real hyperelliptic curves - fields institutereal hyperelliptic curves renate scheidler...
TRANSCRIPT
![Page 1: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/1.jpg)
Real Hyperelliptic CurvesRenate Scheidler
C I S Centre for nformation ecurity nd ryptography
C I S Centre for nformation ecurity nd ryptography
C I S Centre for nformation ecurity nd ryptography
Fields Institute Workshop on New Directions in Cryptography, June 25-27, 2008, University of Ottawa
Joint work with
Mike Jacobson (University of Calgary) and Andreas Stein (University of Oldenburg)
Research supported in part by NSERC of Canada
– p.
![Page 2: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/2.jpg)
Hyperelliptic Curves over Fq
– p.
![Page 3: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/3.jpg)
Hyperelliptic Curves over Fq
C : y2 + h(x)y = f(x)
– p.
![Page 4: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/4.jpg)
Hyperelliptic Curves over Fq
C : y2 + h(x)y = f(x)
f, h ∈ Fq[x]; h = 0 if q odd;absolutely irreducible; non-singular; of genus g
– p.
![Page 5: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/5.jpg)
Hyperelliptic Curves over Fq
C : y2 + h(x)y = f(x)
f, h ∈ Fq[x]; h = 0 if q odd;absolutely irreducible; non-singular; of genus g
Imaginary Modelf monic and deg(f) = 2g + 1
deg(h) ≤ g if q even
– p.
![Page 6: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/6.jpg)
Hyperelliptic Curves over Fq
C : y2 + h(x)y = f(x)
f, h ∈ Fq[x]; h = 0 if q odd;absolutely irreducible; non-singular; of genus g
Imaginary Modelf monic and deg(f) = 2g + 1
deg(h) ≤ g if q even
Real ModelIf q odd: f monic and deg(f) = 2g + 2
If q even: h monic, deg(h) = g + 1 anddeg(f) ≤ 2g + 1 ordeg(f) = 2g + 2, sgn(f) = e2 + e (e ∈ F
∗
q)
– p.
![Page 7: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/7.jpg)
Degree 0 Divisors ( C Imaginary)
– p.
![Page 8: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/8.jpg)
Degree 0 Divisors ( C Imaginary)J = JacFq
(C): degree zero divisor class group of C over Fq
– p.
![Page 9: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/9.jpg)
Degree 0 Divisors ( C Imaginary)J = JacFq
(C): degree zero divisor class group of C over Fq
Representation of degree zero divisors : D = (s; a, b):
s, a, b ∈ Fq[x], s and a monics and a unique, b (mod a) uniquea | f + hb − b2
– p.
![Page 10: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/10.jpg)
Degree 0 Divisors ( C Imaginary)J = JacFq
(C): degree zero divisor class group of C over Fq
Representation of degree zero divisors : D = (s; a, b):
s, a, b ∈ Fq[x], s and a monics and a unique, b (mod a) uniquea | f + hb − b2
D semi-reduced : s = 1D reduced : s = 1 and deg(a) ≤ g.
– p.
![Page 11: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/11.jpg)
Degree 0 Divisors ( C Imaginary)J = JacFq
(C): degree zero divisor class group of C over Fq
Representation of degree zero divisors : D = (s; a, b):
s, a, b ∈ Fq[x], s and a monics and a unique, b (mod a) uniquea | f + hb − b2
D semi-reduced : s = 1D reduced : s = 1 and deg(a) ≤ g.
Theorem : Every class [D] ∈ J has a unique reducedrepresentative Red(D)
– p.
![Page 12: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/12.jpg)
Degree 0 Divisors ( C Imaginary)J = JacFq
(C): degree zero divisor class group of C over Fq
Representation of degree zero divisors : D = (s; a, b):
s, a, b ∈ Fq[x], s and a monics and a unique, b (mod a) uniquea | f + hb − b2
D semi-reduced : s = 1D reduced : s = 1 and deg(a) ≤ g.
Theorem : Every class [D] ∈ J has a unique reducedrepresentative Red(D)
Arithmetic in J via reduced representatives (giant steps ):
Red(D′) ⊕ Red(D′′)def= Red(D′ + D′′)
– p.
![Page 13: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/13.jpg)
Giant Step Arithmetic
– p.
![Page 14: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/14.jpg)
Giant Step ArithmeticCantor’s algorithm (Cantor 1987)divisor addition with subsequent reduction steps17g2 + O(g) operations in Fq (Stein 2001)
– p.
![Page 15: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/15.jpg)
Giant Step ArithmeticCantor’s algorithm (Cantor 1987)divisor addition with subsequent reduction steps17g2 + O(g) operations in Fq (Stein 2001)
NUCOMP (Shanks-Atkin 1989, van der Poorten 2003)Cg2 operation in Fq, C < 17
– p.
![Page 16: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/16.jpg)
Giant Step ArithmeticCantor’s algorithm (Cantor 1987)divisor addition with subsequent reduction steps17g2 + O(g) operations in Fq (Stein 2001)
NUCOMP (Shanks-Atkin 1989, van der Poorten 2003)Cg2 operation in Fq, C < 17
Explicit formulas for low genus curves:
– p.
![Page 17: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/17.jpg)
Giant Step ArithmeticCantor’s algorithm (Cantor 1987)divisor addition with subsequent reduction steps17g2 + O(g) operations in Fq (Stein 2001)
NUCOMP (Shanks-Atkin 1989, van der Poorten 2003)Cg2 operation in Fq, C < 17
Explicit formulas for low genus curves:Imaginary: g = 2, 3, 4www.hyperelliptic.org/EFD/
– p.
![Page 18: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/18.jpg)
Giant Step ArithmeticCantor’s algorithm (Cantor 1987)divisor addition with subsequent reduction steps17g2 + O(g) operations in Fq (Stein 2001)
NUCOMP (Shanks-Atkin 1989, van der Poorten 2003)Cg2 operation in Fq, C < 17
Explicit formulas for low genus curves:Imaginary: g = 2, 3, 4www.hyperelliptic.org/EFD/
Real: g = 2, affine coordinatesErickson-Jacobson-Shang-Shen-Stein, WAIFI 2007
– p.
![Page 19: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/19.jpg)
Key Agreement in J (Koblitz 1989)
– p.
![Page 20: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/20.jpg)
Key Agreement in J (Koblitz 1989)Alice and Bob agree on q, C imaginary, a reduced divisor D
– p.
![Page 21: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/21.jpg)
Key Agreement in J (Koblitz 1989)Alice and Bob agree on q, C imaginary, a reduced divisor D
Alice Bob
1. Generates m ∈R ]1, ord(D)[ Generates n ∈R ]1, ord(D)[
// Fixed base scenario //2. Sends Dm = Red(mD) to Bob Sends Dn = Red(nD) to Alice
// Variable base scenario //3. Computes K = Red(mDn) Computes K = Red(nDm)
– p.
![Page 22: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/22.jpg)
Key Agreement in J (Koblitz 1989)Alice and Bob agree on q, C imaginary, a reduced divisor D
Alice Bob
1. Generates m ∈R ]1, ord(D)[ Generates n ∈R ]1, ord(D)[
// Fixed base scenario //2. Sends Dm = Red(mD) to Bob Sends Dn = Red(nD) to Alice
// Variable base scenario //3. Computes K = Red(mDn) Computes K = Red(nDm)
The secret is the reduced divisor K = Red(mnD)
– p.
![Page 23: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/23.jpg)
Key Agreement in J (Koblitz 1989)Alice and Bob agree on q, C imaginary, a reduced divisor D
Alice Bob
1. Generates m ∈R ]1, ord(D)[ Generates n ∈R ]1, ord(D)[
// Fixed base scenario //2. Sends Dm = Red(mD) to Bob Sends Dn = Red(nD) to Alice
// Variable base scenario //3. Computes K = Red(mDn) Computes K = Red(nDm)
The secret is the reduced divisor K = Red(mnD)
〈D〉 ≈ |J | ≈ qg (exponentially large in the size of C)
– p.
![Page 24: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/24.jpg)
Key Agreement in J (Koblitz 1989)Alice and Bob agree on q, C imaginary, a reduced divisor D
Alice Bob
1. Generates m ∈R ]1, ord(D)[ Generates n ∈R ]1, ord(D)[
// Fixed base scenario //2. Sends Dm = Red(mD) to Bob Sends Dn = Red(nD) to Alice
// Variable base scenario //3. Computes K = Red(mDn) Computes K = Red(nDm)
The secret is the reduced divisor K = Red(mnD)
〈D〉 ≈ |J | ≈ qg (exponentially large in the size of C)
DLP is exponential for small g
(g = 2 is best; DLP complexity O(q) = O(√
|J |))
– p.
![Page 25: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/25.jpg)
Degree 0 Divisors ( C Real)
– p.
![Page 26: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/26.jpg)
Degree 0 Divisors ( C Real)Representation of degree zero divisors : D = (s; a, b; v):
s, a, b as beforev ∈ Z
– p.
![Page 27: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/27.jpg)
Degree 0 Divisors ( C Real)Representation of degree zero divisors : D = (s; a, b; v):
s, a, b as beforev ∈ Z
Semi-reduced and reduced defined as before – norestrictions on v
– p.
![Page 28: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/28.jpg)
Degree 0 Divisors ( C Real)Representation of degree zero divisors : D = (s; a, b; v):
s, a, b as beforev ∈ Z
Semi-reduced and reduced defined as before – norestrictions on v
Fact: Reduced representatives of divisor classes are nolonger unique
– p.
![Page 29: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/29.jpg)
Degree 0 Divisors ( C Real)Representation of degree zero divisors : D = (s; a, b; v):
s, a, b as beforev ∈ Z
Semi-reduced and reduced defined as before – norestrictions on v
Fact: Reduced representatives of divisor classes are nolonger unique
Theorem : Every class [D] ∈ J has a unique reducedrepresentative Red’(D) = (a, b, v) where v is restricted to asuitable interval of length g − deg(a) + 1
(Paulus-Rück 1999; Galbraith-Harrison-Mireless 2008)
– p.
![Page 30: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/30.jpg)
Degree 0 Divisors ( C Real)Representation of degree zero divisors : D = (s; a, b; v):
s, a, b as beforev ∈ Z
Semi-reduced and reduced defined as before – norestrictions on v
Fact: Reduced representatives of divisor classes are nolonger unique
Theorem : Every class [D] ∈ J has a unique reducedrepresentative Red’(D) = (a, b, v) where v is restricted to asuitable interval of length g − deg(a) + 1
(Paulus-Rück 1999; Galbraith-Harrison-Mireless 2008)
Could use this again for arithmetic in J
– p.
![Page 31: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/31.jpg)
Computing Red’ (D)
– p.
![Page 32: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/32.jpg)
Computing Red’ (D)
Compute D′ ⊕ D′′ = Red(D′ + D′′) as in the imaginarycase using a giant step — Cg2 operations in Fq
– p.
![Page 33: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/33.jpg)
Computing Red’ (D)
Compute D′ ⊕ D′′ = Red(D′ + D′′) as in the imaginarycase using a giant step — Cg2 operations in Fq
Apply further reduction steps to until Red’(D) isreached — up to C ′g2 operations in Fq
– p.
![Page 34: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/34.jpg)
Computing Red’ (D)
Compute D′ ⊕ D′′ = Red(D′ + D′′) as in the imaginarycase using a giant step — Cg2 operations in Fq
Apply further reduction steps to until Red’(D) isreached — up to C ′g2 operations in Fq
(C + C ′)g2 field operations — slower than imaginaryJacobian arithmetic
– p.
![Page 35: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/35.jpg)
Computing Red’ (D)
Compute D′ ⊕ D′′ = Red(D′ + D′′) as in the imaginarycase using a giant step — Cg2 operations in Fq
Apply further reduction steps to until Red’(D) isreached — up to C ′g2 operations in Fq
(C + C ′)g2 field operations — slower than imaginaryJacobian arithmetic
Henceforth, let C be real. Then |J | = HR where
– p.
![Page 36: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/36.jpg)
Computing Red’ (D)
Compute D′ ⊕ D′′ = Red(D′ + D′′) as in the imaginarycase using a giant step — Cg2 operations in Fq
Apply further reduction steps to until Red’(D) isreached — up to C ′g2 operations in Fq
(C + C ′)g2 field operations — slower than imaginaryJacobian arithmetic
Henceforth, let C be real. Then |J | = HR where
H is the order of the ideal class group of the coordinatering of C; usually very small
– p.
![Page 37: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/37.jpg)
Computing Red’ (D)
Compute D′ ⊕ D′′ = Red(D′ + D′′) as in the imaginarycase using a giant step — Cg2 operations in Fq
Apply further reduction steps to until Red’(D) isreached — up to C ′g2 operations in Fq
(C + C ′)g2 field operations — slower than imaginaryJacobian arithmetic
Henceforth, let C be real. Then |J | = HR where
H is the order of the ideal class group of the coordinatering of C; usually very small
R is the regulator of C, i.e. the order of the divisor classof ∞1 −∞2 where ∞1 and ∞2 are the two points atinfinity; usually R ≈ |J | ≈ qg
– p.
![Page 38: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/38.jpg)
Infrastructure
– p.
![Page 39: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/39.jpg)
InfrastructureInfrastructure :
R = {D | D is a reduced principal divisor with 0 ≤ −v < R}
– p.
![Page 40: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/40.jpg)
InfrastructureInfrastructure :
R = {D | D is a reduced principal divisor with 0 ≤ −v < R}
Properties
– p.
![Page 41: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/41.jpg)
InfrastructureInfrastructure :
R = {D | D is a reduced principal divisor with 0 ≤ −v < R}
Properties
R is finite and of cardinality ≈ R ≈ qg
– p.
![Page 42: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/42.jpg)
InfrastructureInfrastructure :
R = {D | D is a reduced principal divisor with 0 ≤ −v < R}
Properties
R is finite and of cardinality ≈ R ≈ qg
R is ordered by distance: δ(D) = −v, so
R = {D1 = 0, D2, . . . , Dr}, Di+1 = Di − div(
ai + y
bi
)
– p.
![Page 43: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/43.jpg)
InfrastructureInfrastructure :
R = {D | D is a reduced principal divisor with 0 ≤ −v < R}
Properties
R is finite and of cardinality ≈ R ≈ qg
R is ordered by distance: δ(D) = −v, so
R = {D1 = 0, D2, . . . , Dr}, Di+1 = Di − div(
ai + y
bi
)
0 = δ1 < δ2 < · · · < δr < R
– p.
![Page 44: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/44.jpg)
InfrastructureInfrastructure :
R = {D | D is a reduced principal divisor with 0 ≤ −v < R}
Properties
R is finite and of cardinality ≈ R ≈ qg
R is ordered by distance: δ(D) = −v, so
R = {D1 = 0, D2, . . . , Dr}, Di+1 = Di − div(
ai + y
bi
)
0 = δ1 < δ2 < · · · < δr < R
δ1 = 0, δ2 = g + 1, 1 ≤ δi+1 − δi ≤ g for 2 ≤ i ≤ r − 1
– p.
![Page 45: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/45.jpg)
InfrastructureInfrastructure :
R = {D | D is a reduced principal divisor with 0 ≤ −v < R}
Properties
R is finite and of cardinality ≈ R ≈ qg
R is ordered by distance: δ(D) = −v, so
R = {D1 = 0, D2, . . . , Dr}, Di+1 = Di − div(
ai + y
bi
)
0 = δ1 < δ2 < · · · < δr < R
δ1 = 0, δ2 = g + 1, 1 ≤ δi+1 − δi ≤ g for 2 ≤ i ≤ r − 1
A reduction step moves from Di to Di+1 and is alsoknown as a baby step — O(g) operations in Fq
– p.
![Page 46: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/46.jpg)
InfrastructureInfrastructure :
R = {D | D is a reduced principal divisor with 0 ≤ −v < R}
Properties
R is finite and of cardinality ≈ R ≈ qg
R is ordered by distance: δ(D) = −v, so
R = {D1 = 0, D2, . . . , Dr}, Di+1 = Di − div(
ai + y
bi
)
0 = δ1 < δ2 < · · · < δr < R
δ1 = 0, δ2 = g + 1, 1 ≤ δi+1 − δi ≤ g for 2 ≤ i ≤ r − 1
A reduction step moves from Di to Di+1 and is alsoknown as a baby step — O(g) operations in Fq
Dmr+i = Di + mR(∞1 −∞2) for m ∈ N and 1 ≤ i ≤ r
– p.
![Page 47: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/47.jpg)
Infra-STRUCTURE
– p.
![Page 48: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/48.jpg)
Infra-STRUCTURER is “almost” an Abelian group under giant steps:
– p.
![Page 49: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/49.jpg)
Infra-STRUCTURER is “almost” an Abelian group under giant steps:
Closure: D′, D′′ ∈ R ⇒ D′ ⊕ D′′ ∈ R
– p.
![Page 50: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/50.jpg)
Infra-STRUCTURER is “almost” an Abelian group under giant steps:
Closure: D′, D′′ ∈ R ⇒ D′ ⊕ D′′ ∈ R
Identity: D1 = 0 = (1, 0; 0)
– p.
![Page 51: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/51.jpg)
Infra-STRUCTURER is “almost” an Abelian group under giant steps:
Closure: D′, D′′ ∈ R ⇒ D′ ⊕ D′′ ∈ R
Identity: D1 = 0 = (1, 0; 0)
Inverses: The inverse of D = (a, b; v) is−D = (a,−h − b;− deg(a) − v)
– p.
![Page 52: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/52.jpg)
Infra-STRUCTURER is “almost” an Abelian group under giant steps:
Closure: D′, D′′ ∈ R ⇒ D′ ⊕ D′′ ∈ R
Identity: D1 = 0 = (1, 0; 0)
Inverses: The inverse of D = (a, b; v) is−D = (a,−h − b;− deg(a) − v)
Commutativity: D′ ⊕ D′′ = D′′ ⊕ D′
– p.
![Page 53: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/53.jpg)
Infra-STRUCTURER is “almost” an Abelian group under giant steps:
Closure: D′, D′′ ∈ R ⇒ D′ ⊕ D′′ ∈ R
Identity: D1 = 0 = (1, 0; 0)
Inverses: The inverse of D = (a, b; v) is−D = (a,−h − b;− deg(a) − v)
Commutativity: D′ ⊕ D′′ = D′′ ⊕ D′
“Almost” associative:
δ(D′ ⊕ D′′) = δ(D′) + δ(D′′) − d with 0 ≤ d ≤ 2g
– p.
![Page 54: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/54.jpg)
Infra-STRUCTURER is “almost” an Abelian group under giant steps:
Closure: D′, D′′ ∈ R ⇒ D′ ⊕ D′′ ∈ R
Identity: D1 = 0 = (1, 0; 0)
Inverses: The inverse of D = (a, b; v) is−D = (a,−h − b;− deg(a) − v)
Commutativity: D′ ⊕ D′′ = D′′ ⊕ D′
“Almost” associative:
δ(D′ ⊕ D′′) = δ(D′) + δ(D′′) − d with 0 ≤ d ≤ 2g
So D ⊕ (D′ ⊕ D′′) is “close to” (D ⊕ D′) ⊕ D′′
(within 4g in distance)
– p.
![Page 55: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/55.jpg)
More on Infrastructure
– p. 10
![Page 56: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/56.jpg)
More on InfrastructureIf D = (a, b; v) ∈ R, then (a, b) determines v = −δ(D)uniquely and vice versa. So we can write D = (a, b)
– p. 10
![Page 57: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/57.jpg)
More on InfrastructureIf D = (a, b; v) ∈ R, then (a, b) determines v = −δ(D)uniquely and vice versa. So we can write D = (a, b)
Given D = (a, b) ∈ R, it is computationally infeasible tofind δ(D) — infrastructure discrete log problem
– p. 10
![Page 58: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/58.jpg)
More on InfrastructureIf D = (a, b; v) ∈ R, then (a, b) determines v = −δ(D)uniquely and vice versa. So we can write D = (a, b)
Given D = (a, b) ∈ R, it is computationally infeasible tofind δ(D) — infrastructure discrete log problem
Divisors of Fixed Distance:
– p. 10
![Page 59: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/59.jpg)
More on InfrastructureIf D = (a, b; v) ∈ R, then (a, b) determines v = −δ(D)uniquely and vice versa. So we can write D = (a, b)
Given D = (a, b) ∈ R, it is computationally infeasible tofind δ(D) — infrastructure discrete log problem
Divisors of Fixed Distance: For n ∈ [0, R), the divisorD(n) ∈ R below n is the divisor Di ∈ R such that
δi ≤ n < δi+1
– p. 10
![Page 60: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/60.jpg)
More on InfrastructureIf D = (a, b; v) ∈ R, then (a, b) determines v = −δ(D)uniquely and vice versa. So we can write D = (a, b)
Given D = (a, b) ∈ R, it is computationally infeasible tofind δ(D) — infrastructure discrete log problem
Divisors of Fixed Distance: For n ∈ [0, R), the divisorD(n) ∈ R below n is the divisor Di ∈ R such that
δi ≤ n < δi+1
Key Point: n D(n) easy, D δ(D) hard
– p. 10
![Page 61: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/61.jpg)
Key Agreement in R
– p. 11
![Page 62: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/62.jpg)
Key Agreement in R
(S.-Stein-Williams 1996) Alice and Bob agree on a realhyperelliptic curve C over a finite field Fq with regulator R
– p. 11
![Page 63: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/63.jpg)
Key Agreement in R
(S.-Stein-Williams 1996) Alice and Bob agree on a realhyperelliptic curve C over a finite field Fq with regulator R
Alice Bob
1. Generates m ∈R ]1, R[ Generates n ∈R ]1, R[
// Fixed base scenario //2. Sends D(m) to Bob Sends D(n) to Alice
// Variable base scenario //3. Computes D(nm) Computes D(mn)
from D(n) and m from D(m) and n
– p. 11
![Page 64: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/64.jpg)
Key Agreement in R
(S.-Stein-Williams 1996) Alice and Bob agree on a realhyperelliptic curve C over a finite field Fq with regulator R
Alice Bob
1. Generates m ∈R ]1, R[ Generates n ∈R ]1, R[
// Fixed base scenario //2. Sends D(m) to Bob Sends D(n) to Alice
// Variable base scenario //3. Computes D(nm) Computes D(mn)
from D(n) and m from D(m) and n
The secret is K = D(mn)
– p. 11
![Page 65: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/65.jpg)
Key Agreement in R
(S.-Stein-Williams 1996) Alice and Bob agree on a realhyperelliptic curve C over a finite field Fq with regulator R
Alice Bob
1. Generates m ∈R ]1, R[ Generates n ∈R ]1, R[
// Fixed base scenario //2. Sends D(m) to Bob Sends D(n) to Alice
// Variable base scenario //3. Computes D(nm) Computes D(mn)
from D(n) and m from D(m) and n
The secret is K = D(mn)
Same size key space and security as imaginary scenario,but slower – as this simply mimics real Jacobian arithmetic
– p. 11
![Page 66: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/66.jpg)
Non-Adjacent Form
– p. 12
![Page 67: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/67.jpg)
Non-Adjacent FormUseful for scalar multiplication in groups where computinginverses is cheap (note: D = (a, b) ⇒ −D = (a,−h − b))
– p. 12
![Page 68: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/68.jpg)
Non-Adjacent FormUseful for scalar multiplication in groups where computinginverses is cheap (note: D = (a, b) ⇒ −D = (a,−h − b))
The non-adjacent form of n ∈ N is n =l
∑
i=0
bi2l−i
b0 = 1, bi ∈ {±1, 0}, no two consecutive bi are non-zero
– p. 12
![Page 69: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/69.jpg)
Non-Adjacent FormUseful for scalar multiplication in groups where computinginverses is cheap (note: D = (a, b) ⇒ −D = (a,−h − b))
The non-adjacent form of n ∈ N is n =l
∑
i=0
bi2l−i
b0 = 1, bi ∈ {±1, 0}, no two consecutive bi are non-zero
Idea: 2i+1 + 2i = 2i+2 − 2i
– p. 12
![Page 70: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/70.jpg)
Non-Adjacent FormUseful for scalar multiplication in groups where computinginverses is cheap (note: D = (a, b) ⇒ −D = (a,−h − b))
The non-adjacent form of n ∈ N is n =l
∑
i=0
bi2l−i
b0 = 1, bi ∈ {±1, 0}, no two consecutive bi are non-zero
Idea: 2i+1 + 2i = 2i+2 − 2i
Properties
– p. 12
![Page 71: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/71.jpg)
Non-Adjacent FormUseful for scalar multiplication in groups where computinginverses is cheap (note: D = (a, b) ⇒ −D = (a,−h − b))
The non-adjacent form of n ∈ N is n =l
∑
i=0
bi2l−i
b0 = 1, bi ∈ {±1, 0}, no two consecutive bi are non-zero
Idea: 2i+1 + 2i = 2i+2 − 2i
Properties
For any n ∈ N, NAF exists and is unique
– p. 12
![Page 72: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/72.jpg)
Non-Adjacent FormUseful for scalar multiplication in groups where computinginverses is cheap (note: D = (a, b) ⇒ −D = (a,−h − b))
The non-adjacent form of n ∈ N is n =l
∑
i=0
bi2l−i
b0 = 1, bi ∈ {±1, 0}, no two consecutive bi are non-zero
Idea: 2i+1 + 2i = 2i+2 − 2i
Properties
For any n ∈ N, NAF exists and is unique2l+1 < 3n < 2l+2, so NAF length is at most one morethan the binary length of n
– p. 12
![Page 73: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/73.jpg)
Non-Adjacent FormUseful for scalar multiplication in groups where computinginverses is cheap (note: D = (a, b) ⇒ −D = (a,−h − b))
The non-adjacent form of n ∈ N is n =l
∑
i=0
bi2l−i
b0 = 1, bi ∈ {±1, 0}, no two consecutive bi are non-zero
Idea: 2i+1 + 2i = 2i+2 − 2i
Properties
For any n ∈ N, NAF exists and is unique2l+1 < 3n < 2l+2, so NAF length is at most one morethan the binary length of nOnly 1/3 of all the digits is expected to be non-zero (asopposed to 1/2 of the ordinary bits of n)
– p. 12
![Page 74: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/74.jpg)
Non-Adjacent FormUseful for scalar multiplication in groups where computinginverses is cheap (note: D = (a, b) ⇒ −D = (a,−h − b))
The non-adjacent form of n ∈ N is n =l
∑
i=0
bi2l−i
b0 = 1, bi ∈ {±1, 0}, no two consecutive bi are non-zero
Idea: 2i+1 + 2i = 2i+2 − 2i
Properties
For any n ∈ N, NAF exists and is unique2l+1 < 3n < 2l+2, so NAF length is at most one morethan the binary length of nOnly 1/3 of all the digits is expected to be non-zero (asopposed to 1/2 of the ordinary bits of n)NAF is easily computable (almost for free)
– p. 12
![Page 75: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/75.jpg)
Scalar Multiplication in J
– p. 13
![Page 76: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/76.jpg)
Scalar Multiplication in J
Input: a reduced divisor D and a scalar n =
l∑
i=0
bi2l−i in NAF
– p. 13
![Page 77: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/77.jpg)
Scalar Multiplication in J
Input: a reduced divisor D and a scalar n =
l∑
i=0
bi2l−i in NAF
Output: the reduced divisor Red(nD)
– p. 13
![Page 78: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/78.jpg)
Scalar Multiplication in J
Input: a reduced divisor D and a scalar n =
l∑
i=0
bi2l−i in NAF
Output: the reduced divisor Red(nD)
Algorithm:
1. Set E = D
2. For i = 1 to l do// Double Replace E by E ⊕ E
// Add If bi = 1, replace E by E ⊕ DIf bi = −1, replace E by E ⊕ (−D)
3. Output E
– p. 13
![Page 79: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/79.jpg)
Scalar Multiplication in J
Input: a reduced divisor D and a scalar n =
l∑
i=0
bi2l−i in NAF
Output: the reduced divisor Red(nD)
Algorithm:
1. Set E = D
2. For i = 1 to l do// Double Replace E by E ⊕ E
// Add If bi = 1, replace E by E ⊕ DIf bi = −1, replace E by E ⊕ (−D)
3. Output E
l doubles, l/3 adds
– p. 13
![Page 80: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/80.jpg)
Variable Base Scalar Mult. in R
– p. 14
![Page 81: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/81.jpg)
Variable Base Scalar Mult. in R
Input: D ∈ R and n =∑
bi2l−i in NAF
– p. 14
![Page 82: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/82.jpg)
Variable Base Scalar Mult. in R
Input: D ∈ R and n =∑
bi2l−i in NAF
Output: The divisor E below nδ(D)
– p. 14
![Page 83: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/83.jpg)
Variable Base Scalar Mult. in R
Input: D ∈ R and n =∑
bi2l−i in NAF
Output: The divisor E below nδ(D)Algorithm:
1. Set E = D2. For i = 1 to l do
// Double Replace E by E ⊕ E// Adjust Replace E by D(2δ(E))If bi 6= 0 then
If bi = 1, set D′ = DIf bi = −1, set D′ = −D// Add replace E by E ⊕ D′
// Adjust Replace E by D(δ(E) + δ(D′))3. Output E
– p. 14
![Page 84: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/84.jpg)
Variable Base Scalar Mult. in R
Input: D ∈ R and n =∑
bi2l−i in NAF
Output: The divisor E below nδ(D)Algorithm:
1. Set E = D2. For i = 1 to l do
// Double Replace E by E ⊕ E// Adjust Replace E by D(2δ(E))If bi 6= 0 then
If bi = 1, set D′ = DIf bi = −1, set D′ = −D// Add replace E by E ⊕ D′
// Adjust Replace E by D(δ(E) + δ(D′))3. Output E
l doubles, l/3 adds, up to (l + l/3) · 2g = (8g/3)l baby steps
– p. 14
![Page 85: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/85.jpg)
Fixed Base Scalar Mult. in R
– p. 15
![Page 86: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/86.jpg)
Fixed Base Scalar Mult. in R
Input: n ∈ N, s = ⌊n/(g + 1)⌋ in NAF
– p. 15
![Page 87: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/87.jpg)
Fixed Base Scalar Mult. in R
Input: n ∈ N, s = ⌊n/(g + 1)⌋ in NAFOutput: The divisor D(n) ∈ R below n
– p. 15
![Page 88: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/88.jpg)
Fixed Base Scalar Mult. in R
Input: n ∈ N, s = ⌊n/(g + 1)⌋ in NAFOutput: The divisor D(n) ∈ R below n
Algorithm:
1. Compute E′ = D(s(g + 1) by calling the previousalgorithm on inputs D2 and s
2. Apply at most n − s(g + 1) baby steps to E′ to computeD(n)
3. Output E
– p. 15
![Page 89: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/89.jpg)
Fixed Base Scalar Mult. in R
Input: n ∈ N, s = ⌊n/(g + 1)⌋ in NAFOutput: The divisor D(n) ∈ R below n
Algorithm:
1. Compute E′ = D(s(g + 1) by calling the previousalgorithm on inputs D2 and s
2. Apply at most n − s(g + 1) baby steps to E′ to computeD(n)
3. Output E
one integer division with remainder
all the operations from previous algorithm
at most g baby steps
– p. 15
![Page 90: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/90.jpg)
Heuristics, Real Model
– p. 16
![Page 91: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/91.jpg)
Heuristics, Real ModelHeuristics : with probability 1 − O(q−1):
– p. 16
![Page 92: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/92.jpg)
Heuristics, Real ModelHeuristics : with probability 1 − O(q−1):
δi+1 − δi = 1 for 2 ≤ i ≤ r
– p. 16
![Page 93: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/93.jpg)
Heuristics, Real ModelHeuristics : with probability 1 − O(q−1):
δi+1 − δi = 1 for 2 ≤ i ≤ r
δ(D′ ⊕ D′′) = δ(D′) + δ(D′′) − ⌈g/2⌉
– p. 16
![Page 94: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/94.jpg)
Heuristics, Real ModelHeuristics : with probability 1 − O(q−1):
δi+1 − δi = 1 for 2 ≤ i ≤ r
δ(D′ ⊕ D′′) = δ(D′) + δ(D′′) − ⌈g/2⌉
Consequences: with probability 1 − O(q−1):
– p. 16
![Page 95: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/95.jpg)
Heuristics, Real ModelHeuristics : with probability 1 − O(q−1):
δi+1 − δi = 1 for 2 ≤ i ≤ r
δ(D′ ⊕ D′′) = δ(D′) + δ(D′′) − ⌈g/2⌉
Consequences: with probability 1 − O(q−1):
If Di = (ai, bi) then
deg(ai) = deg(bi+1 + bi − h) − deg(ci) = (g + 1) − 1 = g
– p. 16
![Page 96: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/96.jpg)
Heuristics, Real ModelHeuristics : with probability 1 − O(q−1):
δi+1 − δi = 1 for 2 ≤ i ≤ r
δ(D′ ⊕ D′′) = δ(D′) + δ(D′′) − ⌈g/2⌉
Consequences: with probability 1 − O(q−1):
If Di = (ai, bi) then
deg(ai) = deg(bi+1 + bi − h) − deg(ci) = (g + 1) − 1 = g
Relative distances (distance advancements) for bothbaby steps and giant steps are known and need nolonger be kept track of
– p. 16
![Page 97: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/97.jpg)
Improvements, Infrastructure
– p. 17
![Page 98: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/98.jpg)
Improvements, InfrastructureVariable Base Scenario
– p. 17
![Page 99: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/99.jpg)
Improvements, InfrastructureVariable Base Scenario
Eliminate all adjustment steps, at the expense ofd = ⌈g/2⌉ baby steps at the beginning (independent ofthe NAF length l of the scalars m,n)
– p. 17
![Page 100: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/100.jpg)
Improvements, InfrastructureVariable Base Scenario
Eliminate all adjustment steps, at the expense ofd = ⌈g/2⌉ baby steps at the beginning (independent ofthe NAF length l of the scalars m,n)
Fixed Base Scenario
– p. 17
![Page 101: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/101.jpg)
Improvements, InfrastructureVariable Base Scenario
Eliminate all adjustment steps, at the expense ofd = ⌈g/2⌉ baby steps at the beginning (independent ofthe NAF length l of the scalars m,n)
Fixed Base Scenario
Replace all adds by baby steps
– p. 17
![Page 102: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/102.jpg)
Improvements, InfrastructureVariable Base Scenario
Eliminate all adjustment steps, at the expense ofd = ⌈g/2⌉ baby steps at the beginning (independent ofthe NAF length l of the scalars m,n)
Fixed Base Scenario
Replace all adds by baby stepsEliminate all adjustment steps, at the expense of thefollowing pre-computation (g + 2 baby steps, l doubles):
D∗ with δ(D∗) = 2l(g + 1) + gd + 1 baby steps applied to D1 to obtain Dd+2
l doubles, starting with Dd+2: gets to distance2l(g + 1) + dg − d baby steps
Dd+3 with δd+3 = d + g + 2: one baby step from Dd+2
– p. 17
![Page 103: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/103.jpg)
Improvements, Variable Base
– p. 18
![Page 104: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/104.jpg)
Improvements, Variable BaseInput: D ∈ R, n =
∑
bi2l−i in NAF
– p. 18
![Page 105: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/105.jpg)
Improvements, Variable BaseInput: D ∈ R, n =
∑
bi2l−i in NAF
Output: The divisor E ∈ R of distance nδ(D) + d
– p. 18
![Page 106: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/106.jpg)
Improvements, Variable BaseInput: D ∈ R, n =
∑
bi2l−i in NAF
Output: The divisor E ∈ R of distance nδ(D) + dAlgorithm:1. E1 = D2. For i = 1 to d − 1 do // d − 1 baby steps
Replace Ei by Ei+1
3. // Now Ei = Ed Set D′ = Ei, D′′ = Ei+1, E = Ei+1
4. For i = 1 to l do// Double Replace E by E ⊕ E// Add If bi = 1, replace E by E ⊕ D′′
If bi = −1 and g is even, replace E by E ⊕D′′
If bi = −1 and g is odd, replace E by E ⊕ D′
5. Output E
– p. 18
![Page 107: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/107.jpg)
Improvements, Variable BaseInput: D ∈ R, n =
∑
bi2l−i in NAF
Output: The divisor E ∈ R of distance nδ(D) + dAlgorithm:1. E1 = D2. For i = 1 to d − 1 do // d − 1 baby steps
Replace Ei by Ei+1
3. // Now Ei = Ed Set D′ = Ei, D′′ = Ei+1, E = Ei+1
4. For i = 1 to l do// Double Replace E by E ⊕ E// Add If bi = 1, replace E by E ⊕ D′′
If bi = −1 and g is even, replace E by E ⊕D′′
If bi = −1 and g is odd, replace E by E ⊕ D′
5. Output E
l doubles, l/3 adds, d baby steps
– p. 18
![Page 108: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/108.jpg)
Improvements, Fixed Base
– p. 19
![Page 109: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/109.jpg)
Improvements, Fixed BasePre-Computation: D∗, Dd+3
– p. 19
![Page 110: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/110.jpg)
Improvements, Fixed BasePre-Computation: D∗, Dd+3
Input: n =∑
bi2l−i in NAF
– p. 19
![Page 111: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/111.jpg)
Improvements, Fixed BasePre-Computation: D∗, Dd+3
Input: n =∑
bi2l−i in NAF
Output: The divisor E = D(n) ∈ R of distance n
– p. 19
![Page 112: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/112.jpg)
Improvements, Fixed BasePre-Computation: D∗, Dd+3
Input: n =∑
bi2l−i in NAF
Output: The divisor E = D(n) ∈ R of distance nAlgorithm:
1. Set E = Dd+3
2. For i = 1 to l do// Double Replace E by E ⊕ E// Baby Step If bi = 1 then apply a baby step to E
If bi = −1 then apply a backwardbaby step to E
3. // Now at distance 2l+1 + n + dCompute D = E ⊕ (−D∗)
4. Output D
– p. 19
![Page 113: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/113.jpg)
Improvements, Fixed BasePre-Computation: D∗, Dd+3
Input: n =∑
bi2l−i in NAF
Output: The divisor E = D(n) ∈ R of distance nAlgorithm:
1. Set E = Dd+3
2. For i = 1 to l do// Double Replace E by E ⊕ E// Baby Step If bi = 1 then apply a baby step to E
If bi = −1 then apply a backwardbaby step to E
3. // Now at distance 2l+1 + n + dCompute D = E ⊕ (−D∗)
4. Output D
l doubles, one add, l/3 baby steps
– p. 19
![Page 114: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/114.jpg)
Analysis
– p. 20
![Page 115: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/115.jpg)
Analysis
Operation Count Doubles Adds Baby StepsImaginary l l/3 −
Real, Variable Base l l/3 d
Real, Fixed Base l 1 l/3
– p. 20
![Page 116: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/116.jpg)
Analysis
Operation Count Doubles Adds Baby StepsImaginary l l/3 −
Real, Variable Base l l/3 d
Real, Fixed Base l 1 l/3
Naive Analysis:
– p. 20
![Page 117: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/117.jpg)
Analysis
Operation Count Doubles Adds Baby StepsImaginary l l/3 −
Real, Variable Base l l/3 d
Real, Fixed Base l 1 l/3
Naive Analysis:
Real variable base scenario has about the same speedas imaginary model (neglecting the cost of baby steps)
– p. 20
![Page 118: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/118.jpg)
Analysis
Operation Count Doubles Adds Baby StepsImaginary l l/3 −
Real, Variable Base l l/3 d
Real, Fixed Base l 1 l/3
Naive Analysis:
Real variable base scenario has about the same speedas imaginary model (neglecting the cost of baby steps)Real model fixed base scenario is about 25 percentfaster than imaginary model (factor 3/4)
– p. 20
![Page 119: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/119.jpg)
Analysis
Operation Count Doubles Adds Baby StepsImaginary l l/3 −
Real, Variable Base l l/3 d
Real, Fixed Base l 1 l/3
Naive Analysis:
Real variable base scenario has about the same speedas imaginary model (neglecting the cost of baby steps)Real model fixed base scenario is about 25 percentfaster than imaginary model (factor 3/4)Key agreement is about 12.5 percent faster (factor 7/8)
– p. 20
![Page 120: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/120.jpg)
Analysis
Operation Count Doubles Adds Baby StepsImaginary l l/3 −
Real, Variable Base l l/3 d
Real, Fixed Base l 1 l/3
Naive Analysis:
Real variable base scenario has about the same speedas imaginary model (neglecting the cost of baby steps)Real model fixed base scenario is about 25 percentfaster than imaginary model (factor 3/4)Key agreement is about 12.5 percent faster (factor 7/8)
Supported by numerical data, but not quite fair comparison:imaginary model could use a “point” divisor D = P −∞ asbase divisor (Katagi, Kitamura, Akishita & Takagi 2005)
– p. 20
![Page 121: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/121.jpg)
Discrete Logarithm Problem
– p. 21
![Page 122: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/122.jpg)
Discrete Logarithm Problem
Imaginary Model – Jacobian DLP
– p. 21
![Page 123: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/123.jpg)
Discrete Logarithm Problem
Imaginary Model – Jacobian DLP
Given a reduced divisor D and the reduced divisor inthe divisor class of nD, find n
– p. 21
![Page 124: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/124.jpg)
Discrete Logarithm Problem
Imaginary Model – Jacobian DLP
Given a reduced divisor D and the reduced divisor inthe divisor class of nD, find n
Real Model – Infrastructure DLP
– p. 21
![Page 125: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/125.jpg)
Discrete Logarithm Problem
Imaginary Model – Jacobian DLP
Given a reduced divisor D and the reduced divisor inthe divisor class of nD, find n
Real Model – Infrastructure DLP
Given a divisor D ∈ R and the divisor E ∈ R belownδ(D), find n
– p. 21
![Page 126: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/126.jpg)
Discrete Logarithm Problem
Imaginary Model – Jacobian DLP
Given a reduced divisor D and the reduced divisor inthe divisor class of nD, find n
Real Model – Infrastructure DLP
Given a divisor D ∈ R and the divisor E ∈ R belownδ(D), find n
Given the divisor D(n) ∈ R below n, find suitable n
– p. 21
![Page 127: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/127.jpg)
Discrete Logarithm Problem
Imaginary Model – Jacobian DLP
Given a reduced divisor D and the reduced divisor inthe divisor class of nD, find n
Real Model – Infrastructure DLP
Given a divisor D ∈ R and the divisor E ∈ R belownδ(D), find n
Given the divisor D(n) ∈ R below n, find suitable n
Given a divisor D ∈ R, find δ(D)
– p. 21
![Page 128: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/128.jpg)
Discrete Logarithm Problem
Imaginary Model – Jacobian DLP
Given a reduced divisor D and the reduced divisor inthe divisor class of nD, find n
Real Model – Infrastructure DLP
Given a divisor D ∈ R and the divisor E ∈ R belownδ(D), find n
Given the divisor D(n) ∈ R below n, find suitable n
Given a divisor D ∈ R, find δ(D)
Given a reduced principal ideal in the coordinate ring ofC, find a generator (Principal Ideal Problem)
– p. 21
![Page 129: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/129.jpg)
Discrete Logarithm Problem
Imaginary Model – Jacobian DLP
Given a reduced divisor D and the reduced divisor inthe divisor class of nD, find n
Real Model – Infrastructure DLP
Given a divisor D ∈ R and the divisor E ∈ R belownδ(D), find n
Given the divisor D(n) ∈ R below n, find suitable n
Given a divisor D ∈ R, find δ(D)
Given a reduced principal ideal in the coordinate ring ofC, find a generator (Principal Ideal Problem)
Security of both DLPs seems to be the same – exponential
– p. 21
![Page 130: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/130.jpg)
Summary and Further Research
– p. 22
![Page 131: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/131.jpg)
Summary and Further ResearchIdea: Replace giant steps by baby steps where possible
– p. 22
![Page 132: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/132.jpg)
Summary and Further ResearchIdea: Replace giant steps by baby steps where possible
Present and Future Work
– p. 22
![Page 133: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/133.jpg)
Summary and Further ResearchIdea: Replace giant steps by baby steps where possible
Present and Future Work
NUCOMP – exact operation count and comparison withCantor giant steps
– p. 22
![Page 134: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/134.jpg)
Summary and Further ResearchIdea: Replace giant steps by baby steps where possible
Present and Future Work
NUCOMP – exact operation count and comparison withCantor giant steps
Explicit formulas for low genus giant steps, real model
– p. 22
![Page 135: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/135.jpg)
Summary and Further ResearchIdea: Replace giant steps by baby steps where possible
Present and Future Work
NUCOMP – exact operation count and comparison withCantor giant steps
Explicit formulas for low genus giant steps, real model
Explicit formulas for low genus giant steps, based onNUCOMP, both models
– p. 22
![Page 136: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/136.jpg)
Summary and Further ResearchIdea: Replace giant steps by baby steps where possible
Present and Future Work
NUCOMP – exact operation count and comparison withCantor giant steps
Explicit formulas for low genus giant steps, real model
Explicit formulas for low genus giant steps, based onNUCOMP, both models
Use the baby step giant step framework to to speed upthe DLP in R or in J ? And to find R or |J |?
– p. 22
![Page 137: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/137.jpg)
Summary and Further ResearchIdea: Replace giant steps by baby steps where possible
Present and Future Work
NUCOMP – exact operation count and comparison withCantor giant steps
Explicit formulas for low genus giant steps, real model
Explicit formulas for low genus giant steps, based onNUCOMP, both models
Use the baby step giant step framework to to speed upthe DLP in R or in J ? And to find R or |J |?
Structural relationship between R and J ?
– p. 22
![Page 138: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/138.jpg)
Summary and Further ResearchIdea: Replace giant steps by baby steps where possible
Present and Future Work
NUCOMP – exact operation count and comparison withCantor giant steps
Explicit formulas for low genus giant steps, real model
Explicit formulas for low genus giant steps, based onNUCOMP, both models
Use the baby step giant step framework to to speed upthe DLP in R or in J ? And to find R or |J |?
Structural relationship between R and J ?
Special types of curves?
– p. 22
![Page 139: Real Hyperelliptic Curves - Fields InstituteReal Hyperelliptic Curves Renate Scheidler rscheidl@math.ucalgary.ca Centrefor Information Security nd Cryptography Centrefor Information](https://reader036.vdocuments.us/reader036/viewer/2022081619/60fa8cd802f3df5a927a24bc/html5/thumbnails/139.jpg)
Some General References1. H. Cohen, G. Frey, R. Avanzi, C. Doche, T. Lange, K. Nguyen and F. Vercouteren,
Handbook of Elliptic and Hyperelliptic Curve Cryptography, Chapman & Hall/CRC,Boca Raton (Florida), 2006
2. M. J. Jacobson, Jr., A. J. Menezes and A. Stein, Hyperelliptic curves and cryptography,in High Primes and Misdemeanors: Lectures in Honour of the 60th Birthday of HughCowie Williams, Fields Institute Communications 41, American Mathematical Society,Providence (Rhode Island) 2004, 255-282
3. M. J. Jacobson, Jr., R. Scheidler and A. Stein, Cryptographic protocols on realhyperelliptic curves. Advances in Mathematics of Communications 1 (2007), 197-221
4. M. J. Jacobson, Jr., R. Scheidler and A. Stein, Fast arithmetic on hyperelliptic curvesvia continued fraction expansions. Advances in Coding Theory and Cryptology, Serieson Coding Theory and Cryptology 2, World Scientific Publishing Co. Pte. Ltd.,Hackensack (New Jersey) 2007, 201-244
5. A. J. Menezes, Y.-H. Wu and R. J. Zuccherato, An elementary introduction tohyperelliptic curves, in Algebraic Aspects of Cryptography, Algorithms andComputation in Mathematics 3, Springer, Berlin (Germany) 1998, 155-178
6. R. Scheidler, A. Stein and H. C. Williams, Key exchange in real quadratic congruencefunction fields. Designs, Codes and Cryptography 7 (1996), 153-174
– p. 23