Handbook of elliptic and hyperelliptic curve cryptography: Part 1

Handbook of Elliptic and Hyperelliptic Curve Cryptography DISCRETE MATHEMATICS and ITS APPLICATIONS Series Editor Kenneth H Rosen, Ph.D Juergen Bierbrauer, Introduction to Coding Theory Kun-Mao Chao and Bang Ye Wu, Spanning Trees and Optimization Problems Charalambos A Charalambides, Enumerative Combinatorics Henri Cohen, Gerhard Frey, et al., Handbook of Elliptic and Hyperelliptic Curve Cryptography Charles J Colbourn and Jeffrey H Dinitz, The CRC Handbook of Combinatorial Designs Steven Furino, Ying Miao, and Jianxing Yin, Frames and Resolvable Designs: Uses, Constructions, and Existence Randy Goldberg and Lance Riek, A Practical Handbook of Speech Coders Jacob E Goodman and Joseph O’Rourke, Handbook of Discrete and Computational Geometry, Second Edition Jonathan Gross and Jay Yellen, Graph Theory and Its Applications Jonathan Gross and Jay Yellen, Handbook of Graph Theory Darrel R Hankerson, Greg A Harris, and Peter D Johnson, Introduction to Information Theory and Data Compression, Second Edition Daryl D Harms, Miroslav Kraetzl, Charles J Colbourn, and John S Devitt, Network Reliability: Experiments with a Symbolic Algebra Environment Derek F Holt with Bettina Eick and Eamonn A O’Brien, Handbook of Computational Group Theory David M Jackson and Terry I Visentin, An Atlas of Smaller Maps in Orientable and Nonorientable Surfaces Richard E Klima, Ernest Stitzinger, and Neil P Sigmon, Abstract Algebra Applications with Maple Patrick Knupp and Kambiz Salari, Verification of Computer Codes in Computational Science and Engineering William Kocay and Donald L Kreher, Graphs, Algorithms, and Optimization Donald L Kreher and Douglas R Stinson, Combinatorial Algorithms: Generation Enumeration and Search Charles C Lindner and Christopher A Rodgers, Design Theory Alfred J Menezes, Paul C van Oorschot, and Scott A Vanstone, Handbook of Applied Cryptography Continued Titles Richard A Mollin, Algebraic Number Theory Richard A Mollin, Codes: The Guide to Secrecy from Ancient to Modern Times Richard A Mollin, Fundamental Number Theory with Applications Richard A Mollin, An Introduction to Cryptography Richard A Mollin, Quadratics Richard A Mollin, RSA and Public-Key Cryptography Kenneth H Rosen, Handbook of Discrete and Combinatorial Mathematics Douglas R Shier and K.T Wallenius, Applied Mathematical Modeling: A Multidisciplinary Approach Jörn Steuding, Diophantine Analysis Douglas R Stinson, Cryptography: Theory and Practice, Second Edition Roberto Togneri and Christopher J deSilva, Fundamentals of Information Theory and Coding Design Lawrence C Washington, Elliptic Curves: Number Theory and Cryptography DISCRETE MATHEMATICS AND ITS APPLICATIONS Series Editor KENNETH H ROSEN Handbook of Elliptic and Hyperelliptic Curve Cryptography Henri Cohen Gerhard Frey Roberto Avanzi, Christophe Doche, Tanja Lange, Kim Nguyen, and Frederik Vercauteren Boca Raton London New York Singapore Published in 2006 by Chapman & Hall/CRC Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742 © 2006 by Taylor & Francis Group, LLC Chapman & Hall/CRC is an imprint of Taylor & Francis Group No claim to original U.S Government works Printed in the United States of America on acid-free paper 10 International Standard Book Number-10: 1-58488-518-1 (Hardcover) International Standard Book Number-13: 978-1-58488-518-4 (Hardcover) Library of Congress Card Number 2005041841 This book contains information obtained from authentic and highly regarded sources Reprinted material is quoted with permission, and sources are indicated A wide variety of references are listed Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc (CCC) 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400 CCC is a not-for-profit organization that provides licenses and registration for a variety of users For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe Library of Congress Cataloging-in-Publication Data Handbook of elliptic and hyperelliptic curve cryptography / Scientific editors, Henri Cohen & Gerard Frey ; authors, Roberto M Avanzi … [et al.] p cm – (Discrete mathematics and its applications) Includes bibliographical references and index ISBN 1-58488-518-1 (alk paper) 1.Curves, Elliptic – Handbooks, manuals, etc Cryptography – mathematics handbooks, manuals, etc Machine theory – Handbooks, manuals etc I Cohen, Henri II Frey, Gerhard, 1994- III Avanzi, Roberto M IV Series QA567.2.E44H36 2005 516.’52 – dc22 2005041841 Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com Taylor & Francis Group is the Academic Division of T&F Informa plc and the CRC Press Web site at http://www.crcpress.com Dr Henri Cohen is Professor of Mathematics at the University of Bordeaux, France His research interests are number theory in general, and computational number theory in particular Dr Gerhard Frey holds a chair for number theory at the Institute for Experimental Mathematics at the University of Duisburg-Essen, Germany His research interests are number theory and arithmetical geometry as well as applications to coding theory and cryptography Dr Christophe Doche is lecturer at Macquarie University, Sydney, Australia His research is focused on analytic and algorithmic number theory as well as cryptography Dr Roberto M Avanzi is currently Junior Professor at the Ruhr-University, Bochum His research interests include arithmetic and algorithmic aspects of curve-based cryptography, integer recodings and addition chains, sidechannel analysis, and diophantine analysis Dr Tanja Lange is Associate Professor of Mathematics at the Technical University of Denmark in Copenhagen Her research covers mathematical aspects of public-key cryptography and computational number theory with focus on curve cryptography Dr Kim Nguyen received a Ph.D in number theory and cryptography in 2001 at the University of Essen His first position outside academia was with the Cryptology Competence Center of Philips Semiconductors Hamburg He currently works for the Bundesdruckerei GmbH in Berlin, Germany Dr Frederik Vercauteren is a Post-Doc at the Katholieke Universiteit Leuven, Belgium His research interests are computational algebraic geometry and number theory, with applications to cryptography Scientific Editors: Henri Cohen and Gerhard Frey Executive Editor: Christophe Doche Authors: Roberto M Avanzi, Henri Cohen, Christophe Doche, Gerhard Frey, Tanja Lange, Kim Nguyen, and Frederik Vercauteren Contributors: Bertrand Byramjee, Jean-Christophe Courrège, Sylvain Duquesne, Bent Feix, Reynald Lercier, David Lubicz, Nicolas Thériault, and Andrew Weigl Roberto M Avanzi Faculty of Mathematics and Horst Görtz Institute for IT-Security Ruhr University Bochum, Germany Bertrand Byramjee bbyramjee@libertysurf.fr Roberto.Avanzi@ruhr-uni-bochum.de Henri Cohen Jean-Christophe Courrège Université Bordeaux I Laboratoire A2X, France CEACI, Toulouse, France Jean-Christophe.Courrege@cnes.fr Henri.Cohen@math.u-bordeaux1.fr Christophe Doche Sylvain Duquesne Macquarie University Department of Computing, Australia Université Montpellier II Laboratoire I3M, France doche@ics.mq.edu.au duquesne@math.univ-montp2.fr Bent Feix Gerhard Frey CEACI, Toulouse, France University of Duisburg-Essen IEM, Germany Benoit.Feix@cnes.fr frey@iem.uni-due.de Tanja Lange Reynald Lercier Technical University of Denmark Department of Mathematics Centre d’ÉLectronique de l’ARmement France t.lange@mat.dtu.dk Reynald.Lercier@m4x.org David Lubicz Kim Nguyen nguyen.kim@web.de Centre d’ÉLectronique de l’ARmement France david.lubicz@math.univ-rennes1.fr Nicolas Thériault Frederik Vercauteren University of Waterloo, Department of Combinatorics and Optimization, Canada Katholieke Universiteit Leuven COSIC - Electrical Engineering Belgium ntheriau@uwaterloo.ca fvercaut@esat.kuleuven.be Andrew Weigl University of Bremen ITEM, Germany a.s.weigl@ieee.org § 14.5 Arithmetic on genus curves in even characteristic • 335 Type III if deg h = We will first find equations for these types of curves with the minimal number of nonzero coefficients In other words, we give an analogue of the short Weierstraß equations for elliptic curves Thanks to a change of variables of the form x → µ2 x + λ and y → µ5 y + µ4 αx2 + µ2 βx + γ (14.18) after dividing the new equation by µ10 , we can eliminate some coefficients from the equation (14.1) Proposition 14.35 A genus curve of Type I defined over F2d by an equation of the form (14.1) is isomorphic to a curve defined by an equation of one of the following forms: Type Ia Type Ib : y + (x2 + h1 x + th21 )y = x5 + εtx4 + f1 x + f0 , : y + x(x + h1 )y = x5 + εtx4 + f1 x + f0 , where ε ∈ F2 and t denotes an element of trace (t = if d is odd) The isomorphism is explicit and uses the solution of quadratic equations in characteristic explained in detail in Section 11.2.6 It is obtained using the change of variables (14.18) with ã ã ã ã ã = h2 , λ a root of h, if the Type is Ib (i.e., if Tr(h0 h2 h−2 ) = 0) and a solution of h(x) = −2 , if the Type is Ia (i.e., if Tr(h h h ) = 1), th21 h−1 2 α a root of x2 + h2 x + f4 + λ + εth−2 with ε = Tr (f4 + λ)h2 , β = (f3 + h1 α)h−1 , γ = β + h1 β + αh(λ) + f3 λ + f2 h−1 Remark 14.36 For curves of Type I, the three parameters h1 , f1 and f0 are free so that this change of variables provides 4q isomorphism classes (with q = 2d ) Proposition 14.37 A genus curve of Type II defined over F2d by an equation of the form (14.1) is isomorphic to a curve defined by an equation of the form y + xy = x5 + f3 x3 + εx2 + f0 , y + h1 xy = x5 + ε x3 + εth21 x2 + f0 , if d is odd if d is even where ε and ε are in F2 and t denotes an element of trace The isomorphism is explicit and it is obtained using the change of variables (14.18) with ã ã ã ã ã such that µ3 = h1 if d is odd and µ4 = f3 + h1 α if d is even, λ = h0 h−1 √ α = λ + f4 , and t = if d is β a root of x2 + h1 x + f2 + f3 λ + εth21 with ε = Tr (f2 + f3 λ)h−2 odd, γ = λ2 f3 + λ4 + f1 h−1 336 Ch 14 Arithmetic of Hyperelliptic Curves Remarks 14.38 (i) Finding an element µ such that µ3 = h1 is always possible if d is odd, as then 2d − (cf Remark 2.94) Even though d odd is the most common case in cryptographic applications (because of the Weil descent attack, Section 22.3), we also consider the case where d is even In this case, if h1 is not a cube, an element b can be chosen in F2d such that h1 b is a cube Moreover, the probability that this element can be chosen “small” is very high so that multiplications by b are almost for free In this case one can obtain an isomorphic curve given by an equation that is very similar to the one obtained if d is odd [L A S T 2005]: y + b−1 xy = x5 + f3 x3 + εts−2 x2 + f0 (14.19) (ii) There are only two free parameters, f3 and f0 in the first form and h1 and f0 in the second one, as opposed to three in the general case showing that this type is indeed special Thus, we obtain at most 2q isomorphism classes of curves of Type II defined over Fq if d is odd and 4q if not (iii) It is also possible to have f3 zero at the cost of a nonzero h0 , but we will see later that it is much more useful to have h0 zero For curves of Type Ib the group order is always divisible by since there exist three divisor classes of order resulting from the points with x1 = and x1 = h1 Over F2d the group order of Type Ia curves is divisible by but not by 4, which needs a quadratic extension Both types have full 2-rank, i.e., JC [2] Z/2Z × Z/2Z Type II curves have group order divisible by as h has a single root These curves have 2-rank Type III curves have 2-rank as h is constant and are thus supersingular (cf Definition 4.74 and the remark thereafter) This makes them weak under the Frey–Rück attack [F R R Ü 1994] as they always have a small embedding degree (cf Section 24.2.2 and Galbraith [G AL 2001a]) Hence, they should be avoided for discrete logarithm systems However, such curves have found an application in pairing based cryptography so that they must be considered Proposition 14.39 A genus curve of Type III defined over F2d by an equation of the form (14.1) is isomorphic to a curve defined by an equation of the form y + b−1 y = x5 + f3 x3 + f1 x + εts−2 , where we may assume that b is a “small” element of F2d such that bh0 is a fifth power and ε is in F2 For odd d we can again achieve b = Remark 14.40 With this form we not get a unique representative equation for each isomorphism class, because it is proven in [C H Y U 2002] that there are between 2q and 32q isomorphism classes for curves of Type III and the form presented here has two free parameters (f3 and f1 ) In fact, a further change of variables leads to restrictions on f1 but this involves equations of degree 16 14.5.2 Explicit formulas in even characteristic in affine coordinates (A ) The classification of the previous section allows some improvements in the formulas for the doubling Addition works the same as in the general case given in Section 14.3.2.a Of course, as some coefficients of the curve become zero or “small”, some multiplications can be easily saved in the formulas We now show how the doubling Algorithm 14.21 can be sped up for the individual types In the following, the element t of trace will always be chosen “small” and multiplications by t are not taken into account when listing the costs per step § 14.5 Arithmetic on genus curves in even characteristic 337 The major speedup is obtained when h0 = which holds for curves of Type Ib and II Lange and Stevens noticed in [L A S T 2005] that r, the resultant computed in the general formulas (see Section 14.3.2.c for more details) will simplify to the form r = u0 r˜ for some r˜ This allows us to cancel r in the expressions, so its inverse is no longer needed Moreover, they use the equation f + hv + v = ut + u2 (x + f4 ), (14.20) to avoid the computation of t0 and also the exact computation of s0 is not necessary We will now give explicit formulas for doubling an element [u, v] with deg u = (this is the general case) on each type of curve in affine coordinates In Algorithm 14.41 we give doubling formulas for a curve of Type Ia given by an equation of the form as in Proposition 14.35 In this case, h0 = so that the improvement of [L A S T 2005] cannot be used However, it is possible to use the equation (14.20) to trade off a multiplication for a squaring (which is usually more efficient in characteristic 2) as explained in [L A S T 2005] Finally, we use the fact that h0 = th21 to save a multiplication compared to the doubling formulas in [L A S T 2005] Formulas for such curves contain a lot of multiplications by h1 so that it is interesting for efficiency’s sake to choose h1 “small” For h1 = and thus h0 = t, only 15 multiplications, squarings and inversion are required for doubling Algorithm 14.41 Doubling on Type Ia curves (g = and q even) INPUT: A divisor class [u, v] with u = x2 + u1 x + u0 , v = v1 x + v0 , h21 and t with Tr(t) = OUTPUT: The divisor class [u , v ] = [2][u, v] compute t1 and precomputations z0 ← u20 , z1 ← u21 and w0 ← h1 v1 (h1 + v1 ) t1 ← z1 + v1 and w1 ← h1 u1 [3M + 2S] v , u) compute resultant r = Res(˜ r ← (u0 + th21 )(u0 + th21 + w1 ) + h21 (u0 + tz1 ) [2M] compute s1 and almost ´ ` s0 s1 ← f1 + z0 + w1 t1 + t(w1 + εu1 ) + w0 y ← f0 + εtz0 + (v0 + εtw1 )2 + h1 (u0 t1 + tw0 ) If s1 = see below [3M + S] compute s ← x + s0 /s1 and s1 w1 ← 1/(rs1 ), w2 ← rw1 and w3 ← s2 w1 w4 ← rw2 , w5 ← w42 and s0 ← u1 + yw2 note that w1 = 1/r s1 , w2 = 1/s1 , w3 = s1 and w4 = 1/s1 compute l l2 ← u1 + s0 , l1 ← u1 s0 + u0 and l0 ← u0 s0 [2M] compute u u0 ← s0 + w4 (s0 + u1 + h1 ) + εtw5 and u1 ← w4 + w5 compute v w1 ← l2 + u1 and w2 ← u1 w1 + u0 + l1 v1 ← w2 w3 + v1 + h1 + u1 w2 ← u0 w1 + l0 and v0 ← w2 w3 + v0 + h0 + u0 return [u , v ] [I + 5M + 2S] [M + S] [4M] [total complexity: I + 20M + 6S] 338 Ch 14 Arithmetic of Hyperelliptic Curves In case s = s0 , one replaces Lines 4–7 by the following lines 4’ 5’ 6’ compute s and precomputations w1 ← 1/r, s0 ← yw1 and w2 ← u0 s0 + v0 + h0 compute u u0 ← s20 + s0 + εt compute v w1 ← s0 (u1 + u0 ) + u0 + v1 + h1 and v0 ← u0 w1 + w2 [I + 2M] [S] [2M] In this case the total complexity drops to I + 12M + 4S In Algorithm 14.42 we give doubling formulas for a curve of Type Ib given by an equation of the form given in Proposition 14.35, assuming that h21 is precomputed There are, again, a lot of multiplications by h1 so that we can get many more operations for free if we are willing to choose h1 “small” Therefore we also include this possibility in parentheses Algorithm 14.42 Doubling on Type Ib curves (g = and q even) INPUT: A divisor class [u, v] with u = x2 + u1 x + u0 , v = v1 x + v0 and h21 OUTPUT: The divisor class [u , v ] = [2][u, v] compute t1 and precomputations z0 ← u20 , z1 ← u21 and w0 ← v1 (h1 + v1 ) t1 ← z1 + v1 , z2 ← h1 u1 and z3 ← εtu1 [2M + 2S (3S)] v , u) compute resultant r = Res(˜ r˜ ← u0 + h21 + z2 note that r˜ = r/u0 compute s1 and almost s0 w2 ← u1 (t1 + z3 ) + w0 and w3 ← v0 + h1 t1 s1 ← f1 + z0 + h1 w2 m0 ← w2 + w3 note that m0 = (s0 − u1 s1 )/u0 If s1 = see below [3M (M)] compute s = x + s0 /s1 and s1 w2 ← 1/(s1 ) and w3 ← u0 w2 w4 ← r˜w3 and w5 ← w42 s0 ← u1 + m0 w3 note that w2 = 1/rs1 and w4 = 1/s1 [I + 3M + S] compute u z4 ← εtw4 and u1 ← w4 + w5 u0 ← s2 + w4 (s0 + h1 + u1 + z4 ) [M + S] compute`v ´ z5 ← w2 m20 + t1 (s1 + h1 m0 ) z6 ← s0 + h1 + z4 + z5 v0 ← v0 + z2 + z1 + w4 (u0 + z3 ) + s0 z6 v1 ← v1 + w4 (u1 + s0 + εt + u1 ) + z5 return [u , v ] [6M + S (5M + S)] [total complexity: I + 15M + 5S (I + 10M + 6S)] In case s = s0 , one replaces Lines 4–6 by the following lines 4’ 5’ compute s and precomputations r , s0 ← m0 w1 and w2 ← u0 s0 + v0 w1 ← 1/˜ compute u u0 ← s20 + s0 [I + 2M] [S] § 14.5 Arithmetic on genus curves in even characteristic 6’ 339 compute v w1 ← s0 (u1 + u0 ) + u0 + v1 + h1 and v0 ← u0 w1 + w2 [2M] In this case the total complexity drops to I + 9M + 3S, resp I + 5M + 4S In Algorithm 14.43 we give doubling formulas for a curve of Type II given by an equation of the form y + h1 xy = x5 + f3 x3 + f2 x2 + f0 The number of operations required for each step is given for d odd (since it is the most frequently used case) and in parentheses for d even If d is even, h21 is precomputed Algorithm 14.43 Doubling on Type II curves (g = and q even) INPUT: A divisor class [u, v] with u = x2 + u1 x + u0 , v = v1 x + v0 , h−1 , and h1 OUTPUT: The divisor class [u , v ] = [2][u, v] compute rs1 z0 ← u20 and t1 ← u21 + f3 w0 ← f0 + v02 note that w0 = rs1 /h31 If w0 = see below [3S] compute 1/s1 and s w1 ← (1/w0 )z0 note that w1 = h1 /s1 z1 ← t1 w1 and s0 ← z1 + u1 compute u w2 ← h21 w1 , u1 ← w2 w1 and u0 ← s2 + w2 [I + 2M] [2S (2M + S)] compute v [3M + S (5M + S)] w3 ← w2 + t1 −1 v1 ← h−1 (w3 z1 + w2 u1 + f2 + v1 ) and v0 ← h1 (w3 u0 + z0 ) return [u , v ] [total complexity: I + 5M + 6S (I + 9M + 5S)] If h−1 is small then the complexity drops down by 2M in Line In case w0 = 0, one replaces Lines 2–4 by the following lines 2’ 3’ 4’ compute s and precomputations s0 ← h−1 t1 and w1 ← u0 s0 + v0 compute u u0 ← s20 compute v w2 ← s0 (u1 + u0 ) + v1 + h1 and v0 ← u0 w2 + w1 [M (2M)] [S] [2M] In this case the total complexity is 3M + 4S for h−1 = or small and 4M + 4S otherwise Summary The classification of the different types of genus curves in characteristic allows significant speedups in the formulas for doublings given in Section 14.3.2.c for general curves Indeed, the formulas for general curves in the general case require I + 22M + 5S ([L AN 2005b]) (in affine coordinates) whereas only I + 5M + 6S are needed for h(x) = x We summarize the results in Table 14.8 listing only the general cases; for h of degree and general h the case “f4 not small” does not apply, since then f4 = 340 Ch 14 Arithmetic of Hyperelliptic Curves Table 14.8 Overview h=x h = h1 x with h−1 small h = h1 x h = x2 + h1 x with h−1 small Type Ib Type Ia, h1 = Type Ia f4 small f4 not small I + 5M + 6S I + 7M + 5S I + 9M + 5S I + 10M + 6S I + 15M + 5S I + 15M + 7S I + 20M + 6S n a n a n a I + 12M + 6S I + 17M + 5S n a n a Supersingular curves Finally, Algorithm 14.44 presents the doubling formulas for supersingular curves, i.e., curves of Type III This case is included due to the recent work done with supersingular curves and identity based encryption (cf Chapter 24) The Tate–Lichtenbaum pairing on these curves (cf Chapter 16) builds on addition and doubling The costs of the doubling are given for h−1 = as for d odd this case can always be achieved Otherwise we include h−1 in the curve parameters We state the costs below for arbitrary h0 in parentheses and comment on small h−1 Algorithm 14.44 Doubling on Type III curves (g = and q even) INPUT: A divisor class [u, v] with u = x2 + u1 x + u0 , v = v1 x + v0 and h−1 OUTPUT: The divisor class [u , v ] = [2][u, v] compute s1 z0 ← u21 and z1 ← v12 w0 ← f3 + z0 note that w0 ← s1 /h0 If w0 = see below [2S] compute 1/s1 and s w1 ← 1/w0 note that w1 ← h0 /s1 s0 ← (f2 + z1 )w1 + u1 and z3 ← s2 [I + M + S] compute u w2 ← h20 w1 , u1 ← w2 w1 and u0 ← z3 [S (2M) ] compute v` ´ v1 ← h−1 + s0 ) `f1 + u0 + u0 w0 + w2 (u1 + u ´ f0 + v02 + u0 (f2 + z1 + w2 ) + h0 v0 ← h−1 return [u , v ] [3M + 2S (5M + 2S)] [total complexity: I + 4M + 6S (I + 8M + 5S)] For small h−1 we save 2M in Line In case w0 = 0, one replaces Lines 2–4 by the following lines 2’ 3’ 4’ compute s and precomputations s0 ← h−1 (f2 + z1 ) and w1 ← u0 s0 + v0 + h0 compute u u0 ← s20 compute v w2 ← s0 (u1 + u0 ) + v1 and v0 ← u0 w2 + w1 [M (2M)] [S] [2M] § 14.5 Arithmetic on genus curves in even characteristic 341 In this case the total complexity drops to 4M + S for arbitrary h0 and 3M + 3S for h−1 small including the case h0 = 14.5.3 Inversion-free systems for even characteristic when h2 = In this section we discuss inversion-free coordinate systems starting with some comments on projective coordinates It is also possible to design formulas for the Types Ia and Ib separately resulting in slightly better results All considerations for deg(h) = are postponed until the next section 14.5.4 Projective coordinates (P) Addition in projective coordinates works almost the same as in Algorithm 14.22 In Line one ˜ = h1 Z The expressions for the output change 21 ) and h additionally computes w4 = s1 (w1 + U to ˜ + r(z1 + f4 Z) U0 ← s20 + s1 z1 w4 + z2 S + R h2 (s0 + w4 ) + s1 h + h2 R + R U1 ← Sz V0 V1 V 20 + h0 Z ← w0 + h2 u0 + R ˜ 1) V 21 + h ← w1 + h2 U + R( The doubling algorithm differs so much that we give the general formulas for even characteristic only For the counting we assume h2 = and f4 = f3 = f2 = as this can be reached for each curve of Type I by a slightly different change of variables for x and allowing an arbitrary h0 Algorithm 14.45 Doubling in projective coordinates (g = 2, h2 = 0, and q even) INPUT: A divisor class represented by [U1 , U0 , V1 , V0 , Z] OUTPUT: The divisor class [U1 , U0 , V1 , V0 , Z ] = [2][U1 , U0 , V1 , V0 , Z] compute resultant and precomputations ˜ + h2 U1 ˜ ← h1 Z , ˜ h h0 ← h0 Z , Z2 ← Z and Ve1 ← h 2 ˜ e V ← h0 + h2 U0 , w0 ← V1 , w1 ← U1 and w2 ← Ve21 w3 ← Ve0 Z + U1 Ve1 and r ← Ve0 w3 + w2 U0 compute almost inverse inv1 ← Ve1 and inv0 ← w3 compute t [5M] t1 ← w1 + f3 Z2 + Zh2 V1 see Remark 14.46 ` ´ ` ´ t0 ← U1 Z(f4 U1 + h2 V1 ) + w1 + f3 Z2 + Z Z(f2 Z + V1 h1 + V0 h2 ) + w0 compute s w0 ← t0 inv0 and w1 ← t1 inv1 s3 ← (inv0 + inv1 )(t0 + t1 ) + w0 + (1 + U1 )w1 s1 ← s3 Z and s0 ← w0 + ZU0 w1 precomputations e ← Rs1 , S1 ← s21 , S0 ← s20 and w2 ← h2 s0 R ← Z2 r , R b ← Rs e s1 ← s1 s3 , s0 ← s0 s3 , S ← s0 Z and R compute l l2 ← U1 s1 , l0 ← U0 s0 and l1 ← (s1 + s0 )(U1 + U0 ) + l2 + l0 [6M + 4S] [7M] [6M + 2S] [3M] 342 Ch 14 Arithmetic of Hyperelliptic Curves compute U ` ´ ˜ ) + w2 + f4 R and U1 ← h2 R e + R2 U0 ← S0 + R s3 (h2 U1 + h [2M + S] precomputations l2 ← l2 + S + U1 , w0 ← U0 l2 + S1 l0 and w1 ← U1 l2 + S1 (U0 + l1 ) [4M] adjust e, U1 ← RU e 1 and U0 ← RU e 0 Z ← S1 R [3M] compute V ˜1) b 0+˜ b 1+h h0 ) and V1 ← w1 + h2 U1 + R(V V0 ← w0 + h2 U0 + R(V [2M] 10 11 return [U1 , U0 , V1 , V0 , Z ] [total complexity: 38M + 7S] Remark 14.46 In fact if f4 = f3 = f2 = one computes t0 differently as t0 = U1 t1 + Z2 (h2 V0 + h1 V1 ) + Zw0 using t1 = w1 + h2 ZV1 as precomputation 14.5.4.a New coordinates in even characteristic (N ) To achieve better performance in inversion-free coordinates one can introduce weighted coordinates In the following we present Lange’s [L AN 2002d, L AN 2005b] new coordinates For the general case in even characteristic it is most useful to use the set of coordinates extended by some precomputations and let N denote [U1 , U0 , V1 , V0 , Z1 , Z2 , z1 , z2 , z3 , z4 ] with ui = Ui /Z12 , vi = Vi /(Z13 Z2 ) and the precomputations z1 = Z12 , z2 = Z22 , z3 = Z1 Z2 and z4 = z1 z3 The latter is useful for additions only and leaves the costs for doublings unchanged The formulas show that Z1 and Z2 are no longer used separately Therefore they can be left out leading again to coordinates only As p = and h2 = 0, we assume f3 = f2 = 0, h2 = and include them in the algorithm (but not in the counting) only for the sake of completeness; f4 is left out completely For the addition we assume that both classes are in N If one is in A the costs are given in brackets A dedicated algorithm for N + A = N needs 37M + 5S (see [L AN 2002d]) Algorithm 14.47 Addition in new coordinates (g = 2, h2 = 0, and q even) INPUT: Two divisor classes D and D represented by D1 = [U11 , U10 , V11 , V10 , Z11 , Z12 , z11 , z12 , z13 , z14 ] and D2 = [U 21 , U20 , V21 , V20 , Z21 , Z22 , z21 , z22 , z23 , z24 ] OUTPUT: The divisor class D = [U1 , U0 , V1 , V0 , Z1 , Z2 , z1 , z2 , z3 , z4 ] = D ⊕ D precomputations e20 ← U20 z11 , Ve21 ← V21 z14 and Ve20 ← V20 z14 e21 ← U21 z11 , U U Z1 ← z11 z21 and Z3 ← z13 z23 [8M + S (7M + S)] compute resultant r = Res(U1 , U2 ) e21 , y2 ← U10 z21 + U e20 and y3 ← U11 y1 + y2 z11 y1 ← U11 z21 + U r ← y2 y3 + y12 U10 , Ze2 ← rZ3 and Z2 ← Ze2 Z1 compute almost inverse of u2 modulo u1 inv1 ← y1 and inv0 ← y3 compute s [8M (7M)] w0 ← V10 z24 + Ve20 , w1 ← V11 z24 + Ve21 , w2 ← inv0 w0 and w3 ← inv1 w1 s1 ← (inv0 + z11 inv1 )(w0 + w1 ) + w2 + w3 (z11 + U11 ) s0 ← w2 + U10 w3 precomputations s˜0 ← s0 Z1 , S0 ← s˜20 , Z1 ← s1 Z1 and R ← rZ1 [6M (none)] [10M + 3S] § 14.5 Arithmetic on genus curves in even characteristic 343 ˜21 ), U1 ← y1 s1 , s1 ← s1 Z1 and s0 ← s0 Z1 y4 ← s1 (y1 + U ˜ ← h1 z3 z1 ← Z12 , z2 ← Z22 , z3 ← Z1 Z2 , z4 ← z1 z3 and h compute l e21 , l0 ← s0 U e20 and l1 ← (s0 + s1 )(U e20 + U e21 ) + l0 + l2 l2 ← s U [3M] compute U ` ´ ˜1 s0 + y4 ) + y1 Ze2 + h U0 ← S0 + y4 U1 + y2 s1 + Z2 h2 (˜ U1 ← U1 Z1 + h2 z3 + z2 [5M] precomputations l2 ← l2 + Z1 s˜0 + h2 z3 + U1 , w0 ← l2 U0 and w1 ← l2 U1 [3M] compute V [5M] ˜ ) and V0 ← w0 + z1 (l0 + RVe20 ) + h0 z4 V1 ← w1 + z1 (l1 + RVe21 + U0 + h D ← [U1 , U0 , V1 , V0 , Z1 , Z2 , z1 , z2 , z3 , z4 ] 10 return D [total complexity: 48M + 4S (40M + 4S)] Now we consider doublings Algorithm 14.48 Doubling in new coordinates (g = 2, h2 = 0, and q even) INPUT: A divisor class represented by D = [U1 , U0 , V1 , V0 , Z1 , Z2 , z1 , z , z3 , z4 ] OUTPUT: The divisor class [U1 , U0 , V1 , V0 , Z1 , Z2 , z1 , z2 , z3 , z4 ] = [2]D compute resultant and precomputations ˜ ← z1 h0 ˜ ← z1 h1 and h h ˜ + h2 U1 and Ve0 ← h ˜ + h2 U0 Ve1 ← h ˜ 21 + h22 w1 w0 ← V12 , w1 ← U12 and w2 ← h ˜ ) + h2 w1 w3 ← z1 (h1 U1 + h2 U0 + h [8M + 3S] r ← w2 U0 + Ve0 w3 , Ze2 ← z3 r and Z2 ← Ze2 z4 compute almost inverse inv1 ← Ve1 and inv0 ← w3 compute t [5M] w3 ← f3 z12 + w1 and t1 ← w3 z2 + V1 h2 z3 t0 ← U1 t1 + w0 + z4 (V1 h1 + V0 h2 + f2 z4 ) compute s = (t inv) mod u w0 ← t0 inv0 and w1 ← t1 inv1 s1 ← (inv0 + inv1 )(t0 + t1 ) + w0 + w1 (1 + U1 ) s0 ← w0 + U0 w1 z1 precomputations ˜ ), Z1 ← s1 z1 , S0 ← s20 and z1 ← Z1 y ← h2 s0 + s1 (h2 U1 + h S ← s0 Z1 , R ← Ze2 Z1 , s0 ← s0 s1 and s1 ← Z1 s1 z2 ← Z2 , z3 ← Z1 Z2 and z4 ← z1 z3 compute l l2 ← s1 U1 , l0 ← s0 U0 and l1 ← (s1 + s0 )(U1 + U0 ) + l0 + l2 l2 ← l2 + S + h2 z3 compute U U0 ← S0 + Z2 y and U1 ← z2 + h2 z3 [6M] [8M + 3S] [3M] [M] 344 Ch 14 Arithmetic of Hyperelliptic Curves precomputations l2 ← l2 + U1 , w0 ← l2 U0 and w1 ← l2 U1 [2M] compute V [6M] V1 V0 10 ← w1 + ← w0 + z1 (l1 z1 (l0 + + RV1 + U0 ) + RV0 ) + z4 h0 z4 h1 return [U1 , U0 , V1 , V0 , Z1 , Z2 , z1 , z2 , z3 , z4 ] [total complexity: 39M + 6S] 14.5.4.b Different sets of coordinates Using the same abbreviations as in odd characteristic, we state the costs for the operations in different coordinate systems in Table 14.9 Note that contrary to the odd characteristic case the advantage of using the new coordinates is smaller We state the operation count for curves of Type Ia If in fact h has a root it is possible to design faster algorithms Table 14.9 Addition and doubling in different systems and in even characteristic with h2 = Doubling Addition Operation Costs Operation Costs 2N = P 2P = P 2N = N 2P = N 39M + 6S 38M + 7S 37M + 6S 36M + 7S — — — — — — — — — — — — 2A = A I + 20M + 6S N +P =P N +N =P N +P =N P +P =P N +N =N P +P =N A+N =P A+P =P A+P =N A+N =N A+A=A 51M + 4S 50M + 4S 49M + 4S 49M + 4S 48M + 4S 47M + 4S 39M + 5S 39M + 4S 37M + 4S 37M + 5S I + 22M + 3S 14.5.4.c Computation of scalar multiples We follow the same lines as in the odd characteristic and distinguish between precomputations and no precomputations No precomputation For cheap inversions one again uses the affine system alone If one wants to avoid inversions and has an affine input (or can allow one I to achieve this) we perform the doublings as 2N = N and the addition as A + N = N For non-normalized input we use the new coordinates for doublings and as non-normalized input system if necessary § 14.5 Arithmetic on genus curves in even characteristic 345 Table 14.10 Without precomputations in even characteristic with h2 = Systems Cost 2A = A, A + A = A 2N = N , A + N = N 2N = N , N + N = N l (4I + 82M + 21S) l (148M + 23S) l (159M + 22S) Windowing methods To obtain the table of precomputed values we need one doubling and 2w−2 − additions Here it is advantageous to choose either C3 = A or C3 = N Table 14.11 Precomputations in even characteristic with h2 = I System M A A w−1 A P 22 × w−2 25 × w−2 S w−2 −2 + 20w − 68 51 × w−2 − 17 48 × w−2 − 11 3×2 3×2 w−2 w−2 +3 + 6w − 15 4×2 w−2 +2 4×2 w−2 +2 The costs of computing scalar multiples are listed in Table 14.12 for the most useful matches of sets of coordinates We use the same abbreviations as in the odd characteristic case Again we leave out the costs for the initial conversions and mention that some constant number of operations can be saved if one considers in more detail the first doubling and the final addition/doubling Table 14.12 Windowing method in even characteristic with h2 = Systems 2A = A, A + A = A 2N = N , A + N = N 2N = N , N + N = N I l1 + K + l1 −K w+1 M S −K 20(l1 + K) + 22 lw+1 −K 37 (l1 + K) + lw+1 −K 6(l1 + K) + lw+1 −K 37(l1 + K) + 48 lw+1 −K 6(l1 + K) + lw+1 −K 6(l1 + K) + lw+1 Compared to the results in odd characteristic this case is a bit more expensive On the other hand the arithmetic in binary fields is easier to implement and usually faster and there is space for improvements taking into account the different types of curves 14.5.5 Inversion-free systems for even characteristic when h2 = Obviously this case can be considered as a special case of the previous section, but as in affine coordinates specialized doubling algorithms are much faster For the whole section we assume that the curve is given by an affine equation of the form (14.19) 346 Ch 14 Arithmetic of Hyperelliptic Curves 14.5.5.a Doubling in projective coordinates For the additions the changes are quite obvious and are simply obtained by fixing the respective curve parameters to be zero Hence, we only treat doublings in the following Algorithm 14.49 Doubling in projective coordinates (g = 2, h2 = 0, and q even) INPUT: A divisor class represented by D = [U1 , U0 , V1 , V0 , Z] and the precomputed values h21 and h−1 OUTPUT: The divisor class [U1 , U0 , V1 , V0 , Z ] = [2][U1 , U0 , V1 , V0 , Z] precomputations [9M + 4S] Z2 ← Z , z0 ← U02 , t1 ← U12 + f3 Z2 , w0 ← f0 Z2 + V02 and w1 ← z0 Z2 z1 ← t1 z0 , w2 ← h21 w1 , w3 ← w2 + t1 w0 and w4 ← w0 Z s0 ← z1 + U1 w4 and w4 ← w4 Z compute U U1 ← w1 w2 and U0 ← s20 + w2 w4 [2M + S] compute V ` ` ´ ´ w2 U1 + w3 z1 + (f2 Z2 + V12 )w5 w4 w5 ← w0 w4 and V1 ← h−1 w5 ← w5 w4 and V0 ← h−1 (w3 U0 + z0 w5 ) [11M + S] adjust Z ← w5 Z2 , U1 ← U1 w4 and U0 ← U0 w4 [3M] return [U1 , U0 , V1 , V0 , Z ] [total complexity: 25M + 6S] If h−1 is small one saves 2M, and if h1 = — as one can always achieve for odd extension degrees — 22M + 6S are used in total 14.5.5.b Recent coordinates in even characteristic (R) For h2 = we follow [L AN 2005a] and use [U1 , U0 , V1 , V0 , Z, z] with ui = Ui /Z, vi = Vi /Z and the precomputation z = Z These coordinates have the advantage of allowing faster doublings while the additions are more expensive However, usually mixed additions are chosen for implementations They are not too much slower, and furthermore, in windowing methods the number of additions is reduced considerably The formulas for new coordinates (in the sense of section 14.5.4.a) can be found in [L AN 2005b] An addition N + N takes 44M + 6S and in mixed coordinates A + N = N one needs 36M + 4S Using the conditions on the curve parameters given in (14.19) for extension of odd degrees the costs for a doubling reduce to 28M + 7S The results in brackets refer to the case in which the second input is in affine coordinates Algorithm 14.50 Addition in recent coordinates (g = 2, h2 = 0, and q even) I NPUT: Two divisor classes D and D represented by D = [U11 , U10 , V11 , V10 , Z1 , z1 ] and D = [U21 , U20 , V21 , V20 , Z2 , z2 ] OUTPUT: The divisor class [U1 , U0 , V1 , V0 , Z , z ] = D1 ⊕ D2 precomputations e21 ← U21 Z1 and U e20 ← U20 Z1 Z ← Z1 Z2 , z ← Z , U Ve21 ← V21 z1 and Ve20 ← V20 z1 compute resultant r = Res(U1 , U2 ) e21 and y2 ← U10 Z2 + U e20 y1 ← U11 Z2 + U y3 ← U11 y1 + y2 Z1 and r ← y2 y3 + y12 U10 [5M + S (none)] [6M + S (5M + S)] § 14.5 Arithmetic on genus curves in even characteristic 347 compute almost inverse of u2 modulo u1 inv1 ← y1 and inv0 ← y3 compute s w0 ← V10 z2 + Ve20 and w1 ← V11 z2 + Ve21 w2 ← inv0 w0 and w3 ← inv1 w1 s1 ← (inv0 + inv1 Z1 )(w0 + w1 ) + w2 + w3 (Z1 + U11 ) s0 ← w2 + U10 w3 precomputations Z ← s1 r , w4 ← rZ , w5 ← w42 , S ← s0 Z and Z ← Z Z s˜0 ← s0 Z , s¯1 ← s1 Z and s˜1 ← s¯1 Z compute l e21 , l2 ← L2 Z and l0 ← s˜0 U e20 L2 ← s¯1 U e21 + U e20 )(˜ l1 ← ( U s0 + s˜1 ) + l2 + l0 , l2 ← L2 + s˜0 and ˜ h1 ← h1 z 10 [8M (7M)] compute U e21 ) + Zw5 ) + ˜ h1 Z ) + y2 s˜1 U0 ← r(S + y1 (s21 (y1 + U U1 ← y1 s¯1 + w4 w5 [5M] [8M + 2S] precomputations , Z ← Z Z and l0 ← l0 Z w1 ← l2 + U1 , U1 ← U1 w w2 ← U1 w1 + (U0 + l1 ) Z and Z ← Z [5M + S] compute V ˜ ) Z , U0 ← U0 r and w2 ← U0 w1 + l0 V1 ← w2 s1 + (Ve21 + h V0 ← w2 s1 + Ve20 Z , Z ← Z 2 and z ← Z 2 return [U1 , U0 , V1 , V0 , Z , z ] [7M + S] [6M + 2S] [total complexity: 50M + 8S (43M + 7S)] If h1 = as we can always assume for d odd one more multiplication is saved in Line Algorithm 14.51 Doubling in recent coordinates (g = 2, h2 = 0, and q even) INPUT: A divisor class [U1 , U0 , V1 , V0 , Z, z] and the precomputed values h21 and h−1 OUTPUT: The divisor class [U1 , U0 , V1 , V0 , Z , z ] = [2][U1 , U0 , V1 , V0 , Z, z] precomputations Z4 ← z , y0 ← U02 , t1 ← U12 + f3 z and w0 ← Z4 f0 + V02 Z¯ ← zw0 , w1 ← y0 Z4 , y1 ← t1 y0 z and s0 ← y1 + U1 w0 Z w2 ← h21 w1 and w3 ← w2 + t1 w0 compute U U1 ← w2 w1 , w2 ← w2 Z¯ and U0 ← s20 + w2 [2M + S] compute V ` ´ V1 ← h−1 w2 U1´ + (w3 y1 + f2 Z + (V1 w0 )2 )Z Z ← Z¯ and ` ¯ U0 + y0 w0 Z ) , z ← Z 2 Z(w V0 ← h−1 return [U1 , U0 , V1 , V0 , Z , z ] [10M + 4S] [11M + 3S] [total complexity: 23M + 8S] For small h−1 we save 2M, if even h1 = a total of only 20M + 8S is needed A comparison of different sets of coordinates is given in [L AN 2005a] It also contains formulas for operations in [U1 , U0 , V1 , V0 , Z, Z Z ] in which the doublings are less efficient than in R but the additions not introduce such a big overhead In general, for curves of form (14.19) inversionfree systems will be useful only for very expensive inversions and when combined with windowing methods 348 14.6 Ch 14 Arithmetic of Hyperelliptic Curves Arithmetic on genus curves Cantor’s algorithm applies to hyperelliptic curves of arbitrary genus In this section we study arithmetic on curves of genus Again the most frequent input for addition consists of two divisor classes represented by [u1 , v1 ], [u2 , v2 ], where deg(u1 ) = deg(u2 ) = and gcd(u1 , u2 ) = These conditions guarantee that the associated reduced divisors D1 , D2 not have any point or its opposite in common and both divisors have affine points in the support For the doubling we may assume that the class is represented by [u1 , v1 ] with deg(u1 ) = and that gcd(h + 2v1 , u1 ) = This means that the support of D1 contains no Weierstraß point and there are affine points We omit the complete case study here It can be found in [P EL 2002, W OL 2004] There exists a generalization of projective coordinates to genus curves [FAWA 2004] such that one does not need inversions for the group operations, but we only state arithmetic in affine coordinates For smaller fields an inversion is less expensive in terms of multiplications and on the other hand more multiplications are needed to save the one remaining inversion The following sections give algorithms for addition of general divisor classes and for doubling of a general class For these we allow arbitrary equations of the curve and arbitrary finite ground fields Note that the number of operations might still depend on this For even characteristic we additionally state doubling formulas for one special curve As for genus 2, the addition formulas barely change with the equation of the curve but the doubling needs far fewer field operations for special equations These formulas were taken from [W OL 2004] Formulas for genus curves can also be found in [G O M A+ 2005, K U G O+ 2002] and [G U K A+ 2004] 14.6.1 Addition in most common case This section treats the addition of two different divisor classes In odd characteristic we can transform to an isomorphic curve y = f (x) In even characteristic we assume for simplicity that h(x) ∈ F2 [x] For other values of the hi some operations should be performed differently Algorithm 14.52 Addition on curves of genus in the general case INPUT: Two divisor classes [u1 , v1 ] and [u2 , v2 ] with ui = x3 + ui2 x2 + ui1 x + ui0 , vi = vi2 x2 + vi1 x + vi0 OUTPUT: The divisor class [u , v ] = [u1 , v1 ]⊕[u2 , v2 ] with u = x3 +u x +u1 x+u0 , v = v2 x + v1 x + v0 compute resultant r = Res(u1 , u2 ) (Bezout) [12M + 2S] t1 ← u12 u21 , t2 ← u11 u22 , t3 ← u11 u20 , t4 ← u10 u21 and t5 ← u12 u20 t6 ← u10 u22 , t7 ← (u20 − u10 )2 , t8 ← (u21 − u11 )2 and t9 ← (u22 − u12 )(t3 − t4 ) t10 ← (u22 − u12 )(t5 − t6 ) and t11 ← (u21 − u11 )(u20 − u10 ) r ← (u20 − u10 + t1 − t2 )(t7 − t9 ) + (t5 − t6 )(t10 − 2t11 ) + t8 (t3 − t4 ) If r ← perform Cantor’s Algorithm 14.7 compute almost inverse inv = r/u1 mod u2 [4M] inv2 ← (t1 − t2 − u10 + u20 )(u22 − u12 ) − t8 and inv1 ← inv2 u22 − t10 + t11 inv0 ← inv2 u21 − u22 (t10 − t11 ) + t9 − t7 compute s = rs ≡ (v2 − v1 )inv (mod u2 ) (Karatsuba) t12 ← (inv1 + inv2 )(v22 − v12 + v21 − v11 ) and t13 ← (v21 − v11 )inv1 [11M] § 14.6 Arithmetic on genus curves 349 t14 ← (inv0 + inv2 )(v22 − v12 + v20 − v10 ) and t15 ← (v20 − v10 )inv0 t16 ← (inv0 + inv1 )(v21 − v11 + v20 − v10 ) and t17 ← (v22 − v12 )inv2 r0 ← t15 , r1 ← t16 − t13 − t15 and r2 ← t13 + t14 − t15 − t17 r3 ← t12 − t13 − t17 , r4 ← t17 and t18 ← u22 r4 − r3 t15 ← u20 t18 , t16 ← u21 r4 and s0 ← r0 + t15 s1 ← r1 − (u21 + u20 )(r4 − t18 ) + t16 − t15 s2 ← r2 − t16 + u22 t18 If s2 = perform Cantor’s Algorithm 14.7 compute s = (s /r) and make s monic [I + 6M + 2S] w1 ← (rs2 )−1 , w2 ← rw1 , w3 ← w1 s2 , w4 ← rw2 and w5 ← w42 s0 ← w2 s0 and s1 ← w2 s1 compute z = su1 z0 ← s0 u10 , z1 ← s1 u10 + s0 u11 and z2 ← s0 u12 + s1 u11 + u10 z3 ← s1 u12 + s0 + u11 and z4 ← u12 + s1 compute u = [s(z + w4 (h + 2v1 )) − w5 ((u20 − v1 h − v12 )/u1 )]/u2 u3 u1 u0 u2 [6M] [15M] −u22 u3 ← z4 + s1 − u22 and ← − u21 + z3 + s0 + w4 h3 + s1 z4 ← w4 (h2 + 2v12 + s1 h3 ) + s1 z3 + s0 z4 + z2 − w5 − u22 u2 − u21 u3 − u20 ← w4 (s1 h2 + h1 + 2v11 + 2s1 v12 + s0 h3 ) + s1 z2 + z1 + s0 z3 + w5 (u12 − f6 ) − u22 u1 − u21 u2 − u20 u3 compute v = −(w3 z + h + v1 ) mod u [8M] t1 ← u3 − z4 and v0 ← −w3 (u0 t1 + z0 ) − h0 − v0 v1 ← −w3 (u1 t1 − u0 + z1 ) − h1 − v11 v2 ← −w3 (u2 t1 − u1 + z2 ) − h2 − v12 v3 ← −w3 (u3 t1 − u2 + z3 ) − h3 reduce u , i.e., u = (f − v h − v 2 )/u [5M + 2S] u2 ← f6 − u3 − v3 − v3 h3 u1 ← −u2 − u2 u3 + f5 − 2v2 v3 − v3 h2 − v2 h3 u0 ← −u1 − u2 u2 − u1 u3 + f4 − 2v1 v3 − v2 − v2 h2 − v3 h1 − v1 h3 compute v = −(v + h) mod u3 [3M] v2 ← −v2 + (v3 + h3 )u2 − h2 v1 ← −v1 + (v3 + h3 )u1 − h1 v0 ← −v0 + (v3 + h3 )u0 − h0 10 return [u , v ] [total complexity: I + 70M + 6S] If char(Fq ) is even, h(x) ∈ F2 [x], and f6 = then the total complexity reduces to I + 65M + 6S 14.6.2 Doubling in most common case We now state the formulas to double on general curves Compared to the addition the formulas depend much more on the equation of the curve We give the number of operations for arbitrary characteristic including characteristic For the counting we assume for simplicity that h(x) ∈ F2 [x] and f6 = For other values of the hi some operations should be performed differently The special case of h(x) = will be discussed in more detail in the next section