Results 1 - 4 of 4
Point decomposition problem in binary elliptic curves. Cryptology ePrint Archive: Report 2015/319, 2015
Cited by 3 (0 self)
Abstract. We analyze the point decomposition problem (PDP) in binary elliptic curves. It is known that PDP in an elliptic curve group can be reduced to solving a particular system of multivariate nonlinear equations derived from the so-called Semaev summation polynomials. We modify the underlying system of equations by introducing some auxiliary variables. We argue that the tradeoff between lowering the degree of Semaev polynomials and increasing the number of variables provides a significant speedup.
A RIDDLE WRAPPED IN AN ENIGMA
Cited by 1 (0 self)
released a major policy statement on the need for post-quantum cryptography (PQC). This announcement will be a great stimulus to the development, standardization, and commercialization of new quantum-safe algorithms. However, certain peculiarities in the wording and timing of the statement have puzzled many people and given rise to much speculation concerning the NSA, elliptic curve cryptography (ECC), and quantum-safe cryptography. Our purpose is to attempt to evaluate some of the theories that have been proposed.
“It is a riddle wrapped in a mystery inside an enigma; but perhaps there is a key.” (Winston Churchill, 1939, in reference to the Soviet Union)
On Generalized First Fall Degree Assumptions
Abstract. The first fall degree assumption provides a complexity approximation of Gröbner basis algorithms when the degree of regularity of a polynomial system cannot be precisely evaluated. Most importantly, this assumption was recently used by Petit and Quisquater to conjecture that the elliptic curve discrete logarithm problem can be solved in subexponential time for binary fields (binary ECDLP). The validity of the assumption may however depend on the systems in play. In this paper, we theoretically and experimentally study the first fall degree assumption for a class of polynomial systems including those considered in Petit and Quisquater’s analysis. In some cases, we show that the first fall degree assumption seems to hold and we deduce complexity improvements on previous binary ECDLP algorithms. On the other hand, we also show that the assumption is unlikely to hold in other cases where it would have very unexpected consequences. Our results shed light on a Gröbner basis assumption with major consequences on several cryptanalysis problems, including binary ECDLP.