Cantor versus Harley: Optimization and Analysis of Explicit Formulae for Hyperelliptic Curve Cryptosystems
July 2005 (vol. 54 no. 7)
pp. 861-872
Web Extra: View supplemental material
Hyperelliptic curves (HEC) look promising for cryptographic applications, because of their short operand size compared to other public-key schemes. The operand sizes seem well suited for small processor architectures, where memory and speed are constrained. However, the group operation has been believed to be too complex and, thus, HEC have not been used in this context so far. In recent years, a lot of effort has been made to speed up group operation of genus-2 HEC. In this paper, we increase the efficiency of the genus-2 and genus-3 hyperelliptic curve cryptosystems (HECC). For certain genus-3 curves, we can gain almost 80 percent performance for a group doubling. This work not only improves Gaudry and Harley's algorithm [1], but also improves the original algorithm introduced by Cantor [2]. Contrary to common belief, we show that it is also practical for certain curves to use Cantor's algorithm to obtain the highest efficiency for the group operation. In addition, we introduce a general reduction method for polynomials according to Karatsuba. We implemented our most efficient group operations on Pentium and ARM microprocessors.
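As an added worked example (written for this page; it is not the authors' code and contains neither the paper's explicit formulae nor its Karatsuba-style polynomial reduction), the following Python implements Cantor's algorithm [2] in its textbook form, composition followed by reduction, on a constructed toy genus-2 curve y^2 = x^5 + x + 1 over F_7, with a double-and-add scalar multiplication on top so that the role of the group doubling is visible. The prime, the curve and the two sample points are constructed for illustration only and carry no cryptographic meaning:

```python
"""Cantor's algorithm on the Jacobian of y^2 + h(x)*y = f(x) over F_p.

A divisor class is a Mumford pair (u, v): u monic, deg v < deg u and
u | f - h*v - v^2.  Polynomials are coefficient lists, lowest degree first,
reduced mod P, no trailing zeros ([] is the zero polynomial)."""

P = 7                   # constructed toy prime field F_7, not a real parameter
F = [1, 1, 0, 0, 0, 1]  # f(x) = x^5 + x + 1: a genus-2 curve (constructed)
H = []                  # h(x) = 0 (fine in odd characteristic)
GENUS = 2

def trim(a):
    """Reduce coefficients mod P and drop trailing zeros."""
    a = [c % P for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a

def deg(a): return len(a) - 1          # the zero polynomial gets degree -1
def neg(a): return trim([-c for c in a])
def sub(a, b): return add(a, neg(b))
def scale(a, c): return trim([x * c for x in a])
def mod(a, b): return divmod_poly(a, b)[1]

def add(a, b):
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) for i in range(n)])

def mul(a, b):
    if not a or not b:
        return []
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] += x * y
    return trim(r)

def divmod_poly(a, b):
    """Schoolbook long division: a = q*b + r with deg r < deg b, b != 0."""
    b = trim(b)
    if not b:
        raise ZeroDivisionError("division by the zero polynomial")
    q, r = [0] * max(len(a) - len(b) + 1, 1), trim(a)
    inv = pow(b[-1], P - 2, P)          # inverse of b's leading coefficient
    while len(r) >= len(b):
        k = len(r) - len(b)
        q[k] = c = (r[-1] * inv) % P
        for i, bi in enumerate(b):
            r[i + k] -= c * bi
        r = trim(r)                     # the leading term cancels; drop it
    return trim(q), r

def exact_div(a, b):
    q, r = divmod_poly(a, b)
    assert not r, "division expected to be exact"
    return q

def xgcd(a, b):
    """Extended Euclid over F_p[x]: (g, s, t) with s*a + t*b = g, g monic."""
    r0, r1, s0, s1, t0, t1 = trim(a), trim(b), [1], [], [], [1]
    while r1:
        q, r = divmod_poly(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, sub(s0, mul(q, s1))
        t0, t1 = t1, sub(t0, mul(q, t1))
    inv = pow(r0[-1], P - 2, P)
    return scale(r0, inv), scale(s0, inv), scale(t0, inv)

def reduce_divisor(u, v, f=F, h=H, g=GENUS):
    """Cantor's reduction loop: shrink deg u until it is at most the genus."""
    while deg(u) > g:
        u = exact_div(sub(f, add(mul(h, v), mul(v, v))), u)
        v = mod(neg(add(h, v)), u)
    return scale(u, pow(u[-1], P - 2, P)), v

def cantor_add(D1, D2, f=F, h=H, g=GENUS):
    """Cantor's composition of two reduced divisors, followed by reduction."""
    (u1, v1), (u2, v2) = D1, D2
    d1, e1, e2 = xgcd(u1, u2)                   # d1 = e1*u1 + e2*u2
    d, c1, c2 = xgcd(d1, add(add(v1, v2), h))   # d  = c1*d1 + c2*(v1 + v2 + h)
    s1, s2, s3 = mul(c1, e1), mul(c1, e2), c2   # d  = s1*u1 + s2*u2 + s3*(v1 + v2 + h)
    u = exact_div(mul(u1, u2), mul(d, d))
    num = add(add(mul(mul(s1, u1), v2), mul(mul(s2, u2), v1)),
              mul(s3, add(mul(v1, v2), f)))
    v = mod(exact_div(num, d), u)
    return reduce_divisor(u, v, f, h, g)

def scalar_mul(k, D, f=F, h=H, g=GENUS):
    """Left-to-right double-and-add: one doubling per bit of k plus one
    addition per set bit, so doubling cost dominates scalar multiplication."""
    R = ([1], [])                               # the identity class
    for bit in bin(k)[2:]:
        R = cantor_add(R, R, f, h, g)
        if bit == "1":
            R = cantor_add(R, D, f, h, g)
    return R

def mumford_ok(D, f=F, h=H, g=GENUS):
    """Check that (u, v) is a reduced divisor of the curve."""
    u, v = D
    return bool(u and u[-1] == 1 and deg(u) <= g and deg(v) < deg(u)
                and not mod(sub(f, add(mul(h, v), mul(v, v))), u))

if __name__ == "__main__":
    P1 = ([0, 1], [1])         # the affine point (0, 1): u = x, v = 1 (constructed)
    P2 = ([4, 1], [3])         # the affine point (3, 3): u = x + 4, v = 3 (constructed)
    print(cantor_add(P1, P2))  # ([0, 4, 1], [1, 3]): u = x^2 + 4x, v = 3x + 1
    print(scalar_mul(3, P1))   # ([1, 6, 1], [5, 4]): u = x^2 + 6x + 1, v = 4x + 5
```

Running it adds the points (0, 1) and (3, 3) to the class (x^2 + 4x, 3x + 1) and computes 3·(0, 1) = (x^2 + 6x + 1, 4x + 5), where the third addition is the one that needs the reduction loop; mumford_ok rechecks every result against the curve equation. Two caveats a practitioner would want: the polynomial gcd and long division branch on the operands, so this arithmetic is not constant-time (side-channel countermeasures for HECC are the subject of [56] on the reference list), and the toy field says nothing about performance; what the paper measures is these same group operations, with the generic gcds and divisions replaced by explicit formulae, over fields of cryptographic size.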

[1] P. Gaudry and R. Harley, “Counting Points on Hyperelliptic Curves over Finite Fields,” Proc. Symp. Algorithmic Number Theory IV, W. Bosma, ed., pp. 297-312, 2000.
[2] D. Cantor, “Computing in Jacobian of a Hyperelliptic Curve,” Math. Computation, vol. 48, no. 177, pp. 95-101, Jan. 1987.
[3] W. Diffie and M.E. Hellman, “New Directions in Cryptography,” IEEE Trans. Information Theory, vol. 22, pp. 644-654, 1976.
[4] R.L. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Comm. ACM, vol. 21, no. 2, pp. 120-126, Feb. 1978.
[5] N. Koblitz, “Elliptic Curve Cryptosystems,” Math. Computation, vol. 48, pp. 203-209, 1987.
[6] V. Miller, “Uses of Elliptic Curves in Cryptography,” Advances in Cryptology— Proc. CRYPTO '85, H.C. Williams, ed., pp. 417-426, 1986.
[7] N. Koblitz, “A Family of Jacobians Suitable for Discrete Log Cryptosystems,” Advances in Cryptology— Crypto '88, S. Goldwasser, ed., pp. 94-99, 1988.
[8] U. Krieger, “signature.c,” Master's thesis, Mathematik und Informatik, Universität Essen, Fachbereich 6, Essen, Germany, Feb. 1997.
[9] Y. Sakai and K. Sakurai, “Design of Hyperelliptic Cryptosystems in Small Characteristic and a Software Implementation over $\mathbb{F}_{2^n}$,” Advances in Cryptology— Proc. ASIACRYPT '98, K. Ohta and D. Pei, eds., pp. 80-94, 1998.
[10] Y. Sakai, K. Sakurai, and H. Ishizuka, “Secure Hyperelliptic Cryptosystems and Their Performance,” Public Key Cryptography: Proc. First Int'l Workshop Practice and Theory in Public Key Cryptography (PKC '98), H. Imai and Y. Zheng, eds., pp. 164-181, 1998.
[11] N. Smart, “On the Performance of Hyperelliptic Cryptosystems,” Advances in Cryptology— Proc. EUROCRYPT '99, J. Stern, ed., pp. 165-175, 1999.
[12] Y. Sakai and K. Sakurai, “On the Practical Performance of Hyperelliptic Curve Cryptosystems in Software Implementation,” IEICE Trans. Fundamentals of Electronics, Comm., and Computer Sciences, vol. E83-A, no. 4, pp. 692-703, Apr. 2000.
[13] J. Pelzl, “Hyperelliptic Cryptosystems on Embedded Microprocessor,” master's thesis, Dept. of Electrical Eng. and Information Sciences, Ruhr-Universitaet Bochum, Bochum, Germany, Sept. 2002.
[14] T. Lange, “Efficient Arithmetic on Genus 2 Hyperelliptic Curves over Finite Fields via Explicit Formulae,” Cryptology ePrint Archive, Report 2002/121, 2002, http://eprint.iacr.org/.
[15] M. Goda, K. Matsuo, K. Aoki, J. Chao, and S. Tsujii, “Improvements of Addition Algorithm on Genus 3 Hyperelliptic Curves and Their Implementations,” Proc. 2004 Symp. Cryptography and Information Security, Japan (SCIS 2004), Jan. 2004.
[16] R.M. Avanzi, “Aspects of Hyperelliptic Curves over Large Prime Fields in Software Implementations,” Proc. Workshop Cryptographic Hardware and Embedded Systems (CHES 2004), M. Joye and J.-J. Quisquater, eds., pp. 148-162, 2004.
[17] T. Wollinger, “Computer Architectures for Cryptosystems Based on Hyperelliptic Curves,” master's thesis, Electrical and Computer Eng. Dept., Worcester Polytechnic Inst., Worcester, Mass., May 2001.
[18] T. Wollinger and C. Paar, “Hardware Architectures Proposed for Cryptosystems Based on Hyperelliptic Curves,” Proc. Ninth IEEE Int'l Conf. Electronics, Circuits, and Systems (ICECS 2002), vol. III, pp. 1159-1163, Sept. 2002.
[19] N. Boston, T. Clancy, Y. Liow, and J. Webster, “Genus Two Hyperelliptic Curve Coprocessor,” Proc. Cryptographic Hardware and Embedded Systems (CHES 2002), B.S. Kaliski, Ç.K. Koç, and C. Paar, eds., pp. 529-539, 2002, updated version available at http://www.cs.umd.edu/clancy/docshec-ches2002.pdf.
[20] T. Clancy, “Analysis of FPGA-Based Hyperelliptic Curve Cryptosystems,” master's thesis, Univ. of Illinois Urbana-Champaign, Dec. 2002.
[21] G. Elias, A. Miri, and T.H. Yeap, “High-Performance, FPGA-Based Hyperelliptic Curve Cryptosystems,” Proc. 22nd Biennial Symp. Comm., May 2004.
[22] H. Kim, T. Wollinger, Y. Choi, K. Chung, and C. Paar, “Hyperelliptic Curve Coprocessors on a FPGA,” Proc. Workshop Information Security Applications (WISA), 2004.
[23] K. Matsuo, J. Chao, and S. Tsujii, “Fast Genus Two Hyperelliptic Curve Cryptosystems,” Proc. Second Int'l Symp. Electronic Commerce (ISEC 2001), 2001.
[24] T. Lange, “Efficient Arithmetic on Hyperelliptic Curves,” PhD dissertation, Inst. for Experimental Math., Univ. of Essen, Essen, Germany, 2001.
[25] Y. Miyamoto, H. Doi, K. Matsuo, J. Chao, and S. Tsuji, “A Fast Addition Algorithm of Genus Two Hyperelliptic Curve,” Proc. 2002 Symp. Cryptography and Information Security (SCIS 2002), pp. 497-502, 2002, in Japanese.
[26] M. Takahashi, “Improving Harley Algorithms for Jacobians of Genus 2 Hyperelliptic Curves,” Proc. Int'l Conf. Cryptography and Information Security, Japan (SCIS), 2002, in Japanese.
[27] T. Lange, “Inversion-Free Arithmetic on Genus 2 Hyperelliptic Curves,” Cryptology ePrint Archive, Report 2002/147, 2002, http://eprint.iacr.org/.
[28] T. Lange, “Weighted Coordinates on Genus 2 Hyperelliptic Curves,” Cryptology ePrint Archive, Report 2002/153, 2002, http://eprint.iacr.org/.
[29] J. Kuroki, M. Gonda, K. Matsuo, J. Chao, and S. Tsujii, “Fast Genus Three Hyperelliptic Curve Cryptosystems,” Proc. 2002 Symp. Cryptography and Information Security, Japan (SCIS 2002), Jan. 2002.
[30] J. Pelzl, T. Wollinger, J. Guajardo, and C. Paar, “Hyperelliptic Curve Cryptosystems: Closing the Performance Gap to Elliptic Curves,” Proc. Workshop Cryptographic Hardware and Embedded Systems (CHES 2003), C.D. Walter, Ç.K. Koç, and C. Paar, eds., pp. 349-365, Sept. 2003.
[31] J. Pelzl, T. Wollinger, and C. Paar, “High Performance Arithmetic for Special Hyperelliptic Curve Cryptosystems of Genus Two,” Proc. Int'l Conf. Information Technology: Coding and Computing (ITCC 2004), Apr. 2004.
[32] D. Mumford, “Tata Lectures on Theta II,” Prog. Math., vol. 43, 1984.
[33] K. Nagao, “Improving Group Law Algorithms for Jacobians of Hyperelliptic Curves,” Proc. Algorithmic Number Theory Symp. IV, W. Bosma, ed., pp. 439-448, 2000.
[34] A. Karatsuba and Y. Ofman, “Multiplication of Multidigit Numbers on Automata,” Sov. Phys. Dokl. (English translation), vol. 7, no. 7, pp. 595-596, 1963.
[35] H. Sugizaki, K. Matsuo, J. Chao, and S. Tsujii, “An Extension of Harley Addition Algorithm for Hyperelliptic Curves over Finite Fields of Characteristic Two,” Technical Report ISEC2002-9, IEICE Japan, May 2002.
[36] T. Lange, “Formulae for Arithmetic on Genus 2 Hyperelliptic Curves,” J. Applied Algebra, Algebraic Algorithms, and Error Correcting Codes, Sept. 2003.
[37] R. Harley, “Fast Arithmetic on Genus Two Curves,” http://cristal.inria.fr/harleyhyper/, 2000.
[38] N. Koblitz, “Hyperelliptic Cryptosystems,” J. Cryptology, vol. 1, no. 3, pp. 129-150, 1989.
[39] N. Koblitz, Algebraic Aspects of Cryptography, first ed. Berlin: Springer-Verlag, 1998.
[40] A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone, Handbook of Applied Cryptography. Boca Raton, Fla.: CRC Press, 1997.
[41] D.M. Gordon, “A Survey of Fast Exponentiation Methods,” J. Algorithms, vol. 27, pp. 129-146, 1998.
[42] R. Gallant, R. Lambert, and S. Vanstone, “Improving the Parallelized Pollard Lambda Search on Binary Anomalous Curves,” http://www.certicom.com/chal/downloadpaper.ps, 1998.
[43] J.M. Pollard, “Monte Carlo Methods for Index Computation mod $p$,” Math. Computation, vol. 32, no. 143, pp. 918-924, July 1978.
[44] D.H. Wiedemann, “Solving Sparse Linear Equations over Finite Fields,” IEEE Trans. Information Theory, vol. 32, no. 1, pp. 54-62, Jan. 1986.
[45] G. Frey and H.-G. Rück, “A Remark Concerning $m$-Divisibility and the Discrete Logarithm in the Divisor Class Group of Curves,” Math. Computation, vol. 62, no. 206, pp. 865-874, Apr. 1994.
[46] H.-G. Rück, “On the Discrete Logarithm in the Divisor Class Group of Curves,” Math. Computation, vol. 68, no. 226, pp. 805-806, 1999.
[47] L. Adleman, J. DeMarrais, and M.-D. Huang, “A Subexponential Algorithm for Discrete Logarithms over the Rational Subgroup of the Jacobians of Large Genus Hyperelliptic Curves over Finite Fields,” Proc. First Int'l Symp. Algorithmic Number Theory (ANTS-I), L. Adleman and M.-D. Huang, eds., pp. 28-40, May 1994.
[48] R. Flassenberg and S. Paulus, “Sieving in Function Fields,” ftp://ftp.informatik.tu-darmstadt.de/pub/TI/TRTI-97-13.rafla.ps.gz, 1997, preprint.
[49] P. Gaudry, “Algorithmique des Courbes Hyperelliptiques et Applications à la Cryptologie,” PhD dissertation, France, 2000.
[50] P. Gaudry, “An Algorithm for Solving the Discrete Log Problem on Hyperelliptic Curves,” Advances in Cryptology— Proc. EUROCRYPT 2000, B. Preneel, ed., pp. 19-34, 2000.
[51] A. Enge and P. Gaudry, “A General Framework for Subexponential Discrete Logarithm Algorithms,” Acta Arithmetica, vol. 102, pp. 83-103, 2002.
[52] N. Thériault, “Index Calculus Attack for Hyperelliptic Curves of Small Genus,” Advances in Cryptology— Proc. ASIACRYPT '03, G. Goos, J. Hartmanis, and J. van Leeuwen, eds., pp. 79-92, 2003.
[53] S. Galbraith, “Supersingular Curves in Cryptography,” Advances in Cryptology— Proc. ASIACRYPT '03, C. Boyd, ed., pp. 495-517, 2001.
[54] J. Scholten and J. Zhu, “Hyperelliptic Curves in Characteristic 2,” Int'l Math. Research Notices, vol. 2002, no. 17, pp. 905-917, 2002.
[55] D. Subrao, “The p-Rank of Artin-Schreier Curves,” Manuscripta Math., vol. 16, pp. 169-193, 1975.
[56] R.M. Avanzi, “Countermeasures against Differential Power Analysis for Hyperelliptic Curve Cryptosystems,” Proc. Workshop Cryptographic Hardware and Embedded Systems (CHES 2003), C.D. Walter, Ç.K. Koç, and C. Paar, eds., pp. 366-381, 2003.
[57] G. Frey, “How to Disguise an Elliptic Curve,” Talk at ECC 1998, 1998, http://cacr.math.uwaterloo.ca/conferences/1998/ecc98slides.html.
[58] P. Gaudry, F. Hess, and N.P. Smart, “Constructive and Destructive Facets of Weil Descent on Elliptic Curves,” J. Cryptology, vol. 15, no. 1, pp. 19-46, 2002.
[59] E.D. Win, A. Bosselaers, S. Vandenberghe, P.D. Gersem, and J. Vandewalle, “A Fast Software Implementation for Arithmetic Operations in $GF(2^n)$,” Proc. Asiacrypt '96, pp. 65-76, 1996.
[60] J. Guajardo and C. Paar, “Efficient Algorithms for Elliptic Curve Cryptosystems,” Advances in Cryptology— Proc. CRYPTO '97, B. Kaliski, ed., pp. 342-356, Aug. 1997.
[61] H. Cohen, A Course in Computational Algebraic Number Theory. Berlin: Springer-Verlag, 1993, third corrected printing 1996.
[62] D.E. Knuth, The Art of Computer Programming: Volume 2: Seminumerical Algorithms, second ed. Reading, Mass.: Addison-Wesley, 1981.
[63] A. Lempel, G. Seroussi, and S. Winograd, “On the Complexity of Multiplication in Finite Fields,” Theoretical Computer Science, vol. 22, pp. 285-296, 1983.
[64] S. Winograd, “Some Bilinear Forms Whose Multiplicative Complexity Depends on the Field of Constants,” Math. Systems Theory, vol. 10, pp. 169-180, 1977.
[65] D.J. Bernstein, “Multidigit Multiplication for Mathematicians,” Advances in Applied Math., 2001, http://cr.yp.to/papers.html.
[66] A. Weimerskirch and C. Paar, “Generalizations of the Karatsuba Algorithm for Polynomial Multiplication,” technical report, Ruhr-Univ. Bochum, Germany, 2003, http://www.crypto.rub.de/Publikationen/texte kaweb.pdf.
[67] J. von zur Gathen and J. Gerhard, Modern Computer Algebra. Cambridge Univ. Press, 1999.
[68] M. Stevens and T. Lange, “Arithmetic on Hyperelliptic Curves of Genus 1 and 2,” http://www.crypto.rub.de/geseminar, HGI Seminar, 2004.
[69] M. Stevens and T. Lange, “Efficient Doubling on Genus Two Curves over Binary Fields,” Proc. 11th Ann. Workshop Selected Areas in Cryptography, Aug. 2004.
[70] V. Shoup, “NTL: A Library for Doing Number Theory (version 5.0c),” 2001, http://www.shoup.net/ntl/index.html.
[71] T. Wollinger, J. Pelzl, V. Wittelsberger, C. Paar, G. Saldamli, and Ç.K. Koç, “Elliptic & Hyperelliptic Curves on Embedded $\mu$P,” ACM Trans. Embedded Computing Systems (TECS), special issue on embedded systems and security, 2004.

Index Terms: Hyperelliptic curves, explicit formulae, Harley's algorithm, Cantor, efficient implementation, embedded implementation.
Citation:
Thomas Wollinger, Jan Pelzl, Christof Paar, "Cantor versus Harley: Optimization and Analysis of Explicit Formulae for Hyperelliptic Curve Cryptosystems," IEEE Transactions on Computers, vol. 54, no. 7, pp. 861-872, July 2005, doi:10.1109/TC.2005.109