## Fast genus 2 arithmetic based on theta functions

Venue: | J.Math.Cryptol.1 (2007), 243–265. MR2372155 (2009f:11156 |

Citations: | 20 - 6 self |

### BibTeX

@INPROCEEDINGS{Gaudry_fastgenus,

author = {P. Gaudry and Communicated Gerhard Frey},

title = {Fast genus 2 arithmetic based on theta functions},

booktitle = {J.Math.Cryptol.1 (2007), 243–265. MR2372155 (2009f:11156},

year = {}

}

### OpenURL

### Abstract

Abstract. In 1986, D. V. Chudnovsky and G. V. Chudnovsky proposed to use formulae coming from Theta functions for the arithmetic in Jacobians of genus 2 curves. We follow this idea and derive fast formulae for the scalar multiplication in the Kummer surface associated to a genus 2 curve, using a Montgomery ladder. Our formulae can be used to design very efficient genus 2 cryptosystems that should be faster than elliptic curve cryptosystems in some hardware configurations.

### Citations

155 |
Computing in Jacobian of a Hyperelliptic Curve,” in
- Cantor
- 1987
(Show Context)
Citation Context ... some advantages and some drawbacks of this approach. The main advantage is that the formulae are compact, elegant and very efficient compared to the formulae that are derived from Cantor’s algorithm =-=[2]-=- or from the bilinear maps of [3]. The main drawback is that the formulae with Theta functions are valid a priori only over the complex numbers. Some work is required to 1sapply them over a finite fie... |

126 |
Handbook of MAGMA functions
- Bosma, Cannon
- 1994
(Show Context)
Citation Context ...a functions with characteristics give trivial Theta constants. For a fixed Ω in H2, we give shorter names to the 16 Theta functions with characteristics: we denote them simply by ϑi(z), where i is in =-=[1,10]-=- for the even functions and i is in [11,16] for the odd functions. The full correspondance for the 16 characteristics is given in the Appendix. In the main part of the paper, we shall use only 4 of th... |

102 |
Sequences of numbers generated by addition in formal groups and new primality and factoring tests
- Chudnovsky, Chudnovsky
- 1987
(Show Context)
Citation Context ...ed to design very efficient genus 2 cryptosystems that should be faster than elliptic curve cryptosystems in some hardware configurations. 1 Introduction In 1986 D. V. Chudnovsky and G. V. Chudnovsky =-=[4]-=- published an article containing many formulae for computing in an elliptic curve, with a view towards primality proving and factorization. At the very end of the paper, they mention that it might be ... |

94 |
Prolegomena to a middlebrow arithmetic of curves of genus 2
- Cassels, Flynn
- 1996
(Show Context)
Citation Context ...ks of this approach. The main advantage is that the formulae are compact, elegant and very efficient compared to the formulae that are derived from Cantor’s algorithm [2] or from the bilinear maps of =-=[3]-=-. The main drawback is that the formulae with Theta functions are valid a priori only over the complex numbers. Some work is required to 1sapply them over a finite field and there is some rationality ... |

81 | Counting points on hyperelliptic curves using Monsky-Washnitzer cohomology
- Kedlaya
(Show Context)
Citation Context ...dom points with no zero coordinate in K until one is found that has order p. The most complicated task is the point-counting, that can be done using a Schoof-like algorithm [6] or Kedlaya’s algorithm =-=[9]-=- if the characteristic is small enough. The complex multiplication approach [20] is also compatible with this approach. 5.4 Security Thanks to the explicit map between a Kummer surface and the Jacobia... |

51 |
Construction de courbes de genre 2 à partir de leurs modules, Effective Methods in Algebraic Geometry (Castiglioncello
- Mestre
- 1990
(Show Context)
Citation Context ...r Fq whereas the corresponding curve can be defined only over F q 2 can look strange. This rationality condition is an obstruction analogous to the one we can observe when applying Mestre’s algorithm =-=[14]-=- for computing an equation for a curve for which Igusa invariants are given. Indeed, a,b,c,d (or at least the squares of their ratios) can be seen as invariants, and requiring them to be rational is n... |

49 | Formulae for Arithmetic on Genus 2 Hyperelliptic Curves,” September 2003. http://www.ruhr-uni-bochum.de/itsc/ tanja/preprints/expl sub.pdf
- Lange
(Show Context)
Citation Context ...f the scalar multiplication is very low compared to the state of the art in explicit formulae for odd characteristic genus 2 arithmetic, since we need only 25 multiplications per bit. For instance in =-=[13]-=-, using classical affine coordinates, an addition requires 1 inversion, 22 multiplications and 3 squares, and a doubling requires 1 inversion, 22 multiplications and 5 squares. If one wants to avoid i... |

37 | Construction of secure random curves of genus 2 over prime fields
- Gaudry, Schost
- 2004
(Show Context)
Citation Context ...imes a prime p. 4. Pick random points with no zero coordinate in K until one is found that has order p. The most complicated task is the point-counting, that can be done using a Schoof-like algorithm =-=[6]-=- or Kedlaya’s algorithm [9] if the characteristic is small enough. The complex multiplication approach [20] is also compatible with this approach. 5.4 Security Thanks to the explicit map between a Kum... |

30 | The montgomery powering ladder
- Joye, Yen
- 2002
(Show Context)
Citation Context ... kind of parallelism is available. Note that for this kind of scalar multiplication algorithm, NAF and other windowing methods are not available, but some other speed-up strategies might be available =-=[8]-=-. Remark 5 If P is of known odd order p and if P has a coordinate that is zero. Then one can double P until the point Q = 2 k · P is found to have no zero coordinate. Then n · P is equal to (n/2 k mod... |

29 | Constructing hyperelliptic curves of genus 2 suitable for cryptography. Mathematics of Computation, 72(241):435–458, 2002. A Parameters produced by Algorithm 1 ( Here are some parameters found by Algorithm 1 for the CM field K = Q i √ 2− √ ) 2 and embeddi
- Weng
(Show Context)
Citation Context ...e most complicated task is the point-counting, that can be done using a Schoof-like algorithm [6] or Kedlaya’s algorithm [9] if the characteristic is small enough. The complex multiplication approach =-=[20]-=- is also compatible with this approach. 5.4 Security Thanks to the explicit map between a Kummer surface and the Jacobian of the associated curve, the discrete logarithm problem in Kummer surfaces is ... |

25 |
Introductory lectures on Siegel modular forms, volume 20 of Cambridge studies in advanced mathematics
- Klingen
- 1990
(Show Context)
Citation Context ...a functions with characteristics give trivial Theta constants. For a fixed Ω in H2, we give shorter names to the 16 Theta functions with characteristics: we denote them simply by ϑi(z), where i is in =-=[1,10]-=- for the even functions and i is in [11,16] for the odd functions. The full correspondance for the 16 characteristics is given in the Appendix. In the main part of the paper, we shall use only 4 of th... |

21 |
Complex abelian varieties, volume 302 of Grundlehren der Mathematischen Wissenschaften
- Lange, Birkenhake
- 1992
(Show Context)
Citation Context ...ial Theta constants. For a fixed Ω in H2, we give shorter names to the 16 Theta functions with characteristics: we denote them simply by ϑi(z), where i is in [1,10] for the even functions and i is in =-=[11,16]-=- for the odd functions. The full correspondance for the 16 characteristics is given in the Appendix. In the main part of the paper, we shall use only 4 of them that we call fundamental Theta functions... |

11 |
lectures on theta I, volume 28
- Tata
- 1983
(Show Context)
Citation Context ...ng comments on draft versions. I thank Régis Dupont for sharing with me his knowledge about Theta constants. 2 Theta functions and theta constants in genus 2 We adopt the notations of Mumford’s books =-=[15, 16]-=-. Let Ω be a matrix in the 2-dimensional Siegel upper-half-space H2, the set of symmetric 2×2 complex matrices with positive definite imaginary part. The Riemann Theta function is a function associate... |

9 |
lectures on theta II, volume 43
- Tata
- 1984
(Show Context)
Citation Context ...ng comments on draft versions. I thank Régis Dupont for sharing with me his knowledge about Theta constants. 2 Theta functions and theta constants in genus 2 We adopt the notations of Mumford’s books =-=[15, 16]-=-. Let Ω be a matrix in the 2-dimensional Siegel upper-half-space H2, the set of symmetric 2×2 complex matrices with positive definite imaginary part. The Riemann Theta function is a function associate... |

6 | K.: Efficient Elliptic Curve Cryptosystems from a Scalar Multiplication Algorithm with Recovery of the y-Coordinate on a Montgomery-Form Elliptic Curve. Cryptographic Hardware and Embedded Systems, LNCS 2162 - Okeya, Sakurai - 2001 |

3 |
Equations for the Jacobian of a hyperelliptic curve
- Wamelen
- 1999
(Show Context)
Citation Context ...nly the knowledge of the same ratio than for the equation of the curve. Therefore, in principle the choice to be made is only among two and not among 8 possibilities. Remark 6 The work of van Wamelen =-=[19]-=- shows that we can use a different map ϕ from C 2 to P 3 (C) that makes the Kummer surface and the curve in Rosenhain form defined over the same base field. This map is slightly more complicated, so w... |

2 |
scalar multiplication for genus 2 curves
- Montgomery
- 2004
(Show Context)
Citation Context ...dder with abscissa only representation is widely used. A first generalization to Kummer surfaces of genus 2 curves was given [18] in 1999, and recently there has been some more work in that direction =-=[5, 12]-=-. In our case, following Chudnovsky and Chudnovsky, we use formulae for the arithmetic in the Kummer surface that comes from the theory of Theta functions. There are some advantages and some drawbacks... |

2 |
Theta functions, volume 194 of Die Grundlehren der mathematischen Wissenschaften
- Igusa
- 1972
(Show Context)
Citation Context ... easy to relate to ours. That is the reason why we put them here for the convenience of the reader, with our notations and specialized to the genus 2 case. A reference for the duplication formulae is =-=[7]-=-, page 141, Corollary of Theorem 2 of Chapter IV. The other formulae that are given here are easy consequences of the Frobenius’ theta formula that can be found in Section 7 of Chapter IIIa in [16]. 7... |

1 |
addition for genus two curves
- Montgomery
- 2004
(Show Context)
Citation Context ...dder with abscissa only representation is widely used. A first generalization to Kummer surfaces of genus 2 curves was given [18] in 1999, and recently there has been some more work in that direction =-=[5, 12]-=-. In our case, following Chudnovsky and Chudnovsky, we use formulae for the arithmetic in the Kummer surface that comes from the theory of Theta functions. There are some advantages and some drawbacks... |

1 |
A fast Diffie-Hellman protocol in genus 2
- Smart, Siksek
- 1999
(Show Context)
Citation Context ... the evaluation of Lucas sequences). For elliptic curves, the Montgomery ladder with abscissa only representation is widely used. A first generalization to Kummer surfaces of genus 2 curves was given =-=[18]-=- in 1999, and recently there has been some more work in that direction [5, 12]. In our case, following Chudnovsky and Chudnovsky, we use formulae for the arithmetic in the Kummer surface that comes fr... |