## Applications of Arithmetical Geometry to Cryptographic Constructions

Venue: Proceedings of the Fifth International Conference on Finite Fields and Applications

Citations: 44 - 1 self

### BibTeX

```bibtex
@INPROCEEDINGS{Frey_applicationsof,
    author = {Gerhard Frey},
    title = {Applications of Arithmetical Geometry to Cryptographic Constructions},
    booktitle = {Proceedings of the Fifth International Conference on Finite Fields and Applications},
    year = {},
    pages = {128--161},
    publisher = {Springer}
}
```

### Abstract

Public key cryptosystems are very important tools for data transmission. Their performance and security depend on the underlying crypto primitives. In this paper we describe one such primitive: The Discrete Logarithm (DL) in cyclic groups of prime order (Section 1). To construct DL-systems we use methods from algebraic and arithmetic geometry and especially the theory of abelian varieties over finite fields. It is explained why Jacobian varieties of hyperelliptic curves of genus 4 are candidates for cryptographically "good" abelian varieties (Section 2). In the third section we describe the (constructive and destructive) role played by Galois theory: Local and global Galois representation theory is used to count points on abelian varieties over finite fields and we give some applications of Weil descent and Tate duality.

### Citations

2717 | Handbook of Applied Cryptography
- Menezes, Oorschot, et al.
- 1997
Citation Context: ...em depends on this rather vague statement we would feel much better if we could use for f a one way function in the sense of information theory, or a trap door one way function (for the definition cf. [MOV]). But since we even don't know whether such functions exist we have to use what we have and to be very sensitive to new developments in technology (e.g. "quantum computers" (cf. [Sho])) and to new r...

898 | The Arithmetic of Elliptic Curves
- Silverman
- 1982
Citation Context: ...mples for abelian varieties and at the same time, the most important ones in theory and applications today. Only for the sake of simplicity we shall assume here that char(K) is not equal to 2, 3 (see [Si] for the general case). Like in 2.) we use a curve as underlying scheme. But this time it is a curve in the projective plane given by one cubic equation. If we use homogeneous coordinates (X, Y, Z) th...

575 | Introduction to the Arithmetic Theory of Automorphic Functions
- Shimura
- 1971
Citation Context: ...their L-series over residue fields. In other words one needs the local factors of the global L-series. Again the theory of cusp forms and their relation to representations of the Galois group of Q (cf. [Sh]) becomes crucial: For all prime numbers l not dividing N there are special endomorphisms, Hecke operators T_l, of A, and knowing T_l is as good as knowing the Frobenius l because of the Eichler-Sh...

350 | lectures on theta
- Mumford, Tata
- 1983
Citation Context: ...rix of the Jacobian from the beginning and Mestre's method. The given CM-field can be used to compute the period matrix of an abelian variety. It can be tested whether it is principally polarized (cf. [Mu3]). But a principally polarized abelian variety of dimension 4 need not to be the Jacobian of a curve (Schottky problem) and even if so, the chance of finding a hyperelliptic curve becomes dramatically...

281 | Abelian varieties
- Mumford
- 1970
Citation Context: ...ial properties which are not at all clear from the definition. For instance their addition law has to be commutative. (This and much more of the fascinating theory of abelian varieties can be found in [Mu2].) 2.2 One-dimensional examples 1. The additive group G_a is the affine line. We can take one variable X as coordinate function, the relation set is empty. m is given by the function R(X, Y) = X + Y, i(...

271 | New directions in cryptography
- Diffie, Hellman
- 1976
Citation Context: ...me a very interesting and inspiring event. geometry over special fields can be used to construct them and to give estimates (or hints) for their reliability. The basic ideas go back to Diffie and Hellman ([DH]). The main aim is the construction of a function f mapping the natural numbers N (or, in practice, a finite subset of N) to a finite set A of N satisfying some "functional equations" and with the most im...

217 | A subexponential algorithm for discrete logarithms over the rational subgroup of the Jacobians of large genus hyperelliptic curves over finite fields, Algorithmic Number Theory, LNCS 877
- Adleman, Huang
- 1994
Citation Context: ...ted by polynomials of small degrees as factor base! It is to be expected that (for fixed field F_q) this method becomes more and more effective with increasing g. And indeed Adleman, DeMarrais and Huang ([ADH]) proposed an index-calculus algorithm for hyperelliptic curves with subexponential complexity in g. This was made precise in [MST] and [E] and finally settled by a smoothness result in [ES]: Propos...

207 | A remark concerning m-divisibility and the discrete logarithm problem in the divisor class group of curves
- Frey, Ruck
- 1976
Citation Context: ...tation of Proposition 3.17) Corollary 3.18. The Tate-Lichtenbaum pairing induces a non-degenerate pairings>: JC (F q )[n] JC (F q )[n] ! n (F q ) given bys1 ; P 2 >:= f 1 (D 2 ) q 1 n : One finds in [FR] how this pairing can be computed in O(log(q)) addition steps and so it reduces the discrete logarithm in JC (F q )[n] to the discrete logarithm in n (F q ). In general the conditions that F q contai...

159 | Hyperelliptic cryptosystems
- Koblitz
- 1989
Citation Context: ...q)) is not optimal. So mostly the method of constant field extensions is used only for very small q_0 and large prime m. The typical examples are Koblitz curves defined over fields with 2-power order (cf. [Ko]). In Subsection 3.2 we shall present another method to construct admissible abelian varieties using constant field extensions in the situation that q_0 is as big as possible and m small. It uses the ob...

95 | Algebraische Zahlentheorie
- Neukirch
- 1992
Citation Context: ...o Q/Z, the isomorphism is given by the so called invariant map inv_K. This and the explicit determination (called Artin's reciprocity law) of the invariant are the key to local class field theory (cf. [Ne]): One can describe the Brauer group of K by using cocycles defined by cyclic extensions L of K of degree n in the following way: Theorem 3.11. Let K be an l-adic field with normed valuation v_l. Let L/...

73 | Complex multiplication of abelian varieties and its applications to number theory, Second printing corrected
- Shimura, Taniyama
- 1975
Citation Context: ...ism ring is an order in a field K = Q( p d) with ds0. More generally: Class field theory relates endomorphisms of special abelian varieties A_K to elements in orders O_K in CM-fields K (Shimura - Taniyama) ([ST]): We can determine (in principle explicitly, see examples) an abelian variety A_K defined over a known finite field extension L of Q such that the reduction of A_K modulo (suitably chosen) prime ideals q in...

59 | The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems - Frey, Müller, et al. - 1999 |

58 | A general framework for subexponential discrete logarithm algorithms
- Enge, Gaudry
Citation Context: ...ve methods in number fields), in counting points on elliptic curves over finite fields (cf. [Sch2] and the references therein) and in applying index-calculus methods to Discrete Logarithm Systems ([Ga] and [EG]). Acknowledgment I would like to thank A. Enge and M. Muller for their help and the many valuable comments they gave. 1.2 Exponential and Discrete Logarithm Systems Let A be a finite subset of N. For ...

54 | Construction de courbes de genre 2 à partir de leur modules. Effective Methods in Algebraic Geometry
- Mestre
- 1991
Citation Context: ...tem of three polynomial equations in 6 variables of degree > 1 over the ring of integers of a number field or 4. much better: Mestre's method intersecting invariant forms (with one of them a conic, cf. [Me]). The implementation of the algorithm is relatively easy, it works efficiently. We give one example computed by Spallek in 1993: As CM field take Q( p 2 p 2). The resulting curve is C : Y 2 = X 5 140X 3 +...

42 | Computing discrete logarithms in real quadratic congruence function fields of large genus
- Muller, Thiel
- 1999
Citation Context: ...effective with increasing g. And indeed Adleman, DeMarrais and Huang ([ADH]) proposed an index-calculus algorithm for hyperelliptic curves with subexponential complexity in g. This was made precise in [MST] and [E] and finally settled by a smoothness result in [ES]: Proposition 2.5. ([E]) For g/log(q) > t the discrete logarithm in the divisor class group of a hyperelliptic curve of genus g defined ove...

40 | A cryptographic application of Weil descent
- Galbraith, Smart
- 1999
Citation Context: ...abelian varieties over F_q which are manageable but not secure. Below we describe in detail an example. Example The Weil descent of elliptic curves with m = 4 was worked out by Galbraith and Smart in [GS]. We take m = 3 and A = E an elliptic curve given by the equation Y^2 = X^3 + AX + B. We are interested in the case that q is odd. We assume that q 1 mod 3. So we can use Kummer theory to describe F_q...

39 | Computing discrete logarithms in high genus hyperelliptic Jacobians in provably subexponential time
- Enge
Citation Context: ...ith increasing g. And indeed Adleman, DeMarrais and Huang ([ADH]) proposed an index-calculus algorithm for hyperelliptic curves with subexponential complexity in g. This was made precise in [MST] and [E] and finally settled by a smoothness result in [ES]: Proposition 2.5. ([E]) For g/log(q) > t the discrete logarithm in the divisor class group of a hyperelliptic curve of genus g defined over F_q ca...

38 | Kurven vom Geschlecht 2 und ihre Anwendung
- Spallek
- 1994
Citation Context: ...lemented as algorithm. In both cases we need an efficient arithmetic in polynomial rings over F_q (and nothing more). Implementations of both variants and data concerning the performance can be found in [Sp] (for g = 2) and in [Kr] in general. It is not surprising that for elliptic curves the formulas are faster than the algorithm, for genus 2 both methods seem to be equivalent, and for higher genus the ...

37 | Calcul du nombre de points sur une courbe elliptique dans un corps fini: aspects algorithmiques. Journal de Théorie des Nombres de
- Morain
- 1995
Citation Context: ...lobal objects in number theory: Orders in number fields, modular curves and corresponding Galois representations! Based on these considerations Schoof's algorithm for elliptic curves E has been refined ([Mo]): Proposition 3.7. (cf. [Mo]) Let be a positive real number. Let E be an elliptic curve over F_q and l a prime which is split in R_E. Then L_E(T) modulo l can be computed with probabilistic compl...

17 | Elliptic curves over and the computation of square roots modulo p
- Schoof
- 1985
Citation Context: ...ion points of order n of A. Since it has integral coefficients (of size depending on q and dim(A) only) it is determined by this action for small n. This is the starting point of Schoof's algorithm (cf. [Sch1]) for computing the number of points of elliptic curves over F_q. It is made effective by another ingredient: It is well known that there is a linear recurrency between the n-division polynomials of e...

11 | A variant of the Adleman–DeMarrais–Huang algorithm and its application to small genera. Laboratoire d’ Informatique Preprint LIX/RR/99/04
- Gaudry
- 1999
Citation Context: ...s (by sieve methods in number fields), in counting points on elliptic curves over finite fields (cf. [Sch2] and the references therein) and in applying index-calculus methods to Discrete Logarithm Systems ([Ga] and [EG]). Acknowledgment I would like to thank A. Enge and M. Muller for their help and the many valuable comments they gave. 1.2 Exponential and Discrete Logarithm Systems Let A be a finite subset o...

7 | Counting points on elliptic curves over
- Schoof
- 1995
Citation Context: ...results in mathematics. We refer to the rather spectacular progress in recent years in factorizing numbers (by sieve methods in number fields), in counting points on elliptic curves over finite fields (cf. [Sch2] and the references therein) and in applying index-calculus methods to Discrete Logarithm Systems ([Ga] and [EG]). Acknowledgment I would like to thank A. Enge and M. Muller for their help and the ma...

6 | Explizite Gleichungen für Jacobische Varietäten hyperelliptischer Kurven
- Kampkotter
- 1991
Citation Context: ...to generalize this idea to arbitrary abelian varieties. One main task is to find a way of computing division polynomials. Kampkotter has done this in the case of Jacobians of hyperelliptic curves (cf. [Ka]) proving that for fixed g the computation of the L-series has polynomial complexity (similar results are due to Pila). But Schoof's algorithm is too slow for practical applications, and the same is tru...

6 | Duality Theorems for Curves over p-adic
- Lichtenbaum
- 1969
Citation Context: ...K s ))[n] ! H 2 (GK ; n ) (where n is the group generated by the n-th roots of unity in K s ) given bys+ nA(K);s>K= (P + nA(K)) [ 1 ( ): For computational reasons it is important that Lichtenbaum [Li] gave a definition ofs>K in the case that A is the Jacobian of a curve C which uses functions and points on C for the computation ofs>K (see 3.3). The group H 2 (GK ; n ) is very important for the ari...

5 | Algorithmus zur Berechnung von Hecke-Operatoren Anwendung auf modulare Kurven, Dissertation Essen
- Basmaji, Em
- 1996
Citation Context: ...a relation: 2 l + T l l + l = 0: So the fast computation of T l is crucial both for the computation of the period matrix and for the local L-series of A. By methods of Basmaji (thesis Essen 1996) [Ba] and M. Muller this can be done for N 10000 and l 10 11 . Example (Weber) Take N = 284. The new part of J 0 (284) has dimension 6 and splits into two simple factors of dimension 3, one of them, A...

5 | bounds on generic algorithms
- Maurer, Wolf, et al.
- 1998
Citation Context: ...available to attack crypto systems which use "just" groups and the resulting DL-problems. For a very interesting discussion of different types of information which can weaken the protocols we refer to [MW]. Of course the worst case is that the discrete logarithm can be computed. Here the amazing fact is that we can do much better than brute force attacks: The Baby-Step-Giant-Step method of Shanks as we...

4 | Anwendung hyperelliptischer Kurven in der Kryptographie
- Krieger
- 1997
Citation Context: ...n both cases we need an efficient arithmetic in polynomial rings over F_q (and nothing more). Implementations of both variants and data concerning the performance can be found in [Sp] (for g = 2) and in [Kr] in general. It is not surprising that for elliptic curves the formulas are faster than the algorithm, for genus 2 both methods seem to be equivalent, and for higher genus the algorithm is the only fe...

4 | Complete systems of addition laws on abelian varieties
- Lange, Ruppert
Citation Context: ...rieties A: The number of coordinate functions and the degree of the addition formulas both grow exponentially with the dimension of the abelian variety (cf. results of Mumford [Mu1] and Lange-Ruppert [LR]) and so we have to use special abelian varieties. The first specialisation is to take A as Jacobian variety J_C of a curve C. The big advantage is that both the coordinates and the addition can use obje...

4 | On the equations defining abelian varieties I
- Mumford
- 1966
Citation Context: ... with general abelian varieties A: The number of coordinate functions and the degree of the addition formulas both grow exponentially with the dimension of the abelian variety (cf. results of Mumford [Mu1] and Lange-Ruppert [LR]) and so we have to use special abelian varieties. The first specialisation is to take A as Jacobian variety J_C of a curve C. The big advantage is that both the coordinates and th...

3 | Exponents of class groups of quadratic fields
- Murty
- 1997
Citation Context: ...istribution of traces of Frobenius elements (Lang-Trotter) and about the distribution of class groups generalizing heuristics of Cohen-Lenstra. Recent interesting work on these topics can be found in [Mur]. We shall present some methods to solve the first item. They all use more or less sophisticated properties of L-series and Frobenius automorphisms. 1.) Constant Field Extensions This approach is the si...

2 | The arithmetic variety of genus two
- Igusa
- 1960
Citation Context: ...mented by A.M. Spallek in her thesis, Essen 1994, and uses 1. class field theory of fields of degree 2 over real quadratic fields (non-Galois over Q), 2. Invariant theory which is explicit and "easy" (cf [Ig]) and 3. either elimination theory to solve a system of three polynomial equations in 6 variables of degree > 1 over the ring of integers of a number field or 4. much better: Mestre's method intersectin...

1 | Constructive and Destructive
- Gaudry, Hess, et al.
- 2000
Citation Context: ...positively or negatively) to the DL-problem if m is large. But for small m or special fields F_q one has to expect a different picture. Here is one such example. It is due to Gaudry, Hess and Smart (cf. [GHS]). Theorem 3.9. Take q = 2^n and m prime to n. Let E be an elliptic curve defined over F_{q^m} and assume that E is not defined over a proper subfield of F_{q^m}. Assume that Z/p can be embedded into E(F_q ...

1 | Selecting Cryptographic Key Sizes, manuscript - Lenstra, Verheul - 1999 |

1 | Weil-Restriktion Abelscher Varietaten, Diplomarbeit Essen
- Naumann
- 1999
Citation Context: ... of restricting scalars (Weil-descent) at least in special cases. Scalar Restriction Here is a short description of this procedure (for a detailed exposition and the strict geometric construction cf. [Na]): Take a field K and a finite separable field extension L/K. Let V be a quasiprojective variety (i.e. V can be embedded into a projective space) defined over L. Then there is a quasi-projective variety W V ...

1 | Brauer Groups of Local and Global Fields and Discrete Logarithms, in preparation
- Nguyen
Citation Context: ...the Frobenius automorphism. In both cases one checks that in order to compute inv(c) we have to compute discrete logarithms in the residue field of L. (Details of these considerations will be found in [Ng]). Hence there is a close connection between the discrete logarithm in this residue field and Br(K)[n] which is especially easy in the following case: Proposition 3.12. Assume that n is a number prime t...

1 | On the Discrete Logarithm in the Divisor - Ruck - 1999 |

1 | Hyperelliptic Simple Factors of J0 (N) with dimension at least 3
- Weber
- 1997
Citation Context: ...need not to be the Jacobian of a curve (Schottky problem) and even if so, the chance of finding a hyperelliptic curve becomes dramatically smaller if the genus increases. In his thesis (Essen 1995) (cf. [We]) Weber used results of Mumford and Poor and succeeded in overcoming the computational difficulties for g 5. He implemented an algorithm which decides whether a given period matrix belongs to a hyperel...