Abstract. The discrete logarithm problem forms the basis of numerous cryptographic systems. The most effective attack on the discrete logarithm problem in the multiplicative group of a finite field is via the index calculus, but no such method is known for elliptic curve discrete logarithms. Indeed, Miller [23] has given a brief heuristic argument as to why no such method can exist. In this note we give a detailed analysis of the index calculus for elliptic curve discrete logarithms, amplifying and extending Miller's remarks. Our conclusions fully support his contention that the natural generalization of the index calculus to the elliptic curve discrete logarithm problem yields an algorithm which is less efficient than a brute-force search algorithm.
Introduction. The discrete logarithm problem for the multiplicative group $\mathbb{F}_q^*$ of a finite field can be solved in subexponential time using the Index Calculus method, which appears to have been first discovered by Kraitchik [14, 15] in the 1920's and subsequently rediscovered and extended by many mathematicians. (See, for example, [1] and [43], and for a nice summary of the current state-of-the-art, see [29].) For this reason, it was proposed independently by Miller [23] and Koblitz [12] that for cryptographic purposes, one should replace $\mathbb{F}_q^*$ by the group of rational points $E(\mathbb{F}_q)$ on an elliptic curve, thus leading to the Elliptic Curve Discrete Logarithm Problem, which we abbreviate as the ECDL problem. Indeed, Victor Miller gives in his article [23, page 423] two reasons why "it is extremely unlikely that an 'index calculus' attack on elliptic curves will ever be able to work." Miller's reasons may be briefly summarized as follows:

(1) It is difficult to find elliptic curves $E/\mathbb{Q}$ with a large number of small rational points. This observation may be split into two pieces.
(a) It is difficult to find elliptic curves $E/\mathbb{Q}$ with high rank.
(b) It is difficult to find elliptic curves $E/\mathbb{Q}$ generated by points of small height.