## Hyperelliptic Curve Cryptosystems: Closing the Performance Gap to Elliptic Curves (2003)


### Other Repositories/Bibliography

Venue: | Workshop on Cryptographic Hardware and Embedded Systems — CHES 2003 |

Citations: | 41 - 12 self |

### BibTeX

@INPROCEEDINGS{Pelzl03hyperellipticcurve,
    author = {Jan Pelzl and Thomas Wollinger and Jorge Guajardo and Christof Paar},
    title = {Hyperelliptic Curve Cryptosystems: Closing the Performance Gap to Elliptic Curves},
    booktitle = {Workshop on Cryptographic Hardware and Embedded Systems — CHES 2003},
    year = {2003},
    pages = {351--365},
    publisher = {Springer-Verlag}
}


### Abstract

For most of the time since they were proposed, it was widely believed that hyperelliptic curve cryptosystems (HECC) carry a substantial performance penalty compared to elliptic curve cryptosystems (ECC) and are, thus, not too attractive for practical applications. Only quite recently have improvements been made, mainly restricted to curves of genus 2. The work at hand advances the state-of-the-art considerably in several aspects. First, we generalize and improve the closed formulae for the group operation of genus 3 for HEC defined over fields of characteristic two. For certain curves we achieve over 50% complexity improvement compared to the best previously published results. Second, we introduce a new complexity metric for ECC and HECC defined over characteristic two fields which allows performance comparisons of practical relevance. It can be shown that the HECC performance is in the range of the performance of an ECC; for specific parameters HECC can even possess a lower complexity than an ECC at the same security level. Third, we describe the first implementation of a HEC cryptosystem on an embedded (ARM7) processor. Since HEC are particularly attractive for constrained environments, such a case study should be of relevance.

### Citations

2924 | New directions in cryptography - Diffie, Hellman - 1976 |
Citation Context: ... environments, such a case study should be of relevance. Keywords: hyperelliptic curves, explicit formulae, comparison HECC vs. ECC, efficient implementation. 1 Introduction. In 1976 Diffie and Hellman [DH76] revolutionized the field of cryptography by introducing the concept of public-key cryptography. Their key exchange protocol is based on the difficulty of solving the discrete logarithm (DL) problem o...

2679 | Handbook of applied cryptography - Menezes, Oorschot, et al. - 1997 |

762 | Elliptic curve cryptosystems - Koblitz |

575 | Use of Elliptic Curve in Cryptography - Miller - 1985 |

268 | New directions in cryptography - Diffie, Hellman - 1976 |

244 | Monte Carlo methods for index computation mod p - Pollard - 1978 |

214 | A subexponential algorithm for discrete logarithms over the rational subgroup of the jacobians of large genus hyperelliptic curves over finite fields, Algorithmic Number Theory - Adleman, DeMarrais, et al. - 1994 |
Citation Context: ... discovered in [FR94,Rüc99], which can be attacked with complexity better than $O(\sqrt{n})$. The first algorithm which computes the DL in subexponential time for sufficiently large genera was published in [ADH94]. The algorithm was improved and implemented e.g. in [FS97,Eng99a,Gau00b,EG02]. This algorithm has a better complexity than the Pollard’s rho method for g > 4. In [FR94], the authors described the map...

205 | A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves - Frey, Rück - 1994 |
Citation Context: ...large genera was published in [ADH94]. The algorithm was improved and implemented e.g. in [FS97,Eng99a,Gau00b,EG02]. This algorithm has a better complexity than the Pollard’s rho method for g > 4. In [FR94], the authors described the mapping of the Tate pairing on the divisor class group of a curve C over a finite field $\mathbb{F}_q$ into the multiplicative group $\mathbb{F}_{q^k}^*$. Hence, for small k the DLP in the divisor cl...

185 | Solving Sparse Linear Equations over Finite Fields - Wiedemann - 1986 |

180 | Multiplication of multidigit numbers on automata - Karatsuba, Ofman - 1963 |
Citation Context: ...ed to add/double divisors by distinguishing between possible cases according to the properties of the input divisors. This technique is combined with the use of the Karatsuba multiplication algorithm [KO63] and the Chinese remainder theorem to further reduce the complexity of the overall group operations. The work of [GH00] was generalized by [KGM+02] to genus-3 curves defined over odd characteristic ...

169 | A survey of fast exponentiation methods - Gordon - 1996 |

166 | Computing in the Jacobian of a hyperelliptic curve - Cantor - 1987 |
Citation Context: ...lled a F-divisor or rational divisor) if $D^\sigma = \sum m_i P_i^\sigma$ is equal to $D$ for all automorphisms $\sigma$ of $\overline{F}$ over $F$. Notice that this does not mean that each $P_i^\sigma$ is equal to $P_i$, $\sigma$ may permute the points. In [Can87], Cantor shows that each element of the Jacobian can be represented in the form $D = \sum_{i=1}^{r} P_i - r \cdot \infty$ such that for all $i \neq j$, $P_i$ and $P_j$ are not symmetric points. Such a divisor is called a semi-reduced...

160 | Software Implementation of Elliptic Curve Cryptography Over Binary Fields - Hankerson, Hernandez, et al. - 2000 |
Citation Context: ... depends on the chosen coordinate system. For completeness we summarize the number of required operations given the MI-ratio k in Table 4. Table 4. Field operations required in each coordinate system [HHM00] Coordinate system EC Addition EC Doubling general mixed coord. Affine coordinates 1I + 2M 1I + 2M (2 + k)M (2 + k)M Standard projective coordinates [CC87,CMO98] 13M 12M 7M Jacobian projective coordin...

157 | Efficient elliptic curve exponentiation using mixed coordinates - Cohen, Miyaji, et al. - 1998 |

156 | Hyperelliptic cryptosystems - Koblitz - 1989 |

156 | Parallel collision search with cryptanalytic applications - Oorschot, Wiener - 1999 |

107 | Sequences of numbers generated by addition in formal groups and new primality and factorization tests - Chudnovsky, Chudnovsky - 1986 |

90 | Supersingular curves in cryptography - Galbraith - 2001 |
Citation Context: .... Hence, this comparison is processor independent and can be adapted to any platform. HECC Implementations: Since HEC cryptosystems were proposed, there have been several software implementations on ... (Footnote 1: [Gal01] gives some arguments against using supersingular hyperelliptic curves in cryptographic applications. Footnote 2: mixed additions) ...

86 | An algorithm for solving the discrete log problem on hyperelliptic curves - Gaudry |
Citation Context: ...lgorithm to compute the discrete logarithm in generic groups such as the Jacobian of a HEC is Pollard’s rho method or one of its parallel variants [Pol78,vOW99]. For curves of genus higher than four, [Gau00a] showed that there exists an algorithm with complexity $O(q^2)$ where $\mathbb{F}_q$ is the field over which the HEC is defined. Thus, in this work, we only consider HEC of genus less than four, as curves of highe...

69 | Improving the parallelized pollard lambda search on anomalous binary curves - Gallant, Lambert, et al. - 2000 |

62 | Counting points on hyperelliptic curves over finite - Gaudry, Harley - 2000 |
Citation Context: ...plicit formulae for the group operations of a HECC [Spa94]. Six years later a major breakthrough for the speed of the group operations in the Jacobian of genus-2 hyperelliptic curves was published in [GH00], in the context of algorithms which determine the group order of Jacobians of HEC. [GH00] noticed that one can derive different explicit formulae for the group operations depending on the weights of ...

56 | A general framework for subexponential discrete logarithm algorithms - Enge, Gaudry |

51 | Improved Algorithms for Elliptic Curve Arithmetic - López, Dahab - 1998 |
Citation Context: ...ixed coord. Affine coordinates 1I + 2M 1I + 2M (2 + k)M (2 + k)M Standard projective coordinates [CC87,CMO98] 13M 12M 7M Jacobian projective coordinates [CC87,CMO98] 15M 5M New projective coordinates [LD99] 14M 9M 4M Table 5 states the total number of AOPS for the group operations of the cryptosystems with different MI-ratios. In terms of ECC, affine coordinates, Jacobian projective coordinates and new ...

46 | A Family of Jacobians Suitable for Discrete Log Cryptosystems - Koblitz - 1988 |
Citation Context: ...ell suited for small processors and memory constrained environments. In 1988 Koblitz suggested for the first time the generalization of EC to curves of higher genus, namely hyperelliptic curves (HEC) [Kob88]. In contrast to the EC case, it has only been until recently that Koblitz’s idea to use HEC for cryptographic applications, has been analyzed and implemented both in software [Kri97,SS98,SSI98,Eng99b...

38 | Kurven vom Geschlecht 2 und ihre Anwendung - Spallek - 1994 |
Citation Context: ...omparisons between ECC and HECC, and other HECC implementations. Improvements to HECC Group Operations: Spallek was the first who attempted to find explicit formulae for the group operations of a HECC [Spa94]. Six years later a major breakthrough for the speed of the group operations in the Jacobian of genus-2 hyperelliptic curves was published in [GH00], in the context of algorithms which determine the g...

37 | Computing discrete logarithms in high-genus hyperelliptic Jacobians in provably subexponential time - Enge |

32 | Efficient Arithmetic on Genus 2 Hyperelliptic Curves over Finite Fields via Explicit Formulae, Cryptology ePrint Archive, Report 2002/121 - Lange - 2002 |
Citation Context: ...ak02] one multiplication was saved through a displacement of one operation. All these improvements are for genus-2 curves and odd characteristic. The generalization to even characteristic was done in [Lan02a] where improved formulae for characteristic 2 curves are also given. There was also some effort to find explicit formulae to perform the group operation for HECC without using inversions for genus-2 c...

31 | On the Performance of Hyperelliptic Cryptosystems - Smart - 1999 |
Citation Context: ...se HEC for cryptographic applications, has been analyzed and implemented both in software [Kri97,SS98,SSI98,Eng99b,SS00] and in more hardware-oriented platforms such as FPGAs [Wol01,BCLW02]. In 1999, [Sma99] concluded that there seems to be little practical benefit in using HEC, because of the difficulty of finding hyperelliptic curves an...

29 | Algebraic Aspects of Cryptography. Algorithms and Computation - Koblitz - 1998 |

27 | On the Discrete Logarithm in the Divisor Class Group of - Rück - 1999 |

24 | June: Hyperelliptic curves in characteristic 2 - Scholten, Zhu |
Citation Context: ...ne also has to consider criteria to ensure that a curve is not supersingular [Gal01]. However, there are no hyperelliptic supersingular curves of genus $2^n - 1$ and characteristic 2 for any integer $n \geq 2$ [SZ02]. Thus, to our knowledge the best attacks against HEC of the form suggested in this contribution have complexity $O(\sqrt{n})$. 4 Speed-up for Genus-3 Curves: In this section we briefly outline the ideas of ...

22 | Improving Harley Algorithms for Jacobians of Genus 2 Hyperelliptic Curves - Takahashi |
Citation Context: ...ements were made by [MDM+02,Tak02]. In [MDM+02], the authors were able to replace the two field inversions by only one, with the help of Montgomery’s trick for simultaneous inversions [Coh93]. In [Tak02] one multiplication was saved through a displacement of one operation. All these improvements are for genus-2 curves and odd characteristic. The generalization to even characteristic was done in [Lan0...

21 | Genus two hyperelliptic curve coprocessor - Boston, Clancy, et al. - 2002 |
Citation Context: ...z 3 $\mathbb{F}_{2^{61}-1}$ 0.932 [Lan02a] Pentium-IV@1.5GHz 2 $\mathbb{F}_{2^{160}}$ 18.875 2 $\mathbb{F}_{2^{180}}$ 25.215 2 $\mathbb{F}_p$ ($\log_2 p = 160$) 5.663 2 $\mathbb{F}_p$ ($\log_2 p = 180$) 8.162 The first HECC hardware architectures were proposed in [Wol01]. In [BCLW02], performance results of a hardware-based genus two hyperelliptic curve coprocessor over $\mathbb{F}_{2^{113}}$ were presented. The FPGA was clocked at 45 MHz and required 4750 clock cycles for a group addition and ...

21 | Algorithmique des courbes hyperelliptiques et applications à la cryptologie, Ph.D. thesis, École polytechnique - Gaudry - 2000 |

21 | A Fast Addition Algorithm of Genus Two Hyperelliptic Curve - Miyamoto, Doi, et al. |

21 | Efficient arithmetic on hyperelliptic curves - Lange - 2001 |

19 | Inversion-Free Arithmetic on Genus 2 Hyperelliptic Curves. Cryptology ePrint Archive, Report 2002/147 - Lange - 2002 |
Citation Context: ...] odd h(x) = 0 2I + 27M/S 2I + 30M/S Matsuo et al. [MCT01] odd h(x) = 0 2I + 25M/S 2I + 27M/S Miyamoto et al. [MDM+02] odd h(x) = 0, f4 = 0 I + 26M/S I + 27M/S Takahashi [Tak02] Lange [Lan02a] Lange [Lan02b] odd general two general h(x) = 0 I + 25M/S I + 29M/S $h_i \in \mathbb{F}_2$, f4 = 0 I + 22M + 3S I + 22M + 5S $h_i \in \mathbb{F}_2$, f4 = 0 I + 22M + 2S I + 20M + 4S $h_i \in \mathbb{F}_2$, f4 = 0 47M + 4S(40M + 3S) 2 Lange [Lan02c] two odd 40...

19 |
Secure Hyperelliptic Cryptosystems and their Performance
- Sakai, Sakurai, et al.
- 1998
(Show Context)
Citation Context ...M + 02,Har00] to obtain the speed-up. The operation complexity for genus-3 curves is summarized in Table 3.s4 Jan Pelzl, Thomas Wollinger, Jorge Guajardo, and Christof Paar Theoretical Comparisons In =-=[SSI98]-=-, the authors clarified practical advantages of hyperelliptic cryptosystems when compared to ECC and to RSA. To our knowledge this is the first and only contribution that investigates in detail the th... |

18 | Fast Genus Three Hyperelliptic Curve Cryptosystems - Kuroki, Gonda, et al. |

15 | A course in Computational Number Theory, Graduate Texts - Cohen - 2000 |
Citation Context: ...rther improvements were made by [MDM+02,Tak02]. In [MDM+02], the authors were able to replace the two field inversions by only one, with the help of Montgomery’s trick for simultaneous inversions [Coh93]. In [Tak02] one multiplication was saved through a displacement of one operation. All these improvements are for genus-2 curves and odd characteristic. The generalization to even characteristic was d...

15 | Weighted Coordinates on Genus 2 Hyperelliptic Curves. Cryptology ePrint Archive, Report 2002/153 - Lange - 2002 |
Citation Context: ...02a] Lange [Lan02b] odd general two general h(x) = 0 I + 25M/S I + 29M/S $h_i \in \mathbb{F}_2$, f4 = 0 I + 22M + 3S I + 22M + 5S $h_i \in \mathbb{F}_2$, f4 = 0 I + 22M + 2S I + 20M + 4S $h_i \in \mathbb{F}_2$, f4 = 0 47M + 4S(40M + 3S) 2 Lange [Lan02c] two odd 40M + 6S $h_i \in \mathbb{F}_2$, f4 = 0 46M + 2S 33M + 6S $h_i \in \mathbb{F}_2$, f4 = 0 47M + 7S(36M + 5S) 2 even 34M + 7S $h_2 \neq 0$, $h_i \in \mathbb{F}_2$, f4 = 0 46M + 4S(35M + 5S) 2 even 35M + 6S h2 = 0, $h_i \in \mathbb{F}_2$, f4 = 0 44M + 6S(34M ...

15 | Computer Architecture for Cryptosystems based on hyperelliptic curves, Thesis. Worcester Polytechnic Institute - Wollinger - 2001 |
Citation Context: ...a21264@667MHz 3 $\mathbb{F}_{2^{61}-1}$ 0.932 [Lan02a] Pentium-IV@1.5GHz 2 $\mathbb{F}_{2^{160}}$ 18.875 2 $\mathbb{F}_{2^{180}}$ 25.215 2 $\mathbb{F}_p$ ($\log_2 p = 160$) 5.663 2 $\mathbb{F}_p$ ($\log_2 p = 180$) 8.162 The first HECC hardware architectures were proposed in [Wol01]. In [BCLW02], performance results of a hardware-based genus two hyperelliptic curve coprocessor over $\mathbb{F}_{2^{113}}$ were presented. The FPGA was clocked at 45 MHz and required 4750 clock cycles for a group ...

14 | Fast genus two hyperelliptic curve cryptosystems - Matsuo, Chao, et al. - 2001 |
Citation Context: ...stic properties addition doubling Cantor [Nag00] Nagao [Nag00] general odd h(x) = 0, $f_i \in \mathbb{F}_2$ 3I + 70M/S 1I + 55M/S 3I + 76M/S 1I + 55M/S Harley [Har00] odd h(x) = 0 2I + 27M/S 2I + 30M/S Matsuo et al. [MCT01] odd h(x) = 0 2I + 25M/S 2I + 27M/S Miyamoto et al. [MDM+02] odd h(x) = 0, f4 = 0 I + 26M/S I + 27M/S Takahashi [Tak02] Lange [Lan02a] Lange [Lan02b] odd general two general h(x) = 0 I + 25M/S I + 2...

14 | Improving Group Law Algorithms for Jacobians of Hyperelliptic Curves - Nagao |
Citation Context: ...omials are co-prime with probability $1 - O(1/q)$, where the polynomials are defined over $\mathbb{F}_q$. Thus, in practice it is only necessary to consider the most frequent occurring case. In the same year Nagao [Nag00] proposed a polynomial division algorithm without field inversions and an algorithm to calculate the extended gcd algorithm while only using one field inversion, both geared to improve Cantor’s algori...

14 | Design of Hyperelliptic Cryptosystems in Small Characteristic and a Software Implementation over - Sakai, Sakurai - 1998 |

13 | On the Practical Performance of Hyperelliptic Curve Cryptosystems - Sakai, Sakurai - 2000 |
Citation Context: ... following years further analyses of the complexity of HECC were published. A theoretical analysis of the computational efficiency of the arithmetic on hyperelliptic curves is derived in [Eng99b]. In [SS00], the authors implemented hyperelliptic curve cryptosystems and analyzed the complexity of the group law on Jacobians $J_C(\mathbb{F}_p)$ and $J_C(\mathbb{F}_{2^n})$. Moreover, they verified their theoretical complexity estimates...

12 | The Extended Euclidean Algorithm on Polynomials, and the Computational Efficiency of Hyperelliptic Cryptosystems,Des - Enge |
Citation Context: ...M + 6S In the following years further analyses of the complexity of HECC were published. A theoretical analysis of the computational efficiency of the arithmetic on hyperelliptic curves is derived in [Eng99b]. In [SS00], the authors implemented hyperelliptic curve cryptosystems and analyzed the complexity of the group law on Jacobians $J_C(\mathbb{F}_p)$ and $J_C(\mathbb{F}_{2^n})$. Moreover, they verified their theoretical complexit...

9 | Vector Elimination: A Technique for the Implicitization - Goldman, Sederberg, et al. - 1984 |

8 | Fast arithmetic on genus two curves. Available at: http://cristal.inria.fr/~harley/hyper - Harley - 2000 |
Citation Context: ...lliptic curves of genus two. field curve cost characteristic properties addition doubling Cantor [Nag00] Nagao [Nag00] general odd h(x) = 0, $f_i \in \mathbb{F}_2$ 3I + 70M/S 1I + 55M/S 3I + 76M/S 1I + 55M/S Harley [Har00] odd h(x) = 0 2I + 27M/S 2I + 30M/S Matsuo et al. [MCT01] odd h(x) = 0 2I + 25M/S 2I + 27M/S Miyamoto et al. [MDM+02] odd h(x) = 0, f4 = 0 I + 26M/S I + 27M/S Takahashi [Tak02] Lange [Lan02a] Lange [...

8 | Lectures on Theta II - Tata - 1984 |
Citation Context: ...he Jacobian can be represented as a pair of polynomials a(u) and b(u) with deg b(u) < deg a(u) ≤ g, with a(u) dividing $v^2 + h(u)v - f(u)$ and where the coefficients of a(u) and b(u) are elements of F [Mum84] (notice that in our particular application F is a finite field). In the remainder of this paper, a divisor D represented by polynomials will be denoted by div(a, b). 3.2 Group Operations on a Jacobia...