## Constructing hyperelliptic curves of genus 2 suitable for cryptography (2003)

### Cached

### Download Links

- [www.ams.org]
- [www.ams.org]
- [www.ams.org]
- DBLP

### Other Repositories/Bibliography

Venue: | Math. Comp |

Citations: | 29 - 2 self |

### BibTeX

@ARTICLE{Weng03constructinghyperelliptic,

author = {Annegret Weng},

title = {Constructing hyperelliptic curves of genus 2 suitable for cryptography},

journal = {Math. Comp},

year = {2003},

volume = {72},

pages = {435--458}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. In this article we show how to generalize the CM-method for elliptic curves to genus two. We describe the algorithm in detail and discuss the results of our implementation. 1.

### Citations

333 |
lectures on theta
- Mumford, “Tata
- 1984
(Show Context)
Citation Context ...ve (see [19], [10], [9], [21]). Now we adapt the theory to our situation: Note that Jacobians of hyperelliptic curves of genus 2 are exactly the principally polarized abelian varieties of dimension 2 =-=[13]-=-. Let K0 = Q( √ d), d ∈ N, be a real quadratic number field of class number one. Suppose α = a + b √ d is squarefree and totally positive (i.e., a ± b √ d>0). Then K = Q(i √ α) is a CM-field of degree... |

310 |
The Art of Computer Programming. Vol. 2. Seminumerical Algorithms
- Knuth
- 1997
(Show Context)
Citation Context ...thmetic. We used the library NTL written in C++ (http://www.shoup.net/ntl/). 11. Statistics 11.1. Primes interesting for implementations. Some primes are especially well suited for implementions (see =-=[6]-=-, [20]). In Table 3 we give a list of Mersenne primes and generalized Mersenne primes. We tested whether they split in a given CM-field or not, and whether the corresponding group order contains a lar... |

302 | An improved algorithm for computing logarithms over GF(p) and its cryptographic significance
- Pohlig, Hellman
(Show Context)
Citation Context ...as some advantages. To ensure the security of a cryptosystem based on the discrete logarithm problem in a finite abelian group, we have to make sure that the group order contains a large prime factor =-=[18]-=-. More precisely, the group order should either be prime or a product of a prime and a small number. For hyperelliptic curves, finding the group order of the Jacobian seems to be a nontrivial task. Up... |

162 | Elliptic curves and primality proving
- Atkin, Morain
(Show Context)
Citation Context ... part of his algorithm deals with the construction of elliptic curves with given group order. It is based on the theory of complex multiplication and was investigated in detail by Atkin and Morain in =-=[2]-=-. The complex multiplication method (short: CM-method) turned out to be a very efficient algorithm for producing elliptic curves used for cryptosystems. Although point counting on randomly chosen elli... |

100 |
Algorithmic algebraic number theory
- Pohst, Zassenhaus
- 1989
(Show Context)
Citation Context ...3 1 10 17 12 19 12 29 12 47 12 61 12 For demonstration we list a few CM-fields with class number 5 and 6 and the denominator of H1(X)inTable5. Appendix This algorithm is a generalization of (3.15) in =-=[17]-=-. Given a symmetric matrix A ∈ Rk2 C ∈ R, it finds the set of vectors x ∈ Zk such that (4) , a fixed vector ɛ ∈ (R + ) k and a constant (x + ɛ) t A(x + ɛ) ≤ C. First we compute an upper triangular mat... |

91 |
Abelian Varieties With Complex Multiplication And Modular Functions
- Shimura
- 1998
(Show Context)
Citation Context ...rom now on we assume that K does not contain a cyclotomic field. Then there are two, resp. four possibilities for the group order. 3. Complex multiplication In this section we refer to the literature =-=[19]-=-, [10], [9], [21]. We will only give the definitions that are necessary to understand the algorithm. Every abelian variety of dimension n over C is isomorphic to C n /L for some lattice L. Further, we... |

58 | Counting Points on Hyperelliptic Curves over Finite Fields
- Gaudry, Harley
- 2000
(Show Context)
Citation Context ...0 ). Gaudry and Harley have recently implemented a generalisation of Schoof-Atkin-Elkies and were able to determine the order of the Jacobian of a curve of genus two defined over Fp where p =10 19 +51=-=[4]-=-. Received by the editor January 19, 2001 and, in revised form, March 29, 2001. 2000 Mathematics Subject Classification. Primary 11Y16, 11Y40, 94A60; Secondary 14K22, 14H45. This work was supported by... |

53 |
Arithmetic variety of moduli for genus two
- Igusa
- 1960
(Show Context)
Citation Context ...hreejinvariants are rational generators of the field of absolute invariants. Two principally polarized abelian varieties of dimension two are isomorphic if and only if they have the same j-invariants =-=[5]-=-. These are given by h10 j1 := I5 2 , j2 := I10 I4I3 2 , j3 := I10 I6I2 2 . I10 6. From Igusa’s invariants to Mestre’s invariants Since the absolute Igusa invariants j1,j2,j3 are rational generators o... |

51 |
The number of points on an elliptic curve modulo a prime. manuscript
- Atkin
- 1988
(Show Context)
Citation Context ...this article we show how to generalize the CM-method for elliptic curves to genus two. We describe the algorithm in detail and discuss the results of our implementation. 1. Introduction In 1986 Atkin =-=[1]-=- proposed an algorithm for primality proving using elliptic curves. An important part of his algorithm deals with the construction of elliptic curves with given group order. It is based on the theory ... |

50 |
Construction de courbes de genre 2 à partir de leurs modules
- Mestre
- 1991
(Show Context)
Citation Context ...e case of genus two. Spallek gave two examples with class number one in her thesis. Wang [23] and Weber [24] suggested replacing the computation of Gröbner bases with an efficient algorithm by Mestre =-=[12]-=-. Based on Spallek’s work, van Wamelen constructed all curves defined over Q having complex multiplication [22]. A complete description and implementation of the CM-method for g =2does not yet exist i... |

46 | Generalized Mersenne numbers
- Solinas
- 1999
(Show Context)
Citation Context ...ic. We used the library NTL written in C++ (http://www.shoup.net/ntl/). 11. Statistics 11.1. Primes interesting for implementations. Some primes are especially well suited for implementions (see [6], =-=[20]-=-). In Table 3 we give a list of Mersenne primes and generalized Mersenne primes. We tested whether they split in a given CM-field or not, and whether the corresponding group order contains a large pri... |

37 |
Kurven vom Geschlecht 2 und ihre Anwendung in Public-KeyKryptosystemen
- Spallek
- 1994
(Show Context)
Citation Context ... possible solution to the group order problem on hyperelliptic curves over finite fields. There exists a generalisation of the elliptic curve algorithm with complex multiplication by Frey and Spallek =-=[21]-=- in the case of genus two. Spallek gave two examples with class number one in her thesis. Wang [23] and Weber [24] suggested replacing the computation of Gröbner bases with an efficient algorithm by M... |

32 |
Introduction to Algebraic and Abelian Functions
- Lang
- 1982
(Show Context)
Citation Context ...e assume that K does not contain a cyclotomic field. Then there are two, resp. four possibilities for the group order. 3. Complex multiplication In this section we refer to the literature [19], [10], =-=[9]-=-, [21]. We will only give the definitions that are necessary to understand the algorithm. Every abelian variety of dimension n over C is isomorphic to C n /L for some lattice L. Further, we know that ... |

22 |
Primality of the number of points on an elliptic curve over a finite field
- Koblitz
- 1988
(Show Context)
Citation Context ... on the group order. In the case where OK = OK0 +ηOK0 with a purely imaginary element η ∈OK, the group order can easily be seen to be a multiple of 4. It is possible to generalize the heuristics from =-=[7]-=-, p. 162, on the probability of prime group order to hyperelliptic curves with complex multiplication. This requires more theoretical background, and will be covered by the author in a forthcoming pap... |

15 |
Comparing real and imaginary arithmetics for divisor class groups of hyperelliptic curves
- Paulus, Stein
(Show Context)
Citation Context ...class polynomial. In most cases s equals 2hK. Especially we have to compute s3 scalar multiplications on a hyperelliptic Jacobian. Every scalar multiplication takes O(g 2 log p) field operations (see =-=[16]-=- for the complexity of a single composition on a hyperelliptic Jacobian). Thus as an overall complexity (once the class polynomial is computed) we get O((2hK) 3 log p) operations in Fp. Table 2. CM-fi... |

13 |
Wamelen, Examples of genus two CM curves defined over the rationals
- van
- 1999
(Show Context)
Citation Context ...nts and generalizations of the CM-method, as well as the computational limits. First we would like to mention an idea of van Wamelen to speed up the computation of the theta constants. He suggests in =-=[22]-=- to apply generators of the group Sp2(Z)totheperiodmatrixΩi in order to maximize the first successive minima of Ωi. We would like to mention that our method does not work for fields of small character... |

10 |
zur Gathen and Victor Shoup, Computing Frobenius maps and factoring polynomials
- von
- 1992
(Show Context)
Citation Context ...polynomial of a CM-fields of class number 10. The second part is the application of Mestre’s algorithm. First we have to factor the class polynomial. There exists an efficient probabilistic algorithm =-=[3]-=- which takes O(n 2+ɛ + n log p) operations in Fp, wherenis the degree of the polynomial. In our situation the degree of the polynomial is bounded and small. So we can estimate the number of operations... |

10 |
2-dimensional simple factors of J0(N
- Wang
- 1995
(Show Context)
Citation Context ...sts a generalisation of the elliptic curve algorithm with complex multiplication by Frey and Spallek [21] in the case of genus two. Spallek gave two examples with class number one in her thesis. Wang =-=[23]-=- and Weber [24] suggested replacing the computation of Gröbner bases with an efficient algorithm by Mestre [12]. Based on Spallek’s work, van Wamelen constructed all curves defined over Q having compl... |

8 |
Determination of all non-normal quartic CM-fields and of all non-abelian normal octic CM-fields with class number one
- Louboutin, Okazaki
- 1994
(Show Context)
Citation Context ...venth column gives the precision which is necessary for the computations to get the right result. The eighth column gives thetimeinseconds. Some of the CM-fields are taken from the tables in [15] and =-=[11]-=-. We were able to compute the class polynomial of a CM-fields of class number 10. The second part is the application of Mestre’s algorithm. First we have to factor the class polynomial. There exists a... |

6 |
On evaluation of L-functions over real quadratic fields
- Okazaki
- 1991
(Show Context)
Citation Context ...l. The seventh column gives the precision which is necessary for the computations to get the right result. The eighth column gives thetimeinseconds. Some of the CM-fields are taken from the tables in =-=[15]-=- and [11]. We were able to compute the class polynomial of a CM-fields of class number 10. The second part is the application of Mestre’s algorithm. First we have to factor the class polynomial. There... |

3 |
Hyperelliptic simple factors of J0(N) with dimension at least 3. Experiment
- Weber
- 1997
(Show Context)
Citation Context ...ation of the elliptic curve algorithm with complex multiplication by Frey and Spallek [21] in the case of genus two. Spallek gave two examples with class number one in her thesis. Wang [23] and Weber =-=[24]-=- suggested replacing the computation of Gröbner bases with an efficient algorithm by Mestre [12]. Based on Spallek’s work, van Wamelen constructed all curves defined over Q having complex multiplicati... |

1 |
lecture on theta,vol.1,Birkhäuser
- Mumford, Tata
- 1983
(Show Context)
Citation Context ...ve (see [19], [10], [9], [21]). Now we adapt the theory to our situation: Note that Jacobians of hyperelliptic curves of genus 2 are exactly the principally polarized abelian varieties of dimension 2 =-=[13]-=-. Let K0 = Q( √ d), d ∈ N, be a real quadratic number field of class number one. Suppose α = a + b √ d is squarefree and totally positive (i.e., a ± b √ d>0). Then K = Q(i √ α) is a CM-field of degree... |

1 |
lecture on theta,vol.2,Birkhäuser
- Tata
- 1984
(Show Context)
Citation Context ...al polarization the lattice can be given by Z n +ΩZ n , where Ω lies in the Siegel upper half plane Hn = {z ∈ Mn(C),z t = z,Imz positive definite}. Every Jacobian variety has a principal polarization =-=[14]-=-. Let End(A) be the endomorphism ring of a simple abelian variety over C. The field End(A) ⊗ Q is either a totally real number field or an imaginary quadratic extension of a totally real number field ... |