Cover Attacks A report for the AREHCC project

In this report, we give an overview of a certain class of attacks on elliptic and hyperelliptic curve cryptography. The attacks we will discuss are only applicable if one considers discrete logarithms in class groups of elliptic or hyperelliptic curves over finite non-prime fields. Let us state the general idea of the class of attacks we will consider: Let H/K be a elliptic or hyperelliptic curve (or even a more general curve) defined over a finite non-prime field K. Assume that the DLP in the divisor class group Cl(H/K) = Jac(H)(K) of H/K (of degree 0) is used as a cryptographic primitive. (Note that if E is an elliptic curve, one has a canonical isomorphism E(K) ≃ Cl(E/K), thus we consider in particular the DLP in elliptic curves.) The assumption that the DLP is used as a cryptographic primitive means in particular that Cl(H/K) contains a large subgroup of prime order. We will use this fact in the following. If the genus of H would be ≥ 4 (and maybe ≥ 3), index calculus attacks on Cl(H/K) would be more efficient than “generic attacks” like Pollard ρ. If however the genus of H is 1 or 2, generic attacks are more efficient than index calculus attacks; c.f. [4], [7], [17]. The idea is now to transfer the DLP in Cl(H/K) in a DLP in the class group of a curve of higher genus over a smaller field. Let us assume that K is an extension of another finite field k. (The field k need not be a prime field.) Let us fix explicitly that char(k) = p, k = Fq and K = Fqn , i.e. [K : k] = n. Assume that we have an explicitely given curve C/k defined over k and an explicitely given cover c : C −→ H defined over K. (A non-constant morphism between two curves is called a cover.) Then we have the conorm or pull-back map c : Cl(H/K) −→ Cl(C/K), and we also have the norm map N : Cl(C/K) −→ Cl(C/k). By composing