Abstract

Since Semaev introduced summation polynomials in 2004, a number of studies have been devoted to improving the index calculus method for solving the elliptic curve discrete logarithm problem (ECDLP) with better complexity than generic methods such as Pollard’s rho method and the baby-step and giant-step method (BSGS). In this paper, we provide a deep analysis of Gröbner basis computation for solving polynomial systems appearing in the point decomposition problem (PDP) in Semaev’s naive index calculus method. Our analysis relies on linear algebra under simple statistical assumptions on summation polynomials. We show that the ideal derived from PDP has a special structure and Gröbner basis computation for the ideal is regarded as an extension of the extended Euclidean algorithm. This enables us to obtain a lower bound on the cost of Gröbner basis computation. With the lower bound, we prove that the naive index calculus method cannot be more efficient than generic methods.

Highlights

  • The RSA cryptosystem [30] and the elliptic curve cryptography (ECC) [20, 25] are the most widely used systems in modern information society

  • We provide a deep analysis of Gröbner basis computation for solving polynomial systems appearing in the point decomposition problem (PDP) in Semaev’s naive index calculus method

  • The security of RSA is based on the hardness of the integer factorization problem (IFP), whereas that of ECC is based on the hardness of the elliptic curve discrete logarithm problem (ECDLP)


Summary

Introduction

The RSA cryptosystem [30] and the elliptic curve cryptography (ECC) [20, 25] are the most widely used systems in modern information society. Petit and Quisquater [28] revisited Faugère et al.’s work to claim the subexponentiality for ECDLP over any binary field under the heuristic assumption of the first fall degree (FFD) regarding the behavior of Gröbner basis algorithms. In 2015, Huang et al. [19] provided computational evidence that raised doubt on the validity of the FFD assumption and introduced another notion called the last fall degree (LFD) to develop complexity bounds for solving a polynomial system. We provide a deep analysis of Gröbner basis computations for a polynomial system using the naive index calculus method with Semaev’s summation polynomials. Considering the special structure of the ideal associated with the index calculus method, we regard its Gröbner basis computation using S-polynomials as an extension of the Euclidean algorithm for the polynomial greatest common divisor (GCD). Based on our experimental observations, it cannot be more efficient than even the brute force method.
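As an added example (not code from the paper): Semaev's third summation polynomial S_3 on a small constructed curve over F_97, checking that its roots in the third variable are exactly the x-coordinates of P+Q and P-Q, followed by a brute-force point decomposition against a tiny factor base, i.e. the relation that the naive index calculus instead solves by Gröbner basis computation. The curve parameters and the factor-base bound are assumptions chosen for the toy.

```python
# Added example, not code from the paper: Semaev's third summation polynomial
# on a constructed toy curve y^2 = x^3 + A*x + B over F_p, plus brute-force PDP.
P_MOD, A, B = 97, 2, 3          # constructed toy curve (4A^3 + 27B^2 != 0 mod p)
INF = None                      # point at infinity

def inv(x):
    return pow(x % P_MOD, P_MOD - 2, P_MOD)

def on_curve(pt):
    return pt is INF or (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P_MOD == 0

def add(P, Q):
    """Affine group law on the toy curve (characteristic > 3)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                      # P = -Q (also covers doubling a 2-torsion point)
    lam = (3 * x1 * x1 + A) * inv(2 * y1) if P == Q else (y2 - y1) * inv(x2 - x1)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def s3(x1, x2, x3):
    """Semaev's S_3 for y^2 = x^3 + A*x + B: zero iff points with these
    x-coordinates satisfy P1 +/- P2 +/- P3 = O for some choice of signs."""
    return ((x1 - x2) ** 2 * x3 ** 2
            - 2 * ((x1 + x2) * (x1 * x2 + A) + 2 * B) * x3
            + (x1 * x2 - A) ** 2 - 4 * B * (x1 + x2)) % P_MOD

def points():
    """Every affine point of the toy curve; it is small enough to enumerate."""
    return [(x, y) for x in range(P_MOD) for y in range(P_MOD)
            if (y * y - x ** 3 - A * x - B) % P_MOD == 0]

def decompose(R, bound):
    """PDP with m = 2: find factor-base points P1, P2 (x < bound) with P1 + P2 = R.
    The naive index calculus solves S_3(x1, x2, x(R)) = 0 by Groebner bases; here
    the toy factor base is searched exhaustively and every S_3 root is confirmed
    with the group law, because S_3 does not see the signs of the points."""
    base = [pt for pt in points() if pt[0] < bound]
    for P1 in base:
        for P2 in base:
            if s3(P1[0], P2[0], R[0]) == 0 and add(P1, P2) == R:
                return P1, P2
    return None
```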

Index calculus method for ECDLP
Outline of index calculus method
Summation polynomials
Point decomposition using summation polynomials
General complexity estimation
Univariate case
Multivariate case
Representation of Gröbner basis elements
Applications of the set of non-zero signatures
Number of monomials in reduced S-coefficients
Signature-based algorithms and the number of S-polynomials
S-reduction and S-Gröbner bases
Basic frame of signature-based algorithms and the F5 criterion
Signatures for necessary S-polynomials
Linear algebra related to the subresultant theory
Complexity analysis of naive index calculus for ECDLP
Modification of the set of non-zero signatures
Assumptions on the semi-normality
Lower complexity bounds of naive index calculus
Another analysis based on the number of monomials
Assumptions on the genericness of non-zero coefficients
Complexity analysis of naive index calculus
Experimental data for our assumptions
Number of S-polynomials
Number of monomials
Further discussion on degree bound and fall degree
Homogenization and fall degree
On degree bound
On fall degree
Index calculus with Weil descent technique for extension fields
Concluding remarks
Conclusion