...
> It's the same deal with Weil descent attacks. We know Weil descent > works in principle in arbitrary characteristic, but most of the > detailed examples and algorithms in the literature are > characteristic-2 specific (going back to the Gaudry--Hess--Smart > paper). While a more general treatment looks more trouble than it's > worth, that *doesn't* mean that an elliptic curve over GF(p^3) can't > be easily attacked using the general theory and ad-hoc > algorithms---and that's why nobody uses those curves. > > Cheers, > > ben > Hi Ben! If I get your message correctly, we actually do use curves over GF(p^3) in the context of pairing-based cryptography. For example, Kachisa-Schaeffer-Scott are curves with embedding degree 18 and a sextic twist, thus group G_2 becomes a curve over GF(p^3): https://eprint.iacr.org/2012/232.pdf Could a DLP in G_2 have complexity lower than 2^192 for such parameters? Thanks! -- Diego de Freitas Aranha Institute of Computing - University of Campinas http://www.ic.unicamp.br/~dfaranha
_______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
