## A GENERIC APPROACH TO SEARCHING FOR JACOBIANS (2007)

Citations: 1 (1 self)

### BibTeX

```bibtex
@MISC{Sutherland07ageneric,
  author = {Andrew V. Sutherland},
  title  = {A GENERIC APPROACH TO SEARCHING FOR JACOBIANS},
  year   = {2007}
}
```

### Abstract

We consider the problem of finding cryptographically suitable Jacobians. By applying a probabilistic generic algorithm to compute the zeta functions of low genus curves drawn from an arbitrary family, we can search for Jacobians containing a large subgroup of prime order. For a suitable distribution of curves, the complexity is subexponential in genus 2, and O(N^(1/12)) in genus 3. We give examples of genus 2 and genus 3 hyperelliptic curves over prime fields with group orders over 180 bits in size, improving previous results. Our approach is particularly effective over low-degree extension fields, where in genus 2 we find Jacobians over F_{p^2} and trace zero varieties over F_{p^3} with near-prime orders up to 372 bits in size. For p = 2^61 − 1, the average time to find a group with 244-bit near-prime order is under an hour on a PC.

### Citations

2724 | Handbook of Applied Cryptography - Menezes, van Oorschot, Vanstone - 1997
Citation context: ...lications for the Mersenne primes 2^61 − 1 and 2^89 − 1 were specifically optimized, but otherwise we used a Montgomery representation [44], and Montgomery inversion was used in all cases (see [11] and [42] for algorithms). Performance metrics appear in Table 1. Parallel exponentiation. Both asymptotically and in practice, the exponentiation performed in Step 1 of Algorithm 2 dominates the total running...

987 | A Course in Computational Algebraic Number Theory - Cohen - 1996
Citation context: ...ms 14.52-53 (genus 3) in [11]. The black box executes several group operations up to the point where a field inversion is required, performs a single combined field inversion using Montgomery’s trick [10], then completes the group operations. With this approach the amortized cost of a field inversion is 3 field multiplications (3M), and the effective cost of a group operation is then 28M in genus 2 an...

459 | Modular multiplication without trial division - Montgomery - 1985

251 | Factoring integers with elliptic curves - Lenstra - 1987
Citation context: ...t. By applying a bounded amount of computation to each group in a family, we can hope to find one whose order is easily computed. This approach is similar to some algorithms for integer factorization [39, 50], and has been successfully applied to compute ideal class groups of imaginary quadratic number fields with 100-digit discriminants. For a suitable distribution of group orders, the complexity is sube...

184 | Elliptic curves over finite fields and the computation of square roots mod p - Schoof - 1985
Citation context: ...it is necessary to know its order. For curves of genus 1 (elliptic curves), several effective point-counting algorithms are available. The most general are ℓ-adic methods, based on Schoof’s algorithm [51, 52], and for small characteristic fields there are more efficient p-adic methods [31, 32, 43, 49]. The p-adic methods, particularly Kedlaya’s algorithm [31], readily extend to higher genus curves, and ha...

169 | Computing in the Jacobian of a hyperelliptic curve - Cantor - 1987
Citation context: ...and group elements (space). We assume the availability of a black box that uniquely identifies group elements, a requirement easily met by Jacobian arithmetic based on a Cantor-Mumford representation [9]. We also require access to randomly generated group elements, which may be obtained via the methods detailed in [11, 14.1-2]. We presuppose a uniform distribution, however this assumption can typical...

144 | Constructive and Destructive Facets of Weil Descent on Elliptic Curves - Gaudry, Hess, et al. - 2000
Citation context: ...2(C) is then the (internal) product of the subgroups J(C) and J(C̃), hence J_{2/1}(C) ≅ J_2(C)/J(C) ≅ J(C̃). □ Finally, we note results that impact the effective security of hyperelliptic curves [14, 16, 23, 24, 25, 54, 60, 61]. Taking a pessimistic view, we list the strongest potential attacks known at the time of writing. Proposition 1. Let C be a hyperelliptic curve of genus g over F_q = F_{p^n}. (1) Discrete logarithms in J...

137 | The Art of Computer Programming, Volume III: Sorting and Searching - Knuth - 1973

120 | Handbook of Elliptic and Hyperelliptic Curve Cryptography - Cohen, Frey - 2005
Citation context: ... near-prime orders in the range 2^160 to 2^256, and we also consider subgroups of Jacobians that offer comparable (perhaps superior) performance and security parameters, such as trace zero varieties [11, 21, 36]. The existence of various index calculus algorithms has centered attention on hyperelliptic curves of genus g ≤ 3 [15, 18, 24]. We similarly focus on the hyperelliptic case, although our results may ...

98 | Algebraic Aspects of Cryptography - Koblitz - 1998
Citation context: ...s 2 curve over F_{p^2} we require a ratio of 14/9. Considering (2) and (3), for the trace zero variety T(C/F_{p^3}), the comparable ratio is 5/4 when 3 divides #J(C/F_{p^2}) and 6/5 otherwise. See [11] and [35] for further background on hyperelliptic curve cryptography. Footnote 4: The black boxes we use assume f is monic and d = 2g + 1 but our results do not require this. Footnote 5: We use “lg” to denote binary logarithms an...

86 | Counting points on hyperelliptic curves using Monsky-Washnitzer cohomology - Kedlaya
Citation context: ...fective point-counting algorithms are available. The most general are ℓ-adic methods, based on Schoof’s algorithm [51, 52], and for small characteristic fields there are more efficient p-adic methods [31, 32, 43, 49]. The p-adic methods, particularly Kedlaya’s algorithm [31], readily extend to higher genus curves, and have proven effective over small and medium characteristic fields [28, 62]. Generalization of th...

80 | On a problem of Oppenheim concerning factorisatio numerorum - Canfield, Erdös, et al. - 1983
Citation context: ... with exponent E. If a reject occurs, goto Step 1. 5. Set N ← NN′ and increment t. If t < c then goto Step 4. Output λ(G) = N. Footnote 7: One uses σ(u) ≥ ρ(u) = u^(−u+o(1)), where ρ(u) is the Dickman function [1, 8, 13]. The order computation in Step 2 is a bounded search for |β| ≤ B2, which may be performed by a standard birthday-paradox algorithm or by Algorithm 4 below. The order computati...

75 | Theorems on factorization and primality testing - Pollard - 1974
Citation context: ... slow to effectively compute the order of a large group, even when fairly tight bounds on the order are known (as in [56]). Alternatively, one may apply a generic version of Pollard’s p − 1 technique [47], exponentiating by many small primes. This can be quite effective if the group order happens to be smooth (no large prime factors), but the worst case complexity is Θ(N). Surprisingly, a combination ...

71 | Numbers of solutions of equations in finite fields - Weil - 1949
Citation context: ...count the points on C in P(F_{q^k}). The zeta function of C is the formal power series (3.1) Z(C/F_q, z) = exp( Σ_{k=1}^{∞} N_k z^k / k ). Our interest in the zeta function stems from the well-known theorem of Weil [63], which we restrict here to projective curves defined over F_q. Henceforth we assume all curves are non-singular and irreducible over the algebraic closure of F_q. Theorem 1 (Weil). Let C be a genus g ...

66 | The canonical lift of an ordinary elliptic curve over a finite field and its point counting - Satoh
Citation context: ...fective point-counting algorithms are available. The most general are ℓ-adic methods, based on Schoof’s algorithm [51, 52], and for small characteristic fields there are more efficient p-adic methods [31, 32, 43, 49]. The p-adic methods, particularly Kedlaya’s algorithm [31], readily extend to higher genus curves, and have proven effective over small and medium characteristic fields [28, 62]. Generalization of th...

62 | Elliptic and modular curves over finite fields and related computational issues - Elkies - 1995
Citation context: ...locality of reference, as described in Section 5. 4.1. Recovering the zeta function. Having computed #J(C), we need to determine the zeta function of C. This problem (and many others) is discussed in [17]. We provide explicit details here for the genus 2 and 3 cases and analyze the cost of determining the zeta function once #J(C) is known. Lemma 4. Let P(z) denote the L-polynomial of a non-singular, i...

59 | A double large prime variation for small genus hyperelliptic index calculus - Gaudry, Thomé, et al.
Citation context: ...erior) performance and security parameters, such as trace zero varieties [11, 21, 36]. The existence of various index calculus algorithms has centered attention on hyperelliptic curves of genus g ≤ 3 [15, 18, 24]. We similarly focus on the hyperelliptic case, although our results may be applied to any family of low genus curves. To assess the cryptographic suitability of a group, it is necessary to know its o...

54 | Frobenius maps of Abelian varieties and finding roots of unity in finite fields - Pila - 1990
Citation context: ...lmost trivial in genus 2, and in genus 3 we give a generic algorithm requiring O(N^(1/12)) group operations. Footnote 1: There is a polynomial-time ℓ-adic algorithm due to Pila for arbitrary abelian varieties [46], but it is not practical for groups of cryptographic size. Footnote 2: This is asymptotically exponential, but negligible for the size groups we consider. With P...

50 | On the frequency of numbers containing prime factors of a certain relative magnitude - Dickman - 1930
Citation context: ... with exponent E. If a reject occurs, goto Step 1. 5. Set N ← NN′ and increment t. If t < c then goto Step 4. Output λ(G) = N. Footnote 7: One uses σ(u) ≥ ρ(u) = u^(−u+o(1)), where ρ(u) is the Dickman function [1, 8, 13]. The order computation in Step 2 is a bounded search for |β| ≤ B2, which may be performed by a standard birthday-paradox algorithm or by Algorithm 4 below. The order computati...

49 | Index calculus attack for hyperelliptic curves of small genus - Thériault - 2003
Citation context: ...2(C) is then the (internal) product of the subgroups J(C) and J(C̃), hence J_{2/1}(C) ≅ J_2(C)/J(C) ≅ J(C̃). □ Finally, we note results that impact the effective security of hyperelliptic curves [14, 16, 23, 24, 25, 54, 60, 61]. Taking a pessimistic view, we list the strongest potential attacks known at the time of writing. Proposition 1. Let C be a hyperelliptic curve of genus g over F_q = F_{p^n}. (1) Discrete logarithms in J...

44 | Applications of arithmetical geometry to cryptographic constructions, Finite fields and applications - Frey - 1999
Citation context: ... near-prime orders in the range 2^160 to 2^256, and we also consider subgroups of Jacobians that offer comparable (perhaps superior) performance and security parameters, such as trace zero varieties [11, 21, 36]. The existence of various index calculus algorithms has centered attention on hyperelliptic curves of genus g ≤ 3 [15, 18, 24]. We similarly focus on the hyperelliptic case, although our results may ...

39 | Computing discrete logarithms in high genus hyperelliptic Jacobians in provably subexponential time - Enge
Citation context: ...erior) performance and security parameters, such as trace zero varieties [11, 21, 36]. The existence of various index calculus algorithms has centered attention on hyperelliptic curves of genus g ≤ 3 [15, 18, 24]. We similarly focus on the hyperelliptic case, although our results may be applied to any family of low genus curves. To assess the cryptographic suitability of a group, it is necessary to know its o...

38 | GHS attack in odd characteristic - Diem
Citation context: ...2(C) is then the (internal) product of the subgroups J(C) and J(C̃), hence J_{2/1}(C) ≅ J_2(C)/J(C) ≅ J(C̃). □ Finally, we note results that impact the effective security of hyperelliptic curves [14, 16, 23, 24, 25, 54, 60, 61]. Taking a pessimistic view, we list the strongest potential attacks known at the time of writing. Proposition 1. Let C be a hyperelliptic curve of genus g over F_q = F_{p^n}. (1) Discrete logarithms in J...

24 | On some computational problems in finite abelian groups - Buchmann, Jacobson, et al. - 1997
Citation context: ...e of any finite abelian group. When |G| is a random integer, the median complexity is O(N^0.344). This approach can be much faster than other generic algorithms for computing abelian group structure [6, 7, 58, 59]. To search for Jacobians, we estimate |G| ≈ 2^n based on the Weil interval (3.3), then pick a fixed B = 2^(n/u) that minimizes B/σ(u), where σ(u) estimates the probability that a random integer x is x ...

24 | Fast genus 2 arithmetic based on Theta functions - Gaudry

23 | Index calculus for abelian varieties and the elliptic curve discrete logarithm problem - Gaudry - 2004

22 | Asymptotic semi-smoothness probabilities - Bach, Peralta - 1992
Citation context: ...u) estimates the probability that a random integer x is x^(1/u)-easy. Asymptotically, we may use σ(u) = G(1/u, 2/u), where G(s, t) is the semismooth probability function defined by Bach and Peralta in [1] (the impact of prime-power factors is negligible). This yields an L(1/2, √2/2) bound on both 1/σ(u) and B, leading to an L(1/2, √2) bound on the entire search, based on the heuristic assumption tha...

22 | The arithmetic of Jacobian groups of superelliptic cubics - Basiri, Enge, et al. - 2005
Citation context: .... This has spurred the development of highly efficient algorithms for group computation that are now available for many types of curves, including hyperelliptic, superelliptic, Picard, and C_ab curves [2, 3, 19, 20, 26, 33, 37, 66]. The group of interest consists of the F_q-rational points on the Jacobian variety of a curve C, or, equivalently, the divisor class group of degree 0, Pic^0(C). We denote this group J(C/F_q), or simp...

21 | An Invitation to Arithmetic Geometry - Lorenzini - 1996
Citation context: ...ger coefficients satisfying a_0 = 1 and a_{2g−i} = q^{g−i} a_i, for 0 ≤ i < g. (2) P(z) = ∏_{i=1}^{2g} (1 − α_i z), with |α_i| = √q. (3) N_k = q^k + 1 − Σ_{i=1}^{2g} α_i^k. A proof can be found in chapters 8 and 10 of [40]. We call P(z) the L-polynomial of the curve C. From (2) we obtain the bounds (3.2) |a_i| ≤ (2g choose i) q^{i/2}. Let J(C/F_{q^k}) denote the group of F_{q^k}-rational points on the Jacobian variety of C. We wr...

20 | A Monte Carlo factoring algorithm with linear storage - Schnorr, Lenstra - 1984
Citation context: ...t. By applying a bounded amount of computation to each group in a family, we can hope to find one whose order is easily computed. This approach is similar to some algorithms for integer factorization [39, 50], and has been successfully applied to compute ideal class groups of imaginary quadratic number fields with 100-digit discriminants. For a suitable distribution of group orders, the complexity is sube...

18 | An improved baby step giant step algorithm for point counting of hyperelliptic curves over finite fields - Matsuo, Chao, et al.
Citation context: ...ymptotic complexity of O(B/√(log log B)). Applying optimized baby-step giant-step methods given constraints on |β| is not new; this technique is often used in conjunction with ℓ-adic methods, as in [41]. The novelty here is that the constraints are obtained generically. In the example above we could have used P5 rather than P4, and set m to 1. We intentionally use a slightly suboptimal value of P an...

18 | Computing zeta functions of curves over finite fields - Vercauteren - 2003
Citation context: ...-adic methods [31, 32, 43, 49]. The p-adic methods, particularly Kedlaya’s algorithm [31], readily extend to higher genus curves, and have proven effective over small and medium characteristic fields [28, 62]. Generalization of the ℓ-adic methods has been more difficult. The best results for genus 2 curves over prime fields report roughly a week to compute the order of a group of size ≈ 2^164 [27]. In gen...

18 | Software and Hardware Implementation of Hyperelliptic Curve Cryptosystems. Europäischer Universitätsverlag - Wollinger - 2004
Citation context: .... This has spurred the development of highly efficient algorithms for group computation that are now available for many types of curves, including hyperelliptic, superelliptic, Picard, and C_ab curves [2, 3, 19, 20, 26, 33, 37, 66]. The group of interest consists of the F_q-rational points on the Jacobian variety of a curve C, or, equivalently, the divisor class group of degree 0, Pic^0(C). We denote this group J(C/F_q), or simp...

17 | A space efficient algorithm for group structure computation - Teske - 1998
Citation context: ...e of any finite abelian group. When |G| is a random integer, the median complexity is O(N^0.344). This approach can be much faster than other generic algorithms for computing abelian group structure [6, 7, 58, 59]. To search for Jacobians, we estimate |G| ≈ 2^n based on the Weil interval (3.3), then pick a fixed B = 2^(n/u) that minimizes B/σ(u), where σ(u) estimates the probability that a random integer x is x ...

15 | Explicit bounds and heuristics on class numbers in hyperelliptic function fields - Stein, Teske
Citation context: ...s rho method [48] and Shanks’ baby-steps giant-steps algorithm [53], makes them too slow to effectively compute the order of a large group, even when fairly tight bounds on the order are known (as in [56]). Alternatively, one may apply a generic version of Pollard’s p − 1 technique [47], exponentiating by many small primes. This can be quite effective if the group order happens to be smooth (no large ...

12 | Computing the structure of a finite abelian group - Buchmann, Schmidt
Citation context: ...e of any finite abelian group. When |G| is a random integer, the median complexity is O(N^0.344). This approach can be much faster than other generic algorithms for computing abelian group structure [6, 7, 58, 59]. To search for Jacobians, we estimate |G| ≈ 2^n based on the Weil interval (3.3), then pick a fixed B = 2^(n/u) that minimizes B/σ(u), where σ(u) estimates the probability that a random integer x is x ...

12 | GNU multiple precision arithmetic library 4.1.2 - Granlund et al. - 2002
Citation context: ...bit Linux operating system. We ran eight of these systems in parallel in the larger tests. The algorithms were implemented using the GNU C compiler [55] and the GMP multi-precision arithmetic library [29]. Black Boxes. The parallel group operation enabled by Algorithm 4 is most advantageous to a black box based on an affine representation of the Jacobian. We used modified versions of Algorithms 14.19-...

12 | Asymptotically fast group operations on Jacobians of general curves - Khuri-Makdisi
Citation context: .... This has spurred the development of highly efficient algorithms for group computation that are now available for many types of curves, including hyperelliptic, superelliptic, Picard, and C_ab curves [2, 3, 19, 20, 26, 33, 37, 66]. The group of interest consists of the F_q-rational points on the Jacobian variety of a curve C, or, equivalently, the divisor class group of degree 0, Pic^0(C). We denote this group J(C/F_q), or simp...

12 | Isogenies and the discrete logarithm problem in Jacobians of genus 3 hyperelliptic curves - Smith - 2009

11 | Kedlaya’s algorithm in larger characteristic - Harvey
Citation context: ...o effective ℓ-adic methods are available, however, recent work on extending p-adic methods to larger characteristic fields has enabled computation of group orders up to size ≈ 2^150 over prime fields [5, 30]. In both cases the algorithms are memory intensive, limiting their applicability to larger groups. There are other methods for curves with special properties [22, 64, 65], but for general curves of g...

9 | Order Computations in Generic Groups - Sutherland - 2007
Citation context: ...rder happens to be smooth (no large prime factors), but the worst case complexity is Θ(N). Surprisingly, a combination of these two generic approaches is faster than either alone. The author’s thesis [57] presents a o(√N) algorithm to compute the order of an element in any finite group. For a family of abelian groups with orders uniformly distributed over a large interval, the average running time i...

9 | Isogeny classes of abelian varieties with no principal polarizations - Howe - 2001

7 | Linear recurrences with polynomial coefficients and application to integer factorization and Cartier-Manin operator - Bostan, Gaudry, Schost
Citation context: ...o effective ℓ-adic methods are available, however, recent work on extending p-adic methods to larger characteristic fields has enabled computation of group orders up to size ≈ 2^150 over prime fields [5, 30]. In both cases the algorithms are memory intensive, limiting their applicability to larger groups. There are other methods for curves with special properties [22, 64, 65], but for general curves of g...

7 | Cover attacks, a report for the AREHCC project (preprint) - Diem, Scholten - 2003

5 | Fast addition on non-hyperelliptic genus 3 curves. Algebraic geometry and its applications - Flon, Oyono

5 | Hyperelliptic CM-curves of genus 3 - Weng
Citation context: ...to size ≈ 2^150 over prime fields [5, 30]. In both cases the algorithms are memory intensive, limiting their applicability to larger groups. There are other methods for curves with special properties [22, 64, 65], but for general curves of genus g > 1 over large characteristic fields, efficiently finding cryptographically suitable Jacobians remains an open problem [11, 38]. The solution we propose is probab...

4 | Algorithmes pour compter des points de courbes en petite caractéristique et en petit genre. Talk given in Rennes in March 2002. Notes written by - Mestre
Citation context: ...fective point-counting algorithms are available. The most general are ℓ-adic methods, based on Schoof’s algorithm [51, 52], and for small characteristic fields there are more efficient p-adic methods [31, 32, 43, 49]. The p-adic methods, particularly Kedlaya’s algorithm [31], readily extend to higher genus curves, and have proven effective over small and medium characteristic fields [28, 62]. Generalization of th...

4 | Monte Carlo methods for index computation (mod p) - Pollard - 1978
Citation context: ...ment the group law. As a result of the work cited above, we have many highly efficient black boxes at our disposal. The Θ(√N) complexity of birthday-paradox algorithms, such as Pollard’s rho method [48] and Shanks’ baby-steps giant-steps algorithm [53], makes them too slow to effectively compute the order of a large group, even when fairly tight bounds on the order are known (as in [56]). Alternativ...

4 | Class number, a theory of factorization and genera, Analytic Number Theory - Shanks - 1971
Citation context: ...above, we have many highly efficient black boxes at our disposal. The Θ(√N) complexity of birthday-paradox algorithms, such as Pollard’s rho method [48] and Shanks’ baby-steps giant-steps algorithm [53], makes them too slow to effectively compute the order of a large group, even when fairly tight bounds on the order are known (as in [56]). Alternatively, one may apply a generic version of Pollard’s ...

3 | Fast genus 2 arithmetic based on theta functions - Gaudry