David R. Kohel

Efficient scalar multiplication by isogeny decompositions

On an elliptic curve, the degree of an isogeny corresponds essentially to the degrees of the polynomial expressions involved in its application. The multiplication–by–l map [l] has degree l2, therefore the complexity to directly evaluate [l](p) is O(l2). For a small prime l (= 2, 3) such that the additive binary representation provides no better performance, this represents the true cost of application of scalar multiplication. If an elliptic curve admits an isogeny ϕ of degree l then the costs of computing ϕ(P) should in contrast be O(l) field operations. Since we then have a product expression [l]=

On Exponential Sums and Group Generators for Elliptic Curves over Finite Fields

\hat{\varphi}\varphi

The 2-adic CM method for genus 2 curves with application to cryptography

, the existence of an l-isogeny ϕ on an elliptic curve yields a theoretical improvement from O(l2) to O(l) field operations for the evaluation of [l](p) by naive application of the defining polynomials. In this work we investigate actual improvements for small l of this asymptotic complexity. For this purpose, we describe the general construction of families of curves with a suitable decomposition [l]=

Double-Base Number System for Multi-scalar Multiplications

\hat{\varphi}\varphi

Secret-sharing with a class of ternary codes

, and provide explicit examples of such a family of curves with simple decomposition for [3]. Finally we derive a new tripling algorithm to find complexity improvements to triplication on a curve in certain projective coordinate systems, then combine this new operation to non-adjacent forms for l-adic expansions in order to obtain an improved strategy for scalar multiplication on elliptic curves.

Split group codes

In the paper an upper bound is established for certain exponential sums, analogous to Gaussian sums, defined on the points of an elliptic curve over a prime finite field. The bound is applied to prove the existence of group generators for the set of points on an elliptic curve over \(\mathbb{F}_{q}\) among certain sets of bounded size. We apply this estimate to obtain a deterministic O(q 1/2 + e) algorithm for finding generators of the group in echelon form, and in particular to determine its group structure.

Counting points on genus 2 curves with real multiplication

The complex multiplication (CM) method for genus 2 is currently the most efficient way of generating genus 2 hyperelliptic curves defined over large prime fields and suitable for cryptography. Since low class number might be seen as a potential threat, it is of interest to push the method as far as possible. We have thus designed a new algorithm for the construction of CM invariants of genus 2 curves, using 2-adic lifting of an input curve over a small finite field. This provides a numerically stable alternative to the complex analytic method in the first phase of the CM method for genus 2. As an example we compute an irreducible factor of the Igusa class polynomial system for the quartic CM field ℚ (i√(75 + 12√(17))), whose class number is 50. We also introduce a new representation to describe the CM curves: a set of polynomials in (j1,j2,j3) which vanish on the precise set of triples which are the Igusa invariants of curves whose Jacobians have CM by a prescribed field. The new representation provides a speedup in the second phase, which uses Mestres algorithm to construct a genus 2 Jacobian of prime order over a large prime field for use in cryptography.

The AGM-X0(N) Heegner Point Lifting Algorithm and Elliptic Curve Point Counting

The Joint Sparse Form is currently the standard representation system to perform multi-scalar multiplications of the form [n ]P + m [Q ]. We introduce the concept of Joint Double-Base Chain, a generalization of the Double-Base Number System to represent simultaneously n and m . This concept is relevant because of the high redundancy of Double-Base systems, which ensures that we can find a chain of reasonable length that uses exactly the same terms to compute both n and m . Furthermore, we discuss an algorithm to produce such a Joint Double-Base Chain. Because of its simplicity, this algorithm is straightforward to implement, efficient, and also quite easy to analyze. Namely, in our main result we show that the average number of terms in the expansion is less than 0.3945log2 n . With respect to the Joint Sparse Form, this induces a reduction by more than 20% of the number of additions. As a consequence, the total number of multiplications required for a scalar multiplications is minimal for our method, across all the methods using two precomputations, P + Q and P *** Q . This is the case even with coordinate systems offering very cheap doublings, in contrast with recent results on scalar multiplications. Several variants are discussed, including methods using more precomputed points and a generalization relevant for Koblitz curves. Our second contribution is a new way to evaluate

Elementary 2-group character codes

\widehat\phi

On the quaternion l-isogeny path problem

, the dual endomorphism of the Frobenius. Namely, we propose formulae to compute