Journal of Cryptology

, Volume 19, Issue 1, pp 115-133

First online:

An Elliptic Curve Trapdoor System

  • Edlyn TeskeAffiliated withDepartment of Combinatorics and Optimization, University of Waterloo, Waterloo, Ontario N2L 3G1 Email author 

Rent the article at a discount

Rent now

* Final gross prices may vary according to local VAT.

Get Access


We propose an elliptic curve trapdoor system which is of interest in key escrow applications. In this system, a pair (Es, Epb) of elliptic curves over F2 161 is constructed with the following properties: (i) the Gaudry-Hess-Smart Weil descent attack reduces the elliptic curve discrete logarithm problem (ECDLP) in Es(F2 161) to a hyperelliptic curve DLP in the Jacobian of a curve of genus 7 or 8, which is computationally feasible, but by far not trivial; (ii) Es is isogenous to Es; (iii) the best attack on the ECDLP in Es(F2 161) is the parallelized Pollard rho method. The curve Es is used just as usual in elliptic curve cryptosystems. The curve Es is submitted to a trusted authority for the purpose of key escrow. The crucial difference from other key escrow scenarios is that the trusted authority has to invest a considerable amount of computation to compromise a user's private key, which makes applications such as widespread wire-tapping impossible.

Elliptic curve cryptography Weil descent Isogenies Trapdoor functions Key escrow