Results 1-10 of 72
Short signatures from the Weil pairing, 2001
Cited by 560 (31 self)
Abstract. We introduce a short signature scheme based on the Computational Diffie-Hellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or signatures are sent over a low-bandwidth channel.
Faltings, Degeneration of abelian varieties, 1990
Cited by 108 (6 self)
An abelian variety A defined over a finite field F_q admits sufficiently many complex multiplications, as Tate showed in [27]. For some details about complex multiplication, see §1.1. Is A the reduction of an abelian variety with sufficiently many complex multiplications in characteristic zero? We formulate several versions of this “CM-lifting problem” in §1.2. Honda
Supersingular curves in cryptography, 2001
Cited by 88 (9 self)
Frey and Rück gave a method to map the discrete logarithm problem in the divisor class group of a curve over ¢¡ into a finite field discrete logarithm problem in some extension. The discrete logarithm problem in the divisor class group can therefore be solved as long ¥ as is small. In the elliptic curve case it is known that for supersingular curves one ¥§¦© ¨ has. In this paper curves of higher genus are studied. Bounds on the possible values ¥ for in the case of supersingular curves are given. Ways to ensure that a curve is not supersingular are also given.
Cycles of quadratic polynomials and rational points on a genus 2 curve, 1996
Cited by 32 (13 self)
Abstract. It has been conjectured that for N sufficiently large, there are no quadratic polynomials in Q[z] with rational periodic points of period N. Morton proved there were none with N = 4, by showing that the genus 2 algebraic curve that classifies periodic points of period 4 is birational to X_1(16), whose rational points had been previously computed. We prove there are none with N = 5. Here the relevant curve has genus 14, but it has a genus 2 quotient, whose rational points we compute by performing a 2-descent on its Jacobian and applying a refinement of the method of Chabauty and Coleman. We hope that our computation will serve as a model for others who need to compute rational points on hyperelliptic curves. We also describe the three possible Gal(Q̄/Q)-stable 5-cycles, and show that there exist Gal(Q̄/Q)-stable N-cycles for infinitely many N. Furthermore, we answer a question of Morton by showing that the genus 14 curve and its quotient are not modular. Finally, we mention some partial results for N = 6.
Oort – Moduli of abelian varieties and p-divisible groups: density of Hecke orbits and a conjecture by Grothendieck
In: Arithmetic Geometry. Clay Mathematics Summer School, Arithmetic Geometry, July 17–August 11, 2006, Göttingen July (Editors
Cited by 13 (10 self)
In the week 7 – 11 August 2006 we gave a course, and here are notes for that course. Our main topic is: geometry and arithmetic of A_g ⊗ F_p, the moduli space of polarized abelian varieties of dimension g in positive characteristic. We illustrate properties, and some of the available techniques by treating two topics: and
Constructing pairing-friendly genus 2 curves over prime fields with ordinary Jacobians
In: Proceedings of Pairing 2007, LNCS 4575, 2007
Cited by 11 (2 self)
Abstract. We provide the first explicit construction of genus 2 curves over finite fields whose Jacobians are ordinary, have large prime-order subgroups, and have small embedding degree. Our algorithm is modeled on the Cocks-Pinch method for constructing pairing-friendly elliptic curves [5], and works for arbitrary embedding degrees k and prime subgroup orders r. The resulting abelian surfaces are defined over prime fields F_q with q ≈ r^4. We also provide an algorithm for constructing genus 2 curves over prime fields F_q with ordinary Jacobians J having the property that J[r] ⊂ J(F_q) or J[r] ⊂ J(F_{q^k}) for any even k.
On the minimal embedding field
In Pairing-Based Cryptography – Pairing 2007
Cited by 11 (2 self)
Abstract. We discuss the underlying mathematics that causes the embedding degree of a curve of any genus to not necessarily correspond to the minimal embedding field, and hence why it may fail to capture the security of a pairing-based cryptosystem. Let C be a curve of genus g defined over a finite field F_q, where q = p^m for a prime p. The Jacobian of the curve is an abelian variety, J_C(F_q), of dimension g defined over F_q. For some prime N, coprime to p, the embedding degree of J_C(F_q)[N] is defined to be the smallest positive integer k such that N divides q^k − 1. Hence, F*_{q^k} contains a subgroup of order N. To determine the security level of a pairing-based cryptosystem, it is important to know the minimal field containing the Nth roots of unity, since the discrete logarithm problem can be transported from the curve to this field, where one can perform index calculus. We show that it is possible to have a dramatic (unbounded) difference between the size of the field given by the embedding degree, F_{p^{mk}}, and the minimal embedding field that contains the Nth roots of unity, F_{p^d}, where d | mk. The embedding degree has utility as it indicates the field one must work over to compute the pairing, while a security parameter should indicate the minimal field containing the embedding. We discuss a way of measuring the difference between the size of the two fields and we advocate the use of two separate parameters. We offer a possible security parameter, k′ = ord_N p, and we present examples of elliptic curves and genus 2 curves which highlight the difference between them. While our observation provides a proper theoretical understanding of minimal embedding fields in pairing-based cryptography, it is unlikely to affect curves used in practice, as a discrepancy may only occur when q is non-prime. Nevertheless, it is an important point to keep in mind and a motivation to recognize two separate parameters when describing a pairing-based cryptosystem.
Computing Hilbert Class Polynomials
Cited by 11 (6 self)
Abstract. We present and analyze two algorithms for computing the Hilbert class polynomial H_D. The first is a p-adic lifting algorithm for inert primes p in the order of discriminant D < 0. The second is an improved Chinese remainder algorithm which uses the class group action on CM-curves over finite fields. Our run time analysis gives tighter bounds for the complexity of all known algorithms for computing H_D, and we show that all methods have comparable run times.
Abelian varieties with prescribed embedding degree
Cited by 11 (4 self)
Abstract. We present an algorithm that, on input of a CM-field K, an integer k ≥ 1, and a prime r ≡ 1 mod k, constructs a q-Weil number π ∈ O_K corresponding to an ordinary, simple abelian variety A over the field F of q elements that has an F-rational point of order r and embedding degree k with respect to r. We then discuss how CM-methods over K can be used to explicitly construct A.