On the security of generalized Jacobian cryptosystems - MaRDI portal

On the security of generalized Jacobian cryptosystems (Q2470818)

From MaRDI portal





scientific article
Language: English
Label: On the security of generalized Jacobian cryptosystems
Description: scientific article

    Statements

    On the security of generalized Jacobian cryptosystems (English)
    15 February 2008
    Generalized Jacobians have been proposed as a setting for public-key cryptosystems by I. Déchène [Lect. Notes Comput. Sci. 4076, 421–435 (2006; Zbl 1151.14312)], where arithmetic in the special case formed by extending the group of points on an elliptic curve over a finite field with a modulus consisting of the sum of two points on the curve is described. In this paper, the security of this type of generalized Jacobian is examined by considering the discrete logarithm problem in a subgroup \(\mathbb{F}_{q^r}^* \times \langle B \rangle\), where \(B \in E(\mathbb{F}_q)\) has order \(l\). The main result is that computing a discrete logarithm in this subgroup is polynomial-time equivalent to solving discrete logarithm problems in \(\mathbb{F}_{q^r}^*\) and \(E(\mathbb{F}_q)\), from which the author concludes that, although not optimal in terms of efficiency/security ratio, these types of generalized Jacobians are sufficiently secure for cryptographic purposes. In addition, the author shows that in order to compute discrete logarithms in \(\mathbb{F}_{q^r}^* \times \langle B \rangle\), the discrete logarithm in \(\mathbb{F}_{q^r}^*\) and \(E(\mathbb{F}_q)\) may be computed separately in parallel in the case that \(l \nmid (q^r - 1)\), whereas in the case of pairing-friendly curves, for which \(l \mid (q^r - 1)\), it is not known how to do this without completely solving the discrete logarithm problem in \(E(\mathbb{F}_q)\) first.
    public-key cryptography
    discrete logarithm problem
    semi-abelian varieties
    elliptic curves
    finite fields
    pairing-friendly curves
