## An algorithm for solving the discrete log problem on hyperelliptic curves (2000)

Citations: | 86 - 7 self |

### BibTeX

@INPROCEEDINGS{Gaudry00analgorithm,

author = {Pierrick Gaudry},

title = {An algorithm for solving the discrete log problem on hyperelliptic curves},

booktitle = {},

year = {2000},

pages = {pages},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. We present an index-calculus algorithm for the computation of discrete logarithms in the Jacobian of hyperelliptic curves defined over finite fields. The complexity predicts that it is faster than the Rho method for genus greater than 4. To demonstrate the efficiency of our approach, we describe our breaking of a cryptosystem based on a curve of genus 6 recently proposed by Koblitz. 1

### Citations

762 |
Elliptic curve cryptosystems
- Koblitz
(Show Context)
Citation Context ...y proposed by Koblitz. 1 Introduction The use of hyperelliptic curves in public-key cryptography was first proposed by Koblitz in 1989 [24]. It appears as an alternative to the use of elliptic curves =-=[23]-=- [31], with the advantage that it uses a smaller base field for the same level of security. Several authors have given ways to build hyperelliptic cryptosystems efficiently. The security of such syste... |

575 |
Use of Elliptic Curve in Cryptography
- Miller
- 1985
(Show Context)
Citation Context ...posed by Koblitz. 1 Introduction The use of hyperelliptic curves in public-key cryptography was first proposed by Koblitz in 1989 [24]. It appears as an alternative to the use of elliptic curves [23] =-=[31]-=-, with the advantage that it uses a smaller base field for the same level of security. Several authors have given ways to build hyperelliptic cryptosystems efficiently. The security of such systems re... |

310 |
Reducing elliptic curve logarithms to logarithms in a ¯nite ¯eld
- Menezes, Okamoto, et al.
- 1993
(Show Context)
Citation Context ...e most important examples [34], [46], [17]. For the elliptic curve discrete logarithm problem, there are some particular cases where a solution can be found with a complexity better than O( √ n). See =-=[30]-=-, [38], [40], [37]. Similar cases were discovered for hyperelliptic curves [14], [35]. However they are very particular and can be easily avoided when designing a cryptosystem. In 1994, Adleman, DeMar... |

244 |
Monte Carlo methods for index computation mod p
- Pollard
- 1978
(Show Context)
Citation Context ...with such a complexity exist for generic groups and can be applied to hyperelliptic curves, but are still exponential. The Pollard Rho method and its parallel variants are the most important examples =-=[34]-=-, [46], [17]. For the elliptic curve discrete logarithm problem, there are some particular cases where a solution can be found with a complexity better than O( √ n). See [30], [38], [40], [37]. Simila... |

232 | Lower bounds for discrete logarithms and related problems
- Shoup
(Show Context)
Citation Context ...ficulty of solving the discrete logarithm problem in the Jacobian of hyperelliptic curves. If an algorithm tries to solve this problem performing “simple” group operations only, it was shown by Shoup =-=[39]-=- that the complexity is at least Ω( √ n), where n is the largest prime dividing the order of the group. Algorithms with such a complexity exist for generic groups and can be applied to hyperelliptic c... |

214 |
A subexponential algorithm for discrete logarithms over the rational subgroup of the jacobians of large genus hyperelliptic curves over finite fields”, Algorithmic Number Theory
- Adleman, DeMarrais, et al.
- 1994
(Show Context)
Citation Context ...37]. Similar cases were discovered for hyperelliptic curves [14], [35]. However they are very particular and can be easily avoided when designing a cryptosystem. In 1994, Adleman, DeMarrais and Huang =-=[1]-=- published the first algorithm (ADH for short) to compute discrete logs which runs in subexponential time when the genus is sufficiently large compared to the size of the ground field. This algorithm ... |

205 |
A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves
- Frey, Ruck
- 1994
(Show Context)
Citation Context ...arithm problem, there are some particular cases where a solution can be found with a complexity better than O( √ n). See [30], [38], [40], [37]. Similar cases were discovered for hyperelliptic curves =-=[14]-=-, [35]. However they are very particular and can be easily avoided when designing a cryptosystem. In 1994, Adleman, DeMarrais and Huang [1] published the first algorithm (ADH for short) to compute dis... |

185 |
Solving Sparse Linear Equations over Finite Fields
- Wiedemann
- 1986
(Show Context)
Citation Context ... basis can be performed. The linear algebra is the last crucial point. The matrix obtained is sparse, and we have at most g terms in each row. Then sparse technique like Lanczos’s [27] or Wiedemann’s =-=[47]-=- algorithm can be used, in order to get a solution in time quadratic in the number of rows (instead of cubic by Gaussian elimination). Some other optimizations can be done to speed up the computation.... |

166 |
Computing in the Jacobian of a hyperelliptic curve
- Cantor
- 1987
(Show Context)
Citation Context ... our experiments with Koblitz’s curve. 2 Description of the Algorithm 2.1 Hyperelliptic Curves We give an overview of the theory of hyperelliptic curves. More precise statements can be found in [24], =-=[4]-=-, [15]. We will restrict ourselves to the so-called imaginary quadratic case. A hyperelliptic curve C of genus g over a field K is a smooth plane projective curve which admits an affine equation of th... |

156 |
Hyperelliptic cryptosystems
- Koblitz
- 1989
(Show Context)
Citation Context ...ur breaking of a cryptosystem based on a curve of genus 6 recently proposed by Koblitz. 1 Introduction The use of hyperelliptic curves in public-key cryptography was first proposed by Koblitz in 1989 =-=[24]-=-. It appears as an alternative to the use of elliptic curves [23] [31], with the advantage that it uses a smaller base field for the same level of security. Several authors have given ways to build hy... |

156 | Parallel collision search with cryptanalytic applications
- Oorschot, Wiener
- 1999
(Show Context)
Citation Context ...uch a complexity exist for generic groups and can be applied to hyperelliptic curves, but are still exponential. The Pollard Rho method and its parallel variants are the most important examples [34], =-=[46]-=-, [17]. For the elliptic curve discrete logarithm problem, there are some particular cases where a solution can be found with a complexity better than O( √ n). See [30], [38], [40], [37]. Similar case... |

135 |
Handbook of Magma functions
- Bosma, Cannon
- 2007
(Show Context)
Citation Context ...the same. 5 Implementation and Results We have implemented the algorithm in two distinct parts. The first one deals with the building of the matrix and is written in the computer algebra system Magma =-=[2]-=-, which is a very good compromise between high level programming and efficiency. The second part is our optimized implementation of the Lanczos algorithm written in C. 5.1 Implementation of the Search... |

91 | The Discrete Logarithm Problem on Elliptic Curves of Trace One
- Smart
- 1999
(Show Context)
Citation Context ...tant examples [34], [46], [17]. For the elliptic curve discrete logarithm problem, there are some particular cases where a solution can be found with a complexity better than O( √ n). See [30], [38], =-=[40]-=-, [37]. Similar cases were discovered for hyperelliptic curves [14], [35]. However they are very particular and can be easily avoided when designing a cryptosystem. In 1994, Adleman, DeMarrais and Hua... |

85 |
Algebraic curves
- Fulton
- 1969
(Show Context)
Citation Context ...experiments with Koblitz’s curve. 2 Description of the Algorithm 2.1 Hyperelliptic Curves We give an overview of the theory of hyperelliptic curves. More precise statements can be found in [24], [4], =-=[15]-=-. We will restrict ourselves to the so-called imaginary quadratic case. A hyperelliptic curve C of genus g over a field K is a smooth plane projective curve which admits an affine equation of the form... |

80 |
The GNU multiple precision arithmetic library, edition 2.0.2, Free Software Foundation
- Granlund
- 1996
(Show Context)
Citation Context ... that are called a linear number of times), and for others (i.e. operations in the matrix-vector multiplication and scalar products), we used direct calls to some assembly routines taken from the GMP =-=[18]-=- and BigNum [20] packages. Indeed our compact representation of the matrix led to an overcost when using the ZEN functions. We used a classical representation (we could probably obtain a better effici... |

78 | Solving large sparse linear systems over finite fields
- LaMacchia, Odlyzko
- 1991
(Show Context)
Citation Context ... the elements of the basis can be performed. The linear algebra is the last crucial point. The matrix obtained is sparse, and we have at most g terms in each row. Then sparse technique like Lanczos’s =-=[27]-=- or Wiedemann’s [47] algorithm can be used, in order to get a solution in time quadratic in the number of rows (instead of cubic by Gaussian elimination). Some other optimizations can be done to speed... |

78 |
Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves
- Araki, Satoh
- 1998
(Show Context)
Citation Context ...xamples [34], [46], [17]. For the elliptic curve discrete logarithm problem, there are some particular cases where a solution can be found with a complexity better than O( √ n). See [30], [38], [40], =-=[37]-=-. Similar cases were discovered for hyperelliptic curves [14], [35]. However they are very particular and can be easily avoided when designing a cryptosystem. In 1994, Adleman, DeMarrais and Huang [1]... |

69 | Improving the parallelized pollard lambda search on anomalous binary curves
- Gallant, Lambert, et al.
- 2000
(Show Context)
Citation Context ...complexity exist for generic groups and can be applied to hyperelliptic curves, but are still exponential. The Pollard Rho method and its parallel variants are the most important examples [34], [46], =-=[17]-=-. For the elliptic curve discrete logarithm problem, there are some particular cases where a solution can be found with a complexity better than O( √ n). See [30], [38], [40], [37]. Similar cases were... |

63 | Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p
- Semaev
- 1998
(Show Context)
Citation Context ... important examples [34], [46], [17]. For the elliptic curve discrete logarithm problem, there are some particular cases where a solution can be found with a complexity better than O( √ n). See [30], =-=[38]-=-, [40], [37]. Similar cases were discovered for hyperelliptic curves [14], [35]. However they are very particular and can be easily avoided when designing a cryptosystem. In 1994, Adleman, DeMarrais a... |

62 | Faster attacks on elliptic curve cryptosystems
- Wiener, Zuccherato
- 1998
(Show Context)
Citation Context ...ters, curve and base field, when building a cryptosystem. Moreover, the presence of an automorphism of order m on the curve can be used to speed up the computation, just as in the Rho method [9] [17] =-=[48]-=-. This is the case in almost all the examples in the literature. The gain in the Rho method is a factor √ m, but the gain obtained here is a factor m 2 , which is very significant in practice. The org... |

61 |
A rigorous subexponential algorithm for computation of class groups
- Hafner, McCurley
- 1989
(Show Context)
Citation Context ...of the Weil descent, following ideas of Frey; they dealt with general curves (not hyperelliptic). Our purpose is to present a variant of existing index-calculus algorithms like ADH or Hafner-McCurley =-=[19]-=-, which allowed us to break a cryptosystem based on a curve of genus 6 recently proposed by Koblitz. The main improvement is due to the fact that the costly HNF computation in classical algorithms is ... |

56 | A general framework for subexponential discrete logarithm algorithms
- Enge, Gaudry
(Show Context)
Citation Context ...o one), and we obtain a subexponential algorithm with expected running time Lq g[1/2, √ 2]. This result is part of a work with Andreas Enge, where a general framework for this kind of attack is given =-=[12]-=-. Acknowledgements I am most indebted to François Morain for many fruitful discussions and comments. I would like to thank Emmanuel Thomé, particularly for his help for linear algebra. I am also grate... |

54 |
Frobenius maps of Abelian varieties and finding roots of unity in finite fields
- Pila
- 1990
(Show Context)
Citation Context ...tic curves, the Schoof-Elkies-Atkin algorithm allows to compute quickly this order for random curves (see [29] [28] [22] ). For random hyperelliptic curves, a similar polynomial time algorithm exists =-=[33]-=-, however it is still unusable in practice (see recent progress on this subject [21] [43]). That is the reason why the curves that we can find in the literature are very particular: they are built in ... |

54 |
Factorization of polynomials over finite fields
- Swan
- 1962
(Show Context)
Citation Context ...tation was not optimized: it can be done in parallel and it is not the limiting phase. However an interesting optimization suggested by François Morain has been tested. It is based on a paper by Swan =-=[44]-=-, where a theorem is given which relates the parity of the number of irreducible factors of a polynomial over a finite field and the fact that its discriminant is a square or not in the corresponding ... |

46 |
A Family of Jacobians Suitable for Discrete Log Cryptosystems
- Koblitz
- 1988
(Show Context)
Citation Context ...rivial automorphisms, and the order obtained by combining them together with the hyperelliptic involution. Table 1. Examples of curves Author Equation of curve Field Automorphisms Order Koblitz [24], =-=[25]-=- Y 2 + Y = X 2g+1 + X Y F2n Frobenius 2n 2 + Y = X 2g+1 Buhler Koblitz [3] Y F2n Frobenius 2n 2 + Y = X 2g+1 Fp with mult by ζ2g+1 2(2g + 1) Chao et al. [7] (and twists) p ≡ 1 (2g + 1) Frobenius and S... |

46 | Speeding up Pollard’s rho method for computing discrete logarithms”, Algorithmic Number Theory
- Teske
- 1998
(Show Context)
Citation Context ...bgroup of large prime order (this is always the case in cryptography). Let n = ord(D1) be this prime order, and D2 be the element for which we search the log. We introduce a pseudo-random walk (as in =-=[45]-=-) in the subgroup generated by D1: Let R0 = α0D1 + β0D2 be the starting point of the walk, where R0 is the reduced divisor obtained by Cantor’s algorithm, and α0 and β0 are random integers. For j from... |

40 | A cryptographic application of Weil descent
- Galbraith, Smart
- 1999
(Show Context)
Citation Context ...gave a precise evaluation of the running time, but did not implement his ideas. Müller, Stein and Thiel [32] extended the results to the real quadratic congruence function fields. Smart and Galbraith =-=[16]-=- also gave some ideas in the context of the Weil descent, following ideas of Frey; they dealt with general curves (not hyperelliptic). Our purpose is to present a variant of existing index-calculus al... |

40 | Computing discrete logarithms in real quadratic congruence function fields of large genus
- Stein, Müller, et al.
- 1999
(Show Context)
Citation Context ...es for cryptographical applications is not clear. Enge [11] improved the original algorithm and gave a precise evaluation of the running time, but did not implement his ideas. Müller, Stein and Thiel =-=[32]-=- extended the results to the real quadratic congruence function fields. Smart and Galbraith [16] also gave some ideas in the context of the Weil descent, following ideas of Frey; they dealt with gener... |

38 |
Kurven vom Geschlecht 2 und ihre Anwendung
- Spallek
- 1994
(Show Context)
Citation Context ...defined by x ↦→ xq , which can be applied to each coordinate of a point of the curve and gives therefore an automorphism of order n. Another construction, which is a bit harder than the previous (see =-=[42]-=- [7] [3], comes from the theory of complex multiplication. This theory allows to build a curve starting from its ring of endomorphisms. In some cases, this ring contains units of finite order, and the... |

37 | Computing discrete logarithms in high-genus hyperelliptic Jacobians in provably subexponential time
- Enge
(Show Context)
Citation Context ...his work was supported by Action COURBES of INRIA (action coopérative de la direction scientifique de l’INRIA).s20 Pierrick Gaudry the consequences for cryptographical applications is not clear. Enge =-=[11]-=- improved the original algorithm and gave a precise evaluation of the running time, but did not implement his ideas. Müller, Stein and Thiel [32] extended the results to the real quadratic congruence ... |

35 | Counting the number of points on elliptic curves over finite fields: strategies and performances
- Lercier, Morain
- 1995
(Show Context)
Citation Context ...cols use the group order; moreover it is necessary to be sure that it is not smooth. For elliptic curves, the Schoof-Elkies-Atkin algorithm allows to compute quickly this order for random curves (see =-=[29]-=- [28] [22] ). For random hyperelliptic curves, a similar polynomial time algorithm exists [33], however it is still unusable in practice (see recent progress on this subject [21] [43]). That is the re... |

32 | Speeding up the Discrete Log Computation on Curves with Automorphisms
- Duursma, Gaudry, et al.
- 1999
(Show Context)
Citation Context ...he parameters, curve and base field, when building a cryptosystem. Moreover, the presence of an automorphism of order m on the curve can be used to speed up the computation, just as in the Rho method =-=[9]-=- [17] [48]. This is the case in almost all the examples in the literature. The gain in the Rho method is a factor √ m, but the gain obtained here is a factor m 2 , which is very significant in practic... |

32 | Bignum: a portable efficient package for arbitrary-precision arithmetic
- Hervé, Serpette, et al.
- 1989
(Show Context)
Citation Context ... a linear number of times), and for others (i.e. operations in the matrix-vector multiplication and scalar products), we used direct calls to some assembly routines taken from the GMP [18] and BigNum =-=[20]-=- packages. Indeed our compact representation of the matrix led to an overcost when using the ZEN functions. We used a classical representation (we could probably obtain a better efficiency with Montgo... |

31 | On the Performance of Hyperelliptic Cryptosystems
- Smart
- 1999
(Show Context)
Citation Context ...F2n Frobenius 2n 2 + Y = X 2g+1 Buhler Koblitz [3] Y F2n Frobenius 2n 2 + Y = X 2g+1 Fp with mult by ζ2g+1 2(2g + 1) Chao et al. [7] (and twists) p ≡ 1 (2g + 1) Frobenius and Sakai Sakurai [36] Smart =-=[41]-=- Y 2 + Y = X 13 + X 11 + X 9 + X 5 + 1 F 2 29 Duursma Sakurai [10] Y 2 = X p − X + 1 Fp n ⎧ ⎨ X ↦→ X + 1 Y ↦→ Y + X ⎩ 6 + X 5 + X 4 + X 3 + X 2 �Frobenius and X ↦→ X + 1 Y ↦→ Y 4 × 29 2npsAn Algorithm... |

27 |
On the Discrete Logarithm in the Divisor Class Group of
- Rück
- 1999
(Show Context)
Citation Context ... problem, there are some particular cases where a solution can be found with a complexity better than O( √ n). See [30], [38], [40], [37]. Similar cases were discovered for hyperelliptic curves [14], =-=[35]-=-. However they are very particular and can be easily avoided when designing a cryptosystem. In 1994, Adleman, DeMarrais and Huang [1] published the first algorithm (ADH for short) to compute discrete ... |

26 |
The solution of mccurley’s discrete log challenge
- Denny
- 1998
(Show Context)
Citation Context ...overcost when using the ZEN functions. We used a classical representation (we could probably obtain a better efficiency with Montgomery representation), with the lazy reduction technique explained in =-=[8]-=-. Before running Lanczos’s algorithm, a preprocessing can be done on the matrix (see [8] [5]). This filtering step (also called structured Gaussian elimination) consists in the following tasks: – Dele... |

20 |
Algorithmique de courbes elliptiques dans les corps fi nis
- Lercier
- 1997
(Show Context)
Citation Context ...use the group order; moreover it is necessary to be sure that it is not smooth. For elliptic curves, the Schoof-Elkies-Atkin algorithm allows to compute quickly this order for random curves (see [29] =-=[28]-=- [22] ). For random hyperelliptic curves, a similar polynomial time algorithm exists [33], however it is still unusable in practice (see recent progress on this subject [21] [43]). That is the reason ... |

18 |
Lattice Basis Reduction, Jacobi Sums and Hyperelliptic Cryptosystems
- Buhler, Koblitz
- 1998
(Show Context)
Citation Context ...y x ↦→ xq , which can be applied to each coordinate of a point of the curve and gives therefore an automorphism of order n. Another construction, which is a bit harder than the previous (see [42] [7] =-=[3]-=-, comes from the theory of complex multiplication. This theory allows to build a curve starting from its ring of endomorphisms. In some cases, this ring contains units of finite order, and then there ... |

14 | Design of Hyperelliptic Cryptosystems in Small Characteristic and a Software Implementation over
- Sakai, Sakurai
- 1998
(Show Context)
Citation Context ...2g+1 + X Y F2n Frobenius 2n 2 + Y = X 2g+1 Buhler Koblitz [3] Y F2n Frobenius 2n 2 + Y = X 2g+1 Fp with mult by ζ2g+1 2(2g + 1) Chao et al. [7] (and twists) p ≡ 1 (2g + 1) Frobenius and Sakai Sakurai =-=[36]-=- Smart [41] Y 2 + Y = X 13 + X 11 + X 9 + X 5 + 1 F 2 29 Duursma Sakurai [10] Y 2 = X p − X + 1 Fp n ⎧ ⎨ X ↦→ X + 1 Y ↦→ Y + X ⎩ 6 + X 5 + X 4 + X 3 + X 2 �Frobenius and X ↦→ X + 1 Y ↦→ Y 4 × 29 2npsA... |

13 |
Counting points on curves over finite fields
- Huang, Ierardi
- 1998
(Show Context)
Citation Context ...or random curves (see [29] [28] [22] ). For random hyperelliptic curves, a similar polynomial time algorithm exists [33], however it is still unusable in practice (see recent progress on this subject =-=[21]-=- [43]). That is the reason why the curves that we can find in the literature are very particular: they are built in such a way that the order of their Jacobian is easy to compute. A first way to build... |

13 |
Algebraic Aspects of Cryptography, volume 3 of Algorithms and Computation in Mathematics
- Koblitz
- 1998
(Show Context)
Citation Context ...blem on Hyperelliptic Curves 29 5.3 Timings for Real Life Curves The first example is a cryptosystem recently proposed by Buhler and Koblitz [3]. We took the values recommended by Koblitz in his book =-=[26]-=-, i.e. we have worked on the curve y 2 + y = x 13 , with a prime base field of order p greater than 5, 000, 000, with p ≡ 1 mod 13. This curve has an automorphism of order 13 coming from complex multi... |

10 |
Efficient algorithms for the Jacobian variety of hyperelliptic curves y2 = xp − x+ 1 over a finite field of odd characteristic p.” Coding theory, cryptography and related areas
- Duursma, Sakurai
- 1998
(Show Context)
Citation Context ... 2n 2 + Y = X 2g+1 Fp with mult by ζ2g+1 2(2g + 1) Chao et al. [7] (and twists) p ≡ 1 (2g + 1) Frobenius and Sakai Sakurai [36] Smart [41] Y 2 + Y = X 13 + X 11 + X 9 + X 5 + 1 F 2 29 Duursma Sakurai =-=[10]-=- Y 2 = X p − X + 1 Fp n ⎧ ⎨ X ↦→ X + 1 Y ↦→ Y + X ⎩ 6 + X 5 + X 4 + X 3 + X 2 �Frobenius and X ↦→ X + 1 Y ↦→ Y 4 × 29 2npsAn Algorithm for Solving the Discrete Log Problem on Hyperelliptic Curves 27 4... |

5 | Efficient implementation of Schoof’s algorithm
- Izu, Kogure, et al.
- 1998
(Show Context)
Citation Context ...he group order; moreover it is necessary to be sure that it is not smooth. For elliptic curves, the Schoof-Elkies-Atkin algorithm allows to compute quickly this order for random curves (see [29] [28] =-=[22]-=- ). For random hyperelliptic curves, a similar polynomial time algorithm exists [33], however it is still unusable in practice (see recent progress on this subject [21] [43]). That is the reason why t... |

4 | Catching kangaroos in function fields
- Stein, Teske
- 1999
(Show Context)
Citation Context ...ndom curves (see [29] [28] [22] ). For random hyperelliptic curves, a similar polynomial time algorithm exists [33], however it is still unusable in practice (see recent progress on this subject [21] =-=[43]-=-). That is the reason why the curves that we can find in the literature are very particular: they are built in such a way that the order of their Jacobian is easy to compute. A first way to build such... |

2 |
Sieving in function fields. Preprint; available at ftp://ftp.informatik.tu-darmstadt.de/pub/TI
- Flassenberg, Paulus
- 1997
(Show Context)
Citation Context ...subexponential time when the genus is sufficiently large compared to the size of the ground field. This algorithm was rather theoretical, and some improvements to it were done. Flassenberg and Paulus =-=[13]-=- implemented a sieve version of this algorithm, but ⋆ This work was supported by Action COURBES of INRIA (action coopérative de la direction scientifique de l’INRIA).s20 Pierrick Gaudry the consequenc... |

1 |
Strategies in filtering in the Number Field Sieve. Extended abstract, conference MPKC
- Cavallar
- 1999
(Show Context)
Citation Context ... obtain a better efficiency with Montgomery representation), with the lazy reduction technique explained in [8]. Before running Lanczos’s algorithm, a preprocessing can be done on the matrix (see [8] =-=[5]-=-). This filtering step (also called structured Gaussian elimination) consists in the following tasks: – Delete the empty columns. – Delete the columns with exactly one term and the corresponding row. ... |

1 |
ZEN, A new toolbox for computing in finite extensions of finite rings
- Chabaud, Lercier
- 1998
(Show Context)
Citation Context ...non negligible amount of time spent in computing some scalar products. We refer to [27] for a precise comparison of these two algorithms. We wrote our program in the C language, using the ZEN library =-=[6]-=- for things which were not critical (i.e. operations that are called a linear number of times), and for others (i.e. operations in the matrix-vector multiplication and scalar products), we used direct... |

1 |
Cryptosystems based on CM abelian variety
- Chao, Matsuda, et al.
(Show Context)
Citation Context ...ed by x ↦→ xq , which can be applied to each coordinate of a point of the curve and gives therefore an automorphism of order n. Another construction, which is a bit harder than the previous (see [42] =-=[7]-=- [3], comes from the theory of complex multiplication. This theory allows to build a curve starting from its ring of endomorphisms. In some cases, this ring contains units of finite order, and then th... |

1 | Algorithm for Solving the Discrete Log Problem on Hyperelliptic Curves 33 - Barbara, August - 1988 |