Using Symmetries and Fast Change of Ordering in the Index Calculus for Elliptic Curves Discrete Logarithm

This abstract presents results on polynomial systems involved in an algebraic attack on elliptic curves cryptosystems. The security of these cryptosystems is based on the difficulty to solve the elliptic curves discrete logarithm problem (ECDLP): let E be an elliptic curve defined over a finite field K. The set of its rational points forms a commutative group, E(K). Given two points P and Q of E(K) the ECDLP is to find if it exists, an integer x such that Q = [x]P . The notation [x]P denotes, as usual, the multiplication of P by x. Except for few weak curves (as curves with small enough embedding degree or curves defined over Fp of order p), the best known algorithms to solve the ECDLP are generic algorithms. A generic algorithm is an algorithm to solve the DLP in any group. A result from Shoup [18] shows that these algorithms are exponential in general. Among this algorithms, the Pollard rho method [17] is the most optimal and its complexity is given, up to a constant factor, by the square root of the order of the curve. In [11], it is proposed an index calculus attack to solve the ECDLP defined over a non prime finite field Fqn where n > 1. Later on, Diem [2,1] obtained rigorous proofs that for some particular families of curves the discrete logarithm problem can be solved in subexponential time. Let us recall the principle of the algorithm: given P and Q, two points of E(Fqn), we look for x, if it exists, such that Q = [x]P 1. Compute the factor base F = {(x, y) ∈ E(Fqn) | x ∈ Fq}. 2. Look for at least #F +1 relations of the form: [aj ]P ⊕ [bj ]Q = P1⊕· · ·⊕Pn, where P1, · · · , Pn ∈ F and aj and bj are randomly picked up in Z. 3. Finally, by using linear algebra, recover the discrete logarithm x.