Journal of Cryptology

, Volume 19, Issue 1, pp 115–133

An Elliptic Curve Trapdoor System


DOI: 10.1007/s00145-004-0328-3

Cite this article as:
Teske, E. J Cryptology (2006) 19: 115. doi:10.1007/s00145-004-0328-3


We propose an elliptic curve trapdoor system which is of interest in key escrow applications. In this system, a pair (Es, Epb) of elliptic curves over F2161 is constructed with the following properties: (i) the Gaudry-Hess-Smart Weil descent attack reduces the elliptic curve discrete logarithm problem (ECDLP) in Es(F2161) to a hyperelliptic curve DLP in the Jacobian of a curve of genus 7 or 8, which is computationally feasible, but by far not trivial; (ii) Es is isogenous to Es; (iii) the best attack on the ECDLP in Es(F2161) is the parallelized Pollard rho method. The curve Es is used just as usual in elliptic curve cryptosystems. The curve Es is submitted to a trusted authority for the purpose of key escrow. The crucial difference from other key escrow scenarios is that the trusted authority has to invest a considerable amount of computation to compromise a user's private key, which makes applications such as widespread wire-tapping impossible.

Elliptic curve cryptography Weil descent Isogenies Trapdoor functions Key escrow 

Copyright information

© Springer 2005

Authors and Affiliations

  1. 1.Department of Combinatorics and Optimization, University of Waterloo, Waterloo, Ontario N2L 3G1Canada