Is it possible to do elliptic curve cryptography over $\mathbb{Q}$ instead of a finite field?

Whenever I read about elliptic curve cryptography (ECC), the writer always works over a finite field. But as I understand it there is no group-theoretic reason not to use $\mathbb{Q}$ as the underlying field (you still get an abelian group, and lots of things about this group are still unknown).

Is there any reason why nobody does ECC over $\mathbb{Q}$? Is there some known attack that makes it insecure? Is it just too inefficient?

There are 1 best solutions below

You are right. The computation is just too inefficient. The best known attack on ECDLP, the Pollard rho attack, would be useless against elliptic curves over the rationals.

Consider this: if you were to do the computations over a finite field of, say, 512 bits, you would only have to deal with 512-bit intermediate values along the way. Considering the same elliptic curve over the rationals and using the same operations (computing $[k]P$, say) would give us the same security (computing $[k]P$ over a finite field and computing $[k]P$ over the rationals then converting into the finite field equivalent is the same!).

Although I do agree that over the rationals, there are highly desirable qualities, such as an infinite abelian group, it is just too bothersome to be implemented.
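
The size comparison made in the answer can be checked directly. The following is an added example, not part of the original answer: it computes $[k]P$ on a constructed curve $y^2 = x^3 - 2$ with $P = (3, 5)$ both over $\mathbb{Q}$ and over $\mathbb{F}_p$, reports how many bits the rational coordinates need, and checks that reducing the rational result mod $p$ gives the finite-field result. The curve, the point and the 61-bit prime are assumptions chosen so the run finishes instantly.

```python
from fractions import Fraction

A = 0                               # curve y^2 = x^3 + A*x - 2 (constructed example)
P_Q = (Fraction(3), Fraction(5))    # 5^2 = 3^3 - 2; a point of infinite order
PRIME = 2**61 - 1                   # small stand-in for a cryptographic field size

def add(P, Q, p=None):
    """Chord-and-tangent addition. p=None: over Q; else over F_p. None = infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if p is None:
        div, red = (lambda n, d: n / d), (lambda v: v)
    else:
        div, red = (lambda n, d: n * pow(d % p, -1, p) % p), (lambda v: v % p)
    if x1 == x2:
        if red(y1 + y2) == 0:       # P + (-P) = infinity (also covers 2-torsion)
            return None
        lam = div(3 * x1 * x1 + A, 2 * y1)   # tangent slope
    else:
        lam = div(y2 - y1, x2 - x1)          # chord slope
    x3 = red(lam * lam - x1 - x2)
    return (x3, red(lam * (x1 - x3) - y1))

def mul(k, P, p=None):
    """Double-and-add computation of [k]P."""
    R = None
    while k:
        if k & 1:
            R = add(R, P, p)
        k >>= 1
        if k:
            P = add(P, P, p)
    return R

def reduce_mod(P, p):
    """Map a rational point to F_p; a denominator divisible by p maps to infinity."""
    if P is None or P[0].denominator % p == 0:
        return None
    return tuple(c.numerator * pow(c.denominator, -1, p) % p for c in P)

def bits(P):
    """Largest bit length among the numerators and denominators of a rational point."""
    return max(n.bit_length() for c in P for n in (c.numerator, c.denominator))

if __name__ == "__main__":
    for k in (1, 2, 4, 8, 16, 32):
        kP = mul(k, P_Q)
        same = reduce_mod(kP, PRIME) == mul(k, reduce_mod(P_Q, PRIME), PRIME)
        print(f"k={k:2d}  bits over Q: {bits(kP):5d}  bits over F_p: <= 61  agree: {same}")
```

The bit count over $\mathbb{Q}$ roughly quadruples each time $k$ doubles, so a scalar of cryptographic size would produce coordinates far too large to store, while the $\mathbb{F}_p$ coordinates never exceed the size of $p$.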