Cryptology ePrint Archive: Report 2015/358

On Generalized First Fall Degree Assumptions

Yun-Ju Huang and Christophe Petit and Naoyuki Shinohara and Tsuyoshi Takagi

Abstract: The first fall degree assumption provides a complexity approximation of Gr\"obner basis algorithms when the degree of regularity of a polynomial system cannot be precisely evaluated. Most importantly, this assumption was recently used by Petit and Quisquater's to conjecture that the elliptic curve discrete logarithm problem can be solved in subexponential time for binary fields (binary ECDLP). The validity of the assumption may however depend on the systems in play.

In this paper, we theoretically and experimentally study the first fall degree assumption for a class of polynomial systems including those considered in Petit and Quisquater's analysis. In some cases, we show that the first fall degree assumption seems to hold and we deduce complexity improvements on previous binary ECDLP algorithms. On the other hand, we also show that the assumption is unlikely to hold in other cases where it would have very unexpected consequences.

Our results shed light on a Gr\"obner basis assumption with major consequences on several cryptanalysis problems, including binary ECDLP.

Category / Keywords: public-key cryptography / elliptic curve cryptosystem, discrete logarithm problem, index calculus, Semaev’s summation polynomials, multivariate polynomial systems, Gr\"obner basis