[curves] The genus 3 setting

Diego Aranha dfaranha at gmail.com
Wed Apr 16 07:47:33 PDT 2014


...


> It's the same deal with Weil descent attacks.  We know Weil descent
> works in principle in arbitrary characteristic, but most of the
> detailed examples and algorithms in the literature are
> characteristic-2 specific (going back to the Gaudry--Hess--Smart
> paper).  While a more general treatment looks more trouble than it's
> worth, that *doesn't* mean that an elliptic curve over GF(p^3) can't
> be easily attacked using the general theory and ad-hoc
> algorithms---and that's why nobody uses those curves.
>
> Cheers,
>
> ben
>

Hi Ben!

If I get your message correctly, we actually do use curves over GF(p^3) in
the context of pairing-based cryptography. For example,
Kachisa-Schaeffer-Scott are curves with embedding degree 18 and a sextic
twist, thus group G_2 becomes a curve over GF(p^3):

https://eprint.iacr.org/2012/232.pdf

Could a DLP in G_2 have complexity lower than 2^192 for such parameters?

Thanks!
--
Diego de Freitas Aranha
Institute of Computing - University of Campinas
http://www.ic.unicamp.br/~dfaranha
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20140416/75102484/attachment.html>


More information about the Curves mailing list