
Elliptic and Hyperelliptic Curve Cryptography


DOCUMENT INFORMATION

Structure

  • Table of Contents

  • List of Algorithms

  • Preface

  • 1 Introduction to Public-Key Cryptography

  • 2 Algebraic Background

  • 3 Background on p-adic Numbers

  • 4 Background on Curves and Jacobians

  • 5 Varieties over Special Fields

  • 6 Background on Pairings

  • 7 Background on Weil Descent

  • 8 Cohomological Background on Point Counting

  • 9 Exponentiation

  • 10 Integer Arithmetic

  • 11 Finite Field Arithmetic

  • 12 Arithmetic of p-adic Numbers

  • 13 Arithmetic of Elliptic Curves

  • 14 Arithmetic of Hyperelliptic Curves

  • 15 Arithmetic of Special Curves

  • 16 Implementation of Pairings

  • 17 Point Counting on Elliptic and Hyperelliptic Curves

  • 18 Complex Multiplication

  • 19 Generic Algorithms for Computing Discrete Logarithms

  • 20 Index Calculus

  • 21 Index Calculus for Hyperelliptic Curves

  • 22 Transfer of Discrete Logarithms

  • 23 Algebraic Realizations of DL Systems

  • 24 Pairing-Based Cryptography

  • 25 Compositeness and Primality Testing - Factoring

  • 26 Fast Arithmetic in Hardware

  • 27 Smart Cards

  • 28 Practical Attacks on Smart Cards

  • 29 Mathematical Countermeasures against Side-Channel Attacks

  • 30 Random Numbers - Generation and Testing

  • References

  • Notation Index

  • General Index

Contents

The Handbook of Elliptic and Hyperelliptic Curve Cryptography presents an introduction to public-key cryptography and the mathematical background for it: algebraic background, background on p-adic numbers, background on curves and Jacobians, varieties over special fields, background on pairings, background on Weil descent, cohomological background on point counting, ...

Handbook of Elliptic and Hyperelliptic Curve Cryptography

Discrete Mathematics and Its Applications, Series Editor Kenneth H. Rosen, Ph.D.

Scientific Editors: Henri Cohen and Gerhard Frey. Executive Editor: Christophe Doche. Authors: Roberto M. Avanzi, Henri Cohen, Christophe Doche, Gerhard Frey, Tanja Lange, Kim Nguyen, and Frederik Vercauteren. Contributors: Bertrand Byramjee, Jean-Christophe Courrège, Sylvain Duquesne, Bent Feix, Reynald Lercier, David Lubicz, Nicolas Thériault, and Andrew Weigl.

Published in 2006 by Chapman & Hall/CRC, Taylor & Francis Group, 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742 (Boca Raton, London, New York, Singapore). © 2006 by Taylor & Francis Group, LLC. International Standard Book Number-10: 1-58488-518-1 (Hardcover); International Standard Book Number-13: 978-1-58488-518-4 (Hardcover). Library of Congress Card Number 2005041841. Library of Congress call number QA567.2.E44H36 2005.

Dr. Henri Cohen is Professor of Mathematics at the University of Bordeaux, France. His research interests are number theory in general, and computational number theory in particular.

Dr. Gerhard Frey holds a chair for number theory at the Institute for Experimental Mathematics at the University of Duisburg-Essen, Germany. His research interests are number theory and arithmetical geometry as well as applications to coding theory and cryptography.

Dr. Christophe Doche is lecturer at Macquarie University, Sydney, Australia. His research is focused on analytic and algorithmic number theory as well as cryptography.

Dr. Roberto M. Avanzi is currently Junior Professor at the Ruhr-University, Bochum. His research interests include arithmetic and algorithmic aspects of curve-based cryptography, integer recodings and addition chains, side-channel analysis, and diophantine analysis.

Dr. Tanja Lange is Associate Professor of Mathematics at the Technical University of Denmark in Copenhagen. Her research covers mathematical aspects of public-key cryptography and computational number theory with focus on curve cryptography.

Dr. Kim Nguyen received a Ph.D. in number theory and cryptography in 2001 at the University of Essen. His first position outside academia was with the Cryptology Competence Center of Philips Semiconductors Hamburg. He currently works for the Bundesdruckerei GmbH in Berlin, Germany.

Dr. Frederik Vercauteren is a Post-Doc at the Katholieke Universiteit Leuven, Belgium. His research interests are computational algebraic geometry and number theory, with applications to cryptography.

Affiliations and contact addresses of the authors and contributors:

  • Roberto M. Avanzi, Faculty of Mathematics and Horst Görtz Institute for IT-Security, Ruhr University Bochum, Germany, Roberto.Avanzi@ruhr-uni-bochum.de

  • Bertrand Byramjee, bbyramjee@libertysurf.fr

  • Henri Cohen, Université Bordeaux I, Laboratoire A2X, France, Henri.Cohen@math.u-bordeaux1.fr

  • Jean-Christophe Courrège, CEACI, Toulouse, France, Jean-Christophe.Courrege@cnes.fr

  • Christophe Doche, Macquarie University, Department of Computing, Australia, doche@ics.mq.edu.au

  • Sylvain Duquesne, Université Montpellier II, Laboratoire I3M, France, duquesne@math.univ-montp2.fr

  • Bent Feix, CEACI, Toulouse, France, Benoit.Feix@cnes.fr

  • Gerhard Frey, University of Duisburg-Essen, IEM, Germany, frey@iem.uni-due.de

  • Tanja Lange, Technical University of Denmark, Department of Mathematics, t.lange@mat.dtu.dk

  • Reynald Lercier, Centre d’ÉLectronique de l’ARmement, France, Reynald.Lercier@m4x.org

  • David Lubicz, Centre d’ÉLectronique de l’ARmement, France, david.lubicz@math.univ-rennes1.fr

  • Kim Nguyen, nguyen.kim@web.de

  • Nicolas Thériault, University of Waterloo, Department of Combinatorics and Optimization, Canada, ntheriau@uwaterloo.ca

  • Frederik Vercauteren, Katholieke Universiteit Leuven, COSIC - Electrical Engineering, Belgium, fvercaut@esat.kuleuven.be

  • Andrew Weigl, University of Bremen, ITEM, Germany, a.s.weigl@ieee.org

General Index

hyperelliptic curve, 109, 310 characteristic polynomial, 310 eigenvalues, 311 Koblitz, 367 trace, 564 variety characteristic polynomial, 109–110 eigenvalues, 110, 111 trace, 110, 111 Frobenius morphism, 53, 59, 109, 133 see also Frobenius endomorphism Frobenius substitution, 43, 240, 250–252, 423 full adder, 627 full-graph method, 522–523 function field, 51 ideal class group, 81, 84, 306 variety, 51 fundamental domain, 416 fundamental unit, 31, 463

G

Galois extension, 28 Galois field, see finite field Galois group, 28 Gap-Diffie–Hellman group, 10, 574 Gauß period, 34 general , 35 Gaudry’s algorithm, 517 see also index calculus Gauß sum, 599 Gaussian normal basis, 35, 240 p-adic field, 240, 252, 261, 433 see also optimal normal basis gcd integer, 190–197 binary extended, 195 Euclid extended, 191 generalized binary, 195 Lehmer extended, 192 polynomial, 222 general number field sieve (GNFS), 612 generalized binary gcd, 195 generalized projective coordinates, 271 generated carry, 629 generating set, 24 generic algorithm, 478, 554 genus, 68, 304 Hurwitz formula, 68 hyperelliptic curve, 73, 304 ghost bit basis, 217 GHS algorithm, 131, 531, 538 Artin–Schreier curve, 536 magic number, 532
see also Weil descent glitch attack, 683 GLV curve, 377–380 basis of the endomorphism ring, 378 combination with Koblitz curves, 381 computation of expansion, 379 countermeasures against side-channel attacks, 713–714 elliptic curve, 377 generalizations, 380–381 hyperelliptic curve, 380 GMP, 169, 176 GNFS, see general number field sieve Goldwasser–Killian test, 598 Goubin’s refined power analysis, 680–682 greatest common divisor, see gcd group, 19, 19–21 abelian, 20 action, 21 cyclic, 20 Galois, 28 homomorphism, 21 kernel, 21 index, 20 inverse, 20 normal, 20 order, 20 quotient, 20 subgroup, 20 unit element, 20

H

half adder, 628 halve and add scalar multiplication algorithm, 301 halving map, 299 Hamming weight, 147, 158, 234, 393, 491, 558, 677 hardware addition, see addition in hardware binary field, see binary field in hardware inversion, 645–646 modular reduction, see modular reduction in hardware multiplication, see multiplication in hardware hardware random number generator, 721 hash function, 12 hash function on the Jacobian, 590 Hasse–Weil interval, 112, 410 Hasse–Weil theorem, 110, 112, 278, 310 HECDSA, see hyperelliptic curve digital signature algorithm Hensel odd division, 180 see also Montgomery reduction Hessian form of an elliptic curve, 275–276 heuristics of class number, 564 hidden field equations (HFE), 15 higher order differential power analysis, 680 Hilbert class field, 99 Hilbert class polynomial, 99, 456 computation, 457 holomorphic differential, 76 homogeneous coordinates, 46, 69 see also projective coordinates ideal, 47 polynomial, 46 homomorphism abelian variety, 57 complex, 29 connected component of the unity of ker(ϕ), 58 field, 23 group, 21 kernel, 21 real, 29 homothetic lattices, 97 Horner-like scheme, 227 Hurwitz genus formula, 68 hyperelliptic curve, 73, 303, 552–553 addition in atomic blocks, 694 addition law, 304, 308 arithmetic genus 2, 313–347 genus in even characteristic, 334–347 genus in odd characteristic, 320–334 genus 3, 348–352 BH curve, 381 canonical lift, 442 Cantor’s algorithm, 308, 552 cardinality, 310–311 Hasse–Weil interval, 410 Hasse–Weil theorem, 110, 112, 310 characteristic polynomial of the Frobenius, 310 class polynomial, 107, 462, 463, 465, 466, 472 computation, 462, 472 comparison of coordinate systems, 325, 344 complex multiplication, 104, 310, 460–473 computation of theta constant, 465 construction, 469 curve with automorphisms, 471 Mestre’s algorithm, 468 compression, 311–313 computation of Igusa invariants, 465 coordinates, see coordinates for hyperelliptic curves divisor class group Pic^0_C of C of degree zero, 306 doubling in atomic blocks, 694 dual isogeny, 309 eigenvalues of the Frobenius endomorphism, 311 endomorphism, 310 Frobenius endomorphism, 109, 310 genus, 73, 304 group law, 304 group structure of the F_q-rational points J_C(F_q)[n], 111 ideal class group, 83–85, 306 Igusa invariants, 101, 107, 462 index calculus method, 511 isogeny, 309 isomorphism, 74, 308 Koblitz curve, 367–376 Mestre’s invariants, 102, 468 Montgomery like form, 329 nonsingular, 304 p-rank of a hyperelliptic curve, 310 pairing, 122, 390–392, 394, 398 embedding degree, 123, 390, 573 Tate–Lichtenbaum, 398 period lattice, 462 period matrix, 100, 462, 463 Picard group, 306 random divisor class, 307 Riemann theta divisor, 100 Rosenhain model, 104, 472 Serre bound, 112 Shioda invariants, 104, 472 smooth, 304 supersingular, 310, 584, 585 arithmetic, 340 theta characteristic, 100, 444 theta constants, 100, 444, 463 torsion point, 309 trace zero variety, 383–387 Weierstraß equation, 74, 83, 304 Weierstraß point, 73, 304 hyperelliptic curve digital signature algorithm (HECDSA) generation, 570 verification, 570 hyperelliptic involution, 73, 512 hypersurface, 47

I

ID-based cryptography, 576–578 decryption, 577 encryption, 576 parameters, 382 ideal, 21 above pZ, 31 coprime, 22 finitely generated, 22 fractional, 30, 549 homogeneous, 47 inert, 31 maximal, 22 prime, 22 principal, 22 product, 30 ramified, 31 split, 31 ideal class group, 81–83 hyperelliptic curve, 83–85, 306 Mumford representation, 84, 306 relation with divisor class group, 81, 306 identity-based, see ID-based Igusa invariants, 101, 107, 462 computation, 465 imaginary quadratic curve, 83, 304 incompletely reduced number, 202 index calculus, 495–527, 554–555 arithmetical formation, 496–497 automorphism of the group, 505–506 factor base, 496 filtering, 503–505 merging, 504–505 pruning, 504 finite field, 506–507 hyperelliptic curve, 511–527 Adleman–DeMarrais–Huang algorithm, 512–516 B-smooth divisor, 512 concentric circles method, 525–527 double large primes, 521–522 Enge–Gaudry’s theorem, 516 factor base, 512, 515, 517 full-graph method, 522–523 Gaudry’s algorithm, 517 general algorithm, 511–512 harvesting, 518–519 hyperelliptic involution, 512 refined factor base, 517–518 relation search, 513–514 simplified graph method, 523–525 single large prime, 520–521 large primes, 507–509 large prime, 507–508 , 508–509 more , 509 linear algebra, 500–503 see also Lanczos’ method and Wiedemann’s method prime, 496 relation search, 499–500 parallelization, 500 smoothness bound, 496 via hyperplane sections, 541 Waterloo variant, 508 index of a group, 20 indistinguishability, 729 induced morphism, 52 industrial-grade prime, 591 inert ideal, 31 inertia degree, 43 integer arithmetic, 169–199 addition, 173 concatenation, 187 division, see division of integers exact division, 189, 204 gcd, see gcd of integers integer square root, 198 multiplication, see multiplication of integers reduction, see modular reduction square root, 198 squaring, see squaring of integers subtraction, 173 integer factorization problem, 1, 7, 479 integer ring of a number field, 29 integral basis, 29 integral domain, 21 integrally closed ring, 30 interleaved multiplication-reduction, 203 invalid curve attack, 569, 706 invasive attacks, 670–673 inverse limit, 40 inverse of a fractional ideal, 30 inverse of a group element, 20 inverse of a ring element, 23 inverse square root of p-adic numbers, 248 inversion binary field, 222–225 binary method, 223 extended gcd, 222 Itoh and Tsujii algorithm, 225 Lagrange’s theorem, 224 hardware, 645–646 integers, see division of integers optimal extension field, 233–234, 237 p-adic numbers, 247 prime field, 205–209 almost Montgomery inverse, 208 Montgomery inverse, 208 plus-minus method, 206 simultaneous, 209, 283, 296, 327 Thomas et al. method, 207 involution of a hyperelliptic curve, 73, 512 irreducible subset of a topological space, 48 isogeny abelian variety, 58 over C, 94 degree, 59, 277 dual, 277 elliptic curve, 277, 282 point counting, 415, 419, 420, 424, 435, 439 Vélu’s formulas, 415 hyperelliptic curve, 309 purely inseparable, 59 separable, 59 isomorphism abelian variety, 58 elliptic curve, 71, 273–276 admissible change of variables, 274 Hessian form, 275–276 Jacobi model, 275, 696 Legendre form, 275 field, 25 hyperelliptic curve, 74, 308 variety, 52 Itoh and Tsujii inversion, 225

J

j-function, 97, 417 j-invariant, 71, 72, 97, 268 Jacobi criterion, 64 Jacobi model, 275, 696 Jacobi sum, 600 Jacobian coordinates, 282, 292–295, 297 see also Chudnovsky Jacobian coordinates, modified Jacobian coordinates, and simplified Chudnovsky Jacobian coordinates Jacobian variety, 78, 77–80 Java Card, 659 Jebelean exact division, 189, 204 joint Hamming weight, 156 joint sparse form, see JSF JSF, 155 simple, 156 τJSF, 365

K

Karatsuba integer division, 188 integer multiplication, 176, 202 integer squaring, 178 polynomial multiplication, 220, 227, 236, 244, 317 Kedlaya’s algorithm, 449 kernel of a group homomorphism, 21 key exchange contributory, 575 multiparty, 574 noncontributory, 575 key generation, 11 Knapsack problem, 14 Koblitz curve τ-adic expansion, 358, 368 alternative generation of τ-adic expansion, 375 combination with GLV method, 381 countermeasures against differential side-channel attacks, 711–713 simple side-channel attacks, 709–711 elliptic curve, 356–367 τJSF, 365 length reduction of the τ-adic expansion, 359–362 main subgroup membership, 359 τNAF, 358 τNAF_w, 363 hyperelliptic curve, 367–376 length reduction of the τ-adic expansion, 371–373 Koyama–Tsuruoka recoding, 152 Kronecker relation, 425 Kronecker–Jacobi symbol, 36 Kummer surface, 329

L

-adic Tate module, 61 L-polynomial of a curve, 135, 407 L-rational points, 46 Lanczos’ method, 500–503, 517 LCG, see linear congruential generator least significant digit, 170 left-to-right binary method, 146, 210, 253, 261 Legendre form, 275 Legendre symbol, 36, 210 Legendre–Kronecker–Jacobi symbol, 36, 235 Lehmer extended gcd, 192 Lempel–Ziv compression algorithm, 160 Lercier–Lubicz’ algorithm, 253, 434 library and software apecs, 267 BigNum, 169 FreeLip, 169 GMP, 169, 176 Lidia, 201 Magma, 201, 267 Maple, 267 NTL, 201 PARI/GP, 267, 467 SIMATH, 267 ZEN, 201 Lidia, 201 lift of an element in a valuation ring, 41 lift of p-adic numbers Hensel, 250, 249–250, 428 Newton, 246–249 generalized, 257, 447 Teichmüller, 241, 257, 258 light attack, 684 linear complexity of a sequence, 732 linear congruential generator (LCG), 720 linearly independent vectors, 24 little endian, 171 local ring of a point, 64 local Tate pairing, 118 López–Dahab coordinates, 293–295, 297 Lubin–Serre–Tate theorem, 423 Lucas pseudoprime, 595 Lucas pseudoprime test, 595 Lucas sequence, 357

M

Möbius function, 33 magic number, 532 Magma, 201, 267 man-in-the-middle attack, 10 Maple, 267 apecs, 267 Massey–Omura multiplier, 643 Mastrovito multiplier, 642 match and sort, 421 see also SEA algorithm maximal ideal, 22 maximal order, 30 memory management unit, 655 memory only card, see synchronous card Mersenne prime, 182, 207, 533, 556, 640 pseudo- , 230 Mestre’s algorithm for complex multiplication, 468 Mestre’s invariants, 102, 468 micromodule, 648 microprocessor card, see asynchronous card Miller’s pairing computation algorithm, 122, 392 minimal 2-torsion for an elliptic curve, 299 minimal polynomial of an algebraic element, 25 mixed coordinates elliptic curve, 283–285, 296–298 hyperelliptic curve, 325–328, 344–345 modified Jacobian coordinates, 282–284 modular function, 97 modular polynomial, 416–419 canonical, 418 classical, 418 Kronecker relation, 425 modular reduction, 178–184 Barrett method, 179, 182, 202, 203, 210, 606 hardware, 638–641 incomplete reduction, 640 special moduli, 640 modulo several primes, 184 remainder tree, 184 scaled remainder tree, 184 modulo special integers, 183, 182–184 Mersenne prime, 182 NIST prime, 183 Montgomery reduction, 181, 180–182 Montgomery representation, 180 residue number system arithmetic, 197 see also interleaved multiplication-reduction module, 24 monobit test, 726 Monsky–Washnitzer cohomology, 136, 139, 451, 567 Montgomery almost inverse, 208 exponentiation, 210 inversion, 208 multiplication, 204 reduction, 181, 180–182 coarsely integrated operand scanning method, 640 hardware, 639–640 representation, 180 Montgomery coordinates on an elliptic curve, 285–288, 696 Montgomery form of an elliptic curve, 285, 286, 288 Montgomery like form of hyperelliptic curve, 329 Montgomery’s ladder, 148, 287, 298, 328, 331, 401, 676, 697 morphism affine variety, 52 Frobenius, 53, 59, 109, 133 see also Frobenius endomorphism from A^n to A^1, 52 from A^n to A^m, 52 from V ⊂ A^n to a variety W ⊂ A^m, 52 induced, 52 projective variety, 55 most significant digit, 170 MOV attack, 530 MPQS, see multiple polynomial quadratic sieve multi-exponentiation, 154–157, 164, 377 multi-stack algorithm, 487 multiple polynomial quadratic sieve (MPQS), 611 multiplication binary field, 218–221 optimal normal basis, 220–221 polynomial basis, 218–220 hardware using left shift, 623 using right shift, 624 integers, 174–177 FFT, 177 Karatsuba method, 176, 202 schoolbook method, 174 Toom–Cook, 177 optimal extension field, 231, 236–237 p-adic numbers, 244 prime field, 202–205 interleaved with reduction, 203 Montgomery method, 204 see also squaring multiplication matrix of a normal basis, 220 density, 221 multiplicative group, 32 multiplier recoding Booth method, 625 radix-4 signed digit, 626 multiprecision, 171 multiprecision library BigNum, 169 FreeLip, 169 GMP, 169, 176 Mumford representation, 84, 306

N

n-word integer, 171 NAF, 151 NAF_w, 153 Naor–Reingold generator, 734 new coordinates for hyperelliptic curves of genus 2, 323, 342 Newton–Girard formula, 229, 408 NFS, see number field sieve Noetherian ring, 30 non-adjacent form, see NAF non-invasive attacks, 673–685 see also side-channel attacks nonempty affine part of a variety, 50 nonsingular curve, 64, 65 elliptic curve, 268 hyperelliptic curve, 304 nonsingular point, 64, 65, 268, 304 nonsupersingular elliptic curve, 273, 584 norm algebraic number, 29 endomorphism, 377 field, 26 finite field, 33 p-adic number, 41, 261–263 normal basis, 34, 224, 228 density, 221 hardware, 643–645 multiplication matrix, 220 self-complementary, 35 see also optimal normal basis normal element, 34, 218 normal extension, 27 normal group, 20 normalized valuation of a place, 65 NTL, 201 NTRU encryption system, 14 null hypothesis, 723 number field, 29, 29–31 class number, 30, 457, 480, 598 fundamental unit, 31, 463 ideal class group, 30 ideal decomposition, 31 integer ring, 29 maximal order, 30 norm, 29 order, 30 signature, 29 totally complex, 29 totally real, 29 trace, 29 number field sieve (NFS), 7, 613, 612–614

O

O-notation, o-notation, OEF, see optimal extension field ONB, see optimal normal basis one’s complement, 621 one-parameter quadratic-base test (OPQBT), 596 one-way function, OPQBT, see one-parameter quadratic-base test optimal extension field (OEF) arithmetic, 229–237 exponentiation, 231–233 inversion, 233–234, 237 multiplication, 231, 236–237 specific improvements, 235–237 square root, 234–235 trace, 235 type I, 230 type II, 230 optimal normal basis (ONB), 217–218, 221, 220–221 density, 221 multiplication matrix, 220 palindromic representation, 221 type I, 217 type II, 218 see also Gaussian normal basis oracle, 10, 478 random model, 577 order of a group, 20 order of a number field, 30 order of an element finite, 20 infinite, 20 ordinary abelian variety, 60 curve for pairings, 586–588 elliptic curve, 273, 289, 290, 584

P

p-adic exponential, 259 p-adic field absolute ramification index, 43 inertia degree, 43 unramified extension, 43, 136, 138, 239, 428, 436 p-adic integer ring, 40 p-adic logarithm, 258 p-adic norm, 41 p-adic numbers arithmetic, 239–263 fast division with remainder, 245 inverse, 247 inverse square root, 248 multiplication, 244 square root, 249 exponential, 259 Frobenius substitution, 43, 240, 250–252, 423 generalized Newton lifting, 257, 447 Hensel lifting, 250, 249–250, 428 logarithm, 258 Newton lifting, 246–249 norm, 261–263 representation Gaussian normal basis, 240, 252, 261, 433 sparse modulus, 240 Teichmüller modulus, 240 Teichmüller lift, 241, 256, 257, 258 Teichmüller modulus increment, 242 trace, 260 p-adic valuation, 41 p-rank abelian variety, 61 hyperelliptic curve, 310 padding, 170 pairing comparison of ordinary and supersingular curves, 589 computation in characteristic 3, 580 distortion map, 582 elliptic curve, 123, 396, 397 embedding degree, 123, 390, 573, 585 hyperelliptic curve, 398 improvements for elliptic curves, 400 local Tate, 118 Miller’s algorithm, 122, 392 ordinary curve, 586–588 over local fields, 118 security parameter, 585 short signature protocol, 578, 589 supersingular curve, 580, 584 Tate, 116 Tate–Lichtenbaum, 122, 390–392, 394 comparison with Weil pairing, 395 efficient computation, 400 elimination of divisions, 400 elliptic curve, 396 hyperelliptic curve, 398 subfield computations, 401 transfer of DLP, 530, 555 Weil, 115 comparison with Tate–Lichtenbaum pairing, 395 palindromic representation, 221 PARI/GP, 267, 467 pentanomial, 214 perfect field, 28 period lattice of a curve, 91, 95, 462 period matrix abelian variety, 93 curve, 93 hyperelliptic curve, 100, 462, 463 period of a pseudorandom sequence, 730 Picard curve, 83, 352, 473 Picard group curve, 76 hyperelliptic curve, 306 PID, see principal ideal domain Pila’s algorithm, 422 Pippenger’s exponentiation algorithm, 166 place of a function field, 65 plus-minus inversion method, 206 Pocklington–Lehmer test, 597 Poincaré upper half plane, 97, 416 point at infinity, 50, 74, 269–271, 306 point counting AGM, see AGM algorithm Cartier–Manin method, 411 enumeration, 407 Kedlaya’s algorithm, 449 -adic methods, 413–422 p-adic methods, 422–453 Pila’s algorithm, 422 Satoh’s algorithm, 430, 423–434, 437 Schoof’s algorithm, 413 SEA, see SEA algorithm square root algorithms, 410–411 subfield curve, 409 point halving, 299, 299–302, 365 points at infinity, 50, 550 Pollard’s kangaroo, 491–494 automorphism, 494 lambda method, 492–493 parallelization, 493–494 tame kangaroo, 492 trap, 492 wild kangaroo, 492 Pollard’s p − factoring method, 603 Pollard’s rho, 483–491 automorphisms, 490–491 collision, 483 distinguished point technique, 488, 489 factoring method, 601–603 for discrete logarithms, 488–489 match, 483 multi-stack algorithm, 487 parallelization, 489–490 random mapping, 483, 486, 489 polynomial basis, 34, 218–220, 225–226 all one polynomial, 215 anomalous, 217 ghost bit basis, 217 hardware, 642–643 pentanomial, 214 redundant, 34 redundant trinomial, 217, 228 sedimentary, 215 sparse, 34, 214, 216 trinomial, 214 polynomial complexity, 4, 548 Poulet number, 593 power consumption analysis, 675 power tree method, 160 powering, see exponentiation precision of an integer, 170 preperiod of a pseudorandom sequence, 730 primality certificate, 597 primality test, 596–601 AKS, 600 APRCL Jacobi sum, 599 Atkin–Morain ECPP, 597, 601 fastECPP, 601 Goldwasser–Killian, 598 Pocklington–Lehmer, 597 primality certificate, 597 see also compositeness test prime divisor, 66 prime field, 32 arithmetic, 201–213 exponentiation, see exponentiation in a prime field inversion, see inversion in a prime field multiplication, see multiplication in a prime field quadratic nonresidue, 36 quadratic residue, 36 reduction, see modular reduction representative of a class, 202 square root, see square root in a prime field squaring, 205 prime ideal, 22 prime number theorem, prime of an arithmetical formation, 496 primitive element, 32, 215, 217, 230 primitive polynomial, 34 principal divisor, 67, 306, 550 principal ideal, 22 principal ideal domain (PID), 22 principally polarized abelian variety, 93 probing, 671 projective closure of an affine set, 50 projective coordinates elliptic curve, 281, 283, 284, 292, 294–295, 297 hyperelliptic curve, 321, 341, 346 see also homogeneous coordinates projective point, 46, 270, 271 projective space, 46, 49 closed set, 46 open set, 46 standard covering, 50 projective variety, 48 PROM, 652 propagated carry, 629 protocols, 9, 569–571 ECDSA, 570 HECDSA, 570 ID-based cryptography, 576–578 decryption, 577 encryption, 576 multiparty key exchange, 574 short signature, 578, 589 pseudoprime, 593 Lucas, 595 strong, 594 strong Lucas, 595 pseudorandom number generator, 718–719, 729–735 public-key cryptography, public-key infrastructure, 11, 575 pure transcendental extension, 26 purely inseparable isogeny, 59

Q

quadratic nonresidue, 36 quadratic reciprocity law Legendre symbol, 36 Legendre–Kronecker–Jacobi symbol, 37 quadratic residue, 36 quadratic sieve, 508, 609–610 quadratic twist, 71, 99, 274, 279, 378, 459, 568, 735 quotient group, 20

R

Rabin polynomial irreducibility test, 214 Rabin–Miller compositeness test, 594, 596 radix, 170 radix complement, 620 RAM, 651 ramified ideal, 31 random mapping, 483, 486, 489 random oracle model, 577 random walk, 484, 489 r-adding walk, 489, 492 randomization curve equation, 700 group elements, 700 scalar, 699 randomized GLV method, 713 randomness ∞-distributed sequence, 716 autocorrelation of a sequence, 731 autocorrelation test, 729 balance of a sequence, 730 crosscorrelation of two sequences, 731 discrepancy of a sequence, 731 frequency block test, 728 hardware random number generator, 721 indistinguishability, 729 l-distributed sequence, 716 linear complexity of a sequence, 732 monobit test, 726 null hypothesis, 723 period of a pseudorandom sequence, 730 preperiod of a pseudorandom sequence, 730 pseudorandom number generator, 718–719, 729–735 Blum–Blum–Shub generator, 720 elliptic curve power generator, 733 linear congruential generator, 720 Naor–Reingold generator, 734 RANDU, 720 random number generator, 717–721 ANSI-C, 720 random sequence, 716 random walk, 727 runs test, 728 seed, 490, 719 Shannon entropy function, 716 statistical model, 723 statistical tests, 723–724 true random number generator, 718 turning point test, 728 unpredictability, 729 RANDU generator, 720 rational function, 53 divisor, 67, 306, 550 pole, 67 regular at point P, 54 zero, 67 rational map, 53 birational, 53 dominant, 53 regular at point P, 54 rational point elliptic curve, 272 hyperelliptic curve, 306 variety, 46 real homomorphism, 29 recent coordinates for hyperelliptic curves of genus 2, 346 reciprocal integer, 178 recursive integer division, 188 recursive middle product, 188 reduced divisor, 84, 307, 552 redundant trinomial basis, 217, 228 refined factor base, 517–518 register, 170, 172 remainder tree, 184 representation finite field, 33–35 integer in base b, 170 see also basis representative of a congruence class, 202 canonical, 21 centered, 21 incompletely reduced number, 202 residual logarithm, 610 residue field, 41 of a point, 64 residue number system arithmetic, 197 reverse engineering, 670 Riemann form, 93 Riemann theta divisor, 100 Riemann–Roch theorem, 68 right-to-left binary method, 146 rigid cohomology, 136 ring, 21, 21–23 characteristic, 22 commutative, 21 Dedekind, 30 ideal, 21 integrally closed, 30 inverse, 23 invertible element, 23 Noetherian, 30 p-adic integers, 40 regular functions, 64 unit, 23 ROM, 651 Rosenhain model, 104, 472 RSA, RSA assumption, RSA problem, Rück attack, 529 runs test, 728

S

Sarrus number, 593 Satoh’s algorithm, 430, 423–434, 437 SCA, see side-channel attacks scalar, 24 scalar multiplication curve with endomorphism, 376–383 elliptic curve halve and add, 301 GLV curve elliptic curve, 377–380 hyperelliptic curve, 380–381 Koblitz curve elliptic curve, 356–367 hyperelliptic curve, 367–376 Montgomery’s ladder, 287, 298, 328, 331, 401, 676 sliding window, 271, 284, 356, 678, 704 trace zero variety, 383–387 triple and add, 581 tripling, 580 see also arithmetic, elliptic curve, hyperelliptic curve, exponentiation, and special curve scalar randomization, 699 scalar restriction, 125 scaled remainder tree, 184 scanning electron microscope, 672 Schoof’s algorithm, 413 Schoof–Elkies–Atkin’s algorithm, see SEA algorithm SEA algorithm, 421, 414–422, 566 Atkin prime, 414, 415 canonical modular polynomial, 418 classical modular polynomial, 418 early abort, 468 Elkies prime, 414, 416, 419 match and sort, 421 security parameter, 585 sedimentary polynomial, 215 seed, 490, 719 self-complementary normal basis, 35 self-dual basis, 35 separable extension of a field, 27 separable isogeny, 59 Serre bound, 112 Shannon entropy function, 716 shift integer multiplication using left , 623 integer multiplication using right , 624 left, 172 right, 172 Shioda invariants, 104, 472 short signature, 578, 589 Shoup exponentiation algorithm, 227 side-channel atomicity, 691 elliptic curve addition, 690, 693 doubling, 690, 692 hyperelliptic curve addition, 694 doubling, 694 side-channel attacks (SCA), 285, 288, 328, 673–685 Bellcore attack, 683 correlation power analysis, 680 differential electromagnetic analysis, 682 differential fault analysis, 683–685 differential power analysis, 677–678 electromagnetic analysis, 682–683 fault injection, 683–685 glitch attack, 683 Goubin’s refined power analysis, 680–682 higher order differential power analysis, 680 light attack, 684 power consumption analysis, 675 simple power analysis, 675–677 timing attack, 673–675 see also countermeasures against signature of a number field, 29 signature scheme, 12 signature verification, 13 signed fractional window method, 154 signed-binary representation, 151 signed-digit representation, 151 signed-magnitude representation, 171 Silver–Pohlig–Hellman attack, see Chinese remaindering attack SIMATH, 267 simple abelian variety, 60 simple joint sparse form, 156 simple power analysis, 675–677 simple side-channel attacks (SSCA), 688 see also side-channel attacks and countermeasures against simplified Chudnovsky Jacobian coordinates, 401 simplified graph method, 523–525 simultaneous inversion modulo p, 209, 283, 296, 327 single precision integer, 171 singular point, 64, 65, 268, 304 size map, 496 sliding window exponentiation algorithm, 150, 163 scalar multiplication algorithm, 271, 284, 356, 678, 704 small subgroup attack, 569 smart card asynchronous card, 665 card system, 656 combi-card, 650 contact card, 649 contactless card, 649 coprocessor, 666 electrical properties, 650 floating gate, 652 host system, 656 invasive attacks, 670–673 memory, 651–656 EEPROM, 653 EPROM, 652 flash EEPROM, 654 FRAM, 654 PROM, 652 RAM, 651 ROM, 651 memory management unit, 655 memory only card, see synchronous card metal layers, 670 micromodule, 648 microprocessor card, see asynchronous card non-invasive attacks, 673–685 see also side-channel attacks operating system, 657 Java Card, 659 Multos, 657 Windows, 657 physical properties, 648 preprogrammed state, 652 probing, 671 reverse engineering, 670 synchronous card, 664 transmission protocol, 659–663 UART, 663 USB, 664 smooth curve, 64, 65 elliptic curve, 268 hyperelliptic curve, 304 smoothness bound, 496 SNFS, see special number field sieve Solovay–Strassen compositeness test, 595 space complexity, sparse modulus representation, 240 sparse
polynomial basis, 34, 214, 216 special curve, 355–387 countermeasures against side-channel attacks, 709–714 see also GLV curve, Koblitz curve, and trace zero variety special number field sieve (SNFS), 612 splitting field, 27 splitting ideal, 31 square and multiply, see left-to-right binary method square root binary field, 228–229 integers, 198 optimal extension field, 231, 234–235 p-adic numbers, 249 806 prime field, 212, 213 Tonnelli and Shanks square root algorithm, 212 squaring binary field, 221 integers Karatsuba method, 178 schoolbook method, 177 prime field, 205 SSCA, see simple side-channel attacks standard covering of a projective space, 50 star addition chain, 157, 225 statistical model, 723 Straus–Shamir’s trick, 155, 387, 713 see also multi-exponentiation strong Lucas pseudoprime, 595 strong pseudoprime, 594 subexponential complexity, 4, 548 subgroup, 20 subgroup generated by an element, 20 subtraction binary field, 218 integers, 173 optimal extension field, 231 prime field, 202 summation polynomial, 541 supersingular abelian variety, 61 security parameter, 585 elliptic curve, 123, 273, 279, 289, 556, 574, 580, 583 attack via pairing, 530 distortion map, 582 security parameter, 585 use in pairings, 580 hyperelliptic curve, 310, 584, 585 arithmetic, 340 security parameter, 585 use in pairings, 584 Jacobian, 310 symmetric key cryptography, synchronous card, 664 system parameter, 569 T τ -adic expansion alternative generation, 375 comparison, 374 elliptic curve General Index computation, 358 length reduction, 359–362 windowing methods, 363 hyperelliptic curve computation, 368 length reduction, 371–373 see also τ NAF, τ NAFw , and τ JSF τ -adic joint sparse form, see τ JSF τ -adic non-adjacent form, see τ NAF τ JSF, 365 τ NAF, 358 τ NAFw , 363 Tate pairing, 116, 117, 119 see also Tate–Lichtenbaum paring Tate–Lichtenbaum pairing, 122, 390, 392 characteristic 3, 580 comparison with Weil pairing, 395 computation, 391, 394 efficient computation, 400 elimination 
of divisions, 400 elliptic curve, 123, 396, 397 hyperelliptic curve, 398 ordinary curve, 586–588 subfield computations, 401 supersingular curve, 580, 584 Teichmüller lift, 256 Teichmüller modulus increment, 242 Teichmüller modulus representation, 240 theta characteristic, 100, 444 theta constant, 100, 444, 463 computation, 465 even, 100 odd, 100 Thomae formula, 446 Thurber’s algorithm for addition chain, 158 time complexity, timing attack, 673–675 Tonnelli and Shanks square root algorithm, 212 Toom–Cook multiplication, 177 torsion point abelian variety, 60 elliptic curve, 273, 413, 414 minimal 2-torsion, 299 hyperelliptic curve, 309 torus, 92 totally complex number field, 29 totally real number field, 29 trace algebraic number, 29 General Index binary field, 35 efficient computation, 229 endomorphism, 377 field, 26 finite field, 33 Frobenius endomorphism, 110, 111, 413, 426, 564 p-adic number, 260 trace zero variety, 130, 383–387, 539, 557 arithmetic, 385–387 background, 384 transcendence degree, 26 transcendental element, 26 transcendental extension, 26 transfer of DLP, 9, 529, 555–557 by pairings, 530, 555 by Weil descent, 530–543, 556 in odd characteristic, 536 to Fq -vector spaces, 529 via covers, 538 translation by point P , 57 trial division, 592 trinomial, 214 tripartite key exchange, 14 triple and add scalar multiplication algorithm, 581 tripling on an elliptic curve, 580 true random number generator, 718 trusted authority, 576 turning point test, 728 twist of an elliptic curve, 71, 99, 274, 279, 378, 459, 568, 735 see also isomorphism of elliptic curves twisted cover, 539 two’s complement, 171, 620 807 unramified extension of a p-adic field, 43, 136, 138, 239, 428, 436 USB, see universal serial bus V valuation at a point, 65 valuation ring, 41 variety absolutely irreducible, 48 birational equivalence, 53 coordinate ring, 51 dimension, 49 function field, 51 vector space, 24 basis, 24 dimension, 24 generating set, 24 linearly independent vectors, 24 scalar, 
24 vector, 24 vectorial addition chain, 158, 164 Vélu’s formulas, 415 Verschiebung abelian variety, 61 elliptic curve, 427, 443 W Wallace tree, 635, 638 Waterloo variant, 508 weak completion, see dagger ring Weierstraß equation elliptic curve, 69, 73, 268 short, 70, 73, 268 hyperelliptic curve, 74, 83, 304 Weierstraß ℘-function, 96 Weierstraß point, 73, 83, 304 U Weil descent, 90, 125, 127, 530–543, 556 unified arithmetic for elliptic curves, 694 in odd characteristic, 536 Hessian form, 696 index calculus Jacobi model, 696 via hyperplane sections, 541 unified multipliers, 644–645 over C, 89 uniformizer for the curve C at the point P , 65 trace zero variety, 539 uniformizing element, 41, 44 transfer of DLP, 530–543, 556 unit element of a group, 20 via GHS, 131, 531, 538 unit of a ring, 23 Weil pairing, 115 universal asynchronous receiver transmitter (UART), comparison with Tate–Lichtenbaum 663 pairing, 395 universal serial bus (USB), 664 see also Tate paring and Tate–Lichtenunpredictability, 729 baum paring 808 width-w τ -adic non-adjacent form, see τ NAFw width-w non-adjacent form, see NAFw Wiedemann’s method, 500–503, 517 Witt vector, 44 X X OR, see exclusive disjunction Y Yacobi’s exponentiation method, 160 Yao’s exponentiation method, 165, 227 Z Zariski topology, 46, 47 Zech’s logarithm, 33 ZEN, 201 zeta function, 134, 408, 422, 451 General Index ... 14 Arithmetic of Hyperelliptic Curves 14.1 Summary of background on hyperelliptic curves 14.1.1 Group law for hyperelliptic curves 14.1.2 Divisor class... method Elliptic curve AGM Univariate elliptic curve AGM Hyperelliptic curve AGM Kedlaya’s point counting method for p 18.4 18.5 18.12 Cornacchia’s algorithm Construction of elliptic curves... Chapter 13 this is done for elliptic curves, and in Chapter 14 one finds the results concerning hyperelliptic curves Chapter 15 is devoted to elliptic and hyperelliptic curves, which have an extra

Posted: 25/05/2021, 21:09
