Hyperelliptic curve cryptography

Last updated June 19, 2024

Hyperelliptic curve cryptography is similar to elliptic curve cryptography (ECC) insofar as the Jacobian of a hyperelliptic curve is an abelian group in which to do arithmetic, just as we use the group of points on an elliptic curve in ECC.

Definition

An (imaginary) hyperelliptic curve of genus $g$ over a field $K$ is given by the equation $C:y^{2}+h(x)y=f(x)\in K[x,y]$ where $h(x)\in K[x]$ is a polynomial of degree not larger than $g$ and $f(x)\in K[x]$ is a monic polynomial of degree $2g+1$ . From this definition it follows that elliptic curves are hyperelliptic curves of genus 1. In hyperelliptic curve cryptography $K$ is often a finite field. The Jacobian of $C$ , denoted $J(C)$ , is a quotient group, thus the elements of the Jacobian are not points, they are equivalence classes of divisors of degree 0 under the relation of linear equivalence. This agrees with the elliptic curve case, because it can be shown that the Jacobian of an elliptic curve is isomorphic with the group of points on the elliptic curve.^[1] The use of hyperelliptic curves in cryptography came about in 1989 from Neal Koblitz. Although introduced only 3 years after ECC, not many cryptosystems implement hyperelliptic curves because the implementation of the arithmetic isn't as efficient as with cryptosystems based on elliptic curves or factoring (RSA). The efficiency of implementing the arithmetic depends on the underlying finite field $K$ , in practice it turns out that finite fields of characteristic 2 are a good choice for hardware implementations while software is usually faster in odd characteristic.^[2]

The Jacobian on a hyperelliptic curve is an Abelian group and as such it can serve as group for the discrete logarithm problem (DLP). In short, suppose we have an Abelian group $G$ and $g$ an element of $G$ , the DLP on $G$ entails finding the integer $a$ given two elements of $G$ , namely $g$ and $g^{a}$ . The first type of group used was the multiplicative group of a finite field, later also Jacobians of (hyper)elliptic curves were used. If the hyperelliptic curve is chosen with care, then Pollard's rho method is the most efficient way to solve DLP. This means that, if the Jacobian has $n$ elements, that the running time is exponential in $\log(n)$ . This makes it possible to use Jacobians of a fairly small order, thus making the system more efficient. But if the hyperelliptic curve is chosen poorly, the DLP will become quite easy to solve. In this case there are known attacks which are more efficient than generic discrete logarithm solvers^[3] or even subexponential.^[4] Hence these hyperelliptic curves must be avoided. Considering various attacks on DLP, it is possible to list the features of hyperelliptic curves that should be avoided.

Attacks against the DLP

All generic attacks on the discrete logarithm problem in finite abelian groups such as the Pohlig–Hellman algorithm and Pollard's rho method can be used to attack the DLP in the Jacobian of hyperelliptic curves. The Pohlig-Hellman attack reduces the difficulty of the DLP by looking at the order of the group we are working with. Suppose the group $G$ that is used has $n=p_{1}^{r_{1}}\cdots p_{k}^{r_{k}}$ elements, where $p_{1}^{r_{1}}\cdots p_{k}^{r_{k}}$ is the prime factorization of $n$ . Pohlig-Hellman reduces the DLP in $G$ to DLPs in subgroups of order $p_{i}$ for $i=1,...,k$ . So for $p$ the largest prime divisor of $n$ , the DLP in $G$ is just as hard to solve as the DLP in the subgroup of order $p$ . Therefore, we would like to choose $G$ such that the largest prime divisor $p$ of $\#G=n$ is almost equal to $n$ itself. Requiring ${\textstyle {\frac {n}{p}}\leq 4}$ usually suffices.

The index calculus algorithm is another algorithm that can be used to solve DLP under some circumstances. For Jacobians of (hyper)elliptic curves there exists an index calculus attack on DLP. If the genus of the curve becomes too high, the attack will be more efficient than Pollard's rho. Today it is known that even a genus of $g=3$ cannot assure security.^[5] Hence we are left with elliptic curves and hyperelliptic curves of genus 2.

Another restriction on the hyperelliptic curves we can use comes from the Menezes-Okamoto-Vanstone-attack / Frey-Rück-attack. The first, often called MOV for short, was developed in 1993, the second came about in 1994. Consider a (hyper)elliptic curve $C$ over a finite field $\mathbb {F} _{q}$ where $q$ is the power of a prime number. Suppose the Jacobian of the curve has $n$ elements and $p$ is the largest prime divisor of $n$ . For $k$ the smallest positive integer such that $p|q^{k}-1$ there exists a computable injective group homomorphism from the subgroup of $J(C)$ of order $p$ to $\mathbb {F} _{q^{k}}^{*}$ . If $k$ is small, we can solve DLP in $J(C)$ by using the index calculus attack in ${\textstyle \mathbb {F} _{q^{k}}^{*}}$ . For arbitrary curves $k$ is very large (around the size of $q^{g}$ ); so even though the index calculus attack is quite fast for multiplicative groups of finite fields this attack is not a threat for most curves. The injective function used in this attack is a pairing and there are some applications in cryptography that make use of them. In such applications it is important to balance the hardness of the DLP in $J(C)$ and ${\textstyle \mathbb {F} _{q^{k}}^{*}}$ ; depending on the security level values of $k$ between 6 and 12 are useful. The subgroup of ${\textstyle \mathbb {F} _{q^{k}}^{*}}$ is a torus. There exists some independent usage in torus based cryptography.

We also have a problem, if $p$ , the largest prime divisor of the order of the Jacobian, is equal to the characteristic of $\mathbb {F} _{q}.$ By a different injective map we could then consider the DLP in the additive group $\mathbb {F} _{q}$ instead of DLP on the Jacobian. However, DLP in this additive group is trivial to solve, as can easily be seen. So also these curves, called anomalous curves, are not to be used in DLP.

Order of the Jacobian

Hence, in order to choose a good curve and a good underlying finite field, it is important to know the order of the Jacobian. Consider a hyperelliptic curve ${\textstyle C}$ of genus ${\textstyle g}$ over the field ${\textstyle \mathbb {F} _{q}}$ where ${\textstyle q}$ is the power of a prime number and define ${\textstyle C_{k}}$ as ${\textstyle C}$ but now over the field ${\textstyle \mathbb {F} _{q^{k}}}$ . It can be shown that the order of the Jacobian of ${\textstyle C_{k}}$ lies in the interval ${\textstyle [({\sqrt {q}}^{k}-1)^{2g},({\sqrt {q}}^{k}+1)^{2g}]}$ , called the Hasse-Weil interval.^[6]

But there is more, we can compute the order using the zeta-function on hyperelliptic curves. Let ${\textstyle A_{k}}$ be the number of points on ${\textstyle C_{k}}$ . Then we define the zeta-function of ${\textstyle C=C_{1}}$ as ${\textstyle Z_{C}(t)=\exp(\sum _{i=1}^{\infty }{A_{i}{\frac {t^{i}}{i}}})}$ . For this zeta-function it can be shown that ${\textstyle Z_{C}(t)={\frac {P(t)}{(1-t)(1-qt)}}}$ where ${\textstyle P(t)}$ is a polynomial of degree ${\textstyle 2g}$ with coefficients in ${\textstyle \mathbb {Z} }$ .^[7] Furthermore ${\textstyle P(t)}$ factors as ${\textstyle P(t)=\prod _{i=1}^{g}{(1-a_{i}t)(1-{\bar {a_{i}}}t)}}$ where ${\textstyle a_{i}\in \mathbb {C} }$ for all ${\textstyle i=1,...,g}$ . Here ${\textstyle {\bar {a}}}$ denotes the complex conjugate of $a$ . Finally we have that the order of ${\textstyle J(C_{k})}$ equals ${\textstyle \prod _{i=1}^{g}{|1-a_{i}^{k}|^{2}}}$ . Hence orders of Jacobians can be found by computing the roots of ${\textstyle P(t)}$ .

Related Research Articles

Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys to provide equivalent security, compared to cryptosystems based on modular exponentiation in Galois fields, such as the RSA cryptosystem and ElGamal cryptosystem.

<span class="mw-page-title-main">Elliptic curve</span> Algebraic curve

In mathematics, an elliptic curve is a smooth, projective, algebraic curve of genus one, on which there is a specified point $O$ . An elliptic curve is defined over a field $K$ and describes points in $K 2$ , the Cartesian product of $K$ with itself. If the field's characteristic is different from 2 and 3, then the curve can be described as a plane algebraic curve which consists of solutions $(x, y)$ for:

The Lenstra elliptic-curve factorization or the elliptic-curve factorization method (ECM) is a fast, sub-exponential running time, algorithm for integer factorization, which employs elliptic curves. For general-purpose factoring, ECM is the third-fastest known factoring method. The second-fastest is the multiple polynomial quadratic sieve, and the fastest is the general number field sieve. The Lenstra elliptic-curve factorization is named after Hendrik Lenstra.

In mathematics, particularly in algebraic geometry, complex analysis and algebraic number theory, an abelian variety is a projective algebraic variety that is also an algebraic group, i.e., has a group law that can be defined by regular functions. Abelian varieties are at the same time among the most studied objects in algebraic geometry and indispensable tools for research on other topics in algebraic geometry and number theory.

In algebraic geometry, a projective variety over an algebraically closed field k is a subset of some projective n-space $over k that is the zero-locus of some finite family of homogeneous polynomials of n + 1 variables with coefficients in k, that generate a prime ideal, the defining ideal of the variety. Equivalently, an algebraic variety is projective if it can be embedded as a Zariski closed subvariety of .$

In mathematics, restriction of scalars is a functor which, for any finite extension of fields L/k and any algebraic variety X over L, produces another variety Res_L/kX, defined over k. It is useful for reducing questions about varieties over large fields to questions about more complicated varieties over smaller fields.

In algebraic geometry, a Kummer quartic surface, first studied by Ernst Kummer, is an irreducible nodal surface of degree 4 in with the maximal possible number of 16 double points. Any such surface is the Kummer variety of the Jacobian variety of a smooth hyperelliptic curve of genus 2; i.e. a quotient of the Jacobian by the Kummer involution x ↦ −x. The Kummer involution has 16 fixed points: the 16 2-torsion point of the Jacobian, and they are the 16 singular points of the quartic surface. Resolving the 16 double points of the quotient of a torus by the Kummer involution gives a K3 surface with 16 disjoint rational curves; these K3 surfaces are also sometimes called Kummer surfaces.

In mathematics, the canonical bundle of a non-singular algebraic variety $of dimension over a field is the line bundle, which is the n th exterior power of the cotangent bundle on .$

In mathematics, the Weil pairing is a pairing on the points of order dividing n of an elliptic curve E, taking values in nth roots of unity. More generally there is a similar Weil pairing between points of order n of an abelian variety and its dual. It was introduced by André Weil for Jacobians of curves, who gave an abstract algebraic definition; the corresponding results for elliptic functions were known, and can be expressed simply by use of the Weierstrass sigma function.

The decisional Diffie–Hellman (DDH) assumption is a computational hardness assumption about a certain problem involving discrete logarithms in cyclic groups. It is used as the basis to prove the security of many cryptographic protocols, most notably the ElGamal and Cramer–Shoup cryptosystems.

In computational number theory, the index calculus algorithm is a probabilistic algorithm for computing discrete logarithms. Dedicated to the discrete logarithm in $where is a prime, index calculus leads to a family of algorithms adapted to finite fields and to some families of elliptic curves. The algorithm collects relations among the discrete logarithms of small primes, computes them by a linear algebra procedure and finally expresses the desired discrete logarithm with respect to the discrete logarithms of small primes.$

In arithmetic geometry, the Mordell–Weil group is an abelian group associated to any abelian variety $defined over a number field . It is an arithmetic invariant of the Abelian variety. It is simply the group of -points of, so is the Mordell-Weil group pg 207 . The main structure theorem about this group is the Mordell-Weil theorem which shows this group is in fact a finitely-generated abelian group. Moreover, there are many conjectures related to this group, such as the Birch and Swinnerton-Dyer conjecture which relates the rank of to the zero of the associated L-function at a special point.$

In mathematics, the Abel–Jacobi map is a construction of algebraic geometry which relates an algebraic curve to its Jacobian variety. In Riemannian geometry, it is a more general construction mapping a manifold to its Jacobi torus. The name derives from the theorem of Abel and Jacobi that two effective divisors are linearly equivalent if and only if they are indistinguishable under the Abel–Jacobi map.

In 1998 Gerhard Frey firstly proposed using trace zero varieties for cryptographic purpose. These varieties are subgroups of the divisor class group on a low genus hyperelliptic curve defined over a finite field. These groups can be used to establish asymmetric cryptography using the discrete logarithm problem as cryptographic primitive.

A hyperelliptic curve is a particular kind of algebraic curve. There exist hyperelliptic curves of every genus $. If the genus of a hyperelliptic curve equals 1, we simply call the curve an elliptic curve. Hence we can see hyperelliptic curves as generalizations of elliptic curves. There is a well-known group structure on the set of points lying on an elliptic curve over some field, which we can describe geometrically with chords and tangents. Generalizing this group structure to the hyperelliptic case is not straightforward. We cannot define the same group law on the set of points lying on a hyperelliptic curve, instead a group structure can be defined on the so-called Jacobian of a hyperelliptic curve. The computations differ depending on the number of points at infinity. Imaginary hyperelliptic curves are hyperelliptic curves with exactly 1 point at infinity: real hyperelliptic curves have two points at infinity.$

An important aspect in the study of elliptic curves is devising effective ways of counting points on the curve. There have been several approaches to do so, and the algorithms devised have proved to be useful tools in the study of various fields such as number theory, and more recently in cryptography and Digital Signature Authentication. While in number theory they have important consequences in the solving of Diophantine equations, with respect to cryptography, they enable us to make effective use of the difficulty of the discrete logarithm problem (DLP) for the group $, of elliptic curves over a finite field, where q = p k and p is a prime. The DLP, as it has come to be known, is a widely used approach to public key cryptography, and the difficulty in solving this problem determines the level of security of the cryptosystem. This article covers algorithms to count points on elliptic curves over fields of large characteristic, in particular p > 3. For curves over fields of small characteristic more efficient algorithms based on p -adic methods exist.$

In mathematics the Function Field Sieve is one of the most efficient algorithms to solve the Discrete Logarithm Problem (DLP) in a finite field. It has heuristic subexponential complexity. Leonard Adleman developed it in 1994 and then elaborated it together with M. D. Huang in 1999. Previous work includes the work of D. Coppersmith about the DLP in fields of characteristic two.

In mathematics, there are two types of hyperelliptic curves, a class of algebraic curves: real hyperelliptic curves and imaginary hyperelliptic curves which differ by the number of points at infinity. Hyperelliptic curves exist for every genus $. The general formula of Hyperelliptic curve over a finite field is given by$

Network coding has been shown to optimally use bandwidth in a network, maximizing information flow but the scheme is very inherently vulnerable to pollution attacks by malicious nodes in the network. A node injecting garbage can quickly affect many receivers. The pollution of network packets spreads quickly since the output of honest node is corrupted if at least one of the incoming packets is corrupted.

This is a glossary of algebraic geometry.

References

↑ Déchène, Isabelle (2007). "The Picard Group, or how to build a group from a set" (PDF). Tutorial on Elliptic and Hyperelliptic Curve Cryptography 2007.
↑ Gaudry, P.; Lubicz, D. (2009). "The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines". Finite Fields and Their Applications. 15 (2): 246–260. doi: 10.1016/j.ffa.2008.12.006 .
↑ Th'eriault, N. (2003). "Index calculus attack for hyperelliptic curves of small genus". Advances in Cryptology - ASIACRYPT 2003. New York: Springer. ISBN 978-3540406747.
↑ Enge, Andreas (2002). "Computing discrete logarithms in high-genus hyperelliptic Jacobians in provably subexponential time". Mathematics of Computation. 71 (238): 729–742. Bibcode:2002MaCom..71..729E. doi: 10.1090/S0025-5718-01-01363-1 .
↑ Jasper Scholten and Frederik Vercauteren, An Introduction to Elliptic and Hyperelliptic Curve Cryptography and the NTRU Cryptosystem, section 4
↑ Alfred J. Menezes, Yi-Hong Wu, Robert J. Zuccherato, An elementary introduction to hyperelliptic curves, page 30
↑ Alfred J. Menezes, Yi-Hong Wu, Robert J. Zuccherato, An elementary introduction to hyperelliptic curves, page 29

External links

Colm Ó hÉigeartaigh Implementation of some hyperelliptic curves algorithms using MIRACL
DJ Bernstein Surface1271: high-speed genus-2-hyperelliptic-curve cryptography – incomplete work from 2006 intending to produce a Diffie–Hellman variant, but stalled due to difficulties in choosing surfaces (in turn because point-counting for large surfaces is unavailable). Contains software for the Pentium M scalar multiplication on a Kummer surface.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Déchène, Isabelle (2007). "The Picard Group, or how to build a group from a set" (PDF). Tutorial on Elliptic and Hyperelliptic Curve Cryptography 2007.

[2] Gaudry, P.; Lubicz, D. (2009). "The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines". Finite Fields and Their Applications. 15 (2): 246–260. doi: 10.1016/j.ffa.2008.12.006 .

[3] Th'eriault, N. (2003). "Index calculus attack for hyperelliptic curves of small genus". Advances in Cryptology - ASIACRYPT 2003. New York: Springer. ISBN 978-3540406747.

[4] Enge, Andreas (2002). "Computing discrete logarithms in high-genus hyperelliptic Jacobians in provably subexponential time". Mathematics of Computation. 71 (238): 729–742. Bibcode:2002MaCom..71..729E. doi: 10.1090/S0025-5718-01-01363-1 .

[5] Jasper Scholten and Frederik Vercauteren, An Introduction to Elliptic and Hyperelliptic Curve Cryptography and the NTRU Cryptosystem, section 4

[6] Alfred J. Menezes, Yi-Hong Wu, Robert J. Zuccherato, An elementary introduction to hyperelliptic curves, page 30

[7] Alfred J. Menezes, Yi-Hong Wu, Robert J. Zuccherato, An elementary introduction to hyperelliptic curves, page 29

[1]

[2]

[3]

[4]

[5]

[6]

[7]