Handbook of elliptic and hyperelliptic curve cryptography: Part 2

Chapter Implementation of Pairings
Sylvain Duquesne and Gerhard Frey

Contents in Brief

16.1 The basic algorithm
    The setting • Preparation • The pairing computation algorithm • The case of nontrivial embedding degree k • Comparison with the Weil pairing
16.2 Elliptic curves
    The basic step • The representation • The pairing algorithm • Example
16.3 Hyperelliptic curves of genus
    The basic step • Representation for k >
16.4 Improving the pairing algorithm
    Elimination of divisions • Choice of the representation • Precomputations
16.5 Specific improvements for elliptic curves
    Systems of coordinates • Subfield computations • Even embedding degree • Example

16.1 The basic algorithm

In this chapter, we will be dealing with the computation of the Tate–Lichtenbaum pairing on Jacobians J_C of hyperelliptic curves C of genus g defined over some finite field F_q of characteristic p. It is defined in Definition 6.16. The mathematical background can be found in Chapter.

The idea to use pairings for cryptographic purposes was introduced during the 1990s, and because of the importance for applications a lot of valuable work was done to make the computation of these pairings as efficient as possible. There is a vast and rapidly growing literature; here we restrict ourselves to mentioning [GAHA+ 2002, BAKI+ 2002, BALY+ 2004b] and recommending a visit to the most interesting crypto lounge of Barreto [BAR], which provides a very complete source of information.

For simplicity, we assume that C has an F_q-rational Weierstraß point, which we choose as the point at infinity P_∞. That implies that we can describe the affine part of C by an equation

y + h(x)y = f(x)

with a polynomial f of odd degree. As explained in Section 4.4.6.a, we can represent elements in J_C(F_{q^k}), or alternatively divisor classes D of degree in Pic^0_{C·F_{q^k}}, by divisors of the form

D − gP_∞

with D an effective divisor of C of degree g rational over F_{q^k}. If we
assume that D is reduced (see Section 4.4.6.a) the representation of D depends only on the choice of the Weierstraß point.

We will first specify the context we are interested in and recall the definition of the Tate–Lichtenbaum pairing in this context.

16.1.1 The setting

As usual in cryptographic applications, we shall work in a cyclic subgroup of prime order . We shall assume that  is large. The most interesting case is that 2 does not divide the order of J_C(F_q). We shall assume this in the future.

Let k be the smallest integer such that  divides q^k −. Thus, F_{q^k} is obtained by adjoining the -th roots of unity to F_q. The number k is called the embedding degree (with respect to ). In most of the constructive applications of the Tate pairing we have k >.

The following remarks are easy but important consequences of our definitions and assumptions.

Remarks 16.1
(i) For e < k there are no -th roots of unity in the field F_{q^e} and so every element in F_{q^e} is an -th power.
(ii) The group J_C(F_{q^k}) has no element of order 2.

More generally, it may happen that we have to deal with the whole group J_C(F_q). In this case, k is chosen such that the exponent of J_C(F_q) divides q^k −.

Using Remarks 16.1, we can identify J_C(F_{q^k})/J_C(F_{q^k}) with J_C(F_{q^k})[]. But on the other side we have great freedom to choose a convenient representative in the class Q + J_C(F_{q^k}), which can be used to simplify computations, and we shall do this rather often in the following.

So, even when we are interested in computing the Tate–Lichtenbaum pairing T over the field F_{q^k} between elements P of order  in J_C(F_q) and elements Q of order  in J_C(F_{q^k}), we shall identify Q with a class in J_C(F_{q^k})/J_C(F_{q^k}). Since the value of the pairing does not depend on the choice of the representative of the class, we can give up the condition that Q has order  and define the Tate–Lichtenbaum pairing for arbitrary Q ∈ J_C(F_{q^k}) without changing notation.

Next we remark that by definition q^k is congruent to modulo . This implies
that the subgroup J_0 ⊂ J_C(F_{q^k}) (defined as in Theorem 6.15 but with respect to the ground field F_{q^k}) is equal to J_C(F_{q^k})[], and so contains J_C(F_q)[]. Hence, we interpret (without changing the notation) the Tate–Lichtenbaum pairing for our purposes as pairing

T : J_C(F_q)[] × J_C(F_{q^k}) → F*_{q^k}/(F*_{q^k}).

Here is its explicit description. Take P ∈ J_C(F_q)[] and Q ∈ J_C(F_{q^k}). Represent P by an F_q-rational divisor D_P of degree. Let f_P be a function on C with div(f_P) = (D_P). Represent Q by a divisor D_Q of degree coprime to D_P and evaluate f_P(D_Q). Recall that for D = Σ_{R∈C} n_R R the value f_P(D) is defined by Π_{R∈C} f_P(R)^{n_R}.

Remark 16.2 In this form, the value set of the pairing consists of classes modulo -th powers. To get as value set the elements of order  in F_{q^k} we compose the pairing with the exponentiation map with exponent (q^k − 1)/. In the following, we shall always assume that we use this slight modification of the Tate–Lichtenbaum pairing without changing the notation.

16.1.2 Preparation

To implement this pairing we shall need a result following from the Riemann–Roch theorem.

Lemma 16.3 Let C be as above and k ∈ N. Let s ∈ N with s  O(lg q) and take effective divisors D_1, ..., D_s of degree  g rational over F_q. Let D be an effective divisor of degree g rational over F_{q^k} and D_2 a randomly chosen effective F_q-rational divisor of C. Then, with a high probability (depending on q) the divisor D_1 := D ⊕ D_2 is relatively prime to

Σ_{j=1}^{s} D_j + P_∞.

Remark 16.4 This lemma is of no real practical importance. In the cases that are important for cryptographic applications we shall see directly how to choose D_2.

Using a variant of Lemma 16.3, we give a heuristic algorithm to represent a divisor class (D − gP_∞) in J_C(F_{q^k}) by a difference D_1 − D_2 of effective divisors (with D_2 being F_q-rational) and D_1 + D_2 prime to a finite set of F_q-rational divisors D_1, ..., D_s of degree  g with s = O(lg q).

Algorithm 16.5 Relative prime representation
INPUT: Effective
divisors D, D_1, ..., D_s of degree g.
OUTPUT: Divisors D_1, D_2 with D_1 − D_2 = D − gP_∞ and D_1 + D_2 prime to Σ_{j=1}^{s} D_j + P_∞.

    repeat
        choose P ∈ C(F_q) and m ∈ N such that m  |J_C(F_q)|
        compute D_2 effective with D_2 − gP_∞ = m(P − P_∞)
        compute D_1 such that (D − gP_∞) − (D_2 − D_1) =
    until D_1 + D_2 is prime to Σ_{j=1}^{s} D_j + P_∞
    return (D_1, D_2)

Remarks 16.6
(i) By Lines and 3, we get a “nearly random” element in the set of effective divisors of degree g on C. Note that for many instances these steps can be done by a precomputation.
(ii) In very rare cases (D_1, D_2) will not satisfy the relative primeness condition. So the choice of another random pair (P, m) will never be necessary in practice.

16.1.3 The pairing computation algorithm

We shall give a procedure to compute the Tate–Lichtenbaum pairing that works in the general case.

16.1.3.a The basic step

To compute the Tate–Lichtenbaum pairing we first have to compute the function f_P and then evaluate it at D_Q. The basic step for the computation of f_P consists of solving the following task, which is also the key ingredient for the addition law in the Jacobian.

For given effective divisors A, A of degree g and rational over F_q, find an effective divisor B of degree g and a function G on C such that

A + A − B − gP_∞ = div(G).

We remark that G is a function on C defined over F_q, whose zero divisor and pole divisor have degree  2g. We shall always assume that the divisor B is reduced. By adding a suitable multiple of P_∞ we can and will assume that B has degree g.

16.1.3.b Representation of elements

We want to compute T(P, Q) with P ∈ J_C(F_q)[] and Q ∈ J_C(F_{q^k}). We give P by a representative D_P − gP_∞ with D_P reduced of degree g. For every multiple [i]P,  i  , we choose the same type of representation: [i]P is given by D_{P_i} − gP_∞ with D_{P_i} an F_q-rational effective divisor of degree g. So we have an identity of divisors

D_{P_i} + D_{P_j} − D_{P_{i+j}} − gP_∞ = div(h_{i,j})

for i + j   and D_{P_i} ⊕ D_{P_j} = D_{P_{i+j}}. By using Algorithm
16.5 we choose a representative D_Q = D_1 − D_2 for Q with D_2 an F_q-rational effective divisor on C such that D_1 + D_2 is prime to D_P + P_∞.

Remark 16.7 The reader should not be confused: It can happen that P = Q. Nevertheless, we choose different representations according to the different roles the elements play in the pairing.

16.1.3.c The pairing algorithm

We get the following algorithm for the computation of the Tate–Lichtenbaum pairing. For elliptic curves this algorithm was proposed by Miller to compute the Weil pairing [MIL 1986, MIL 2004].

Algorithm 16.8 Tate–Lichtenbaum pairing
INPUT: The integer  = (l−1 0 )2 with l−1 = 1, a point P ∈ J_C(F_q)[], the divisor D_P with P = D_P − gP_∞, and Q = D_Q − gP_∞ ∈ J_C(F_{q^k}).
OUTPUT: The Tate–Lichtenbaum pairing T(P, Q).

    compute D_1, D_2                  [using Algorithm 16.5 on D_Q]
    D_Q ← D_1 − D_2
    T ← D_P and f ←
    for i = l − down to
        T ← [2]T
        f ← f G(D_Q)                  [div(G) = 2T − [2]T − gP_∞]
        if i = then
            T ← T ⊕ D_P
            f ← f G(D_Q)              [div(G) = T + D_P − (T ⊕ D_P) − gP_∞]
    return (f)^((q^k − 1)/)

Remarks 16.9
(i) In Algorithm 16.8, we have to evaluate several functions G at D_Q. They have zeroes and poles at P_∞ and D_{P_i} for indices i occurring in the addition chain, depending only on the binary expansion of . We need the divisor D_Q to be prime to the divisors of these functions. By Lemma 16.3 we know that we have a very good chance that this is satisfied; or else we have to choose a new random representation for Q.
(ii) The algorithm is presented here in a double and add form and requires O(lg ) basic steps to evaluate f_P at D_Q (i.e., to compute the Tate–Lichtenbaum pairing). In the following, for clarity, we will always use this form, but the reader must keep in mind that better algorithms are available and must be used in practice. These algorithms (window methods, recoding of the exponent, use of endomorphisms of special curves if available) are described in Chapters and 15 and can be applied to our situation for pairings without difficulties.
(iii) While executing Algorithm 16.8 we have to evaluate quotients of polynomials and so inversions occur. But, as is easily seen, we can postpone these inversions by multiplying and squaring denominators, and then we have to execute just one inversion in F_{q^k} at the end of the algorithm.
(iv) The algorithm depends heavily on the Hamming weight of , and if we have the opportunity to have an  with small Hamming weight, such as a Solinas prime [SOL 1999a], for instance, it should be taken. In fact, the same remark applies if the order N of J_C(F_q) has low Hamming weight [GAHA+ 2002]. We replace -elements by the whole Mordell–Weil group J_C(F_q). If N/ is sufficiently small such a choice provides computational savings. But be careful: we need more roots of unity and so k would be much larger in general (without any positive effect for security).

In constructive applications we are often in a context that k > g. For g = this just means that k is larger than. In applications to g  the assumption on k is reasonable, too. In the following section we explain which accelerations this implies.

16.1.4 The case of nontrivial embedding degree k

In this section we shall assume that k > g. As always we assume that the element P is rational over F_q and has order .

It is useful to recall that for any element P  in J_C(F_{q^e}) with e < k we get that T(P, P ) =. This can be seen by either using Example 6.10 or directly in the following way. Remember we are computing the Tate–Lichtenbaum pairing over F_{q^k} by using Algorithm 16.8. So, we have to take a representation of P  by divisors prime to (the representation of multiples of) D_P − gP_∞. This can be done over F_{q^e}. Then the result of the evaluation lies in F_{q^e} and hence (Remarks 16.1) is an -th power. Hence, we get for all elements Q ∈ J_C(F_{q^k})

T(P, Q) = T(P, Q + P ).

Now assume that Q ∈ J_C(F_{q^k})  J_C(F_{q^e}) for all e < k. Let P be represented by D_P − gP_∞ and Q by D_Q − gP_∞. We choose a random point P_0 ∈ C(F_q). Since q is assumed to be large we can
assume that P_0 is different from P_∞ and prime to the divisors D_{P_j}, which occur in the addition chain during the execution of Algorithm 16.8. Let Q be the class of D_Q − gP_0. Since D_Q − gP_0 = (D_Q − gP_∞) + (gP_∞ − gP_0) and gP_∞ − gP_0 defines an F_q-rational element in J_C(F_q) we get

T(P, Q) = T(P, Q ).

Let P  be a point on C(F_q), which appears in D_{P_j} =: D_j (for some j) as well as in D_Q. Then all conjugates of P  appear in D_j and so P  is rational over a field F_{q^e} with e < k.

First assume that e | k. Then the divisor class of P  − P_0 lies in J_C(F_{q^e}) and so we can subtract P  − P_0 from D_Q − gP_0 without changing the Tate–Lichtenbaum pairing (see discussion above).

Assume now that e does not divide k and define

e_1 = k / gcd(k, e),    k_1 = e / gcd(k, e).

So F_{q^{e_1}} is a proper subfield of F_{q^k} and the composite field of F_{q^k} with F_{q^e} is equal to F_{q^{k k_1}}. It follows that the conjugates of P  over F_{q^{e_1}} are the same as the conjugates of P  over F_{q^k} and so the divisor

Σ_{j=1}^{k_1} φ^j_{q^{e_1}} P  − k_1 P_0

is an F_{q^{e_1}}-rational sub-summand of D_Q − gP_0. Hence, it can be subtracted from D_Q − gP_0 without changing the Tate–Lichtenbaum pairing.

We summarize and get the following proposition.

Proposition 16.10 Let
• C be a hyperelliptic curve of genus g defined over F_q such that  | |J_C(F_q)| and 2 does not divide |J_C(F_q)|
• k be the smallest integer such that  | (q^k − 1) and assume that k > g
• P ∈ J_C(F_q)[], Q ∈ J_C(F_{q^k}), P and Q represented by D_P − gP_∞ resp. D_Q − gP_∞
• D_Q be the divisor obtained from D_Q by removing all sub-summands that are rational over F_{q^e} for some e < k.

Then the divisor D_Q is prime to all divisors D_{P_j} + P_∞ where D_{P_j} occurs as positive part in the standard representation of [j]P, and the Tate–Lichtenbaum pairing satisfies

T(P, Q) = f_P(D_Q)^((q^k − 1)/).

To prove Proposition 16.10, we use the discussion from above to replace D_Q by D_Q in Algorithm 16.8. To get rid of P_0 we remark that any factor in the evaluation of the functions G in the pairing algorithm that
arises by evaluating F_q-rational divisors can be omitted since we are only interested in values modulo -th powers. So we get a much simpler and faster algorithm.

Algorithm 16.11 Tate–Lichtenbaum pairing if k > g
INPUT: The integer  = (l−1 0 )2 with l−1 = 1, P = D_P − gP_∞ ∈ J_C(F_q)[], Q = D_Q − gP_∞ ∈ J_C(F_{q^k}), D_Q effective of degree g.
OUTPUT: The Tate–Lichtenbaum pairing T(P, Q).

    compute D_Q from D_Q by removing all sub-summands rational over F_{q^e} with e < k
    T ← D_P and f ←
    for i = l − down to
        T ← [2]T
        f ← f G(D_Q)                  [div(G) = 2T − [2]T − gP_∞]
        if i = then
            T ← T ⊕ D_P
            f ← f G(D_Q)              [div(G) = T + D_P − (T ⊕ D_P) − gP_∞]
    return (f)^((q^k − 1)/)

The remaining computations in the pairing algorithm are performed in F_q with the exception of the evaluations of the functions G at D_Q, which are executed by multiplications of elements of F_q with elements of F_{q^k}, since the coefficients of the functions G are in F_q. For implementation of extension field arithmetic, we refer to Chapter 11.

16.1.5 Comparison with the Weil pairing

Both in a destructive manner [MEOK+ 1993] and in a constructive manner [BOFR 2001], the use of pairings in cryptography first appeared through the use of the Weil pairing. It is defined by

W : J_C(F_q)[] × J_C(F_q)[] → µ
(P, Q) → f_P(D_Q) / f_Q(D_P)

where µ is the multiplicative group of the -th roots of unity in the algebraic closure F_q of F_q. Note that no final powering is required for the Weil pairing.

To evaluate the pairing, we have to work in a finite field F_{q^k}. We can take k  as the degree of the smallest extension of F_q over which the rank of -torsion elements is larger than g. It follows that k  k . In most cases, k is equal to k  (for instance, for elliptic curves such that  does not divide q − [BAKO 1998]) but there are cases in which we have inequality even for elliptic curves and so the underlying field used for the Tate–Lichtenbaum pairing is smaller.

Related to this is the following observation: by definition W(P, P) is
always trivial. This is not always the case for the Tate–Lichtenbaum pairing [FRMÜ+ 1999]. This point will be discussed in more detail in Section 24.2.1.b. This first advantage of the Tate–Lichtenbaum pairing concerns mostly its destructive role.

On the constructive side, we want k to be different from. The computation of the Weil pairing evidently requires two evaluations of functions, whereas only one is required for the Tate pairing so that it is usually assumed that the computation of the Weil pairing takes roughly twice as long as the computation of the Tate–Lichtenbaum pairing.

The situation is in fact worse if we take the results in Section 16.1.4 into account. The accelerations obtained there crucially depend on the fact that P is defined over F_q. It shows that the evaluation of f_P(Q) modulo -th powers is faster than the evaluation of f_Q(P) if k > or even k > g.

Moreover, in the Weil pairing we must take Q as an element of order  not lying in the cyclic group generated by P. To find such an element it is often necessary to take a random element in J_C(F_{q^k}) and then to multiply it by |J_C(F_{q^k})|/, which corresponds to the final exponentiation in the Tate–Lichtenbaum pairing. In any case we cannot use the freedom to choose a suitable representative in the class of Q modulo J_C(F_{q^k}), which enabled us to considerably simplify the pairing algorithm.

There is one additional step when we compute the Tate–Lichtenbaum pairing: the final exponentiation. Since it is costly it should be postponed whenever possible, and in fact this can be done in many protocols (cf. Chapter 24).

So, there are reasons to prefer the Tate–Lichtenbaum pairing for cryptographic use. We shall now give more explicit details for this algorithm, first in the case of elliptic curves and second in the case of hyperelliptic curves of genus.

16.2 Elliptic curves

In this section, E will denote an elliptic curve defined over F_q. In this case the Tate–Lichtenbaum pairing is
described in full detail in [FRMÜ+ 1999]. The special situation is that E can be identified with its Jacobian (after the choice of P_∞ as zero point).

16.2.1 The basic step

As we know, every divisor class of degree in E(F_q) can be uniquely represented by a divisor P − P_∞ with P ∈ E(F_q). We will describe how to find the function G that occurs in the basic step of the computation.

Take P and P  in E(F_q). We have to find a point B on E and a function G such that we have the divisor identity

P + P  − B − P_∞ = div(G).

We observe that B = P ⊕ P  is in fact the usual sum of P with P  on E, and G is given by the equations of the lines used to compute B. Let L_1 be the line through P and P  (which is the tangent to the curve at P if P = P ). This line intersects E at a third point C. Let L_2 be the (vertical) line through C and P_∞. The equations of these two lines induce two functions on the curve; the function G is nothing but L_1/L_2. In fact

div(L_1) = P + P  + C − 3P_∞
div(L_2) = C + B − 2P_∞
div(L_1/L_2) = P + P  − B − P_∞.

To clarify, we choose the usual affine coordinates and assume that P = (x_1, y_1) and Q = (x_2, y_2) and that x_1 ≠ x_2. We get

G = (Y − λ(X − x_1) − y_1) / (X + (x_1 + x_2) − λ^2), where λ = (y_1 − y_2) / (x_1 − x_2).

If P = Q we have to replace λ by the slope of the tangent to E at P to get G.

We remark that we can avoid the inversion needed to compute λ by using homogeneous coordinates. We cannot avoid that G is a rational function, so divisions occur when we evaluate the functions G at a point R. But we can reduce them easily to one inversion at the end of the addition chain (for the cost of one multiplication and, in some instances, one squaring in addition, at each step of the pairing algorithm).

16.2.2 The representation

We restrict ourselves to the most interesting case and assume that k >. As usual, we represent points R on E by the divisor R − P_∞. So, points on E play an ambiguous role, being interpreted as prime divisors or as elements on the Jacobian of E associated to the
class R − P_∞.

As  is given, the pairing algorithm involves a fixed set of prime divisors [d_j]P (denoted by D_{P_j} in the general case) whose number s is of size O(lg ). Let Q be given in the standard form Q − P_∞ with Q an F_{q^k}-rational point on E which is not rational over F_{q^e} for e < k. In particular, Q is prime to P_∞ and [d_j]P.

To justify the following algorithm we choose a number m   − different from all of the numbers d_j and take P_0 = [m]P. So P_0 is prime to all divisors occurring in the pairing algorithm. In the evaluation only the existence of the point P_0 is needed.

16.2.3 The pairing algorithm

We now give the algorithm for computing the Tate–Lichtenbaum pairing. We refer to the remark that the inversion operation in each step of the algorithm can be postponed till the end and we write down the algorithm in this version. Afterwards we give a baby example.

Algorithm 16.12 Tate–Lichtenbaum pairing for g = if k >
INPUT: The integer  = (l−1 0 )2 with l−1 = 1, the points P = (x_1, y_1) ∈ E(F_q)[] and Q = (x_2, y_2) ∈ E(F_{q^k}).
OUTPUT: The Tate–Lichtenbaum pairing T(P, Q).

    T ← P, f_1 ← and f_2 ←
    for i = l − down to
        T ← [2]T
        λ ← the slope of the tangent of E at T
        f_1 ← f_1^2 (y_2 − λ(x_2 − x_3) − y_3)
        f_2 ← f_2^2 (x_2 + (x_1 + x_3) − λ^2)
        if i = then
            [T = (x_3, y_3)]
            T ← T ⊕ P
            λ ← the slope of the line through T and P
            f_1 ← f_1 (y_2 − λ(x_2 − x_3) − y_3)
            f_2 ← f_2 (x_2 + (x_3 + x_1) − λ^2)
    return (f_1 / f_2)^((q^k − 1)/)

16.2.4 Example

Consider the elliptic curve E defined over F_13 by

y = x^3 +

Its order is  = = (111)_2 and E(F_13) is generated by the point P = (2, 1). In the addition chain, there occur

T = P, T = [2]P, T = [3]P, T = [6]P.

We can choose P_0 = [5]P. The embedding degree is because divides 13^2 − but not 13 −. Since is not a square in F_13, F_{13^2}  F_13[α] where α^2 =.

We want to compute the Tate–Lichtenbaum pairing of P and Q = (10 + 3α, 11 + 2α). Let us apply Algorithm 16.12. First, initialize f_1 = f_2 = and T = (2, 1).

Then i =. We
compute the lines L_1 and L_2 arising in the doubling of T = (x_3, y_3):

λ = 3x_3^2 / 2y_3 = 6,
L_1 = y − y_3 − λ(x − x_3) = y + 7x + 11,
L_2 = x + 2x_3 − λ^2 = x +

Then, we evaluate these functions at Q:

L_1(Q) = 11 + 2α + 7(10 + 3α) + 11 = + 10α,
L_2(Q) = (10 + 3α) + = + 3α,

so that T = [2]P = (6, 1) and

f_1 = L_1(Q) = + 10α,
f_2 = L_2(Q) = + 3α.

Since 1 = 1, we compute now the lines arising in the addition of T and P: L_1 = y + 12 and L_2 = x + 8, so that T = [3]P = (5, 12) and

f_1 = f_1 L_1(Q) = (1 + 10α)(10 + 2α) = 11 + 11α,
f_2 = f_2 L_2(Q) = (4 + 3α)(5 + 3α) = 12 + α.

The next value of i is. We compute the lines L_1 and L_2 arising in the doubling of T: L_1 = y + 5x + and L_2 = x + 11, so that T = [6]P = (2, 12) and

f_1 = f_1^2 L_1(Q) = (11 + 11α)^2 (11 + 4α) = + 6α,
f_2 = f_2^2 L_2(Q) = (12 + α)^2 (8 + 3α) = 12 + 6α.

Since 0 = 1, we now compute the lines arising in the addition of T and P: L_1 = x − and L_2 = 1, so that T = 7P = P_∞, f_1 = (1 + 6α)(8 + 3α) = + 12α and f_2 = 12 + 6α.

Thus the Tate–Lichtenbaum pairing of P and Q is

(( + 12α) / (12 + 6α))^24 = + α.

16.3 Hyperelliptic curves of genus

In Section 16.1.3.c, it is shown how to evaluate the Tate–Lichtenbaum pairing on the Jacobian of a curve, assuming an explicit reduction algorithm for divisors on the curve. For hyperelliptic curves, such an algorithm can be given by Cantor’s algorithm or by explicit formulas (see Chapter 14). We shall make this a bit more explicit in the case that g =
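Added example (not part of the book's text): Algorithm 16.12 of Section 16.2.3 run on the data of Example 16.2.4, with elements of F_{13^2} stored as pairs (a, b) = a + bα and the single inversion deferred to the end. Two values are assumptions because they are missing on this page: the curve constant 6, fixed by requiring P = (2, 1) and Q to lie on E, and α^2 = 2, fixed by the printed product (1 + 10α)(10 + 2α) = 11 + 11α. All function names are this example's own.

```python
q = 13        # base field F_13, as on the page
NONRES = 2    # assumption: alpha^2 = 2 (the value is missing on the page)
B = 6         # assumption: E: y^2 = x^3 + 6 (the constant is missing on the page)

def mul(u, v):
    """Product in F_{q^2}; the pair (a, b) stands for a + b*alpha."""
    (a, b), (c, d) = u, v
    return ((a * c + NONRES * b * d) % q, (a * d + b * c) % q)

def inv(u):
    """Inverse via the norm a^2 - NONRES*b^2, which lies in F_q."""
    a, b = u
    n = pow((a * a - NONRES * b * b) % q, -1, q)
    return (a * n % q, -b * n % q)

def power(u, e):
    """Square-and-multiply exponentiation in F_{q^2}."""
    r = (1, 0)
    while e:
        if e & 1:
            r = mul(r, u)
        u, e = mul(u, u), e >> 1
    return r

def on_curve(x, y):
    """Check y^2 = x^3 + B for coordinates given as elements of F_{q^2}."""
    x3 = mul(mul(x, x), x)
    return mul(y, y) == ((x3[0] + B) % q, x3[1])

def step(T, R, Qpt):
    """Add T and R in E(F_q); return (T + R, L1(Q), L2(Q)) where G = L1/L2."""
    (x1, y1), (x2, y2), (xq, yq) = T, R, Qpt
    if x1 == x2 and (y1 + y2) % q == 0:
        # Vertical line: T + R = P_inf, so L1 = x - x1 and L2 = 1.
        return None, ((xq[0] - x1) % q, xq[1]), (1, 0)
    if T == R:
        lam = 3 * x1 * x1 * pow(2 * y1 % q, -1, q) % q     # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % q, -1, q) % q    # chord slope
    x3 = (lam * lam - x1 - x2) % q
    y3 = (lam * (x1 - x3) - y1) % q
    l1 = ((yq[0] - y1 - lam * (xq[0] - x1)) % q, (yq[1] - lam * xq[1]) % q)
    l2 = ((xq[0] - x3) % q, xq[1])                         # vertical line at T + R
    return (x3, y3), l1, l2

def miller(P, Qpt, ell):
    """Return (f1, f2) with f_P(Q) = f1/f2; the division is deferred."""
    f1, f2, T = (1, 0), (1, 0), P
    for bit in bin(ell)[3:]:               # bits of ell below the leading one
        ops = ("dbl", "add") if bit == "1" else ("dbl",)
        for op in ops:
            if T is None:
                raise ValueError("order of P is smaller than ell")
            if op == "dbl":
                f1, f2 = mul(f1, f1), mul(f2, f2)
            T, l1, l2 = step(T, T if op == "dbl" else P, Qpt)
            f1, f2 = mul(f1, l1), mul(f2, l2)
    if T is not None:
        raise ValueError("[ell]P is not the point at infinity")
    return f1, f2

def tate_pairing(P, Qpt, ell):
    """Reduced pairing (f1/f2)^((q^2 - 1)/ell) with one inversion in total."""
    if not (on_curve((P[0], 0), (P[1], 0)) and on_curve(*Qpt)):
        raise ValueError("input point is not on the curve")
    f1, f2 = miller(P, Qpt, ell)
    return power(mul(f1, inv(f2)), (q * q - 1) // ell)

P = (2, 1)                     # generator from the page
Q_PT = ((10, 3), (11, 2))      # Q = (10 + 3*alpha, 11 + 2*alpha) from the page

if __name__ == "__main__":
    print("f1, f2 =", miller(P, Q_PT, 7), "pairing =", tate_pairing(P, Q_PT, 7))
```

Under these assumptions the loop ends with f1 = 5 + 12α and f2 = 12 + 6α, and the pairing value is 4 + α, an element of order 7 in F_{13^2}.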

Date posted: 22/06/2023, 17:06
