Algebraic curves and cryptography

Steven Galbraith, Alfred Menezes
2005, Finite Fields and Their Applications (Elsevier BV)
Algebraic curves over finite fields are being extensively used in the design of public-key cryptographic schemes. This paper surveys some topics in algebraic curve cryptography, with an emphasis on recent developments in algorithms for the elliptic and hyperelliptic curve discrete logarithm problems, and computational problems in pairing-based cryptography.

... problems. In particular, we describe some families of curves whose DLP is easier than the general case. Protocols using bilinear pairings ... and some related computational problems are covered in §5. Finally, §6 discusses some avenues for future research.

Curves and groups

Recall that a cyclic group G is suitable for implementing DL protocols if (i) group elements can be compactly represented; (ii) the group operation can be performed efficiently; and (iii) the discrete logarithm problem (and Diffie-Hellman problem) in G is intractable. We first consider groups arising from algebraic curves that satisfy conditions (i) and (ii), and then discuss condition (iii).

Throughout the paper we denote by C a projective, non-singular algebraic curve over a finite field (see [112] for definitions). Often C is written as an affine curve, but we always work with the associated projective, non-singular curve. Let $K = \mathbb{F}_q$ denote the finite field of order q, and let C be defined over K. The (degree zero) divisor class group $\operatorname{Pic}^0_K(C)$ of C over K, also known as the Picard group of C, is the quotient group of degree zero divisors (defined over K) modulo the principal divisors (defined over K). Since $\operatorname{Pic}^0_K(C)$ is a finite abelian group, cyclic subgroups of it are candidates for implementing DL protocols.

The algorithms known for performing the group addition in $\operatorname{Pic}^0_K(C)$ for general curves C (e.g., see [64, 123, 61]) are too inefficient for cryptographic applications, although they can be used for the index-calculus algorithms on general curves which we will sometimes require when discussing Weil descent attacks (cf. §4.4). Instead, one looks for special classes of curves which admit faster group addition.

Suppose now that $C_a$ is a non-singular affine curve over K and that C is the smooth projective curve associated with $C_a$. Suppose that C has exactly one point at infinity (i.e., there is exactly one point on C which does not lie on $C_a$), and suppose that this point is defined over K. We denote this point by ∞.
Then $\operatorname{Pic}^0_K(C)$ is isomorphic to the ideal class group of the affine coordinate ring of $C_a$ over K. Working with the ideal class group is more convenient as it enables a compact representation for elements of $\operatorname{Pic}^0_K(C)$ and fast algorithms for group addition. Families of such curves for which the group addition is fast enough for cryptographic applications include hyperelliptic curves [25], superelliptic curves [51], $C_{ab}$ curves [5], and Picard curves [10, 39].¹ In the remainder of this paper, we restrict our attention to hyperelliptic curves.

A hyperelliptic curve C of genus $g \geq 1$ over K can be defined by a non-singular equation of the form where $f, h \in K[x]$, f is monic, $\deg f = 2g + 1$, and $\deg h \leq g$. A representation of a hyperelliptic curve in this form is sometimes called 'imaginary' since the function field has a single ramified point at infinity, just like imaginary quadratic number fields. If

¹ The restriction to curves with a single point at infinity is not essential and there have been several papers such as [94, 117] that give efficient implementation results in the more general case.
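The compact representation and fast group addition described above, as an added example that is not code from the paper: divisor classes of an imaginary hyperelliptic curve in Mumford form (u, v), added with Cantor's algorithm. It assumes the case h = 0, i.e. y^2 = f(x), and a constructed genus-2 curve over the toy field F_31; all names and parameters are illustrative and far too small for cryptographic use.

```python
P, G = 31, 2                  # toy parameters (constructed): field F_31, genus 2
F = [0, 24, 12, 4, 21, 1]     # f = x(x-1)(x-2)(x-3)(x-4) mod 31, low degree first
ZERO = ([1], [])              # identity class in Mumford form: u = 1, v = 0

def trim(a):                  # reduce coefficients mod P, drop leading zeros
    a = [c % P for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a

def lin(a, b, k=1):           # a + k*b in F_p[x]
    n = max(len(a), len(b))
    return trim([x + k * y for x, y in zip(a + [0] * (n - len(a)), b + [0] * (n - len(b)))])

def mul(a, b):                # polynomial product by direct convolution
    return trim([sum(a[i] * b[k - i] for i in range(len(a)) if 0 <= k - i < len(b))
                 for k in range(len(a) + len(b) - 1)])

def divmod_(a, b):            # quotient and remainder in F_p[x]; b must be non-zero
    q, r, inv = [], trim(a), pow(b[-1], -1, P)
    while len(r) >= len(b):
        t = [0] * (len(r) - len(b)) + [r[-1] * inv]
        q, r = lin(q, t), lin(r, mul(t, b), -1)
    return q, r

def xgcd(a, b):               # a gcd d (up to a unit) with d = s*a + t*b
    r0, s0, t0, r1, s1, t1 = a, [1], [], b, [], [1]
    while r1:
        q, r = divmod_(r0, r1)
        r0, s0, t0, r1, s1, t1 = r1, s1, t1, r, lin(s0, mul(q, s1), -1), lin(t0, mul(q, t1), -1)
    return r0, s0, t0

def cantor_add(D1, D2):
    (u1, v1), (u2, v2) = D1, D2
    d1, e1, e2 = xgcd(u1, u2)
    d, c1, c2 = xgcd(d1, lin(v1, v2))        # d = c1*e1*u1 + c1*e2*u2 + c2*(v1+v2)
    num = lin(mul(c1, lin(mul(mul(e1, u1), v2), mul(mul(e2, u2), v1))),
              mul(c2, lin(mul(v1, v2), F)))
    u = divmod_(mul(u1, u2), mul(d, d))[0]   # composition step
    v = divmod_(divmod_(num, d)[0], u)[1]
    while len(u) - 1 > G:                    # reduction step: back to deg u <= g
        u = divmod_(lin(F, mul(v, v), -1), u)[0]
        v = divmod_(lin([], v, -1), u)[1]
    return lin([], u, pow(u[-1], -1, P)), v  # normalise u to be monic

def is_reduced(u, v):         # u monic, deg v < deg u <= g, and u divides f - v^2
    return u[-1] == 1 and len(v) < len(u) <= G + 1 and not divmod_(lin(F, mul(v, v), -1), u)[1]

def point_divisor(x0, y0):    # class of (x0, y0) - (infinity): u = x - x0, v = y0
    return [-x0 % P, 1], trim([y0])
```

Every class is stored as at most 2g field elements (the coefficients of u and v), which is the compact representation the text refers to; `cantor_add(point_divisor(6, 10), point_divisor(7, 3))` returns `([11, 18, 1], [21, 24])`.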
doi:10.1016/j.ffa.2005.05.001 (https://doi.org/10.1016/j.ffa.2005.05.001), fatcat:o3oxj44uyfa33p3krkkhr2rrva