**On the complexity of Decomposition Attack**

*Koh-ichi Nagao*

**Abstract: **In recent researches, it is discovered that index calculus is
useful for solving the discrete logarithm problems (DLP) of the groups of the Jacobian of curves (including elliptic curve) over finite field, which are widely used to cryptosystems. In these cases, the probability that an element of the group is written by the summation of N elements of large primes and factor bases is O(1) where N is some pre-fixed constant. So the situation is little different to the normal index calculus and it is proposed that it should be called another name, ”decomposition attack”. In decomposition attack, first, some relations are collected and the graph, whose vertexes are the set of large primes and whose edges are the relations, is considered and the elimination of large prime is done by using this graph.
However, in the proposed algorithm, the randomness of the
graph, which is difficult to define, is needed. In this paper, we first formulate the decomposition attack and next propose a new algorithm, which does not require the randomness of the graph and its worst complexity can be estimated.

**Category / Keywords: **foundations / Discrete logarithm problem

**Date: **received 6 Oct 2010, last revised 11 Dec 2010

**Contact author: **nagao at kanto-gakuin ac jp

**Available format(s): **PDF | BibTeX Citation

**Version: **20101211:213106 (All versions of this report)

**Short URL: **ia.cr/2010/511

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]