Supersingular curves in cryptography

Abstract

Frey and Rück gave a method to transform the discrete logarithm problem in the divisor class group of a curve over (Formula Presented)q into a discrete logarithm problem in some finite field extension (Formula Presented)qk. The discrete logarithm problem can therefore be solved using index calculus algorithms as long as k is small. In the elliptic curve case it was shown by Menezes, Okamoto and Vanstone that for supersingular curves one has k ≤ 6. In this paper curves of higher genus are studied. Bounds on the possible values for k in the case of supersingular curves are given which imply that supersingular curves are weaker than the general case for cryptography. Ways to ensure that a curve is not supersingular are also discussed. A constructive application of supersingular curves to cryptography is given, by generalising an identity-based cryptosystem due to Boneh and Franklin. The generalised scheme provides a significant reduction in bandwidth compared with the original scheme.