## Arithmetic On Superelliptic Curves (2000)

Venue: Math. Comp

Citations: 37 - 4 self

### BibTeX

@ARTICLE{Galbraith00arithmeticon,

author = {S. D. Galbraith and S.M. Paulus and N. P. Smart},

title = {Arithmetic On Superelliptic Curves},

journal = {Math. Comp},

year = {2000},

volume = {71},

pages = {393--405}

}

### Abstract

This paper is concerned with algorithms for computing in the divisor class group of a nonsingular plane curve of the form y^n = c(x) which has only one point at infinity. Divisors are represented as ideals and an ideal reduction algorithm based on lattice reduction is given. We obtain a unique representative for each divisor class and the algorithms for addition and reduction of divisors run in polynomial time. An algorithm is also given for solving the discrete logarithm problem when the curve is defined over a finite field.

### Citations

911 |
A course in computational algebraic number theory, volume 138 of Graduate Texts in Mathematics
- Cohen
- 1993
Citation Context ...volving these ideals. 3. Arithmetic on ideals 3.1. Representation of ideals. It is necessary to have a good representation for the ideals under consideration. Following the number field case (see Cohen [6] Section 4.7) we will represent integral O-ideals as k[x]-modules in Hermite Normal Form (HNF). The details follow immediately from [6] so we merely state the final result. Proposition 4. Every integral...

336 |
Algebraic function fields and codes
- Stichtenoth
- 1993
Citation Context ... Let l(x) be some irreducible factor of c(x). The minimal polynomial of y is y^n − c(x) and this is an Eisenstein polynomial at l(x). We now appeal to [11] Theorem 24 (also see Stichtenoth [22] III.5.12) which implies that l(x) is totally ramified in K/k(x) and that, locally at l(x), the index of k[x, y] in O is 1. 4. The Divisor Class Group as an Ideal Class Group Let C/k be a curve satisf...

212 |
Algebraic curves
- Walker
- 1962
Citation Context ...there exist n distinct elements 1 ; : : : ; n 2 K := kn hx 1=n i such that n i = c(x). The n distinct choices y 7! i induce n distinct homomorphismssi from k(C) to K . For the proof see Walker [23] or Theorem 9 of [17]. The elements i differ from each other only by powers of n . The embeddings of elements of k(C) into K give rise to an embedding of ideals in the following way. Let a be an O-...

201 |
A subexponential algorithm for discrete logarithms over all finite fields
- Adleman, DeMarrais
- 1993
Citation Context ... due to A. Lenstra can be used as an ingredient for our ideal reduction method. In Section 5 we restrict to the case where k is a finite field and we modify the algorithm of Adleman, De Marrais and Huang [1] to obtain a heuristic method for solving the discrete logarithm problem in the divisor class group of a superelliptic curve in expected subexponential time. 2. Divisor class groups of superelliptic c...

189 |
A remark concerning m-divisibility and the discrete logarithm problem in the divisor class group of curves
- Frey, Rück
- 1994
Citation Context ...lar. For cryptographic purposes, supersingular abelian varieties must be avoided, as their discrete logarithms may be reduced to those in a finite field using the Tate pairing attack of Frey and Rück [10]. We now consider the function field K = k(C) as a degree n extension of k(x). The condition imposed earlier that (n, char k) = 1 ensures that this algebraic extension of fields is separable. The discr...

155 |
Computing in Jacobian of a Hyperelliptic Curve
- Cantor
- 1987
Citation Context ...ore efficient algorithms may be obtained if one restricts to a less general class of curves. The case of hyperelliptic curves (i.e., quadratic function fields) has been handled very successfully by Cantor [4] and Scheidler, Stein and Williams [18] (also see Paulus and Rück [16]). Some algorithms for cubic function fields have been given by Scheidler and Stein [19] and [20]. A specific case of genus three cu...

154 |
Factoring polynomials over large finite fields
- Berlekamp
- 1971
Citation Context ...(x) and b(x) are random polynomials of degree less than or equal to S_2. Since factoring polynomials over finite fields (and hence factoring N OE ) can be accomplished in random polynomial time, see [3] and the discussion in [2], this is no theoretical barrier to our method. We will need to produce a little over #F such relations. However once this has been accomplished the discrete logarithm proble...

82 |
Algebraic Curves
- Fulton
- 1989
Citation Context ...a degree zero divisor in Div^0_k(C). Then there is an effective divisor E over k of degree g such that D is equivalent to E − gP_∞. Proof. By the Riemann-Roch theorem (see, for instance, Fulton [12]) l(D + gP_∞) = l(−D − gP_∞) + deg(D + gP_∞) + 1 − g ≥ 1. This means there is a function f ∈ k(C) such that (f) ≥ −D − gP_∞. Define E := (f) + D + gP_∞ ≥ 0. Then E is effective and...

81 |
Algebraische Zahlentheorie
- Neukirch
- 1992
Citation Context ...(Cohen [6] Section 4.8.4). Precompute an n n matrix T = (Tr k(C)=k(x) (y i+j )) n 1 i;j=0 . Also precompute the different which is known in this case to be the principal ideal (y n 1 ) (see Neukirch [13] Satz III.2.4). Given an ideal a, represented as a matrix A in HNF, compute the matrix (A t T ) 1 as a matrix in k(x) (i.e., the entries will be ratios of polynomials in k[x]). The columns can be take...

36 | Computing discrete logarithms in real quadratic congruence function fields of large genus
- Müller, Stein, et al.
Citation Context ...y of prime divisors with these properties. It is important that the factor base generate the full divisor class group so we need the following modified version of Theorem 2 of Müller, Stein and Thiel [14]. Theorem 14. Let C be any curve over F_q. Define next_prime(x) to be the smallest prime p x. The divisor class group of C is generated by the set of prime divisors of residue class degree one whose...

35 |
Algorithmic Number Theory, Volume 1: Efficient Algorithms
- Bach, Shallit
- 1996
Citation Context ...lynomials of degree less than or equal to S_2. Since factoring polynomials over finite fields (and hence factoring N OE ) can be accomplished in random polynomial time, see [3] and the discussion in [2], this is no theoretical barrier to our method. We will need to produce a little over #F such relations. However once this has been accomplished the discrete logarithm problem can be solved using stan...

28 |
Efficient algorithms for the Riemann-Roch problem and for addition in the Jacobian of a curve
- Huang, Ierardi
- 1994
Citation Context ...te field. 1. Introduction There is great interest in algorithms for computing in the divisor class group of an algebraic curve. Algorithms for general curves have been given by Coates [5], Huang-Ierardi [10] and Volcheck [22] but they tend not to be very suitable for practical implementation. More efficient algorithms may be obtained if one restricts to a less general class of curves. The case of hyperellip...

28 | Key-exchange in real quadratic congruence function fields
- Scheidler, Stein, et al.
- 1996
Citation Context ...if one restricts to a less general class of curves. The case of hyperelliptic curves (i.e., quadratic function fields) has been handled very successfully by Cantor [4] and Scheidler, Stein and Williams [18] (also see Paulus and Rück [16]). Some algorithms for cubic function fields have been given by Scheidler and Stein [19] and [20]. A specific case of genus three cubic extensions has been given by Barrei...

23 |
Computing in the Jacobian of a plane algebraic curve
- Volcheck
Citation Context ...ction There is great interest in algorithms for computing in the divisor class group of an algebraic curve. Algorithms for general curves have been given by Coates [5], Huang-Ierardi [10] and Volcheck [22] but they tend not to be very suitable for practical implementation. More efficient algorithms may be obtained if one restricts to a less general class of curves. The case of hyperelliptic curves (i.e., ...

20 |
An analogue to Minkowski’s Geometry of numbers in a field of series
- Mahler
Citation Context ...gs of the number field into C and then perform lattice reduction using the usual absolute value as a notion of size. The function field analogue of Minkowski's geometry of numbers was developed by Mahler [12]. In our case we use the fact that k(C) may be embedded in a certain field of Puiseux series. We also use the fact that Puiseux series are equipped with a norm which arises from the natural extension of...

19 |
Rigorous discrete logarithm computations in finite fields via smooth polynomials
- Bender, Pomerance
- 1998
Citation Context ...h have all their irreducible factors of degree less than or equal to s. The complexity will depend heavily on the following result of Lovorn-Bender and Pomerance [14] Theorem 18 (Lovorn-Bender and Pomerance). Let u = r/s and assume that 1 ≤ s ≤ r. Then, uniformly for all prime powers such that q ≥ (r log^2 r)^{1/s}, we have N_q(r, s) = q^r / u^{(1+o(1))u} as s → ∞ and u → ∞....

18 |
Construction of rational functions on a curve
- Coates
- 1970
Citation Context ...s defined over a finite field. 1. Introduction There is great interest in algorithms for computing in the divisor class group of an algebraic curve. Algorithms for general curves have been given by Coates [5], Huang-Ierardi [10] and Volcheck [22] but they tend not to be very suitable for practical implementation. More efficient algorithms may be obtained if one restricts to a less general class of curves. The...

16 | Ideal arithmetic and infrastructure in purely cubic function fields
- Scheidler
Citation Context ...andled very successfully by Cantor [4] and Scheidler, Stein and Williams [18] (also see Paulus and Rück [16]). Some algorithms for cubic function fields have been given by Scheidler and Stein [19] and [20]. A specific case of genus three cubic extensions has been given by Barreiro, Cherdieu and Sarlabous [3] using geometric methods. An algorithm for general plane curves has also been recently given by H...

15 |
Algebraic Number Theory, Cambridge studies in advanced mathematics 27
- Fröhlich, Taylor
- 1991
Citation Context ...= k(C) is k[x, y]. Proof. Write O for the integral closure of k[x] in K. The element y is integral over k(x) and so the O must contain k[x, y] with finite index (see, for instance, Fröhlich and Taylor [11] I.2.2). The only primes which can effect this index are ones arising from square factors of the discriminant of K/k(x) (in other words, powers of primes dividing c(x))....

14 | Voronoi’s algorithm in purely cubic congruence function fields of unit rank 1
- Scheidler, Stein
Citation Context ...as been handled very successfully by Cantor [4] and Scheidler, Stein and Williams [18] (also see Paulus and Rück [16]). Some algorithms for cubic function fields have been given by Scheidler and Stein [19] and [20]. A specific case of genus three cubic extensions has been given by Barreiro, Cherdieu and Sarlabous [3] using geometric methods. An algorithm for general plane curves has also been recently g...

13 |
An algorithm of sub-exponential type computing the class group of quadratic orders over principal ideal domains
- Paulus
Citation Context ...gorithm In this section we shall describe a method (based on that of Adleman-DeMarrais-Huang [1]) for solving discrete logarithms on Pic^0_k(C). A variant of the Hafner-McCurley method as described in [17] could also be applied to solve this problem. This would involve composing random multiples of divisors, reducing them and then factoring them over the given factor base. The Hafner-McCurley method is...

11 |
Real and imaginary quadratic representations of hyperelliptic function fields
- Paulus, Rück
Citation Context ...al class of curves. The case of hyperelliptic curves (i.e., quadratic function fields) has been handled very successfully by Cantor [4] and Scheidler, Stein and Williams [18] (also see Paulus and Rück [16]). Some algorithms for cubic function fields have been given by Scheidler and Stein [19] and [20]. A specific case of genus three cubic extensions has been given by Barreiro, Cherdieu and Sarlabous [3] u...

7 |
Zur Divisorenklassengruppenberechnung in globalen Funktionenkörpern
- Hess
- 1999
Citation Context ...specific case of genus three cubic extensions has been given by Barreiro, Cherdieu and Sarlabous [3] using geometric methods. An algorithm for general plane curves has also been recently given by Hess [9]. A method, using Groebner bases, for plane curves with a single rational point at infinity has been given by Arita [2]. This paper will give an algorithm for computing with the following class of curv...

6 | Sieving in function fields
- Flassenberg, Paulus
- 1999
Citation Context ... The method we propose will produce sparse matrices. 2. In function fields of degree greater than two it appears unlikely that an efficient sieving technique like that applied in degree two fields in [9] can be found. The method below does allow efficient sieving strategies to be employed. 3. The factor base for the Hafner-McCurley style method is the set of all prime ideals of norm less than some bo...

6 | Lattice basis reduction in function fields
- Paulus
Citation Context ...required for the lattice reduction (the word "norm" would be more appropriate, but also more confusing). Furthermore, we modify the lattice basis reduction algorithm and corresponding invariants from [18] in such a way that they work with the new metric. In this way, we can compute an element of an ideal whose norm is of smallest degree. All these computations are exact and do not need any computation ...

5 | On integral basis reduction in global function fields
- Pohst, Schörnig
Citation Context ...t elements 1 ; : : : ; n 2 K := kn hx 1=n i such that n i = c(x). The n distinct choices y 7! i induce n distinct homomorphismssi from k(C) to K . For the proof see Walker [23] or Theorem 9 of [17]. The elements i differ from each other only by powers of n . The embeddings of elements of k(C) into K give rise to an embedding of ideals in the following way. Let a be an O-ideal and consider th...

5 |
Algebraic function and codes
- Stichtenoth
- 1991
Citation Context ... a superelliptic curve in expected subexponential time. 2. Divisor class groups of superelliptic curves Details of algebraic curves, their function fields, and divisor class groups can be found in [8], [21]. In particular we use the notation Div^0_k(C) for the set of degree zero divisors on the curve C which are defined over k, and the notation Pic^0_k(C) for the divisor class group Div^0_k(C) modulo ...

4 |
Sieving in function
- Flassenberg, Paulus
- 1999
Citation Context ... full set of relations amongst elements of F . This is done by attempting to decompose random functions as in [1]. This step can be speeded up by using a sieving operation like the one described in [7]. Once enough relations have been found then sparse linear algebra modulo L is performed to obtain the solution to the discrete logarithm problem. It is clear that, if it terminates, the algorithm wil...

4 |
Factoring multivariate polynomials over
- Lenstra
- 1985
Citation Context ...g the shortest vector in the lattices(a) K n with respect to the norm on K n . The shortest vector can be efficiently found using a modified version of the lattice reduction algorithm due to A. Lenstra [11] (also see [15]). We note that in this case it is known that the lattice reduction algorithm always yields a minimum of the lattice (unlike in the number field case where it can only be proven that a ra...

3 |
Efficient reduction on the jacobian variety of Picard curves. Coding Theory, Cryptography and Related Areas
- Barreiro, Sarlabous, et al.
- 2000
Citation Context ... [16]). Some algorithms for cubic function fields have been given by Scheidler and Stein [19] and [20]. A specific case of genus three cubic extensions has been given by Barreiro, Cherdieu and Sarlabous [3] using geometric methods. An algorithm for general plane curves has also been recently given by Hess [9]. A method, using Groebner bases, for plane curves with a single rational point at infinity has b...

2 | Algorithms for computations in Jacobian group of C_{a,b} curve and their application to discrete-log-based public key cryptosystems. In The mathematics of public key cryptography
- Arita
- 1999

2 |
On integral basis reduction in global function fields
- Pohst, Schörnig
- 1996
Citation Context ...x expansion fields. In this paper, we limit ourselves to the situation of a curve with a totally ramified prime at infinity. The more general theory goes back to Mahler [15]; we adopt the notation of [20]. Let l 2 N. We call khx 1=l i := ( m X i=\Gamma1 i i x i=l j i i 2 k; i m 6= 0 ) the field of Puiseux series in x 1=l over k. A slightly non-standard valuation deg on khx 1=l i is given by deg / m X ...

1 |
Lattice basis reduction in function
- Paulus
- 1998
Citation Context ...vector in the lattices(a) K n with respect to the norm on K n . The shortest vector can be efficiently found using a modified version of the lattice reduction algorithm due to A. Lenstra [11] (also see [15]). We note that in this case it is known that the lattice reduction algorithm always yields a minimum of the lattice (unlike in the number field case where it can only be proven that a rather small vect...

1 |
A one-way function based on ideal arithmetic in number fields
- Buchmann, Paulus
- 1997
Citation Context ...e problem of reduction of divisors comes down to the problem of reduction of ideals. We will solve this problem by using similar ideas to those developed for number field arithmetic (see Cohen [8] or [4]). Unlike the number field situation, we can prove that our algorithm always computes the "smallest" reduced ideal (with respect to the degree of the norm). The strategy is as follows: Assume that we ...

1 |
Computing the HNF of sparse integer matrices
- Buchmann, Squirrel, et al.
- 1998
Citation Context ...rix techniques. Given that our matrices will be sparse we can even apply sparse matrix techniques. Since this step is common to all index calculus methods we shall not explain it further here but see [5]. 9.3. The Overall Complexity. We let N_q(r, s) denote the number of monic polynomials of degree less than or equal to r over F_q which have all their irreducible...

1 |
Experiments using an analogue of the Number Field Sieve algorithm to solve the discrete logarithm problem in the Jacobians of hyperelliptic curves. HP-Labs
- Smart
- 1997
Citation Context ... its irreducible factors having degree less than S_1, we can store the relation and continue. This last step can be speeded up using techniques from factoring algorithms such as lattice sieving, see [21] for details in the context of the current paper. Lattice sieving will allow us to hopefully force any rogue factor base element into a relation and hence using lattice sieving increases the chances o...