## Construction of secure random curves of genus 2 over prime fields (2004)

### Download Links

- [www.csd.uwo.ca]
- [www.csd.uwo.ca]
- [ftp.csd.uwo.ca]
- DBLP

### Other Repositories/Bibliography

Venue: Advances in Cryptology – EUROCRYPT 2004, volume 3027 of Lecture Notes in Comput. Sci.

Citations: 37 (12 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Gaudry04constructionof,
  author    = {Pierrick Gaudry and Éric Schost},
  title     = {Construction of secure random curves of genus 2 over prime fields},
  booktitle = {Advances in Cryptology – EUROCRYPT 2004, volume 3027 of Lecture Notes in Comput. Sci},
  year      = {2004},
  pages     = {239--256},
  publisher = {Springer-Verlag}
}
```

### Abstract

For counting points of Jacobians of genus 2 curves defined over large prime fields, the best known method is a variant of Schoof’s algorithm. We present several improvements on the algorithms described by Gaudry and Harley in 2000. In particular we rebuild the symmetry that had been broken by the use of Cantor’s division polynomials and design a faster division by 2 and a division by 3. Combined with the algorithm by Matsuo, Chao and Tsujii, our implementation can count the points on a Jacobian of size 164 bits within about one week on a PC.

### Citations

430 | (title not extracted)
- von zur Gathen and (co-author not extracted)
- 1999

Citation context: ...ke the classical assumptions on M (see for instance [32, Definition 8.26]). In the sequel, if no precise reference is given for an algorithm, then it can be found in [32], together with a complexity analysis in terms of M. (Section 3: Computation modulo a small prime $\ell$.) In the classical Schoof algorithm for elliptic curves, a formal $\ell$-torsion point is used: the computations are ...

170 | Elliptic curves over finite fields and the computation of square roots mod p
- Schoof
- 1985

Citation context: ...$s_1 T^3 + s_2 T^2 - p s_1 T + p^2$, where $s_1$ and $s_2$ are integers such that $|s_1| \le 4\sqrt{p}$ and $|s_2| \le 6p$. Furthermore $\#J(C) = \chi(1) = p^2 + 1 - s_1(p + 1) + s_2$. In point-counting algorithms based on Schoof’s idea [27], the torsion elements of $J(C)$ play an important role. If $N$ is a positive integer, the subgroup of $N$-torsion elements of $J(C/\mathbb{F}_p)$ is a finite group denoted by $J(C)[N]$; it is isomorphic to $(\mathbb{Z}/N\mathbb{Z})^4$ and ...

155 | Computing in Jacobian of a Hyperelliptic Curve
- Cantor
- 1987

Citation context: ...ves defined on $K$ and $\mathbb{F}_p$, by denoting them $C/K$ and $C/\mathbb{F}_p$; the Jacobians are correspondingly denoted by $J(C/K)$ and $J(C/\mathbb{F}_p)$. For precise definitions and algorithms for the group law, we refer to [22] and [7, 19]. Let $\overline{\mathbb{F}}_p$ be an algebraic closure of $\mathbb{F}_p$ and let us consider the Frobenius endomorphism on $J(C/\overline{\mathbb{F}}_p)$ denoted by $\pi$. By Weil’s theorem (see [24]), the characteristic polynomial $\chi(T)$ of $\pi$ has the form $\chi(T)$...

126 | Handbook of MAGMA functions
- Bosma, Cannon
- 1994

Citation context: ...Implementation and Experiments. We implemented a whole point-counting algorithm including all the above-mentioned improvements and the MCT algorithm [21], first within the Magma computer algebra system [3]. Then, the critical parts of the computation modulo small primes and the MCT algorithm were implemented in C++ using the NTL library [29]. The communication between different parts of the program is ...

112 | Abelian varieties
- Milne
- 1986

Citation context: ...ons and algorithms for the group law, we refer to [22] and [7, 19]. Let $\overline{\mathbb{F}}_p$ be an algebraic closure of $\mathbb{F}_p$ and let us consider the Frobenius endomorphism on $J(C/\overline{\mathbb{F}}_p)$ denoted by $\pi$. By Weil’s theorem (see [24]), the characteristic polynomial $\chi(T)$ of $\pi$ has the form $\chi(T) = T^4 - s_1 T^3 + s_2 T^2 - p s_1 T + p^2$, where $s_1$ and $s_2$ are integers such that $|s_1| \le 4\sqrt{p}$ and $|s_2| \le 6p$. Furthermore $\#J(C) = \chi(1) = p^2 +$ ...

102 | Fast algorithms for manipulating formal power series
- Brent, Kung
- 1978

Citation context: ...complexity of extracting a square root in $\mathbb{F}_{p^d}$ is $O(C(d)\log(d) + M(d)\log(p))$ operations in $\mathbb{F}_p$, where $C(d)$ denotes the cost of modular composition in degree $d$, so that $C(d) \in O(d^2 + \sqrt{d}\,M(d))$, see [6]. One should note that this whole process only saves a constant factor over the factorization of $M_1$ from scratch; however, it was quite significant in practice. In the worst case, after $k$ lifting step...

71 | NTL: A library for doing number theory. http://www.shoup.net/ntl
- Shoup
- 2003

Citation context: ...algorithm [21], first within the Magma computer algebra system [3]. Then, the critical parts of the computation modulo small primes and the MCT algorithm were implemented in C++ using the NTL library [29]. The communication between different parts of the program is done using files for small communications or named pipes in the case of a heavy interaction. For instance, the analysis of the factorizati...

63 | A new polynomial factorization algorithm and its implementation
- Shoup
- 1995

Citation context: ...terns for the next smallest possible degree and try directly to catch factors of that degree. If there is a large gap between the current degree and the next one, the Baby-step/Giant-step strategy of [30] using modular compositions can yield a significant speed-up compared to the classical powering algorithm. As another application of the factorization patterns, we mention the influence of the choice ...

58 | Counting Points on Hyperelliptic Curves over Finite Fields
- Gaudry, Harley
- 2000

Citation context: ...For large $p$, the best known algorithms are variants of Schoof’s algorithm, theoretical descriptions of which can be found in [26, 18, 1, 16]. In 2000, Gaudry and Harley [11] designed and implemented the first practical genus 2 Schoof algorithm, making use of Cantor’s division polynomials [8]. To reach reasonable sizes, however, it was necessary to combine the Schoof appr...

58 | An Elementary Introduction to Hyperelliptic Curves
- Menezes, Wu, et al.
- 1998

Citation context: ...h the curves defined on $K$ and $\mathbb{F}_p$, by denoting them $C/K$ and $C/\mathbb{F}_p$; the Jacobians are correspondingly denoted by $J(C/K)$ and $J(C/\mathbb{F}_p)$. For precise definitions and algorithms for the group law, we refer to [22] and [7, 19]. Let $\overline{\mathbb{F}}_p$ be an algebraic closure of $\mathbb{F}_p$ and let us consider the Frobenius endomorphism on $J(C/\overline{\mathbb{F}}_p)$ denoted by $\pi$. By Weil’s theorem (see [24]), the characteristic polynomial $\chi(T)$ of $\pi$ has th...

50 | Frobenius maps of abelian varieties and finding roots of unity in finite fields
- Pila
- 1990

Citation context: ...s too large (say, a few thousands [10]). For large $p$, the best known algorithms are variants of Schoof’s algorithm, theoretical descriptions of which can be found in [26, 18, 1, 16]. In 2000, Gaudry and Harley [11] designed and implemented the first practical genus 2 Schoof algorithm, making use of Cantor’s division polynomials [8]. To reach reasonable sizes, however, it was nec...

49 | Formulae for Arithmetic on Genus 2 Hyperelliptic Curves, September 2003. http://www.ruhr-uni-bochum.de/itsc/ tanja/preprints/expl sub.pdf
- Lange

Citation context: ...rmore the size of the base field in which the computations take place is half as large. During the last years, efforts in improving the group law algorithms made these cryptosystems quite competitive [19, 25]. To ensure the security of the system, it is required to have a group of large prime order. Until recently, for the Jacobian of a genus 2 curve, only specific constructions provided curves with known...

41 | Hyperelliptic Curve Cryptosystems: Closing the Performance Gap to Elliptic Curves
- Pelzl, Wollinger, et al.

Citation context: ...rmore the size of the base field in which the computations take place is half as large. During the last years, efforts in improving the group law algorithms made these cryptosystems quite competitive [19, 25]. To ensure the security of the system, it is required to have a group of large prime order. Until recently, for the Jacobian of a genus 2 curve, only specific constructions provided curves with known...

30 | Constructing hyperelliptic curves of genus 2 suitable for cryptography
- Weng

Citation context: ...a group of large prime order. Until recently, for the Jacobian of a genus 2 curve, only specific constructions provided curves with known Jacobian order, namely the complex multiplication (CM) method [34] and the Koblitz curves. These curves have a very special structure; although nobody knows if they are weaker than general curves, it is pertinent to consider random curves as well. This raises the pr...

28 | Evaluating polynomials at fixed sets of points
- Aho, Steiglitz, et al.
- 1975

Citation context: ...e: If $h$ is a polynomial of degree $N$ in $\mathbb{F}_p[X]$ and $a$ is a scalar in $\mathbb{F}_p$, then the coefficients of $h(X + a)$ can be deduced from the coefficients of $h(X)$ for one polynomial multiplication in degree $N$, see [2]. We call this primitive var-shift. The main idea is now to rewrite the relation $X^2 + u_1 X + U_0 = 0$ in the form $(X + u_1/2)^2 = u_1^2/4 - U_0$. Let $Y = X + u_1/2$, and $k$ in $\mathbb{F}_p[X]$ such that $h(X) = k(Y)$. We...

28 | On the analogue of the division polynomials for hyperelliptic curves
- Cantor
- 1994

Citation context: ...scriptions of which can be found in [26, 18, 1, 16]. In 2000, Gaudry and Harley [11] designed and implemented the first practical genus 2 Schoof algorithm, making use of Cantor’s division polynomials [8]. To reach reasonable sizes, however, it was necessary to combine the Schoof approach with a Pollard lambda method. Their record was a random genus 2 curve over a prime field of size about $10^{19}$, thu...

24 | Complexity results for triangular sets
- Schost
- 2003

Citation context: ...esp. $v_1$). Systems like $F_{\mathrm{gen}}$ that involve free variables are difficult to handle. A direct application of a Gröbner basis algorithm over $\mathbb{F}_p(u_1, u_0)$ fails by lack of memory, so we used the algorithm of [28], dedicated to such situations, to compute $T$. Once $T$ is known, it can be specialized on the coordinates of the divisor $D_k$, realizing its division by 2. The solution presented in [11] followed the sam...

21 | Linear recurrences with polynomial coefficients and computation of the Cartier-Manin operator on hyperelliptic curves
- Bostan, Gaudry, et al.
- 2004

Citation context: ...or “medium characteristic”, they also proposed to use the Cartier-Manin operator to get additional information that can be combined with others. Therefore, for medium characteristic $p$ (say $10^9$, see [5]), point counting is easier than for very large $p$. We mentioned that in the non-small characteristic case, once the group order has been computed modulo some large integer, the computation is finished...

20 | Fast polynomial factorization over high algebraic extensions of finite fields
- Kaltofen, Shoup
- 1997

Citation context: ...uppose that $q = p^d$; then all polynomials $T_3, T_2, T_1, T_U$ can be computed in $O(M(d))$ operations in $\mathbb{F}_p$. For square-root extraction, we used a factorization algorithm quite similar to those of [33] and [17]. Using such algorithms, the expected complexity of extracting a square root in $\mathbb{F}_{p^d}$ is $O(C(d)\log(d) + M(d)\log(p))$ operations in $\mathbb{F}_p$, where $C(d)$ denotes the cost of modular composition in degree $d$, ...

17 | A quasi quadratic time algorithm for hyperelliptic curve point counting. Available online at http://www.medicis.polytechnique.fr/~lercier/preprints/riemann.pdf
- Lercier, Lubicz

Citation context: ...easy” means fast and does not mean that the theoretical tools are simple). In the case of genus 2 curves in small characteristic $p$, the point counting problem was recently solved using $p$-adic methods [31, 23, 20]. The particular case where $p = 2$ is in fact treated almost as quickly as in genus 1. Unfortunately, these dramatic improvements do not apply when $p$ becomes too large (say, a few thousands [10])...

17 | An improved baby step giant step algorithm for point counting of hyperelliptic curves over finite fields
- Matsuo, Chao, et al.
- 2002

Citation context: ...on-small characteristic case, once the group order has been computed modulo some large integer, the computation is finished using a Pollard lambda method. For this last phase, Matsuo, Chao and Tsujii [21] proposed a Baby-step/Giant-step algorithm that speeds up this phase. With this device and using the Cartier-Manin trick, they performed a point counting computation of cryptographical size for a medi...

15 | Counting points in medium characteristic using Kedlaya’s algorithm
- Gaudry, Gürel

Citation context: ...31, 23, 20]. The particular case where $p = 2$ is in fact treated almost as quickly as in genus 1. Unfortunately, these dramatic improvements do not apply when $p$ becomes too large (say, a few thousands [10]). For large $p$, the best known algorithms are variants of Schoof’s algorithm, theoretical descriptions of which can be found in [26, 18, 1, 16]. In 2000, Gaudry and H...

13 | Counting points on curves over finite fields
- Huang, Ierardi
- 1998

Citation context: ...s too large (say, a few thousands [10]). For large $p$, the best known algorithms are variants of Schoof’s algorithm, theoretical descriptions of which can be found in [26, 18, 1, 16]. In 2000, Gaudry and Harley [11] designed and implemented the first practical genus 2 Schoof algorithm, making use of Cantor’s division polynomials [8]. To reach reasonable sizes, however, it was nec...

12 | Counting points on curves and Abelian varieties over finite fields
- Adleman, Huang
- 2001

Citation context: ...s too large (say, a few thousands [10]). For large $p$, the best known algorithms are variants of Schoof’s algorithm, theoretical descriptions of which can be found in [26, 18, 1, 16]. In 2000, Gaudry and Harley [11] designed and implemented the first practical genus 2 Schoof algorithm, making use of Cantor’s division polynomials [8]. To reach reasonable sizes, however, it was nec...

11 | Modular equations for hyperelliptic curves
- Gaudry, Schost

Citation context: ...e at most $(\ell^2 + 1)/2$, compared to possibly $O(\ell^4)$ in the general case. We do not give details on the determination of the possible patterns for lack of space. The idea is similar to the one used in [12] for modular equations. (Section 3.5: Complexity.) We start by evaluating the cost in $\mathbb{F}_p$-operations of one iteration of Step 1 in Algorithm 2. Using Algorithm 3, the cost of computing $A_0(d_0)$, $A_1(d_0)$, $A_0(d_1)$, $A_1(d$...

9 | Diophantine Geometry: an Introduction, volume 201 of Graduate Texts in Mathematics
- Hindry, Silverman
- 2000

9 | Computing Zeta Functions of Hyperelliptic Curves over Finite Fields of Characteristic 2
- Vercauteren
- 2002

Citation context: ...easy” means fast and does not mean that the theoretical tools are simple). In the case of genus 2 curves in small characteristic $p$, the point counting problem was recently solved using $p$-adic methods [31, 23, 20]. The particular case where $p = 2$ is in fact treated almost as quickly as in genus 1. Unfortunately, these dramatic improvements do not apply when $p$ becomes too large (say, a few thousands [10])...

8 | Fast computation with two algebraic numbers. Research Report 4579, Institut National de Recherche en Informatique et en Automatique
- Bostan, Flajolet, et al.
- 2002

Citation context: ...is a parasite, as generically it does not lead to any $\ell$-torsion divisor. Then $\rho$ divides $R_1$ but not $R_1$, so we lose nothing in eliminating it from $R_1$. The polynomial $\rho$ is computed using an algorithm of [4] dedicated to such questions. Then Step 2 in Algorithm 2 is replaced by the interpolation of $R_1/\rho$ from the pairs $(u_1, R_1(u_1)/\rho(u_1))$. The degree of $\rho$ is $4\ell^4 - 12\ell$...

5 | Explizite Gleichungen für Jacobische Varietäten hyperelliptischer Kurven
- Kampkotter
- 1991

4 | Solvability by radicals from an algorithmic point of view
- Hanrot, Morain
- 2001

Citation context: ...putations presented below, $\mathbb{F}_q$ had degree up to 1280 on its prime field. We now show how to simplify this factorization, using the natural action of the 2-torsion group $J(C)[2]$ on $V_k$, in the spirit of [14]. Let us see $U_1$ as a coordinate function on the set of weight 2 divisors (the choice of $U_1$ is arbitrary, but makes the computation easier). To any subgroup $G$ of $J(C)[2]$, we associate the averaging ope...

3 | Utilisation de l’AGM pour le calcul de $E(\mathbb{F}_{2^n})$. Lettre adressée à Gaudry et Harley, Décembre 2000
- Mestre

Citation context: ...easy” means fast and does not mean that the theoretical tools are simple). In the case of genus 2 curves in small characteristic $p$, the point counting problem was recently solved using $p$-adic methods [31, 23, 20]. The particular case where $p = 2$ is in fact treated almost as quickly as in genus 1. Unfortunately, these dramatic improvements do not apply when $p$ becomes too large (say, a few thousands [10])...

1 | NTLJac2, Tools for genus 2
- Gaudry

Citation context: ..., with interactions between Magma and NTL interacting led us to add this simplification that made our code more reliable. Our NTL implementation of the Schoof-like part has been made freely available [9]. The Magma implementation of the division algorithms is not stable enough to be exported in the present state. (Section 6: Conclusion and Perspectives.) In this paper, we have detailed algorithms used to compute...

1 | A low-memory parallel version of Matsuo, Chao and Tsujii’s algorithm
- Gaudry, Schost

Citation context: ...r lifting the 3-torsion are still quite crude, as we would like it to be as efficient as that of 2-torsion. We have designed a birthday paradox version of the MCT algorithm, to be described elsewhere [13], that loses a constant factor in runtime but is highly parallelisable and requires almost no memory. In future work, we also plan to use it on top of our torsion computation algorithms. Acknowledgmen...