2002
DOI: 10.1007/3-540-46035-7_3
|View full text |Cite
|
Sign up to set email alerts
|

Extending the GHS Weil Descent Attack

Abstract: Abstract. In this paper we extend the Weil descent attack due to Gaudry, Hess and Smart (GHS) to a much larger class of elliptic curves. This extended attack applies to fields of composite degree over F2. The principle behind the extended attack is to use isogenies to find an elliptic curve for which the GHS attack is effective. The discrete logarithm problem on the target curve can be transformed into a discrete logarithm problem on the isogenous curve. A further contribution of the paper is to give an improv… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
1
1
1
1

Citation Types

1
77
0
2

Year Published

2002
2002
2013
2013

Publication Types

Select...
6
3

Relationship

1
8

Authors

Journals

citations
Cited by 74 publications
(80 citation statements)
references
References 13 publications
1
77
0
2
Order By: Relevance
“…Taking A = 4, we see that the gGHS attack can be useful for at most q 16 log 2 n+O(1) elliptic curves over F q n as n → ∞. As first observed by Galbraith, Hess and Smart [8], the class of vulnerable elliptic curves can potentially be enlarged by mapping the ECDLP for a given elliptic curve E/F q n to an isogenous elliptic curve E/F q n (if one exists) for which the gGHS attack is effective. The attack on E will also be effective provided that E and an isogeny from E to E can be found in less time than it takes to mount the gGHS attack on E. Since an isogeny class contains at most q n/2+O(log n) elliptic curves [15], the number of vulnerable curves is at most q n/2+O(log n) ; this is negligible compared to the number 2(q n − 1) of elliptic curves over F q n .…”
Section: Bounds On the Genus Of The Weil Descent Curvesupporting
confidence: 62%
“…Taking A = 4, we see that the gGHS attack can be useful for at most q 16 log 2 n+O(1) elliptic curves over F q n as n → ∞. As first observed by Galbraith, Hess and Smart [8], the class of vulnerable elliptic curves can potentially be enlarged by mapping the ECDLP for a given elliptic curve E/F q n to an isogenous elliptic curve E/F q n (if one exists) for which the gGHS attack is effective. The attack on E will also be effective provided that E and an isogeny from E to E can be found in less time than it takes to mount the gGHS attack on E. Since an isogeny class contains at most q n/2+O(log n) elliptic curves [15], the number of vulnerable curves is at most q n/2+O(log n) ; this is negligible compared to the number 2(q n − 1) of elliptic curves over F q n .…”
Section: Bounds On the Genus Of The Weil Descent Curvesupporting
confidence: 62%
“…Weil descent proposed by Frey [13] aims at transferring the DLP from E(F q m ) to the Jacobian of a curve C over F q and then computes the logarithm on this Jacobian by using index calculus. Many researches [15,17,14,20,28] have studied on the scope of this technique on the vulnerable curves over binary fields. Diem [9] extended this attack in odd characteristic.…”
Section: Suitable Extension Field For Pairing-based Cryptographymentioning
confidence: 99%
“…A low-memory variant was later given in [12] which produces an exponentially long chain of low-degree isogenies; from that, a linearly long chain of isogenies of subexponential degree may be derived by smoothing the corresponding ideal in cl(O) using variants of the method of Hafner and McCurley. Alternatively, our low-memory algorithm can be used to derive a chain of low-degree isogenies with length linear in log |D|; since isogenies are much more time consuming to evaluate than class group operations, finding the long chain dominates the overall cost.…”
Section: Short Isogeniesmentioning
confidence: 99%
“…4.3). For the latter, our method combines the advantages of [11,12] in that it requires little memory and finds an isogeny that can subsequently be evaluated in polynomial time.…”
mentioning
confidence: 99%