MASTERS THESIS IN MATHEMATICS

The Use of Elliptic Curves in Cryptography

Tibor Juhas

May, 2007

FACULTY OF SCIENCE
Department of Mathematics
University of Troms

Contents
1

Introduction to cryptography

1.1 The objectives of cryptography

1.2 Symmetric key algorithms

1.3 Public key algorithms

Introduction to elliptic curves

2.1 Elliptic curves over finite fields

12

2.2 Curves in fields of characteristic p > 3

13

2.3 Curves in fields of characteristic 2

13

General attacks on the ECDLP

15

3.1 The Pohlig-Hellman and BSGS attacks

15

3.2 Pollards algorithm

17

3.3 Better random walks

19

3.3.1 Linear and combined walk

19

3.4 Parallel collision search

22

3.5 Improving the algorithm

23

3.6 Anomalous binary curves

24

3.7 Further improvement and practice

26

3.8 Pollards algorithm

28

3.9 The Wiener-van Oorschot parallelization

of the algorithm

31

3.10 Pollards parallelization of the algorithm

34

Special attacks for solving the ECDLP

37

4.1 Pairing based attacks on ECDLP

37

4.1.1 Divisor theory

37

4.1.2 The Weil pairing

39

4.1.3 The MOV reduction

44
1

4.1.4 The modified MOV algorithm

45

4.1.5 Application of the algorithm to general

elliptic curves

47

4.1.6 The Tate-Lichtenbaum pairing

47

4.1.7 The Frey-Ruck attack

49

4.1.8 Comparing the pairing attacks

50

4.2 The Smart attacks against anomalous curves

51

4.2.1 Introduction to the padic numbers

51

4.2.2 Theoretical tools necessary for the attack

52

4.2.3 The reduction

55

The use of hyperelliptic curves in attacking

the ECDLP

57

5.1 Basic definitions and properties

57

5.2 The discrete logarithm problem on

hyperelliptic curves

63

5.3 The Gaudry, Hess and Smart (GHS) attack

on the ECDLP

64

Summary

68

References

69

Introduction to cryptography

1.1

The objectives of cryptography

Suppose that someone wants to send a message either by letter or electronically

to a receiver, and wants to be sure that no-one else can read the message.
However, there is the possibility that someone else opens the letter or reads
the electronic communication. The solution to this problem is cryptography.
Cryptography enables us to store sensitive information or transmit it across
insecure networks, like the Internet, so that it cannot be read by anyone else
except the intended recipient. Cryptography is the science of using mathematics to encrypt and decrypt messages. In cryptographic terminology, the
original, undisguised message is called plain text or cleartext. Encoding the
contents of the message in such a way that it hides its contents from outsiders is called encryption. The encrypted message is called ciphertext. The
process of retrieving the plaintext from the ciphertext is called decryption.
Modern cryptography, as applied in the commercial world, is concerned with
a number of problems. The most important of these are:
1) Confidentiality, which is the process of keeping information private
and secret so that only the intended recipient is able to understand it.
2) Authentication, which is the process of providing proof of identity of
the sender to the recipient, so that the recipient can be assured that the
person sending the information is who or what he or she claims to be.
3) Integrity, which is the method to ensure that information is not tempered with during its transit or its storage on the network.
4) Non-repudiation, which is the method to ensure that information cannot be disowned. Once the non-repudiation process is in place, the sender
cannot deny being the originator of the information.
3

1.2

Symmetric key algorithms

Both encryption and decryption make use of a key and are parts of a cryptographic algorithm or system. There are two classes of key based algorithms,
symmetric or secret-key and asymmetric or public key algorithms. The difference is that symmetric algorithms use the same key for both encryption
and decryption (or the decryption key is easily derived from the encryption
key), whereas the asymmetric algorithms use a dierent key for encryption
and decryption, and the decryption key cannot be derived from the encryption key. Symmetric algorithms can be divided into stream ciphers and block
ciphers. Stream ciphers encrypt a single bit of plaintext at a time, whereas
block ciphers take a number of bits (typically 64 bits in modern ciphers)
and encrypt them as a single unit. The most studied and probably the
most widely spread symmetric cipher is DES or Data Encryption Standard.
Because of the increase in the computing power of computers, the basic version of DES cannot be considered suciently safe anymore. Therefore a
new, more powerful cipher called AES or Advanced Encryption Standard
was standardized in 2001. Other popular and respected algorithms include
Twofish, Serpent, CAST5, RC4, TDES and IDEA.
The main problem with symmetric key algorithms is that since the sender
and the receiver have to agree on a common key, a secure channel is required
between them in order to exchange the key. Transferring the key over the
Internet either in an e-mail message or through simple IRC services is insecure. Verbally communicating the key over a phone line runs the risk of
eavesdropping. Similarly, snail mail runs the risk of possible interception.
The security risks that are involved in secret key cryptography have been, to
a large extent, overcome in public key cryptography.
4

1.3

Public key algorithms

Public key cryptography uses a key pair instead of just one secret key. Of
this key pair, one key, known as the private key, is always kept secret by the
key holder and is used for decryption. The private key is not transferred to
anyone and is stored securely by the holder. The key used for encryption is
the public key and is freely distributable, for instance it can be placed on one
of the many public key repositories on the Internet. Over the past 30 years,
public key cryptography has become a mainstay for secure communications
over the Internet and throughout many other forms of communications. It
provides the foundation for both digital signatures and key management.
For digital signatures, public key cryptography is used to authenticate the
origin of data and protect the integrity of that data. In key management,
public key cryptography is used to distribute the secret keys used in other
cryptographic algorithms (e.g. DES). The technique is to use a public key
algorithm to encrypt a randomly generated encryption key, and the random
key is used to encrypt the actual message using a symmetric algorithm. This
combined technique is used widely. It is used for Secure Shell (SSH), which is
used to secure communication between a client and a server and PGP (Pretty
Good Privacy) for sending messages. Above all, it is the heart of SSL (Secure
Socket Layer), which is the most widely deployed and used security protocol on the Internet today. The protocol has withstood years of scrutiny by
the security community and is now trusted to secure virtually all sensitive
web-based applications ranging from on-line banking and stock trading to
e-commerce. SSL oers encryption, source authentication and integrity protection for data exchanged over insecure, public networks. It operates above
a reliable transport service like TCP and has the flexibility to accommodate
dierent cryptographic algorithms for key agreement, encryption and hashing. However, the specification does recommend particular combinations of
these algorithms, called cipher suites, which have wellunderstood security
5

properties. For example, a cipher suite such as RSA-RC4-SHA would indicate RSA as the key exchange mechanism, RC4 for bulk encryption, and
SHA as the hashing function. Here we note that hashing function are very
fast cryptographic functions that take a message of arbitrary length and produce a message digest of specified size. The two main components of SSL
are the Handshake protocol and the Record Layer protocol. The Handshake
protocol allows an SSL client and server to negotiate a common cipher suite,
authenticate each other, and establish a shared master secret using public
key cryptographic algorithms. The Record Layer derives symmetric-keys
from the master secret and uses them with faster symmetric-key algorithms
for bulk encryption and authentication of application data. Public key cryptographic operations are the most computationally expensive portion of SSL
processing. SSL allows the re-use of a previously established master secret,
resulting in an abbreviated handshake that does not involve any public key
cryptography, and requires fewer and shorter messages. However, a client and
server must perform a full handshake on their first interaction. Moreover,
practical issues such as server load, limited session cache and naive Client
authentication are optional. Only the server is typically authenticated at the
SSL layer and client authentication is achieved at the application layer, e.g.
through the use of passwords sent over an SSL-protected channel.
The two most important first generation public key algorithms used to
secure the Internet today are known as RSA and Die-Hellman (DH). The
security of the first is based on the diculty of factoring the product of two
large primes. The second is related to a problem known as the discrete logarithm problem for finite groups. Both are based on the use of elementary
number theory. The majority of public key systems in use today use 1024bit parameters for RSA and Die-Hellman. The US National Institute for
Standards and Technology has recommended that these 1024-bit systems are
sucient for use until 2010. After that, NIST recommends that they be up6

graded to something providing more security. The question is what should

these systems be changed to? One option is to simply increase the public
key parameter size to a level appropriate for another decade of use. Another option is to take advantage of the past 30 years of public key research
and analysis and move from first generation public key algorithms and on
to elliptic curves. The length of a key, in bits, for a conventional encryption algorithm is a common measure of security. The following table taken
from [63] gives the key sizes recommended by the National Institute of Standards and Technology to protect keys used in conventional encryption algorithms like the (DES) and (AES) together with the key sizes for RSA, DieHellman and elliptic curves that are needed to provide equivalent security:
Table 1: Comparison of key sizes
Symmetric key
size (bits)
80
112
128
192
256

RSA and Die-Hellman

key size (bits)
1024
2048
3072
7680
15360

Elliptic curve
key size (bits)
160
.
224
256
384
512

To use RSA or Die-Hellman to protect 128-bit AES keys one should use
3072-bit parameters: three times the size in use throughout the Internet
today. The equivalent key size for elliptic curves is only 256 bits. We can
see that as symmetric key sizes increase the required key sizes for RSA and
Die-Hellman increase at a much faster rate than the required key sizes for
elliptic curve cryptosystems. Hence, elliptic curve systems oer more security per bit increase in key size than either RSA or Die-Hellman public key
systems.
The mathematical problems that RSA and Die-Hellman owe their security are the problem of integer factorization and the discrete logarithm
problem, respectively. The reason why such a large keys are necessary in
7

the implementation of RSA and Die-Hellman cryptosystems is that there

are well known sub-exponential time attacks on the mathematical problems
which these systems are based upon.
The mathematical problem that elliptic curve cryptosystems rely on is
the discrete logarithm problem over elliptic curves or ECDLP. The reason
why such short key lengths may be used in the implementation of cryptosystems based on elliptic curves is that there is no known sub-exponential time
attack on the underlying mathematical problem when it is applied over a
generic elliptic curve. The objective of this thesis is to try and prove this
last statement.
The reminder of this thesis is organized as follows. Section 2 presents
a short introduction to the parts of the theory of elliptic curves that are
relevant for our work. Section 3 present an overview of attacks that are
applicable for general elliptic curves. The focus will be on the in depth
presentation and analysis of attacks proposed by Pollard. These are the best
known attacks on ECDLP over general elliptic curves. Section 4 present
purpose built attacks that exploit weaknesses in special type of elliptic curves.
Section 5 present an introduction to the theory of hyperelliptic curves and
their application in attacking the ECDLP.

Introduction to elliptic curves

We will now introduce some basic facts about the elliptic curves. This introduction will describe those parts of the theory of elliptic curves which are
relevant for cryptography and the definitions will be given from a cryptographic point of view. A profound treatment of the general theory of elliptic
curves is given in [52] and [53].
Let k be a field, k its algebraic closure and k its multiplicative group.
The projective plane P2 (k) over k is the set of equivalence classes of the
relation acting on k3 \{(0, 0, 0)}, where (x1 , y1 , z1 ) (x2 , y2 , z2 ) if and only
if there exists u k such that x1 = ux2 , y1 = uy2 , and z1 = uz2 .

Definition 1 An elliptic curve over k is defined as the set of solutions in

the projective plane P2 (k) of a homogeneous Weirstrass equation of the form
E : Y 2 Z+a1 XY Z+a3 Y Z 2 = X 3 +a2 X 2 Z+a4 XZ 2 +a6 Z 3
with a1 , a2 , a3 , a4 , a6 k. This equation is referred to as the long Weierstrass

form.

Such a curve should be non-singular in the sense that, if the equation is

written in the form F (X, Y, Z) = 0, then the partial derivatives of the curve
equation F/X, F/Y and F/Z should not vanish simultaneously at
any point on the curve. If all three partial derivatives vanish at some point
P , then P is called a singular point and the equation is said to be singular.
The curve has exactly one point with Z - coordinate equal to 0, namely
(0, 1, 0). This point is called the point at infinity and is denoted by O.
For convenience reasons it is usual to write the Weierstrass equation using
ane coordinates x = X/Z, y = Y /Z,
y 2 +a1 xy+a3 y = x3 +a2 x2 +a4 x+a6 .
An elliptic curve E is then the set of solutions to this equation in the ane
9

plane A2 (k) = k k, together with the extra point at the infinity O. If the
coecients of the equation are in k, then E is said to be defined over k, and
this is denoted as E/k. If E is defined over k, then the set of k - rational
points of E, denoted E(k), is the set of points whose both coordinates lie in
k, together with the point O.
Let E be a curve given by the ane Weierstrass equation. We define the
quantities
d2 = a21 + 4a2
d4 = 2a4 + a1 a3
d6 = a23 + 4a6
d8 = a21 a6 + 4a2 a6 a1 a3 a4 + a2 a23 a24
c4 = d22 24d4

= d22 d8 8d34 27d26 + 9d2 d4 d6

j(E) = c34 /.

Definition 2 Discriminant and jinvariant

The quantity is called the discriminant of the Weierstrass equation,
while j(E) is called the j-invariant of E if 6= 0.
The Weierstrass equation is non-singular if and only if 6= 0. The
jinvariant is closely related to the notion of elliptic curve isomorphism.
Two elliptic curves, E1 /k and E2 /k that are isomorphic over k have the
same jinvariant, i.e. j(E1 ) = j(E2 ). Conversely, two curves with the same
jinvariant are isomorphic over k.
Definition 3 Point addition
The points on an elliptic curve form an abelian group under a certain
addition. The addition operation of two points P, Q E(k) is defined as
follows:
10

1. draw a line through P and Q which intersects the curve at a point T .

2. draw a vertical line through T which intersects the curve at a point R
and define P + Q = R.

If P = Q 6= O then the line in step 1 is the tangent line of the curve

through P . Adding P to O means that the line drawn in step 1 is the vertical
line passing through P , because O is infinitely far and the vertical line in step
2 is the same as the line in step 1, which intersects the curve at the same point
P . This means that P +O = P and O+P = P and O is the identity element.
The inverse of P , denoted P , requires P + (P ) = O. According to the
addition rule we can find that P = (x1 , y1 a1 x1 a3 ). The formal definition
of addition in E(k) is as follows. Suppose P = (x1 , y1 ) and Q = (x2 , y2 ) are
points on E other than O. If x1 = x2 and y1 + y2 + a1 x2 + a3 = 0, then
P + Q = O. Otherwise P + Q = (x3 , y3 ), where
x3 = 2 + a1 a2 x1 x2
y3 = (+a1 )x3 a3

and

y y
2
1

x2 x1

if P 6= Q.

y x y x
1 2
2 1

x2 x1

if P 6= Q.

3x21 + 2a2 x1 + a4 a1 y1

, if P = Q.
2y1 + a1 x1 + a3

x31 + a4 x1 + 2a6 a3 y1

, if P = Q.
2y1 + a1 x1 + a3
11

2.1

Elliptic curves over finite fields

Over a finite field Fq , E(Fq ) is an abelian group of rank 1 or 2. The type of the
group is (n1 , n2 ), i.e., E(Fq )e
=Zn1 Zn2 , where n2 | n1 , and furthermore n2 |
(q1).
The number of rational points on a curve is finite, and it will be denoted by
#E(Fq ).

Definition 4 Trace of the Frobenius

The quantity t, defined by
t = q + 1 #E(Fq )
is called the trace of Frobenius at q. The trace of Frobenius satisfies
| t | 2q. The Frobenius endomorphism is a map which sends (x, y)

to (xq , y q ) and fixes O.

The problem of determining the order of the group of points on an elliptic

curve over a finite field is of critical importance in cryptographic applications. This is because the best method for generating elliptic curves suitable
for cryptography depends on the ability of solving this problem. There are
several approaches, but the best known algorithm is due to Schoof [47]. Although the original algorithm has polynomial running time, it is inecient
in practice. It was further developed thanks to the ideas and improvements
of Elkies [10] and Atkin [2].
Practical implementations of elliptic curve cryptosystems are usually based
on either the field Fp , where p is a large prime number, or F2n , fields with
characteristic 2.
12

2.2

Curves in fields of characteristic p > 3

Assume that k = Fq , where q = pn for a prime p > 3 and an integer

n 1. The curve equation over k in this case can be simplified to the short
Weierstrass form
E : y 2 = x3 +ax+b.
The discriminant of the curve then reduces to = 16(4a3 + 27b2 ), and its
jinvariant to j(E) = 1728 (4a)3 /. The inverse of the point P = (x1 , y1 )

is now P = (x1 , y1 ). The addition rules are as follows: for the points
P = (x1 , y1 ) and Q = (x2 , y2 ) the coordinates of the point P + Q = (x3 , y3 ),
Q 6= P , are given as
x3 = 2 x1 x2
y3 = (x1 x3 )y1
where

2.3

y y
2
1

x2 x1

if P 6= Q.

3x21 + a

, if P = Q.
2y1

Curves in fields of characteristic 2

We assume now that k = Fq , where q = 2n , for an integer n 1. In this case,

the expression for the jinvariant reduces to j(E) = a12

1 /. In characteristic
2 we can dierentiate between two cases, j(E) = 0, i.e. a1 = 0 and j(E) 6=
0. The condition j(E) = 0 is equivalent to the curve being supersingular.
This is a type of curves avoided in cryptography for reasons to be explained
later. We will even though describe this case for reasons of completeness.
If j(E) 6= 0 then the curve equation over k reduces to
E : y 2 +xy = x3 +a2 x2 +a6 .
13

The discriminant of the curve then reduces to = a6 , and its jinvariant

to j(E) = 1/a6 . The inverse of the point P = (x1 , y1 ) is given as P =
(x1 , y1 + x1 ).

The coordinates of the sum P + Q = (x3 , y3 ) of P and

Q = (x2 , y2 ), Q 6= P , are given as

2
y1 + y2
y1 + y2

x1 + x2 + x1 + x2 + x1 + x2 + a2 , if P 6= Q.
x3 =

if P = Q.
x21 + a6 ,
x21

and

y
+
y

1
2

(x1 + x3 ) + x3 + y1 , if P =

6 Q.

x1 + x2
y3 =

y1

2
if P = Q.

x3 + x3 ,
x1 + x1 +
x1

If j(E) = 0 then the curve equation over k reduces to

E : y 2 +a3 y = x3 +a4 x+a6 .

The discriminant of the curve then reduces to = a43 . The inverse of the
point P = (x1 , y1 ) is given as P = (x1 , y1 + a3 ). The coordinates of the
sum P + Q = (x3 , y3 ) of P and Q = (x2 , y2 ), Q 6= P are given as

2
y1 + y2

+ x1 + x2 , if P 6= Q.

x1 + x2
x3 =

x4 + a2

if P = Q.

1 2 4,
a3
and

y3 =

y
+
y

1
2

(x1 + x3 ) + y1 + a3 , if P 6= Q.

x1 + x2
2

x1 + a4

(x1 + x3 ) + y1 + a3 ,

a3
14

if P = Q.

General attacks on the ECDLP

The attack in this section are general in the sense that they can be applied to
attack the ECDLP over any elliptic curve, they do not exploit any possible
weaknesses on the curve. The main focus of the section is to give an in depth
analysis of the best known attacks, namely the parallelized Pollard and
methods.

3.1

The Pohlig-Hellman and BSGS attack

We start by examining the algorithms that work for any cyclic finite abelian
groups. But, first of all we have to define the elliptic curve discrete logarithm
problem: Let E(k) be an elliptic curve defined over the ground field k =Fq
and P a point of order n from the curve. Given another point Q E(k) we
have to find such that Q = P, 0 n 1, if such an integer exists.
The most obvious method of solving the ECDLP is exhaustive search.
One computes R = []P for = 1, 2, 3, ..., and checks whether R = Q.
When equality is reached we conclude = . The algorithm has no storage
requirements, but has a running time of O(N), where N is the order of the
group, in both the average and worst case.
Pohlig and Hellman have observed that the DLP in a group G is only as
hard as the discrete logarithm problem in the largest prime subgroup of G.
A very important consequence of this is that for elliptic curve cryptography
we select elliptic curves such that #E(k) = N = h l, where l is a large
prime an the cofactor h is very small, usually h = 1, 2 or 4. The details of
the algorithm can be found in [5].
As a consequence of the Pohlig-Hellman simplification we can concentrate
on solving the DLP in groups of prime order. One way to do this is to use
Shanks the Baby-step/Giant-step, BSGS, algorithm.
For the start we have a group G = hP i, which we now assume to have
prime order l. As before we are given Q G, and we want to find (mod l)
15

such that Q = []P .

We define as:

= 0 +1 d le

Since l, we know that 0 0 , 1 < d le. We compute the Baby-steps

as

Pi = [i]P

for 0 i d le.

The pairs (Pi , i) are stored in a table so that one can easily search for items
indexed by the first entry in the pair. One way to do this is to use a hash
table. A hash table is a database accessed by one or more hash functions.

The computation of Baby-steps takes O(d le) time, but there is a similar
amount of storage requirement. We start the computation of Giant-steps by

writing P 0 = [d le]P , followed by the computation of

Qj = Q[j]P 0
for 0 j d le.

The time required to compute the Giant-steps is at most O(d le). The next
step is to try to find a match for Qi in the table of Baby-steps. If we find a
value of Pi such that Pi = Qj , then 0 = i and 1 = j, since

[i]P = Qj[d le]P

and

[i+j d le]P = Q.

The running time of the algorithm is O( l), in both the average and worst

case. The main problem with the algorithm is the requirement of O( l)

storage space. For this reason the algorithm is infeasible in practice.
It has been shown that the BSGS algorithm is the fastest possible method
for solving the DLP in a black box group [48]. Black box groups are a
theoretical tool which allow the analysis of algorithms in idealized setting. A
black box group is modelled in such a way that the representations of field
elements provide no structure.
16

3.2

Pollards algorithm

Pollard based his algorithm on the birthday paradox. That is, if we choose
elements at random from a set of S numbered elements, we only need to

choose S elements in order to get a repetition, also called a collision. Just

as with other methods that are based on a collision search, the goal is to
take a given function f and find two dierent inputs that produce the same
output. The best attack known on the general ECDLP is the parallel collision
search based on Pollards method. But we start with the simple processor
case. We are given a finite cyclic group G of order N, which we as a result
of Pohlig-Hellman assume to be of prime order, and a function f : G G,
which we call the iterating function. We select a starting value Z0 G and
then generate successive terms by the rule Zk+1 = f (Zk ), for k = 0, 1, 2....
Since G is finite, this sequence, also called a walk, eventually begins to
cycle. Since the sequence is a walk, each application of the iterating function
is called a step. One simple approach to detecting a collision with Pollards
method is to use Brents algorithm [8]. That is, there exist two uniquely
determined smallest integers 0 and 1 such that Zk = Zk+ for
all k > . We call the preperiod or tail and the period or cycle.
For performance reasons we wish the function f to be a random mapping,
meaning the function f should be equally probable among all functions in
form G G. The probability that no collision is found after selecting k

2
inputs is (1 N1 )(1 N2 )...(1 k1
) ek /2N for large N and k = O( N).
N
Let E( + ) denote the expected value of the sum of the tail and cycle of
the sequence (Zi ), i.e. the expected number of steps taken on the pseudorandom walk before a collision occurs. Then, under the assumption that f
q
p
|G|
is a random mapping, the value of E( + ) =

1,
253
|G| [61].
2

Using Brents algorithm the collision is found after an expected number of

p
1, 97 |G| iterations [59].
The idea behind the iterating function used by Pollard is the following:
17

we partition the group G into 3 distinct subsets of roughly equal size, S1 ,

S2 and S3 based on some easily testable property. Pollards original method
was developed to solve the DLP and implemented for finite fields of the type
Fp . In the ECDLP, we are dealing with a cyclic subgroup of points hP i of
order l, with generator P and group element Q. When adapted for elliptic
curves the original iterating function becomes the following:

Z + P , if Z S1 .
2Z, if Z S2 .
f (Z) =

Z + Q, if Z S3 .

The resulting terms are expressed as Zk = ak P + bk Q, where the scalars ak ,

bk {0, ..., l 1} are computed as:
a0 = 1, b0 = 0
ak+1 = ak + 1, ak+1 2ak (mod l), ak+1 = ak
bk+1 = bk , bk+1 2bk (mod l), bk+1 = bk +1

for k = 0, 1, 2...

for k = 0, 1, 2...

according to the three cases above.

Because the number of points in the group is finite, the sequence of points
must begin to repeat. Upon detection of a collision, that is Zi = Zj , we have
ai P +bi Q = aj P +bj Q
Since Q = P , we have
ai P +bi P = aj P +bj P
Using modular arithmetic, we get
ai +bi (aj +bj )(mod l)
and

ai aj
bj bi

(mod l)

unless we are very unlucky and bi bj (mod l). So the method is a Monte

Carlo method, since there is no guarantee of success. Since l has no other

factors others than 1 and itself, the only time gcd(bj bi , l) > 1 holds is if
bj bi is a multiple of l. Given that the size of l in practice is greater than

2160 , this is extremely unlikely.

18

3.3

Better random walks

We have said in the beginning that we wish the iterating function f to be

a random mapping. The original method uses an iterating function with
3 clauses. In 2 clauses we perform point addition, Z + P and Z + Q and
are thus taking small steps. Under the third clause, we are performing point
doubling, 2Z, so we are taking a good size step. Unless Q is a small scalar
multiple of P it will take considerable time to walk through the tail and the
cycle and find a match. On the other hand, always taking large steps could
lead to skipping over several terms in the cycle and not obtain a match right
away, which is our objective. It was shown [61] that the value of E( + )

using Pollards original walk is approximately 1, 596 l, which is considerably

slower than the expected value of 1, 253 l. In the following we are going to
look at the work done by Teske on improving this result.
3.3.1

Linear and combined walk

The original Pollard algorithm does not achieve the performance of a random walk. Teske [61] investigated the eect of changing the number of subgroup partitions and therefore function clauses on the performance of the
method. Two types of better random walks were suggested: linear walk and
combined walk. Linear walks use an iterating function that contains a fixed
number r of clauses, each of which defines a point addition operation unique
to its partition. The question is how should the parameter r be chosen? In
her work Teske experimented with elliptic curve subgroups of prime order
up to 13 digits. The experiments showed that r = 20 is a good choice. It
was also established [61] that taking r = 20 is suitable for simulating random
walks for any size of group orders. Thus, when performing the linear walk we
first partition the group G into 20 sets, S1 ,...S20 . The next step is to define
a set of multipliers Mi , these are produced by generating random integers
si , ti [1, ..., l 1] and then computing
19

Mi = [si ]P +[ti ]Q

i = 1, ..., 20.

The iterating function is defined as

f (Z) = Z+Mi

for Z Si .

As before the resulting terms are expressed as Zk = ak P + bk Q, where the

scalars ak , bk {0, ..., l 1} are computed as:
ak+1 (ak +si )(mod l) and bk+1 (bk +ti )(mod l).
Through the experiments Teske found that when using linear walk the run
ning time of the algorithm is E( + ) 1, 292 l, which is very close to the

expected value of 1, 253 l.

Similar to linear walks, combined walks use a fixed number of partitions,
r + q. The iterating function contains r rules that specify point addition
operations and q rules that specify point doubling operations, making a total
of r + q rules. The experimental findings [62] indicate that the best results
is obtained if the ratio of doublings and addings is between 1/4 and 1/2,
while the performance gets worse if the ratio gets much larger than 1. To
explain how to perform this type of walk we choose the values of r = 16
and q = 4. This means that the group G is again partitioned into 20 sets,
S1 ,...S20 . We choose 4 pairwise distinct numbers u1 , ..., u4 between 1 and 20
and again define a set of multipliers Mi ,
Mi = [si ]P +[ti ]Q

where i = {1, ..., 20} \ {u1 , ..., u4 }.

The iterating function is defined as

Z + Mi , if i
/ {u1 , ..., u4 } and Z Si .
.
f (Z) =
2Z,
otherwise.
The scalars ak and bk are computed as:
ak+1 (ak + si )(mod l) or

ak+1 = 2ak (mod l).

bk+1 (bk +ti )(mod l)

bk+1 = 2bk (mod l).

or

20

The reason behind including point doubling is to take bigger steps in our
walk and thus move faster through the tail and cycle to obtain a solution.
Through the experiments it was found that although the combined walk is
slightly faster than the linear walk for small values of p, the latter is to prefer
as p grows. In Teske experiments [61] the expected number of steps to be

taken with this walk is approximately 1, 3 l.

So far we have not defined how the partition is done. In practice its
usual to map an input point Z hP i to a partition number between 1 and

r with a hash function of the form h : hP i {1, ..., r}. This hash function
uses an arithmetic operation that is very fast. This ensures the eciency of

the iterating function at every evaluation of a new term. The hash function
used is:

1,
if 0 < x < k.

2,
if k < x < 2k.
h(Z) =
......

r,
if (r 1)k < x < rk.

where k = 2m /r.

We can base on the hash function on either coordinate without eecting

the performance of the algorithm. Here our hash function is based on the x
coordinate when treated as a binary value. The boundary value k = 2m /r is
used to slice the space of binary strings of fixed length into r subsets of equal
size. Now the k smallest binary values are mapped to the first partition, the
k next largest to the second, and so on until the k largest values, which are
mapped to the last partition r. For the linear walk this means that we should
still compute the set of multipliers Mi as before, but the iterating function
is given by
f (Z) = Z+Mh(Pi )

for Z Si

and the scalars are given as:

ak+1 (ak + sh(Pi ) )(mod l)
bk+1 (bk + th(Pi ) )(mod l).
21

3.4

Parallel collision search

The parallelized version of Pollards method is the method of choice when

solving the ECDLP in practice. The algorithm is though inherently serial in
nature and cannot be directly parallelized over several processors eciently.
One must wait for a given application of the function f to complete before
the next can start. One way to parallelize the algorithm is to start each
processor with a dierent starting value Z0 and wait until one of them finds
a collision. If m processors run the algorithm in this way, the speed-up we

get is only about m. It was Wiener and Van Oorschot [42] who presented
an ecient way of parallelization which was based on distinguished points.
A distinguished point is a group element with an easily testable property. An
often used distinguishing property is whether a points binary representation
has a certain number of leading zeros. Several processors each create their
own starting point Z0 and iterate until a distinguished points Zd is reached.
When Zk = ak P + bk Q is a distinguished point, the triple (Zk , ak , bk ) is
sent and stored in a central list common to all processors. As soon as a
point occurs in two iterations, the remainder of those two iteration trails
will be the same and thus lead to the same distinguished point. Therefore,
by performing the iterations, all processors calculate random group elements
and as soon as the same element has been calculated twice, we are going to
get the same distinguished point twice, as well. If the two representations of
the point, where the trails collided, are dierent, the representation of the
distinguished point are dierent too, and therefore we are able to calculate
. If we denote the number of processors involved in the search by m and
suppose that each processor will send a distinguished point to the central
list every 1/ group operations on average, where denotes the proportion
of the points that constitute the distinguished points, the expected running
q
time of the parallel Pollard method is E( + ) = l2 /m + 1/ [42].
The great advantage of the parallelized method is that storage require22

ment is negligible. The reason for this is that it is only the distinguished
points that are stored rather than all points encountered in the search. The
q
expected space needed in the central list is E(S) = mE( + ) = l2 + m

distinguished points. We see that for the memory requirements to be as

small as possible, we have to chose as small as possible. But, as gets

smaller, the running time of the algorithm gets bigger. We see that there is
a time-space trade-o. In practice the space requirement is chosen in such a
way that the central server has enough memory, and that single processors
can produce distinguished points at an convenient rate, for example one or
two distinguished points each day.

3.5

Improving the algorithm

One way of speeding up the algorithm is to reduce the size of the space that
is being searched by a factor of 2. This can be done by replacing Zi by Zi at
each step, here Zi being the negative of Zi . We can do this by choosing the
point which has a smallest y coordinate when it is interpreted as an integer.
When performing the search Zi , ai and bi should be computed as normal, but
this time we compute Zi as well. The point with the smallest y coordinate
is taken to be Zi . If it is Zi , then we have the usual triple (Zi , ai , bi ). Should
Zi be used our triple becomes (Zi , ai , bi ), i.e. ai is replaced by ai
and bi is replaced by bi . Doing this we restrict our search to the points that
have a smaller y coordinate than their negative. Since it yields exactly half
of the points, 6= O, we reduce the search space by a factor of 2. We have to
remember that computing which of Zi and Zi to use also takes some time,

so the running time of the algorithm is reduced by 2.

A problem that we might encounter is the appearance of trivial 2cycles.
Suppose that Zi and Zi both belong to the same Sj and that in both cases
after f is applied, the negative of the resulting point is used. This is when
Zi+1 = (Zi + cj P + dj Q) and Zi+2 = (Zi+1 + cj P + dj Q) = Zi . The
23

occurrence of these 2 cycles is reduced by using the linear walk. To reduce

their occurrence we can usee the look-ahead technique which proceeds as

follows. We define fw (Z) Z + cw + dw Q and suppose that Zi Sj . Then
f (Zi ) = fj (Zi ). We begin by computing R = fj (Zi ), a candidate for Zi+1 .
If R
/ Sj then Zi+1 = R. If R Sj , then we treat Zi as though it were

in Sj+1 (where j + 1 is reduced modulo 20) and compute a new candidate

R = fj+1 (Zi ). If R
/ Sj+1 , then Zi+1 = R, otherwise we continue trying

j + 2, j + 3, ... If all 20 choices fail, which is highly unlikely to happen, then

we just use Zi+1 = fj (Zi ). The idea is to reduce the probability that two

successive points will belong to the same set. We also note that Zi+1 depends
solely on Zi , which is a requirement for parallel collision search to work.
The method for speeding up the parallel collision search described above

can be applied to elliptic curves over any field. Further improvements are
possible if we use special classes of elliptic curves.

3.6

Anomalous binary curves

We say that we are using a subfield curve when the elliptic curve we are going
to use is defined over the field Fqn , n > 1, but the coecients of the curve
are in Fq . The value of n should be chosen either to be a prime or a product
of a small factor and a large prime to allow for a large enough prime divisor
of #E(Fqn ). This because if n factors non-trivially as n = n1 n1 , then both
#E(Fqn1 ) and #E(Fqn2 ) divide #E(Fqn ), limiting the range of the largest
prime divisor of #E(Fqn ). In practical implementations it is most usual to use
a class of elliptic curves over F2n whose defining equations have coecients
in F2 . Since it is required that a6 6= 0, they must be defined by either the

equation

y 2 +xy = x3 +1
or the equation
y 2 +xy = x3 +x2 +1.
24

These curves are called anomalous binary curves or Koblitz curves, although
lately, the term Koblitz curve is used for any elliptic curve which has
a special endomorphism structure which enables ecient implementations.
( It is very important not to confuse these curves with anomalous curves over
prime fields). The reason for the extended use of these curves are:
1) It is easy to compute the group order #E(F2n ).
2) The arithmetic can be made faster by using the Frobenius endomorphism. The Weil theorem enables us to compute the number of points on an
elliptic curve over an extension field, #E(Fqn ) for n 2, from #E(Fq ) as
follows:
Theorem 5 Let E be an elliptic curve defined over Fq and the trace of the
Frobenius endomorphism t = q + 1 #E(Fq ). Then #E(Fqn ) = q n + 1

n n , where and are complex numbers, | |=| |= q, determined

from the factorization of 1 tT + qT 2 = 0.
Proof. See [52].
An alternative formulation, also leading to an ecient computation is as
follows:
Let #E(Fqn ) = q n + 1 an , n 1. Then the coecients ai are given by
a0 = 2, a1 = 1, ai+1 = ai qai1 .
For the second part, from section 2 we know that the Frobenius endomorphism acts as : (x, y) (xq , y q ) on the curve E. In our case : (x, y)

(x2 , y 2 ), since the ground field is F2 . On points Z = (x, y) E(F2n ) we have

n

n (Z) = (x2 , y 2 ) = Z. Actually, there is an integer , 0 l 1 such

that (Z) = []Z for every point Z = (x, y) E(F2n ). This integer is called
the eigenvalue of the Frobenius endomorphism.
2

n1

Now we let (, 2 , 2 , ..., 2

) be a normal basis of F2n over F2 , for some

F2n . Such a basis always exists for all n 1. Using a normal basis is
25

very ecient, because squaring a field element can than be accomplished by

a cyclic shift of the coecients of each point coordinate. As it was explained
in [27] this leads to considerable improvements for point multiplication.
This improvement leads to very ecient implementations in both hardware and software and is the reason behind the popularity of anomalous binary curves. One important note is that the Koblitz curves are resistent to all
the known special attacks which are to be discussed later.
Now we can look at the improvements in Pollards algorithm oered by the
use of Koblitz curves.

3.7

Further improvements and practice

The principle behind the improvement is to use equivalence classes, that is, if
there is a convenient equivalence relation on the set, then we can consider a
random walk on the set of equivalence classes rather than the whole set. This
principle can be applied on subfield curves as well, but it is on the anomalous
binary curves that we get the best improvement.
We will use a parallel collision search and compute Zk , ak , bk as usual.
n

Since we know that n (Z) = (x2 , y 2 ) = Z, we can also compute the 2n

dierent points j (Zk ), for 0 j n 1. We would now like to choose a
representative element from this set. We will first consider the n points j (Zk )

and use the one whose x is minimal subject to an ordering condition, we can
for instance choose x such that its binary representation has smallest value
when interpreted as an integer. We can then either choose that point or its
negative, applying the same ordering condition used on x to its y coordinate.
This point will replace Zi . If we have chosen j (Zk ) to replace Zk , we must

then replace ak with j ak and also replace bk with j bk to maintain the

relationship Zk = ak P +bk Q. The powers of j can be precomputed to obtain

further eciency. The iteration function must be chosen carefully to avoid
the appearance of trivial cycles. Experimentation carried out by Wiener and
Zuccherato shows that if the parallel walk is used, the occurrence of these
26

trivial cycles is reduced suciently for practical purposes. By using the

method just described we reduce the search space by a factor of 2n, which

reduces the expected running time by a factor of 2n, meaning that the
p
running time of the algorithm is now l/4n.
The SEC standard [56] gives 20 predefined curves in characteristic 2 and

six of these are Koblitz curves, meaning that they have a convenient endomorphism which can be used to speed up the group law. The curves are labelled sect163k1, sect233k1, sect239k1, sect283k1, sect409k1 and sect571k1.
The existence of the technic above means that these curves are not as secure as general curves over the same field. For example one would expect
to need approximately 281 operations to break a general elliptic curve over
F163 while the Koblitz curve requires 277 operations. This improvement although modest, means that we should choose another curve if a security
level of 280 is wanted. In a table taken from [56], we can see the dierence between the security of a general curve and a Koblitz curve for the
field sizes in the mentioned standard. It is assumed that the cofactor is
two for the general curves, as this is the most common case in practice.
Table 2: Information on Koblitz vs general curve security
Curves
sect163k1
sect233k1
sect239k1
sect283k1
sect409k1
sect571k1

Field size Cofactor

2163
2233
2239
2283
2409
2571

2
4
4
4
4
4

General curve
security
281
2116
2119
2141
2204
2285

Koblitz curve
security
277
2111
.
2114
2136
2198
2279

In 1997 Certicom [9] announced a series of elliptic curve challenges. The last
break came in April 2004, when the ECC2-109 was solved. This problem, as
well as all the solved problems before that, was done by using the Pollard algorithm with distinguished points and the ideas of Teske. The problem was
27

distributed over the internet and there was approximately 2600 users who
contributed in the work. The distinguished points were chosen so that approximately one of every 230 points on the curve would be distinguished. The
team that won began their work in November 2002, which means that the
solution was found some 17 months later. This also means that the field sizes
that are used in practice oer long time security. Actually, we can draw a table, taken from [28], that shows the MIPS estimates for the ECDLP over fields
considered for practical use:
Table 3: MIPS years to solve a generic ECDLP using the parallel Pollard

q
160
186
234
354
426

3.8

method
p
q/2 MIP S years
280
8, 5 1011
93
2
7, 0 1015
.
2117
1, 2 1023
2177
1, 3 1041
213
2
9, 2 1051

Pollards algorithm

Pollard developed this method in order to solve the so called interval-[a,b]discrete logarithm problem. The problem at hand is the following: Let G =
hP i be a cyclic group of order g and Q a point from the group such that Q =
P x . We have to find the exponent x, for which we know that x [a, b] [0, g].

In practice it is usual to choose a = 0 and b g, so that a certain number

of high-order bits of x are known to be zero. The reason why to choose x of

such a form is that the exponentiation P x is faster than for randomly chosen
x. But, as we shall see later, this leads to reduced security and one should
thus be careful when choosing x from such intervals.
Originally, the algorithm was called as the method for catching kangaroos, as it is described through two kangaroos, a tame and a wild one. It
is also called the method because if the terms of the sequences of both
kangaroos are drawn on a piece of paper, then the figure obtains the shape of
28

the Greek letter lambda. In the following we will use the latter. We shall now
describe the algorithm in both its original form and in the version given by
Wiener and van Oorschot. First we give the setup for the methods as it is the
same for them both:
We define a set of jump distances S = {s1 , ..., sr } with si > 0 and a set of

jumps J = {P s1 , ..., P sr } and let the mean of the values from S be . Just

as in the method, we find a hash function G {1, ..., r} that divides G

into r disjoint sets M1 , ..., Mr , which give the rules of the kangaroos jumps.
We can, for example, use the same hash function as before. We denote the
tame kangaroo with T and the wild kangaroo with W , T s position with tk
and W 0 s position with wk . The travel of the kangaroos consists of jumps,
where each jump is a multiplication of the kangaroos current position by
some P si J. The sequences htk i and hwk i for k = 0, 1, 2... are given as
tk+1 = tk P si

when tk Mi

wk+1 = wk P sj

when wk Mj .

We denote the distances travelled by the kangaroos with dk,tame and dk,wild .
With starting distances dk,tame = dk,wild = 0, we define the sequences as
dk+1,tame = dk,tame +si when tk Mi
dk+1,wild = dk,wild +sj

when wk Mj .

Now to the algorithms: in Pollards version , T is set o from the position

at the end of the interval, t0 = P b and we let it make C jumps, where C is
a constant. We mark the final spot of T with (tN , dN ). This position is our
trap. In terms of the exponents of P , at each time we know the position
of T . Then W is set o from w0 = Q. Since we do not know x, we do
not know the exact location of W , that is why it is called wild. If the path
of W meets that of T , he continues down the same path and falls into the
trap. If we denote W s position at the trap with wM , then tN = wM , that is
29

P b P dN,tame = P x P dM,wild . From here we can compute x as

x (b+dN,tame dM,wild )(mod g).
If the method fails, we set o another wild kangaroo with a starting point
w0 = Q P z , for some small known z. Now we determine the running time

of this method. After passing P b , the wild kangaroo makes approximately

C jumps before catching up with the tame kangaroo. The probability of

landing on the tame kangaroos trail is 1/ for each jump. The probability of
success after C jumps is approximately 1(11/)C 1eC . The trap
T made is at a distance of about b + C2 form P 0 . W jumps an approximate

(b a)/ + C times to come this far and has it not yet landed on the trail
of T it can be stopped, because it must have passed T , without landing on
its trail. Because the expected starting point for W is P (a+b)/2 , when the algorithm succeeds, the expected number of jumps is (b a)/2 + C. Now we
know that in the algorithm T is sent on its way once and makes C jumps,
while W succeeds once and fails 1/(1 eC ) 1 times. The total running
time of the algorithm is thus C (b a)/2 + (C + (b a)/)/(1 eC ).

Wiener and van Oorschot calculated [42] that this is minimized when
s

1 + eC
.
= ba
2C(2 eC )
Evaluating this expression they find that the running time of the algorithm

is minimal when C 1, 39 and 0, 51 b a, and is approximately

3, 3 b a group iterations. All we have to store in this version of the algorithm is the set of jumps and the current position of the two kangaroos. If
we allow more storage, we can use the alternative approach by Wiener and
van Oorschot. They again used the distinguished point technique, but this
time even for the single processor case. We can use the same distinguishing
property as before: a point from the group is distinguished if the points
binary representation has a certain number of leading zeros. Now T is set
30

o from t0 = P

a+b
2

and w0 = Q. After each jump of the kangaroos we check

whether the current terms are distinguished points. If this is the case, they
are stored in a hash table. We can check whether a collision has occurred
each time we store a distinguished point. If we come across a distinguished
point such that tN = wM , with N 6= M, then P

a+b
2

P dN,tame = P x P dM,wild

and
+dN,tame dM,wild )(mod g).
x ( a+b
2
For the estimation of the running time we let denote the proportion of group

. It is expected
elements that are distinguished and assume that = ba
2

that the kangaroos trail will collide after 2 b a jumps and it will take additional 2/ iterations to find the distinguished point. In general, the time

until a collision occurs is between b a, when the solution is near the mid
dle of the interval, and 3 b a, when it is near the ends. Thus, the running

time is 2 b a + 2/ group iterations. The expected storage requirement is

2 b a.
Just as the algorithm, the algorithm can also be parallelized so that
we get linear speed up. In fact, there are two dierent ways of paralellization,
one by Wiener and van Oorschot and another by Pollard.

3.9

The Wiener-van Oorschot parallelization of the

algorithm

For a start we assume that we have m processors, with m even. The single
processor case given by Wiener and van Oorschot is actually just a special
case of their parallelization of the algorithm. It corresponds to m = 2, with
two processors simulated on one machine. If m is odd or indefinite, we can
simulate m0 = 2m virtual processors by having one pair of wild and tame
kangaroos on each processor and letting them jump alternately.
Instead of one tame and one wild kangaroo, we will now work with a
herd of m/2 tame kangaroos and a herd of m/2 wild kangaroos, with one
31

kangaroo on each processor. We use the same setup as before and assume

that the mean value of the jump lenghts is m b a/4. We will count
the running time in terms of iterations, where one iteration comprises one
kangaroo jump on each processor. There is a couple of important variables
we have to discuss before we start our kangaroos. One of them is the choice of
jump distances si . There are two good choices: the first is to choose si to be
powers of two starting with si = 1 up to sr = 2r1 , where r is such that the

mean value of the si is close to the optimal value of = m b a/4. Because

varies with the number of processors and the length of the interval [a, b],
so does r as well. The second good choice consists of k integers {q1 , ..., qk }
randomly chosen from the interval [1, 2]. The values of qi must be pairwise
distinct and gcd{q1 , ..., qk } = 1. Based on the experience from the method,
we may choose k = 20 in order to get suciently random kangaroo paths.
The other important variable to consider is the distance between members of the same herd. It is not desirable to choose either too small or
too big. If the distance is too small, it could easily cause collisions between
members of the same herd. The colliding kangaroos would follow the same
path and the herd would eectively be reduced by one member for each such
collision. On the other hand, if the distance was too big, the gap between
the members of the herd in the front and those at the back would eventually
get so big that it would not be possible to view the herd as a group, rather
it would be a collection of kangaroos travelling individually. Experiments
in [60] show that should be chosen so that 2/m. The m/2 tame
kangaroos, T1 , ..., Tm/2 , are set o from
t0 (T0 ) = P

a+b
+(i1)
2

the m/2 wild kangaroos , W1 , ..., Wm/2 , from

w0 (Wi ) = QP (i1)
where i = 1, ..., m/2, on each processor.
32

The initial travel distances are d0,tame (Ti ) = d0,wild (Wi ) = (i 1), and each
kangaroo gets a tag which indicates whether it is a tame or wild. As before, after each jump of the kangaroos it is checked whether some of the new
spots are distinguished points. If we find some distinguished point, we send
it to the central list, together with the corresponding travel distance and
the tame/wild tag. Here it is checked whether there is a reoccurrence of a
distinguished point, and if it is the case the solution is found in a manner
already described.
An unwanted occurrence in this version of parallelization are collisions
between members of the same herd. Such collisions are called useless. There
are

m m
(
2 2

1) possible pairs for useless collisions among the each of the

herds. It is expected that there will be at most two useless collisions. This
expected value is confirmed through experiments in [60]. The impact of
useless collisions on the running time of the algorithm can be divided into
two cases: m = 4 and m > 4. In general, there are (m/2)2 possible pairs for
m m
( 1).
2 2
either m2 ( m2
( m2 1)2 if it

useful collisions. The first useless collision reduces this number to

The second useless collision reduces further this number to
2) if it happened in the same herd as the first one, or to

happened in dierent herds. This means that the running time is decreased
by a factor of at most

m m
(
2 2

2). For m > 4 and specially m 4 the eect

of useless collisions is only marginal. For the case m = 4 however, there

is an increase of the running time due to useless collisions. This is because
after the first useless collision the number of useful ones decreases from 4 to
2. Experimental results in [60] show that the running time in this case is
noticeably larger. Therefore, if we only have a network of 4 processors, it is
desirable to work with more than one kangaroo on each of them. It should
also be mentioned that for some choices of the sets of jumps and distances
, the occurrence of useless collisions is higher then expected. See [60] for
further comments on this subject.
33

To calculate the expected running time of the algorithm, we can divide

the movement of the herds into three parts: the time while they travel in
separate regions, the time while they travel in a common region and a useful
collision occurs and the time until this collision is detected. Since we do not
know which of the herds lies further to the right on the interval [a, b], in this
analysis we will simply talk about a leading and a following herd, rather than
herds of tame and wild kangaroos.
The initial distance between the herds is between 0 and
pected separation when the algorithm succeeds is
takes about

ba
4

a+b
.
4

a+b
.
2

The ex-

This means that it

jumps for the trailing herd to catch up with the one in the

front. After this has happened, the trailing herd enter a region where the
herd of leading kangaroos already landed on m/2 spots. On each step,
the probability that one of the m/2 trailing kangaroos lands on one of these
spots is m2 /4. The expected number of jumps for each kangaroo before this
happens is 4/m2 . Thus, the expected running time until a useful collision

occurs is ba
+ 4/m2 iterations. This value is at its minimum of 2 b a/m
4
for =

m ba
,
4

which is in correspondence with the assumption from the

start. In general this part of the running time will be somewhere between

b a/m iterations, when the solution is near the middle of the interval,

and 3 b a/m iterations, when it is near the ends. By adding 1/, the time
needed to reach the next distinguished point after a useful collision occurred,

to this, we get the expected overall running time of T = 2 b a/m + 1/

iterations.

3.10

Pollards parallelization of the algorithm

Again, we use the same setup as before and let denote the proportion of
distinguished points. The main dierence between the two parallelization
methods is that in this one there is no possibility of useless collisions. We
will work with u tame and v wild kangaroos, where u and v are coprime. If
34

the number of processors involved is m, we will choose u and v such that

u v m/2, as this gives the best running time, and u + v m. We choose
the r jump distances as si = qi uv. Again, we can choose qi to be either
powers of two starting from q1 = 1 up to qr = 2r1 , or random integers from
the interval [1, 2]. The mean value of the jump distances should be close to
q
= ba
/2. We set o the tame kangaroos from
uv
t0 = P

a+b
+iv
2

where i = 0, ..., u1

and the wild kangaroos from

w0 = QP ju where j = 0, ..., v1.
This implies that any two tame or any two wild kangaroos travel with travel
distances that are in pairwise distinct residue classes modulo uv. Since the
equation
( a+b
+iv x+ju)(mod uv)
2
has a unique solution in i and j, there is just one pair of tame and wild kangaroos that travel in the same residue class modulo uv. This means that this
is the only pair that can collide.
As before, we keep track of the distinguished points and when some has
been stored twice, we can find the solution we are looking for. The analysis of
the running time is similar to that from the previous parallelization method,
the only adjustment that has to be done is to replace the interval [a, b] with
[a, b]/uv and to put m = 2, as we only have to consider the expected number
of jumps of the two kangaroos that are destined to collide, and they travel
in a fixed residue class modulo uv. The expected overall running time is
p
T = (b a)/uv + 1/ iterations on each processor. This is approximately

the same running time as for the Wiener-van Oorschot parallelization, provided that we stick too our assumption that u v m/2. This version of

parallelization is easier to handle because we do not have to deal with use35

less collisions and a proper choice of spacing. However, it only works if the
number of processors is known in advance and all processors take part in the
computation until the end. Since from the beginning of the computation it
is determined which pair of kangaroos is the one to collide, a failure of one of
the two corresponding processors would lead to the computation not being
finished.
At the end, we should note that we might use the method to solve
the general discrete logarithm problem. But, it is approximately 1, 6 times
slower than the method if a = 0 and b = ord(G). It becomes faster than
the method when b a < /8 ord(G) [60].

36

Special methods for solving the ECDLP

The attacks that will be analyzed in this section are special in the sense that
they exploit weaknesses in special types of curves.

4.1

Pairing based attacks on ECDLP

Menezes, Okamoto and Vanstone [36] showed how the Weil pairing can be
used to eciently reduce the ECDLP in E(Fq ) to the discrete logarithm
problem in the multiplicative group of an extension field Fqn , where subexponential running time index calculus methods are known. We refer to
their attack as the MOV-attack. Frey and Ruck [14] proposed a similar
method, but based on the Tate pairing. In the following we will both analyze
the methods and describe an important part of the theory of elliptic curves,
namely the divisor theory.
4.1.1

Divisor theory

For the remainder of this section we let k = Fq , where q is a power of a prime

p and let E be an elliptic curve defined over k.
Definition 6 Divisors
The divisor group of the curve E, denoted by D(E), is the free abelian
group generated by the points on E. Thus a divisor D D(E) is a
P
nP (P ), where nP Z are 0 for all but finitely many
formal sum D =
P.

P E

The quantity nP specifies the zero/pole property of a point P and its

respective order. Inequality nP > 0 indicates that a point P is a zero, and
nP < 0 indicates that P is a pole.
37

Definition 7 Group operation, degree , order and support of a divisor

P
The group operation on the divisor group is given by D1 + D2 =
nP (P )
P E
P
P
mP (P ) =
(nP + mP )(P ), where D1 , D2 D(E). The degree of
+
P E
P E
P
nP . The divisors of degree 0 form a subgroup
D is defined by deg D =
P E

of D(E), which we denote by D0 (E) = {D D(E) | deg D = 0}. The

order of D at P is nP , ordP (D) = nP . The support of a divisor D,

denoted supp(D), is the set of points {P E | nP 6= 0}.
If E is defined by the Weierstrass equation r(x, y) = y 2 + a1 xy + a3 y

x3 a2 x2 a4 x a6 = 0, where r k[x, y], then the coordinate ring of E

over k, denoted k[E], is the integral domain k[E] = k[x, y]/(r), where (r)
denotes the ideal generated by r. The function field k(E) of E over k is the
field of fractions of k[E]. Now let k = n1 Fqn be the algebraic closure of
k. Then k[E] = k[x, y]/(r) and k(E), the function field of E over k, is the
field of fractions of k[E]. The elements of k(E) are called rational functions.
Let now f k(E) be a non-zero rational function and P E\{O}. For
each point P E there exists a rational function u k(E), u(P ) = 0 such

that if f k(E) , then we can write f = ud s, where s k(E), s(P ) 6= 0, .

The integer d does not depend on the choice of u. The function u is called a
uniformizing parameter for P . The order of f at P is defined to be d, and
we write ordP (f ) = d. The point P is a zero of f if and only if ordP (f ) > 0
and P is a pole if and only if ordP (f ) < 0.
We can define div(f ), the divisor of f , as div(f ) =

P E

ordP (f )(P ). If

f k(E) , then div(f ) D0 and div(f ) = 0 if and only if f k . For

two rational functions f1 and f2 , we have div(f1 ) + div(f2 ) = div(f1 f2 ) and
div(f1 ) div(f2 ) = div(f1 /f2 ).
38

Definition 8 Principal divisors

A divisor D D0 (E) is defined to be principal if D = div(f ) for some

f k(E) . Another way of defining principality is to say that a divisor

P
P
nP (P ) of degree 0 is principal if and only if
[nP ](P ) = O.
D=
P E

P E

P
nP (P ) is defined by f (D) =
The evaluation of f on a divisor D =
P E
Q
f (P )nP . Two divisors are equivalent, denoted D1 D2 , if D1 D2

P sup p(D)

is principal. The set Dprinc = {div(f ) | f k(E) } of all principal divisors

form a subgroup of D0 . The degree 0 part divisor class group or Picard

group of E, denoted P ic0 (E), is the quotient of D0 (E) by the subgroup

of principal divisors. Further, P ic0k (E) is the subgroup of P ic0 (E) fixed
by Galk/k . Similarly, P ic(E) is the quotient of D(E) by the subgroup of
principal divisors and P ick (E) is the subgroup of P ic(E) fixed by Galk/k .
For each D D 0 (E), there exists a unique point Q E such that D
(Q) (O). Another way to represent a degree 0 divisor D is in its canonical
form, D = (Q) (O) + div(f ), for a unique point Q E and some f k(E).
The function f is determined up to multiplication by a non-zero element of
k. In order to compute the Weil pairing we must be able to perform two
important computations: firstly, we must know how to add two divisors
written in the canonical form and express the result in canonical form, and
P
nP (P ), we must be able to find
secondly, given a principal divisor D =
P E

f k(E) such that D = div(f ).

4.1.2

The Weil pairing

Now we introduce a formula for adding two divisors in canonical form, such
that the result is still in canonical form. This formula provides a method
of finding a rational function f such that div(f ) = D for a given divisor D,
and is critical for computing the Weil pairing. Let D1 , D2 D0 (E) be given
39

by D1 = (P1 ) (O) + div(f1 ) and D2 = (P2 ) (O) + div(f2 ). Assume that

P1 +P2 = P3 . Let hP1 ,P2 (x, y) = ay+bx+c be the equation of the straight line
passing through P1 and P2 , and hP3 (x, y) = x + d be the equation of vertical
line passing through P3 . (Note that if P1 = P2 , hP1 ,P2 (x, y) is the line tangent
to P1 , and if P3 = O, we have hP3 (x, y) = 1, a constant equation). Then we
have div(hP1 ,P2 ) = (P1 )+(P2 )+(P3 )3(O), where P1 , P2 , and P3 are zeros
because they are on line hP1 ,P2 , and div(hP3 ) = (P3 ) + (P3 ) 2(O) where
P3 , P3 are zeros because they are on line hP3 . From the above discussion,
the sum of divisors D1 + D2 is written as:
D1 + D2 = (P1 ) + (P2 ) 2(O) + div(f1 f2 )
= (P3 ) (O) + div(f1 f2 ) + div(hP1 ,P2 ) div(hP3 )
= (P3 )(O)+div(f1 f2 hP1 ,P2 /hP3 ).
Before we can discuss the Weil pairing, we need to define the group of ntorsion points.
Definition 9 Torsion point and torsion subgroup
An n-torsion point P is a point satisfying n(P ) = O, n Z. The set of
ntorsion points forms a subgroup of E, denoted by E[n].

Let E(k)[n] denote the subgroup of n-torsion points in E(k), where n 6= 0.

From now on we will write E[n] for E(k)[n], where k denotes the algebraic
closure of k. If gcd(n, q) = 1, then E[n] ' Zn Zn . If n = pe , then either
E[pe ] ' {O} if E is supersingular or E[pe ] ' Zpe if E is non-supersingular.
The notion of supersingularity will be explained in the following subsections.
The following result provides necessary and sucient conditions for E(k) to
contain all of the n-torsion points in E(k).
40

Theorem 10 If gcd(n, q) = 1, then the following is equivalent

i)
ii)

E[n] E(k)

2
t 4q
Endk (E).
n | q + 1 t, n | q 1 and either Z or
n2
2

Here t is the trace of the Frobenius endomorphism , is the order of the

2

t 4q
discriminant
and Endk (E) the ring of k-endomorphisms of E.
n2

2
t 4q
is
Proof. The proof and the explanation how the quantity
n2
deduced can be found in [46].
Now we turn our attention to the definition of the Weil-pairing. Let n

be a positive integer coprime to p and n k be the group of n-th roots of

unity, n = {u k | un = 1}. Given P, Q E[n], there exist divisors DP ,

DQ D0 (E) such that DP (P ) (O) and DQ (Q) (O). As n(P ) =

n(Q) = O, divisors nDP and nDQ are principal and there exist rational

functions fP , fQ such that div(fP ) = nDP and div(fQ ) = nDQ . Suppose

that DP and DQ have disjoint supports, i.e., supp(DP ) supp(DQ ) = .

Definition 11 Weil pairing
The Weil pairing, denoted en , is a function en : E[n] E[n] n and is
defined as

en (P, Q) =

fP (DQ )
.
fQ (DP )

The value of en (P, Q) is independent of the choice of DP , Dq , fP and fQ .

The Weil pairing has the following properties:
1)

Identity: For all P E[n], en (P, P ) = 1.

2)

Alternation: P, Q E[n], en (P, Q) = en (Q, P )1 .

3)

Bilinearity: P, Q, R E[n], en (P + Q, R) = en (P, R)en (Q, R), and

en (P, Q + R) = en (P, Q)en (P, R).
41

4)

Non-degeneracy: If P E[n] then en (P, O) = 1. Moreover, if

en (P, Q) = 1 for all Q E[n], then P = O.

5)

Compatible: If P E[n] and Q E[nn0 ], then enn0 (P, Q) =

en (P, n0 Q).

6)

If E[n] E(k), then en (P, Q) k for all P, Q E[n].

In order to compute the Weil pairing we will proceed using the following
three steps:
1. Pick points T , U E such that P + T 6= U, Q + U and T 6= U , Q + U. Let
DP = (P +T )(T ) and DQ = (Q+U)(U). Then DP (P )(O) and DQ
(Q)(O).
Step 2. Use an evaluation algorithm to compute fP (Q+U), fP (U ), fQ (P +T )
and fq (T ) with div(fP ) = nDP and div(fQ ) = nDQ .
Step 3. Compute
en (P, Q) =

fP ((Q + U) (U ))
fP (Q + U)fQ (T )
fP (DQ )
=
=
.
fQ (DP )
fQ ((P + T ) (T ))
fQ (P + T )fP (U)

A crucial part in the evaluation algorithm in Step 2. For each integer m, there
exists a rational function fm such that div(fm ) = m(P +T )m(T )(mP )+
(O).
If m = n, then div(fn ) = n(P +T )n(T )(nP )+(O), and fP = fn . For any
points R, S, let hR,S and hR be linear functions, where hR,S (x, y) = 0 is the
straight line passing through R, S, and hR (x, y) = 0 is the vertical line passing
through R.
Notice that
div(hm1 P,m2 P ) = (m1 P )+(m2 P )+((m1 +m2 )P )3(O)
and
div(h(m1 +m2 )P ) = ((m1 +m2 )P )+((m1 +m2 )P )2(O).
42

Then we have
div(fm1 +m2 ) = (m1 + m2 )(P + T ) (m1 + m2 )(T ) ((m1 + m2 )P ) + (O) =

m1 (P +T )m1 (T )(m1 P )+(O)+m2 (P +T )m2 (T )(m2 P )+(O)+(m1 P )+

(m2 P ) + ((m1 + m2 )P ) 3(O) [((m1 + m2 )P ) + ((m1 + m2 )P ) 2(O)] =

div(fm1 ) + div(fm2 ) + div(hm1 P,m2 P ) div(h(m1 +m2 )P ) and hence

fm1 +m2 =

fm1 fm2 hm1 P,m2 P

.
h(m1 +m2 )P

hP +T
,
hP,T
since div(f1 ) = (P + T ) (T ) (P ) + (O) = (P + T ) + ((P + T )) 2(O)

The last equation is recursive with initial conditions f0 = 1 and f1 =

[(P ) + (T ) + ((P + T )) 3(O)] = div(hP +T ) div(hP,T ). The following,

more formal description of Millers algorithm is given in [7]:
Algorithm 12 Millers algorithm
Input: Integer n =

t
P

i=0

S E.

bi 2i with bi {0, 1} and bt = 1, and a point

Output: f = fn (S).
f f1 ; Z P ;

For j t 1, t 2, ..., 1, 0 do
hZ,Z (S)
; Z 2Z;
f f2
h2Z (S)
if bj = 1 then
hZ,P (S)
; Z Z + P;
f f1 f
hZ+P (S)
Endif
Endfor

Return f
In the same article, three refinements to the algorithm are presented and
the interested reader is invited to study them closely. With all the necessary
computational prerequisites in place we are now ready to take a look at the
MOV-reduction.
43

4.1.3

The MOV reduction

Before looking at the reduction itself however, we need to further explore the
theoretical background:
Theorem 13 If P E(k) is a point of order n, then there exists Q E[n],
such that en (P, Q) is a primitive n-th root of unity.

Proof. Let Q E[n]. From the Weil pairing we have that en (P, Q)n =

en (P, [n]Q) = en (P, O) = 1. Thus en (P, Q) n , where n the subgroup of

the n-th roots of unity in Fql . Now there are n cosets of the subgroup gener-

ated by P , and by the above lemma, as Q varies among the representatives

of these n cosets, en (P, Q) varies among the elements of n .
Thus if we let Q E[n] such that en (P, Q) is a primitive nth root of

unity we get the following map and theorem:

Theorem 14 The map
f : hP i n

R en (R, Q)
is a group isomorphism.
Proof. Clearly f is a homomorphism due to the properties of the Weil
pairing. Suppose that en (R, Q) = en (R0 , Q), then en (R, Q)en (R0 , Q)1 =
1 = en (R, Q)en (R0 , Q) = 1 = en (R R0 , Q) = 1 = R R0 = O =

R = R0 , thus f is injective. Now since both hP i and n are finite of order n,

this implies that f is surjective and hence bijective. Therefore hP i ' n as

required.

Now to the reduction: let P E(k) be a point of order n, n is an odd

prime number, gcd(n, q) = 1, such that #E(k) = nv and n #E(k), and

Q E(k). As usual we want to find , 0 n 1, such that Q = P . It

is easy to check whether a solution exists: Q hP i if and only if n(Q) = O

and en (P, Q) = 1. We can now describe the method for reducing the ECDLP
to the DLP in a finite field in four steps:
44

Algorithm 15 The MOV reduction

Input: An element P E(k) of order n and Q hP i.
Output: An integer such that Q = P .
1)

Determine the smallest integer l such that E[n] E(Fql ).

2)

Find R E[n] such that = en (P, R) has order n.

3)

Compute = en (Q, R).

4)

Compute , the discrete logarithm of to the base in Fql .

The output of the algorithm is correct since = en (Q, R) = en (P, R) =

en (P, R) = . The discrete logarithm problem in a finite field may then be
solved the subexponential running time index calculus method [58].
There are two major issues we have to deal with in order to be able to apply
the algorithm:
1) the problem of explicitly determining the minimum positive integer l such
that E[n] E(Fql ).
2) the problem of eciently finding n-torsion point R such that en (P, R) has
order n.
4.1.4

The modified MOV algorithm

The authors of the algorithm have presented successful solutions for both
problems for the class of supersingular elliptic curves. But before looking at
the modified algorithm, we have to define supersingularity:
Definition 16 Supersingularity
An elliptic curve E(k) is supersingular if p divides t.
Here p is a characteristic of the field and t is a trace of Frobenius
endomorphism.

45

Equivalently, it can be shown that a curve over k with characteristic p

is supersingular if and only if ( i) p = 2, 3 and j(E) = 0 or ( ii) p 5 and
t = 0, [5]. Supersingularity imposes limitations on the dierent group structures E(k) can assume. It turns out supersingular curves have corresponding
groups that are either cyclic of order q or isomorphic to either Zq+1 Zq+1 ,

Zq1 Zq1 or Z(q+1)/2 Z2 . This means that supersingular curves can

be divided into 6 categories. For each category we can precompute l such

that E[n] E(Fql ). Table 1 of [36] summarizes all the relevant information
on supersingular curves. This takes care finding l. To find R we again take
advantage of the limited group structures. From section 2 we recall that
elliptic curve groups are, in general of the form Zn1 Zn2 . The extensions
of each category of supersingular curve will be of the form Zcn1 Zcn1 for
appropriate c. This will help limit our choices for R. The modified algorithm
is as follows:
Algorithm 17 The MOV reduction for supersingular curves
Input: An element P E(k) of order n and Q hP i.
Output: An integer such that Q = P .
1)

Determine the smallest integer l such that E[n] E(Fql ) and the
appropriate value of c by using the table from [36].

2)

Pick a random point R0 E(Fql ) and set R = (cn1 /n)R0 .

3)

Compute = en (P, R) and = en (Q, R).

4)

Compute the discrete logarithm 0 of to the base in Fql .

5)

Check whether 0 P = R. If this is so, then = 0 and we are

done. Otherwise, the order of must be less than n, so go to 2).

For supersingular curves the reduction runs in probabilistic polynomial

time in log q. The detailed calculation of the running time can be found in
[37].
46

4.1.5

Application of the algorithm to general elliptic curves

In the previous subsection we saw how the algorithm was completed for the
class of supersingular elliptic curves. Finding solutions to steps 1) and 2)
of the algorithm is however significantly more dicult when working with
general, non-supersingular curves. For the first problem, the answer can be
found in an article by Balasubramanian and Koblitz [3]. They proved that
if n - (q 1), then E[n] E(Fql ) if and only if l is the minimum integer

such that n | q l 1. Hence by verifying that n does not divide q l 1 for all
integers l [1, c], where c is chosen so that the DLP problem in kc is deemed

to be intractable, the Weil pairing attack can be circumvented. In the same

paper, they also suggested that we need l = n if n | (q 1) and E[n] * E(k).
Thus, when n is much larger than log q, we may give up applying the MOV
reduction since the extension degree in this case is too large in order for the
reduced DLP in Fql to be solved in subexponential time in log q.
Possible solutions for the problem of finding adequate torsion points have
been suggested in [50]. The authors have proposed three dierent methods.
The first one is the simple brute force approach of repeatedly choosing
points from the curve, until a good point is found. The second one is a
method using the multiplication by constant maps. Both of these methods
require exponential time in l log q. There is however a third method which,
under the assumptions that n - q and n - q 1, actually is completed in
probabilistic polynomial time in l log q. The method is too detailed to be
presented here, but can be found in its entirety in [50].
4.1.6

The Tate-Lichtenbaum pairing

The Frey-Ruck attack is quite similar in nature to the MOV attack, but uses
the Tate-Lichtenbaum pairing instead of the Weil pairing. Just like the MOV
attack, the Frey-Ruck attack attempts to reduce the ECDLP to the DLP in
a suitable extension field over which the elliptic curve in question is defined,
47

where the DLP can be solved with subexponential algorithms.

In the construction of the Tate-Lichtenbaum pairing we will need the
following theorem:
Theorem 18 Weil Reciprocity:
Let f and g be non-zero constant functions defined on a curve E over k,
with div(f ) and div(g) having disjoint support. Then
f ((g)) = g((f )).
Proof. See [5].
Let E be an elliptic curve defined over k, n a positive integer which is
coprime to q and points P , Q E(k). Let l be a positive integer such that

the field Fql contains the nth roots of unity, i.e. n | ql 1. From now on we

let Fql = K. Let E[n] denote the subgroup of n torsion points in E(K) and
nE(K) = {n(P ) | E(K)}. Notice that nE(K) is a subgroup of E(K), and

hence we can look at the quotient group E(K)/nE(K). We are now going to
define a pairing on E[n] E(K)/nE(K), but we need a place to map to. If
we define the following set, (K )n = {un | u K }, we can form the quotient
K /(K )n , which is a group of exponent n and is isomorphic to n .

Now let P E[n] and Q E(K)/nE(K). Here we notice that technically

we should be writing Q as a coset in the second group, instead we will simply

think of Q are representative of an equivalence class. Now since n(P ) = O,
we can find a function f such that div(f ) = n(P ) n(O). Take D to be

a degree zero divisor equivalent to (Q) (O), and such that D is defined

over Fql with disjoint support from div(f ). To do this we can simply choose
a random S E(K) and define D = (Q + S) (S). Since both div(f )

and D are defined over K, the value f (D) K. Since div(f ) and D were

constructed to have disjoint support, f (D) 6= 0, thus f (D) K. We now

define the Tate-Lichtenbaum pairing:

48

Definition 19 The Tate-Lichtenbaum pairing

Let E be an elliptic curve defined over k. Let n be a positive integer with
P
nP (P ). The map
gcd(n, q) = 1 and D =
P E

h, i : E[n] E(K)/nE(K) K /(K )n

Q
hP, Qi
f (D) = f (P )nP
P

is called the Tate-Lichtenbaum pairing and satisfies the following properties:

1)

Well defined: hO, Qi (K )n for all Q E(K), hP, Qi (K )n for

all P E[n] and all Q nE(K).

2)

Non degeneracy: For each point P E[n] {0}there is some

point Q E(K) such that hP, Qi

/ (K )n .
3)

Bilinearity: For any integer t, h[t]P, Qi hP, [t]Qi hP, Qit modulo
n-th powers.

In general there is no relationship between the Tate and Weil pairing,

however when E is an elliptic curve such that n2 | #E(K) and P , Q are
independent points in E[n] then we have en (P, Q) = hP, Qi/hQ, P i.
4.1.7

The Frey-Ruck attack

For the pourpose of the attack we will use what is referred to as a modified
Tate-Lichtenbaum pairing. We note that the group K /(K )n is isomorphic
to the group of roots of unity n and thus an instance of the ECDLP on
E(K) can be mapped to an instance of the DLP in n . Now we can define
n to be the following bilinear map:
n (, ) : E[n] E(K)/nE(K) n
n (P, Q)

= hP, Qi(q1)/n .
49

Although the setting is exactly the same, the second setup is more desirable
since it will yield a definite answer instead of a coset in K modulo nth
powers. Again, since we are mapping into the group of nth roots of unity,
we are mapping into a suitable extension field K such that n K. Now we
describe the Frey-Ruck algorithm as given in [22]:
Algorithm 20 The Frey-Ruck algorithm
Input: An element P E(k) of order n and Q hP i.
Output: An integer such that Q = P .
1)
2)
3)

Determine the smallest integer l such that n | q l 1 and set K = Fql .

Pick S; T E(K) randomly.

Compute the element f K(E) such that div(f ) = n((P ) (O))

and compute = f (S)/f (T ).

4)

Compute the element = (q 1)/n . If = 1, then go to 2).

5)

Compute the element g K(E) such that div(g) = n((Q) (O))

l

and compute = g(S)/g(T ), and = (q 1)/n .

6)

Solve the DLP = in K , i.e. the logarithm of to the base in

K .

4.1.8

Comparing the pairing attacks

From the above considerations, we can measure the eectiveness of the FreyRuck algorithm by the extension degree l, which is the smallest integer such
that n | (ql 1), while we can measure that of MOV algorithm by l, which

is the smallest integer such that E(k)[n] E(Fql ). Although, the conditions
of the extension degree for the Frey-Ruck algorithm is usually weaker than

that for the MOV algorithm, the work of Balasubramanian and Koblitz shows
that the condition n | (q l 1) is equivalent to the condition E(k)[n] E(Fql )

if n - (q 1), i.e. the eectiveness of the MOV algorithm is the same as that

for the Frey-Ruck algorithm if n - (q 1). It was shown in [26] that elliptic
curves of trace 2 are the only case for which this is not true. For these

curves the MOV algorithm is exponential, while the Frey-Ruck algorithm is

subexponential.
50

4.2

The Smart attack against anomalous elliptic curves

In order to avoid the MOV-attack Miyaji [41] proposed the use of anomalous
elliptic curves over Fp which are such that #E(Fp ) = p. However, such
curves are themselves weak. Methods to attack the anomalous curves have
independently been proposed by Smart [55], Satoh and Araki, and Semaev
[49]. We will outline the method proposed by N. Smart. It uses the theory
of elliptic curves defined over the field of padic numbers Qp . Details from
the theory that are important for the attack will be given here.
4.2.1

Introduction to the p-adic numbers

We introduce here the padic numbers and their basic properties. Let p be
a prime number and a a rational number. The number a can be expressed as
m
a = pr , where r N and m, n Z are not divisible by p. We then define:
n
Definition 21 The norm:
r
p , if a 6= 0.
.
ordp (a) = r and |a|p =
0,
if a = 0.
The function |.|p : Q [0, ) is a norm on Q , i.e.
i)

|a|p = 0 a = 0.

ii) |ab|p = |a|p |b|p .

iii) |a + b|p |a|p + |b|p .
This norm induces a metric dp (., .) on Q defined by dp (a, b) = |a b|p .

The field Qp of p adic numbers is the completion of Q for the metric

dp , i.e. a Qp if and only if there exists a sequence (an ), n N, such

that |an a|p 0 as n . The natural representation of padic num-

bers is by an infinite series of the form cn pn + ... + c0 + ... + cm pm + ...,

where the ci s are integers such that 0 ci p 1. An element a

Qp is called a p adic integer, if ordp (a) 0. The set of padic in-

tegers is denoted as Zp . ( The latter must not be confused with Z/pZ).

For more details on padic numbers, see [29].
51

4.2.2

Theoretical tools necessary for the attack

We consider an elliptic curve E defined over k, where k = Fq . We would like

to represent the points of E with one parameter in k. In order to do this,
we make the change of variables:

1
1
z
x
so x =
and y =
z = and w =
y
y
w
w
The coordinate z has no connection with the projective coordinate Z. The
point O is now represented as the pair (0, 0) in the (z, w)-plane. The usual
Weierstrass equation for E becomes
w = z 3 +a1 zw+a2 z 2 w+a3 w2 +a4 zw2 +a6 w3 (= f (z, w)).
As the next step, we substitute the equation into itself recursively and obtain
as a power series in z:
w(z) = z 3 + (a1 z + a2 z 2 )w + (a3 + a4 z)w2 + a6 w3
= z 3 + (a1 z + a2 z 2 )[z 3 + (a1 z + a2 z 2 )w + (a3 + a4 z)w2 + a6 w3 ]
+(a3 + a4 z)[z 3 + (a1 z + a2 z 2 )w + (a3 + a4 z)w2 + a6 w3 ]2
+a6 [z 3 + (a1 z + a2 z 2 )w + (a3 + a4 z)w2 + a6 w3 ]3 + ...
= z 3 + a1 z 4 + (a21 + a2 )z 5 + (a31 + 2a1 a2 + a3 )z 6
+(a41 + 3a21 a2 + 3a1 a3 + a22 + a4 )z 7 + ...
= z 3 (1+A1 z+A2 z 2 +...)
where An Z[a1 , ..., a6 ] is a polynomial in the coecients of E. In [52] it is
shown that this recursion converges to a power series. Using the power series
w(z), we find the Laurent series for x and y.
x(z) =

1
a1
z
= 2
a2 a3 z (a4 + a1 a3 )z 2 ...
w(z)
z
z

y(z) =

1 a1 a2
1
= 3 + 2 + +a3 +(a4 +a1 a3 )z+...
w(z)
z z
z
52

Thus, we see that the pair x(z),y(z) yields a solution in the sense of formal

power series, i.e. if we substitute the formal power series x(z), y(z) into the
equation for E, we get the same formal power series on each side. Then, if
we want to produce some points on E(k) using the zcoordinate, we have
to verify that the series x(z), y(z) converge in the field k. In the field Qp , it
is the case if ordp (z) 1, i.e. z pZp and the coecients a1 , a2 , a3 , a4 and
a6 lie in Zp . This gives an injection pZp E(Qp ).
There is an addition law on the formal power series that corresponds to
the addition law on E(k). Let (z1 , w1 ), (z2 , w2 ) two points of E in the (z, w)plane, then the zcoordinate of the sum of these points z3 is obtained as a
power series in z1 and z2
z3 = F (z1 , z2 ) = z1 + z2 a1 z1 z2 a2 (z12 z2 + z1 z22 ) (2a3 z13 z2 (a1 a2
3a3 )z12 z22 +2a3 z1 z23 )+... Z [a1 , ..., a6 ][z1 , z2 ]
The development used to find F is explained in [52].
From now on, we assume that E is defined over Qp . In the following we will
define various groups and isomorphisms.
b
The first group to be defined is E(pZ
p ); it is essentially the set pZp with the

addition law x y = F (x, y) for all x, y pZp , where F is the formal power

b n Zp ) is the set pn Zp with this addition law

series defined before. Similarly, E(p
for all x, y pn Zp .

Let now be a function that reduces padic integers modulo p, i.e.

:

Zp

Fp

a0 +a1 p+... a0
e p obtained after reThe reduction of E modulo p is the elliptic curve E/F
ducing the coecients of E modulo p. A point P E can be represented

as (x1 , y1 , z1 ) with x1 , y1 , z1 Zp and at least one of x1 , y1 , z1 in Zp /pZp .

The reduced point Pe of P is obtained by reducing every projective co53

ordinate of P modulo p, namely Pe =

(x1 ), (y1 ), (z1 ) = (e

x1 , ye1 , ze1 ).

The nth subgroup of E is defined as En (Qp ) = {P E(Qp ) | ordp (Px )

2n}{O}, where Px denotes the xcoordinate of the point P .

The three subsets of E important for us are:
e p )}, contains the points which
i) The set E0 (Qp ) = {P E(Qp ) | Pe E(F
reduce modulo p to an element of E(Fp ).

e contains the points which

ii) The set E1 (Qp ) = {P E(Qp ) | Pe = O},
reduce modulo p to the identity element.

iii) The set E2 (Qp ) = {P E(Qp ) | ordp (Px ) 4}{O}.

There are two exact sequences defined by these subgroups:
0 E1 (Qp ) E0 (Qp ) E(Fp ) 0
which means that multiplying an element of E0 (Qp ) by a multiple of p will
produce a result which lies in E1 (Qp ).
0 E2 (Qp ) E1 (Qp ) F+
p 0
where F+
p denotes the additive group of Fp . This sequence tells us that if we
multiply an element in E1 (Qp ) by a multiple of p we will obtain an element of
E2 (Qp ).
We will now define three important isomorphism:
Definition 22 Three isomorphisms:
b
Isomorphism 1: p : E(pZ
p ) E1 (Qp ).

1
z
,
.
z

w(z) w(z)
b n Zp ) ' En (Qp ).
In general, E(p

Isomorphism 2: The formal logarithm logF induces an isomorphism

b
b
between E(pZ
p ) and pZp : logF : E(pZp ) pZp .
54

logF (z) =

(z) = z +

c1 2 c2 3
z + z + ...
2
3

where (z) = (1 + c1 z + c2 z 2 + c3 z 3 + ...)dz is the invariant dierential on

b
E(pZ
p ).

b n Zp ) ' pn Zp through logF .

In general, E(p
Isomorphism 3: p : E1 (Qp ) pZp .
P

logF 1
p (P ).

In general, En (Qp ) ' pn Zp .

4.2.3

The reduction

e be a curve of trace one defined over a finite field Fp with p prime, i.e.
We let E

e p ) = p. Since p is a prime, E(F

e p ) is cyclic group and therefore E(F
e p) '
#E(F

e e e
e
F+
p . As usual we are given P , Q E(Fp ) and we want to find , such that Q =
Pe.

Before looking at the reduction itself, we present two isomorphisms that are
of crucial importance for the method:
Theorem 23 Two isomorphisms:
e p ) and E0 (Qp )/E1 (Qp ) ' E1 (Qp )/E2 (Qp ) ' F+
E(Qp )/E1 (Qp ) ' E(F
p.

Proof. In order to prove the first one it suces to consider the reduction
e p ) and its kernel E1 (Qp ). The isomorphism
map modulo p, : E(Qp ) E(F
is given by applying the first isomorphism theorem of the group theory on .

The second one is a consequence of the isomorphisms 1, 2 and 3 given earlier.

The first step is to compute the lifts P, Q E(Qp ) of the points Pe and

e A point P E(Qp ) is said to be a lift of Pe if it reduces to Pe modulo p.

Q.
A method for computing a lift is given in [32]. It follows that
QP = R E1 (Qp )
55

The next step is to multiply both sides of the last expression by p. This gives
[p]Q([p]P ) = [p]R E2 (Qp )
Since [p]P and [p]Q lie in E1 (Qp ), we can apply isomorphism 3 from Definition 22. Then we get
p ([p]Q) p ([p]P ) p2 Zp .
So, this expression can be written in the form
c1 p+c2 p2 +...(d1 p+d2 p2 +...) = b2 p2 +b3 p3 +...
where the c1 s are the coecients of the padic expansion of p ([p]Q) and
the d1 s are the coecients of the padic expansion of p ([p]P ). Finally, we
obtain
=

p ([p]Q)
c1
mod p.
mod p =
p ([p]P )
d1

Now it suces to show how p (P ) can be computed for a point P E1 (Qp ).

In order to find , we only have to compute this modulo p2 . According to the

Px
b
definition of p , we have 1
E(pZ
p ), where Px , Py denote the
p (P ) =
Py

x, ycoordinate of P . Hence, using the definitions of the formal logarithm

and of p , we get
p (P )

Px
(mod p2 ).
Py

The algorithm requires O(log p) group operations on E(Qp ) [5]. With probability 1/p the above method will fail to find the required discrete logarithm
as we will obtain p ([p]P ) 0. However, a dierent curve E(Qp ) can then
e p ) modulo p and the method repeated.
be chosen which reduces to E(F

56

The use of hyperelliptic curves in attacking

the ECDLP

5.1

Basic definitions and properties

Hyperelliptic curves are a special class of algebraic curves and can be viewed
as generalizations of elliptic curves. There are hyperelliptic curves of every
genus g 1. A hyperelliptic curve of genus g = 1 is an elliptic curve. We

start by giving a formal definition of hyperelliptic curves:

Definition 24 Hyperelliptic curve

Let k be a field and k its algebraic closure. A hyperelliptic curve C of

genus g over k (g 1) is an equation of the form
C : v2 + h(u)v = f (u) in k[u, v]

(1)

where h(u) k[u] is a polynomial of degree at most g, f (u) k[u] is a

monic polynomial of degree 2g+1 and there are no solutions (x, y) kk

which simultaneously satisfy the equation y 2 +h(x)y = f (x) and the partial
derivative equations 2y + h(x) = 0 and h0 (x)y f 0 (x) = 0.
A singular point on C is a solution (x, y) k k which simultaneously

satisfies the equation y 2 + h(x)y = f (x) and the partial derivative equations

2y + h(x) = 0 and h0 (x)y f 0 (x) = 0. This means that hyperelliptic curves

are by definition non-singular.

Lemma 25 Let C be a hyperelliptic curve over k defined by equation (1).

1) If h(u) = 0, then char(k) 6= 2.
2) If char(k) 6= 2, then the change of variables u u, v (v h(u)/2)
transforms C to the form v 2 = f (u), where degu = 2g + 1.

3) Let C be an equation of the form (1) with h(u) = 0 and char(k) 6= 2.

Then C is a hyperelliptic curve if and only if f (u) has no repeated
roots in k.
57

Proof. 1) Suppose that h(u) = 0 and char(k) = 2. Then the partial

derivative equations reduce to f 0 (u) = 0. Note that degu f 0 (u) = 2g. Let
x k be a root of the equation f 0 (u) = 0 and let y k be a root of the

equation v2 = f (x). Then the point (x, y) is a singular point on C.

Statement 1) now follows.

2) Under this change of variables the equation (1) is transformed to

(v h(u)/2)2 + h(u)(v h(u)/2) = f (u)
which simplifies to v 2 = f (u) + h(u)2 /4. We note that degu (f + h2 /4) =
2g + 1.
3) A singular point (x, y) on C must satisfy y 2 = f (x), 2y = 0 and
f 0 (x) = 0. Hence y = 0 and x is a repeated root of the polynomial
f (u).
We continue the presentation of hyperelliptic curves by defining some
important properties.
Definition 26 Rational points, point at infinity, finite points, opposite, special and ordinary points
Let K be an extension field of k. The set of K rational points on C
denoted C(K) is the set of all points P = (x, y) K K which satisfy
the equation (1) of the curve C together with a special point at infinity
denoted O. K is called the base field. The set of points C(k) will simply
be denoted by C. The points in C other than O are called finite points.
For P = (x, y) C the inverse (or conjugate) of P is the point

Pe = (x, y h(x)). When P satisfies P = Pe it is called a special

(or ramified) point. Otherwise the point is called ordinary. The point at
e
infinity O is a special point O = O.
58

Next we define the Jacobian of an hyperelliptic curve over k. As we

will see later, this quantity plays a crucial role in the implementation of
hyperelliptic curve cryptosystems. In analogy with the divisor theory for the
elliptic curves, we let D0 denote the divisors of degree 0 and the set of all
principal divisors by Dprinc .
Definition 27 The Jacobian of the curve C over k
The quotient group JC (k) = D0 /Dprinc is called the Jacobian of the curve
C over k.
Here we note that a divisor D =
D =

nP (P ) is said to be defined over k if

P C

nP (P ) = D for all automorphisms of k over k. If D is defined

P C

over k, it does not mean that each point in the support of D is krational.
A principal divisor is defined over k if and only if it is a divisor of a rational
function that has coecients in k.

In order to have a unique representation for the divisors in J(C) we introduce

reduced and semi-reduced divisors:
Definition 28 Semi-reduced and reduced divisors
A semi-reduced divisor is a degree 0 divisor of the form
P
P
D=
nP (P ) (
nP )O with the following properties:
P C\O

P C\O

(1) nP 0.
(2) if P 6= Pe and nP > 0, then nPe = 0.
(3) if P 6= Pe and nP > 0, then nP = 1.

A semi-reduced divisor is called a reduced divisor when additionally:

P
nP genus.
4)
P C

59

Lemma 29 For each divisor D D0 there exists a semi reduced divisor D1

(D1 D0 ) such that D D1 .
Proof. Let D =

nP (P ). Let (C1 , C2 ) be a partition of the set

P C

of ordinary points on C such that

1) P C1 if and only if Pe C2
2) if P C1 then nP nPe .

Let C0 be the set of special points on C. Then we can write

P
P
P
D=
nP (P ) +
nP (P ) +
nP (P ) n(O).
P C1

P C2

P C0

We consider the following divisor:

nP
D1 = D
nP div(u x)
div(u x).
P =(x,y)C2
P =(x,y)C0 2
P

This in turn equals:

P
ne
(nP nPe )(P ) +
(nP 2 P )(P )
nP (O).
D1 =
2
P C1
P C3
P sup p(D1 )
P

Thus it follows that every divisor D D0 can be modified by principal

divisors to obtain a semi-reduced D1 D.
Lemma 30 For each divisor D D0 there exists a unique reduced divisor
D1 , D1 D0 , such that D D1 .

Proof. The proof of both the existence and uniqeness can be found in
[39].
The statement of the last lemma means that each equivalence class contains a unique reduced divisor and the set of reduced divisors of C over k
forms a complete system of representatives for the Jacobian of C over k.
P
P
Each semi-reduced divisor D =
nP (P ) (
nP )O defined over k
P C\O

60

P C\O

can be uniquely represented by a pair of polynomials a, b k[u], where

Q
(u xP )nP is monic, and b(u) is the unique polynomial such that:
a(u) =
P C

(i) deg b < deg a

(ii) for all P C; if nP 6= 0, then b(xP ) = yP
(iii) a divides b2 +bhf .
In this case, D = gcd(div(a), div(b v)), and we write D = div(a, b). Therefore, each reduced divisor D defined over k has a unique representation of
the form D = div(a, b), where a, b k[u] with a monic, deg b < deg a < g,
and a divides b2 + bh f . The degree of D is deg a. We notice that the
opposite of D = div(a, b) is given by D = div(a, h b).
For hyperelliptic curves of genus g 2, there is no natural group law
for a curve C defined over k. A group law is defined via JC (k). If k is a
finite field, there are only finitely many divisor class representatives of the
form div(a, b), and JC (k) is a finite abelian group. If k has order q and
the curve C is of genus g over k, then the theorem of Weil implies that

( q 1)2g #JC (k) ( q + 1)2g , so #JC (k) q g . Cantor developed

an ecient algorithm for calculating the group law on specific hyperelliptic
curves. The restrictions of this algorithm were the assumptions that h(u) = 0
and char(k) 6= 2. This algorithm was later generalized by Koblitz. Koblitzs
algorithm makes use of the unique reduced representation of the elements of
JC (k). The algorithm contains two steps. Let D1 = div(a1 , b1 ) and D2 =
div(a2 , b2 ) be reduced divisors defined over k, so a1 , b1 , a2 , b2 k[u]. The
first part of the algorithm finds a semi-reduced D = (a, b) with a, b k[u],
such that D D1 + D2 . The second part of the algorithm reduces D to an
equivalent reduced divisor D0 .
61

Algorithm 31 Computation of the composition

Input: Reduced divisors D1 = div(a1 , b1 ) and D2 = div(a2 , b2 ).
Output: A semi-reduced divisor D = div(a, b) such that D D1 + D2 .
1) Compute d1 = gcd(a1 , a2 ) = e1 a1 + e2 a2 .
2) Compute d = gcd(d1 , b1 + b2 + h) = c1 d1 + c2 (b1 + b2 + h).
3) Let s1 = c1 e1 , s2 = c1 e2 and s3 = c2 so that
d = s1 a1 + s2 a2 + s3 (b1 + b1 + h).
4) Set
a=
and

a1 a2
d2

s1 a1 b2 + s2 a2 b1 + s3 (b1 b2 + f )
mod a.
b=
d

The complete proof that this part of the algorithm works can be found
in [39].
Algorithm 32 Computation of the reduction
Input: A semi-reduced divisor D = (a, b).
Output: The unique reduced divisor D0 = div(a0 , b0 ) such that D0 D.
1) Set

f bh b2
a =
a
0

and
b0 = (h b) mod a0 .
2) If deg(a0 ) > genus then go to step 1).
3) Make a0 monic.
Once again, the complete proof that this part of the algorithm works can
be found in [39].
62

5.2

The discrete logarithm problem on hyperelliptic

curves

We will in the following make a short review of the attacks which are specific
to hyperelliptic curves. The description and analysis of these attacks is not
the objective of this paper and we will limit us to give the expected running
times of the various attacks. The reason to list them is that they are used
in the final stage of the GHS attack on the ECDLP which will be described
in the next subsection. Now we describe the discrete logarithm problem
on hyperelliptic curve or HCDLP. Let C be a hyperelliptic curve of genus
g over k = Fq . The HCDLP is defined as follows: given C, D1 JC (k),
r = ord(D1 ), and D2 hD1 i, find the integer [0, r 1] such that
D2 = D1 .
Since the HCDLP is a generalization of the ECDLP it is no surprise that
all of the known attack on the ECDLP can be extended to an attack on
the HCDLP. This includes the Pohlig and Hellmann, the BSGS, the MOV
and the Frey-Ruck attacks. But just as for the ECDLP, these methods only
have limited success in solving the HCDLP. And again, the first method that
poses a real threat is Pollards method. The expected running time of the
algorithm is O(g 2 qn/2 log2 q/m) [24], where, as before, m denotes the number
of processors involved. However, since the group operations in E(k) can be
performed faster than the group operations in JC (k), it is more ecient to
apply the method directly in E(K).
The other alternative is to use index-calculus algorithms. Adleman, DeMarrais and Huang (ADH) [1] presented the first index-calculus algorithm
for solving the HCDLP. Their algorithm was described for the case q an odd
prime, but this was later extended in [4] to arbitrary q. The algorithm has
an expected running time of Lq2g+1 [c] for g and log q (2g + 1)0,98 ,

where c < 2, 313 and Ln [c] = O(exp((c + o(1)) log n log log n)) [24]. The
algorithm does not assume that the group order #JC (k) is known.
63

Building on the ADH algorithm, Gaudry presented an algorithm [20]

which has an expected running time of O(g 3 q2 log2 q + g2 g!q log2 q). If g is
fixed, then this running time is O(q 2+ ) and the algorithm can be modified
2g

to one with running time O(q g+1 ) as q [19]. Gaudrys algorithm is

2g
n
[35], but becomes impractical for
faster than the method when >
2
g+1
large genera, g 10, because of the large multiplicative factor g!.
For larger g, the algorithm of Gaudry and Enge [11] should be employed.

This algorithm has an expected running time of Lqg [ 2] = Lq2g+1 [1] bit oper

ations for g/ log q , where Ln [c] = O(exp((c + o(1)) log n log log n)).
Since its running time is subexponential in qg , this algorithm is infeasible

when q g is very large, i.e. q g 21024 [35]. The main reason for the improved running time over the ADH is that the order and structure of JC (k)
is assumed to be known.

5.3

The Gaudry, Hess and Smart (GHS) attack on the

ECDLP

The technique of Weil descent to solve the ECDLP was first proposed by Frey
[13]. This strategy was detailed further by Galbraith and Smart [16]. These
papers were rather general in their scope, but were not detailed enough to
give precise and ecient algorithms to solve the ECDLP for specific curves.
The work of Gaudry, Hess and Smart [19] was less general than the earlier
works but gave much more powerful and ecient techniques. We refer to the
method as the GHS attack. We will in the following give an overview of the
attack. More detailed analyses can be found in papers from the references.
Before describing the method we note that almost all research on Weil
descent has been performed in characteristic 2. The ideas are easily applied
to finite fields Fpn , where p is odd and n < 1, but the results in these cases
are not as strong as in the case of characteristic 2.
We start now the description of the algorithm. Let l and n be positive
64

integers. For the remainder of the section we let q = 2l , k = Fq and K =

Fqn be the field extension, with kbasis { 0 , 1 , ..., n1 }. We consider the
elliptic curve E defined over K by the equation
E : y+xy = x3 +ax2 +b, a K, b K .
Let : K K be the Frobenius automorphism defined by q , and let

bi = i (b) for 0 i n 1. We define

p

m = m(b) = dimF2 (SpanF2 {(1, b0 ), (1, b1 ), ..., (1, bn1 )})

and assume one of the following conditions

i) n is odd, or ii) m(b) = n, or iii) T rK/F2 (a) = 0 [19].

The first step of the in the process is to construct the Weil restriction
WE/k of scalars of E over k. We set
a = 0 0 + 1 1 + ... + n1 n1
b = 0 0 + 1 1 + ... + n1 n1
x = x0 0 + x1 1 + ... + xn1 n1
y = y0 0 + y1 1 + ... + yn1 n1
where i , i k are given and xi , yi k are variables. Substituting these

equations into the equation for our elliptic curve and equating coecients
of i , we obtain WE/k , which is an ndimensional abelian variety defined

over k, the group law on WE/k being given by the group law on E(K). This
process is called Weil descent.
The next step is to intersect WE/k with n1 carefully chosen hyperplanes
to obtain the hyperelliptic curve C. The genus g of C is either 2m1 or
2m1 1, where m = m(b).

The final step of the method is to construct an explicit group homomor-

phism
: E(K) JC (k).
65

It was argued in [19] that assuming #E(K) = rd, r a prime and d a small
integer, it is highly unlikely that the kernel of will contain the subgroup of
order r of E(K) unless E is defined over a proper subfield of K containing
k. Thus, can be used to reduce instances of the ECDLP to instances of
the HCDLP. Namely, given P and Q hP i, then logP Q = log(P ) (Q).

Now, the GHS attack is deemed to be successful if the genus g of C is

small enough so that either Gaudrys or Gaudry and Enges algorithm is

more ecient than Pollards algorithm. The GHS attack fails if either q g is
too large, say q g 21024 , or if g = 1, in which case JC (k) is isogenous with
E(K). For the case q = 2 this translates to m 11 or m = 1 [35].

Menezes and Qu [35] proved the following theorem which characterizes

the smallest values of m > 1 and the elliptic curves which give rise to such
m.
Theorem 33 Let n be an odd prime, t the multiplicative order of 2 modulo
n and s = (n 1)/t.
i) The polynomial xn 1 factors over F2 as (x 1)f1 f2 ...fs , where the
fi s are distinct irreducible polynomials of degree t. For 1 i s
define

Bi = {b K | ( 1)fi ()b = 0}.

ii) For all 1 i s and all b Bi , the elliptic curves
y 2 + xy = x3 + x2 + b
y 2 + xy = x3 + b
have m(b) t + 1, where is a fixed element of K of trace one.
iii) If m(b) = t + 1 then E must be one of the previous curves for some i
and some b Bi .
iv) The cardinality of the set

i=1..s

Bi is qs(q t 1) + q.

66

Proof. See [35].

It was also shown in [35] that if n is a prime in the range 160 n
600 and q = 2 then the GHS attack will be infeasible. Since F2n with n
prime are the field dimensions of interest when implementing elliptic curve
cryptography schemes, we might conclude that the GHS is ineective on
real-life implementations. However, there are a few deployed elliptic curve
systems that use the fields F2155 and F2185 in some standards. Curves over the
field F2155 were examined in [24] and it was established that the GHS attack
could be used to attack approximately 232 isomorphism classes of elliptic
curves defined over this field. Since there are about 2156 isomorphism classes
of elliptic curves over F2155 , the probability of finding one where the GHS
attack is applicable is negligible. Further analysis of the GHS attack has
been given in [33].
A new approach to Weil descent was given in [15]. It was shown that we
can sometimes apply the GHS attack to a curve which has a large value of
m(b). The idea is to find an isogenous curve E 0 (K) which has a small value
of m(b0 ) and an isogeny E(K) E 0 (K). The discrete logarithm problem in
E(K) can then be mapped in to the discrete logarithm problem in E 0 (K) and

then this can be mapped using the GHS method to the discrete logarithm
problem in the Jacobian of a hyperelliptic curve of low genus. Ecient
methods to find the isogenous curve and the isogeny are given in [15], as
well as a study as to how eective this extension to the GHS method is in
practice. This extension to the original attack can still not solve real life
problems, but as it was pointed out in [33], the failure of the GHS method
does not imply a failure of the Weil descent methodology, there may be other
useful curves which lie on the Weil restriction WE/k that are not constructed
by the GHS method.

67

Summary
In this thesis we presented the known algorithms for attacking the discrete logarithm problem over the elliptic curves, the ECDLP. We started by
presenting some basic definitions and facts from the theory of elliptic curves.
We proceeded to describe the generic attacks, i.e. algorithms that may be
used to solve the ECDLP over general elliptic curves. An in depth analysis
of Pollards and algorithms were given. The analysis included both the
original method of Pollard and the improvements given by Teske. In addition we have shown the way to parallelize the algorithms, i.e. how to run
the attack over a number of processors. The parallelized algorithm is the
method of choice when trying to solve the ECDLP in practice. It was used
to solve to ECDLP challenges set by the Certicom company.
We have also presented special algorithms for solving the ECDLP. These
attacks are special in the sense that they are designed to exploit weaknesses
in the structure of some classes of elliptic curves. The algorithms that
were analyzed included the Menezes-Okamoto-Vanstone (MOV) algorithm
based on the Weil pairing, the Frey-Ruck (FR) algorithm based on the TateLichtenbaum pairing, the algorithm of Smart on the anomalous curves and
the relatively new algorithm of Gaudry, Hess and Smart (GHS) based on the
Weil descent methodology. These algorithms are eective in attacking classes
of elliptic curves which they were designed for, but are easily circumvented
in actual implementations.

68

References

1. L. M. Adleman, J. DeMarrais, M.-D. A. Huang: A Subexponential

Algorithm for Discrete Logarithms over Hyperelliptic Curves of Large
Genus over GF(q), TCS 226(1-2) 7-18(1999)
2. A. O. Atkin: The number of points on an elliptic curve modulo a
prime, Draft, 1998
3. R. Balasubramanian, N. Koblitz: Improbability that an elliptic curve
has subexponential discrete logarithm problem under the MenezesOkamoto-Vanstone algorithm, Journal of Cryptology, vol. 11, p. 141145, 1998
4. M. Bauer: A subexponential algorithm for solving the discrete logarithm problem in the Jacobian of high genus hyperelliptic curves over
arbitrary finite fields, 2000
5. I.F Blake, G. Seroussi and N.P. Smart: Elliptic curves in cryptography, Cambridge University Press, 1999
6. I.F Blake, G. Seroussi and N.P. Smart: Advances in elliptic curve
cryptography, Cambridge University Press, 2005
7. I. Blake, K. Murty, G. Xu: Refinements of Millers algortihm for computing Weil/Tate pairing, 2003,
http://eprint.iacr.org/2004/065.pdf
8. R. P. Brent: An improved Monte Carlo factorization algorithm, BIT
20, p. 176-184, 1980
9. Certicom Corp, http://www.certicom.com
10. N. D. Elkies: Elliptic and modular curves over finite fields and related
computational issues, Computational perspectives on number theory,
Stud. Adv. Math., vol. 7, AMS/ IP, p. 21-76, 1998
11. A. Enge, P. Gaudry: A general framework for subexponential discrete
logarithm algorithms, Acta arith., 102, p. 83-103, 2002
69

12. A. Enge: Computing discrete logarithms in high genus hyperelliptic

jacobians in provably subexponential time, Mathematics of computation, Volume 71, Nr. 238, p. 729-742
13. G. Frey: How to disguise an elliptic curve,
http://cacr.math.uwaterloo.ca/conferences/1998/ecc98/frey.ps
14. G. Frey, M Muller, H.-G. Ruck: The Tate pairing and discrete logarithm apllied to elliptic curve cryptosystems, 1998
15. S. D. Galbraith, F. Hess, N. P. Smart: Extending the GHS Weil
descent attack, Advances in Cryptology - EUROCRYPT 2002, p. 29
44. Springer-Verlag, 2002
16. S.D. Galbraith, N. P. Smart: A cryptographic application of Weil
descent, Cryptography and Coding Theory, LNCS 1746, p. 191200.
Springer-Verlag, 1999
17. D. Galbraith, K. Harrison, D. Soldera: Implementing the Tate pairing, 2002
http://www.hpl.hp.com/techreports/2002/HPL-2002-23.pdf
18. R. Gallant, R. Lambert and S. Vanstone: Improving the parallelized
Pollard lambda search on anomalous binary curves, Mathematics of
Computation, Vol. 69, No. 232, p. 1699-1705, 1999
19. P. Gaudry, F. Hess, N. P. Smart: Constructive and destructive facets
of Weil descent on elliptic curves, 2000
http://www.hpl.hp.com/techreports/2002/HPL-2002-23.pdf
20. P. Gaudry: An algorithm for solving the discrete log problem on hyperelliptic curves, Eurocrypt 2000
21. D. Hankerson, A. Menezes: Elliptic curve discret logarithm problem,
Auburn University, 2003
22. R. Harasawa, J. Shikata, J. Suzuki, H. Imai: Comparing the MOV and
FR reductions in elliptic curve cryptography, Advances in CryptologyEurocrypt, Springer-Verlag, 1999
23. F. Hess: Generalising the GHS attack on the elliptic curve discrete
logarithm problem, LMS J. Comput. Math. 7, p. 167-192, 2004
70

24. M. Jacobson, A. Menezes, A. Stein: Solving elliptic curve discrete

logarithm problems using Weil descent, 2001
http://eprint.iacr.org/2001/041.pdf
25. M. Jacobson, A. Menezes, A. Stein: Hyperelliptic curves and cryptography, 2002
http://www.math.uwaterloo.ca/ajmeneze/publications/hcc.pdf
26. N. Kanayama, T. Kobayashi, T. Saito, Sh. Uchiyama: Remarks on
elliptic curve discrete logarithm problem, IEICE Trans. fundamentals,
Vol. E83-A, No. 1, 2000
27. N. Koblitz: CM-Curves with good cryptographic properties, Advances in Cryptology - CRYPTO 91. Springer-Verlag 576, p. 279-287,
1992
28. N. Koblitz, A. Menezes, S. Vanstone: The state of the elliptic curve
cryptography, Designs, codes and cryptography, 19, p. 173-193, 2000
29. N. Koblitz: P-adic numbers, p-adic analysis and zeta functions,
Graduate texts in mathematics, Vol. 58, Springer-Verlag, 1996
30. N. Koblitz, Elliptic curve cryptosystems, Math. Comp., 1987
31. F. Kuhn, R. Struik: Random walks revisited: Extension of Pollards
rho algorithm for computing multiple discrete logarithms, 2001
http://cr.yp.to/bib/2001/kuhn-rho.pdf
32. F. Leprevost, J. Monnerat. S. Varrette, S. Vaudenay: Generating
anomalous elliptic curves, 2004
http://lasecwww.epfl.ch/pub/lasec/doc/LMVV05.pdf
33. M. Maurer, A. Menezes, E. Teske: Analysis of the GHS Weil descent
attack on the ECDLP over characteristic two finite fields of composite
degree, 2001
http://eprint.iacr.org/2001/084.ps.gz.
34. A. Menezes, E. Teske: Cryptographic implications of Hess generalized
GHS attack, Applicable algebra in Engineering, communication and
computing, Vol. 16, No. 6, p. 439-460, Springer-Verlag, 2006
71

35. A. Menezes, M. Qu: Analysis of the Weil descent attack of Gaudry,

Hess and Smart, 2001
www.cacr.math.uwaterloo.ca/techreports/2000/corr2000-48.ps
36. A. Menezes, T. Okamoto, S. Vanstone: Reducing elliptic curve logarithms to logarithms in a finite field, Information theory, IEEE Transactions, Vol. 39, No. 5, p. 1639-1646, 1993
37. A. Menezes: Elliptic curve public key cryptosystems, Kluwer Academic Publishers, 1993
38. A. Menezes: The elliptic curve discrete logarithm problem (ECDLP),
2001,
www.ipa.go.jp/security/enc/CRYPTREC/fy15/doc/1028 ecdlp.pdf
39. A. Menezes, Y.-H. Wu, R. Zuccherato: An elementary introduction
to hyperelliptic curves, 1996
http://www.certification.tn/fileadmin/Ecolecrypto/Avanzi/Menezes
Wu Zuccherato - Introduction to Hyperelliptic Curves.pdf
40. V. Miller: Use of elliptic curves in cryptography, Advances in cryptology, CRYPTO85, Springer-Verlag, 1986
41. A. Miyaji: Curves over Fp suitable for cryptosystems, Lecture notes
in computer science, Vol. 718, 1992
42. P. C. van Oorschot, M. J. Wiener: Parallel collision search with cryptanalytic applications, Journal of Cryptology, 1999
43. J. M. Pollard: Kangaroos, Monopoly and Discrete Logarithms, Journal of cryptology, 2000
44. H. G. Ruck: The Tate pairing on elliptic curves, ECC98, Waterloo,
1998
45. T. Saito, Sh. Uchiyama: A remark on the MOV algorithm for nonsupersingular elliptic curves, 2001
http://cnscenter.future.co.kr/resource/crypto/algorithm/ecc/e84-a 5 1266.pdf
46. R. Schoof: Nonsingular plane cubic curves over finite fields, Journal
of combinatorial theory, Series A, Vol. 46, No. 2, 1987
72

47. Rene Schoof: Counting points on elliptic curves over finite fields,
Journal de Theorie des Nombres, tome 7, nr. 1 (1995), p. 219-254
48. V. Schoup: Lower bounds for discrete logarithm and related problems, Advances in Cryptology-EUROCRYPT 97, Springer-Verlag LNCS,
p. 313-328, 1997
49. I. A. Semaev: Evaluation of discrete logarithms in a group of p-torsion
points of an elliptic curve in characteristic p, Mathematics of computation, Vol. 67, No. 221, 1998
50. J. Shikata, Y. Zheng, J. Suzuki, H. Imai: Optimizing the MenezesOkamoto-Vanstone (MOV) algorithm for non-supersingular elliptic curves,
Advances in cryptology-Asiacrypt 99, p. 86-102, 1999
51. J. Shikata, Y. Zheng, J. Suzuki, H. Imai: Realizing the MenezesOkamoto-Vanstone (MOV) reduction for ordinary elliptic curves, 2000
http://www.sis.uncc.edu/yzheng/publications/files/ieiceE83-2k-4.pdf
52. J. H. Silverman: The arithmetic of elliptic curves, GTM 106, SpringerVerlag, 1986
53. J. H. Silverman: Advanced Topics in the Arithmetic of Elliptic Curves,
Springer-Verlag, 1995
54. N.P. Smart: How secure are elliptic curves over composite extension
fields, 2000
http://www.iacr.org/archive/eurocrypt2001/20450030.pdf
55. N. P. Smart: The discrete logarithm problem on elliptic curves of trace
one, Journal of cryptology, Vol. 12, No. 3, 1999
56. Standards for ecient cryptography. SEC2: Recomended elliptic curve
domain parameters. Version 1.0, http://www.secg.org/, 2000
57. M. Stobauer: Ecient algorithms for pairing based cryptosystems,
diploma thesis, Darmstad university of technology, 2004
58. C. Studholme: The discrete logarithm problem, 2001
http://www.cs.toronto.edu/cvs/dlog/research paper.pdf
59. E. Teske: Square-root algorithms for the discrete logarithm problem,
2001
www.math.uwaterloo.ca/eteske/squareroots.ps
73

60. E. Teske: Computing discrete logarithms with the parallelized kangaroo method, 2001
http://www.cacr.math.uwaterloo.ca/techreports/2001/corr2001-01.ps
61. E. Teske: Speeding up Pollards rho method for computing discrete
logarithms, Technical report No. TI-1/98, Technische Hochschule
Darmstadt, 1998
62. E. Teske: On random walks for Pollards rho method, Mathematics
of computation, Vol. 70, p. 809-825, 2001
63. S. Vanstone: ECC Holds Key to Next-Gen Cryptography, Certicom
Corporation, 2004

74