Complexity of ECDLP under the First Fall Degree Assumption

Semaev [14] shows that under the first fall degree assumption, the complexity of ECDLP over F2n , where n is the input size, is O(2 1/2+o(1) ). In his manuscript, the cost for solving equations system is O((nm)), where m (2 ≤ m ≤ n) is the number of decomposition and w ∼ 2.7 is the linear algebra constant. It is remarkable that the cost for solving equations system under the first fall degree assumption, is poly in input size n. He uses normal factor base and the revalance of ”Probability that the decomposition success” and ”size of factor base” is done. Here, using disjoint factor base to his method, ”Probability that the decomposition success becomes ∼ 1 and taking the very small size factor base is useful for complexity point of view. Thus we have the result that states ”Under the first fall degree assumption, the cost of ECDLP over F2n , where n is the input size, is O(n).” Moreover, using the authors results in [11], in the case of the field characteristic ≥ 3, the first fall degree of desired equation system is estimated by ≤ 3p+1. (In p = 2 case, Semaev shows it is ≤ 4. But it is exceptional.) So we have similar result that states ”Under the first fall degree assumption, the cost of ECDLP over Fpn , where n is the input size and (small) p is a constant, is O(n). ”