The organization of the thesis

1.2 The organization of the thesis

The rest of this thesis is organized as follows.

In Chapter 2, we first review some important background in algebra, and introduce algebraic geometry including variety, algebraic curves, and so on. We also

elliptic curves [24]. The group on a hyperelliptic curve is also based on the divisors.

In Chapter 3, we define the hyperelliptic curves over a finite field and the additive group Jacobian associated with a hyperelliptic curve. After defining Jacobian group, we describe the Mumford representation which is used in Cantor’s algorithm to compute the group operation.

In Chapter 4, we describe the index calculus algorithm to solve hyperelliptic curve discrete logarithm problems and several improvements in recent years including the ideas of reduced factor base and large primes. The double large prime variation of hyperelliptic curve index calculus is better than others, and even better than Pollard’s rho method when the genus of the hyperelliptic curve is larger than 2.

In the case of genus 2 curves, Pollard’s rho algorithm is faster than index calculus algorithm. In Chapter 5, we propose an algorithm for solving genus 2 HCDLP which has the same time complexity as Pollard’s rho method. Several computational comparisons are given in section 5.4 to shows that our algorithm is faster than Pollard’s rho method in practice.

Finally, we summarize our results and propose future work in Chapter 6.

Chapter 2

Mathematical Background

This chapter introduces some elementary mathematical background used in this thesis, including definitions and theorems in abstract algebra and algebraic geometry.

If the readers are interested in more of the background, [10] and [11] give good introductions. In section 2.3, we introduce the divisor theory which is the basis of hyperelliptic curve group law. For more details on divisor theory, the reader is referred to [24][25].

2.1 Abstract algebra

Definition 2.1 (Group)

A group (G, *) is a set G with a binary operation * that satisfies the following four axioms:

¾ Closure: For all a, b in G, the result of a * b is also in G.

¾ Associativity: For all a, b and c in G, (a * b) * c = a * (b * c).

¾ Identity element: There exists an element e in G such that for all a in G, e*a=

a*e= a.

¾ Inverse element: For each a in G, there exists an element b in G such that a* b=

b* a = e, where e is an identity element.

Definition 2.2 (Abelian group)

A group G is said to be an abelian group (or commutative) if the operation is commutative, that is, for all a, b in G, a * b = b * a.

Definition 2.3 (Cyclic group)

A cyclic group is a group whose elements can be generated by successive composition of the group operation being applied to a single element of that group.

This single element is called the generator or primitive element of the group.

Example 2.1

<Z5, +> is an additive group under the addition modulo 5. The group is cyclic since it can be generated by a single element “1”, i.e. Z5 = <1> = {1, 2, 3, 4, 0}.

Theorem 2.1 (Lagrange’s theorem)

For any finite group G, the order (number of elements) of every subgroup H of G divides the order of G.

Proof:

This can be shown using the concept of left cosets of H in G. The left cosets are the equivalence classes of a certain equivalence relation on G and therefore form a partition of G. If we can show that all cosets of H have the same number of elements, then we are done, since H itself is a coset of H. Now, if aH and bH are two left cosets of H, we can define a map f : aH → bH by setting f(x) = ba^-1x. This map is bijective because its inverse is given by f ^-1(y) = ab^-1y.

This proof also shows that the quotient of the orders |G| / |H| is equal to the index [G:H] (the number of left cosets of H in G). If we write this statement as |G| = [G:H] ·

|H|.

Definition 2.4 (Ring)

A ring is a set R equipped with two binary operations + and · , called addition

and multiplication, such that:

¾ (R, +) is an abelian group with identity element 0,

¾ Multiplication is associative,

¾ Multiplication distributes over addition:

„ a·(b + c) = (a·b) + (a·c)

„ (a + b)·c = (a·c) + (b·c)

Definition 2.5 (Ideal)

An additive subgroup I of a ring R satisfying the properties: rx∈I, xr∈I for x∈I and r∈R is an ideal.

Example 2.2

„ The set of integers is a ring, and the set of even integers 2 is an ideal of .

„ The set R[x] of all polynomials in one variable x with coefficients in a ring R is a ring under polynomial addition and multiplication.

Definition 2.6 (Integral domain)

An integral domain is a commutative ring with 0 ≠ 1 such that ab = 0 implies that either a = 0 or b = 0 (the zero-product property). That is to say, it is a nontrivial ring without left or right zero divisors.

Definition 2.7 (Field)

A field (F, +, *) is defined by these properties:

¾ (F, +) is an abelian group with the additive identity 0.

¾ (F\{0}, *) is an abelian group with the multiplicative identity 1.

¾ The operation * is distributive over the operation +. For all a, b, c, belonging to

F, a * (b + c) = (a * b) + (a * c).

Definition 2.8 (Subfield, extension field)

A subset K of a field L is a subfield of L if K is itself a field with respect to the operations of L. L is said to be an extension field of K.

Fact 2.1 (Existence and uniqueness of finite fields)

1. If K is a finite field, then K contains p^d elements with p prime and d >= 1.

2. For every prime power order p^d, there is a unique (up to isomorphism) finite field of order p^d. It is an algebraic extension of degree d of Fp. The notation for a finite field of order q is Fq with q = p^d.

Definition 2.9 (Algebraic closure)

A field K is said to be algebraically closed if every polynomial f∈K[x] has a zero in K. Such a polynomial splits into linear factors over K.

Fact 2.2 (Algebraic closure of F

p

)

The algebraic closure F of a finite field F_q q is given by:

1

q qk

k

F F

∞

=

=

∪

Lemma 2.1 (Frobenius Automorphism)

Let Fq be a finite field with q=p^d. Then we have:

(i) a = a^p with a∈Fp

(ii) (a‧b)^p = a^p‧b^p for a, b∈Fq

(iii) (a+b)^p = a^p+b^p for a, b∈Fq

Consequently the following mapping is an automorphism:

σ: FqÆ Fq where σ(a) = a^p for a∈Fq

It is called the Frobenius Automorphism of Fq.

Proof:

(i) Since F_p^* is a cyclic group of order p-1, we have a^p-1 = 1 for all a∈F_p^*. Thus a^p = a for all a∈Fp.

(ii) It’s true since the operation ‧ is commutative.

(iii)

Notice that the binomial coefficients p i

⎛ ⎞⎜ ⎟

⎝ ⎠ for i = 1,…,p-1 are multiples of the characteristic p and reduce to zero.

Definition 2.10 (Galois Group)

The Galois Group is the group of all automorphisms acting on the field Fq, which leave the points of Fp invariant. It is a cyclic group of order d given by 1, σ, …, σ^d-1. That is the Galois Group Gal(Fq/Fp) = {1, σ, …, σ^d-1}.

2.2 Algebraic geometry

Let K be an algebraic closed field, we can define the following terms.

Definition 2.11 (Affine n-space)

The affine n-space is the set of n-tuples called points:

{ ( ,..., ) :1 }

n n

n i

A =AK = p= x x x ∈K .

Definition 2.12 (Affine algebraic set)

For each subset S of K x[ ,..., ]₁ x_n , define the zero-locus of S to be the set of points in Aⁿ on which the functions in S vanish:

( ) {Z S = p∈Aⁿ| ( ) 0 f p = for all f }∈S .

A subset V of Aⁿ is called an affine algebraic set if V = Z(S) for some S.

Definition 2.13 (Affine variety)

A nonempty affine algebraic set V is called irreducible if it cannot be written as the union of two proper affine algebraic subsets. An irreducible affine algebraic set is called an affine variety.

Definition 2.14 (Ideal of an affine variety)

Given a subset V of Aⁿ, let I(V) be the ideal of all functions vanishing on V:

{

¹

}

( ) [ ,..., ] | ( ) 0 _n

I V = f ∈K x x f p = for all p V∈ .

Similarly, we can define projective variety in projective space.

Definition 2.15 (Projective n-space)

The projective n-space over K , denoted P_kⁿ, or simply P , is the set of ⁿ equivalence classes of (n+1)-tuples

(

x0,...,x_n

)

of elements of K , not all zero, under

the equivalence relation given by

(

x0,...,x_n

)

~

(

λx0,...,λx_n

)

for all λ∈K, λ≠0. An element of Pⁿ is called a point. If P is a point, then any (n+1)-tuple

(

x0,...,x_n

)

in the equivalence class P is called a set of homogeneous coordinates for P.

Definition 2.16 (Homogeneous polynomial)

A polynomial f ∈K x[ ,..., ]₀ x_n is a homogeneous polynomial if

(

0,... _n

)

^{deg( )f}

(

0,... _n

)

f λx λx =λ f x x .

Definition 2.17 (Homogeneous ideal)

An ideal I ⊂K x[ ,..., ]₀ x_n is a homogeneous ideal if it is generated by homogeneous polynomials.

The homogeneity of the polynomial ensures that this construction is well-defined.

Definition 2.18 (Projective algebraic set, projective variety)

For each set S of homogeneous polynomials, define the zero-locus of S to be the set of points in Pⁿ on which the functions in S vanish:

( ) {Z S = p∈Pⁿ| ( ) 0 f p = for all f }∈S .

A subset V of Pⁿ is called a projective algebraic set if V = Z(S) for some S. An irreducible projective algebraic set is called a projective variety.

Definition 2.19 (Ideal of a projective variety)

Given a subset V of Pⁿ, let I(V) be the ideal generated by all homogeneous polynomials vanishing on V: I V^{( )}=

{

f ∈K x[ ,..., ] | ( ) 0 ⁰ x_n f p = for all p V∈

}

Definition 2.20 (Algebraic curve)

An algebraic curve over a field K is an equation f(x, y) =0, where f(x, y) is a polynomial in x and y with coefficients in K. A point on an algebraic curve is simply a solution of the equation of the curve. A K-rational point is a point (x, y) on the curve, where x and y are in the field K.

Definition 2.21 (Points at infinity)

Each affine space can be identified with a unique projective space. The points in Pⁿ, which are not defined in the corresponding affine space Aⁿ are called points at infinity.

For example, an affine variety C(I) is called an algebraic curve when I(C) consists of one polynomial in two variables which by definition of variety is irreducible. We will use C as the notation of an affine variety for which is an algebraic curve.

Definition 2.22 (Coordinate ring, polynomial function)

The coordinate ring of C is the quotient ring given by: [ ] ^{[ , ]} ( ) K x y K C = I C . Similarly the coordinate ring of C/K is the quotient ring given by: [ , ]

[ ] ( )

K x y K C = I C . An element of K C[ ] is called a polynomial function on C.

Definition 2.23 (Function field, rational function)

The function field K C( ) is given by the field of fractions of [ ]K C :

is said to have a pole at P. In this case we write ( )f P = ∞.

Definition 2.25 (Order)

The order of a polynomial function g∈K C[ ] at a point P∈C is the intersection multiplicity at that point and denoted by order ord_P( )g . Notice that P is a zero of g if and only if ord_P( )g > 0, and P is a pole of g if and only if ord_P( )g < 0.

The order of a rational function f =g h/ ∈K C( ) at a point P∈C is defined as

( ) ( ) ( )

P P P

ord f =ord g −ord h .

Theorem 2.2

Let f ∈K C( ) be a rational function. Then _P( ) 0

P C

ord f

∈

∑

= ^. This proof can be found in [24].

2.3 Divisor theory

Divisors are useful for keeping track of the zeros and poles of a rational function.

In this section we give the basic definitions and properties of divisors. For simplicity, we are working in an algebraic closure K . Later we will give the definitions over a finite field K in chapter 3.

Definition 2.26 (Divisor, degree, order, support)

A divisor D is a formal sum of points in C: _P

P C

D m P

∈

=

∑

^{, mP}∈ , where only a finite number of mP is non-zero.

The degree of D is the integer deg( ) _P

The set of all divisors, denoted by D, forms an additive group under the addition rule:

Definition 2.28 (Gcd of divisors)

Let _{1 P} is indeed a finite formal sum and has degree 0.

Definition 2.30 (Principal divisor group)

The group of principal divisors is a subgroup of D⁰ and is defined by:

( ) { ( ) | ( )}

P=P C = div R R∈K C . We have that P⊂D⁰ ⊂ . D

Definition 2.31 (Jacobian)

The Jacobian of the curve C is defined by the quotient group:

J = J(C) = D⁰/P.

If D1, D2∈ D⁰ then we write D1~ D₂ if D₁- D₂∈P; D1 and D2 are said to be equivalent divisors.

Example 2.3 (Elliptic curve)

Consider the following algebraic curve in affine space:

I(CR) : f x y( , )=y²−(x³− + in [ , ]x 1) x y

Figure 2.1

An elliptic curve C and rational function L1 over

The algebraic closure of is the field of the complex numbers; we still denote it as K .

The affine variety over K is given by ( ) {( , ) | ,I C = x y x y∈K f x y, ( , ) 0}= . The coordinate ring of C is given by the quotient ring :

(

^{2 3}

)

[ ] [ , ]/ ( 1)

K C =K x y y − x − +x . P

Q

R

R

x3

L1(x, y)=x-y+1

C:

The function field of C is given by: ( ) g| , [ ]

The line through the point P, Q is a rational function given by L1(x, y).

( )1 3 ( ) ( ) ( )

Hence D1+D2~D3, the Jacobian group law is the same as point addition on an elliptic curve.

Chapter 3

Hyperelliptic Curves

Hyperelliptic curve is a kind of algebraic curve, and elliptic curve is a special case of hyperelliptic curve. In chapter 2, we defined the function field of an algebraic curve. The Jacobian is the group of degree zero divisors modulo principal divisors, i.e. the quotient group J = D⁰/P over an algebraic closed field K . Since the implementation of arithmetic on a hyperelliptic curve works with the base field K, we need to know the definitions over K.

Let C be a hyperelliptic curve defined over a finite field K. Let P = (x, y) ∈C, and let σ be an automorphism of K over K which means σ is an isomorphism from K to itself and σ(x) = x for all x ∈K. Then P^σ : ( ,= x^σ y^σ) is also a point on C, and ∞ = ∞ . ^σ

Definition 3.1 (Field of definition of a divisor)

A divisor D=

∑

m P_P is said to be defined over K if D^σ :=

∑

m P_P ^σ is equal to D for all automorphisms of K over K.

Notice that the set of all automorphisms of K over K is the Galois Group

(

^/

)

Gal K K defined in Definition 2.10 (Galois Group).

If a divisor D is defined over K, it does not mean that each point in the support of D is a K-rational point. A principal divisor is defined over K if and only if it is a

divisors defined over K in J is a subgroup of J.

Since each element of the Jacobian is a coset, we need a unique representation for the divisors in the Jacobian. Such divisors exist and are called reduced divisor, which is introduced in section 3.2. In section 3.3, we introduce the Mumford’s representation [27]: a reduced divisor can be represented by the gcd of two polynomials a(x) and y- b(x). The points associated to the corresponding divisor are the roots of both a(x) and y- b(x). These two polynomials can also be seen as ideals modulo principal ideals. The equivalence classes are called ideal classes. Adding divisors in the Jacobian is the same as composing ideals. Cantor’s algorithm [2] can efficiently compute the group operation of two divisors in the Jacobian.

3.1 Definitions and properties

We use K to denote a field and K to denote the algebraic closure of K in this chapter.

Definition 3.2 (Hyperelliptic curve)

A hyperelliptic curve of genus g over K is an equation of the form

C: y²+h x y( ) = f x( ) in K[x, y], where deg(h(x)) ≦ g, deg(f(x)) = 2g+1, f(x) is a monic polynomial, and the integer g ≧ 1. A hyperelliptic curve C should be non-singular, that is, there are no solutions (x, y)∈ × on curve C which satisfy K K both partial derivative equations 2y+h x( ) 0= and '( )h x y− f x'( ) 0= .

Definition 3.3 (K-rational points)

The set ^{C K( )=}

{

^{( , ) | ,x y x y∈K y, 2+h x y( ) = f x( )}

}

∪ ∞ is called the set of ^{{ }}

K-rational points on C. The point ∞ is called the point at infinity.

Definition 3.4 (Opposite, special and ordinary points)

For P=(x, y) ∈C the opposite of P is the point P=( ,x − −y h x( )). If P= P then it is called special point, otherwise it is called ordinary. The opposite of the point at infinity ∞ is defined as ∞ = ∞ , hence is a special point.

Under the change of variables xÆx, yÆ(y-h(x)/2), the equation of C is

transformed to ( ) ² ( )

= 2g+1 and deg(a(x)+b(x)) = deg(h(x)) ≦g which is impossible.

3.2 Reduced divisors

We defined the Jacobian of curves in chapter 2, and with the definitions in section 3.1, we know that the Jacobian of a hyperelliptic curve C is J = D⁰/P. Note that two divisors D1 and D2 in J are said to be equivalent if they are in the same equivalence class, i.e. D1-D2∈P, denoted by D1~D2. In the following we introduce reduced divisor to uniquely represent the divisors in the same equivalence class of J.

Definition 3.5 (Semi-reduced divisor)

A semi-reduced divisor is a degree zero divisor of the form

\ \ then D is called a reduced divisor.

Lemma 3.3

For each divisor D∈D⁰ there exists a semi-reduced divisor D1∈D⁰ such that D~D1.

Proof:

Let

When we implement a hyperelliptic curve cryptosystem, we work over a finite field K. In the following, we introduce the computational representation of reduced divisors of the Jacobian defined over K, which is so-called Mumford representation [27].

Fact 3.1 (Mumford representation)

For a hyperelliptic curve C: y²+h x y( ) = f y( ) in K x y[ , ] , and

( , )

( )

i i i

i i i

P x y C

D m P m

= ∈

=

∑

−

∑

∞ be a semi-reduced divisor, we can use two

polynomials a(x), b(x) ∈K x[ ] to uniquely represent D. Let a x( )=

∏

(x−x_i)^mi. Let b(x) be the unique polynomial satisfying:

(i) degx(b) < degx(a),

(ii) b(xi) = yi for all i which mi ≠0,

(iii) a(x) divides (b x( )²+b x h x( ) ( )− f x( )).

Then D = gcd(div(a(x)), div(b(x)-y)); we usually simplify the notation as div(a, b).

If D=div(a, b) is a reduced divisor, then deg ( )_x a =

∑

m_i ≤genus^.

The zero divisor, the identity of JC(K), is represented by div(1, 0). The opposite of a divisor div(a, b) is given by div(a, -h-b), which is also called involution.

This means div(a, b) + div(a, -h-b) ~ div(1, 0) under the Jacobian group law.

Fact 3.2 (Hasse-Weil Bound)

Let C be a hyperelliptic curve of genus g defined over Fq. Then the bound of the order of JC(Fq) is given by:

(

^q−1

)

^{2g ≤#JC( )Fq ≤}

(

^q+1

)

^2g,

and the number of Fq-rational points is:

1 2 # ( )_q 1 2

q+ − g q≤ C F ≤ + +q g q.

As a result, we know that #J_C( )F_q ≈q^g and # ( )C F_q ≈ . q

3.4 Group law

By using Mumford representation described in the previous section, Cantor’s algorithm [2] can compute the group operation of JC(K) efficiently.

Algorithm 3.1 (Cantor’s algorithm)

In Cantor’s algorithm, the composition phase gives a semi-reduced divisor div(a, b) ~ D1+D2, and the reduction phase reduces a semi-reduced divisor to the unique reduced divisor.

Example 3.1

Since deg(a)=1≦2, the divisor div(a, b) is already reduced.

Then, we have D1+ D2 = div(x+1, 0) + div(x²+1, x) = div(x+1, 1).

In recent years, several researchers have derived the explicit formulas for small genus hyperelliptic curves from Cantor’s algorithm. They investigate what can be the input of Cantor’s algorithm and proceed in considering these different cases.

With careful analysis, some redundant field operations can be omitted in explicit formulas. For example, Lange [22] presents explicit formulas for the group law of genus 2 hyperelliptic curves, and the most common case in the addition of two reduced divisor requires 1 inversion, 12 multiplications, and 2 squarings. The

explicit formulas for genus 3 hyperelliptic curves can be found in [17]. When genus becomes higher than 4, the explicit formulas is getting too complicated and may not be possibly derived by hand.

3.5 Hyperelliptic curve discrete log problem (HCDLP)

The security of several cryptosystems is related to the difficulty of computing discrete logarithms modulo a large prime number p; i.e. given two numbers (g mod p) and (g^x mod p), it seems to be infeasible to compute x when p is large enough.

Instead of using the DLP modulo a large prime p as the basis of cryptographic protocols, one can consider the DLP in an arbitrary group that admits an efficient

element representation and group law.

Definition 3.7 (DLP)

Let G be a finite cyclic group G= <g> of order n, and given an element h∈G..

The discrete logarithm problem is to find the integer x∈[0, n-1], such that g^x=h.

Since the Jacobian of a hyperelliptic curve is also a finite abelian group, based on the difficulty of the DLP, it can be designed for cryptographic use.

Definition 3.8 (HCDLP)

Let C be a hyperelliptic curve over a finite field Fq and JC(Fq) its Jacobian with order # JC(Fq) = n. Given two reduced divisors D1, D2∈JC(Fq) and D2∈<D1>.

The hyperelliptic curve discrete logarithm problem is to find the integer λ∈[0, n-1], such that λD1=D2.

Example 3.2

Consider the genus 2 hyperelliptic curve: C: y2 = x5 + 2x4 + 1 in F3[x, y]. The partial derivatives are 2x⁴ + 2x³=0 and 2y=0. Since there are no points in F F× which satisfy C and the partial derivatives, the hyperelliptic curve is non-singular.

Although the divisors are defined over F3, the points in the support of a divisor are in F . 32

The finite field 2

2

3 3[ ]/( 1) {0,1 , 2 ,1 2 , 2, 2 2 , , 2 ,1}

F ≅F x x + = +i i + i + i i +i . The F -rational points are P32 1 = (0, 1), P2 = (1, 2), P3 = (1, 1), P4 = (0, 2), P5 = (2+i, 2+2i), P6 = (2+2i, 2+i), P7 = (i, 2+i), P8 = (2i, 2+2i),

P9 = (i, 1+2i), P10 = (2i, 1+i), P11 = (2+i, 1+i), P12 = (2+2i, 1+2i), ∞.

The order of Jacobian #JC(F3) = 17.

Let D1 = div(x², 1). We can use D1 as the generator of the group, and use

Cantor’s algorithm to generate the group elements.

1 D1 = div(x², 1) = P1 + P1 - 2∞

2 D1 = div(x+2, 2) = P2 - ∞ 3 D1 = div(x²+2x+2, 2x+1) = P5 + P6 - 2∞

4 D1 = div(x²+x+1, x+1) = P2 + P2 - 2∞

5 D1 = div(x²+1, x+1) = P9 + P10 - 2∞

6 D1 = div(x²+2x, 2x+2) = P3 + P4 - 2∞

7 D1 = div(x²+2x, 1) = P1 + P3 - 2∞

8 D1 = div(x, 2) = P4 - ∞ 9 D1 = div(x, 1) = P1 - ∞ 10D1 = div(x²+2x, 2) = P2 + P4 - 2∞

11D1 = div(x²+2x, x+1) = P1 + P2 - 2∞

12D1 = div(x²+1, x+2) = P7 + P8 - 2∞

13D1 = div(x²+x+1, 2x+2) = P3 + P3 - 2∞

14D1 = div(x²+2x+2, x+2) = P11 + P12 - 2∞

15D1 = div(x²+2, 1) = P3 - ∞ 16D1 = div(x², 2) = P4 + P4 - 2∞

17D1 = div(1, 0)

Chapter 4

Algorithms for HCDLP

4.1 Introduction

The best known algorithm for solving the DLP in generic groups is Pollard’s rho algorithm. Pollard’s algorithm has an exponential expected running time of

2 πn group operations and negligible storage requirements. In order to prevent such square-root attacks, the group order n must have a large prime factor. There are faster algorithms for the DLP than Pollard’s rho method. The most powerful is the index calculus method which yields subexponential-time algorithms for the DLP in some groups.

The first subexponential-time algorithm to compute discrete logarithms over hyperelliptic curves of large genus is introduced by Adleman, DeMassais and Huang [1] in 1994. This algorithm was rather theoretical, and some improvements on it were done by other researchers. Flassenberg and Paulus [9] implemented a sieve version of this algorithm, but the consequence for cryptographical applications is not clear. Enge [6] improved the original algorithm and gave a precise evaluation of the running time, but did not implement his ideas. Muller, Stein and Thiel [26] extended the resultsto the real quadratic congruence function fields. Smart and Galbraith [12]

also gave some ideas in the context of the Weil descent, following ideas of Frey; they dealt with general curves (not hyperelliptic). We will not discuss those in details but list them as references.

When the index calculus algorithm is applied on the small genus HCDLP, even the fastest variation is not faster than Pollard’s rho method for the genus less than 3.

Hence the use of hyperelliptic curves in public-key cryptography appears as an alternative to the use of elliptic curves, with the advantage that it can be used in a smaller base field for the same level of security. In order to analyze the security of such systems, we need to know how the index calculus method works for solving small genus HCDLP.

In 2000, Gaudry [13] first presented a variation of index calculus attack for a hyperelliptic curve of genus g over Fq that could solve the HCDLP in time O q( )² . And Harley [13] improved this algorithm with reduced factor base such that HCDLP

can be solved in time almost-smooth divisor which contains exactly one large prime. Theriault’s

algorithm [32] works in time

2 4

By considering double large prime, the time complexity of hyperelliptic index

calculus algorithm can be reduced to

2 2 independently by Gaudry et al. [16] and Naogo [28] in 2004. They used different tricks to handle large primes, but got the same time complexity. We discuss these variations of index calculus algorithm for small genus HCDLP in section 4.2.

However, the double large prime variation can not be applied on genus 2 hyperelliptic curves. We propose an algorithm that can solve the genus 2 HCDLP with time complexity O(q) in Chapter 5 which can be comparable to Pollard’s rho method. Table 4.1 shows the comparison between these algorithms described above.

Our algorithm has the same time complexity as Pollard’s rho method but smaller

hiding constant term. We also have detailed analysis in Chapter 5.

Table 4.1 Time complexity of algorithms solving HCDLP

Genus g 2 3 4 5 6

4.2 Index calculus algorithm for small genus HCDLP

A reduced divisor in the Jacobian JC(K) is represented by two polynomials (a, b), and the factorization of a as polynomial in K[x] is compatible with the Jacobian group law. This is the key stone for defining a smooth divisor and then the index calculus algorithm.

Fact 4.1 (Factorization)

Let C be a hyperelliptic curve over a finite field Fq. Let D=div(a, b) be a

Let C be a hyperelliptic curve over a finite field Fq. Let D=div(a, b) be a

在文檔中 超橢圓曲線密碼攻擊之研究 (頁 12-0)