Constructive and destructive facets of Weil descent on elliptic curves. (English) Zbl 0996.94036
Following previous ideas of G. Frey [ECC ’98, Waterloo (1998)] and S. D. Galbraith and N. P. Smart [7th IMA Conference, Lect. Notes Comput. Sci. 1746, 191-200 (1999; Zbl 0981.94025)] the authors use the Weil descent technique to translate the discrete logarithm problem on an elliptic curve \(E\) over a finite field \(F_{q^n}\) to the discrete logarithm problem on the Jacobian of a hyperelliptic curve \(C\), built by intersecting \(n-1\) hyperplanes associated to the Weil restriction of \(E\) with an \(n\)-dimensional variety over \(F_q\).
The paper studies the case \(q=2^r\), \(r>1\) (the characteristic 2 assumption is crucial in the proof). Nevertheless, at the end of the paper, the authors discuss the situation in the cases \(q=2\), \(n\) prime (the common case in cryptography) and \(q\) odd.
As the title suggests, the paper studies two antagonistic applications of this technique: design of hyperelliptic cryptosystems and cryptanalytic attacks on the original elliptic cryptosystem. The cryptographic implications of the second possibility are obvious, however the authors stress that their method does “not appear to be a threat to standards compliant elliptic curve systems in the real world”.
The GHS attack has been further analysed in other papers. For instance M. Jacobson, A. Menezes and A. Stein [J. Ramanujan Math. Soc. 16, 231-260 (2001; Zbl 1017.11030)] show, for the particular case \(q= 2^5\), \(n=31\), that the method could be successful only with \(2^{33}\) out of the \(2^{156}\) total isomorphism classes of elliptic curves. However S. D. Galbraith, F. Hess and N. P. Smart [EUROCRYPT 2002, Lect. Notes Comput. Sci. 2332, 29-44 (2002)] extend the GHS attack to a much larger class of elliptic curves (in the example of Jacobson, Menezes and Stein to around \(2^{104}\) curves). This seems to strengthen the idea of the cryptographic weakness of the elliptic curves over composite extension fields.
The paper studies the case \(q=2^r\), \(r>1\) (the characteristic 2 assumption is crucial in the proof). Nevertheless, at the end of the paper, the authors discuss the situation in the cases \(q=2\), \(n\) prime (the common case in cryptography) and \(q\) odd.
As the title suggests, the paper studies two antagonistic applications of this technique: design of hyperelliptic cryptosystems and cryptanalytic attacks on the original elliptic cryptosystem. The cryptographic implications of the second possibility are obvious, however the authors stress that their method does “not appear to be a threat to standards compliant elliptic curve systems in the real world”.
The GHS attack has been further analysed in other papers. For instance M. Jacobson, A. Menezes and A. Stein [J. Ramanujan Math. Soc. 16, 231-260 (2001; Zbl 1017.11030)] show, for the particular case \(q= 2^5\), \(n=31\), that the method could be successful only with \(2^{33}\) out of the \(2^{156}\) total isomorphism classes of elliptic curves. However S. D. Galbraith, F. Hess and N. P. Smart [EUROCRYPT 2002, Lect. Notes Comput. Sci. 2332, 29-44 (2002)] extend the GHS attack to a much larger class of elliptic curves (in the example of Jacobson, Menezes and Stein to around \(2^{104}\) curves). This seems to strengthen the idea of the cryptographic weakness of the elliptic curves over composite extension fields.
Reviewer: Juan Tena Ayuso (Valladoli)
MSC:
| 94A60 | Cryptography |
| 14G50 | Applications to coding theory and cryptography of arithmetic geometry |
| 11G07 | Elliptic curves over local fields |
| 11T71 | Algebraic coding theory; cryptography (number-theoretic aspects) |
Keywords:
Weil descent; discrete logarithm problem; elliptic curve; Jacobian; hyperelliptic curve; hyperelliptic cryptosystems; cryptanalytic attacksReferences:
| [1] | Adleman, L.; Marrais, J.; Huang, M.-D.; Adleman, L. M. (ed.); Huang, M-D. (ed.), A subexponential algorithm for discrete logarithms over the rational subgroup of the Jacobians of large genus hyperelliptic curves over finite fields, No. 877, 28-40 (1994), Berlin · Zbl 0829.11068 · doi:10.1007/3-540-58691-1_39 |
| [2] | E. Artin and J. Tate. Class Field Theory. Benjamin, New York, 1967. · Zbl 0681.12003 |
| [3] | I.F. Blake, G. Seroussi and N.P. Smart. Elliptic Curves in Cryptography. Cambridge University Press, Cambridge, 1999. · Zbl 0937.94008 · doi:10.1017/CBO9781107360211 |
| [4] | D.G. Cantor. Computing in the Jacobian of a hyperelliptic curve. Math. Comp., 48, 95-101, 1987. · Zbl 0613.14022 · doi:10.1090/S0025-5718-1987-0866101-0 |
| [5] | C. Chevalley. Introduction to the Theory of Algebraic Functions of One Variable. Mathematical Surveys Number VI. American Mathematical Society, Providence, RI, 1951. · Zbl 0045.32301 · doi:10.1090/surv/006 |
| [6] | A. Enge and P. Gaudry. A general framework for the discrete logarithm index calculus. To appear in Acta Arith. · Zbl 1028.11079 |
| [7] | G. Frey. How to disguise an elliptic curve. Talk at Waterloo workshop on the ECDLP, 1998. http://cacr.math.uwaterloo.ca/conferences/1998/ecc98/slides.html. |
| [8] | G. Frey and H.-G. Rück. A remark concerning m-divisibility and the discrete logarithm problem in the divisor class group of curves. Math. Comp., 62, 865-874, 1994. · Zbl 0813.14045 |
| [9] | Galbraith, S. D.; Smart, N. P., A cryptographic application of Weil descent, No. 1746, 191-200 (1999), Berlin · Zbl 0981.94025 · doi:10.1007/3-540-46665-7_23 |
| [10] | Gaudry, P., An algorithm for solving the discrete logarithm problem on hyperelliptic curves, No. 1807, 19-34 (2000), Berlin · Zbl 1082.94517 · doi:10.1007/3-540-45539-6_2 |
| [11] | F. Heß. Zur Divisorenklassengruppenberechnung in globalen Funktionenkörpern. Dissertation, TU Berlin, 1999. · Zbl 0982.11059 |
| [12] | R. Lidl and H. Niederreiter. Finite Fields. Addison-Wesley, Reading, MA, 1983. · Zbl 0554.12010 |
| [13] | V. Müller, A. Stein and C. Thiel. Computing discrete logarithms in real quadratic function fields of large genus. Math. Comp., 68, 807-822, 1999. · Zbl 1036.11064 · doi:10.1090/S0025-5718-99-01040-6 |
| [14] | J. Neukirch. Algebraic Number Theory. Springer-Verlag, New York, 1999. · Zbl 0956.11021 · doi:10.1007/978-3-662-03983-0 |
| [15] | R. Schoof. Elliptic curves over finite fields and the computation of square roots mod p. Math. Comp., 44, 483-494, 1985. · Zbl 0579.14025 |
| [16] | J. H. Silverman. The Arithmetic of Elliptic Curves. GTM 106. Springer-Verlag, New York, 1986. · Zbl 0585.14026 |
| [17] | Smart, N. P., On the performance of hyperelliptic cryptosystems, No. 1592, 165-175 (1999), Berlin · Zbl 0938.94010 · doi:10.1007/3-540-48910-X_12 |
| [18] | H. Stichtenoth. Algebraic Function Fields and Codes. Springer-Verlag, New York, 1993. · Zbl 0816.14011 |
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.
