Index calculus for abelian varieties and the elliptic curve discrete logarithm problem, preprint, IACR ePrint 2004/073

by Pierrick Gaudry

Results 1 - 10 of 10

On Small Characteristic Algebraic Tori in Pairing-Based Cryptography

by R. Granger, D. Page, M. Stam , 2004
Cited by 27 (3 self)
The output of the Tate pairing on an elliptic curve over a finite field is an element in the multiplicative group of an extension field modulo a particular subgroup. One ordinarily powers this element to obtain a unique representative for the output coset, and performs any further necessary arithmetic in the extension field. Rather than an obstruction, we show to the contrary that one can exploit this quotient group to eliminate the final powering, to speed up exponentiations and to obtain a simple compression of pairing values which is useful during interactive identity-based cryptographic protocols. Specifically we demonstrate that methods available for fast point multiplication on elliptic curves such as mixed addition, signed digit representations and Frobenius expansions, all transfer easily to the quotient group, and provide a significant improvement over the arithmetic of the extension field.

Rethinking low genus hyperelliptic jacobian arithmetic over binary fields: Interplay of field arithmetic and explicit formulae

by R. Avanzi, N. Thériault, Z. Wang
Cited by 10 (5 self)
In this paper, we present several improvements on the best known explicit formulæ for hyperelliptic curves of genus three and four in characteristic two, including the issue of reducing memory requirements. To show the effectiveness of these improvements and to allow a fair comparison of the curves of different genera, we implement all formulæ using a highly optimized software library for arithmetic in binary fields. This library was designed to minimize the impact of a whole series of overheads which have a larger significance as the genus of the curves increases. The current state of the art in attacks against the discrete logarithm problem is taken into account for the choice of the field and group sizes. Performance tests are done on two personal computers with very different architectures. Our results can be shortly summarized as follows: Curves of genus three provide performance similar, or better, to that of curves of genus two, and these two types of curves can perform faster than elliptic curves – indeed on some processors often twice as fast. Curves of genus four attain a performance level comparable to elliptic curves. A large choice of curves is therefore available for the deployment of curve-based cryptography, with curves of genus three and four providing their own advantages as larger cofactors can be allowed for the group order.

Elliptic curve cryptography: The serpentine course of a paradigm shift

by Ann Hibner Koblitz, Neal Koblitz, Alfred Menezes - J. NUMBER THEORY , 2008
Cited by 7 (3 self)
Over a period of sixteen years elliptic curve cryptography went from being an approach that many people mistrusted or misunderstood to being a public key technology that enjoys almost unquestioned acceptance. We describe the sometimes surprising twists and turns in this paradigm shift, and compare this story with the commonly accepted Ideal Model of how research and development function in cryptography. We also discuss to what extent the ideas in the literature on “social construction of technology” can contribute to a better understanding of this history.

On the Discrete Logarithm Problem on Algebraic Tori

by R. Granger, F. Vercauteren - In Advances in Cryptology (CRYPTO 2005), Springer LNCS 3621, 66–85 , 2005
Cited by 4 (1 self)
Using a recent idea of Gaudry and exploiting rational representations of algebraic tori, we present an index calculus type algorithm for solving the discrete logarithm problem that works directly in these groups. Using a prototype implementation, we obtain practical upper bounds for the difficulty of solving the DLP in the tori T2(F_{p^m}) and T6(F_{p^m}) for various p and m. Our results do not affect the security of the cryptosystems LUC, XTR, or CEILIDH over prime fields. However, the practical efficiency of our method against other methods needs further examining, for certain choices of p and m in regions of cryptographic interest.

Cryptographic Implications of Hess' Generalized GHS Attack

by Alfred Menezes, Edlyn Teske - Applicable Algebra in Engineering, Communication and Computing , 2004
Cited by 4 (2 self)
A finite field K is said to be weak for elliptic curve cryptography if all instances of the discrete logarithm problem for all elliptic curves over K can be solved in significantly less time than it takes Pollard's rho method to solve the hardest instances. By considering the GHS Weil descent attack, it was previously shown that characteristic two finite fields F_{q^5} are weak. In this paper, we examine characteristic two finite fields F_{q^n} for weakness under Hess' generalization of the GHS attack. We show that the fields F_{q^7} are potentially partially weak in the sense that any instance of the discrete logarithm problem for half of all elliptic curves over F_{q^7}, namely those curves E for which #E(F_{q^7}) is divisible by 4, can likely be solved in significantly less time than it takes Pollard's rho method to solve the hardest instances. We also show that the fields F_{q^3} are partially weak, that the fields F_{q^6} are potentially weak, and that the fields F_{q^8} are potentially partially weak. Finally, we argue that the other fields F_{2^N} where N is not divisible by 3, 5, 6, 7 or 8, are not weak under Hess' generalized GHS attack.

Compression for trace zero subgroups of elliptic curves

by A. Silverberg - Trends in Mathematics 8, 93–100 (2005) Pairings 131, 2004
Cited by 3 (0 self)
We give details of a compression/decompression algorithm for points in trace zero subgroups of elliptic curves over F_{q^r}, for r = 3 and 5.

COMPRESSION IN FINITE FIELDS AND TORUS-BASED CRYPTOGRAPHY

by K. Rubin, A. Silverberg
Cited by 3 (0 self)
This paper is dedicated to the memory of the cat Ceilidh.
We present efficient compression algorithms for subgroups of multiplicative groups of finite fields, we use our compression algorithms to construct efficient public key cryptosystems called T2 and CEILIDH, we disprove some conjectures, and we use the theory of algebraic tori to give a better understanding of our cryptosystems, the Lucas-based, XTR and Gong-Harn cryptosystems, and conjectured generalizations.

A GENERIC APPROACH TO SEARCHING FOR JACOBIANS

by Andrew V. Sutherland - MATHEMATICS OF COMPUTATION , 2009
Cited by 1 (1 self)
We consider the problem of finding cryptographically suitable Jacobians. By applying a probabilistic generic algorithm to compute the zeta functions of low genus curves drawn from an arbitrary family, we can search for Jacobians containing a large subgroup of prime order. For a suitable distribution of curves, the complexity is subexponential in genus 2, and O(N^{1/12}) in genus 3. We give examples of genus 2 and genus 3 hyperelliptic curves over prime fields with group orders over 180 bits in size, improving previous results. Our approach is particularly effective over low-degree extension fields, where in genus 2 we find Jacobians over F_{p^2} and trace zero varieties over F_{p^3} with near-prime orders up to 372 bits in size. For p = 2^61 − 1, the average time to find a group with 244-bit near-prime order is under an hour on a PC.

EFFICIENT HALVING FOR GENUS 3 CURVES OVER BINARY

by Peter Birkner, Nicolas Thériault
In this article, we deal with fast arithmetic in the Picard group of hyperelliptic curves of genus 3 over binary fields. We investigate both the optimal performance curves, where h(x) = 1, and the more general curves where the degree of h(x) is 1, 2 or 3. For the optimal performance curves, we provide explicit halving and doubling formulas; not only for the most frequent case but also for all possible special cases that may occur when performing arithmetic on the proposed curves. In this situation, we show that halving offers equivalent performance to that of doubling when computing scalar multiples (by means of a halve-and-add algorithm) in the divisor class group. For the other types of curves where halving may give performance gains (when the group order is twice an odd number), we give explicit halving formulas which outperform the corresponding doubling formulas by about 10 to 20 field multiplications per halving. These savings more than justify the use of halvings for these curves, making them significantly more efficient than previously thought. For halving on genus 3 curves there is no previous work published so far.

the security of pairing-friendly abelian varieties over non-prime

by Naomi Benger, Manuel Charlemagne, David Mandell Freeman

© 2007-2010 The Pennsylvania State University