Elliptic and Hyperelliptic Curves: A Practical Security Analysis
Motivated by the advantages of using elliptic curves for discrete logarithm-based public-key cryptography, there is an active research area investigating the potential of using hyperelliptic curves of genus 2. For both types of curves, the best known algorithms to solve the discrete logarithm problem are generic attacks such as Pollard rho, for which it is well-known that the algorithm can be sped up when the target curve comes equipped with an efficiently computable automorphism. In this paper we incorporate all of the known optimizations (including those relating to the automorphism group) in order to perform a systematic security assessment of two elliptic curves and two hyperelliptic curves of genus 2. We use our software framework to give concrete estimates on the number of core years required to solve the discrete logarithm problem on four curves that target the 128-bit security level: on the standardized NIST CurveP-256, on a popular curve from the Barreto-Naehrig family, and on their respective analogues in genus 2.
Unable to display preview. Download preview PDF.
- 2.Bailey, D.V., Batina, L., Bernstein, D.J., Birkner, P., Bos, J.W., Chen, H.-C., Cheng, C.-M., van Damme, G., de Meulenaer, G., Perez, L.J.D., Fan, J., Güneysu, T., Gurkaynak, F., Kleinjung, T., Lange, T., Mentens, N., Niederhagen, R., Paar, C., Regazzoni, F., Schwabe, P., Uhsadel, L., Herrewege, A.V., Yang, B.-Y.: Breaking ECC2K-130. Cryptology ePrint Archive, Report 2009/541 (2009), http://eprint.iacr.org/2009/541
- 5.Bernstein, D.J.: Elliptic vs. Hyperelliptic, part I. Talk at the ECC (September 2006), slides at http://cr.yp.to/talks/2006.09.20/slides.pdf
- 12.Certicom. Press release: Certicom announces elliptic curve cryptosystem (ECC) challenge winner (2002), http://www.certicom.com/index.php/2002-press-releases/38-2002-press-releases/340-notre-dame-mathematician-solves-eccp-109-encryption-key-problem-issued-in-1997
- 13.Certicom Research. Standards for efficient cryptography 2: Recommended elliptic curve domain parameters. Standard SEC2, Certicom (2000)Google Scholar
- 16.Galbraith, S.D.: Mathematics of public key cryptography. Cambridge University Press (2012)Google Scholar
- 22.Harley, R.: Elliptic curve discrete logarithms project, http://pauillac.inria.fr/~harley/
- 24.Hisil, H.: Elliptic curves, group law, and efficient computation. PhD thesis (2010)Google Scholar
- 27.Lange, T.: Elliptic vs. Hyperelliptic, part II. Talk at the ECC (September 2006), slides at http://www.hyperelliptic.org/tanja/vortraege/ECC_06.ps
- 29.Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986)Google Scholar
- 32.Nakamoto, S.: Bitcoin: A peer-to-peer electronic cash system (2009), http://bitcoin.org/bitcoin.pdf
- 36.U.S. Department of Commerce/National Institute of Standards and Technology. Digital Signature Standard (DSS). FIPS-186-4 (2013), http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf