Team tanc

Overall Objectives
Scientific Foundations
Application Domains
New Results
Contracts and Grants with Industry
Other Grants and Activities
Inria / Raweb 2004
Project: tanc

Project : tanc

Section: New Results

The discrete logarithm in jacobians of curves

Participant : Pierrick Gaudry.

Attacking elliptic curves over small degree extension fields

P. Gaudry [23] has developped an algorithm that can solve the discrete logarithm problem in elliptic curves defined over a finite field of the form GF(qn), when n3 is a small integer. His algorithm lies in the family of the so-called Weil-descent attacks. The main difference with previously known algorithms is that the use of the theory of function fields is replaced by Gröbner basis computations. As a consequence, the range of application of the algorithm is less restrictive than previously known attacks (that often worked only for small classes of curves). On the other hand, the dependance in n is so bad that only the case n=3 and n=4 are meaningful in practice.

It is important to stress that the two cases widely used in practice, which are GF(p) and GF(2n) with a prime n, are not vulnerable to this approach. Gaudry's result can be viewed as a confirmation about ``bad feelings'' that most researcher had about the security of curves over small degree extension fields.

Attacking low genus hyperelliptic curves

P. Gaudry, E. Thomé and N. Thériault [34] have improved index calculus algorithms for computing discrete logarithms in jacobians of hyperelliptic curves of low genus at least 3. Their attack is based on the addition of a double large prime variation to a previously known algorithm. The surprise is that in the case of discrete logarithm of curves, the complexity is improved, whereas in all other application ranges of double large prime variations, the gain is only by a constant factor. Hence, the main difficulty for this work was to provide a complexity analysis that was also validated by numerous computer experiments.

As a consequence, curves of genus 3 and larger than 3 should be used with extreme care when deployed in a cryptosystem. At the very least, a cryptosystem based on a genus 3 curves must have a key-size about 12% larger than an elliptic cryptosystem to offer the same level of security.


Logo Inria