# Constructive and destructive facets of Weil descent on elliptic curves

## Abstract

In this paper we look in detail at the curves which arise in the method of Galbraith and Smart for producing curves in the Weil restriction of an elliptic curve over a finite field of characteristic 2 of composite degree. We explain how this method can be used to construct hyperelliptic cryptosystems which could be as secure as cryptosystems based on the original elliptic curve. On the other hand, we show that the same technique may provide a way of attacking the original elliptic curve cryptosystem using recent advances in the study of the discrete logarithm problem on hyperelliptic curves.

We examine the resulting higher genus curves in some detail and propose an additional check on elliptic curve systems defined over fields of characteristic 2 so as to make them immune from the methods in this paper.

## Key words

Function fields, Divisor class group, Cryptography, Elliptic curves
