Paper 2013/644

Elliptic and Hyperelliptic Curves: a Practical Security Analysis

Joppe W. Bos and Craig Costello and Andrea Miele

Abstract

Motivated by the advantages of using elliptic curves for discrete logarithm-based public-key cryptography, there is an active research area investigating the potential of using hyperelliptic curves of genus 2. For both types of curves, the best known algorithms to solve the discrete logarithm problem are generic attacks such as Pollard rho, for which it is well-known that the algorithm can be sped up when the target curve comes equipped with an efficiently computable automorphism. For the first time, we perform a systematic security assessment of elliptic curves and hyperelliptic curves of genus~2, by incorporating all of the known optimizations. We use our software framework to give concrete estimates on the number of core years required to solve the discrete logarithm problem on four curves that target the 128-bit security level: on the standardized NIST CurveP-256, on a popular curve from the Barreto-Naehrig family, and on their respective analogues in genus 2.