Journal of Cryptology

, Volume 15, Issue 1, pp 19-46

First online:

Constructive and destructive facets of Weil descent on elliptic curves

  • P. GaudryAffiliated withLIX, École Polytechnique
  • , F. HessAffiliated withSchool of Mathematics and Statistics F07, University of Sydney
  • , N. P. SmartAffiliated withComputer Science Department, University of Bristol

Rent the article at a discount

Rent now

* Final gross prices may vary according to local VAT.

Get Access


In this paper we look in detail at the curves which arise in the method of Galbraith and Smart for producing curves in the Weil restriction of an elliptic curve over a finite field of characteristic 2 of composite degree. We explain how this method can be used to construct hyperelliptic cryptosystems which could be as secure as cryptosystems based on the original elliptic curve. On the other hand, we show that the same technique may provide a way of attacking the original elliptic curve cryptosystem using recent advances in the study of the discrete logarithm problem on hyperelliptic curves.

We examine the resulting higher genus curves in some detail and propose an additional check on elliptic curve systems defined over fields of characteristic 2 so as to make them immune from the methods in this paper.

Key words

Function fields Divisor class group Cryptography Elliptic curves