elliptic and hyperelliptic curve cryptography · elliptic and hyperelliptic curve cryptography...

Elliptic and Hyperelliptic CurveCryptography

Renate Scheidler

Research supported in part by NSERC of Canada

Comprehensive Source

Handbook of Elliptic and Hyperelliptic Curve Cryptography

Overview

L Motivation

L Elliptic Curve Arithmetic

L Hyperelliptic Curve Arithmetic

L Point Counting

L Discrete Logarithm Algorithms

L Other Models

Motivation — Why (Hyper-)Elliptic Cryptography?

Requirements on groups for discrete log based cryptography

L Large group order (plus other restrictions)

L Compact representation of group elements

L Fast group operation

L Hard Diffie-Hellman/discrete logarithm problem

Elliptic and low genus hyperelliptic curves do well on all of these!

Motivation — Why (Hyper-)Elliptic Cryptography?

Requirements on groups for discrete log based cryptography

L Large group order (plus other restrictions)

L Compact representation of group elements

L Fast group operation

L Hard Diffie-Hellman/discrete logarithm problem

Elliptic and low genus hyperelliptic curves do well on all of these!

Elliptic Curves

Let K be a field (in crypto, K � Fq with q prime or q � 2n)

Weierstraß equation over K :

E � y 2 � a1xy � a3y � x3 � a2x2 � a4x � a6 ���with a1, a2, a3, a4, a6 > K

Elliptic curve: Weierstraß equation & non-singularity condition:there are no simultaneous solutions to ��� and

2y � a1x � a3 � 0

a1y � 3x2 � 2a2x � a4

Non-singularity � ∆ x 0 where ∆ is the discriminant of E

Elliptic Curves

Let K be a field (in crypto, K � Fq with q prime or q � 2n)

Weierstraß equation over K :

E � y 2 � a1xy � a3y � x3 � a2x2 � a4x � a6 ���with a1, a2, a3, a4, a6 > K

Elliptic curve: Weierstraß equation & non-singularity condition:there are no simultaneous solutions to ��� and

2y � a1x � a3 � 0

a1y � 3x2 � 2a2x � a4

Non-singularity � ∆ x 0 where ∆ is the discriminant of E

Elliptic Curves

Let K be a field (in crypto, K � Fq with q prime or q � 2n)

Weierstraß equation over K :

E � y 2 � a1xy � a3y � x3 � a2x2 � a4x � a6 ���with a1, a2, a3, a4, a6 > K

Elliptic curve: Weierstraß equation & non-singularity condition:there are no simultaneous solutions to ��� and

2y � a1x � a3 � 0

a1y � 3x2 � 2a2x � a4

Non-singularity � ∆ x 0 where ∆ is the discriminant of E

Elliptic Curves

Let K be a field (in crypto, K � Fq with q prime or q � 2n)

Weierstraß equation over K :

E � y 2 � a1xy � a3y � x3 � a2x2 � a4x � a6 ���with a1, a2, a3, a4, a6 > K

Elliptic curve: Weierstraß equation & non-singularity condition:there are no simultaneous solutions to ��� and

2y � a1x � a3 � 0

a1y � 3x2 � 2a2x � a4

Non-singularity � ∆ x 0 where ∆ is the discriminant of E

Non-Examples

Two Weierstraß equations with a singularity at �0,0�y 2

� x3

-1

-0.5

0

0.5

1

0 0.2 0.4 0.6 0.8 1

y 2� x2�x � 1�

-1

-0.5

0

0.5

1

-1 -0.5 0 0.5 1

An Example

E � y 2� x3 � 5x over Q

-10

-5

0

5

10

-3 -2 -1 0 1 2 3 4 5 6

Elliptic Curves, char�K� x 2, 3

The variable transformations

y � y � �a1x � a3�~2, then x � x � �a21 � 4a2�~12 �

yield an elliptic curve in short Weierstraß form:

E � y 2� x3 � Ax � B �A,B > K�

Discriminant ∆ � 4A3 � 27B2x 0 �cubic in x has distinct roots)

For any field L with K b L b K :

E�L� � ��x0, y0� > L � L S y 20 � x3

0 � Ax0 � B� 8 �ª�set of L-rational points on E

Elliptic Curves, char�K� x 2, 3

The variable transformations

y � y � �a1x � a3�~2, then x � x � �a21 � 4a2�~12 �

yield an elliptic curve in short Weierstraß form:

E � y 2� x3 � Ax � B �A,B > K�

Discriminant ∆ � 4A3 � 27B2x 0 �cubic in x has distinct roots)

For any field L with K b L b K :

E�L� � ��x0, y0� > L � L S y 20 � x3

0 � Ax0 � B� 8 �ª�set of L-rational points on E

An Example

E�Q� � ��x0, y0� > Q �Q S y 20 � x3

0 � 5x0� 8 �ª�P1 � ��1,2�, P2 � �0,0� > E�Q�

-10

-5

0

5

10

-3 -2 -1 0 1 2 3 4 5 6

The Mysterious Point at Infinity

In E , replace x by x~z , y by y~z , then multiply by z3:

Eproj � y 2z � x3 � Axz2 � Bz3

Points on Eproj:

�x � y � z� x �0 � 0 � 0� normalized so the last non-zero entry is 1

Affine Points Projective Points

�x , y� � �x � y � 1�ª � �0 � 1 � 0�

The Mysterious Point at Infinity

In E , replace x by x~z , y by y~z , then multiply by z3:

Eproj � y 2z � x3 � Axz2 � Bz3

Points on Eproj:

�x � y � z� x �0 � 0 � 0� normalized so the last non-zero entry is 1

Affine Points Projective Points

�x , y� � �x � y � 1�ª � �0 � 1 � 0�

The Mysterious Point at Infinity

In E , replace x by x~z , y by y~z , then multiply by z3:

Eproj � y 2z � x3 � Axz2 � Bz3

Points on Eproj:

�x � y � z� x �0 � 0 � 0� normalized so the last non-zero entry is 1

Affine Points Projective Points

�x , y� � �x � y � 1�ª � �0 � 1 � 0�

Arithmetic on E

Goal: Make E�L� into an additive (Abelian) group

The identity is the point at infinity

By Bezout’s Theorem, any line intersects E in three points

L Need to count multiplicities

L If one of the points is ª, the line is “vertical”

Motto: “Any three collinear points on E sum to zero”

AKA Chord & Tangent Addition Law

Arithmetic on E

Goal: Make E�L� into an additive (Abelian) group

The identity is the point at infinity

By Bezout’s Theorem, any line intersects E in three points

L Need to count multiplicities

L If one of the points is ª, the line is “vertical”

Motto: “Any three collinear points on E sum to zero”

AKA Chord & Tangent Addition Law

Arithmetic on E

Goal: Make E�L� into an additive (Abelian) group

The identity is the point at infinity

By Bezout’s Theorem, any line intersects E in three points

L Need to count multiplicities

L If one of the points is ª, the line is “vertical”

Motto: “Any three collinear points on E sum to zero”

AKA Chord & Tangent Addition Law

Arithmetic on E — Inverses

E � y 2� x3 � 5x over Q, P � ��1,�2�

-10

-5

0

5

10

-3 -2 -1 0 1 2 3 4 5 6

The line through P and ª is x � �1

Arithmetic on E — Inverses

E � y 2� x3 � 5x over Q, P � ��1,�2�

-10

-5

0

5

10

-3 -2 -1 0 1 2 3 4 5 6

It intersects E in the third point R � ��1,2� � �P

Arithmetic on E — Addition

E � y 2� x3 � 5x over Q, P1 � ��1,�2�, P2 � �0,0�

-10

-5

0

5

10

-3 -2 -1 0 1 2 3 4 5 6

The line through P1 and P2 is y � 2x

Arithmetic on E — Addition

E � y 2� x3 � 5x over Q, P1 � ��1,�2�, P2 � �0,0�

-10

-5

0

5

10

-3 -2 -1 0 1 2 3 4 5 6

It intersects E in the third point G � �5,10�

Arithmetic on E — Addition

E � y 2� x3 � 5x over Q, P1 � ��1,�2�, P2 � �0,0�

-10

-5

0

5

10

-3 -2 -1 0 1 2 3 4 5 6

The sum R is the inverse of G , i.e. R � �G � �5,�10� � P � Q

Arithmetic on E — Doubling

E � y 2� x3 � 5x over Q, P � ��1,�2�

-10

-5

0

5

10

-3 -2 -1 0 1 2 3 4 5 6

The line tangent to E at P is y �1926 x � 33

26

Arithmetic on E — Doubling

E � y 2� x3 � 5x over Q, P � ��1,�2�

-10

-5

0

5

10

-3 -2 -1 0 1 2 3 4 5 6

It intersects E in the third point G � �94 ,

38�

Arithmetic on E — Doubling

E � y 2� x3 � 5x over Q, P � ��1,�2�

-10

-5

0

5

10

-3 -2 -1 0 1 2 3 4 5 6

The sum R is the inverse of G , i.e. R � �G � �94 ,�

38� � 2P

Arithmetic on Short Weierstraß Form — Summary

P1 � �x1, y1�, P2 � �x2, y2� (P1 x �P2; P1,P2 xª)

�P1 � ��x1, y1�

P1 � P2 � �λ2 � x1 � x2, �λ3 � λ�x1 � x2� � µ� where

λ �

¢̈̈̈̈¨̈¦̈̈̈¨̈̈¤

y2 � y1

x2 � x1if P1 x P2

3x21 � A

2y1if P1 � P2

µ �

¢̈̈̈̈¨̈¦̈̈̈¨̈̈¤

y1x2 � y2x1

x2 � x1if P1 x P2

�x31 � Ax1 � 2B

2y1if P1 � P2

Beyond Elliptic Curves

Recall Weierstraß equation:

E � y 2 � �a1x � a3´¹¹¹¹¹¹¹¹¹¹¹¸¹¹¹¹¹¹¹¹¹¹¹¶h�x�

�y � x3 � a2x2 � a4x � a6´¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¸¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¶f �x�

deg�f � � 3 � 2 � 1 � 1 odd

deg�h� � 1 for char�K� � 2; h � 0 for char�K� x 2

Generalization: deg�f � � 2g � 1, deg�h� B g

g is the genus of the curve

g � 1: elliptic curves

g � 2: deg�f � � 5, deg�h� B 2 — also good for crypto

Beyond Elliptic Curves

Recall Weierstraß equation:

E � y 2 � �a1x � a3´¹¹¹¹¹¹¹¹¹¹¹¸¹¹¹¹¹¹¹¹¹¹¹¶h�x�

�y � x3 � a2x2 � a4x � a6´¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¸¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¶f �x�

deg�f � � 3 � 2 � 1 � 1 odd

deg�h� � 1 for char�K� � 2; h � 0 for char�K� x 2

Generalization: deg�f � � 2g � 1, deg�h� B g

g is the genus of the curve

g � 1: elliptic curves

g � 2: deg�f � � 5, deg�h� B 2 — also good for crypto

Beyond Elliptic Curves

Recall Weierstraß equation:

E � y 2 � �a1x � a3´¹¹¹¹¹¹¹¹¹¹¹¸¹¹¹¹¹¹¹¹¹¹¹¶h�x�

�y � x3 � a2x2 � a4x � a6´¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¸¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¹¶f �x�

deg�f � � 3 � 2 � 1 � 1 odd

deg�h� � 1 for char�K� � 2; h � 0 for char�K� x 2

Generalization: deg�f � � 2g � 1, deg�h� B g

g is the genus of the curve

g � 1: elliptic curves

g � 2: deg�f � � 5, deg�h� B 2 — also good for crypto

Hyperelliptic Curves

Hyperelliptic curve of genus g over K :

H � y 2 � h�x�y � f �x�L h�x�, f �x� > K �x�L f �x� monic and deg�f � � 2g � 1 is odd

L deg�h� B g if char�K� � 2; h�x� � 0 if char�K� x 2

L non-singularity

char�K� x 2: y 2� f �x�, f �x� monic, of odd degree, square-free

Set of L-rational points on H (K b L b K ):

H�L� � ��x0, y0� > L � L S y 20 � h�x0�y � f �x0�� 8 �ª�

Hyperelliptic Curves

Hyperelliptic curve of genus g over K :

H � y 2 � h�x�y � f �x�L h�x�, f �x� > K �x�L f �x� monic and deg�f � � 2g � 1 is odd

L deg�h� B g if char�K� � 2; h�x� � 0 if char�K� x 2

L non-singularity

char�K� x 2: y 2� f �x�, f �x� monic, of odd degree, square-free

Set of L-rational points on H (K b L b K ):

H�L� � ��x0, y0� > L � L S y 20 � h�x0�y � f �x0�� 8 �ª�

Hyperelliptic Curves

Hyperelliptic curve of genus g over K :

H � y 2 � h�x�y � f �x�L h�x�, f �x� > K �x�L f �x� monic and deg�f � � 2g � 1 is odd

L deg�h� B g if char�K� � 2; h�x� � 0 if char�K� x 2

L non-singularity

char�K� x 2: y 2� f �x�, f �x� monic, of odd degree, square-free

Set of L-rational points on H (K b L b K ):

H�L� � ��x0, y0� > L � L S y 20 � h�x0�y � f �x0�� 8 �ª�

An Example

H � y 2� x5 � 5x3 � 4x � 1 over Q, genus g � 2

-10

-5

0

5

10

-3 -2 -1 0 1 2 3

An Example

��2,�1�, �2,�1�, �3,�11� > H�Q�

-10

-5

0

5

10

-3 -2 -1 0 1 2 3

Divisors

L Group of divisors on H:

DivH�K� � `H�K�e � �Qfinite

mPP S mP > Z, P > H�K�¡

L Subgroup of DivH�K� of degree zero divisors on H:

Div0H�K� � `�P� S P > H�K�e � �Q

finite

mP�P� S mP > Z, P > H�K�¡

where �P� � P �ª

L Subgroup of Div0H�K� of principal divisors on H:

PrinH�K� � �Qfinite

vP�α��P� S α > K�x , y�, P > H�K�¡

Divisors

L Group of divisors on H:

DivH�K� � `H�K�e � �Qfinite

mPP S mP > Z, P > H�K�¡

L Subgroup of DivH�K� of degree zero divisors on H:

Div0H�K� � `�P� S P > H�K�e � �Q

finite

mP�P� S mP > Z, P > H�K�¡

where �P� � P �ª

L Subgroup of Div0H�K� of principal divisors on H:

PrinH�K� � �Qfinite

vP�α��P� S α > K�x , y�, P > H�K�¡

Divisors

L Group of divisors on H:

DivH�K� � `H�K�e � �Qfinite

mPP S mP > Z, P > H�K�¡

L Subgroup of DivH�K� of degree zero divisors on H:

Div0H�K� � `�P� S P > H�K�e � �Q

finite

mP�P� S mP > Z, P > H�K�¡

where �P� � P �ª

L Subgroup of Div0H�K� of principal divisors on H:

PrinH�K� � �Qfinite

vP�α��P� S α > K�x , y�, P > H�K�¡

The Jacobian

Jacobian of H: JacH�K� � Div0H�K�~PrinH�K�

Motto: “Any complete collection of points on a function sums tozero”

H�K� 0 JacH�K� via P ( �P�For elliptic curves: E�K� � JacE�K� (� E�K� is a group)

Identity: �ª� �ª�ª

Inverses: The points

P � �x0, y0� and P � �x0,�y0 � h�x0��on H both lie on the function x � x0, so

��P� � �P�

The Jacobian

Jacobian of H: JacH�K� � Div0H�K�~PrinH�K�

Motto: “Any complete collection of points on a function sums tozero”

H�K� 0 JacH�K� via P ( �P�

For elliptic curves: E�K� � JacE�K� (� E�K� is a group)

Identity: �ª� �ª�ª

Inverses: The points

P � �x0, y0� and P � �x0,�y0 � h�x0��on H both lie on the function x � x0, so

��P� � �P�

The Jacobian

Jacobian of H: JacH�K� � Div0H�K�~PrinH�K�

Motto: “Any complete collection of points on a function sums tozero”

H�K� 0 JacH�K� via P ( �P�For elliptic curves: E�K� � JacE�K� (� E�K� is a group)

Identity: �ª� �ª�ª

Inverses: The points

P � �x0, y0� and P � �x0,�y0 � h�x0��on H both lie on the function x � x0, so

��P� � �P�

The Jacobian

Jacobian of H: JacH�K� � Div0H�K�~PrinH�K�

Motto: “Any complete collection of points on a function sums tozero”

H�K� 0 JacH�K� via P ( �P�For elliptic curves: E�K� � JacE�K� (� E�K� is a group)

Identity: �ª� �ª�ª

Inverses: The points

P � �x0, y0� and P � �x0,�y0 � h�x0��on H both lie on the function x � x0, so

��P� � �P�

The Jacobian

Jacobian of H: JacH�K� � Div0H�K�~PrinH�K�

Motto: “Any complete collection of points on a function sums tozero”

H�K� 0 JacH�K� via P ( �P�For elliptic curves: E�K� � JacE�K� (� E�K� is a group)

Identity: �ª� �ª�ª

Inverses: The points

P � �x0, y0� and P � �x0,�y0 � h�x0��on H both lie on the function x � x0, so

��P� � �P�

Semi-Reduced and Reduced Divisors

Every class in JacH�K� contains a divisor Qfinite

mP�P� such that

L all mP A 0 (replace ��P� by �P�)L if P � P, then mP � 1 (as 2�P� � 0)

L if P x P, then only one of P, Pcan appear in the sum (as �P� � �P� � 0)

Such a divisor is semi-reduced. If PmP B g , then it is reduced.

TheoremEvery class in JacH�K� contains a unique reduced divisor.

Semi-Reduced and Reduced Divisors

Every class in JacH�K� contains a divisor Qfinite

mP�P� such that

L all mP A 0 (replace ��P� by �P�)L if P � P, then mP � 1 (as 2�P� � 0)

L if P x P, then only one of P, Pcan appear in the sum (as �P� � �P� � 0)

Such a divisor is semi-reduced.

If PmP B g , then it is reduced.

TheoremEvery class in JacH�K� contains a unique reduced divisor.

Semi-Reduced and Reduced Divisors

Every class in JacH�K� contains a divisor Qfinite

mP�P� such that

L all mP A 0 (replace ��P� by �P�)L if P � P, then mP � 1 (as 2�P� � 0)

L if P x P, then only one of P, Pcan appear in the sum (as �P� � �P� � 0)

Such a divisor is semi-reduced. If PmP B g , then it is reduced.

TheoremEvery class in JacH�K� contains a unique reduced divisor.

Semi-Reduced and Reduced Divisors

Every class in JacH�K� contains a divisor Qfinite

mP�P� such that

L all mP A 0 (replace ��P� by �P�)L if P � P, then mP � 1 (as 2�P� � 0)

L if P x P, then only one of P, Pcan appear in the sum (as �P� � �P� � 0)

Such a divisor is semi-reduced. If PmP B g , then it is reduced.

TheoremEvery class in JacH�K� contains a unique reduced divisor.

Example — Reduction

H � y 2� x5 � 5x3 � 4x � 1 over Q, D � �R1� � �R2� � �R3� with

R1 � ��2,�1�, R2 � �2,�1�, R3 � �3,�11�

-10

-5

0

5

10

-3 -2 -1 0 1 2 3

Example — Reduction

R1,R2,R3 all lie on the quadratic y � �2x2 � 7

-10

-5

0

5

10

-3 -2 -1 0 1 2 3

Example — Reduction

This quadratic meets H in the two additional points G1,G2 where

G1 � �12�1 �

º17�,�2 �

º17�, G2 � �1

2�1 �º

17�,�2 �º

17�Thus, �R1� � �R2� � R3� � �G1� � �G2� � 0 in JacH�Q�

-10

-5

0

5

10

-3 -2 -1 0 1 2 3

Example — Reduction

�R1� � �R2� � R3� � �B1� � �B2� with B1 � �G1�, B2 � �G2�The reduced divisor in the class of D is E � �B1� � B2� where

B1 � �12�1 �

º17�, 2 �

º17�, B2 � �1

2�1 �º

17�, 2 �º

17�,

-10

-5

0

5

10

-3 -2 -1 0 1 2 3

Reduction in General

Let D �

r

Qi�1

�Pi � be a semi-reduced divisor on y 2 � h�x�y � f �x�

The r points Pi all lie on a curve y � v�x� with deg�v� � r � 1

v�x�2 � h�x�h�x� � f �x� polynomial of degree max�2r � 2, 2g � 1�Case r C g � 2: replace the r points P1, . . . ,Pr in D by the inversesof the other �2r � 2� � r � r � 2 points on this degree 2r � 2polynomial

Case r � g � 1: replace the g � 1 points P1, . . . ,Pr in D by theinverses of the other 2g � 1 � �g � 1� � g points on this degree2g � 2 polynomial

After � r � g

2� steps a reduced divisor is obtained ��

�

Reduction in General

Let D �

r

Qi�1

�Pi � be a semi-reduced divisor on y 2 � h�x�y � f �x�The r points Pi all lie on a curve y � v�x� with deg�v� � r � 1

v�x�2 � h�x�h�x� � f �x� polynomial of degree max�2r � 2, 2g � 1�Case r C g � 2: replace the r points P1, . . . ,Pr in D by the inversesof the other �2r � 2� � r � r � 2 points on this degree 2r � 2polynomial

Case r � g � 1: replace the g � 1 points P1, . . . ,Pr in D by theinverses of the other 2g � 1 � �g � 1� � g points on this degree2g � 2 polynomial

After � r � g

2� steps a reduced divisor is obtained ��

�

Reduction in General

Let D �

r

Qi�1

�Pi � be a semi-reduced divisor on y 2 � h�x�y � f �x�The r points Pi all lie on a curve y � v�x� with deg�v� � r � 1

v�x�2 � h�x�h�x� � f �x� polynomial of degree max�2r � 2, 2g � 1�

Case r C g � 2: replace the r points P1, . . . ,Pr in D by the inversesof the other �2r � 2� � r � r � 2 points on this degree 2r � 2polynomial

Case r � g � 1: replace the g � 1 points P1, . . . ,Pr in D by theinverses of the other 2g � 1 � �g � 1� � g points on this degree2g � 2 polynomial

After � r � g

2� steps a reduced divisor is obtained ��

�

Reduction in General

Let D �

r

Qi�1

�Pi � be a semi-reduced divisor on y 2 � h�x�y � f �x�The r points Pi all lie on a curve y � v�x� with deg�v� � r � 1

v�x�2 � h�x�h�x� � f �x� polynomial of degree max�2r � 2, 2g � 1�Case r C g � 2: replace the r points P1, . . . ,Pr in D by the inversesof the other �2r � 2� � r � r � 2 points on this degree 2r � 2polynomial

Case r � g � 1: replace the g � 1 points P1, . . . ,Pr in D by theinverses of the other 2g � 1 � �g � 1� � g points on this degree2g � 2 polynomial

After � r � g

2� steps a reduced divisor is obtained ��

�

Reduction in General

Let D �

r

Qi�1

�Pi � be a semi-reduced divisor on y 2 � h�x�y � f �x�The r points Pi all lie on a curve y � v�x� with deg�v� � r � 1

v�x�2 � h�x�h�x� � f �x� polynomial of degree max�2r � 2, 2g � 1�Case r C g � 2: replace the r points P1, . . . ,Pr in D by the inversesof the other �2r � 2� � r � r � 2 points on this degree 2r � 2polynomial

Case r � g � 1: replace the g � 1 points P1, . . . ,Pr in D by theinverses of the other 2g � 1 � �g � 1� � g points on this degree2g � 2 polynomial

After � r � g

2� steps a reduced divisor is obtained ��

�

Reduction in General

Let D �

r

Qi�1

�Pi � be a semi-reduced divisor on y 2 � h�x�y � f �x�The r points Pi all lie on a curve y � v�x� with deg�v� � r � 1

v�x�2 � h�x�h�x� � f �x� polynomial of degree max�2r � 2, 2g � 1�Case r C g � 2: replace the r points P1, . . . ,Pr in D by the inversesof the other �2r � 2� � r � r � 2 points on this degree 2r � 2polynomial

Case r � g � 1: replace the g � 1 points P1, . . . ,Pr in D by theinverses of the other 2g � 1 � �g � 1� � g points on this degree2g � 2 polynomial

After � r � g

2� steps a reduced divisor is obtained ��

�

Mumford Representation

Let D �

r

Qi�1

mi �Pi � be a semi-reduced divisor, Pi � �xi , yi�The Mumford representation of D is D � �u�x�, v�x�� where

u�x�, v�x� > K �x�, u monic, deg�v� @ deg�u�, u S v 2 � hv � f

u�x� � r

Mi�1

�x � xi�mi

� d

dx�j �v�x�2 � v�x�h�x� � f �x��

x�xi� 0 �0 B j B mi � 1�

So u�xi� � 0 and v�xi� � yi with multiplicity mi for 1 B i B r

Mumford representation uniquely determines D

Example: If P � �x0, y0�, then D � �P� � �x � x0, y0�

Mumford Representation

Let D �

r

Qi�1

mi �Pi � be a semi-reduced divisor, Pi � �xi , yi�The Mumford representation of D is D � �u�x�, v�x�� where

u�x�, v�x� > K �x�, u monic, deg�v� @ deg�u�, u S v 2 � hv � f

u�x� � r

Mi�1

�x � xi�mi

� d

dx�j �v�x�2 � v�x�h�x� � f �x��

x�xi� 0 �0 B j B mi � 1�

So u�xi� � 0 and v�xi� � yi with multiplicity mi for 1 B i B r

Mumford representation uniquely determines D

Example: If P � �x0, y0�, then D � �P� � �x � x0, y0�

Mumford Representation

Let D �

r

Qi�1

mi �Pi � be a semi-reduced divisor, Pi � �xi , yi�The Mumford representation of D is D � �u�x�, v�x�� where

u�x�, v�x� > K �x�, u monic, deg�v� @ deg�u�, u S v 2 � hv � f

u�x� � r

Mi�1

�x � xi�mi

� d

dx�j �v�x�2 � v�x�h�x� � f �x��

x�xi� 0 �0 B j B mi � 1�

So u�xi� � 0 and v�xi� � yi with multiplicity mi for 1 B i B r

Mumford representation uniquely determines D

Example: If P � �x0, y0�, then D � �P� � �x � x0, y0�

Mumford Representation

Let D �

r

Qi�1

mi �Pi � be a semi-reduced divisor, Pi � �xi , yi�The Mumford representation of D is D � �u�x�, v�x�� where

u�x�, v�x� > K �x�, u monic, deg�v� @ deg�u�, u S v 2 � hv � f

u�x� � r

Mi�1

�x � xi�mi

� d

dx�j �v�x�2 � v�x�h�x� � f �x��

x�xi� 0 �0 B j B mi � 1�

So u�xi� � 0 and v�xi� � yi with multiplicity mi for 1 B i B r

Mumford representation uniquely determines D

Example: If P � �x0, y0�, then D � �P� � �x � x0, y0�

Divisor Reduction Using Mumford Representations

Input: D � �u, v�Output: The reduced divisor D �

� �u�, v �� in the class of D

while deg�u� A g do

u��

f � vh � v 2

u, v �

� �v � h �mod u��u � u�, v � v �

end while

return�u�, v ��

Divisor Reduction Using Mumford Representations

Input: D � �u, v�Output: The reduced divisor D �

� �u�, v �� in the class of D

while deg�u� A g do

u��

f � vh � v 2

u, v �

� �v � h �mod u��u � u�, v � v �

end while

return�u�, v ��

Divisor Reduction — Example

H � y 2� x5 � 5x3 � 4x � 1 over Q

D � ���2,�1�� � ��2,1�� � ��3,�11�� � �u, v�

with

u�x� � �x � 2��x � 2��x � 3� � x3 � 3x2 � 4x � 2

v�x� � �2x2 � 7 (from before)

u��x� ��x5 � 5x3 � 4x � 1� � ��2x2 � 7�2

x3 � 3x2 � 4x � 2� x2 � x � 4

v ��x� � ���2x2 � 7� �mod x2 � x � 4� � 2x � 1

D �� �u�, v �� is the reduced divisor in the class of D

Recall D �� � �1

2�1 �

º17�, 2 �

º17� ��� �1

2�1 �

º17�, 2 �

º17� �

Divisor Reduction — Example

H � y 2� x5 � 5x3 � 4x � 1 over Q

D � ���2,�1�� � ��2,1�� � ��3,�11�� � �u, v� with

u�x� � �x � 2��x � 2��x � 3� � x3 � 3x2 � 4x � 2

v�x� � �2x2 � 7 (from before)

u��x� ��x5 � 5x3 � 4x � 1� � ��2x2 � 7�2

x3 � 3x2 � 4x � 2� x2 � x � 4

v ��x� � ���2x2 � 7� �mod x2 � x � 4� � 2x � 1

D �� �u�, v �� is the reduced divisor in the class of D

Recall D �� � �1

2�1 �

º17�, 2 �

º17� ��� �1

2�1 �

º17�, 2 �

º17� �

Divisor Reduction — Example

H � y 2� x5 � 5x3 � 4x � 1 over Q

D � ���2,�1�� � ��2,1�� � ��3,�11�� � �u, v� with

u�x� � �x � 2��x � 2��x � 3� � x3 � 3x2 � 4x � 2

v�x� � �2x2 � 7 (from before)

u��x� ��x5 � 5x3 � 4x � 1� � ��2x2 � 7�2

x3 � 3x2 � 4x � 2� x2 � x � 4

v ��x� � ���2x2 � 7� �mod x2 � x � 4� � 2x � 1

D �� �u�, v �� is the reduced divisor in the class of D

Recall D �� � �1

2�1 �

º17�, 2 �

º17� ��� �1

2�1 �

º17�, 2 �

º17� �

Divisor Reduction — Example

H � y 2� x5 � 5x3 � 4x � 1 over Q

D � ���2,�1�� � ��2,1�� � ��3,�11�� � �u, v� with

u�x� � �x � 2��x � 2��x � 3� � x3 � 3x2 � 4x � 2

v�x� � �2x2 � 7 (from before)

u��x� ��x5 � 5x3 � 4x � 1� � ��2x2 � 7�2

x3 � 3x2 � 4x � 2� x2 � x � 4

v ��x� � ���2x2 � 7� �mod x2 � x � 4� � 2x � 1

D �� �u�, v �� is the reduced divisor in the class of D

Recall D �� � �1

2�1 �

º17�, 2 �

º17� ��� �1

2�1 �

º17�, 2 �

º17� �

Divisor Addition Using Mumford Representations

D1 � �u1, v1�, D2 � �u2, v2� divisors on H � y 2 � h�x�y � f �x�

Simplest case: for any �P� occurring in D1, �P� does not occur inD2 and vice versa — then D1 � D2 is semi-reduced

Then D1 � D2 � �u, v� where u � u1u2 and v �

¢̈̈¦̈̈¤v1 �mod u1�v2 �mod u2�

In general: suppose P � �x0, y0� occurs in D1 and P occurs in D2.

Then u1�x0� � u2�x0� � 0 and v1�x0� � y0 � �v2�x0� � h�x0�, sox � x0 S u1�x�, u2�x�, v1�x� � v2�x� � h�x�

d � gcd�u1,u2, v1 � v2 �h� � s1u1 � s2u2 � s3�v1 � v2 �h�u �

u1u2

d2

v �1

d�s1u1v2 � s2u2v1 � s3�v1v2 � f �� �mod u�

(In the simplest case above, d � 1 and s3 � 0)

Divisor Addition Using Mumford Representations

D1 � �u1, v1�, D2 � �u2, v2� divisors on H � y 2 � h�x�y � f �x�Simplest case: for any �P� occurring in D1, �P� does not occur inD2 and vice versa — then D1 � D2 is semi-reduced

Then D1 � D2 � �u, v� where u � u1u2 and v �

¢̈̈¦̈̈¤v1 �mod u1�v2 �mod u2�

In general: suppose P � �x0, y0� occurs in D1 and P occurs in D2.

Then u1�x0� � u2�x0� � 0 and v1�x0� � y0 � �v2�x0� � h�x0�, sox � x0 S u1�x�, u2�x�, v1�x� � v2�x� � h�x�

d � gcd�u1,u2, v1 � v2 �h� � s1u1 � s2u2 � s3�v1 � v2 �h�u �

u1u2

d2

v �1

d�s1u1v2 � s2u2v1 � s3�v1v2 � f �� �mod u�

(In the simplest case above, d � 1 and s3 � 0)

Divisor Addition Using Mumford Representations

D1 � �u1, v1�, D2 � �u2, v2� divisors on H � y 2 � h�x�y � f �x�Simplest case: for any �P� occurring in D1, �P� does not occur inD2 and vice versa — then D1 � D2 is semi-reduced

Then D1 � D2 � �u, v� where u � u1u2 and v �

¢̈̈¦̈̈¤v1 �mod u1�v2 �mod u2�

In general: suppose P � �x0, y0� occurs in D1 and P occurs in D2.

Then u1�x0� � u2�x0� � 0 and v1�x0� � y0 � �v2�x0� � h�x0�, sox � x0 S u1�x�, u2�x�, v1�x� � v2�x� � h�x�

d � gcd�u1,u2, v1 � v2 �h� � s1u1 � s2u2 � s3�v1 � v2 �h�u �

u1u2

d2

v �1

d�s1u1v2 � s2u2v1 � s3�v1v2 � f �� �mod u�

(In the simplest case above, d � 1 and s3 � 0)

Divisor Addition Using Mumford Representations

D1 � �u1, v1�, D2 � �u2, v2� divisors on H � y 2 � h�x�y � f �x�Simplest case: for any �P� occurring in D1, �P� does not occur inD2 and vice versa — then D1 � D2 is semi-reduced

Then D1 � D2 � �u, v� where u � u1u2 and v �

¢̈̈¦̈̈¤v1 �mod u1�v2 �mod u2�

In general: suppose P � �x0, y0� occurs in D1 and P occurs in D2.

Then u1�x0� � u2�x0� � 0 and v1�x0� � y0 � �v2�x0� � h�x0�, sox � x0 S u1�x�, u2�x�, v1�x� � v2�x� � h�x�

d � gcd�u1,u2, v1 � v2 �h� � s1u1 � s2u2 � s3�v1 � v2 �h�u �

u1u2

d2

v �1

d�s1u1v2 � s2u2v1 � s3�v1v2 � f �� �mod u�

(In the simplest case above, d � 1 and s3 � 0)

Divisor Addition Using Mumford Representations

D1 � �u1, v1�, D2 � �u2, v2� divisors on H � y 2 � h�x�y � f �x�Simplest case: for any �P� occurring in D1, �P� does not occur inD2 and vice versa — then D1 � D2 is semi-reduced

Then D1 � D2 � �u, v� where u � u1u2 and v �

¢̈̈¦̈̈¤v1 �mod u1�v2 �mod u2�

In general: suppose P � �x0, y0� occurs in D1 and P occurs in D2.

Then u1�x0� � u2�x0� � 0 and v1�x0� � y0 � �v2�x0� � h�x0�, sox � x0 S u1�x�, u2�x�, v1�x� � v2�x� � h�x�

d � gcd�u1,u2, v1 � v2 �h� � s1u1 � s2u2 � s3�v1 � v2 �h�u �

u1u2

d2

v �1

d�s1u1v2 � s2u2v1 � s3�v1v2 � f �� �mod u�

(In the simplest case above, d � 1 and s3 � 0)

Divisor Addition Using Mumford Representations

D1 � �u1, v1�, D2 � �u2, v2� divisors on H � y 2 � h�x�y � f �x�Simplest case: for any �P� occurring in D1, �P� does not occur inD2 and vice versa — then D1 � D2 is semi-reduced

Then D1 � D2 � �u, v� where u � u1u2 and v �

¢̈̈¦̈̈¤v1 �mod u1�v2 �mod u2�

In general: suppose P � �x0, y0� occurs in D1 and P occurs in D2.

Then u1�x0� � u2�x0� � 0 and v1�x0� � y0 � �v2�x0� � h�x0�, sox � x0 S u1�x�, u2�x�, v1�x� � v2�x� � h�x�

d � gcd�u1,u2, v1 � v2 �h� � s1u1 � s2u2 � s3�v1 � v2 �h�u �

u1u2

d2

v �1

d�s1u1v2 � s2u2v1 � s3�v1v2 � f �� �mod u�

(In the simplest case above, d � 1 and s3 � 0)

Arithmetic in JacH�K�

Input: D1 � �u1, v1�, D2 � �u2, v2� reduced

Output: The reduced divisor D �� �u�, v �� in the class of D1 � D2

1. Addition: compute a semi-reduced divisor D � �u, v� in theclass of D1 � D2

2. Reduction: compute the reduced divisor D �� �u�, v �� in the

class of D

Methods

L “Vanilla” method just discussed

L Cantor’s algorithm (“improved vanilla”)

L NUCOMP

L Explicit formulas (if g is small, say g � 2,3,4)

Arithmetic in JacH�K�

Input: D1 � �u1, v1�, D2 � �u2, v2� reduced

Output: The reduced divisor D �� �u�, v �� in the class of D1 � D2

1. Addition: compute a semi-reduced divisor D � �u, v� in theclass of D1 � D2

2. Reduction: compute the reduced divisor D �� �u�, v �� in the

class of D

Methods

L “Vanilla” method just discussed

L Cantor’s algorithm (“improved vanilla”)

L NUCOMP

L Explicit formulas (if g is small, say g � 2,3,4)

Arithmetic in JacH�K�

Input: D1 � �u1, v1�, D2 � �u2, v2� reduced

Output: The reduced divisor D �� �u�, v �� in the class of D1 � D2

1. Addition: compute a semi-reduced divisor D � �u, v� in theclass of D1 � D2

2. Reduction: compute the reduced divisor D �� �u�, v �� in the

class of D

Methods

L “Vanilla” method just discussed

L Cantor’s algorithm (“improved vanilla”)

L NUCOMP

L Explicit formulas (if g is small, say g � 2,3,4)

Divisors defined over K

Let φ > Gal�K~K� (for K � Fq, think of Frobenius φ�α� � αq)

φ acts on points on H: if P � �x0, y0�, then φ�P� � �φ�x0�, φ�y0��φ acts on divisors: if D �QmP�P�, then φ�D� �QmP�φ�P��A divisor D is defined over K if φ�D� � D

Example:

D � �x2 � x � 4, 2x � 1� on H � y 2� x5 � 5x3 � 4x � 1 over Q

� � �1

2�1 �

º17�, 2 �

º17� � � � �1

2�1 �

º17�, 2 �

º17� �

is defined over Q (invariant under automorphismº

17( �º

17)

TheoremD � �u, v� is defined over K if and only if u�x�, v�x� > K �x�.Corollary

The group JacH�Fq� of divisor classes defined over Fq is finite.

Divisors defined over K

Let φ > Gal�K~K� (for K � Fq, think of Frobenius φ�α� � αq)

φ acts on points on H: if P � �x0, y0�, then φ�P� � �φ�x0�, φ�y0��

φ acts on divisors: if D �QmP�P�, then φ�D� �QmP�φ�P��A divisor D is defined over K if φ�D� � D

Example:

D � �x2 � x � 4, 2x � 1� on H � y 2� x5 � 5x3 � 4x � 1 over Q

� � �1

2�1 �

º17�, 2 �

º17� � � � �1

2�1 �

º17�, 2 �

º17� �

is defined over Q (invariant under automorphismº

17( �º

17)

TheoremD � �u, v� is defined over K if and only if u�x�, v�x� > K �x�.Corollary

The group JacH�Fq� of divisor classes defined over Fq is finite.

Divisors defined over K

Let φ > Gal�K~K� (for K � Fq, think of Frobenius φ�α� � αq)

φ acts on points on H: if P � �x0, y0�, then φ�P� � �φ�x0�, φ�y0��φ acts on divisors: if D �QmP�P�, then φ�D� �QmP�φ�P��

A divisor D is defined over K if φ�D� � D

Example:

D � �x2 � x � 4, 2x � 1� on H � y 2� x5 � 5x3 � 4x � 1 over Q

� � �1

2�1 �

º17�, 2 �

º17� � � � �1

2�1 �

º17�, 2 �

º17� �

is defined over Q (invariant under automorphismº

17( �º

17)

TheoremD � �u, v� is defined over K if and only if u�x�, v�x� > K �x�.Corollary

The group JacH�Fq� of divisor classes defined over Fq is finite.

Divisors defined over K

Let φ > Gal�K~K� (for K � Fq, think of Frobenius φ�α� � αq)

φ acts on points on H: if P � �x0, y0�, then φ�P� � �φ�x0�, φ�y0��φ acts on divisors: if D �QmP�P�, then φ�D� �QmP�φ�P��A divisor D is defined over K if φ�D� � D

Example:

D � �x2 � x � 4, 2x � 1� on H � y 2� x5 � 5x3 � 4x � 1 over Q

� � �1

2�1 �

º17�, 2 �

º17� � � � �1

2�1 �

º17�, 2 �

º17� �

is defined over Q (invariant under automorphismº

17( �º

17)

TheoremD � �u, v� is defined over K if and only if u�x�, v�x� > K �x�.Corollary

The group JacH�Fq� of divisor classes defined over Fq is finite.

Divisors defined over K

Let φ > Gal�K~K� (for K � Fq, think of Frobenius φ�α� � αq)

φ acts on points on H: if P � �x0, y0�, then φ�P� � �φ�x0�, φ�y0��φ acts on divisors: if D �QmP�P�, then φ�D� �QmP�φ�P��A divisor D is defined over K if φ�D� � D

Example:

D � �x2 � x � 4, 2x � 1� on H � y 2� x5 � 5x3 � 4x � 1 over Q

� � �1

2�1 �

º17�, 2 �

º17� � � � �1

2�1 �

º17�, 2 �

º17� �

is defined over Q (invariant under automorphismº

17( �º

17)

TheoremD � �u, v� is defined over K if and only if u�x�, v�x� > K �x�.Corollary

The group JacH�Fq� of divisor classes defined over Fq is finite.

Divisors defined over K

Let φ > Gal�K~K� (for K � Fq, think of Frobenius φ�α� � αq)

φ acts on points on H: if P � �x0, y0�, then φ�P� � �φ�x0�, φ�y0��φ acts on divisors: if D �QmP�P�, then φ�D� �QmP�φ�P��A divisor D is defined over K if φ�D� � D

Example:

D � �x2 � x � 4, 2x � 1� on H � y 2� x5 � 5x3 � 4x � 1 over Q

� � �1

2�1 �

º17�, 2 �

º17� � � � �1

2�1 �

º17�, 2 �

º17� �

is defined over Q (invariant under automorphismº

17( �º

17)

TheoremD � �u, v� is defined over K if and only if u�x�, v�x� > K �x�.

Corollary

The group JacH�Fq� of divisor classes defined over Fq is finite.

Divisors defined over K

Let φ > Gal�K~K� (for K � Fq, think of Frobenius φ�α� � αq)

φ acts on points on H: if P � �x0, y0�, then φ�P� � �φ�x0�, φ�y0��φ acts on divisors: if D �QmP�P�, then φ�D� �QmP�φ�P��A divisor D is defined over K if φ�D� � D

Example:

D � �x2 � x � 4, 2x � 1� on H � y 2� x5 � 5x3 � 4x � 1 over Q

� � �1

2�1 �

º17�, 2 �

º17� � � � �1

2�1 �

º17�, 2 �

º17� �

is defined over Q (invariant under automorphismº

17( �º

17)

TheoremD � �u, v� is defined over K if and only if u�x�, v�x� > K �x�.Corollary

The group JacH�Fq� of divisor classes defined over Fq is finite.

Group Structure and Size

E�Fq� � Z~nZ �Z~mZ where n S gcd�m,q � 1�

Via a hand-wavy argument, y 2� f �x� should have � q � 1 points

Hasse: SE�Fq�S � q � 1 � t with St S B 2º

q

Hasse-Weil: SH�Fq�S � q � 1 � t with St S B 2gº

qSerre: St S B g2ºq�For the Jacobian:

�ºq � 1�2gB SJacH�Fq�S B �ºq � 1�2g

So SJacH�Fq�S � qg

If we want qg� 2160: g 1 2 3 4

q 2160 280 253.33 240

Group Structure and Size

E�Fq� � Z~nZ �Z~mZ where n S gcd�m,q � 1�Via a hand-wavy argument, y 2

� f �x� should have � q � 1 points

Hasse: SE�Fq�S � q � 1 � t with St S B 2º

q

Hasse-Weil: SH�Fq�S � q � 1 � t with St S B 2gº

qSerre: St S B g2ºq�For the Jacobian:

�ºq � 1�2gB SJacH�Fq�S B �ºq � 1�2g

So SJacH�Fq�S � qg

If we want qg� 2160: g 1 2 3 4

q 2160 280 253.33 240

Group Structure and Size

E�Fq� � Z~nZ �Z~mZ where n S gcd�m,q � 1�Via a hand-wavy argument, y 2

� f �x� should have � q � 1 points

Hasse: SE�Fq�S � q � 1 � t with St S B 2º

q

Hasse-Weil: SH�Fq�S � q � 1 � t with St S B 2gº

qSerre: St S B g2ºq�

For the Jacobian:

�ºq � 1�2gB SJacH�Fq�S B �ºq � 1�2g

So SJacH�Fq�S � qg

If we want qg� 2160: g 1 2 3 4

q 2160 280 253.33 240

Group Structure and Size

E�Fq� � Z~nZ �Z~mZ where n S gcd�m,q � 1�Via a hand-wavy argument, y 2

� f �x� should have � q � 1 points

Hasse: SE�Fq�S � q � 1 � t with St S B 2º

q

Hasse-Weil: SH�Fq�S � q � 1 � t with St S B 2gº

qSerre: St S B g2ºq�For the Jacobian:

�ºq � 1�2gB SJacH�Fq�S B �ºq � 1�2g

So SJacH�Fq�S � qg

If we want qg� 2160: g 1 2 3 4

q 2160 280 253.33 240

Group Structure and Size

E�Fq� � Z~nZ �Z~mZ where n S gcd�m,q � 1�Via a hand-wavy argument, y 2

� f �x� should have � q � 1 points

Hasse: SE�Fq�S � q � 1 � t with St S B 2º

q

Hasse-Weil: SH�Fq�S � q � 1 � t with St S B 2gº

qSerre: St S B g2ºq�For the Jacobian:

�ºq � 1�2gB SJacH�Fq�S B �ºq � 1�2g

So SJacH�Fq�S � qg

If we want qg� 2160: g 1 2 3 4

q 2160 280 253.33 240

Point Counting Algorithms

Stay for next week’s workshop to learn more . . .

K � Fq, q � pn

L Square Root MethodsPollard kangarooCartier-Manin

L `-adic Methods (n � 1, polynomial in log�p�)

SEA and generalizations

L p-adic Methods (p small, polynomial in n)

Canonical lifts (Satoh, AGM)Deformation theoryCohomology

Point counting on certain curves is easy (e.g. Koblitz curves)

Can also construct curves with good group orders via CM method(see Thursday’s talks by Drew Sutherland and Bianca Viray)

Point Counting Algorithms

Stay for next week’s workshop to learn more . . .

K � Fq, q � pn

L Square Root MethodsPollard kangarooCartier-Manin

L `-adic Methods (n � 1, polynomial in log�p�)

SEA and generalizations

L p-adic Methods (p small, polynomial in n)

Canonical lifts (Satoh, AGM)Deformation theoryCohomology

Point counting on certain curves is easy (e.g. Koblitz curves)

Can also construct curves with good group orders via CM method(see Thursday’s talks by Drew Sutherland and Bianca Viray)

Point Counting Algorithms

Stay for next week’s workshop to learn more . . .

K � Fq, q � pn

L Square Root MethodsPollard kangarooCartier-Manin

L `-adic Methods (n � 1, polynomial in log�p�)

SEA and generalizations

L p-adic Methods (p small, polynomial in n)

Canonical lifts (Satoh, AGM)Deformation theoryCohomology

Point counting on certain curves is easy (e.g. Koblitz curves)

Can also construct curves with good group orders via CM method(see Thursday’s talks by Drew Sutherland and Bianca Viray)

Point Counting Algorithms

Stay for next week’s workshop to learn more . . .

K � Fq, q � pn

L Square Root MethodsPollard kangarooCartier-Manin

L `-adic Methods (n � 1, polynomial in log�p�)

SEA and generalizations

L p-adic Methods (p small, polynomial in n)

Canonical lifts (Satoh, AGM)Deformation theoryCohomology

Point counting on certain curves is easy (e.g. Koblitz curves)

Can also construct curves with good group orders via CM method(see Thursday’s talks by Drew Sutherland and Bianca Viray)

Discrete Logarithms

Elliptic Curve DLP: given P,Q > E�Fq� with Q � mP, find m

Hyperelliptic Curve DLP: given reduced divisors D,E so that Eis equivalent to mD, find m

Generic Methods — Complexity O�qg~2� group operations

L Baby step giant step — also requires O�qg~2� space

L Pollard rho

L Pollard lambda (kangaroo)

Index Calculus Methods

L g â log�q� — sub-exponential

L 3 B g á log�q� — O�q2�2~g�For g � 1,2, generic methods are best! (As far as we know . . . )

Discrete Logarithms

Elliptic Curve DLP: given P,Q > E�Fq� with Q � mP, find m

Hyperelliptic Curve DLP: given reduced divisors D,E so that Eis equivalent to mD, find m

Generic Methods — Complexity O�qg~2� group operations

L Baby step giant step — also requires O�qg~2� space

L Pollard rho

L Pollard lambda (kangaroo)

Index Calculus Methods

L g â log�q� — sub-exponential

L 3 B g á log�q� — O�q2�2~g�For g � 1,2, generic methods are best! (As far as we know . . . )

Discrete Logarithms

Elliptic Curve DLP: given P,Q > E�Fq� with Q � mP, find m

Hyperelliptic Curve DLP: given reduced divisors D,E so that Eis equivalent to mD, find m

Generic Methods — Complexity O�qg~2� group operations

L Baby step giant step — also requires O�qg~2� space

L Pollard rho

L Pollard lambda (kangaroo)

Index Calculus Methods

L g â log�q� — sub-exponential

L 3 B g á log�q� — O�q2�2~g�For g � 1,2, generic methods are best! (As far as we know . . . )

Discrete Logarithms

Elliptic Curve DLP: given P,Q > E�Fq� with Q � mP, find m

Hyperelliptic Curve DLP: given reduced divisors D,E so that Eis equivalent to mD, find m

Generic Methods — Complexity O�qg~2� group operations

L Baby step giant step — also requires O�qg~2� space

L Pollard rho

L Pollard lambda (kangaroo)

Index Calculus Methods

L g â log�q� — sub-exponential

L 3 B g á log�q� — O�q2�2~g�

For g � 1,2, generic methods are best! (As far as we know . . . )

Discrete Logarithms

Elliptic Curve DLP: given P,Q > E�Fq� with Q � mP, find m

Hyperelliptic Curve DLP: given reduced divisors D,E so that Eis equivalent to mD, find m

Generic Methods — Complexity O�qg~2� group operations

L Baby step giant step — also requires O�qg~2� space

L Pollard rho

L Pollard lambda (kangaroo)

Index Calculus Methods

L g â log�q� — sub-exponential

L 3 B g á log�q� — O�q2�2~g�For g � 1,2, generic methods are best! (As far as we know . . . )

Other Attacks & Parameter Choices

K � Fq with q � pn

L Pohlig-Hellman — ensure that SJacH�Fq�S has a large primefactor

L Additive Reduction: if p divides SJacH�Fq�S, then there is an

explicit homomorphism JacH�Fq��p�� �F2g�1q ,�� — ensure

that gcd�q, SJacH�Fq�S� � 1

L Multiplicative Reduction (MOV): pairings can be used tomap the DLP in JacH�Fq� into �F�

qk,�� where qk

� 1 �mod r�for a prime r dividing SJacH�Fq�S — ensure that k is large

(For pairing-based crypto, however, we want k small — seeTuesday’s and Wednesday’s talks)

L Weil Descent: If n � kd is composite, one may haveJacH�Fpkd �0 JacC�Fpd � where C has higher genus — usen � 1 or n prime

Other Attacks & Parameter Choices

K � Fq with q � pn

L Pohlig-Hellman — ensure that SJacH�Fq�S has a large primefactor

L Additive Reduction: if p divides SJacH�Fq�S, then there is an

explicit homomorphism JacH�Fq��p�� �F2g�1q ,�� — ensure

that gcd�q, SJacH�Fq�S� � 1

L Multiplicative Reduction (MOV): pairings can be used tomap the DLP in JacH�Fq� into �F�

qk,�� where qk

� 1 �mod r�for a prime r dividing SJacH�Fq�S — ensure that k is large

(For pairing-based crypto, however, we want k small — seeTuesday’s and Wednesday’s talks)

L Weil Descent: If n � kd is composite, one may haveJacH�Fpkd �0 JacC�Fpd � where C has higher genus — usen � 1 or n prime

Other Attacks & Parameter Choices

K � Fq with q � pn

L Pohlig-Hellman — ensure that SJacH�Fq�S has a large primefactor

L Additive Reduction: if p divides SJacH�Fq�S, then there is an

explicit homomorphism JacH�Fq��p�� �F2g�1q ,�� — ensure

that gcd�q, SJacH�Fq�S� � 1

L Multiplicative Reduction (MOV): pairings can be used tomap the DLP in JacH�Fq� into �F�

qk,�� where qk

� 1 �mod r�for a prime r dividing SJacH�Fq�S — ensure that k is large

(For pairing-based crypto, however, we want k small — seeTuesday’s and Wednesday’s talks)

L Weil Descent: If n � kd is composite, one may haveJacH�Fpkd �0 JacC�Fpd � where C has higher genus — usen � 1 or n prime

Other Attacks & Parameter Choices

K � Fq with q � pn

L Pohlig-Hellman — ensure that SJacH�Fq�S has a large primefactor

L Additive Reduction: if p divides SJacH�Fq�S, then there is an

explicit homomorphism JacH�Fq��p�� �F2g�1q ,�� — ensure

that gcd�q, SJacH�Fq�S� � 1

L Multiplicative Reduction (MOV): pairings can be used tomap the DLP in JacH�Fq� into �F�

qk,�� where qk

� 1 �mod r�for a prime r dividing SJacH�Fq�S — ensure that k is large

(For pairing-based crypto, however, we want k small — seeTuesday’s and Wednesday’s talks)

L Weil Descent: If n � kd is composite, one may haveJacH�Fpkd �0 JacC�Fpd � where C has higher genus — usen � 1 or n prime

Some Other Models

L Hessians: x3 � y 3 � 3dxy � 1

L Edwards models: x2 � y 2� c2�1 � dx2y 2� (q odd) and

variations

x3 � y 3� 1

-4

-3

-2

-1

0

1

2

3

4

-4 -3 -2 -1 0 1 2 3 4

x2�y 2� 10�1�x2y 2�

-4

-3

-2

-1

0

1

2

3

4

-4 -3 -2 -1 0 1 2 3 4

Even Degree Models

H � y 2 � h�x�y � f �x�L h�x�, f �x� > K �x�L deg�h� � g � 1 if char�K� � 2; h�x� � 0 if char�K� x 2

L deg�f � � 2g � 2 is even

L sgn�f � � s2 � s with s > K if char�K� � 2; f �x� is monic ifchar�K� x 2

L non-singularity

char�K� x 2: y 2� f �x�, f �x� monic, of even degree, square-free

Elliptic quartic, char�K� x 2,3:

y 2� x4 � ax2 � bx � c �a,b, c > K�

(b � 0: Jacobi Quartic)

Even Degree Models

H � y 2 � h�x�y � f �x�L h�x�, f �x� > K �x�L deg�h� � g � 1 if char�K� � 2; h�x� � 0 if char�K� x 2

L deg�f � � 2g � 2 is even

L sgn�f � � s2 � s with s > K if char�K� � 2; f �x� is monic ifchar�K� x 2

L non-singularity

char�K� x 2: y 2� f �x�, f �x� monic, of even degree, square-free

Elliptic quartic, char�K� x 2,3:

y 2� x4 � ax2 � bx � c �a,b, c > K�

(b � 0: Jacobi Quartic)

Even Degree Models

H � y 2 � h�x�y � f �x�L h�x�, f �x� > K �x�L deg�h� � g � 1 if char�K� � 2; h�x� � 0 if char�K� x 2

L deg�f � � 2g � 2 is even

L sgn�f � � s2 � s with s > K if char�K� � 2; f �x� is monic ifchar�K� x 2

L non-singularity

char�K� x 2: y 2� f �x�, f �x� monic, of even degree, square-free

Elliptic quartic, char�K� x 2,3:

y 2� x4 � ax2 � bx � c �a,b, c > K�

(b � 0: Jacobi Quartic)

Examples

E � y 2� x4 � 6x2 � x � 6

g � 1

-6

-4

-2

0

2

4

6

-3 -2 -1 0 1 2 3

H � y 2� x6�13x4�44x2�4x�1

g � 2

-10

-5

0

5

10

-4 -3 -2 -1 0 1 2 3 4

Conclusion

L Genus 1 and genus 2 curves over Fq represent a very goodsetting for DLP based cryptography

L Use q prime or q � 2n

L Good parameter choices are known and easy

L Cryptographically suitable curves can be constructed inpractice

� � � Thank You! � � �

Conclusion

L Genus 1 and genus 2 curves over Fq represent a very goodsetting for DLP based cryptography

L Use q prime or q � 2n

L Good parameter choices are known and easy

L Cryptographically suitable curves can be constructed inpractice

� � � Thank You! � � �

Conclusion

L Genus 1 and genus 2 curves over Fq represent a very goodsetting for DLP based cryptography

L Use q prime or q � 2n

L Good parameter choices are known and easy

L Cryptographically suitable curves can be constructed inpractice

� � � Thank You! � � �

Conclusion

L Genus 1 and genus 2 curves over Fq represent a very goodsetting for DLP based cryptography

L Use q prime or q � 2n

L Good parameter choices are known and easy

L Cryptographically suitable curves can be constructed inpractice

� � � Thank You! � � �

Conclusion

L Genus 1 and genus 2 curves over Fq represent a very goodsetting for DLP based cryptography

L Use q prime or q � 2n

L Good parameter choices are known and easy

L Cryptographically suitable curves can be constructed inpractice

� � � Thank You! � � �