Index Calculus Attacks on Hyperelliptic Curves
Abstract
Hyperelliptic curves could be considered as an alternative to elliptic curves for cryptography because they use smaller fields and are therefore faster, but they have several weaknesses. Index calculus attacks are effective against hyperelliptic curves of higher genus; only $g=2$ is considered safe at the moment. Hyperelliptic curves have more involved group operations, and the potential speed gain depends on hardware configurations that fully utilize the small fields. Lastly, hyperelliptic curve cryptography is relatively new and untested. Elliptic curve cryptography has been around for a long time, and there is no compelling argument for switching to hyperelliptic curves. Index calculus attacks on hyperelliptic curves are quite effective compared to general discrete log algorithms for genus higher than 4. However, they are of limited use when applied to hyperelliptic curve cryptosystems, as high genus curves are not used there. Their function is more one of guidance: eliminating curves and fields from use in applications. The Weil descent attack on elliptic curves is also interesting, but not too relevant in practice. The fields for which it is possible are avoided in serious use. Again, the main function of the attack is as a reminder of which fields not to use.