Elliptic Curve Discrete Logarithms

and the Index Calculus

Joseph H. Silverman1 and Joe Suzuki2

1
Mathematics Department, Box 1917, Brown University,
Providence, RI 02912 USA
[email protected]
2
Department of Mathematics, Osaka University, Toyonaka,
Osaka 560 Japan
[email protected]

Abstract. The discrete logarithm problem forms the basis of numerous

cryptographic systems. The most effective attack on the discrete logarithm
problem in the multiplicative group of a finite field is via the index calculus,
but no such method is known for elliptic curve discrete logarithms. Indeed,
Miller [23] has given a brief heuristic argument as to why no such method
can exist. IN this note we give a detailed analysis of the index calculus
for elliptic curve discrete logarithms, amplifying and extending miller’s
remarks. Our conclusions fully support his contention that the natural
generalization of the index calculus to the elliptic curve discrete logarithm
problem yields an algorithm with is less efficient than a brute-force search
algorithm.

0. Introduction
The discrete logarithm problem for the multiplicative group ∗q of a finite field
can be solved in subexponential time using the Index Calculus method, which
appears to have been first discovered by Kraitchik [14, 15] in the 1920’s and
subsequently rediscovered and extended by many mathematicians. (See, for
example, [1] and [43], and for a nice summary of the current state-of-the-art,
see [29].) For this reason, it was proposed independently by Miller [23] and
Koblitz [12] that for cryptographic purposes, one should replace ∗q by the group
of rational points E( q ) on an elliptic curve, thus leading to the Elliptic Curve
Discrete Logarithm Problem, which we abbreviate as the ECDL problem. Indeed,
Victor Miller gives in his article [23, page 423] two reasons why “it is extremely
unlikely that an ‘index calculus’ attack on elliptic curves will ever be able to
work.” Miller’s reasons may be briefly summarized as follows:
(1) It is difficult to find elliptic curves E/
with a large number of small
rational points. This observation may be split into two pieces.
(a) It is difficult to find elliptic curves E/
with high rank.
(b) It is difficult to find elliptic curves E/
generated by points of small
height.

K. Ohta and D. Pei (Eds.): ASIACRYPT’98, LNCS 1514, pp. 110-125, 1998.


c Springer-Verlag Berlin Heidelberg 1998
 Elliptic Curve Discrete Logarithms and the Index Calculus 111

(2) Given an elliptic curve E/
, a large prime p, and a point S ∈ E( p ) in the
image of the reduction map E(
) → E( p ), it is difficult to lift S to a
point of E(
).
Miller [23] devotes three paragraphs giving some rough heuristic reasons to
justify these assertions. This lack of an index calculus for the ECDL problem is
often cited as a reason for the high security of modern cryptosystems based on
ECDL’s, as for example in the following excerpt [6].
Most significantly, no index-calculus-type algorithms are known for the
ECDL problem as for the DLP (discrete logarithm problem). For this
reason, the ECDL problem is believed to be much harder than either the
IFP (integer factorization problem) or the DLP in that no subexponential-
time general-purpose algorithm is known.
In view of the importance of the ECDL problem in modern cryptography, it
seems worthwhile making a more detailed and in-depth analysis of the possibility
of an index calculus for the ECDL problem. That is the purpose of this paper.
We will explain how, using a method of Mestre, it is possible to lift an elliptic
curve E modulo p to an elliptic curve E over
of moderately high rank possessing
generators of moderately low height. We will further give both numerical and
theoretical evidence which suggests that if p is large, then it will never be possible
to use the index calculus on such a curve E to solve the discrete logarithm
problem in E( p ). The fundamental reason, already alluded to in Miller’s paper,
but which we will make much more precise, is that the generators P1 , . . . , Pr on
a lifted curve E/
of rank r will necessarily have (logarithmic) height at least
ĥ(Pi ) ≥ A + B log(p) + Cr log(r)
for certain positive constants A, B, C. By way of contrast, the generators (factor
basis) for the multiplicative group consists of the first r primes p1 , p2 , . . . , pr
whose (logarithmic) heights
h(pn ) = log(pn ) ≤ log(pr ) ≤ C log(r)
are exponentially smaller (as a function of r) than in the elliptic curve situation.
In summary, our theoretical and numerical work fully supports Miller’s con-
clusion that the natural generalization of the index calculus to the elliptic curve
discrete logarithm problem yields an algorithm which is less efficient than a
brute-force search algorithm.
The detailed contents of this paper are as follows:
Section 1. A brief description of the discrete logarithm problem and the index
calculus for the multiplicative group.
Section 2. A discussion of the discrete logarithm problem for elliptic curves and
a more detailed description of Miller’s obstructions.
Section 3. A theoretical discussion of elliptic curves of high rank, the size of
their generators, and the number of points of bounded height.
Section 4. Mestre’s method for constructing curves of moderately high rank with
generating points of moderately low height, in theory and in practice.
Section 5. The problem of lifing curves and points modulo p to points in E(
).
112 J.H. Silverman and J. Suzuki

1. The Index Calculus for the Multiplicative Group

In this section we briefly review the index calculus method for solving the discrete
logarithm problem in the multiplicative group ∗p of a finite field p , where p is
a fixed large prime. The discrete logarithm problem (DLP) asks:

∗
Given two elements α, β ∈ p,
(DLP)
find k such that αk = β.

Assuming it exists, the value of k satisfying αk = β is denoted by

k = logα (β).

The first step in the index calculus is to choose what is known as a factor
basis consisting of the first r primes,

Fr = {2, 3, 5, 7, 11, . . . , pr },

where we will choose r later. We write Fr  for the semi-group generated by Fr ;
that is, Fr  consists of all integers whose prime divisors are all less than or equal
to pr . Numbers in Fr  are usually called pr -smooth, and it is vitally important
to have an accurate count of how many smooth numbers there are, so we let

N (Fr , B) = #{a ∈ Fr  : 1 ≤ a ≤ B}.

(This slightly non-classical notation will be useful for comparison with the elliptic
curve situation. In the more usual notation, N (Fr , B) equals Ψ(B, pr ).)
If B is large in comparison to r, then it is quite easy to estimate the size
of N (Fr , B) as the volume of an r-dimensional simplex. Thus


e 1 , . . . , er ≥ 0 1 (log B)r
N (Fr , B) = # (e1 , . . . , er ) : ∼  .
e1 log p1 + · · · er log pr ≤ log B r! i log pi

Then using Stirlings’ formula and the prime number theorem (in the form pi ∼
i log i) yields
 r
1 e log B
N (Fr , B) ∼ √ for B r. (1)
2πr r log r

We have derived this formula for N (Fr , B) not because it is useful for the index
calculus, it isn’t, but for later comparison with the elliptic case.
The index calculus begins by computing the powers α, α2 , α3 , . . . and lifting
each of these values from p to , say

αj ≡ aj (mod p) with 1 ≤ aj < p.

 Elliptic Curve Discrete Logarithms and the Index Calculus 113

Each aj is then checked against Fr , and if it is in this semi-group, we record

the value
r
e (j)
aj = pi i . (2)
i=1
j ∗ ∗
Notice that since aj = α in p, and since p has order p − 1, each relation (2)
gives a linear equation
r

j≡ ei (j) logα (pi ) (mod p − 1). (3)
i=1

We continue computing the powers of α until we obtain r independent linear

relations (3), at which point the equations can be solved for the r unknowns
logα (p1 ), . . . , logα (pr ). [Remark. We will neglect the fact that, in practice, the
value of r will generally be sufficiently large so as to make it extremely difficult
to solve the resulting system of r linear equations, even though they tend to be
extremely sparse.]
The final step is to lift the quantities β, αβ, α2 β, . . . to , say

αj β ≡ bj (mod p) with 1 ≤ bj < p,

until we find a single value of j for which bj lies in Fr , say

r

bj = pfi i .
i=1

Since bj = αj β in ∗
p, this yields

r

j + logα (β) ≡ fi logα (pi ) (mod p − 1),
i=1

and since we already know the values of the logα (pi )’s, we recover the desired
value of logα (β).
The key question in implementing the index calculus method is the choice of
the number r of primes in the factor base. If r is too small, then it is very unlikely
that the aj ’s will lie in Fr ; while if r is too large, it will be computationally
difficult to determine if a given aj lies in Fr . Notice that the latter problem
is that of finding the complete factorization of a number a < p by primes at
most pr , which shows how the factorization problem is closely tied into the
index calculus.
The probability that a given 1 ≤ a < p lies in Fr  is approximately equal
to N (Fr , p)/(p − 1). Using the approximation (1) and taking B p, we find
that this quantity is maximized for r log p/ log log p, which unfortunately
leads to a probability which is p−1 · pC/ log log p , far too small to be useful.
However, it turns out that (1) is not a good approximation in our situation,
114 J.H. Silverman and J. Suzuki

because for moderately large values of r, most of the numbers in N (Fr , p) are
of the form pe11 pe22 · · · perr with many of the ei ’s equal to 0, and the rest quite
small. In geometric terms, most of the numbers in N (Fr , p) represent points
which lie on the boundary of the simplex whose volume is being approximated
in the formula (1).
We will not give a detailed analysis here, since the final counting result,
although by no means easy, is well-known and amply described in many sources.
For example, it is proven in [5] that

Ψ x, L(x)a ≈ xL(x)−1/2a , where L(x) = exp( log x log log x).
(Here, as usual, Ψ(x, y) is the number of positive integers less than x whose
prime factors are all at most y.) Using a weak form of this result, which suffices
for comparison with the elliptic curve case, we see that
√ 1
√
log p
If r ≈ e , then N (Fr , p) > p · e− 2 log p
.
Thus a sub-exponential value for r (i.e., r is smaller than any power of p) suffices
to give a sub-exponential probability of hitting an element in Fr . The reason
that N (Fr , p) becomes this large is because the primes p1 , p2 , . . . , pr in the rank r
factor base are small, satisfying
log pi ≈ log i ≤ log r. (4)
We want to emphasize this point because it is fundamentally different from what
occurs for elliptic curves, where the elements of a rank r factor base have size
on the order of r log r.
Remark.. There are various improvements that are typically used to supple-
ment the index calculus, including storing large factors of the aj ’s not factorable
in the factor base so as to take advantage of overlaps (birthday phenomenon)
and using fancier factorization methods (e.g., based on the number field sieve).
At present, we don’t see analogous methods for elliptic curves, but even if they
exist, they are unlikely to affect our overall analysis, since even saving a square
root does not substantially change an exponential running time.

2. The Discrete Logarithm Problem for Elliptic Curves

The discrete logrithm problem for an elliptic curve E over a finite field p is
virtually identical to the analogous problem for the multiplicative group. We
change notation slightly from the multiplicative case to reflect the fact that the
addition law on an elliptic curve is always written additively. We thus assume
that our elliptic curve E is given by a Weierstrass equation
E : y 2 + a1 xy + a3 x = x3 + a2 x2 + a4 x + a6
whose coefficients lie in the finite field p. The discrete logarithm problem for
elliptic curves (ECDLP) asks:

Given two points S, T ∈ E( p ), (ECDLP)

find m such that S = mT .
 Elliptic Curve Discrete Logarithms and the Index Calculus 115

Note that group operation is addition in E( p ), and we are being asked to

compute the integer m = logT (S). We also let

N = Np = #E( p)

denote the order of the finite group E( p ). There is a polynomial-time algo-

rithm for computing N due to Schoof [30], with improvements by Elkies [8] and
Atkins [3], which makes it quite practical to compute N for moderate values
of p, say for p ≤ 2200 , and certainly possible for even larger values.
There are various special cases for which the ECDL problem can be solved,
including the following:
(1) If N = p + 1, the so-called “supersingular” case, then the ECDL problem
can be reduced to the discrete logarithm problem on the multiplicative
group. More generally, if N divides pk − 1, then the ECDL problem can
be reduced to the discrete logarithm problem on the multiplicative group
of the finite field with pk elements. Of course, this is only practical if k
is not too large. For details, see [20] and [9].
(2) If N = p, the so-called “anomalous” case, then the ECDL problem can
be reduced to simple addition in p , essentially by lifting the curve mod-
ulo p2 . See [31], [39], and [28].
(3) If N is divisible by only small primes, then one can use the method
of Pohlig and Hellman [25] and √ Pollard [26] which solves the discrete
logarithm problem in time O( p ), where p is the largest prime divisor
of N .
(4) Although not directly relevant, we also mention that the discrete loga-
rithm problem can be solved on the Jacobian J of a curve of genus g pro-
vided that g p [2]. The reason is that in this situation, the group J( p )
is highly non-cyclic. For cryptographic applications of the elliptic case,
one normally chooses E so that E( p ) is cyclic of prime order.
Assuming that none of these methods is applicable, it is tempting to try to
adapt the index calculus method described in Section 1 directly to the elliptic
curve case. Here’s a brief summary of how such an index calculus would work.
(1) Choose an elliptic curve E/
which reduces to E/ p and which has a rea-
sonably large number of independent rational points, say P1 , P2 , . . . , Pr .
(2) Compute the multiples S, 2S, 3S, . . . in E( p ), and for each j, try to
lift jS to a rational point Sj ∈ E(
). That is, Sj ≡ jS (mod p). If this
is successful, then write Sj as a linear combination
r

Sj = nj Pj in E(
).
i=1

(3) After r of the jS’s have been lifted, we have r linear equations
r

j= nj logS (Pj )
i=1
116 J.H. Silverman and J. Suzuki

which can be solved for the individual logS (Pj )’s.

(4) Next try to lift T, T + S, T + 2S, T + 3S, . . . to E(
), say that T + jS
lifts to Tj . Write

r

Tj = mj Pj in E(
).
i=1

Then
r

logS (T ) + j = mj logS (Pj ),
i=1

and since we know the values of the logS (Pj )’s, we recover the desired
value of logS (T ).
There are a number of possible difficulties with putting the above outline into
practice. Victor Miller [23, page 423] has given two reasons why “it is extremely
unlikely that an ‘index calculus’ attack on elliptic curves will ever be able to
work.” His reasons can be briefly summarized as follows (where all quotes are
from [23]):
Rank/Height Obstruction. “Unless the rank of the curve can be made very
large, and the regulator made fairly small,the probability of a point of E( p )
lifting to a point on Ê(
) whose height is bounded by something reasonable (say
a polynomial in log p) is vanishingly small.”
Lifting Obstruction. “Even if one could somehow get around the barrier men-
tioned above, there is still the problem of actually lifting a point.” One can try
to lift first to a point (x1 , y1 ) ∈ Ê(/pk), but ”there are many possible choices
for (x1 , y1 ). . . . Thus, unless there is a new idea, it would seem that this is
another barrier, difficult to surmount.”
In the remainder of this paper, we are going to analyze in more detail the
elliptic index calculus and the obstructions noted by Miller. We begin in the
next section with a discussion of the heights of points on elliptic curves.

3. Counting Points on Elliptic Curves Over

For this section we briefly forget about elliptic curves over finite fields and discuss
the distribution (theoretical, practical, and conjectural) of the rational points
on elliptic curves defined over
. For basic facts about elliptic curves, see for
example [18, 33, 34].
Let E/
be an elliptic curve given by a minimal Weierstrass equation

E : y 2 + a1 xy + a3 x = x3 + a2 x2 + a4 x + a6

and discriminant ∆(E). Recall that the height of a rational number r/s ∈
is
defined to be
H(r/s) = max |r|, |s| .
 Elliptic Curve Discrete Logarithms and the Index Calculus 117

The canonical height of a point P ∈ E(
) is then defined to be

1 1
ĥ(P ) = lim log H(x(nP )),
2 n→∞ n2
and the associated inner product for P, Q ∈ E(
) is
1
P, Q = ĥ(P + Q) − ĥ(P ) − ĥ(Q) .
2
This inner product is positive definite on E(
) ⊗ , and the elliptic regulator of
a set of points P1 , . . . , Pr ∈ E(
) is defined to be

Reg(E) = det Pi , Pj  1≤i,j≤r .

(Generally, P1 , . . . , Pr will be set of generators for E(
)/(tors), or in numerical

examples, an explicitly given set of points. If the set of points is not clear from
the context, we will write Reg(E, P1 , . . . , Pr ).)
We are interested in counting the number of points in E(
) of bounded height,
so we set

N (E, B) = #{P ∈ E(
) : H(x(P )) ≤ B}.

T (E) = #E(
)tors .
r = r(E) = rank E(
).
αr = π r/2 /((r/2)Γ(r/2)) = Volume of unit ball in r .

Using Sterlings’ formula, we have the useful approximation

 r/2
1 2πe
αr ≈ √ . (5)
πr r

The ordinary and canonical heights are related by

1
ĥ(P ) = log H(x(P )) + OE (1). (6)
2
We will say more later about the dependence of the big-O constant on E, but
for now we will ignore its effect (which is negligble in the numerical examples
presented below). Then we can estimate N (E, B) by simply counting lattice
points in r relative to the canonical height inner product. Thus

N (E, B) = #{P ∈ E(
) : H(x(P )) ≤ B}

≈ T (E)#{P ∈ E(
) : ĥ(P ) ≤ 12 log B} from (6),
αr 1 r/2
≈ T (E) 2 log B
Reg(E)
 r/2
1 πe log B
≈ T (E) √ from (5).
πr r · Reg(E)1/r
118 J.H. Silverman and J. Suzuki

We mention that T (E) ≤ 16 by Mazur’s Theorem [33, VIII.7.5], so the effect from
torsion is negligible. In practice, our curves will have trivial torsion, because it
has been observed experimentally that the presence of rational torsion makes it
more difficult to obtain high rank.
The above formula says that we shouldn’t expect to get very many points
until log B and Reg(E)1/r are of a comparable size, so we need to study the
magnitude of the regulator.
A basic result from the geometry of numbers says that (see [17, chapter 5,
corollary 7.8])
√ r−1
1/r 3
Reg(E) ≥ min ĥ(P ). (7)
2 P ∈E ( )
ĥ(P )=0

Further, there is a conjecture of Lang [18, page 92] which says that for non-
torsion points P ∈ E(
),
ĥ(P ) ≥ c log |∆(E)|,
where the constant c is independent of E. This conjecture has been largely
proven [11, 35], albeit with extremely small constants c. Thus, as Miller already
observes in [23], it is not possible to get N (E, B) large unless one chooses

log B r log |∆|.

But if E is the lift of an elliptic curve over p , then we’ll certainly have log |∆|
log p. Then there’s the further difficulty that Mestre proves (subject to various
“standard” conjectures)
log |∆| r log r,
so if we make r large, then the value of ∆ (and hence B) will be enormous.
The next step is to see how this theoretical analysis, which is essentially given
by Miller [23], compares to actual practice.

4. High Rank Curves With Small Height Points

It is difficult to find elliptic curves over
with high rank, as witnessed by the
fact that no curves of rank 12 were known before 1982 [22], and even today the
highest rank known is 23 [19].
Currently the most successful method for finding curves of high rank is to
start on a one or two-parameter family such that every member of the family
already contains many independent points, and then specialize to find certain
members which possess even higher rank. However, this method is not suitable
for our purposes, because we are starting with a curve over p that we want
to lift, so we need more freedom than is provided by such a family. Thus we
are going to consider an earlier method of Mestre which can be applied in great
generality. Mestre’s idea is simple to state, although the justification for why it
should yield high rank curves depends on much deep mathematics and several
unproven conjectures:
 Elliptic Curve Discrete Logarithms and the Index Calculus 119

Mestre’s Construction
In order to produce a curve E/
of high rank, use congruence con-
ditions to choose the coefficients of E so that #E(  ) is maximized
for all (small) primes  = 2, 3, 5, . . . , 0 , and then so that the dis-
criminant |∆(E)| is more-or-less minimized subject to the congruence
conditions. Then search for integer points lying close to the right-
most real two-torsion point (e1 , 0), say searching for points (x, y)
with e1 < x < e1 + 5000. We will call a curve chosen according to
these criteria a Mestre curve. The precise algorithm for construct-
ing Mestre curves is described in [22], and some justification for the
algorithm is given in [21].
In his original paper [22], Mestre lists the smallest curves of ranks 4 to 12
which he found using the above method. Two of the listings appear to have
typographical errors, and for the remaining curves we gather some information
in Table 1, where P1 , . . . , Pr denotes a basis for E(
).

Table 1. Data for Mestre’s moderate rank curves

(Reg E)1/r ĥ(Pi ) ĥ(Pi ) log |∆|
r 1 min 1 max 1
12 log |∆|
i
12log |∆| i
12 log |∆| r log r
4 0.612 0.772 0.844 2.382
5 0.627 0.840 0.941 2.362
6 0.600 0.937 0.994 2.295
7 0.696 1.032 1.063 2.116
8 0.776 1.103 1.128 2.111
9 0.543 1.051 1.073 2.311
10 0.756 1.091 1.106 2.271
12 0.674 0.916 0.923 2.273
14 0.585 1.018 1.025 2.341

A first observation (from Mestre’s paper) is that the curves constructed by his
method generally have square-free, or almost square-free, discriminant. This is
very reasonable, because Mestre’s bound for the rank alluded to above actually
has the form
r log r log(Cond E),
where the conductor Cond E is (essentially) the square-free part of ∆. Thus
having a large square dividing the discriminant will make it more difficult for
the curve to have large rank.
A second observation, this time from Table 1, is that the independent points
constructed by Mestre’s method seem to satisfy
1
ĥ(Pi ) ≈ log |∆|.
12
120 J.H. Silverman and J. Suzuki

We can justify this observation as follows. Mestre’s method yields points P =

(x, y) ∈ E(
) which have integer coordinates x, y ∈  and which are fairly close
to the 2-torsion point T = (e1 , 0). The local decomposition of the canonical
height says that 
ĥ(P ) = λ̂∞ (P ) + λ̂p (P ).
p

(See [34, chapter VI] for the definition and basic properties of the local height
functions λ̂p .) Assuming that the discriminant ∆ is (mostly) square-free and
that the coordinates of P are integers, the p-adic local heights add up to give
1
(approximately) 12 log |∆|, see [34, VI.4.1]. Further, the fact that P is close to T
means that λ̂∞ (P ) ≈ λ̂∞ (T ), which yields
1
ĥ(P ) ≈ λ̂∞ (T ) + log |∆|.
12

Finally, the explicit formula [34, VI.3.4] for λ̂∞ shows that

λ̂∞ (T ) = log+ |j(E)| + O(1),

which will tend to be fairly small. (For explicit estimates, see [36, 37].)
1
An additional point to make is that the value 12 log |∆| is essentially the small-
est possible value for ĥ(P ) on a Mestre curve, since the fact that the discriminant
is square-free means that all of the λ̂p (P )’s satisfy

1
λ̂p (P ) ≥ ordp (∆) log p,
12
and if the coordinates of P have denominators and/or P moves further away
from e1 , then the value of ĥ(P ) will tend to increase. It is thus not surprising
that the points constructed by Mestre’s method tend to be independent, since
they represent vectors of approximately the same length L in a lattice whose
smallest non-zero vector also has length L. To see why this is true, consider s
vectors v1 , v2 , . . . , vs ∈ r satisfying |vi − vj | ≥ L and |vi | = L for all i = j.
Then the balls of radius L around each |vi | are disjoint, and they are contained in
a ball of radius 2L, so a simple volume counting argument shows that r ≥ log2 (s).
The data in Table 1 indicates that
1 1 1
min ĥ(P ) ≈ log |∆(E)| and log |∆(E)| ≤ Reg(E)1/r ≤ log |∆(E)|.
12 24 15
(8)
A reasonable assumption, based on this data, would be that it is possible to find
Mestre curves of various ranks with
1
Reg(E)1/r ≈ log |∆(E)|. (9)
20
Using this and the other material described above, we obtain the following
(heuristic) result:
 Elliptic Curve Discrete Logarithms and the Index Calculus 121

Heuristic Bound. Based on the numerical data contained in [21] and the above
theoretical analysis, it appears to be possible to use Mestre’s method to produce
elliptic curves E/
so that the number of rational points

N (E, B) = #{P ∈ E(
) : H(x(P )) ≤ B}

in E(
) grows like

 r/2
1 20πe log B
N (E, B) ≈ √ . (10)
πr r · log |∆(E)|

Further, it is probably not possible to find elliptic curves such that N (E, B) grows
significantly faster than this rate.
Remark.. We also observe from Table 1 that the discriminant tends to satisfy

2r log r ≤ log |∆(E)| ≤ 3r log r,

but since for the ECDL problem we will need to impose an extra congruence
condition modulo a “large” prime p, we will not use this condition directly. How-
ever, it is important to point out that this estimate implies that the generating
points on a Mestre curve generally satisfy

1 r log r
ĥ(P ) ≈ log |∆(E)| ≥ .
12 6
Comparing this to the analogous estimate (4) for the multiplicative group, we
see that the size of the generating elements for a rank r group is exponentially
worse in the elliptic curve case!

5. Lifting Mod p Curves to High Rank Curves

It’s now time to put into practice the theoretical material contained in the pre-
vious sections. Table 2 lists the results of some experiments we performed using
Mestre’s method to lift a curve over p to a curve of moderate rank. We chose
to use p = 173 and more-or-less randomly took the curve

E : y 2 = x3 + 42x + 86.

(We did choose E so that #E( 173 ) = 158 is small, which has the effect of
making Mestre’s method a little less efficient.) Although not strictly necessary,
the algorithm described in [22] uses curves of a slightly different form, so we
changed coordinates to the isomorphic curve

E : y 2 + y = x3 + 42x + 129

over the field 173 . We then used Mestre’s method to look for lifts of this curve
which have the maximum number of points modulo all primes ≤ 23, and among
122 J.H. Silverman and J. Suzuki

these curves looked for independent integral points on the ones having small
discriminant. The result was that of 269280 curves tested, there were three
examples of rank 6 and three examples of rank 7. The relevant data for these
six curves is listed in Table 2.

Table 2. Lifting From Mod 173 To Moderate Rank

(Reg E)1/r ĥ(Pi ) ĥ(Pi ) log |∆|
r 1 min 1 max 1
12 log |∆|
i
12log |∆| i
12 log |∆| r log r
6 0.702 0.849 0.948 5.823
6 0.722 0.890 0.965 5.859
6 0.673 0.854 0.942 6.252
7 0.670 0.908 0.937 4.651
7 0.686 0.891 0.952 4.712
7 0.672 0.861 0.971 4.956

Comparing Table 2 to Table 1, we see that the relationship between the regu-
lator, the discriminant, and the minimal and maximal heights of the generators
are more-or-less the same in both tables. Not surprisingly, what has changed is
that for a given rank, the discriminant is much larger in Table 2 than it is in
Table 1. This is very reasonable, since Table 1 imposes no prior restrictions on
the coefficients of E, while in Table 2 we are forcing the coefficients of E to have
specific values modulo 173. This means that the discriminant of E should be
forced upwards by some power of p.
A reasonable assumption is that log |∆| will grow linearly in both log p and
in r log r (the latter from Mestre’s results and Table 1), say

log |∆| ≈ c1 log p + c2 r log r.

Fitting the data in Table 2 to this formula (note p = 173), we find the best fit is

log |∆| ≈ 11.93 log p + 0.26r log r. (11)

(Note that for our subsequent analysis, it would make little difference if c1 were
to be reduced to, say, 5.)
Now suppose we want to solve the ECDL problem for a given prime p by
using Mestre’s method to lift E/ p to a curve E/
of moderately large rank.
Looking at the Heuristic Bound (10), in order to have a reasonable chance of
lifting a point of E( p ) to a point of E(
) of height at most B, we need N (E, B)
fairly close to p, say N (E, B) ≥ p/210 . Then (10) and (11) give us the lower
bound  √ 2/r
r log(p11.93 r0.26r ) p πr
log B ≥ . (12)
20πe 210
 Elliptic Curve Discrete Logarithms and the Index Calculus 123

The following table gives, for various values of p, the value of r which minimizes
this lower bound and the corresponding lower bound for B.

Table 3. Best Lower Bound for B in (12)

p r B≥ B≥
20 72.63
2 15 2 p3.63
240 40 2398.08 p9.95
280 87 21823.54 p22.79
2120 134 24297.13 p35.81
2160 180 27830.74 p48.94

We thus see that for any reasonable size prime p (for cryptographic purposes,
one would certainly never use a prime smaller than 280 ), the smallest allowable B
is a substantial power of p. For the sake of argument, we will make the optimistic
assumption that we can take B = p20 , but as the table makes clear, the true value
of B is likely to be much larger. We will also suppose, again being optimistic,
that it is possible to find a suitable lift E/
whose rank is on the order of 100
to 200, despite the fact that no curves of rank ≥ 24 are currently known.
However, even for B = p20 and a curve E/
with known generators P1 , . . . , Pr ,
we are confronted with the second enormous challenge posed in Miller’s paper.
Namely, how do we lift a given point on E( p ) to a point on E(
), even if we
know that there is such a lift with height less  than p20 ? Certainly we don’t
want to check all suitable linear combinations ni Pi , since this is no better
than a brute-force search through a set with N (E, B) elements, and we’ve cho-
sen B so that N (E, B) p. On the other hand, we could try to lift the given
point p-adically, that is, first lift mod p2 , then mod p3 , etc. If we could do this
correctly, then when we lift modulo p20 , we will have found the desired point
in E(
), since we know that the x-coordinate of the desired point has height less
than p20 . Unfortunately, as Miller points out, at each step in this p-adic lifting
process, we are faced with p possible lifts for each lift in the previous step. Since
there is no (known) method for deciding a priori which of the lifts will lead to
an actual point in E(
), this method leads to a tree with p20 nodes to check,
clearly not a feasible task.
Of course, if the lifting problem could be efficiently solved for (say) p ≈ 2160
and B = p100 ≈ 216000 , either by p-adic or other methods, then it might be
feasible to solve ”real-world” ECDL problems using the index calculus. However,
the numbers involved are so staggeringly large that it seems very unlikely that
this lifting problem has a practical solution.
The key point here is that it is necessary to choose B to be a substantial
power of p in order to have enough points of height ≤ B to cover most of E( p ),
and for such a large B, there is no method other than a brute force search to find
the desired lift of a given point in E( p ). If it had been possible to cover E( p )
√
with points of E(
) having height at most (say) p, which is essentially what
happens for the discrete logarithm problem in the multiplicative group, or even
124 J.H. Silverman and J. Suzuki

height at most p, then quite possibly there is a good (i.e., efficient) way of lifting
points. But the fact that the generators for E(
) have height r log r, as
compared with height log r in the multiplicative case, means that we cannot
hope to cover E( p ) with points of E(
) having such small height. This, then,
explains why it is very unlikely that there is an index calculus for elliptic curve
discrete logarithms which is directly analogous to the classical index calculus for
the multiplicative group.

References
1. Adleman, L., A subexponential algorithm for the discrete logarithm problem with applica-
tions to cryptography, Proc. 20th IEEE Found. Comp. Sci. Symp., 1979, pp. 55–60.
2. L. Adleman, J. DeMarrais and M. Huang,, A subexponential algorithm for discrete loga-
rithms over the rational subgroup of the jacobians of large genus hyperelliptic curves over
finite fields, Algorithmic Number Theory, Lecture Notes in Computer Science, volume 877,
Springer-Verlag, 1994, pp. 28–40.
3. A.O. Atkins, The number of points on an elliptic curve modulo a prime, preprint, 1988.
4. R. Balasubramanian and N. Koblitz,, The improbability that an elliptic curve has subex-
ponential discrete log problem under the Menezes-Okamoto-Vanstone algorithm, Journal
of Cryptology (to appear).
5. Canfield, E.R., Erdös, P., Pomerance, C., On a problem of Oppenheim concerning ‘Fac-
torisation Numerorum’, Journal Number Theory 17 (1983), 1–28.
6. Certicom White Paper, Remarks on the security of the elliptic curve cryptosystem,
www.certicom.com/ecc/wecc3.htm .
7. T. ElGamal, A public-key cryptosystem and a signature scheme based on discrete loga-
rithms, IEEE Transactions on Information Theory 31 (1985), 469–472.
8. N. Elkies, Explicit isogenies, preprint, 1991.
9. G. Frey and H. Rück, A remark concerning m-divisibility and the discrete logarithm in
the divisor class group of curves, Mathematics of Computation 62 (1994), 865–874.
10. D. Gordon, Discrete logarithms in GF(p) using the number field sieve, SIAM Journal on
Discrete Mathematics 6 (1993), 124–138.
11. M. Hindry and J. Silverman, The canonical height and integral points on elliptic curves,
Invent. Math. 93 (1988), 419–450.
12. N. Koblitz, Elliptic curve cryptosystems, Mathematics of Computation 48 (1987), 203–
209.
13. , CM-curves with good cryptographic properties, Advances in Cryptology - CRYP-
TO ’91, Lecture Notes in Computer Science, volume 576, Springler-Verlag, 1992, pp. 279–
287.
14. Kraitchik, M., Théorie des Nombres, volume 1, Gauthier-Villars, 1922.
15. , Reserches sur la théorie des nombres, Gauthier-Villars, 1924.
16. B.A. LaMacchia and A.M. Odlyzko, Computation of discrete logarithms in prime fields,
Designs, Codes and Cryptography 1 (1991), 47–62.
17. S. Lang, Fundamentals of Diophantine Geometry, Springer-Verlag, New York, 1983.
18. , Elliptic Curves: Diophantine Analysis, Springer-Verlag, New York, 1978.
19. R. Martin and W. McMillen, An elliptic curve over with rank at least 23, announcement,
June 1997.
20. A. Menezes, T. Okamoto and S. Vanstone, Reducing elliptic curve logarithms to logarithms
in a finite field, IEEE Transactions on Information Theory 39 (1993), 1639–1646.
21. J.F. Mestre, Formules explicites et minoration de conducteurs de variétés algébriques,
Compositio Math. 58 (1986), 209–232.
22. , Constructiuon d’une courbe elliptique de rang ≥ 12, C.R. Acad. Sc. Paris t. 295
(1982), 643–644.
 Elliptic Curve Discrete Logarithms and the Index Calculus 125

23. V.S. Miller, Use of elliptic curves in cryptography, Advances in Cryptology CRYPTO ’85
(Lecture Notes in Computer Science, vol. 218), Springer-Verlag, 1986, pp. 417–426.
24. A. Miyaji, On ordinary elliptic curve cryptosystems, Advances in Cryptology - ASI-
ACRYPT ’91, Lecture Notes in Computer Science, volume 218, Springer-Verlag, 1993,
pp. 460–469.
25. S. Pohlig and M. Hellman, An improved algorithm for computing logarithms over GF(p)
and its cryptographic significance, IEEE Transactions on Information Theory 24 (1978),
106–110.
26. J. Pollard, Monte Carlo methods for index computation mod p, Mathematics of Compu-
tation 32 (1978), 918–924.
27. H. H. Rück, On the discrete logarithms on some elliptic curves, preprint, 1997.
28. T. Satoh and K. Araki, Fermat quotients and the polynomial time discrete log algorithm
for anomalous elliptic curves, preprint.
29. O. Schirokauer, D. Weber, and Th. Denny, Discrete logarithms: The effectiveness of the
index calculus method, Algorithmic Number Theory, (ANTS-II, Talence, France, 1996),
Lect. Notes in Computer Sci., vol. 1122, Springer-Verlag, 1996, pp. 337–362.
30. R. Schoof, Elliptic curves over finite fields and the computation of square roots modulo p,
Math. Comp. 44 (1985), 483–494.
31. I. Semaev, Evaluation of discrete logarithms in a group of p-torsion points of an elliptic
curve in characteristic p, Mathematics of Computation 67 (1998), 353–356.
32. V. Shoup, Lower bounds for discrete logarithms and related problems, Advances in Cryp-
tology - EUROCRYPT ’97, Lecture Notes in Computer Science, volume 1233, Springer-
Verlag, 1997, pp. 256–266.
33. J.H. Silverman, The Arithmetic of Elliptic Curves, Graduate Texts in Math., vol. 106,
Springer-Verlag, Berlin and New York, 1986.
34. , Advanced Topics in the Arithmetic of Elliptic Curves, Graduate Texts in Math.,
vol. 151, Springer-Verlag, Berlin and New York, 1994.
35. , Lower bound for the canonical height on elliptic curves, Duke Math. J. 48 (1981),
633–648.
36. , The difference between the Weil height and the canonical height on elliptic curves,
Math. Comp. 192 (1990), 723–743.
37. , Computing heights on elliptic curves, Math. Comp. 51 (1988), 339–358.
38. , Computing canonical heights with little (or no) factorization, Math. Comp. 66
(1997), 787–805.
39. N. Smart, Announcement of an attack on the ECDLP for anomalous elliptic curves,
preprint, 1997.
40. J. Solinas, An improved algorithm for arithmetic on a family of elliptic curves, Advances
in Cryptology - CRYPTO ’97, Lecture Notes in Computer Science, volume 1294, Springer-
Verlag, 1997, pp. 357–371.
41. J. Voloch, The discrete logarithm problem on elliptic curves and descents, preprint, 1997.
42. Weber, D., Computing discrete logarithms with the general number field sieve, Algorithmic
Number Theory, (ANTS-II, Talence, France, 1996), Lect. Notes in Computer Sci., vol.
1122, Springer-Verlag, 1996, pp. 391–403.
43. A.E. Western and J.C.P. Miller, Tables of Indices and Primitive Roots, Royal Society
Mathematical Tables, vol. 9, Cambridge Univ. Press, 1968.