Elliptic and Hyperelliptic Curve Cryptography
Renate Scheidler
Research supported in part by NSERC of Canada
Comprehensive Source
Handbook of Elliptic and Hyperelliptic Curve Cryptography
Overview
- Motivation
- Elliptic Curve Arithmetic
- Hyperelliptic Curve Arithmetic
- Point Counting
- Discrete Logarithm Algorithms
- Other Models
Motivation — Why (Hyper-)Elliptic Cryptography?
Requirements on groups for discrete log based cryptography
- Large group order (plus other restrictions)
- Compact representation of group elements
- Fast group operation
- Hard Diffie-Hellman/discrete logarithm problem
Elliptic and low genus hyperelliptic curves do well on all of these!
Elliptic Curves
Let $K$ be a field (in crypto, $K = \mathbb{F}_q$ with $q$ prime or $q = 2^n$)
Weierstraß equation over $K$:
$$E : y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6 \qquad (*)$$
with $a_1, a_2, a_3, a_4, a_6 \in K$
Elliptic curve: Weierstraß equation & non-singularity condition: there are no simultaneous solutions to $(*)$ and
$$2y + a_1x + a_3 = 0$$
$$a_1y = 3x^2 + 2a_2x + a_4$$
Non-singularity $\Leftrightarrow \Delta \ne 0$ where $\Delta$ is the discriminant of $E$
Non-Examples
Two Weierstraß equations with a singularity at $(0,0)$:
$$y^2 = x^3 \qquad \text{and} \qquad y^2 = x^2(x + 1)$$
[Figure: plots of the two curves]
An Example
$E : y^2 = x^3 - 5x$ over $\mathbb{Q}$
[Figure: plot of $E$]
Elliptic Curves, $\operatorname{char}(K) \ne 2, 3$
The variable transformations
$$y \to y - (a_1x + a_3)/2, \quad \text{then} \quad x \to x - (a_1^2 + 4a_2)/12$$
yield an elliptic curve in short Weierstraß form:
$$E : y^2 = x^3 + Ax + B \qquad (A, B \in K)$$
Discriminant $\Delta = 4A^3 + 27B^2 \ne 0$ (cubic in $x$ has distinct roots)
For any field $L$ with $K \subseteq L \subseteq \overline{K}$:
$$E(L) = \{(x_0, y_0) \in L \times L \mid y_0^2 = x_0^3 + Ax_0 + B\} \cup \{\infty\}$$
is the set of $L$-rational points on $E$
An Example
$$E(\mathbb{Q}) = \{(x_0, y_0) \in \mathbb{Q} \times \mathbb{Q} \mid y_0^2 = x_0^3 - 5x_0\} \cup \{\infty\}$$
$P_1 = (-1, 2)$, $P_2 = (0, 0) \in E(\mathbb{Q})$
[Figure: plot of $E$]
The Mysterious Point at Infinity
In $E$, replace $x$ by $x/z$, $y$ by $y/z$, then multiply by $z^3$:
$$E_{\mathrm{proj}} : y^2z = x^3 + Axz^2 + Bz^3$$
Points on $E_{\mathrm{proj}}$:
$[x : y : z] \ne [0 : 0 : 0]$, normalized so the last non-zero entry is 1
Affine Points $\leftrightarrow$ Projective Points
$(x, y) \leftrightarrow [x : y : 1]$
$\infty \leftrightarrow [0 : 1 : 0]$
Arithmetic on E
Goal: Make $E(L)$ into an additive (Abelian) group
The identity is the point at infinity
By Bezout’s Theorem, any line intersects $E$ in three points
- Need to count multiplicities
- If one of the points is $\infty$, the line is “vertical”
Motto: “Any three collinear points on E sum to zero”
AKA Chord & Tangent Addition Law
Arithmetic on E — Inverses
$E : y^2 = x^3 - 5x$ over $\mathbb{Q}$, $P = (-1, -2)$
[Figure: plot of $E$]
The line through $P$ and $\infty$ is $x = -1$
It intersects $E$ in the third point $R = (-1, 2) = -P$
Arithmetic on E — Addition
$E : y^2 = x^3 - 5x$ over $\mathbb{Q}$, $P_1 = (-1, -2)$, $P_2 = (0, 0)$
[Figure: plot of $E$]
The line through $P_1$ and $P_2$ is $y = 2x$
It intersects $E$ in the third point $G = (5, 10)$
The sum $R$ is the inverse of $G$, i.e. $R = -G = (5, -10) = P + Q$
Arithmetic on E — Doubling
$E : y^2 = x^3 - 5x$ over $\mathbb{Q}$, $P = (-1, -2)$
[Figure: plot of $E$]
The line tangent to $E$ at $P$ is $y = \frac{19}{26}x - \frac{33}{26}$
It intersects $E$ in the third point $G = \left(\frac{9}{4}, \frac{3}{8}\right)$
The sum $R$ is the inverse of $G$, i.e. $R = -G = \left(\frac{9}{4}, -\frac{3}{8}\right) = 2P$
Arithmetic on Short Weierstraß Form — Summary
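$P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$ ($P_1 \ne -P_2$; $P_1, P_2 \ne \infty$)
$-P_1 = (x_1, -y_1)$
$P_1 + P_2 = \left(\lambda^2 - x_1 - x_2,\ -\lambda^3 + \lambda(x_1 + x_2) - \mu\right)$ where
$$\lambda = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1} & \text{if } P_1 \ne P_2 \\[2ex] \dfrac{3x_1^2 + A}{2y_1} & \text{if } P_1 = P_2 \end{cases}$$
$$\mu = \begin{cases} \dfrac{y_1x_2 - y_2x_1}{x_2 - x_1} & \text{if } P_1 \ne P_2 \\[2ex] \dfrac{-x_1^3 + Ax_1 + 2B}{2y_1} & \text{if } P_1 = P_2 \end{cases}$$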
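The λ/µ formulas of the summary, as an added Python example that is not part of the original slides: a short Weierstraß curve over $\mathbb{Q}$ or over a prime field $\mathbb{F}_p$ that checks the discriminant and validates every input point before adding. The class and method names and the prime $p = 97$ are assumptions chosen for illustration.

```python
from fractions import Fraction


class ShortWeierstrass:
    """E: y^2 = x^3 + A*x + B over Q (p=None) or over F_p (p prime, p > 3)."""

    INF = None  # the point at infinity, identity of the group

    def __init__(self, A, B, p=None):
        self.p = p
        self.A, self.B = self._el(A), self._el(B)
        # Non-singularity: the discriminant 4A^3 + 27B^2 must be non-zero.
        if self._el(4 * self.A**3 + 27 * self.B**2) == 0:
            raise ValueError("singular curve: 4A^3 + 27B^2 = 0")

    def _el(self, v):
        """Coerce v into the field: a Fraction for Q, a residue for F_p."""
        return Fraction(v) if self.p is None else v % self.p

    def _div(self, n, d):
        if self.p is None:
            return Fraction(n) / Fraction(d)
        return n * pow(d % self.p, -1, self.p) % self.p

    def on_curve(self, P):
        if P is self.INF:
            return True
        x, y = map(self._el, P)
        return self._el(y * y - (x**3 + self.A * x + self.B)) == 0

    def neg(self, P):
        return P if P is self.INF else (self._el(P[0]), self._el(-P[1]))

    def add(self, P1, P2):
        # The lambda formulas never use B, so an off-curve input would be
        # silently processed as a point of some other curve. Reject it.
        if not (self.on_curve(P1) and self.on_curve(P2)):
            raise ValueError("point is not on the curve")
        if P1 is self.INF:
            return P2
        if P2 is self.INF:
            return P1
        (x1, y1), (x2, y2) = map(self._el, P1), map(self._el, P2)
        if x1 == x2 and self._el(y1 + y2) == 0:
            return self.INF  # P1 = -P2: the line is vertical
        if x1 == x2:  # P1 = P2: tangent line
            lam = self._div(3 * x1 * x1 + self.A, 2 * y1)
            mu = self._div(-x1**3 + self.A * x1 + 2 * self.B, 2 * y1)
        else:  # P1 != P2: chord
            lam = self._div(y2 - y1, x2 - x1)
            mu = self._div(y1 * x2 - y2 * x1, x2 - x1)
        x3 = self._el(lam * lam - x1 - x2)
        y3 = self._el(-lam**3 + lam * (x1 + x2) - mu)
        return (x3, y3)

    def mul(self, k, P):
        """k*P for k >= 0 by double-and-add (not constant time)."""
        R, Q = self.INF, P
        while k > 0:
            if k & 1:
                R = self.add(R, Q)
            Q = self.add(Q, Q)
            k >>= 1
        return R


if __name__ == "__main__":
    E = ShortWeierstrass(-5, 0)             # the slides' curve over Q
    print(E.add((-1, -2), (0, 0)))          # chord: P1 + P2
    print(E.add((-1, 2), (-1, 2)))          # tangent: doubling (-1, 2)
    E97 = ShortWeierstrass(-5, 0, p=97)     # same equation over F_97
    P = (96, 2)                             # (-1, 2) reduced mod 97
    a, b = 5, 7                             # constructed toy secrets
    print(E97.mul(a, E97.mul(b, P)) == E97.mul(b, E97.mul(a, P)))
```

The last line is the Diffie-Hellman property from the motivation: both parties arrive at the same point $abP$.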
Beyond Elliptic Curves
Recall Weierstraß equation:
$$E : y^2 + \underbrace{(a_1x + a_3)}_{h(x)}\, y = \underbrace{x^3 + a_2x^2 + a_4x + a_6}_{f(x)}$$
$\deg(f) = 3 = 2 \cdot 1 + 1$ odd
$\deg(h) = 1$ for $\operatorname{char}(K) = 2$; $h = 0$ for $\operatorname{char}(K) \ne 2$
Generalization: $\deg(f) = 2g + 1$, $\deg(h) \le g$
$g$ is the genus of the curve
$g = 1$: elliptic curves
$g = 2$: $\deg(f) = 5$, $\deg(h) \le 2$ (also good for crypto)
Hyperelliptic Curves
Hyperelliptic curve of genus $g$ over $K$:
$$H : y^2 + h(x)y = f(x)$$
- $h(x), f(x) \in K[x]$
- $f(x)$ monic and $\deg(f) = 2g + 1$ is odd
- $\deg(h) \le g$ if $\operatorname{char}(K) = 2$; $h(x) = 0$ if $\operatorname{char}(K) \ne 2$
- non-singularity
$\operatorname{char}(K) \ne 2$: $y^2 = f(x)$, $f(x)$ monic, of odd degree, square-free
Set of $L$-rational points on $H$ ($K \subseteq L \subseteq \overline{K}$):
$$H(L) = \{(x_0, y_0) \in L \times L \mid y_0^2 + h(x_0)y_0 = f(x_0)\} \cup \{\infty\}$$
An Example
$H : y^2 = x^5 - 5x^3 + 4x + 1$ over $\mathbb{Q}$, genus $g = 2$
[Figure: plot of $H$]
$(-2, -1),\ (2, -1),\ (3, -11) \in H(\mathbb{Q})$
Divisors
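- Group of divisors on $H$:
$$\mathrm{Div}_H(K) = \langle H(K) \rangle = \Big\{ \sum_{\text{finite}} m_P P \ \Big|\ m_P \in \mathbb{Z},\ P \in H(K) \Big\}$$
- Subgroup of $\mathrm{Div}_H(K)$ of degree zero divisors on $H$:
$$\mathrm{Div}^0_H(K) = \langle [P] \mid P \in H(K) \rangle = \Big\{ \sum_{\text{finite}} m_P [P] \ \Big|\ m_P \in \mathbb{Z},\ P \in H(K) \Big\}$$
where $[P] = P - \infty$
- Subgroup of $\mathrm{Div}^0_H(K)$ of principal divisors on $H$:
$$\mathrm{Prin}_H(K) = \Big\{ \sum_{\text{finite}} v_P(\alpha) [P] \ \Big|\ \alpha \in K(x, y),\ P \in H(K) \Big\}$$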
The Jacobian
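Jacobian of $H$: $\mathrm{Jac}_H(K) = \mathrm{Div}^0_H(K) / \mathrm{Prin}_H(K)$
Motto: “Any complete collection of points on a function sums to zero”
$H(K) \hookrightarrow \mathrm{Jac}_H(K)$ via $P \mapsto [P]$
For elliptic curves: $E(K) \cong \mathrm{Jac}_E(K)$ ($\Rightarrow E(K)$ is a group)
Identity: $[\infty] = \infty - \infty$
Inverses: The points
$P = (x_0, y_0)$ and $\overline{P} = (x_0, -y_0 - h(x_0))$ on $H$ both lie on the function $x = x_0$, so
$-[P] = [\overline{P}]$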
Semi-Reduced and Reduced Divisors
Every class in $\mathrm{Jac}_H(K)$ contains a divisor $\sum_{\text{finite}} m_P [P]$ such that
- all $m_P > 0$ (replace $-[P]$ by $[\overline{P}]$)
- if $P = \overline{P}$, then $m_P = 1$ (as $2[P] = 0$)
- if $P \ne \overline{P}$, then only one of $P$, $\overline{P}$ can appear in the sum (as $[P] + [\overline{P}] = 0$)
Such a divisor is semi-reduced. If $\sum m_P \le g$, then it is reduced.
Theorem: Every class in $\mathrm{Jac}_H(K)$ contains a unique reduced divisor.
Example — Reduction
$H : y^2 = x^5 - 5x^3 + 4x + 1$ over $\mathbb{Q}$, $D = [R_1] + [R_2] + [R_3]$ with
$R_1 = (-2, -1)$, $R_2 = (2, -1)$, $R_3 = (3, -11)$
[Figure: plot of $H$]
$R_1, R_2, R_3$ all lie on the quadratic $y = -2x^2 + 7$
This quadratic meets $H$ in the two additional points $G_1, G_2$ where
$$G_1 = \left(\tfrac{1}{2}(1 + \sqrt{17}),\ -2 - \sqrt{17}\right), \quad G_2 = \left(\tfrac{1}{2}(1 - \sqrt{17}),\ -2 + \sqrt{17}\right)$$
Thus, $[R_1] + [R_2] + [R_3] + [G_1] + [G_2] = 0$ in $\mathrm{Jac}_H(\mathbb{Q})$
$[R_1] + [R_2] + [R_3] = [B_1] + [B_2]$ with $B_1 = \overline{G_1}$, $B_2 = \overline{G_2}$
The reduced divisor in the class of $D$ is $E = [B_1] + [B_2]$ where
$$B_1 = \left(\tfrac{1}{2}(1 + \sqrt{17}),\ 2 + \sqrt{17}\right), \quad B_2 = \left(\tfrac{1}{2}(1 - \sqrt{17}),\ 2 - \sqrt{17}\right)$$
Reduction in General
Let $D = \sum_{i=1}^{r} [P_i]$ be a semi-reduced divisor on $y^2 + h(x)y = f(x)$
The $r$ points $P_i$ all lie on a curve $y = v(x)$ with $\deg(v) = r - 1$
$v(x)^2 + h(x)v(x) - f(x)$ is a polynomial of degree $\max\{2r - 2,\ 2g + 1\}$
Case $r \ge g + 2$: replace the $r$ points $P_1, \ldots, P_r$ in $D$ by the inverses of the other $(2r - 2) - r = r - 2$ points on this degree $2r - 2$ polynomial
Case $r = g + 1$: replace the $g + 1$ points $P_1, \ldots, P_r$ in $D$ by the inverses of the other $2g + 1 - (g + 1) = g$ points on this degree $2g + 1$ polynomial
After $\left\lceil \frac{r - g}{2} \right\rceil$ steps a reduced divisor is obtained
![Page 55: Elliptic and Hyperelliptic Curve Cryptography · Elliptic and Hyperelliptic Curve Cryptography Renate Scheidler Research supported in part by NSERC of Canada](https://reader031.vdocuments.us/reader031/viewer/2022021622/5b79c1767f8b9a7f378e4e49/html5/thumbnails/55.jpg)
Reduction in General
Let D �
r
Qi�1
�Pi � be a semi-reduced divisor on y 2 � h�x�y � f �x�The r points Pi all lie on a curve y � v�x� with deg�v� � r � 1
v�x�2 � h�x�h�x� � f �x� polynomial of degree max�2r � 2, 2g � 1�Case r C g � 2: replace the r points P1, . . . ,Pr in D by the inversesof the other �2r � 2� � r � r � 2 points on this degree 2r � 2polynomial
Case r � g � 1: replace the g � 1 points P1, . . . ,Pr in D by theinverses of the other 2g � 1 � �g � 1� � g points on this degree2g � 2 polynomial
After � r � g
2� steps a reduced divisor is obtained ��
�
Mumford Representation

Let $D = \sum_{i=1}^{r} m_i [P_i]$ be a semi-reduced divisor, $P_i = (x_i, y_i)$

The Mumford representation of $D$ is $D = (u(x), v(x))$ where

$u(x), v(x) \in K[x]$, $u$ monic, $\deg(v) < \deg(u)$, $u \mid v^2 + hv - f$

$$u(x) = \prod_{i=1}^{r} (x - x_i)^{m_i}$$

$$\left(\frac{d}{dx}\right)^{j} \left[ v(x)^2 + v(x)h(x) - f(x) \right]_{x = x_i} = 0 \qquad (0 \leq j \leq m_i - 1)$$

So $u(x_i) = 0$ and $v(x_i) = y_i$ with multiplicity $m_i$ for $1 \leq i \leq r$

Mumford representation uniquely determines $D$

Example: If $P = (x_0, y_0)$, then $D = [P] = (x - x_0, y_0)$

Divisor Reduction Using Mumford Representations

Input: $D = (u, v)$
Output: The reduced divisor $D' = (u', v')$ in the class of $D$

    while deg(u) > g do
        u' = (f - vh - v^2) / u,   v' = -(v + h) (mod u')
        u = u',  v = v'
    end while
    return (u', v')

Divisor Reduction — Example

$H : y^2 = x^5 - 5x^3 + 4x + 1$ over $\mathbb{Q}$

$D = [(-2, -1)] + [(2, -1)] + [(3, -11)] = (u, v)$ with

$u(x) = (x + 2)(x - 2)(x - 3) = x^3 - 3x^2 - 4x + 12$

$v(x) = -2x^2 + 7$ (from before)

$$u'(x) = \frac{(x^5 - 5x^3 + 4x + 1) - (-2x^2 + 7)^2}{x^3 - 3x^2 - 4x + 12} = x^2 - x - 4$$

$v'(x) = -(-2x^2 + 7) \pmod{x^2 - x - 4} = 2x + 1$

$D' = (u', v')$ is the reduced divisor in the class of $D$

Recall $D' = \left[\left(\tfrac{1}{2}(1 + \sqrt{17}),\ 2 + \sqrt{17}\right)\right] + \left[\left(\tfrac{1}{2}(1 - \sqrt{17}),\ 2 - \sqrt{17}\right)\right]$

Divisor Addition Using Mumford Representations

$D_1 = (u_1, v_1)$, $D_2 = (u_2, v_2)$ divisors on $H : y^2 + h(x)y = f(x)$

Simplest case: for any $[P]$ occurring in $D_1$, the inverse $[\overline{P}]$ does not occur in $D_2$ and vice versa — then $D_1 + D_2$ is semi-reduced

Then $D_1 + D_2 = (u, v)$ where $u = u_1 u_2$ and

$$v \equiv \begin{cases} v_1 \pmod{u_1} \\ v_2 \pmod{u_2} \end{cases}$$

In general: suppose $P = (x_0, y_0)$ occurs in $D_1$ and $\overline{P}$ occurs in $D_2$.

Then $u_1(x_0) = u_2(x_0) = 0$ and $v_1(x_0) = y_0 = -v_2(x_0) - h(x_0)$, so $x - x_0 \mid u_1(x),\ u_2(x),\ v_1(x) + v_2(x) + h(x)$

$$d = \gcd(u_1, u_2, v_1 + v_2 + h) = s_1 u_1 + s_2 u_2 + s_3 (v_1 + v_2 + h)$$

$$u = \frac{u_1 u_2}{d^2}$$

$$v \equiv \frac{1}{d}\left( s_1 u_1 v_2 + s_2 u_2 v_1 + s_3 (v_1 v_2 + f) \right) \pmod{u}$$

(In the simplest case above, $d = 1$ and $s_3 = 0$)

Arithmetic in $\mathrm{Jac}_H(K)$

Input: $D_1 = (u_1, v_1)$, $D_2 = (u_2, v_2)$ reduced

Output: The reduced divisor $D' = (u', v')$ in the class of $D_1 + D_2$

1. Addition: compute a semi-reduced divisor $D = (u, v)$ in the class of $D_1 + D_2$
2. Reduction: compute the reduced divisor $D' = (u', v')$ in the class of $D$

Methods

- “Vanilla” method just discussed
- Cantor’s algorithm (“improved vanilla”)
- NUCOMP
- Explicit formulas (if $g$ is small, say $g = 2, 3, 4$)

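The two steps above (addition by the gcd formulas, then reduction by the while loop), as an added Python example in exact arithmetic over Q; it is not code from the talk. It reproduces the slides' reduction of $(x^3 - 3x^2 - 4x + 12,\ -2x^2 + 7)$ on $y^2 = x^5 - 5x^3 + 4x + 1$; the function names, the polynomial helpers and the other input divisors are constructed for this example.

```python
from fractions import Fraction as Fr

# Polynomials over Q: coefficient lists, lowest degree first; [] is zero.
def trim(a):
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a, b):
    n = max(len(a), len(b))
    a, b = list(a) + [0] * (n - len(a)), list(b) + [0] * (n - len(b))
    return trim([x + y for x, y in zip(a, b)])

def sub(a, b):
    return add(a, [-c for c in b])

def mul(a, b):
    out = [Fr(0)] * max(len(a) + len(b) - 1, 0)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)

def divmod_poly(a, b):
    """Return (q, r) with a = q*b + r and deg(r) < deg(b); b must be nonzero."""
    q, r = [], trim(a)
    while len(r) >= len(b):
        term = [Fr(0)] * (len(r) - len(b)) + [Fr(r[-1]) / b[-1]]
        q, r = add(q, term), sub(r, mul(term, b))
    return q, r

def scale(a, c):
    return [Fr(x) / c for x in a]

def xgcd(a, b):
    """Return (d, s, t) with d = gcd(a, b) monic and d = s*a + t*b."""
    r0, r1, s0, s1, t0, t1 = trim(a), trim(b), [1], [], [], [1]
    while r1:
        q, r = divmod_poly(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, sub(s0, mul(q, s1))
        t0, t1 = t1, sub(t0, mul(q, t1))
    return scale(r0, r0[-1]), scale(s0, r0[-1]), scale(t0, r0[-1])

def compose(D1, D2, f, h):
    """Addition step: a semi-reduced (u, v) in the class of D1 + D2."""
    (u1, v1), (u2, v2) = D1, D2
    d1, e1, e2 = xgcd(u1, u2)                    # d1 = e1*u1 + e2*u2
    d, s3, c = xgcd(add(add(v1, v2), h), d1)     # d = s3*(v1 + v2 + h) + c*d1
    s1, s2 = mul(c, e1), mul(c, e2)              # d = s1*u1 + s2*u2 + s3*(v1 + v2 + h)
    u = divmod_poly(mul(u1, u2), mul(d, d))[0]   # u = u1*u2 / d^2
    t = add(add(mul(mul(s1, u1), v2), mul(mul(s2, u2), v1)),
            mul(s3, add(mul(v1, v2), f)))
    return u, divmod_poly(divmod_poly(t, d)[0], u)[1]

def reduce_divisor(D, f, h, g):
    """Reduction step: the reduced divisor in the class of D = (u, v)."""
    u, v = D
    while len(u) - 1 > g:
        u_new, rem = divmod_poly(sub(sub(f, mul(v, h)), mul(v, v)), u)
        if rem:  # input is not a valid Mumford pair; refuse to continue
            raise ValueError("u does not divide v^2 + hv - f")
        u_new = scale(u_new, u_new[-1])          # normalise so that u stays monic
        u, v = u_new, divmod_poly([-c for c in add(v, h)], u_new)[1]
    return u, v

def jacobian_add(D1, D2, f, h, g):
    return reduce_divisor(compose(D1, D2, f, h), f, h, g)

# The slides' curve H: y^2 = x^5 - 5x^3 + 4x + 1 over Q (h = 0, genus 2).
F, H, G = [1, 4, 0, -5, 0, 1], [], 2
# The slides' semi-reduced divisor D = (x^3 - 3x^2 - 4x + 12, -2x^2 + 7).
U, V = [12, -4, -3, 1], [7, 0, -2]

if __name__ == "__main__":
    print(reduce_divisor((U, V), F, H, G))
    # Constructed inputs: (x^2 - 4, -1) + (x - 3, -11) composes to the slides' (U, V).
    print(compose(([-4, 0, 1], [-1]), ([-3, 1], [-11]), F, H))
```

The explicit check that $u$ divides $v^2 + hv - f$ matters when the pair $(u, v)$ comes from outside: without it the loop would divide inexactly and return a pair that represents no divisor on the curve.
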
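Divisors defined over K

Let $\varphi \in \mathrm{Gal}(\overline{K}/K)$ (for $K = \mathbb{F}_q$, think of Frobenius $\varphi(\alpha) = \alpha^q$)

$\varphi$ acts on points on $H$: if $P = (x_0, y_0)$, then $\varphi(P) = (\varphi(x_0), \varphi(y_0))$

$\varphi$ acts on divisors: if $D = \sum m_P [P]$, then $\varphi(D) = \sum m_P [\varphi(P)]$

A divisor $D$ is defined over $K$ if $\varphi(D) = D$

Example:

$D = (x^2 - x - 4,\ 2x + 1)$ on $H : y^2 = x^5 - 5x^3 + 4x + 1$ over $\mathbb{Q}$

$\phantom{D} = \left[\left(\tfrac{1}{2}(1 + \sqrt{17}),\ 2 + \sqrt{17}\right)\right] + \left[\left(\tfrac{1}{2}(1 - \sqrt{17}),\ 2 - \sqrt{17}\right)\right]$

is defined over $\mathbb{Q}$ (invariant under the automorphism $\sqrt{17} \mapsto -\sqrt{17}$)

Theorem: $D = (u, v)$ is defined over $K$ if and only if $u(x), v(x) \in K[x]$.

Corollary: The group $\mathrm{Jac}_H(\mathbb{F}_q)$ of divisor classes defined over $\mathbb{F}_q$ is finite.
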
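Group Structure and Size

$E(\mathbb{F}_q) \cong \mathbb{Z}/n\mathbb{Z} \times \mathbb{Z}/m\mathbb{Z}$ where $n \mid \gcd(m, q - 1)$

Via a hand-wavy argument, $y^2 = f(x)$ should have $\approx q + 1$ points

Hasse: $|E(\mathbb{F}_q)| = q + 1 - t$ with $|t| \leq 2\sqrt{q}$

Hasse-Weil: $|H(\mathbb{F}_q)| = q + 1 - t$ with $|t| \leq 2g\sqrt{q}$

Serre: $|t| \leq g \lfloor 2\sqrt{q} \rfloor$

For the Jacobian:

$$(\sqrt{q} - 1)^{2g} \leq |\mathrm{Jac}_H(\mathbb{F}_q)| \leq (\sqrt{q} + 1)^{2g}$$

So $|\mathrm{Jac}_H(\mathbb{F}_q)| \approx q^g$

If we want $q^g \approx 2^{160}$:

| $g$ | 1 | 2 | 3 | 4 |
|---|---|---|---|---|
| $q$ | $2^{160}$ | $2^{80}$ | $2^{53.33}$ | $2^{40}$ |
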
Point Counting Algorithms

Stay for next week’s workshop to learn more . . .

$K = \mathbb{F}_q$, $q = p^n$

- Square Root Methods
  - Pollard kangaroo
  - Cartier-Manin
- $\ell$-adic Methods ($n = 1$, polynomial in $\log(p)$)
  - SEA and generalizations
- $p$-adic Methods ($p$ small, polynomial in $n$)
  - Canonical lifts (Satoh, AGM)
  - Deformation theory
  - Cohomology

Point counting on certain curves is easy (e.g. Koblitz curves)

Can also construct curves with good group orders via CM method (see Thursday’s talks by Drew Sutherland and Bianca Viray)

Discrete Logarithms

Elliptic Curve DLP: given $P, Q \in E(\mathbb{F}_q)$ with $Q = mP$, find $m$

Hyperelliptic Curve DLP: given reduced divisors $D, E$ so that $E$ is equivalent to $mD$, find $m$

Generic Methods — Complexity $O(q^{g/2})$ group operations

- Baby step giant step — also requires $O(q^{g/2})$ space
- Pollard rho
- Pollard lambda (kangaroo)

Index Calculus Methods

- $g \gg \log(q)$ — sub-exponential
- $3 \leq g \ll \log(q)$ — $O(q^{2 - 2/g})$

For $g = 1, 2$, generic methods are best! (As far as we know . . . )

![Page 96: Elliptic and Hyperelliptic Curve Cryptography · Elliptic and Hyperelliptic Curve Cryptography Renate Scheidler Research supported in part by NSERC of Canada](https://reader031.vdocuments.us/reader031/viewer/2022021622/5b79c1767f8b9a7f378e4e49/html5/thumbnails/96.jpg)
Discrete Logarithms
Elliptic Curve DLP: given P,Q > E�Fq� with Q � mP, find m
Hyperelliptic Curve DLP: given reduced divisors D,E so that Eis equivalent to mD, find m
Generic Methods — Complexity O�qg~2� group operations
L Baby step giant step — also requires O�qg~2� space
L Pollard rho
L Pollard lambda (kangaroo)
Index Calculus Methods
L g â log�q� — sub-exponential
L 3 B g á log�q� — O�q2�2~g�For g � 1,2, generic methods are best! (As far as we know . . . )
Other Attacks & Parameter Choices
$K = \mathbb{F}_q$ with $q = p^n$
- Pohlig-Hellman — ensure that $|\mathrm{Jac}_H(\mathbb{F}_q)|$ has a large prime factor
- Additive Reduction: if $p$ divides $|\mathrm{Jac}_H(\mathbb{F}_q)|$, then there is an explicit homomorphism $\mathrm{Jac}_H(\mathbb{F}_q)[p] \to (\mathbb{F}_q^{2g-1}, +)$ — ensure that $\gcd(q, |\mathrm{Jac}_H(\mathbb{F}_q)|) = 1$
- Multiplicative Reduction (MOV): pairings can be used to map the DLP in $\mathrm{Jac}_H(\mathbb{F}_q)$ into $(\mathbb{F}_{q^k}^*, \cdot)$ where $q^k \equiv 1 \pmod{r}$ for a prime $r$ dividing $|\mathrm{Jac}_H(\mathbb{F}_q)|$ — ensure that $k$ is large
  (For pairing-based crypto, however, we want $k$ small — see Tuesday's and Wednesday's talks)
- Weil Descent: If $n = kd$ is composite, one may have $\mathrm{Jac}_H(\mathbb{F}_{p^{kd}}) \hookrightarrow \mathrm{Jac}_C(\mathbb{F}_{p^d})$ where $C$ has higher genus — use $n = 1$ or $n$ prime
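The four parameter conditions on this slide can be checked mechanically once the group order is known. The sketch below is an added example, not code from the talk: the function names, the thresholds `min_r_bits` and `k_bound`, and the toy (p, n, order) triples are all assumptions chosen so that trial division is enough.

```python
from math import gcd

def prime_factors(m):
    """Set of prime factors by trial division (toy sizes only)."""
    found, d = set(), 2
    while d * d <= m:
        while m % d == 0:
            found.add(d)
            m //= d
        d += 1
    if m > 1:
        found.add(m)
    return found

def embedding_degree(q, r, k_bound):
    """Smallest k <= k_bound with q^k = 1 (mod r), or None if there is none."""
    t = 1
    for k in range(1, k_bound + 1):
        t = t * q % r
        if t == 1:
            return k
    return None

def vet(p, n, order, min_r_bits=6, k_bound=20):
    """Names of the slide's four checks that (q = p^n, |Jac| = order) fails."""
    q = p ** n
    r = max(prime_factors(order))           # largest prime factor of the group order
    failed = []
    if r.bit_length() < min_r_bits:         # Pohlig-Hellman: no large prime factor
        failed.append("pohlig-hellman")
    if gcd(q, order) != 1:                  # additive reduction: p divides the order
        failed.append("additive-reduction")
    if embedding_degree(q, r, k_bound):     # MOV: q^k = 1 (mod r) for a small k
        failed.append("mov")
    if n != 1 and prime_factors(n) != {n}:  # Weil descent: n composite
        failed.append("weil-descent")
    return failed

# Constructed toy inputs (p, n, group order); the thresholds are toy-sized too.
SAMPLES = {
    "acceptable":     (101, 1, 103),
    "smooth order":   (101, 1, 96),
    "order equals p": (101, 1, 101),
    "order p + 1":    (211, 1, 212),
    "composite n":    (3, 4, 83),
}
REPORT = {name: vet(*args) for name, args in SAMPLES.items()}
for name, failed in REPORT.items():
    print(f"{name:15s} {failed or 'passes all four checks'}")
```

At cryptographic sizes the order comes from a point-counting algorithm and its factorisation needs a real factoring or primality routine; the four tests themselves stay the same.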
Some Other Models
- Hessians: $x^3 + y^3 - 3dxy = 1$
- Edwards models: $x^2 + y^2 = c^2(1 + dx^2y^2)$ ($q$ odd) and variations
[Figure: real plots of the Hessian curve $x^3 + y^3 = 1$ and of an Edwards curve with $c^2 = 10$, both on axes from $-4$ to $4$]
Even Degree Models
$H : y^2 + h(x)y = f(x)$
- $h(x), f(x) \in K[x]$
- $\deg(h) = g + 1$ if $\mathrm{char}(K) = 2$; $h(x) = 0$ if $\mathrm{char}(K) \ne 2$
- $\deg(f) = 2g + 2$ is even
- $\mathrm{sgn}(f) = s^2 + s$ with $s \in K$ if $\mathrm{char}(K) = 2$; $f(x)$ is monic if $\mathrm{char}(K) \ne 2$
- non-singularity
$\mathrm{char}(K) \ne 2$: $y^2 = f(x)$, $f(x)$ monic, of even degree, square-free
Elliptic quartic, $\mathrm{char}(K) \ne 2, 3$:
$y^2 = x^4 + ax^2 + bx + c$ $(a, b, c \in K)$
($b = 0$: Jacobi Quartic)
Examples
E � y 2� x4 � 6x2 � x � 6
$g = 1$
H � y 2� x6�13x4�44x2�4x�1
$g = 2$
Conclusion
- Genus 1 and genus 2 curves over $\mathbb{F}_q$ represent a very good setting for DLP based cryptography
- Use $q$ prime or $q = 2^n$
- Good parameter choices are known and easy
- Cryptographically suitable curves can be constructed in practice
Thank You!