Supersingular Curves in Cryptography

  • Steven D. Galbraith
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2248)


Frey and Rück gave a method to transform the discrete logarithm problem in the divisor class group of a curve over \( \mathbb{F}_q \) into a discrete logarithm problem in some finite field extension \( \mathbb{F}_{q^k} \). The discrete logarithm problem can therefore be solved using index calculus algorithms as long as k is small.

In the elliptic curve case it was shown by Menezes, Okamoto and Vanstone that for supersingular curves one has k ≤ 6. In this paper curves of higher genus are studied. Bounds on the possible values for k in the case of supersingular curves are given which imply that supersingular curves are weaker than the general case for cryptography. Ways to ensure that a curve is not supersingular are also discussed.
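The two parameter checks the abstract motivates, as an added example that is not code from the paper: the embedding degree k (the smallest k with r | q^k − 1, which is the extension degree the Frey–Rück/MOV transfer lands in) and, for toy-sized elliptic curves, a supersingularity test via the trace of Frobenius. The curves over F_11 and the bound of 20 on k are constructed illustrations, not values from the paper.

```python
# Added example (not from Galbraith's paper): the two parameter checks that the
# Frey-Rueck / MOV reduction motivates.  Toy curve parameters are constructed.

def embedding_degree(q, r, bound=100):
    """Smallest k >= 1 with r | q^k - 1: the degree of the extension F_{q^k} into
    which the DLP in an order-r subgroup transfers.  Returns None if no k <= bound
    works, which is where a curve intended for DLP-based cryptography should sit."""
    if r <= 1 or q % r == 0:
        raise ValueError("r must be a prime not dividing q")
    for k in range(1, bound + 1):
        if pow(q, k, r) == 1:
            return k
    return None

def point_count(p, a, b):
    """#E(F_p) for y^2 = x^3 + a*x + b (odd prime p), by brute force with Euler's
    criterion; only for toy-sized p."""
    if (4 * a**3 + 27 * b**2) % p == 0:
        raise ValueError("singular curve")
    total = 1  # the point at infinity
    for x in range(p):
        rhs = (x**3 + a * x + b) % p
        if rhs == 0:
            total += 1                        # one root, y = 0
        elif pow(rhs, (p - 1) // 2, p) == 1:
            total += 2                        # rhs is a nonzero square: two roots
    return total

def frobenius_trace(p, a, b):
    """t = p + 1 - #E(F_p)."""
    return p + 1 - point_count(p, a, b)

def is_supersingular(p, a, b):
    """E/F_p is supersingular iff p | t; for p >= 5 Hasse's bound forces t = 0."""
    return frobenius_trace(p, a, b) % p == 0

def mov_safe(q, r, min_k=20):
    """True when no k <= min_k embeds the order-r subgroup into F_{q^k}^*."""
    return embedding_degree(q, r, bound=min_k) is None

if __name__ == "__main__":
    # Constructed toy curves over F_11: y^2 = x^3 + x is supersingular (12 points,
    # t = 0) and its order-3 subgroup has k = 2, within the MOV bound k <= 6;
    # y^2 = x^3 + x + 1 is ordinary (14 points, t = -2).
    for a, b, r in [(1, 0, 3), (1, 1, 7)]:
        print(f"y^2 = x^3 + {a}x + {b}: #E = {point_count(11, a, b)}, "
              f"supersingular = {is_supersingular(11, a, b)}, "
              f"k for r = {r}: {embedding_degree(11, r)}")
```

For real-size parameters point counting needs a proper algorithm (the paper's references include Kedlaya's), but the embedding-degree check runs unchanged on cryptographic sizes because it only uses modular exponentiation.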

A constructive application of supersingular curves to cryptography is given, by generalising an identity-based cryptosystem due to Boneh and Franklin. The generalised scheme provides a significant reduction in bandwidth compared with the original scheme.




References

  1. R. Balasubramanian and N. Koblitz, The improbability that an elliptic curve has subexponential discrete log problem under the Menezes-Okamoto-Vanstone algorithm, J. Cryptology, 11, no. 2 (1998) 141–145.
  2. D. Boneh and M. Franklin, Identity-based encryption from the Weil pairing, in J. Kilian (ed.), Crypto 2001, Springer LNCS 2139 (2001) 213–229.
  3. J. Buhler and N. Koblitz, Lattice basis reduction, Jacobi sums and hyperelliptic cryptosystems, Bull. Aust. Math. Soc., 58, no. 1 (1998) 147–154.
  4. D. G. Cantor, Computing in the Jacobian of a hyperelliptic curve, Math. Comp., 48 (1987) 95–101.
  5. H. Cohen, A course in computational number theory, Springer GTM 138 (1993).
  6. I. Duursma, P. Gaudry and F. Morain, Speeding up the discrete log computation on curves with automorphisms, in K. Y. Lam et al. (eds.), Asiacrypt ’99, Springer LNCS 1716 (1999) 103–121.
  7. A. Enge, The extended Euclidean algorithm on polynomials and the computational efficiency of hyperelliptic cryptosystems, Designs, Codes and Cryptography, 23 (2001) 53–74.
  8. G. Frey and H.-G. Rück, A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves, Math. Comp., 62, no. 206 (1994) 865–874.
  9. G. Frey, M. Müller and H.-G. Rück, The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems, IEEE Trans. Inform. Theory, 45, no. 5 (1999) 1717–1719.
  10. S. D. Galbraith, S. Paulus and N. P. Smart, Arithmetic on superelliptic curves, to appear in Math. Comp.
  11. S. D. Galbraith, Supersingular curves in cryptography (full version), available from the author’s web pages.
  12. P. Gaudry, An algorithm for solving the discrete log problem on hyperelliptic curves, in B. Preneel (ed.), Eurocrypt 2000, Springer LNCS 1807 (2000) 19–34.
  13. R. Harley, Rump session talk, Eurocrypt 2001 (2001).
  14. A. Joux, A one round protocol for tripartite Diffie-Hellman, in W. Bosma (ed.), ANTS-IV, Springer LNCS 1838 (2000) 385–393.
  15. K. S. Kedlaya, Counting points on hyperelliptic curves using Monsky-Washnitzer cohomology, preprint (2001).
  16. N. Koblitz, Hyperelliptic cryptosystems, J. Cryptology, 1, no. 3 (1989) 139–150.
  17. N. Koblitz, A family of Jacobians suitable for discrete log cryptosystems, in S. Goldwasser (ed.), Crypto ’88, Springer LNCS 403 (1990) 94–99.
  18. N. Koblitz, An elliptic curve implementation of the finite field digital signature algorithm, in H. Krawczyk (ed.), Crypto ’98, Springer LNCS 1462 (1998) 327–337.
  19. S. Lang, Algebra, 3rd ed., Addison-Wesley (1993).
  20. K.-Z. Li and F. Oort, Moduli of supersingular abelian varieties, Springer LNM 1680 (1998).
  21. Yu. I. Manin, The theory of commutative formal groups over fields of finite characteristic, Russ. Math. Surv., 18, no. 6 (1963) 1–83.
  22. Yu. I. Manin, The Hasse-Witt matrix of an algebraic curve, Translations, II Ser., Am. Math. Soc., 45 (1965) 245–264.
  23. A. J. Menezes, T. Okamoto and S. A. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field, IEEE Trans. Inform. Theory, 39, no. 5 (1993) 1639–1646.
  24. F. Oort, Subvarieties of moduli spaces, Inv. Math., 24 (1970) 95–119.
  25. H.-G. Rück, Abelsche Varietäten niederer Dimension über endlichen Körpern, Habilitation thesis, University of Essen (1990).
  26. H.-G. Rück, On the discrete logarithm in the divisor class group of curves, Math. Comp., 68, no. 226 (1999) 805–806.
  27. Y. Sakai, K. Sakurai and H. Ishizuka, Secure hyperelliptic cryptosystems and their performance, in H. Imai et al. (eds.), PKC ’98, Springer LNCS 1431 (1998) 164–181.
  28. A. Shamir, Identity-based cryptosystems and signature schemes, in G. R. Blakley and D. Chaum (eds.), Crypto ’84, Springer LNCS 196 (1985) 47–53.
  29. J. H. Silverman, The arithmetic of elliptic curves, Springer GTM 106 (1986).
  30. N. Smart, On the performance of hyperelliptic cryptosystems, in J. Stern (ed.), Eurocrypt ’99, Springer LNCS 1592 (1999) 165–175.
  31. A. Stein and E. Teske, Explicit bounds and heuristics on class numbers in hyperelliptic function fields, to appear in Math. Comp.; University of Waterloo technical report CORR 99-26 (1999).
  32. H. Stichtenoth, Die Hasse-Witt-Invariante eines Kongruenzfunktionenkörpers, Arch. Math., 33, no. 4 (1980) 357–360.
  33. H. Stichtenoth, Algebraic function fields and codes, Springer Universitext (1993).
  34. H. Stichtenoth and C. Xing, On the structure of the divisor class group of a class of curves over finite fields, Arch. Math., 65 (1995) 141–150.
  35. J. Tate, Classes d’isogénie de variétés abéliennes sur un corps fini (d’après T. Honda), Sém. Bourbaki, Exp. 352, Springer LNM 179 (1971) 95–110.
  36. E. R. Verheul, Evidence that XTR is more secure than supersingular elliptic curve cryptosystems, in B. Pfitzmann (ed.), Eurocrypt 2001, Springer LNCS 2045 (2001) 195–210.

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Steven D. Galbraith, Mathematics Department, Royal Holloway University of London, Egham, Surrey, UK
