Cover attacks for elliptic curves with cofactor two

For cryptographic applications, in order to avoid a reduction of the discrete logarithm problem via the Chinese remainder theorem, one usually considers elliptic curves over finite fields whose order is a prime times a small so-called cofactor c. It is, however, possible to attack specific curves with this property via dedicated attacks. Particularly, if an elliptic curve \(E/\mathbb {F}_{q^n}\) is given, one might try to use the idea of cover attacks to reduce the problem to the corresponding problem in the Jacobian of a curve of genus \(g \ge n\) over \(\mathbb {F}_q\). In the given situation, the only attack so far which follows this idea is the GHS attack, this attack requires that the cofactor c is divisible by 4 as otherwise the genus of the resulting curve is too large. We present an algorithm for finding genus 3 hyperelliptic covers for the case \(c=2\). The construction works in odd characteristic and the resulting cover map has degree 3. As an application, two explicit examples of elliptic curves whose order are respectively 2 times a 149-bit prime and 2 times a 256-bit prime vulnerable to the attack are given.