Quasi-subfield Polynomials and the Elliptic Curve Discrete Logarithm Problem

Abstract We initiate the study of a new class of polynomials which we call quasi-subfield polynomials. First, we show that this class of polynomials could lead to more efficient attacks for the elliptic curve discrete logarithm problem via the index calculus approach. Specifically, we use these polynomials to construct factor bases for the index calculus approach and we provide explicit complexity bounds. Next, we investigate the existence of quasi-subfield polynomials.


Introduction
The hardness of the discrete logarithm problem (DLP) in cyclic groups has been one of the key mathematical problems underlying many public key cryptosystems in use today. In its most general form, given a generator $g$ of a cyclic group $G = \langle g \rangle$ of order $N$ and an arbitrary element $h \in G$, the DLP asks for the smallest integer $k$ such that $h = g^k$ (or $h = kg$ in additive notation). For cryptographic applications, the most common cyclic groups used are multiplicative subgroups of finite fields and subgroups of rational points on elliptic curves over finite fields.
The discrete logarithm problem in multiplicative groups of finite fields was the basis for one of the earliest public-key protocols, namely the Diffie-Hellman key exchange protocol [5]. Since then, remarkable progress has been made in improving the complexity of solving this problem. First, in [1], index calculus methods were proposed to solve the DLP over finite fields in sub-exponential time. More impressive results were obtained in recent years with heuristic quasi-polynomial time bounds in the case of finite fields of small characteristic [2].
By contrast, the elliptic curve discrete logarithm problem (ECDLP) has so far been more resistant to efficient attacks, and the best attacks for groups of $N$ rational points are generic algorithms such as Pollard's rho and Baby-Step-Giant-Step algorithms with a number of group operations proportional to $\sqrt{N}$. In this paper, we refer to the complexity bounds from these generic algorithms as generic bounds. In 2004, Semaev proposed an index calculus approach to solve ECDLP [23]. This inspired several subsequent works leading to sub-exponential attacks for some families of elliptic curves [4].
Essentially, the index calculus method seeks a good factor basis that gives rise to an efficient relation search. Semaev's work converts this relation search into a problem of solving polynomial equations over finite fields. Factor bases that have been proposed include sets of elliptic curve points with $x$-coordinates from finite subfields [4,14] or, more generally, from vector spaces [11,21]. The corresponding polynomial systems are typically solved via Weil descent, that is, transformed into polynomial systems over the base field and then solved using one of the existing polynomial solving methods such as Rojas' algorithm [22], Gröbner basis algorithms [8,9] or resultants. Thus far, this approach works well for finite fields $\mathbb{F}_{q^n}$ with $q$ large. For $q$ small and $n$ prime, heuristic sub-exponential results were proposed in [21]. However, experimental results in [16] gave some evidence against the heuristic assumption used. In other words, the best proven attacks for the important class of elliptic curves over $\mathbb{F}_{2^n}$ with $n$ prime are the generic attacks.
One therefore wonders whether there exist factor bases that directly give rise to a more efficient polynomial solving technique. In this paper, we propose factor bases constructed from the roots of polynomials of the form $X^{q^{n'}} - \lambda(X)$ which split completely in $\mathbb{F}_{q^n}$. When $\deg(\lambda)$ is small enough, we call $X^{q^{n'}} - \lambda(X)$ a quasi-subfield polynomial, by extension of the subfield case $\lambda(X) = X$. Using these polynomials, we construct a polynomial system over the field $\mathbb{F}_{q^n}$ whose zero set gives a relation for the index calculus method. By employing Rojas' algorithm to solve this polynomial system, we give precise complexity results for our index calculus algorithm.
The next interesting question is whether quasi-subfield polynomials exist. Apart from the above-mentioned links to efficient attacks on the elliptic curve discrete logarithm problem, this is an interesting mathematical problem in its own right. What we are able to prove so far is that there exists a class of quasi-subfield polynomials for which our algorithm yields a time complexity that beats exhaustive search (exhaustive search runs in $O(N)$ steps). In addition, we investigate this problem by considering additive and multiplicative subgroups of fields. Statistical arguments suggest that for arbitrary $q$ and $n$ these groups are unlikely to give rise to quasi-subfield polynomials achieving a time complexity better than the generic bounds for ECDLP over $\mathbb{F}_{q^n}$. An interesting question is whether special families of $\{q, n\}$ can be identified where these groups do give rise to quasi-subfield polynomials. The search for quasi-subfield polynomials in general remains an open problem.
In Section 2 we recall previous ECDLP algorithms for elliptic curves defined over extension fields. In Section 3 we describe our new algorithm and we analyze its complexity depending on its various parameters. In Section 4 we discuss the existence of suitable parameters for our approach. We finally conclude the paper in Section 5.

Index Calculus Algorithms for ECDLP over Extension Fields
For the remainder of this paper, let $q$ be a prime, $K = \mathbb{F}_{q^n}$ be a finite field with $q^n$ elements, and let $E$ be an elliptic curve defined over $K$. Let $P$ be a rational point on $E$, and let $Q$ be randomly chosen in the subgroup generated by $P$. As is standard in cryptographic contexts, we assume that $P$ generates a subgroup of large prime order $N$. We are interested in algorithms to compute the discrete logarithm of $Q$ with respect to $P$, namely an integer $s$ such that $Q = [s]P$. We are particularly interested in the case where $q$ is a very small prime.
Given $q, n, E, P, Q$, we first choose parameters $m$, $n'$ and a vector space $V$ of dimension $n'$ over $\mathbb{F}_q$. We then define a factor basis $F$. Following standard index calculus algorithms for the discrete logarithm problem over finite fields, we then collect sufficiently many relations expressing $a_iP + b_iQ$ as a sum of points $P_{ij} \in F$, with $a_i, b_i$ randomly chosen. Finally, we perform linear algebra operations modulo $N$ on the relations to obtain a new relation of the form $aP + bQ = 0$, from which one (almost always) deduces the discrete logarithm value $s = -a/b \bmod N$.
In this algorithm, for every index $i$, we need to solve an instance of the point decomposition problem (Problem 1). This is typically done using Semaev's summation polynomials [23], a Weil descent strategy, and an algorithm to solve systems of multivariate polynomial equations. For every integer $r \ge 2$, the summation polynomial $S_r \in K[X_1, X_2, \dots, X_r]$ is a polynomial depending on $E$ such that $S_r(x_1, x_2, \dots, x_r) = 0$ if and only if there exist $y_i \in K$ with $(x_i, y_i) \in E(K)$ and $(x_1, y_1) + (x_2, y_2) + \dots + (x_r, y_r) = 0$ on $E(K)$. It is a symmetric polynomial of degree $2^{r-2}$ in each variable.
In order to solve the point decomposition problem above, we can solve $S_{m+1}(x_1, \dots, x_m, x_R) = 0$ with $x_i \in V$, where $x_R$ is the $x$-coordinate of $R$, and for each of these solutions $x_1, \dots, x_m$, one checks whether all the $y_i$ are in $K$. This problem is further reduced to a polynomial system as follows. We fix a basis $\{\theta_1, \dots, \theta_n\}$ of $K$ over $\mathbb{F}_q$.
When $q$ is reasonably large compared to $n$, one can take $V := \mathbb{F}_q$. The system is then solved using resultants or a Gröbner basis algorithm [4,14]. On the other hand, when $q$ is small, one adds the so-called field equations $x_{ij}^q - x_{ij} = 0$ to the system and solves it using a Gröbner basis algorithm [11,21].

Complexity Analysis
The analysis of these algorithms has so far required several heuristic assumptions. Fix a positive integer $m$. Heuristically, one can expect that roughly half of the values in $V$ are the $x$-coordinates of exactly two points on the curve, and hence we approximate $|F| \approx q^{n'}$. Moreover, assuming that most (unordered) tuples of $m$ points in $F$ produce distinct sums, the probability that the randomly chosen point $R_i := a_iP + b_iQ$ can be split as a sum of $m$ points in $F$ is heuristically estimated by $q^{n'm - n}/m!$. These heuristic assumptions appear reasonable, and they are common in the literature. Furthermore, we need about $|F|$ decompositions to solve the discrete logarithm problem.
If we let $C(q, n, m, n')$ be the expected cost of solving Problem 1, the relation search phase of the algorithm then has an expected cost of
$$q^{n'} \cdot \frac{m!}{q^{n'm - n}} \cdot C(q, n, m, n') = m! \cdot q^{n - n'm + n'} \cdot C(q, n, m, n').$$
In practice $m$ will be small compared to $q^{n'}$, so a sparse linear algebra algorithm will be used for the linear algebra phase of the algorithm [25]. The expected cost of this phase can therefore be approximated by $m q^{2n'}$. We then have the following. Under plausible heuristic assumptions, the total cost of solving a discrete logarithm problem for a curve defined over $K$ can be approximated by
$$m! \cdot q^{n - n'm + n'} \cdot C(q, n, m, n') + m q^{2n'},$$
where $C$ is as above.
Evaluating the cost C(q, n, m, n ′ ) of solving Problem 1 has proven to be very difficult. The polynomial systems obtained after the Weil descent procedure are solved with Groebner basis or multivariate resultant algorithms. These algorithms reduce polynomial system solving to linear algebra. The main issue in estimating the cost of Problem 1 is estimating the size of this linear algebra problem. Existing upper bounds seem to provide a good approximation for the cost of solving generic systems of polynomial equations, but have often been of little value for systems with special structure, and in particular those coming from cryptography [10,16,19].
For some ranges of the parameters n and q, these bounds suffice to show that the algorithm above with V = Fq outperforms generic algorithms [4,14] and in the best case the algorithm has subexponential complexity. In the important case q = 2 and n prime, the bounds lead to an overall cost above the cost of generic algorithms [11], but studies of the polynomial systems suggest that the actual complexity of solving them may be lower [12,17,21,24]. In [21] it was shown that under the first fall degree assumption, a heuristic previously used in other cryptanalysis work [6,7,10,15], the overall cost of ECDLP over characteristic 2 fields would be subexponential. Since then Huang et al. [16] have provided some evidence against the first fall degree assumption, and the actual cost of the algorithm remains unknown.

Current Challenges
There are two main challenges related to the family of index calculus algorithms sketched in this section:
- Complexity estimates: the complexity of these algorithms is hard to analyze.
- Practical efficiency: solving ECDLP for curves used in cryptography is still very hard in practice.
This is in contrast to the particular case $V = \mathbb{F}_q$ where, for some range of parameters, improvements over generic algorithms have been demonstrated both in theory and in practice [4,14].

A new ECDLP Algorithm
The particular vector space $V = \mathbb{F}_q$ can be equivalently described as the set of elements $x \in K$ such that $x^q = x$. Let $m := n$ in this case. From the problem we easily derive $n$ equations.
Clearly, all the equations above can be chosen to have the same degree. We thus have a system of $n$ equations (letting $i = 0, 1, \dots, n-1$) in $n$ variables. The system can be solved using resultants or Gröbner basis algorithms, leading to the good complexity results mentioned above. Motivated by these ideas, we consider factor bases whose elements are roots of some "nice" polynomials. Concretely, our main idea in this paper is to replace the vector space $V$ by the set of points satisfying an equation of the form $x^{q^{n'}} = \lambda(x)$, where $\lambda$ is a polynomial of small degree.

Our Algorithm
Let $q, n, E, P, Q$ be as above, and suppose we want to solve the corresponding discrete logarithm problem. Furthermore, fix $\lambda(X) \in K[X]$ and positive integers $n'$ and $m$. Let $M$ be the set of monomials in $K[X_1, \dots, X_m]$. For a positive integer $i$ and $f = \sum$
Observe that we have
Our algorithm has three steps:
1. Choice of a "factor basis": set
and a "factor basis"
2. Relation search: we solve the polynomial system $S = \{S^{(k)}\}_{k=0}^{m-1}$ using Rojas' sparse resultant algorithm [22] and a univariate polynomial root finding algorithm. Given a solution $(x_1, \dots, x_m)$, we check whether all the $x$ values correspond to points in the factor basis in two steps:
We then find signs such that the relation $R_i = \sum_{j=1}^{m} \pm (x_j, y_j)$ holds. Once a solution is found, we store the corresponding relation.
3. Linear algebra: as in previous algorithms, we perform linear algebra operations on the relations to derive a relation of the form $aP + bQ = 0$, from which we deduce the discrete logarithm value.
Our goal in the relation search step is to solve the equation $S_{m+1}(x_1, \dots, x_m, x_R) = 0$ with $x_i \in V$, $i = 1, \dots, m$. This is equivalent to finding the zeros of the system
In this paper we consider the system $S$, which might have more solutions than the system $T$. We make the assumption that $S$ is zero-dimensional. We refer to Appendix B for an argument in support of this assumption.
We observe that a randomly chosen polynomial $\lambda$ with small degree will usually result in a very small factor basis $F$ (and hence in an impractically large $m$), while a randomly chosen set of around $q^{n'}$ elements of $K$ will lead to a polynomial $\lambda$ of large degree. The existence and construction of suitable parameters will be further discussed in Section 4.
As in previous algorithms, we heuristically approximate $|F| \approx |V|$ and we assume $|V| \approx q^{n'}$. Under the assumptions recalled above, we can therefore evaluate the cost of our algorithm as follows:
An ideal polynomial $\lambda$ in our attack will have a small degree $d$. The case $V = \mathbb{F}_q$ is used in Diem's and Gaudry's algorithms [4,14], and it corresponds to $d = n' = 1$. Concretely, we have $m = n$ and $|V| = q$. Theorem 3.2 gives a time complexity of $n! \cdot q \cdot \tilde{O}\big(n^{5.188}\, 3^{4.876 n^2}\big) + n q^2$ arithmetic steps. By letting $n$ and $q$ vary in a particular way, one obtains a sub-exponential complexity (see [4]).
Definition 3.1. In view of Remark 3.1, we call polynomials $X^{q^{n'}} - \lambda(X) \in K[X]$ dividing $X^{q^n} - X$ with $\log_q(d) = \log_q(\deg \lambda) < n'^2/n$ quasi-subfield polynomials.

Finding Suitable Parameters and Constructions
We now discuss the existence and computation of suitable parameters for our attack. We first give a general existential result. Then we focus on the case of additive subgroups of the finite field. We give a probabilistic argument in that context, followed by an explicit construction. In Appendix C we further study additive subgroups for Mersenne prime extensions of characteristic 2 fields, and we investigate multiplicative subgroups of the finite field.

Lower Bounds on $\deg \lambda$
Let $q, n, n', m, d$ and $\lambda$ be as above, and suppose that $\deg \lambda > 1$. Assume that $L(X) = X^{q^{n'}} - \lambda(X)$ splits over $K$, so that $|V| = q^{n'}$. The following lemma (proved in Appendix A.2) shows that $\deg \lambda$ cannot be too small.
One can prove a similar result when $L(X)$ splits almost completely over $K$ (see Lemma C.2). Note that the above lemma does not apply when $\lambda$ is linear. The above constraints on $\ell = \log_q \deg \lambda$ are stricter when $n \bmod n'$ is smaller. When $n \bmod n'$ is too small, our algorithm is often worse than generic algorithms by Remark 3.1.
We remark that random polynomials dividing $X^{q^n} - X$ are unlikely to have small $\ell$. On the other hand, a random polynomial of the shape of $L$ with small $\ell$ is unlikely to have many roots in $K$. We will therefore need ad hoc constructions to build these polynomials. Perhaps the most natural constructions are to consider additive and multiplicative subgroups of $K$. In what follows, we argue that these constructions may not provide us with the sparse polynomials we seek.

Additive Subgroups
In the remainder of this section we focus on polynomials $L$ such that the corresponding set $V$ of roots is a vector space over $\mathbb{F}_q$. The factor bases considered are therefore a subset of the factor bases considered in [11,21] and follow-up works, though of course our algorithm computes relations in a different way.
We recall that for any vector space $V$ over $\mathbb{F}_q$, the associated polynomial $L(X) = \prod_{\alpha \in V} (X - \alpha)$ is a monic linearized polynomial, namely its only non-zero coefficients are those of the terms $X^{q^i}$ [3, Ch. 11]. Any two distinct vector spaces correspond to distinct linearized polynomials, but not every linearized polynomial corresponds to a vector space. In fact, as shown in Appendix A.3, we have the following (Lemma 4.2). Let $N(q, n, n')$ be the number of distinct vector spaces over $\mathbb{F}_q$ of dimension $n'$ that are contained in $K$. Assume $n \ge n' \ge 1$. Then:
$$q^{n'(n - n')} \cdot \big(1 - n' q^{-(n - n' + 1)}\big) \le N(q, n, n') \le q^{n'(n - n' + 1)}.$$
If $n$ is large in comparison to $n'$, the previous lemma essentially tells us that there are about $q^{n'(n - n')}$ subspaces of $K$ of dimension $n'$. There are exactly $q^{nn'}$ monic linearized polynomials of degree $q^{n'}$ over $K$, and there are $q^{n\ell}$ such polynomials with $\deg \lambda \le q^{\ell}$. Heuristically, we may expect that linearized polynomials associated to vector spaces are as likely to have small $d$ as other polynomials. We would therefore expect the number of vector spaces of dimension $n'$ such that $\deg \lambda \le q^{\ell}$ to be about $q^{n'(n - n')} \cdot q^{n(\ell - n')} = q^{n\ell - n'^2}$.
In particular, we would expect no such polynomial to exist whenever $\ell \ll n'^2/n$. On the other hand, as in Remark 3.1, parameters with $\ell > n'^2/n$ will result in a time complexity worse than brute force. Hence this approach might only work well for exceptional families of parameters. Indeed, an exceptional family where the heuristic analysis does fail is $n' \mid n$ and $\lambda(x) = x$, thus $\ell = 0 < n'^2/n$, and the subspace is none other than the subfield of degree $n'$ over $\mathbb{F}_q$. The work of Diem [4] shows that there is an infinite family of such $n$ and $q$ where the ECDLP can be solved in subexponential time in that case.
In the next section we provide an explicit infinite family of parameters giving quasi-subfield polynomials. In Appendix C.1, we further study the case of parameters where n is a Mersenne prime.

A Particular Family
Let $F$ be a field of characteristic $p$. We recall that to any polynomial $f = \sum_{i=0}^{\ell} f_i X^i \in F[X]$, one can associate a linearized polynomial $L_f(X) = \sum_{i=0}^{\ell} f_i X^{q^i} \in F[X]$. Moreover, this association is such that, given any two polynomials,
where $\circ$ denotes polynomial composition [3, Ch. 11]. The polynomial $f \in F[X]$ divides $X^n - 1$ if and only if $L_f(X)$ divides $X^{q^n} - X$.
, where $F$ is any field of characteristic $p$, one has for $k \ge 0$:
Proof. One has $p^{k+1} = q' p^k + 1$. Let $f = 1 + \sum_{i=0}^{k} X^{p^i}$. Modulo $f$ we find:
We apply the construction in the above lemma to the case $F = K = \mathbb{F}_{q^n}$ with $n = p^{k+1}$. Note that $\deg\big(X + \sum_{i=0}^{k} X^{q^{p^i}}\big) = q^{p^k}$ and that $n' = p^k$. Furthermore, note that
Hence our construction gives rise to quasi-subfield polynomials. By picking the right parameters, Remark 3.1 implies that our algorithm runs faster than brute force search. Note that since $n \equiv 1 \pmod{n'}$, we are in the worst case scenario of Lemma 4.1. We hope that there are better constructions giving rise to better complexity estimates.
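Added worked example (not code from the paper): a small Python check of the construction above over $\mathbb{F}_p[X]$ for small $p$ and $k$, assuming $q = p$. It builds $f = 1 + \sum_{i=0}^{k} X^{p^i}$ and its linearized polynomial $L_f$, reads off $n'$, $\deg\lambda$ and $\ell = \log_q \deg\lambda$, and verifies by direct computation that $f$ divides $X^{p^{k+1}} - X$, that $L_f$ divides $X^{q^n} - X$ (so $L_f$ splits completely over $\mathbb{F}_{q^n}$) and the inequality of Definition 3.1; here $n$ is computed as the least $n \ge 1$ with $f \mid X^n - 1$ rather than taken from the text.

```python
# Added worked example (not from the paper): verify the Section 4.2 construction
# by direct computation in F_p[X] for small p and k.  Assumes q = p, and computes
# n as the least n >= 1 with f | X^n - 1 rather than taking it from the text.
# Polynomials are coefficient lists over F_p (index = degree, no trailing zeros).
def poly_mul(a: list, b: list, p: int) -> list:
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % p
    return r

def poly_mod(a: list, f: list, p: int) -> list:
    """Remainder of a modulo a monic f in F_p[X], trailing zeros removed."""
    a, df = [c % p for c in a], len(f) - 1
    for i in range(len(a) - 1, df - 1, -1):   # cancel a[i] X^i with a[i] X^(i-df) f
        c = a[i]
        for j in range(df + 1):
            a[i - df + j] = (a[i - df + j] - c * f[j]) % p
    while len(a) > df or (a and a[-1] == 0):  # drop cancelled and trailing zeros
        a.pop()
    return a

def x_power_mod(e: int, f: list, p: int) -> list:
    """X^e mod f by square-and-multiply."""
    result, base = [1], [0, 1]
    while e:
        if e & 1:
            result = poly_mod(poly_mul(result, base, p), f, p)
        base = poly_mod(poly_mul(base, base, p), f, p)
        e >>= 1
    return result

def log_exact(x: int, q: int) -> int:  # the e with q^e == x; raises otherwise
    e = 0
    while x > 1:
        if x % q:
            raise ValueError(f"{x} is not a power of {q}")
        x, e = x // q, e + 1
    return e

def family_poly(p: int, k: int) -> list:
    """f = 1 + X + X^p + ... + X^{p^k} in F_p[X], the Section 4.2 family."""
    f = [0] * (p ** k + 1)
    for exp in [0] + [p ** i for i in range(k + 1)]:
        f[exp] = (f[exp] + 1) % p
    return f

def order_of_x(f: list, p: int, bound: int) -> int:
    """Least n >= 1 with X^n = 1 mod f, i.e. f | X^n - 1 (searched up to bound)."""
    cur = [1]
    for n in range(1, bound + 1):
        cur = poly_mod(poly_mul(cur, [0, 1], p), f, p)
        if cur == [1]:
            return n
    raise ValueError("no n <= bound with f | X^n - 1")

def linearized(f: list, q: int) -> list:
    """L_f(X) = sum_i f_i X^{q^i}, the linearized polynomial attached to f."""
    L = [0] * (q ** (len(f) - 1) + 1)
    for i, c in enumerate(f):
        L[q ** i] = c
    return L

def quasi_subfield_data(p: int, k: int) -> dict:
    """n, n', deg(lambda), ell and the Section 4.2 checks for the pair (p, k)."""
    q, f = p, family_poly(p, k)
    n = order_of_x(f, p, p ** (k + 1))
    L = linearized(f, q)
    n_prime = log_exact(len(L) - 1, q)                    # deg L_f = q^{n'}
    deg_lam = max(e for e, c in enumerate(L[:-1]) if c)   # lambda = X^{q^{n'}} - L_f
    ell = log_exact(deg_lam, q)                           # ell = log_q deg(lambda)
    return {
        "n": n, "n_prime": n_prime, "deg_lambda": deg_lam, "ell": ell,
        # lemma of Section 4.2: f divides X^{p^{k+1}} - X
        "f_divides": int(x_power_mod(p ** (k + 1), f, p) == [0, 1]),
        # f | X^n - 1 iff L_f | X^{q^n} - X, i.e. L_f splits completely over F_{q^n}
        "L_splits": int(x_power_mod(q ** n, L, q) == [0, 1]),
        # Definition 3.1: log_q deg(lambda) < n'^2 / n
        "quasi_subfield": int(ell * n < n_prime ** 2),
    }
```

For instance `quasi_subfield_data(2, 2)` reports $n' = 4$, $\deg\lambda = 4$, $\ell = 2$ and all three checks passing.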

Conclusion and Open Problems
In this paper we introduced quasi-subfield polynomials, which are polynomials over a finite field $\mathbb{F}_{q^n}$ of the form $X^{q^{n'}} - \lambda(X)$ which are nearly split and where $\lambda$ has small degree. We showed that such polynomials could lead to faster algorithms for the elliptic curve discrete logarithm problem (ECDLP) over composite fields when $\deg \lambda$ is small enough. Finally, we investigated the existence of these polynomials, and provided one particular family leading to an ECDLP algorithm more efficient than exhaustive search.
It remains an open problem to find (or rule out) the existence of quasi-subfield polynomials where $\deg \lambda$ is small enough to improve on the best (generic) algorithms for ECDLP. A question of particular interest is whether the bound on $\deg \lambda$ provided by Lemma 4.1 is tight: in fact, removing the term $n \bmod n'$ in this bound would show that our approach cannot beat generic algorithms. Besides the construction of better families of quasi-subfield polynomials, one may hope to beat generic algorithms by generalizing our approach in various directions: such generalizations could include using a rational function for $\lambda$, using an isogeny map for $L$ (as in [20]), or adapting various tricks also used in other index calculus algorithms such as double large prime, unsymmetrized and unbalanced variations [12,13,18]. We hope that our paper will motivate further work in these directions.

A.1 Proof of Lemma 3.1
Proof. The polynomial system has $m$ equations $S^{(k)} = 0$ in $m$ variables. The summation polynomial $S_{m+1}$ has degree $2^{m-1}$ in each variable, and each application of $\varphi$ increases the degree by a factor $d$ in each variable, so the polynomial $S^{(k)}$ has degree $d^{k-1} 2^{m-1}$ in each variable.
We compute the quantities $M(E)$, $R(\bar{E})$ and $S(\bar{E})$ in Theorem 2.1 of [22]. Following the notation of [22], $E_k$ is the fundamental hypercube of dimension $m$ and length $d^{k-1} 2^m$, and $E_{m+1} = \triangle$ is the pyramid whose edges are all fundamental vectors. For $k = 1, \dots, m$, let $\lambda_k = d^{k-1} 2^{m-1}$, and let $\lambda_{m+1} = (m!)^{-1}$. We have
We have
We finally have
Applying [22,
The univariate polynomials produced by Rojas' algorithm have degree bounded by $M(E)$. Over finite fields, root-finding is quasi-linear in this degree, and its cost can be neglected in the overall complexity estimate.

A.2 Proof of Lemma 4.1
Proof. To simplify notation, let us assume that $\lambda$ is defined over $\mathbb{F}_q$ (the general proof follows the same lines).
One has
Recursively, we have
where $\lambda$ is composed $k$ times with itself in this formula. We then have
where $\lambda$ is composed $\lfloor n/n' \rfloor$ times with itself in this formula. Since $X^{q^n} \equiv X \bmod L(X)$, we deduce the result.

A.3 Proof of Lemma 4.2
Proof. We have $N(q, n, n') = N_1(q, n, n') / N_2(q, n, n')$, where $N_1$ is the number of choices of $n'$ elements of $\mathbb{F}_{q^n}$ that are linearly independent over $\mathbb{F}_q$, and $N_2$ is the number of such choices defining the same vector space. One has
Also, one finds, using that for $0 \le \epsilon \le 1$ one has $(1 - \epsilon)^n \ge 1 - n\epsilon$:
Furthermore, one finds
Since $N = N_1 / N_2$, the result follows.

B On the dimension of our polynomial systems
Throughout this section we let $K = \mathbb{F}_{q^n}$, $\bar{K}$ the algebraic closure of $K$, and
Here $S^{(0)}(X_1, X_2, \dots, X_m) = S_{m+1}(X_1, X_2, \dots, X_m, \xi_R)$, where $\xi_R$ is the $x$-coordinate of a point $R$ which is a random linear combination of the points $P$ and $Q$, and inductively
$\dots, \lambda(X_m))$, which is a ring morphism. Here $F$ raises the coefficients of a polynomial to the power $q$, and $\lambda$ is a polynomial. In the main text we make the heuristic assumption that for random $R$, $Z(S)$ is likely finite. The goal of this section is to provide theoretical analysis in support of this heuristic assumption.
If $I$ is an ideal of $A$, then $I\varphi$ denotes the ideal generated by $\varphi(I)$. Let $I^{(0)} = I$ and inductively $I^{(i+1)} = (I^{(i)})\varphi$ for $i \ge 0$. Let $J_i$ be the ideal generated by $I^{(0)} \cup \dots \cup I^{(i)}$ for $i \ge 0$. Our goal is to characterize when $\dim Z(J_{m-1})$ is $0$. The situation considered in our algorithm is the special case where $I$ is the ideal generated by $S_{m+1}(X_1, X_2, \dots, X_m, \xi_R)$.
For $u, v \in \operatorname{Spec} A$, we write $u \xrightarrow{\varphi} v$ if $\dim u = \dim v$ and $v\varphi \subset u$. We will show that for every $u \in \operatorname{Spec} A$ there is a unique $v$ such that $u \xrightarrow{\varphi} v$; in fact $v = \varphi^{-1}(u)$. We say that a sequence of prime ideals $u_0, \dots, u_i$ in $\operatorname{Spec} A$ is a $\varphi$-chain of length $i$ led by $u_0$ if $u_0 \xrightarrow{\varphi} u_1 \xrightarrow{\varphi} \dots \xrightarrow{\varphi} u_i$.
There are only finitely many minimal primes in $V(I)$. In general it is likely that there are no minimal primes $u$ and $v$ in $V(I)$ such that $u \xrightarrow{\varphi} v$, in which case $\dim J_1 < \dim I$. Inductively, there are finitely many minimal prime ideals in $V(J_i)$, each leading a $\varphi$-chain of length $i$. It is likely that there are no minimal primes $u$ and $v$ in $V(J_i)$ such that $u \xrightarrow{\varphi} v$, in which case no minimal prime in $V(J_i)$ leads a $\varphi$-chain of length $i + 1$, hence $\dim J_{i+1} < \dim J_i$. Consequently $J_{m-1}$ is likely of dimension $0$.
In our situation $I$ is the ideal generated by $S_{m+1}(X_1, X_2, \dots, X_m, \xi_R)$, and the heuristic assumption is that for $R$ a random combination of $P$ and $Q$, the ideal $I$ is likely in the good case, hence $J_{m-1}$ is likely of dimension $0$.
The rest of this section is devoted to proving the above-mentioned property of φ-chains and characterization of J i in terms of φ-chains in V(I).
It is easy to see that $\varphi : A \to A$ is an integral ring morphism, that is, $A$ is integral over $\varphi(A)$. Therefore if $u \in \operatorname{Spec} A$, then $\varphi^{-1}(u) \in \operatorname{Spec} A$ and $\dim u = \dim \varphi^{-1}(u)$.
Let $w \in \operatorname{Spec} A$ with $\dim w = \dim u$ and $w\varphi \subset u$. Then $\varphi(w) \subset u$, so $w \subset \varphi^{-1}(u) = v$. Since $\dim w = \dim u = \dim v$, we must have $w = v$. We have proved the following:
To prove the theorem, observe that for $\wp \in \operatorname{Spec} A$, $\wp \in V(J)$ if and only if $\wp \in V(I)$ and $\wp \in V(I\varphi)$.
It is straightforward to verify that for $\wp \in \operatorname{Spec} A$,
From Lemma B.1 it follows that
The theorem is proved.
The main result of this section is the next theorem.
Applying induction to $\wp, u_1, \dots, u_{i-1}$ we conclude that $\wp \in V(J_{i-1})$. Similarly, applying induction to $u_1, \dots, u_i$ we conclude that $u_1 \in V(J_{i-1})$. Since $\wp \xrightarrow{\varphi} u_1$, Theorem B.2 implies that $\wp \in V(J_i)$. This completes the proof of the theorem.

C Further comments on the existence of quasi-subfield polynomials
In this section we further develop our analysis of additive subgroups of $\mathbb{F}_{q^n}$, specializing to the case of Mersenne prime degree extensions when $q = 2$. We also investigate the case of multiplicative subgroups of $\mathbb{F}_{q^n}^{*}$.

C.1 Mersenne Prime Degree Extensions over $\mathbb{F}_2$
We first expand on the construction of Section 4.2. A plausible attempt at finding good parameters is to seek parameters such that the polynomial $X^n - 1$ has many small degree factors over $\mathbb{F}_q$. This polynomial is then a priori more likely to have a large number of (not necessarily irreducible) factors of degree $n'$, maximizing the chance that one of these factors is sparse enough. We would then take $L$ as the linearized polynomial corresponding to that factor.
Mersenne prime degree extensions of $\mathbb{F}_2$ look particularly promising in that respect. Indeed, when $n = 2^k - 1$ is prime, the polynomial $(X^n - 1)/(X - 1)$ has $(n - 1)/k$ irreducible factors of degree $k$ over $\mathbb{F}_2$.