A Complete Divisor Class Halving Algorithm for Hyperelliptic Curve Cryptosystems of Genus Two
We deal with a divisor class halving algorithm on hyperelliptic curve cryptosystems (HECC), which can be used for scalar multiplication, instead of a doubling algorithm. It is not obvious how to construct a halving algorithm, due to the complicated addition formula of hyperelliptic curves. In this paper, we propose the first halving algorithm used for HECC of genus 2, which is as efficient as the previously known doubling algorithm. From the explicit formula of the doubling algorithm, we can generate some equations whose common solutions contain the halved value. From these equations we derive four specific equations and show an algorithm that selects the proper halved value using two trace computations in the worst case. If a base point is fixed, we can reduce these extra field operations by using a pre-computed table which shows the correct halving divisor class — the improvement over the previously known fastest doubling algorithm is up to about 10%. This halving algorithm is applicable to DSA and DH based on HECC. Finally, we present the divisor class halving algorithms for not only the most frequent case but also other exceptional cases.
KeywordsElliptic Curf Scalar Multiplication General Curve Hyperelliptic Curve Divisor Class
Unable to display preview. Download preview PDF.
- [FHL+03]Fong, K., Hankerson, D., López, J., Menezes, A.: Field inversion and point halving revised, Technical Report CORR2003-18, http://www.cacr.math.uwaterloo.ca/techreports/2003/corr2003-18.pdf
- [Har00a]Harley, R.: Adding.txt (2000), http://cristal.inria.fr/~harley/hyper/
- [Har00b]Harley, R.: Doubling.c (2000), http://cristal.inria.fr/~harley/hyper/
- [KKT05]Kitamura, I., Katagi, M., Takagi, T.: A Complete Divisor Class Halving Algorithm for Hyperelliptic Curve Cryptosystems of Genus Two, Cryptology ePrint Archive, 2004/255, IACR, (2004)Google Scholar
- [Lan02a]Lange, T.: Efficient Arithmetic on Genus 2 Hyperelliptic Curves over Finite Fields via Explicit Formulae, Cryptology ePrint Archive, 2002/121, IACR (2002)Google Scholar
- [Lan02b]Lange, T.: Inversion-Free Arithmetic on Genus 2 Hyperelliptic Curves, Cryptology ePrint Archive, 2002/147, IACR (2002)Google Scholar
- [Lan02c]Lange, T.: Weighted Coordinates on Genus 2 Hyperelliptic Curves, Cryptology ePrint Archive, 2002/153, IACR (2002)Google Scholar
- [Mum84]Mumford, D.: Tata Lectures on Theta II, Progress in Mathematics, vol. 43. Birkhäuser, Basel (1984)Google Scholar
- [MCT01]Matsuo, K., Chao, J., Tsuji, S.: Fast Genus Two Hyperelliptic Curve Cryptosystems. Technical Report ISEC2001-31, IEICE Japan, pp.89–96 (2001)Google Scholar
- [PWP03]Pelzl, J., Wollinger, T., Paar, C.: High Performance Arithmetic for Hyperelliptic Curve Cryptosystems of Genus Two, Cryptology ePrint Archive, 2003/212, IACR (2003)Google Scholar
- [Sch00]Schroeppel, R.: Elliptic curve point halving wins big. In: 2nd Midwest Arithmetic Geometry in Cryptography Workshop, Urbana, Illinois (November 2000)Google Scholar
- [SMC+02]Sugizaki, T., Matsuo, K., Chao, J., Tsujii, S.: An Extension of Harley Addition Algorithm for Hyperelliptic Curves over Finite Fields of Characteristic Two, Technical Report ISEC2002-9, IEICE Japan, pp.49–56 (2002)Google Scholar