Essentially all subexponential time algorithms for the discrete logarithm problem over finite fields are based on the index calculus idea. In proposing cryptosystems based on the elliptic curve discrete logarithm problem (ECDLP) Miller [6] also gave heuristic reasoning as to why the index calculus idea may not extend to solve the analogous problem on elliptic curves. A careful analysis by Silverman and Suzuki provides strong theoretical and numerical evidence in support of Miller's arguments. An alternative approach recently proposed by Silverman, dubbed 'xedni calculus', for attacking the ECDLP was also shown unlikely to work asymptotically by Silverman himself and others in a subsequent analysis. The results in this paper strengthen the observations of Miller, Silverman and others by deriving necessary but difficult-to-satisfy conditions for index-calculus type of methods to solve the ECDLP in subexponential time. Our analysis highlights the fundamental obstruction as being the necessity to lift an asymptotically increasing number of random points on an elliptic curve over a finite field to rational points of reasonably bounded height on an elliptic curve over Q. This difficulty is underscored by the fact that a method that meets the requirement implies, by virtue of a theorem we prove, a method for constructing elliptic curves over Q of arbitrarily large rank.
展开▼
