## Aspects of Hyperelliptic Curves over Large Prime Fields in Software Implementations (2004)

### Download Links

- www.certification.tn
- eprint.iacr.org
- caccioppoli.mac.rub.de

### Other Repositories/Bibliography

- DBLP

Citations: 36 (5 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Avanzi04aspectsof,
  author    = {Roberto Maria Avanzi},
  title     = {Aspects of Hyperelliptic Curves over Large Prime Fields in Software Implementations},
  booktitle = {},
  year      = {2004},
  pages     = {148--162},
  publisher = {Springer-Verlag}
}
```

### Abstract

We present an implementation of elliptic curves and of hyperelliptic curves of genus 2 and 3 over prime fields. To achieve a fair comparison between the different types of groups, we developed an ad-hoc arithmetic library, designed to remove most of the overheads that penalize implementations of curve-based cryptography over prime fields. These overheads get worse for smaller fields, and thus for larger genera at a fixed group size. We also use techniques for delaying modular reductions to reduce the number of modular reductions in the formulae for the group operations. The result is that the performance of hyperelliptic curves of genus 2 over prime fields is much closer to the performance of elliptic curves than previously thought. For groups of 192 and 256 bits the difference is about 14 % and 15 % respectively.

### Citations

Works cited by this paper. Each entry gives the number of documents citing the cited work, its title, author(s) and year, and, where available, the passage of the paper in which it is cited.

413 | Modular Multiplication Without Trial Division. Montgomery, 1985.
Citation context: ...ned to allow efficient reference implementations of EC and HEC over prime fields. It implements arithmetic operations in rings $\mathbb{Z}/N\mathbb{Z}$ with $N$ odd, with the elements stored in Montgomery's representation [31], and the reduction algorithm is Montgomery's REDC function – see § 2.1.3 for some more details. Many optimization techniques employed are similar to those in [6]. nuMONGO is written in C++ to take ad...

255 | Selecting Cryptographic Key Sizes. Lenstra, Verheul.
Citation context: ...HEC. Cryptosystems based on EC need a much shorter key than RSA or systems based on the DLP in finite fields: A 160-bit EC key is considered to offer security equivalent to that of a 1024-bit RSA key [25]. Since the best known methods to solve the DLP on EC and on HEC of genus smaller than 4 have the same complexity, these curves offer the same security level, but HEC of genus 4 or higher offer less s...

201 | A subexponential algorithm for discrete logarithms over all finite fields. Adleman, DeMarrais, 1993.

155 | Computing in the Jacobian of a Hyperelliptic Curve. Cantor, 1987.
Citation context: ...+1. In general, the points on C do not form a group. Instead, the ideal class group is used, which is isomorphic to the Jacobian variety of C. Its elements are represented by pairs of polynomials and [7] showed how to compute with group elements in this form. A generic ideal class is represented by a pair of... [Table 2: Costs of Group Operations on EC and HEC (doubling and addition costs per operation)] ...

154 | A survey of fast exponentiation methods. Gordon, 1998.
Citation context: ... in the addition and 14 in the doubling (see Table 2). 2.4 Scalar Multiplication. There are many methods for computing a scalar multiplication in a generic group, which can be used for EC and HEC. See [15] for a survey. A simple method for computing $s \cdot D$ for an integer $s$ and an ideal class $D$ is based on the binary representation of $s$. If $s = \sum_{i=0}^{n-1} s_i 2^i$ where each $s_i = 0$ or $1$, then $n \cdot D$ can be comp...

145 | Hyperelliptic cryptosystems. Koblitz, 1989.
Citation context: ...nd 15% respectively. Keywords. Elliptic and hyperelliptic curves, cryptography, efficient implementation, prime field arithmetic, lazy and incomplete modular reduction. 1 Introduction. In 1988 Koblitz [21] proposed to use hyperelliptic curves (HEC) as an alternative to elliptic curves (EC) for designing cryptosystems based on the discrete logarithm problem (DLP). EC are just the genus 1 HEC. Cryptosyst...

143 | Efficient elliptic curve exponentiation using mixed coordinates. Cohen, Miyaji, et al., 1998.
Citation context: ...here the polynomial $x^3 + a_4 x + a_6$ has no multiple roots. The set of points of E over (any extension of) the field F and the point at infinity O form a group. There are 5 different coordinate systems [9]: affine (A), the finite points "being" the pairs $(x, y)$ that satisfy (1); projective (P), also called homogeneous, where a point $[X, Y, Z]$ corresponds to $(X/Z, Y/Z)$ in affine coordinates; Jacobian (...

89 | Fast evaluation of logarithms in fields of characteristic two. Coppersmith, 1984.

86 | An improved algorithm for arithmetic on a family of elliptic curves. Solinas, 1997.
Citation context: ... $\sum_{i=0}^{n} s_i 2^i$ with $s_i \in \{0, \pm 1\}$ and $s_i s_{i+1} = 0$. This leads to a method needing $n$ doublings and on average $n/3 - 1$ additions or subtractions. A generalization of the NAF uses "sliding windows": The wNAF [37, 8] of the integer $s$ is a representation $s = \sum_{j=0}^{n} s_j 2^j$ where the integers $s_j$ satisfy the following two conditions: (i) either $s_j = 0$ or $s_j$ is odd and $|s_j| < 2^w$; (ii) of any $w+1$ consecutive co...

80 | Binary arithmetic. Reitwiesner, 1960.
Citation context: ...ge $n/2 - 1$ additions on the curve (the first addition is replaced by an assignment). On EC and HEC, adding and subtracting an element have the same cost. Hence one can use the non-adjacent form (NAF) [34], which is an expansion $s = \sum_{i=0}^{n} s_i 2^i$ with $s_i \in \{0, \pm 1\}$ and $s_i s_{i+1} = 0$. This leads to a method needing $n$ doublings and on average $n/3 - 1$ additions or subtractions. A generalization of the NAF uses...

78 | An algorithm for solving the discrete log problem on hyperelliptic curves. Gaudry.
Citation context: ...the best known methods to solve the DLP on EC and on HEC of genus smaller than 4 have the same complexity, these curves offer the same security level, but HEC of genus 4 or higher offer less security [12, 38]. Until recently, HEC have been considered not practical [36] because of the difficulty of finding suitable curves and their poor performance with respect to EC. In the subsequent years the situation ...

58 | An Elementary Introduction to Hyperelliptic Curves. Menezes, Wu, et al., 1998.
Citation context: ...noted by $2C_1 = C_2$. The number of REDCs is given separately from the multiplications and squarings. 2.3.2 Hyperelliptic Curves. An excellent, low-brow introduction to hyperelliptic curves is given in [28], including proofs of the facts used below. A hyperelliptic curve C of genus g over a finite field $\mathbb{F}_q$ of odd characteristic is defined by a Weierstrass equation $y^2 = f(x)$, where $f$ is a monic, square...

58 | Counting Points on Hyperelliptic Curves over Finite Fields. Gaudry, Harley, 2000.

54 | Software implementation of the NIST elliptic curves over prime fields. Brown, Hankerson, et al., 2001.
Citation context: ...tored in Montgomery's representation [31], and the reduction algorithm is Montgomery's REDC function – see § 2.1.3 for some more details. Many optimization techniques employed are similar to those in [6]. nuMONGO is written in C++ to take advantage of inline functions, overloaded functions statically resolved at compile time for clarity of coding, and operator overloading for I/O only. All arithmetic...

54 | A general framework for subexponential discrete logarithm algorithms. Enge, Gaudry.

50 | Construction de courbes de genre 2 à partir de leurs modules (Construction of genus 2 curves from their moduli). Mestre, 1991.
Citation context: ... 2 and 3 HEC whose Jacobian has almost prime order of cryptographic relevance. Over prime fields one can either count points in genus 2 [13], or use the complex multiplication (CM) method for genus 2 [29, 39] and 3 [39]. (Footnote ⋆: This research has been supported by the Commission of the European Communities through the IST Programme under Contract IST-2001-32613, see http://www.arehcc.com.) Secondly, the perform...

49 | Formulae for Arithmetic on Genus 2 Hyperelliptic Curves. Lange, September 2003. http://www.ruhr-uni-bochum.de/itsc/tanja/preprints/expl_sub.pdf
Citation context: ...mance of the HEC group operations has been considerably improved. For genus 2 the first results were due to Harley [17]. The state of the art is now represented by the explicit formulae of Lange: see [23, 24] and further references therein. For genus 3, see [32, 33] (and also [14]). HEC are attractive to designers of embedded hardware since they require smaller fields than EC: The order of the Jacobian of...

47 | A Cryptographic Library for the Motorola DSP56000. Dussé, Kaliski, 1991.
Citation context: ...somewhat more expensive, but still much faster than the naive reduction involving long divisions. We did not use the interleaved multiplication with reduction [31]: It usually performs better on DSPs [11], but not on general-purpose CPUs with few registers. 2.1.4 Inversion. With the exception of 32-bit operands, inversion is based on the extended binary GCD, and uses an almost-inverse technique [19] wi...

44 | Index calculus attack for hyperelliptic curves of small genus. Thériault, 2003.
Citation context: ...the best known methods to solve the DLP on EC and on HEC of genus smaller than 4 have the same complexity, these curves offer the same security level, but HEC of genus 4 or higher offer less security [12, 38]. Until recently, HEC have been considered not practical [36] because of the difficulty of finding suitable curves and their poor performance with respect to EC. In the subsequent years the situation ...

41 | Hyperelliptic Curve Cryptosystems: Closing the Performance Gap to Elliptic Curves. Pelzl, Wollinger, et al.
Citation context: ...proved. For genus 2 the first results were due to Harley [17]. The state of the art is now represented by the explicit formulae of Lange: see [23, 24] and further references therein. For genus 3, see [32, 33] (and also [14]). HEC are attractive to designers of embedded hardware since they require smaller fields than EC: The order of the Jacobian of a HEC of genus $g$ over a field with $q$ elements is $\approx q^g$. ...

39 | Efficient Elliptic Curve Exponentiation. Miyaji, Ono, et al., 1997.
Citation context: ... $\sum_{i=0}^{n} s_i 2^i$ with $s_i \in \{0, \pm 1\}$ and $s_i s_{i+1} = 0$. This leads to a method needing $n$ doublings and on average $n/3 - 1$ additions or subtractions. A generalization of the NAF uses "sliding windows": The wNAF [37, 8] of the integer $s$ is a representation $s = \sum_{j=0}^{n} s_j 2^j$ where the integers $s_j$ satisfy the following two conditions: (i) either $s_j = 0$ or $s_j$ is odd and $|s_j| < 2^w$; (ii) of any $w+1$ consecutive co...

37 | Construction of secure random curves of genus 2 over prime fields. Gaudry, Schost, 2004.
Citation context: ...nged. Firstly, it is now possible to efficiently construct genus 2 and 3 HEC whose Jacobian has almost prime order of cryptographic relevance. Over prime fields one can either count points in genus 2 [13], or use the complex multiplication (CM) method for genus 2 [29, 39] and 3 [39]. (Footnote ⋆: This research has been supported by the Commission of the European Communities through the IST Programme under Contra...)

30 | Efficient Arithmetic on Genus 2 Hyperelliptic Curves over Finite Fields via Explicit Formulae. Lange, 2002. Cryptology ePrint Archive, Report 2002/121.
Citation context: ...mance of the HEC group operations has been considerably improved. For genus 2 the first results were due to Harley [17]. The state of the art is now represented by the explicit formulae of Lange: see [23, 24] and further references therein. For genus 3, see [32, 33] (and also [14]). HEC are attractive to designers of embedded hardware since they require smaller fields than EC: The order of the Jacobian of...

30 | On the performance of hyperelliptic cryptosystems. Smart, 1999.
Citation context: ... smaller than 4 have the same complexity, these curves offer the same security level, but HEC of genus 4 or higher offer less security [12, 38]. Until recently, HEC have been considered not practical [36] because of the difficulty of finding suitable curves and their poor performance with respect to EC. In the subsequent years the situation changed. Firstly, it is now possible to efficiently construct...

27 | Comparison of three modular reduction functions. Bosselaers, Govaerts, et al., 1994.
Citation context: ... hence $R^2 \bmod N$ should be computed during system initialization. Now $\bar{x}\bar{y} \equiv xR \cdot yR \equiv xyR \pmod{N}$, so $\overline{xy} = \mathrm{REDC}(\bar{x}\bar{y})$ can be computed without any division by $N$. We implemented REDC by the following method [5], which requires the inverse $n'_0$ of $N$ modulo the machine radix $\beta = 2^{32}$. Function REDC(x). INPUT: A $2\ell$-word integer $x = (x_{2\ell-1}, \ldots, x_1, x_0)$, and $N$, $n'_0$ and $\beta$ as above. OUTPUT: The $\ell$-word integer $y$ su...

21 | A Fast Addition Algorithm of Genus Two Hyperelliptic Curve. Miyamoto, Doi, et al.
Citation context: ...f(x)). The affine coordinates are the $2g$-tuple $[U_{g-1}, \ldots, U_1, U_0, V_{g-1}, \ldots, V_1, V_0]$. 2.3.2.1 Genus 2. For genus 2 there are two more coordinate systems besides affine (A): in projective coordinates (P) [30]: a quintuple $[U_1, U_0, V_1, V_0, Z]$ corresponds to the ideal class represented by $[x^2 + (U_1/Z)\,x + U_0/Z,\; (V_1/Z)\,x + V_0/Z]$; with Lange's new coordinates (N) [24], the sextuple $[U_1, U_0, V_1, V_0, Z_1, Z_2]$ corresponds to th...

19 | A generalization of the binary gcd algorithm. Jebelean, 1993.
Citation context: ...r hyperelliptic curves, fields are quite small (32 to 128 bits in most cases), hence our inversion routines have optimal performance anyway. Therefore, Lehmer's method or the improvements by Jebelean [18] or Lercier [26] have not been included in the final version of the library. 2.1.5 Performance. In Table 1 we show some timings of basic operations with gmp version 4.1 and nuMONGO. The timings have b...

18 | Algorithmique des courbes elliptiques dans les corps finis (Algorithmics of elliptic curves over finite fields). Lercier, 1997.
Citation context: ...curves, fields are quite small (32 to 128 bits in most cases), hence our inversion routines have optimal performance anyway. Therefore, Lehmer's method or the improvements by Jebelean [18] or Lercier [26] have not been included in the final version of the library. 2.1.5 Performance. In Table 1 we show some timings of basic operations with gmp version 4.1 and nuMONGO. The timings have been measured on ...

14 | Fast implementation of elliptic curve arithmetic. Lim, Hwang, 2000.
Citation context: ...C. To use most modular reduction algorithms, including Montgomery's, at the end of the summation, we have to make sure that all partial sums of $\sum a_i b_i$ are smaller than $p\,2^w$. Some authors (for example [27]) suggested to use small primes, to guarantee that the condition $\sum a_i b_i < p\,2^w$ is ... (Footnote 1: In some cases gcc 2.95.3 produced the fastest code when optimizing nuMONGO for size (-Os), not for speed! This seems ...)

13 | On the Practical Performance of Hyperelliptic Curve Cryptosystems. Sakai, Sakurai, 2000.
Citation context: ... of curves or in the use of prime moduli of special form. There have been several software implementations of HEC on personal computers and workstations. Most of those are in even characteristic (see [35, 32], [33], and also [40, 41]), but some are over prime fields [22, 35]. It is now known that in even characteristic, HEC can offer performance comparable to EC. Until now there have been no concrete resu...

13 | Konstruktion kryptographisch geeigneter Kurven mit komplexer Multiplikation (Construction of cryptographically suitable curves with complex multiplication). Weng, 2001.
Citation context: ... 2 and 3 HEC whose Jacobian has almost prime order of cryptographic relevance. Over prime fields one can either count points in genus 2 [13], or use the complex multiplication (CM) method for genus 2 [29, 39] and 3 [39]. (Footnote ⋆: This research has been supported by the Commission of the European Communities through the IST Programme under Contract IST-2001-32613, see http://www.arehcc.com.) Secondly, the perform...

11 | Countermeasures Against Differential Power Analysis for Hyperelliptic Curve Cryptosystems. Avanzi, 2003.
Citation context: ...y an HEC of genus 2 with $q \approx 2^{80}$, and genus 3 with $q \approx 2^{53}$. There has also been research on securing implementations of HEC on embedded devices against differential and Goubin-type power analysis [2]. The purpose of this paper is to present a thorough, fair and unbiased comparison of the relative performance merits of generic EC and HEC of small genus 2 or 3 over prime fields. We are not interest...

10 | Exponentiation cryptosystems on the IBM PC. Comba, 1990.
Citation context: ...ut gave no speed-up over the 96 and 128-bit routines). 2.1.2 Multiplication. We begin with two algorithms to multiply "smallish" multi-precision operands: Schoolbook multiplication and Comba's method [10]. The next two algorithms take as input two $\ell$-word integers $u = (u_{\ell-1}, \ldots, u_1, u_0)$ and $v = (v_{\ell-1}, \ldots, v_0)$, and output the $2\ell$-word integer $r = (r_{2\ell-1}, \ldots, r_0)$ such that $r = uv$. Schoolbook multiplication 1...

9 | Generic Efficient Arithmetic Algorithms for PAFFs (Processor Adequate Finite Fields) and Related Algebraic Structures. Avanzi, Mihălescu, 2003.
Citation context: ...(m+R) ratio than gmp. This shows how big the overheads in general-purpose libraries are for such small inputs. 2.2 Lazy and Incomplete Reduction. Lazy and incomplete modular reduction are described in [3]. Here, we give a short treatment. Let $p < 2^w$ be a prime, where $w$ is a fixed integer. We consider expressions of the form $\sum_{i=1}^{d} a_i b_i \bmod p$ with $0 \le a_i, b_i < p$. Such expressions occur in the explicit...

9 | Improvements Of Addition Algorithm On Genus 3 Hyperelliptic Curves And Their Implementations. Gonda, Matsuo, et al., 2004.
Citation context: ... the first results were due to Harley [17]. The state of the art is now represented by the explicit formulae of Lange: see [23, 24] and further references therein. For genus 3, see [32, 33] (and also [14]). HEC are attractive to designers of embedded hardware since they require smaller fields than EC: The order of the Jacobian of a HEC of genus $g$ over a field with $q$ elements is $\approx q^g$. This means that...

8 | Fast arithmetic on genus two curves. Harley, 2000. Available at http://cristal.inria.fr/~harley/hyper
Citation context: ...ramme under Contract IST-2001-32613 (see http://www.arehcc.com). Secondly, the performance of the HEC group operations has been considerably improved. For genus 2 the first results were due to Harley [17]. The state of the art is now represented by the explicit formulae of Lange: see [23, 24] and further references therein. For genus 3, see [32, 33] (and also [14]). HEC are attractive to designers of ...

7 | A subexponential algorithm for solving the discrete logarithm problem in the Jacobian of high genus hyperelliptic curves over arbitrary finite fields. Bauer, 1998.

7 | Cardinality of a genus 2 hyperelliptic curve over GF(5... (title truncated in source). Gaudry, 2002.

6 | The Montgomery inverse and its applications. Kaliski Jr., 1995.
Citation context: ...Ps [11], but not on general-purpose CPUs with few registers. 2.1.4 Inversion. With the exception of 32-bit operands, inversion is based on the extended binary GCD, and uses an almost-inverse technique [19] with final multiplication from a table of precomputed powers of 2 mod N. This was the fastest approach up to about 192 bits. For 32-bit operands we got better performance with the extended Euclidean ...

6 | Fast Hyperelliptic Curve Cryptosystems for Embedded Processors. Pelzl, 2002.
Citation context: ...proved. For genus 2 the first results were due to Harley [17]. The state of the art is now represented by the explicit formulae of Lange: see [23, 24] and further references therein. For genus 3, see [32, 33] (and also [14]). HEC are attractive to designers of embedded hardware since they require smaller fields than EC: The order of the Jacobian of a HEC of genus $g$ over a field with $q$ elements is $\approx q^g$. ...

4 | A Note on the Sliding Window Integer Recoding and its Left-To-Right Analogue. Avanzi.
Citation context: ...d on the wNAF one first precomputes the ideal classes $D, 3D, \ldots, (2^w - 1)D$, and then performs a double-and-add step like (2). A left-to-right recoding with the same density as the wNAF can be found in [4]. 3 Results, Comparisons and Conclusions. Table 4 reports the timings of our implementation. Since nuMONGO provides support only for moduli up to 256 bits, EC are tested only on fields up to that size....

4 | Anwendung hyperelliptischer Kurven in der Kryptographie (Application of hyperelliptic curves in cryptography). Krieger, 1997.
Citation context: ...e been several software implementations of HEC on personal computers and workstations. Most of those are in even characteristic (see [35, 32], [33], and also [40, 41]), but some are over prime fields [22, 35]. It is now known that in even characteristic, HEC can offer performance comparable to EC. Until now there have been no concrete results showing the same for prime fields. Traditional implementations ...

2 | A software library for arbitrary precision integers. GMP. Available from http://www.swox.com/gmp
Citation context: ...omparable to EC. Until now there have been no concrete results showing the same for prime fields. Traditional implementations such as [22] are based on general-purpose software libraries, such as gmp [16]. These libraries introduce overheads which are quite significant for small operands such as those occurring in curve cryptography, and get worse as the fields get smaller. Moreover, gmp has no native...

1 | AMD-K6-2 Processor Data Sheet. Advanced Micro Devices. http://www.amd.com/us-en/assets/content_type/white_papers_and_tech_docs/21850.pdf
Citation context: ...ur experience, Comba's method did not perform better than the schoolbook method (on the ARM the situation is different). This may be due to the fact that the Athlon CPU has a write-back level 1 cache [1], hence several close writes to the same memory location cost little more than one generic write. For $n = 192$ and $n = 256$ we reduced an $n$-bit multiplication to three $n/2$-bit multiplications by means of...

1 | Engineering Aspects of Hyperelliptic Curves. Wollinger, 2004.
Citation context: ...of prime moduli of special form. There have been several software implementations of HEC on personal computers and workstations. Most of those are in even characteristic (see [35, 32], [33], and also [40, 41]), but some are over prime fields [22, 35]. It is now known that in even characteristic, HEC can offer performance comparable to EC. Until now there have been no concrete results showing the same for ...

1 | nuMONGO and Description and Use of the nuMONGO Library. Avanzi. A software library and related documentation, available from the author.

1 | On Satoh's algorithm and its implementation. Fouquet, Gaudry, et al., 2000. LIX/RR/00/06.