Hyperelliptic Curve Cryptography - Attacks Against The DLP

Attacks Against The DLP

All generic attacks on the discrete logarithm problem in finite abelian groups such as the Pohlig-Hellman algorithm and Pollard's rho method can be used to attack the DLP in the Jacobian of hyperelliptic curves. The Pohlig-Hellman attack reduces the difficulty of the DLP by looking at the order of the group we are working with. Suppose the group that is used has elements, where is the prime factorization of . Pohlig-Hellman reduces the DLP in to DLPs in subgroups of order for . So for the largest prime divisor of, the DLP in is just as hard to solve as the DLP in the subgroup of order . Therefore we would like to choose such that the largest prime divisor of is almost equal to itself. Requiring usually suffices.

The index calculus algorithm is another algorithm that can be used to solve DLP under some circumstances. For Jacobians of (hyper)elliptic curves there exists an index calculus attack on DLP. If the genus of the curve becomes too high, the attack will be more efficient than Pollard's rho. Today it is known that even a genus of cannot assure security. Hence we are left with elliptic curves and hyperelliptic curves of genus 2.

Another restriction on the hyperelliptic curves we can use comes from the Menezes-Okamoto-Vanstone-attack / Frey-Rück-attack. The first, often called MOV for short, was developed in 1993, the second came about in 1994. Consider a (hyper)elliptic curve over a finite field where is the power of a prime number. Suppose the Jacobian of the curve has elements and is the largest prime divisor of . For the smallest positive integer such that there exists a computable injective group homomorphism from the subgroup of of order to . If is small, we can solve DLP in by using the index calculus attack in . For arbitrary curves is very large (around the size of ); so even though the index calculus attack is quite fast for multiplicative groups of finite fields this attack is not a threat for most curves. The injective function used in this attack is a pairing and there are some applications in cryptography that make use of them. In such applications it is important to balance the hardness of the DLP in and ; depending on the security level values of between 6 and 12 are useful. The subgroup of is a torus. There exists some independent usage in torus based cryptography.

We also have a problem, if, the largest prime divisor of the order of the Jacobian, is equal to the characteristic of By a different injective map we could then consider the DLP in the additive group instead of DLP on the Jacobian. However, DLP in this additive group is trivial to solve, as can easily be seen. So also these curves, called anomalous curves, are not to be used in DLP.