
Chapter 5 A Fast Algorithm for Genus 2 HCDLP

5.3 Time complexity

In order to analyze the time complexity of this algorithm, we refer to the work of Flajolet, Knuth and Pittel [8], which gives a comprehensive account of how cycles appear in random graphs. We quote some of their results from [8].

Definition 5.1 (Uniform model)

The uniform model is a procedure to enrich an initially empty graph on the vertices {1, 2, …, n}. At each step we generate an ordered pair <x, y>, where x and y are uniformly distributed between 1 and n, and all n^2 pairs are equally likely. The undirected edge x-y is then added to the graph. In this way we obtain a multigraph, which may have duplicate edges or self-loops x-x.

A bicyclic component in a graph is a component with more than one cycle.

Corollary 5.1 (Expected time) [8]

In the uniform model, the first cycle appears at the expected time m ≈ n/3 steps. At this time, the expected cycle length is of order n^{1/6}, and the size of the component containing the first cycle will be θ(n^{1/2}). The waiting time for the first bicyclic component is approximately n/2.

The graph constructed in our algorithm can be viewed as the uniform model with |F| = O(q) vertices. At each step of the pseudo random walk, the relation R = αD1 + βD2 is smooth with probability 1/2. In other words, there is a one-half chance of adding an edge to the graph at each step. By Corollary 5.1, the first bicyclic component will appear in the graph after about q/2 edges have been added. This requires about q steps of the pseudo random walk. Hence, we conclude that our algorithm solves the genus 2 HCDLP in an expected time of O(q) Jacobian operations.
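The following simulation is an added example, not code from the thesis: it runs the uniform multigraph model of Definition 5.1 on the vertices 1..n, with an optional per-step edge probability that models the 1/2 chance of a smooth relation in the pseudo random walk, and records the step and edge count at which the first cycle and the first bicyclic component (a component with more edges than vertices) appear, together with the first cycle's length and component size. Averaging over many runs lets one check the constants of Corollary 5.1 (about n/3 edges for the first cycle and about n/2 edges for the first bicyclic component, hence about q steps at edge probability 1/2). All function names, the union-find bookkeeping and the constructed edge streams are assumptions of this example.

```python
import random
from collections import deque
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


class UnionFind:
    """Disjoint-set forest that also tracks vertex and edge counts per component."""

    def __init__(self, n: int) -> None:
        self.parent = list(range(n + 1))  # index 0 unused; vertices are 1..n
        self.size = [1] * (n + 1)         # vertices in the component rooted here
        self.edges = [0] * (n + 1)        # edges in the component rooted here

    def find(self, x: int) -> int:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def add_edge(self, x: int, y: int) -> Tuple[bool, int]:
        """Add the undirected edge x-y; return (closes_a_cycle, component root)."""
        rx, ry = self.find(x), self.find(y)
        if rx == ry:                # same component: this edge closes a cycle
            self.edges[rx] += 1     # (also covers self-loops x-x and duplicate edges)
            return True, rx
        if self.size[rx] < self.size[ry]:
            rx, ry = ry, rx
        self.parent[ry] = rx
        self.size[rx] += self.size[ry]
        self.edges[rx] += self.edges[ry] + 1
        return False, rx


def path_length(adj: dict, x: int, y: int) -> Optional[int]:
    """BFS distance from x to y over the edges added so far (None if unreachable)."""
    if x == y:
        return 0
    dist = {x: 0}
    queue = deque([x])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                if v == y:
                    return dist[v]
                queue.append(v)
    return None


@dataclass
class Evolution:
    steps_first_cycle: Optional[int] = None      # walk steps until the first cycle
    edges_first_cycle: Optional[int] = None      # edges in the graph at that moment
    first_cycle_length: Optional[int] = None     # 1 = self-loop, 2 = duplicate edge
    first_cycle_component: Optional[int] = None  # vertices in that component
    steps_first_bicyclic: Optional[int] = None
    edges_first_bicyclic: Optional[int] = None


def evolve(n: int, steps: Iterable[Optional[Tuple[int, int]]]) -> Evolution:
    """Run the uniform model on vertices 1..n. Each item of `steps` is either an
    ordered pair (x, y) (an edge is added) or None (a step adding no edge, i.e. a
    non-smooth relation). Stops at the first bicyclic component."""
    uf = UnionFind(n)
    adj = {v: [] for v in range(1, n + 1)}
    res, edges = Evolution(), 0
    for step, pair in enumerate(steps, start=1):
        if pair is None:
            continue
        x, y = pair
        edges += 1
        closes_cycle, root = uf.add_edge(x, y)
        if closes_cycle and res.first_cycle_length is None:
            # The graph is still a forest, so the x..y path is unique: cycle = path + 1.
            res.first_cycle_length = path_length(adj, x, y) + 1
            res.steps_first_cycle, res.edges_first_cycle = step, edges
            res.first_cycle_component = uf.size[root]
        adj[x].append(y)
        adj[y].append(x)
        if uf.edges[root] > uf.size[root]:   # more edges than vertices: bicyclic
            res.steps_first_bicyclic, res.edges_first_bicyclic = step, edges
            break
    return res


def uniform_model_steps(n: int, p_edge: float = 1.0, seed: int = 0):
    """Infinite stream of steps: with probability p_edge a uniform pair, else None."""
    rng = random.Random(seed)
    while True:
        yield (rng.randint(1, n), rng.randint(1, n)) if rng.random() < p_edge else None


def estimate_thresholds(n: int, trials: int, p_edge: float = 1.0, seed: int = 0):
    """Averages over `trials` runs of (edges at first cycle)/n, (steps at first
    cycle)/n and (edges at first bicyclic component)/n."""
    acc = [0.0, 0.0, 0.0]
    for t in range(trials):
        r = evolve(n, uniform_model_steps(n, p_edge, seed + t))
        acc[0] += r.edges_first_cycle / n
        acc[1] += r.steps_first_cycle / n
        acc[2] += r.edges_first_bicyclic / n
    return tuple(a / trials for a in acc)


if __name__ == "__main__":
    # Constructed stream: triangle 1-2-3, then a second cycle through 4 and 5.
    print(evolve(5, [(1, 2), (2, 3), (3, 1), (1, 4), (4, 5), (5, 1)]))
    print(estimate_thresholds(2000, 50, p_edge=0.5))
```

With p_edge = 0.5 the step counts come out at roughly twice the edge counts, which is the argument above: about q/2 edges, hence about q walk steps, before the first bicyclic component.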

A practical comparison between Pollard’s method and our algorithm is given in section 5.4.

5.4 Computational comparison

In this section, we implement our algorithm for solving genus 2 HCDLP and use the implementation of Pollard's rho algorithm by Niels Lubbes [23] as the comparison. We execute both programs on the same computer to generate the following results. The comparison between our algorithm and Pollard's rho algorithm is shown in Table 5.1; the results are averages over 10 runs of the tests.

Table 5.1 Comparison between Pollard's rho and our algorithm (genus 2)

Field size q = |F_q>                    2^11     2^13      2^17       2^19
Pollard's rho
  Average time (sec)                    1.238    5.502   113.391    827.459
  Average iterations                    923.4   2642.8   50239.5   236119.6
Our algorithm
  Average iterations                    699.4   2350.4   40222     137832
  Average number of smooth divisors     351.4   1169.2   20222.3    74338.8
  Graph size                            1024     4071    65792     261993

As we can see in Table 5.1, the average number of iterations our algorithm needs for solving genus 2 HCDLP is less than the average number of iterations of Pollard's rho algorithm, and the running time of our algorithm is also less than that of Pollard's algorithm. For example, in the case of the base field GF(2^19), Pollard's rho algorithm takes 827.459 seconds to run 236119.6 iterations on average for solving the given HCDLP, and it meets 2.2 useless collisions before the solution is found. Running our algorithm in the same case takes only 80.809 seconds to solve the given HCDLP. After 137832 iterations on average there are 74338.8 smooth divisors which can be added to the graph, and then 2.9 cycles are found on average. The ratio 74338.8/137832 ≈ 0.539 is about the one-half chance of getting a smooth divisor stated in Lemma 4.1. And the number of edges divided by the graph size, 74338.8/261993 ≈ 0.284, is less than the expected time estimated in Corollary 5.1.

Chapter 6

Conclusion and Future Research

6.1 Summary

We introduced the additive group of the Jacobian of a hyperelliptic curve and Cantor's algorithm for computing the group law in Chapter 3. For a hyperelliptic curve of genus g over the finite field F_q, the group order of the Jacobian is O(q^g), whereas the group order of an elliptic curve over F_q is O(q). Therefore, the advantage of hyperelliptic curves over elliptic curves is that a smaller base field can be used to obtain the same level of security. The disadvantage is that there exists an algorithm, the hyperelliptic index calculus algorithm, which solves HCDLP in subexponential time once the genus becomes large enough. Hence, small genus hyperelliptic curves are preferred for constructing a hyperelliptic curve cryptosystem. According to Table 4.1, we can extend Table 1.1 to the following Table 6.1.

In Chapter 4, we described several variations of the hyperelliptic index calculus algorithm. The settings of the test data are given in section 4.3, and a computational comparison between these variations is shown in Table 4.2.

We also proposed a better algorithm for solving genus 2 HCDLP in Chapter 5.

The implementation results can be found in section 5.4. In Table 5.1, detailed comparisons between our algorithm and Pollard’s rho algorithm are given. It is shown that our algorithm is faster than Pollard’s rho algorithm in practice.

Table 6.1 Suggested key size for hyperelliptic curve cryptography.

Minimum size (bits) of public keys

Security (bits) | ECC | HECC genus 2 | HECC genus 3 | HECC genus 4 | HECC genus 5
80              | 160 | 80           | 60           | 54           | 50
112             | 224 | 112          | 84           | 75           | 70
128             | 256 | 128          | 96           | 86           | 80
192             | 382 | 192          | 144          | 128          | 120
256             | 512 | 256          | 192          | 171          | 160

6.2 Future work

There are several interesting topics for further research.

1. Solving large sparse linear systems over finite fields:

This is one of the crucial parts of the index calculus algorithm. An improvement of the algorithm for solving large sparse linear systems over finite fields implies an improvement of the index calculus algorithm.

2. Reducing the space requirement:

The disadvantage of our algorithm compared with Pollard's rho method is the space requirement: our algorithm takes O(q) memory. Perhaps there are other methods which can reduce the space requirement.

3. Algorithm design:

Design a systematic index calculus algorithm which can make extensive use of more large primes without much overhead, and analyze what number of large primes is optimal for collecting enough smooth relations.

Bibliography

[1] L. Adleman, J. DeMarrais and M. Huang, "A Subexponential Algorithm for Discrete Logarithms over the Rational Subgroup of the Jacobians of Large Genus Hyperelliptic Curves over Finite Fields," Algorithmic Number Theory, LNCS 877 (1994), 28-40.

[2] D. Cantor, "Computing in the Jacobian of a Hyperelliptic Curve," Mathematics of Computation, 48 (1987), 95-101.

[3] David G. Cantor and Hans Zassenhaus, "A New Algorithm for Factoring Polynomials Over Finite Fields," Mathematics of Computation, 36 (1981), 587-592.

[4] H. Cohen and G. Frey, Handbook of Elliptic and Hyperelliptic Curve Cryptography, Chapman & Hall/CRC, 2006.

[5] D. Coppersmith, "Solving Linear Equations over GF(2) via Block Wiedemann Algorithm," Math. Comp., 62(205):333-350, 1994.

[6] A. Enge, "Computing Discrete Logarithms in High-genus Hyperelliptic Jacobians in Provably Subexponential Time," Math. Comp., 71, no. 238, pp. 729-742, 2002.

[7] A. Enge and P. Gaudry, "A General Framework for Subexponential Discrete Logarithm Algorithms," Acta Arithmetica, 102 (2002), 83-103.

[8] P. Flajolet, D. Knuth and B. Pittel, "The First Cycles in an Evolving Graph," Discrete Math., 75:167-215, 1989.

[9] R. Flassenberg and S. Paulus, "Sieving in Function Fields," Experimental Mathematics, 8, No. 4, 339-349, 1999.

[10] John B. Fraleigh, A First Course in Abstract Algebra, seventh edition, Addison-Wesley, 2003.

[11] W. Fulton, Algebraic Curves, Benjamin, New York, 1969.

[12] S.D. Galbraith and N.P. Smart, "A Cryptographic Application of Weil Descent," Cryptography and Coding, 7th IMA Conference, LNCS 1746, pp. 191-200, Springer-Verlag, Berlin, 1999.

[13] P. Gaudry, "An Algorithm for Solving the Discrete Log Problem on Hyperelliptic Curves," Advances in Cryptology - EUROCRYPT 2000, LNCS 1807 (2000), 19-34.

[14] P. Gaudry and R. Harley, "Counting Points on Hyperelliptic Curves over Finite Fields," Algorithmic Number Theory - ANTS-IV, LNCS 1838 (2000), 313-332.

[15] P. Gaudry, F. Hess, and N. Smart, "Constructive and Destructive Facets of Weil Descent on Elliptic Curves," Journal of Cryptology, 15:19-46, 2002.

[16] P. Gaudry and E. Thomé, "A Double Large Prime Variation for Small Genus Hyperelliptic Index Calculus," Cryptology ePrint Archive, Report 2004/153.

[17] C. Guyot, K. Kaveh, V.M. Patankar, "Explicit Algorithm for The Arithmetic on The Hyperelliptic Jacobians of Genus 3," Journal of the Ramanujan Mathematical Society, 19 (2004), No. 2, 119-159.

[18] M. Jacobson and A. van der Poorten, "Computational Aspects of NUCOMP," Algorithmic Number Theory - ANTS-IV, LNCS 2369 (2002), 120-133.

[19] N. Koblitz, "Elliptic Curve Cryptosystems," Mathematics of Computation, 48 (1987), 203-209.

[20] N. Koblitz, "Hyperelliptic Cryptosystems," Journal of Cryptology, 1 (1989), 139-150.

[21] B. A. LaMacchia and A. M. Odlyzko, "Solving Large Sparse Linear Systems over Finite Fields," In A. J. Menezes and S. A. Vanstone, editors, Advances in Cryptology, volume 537 of Lecture Notes in Comput. Sci., pages 109-133, Springer-Verlag, 1990. Proc. Crypto '90, Santa Barbara, August 11-15, 1988.

[22] T. Lange, "Efficient Arithmetic on Genus 2 Hyperelliptic Curves over Finite

[23] Niels Lubbes, "The Hyperelliptic Curve Discrete Logarithm Problem," Master's thesis, Universiteit van Amsterdam, 2004.

[24] A. Menezes, Elliptic Curve Public Key Cryptosystems, Kluwer Academic Publishers, 1993.

[25] A. Menezes, Y. Wu and R. Zuccherato, "An Elementary Introduction to Hyperelliptic Curves," appendix in Algebraic Aspects of Cryptography by N. Koblitz, Springer-Verlag, 1998, 155-178.

[26] V. Müller, A. Stein, and C. Thiel, "Computing Discrete Logarithms in Real Quadratic Congruence Function Fields of Large Genus," Math. Comp., 68(226):807-822, 1999.

[27] D. Mumford, Tata Lectures on Theta II, Birkhäuser, Boston, 1984.

[28] K. Nagao, "Improvement of Thériault Algorithm of Index Calculus for Jacobian of Hyperelliptic Curves of Small Genus," Cryptology ePrint Archive, Report 2004/161.

[29] J. Pelzl, T. Wollinger, and C. Paar, "Low Cost Security: Explicit Formulae for Genus-4 Hyperelliptic Curves," In M. Matsui and R. Zuccherato, editors, Selected Areas in Cryptography - SAC 2003, volume 3006 of LNCS, pages 1-16, Springer-Verlag, 2004.

[30] Y. Sakai and K. Sakurai, "On the Practical Performance of Hyperelliptic Curve Cryptosystems in Software Implementation," IEICE Trans. Fundamentals, vol. E83-A, No. 4, April 2000.

[31] Victor Shoup, NTL: A Library for doing Number Theory, available on the web at http://shoup.net/ntl/.

[32] N. Thériault, "Index Calculus Attack for Hyperelliptic Curves of Small Genus," Advances in Cryptology - ASIACRYPT 2003, LNCS 2894 (2003), 75-92.

[33] D. H. Wiedemann, "Solving Sparse Linear Equations over Finite Fields," IEEE Trans. Inform. Theory, IT-32(1):54-62, 1986.
