Nicolas Thériault

Effects of Optimizations for Software Implementations of Small Binary Field Arithmetic

We describe an implementation of binary field arithmetic written in the C programming language. Even though the implementation targets 32-bit CPUs, the results can be applied also to CPUs with different granularity. We begin with separate routines for each operand size in wordsto minimize performance penalties that have a bigger relative impact for shorter operands --- such as those used to implement modern curve based cryptography. We then proceed to use techniques specific to operand size in bitsfor several field sizes. This results in an implementation of field arithmetic where the curve representing field multiplication performance closely resembles the theoretical quadratic bit-complexity that can be expected for small inputs. This has important practical consequences: For instance, it will allow us to compare the performance of the arithmetic on curves of different genera and defined over fields of different sizes without worrying about penalties introduced by field arithmetic and concentrating on the curve arithmetic itself. Moreover, the cost of field inversion is very low, making the use of affine coordinates in curve arithmetic more interesting. These applications will be mentioned.

Faster Halvings in Genus 2

We study divisor class halving for hyperelliptic curves of genus 2 over binary fields. We present explicit halving formulas for the most interesting curves (from a cryptographic perspective), as well as all other curves whose group order is not divisible by 4. Each type of curve is characterized by the degree and factorization form of the polynomial h(x) in the curve equation. For each of these curves, we provide explicit halving formulae for all possible divisor classes, and not only the most frequent case where the degree of the first polynomial in the Mumford representation is 2. In the optimal performance case, where h(x) = x, we also improve on the state-of-the-art and when h(x) is irreducible of degree 2, we achieve significant savings over both the doubling as well as the previously fastest halving formulas.

Trisection for non-supersingular genus 2 curves in characteristic 2

We study division by 3 in Jacobians of genus 2 curves over binary fields with a 2-torsion subgroup of rank 1 or 2. We characterize the 3-torsion divisors and provide, for every , a formula for the coordinates of the divisors in the set .

Bisection and squares in genus 2

We show how to compute the pre-images of multiplication-by-2 in Jacobians of genus 2 curves C : y 2 = f ( x ) over F q with q odd. We characterize D = u ( x ) , v ( x ) ? 2 Jac ( C ) ( F q ) in terms of the quadratic character of u ( x ) at the roots of f ( x ) in imaginary models, and in terms of the quadratic character of the quotients of u ( x ) at pairs of roots of f ( x ) in real models. Our method reduces the problem to the computation of at most 5 square roots over the splitting field of f ( x ) plus the solution of a system of linear equations.

Group arithmetic in C3,5 curves

Abstract In this paper we present a fast addition algorithm in the Jacobian of a C 3 , 5 curve over a finite field F q . We give formulae for D 1 ⊕ D 2 = − ( D 1 + D 2 ) which require 2 I + 264 M + 10 S when D 1 ≠ D 2 and 2 I + 297 M + 13 S when D 1 = D 2 ; and for the computation of −D which require 2 I + 41 M + 3 S . The ⊕ operation is sufficient to compute scalar multiplications after performing a single (initial) −D. Computing the scalar multiplication [ k ] D , based on the previous fact combined with our algorithm for computing D 1 ⊕ D 2 , is to date the fastest one performing this operation for C 3 , 5 curves. These formulae can be easily combined to compute the full group addition and doubling in 3 I + 308 M + 13 S and 3 I + 341 M + 16 S respectively, which compares favorably with previously presented formulae.