Elliptic Curve Discrete Logarithms and the Index Calculus

The discrete logarithm problem forms the basis of numerous cryptographic systems. The most eeective attack on the discrete logarithm problem in the multiplicative group of a nite eld is via the index calculus, but no such method is known for elliptic curve discrete logarithms. Indeed, Miller 23] has given a brief heuristic argument as to why no such method can exist. IN this note we give a detailed analysis of the index calculus for elliptic curve discrete logarithms, amplifying and extending miller's remarks. Our conclusions fully support his contention that the natural generalization of the index calculus to the elliptic curve discrete logarithm problem yields an algorithm with is less eecient than a brute-force search algorithm. 0. Introduction The discrete logarithm problem for the multiplicative group F q of a nite eld can be solved in subexponential time using the Index Calculus method, which appears to have been rst discovered by Kraitchik 14, 15] in the 1920's and subsequently rediscovered and extended by many mathematicians. (See, for example, 1] and 43], and for a nice summary of the current state-of-the-art, see 29].) For this reason, it was proposed independently by Miller 23] and Koblitz 12] that for cryptographic purposes, one should replace F q by the group of rational points E(F q) on an elliptic curve, thus leading to the Elliptic Curve Discrete Logarithm Problem, which we abbreviate as the ECDL problem. Indeed, Victor Miller gives in his article 23, page 423] two reasons why \it is extremely unlikely that anìndex calculus' attack on elliptic curves will ever be able to work." Miller's reasons may be brieey summarized as follows: (1) It is diicult to nd elliptic curves E=Q with a large number of small rational points. This observation may be split into two pieces. (a) It is diicult to nd elliptic curves E=Q with high rank. (b) It is diicult to nd elliptic curves E=Q generated by points of small height.