An Elliptic Curve Trapdoor System
- First Online:
- Cite this article as:
- Teske, E. J Cryptology (2006) 19: 115. doi:10.1007/s00145-004-0328-3
- 181 Downloads
We propose an elliptic curve trapdoor system which is of interest in key escrow applications. In this system, a pair (Es, Epb) of elliptic curves over F2161 is constructed with the following properties: (i) the Gaudry-Hess-Smart Weil descent attack reduces the elliptic curve discrete logarithm problem (ECDLP) in Es(F2161) to a hyperelliptic curve DLP in the Jacobian of a curve of genus 7 or 8, which is computationally feasible, but by far not trivial; (ii) Es is isogenous to Es; (iii) the best attack on the ECDLP in Es(F2161) is the parallelized Pollard rho method. The curve Es is used just as usual in elliptic curve cryptosystems. The curve Es is submitted to a trusted authority for the purpose of key escrow. The crucial difference from other key escrow scenarios is that the trusted authority has to invest a considerable amount of computation to compromise a user's private key, which makes applications such as widespread wire-tapping impossible.