Kazuto Matsuo
Chuo University
Publication
Featured research published by Kazuto Matsuo.
algorithmic number theory symposium | 2002
Kazuto Matsuo; Jinhui Chao; Shigeo Tsujii
Counting the number of points of Jacobian varieties of hyperelliptic curves over finite fields is necessary for construction of hyperelliptic curve cryptosystems. Recently Gaudry and Harley proposed a practical algorithm for point counting of hyperelliptic curves. Their algorithm consists of two parts: firstly to compute the residue modulo an integer m of the order of a given Jacobian variety, and then search for the order by a square-root algorithm. In particular, the parallelized Pollard's lambda-method was used as the square-root algorithm, which took 50 CPU days to compute an order of 127 bits. This paper shows a new variation of the baby step giant step algorithm to improve the square-root algorithm part in the Gaudry-Harley algorithm. With knowledge of the residue modulo m of the characteristic polynomial of the Frobenius endomorphism of a Jacobian variety, the proposed algorithm provides a speed up by a factor m, instead of √m in square-root algorithms. Moreover, implementation results of the proposed algorithm are presented, including a 135-bit prime order computed in 16 hours on Alpha 21264/667MHz.
international conference on pairing based cryptography | 2007
Shunji Kozaki; Taketeru Kutsuma; Kazuto Matsuo
In EUROCRYPT 2006, Cheon proposed breakthrough algorithms for pairing-related problems such as the q-weak/strong Diffie-Hellman problem. Using that the exponents of an element in an abelian group G of prime order p form the ring Z/pZ structure even if G is a generic group, Cheon's algorithms reduce their complexity by a Pohlig-Hellman-like method over (Z/pZ)* or its extension. The algorithms are more efficient than solving the relative discrete logarithm problems in certain cases. This paper shows that Cheon's algorithms are faster than the result obtained by the complexity analysis in Cheon's paper, i.e. the algorithms can be done within O(√(p/d) + √d) group operations, where d is a positive divisor of p - 1 with d ≤ q or a positive divisor of p + 1 with 2d < q, instead of O(log p (√(p/d) + √d)) group operations shown by Cheon. This paper also shows an improvement of one of the algorithms for the q-weak Diffie-Hellman problem. The improvement can be done within O(e√(p/d)) group operations, where e = min(2/(1 - log_p d), log p). Moreover, this paper discusses how to choose the group order so that the algorithms are inefficient and also shows a condition for the group order and the probability that an order satisfies the condition.
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences | 2008
Shunji Kozaki; Kazuto Matsuo; Yasutomo Shimbara
Scalar multiplication methods using the Frobenius maps are known as efficient methods to speed up (hyper)elliptic curve cryptosystems. However, those methods are not efficient for the cryptosystems constructed on fields of small extension degrees due to costs of the field operations. Iijima et al. showed that one can use certain automorphisms on the quadratic twists of elliptic curves for fast scalar multiplications without the drawback of the Frobenius maps. This paper shows an extension of the automorphisms on the Jacobians of hyperelliptic curves of arbitrary genus.
international conference on the theory and application of cryptology and information security | 2000
Jinhui Chao; Kazuto Matsuo; Hiroto Kawashiro; Shigeo Tsujii
Construction of secure hyperelliptic curves is one of the most important yet most difficult problems in the design of cryptosystems based on the discrete logarithm problems on hyperelliptic curves. Presently the only accessible approach is to use CM curves. However, finding models of the CM curves is nontrivial. The popular approach uses theta functions to derive a projective embedding of the Jacobian varieties, which needs to calculate the theta functions to very high precision. As we show in this paper, it costs computation time of an exponential function in the discriminant of the CM field. This paper presents new algorithms to find explicit models of hyperelliptic curves with CM. Algorithms for CM test of Jacobian varieties of algebraic curves and to lift from small finite fields both the models and the invariants of CM curves are presented. We also show that the proposed algorithm for invariants lifting has complexity of a polynomial time in the discriminant of the CM field.
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences | 2006
Seigo Arita; Kazuto Matsuo; Koh-ichi Nagao; Mahoro Shimura
This paper proposes a Weil descent attack against elliptic curve cryptosystems over quartic extension fields. The scenario of the attack is as follows: First, one reduces a DLP on a Weierstrass form over the quartic extension of a finite field k to a DLP on a special form, called Scholten form, over the same field. Second, one reduces the DLP on the Scholten form to a DLP on a genus two hyperelliptic curve over the quadratic extension of k. Then, one reduces the DLP on the hyperelliptic curve to one on a C_ab model over k. Finally, one obtains the discrete-log of the original DLP by applying the Gaudry method to the DLP on the C_ab model. In order to carry out the scenario, this paper shows that many elliptic curve discrete-log problems over quartic extension fields of odd characteristics are reduced to genus two hyperelliptic curve discrete-log problems over quadratic extension fields, and that almost all of the genus two hyperelliptic curve discrete-log problems over quadratic extension fields of odd characteristics come under Weil descent attack. This means that many elliptic curve cryptosystems over quartic extension fields of odd characteristics can be attacked uniformly.
information security | 2000
Jinhui Chao; Kazuto Matsuo; Shigeo Tsujii
Jacobian varieties of hyperelliptic curves have been recently used in cryptosystems. However, the lack of efficient point-counting algorithms for such varieties over finite fields makes the design of secure cryptosystems very difficult. This paper presents efficient algorithms to calculate the CM type and ideal factorization of Frobenius endomorphisms of Jacobian varieties over finite fields F_p in polynomial time of log p. Then we show how to construct secure hyperelliptic curves of small genera over large prime fields F_p in polynomial time of log p.
india software engineering conference | 2002
Junichi Kuroki; Masaki Gonda; Kazuto Matsuo; Jinhui Chao; Shigeo Tsujii
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences | 2005
Masaki Gonda; Kazuto Matsuo; Kazumaro Aoki; Jinhui Chao; Shigeo Tsujii
Archive | 2002
Tsutomu Iijima; Kazuto Matsuo; Jinhui Chao; Shigeo Tsujii
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences | 2003
Kazuto Matsuo