J. Comput. Sci. & Technol., Vol. 17, No. 6, Nov.

Selection of Secure Hyperelliptic Curves of g = 2 Based on a Subfield

ZHANG Fangguo (1), ZHANG Futai (1, 2) and WANG Yumin (1)

(1) P.O. Box 119, Key Laboratory on ISN, Xidian University, Xi'an, P.R. China
(2) College of Mathematics and Computer Science, Nanjing Normal University, Nanjing, P.R. China
E-mail: fgzh@hotmail.com

Received September 12, 2000; revised October 15.

This work is supported by the National NKBRSF '973' Program of China (Grant No. G…).

Abstract

In the implementation of hyperelliptic curve cryptosystems, a significant step is the selection of secure hyperelliptic curves on which the Jacobian is constructed. In this paper, we discuss the hyperelliptic curves of g = 2 of the forms v^2 + uv = f(u) and v^2 + v = f(u) defined over GF(2^r). The curves defined over GF(4) and GF(8) are extended to curves defined over GF(4^k) and GF(8^t) respectively, where 38 < k < 70 and 25 < t < 50. We also find all the secure curves of g = 2 that are suitable for establishing cryptosystems.

Keywords: hyperelliptic curve cryptosystems, Jacobian, subfield

1 Introduction

Since the public key cryptosystem based on elliptic curves (ECC) was proposed by Neal Koblitz [1] and Victor Miller in the mid-1980s, it has been studied for more than ten years, and it is now used in practice. ECC is based on the discrete logarithm problem on elliptic curves over finite fields. As an extension, Neal Koblitz [2] proposed the hyperelliptic curve cryptosystem (HCC) in 1989, which is based on the discrete logarithm problem on the Jacobian of hyperelliptic curves over finite fields. Cantor's algorithm [3] provides an efficient method to implement the group operation on the Jacobian of a hyperelliptic curve. At the same level of security, the underlying field of HCC is smaller than that of ECC, and almost all the standard discrete-logarithm-based protocols, such as the digital signature algorithm (DSA) and ElGamal, can be transplanted to HCC.

So it is estimated that hyperelliptic curves will be a foundation of cryptosystems for the next decade. By now, many theoretical results on elliptic curves are known; however, the known results on hyperelliptic curves are still not enough for the construction of efficient cryptosystems. For these reasons, the study of HCCs has been drawing the attention of more and more researchers in recent years. Current research on HCC concentrates on finding construction methods for secure hyperelliptic curves and on speeding up the arithmetic needed in HCCs. At present, the common method used to compute the order of the Jacobian is the Weil conjecture method. How to find a suitable hyperelliptic curve efficiently is still a major open problem in the study and implementation of HCCs. Koblitz [1] discussed hyperelliptic curves with g = 2 over GF(2), but those curves were attacked by Frey [4] and are considered insecure. Yasuyuki Sakai [5] tried to find secure hyperelliptic curves with g = 2 over GF(2), but failed. In this paper, we discuss the hyperelliptic curves of g = 2 of the form v^2 + uv = f(u) or v^2 + v = f(u). We extend the two types of curves defined over GF(4) and GF(8) to GF(4^k) and GF(8^t) respectively, and we find all the secure curves suitable for establishing cryptosystems, for 36 < k < 70 and the range of t given in the abstract.

2 Secure Hyperelliptic Curves

A hyperelliptic curve C of genus g is a curve defined over a finite field F_q (q = p^r, p prime). Its Jacobian J(C; F_{q^n}) over F_{q^n} is an abelian group, and

(\sqrt{q^n} - 1)^{2g} \le #J(C; F_{q^n}) \le (\sqrt{q^n} + 1)^{2g}.

More details can be found in [2, 6, 7]. The discrete logarithm problem in J(C; F_{q^n}) is: given two divisors D_1, D_2 in J(C; F_{q^n}), determine the integer m such that D_2 = m D_1 (if such an m exists). If the order of the Jacobian group of a hyperelliptic curve is the same as the order of the group of rational points on an elliptic curve, the security of the cryptosystems established on the two groups will be the same. From the viewpoint of complexity, the HCDLP is a problem in NP ∩ co-AM [8]. The security of an HCC is based on the difficulty of solving the discrete logarithm problem in the Jacobian of the curve. Taking into account the existing attacks on the discrete logarithm in the Jacobian of a hyperelliptic curve, to establish a secure HCC we should select the hyperelliptic curve so that its Jacobian satisfies the following conditions:

1) #J(C; F_{q^n}) should have a large prime factor, so as to prevent Shanks' baby-step giant-step and the Pohlig-Hellman method. Since the time complexity of the Pohlig-Hellman method is proportional to the square root of the largest prime factor of #J(C; F_{q^n}), it is currently demanded that this largest prime factor be at least 160 bits long.

2) To prevent the attack of Frey [4], which uses the Tate pairing generalization of the MOV attack, the large prime factor of #J(C; F_{q^n}) should not divide (q^n)^k - 1 for any k < (log q^n)^2.

3) 2g + 1 \le log q^n. Adleman, DeMarrais and Huang [9] found a subexponential-time algorithm to solve the DL in the Jacobian of hyperelliptic curves of large genus over a finite field. According to the discussion of P. Gaudry [10], it is sufficient for us to consider the case g \le 4.

4) The Jacobian of a hyperelliptic curve over a large prime field GF(p) should not have a subgroup of order p, to prevent the attack of Rück [11], which is similar to the attack on elliptic curves based on the trace of the Frobenius map.
3 Using the Weil Conjecture to Construct a Secure Jacobian

In order to construct secure hyperelliptic curve cryptosystems, we must compute the order of the Jacobian first. A hyperelliptic curve C of genus g = 2 defined over a finite field F_q has the form

v^2 + (h_2 u^2 + h_1 u + h_0) v = u^5 + f_4 u^4 + f_3 u^3 + f_2 u^2 + f_1 u + f_0,

where h_i, f_i \in F_q. We use the Weil conjecture to compute the order of the Jacobian [6], and in the following we modify the algorithm in [6].

Algorithm 1.

1) First find the discriminant condition under which the hyperelliptic curve has no singular points.

2) Go through all values of the coefficients h_i and f_i of C that satisfy it, and compute the numbers of rational points M_1 and M_2 of the hyperelliptic curve over F_q on F_q and F_{q^2}.

3) Compute a_1 = M_1 - 1 - q and a_2 = (M_2 - 1 - q^2 + a_1^2)/2.

4) Compute the numerator P(x) = x^4 + a_1 x^3 + a_2 x^2 + q a_1 x + q^2 of the zeta function. From the Weil conjecture method of computing orders, #J(C; F_{q^n}) is completely determined by P(x), so curves defined over F_q with the same (M_1, M_2) have the same #J(C; F_{q^n}). For this reason, we treat the Jacobians of hyperelliptic curves with the same (M_1, M_2) defined over F_q as isomorphic, since they have the same order. In the results of the computation above, we list all the (M_1, M_2) and (a_1, a_2) corresponding to different P(x).

5) For each pair (M_1, M_2), decide whether P(x) is irreducible; if it is reducible, proceed to the next pair (M_1, M_2).

6) Solve the quartic equation P(x) = 0 over the complex numbers and obtain the roots \alpha_1, \alpha_2, \alpha_3, \alpha_4.

7) For each n with gcd(n, r) = 1, compute N_n = |1 - \alpha_1^n| |1 - \alpha_2^n| |1 - \alpha_3^n| |1 - \alpha_4^n|, where N_n is #J(C; F_{q^n}) and |·| denotes the absolute value for real numbers and the modulus for complex numbers.

8) Factor N_n and check whether it has a prime factor of about 44 decimal digits or more; if not, return to 5).

9) Verify the FR condition deduced from the Frey check, that is, check that the prime factor obtained in 8) does not divide (q^n)^s - 1 for s < (log q^n)^2.

10) Output (M_1, M_2), n, N_n and the result of the factorization.
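The following Python program is an added worked example; it is not part of the paper and not the authors' C or Mathematica code. It carries out Steps 2)-4) and 7)-9) of Algorithm 1 for curves v^2 + h(u)v = f(u) over GF(4): M_1 and M_2 are counted by exhaustive enumeration over GF(4) and GF(16) (GF(4) is embedded into GF(16) through a root of w^2 + w + 1 there), P(x) is formed from (M_1, M_2), and N_n = #J(C; GF(4^n)) is computed exactly from the power sums of the roots of P(x), using the genus-2 identity N_n = (M_n^2 + M_{2n})/2 - q^n, rather than from floating-point roots as in Step 7). Step 8) is approximated: small factors are removed by trial division and the cofactor is tested with Miller-Rabin, so a composite cofactor is reported as unresolved instead of being factored, which can only make the selection more conservative than the paper's full factorization. The FR check uses the paper's bound s = 2000. All function and variable names are the example's own; the inputs are the rows (01000) and (01200) of Table 1, whose M_1, M_2 and P(x) the program reproduces.

```python
# Added worked example, not code from the paper: Steps 2-4 and 7-9 of Algorithm 1 for genus-2
# curves v^2 + h(u)v = f(u) over GF(4), with #J(C; F_{q^n}) obtained exactly from P(x).
from math import gcd

def gf_mul(a, b, m, poly):
    """a*b in GF(2^m) on integer bit-vectors; poly is the reduction polynomial (bit m set)."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        b, a = b >> 1, a << 1
        a ^= poly if a >> m else 0
    return r

GF4 = (2, 0b111)     # GF(4) = F2[w]/(w^2 + w + 1); the paper's digits 0,1,2,3 are 0, 1, w, w^2 = w + 1
GF16 = (4, 0b10011)  # GF(16) = F2[b]/(b^4 + b + 1)

def embed_gf4_into_gf16(a):
    """Send a = a0 + a1*w in GF(4) to a0 + a1*z in GF(16), z being a root of w^2 + w + 1 there."""
    m, poly = GF16
    z = next(x for x in range(1, 1 << m) if gf_mul(x, x, m, poly) ^ x ^ 1 == 0)
    return (a & 1) ^ (z if a >> 1 else 0)

def count_points(coeffs, h_is_u, field):
    """M = #C(F): points (u, v) of v^2 + h(u)v = u^5 + f4 u^4 + ... + f0 (h = u or 1) plus infinity."""
    m, poly = field
    count = 1                                        # the single point at infinity (deg f odd)
    for u in range(1 << m):
        fu = 1                                       # Horner evaluation of the monic quintic f
        for c in reversed(coeffs):                   # coeffs = (f0, f1, f2, f3, f4)
            fu = gf_mul(fu, u, m, poly) ^ c
        h = u if h_is_u else 1
        count += sum(1 for v in range(1 << m) if gf_mul(v, v, m, poly) ^ gf_mul(h, v, m, poly) == fu)
    return count

def point_counts_gf4(digits, h_is_u):
    """(M1, M2) for a curve written as in the paper's tables, e.g. "01200" = (f0 f1 f2 f3 f4)."""
    c4 = tuple(int(d) for d in digits)
    c16 = tuple(embed_gf4_into_gf16(c) for c in c4)
    return count_points(c4, h_is_u, GF4), count_points(c16, h_is_u, GF16)

def frobenius_poly(M1, M2, q):
    """Steps 3-4: P(x) = x^4 + a1 x^3 + a2 x^2 + q a1 x + q^2, returned as [1, a1, a2, q*a1, q^2]."""
    a1 = M1 - 1 - q
    a2 = (M2 - 1 - q * q + a1 * a1) // 2
    return [1, a1, a2, q * a1, q * q]

def power_sums(P, kmax):
    """s_k = alpha_1^k + ... + alpha_4^k for the roots of P, by Newton's identities (exact integers)."""
    c, s = P[1:], [4]
    for k in range(1, kmax + 1):
        val = -sum(c[j - 1] * s[k - j] for j in range(1, min(k, 4) + 1))
        if k <= 4:
            val += (4 - k) * c[k - 1]                # Newton's identity has k*c_k, not s_0*c_k
        s.append(val)
    return s

def jacobian_order(P, q, n):
    """Step 7 exactly: prod(1 - alpha_i^n) = (M_n^2 + M_{2n})/2 - q^n, with M_k = q^k + 1 - s_k."""
    s = power_sums(P, 2 * n)
    Mn, M2n = q**n + 1 - s[n], q**(2 * n) + 1 - s[2 * n]
    return (Mn * Mn + M2n) // 2 - q**n

def is_probable_prime(n):
    """Miller-Rabin with fixed small bases (deterministic below 3.3e24, probabilistic above)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % p == 0 for p in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(r - 1)):
            return False
    return True

def large_prime_factor(N, trial_bound=100_000):
    """Step 8, cheaply: strip primes up to trial_bound; return the cofactor if it is a probable prime
    (the largest small factor if nothing is left), None if composite; the paper factored N_n fully."""
    cofactor, largest, d = N, 1, 2
    while d <= trial_bound and d * d <= cofactor:
        while cofactor % d == 0:
            cofactor, largest = cofactor // d, d
        d += 1 if d == 2 else 2
    if cofactor == 1:
        return largest
    return cofactor if is_probable_prime(cofactor) else None

def passes_fr_check(p, q, n, s_max=2000):
    """Step 9 with the paper's bound s = 2000: p must not divide (q^n)^s - 1 for any s <= s_max."""
    qn = pow(q, n, p)
    return all(pow(qn, s, p) != 1 for s in range(1, s_max + 1))

def select_secure_degrees(P, q, r, n_range, min_digits=44, s_max=2000):
    """Steps 7-9 for n with gcd(n, r) = 1 (q = p^r): keep n whose N_n has a (probable) prime
    factor of at least min_digits decimal digits that passes the FR check."""
    secure = []
    for n in (n for n in n_range if gcd(n, r) == 1):
        p = large_prime_factor(jacobian_order(P, q, n))
        if p is not None and len(str(p)) >= min_digits and passes_fr_check(p, q, n, s_max):
            secure.append(n)
    return secure

if __name__ == "__main__":                       # the (01200) row of Table 1: M1 = 6, M2 = 24
    P = frobenius_poly(*point_counts_gf4("01200", True), 4)
    print(P, select_secure_degrees(P, 4, 2, range(39, 70)))
```

Run as a script, it prints P(x) = x^4 + x^3 + 4x^2 + 4x + 16 for the curve (01200) and the odd extension degrees in 39..69 it can certify. A degree that the paper lists as secure but that is missing from this output is one whose cofactor the trial-division shortcut could not resolve, not evidence against the paper's factorization.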

We complete Steps 1)-4) of the algorithm in C and output the result to a file, and we complete Steps 5)-10) in Mathematica, because Mathematica supports symbolic computation. With respect to hyperelliptic curves of the form v^2 + h(u)v = f(u), it is easy to see that the simpler the polynomial h(u), the simpler the group operation on the Jacobian, and hence the more efficient its implementation. By Lemma 2 of [7], in the equation of a hyperelliptic curve over a finite field of characteristic 2 we have h(u) \ne 0. So we choose h(u) = 1 and h(u) = u over GF(2^n).

4 Computation Results

4.1 Curves v^2 + uv = f(u) over GF(4)

The discriminant condition for the hyperelliptic curve v^2 + uv = u^5 + f_4 u^4 + f_3 u^3 + f_2 u^2 + f_1 u + f_0 to have no singular points is f_0 \ne f_1^2. There are 768 curves of the form v^2 + uv = f(u) over GF(4), and by our computation there are 6 types of curves with different Jacobians. Since the M_1 and M_2 of each curve completely determine its Jacobian, we treat curves with the same M_1 and M_2 as isomorphic. In the following table, (f_0 f_1 f_2 f_3 f_4) represents the hyperelliptic curve v^2 + uv = u^5 + f_4 u^4 + f_3 u^3 + f_2 u^2 + f_1 u + f_0. Extending the hyperelliptic curves of the form v^2 + uv = f(u) over GF(4) to curves over GF(4^n), where 38 < n < 70, we get some secure hyperelliptic curves (we consider only the case where P(x) is irreducible over the rational number field, since from the discussion of Koblitz [3] we know that the order of the Jacobian has no such prime factor if P(x) is reducible over the rationals). The results are also listed in the table.

Table 1. Computation Results of Hyperelliptic Curves of the Form v^2 + uv = f(u) over GF(4)
(Columns: (M_1, M_2); example curve (f_0 f_1 f_2 f_3 f_4); P(x) and its reducibility over the rational number field; number of curves; extension degrees n for which there exist secure curves. "//" marks reducible P(x), which are not extended; entries missing in the source are left blank or shown as "…".)

(M_1, M_2) | example | P(x) | reducibility | curves | secure n
(4, 24) | (01000) | x^4 - x^3 + 4x^2 - 4x + 16 | irreducible | 96 | none
(8, 24) | (12012) | x^4 + 3x^3 + 8x^2 + 12x + 16 | reducible | 96 | //
(4, 16) | (01002) | x^4 - x^3 - 4x + 16 | irreducible | | …, 61, 67
(6, 24) | (01200) | x^4 + x^3 + 4x^2 + 4x + 16 | irreducible | 96 | 41, 47, 49, 53, 67
(2, 24) | (12312) | x^4 - 3x^3 + 8x^2 - 12x + 16 | reducible | 96 | //
(6, 16) | (01202) | x^4 + x^3 + 4x + 16 | irreducible | | …, 61

Now, taking the curve (01200) (or (01211) or (01111)) with M_1 = 6 and M_2 = 24 as an example, we list the order of the Jacobian of the curve over the extension fields of GF(4) and its factorization (n is the extension degree).

Table 2. #J(C; GF(4^n)) and Its Factorization for Curves with M_1 = 6 and M_2 = 24
(The rows of this table, one per extension degree n giving #J(C; GF(4^n)) and its prime factorization, are not recoverable from the source; only small factors such as 2, 3, 13, 53, 157, 229, 421, 457, 461, 613, 829, 1021, 1181, 3217, 3877 and 6553 remain legible.)

Of all the orders of the Jacobians listed above, only when the extension degree n is 41, 47, 49, 53, 55, 63 or 67 does #J(C; GF(4^n)) have a prime factor of about 44 decimal digits or more. By the FR condition (s = 2000) of the Frey check, these curves are all suitable for cryptosystems. But when n is 63, the cofactor of #J(C; GF(4^63)) corresponding to the prime factor is so big (about 31 decimal digits) that it is difficult to select the base point, so it is not suitable for cryptosystems.

4.2 Curves v^2 + v = f(u) over GF(4)

The discriminant condition for the curve v^2 + v = u^5 + f_4 u^4 + f_3 u^3 + f_2 u^2 + f_1 u + f_0 over GF(4) to have no singular points is that the system of equations

v^2 + v = u^5 + f_4 u^4 + f_3 u^3 + f_2 u^2 + f_1 u + f_0,
u^4 + f_3 u^3 + f_1 = 0

has no solution over GF(4^4). There are 528 curves of the form v^2 + v = f(u) over GF(4) and, by our computation, 6 types of curves with different Jacobians.

Table 3. Computation Results for Hyperelliptic Curves of the Form v^2 + v = f(u) over GF(4)
(Columns as in Table 1.)

(M_1, M_2) | example | P(x) | reducibility | curves | secure n
(5, 33) | (01001) | x^4 + 8x^2 + 16 | reducible | 32 | //
(5, 17) | (11301) | x^4 + 16 | irreducible | 64 | none
(5, 9) | (11212) | x^4 - 4x^2 + 16 | irreducible | 48 | none
(5, 25) | (11210) | x^4 + 4x^2 + 16 | reducible | 64 | //
(7, 21) | (11232) | x^4 + 2x^3 + 4x^2 + 8x + 16 | irreducible | 128 | none
(3, 21) | (12210) | x^4 - 2x^3 + 4x^2 - 8x + 16 | irreducible | 192 | none

There are 192 curves of the form v^2 + v = f(u) defined over GF(4) with the same M_1 = 3 and M_2 = 21, for example (11233), (20033) and (20123). The order of their Jacobian over the 59th extension field of GF(4) is #J(C; GF(4^59)) = 11 × p, with p a large prime (the numerical values are not legible in the source). But the prime factor of #J(C; GF(4^59)) cannot pass the FR check: in fact, when i = 5, its large prime factor divides (4^59)^5 - 1. So the curves (11233), (20033) and (20123) over the 59th extension field of GF(4) are insecure.

4.3 Curves v^2 + uv = f(u) over GF(8)

The discriminant condition for curves v^2 + uv = u^5 + f_4 u^4 + f_3 u^3 + f_2 u^2 + f_1 u + f_0 over GF(8) to have no singular points is the same as over GF(4), that is f_0 \ne f_1^2. The curves of the form v^2 + uv = f(u) over GF(8) fall into 40 types with different Jacobians. We extend the curves v^2 + uv = f(u) over GF(8) to GF(8^n), where 25 < n < 50, and list all the secure curves we get in the following table (we only consider the case where P(x) is irreducible over the rational number field).

Table 4. Computation Results for Hyperelliptic Curves of the Form v^2 + uv = f(u) over GF(8)
(Columns as in Table 1. Values of M_1 missing in the source were recovered from a_1 = M_1 - 1 - q; the count 1200 for (12, 72) is taken from the text below.)

(M_1, M_2) | example | P(x) | reducibility | curves | secure n
(16, 64) | (01011) | x^4 + 7x^3 + 24x^2 + 56x + 64 | irreducible | 64 | none
(8, 56) | (12215) | x^4 - x^3 - 4x^2 - 8x + 64 | reducible | 448 | //
(8, 72) | (05016) | x^4 - x^3 + 4x^2 - 8x + 64 | reducible | 2208 | //
(8, 80) | (10207) | x^4 - x^3 + 8x^2 - 8x + 64 | irreducible | 1728 | none
(2, 64) | (10173) | x^4 - 7x^3 + 24x^2 - 56x + 64 | irreducible | 64 | none
(10, 56) | (01101) | x^4 + x^3 - 4x^2 + 8x + 64 | irreducible | 448 | none
(10, 72) | (04527) | x^4 + x^3 + 4x^2 + 8x + 64 | reducible | 2208 | //
(10, 80) | (04524) | x^4 + x^3 + 8x^2 + 8x + 64 | irreducible | | …, 37
(12, 88) | (05037) | x^4 + 3x^3 + 16x^2 + 24x + 64 | reducible | 912 | //
(4, 64) | (02002) | x^4 - 5x^3 + 12x^2 - 40x + 64 | irreducible | 288 | none
(8, 48) | (02003) | x^4 - x^3 - 8x^2 - 8x + 64 | irreducible | | …, 37, 41
(12, 72) | (12244) | x^4 + 3x^3 + 8x^2 + 24x + 64 | irreducible | 1200 | …, 31, 37, 47
(12, 80) | (13417) | x^4 + 3x^3 + 12x^2 + 24x + 64 | reducible | 864 | //
(4, 72) | (13426) | x^4 - 5x^3 + 16x^2 - 40x + 64 | reducible | 432 | //
(12, 48) | (13422) | x^4 + 3x^3 - 4x^2 + 24x + 64 | irreducible | | …, 41, 47
(12, 64) | (13447) | x^4 + 3x^3 + 4x^2 + 24x + 64 | irreducible | | …, 37, 43
(8, 88) | (12077) | x^4 - x^3 + 12x^2 - 8x + 64 | irreducible | | …, 31, 37
(4, 48) | (02055) | x^4 - 5x^3 + 4x^2 - 40x + 64 | irreducible | 96 | 31, 49
(6, 88) | (12122) | x^4 - 3x^3 + 16x^2 - 24x + 64 | reducible | 912 | //
(14, 64) | (04520) | x^4 + 5x^3 + 12x^2 + 40x + 64 | irreducible | | …
(10, 48) | (04505) | x^4 + x^3 - 8x^2 + 8x + 64 | irreducible | | …, 37, 43, 47
(6, 72) | (04507) | x^4 - 3x^3 + 8x^2 - 24x + 64 | irreducible | | …
(6, 80) | (13117) | x^4 - 3x^3 + 12x^2 - 24x + 64 | reducible | 864 | //
(14, 72) | (04515) | x^4 + 5x^3 + 16x^2 + 40x + 64 | reducible | 432 | //
(6, 48) | (13122) | x^4 - 3x^3 - 4x^2 - 24x + 64 | irreducible | | …
(6, 64) | (12103) | x^4 - 3x^3 + 4x^2 - 24x + 64 | irreducible | | …, 49
(10, 88) | (12353) | x^4 + x^3 + 12x^2 + 8x + 64 | irreducible | | …, 31, 37
(14, 48) | (02337) | x^4 + 5x^3 + 4x^2 + 40x + 64 | irreducible | | …
(8, 64) | (12414) | x^4 - x^3 - 8x + 64 | irreducible | | …, 43, 47
(12, 56) | (14043) | x^4 + 3x^3 + 24x + 64 | irreducible | | …, 31, 37, 41
(4, 88) | (14012) | x^4 - 5x^3 + 24x^2 - 40x + 64 | irreducible | | …, 31, 47
(10, 64) | (13120) | x^4 + x^3 + 8x + 64 | irreducible | | …, 49
(6, 56) | (12106) | x^4 - 3x^3 - 24x + 64 | irreducible | | …, 43
(14, 88) | (12116) | x^4 + 5x^3 + 24x^2 + 40x + 64 | irreducible | | …, 37, 43
(4, 80) | (12432) | x^4 - 5x^3 + 20x^2 - 40x + 64 | reducible | 288 | //
(14, 80) | (12132) | x^4 + 5x^3 + 20x^2 + 40x + 64 | reducible | 288 | //
(4, 56) | (35602) | x^4 - 5x^3 + 8x^2 - 40x + 64 | irreducible | 96 | none
(14, 56) | (32345) | x^4 + 5x^3 + 8x^2 + 40x + 64 | irreducible | 96 | 29, 31, 37, 41, 43, 49
(16, 80) | (36057) | x^4 + 7x^3 + 32x^2 + 56x + 64 | irreducible | | …
(2, 80) | (27700) | x^4 - 7x^3 + 32x^2 - 56x + 64 | irreducible | | …, 43, 47

We take only the curves with M_1 = 12 and M_2 = 72 as an example. There are 1200 curves v^2 + uv = f(u) with the same M_1 = 12 and M_2 = 72 defined over GF(8), for example (12244), (12261) and (12275). The order of their Jacobian over the 31st extension field of GF(8) is #J(C; GF(8^31)) = 4 × 25 × 1117 × p, with p a large prime (the numerical values are not legible in the source). It passes the FR check (s = 2000), and hence these curves are secure.

4.4 Curves v^2 + v = f(u) over GF(8)

The discriminant condition for the curve v^2 + v = u^5 + f_4 u^4 + f_3 u^3 + f_2 u^2 + f_1 u + f_0 over GF(8^4) to have no singular points is the same as that over GF(4). The curves of the form v^2 + v = f(u) over GF(8) can be divided into 12 types with different Jacobians.

Table 5. Computation Results for Hyperelliptic Curves of the Form v^2 + v = f(u) over GF(8)
(Columns as in Table 1.)

(M_1, M_2) | example | P(x) | reducibility | curves | secure n
(5, 81) | (01000) | x^4 - 4x^3 + 16x^2 - 32x + 64 | reducible | 2592 | //
(9, 65) | (01001) | x^4 + 64 | reducible | 5104 | //
(13, 65) | (01002) | x^4 + 4x^3 + 8x^2 + 32x + 64 | irreducible | 3040 | none
(9, 81) | (01003) | x^4 + 8x^2 + 64 | irreducible | 4608 | none
(9, 33) | (01010) | x^4 - 16x^2 + 64 | reducible | 280 | //
(17, 65) | (01011) | x^4 + 8x^3 + 32x^2 + 64x + 64 | reducible | 80 | //
(9, 97) | (01017) | x^4 + 16x^2 + 64 | reducible | 888 | //
(13, 81) | (01035) | x^4 + 4x^3 + 16x^2 + 32x + 64 | reducible | 1504 | //
(5, 65) | (01043) | x^4 - 4x^3 + 8x^2 - 32x + 64 | irreducible | 2784 | none
(1, 97) | (15217) | x^4 - 8x^3 + 48x^2 - 64x + 64 | irreducible | 72 | none
(1, 65) | (10315) | x^4 - 8x^3 + 32x^2 - 64x + 64 | reducible | 160 | //
(1, 33) | (14216) | x^4 - 8x^3 + 16x^2 - 64x + 64 | reducible | 24 | //

For M_1 = 13 and M_2 = 65, there are 3040 curves v^2 + v = f(u) defined over GF(8); (01002), (03343) and (03776) are examples. The orders of their Jacobians over the 29th, 31st, 35th and 49th extension fields of GF(8) all have a prime factor larger than 2^150, but they cannot pass the FR check. Note that #J(C; GF(8^29)) = 109 × p, with p a large prime, but p divides (8^29)^s - 1 for an s within the FR bound.

From Tables 3 and 5, we notice that there is no hyperelliptic curve of the form v^2 + v = f(u) over GF(4) or GF(8) that is suitable for establishing cryptosystems. The reason is that hyperelliptic curves of this form over a finite field of characteristic 2 are supersingular hyperelliptic curves. This conclusion has recently been proved by Galbraith [12]. The FR reduction attack is subexponential-time for supersingular hyperelliptic curves, since in this case the HCDLP can be converted to the DLP over the finite field GF(q^{k(g)}), where the extension degree k(g) is an integer determined by the genus of the hyperelliptic curve; for example, k(g) = 6 when g = 1, k(g) = 12 when g = 2, and k(g) = 30 when g = 3 [12].

5 Conclusion

At the same level of security, the underlying field of a hyperelliptic curve is smaller than that of an elliptic curve. So HCCs have advantages over the existing public key cryptosystems and are more suitable for security products such as smart cards, if we can find suitable hyperelliptic curves and fast operations on their Jacobians. In this paper, we have discussed the hyperelliptic curves of g = 2 of the forms v^2 + uv = f(u) and v^2 + v = f(u) and extended the curves from the finite fields GF(4) and GF(8) to GF(4^k) and GF(8^t) respectively using the Weil conjecture. We have also found all the secure curves suitable for cryptosystems for 38 < k < 70 and 25 < t < 50. HCC is an interesting research field, and many people have been paying attention to it. For the results on HCCs to be put into practical use, many problems remain to be solved, such as finding more efficient methods to select secure hyperelliptic curves and fast operations on the Jacobians. Our further study will focus on these problems.

References

[1] Koblitz N. Elliptic curve cryptosystems. Mathematics of Computation, 1987, 48(177).
[2] Koblitz N. Hyperelliptic cryptography. Journal of Cryptology, 1989, (1).
[3] Cantor D G. Computing in the Jacobian of a hyperelliptic curve. Mathematics of Computation, 1987, 48.
[4] Frey G, Rück H. A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Mathematics of Computation, 1994, 62.
[5] Sakai Y, Sakurai K, Ishizuka H. Secure hyperelliptic cryptosystems and their performance. In PKC'98, Imai H, Zheng Y (eds.), Springer-Verlag, LNCS 1431, Pacifico Yokohama, Japan, February 1998.
[6] Koblitz N. Algebraic Aspects of Cryptography. New York: Springer-Verlag.
[7] Menezes A, Wu Y, Zuccherato R. An elementary introduction to hyperelliptic curves. Available at …/reports97.html.
[8] Itoh T, Sakurai K, Shizuya H. On the complexity of hyperelliptic discrete logarithm problem. In Advances in Cryptology, EUROCRYPT'91, LNCS 547, Springer-Verlag, Brighton, UK, 1991.
[9] Adleman L, DeMarrais J, Huang M. A subexponential algorithm for discrete logarithms over the rational subgroup of the Jacobians of large genus hyperelliptic curves over finite fields. In Algorithmic Number Theory (ANTS-1), LNCS 877, Springer-Verlag, Ithaca, New York, 1994.
[10] Gaudry P. An algorithm for solving the discrete log problem on hyperelliptic curves. In Eurocrypt 2000, Preneel B (ed.), LNCS 1807, Springer-Verlag, Bruges, Belgium, May 2000.
[11] Rück H G. On the discrete logarithm in the divisor class group of curves. Mathematics of Computation, 1999, 68.
[12] Galbraith S D. Supersingular curves in cryptography. Available at ….

ZHANG Fangguo received the B.S. degree in mathematics from Yantai Teachers' University in 1996 and the M.S. degree in applied mathematics from Tongji University. He is currently a Ph.D. candidate in cryptography at Xidian University. His research interests are electronic commerce, elliptic curve cryptography and hyperelliptic curve cryptography.

ZHANG Futai received the M.S. degree in fundamental mathematics from Shanxi Normal University. He is currently a Ph.D. candidate in cryptography at Xidian University. His research interests are information security, cryptography and electronic commerce.

WANG Yumin is a professor and Ph.D. supervisor at Xidian University, and a member of IEEE. His research interests are the philosophy of communication, information theory, coding and cryptography.


Elliptic Curve Cryptography with Derive Elliptic Curve Cryptography with Derive Johann Wiesenbauer Vienna University of Technology DES-TIME-2006, Dresden General remarks on Elliptic curves Elliptic curces can be described as nonsingular algebraic

More information

Efficient Algorithms for Pairing-Based Cryptosystems

Efficient Algorithms for Pairing-Based Cryptosystems Efficient Algorithms for Pairing-Based Cryptosystems Paulo S. L. M. Barreto 1, Hae Y. Kim 1, Ben Lynn 2, and Michael Scott 3 1 Universidade de São Paulo, Escola Politécnica. Av. Prof. Luciano Gualberto,

More information

Performance of Finite Field Arithmetic in an Elliptic Curve Cryptosystem

Performance of Finite Field Arithmetic in an Elliptic Curve Cryptosystem 1 Performance of Finite Field Arithmetic in an Elliptic Curve Cryptosystem Abstract Zhi Li, John Higgins, Mark Clement 3361 TMCB Brigham Young University Provo, UT 8462 {zli,higgins,clement}@cs.byu.edu

More information

Julio López and Ricardo Dahab. Institute of Computing (IC) UNICAMP. April,

Julio López and Ricardo Dahab. Institute of Computing (IC) UNICAMP. April, Point Compression Algorithms for Binary Curves Julio López and Ricardo Dahab {jlopez,rdahab}@ic.unicamp.br Institute of Computing (IC) UNICAMP April, 14 2005 Outline Introduction to ECC over GF (2 m )

More information

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems Applied Mathematical Sciences, Vol. 6, 202, no. 39, 6903-690 Blind Signature Protocol Based on Difficulty of Simultaneous Solving Two Difficult Problems N. H. Minh, D. V. Binh 2, N. T. Giang 3 and N. A.

More information

Generating more MNT elliptic curves

Generating more MNT elliptic curves Generating more MNT elliptic curves Michael Scott 1 and Paulo S. L. M. Barreto 2 1 School of Computer Applications Dublin City University Ballymun, Dublin 9, Ireland. mike@computing.dcu.ie 2 Universidade

More information

Finite fields and cryptology

Finite fields and cryptology Computer Science Journal of Moldova, vol.11, no.2(32), 2003 Ennio Cortellini Abstract The problem of a computationally feasible method of finding the discrete logarithm in a (large) finite field is discussed,

More information

Elliptic Curve Cryptosystems and Scalar Multiplication

Elliptic Curve Cryptosystems and Scalar Multiplication Annals of the University of Craiova, Mathematics and Computer Science Series Volume 37(1), 2010, Pages 27 34 ISSN: 1223-6934 Elliptic Curve Cryptosystems and Scalar Multiplication Nicolae Constantinescu

More information

Implementing Pairing-Based Cryptosystems

Implementing Pairing-Based Cryptosystems Implementing Pairing-Based Cryptosystems Zhaohui Cheng and Manos Nistazakis School of Computing Science, Middlesex University White Hart Lane, London N17 8HR, UK. {m.z.cheng, e.nistazakis}@mdx.ac.uk Abstract:

More information

The only method currently known for inverting nf-exp requires computing shortest vectors in lattices whose dimension is the degree of the number eld.

The only method currently known for inverting nf-exp requires computing shortest vectors in lattices whose dimension is the degree of the number eld. A one way function based on ideal arithmetic in number elds Johannes Buchmann Sachar Paulus Abstract We present a new one way function based on the diculty of nding shortest vectors in lattices. This new

More information

Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *

Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * 2017 2nd International Conference on Artificial Intelligence: Techniques and Applications (AITA 2017) ISBN: 978-1-60595-491-2 Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * DCS

More information

Elliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.

Elliptic Curves I. The first three sections introduce and explain the properties of elliptic curves. Elliptic Curves I 1.0 Introduction The first three sections introduce and explain the properties of elliptic curves. A background understanding of abstract algebra is required, much of which can be found

More information

A new conic curve digital signature scheme with message recovery and without one-way hash functions

A new conic curve digital signature scheme with message recovery and without one-way hash functions Annals of the University of Craiova, Mathematics and Computer Science Series Volume 40(2), 2013, Pages 148 153 ISSN: 1223-6934 A new conic curve digital signature scheme with message recovery and without

More information

Public Key Cryptography with a Group of Unknown Order

Public Key Cryptography with a Group of Unknown Order Public Key Cryptography with a Group of Unknown Order Richard P. Brent 1 Oxford University rpb@comlab.ox.ac.uk Programming Research Group Report PRG TR 02 00 5 June 2000 Abstract We present algorithms

More information

Fast arithmetic and pairing evaluation on genus 2 curves

Fast arithmetic and pairing evaluation on genus 2 curves Fast arithmetic and pairing evaluation on genus 2 curves David Freeman University of California, Berkeley dfreeman@math.berkeley.edu November 6, 2005 Abstract We present two algorithms for fast arithmetic

More information

Constructing Abelian Varieties for Pairing-Based Cryptography

Constructing Abelian Varieties for Pairing-Based Cryptography for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers

More information

Constructing Families of Pairing-Friendly Elliptic Curves

Constructing Families of Pairing-Friendly Elliptic Curves Constructing Families of Pairing-Friendly Elliptic Curves David Freeman Information Theory Research HP Laboratories Palo Alto HPL-2005-155 August 24, 2005* cryptography, pairings, elliptic curves, embedding

More information

The Elliptic Curve in https

The Elliptic Curve in https The Elliptic Curve in https Marco Streng Universiteit Leiden 25 November 2014 Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 1 The s in https:// HyperText Transfer Protocol

More information

Optimised versions of the Ate and Twisted Ate Pairings

Optimised versions of the Ate and Twisted Ate Pairings Optimised versions of the Ate and Twisted Ate Pairings Seiichi Matsuda 1, Naoki Kanayama 1, Florian Hess 2, and Eiji Okamoto 1 1 University of Tsukuba, Japan 2 Technische Universität Berlin, Germany Abstract.

More information

Elliptic Curve Public-Key Cryptosystems An Introduction

Elliptic Curve Public-Key Cryptosystems An Introduction Elliptic Curve Public-Key Cryptosystems An Introduction Erik De Win and Bart Preneel Katholieke Universiteit Leuven, Dept. Electrical Engineering-ESAT K. Mercierlaan 94, 3001 Heverlee, Belgium {erik.dewin,bart.preneel}@esat.kuleuven.ac.be

More information

Efficient Computation of Tate Pairing in Projective Coordinate Over General Characteristic Fields

Efficient Computation of Tate Pairing in Projective Coordinate Over General Characteristic Fields Efficient Computation of Tate Pairing in Projective Coordinate Over General Characteristic Fields Sanjit Chatterjee, Palash Sarkar and Rana Barua Cryptology Research Group Applied Statistics Unit Indian

More information

SM9 identity-based cryptographic algorithms Part 1: General

SM9 identity-based cryptographic algorithms Part 1: General SM9 identity-based cryptographic algorithms Part 1: General Contents 1 Scope... 1 2 Terms and definitions... 1 2.1 identity... 1 2.2 master key... 1 2.3 key generation center (KGC)... 1 3 Symbols and abbreviations...

More information

Elliptic Curve Cryptosystems

Elliptic Curve Cryptosystems Elliptic Curve Cryptosystems Santiago Paiva santiago.paiva@mail.mcgill.ca McGill University April 25th, 2013 Abstract The application of elliptic curves in the field of cryptography has significantly improved

More information

On the Discrete Logarithm Problem on Algebraic Tori

On the Discrete Logarithm Problem on Algebraic Tori On the Discrete Logarithm Problem on Algebraic Tori R. Granger 1 and F. Vercauteren 2 1 University of Bristol, Department of Computer Science, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB,

More information

Safer parameters for the Chor-Rivest cryptosystem

Safer parameters for the Chor-Rivest cryptosystem Safer parameters for the Chor-Rivest cryptosystem L. Hernández Encinas, J. Muñoz Masqué and A. Queiruga Dios Applied Physics Institute, CSIC C/ Serrano 144, 28006-Madrid, Spain {luis, jaime, araceli}@iec.csic.es

More information

Pairings for Cryptographers

Pairings for Cryptographers Pairings for Cryptographers Steven D. Galbraith 1, Kenneth G. Paterson 1, and Nigel P. Smart 2 1 Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, United Kingdom.

More information

The Computational Square-Root Exponent Problem- Revisited

The Computational Square-Root Exponent Problem- Revisited The Computational Square-Root Exponent Problem- Revisited Fangguo Zhang School of Information Science and Technology, Sun Yat-sen University, Guangzhou 510006, China isszhfg@mail.sysu.edu.cn Abstract.

More information

Fast Simultaneous Scalar Multiplication on Elliptic Curve with Montgomery Form

Fast Simultaneous Scalar Multiplication on Elliptic Curve with Montgomery Form Fast Simultaneous Scalar Multiplication on Elliptic Curve with Montgomery Form Toru Akishita Sony Corporation, 6-7-35 Kitashinagawa Shinagawa-ku, Tokyo, 141-0001, Japan akishita@pal.arch.sony.co.jp Abstract.

More information

2.2. The Weil Pairing on Elliptic Curves If A and B are r-torsion points on some elliptic curve E(F q d ), let us denote the r-weil pairing of A and B

2.2. The Weil Pairing on Elliptic Curves If A and B are r-torsion points on some elliptic curve E(F q d ), let us denote the r-weil pairing of A and B Weil Pairing vs. Tate Pairing in IBE systems Ezra Brown, Eric Errthum, David Fu October 10, 2003 1. Introduction Although Boneh and Franklin use the Weil pairing on elliptic curves to create Identity-

More information

Introduction to Elliptic Curve Cryptography

Introduction to Elliptic Curve Cryptography Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic

More information

An Algorithm for Solving the Discrete Log Problem on Hyperelliptic Curves

An Algorithm for Solving the Discrete Log Problem on Hyperelliptic Curves An Algorithm for Solving the Discrete Log Problem on Hyperelliptic Curves Pierrick Gaudry LIX, École Polytechnique, 91128 Palaiseau Cedex, France gaudry@lix.polytechnique.fr Abstract. We present an index-calculus

More information

Hidden pairings and trapdoor DDH groups. Alexander W. Dent Joint work with Steven D. Galbraith

Hidden pairings and trapdoor DDH groups. Alexander W. Dent Joint work with Steven D. Galbraith Hidden pairings and trapdoor DDH groups Alexander W. Dent Joint work with Steven D. Galbraith 2 Pairings in cryptography Elliptic curves have become an important tool in cryptography and pairings have

More information

The Application of the Mordell-Weil Group to Cryptographic Systems

The Application of the Mordell-Weil Group to Cryptographic Systems The Application of the Mordell-Weil Group to Cryptographic Systems by André Weimerskirch A Thesis Submitted to the Faculty of the WORCESTER POLYTECHNIC INSTITUTE In partial fulfillment of the requirements

More information

The State of Elliptic Curve Cryptography

The State of Elliptic Curve Cryptography Designs, Codes and Cryptography, 19, 173 193 (2000) c 2000 Kluwer Academic Publishers, Boston. Manufactured in The Netherlands. The State of Elliptic Curve Cryptography NEAL KOBLITZ koblitz@math.washington.edu

More information

New Variant of ElGamal Signature Scheme

New Variant of ElGamal Signature Scheme Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 34, 1653-1662 New Variant of ElGamal Signature Scheme Omar Khadir Department of Mathematics Faculty of Science and Technology University of Hassan II-Mohammedia,

More information

Efficient Key Agreement and Signature Schemes Using Compact Representations in GF (p 10 )

Efficient Key Agreement and Signature Schemes Using Compact Representations in GF (p 10 ) Efficient Key Agreement and Signature Schemes Using Compact Representations in GF (p 10 ) Kenneth J. Giuliani 1 and Guang Gong 2 1 Dept. of Combinatorics and Optimization University of Waterloo Waterloo,

More information

The GHS Attack for Cyclic Extensions of Arbitrary Function Fields

The GHS Attack for Cyclic Extensions of Arbitrary Function Fields The GHS Attack for Cyclic Extensions of Arbitrary Function Fields Tomohiro Nakayama Abstract It is known that the discrete logarithm problem in the Jacobian group of a higher genus curve can be solved

More information

Efficient Doubling on Genus Two Curves over. binary fields.

Efficient Doubling on Genus Two Curves over. binary fields. Efficient Doubling on Genus Two Curves over Binary Fields Tanja Lange 1, and Marc Stevens 2, 1 Institute for Information Security and Cryptology (ITSC), Ruhr-Universität Bochum Universitätsstraße 150 D-44780

More information

Constructing Abelian Varieties for Pairing-Based Cryptography. David Stephen Freeman. A.B. (Harvard University) 2002

Constructing Abelian Varieties for Pairing-Based Cryptography. David Stephen Freeman. A.B. (Harvard University) 2002 Constructing Abelian Varieties for Pairing-Based Cryptography by David Stephen Freeman A.B. (Harvard University) 2002 A dissertation submitted in partial satisfaction of the requirements for the degree

More information

A brief overwiev of pairings

A brief overwiev of pairings Bordeaux November 22, 2016 A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview pairings 0 / 37 Plan of the lecture Pairings Pairing-friendly curves Progress of NFS attacks

More information

A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic

A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic ECC, Chennai October 8, 2014 A heuristic quasi-polynomial algorithm for discrete logarithm in small characteristic Razvan Barbulescu 1 Pierrick Gaudry 2 Antoine Joux 3 Emmanuel Thomé 2 IMJ-PRG, Paris Loria,

More information

GENERATORS OF JACOBIANS OF GENUS TWO CURVES

GENERATORS OF JACOBIANS OF GENUS TWO CURVES GENERATORS OF JACOBIANS OF GENUS TWO CURVES CHRISTIAN ROBENHAGEN RAVNSHØJ Abstract. We prove that in most cases relevant to cryptography, the Frobenius endomorphism on the Jacobian of a genus two curve

More information

An Introduction to Elliptic and Hyperelliptic Curve Cryptography and the NTRU Cryptosystem

An Introduction to Elliptic and Hyperelliptic Curve Cryptography and the NTRU Cryptosystem An Introduction to Elliptic and Hyperelliptic Curve Cryptography and the NTRU Cryptosystem Jasper Scholten and Frederik Vercauteren K.U. Leuven, Dept. Elektrotechniek-ESAT/COSIC, Kasteelpark Arenberg 10,

More information

On Partial Lifting and the Elliptic Curve Discrete Logarithm Problem

On Partial Lifting and the Elliptic Curve Discrete Logarithm Problem On Partial Lifting and the Elliptic Curve Discrete Logarithm Problem Qi Cheng 1 and Ming-Deh Huang 2 1 School of Computer Science The University of Oklahoma Norman, OK 73019, USA. Email: qcheng@cs.ou.edu.

More information

Problème du logarithme discret sur courbes elliptiques

Problème du logarithme discret sur courbes elliptiques Problème du logarithme discret sur courbes elliptiques Vanessa VITSE Université de Versailles Saint-Quentin, Laboratoire PRISM Groupe de travail équipe ARITH LIRMM Vanessa VITSE (UVSQ) DLP over elliptic

More information

Arithmétique et Cryptographie Asymétrique

Arithmétique et Cryptographie Asymétrique Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010 This talk is about public-key cryptography Why did mathematicians

More information

Secure Bilinear Diffie-Hellman Bits

Secure Bilinear Diffie-Hellman Bits Secure Bilinear Diffie-Hellman Bits Steven D. Galbraith 1, Herbie J. Hopkins 1, and Igor E. Shparlinski 2 1 Mathematics Department, Royal Holloway University of London Egham, Surrey, TW20 0EX, UK Steven.Galbraith@rhul.ac.uk,

More information

Constructing Pairing-Friendly Elliptic Curves for Cryptography

Constructing Pairing-Friendly Elliptic Curves for Cryptography Constructing Pairing-Friendly Elliptic Curves for Cryptography University of California, Berkeley, USA 2nd KIAS-KMS Summer Workshop on Cryptography Seoul, Korea 30 June 2007 Outline 1 Pairings in Cryptography

More information

Little Dragon Two: An efficient Multivariate Public Key Cryptosystem

Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India October

More information

FINDING COMPOSITE ORDER ORDINARY ELLIPTIC CURVES USING THE COCKS-PINCH METHOD

FINDING COMPOSITE ORDER ORDINARY ELLIPTIC CURVES USING THE COCKS-PINCH METHOD FINDING COMPOSITE ORDER ORDINARY ELLIPTIC CURVES USING THE COCKS-PINCH METHOD D. BONEH, K. RUBIN, AND A. SILVERBERG Abstract. We apply the Cocks-Pinch method to obtain pairing-friendly composite order

More information

An Introduction to Pairings in Cryptography

An Introduction to Pairings in Cryptography An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings

More information

Short signatures from the Weil pairing

Short signatures from the Weil pairing Short signatures from the Weil pairing Dan Boneh, Ben Lynn, and Hovav Shacham Computer Science Department, Stanford University {dabo,blynn,hovav}@cs.stanford.edu Abstract. We introduce a short signature

More information

Mapping an Arbitrary Message to an Elliptic Curve when Defined over GF (2 n )

Mapping an Arbitrary Message to an Elliptic Curve when Defined over GF (2 n ) International Journal of Network Security, Vol8, No2, PP169 176, Mar 2009 169 Mapping an Arbitrary Message to an Elliptic Curve when Defined over GF (2 n ) Brian King Indiana University - Purdue University

More information

APPLICATION OF ELLIPTIC CURVES IN CRYPTOGRAPHY-A REVIEW

APPLICATION OF ELLIPTIC CURVES IN CRYPTOGRAPHY-A REVIEW APPLICATION OF ELLIPTIC CURVES IN CRYPTOGRAPHY-A REVIEW Savkirat Kaur Department of Mathematics, Dev Samaj College for Women, Ferozepur (India) ABSTRACT Earlier, the role of cryptography was confined to

More information

Cyclic Groups in Cryptography

Cyclic Groups in Cryptography Cyclic Groups in Cryptography p. 1/6 Cyclic Groups in Cryptography Palash Sarkar Indian Statistical Institute Cyclic Groups in Cryptography p. 2/6 Structure of Presentation Exponentiation in General Cyclic

More information

Efficient Algorithms for Pairing-Based Cryptosystems

Efficient Algorithms for Pairing-Based Cryptosystems Efficient Algorithms for Pairing-Based Cryptosystems Paulo S.L.M. Barreto 1, Hae Y. Kim 1, Ben Lynn 2, and Michael Scott 3 1 Universidade de São Paulo, Escola Politécnica Av. Prof. Luciano Gualberto, tr.

More information

Optimal TNFS-secure pairings on elliptic curves with even embedding degree

Optimal TNFS-secure pairings on elliptic curves with even embedding degree Optimal TNFS-secure pairings on elliptic curves with even embedding degree Georgios Fotiadis 1 and Chloe Martindale 2 1 University of the Aegean, Greece gfotiadis@aegean.gr 2 Technische Universiteit Eindhoven,

More information

6. ELLIPTIC CURVE CRYPTOGRAPHY (ECC)

6. ELLIPTIC CURVE CRYPTOGRAPHY (ECC) 6. ELLIPTIC CURVE CRYPTOGRAPHY (ECC) 6.0 Introduction Elliptic curve cryptography (ECC) is the application of elliptic curve in the field of cryptography.basically a form of PKC which applies over the

More information

Arithmetic operators for pairing-based cryptography

Arithmetic operators for pairing-based cryptography 7. Kryptotag November 9 th, 2007 Arithmetic operators for pairing-based cryptography Jérémie Detrey Cosec, B-IT, Bonn, Germany jdetrey@bit.uni-bonn.de Joint work with: Jean-Luc Beuchat Nicolas Brisebarre

More information

Solving Discrete Logarithms on a 170-bit MNT Curve by Pairing Reduction

Solving Discrete Logarithms on a 170-bit MNT Curve by Pairing Reduction Solving Discrete Logarithms on a 170-bit MNT Curve by Pairing Reduction Aurore Guillevic and François Morain and Emmanuel Thomé University of Calgary, PIMS CNRS, LIX École Polytechnique, Inria, Loria SAC,

More information

Decomposed Attack for the Jacobian of a Hyperelliptic Curve over an Extension Field

Decomposed Attack for the Jacobian of a Hyperelliptic Curve over an Extension Field Decomposed Attack for the Jacobian of a Hyperelliptic Curve over an Extension Field Koh-ichi Nagao nagao@kanto-gakuin.ac.jp Dept. of Engineering, Kanto Gakuin Univ., 1-50-1 Mutsuura Higashi Kanazawa-ku

More information

Elliptic Curves and Cryptography

Elliptic Curves and Cryptography Elliptic Curves and Cryptography Aleksandar Jurišić Alfred J. Menezes March 23, 2005 Elliptic curves have been intensively studied in number theory and algebraic geometry for over 100 years and there is

More information

Background of Pairings

Background of Pairings Background of Pairings Tanja Lange Department of Mathematics and Computer Science Technische Universiteit Eindhoven The Netherlands tanja@hyperelliptic.org 04.09.2007 Tanja Lange Background of Pairings

More information

Public Key Algorithms

Public Key Algorithms Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/

More information

Elliptic Curves and Their Applications to Cryptography: An Introduction. Andreas Enge

Elliptic Curves and Their Applications to Cryptography: An Introduction. Andreas Enge Elliptic Curves and Their Applications to Cryptography: An Introduction Andreas Enge September 1999 Contents List of Tables List of Figures Foreword Preface 1 Public Key Cryptography 1.1 Private versus

More information