A Cryptographic Application of Weil Descent

Nigel Smart, Steve Galbraith† Extended Enterprise Laboratory HP Laboratories Bristol HPL-1999-70 26 May, 1999*

function fields, This paper gives some details about how Weil descent divisor class group, can be used to solve the discrete logarithm problem on cryptography, elliptic curves which are defined over finite fields of elliptic curves small characteristic. The original ideas were first introduced into cryptography by Frey. We discuss whether these ideas are a threat to existing public key systems based on elliptic curves.

† Royal Holloway College, University of London, Egham, UK *Internal Accession Date Only Ó Copyright Hewlett-Packard Company 1999

A CRYPTOGRAPHIC APPLICATION OF WEIL DESCENT

S.D. GALBRAITH AND N.P. SMART

Abstract. This pap er gives some details ab out howWeil descent can b e used

to solve the discrete logarithm problem on elliptic curves which are de ned over

nite elds of small characteristic. The original ideas were rst intro duced into

cryptographybyFrey.We discuss whether these ideas are a threat to existing

public key systems based on elliptic curves.

1. Introduction

Frey [4] intro duced the cryptographic community to the notion of \Weil descent",

which applies to elliptic curves de ned over nite elds of the form F with n>1.

This pap er gives further details on how these ideas might be applied to give an

attack on the elliptic curve discrete logarithm problem. We also discuss which

curves are most likely to b e vulnerable to such an attack.

The basic strategy consists of the following four stages which will b e explained

in detail in the remainder of the pap er.

1. Construct the Weil restriction of scalars, A,ofEF .

2. Find a curve, C , de ned over F which lies on A.

3. Pull the discrete logarithm problem back from E F toJacCF .

q q

4. Solve the discrete logarithm problem on JacCF using an index calculus

metho d, based on the Hafner-McCurley algorithm.

Wemust emphasize that this pap er do es not represent a fully develop ed attack

on the elliptic curve discrete logarithm problem. In fact the metho d describ ed here

is rather akin to the Xedni calculus explained by Silverman, see [18] and [10], for

curves over large prime elds of odd characteristic, since although the metho d is

available in theory in practice it is unlikely to ever b e made to work, in the authors

opinion, for curves of cryptographic interest.

In the rst sections we give some details ab out ab elian varieties, curves and the

\Weil restriction" which is an ab elian variety. We also provide more details ab out

the rst 3 stages ab ove. The ideas in these sections are well-known in algebraic

geometry, but they are not well understo o d among the cryptographic community.

In Sections 4 we describ e solutions to some of the underlying problems that

the metho d presents. In Section 5 we give a down to earth explanation of the

whole approach with a very simple example. In this example we construct the Weil

restriction over F of an elliptic curve E over F .

In Section 6 we describ e how the discrete logarithm problem in the divisor class

group of a curve can be solved in heuristic sub-exp onential time relative to the

genus of the curve.

1991 Mathematics Subject Classi cation. Primary: 94A60, 11T71, Secondary: 11Y99, 14H52,

14Q15.

Key words and phrases. function elds, divisor class group, cryptography, elliptic curves. 1

In the nal section we discuss some op en problems and give an argumentofwhy

we do not exp ect most elliptic curves to be vulnerable to a Weil descent attack.

In particular we will explain whywe b elieve comp osite values of n maybeweaker

than prime values, thus p ossibly explaining the choice of some standards b o dies in

precluding comp osite values of n.

2. Curves, Divisor Class Groups and Jacobians

We gather a few relevant facts from algebraic geometry. The main references we

use are Hartshorne [7], Mumford [15] and Milne [12].

A curve C over a eld k is a complete, non-singular variety of dimension 1 over

k . We often deal with curves which are given as a sp eci c ane mo del, which can

cause problems. For instance in this setting the curves are often singular, but we will

nevertheless still call them curves. The usual approach for handling singularities

on a curve, C=k,istotake a sequence of blow-ups, to pro duce a non-singular curve.

This pro cess mayinvolve enlarging the ground eld k . Nevertheless, for any C there

is a non-singular curve, C , called the normalisation see [7], Ex. I I.3.8, whichis

de ned over the same eld k , and a degree one rational map C ! C .

The genus g of a non-singular curve is an imp ortantinvariant of the curve. For

a singular curve one may de ne the geometric genus see [7], Section I I.8, whichis

a birational invariant, as the genus of the normalisation of the curve.

The Jacobian variety JacC of a non-singular curve C of genus g ,over a eld

k , is an ab elian varietyover k of dimension g . One construction of the Jacobian is

as a subset of the g th symmetric p ower, C , of the curve see [12]. We gather

two imp ortant facts ab out the Jacobian of a curve.

Prop osition 1. Suppose C is a non-singular curve over a eld k with a point P

de ned over k . The fol lowing properties hold.

1. Canonical map from C into JacC There is a canonical map f : C !

JacC which takes the point P to the identity element of JacC.

2. Universal property Suppose A is an abelian variety over k and suppose there

is some mapping of varieties : C ! A such that P =0 , then thereisa

unique homomorphism : JacC ! A such that = f .

The divisor class group Pic C of a curve is the group of degree zero divisors

on C , which are de ned over k , mo dulo principal divisors. If C is a non-singular

C are isomorphic as ab elian curveover k with a k -p oint, P , then JacC and Pic

varieties see [12], Theorem 7.6. It is convenient to view prime divisors on the

normalisation as places of the function eld. Since the function eld of a singular

curve is isomorphic to the function eld of its normalisation it follows that we can

de ne the divisor class group of a singular curve C and that it will b e isomorphic

to the divisor class group of its normalisation.

An ab elian variety A over k is simple if it has no prop er ab elian sub-varieties

de ned over k . An ab elian varietyisabsolutely simple if, even when considered over

the algebraic closure k , it is simple. An isogeny is a mapping of ab elian varieties

and so is, in particular, a group homomorphism with nite kernel.

We require the following result.

Prop osition 2 see [15], page 173, Theorem 1. Let A be an abelian variety over

a eld k and let B beanabelian subvariety of A. Then thereisanabelian subvariety

C of A such that A is isogenous to the product B C . 2

A corollary of this statement is the fact that every ab elian variety is isogenous

to a pro duct of simple ab elian varieties in a unique way up to ordering.

Wenow give an application of this prop erty also see [12], p. 199. Supp ose that

A is a simple ab elian variety of dimension d and that we are given a curve C and a

map : C ! A in this pap er the maps maps we will consider will usually have

degree one and we will use the phrase \C lies on A" to represent this situation.

Since the image of the map : JacC ! A is an ab elian subvarietyof A it follows

from the fact that A is simple that the map is surjective and that A is an ab elian

subvarietyof JacC. In other words, one has the following result.

Corollary 3. Let A be a simple abelian variety of dimension d over eld k . Sup-

pose we have a map : C ! A from a non-singular curve C to A. Then the genus

of C is at least d. Furthermore, g C = d if and only if A is isogenous to the

Jacobian of C .

3. Weil Descent

Let k denote a nite eld and K denote a Galois extension of degree n. For

m n

and K = F with example, we could have k = F and K = F or k = F

2 2 2 2

m = n n, which are the two most imp ortant cases for the applications. Let E K

denote some elliptic curveover K ,we assume we wish to solve a discrete logarithm

problem in E K given by

P =[]P ; with P ;P 2 EK:

2 1 1 2

We include the case where E is de ned over k in our discussion, this is the case of

Koblitz curves. Koblitz curves are used in real life situations since they pro duce

ecient cryptographic systems.

The \Weil restriction of scalars" of E over K is an ab elian variety W E of

K=k

dimension n over the smaller eld k .

The pro of that such an ob ject exists is fairly deep. Nevertheless, we can easily

show how W E can be constructed in our case a sp eci c example will be

K=k

given later. First take a basis of K over k and expand the co ordinate functions

on the ane curve E K in terms of the new basis, thus using 2n variables over k .

Expanding out the formulae for the elliptic curve E K and equating co ecients of

the basis of K over k ,we obtain n equations linking our 2n variables. This ane

variety de nes W E and the group law is induced from the group law on the

K=k

elliptic curve.

The following result is stated in [4];

Lemma 4. If E is de ned over k then

W E E k V

K=k

where V is an abelian variety of dimension n 1. If n is coprime to E k then

we have,

V = fP 2 W E :Tr P =Og

K=k K=k

where the traceiscomputed using the mapping from W E to E K .

K=k

Proof. If E is de ned over k then it is clearly an ab elian subvarietyof W E .

K=k

By Prop osition 2 it follows that there is an ab elian subvariety B over k such that

W E is isogenous to E B .

K=k 3

The construction of the Weil restriction implies that a generic p ointofW E

K=k

is ; ;::: ; where is a generic p oint of E=K . It follows that the

subvariety V of W E has co dimension 1.

K=k

Finally, one sees that V is an ab elian subvarietyof W E and, since n is co-

K=k

prime to E k , the subvariety V k has trivial intersection with E k . Therefore,

V is isogenous to B .

We let A denote the `interesting' ab elian variety, de ned over k , on which the

discrete logarithm problem on E K actually lies. In other words

De nition 1. De ne A by

If E is not de ned over k , then set A = W E . Hence dim A = n.

K=k

If E is de ned over k , then set A = V ,from Lemma 4. Hence dim A = n 1.

In general we exp ect the ab elian variety A to b e simple. Indeed, since the original

elliptic curve will have order divisible by a large prime, it is clear by considering

the numberofpoints on A that there must b e a large simple ab elian subvarietyof

We may now give a sketch of the \Weil descent" attack on the elliptic curve

discrete logarithm problem: Given an elliptic curve E over K construct the ab elian

variety A over k as ab ove. Next nd a p ossibly singular curve C de ned over

k lying on A such that C has a k -p oint P at the p oint at in nity of A. By

the universal prop erty of Jacobians there is a mapping of ab elian varieties :

0 0

JacC ! A, where C is the normalisation of C .

The p oints P and P of the discrete logarithm problem in E K corresp ond to

1 2

p oints on Ak inanobvious way, and these p oints may b e pulled-back under to

obtain divisors D and D in Pic Ck whose supp ort is only on the non-singular

1 2

p oints of C such that D =P . Finally, the discrete logarithm problem of D

i i 2

with resp ect to D on Pic C can b e solved using an index calculus metho d.

There are three main problems whichmust b e overcome in order to apply this

metho d.

1. It is necessary to nd curves of small genus on A.

2. It is necessary to pull back p oints on A to divisors on C .

3. It is necessary to have an index calculus metho d for general divisor class

groups.

The main contribution of this pap er is to provide solutions to the latter two of these

problems. The rst problem is the very signi cant and we discuss it further at the

end of the pap er.

4. Pulling Back Along

We shall need to describ e the mapping more explicitly. Let C b e a curveof

genus g over k and let : C ! A be the mapping of C into the ab elian variety

A. Supp ose P is the k -p ointonC whichwe shall assume lies at in nity which

P 0

maps under f = f to the identity elementofA. Recall that elements of Pic C

may b e represented in the form D = E dP where E = Q is an e ective

0 i

i=1

divisor of degree d and where the Q are p oints on C k such that, as a divisor, E

is de ned over k . Note that one usually restricts to d g but the pro cess describ ed

b elowworks for arbitrary values of d. 4

Prop osition 5. The map : Pic C ! Ak is given by

E dP = Q

0 i

i=1

where the addition on the right hand side is addition on the abelian variety A which

can be eciently computed via the addition law on E K .

Proof. The divisor E dP is equal to the sum on Pic C of the divisors

C has the prop erty that f Q = Q P . The canonical map f : C k ! Pic

i i 0

Q P . The mapping : Pic C ! A has the universal prop erty that = f

i 0

and so Q P = Q 2 Ak . Since is a group homomorphism which

i 0 i

preserves the action of the Galois group Gal k=k the result follows.

In practice we will b e using a singular equation for the curve C . The mapping

ab ove still gives a complete description of the map from Pic C to A for the

divisors whose supp ort lies on the non-singular p oints of C .

Toinvert the map wehave to nd a divisor which maps under to a given

p oint, P ,ofA. Wenow describ e how to nd such a divisor.

We will nd p non-singular p oints on C k , where p is to b e determined later.

Call these fP ;::: ;P g and map them to the variety A via the map , to obtain

1 p

Q = P ; i =1;::: ;p:

i i

Thinking of the co ordinates of the p oints as variables, we see that we obtain p

equations in 2p unknowns. Formally using the group law on A applied to these

p oints Q we determine the equations for the co ordinates of the sum

i=1

and then equate this to the given element P . Since A has dimension n this gives

us, roughly, another n equations.

Hence in total wehavep+nequations in 2p unknowns, which de nes a variety

V . So as so on as p > n we exp ect that this de nes a variety of dimension at

least p n. For example, a curve when p = n + 1 and a surface when p = n +2.

Finding a p oint on this variety will pro duce the p oints P and in general these will

b e non-singular p oints on C .

Finding p oints on varieties in high-dimensional spaces is not a computationally

trivial matter. There may also be computational issues which arise when con-

structing this variety. Nevertheless, we do not think that these would b e the main

obstacle to the success of our metho d, since nding a suitable curve, C , on A is

more likely to provide an obstacle to the practicality of our metho d.

We construct the divisors D =Q P , in Pic C, and then

i i 0

D =P;

i=1

as required. A di erent p oint on the variety V will give rise to di erent divisors

D .

0 0

Supp ose now that wehave found two divisors, D and D ,inPic C such that

1 2

0 0

D =P and D =P Let g denote the genus of C and let q denote the size

1 2

1 2 5

of the eld k . We let h = Pic C then by the Weil conjectures we know that

p p

2g 2g

1 q h = 1 ! 1 + q :

i=1

For the moment supp ose wehave determined h. This numb er can b e computed in

p olynomial time using the algorithm due to Pila [17] also see [2] and [9]. The fact

that we know that h is divisible byEK gives us some extra information ab out

h. In any case the value of h will come out in the wash of the metho d describ ed

in Section 6. We shall make the reasonable assumption that E K do es not

divide h.

We compute D =[h=E K ]D in Pic C , and attempt to solve the discrete

logarithm problem

D =[]D

2 1

for the unknown discrete logarithm , in the group Pic C . This is then the

solution to the original discrete logarithm problem on E K .

5. An Example

We give an example to illustrate some of the ideas describ ed ab ove. Let k = F

and let K b e such that K has a Typ e-1 Optimal Normal Basis over k . This means

should b e primitive in the nite eld that n + 1 should b e a prime and that 2

F . Then the n ro ots of

n+1

n+1 n n1

x 1=x 1 = x + x + + x +1

form an Optimal Normal Basis of K over k .

2 4 8

As an example we take a eld with n = 4, for simplicity. Let f ; ; ; g denote

4 3 2

the Optimal Normal Basis of K over k ,sowehave + + + + 1 = 0 and the

2 4 8

element12K is given, in terms of the basis, by1= + + + . Consider the

following elliptic curve de ned over K ,

2 3

Y + XY = X + b 1

where b 6= 0 and b is given by

2 4 8

b = b + b + b + b :

0 1 2 3

By setting

2 4 8

X = x + x + x + x ;

0 1 2 3

2 4 8

Y = y + y + y + y ;

0 1 2 3

where x ;y 2 k, substituting into 1 and equating powers of we obtain four

i i

equations in the eight unknowns, fx ;::: ;x ;y ;::: ;y g. This de nes the ab elian

0 3 0 3

variety A as a 4-dimensional variety in 8-dimensional ane space. Note that if one

tries to construct a pro jective equation for A in the obvious manner then there are

to o many p oints at in nity. For the application wemust rememb er that there is

some pro jective equation for A which only has one p oint which do es not lie on our

ane equation.

The group lawon Acan b e evaluated by translating a p oint

x ;x ;x ;x ;y ;y ;y ;y 2 Ak

0 1 2 3 0 1 2 3

back to the p oint

2 4 8 2 4 8

x + x + x + x ;y + y + y + y 2 EK

0 1 2 3 0 1 2 3 6

and then using the addition formulae on the elliptic curve.

If weintersect A with dim A 1hyp erplanes, in general p osition, which all pass

through the zero elementof A, then we should end up with a variety of dimension

one. By using elimination theory we can then write down the equation of this

variety.

In our example wehave dim A = 4, and the obvious hyp erplanes to cho ose, given

that wewant the degree of the resulting curve to b e small, are

x = x = x = x :

0 1 2 3

Intersecting these with our variety A,we obtain the variety

2 3

y + y x + x + b =0;

0 0 0

3 0

2 3

y +y x +x +b =0;

1 0 1

0 0

V :

2 3

y +y x +x +b =0;

2 0 2

1 0

2 3

y +y x +x +b =0:

3 0 3

2 0

If we then eliminate y by taking the resultant of the rst and fourth of these

equations, and eliminate y by taking the resultant of the second and third, then

we obtain the variety:

4 6 2 3 5 2

y + x + b + y x + x + b x =0;

0 0

2 0 3 0 0 0

V :

4 6 2 3 5 2

y +x +b +y x +x +b x =0:

2 2

0 0 1 0 0 0

Finally by eliminating y from these two equations and setting x = x and y = y

2 0 0

we obtain the ane curve

16 15 24 20 18 17 14 2 12 4 8 8

C : y + x y +x + x + x + x + b x + b x + b x + b :

3 2 1

The only singular p oint on this ane mo del is the p ointatx; y =0;0. There is

also a singularity at the p oint at in nity,above which there will b e several p oints

and one of these will corresp ond to the unique p oint at in nity on the variety A.

The other p oints will corresp ond to p oints on the ane part of A.

To get a feel for this curve, take k = F , this is far to o small for real examples

but it allows us to compute some invariants. We computed the genus, g , for this

curve for all the p ossible values of the b , using the KANT package [3]. For the

following values of the b , which represent exactly half of all p ossible values, we

found that the genus was equal to 8

0; 0; 0; 1; 0; 0; 1; 0; 0; 1; 0; 0; 0; 1; 1; 1;

b ;b ;b ;b =

0 1 2 3

1; 0; 0; 0; 1; 0; 1; 1; 1; 1; 0; 1; 1; 1; 1; 0:

In addition the unit rank was always 3 and the rami cation at in nity was wild.

The value of 0; 0; 0; 0 is precluded since the original elliptic curvemust b e non-

singular. The other values of b ;b ;b ;b pro duce curves which are reducible. As

0 1 2 3

an example, consider b ;b ;b ;b =0;0;1;1, in this case we obtain an irreducible

0 1 2 3

factor given by the curve

8 4 4 6 2 7 12 9 4

C : y + x y + x y + x y + x + x + x =0:

This curve has genus 4, unit rank two and again the place at in nity is wildly

rami ed. Notice that since C has genus four and the dimension of A is four, the

Jacobian of the normalisation of C must b e isogenous to A.

1 7

6. Solving The Discrete Logarithm Problem in the Divisor Class

Group of Certain Curves

Let k b e a nite eld of q elements and let C x; y 2 k [x; y ] denote some irre-

ducible multinomial such that

deg C = N .

C is monic and separable in y .

There is a k -rational p oint, P ,onC at in nity.

We think of C x; y as determining a curvein P , which is p ossibly singular.

We let F = k x[y ]=C denote the function eld of C x; y . The place at in nity,

1,of kx decomp oses in F in the form

1 = 1 ;

i=1

with 1 having inertia degree f . For later use we set e = lcme ;::: ;e and, by

i i 1 s

our third assumption ab ove, wehavef = gcdf ;::: ;f =1.

1 s

Let O denote the integral closure of k [x]inF and let Cl denote the ideal class

group of O and Ker denote the subgroup of Pic C generated by the divisor

classes of all the degree zero divisors with supp ort only at in nity. Since f =1 we

obtain the isomorphism

Pic C Cl Ker;

where an ideal a 2 Cl corresp onds to the degree zero divisor class

D deg aP ;

a 0

where D is the e ective divisor asso ciated to a in the obvious manner.

In this section we shall prove

Theorem 6. If D and D are elements of Pic C such that D =[m]D then

1 2 2 1

we can nd m, i.e. solve the discrete logarithm problem in Pic C , in heuristic

expected running time

O N L 1=2; 3:54 log q ;

as g !1.

Crucial to our algorithm is the following theorem which guarantees that the

factor base weeventually cho ose will generate the whole of Pic C .

Theorem 7. The group Pic C is generated, under the isomorphism above, by

the group Ker and the prime ideals B lying above primes p 2 k [x] with

2 log4g 2

f deg p d e

log q

where f is the inertia degreeof Band g is the genus of K .

Proof. The pro of of the analogous result in [14] extends to our more general situa-

tion.

We set

1=2

g log g

= d e

2 log q 8

and let S denote the set of places i.e. prime ideals, B, lying ab ove a prime

p 2 k [x] such that

deg p :

Since for all B wehavef 1, we can, for suciently large values of g , assume that

the set of such ideals, S , along with the group Ker, generate the group Pic C

under the ab ove isomorphism.

For each irreducible p olynomial p 2 k [x] there are at most N nite places lying

ab ove p. Letting N i denoting the number of monic irreducible p olynomials in

k [x] of degree less than or equal to ,we obtain

X X

q q N

: S N N i N = O q

f q

i=0 i=0

Let S denote the set of places ab ove 1 and set S = S [ S . The set of S -units

1 f 1

of F , i.e. the functions whose supp ort lies solely on S , is denoted by O . Setting

t =S and letting S = S nfB g, for some xed place B 2 S e.g., B = P ,

1 1 1 1 0

we consider the map

O ! Z

f 7! f v f deg p ;

B B

B2S

where v denotes the valuation function at the place B. It is easy to see that the

image of is a lattice 2 Z isomorphic to Pic C and with determinant

Pic C

det = :

f deg p

B2S

6.1. Smo othing a divisor. For our purp oses a divisor will b e called smooth if its

supp ort lies wholly on the set S . In this section let D denote some given divisor of

degree zero which represents some class in Pic C . We wish to construct a divisor

0 0 0

D and a function such that SuppD S and D = D + div .

The basic idea is to add to D a random sum, R , of divisors of degree zero with

supp ort in S ,soD =D+R. We then `reduce' the resulting divisor to obtain a

divisor, D , and a function, , such that D = D + R + div . If we are `lucky'

2 2

then the supp ort of D will lie in S and we will have obtained the required smo oth

divisor D R D . If we are not lucky then we need to take another random sum,

R .

To detect whether D has supp ort on S we can ignore the in nite comp onent and

concentrate on the nite part. Determining the supp ort is then simply a matter of

p olynomial factorization over nite elds which can b e p erformed in probabilistic

p olynomial time.

All that we need now do is explain the metho d of reduction, and how this e ects

the degree of the resulting ideal which corresp onds to D .

Under our assumption on the existence of a p oint P at in nity, the Riemann-

Ro ch theorem then tells us that every element of Pic C is represented by a divisor

of the form

E g P ;

where E is an e ective divisor of degree g . Hence, by using an ecient e ective

Riemann-Ro ch algorithm see for instance, [8] or [19] the divisor D can b e made

to have the form D = E g P where deg E = g . The divisor D is therefore

2 0 2

smo oth if the p olynomial in k [x] of degree at most g , corresp onding to the nite 9

part of E factors into a pro duct of irreducibles all with degree less than or equal to

If q g log g and

over the factor base in one iteration of our smo othing algorithm is given by see

[11]

1+o1g=

Pr =

as !1 and g= !1. Since this is the probability that a p olynomial of degree

g , de ned over k , has all its factors of degree less than or equal to .

6.2. Generating the lattice of relations. We shall describ e a metho d of solving

the discrete logarithm problem which isavariant of the Hafner-McCurley metho d

used in quadratic number and function elds, see [6] and [16]. The analogous

metho d based on the NFS/FFS can b e deduced in an analogous wayby extending

the work of [1] and [5]. In practice the NFS/FFS style metho d may b e more ecient

since one can p erform sieving with this metho d whilst it is hard to see howtodo

this with the Hafner-McCurley based variant. However it is simpler to analyze the

Hafner-McCurley based variant whichwe shall now describ e.

We rep eat the following steps until we obtain a lattice of full rank whose deter-

minant do es not decrease up on running the following algorithm a few more times.

Indeed at this p ointwe can use any partial information wehave from our discus-

sion in Section 3 on the group order of Pic C . This will giveusaneven stricter

stopping criteria and will determine the size of Pic C asaby pro duct.

1. We apply our smo othing algorithm to the trivial divisor D = 0 to obtain a

function and a divisor D such that = div D and SuppD S .

2. Note 2 O so we can compute the image of under and so obtain

an element of the lattice . The valuations of at in nity can be easily

computed in the case of tame rami cation at in nity, i.e when e is coprime

to the characteristic of k , via Puiseux expansions. For the non-tame case

Hamburger-No ether expansions need to b e used.

We exp ect to require just over S elements of the lattice until we obtain a

lattice of full rank, hence we exp ect to need to take in total around T random

power pro ducts in the smo othing algorithm b efore we are nished, where

1+o1g=

N q N g

T = = q :

P r

We notice that

1=2

g g

;

2 log q log g

and so we deduce that

g g

log T = log N log + log q +1+o1 log

1=2 1=2

g log g 2g log q 1

+1+o1 log g log N +

2 log q log g 2

1=2

: 2 log q + o1 log N +glog g 10

Hence the time needed to compute a full lattice of relations is

O N L 1=2; 2 log q + o1 :

We store each computed lattice vector as a column in a matrix A. Hence, at the

end of the algorithm, we hop e that wehave

=fAx: x2Z g

where c is the column dimension of A.

We need to then compute the Hermite Normal Form of A, to obtain a matrix H

which spans the same lattice as A but which is in upp er triangular form. This can

essentially b e done in time, [13],

2 2

O cr r + c log r jAj

where jAj = max ja j, and r is the row dimension of A, whichwe assume to b e

i;j i;j

also equal to the rank of A. Since we are using the Hafner-McCurley metho d we

cannot assume that our matrix will b e sparse. And as wehave

cr=S 1 O q ;

the time needed to p erform the matrix step is,

1=2

log q

O q = L 1=2; 5 :

6.3. Computing Individual Logarithms. Given the one-o cost of computing

the matrix H ab ovewe can then solveany discrete logarithm problem in Pic C

with relative ease. We are given D ;D 2 Pic C and we wish to nd the integer

1 2

m such that

D =[m]D :

2 1

For i =1and2we use our smo othing metho d to obtain a function such that

D div is a divisor with supp ort only on S . Hence in Pic C we can write

i i

D d B :

i j j

B 2S

We then set d =d and compute the matrix

i j B 2S

0 1

1 0 0

@ A

0 1 0

B =

d d H

1 2

Using an analogue of the Hermite Normal Form algorithm we determine a matrix

C , and hence a unimo dular matrix V such that

1 0

z x

A @

: C = BV = 0 y

0 0

We then know that D has order dividing z in the group Pic C . Indeed we exp ect

that z is the order of D in Pic C , and in practice we can assume that z is a large

prime numb er. We also deduce from the matrix C that

[x]D +[y]D 0:

1 2 11

But we know D =[m]D and so

2 1

[x + ym]D 0:

So we obtain the linear congruence for m,

m = x=y mo d z :

Therefore, we can determine a unique solution for m if gcdy; z = 1. Since in

practice we can assume that z is a large prime, we will obtain m unless z divides

y . But this can only happ en if either the matrix A of the earlier section do es not

generate the full lattice or the group Pic C has order divisible by z .

It is reasonable to assume that neither z divides Pic C nor that A generates

a sublattice, hence we conclude that wehave determined the unique solution to our

discrete logarithm problem.

6.4. Discussion. We b elieve that the ab ove algorithm can be proved rigorously

to have sub-exp onential b ehaviour using the standard techniques applied to the

Hafner-McCurley algorithm. We do not do this here since such a result has only

theoretical interest, the existence of a heuristic pro of is enough for the purp oses of

this article.

7. Open Problems and Conclusion

In this pap er wehave outlined a strategy for solving the elliptic curve discrete

logarithm problem and have given some details ab out each of the main steps in this

pro cess. We now address the issue of whether such a strategy is a threat to the

elliptic curve cryptosystems used in practice.

One imp ortant observation is that everything in this pap er only applies to the

case of elliptic curves over elds of the form F with n>1. Elliptic curves over

prime elds are totally immune to these ideas.

The metho d can be broken down into 4 main stages see the Intro duction.

Stage 1 computing an ane equation for the Weil restriction causes no practical

problems.

The actual solution of the discrete logarithm comes from Stage 4, where the index

calculus algorithm describ ed in Section 6 is applied. The motivating problem is to

solve a discrete logarithm problem on an elliptic curve which has approximately q

p oints, but we do this by solving a related discrete logarithm problem in a group

of size q , where g is the genus of the curve C .

If g is very large compared to n then the discrete logarithm problem has b een

buried in a much larger group and so the metho d is not useful. For the Weil

descent to be a danger it is therefore necessary that the genus, g , not grow to o

large in relation to the original degree, n. On the other hand, the index calculus

metho d is sub exp onential only asymptotically i.e., when the eld size is xed at

q and when the value of g is \suciently large". Therefore, for the Weil descent

attacktowork, the values of n and g must strike a balance b etween these con icting

forces.

For Stage 2 it is necessary to nd a curve lying on the ab elian variety A. As

wehave seen, it is imp ortant for Stage 4 that the genus g of C b e large, but not

to o large compared with n. The metho d used in our example to nd such a curve

involves eliminating variables. This leads to a curve whose degree is exp onential

in n and so we exp ect the genus to also be exp onential as long as C is not to o 12

singular. If the genus of C grows exp onentially with n then the complexity of the

Weil descent attackwould b e sub exp onential in q but this is exp onential in terms

of the elliptic curve group size q .

It is not known to the authors what values might b e exp ected for the smallest

p ossible genus for a curve C on suchan A. This question is equivalent to asking

ab out the exp ected dimension for a Jacobian with a given ab elian variety as a

factor. It is therefore an interesting problem to determine if there is a curve C of

genus O n onany such A for some xed d. If such curves exist then it would b e

very interesting to have a metho d for obtaining equations for them in terms of the

variables describing the variety A. When n is small there is a higher chance that

there will b e small genus curves lying on the ab elian variety A this was seen in our

example, when half the time A was actually a Jacobian. When n is large it seems

to b e very unlikely that A have curves on it of genus close to n and so it is unlikely

that the Weil descent metho d would give a practical attack.

For Stage 3 it is necessary to nd a p oint on a large dimensional varietyover

a small nite eld. When n is small then this problem is not dicult to solve. It

is not known to the authors how dicult this is to achieve when n is large. This

question deserves further study.

The Hafner-McCurley style algorithm we describ ed may not be as ecient as

a function eld sievestyle metho d. Also, the algorithm we prop ose requires very

ecient algorithms to add divisors on arbitrary curves. There is still much research

to b e done b efore these problems have truly ecient solutions.

In conclusion, there are several problems which require further analysis b efore

the Weil descent metho d can be fully assessed. We exp ect that, for a random

elliptic curve E over a eld F with n reasonably large, it will b e p ossible to show

that there is a low probability that there are relatively small genus curves on the

Weil restriction of E over F . This means that it is unlikely that the metho d could

ever b e used to solve the elliptic curve discrete logarithm problem on the sort of

curves used in practice. Nevertheless, it seems that the Weil descent is most likely

to succeed for elliptic curves de ned over F where the degree n has a small factor

say of size around 5{15. This may explain why some standards b o dies have only

recommended the use of elliptic curves over prime elds F and elds of the form

form F for prime p.

References

[1] L. Adleman, J. De Marrais, and M.-D. Huang. A sub exp onential algorithm for discrete log-

arithms over the rational subgroup of the Jacobians of large genus hyp erelliptic curves over

nite elds. In ANTS-1 : Algorithmic Number Theory, L.M. Adleman and M-D. Huang,

editors. Springer-Verlag, LNCS 877, 28{40, 1994.

[2] L.M. Adleman, M.-D. Huang. Primality testing and ab elian varieties over nite elds.

Springer LNM 1512, 1992.

[3] M. Dab erkow, C. Fieker, J. Kluners, M. Pohst, K. Ro egner, M. Schornig, and K. Wildanger.

KANT V4. J. Symbolic Computation, 24, 267{283, 1997.

[4] G. Frey. Weil descent. Talk at Waterlo o workshop on the ECDLP, 1998.

http://cacr.math.uwaterlo o.ca/conferences/1998/ecc98/slides.html

[5] S.D. Galbraith, S. Paulus and N.P. Smart. Arithmetic on sup er-elliptic curves. Preprint, 1998.

[6] J.L. Hafner and K.S. McCurley. A rigorous sub exp onential algorithm for computation of class

groups. J. AMS, 2, 837{850, 1989.

[7] R. Hartshorne. Algebraic geometry. Springer GTM 52, 1977.

[8] M.-D. Huang, D. Ierardi. Ecient algorithms for the Riemann-Ro ch problem and for addition

in the Jacobian of a curve. J. Symb olic Computation, 18, 519{539, 1994. 13

[9] M.-D. Huang, D. Ierardi. Counting p oints on curves over nite elds. J. Symb olic Computa-

tion, 25, 1{21, 1998.

[10] M. Jacobson, N. Koblitz, J.H. Silverman, A. Stein and E. Teske. Analysis of the Xedni

calculus attack. Preprint, 1999.

[11] R. Lovorn Bender and C. Pomerance. Rigourous discrete logarithm computations in nite

elds via smo oth p olynomials. In Computational Perspectives on Number Theory. Proc. of a

Conference in honor of A.O.L. Atkin Vol 7 of AMS/International Press Studies in Advanced

Mathematics, Providence, 221{232, 1998.

[12] J.S. Milne. Jacobian Varieties. In Arithmetic Geometry, G. Cornell and J.H. Silverman, edi-

tors. Springer-Verlag, 167{212, 1986.

[13] A. Muller. Eziente Algorithmen fur Probleme der linearen Algebraub er Z. Masters Thesis,

Universitat Saarlandes, Saabrucken, 1994.

[14] V. Muller, A. Stein and C. Thiel. Computing discrete logarithms in real quadratic function

elds of large genus. Math. Comp., 68, 807{822, 1999.

[15] D. Mumford. Ab elian varieties. Oxford, 1970.

[16] S. Paulus. An algorithm of sub-exp onential typ e computing the class group of quadratic

orders over principal ideal domains. In ANTS-2 : Algorithmic Number Theory, H. Cohen,

editor. Springer-Verlag, LNCS 1122, 243{257, 1996.

[17] J. Pila. Frob enius maps of ab elian varieties and nding ro ots of unity in nite elds. Math.

Comp., 55, 745{763, 1990.

[18] J.H. Silverman. The Xedni calculus and the elliptic curve discrete logarithm problem.

Preprint, 1998.

[19] E.J. Volcheck. Computing in the Jacobian of a plane algebraic curve. in ANTS-I, Springer

LNCS 877, 221-233, 1994.

E-mail address : [email protected]. uk

Mathematics Department, Royal Holloway University of London, Egham, Surrey

TW20 0EX, U.K.

E-mail address : [email protected]

Hewlett-Packard Laboratories, Filton Road, Stoke Gifford, Bristol, BS12 6QZ,

United Kingdom 14