Elliptic and Hyperelliptic Curve Cryptography

Size: px

Start display at page:

Download "Elliptic and Hyperelliptic Curve Cryptography"

Lester McCormick
5 years ago
Views:

1 Elliptic and Hyperelliptic Curve Cryptography Renate Scheidler Research supported in part by NSERC of Canada

2 Comprehensive Source Handbook of Elliptic and Hyperelliptic Curve Cryptography

3 Overview Motivation Elliptic Curve Arithmetic Hyperelliptic Curve Arithmetic Point Counting Discrete ogarithm Algorithms Other Models

4 Motivation Why (Hyper-)Elliptic Cryptography? Requirements on groups for discrete log based cryptography arge group order (plus other restrictions) Compact representation of group elements Fast group operation Hard Diffie-Hellman/discrete logarithm problem

5 Motivation Why (Hyper-)Elliptic Cryptography? Requirements on groups for discrete log based cryptography arge group order (plus other restrictions) Compact representation of group elements Fast group operation Hard Diffie-Hellman/discrete logarithm problem Elliptic and low genus hyperelliptic curves do well on all of these!

6 Elliptic Curves et K be a field (in crypto, K F q with q prime or q 2 n )

7 Elliptic Curves et K be a field (in crypto, K F q with q prime or q 2 n ) Weierstraß equation over K: E y 2 a 1 xy a 3 y x 3 a 2 x 2 a 4 x a 6 ˆ with a 1, a 2, a 3, a 4, a 6 > K

8 Elliptic Curves et K be a field (in crypto, K F q with q prime or q 2 n ) Weierstraß equation over K: E y 2 a 1 xy a 3 y x 3 a 2 x 2 a 4 x a 6 ˆ with a 1, a 2, a 3, a 4, a 6 > K Elliptic curve: Weierstraß equation & non-singularity condition: there are no simultaneous solutions to ˆ and 2y a 1 x a 3 0 a 1 y 3x 2 2a 2 x a 4

9 Elliptic Curves et K be a field (in crypto, K F q with q prime or q 2 n ) Weierstraß equation over K: E y 2 a 1 xy a 3 y x 3 a 2 x 2 a 4 x a 6 ˆ with a 1, a 2, a 3, a 4, a 6 > K Elliptic curve: Weierstraß equation & non-singularity condition: there are no simultaneous solutions to ˆ and 2y a 1 x a 3 0 a 1 y 3x 2 2a 2 x a 4 Non-singularity x 0 where is the discriminant of E

10 Non-Examples Two Weierstraß equations with a singularity at ˆ0, 0 y 2 x 3 y 2 x 2ˆx

11 An Example E y 2 x 3 5x over Q

12 Elliptic Curves, charˆk x 2, 3 The variable transformations y y ˆa 1 x a 3 ~2, then x x ˆa 2 1 4a 2 ~12 yield an elliptic curve in short Weierstraß form: E y 2 x 3 Ax B ˆA, B > K Discriminant 4A 3 27B 2 x 0 ˆcubic in x has distinct roots)

13 Elliptic Curves, charˆk x 2, 3 The variable transformations y y ˆa 1 x a 3 ~2, then x x ˆa 2 1 4a 2 ~12 yield an elliptic curve in short Weierstraß form: E y 2 x 3 Ax B ˆA, B > K Discriminant 4A 3 27B 2 x 0 ˆcubic in x has distinct roots) For any field with K b b K: Eˆ ˆx 0, y 0 > S y0 2 x 0 3 Ax 0 B 8 ª set of -rational points on E

14 An Example EˆQ ˆx 0, y 0 > Q Q S y0 2 x ª 3 5x P 1 ˆ1, 2, P 2 ˆ0, 0 > EˆQ

15 The Mysterious Point at Infinity In E, replace x by x~z, y by y~z, then multiply by z 3 : E proj y 2 z x 3 Axz 2 Bz 3

16 The Mysterious Point at Infinity In E, replace x by x~z, y by y~z, then multiply by z 3 : E proj y 2 z x 3 Axz 2 Bz 3 Points on E proj : x y z x normalized so the last non-zero entry is 1

17 The Mysterious Point at Infinity In E, replace x by x~z, y by y~z, then multiply by z 3 : E proj y 2 z x 3 Axz 2 Bz 3 Points on E proj : x y z x normalized so the last non-zero entry is 1 Affine Points Projective Points ˆx, y x y 1 ª 0 1 0

18 Arithmetic on E Goal: Make Eˆ into an additive (Abelian) group The identity is the point at infinity

19 Arithmetic on E Goal: Make Eˆ into an additive (Abelian) group The identity is the point at infinity By Bezout s Theorem, any line intersects E in three points Need to count multiplicities If one of the points is ª, the line is vertical

20 Arithmetic on E Goal: Make Eˆ into an additive (Abelian) group The identity is the point at infinity By Bezout s Theorem, any line intersects E in three points Need to count multiplicities If one of the points is ª, the line is vertical Motto: Any three collinear points on E sum to zero AKA Chord & Tangent Addition aw

21 Arithmetic on E Inverses E y 2 x 3 5x over Q, P ˆ1, The line through P and ª is x 1

22 Arithmetic on E Inverses E y 2 x 3 5x over Q, P ˆ1, It intersects E in the third point R ˆ1, 2 P

23 Arithmetic on E Addition E y 2 x 3 5x over Q, P 1 ˆ1, 2, P 2 ˆ0, The line through P 1 and P 2 is y 2x

24 Arithmetic on E Addition E y 2 x 3 5x over Q, P 1 ˆ1, 2, P 2 ˆ0, It intersects E in the third point G ˆ5, 10

25 Arithmetic on E Addition E y 2 x 3 5x over Q, P 1 ˆ1, 2, P 2 ˆ0, The sum R is the inverse of G, i.e. R G ˆ5, 10 P Q

26 Arithmetic on E Doubling E y 2 x 3 5x over Q, P ˆ1, The line tangent to E at P is y x 33 26

27 Arithmetic on E Doubling E y 2 x 3 5x over Q, P ˆ1, It intersects E in the third point G , 3 8Ž

28 Arithmetic on E Doubling E y 2 x 3 5x over Q, P ˆ1, The sum R is the inverse of G, i.e. R G 9 4, 3 8Ž 2P

29 Arithmetic on Short Weierstraß Form Summary P 1 ˆx 1, y 1, P 2 ˆx 2, y 2 (P 1 x P 2 ; P 1, P 2 x ª) P 1 ˆx 1, y 1 P 1 P 2 ˆλ 2 x 1 x 2, λ 3 λˆx 1 x 2 µ where λ y 2 y 1 x 2 x 1 if P 1 x P 2 3x 2 1 A 2y 1 if P 1 P 2 µ y 1 x 2 y 2 x 1 x 2 x 1 if P 1 x P 2 x 3 1 Ax 1 2B 2y 1 if P 1 P 2

30 Beyond Elliptic Curves Recall Weierstraß equation: ¹¹¹¹¹¹¹¹¹¹¹ ¹¹¹¹¹¹¹¹¹¹¹ hˆx ¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹ ¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹ f ˆx E y 2 ˆa 1 x a 3 y x 3 a 2 x 2 a 4 x a 6 degˆf odd degˆh 1 for charˆk 2; h 0 for charˆk x 2

31 Beyond Elliptic Curves Recall Weierstraß equation: ¹¹¹¹¹¹¹¹¹¹¹ ¹¹¹¹¹¹¹¹¹¹¹ hˆx ¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹ ¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹ f ˆx E y 2 ˆa 1 x a 3 y x 3 a 2 x 2 a 4 x a 6 degˆf odd degˆh 1 for charˆk 2; h 0 for charˆk x 2 Generalization: degˆf 2g 1, degˆh B g g is the genus of the curve

32 Beyond Elliptic Curves Recall Weierstraß equation: ¹¹¹¹¹¹¹¹¹¹¹ ¹¹¹¹¹¹¹¹¹¹¹ hˆx ¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹ ¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹ f ˆx E y 2 ˆa 1 x a 3 y x 3 a 2 x 2 a 4 x a 6 degˆf odd degˆh 1 for charˆk 2; h 0 for charˆk x 2 Generalization: degˆf 2g 1, degˆh B g g is the genus of the curve g 1: elliptic curves g 2: degˆf 5, degˆh B 2 also good for crypto

33 Hyperelliptic Curves Hyperelliptic curve of genus g over K: fˆx H y 2 hˆx y hˆx, fˆx > K x fˆx monic and degˆf 2g 1 is odd degˆh B g if charˆk 2; hˆx 0 if charˆk x 2 non-singularity

34 Hyperelliptic Curves Hyperelliptic curve of genus g over K: fˆx H y 2 hˆx y hˆx, fˆx > K x fˆx monic and degˆf 2g 1 is odd degˆh B g if charˆk 2; hˆx 0 if charˆk x 2 non-singularity charˆk x 2: y 2 fˆx, fˆx monic, of odd degree, square-free

35 Hyperelliptic Curves Hyperelliptic curve of genus g over K: fˆx H y 2 hˆx y hˆx, fˆx > K x fˆx monic and degˆf 2g 1 is odd degˆh B g if charˆk 2; hˆx 0 if charˆk x 2 non-singularity charˆk x 2: y 2 fˆx, fˆx monic, of odd degree, square-free Set of -rational points on H (K b b K): Hˆ ˆx 0, y 0 > S y0 2 hˆx 0 y fˆx 0 8 ª

36 An Example H y 2 x 5 5x 3 4x 1 over Q, genus g

37 An Example ˆ2, 1,ˆ2, 1,ˆ3, 11 > HˆQ

38 Divisors Group of divisors on H: Div HˆK `HˆK e œ Q m P P S m P > Z, P > HˆK finite

39 Divisors Group of divisors on H: Div HˆK `HˆK e œ Q m P P S m P > Z, P > HˆK finite Subgroup of Div HˆK of degree zero divisors on H: DivHˆK ` 0 P SP > HˆK e where P P ª œ Q finite m P P Sm P > Z, P > HˆK

40 Divisors Group of divisors on H: Div HˆK `HˆK e œ Q m P P S m P > Z, P > HˆK finite Subgroup of Div HˆK of degree zero divisors on H: DivHˆK ` 0 P SP > HˆK e where P P ª œ Q finite Subgroup of Div 0 HˆK of principal divisors on H: Prin HˆK œ Q finite m P P Sm P > Z, P > HˆK v Pˆα P S α > Kˆx, y, P > HˆK

41 The Jacobian Jacobian of H: Jac HˆK Div 0 HˆK ~Prin HˆK Motto: Any complete collection of points on a function sums to zero

42 The Jacobian Jacobian of H: Jac HˆK Div 0 HˆK ~Prin HˆK Motto: Any complete collection of points on a function sums to zero HˆK 0 Jac HˆK via P ( P

43 The Jacobian Jacobian of H: Jac HˆK Div 0 HˆK ~Prin HˆK Motto: Any complete collection of points on a function sums to zero HˆK 0 Jac HˆK via P ( P For elliptic curves: EˆK Jac EˆK ( EˆK is a group)

44 The Jacobian Jacobian of H: Jac HˆK Div 0 HˆK ~Prin HˆK Motto: Any complete collection of points on a function sums to zero HˆK 0 Jac HˆK via P ( P For elliptic curves: EˆK Jac EˆK ( EˆK is a group) Identity: ª ª ª

45 The Jacobian Jacobian of H: Jac HˆK Div 0 HˆK ~Prin HˆK Motto: Any complete collection of points on a function sums to zero HˆK 0 Jac HˆK via P ( P For elliptic curves: EˆK Jac EˆK ( EˆK is a group) Identity: ª ª ª Inverses: The points P ˆx 0, y 0 and P ˆx 0, y 0 hˆx 0 on H both lie on the function x x 0, so P P

46 Semi-Reduced and Reduced Divisors Every class in Jac HˆK contains a divisor Q m P P such that finite all m P A 0 (replace P by P ) if P P, then m P 1 (as 2 P 0) if P x P, then only one of P, P can appear in the sum (as P P 0)

47 Semi-Reduced and Reduced Divisors Every class in Jac HˆK contains a divisor Q m P P such that finite all m P A 0 (replace P by P ) if P P, then m P 1 (as 2 P 0) if P x P, then only one of P, P can appear in the sum (as P P 0) Such a divisor is semi-reduced.

48 Semi-Reduced and Reduced Divisors Every class in Jac HˆK contains a divisor Q m P P such that finite all m P A 0 (replace P by P ) if P P, then m P 1 (as 2 P 0) if P x P, then only one of P, P can appear in the sum (as P P 0) Such a divisor is semi-reduced. If P m P B g, then it is reduced.

49 Semi-Reduced and Reduced Divisors Every class in Jac HˆK contains a divisor Q m P P such that finite all m P A 0 (replace P by P ) if P P, then m P 1 (as 2 P 0) if P x P, then only one of P, P can appear in the sum (as P P 0) Such a divisor is semi-reduced. If P m P B g, then it is reduced. Theorem Every class in Jac HˆK contains a unique reduced divisor.

50 Example Reduction H y 2 x 5 5x 3 4x 1 over Q, D R 1 R 2 R 3 with R 1 ˆ2, 1, R 2 ˆ2, 1, R 3 ˆ3,

51 Example Reduction R 1, R 2, R 3 all lie on the quadratic y 2x

52 Example Reduction This quadratic meets H in the two additional points G 1, G 2 where G 1 º º 1 2ˆ1 17, 2 17Ž, G 2 º º 1 2ˆ1 17, 2 17Ž Thus, R 1 R 2 R 3 G 1 G 2 0 in Jac HˆQ

53 Example Reduction R 1 R 2 R 3 B 1 B 2 with B 1 G 1, B 2 G 2 The reduced divisor in the class of D is E B 1 B 2 where B 1 1 2ˆ1 º 17, 2 º 17Ž, B 2 1 2ˆ1 º 17, 2 º 17Ž,

54 Reduction in General et D r Q i 1 P i be a semi-reduced divisor on y 2 hˆx y fˆx

55 Reduction in General et D r Q i 1 P i be a semi-reduced divisor on y 2 hˆx y fˆx The r points P i all lie on a curve y vˆx with degˆv r 1

56 Reduction in General et D r Q i 1 P i be a semi-reduced divisor on y 2 hˆx y fˆx The r points P i all lie on a curve y vˆx with degˆv r 1 vˆx 2 hˆx hˆx fˆx polynomial of degree max 2r 2, 2g 1

57 Reduction in General et D r Q i 1 P i be a semi-reduced divisor on y 2 hˆx y fˆx The r points P i all lie on a curve y vˆx with degˆv r 1 vˆx 2 hˆx hˆx fˆx polynomial of degree max 2r 2, 2g 1 Case r C g 2: replace the r points P 1,..., P r in D by the inverses of the other ˆ2r 2 r r 2 points on this degree 2r 2 polynomial

58 Reduction in General et D r Q i 1 P i be a semi-reduced divisor on y 2 hˆx y fˆx The r points P i all lie on a curve y vˆx with degˆv r 1 vˆx 2 hˆx hˆx fˆx polynomial of degree max 2r 2, 2g 1 Case r C g 2: replace the r points P 1,..., P r in D by the inverses of the other ˆ2r 2 r r 2 points on this degree 2r 2 polynomial Case r g 1: replace the g 1 points P 1,..., P r in D by the g points on this degree 2g 2 polynomial inverses of the other 2g 1 ˆg 1

59 Reduction in General et D r Q i 1 P i be a semi-reduced divisor on y 2 hˆx y fˆx The r points P i all lie on a curve y vˆx with degˆv r 1 vˆx 2 hˆx hˆx fˆx polynomial of degree max 2r 2, 2g 1 Case r C g 2: replace the r points P 1,..., P r in D by the inverses of the other ˆ2r 2 r r 2 points on this degree 2r 2 polynomial Case r g 1: replace the g 1 points P 1,..., P r in D by the g points on this degree 2g 2 polynomial inverses of the other 2g 1 ˆg 1 After r g 2 steps a reduced divisor is obtained

60 Mumford Representation et D r Q i 1 m i P i be a semi-reduced divisor, P i The Mumford representation of D is D uˆx, vˆx > ˆx i, y i ˆuˆx, vˆx where K x, u monic, degˆu, us v 2 hv f

61 Mumford Representation et D r Q i 1 m i P i be a semi-reduced divisor, P i The Mumford representation of D is D uˆx, vˆx > ˆx i, y i ˆuˆx, vˆx where K x, u monic, degˆu, us v 2 hv f r uˆx M x i i 1ˆx m i d vˆx dx j 2 vˆx hˆx fˆx x xi 0 ˆ0 B j B m i 1 So uˆx i 0 and vˆx i y i with multiplicity m i for 1 B i B r

62 Mumford Representation et D r Q i 1 m i P i be a semi-reduced divisor, P i The Mumford representation of D is D uˆx, vˆx > ˆx i, y i ˆuˆx, vˆx where K x, u monic, degˆu, us v 2 hv f r uˆx M x i i 1ˆx m i d vˆx dx j 2 vˆx hˆx fˆx x xi 0 ˆ0 B j B m i 1 So uˆx i 0 and vˆx i y i with multiplicity m i for 1 B i B r Mumford representation uniquely determines D

63 Mumford Representation et D r Q i 1 m i P i be a semi-reduced divisor, P i The Mumford representation of D is D uˆx, vˆx > ˆx i, y i ˆuˆx, vˆx where K x, u monic, degˆu, us v 2 hv f r uˆx M x i i 1ˆx m i d vˆx dx j 2 vˆx hˆx fˆx x xi 0 ˆ0 B j B m i 1 So uˆx i 0 and vˆx i y i with multiplicity m i for 1 B i B r Mumford representation uniquely determines D Example: If P ˆx 0, y 0, then D P ˆx x 0, y 0

64 Divisor Reduction Using Mumford Representations Input: D ˆu, v Output: The reduced divisor D œ ˆu œ, v œ in the class of D

65 Divisor Reduction Using Mumford Representations Input: D ˆu, v Output: The reduced divisor D œ ˆu œ, v œ in the class of D while degˆu A g do œ f vh v 2 u œ, v œ v h ˆmod u u u u œ, v v œ end while œ returnˆu œ, v

66 Divisor Reduction Example H y 2 x 5 5x 3 4x 1 over Q D ˆ2, 1 ˆ2, 1 ˆ3, 11 ˆu, v

67 Divisor Reduction Example H y 2 x 5 5x 3 4x 1 over Q D ˆ2, 1 ˆ2, 1 ˆ3, 11 ˆu, v with uˆx ˆx 2 ˆx 2 ˆx 3 x 3 3x 2 4x 2 vˆx 2x 2 7 (from before)

68 Divisor Reduction Example H y 2 x 5 5x 3 4x 1 over Q D ˆ2, 1 ˆ2, 1 ˆ3, 11 ˆu, v with uˆx ˆx 2 ˆx 2 ˆx 3 x 3 3x 2 4x 2 vˆx 2x 2 7 (from before) œˆx ˆx 5 5x 3 4x 1 ˆ2x u œˆx x 3 3x 2 4x 2 v ˆ2x 2 7 ˆmod x 2 x 4 2x 1 x 2 x 4 D œ ˆu œ, v œ is the reduced divisor in the class of D

69 Divisor Reduction Example H y 2 x 5 5x 3 4x 1 over Q D ˆ2, 1 ˆ2, 1 ˆ3, 11 ˆu, v with uˆx ˆx 2 ˆx 2 ˆx 3 x 3 3x 2 4x 2 vˆx 2x 2 7 (from before) œˆx ˆx 5 5x 3 4x 1 ˆ2x u œˆx x 3 3x 2 4x 2 v ˆ2x 2 7 ˆmod x 2 x 4 2x 1 x 2 x 4 D œ Recall D œ œ ˆu œ, v is the reduced divisor in the class of D 2ˆ1 1 º º 17, º º 2ˆ1 17, 2 17

70 Divisor Addition Using Mumford Representations D 1 ˆu 1, v 1, D 2 ˆu 2, v 2 divisors on H y 2 hˆx y fˆx

71 Divisor Addition Using Mumford Representations D 1 ˆu 1, v 1, D 2 ˆu 2, v 2 divisors on H y 2 hˆx y fˆx Simplest case: for any P occurring in D 1, P does not occur in D 2 and vice versa then D 1 D 2 is semi-reduced

72 Divisor Addition Using Mumford Representations D 1 ˆu 1, v 1, D 2 ˆu 2, v 2 divisors on H y 2 hˆx y fˆx Simplest case: for any P occurring in D 1, P does not occur in D 2 and vice versa then D 1 D 2 is semi-reduced Then D 1 D 2 ˆu, v where u u 1 u 2 and v v 1 ˆmod u 1 v 2 ˆmod u 2

73 Divisor Addition Using Mumford Representations D 1 ˆu 1, v 1, D 2 ˆu 2, v 2 divisors on H y 2 hˆx y fˆx Simplest case: for any P occurring in D 1, P does not occur in D 2 and vice versa then D 1 D 2 is semi-reduced Then D 1 D 2 ˆu, v where u u 1 u 2 and v v 1 ˆmod u 1 v 2 ˆmod u 2 In general: suppose P ˆx 0, y 0 occurs in D 1 and P occurs in D 2.

74 Divisor Addition Using Mumford Representations D 1 ˆu 1, v 1, D 2 ˆu 2, v 2 divisors on H y 2 hˆx y fˆx Simplest case: for any P occurring in D 1, P does not occur in D 2 and vice versa then D 1 D 2 is semi-reduced Then D 1 D 2 ˆu, v where u u 1 u 2 and v v 1 ˆmod u 1 v 2 ˆmod u 2 In general: suppose P ˆx 0, y 0 occurs in D 1 and P occurs in D 2. Then u 1ˆx 0 u 2ˆx 0 0 and v 1ˆx 0 y 0 v 2ˆx 0 hˆx 0, so x x 0 S u 1ˆx, u 2ˆx, v 1ˆx v 2ˆx hˆx

75 Divisor Addition Using Mumford Representations D 1 ˆu 1, v 1, D 2 ˆu 2, v 2 divisors on H y 2 hˆx y fˆx Simplest case: for any P occurring in D 1, P does not occur in D 2 and vice versa then D 1 D 2 is semi-reduced Then D 1 D 2 ˆu, v where u u 1 u 2 and v v 1 ˆmod u 1 v 2 ˆmod u 2 In general: suppose P ˆx 0, y 0 occurs in D 1 and P occurs in D 2. Then u 1ˆx 0 u 2ˆx 0 0 and v 1ˆx 0 y 0 v 2ˆx 0 hˆx 0, so x x 0 S u 1ˆx, u 2ˆx, v 1ˆx v 2ˆx hˆx d gcdˆu 1, u 2, v 1 v 2 h s 1 u 1 s 2 u 2 s 3ˆv 1 v 2 h u v u 1 u 2 d 2 1 d s 1u 1 v 2 s 2 u 2 v 1 s 3ˆv 1 v 2 f Ž ˆmod u (In the simplest case above, d 1 and s 3 0)

76 Arithmetic in Jac H ˆK Input: D 1 ˆu 1, v 1, D 2 ˆu 2, v 2 reduced Output: The reduced divisor D œ ˆu œ, v œ in the class of D 1 D 2

77 Arithmetic in Jac H ˆK Input: D 1 ˆu 1, v 1, D 2 ˆu 2, v 2 reduced Output: The reduced divisor D œ ˆu œ, v œ in the class of D 1 D 2 1. Addition: compute a semi-reduced divisor D ˆu, v in the class of D 1 D 2 2. Reduction: compute the reduced divisor D œ œ ˆu œ, v in the class of D

78 Arithmetic in Jac H ˆK Input: D 1 ˆu 1, v 1, D 2 ˆu 2, v 2 reduced Output: The reduced divisor D œ ˆu œ, v œ in the class of D 1 D 2 1. Addition: compute a semi-reduced divisor D ˆu, v in the class of D 1 D 2 2. Reduction: compute the reduced divisor D œ œ ˆu œ, v in the class of D Methods Vanilla method just discussed Cantor s algorithm ( improved vanilla ) NUCOMP Explicit formulas (if g is small, say g 2, 3, 4)

79 Divisors defined over K et φ > GalˆK~K (for K F q, think of Frobenius φˆα α q )

80 Divisors defined over K et φ > GalˆK~K (for K F q, think of Frobenius φˆα α q ) φ acts on points on H: if P ˆx 0, y 0, then φˆp ˆφˆx 0, φˆy 0

81 Divisors defined over K et φ > GalˆK~K (for K F q, think of Frobenius φˆα α q ) φ acts on points on H: if P ˆx 0, y 0, then φˆp ˆφˆx 0, φˆy 0 φ acts on divisors: if D Q m P P, then φˆd Q m P φˆp

82 Divisors defined over K et φ > GalˆK~K (for K F q, think of Frobenius φˆα α q ) φ acts on points on H: if P ˆx 0, y 0, then φˆp ˆφˆx 0, φˆy 0 φ acts on divisors: if D Q m P P, then φˆd Q m P φˆp A divisor D is defined over K if φˆd D

83 Divisors defined over K et φ > GalˆK~K (for K F q, think of Frobenius φˆα α q ) φ acts on points on H: if P ˆx 0, y 0, then φˆp ˆφˆx 0, φˆy 0 φ acts on divisors: if D Q m P P, then φˆd Q m P φˆp A divisor D is defined over K if φˆd Example: D ˆx 2 x 4, 2x 1 on H y 2 x 5 5x 3 4x 1 over Q 1 2ˆ1 º 17, 2 º ˆ1 º 17, 2 º 17 is defined over Q (invariant under automorphism º 17 ( º 17) D

84 Divisors defined over K et φ > GalˆK~K (for K F q, think of Frobenius φˆα α q ) φ acts on points on H: if P ˆx 0, y 0, then φˆp ˆφˆx 0, φˆy 0 φ acts on divisors: if D Q m P P, then φˆd Q m P φˆp A divisor D is defined over K if φˆd Example: D ˆx 2 x 4, 2x 1 on H y 2 x 5 5x 3 4x 1 over Q 1 2ˆ1 º 17, 2 º ˆ1 º 17, 2 º 17 is defined over Q (invariant under automorphism º 17 ( º 17) Theorem D ˆu, v is defined over K if and only if uˆx, vˆx > K x. D

85 Divisors defined over K et φ > GalˆK~K (for K F q, think of Frobenius φˆα α q ) φ acts on points on H: if P ˆx 0, y 0, then φˆp ˆφˆx 0, φˆy 0 φ acts on divisors: if D Q m P P, then φˆd Q m P φˆp A divisor D is defined over K if φˆd Example: D ˆx 2 x 4, 2x 1 on H y 2 x 5 5x 3 4x 1 over Q 1 2ˆ1 º 17, 2 º ˆ1 º 17, 2 º 17 is defined over Q (invariant under automorphism º 17 ( º 17) Theorem D ˆu, v is defined over K if and only if uˆx, vˆx > K x. Corollary The group Jac HˆF q of divisor classes defined over F q is finite. D

86 Group Structure and Size EˆF q Z~nZ Z~mZ where nsgcdˆm, q 1

87 Group Structure and Size EˆF q Z~nZ Z~mZ where nsgcdˆm, q 1 Via a hand-wavy argument, y 2 fˆx should have q 1 points

88 Group Structure and Size EˆF q Z~nZ Z~mZ where nsgcdˆm, q 1 Via a hand-wavy argument, y 2 fˆx should have q 1 points 2º q Hasse: SEˆF q S q 1 t with StS B Hasse-Weil: SHˆF q S q 1 t with StS B 2gº q Serre: StS B g2º q

89 Group Structure and Size EˆF q Z~nZ Z~mZ where nsgcdˆm, q 1 Via a hand-wavy argument, y 2 fˆx should have q 1 points 2º q Hasse: SEˆF q S q 1 t with StS B Hasse-Weil: SHˆF q S q 1 t with StS B 2gº q Serre: StS B g2º q For the Jacobian: So ˆºq 1 2g BSJac HˆF q S Bˆºq 1 2g SJac HˆF q S q g

90 Group Structure and Size EˆF q Z~nZ Z~mZ where nsgcdˆm, q 1 Via a hand-wavy argument, y 2 fˆx should have q 1 points 2º q Hasse: SEˆF q S q 1 t with StS B Hasse-Weil: SHˆF q S q 1 t with StS B 2gº q Serre: StS B g2º q For the Jacobian: So ˆºq 1 2g BSJac HˆF q S Bˆºq 1 2g SJac HˆF q S q g If we want q g : g q

91 Point Counting Algorithms Stay for next week s workshop to learn more...

92 Point Counting Algorithms Stay for next week s workshop to learn more... K F q, q p n Square Root Methods Pollard kangaroo Cartier-Manin l-adic Methods (n 1, polynomial in logˆp ) SEA and generalizations p-adic Methods (p small, polynomial in n) Canonical lifts (Satoh, AGM) Deformation theory Cohomology

93 Point Counting Algorithms Stay for next week s workshop to learn more... K F q, q p n Square Root Methods Pollard kangaroo Cartier-Manin l-adic Methods (n 1, polynomial in logˆp ) SEA and generalizations p-adic Methods (p small, polynomial in n) Canonical lifts (Satoh, AGM) Deformation theory Cohomology Point counting on certain curves is easy (e.g. Koblitz curves)

94 Point Counting Algorithms Stay for next week s workshop to learn more... K F q, q p n Square Root Methods Pollard kangaroo Cartier-Manin l-adic Methods (n 1, polynomial in logˆp ) SEA and generalizations p-adic Methods (p small, polynomial in n) Canonical lifts (Satoh, AGM) Deformation theory Cohomology Point counting on certain curves is easy (e.g. Koblitz curves) Can also construct curves with good group orders via CM method (see Thursday s talks by Drew Sutherland and Bianca Viray)

95 Discrete ogarithms Elliptic Curve DP: given P, Q > EˆF q with Q mp, find m

96 Discrete ogarithms Elliptic Curve DP: given P, Q > EˆF q with Q mp, find m Hyperelliptic Curve DP: given reduced divisors D, E so that E is equivalent to md, find m

97 Discrete ogarithms Elliptic Curve DP: given P, Q > EˆF q with Q mp, find m Hyperelliptic Curve DP: given reduced divisors D, E so that E is equivalent to md, find m Generic Methods Complexity Oˆq g ~2 group operations Baby step giant step also requires Oˆq g ~2 space Pollard rho Pollard lambda (kangaroo)

98 Discrete ogarithms Elliptic Curve DP: given P, Q > EˆF q with Q mp, find m Hyperelliptic Curve DP: given reduced divisors D, E so that E is equivalent to md, find m Generic Methods Complexity Oˆq g ~2 group operations Baby step giant step also requires Oˆq g ~2 space Pollard rho Pollard lambda (kangaroo) Index Calculus Methods g â logˆq sub-exponential 3 B g á logˆq Oˆq 22~g

99 Discrete ogarithms Elliptic Curve DP: given P, Q > EˆF q with Q mp, find m Hyperelliptic Curve DP: given reduced divisors D, E so that E is equivalent to md, find m Generic Methods Complexity Oˆq g ~2 group operations Baby step giant step also requires Oˆq g ~2 space Pollard rho Pollard lambda (kangaroo) Index Calculus Methods g â logˆq sub-exponential 3 B g á logˆq Oˆq 22~g For g 1, 2, generic methods are best! (As far as we know... )

100 Other Attacks & Parameter Choices K F q with q p n Pohlig-Hellman ensure that SJac HˆF q S has a large prime factor

101 Other Attacks & Parameter Choices K F q with q p n Pohlig-Hellman ensure that SJac HˆF q S has a large prime factor Additive Reduction: if p divides SJac HˆF q S, then there is an 2g 1 explicit homomorphism Jac HˆF q p ˆFq, ensure that gcdˆq,sjac HˆF q S 1

102 Other Attacks & Parameter Choices K F q with q p n Pohlig-Hellman ensure that SJac HˆF q S has a large prime factor Additive Reduction: if p divides SJac HˆF q S, then there is an 2g 1 explicit homomorphism Jac HˆF q p ˆFq, ensure that gcdˆq,sjac HˆF q S 1 Multiplicative Reduction (MOV): pairings can be used to map the DP in Jac HˆF q intoˆf, where q k q k 1 ˆmod r for a prime r dividing SJac HˆF q S ensure that k is large (For pairing-based crypto, however, we want k small see Tuesday s and Wednesday s talks)

103 Other Attacks & Parameter Choices K F q with q p n Pohlig-Hellman ensure that SJac HˆF q S has a large prime factor Additive Reduction: if p divides SJac HˆF q S, then there is an 2g 1 explicit homomorphism Jac HˆF q p ˆFq, ensure that gcdˆq,sjac HˆF q S 1 Multiplicative Reduction (MOV): pairings can be used to map the DP in Jac HˆF q intoˆf, where q k q k 1 ˆmod r for a prime r dividing SJac HˆF q S ensure that k is large (For pairing-based crypto, however, we want k small see Tuesday s and Wednesday s talks) Weil Descent: If n kd is composite, one may have Jac HˆF p kd 0 Jac CˆF p d where C has higher genus use n 1 or n prime

104 Some Other Models Hessians: x 3 y 3 3dxy 1 Edwards models: x 2 y 2 c 2ˆ1 dx 2 y 2 (q odd) and variations x 3 y 3 1 x 2 y 2 10ˆ1x 2 y

105 Even Degree Models hˆx, fˆx > K x H y 2 hˆx y fˆx degˆh g 1 if charˆk 2; hˆx 0 if charˆk x 2 degˆf 2g 2 is even sgnˆf s 2 s with s > K if charˆk 2; fˆx is monic if charˆk x 2 non-singularity

106 Even Degree Models hˆx, fˆx > K x H y 2 hˆx y fˆx degˆh g 1 if charˆk 2; hˆx 0 if charˆk x 2 degˆf 2g 2 is even sgnˆf s 2 s with s > K if charˆk 2; fˆx is monic if charˆk x 2 non-singularity charˆk x 2: y 2 fˆx, fˆx monic, of even degree, square-free

107 Even Degree Models hˆx, fˆx > K x H y 2 hˆx y fˆx degˆh g 1 if charˆk 2; hˆx 0 if charˆk x 2 degˆf 2g 2 is even sgnˆf s 2 s with s > K if charˆk 2; fˆx is monic if charˆk x 2 non-singularity charˆk x 2: y 2 fˆx, fˆx monic, of even degree, square-free Elliptic quartic, charˆk x 2, 3: (b 0: Jacobi Quartic) y 2 x 4 ax 2 bx c ˆa, b, c > K

108 Examples E y 2 x 4 6x 2 x 6 H y 2 x 6 13x 4 44x 2 4x1 g 1 g

109 Conclusion Genus 1 and genus 2 curves over F q represent a very good setting for DP based cryptography

110 Conclusion Genus 1 and genus 2 curves over F q represent a very good setting for DP based cryptography Use q prime or q 2 n

111 Conclusion Genus 1 and genus 2 curves over F q represent a very good setting for DP based cryptography Use q prime or q 2 n Good parameter choices are known and easy

112 Conclusion Genus 1 and genus 2 curves over F q represent a very good setting for DP based cryptography Use q prime or q 2 n Good parameter choices are known and easy Cryptographically suitable curves can be constructed in practice

113 Conclusion Genus 1 and genus 2 curves over F q represent a very good setting for DP based cryptography Use q prime or q 2 n Good parameter choices are known and easy Cryptographically suitable curves can be constructed in practice Thank You!

Cyclic Groups in Cryptography

Cyclic Groups in Cryptography p. 1/6 Cyclic Groups in Cryptography Palash Sarkar Indian Statistical Institute Cyclic Groups in Cryptography p. 2/6 Structure of Presentation Exponentiation in General Cyclic