Overview
There are two different categories of attacks on the ECDLP, namely generic attacks that work in general, regardless of the properties of an elliptic curve, and attacks that work for elliptic curves with special properties. We outline these attacks in order to determine how to select curves with good cryptographic properties. This is discussed in detail by
In the following description, let be an elliptic curve over a finite field. Furthermore, we suppose that has order and We want to solve the ECDLP .
- Baby-Step Giant-Step (BSGS) attack: This generic attack was proposed by
and combines computational power and storage in order to attack the ECDLP. The method requires approximately operations and storage and hence its deterministic running time is . The major disadvantage of this method is that it requires a lot of storage. Let . According to the division algorithmShanks Daniel Shanks. Class number, a theory of factorization and genera. Proceedings of Symposium of Pure Mathematics, volume 20, pages 415-40, 1996. , we can write as with uniquely determined integers and . Since: Division_Algorithm it follows that
Now, the idea is as follows: we compute and store the whole list of the right side of the equation (i.e., of the baby steps ), and then calculate the possible values of (the giant steps) until we get a match. Once we find a corresponding point, we know , and , and hence .
- Fix an integer and compute .
- Construct and store a list of for .
- Compute the points for until one point matches an entry from the list.
- If , we obtain with .
An efficient way to compute the solution is to calculate each point by adding to (a baby step) and to add to (a giant step).
Example:
We want to solve the ECDLP in , where a prime, , and .
We put . First, we compute . Then, we compute and store the list of baby steps for (see Table 1). In the next step, we compute the giant steps, i.e., the points , as shown in Table 2 (for this, we first compute jmP, then reverse the sign of the -component in order to get the inverse , which we then add to Q), and compare the results with the entries in Table 1. We can see that there is a match for and , which means that . Hence, it follows that .
Table 1
List of baby steps for
0 | |
1 | |
2 | |
3 | |
4 | |
5 | |
6 |
Table 2
List of giant steps (at the far-right row of the table)
0 | 0 | |||
1 | 7 | |||
2 | 14 | |||
3 | 21 |
Get hands-on with 1400+ tech skills courses.