP (z) denotes the multiplicity of P as a root of z.Now 0 the set Prink ={div(z) : z ∈ k(C)} is a subgroup of Dk . The Jacobian of C (over k)isthe 0 quotient group JC(k) = Dk /Prink. 2.3. Properties of the Jacobian JC(k) is a finite group. A theorem of Weil’s implies that √ √ 2g 2g ( q − 1) 6 #JC(k) 6 ( q + 1) . (2) If D1 and D2 are in the same equivalence class of divisors in JC(k), we write D1 ∼ D P2. Each equivalenceP class has a unique divisor in reduced form – that is, a divisor m P − ( m )∞ m > P m > P 6=∞ P P 6=∞ P satisfying: (i) P 0 for all ; (ii)P if P 1 and e e P 6= P , then mPe = 0; (iii) mP is equal to 0 or 1 if P = P ; and (iv) mP 6 g. Such a reduced divisor D can be uniquely represented by a pair of polynomials a,b ∈ k[u], where: (i) deg b<deg a 6 g; (ii) a is monic; and (iii) a|(b2 + bh − f). We write D =Pdiv(a, b) to meanP that D = gcd(divP(a), div(b − v))P, where the gcd of two divi- sorsP P 6=∞ mP P − ( P 6=∞PmP )∞ and P 6=∞ nP P − ( P 6=∞ nP )∞ is defined to be P 6=∞ min(mP ,nP )P − ( P 6=∞ min(mP ,nP ))∞. The degree of D is deg a. Cantor’s algorithm [4, 22] can be used to compute the sum of two reduced divisors efficiently, and to express the sum in reduced form. 2.4. Artin’s bound In the above, we considered only the imaginary form of a hyperelliptic curve, and not the real form, for which deg(f ) = 2g + 2 in the defining equation (1). Let C be a hyperelliptic curve (real or imaginary) of genus g over k = Fp with p an odd prime. Then h = 0in(1). Artin [3] showed that (P 2g ν= τν, if deg f = 2g + 1; #JC(k) = P0 − 2g+1 ντ , f = g + .