
Weak Fields for Elliptic Curve Cryptography

Edlyn Teske, Alfred J. Menezes (University of Waterloo)
Annegret Weng (J. Gutenberg-Universität Mainz)

CT-RSA 2004
ECDLP

$E$ = elliptic curve over the finite field $\mathbb{F}_q$.

Elliptic Curve Discrete Logarithm Problem (ECDLP):

Given $E$, a point $P \in E(\mathbb{F}_q)$ such that $r = \operatorname{ord}(P)$ is a large prime, and $Q \in \langle P \rangle$, find $s \in [0, r-1]$ such that
$$Q = sP.$$

The apparent intractability of the ECDLP forms the basis for the security of elliptic curve cryptosystems.
Weak Fields for ECC

Definition 1: A finite field $\mathbb{F}_q$ is weak for ECC if:
(i) For some elliptic curves $E$ over $\mathbb{F}_q$, solving the ECDLP in $E(\mathbb{F}_q)$ using Pollard's rho method is intractable using existing computer technology.
(ii) Algorithms are known with which any ECDLP instance for any elliptic curve over $\mathbb{F}_q$ can be solved in significantly less time than Pollard's rho method takes on the hardest ECDLP instances over $\mathbb{F}_q$.

Definition 2: A finite field $\mathbb{F}_q$ is bad for ECC if:
(i) (as for weak fields) For some elliptic curves $E$ over $\mathbb{F}_q$, solving the ECDLP in $E(\mathbb{F}_q)$ using Pollard's rho method is intractable using existing computer technology.
(ii) Algorithms are known which can feasibly solve (using existing computer technology) any ECDLP instance for any elliptic curve over $\mathbb{F}_q$.
Motivation

Advantage of ECC: Over each finite field there are an enormous number of curves to choose from.
Each user can select their own elliptic curve parameters.
Parameters can be changed if some curves are found to be weak (e.g. supersingular curves, or prime-field anomalous curves).
Standards bodies recommend a small selection of finite fields.
Special hardware is built to support elliptic curves over these fields.
Wide deployment of special hardware makes it difficult to change fields in the future.
Thus, the fields selected must not be weak.
Our Result

All fields $\mathbb{F}_{2^N}$ with $N \in [185, 600]$ and $N \equiv 0 \pmod 5$ are weak.

$\mathbb{F}_{2^{210}}$ is particularly weak, since $210 \equiv 0 \pmod 6$.


Weakness of $\mathbb{F}_{2^N}$ with $N = 5l$

$\mathbb{F}_{2^N} = \mathbb{F}_{q^5}$ with $q = 2^l$.

Let $E$ be an elliptic curve defined over $\mathbb{F}_{2^{5l}}$. Two possibilities:

1. $E$ is isomorphic to a curve defined over $\mathbb{F}_{2^l}$. Then $E(\mathbb{F}_{2^l})$ is a subgroup of $E(\mathbb{F}_{2^{5l}})$, so $\#E(\mathbb{F}_{2^l})$ divides $\#E(\mathbb{F}_{2^{5l}})$, and the Pohlig-Hellman method applies. This is certainly faster than Pollard's rho method on the hardest ECDLP instances over $\mathbb{F}_{2^{5l}}$.
Weakness of $\mathbb{F}_{2^N}$ with $N = 5l$ (cont)

2. Otherwise, use the Gaudry-Hess-Smart (GHS) Weil descent attack: an explicit construction (under 1 minute) that reduces an instance of the ECDLP in $E(\mathbb{F}_{2^{5l}})$ to an instance of the DLP in the Jacobian $J_C(\mathbb{F}_{2^l})$ of a hyperelliptic curve $C$ over $\mathbb{F}_{2^l}$, where $C$ has genus 15 or 16.
→ HCDLP, the hyperelliptic curve discrete logarithm problem.
Weakness of $\mathbb{F}_{2^N}$ with $N = 5l$ (cont)

So focus on the second case. For the HCDLP, use the Enge-Gaudry index calculus algorithm:
1. Creation of the factor base. Fast.
2. Relation generation stage. Exact running time: $R_{RG}$.
3. Linear algebra stage. Exact running time: $R_{LA}$.

Compare with the exact running time $R_\rho$ of Pollard's rho method on the hardest ECDLP instance, i.e. $\#E(\mathbb{F}_{2^N}) = 2r$ with $r$ prime.
Weakness of $\mathbb{F}_{2^N}$ with $N = 5l$ (cont)

  N    l    R_RG     R_LA     R_rho     delta    N_equiv
 185   37   2^92     2^79     2^98      2^6      173
 210   42   2^97     2^89     2^110.5   2^13.5   183
 255   51   2^107    2^107    2^133     2^26     202

Unit for the running times $R_{RG}$, $R_{LA}$, $R_\rho$: 1 multiplication in $\mathbb{F}_{2^l}$ on a Pentium II 400 MHz.
$\delta = R_\rho / \max(R_{RG}, R_{LA})$.
$N_{\mathrm{equiv}}$: using $\mathbb{F}_{2^{N_{\mathrm{equiv}}}}$ yields equivalent security, i.e. Pollard's rho method on the hardest instances over $\mathbb{F}_{2^{N_{\mathrm{equiv}}}}$ costs about as much as the GHS attack over $\mathbb{F}_{2^N}$.
Particular Weakness of $\mathbb{F}_{2^{210}}$

$210 \equiv 0 \pmod 6$. Then $\mathbb{F}_{2^{210}} = \mathbb{F}_{q^6}$ with $q = 2^{35}$.

For $\approx 2^{175}$ (out of $\approx 2^{211}$) isomorphism classes of elliptic curves over $\mathbb{F}_{2^{210}}$, the GHS Weil descent attack reduces the ECDLP to an HCDLP on a genus 15 or 16 curve over $\mathbb{F}_{2^{35}}$. Then
$$R_{RG} \approx 2^{90}, \quad R_{LA} \approx 2^{78}, \quad R_\rho \approx 2^{110.5} \text{ operations in } \mathbb{F}_{2^{35}}.$$
Thus GHS Weil descent is $\delta \approx 2^{20}$ times faster than Pollard rho for the hardest instances in $E(\mathbb{F}_{2^{210}})$, and $N_{\mathrm{equiv}} = 169$.
Particular Weakness of $\mathbb{F}_{2^{210}}$ (cont)

Aim: Extend the attack beyond those $2^{175}$ isomorphism classes.

But note: writing $E$ in the form $y^2 + xy = x^3 + ax^2 + b$, this GHS attack only works if
$$\mathrm{Tr}_{\mathbb{F}_{2^{210}}/\mathbb{F}_2}(a) = 0,$$
and yields a genus 15 or 16 curve only if
$$\mathrm{Tr}_{\mathbb{F}_{2^{210}}/\mathbb{F}_2}(b) = 0,$$
which, given $\mathrm{Tr}_{\mathbb{F}_{2^{210}}/\mathbb{F}_2}(a) = 0$, is equivalent to
$$\#E(\mathbb{F}_{2^{210}}) \equiv 0 \pmod 8.$$
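Two facts used above rest on explicit structure that can be checked at toy size: case 1 of the $N = 5l$ argument (a curve defined over $\mathbb{F}_{2^l}$ has $\#E(\mathbb{F}_{2^l}) \mid \#E(\mathbb{F}_{2^{5l}})$, so the group order over the extension is factored and Pohlig-Hellman applies), and the trace criterion $\#E \equiv 0 \pmod 8 \iff \mathrm{Tr}(a) = \mathrm{Tr}(b) = 0$. The Python script below is an added example, not code from the slides or their authors. It works over $\mathbb{F}_{2^5}$ (the modulus $x^5 + x^2 + 1$ and the curve coefficients are illustrative choices, not from the talk), counts the points of $y^2 + xy = x^3 + ax^2 + b$ by brute force, lifts the count to $\mathbb{F}_{2^{25}}$ with the Weil recurrence to compare the Pohlig-Hellman cost against Pollard rho on a hardest instance of the same size, and checks the trace rule exhaustively over all non-singular curves of that form over $\mathbb{F}_{2^5}$.

```python
# Added example, not from the Teske-Menezes-Weng slides. Toy illustration of two facts
# used on the slides at a field size where points can be counted by brute force:
# l = 5, so F_{2^l} = F_32 and F_{2^{5l}} = F_{2^25}. The irreducible polynomial
# x^5 + x^2 + 1 and the curve coefficients are illustrative choices.
import math

L = 5
Q = 1 << L                      # q = 2^l
MODULUS = 0b100101              # x^5 + x^2 + 1, irreducible over F_2

def gf_mul(x, y):
    """Multiply in F_{2^L} = F_2[x]/(MODULUS), polynomial basis, bit-serial."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x & Q:
            x ^= MODULUS
    return r

def gf_pow(x, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x, e = gf_mul(x, x), e >> 1
    return r

def trace(x):
    """Absolute trace Tr_{F_{2^L}/F_2}(x) = x + x^2 + ... + x^(2^(L-1)), in {0, 1}."""
    t = 0
    for _ in range(L):
        t ^= x
        x = gf_mul(x, x)
    return t

INV = [0] + [gf_pow(x, Q - 2) for x in range(1, Q)]   # x^(q-2) = 1/x for x != 0
TR = [trace(x) for x in range(Q)]

def count_points_naive(a, b):
    """#E(F_{2^L}) for E: y^2 + xy = x^3 + a x^2 + b by enumerating all (x, y); O(q^2)."""
    n = 1                                             # point at infinity
    for x in range(Q):
        rhs = gf_mul(gf_mul(x, x), x) ^ gf_mul(a, gf_mul(x, x)) ^ b
        n += sum(1 for y in range(Q) if gf_mul(y, y) ^ gf_mul(x, y) == rhs)
    return n

def count_points(a, b):
    """Same count in O(q). x = 0 gives the single point (0, sqrt(b)). For x != 0 put
    y = xz: z^2 + z = x + a + b/x^2 has 2 roots iff Tr(x + a + b x^-2) = 0, else none."""
    n = 2                                             # infinity and (0, sqrt(b))
    for x in range(1, Q):
        if TR[x ^ a ^ gf_mul(b, INV[gf_mul(x, x)])] == 0:
            n += 2
    return n

def order_over_extension(n1, k, q=Q):
    """#E(F_{q^k}) from n1 = #E(F_q) (Weil): t = q + 1 - n1, s_0 = 2, s_1 = t,
    s_j = t*s_{j-1} - q*s_{j-2}, #E(F_{q^k}) = q^k + 1 - s_k."""
    t = q + 1 - n1
    s_prev, s = 2, t
    for _ in range(k - 1):
        s_prev, s = s, t * s - q * s_prev
    return q ** k + 1 - s

def factor(n):
    """Trial division; adequate for the 25-bit orders used here."""
    fs, d = [], 2
    while d * d <= n:
        while n % d == 0:
            fs.append(d)
            n //= d
        d += 1
    return fs + ([n] if n > 1 else [])

def subfield_curve_vs_hardest(a, b, k=5):
    """Case 1 of the slide: E is defined over F_{2^l}, so #E(F_{2^l}) | #E(F_{2^{kl}}).
    Pohlig-Hellman then costs about sqrt(largest prime factor) group operations, against
    sqrt(r) ~ 2^((kl-1)/2) for Pollard rho on a hardest instance #E = 2r. Both as log2."""
    n1 = count_points(a, b)
    nk = order_over_extension(n1, k)
    assert nk % n1 == 0
    fs = factor(nk)
    return {"n1": n1, "nk": nk, "factors": fs,
            "pohlig_hellman_bits": math.log2(max(fs)) / 2,
            "rho_hardest_bits": (k * L - 1) / 2}

def trace_rule_holds():
    """Second fact from the slides, checked exhaustively over F_{2^L}: for every
    non-singular curve (b != 0), 4 | #E iff Tr(a) = 0, and 8 | #E iff Tr(a) = Tr(b) = 0."""
    for a in range(Q):
        for b in range(1, Q):
            n = count_points(a, b)
            if (n % 4 == 0) != (TR[a] == 0) or (n % 8 == 0) != (TR[a] == 0 and TR[b] == 0):
                return False
    return True

if __name__ == "__main__":
    print(subfield_curve_vs_hardest(a=0, b=1))
    print("trace rule holds over F_32:", trace_rule_holds())
```

Running the script prints the factored order of the subfield curve over $\mathbb{F}_{2^{25}}$ and the resulting Pohlig-Hellman cost, which falls well below the $2^{12}$ group operations Pollard rho needs for a hardest instance of that size; at $l = 37$ the same argument is what makes case 1 on the slide trivial. The trace rule is what lets the talk express the condition for a genus 15 or 16 descent curve as a statement about $\#E(\mathbb{F}_{2^{210}})$ alone.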
Extension to all elliptic curves $E$ over $\mathbb{F}_{2^{210}}$ with $\#E(\mathbb{F}_{2^{210}}) \equiv 0 \pmod 8$

Use the extended GHS Weil descent attack (Galbraith, Hess, Smart, Eurocrypt 2002):
1. Given $E(\mathbb{F}_{2^{210}})$, do a pseudo-random walk in the isogeny class of $E$ until a curve $E'$ is found for which GHS Weil descent yields a genus 15 or 16 hyperelliptic curve.
2. Compute an explicit isogeny $E \to E'$.
3. Map the ECDLP in $E(\mathbb{F}_{2^{210}})$ to the ECDLP in $E'(\mathbb{F}_{2^{210}})$.

Extension to all $E$ over $\mathbb{F}_{2^{210}}$ (cont)

Cost of this extension:
Cost to find $E'$: $\approx 2^{60}$ operations in $\mathbb{F}_{2^{210}}$.
Cost to compute the explicit isogeny $E \to E'$: const $\times\, 2^{53}$ bit operations.

These costs are negligible compared to the costs $R_{RG} \approx 2^{90}$ and $R_{LA} \approx 2^{78}$ (operations in $\mathbb{F}_{2^{35}}$) of solving the resulting HCDLP.
Summary: Weakness of $\mathbb{F}_{2^{210}}$

$N = 210 = nl$

  n    l    R_RG    R_LA    R_rho     delta    N_equiv
  5   42    2^97    2^89    2^110.5   2^13.5   183
  6   35    2^90    2^75    2^110.5   2^20.5   169

Recall: the $n = 6$ data only apply when $\#E(\mathbb{F}_{2^{210}}) \equiv 0 \pmod 8$, that is, to $\approx 1/4$ of all $E(\mathbb{F}_{2^{210}})$.
Summary: Weakness of $\mathbb{F}_{2^{210}}$ (cont)

Remark 1: For almost* all $E(\mathbb{F}_{2^{210}})$, the ECDLP in $E(\mathbb{F}_{2^{210}})$ can be reduced to a DLP in the Jacobian variety of a curve of genus $\le 14$. Subexponential algorithms for solving this DLP apply. (F. Hess: The GHS attack revisited, Eurocrypt 2003.)

Remark 2: Results analogous to the above apply to all finite fields $\mathbb{F}_{2^N}$ with $N = 6l$.

*Exceptional set: those $2^{106}$ isomorphism classes of curves over $\mathbb{F}_{2^{210}}$ with $\mathrm{Tr}_{\mathbb{F}_{2^{210}}/\mathbb{F}_{2^{105}}}(b) = 0$.
Conclusions

The fields $\mathbb{F}_{2^N}$, where $N \in [185, 600]$ is divisible by 5, are weak for ECC.

$\mathbb{F}_{2^{210}}$ is even weaker, because $6 \mid 210$.

Fields $\mathbb{F}_{2^{4l}}$ exhibit some signs of being weak.

Are there bad fields for ECC?

But note: the fields $\mathbb{F}_{2^p}$, where $p \in [128, 600]$ is prime, are safe choices: the GHS attack fails (Menezes/Qu: Analysis of the Weil descent attack of Gaudry, Hess and Smart, CT-RSA 2001).
