TY - CHAP
T1 - Arithmetic of hyperelliptic curves
AU - Duquesne, S.
AU - Lange, T.
PY - 2006
Y1 - 2006
N2 - In Chapter 1 we introduced the discrete logarithm problem and showed that the main operation in a public-key cryptosystem is the computation of scalar multiples in a cyclic group. Chapter 9 showed how the computation of scalar multiples can be reduced to a sequence of additions and doublings in the group. Hence, for an efficient system we need to have groups with efficient group laws. In Chapter 13 we detailed the arithmetic on elliptic curves. This chapter deals with hyperelliptic curves, which can be seen as a generalization of elliptic curves. We first give a brief overview of the main properties of hyperelliptic curves repeating the definitions for the convenience of the reader. The details can be found in Chapter 4 . In the applications, group elements must be stored and transmitted. For restricted environments or restricted bandwidth it might be useful to use compression
even though recovering the original coordinates needs some efforts. Accordingly, we consider compression techniques.
The main emphasis of this chapter is put on the arithmetic properties, i.e., on algorithms to perform the group operation. We state Cantor’s algorithm, which works for arbitrary ground field and genus of the curve. To obtain better performance one needs to fix the genus and develop explicit formulas as for elliptic curves (cf. Chapters 13.2 and 13.3). We first specialize to considering curves of genus 2 , separately over finite fields of odd and then of even characteristic. For both cases we give formulas for different coordinate systems, namely affine, projective, and new coordinates. The latter two systems allow us to avoid inversions in the group operation. For odd characteristic we also state two possible generalizations of Montgomery coordinates (cf. Section 13.2.3); for even characteristic there is no such generalization yet. Also for genus 3 hyperelliptic curves, explicit formulas have been proposed. We give explicit formulas in affine coordinates in Section 14.6. Also nonhyperelliptic curves of genus 3 have been proposed for cryptographic applications. The final section gives references to these publications and
also for genus 4 hyperelliptic curves before we conclude with a comparison and timings.
AB - In Chapter 1 we introduced the discrete logarithm problem and showed that the main operation in a public-key cryptosystem is the computation of scalar multiples in a cyclic group. Chapter 9 showed how the computation of scalar multiples can be reduced to a sequence of additions and doublings in the group. Hence, for an efficient system we need to have groups with efficient group laws. In Chapter 13 we detailed the arithmetic on elliptic curves. This chapter deals with hyperelliptic curves, which can be seen as a generalization of elliptic curves. We first give a brief overview of the main properties of hyperelliptic curves repeating the definitions for the convenience of the reader. The details can be found in Chapter 4 . In the applications, group elements must be stored and transmitted. For restricted environments or restricted bandwidth it might be useful to use compression
even though recovering the original coordinates needs some efforts. Accordingly, we consider compression techniques.
The main emphasis of this chapter is put on the arithmetic properties, i.e., on algorithms to perform the group operation. We state Cantor’s algorithm, which works for arbitrary ground field and genus of the curve. To obtain better performance one needs to fix the genus and develop explicit formulas as for elliptic curves (cf. Chapters 13.2 and 13.3). We first specialize to considering curves of genus 2 , separately over finite fields of odd and then of even characteristic. For both cases we give formulas for different coordinate systems, namely affine, projective, and new coordinates. The latter two systems allow us to avoid inversions in the group operation. For odd characteristic we also state two possible generalizations of Montgomery coordinates (cf. Section 13.2.3); for even characteristic there is no such generalization yet. Also for genus 3 hyperelliptic curves, explicit formulas have been proposed. We give explicit formulas in affine coordinates in Section 14.6. Also nonhyperelliptic curves of genus 3 have been proposed for cryptographic applications. The final section gives references to these publications and
also for genus 4 hyperelliptic curves before we conclude with a comparison and timings.
U2 - 10.1201/9781420034981.ch14
DO - 10.1201/9781420034981.ch14
M3 - Chapter
SN - 1-58488-518-1
T3 - Discrete Mathematics and Its Applications
SP - 303
EP - 353
BT - Handbook of Elliptic and Hyperelliptic Curve Cryptography
A2 - Cohen, H.
A2 - Frey, G.
PB - Chapman & Hall/CRC Press
CY - Boca Raton FL, USA
ER -