2.1 The index calculus method
For a given point \(P \in E_{\alpha,\beta}\), let Q be a point in \(\langle P\rangle\). The index calculus method can be adapted to elliptic curves to compute the discrete logarithm of Q with respect to P.
As shown in Algorithm 1, we first select a factor base \(F \subset E_{\alpha,\beta}\) and perform a relation search, expressed as the loop between lines 3 and 7 of Algorithm 1. This part is currently the efficiency bottleneck of the algorithm. For each step of the loop, we compute \(R := [a]P + [b]Q\) for random integers a and b and apply the Decompose function to R to find all tuples \((P_{j_1}, \ldots, P_{j_m})\) of m elements \(P_{j_\ell} \in F\) such that \(P_{j_1} + P_{j_2} + \cdots + P_{j_m} + R = O\). Note that we may obtain several decompositions for each point R. In line 6, the AddRelationToMatrix function encodes every decomposition of a point R as a row vector of the matrix M. More precisely, the first \(\#F\) columns of M correspond to the elements of F, the last two columns correspond to P and Q, and the coefficients of these points in the relation are the entries of the row. In line 8, the ReducedRowEchelonForm function reduces M into row echelon form. When the rank of M reaches \(\#F + 1\), the last row of the reduced M has the form \((0, \cdots, 0, a', b')\), which implies \([a']P + [b']Q = O\). From this relation, we obtain \(k = -a'/b' \bmod \#\langle P\rangle\).
A straightforward method to implement the Decompose function would be to exhaustively compute the sums of all m-tuples of points in F and to compare these sums to R. However, this method would not be efficient enough.
2.2 Semaev’s polynomials
Semaev’s polynomials [18] allow replacing the complicated addition law involved in the point decomposition problem by a somewhat simpler polynomial equation over \(\mathbb {F}_{2^{n}}\).
Definition 1.
The m-th Semaev’s polynomial \(s_m\) for \(E_{\alpha,\beta}\) is defined as follows:
$$s_{2} := x_{1} + x_{2},$$
$$s_{3} := (x_{1}x_{2} + x_{1}x_{3} + x_{2}x_{3})^{2} + x_{1}x_{2}x_{3} + \beta, \text{ and}$$
$$s_{m} := \mathrm{Res}_{X}\big(s_{j+1}(x_{1},\ldots,x_{j},X),\ s_{m-j+1}(x_{j+1},\ldots,x_{m},X)\big)$$
for \(m \ge 4\), \(2 \le j \le m-2\).
The polynomial \(s_m\) is symmetric and has degree \(2^{m-2}\) with respect to each variable. Definition 1 provides a straightforward method to compute it. In practice, computing large Semaev’s polynomials may not be a trivial task, even if the symmetry of the polynomials can be used to accelerate it [12]. Semaev’s polynomials have the following property:
Proposition 1.
We have \(s_m(x_1, x_2, \ldots, x_m) = 0\) if and only if there exist \(y_{j}\in \mathbb {F}_{2^{n}}\) such that \(P_j = (x_j, y_j) \in E_{\alpha,\beta}\) and \(P_1 + P_2 + \cdots + P_m = O\).
In his seminal paper [18], Semaev proposed to choose the factor base F in Algorithm 1 as
$$F_{V}:=\{(x,y)\in E_{\alpha,\beta} \mid x\in V\} $$
where V is some subset of the base field of the curve. According to Proposition 1, finding a decomposition of a given point \(R = [a]P + [b]Q\) is then reduced to first finding \(x_i \in V\) such that
$$s_{m+1}(x_{1}, x_{2},\ldots, x_{m}, x(R)) = 0, $$
and then finding the corresponding points \(P_j = (x_j, y_j) \in F_V\).
A straightforward Decompose function using Semaev’s polynomials is described in Algorithm 2.
In this algorithm, Semaev’s polynomial is solved by a naive exhaustive search. Since every x-coordinate corresponds to at most two points on the elliptic curve \(E_{\alpha,\beta}\), each solution of \(s_{m+1}(x_1, x_2, \ldots, x_m, x(R)) = 0\) may correspond to up to \(2^m\) possible solutions in \(E_{\alpha,\beta}\). These potential solutions are tested in line 5 of Algorithm 2. As such, Algorithm 2 still involves some exhaustive search and clearly cannot solve ECDLP faster than generic algorithms.
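The following is an added example, not code from the paper: the Decompose function of Algorithm 2 for m = 2 on a constructed toy setting (GF(2^8) with the AES modulus, the curve y² + xy = x³ + x² + 1, and V = {0, …, 15}). The pairs with s_3(x_1, x_2, x(R)) = 0 are lifted to the up to 2^m candidate point pairs, which the line-5 test then filters; the result is checked against exhaustive search over pairs of factor-base points. Function names such as `decompose_semaev` are our own.

```python
MOD, N, A, B = 0x11B, 8, 1, 1      # constructed toy setting: GF(2^8), curve y^2 + xy = x^3 + A x^2 + B
def mul(a, b):                     # multiplication in GF(2^N)
    r = 0
    while b:
        if b & 1: r ^= a
        a, b = a << 1, b >> 1
        if a >> N: a ^= MOD
    return r
INV = [0] * (1 << N)               # inverse table by search; the field is tiny
for a in range(1, 1 << N):
    INV[a] = next(b for b in range(1, 1 << N) if mul(a, b) == 1)
def curve_points():                # all affine points of E: y^2 + xy = x^3 + A x^2 + B
    pts = []
    for x in range(1 << N):
        rhs = mul(mul(x, x), x) ^ mul(A, mul(x, x)) ^ B
        pts += [(x, y) for y in range(1 << N) if mul(y, y) ^ mul(x, y) == rhs]
    return pts
PTS = curve_points()
def add(P, Q):                     # binary-curve group law; None is the point at infinity O
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 != y2 or x1 == 0: return None   # Q = -P = (x1, x1 + y1), or doubling the 2-torsion point (0, 1)
        lam = x1 ^ mul(y1, INV[x1])
        x3 = mul(lam, lam) ^ lam ^ A
        return x3, mul(x1, x1) ^ mul(lam ^ 1, x3)
    lam = mul(y1 ^ y2, INV[x1 ^ x2])
    x3 = mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return x3, mul(lam, x1 ^ x3) ^ x3 ^ y1
def s3(x1, x2, x3):                # Semaev's s_3 for this curve: (x1x2 + x1x3 + x2x3)^2 + x1x2x3 + B
    t = mul(x1, x2) ^ mul(x1, x3) ^ mul(x2, x3)
    return mul(t, t) ^ mul(mul(x1, x2), x3) ^ B
FV = {x: [P for P in PTS if P[0] == x] for x in range(16)}   # factor base F_V: points with x in V = {0..15}
def decompose_semaev(R):           # Algorithm 2, m = 2: solve s_3(x1, x2, x(R)) = 0 over V^2, then test candidates
    sols = set()
    for x1 in FV:
        for x2 in FV:
            if x2 < x1 or s3(x1, x2, R[0]): continue       # s_3 is symmetric, so x1 <= x2 suffices
            for P1 in FV[x1]:                              # each x lifts to at most 2 points: up to 2^m candidates
                for P2 in FV[x2]:
                    if add(add(P1, P2), R) is None:        # the line-5 test: P1 + P2 + R = O ?
                        sols.add(tuple(sorted((P1, P2))))
    return sols
def decompose_brute(R):            # reference: exhaustive search over all pairs of factor-base points
    fb = [P for ps in FV.values() for P in ps]
    return {tuple(sorted((P1, P2))) for P1 in fb for P2 in fb if add(add(P1, P2), R) is None}
```

Some x-pairs with s_3 = 0 survive only as candidates (the lifted points have the wrong sign, or the x-coordinate carries no rational point), which is exactly why the line-5 test is needed.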
2.3 FPPR method
At Eurocrypt 2012, following similar approaches by Gaudry [9] and Diem [2,3], the FPPR method gave V the structure of a vector space in order to reduce the resolution of Semaev’s polynomial to a system of multivariate polynomial equations. They then solved this system using Gröbner basis algorithms [7].
More precisely, the FPPR method fixes V as a random vector subspace of \(\mathbb {F}_{2^{n}}/\mathbb {F}_{2}\) of dimension n'. If \(\{v_{1},\ldots,v_{n^{\prime }}\}\) is a basis of this vector space, the resolution of Semaev’s polynomial is reduced to a polynomial system as follows. For any fixed \(P' \in F_V\), we can write \(x(P')\) as
$$x(P')=\bar{c}_{1}v_{1} + \bar{c}_{2}v_{2} + \ldots + \bar{c}_{n'}v_{n'} $$
where \(\bar {c}_{\ell }\in \mathbb {F}_{2}\) are known elements. Similarly, we can write all the variables \(x_j \in V\) in \(s_{m+1}\mid _{x_{m+1} = x(R)}\) as
$$\left\{\begin{array}{ll} x_{j} = c_{j,1}v_{1} + c_{j,2}v_{2} + \ldots +c_{j,n'}v_{n'}, & 1 \le j \le m,\\ x_{m+1} = r_{1}v_{1} + r_{2}v_{2} + \ldots + r_{n}v_{n}, & \end{array}\right. $$
where the \(c_{j,\ell}\) are binary variables, \(r_{\ell }\in \mathbb {F}_{2}\) are known, and \(\{v_1, \ldots, v_n\}\) extends the basis of V to a basis of \(\mathbb{F}_{2^n}\) over \(\mathbb{F}_2\). Using these equations to substitute the variables \(x_j\) in \(s_{m+1}\), we obtain an equation
$$s_{m+1} = f_{1}(c_{j,\ell})v_{1} + f_{2}(c_{j,\ell})v_{2} + \ldots +f_{n}(c_{j,\ell})v_{n}, $$
where \(f_1, f_2, \ldots, f_n\) are polynomials in the binary variables \(c_{j,\ell}\), \(1 \le j \le m\), \(1 \le \ell \le n'\).
We have \(s_{m+1}\mid _{x_{m+1} = x(R)} = 0\) if and only if each binary coefficient polynomial \(f_\ell\) is equal to 0. Solving Semaev’s polynomial \(s_{m+1}\) is now equivalent to solving the binary multivariate polynomial system \(f_1 = f_2 = \ldots = f_m = 0\) in the variables \(c_{j,\ell}\), \(1 \le j \le m\), \(1 \le \ell \le n'\).
The Decompose function using this system is described in Algorithm 3.
We first substitute \(x_{m+1}\) with x(R) in \(s_{m+1}\). The TransFromSemaevToBinaryWithSym function transforms the equation \(s_{m+1}\mid _{x_{m+1} = x(R)}=0\) into the system \(f_1, f_2, \ldots, f_m\) as described above. To solve this system, we compute its Gröbner basis with respect to a lexicographic ordering using an algorithm such as \(F_4\) or \(F_5\) [4,5]. With a lexicographic ordering, a Gröbner basis of the system solved here always contains a univariate polynomial (the polynomial 1 when there is no solution), and the solutions of \(f_1, f_2, \ldots, f_m\) can be obtained from the roots of this polynomial. However, since computing a Gröbner basis is much more efficient for a graded reverse lexicographic ordering than for a lexicographic ordering, a Gröbner basis of \(f_1, f_2, \ldots, f_m\) is first computed for a graded reverse lexicographic ordering and then transformed into a Gröbner basis for a lexicographic ordering using the FGLM algorithm [6].
After obtaining the solutions of \(f_1, f_2, \ldots, f_m\), we find the corresponding solutions over \(E_{\alpha,\beta}\). As before, this requires checking whether \(P_1 + P_2 + \cdots + P_m + R = O\) for all the potential solutions, in line 6 of Algorithm 3.
Although the FPPR approach provides a systematic way to solve Semaev’s polynomials, the algorithm is still not practical. Petit and Quisquater estimated that the method could beat generic algorithms for extension degrees n larger than about 2000 [15]. This number is much larger than the parameter n=160 that is currently used in applications. In fact, the degrees of the equations \(f_1, f_2, \ldots, f_m\) grow quadratically with m, and the number of monomial terms in the equations is exponential in this degree. In practice, the sole computation of Semaev’s polynomial \(s_{m+1}\) seems to be a challenging task for m larger than 7. Because of the large computation costs (both in time and memory), no experimental result has been provided in [7] for n larger than 20.
In this work, we provide a variant of the FPPR method that practically improves its complexity. Our method exploits the symmetry of Semaev’s polynomials to reduce both the degree of the equations and the number of monomial terms appearing during the computation of a Gröbner basis of the system \(f_1, f_2, \ldots, f_m\).
2.4 Use of symmetries in previous works
The symmetry of Semaev’s polynomials has been exploited in previous works, but always for finite fields \(\mathbb {F}_{p^{n}}\) with composite extension degrees n. The approach was already described by Gaudry [9] as a means to accelerate the Gröbner basis computations. The symmetry of Semaev’s polynomials has also been used by Joux and Vitse to establish new ECDLP records for composite extension degree fields [12,13]. Extra symmetries resulting from the existence of a rational 2-torsion point have also been exploited by Faugère et al. for twisted Edwards curves and twisted Jacobi curves [8]. In all these approaches, exploiting the symmetries of the system allows reducing the degrees of the equations and the number of monomials involved in the Gröbner basis computation, hence it reduces both the time and the memory costs.
To exploit the symmetry in ECDLP index calculus algorithms, we first rewrite Semaev’s polynomial \(s_{m+1}\) in terms of the elementary symmetric polynomials.
Definition 2.
Let \(x_1, x_2, \ldots, x_m\) be m variables; the elementary symmetric polynomials are defined as
$$ \left\{ \begin{array}{l} \sigma_{1} := \sum_{1\le j_{1} \le m}{x_{j_{1}}} \\ \sigma_{2} := \sum_{1\le j_{1} < j_{2} \le m}{x_{j_{1}}x_{j_{2}}} \\ \sigma_{3} := \sum_{1\le j_{1} < j_{2} < j_{3} \le m}{x_{j_{1}}x_{j_{2}}x_{j_{3}}} \\ \hspace*{3em}\vdots \\ \sigma_{m} := \prod_{1\le j \le m}{x_{j}} \\ \end{array}\right. $$
(1)
Any symmetric polynomial can be written as an algebraic combination of these elementary symmetric polynomials. We denote the symmetrized version of Semaev’s polynomial \(s_m\) by \(s^{\prime }_{m}\). For example, for the curve \(E_{\alpha,\beta}\) in characteristic 2, we have
$$s_{3} = (x_{1}x_{2} + x_{1}x_{3} + x_{2}x_{3})^{2} + x_{1}x_{2}x_{3} + \beta, $$
where \(x_3\) is supposed to be fixed to some x(R). The elementary symmetric polynomials are
$$\left\{ \begin{array}{l} \sigma_{1} = x_{1} + x_{2}, \\ \sigma_{2} = x_{1}x_{2}. \\ \end{array}\right. $$
The symmetrized version of \(s_3\) is therefore
$$s_{3}' = (\sigma_{2}+\sigma_{1}x_{3})^{2} + \sigma_{2}x_{3} + \beta.$$
Since \(x_3\) is fixed and squaring is a linear operation over \(\mathbb {F}_{2}\), we see that symmetrization leads to a much simpler polynomial.
Let us now assume that n is a composite number with a non-trivial factor n'. In this case, we can fix the vector space V as the subfield \(\mathbb {F}_{p^{n^{\prime }}}\) of \(\mathbb {F}_{p^{n}}\). We note that all arithmetic operations are closed on the elements of V for this special choice. In particular, we have
$$ \text{if } x_i \in V \text{ then } \sigma_i \in V. $$
(2)
Let now \(\{v_{1}, v_{2}, \ldots, v_{n/n^{\prime }}\}\) be a basis of \(\mathbb {F}_{p^{n}} / \mathbb {F}_{p^{n'}}\). We can write
$$\left\{\begin{array}{ll} \sigma_{j} = d_{j,0} & \text{for } 1 \le j \le m, \\ x_{m+1} = r_{1}v_{1} + r_{2}v_{2} + \ldots + r_{n/n'}v_{n/n'}, & \end{array}\right. $$
where \(r_{\ell }\in \mathbb {F}_{p^{n'}}\) are known and the variables \(d_{j,0}\) are defined over \(\mathbb {F}_{p^{n'}}\). These relations can be substituted into the equation \(s^{\prime }_{m+1}\mid _{x_{m+1} = x(R)}=0\) to obtain a system of n/n' equations in the m variables \(d_{j,0}\) only. Since the total degree and the degree of \(s^{\prime }_{m}\) with respect to each symmetric variable \(\sigma_i\) are lower than those of \(s_m\) with respect to the non-symmetric variables \(x_i\), the degrees of the equations in the resulting system are also lower and the system is easier to solve. As long as \(n/n' \approx m\), the system has a reasonable chance to have a solution.
Given a solution \((\sigma_1, \ldots, \sigma_m)\) of this system, we can recover all possible corresponding values of the variables \(x_1, \ldots, x_m\) (if there are any) by solving the system given in Definition 2, or equivalently by solving the symmetric polynomial equation
$$ x^{m}+\sum_{i=1}^{m}\sigma_{i}x^{m-i}=x^{m}+\sigma_{1}x^{m-1}+\sigma_{2}x^{m-2}+\ldots+\sigma_{m}. $$
Note that the existence of a non-trivial factor of n and the special choice of V are crucial here. Indeed, they allow building a new system that only involves symmetric variables and that is significantly simpler to solve than the previous one.
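An added example (our own code, not the paper's) of the symmetrized approach for m = 2 with the subfield choice V = GF(2^4) inside GF(2^8), on the same constructed toy curve y² + xy = x³ + x² + 1 as in the earlier example, so that n/n' = 2 = m. The equation s'_3 with x_3 = x(R) is written in the bits of σ_1, σ_2 over an F_2-basis of V; because x_3 is fixed and squaring is F_2-linear, this descended system is linear over F_2 (the Gröbner basis step of Algorithm 3 reduces to Gaussian elimination here), and x_1, x_2 are then recovered as the roots of X² + σ_1 X + σ_2 in V, dropping σ-pairs that have no such root. All function names are assumptions.

```python
MOD, N, A, B = 0x11B, 8, 1, 1      # constructed toy setting as above: GF(2^8), curve y^2 + xy = x^3 + x^2 + 1
def mul(a, b):                     # multiplication in GF(2^N)
    r = 0
    while b:
        if b & 1: r ^= a
        a, b = a << 1, b >> 1
        if a >> N: a ^= MOD
    return r
def sqr(a): return mul(a, a)
SUB = [x for x in range(1 << N) if sqr(sqr(sqr(sqr(x)))) == x]   # the subfield V = GF(16) = {x : x^16 = x}
W, span = [], {0}                                                 # greedily pick an F_2-basis w_1..w_4 of GF(16)
for x in SUB:
    if x not in span:
        W.append(x); span |= {s ^ x for s in span}
def s3(x1, x2, x3):                # Semaev's s_3, used only to check the recovered x-coordinates
    t = mul(x1, x2) ^ mul(x1, x3) ^ mul(x2, x3); return sqr(t) ^ mul(mul(x1, x2), x3) ^ B
def s3_sym(s1, s2, x3):            # symmetrized s_3' = (σ2 + σ1 x3)^2 + σ2 x3 + β
    t = s2 ^ mul(s1, x3); return sqr(t) ^ mul(s2, x3) ^ B
from functools import reduce
def from_bits(v):                  # 8 binary unknowns (a_1..a_4 | b_1..b_4) -> (σ1, σ2) = (Σ a_l w_l, Σ b_l w_l)
    return tuple(reduce(int.__xor__, [W[l] for l in range(4) if v >> (4 * h + l) & 1], 0) for h in (0, 1))
def lin(v, xR):                    # s_3' at x3 = xR minus β: F_2-linear in v, since squaring and scaling by xR are linear
    return s3_sym(*from_bits(v), xR) ^ B
def solve_f2(cols, rhs, n=8):      # all v with XOR of cols[i] over the set bits i of v == rhs (Gaussian elimination over F_2)
    rows = [sum((c >> k & 1) << i for i, c in enumerate(cols)) | (rhs >> k & 1) << n for k in range(n)]
    piv = []
    for i in range(n):
        p = next((j for j in range(len(piv), n) if rows[j] >> i & 1), None)
        if p is None: continue
        r = len(piv); rows[r], rows[p] = rows[p], rows[r]
        rows = [row ^ rows[r] if j != r and row >> i & 1 else row for j, row in enumerate(rows)]
        piv.append(i)
    if any(row == 1 << n for row in rows): return []       # a row reading 0 = 1: no solution
    free, sols = [i for i in range(n) if i not in piv], []
    for f in range(1 << len(free)):
        v = sum((f >> t & 1) << c for t, c in enumerate(free))
        for j, i in enumerate(piv):                        # pivot unknown i = rhs_j + parity of its free unknowns
            v |= (bin(rows[j] & (v | 1 << n)).count("1") & 1) << i
        sols.append(v)
    return sols
def decompose_sigma(xR):           # n/n' = 2 equations over GF(16) descend to 8 linear equations over F_2 in 8 bits
    return sorted(from_bits(v) for v in solve_f2([lin(1 << i, xR) for i in range(8)], B))
def decompose_x(xR):               # x1, x2 in V from each σ-pair as roots of X^2 + σ1 X + σ2; pairs with no root in V are dropped
    out = []
    for s1, s2 in decompose_sigma(xR):
        r = [x for x in SUB if sqr(x) ^ mul(s1, x) ^ s2 == 0]
        if r: out.append((r[0], r[-1]))                   # a single root r[0] == r[-1] when σ1 = 0 (x1 = x2)
    return out
```

For m > 2 the descended system is no longer linear, but its degree in the σ-bits stays below that of the non-symmetric system, which is the point of the section.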