Faster Attacks on Elliptic Curve Cryptosystems

The previously best attack known on elliptic curve cryptosystems used in practice was the parallel collision search based on Pollard's-method. The complexity of this attack is the square root of the prime order of the generating point used. For arbitrary curves, typically deened over GF(p) or GF(2 m), the attack time can be reduced by a factor or p 2, a small improvement. For subbeld curves, those deened over GF(2 ed) with coeecients deening the curve restricted to GF(2 e), the attack time can be reduced by a factor of p 2d. In particular for curves over GF(2 m) with coeecients in GF(2), called anomalous binary curves or Koblitz curves, the attack time can be reduced by a factor of p 2m. These curves have structure which allows faster cryptosystem computations. Unfortunately, this structure also helps the attacker. In an example, the time required to compute an elliptic curve logarithm on an anomalous binary curve over GF(2 163) is reduced from 2 81 to 2 77 elliptic curve operations.