A Study of General Attacks on Elliptic Curve Discrete Logarithm Problem over Prime Field and Binary Field

Abstract — This paper begins by describing the basic properties of finite fields and of elliptic curve cryptography over prime fields and binary fields. We then discuss the discrete logarithm problem for elliptic curves and its properties. We study the general attacks on the elliptic curve discrete logarithm problem, namely the Baby-Step Giant-Step method, Pollard's rho method and the Pohlig-Hellman method, and describe in detail experiments with these attacks over a prime field and a binary field. The paper finishes by stating the expected running time of each attack and by suggesting strong elliptic curves that are not susceptible to them.


I. INTRODUCTION
Elliptic Curve Cryptography (ECC) is an approach to public-key cryptography (PKC) in which each entity (user or device) taking part in a communication holds a pair of keys, a public key and a private key, with which it performs cryptographic operations such as encryption, decryption, signing, verification and authentication. The entity keeps the private key secret, while the public key is distributed to all entities taking part in the communication [1]. ECC can be used to provide the following security services:
o confidentiality,
o authentication,
o data integrity,
o non-repudiation,
o authenticated key exchange.
Today ECC is a leading public-key technology in the information security industry and is replacing older public-key cryptosystems such as RSA and DSA in many standards. The reason is that, for a comparable security level, ECC uses much smaller keys, which means less memory, faster operations and lower power consumption in implementations. Its security rests on the difficulty of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP). Although the ECDLP is believed to be intractable for well-chosen curves, this has not stopped attackers from attempting to break elliptic curve cryptosystems. Various attacks have been invented, tested and analyzed by mathematicians over the years in efforts to find flaws in elliptic curve cryptosystems; some have been partially successful against weak curves, others have not.
The purpose of this paper is to study the general attacks against the ECDLP and to apply that knowledge in choosing cryptographically strong elliptic curves over prime fields and binary fields with large group orders. The paper is organized as follows. Section II covers finite fields and their properties. Section III discusses ECC over prime fields and binary fields and the geometric properties of the curves. Section IV describes the ECDLP, its properties and the general attacks on it. Section V presents our attack experiments over a prime field and a binary field. Finally, Section VI concludes by stating the expected running time of the attacks and by suggesting strong curves for secure implementation of ECC systems.
Tun Myat Aung and Ni Ni Hla are with the University of Computer Studies, Yangon (UCSY), Myanmar (e-mail: tma.mephi@gmail.com).

II. FINITE FIELD ARITHMETIC
A finite field, denoted by F, is a field containing a finite number of elements. Fields are abstractions of familiar number systems such as the rational numbers, the real numbers and the complex numbers. A field consists of a set of elements together with two arithmetic operations, addition denoted by (+) and multiplication denoted by (·), satisfying the following properties:
o (F, +) is a commutative group with additive identity denoted by 0.
o (F \ {0}, ·) is a commutative group with multiplicative identity denoted by 1.
o Multiplication distributes over addition: (a + b) · c = (a · c) + (b · c) for all a, b, c ∈ F.
If the set of elements is finite, the field is said to be finite [3]. Galois showed that the number of elements of a finite field must be p^m, where p is a prime number called the characteristic of the field and m is a positive integer; conversely, a field with p^m elements exists for every such p and m. Finite fields are therefore also called Galois fields and denoted GF(p^m). If m = 1, the field GF(p) is called a prime field. If m ≥ 2, the field GF(p^m) is called an extension field. The number of elements in a finite field is the order of the field. Any two finite fields of the same order are isomorphic [11].

A. Field Operations
A finite field F has two arithmetic operations, addition and multiplication. Subtraction is defined in terms of addition: for a, b ∈ F, a − b is defined as a + (−b), where −b is the unique element of the field such that b + (−b) = 0; −b is called the additive inverse of b. Similarly, division is defined in terms of multiplication: for a, b ∈ F with b ≠ 0, a/b is defined as a · b^{-1}, where b^{-1} is the unique element of the field such that b · b^{-1} = 1 [3]; b^{-1} is called the multiplicative inverse of b.

B. Prime Field
Let p be a prime number. The set of integers modulo p, consisting of the integers {0, 1, 2, ..., p − 1} with addition and multiplication performed modulo p, is a finite field of prime order p. It is called the prime field, denoted by GF(p), and p is called the modulus of GF(p). For any integer a, a mod p denotes the integer remainder r obtained upon dividing a by p; this operation is called reduction modulo p. The remainder r is the unique integer in the range 0 ≤ r ≤ p − 1 [3].

C. Binary Field
A finite field of order 2^m is called a binary field, denoted by GF(2^m); it is the finite field of characteristic two. One approach to constructing GF(2^m) is the polynomial basis representation (1), in which the elements of GF(2^m) are the binary polynomials of degree at most m − 1, that is, polynomials in x whose coefficients are 0 or 1.
An irreducible binary polynomial f(x) of degree m, the reduction polynomial, is chosen. Irreducibility means that f(x) cannot be factored as a product of binary polynomials each of degree less than m. Addition of binary field elements is the usual addition of polynomials, with coefficient arithmetic performed modulo 2 (a bitwise XOR of the coefficient vectors). Multiplication is performed modulo the reduction polynomial f(x): for any binary polynomial a(x), a(x) mod f(x) denotes the unique remainder polynomial r(x) of degree less than m obtained upon long division of a(x) by f(x); this operation is called reduction modulo f(x) [3]. Note that f(x) must really be irreducible: with a reducible polynomial the construction yields a ring with zero divisors, not a field, and some non-zero elements have no inverse. Example 2. (Binary Field GF(2^4)). In Table I, the elements of GF(2^4) are the 16 binary polynomials of degree at most 3.

III. ELLIPTIC CURVE CRYPTOGRAPHY OVER FINITE FIELDS

A. Elliptic Curves over Prime Field - GF(p)
An elliptic curve E over a finite field GF, written E(GF), is the cubic curve defined by the general Weierstrass equation
$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$ over GF, where $a_1, a_2, a_3, a_4, a_6 \in GF$.
The curves used below are special cases of the general Weierstrass equation. The elliptic curve E(GF(p)) over the prime field GF(p) is defined by (2) [2]:
$y^2 = x^3 + ax + b$   (2)
where p > 3 is a prime and a, b ∈ GF(p) satisfy the non-singularity condition on the discriminant, $4a^3 + 27b^2 \neq 0 \pmod p$ (this corresponds to $a_1 = a_2 = a_3 = 0$, $a_4 = a$ and $a_6 = b$ in the general Weierstrass equation). If the discriminant vanishes the curve has a singular point and its points do not form a group suitable for cryptography, so this check must be performed before a curve is used.

1). Points on E(GF(p))
The elliptic curve E(GF(p)) consists of the set of points $\{(x, y) \mid x, y \in GF(p),\ y^2 = x^3 + ax + b\}$ together with a point at infinity denoted by O. Every point on the curve has an inverse: the inverse of a point (x, y) on E(GF(p)) is (x, −y). The number of points on the curve, including the point at infinity, is called its order #E. The pseudocode for finding the points on E(GF(p)) is shown in Algorithm (1); it enumerates the field elements and keeps the pairs (x, y) that satisfy (2), which is feasible only for small p.
Algorithm (1). Pseudocode for finding the points on the elliptic curve E(GF(p))
Input: a, b, p
Output: the set of points {(x, y)} on E(GF(p))

2). Arithmetic Operations on E(GF(p))
The chord-and-tangent rule is used to add two points on an elliptic curve E(GF(p)) and obtain a third point on the curve. With this addition operation the points of E(GF(p)) form an abelian group with the point at infinity O serving as its identity; it is this group that is used in the construction of elliptic curve cryptosystems [5]. The addition rule is best explained geometrically: the line through two points P and Q meets the curve in a third point, and the reflection of that point in the x-axis is P + Q; when P = Q the tangent at P is used instead. The algebraic formulas for the addition of two points and the doubling of a point are derived from this geometric description [2].
The point (x, −y), denoted −P, is called the inverse of P; −P is itself a point on the curve, and P + (−P) = O.

B. Elliptic Curves over Binary Field -GF(2 m )
A reduction polynomial must first be chosen to construct the binary field GF(2^m). The field elements it generates are then used to construct an elliptic curve E(GF(2^m)). The (non-supersingular) elliptic curve E(GF(2^m)) over the binary field GF(2^m) is defined by (3) [2]:
$y^2 + xy = x^3 + ax^2 + b$   (3)
where a, b ∈ GF(2^m) and b ≠ 0.
1). Points on E(GF(2^m))
The elliptic curve E(GF(2^m)) consists of the set of points $\{(x, y) \mid x, y \in GF(2^m),\ y^2 + xy = x^3 + ax^2 + b\}$ together with a point at infinity denoted by O. Every point on the curve has an inverse: the inverse of a point (x, y) on E(GF(2^m)) is (x, x ⊕ y), where ⊕ is addition in GF(2^m). The number of points on the curve, including the point at infinity, is called its order #E. The pseudocode for finding the points on E(GF(2^m)) is shown in Algorithm (2).
Algorithm (2). Pseudocode for finding the points on the elliptic curve E(GF(2^m))
Input: a, b, and the reduction polynomial f(x) of GF(2^m)
Output: the set of points {(x, y)} on E(GF(2^m))
Example (elliptic curve over GF(2^4)). The points on the curve and its graph are shown in Figs. 3 (a) and (b). The order of this elliptic curve E is 22.
TABLE III
POWER REPRESENTATION OF THE NON-ZERO ELEMENTS OF GF(2^4) WITH f(x) = x^4 + x + 1
x^1  = 0010   x^2  = 0100   x^3  = 1000   x^4  = 0011
x^5  = 0110   x^6  = 1100   x^7  = 1011   x^8  = 0101
x^9  = 1010   x^10 = 0111   x^11 = 1110   x^12 = 1111
x^13 = 1101   x^14 = 1001   x^15 = 0001
2). Arithmetic Operations on E(GF(2^m))
As with elliptic curves over GF(p), the chord-and-tangent rule is used to add two points on an elliptic curve E(GF(2^m)) and obtain a third point on the curve. With this addition operation the points of E(GF(2^m)) form an abelian group with O as its identity [5]. The algebraic formulas for the addition of two points and the doubling of a point are analogous to the prime-field case and are given in [2].
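As an added illustration (example code written for this edit, not the authors' Java implementation), the following Python puts the binary-field material together: polynomial-basis arithmetic in GF(2^m) with reduction modulo f(x), the power table of GF(2^4) with f(x) = x^4 + x + 1 that Table III lists, and Algorithm (2) together with the standard addition and doubling formulas for a curve of the form (3). The curve y^2 + xy = x^3 + x^2 + 1 used at the end is a constructed example, not the order-22 curve of Figs. 3 (a) and (b).

```python
# GF(2^m) in polynomial basis and the non-supersingular curve y^2 + xy = x^3 + a x^2 + b over it.
INF = None  # the point at infinity O


class GF2m:
    """Field elements are ints; bit i is the coefficient of x^i in a binary polynomial."""

    def __init__(self, m, poly):
        self.m, self.poly = m, poly  # poly encodes f(x), degree m, assumed irreducible

    def reduce(self, a):
        """Long division by f(x): XOR a shifted copy of f into a while deg a >= m."""
        while a.bit_length() > self.m:
            a ^= self.poly << (a.bit_length() - 1 - self.m)
        return a

    def add(self, a, b):
        return a ^ b  # polynomial addition with coefficients mod 2

    def mul(self, a, b):
        """Shift-and-add multiplication, reducing after every shift."""
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a = self.reduce(a << 1)
        return r

    def pow(self, a, e):
        r = 1
        while e:
            if e & 1:
                r = self.mul(r, a)
            a, e = self.mul(a, a), e >> 1
        return r

    def inv(self, a):
        """a^(2^m - 2) is a^(-1) because every non-zero a satisfies a^(2^m - 1) = 1."""
        if a == 0:
            raise ZeroDivisionError("0 has no multiplicative inverse")
        return self.pow(a, (1 << self.m) - 2)

    def power_table(self, g):
        """g^0, g^1, ..., g^(2^m - 2); with g = x and f = x^4 + x + 1 this is Table III."""
        return [self.pow(g, i) for i in range((1 << self.m) - 1)]


class CurveF2m:
    """y^2 + x y = x^3 + a x^2 + b over GF(2^m), b != 0; points are (x, y) tuples or INF."""

    def __init__(self, F, a, b):
        assert b != 0, "b = 0 gives a singular curve"
        self.F, self.a, self.b = F, a, b

    def on_curve(self, P):
        if P is INF:
            return True
        F, (x, y) = self.F, P
        x2 = F.mul(x, x)
        return F.mul(y, y) ^ F.mul(x, y) == F.mul(x2, x) ^ F.mul(self.a, x2) ^ self.b

    def neg(self, P):
        return INF if P is INF else (P[0], P[0] ^ P[1])  # -(x, y) = (x, x + y)

    def add(self, P, Q):
        F, a = self.F, self.a
        if P is INF:
            return Q
        if Q is INF:
            return P
        if Q == self.neg(P):
            return INF  # also catches doubling a point with x = 0, which has order 2
        (x1, y1), (x2, y2) = P, Q
        if P == Q:  # tangent (doubling) formulas
            lam = x1 ^ F.mul(y1, F.inv(x1))
            x3 = F.mul(lam, lam) ^ lam ^ a
            y3 = F.mul(x1, x1) ^ F.mul(lam ^ 1, x3)
        else:  # chord formulas; x1 != x2 here because Q is neither P nor -P
            lam = F.mul(y1 ^ y2, F.inv(x1 ^ x2))
            x3 = F.mul(lam, lam) ^ lam ^ x1 ^ x2 ^ a
            y3 = F.mul(lam, x1 ^ x3) ^ x3 ^ y1
        return (x3, y3)

    def mul(self, k, P):
        """Left-to-right binary method: double for every bit, add P for every 1 bit."""
        R = INF
        for bit in bin(k)[2:]:
            R = self.add(R, R)
            if bit == "1":
                R = self.add(R, P)
        return R

    def points(self):
        """Algorithm (2) by brute force: test every (x, y) pair; only feasible for tiny m."""
        n = 1 << self.F.m
        return [INF] + [(x, y) for x in range(n) for y in range(n) if self.on_curve((x, y))]


# Constructed example: GF(2^4) with f(x) = x^4 + x + 1 (0b10011) and the curve with a = b = 1.
F16 = GF2m(4, 0b10011)
E16 = CurveF2m(F16, a=1, b=1)

if __name__ == "__main__":
    print("powers of x:", [f"{v:04b}" for v in F16.power_table(0b0010)])
    pts = E16.points()
    print(len(pts), "points; #E * P = O for every P:", all(E16.mul(len(pts), P) is INF for P in pts))
```

Running the block prints the 15 powers of x in the order of Table III and reports that the constructed curve has 16 points (within Hasse's bound 17 ± 8), every one of which is annihilated by the group order, as Lagrange's theorem requires; the point (0, 1) is its own inverse and so has order 2, which is why the doubling formula must never be reached for x = 0.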

IV. ELLIPTIC CURVE DISCRETE LOGARITHM PROBLEM
The security of ECC depends on the difficulty of solving the ECDLP. Let P be a point on an elliptic curve and let Q be a point on the curve such that Q = kP, where k is an integer. Given the two points P and Q, it is computationally infeasible to compute k if the order of the group generated by P is sufficiently large (and, as discussed below, has a large prime factor). k is called the discrete logarithm of Q to the base P.

A. Point Multiplication
Another main operation in ECC is point multiplication. Multiplying a point P on the curve by a scalar k yields another point Q = kP on the curve [1]. It is computed by repeated point doubling and point addition driven by the binary representation of the integer k, shown in (4):
$k = \sum_{i=0}^{n-1} k_i 2^i$   (4)
where $k_{n-1} = 1$ and $k_i \in \{0, 1\}$ for i = 0, 1, 2, ..., n − 1. This method is called the binary method [3]; it scans the bits of k either from left to right or from right to left. Algorithm 3 illustrates the computation of kP using the binary method. It can be used for elliptic curves over both prime fields GF(p) and binary fields GF(2^m). The cost of the multiplication depends on the number of 1s in the binary representation of k, called the Hamming weight of the scalar. On average the binary method requires (n − 1) point doublings and (n − 1)/2 point additions: for each 1 bit we perform a point doubling and a point addition, and for each 0 bit only a point doubling. Therefore reducing the number of 1s in the representation of the scalar improves the speed of elliptic curve scalar multiplication [4]. Note that this data-dependent difference between 0 and 1 bits also makes the plain binary method observable through timing and power side channels when k is a secret key; constant-time implementations avoid it.

B. Order of Points
Let P ∈ E(GF(p)). The order of P is the smallest positive integer N such that NP = O, where O is the group identity; by Lagrange's theorem N divides the curve order #E. Hasse's theorem bounds the curve order by (5) [7]:
$|\#E(GF(p)) - (p + 1)| \le 2\sqrt{p}$   (5)
so #E is close to p, and the order N of any point is at most about p.

C. Attacks on ECDLP
The discrete logarithm problem is of fundamental importance to PKC. Almost all commonly used public-key cryptosystems are based on the assumption that the discrete logarithm is extremely difficult to compute; the harder it is, the more security the system provides. One way to increase the difficulty of the discrete logarithm problem is to base the cryptosystem on a group of large order with a large prime factor.
The following algorithms can solve the elliptic curve discrete logarithm when the group order is small. General attacks on the ECDLP can be grouped into three classes [8]:
1). Deterministic collision-search algorithms, such as the exhaustive search method and the Baby-Step Giant-Step method,
2). Algorithms based on random walks, such as Pollard's rho method and Pollard's lambda method, and
3). Algorithms that exploit the structure of the group order or transfer the problem to a multiplicative group, such as the Pohlig-Hellman method and the index calculus method (the latter does not apply to general elliptic curves).
We studied the following general attacks on the ECDLP.

1). Baby-Step Giant-Step Method
This method was developed by D. Shanks for computations in algebraic number theory. Let P, Q ∈ E(GF(p)) and suppose we want to solve Q = [k]P, where P has prime order N. The method requires approximately √N group operations and around √N stored points, so it only works well for moderate N. The procedure is as follows [7].
1. Choose an integer m ≥ ⌈√N⌉ and compute mP.
2. Compute and store the list of points iP for 0 ≤ i < m (the baby steps).
3. Compute the points Q − jmP for j = 0, 1, ..., m − 1 (the giant steps) until one of them matches a point in the stored list.
4. If iP = Q − jmP, then Q = kP with k ≡ i + jm (mod N).
The baby steps iP are obtained by adding P to (i − 1)P; the giant steps Q − jmP are obtained by adding −mP to Q − (j − 1)mP. Since every k in [0, N − 1] can be written as i + jm with 0 ≤ i, j < m, a match is guaranteed; the algorithm needs at most about m giant steps and its expected running time is O(√N) [7].
2). Pollard's Rho Method
Let E(GF(p)) be an elliptic curve and let P ∈ E(GF(p)) have prime order N; let Q ∈ ⟨P⟩ and suppose we want to solve Q = [k]P. In this attack we attempt to find two distinct pairs of integers (a, b) and (a', b') modulo N such that
$aP + bQ = a'P + b'Q$.   (6)
One method for finding such pairs is simply to select a, b ∈ [0, N − 1] uniformly at random, compute the point aP + bQ and store the triple (a, b, aP + bQ). We continue to generate pairs (a, b) uniformly at random and check them against all previously stored triples until we find a pair (a', b') with a'P + b'Q = aP + bQ for some stored (a, b, aP + bQ) with b' ≠ b. When this happens we have solved the ECDLP: rearranging (6) gives (a − a')P = (b' − b)Q = (b' − b)kP, and thus k ≡ (a − a')(b' − b)^{-1} (mod N). By the birthday paradox this first method has an expected running time of about √(πN/2) group operations [7], but unfortunately also requires about √(πN/2) storage for the triples computed.
A second approach with roughly the same running time but negligible storage is also known. Instead of storing a list of triples, we define a function f: ⟨P⟩ → ⟨P⟩ such that for any X ∈ ⟨P⟩ with X = aP + bQ, a, b ∈ [0, N − 1], we can easily compute f(X) and a', b' ∈ [0, N − 1] with f(X) = a'P + b'Q. One way to define such a function is to partition ⟨P⟩ into L sets of roughly equal size, say S_1, S_2, ..., S_L, and to define a second function H with H(X) = j if X ∈ S_j. Then c_j, d_j ∈ [0, N − 1] are chosen uniformly at random for 1 ≤ j ≤ L, and f: ⟨P⟩ → ⟨P⟩ is defined by (7):
$f(X) = X + c_j P + d_j Q$, where j = H(X).   (7)
So, if X = aP + bQ, then f(X) = a'P + b'Q with a' = a + c_j and b' = b + d_j (mod N). Starting from a random X_0 = a_0 P + b_0 Q, this determines a sequence X_{i+1} = f(X_i) of points in ⟨P⟩. Since ⟨P⟩ is finite the sequence must eventually repeat, and because f depends only on the point, once X_i = X_j the sequence cycles; a cycle-finding method such as Floyd's (comparing X_i with X_{2i}) detects the collision while keeping only two points, giving our pairs (a, b) and (a', b') and so the solution of the ECDLP. As mentioned, this approach has a running time similar to the first but requires far less storage, since we no longer store triples to find a collision. The diagram of the sequence, a tail followed by a cycle, looks like the Greek letter ρ, which is why this method is called the Pollard rho method.

3). Pohlig-Hellman Method
This method is a special-purpose algorithm for computing discrete logarithms in a group whose order is a smooth integer, that is, a product of small primes.
Let P and Q be points on an elliptic curve and suppose we want to find an integer k such that Q = [k]P. In this attack we know the order N of P and first compute the prime factorization of N as in (8):
$N = \prod_i q_i^{e_i}$.   (8)
The idea of the algorithm is to find k (mod q_i^{e_i}) for each i and then use the Chinese Remainder Theorem [6] to combine these residues into k (mod N). Let q be a prime and let q^e be the exact power of q dividing N. Write k in its base-q expansion as in (9):
$k \equiv k_0 + k_1 q + k_2 q^2 + \dots + k_{e-1} q^{e-1} \pmod{q^e}$   (9)
where 0 ≤ k_r < q. We evaluate k (mod q^e) by successively determining k_0, k_1, k_2, ..., k_{e−1}. Each digit k_r is found by solving a discrete logarithm in the subgroup of prime order q generated by (N/q)P, which can be done with the Baby-Step Giant-Step method (or Pollard's rho method) using a table T of about √q points; we stop after r = e − 1. The expected running time is therefore dominated by the largest prime divisor q of N, costing on the order of √q group operations per digit [7]. In practice this attack becomes infeasible when N has a large prime divisor q, since building and storing the table T for the order-q subgroup is then as hard as attacking that subgroup directly.
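To make the methods of this section concrete, here is a Python implementation written for this edit (not the authors' Java code) of Algorithm (1), the binary method of Algorithm 3 from the Point Multiplication subsection, and the Baby-Step Giant-Step, Pollard rho (the partition walk of (7) with Floyd cycle-finding) and Pohlig-Hellman attacks. E13 is the paper's experimental curve y^2 = x^3 + 5x + 4 over GF(13) with P = (0, 2) of prime order 17; the second curve y^2 = x^3 + x + 1 over GF(23), whose point (0, 1) has the smooth order 28 = 2^2 · 7, is a constructed example added here so that Pohlig-Hellman has a composite order to split. Everything is sized for toy parameters; the orders are checked by direct scalar multiplication.

```python
# E(GF(p)): y^2 = x^3 + a x + b, the binary method, and the BSGS, Pollard rho and Pohlig-Hellman attacks.
from math import isqrt
from random import Random

INF = None  # the point at infinity O

class CurveFp:
    def __init__(self, a, b, p):
        assert (4 * a**3 + 27 * b**2) % p, "singular curve: discriminant is 0 mod p"
        self.a, self.b, self.p = a, b, p

    def neg(self, P):
        return INF if P is INF else (P[0], -P[1] % self.p)

    def add(self, P, Q):  # chord-and-tangent rule; the tangent (doubling) formula when P == Q
        p = self.p
        if P is INF or Q is INF:
            return Q if P is INF else P
        if Q == self.neg(P):
            return INF  # also covers doubling a point with y = 0
        if P == Q:
            lam = (3 * P[0] ** 2 + self.a) * pow(2 * P[1], -1, p)
        else:
            lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p)
        x3 = (lam * lam - P[0] - Q[0]) % p
        return (x3, (lam * (P[0] - x3) - P[1]) % p)

    def mul(self, k, P):  # left-to-right binary method (Algorithm 3): double per bit, add per 1 bit
        R = INF
        for bit in bin(k)[2:]:
            R = self.add(R, R)
            if bit == "1":
                R = self.add(R, P)
        return R

    def points(self):  # Algorithm (1) by brute force over all (x, y); feasible for tiny p only
        return [INF] + [(x, y) for x in range(self.p) for y in range(self.p)
                        if (y * y - x**3 - self.a * x - self.b) % self.p == 0]

def bsgs(E, P, Q, N):  # Shanks: store iP for 0 <= i < m = ceil(sqrt N), then walk Q - j m P
    m = isqrt(N - 1) + 1
    baby = {E.mul(i, P): i for i in range(m)}
    giant, R = E.neg(E.mul(m, P)), Q
    for j in range(m):
        if R in baby:
            return (baby[R] + j * m) % N
        R = E.add(R, giant)
    return None

def pollard_rho(E, P, Q, N, L=16, tries=100):  # partition walk (7) + Floyd cycle-finding; N prime
    for seed in range(tries):  # a collision with b == b' reveals nothing, so restart the walk
        rng = Random(seed)
        cd = [(rng.randrange(N), rng.randrange(N)) for _ in range(L)]  # (c_j, d_j)
        jump = [E.add(E.mul(c, P), E.mul(d, Q)) for c, d in cd]  # c_j P + d_j Q
        def f(R, a, b):  # f(X) = X + c_j P + d_j Q, where j = H(X) depends on the point alone
            j = 0 if R is INF else (R[0] + R[1]) % L
            return E.add(R, jump[j]), (a + cd[j][0]) % N, (b + cd[j][1]) % N
        a, b = rng.randrange(N), rng.randrange(N)
        slow = fast = (E.add(E.mul(a, P), E.mul(b, Q)), a, b)
        while True:  # the hare moves two steps per tortoise step until the points coincide
            slow, fast = f(*slow), f(*f(*fast))
            if slow[0] == fast[0]:
                break
        (_, a1, b1), (_, a2, b2) = slow, fast
        if (b1 - b2) % N:  # a1 P + b1 Q = a2 P + b2 Q  =>  k = (a2 - a1) / (b1 - b2) mod N
            return (a2 - a1) * pow(b1 - b2, -1, N) % N
    return None

def factorize(n):  # trial division; returns {prime: exponent}
    fs, d = {}, 2
    while n > 1:
        if n % d:
            d += 1
        else:
            fs[d], n = fs.get(d, 0) + 1, n // d
    return fs

def crt(congruences):  # combine x = r (mod m) over pairwise coprime m into x mod prod(m)
    x, M = 0, 1
    for r, m in congruences:
        x += M * ((r - x) * pow(M, -1, m) % m)
        M *= m
    return x % M

def pohlig_hellman(E, P, Q, N):  # k mod q^e for each prime power q^e || N, digit by digit, then CRT
    congruences = []
    for q, e in factorize(N).items():
        qe = q**e
        Pq, Qq = E.mul(N // qe, P), E.mul(N // qe, Q)  # project into the subgroup of order q^e
        P0, k = E.mul(qe // q, Pq), 0  # P0 has prime order q
        for r in range(e):  # q^(e-1-r) (Qq - k Pq) = k_r P0: a DLP of size q, solved with BSGS
            R = E.mul(qe // q ** (r + 1), E.add(Qq, E.neg(E.mul(k, Pq))))
            k += bsgs(E, P0, R, q) * q**r
        congruences.append((k, qe))
    return crt(congruences)

E13 = CurveFp(5, 4, 13)  # the paper's curve: P = (0, 2) has prime order 17 and Q = (6, 4) = 13 P
E23 = CurveFp(1, 1, 23)  # constructed here: P = (0, 1) has the smooth order 28 = 2^2 * 7
```

With P = (0, 2) and Q = (6, 4) on E13, bsgs(E13, P, Q, 17), pollard_rho(E13, P, Q, 17) and pohlig_hellman(E13, P, Q, 17) all return 13, reproducing the experiment of Section V; on E23 the Pohlig-Hellman routine recovers k = 17 from E23.mul(17, (0, 1)) by solving one size-2 problem twice and one size-7 problem, never touching a group of size 28. The walk function f uses only the point, never the accumulated coefficients, to pick its step, which is what makes the sequence cycle and Floyd's method applicable; a collision with equal b coefficients gives no information, and the code handles that failure mode by restarting with a fresh random walk.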

V. EXPERIMENTS
We implemented the well-known general attacks, the Baby-Step Giant-Step algorithm, Pollard's rho method and the Pohlig-Hellman method, using our own implementations of finite field arithmetic [9] and elliptic curve arithmetic [12] built on the Java BigInteger class.

A. Baby-Step Giant-Step Attack
Prime Field: Let the elliptic curve be E: y^2 = x^3 + 5x + 4 over GF(13), with P = (0, 2) and Q = (6, 4). We want to determine the unique integer k such that Q = [k]P using the Baby-Step Giant-Step method. P has order 17. We take m = 4 (baby steps 1 ≤ i ≤ 4 together with giant steps 0 ≤ j ≤ 4 cover every k < 17). The points iP for 1 ≤ i ≤ 4 are (0, 2), (4, 6), (10, 1), (6, 9). We compute Q − jmP for j = 0, 1, 2, 3, ... and obtain (6, 4), (11, 5), (8, 6), (0, 2), at which point we stop since this fourth point matches P = 1P. Since j = 3 yielded the match, we have (6, 4) = (1 + 3 · 4)P = 13P. Therefore k = 13.
Binary Field: Let E be an elliptic curve over GF(2^4) with points P and Q, where P has y-coordinate 1. We want to determine the unique integer k such that Q = [k]P using the Baby-Step Giant-Step method. P has order 11. We take m = 4.

B. Pollard's Rho Attack
Binary Field: Let E be the same elliptic curve over GF(2^4) with the same points P and Q. We want to determine the unique integer k such that Q = [k]P using Pollard's rho method. The base point P has prime order 11. We choose a, b ∈ [0, 11) uniformly at random, calculate R = aP + bQ and store the triple (a, b, R) until we encounter a second triple (a', b', R') such that R' = R or R' = −R. We have that [10]

VI. CONCLUSION
When implementing an elliptic curve cryptosystem, curves from the following classes should be used if the maximum possible security level is to be achieved. The National Institute of Standards and Technology (NIST) published a report recommending a set of elliptic curves with large key sizes for federal government use [10].
NIST recommends the following fifteen elliptic curves:
o five elliptic curves over prime fields GF(p) for primes p of 192, 224, 256, 384 and 521 bits [10];
o five elliptic curves over binary fields GF(2^m) for m equal to 163, 233, 283, 409 and 571, and, for each of these binary fields, one additional Koblitz curve [10].
The NIST recommendation thus contains a total of five prime curves and ten binary curves, chosen for both security and implementation efficiency. The group order of each of these curves is a large prime or a large prime times a cofactor of at most 4, so the Pohlig-Hellman reduction gains nothing, and the generic attacks described above need on the order of √N, that is roughly 2^80 or more, group operations, which is infeasible. These curves are therefore resistant to the attacks described above.