Summation polynomial algorithms for elliptic curves in characteristic two

Abstract

The paper is about the discrete logarithm problem for elliptic curves over characteristic 2 finite fields F2n of prime degree n. We consider practical issues about index calculus attacks using summation polynomials in this setting. The contributions of the paper include: a new choice of variables for binary Edwards curves (invariant under the action of a relatively large group) to lower the degree of the summation polynomials; a choice of factor base that “breaks symmetry” and increases the probability of finding a relation; an experimental investigation of the use of SAT solvers rather than Gröbner basis methods for solving multivariate polynomial equations over F2. We show that our new choice of variables gives a significant improvement to previous work in this case. The symmetry-breaking factor base and use of SAT solvers seem to give some benefits in practice, but our experimental results are not conclusive. Our work indicates that Pollard rho is still much faster than index calculus algorithms for the ECDLP over prime extension fields F2n of reasonable size.