Index Calculus in the Trace Zero Variety

We discuss how to apply Gaudry's index calculus algorithm for abelian varieties to solve the discrete logarithm problem in the trace zero variety of an elliptic curve. We treat in particular the practically relevant cases of field extensions of degree 3 or 5. Our theoretical analysis is compared to other algorithms present in the literature, and is complemented by results from a prototype implementation.


1. Introduction
Given an elliptic curve $E$ defined over a finite field $\mathbb{F}_q$, consider the group $E(\mathbb{F}_{q^n})$ of rational points over a field extension of prime degree $n$. Since $E$ is defined over $\mathbb{F}_q$, the group $E(\mathbb{F}_{q^n})$ contains the subgroup $E(\mathbb{F}_q)$ of $\mathbb{F}_q$-rational points of $E$. Moreover, it contains the subgroup $T_n$ of points $P \in E(\mathbb{F}_{q^n})$ whose trace $P + \varphi(P) + \dots + \varphi^{n-1}(P)$ is zero, where $\varphi$ denotes the Frobenius endomorphism on $E$. The group $T_n$ is called the trace zero subgroup of $E(\mathbb{F}_{q^n})$, and it is the group of $\mathbb{F}_q$-rational points of the trace zero variety relative to the field extension $\mathbb{F}_{q^n}|\mathbb{F}_q$.
In this paper, we study the hardness of the DLP in the trace zero variety. Our interest in this question has several motivations. First of all, supersingular trace zero varieties can achieve higher security per bit than supersingular elliptic curves, as shown by Rubin and Silverberg in [RS02,RS09] and by Avanzi and Cesena in [AC07,Ces10]. Ideally, in pairing-based protocols the embedding degree $k$ is such that the DLP in $T_n$ and in $\mathbb{F}_{q^{kn}}^*$ have the same complexity. In order to achieve this, an accurate assessment of the complexity of the DLP in $T_n$ is necessary. Moreover, since $T_n$ is isomorphic to $E(\mathbb{F}_{q^n})/E(\mathbb{F}_q)$, the DLP in $E(\mathbb{F}_{q^n})$ has the same complexity as the DLP in $T_n$. This provides another motivation to study the hardness of the DLP in $T_n$. A further motivation comes from the fact that the trace zero subgroup itself can be used within asymmetric cryptographic protocols using the DLP as a primitive, as proposed by Frey in [Fre98].
Using trace zero varieties in cryptographic protocols presents some advantages with respect to elliptic curves. In fact, a clever use of the Frobenius endomorphism allows us to compute the group operation more efficiently than for an elliptic curve of about the same cardinality, leading to more efficient scalar multiplication in the group (see [Fre99,Lan01,Lan04,AC07] or [ACD+06, Section 15.3.2]). This technique is analogous to the one for Koblitz curves [Kob91] and was later applied to GLV-GLS curves [GLV01,GLS11]. Another advantage is that for groups of cryptographically relevant size, the order of the group can simply be calculated using the characteristic polynomial of the Frobenius endomorphism. This allows for more efficient computation of the group order in comparison to the group of rational points of an elliptic curve over a prime field of comparable size (see [ACD+06, Section 15.3.1]). Finally, in the recent papers [GM14] and [GM13] we proposed new efficient representations for the elements of $T_n$, for any $n$. More precisely, we can represent the elements of the group with $(n-1)\log_2 q + 1$ bits, which is optimal since $|T_n| \sim q^{n-1}$. We refer the interested reader to [Gor11] for a discussion of the relevance of efficient representations.
In this paper, we discuss how to apply Gaudry's index calculus algorithm for abelian varieties to solve the discrete logarithm problem in $T_n$. Gaudry's algorithm first appeared in [Gau09], and proposes a general framework to do index calculus on a general abelian variety. A main difficulty of running an index calculus attack on an abelian variety is producing the relations. When the abelian variety is an elliptic curve, Gaudry proposes to use Semaev polynomials ([Sem04]) to build a system of polynomial equations, such that a solution to the system corresponds to a relation.
The systems can be solved by Gröbner bases methods. The complexity of this attack depends on the size of $\mathbb{F}_q$ and the dimension of the abelian variety: Asymptotically in $q$, and regarding $n$ as a constant, it has complexity $\tilde O(q^{2-2/(n-1)})$, which is lower than that of generic attacks on $T_n$ and on $E(\mathbb{F}_{q^n})$ for $n \ge 5$. This leads to the lowest-complexity attack on the DLP in $E(\mathbb{F}_{q^n})$ for prime $n$. Other attacks, of comparable or lower complexity but which only apply to specific elliptic curves, are discussed in [GHS02,Die03,Die06,DK13,DS]. We apply Gaudry's index calculus algorithm to $T_n$, and demonstrate that it is feasible for $n = 3$ and $q$ up to about 30 bits. For $n = 5$ we show that the bottleneck of the algorithm is the Gröbner basis computation. Using some tricks from [BFP08,JV12] we are able to produce relations and to solve a DLP for very small $q$, but the attack this yields is not feasible over fields of cryptographic size, therefore it is presently not a threat to the DLP in $T_5$ or $E(\mathbb{F}_{q^5})$.
We also analyze the algorithm asymptotically in n and q, and we see that the complexity is exponential in n. This is mostly due to the fact that in order to produce relations, the algorithm solves polynomial systems whose size (number of equations, number of indeterminates, degrees of the equations) depends on n, and that the Gröbner basis methods have a large complexity in these parameters. We conclude that one can only hope to produce relations with this method for small values of n.
The paper is organized as follows. We recall the functionality of index calculus algorithms and the most important definitions in connection with the trace zero variety in Section 2. Then we describe the application of Gaudry's algorithm to the trace zero variety in Section 3, and we analyze its complexity in Section 4. In Section 5, we present explicit equations and Magma experiments for $n = 3, 5$. Finally, we compare the index calculus attack with other attacks on the DLP in $T_n$ in Section 6, and discuss the implications of our results for trace zero elliptic curve cryptosystems in Section 7.
2.1. Index calculus. An index calculus algorithm for computing $\log_P Q$ in a cyclic group $\langle P \rangle$ proceeds in the following steps.

1. Factor base: Choose a factor base $\{P_1, \dots, P_k\}$ of group elements.
2. Relation collection: Construct relations of the form $\alpha_j P + \beta_j Q = \sum_{i=1}^{k} m_{ij} P_i$ for $j = 1, \dots, r > k$.
3. Linear algebra: Given the matrix $M = (m_{ij}) \in (\mathbb{Z}/\operatorname{ord}(P)\mathbb{Z})^{k \times r}$, compute a non-zero column vector $\gamma = (\gamma_1, \dots, \gamma_r)^\top$ in the right kernel of $M$.
4. Individual logarithm: Output $\log_P Q = -\big(\sum_{j=1}^{r} \gamma_j \alpha_j\big)\big(\sum_{j=1}^{r} \gamma_j \beta_j\big)^{-1} \bmod \operatorname{ord}(P)$, provided that $\sum_j \gamma_j \beta_j$ is invertible.

It is easy to see that this gives the correct result: Since $\gamma$ is in the right kernel of $M$, we have $M\gamma = 0$, or equivalently $\sum_{j=1}^{r} m_{ij}\gamma_j = 0$ for all $i = 1, \dots, k$. Multiplying all relations from step 2 by $\gamma_j$, summing over $j$, and using the above equality gives
$$\Big(\sum_{j=1}^{r} \gamma_j \alpha_j\Big) P + \Big(\sum_{j=1}^{r} \gamma_j \beta_j\Big) Q = \sum_{i=1}^{k} \Big(\sum_{j=1}^{r} m_{ij}\gamma_j\Big) P_i = O.$$
Algorithms that function in this way have been used for many years to compute discrete logarithms in groups where a concept of factorization is available. However, it was not until 2009 that Gaudry [Gau09] published an algorithm that works in abelian varieties of dimension at least 2. His idea is to translate the condition for a relation into a system of polynomial equations and to solve the system with Gröbner basis methods in order to obtain relations. We give more details on his approach in Section 3, where we apply it to the trace zero variety. The heuristic complexity of his attack is $\tilde O(q^{2-2/d})$ asymptotically for $q \to \infty$, where the dimension $d \ge 2$ and all other parameters associated to the variety (like the degrees of the defining equations and the size of the representation) are assumed to be constant or bounded by constants.
Since its publication, Gaudry's algorithm has been applied mostly to the Weil restriction of elliptic curves defined over extension fields. In fact, Gaudry suggests this application himself in his original article [Gau09]. A similar algorithm for elliptic curves was developed independently by Diem [Die11]. The algorithm of Gaudry and Diem was implemented by Joux and Vitse [JV12]. With several further improvements and variations, including a specialized implementation of the Gröbner basis algorithm F4 [JV11] using an idea of Traverso [Tra88], they were able to solve an instance of an oracle-assisted static Diffie-Hellman problem in $E(\mathbb{F}_{2^{155}})$, which is related to, but easier than, the DLP in the same group [GJV10]. Faugère, Perret, Petit, and Renault [FPPR12], Petit and Quisquater [PQ12], and Shantz and Teske [ST13] studied the polynomial systems that arise during this attack. They come to the conclusion that these systems are of a special shape and that special-purpose Gröbner basis techniques may lead to a significant speed-up. The application of the algorithm to Edwards curves was studied by Faugère, Gaudry, Huot, and Renault in [FGHR12,FGHR13].
Notice that this approach only threatens elliptic curves defined over extension fields and does not affect groups $E(\mathbb{F}_p)$ where $p$ is a prime. The best attack on such groups is the Pollard-Rho attack, and the current record for computing a discrete logarithm in $E(\mathbb{F}_p)$, for $p$ a 112-bit prime, is held by Bos, Kaihara, Kleinjung, Lenstra, and Montgomery [BKK+09], using a parallelized version of the Pollard-Rho Algorithm. Some improvements which take into account the use of the negation map in running the Pollard-Rho Algorithm are discussed in [BLS11].
Besides elliptic curves, Gaudry's algorithm for abelian varieties has been applied to the Weil restriction of hyperelliptic curves of small genus by Nagao [Nag10] and to algebraic tori by Granger and Vercauteren [GV05]. In this paper, we apply Gaudry's attack to the trace zero variety.
2.2. The Trace Zero Variety. Throughout this paper, let $E$ be a smooth elliptic curve defined over a finite field $\mathbb{F}_q$ by an affine Weierstraß equation. For any extension field $\mathbb{F}$ of $\mathbb{F}_q$, the $\mathbb{F}$-rational points $E(\mathbb{F})$ on $E$ form a group with neutral element $O$, the point at infinity. When $\mathbb{F} = \mathbb{F}_{q^n}$, $n \ge 1$, is a finite extension, $E(\mathbb{F}_{q^n})$ is a finite group of order about $q^n$. We denote by $+$ the group operation and by $\varphi$ the Frobenius endomorphism on $E$. Throughout the paper, we denote field elements by uppercase and indeterminates by lowercase letters.
Definition 2.2. For a field extension $\mathbb{F}_{q^n}|\mathbb{F}_q$ of degree $n > 1$, the trace map is defined by
$$\operatorname{Tr} : E(\mathbb{F}_{q^n}) \to E(\mathbb{F}_q), \qquad P \mapsto P + \varphi(P) + \dots + \varphi^{n-1}(P).$$
When $n$ is prime, the kernel of the trace map is called the trace zero subgroup of $E(\mathbb{F}_{q^n})$. We denote it by $T_n$.
The trace zero subgroup is isomorphic to the group of $\mathbb{F}_q$-rational points of the trace zero variety $V_n$, which is an $(n-1)$-dimensional subvariety of the Weil restriction of $E$: Fixing a basis $\{\zeta_0, \dots, \zeta_{n-1}\}$ of $\mathbb{F}_{q^n}|\mathbb{F}_q$ and writing the coordinates of the points of $E(\mathbb{F}_{q^n})$ in this basis yields the isomorphism (1) between $T_n$ and $V_n(\mathbb{F}_q)$ that we use throughout. In this paper, we consider the case $n \ge 3$, when the trace zero variety has dimension at least 2.
We study the hardness of the DLP in $T_n$, which is of interest in cryptography for various reasons, as explained in the Introduction. In particular, the DLP in $T_n$ is as hard as the DLP in $E(\mathbb{F}_{q^n})$. This is shown for the analogous case of algebraic tori in [GV05], and more generally for exact sequences of abelian varieties in [GS06]. The result as we state it here is Proposition 2.4 in [GM13].
Proposition 2.3. Let $E$ be an elliptic curve defined over $\mathbb{F}_q$, and let $T_n$ be the trace zero subgroup of $E(\mathbb{F}_{q^n})$ for some prime number $n$. Then the sequence
$$0 \to T_n \to E(\mathbb{F}_{q^n}) \xrightarrow{\ \operatorname{Tr}\ } E(\mathbb{F}_q) \to 0$$
is exact, and the DLP in $E(\mathbb{F}_{q^n})$ has the same complexity as the DLP in $T_n$.
In [GM14] we wrote an equation for the x-coordinates of the points in T n using the Semaev polynomial. We briefly summarize how to write such an equation, starting with the definition and the main result from [Sem04].
Definition 2.4. Let $\mathbb{F}_q$ be a finite field of characteristic at least 5, and let $E$ be a smooth elliptic curve defined over $\mathbb{F}_q$ by the affine equation $y^2 = x^3 + Ax + B$. The $m$-th summation polynomial or Semaev polynomial $f_m$ is defined recursively, starting from $f_2$ and $f_3$, by
$$f_m(x_1, \dots, x_m) = \operatorname{Res}_x\big(f_{m-k}(x_1, \dots, x_{m-k-1}, x),\ f_{k+2}(x_{m-k}, \dots, x_m, x)\big)$$
for $m \ge 4$ and $m - 3 \ge k \ge 1$, where $\operatorname{Res}$ denotes the resultant.

Theorem 2.5 ([Sem04]). Let $X_1, \dots, X_m \in \overline{\mathbb{F}}_q$. Then $f_m(X_1, \dots, X_m) = 0$ if and only if there exist $Y_1, \dots, Y_m \in \overline{\mathbb{F}}_q$ such that $(X_i, Y_i) \in E$ for all $i$ and $(X_1, Y_1) + \dots + (X_m, Y_m) = O$. Furthermore, $f_m$ is absolutely irreducible and symmetric of degree $2^{m-2}$ in each variable. The total degree is $(m-1)2^{m-2}$.
Remark 2.6. The original definition from [Sem04] is for elliptic curves defined over fields of characteristic at least 5. However, polynomials with the same properties can be defined also for characteristic 2 and 3. Therefore, all results of this paper hold, with the appropriate adjustments, over finite fields of any characteristic.
The Semaev polynomial is used in [GM14] to give the following equation for the x-coordinates of the points of T n .
Proposition 2.7 ([GM14, Proposition 3, Remark 5]). Let $n$ be an odd prime, and let $T_n$ be the trace zero subgroup of $E(\mathbb{F}_{q^n})$. Then the $x$-coordinate $X$ of every affine point $(X, Y) \in T_n$ satisfies $f_n(X, X^q, \dots, X^{q^{n-1}}) = 0$. In the case when $n = 3$ or $5$, for any root $X \in \mathbb{F}_{q^n}$ of $f_n(x, x^q, \dots, x^{q^{n-1}}) = 0$ it can be decided efficiently whether $(X, Y) \in T_n$ by checking $Y \in \mathbb{F}_{q^n}$ and, if $n = 5$, by checking in addition that $X \notin \mathbb{F}_q$.

As discussed in [GM14] at the end of Section 3, Weil restriction of $f_n(x, x^q, \dots, x^{q^{n-1}}) = 0$ with respect to the coordinates
$$x = x_0\zeta_0 + \dots + x_{n-1}\zeta_{n-1}, \qquad y = y_0\zeta_0 + \dots + y_{n-1}\zeta_{n-1}$$
and reduction modulo the polynomials $x_i^q - x_i$ yield exactly one equation
$$(2)\qquad \tilde f_n(x_0, \dots, x_{n-1}) = 0.$$
Its zeros describe the $x$-coordinates of the points of $V_n(\mathbb{F}_q)$ as given by Proposition 2.7 and via the isomorphism (1). Therefore, we henceforth use (2) as an equation for the trace zero subgroup. It has total degree $(n-1)2^{n-2}$.
3. An index calculus algorithm for the trace zero variety

Following the ideas of Gaudry [Gau09], we propose the following index calculus algorithm to compute discrete logarithms in $T_n$. When $n = 2$, then $V_n$ is one-dimensional, and the attack cannot be applied. Therefore, we only consider $n \ge 3$. Furthermore, we assume that $T_n$ is cyclic, which is the most relevant case in cryptography.
Remark 3.1. When T n is not cyclic, some of the probability estimates in Section 4 may be wrong and the algorithm may not function as expected. However, these problems can be overcome using classical randomization techniques (see [Gau09, Remark 2], [EG02]).
The algorithm takes as input two points $P, Q \in T_n$ such that $T_n = \langle P \rangle$, and it outputs the discrete logarithm $\log_P Q$, i.e. a number $\ell = \log_P Q \in \mathbb{Z}/\operatorname{ord}(P)\mathbb{Z}$ such that $\ell P = Q$ in $T_n$. Below, we describe the different steps of the algorithm in detail. We always identify $T_n$ and $V_n(\mathbb{F}_q)$ via the isomorphism (1).
3.1. Setup. Following the suggestion of Semaev [Sem04], we carry out the index calculus algorithm working only with the $x$-coordinates of points in $T_n$. We choose a basis $\{\zeta_0, \dots, \zeta_{n-1}\}$ of the extension $\mathbb{F}_{q^n}|\mathbb{F}_q$ and represent an affine point $P = (X, Y) \in T_n$ via the coordinates $P = (X_0, \dots, X_{n-1})$, where $X = X_0\zeta_0 + X_1\zeta_1 + \dots + X_{n-1}\zeta_{n-1}$. So by writing $(X_0, \dots, X_{n-1}) \in T_n$ we mean that there exists a $Y$ such that $(X, Y) \in T_n$. We use (2) as an equation for $T_n$.
3.2. Factor base. We choose as factor base the points of $T_n$ whose $x$-coordinate has the form $X_{n-2}\zeta_{n-2} + X_{n-1}\zeta_{n-1}$,
$$\mathcal{F} = \{(0, \dots, 0, X_{n-2}, X_{n-1}) \in T_n : X_{n-2}, X_{n-1} \in \mathbb{F}_q\},$$
whose coordinates therefore satisfy the equation
$$(3)\qquad \tilde f_n(0, \dots, 0, x_{n-2}, x_{n-1}) = 0$$
obtained from (2). These are the $\mathbb{F}_q$-rational points of a curve $C$ in $V_n$ obtained by intersecting $V_n$ with the hyperplanes $\{x_0 = 0\}, \dots, \{x_{n-3} = 0\}$. Since $V_n$ has dimension $n-1$, intersecting with $n-2$ hyperplanes generically gives a curve $C$. Thus $\mathcal{F} = C(\mathbb{F}_q)$ has about $q$ elements by the Theorem of Hasse-Weil, provided that $C$ is absolutely irreducible.
Remark 3.2. Important properties of the factor base are that it has about $q$ elements (this will be used in the complexity analysis, see Section 4) and that its elements can be described via algebraic equations (this will allow us to describe relations via a polynomial system, see Section 3.3). A further very important property is that the factor base must generate a large part of $T_n$, so that many elements of $T_n$ decompose over the factor base. For this reason, the curve $C$ should not be contained in any proper abelian subvariety of $V_n$. Notice that this can easily be detected in practice, since the algorithm will find practically no relations when $C$ lies in a proper abelian subvariety of $V_n$.
Moreover, the fact that $|\mathcal{F}| \approx q$ can be proven (with the Theorem of Hasse-Weil) only if we assume that $C$ is smooth and absolutely irreducible. In practice, if setting $x_0 = \dots = x_{n-3} = 0$ does not produce a factor base with the desired properties, we simply make a different choice of hyperplanes. In our exposition we assume that the choice we have made is a good one. This is true in all our experiments.

3.3. Relation collection.
Since $V_n$ has dimension $n-1$, we search for relations of the form
$$(4)\qquad R = P_0 + \dots + P_{n-2},$$
where $R = \alpha P + \beta Q \in T_n$ is given and $P_0, \dots, P_{n-2} \in \mathcal{F}$ are to be found. We write $U = U_0\zeta_0 + \dots + U_{n-1}\zeta_{n-1}$ for the $x$-coordinate of $R$. Following [Sem04], we use the Semaev polynomial to describe a relation. If the points $P_0, \dots, P_{n-2}$ with $x$-coordinates $X_{P_0}, \dots, X_{P_{n-2}}$ are given, then according to Theorem 2.5 they satisfy (4) if and only if $f_n(X_{P_0}, \dots, X_{P_{n-2}}, U) = 0$. Therefore, candidates for $x$-coordinates of the $P_i$ can be found by solving
$$(5)\qquad f_n(x_{P_0}, \dots, x_{P_{n-2}}, U) = 0$$
for the $x_{P_i}$. We apply Weil restriction to equation (5) using the coordinates $x_{P_i} = x_{i,0}\zeta_0 + \dots + x_{i,n-1}\zeta_{n-1}$ and obtain $n$ equations
$$(6)\qquad F_j(x_{0,0}, \dots, x_{n-2,n-1}, U_0, \dots, U_{n-1}) = 0, \qquad j = 0, \dots, n-1.$$
Solving this system over $\mathbb{F}_q$ is equivalent to solving equation (5) over $\mathbb{F}_{q^n}$, and yields possible $x$-coordinates for the points $P_i$. In addition to requiring that the $P_i$ sum to $R$, we must ensure that they belong to the factor base. Therefore, we set $x_{i,0} = \dots = x_{i,n-3} = 0$ for $i = 0, \dots, n-2$, and we include an equation of the form (3) in system (6) for each $P_i$. This means that in order to find a relation, we solve the system
$$(7)\qquad F_j(\dots) = 0 \ (j = 0, \dots, n-1), \qquad \tilde f_n(0, \dots, 0, x_{i,n-2}, x_{i,n-1}) = 0 \ (i = 0, \dots, n-2)$$
over $\mathbb{F}_q$. The system has $2n-1$ equations in $2(n-1)$ indeterminates, two indeterminates for each of the $P_i$. The first $n$ equations are the Weil descent of the $n$-th Semaev polynomial, where a constant has been plugged in for the last indeterminate. Therefore, they each have total degree at most $(n-1)2^{n-2}$. They describe the condition that the points $P_i$ sum to $R$. The last $n-1$ equations also have total degree at most $(n-1)2^{n-2}$. They guarantee that the solution points $P_i$ belong to the factor base.
Since the system has more equations than unknowns, one would expect that it generically has no solutions over the algebraic closure and that, when it has solutions, then it is zero-dimensional. This is verified in our experiments. Then, by the Shape Lemma (see e.g. [KR00, Theorem 3.7.25]), the system may be solved by computing a lexicographic Gröbner basis and then finding the $\mathbb{F}_q$-roots of a univariate polynomial. Notice that, in order to find the $\mathbb{F}_q$-roots of a polynomial $f(x) \in \mathbb{F}_q[x]$, one would first find the divisor $g(x)$ of $f(x)$ which is the product of all linear factors of $f(x)$ over $\mathbb{F}_q$, then factor $g(x)$, whose degree equals the number of solutions of the system over $\mathbb{F}_q$. Again, this is the case only after a generic change of coordinates. In the examples we computed however, a change of coordinates was never needed.
Whenever a given point R decomposes over the factor base, i.e. when a relation of the form (4) exists, this gives a solution of system (7). The converse, however, is not true. For example, when the solutions of the system give x-coordinates where one of the corresponding y-coordinates is not in F q n , then this does not produce a valid relation. In theory, it is also possible that a system produces more than one relation. However, we expect this to be extremely rare, since it would produce a relation among the elements of the factor base. In accordance with this intuition, we never encountered a system with more than one solution in our experiments.
Remark 3.3. Joux and Vitse [JV12] propose considering relations that involve one factor base point less than suggested by Gaudry, i.e. only n−2 points in our case. This reduces the probability of finding relations by a factor q, but in some cases it can make the difference between a manageable and an unmanageable system. We consider this idea in Section 5.2.
Finally, we need to produce more relations than there are factor base elements, i.e. about q, by solving the system sufficiently many times (see Section 4 for an estimate) for different random points R.
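The following Python script is an added worked example (not code from the paper or from its Magma implementation) that builds, for $n = 3$, the objects of Proposition 2.3, Theorem 2.5 and Sections 3.1 to 3.3 at a toy size where everything can be enumerated. The field $\mathbb{F}_{7^3} = \mathbb{F}_7[\zeta]/(\zeta^3 - 2)$ (so that $3 \mid q-1$ and $\zeta^3 - \mu$ is a Kummer extension as in Section 5, with $\mu = 2$ a non-cube modulo 7) and the curve $y^2 = x^3 + x + 1$ are illustrative choices. The script enumerates $E(\mathbb{F}_{7^3})$, computes $T_3$ as the kernel of the trace, checks $|T_3| \cdot |E(\mathbb{F}_7)| = |E(\mathbb{F}_{7^3})|$, takes as factor base the points of $T_3$ on a hyperplane $x_0 = c$ (choosing the $c$ that gives the most points, in the spirit of changing hyperplane when the first choice is poor), and then replaces the Gröbner basis solver of Section 3.3 by brute force: every sum $R = P_0 + P_1$ of factor base points is a relation, and since $P_0 + P_1 + (-R) = O$ with $x(-R) = x(R)$, Theorem 2.5 requires $f_3(x_{P_0}, x_{P_1}, x_R) = 0$. The polynomial $f_3$ is written in its expanded symmetric form.

```python
"""Added example (not from the paper): T_3 of E: y^2 = x^3 + A x + B over F_{7^3}, the order
relation of Proposition 2.3, a factor base on a hyperplane, and Semaev relations R = P0 + P1."""
from itertools import product

p, mu = 7, 2        # 3 | p - 1 and 2 is not a cube mod 7, so zeta^3 - 2 is irreducible over F_7
A, B = 1, 1         # illustrative curve; 4A^3 + 27B^2 = 31 is non-zero mod 7, so E is smooth
Q = p ** 3

# F_{p^3} = F_p[zeta]/(zeta^3 - mu): the tuple (a0, a1, a2) stands for a0 + a1*zeta + a2*zeta^2
def emb(a): return (a % p, 0, 0)                                   # F_p -> F_{p^3}
def add(a, b): return tuple((u + v) % p for u, v in zip(a, b))
def sub(a, b): return tuple((u - v) % p for u, v in zip(a, b))

def mul(a, b):      # schoolbook product, then reduce zeta^3 -> mu and zeta^4 -> mu*zeta
    c = [0] * 5
    for i in range(3):
        for j in range(3):
            c[i + j] += a[i] * b[j]
    return ((c[0] + mu * c[3]) % p, (c[1] + mu * c[4]) % p, c[2] % p)

def fpow(a, e):
    r = emb(1)
    while e:
        if e & 1:
            r = mul(r, a)
        a, e = mul(a, a), e >> 1
    return r

def inv(a): return fpow(a, Q - 2)                                  # 1/a for a != 0 (Fermat)

ZERO = emb(0)
FQ3 = list(product(range(p), repeat=3))                            # all of F_{p^3}
FQ = [emb(a) for a in range(p)]                                    # the subfield F_p

# E(F_{p^3}): affine points are pairs (x, y) of field elements; the point at infinity O is None
def ec_add(P, R):
    if P is None: return R
    if R is None: return P
    if P[0] == R[0] and P[1] != R[1]: return None                   # R = -P
    if P == R:
        if P[1] == ZERO: return None                                # 2P = O for a 2-torsion point
        lam = mul(add(mul(emb(3), mul(P[0], P[0])), emb(A)), inv(mul(emb(2), P[1])))
    else:
        lam = mul(sub(R[1], P[1]), inv(sub(R[0], P[0])))
    x3 = sub(sub(mul(lam, lam), P[0]), R[0])
    return (x3, sub(mul(lam, sub(P[0], x3)), P[1]))

def points(field):  # affine points of E whose coordinates lie in the given subset of F_{p^3}
    squares = [(y, mul(y, y)) for y in field]
    pts = []
    for x in field:
        rhs = add(add(mul(mul(x, x), x), mul(emb(A), x)), emb(B))
        pts += [(x, y) for y, y2 in squares if y2 == rhs]
    return pts

def phi(P): return None if P is None else (fpow(P[0], p), fpow(P[1], p))   # Frobenius on E
def trace(P): return ec_add(P, ec_add(phi(P), phi(phi(P))))                 # P + phi(P) + phi^2(P)
def trace_zero(): return [P for P in points(FQ3) if trace(P) is None]       # affine points of T_3

def orders():
    """(|E(F_{p^3})|, |E(F_p)|, |T_3|): by the exact sequence of Proposition 2.3 the first
    is the product of the other two (here 380 = 5 * 76)."""
    return len(points(FQ3)) + 1, len(points(FQ)) + 1, len(trace_zero()) + 1

def semaev3(x1, x2, x3):
    """f_3 for y^2 = x^3 + A x + B via the elementary symmetric polynomials e1, e2, e3:
    f_3 = e2^2 - 4 e1 e3 - 2A e2 - 4B e1 + A^2 (degree 2 in each variable, total degree 4)."""
    e1 = add(add(x1, x2), x3)
    e2 = add(add(mul(x1, x2), mul(x1, x3)), mul(x2, x3))
    e3 = mul(mul(x1, x2), x3)
    f = sub(add(mul(e2, e2), emb(A * A)), mul(emb(4), mul(e1, e3)))
    return sub(sub(f, mul(emb(2 * A), e2)), mul(emb(4 * B), e1))

def relations():
    """Factor base F: points of T_3 on the hyperplane x_0 = c, c chosen to maximise |F|.
    Decompose R = P0 + P1 by brute force and check f_3(x_P0, x_P1, x_R) = 0 (Theorem 2.5).
    Returns (|F|, number of distinct R that decompose, number of violations of f_3 = 0)."""
    T3 = trace_zero()
    F = max(([P for P in T3 if P[0][0] == c] for c in range(p)), key=len)
    decomposed, violations = set(), 0
    for P0 in F:
        for P1 in F:
            R = ec_add(P0, P1)
            if R is None: continue                                  # P1 = -P0 gives no relation
            decomposed.add(R)
            if semaev3(P0[0], P1[0], R[0]) != ZERO:
                violations += 1
    return len(F), len(decomposed), violations

if __name__ == "__main__":
    print("(|E(F_343)|, |E(F_7)|, |T_3|) =", orders())
    print("(|F|, decomposable R, f_3 violations) =", relations())
```

With $q = 7$ the factor base has only a dozen or so points, so the heuristic splitting probability $1/(n-1)!$ of Section 4.3 is not expected to be visible; the point of the script is the direction of the check. The attack solves $f_3(x_{P_0}, x_{P_1}, U) = 0$ for unknown factor base points; here the decomposition is known and $f_3$ is verified to vanish on it, which is the property that makes the polynomial system of Section 3.3 a correct description of a relation.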
3.4. Linear algebra. The relation collection phase of the algorithm produces a sparse matrix of size about q × q with entries 0 or 1. Notice that, while it is theoretically possible to have a row whose entries are positive numbers greater than 1, this should be extremely rare and in fact we never encountered such a relation in our experiments. The rows of the matrix correspond to the factor base elements, and the columns correspond to the different relations. Generically a column has n − 1 non-zero entries, one for each factor base element that appears in the corresponding relation. Assuming that more relations have been produced than there are factor base elements, the matrix has more columns than rows. Therefore, there exists a non-zero vector in its right kernel. The task of the linear algebra step is to find such a vector, where the computations must be performed not over Z, but modulo the order of P in T n . Standard methods to solve such sparse linear systems are Wiedemann's Algorithm and Lanczos' Algorithm (see [Wie86,LO90]).
Remark 3.4. Since there are efficient and well-studied methods for solving sparse linear systems, we do not treat this step in detail. Notice however that the efficient implementation of the linear algebra step is far from trivial, especially since the algorithms are hard to parallelize. One recent record-breaking implementation on GPUs is presented in [Jel13,Jel14]. Moreover, in practice a filtering step can make a big difference, see e.g. [Bou12]. This is a preprocessing of the matrix, where duplicate relations are removed, points that appear in only one relation (corresponding to rows with only one nonzero entry) are removed, and excess relations are removed until there are exactly $|\mathcal{F}| + 1$ of them left. We do not employ such sophisticated techniques in our experiments, since we treat only small examples and our emphasis is on finding relations and not on the linear algebra step.
3.5. Individual logarithm. Once the linear system has been solved, computing the actual discrete logarithm is easy. Denoting by $(\gamma_1, \dots, \gamma_r)$ the vector in the kernel of the matrix computed in the previous step and by $\alpha_j, \beta_j$ the values of $\alpha, \beta$ corresponding to the $j$-th relation, we have
$$\log_P Q = -\Big(\sum_{j=1}^{r} \gamma_j \alpha_j\Big)\Big(\sum_{j=1}^{r} \gamma_j \beta_j\Big)^{-1} \bmod \operatorname{ord}(P),$$
provided that $\sum_j \gamma_j \beta_j$ is invertible modulo the order of $P$. If not, one must collect more relations in order to produce a different matrix and find a different vector $\gamma$. Notice that $\sum_j \gamma_j \beta_j$ is invertible with high probability, especially if $\operatorname{ord}(P)$ is prime.
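The following Python code is an added example, not part of the paper, of the linear algebra and individual logarithm steps of Sections 2.1, 3.4 and 3.5. Since relation collection itself needs the Gröbner basis machinery above, the relations are constructed: the factor base elements are $P_i = d_i P$ with hidden $d_i$, the unknown logarithm is $\ell = 419$, and each relation $\alpha_j P + \beta_j Q = \sum_i m_{ij} P_i$ involving $n - 1 = 2$ factor base points is built so that it holds for $Q = \ell P$. The solver sees only $M$, the $\alpha_j$ and the $\beta_j$, computes a right kernel vector modulo $N = \operatorname{ord}(P) = 1009$ by dense Gauss-Jordan elimination (the sparse Wiedemann and Lanczos solvers the paper refers to are not reproduced), and recovers $\ell$; the retry when $\sum_j \gamma_j \beta_j$ is not invertible is the case discussed in Section 3.5. The prime 1009, the dimensions and the seed are illustrative.

```python
"""Added example (not from the paper): steps 3 (linear algebra) and 4 (individual logarithm)
of index calculus on constructed relations for a cyclic group of prime order N with Q = ell*P."""
import random

def kernel_vector(M, N):
    """Non-zero g with M g = 0 (mod N) for a k x r matrix M over Z/NZ, N prime, r > k.
    Dense Gauss-Jordan elimination; at cryptographic sizes one uses Wiedemann or Lanczos."""
    k, r = len(M), len(M[0])
    rows = [row[:] for row in M]
    pivot_cols, ri = [], 0
    for c in range(r):
        piv = next((i for i in range(ri, k) if rows[i][c] % N), None)
        if piv is None:
            continue
        rows[ri], rows[piv] = rows[piv], rows[ri]
        scale = pow(rows[ri][c], -1, N)
        rows[ri] = [(v * scale) % N for v in rows[ri]]
        for i in range(k):
            if i != ri and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(a - f * b) % N for a, b in zip(rows[i], rows[ri])]
        pivot_cols.append(c)
        ri += 1
        if ri == k:
            break
    free = next(c for c in range(r) if c not in pivot_cols)   # exists because r > k >= rank
    g = [0] * r
    g[free] = 1
    for i, c in enumerate(pivot_cols):        # pivot row i reads x_c + rows[i][free] * x_free = 0
        g[c] = (-rows[i][free]) % N
    return g

def individual_log(alpha, beta, g, N):
    """sum_j g_j (alpha_j P + beta_j Q) = O gives log_P Q = -(sum g_j alpha_j) / (sum g_j beta_j)."""
    a = sum(x * y for x, y in zip(g, alpha)) % N
    b = sum(x * y for x, y in zip(g, beta)) % N
    if b == 0:
        return None                            # sum g_j beta_j not invertible: need more relations
    return (-a * pow(b, -1, N)) % N

def simulate_relations(N, k, r, ell, dim, rng):
    """Constructed stand-in for relation collection: hidden logs d_i of the k factor base
    elements and r relations, each with dim = n-1 distinct factor base points and entries 0/1,
    where alpha_j is chosen so that alpha_j + beta_j*ell = sum of the d_i (the relation holds)."""
    d = [rng.randrange(1, N) for _ in range(k)]
    M = [[0] * r for _ in range(k)]
    alpha, beta = [], []
    for j in range(r):
        idx = rng.sample(range(k), dim)
        for i in idx:
            M[i][j] = 1
        b = rng.randrange(1, N)
        alpha.append((sum(d[i] for i in idx) - b * ell) % N)
        beta.append(b)
    return M, alpha, beta

def solve(N=1009, k=40, r=60, dim=2, ell=419, seed=1):
    """Recover ell from the relations alone; retries with fresh relations if the denominator vanishes."""
    for attempt in range(10):
        M, alpha, beta = simulate_relations(N, k, r, ell, dim, random.Random(seed + attempt))
        g = kernel_vector(M, N)
        assert all(sum(M[i][j] * g[j] for j in range(r)) % N == 0 for i in range(k))
        log = individual_log(alpha, beta, g, N)
        if log is not None:
            return log
    return None

if __name__ == "__main__":
    print("log_P Q =", solve())
```

The matrix is built exactly as Section 3.4 describes it, rows indexed by factor base elements and columns by relations with $n - 1$ entries equal to 1 per column, and the solver never uses the hidden $d_i$: the kernel vector cancels the factor base contribution, and the only place the secret enters is through the constructed $\alpha_j$.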

4. Complexity analysis
We now analyze the complexity of the index calculus algorithm presented in the previous section. We make the same heuristic assumptions as Gaudry [Gau09] and other work based on Gaudry's results, e.g. [GV05,JV12]. Our analysis is in $q$ and $n$ and therefore more precise than that of Gaudry, who disregards the dependency on $n$. By disregarding the dependency on $n$ in our analysis, one obtains the result of Gaudry. For simplicity we use the $\tilde O$-notation, which ignores logarithmic factors in both $n$ and $q$.
4.1. Setup. Diem [Die11] shows that the $n$-th Semaev polynomial and its Weil restriction can be computed with a randomized algorithm in expected time $\tilde O(e^{n^2})$.
Remark 4.1. We do not have to compute the full Weil restriction of $f_n$, since we only need to evaluate the polynomials on the $x$-coordinates of points in the factor base. Therefore, when computing the Weil restriction, we work with the coordinates $x_{P_i} = x_{i,n-2}\zeta_{n-2} + x_{i,n-1}\zeta_{n-1}$. In practice, this procedure is much quicker than first computing the usual Weil restriction and then setting $x_{i,0} = \dots = x_{i,n-3} = 0$, and the complexity is lower than the one given in [Die11]. However, since this term will not dominate the final complexity of the index calculus algorithm, the complexity estimate by Diem suffices for our purposes.
We choose to treat u, the x-coordinate of R, as an indeterminate. Then we only have to compute the Weil restriction once to obtain system (7). Each time we plug a value for the x-coordinate of R into system (7), we obtain a system which possibly produces a relation.

4.2. Factor base. In order to enumerate the factor base, we go through all values $X_{n-2} \in \mathbb{F}_q$, compute the solutions of $\tilde f_n(0, \dots, 0, X_{n-2}, x_{n-1}) = 0$ over $\mathbb{F}_q$, and check whether the solution gives a point in $T_n$. Since the degree of $\tilde f_n$ in $x_{n-1}$ is bounded by $(n-1)2^{n-2}$, computing all solutions takes $\tilde O((n-1)2^{n-2})$ operations in $\mathbb{F}_q$ (see [GvzG99, Corollary 14.16]). Typically, there are only few solutions. Checking whether the $y$-coordinate corresponding to $X = X_{n-2}\zeta_{n-2} + X_{n-1}\zeta_{n-1}$ is in $\mathbb{F}_{q^n}$ is much cheaper. Altogether, enumerating the factor base costs $\tilde O(q(n-1)2^{n-2})$.

4.3. Relation generation.
Assuming that most different unordered $(n-1)$-tuples of factor base elements sum to different points in $T_n$, then $|\mathcal{F}|^{n-1}/(n-1)!$ points of $T_n$ decompose over the factor base. Since $T_n$ has about $q^{n-1}$ elements, this means that the probability of a point $R \in T_n$ splitting over the factor base is $1/(n-1)!$. Therefore, in order to generate $q$ relations, we expect to have to try to decompose $q(n-1)!$ points, i.e. solve $q(n-1)!$ systems.
In order to solve each system, we follow the approach that is most efficient in practice: We first compute a Gröbner basis with respect to the degree reverse lexicographic term order, and we then use a Gröbner walk algorithm to convert it to a lexicographic Gröbner basis. Afterwards, we factor a univariate polynomial. The complexity of the last step is negligible compared to the first two.
To estimate the complexity of the Gröbner basis computation, we use the bound on the complexity of Faugère's F5 algorithm [Fau02]. We assume that the system is semi-regular, which is true generically. Then according to [BFSY05, Proposition 6], the complexity of computing a degree reverse lexicographic Gröbner basis of our system is bounded in terms of the number of indeterminates, the linear algebra constant $\omega$ and the degree of regularity $d_{\mathrm{reg}}$ of the system, where $2 \le \omega \le 3$ is the exponent in the complexity of matrix multiplication and $d_{\mathrm{reg}}$ is also called the regularity index (see [KR05, Definition 5.1.8]). We estimate $d_{\mathrm{reg}}$ using a standard bound from commutative algebra:
$$d_{\mathrm{reg}} \le (2n-2)\big((n-1)2^{n-2} - 1\big) + 1 = (2n-2)(n-1)2^{n-2} - 2n + 3.$$
Hence the complexity of computing a degree reverse lexicographic Gröbner basis of our system is bounded by an expression that depends on $n$ but not on $q$ (beyond the cost of $\mathbb{F}_q$-arithmetic hidden in the $\tilde O$). Now using the FGLM algorithm [FGLM93], we may compute from this basis a lexicographic Gröbner basis at a cost polynomial in $D$, where $D$ is the degree of the ideal generated by the degree reverse lexicographic Gröbner basis (i.e. the number of solutions counted with multiplicity in $\overline{\mathbb{F}}_q$). Using as a bound on $D$ the product of the degrees of $2n-2$ of the equations of the system, we get $D \le \big((n-1)2^{n-2}\big)^{2n-2}$. Therefore, this is not more expensive than F5.
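As an added computation (not from the paper), evaluating the two bounds above for the cases $n = 3$ and $n = 5$ treated in Section 5 shows how fast they grow with $n$:
$$d_{\mathrm{reg}} \le (2n-2)(n-1)2^{n-2} - 2n + 3 = \begin{cases} 13 & (n = 3),\\ 249 & (n = 5), \end{cases} \qquad D \le \big((n-1)2^{n-2}\big)^{2n-2} = \begin{cases} 4^4 = 2^{8} & (n = 3),\\ 32^8 = 2^{40} & (n = 5). \end{cases}$$
Neither bound involves $q$; the field size enters the cost of relation generation only through the number $q(n-1)!$ of systems to be solved, while the jump from $n = 3$ to $n = 5$ is entirely in the per-system Gröbner basis cost.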
Taking into account that we have to do this $q(n-1)!$ times, the total cost of the relation collection step is $q(n-1)!$ times the cost of one Gröbner basis computation bounded as above.

4.4. Linear algebra. Using Lanczos' or Wiedemann's Algorithm, the cost of solving a sparse linear system of size about $q \times q$, where each column has $n-1$ non-zero entries, is quadratic in $q$ up to the factor $n-1$ (see e.g. [EK97]).
4.5. Individual logarithm. The cost of computing the individual logarithm is negligible compared to the complexities above.
Hence we have proven the following heuristic result.
Theorem 4.2. Let $T_n$, $n \ge 3$, be the trace zero subgroup of an elliptic curve. Then there exists a probabilistic algorithm that computes discrete logarithms in $T_n$ in the heuristic time obtained by adding the costs of Sections 4.1 to 4.5, where $n$ is constant and $q$ tends to infinity. The constant in the $\tilde O$ does not depend on $q$ or $n$.
The heuristic nature of Theorem 4.2 is due to the following heuristic assumptions, which are standard assumptions in this context, see e.g. [Gau09]. First of all, we assume that (after a randomization of coordinates) there is a choice of hyperplanes which, upon intersection with $V_n$, produce an absolutely irreducible smooth curve in $V_n$, whose $\mathbb{F}_q$-rational points define a factor base of cardinality about $q$ (see Remark 3.2), and so that the sums of $n-1$ factor base points produce about $q^{n-1}/(n-1)!$ different elements of $V_n(\mathbb{F}_q)$. Secondly, we assume that the systems to be solved are either empty or zero-dimensional, and semi-regular. Finally, we assume that (after a randomization of coordinates) $T_n$ is cyclic, as explained in Remark 3.1.
If we allow the constant in the $\tilde O$ to depend on $n$ but not on $q$, Theorem 4.2 gives the heuristic complexity of $\tilde O(q^{2-2/(n-1)})$ from [Gau09]. Our analysis makes the exponential dependency on $n$ explicit. The exponential dependency of the complexity on $n$ was already pointed out by Gaudry and is due to the cost of the Gröbner basis computation. Notice that one cannot hope to get subexponential complexity in $n$ for generic systems, due to the complexity bound for F5, which is exponential in $n$ in our situation.

5. Explicit equations and experiments
We now study the systems of polynomial equations that describe the relations and the overall behavior of our algorithm for $n = 3, 5$. All computations were done with Magma version 2.19.3 [BCP97] on one core of an Intel Xeon X7550 Processor (2.00 GHz) on a Fujitsu Primergy RX900S1. Our implementation is only meant to be a proof of concept. It is a straightforward implementation of the algorithm described in Section 3, and we use the built-in Magma routines wherever possible, e.g. for Gröbner basis computation, polynomial factorization, and linear algebra. Our timings are only meant as an indication, and they could be improved significantly by a special-purpose implementation, using current state-of-the-art methods such as [BBD+14], and by choosing convenient parameters, such as finite fields where particularly efficient arithmetic is possible. We concentrate mostly on the computation of the equations of the trace zero subgroup, the factor base, and the relation generation. In particular, we did not implement any filtering (except for not allowing duplicate relations), we did not implement the double large prime variation, and our implementation is not parallelized.

5.1. Explicit equations for $n = 3$. When $n = 3$, the trace zero variety has dimension 2. Therefore, the index calculus attack on $T_3$ is not more efficient than generic (square root) attacks on $T_3$. Since $n = 3$ is the case where all equations are small enough to be written down explicitly, we present them nevertheless, together with some experimental data that allows us to make predictions on the feasibility of this attack for different values of $q$.
For simplicity, we assume that $3 \mid q - 1$ and write $\mathbb{F}_{q^3} = \mathbb{F}_q[\zeta]/(\zeta^3 - \mu)$ as a Kummer extension of $\mathbb{F}_q$ with basis $1, \zeta, \zeta^2$. For cases where this is not possible, one may use a normal basis, which gives similar equations. We also assume that $\mathbb{F}_q$ does not have characteristic 2 or 3 and that $E$ is given by an equation in short Weierstraß form $E : y^2 = x^3 + Ax + B$.
Our approach also works when F q has characteristic 2 or 3, but in this case the definition of the Semaev polynomial and all equations given below must be adjusted (see Remark 2.6).
The factor base consists of the points of $T_3$ with $x$-coordinate $(0, X_1, X_2)$, i.e. $X = X_1\zeta + X_2\zeta^2$, whose coordinates satisfy the equation (8) obtained from (2) by setting $x_0 = 0$. If $A = 0$, then (8) is equivalent to $X_1 X_2 = 0$, and it is particularly easy to enumerate the factor base: One simply checks which $x$-coordinates $(0, X_1, 0)$ and $(0, 0, X_2)$, for $X_1, X_2 \in \mathbb{F}_q$, give points in $T_3$. If, on the other hand, $A \neq 0$, then every solution of (8) satisfies $X_1 \neq 0$, and moreover (8) is equivalent to an equation (9) that expresses $X_2$ in terms of $X_1$. In this case, it is also fairly easy to enumerate the factor base: For every $X_1 \in \mathbb{F}_q^*$, one computes $X_2$ according to (9) and checks whether this yields a point of $T_3$.

Now we need to find relations of the form $R = P_0 + P_1$, where $R$ with $x$-coordinate $U = U_0 + U_1\zeta + U_2\zeta^2$ is given and $P_0, P_1$ are in $\mathcal{F}$. We denote by $x_{P_0} = x_{01}\zeta + x_{02}\zeta^2$ the indeterminates representing the $x$-coordinate of $P_0$ and by $x_{P_1} = x_{11}\zeta + x_{12}\zeta^2$ those representing the $x$-coordinate of $P_1$. Then we have to solve $f_3(x_{P_0}, x_{P_1}, U) = 0$ or equivalently, its Weil restriction. Assuming that $A \neq 0$, which is the general case, (9) expresses $x_{02}$ in terms of $x_{01}$ and $x_{12}$ in terms of $x_{11}$. Plugging this into the above system and multiplying the first two equations by $27\mu x_{01}^2 x_{11}^2$ and the third equation by $81\mu^2 x_{01}^2 x_{11}^2$ allows us to eliminate the two indeterminates $x_{02}$ and $x_{12}$ from the system that describes a relation. We obtain a system (10) which only involves the two indeterminates $x_{01}, x_{11}$. All equations have degree 4 in both $x_{01}$ and $x_{11}$. The first and third equations have total degree 7, and the second equation has total degree 8. We have computed that the system (10) has regularity 14 for almost all points $R$ (and regularity 12 or 13 for some special choices of $R$). This means that the highest degree of all polynomials appearing during the Gröbner basis computation is at most 14. This moderate number suggests that the Gröbner basis computation is not very costly, and our experiments (see below) show that this is indeed true. For a given $x$-coordinate $U$ of a point $R \in T_3$, the $\mathbb{F}_q$-solutions $(X_{01}, X_{11})$ of the above system with $X_{01}, X_{11} \neq 0$ give candidates for $x$-coordinates of the points $P_0, P_1$ in the relation.
We get X 01 = 1770, X 11 = 1515, and from these we compute X 02 = 338, X 12 = 3029, which gives a relation P 0 + P 1 = R for some choice of y-coordinates. After collecting 4002 more such relations and solving the linear system, we obtain log P Q = 419.
Finally, we present implementation results for fields of different size in Table 1. For primes q of 10, 12, 14, 16, 18, 20, 30, 40, 50, 60, 70, and 80 bits, we chose the smallest possible value µ, and we chose curves E, given by the coefficients A, B, that yield cyclic trace zero subgroups T 3 of prime order. Where we were able to compute it, we list the exact size of the factor base. In all cases, it is close to q − q 1/2 . We also list the number of points R we had to try in order to find |F | + 1 distinct relations.
Times are given in seconds, and numbers in normal font stand for computations that we were able to perform, while numbers in bold represent expected times, extrapolated from timings we were able to obtain. For example, when we are able to compute one relation, this allows us to predict the time it would take to collect q relations (experimentally this requires solving about 2q polynomial systems). Where we were not able to carry out a computation or make a prediction, we write "-".
For all field sizes, we were able to solve the system at least a few times. For comparison, we give the time taken to compute a lexicographic Gröbner basis of the straightforward system consisting of 5 equations in 4 indeterminates ("large system"), as well as the time taken to compute a lexicographic Gröbner basis of system (10) consisting of 3 equations in 2 indeterminates ("small system"). This shows that this little trick to simplify the system saves a considerable amount of time in practice. Therefore, in the following, we work with the small system. Next we list in the table the average time taken to solve the small system once. This includes computing the lexicographic Gröbner basis, factoring a univariate polynomial (of degree 6 in our experiments), which gives the value(s) of one indeterminate, and computing the corresponding value(s) of the other indeterminate. For the Gröbner basis computation, we use Magma's GroebnerBasis(), which computes a degree reverse lexicographic Gröbner basis using Faugère's F4 algorithm [Fau99] and subsequently a lexicographic Gröbner basis using the FGLM algorithm [FGLM93].
Finally, we give the actual or extrapolated times for the full execution of the different steps of our algorithm. First we give the time to enumerate the factor base, then the time to collect |F | + 1 relations, and then the time to solve the linear system, using the sparse linear algebra routine ModularSolution(Lanczos:=true) of Magma, which is an implementation of Lanczos' algorithm. We also give the total time to compute one discrete logarithm with our algorithm.
We see that the largest trace zero subgroup where we can compute a full discrete logarithm with our prototype implementation has 36-bit size. The attack takes approximately 15 minutes. For the 40-bit trace zero subgroup, we can compute sufficiently many relations in about 47 minutes, but we are not able to solve the linear system of size about 2 20 × 2 20 in Magma. A specialized implementation presented in [BBD + 14, Jel13, Jel14] solves a linear system of size about 2 22 × 2 22 in less than 5 days using a sophisticated implementation of Lanczos' algorithm, running on a high performance computer. This means that our attack is certainly feasible for a 40-bit trace zero subgroup. However, we can do much better by rebalancing the cost of relation collection and linear algebra.
Let us consider e.g. the group T 3 of 60 bits, with q ≈ 2 30 , as given in Table 1. We rebalance the complexity with a relatively straightforward approach. Using a factor base of q r = 2 30r elements, where 0 < r < 1, the probability of finding a relation becomes q 2r−2 /2. Hence in order to find q r relations, we need to solve 2q 2−r = 2 61−30r systems. Since we know that solving a linear system of size 2 22 × 2 22 is possible, we set q r = 2 22 and get r = 0.73. This means that we would have to collect 2 39 relations, which would take 2 39.8 seconds or about 30 years. Assuming that solving a linear system of size 2 23 × 2 23 is possible, we would need about 15 years to collect relations, etc. We stress that these predictions correspond to the time required by our simple implementation. With an optimized and parallel implementation of the relation collection step (notice that the relation search can trivially be parallelized), it would become faster by a considerable factor. Hence we conclude that with an optimized implementation, computing a discrete logarithm in a 60-bit trace zero subgroup with this index calculus algorithm is feasible.
5.2. Explicit equations for n = 5. We proceed similarly for n = 5, but we do not write down the equations in this case because they are too large. We assume that 5 | q − 1 and write F q 5 = F q (ζ)/(ζ 5 − µ). Then 1, ζ, ζ 2 , ζ 3 , ζ 4 is a basis of F q 5 |F q , which we use for Weil restriction.
The fifth Semaev polynomial f 5 has total degree 32. The same is true for f̃ 5 (x 0 , . . . , x 4 ), which we use as an equation for T 5 . The factor base is and all its elements satisfy the equation It has total degree 32 and degree 30 in each of x 3 and x 4 . Although this polynomial does not have such a simple shape as the corresponding one for n = 3, it is still easy to enumerate the factor base: For every X 3 ∈ F q , solve f̃ 5 (0, 0, 0, X 3 , x 4 ) = 0 for x 4 in F q .
Following an idea of Joux and Vitse [JV12] (see Remark 3.3), we look for relations of the form where P 0 , P 1 , P 2 are elements of the factor base. We obtain a system of 8 equations in 6 indeterminates: The first 5 equations are the Weil restriction of f 4 (x P0 , x P1 , x P2 , U ) and correspond to (12). They have total degree 12 and degree 4 in each indeterminate. The last 3 equations correspond to the condition that the points belong to the factor base and are of the form (11). For a given U , we solve this system in order to obtain possible relations. However, the system is too large to be solved with Magma. Even over the relatively small field F 1021 , our computation did not finish after several weeks of computation and using more than 300 GB of memory. Hence we use a hybrid approach along the lines of [YCC04,BFP08]. This allows us to find some relations, but it is not fast enough for an attack of realistic cryptographic size. Nevertheless, we give some experimental results, timings, and extrapolations. The hybrid method is often used where a direct Gröbner basis computation is too costly, since it is a trade-off between exhaustive search and Gröbner basis techniques. The main idea is to choose fixed values for a small number of variables and to solve the system in the remaining indeterminates. In order to find all solutions of the system, all choices for the fixed variables have to be tried. Therefore, this requires computing many Gröbner bases of smaller systems instead of computing one Gröbner basis of a large system.
In our case, it is enough to choose one fixed value in order to solve the system readily. We fix x 03 = X 03 ∈ F q and use the factor base equation f̃ 5 (0, 0, 0, X 03 , x 04 ) = 0 to determine possible values of x 04 . Although this equation has degree 30 in x 04 , there are usually only very few solutions, most frequently 1, 2, or 3. In every case where x 04 = X 04 gives a point in the factor base, we plug x 03 = X 03 and x 04 = X 04 into the system to obtain a new system of 7 equations in the 4 indeterminates x 13 , x 14 , x 23 , x 24 . The first five equations each have total degree 8 and degree 4 in every indeterminate. By trying all X 03 ∈ F q , we find out whether R decomposes over the factor base.
We give some timings and extrapolations in Table 2. As before, numbers in normal font are times we measured, and numbers in bold are predictions. After giving the parameters of the fields and curves we used, we indicate the number of points R which we tried to decompose (we expect 6q), the total number of polynomial systems to be solved for this (we expect 6q 2 ), the time for the solution of one system (this is equal to the time for computing a Gröbner basis, since the rest of the computation to solve the system is negligible), the time to enumerate the factor base, the time to collect about q relations, the time for the linear algebra step, and the time for the total attack. The numbers show that we are able to compute a discrete logarithm in the 27-bit group T 5 in about 2 days and that a discrete logarithm in the 32-bit, 36-bit, and 40-bit groups T 5 can be computed in about 10, 44, and 165 days, respectively. Clearly, this approach is far from feasible for any group of cryptographic size.
We see that it is very costly to find a relation with this approach, for two reasons. Firstly, we are searching for relations that involve only 3 points of the factor base. While the probability that a point decomposes into a sum of 4 points of the factor base is 1/4! = 1/24, the probability that it decomposes into a sum of 3 points of the factor base is 1/(3!q) = 1/(6q) (see Section 4). This means that we expect to have to try about 6q points R in order to find one that decomposes. Notice that we can still hope to find enough relations, even though the probability of finding a relation has decreased by a factor q (Joux and Vitse [JV12] have shown that such an approach is indeed advantageous in certain situations): Assuming that most distinct unordered 3-tuples of factor base elements sum to distinct points of T 5 , this means that about q 3 /6 points R ∈ T 5 decompose into a sum of 3 factor base elements. This number is much larger than q. Therefore, it is a realistic assumption that we find about q relations.
Secondly, every time we wish to check whether a given point R decomposes into a sum of 3 factor base points, we do not have to solve one system, but O(q) systems, namely a small number of systems for every X 03 ∈ F q . In practice, not all X 03 yield valid X 04 , therefore the number of systems to be solved is actually smaller.

Comparison with other attacks and discussion
We now compare the index calculus attack on the DLP in T n with other known attacks.
6.1. Pollard-Rho. Assuming that T n is cyclic of prime order, the Pollard-Rho Algorithm performs O(q (n−1)/2 ) steps, and each step consists essentially of a point addition and hence has complexity Õ(1). Comparing this to the complexity of the index calculus algorithm in q, which is O(q 2−2/(n−1) ), we see that the index calculus algorithm has smaller complexity for n ≥ 5. More precisely, when n = 3 then Pollard-Rho and index calculus have the same complexity, when n = 5 the advantage of the index calculus attack comes only from the large prime variation (because without the large prime variation, index calculus has complexity Õ(q 2 )), and when n > 5, the index calculus method always has lower complexity, independently of the large prime trick. The larger n, the larger the advantage of the index calculus algorithm over Pollard-Rho in this analysis.
However, the Pollard-Rho Algorithm has to perform only an elliptic curve point addition in each step, while the index calculus algorithm has to compute a Gröbner basis, which is much more expensive. Even in the case n = 3, where the system is much more manageable than for larger n, we can solve less than a thousand systems per second (cf. Table 1), whereas elliptic curve point addition can be performed at a rate of 25000 to 150000 per second (depending on the size of the field; we measured this by adding random points of T 3 in Magma, an optimized implementation can achieve much better values). For larger values of n, the difference becomes much more extreme, since the cost of elliptic curve point addition increases only at the same rate as that of finite field arithmetic in F q n , whereas the cost of the Gröbner basis computation increases considerably. In fact the degree of the equations grows exponentially and the number of equations and variables grows linearly in n. This is reflected in the large complexity in n of the index calculus algorithm (see Theorem 4.2).
We conclude that in practice index calculus can be more efficient than Pollard-Rho only for moderate values of n > 3 and very large values of q. We do not know the precise crossover point.
Notice also that the variant of the index calculus algorithm for T 5 that uses the trick of Joux and Vitse and the hybrid approach has complexity Õ(q 3 ) in q, therefore it is not better than the Pollard-Rho Algorithm for n = 5. It would be better only for n > 5.
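The cost bookkeeping used in Section 5.1 (rebalancing the factor base), the decomposition probabilities of Section 5.2, and the exponent comparison above, collected into one added Python sketch. This is not the paper's Magma implementation; it only encodes the counting stated in the text (factor base of size q^r, |T n| ≈ q^(n−1), relations of m factor base points, one or q polynomial systems per tried point R), and it generalizes that counting to arbitrary n, m and r.

```python
"""Cost bookkeeping for the index calculus attack on the trace zero variety T_n.

Added example (not the paper's Magma code).  It only encodes the counting
stated in the text: factor base of size q^r, |T_n| ~ q^(n-1), a relation
uses m factor base points, and one polynomial system per tried point R
(or about q systems per point for the hybrid approach of Section 5.2)."""
from math import factorial, log2


def log2_decomposition_probability(n, m, r, log2_q):
    """log2 of the heuristic probability that a random R in T_n is a sum of m
    factor base points.  Unordered m-tuples: q^(m r) / m!; target group size:
    q^(n-1).  n=3, m=2 gives q^(2r-2)/2 (Section 5.1); n=5, m=4, r=1 gives
    1/4!; n=5, m=3, r=1 gives 1/(3! q)."""
    return (m * r - (n - 1)) * log2_q - log2(factorial(m))


def rebalance(n, log2_q, log2_max_matrix, m=0, log2_systems_per_point=0.0):
    """Shrink the factor base to q^r so that the sparse linear system has
    about 2^log2_max_matrix rows and columns.  Returns (r, log2 of the number
    of relations needed, log2 of the number of polynomial systems to solve).
    m defaults to n-1 (relations of n-1 points); log2_systems_per_point is
    0 for the direct approach and log2(q) for the hybrid one."""
    m = m or n - 1
    r = log2_max_matrix / log2_q
    log2_relations = log2_max_matrix              # we need about |F| relations
    log2_points = log2_relations - log2_decomposition_probability(n, m, r, log2_q)
    return r, log2_relations, log2_points + log2_systems_per_point


def exponent_index_calculus(n, large_primes=True):
    """e such that the attack on T_n costs O~(q^e): 2 - 2/(n-1) with the
    double large prime variation, 2 without it (q x q sparse linear algebra)."""
    return 2 - 2 / (n - 1) if large_primes else 2.0


def exponent_pollard_rho(n):
    """Pollard rho in a prime order group of size ~ q^(n-1): O(q^((n-1)/2))."""
    return (n - 1) / 2


def asymptotically_faster(n, large_primes=True):
    """Which attack wins when only the exponent of q is compared."""
    ic, rho = exponent_index_calculus(n, large_primes), exponent_pollard_rho(n)
    return "index calculus" if ic < rho else "pollard rho" if ic > rho else "tie"


if __name__ == "__main__":
    # Section 5.1: q ~ 2^30, linear algebra feasible up to 2^22 x 2^22.
    r, rel, sys_ = rebalance(3, 30, 22)
    print(f"n=3, q=2^30: r={r:.2f}, 2^{rel:.0f} relations, 2^{sys_:.0f} systems")
    # Hybrid T_5 variant (3-point relations, q systems per point): q^3 behaviour.
    print("hybrid T_5 systems: 2^%.1f for q=2^10" % rebalance(5, 10, 10, 3, 10)[2])
    for n in (3, 5, 7):
        print(n, exponent_index_calculus(n), exponent_pollard_rho(n),
              asymptotically_faster(n), asymptotically_faster(n, False))
```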
6.2. Index calculus on the whole curve. The index calculus algorithm of Gaudry may also be used to compute discrete logarithms in E(F q n ) by working in the n-dimensional Weil restriction of E with respect to F q n |F q . This is one of the original applications suggested by Gaudry in [Gau09]. From a complexity theoretic point of view, it does not make sense to attack the DLP in E(F q n ) when one wants to solve a DLP in T n , since the complexity of Gaudry's algorithm in q depends on the dimension of the variety and therefore has complexity Õ(q 2−2/n ) in E(F q n ) and complexity Õ(q 2−2/(n−1) ) in T n .
From a practical point of view, however, the systems one gets when performing index calculus on the whole curve may be more manageable, since they consist only of the Weil restriction of the Semaev polynomial, whereas in our approach, the system contains also the equations of the factor base. Moreover, when working in the whole curve, the Semaev polynomial may easily be symmetrized, which gives a system of smaller degree and with fewer solutions, whereas it is not obvious how to do this in our case. Also, when working in the whole curve, factor base elements may be represented by one F q -coordinate only, where we need two for the trace zero variety. Therefore, our system has twice as many indeterminates. On the other hand, the advantage of working in the trace zero variety is that relations contain n − 1 factor base elements, and therefore one uses f n to describe relations, whereas when working on the whole curve, relations contain n factor base elements, thus one has to use f n+1 . Summarizing, when working on the whole curve, one has a system of n equations in n indeterminates of total degree 2 n−1 . In contrast, when working in the trace zero variety one has a system of 2n − 1 equations in 2n − 2 indeterminates of total degree (n − 1)2 n−2 .
Such subtleties are not evident in the original complexity analysis of Gaudry, which is only in q (and n is taken to be constant) and where the Gröbner basis computation thus has constant complexity. When performing an analysis similar to the one of Section 4 for Gaudry's algorithm on the whole curve, one obtains $\tilde{O}\Big(\binom{n2^{n-1}+1}{n}^{\omega}\, n!\, q^{2-2/n}\Big)$, whose dependence on n is smaller. Therefore, which attack performs better depends on the relation between q and n.
In both cases the feasibility of the Gröbner basis computation plays an important role in practice.
6.3. Cover attacks. Cover attacks, also referred to as transfer attacks, were first proposed by Frey [Fre99] and further studied by many authors, including Galbraith and Smart [GS99], Gaudry, Hess, and Smart [GHS02], and Diem [Die03]. The aim of such attacks is to transfer the DLP from the algebraic variety one is considering to the Picard group of a curve of larger (but still rather low) genus, where the DLP is then solved using index calculus methods. There exist different constructions, each of them specific to a certain type of curve or variety, and there are constructions for cover attacks on E(F q n ) and on T n directly.
For example, combining the results of [Die03] and [DK13], it is sometimes possible to map the DLP to the Picard group of a genus 5 curve (which is usually not hyperelliptic), where it can be solved in Õ(q 4/3 ). This is better than Gaudry's index calculus in E(F q 5 ), which has complexity Õ(q 8/5 ), and the index calculus attack on T 5 , which has complexity Õ(q 3/2 ). However, the index calculus attack on T 5 applies to all curves, whereas only a very small proportion of curves is affected by the cover attack.
Diem and Scholten [DS,DS03] propose a cover attack for the trace zero variety directly. It works best for trace zero varieties of genus 2 curves, but it also applies to some trace zero varieties of elliptic curves. Namely, when g = 1 and n = 5, the DLP may sometimes be transferred to a curve of genus 4, where it can be solved in Õ(q 4/3 ). Again, this is better than the complexity of the index calculus attack, but it only affects a small number of curves (in fact, in [DS03] the authors find only one curve vulnerable to this attack). The same is true for g = 1 and n = 7, where the DLP may sometimes be mapped to a curve of genus 8 (in this case the authors cannot find any examples, although they can prove that vulnerable curves exist).

Conclusions on the hardness of the DLP
We conclude that applying Gaudry's index calculus algorithm for abelian varieties to the trace zero variety, as presented in this paper, yields an attack in T n that has smaller complexity than generic algorithms whenever n ≥ 5 when the complexity is measured asymptotically in q. Although there sometimes exist cover attacks with even better complexity, the index calculus attack can be applied to trace zero varieties of all elliptic curves, while cover attacks apply only to a small proportion of curves.
Since the DLP in T n has the same complexity as the DLP in E(F q n ), we get that the DLP in E(F q n ) may be attacked in complexity Õ(q 2−2/(n−1) ) when E is defined over F q . This is better than all known direct attacks on the DLP in E(F q n ) for n ≥ 5.
For general n, we have seen that the complexity of our index calculus attack on T n depends exponentially on n and that it becomes infeasible for rather small values of n. This is due to the fact that the algorithm has to solve many polynomial systems, whose size (i.e. number of equations, number of indeterminates, degrees of the equations) depends on n, and that a Gröbner basis computation quickly becomes unmanageable. In fact, already for n = 5 we cannot solve the system with standard Gröbner basis software. By using some tricks (namely, considering relations that involve one point less, and using a hybrid approach), we were nevertheless able to produce relations. However, this does not yield a practical attack, since it multiplies the complexity of the relation search by a factor q 2 .
Specialized Gröbner basis techniques in the spirit of [JV11, FPPR12, PQ12] would be needed in order to efficiently solve the systems that arise in this index calculus attack, and more research needs to be done on this topic in order to make our index calculus attack feasible in practice.