Cover attacks for elliptic curves with cofactor two

For cryptographic applications, in order to avoid a reduction of the discrete logarithm problem via the Chinese remainder theorem, one usually considers elliptic curves over finite fields whose order is a prime times a small so-called cofactor c. It is, however, possible to attack specific curves with this property via dedicated attacks. In particular, if an elliptic curve $$E/\mathbb{F}_{q^n}$$ is given, one might try to use the idea of cover attacks to reduce the problem to the corresponding problem in the Jacobian of a curve of genus $$g \ge n$$ over $$\mathbb{F}_q$$. In the given situation, the only attack so far which follows this idea is the GHS attack; this attack requires that the cofactor c is divisible by 4, as otherwise the genus of the resulting curve is too large. We present an algorithm for finding genus 3 hyperelliptic covers for the case $$c=2$$. The construction works in odd characteristic and the resulting cover map has degree 3. As an application, two explicit examples of elliptic curves vulnerable to the attack are given, whose orders are respectively 2 times a 149-bit prime and 2 times a 256-bit prime.
