Koh-ichi Nagao

Improving Group Law Algorithms for Jacobians of Hyperelliptic Curves

In this paper, we propose three ideas to speed up the computation of the group operation in the Jacobian of a hyperelliptic curve:

Decomposition Attack for the Jacobian of a Hyperelliptic Curve over an Extension Field

We propose some kind of new attack which gives the solution of the discrete logarithm problem for the Jacobian of a curve defined over an extension field \(\mathbb{F}_{q^{n}}\), considering the set of the union of factor basis and large primes B 0 given by points of the curve whose x-coordinates lie in \(\mathbb{F}_q\). In this attack, an element of the divisor group which is written by a sum of some elements of factor basis and large primes is called (potentially) decomposed and the set of the factors that appear in the sum, is called decomposed factors. So, it will be called decomposition attack. In order to analyze the running of the decomposition attack, a test for the (potential) decomposedness and the computation of the decomposed factors are needed. Here, we show that the test to determine if an element of the Jacobian (i.e., reduced divisor) is written by an ng sum of the elements of the decomposed factors and the computation of decomposed factors are reduced to the problem of solving some multivariable polynomial system of equations by using the Riemann-Roch theorem. In particular, in the case of hyperelliptic curves of genus g, we construct a concrete system of equations, which satisfies these properties and consists of (n 2 − n)g quadratic equations. Moreover, in the case of (g,n) = (1,3),(2,2) and (3,2), we give examples of the concrete computation of the decomposed factors by using the computer algebra system Magma.

Index Calculus Attack for Jacobian of Hyperelliptic Curves of Small Genus Using Two Large Primes

This paper introduces a fast algorithm for solving the DLP of Jacobian of hyperelliptic curve of small genus. To solve the DLP, Gaudry first shows that the idea of index calculus is effective, if a subset of the points of the hyperelliptic curve of the base field is taken by the smooth elements of index calculus. In an index calculus theory, a special element (in our case it is the point of hyperelliptic curve), which is not a smooth element, is called a large prime. A divisor, written by the sum of several smooth elements and one large prime, is called an almost smooth divisor. By the use of the almost smooth divisor, Thériault improved this index calculus. In this paper, a divisor, written by the sum of several smooth elements and two large primes, is called a 2-almost smooth divisor. By use of the 2-almost smooth divisor, we are able to give more improvements. The algorithm of this attack consists of the following seven parts: 1) Preparing, 2) Collecting reduced divisors, 3) Making sufficiently large sets of almost smooth divisors, 4) Making sufficiently large sets of smooth divisors, 5) Solving the linear algebra, 6) Finding a relation of collected reduced divisors, and 7) Computing a discreet logarithm. Parts 3) and 4) need complicated eliminations of the large prime, which is the key idea presented within this paper. Before the tasks in these parts are completed, two sub-algorithms for the eliminations of the large prime have been prepared. To explain how this process works, we prove the probability that this algorithm does not work to be negligible, and we present the expected complexity and the expected storage of the attack.

A Weil Descent Attack against Elliptic Curve Cryptosystems over Quartic Extension Fields

This paper proposes a Weil descent attack against elliptic curve cryptosystems over quartic extension fields. The scenario of the attack is as follows: First, one reduces a DLP on a Weierstrass form over the quartic extention of a finite field k to a DLP on a special form, called Scholten form, over the same field. Second, one reduces the DLP on the Scholten form to a DLP on a genus two hyperelliptic curve over the quadratic extension of k. Then, one reduces the DLP on the hyperelliptic curve to one on a Cab model over k. Finally, one obtains the discrete-log of original DLP by applying the Gaudry method to the DLP on the Cab model. In order to carry out the scenario, this paper shows that many of elliptic curve discrete-log problems over quartic extension fields of odd characteristics are reduced to genus two hyperelliptic curve discrete-log problems over quadratic extension fields, and that almost all of the genus two hyperelliptic curve discrete-log problems over quadratic extension fields of odd characteristics come under Weil descent attack. This means that many of elliptic curve cryptosystems over quartic extension fields of odd characteristics can be attacked uniformly.