Hyperelliptic curve discrete log problem (HCDLP)

The security of several cryptosystems is related to the difficulty of computing discrete logarithms modulo a large prime number p; i.e. given two numbers (g mod p) and (g^x mod p), it seems to be infeasible to compute x when p is large enough.

Instead of using the DLP modulo a large prime p as the basis of cryptographic protocols, one can consider the DLP in an arbitrary group that admits an efficient

element representation and group law.

Definition 3.7 (DLP)

Let G be a finite cyclic group G= <g> of order n, and given an element h∈G..

The discrete logarithm problem is to find the integer x∈[0, n-1], such that g^x=h.

Since the Jacobian of a hyperelliptic curve is also a finite abelian group, based on the difficulty of the DLP, it can be designed for cryptographic use.

Definition 3.8 (HCDLP)

Let C be a hyperelliptic curve over a finite field Fq and JC(Fq) its Jacobian with order # JC(Fq) = n. Given two reduced divisors D1, D2∈JC(Fq) and D2∈<D1>.

The hyperelliptic curve discrete logarithm problem is to find the integer λ∈[0, n-1], such that λD1=D2.

Example 3.2

Consider the genus 2 hyperelliptic curve: C: y2 = x5 + 2x4 + 1 in F3[x, y]. The partial derivatives are 2x⁴ + 2x³=0 and 2y=0. Since there are no points in F F× which satisfy C and the partial derivatives, the hyperelliptic curve is non-singular.

Although the divisors are defined over F3, the points in the support of a divisor are in F . 32

The finite field 2

2

3 3[ ]/( 1) {0,1 , 2 ,1 2 , 2, 2 2 , , 2 ,1}

F ≅F x x + = +i i + i + i i +i . The F -rational points are P32 1 = (0, 1), P2 = (1, 2), P3 = (1, 1), P4 = (0, 2), P5 = (2+i, 2+2i), P6 = (2+2i, 2+i), P7 = (i, 2+i), P8 = (2i, 2+2i),

P9 = (i, 1+2i), P10 = (2i, 1+i), P11 = (2+i, 1+i), P12 = (2+2i, 1+2i), ∞.

The order of Jacobian #JC(F3) = 17.

Let D1 = div(x², 1). We can use D1 as the generator of the group, and use

Cantor’s algorithm to generate the group elements.

1 D1 = div(x², 1) = P1 + P1 - 2∞

2 D1 = div(x+2, 2) = P2 - ∞ 3 D1 = div(x²+2x+2, 2x+1) = P5 + P6 - 2∞

4 D1 = div(x²+x+1, x+1) = P2 + P2 - 2∞

5 D1 = div(x²+1, x+1) = P9 + P10 - 2∞

6 D1 = div(x²+2x, 2x+2) = P3 + P4 - 2∞

7 D1 = div(x²+2x, 1) = P1 + P3 - 2∞

8 D1 = div(x, 2) = P4 - ∞ 9 D1 = div(x, 1) = P1 - ∞ 10D1 = div(x²+2x, 2) = P2 + P4 - 2∞

11D1 = div(x²+2x, x+1) = P1 + P2 - 2∞

12D1 = div(x²+1, x+2) = P7 + P8 - 2∞

13D1 = div(x²+x+1, 2x+2) = P3 + P3 - 2∞

14D1 = div(x²+2x+2, x+2) = P11 + P12 - 2∞

15D1 = div(x²+2, 1) = P3 - ∞ 16D1 = div(x², 2) = P4 + P4 - 2∞

17D1 = div(1, 0)

Chapter 4

Algorithms for HCDLP

4.1 Introduction

The best known algorithm for solving the DLP in generic groups is Pollard’s rho algorithm. Pollard’s algorithm has an exponential expected running time of

2 πn group operations and negligible storage requirements. In order to prevent such square-root attacks, the group order n must have a large prime factor. There are faster algorithms for the DLP than Pollard’s rho method. The most powerful is the index calculus method which yields subexponential-time algorithms for the DLP in some groups.

The first subexponential-time algorithm to compute discrete logarithms over hyperelliptic curves of large genus is introduced by Adleman, DeMassais and Huang [1] in 1994. This algorithm was rather theoretical, and some improvements on it were done by other researchers. Flassenberg and Paulus [9] implemented a sieve version of this algorithm, but the consequence for cryptographical applications is not clear. Enge [6] improved the original algorithm and gave a precise evaluation of the running time, but did not implement his ideas. Muller, Stein and Thiel [26] extended the resultsto the real quadratic congruence function fields. Smart and Galbraith [12]

also gave some ideas in the context of the Weil descent, following ideas of Frey; they dealt with general curves (not hyperelliptic). We will not discuss those in details but list them as references.

When the index calculus algorithm is applied on the small genus HCDLP, even the fastest variation is not faster than Pollard’s rho method for the genus less than 3.

Hence the use of hyperelliptic curves in public-key cryptography appears as an alternative to the use of elliptic curves, with the advantage that it can be used in a smaller base field for the same level of security. In order to analyze the security of such systems, we need to know how the index calculus method works for solving small genus HCDLP.

In 2000, Gaudry [13] first presented a variation of index calculus attack for a hyperelliptic curve of genus g over Fq that could solve the HCDLP in time O q( )² . And Harley [13] improved this algorithm with reduced factor base such that HCDLP

can be solved in time almost-smooth divisor which contains exactly one large prime. Theriault’s

algorithm [32] works in time

2 4

By considering double large prime, the time complexity of hyperelliptic index

calculus algorithm can be reduced to

2 2 independently by Gaudry et al. [16] and Naogo [28] in 2004. They used different tricks to handle large primes, but got the same time complexity. We discuss these variations of index calculus algorithm for small genus HCDLP in section 4.2.

However, the double large prime variation can not be applied on genus 2 hyperelliptic curves. We propose an algorithm that can solve the genus 2 HCDLP with time complexity O(q) in Chapter 5 which can be comparable to Pollard’s rho method. Table 4.1 shows the comparison between these algorithms described above.

Our algorithm has the same time complexity as Pollard’s rho method but smaller

hiding constant term. We also have detailed analysis in Chapter 5.

Table 4.1 Time complexity of algorithms solving HCDLP

Genus g 2 3 4 5 6

4.2 Index calculus algorithm for small genus HCDLP

A reduced divisor in the Jacobian JC(K) is represented by two polynomials (a, b), and the factorization of a as polynomial in K[x] is compatible with the Jacobian group law. This is the key stone for defining a smooth divisor and then the index calculus algorithm.

Fact 4.1 (Factorization)

Let C be a hyperelliptic curve over a finite field Fq. Let D=div(a, b) be a

∏

irreducible factors of a(x) in Fq[x]. Let bi(x) = b(x) (mod ai(x)).

Then Di = div(ai, bi) is a reduced divisor and D=D=

∑

D_i ^{in JC(Fq).}

Remark 4.1

To factor polynomials over finite fields we can use the Cantor-Zassenhaus algorithm, which is invented by D. Cantor and Hans Zassenhaus in 1981 [3]. It is currently implemented in many well-known computer algebra systems.

With this result in Fact 4.1, a reduced divisor can be rewritten as the sum of reduced divisors of smaller deg(ai), and deg( )a =

∑

deg( )a_i . If the a-polynomial of a reduced divisor D is irreducible then it can not be rewritten as their decomposition.

We call them primes in JC(Fq).

Definition 4.1 (Prime)

A reduced divisor D=div(a, b) ∈ JC(Fq) is said to be prime if the polynomial a is irreducible in Fq[x].

Definition 4.2 (B-smooth)

Let B be an integer. A divisor is said to be B-smooth if all the prime divisors in its factorization of a-polynomial have degree at most B. When B= 1, a 1-smooth divisor will be a divisor for which the polynomial a splits completely over Fq.

We give a sketch of the index calculus algorithm in the following. Several improvements described in this section are based on this algorithm.

Algorithm 4.1 Hyperelliptic index calculus algorithm

Input: A divisor D1 in JC(F_q) with know order n = ord(D1),

and a divisor D2∈<D1>.

Output: An integer λ sucht that D2=λD1.

1. Fix smoothness bound B and construct the factor base F.

2. While not enough relations have been found do:

Pick a random element R=αD1+βD2.

If R is smooth, record the corresponding relation.

3. Solve the linear algebra system over Zn. 4. Return λ.

The factor base F contains all the prime reduced divisors which a-polynomial has degree at most B: F ={D∈J_C( ) :F_q D=div a b is prime( , ) , deg( )a ≤B} . For convenience, we use gi for i=1,2,…,#F to denote the element in F. To find all the prime divisors in F, it suffices to test all the monic polynomial a(x) of degree at most B, checking if it is irreducible and if there exists a polynomial b(x) such that

div(a, b)∈JC(Fq).

While searching the smooth relations in step 2, a naive way to select a random element R=αD1+βD2 is costly: two integers α and β are randomly chosen in [0, n-1]

and then two scalar multiplications have to be done. It costs O(log n) group operations. We can use a pseudo random walk instead, so that each new random element R costs just one group operation.

Let R₀ =α₀D₁+β₀D₂ be the starting point of the walk where α0 and β0 are random integers in [0, n-1]. For j from 1 to r, we compute random divisors T =a D +b D . The walk Ri+1 will then be given by adding one of the Tj to Ri.

The index j∈[1, r] is given by a hush function H evaluated at Ri. In other words, Ri+1=Ri+Tj where j=H(Ri)∈ [1, r], and αi+1=αi +aj, βi+1 = βi+ bj. Once the initialization is finished, we can compute a new pseudo-random element Ri+1 at the cost of one addition in the Jacobian. Practical experiments suggest that by taking r=

20 the pseudo random walk behaves almost like a purely random walk.

For each Ri of the random walk, test its smoothness by factoring the a-polynomial of Ri. If all its irreducible factors have degree at most B (then it is smooth), express it on the factor base; otherwise, throw it away. Thus we collect a subsequence of the sequence (Ri) where all the divisors are smooth. We denote this subsequence by (Sk) with kth smooth element Sk=αkD1+βkD2. Hence we can put the result of this computation in a matrix M, each column representing an element of the factor base, and each row being a reduced divisor Sk expressed on the basis: for a row

k, we have _{1 2}

Using linear algebra, we find a non-zero vector (γk) of this kernel, which

corresponds to a relation between the Sk’s. So that

( ) (

¹

)

²

discrete logarithm is now found with high probability, because the denominator is zero with probability 1

n.

In this algorithm, there are two crucial points: one is to search enough smooth relations, and another is to solve the large linear system. In the matrix obtained in the algorithm, each row is a smooth divisor written as sum of at most g elements of the factor base. Hence the matrix is very sparse, and we have at most g terms in

each row. For such a sparse matrix, Lanczos’s [21] or Wiedemann’s [33][5]

algorithm can be used, in order to get a solution in time quadratic in the number of rows, instead of cubic by Gaussian elimination.

We know that the index calculus algorithm can solve HCDLP in a

subexponential time 1 most 9), the theoretical optimal smoothness bound 1

log , 2

2

q qg

B=⎡⎢⎢ L ⎛⎜⎝ ⎞⎟⎠⎤⎥⎥ which tends to 0. In this case, B= 1 is the best choice. The first index calculus algorithm for hyperelliptic curve of small genus was proposed by Gaudry in 2000. We summarize in the following algorithm.

Algorithm 4.2 Index calculus algorithm for small genus HCDLP

Input: A hyperelliptic curve C of small genus g over Fq,

2. /* Initialization of the random walk */

For j from 1 to 20, select aj and bj at random in [0, n-1], and compute Tj := ajD1 + bjD2.

Select α0 and β0 at random in [0, n-1] and compute R0 := α0D1 +β0D2.

Set k to 1.

3. /* Main loop */

(a) /* Look for a smooth divisor */

Compute j := H(R0), R0 := R0 + Tj, α0 := α0 + aj mod n, andβ0 := β0 + bj mod n.

Repeat this step until R0 is a smooth divisor.

(b) /* Express R0 on the factor base F */

Factor a0(u) over Fq, and determine the positions of the factors in the basis G..

Store the result as a row Rk =

∑

m g_{ki i} of a matrix M = (mki).

Store the coefficients αk = α0 and βk = β0.

If k < #F + 1, then set k := k + 1, and return to step 3.a.

4. /* Linear algebra */

Find a non-zero vector (γk) of the kernel of the transpose of the matrix M.

The computation can be done in Zn.

The proportion of smooth divisors in the Jacobian of a curve of genus g over Fq

tends to 1

! g . Proof:

By the Hasse-Weil bound, #F= #C(Fq) = O(q) and #JC(Fq) = O(q^g). The smooth divisors can be written as the sum of at most g points in C(Fq), hence we have about

In step 1, we need to perform q times a resolution of an equation of degree 2 over

Fq. Step 2 requires a constant number of Jacobian operations. Step 3 is a loop of O(q) times to find enough smooth relations. In step 4, this linear algebra step consists in finding a vector of the kernel in a sparse matrix of size O(q), and of weight O(gq); the coefficient are in Zn. Hence Lanczos's algorithm provides a solution with cost O(gq²). This last step requires only O(q) multiplications modulo n, and one inversion. When q is large, we can regard g and logq as small constant. Then the complexity of this algorithm is O(q²).

Theorem 4.1 [13]

Let C be a hyperelliptic curve of genus g over the finite field Fq. If q>g! then the discrete logarithms in JC(Fq) can be computed in expected time ^{O g q}

(

^{3 2+ε}

)

^.

Example 4.1

Given a genus 2 hyperelliptic curve C: y² = x⁵ + 2x⁴ + 1 over F3. This curve is also used as an example in Example 3.2. Let D1 = div(x², 1) with ord(D1) = 17, and D2 = div(x²+1, x+2) ∈<D1>. We can use the index calculus algorithm described in Algorithm 4.2 to find an integer λ such that D2=λD1.

1. Construct factor base

F = {g1=div(x, 1), g2=div(x+2, 2), g3=div(x+2, 1), g4=div(x, 2)}.

2. Initialize the pseudo-random walk:

T1 = 2D1+ 10D2 = div(x²+2x+2, 2x+1) T2 = 13D1 + 5D2 = div(x²+1, x+1) T3 = 3D1 + 7D2 = div(x+2, 2)

3. Search enough smooth relations by using a pseudo random walk:

R0 = 1D1+1D2 = div(x²+x+1, 2x+2) = 2g3. R1 = R0+T2 =14D1+6D2 = div(x², 1) = 2g1. R2 = R1+T1 =16D1+16D2 = div(x²+x+1,x+1) = 2g2. R3 = R2+T1 = 1D1+9D2 = div(x²+2x, 1) = g1+g3. R4 = R3+T3 = 4D1+16D2 = div(x,1) = g1.

If Ri is smooth we can store it in a matrix M, otherwise discard it.

These smooth relations are stored in a matrix M:

4. When there is enough(#F+1 = 5) smooth relations, we can find a non-trivial kernel r of M, such that rM=0. We have r =(0, 1, 0, 0, -2)^T.

Because the running time for Gaudry’s algorithm is dominated by the cost of solving the linear algebra, a natural approach to improve the algorithm is to reduce the cost of linear algebra part. Hence we need to reduce the size of the linear system, which means reducing the size of factor base. This was first introduced by Robert Harley. We can choose the factor base F with |F|=q^r where r is a real number in the interval (0, 1). This increases the cost of searching relation, because it also reduces the proportion of the smooth divisors in the Jacobian. To balance the cost of the relation search and linear algebra

1

complexity of the index calculus algorithm with reduced factor base is

Let C be a hyperelliptic curve of genus g over the finite field Fq. If q>g! then

the discrete logarithms in JC(Fq) can be computed in expected time

2 2

4.2.2 Single large prime variation

As the index calculus algorithm for the multiplicative group of a finite field, the hyperelliptic index calculus algorithm can be improved by using large primes.

Definition 4.3 (Large prime)

Definition 4.4 (1-almost smooth divisor)

A reduced divisor D=

∑

m P_{i i}− ∞m is said to be 1-almost smooth if all but exactly one of the Pi’s are in F and the remaining Pi is a large prime.

Definition 4.5 (2-almost smooth divisor)

A reduced divisor D=

∑

m P_{i i}− ∞m is said to be 2-almost smooth if all but exactly two of the Pi’s are in F and the remaining Pi’s are two large primes.

Simple combinatorial arguments give good estimates for the probabilities of obtaining almost smooth divisors in the relation search.

Lemma 4.2

The probability for a random divisor to be smooth is approximately

( 1) The probability for a random divisor to be 1-almost smooth is approximately

( 1)( 1)

− . The probability for a random divisor to be 2-almost smooth is approximately

We now consider the single large prime variation of the index calculus algorithm.

In order to take advantage of the high number of 1-almost smooth divisors, we must find pairs of these divisors with the same large prime. For example, given two 1-almost smooth divisors _{1 1} *

i The following algorithm shows how this method can be applied in the relation search of the original index calculus algorithm.

Algorithm 4.4.5: Searching relation with single large prime

Input: A hyperelliptic curve C of small genus g over Fq,

a divisor D1 in JC(Fq) with know order n = ord(D1),

a divisor D2∈<D1>,

a factor base F, and the set of large primes L.

Output: A system of k smooth divisors of the form R_i =α_iD₁+β_iD₂. 1. /* Initialization of the random walk */

For j from 1 to 20, select aj and bj at random in [0, n-1], and compute Tj := ajD1 + bjD2.

Select α and β at random in [0, n-1] and compute R:= αD1 +βD2. PÅ{}

iÅ1

2. /* Main loop */

While i k do{≦

RÅR+Tj for some randomly chosen j, update α and β.

Decompose R into prime divisors If R is smooth then

RiÅR iÅi+1

If R is 1-almost smooth with a large prime Q then If Q is already in P then

Obtain a smooth divisor R by cancelling the large prime Q RiÅR

iÅi+1

else (Q is not in P)

Add Q to the set P with the associated relation R }

Return {R1, R2, …, Rk}

According to Theriault’s analysis, by choosing the factor base F such that

Let C be a hyperelliptic curve of genus g over the finite field Fq. If q>g! then

the discrete logarithms in J_C(F_q) can be computed in expected time

2 4

Given the same HCDLP as in Example 4.1.

Let C: y² = x⁵ + 2x⁴ + 1 over F3.

D1 = div(x², 1) with ord(D1) = 17, and D2 = div(x²+1, x+2) ∈<D1>. We want to find an integer λ such that D2=λD1.

1. Construct factor base F = {g1=div(x, 1), g2=div(x+2, 2), g3=div(x+2, 1)}, and the set of large primes is {g4=div(x, 2)}.

2. Initialize the pseudo-random walk:

T1 = 2D1+ 10D2 = div(x²+2x+2, 2x+1) T2 = 13D1 + 5D2 = div(x²+1, x+1) T3 = 3D1 + 7D2 = div(x+2, 2)

3. Search enough smooth relations by using a pseudo random walk:

R0 = 16D1+8D2= div(x²+2x, 2) = g2+g4.

These smooth relations are stored in a matrix M:

4. When there is enough(#F+1 = 4) smooth relations, we can find a non-trivial

4.2.3 Double large prime variation

Since 1-almost smooth divisors can be used to produce relations so much faster, it is natural to also consider 2-almost smooth divisors. By the definition of 2-almost smooth divisor, the smallest genus g of a hyperelliptic curve is 3 such that a reduced divisor which is 2-almost smooth is of the form D=P+Q1+Q2-3∞ where P is in factor base and Qi are large primes. Here is an example to cancel the large primes.

Example 4.3

Let C be a hyperelliptic curve of genus g=3. D1=P1+Q1+Q2-3∞, D2=P2+Q2+Q3-3∞, and D3=P3+Q3+Q1-3∞ where Pi are in the factor base and Qi are large primes. We can cancel the large primes by multiplying the divisors by a

αi

relative constant and adding them together. In this example, the constants are 1 or -1.

Hence D₁−D₂+D₃ = − + +P₁ P₂ P₃ 2Q₁− ∞ is a 1-almost smooth divisor. If we 3 have another 1-almost smooth divisor D4=P4+Q1-2∞ then we can get a smooth divisor by D₁−D₂+D₃−2D₄ = − + −P₁ P₂ P₃ 2P₄+ ∞ .

To manipulate the chain of almost smooth divisors, Gaudry and Thome introduce the graph of large prime relations (LP-graph, in short). LP-graph is an undirected acyclic graph with 1+#L vertices, corresponding to the elements of the set of large primes L and the special vertex 1. All edges of the LP-graph are labeled with a relation. An edge between vertex 1 and vertex Qi represents a 1-almost smooth divisor with the large prime Qi, and an edge between vertex Qi and Qj represents a 2-almost smooth divisor with these two large primes.

Algorithm 4.3 Searching relation with double large primes

Input: A hyperelliptic curve C of small genus g 3 over F≧ q,

a divisor D1 in JC(Fq) with know order n = ord(D1), a divisor D2∈<D1>,

a factor base F, and the set of large primes L.

Output: a system of k smooth divisors of the form R_i =α_iD₁+β_iD₂. 1. /* Initialization of the random walk */

For j from 1 to 20, select aj and bj at random in [0, n-1], and compute Tj := ajD1 + bjD2.

Select α and β at random in [0, n-1] and compute R:= αD1 +βD2. GÅempty graph

iÅ1

2. /* Main loop */

While i k do{≦

RÅR+Tj for some randomly chosen j, update α and β.

Decompose R into prime divisors

If R is smooth then

then obtain a new smooth divisor R.

RiÅR

To test if adding an edge would create a cycle, we can use the union-and-find

component).

Theorem 4.4 [16]

Let C be a hyperelliptic curve of genus g 3 over the finite field F≧ q. If q>g!

then the discrete logarithms in JC(Fq) can be computed in expected time

2 2

4.3.1 Solving large sparse linear system

The last step in the index calculus algorithm is to solve a large sparse linear system over finite field. We implemented Lanczos’s algorithm to do this work.

Here is the Lanczos’s algorithm to solve the system Ax=w for a column n-vector x, where A is a n×n matrix and w is a column n-vector.

Algorithm 4.4 Lanczos’s algorithm

Input: A n×n matrix A and a column n-vector w Output: A column n-vector x for the system Ax = w.

1. w0 = w,

v_i+1= Aw_i,

In Algorithm 4.4, the notation (,) denote the inner product of two vectors.

In general, the systems we need to solve are not symmetric, and are of the form Bx = u, where B is m×n matrix, m n, x is an unknown column n≧ -vector, and u is a given column m-vector. Suppose we need to solve the system Bx = u over field K.

Let D be a m×m diagonal matrix with the diagonal elements randomly selected from K\{0}, and let

2

A=B D BT ,

2

w=B D uT .

We can expect that with high probability a solution to the system Ax=w is a solution to the system Bx=u.

4.3.2 Curve selection

To select a suitable hyperelliptic curve, we need to check if the order of Jacobian has a large prime factor in order to avoid the square root attacks. Koblitz first described a method of calculating the number of points on the Jacobian of a hyperelliptic curve of genus 2 and of small characteristic, by using zeta functions.

Sakai and Sakurai [30] improved the method by proposing a point counting method for curves of small characteristic but of arbitrary genus.

Algorithm 4.5 Sakai and Sakurai method

Input: A hyperelliptic curve C of genus 2 over the field F . qn

Output: ^#JC

( )

^{Fqn .}

1. Determine Nr, the number of points on the curve over F for r=1,…,g. qr

2. Determine the coefficients of

2 only suitable for fields of small characteristic.

We have implemented the Sakai and Sakurai method to select the suitable Jacobian of a hyperelliptic curve having an order which containing a large prime factor.

Example 4.4 lists the test data we use to test the index calculus algorithms for solving HCDLP in section 4.3.3 and section 5.4.

Example 4.4

Genus 2 hyperelliptic curves:

(a) C:y²+ =y x⁵+x⁴+ over x³ F , 211 #J_C(F211) 4196353 7 599479= = × .

(b) C:y²+(x +x+1)² y=x⁵+ over x⁴ F , 213

213

#J_C(F ) 66695006 2 7 4763929= = × × .

(c) C:y²+ =y x⁵+ over x³ F , 217 #J_C(F213) 17247109633 13 1326700741= = × . (d) C:y²+(x +x+1)² y=x⁵+ over x⁴ F , 219

219

#J_C(F ) 274720225346 2 7 19622873239= = × × . Genus 3 hyperelliptic curves:

(e) C:y²+(x +x +1)^{3 2} y=x⁷+ over 1 F , 211

211

#J_C(F ) 8589762730 2 5 858976273= = × × . (f) C:y²+(x +x +1)^{3 2} y=x⁷+ over 1 F , 213

213

#J_C(F ) 549756909530 2 5 131 419661763= = × × × . (g) C:y²+(x +x +1)^{3 2} y=x⁷+x⁶+ over x⁵ F , 217

17

4

#J_C(F2 ) 2255872542702704 2 140992033918919= = × . (h) C:^y2+

(

^x3+x2+1

)

^{y=x7+ over 1} F , 2¹⁹

219

#J_C(F )=144115188252574570 = 2 5 14411518825257457× × . Genus 4 hyperelliptic curves:

(i) C:y²+x y³ =x⁹+ over x F , 211

11

4

#J_C(F2 ) 18566518893488 = 2 1160407430843= × . (j) C:y²+x y³ =x⁹+ over x F , 213

13

4

#J_C(F2 ) 4546690000751824 = = 2 ×284168125046989.

4.3.3 Comparisons

We have implemented the index calculus algorithms and several variations described in section 4.2 including original index calculus, index calculus with reduced factor base, index calculus with single large prime, index calculus with double large primes. In order to implement these algorithms we use the C++ library NTL [31] to manipulate the operations over finite field. NTL (Number Theory Library) is a high-performance, portable C++ library providing data structures and algorithms for manipulating signed, arbitrary length integers, and for vectors, matrices, and polynomials over the integers and over finite fields.

We ran our programs on the computer with 1800 MHz CPU and 1G ram to generate the results in Table 4.2.

Table 4.2 Running time (seconds) of hyperelliptic index calculus

Genus g 2 3 4

Genus g 2 3 4

在文檔中 超橢圓曲線密碼攻擊之研究 (頁 33-0)