Abstract
A significant amount of effort has been devoted to improving divisor arithmetic on low-genus hyperelliptic curves via explicit versions of generic algorithms. Moderate and high genus curves also arise in cryptographic applications, for example, via the Weil descent attack on the elliptic curve discrete logarithm problem, but for these curves, the generic algorithms are to date the most efficient available. Nagao [22] described how some of the techniques used in deriving efficient explicit formulas can be used to speed up divisor arithmetic using Cantor's algorithm on curves of arbitrary genus. In this paper, we describe how Nagao's methods, together with a sub-quadratic complexity partial extended Euclidean algorithm using the half-gcd algorithm can be applied to improve arithmetic in the degree zero divisor class group. We present numerical results showing which combination of techniques is more efficient for hyperelliptic curves over $\mathbb{F}_{2^n}$ of various genera.
Highlights
Hyperelliptic curves defined over finite fields were first proposed for cryptographic use by Koblitz [18] in 1989, with the special case of genus one curves having been proposed earlier by Koblitz and Miller independently [19, 17]
The performance becomes significantly better as the half-gcd threshold for partial XGCD are surpassed
Our results show that the methods used by Nagao, in particular partial multiplication and computing extended GCDs using pseudodivision are only effective for certain parameter ranges
Summary
Hyperelliptic curves defined over finite fields were first proposed for cryptographic use by Koblitz [18] in 1989, with the special case of genus one curves (elliptic curves) having been proposed earlier by Koblitz and Miller independently [19, 17]. One recommended set of parameters results in a hyperelliptic curve of genus 7 or 8 defined over F223 For all these cases, explicit formulas have not been developed for the group arithmetic, so Cantor’s algorithm or its variants would have to be used. Our second motivation was to optimize divisor class group arithmetic in general, by learning how the different algorithms and optimizations perform as functions of the genus and finite field sizes. The NUCOMP algorithm of Shanks, adapted to hyperelliptic curves [14, 13], seeks to reduce the sizes of the intermediate operands by carrying out a reduction on them before completing the addition step.
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
