Vol.17 No.6 J. Comput. Sci. & Technol. Nov. 2002

Selection of Secure Hyperelliptic Curves of g = 2 Based on a Subfield

ZHANG Fangguo 1, ZHANG Futai 1,2 and WANG Yumin 1

1 P.O.Box 119 Key Laboratory on ISN, Xidian University, Xi'an 710071, P.R. China
2 College of Mathematics and Computer Science, Nanjing Normal University, Nanjing 210097, P.R. China
E-mail: fgzh@hotmail.com

Received September 12, 2000; revised October 15, 2001.

Abstract In the implementation of hyperelliptic curve cryptosystems, a significant step is the selection of secure hyperelliptic curves on which the Jacobian is constructed. In this paper, we discuss the hyperelliptic curves of g = 2 of the forms $v^2 + uv = f(u)$ and $v^2 + v = f(u)$ defined on $GF(2^r)$. The curves defined on GF(4) and GF(8) are extended to curves defined on $GF(4^k)$ and $GF(8^t)$ respectively, where 38 < k < 70, 25 < t < 50. We also find all the secure curves of g = 2 that are suitable for establishing cryptosystems.

Keywords hyperelliptic curve cryptosystems, Jacobian, subfield

1 Introduction

Since the public key cryptosystem based on elliptic curves (ECC) was proposed by Neal Koblitz [1] and Victor Miller in the mid-1980s, it has been studied for more than ten years, and it is now used in practice. ECC is based on the discrete logarithm problem on elliptic curves over finite fields. As an extension, Neal Koblitz [2] proposed the hyperelliptic curve cryptosystem (HCC) in 1989, which is based on the discrete logarithm problem on the Jacobian of hyperelliptic curves over finite fields. Cantor's algorithm [3] provides an efficient method to implement the group operation on the Jacobian of a hyperelliptic curve. At the same level of security, the underlying field of HCC is smaller than that of ECC, and almost all the standard discrete logarithm based protocols, such as the digital signature algorithm (DSA) and ElGamal, can be transplanted to HCC.
So it is estimated that hyperelliptic curves will be the foundation of cryptosystems for the next decade. By now, many theoretical results on elliptic curves are known; however, the known results on hyperelliptic curves are still not enough for the construction of efficient cryptosystems. For these reasons, the study of HCCs has been drawing the attention of more and more researchers in recent years.

The current research on HCC concentrates on finding construction methods for secure hyperelliptic curves and speeding up the arithmetic needed in HCCs. At present, the common method used to compute the order of the Jacobian is the Weil conjecture method. How to find a suitable hyperelliptic curve efficiently is still a major open problem in the study and implementation of HCCs. Koblitz [1] discussed the hyperelliptic curves with g = 2 based on GF(2), but the curves were attacked by Frey [4] and they were considered insecure. Yasuyuki Sakai [5] tried to find secure hyperelliptic curves with g = 2 based on GF(2), but failed.

In this paper, we discuss the hyperelliptic curves of g = 2 of the form $v^2 + uv = f(u)$ or $v^2 + v = f(u)$. We extend two types of curves defined on GF(4) and GF(8) to $GF(4^k)$ and $GF(8^t)$ respectively. We also find all the secure curves suitable for establishing cryptosystems, where 36 < k < 70, 25 < t < 50.

This work is supported by the National NKBRSF `973' Program of China (Grant No.G1999035804).

2 Secure Hyperelliptic Curves

A hyperelliptic curve C of genus g is a curve defined on a finite field $F_q$ ($q = p^r$ and p is a prime), and its Jacobian $J(C; F_{q^n})$ over $F_{q^n}$ is an abelian group with

$$(\sqrt{q^n} - 1)^{2g} \le \#J(C; F_{q^n}) \le (\sqrt{q^n} + 1)^{2g}.$$

More details can be found in [2, 6, 7]. The discrete logarithm problem in $J(C; F_{q^n})$ is: given two divisors $D_1$, $D_2$ defined on $J(C; F_{q^n})$ over $F_{q^n}$, determine the integer m such that $D_2 = mD_1$ (if such an m exists).

If the order of the Jacobian group of a hyperelliptic curve is the same as the order of the group of rational points on an elliptic curve, the security of the cryptosystems established on the two groups will be the same. From the viewpoint of complexity, HCDLP is a problem in NP ∩ co-AM [8].

The security of an HCC is based on the difficulty of solving the discrete logarithm problem in the Jacobian of the curve. Taking into account the existing attacks on the discrete logarithm in the Jacobian of a hyperelliptic curve, to establish a secure HCC we should select the hyperelliptic curve so that its Jacobian satisfies the following conditions:

1) $\#J(C; F_{q^n})$ should have a large prime factor so as to prevent the attacks of Shanks' Baby-step-Giant-step and Pohlig-Hellman's methods. Since the time complexity of Pohlig-Hellman's method is proportional to the square root of the largest prime factor of $\#J(C; F_{q^n})$, so far it is demanded that this largest prime factor should be at least 160 bits in length.

2) In order to prevent the attack of Frey [4], which uses the Tate pairing generalization of MOV attacks, the large prime factor of $\#J(C; F_{q^n})$ should not divide $(q^n)^k - 1$, where $k < (\log q^n)^2$.

3) $2g + 1 \le \log q^n$. Adleman-DeMarrais-Huang [9] found a subexponential-time algorithm to solve the DL in the Jacobian of hyperelliptic curves of a big genus over a finite field in 1994. According to the discussion of P. Gaudry [10], it is sufficient for us to consider the case when $g \le 4$.

4) The Jacobian of a hyperelliptic curve over the large prime field GF(p) should not have a subgroup of order p, to prevent the attack given by Rück [11], which is similar to the attack on the elliptic curve with the traces of the Frobenius map.

3 Using Weil Conjecture to Construct Secure Jacobian

In order to construct secure hyperelliptic curve cryptosystems, we must first compute the order of the Jacobian. A hyperelliptic curve C of genus g = 2 defined over a finite field $F_q$ has the form

$$v^2 + (h_2 u^2 + h_1 u + h_0)v = u^5 + f_4 u^4 + f_3 u^3 + f_2 u^2 + f_1 u + f_0,$$

where $h_i, f_i \in F_q$. We use the Weil conjecture to compute the order of the Jacobian [6]. In the following, we modify the algorithm in [6].

Algorithm 1.

1) First, find the discriminant condition under which the hyperelliptic curve has no singular points.

2) Go through all the values of the coefficients $h_i$ and $f_i$ of C that satisfy it, and compute the numbers of rational points $M_1$ and $M_2$ of the hyperelliptic curve over $F_q$ on $F_q$ and $F_{q^2}$.

3) Compute $a_1 = M_1 - 1 - q$, $a_2 = (M_2 - 1 - q^2 + a_1^2)/2$.

4) Compute the numerator $P(x) = x^4 + a_1 x^3 + a_2 x^2 + q a_1 x + q^2$ of the zeta function.

From the Weil conjecture method of computing orders, we know that $\#J(C; F_{q^n})$ is completely determined by $P(x)$. So the curves defined on $F_q$ with the same $(M_1, M_2)$ have the same $\#J(C; F_{q^n})$. For this reason, the Jacobians of hyperelliptic curves with the same $(M_1, M_2)$ defined on $F_q$ are isomorphic since they have the same order. From the result of the above computation, we list all the $(M_1, M_2)$ and $(a_1, a_2)$ corresponding to different $P(x)$.

5) For each pair $(M_1, M_2)$, decide whether $P(x)$ is irreducible or not; if it is reducible, go on to the next pair $(M_1, M_2)$.

6) Solve the quartic equation $P(x) = 0$ in the complex field and get the roots $\alpha_1, \alpha_2, \alpha_3, \alpha_4$.

7) For each n satisfying $(n, r) = 1$, compute

$$N_n = |1 - \alpha_1^n| \, |1 - \alpha_2^n| \, |1 - \alpha_3^n| \, |1 - \alpha_4^n|,$$

where $N_n$ is $\#J(C; F_{q^n})$ and $|\cdot|$ means the absolute value for real numbers and the modulus for complex numbers.

8) Factor $N_n$ and check whether it has a prime factor larger than $2^{150}$, which is about a decimal length of 44; if not, return to 5).

9) Verify the FR condition deduced by the Frey verification, that is, check that the prime factor obtained in 8) does not divide $(q^n)^s - 1$, where $s < (\log q^n)^2$.

10) Output $(M_1, M_2)$, n, $N_n$ and the result of the factorization.
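
Steps 3), 4) and 7) to 9) of Algorithm 1 as an added Python example (not the authors' C or Mathematica programs): it evaluates $N_n$ exactly from integer power sums of the roots instead of solving $P(x) = 0$ numerically as in Step 6), and it only identifies the large prime when what remains after trial division is a probable prime. The function names, the trial-division limit of 10000 and the Miller-Rabin bases are assumptions; the inputs in the demo are $(M_1, M_2)$ pairs taken from the paper's tables.

```python
"""Steps 3), 4), 7), 8), 9) of Algorithm 1 in exact integer arithmetic (added example)."""

FR_BOUND = 2000  # the "s = 2000" bound quoted in the paper's FR checks


def zeta_numerator(q, m1, m2):
    """Steps 3)-4): coefficients [a1, a2, q*a1, q^2] of P(x) below the x^4 term."""
    a1 = m1 - 1 - q
    twice_a2 = m2 - 1 - q * q + a1 * a1
    if twice_a2 % 2:
        raise ValueError("(M1, M2) cannot come from a genus 2 curve over F_q")
    return [a1, twice_a2 // 2, q * a1, q * q]


def power_sums(coeffs, upto):
    """s[k] = sum of alpha_i^k for the roots of P, by Newton's identities."""
    s = [4]
    for k in range(1, upto + 1):
        acc = -k * coeffs[k - 1] if k <= 4 else 0
        for j in range(1, min(k - 1, 4) + 1):
            acc -= coeffs[j - 1] * s[k - j]
        s.append(acc)
    return s


def jacobian_order(q, m1, m2, n):
    """Step 7): N_n = prod(1 - alpha_i^n), expanded as 1 - e1 + e2 - e3 + e4."""
    s = power_sums(zeta_numerator(q, m1, m2), 2 * n)
    e1 = s[n]
    e2 = (s[n] ** 2 - s[2 * n]) // 2
    qn = q ** n
    # The roots pair up with product q, so e3 = q^n * e1 and e4 = q^(2n).
    return 1 - e1 + e2 - qn * e1 + qn * qn


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases (assumed choice); a probabilistic test."""
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def strip_small_factors(n, limit=10_000):
    """Step 8), simplified: trial division below `limit` (assumed value)."""
    small = []
    for p in range(2, limit):
        while n % p == 0:
            small.append(p)
            n //= p
    return small, n


def embedding_degree(q, n, prime, bound=FR_BOUND):
    """Step 9): smallest s <= bound with prime | (q^n)^s - 1, else None."""
    base, x = pow(q, n, prime), 1
    for s in range(1, bound + 1):
        x = x * base % prime
        if x == 1:
            return s
    return None


def screen(q, m1, m2, n, min_bits=150):
    """Apply the large-prime and FR conditions to J(C; F_{q^n})."""
    order = jacobian_order(q, m1, m2, n)
    small, cofactor = strip_small_factors(order)
    # A composite cofactor needs a real factoring tool; it is reported as not secure.
    prime = cofactor if is_probable_prime(cofactor) else None
    s = embedding_degree(q, n, prime) if prime else None
    secure = prime is not None and prime > 2 ** min_bits and s is None
    return {"order": order, "small_factors": small, "prime": prime,
            "embedding_degree": s, "secure": secure}


if __name__ == "__main__":
    # (q, M1, M2, n) taken from the paper's Tables 1/2 and Table 5.
    for args in [(4, 6, 24, 41), (8, 13, 65, 29)]:
        print(args, screen(*args))
```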

We complete Steps 1)-4) of the algorithm by C programming and output the result into a file, and we complete Steps 5)-10) by Mathematica programming, because Mathematica supports symbolic computation.

With respect to hyperelliptic curves of the form $v^2 + h(u)v = f(u)$, it is easy to see that the simpler the polynomial $h(u)$, the simpler the group operation of the Jacobian, and hence the more efficient its implementation. By Lemma 2 of [7], in the equation of hyperelliptic curves over a finite field of characteristic 2, we have $h(u) \ne 0$. So we choose $h(u) = 1$ and $h(u) = u$ in $GF(2^n)$.

4 Computation Result

4.1 Curves $v^2 + uv = f(u)$ over GF(4)

The discriminant condition for the hyperelliptic curves $v^2 + uv = u^5 + f_4 u^4 + f_3 u^3 + f_2 u^2 + f_1 u + f_0$ to have no singular points is $f_1^2 \ne f_0$. There are 768 curves of the form $v^2 + uv = f(u)$ over GF(4), and there are 6 types of curves with different Jacobians by our computation. Since the $M_1$ and $M_2$ of each curve completely determine its Jacobian, we treat the curves with the same $M_1$ and $M_2$ as isomorphic. In the following table, $(f_0, f_1, f_2, f_3, f_4)$ represents the hyperelliptic curve $v^2 + uv = u^5 + f_4 u^4 + f_3 u^3 + f_2 u^2 + f_1 u + f_0$.

Extending the hyperelliptic curves of the form $v^2 + uv = f(u)$ over GF(4) to curves over $GF(4^n)$, where 38 < n < 70, we get some secure hyperelliptic curves (we consider only the case when $P(x)$ is irreducible in the rational number field, since from the discussion of Koblitz [3] we know that the order of the Jacobian of the curve has no such prime factor if $P(x)$ is reducible in the rational number field). The results are also listed in the table:

Table 1. Computation Results of Hyperelliptic Curves with the Form $v^2 + uv = f(u)$ over GF(4)

| $M_1, M_2$ | Example $(f_0 f_1 f_2 f_3 f_4)$ | $P(x)$ | Reducibility in the rational number field | Number of curves | Extension degree n for which there exist secure curves |
|---|---|---|---|---|---|
| 4, 24 | (01000) | $x^4 - x^3 + 4x^2 - 4x + 16$ | irreducible | 96 | none |
| 8, 24 | (12012) | $x^4 + 3x^3 + 8x^2 + 12x + 16$ | reducible | 96 | // |
| 4, 16 | (01002) | $x^4 - x^3 - 4x + 16$ | irreducible | 192 | 41, 61, 67 |
| 6, 24 | (01200) | $x^4 + x^3 + 4x^2 + 4x + 16$ | irreducible | 96 | 41, 47, 49, 53, 67 |
| 2, 24 | (12312) | $x^4 - 3x^3 + 8x^2 - 12x + 16$ | reducible | 96 | // |
| 6, 16 | (01202) | $x^4 + x^3 + 4x + 16$ | irreducible | 192 | 59, 61 |

Now, taking the curve (01200) (or (01211) or (01111)) with $M_1 = 6$ and $M_2 = 24$ as an example, we list the order of the Jacobian of the curve over the extended field of GF(4) and its factorization (n is the extension degree):

Table 2. $\#J(C; GF(4^n))$ and Its Factorization of Curves with $M_1 = 6$ and $M_2 = 24$

| n | $\#J(C; GF(4^n))$ | Factorization |
|---|---|---|
| 39 | 91343852332897775891682687201065441946318582866 | 2 × 13^2 × 53 × 157 × 6553 × 38376053 × 2050107986629 × 62995552690420897 |
| 41 | 23384026197304053835194299745350506742950078254002 | 2 × 13 × 899385622973232839815165374821173336267310702077 |
| 43 | 5986310706507378025251935015278739122112158751164178 | 2 × 13 × 26238352118417 × 8775044958690183823207066206966881309 |
| 45 | 1532495540865939258033973585152211299508649021744653938 | 2 × 3^12 × 13 × 157 × 461 × 829 × 20341 × 623881 × 93383701 × 1559805923143337117401 |
| 47 | 392318858461662258001630109464939958876077298382883318226 | 2 × 13 × 102461 × 147267612690780754103674009347248806441204007221841 |
| 49 | 100433627766186807548571004439102125463573785126262913683762 | 2 × 13 × 421 × 25033 × 366531080366887780297268721454689221751402109114609 |
| 51 | 25711008708143884943489462963235792124959867697541550598118546 | 2 × 13 × 157 × 613 × 1021 × 3877 × 9929364753 × 3069929 × 10669024595839741 × 21882990230881201 |
| 53 | 6582018229284822076881433223186867611701648014393340406683765746 | 2 × 13 × 40355261 × 6273148556273380675085702936064298084666703645666251361 |
| 55 | 1684996666696914933955752975908982154258487102845660453548120170322 | 3^4 × 26 × 461 × 675345977197 × 2569883503410063539943132593207046982128030595861 |
| 57 | 431359146674410246918843698409167657118811289155730428375966471607986 | 26 × 157 × 229 × 457 × 1287289 × 4814449 × 21320053 × 122574853 × 136307159119321 × 457386510903524029 |
| 59 | 110427941548649020280496665956206902518724133347028660967350569534190098 | 2 × 13 × 1181 × 3512389 × 356990701119529279373 × 2868112742357464241987915386435725164689 |
| 61 | 28269553036454149264013670959731659707544914489897298985688639852919697778 | 2 × 13 × 88817 × 136009256470248177480156461 × 90007982620468514006958481354932814925569 |
| 63 | 7237005577332262214489496371611290898727383610433509981707750093522584999122 | 26 × 157 × 421 × 829 × 20341 × 25033 × 821941 × 547029841 × 22187706827938533564719336710224201359158033 |
| 65 | 1852673427797059126789632844278577538910875884900573643397434700370224717700146 | 2 × 3^4 × 13^2 × 53 × 461 × 6553 × 38376053 × 28516174799731323057838753321 × 386214537542725386011654355661 |
| 67 | 474284397516047136457878082081180463420003550093565025718174020812082044112422802 | 26 × 3217 × 27337 × 207426183309568661241498329816682946849926313915179392511448209642253813 |
| 69 | 121416805764108066931929580569145024775083339952973053938664086477548931910409524978 | 2 × 13 × 157 × 12973 × 503408731578096692153483329 × 310240689350813772687980293 × 14680670253969827459809 |

Of all the orders of the Jacobians listed above, only when the extension degree n is 41, 47, 49, 53, 55, 63 and 67 does $\#J(C; GF(4^n))$ have a prime factor bigger than $2^{150}$, which is of a decimal length 44. By the FR condition (s = 2000) generated by the Frey checking, these curves are all suitable for cryptosystems. But when n is 63, the co-factor of $\#J(C; GF(4^{63}))$ corresponding to the prime factor is so big (about a decimal length 31) that it is difficult to select the base point, so it is not suitable for cryptosystems.

4.2 Curves $v^2 + v = f(u)$ over GF(4)

The discriminant condition for the curve $v^2 + v = u^5 + f_4 u^4 + f_3 u^3 + f_2 u^2 + f_1 u + f_0$ to have no singular points over GF(4) is that there is no solution over $GF(4^4)$ to the system of equations:

$$\begin{cases} v^2 + v = u^5 + f_4 u^4 + f_3 u^3 + f_2 u^2 + f_1 u + f_0 \\ u^4 + f_3 u^3 + f_1 = 0 \end{cases}$$

There are 528 curves of the form $v^2 + v = f(u)$ over GF(4) and 6 types of curves with different Jacobians by our computation.

Table 3. Computation Results About Hyperelliptic Curves with the Form $v^2 + v = f(u)$ over GF(4)

| $M_1, M_2$ | Example $(f_0 f_1 f_2 f_3 f_4)$ | $P(x)$ | Reducibility in the rational number field | Number of curves | Extension degree n for which there exist secure curves |
|---|---|---|---|---|---|
| 5, 33 | (01001) | $x^4 + 8x^2 + 16$ | reducible | 32 | // |
| 5, 17 | (11301) | $x^4 + 16$ | irreducible | 64 | none |
| 5, 9 | (11212) | $x^4 - 4x^2 + 16$ | irreducible | 48 | none |
| 5, 25 | (11210) | $x^4 + 4x^2 + 16$ | reducible | 64 | // |
| 7, 21 | (11232) | $x^4 + 2x^3 + 4x^2 + 8x + 16$ | irreducible | 128 | none |
| 3, 21 | (12210) | $x^4 - 2x^3 + 4x^2 - 8x + 16$ | irreducible | 192 | none |

There are 192 curves of the form $v^2 + v = f(u)$ defined over GF(4) with the same $M_1 = 3$ and $M_2 = 21$, for example (11233), (20033) and (20123). The order of their Jacobian when extended to the 59th extended field of GF(4) is:

$\#J(C; GF(4^{59}))$ = 110427941548649020407394151188196300276731364107166504579749010074501121
= 11 × 10038903777149910946126741017108754570611942191560591325431728188591011

But the prime factor of $\#J(C; GF(4^{59}))$ cannot pass the FR check. In fact, when i = 5, its large prime factor divides $(4^{59})^5 - 1$. So the curves (11233), (20033) and (20123) over the 59th extended field of GF(4) are insecure.

4.3 Curves $v^2 + uv = f(u)$ over GF(8)

The discriminant condition for curves $v^2 + uv = u^5 + f_4 u^4 + f_3 u^3 + f_2 u^2 + f_1 u + f_0$ over GF(8) to have no singular points is the same as over GF(4), that is, $f_1^2 \ne f_0$. There are 28672 curves of the form $v^2 + uv = f(u)$ over GF(8), and 40 types of them have different Jacobians. We extend the curves $v^2 + uv = f(u)$ over GF(8) to $GF(8^n)$, where 25 < n < 50, and list all the secure curves we get in the following table (we only consider the case where $P(x)$ is irreducible in the rational number field):

Table 4. Computation Results About Hyperelliptic Curves with the Form $v^2 + uv = f(u)$ over GF(8)

| $M_1, M_2$ | Example $(f_0 f_1 f_2 f_3 f_4)$ | $P(x)$ | Reducibility in the rational number field | Number of curves | Extension degree n for which there exist secure curves |
|---|---|---|---|---|---|
| 16, 64 | (01011) | $x^4 + 7x^3 + 24x^2 + 56x + 64$ | irreducible | 64 | none |
| 8, 56 | (12215) | $x^4 - x^3 - 4x^2 - 8x + 64$ | reducible | 448 | // |
| 8, 72 | (05016) | $x^4 - x^3 + 4x^2 - 8x + 64$ | reducible | 2208 | // |
| 8, 80 | (10207) | $x^4 - x^3 + 8x^2 - 8x + 64$ | irreducible | 1728 | none |
| 2, 64 | (10173) | $x^4 - 7x^3 + 24x^2 - 56x + 64$ | irreducible | 64 | none |
| 10, 56 | (01101) | $x^4 + x^3 - 4x^2 + 8x + 64$ | irreducible | 448 | none |
| 10, 72 | (04527) | $x^4 + x^3 + 4x^2 + 8x + 64$ | reducible | 2208 | // |
| 10, 80 | (04524) | $x^4 + x^3 + 8x^2 + 8x + 64$ | irreducible | 1728 | 31, 37 |
| 12, 88 | (05037) | $x^4 + 3x^3 + 16x^2 + 24x + 64$ | reducible | 912 | // |
| 4, 64 | (02002) | $x^4 - 5x^3 + 12x^2 - 40x + 64$ | irreducible | 288 | none |
| 8, 48 | (02003) | $x^4 - x^3 - 8x^2 - 8x + 64$ | irreducible | 384 | 29, 37, 41 |
| 12, 72 | (12244) | $x^4 + 3x^3 + 8x^2 + 24x + 64$ | irreducible | 1200 | 29, 31, 37, 47 |
| 12, 80 | (13417) | $x^4 + 3x^3 + 12x^2 + 24x + 64$ | reducible | 864 | // |
| 4, 72 | (13426) | $x^4 - 5x^3 + 16x^2 - 40x + 64$ | reducible | 432 | // |
| 12, 48 | (13422) | $x^4 + 3x^3 - 4x^2 + 24x + 64$ | irreducible | 288 | 37, 41, 47 |
| 12, 64 | (13447) | $x^4 + 3x^3 + 4x^2 + 24x + 64$ | irreducible | 864 | 29, 37, 43 |
| 8, 88 | (12077) | $x^4 - x^3 + 12x^2 - 8x + 64$ | irreducible | 1056 | 29, 31, 37 |
| 4, 48 | (02055) | $x^4 - 5x^3 + 4x^2 - 40x + 64$ | irreducible | 96 | 31, 49 |
| 6, 88 | (12122) | $x^4 - 3x^3 + 16x^2 - 24x + 64$ | reducible | 912 | // |
| 14, 64 | (04520) | $x^4 + 5x^3 + 12x^2 + 40x + 64$ | irreducible | 288 | 43 |
| 10, 48 | (04505) | $x^4 + x^3 - 8x^2 + 8x + 64$ | irreducible | 384 | 29, 37, 43, 47 |
| 6, 72 | (04507) | $x^4 - 3x^3 + 8x^2 - 24x + 64$ | irreducible | 1200 | 49 |
| 6, 80 | (13117) | $x^4 - 3x^3 + 12x^2 - 24x + 64$ | reducible | 864 | // |
| 14, 72 | (04515) | $x^4 + 5x^3 + 16x^2 + 40x + 64$ | reducible | 432 | // |
| 6, 48 | (13122) | $x^4 - 3x^3 - 4x^2 - 24x + 64$ | irreducible | 288 | 49 |
| 6, 64 | (12103) | $x^4 - 3x^3 + 4x^2 - 24x + 64$ | irreducible | 864 | 31, 49 |
| 10, 88 | (12353) | $x^4 + x^3 + 12x^2 + 8x + 64$ | irreducible | 1056 | 29, 31, 37 |
| 14, 48 | (02337) | $x^4 + 5x^3 + 4x^2 + 40x + 64$ | irreducible | 96 | 37 |
| 8, 64 | (12414) | $x^4 - x^3 - 8x + 64$ | irreducible | 2112 | 41, 43, 47 |
| 12, 56 | (14043) | $x^4 + 3x^3 + 24x + 64$ | irreducible | 480 | 29, 31, 37, 41 |
| 4, 88 | (14012) | $x^4 - 5x^3 + 24x^2 - 40x + 64$ | irreducible | 336 | 29, 31, 47 |
| 10, 64 | (13120) | $x^4 + x^3 + 8x + 64$ | irreducible | 2112 | 31, 49 |
| 6, 56 | (12106) | $x^4 - 3x^3 - 24x + 64$ | irreducible | 480 | 41, 43 |
| 14, 88 | (12116) | $x^4 + 5x^3 + 24x^2 + 40x + 64$ | irreducible | 336 | 29, 37, 43 |
| 4, 80 | (12432) | $x^4 - 5x^3 + 20x^2 - 40x + 64$ | reducible | 288 | // |
| 14, 80 | (12132) | $x^4 + 5x^3 + 20x^2 + 40x + 64$ | reducible | 288 | // |
| 4, 56 | (35602) | $x^4 - 5x^3 + 8x^2 - 40x + 64$ | irreducible | 96 | none |
| 14, 56 | (32345) | $x^4 + 5x^3 + 8x^2 + 40x + 64$ | irreducible | 96 | 29, 31, 37, 41, 43, 49 |
| 16, 80 | (36057) | $x^4 + 7x^3 + 32x^2 + 56x + 64$ | irreducible | 192 | 41 |
| 2, 80 | (27700) | $x^4 - 7x^3 + 32x^2 - 56x + 64$ | irreducible | 192 | 41, 43, 47 |

We only take the curves with $M_1 = 12$ and $M_2 = 72$ as examples. There are 1200 curves $v^2 + uv = f(u)$ with the same $M_1 = 12$ and $M_2 = 72$ defined over GF(8), for example (12244), (12261) and (12275). The order of their Jacobian when extended to the 31st extended field of GF(8) is:

$\#J(C; GF(8^{31}))$ = 98079714615418454727873639724442711877916329902650878700
= 4 × 25 × 1117 × 878063693960773990401433569601098584403906265914511

It passes the FR check (s = 2000) successfully and hence these curves are secure.

4.4 Curves $v^2 + v = f(u)$ over GF(8)

The discriminant condition for the curve $v^2 + v = u^5 + f_4 u^4 + f_3 u^3 + f_2 u^2 + f_1 u + f_0$ over $GF(8^4)$ to have no singular points is the same as that over GF(4). There are 21136 curves of the form $v^2 + v = f(u)$ over GF(8). They can be divided into 12 types of curves with different Jacobians.

Table 5. Computation Results About Hyperelliptic Curves with the Form $v^2 + v = f(u)$ over GF(8)

| $M_1, M_2$ | Example $(f_0 f_1 f_2 f_3 f_4)$ | $P(x)$ | Reducibility in a rational number field | Number of curves | Extension degree n for which there exist secure curves |
|---|---|---|---|---|---|
| 5, 81 | (01000) | $x^4 - 4x^3 + 16x^2 - 32x + 64$ | reducible | 2592 | // |
| 9, 65 | (01001) | $x^4 + 64$ | reducible | 5104 | // |
| 13, 65 | (01002) | $x^4 + 4x^3 + 8x^2 + 32x + 64$ | irreducible | 3040 | none |
| 9, 81 | (01003) | $x^4 + 8x^2 + 64$ | irreducible | 4608 | none |
| 9, 33 | (01010) | $x^4 - 16x^2 + 64$ | reducible | 280 | // |
| 17, 65 | (01011) | $x^4 + 8x^3 + 32x^2 + 64x + 64$ | reducible | 80 | // |
| 9, 97 | (01017) | $x^4 + 16x^2 + 64$ | reducible | 888 | // |
| 13, 81 | (01035) | $x^4 + 4x^3 + 16x^2 + 16x + 64$ | reducible | 1504 | // |
| 5, 65 | (01043) | $x^4 - 4x^3 + 8x^2 - 16x + 64$ | irreducible | 2784 | none |
| 1, 97 | (15217) | $x^4 - 8x + 48x^2 - 64x^3 + 64$ | irreducible | 72 | none |
| 1, 65 | (10315) | $x^4 - 8x^3 + 32x^2 - 64x + 64$ | reducible | 160 | // |
| 1, 33 | (14216) | $x^4 - 8x^3 + 16x^2 - 64x + 64$ | reducible | 24 | // |

For $M_1 = 13$ and $M_2 = 65$, there are 3040 curves $v^2 + v = f(u)$ defined over GF(8); (01002), (03343) and (03776) are examples. The orders of their Jacobians when extended to the 29th, 31st, 35th and 49th extended fields of GF(8) all have a prime factor larger than $2^{150}$, but they cannot pass the FR check. Note that

$\#J(C; GF(8^{29}))$ = 23945242826026791152913804946258378907838286814773249
= 109 × 219681126844282487641411054552829164292094374447461

but 219681126844282487641411054552829164292094374447461 divides $(8^{29})^{12} - 1$.

From Tables 5 and 3, we notice that there is no hyperelliptic curve of the form $v^2 + v = f(u)$ over GF(4) and GF(8) that is suitable for establishing cryptosystems. The reason is that hyperelliptic curves of this kind over a finite field of characteristic 2 are supersingular. This conclusion has been proved by D. Galbraith [12] recently.
The FR reduction attack runs in subexponential time for supersingular hyperelliptic curves, since in this case the HCDLP can be converted to a DLP over the finite field $GF(q^{k(g)})$, where the extension degree $k(g)$ is an integer determined by the genus of the hyperelliptic curve: for example, $k(g) = 6$ when g = 1, $k(g) = 12$ when g = 2, and $k(g) = 30$ when g = 3, etc. [12].

5 Conclusion

At the same level of security, the underlying field of a hyperelliptic curve is smaller than that of an elliptic curve. So HCCs have advantages over the existing public key cryptosystems and are more suitable for security products such as smart cards, if we can find suitable hyperelliptic curves and fast operations on their Jacobians. In this paper, we have discussed the hyperelliptic curves of g = 2 of the forms $v^2 + uv = f(u)$ and $v^2 + v = f(u)$, and extended the curves from the finite fields GF(4) and GF(8) to $GF(4^k)$ and $GF(8^t)$ respectively using the Weil conjecture. We have also found all the secure curves suitable for cryptosystems for 38 < k < 70 and 25 < t < 50.

HCC is an interesting research field, and many people have been paying attention to it. For the results on HCCs to be put into practical use, there are still many problems that remain to be solved, such as finding more efficient methods to select secure hyperelliptic curves and fast operations on the Jacobians. Our further study will focus on these problems.

References

[1] Koblitz N. Elliptic curve cryptosystems. Mathematics of Computation, 1987, 48(177): 203-209.
[2] Koblitz N. Hyperelliptic cryptography. Journal of Cryptology, 1989, (1): 139-150.
[3] Cantor D G. Computing in the Jacobian of a hyperelliptic curve. Mathematics of Computation, 1987, 48: 95-101.
[4] Frey G, Rück H. A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Mathematics of Computation, 1994, 62: 865-874.
[5] Sakai Y, Sakurai K, Ishizuka H. Secure hyperelliptic cryptosystems and their performance. In PKC'98, Imai H, Zheng Y (eds.), Springer-Verlag, LNCS 1431, Pacifico Yokohama, Japan, February, 1998, pp.164-181.
[6] Koblitz N. Algebraic Aspects of Cryptography. New York: Springer-Verlag, 1998.
[7] Menezes A, Wu Y, Zuccherato R. An elementary introduction to hyperelliptic curves. Available at http://www.cacr.math.uwaterloo.ca/techreports/1997/tech reports97.html
[8] Itoh Toshiya, Sakurai Kouichi, Shizuya Hiruki. On the complexity of hyperelliptic discrete logarithm problem. In Advances in EUROCRYPT'91, LNCS 547, Springer-Verlag, Brighton, UK, 1991, pp.337-351.
[9] Adleman L, DeMarrais J, Huang M. A subexponential algorithm for discrete logarithms over the rational subgroup of the Jacobians of large genus hyperelliptic curves over finite fields. In Algorithmic Number Theory (ANTS-1), LNCS 877, Springer-Verlag, Ithaca, New York, 1994, pp.28-40.
[10] Gaudry P. An algorithm for solving the discrete log problem on hyperelliptic curves. In Eurocrypt 2000, Preneel B (ed.), LNCS 1807, Springer-Verlag, Bruges, Belgium, May, 2000, pp.19-34.
[11] Rück H G. On the discrete logarithms in the divisor class group of curves. Mathematics of Computation, 1999, 68: 805-806.
[12] Galbraith S D. Supersingular curves in cryptography. Available at http://www.cs.bris.ac.uk/~stenve

ZHANG Fangguo was born in 1972. He received the B.S. degree in mathematics from Yantai Teachers' University in 1996 and the M.S. degree in applied mathematics from Tongji University in 1999. He is currently a Ph.D. candidate in cryptography at Xidian University. His research interests are electronic commerce, elliptic curve cryptography and hyperelliptic curve cryptography.

ZHANG Futai was born in 1965. He received the M.S. degree in fundamental mathematics from Shanxi Normal University in 1990. He is currently a Ph.D. candidate in cryptography at Xidian University. His research interests are information security, cryptography and electronic commerce.

WANG Yumin was born in 1936. He is now a professor and a Ph.D. supervisor at Xidian University, and a member of IEEE. His research interests are the philosophy of communication, information theory, coding and cryptography.