Paper 2013/644

Elliptic and Hyperelliptic Curves: a Practical Security Analysis

Joppe W. Bos, Craig Costello, and Andrea Miele


Motivated by the advantages of using elliptic curves for discrete logarithm-based public-key cryptography, there is an active research area investigating the potential of using hyperelliptic curves of genus 2. For both types of curves, the best known algorithms to solve the discrete logarithm problem are generic attacks such as Pollard rho, for which it is well-known that the algorithm can be sped up when the target curve comes equipped with an efficiently computable automorphism. In this paper we incorporate all of the known optimizations (including those relating to the automorphism group) in order to perform a systematic security assessment of two elliptic curves and two hyperelliptic curves of genus 2. We use our software framework to give concrete estimates on the number of core years required to solve the discrete logarithm problem on four curves that target the 128-bit security level: on the standardized NIST CurveP-256, on a popular curve from the Barreto-Naehrig family, and on their respective analogues in genus 2.

Available format(s)
Public-key cryptography
Publication info
Published by the IACR in PKC 2014
Contact author(s)
jbos @ microsoft com
2014-01-14: revised
2013-10-10: received
See all versions
Short URL
Creative Commons Attribution


      author = {Joppe W.  Bos and Craig Costello and Andrea Miele},
      title = {Elliptic and Hyperelliptic Curves: a Practical Security Analysis},
      howpublished = {Cryptology ePrint Archive, Paper 2013/644},
      year = {2013},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.