Elliptic and Hyperelliptic Curve Cryptography · Elliptic and Hyperelliptic Curve Cryptography...
Transcript of Elliptic and Hyperelliptic Curve Cryptography · Elliptic and Hyperelliptic Curve Cryptography...
Elliptic and Hyperelliptic CurveCryptography
Renate Scheidler
Research supported in part by NSERC of Canada
Comprehensive Source
Handbook of Elliptic and Hyperelliptic Curve Cryptography
Overview
L Motivation
L Elliptic Curve Arithmetic
L Hyperelliptic Curve Arithmetic
L Point Counting
L Discrete Logarithm Algorithms
L Other Models
Motivation — Why (Hyper-)Elliptic Cryptography?
Requirements on groups for discrete log based cryptography
L Large group order (plus other restrictions)
L Compact representation of group elements
L Fast group operation
L Hard Diffie-Hellman/discrete logarithm problem
Elliptic and low genus hyperelliptic curves do well on all of these!
Motivation — Why (Hyper-)Elliptic Cryptography?
Requirements on groups for discrete log based cryptography
L Large group order (plus other restrictions)
L Compact representation of group elements
L Fast group operation
L Hard Diffie-Hellman/discrete logarithm problem
Elliptic and low genus hyperelliptic curves do well on all of these!
Elliptic Curves
Let K be a field (in crypto, K � Fq with q prime or q � 2n)
Weierstraß equation over K :
E � y 2 � a1xy � a3y � x3 � a2x2 � a4x � a6 ���with a1, a2, a3, a4, a6 > K
Elliptic curve: Weierstraß equation & non-singularity condition:there are no simultaneous solutions to ��� and
2y � a1x � a3 � 0
a1y � 3x2 � 2a2x � a4
Non-singularity � ∆ x 0 where ∆ is the discriminant of E
Elliptic Curves
Let K be a field (in crypto, K � Fq with q prime or q � 2n)
Weierstraß equation over K :
E � y 2 � a1xy � a3y � x3 � a2x2 � a4x � a6 ���with a1, a2, a3, a4, a6 > K
Elliptic curve: Weierstraß equation & non-singularity condition:there are no simultaneous solutions to ��� and
2y � a1x � a3 � 0
a1y � 3x2 � 2a2x � a4
Non-singularity � ∆ x 0 where ∆ is the discriminant of E
Elliptic Curves
Let K be a field (in crypto, K � Fq with q prime or q � 2n)
Weierstraß equation over K :
E � y 2 � a1xy � a3y � x3 � a2x2 � a4x � a6 ���with a1, a2, a3, a4, a6 > K
Elliptic curve: Weierstraß equation & non-singularity condition:there are no simultaneous solutions to ��� and
2y � a1x � a3 � 0
a1y � 3x2 � 2a2x � a4
Non-singularity � ∆ x 0 where ∆ is the discriminant of E
Elliptic Curves
Let K be a field (in crypto, K � Fq with q prime or q � 2n)
Weierstraß equation over K :
E � y 2 � a1xy � a3y � x3 � a2x2 � a4x � a6 ���with a1, a2, a3, a4, a6 > K
Elliptic curve: Weierstraß equation & non-singularity condition:there are no simultaneous solutions to ��� and
2y � a1x � a3 � 0
a1y � 3x2 � 2a2x � a4
Non-singularity � ∆ x 0 where ∆ is the discriminant of E
Non-Examples
Two Weierstraß equations with a singularity at �0,0�y 2
� x3
-1
-0.5
0
0.5
1
0 0.2 0.4 0.6 0.8 1
y 2� x2�x � 1�
-1
-0.5
0
0.5
1
-1 -0.5 0 0.5 1
An Example
E � y 2� x3 � 5x over Q
-10
-5
0
5
10
-3 -2 -1 0 1 2 3 4 5 6
Elliptic Curves, char�K� x 2, 3
The variable transformations
y � y � �a1x � a3�~2, then x � x � �a21 � 4a2�~12 �
yield an elliptic curve in short Weierstraß form:
E � y 2� x3 � Ax � B �A,B > K�
Discriminant ∆ � 4A3 � 27B2x 0 �cubic in x has distinct roots)
For any field L with K b L b K :
E�L� � ��x0, y0� > L � L S y 20 � x3
0 � Ax0 � B� 8 �ª�set of L-rational points on E
Elliptic Curves, char�K� x 2, 3
The variable transformations
y � y � �a1x � a3�~2, then x � x � �a21 � 4a2�~12 �
yield an elliptic curve in short Weierstraß form:
E � y 2� x3 � Ax � B �A,B > K�
Discriminant ∆ � 4A3 � 27B2x 0 �cubic in x has distinct roots)
For any field L with K b L b K :
E�L� � ��x0, y0� > L � L S y 20 � x3
0 � Ax0 � B� 8 �ª�set of L-rational points on E
An Example
E�Q� � ��x0, y0� > Q �Q S y 20 � x3
0 � 5x0� 8 �ª�P1 � ��1,2�, P2 � �0,0� > E�Q�
-10
-5
0
5
10
-3 -2 -1 0 1 2 3 4 5 6
The Mysterious Point at Infinity
In E , replace x by x~z , y by y~z , then multiply by z3:
Eproj � y 2z � x3 � Axz2 � Bz3
Points on Eproj:
�x � y � z� x �0 � 0 � 0� normalized so the last non-zero entry is 1
Affine Points Projective Points
�x , y� � �x � y � 1�ª � �0 � 1 � 0�
The Mysterious Point at Infinity
In E , replace x by x~z , y by y~z , then multiply by z3:
Eproj � y 2z � x3 � Axz2 � Bz3
Points on Eproj:
�x � y � z� x �0 � 0 � 0� normalized so the last non-zero entry is 1
Affine Points Projective Points
�x , y� � �x � y � 1�ª � �0 � 1 � 0�
The Mysterious Point at Infinity
In E , replace x by x~z , y by y~z , then multiply by z3:
Eproj � y 2z � x3 � Axz2 � Bz3
Points on Eproj:
�x � y � z� x �0 � 0 � 0� normalized so the last non-zero entry is 1
Affine Points Projective Points
�x , y� � �x � y � 1�ª � �0 � 1 � 0�
Arithmetic on E
Goal: Make E�L� into an additive (Abelian) group
The identity is the point at infinity
By Bezout’s Theorem, any line intersects E in three points
L Need to count multiplicities
L If one of the points is ª, the line is “vertical”
Motto: “Any three collinear points on E sum to zero”
AKA Chord & Tangent Addition Law
Arithmetic on E
Goal: Make E�L� into an additive (Abelian) group
The identity is the point at infinity
By Bezout’s Theorem, any line intersects E in three points
L Need to count multiplicities
L If one of the points is ª, the line is “vertical”
Motto: “Any three collinear points on E sum to zero”
AKA Chord & Tangent Addition Law
Arithmetic on E
Goal: Make E�L� into an additive (Abelian) group
The identity is the point at infinity
By Bezout’s Theorem, any line intersects E in three points
L Need to count multiplicities
L If one of the points is ª, the line is “vertical”
Motto: “Any three collinear points on E sum to zero”
AKA Chord & Tangent Addition Law
Arithmetic on E — Inverses
E � y 2� x3 � 5x over Q, P � ��1,�2�
-10
-5
0
5
10
-3 -2 -1 0 1 2 3 4 5 6
The line through P and ª is x � �1
Arithmetic on E — Inverses
E � y 2� x3 � 5x over Q, P � ��1,�2�
-10
-5
0
5
10
-3 -2 -1 0 1 2 3 4 5 6
It intersects E in the third point R � ��1,2� � �P
Arithmetic on E — Addition
E � y 2� x3 � 5x over Q, P1 � ��1,�2�, P2 � �0,0�
-10
-5
0
5
10
-3 -2 -1 0 1 2 3 4 5 6
The line through P1 and P2 is y � 2x
Arithmetic on E — Addition
E � y 2� x3 � 5x over Q, P1 � ��1,�2�, P2 � �0,0�
-10
-5
0
5
10
-3 -2 -1 0 1 2 3 4 5 6
It intersects E in the third point G � �5,10�
Arithmetic on E — Addition
E � y 2� x3 � 5x over Q, P1 � ��1,�2�, P2 � �0,0�
-10
-5
0
5
10
-3 -2 -1 0 1 2 3 4 5 6
The sum R is the inverse of G , i.e. R � �G � �5,�10� � P � Q
Arithmetic on E — Doubling
E � y 2� x3 � 5x over Q, P � ��1,�2�
-10
-5
0
5
10
-3 -2 -1 0 1 2 3 4 5 6
The line tangent to E at P is y �1926 x � 33
26
Arithmetic on E — Doubling
E � y 2� x3 � 5x over Q, P � ��1,�2�
-10
-5
0
5
10
-3 -2 -1 0 1 2 3 4 5 6
It intersects E in the third point G � �94 ,
38�
Arithmetic on E — Doubling
E � y 2� x3 � 5x over Q, P � ��1,�2�
-10
-5
0
5
10
-3 -2 -1 0 1 2 3 4 5 6
The sum R is the inverse of G , i.e. R � �G � �94 ,�
38� � 2P
Arithmetic on Short Weierstraß Form — Summary
P1 � �x1, y1�, P2 � �x2, y2� (P1 x �P2; P1,P2 xª)
�P1 � ��x1, y1�
P1 � P2 � �λ2 � x1 � x2, �λ3 � λ�x1 � x2� � µ� where
λ �
¢̈̈̈̈¨̈¦̈̈̈¨̈̈¤
y2 � y1
x2 � x1if P1 x P2
3x21 � A
2y1if P1 � P2
µ �
¢̈̈̈̈¨̈¦̈̈̈¨̈̈¤
y1x2 � y2x1
x2 � x1if P1 x P2
�x31 � Ax1 � 2B
2y1if P1 � P2
Beyond Elliptic Curves
Recall Weierstraß equation:
E � y 2 � �a1x � a3´¹¹¹¹¹¹¹¹¹¹¹¸¹¹¹¹¹¹¹¹¹¹¹¶h�x�
�y � x3 � a2x2 � a4x � a6´¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¸¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¶f �x�
deg�f � � 3 � 2 � 1 � 1 odd
deg�h� � 1 for char�K� � 2; h � 0 for char�K� x 2
Generalization: deg�f � � 2g � 1, deg�h� B g
g is the genus of the curve
g � 1: elliptic curves
g � 2: deg�f � � 5, deg�h� B 2 — also good for crypto
Beyond Elliptic Curves
Recall Weierstraß equation:
E � y 2 � �a1x � a3´¹¹¹¹¹¹¹¹¹¹¹¸¹¹¹¹¹¹¹¹¹¹¹¶h�x�
�y � x3 � a2x2 � a4x � a6´¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¸¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¶f �x�
deg�f � � 3 � 2 � 1 � 1 odd
deg�h� � 1 for char�K� � 2; h � 0 for char�K� x 2
Generalization: deg�f � � 2g � 1, deg�h� B g
g is the genus of the curve
g � 1: elliptic curves
g � 2: deg�f � � 5, deg�h� B 2 — also good for crypto
Beyond Elliptic Curves
Recall Weierstraß equation:
E � y 2 � �a1x � a3´¹¹¹¹¹¹¹¹¹¹¹¸¹¹¹¹¹¹¹¹¹¹¹¶h�x�
�y � x3 � a2x2 � a4x � a6´¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¸¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¶f �x�
deg�f � � 3 � 2 � 1 � 1 odd
deg�h� � 1 for char�K� � 2; h � 0 for char�K� x 2
Generalization: deg�f � � 2g � 1, deg�h� B g
g is the genus of the curve
g � 1: elliptic curves
g � 2: deg�f � � 5, deg�h� B 2 — also good for crypto
Hyperelliptic Curves
Hyperelliptic curve of genus g over K :
H � y 2 � h�x�y � f �x�L h�x�, f �x� > K �x�L f �x� monic and deg�f � � 2g � 1 is odd
L deg�h� B g if char�K� � 2; h�x� � 0 if char�K� x 2
L non-singularity
char�K� x 2: y 2� f �x�, f �x� monic, of odd degree, square-free
Set of L-rational points on H (K b L b K ):
H�L� � ��x0, y0� > L � L S y 20 � h�x0�y � f �x0�� 8 �ª�
Hyperelliptic Curves
Hyperelliptic curve of genus g over K :
H � y 2 � h�x�y � f �x�L h�x�, f �x� > K �x�L f �x� monic and deg�f � � 2g � 1 is odd
L deg�h� B g if char�K� � 2; h�x� � 0 if char�K� x 2
L non-singularity
char�K� x 2: y 2� f �x�, f �x� monic, of odd degree, square-free
Set of L-rational points on H (K b L b K ):
H�L� � ��x0, y0� > L � L S y 20 � h�x0�y � f �x0�� 8 �ª�
Hyperelliptic Curves
Hyperelliptic curve of genus g over K :
H � y 2 � h�x�y � f �x�L h�x�, f �x� > K �x�L f �x� monic and deg�f � � 2g � 1 is odd
L deg�h� B g if char�K� � 2; h�x� � 0 if char�K� x 2
L non-singularity
char�K� x 2: y 2� f �x�, f �x� monic, of odd degree, square-free
Set of L-rational points on H (K b L b K ):
H�L� � ��x0, y0� > L � L S y 20 � h�x0�y � f �x0�� 8 �ª�
An Example
H � y 2� x5 � 5x3 � 4x � 1 over Q, genus g � 2
-10
-5
0
5
10
-3 -2 -1 0 1 2 3
An Example
��2,�1�, �2,�1�, �3,�11� > H�Q�
-10
-5
0
5
10
-3 -2 -1 0 1 2 3
Divisors
L Group of divisors on H:
DivH�K� � `H�K�e � �Qfinite
mPP S mP > Z, P > H�K�¡
L Subgroup of DivH�K� of degree zero divisors on H:
Div0H�K� � `�P� S P > H�K�e � �Q
finite
mP�P� S mP > Z, P > H�K�¡
where �P� � P �ª
L Subgroup of Div0H�K� of principal divisors on H:
PrinH�K� � �Qfinite
vP�α��P� S α > K�x , y�, P > H�K�¡
Divisors
L Group of divisors on H:
DivH�K� � `H�K�e � �Qfinite
mPP S mP > Z, P > H�K�¡
L Subgroup of DivH�K� of degree zero divisors on H:
Div0H�K� � `�P� S P > H�K�e � �Q
finite
mP�P� S mP > Z, P > H�K�¡
where �P� � P �ª
L Subgroup of Div0H�K� of principal divisors on H:
PrinH�K� � �Qfinite
vP�α��P� S α > K�x , y�, P > H�K�¡
Divisors
L Group of divisors on H:
DivH�K� � `H�K�e � �Qfinite
mPP S mP > Z, P > H�K�¡
L Subgroup of DivH�K� of degree zero divisors on H:
Div0H�K� � `�P� S P > H�K�e � �Q
finite
mP�P� S mP > Z, P > H�K�¡
where �P� � P �ª
L Subgroup of Div0H�K� of principal divisors on H:
PrinH�K� � �Qfinite
vP�α��P� S α > K�x , y�, P > H�K�¡
The Jacobian
Jacobian of H: JacH�K� � Div0H�K�~PrinH�K�
Motto: “Any complete collection of points on a function sums tozero”
H�K� 0 JacH�K� via P ( �P�For elliptic curves: E�K� � JacE�K� (� E�K� is a group)
Identity: �ª� �ª�ª
Inverses: The points
P � �x0, y0� and P � �x0,�y0 � h�x0��on H both lie on the function x � x0, so
��P� � �P�
The Jacobian
Jacobian of H: JacH�K� � Div0H�K�~PrinH�K�
Motto: “Any complete collection of points on a function sums tozero”
H�K� 0 JacH�K� via P ( �P�
For elliptic curves: E�K� � JacE�K� (� E�K� is a group)
Identity: �ª� �ª�ª
Inverses: The points
P � �x0, y0� and P � �x0,�y0 � h�x0��on H both lie on the function x � x0, so
��P� � �P�
The Jacobian
Jacobian of H: JacH�K� � Div0H�K�~PrinH�K�
Motto: “Any complete collection of points on a function sums tozero”
H�K� 0 JacH�K� via P ( �P�For elliptic curves: E�K� � JacE�K� (� E�K� is a group)
Identity: �ª� �ª�ª
Inverses: The points
P � �x0, y0� and P � �x0,�y0 � h�x0��on H both lie on the function x � x0, so
��P� � �P�
The Jacobian
Jacobian of H: JacH�K� � Div0H�K�~PrinH�K�
Motto: “Any complete collection of points on a function sums tozero”
H�K� 0 JacH�K� via P ( �P�For elliptic curves: E�K� � JacE�K� (� E�K� is a group)
Identity: �ª� �ª�ª
Inverses: The points
P � �x0, y0� and P � �x0,�y0 � h�x0��on H both lie on the function x � x0, so
��P� � �P�
The Jacobian
Jacobian of H: JacH�K� � Div0H�K�~PrinH�K�
Motto: “Any complete collection of points on a function sums tozero”
H�K� 0 JacH�K� via P ( �P�For elliptic curves: E�K� � JacE�K� (� E�K� is a group)
Identity: �ª� �ª�ª
Inverses: The points
P � �x0, y0� and P � �x0,�y0 � h�x0��on H both lie on the function x � x0, so
��P� � �P�
Semi-Reduced and Reduced Divisors
Every class in JacH�K� contains a divisor Qfinite
mP�P� such that
L all mP A 0 (replace ��P� by �P�)L if P � P, then mP � 1 (as 2�P� � 0)
L if P x P, then only one of P, Pcan appear in the sum (as �P� � �P� � 0)
Such a divisor is semi-reduced. If PmP B g , then it is reduced.
TheoremEvery class in JacH�K� contains a unique reduced divisor.
Semi-Reduced and Reduced Divisors
Every class in JacH�K� contains a divisor Qfinite
mP�P� such that
L all mP A 0 (replace ��P� by �P�)L if P � P, then mP � 1 (as 2�P� � 0)
L if P x P, then only one of P, Pcan appear in the sum (as �P� � �P� � 0)
Such a divisor is semi-reduced.
If PmP B g , then it is reduced.
TheoremEvery class in JacH�K� contains a unique reduced divisor.
Semi-Reduced and Reduced Divisors
Every class in JacH�K� contains a divisor Qfinite
mP�P� such that
L all mP A 0 (replace ��P� by �P�)L if P � P, then mP � 1 (as 2�P� � 0)
L if P x P, then only one of P, Pcan appear in the sum (as �P� � �P� � 0)
Such a divisor is semi-reduced. If PmP B g , then it is reduced.
TheoremEvery class in JacH�K� contains a unique reduced divisor.
Semi-Reduced and Reduced Divisors
Every class in JacH�K� contains a divisor Qfinite
mP�P� such that
L all mP A 0 (replace ��P� by �P�)L if P � P, then mP � 1 (as 2�P� � 0)
L if P x P, then only one of P, Pcan appear in the sum (as �P� � �P� � 0)
Such a divisor is semi-reduced. If PmP B g , then it is reduced.
TheoremEvery class in JacH�K� contains a unique reduced divisor.
Example — Reduction
H � y 2� x5 � 5x3 � 4x � 1 over Q, D � �R1� � �R2� � �R3� with
R1 � ��2,�1�, R2 � �2,�1�, R3 � �3,�11�
-10
-5
0
5
10
-3 -2 -1 0 1 2 3
Example — Reduction
R1,R2,R3 all lie on the quadratic y � �2x2 � 7
-10
-5
0
5
10
-3 -2 -1 0 1 2 3
Example — Reduction
This quadratic meets H in the two additional points G1,G2 where
G1 � �12�1 �
º17�,�2 �
º17�, G2 � �1
2�1 �º
17�,�2 �º
17�Thus, �R1� � �R2� � R3� � �G1� � �G2� � 0 in JacH�Q�
-10
-5
0
5
10
-3 -2 -1 0 1 2 3
Example — Reduction
�R1� � �R2� � R3� � �B1� � �B2� with B1 � �G1�, B2 � �G2�The reduced divisor in the class of D is E � �B1� � B2� where
B1 � �12�1 �
º17�, 2 �
º17�, B2 � �1
2�1 �º
17�, 2 �º
17�,
-10
-5
0
5
10
-3 -2 -1 0 1 2 3
Reduction in General
Let D �
r
Qi�1
�Pi � be a semi-reduced divisor on y 2 � h�x�y � f �x�
The r points Pi all lie on a curve y � v�x� with deg�v� � r � 1
v�x�2 � h�x�h�x� � f �x� polynomial of degree max�2r � 2, 2g � 1�Case r C g � 2: replace the r points P1, . . . ,Pr in D by the inversesof the other �2r � 2� � r � r � 2 points on this degree 2r � 2polynomial
Case r � g � 1: replace the g � 1 points P1, . . . ,Pr in D by theinverses of the other 2g � 1 � �g � 1� � g points on this degree2g � 2 polynomial
After � r � g
2� steps a reduced divisor is obtained ��
�
Reduction in General
Let D �
r
Qi�1
�Pi � be a semi-reduced divisor on y 2 � h�x�y � f �x�The r points Pi all lie on a curve y � v�x� with deg�v� � r � 1
v�x�2 � h�x�h�x� � f �x� polynomial of degree max�2r � 2, 2g � 1�Case r C g � 2: replace the r points P1, . . . ,Pr in D by the inversesof the other �2r � 2� � r � r � 2 points on this degree 2r � 2polynomial
Case r � g � 1: replace the g � 1 points P1, . . . ,Pr in D by theinverses of the other 2g � 1 � �g � 1� � g points on this degree2g � 2 polynomial
After � r � g
2� steps a reduced divisor is obtained ��
�
Reduction in General
Let D �
r
Qi�1
�Pi � be a semi-reduced divisor on y 2 � h�x�y � f �x�The r points Pi all lie on a curve y � v�x� with deg�v� � r � 1
v�x�2 � h�x�h�x� � f �x� polynomial of degree max�2r � 2, 2g � 1�
Case r C g � 2: replace the r points P1, . . . ,Pr in D by the inversesof the other �2r � 2� � r � r � 2 points on this degree 2r � 2polynomial
Case r � g � 1: replace the g � 1 points P1, . . . ,Pr in D by theinverses of the other 2g � 1 � �g � 1� � g points on this degree2g � 2 polynomial
After � r � g
2� steps a reduced divisor is obtained ��
�
Reduction in General
Let D �
r
Qi�1
�Pi � be a semi-reduced divisor on y 2 � h�x�y � f �x�The r points Pi all lie on a curve y � v�x� with deg�v� � r � 1
v�x�2 � h�x�h�x� � f �x� polynomial of degree max�2r � 2, 2g � 1�Case r C g � 2: replace the r points P1, . . . ,Pr in D by the inversesof the other �2r � 2� � r � r � 2 points on this degree 2r � 2polynomial
Case r � g � 1: replace the g � 1 points P1, . . . ,Pr in D by theinverses of the other 2g � 1 � �g � 1� � g points on this degree2g � 2 polynomial
After � r � g
2� steps a reduced divisor is obtained ��
�
Reduction in General
Let D �
r
Qi�1
�Pi � be a semi-reduced divisor on y 2 � h�x�y � f �x�The r points Pi all lie on a curve y � v�x� with deg�v� � r � 1
v�x�2 � h�x�h�x� � f �x� polynomial of degree max�2r � 2, 2g � 1�Case r C g � 2: replace the r points P1, . . . ,Pr in D by the inversesof the other �2r � 2� � r � r � 2 points on this degree 2r � 2polynomial
Case r � g � 1: replace the g � 1 points P1, . . . ,Pr in D by theinverses of the other 2g � 1 � �g � 1� � g points on this degree2g � 2 polynomial
After � r � g
2� steps a reduced divisor is obtained ��
�
Reduction in General
Let D �
r
Qi�1
�Pi � be a semi-reduced divisor on y 2 � h�x�y � f �x�The r points Pi all lie on a curve y � v�x� with deg�v� � r � 1
v�x�2 � h�x�h�x� � f �x� polynomial of degree max�2r � 2, 2g � 1�Case r C g � 2: replace the r points P1, . . . ,Pr in D by the inversesof the other �2r � 2� � r � r � 2 points on this degree 2r � 2polynomial
Case r � g � 1: replace the g � 1 points P1, . . . ,Pr in D by theinverses of the other 2g � 1 � �g � 1� � g points on this degree2g � 2 polynomial
After � r � g
2� steps a reduced divisor is obtained ��
�
Mumford Representation
Let D �
r
Qi�1
mi �Pi � be a semi-reduced divisor, Pi � �xi , yi�The Mumford representation of D is D � �u�x�, v�x�� where
u�x�, v�x� > K �x�, u monic, deg�v� @ deg�u�, u S v 2 � hv � f
u�x� � r
Mi�1
�x � xi�mi
� d
dx�j �v�x�2 � v�x�h�x� � f �x��
x�xi� 0 �0 B j B mi � 1�
So u�xi� � 0 and v�xi� � yi with multiplicity mi for 1 B i B r
Mumford representation uniquely determines D
Example: If P � �x0, y0�, then D � �P� � �x � x0, y0�
Mumford Representation
Let D �
r
Qi�1
mi �Pi � be a semi-reduced divisor, Pi � �xi , yi�The Mumford representation of D is D � �u�x�, v�x�� where
u�x�, v�x� > K �x�, u monic, deg�v� @ deg�u�, u S v 2 � hv � f
u�x� � r
Mi�1
�x � xi�mi
� d
dx�j �v�x�2 � v�x�h�x� � f �x��
x�xi� 0 �0 B j B mi � 1�
So u�xi� � 0 and v�xi� � yi with multiplicity mi for 1 B i B r
Mumford representation uniquely determines D
Example: If P � �x0, y0�, then D � �P� � �x � x0, y0�
Mumford Representation
Let D �
r
Qi�1
mi �Pi � be a semi-reduced divisor, Pi � �xi , yi�The Mumford representation of D is D � �u�x�, v�x�� where
u�x�, v�x� > K �x�, u monic, deg�v� @ deg�u�, u S v 2 � hv � f
u�x� � r
Mi�1
�x � xi�mi
� d
dx�j �v�x�2 � v�x�h�x� � f �x��
x�xi� 0 �0 B j B mi � 1�
So u�xi� � 0 and v�xi� � yi with multiplicity mi for 1 B i B r
Mumford representation uniquely determines D
Example: If P � �x0, y0�, then D � �P� � �x � x0, y0�
Mumford Representation
Let D �
r
Qi�1
mi �Pi � be a semi-reduced divisor, Pi � �xi , yi�The Mumford representation of D is D � �u�x�, v�x�� where
u�x�, v�x� > K �x�, u monic, deg�v� @ deg�u�, u S v 2 � hv � f
u�x� � r
Mi�1
�x � xi�mi
� d
dx�j �v�x�2 � v�x�h�x� � f �x��
x�xi� 0 �0 B j B mi � 1�
So u�xi� � 0 and v�xi� � yi with multiplicity mi for 1 B i B r
Mumford representation uniquely determines D
Example: If P � �x0, y0�, then D � �P� � �x � x0, y0�
Divisor Reduction Using Mumford Representations
Input: D � �u, v�Output: The reduced divisor D �
� �u�, v �� in the class of D
while deg�u� A g do
u��
f � vh � v 2
u, v �
� �v � h �mod u��u � u�, v � v �
end while
return�u�, v ��
Divisor Reduction Using Mumford Representations
Input: D � �u, v�Output: The reduced divisor D �
� �u�, v �� in the class of D
while deg�u� A g do
u��
f � vh � v 2
u, v �
� �v � h �mod u��u � u�, v � v �
end while
return�u�, v ��
Divisor Reduction — Example
H � y 2� x5 � 5x3 � 4x � 1 over Q
D � ���2,�1�� � ��2,1�� � ��3,�11�� � �u, v�
with
u�x� � �x � 2��x � 2��x � 3� � x3 � 3x2 � 4x � 2
v�x� � �2x2 � 7 (from before)
u��x� ��x5 � 5x3 � 4x � 1� � ��2x2 � 7�2
x3 � 3x2 � 4x � 2� x2 � x � 4
v ��x� � ���2x2 � 7� �mod x2 � x � 4� � 2x � 1
D �� �u�, v �� is the reduced divisor in the class of D
Recall D �� � �1
2�1 �
º17�, 2 �
º17� ��� �1
2�1 �
º17�, 2 �
º17� �
Divisor Reduction — Example
H � y 2� x5 � 5x3 � 4x � 1 over Q
D � ���2,�1�� � ��2,1�� � ��3,�11�� � �u, v� with
u�x� � �x � 2��x � 2��x � 3� � x3 � 3x2 � 4x � 2
v�x� � �2x2 � 7 (from before)
u��x� ��x5 � 5x3 � 4x � 1� � ��2x2 � 7�2
x3 � 3x2 � 4x � 2� x2 � x � 4
v ��x� � ���2x2 � 7� �mod x2 � x � 4� � 2x � 1
D �� �u�, v �� is the reduced divisor in the class of D
Recall D �� � �1
2�1 �
º17�, 2 �
º17� ��� �1
2�1 �
º17�, 2 �
º17� �
Divisor Reduction — Example
H � y 2� x5 � 5x3 � 4x � 1 over Q
D � ���2,�1�� � ��2,1�� � ��3,�11�� � �u, v� with
u�x� � �x � 2��x � 2��x � 3� � x3 � 3x2 � 4x � 2
v�x� � �2x2 � 7 (from before)
u��x� ��x5 � 5x3 � 4x � 1� � ��2x2 � 7�2
x3 � 3x2 � 4x � 2� x2 � x � 4
v ��x� � ���2x2 � 7� �mod x2 � x � 4� � 2x � 1
D �� �u�, v �� is the reduced divisor in the class of D
Recall D �� � �1
2�1 �
º17�, 2 �
º17� ��� �1
2�1 �
º17�, 2 �
º17� �
Divisor Reduction — Example
H � y 2� x5 � 5x3 � 4x � 1 over Q
D � ���2,�1�� � ��2,1�� � ��3,�11�� � �u, v� with
u�x� � �x � 2��x � 2��x � 3� � x3 � 3x2 � 4x � 2
v�x� � �2x2 � 7 (from before)
u��x� ��x5 � 5x3 � 4x � 1� � ��2x2 � 7�2
x3 � 3x2 � 4x � 2� x2 � x � 4
v ��x� � ���2x2 � 7� �mod x2 � x � 4� � 2x � 1
D �� �u�, v �� is the reduced divisor in the class of D
Recall D �� � �1
2�1 �
º17�, 2 �
º17� ��� �1
2�1 �
º17�, 2 �
º17� �
Divisor Addition Using Mumford Representations
D1 � �u1, v1�, D2 � �u2, v2� divisors on H � y 2 � h�x�y � f �x�
Simplest case: for any �P� occurring in D1, �P� does not occur inD2 and vice versa — then D1 � D2 is semi-reduced
Then D1 � D2 � �u, v� where u � u1u2 and v �
¢̈̈¦̈̈¤v1 �mod u1�v2 �mod u2�
In general: suppose P � �x0, y0� occurs in D1 and P occurs in D2.
Then u1�x0� � u2�x0� � 0 and v1�x0� � y0 � �v2�x0� � h�x0�, sox � x0 S u1�x�, u2�x�, v1�x� � v2�x� � h�x�
d � gcd�u1,u2, v1 � v2 �h� � s1u1 � s2u2 � s3�v1 � v2 �h�u �
u1u2
d2
v �1
d�s1u1v2 � s2u2v1 � s3�v1v2 � f �� �mod u�
(In the simplest case above, d � 1 and s3 � 0)
Divisor Addition Using Mumford Representations
D1 � �u1, v1�, D2 � �u2, v2� divisors on H � y 2 � h�x�y � f �x�Simplest case: for any �P� occurring in D1, �P� does not occur inD2 and vice versa — then D1 � D2 is semi-reduced
Then D1 � D2 � �u, v� where u � u1u2 and v �
¢̈̈¦̈̈¤v1 �mod u1�v2 �mod u2�
In general: suppose P � �x0, y0� occurs in D1 and P occurs in D2.
Then u1�x0� � u2�x0� � 0 and v1�x0� � y0 � �v2�x0� � h�x0�, sox � x0 S u1�x�, u2�x�, v1�x� � v2�x� � h�x�
d � gcd�u1,u2, v1 � v2 �h� � s1u1 � s2u2 � s3�v1 � v2 �h�u �
u1u2
d2
v �1
d�s1u1v2 � s2u2v1 � s3�v1v2 � f �� �mod u�
(In the simplest case above, d � 1 and s3 � 0)
Divisor Addition Using Mumford Representations
D1 � �u1, v1�, D2 � �u2, v2� divisors on H � y 2 � h�x�y � f �x�Simplest case: for any �P� occurring in D1, �P� does not occur inD2 and vice versa — then D1 � D2 is semi-reduced
Then D1 � D2 � �u, v� where u � u1u2 and v �
¢̈̈¦̈̈¤v1 �mod u1�v2 �mod u2�
In general: suppose P � �x0, y0� occurs in D1 and P occurs in D2.
Then u1�x0� � u2�x0� � 0 and v1�x0� � y0 � �v2�x0� � h�x0�, sox � x0 S u1�x�, u2�x�, v1�x� � v2�x� � h�x�
d � gcd�u1,u2, v1 � v2 �h� � s1u1 � s2u2 � s3�v1 � v2 �h�u �
u1u2
d2
v �1
d�s1u1v2 � s2u2v1 � s3�v1v2 � f �� �mod u�
(In the simplest case above, d � 1 and s3 � 0)
Divisor Addition Using Mumford Representations
D1 � �u1, v1�, D2 � �u2, v2� divisors on H � y 2 � h�x�y � f �x�Simplest case: for any �P� occurring in D1, �P� does not occur inD2 and vice versa — then D1 � D2 is semi-reduced
Then D1 � D2 � �u, v� where u � u1u2 and v �
¢̈̈¦̈̈¤v1 �mod u1�v2 �mod u2�
In general: suppose P � �x0, y0� occurs in D1 and P occurs in D2.
Then u1�x0� � u2�x0� � 0 and v1�x0� � y0 � �v2�x0� � h�x0�, sox � x0 S u1�x�, u2�x�, v1�x� � v2�x� � h�x�
d � gcd�u1,u2, v1 � v2 �h� � s1u1 � s2u2 � s3�v1 � v2 �h�u �
u1u2
d2
v �1
d�s1u1v2 � s2u2v1 � s3�v1v2 � f �� �mod u�
(In the simplest case above, d � 1 and s3 � 0)
Divisor Addition Using Mumford Representations
D1 � �u1, v1�, D2 � �u2, v2� divisors on H � y 2 � h�x�y � f �x�Simplest case: for any �P� occurring in D1, �P� does not occur inD2 and vice versa — then D1 � D2 is semi-reduced
Then D1 � D2 � �u, v� where u � u1u2 and v �
¢̈̈¦̈̈¤v1 �mod u1�v2 �mod u2�
In general: suppose P � �x0, y0� occurs in D1 and P occurs in D2.
Then u1�x0� � u2�x0� � 0 and v1�x0� � y0 � �v2�x0� � h�x0�, sox � x0 S u1�x�, u2�x�, v1�x� � v2�x� � h�x�
d � gcd�u1,u2, v1 � v2 �h� � s1u1 � s2u2 � s3�v1 � v2 �h�u �
u1u2
d2
v �1
d�s1u1v2 � s2u2v1 � s3�v1v2 � f �� �mod u�
(In the simplest case above, d � 1 and s3 � 0)
Divisor Addition Using Mumford Representations
D1 � �u1, v1�, D2 � �u2, v2� divisors on H � y 2 � h�x�y � f �x�Simplest case: for any �P� occurring in D1, �P� does not occur inD2 and vice versa — then D1 � D2 is semi-reduced
Then D1 � D2 � �u, v� where u � u1u2 and v �
¢̈̈¦̈̈¤v1 �mod u1�v2 �mod u2�
In general: suppose P � �x0, y0� occurs in D1 and P occurs in D2.
Then u1�x0� � u2�x0� � 0 and v1�x0� � y0 � �v2�x0� � h�x0�, sox � x0 S u1�x�, u2�x�, v1�x� � v2�x� � h�x�
d � gcd�u1,u2, v1 � v2 �h� � s1u1 � s2u2 � s3�v1 � v2 �h�u �
u1u2
d2
v �1
d�s1u1v2 � s2u2v1 � s3�v1v2 � f �� �mod u�
(In the simplest case above, d � 1 and s3 � 0)
Arithmetic in JacH�K�
Input: D1 � �u1, v1�, D2 � �u2, v2� reduced
Output: The reduced divisor D �� �u�, v �� in the class of D1 � D2
1. Addition: compute a semi-reduced divisor D � �u, v� in theclass of D1 � D2
2. Reduction: compute the reduced divisor D �� �u�, v �� in the
class of D
Methods
L “Vanilla” method just discussed
L Cantor’s algorithm (“improved vanilla”)
L NUCOMP
L Explicit formulas (if g is small, say g � 2,3,4)
Arithmetic in JacH�K�
Input: D1 � �u1, v1�, D2 � �u2, v2� reduced
Output: The reduced divisor D �� �u�, v �� in the class of D1 � D2
1. Addition: compute a semi-reduced divisor D � �u, v� in theclass of D1 � D2
2. Reduction: compute the reduced divisor D �� �u�, v �� in the
class of D
Methods
L “Vanilla” method just discussed
L Cantor’s algorithm (“improved vanilla”)
L NUCOMP
L Explicit formulas (if g is small, say g � 2,3,4)
Arithmetic in JacH�K�
Input: D1 � �u1, v1�, D2 � �u2, v2� reduced
Output: The reduced divisor D �� �u�, v �� in the class of D1 � D2
1. Addition: compute a semi-reduced divisor D � �u, v� in theclass of D1 � D2
2. Reduction: compute the reduced divisor D �� �u�, v �� in the
class of D
Methods
L “Vanilla” method just discussed
L Cantor’s algorithm (“improved vanilla”)
L NUCOMP
L Explicit formulas (if g is small, say g � 2,3,4)
Divisors defined over K
Let φ > Gal�K~K� (for K � Fq, think of Frobenius φ�α� � αq)
φ acts on points on H: if P � �x0, y0�, then φ�P� � �φ�x0�, φ�y0��φ acts on divisors: if D �QmP�P�, then φ�D� �QmP�φ�P��A divisor D is defined over K if φ�D� � D
Example:
D � �x2 � x � 4, 2x � 1� on H � y 2� x5 � 5x3 � 4x � 1 over Q
� � �1
2�1 �
º17�, 2 �
º17� � � � �1
2�1 �
º17�, 2 �
º17� �
is defined over Q (invariant under automorphismº
17( �º
17)
TheoremD � �u, v� is defined over K if and only if u�x�, v�x� > K �x�.Corollary
The group JacH�Fq� of divisor classes defined over Fq is finite.
Divisors defined over K
Let φ > Gal�K~K� (for K � Fq, think of Frobenius φ�α� � αq)
φ acts on points on H: if P � �x0, y0�, then φ�P� � �φ�x0�, φ�y0��
φ acts on divisors: if D �QmP�P�, then φ�D� �QmP�φ�P��A divisor D is defined over K if φ�D� � D
Example:
D � �x2 � x � 4, 2x � 1� on H � y 2� x5 � 5x3 � 4x � 1 over Q
� � �1
2�1 �
º17�, 2 �
º17� � � � �1
2�1 �
º17�, 2 �
º17� �
is defined over Q (invariant under automorphismº
17( �º
17)
TheoremD � �u, v� is defined over K if and only if u�x�, v�x� > K �x�.Corollary
The group JacH�Fq� of divisor classes defined over Fq is finite.
Divisors defined over K
Let φ > Gal�K~K� (for K � Fq, think of Frobenius φ�α� � αq)
φ acts on points on H: if P � �x0, y0�, then φ�P� � �φ�x0�, φ�y0��φ acts on divisors: if D �QmP�P�, then φ�D� �QmP�φ�P��
A divisor D is defined over K if φ�D� � D
Example:
D � �x2 � x � 4, 2x � 1� on H � y 2� x5 � 5x3 � 4x � 1 over Q
� � �1
2�1 �
º17�, 2 �
º17� � � � �1
2�1 �
º17�, 2 �
º17� �
is defined over Q (invariant under automorphismº
17( �º
17)
TheoremD � �u, v� is defined over K if and only if u�x�, v�x� > K �x�.Corollary
The group JacH�Fq� of divisor classes defined over Fq is finite.
Divisors defined over K
Let φ > Gal�K~K� (for K � Fq, think of Frobenius φ�α� � αq)
φ acts on points on H: if P � �x0, y0�, then φ�P� � �φ�x0�, φ�y0��φ acts on divisors: if D �QmP�P�, then φ�D� �QmP�φ�P��A divisor D is defined over K if φ�D� � D
Example:
D � �x2 � x � 4, 2x � 1� on H � y 2� x5 � 5x3 � 4x � 1 over Q
� � �1
2�1 �
º17�, 2 �
º17� � � � �1
2�1 �
º17�, 2 �
º17� �
is defined over Q (invariant under automorphismº
17( �º
17)
TheoremD � �u, v� is defined over K if and only if u�x�, v�x� > K �x�.Corollary
The group JacH�Fq� of divisor classes defined over Fq is finite.
Divisors defined over K
Let φ > Gal�K~K� (for K � Fq, think of Frobenius φ�α� � αq)
φ acts on points on H: if P � �x0, y0�, then φ�P� � �φ�x0�, φ�y0��φ acts on divisors: if D �QmP�P�, then φ�D� �QmP�φ�P��A divisor D is defined over K if φ�D� � D
Example:
D � �x2 � x � 4, 2x � 1� on H � y 2� x5 � 5x3 � 4x � 1 over Q
� � �1
2�1 �
º17�, 2 �
º17� � � � �1
2�1 �
º17�, 2 �
º17� �
is defined over Q (invariant under automorphismº
17( �º
17)
TheoremD � �u, v� is defined over K if and only if u�x�, v�x� > K �x�.Corollary
The group JacH�Fq� of divisor classes defined over Fq is finite.
Divisors defined over K
Let φ > Gal�K~K� (for K � Fq, think of Frobenius φ�α� � αq)
φ acts on points on H: if P � �x0, y0�, then φ�P� � �φ�x0�, φ�y0��φ acts on divisors: if D �QmP�P�, then φ�D� �QmP�φ�P��A divisor D is defined over K if φ�D� � D
Example:
D � �x2 � x � 4, 2x � 1� on H � y 2� x5 � 5x3 � 4x � 1 over Q
� � �1
2�1 �
º17�, 2 �
º17� � � � �1
2�1 �
º17�, 2 �
º17� �
is defined over Q (invariant under automorphismº
17( �º
17)
TheoremD � �u, v� is defined over K if and only if u�x�, v�x� > K �x�.
Corollary
The group JacH�Fq� of divisor classes defined over Fq is finite.
Divisors defined over K
Let φ > Gal�K~K� (for K � Fq, think of Frobenius φ�α� � αq)
φ acts on points on H: if P � �x0, y0�, then φ�P� � �φ�x0�, φ�y0��φ acts on divisors: if D �QmP�P�, then φ�D� �QmP�φ�P��A divisor D is defined over K if φ�D� � D
Example:
D � �x2 � x � 4, 2x � 1� on H � y 2� x5 � 5x3 � 4x � 1 over Q
� � �1
2�1 �
º17�, 2 �
º17� � � � �1
2�1 �
º17�, 2 �
º17� �
is defined over Q (invariant under automorphismº
17( �º
17)
TheoremD � �u, v� is defined over K if and only if u�x�, v�x� > K �x�.Corollary
The group JacH�Fq� of divisor classes defined over Fq is finite.
Group Structure and Size
E�Fq� � Z~nZ �Z~mZ where n S gcd�m,q � 1�
Via a hand-wavy argument, y 2� f �x� should have � q � 1 points
Hasse: SE�Fq�S � q � 1 � t with St S B 2º
q
Hasse-Weil: SH�Fq�S � q � 1 � t with St S B 2gº
qSerre: St S B g2ºq�For the Jacobian:
�ºq � 1�2gB SJacH�Fq�S B �ºq � 1�2g
So SJacH�Fq�S � qg
If we want qg� 2160: g 1 2 3 4
q 2160 280 253.33 240
Group Structure and Size
E�Fq� � Z~nZ �Z~mZ where n S gcd�m,q � 1�Via a hand-wavy argument, y 2
� f �x� should have � q � 1 points
Hasse: SE�Fq�S � q � 1 � t with St S B 2º
q
Hasse-Weil: SH�Fq�S � q � 1 � t with St S B 2gº
qSerre: St S B g2ºq�For the Jacobian:
�ºq � 1�2gB SJacH�Fq�S B �ºq � 1�2g
So SJacH�Fq�S � qg
If we want qg� 2160: g 1 2 3 4
q 2160 280 253.33 240
Group Structure and Size
E�Fq� � Z~nZ �Z~mZ where n S gcd�m,q � 1�Via a hand-wavy argument, y 2
� f �x� should have � q � 1 points
Hasse: SE�Fq�S � q � 1 � t with St S B 2º
q
Hasse-Weil: SH�Fq�S � q � 1 � t with St S B 2gº
qSerre: St S B g2ºq�
For the Jacobian:
�ºq � 1�2gB SJacH�Fq�S B �ºq � 1�2g
So SJacH�Fq�S � qg
If we want qg� 2160: g 1 2 3 4
q 2160 280 253.33 240
Group Structure and Size
E�Fq� � Z~nZ �Z~mZ where n S gcd�m,q � 1�Via a hand-wavy argument, y 2
� f �x� should have � q � 1 points
Hasse: SE�Fq�S � q � 1 � t with St S B 2º
q
Hasse-Weil: SH�Fq�S � q � 1 � t with St S B 2gº
qSerre: St S B g2ºq�For the Jacobian:
�ºq � 1�2gB SJacH�Fq�S B �ºq � 1�2g
So SJacH�Fq�S � qg
If we want qg� 2160: g 1 2 3 4
q 2160 280 253.33 240
Group Structure and Size
E�Fq� � Z~nZ �Z~mZ where n S gcd�m,q � 1�Via a hand-wavy argument, y 2
� f �x� should have � q � 1 points
Hasse: SE�Fq�S � q � 1 � t with St S B 2º
q
Hasse-Weil: SH�Fq�S � q � 1 � t with St S B 2gº
qSerre: St S B g2ºq�For the Jacobian:
�ºq � 1�2gB SJacH�Fq�S B �ºq � 1�2g
So SJacH�Fq�S � qg
If we want qg� 2160: g 1 2 3 4
q 2160 280 253.33 240
Point Counting Algorithms
Stay for next week’s workshop to learn more . . .
K � Fq, q � pn
L Square Root MethodsPollard kangarooCartier-Manin
L `-adic Methods (n � 1, polynomial in log�p�)
SEA and generalizations
L p-adic Methods (p small, polynomial in n)
Canonical lifts (Satoh, AGM)Deformation theoryCohomology
Point counting on certain curves is easy (e.g. Koblitz curves)
Can also construct curves with good group orders via CM method(see Thursday’s talks by Drew Sutherland and Bianca Viray)
Point Counting Algorithms
Stay for next week’s workshop to learn more . . .
K � Fq, q � pn
L Square Root MethodsPollard kangarooCartier-Manin
L `-adic Methods (n � 1, polynomial in log�p�)
SEA and generalizations
L p-adic Methods (p small, polynomial in n)
Canonical lifts (Satoh, AGM)Deformation theoryCohomology
Point counting on certain curves is easy (e.g. Koblitz curves)
Can also construct curves with good group orders via CM method(see Thursday’s talks by Drew Sutherland and Bianca Viray)
Point Counting Algorithms
Stay for next week’s workshop to learn more . . .
K � Fq, q � pn
L Square Root MethodsPollard kangarooCartier-Manin
L `-adic Methods (n � 1, polynomial in log�p�)
SEA and generalizations
L p-adic Methods (p small, polynomial in n)
Canonical lifts (Satoh, AGM)Deformation theoryCohomology
Point counting on certain curves is easy (e.g. Koblitz curves)
Can also construct curves with good group orders via CM method(see Thursday’s talks by Drew Sutherland and Bianca Viray)
Point Counting Algorithms
Stay for next week’s workshop to learn more . . .
K � Fq, q � pn
L Square Root MethodsPollard kangarooCartier-Manin
L `-adic Methods (n � 1, polynomial in log�p�)
SEA and generalizations
L p-adic Methods (p small, polynomial in n)
Canonical lifts (Satoh, AGM)Deformation theoryCohomology
Point counting on certain curves is easy (e.g. Koblitz curves)
Can also construct curves with good group orders via CM method(see Thursday’s talks by Drew Sutherland and Bianca Viray)
Discrete Logarithms
Elliptic Curve DLP: given P,Q > E�Fq� with Q � mP, find m
Hyperelliptic Curve DLP: given reduced divisors D,E so that Eis equivalent to mD, find m
Generic Methods — Complexity O�qg~2� group operations
L Baby step giant step — also requires O�qg~2� space
L Pollard rho
L Pollard lambda (kangaroo)
Index Calculus Methods
L g â log�q� — sub-exponential
L 3 B g á log�q� — O�q2�2~g�For g � 1,2, generic methods are best! (As far as we know . . . )
Discrete Logarithms
Elliptic Curve DLP: given P,Q > E�Fq� with Q � mP, find m
Hyperelliptic Curve DLP: given reduced divisors D,E so that Eis equivalent to mD, find m
Generic Methods — Complexity O�qg~2� group operations
L Baby step giant step — also requires O�qg~2� space
L Pollard rho
L Pollard lambda (kangaroo)
Index Calculus Methods
L g â log�q� — sub-exponential
L 3 B g á log�q� — O�q2�2~g�For g � 1,2, generic methods are best! (As far as we know . . . )
Discrete Logarithms
Elliptic Curve DLP: given P,Q > E�Fq� with Q � mP, find m
Hyperelliptic Curve DLP: given reduced divisors D,E so that Eis equivalent to mD, find m
Generic Methods — Complexity O�qg~2� group operations
L Baby step giant step — also requires O�qg~2� space
L Pollard rho
L Pollard lambda (kangaroo)
Index Calculus Methods
L g â log�q� — sub-exponential
L 3 B g á log�q� — O�q2�2~g�For g � 1,2, generic methods are best! (As far as we know . . . )
Discrete Logarithms
Elliptic Curve DLP: given P,Q > E�Fq� with Q � mP, find m
Hyperelliptic Curve DLP: given reduced divisors D,E so that Eis equivalent to mD, find m
Generic Methods — Complexity O�qg~2� group operations
L Baby step giant step — also requires O�qg~2� space
L Pollard rho
L Pollard lambda (kangaroo)
Index Calculus Methods
L g â log�q� — sub-exponential
L 3 B g á log�q� — O�q2�2~g�
For g � 1,2, generic methods are best! (As far as we know . . . )
Discrete Logarithms
Elliptic Curve DLP: given P,Q > E�Fq� with Q � mP, find m
Hyperelliptic Curve DLP: given reduced divisors D,E so that Eis equivalent to mD, find m
Generic Methods — Complexity O�qg~2� group operations
L Baby step giant step — also requires O�qg~2� space
L Pollard rho
L Pollard lambda (kangaroo)
Index Calculus Methods
L g â log�q� — sub-exponential
L 3 B g á log�q� — O�q2�2~g�For g � 1,2, generic methods are best! (As far as we know . . . )
Other Attacks & Parameter Choices
K � Fq with q � pn
L Pohlig-Hellman — ensure that SJacH�Fq�S has a large primefactor
L Additive Reduction: if p divides SJacH�Fq�S, then there is an
explicit homomorphism JacH�Fq��p�� �F2g�1q ,�� — ensure
that gcd�q, SJacH�Fq�S� � 1
L Multiplicative Reduction (MOV): pairings can be used tomap the DLP in JacH�Fq� into �F�
qk,�� where qk
� 1 �mod r�for a prime r dividing SJacH�Fq�S — ensure that k is large
(For pairing-based crypto, however, we want k small — seeTuesday’s and Wednesday’s talks)
L Weil Descent: If n � kd is composite, one may haveJacH�Fpkd �0 JacC�Fpd � where C has higher genus — usen � 1 or n prime
Other Attacks & Parameter Choices
K � Fq with q � pn
L Pohlig-Hellman — ensure that SJacH�Fq�S has a large primefactor
L Additive Reduction: if p divides SJacH�Fq�S, then there is an
explicit homomorphism JacH�Fq��p�� �F2g�1q ,�� — ensure
that gcd�q, SJacH�Fq�S� � 1
L Multiplicative Reduction (MOV): pairings can be used tomap the DLP in JacH�Fq� into �F�
qk,�� where qk
� 1 �mod r�for a prime r dividing SJacH�Fq�S — ensure that k is large
(For pairing-based crypto, however, we want k small — seeTuesday’s and Wednesday’s talks)
L Weil Descent: If n � kd is composite, one may haveJacH�Fpkd �0 JacC�Fpd � where C has higher genus — usen � 1 or n prime
Other Attacks & Parameter Choices
K � Fq with q � pn
L Pohlig-Hellman — ensure that SJacH�Fq�S has a large primefactor
L Additive Reduction: if p divides SJacH�Fq�S, then there is an
explicit homomorphism JacH�Fq��p�� �F2g�1q ,�� — ensure
that gcd�q, SJacH�Fq�S� � 1
L Multiplicative Reduction (MOV): pairings can be used tomap the DLP in JacH�Fq� into �F�
qk,�� where qk
� 1 �mod r�for a prime r dividing SJacH�Fq�S — ensure that k is large
(For pairing-based crypto, however, we want k small — seeTuesday’s and Wednesday’s talks)
L Weil Descent: If n � kd is composite, one may haveJacH�Fpkd �0 JacC�Fpd � where C has higher genus — usen � 1 or n prime
Other Attacks & Parameter Choices
K � Fq with q � pn
L Pohlig-Hellman — ensure that SJacH�Fq�S has a large primefactor
L Additive Reduction: if p divides SJacH�Fq�S, then there is an
explicit homomorphism JacH�Fq��p�� �F2g�1q ,�� — ensure
that gcd�q, SJacH�Fq�S� � 1
L Multiplicative Reduction (MOV): pairings can be used tomap the DLP in JacH�Fq� into �F�
qk,�� where qk
� 1 �mod r�for a prime r dividing SJacH�Fq�S — ensure that k is large
(For pairing-based crypto, however, we want k small — seeTuesday’s and Wednesday’s talks)
L Weil Descent: If n � kd is composite, one may haveJacH�Fpkd �0 JacC�Fpd � where C has higher genus — usen � 1 or n prime
Some Other Models
L Hessians: x3 � y 3 � 3dxy � 1
L Edwards models: x2 � y 2� c2�1 � dx2y 2� (q odd) and
variations
x3 � y 3� 1
-4
-3
-2
-1
0
1
2
3
4
-4 -3 -2 -1 0 1 2 3 4
x2�y 2� 10�1�x2y 2�
-4
-3
-2
-1
0
1
2
3
4
-4 -3 -2 -1 0 1 2 3 4
Even Degree Models
H � y 2 � h�x�y � f �x�L h�x�, f �x� > K �x�L deg�h� � g � 1 if char�K� � 2; h�x� � 0 if char�K� x 2
L deg�f � � 2g � 2 is even
L sgn�f � � s2 � s with s > K if char�K� � 2; f �x� is monic ifchar�K� x 2
L non-singularity
char�K� x 2: y 2� f �x�, f �x� monic, of even degree, square-free
Elliptic quartic, char�K� x 2,3:
y 2� x4 � ax2 � bx � c �a,b, c > K�
(b � 0: Jacobi Quartic)
Even Degree Models
H � y 2 � h�x�y � f �x�L h�x�, f �x� > K �x�L deg�h� � g � 1 if char�K� � 2; h�x� � 0 if char�K� x 2
L deg�f � � 2g � 2 is even
L sgn�f � � s2 � s with s > K if char�K� � 2; f �x� is monic ifchar�K� x 2
L non-singularity
char�K� x 2: y 2� f �x�, f �x� monic, of even degree, square-free
Elliptic quartic, char�K� x 2,3:
y 2� x4 � ax2 � bx � c �a,b, c > K�
(b � 0: Jacobi Quartic)
Even Degree Models
H � y 2 � h�x�y � f �x�L h�x�, f �x� > K �x�L deg�h� � g � 1 if char�K� � 2; h�x� � 0 if char�K� x 2
L deg�f � � 2g � 2 is even
L sgn�f � � s2 � s with s > K if char�K� � 2; f �x� is monic ifchar�K� x 2
L non-singularity
char�K� x 2: y 2� f �x�, f �x� monic, of even degree, square-free
Elliptic quartic, char�K� x 2,3:
y 2� x4 � ax2 � bx � c �a,b, c > K�
(b � 0: Jacobi Quartic)
Examples
E � y 2� x4 � 6x2 � x � 6
g � 1
-6
-4
-2
0
2
4
6
-3 -2 -1 0 1 2 3
H � y 2� x6�13x4�44x2�4x�1
g � 2
-10
-5
0
5
10
-4 -3 -2 -1 0 1 2 3 4
Conclusion
L Genus 1 and genus 2 curves over Fq represent a very goodsetting for DLP based cryptography
L Use q prime or q � 2n
L Good parameter choices are known and easy
L Cryptographically suitable curves can be constructed inpractice
� � � Thank You! � � �
Conclusion
L Genus 1 and genus 2 curves over Fq represent a very goodsetting for DLP based cryptography
L Use q prime or q � 2n
L Good parameter choices are known and easy
L Cryptographically suitable curves can be constructed inpractice
� � � Thank You! � � �
Conclusion
L Genus 1 and genus 2 curves over Fq represent a very goodsetting for DLP based cryptography
L Use q prime or q � 2n
L Good parameter choices are known and easy
L Cryptographically suitable curves can be constructed inpractice
� � � Thank You! � � �
Conclusion
L Genus 1 and genus 2 curves over Fq represent a very goodsetting for DLP based cryptography
L Use q prime or q � 2n
L Good parameter choices are known and easy
L Cryptographically suitable curves can be constructed inpractice
� � � Thank You! � � �
Conclusion
L Genus 1 and genus 2 curves over Fq represent a very goodsetting for DLP based cryptography
L Use q prime or q � 2n
L Good parameter choices are known and easy
L Cryptographically suitable curves can be constructed inpractice
� � � Thank You! � � �