Bit Coincidence Mining Algorithm II (Draft)

In [14], Petit et al. shows that under the algebraic geometrical assumption named ”First Fall degree Assumption”, the complexity of ECDLP over binary extension field F2n is in O(exp(n)) where limn→∞ o(1) = 0 and there are many generalizations and improvements for the complexity of ECDLP under this assumption [10], [11], [5], [16]. In [13], the author proposes the bit coincidence mining algorithm, which states that under the heuristic assumption of the complexity of xL algorithm, the complexity of ECDLP E/Fq over arbitrary finite field including prime field, is in O(exp(n)) where n ∼ log2 #E(Fq) ∼ log2 q. It is the first (heuristic) algorithm for solving ECDLP over prime field in subexponential complexity. In both researches, ECDLP reduces to solving large equations system and from each assumption, the complexity for solving reduced equations system is subexponential (or polynomial) complexity. However, the obtained equations system is too large for solving in practical time and space, they are only the results for the complexity. xL algorithm [2], is the algorithm for solving quadratic equations system, which consists of n variables and m equations. Here, n and m are considered as parameters. Put D = D(n,m) by the maximal degree of the polynomials, which appears in the computation of solving equations system by xL. Courtois et al. observe and assume the following assumption; 1) There are small integer C0, such that D(n, n + C0) is usually in O( √ n), and the cost for solving equations system is in O(exp(n)). However, this observation is optimistic and it must have the following assumption 2) The equations system have small number of the solutions over algebraic closure. 1 (In this draft we assume the number of the solutions is 0 or 1) In the previous version’s bit coincidence mining algorithm [13], the number of the solutions of the desired equations system over algebraic closure is small and it can be probabilistically controlled to be 1 and the assumption 2) is indirectly true. For my sense, the reason that xL algorithm, which is the beautiful heuristic, is not widely used is that the general equations system over finite field does not satisfy the assumption 2) (there are many solutions over algebraic closure) and is complexity is much larger. In the previous draft [13], I show that the ECDLP of E(Fq) reduces to solving equations system consists of d − 1 variables and d + C0 − 1 equations where C0 is an arbitrary positive integer and d ∼ C0 × log2 q. So, the complexity for solving ECDLP is in subexponential under the following assumption a) There are some positive integer C0 independent from n, such that solving quadratic equations system consists of n variables and m = n + C0 equations (and we must assume the assumption 2)) by xL algorithm, the maximum degree of the polynomials D = D(n,m), appears in this routine is in O( √ n) in high probability. Here, we propose the new algorithm that ECDLP of E(Fq) is essentially reducing to solving equations system consists of d − 1 variables and b0 2 d equations where b0(≥ 2) is an arbitrary positive integer named block size and d ∼ (b0 − 1) logb0 q. Here, we mainly treat the case block size b0 = 3. In this case, ECDLP is essentially reducing to 1 Generally, the number of the equations m is much larger than the number of the variables n, the number of the solutions seems to be true. However it is not true and the assumption 2) must be needed. For example considering the equations system consists of the union of random quadratic equations p1( −→ X ) = ... = pn/2( −→ X ) = 0, pi ∈ F2[x1, ..., xn] and field equations x1 − x1 = ... = xn − xn = 0 where n is even number and −→ X = (x1, .., xn). From the probabilistic discussion, the average number of the solution of this equations system is 2, although the number of the equations is much larger than the number of the variables. solving equations system consists of about 2 log3 q variables and 3 log3 q equations. So that the desired assumption 1) is always true. Moreover, the number of the solutions (over algebraic closure) of this equations system can be probabilistically controlled to be 1 and the desired assumption 2) is also true. In the former part of this manuscript, the author states the algorithm for the construction of equations system that ECDLP is reduced and in the latter part of this manuscript, the author state the ideas and devices in order for increasing the number of the equations, which means the obtained equations system is easily solved by xL algorithm.