Cantor versus Harley: optimization and analysis of explicit formulae for hyperelliptic curve cryptosystems

Hyperelliptic curves (HEC) look promising for cryptographic applications because of their short operand size compared to other public-key schemes. The operand sizes seem well suited for small processor architectures, where memory and speed are constrained. However, the group operation has been believed to be too complex, and thus HEC have not been used in this context so far. In recent years, a lot of effort has been made to speed up the group operation of genus-2 HEC. In this paper, we increase the efficiency of genus-2 and genus-3 hyperelliptic curve cryptosystems (HECC). For certain genus-3 curves, we can gain almost 80 percent in performance for a group doubling. This work not only improves Gaudry and Harley's algorithm, but also improves the original algorithm introduced by Cantor [1987]. Contrary to common belief, we show that for certain curves it is also practical to use Cantor's algorithm to obtain the highest efficiency for the group operation. In addition, we introduce a general reduction method for polynomials according to Karatsuba. We implemented our most efficient group operations on Pentium and ARM microprocessors.

[1] Douglas H. Wiedemann. Solving sparse linear equations over finite fields, 1986, IEEE Trans. Inf. Theory.

[2] Tanja Lange et al. Efficient Arithmetic on Genus 2 Hyperelliptic Curves over Finite Fields via Explicit Formulae, 2002, IACR Cryptol. ePrint Arch.

[3] Doré Subrao et al. The p-rank of Artin-Schreier curves, 1975.

[4] Christof Paar et al. Hyperelliptic Curve Cryptosystems: Closing the Performance Gap to Elliptic Curves, 2003, CHES.

[5] Jan Pelzl et al. Elliptic & Hyperelliptic Curves on Embedded μP, 2003.

[6] Christof Paar et al. Low Cost Security: Explicit Formulae for Genus-4 Hyperelliptic Curves, 2003, Selected Areas in Cryptography.

[7] Roberto Maria Avanzi et al. Countermeasures against Differential Power Analysis for Hyperelliptic Curve Cryptosystems, 2003, CHES.

[8] Adi Shamir et al. A method for obtaining digital signatures and public-key cryptosystems, 1978, CACM.

[9] Leonard M. Adleman et al. A subexponential algorithm for discrete logarithms over the rational subgroup of the jacobians of large genus hyperelliptic curves over finite fields, 1994, ANTS.

[10] Kazuto Matsuo et al. Fast Genus Three Hyperelliptic Curve Cryptosystems, 2002.

[11] Anatolij A. Karatsuba et al. Multiplication of Multidigit Numbers on Automata, 1963.

[12] Jasper Scholten et al. Hyperelliptic Curves in Characteristic 2, 2000.

[13] Kouichi Sakurai et al. Design of Hyperelliptic Cryptosystems in Small Characteristic and a Software Implementation over F2n, 1998, ASIACRYPT.

[14] Christof Paar et al. Hardware architectures proposed for cryptosystems based on hyperelliptic curves, 2002, 9th International Conference on Electronics, Circuits and Systems.

[15] Nigel P. Smart. On the Performance of Hyperelliptic Cryptosystems, 1999, EUROCRYPT.

[16] H. Niederreiter et al. Finite Fields: Encyclopedia of Mathematics and Its Applications, 1997.

[17] Henri Cohen et al. A course in computational algebraic number theory, 1993, Graduate texts in mathematics.

[18] Joachim von zur Gathen et al. Modern Computer Algebra, 1998.

[19] Abraham Lempel et al. On the Complexity of Multiplication in Finite Fields, 1983, Theor. Comput. Sci.

[20] Roberto Maria Avanzi et al. Aspects of Hyperelliptic Curves over Large Prime Fields in Software Implementations, 2004, CHES.

[21] N. Koblitz. Elliptic curve cryptosystems, 1987.

[22] Koh-ichi Nagao. Improving Group Law Algorithms for Jacobians of Hyperelliptic Curves, 2000, ANTS.

[23] Ian F. Blake et al. Elliptic curves in cryptography, 1999.

[24] Whitfield Diffie et al. New Directions in Cryptography, 1976, IEEE Trans. Inf. Theory.

[25] Tanja Lange. Weighted Coordinates on Genus 2 Hyperelliptic Curves, 2002, IACR Cryptol. ePrint Arch.

[26] Victor S. Miller et al. Use of Elliptic Curves in Cryptography, 1985, CRYPTO.

[27] Pierrick Gaudry et al. Algorithmique des courbes hyperelliptiques et applications à la cryptologie, 2000.

[28] G. Frey et al. A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves, 1994.

[29] Kouichi Sakurai et al. Secure Hyperelliptic Cryptosystems and Their Performances, 1998, Public Key Cryptography.

[30] D. Mumford. Tata Lectures on Theta I, 1982.

[31] Neal Koblitz et al. Algebraic aspects of cryptography, 1998, Algorithms and computation in mathematics.

[32] Christof Paar et al. Elliptic and hyperelliptic curves on embedded μP, 2004, TECS.

[33] Tanja Lange. Efficient Arithmetic on Hyperelliptic Curves, 2002, IACR Cryptol. ePrint Arch.

[34] R. Gallant et al. Improving the Parallelized Pollard Lambda Search on Binary Anomalous Curves, 1998.

[35] Shmuel Winograd. Some bilinear forms whose multiplicative complexity depends on the field of constants, 2005, Mathematical systems theory.

[36] Daniel M. Gordon et al. A Survey of Fast Exponentiation Methods, 1998, J. Algorithms.

[37] Steven D. Galbraith et al. Supersingular Curves in Cryptography, 2001, ASIACRYPT.

[38] Hans-Georg Rück et al. On the discrete logarithm in the divisor class group of curves, 1999, Math. Comput.

[39] Nicolas Thériault et al. Index Calculus Attack for Hyperelliptic Curves of Small Genus, 2003, ASIACRYPT.

[40] Tanja Lange et al. Formulae for Arithmetic on Genus 2 Hyperelliptic Curves, 2005, Applicable Algebra in Engineering, Communication and Computing.

[41] Donald E. Knuth et al. The art of computer programming. Vol. 2: Seminumerical algorithms, 1981.

[42] Donald Ervin Knuth et al. The Art of Computer Programming, 1968.

[43] P. Gaudry et al. A general framework for subexponential discrete logarithm algorithms, 2002.

[44] Andreas Enge et al. Computing discrete logarithms in high-genus hyperelliptic Jacobians in provably subexponential time, 2002, Math. Comput.

[45] Kazumaro Aoki et al. Improvements of Addition Algorithm on Genus 3 Hyperelliptic Curves and Their Implementation, 2005, IEICE Trans. Fundam. Electron. Commun. Comput. Sci.

[46] D. Cantor. Computing in the Jacobian of a hyperelliptic curve, 1987.

[47] Pierrick Gaudry et al. An Algorithm for Solving the Discrete Log Problem on Hyperelliptic Curves, 2000, EUROCRYPT.

[48] Christof Paar et al. Efficient Algorithms for Elliptic Curve Cryptosystems, 1997, CRYPTO.

[49] T. Charles Clancy et al. Genus Two Hyperelliptic Curve Coprocessor, 2002, CHES.

[50] J. Pollard et al. Monte Carlo methods for index computation (mod p), 1978.

[51] Robert Harley et al. Counting Points on Hyperelliptic Curves over Finite Fields, 2000, ANTS.

[52] Sachar Paulus. Sieving in Function Fields, 2005, Encyclopedia of Cryptography and Security.

[53] Tanja Lange et al. Efficient Doubling on Genus Two Curves over Binary Fields, 2004, Selected Areas in Cryptography.

[54] Neal Koblitz et al. A Family of Jacobians Suitable for Discrete Log Cryptosystems, 1988, CRYPTO.

[55] Tanja Lange. Inversion-Free Arithmetic on Genus 2 Hyperelliptic Curves, 2002, IACR Cryptol. ePrint Arch.

[56] Servaas Vandenberghe et al. A Fast Software Implementation for Arithmetic Operations in GF(2n), 1996, ASIACRYPT.

[57] Kouichi Sakurai et al. On the practical performance of hyperelliptic curve cryptosystems in software implementation, 2000.

[58] Neal Koblitz et al. Hyperelliptic cryptosystems, 1989, Journal of Cryptology.

[59] Thomas Josef Wollinger et al. Computer Architectures for Cryptosystems Based on Hyperelliptic Curves, 2001.

[60] Alfred Menezes et al. Handbook of Applied Cryptography, 2018.

[61] Christof Paar et al. Hyperelliptic Curve Coprocessors on a FPGA, 2004, WISA.

[62] Nigel P. Smart et al. Constructive and destructive facets of Weil descent on elliptic curves, 2002, Journal of Cryptology.

[63] Christof Paar et al. High Performance Arithmetic for Hyperelliptic Curve Cryptosystems of Genus Two, 2003, IACR Cryptol. ePrint Arch.