Evidence that XTR Is More Secure than Supersingular Elliptic Curve Cryptosystems

@article{Verheul2004EvidenceTX,
  title={Evidence that XTR Is More Secure than Supersingular Elliptic Curve Cryptosystems},
  author={Eric R. Verheul},
  journal={Journal of Cryptology},
  year={2004},
  volume={17},
  pages={277-296}
}
We show that finding an efficiently computable injective homomorphism from the XTR subgroup into the group of points over GF(p2) of a particular type of supersingular elliptic curve is at least as hard as solving the Diffie–Hellman problem in the XTR subgroup. This provides strong evidence for a negative answer to the question posed by Vanstone and Menezes at the Crypto 2000 Rump Session on the possibility of efficiently inverting the MOV embedding into the XTR subgroup. As a side result we… CONTINUE READING