Divisor theory

P P P

ord f =ord g −ord h .

Theorem 2.2

Let f ∈K C( ) be a rational function. Then _P( ) 0

P C

ord f

∈

∑

= ^. This proof can be found in [24].

2.3 Divisor theory

Divisors are useful for keeping track of the zeros and poles of a rational function.

In this section we give the basic definitions and properties of divisors. For simplicity, we are working in an algebraic closure K . Later we will give the definitions over a finite field K in chapter 3.

Definition 2.26 (Divisor, degree, order, support)

A divisor D is a formal sum of points in C: _P

P C

D m P

∈

=

∑

^{, mP}∈ , where only a finite number of mP is non-zero.

The degree of D is the integer deg( ) _P

The set of all divisors, denoted by D, forms an additive group under the addition rule:

Definition 2.28 (Gcd of divisors)

Let _{1 P} is indeed a finite formal sum and has degree 0.

Definition 2.30 (Principal divisor group)

The group of principal divisors is a subgroup of D⁰ and is defined by:

( ) { ( ) | ( )}

P=P C = div R R∈K C . We have that P⊂D⁰ ⊂ . D

Definition 2.31 (Jacobian)

The Jacobian of the curve C is defined by the quotient group:

J = J(C) = D⁰/P.

If D1, D2∈ D⁰ then we write D1~ D₂ if D₁- D₂∈P; D1 and D2 are said to be equivalent divisors.

Example 2.3 (Elliptic curve)

Consider the following algebraic curve in affine space:

I(CR) : f x y( , )=y²−(x³− + in [ , ]x 1) x y

Figure 2.1

An elliptic curve C and rational function L1 over

The algebraic closure of is the field of the complex numbers; we still denote it as K .

The affine variety over K is given by ( ) {( , ) | ,I C = x y x y∈K f x y, ( , ) 0}= . The coordinate ring of C is given by the quotient ring :

(

^{2 3}

)

[ ] [ , ]/ ( 1)

K C =K x y y − x − +x . P

Q

R

R

x3

L1(x, y)=x-y+1

C:

The function field of C is given by: ( ) g| , [ ]

The line through the point P, Q is a rational function given by L1(x, y).

( )1 3 ( ) ( ) ( )

Hence D1+D2~D3, the Jacobian group law is the same as point addition on an elliptic curve.

Chapter 3

Hyperelliptic Curves

Hyperelliptic curve is a kind of algebraic curve, and elliptic curve is a special case of hyperelliptic curve. In chapter 2, we defined the function field of an algebraic curve. The Jacobian is the group of degree zero divisors modulo principal divisors, i.e. the quotient group J = D⁰/P over an algebraic closed field K . Since the implementation of arithmetic on a hyperelliptic curve works with the base field K, we need to know the definitions over K.

Let C be a hyperelliptic curve defined over a finite field K. Let P = (x, y) ∈C, and let σ be an automorphism of K over K which means σ is an isomorphism from K to itself and σ(x) = x for all x ∈K. Then P^σ : ( ,= x^σ y^σ) is also a point on C, and ∞ = ∞ . ^σ

Definition 3.1 (Field of definition of a divisor)

A divisor D=

∑

m P_P is said to be defined over K if D^σ :=

∑

m P_P ^σ is equal to D for all automorphisms of K over K.

Notice that the set of all automorphisms of K over K is the Galois Group

(

^/

)

Gal K K defined in Definition 2.10 (Galois Group).

If a divisor D is defined over K, it does not mean that each point in the support of D is a K-rational point. A principal divisor is defined over K if and only if it is a

divisors defined over K in J is a subgroup of J.

Since each element of the Jacobian is a coset, we need a unique representation for the divisors in the Jacobian. Such divisors exist and are called reduced divisor, which is introduced in section 3.2. In section 3.3, we introduce the Mumford’s representation [27]: a reduced divisor can be represented by the gcd of two polynomials a(x) and y- b(x). The points associated to the corresponding divisor are the roots of both a(x) and y- b(x). These two polynomials can also be seen as ideals modulo principal ideals. The equivalence classes are called ideal classes. Adding divisors in the Jacobian is the same as composing ideals. Cantor’s algorithm [2] can efficiently compute the group operation of two divisors in the Jacobian.

3.1 Definitions and properties

We use K to denote a field and K to denote the algebraic closure of K in this chapter.

Definition 3.2 (Hyperelliptic curve)

A hyperelliptic curve of genus g over K is an equation of the form

C: y²+h x y( ) = f x( ) in K[x, y], where deg(h(x)) ≦ g, deg(f(x)) = 2g+1, f(x) is a monic polynomial, and the integer g ≧ 1. A hyperelliptic curve C should be non-singular, that is, there are no solutions (x, y)∈ × on curve C which satisfy K K both partial derivative equations 2y+h x( ) 0= and '( )h x y− f x'( ) 0= .

Definition 3.3 (K-rational points)

The set ^{C K( )=}

{

^{( , ) | ,x y x y∈K y, 2+h x y( ) = f x( )}

}

∪ ∞ is called the set of ^{{ }}

K-rational points on C. The point ∞ is called the point at infinity.

Definition 3.4 (Opposite, special and ordinary points)

For P=(x, y) ∈C the opposite of P is the point P=( ,x − −y h x( )). If P= P then it is called special point, otherwise it is called ordinary. The opposite of the point at infinity ∞ is defined as ∞ = ∞ , hence is a special point.

Under the change of variables xÆx, yÆ(y-h(x)/2), the equation of C is

transformed to ( ) ² ( )

= 2g+1 and deg(a(x)+b(x)) = deg(h(x)) ≦g which is impossible.

3.2 Reduced divisors

We defined the Jacobian of curves in chapter 2, and with the definitions in section 3.1, we know that the Jacobian of a hyperelliptic curve C is J = D⁰/P. Note that two divisors D1 and D2 in J are said to be equivalent if they are in the same equivalence class, i.e. D1-D2∈P, denoted by D1~D2. In the following we introduce reduced divisor to uniquely represent the divisors in the same equivalence class of J.

Definition 3.5 (Semi-reduced divisor)

A semi-reduced divisor is a degree zero divisor of the form

\ \ then D is called a reduced divisor.

Lemma 3.3

For each divisor D∈D⁰ there exists a semi-reduced divisor D1∈D⁰ such that D~D1.

Proof:

Let

When we implement a hyperelliptic curve cryptosystem, we work over a finite field K. In the following, we introduce the computational representation of reduced divisors of the Jacobian defined over K, which is so-called Mumford representation [27].

Fact 3.1 (Mumford representation)

For a hyperelliptic curve C: y²+h x y( ) = f y( ) in K x y[ , ] , and

( , )

( )

i i i

i i i

P x y C

D m P m

= ∈

=

∑

−

∑

∞ be a semi-reduced divisor, we can use two

polynomials a(x), b(x) ∈K x[ ] to uniquely represent D. Let a x( )=

∏

(x−x_i)^mi. Let b(x) be the unique polynomial satisfying:

(i) degx(b) < degx(a),

(ii) b(xi) = yi for all i which mi ≠0,

(iii) a(x) divides (b x( )²+b x h x( ) ( )− f x( )).

Then D = gcd(div(a(x)), div(b(x)-y)); we usually simplify the notation as div(a, b).

If D=div(a, b) is a reduced divisor, then deg ( )_x a =

∑

m_i ≤genus^.

The zero divisor, the identity of JC(K), is represented by div(1, 0). The opposite of a divisor div(a, b) is given by div(a, -h-b), which is also called involution.

This means div(a, b) + div(a, -h-b) ~ div(1, 0) under the Jacobian group law.

Fact 3.2 (Hasse-Weil Bound)

Let C be a hyperelliptic curve of genus g defined over Fq. Then the bound of the order of JC(Fq) is given by:

(

^q−1

)

^{2g ≤#JC( )Fq ≤}

(

^q+1

)

^2g,

and the number of Fq-rational points is:

1 2 # ( )_q 1 2

q+ − g q≤ C F ≤ + +q g q.

As a result, we know that #J_C( )F_q ≈q^g and # ( )C F_q ≈ . q

3.4 Group law

By using Mumford representation described in the previous section, Cantor’s algorithm [2] can compute the group operation of JC(K) efficiently.

Algorithm 3.1 (Cantor’s algorithm)

In Cantor’s algorithm, the composition phase gives a semi-reduced divisor div(a, b) ~ D1+D2, and the reduction phase reduces a semi-reduced divisor to the unique reduced divisor.

Example 3.1

Since deg(a)=1≦2, the divisor div(a, b) is already reduced.

Then, we have D1+ D2 = div(x+1, 0) + div(x²+1, x) = div(x+1, 1).

In recent years, several researchers have derived the explicit formulas for small genus hyperelliptic curves from Cantor’s algorithm. They investigate what can be the input of Cantor’s algorithm and proceed in considering these different cases.

With careful analysis, some redundant field operations can be omitted in explicit formulas. For example, Lange [22] presents explicit formulas for the group law of genus 2 hyperelliptic curves, and the most common case in the addition of two reduced divisor requires 1 inversion, 12 multiplications, and 2 squarings. The

explicit formulas for genus 3 hyperelliptic curves can be found in [17]. When genus becomes higher than 4, the explicit formulas is getting too complicated and may not be possibly derived by hand.

3.5 Hyperelliptic curve discrete log problem (HCDLP)

The security of several cryptosystems is related to the difficulty of computing discrete logarithms modulo a large prime number p; i.e. given two numbers (g mod p) and (g^x mod p), it seems to be infeasible to compute x when p is large enough.

Instead of using the DLP modulo a large prime p as the basis of cryptographic protocols, one can consider the DLP in an arbitrary group that admits an efficient

element representation and group law.

Definition 3.7 (DLP)

Let G be a finite cyclic group G= <g> of order n, and given an element h∈G..

The discrete logarithm problem is to find the integer x∈[0, n-1], such that g^x=h.

Since the Jacobian of a hyperelliptic curve is also a finite abelian group, based on the difficulty of the DLP, it can be designed for cryptographic use.

Definition 3.8 (HCDLP)

Let C be a hyperelliptic curve over a finite field Fq and JC(Fq) its Jacobian with order # JC(Fq) = n. Given two reduced divisors D1, D2∈JC(Fq) and D2∈<D1>.

The hyperelliptic curve discrete logarithm problem is to find the integer λ∈[0, n-1], such that λD1=D2.

Example 3.2

Consider the genus 2 hyperelliptic curve: C: y2 = x5 + 2x4 + 1 in F3[x, y]. The partial derivatives are 2x⁴ + 2x³=0 and 2y=0. Since there are no points in F F× which satisfy C and the partial derivatives, the hyperelliptic curve is non-singular.

Although the divisors are defined over F3, the points in the support of a divisor are in F . 32

The finite field 2

2

3 3[ ]/( 1) {0,1 , 2 ,1 2 , 2, 2 2 , , 2 ,1}

F ≅F x x + = +i i + i + i i +i . The F -rational points are P32 1 = (0, 1), P2 = (1, 2), P3 = (1, 1), P4 = (0, 2), P5 = (2+i, 2+2i), P6 = (2+2i, 2+i), P7 = (i, 2+i), P8 = (2i, 2+2i),

P9 = (i, 1+2i), P10 = (2i, 1+i), P11 = (2+i, 1+i), P12 = (2+2i, 1+2i), ∞.

The order of Jacobian #JC(F3) = 17.

Let D1 = div(x², 1). We can use D1 as the generator of the group, and use

Cantor’s algorithm to generate the group elements.

1 D1 = div(x², 1) = P1 + P1 - 2∞

2 D1 = div(x+2, 2) = P2 - ∞ 3 D1 = div(x²+2x+2, 2x+1) = P5 + P6 - 2∞

4 D1 = div(x²+x+1, x+1) = P2 + P2 - 2∞

5 D1 = div(x²+1, x+1) = P9 + P10 - 2∞

6 D1 = div(x²+2x, 2x+2) = P3 + P4 - 2∞

7 D1 = div(x²+2x, 1) = P1 + P3 - 2∞

8 D1 = div(x, 2) = P4 - ∞ 9 D1 = div(x, 1) = P1 - ∞ 10D1 = div(x²+2x, 2) = P2 + P4 - 2∞

11D1 = div(x²+2x, x+1) = P1 + P2 - 2∞

12D1 = div(x²+1, x+2) = P7 + P8 - 2∞

13D1 = div(x²+x+1, 2x+2) = P3 + P3 - 2∞

14D1 = div(x²+2x+2, x+2) = P11 + P12 - 2∞

15D1 = div(x²+2, 1) = P3 - ∞ 16D1 = div(x², 2) = P4 + P4 - 2∞

17D1 = div(1, 0)

Chapter 4

Algorithms for HCDLP

4.1 Introduction

The best known algorithm for solving the DLP in generic groups is Pollard’s rho algorithm. Pollard’s algorithm has an exponential expected running time of

2 πn group operations and negligible storage requirements. In order to prevent such square-root attacks, the group order n must have a large prime factor. There are faster algorithms for the DLP than Pollard’s rho method. The most powerful is the index calculus method which yields subexponential-time algorithms for the DLP in some groups.

The first subexponential-time algorithm to compute discrete logarithms over hyperelliptic curves of large genus is introduced by Adleman, DeMassais and Huang [1] in 1994. This algorithm was rather theoretical, and some improvements on it were done by other researchers. Flassenberg and Paulus [9] implemented a sieve version of this algorithm, but the consequence for cryptographical applications is not clear. Enge [6] improved the original algorithm and gave a precise evaluation of the running time, but did not implement his ideas. Muller, Stein and Thiel [26] extended the resultsto the real quadratic congruence function fields. Smart and Galbraith [12]

also gave some ideas in the context of the Weil descent, following ideas of Frey; they dealt with general curves (not hyperelliptic). We will not discuss those in details but list them as references.

When the index calculus algorithm is applied on the small genus HCDLP, even the fastest variation is not faster than Pollard’s rho method for the genus less than 3.

Hence the use of hyperelliptic curves in public-key cryptography appears as an alternative to the use of elliptic curves, with the advantage that it can be used in a smaller base field for the same level of security. In order to analyze the security of such systems, we need to know how the index calculus method works for solving small genus HCDLP.

In 2000, Gaudry [13] first presented a variation of index calculus attack for a hyperelliptic curve of genus g over Fq that could solve the HCDLP in time O q( )² . And Harley [13] improved this algorithm with reduced factor base such that HCDLP

can be solved in time almost-smooth divisor which contains exactly one large prime. Theriault’s

algorithm [32] works in time

2 4

By considering double large prime, the time complexity of hyperelliptic index

calculus algorithm can be reduced to

2 2 independently by Gaudry et al. [16] and Naogo [28] in 2004. They used different tricks to handle large primes, but got the same time complexity. We discuss these variations of index calculus algorithm for small genus HCDLP in section 4.2.

However, the double large prime variation can not be applied on genus 2 hyperelliptic curves. We propose an algorithm that can solve the genus 2 HCDLP with time complexity O(q) in Chapter 5 which can be comparable to Pollard’s rho method. Table 4.1 shows the comparison between these algorithms described above.

Our algorithm has the same time complexity as Pollard’s rho method but smaller

hiding constant term. We also have detailed analysis in Chapter 5.

Table 4.1 Time complexity of algorithms solving HCDLP

Genus g 2 3 4 5 6

4.2 Index calculus algorithm for small genus HCDLP

A reduced divisor in the Jacobian JC(K) is represented by two polynomials (a, b), and the factorization of a as polynomial in K[x] is compatible with the Jacobian group law. This is the key stone for defining a smooth divisor and then the index calculus algorithm.

Fact 4.1 (Factorization)

Let C be a hyperelliptic curve over a finite field Fq. Let D=div(a, b) be a

∏

irreducible factors of a(x) in Fq[x]. Let bi(x) = b(x) (mod ai(x)).

Then Di = div(ai, bi) is a reduced divisor and D=D=

∑

D_i ^{in JC(Fq).}

Remark 4.1

To factor polynomials over finite fields we can use the Cantor-Zassenhaus algorithm, which is invented by D. Cantor and Hans Zassenhaus in 1981 [3]. It is currently implemented in many well-known computer algebra systems.

With this result in Fact 4.1, a reduced divisor can be rewritten as the sum of reduced divisors of smaller deg(ai), and deg( )a =

∑

deg( )a_i . If the a-polynomial of a reduced divisor D is irreducible then it can not be rewritten as their decomposition.

We call them primes in JC(Fq).

Definition 4.1 (Prime)

A reduced divisor D=div(a, b) ∈ JC(Fq) is said to be prime if the polynomial a is irreducible in Fq[x].

Definition 4.2 (B-smooth)

Let B be an integer. A divisor is said to be B-smooth if all the prime divisors in its factorization of a-polynomial have degree at most B. When B= 1, a 1-smooth divisor will be a divisor for which the polynomial a splits completely over Fq.

We give a sketch of the index calculus algorithm in the following. Several improvements described in this section are based on this algorithm.

Algorithm 4.1 Hyperelliptic index calculus algorithm

Input: A divisor D1 in JC(F_q) with know order n = ord(D1),

and a divisor D2∈<D1>.

Output: An integer λ sucht that D2=λD1.

1. Fix smoothness bound B and construct the factor base F.

2. While not enough relations have been found do:

Pick a random element R=αD1+βD2.

If R is smooth, record the corresponding relation.

3. Solve the linear algebra system over Zn. 4. Return λ.

The factor base F contains all the prime reduced divisors which a-polynomial has degree at most B: F ={D∈J_C( ) :F_q D=div a b is prime( , ) , deg( )a ≤B} . For convenience, we use gi for i=1,2,…,#F to denote the element in F. To find all the prime divisors in F, it suffices to test all the monic polynomial a(x) of degree at most B, checking if it is irreducible and if there exists a polynomial b(x) such that

div(a, b)∈JC(Fq).

While searching the smooth relations in step 2, a naive way to select a random element R=αD1+βD2 is costly: two integers α and β are randomly chosen in [0, n-1]

and then two scalar multiplications have to be done. It costs O(log n) group operations. We can use a pseudo random walk instead, so that each new random element R costs just one group operation.

Let R₀ =α₀D₁+β₀D₂ be the starting point of the walk where α0 and β0 are random integers in [0, n-1]. For j from 1 to r, we compute random divisors T =a D +b D . The walk Ri+1 will then be given by adding one of the Tj to Ri.

The index j∈[1, r] is given by a hush function H evaluated at Ri. In other words, Ri+1=Ri+Tj where j=H(Ri)∈ [1, r], and αi+1=αi +aj, βi+1 = βi+ bj. Once the initialization is finished, we can compute a new pseudo-random element Ri+1 at the cost of one addition in the Jacobian. Practical experiments suggest that by taking r=

20 the pseudo random walk behaves almost like a purely random walk.

For each Ri of the random walk, test its smoothness by factoring the a-polynomial of Ri. If all its irreducible factors have degree at most B (then it is smooth), express it on the factor base; otherwise, throw it away. Thus we collect a subsequence of the sequence (Ri) where all the divisors are smooth. We denote this subsequence by (Sk) with kth smooth element Sk=αkD1+βkD2. Hence we can put the result of this computation in a matrix M, each column representing an element of the factor base, and each row being a reduced divisor Sk expressed on the basis: for a row

k, we have _{1 2}

Using linear algebra, we find a non-zero vector (γk) of this kernel, which

corresponds to a relation between the Sk’s. So that

( ) (

¹

)

²

discrete logarithm is now found with high probability, because the denominator is zero with probability 1

n.

In this algorithm, there are two crucial points: one is to search enough smooth relations, and another is to solve the large linear system. In the matrix obtained in the algorithm, each row is a smooth divisor written as sum of at most g elements of the factor base. Hence the matrix is very sparse, and we have at most g terms in

each row. For such a sparse matrix, Lanczos’s [21] or Wiedemann’s [33][5]

algorithm can be used, in order to get a solution in time quadratic in the number of rows, instead of cubic by Gaussian elimination.

We know that the index calculus algorithm can solve HCDLP in a

subexponential time 1 most 9), the theoretical optimal smoothness bound 1

log , 2

2

q qg

B=⎡⎢⎢ L ⎛⎜⎝ ⎞⎟⎠⎤⎥⎥ which tends to 0. In this case, B= 1 is the best choice. The first index calculus algorithm for hyperelliptic curve of small genus was proposed by Gaudry in 2000. We summarize in the following algorithm.

Algorithm 4.2 Index calculus algorithm for small genus HCDLP

Input: A hyperelliptic curve C of small genus g over Fq,

2. /* Initialization of the random walk */

For j from 1 to 20, select aj and bj at random in [0, n-1], and compute Tj := ajD1 + bjD2.

Select α0 and β0 at random in [0, n-1] and compute R0 := α0D1 +β0D2.

Set k to 1.

3. /* Main loop */

(a) /* Look for a smooth divisor */

Compute j := H(R0), R0 := R0 + Tj, α0 := α0 + aj mod n, andβ0 := β0 + bj mod n.

Repeat this step until R0 is a smooth divisor.

(b) /* Express R0 on the factor base F */

Factor a0(u) over Fq, and determine the positions of the factors in the basis G..

Store the result as a row Rk =

∑

m g_{ki i} of a matrix M = (mki).

Store the coefficients αk = α0 and βk = β0.

If k < #F + 1, then set k := k + 1, and return to step 3.a.

4. /* Linear algebra */

Find a non-zero vector (γk) of the kernel of the transpose of the matrix M.

The computation can be done in Zn.

The proportion of smooth divisors in the Jacobian of a curve of genus g over Fq

tends to 1

! g . Proof:

By the Hasse-Weil bound, #F= #C(Fq) = O(q) and #JC(Fq) = O(q^g). The smooth divisors can be written as the sum of at most g points in C(Fq), hence we have about

In step 1, we need to perform q times a resolution of an equation of degree 2 over

Fq. Step 2 requires a constant number of Jacobian operations. Step 3 is a loop of O(q) times to find enough smooth relations. In step 4, this linear algebra step consists in finding a vector of the kernel in a sparse matrix of size O(q), and of weight O(gq); the coefficient are in Zn. Hence Lanczos's algorithm provides a solution with cost O(gq²). This last step requires only O(q) multiplications modulo n, and one inversion. When q is large, we can regard g and logq as small constant. Then the complexity of this algorithm is O(q²).

Theorem 4.1 [13]

Let C be a hyperelliptic curve of genus g over the finite field Fq. If q>g! then the discrete logarithms in JC(Fq) can be computed in expected time ^{O g q}

(

^{3 2+ε}

)

^.

Example 4.1

Given a genus 2 hyperelliptic curve C: y² = x⁵ + 2x⁴ + 1 over F3. This curve is also used as an example in Example 3.2. Let D1 = div(x², 1) with ord(D1) = 17, and D2 = div(x²+1, x+2) ∈<D1>. We can use the index calculus algorithm described in Algorithm 4.2 to find an integer λ such that D2=λD1.

1. Construct factor base

F = {g1=div(x, 1), g2=div(x+2, 2), g3=div(x+2, 1), g4=div(x, 2)}.

2. Initialize the pseudo-random walk:

T1 = 2D1+ 10D2 = div(x²+2x+2, 2x+1) T2 = 13D1 + 5D2 = div(x²+1, x+1) T3 = 3D1 + 7D2 = div(x+2, 2)

3. Search enough smooth relations by using a pseudo random walk:

R0 = 1D1+1D2 = div(x²+x+1, 2x+2) = 2g3. R1 = R0+T2 =14D1+6D2 = div(x², 1) = 2g1. R2 = R1+T1 =16D1+16D2 = div(x²+x+1,x+1) = 2g2. R3 = R2+T1 = 1D1+9D2 = div(x²+2x, 1) = g1+g3. R4 = R3+T3 = 4D1+16D2 = div(x,1) = g1.

If Ri is smooth we can store it in a matrix M, otherwise discard it.

These smooth relations are stored in a matrix M:

4. When there is enough(#F+1 = 5) smooth relations, we can find a non-trivial kernel r of M, such that rM=0. We have r =(0, 1, 0, 0, -2)^T.

Because the running time for Gaudry’s algorithm is dominated by the cost of solving the linear algebra, a natural approach to improve the algorithm is to reduce the cost of linear algebra part. Hence we need to reduce the size of the linear system, which means reducing the size of factor base. This was first introduced by Robert Harley. We can choose the factor base F with |F|=q^r where r is a real number in the interval (0, 1). This increases the cost of searching relation, because it also reduces the proportion of the smooth divisors in the Jacobian. To balance the cost of the relation search and linear algebra

1

complexity of the index calculus algorithm with reduced factor base is

Let C be a hyperelliptic curve of genus g over the finite field Fq. If q>g! then

the discrete logarithms in JC(Fq) can be computed in expected time

2 2

4.2.2 Single large prime variation

As the index calculus algorithm for the multiplicative group of a finite field, the hyperelliptic index calculus algorithm can be improved by using large primes.

Definition 4.3 (Large prime)

Definition 4.4 (1-almost smooth divisor)

A reduced divisor D=

∑

m P_{i i}− ∞m is said to be 1-almost smooth if all but exactly one of the Pi’s are in F and the remaining Pi is a large prime.

Definition 4.5 (2-almost smooth divisor)

A reduced divisor D=

∑

m P_{i i}− ∞m is said to be 2-almost smooth if all but exactly two of the Pi’s are in F and the remaining Pi’s are two large primes.

Simple combinatorial arguments give good estimates for the probabilities of obtaining almost smooth divisors in the relation search.

Lemma 4.2

The probability for a random divisor to be smooth is approximately

( 1) The probability for a random divisor to be 1-almost smooth is approximately

( 1)( 1)

− . The probability for a random divisor to be 2-almost smooth is approximately

We now consider the single large prime variation of the index calculus algorithm.

In order to take advantage of the high number of 1-almost smooth divisors, we must

In order to take advantage of the high number of 1-almost smooth divisors, we must

在文檔中 超橢圓曲線密碼攻擊之研究 (頁 22-0)