3 Finite Field Arithmetic in Hardware and Literature Review
3.4 ECC and Side Channel Attacks
3.4.1 Known ECDLP attacks
Some known weaknesses of elliptic curve cryptography algorithms are explained in this section. The purpose of these attacks is to solve the elliptic curve discrete logarithm problem (ECDLP), which was described in section 2.6.1. Some of these points were mentioned briefly earlier in this chapter; fuller explanations are given here. [81] and [82] provide a good overview of this topic.
1. Naive exhaustive search
This method requires the attacker to compute successive multiples of P: P, 2P, 3P, 4P, ... until the public key is obtained. This attack is impractical for cryptosystems of high order.
2. Pohlig-Hellman algorithm [83]
This attack exploits the factorization of the order n of the point P. The algorithm reduces the problem of recovering the discrete logarithm k of Q to the base P to the problem of recovering k modulo each of the prime-power factors of n; k is then recovered using the Chinese Remainder Theorem. In order to construct the most difficult case of the ECDLP, the order of the chosen elliptic curve must be divisible by a large prime n, e.g., n > 2^160. Preferably, this order should be a prime or almost prime, i.e., a large prime times a small integer.
3. Baby-step giant-step algorithm
This attack is a time-memory trade-off of exhaustive search. Instead of the worst case of up to n steps required by traditional exhaustive search, only about √n steps are needed in the worst case, but at the cost of storing about √n points.
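The Pohlig-Hellman reduction of item 2 and the baby-step giant-step search of item 3, as an added example that is not part of the thesis: on a constructed toy curve y^2 = x^3 + 2x + 3 over F_97 with base point (3, 6) (parameters chosen for illustration, not a real curve), the order n of P is found by naive stepping, the logarithm modulo each prime-power factor of n is solved by BSGS in the projected subgroup, and the residues are recombined by the CRT. The work is governed by the largest prime factor of n rather than by n itself, which is why the text asks for a base point of large prime order.

```python
from math import isqrt
# Constructed toy curve (not a real parameter set): y^2 = x^3 + 2x + 3 over F_97,
# base point P = (3, 6); the point at infinity is represented by None.
P_MOD, A, INF = 97, 2, None
def ec_add(p1, p2):
    # Affine group law, covering the identity, inverses and doubling.
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0: return INF       # p2 == -p1
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)
def ec_mul(k, pt):                      # double-and-add scalar multiplication
    acc = INF
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc
def point_order(pt):                    # naive: walk P, 2P, 3P, ... until infinity
    n, cur = 1, pt
    while cur is not INF: cur, n = ec_add(cur, pt), n + 1
    return n
def factor(n):                          # trial division -> {prime: exponent}
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0: f[d], n = f.get(d, 0) + 1, n // d
        d += 1
    return f if n == 1 else {**f, n: 1}
def bsgs(G, H, m):
    # Baby-step giant-step: k in [0, m) with k*G == H, storing ~sqrt(m) points.
    s, baby, cur = isqrt(m) + 1, {}, INF
    for j in range(s):                  # baby steps: table of j*G
        baby.setdefault(cur, j); cur = ec_add(cur, G)
    neg_giant, gamma = ec_mul(-s % m, G), H   # -s*G, valid since G has order m
    for i in range(s):                  # giant steps: H - i*s*G
        if gamma in baby: return (i * s + baby[gamma]) % m
        gamma = ec_add(gamma, neg_giant)
def pohlig_hellman(Pb, Q, n):
    # Solve Q = k*P: one BSGS per prime-power factor q^e of n, then recombine by CRT.
    k, mod = 0, 1
    for q, e in factor(n).items():
        qe = q ** e                      # project onto the subgroup of order q^e
        r = bsgs(ec_mul(n // qe, Pb), ec_mul(n // qe, Q), qe)
        k += mod * (((r - k) * pow(mod, -1, qe)) % qe)
        mod *= qe
    return k % n

if __name__ == "__main__":
    P0 = (3, 6); n = point_order(P0); Q = ec_mul(37, P0)
    print("order", n, "=", factor(n), "-> recovered k", pohlig_hellman(P0, Q, n))
```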
4. Pollard’s Rho algorithm [84]
This algorithm is generally regarded as the best general-purpose algorithm known for solving the ECDLP [82]. It is essentially a randomized version of the baby-step giant-step algorithm. Its running time is very similar to that of the baby-step giant-step algorithm, but it requires less memory. Teske [85] provided an improved version, which has an expected running time of √(πn/2) and negligible storage requirements. This algorithm is most effective for factoring integers with small factors; this case is avoided by using a number of high order.
5. Parallelized Pollard's Rho algorithm [86]
Van Oorschot and Wiener described the method to parallelise the Pollard’s Rho algorithm. When the algorithm is run in parallel using r processors, it
6. Multiple logarithms [87]
Silverman and Stapleton suggested that successive logarithms become easier to solve once the first instance of the ECDLP has been worked out. The method to avoid this occurring is to ensure that the elliptic curve parameters are chosen so that the first instance is infeasible to solve.
7. Supersingular Elliptic curves [66] [88] [89]
A supersingular curve is an elliptic curve E over F_q where the trace t of E is divisible by the characteristic p of F_q. It is known that the ECDLP on a supersingular curve reduces to the DLP in some extension field F_{q^k} with k ≤ 6, and hence a subexponential-time algorithm exists for the ECDLP on supersingular curves.
In general, under mild assumptions, the ECDLP in an elliptic curve E defined over a finite field F_q can be reduced to the ordinary DLP in the multiplicative group of some extension field F_{q^k} for some k > 1, where the number field sieve algorithm applies. These are known as the Weil and Tate pairing attacks. To ensure that the reduction algorithm does not apply to a particular curve, the order n of the point P should not divide q^k − 1 for any small k for which the DLP in F_{q^k} is tractable.
8. Weil Descent [90] [91] [92]
Weil descent is efficient for reducing the ECDLP in an elliptic curve E over a characteristic-two finite field F_{q^n} to the discrete logarithm problem in the Jacobian J_C(F_q) of an algebraic curve C defined over a subfield F_q of F_{q^n} [91].
Let $k = \mathbb{F}_q$ denote some finite field of characteristic two, and let $n > 2$ denote an integer, where n is quite small and q is large such that $q^n > 2^{160}$ in practice. Let K denote the field extension $\mathbb{F}_{q^n}$, with k-basis $\{\psi_0, \psi_1, \ldots, \psi_{n-1}\}$. Given an elliptic curve E over K:
$$Y^2 + XY = X^3 + \beta \qquad (3.56)$$
where $\beta \in K$. Assume that $E(\mathbb{F}_{q^n})$ contains a subgroup of prime order p with $p \approx q^n$. Write
$$\beta = b_0\psi_0 + b_1\psi_1 + \cdots + b_{n-1}\psi_{n-1} \qquad (3.57)$$
$$X = x_0\psi_0 + x_1\psi_1 + \cdots + x_{n-1}\psi_{n-1} \qquad (3.58)$$
$$Y = y_0\psi_0 + y_1\psi_1 + \cdots + y_{n-1}\psi_{n-1} \qquad (3.59)$$
By substituting Equations 3.57, 3.58 and 3.59 into Equation 3.56 and equating the coefficients of $\psi_i$, an abelian variety A of dimension n defined over k is obtained. The abelian variety A is called the Weil restriction, and the process shown above, by which A is obtained, is called Weil descent.
Gaudry, Hess and Smart [92] gave an explicit algorithm for the case where the algebraic curve C is a hyperelliptic curve of genus g defined over F_q. This variant of the attack is known as the GHS attack.
In order to prevent these attacks, the use of elliptic curves over finite fields F_{2^m} where m is composite should be avoided.
9. Prime field anomalous curves
[93], [94] and [95] showed that the ECDLP can be solved efficiently for prime field anomalous curves, where the number of points #E(F_p) of an elliptic curve E over F_p is equal to p. Therefore, the number of points on an elliptic curve must not equal the cardinality of the underlying field.
10. Hyperelliptic curves
Hyperelliptic curves are a family of algebraic curves of arbitrary genus that includes elliptic curves; an elliptic curve is effectively a hyperelliptic curve of genus 1. The definition of a hyperelliptic curve is as follows:
Let F_q be a finite field. A hyperelliptic curve C of genus g over F_q (g ≥ 1) is a non-singular curve given by an equation of the form:
$$y^2 + h(x)\,y = f(x) \qquad (3.60)$$
where $h(x) \in \mathbb{F}_q[x]$ is a polynomial of degree $\le g$ and $f(x) \in \mathbb{F}_q[x]$ is a monic polynomial of degree $2g + 1$.
Adleman, DeMarrais and Huang [96] presented a subexponential-time algorithm for the DLP in the Jacobian of a large-genus hyperelliptic curve over a finite field of prime characteristic. Enge [97] provided a subexponential algorithm for solving the discrete logarithm problem in Jacobians of high-genus hyperelliptic curves over any finite field. Therefore, high-genus hyperelliptic curves should be avoided.
No general subexponential-time algorithm has been discovered yet. [53] and [98] provided arguments for why the index-calculus algorithms may be applicable to the ECDLP.
In summary, the general way to avoid these attacks is to avoid using the known weak classes of curves, and to ensure that the size of the modulus abides by the recommended minimum size (see Table 2.3).