Evidence that XTR is more secure than supersingular elliptic curve cryptosystems

Abstract

We show that finding an efficiently computable injective homomorphism from the XTR subgroup into the group of points over GF(p2) of a particular type of supersingular elliptic curve is at least as hard as solving the Diffie-Hellman problem in the XTR subgroup. This provides strong evidence for a negative answer to the question posed by Vanstone and Menezes at the Crypto 2000 Rump Session on the possibility of efficiently inverting the MOV embedding into the XTR subgroup. As a side result we show that the Decision Diffie-Hellman problem in the group of points on this type of supersingular elliptic curves is efficiently computable, which provides an example of a group where the Decision Diffie-Hellman problem is simple, while the Diffie-Hellman and discrete logarithm problems are presumably not. So-called distortion maps on groups of points on elliptic curves that play an important role in our cryptanalysis also lead to cryptographic applications of independent interest. These applications are an improvement of Joux's one round protocol for tripartite Diffie-Hellman key exchange and a non-refutable digital signature scheme that supports escrowable encryption. We also discuss the applicability of our methods to general elliptic curves defined over finite fields which includes a classification of elliptic curve groups where distortion maps exist. © 2004 International Association for Cryptologic Research.