elliptic and hyperelliptic curve cryptography · elliptic and hyperelliptic curve cryptography...

Elliptic and Hyperelliptic CurveCryptography

Renate Scheidler

Research supported in part by NSERC of Canada

Comprehensive Source

Handbook of Elliptic and Hyperelliptic Curve Cryptography

Overview

L Motivation

L Elliptic Curve Arithmetic

L Hyperelliptic Curve Arithmetic

L Point Counting

L Discrete Logarithm Algorithms

L Other Models

Motivation — Why (Hyper-)Elliptic Cryptography?

Requirements on groups for discrete log based cryptography

L Large group order (plus other restrictions)

L Compact representation of group elements

L Fast group operation

L Hard Diffie-Hellman/discrete logarithm problem

Elliptic and low genus hyperelliptic curves do well on all of these!

Motivation — Why (Hyper-)Elliptic Cryptography?

Requirements on groups for discrete log based cryptography

L Large group order (plus other restrictions)

L Compact representation of group elements

L Fast group operation

L Hard Diffie-Hellman/discrete logarithm problem

Elliptic and low genus hyperelliptic curves do well on all of these!

Elliptic Curves

Let K be a field (in crypto, K � Fq with q prime or q � 2n)

Weierstraß equation over K :

E � y 2 � a1xy � a3y � x3 � a2x2 � a4x � a6 ��with a1, a2, a3, a4, a6 > K

Elliptic curve: Weierstraß equation & non-singularity condition:there are no simultaneous solutions to �� and

2y � a1x � a3 � 0

a1y � 3x2 � 2a2x � a4

Non-singularity � ∆ x 0 where ∆ is the discriminant of E

Elliptic Curves

2y � a1x � a3 � 0

a1y � 3x2 � 2a2x � a4

Elliptic Curves

2y � a1x � a3 � 0

a1y � 3x2 � 2a2x � a4

Elliptic Curves

2y � a1x � a3 � 0

a1y � 3x2 � 2a2x � a4

Non-Examples

Two Weierstraß equations with a singularity at �0,0�y 2

� x3

0 0.2 0.4 0.6 0.8 1

y 2� x2�x � 1�

-1 -0.5 0 0.5 1

An Example

E � y 2� x3 � 5x over Q

-3 -2 -1 0 1 2 3 4 5 6

Elliptic Curves, char�K� x 2, 3

The variable transformations

y � y � �a1x � a3�~2, then x � x � �a21 � 4a2�~12 �

yield an elliptic curve in short Weierstraß form:

E � y 2� x3 � Ax � B �A,B > K�

Discriminant ∆ � 4A3 � 27B2x 0 �cubic in x has distinct roots)

For any field L with K b L b K :

E�L� � ��x0, y0� > L � L S y 20 � x3

0 � Ax0 � B� 8 �ª�set of L-rational points on E

Elliptic Curves, char�K� x 2, 3

The variable transformations

y � y � �a1x � a3�~2, then x � x � �a21 � 4a2�~12 �

yield an elliptic curve in short Weierstraß form:

E � y 2� x3 � Ax � B �A,B > K�

Discriminant ∆ � 4A3 � 27B2x 0 �cubic in x has distinct roots)

For any field L with K b L b K :

E�L� � ��x0, y0� > L � L S y 20 � x3

0 � Ax0 � B� 8 �ª�set of L-rational points on E

An Example

E�Q� � ��x0, y0� > Q �Q S y 20 � x3

0 � 5x0� 8 �ª�P1 � ��1,2�, P2 � �0,0� > E�Q�

-3 -2 -1 0 1 2 3 4 5 6

The Mysterious Point at Infinity

In E , replace x by x~z , y by y~z , then multiply by z3:

Eproj � y 2z � x3 � Axz2 � Bz3

Points on Eproj:

�x � y � z� x �0 � 0 � 0� normalized so the last non-zero entry is 1

Affine Points Projective Points

�x , y� � �x � y � 1�ª � �0 � 1 � 0�

Points on Eproj:

�x , y� � �x � y � 1�ª � �0 � 1 � 0�

Points on Eproj:

�x , y� � �x � y � 1�ª � �0 � 1 � 0�

Arithmetic on E

Goal: Make E�L� into an additive (Abelian) group

The identity is the point at infinity

By Bezout’s Theorem, any line intersects E in three points

L Need to count multiplicities

L If one of the points is ª, the line is “vertical”

Motto: “Any three collinear points on E sum to zero”

AKA Chord & Tangent Addition Law

Arithmetic on E

Arithmetic on E — Inverses

E � y 2� x3 � 5x over Q, P � ��1,�2�

-3 -2 -1 0 1 2 3 4 5 6

The line through P and ª is x � �1

Arithmetic on E — Inverses

E � y 2� x3 � 5x over Q, P � ��1,�2�

-3 -2 -1 0 1 2 3 4 5 6

It intersects E in the third point R � ��1,2� � �P

Arithmetic on E — Addition

E � y 2� x3 � 5x over Q, P1 � ��1,�2�, P2 � �0,0�

-3 -2 -1 0 1 2 3 4 5 6

The line through P1 and P2 is y � 2x

E � y 2� x3 � 5x over Q, P1 � ��1,�2�, P2 � �0,0�

-3 -2 -1 0 1 2 3 4 5 6

It intersects E in the third point G � �5,10�

E � y 2� x3 � 5x over Q, P1 � ��1,�2�, P2 � �0,0�

-3 -2 -1 0 1 2 3 4 5 6

The sum R is the inverse of G , i.e. R � �G � �5,�10� � P � Q

Arithmetic on E — Doubling

E � y 2� x3 � 5x over Q, P � ��1,�2�

-3 -2 -1 0 1 2 3 4 5 6

The line tangent to E at P is y �1926 x � 33

E � y 2� x3 � 5x over Q, P � ��1,�2�

-3 -2 -1 0 1 2 3 4 5 6

It intersects E in the third point G � �94 ,

E � y 2� x3 � 5x over Q, P � ��1,�2�

-3 -2 -1 0 1 2 3 4 5 6

The sum R is the inverse of G , i.e. R � �G � �94 ,�

38� � 2P

Arithmetic on Short Weierstraß Form — Summary

P1 � �x1, y1�, P2 � �x2, y2� (P1 x �P2; P1,P2 xª)

�P1 � ��x1, y1�

P1 � P2 � �λ2 � x1 � x2, �λ3 � λ�x1 � x2� � µ� where

λ �

¢̈̈̈̈¨̈¦̈̈̈¨̈̈¤

y2 � y1

x2 � x1if P1 x P2

3x21 � A

2y1if P1 � P2

µ �

¢̈̈̈̈¨̈¦̈̈̈¨̈̈¤

y1x2 � y2x1

x2 � x1if P1 x P2

�x31 � Ax1 � 2B

2y1if P1 � P2

Beyond Elliptic Curves

Recall Weierstraß equation:

E � y 2 � �a1x � a3´¹¹¹¹¹¹¹¹¹¹¹¸¹¹¹¹¹¹¹¹¹¹¹¶h�x�

�y � x3 � a2x2 � a4x � a6´¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¸¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¶f �x�

deg�f � � 3 � 2 � 1 � 1 odd

deg�h� � 1 for char�K� � 2; h � 0 for char�K� x 2

Generalization: deg�f � � 2g � 1, deg�h� B g

g is the genus of the curve

g � 1: elliptic curves

g � 2: deg�f � � 5, deg�h� B 2 — also good for crypto

E � y 2 � �a1x � a3´¹¹¹¹¹¹¹¹¹¹¹¸¹¹¹¹¹¹¹¹¹¹¹¶h�x�

�y � x3 � a2x2 � a4x � a6´¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¸¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¶f �x�

deg�f � � 3 � 2 � 1 � 1 odd

E � y 2 � �a1x � a3´¹¹¹¹¹¹¹¹¹¹¹¸¹¹¹¹¹¹¹¹¹¹¹¶h�x�

�y � x3 � a2x2 � a4x � a6´¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¸¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¶f �x�

deg�f � � 3 � 2 � 1 � 1 odd

Hyperelliptic Curves

Hyperelliptic curve of genus g over K :

H � y 2 � h�x�y � f �x�L h�x�, f �x� > K �x�L f �x� monic and deg�f � � 2g � 1 is odd

L deg�h� B g if char�K� � 2; h�x� � 0 if char�K� x 2

L non-singularity

char�K� x 2: y 2� f �x�, f �x� monic, of odd degree, square-free

Set of L-rational points on H (K b L b K ):

H�L� � ��x0, y0� > L � L S y 20 � h�x0�y � f �x0�� 8 �ª�

L non-singularity

H�L� � ��x0, y0� > L � L S y 20 � h�x0�y � f �x0�� 8 �ª�

L non-singularity

H�L� � ��x0, y0� > L � L S y 20 � h�x0�y � f �x0�� 8 �ª�

An Example

H � y 2� x5 � 5x3 � 4x � 1 over Q, genus g � 2

-3 -2 -1 0 1 2 3

An Example

��2,�1�, �2,�1�, �3,�11� > H�Q�

-3 -2 -1 0 1 2 3

Divisors

L Group of divisors on H:

DivH�K� � `H�K�e � �Qfinite

mPP S mP > Z, P > H�K�¡

L Subgroup of DivH�K� of degree zero divisors on H:

Div0H�K� � `�P� S P > H�K�e � �Q

finite

mP�P� S mP > Z, P > H�K�¡

where �P� � P �ª

L Subgroup of Div0H�K� of principal divisors on H:

PrinH�K� � �Qfinite

vP�α��P� S α > K�x , y�, P > H�K�¡

Divisors

Div0H�K� � `�P� S P > H�K�e � �Q

finite

vP�α��P� S α > K�x , y�, P > H�K�¡

Divisors

Div0H�K� � `�P� S P > H�K�e � �Q

finite

vP�α��P� S α > K�x , y�, P > H�K�¡

The Jacobian

Jacobian of H: JacH�K� � Div0H�K�~PrinH�K�

Motto: “Any complete collection of points on a function sums tozero”

H�K� 0 JacH�K� via P ( �P�For elliptic curves: E�K� � JacE�K� (� E�K� is a group)

Identity: �ª� �ª�ª

Inverses: The points

P � �x0, y0� and P � �x0,�y0 � h�x0��on H both lie on the function x � x0, so

��P� � �P�

The Jacobian

H�K� 0 JacH�K� via P ( �P�

For elliptic curves: E�K� � JacE�K� (� E�K� is a group)

��P� � �P�

The Jacobian

��P� � �P�

The Jacobian

��P� � �P�

The Jacobian

��P� � �P�

Semi-Reduced and Reduced Divisors

Every class in JacH�K� contains a divisor Qfinite

mP�P� such that

L all mP A 0 (replace ��P� by �P�)L if P � P, then mP � 1 (as 2�P� � 0)

L if P x P, then only one of P, Pcan appear in the sum (as �P� � �P� � 0)

Such a divisor is semi-reduced. If PmP B g , then it is reduced.

TheoremEvery class in JacH�K� contains a unique reduced divisor.

mP�P� such that

Such a divisor is semi-reduced.

If PmP B g , then it is reduced.

mP�P� such that

Example — Reduction

H � y 2� x5 � 5x3 � 4x � 1 over Q, D � �R1� � �R2� � �R3� with

R1 � ��2,�1�, R2 � �2,�1�, R3 � �3,�11�

-3 -2 -1 0 1 2 3

R1,R2,R3 all lie on the quadratic y � �2x2 � 7

-3 -2 -1 0 1 2 3

This quadratic meets H in the two additional points G1,G2 where

G1 � �12�1 �

º17�,�2 �

º17�, G2 � �1

2�1 �º

17�,�2 �º

17�Thus, �R1� � �R2� � R3� � �G1� � �G2� � 0 in JacH�Q�

-3 -2 -1 0 1 2 3

�R1� � �R2� � R3� � �B1� � �B2� with B1 � �G1�, B2 � �G2�The reduced divisor in the class of D is E � �B1� � B2� where

B1 � �12�1 �

º17�, 2 �

º17�, B2 � �1

2�1 �º

17�, 2 �º

17�,

-3 -2 -1 0 1 2 3

Reduction in General

Let D �

Qi�1

�Pi � be a semi-reduced divisor on y 2 � h�x�y � f �x�

The r points Pi all lie on a curve y � v�x� with deg�v� � r � 1

v�x�2 � h�x�h�x� � f �x� polynomial of degree max�2r � 2, 2g � 1�Case r C g � 2: replace the r points P1, . . . ,Pr in D by the inversesof the other �2r � 2� � r � r � 2 points on this degree 2r � 2polynomial

Case r � g � 1: replace the g � 1 points P1, . . . ,Pr in D by theinverses of the other 2g � 1 � �g � 1� � g points on this degree2g � 2 polynomial

After � r � g

2� steps a reduced divisor is obtained ��

Let D �

Qi�1

�Pi � be a semi-reduced divisor on y 2 � h�x�y � f �x�The r points Pi all lie on a curve y � v�x� with deg�v� � r � 1

After � r � g

Let D �

Qi�1

v�x�2 � h�x�h�x� � f �x� polynomial of degree max�2r � 2, 2g � 1�

Case r C g � 2: replace the r points P1, . . . ,Pr in D by the inversesof the other �2r � 2� � r � r � 2 points on this degree 2r � 2polynomial

After � r � g

Let D �

Qi�1

After � r � g

Let D �

Qi�1

After � r � g

Let D �

Qi�1

After � r � g

Mumford Representation

Let D �

Qi�1

mi �Pi � be a semi-reduced divisor, Pi � �xi , yi�The Mumford representation of D is D � �u�x�, v�x�� where

u�x�, v�x� > K �x�, u monic, deg�v� @ deg�u�, u S v 2 � hv � f

u�x� � r

Mi�1

�x � xi�mi

dx�j �v�x�2 � v�x�h�x� � f �x��

x�xi� 0 �0 B j B mi � 1�

So u�xi� � 0 and v�xi� � yi with multiplicity mi for 1 B i B r

Mumford representation uniquely determines D

Example: If P � �x0, y0�, then D � �P� � �x � x0, y0�

Let D �

Qi�1

u�x� � r

Mi�1

�x � xi�mi

dx�j �v�x�2 � v�x�h�x� � f �x��

x�xi� 0 �0 B j B mi � 1�

Let D �

Qi�1

u�x� � r

Mi�1

�x � xi�mi

dx�j �v�x�2 � v�x�h�x� � f �x��

x�xi� 0 �0 B j B mi � 1�

Let D �

Qi�1

u�x� � r

Mi�1

�x � xi�mi

dx�j �v�x�2 � v�x�h�x� � f �x��

x�xi� 0 �0 B j B mi � 1�

Divisor Reduction Using Mumford Representations

Input: D � �u, v�Output: The reduced divisor D �

� �u�, v �� in the class of D

while deg�u� A g do

u��

f � vh � v 2

u, v �

� �v � h �mod u��u � u�, v � v �

end while

return�u�, v ��

Divisor Reduction Using Mumford Representations

Input: D � �u, v�Output: The reduced divisor D �

� �u�, v �� in the class of D

while deg�u� A g do

u��

f � vh � v 2

u, v �

� �v � h �mod u��u � u�, v � v �

end while

return�u�, v ��

Divisor Reduction — Example

H � y 2� x5 � 5x3 � 4x � 1 over Q

D � ��2,�1�� 2,1�� 3,�11�� u, v�

u�x� � �x � 2��x � 2��x � 3� � x3 � 3x2 � 4x � 2

v�x� � �2x2 � 7 (from before)

u��x� ��x5 � 5x3 � 4x � 1� � ��2x2 � 7�2

x3 � 3x2 � 4x � 2� x2 � x � 4

v ��x� � ��2x2 � 7� �mod x2 � x � 4� � 2x � 1

D �� u�, v �� is the reduced divisor in the class of D

Recall D �� 1

2�1 �

º17�, 2 �

º17� �� 1

2�1 �

º17�, 2 �

º17� �

H � y 2� x5 � 5x3 � 4x � 1 over Q

D � ��2,�1�� 2,1�� 3,�11�� u, v� with

u�x� � �x � 2��x � 2��x � 3� � x3 � 3x2 � 4x � 2

u��x� ��x5 � 5x3 � 4x � 1� � ��2x2 � 7�2

x3 � 3x2 � 4x � 2� x2 � x � 4

v ��x� � ��2x2 � 7� �mod x2 � x � 4� � 2x � 1

Recall D �� 1

2�1 �

º17�, 2 �

º17� �� 1

2�1 �

º17�, 2 �

º17� �

H � y 2� x5 � 5x3 � 4x � 1 over Q

D � ��2,�1�� 2,1�� 3,�11�� u, v� with

u�x� � �x � 2��x � 2��x � 3� � x3 � 3x2 � 4x � 2

u��x� ��x5 � 5x3 � 4x � 1� � ��2x2 � 7�2

x3 � 3x2 � 4x � 2� x2 � x � 4

v ��x� � ��2x2 � 7� �mod x2 � x � 4� � 2x � 1

Recall D �� 1

2�1 �

º17�, 2 �

º17� �� 1

2�1 �

º17�, 2 �

º17� �

H � y 2� x5 � 5x3 � 4x � 1 over Q

D � ��2,�1�� 2,1�� 3,�11�� u, v� with

u�x� � �x � 2��x � 2��x � 3� � x3 � 3x2 � 4x � 2

u��x� ��x5 � 5x3 � 4x � 1� � ��2x2 � 7�2

x3 � 3x2 � 4x � 2� x2 � x � 4

v ��x� � ��2x2 � 7� �mod x2 � x � 4� � 2x � 1

Recall D �� 1

2�1 �

º17�, 2 �

º17� �� 1

2�1 �

º17�, 2 �

º17� �

Divisor Addition Using Mumford Representations

D1 � �u1, v1�, D2 � �u2, v2� divisors on H � y 2 � h�x�y � f �x�

Simplest case: for any �P� occurring in D1, �P� does not occur inD2 and vice versa — then D1 � D2 is semi-reduced

Then D1 � D2 � �u, v� where u � u1u2 and v �

¢̈̈¦̈̈¤v1 �mod u1�v2 �mod u2�

In general: suppose P � �x0, y0� occurs in D1 and P occurs in D2.

Then u1�x0� � u2�x0� � 0 and v1�x0� � y0 � �v2�x0� � h�x0�, sox � x0 S u1�x�, u2�x�, v1�x� � v2�x� � h�x�

d � gcd�u1,u2, v1 � v2 �h� � s1u1 � s2u2 � s3�v1 � v2 �h�u �

v �1

d�s1u1v2 � s2u2v1 � s3�v1v2 � f �� mod u�

(In the simplest case above, d � 1 and s3 � 0)

D1 � �u1, v1�, D2 � �u2, v2� divisors on H � y 2 � h�x�y � f �x�Simplest case: for any �P� occurring in D1, �P� does not occur inD2 and vice versa — then D1 � D2 is semi-reduced

¢̈̈¦̈̈¤v1 �mod u1�v2 �mod u2�

v �1

¢̈̈¦̈̈¤v1 �mod u1�v2 �mod u2�

v �1

¢̈̈¦̈̈¤v1 �mod u1�v2 �mod u2�

v �1

¢̈̈¦̈̈¤v1 �mod u1�v2 �mod u2�

v �1

¢̈̈¦̈̈¤v1 �mod u1�v2 �mod u2�

v �1

Arithmetic in JacH�K�

Input: D1 � �u1, v1�, D2 � �u2, v2� reduced

Output: The reduced divisor D �� u�, v �� in the class of D1 � D2

1. Addition: compute a semi-reduced divisor D � �u, v� in theclass of D1 � D2

2. Reduction: compute the reduced divisor D �� u�, v �� in the

class of D

Methods

L “Vanilla” method just discussed

L Cantor’s algorithm (“improved vanilla”)

L NUCOMP

L Explicit formulas (if g is small, say g � 2,3,4)

class of D

Methods

L NUCOMP

class of D

Methods

L NUCOMP

Divisors defined over K

Let φ > Gal�K~K� (for K � Fq, think of Frobenius φ�α� � αq)

φ acts on points on H: if P � �x0, y0�, then φ�P� � �φ�x0�, φ�y0��φ acts on divisors: if D �QmP�P�, then φ�D� �QmP�φ�P��A divisor D is defined over K if φ�D� � D

Example:

D � �x2 � x � 4, 2x � 1� on H � y 2� x5 � 5x3 � 4x � 1 over Q

� � �1

2�1 �

º17�, 2 �

º17� � � � �1

2�1 �

º17�, 2 �

º17� �

is defined over Q (invariant under automorphismº

17( �º

TheoremD � �u, v� is defined over K if and only if u�x�, v�x� > K �x�.Corollary

The group JacH�Fq� of divisor classes defined over Fq is finite.

φ acts on points on H: if P � �x0, y0�, then φ�P� � �φ�x0�, φ�y0��

φ acts on divisors: if D �QmP�P�, then φ�D� �QmP�φ�P��A divisor D is defined over K if φ�D� � D

Example:

� � �1

2�1 �

º17�, 2 �

º17� � � � �1

2�1 �

º17�, 2 �

º17� �

17( �º

φ acts on points on H: if P � �x0, y0�, then φ�P� � �φ�x0�, φ�y0��φ acts on divisors: if D �QmP�P�, then φ�D� �QmP�φ�P��

A divisor D is defined over K if φ�D� � D

Example:

� � �1

2�1 �

º17�, 2 �

º17� � � � �1

2�1 �

º17�, 2 �

º17� �

17( �º

Example:

� � �1

2�1 �

º17�, 2 �

º17� � � � �1

2�1 �

º17�, 2 �

º17� �

17( �º

Example:

� � �1

2�1 �

º17�, 2 �

º17� � � � �1

2�1 �

º17�, 2 �

º17� �

17( �º

Example:

� � �1

2�1 �

º17�, 2 �

º17� � � � �1

2�1 �

º17�, 2 �

º17� �

17( �º

TheoremD � �u, v� is defined over K if and only if u�x�, v�x� > K �x�.

Corollary

Example:

� � �1

2�1 �

º17�, 2 �

º17� � � � �1

2�1 �

º17�, 2 �

º17� �

17( �º

Group Structure and Size

E�Fq� � Z~nZ �Z~mZ where n S gcd�m,q � 1�

Via a hand-wavy argument, y 2� f �x� should have � q � 1 points

Hasse: SE�Fq�S � q � 1 � t with St S B 2º

Hasse-Weil: SH�Fq�S � q � 1 � t with St S B 2gº

qSerre: St S B g2ºq�For the Jacobian:

�ºq � 1�2gB SJacH�Fq�S B �ºq � 1�2g

So SJacH�Fq�S � qg

If we want qg� 2160: g 1 2 3 4

q 2160 280 253.33 240

E�Fq� � Z~nZ �Z~mZ where n S gcd�m,q � 1�Via a hand-wavy argument, y 2

� f �x� should have � q � 1 points

If we want qg� 2160: g 1 2 3 4

q 2160 280 253.33 240

qSerre: St S B g2ºq�

For the Jacobian:

If we want qg� 2160: g 1 2 3 4

q 2160 280 253.33 240

If we want qg� 2160: g 1 2 3 4

q 2160 280 253.33 240

If we want qg� 2160: g 1 2 3 4

q 2160 280 253.33 240

Point Counting Algorithms

Stay for next week’s workshop to learn more . . .

K � Fq, q � pn

L Square Root MethodsPollard kangarooCartier-Manin

L `-adic Methods (n � 1, polynomial in log�p�)

SEA and generalizations

L p-adic Methods (p small, polynomial in n)

Canonical lifts (Satoh, AGM)Deformation theoryCohomology

Point counting on certain curves is easy (e.g. Koblitz curves)

Can also construct curves with good group orders via CM method(see Thursday’s talks by Drew Sutherland and Bianca Viray)

K � Fq, q � pn

Discrete Logarithms

Elliptic Curve DLP: given P,Q > E�Fq� with Q � mP, find m

Hyperelliptic Curve DLP: given reduced divisors D,E so that Eis equivalent to mD, find m

Generic Methods — Complexity O�qg~2� group operations

L Baby step giant step — also requires O�qg~2� space

L Pollard rho

L Pollard lambda (kangaroo)

Index Calculus Methods

L g â log�q� — sub-exponential

L 3 B g á log�q� — O�q2�2~g�For g � 1,2, generic methods are best! (As far as we know . . . )

Discrete Logarithms

L Pollard rho

Discrete Logarithms

L Pollard rho

Discrete Logarithms

L Pollard rho

L 3 B g á log�q� — O�q2�2~g�

For g � 1,2, generic methods are best! (As far as we know . . . )

Discrete Logarithms

L Pollard rho

Other Attacks & Parameter Choices

K � Fq with q � pn

L Pohlig-Hellman — ensure that SJacH�Fq�S has a large primefactor

L Additive Reduction: if p divides SJacH�Fq�S, then there is an

explicit homomorphism JacH�Fq��p�� F2g�1q ,�� — ensure

that gcd�q, SJacH�Fq�S� � 1

L Multiplicative Reduction (MOV): pairings can be used tomap the DLP in JacH�Fq� into �F�

qk,�� where qk

� 1 �mod r�for a prime r dividing SJacH�Fq�S — ensure that k is large

(For pairing-based crypto, however, we want k small — seeTuesday’s and Wednesday’s talks)

L Weil Descent: If n � kd is composite, one may haveJacH�Fpkd �0 JacC�Fpd � where C has higher genus — usen � 1 or n prime

qk,�� where qk

Some Other Models

L Hessians: x3 � y 3 � 3dxy � 1

L Edwards models: x2 � y 2� c2�1 � dx2y 2� (q odd) and

variations

x3 � y 3� 1

-4 -3 -2 -1 0 1 2 3 4

x2�y 2� 10�1�x2y 2�

-4 -3 -2 -1 0 1 2 3 4

Even Degree Models

H � y 2 � h�x�y � f �x�L h�x�, f �x� > K �x�L deg�h� � g � 1 if char�K� � 2; h�x� � 0 if char�K� x 2

L deg�f � � 2g � 2 is even

L sgn�f � � s2 � s with s > K if char�K� � 2; f �x� is monic ifchar�K� x 2

L non-singularity

char�K� x 2: y 2� f �x�, f �x� monic, of even degree, square-free

Elliptic quartic, char�K� x 2,3:

y 2� x4 � ax2 � bx � c �a,b, c > K�

(b � 0: Jacobi Quartic)

Even Degree Models

L non-singularity

y 2� x4 � ax2 � bx � c �a,b, c > K�

Even Degree Models

L non-singularity

y 2� x4 � ax2 � bx � c �a,b, c > K�

Examples

E � y 2� x4 � 6x2 � x � 6

g � 1

-3 -2 -1 0 1 2 3

H � y 2� x6�13x4�44x2�4x�1

g � 2

-4 -3 -2 -1 0 1 2 3 4

Conclusion

L Genus 1 and genus 2 curves over Fq represent a very goodsetting for DLP based cryptography

L Use q prime or q � 2n

L Good parameter choices are known and easy

L Cryptographically suitable curves can be constructed inpractice

� � � Thank You! � � �

Conclusion

� � � Thank You! � � �

Conclusion

� � � Thank You! � � �

Conclusion

� � � Thank You! � � �

Conclusion

� � � Thank You! � � �

elliptic and hyperelliptic curve cryptography · elliptic and hyperelliptic curve cryptography...

Documents