We present and analyze an elliptic curve trapdoor system which is of interest in key escrow applications. In this system, a pair (E_s, E_pb) of elliptic curves over GF(2^161) is constructed with the following properties:
(i) the Gaudry-Hess-Smart Weil descent attack reduces the elliptic curve discrete logarithm problem (ECDLP) in E_s(GF(2^161)) to a hyperelliptic curve DLP in the Jacobian of a curve of genus 7 or 8, which is computationally feasible, but by far not trivial;
(ii) E_pb is isogenous to E_s;
(iii) the best attack on the ECDLP in E_pb(GF(2^161)) is the parallelized Pollard rho method.
The curve E_pb is used just as usual in elliptic curve cryptosystems. The curve E_s is submitted to a trusted authority for the purpose of key escrow. The crucial difference from other key escrow scenarios is that the trusted authority has to invest a considerable amount of computation to compromise a user's private key, which makes applications such as widespread wire-tapping impossible.
The paper underlying this talk has appeared in the Journal of Cryptology.