Elliptic curves have been intensively studied in number theory and algebraic geometry for over 100 years and there is an enormous amount of literature on the subject. To quote the mathematician Serge Lang: It is possible to write endlessly on elliptic curves. (This is not a threat.) Elliptic curves also figured prominently in the recent proof of Fermat's Last Theorem by Andrew Wiles. Originally pursued for purely aesthetic reasons, elliptic curves have recently been utilized in devising algorithms for factoring integers, primality proving, and in public-key cryptography. In this article, we aim to give the reader an introduction to elliptic curve cryptosystems, and to demonstrate why these systems provide relatively small block sizes, high-speed software and hardware implementations, and offer the highest strength-per-key-bit of any known public-key scheme.

Frey and Rück gave a method to map the discrete logarithm problem in the divisor class group of a curve over  ¢¡ into a finite field discrete logarithm problem in some extension. The discrete logarithm problem in the divisor class group can therefore be solved as long ¥ as is small. In the elliptic curve case it is known that for supersingular curves one ¥§¦© ¨ has. In this paper curves of higher genus are studied. Bounds on the possible values ¥ for in the case of supersingular curves are given. Ways to ensure that a curve is not supersingular are also given. 1.

Abstract. Recently, several algorithms have been suggested for solving the discrete logarithm problem in the Jacobians of high-genus hyperelliptic curves over finite fields. Some of them have a provable subexponential running time and are using the fact that smooth reduced ideals are sufficiently dense. We explicitly show how these density results can be derived. All proofs are purely combinatorial and do not exploit analytic properties of generating functions. 1.

Abstract. We show how to use the parallelized kangaroo method for computing invariants in real quadratic function fields. Specifically, we show how to apply the kangaroo method to the infrastructure in these fields. We also show how to speed up the computation by using heuristics on the distribution of the divisor class number, and by using the relatively inexpensive baby steps in the real quadratic model of a hyperelliptic function field. Furthermore, we provide examples for regulators and class numbers of hyperelliptic function fields of genus 3 that are larger than those ever reported before. 1.

r the main operation on an elliptic curve { computing m-folds { Koblitz [11] proposed the use of a special kind of curves. These Koblitz or sub eld curves are curves de ned over a comparably small nite eld F q . They are then considered as curves over a large extension eld F q n , where n is prime. The arithmetic makes use of the fact that if the curve C is de ned over F q and P = (x; y) 2 F q n F q n lies on C then the point (P ) = (x q ; y q ) lies on C, too. is an endomorphism of the curve called the Frobenius endomorphism. These curves have thoroughly been studied by Koblitz [11, 12], Meier and

Abstract. We present an algorithm for computing the cardinality of the Jacobian of a random Picard curve over a finite field. If the underlying field is a prime field Fp, the algorithm has complexity O ( √ p). 1.

We present several explicit constructions of hyperelliptic function fields whose Jacobian or ideal class group has large 3-rank. Our focus is on finding examples for which the genus and the base field are as small as possible. Most of our methods are adapted from analogous techniques used for generating quadratic number fields whose ideal class groups have high 3-rank, but one method, applicable to finding large l-ranks for odd primes l ≥ 3, is new and unique to function fields. Algorithms, examples, and numerical data are included.

Abstract. We provide a number of results that can be used to derive approximations for the Euler product representation of the zeta function of an arbitrary algebraic function field. Three such approximations are given here. Our results have two main applications. They lead to a computationally suitable algorithm for computing the class number of an arbitrary function field. The ideas underlying the class number algorithms in turn can be used to analyze the distribution of the zeros of its zeta function. 1.

Abstract. We give an explicit treatment of cubic function fields of characteristic at least five. This includes an efficient technique for converting such a field into standard form, formulae for the field discriminant and the genus, simple necessary and sufficient criteria for non-singularity of the defining curve, and a characterization of all triangular integral bases. Our main result is a description of the signature of any rational place in a cubic extension that involves only the defining curve and the order of the base field. All these quantities only require simple polynomial arithmetic as well as a few square-free polynomial factorizations and, in some cases, square and cube root extraction modulo an irreducible polynomial. We also illustrate why and how signature computation plays an important role in computing the class number of the function field. This in turn has applications to the study of zeros of zeta functions of function fields. 1.

. The baby-step giant-step algorithm, due to Shanks, may be used to solve the discrete logarithm problem in arbitrary groups. The paper explores a generalisation of this algorithm, where extra baby steps may be computed after carrying out giant steps (thus increasing the giant step size). The paper considers the problem of deciding how many, and when, extra baby steps should be computed so that the expected cost of the generalised algorithm is minimised. When the logarithms are uniformly distributed over an interval of length n, the expected cost of the generalised algorithm is 6% lower than that of Shanks (achieved at the expense of a slightly larger worst case cost). In some situations where logarithms are far from uniformly distributed, any baby-step giant-step algorithm that computes all its baby steps before taking a giant step must have innite expected cost, but the generalised algorithm has nite expected cost. The results are heuristic, but are supported by eviden...