Aspects of Hyperelliptic Curves over Large Prime Fields in Software Implementations

We present an implementation of elliptic curves and of hyperelliptic curves of genus 2 and 3 over prime fields. To achieve a fair comparison between the different types of groups, we developed an ad-hoc arithmetic library, designed to remove most of the overheads that penalize implementations of curve-based cryptography over prime fields. These overheads get worse for smaller fields, and thus for larger genera for a fixed group size. We also use techniques for delaying modular reductions to reduce the amount of modular reductions in the formulae for the group operations. The result is that the performance of hyperelliptic curves of genus 2 over prime fields is much closer to the performance of elliptic curves than previously thought. For groups of 192 and 256 bits the difference is about 14% and 15% respectively.
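The delayed-reduction idea mentioned in the abstract, shown as an added example that is not code from the paper: a sum of two products is accumulated at double width and reduced once instead of once per product. The single-word modulus 2^61 - 1, the use of Montgomery reduction, and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

typedef unsigned __int128 u128;

/* Constructed sample field: P = 2^61 - 1 fits one word (the paper's fields are multi-word). */
static const uint64_t P = 2305843009213693951ULL;
static unsigned redc_calls = 0;   /* counts modular reductions performed */

/* -P^{-1} mod 2^64 via Newton iteration; x = P is already correct to 3 bits for odd P. */
static uint64_t neg_inv(void) {
    uint64_t x = P;
    for (int i = 0; i < 5; i++) x *= 2 - P * x;   /* 3 -> 6 -> 12 -> 24 -> 48 -> 96 bits */
    return 0 - x;
}

/* Montgomery reduction: returns t * 2^-64 mod P, valid for any t < P * 2^64. */
static uint64_t redc(u128 t) {
    uint64_t m = (uint64_t)t * neg_inv();
    uint64_t r = (uint64_t)((t + (u128)m * P) >> 64);   /* low word cancels exactly */
    redc_calls++;
    return r >= P ? r - P : r;
}

/* Conversion into and out of Montgomery form (a * 2^64 mod P). */
static uint64_t to_mont(uint64_t a) {
    uint64_t r1 = (uint64_t)(((u128)1 << 64) % P);
    return redc((u128)a * (uint64_t)((u128)r1 * r1 % P));
}
static uint64_t from_mont(uint64_t a) { return redc(a); }

/* a0*b0 + a1*b1 with one reduction per product: two reductions in total. */
static uint64_t dot2_eager(uint64_t a0, uint64_t b0, uint64_t a1, uint64_t b1) {
    uint64_t s = redc((u128)a0 * b0) + redc((u128)a1 * b1);
    return s >= P ? s - P : s;
}

/* Same value with one reduction: the double-width sum is below P * 2^64 because 2P < 2^64. */
static uint64_t dot2_lazy(uint64_t a0, uint64_t b0, uint64_t a1, uint64_t b1) {
    return redc((u128)a0 * b0 + (u128)a1 * b1);
}

int main(void) {
    uint64_t a = to_mont(3), b = to_mont(4), c = to_mont(5), d = to_mont(6);
    printf("eager=%llu lazy=%llu\n", (unsigned long long)from_mont(dot2_eager(a, b, c, d)),
           (unsigned long long)from_mont(dot2_lazy(a, b, c, d)));
    return 0;
}
```

The bound on the unreduced accumulator is what limits how many products can be summed before a reduction is required; with this modulus up to four products stay below P * 2^64.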
