Complexity Bound on Semaev’s Naive Index Calculus Method for ECDLP

Since Semaev introduced summation polynomials, a number of works have been devoted to improving and analyzing index calculus algorithms for solving the elliptic curve discrete logarithm problem (ECDLP) with better complexity than generic algorithms such as the rho method. In this paper, we give a deep analysis of Gröbner basis computation for a polynomial system appearing in the point decomposition problem (PDP) in a naive index calculus method. Our analysis is based on linear algebra under simple statistical assumptions on Semaev's summation polynomials. Specifically, we show that the ideal derived from the PDP has a special structure, and regard Gröbner basis computation for the ideal as an extension of the extended Euclidean algorithm in order to estimate its cost. This approach allows us to obtain a precise lower bound on the cost of Gröbner basis computation. We also prove that the naive index calculus cannot be more efficient than even the brute force method for the ECDLP over an arbitrary finite field.


Introduction
In public-key cryptography, the RSA cryptosystem [31] and elliptic curve cryptography (ECC) [19,26] are the most widely used primitives in modern information society. The security of RSA and ECC is based on the hardness of the integer factorization problem (IFP) and of the ECDLP, respectively. While there exist sub-exponential time algorithms to solve the IFP, no such algorithm exists to solve the ECDLP for cryptographic parameters. The best algorithm for solving the ECDLP is Pollard's rho method [30], except in special cases such as supersingular [25] and anomalous curves [32,33,37], and its complexity is the square root of the order of the elliptic curve over a finite field. (See also the textbooks [3,16].) The largest currently known records for the ECDLP are 112 bits over prime fields [4], 117.35 bits over binary fields [2], and 113 bits over Koblitz curves [41], all of which were solved by the parallelized rho method. (As a special case of prime fields, a 114-bit ECDLP over a Barreto-Naehrig curve was solved in [22].) The index calculus method (ICM) is useful for solving the DLP over a general cyclic group; its idea is to reduce the DLP to linear algebra by collecting relations over a so-called factor base. After Semaev [34] introduced summation polynomials associated with an elliptic curve, one can solve the ECDLP in the index calculus framework. In particular, finding a relation is reduced to the problem of solving a system including Semaev's polynomials, in order to decompose a point of the elliptic curve into a sum of points of a factor base. Semaev's paper [34] triggered many works aiming to develop index calculus algorithms with better complexity than the rho method. As typical works, Gaudry [14] and Diem [7] fully developed Semaev's approach based on Weil descent for the ECDLP over a finite field $\mathbb{F}_{q^n}$ with small extension degree n. In 2012, Faugère et al. [12] showed that a system arising in algorithms based on Weil descent has special structures, making it easier to solve the system by Gröbner basis algorithms such as F4 and F5 [9,10]. Shortly after that, Petit and Quisquater [29] revisited Faugère et al.'s work to claim subexponentiality for the ECDLP over any binary field, under the heuristic first fall degree (FFD) assumption about the behavior of Gröbner basis algorithms. However, Huang et al. [18] in 2015 provided computational evidence that raises doubt on the validity of the FFD assumption, and also introduced another notion called the last fall degree (LFD) to develop complexity bounds on solving a polynomial system. At present, as mentioned in the survey [13], there is no consensus (nothing at all definitive) on whether there exists a sub-exponential time algorithm to solve the ECDLP over binary fields, since the FFD assumption is too optimistic while the LFD approach looks more precise but is much harder to estimate. On the other hand, for prime fields $\mathbb{F}_p$, Petit et al. [28] in 2016 provided an index calculus approach which works when p − 1 has a smooth factor. In 2018, Amadori et al. [1] proposed a variant of index calculus for solving an arbitrary ECDLP that decreases the required number of Gröbner basis computations. An experimental study [21] showed that neither method of [1,28] outperforms generic algorithms such as the BSGS [36] and the rho methods for solving the ECDLP over prime fields.
In this paper, we give a deep analysis of Gröbner basis computation for a polynomial system appearing in a naive index calculus using Semaev's polynomials, as a first step toward investigating the complexity of Gröbner basis computation used in the ICM. Looking at the special structure of the ideal associated with the ICM, we regard its Gröbner basis computation as an extension of the Euclidean algorithm for polynomial GCD, and use the shape of the coefficient polynomial (see Equation (5)) to count the number of operations in Gröbner basis computation. In particular, we observe that the leading monomials of coefficient polynomials give precise information on S-polynomials. Under simple statistical assumptions on the behavior of Semaev's polynomials, the sequence of S-polynomials behaves like a regular polynomial remainder sequence in GCD computation. This enables us to obtain a lower bound on the complexity of Gröbner basis computation (Sections 4.1 and 4.2) under such assumptions. (Compared to the assumptions on fall degrees in [18,29], ours are simple and reasonable to expect in practice.) Our analysis also gives precise results related to the notions of degree bound and degree fall (Lemma 3 and Proposition 12). These results are directly applicable to other variants of index calculus such as [1,28].
Finally, with our complexity bounds, we prove that the naive index calculus method cannot be more efficient than even the brute force method for solving the ECDLP over an arbitrary finite field. This might be a known fact in view of existing upper bounds on the complexity. (See [24].) However, it should be emphasized that our bound is a lower one, which removes any hope of obtaining a better actual complexity. We think that our approach can be applied to estimate lower bounds on advanced algebraic methods using Weil descent. Making good use of algebraic structures is very important for investigating the complexity of Gröbner basis computation precisely, and we hope our attempt is one successful example.
We remark that our approach is based on the extended GCD and is closely related to resultant theory. Such GCD and resultant theory (or Bezout's theory) were already applied in [18,27] to analyze the complexity of algebraic computations for solving the ECDLP or Hidden Field Equations (HFE). However, there they were used to obtain upper bounds on the degrees of polynomials appearing in algebraic computations such as Gröbner bases. To obtain a lower bound, on the other hand, it is more important not to estimate the largest degree but to analyze the monomials appearing in the coefficient polynomials.

Index Calculus Method for ECDLP
Here we recall the ECDLP and the index calculus method (ICM) based on Semaev's summation polynomials.
Definition 1 (ECDLP) Let $\mathbb{F}_q$ be the finite field of order q, E an elliptic curve defined over $\mathbb{F}_q$ and $E(\mathbb{F}_q)$ the group of rational points of E over $\mathbb{F}_q$. We call the following the elliptic curve discrete logarithm problem (ECDLP) on E: Here we assume that Q belongs to the additive group ⟨P⟩ generated by P. Such a positive integer ℓ with 0 ≤ ℓ < ord(P) is denoted by $\log_P(Q)$, where ord(P) denotes the order of P in the group $E(\mathbb{F}_q)$. We give a general form of the ICM for solving the ECDLP. We write A ≈ B to mean that A is almost the same as B, that is, $A = B^{1+\varepsilon}$ for a number ε with |ε| ≪ 1, and A ⪆ B to mean that A ≈ B or A > B.
(Step 1) Take a subset B of $E(\mathbb{F}_q)$, which is called a factor base. In our naive setting, we first take a subset V of We number the elements of B as $B = \{B_1, \dots, B_t\}$. Here we denote the size #B by t, and the size of V by d.
(Step 2) Randomly generate two integers a, b such that 0 ≤ a, b < ord(P), and find the following decomposition, where we fix m in advance: When it succeeds, one has the following linear congruence: We call this computational problem the point decomposition problem (PDP).
(Step 3) After collecting a sufficient number of linear congruences, compute $\log_P(Q)$ by linear algebra. In fact, after collecting t + 1 linearly independent congruences, $\log_P(Q)$ can be determined uniquely.

Semaev's Summation Polynomials
Here we revisit the approach of Semaev [34] for solving the PDP, where the PDP is reduced to finding zeros of a system of algebraic equations derived from Semaev's so-called summation polynomials.
From now on, we fix the finite field $\mathbb{F}_q$ and an elliptic curve E defined over $\mathbb{F}_q$. Moreover, let B be a factor base and $V = \{x(P) \in \mathbb{F}_q \mid P \in B\}$, where x(P) denotes the x-coordinate of a point P of E. We denote the algebraic closure of $\mathbb{F}_q$ by $\overline{\mathbb{F}}_q$, the total degree of a polynomial f by deg(f) and its degree with respect to a variable $x_i$ by $\deg_{x_i}(f)$.
Definition 2 (Summation Polynomial) Let r be a positive integer greater than 1. A polynomial $S_r(x_1, \dots, x_r)$ over $\mathbb{F}_q$ in r variables $x_1, \dots, x_r$ is called a summation polynomial of order r if it satisfies the following: For any zero $(b_1, \dots, b_r)$ of $S_r$, that is, $S_r(b_1, \dots, b_r) = 0$, there exist points $P_1, \dots, P_r$ of $E(\overline{\mathbb{F}}_q)$ such that
Semaev gave a method for constructing summation polynomials by resultants in a recursive manner; we call these Semaev's summation polynomials (SSPs). The SSP of order r can be computed from the previously computed SSP of order r − 1 and the SSP of order 3 as follows: where $\mathrm{Res}_y(f, g)$ denotes the resultant of two polynomials f, g with respect to a variable y. The correctness of this construction is easily shown, which guarantees the existence of SSPs. We can also generalize this construction by $S_{r+k} = \mathrm{Res}_y\bigl(S_{r+1}(x_1, \dots, x_r, y),\ S_{k+1}(x_{r+1}, \dots, x_{r+k}, y)\bigr)$.
We note that SSPs can be defined and computed over any field.

Remark 1
The polynomial $S_r$ has total degree $(r-1)2^{r-2}$. Also, in our experiments we observed that $S_r(x_1, \dots, x_{r-1}, a)$ is a dense polynomial for almost every a in $\mathbb{F}_q$. This indicates that computing it by naive resultant computation is difficult; in fact, it is very hard to compute $S_r$ for r > 7. On the other hand, by making good use of its symmetry in the variables, a simplified modification (called the symmetrized summation polynomial) is proposed in [11], where the polynomial of order 8 is computed. Also, the computation of $S_r$ requires $O(2^{(r-1)^2})$ arithmetic operations over $\mathbb{F}_q$.

Solving PDP by SSP
The PDP in Step 2 can be reduced to the problem of finding zeros of a system of algebraic equations by using $S_{m+1}$. For randomly chosen a, b of $\mathbb{F}_q$, finding $B_1, \dots, B_m$ in B such that aP , we have the following system of algebraic equations, which we denote by $S_{a,b}$.
Since B is a subset of $E(\mathbb{F}_q)$, V is also a subset of $\mathbb{F}_q$ and F(x) is a factor of $x^q - x$ over $\mathbb{F}_q$. Thus, solving the PDP for aP + bQ is reduced to computing the zeros of the system $S_{a,b}$. As we need exact zeros, we have to apply a symbolic algebraic method for their computation. Among such algebraic methods, Gröbner basis computation is well suited and believed to be the most efficient. Now we let $I_m(a, b)$ be the ideal associated with the system of equations, that is, where ⟨A⟩ denotes the ideal generated by a subset A of the polynomial ring Then all zeros are rational, that is, they belong to $\mathbb{F}_q^m$, if any exist. Thus, $I_m(a, b)$ is trivial or 0-dimensional. As the ideal has a very special shape, we give it a special name here, by which we can handle any variant (modification) of SSP.
Definition 3 An ideal is said to be of special type if it is generated by separable univariate polynomials $F(x_1), \dots, F(x_m)$ and one multivariate polynomial.
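As an added worked example (not code from the paper), the following Python block exhibits the objects of this section concretely: Semaev's third summation polynomial $S_3$, in the closed form given in Semaev's paper, checked numerically against the group law; and the PDP system $S_{a,b}$ for m = 2 on a constructed curve $y^2 = x^3 + 2x + 3$ over $\mathbb{F}_{97}$ with the constructed factor base $V = \{0, \dots, d-1\}$. The zeros of the system are found by exhaustive search over V × V rather than by a Gröbner basis, since the point here is only to show what the system is and that every zero lifts to an actual decomposition $R = B_1 + B_2$ once the signs of the lifted points are fixed. The names `S3`, `factor_base` and `solve_pdp_m2` are the example's own.

```python
# Added example, not from the paper: Semaev's S_3 and the m = 2 PDP system on a small curve.
# Curve, prime and factor base are constructed for illustration only.
P = 97          # constructed small prime
A, B = 2, 3     # constructed curve y^2 = x^3 + A*x + B over F_97 (4A^3 + 27B^2 = 81 mod 97, non-singular)

def affine_points():
    """All affine points of E(F_P), by exhaustive search (fine for a toy prime)."""
    return [(x, y) for x in range(P) for y in range(P)
            if (y * y - (x ** 3 + A * x + B)) % P == 0]

def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)

def ec_add(p1, p2):
    """Group law on E(F_P) in affine coordinates; None is the point at infinity O."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:   # p2 == -p1 (includes doubling a 2-torsion point)
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def S3(x1, x2, x3):
    """Semaev's third summation polynomial for y^2 = x^3 + A x + B (closed form from Semaev's
    paper), evaluated mod P.  It vanishes exactly when there are points with these three
    x-coordinates summing to O; the recursive resultant construction in the text starts from it."""
    t1 = (x1 - x2) ** 2 * x3 ** 2
    t2 = 2 * ((x1 + x2) * (x1 * x2 + A) + 2 * B) * x3
    t3 = (x1 * x2 - A) ** 2 - 4 * B * (x1 + x2)
    return (t1 - t2 + t3) % P

def s3_vanishes_on_sums():
    """Check the defining property in one direction: P1 + P2 + P3 = O  =>  S3(x1, x2, x3) = 0,
    over every pair of affine points (doubling included)."""
    pts = affine_points()
    for p1 in pts:
        for p2 in pts:
            p3 = ec_neg(ec_add(p1, p2))
            if p3 is not None and S3(p1[0], p2[0], p3[0]) != 0:
                return False
    return True

def factor_base(d):
    """Naive factor base B: points whose x-coordinate lies in V = {0, ..., d-1} (constructed choice)."""
    return [pt for pt in affine_points() if pt[0] < d]

def solve_pdp_m2(R, d):
    """The PDP for m = 2 as the system S_{a,b} = { S3(x1, x2, x(R)), F(x1), F(x2) } with
    F(x) = prod_{v in V} (x - v).  Zeros are found here by exhaustive search over V x V (the
    paper's topic is the Groebner-basis cost; this only exhibits the system), then each zero
    (x1, x2) is lifted to points of B and the signs fixed so that B1 + B2 = R."""
    fb = factor_base(d)
    decomps = []
    for x1 in range(d):
        for x2 in range(d):
            if S3(x1, x2, R[0]) != 0:
                continue
            # a zero only promises points with these x-coordinates and P1 + P2 + P3 = O,
            # where x(P3) = x(R); both R and -R are candidates for P3, so test the lifts
            for B1 in [pt for pt in fb if pt[0] == x1]:
                for B2 in [pt for pt in fb if pt[0] == x2]:
                    if ec_add(B1, B2) == R:
                        decomps.append((B1, B2))
    return decomps

if __name__ == "__main__":
    fb = factor_base(10)
    B1 = next(pt for pt in fb if pt[0] == 0)
    B2 = next(pt for pt in fb if pt[0] == 1)
    R = ec_add(B1, B2)                       # constructed so that a decomposition exists
    print("S3 vanishes on all sums:", s3_vanishes_on_sums())
    print("decompositions of", R, ":", solve_pdp_m2(R, 10))
```

The sign-fixing step in `solve_pdp_m2` is the concrete form of the remark that a zero of $S_{m+1}$ only guarantees points with the given x-coordinates summing to the point at infinity, which is also why the paper counts roughly γ/m! essential solutions per successful PDP.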

General Estimation on Complexity of Index Calculus Method
Here we give a general but brief discussion of the cost (complexity) of the ICM given in the previous subsection. We note that, although there are several improvements on the ICM, we consider the simplest one in order to make our analysis more precise and also more comprehensive.
The efficiency of the ICM heavily depends on the choice of m and t = #B. So, we have to optimize the values m and t (or equivalently d) to make the complexity smaller. We give a rather simple estimation of the complexity for optimizing the parameters.
1. Let $\mathrm{Prob}_{PDP}$ be the probability (or ratio) of success in solving the PDP for randomly chosen a, b in $\mathbb{F}_q$, that is, the probability that $S_{a,b}$ has a zero. Then $\mathrm{Prob}_{PDP}$ can be estimated approximately as
2. Let $C_{dec}$ be the average cost of solving the PDP for randomly chosen aP + bQ in Step 2, which includes the average cost, written $\mathrm{cost}(S_{a,b})$, of solving the system of algebraic equations and the cost of constructing $S_{m+1}(x_1, \dots, x_m, x(aP + bQ))$. We note that the PDP has γ solutions on average. Among the γ solutions, the number of essential ones, which give distinct points, can be estimated roughly as γ/m! due to the symmetry of the solutions. Since we need approximately t (linearly independent) solutions, the total cost (in the number of arithmetic operations over $\mathbb{F}_q$) for solving the ECDLP can be estimated as where Lin(t) denotes the cost of solving a system of O(t) linear equations in O(t) variables; it can be estimated as $O(t^\omega)$ for the linear algebra constant ω, where 2 < ω < 3.
3. If we set t large enough that $\mathrm{Prob}_{PDP} \approx 1$, the total complexity shall be
For such a case, we have to set $t^m \ge \gamma q$.
Remark 2 It can be shown that the probability (ratio) that $I_{m+1}(a, b)$ has a zero is almost equal to $\mathrm{Prob}_{PDP}$. See [35] for details. We also remark that, although the estimations are given in big-O notation, they can be considered as average estimations.

Further Remarks on General Estimation
Here we give more details on the estimation of the cost of the ICM for the ECDLP. (See [13].) We note that the computation of $S_{m+1}$ costs $O(2^{m^2})$ arithmetic operations over $\mathbb{F}_q$.
Here we consider the case where $\mathrm{Prob}_{PDP}$ is smaller than 1. (In this case, we may assume that $t^m < m!\,q$. Then, as $t^m/(m!\,q) = o(1)$, we have γ ≈ m! and $\mathrm{Prob}_{PDP} \approx t^m/(m!\,q)$. See [7,35].) Let $t = q^{n'}$, that is, $n' = \log_q(t)$. Then the total cost can be estimated as For the ICM to be efficient, the cost function should be at most $q^{1/2}$, the cost of generic algorithms for the DLP such as the BSGS and Pollard's rho methods. Then, as the construction of $S_{m+1}(x_1, \dots, x_m, x(aP + bQ))$ requires $O(2^{m^2})$, it follows that $m = O(\log(q)^c)$ for some constant c < 1. Also, from the first term $m!\,q^{1-n'(m-1)} C_{dec}$, it follows that $1 - n'(m-1) < 1/2$ and that $C_{dec}$ should also be much smaller than $q^{1/2}$. From the last term $q^{n'\omega}$, we get $n' \le 1/(2\omega)$.
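The first term of the cost estimate can be recovered from the quantities already introduced; the following short derivation is added here as a worked example and is not part of the paper's own text. It uses only $\mathrm{Prob}_{PDP} \approx t^m/(m!\,q)$, $t = q^{n'}$ and the fact that about one essential solution is obtained per successful PDP when γ ≈ m!:

$$
\#\{\text{PDP attempts to collect } t \text{ relations}\} \approx \frac{t}{\mathrm{Prob}_{PDP}} \approx \frac{t \cdot m!\,q}{t^m} = m!\,q\,t^{1-m} = m!\,q^{1-n'(m-1)} .
$$

Each attempt costs $C_{dec}$, so the decomposition phase costs about $m!\,q^{1-n'(m-1)}\,C_{dec}$; requiring this to stay below $q^{1/2}$ (ignoring the factor m!, which is $q^{o(1)}$ for $m = O(\log(q)^c)$) is exactly the condition $1 - n'(m-1) < 1/2$, and the linear algebra phase contributes $\mathrm{Lin}(t) = O(t^\omega) = O(q^{n'\omega})$, which stays below $q^{1/2}$ precisely when $n' \le 1/(2\omega)$.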
Remark 3 Basically, the setting $t = p^{n'}$ is designed for the extension field case, where $q = p^n$ and $\mathbb{F}_q/\mathbb{F}_p$ is an extension of degree n. In this case, V is set to be a subfield of $\mathbb{F}_q$. When $\mathbb{F}_q$ is a prime field, that is, q is prime, it is quite natural to set V to be a multiplicative subgroup of $\mathbb{F}_q^\times$. In this setting, we have This idea is discussed in [28]. However, we cannot apply the Weil descent technique. On the other hand, this setting is rather well suited for analyzing the computational behavior of Gröbner basis computation, since that behavior should be the same as in the extension field case.

Gröbner Basis Computation for Ideal of Special Type
Here we present a precise analysis of a lower bound on the computational cost of the Gröbner basis computation for the ideal $I_m(a, b)$ generated by For the fundamentals of Gröbner basis theory, see the textbooks [5,20]. We follow [5] for the terminology on monomials and orderings.
To simplify our notation and argument, we consider an ideal of special type whose generating set has a similar shape to that of $S_{a,b}$. Replacing the summation polynomial $S_{m+1}(x_1, \dots, x_m, x(aP + bQ))$ with a polynomial $S(x_1, \dots, x_m)$, we let where F is a square-free univariate polynomial, and consider the ideal I generated by F in the polynomial ring $R = K[x_1, \dots, x_m]$ over a field K. (We mainly consider $K = \mathbb{F}_q$.) We also consider the ideal J generated by $G_0$. By Buchberger's criterion (see [5]), since the leading monomials of $F(x_1), \dots, F(x_m)$ are pairwise co-prime, $G_0$ is the reduced Gröbner basis of J with respect to any monomial ordering. Moreover, we also assume that S is reduced with respect to $G_0$ and $S \ne 0$. Then I is strictly larger than J. We denote the set of all zeros of the ideal J by V(J) and that of I by V(I). As $I \ne J$, V(I) is a proper subset of V(J). We note that, since each $F(x_i)$ is square-free, J and I are radical ideals.
For simplicity, we write d for deg(F) and $d_S$ for deg(S). Then $\#V(J) = d^m$.

Remark 4
As an ideal of special type, we may replace $G_0$ with a Gröbner basis of a 0-dimensional radical ideal in R with respect to the specified ordering ≺. Even in this setting, many of the arguments below apply directly, and the same results might be obtained.
From now on, we use the following setting and notation related to Gröbner basis theory. We denote the set of all monomials by M and fix a reverse lexicographical monomial ordering ≺ on M, as it produces the most efficient computation in both theory and practice. For a polynomial f, we denote the set of monomials appearing in f by supp(f), that is, where each $a_t$ is the coefficient of the monomial t and $a_t \ne 0$. We also denote the leading monomial of f by LM(f) and the leading coefficient of f by LC(f). For a subset U of R, we denote the set of leading monomials Then we will show that it requires at least (approximately) $m d^{m-1}$ arithmetic operations over K to compute the reduced Gröbner basis of I under a certain generic property, which is considered as an extension of the notion of "regularity" of a polynomial remainder sequence appearing in GCD computation. (See Assumption 2 in Section 3.4.) The idea comes from a certain similarity between algorithms for Gröbner bases and the Euclidean algorithm for the GCD of two univariate polynomials.

Remark 5
Since the algebraic structure depends on the number of its zeros, our analysis of the Trivial Ideal Case, where the ideal I has no zero, can give a more precise estimation of the complexity as the easiest case. We also remark that existing works on estimating the complexity of the ICM concentrated on the case where I has some zeros. But, in Step 2 of our naive ICM, when the success ratio is not exactly 1, the cost of handling failure cases cannot be ignored when estimating the total cost.

Remark 6
Basically, to compute the zeros of a 0-dimensional ideal, its Gröbner basis with respect to a lexicographical ordering should be well suited. However, from a computational viewpoint, it is better to apply the change-of-basis strategy, where we first compute the reduced Gröbner basis of I with respect to a reverse lexicographical ordering and then convert it to one with respect to a lexicographical ordering. This conversion can be done very efficiently by the well-known FGLM method. (See Chapter 10 in [5].)

Euclidean Algorithm and Polynomial Remainder Sequence
We recall the Euclidean algorithm for the GCD of two univariate polynomials f and g. As gcd(f, g) belongs to the ideal generated by f, g, it can be written as for some polynomials A, B. Here we call A, B the coefficient polynomials in the representation (3) of gcd(f, g). Tracing the Euclidean algorithm, we obtain its polynomial remainder sequence (PRS), where $q_{i-1}$ is the quotient. By the extended Euclidean algorithm, for each $f_i$, its coefficient polynomials $A_i, B_i$ are computed;

Remark 7 We can translate the computation of the GCD to that of a Gröbner basis. The division (4) exactly corresponds to producing a new element in Buchberger's algorithm. The S-polynomial of g
and some a ∈ K \ {0}, and its remainder on division by $\{f_1, \dots, f_i\}$ corresponds to $f_{i+1}$.
Our computation of a Gröbner basis can be considered as a certain extension of GCD computation, and it is quite natural to focus on the representation for each element g of a computed Gröbner basis and to use the "shape" of T for our complexity analysis.
Let us consider the costs of the algorithms. The total degree deg(Af) is useful for giving an upper bound on the total cost of GCD computation. (This exactly corresponds to the regularity of the ideal and so gives a degree bound. See Section 5.) This is because the computation of gcd(f, g) can be reduced to solving a linear system by introducing indeterminate coefficients for the possible A and B. We may extend this approach to the computation of Gröbner bases, by which we may estimate an upper bound on the complexity. See [12] for example.
On the other hand, the monomials of A and B may be considered as data containing the whole history of which monomial multiplications are used in the steps of the Euclidean algorithm. Also, they can tell which S-polynomials appear in the computation of a Gröbner basis. In particular, the leading monomials of $A_i$ and $B_i$ give further data on the polynomial divisions appearing in the whole procedure.
Example 1 (Simple Example) We show a trivial example. Suppose that $f = x^{n+1} + 1$ and $g = x^n$ for some n ∈ N. In this case, gcd(f, g) = 1 and the upper bound on the total degree of A is n. However, we have A = 1 and B = −x, and the GCD computation terminates within 1 step. Thus, it is important to analyze the shape of A to get a precise estimation of the cost.

Example 2 (Regular PRS)
We say that the generated PRS is regular if This case is considered the worst case for the Euclidean algorithm. For simplicity, we assume that deg and there are d − D polynomial divisions.
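To make the coefficient polynomials and the PRS of this subsection concrete, here is an added Python example (not code from the paper): the extended Euclidean algorithm over $\mathbb{F}_p$, recording at each division step the remainder $f_i$ together with $A_i, B_i$ such that $f_i = A_i f + B_i g$, so that Example 1 ($f = x^{n+1} + 1$, $g = x^n$, where a single division already gives remainder 1 with A = 1, B = −x) can be compared with a constructed regular PRS whose degrees drop by exactly one per step. The prime p = 7 and the second input pair are constructed; `is_regular` implements the degree-drop-by-one reading of Example 2, which is the example's own assumption about the condition elided from the page.

```python
# Added example, not from the paper: extended Euclid over F_p with the PRS and the
# coefficient polynomials A_i, B_i of f_i = A_i f + B_i g made explicit.
# Polynomials are coefficient lists, lowest degree first; p and the inputs are constructed.

def trim(a):
    """Drop leading zero coefficients; the zero polynomial is []."""
    while a and a[-1] == 0:
        a = a[:-1]
    return a

def deg(a):
    return len(a) - 1          # -1 for the zero polynomial

def add(a, b, p):
    n = max(len(a), len(b))
    a = a + [0] * (n - len(a))
    b = b + [0] * (n - len(b))
    return trim([(x + y) % p for x, y in zip(a, b)])

def sub(a, b, p):
    return add(a, [(-x) % p for x in b], p)

def mul(a, b, p):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)

def divmod_poly(a, b, p):
    """Return (q, r) with a = q*b + r and deg r < deg b, over F_p."""
    a, b = trim(a), trim(b)
    if not b:
        raise ZeroDivisionError("division by the zero polynomial")
    q = [0] * max(len(a) - len(b) + 1, 1)
    inv = pow(b[-1], -1, p)            # inverse of the leading coefficient of b
    r = a[:]
    while r and len(r) >= len(b):
        c = r[-1] * inv % p            # eliminate the leading term of r
        k = len(r) - len(b)
        q[k] = c
        r = sub(r, mul([0] * k + [c], b, p), p)
    return trim(q), r

def ext_euclid_prs(f, g, p):
    """Trace the extended Euclidean algorithm.  Returns [(f_i, A_i, B_i)] with f_1 = f, f_2 = g,
    f_{i-1} = q_{i-1} f_i + f_{i+1} as in (4), and f_i = A_i f + B_i g for every i (the Bezout
    identity is re-checked at each step).  The list ends with the last non-zero remainder, which
    is gcd(f, g) up to a scalar."""
    f, g = trim(f), trim(g)
    seq = [(f, [1], []), (g, [], [1])]
    while seq[-1][0]:
        (f_prev, A_prev, B_prev), (f_cur, A_cur, B_cur) = seq[-2], seq[-1]
        q, r = divmod_poly(f_prev, f_cur, p)
        if not r:
            break
        A = sub(A_prev, mul(q, A_cur, p), p)   # A_{i+1} = A_{i-1} - q_{i-1} A_i
        B = sub(B_prev, mul(q, B_cur, p), p)   # B_{i+1} = B_{i-1} - q_{i-1} B_i
        assert add(mul(A, f, p), mul(B, g, p), p) == r
        seq.append((r, A, B))
    return seq

def degrees(seq):
    return [deg(fi) for fi, _, _ in seq]

def is_regular(seq):
    """Regular PRS in the sense of Example 2 (assumed reading): from g onwards every
    remainder drops the degree by exactly one."""
    ds = degrees(seq)
    return all(ds[i] - ds[i + 1] == 1 for i in range(1, len(ds) - 1))

if __name__ == "__main__":
    p = 7
    # Example 1 with n = 3: f = x^4 + 1, g = x^3; one division gives remainder 1 with A = 1, B = -x
    seq = ext_euclid_prs([1, 0, 0, 0, 1], [0, 0, 0, 1], p)
    print("Example 1 degrees:", degrees(seq), "regular:", is_regular(seq), "last (f,A,B):", seq[-1])
    # constructed regular PRS: f = x^3 + x + 1, g = x^2 + x over F_7, degrees 3, 2, 1, 0
    seq2 = ext_euclid_prs([1, 1, 0, 1], [0, 1, 1], p)
    print("regular example degrees:", degrees(seq2), "regular:", is_regular(seq2), "last (f,A,B):", seq2[-1])
```

In the regular case every division is of the cheapest possible kind yet none can be skipped, which is why the text treats it as the worst case for the number of steps; in Example 1 the degree bound n on A is far from the actual deg A = 0, which is the gap between a degree bound and the real cost that the paper exploits.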

Remark 8
As mentioned in Section 1, the idea of using GCD or resultant theory (or Bezout's theory) was already applied in [18,27] to analyze the complexity of algebraic computations for solving the ECDLP or HFE. It works for obtaining upper bounds on the degrees of polynomials appearing in algebraic computations such as Gröbner bases.

Representation of Elements of Gröbner Basis and Signature
Here we give some details on the representation of elements of the computed Gröbner basis of I by F. Eliminating unnecessary elements from it, we can extract the reduced Gröbner basis, which we denote by G. As S is assumed to be reduced with respect to $G_0$, no $F(x_i)$ can reduce S, and thus we have $\deg_{x_i}(S) < d = \deg(F)$. Now we consider a certain minimal representation of elements of I with respect to F, by which we can make a precise analysis of the cost of computing a Gröbner basis. For this purpose, the notion of signature is very useful. (See [10,8,39] for details on signatures.) Let f be an arbitrary element in I \ J. By the definition of I, there are polynomials $T, A_1, \dots, A_m$ such that We call $T, A_1, \dots, A_m$ the coefficient polynomials in the representation (5) of f.

Definition 4 (Syzygy)
We consider the ideal quotient of J by S; As each element h in (J : S) gives a syzygy among $S, F(x_1), \dots, F(x_m)$, that is, hS we call this ideal the syzygy ideal with respect to S, and denote it by Syz. We also denote by G0 its Gröbner basis with respect to the ordering ≺. Then the set M of monomials is divided into two subsets; We also denote M \ LM(J) by $M_{red}$. Then We note that NS(Syz) ⊂ $M_{red}$, as LM(J) ⊂ LM(Syz) = LM(J : S).
Using the ideal Syz, we can refine the representation (5). Let $\tilde T$ be the normal form (remainder) of T with respect to G0. Then $T - \tilde T$ belongs to Syz, and so $TS - \tilde T S$ belongs to J. Therefore, $f - \tilde T S$ also belongs to J. Considering the standard representation of $f - \tilde T S$ with respect to $G_0$, there are polynomials $\tilde A_1, \dots, \tilde A_m$ such that from which we can show the following directly.
Lemma 2 For each f ∈ I \ J, we consider its representation (5). Then there exist some $\tilde T, \tilde A_1, \dots, \tilde A_m \in R$ such that $\mathrm{supp}(\tilde T) \subset NS(Syz)$ and where $\tilde A_1, \dots, \tilde A_m$ can be taken from the standard representation of $f - \tilde T S \in J$ with respect to its Gröbner basis $G_0$. $\tilde T$ is determined uniquely, and $\tilde T$ is the normal form of T with respect to G. Moreover, if f is reduced with respect to $G_0$, then $LM(\tilde T S) \succeq LM(f)$.
Here we call the representation (6) the standard form of f.
Definition 5 (Signature) For each f ∈ I \ J, we call the coefficient $\tilde T$ in (6) the reduced S-coefficient of f and denote it by RSC(f). Moreover, we call its leading monomial LM(RSC(f)) the signature of f and denote it by sig(f). For each f ∈ J, we set its signature to 0.
Remark 9 In another definition, the signature of f is defined by keeping its computational record, and it sometimes differs from ours. Thus, the signature by our definition may be called the minimal signature. However, by carefully handling S-polynomials so that they are as small as possible in the procedure, we keep the two definitions coinciding. In any case, in order to minimize the number of S-polynomials, it is appropriate to use our definition.
Therefore, for each g ∈ G, as it is reduced with respect to $G_0$, if g ∈ J then $g = F(x_i)$ for some i, and otherwise $LM(RSC(g)S) \succeq LM(g)$ by Lemma 2. Thus, in this case, we have

Now we set Reg = md + $d_S$ − m as an important number for our analysis, which is related to a certain regularity coming from the Hilbert polynomial. We will discuss it in Section 5. As a direct consequence, we have the following, which can easily be extended to the homogenized ideal. (See Section 5.2 and Proposition 12.)
Lemma 3 For each element g of the reduced Gröbner basis G of I, its total degree does not exceed Reg.

Now we estimate #NS(Syz). By the well-known decomposition formula, we have (See the chapters on primary decomposition in [15,40].) As J is radical, we also have From this, the following exact sequence can be deduced: (See Exercise 5.3.3 in [15].) Here we recall that for each 0-dimensional ideal L of R, the linear dimension of the residue class ring R/L coincides with the number of monomials in M \ LM(L). Also, if L is radical, the linear dimension coincides with the number of its zeros. Using this fact, we have Let f be an arbitrary element of R. By an interpolation technique (see Section 5.2), we can show that there is an element As S(α) = 0 for α ∈ V(I), it follows that S(f − hS) vanishes on all α in V(J). By Hilbert's Nullstellensatz, as J is radical, S(f − hS) belongs to J and f − hS belongs to (J : S).
On the other hand, hS belongs to I = J + ⟨S⟩. Then f can be expressed as where f − hS ∈ (J : S) and hS ∈ I. This implies that f belongs to I + (J : S), and hence R = I + (J : S).

The Number of Monomials in RSC(g) for g in G
We discuss the number of monomials in RSC(g) for each g in G. We set For each g ∈ G \ J, we consider its standard form where deg(A ≤ Reg and RSC(g) is reduced with respect to G0.
Let $RSC(g) = \sum_{i=1}^{N} c_i t_i$. Considering each $c_i$ as an indeterminate for $t_i$, we have a system of linear equations derived from the following: Letting M be the N × N matrix whose i-th row is $(t_i(\alpha^{(1)}), \dots, t_i(\alpha^{(N)}))$, we have $\bigl(g(\alpha^{(1)})/S(\alpha^{(1)}), \dots, g(\alpha$
Lemma 5 M is an invertible matrix.
Proof. We show that the system (7) has a unique solution, from which M is proved to be invertible. Let its arbitrary solution be $c' = (c'_1, \dots, c'_N)$, and set Thus, it follows that $g - T_{c'} S$ belongs to J, and so $RSC(g)S - T_{c'} S$ also belongs to J by Hilbert's Nullstellensatz. In the end, we have Since both RSC(g) and $T_{c'}$ are reduced with respect to the Gröbner basis G0 of (J : S), we have $RSC(g) = T_{c'}$ and the system has a unique solution.
Thus, roughly on average, we may expect #supp(RSC(g)) ≈ #NS(Syz) When property (9) holds for g, we call it the genericness of non-zero coefficients of g.
Moreover, in a similar manner, we can extend our argument to any S-coefficient T of g, not necessarily reduced with respect to G0. In this case, we also expect the following for T: We call this property (10) the extended genericness of non-zero coefficients of g.

Assumption 1a. For almost every a, b in $\mathbb{F}_q$, the reduced Gröbner basis G of the ideal $I_m(a, b)$ has some element g for which the extended genericness of non-zero coefficients holds.

The Number of S-polynomials
Here we extend the notion of a regular PRS in GCD computation to Gröbner basis computation in our case, by which we can estimate the number of S-polynomials computed during the Gröbner basis computation. To do so, it is very useful to consider so-called signature-based algorithms (the F5 algorithm and its variants), which avoid as many unnecessary S-polynomials as possible. (See [10] for the original F5 algorithm and also the most recent survey [8].) Although it has not been proven rigorously, such signature-based algorithms, along with the F4 technique ([9]) for the reduction step, are recognized as the fastest available algorithms nowadays.

Definition 6 (S-reduction)
and LM(g) ≺ LM(f). In this case, h (or t · h) is called an S-reducer of f, and signatures are stable under S-reduction as sig(f) = sig(g). For f ∈ I which has no S-reducer, we say that f is S-irreducible.
Using S-reduction, we can show the following. (This is a translation of Proposition 2.13 in [39].)
Lemma 6 For each s ∈ NS(Syz), there is an element in I whose signature is s. Among such elements, there is an element, say f, which has the smallest leading monomial, say t. Then f is S-irreducible, and any S-irreducible element with signature s has the same leading monomial t.
Next we give the definition of an S-Gröbner basis for our case in a form suited to our discussion.

Definition 7 (S-Gröbner Basis) A finite subset H is called an S-Gröbner basis of I if the following hold:
(1) H contains a Gröbner basis of J, and (2) for each s ∈ NS(Syz), there exist t ∈ M and g ∈ H such that t × sig(g) = s and tg is S-irreducible.
Remark 10 (S-polynomial and F5 criterion) For each s ∈ NS(Syz), if no pair (t, g) in (M \ {1}) × H satisfies condition (2) of Definition 7, an S-polynomial with signature s appears, from which an element of H can be computed. In more detail, there exist $g_1, g_2 \in H$ and $t_1, t_2 \in M$ such that $s = sig(t_1 g_1) = t_1\, sig(g_1) \succ sig(t_2 g_2) = t_2\, sig(g_2)$ and $LM(t_1 g_1) = LM(t_2 g_2)$. Then their S-polynomial is written as $\frac{1}{LC(g_1)} t_1 g_1 - \frac{1}{LC(g_2)} t_2 g_2$. By applying S-reduction to the S-polynomial, we obtain an S-irreducible element with signature s, which is added to H. Such a pair $(g_1, g_2)$ is called a normal pair, and this procedure exactly corresponds to the F5 criterion.
In the actual computation of an S-Gröbner basis, we deal with S-polynomials in ascending order of their signatures. In this way, polynomials which are S-irreducible are computed. By carefully dealing with polynomials in ascending order of their signatures, we know their signatures correctly. (See [39,38] for precise algorithms.) Now we consider a signature for which some S-polynomial is computed during the S-Gröbner basis computation. Suppose that we have computed an S-Gröbner basis $H_s$ up to a signature s. As S is the unique element of $H_s$ with signature 1, sig(sS) = s × sig(S) = s, and thus $\{ug \mid u \in T \setminus \{1\},\ g \in H_s,\ u\,sig(g) = s\} \ne \emptyset$. Take an element, say $u_1 g_1$, from this set which has the smallest leading monomial. If s is unnecessary, then $u_1 g_1$ should be S-irreducible and Φ(s But for $s = u_1\, sig(g_1)$ with $u_1 \succ 1$, it is highly expected that $\Phi(sig(g_1)) \succ \Phi(s)$ and LM(u which implies that s is necessary. Because, and therefore, it seems that the larger s becomes, the smaller Φ(s) becomes in general. We will discuss this behavior in the next subsection.

Definition 8
We say that I is regular with respect to the signature if the following holds: For a subset A of NS(Syz), if condition (∗) holds for almost every distinct pair s, s′ ∈ A, we say that I is A-semi-regular. As an extreme case, we say that I is strongly regular with respect to the signature if Φ(s) ≻ Φ(s′) holds for any distinct signatures s, s′ with s ≺ s′.
If I is regular, then for every s ∈ NS(Syz) some S-polynomial with signature s appears. Thus its S-Gröbner basis H computed by a signature-based algorithm should contain the following set; where NS(Syz) = {s_1, ..., s_N}. Thus at least N − 1 S-polynomials are computed.
To give a more precise estimate for the case d > deg_{x_i}(S), we have to consider the effect of S, whose signature is 1, because for smaller t, tS tends to break the condition (*) in Definition 8. Actually, unnecessary signatures for S-polynomials are detected at the beginning stage of Gröbner basis computation. Here we assume that S is symmetric in the variables, . This condition holds for almost every S_{m+1}(x_1, ..., x_m, x(aP + bQ)). Moreover, we assume that S is not a sparse polynomial.

Lemma 7 We assume that
) is a useless signature for S-Gröbner basis computation, that is, no S-polynomial with signature t appears.
As no F(x_i) can reduce tS, we can show that t does not belong to LM(Syz) and that tS has signature t.
Suppose that tS is not S-irreducible. Then there is a polynomial T such that LM(T) ≺ t and the normal form of TS with respect to G_0 has leading monomial LM(tS). Since LM(TS) ≺ LM(tS), it can be shown that deg_{x_i}(TS) < e_i + δ for some i. But in this case no F(x_i) can reduce TS, and so LM(TS) cannot coincide with LM(tS). This is a contradiction, and thus tS is S-irreducible.

⊓⊔
Now we set We note that it is very difficult to pick out all unnecessary signatures theoretically. Thus we define the set NS(Syz) as an easy approximation.
Assumption on Semi-Regularity: Now we return to our original problem. For S = S_{m+1}(x_1, ..., x_m, x(aP + bQ)), we may regard the value x(aP + bQ) as a parameter z. Then, for distinct signatures s, s′ such that s = us′ for some u ∈ M \ {1}, the condition uΦ(s′) = Φ(s) can be translated into a condition defined by a system of (semi-)algebraic equations in z. (See Section 3.5.) We note that we can consider the ideal generated by S_{m+1}(x_1, ..., x_m, z) and F(x_1), ..., F(x_m) over Q. If this ideal is NS(Syz)-semi-regular for some value z and modulo a prime p, then for almost every value of z in Q and a prime p, the ideal over F_p is NS(Syz)-semi-regular.
Under Assumption 2, the number of elements of the computed S-Gröbner basis H has the same order as #NS(Syz) ≈ d^m − (d − δ)^m + 1. More precisely, there is some small constant ε ≪ 1 such that #H = #NS(Syz) Since the number of S-polynomials is at least the number of elements of the S-Gröbner basis, the number of S-polynomials is at least (d^m − (d − δ)^m + 1)^{1−ε}.
We now consider Gröbner basis algorithms not based on signatures. Although it has not been proven rigorously, the F5 algorithm or its variants, combined with the F4 technique for the reduction step, are recognized as the fastest algorithms available today. This suggests that signature-based algorithms handle a smaller number of S-polynomials than non-signature-based algorithms.
Moreover, in our case, as our experimental results suggest, algorithms using the two efficient techniques of normal selection strategy and sugar degree compute S-polynomials in ascending order of the total degrees of their signatures. This behavior is closely related to the semi-regularity analyzed in Section 3.5, because in the normal strategy with sugar degree, at each step an S-polynomial with the smallest leading monomial is chosen. (See Page 116 in [5] for details.) Therefore, if Assumption 2 holds, such an S-polynomial has the smallest total degree of signature. Thus, it is expected that the number of S-polynomials is at least
Assumption 2a: For almost every a, b in F_q, any efficient algorithm for a Gröbner basis of

Remark 11 When d is larger than δ, the following inequality can be shown by an induction argument on
In our experiment shown in Section 4.3, the number of S-polynomials which are not reduced to 0 is close to 2 × md^{m−1}. This might suggest #H > c × md^{m−1} for some constant c > 1.

Linear Algebra Related to Sub-Resultant Theory
Here we analyze the condition (*) in Definition 8 by using linear algebraic methods related to subresultant theory. (See [6].) To make our argument simple and clear, we concentrate on the Trivial Ideal Case, where NS(Syz) = M_red and G0 = G_0. We arrange all monomials in M_red in descending order. Thus, ) As additional notation, for each polynomial f we denote its normal form with respect to G_0 by NF_{G_0}(f). Also, for each polynomial f reduced with respect to G_0, we define its corresponding vector as follows and denote it by [f]; Moreover, for a positive integer k ≤ N, we write [f]_k = [a_1, ..., a_k] for the vector consisting of the first k components.
For each signature s in M_red, we consider an element f in I with signature s which is reduced with respect to G_0, and its standard form; where supp(T) ⊂ M_red and LM(T) = s. Thus, for t_L = s, T is written as where c_i is the coefficient of t_i in T. As f is reduced with respect to G_0, it follows that NF_{G_0}(TS) = f.

Now we consider the vectors [NF(t_L S)], ..., [NF(t_N S)] and let M_s be the (N − L + 1) × N matrix whose i-th row is [NF(t_{L+i−1} S)], and (M_s)_k the matrix whose i-th row is [NF(t_{L+i−1} S)]_k. Then, for the coefficient vector c = (c_L, ..., c_N), we have As a typical matrix, let M̃_s = (M_s)_{N−L+1}, which is a square matrix.
In our original case, each M_s is a matrix with a parameter z, and det(M̃_s) is a polynomial in z. So, if det(M̃_s) ≠ 0 for some value x(aP + bQ), then det(M̃_s) is a non-trivial polynomial in z over K. We give two typical cases: 1. If M̃_s and M̃_{s′} are regular (invertible), where s′ = t_{L+1} (the previous element of s), it follows that no non-zero vector of size N − L + 1 whose last component is zero can make the first N − L components zero, but some vector with non-zero last component can make them zero Thus, in this case, we have Φ(s) = t_{N−L+1}. Moreover, if M̃_s is regular for every s ∈ NS(Syz), then I is strongly regular. This behavior was seen in the case δ = d − 1 in our experiment.

Complexity of Gröbner Basis Computation and ICM
Here we give lower bounds on the complexity of Gröbner basis computation for an ideal of special type which satisfies the special properties discussed in Section 3. Then we give those for the naive ICM for the ECDLP. We consider an efficient algorithm for computing a Gröbner basis of I, and let G* be the computed Gröbner basis from which the reduced one G is obtained.

Lower Bound Based on the Number of S-polynomials
We assume that the ideal I is NS(Syz)-semi-regular. Then the number of S-polynomials which produce new elements added to (From the setting of our original ideal I_m(a, b), we may assume that the degree d is much larger than δ, as S has more than δ^m monomials.) By Remark 11, we may use the bound (11); Thus, in this case, at least (md^{m−1})^{1−ε} S-polynomials are required, and so the computational cost exceeds (md^{m−1})^{1−ε} arithmetic operations.

Proposition 8 Under Assumption 2a, for computing a Gröbner basis of
Case where Trivial Ideals mainly handled: In our setting in Section 2, we may assume d ≈ t, and the cost C_dec requires at least (approximately) mt^{m−1}. Then, as long as the failure ratio is not negligible, that is, larger than some constant, it follows that the first term in the total estimate exceeds m!q under Assumption 2a. (More precisely, it exceeds m!q^{1−ε}.) We remark that, although the estimate is given in big-O notation, it can be considered an average estimate. Hence, in this setting, we conclude that the naive ICM cannot be more efficient than the brute force method. Here we remark that by the brute force method we mean not searching for zeros of S_{m+1}(x_1, ..., x_m, x(aP + bQ)) but searching for m points in B satisfying (1) directly.
Case where Non-Trivial Ideals mainly handled: In this case, we assume that t ≈ d and t^m ⪆ γq. Under Assumption 2a, a term m!q appears in the total estimate ).
Hence we conclude the same as in the Trivial Ideal Case, that is, the ICM cannot be more efficient than the brute force method.

Another Lower Bound Based on #supp(T )
Here we discuss another approach to a possible estimate which does not depend on any algorithm for Gröbner basis computation. We recall that during Gröbner basis computation, at each step (in any algorithm based on Buchberger's criterion or an extension such as the F5 criterion), a new polynomial is generated by multiplying some monomial by an already computed polynomial and reducing the product with respect to the set of already computed polynomials. Therefore, by accumulating (recording) these arithmetic procedures, such a computed polynomial, say f, is expressed as where m,actual are polynomials and they depend on the actual computation (algorithm). Here we call T(f)_actual the actual coefficient of T for computing f. At the end, for each g in G, we have Then each monomial of T(g)_actual can be constructed by monomial multiplication or monomial reduction at each step. Thus the number of monomials gives a lower bound on how many such arithmetic operations have occurred during the whole computation.
In more detail, at some step in the middle of the computation, from the computed set G′ for the Gröbner basis, a pair (g_1, g_2) is chosen and a new element g_3 is generated by the reduction of the S-polynomial u_1 g_1 − u_2 g_2 by G′, where u_i = lcm(LM(g_1), LM(g_2)) / (LC(g_i) LM(g_i)). Then we have where g_i belongs to G′ and the c_{t,i} are coefficients. This means that every monomial in the coefficient of T comes from some multiplication of a monomial by an already computed polynomial occurring in this procedure. So, for each newly appearing monomial in the T-coefficient, one such multiplication must occur. Thus we may conjecture the following.
Conjecture: Producing g during the Gröbner basis computation for I requires at least #supp(T(g)_actual) multiplications of a monomial by some polynomial appearing in the computation.
In our experiment, the number of such multiplications was much larger than #supp(T(g)_actual). Giving a theoretical proof of the Conjecture should be our next work.
Case where Trivial Ideals mainly handled: In this case, the reduced Gröbner basis is {1}. Then we consider the representation of 1; Under Assumption 1a, we have and so C_dec ⪆ d^m, which is larger than the estimate in Section 4.1. Hence, under the Conjecture, we conclude that the ICM here is worse than the brute force method.
Case where Non-Trivial Ideals mainly handled: Under Assumption 1a, there is an element g in G \ J such that the extended genericness of non-zero coefficients of T(g)_actual holds. Then, for such an element g, we have #supp(T Hence, we conclude that the ICM here is worse than the brute force method under the Conjecture.

Experimental Data
Here we show experimental data which support our assumptions. For m = 3 or 4, we generated primes p = 2^B + α with very small α, and picked integers k which divide p − 1. We also set F(x) = x^k − 1 for the binomial case and F(x) = x^{k−1} + ··· + 1 for the non-binomial case. (Thus, the degree d of F(x) is either k or k − 1, and all zeros of V(J) are rational over F_p.) Next we generated elliptic curves with prime order over F_p and their points P, Q, and then generated random a, b in F_p for the point aP + bQ. Finally, we computed reduced Gröbner bases of the ideals I_m(a, b) with the computer algebra system Risa/Asir. Its function nd_gr with options gentrace=1 and gensyz=1 records the whole history of how the elements of the computed Gröbner basis were constructed. As each of them comes from some S-polynomial, their number gives the number of necessary S-polynomials, which are reduced to non-zero polynomials. As a result, our assumptions (Assumption 1a and Assumption 2a) seem to hold for all examples, even for cases where d^m is much smaller than p. Moreover, from our experiment, it is also observed that the number of multiplications of monomials and polynomials occurring in the reduction of S-polynomials (see (13)) became very large compared with #NS(Syz).

Remark 12
We note that the function nd_gr uses neither F4 nor F5, but it uses the normal selection strategy and sugar degree. Thus, although it may compute unnecessary S-polynomials, its computational behavior in the selection of S-polynomials is close to that of signature-based algorithms.

The Number of S-polynomials:
Here we show our data for counting the number of S-polynomials. We denote by G* the computed (non-reduced) Gröbner basis, from which the reduced Gröbner basis G is computed. All elements of G* are computed from necessary S-polynomials. Of course, there might be other, unnecessary S-polynomials which are reduced to 0. But to estimate a lower bound on the number of S-polynomials we have to exclude those, and so we count the number of such elements. In our experiment, we used F(x) = We note that we could not deal with larger d in this case, since the computation requires huge amounts of memory.
In the Trivial Ideal Case, from our experiment, it is observed that #NS(Syz) = d^m coincides with #G* for d ≤ δ = 8 and #NS(Syz) is very close to #G* for d ≥ δ = 8. Thus, all ideals in the Trivial Ideal Case are considered to be strongly regular or NS(Syz)-semi-regular.
In the Non-Trivial Ideal Case, it is also observed that #V(I) is very small and #NS(Syz) (= d^m − #V(I)) is very close to #G*. Thus, all ideals in the Non-Trivial Case are considered to be NS(Syz)-semi-regular.

The Number of Monomials:
Our experiment shows that the extended genericness of non-zero coefficients holds for our examples. Also, the distribution of GS_{m+1}(a, b) seems very close to that of randomly generated vectors. We made a preliminary experiment on the distribution from a statistical viewpoint for parameters m = 3, 4 and B = 10, 15, 20, 25 to examine that it is very close to the uniform distribution.

Trivial-Ideal
The details of our experiment are shown below, where for each parameter set (m, b, d) we computed N samples.

Further Discussion on Degree Bound and Degree Fall
Here we remark on two important notions, degree bound and degree fall, which are considered fundamental tools for estimating the complexity of Gröbner basis computation. In our setting, we can apply very simple arguments to them and obtain a more precise estimate.

Homogenization and Degree Fall
In general, it is hard to give a precise estimate of the complexity of Gröbner basis computation. However, for homogeneous ideals with a graded ordering such as a reverse lexicographical ordering, we can use properties of their graded structure such as Hilbert polynomials and the related regularities. (For definitions, see Chapter 2 and Chapter 9 in [5] or Chapter 5 in [20].) For analyzing the complexity of Gröbner basis computation for such ideals, the degree bound on elements of the Gröbner basis is the most important, because by considering Macaulay matrices an upper bound on the complexity can easily be calculated. Thus, many existing estimates of degree bounds were obtained by examining certain regularities. For a non-homogeneous ideal, its computational cost can be reduced to that of its homogenized ideal.
We begin by recalling some useful properties related to the homogenization technique. (See [20] for details and proofs of the propositions.) Then we define our fall degree, which differs considerably from existing ones but does not depend on any algorithm for Gröbner basis computation. Our fall degree is defined for each element of the given ideal and, if the ideal has a smaller Gröbner basis, its maximal fall degree is expected to be close to the regularity. Now we give a brief explanation of the homogenization technique, where we introduce a new variable y and consider the ring K[x_1, ..., x_n, y]. For a polynomial f(x_1, ..., x_n) ∈ K[x_1, ..., x_n], its homogenization, denoted by f^h, is defined as f^h(x_1, ..., x_n, y) = y^{deg(f)} f(x_1/y, ..., x_n/y).
Moreover, for a subset H of K[x_1, ..., x_n], its homogenization, denoted by H^h, is defined by H^h = {f^h | f ∈ H}. Conversely, for a homogeneous polynomial f(x_1, ..., x_n, y), its dehomogenization is defined as f(x_1, ..., x_n, 1) and denoted by f|_{y=1}. In the same manner, the dehomogenization of a set of homogeneous polynomials is defined. Also, for an ideal L of K[x_1, ..., x_n], its homogenization L^h as an ideal is defined as the ideal of K[x_1, ..., x_n, y] generated by {f^h | f ∈ L}. For a graded ordering ≺ on the set of monomials in {x_1, ..., x_n}, its homogenization ≺^h is also defined as follows: For monomials Now we consider a subset H of K[x_1, ..., x_n], its homogenization H^h and a graded ordering ≺. Let L be the ideal generated by H.
Proposition 9 Let H be a Gröbner basis of ⟨H^h⟩ with respect to ≺^h. Then H consists of homogeneous polynomials and its dehomogenization Proposition 9 means that, for a non-homogeneous ideal, the total cost of Gröbner basis computation can be reduced to that of its homogenized ideal.
Proposition 10 Let L^h be the homogenization of L as an ideal. Then there is a positive integer ℓ such that Therefore, for each element f of L, there exists a non-negative integer u ≤ ℓ such that f^h y^u belongs to ⟨H^h⟩. (For saturation, see Chapter 4 in [5].) Now we give the definition of fall degree in our setting.

Definition 9
For each f in L, the smallest positive integer u such that f^h y^u belongs to ⟨H^h⟩ is called the fall degree of f. If u > 0, we say that a degree fall occurs at f. Moreover, the smallest positive integer ℓ satisfying formula (14) can be considered the maximal fall degree of the Gröbner basis computation, as there is an element in the reduced Gröbner basis with fall degree ℓ.
We remark again on the efficient techniques normal selection strategy and sugar degree. In Section 3.4, we mentioned that those techniques may make the computational behavior close to that of signature-based algorithms. At the same time, these techniques make the computational behavior close to that of the homogenized ideal. For each f in the ideal, the fall degree indicates the gap between the actual degree of f and the total degree of its image in the homogenized ideal. (See also Chapter 2 in [5].)

On Degree Bound
In Section 3, the number Reg gives an upper bound on the total degree of elements of the reduced Gröbner basis. In fact, Reg coincides exactly with the well-known upper bound based on the regularity of the ideal I.
We begin by recalling the well-known upper bound based on regularity. By the word regularity, we may mean either the Hilbert regularity or the Castelnuovo-Mumford one. (See [17] for details and some extension of the following.)

and its reduced Gröbner basis G L with respect to a revlex ordering. If the projective dimension of the homogeneous ideal
In our case, it can easily be seen that Reg = md + d_S − m coincides with the bound in Proposition 11.
On the other hand, for the Trivial Ideal Case, Reg coincides with e, where y^e is the unique element in F_q[y] of the reduced Gröbner basis of the homogeneous ideal Ĩ generated by F^h, with high probability under Assumption 1. Moreover, for the ideal Ĩ in the Non-Trivial Ideal Case, we can show by very simple arguments that Reg − 1 gives a tighter bound.
Trivial Ideal Case: Suppose that I has no zero, that is, its reduced Gröbner basis is {1}. Then the reduced Gröbner basis G of Ĩ contains y^e for some positive integer e. We consider the standard form of 1; where T = RSC(1) and deg(TS) ≥ deg(A_i F(x_i)) for any i. Also, there are homogeneous polynomials T̃, Ã_1, ..., Ã_m such that where T̃ is reduced with respect to F^h(x_1), ..., F^h(x_m). Then it can be shown directly that T̃|_{y=1} = T. In appearance, the leading monomial of T̃ is whose coefficient, say C_S, can be calculated as , where F′ denotes the derivative of F, by the following interpolation; Under Assumption 1, we may expect that C_S does not vanish with high probability. In this case, deg(T̃) = deg(T) = m(d − 1) and hence e coincides with Reg = md + d_S − m.
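As an added example (not code from the paper), the following Python implements the homogenization f^h = y^{deg(f)} f(x_1/y, ..., x_n/y) recalled above, decides membership in the homogeneous ideal ⟨H^h⟩ by the Macaulay-matrix (graded linear algebra) test, and computes the fall degree of Definition 9; on a constructed m = 2 instance of the Trivial Ideal Case with F(x) = x^2 − 1 and a stand-in S = x_1 + x_2 − 3 (an assumption, not a real summation polynomial) it finds that the fall degree e of 1 equals Reg = md + d_S − m = 3. The dict-based polynomial representation, all function names and the instance are assumptions of this example.

```python
# Added example (not the paper's code): homogenization f^h = y^deg(f) f(x/y), the
# fall degree of Definition 9 decided by a Macaulay-matrix membership test, and a
# constructed Trivial Ideal Case instance <S, F(x1), F(x2)> on which the fall
# degree e of 1 equals Reg = m*d + d_S - m.  A polynomial is a dict mapping an
# exponent tuple to its coefficient; the homogenizing variable y is the last slot.
from fractions import Fraction

def mul(p, q):
    r = {}
    for e1, c1 in p.items():
        for e2, c2 in q.items():
            e = tuple(a + b for a, b in zip(e1, e2))
            r[e] = r.get(e, 0) + c1 * c2
    return {e: c for e, c in r.items() if c != 0}

def total_degree(p):
    return max(sum(e) for e in p) if p else -1

def homogenize(f):
    """f^h: every term of f is multiplied by y^(deg f - deg term)."""
    d = total_degree(f)
    return {e + (d - sum(e),): c for e, c in f.items()}

def dehomogenize(g):
    """g|_{y=1}: drop the y exponent and merge terms that then collide."""
    r = {}
    for e, c in g.items():
        r[e[:-1]] = r.get(e[:-1], 0) + c
    return {e: c for e, c in r.items() if c != 0}

def monomials(k, deg):
    """All exponent tuples of total degree deg in k variables."""
    if k == 1:
        return [(deg,)]
    return [(i,) + rest for i in range(deg + 1) for rest in monomials(k - 1, deg - i)]

def rank(rows):
    """Rank over Q by Gaussian elimination (exact arithmetic with Fraction)."""
    rows = [[Fraction(a) for a in r] for r in rows]
    rk = 0
    for col in range(len(rows[0]) if rows else 0):
        piv = next((i for i in range(rk, len(rows)) if rows[i][col] != 0), None)
        if piv is None:
            continue
        rows[rk], rows[piv] = rows[piv], rows[rk]
        for i in range(len(rows)):
            if i != rk and rows[i][col] != 0:
                fac = rows[i][col] / rows[rk][col]
                rows[i] = [a - fac * b for a, b in zip(rows[i], rows[rk])]
        rk += 1
    return rk

def in_homogeneous_ideal(g, hh):
    """Graded membership: a homogeneous g of degree D lies in <hh> iff it is a
    K-linear combination of the products m*h of degree D (h in hh, m a monomial),
    i.e. iff it lies in the row space of the degree-D Macaulay matrix of hh."""
    if not g:
        return True
    assert len({sum(e) for e in g}) == 1, "g must be homogeneous"
    k, D = len(next(iter(g))), total_degree(g)
    cols = monomials(k, D)
    rows = [mul({m: 1}, h) for h in hh if total_degree(h) <= D
            for m in monomials(k, D - total_degree(h))]
    mat = [[p.get(e, 0) for e in cols] for p in rows]
    return rank(mat + [[g.get(e, 0) for e in cols]]) == rank(mat)

def fall_degree(f, H, max_u=12):
    """Smallest u >= 0 with y^u f^h in <H^h> (Definition 9); None if none up to max_u."""
    n = len(next(iter(f)))
    hh = [homogenize(h) for h in H]
    fh = homogenize(f)
    for u in range(max_u + 1):
        if in_homogeneous_ideal(mul({(0,) * n + (u,): 1}, fh), hh):
            return u
    return None

# Constructed instance in the paper's shape with m = 2: F(x) = x^2 - 1 (d = 2) and
# a stand-in S(x1, x2) = x1 + x2 - 3 (d_S = 1; not a real summation polynomial).
# V(F) = {1, -1}, so x1 + x2 = 3 has no solution on V(F)^2: I = <S, F(x1), F(x2)>
# is the whole ring and its reduced Groebner basis is {1} (Trivial Ideal Case).
F1, F2 = {(2, 0): 1, (0, 0): -1}, {(0, 2): 1, (0, 0): -1}
S = {(1, 0): 1, (0, 1): 1, (0, 0): -3}

def trivial_case_fall_degree():
    """Smallest e with y^e in <S^h, F1^h, F2^h>, i.e. the fall degree of 1; the
    paper's bound Reg = m*d + d_S - m evaluates to 2*2 + 1 - 2 = 3 here."""
    return fall_degree({(0, 0): 1}, [S, F1, F2])

def one_variable_degree_fall():
    """H = {x^2 - 1, x^2 - x} generates <x - 1>, but (x - 1)^h = x - y has degree 1
    while <H^h> has nothing below degree 2: fall degree 1, since
    y (x - y) = (x^2 - y^2) - (x^2 - x y)."""
    return fall_degree({(1,): 1, (0,): -1}, [{(2,): 1, (0,): -1}, {(2,): 1, (1,): -1}])
```

The Macaulay test is exact for homogeneous generators because the degree-D part of ⟨H^h⟩ is spanned by the degree-D monomial multiples of the generators, so no Gröbner basis is needed to decide membership at a fixed degree.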

Remark 13
By our experiments shown in Section 4.3, we have also confirmed that the total degree of T_red coincides with Reg for every example in the Trivial Ideal Case. Thus, in this case, the signature of 1 is proved to be

Non-Trivial Ideal Case: Next we consider the case where I is non-trivial, that is, its reduced Gröbner basis G is not equal to {1}. For each element g of G \ J, we consider its standard form; where deg(A Since (J : S) ⊋ J, dim_K R/(J : S) > dim_K R/J and thus there is some element h in G0 whose leading monomial belongs to M_red.
On the other hand, x^{d−1} is the unique element in M_red whose total degree is m(d − 1), and any element in M_red divides x^{d−1}

On Degree Fall
When I is trivial or has only a few zeros, its reduced Gröbner basis is small, that is, its elements have smaller degrees. Such elements appear due to non-trivial syzygies among the generating polynomials S, F(x_1), ..., F(x_m), and our degree falls occur. Moreover, the maximal fall degree is very close to the last fall degree defined in [18].
In our simple analysis under statistical assumptions, for the Trivial Ideal Case, where I has no zero, the generation of 1 as the unique element of the reduced Gröbner basis corresponds exactly to that of y^e as an element of the reduced Gröbner basis of ⟨F^h⟩, and with high probability e coincides with the bound Reg under our assumption. This implies that in such a case the largest degree fall occurs at the final step, and Reg shall be the last fall degree of F defined in [18]. (See Definition 10 below.) Because 1 belongs to V_{max(e, deg(1))} = V_e, for any element f in I with deg(f) ≤ e, f also belongs to V_e. This exactly supports the last fall degree assumption [18].

Definition 10
For a finite subset S and the ideal I of a polynomial ring R generated by S, the last fall degree is defined as the smallest integer c such that for all f in I, f belongs to V_{max(c, deg(f))}, where V_i is the smallest K-vector space satisfying the following: (1) all f ∈ S with deg(f) ≤ i are included in V_i; (2) for g ∈ V_i and h ∈ R, if deg(gh) ≤ i, then gh belongs to V_i.

Remark 14
Shapes of ideals appearing in improved ICMs using the Weil descent technique differ from ours, and the analysis of fall degrees and of degree bounds becomes complicated and difficult. By the Weil descent technique, Semaev's summation polynomials are divided into n distinct polynomials which essentially give the same solutions of the PDP. (Here, the PDP is defined over F_{p^n}.) As an effect of such division, the upper bound on the degree in Proposition 11 becomes smaller than ours. Also, for smaller binary fields, an interesting behavior was observed, where the first fall degree coincided with the actual regularity; this is called the first fall degree assumption. Some authors tried to estimate the complexity based on this assumption. (See [29,35].) But counterexamples were also reported in [18].
By our approach, we may focus on the coefficient polynomials T, and a lower bound on the cost of Gröbner basis computation shall be estimated by #NS(Syz), where Syz is some ideal in the R-module defined by syzygies among S_{m+1,1}, ..., S_{m+1,n}. We believe that our simple arguments may yield deep insights into the subject.

Concluding Remarks
In this paper, we introduced new, simple arguments for giving a lower bound on the complexity of Gröbner basis computation for the ideal derived from the PDP, the dominant part of the ICM. As a first step towards obtaining a meaningful bound, we considered an ICM of very naive form as our target. To do so, we extracted certain essential properties of the ideals appearing in solving the PDP. As such ideals have a very special shape (called 'of special type' here), we applied rather simple and easy arguments to analyze the behavior of Gröbner basis computation. As a result, under simple statistical assumptions on Semaev's summation polynomials, we succeeded in obtaining a lower bound on Gröbner basis computation. The validity of the assumptions was examined by our experiments. From the obtained bound we concluded that the complexity of the naive ICM cannot be O(q), where it is defined over F_q, and thus the naive ICM cannot be more efficient than the brute force method. We remark that when the ideal has no zero, that is, when the PDP fails, computation of the Gröbner basis amounts to producing the unique element 1 at the final stage. In this case, a huge degree fall occurs at the final step of the computation, which corresponds exactly to the last fall degree assumption.
As our next work, we will carry out more experiments on larger examples in order to examine our statistical assumptions and make our arguments valid for any algorithm for Gröbner basis computation. We will also apply our simple arguments to several improvements of the ICM, as discussed in Section 5.3. If the system of algebraic equations still has the same special shape, our arguments can be applied directly. Therefore, our next target shall be other methods (e.g. [14,7,35]) based on Weil descent for the ECDLP over binary extension fields. For such methods, the corresponding ideals have different shapes, that is, they are generated by polynomials defining the x-coordinates of points in the factor base and a number of multivariate polynomials. By applying our arguments to those complicated ideals, we expect that certain new insights into the behavior of Gröbner basis computation can be extracted.

Assumption 1.
and NS(Syz) = M_red and N = d^m. When I_m(a, b) is non-trivial, NS(Syz) differs corresponding to V(I). So, in this case, we consider embedding GS_{m+1}(a, b) in a vector of size d^m whose components correspond to the monomials in M_red. The distribution {GS_{m+1}(a, b) | a, b ∈ F_q} coincides with that of randomly chosen vectors. And, for almost every a, b in F_q, the reduced Gröbner basis G of the ideal I_m(a, b) has some element g for which the genericness of non-zero coefficients holds.
x^d − 1 and computed 5 examples for each parameter (B, d). In the tables below, the symbol [#G] means the average of #G − #G_0, and Ratio means the ratio [#G]/#NS(Syz) or [#G]/[#NS(Syz)]. The symbol [PA] means the average number of multiplications of monomials and polynomials occurring in the reduction of S-polynomials. In the Non-Trivial Ideal Case, the symbols [#NS(Syz)] and [#NS(Syz)] mean their averages. (I) For m = 4, we chose examples where d is close to δ. (In this case, δ = 8.)
Parameters (extracted table rows): 20 * 5, ..., 8 * 5 non-binomial 3 15, 20 4, ..., 10 20 Non-Trivial binomial 3 10, 15 6, ..., 11 5
(*) For m = 4 and B = 20 in the Trivial Case we used the total degree ordering (not the reverse lexicographical ordering) and computed up to d = 7.
Note on Trivial Ideal Case: For all examples, #supp(T(1)_red) coincides with d^m. Also, #supp(T(1)_actual) is close to (m + 1) × d^m for the Binomial Case.
Note on Non-Trivial Ideal Case: For every g in G except g = F(x_i) for some i, #supp(T(g)_actual) is much larger than d^m and #supp((T(g)_actual)_red) is almost equal to d^m. Also, for 53 examples among 60, we have # actual ) red ) = d^m and the largest gap between those values is 4, which appears at one example with d = 11 and b = 10. Moreover, in our examples, the largest gap between #supp((T(g)_actual)_red) and d^m is 18, which appears at one example with d = 8 and b = 10. In some examples, some F(x_i) still remains in G.

x_1^{d−1} x_2^{d−1} ··· x_m^{d−1}. Thus, it follows that the largest total degree of elements in NS(Syz) is strictly less than m(d − 1), and deg(g) ≤ deg(RCS(g)S) = deg(RSC(g)) + deg(S) ≤ md + d_S − m − 1.
Proposition 12
For each element g of the reduced Gröbner basis G of I, if I has a zero, its total degree does not exceed md + d_S − m − 1. The same holds for the homogeneous ideal Ĩ generated by F^h.