real hyperelliptic curves - fields institutereal hyperelliptic curves renate scheidler...

Real Hyperelliptic CurvesRenate Scheidler

rscheidl@math.ucalgary.ca

C I S Centre for nformation ecurity nd ryptography

C I S Centre for nformation ecurity nd ryptography

C I S Centre for nformation ecurity nd ryptography

Fields Institute Workshop on New Directions in Cryptography, June 25-27, 2008, University of Ottawa

Joint work with

Mike Jacobson (University of Calgary) and Andreas Stein (University of Oldenburg)

Research supported in part by NSERC of Canada

– p.

Hyperelliptic Curves over Fq

– p.

Hyperelliptic Curves over Fq

C : y2 + h(x)y = f(x)

– p.

Hyperelliptic Curves over Fq

C : y2 + h(x)y = f(x)

f, h ∈ Fq[x]; h = 0 if q odd;absolutely irreducible; non-singular; of genus g

– p.

Hyperelliptic Curves over Fq

C : y2 + h(x)y = f(x)

f, h ∈ Fq[x]; h = 0 if q odd;absolutely irreducible; non-singular; of genus g

Imaginary Modelf monic and deg(f) = 2g + 1

deg(h) ≤ g if q even

– p.

Hyperelliptic Curves over Fq

C : y2 + h(x)y = f(x)

f, h ∈ Fq[x]; h = 0 if q odd;absolutely irreducible; non-singular; of genus g

Imaginary Modelf monic and deg(f) = 2g + 1

deg(h) ≤ g if q even

Real ModelIf q odd: f monic and deg(f) = 2g + 2

If q even: h monic, deg(h) = g + 1 anddeg(f) ≤ 2g + 1 ordeg(f) = 2g + 2, sgn(f) = e2 + e (e ∈ F

∗

q)

– p.

Degree 0 Divisors ( C Imaginary)

– p.

Degree 0 Divisors ( C Imaginary)J = JacFq

(C): degree zero divisor class group of C over Fq

– p.

Degree 0 Divisors ( C Imaginary)J = JacFq

(C): degree zero divisor class group of C over Fq

Representation of degree zero divisors : D = (s; a, b):

s, a, b ∈ Fq[x], s and a monics and a unique, b (mod a) uniquea | f + hb − b2

– p.

Degree 0 Divisors ( C Imaginary)J = JacFq

(C): degree zero divisor class group of C over Fq

Representation of degree zero divisors : D = (s; a, b):

s, a, b ∈ Fq[x], s and a monics and a unique, b (mod a) uniquea | f + hb − b2

D semi-reduced : s = 1D reduced : s = 1 and deg(a) ≤ g.

– p.

Degree 0 Divisors ( C Imaginary)J = JacFq

(C): degree zero divisor class group of C over Fq

Representation of degree zero divisors : D = (s; a, b):

s, a, b ∈ Fq[x], s and a monics and a unique, b (mod a) uniquea | f + hb − b2

D semi-reduced : s = 1D reduced : s = 1 and deg(a) ≤ g.

Theorem : Every class [D] ∈ J has a unique reducedrepresentative Red(D)

– p.

Degree 0 Divisors ( C Imaginary)J = JacFq

(C): degree zero divisor class group of C over Fq

Representation of degree zero divisors : D = (s; a, b):

s, a, b ∈ Fq[x], s and a monics and a unique, b (mod a) uniquea | f + hb − b2

D semi-reduced : s = 1D reduced : s = 1 and deg(a) ≤ g.

Theorem : Every class [D] ∈ J has a unique reducedrepresentative Red(D)

Arithmetic in J via reduced representatives (giant steps ):

Red(D′) ⊕ Red(D′′)def= Red(D′ + D′′)

– p.

Giant Step Arithmetic

– p.

Giant Step ArithmeticCantor’s algorithm (Cantor 1987)divisor addition with subsequent reduction steps17g2 + O(g) operations in Fq (Stein 2001)

– p.

Giant Step ArithmeticCantor’s algorithm (Cantor 1987)divisor addition with subsequent reduction steps17g2 + O(g) operations in Fq (Stein 2001)

NUCOMP (Shanks-Atkin 1989, van der Poorten 2003)Cg2 operation in Fq, C < 17

– p.

Giant Step ArithmeticCantor’s algorithm (Cantor 1987)divisor addition with subsequent reduction steps17g2 + O(g) operations in Fq (Stein 2001)

NUCOMP (Shanks-Atkin 1989, van der Poorten 2003)Cg2 operation in Fq, C < 17

Explicit formulas for low genus curves:

– p.

Giant Step ArithmeticCantor’s algorithm (Cantor 1987)divisor addition with subsequent reduction steps17g2 + O(g) operations in Fq (Stein 2001)

NUCOMP (Shanks-Atkin 1989, van der Poorten 2003)Cg2 operation in Fq, C < 17

Explicit formulas for low genus curves:Imaginary: g = 2, 3, 4www.hyperelliptic.org/EFD/

– p.

Giant Step ArithmeticCantor’s algorithm (Cantor 1987)divisor addition with subsequent reduction steps17g2 + O(g) operations in Fq (Stein 2001)

NUCOMP (Shanks-Atkin 1989, van der Poorten 2003)Cg2 operation in Fq, C < 17

Explicit formulas for low genus curves:Imaginary: g = 2, 3, 4www.hyperelliptic.org/EFD/

Real: g = 2, affine coordinatesErickson-Jacobson-Shang-Shen-Stein, WAIFI 2007

– p.

Key Agreement in J (Koblitz 1989)

– p.

Key Agreement in J (Koblitz 1989)Alice and Bob agree on q, C imaginary, a reduced divisor D

– p.

Key Agreement in J (Koblitz 1989)Alice and Bob agree on q, C imaginary, a reduced divisor D

Alice Bob

1. Generates m ∈R ]1, ord(D)[ Generates n ∈R ]1, ord(D)[

// Fixed base scenario //2. Sends Dm = Red(mD) to Bob Sends Dn = Red(nD) to Alice

// Variable base scenario //3. Computes K = Red(mDn) Computes K = Red(nDm)

– p.

Key Agreement in J (Koblitz 1989)Alice and Bob agree on q, C imaginary, a reduced divisor D

Alice Bob

1. Generates m ∈R ]1, ord(D)[ Generates n ∈R ]1, ord(D)[

// Fixed base scenario //2. Sends Dm = Red(mD) to Bob Sends Dn = Red(nD) to Alice

// Variable base scenario //3. Computes K = Red(mDn) Computes K = Red(nDm)

The secret is the reduced divisor K = Red(mnD)

– p.

Key Agreement in J (Koblitz 1989)Alice and Bob agree on q, C imaginary, a reduced divisor D

Alice Bob

1. Generates m ∈R ]1, ord(D)[ Generates n ∈R ]1, ord(D)[

// Fixed base scenario //2. Sends Dm = Red(mD) to Bob Sends Dn = Red(nD) to Alice

// Variable base scenario //3. Computes K = Red(mDn) Computes K = Red(nDm)

The secret is the reduced divisor K = Red(mnD)

〈D〉 ≈ |J | ≈ qg (exponentially large in the size of C)

– p.

Key Agreement in J (Koblitz 1989)Alice and Bob agree on q, C imaginary, a reduced divisor D

Alice Bob

1. Generates m ∈R ]1, ord(D)[ Generates n ∈R ]1, ord(D)[

// Fixed base scenario //2. Sends Dm = Red(mD) to Bob Sends Dn = Red(nD) to Alice

// Variable base scenario //3. Computes K = Red(mDn) Computes K = Red(nDm)

The secret is the reduced divisor K = Red(mnD)

〈D〉 ≈ |J | ≈ qg (exponentially large in the size of C)

DLP is exponential for small g

(g = 2 is best; DLP complexity O(q) = O(√

|J |))

– p.

Degree 0 Divisors ( C Real)

– p.

Degree 0 Divisors ( C Real)Representation of degree zero divisors : D = (s; a, b; v):

s, a, b as beforev ∈ Z

– p.

Degree 0 Divisors ( C Real)Representation of degree zero divisors : D = (s; a, b; v):

s, a, b as beforev ∈ Z

Semi-reduced and reduced defined as before – norestrictions on v

– p.

Degree 0 Divisors ( C Real)Representation of degree zero divisors : D = (s; a, b; v):

s, a, b as beforev ∈ Z

Semi-reduced and reduced defined as before – norestrictions on v

Fact: Reduced representatives of divisor classes are nolonger unique

– p.

Degree 0 Divisors ( C Real)Representation of degree zero divisors : D = (s; a, b; v):

s, a, b as beforev ∈ Z

Semi-reduced and reduced defined as before – norestrictions on v

Fact: Reduced representatives of divisor classes are nolonger unique

Theorem : Every class [D] ∈ J has a unique reducedrepresentative Red’(D) = (a, b, v) where v is restricted to asuitable interval of length g − deg(a) + 1

(Paulus-Rück 1999; Galbraith-Harrison-Mireless 2008)

– p.

Degree 0 Divisors ( C Real)Representation of degree zero divisors : D = (s; a, b; v):

s, a, b as beforev ∈ Z

Semi-reduced and reduced defined as before – norestrictions on v

Fact: Reduced representatives of divisor classes are nolonger unique

Theorem : Every class [D] ∈ J has a unique reducedrepresentative Red’(D) = (a, b, v) where v is restricted to asuitable interval of length g − deg(a) + 1

(Paulus-Rück 1999; Galbraith-Harrison-Mireless 2008)

Could use this again for arithmetic in J

– p.

Computing Red’ (D)

– p.

Computing Red’ (D)

Compute D′ ⊕ D′′ = Red(D′ + D′′) as in the imaginarycase using a giant step — Cg2 operations in Fq

– p.

Computing Red’ (D)

Compute D′ ⊕ D′′ = Red(D′ + D′′) as in the imaginarycase using a giant step — Cg2 operations in Fq

Apply further reduction steps to until Red’(D) isreached — up to C ′g2 operations in Fq

– p.

Computing Red’ (D)

Compute D′ ⊕ D′′ = Red(D′ + D′′) as in the imaginarycase using a giant step — Cg2 operations in Fq

Apply further reduction steps to until Red’(D) isreached — up to C ′g2 operations in Fq

(C + C ′)g2 field operations — slower than imaginaryJacobian arithmetic

– p.

Computing Red’ (D)

Compute D′ ⊕ D′′ = Red(D′ + D′′) as in the imaginarycase using a giant step — Cg2 operations in Fq

Apply further reduction steps to until Red’(D) isreached — up to C ′g2 operations in Fq

(C + C ′)g2 field operations — slower than imaginaryJacobian arithmetic

Henceforth, let C be real. Then |J | = HR where

– p.

Computing Red’ (D)

Compute D′ ⊕ D′′ = Red(D′ + D′′) as in the imaginarycase using a giant step — Cg2 operations in Fq

Apply further reduction steps to until Red’(D) isreached — up to C ′g2 operations in Fq

(C + C ′)g2 field operations — slower than imaginaryJacobian arithmetic

Henceforth, let C be real. Then |J | = HR where

H is the order of the ideal class group of the coordinatering of C; usually very small

– p.

Computing Red’ (D)

Compute D′ ⊕ D′′ = Red(D′ + D′′) as in the imaginarycase using a giant step — Cg2 operations in Fq

Apply further reduction steps to until Red’(D) isreached — up to C ′g2 operations in Fq

(C + C ′)g2 field operations — slower than imaginaryJacobian arithmetic

Henceforth, let C be real. Then |J | = HR where

H is the order of the ideal class group of the coordinatering of C; usually very small

R is the regulator of C, i.e. the order of the divisor classof ∞1 −∞2 where ∞1 and ∞2 are the two points atinfinity; usually R ≈ |J | ≈ qg

– p.

Infrastructure

– p.

InfrastructureInfrastructure :

R = {D | D is a reduced principal divisor with 0 ≤ −v < R}

– p.

InfrastructureInfrastructure :

R = {D | D is a reduced principal divisor with 0 ≤ −v < R}

Properties

– p.

InfrastructureInfrastructure :

R = {D | D is a reduced principal divisor with 0 ≤ −v < R}

Properties

R is finite and of cardinality ≈ R ≈ qg

– p.

InfrastructureInfrastructure :

R = {D | D is a reduced principal divisor with 0 ≤ −v < R}

Properties

R is finite and of cardinality ≈ R ≈ qg

R is ordered by distance: δ(D) = −v, so

R = {D1 = 0, D2, . . . , Dr}, Di+1 = Di − div(

ai + y

bi

)

– p.

InfrastructureInfrastructure :

R = {D | D is a reduced principal divisor with 0 ≤ −v < R}

Properties

R is finite and of cardinality ≈ R ≈ qg

R is ordered by distance: δ(D) = −v, so

R = {D1 = 0, D2, . . . , Dr}, Di+1 = Di − div(

ai + y

bi

)

0 = δ1 < δ2 < · · · < δr < R

– p.

InfrastructureInfrastructure :

R = {D | D is a reduced principal divisor with 0 ≤ −v < R}

Properties

R is finite and of cardinality ≈ R ≈ qg

R is ordered by distance: δ(D) = −v, so

R = {D1 = 0, D2, . . . , Dr}, Di+1 = Di − div(

ai + y

bi

)

0 = δ1 < δ2 < · · · < δr < R

δ1 = 0, δ2 = g + 1, 1 ≤ δi+1 − δi ≤ g for 2 ≤ i ≤ r − 1

– p.

InfrastructureInfrastructure :

R = {D | D is a reduced principal divisor with 0 ≤ −v < R}

Properties

R is finite and of cardinality ≈ R ≈ qg

R is ordered by distance: δ(D) = −v, so

R = {D1 = 0, D2, . . . , Dr}, Di+1 = Di − div(

ai + y

bi

)

0 = δ1 < δ2 < · · · < δr < R

δ1 = 0, δ2 = g + 1, 1 ≤ δi+1 − δi ≤ g for 2 ≤ i ≤ r − 1

A reduction step moves from Di to Di+1 and is alsoknown as a baby step — O(g) operations in Fq

– p.

InfrastructureInfrastructure :

R = {D | D is a reduced principal divisor with 0 ≤ −v < R}

Properties

R is finite and of cardinality ≈ R ≈ qg

R is ordered by distance: δ(D) = −v, so

R = {D1 = 0, D2, . . . , Dr}, Di+1 = Di − div(

ai + y

bi

)

0 = δ1 < δ2 < · · · < δr < R

δ1 = 0, δ2 = g + 1, 1 ≤ δi+1 − δi ≤ g for 2 ≤ i ≤ r − 1

A reduction step moves from Di to Di+1 and is alsoknown as a baby step — O(g) operations in Fq

Dmr+i = Di + mR(∞1 −∞2) for m ∈ N and 1 ≤ i ≤ r

– p.

Infra-STRUCTURE

– p.

Infra-STRUCTURER is “almost” an Abelian group under giant steps:

– p.

Infra-STRUCTURER is “almost” an Abelian group under giant steps:

Closure: D′, D′′ ∈ R ⇒ D′ ⊕ D′′ ∈ R

– p.

Infra-STRUCTURER is “almost” an Abelian group under giant steps:

Closure: D′, D′′ ∈ R ⇒ D′ ⊕ D′′ ∈ R

Identity: D1 = 0 = (1, 0; 0)

– p.

Infra-STRUCTURER is “almost” an Abelian group under giant steps:

Closure: D′, D′′ ∈ R ⇒ D′ ⊕ D′′ ∈ R

Identity: D1 = 0 = (1, 0; 0)

Inverses: The inverse of D = (a, b; v) is−D = (a,−h − b;− deg(a) − v)

– p.

Infra-STRUCTURER is “almost” an Abelian group under giant steps:

Closure: D′, D′′ ∈ R ⇒ D′ ⊕ D′′ ∈ R

Identity: D1 = 0 = (1, 0; 0)

Inverses: The inverse of D = (a, b; v) is−D = (a,−h − b;− deg(a) − v)

Commutativity: D′ ⊕ D′′ = D′′ ⊕ D′

– p.

Infra-STRUCTURER is “almost” an Abelian group under giant steps:

Closure: D′, D′′ ∈ R ⇒ D′ ⊕ D′′ ∈ R

Identity: D1 = 0 = (1, 0; 0)

Inverses: The inverse of D = (a, b; v) is−D = (a,−h − b;− deg(a) − v)

Commutativity: D′ ⊕ D′′ = D′′ ⊕ D′

“Almost” associative:

δ(D′ ⊕ D′′) = δ(D′) + δ(D′′) − d with 0 ≤ d ≤ 2g

– p.

Infra-STRUCTURER is “almost” an Abelian group under giant steps:

Closure: D′, D′′ ∈ R ⇒ D′ ⊕ D′′ ∈ R

Identity: D1 = 0 = (1, 0; 0)

Inverses: The inverse of D = (a, b; v) is−D = (a,−h − b;− deg(a) − v)

Commutativity: D′ ⊕ D′′ = D′′ ⊕ D′

“Almost” associative:

δ(D′ ⊕ D′′) = δ(D′) + δ(D′′) − d with 0 ≤ d ≤ 2g

So D ⊕ (D′ ⊕ D′′) is “close to” (D ⊕ D′) ⊕ D′′

(within 4g in distance)

– p.

More on Infrastructure

– p. 10

More on InfrastructureIf D = (a, b; v) ∈ R, then (a, b) determines v = −δ(D)uniquely and vice versa. So we can write D = (a, b)

– p. 10

More on InfrastructureIf D = (a, b; v) ∈ R, then (a, b) determines v = −δ(D)uniquely and vice versa. So we can write D = (a, b)

Given D = (a, b) ∈ R, it is computationally infeasible tofind δ(D) — infrastructure discrete log problem

– p. 10

More on InfrastructureIf D = (a, b; v) ∈ R, then (a, b) determines v = −δ(D)uniquely and vice versa. So we can write D = (a, b)

Given D = (a, b) ∈ R, it is computationally infeasible tofind δ(D) — infrastructure discrete log problem

Divisors of Fixed Distance:

– p. 10

More on InfrastructureIf D = (a, b; v) ∈ R, then (a, b) determines v = −δ(D)uniquely and vice versa. So we can write D = (a, b)

Given D = (a, b) ∈ R, it is computationally infeasible tofind δ(D) — infrastructure discrete log problem

Divisors of Fixed Distance: For n ∈ [0, R), the divisorD(n) ∈ R below n is the divisor Di ∈ R such that

δi ≤ n < δi+1

– p. 10

More on InfrastructureIf D = (a, b; v) ∈ R, then (a, b) determines v = −δ(D)uniquely and vice versa. So we can write D = (a, b)

Given D = (a, b) ∈ R, it is computationally infeasible tofind δ(D) — infrastructure discrete log problem

Divisors of Fixed Distance: For n ∈ [0, R), the divisorD(n) ∈ R below n is the divisor Di ∈ R such that

δi ≤ n < δi+1

Key Point: n D(n) easy, D δ(D) hard

– p. 10

Key Agreement in R

– p. 11

Key Agreement in R

(S.-Stein-Williams 1996) Alice and Bob agree on a realhyperelliptic curve C over a finite field Fq with regulator R

– p. 11

Key Agreement in R

(S.-Stein-Williams 1996) Alice and Bob agree on a realhyperelliptic curve C over a finite field Fq with regulator R

Alice Bob

1. Generates m ∈R ]1, R[ Generates n ∈R ]1, R[

// Fixed base scenario //2. Sends D(m) to Bob Sends D(n) to Alice

// Variable base scenario //3. Computes D(nm) Computes D(mn)

from D(n) and m from D(m) and n

– p. 11

Key Agreement in R

(S.-Stein-Williams 1996) Alice and Bob agree on a realhyperelliptic curve C over a finite field Fq with regulator R

Alice Bob

1. Generates m ∈R ]1, R[ Generates n ∈R ]1, R[

// Fixed base scenario //2. Sends D(m) to Bob Sends D(n) to Alice

// Variable base scenario //3. Computes D(nm) Computes D(mn)

from D(n) and m from D(m) and n

The secret is K = D(mn)

– p. 11

Key Agreement in R

(S.-Stein-Williams 1996) Alice and Bob agree on a realhyperelliptic curve C over a finite field Fq with regulator R

Alice Bob

1. Generates m ∈R ]1, R[ Generates n ∈R ]1, R[

// Fixed base scenario //2. Sends D(m) to Bob Sends D(n) to Alice

// Variable base scenario //3. Computes D(nm) Computes D(mn)

from D(n) and m from D(m) and n

The secret is K = D(mn)

Same size key space and security as imaginary scenario,but slower – as this simply mimics real Jacobian arithmetic

– p. 11

Non-Adjacent Form

– p. 12

Non-Adjacent FormUseful for scalar multiplication in groups where computinginverses is cheap (note: D = (a, b) ⇒ −D = (a,−h − b))

– p. 12

Non-Adjacent FormUseful for scalar multiplication in groups where computinginverses is cheap (note: D = (a, b) ⇒ −D = (a,−h − b))

The non-adjacent form of n ∈ N is n =l

∑

i=0

bi2l−i

b0 = 1, bi ∈ {±1, 0}, no two consecutive bi are non-zero

– p. 12

Non-Adjacent FormUseful for scalar multiplication in groups where computinginverses is cheap (note: D = (a, b) ⇒ −D = (a,−h − b))

The non-adjacent form of n ∈ N is n =l

∑

i=0

bi2l−i

b0 = 1, bi ∈ {±1, 0}, no two consecutive bi are non-zero

Idea: 2i+1 + 2i = 2i+2 − 2i

– p. 12

Non-Adjacent FormUseful for scalar multiplication in groups where computinginverses is cheap (note: D = (a, b) ⇒ −D = (a,−h − b))

The non-adjacent form of n ∈ N is n =l

∑

i=0

bi2l−i

b0 = 1, bi ∈ {±1, 0}, no two consecutive bi are non-zero

Idea: 2i+1 + 2i = 2i+2 − 2i

Properties

– p. 12

Non-Adjacent FormUseful for scalar multiplication in groups where computinginverses is cheap (note: D = (a, b) ⇒ −D = (a,−h − b))

The non-adjacent form of n ∈ N is n =l

∑

i=0

bi2l−i

b0 = 1, bi ∈ {±1, 0}, no two consecutive bi are non-zero

Idea: 2i+1 + 2i = 2i+2 − 2i

Properties

For any n ∈ N, NAF exists and is unique

– p. 12

Non-Adjacent FormUseful for scalar multiplication in groups where computinginverses is cheap (note: D = (a, b) ⇒ −D = (a,−h − b))

The non-adjacent form of n ∈ N is n =l

∑

i=0

bi2l−i

b0 = 1, bi ∈ {±1, 0}, no two consecutive bi are non-zero

Idea: 2i+1 + 2i = 2i+2 − 2i

Properties

For any n ∈ N, NAF exists and is unique2l+1 < 3n < 2l+2, so NAF length is at most one morethan the binary length of n

– p. 12

Non-Adjacent FormUseful for scalar multiplication in groups where computinginverses is cheap (note: D = (a, b) ⇒ −D = (a,−h − b))

The non-adjacent form of n ∈ N is n =l

∑

i=0

bi2l−i

b0 = 1, bi ∈ {±1, 0}, no two consecutive bi are non-zero

Idea: 2i+1 + 2i = 2i+2 − 2i

Properties

For any n ∈ N, NAF exists and is unique2l+1 < 3n < 2l+2, so NAF length is at most one morethan the binary length of nOnly 1/3 of all the digits is expected to be non-zero (asopposed to 1/2 of the ordinary bits of n)

– p. 12

Non-Adjacent FormUseful for scalar multiplication in groups where computinginverses is cheap (note: D = (a, b) ⇒ −D = (a,−h − b))

The non-adjacent form of n ∈ N is n =l

∑

i=0

bi2l−i

b0 = 1, bi ∈ {±1, 0}, no two consecutive bi are non-zero

Idea: 2i+1 + 2i = 2i+2 − 2i

Properties

For any n ∈ N, NAF exists and is unique2l+1 < 3n < 2l+2, so NAF length is at most one morethan the binary length of nOnly 1/3 of all the digits is expected to be non-zero (asopposed to 1/2 of the ordinary bits of n)NAF is easily computable (almost for free)

– p. 12

Scalar Multiplication in J

– p. 13

Scalar Multiplication in J

Input: a reduced divisor D and a scalar n =

l∑

i=0

bi2l−i in NAF

– p. 13

Scalar Multiplication in J

Input: a reduced divisor D and a scalar n =

l∑

i=0

bi2l−i in NAF

Output: the reduced divisor Red(nD)

– p. 13

Scalar Multiplication in J

Input: a reduced divisor D and a scalar n =

l∑

i=0

bi2l−i in NAF

Output: the reduced divisor Red(nD)

Algorithm:

1. Set E = D

2. For i = 1 to l do// Double Replace E by E ⊕ E

// Add If bi = 1, replace E by E ⊕ DIf bi = −1, replace E by E ⊕ (−D)

3. Output E

– p. 13

Scalar Multiplication in J

Input: a reduced divisor D and a scalar n =

l∑

i=0

bi2l−i in NAF

Output: the reduced divisor Red(nD)

Algorithm:

1. Set E = D

2. For i = 1 to l do// Double Replace E by E ⊕ E

// Add If bi = 1, replace E by E ⊕ DIf bi = −1, replace E by E ⊕ (−D)

3. Output E

l doubles, l/3 adds

– p. 13

Variable Base Scalar Mult. in R

– p. 14

Variable Base Scalar Mult. in R

Input: D ∈ R and n =∑

bi2l−i in NAF

– p. 14

Variable Base Scalar Mult. in R

Input: D ∈ R and n =∑

bi2l−i in NAF

Output: The divisor E below nδ(D)

– p. 14

Variable Base Scalar Mult. in R

Input: D ∈ R and n =∑

bi2l−i in NAF

Output: The divisor E below nδ(D)Algorithm:

1. Set E = D2. For i = 1 to l do

// Double Replace E by E ⊕ E// Adjust Replace E by D(2δ(E))If bi 6= 0 then

If bi = 1, set D′ = DIf bi = −1, set D′ = −D// Add replace E by E ⊕ D′

// Adjust Replace E by D(δ(E) + δ(D′))3. Output E

– p. 14

Variable Base Scalar Mult. in R

Input: D ∈ R and n =∑

bi2l−i in NAF

Output: The divisor E below nδ(D)Algorithm:

1. Set E = D2. For i = 1 to l do

// Double Replace E by E ⊕ E// Adjust Replace E by D(2δ(E))If bi 6= 0 then

If bi = 1, set D′ = DIf bi = −1, set D′ = −D// Add replace E by E ⊕ D′

// Adjust Replace E by D(δ(E) + δ(D′))3. Output E

l doubles, l/3 adds, up to (l + l/3) · 2g = (8g/3)l baby steps

– p. 14

Fixed Base Scalar Mult. in R

– p. 15

Fixed Base Scalar Mult. in R

Input: n ∈ N, s = ⌊n/(g + 1)⌋ in NAF

– p. 15

Fixed Base Scalar Mult. in R

Input: n ∈ N, s = ⌊n/(g + 1)⌋ in NAFOutput: The divisor D(n) ∈ R below n

– p. 15

Fixed Base Scalar Mult. in R

Input: n ∈ N, s = ⌊n/(g + 1)⌋ in NAFOutput: The divisor D(n) ∈ R below n

Algorithm:

1. Compute E′ = D(s(g + 1) by calling the previousalgorithm on inputs D2 and s

2. Apply at most n − s(g + 1) baby steps to E′ to computeD(n)

3. Output E

– p. 15

Fixed Base Scalar Mult. in R

Input: n ∈ N, s = ⌊n/(g + 1)⌋ in NAFOutput: The divisor D(n) ∈ R below n

Algorithm:

1. Compute E′ = D(s(g + 1) by calling the previousalgorithm on inputs D2 and s

2. Apply at most n − s(g + 1) baby steps to E′ to computeD(n)

3. Output E

one integer division with remainder

all the operations from previous algorithm

at most g baby steps

– p. 15

Heuristics, Real Model

– p. 16

Heuristics, Real ModelHeuristics : with probability 1 − O(q−1):

– p. 16

Heuristics, Real ModelHeuristics : with probability 1 − O(q−1):

δi+1 − δi = 1 for 2 ≤ i ≤ r

– p. 16

Heuristics, Real ModelHeuristics : with probability 1 − O(q−1):

δi+1 − δi = 1 for 2 ≤ i ≤ r

δ(D′ ⊕ D′′) = δ(D′) + δ(D′′) − ⌈g/2⌉

– p. 16

Heuristics, Real ModelHeuristics : with probability 1 − O(q−1):

δi+1 − δi = 1 for 2 ≤ i ≤ r

δ(D′ ⊕ D′′) = δ(D′) + δ(D′′) − ⌈g/2⌉

Consequences: with probability 1 − O(q−1):

– p. 16

Heuristics, Real ModelHeuristics : with probability 1 − O(q−1):

δi+1 − δi = 1 for 2 ≤ i ≤ r

δ(D′ ⊕ D′′) = δ(D′) + δ(D′′) − ⌈g/2⌉

Consequences: with probability 1 − O(q−1):

If Di = (ai, bi) then

deg(ai) = deg(bi+1 + bi − h) − deg(ci) = (g + 1) − 1 = g

– p. 16

Heuristics, Real ModelHeuristics : with probability 1 − O(q−1):

δi+1 − δi = 1 for 2 ≤ i ≤ r

δ(D′ ⊕ D′′) = δ(D′) + δ(D′′) − ⌈g/2⌉

Consequences: with probability 1 − O(q−1):

If Di = (ai, bi) then

deg(ai) = deg(bi+1 + bi − h) − deg(ci) = (g + 1) − 1 = g

Relative distances (distance advancements) for bothbaby steps and giant steps are known and need nolonger be kept track of

– p. 16

Improvements, Infrastructure

– p. 17

Improvements, InfrastructureVariable Base Scenario

– p. 17

Improvements, InfrastructureVariable Base Scenario

Eliminate all adjustment steps, at the expense ofd = ⌈g/2⌉ baby steps at the beginning (independent ofthe NAF length l of the scalars m,n)

– p. 17

Improvements, InfrastructureVariable Base Scenario

Eliminate all adjustment steps, at the expense ofd = ⌈g/2⌉ baby steps at the beginning (independent ofthe NAF length l of the scalars m,n)

Fixed Base Scenario

– p. 17

Improvements, InfrastructureVariable Base Scenario

Eliminate all adjustment steps, at the expense ofd = ⌈g/2⌉ baby steps at the beginning (independent ofthe NAF length l of the scalars m,n)

Fixed Base Scenario

Replace all adds by baby steps

– p. 17

Improvements, InfrastructureVariable Base Scenario

Eliminate all adjustment steps, at the expense ofd = ⌈g/2⌉ baby steps at the beginning (independent ofthe NAF length l of the scalars m,n)

Fixed Base Scenario

Replace all adds by baby stepsEliminate all adjustment steps, at the expense of thefollowing pre-computation (g + 2 baby steps, l doubles):

D∗ with δ(D∗) = 2l(g + 1) + gd + 1 baby steps applied to D1 to obtain Dd+2

l doubles, starting with Dd+2: gets to distance2l(g + 1) + dg − d baby steps

Dd+3 with δd+3 = d + g + 2: one baby step from Dd+2

– p. 17

Improvements, Variable Base

– p. 18

Improvements, Variable BaseInput: D ∈ R, n =

∑

bi2l−i in NAF

– p. 18

Improvements, Variable BaseInput: D ∈ R, n =

∑

bi2l−i in NAF

Output: The divisor E ∈ R of distance nδ(D) + d

– p. 18

Improvements, Variable BaseInput: D ∈ R, n =

∑

bi2l−i in NAF

Output: The divisor E ∈ R of distance nδ(D) + dAlgorithm:1. E1 = D2. For i = 1 to d − 1 do // d − 1 baby steps

Replace Ei by Ei+1

3. // Now Ei = Ed Set D′ = Ei, D′′ = Ei+1, E = Ei+1

4. For i = 1 to l do// Double Replace E by E ⊕ E// Add If bi = 1, replace E by E ⊕ D′′

If bi = −1 and g is even, replace E by E ⊕D′′

If bi = −1 and g is odd, replace E by E ⊕ D′

5. Output E

– p. 18

Improvements, Variable BaseInput: D ∈ R, n =

∑

bi2l−i in NAF

Output: The divisor E ∈ R of distance nδ(D) + dAlgorithm:1. E1 = D2. For i = 1 to d − 1 do // d − 1 baby steps

Replace Ei by Ei+1

3. // Now Ei = Ed Set D′ = Ei, D′′ = Ei+1, E = Ei+1

4. For i = 1 to l do// Double Replace E by E ⊕ E// Add If bi = 1, replace E by E ⊕ D′′

If bi = −1 and g is even, replace E by E ⊕D′′

If bi = −1 and g is odd, replace E by E ⊕ D′

5. Output E

l doubles, l/3 adds, d baby steps

– p. 18

Improvements, Fixed Base

– p. 19

Improvements, Fixed BasePre-Computation: D∗, Dd+3

– p. 19

Improvements, Fixed BasePre-Computation: D∗, Dd+3

Input: n =∑

bi2l−i in NAF

– p. 19

Improvements, Fixed BasePre-Computation: D∗, Dd+3

Input: n =∑

bi2l−i in NAF

Output: The divisor E = D(n) ∈ R of distance n

– p. 19

Improvements, Fixed BasePre-Computation: D∗, Dd+3

Input: n =∑

bi2l−i in NAF

Output: The divisor E = D(n) ∈ R of distance nAlgorithm:

1. Set E = Dd+3

2. For i = 1 to l do// Double Replace E by E ⊕ E// Baby Step If bi = 1 then apply a baby step to E

If bi = −1 then apply a backwardbaby step to E

3. // Now at distance 2l+1 + n + dCompute D = E ⊕ (−D∗)

4. Output D

– p. 19

Improvements, Fixed BasePre-Computation: D∗, Dd+3

Input: n =∑

bi2l−i in NAF

Output: The divisor E = D(n) ∈ R of distance nAlgorithm:

1. Set E = Dd+3

2. For i = 1 to l do// Double Replace E by E ⊕ E// Baby Step If bi = 1 then apply a baby step to E

If bi = −1 then apply a backwardbaby step to E

3. // Now at distance 2l+1 + n + dCompute D = E ⊕ (−D∗)

4. Output D

l doubles, one add, l/3 baby steps

– p. 19

Analysis

– p. 20

Analysis

Operation Count Doubles Adds Baby StepsImaginary l l/3 −

Real, Variable Base l l/3 d

Real, Fixed Base l 1 l/3

– p. 20

Analysis

Operation Count Doubles Adds Baby StepsImaginary l l/3 −

Real, Variable Base l l/3 d

Real, Fixed Base l 1 l/3

Naive Analysis:

– p. 20

Analysis

Operation Count Doubles Adds Baby StepsImaginary l l/3 −

Real, Variable Base l l/3 d

Real, Fixed Base l 1 l/3

Naive Analysis:

Real variable base scenario has about the same speedas imaginary model (neglecting the cost of baby steps)

– p. 20

Analysis

Operation Count Doubles Adds Baby StepsImaginary l l/3 −

Real, Variable Base l l/3 d

Real, Fixed Base l 1 l/3

Naive Analysis:

Real variable base scenario has about the same speedas imaginary model (neglecting the cost of baby steps)Real model fixed base scenario is about 25 percentfaster than imaginary model (factor 3/4)

– p. 20

Analysis

Operation Count Doubles Adds Baby StepsImaginary l l/3 −

Real, Variable Base l l/3 d

Real, Fixed Base l 1 l/3

Naive Analysis:

Real variable base scenario has about the same speedas imaginary model (neglecting the cost of baby steps)Real model fixed base scenario is about 25 percentfaster than imaginary model (factor 3/4)Key agreement is about 12.5 percent faster (factor 7/8)

– p. 20

Analysis

Operation Count Doubles Adds Baby StepsImaginary l l/3 −

Real, Variable Base l l/3 d

Real, Fixed Base l 1 l/3

Naive Analysis:

Real variable base scenario has about the same speedas imaginary model (neglecting the cost of baby steps)Real model fixed base scenario is about 25 percentfaster than imaginary model (factor 3/4)Key agreement is about 12.5 percent faster (factor 7/8)

Supported by numerical data, but not quite fair comparison:imaginary model could use a “point” divisor D = P −∞ asbase divisor (Katagi, Kitamura, Akishita & Takagi 2005)

– p. 20

Discrete Logarithm Problem

– p. 21

Discrete Logarithm Problem

Imaginary Model – Jacobian DLP

– p. 21

Discrete Logarithm Problem

Imaginary Model – Jacobian DLP

Given a reduced divisor D and the reduced divisor inthe divisor class of nD, find n

– p. 21

Discrete Logarithm Problem

Imaginary Model – Jacobian DLP

Given a reduced divisor D and the reduced divisor inthe divisor class of nD, find n

Real Model – Infrastructure DLP

– p. 21

Discrete Logarithm Problem

Imaginary Model – Jacobian DLP

Given a reduced divisor D and the reduced divisor inthe divisor class of nD, find n

Real Model – Infrastructure DLP

Given a divisor D ∈ R and the divisor E ∈ R belownδ(D), find n

– p. 21

Discrete Logarithm Problem

Imaginary Model – Jacobian DLP

Given a reduced divisor D and the reduced divisor inthe divisor class of nD, find n

Real Model – Infrastructure DLP

Given a divisor D ∈ R and the divisor E ∈ R belownδ(D), find n

Given the divisor D(n) ∈ R below n, find suitable n

– p. 21

Discrete Logarithm Problem

Imaginary Model – Jacobian DLP

Given a reduced divisor D and the reduced divisor inthe divisor class of nD, find n

Real Model – Infrastructure DLP

Given a divisor D ∈ R and the divisor E ∈ R belownδ(D), find n

Given the divisor D(n) ∈ R below n, find suitable n

Given a divisor D ∈ R, find δ(D)

– p. 21

Discrete Logarithm Problem

Imaginary Model – Jacobian DLP

Given a reduced divisor D and the reduced divisor inthe divisor class of nD, find n

Real Model – Infrastructure DLP

Given a divisor D ∈ R and the divisor E ∈ R belownδ(D), find n

Given the divisor D(n) ∈ R below n, find suitable n

Given a divisor D ∈ R, find δ(D)

Given a reduced principal ideal in the coordinate ring ofC, find a generator (Principal Ideal Problem)

– p. 21

Discrete Logarithm Problem

Imaginary Model – Jacobian DLP

Given a reduced divisor D and the reduced divisor inthe divisor class of nD, find n

Real Model – Infrastructure DLP

Given a divisor D ∈ R and the divisor E ∈ R belownδ(D), find n

Given the divisor D(n) ∈ R below n, find suitable n

Given a divisor D ∈ R, find δ(D)

Given a reduced principal ideal in the coordinate ring ofC, find a generator (Principal Ideal Problem)

Security of both DLPs seems to be the same – exponential

– p. 21

Summary and Further Research

– p. 22

Summary and Further ResearchIdea: Replace giant steps by baby steps where possible

– p. 22

Summary and Further ResearchIdea: Replace giant steps by baby steps where possible

Present and Future Work

– p. 22

Summary and Further ResearchIdea: Replace giant steps by baby steps where possible

Present and Future Work

NUCOMP – exact operation count and comparison withCantor giant steps

– p. 22

Summary and Further ResearchIdea: Replace giant steps by baby steps where possible

Present and Future Work

NUCOMP – exact operation count and comparison withCantor giant steps

Explicit formulas for low genus giant steps, real model

– p. 22

Summary and Further ResearchIdea: Replace giant steps by baby steps where possible

Present and Future Work

NUCOMP – exact operation count and comparison withCantor giant steps

Explicit formulas for low genus giant steps, real model

Explicit formulas for low genus giant steps, based onNUCOMP, both models

– p. 22

Summary and Further ResearchIdea: Replace giant steps by baby steps where possible

Present and Future Work

NUCOMP – exact operation count and comparison withCantor giant steps

Explicit formulas for low genus giant steps, real model

Explicit formulas for low genus giant steps, based onNUCOMP, both models

Use the baby step giant step framework to to speed upthe DLP in R or in J ? And to find R or |J |?

– p. 22

Summary and Further ResearchIdea: Replace giant steps by baby steps where possible

Present and Future Work

NUCOMP – exact operation count and comparison withCantor giant steps

Explicit formulas for low genus giant steps, real model

Explicit formulas for low genus giant steps, based onNUCOMP, both models

Use the baby step giant step framework to to speed upthe DLP in R or in J ? And to find R or |J |?

Structural relationship between R and J ?

– p. 22

Summary and Further ResearchIdea: Replace giant steps by baby steps where possible

Present and Future Work

NUCOMP – exact operation count and comparison withCantor giant steps

Explicit formulas for low genus giant steps, real model

Explicit formulas for low genus giant steps, based onNUCOMP, both models

Use the baby step giant step framework to to speed upthe DLP in R or in J ? And to find R or |J |?

Structural relationship between R and J ?

Special types of curves?

– p. 22

Some General References1. H. Cohen, G. Frey, R. Avanzi, C. Doche, T. Lange, K. Nguyen and F. Vercouteren,

Handbook of Elliptic and Hyperelliptic Curve Cryptography, Chapman & Hall/CRC,Boca Raton (Florida), 2006

2. M. J. Jacobson, Jr., A. J. Menezes and A. Stein, Hyperelliptic curves and cryptography,in High Primes and Misdemeanors: Lectures in Honour of the 60th Birthday of HughCowie Williams, Fields Institute Communications 41, American Mathematical Society,Providence (Rhode Island) 2004, 255-282

3. M. J. Jacobson, Jr., R. Scheidler and A. Stein, Cryptographic protocols on realhyperelliptic curves. Advances in Mathematics of Communications 1 (2007), 197-221

4. M. J. Jacobson, Jr., R. Scheidler and A. Stein, Fast arithmetic on hyperelliptic curvesvia continued fraction expansions. Advances in Coding Theory and Cryptology, Serieson Coding Theory and Cryptology 2, World Scientific Publishing Co. Pte. Ltd.,Hackensack (New Jersey) 2007, 201-244

5. A. J. Menezes, Y.-H. Wu and R. J. Zuccherato, An elementary introduction tohyperelliptic curves, in Algebraic Aspects of Cryptography, Algorithms andComputation in Mathematics 3, Springer, Berlin (Germany) 1998, 155-178

6. R. Scheidler, A. Stein and H. C. Williams, Key exchange in real quadratic congruencefunction fields. Designs, Codes and Cryptography 7 (1996), 153-174

– p. 23