## An Extension of Kedlaya's Algorithm to Hyperelliptic Curves in Characteristic 2 (2002)

### Cached

### Download Links

Citations: | 16 - 5 self |

### BibTeX

@MISC{Denef02anextension,

author = {Jan Denef and Frederik Vercauteren},

title = {An Extension of Kedlaya's Algorithm to Hyperelliptic Curves in Characteristic 2},

year = {2002}

}

### OpenURL

### Abstract

We present an algorithm for computing the zeta function of an arbitrary hyperelliptic curve over a finite field Fq of characteristic 2, thereby extending the algorithm of Kedlaya for odd characteristic. For a genus g hyperelliptic curve defined over F2 n , the average-case time complexity is O(g ) and the average-case space complexity is O(g ), whereas the worst-case time and space complexities are O(g ) and ) respectively.

### Citations

973 |
A Course in Computational Algebraic Number Theory
- Cohen
- 1993
(Show Context)
Citation Context ...− 2 and c the leading coefficient of h(x). Note that c is a unit in R. Integrating with respect to t and dividing by 2 gives � γ ′ jt j = j≥− max(2r+2g+3,6g+1) N� Ai(t −2i−2g−1 N�=-= +· · · )+ i=0 i=0 � (6) Ai 2 (c t−2i−2 deg-=- h +· · · ), (7) with γ ′ j ∈ K for all j and γ′ j ∈ R when j < −6g − 1. Indeed the integration process introduces denominators which become integral after multiplication with 2⌊log... |

762 |
Elliptic curve cryptosystems
- Koblitz
(Show Context)
Citation Context ...d O(g 4 n 3 ) respectively. Keywords: Hyperelliptic curves, cryptography, Kedlaya’s algorithm, MonskyWashnitzer cohomology 1 Introduction Since elliptic curve cryptosystems were introduced by Koblit=-=z [18]-=- and Miller [27], various other systems based on the discrete logarithm problem in the Jacobian of curves have been proposed such as hyperelliptic curves [19], superelliptic curves [12] and Cab curves... |

575 |
Use of Elliptic Curve in Cryptography
- Miller
- 1985
(Show Context)
Citation Context ...spectively. Keywords: Hyperelliptic curves, cryptography, Kedlaya’s algorithm, MonskyWashnitzer cohomology 1 Introduction Since elliptic curve cryptosystems were introduced by Koblitz [18] and Mille=-=r [27]-=-, various other systems based on the discrete logarithm problem in the Jacobian of curves have been proposed such as hyperelliptic curves [19], superelliptic curves [12] and Cab curves [2]. One of the... |

310 | Reducing elliptic curve logarithms to logarithms in a ¯nite ¯eld - Menezes, Okamoto, et al. - 1993 |

205 | A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves - Frey, Ruck - 1994 |

181 |
Elliptic curves over finite fields and the computation of square roots mod p
- Schoof
- 1985
(Show Context)
Citation Context ... modulo sufficient small primes l by working in l-torsion subgroups of the Jacobian and the final result is determined using the Chinese remainder theorem. This approach was first described by Schoof =-=[36] f-=-or ellipticscurves and leads to a polynomial time algorithm in all characteristics. A detailed description of Schoof’s algorithm and the improvements by Atkin [3] and Elkies [9] can be found in [4] ... |

180 |
Multiplication of multidigit numbers on automata
- Karatsuba, Ofman
- 1963
(Show Context)
Citation Context ... n irreducible polynomial, which we chose to be either a trinomial or a pentanomial. For multiplication of elements in RN , polynomials over RN and Laurent series over RN[x] we used Karatsuba’s tric=-=k [16]-=-, which allows to multiply two m-bit integers in time O(m log 2 3 ). Redoing the complexity analysis then results in an average-case time complexity of O(n 4.75 g 5.17 ) bit-operations. 5.1 Running Ti... |

173 |
Elliptic curves in cryptography
- Blake, Seroussi, et al.
- 1999
(Show Context)
Citation Context ...[36] for ellipticscurves and leads to a polynomial time algorithm in all characteristics. A detailed description of Schoof’s algorithm and the improvements by Atkin [3] and Elkies [9] can be found i=-=n [4] a-=-nd [23]. Pila [33] and later Adleman and Huang [1] extended Schoof’s algorithm to higher genus curves. Currently, only the genus 2 version of this algorithm is practical [14, 15]. The second approac... |

156 |
Hyperelliptic cryptosystems
- Koblitz
- 1989
(Show Context)
Citation Context ... cryptosystems were introduced by Koblitz [18] and Miller [27], various other systems based on the discrete logarithm problem in the Jacobian of curves have been proposed such as hyperelliptic curves =-=[19]-=-, superelliptic curves [12] and Cab curves [2]. One of the main initialization steps of these cryptosystems is to generate a suitable curve defined over a given finite field. To ensure the security of... |

98 |
Schnelle Multiplikation grosser Zahlen
- Schonhage, Strassen
- 1971
(Show Context)
Citation Context ...3 Complexity In this section we analyze the space and time requirements of Algorithm 1 for a genus g hyperelliptic curve over F2n assuming fast arithmetic, i.e. using the Schönhage-Strassen algorithm=-= [35] tha-=-t computes the product of two m-bit integers in time O(m1+ε ) for any constant ε ∈ R>0. Before proceeding through the individual steps of the algorithm, we analyze the complexity of the basic oper... |

90 | Supersingular curves in cryptography
- Galbraith
- 2001
(Show Context)
Citation Context ... order and verifying that the result is principal, i.e. is the zero element in the Jacobian JC �(Fq). It is clear that the given curves are non-supersingular, since the coefficient ag of χ(T ) is o=-=dd [11]. Let α = �-=-n−1 i=0 αiti ∈ F2n, then α is represented by the integer �n−1 i=0 αi2i written in hexadecimal notation. 22sGenus 2 hyperelliptic curve over F2 83 Let F283 be defined as F2[t]/P (t) with P (... |

86 | Counting points on hyperelliptic curves using Monsky–Washinitzer cohomology, preprint
- Kedlaya
- 2001
(Show Context)
Citation Context ...ithm is very efficient as long as the genus is small; this is due to the exponential dependence on the genus. The second strategy computes the action of Frobenius on p-adic cohomology groups. Kedlaya =-=[17] d-=-escribed such an algorithm for hyperelliptic curves over finite fields of small odd characteristic, using the theory of Monsky-Washnitzer cohomology. The running time of the algorithm is O(g4+εn3+ε ... |

66 |
The canonical lift of an ordinary elliptic curve over a finite field and its point counting
- SATOH
(Show Context)
Citation Context ...lgorithms come in two flavours. The first strategy computes a p-adic approximation of the SerreTate canonical lift and the action of Frobenius on this lift. This approach was first described by Satoh =-=[34] for e-=-lliptic curves. An overview of the many variants and further optimizations of Satoh’s algorithm can be found in [39]. Mestre [25] presented a “dual” algorithm using the Arithmetic-Geometric mean... |

62 |
Elliptic and modular curves over finite fields and related computational issues, Computational perspectives on number theory
- Elkies
- 1995
(Show Context)
Citation Context ...described by Schoof [36] for ellipticscurves and leads to a polynomial time algorithm in all characteristics. A detailed description of Schoof’s algorithm and the improvements by Atkin [3] and Elkie=-=s [9] c-=-an be found in [4] and [23]. Pila [33] and later Adleman and Huang [1] extended Schoof’s algorithm to higher genus curves. Currently, only the genus 2 version of this algorithm is practical [14, 15]... |

62 | Counting points on hyperelliptic curves over finite
- Gaudry, Harley
- 2000
(Show Context)
Citation Context ...kies [9] can be found in [4] and [23]. Pila [33] and later Adleman and Huang [1] extended Schoof’s algorithm to higher genus curves. Currently, only the genus 2 version of this algorithm is practica=-=l [14, 15]-=-. The second approach is p-adic in nature and is especially efficient for algebraic varieties over finite fields of small characteristic. These p-adic algorithms come in two flavours. The first strate... |

54 |
Frobenius maps of Abelian varieties and finding roots of unity in finite fields
- Pila
- 1990
(Show Context)
Citation Context ...urves and leads to a polynomial time algorithm in all characteristics. A detailed description of Schoof’s algorithm and the improvements by Atkin [3] and Elkies [9] can be found in [4] and [23]. Pil=-=a [33] a-=-nd later Adleman and Huang [1] extended Schoof’s algorithm to higher genus curves. Currently, only the genus 2 version of this algorithm is practical [14, 15]. The second approach is p-adic in natur... |

53 |
The number of points on an elliptic curve modulo a prime. Series of e-mails to the NMBRTHRY mailing list
- Atkin
- 1992
(Show Context)
Citation Context ...oach was first described by Schoof [36] for ellipticscurves and leads to a polynomial time algorithm in all characteristics. A detailed description of Schoof’s algorithm and the improvements by Atki=-=n [3] a-=-nd Elkies [9] can be found in [4] and [23]. Pila [33] and later Adleman and Huang [1] extended Schoof’s algorithm to higher genus curves. Currently, only the genus 2 version of this algorithm is pra... |

39 |
Solutions d’équations à coefficients dans un anneau hensélien
- Elkik
- 1974
(Show Context)
Citation Context ... coordinate ring of X by A. Let R be the ring of Witt vectors of Fq, i.e. the degree n unramified extension of the p-adic integers Zp with residue field Fq and let K be the fraction field of R. Elkik =-=[10] sho-=-wed that there always exists a smooth finitely generated R-algebra A such that A⊗R Fq ∼ = A. In general A does not allow a lift of the Frobenius endomorphism F on A; Monsky and Washnitzer solve th... |

39 | Arithmetic on superelliptic curves
- Galbraith, Paulus, et al.
(Show Context)
Citation Context ...ced by Koblitz [18] and Miller [27], various other systems based on the discrete logarithm problem in the Jacobian of curves have been proposed such as hyperelliptic curves [19], superelliptic curves =-=[12]-=- and Cab curves [2]. One of the main initialization steps of these cryptosystems is to generate a suitable curve defined over a given finite field. To ensure the security of the system, the curve must... |

38 | Construction of secure random curves of genus 2 over prime fields
- Gaudry, Schost
- 2004
(Show Context)
Citation Context ...kies [9] can be found in [4] and [23]. Pila [33] and later Adleman and Huang [1] extended Schoof’s algorithm to higher genus curves. Currently, only the genus 2 version of this algorithm is practica=-=l [14, 15]-=-. The second approach is p-adic in nature and is especially efficient for algebraic varieties over finite fields of small characteristic. These p-adic algorithms come in two flavours. The first strate... |

36 | Formal cohomology - Monsky, Washnitzer - 1968 |

30 |
Fast computation of Gcds
- Moenck
- 1973
(Show Context)
Citation Context ... multiplications of polynomials over RN of degree O(g) and the extended GCD computation of two such polynomials. The former operation clearly takes time O(g1+εn1+εN 1+ε ) and using Moenck’s algor=-=ithm [28] the lat-=-ter operation can also be performed in time O(g1+εn1+εN 1+ε ). Lemma 1 implies that these operations have to be repeated O(gν N) times, so the time complexity of step 3 is O(g1+ν+εn1+εN 2+ε ).... |

22 |
Counting rational points on curves and Abelian varieties over finite
- Adleman, Huang
- 1996
(Show Context)
Citation Context ...ime algorithm in all characteristics. A detailed description of Schoof’s algorithm and the improvements by Atkin [3] and Elkies [9] can be found in [4] and [23]. Pila [33] and later Adleman and Huan=-=g [1] e-=-xtended Schoof’s algorithm to higher genus curves. Currently, only the genus 2 version of this algorithm is practical [14, 15]. The second approach is p-adic in nature and is especially efficient fo... |

20 |
Algorithmique de courbes elliptiques dans les corps fi nis
- Lercier
- 1997
(Show Context)
Citation Context ... ellipticscurves and leads to a polynomial time algorithm in all characteristics. A detailed description of Schoof’s algorithm and the improvements by Atkin [3] and Elkies [9] can be found in [4] an=-=d [23]. -=-Pila [33] and later Adleman and Huang [1] extended Schoof’s algorithm to higher genus curves. Currently, only the genus 2 version of this algorithm is practical [14, 15]. The second approach is p-ad... |

19 | A quasi-quadratic time algorithm for hyperelliptic curve point counting. unpublished, available at http://www.math.u-bordeaux.fr/lubicz
- Lercier, Lubicz
- 2003
(Show Context)
Citation Context ... found in [39]. Mestre [25] presented a “dual” algorithm using the Arithmetic-Geometric mean and sketched how it could be extended to ordinary hyperelliptic curves [26]. Results by Lercier and Lub=-=icz [24]-=- show that this algorithm is very efficient as long as the genus is small; this is due to the exponential dependence on the genus. The second strategy computes the action of Frobenius on p-adic cohomo... |

18 |
computing Zeta functions of curves over finite fields
- Vercauteren
- 2003
(Show Context)
Citation Context ... action of Frobenius on this lift. This approach was first described by Satoh [34] for elliptic curves. An overview of the many variants and further optimizations of Satoh’s algorithm can be found i=-=n [39]. Me-=-stre [25] presented a “dual” algorithm using the Arithmetic-Geometric mean and sketched how it could be extended to ordinary hyperelliptic curves [26]. Results by Lercier and Lubicz [24] show that... |

17 |
p-Adic Analysis and Zeta Functions
- Monsky
- 1970
(Show Context)
Citation Context ...hnitzer Cohomology In this section we briefly recall the definition of Monsky-Washnitzer cohomology as introduced by Monsky and Washnitzer [29–31]; more details can be found in the lectures by Monsk=-=y [32]-=- and the survey by van der Put [37]. Let X be a smooth affine variety over a finite field k := Fq with q = p n elements. Denote the coordinate ring of X by A. Let R be the ring of Witt vectors of Fq, ... |

17 | Elliptic curves over and the computation of square roots modulo p - Schoof - 1985 |

16 |
Computing Zeta functions of Artin-Schreier curves over finite fields ii
- LAUDER, WAN
- 2004
(Show Context)
Citation Context ...ary algebraic variety over a finite field. Despite its polynomial time complexity, a first implementation indicates that cryptographical sizes are out of reach. Using Dwork cohomology, Lauder and Wan =-=[21, 22] spe-=-cialised their original algorithm to Artin-Schreier curves, leading to an O(g5+εn3+ε ) time algorithm. In [7], we described an extension of Kedlaya’s algorithm to Artin-Schreier curves in characte... |

15 | Fast computation of canonical lifts of elliptic curves and its application to point counting - Satoh, Skjernaa, et al. - 2003 |

14 | Computational aspects of curves of genus at least 2 - Poonen - 1996 |

13 | Elliptic and modular curves over and related computational issues - Elkies - 1998 |

12 | An extension of Kedlaya’s algorithm to Artin-Schreier curves in characteristic 2
- Denef, Vercauteren
- 2002
(Show Context)
Citation Context ...at cryptographical sizes are out of reach. Using Dwork cohomology, Lauder and Wan [21, 22] specialised their original algorithm to Artin-Schreier curves, leading to an O(g5+εn3+ε ) time algorithm. I=-=n [7], we-=- described an extension of Kedlaya’s algorithm to Artin-Schreier curves in characteristic 2 with the same time complexity. In this paper we extend Kedlaya’s algorithm to arbitrary hyperelliptic cu... |

12 | Formal cohomology. II. The cohomology sequence of a pair - Monsky - 1968 |

11 | Formal cohomology III: Fixed point theorems - Monsky - 1971 |

11 | On Satoh’s algorithm and its implementation - Fouquet, Gaudry, et al. |

10 | On p-adic point counting algorithms for elliptic curves over finite fields - Satoh - 2002 |

9 | Computing Zeta Functions of Hyperelliptic Curves over Finite Fields of Characteristic 2
- Vercauteren
- 2002
(Show Context)
Citation Context ...g 5+ε n 3+ε ) and O(g 4 n 3 ) respectively. An implementation in the C programming language shows that cryptographical sizes are now feasible for any genus g. This paper is the theoretical version o=-=f [38]-=-: it provides a detailed description of the underlying mathematics, presents all missing proofs and corrects the complexity analysis. The remainder of the paper is organized as follows: Section 2 revi... |

7 |
Algorithms for computations in Jacobians of Cab curve and their application to discrete-log-based public key cryptosystems
- Arita
(Show Context)
Citation Context ...and Miller [27], various other systems based on the discrete logarithm problem in the Jacobian of curves have been proposed such as hyperelliptic curves [19], superelliptic curves [12] and Cab curves =-=[2]-=-. One of the main initialization steps of these cryptosystems is to generate a suitable curve defined over a given finite field. To ensure the security of the system, the curve must be chosen such tha... |

7 |
A rigid analytic version of M. Artin’s theorem on analytic equations
- BOSCH
- 1981
(Show Context)
Citation Context ...denominator in the above formula is invertible in A ∞ . Contrary to the odd characteristic case it is not immediately clear that the solution W := limk→+∞ Wk is an element of A † . A theorem b=-=y Bosch [5]-=- guarantees the existence of such a solution, but does not provide bounds on the rate of convergence. Since these bounds are needed in the complexity analysis, we prove the following lemma. Lemma 1 Fo... |

6 | Counting points on Cab curves using MonskyWashnitzer cohomology
- Denef, Vercauteren
(Show Context)
Citation Context ... v(x) + i=0 where � 2g� Aiix i−1 i=0 F (x) := 2 m−1 x r v(x) − N� i=2g+1 � i=0 = N� Aiix i−1 N� v(x) + Aix i w(x). v(x) + � 2g� Aix i i=0 Aiix i−1 v(x) − N� � i=2g+1 i==-=0 w(x) d(2y+h(x)) w(x) = F (x), (8) Aix i w(x) -=-(9) is a polynomial over R, since Ai ∈ R for all i > 2g. From equations (8) and (9) it follows that �2g i=0 Aiθi k has valuation ≥ 0 for each root θk of H(x), because v(θk) = 0 and w(θk) �... |

6 | Satoh’s algorithm in characteristic 2 - Skjernaa - 2003 |

5 |
An extension of Kedlaya’s algorithm for counting points on superelliptic curves
- Gaudry, Gürel
- 2001
(Show Context)
Citation Context ...zer cohomology. The running time of the algorithm is O(g4+εn3+ε ) for a hyperelliptic curve of genus g over Fpn. The algorithm readily generalizes to superelliptic curves as shown by Gaudry and Gür=-=el [13]. -=-A related approach by Lauder and Wan [20] is based on Dwork’s proof of the rationality of the zeta function and results in a polynomial time algorithm to compute the zeta function of an arbitrary al... |

5 |
der Put. The cohomology of Monsky and
- van
- 1986
(Show Context)
Citation Context ...we briefly recall the definition of Monsky-Washnitzer cohomology as introduced by Monsky and Washnitzer [29–31]; more details can be found in the lectures by Monsky [32] and the survey by van der Pu=-=t [37]-=-. Let X be a smooth affine variety over a finite field k := Fq with q = p n elements. Denote the coordinate ring of X by A. Let R be the ring of Witt vectors of Fq, i.e. the degree n unramified extens... |

5 | Solutions d'equations a coecients dans un anneau henselien - Elkik - 1973 |

4 |
Lettre adressée à Gaudry et Harley
- Mestre
- 2000
(Show Context)
Citation Context ...obenius on this lift. This approach was first described by Satoh [34] for elliptic curves. An overview of the many variants and further optimizations of Satoh’s algorithm can be found in [39]. Mestr=-=e [25] pre-=-sented a “dual” algorithm using the Arithmetic-Geometric mean and sketched how it could be extended to ordinary hyperelliptic curves [26]. Results by Lercier and Lubicz [24] show that this algorit... |

4 | Counting points on hyperelliptic curves over - Gaudry, Harley - 2000 |

4 | Counting points on varieties over of small characteristic - Lauder, Wan - 2001 |

3 |
Algorithmes pour compter des points en petite caracteristique en genre 1 et 2. unpublished, redige par D. Lubicz, available at http://www.math.univ-rennes1.fr/crypto/2001-02/mestre.ps
- Mestre
- 2002
(Show Context)
Citation Context ...izations of Satoh’s algorithm can be found in [39]. Mestre [25] presented a “dual” algorithm using the Arithmetic-Geometric mean and sketched how it could be extended to ordinary hyperelliptic c=-=urves [26]-=-. Results by Lercier and Lubicz [24] show that this algorithm is very efficient as long as the genus is small; this is due to the exponential dependence on the genus. The second strategy computes the ... |

3 | Frobenius maps of abelian varieties and roots of unity in - Pila - 1990 |