Notes on summation polynomials

Abstract

In these short notes, we will show the following. Let Fq be a finite field and let E/q be an elliptic curve. Let Sr be the rth summation/Semaev polynomial for E. Under an assumption, we show that it is NP-complete to check if Sr evaluates to zero on some input. Unconditionally, we prove a similar result for summation polynomials over singular curves. This suggests limitations in the usage of summation polynomials in for example algorithms to solve the elliptic curve discrete logarithm problem. Assume that q is a power of 2. We show that the Weil descent to F2 of S3 for ordinary curves in general has first fall degree 2, which is much lower than expected. The reason is the existence of a group morphism to F2 which gives a linear polynomial after Weil descent. We want to raise awareness of its existence and raise doubt on certain Groebner basis heuristics which claim that the first fall degree is close to the degree of regularity. Furthermore, this morphism can be used to speed up the relation generation to solve the elliptic curve discrete logarithm problem.