On the first fall degree of summation polynomials

Stavros Kousidis; Andreas Wiemers

doi:10.1515/jmc-2017-0022

Article Open Access

On the first fall degree of summation polynomials

Stavros Kousidis and Andreas Wiemers

Published/Copyright: June 21, 2019

Published by

Become an author with De Gruyter Brill

Submit Manuscript Author Information

From the journal Journal of Mathematical Cryptology Volume 13 Issue 3-4

Abstract

We improve on the first fall degree bound of polynomial systems that arise from a Weil descent along Semaev’s summation polynomials relevant to the solution of the Elliptic Curve Discrete Logarithm Problem via Gröbner basis algorithms.

Keywords: Polynomial systems; Gröbner bases; discrete logarithm problem; elliptic curve cryptosystem

MSC 2010: 13P15; 13P10; 14H52

1 Introduction

Finding solutions to algebraic equations is a fundamental task. A common approach is a Gröbner basis computation via an algorithm such as Faugère’s F⁢4 and F⁢5 (see [4, 5]). In recent applications, Gröbner basis techniques have become relevant to the solution of the Elliptic Curve Discrete Logarithm Problem (ECDLP). Here one seeks solutions to polynomial equations arising from a Weil descent along Semaev’s summation polynomials [13] which represents a crucial step in an index calculus method for the ECDLP; see, e.g., [12, 14]. The efficiency of Gröbner basis algorithms is governed by a so-called degree of regularity, that is, the highest degree occurring along the subsequent computation of algebraic relations. It is widely believed that this often intractable complexity parameter is closely approximated by the degree of the first non-trivial algebraic relation, the first fall degree. In particular, the algorithms for the ECDLP of Petit and Quisquater [12] are sub-exponential under the assumption that this approximation is in o⁢(1).

In the present paper, we will improve Petit’s and Quisquater’s [12] first fall degree bound m2+1 for the system arising from the Weil descent along Semaev’s (m+1)-th summation polynomial. That is, we prove that a degree fall occurs at degree m2-m+1 by exhibiting the highest degree homogeneous part of that polynomial system. In fact, this degree is m2-m, so that we expect the bound to be sharp except for the somewhat pathological case m=2 that has been discussed by Kosters and Yeo [10]. This allows us to sharpen the asymptotic run time of the index calculus algorithm for the ECDLP as exhibited in the complexity analysis of Petit and Quisquater [12].

2 The first fall degree

The notion of the first fall has been described by Faugère and Joux [6, Section 5.1], Granboulan, Joux and Stern [7, Section 3], Dubois and Gama [3, Section 2.2] and Ding and Hodges [2, Section 3]. Although the concept of the first fall degree has been called minimal degree [6] and degree of regularity [2, 3, 7], we actually adopt the terminology and definition of Hodges, Petit and Schlather [8]. For readability reasons we include a brief and tailored account of the first fall degree and refer the reader to [8, Section 2] for details and greater generality.

Our considerations take place over a degree n extension 𝔽2n of the binary field 𝔽2. Consider the decomposition of the graded ring

S=𝔽2n⁢[X0,…,XN-1]/(X02,…,XN-12)

into its homogeneous components

S=S0⊕S1⊕⋯⊕SN.

Each Sj is the 𝔽2n-vector space generated by the monomials of degree j. Let I be an ideal in S generated by homogeneous polynomials h1,…,hr∈Sd all of the same degree d. Then we have a surjective map

ϕ:Sr→I,(g1,…,gr)↦g1⁢h1+⋯+gr⁢hr.

Without loss of generality we furthermore assume

0<r=dim𝔽2n⁡∑j=1r𝔽2n⁢hj.

Let ei denote the canonical i-th basis element of the free S-module Sr. The S-module U generated by the elements

hj⁢ei+hi⁢ej and hk⁢ek,where ⁢i,j,k=1,…,r,

is a subset of ker⁡(ϕ). If we restrict ϕ to the 𝔽2n-subvector space Sj-dr⊂Sr, we obtain a surjective map

ϕj-d:Sj-dr→I∩Sj

whose kernel contains the 𝔽2n-subvector space Uj-d=U∩Sj-dr and hence factors through

ϕ¯j-d:Sj-dr/Uj-d→I∩Sj.

Definition 2.1 (cf. [8, Definition 2.1]).

The first fall degree of a homogeneous system h1,…,hr∈Sd and its linear span ∑j=1r𝔽2n⁢hj, respectively, is the smallest j such that the induced 𝔽2n-linear map ϕ¯j-d is not injective, that is, the smallest j such that dim𝔽2n⁡(I∩Sj)<dim𝔽2n⁡(Sj-dr/Uj-d). It is denoted by Df⁢f⁢(∑j=1r𝔽2n⁢hj).

Following [8], we now consider the ring of functions

A𝔽2n=𝔽2n⁢[X0,…,XN-1]/(X02-X0,…,XN-12-XN-1)

as a finite-dimensional filtered algebra whose filtration components [A𝔽2n]d, d∈ℕ, are given by the polynomials up to degree d. The associated graded ring of A𝔽2n is

Gr⁢(A𝔽2n)=𝔽2n⁢[X0,…,XN-1]/(X02,…,XN-12),

whose graded components

[Gr⁢(A𝔽2n)]d=[A𝔽2n]d/[A𝔽2n]d-1 for ⁢d∈ℕ

are given by the homogeneous polynomials of degree d. Any linear subspace V⊂[A𝔽2n]d induces a homogeneous linear subspace V¯⊂[Gr⁢(A𝔽2n)]d via the canonical projection πd:[A𝔽2n]d→[Gr⁢(A𝔽2n)]d.

Definition 2.2 (cf. [8, Definition 2.2]).

Consider a polynomial system p1,…,pr∈[A𝔽2n]d and its linear span V=∑j=1r𝔽2n⁢pj⊂[A𝔽2n]d, respectively. We assume without loss of generality that dim𝔽2n⁡V=r>0. The first fall degree of V is

Df⁢f⁢(V)={d,dim𝔽2n⁡V¯<dim𝔽2n⁡V,Df⁢f⁢(V¯)else,

where Df⁢f(V¯=∑j=1r𝔽2nπd(pj)) is given in Definition 2.1.

3 Weil descent along summation polynomials

We prove that the first fall degree of the polynomial system that arises from a Weil descent along Semaev’s summation polynomial Sm+1 is bounded from above by m2-m+1. This is an improvement over m2+1 that results from [8, Theorem 5.2] and [12, Section 4]. Let us briefly introduce the summation polynomials and describe the Weil descent.

Semaev [13] introduced the m-th summation polynomial Sm⁢(x1,…,xm)∈𝕂⁢[x1,…,xm] on an elliptic curve E:y2=x3+a4⁢x+a6 over a finite field 𝕂 with char⁢(𝕂)≠2,3 by the following defining property: for elements x1,…,xm in the algebraic closure 𝕂¯ one has Sm⁢(x1,…,xm)=0 if and only if there exist y1,…,ym∈𝕂¯ such that (x1,y1),…,(xm,ym)∈E⁢(K¯) and (x1,y1)+⋯+(xm,ym)=0 on E. Semaev gave a recursive formula based on resultants to compute those polynomials and described some properties [13, Theorem 1]. The summation polynomials can also be given in characteristic 2. We consider 𝕂=𝔽2n, an ordinary, i.e. non-singular, elliptic curve E:y2+x⁢y=x3+a2⁢x2+a6, and the projection to the x-coordinate x⁢(Pi)=x⁢(xi,yi)=xi of Pi∈E. Then still

S2⁢(x1,x2)=x1-x2,

and from Diem’s general description [1, Lemma 3.4, Lemma 3.5] one can deduce

S3⁢(x1,x2,x3)=(x12+x22)⁢x32+x1⁢x2⁢x3+x12⁢x22+a6

Sm+1⁢(x1⁢…,xm,xm+1)=ResX⁡(Sm⁢(x1,…,xm-1,X),S3⁢(xm,xm+1,X))

and the degree of Sm+1 in each variable xi is 2m-1. Note that these formulas have also been outlined by Petit and Quisquater [12, Section 5] who also refer to Diem [1].

To describe the Weil descent along those summation polynomials (see, e.g., [12, Section 4]) we fix a basis 1,z,…,zn-1 of 𝔽2n over 𝔽2 and let W be a subvector space in 𝔽2n of dimension n′ and basis ν1,…,νn′ over 𝔽2. We introduce m⁢n′ variables yi⁢j that model the linear constraints

xi=∑l=1n′yi⁢l⁢νl,

set xm+1 to an arbitrary element c∈𝔽2n, and obtain the equation system

Sm+1⁢(x1,…,xm,c)=Sm+1⁢(∑l=1n′y1⁢l⁢νl,…,∑l=1n′ym⁢l⁢νl,c)=f0⁢(yi⁢j)+z⁢f1⁢(yi⁢j)+⋯+zn-1⁢fn-1⁢(yi⁢j).

The first fall degree of interest is that of the reduced polynomial system

(3.1)sk≡fkmod(y112-y11,…,ym⁢n′2-ym⁢n′),where ⁢k=0,…,n-1.

Note that s0,…,sn-1∈𝔽2⁢[y11,…,ym⁢n′]/(y112-y11,…,ym⁢n′2-ym⁢n′).

By the definition of the first fall degree, we are interested in the highest degree homogeneous part of s0,…,sn-1 whose degree can be determined as follows.

Lemma 3.1.

Let m≥3. The highest degree homogeneous part of the polynomial system

s0,…,sn-1∈𝔽2⁢[y11,…,ym⁢n′]/(y112-y11,…,ym⁢n′2-ym⁢n′)

from equation (3.1) is induced by the monomial

(x1⁢⋯⁢xm)2m-1-1⋅xm+1

in the summation polynomial Sm+1⁢(x1,…,xm,xm+1), and hence its degree is less than or equal to m2-m.

Proof.

First, we show the existence of the monomial (x1⁢⋯⁢xm)2m-1-1⋅xm+1 in Sm+1⁢(x1,…,xm,xm+1). We have

S3⁢(x1,x2,x3)=(x12+x22)⁢x32+x1⁢x2⁢x3+x12⁢x22+a6

Sm+1⁢(x1⁢…,xm,xm+1)=ResX⁡(Sm⁢(x1,…,xm-1,X),S3⁢(xm,xm+1,X))

and the degree of Sm+1 in each variable xi is 2m-1. The resultant of f,g∈𝔽2n⁢[X] of degree k and l is the determinant of the Sylvester matrix

ResX⁡(f,g)=det⁡(Syl⁡(f,g))=det⁡(fk⋯f0fk⋯f0⋱⋱fk⋯f0gl⋯g0gl⋯g0⋱⋱gl⋯g0).

That is, with

S3⁢(xm,xm+1,X)=(xm2+xm+12)⁢X2+xm⁢xm+1⁢X+xm2⁢xm+12+a6

Sm⁢(x1,…,xm-1,X)=c2m-2,m⁢X2m-2+⋯+c0,m,

where each ci,m∈𝔽2n⁢[x1,…,xm-1], we have

Sm+1⁢(x1⁢…,xm,xm+1)=det⁡(Syl⁡(Sm,S3)).

To be concrete, Syl⁡(Sm,S3) is the matrix

(c2m-2,mc2m-2-1,m⋯c0,m00c2m-2,m⋯c1,mc0,mxm2+xm+12xm⁢xm+1xm2⁢xm+12+t⋱⋱xm2+xm+12xm⁢xm+1xm2⁢xm+12+t)

with a total of 2m-2+2 rows and columns. In order to prove our claim we have to identify specific summands in the Leibniz formula of the determinant. That is, we consider

(3.2)det(Syl(Sm,S3))=∑πsgn(π)∏i=12m-2+2Syl(Sm,S3)i,πi

and argue that for the relevant summands no cancellation over 𝔽2n occurs. Note that the sign of a permutation is 1∈𝔽2n.

Step 1: Prove by induction (start with x12⁢x22 in S3) that Sm+1 contains the monomial (x1⁢⋯⁢xm)2m-1 in its term c0,m+1. For that we consider the permutation

(3.3)σ=(σ1,…,σ2m-2+2)=(2m-2+1,2m-2+2,1,2,…,2m-2)

and obtain

Sm+1(x1…,xm,xm+1)=sgn(σ)∏i=12m-2+2Syl(Sm,S3)i,σi+⋯

=c0,m⁢c0,m⁢∏i=12m-2(xm2+xm+12)+⋯

=((x1⁢⋯⁢xm-1)2m-2)2⋅xm2m-1+⋯

=(x1⁢⋯⁢xm-1⁢xm)2m-1+⋯.

Note that specifying σ1=2m-2+1 and σ2=2m-2+2 determines σ since the remaining entries in Syl⁡(Sm,S3) form an upper triangular matrix with xm2+xm+12 on the diagonal.

Step 2: Prove by induction (start with x1⁢x2⁢x3 in S3) that Sm+1 contains the monomial (x1⁢⋯⁢xm)2m-1-1⋅xm+1, i.e. (x1⁢⋯⁢xm)2m-1-1 in its term c1,m+1. For that we consider the permutation

(3.4)τ=(τ1,…,τ2m-2+2)=(2m-2,2m-2+2,1,…,2m-2-1,2m-2+1)

and obtain

Sm+1(x1…,xm,xm+1)=sgn(τ)∏i=12m-2+2Syl(Sm,S3)i,τi+⋯

=c1,m⁢c0,m⋅xm⁢xm+1⁢∏i=12m-2-1(xm2+xm+12)+⋯

=(x1⁢⋯⁢xm-1)2m-2-1⋅(x1⁢⋯⁢xm-1)2m-2⋅xm⁢xm+1⁢(xm2)2m-2-1+⋯

=(x1⁢⋯⁢xm-1⁢xm)2m-1-1⋅xm+1+⋯.

Note that specifying τ1=2m-2 and τ2=2m-2+2 determines τ since the remaining entries in Syl⁡(Sm,S3) form an upper triangular matrix with xm2+xm+12,…,xm2+xm+12,xm⁢xm+1 on the diagonal.

Second, in order to exclude potential cancellations we have to show that the permutations σ in (3.3) and τ in (3.4) are the only possible choices to produce the monomials (x1⁢⋯⁢xm)2m-1 and (x1⁢⋯⁢xm)2m-1-1⋅xm+1 in Sm+1, respectively. For that, we prove by induction (start with x1⁢x2 in S3) that the only multiples of (x1⁢⋯⁢xm)2m-1-1 in the coefficients of Sm+1 are (x1⁢⋯⁢xm)2m-1 in c0,m+1 and (x1⁢⋯⁢xm)2m-1-1 in c1,m+1. Indeed, the factor (x1⁢⋯⁢xm-1)2m-1-1 in the variables x1,…,xm-1 can only be produced by products ci,m⋅cj,m of entries taken from the first two rows of the Sylvester matrix Syl⁡(Sm,S3). Since the degree of Sm in each variable x1,…,xm-1 is 2m-2, each of the entries c0,m,…,c2m-2,m is a sum of monomials in the variables x1,…,xm-1 where each monomial is either

no multiple of (x1⁢⋯⁢xm-1)2m-2-1 or
a multiple (x1⁢⋯⁢xm-1)2m-2-1⋅x1δ1⁢⋯⁢xm-1δm-1, with δi∈{0,1}.

Therefore, the monomials in the products ci,m⋅cj,m that contribute to the determinant (3.2) occur in the following forms:

(3.5)((x1⁢⋯⁢xm-1)2m-2-1)2⋅x1δ1+δ1′⁢⋯⁢xm-1δm-1+δm-1′,

(3.6)(x1⁢⋯⁢xm-1)2m-2-1⋅x1δ1⁢⋯⁢xm-1δm-1⋅μ,

(3.7)μ⋅μ′,

where μ and μ′ denote elements that are no multiples of (x1⁢⋯⁢xm-1)2m-2-1. Consequently, a monomial in the product ci,m⋅cj,m that is now a multiple of (x1⁢⋯⁢xm-1)2m-1-1 can only arise in case (3.5) if for each k=1,…,m-1 the following condition holds:

2⋅(2m-2-1)+δk+δk′≥2m-1-1 ⇔ δk+δk′≥1.

Due to the degree restriction of Sm, a product ci,m⋅cj,m where the monomials in ci,m and cj,m are all of the form (3.6) or (3.7) cannot produce a multiple of (x1⁢⋯⁢xm-1)2m-1-1. Therefore, we are left with products of the terms c0,m and c1,m by the induction hypothesis. Since c1,m⋅c1,m only produces (x1⁢⋯⁢xm-1)2m-1-2, the permutations π=(π1,π2,…,π2m-2+2) in the Leibniz formula (3.2) that produce multiples of the monomial (x1⁢⋯⁢xm-1)2m-1-1 must have either (π1,π2)=(σ1,σ2) or (π1,π2)=(τ1,τ2) as given in (3.3) and (3.4), respectively. This determines our permutations σ and τ completely.

To finish the proof, our degree claim in Lemma 3.1 is argued as follows. The variables yi⁢j of the sk are over 𝔽2, where taking squares is a linear operation. Therefore, the degrees of the homogeneous parts of the system s0,…,sn-1 depend only on the Hamming weight wt⁡(x1α1⁢⋯⁢xmαm)=∑wt⁡(αi) of a monomial in Sm+1. Since the degree of Sm+1 in each variable xi is 2m-1, the monomial (x1⁢⋯⁢xm)2m-1-1⋅xm+1, when xm+1 is set to an element c∈𝔽2n, produces the highest Hamming weight ∑i=1mwt⁡(2m-1-1)=m⁢(m-1). To be precise, we consider

xi2j=(∑l=1n′yi⁢l⁢νl)2j=∑l=1n′yi⁢l⁢νl2j

and obtain

(3.8)(x1⁢⋯⁢xm)2m-1-1⋅c=c⁢∏i=1m∏j=0m-2∑l=1n′yi⁢l⁢νl2j,

which is of degree less than or equal to m⁢(m-1) in the variables yi⁢j. ∎

We are ready to prove the main result.

Theorem 3.2.

Let n′≥m≥3 and c∈F2n∖{0}, and consider the polynomial system

s0,…,sn-1∈𝔽2⁢[y11,…,ym⁢n′]/(y112-y11,…,ym⁢n′2-ym⁢n′)

from equation (3.1), that results from the Weil descent along the summation polynomial Sm+1⁢(x1,…,xm,c). The first fall degree of s0,…,sn-1 is less than or equal to m2-m+1.

Proof.

Consider the finite-dimensional filtered algebra

A𝔽2=𝔽2⁢[y11,…,ym⁢n′]/(y112-y11,…,ym⁢n′2-ym⁢n′).

The linear span

∑j=0n-1𝔽2⁢sj

is inside the degree d=m2-m subspace of the filtered algebra A𝔽2 due to Lemma 3.1. By [8, Corollary 2.4], an extension of the base field, i.e.

A𝔽2n=𝔽2n⁢[y11,…,ym⁢n′]/(y112-y11,…,ym⁢n′2-ym⁢n′),

does not affect the first fall degree. That is,

Df⁢f⁢(∑j=0n-1𝔽2⁢sj)=Df⁢f⁢(∑j=0n-1𝔽2n⁢sj).

By [8, Definition 2.2], the first fall degree of the subspace ∑j=0n-1𝔽2n⁢sj of A𝔽2n is

Df⁢f⁢(∑j=0n-1𝔽2n⁢sj)={d=m2-m,dim𝔽2n⁡V¯<dim𝔽2n⁡VDf⁢f⁢(V¯)else,

where V¯ denotes the induced homogeneous subspace of ∑j=0n-1𝔽2n⁢sj in the associated graded ring

Gr⁢(A𝔽2n)=𝔽2n⁢[y11,…,ym⁢n′]/(y112,…,ym⁢n′2).

If dim𝔽2n⁡V¯<dim𝔽2n⁡V, our claim follows. Otherwise we consider the polynomial

P0=c⁢∏i=1m∏j=0m-2∑l=1n′yi⁢l⁢νl2j,

which is an element of the homogeneous subspace V¯ by Lemma 3.1, and in particular equation (3.8). Now, for any

xk=∑l=1n′yk⁢l⁢νl

we have a non-trivial relation

xk⁢P0=c⁢∑l=1n′yk⁢l2⁢νl2⋅∏j=1m-2∑l=1n′yk⁢l⁢νl2j⋅∏i=1,i≠km∏j=0m-2∑l=1n′yi⁢l⁢νl2j=0∈Gr⁢(A𝔽2n)

of degree d+1=m2-m+1 unless P0=0∈Gr⁢(A𝔽2n). Therefore, it remains to show that P0≠0. For that purpose, we recall that c∈𝔽2n∖{0}, v1,…,vn′ are linearly independent, and n′≥m. Consider the linear change of variables

Yi⁢j=xi2j=(∑l=1n′yi⁢l⁢νl)2j=∑l=1n′yi⁢l⁢νl2j.

This is induced by the m×n′ matrix

(ν1⋯νn′ν12⋯νn′2⋮⋱⋮ν12m-2⋯νn′2m-2)

that can be completed to an invertible linear transform by [11, Lemma 3.51] since we have assumed v1,…,vn′ to be linearly independent and n′≥m. By using such an invertible linear transform on any block of variables

yi⁢1,…,yi⁢n′,

we get new variables

Y10,…,Ym,n′-1.

Under this change of variables, P0 is mapped to the non-zero element

c⁢∏i=1m∏j=0m-2Yi⁢j∈𝔽2n⁢[Y10,…,Ym,n′-1]/(Y102,…,Ym,n′-12).∎

Remark 3.3.

Our Theorem 3.2 remains true also in the case m=2 with first fall degree less than or equal to 2⋅1+1=3. This bound is not sharp though, in fact the first fall degree in the case m=2 equals 2 [10, Corollary 4.11 and Remark 4.12].

4 Experiments and conclusion

In the light of the first fall degree bound given in Theorem 3.2, we computed a Gröbner basis for the ideal resulting from the Weil descent along the summation polynomial Sm+1⁢(x1,…,xm,xm+1) for m=2,3,4 on an AMD Opteron CPU with Magma’s GroebnerBasis() function. Again, we set the verbose level to 1 and extracted the empirical first fall degree Df⁢f as the step degree of the first step where new lower degree (i.e. less than step degree) polynomials are added. The empirical degree of regularity Dreg is the highest step degree that appears during the Gröbner basis computation. In each experiment we chose a random non-singular elliptic curve over 𝔽2n, a random subvector space of dimension n′=⌈n/m⌉ as the factor basis, and set xm+1 to the x-coordinate of a random point on the curve. The experimental results that extend the ones present in the literature by Petit and Quisquater [12] and Kosters and Yeo [10] are displayed in Table 1.

Table 1

Empirical data for the Weil descent along the summation polynomial Sm+1 over 𝔽2n with n′-dimensional factor basis. Displayed are the observed first fall degree Df⁢f, degree of regularity Dreg, the time in seconds s and space requirement in gigabyte GB. All values are averaged over 10 repetitions. For the case m=2 see also Remark 3.3.

m	n	n′	m⁢(m-1)+1	Df⁢f	Dreg	s	GB
2	34	17	3	2	4	188	1.2
	35	18	3	2	4	1 237	16.1
	36	18	3	2	4	1 342	16.4
	37	19	3	2	5	2 542	29.2
	38	19	3	2	5	2 815	25.2
	39	20	3	2	5	4 785	45.6
	40	20	3	2	5	4 858	46.3
	41	21	3	2	5	7 930	65.3
	42	21	3	2	5	8 901	66.7
	43	22	3	2	5	16 816	95.5
	44	22	3	2	5	15 690	96.8
	45	23	3	2	5	38 352	140.0
	46	23	3	2	5	31 735	140.7
	47	24	3	2	5	103 200	207.7
	48	24	3	2	5	86 636	208.2
3	13	5	7	7	7	14	0.6
	14	5	7	7	7	14	0.7
	15	5	7	7	7	14	0.7
	16	6	7	7	7	597	13.5
	17	6	7	7	7	656	13.3
	18	6	7	7	7	729	34.1
	19	7	7	7	7	16 571	92.2
	20	7	7	7	7	17 684	101.2
	21	7	7	7	7	17 681	90.2
4	13	4	13	13	13	467	25.0
	14	4	13	13	13	487	25.8
	15	4	13	13	13	592	26.3
	16	4	13	13	13	755	27.6

Like Kosters and Yeo [10, Section 5], we observed a raise in the regularity degree for m=2 in our experiments and were able to verify their observation that with the low degree polynomials W=span⁡{1,z,…,zn′} chosen as the factor basis (cf. [14, Section 4.5]) the raise in the regularity degree was produced for slightly greater n=45. It would be very interesting to observe a raise in the degree of regularity for higher Semaev polynomials, but time and memory amounts become a serious issue for m≥3. However, such observations might neither falsify [12, Assumption 2] that Dreg=Df⁢f+o⁢(1) nor lead to further evidence that the gap between the degree of regularity and the first fall degree depends on n as discussed in [9, Section 5.2].

However, we believe our first fall degree bound m2-m+1 for Semaev polynomials to be sharp for m≥3, and rephrase [12, Assumption 2] as the following question:

(4.1)Dreg=m2-m+1+o⁢(1)⁢ ?

Note that our upper bound on the first fall degree of summation polynomials is a first step towards answering this question. The first fall degree generically bounds the degree of regularity from below. Hence, any further lower bound on the degree of regularity associated to the specific case of a Weil descent along summation polynomials can potentially answer (4.1).

Assuming an affirmative answer to (4.1), we can furthermore sharpen the asymptotic complexity of the index calculus algorithm for the ECDLP as presented by Petit and Quisquater [12, Section 5]. In the paragraph A new complexity analysis of [12, Section 5] it is argued that the complexity of the index calculus approach via summation polynomials is dominated by the Gröbner basis computation. Under the assumption that the degree of regularity is approximated closely by the first fall degree [12, Assumption 2], Petit and Quisquater derive [12, Proposition 4], i.e. that the discrete logarithm can asymptotically be solved in sub-exponential time

(4.2)𝒪⁢(2c⁢log⁡(n)⁢(n2/3+1)),

where c=2⁢ω3, ω is the linear algebra constant (ω=log⁡(7)/log⁡(2) is used in the following estimates), and n2/3+1 is an upper bound for the first fall degree of the m-th summation polynomial when m=n1/3 [12, Proposition 1]. They state that, by following this analysis, the index calculus approach beats generic algorithms with run time 𝒪⁢(2n/2) for any n≥N where N is an integer approximately equal to 2 000. Now, based on Theorem 3.2, we assume Dreg≈m2-m+1=n2/3-n1/3+1 and sharpen (4.2) to

𝒪⁢(2c⁢log⁡(n)⁢(n2/3-n1/3+1)).

Hence, the turning point to solve the ECDLP faster than a generic algorithm is an integer approximately equal to 1 250. Note that this is still far from cryptographically relevant sizes of n up to 521.

Communicated by María González Vasco

References

[1] C. Diem, On the discrete logarithm problem in elliptic curves, Compos. Math. 147 (2011), no. 1, 75–104. 10.1112/S0010437X10005075Search in Google Scholar

[2] J. Ding and T. J. Hodges, Inverting HFE systems is quasi-polynomial for all fields, Advances in Cryptology—CRYPTO 2011, Springer, Berlin (2011), 724–742. 10.1007/978-3-642-22792-9_41Search in Google Scholar

[3] V. Dubois and N. Gama, The degree of regularity of HFEsystems, Advances in Cryptology—ASIACRYPT 2010, Springer, Berlin (2010), 557–576. 10.1007/978-3-642-17373-8_32Search in Google Scholar

[4] J.-C. Faugère, A new efficient algorithm for computing Gröbner bases (F4), J. Pure Appl. Algebra 139 (1999), no. 1–3, 61–88. 10.1016/S0022-4049(99)00005-5Search in Google Scholar

[5] J.-C. Faugère, A new efficient algorithm for computing Gröbner bases without reduction to zero (F5), Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation—ISSAC ’02, IEEE Press, Piscataway (2002), 75–83. 10.1145/780506.780516Search in Google Scholar

[6] J.-C. Faugère and A. Joux, Algebraic cryptanalysis of hidden field equation (HFE) cryptosystems using Gröbner bases, Advances in Cryptology—CRYPTO 2003, Springer, Berlin (2003), 44–60. 10.1007/978-3-540-45146-4_3Search in Google Scholar

[7] L. Granboulan, A. Joux and J. Stern, Inverting HFE is quasipolynomial, Advances in Cryptology—CRYPTO, Springer, Berlin (2006), 345–356. 10.1007/11818175_20Search in Google Scholar

[8] T. J. Hodges, C. Petit and J. Schlather, First fall degree and Weil descent, Finite Fields Appl. 30 (2014), 155–177. 10.1016/j.ffa.2014.07.001Search in Google Scholar

[9] M.-D. Huang, M. Kosters and S. L. Yeo, Last fall degree, HFE, and Weil descent attacks on ECDLP, Advances in Cryptology—CRYPTO 2015, Springer, Berlin 2015, 581–600. 10.1007/978-3-662-47989-6_28Search in Google Scholar

[10] M. Kosters and S. L. Yeo, Notes on summation polynomials, preprint (2015), http://arxiv.org/abs/1505.02532. Search in Google Scholar

[11] R. Lidl and H. Niederreiter, Introduction to Finite Fields and Their Applications, Cambridge University, New York, 1986. Search in Google Scholar

[12] C. Petit and J.-J. Quisquater, On polynomial systems arising from a Weil descent, Advances in Cryptology – ASIACRYPT 2012, Springer, Berlin (2012), 451–466. 10.1007/978-3-642-34961-4_28Search in Google Scholar

[13] I. Semaev, Summation polynomials and the discrete logarithm problem on elliptic curves, IACR Cryptology ePrint Archive (2004), https://eprint.iacr.org/2004/031.pdf. Search in Google Scholar

[14] I. Semaev, New algorithm for the discrete logarithm problem on elliptic curves, preprint (2015), http://arxiv.org/abs/1504.01175. Search in Google Scholar

Received: 2017-04-26

Revised: 2019-03-22

Accepted: 2019-05-17

Published Online: 2019-06-21

Published in Print: 2019-10-01

This article is distributed under the terms of the Creative Commons Attribution Non-Commercial License, which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited.

Articles in the same Issue

https://doi.org/10.1515/jmc-2017-0022

Keywords for this article

Polynomial systems; Gröbner bases; discrete logarithm problem; elliptic curve cryptosystem

Creative Commons

BY-NC-ND 3.0