Elliptic curves have been intensively studied in number theory and algebraic geometry for over 100 years and there is an enormous amount of literature on the subject. To quote the mathematician Serge Lang: It is possible to write endlessly on elliptic curves. (This is not a threat.) Elliptic curves also figured prominently in the recent proof of Fermat's Last Theorem by Andrew Wiles. Originally pursued for purely aesthetic reasons, elliptic curves have recently been utilized in devising algorithms for factoring integers, primality proving, and in public-key cryptography. In this article, we aim to give the reader an introduction to elliptic curve cryptosystems, and to demonstrate why these systems provide relatively small block sizes, high-speed software and hardware implementations, and offer the highest strength-per-key-bit of any known public-key scheme.

Abstract. For counting points of Jacobians of genus 2 curves defined over large prime fields, the best known method is a variant of Schoof’s algorithm. We present several improvements on the algorithms described by Gaudry and Harley in 2000. In particular we rebuild the symmetry that had been broken by the use of Cantor’s division polynomials and design a faster division by 2 and a division by 3. Combined with the algorithm by Matsuo, Chao and Tsujii, our implementation can count the points on a Jacobian of size 164 bits within about one week on a PC. 1

Abstract. — We present a new method for constructing genus 2 curves over a finite field Fn with a given number of points on its Jacobian. This method has important applications in cryptography, where groups of prime order are used as the basis for discrete-log based cryptosystems. Our algorithm provides an alternative to the traditional CM method for constructing genus 2 curves. For a quartic CM field K with primitive CM type, we compute the Igusa class polynomials modulo p for certain small primes p and then use the Chinese remainder theorem (CRT) and a bound on the denominators to construct the class polynomials. We also provide an algorithm for determining endomorphism rings of ordinary Jacobians of genus 2 curves over finite fields, generalizing the work of Kohel for elliptic curves. Résumé (Un algorithme fondé sur le théorème chinois pour construire des courbes de genre 2 sur des corps finis) Nous présentons une nouvelle méthode pour construire des courbes de genre 2 sur un corps fini Fn avec un nombre donné de points sur sa jacobienne. Cette méthode a des applications importantes en cryptographie, où des groupes d’ordre premier sont employés pour former des cryptosystèmes fondés sur le logarithme discret. Notre algorithme fournit une alternative à la méthode traditionnelle de multiplication complexe pour construire des courbes de genre 2. Pour un corps quartique K à multiplication complexe de type primitif, nous calculons les polynômes de classe d’Igusa modulo p pour certain petit premiers p et employons le théorème chinois et une borne sur les dénominateurs pour construire les polynômes de classe. Nous fournissons également un algorithme pour déterminer les anneaux d’endomorphismes des jacobiennes de courbes ordinaires de genre 2 sur des corps finis, généralisant le travail de Kohel pour les courbes elliptiques.

Abstract. In 1986, D. V. Chudnovsky and G. V. Chudnovsky proposed to use formulae coming from Theta functions for the arithmetic in Jacobians of genus 2 curves. We follow this idea and derive fast formulae for the scalar multiplication in the Kummer surface associated to a genus 2 curve, using a Montgomery ladder. Our formulae can be used to design very efficient genus 2 cryptosystems that should be faster than elliptic curve cryptosystems in some hardware configurations.

Abstract. We provide the first explicit construction of genus 2 curves over finite fields whose Jacobians are ordinary, have large prime-order subgroups, and have small embedding degree. Our algorithm is modeled on the Cocks-Pinch method for constructing pairing-friendly elliptic curves [5], and works for arbitrary embedding degrees k and prime subgroup orders r. The resulting abelian surfaces are defined over prime fields Fq with q ≈ r 4. We also provide an algorithm for constructing genus 2 curves over prime fields Fq with ordinary Jacobians J having the property that J[r] ⊂ J(Fq) or J[r] ⊂ J(F q k) for any even k. 1

Abstract. We present probabilistic algorithms which, given a genus 2 curve C defined over a finite field and a quartic CM field K, determine whether the endomorphism ring of the Jacobian J of C is the full ring of integers in K. In particular, we present algorithms for computing the field of definition of, and the action of Frobenius on, the subgroups J[ℓ d] for prime powers ℓ d. We use these algorithms to create the first implementation of Eisenträger and Lauter’s algorithm for computing Igusa class polynomials via the Chinese Remainder Theorem [EL], and we demonstrate the algorithm for a few small examples. We observe that in practice the running time of the CRT algorithm is dominated not by the endomorphism ring computation but rather by the need to compute p 3 curves for many small primes p. 1.

Abstract. We present an algorithm that, on input of a CM-field K, an integer k ≥ 1, and a prime r ≡ 1 mod k, constructs a q-Weil number π ∈ OK corresponding to an ordinary, simple abelian variety A over the field F of q elements that has an F-rational point of order r and embedding degree k with respect to r. We then discuss how CM-methods over K can be used to explicitly construct A. 1

Abstract. One can define class invariants for a quartic primitive CM field K as special values of certain Siegel (or Hilbert) modular functions at CM points corresponding to K. Such constructions were given in [DSG] and [Lau]. We provide explicit bounds on the primes appearing in the denominators of these algebraic numbers. This allows us, in particular, to construct S-units in certain abelian extensions of a reflex field of K, where S is effectively determined by K, and to bound the primes appearing in the denominators of the Igusa class polynomials arising in the construction of genus 2 curves with CM, as conjectured in [Lau]. 1.

r the main operation on an elliptic curve { computing m-folds { Koblitz [11] proposed the use of a special kind of curves. These Koblitz or sub eld curves are curves de ned over a comparably small nite eld F q . They are then considered as curves over a large extension eld F q n , where n is prime. The arithmetic makes use of the fact that if the curve C is de ned over F q and P = (x; y) 2 F q n F q n lies on C then the point (P ) = (x q ; y q ) lies on C, too. is an endomorphism of the curve called the Frobenius endomorphism. These curves have thoroughly been studied by Koblitz [11, 12], Meier and

The purpose of this note is to suggest an analogue for genus 2 curves of part of Gross and Zagier’s work on elliptic curves [GZ84]. Experimentally, for genus 2 curves with CM by a quartic CM field K, it appears that primes dividing the denominators of the discriminants of the Igusa class polynomials all have the property