Results 1  10
of
16
Hyperelliptic Curve Cryptosystems: Closing the Performance Gap to Elliptic Curves
 Workshop on Cryptographic Hardware and Embedded Systems — CHES 2003
, 2003
"... For most of the time since they were proposed, it was widely believed that hyperelliptic curve cryptosystems (HECC) carry a substantial performance penalty compared to elliptic curve cryptosystems (ECC) and are, thus, not too attractive for practical applications. Only quite recently improvements ha ..."
Abstract

Cited by 44 (12 self)
 Add to MetaCart
(Show Context)
For most of the time since they were proposed, it was widely believed that hyperelliptic curve cryptosystems (HECC) carry a substantial performance penalty compared to elliptic curve cryptosystems (ECC) and are, thus, not too attractive for practical applications. Only quite recently improvements have been made, mainly restricted to curves of genus 2. The work at hand advances the stateoftheart considerably in several aspects. First, we generalize and improve the closed formulae for the group operation of genus 3 for HEC defined over fields of characteristic two. For certain curves we achieve over 50% complexity improvement compared to the best previously published results. Second, we introduce a new complexity metric for ECC and HECC defined over characteristic two fields which allow performance comparisons of practical relevance. It can be shown that the HECC performance is in the range of the performance of an ECC; for specific parameters HECC can even possess a lower complexity than an ECC at the same security level. Third, we describe the first implementation of a HEC cryptosystem on an embedded (ARM7) processor. Since HEC are particularly attractive for constrained environments, such a case study should be of relevance.
Low Cost Security: Explicit Formulae for Genus 4 Hyperelliptic Curves
, 2003
"... It is widely believed that genus four hyperelliptic curve cryptosystems (HECC) are not attractive for practical applications because of their complexity compared to systems based on lower genera, especially elliptic curves. Our contribution shows that for low cost security applications genus4 hyper ..."
Abstract

Cited by 26 (11 self)
 Add to MetaCart
It is widely believed that genus four hyperelliptic curve cryptosystems (HECC) are not attractive for practical applications because of their complexity compared to systems based on lower genera, especially elliptic curves. Our contribution shows that for low cost security applications genus4 hyperelliptic curves (HEC) can outperform genus2 HEC and that we can achieve a performance similar to genus3 HEC. Furthermore our implementation results show that a genus4 HECC is an alternative cryptosystem to systems based on elliptic curves. In the work at hand...
Fast arithmetic on Jacobians of Picard curves
 PUBLIC KEY CRYPTOGRAPHY  PKC 2004, VOLUME 2947 OF LNCS
, 2004
"... In this paper we present a fast addition algorithm in the Jacobian of a Picard curve over a finite field Fq of characteristic different from 3. This algorithm has a nice geometric interpretation, comparable to the classic "chord and tangent" law for the elliptic curves. Computational cost ..."
Abstract

Cited by 13 (3 self)
 Add to MetaCart
(Show Context)
In this paper we present a fast addition algorithm in the Jacobian of a Picard curve over a finite field Fq of characteristic different from 3. This algorithm has a nice geometric interpretation, comparable to the classic "chord and tangent" law for the elliptic curves. Computational cost for addition is 144M + 12SQ + 2I and 158M + 16SQ + 2I for doubling.
High Performance Arithmetic for Hyperelliptic Curve Cryptosystems of Genus Two
, 2003
"... Nowadays, there exists a manifold variety of cryptographic applications: from low level embedded crypto implementations up to high end cryptographic engines for servers. The latter require a exible implementation of a variety of cryptographic primitives in order to be capable of communicating wi ..."
Abstract

Cited by 13 (6 self)
 Add to MetaCart
Nowadays, there exists a manifold variety of cryptographic applications: from low level embedded crypto implementations up to high end cryptographic engines for servers. The latter require a exible implementation of a variety of cryptographic primitives in order to be capable of communicating with several clients. On the other hand, on the client it only requires an implementation of one speci c algorithm with xed parameters such as a xed eld size or xed curve parameters if using ECC/ HECC. In particular for embedded environments like PDAs or mobile communication devices, xing these parameters can be crucial regarding speed and power consumption. In this contribution, we propose a highly ecient algorithm for a hyperelliptic curve cryptosystem of genus two, well suited for these constraint devices.
Elliptic & hyperelliptic curves on embedded µp
 ACM Transactions in Embedded Computing Systems (TECS), 2003. Special Issue on Embedded Systems and Security
"... To appear in the special issue on Embedded Systems and Security of the ..."
Abstract

Cited by 11 (4 self)
 Add to MetaCart
(Show Context)
To appear in the special issue on Embedded Systems and Security of the
Rethinking low genus hyperelliptic jacobian arithmetic over binary fields: Interplay of field arithmetic and explicit formulae
"... Abstract. In this paper, we present several improvements on the best known explicit formulæ for hyperelliptic curves of genus three and four in characteristic two, including the issue of reducing memory requirements. To show the effectiveness of these improvements and to allow a fair comparison of t ..."
Abstract

Cited by 11 (4 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper, we present several improvements on the best known explicit formulæ for hyperelliptic curves of genus three and four in characteristic two, including the issue of reducing memory requirements. To show the effectiveness of these improvements and to allow a fair comparison of the curves of different genera, we implement all formulæ using a highly optimized software library for arithmetic in binary fields. This library was designed to minimize the impact of a whole series of overheads which have a larger significance as the genus of the curves increases. The current state of the art in attacks against the discrete logarithm problem is taken into account for the choice of the field and group sizes. Performance tests are done on two personal computers with very different architectures. Our results can be shortly summarized as follows: Curves of genus three provide performance similar, or better, to that of curves of genus two, and these two types of curves can perform faster than elliptic curves – indeed on some processors often twice as fast. Curves of genus four attain a performance level comparable to elliptic curves. A large choice of curves is therefore available for the deployment of curvebased cryptography, with curves of genus three and four providing their own advantages as larger cofactors can be allowed for the group order.
Novel efficient implementations of hyperelliptic curve cryptosystems using degenerate divisors
 In Information Security Applications – WISA’2004
, 2005
"... Abstract. It has recently been reported that the performance of hyperelliptic curve cryptosystems (HECC) is competitive to that of elliptic curve cryptosystems (ECC). However, it is expected that HECC still can be improved due to their mathematically rich structure. We consider here the application ..."
Abstract

Cited by 8 (1 self)
 Add to MetaCart
Abstract. It has recently been reported that the performance of hyperelliptic curve cryptosystems (HECC) is competitive to that of elliptic curve cryptosystems (ECC). However, it is expected that HECC still can be improved due to their mathematically rich structure. We consider here the application of degenerate divisors of HECC to scalar multiplication. We investigate the operations of the degenerate divisors in the Harley algorithm and the Cantor algorithm of genus 2. The timings of these operations are reported. We then present a novel efficient scalar multiplication method using the degenerate divisors. This method is applicable to cryptosystems with fixed base point, e.g., ElGamaltype encryption, sender of DiffieHellman, and DSA. Using a Xeon processor, we found that the doubleandaddalways method using the degenerate base point can achieve about a 20 % increase in speed for a 160bit HECC. However, we mounted an timing attack using the time difference to designate the degenerate divisors. The attack assumes that the secret key is fixed and the base point can be freely chosen by the attacker. Therefore, the attack is applicable to ElGamaltype decryption and singlepass DiffieHellman — SSL using a hyperelliptic curve could be vulnerable to the proposed attack. Our experimental results show that one bit of the secret key for a 160bit HECC can be recovered by calling the decryption oracle 500 times.
Fast addition on nonhyperelliptic genus 3 curves
"... We present a fast addition algorithm in the Jacobian of a genus 3 nonhyperelliptic curve over a field k of any characteristic. When the curve has a rational flex and k is a finite field of characteristic greater than 5, the computational cost for addition is 163M+2I and 185M+2I for doubling. We stud ..."
Abstract

Cited by 8 (2 self)
 Add to MetaCart
(Show Context)
We present a fast addition algorithm in the Jacobian of a genus 3 nonhyperelliptic curve over a field k of any characteristic. When the curve has a rational flex and k is a finite field of characteristic greater than 5, the computational cost for addition is 163M+2I and 185M+2I for doubling. We study also the rationality of intersection points of a line with a quartic and give geometric characterizations of C3,4 curves and Picard curves. To conclude, an appendix gives a formula to compute flexes in all characteristics.
High Performance Arithmetic for Special Hyperelliptic Curve Cryptosystems of Genus Two
 In International Conference on Information Technology: Coding and Computing  ITCC 2004. IEEE Computer Society
, 2004
"... Regarding the overall speed and power consumption, cryptographic applications in embedded environments like PDAs or mobile communication devices can benefit from specially designed cryptosystems with fixed parameters. In this contribution, we propose a highly efficient algorithm for a hyperelliptic ..."
Abstract

Cited by 7 (4 self)
 Add to MetaCart
Regarding the overall speed and power consumption, cryptographic applications in embedded environments like PDAs or mobile communication devices can benefit from specially designed cryptosystems with fixed parameters. In this contribution, we propose a highly efficient algorithm for a hyperelliptic curve cryptosystem (HECC) of genus two, well suited for these applications on constrained devices. This work presents a major improvement of HECC arithmetic for certain nonsupersingular curves defined over fields of characteristic two. We optimized the group doubling operation and managed to speed up the whole cryptosystem by approximately 27 % compared to the previously known most efficient case. Furthermore, an actual implementation of the new formulae on an embedded processor shows its practical relevance. A scalar multiplication can be performed in approximately 50¢¤ £ on an 80MHz embedded device. 1.
A Complete Divisor Class Halving Algorithm for Hyperelliptic Curve Cryptosystems of Genus Two
 In Information Security and Privacy – ACISP 2005
, 2005
"... Abstract. We deal with a divisor class halving algorithm on hyperelliptic curve cryptosystems (HECC), which can be used for scalar multiplication, instead of a doubling algorithm. It is not obvious how to construct a halving algorithm, due to the complicated addition formula of hyperelliptic curves. ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
Abstract. We deal with a divisor class halving algorithm on hyperelliptic curve cryptosystems (HECC), which can be used for scalar multiplication, instead of a doubling algorithm. It is not obvious how to construct a halving algorithm, due to the complicated addition formula of hyperelliptic curves. In this paper, we propose the first halving algorithm used for HECC of genus 2, which is as efficient as the previously known doubling algorithm. From the explicit formula of the doubling algorithm, we can generate some equations whose common solutions contain the halved value. From these equations we derive four specific equations and show an algorithm that selects the proper halved value using two trace computations in the worst case. If a base point is fixed, we can reduce these extra field operations by using a precomputed table which shows the correct halving divisor class — the improvement over the previously known fastest doubling algorithm is up to about 10%. This halving algorithm is applicable to DSA and DH scheme based on HECC. Finally, we present the divisor class halving algorithms for not only the most frequent case but also other exceptional cases.