EllipticHyperelliptic-CohenFrey

Handbook ofElliptic andHyperellipticCurve Cryptography

DISCRETEMATHEMATICSandITS APPLICATIONSSeries EditorKenneth H. Rosen, Ph.D.Juergen Bierbrauer, Introduction to Coding TheoryKun-Mao Chao and Bang Ye Wu, Spanning Trees and Optimization ProblemsCharalambos A. Charalambides, Enumerative CombinatoricsHenri Cohen, Gerhard Frey, et al., Handbook of Elliptic and Hyperelliptic Curve CryptographyCharles J. Colbourn and Jeffrey H. Dinitz, The CRC Handbook of Combinatorial DesignsSteven Furino, Ying Miao, and Jianxing Yin, Frames and Resolvable Designs: Uses,Constructions, and ExistenceRandy Goldberg and Lance Riek, A Practical Handbook of Speech CodersJacob E. Goodman and Joseph O’Rourke, Handbook of Discrete and Computational Geometry,Second EditionJonathan Gross and Jay Yellen, Graph Theory and Its ApplicationsJonathan Gross and Jay Yellen, Handbook of Graph TheoryDarrel R. Hankerson, Greg A. Harris, and Peter D. Johnson, Introduction to InformationTheory and Data Compression, Second EditionDaryl D. Harms, Miroslav Kraetzl, Charles J. Colbourn, and John S. Devitt, Network Reliability:Experiments with a Symbolic Algebra EnvironmentDerek F. Holt with Bettina Eick and Eamonn A. O’Brien, Handbook of Computational Group TheoryDavid M. Jackson and Terry I. Visentin, An Atlas of Smaller Maps in Orientable andNonorientable SurfacesRichard E. Klima, Ernest Stitzinger, and Neil P. Sigmon, Abstract Algebra Applicationswith MaplePatrick Knupp and Kambiz Salari, Verification of Computer Codes in Computational Scienceand EngineeringWilliam Kocay and Donald L. Kreher, Graphs, Algorithms, and OptimizationDonald L. Kreher and Douglas R. Stinson, Combinatorial Algorithms: Generation Enumerationand SearchCharles C. Lindner and Christopher A. Rodgers, Design TheoryAlfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, Handbook of AppliedCryptography

Richard A. Mollin, Algebraic Number TheoryContinued TitlesRichard A. Mollin, Codes: The Guide to Secrecy from Ancient to Modern TimesRichard A. Mollin, Fundamental Number Theory with ApplicationsRichard A. Mollin, An Introduction to CryptographyRichard A. Mollin, QuadraticsRichard A. Mollin, RSA and Public-Key CryptographyKenneth H. Rosen, Handbook of Discrete and Combinatorial MathematicsDouglas R. Shier and K.T. Wallenius, Applied Mathematical Modeling: A MultidisciplinaryApproachJörn Steuding, Diophantine AnalysisDouglas R. Stinson, Cryptography: Theory and Practice, Second EditionRoberto Togneri and Christopher J. deSilva, Fundamentals of Information Theory andCoding DesignLawrence C. Washington, Elliptic Curves: Number Theory and Cryptography

DISCRETE MATHEMATICS AND ITS APPLICATIONSSeries Editor KENNETH H. ROSENHandbook ofElliptic andHyperellipticCurve CryptographyHenri CohenGerhard FreyRoberto Avanzi, Christophe Doche, Tanja Lange,Kim Nguyen, and Frederik VercauterenBoca Raton London New York Singapore

Published in 2006 byChapman & Hall/CRCTaylor & Francis Group6000 Broken Sound Parkway NW, Suite 300Boca Raton, FL 33487-2742© 2006 by Taylor & Francis Group, LLCChapman & Hall/CRC is an imprint of Taylor & Francis GroupNo claim to original U.S. Government worksPrinted in the United States of America on acid-free paper10987654321International Standard Book Number-10: 1-58488-518-1 (Hardcover)International Standard Book Number-13: 978-1-58488-518-4 (Hardcover)Library of Congress Card Number 2005041841This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted withpermission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publishreliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materialsor for the consequences of their use.No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, orother means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any informationstorage or retrieval system, without written permission from the publishers.For permission to photocopy or use material electronically from this work, please access www.copyright.com(http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC) 222 Rosewood Drive, Danvers, MA01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. Fororganizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only foridentification and explanation without intent to infringe.Library of Congress Cataloging-in-Publication DataHandbook of elliptic and hyperelliptic curve cryptography / Scientific editors, Henri Cohen & GerardFrey ; authors, Roberto M Avanzi … [et. al.].p. cm. – (Discrete mathematics and its applications)Includes bibliographical references and index.ISBN 1-58488-518-1 (alk. paper)1.Curves, Elliptic – Handbooks, manuals, etc. 2. Cryptography – mathematics -- handbooks, manuals,etc. 3. Machine theory – Handbooks, manuals etc. I. Cohen, Henri. II. Frey, Gerhard, 1994- III. Avanzi,Roberto M. IV. Series.QA567.2.E44H36 2005516.’52 – dc22 2005041841Taylor & Francis Groupis the Academic Division of T&F Informa plc.Visit the Taylor & Francis Web site athttp://www.taylorandfrancis.comand the CRC Press Web site athttp://www.crcpress.com

Dr. Henri Cohen is Professor of Mathematics at the University of Bordeaux,France. His research interests are number theory in general, and computationalnumber theory in particular.Dr. Gerhard Frey holds a chair for number theory at the Institute for ExperimentalMathematics at the University of Duisburg-Essen, Germany. Hisresearch interests are number theory and arithmetical geometry as well asapplications to coding theory and cryptography.Dr. Christophe Doche is lecturer at Macquarie University, Sydney, Australia.His research is focused on analytic and algorithmic number theory as wellas cryptography.Dr. Roberto M. Avanzi is currently Junior Professor at the Ruhr-University,Bochum. His research interests include arithmetic and algorithmic aspectsof curve-based cryptography, integer recodings and addition chains, sidechannelanalysis, and diophantine analysis.Dr. Tanja Lange is Associate Professor of Mathematics at the TechnicalUniversity of Denmark in Copenhagen. Her research covers mathematicalaspects of public-key cryptography and computational number theory withfocus on curve cryptography.Dr. Kim Nguyen received a Ph.D. in number theory and cryptography in 2001at the University of Essen. His first position outside academia was with theCryptology Competence Center of Philips Semiconductors Hamburg. Hecurrently works for the Bundesdruckerei GmbH in Berlin, Germany.Dr. Frederik Vercauteren is a Post-Doc at the Katholieke Universiteit Leuven,Belgium. His research interests are computational algebraic geometry andnumber theory, with applications to cryptography.

Scientific Editors: Henri Cohen and Gerhard FreyExecutive Editor: Christophe DocheAuthors: Roberto M. Avanzi, Henri Cohen, Christophe Doche,Gerhard Frey, Tanja Lange, Kim Nguyen, and Frederik VercauterenContributors: Bertrand Byramjee, Jean-Christophe Courrège,Sylvain Duquesne, Benoît Feix, Reynald Lercier, David Lubicz,Nicolas Thériault, and Andrew Weigl

Roberto M. AvanziFaculty of Mathematics andHorst Görtz Institute for IT-SecurityRuhr University Bochum, GermanyRoberto.Avanzi@ruhr-uni-bochum.deHenri CohenUniversité Bordeaux ILaboratoire A2X, FranceHenri.Cohen@math.u-bordeaux1.frChristophe DocheMacquarie UniversityDepartment of Computing, Australiadoche@ics.mq.edu.auBenoît FeixCEACI, Toulouse, FranceBenoit.Feix@cnes.frTanja LangeTechnical University of DenmarkDepartment of Mathematicst.lange@mat.dtu.dkDavid LubiczCentre d’ÉLectronique de l’ARmementFrancedavid.lubicz@math.univ-rennes1.frNicolas ThériaultUniversity of Waterloo,Department of Combinatoricsand Optimization, Canadantheriau@uwaterloo.caBertrand Byramjeebbyramjee@libertysurf.frJean-Christophe CourrègeCEACI, Toulouse, FranceJean-Christophe.Courrege@cnes.frSylvain DuquesneUniversité Montpellier IILaboratoire I3M, Franceduquesne@math.univ-montp2.frGerhard FreyUniversity of Duisburg-EssenIEM, Germanyfrey@iem.uni-due.deReynald LercierCentre d’ÉLectronique de l’ARmementFranceReynald.Lercier@m4x.orgKim Nguyennguyen.kim@web.deFrederik VercauterenKatholieke Universiteit LeuvenCOSIC - Electrical EngineeringBelgiumfvercaut@esat.kuleuven.beAndrew WeiglUniversity of BremenITEM, Germanya.s.weigl@ieee.org

Table of ContentsList of Algorithms . . . . . . . . . . . . . xxiiiPreface . . . . . . . . . . . . . . . xxix1 Introduction to Public-Key Cryptography . . . . . . . . 11.1 Cryptography . . . . . . . . . . . . . 21.2 Complexity . . . . . . . . . . . . . 21.3 Public-key cryptography . . . . . . . . . . . 51.4 Factorization and primality . . . . . . . . . . 61.4.1 Primality . . . . . . . . . . . . . 61.4.2 Complexity of factoring . . . . . . . . . 61.4.3 RSA. . . . . . . . . . . . . . 71.5 Discrete logarithm systems . . . . . . . . . . 81.5.1 Generic discrete logarithm systems . . . . . . . . 81.5.2 Discrete logarithm systems with bilinear structure . . . . 91.6 Protocols . . . . . . . . . . . . . . 91.6.1 Diffie–Hellman key exchange . . . . . . . . 101.6.2 Asymmetric Diffie–Hellman and ElGamal encryption . . . . 101.6.3 Signature scheme of ElGamal-type . . . . . . . 121.6.4 Tripartite key exchange . . . . . . . . . . 131.7 Other problems . . . . . . . . . . . . 14I Mathematical Background2 Algebraic Background . . . . . . . . . . . . 192.1 Elementary algebraic structures . . . . . . . . . . 192.1.1 Groups . . . . . . . . . . . . 192.1.2 Rings . . . . . . . . . . . . . 212.1.3 Fields . . . . . . . . . . . . . 232.1.4 Vector spaces . . . . . . . . . . . . 242.2 Introduction to number theory . . . . . . . . . . 242.2.1 Extension of fields . . . . . . . . . . . 252.2.2 Algebraic closure . . . . . . . . . . . 272.2.3 Galois theory . . . . . . . . . . . . 272.2.4 Number fields . . . . . . . . . . . 292.3 Finite fields . . . . . . . . . . . . . . 312.3.1 First properties . . . . . . . . . . . 312.3.2 Algebraic extensions of a finite field . . . . . . . . 322.3.3 Finite field representations . . . . . . . . . 332.3.4 Finite field characters . . . . . . . . . . 35xi

xiiTable of Contents3 Background on p-adic Numbers . . . . . . . . . . 393.1 Definition of Q p and first properties . . . . . . . . . 393.2 Complete discrete valuation rings and fields . . . . . . . 413.2.1 First properties . . . . . . . . . . . 413.2.2 Lifting a solution of a polynomial equation . . . . . . 423.3 The field Q p and its extensions . . . . . . . . . 433.3.1 Unramified extensions . . . . . . . . . . 433.3.2 Totally ramified extensions . . . . . . . . . 433.3.3 Multiplicative system of representatives . . . . . . . 443.3.4 Witt vectors . . . . . . . . . . . . 444 Background on Curves and Jacobians . . . . . . . . 454.1 Algebraic varieties . . . . . . . . . . . . 454.1.1 Affine and projective varieties . . . . . . . . 464.2 Function fields . . . . . . . . . . . . . 514.2.1 Morphisms of affine varieties . . . . . . . . 524.2.2 Rational maps of affine varieties . . . . . . . . 534.2.3 Regular functions. . . . . . . . . . . 544.2.4 Generalization to projective varieties . . . . . . . 554.3 Abelian varieties . . . . . . . . . . . . 554.3.1 Algebraic groups . . . . . . . . . . . 554.3.2 Birational group laws . . . . . . . . . . 564.3.3 Homomorphisms of abelian varieties . . . . . . . 574.3.4 Isomorphisms and isogenies . . . . . . . . 584.3.5 Points of finite order and Tate modules . . . . . . . 604.3.6 Background on l-adic representations . . . . . . . 614.3.7 Complex multiplication . . . . . . . . . . 634.4 Arithmetic of curves. . . . . . . . . . . . 644.4.1 Local rings and smoothness . . . . . . . . . 644.4.2 Genus and Riemann–Roch theorem . . . . . . . 664.4.3 Divisor class group . . . . . . . . . . . 764.4.4 The Jacobian variety of curves . . . . . . . . 774.4.5 Jacobian variety of elliptic curves and group law . . . . . 794.4.6 Ideal class group . . . . . . . . . . . 814.4.7 Class groups of hyperelliptic curves . . . . . . . . 835 Varieties over Special Fields . . . . . . . . . . . 875.1 Varieties over the field of complex numbers . . . . . . . 875.1.1 Analytic varieties . . . . . . . . . . . 875.1.2 Curves over C . . . . . . . . . . . 895.1.3 Complex tori and abelian varieties . . . . . . . . 925.1.4 Isogenies of abelian varieties over C . . . . . . . 945.1.5 Elliptic curves over C . . . . . . . . . . 955.1.6 Hyperelliptic curves over C . . . . . . . . . 1005.2 Varieties over finite fields . . . . . . . . . . . 1085.2.1 The Frobenius morphism . . . . . . . . . 1095.2.2 The characteristic polynomial of the Frobenius endomorphism . . 1095.2.3 The theorem of Hasse–Weil for Jacobians . . . . . . 1105.2.4 Tate’s isogeny theorem . . . . . . . . . . 112

Table of Contentsxiii6 Background on Pairings . . . . . . . . . . . . 1156.1 General duality results . . . . . . . . . . . 1156.2 The Tate pairing . . . . . . . . . . . . . 1166.3 Pairings over local fields . . . . . . . . . . . 1176.3.1 The local Tate pairing . . . . . . . . . . 1186.3.2 The Lichtenbaum pairing on Jacobian varieties . . . . . 1196.4 An explicit pairing . . . . . . . . . . . . 1226.4.1 The Tate–Lichtenbaum pairing . . . . . . . . 1226.4.2 Size of the embedding degree . . . . . . . . . 1237 Background on Weil Descent . . . . . . . . . . . 1257.1 Affine Weil descent . . . . . . . . . . . . 1257.2 The projective Weil descent. . . . . . . . . . . 1277.3 Descent by Galois theory . . . . . . . . . . 1287.4 Zariski closed subsets inside of the Weil descent . . . . . . 1297.4.1 Hyperplane sections . . . . . . . . . . 1297.4.2 Trace zero varieties . . . . . . . . . . . 1307.4.3 Covers of curves . . . . . . . . . . . 1317.4.4 The GHS approach . . . . . . . . . . . 1318 Cohomological Background on Point Counting . . . . . . . 1338.1 General principle . . . . . . . . . . . . 1338.1.1 Zeta function and the Weil conjectures . . . . . . . 1348.1.2 Cohomology and Lefschetz fixed point formula . . . . . 1358.2 Overview of l-adic methods. . . . . . . . . . . 1378.3 Overview of p-adic methods . . . . . . . . . . 1388.3.1 Serre–Tate canonical lift . . . . . . . . . . 1388.3.2 Monsky–Washnitzer cohomology. . . . . . . . 139II Elementary Arithmetic9 Exponentiation . . . . . . . . . . . . . 1459.1 Generic methods. . . . . . . . . . . . . 1469.1.1 Binary methods . . . . . . . . . . . 1469.1.2 Left-to-right 2 k -ary algorithm . . . . . . . . . 1489.1.3 Sliding window method . . . . . . . . . 1499.1.4 Signed-digit recoding . . . . . . . . . . 1509.1.5 Multi-exponentiation . . . . . . . . . . 1549.2 Fixed exponent . . . . . . . . . . . . . 1579.2.1 Introduction to addition chains . . . . . . . . 1579.2.2 Short addition chains search . . . . . . . . . 1609.2.3 Exponentiation using addition chains . . . . . . . 1639.3 Fixed base point . . . . . . . . . . . . . 1649.3.1 Yao’s method . . . . . . . . . . . 1659.3.2 Euclidean method . . . . . . . . . . . 1669.3.3 Fixed-base comb method . . . . . . . . . 166

xivTable of Contents10 Integer Arithmetic . . . . . . . . . . . . . 16910.1 Multiprecision integers. . . . . . . . . . . . 17010.1.1 Introduction . . . . . . . . . . . . 17010.1.2 Internal representation . . . . . . . . . . 17110.1.3 Elementary operations. . . . . . . . . . 17210.2 Addition and subtraction . . . . . . . . . . . 17210.3 Multiplication . . . . . . . . . . . . . 17410.3.1 Schoolbook multiplication . . . . . . . . . 17410.3.2 Karatsuba multiplication . . . . . . . . . 17610.3.3 Squaring . . . . . . . . . . . . . 17710.4 Modular reduction . . . . . . . . . . . . 17810.4.1 Barrett method. . . . . . . . . . . . 17810.4.2 Montgomery reduction. . . . . . . . . . 18010.4.3 Special moduli . . . . . . . . . . . . 18210.4.4 Reduction modulo several primes . . . . . . . 18410.5 Division . . . . . . . . . . . . . . 18410.5.1 Schoolbook division . . . . . . . . . . 18510.5.2 Recursive division . . . . . . . . . . . 18710.5.3 Exact division . . . . . . . . . . . 18910.6 Greatest common divisor . . . . . . . . . . . 19010.6.1 Euclid extended gcd . . . . . . . . . . 19110.6.2 Lehmer extended gcd . . . . . . . . . . 19210.6.3 Binary extended gcd . . . . . . . . . . 19410.6.4 Chinese remainder theorem . . . . . . . . . 19610.7 Square root . . . . . . . . . . . . . 19710.7.1 Integer square root . . . . . . . . . . . 19710.7.2 Perfect square detection . . . . . . . . . 19811 Finite Field Arithmetic . . . . . . . . . . . . 20111.1 Prime fields of odd characteristic . . . . . . . . . . 20111.1.1 Representations and reductions . . . . . . . . 20211.1.2 Multiplication . . . . . . . . . . . . 20211.1.3 Inversion and division . . . . . . . . . . 20511.1.4 Exponentiation. . . . . . . . . . . . 20911.1.5 Squares and square roots . . . . . . . . . 21011.2 Finite fields of characteristic 2 . . . . . . . . . . 21311.2.1 Representation . . . . . . . . . . . 21311.2.2 Multiplication . . . . . . . . . . . . 21811.2.3 Squaring . . . . . . . . . . . . 22111.2.4 Inversion and division . . . . . . . . . . 22211.2.5 Exponentiation . . . . . . . . . . . 22511.2.6 Square roots and quadratic equations . . . . . . . 22811.3 Optimal extension fields . . . . . . . . . . . 22911.3.1 Introduction . . . . . . . . . . . . 22911.3.2 Multiplication . . . . . . . . . . . 23111.3.3 Exponentiation. . . . . . . . . . . . 23111.3.4 Inversion . . . . . . . . . . . . 23311.3.5 Squares and square roots . . . . . . . . . 23411.3.6 Specific improvements for degrees 3 and 5 . . . . . . 235

Table of Contentsxv12 Arithmetic of p-adic Numbers . . . . . . . . . . 23912.1 Representation . . . . . . . . . . . . . 23912.1.1 Introduction . . . . . . . . . . . . 23912.1.2 Computing the Teichmüller modulus . . . . . . . 24012.2 Modular arithmetic . . . . . . . . . . . . 24412.2.1 Modular multiplication . . . . . . . . . . 24412.2.2 Fast division with remainder. . . . . . . . . 24412.3 Newton lifting . . . . . . . . . . . . . 24612.3.1 Inverse . . . . . . . . . . . . 24712.3.2 Inverse square root . . . . . . . . . . . 24812.3.3 Square root . . . . . . . . . . . . 24912.4 Hensel lifting . . . . . . . . . . . . . 24912.5 Frobenius substitution . . . . . . . . . . . 25012.5.1 Sparse modulus . . . . . . . . . . . 25112.5.2 Teichmüller modulus . . . . . . . . . . 25212.5.3 Gaussian normal basis . . . . . . . . . . 25212.6 Artin–Schreier equations . . . . . . . . . . . 25212.6.1 Lercier–Lubicz algorithm . . . . . . . . . . 25312.6.2 Harley’s algorithm . . . . . . . . . . 25412.7 Generalized Newton lifting . . . . . . . . . . . 25612.8 Applications . . . . . . . . . . . . . 25712.8.1 Teichmüller lift . . . . . . . . . . . . 25712.8.2 Logarithm . . . . . . . . . . . . 25812.8.3 Exponential . . . . . . . . . . . . 25912.8.4 Trace . . . . . . . . . . . . . 26012.8.5 Norm . . . . . . . . . . . . . 261III Arithmetic of Curves13 Arithmetic of Elliptic Curves . . . . . . . . . . . 26713.1 Summary of background on elliptic curves . . . . . . . 26813.1.1 First properties and group law . . . . . . . . . 26813.1.2 Scalar multiplication . . . . . . . . . . 27113.1.3 Rational points. . . . . . . . . . . . 27213.1.4 Torsion points . . . . . . . . . . . 27313.1.5 Isomorphisms . . . . . . . . . . . . 27313.1.6 Isogenies . . . . . . . . . . . . 27713.1.7 Endomorphisms . . . . . . . . . . . 27713.1.8 Cardinality . . . . . . . . . . . . 27813.2 Arithmetic of elliptic curves defined over F p . . . . . . . . 28013.2.1 Choice of the coordinates . . . . . . . . . 28013.2.2 Mixed coordinates . . . . . . . . . . . 28313.2.3 Montgomery scalar multiplication. . . . . . . . 28513.2.4 Parallel implementations . . . . . . . . . . 28813.2.5 Compression of points . . . . . . . . . . 28813.3 Arithmetic of elliptic curves defined over F 2 d . . . . . . . 28913.3.1 Choice of the coordinates . . . . . . . . . 29113.3.2 Faster doublings in affine coordinates . . . . . . . 295

xviTable of Contents13.3.3 Mixed coordinates . . . . . . . . . . 29613.3.4 Montgomery scalar multiplication . . . . . . . . 29813.3.5 Point halving and applications . . . . . . . . 29913.3.6 Parallel implementation . . . . . . . . . . 30213.3.7 Compression of points . . . . . . . . . . 30214 Arithmetic of Hyperelliptic Curves . . . . . . . . . 30314.1 Summary of background on hyperelliptic curves . . . . . . . 30414.1.1 Group law for hyperelliptic curves . . . . . . . 30414.1.2 Divisor class group and ideal class group . . . . . . 30614.1.3 Isomorphisms and isogenies . . . . . . . . 30814.1.4 Torsion elements . . . . . . . . . . . 30914.1.5 Endomorphisms . . . . . . . . . . . 31014.1.6 Cardinality . . . . . . . . . . . . 31014.2 Compression techniques . . . . . . . . . . . 31114.2.1 Compression in odd characteristic . . . . . . . . 31114.2.2 Compression in even characteristic . . . . . . . 31314.3 Arithmetic on genus 2 curves over arbitrary characteristic . . . . . 31314.3.1 Different cases . . . . . . . . . . . 31414.3.2 Addition and doubling in affine coordinates . . . . . . 31614.4 Arithmetic on genus 2 curves in odd characteristic . . . . . . 32014.4.1 Projective coordinates . . . . . . . . . . 32114.4.2 New coordinates in odd characteristic . . . . . . . 32314.4.3 Different sets of coordinates in odd characteristic . . . . . 32514.4.4 Montgomery arithmetic for genus 2 curves in odd characteristic . . 32814.5 Arithmetic on genus 2 curves in even characteristic . . . . . . 33414.5.1 Classification of genus 2 curves in even characteristic . . . . 33414.5.2 Explicit formulas in even characteristic in affine coordinates . . . 33614.5.3 Inversion-free systems for even characteristic when h 2 ̸= 0. . . 34114.5.4 Projective coordinates . . . . . . . . . . 34114.5.5 Inversion-free systems for even characteristic when h 2 =0. . . 34514.6 Arithmetic on genus 3 curves . . . . . . . . . . 34814.6.1 Addition in most common case . . . . . . . . 34814.6.2 Doubling in most common case . . . . . . . . 34914.6.3 Doubling on genus 3 curves for even characteristic when h(x) =1 . 35114.7 Other curves and comparison . . . . . . . . . . 35215 Arithmetic of Special Curves . . . . . . . . . . . 35515.1 Koblitz curves . . . . . . . . . . . . . 35515.1.1 Elliptic binary Koblitz curves . . . . . . . . . 35615.1.2 Generalized Koblitz curves . . . . . . . . . 36715.1.3 Alternative setup . . . . . . . . . . . 37515.2 Scalar multiplication using endomorphisms . . . . . . . 37615.2.1 GLV method . . . . . . . . . . . . 37715.2.2 Generalizations . . . . . . . . . . . 38015.2.3 Combination of GLV and Koblitz curve strategies . . . . . 38115.2.4 Curves with endomorphisms for identity-based parameters . . . 38215.3 Trace zero varieties . . . . . . . . . . . . 38315.3.1 Background on trace zero varieties . . . . . . . 38415.3.2 Arithmetic in G. . . . . . . . . . . . 385

Table of Contentsxvii16 Implementation of Pairings . . . . . . . . . . . 38916.1 The basic algorithm . . . . . . . . . . . . 38916.1.1 The setting . . . . . . . . . . . . 39016.1.2 Preparation . . . . . . . . . . . . 39116.1.3 The pairing computation algorithm . . . . . . . . 39116.1.4 The case of nontrivial embedding degree k . . . . . . 39316.1.5 Comparison with the Weil pairing . . . . . . . . 39516.2 Elliptic curves . . . . . . . . . . . . . 39616.2.1 The basic step . . . . . . . . . . . . 39616.2.2 The representation . . . . . . . . . . 39616.2.3 The pairing algorithm . . . . . . . . . . 39716.2.4 Example . . . . . . . . . . . . 39716.3 Hyperelliptic curves of genus 2 . . . . . . . . . . 39816.3.1 The basic step . . . . . . . . . . . 39916.3.2 Representation for k>2 . . . . . . . . . . 39916.4 Improving the pairing algorithm . . . . . . . . . 40016.4.1 Elimination of divisions . . . . . . . . . . 40016.4.2 Choice of the representation . . . . . . . . 40016.4.3 Precomputations . . . . . . . . . . . 40016.5 Specific improvements for elliptic curves . . . . . . . . 40016.5.1 Systems of coordinates . . . . . . . . . . 40116.5.2 Subfield computations . . . . . . . . . . 40116.5.3 Even embedding degree . . . . . . . . . . 40216.5.4 Example . . . . . . . . . . . . 403IV Point Counting17 Point Counting on Elliptic and Hyperelliptic Curves . . . . . . 40717.1 Elementary methods . . . . . . . . . . . . 40717.1.1 Enumeration . . . . . . . . . . . 40717.1.2 Subfield curves . . . . . . . . . . . 40917.1.3 Square root algorithms . . . . . . . . . 41017.1.4 Cartier–Manin operator . . . . . . . . . . 41117.2 Overview of l-adic methods . . . . . . . . . . 41317.2.1 Schoof’s algorithm . . . . . . . . . . . 41317.2.2 Schoof–Elkies–Atkin’s algorithm . . . . . . . . 41417.2.3 Modular polynomials . . . . . . . . . . 41617.2.4 Computing separable isogenies in finite fields of large characteristic . 41917.2.5 Complete SEA algorithm . . . . . . . . . . 42117.3 Overview of p-adic methods . . . . . . . . . . 42217.3.1 Satoh’s algorithm . . . . . . . . . . . 42317.3.2 Arithmetic–Geometric–Mean algorithm . . . . . . 43417.3.3 Kedlaya’s algorithm . . . . . . . . . . . 449

xviiiTable of Contents18 Complex Multiplication . . . . . . . . . . . . 45518.1 CM for elliptic curves . . . . . . . . . . . 45618.1.1 Summary of background . . . . . . . . . . 45618.1.2 Outline of the algorithm . . . . . . . . . 45618.1.3 Computation of class polynomials . . . . . . . . 45718.1.4 Computation of norms . . . . . . . . . . 45818.1.5 The algorithm . . . . . . . . . . . . 45918.1.6 Experimental results . . . . . . . . . . 45918.2 CM for curves of genus 2 . . . . . . . . . . . 46018.2.1 Summary of background . . . . . . . . . 46218.2.2 Outline of the algorithm . . . . . . . . . . 46218.2.3 CM-types and period matrices . . . . . . . . 46318.2.4 Computation of the class polynomials . . . . . . . 46518.2.5 Finding a curve . . . . . . . . . . . 46718.2.6 The algorithm . . . . . . . . . . . . 46918.3 CM for larger genera . . . . . . . . . . . 47018.3.1 Strategy and difficulties in the general case . . . . . . 47018.3.2 Hyperelliptic curves with automorphisms . . . . . . 47118.3.3 The case of genus 3 . . . . . . . . . . 472V Computation of Discrete Logarithms19 Generic Algorithms for Computing Discrete Logarithms . . . . . 47719.1 Introduction . . . . . . . . . . . . . 47819.2 Brute force . . . . . . . . . . . . . . 47919.3 Chinese remaindering . . . . . . . . . . . 47919.4 Baby-step giant-step . . . . . . . . . . . . 48019.4.1 Adaptive giant-step width . . . . . . . . . 48119.4.2 Search in intervals and parallelization . . . . . . . 48219.4.3 Congruence classes . . . . . . . . . . 48319.5 Pollard’s rho method . . . . . . . . . . . . 48319.5.1 Cycle detection . . . . . . . . . . . 48419.5.2 Application to DL . . . . . . . . . . . 48819.5.3 More on random walks. . . . . . . . . . 48919.5.4 Parallelization . . . . . . . . . . . . 48919.5.5 Automorphisms of the group . . . . . . . . 49019.6 Pollard’s kangaroo method . . . . . . . . . . . 49119.6.1 The lambda method . . . . . . . . . . 49219.6.2 Parallelization . . . . . . . . . . . . 49319.6.3 Automorphisms of the group . . . . . . . . 49420 Index Calculus . . . . . . . . . . . . . 49520.1 Introduction . . . . . . . . . . . . . . 49520.2 Arithmetical formations . . . . . . . . . . . 49620.2.1 Examples of formations . . . . . . . . . . 49720.3 The algorithm . . . . . . . . . . . . . 49820.3.1 On the relation search . . . . . . . . . . 49920.3.2 Parallelization of the relation search . . . . . . . 500

Table of Contentsxix20.3.3 On the linear algebra . . . . . . . . . . 50020.3.4 Filtering . . . . . . . . . . . . 50320.3.5 Automorphisms of the group . . . . . . . . . 50520.4 An important example: finite fields . . . . . . . . . 50620.5 Large primes . . . . . . . . . . . . . 50720.5.1 One large prime . . . . . . . . . . . 50720.5.2 Two large primes . . . . . . . . . . . 50820.5.3 More large primes . . . . . . . . . . 50921 Index Calculus for Hyperelliptic Curves . . . . . . . . 51121.1 General algorithm . . . . . . . . . . . . 51121.1.1 Hyperelliptic involution . . . . . . . . . . 51221.1.2 Adleman–DeMarrais–Huang . . . . . . . . . 51221.1.3 Enge–Gaudry . . . . . . . . . . . 51621.2 Curves of small genus . . . . . . . . . . . . 51621.2.1 Gaudry’s algorithm . . . . . . . . . . 51721.2.2 Refined factor base . . . . . . . . . . . 51721.2.3 Harvesting . . . . . . . . . . . . 51821.3 Large prime methods . . . . . . . . . . . . 51921.3.1 Single large prime . . . . . . . . . . 52021.3.2 Double large primes. . . . . . . . . . . 52122 Transfer of Discrete Logarithms . . . . . . . . . . 52922.1 Transfer of discrete logarithms to F q -vector spaces . . . . . . 52922.2 Transfer of discrete logarithms by pairings . . . . . . . . 53022.3 Transfer of discrete logarithms by Weil descent . . . . . . 53022.3.1 Summary of background . . . . . . . . . . 53122.3.2 The GHS algorithm . . . . . . . . . . 53122.3.3 Odd characteristic . . . . . . . . . . . 53622.3.4 Transfer via covers . . . . . . . . . . 53822.3.5 Index calculus method via hyperplane sections . . . . . 541VI Applications23 Algebraic Realizations of DL Systems . . . . . . . . . 54723.1 Candidates for secure DL systems . . . . . . . . . 54723.1.1 Groups with numeration and the DLP . . . . . . . 54823.1.2 Ideal class groups and divisor class groups . . . . . . 54823.1.3 Examples: elliptic and hyperelliptic curves . . . . . . 55123.1.4 Conclusion . . . . . . . . . . . . 55323.2 Security of systems based on Pic 0 C . . . . . . . . . 55423.2.1 Security under index calculus attacks . . . . . . . 55423.2.2 Transfers by Galois theory . . . . . . . . . 55523.3 Efficient systems . . . . . . . . . . . . 55723.3.1 Choice of the finite field . . . . . . . . . . 55823.3.2 Choice of genus and curve equation . . . . . . . 56023.3.3 Special choices of curves and scalar multiplication . . . . . 56323.4 Construction of systems . . . . . . . . . . . 564

xxTable of Contents23.4.1 Heuristics of class group orders . . . . . . . . 56423.4.2 Finding groups of suitable size . . . . . . . . 56523.5 Protocols . . . . . . . . . . . . . . 56923.5.1 System parameters . . . . . . . . . . 56923.5.2 Protocols on Pic 0 C . . . . . . . . . . . 57023.6 Summary . . . . . . . . . . . . . 57124 Pairing-Based Cryptography . . . . . . . . . . 57324.1 Protocols . . . . . . . . . . . . . . 57324.1.1 Multiparty key exchange . . . . . . . . . 57424.1.2 Identity-based cryptography . . . . . . . . . 57624.1.3 Short signatures . . . . . . . . . . . 57824.2 Realization . . . . . . . . . . . . . . 57924.2.1 Supersingular elliptic curves . . . . . . . . 58024.2.2 Supersingular hyperelliptic curves . . . . . . . . 58424.2.3 Ordinary curves with small embedding degree . . . . . 58624.2.4 Performance . . . . . . . . . . . . 58924.2.5 Hash functions on the Jacobian . . . . . . . . 59025 Compositeness and Primality Testing – Factoring . . . . . . 59125.1 Compositeness tests . . . . . . . . . . . . 59225.1.1 Trial division. . . . . . . . . . . . 59225.1.2 Fermat tests . . . . . . . . . . . . 59325.1.3 Rabin–Miller test . . . . . . . . . . . 59425.1.4 Lucas pseudoprime tests . . . . . . . . . . 59525.1.5 BPSW tests . . . . . . . . . . . . 59625.2 Primality tests . . . . . . . . . . . . . 59625.2.1 Introduction . . . . . . . . . . . . 59625.2.2 Atkin–Morain ECPP test . . . . . . . . . . 59725.2.3 APRCL Jacobi sum test . . . . . . . . . 59925.2.4 Theoretical considerations and the AKS test . . . . . . 60025.3 Factoring . . . . . . . . . . . . . . 60125.3.1 Pollard’s rho method . . . . . . . . . . 60125.3.2 Pollard’s p − 1 method. . . . . . . . . . 60325.3.3 Factoring with elliptic curves . . . . . . . . . 60425.3.4 Fermat–Morrison–Brillhart approach . . . . . . . 607VII Realization of Discrete Logarithm Systems26 Fast Arithmetic in Hardware . . . . . . . . . . . 61726.1 Design of cryptographic coprocessors . . . . . . . . . 61826.1.1 Design criterions . . . . . . . . . . . 61826.2 Complement representations of signed numbers . . . . . . . 62026.3 The operation XY + Z . . . . . . . . . . . 62226.3.1 Multiplication using left shifts . . . . . . . . . 62326.3.2 Multiplication using right shifts . . . . . . . . 62426.4 Reducing the number of partial products . . . . . . . . 62526.4.1 Booth or signed digit encoding . . . . . . . . 625

Table of Contentsxxi26.4.2 Advanced recoding techniques . . . . . . . . 62626.5 Accumulation of partial products . . . . . . . . . 62726.5.1 Full adders . . . . . . . . . . . . 62726.5.2 Faster carry propagation . . . . . . . . . 62826.5.3 Analysis of carry propagation . . . . . . . . . 63126.5.4 Multi-operand operations . . . . . . . . . 63326.6 Modular reduction in hardware . . . . . . . . . . 63826.7 Finite fields of characteristic 2 . . . . . . . . . . 64126.7.1 Polynomial basis . . . . . . . . . . . 64226.7.2 Normal basis . . . . . . . . . . . 64326.8 Unified multipliers . . . . . . . . . . . . 64426.9 Modular inversion in hardware . . . . . . . . . . 64527 Smart Cards . . . . . . . . . . . . . . 64727.1 History. . . . . . . . . . . . . . . 64727.2 Smart card properties . . . . . . . . . . . 64827.2.1 Physical properties . . . . . . . . . . . 64827.2.2 Electrical properties . . . . . . . . . . 65027.2.3 Memory . . . . . . . . . . . . . 65127.2.4 Environment and software . . . . . . . . . 65627.3 Smart card interfaces . . . . . . . . . . . . 65927.3.1 Transmission protocols . . . . . . . . . 65927.3.2 Physical interfaces . . . . . . . . . . . 66327.4 Types of smart cards . . . . . . . . . . . 66427.4.1 Memory only cards (synchronous cards) . . . . . . . 66427.4.2 Microprocessor cards (asynchronous cards) . . . . . 66528 Practical Attacks on Smart Cards . . . . . . . . . 66928.1 Introduction . . . . . . . . . . . . . . 66928.2 Invasive attacks . . . . . . . . . . . . 67028.2.1 Gaining access to the chip . . . . . . . . . 67028.2.2 Reconstitution of the layers . . . . . . . . . 67028.2.3 Reading the memories . . . . . . . . . . 67128.2.4 Probing . . . . . . . . . . . . 67128.2.5 FIB and test engineers scheme flaws . . . . . . . 67228.3 Non-invasive attacks . . . . . . . . . . . 67328.3.1 Timing attacks . . . . . . . . . . . . 67328.3.2 Power consumption analysis . . . . . . . . 67528.3.3 Electromagnetic radiation attacks . . . . . . . . 68228.3.4 Differential fault analysis (DFA) and fault injection attacks . . . 68329 Mathematical Countermeasures against Side-Channel Attacks . . . 68729.1 Countermeasures against simple SCA . . . . . . . . 68829.1.1 Dummy arithmetic instructions . . . . . . . . 68929.1.2 Unified addition formulas . . . . . . . . . . 69429.1.3 Montgomery arithmetic . . . . . . . . . 69629.2 Countermeasures against differential SCA . . . . . . . . 69729.2.1 Implementation of DSCA . . . . . . . . . 69829.2.2 Scalar randomization . . . . . . . . . . 69929.2.3 Randomization of group elements . . . . . . . 700

xxiiTable of Contents29.2.4 Randomization of the curve equation . . . . . . . 70029.3 Countermeasures against Goubin type attacks . . . . . . 70329.4 Countermeasures against higher order differential SCA . . . . . 70429.5 Countermeasures against timing attacks . . . . . . . . 70529.6 Countermeasures against fault attacks . . . . . . . . 70529.6.1 Countermeasures against simple fault analysis . . . . . 70629.6.2 Countermeasures against differential fault analysis . . . . . 70629.6.3 Conclusion on fault induction . . . . . . . . 70829.7 Countermeasures for special curves . . . . . . . . . 70929.7.1 Countermeasures against SSCA on Koblitz curves . . . . 70929.7.2 Countermeasures against DSCA on Koblitz curves . . . . . 71129.7.3 Countermeasures for GLV curves . . . . . . . 71330 Random Numbers – Generation and Testing . . . . . . . 71530.1 Definition of a random sequence . . . . . . . . . . 71530.2 Random number generators . . . . . . . . . . 71730.2.1 History . . . . . . . . . . . . . 71730.2.2 Properties of random number generators . . . . . . 71830.2.3 Types of random number generators . . . . . . . 71830.2.4 Popular random number generators . . . . . . . 72030.3 Testing of random number generators . . . . . . . . . 72230.4 Testing a device . . . . . . . . . . . . 72230.5 Statistical (empirical) tests . . . . . . . . . . . 72330.6 Some examples of statistical models on Σ n . . . . . . . 72530.7 Hypothesis testings and random sequences . . . . . . . 72630.8 Empirical test examples for binary sequences . . . . . . . 72730.8.1 Random walk . . . . . . . . . . . . 72730.8.2 Runs . . . . . . . . . . . . . 72830.8.3 Autocorrelation . . . . . . . . . . . 72830.9 Pseudorandom number generators . . . . . . . . . 72930.9.1 Relevant measures . . . . . . . . . . . 73030.9.2 Pseudorandom number generators from curves . . . . . 73230.9.3 Other applications . . . . . . . . . . . 735References . . . . . . . . . . . . . . . 737Notation Index . . . . . . . . . . . . . . 777General Index . . . . . . . . . . . . . . . 785

xxivList of Algorithms10.55 Integer square root . . . . . . . . . . . . 19811.1 Interleaved multiplication-reduction of multiprecision integers . . . . 20311.3 Multiplication in Montgomery representation . . . . . . . 20411.6 Plus-minus inversion method . . . . . . . . . . 20611.9 Prime field inversion. . . . . . . . . . . . 20711.12 Montgomery inverse in Montgomery representation . . . . . . 20811.15 Simultaneous inversion modulo p . . . . . . . . . 20911.17 Binary exponentiation using Montgomery representation . . . . . 21011.19 Legendre symbol . . . . . . . . . . . . 21011.23 Tonelli and Shanks square root computation . . . . . . . 21211.26 Square root computation . . . . . . . . . . . 21311.31 Division by a sparse polynomial . . . . . . . . . . 21411.34 Multiplication of polynomials in F 2 [X] . . . . . . . . 21811.37 Multiplication of polynomials in F 2 [X] using window technique . . . . 21911.41 Euclid extended polynomial gcd . . . . . . . . . 22211.44 Inverse of an element of F ∗ 2in polynomial representation d . . . . . 22311.47 Inverse of an element of F ∗ q d using Lagrange’s theorem . . . . . 22411.50 Modular composition of Brent and Kung . . . . . . . . 22611.53 Shoup exponentiation algorithm . . . . . . . . . 22711.66 OEF inversion . . . . . . . . . . . . . 23411.69 Legendre–Kronecker–Jacobi symbol . . . . . . . . 23512.2 Teichmüller modulus . . . . . . . . . . . 24212.3 Teichmüller modulus increment . . . . . . . . . . 24212.5 Polynomial inversion . . . . . . . . . . . 24512.6 Fast division with remainder . . . . . . . . . . . 24512.9 Newton iteration . . . . . . . . . . . . 24612.10 Inverse. . . . . . . . . . . . . . . 24712.12 Inverse square root (p =2) . . . . . . . . . . 24812.15 Hensel lift iteration . . . . . . . . . . . . 24912.16 Hensel lift. . . . . . . . . . . . . . 25012.18 Artin–Schreier root square multiply . . . . . . . . . 25312.19 Artin–Schreier root I. . . . . . . . . . . . 25412.21 Artin–Schreier root II . . . . . . . . . . . . 25512.23 Generalized Newton lift . . . . . . . . . . . 25712.24 Teichmüller lift . . . . . . . . . . . . . 25812.33 Norm I . . . . . . . . . . . . . . 26112.35 Norm II. . . . . . . . . . . . . . . 26213.6 Sliding window scalar multiplication on elliptic curves . . . . . . 27113.35 Scalar multiplication using Montgomery’s ladder . . . . . . 28713.42 Repeated doublings . . . . . . . . . . . . 29513.45 Point halving . . . . . . . . . . . . . 30013.48 Halve and add scalar multiplication . . . . . . . . . 30114.7 Cantor’s algorithm . . . . . . . . . . . . 30814.19 Addition (g =2and deg u 1 =degu 2 =2) . . . . . . . 31714.20 Addition (g =2, deg u 1 =1, and deg u 2 =2) . . . . . . . 31814.21 Doubling (g =2and deg u =2) . . . . . . . . . 319

List of Algorithmsxxv14.22 Addition in projective coordinates (g =2and q odd) . . . . . . 32114.23 Doubling in projective coordinates (g =2and q odd) . . . . . 32214.25 Addition in new coordinates (g =2and q odd) . . . . . . . 32414.26 Doubling in new coordinates (g =2and q odd) . . . . . . 32514.30 Montgomery scalar multiplication for genus 2 curves . . . . . . 33114.41 Doubling on Type Ia curves (g =2and q even) . . . . . . 33714.42 Doubling on Type Ib curves (g =2and q even) . . . . . . . 33814.43 Doubling on Type II curves (g =2and q even) . . . . . . . 33914.44 Doubling on Type III curves (g =2and q even) . . . . . . . 34014.45 Doubling in projective coordinates (g =2, h 2 ̸= 0, and q even). . . . 34114.47 Addition in new coordinates (g =2, h 2 ̸= 0, and q even) . . . . . 34214.48 Doubling in new coordinates (g =2, h 2 ̸= 0, and q even) . . . . . 34314.49 Doubling in projective coordinates (g =2, h 2 =0, and q even) . . . . 34614.50 Addition in recent coordinates (g =2, h 2 =0, and q even) . . . . 34614.51 Doubling in recent coordinates (g =2, h 2 =0, and q even) . . . . . 34714.52 Addition on curves of genus 3 in the general case . . . . . . 34814.53 Doubling on curves of genus 3 in the general case . . . . . . 35014.54 Doubling on curves of genus 3 with h(x) =1 . . . . . . . 35115.6 τNAF representation . . . . . . . . . . . 35915.9 Rounding-off of an element of Q[τ] . . . . . . . . . 36115.11 Division with remainder in Z[τ]. . . . . . . . . . 36115.13 Reduction of n modulo δ . . . . . . . . . . . 36215.17 τNAF w representation . . . . . . . . . . . 36415.21 Recoding in τ-adic joint sparse form . . . . . . . . . 36515.28 Expansion in τ-adic form . . . . . . . . . . . 37015.34 Representation of δ =(τ k − 1)/(τ − 1) in Z[τ] . . . . . . . 37215.35 Computation of n-folds using τ-adic expansions . . . . . . 37315.41 GLV representation . . . . . . . . . . . . 37916.5 Relative prime representation . . . . . . . . . . 39116.8 Tate–Lichtenbaum pairing . . . . . . . . . . 39216.11 Tate–Lichtenbaum pairing if k>g . . . . . . . . . 39416.12 Tate–Lichtenbaum pairing for g =1if k>1 . . . . . . . 39716.16 Tate–Lichtenbaum pairing for g =1if k>1 and k = k 1 e . . . . . 40216.17 Tate–Lichtenbaum pairing for g =1and k =2e . . . . . . 40217.25 SEA . . . . . . . . . . . . . . . 42117.31 Lift j-invariants . . . . . . . . . . . . . 42517.36 Lift kernel . . . . . . . . . . . . . . 42817.38 Satoh’s point counting method . . . . . . . . . . 43017.54 Elliptic curve AGM . . . . . . . . . . . . 43917.58 Univariate elliptic curve AGM . . . . . . . . . . 44117.71 Hyperelliptic curve AGM . . . . . . . . . . . 44617.80 Kedlaya’s point counting method for p 3 . . . . . . . . 45218.4 Cornacchia’s algorithm. . . . . . . . . . . . 45818.5 Construction of elliptic curves via CM . . . . . . . . 45918.12 Construction of genus 2 curves via CM . . . . . . . . 469

xxviList of Algorithms19.5 Shanks’ baby-step giant-step algorithm . . . . . . . . 48019.7 BJT variant of the baby-step giant-step algorithm . . . . . . 48119.9 Terr’s variant of the baby-step giant-step algorithm . . . . . . 48219.10 Baby-step giant-step algorithm in an interval . . . . . . . 48219.12 Floyd’s cycle-finding algorithm . . . . . . . . . . 48419.13 Gosper’s cycle finding algorithm . . . . . . . . . 48519.14 Brent’s cycle-finding algorithm . . . . . . . . . . 48519.16 Brent’s improved cycle-finding algorithm . . . . . . . . 48619.17 Nivash’ cycle-finding algorithm . . . . . . . . . . 48820.3 Index calculus . . . . . . . . . . . . . 49821.1 Divisor decomposition . . . . . . . . . . . . 51121.5 Computing the factor base . . . . . . . . . . 51321.6 Smoothing a prime divisor . . . . . . . . . . . 51321.7 Finding smooth principal divisors . . . . . . . . . 51421.8 Decomposition into unramified primes . . . . . . . . . 51421.9 Adleman–DeMarrais–Huang . . . . . . . . . . 51521.12 Relation search . . . . . . . . . . . . . 51721.16 Single large prime . . . . . . . . . . . . 52021.18 Double large primes . . . . . . . . . . . . 52121.19 Full graph method . . . . . . . . . . . . 52221.21 Simplified graph method . . . . . . . . . . . 52421.24 Concentric circles method . . . . . . . . . . 52522.7 Weil descent of C via GHS . . . . . . . . . . 53523.2 Cantor’s algorithm . . . . . . . . . . . . 55223.12 Elliptic curve AGM . . . . . . . . . . . . 56623.13 Construction of elliptic curves via CM . . . . . . . . 56723.14 HECDSA – Signature generation . . . . . . . . . . 57023.15 HECDSA – Signature verification . . . . . . . . . 57124.2 Tripartite key exchange . . . . . . . . . . . 57524.3 Identity-based encryption . . . . . . . . . . . 57724.4 Private-key extraction . . . . . . . . . . . 57724.5 Identity-based decryption . . . . . . . . . . . 57724.6 Signature in short signature scheme . . . . . . . . 57824.7 Signature verification in short signature scheme . . . . . . . 57824.10 Triple and add scalar multiplication . . . . . . . . . 58124.12 Tate–Lichtenbaum pairing in characteristic 3 . . . . . . . 58224.15 Construction of elliptic curves with prescribed embedding degree . . . 58725.7 Pollard’s rho with Brent’s cycle detection . . . . . . . . 60325.12 Fermat–Morrison–Brillhart factoring algorithm . . . . . . . 60825.14 Sieve method . . . . . . . . . . . . . 60925.15 The number field sieve . . . . . . . . . . . . 61326.9 Sequential multiplication of two integers using left shift . . . . . 62326.11 Sequential multiplication of two integers using right shift . . . . . 624

List of Algorithmsxxvii26.14 Recoding the multiplier in signed-digit representation . . . . . . 62526.17 Recoding the multiplier in radix-4 SD representation . . . . . 62626.22 Addition using full adders . . . . . . . . . . . 62826.49 Least-significant-digit-first shift-and-add multiplication in F 2 d . . . . 64328.1 Modular reduction . . . . . . . . . . . . 67428.2 Modular reduction against timing attacks . . . . . . . . 67428.3 Double and add always . . . . . . . . . . . 67629.1 Atomic addition-doubling formulas . . . . . . . . . 69129.2 Elliptic curve doubling in atomic blocks. . . . . . . . . 69229.3 Elliptic curve addition in atomic blocks . . . . . . . . 69329.4 Montgomery’s ladder . . . . . . . . . . . . 69729.6 Right to left binary exponentiation . . . . . . . . . 70729.7 SSCA and DSCA by random assignment . . . . . . . . 71029.8 Randomized GLV method . . . . . . . . . . 71430.4 A pseudorandom number generator. . . . . . . . . 719

PrefaceInformation security is of the greatest importance in a world in which communication over opennetworks and storage of data in digital form play a key role in daily life. The science of cryptographyprovides efficient tools to secure information. In [MEOO + 1996] one finds an excellent definitionof cryptography as “the study of mathematical techniques related to aspects of information securitysuch as confidentiality, data integrity, entity identification, and data origin authentication”aswellas a thorough description of these information security objectives and how cryptography addressesthese goals.Historically, cryptography has mainly dealt with methods to transmit information in a confidentialmanner such that a third party (called the adversary) cannot read the information, even if thetransmission is done through an insecure channel such as a public telephone line. This shouldnot be confused with coding theory, the goal of which is, on the contrary, to add some redundantinformation to a message so that even if it is slightly garbled, it can still be decoded correctly.To achieve secure transmission, one can use the oldest, and by far the fastest, type of cryptography,secret-key cryptography, also called symmetric-key cryptography. This is essentially basedon the sharing of a secret key between the people who want to communicate. This secret key isused both in the encryption process, in which the ciphertext is computed from the cleartext and thekey, and also in the decryption process. This is why the method is called symmetric. The currentstandardized method of this type is the AES symmetric-key cryptosystem. Almost all methodsof this type are based on bit manipulations between the bits of the message (after the messagehas been translated into binary digits) and the bits of the secret key. Decryption is simply done byreversing these bit manipulations. All these operations are thus very fast. The main disadvantages ofsymmetric-key cryptography are that one shared secret key per pair must be exchanged beforehandin a secure way, and that key management is more tricky in a large network.At the end of the 1970’s the revolutionary new notion of public-key cryptography, also calledasymmetric cryptography, appeared. It emerged from the the pioneering work of Diffie and Hellmanpublished 1976 in the paper “New directions in cryptography” [DIHE 1976].Public-key cryptography is based on the idea of one-way functions: in rough terms these arefunctions, whose inverse functions cannot be computed in any reasonable amount of time. If we usesuch a function for encryption, an adversary will in principle not be able to decrypt the encryptedmessages. This will be the case even if the function is public knowledge. In fact, having theencryption public has many advantages such as enabling protocols for authentication, signature,etc., which are typical of public-key cryptosystems; see Chapter 1.All known methods for public-key cryptography are rather slow, at least compared to secret-keycryptography, and the situation will probably always stay that way. Thus public-key cryptographyis used as a complement to secret-key cryptography, either for signatures or authentication, or forkey exchange, since the messages to be transmitted in all these cases are quite short.There remains the major problem of finding suitable public-key cryptosystems. Many proposalshave been made in the 25 years since the invention of the concept, but we can reasonably say thatonly two types of methods have survived. The first and by far the most widely used methods arevariants of the RSA cryptosystem. These are based on the asymmetrical fact that it is very easy tocreate at will, quite large prime numbers (for instance 768 or 1024-bit is a typical cryptographic sizefor reasonable security), but it is totally impossible (at the time this book is being written), exceptxxix

xxxPrefaceby some incredible stroke of luck (or bad choice of the primes) to factor the product of two primesof this size, in other words a 1536 or 2048-bit number. The present world record for factoring anRSA type number is the factoring of the 576-bit RSA challenge integer. The remarkable fact isthat this result was obtained without an enormous effort of thousands of PC’s interconnected via theInternet. Using today’s algorithms and computer technologies it seems possible to factor 700-bitnumbers. Of course, this is much smaller than the number of bits that we mention. But we will seein Chapter 25 that there are many subexponential algorithms for factoring which, although not asefficient as polynomial time algorithms, are still much faster than naïve factoring approaches. Theexistence of these subexponential algorithms explains the necessity of using 768 or 1024-bit primesas mentioned above, in other words very large keys.The second type of method is based on the discrete logarithm problem (DLP) in cyclic groupsof prime order that are embedded in elliptic curves or more generally Jacobians of curves (or evengeneral abelian varieties) over finite fields. In short, if G is a group, g ∈ G, k ∈ Z and h = g k ,the DLP in G consists in computing k knowing g and h. In the case where G =(Z/nZ) ∗ it canbe shown that the subexponential methods used for factoring can be adapted to give subexponentialmethods for the DLP in G, so the security of such methods is analogous to the security of RSA,and in particular one needs very large keys. On the other hand for elliptic curves no subexponentialalgorithm is known for the DLP, and this is also the case for Jacobians of curves of small genus.In other words the only attacks known for the DLP working on all elliptic curves are generic (seeChapter 19). This is bad from an algorithmic point of view, but is of course very good news forthe cryptographer, since it means that she can use much smaller keys than in cryptosystems such asRSA for which there exist subexponential attacks. Typically, to have the same security as 2048-bitRSA one estimates that an elliptic curve (or the Jacobian of a curve of small genus) over a finitefield should have a number of points equal to a small multiple of a prime of 224 or perhaps 256 bits.Even though the basic operations on elliptic curves and on Jacobians are more complicated than in(Z/nZ) ∗ , the small key size largely compensates for this, especially in restricted environments suchas smart cards (cf. Chapter 27) where silicon space is small.Aim of the bookThe goal of this book is to explain in great detail the theory and algorithms involved in ellipticand hyperelliptic curve cryptography. The reader is strongly advised to read carefully what followsbefore reading the rest of the book, otherwise she may be discouraged by some parts.The intended audience is broad: our book is targeted both at students and at professionals,whether they have a mathematical, computer science, or engineering background. It is not atextbook,and in particular contains very few proofs. On the other hand it is reasonably self-contained,in that essentially all of the mathematical background is explained quite precisely. This book containsmany algorithms, of which some appear for the first time in book form. They have been writtenin such a way that they can be immediately implemented by anyone wanting to go as fast as possibleto the bottom line, without bothering about the detailed understanding of the algorithm or itsmathematical background, when there is one. This is why this book is a handbook. On the otherhand, it is not a cookbook: we have not been content with giving the algorithms, but for the moremathematically minded ones we have given in great detail all the necessary definitions, theorems,and justifications for the understanding of the algorithm.Thus this book can be read at several levels, and the reader can make her choice depending onher interests and background.

PrefacexxxiThe reader may be primarily interested in the mathematical parts, and how some quite abstractmathematical notions are transformed into very practical algorithms. For instance, particular mentionshould be made of point counting algorithms, where apparently quite abstract cohomologytheories and classical results from explicit class field theory are used for efficient implementationsto count points on hyperelliptic curves. A most striking example is the use of p-adic methods. Kedlaya’salgorithm is a very practical implementation of the Monsky–Washnitzer cohomology, andSatoh’s algorithm together with its successors are very practical uses of the notion of canonicalp-adic liftings. Another example is the Tate duality of abelian varieties which provides the mostefficient realization of a bilinear structure opening new possibilities for public-key protocols. Thusthe reader may read this book to learn about the mathematics involved in elliptic and hyperellipticcurve cryptography.On the other hand the reader may be primarily interested in having the algorithms implementedas fast as possible. In that case, she can usually implement the algorithms directly as they arewritten, even though some of them are quite complex. She even can use the book to look forappropriate solutions for a concrete problem in data security, find optimal instances correspondingto the computational environment and then delve deeper into the background.To achieve these aims we present almost all topics at different levels which are linked by numerousreferences but which can be read independently (with the exception that one should at least havesome idea about the principles of public-key cryptography as explained in Chapter 1 and that oneknows the basic algebraic structures described in Chapter 2).Mathematical backgroundThe first level is the mathematical background concerning the needed tools from algebraic geometryand arithmetic. This constitutes the first part of the book. We define the elementary algebraicstructures and the basic facts on number theory including finite fields and p-adic numbers in Chapters2 and 3. The basic results about curves and the necessary concepts from algebraic geometry aregiven in Chapter 4. In Chapter 5 we consider the special cases in which the ground field is a finitefield or equal to the complex numbers. In Chapters 6, 7, and 8 we explain the importance of Galoistheory and especially of the Frobenius automorphism for the arithmetic of curves over finite fieldsand develop the background for pairings, Weil descent, and point counting.On the one hand a mathematically experienced reader will find many topics well-known to her.On the other hand some chapters in this part may not be easy to grasp for a reader not having asufficient mathematical background. In both cases we encourage the reader to skip (parts of) Part Ion first reading and we hope that she will come back to it after being motivated by applications andimplementations.This skipping is possible since in later parts dealing with implementations we always repeat thecrucial notions and results in a summary at the beginning of the chapters.Algorithms and their implementationIn Part II of the book, we treat exponentiation techniques in Chapter 9. Chapters 10, 11, and 12present in a very concrete way the arithmetic in the ring of integers, in finite fields and in p-adicfields. The algorithms developed in these chapters are amongst the key ingredients if one wants tohave fast algorithms on algebraic objects like polynomial rings and so their careful use is necessaryfor implementations of algorithms developed in the next part.In Part III, we give in great detail the algorithms that are necessary for addition in groups con-

xxxiiPrefacesisting of points of elliptic curves and of Jacobian varieties of hyperelliptic curves. Both genericand special cases are treated, and the advantages and disadvantages of different coordinate systemsare discussed. In Chapter 13 this is done for elliptic curves, and in Chapter 14 one finds the resultsconcerning hyperelliptic curves. Chapter 15 is devoted to elliptic and hyperelliptic curves, whichhave an extra structure like fast computable endomorphisms. The reader who plans to implement asystem based on discrete logarithms should read these chapters very carefully. The tables countingthe necessary field operations will be of special interest for her, and in conjunction with the arithmeticof finite fields she will be able to choose an optimal system adapted to the given or plannedenvironment. (At this place we already mention that security issues must not be neglected, and as arule, special structures will allow more attacks. So Part V or the conclusions in Chapter 23 shouldbe consulted.) Since all necessary definitions and results from the mathematical background arerestated in Part III it can be read independently of the chapters before. But of course we hope thatdesigners of systems will become curious to learn more about the foundations.The same remarks apply to the next Chapter, 16. It is necessary if one wants to use protocolsbased on bilinear structures like tripartite-key exchange or identity-based cryptography. It beginswith a down-to-earth definition of a variant of the Tate pairing under the conditions that make itpracticable nowadays and then describe algorithms that become very simple in concrete situations.Again it should be interesting not only for mathematicians which general structures are fundamentaland so a glimpse at Chapter 6 is recommended.In Part IV of the book, it is more difficult to separate the background from the implementation.Nevertheless we get as results concrete and effective algorithms to count the number of points onhyperelliptic curves and their Jacobian varieties over finite fields. We present a complete version ofthe Schoof–Elkies–Atkin algorithm, which counts the number of rational points on random ellipticcurves in Section 17.2 in the most efficient version known today. The p-adic methods for ellipticand hyperelliptic curves over fields with small characteristics are given in Section 17.3 and themethod using complex multiplication is described in Chapter 18 for the relevant cases of curvesof genus 1, 2, and 3. In the end of this part, one finds algorithms in such a detailed manner thatit should be possible to implement point counting without understanding all mathematical details,but some experience with computational number theory is necessary to get efficient algorithms,and for instance in Chapter 18 it is advised that for some precomputations like determining classpolynomials a published list should be used. For readers who do not want to go into these detailsa way out could be to use standard curves instead of generating their own. For mathematiciansinterested in computational aspects this part of the book should provide a very interesting lectureafter they have read the mathematical background part. All readers should be convinced by Part IVthat there are efficient algorithms that provide in abundance instances for discrete logarithm systemsusable for public-key cryptography.Until now the constructive point of view was in the center. Now we have to discuss security issuesand investigate how hard it is to compute discrete logarithms. In Part V we discuss these methodsin detail. The most important and fastest algorithms rely on the index calculus method which is inabstract form presented in Chapter 20. In Chapter 21 it is implemented in the most efficient wayknown nowadays for hyperelliptic curves. Contrary to the algorithms considered in the constructivepart it has a high complexity. But the computation is feasible even nowadays in wide ranges andits subexponential complexity has as a consequence that it will become applicable to much largerinstances in the near future — if one does not avoid curves of genus 4 and if one is not carefulabout the choice of parameters for curves of genus 3. In Chapter 22 we describe how results fromthe mathematical background like Weil descent or pairings can result in algorithms that transferthe discrete logarithm from seemingly secure instances to the ones endangered by index calculusmethods. Though the topics of Part V are not as easily accessible as the results and algorithms inPart III, every designer of cryptosystems based on the discrete logarithm problem should have alook at least at the type of algorithms used and the complexity obtained by index calculus methods,

Prefacexxxiiiand to make this task easier we have given a digest of all the results obtained until now in the thirdlevel of the book.ApplicationsIn Part VI of the book we reach the third level and discuss how to find cryptographic primitivesthat can be used in appropriate protocols such that the desired level of security and efficiency isobtained. In Chapter 23 this is done for DL systems, and Chapter 24 deals with protocols usingbilinear structures. Again these chapters are self-contained but necessarily in the style of a digestwith many references to earlier chapters. One finds the mathematical nature of the groups used ascryptographic primitives, how to compute inside of them, a security analysis, and how to obtainefficient implementations. Moreover, it is explained how to transfer the abstract protocols, forinstance, signature schemes, from Chapter 1 to real protocols using elliptic and hyperelliptic curvesin a most efficient and secure way. The summary at the end of Chapter 23 is a scenario as to howthis book could be used as an aid in developing a system. At the same time it could give one (a bitextreme) way how to read the book. Begin with Section 23.6 and take it as hints for reading theprevious sections of this chapter. If an algorithm is found to be interesting or important go to thecorresponding chapters and sections cited there; proceed to chapters in Parts II, III, IV and V butnot necessarily in this order and not necessarily in an exhaustive way. And then, just for fun andbetter understanding, read the background chapters on which the implementations rely.If the reader is interested in applications involving bilinear structures she can use the same recipeas above but beginning in Chapter 24.A not so direct but important application of elliptic curves and (at a minor level) hyperellipticcurves in cryptography is their use in algorithms for primality testing and factoring. Because of theimportance of these algorithms for public-key cryptography we present the state of the art informationon these topics in Chapter 25.Realization of Discrete Logarithm systemsUntil now our topics were totally inside of mathematics with a strong emphasis on computationalaspects and some hints coming from the need of protocols. But on several occasions we havementioned already the importance of the computational environment as basis for optimal choicesof DL systems and their parameters. To understand the conditions and restrictions enforced by thephysical realization of the system one has to understand its architecture and the properties of theused hardware. In Part VII, mathematics is at backstage and in the foreground are methods usedto implement discrete logarithm systems based on elliptic and hyperelliptic curves in hardware andespecially in restricted environments such as smart cards.In Chapter 26 it is shown how the arithmetic over finite fields is realized in hardware. In Chapter27 one finds a detailed description of a restricted environment in which DL systems will havetheir most important applications, namely smart cards. The physical realization of the systemsopens new lines of attacks, so called side-channel attacks, not computing the discrete logarithm tobreak the system but relying, for instance, on the analysis of timings and power consumption duringthe computational processes. The background for such attacks is explained in Chapter 28 whileChapter 29 shows how mathematical methods can be used to develop countermeasures.A most important ingredient in all variants of protocols used in public-key cryptography is randomization.So one has to have (pseudo-)random number generators of high quality at hand. Thisproblem and possible solutions are discussed in Chapter 30. As a side-result it is shown that ellipticor hyperelliptic curves can be used with good success.

xxxivPrefaceAcknowledgmentsWe would like to thank the following people for their great help:For Chapter 1, we thank David Lubicz. For Chapter 2, we thank Jean-Luc Stehlé. For Chapter 11,we thank Guerric Meurice de Dormale. For Chapter 14, we thank Jan Pelzl and Colin Stahlke. ForChapter 19, we thank Edlyn Teske. For Chapter 22, we thank Claus Diem and Jasper Scholten. ForChapter 25, we thank Scott Contini. For Chapter 26, we thank Johann Großschädl. For Chapter 27,we thank Benoît Feix, Christian Gorecki, and Ralf Jährig. For Chapter 28, we thank Vanessa Chazal,Mathieu Ciet, and Guillaume Poupard. For Chapter 30, we thank Peter Beelen, Igor Shparlinski,and Johann Großschädl.Photos in Figure 28.2 are courtesy of Oliver Kömmerling and Markus Kuhn.We would like to thank Alfred J. Menezes and Igor Shparlinski for their useful advice.Roberto M. Avanzi expresses his gratitude to the Institute of Experimental Mathematics (IEM)at the University of Duisburg-Essen and the Communication Security Group (COSY) at the Ruhr-University Bochum for providing very simulating environments. The present book was writtenwhile he was affiliated with the IEM, then with COSY.Christophe Doche would like to thank the A2X department at the University of Bordeaux forproviding excellent working conditions. Some parts of this book were written while he was affiliatedin Bordeaux. He is also grateful to Alejandra M. O’Donnell for careful proofreading.Tanja Lange would like to thank the Faculty of Mathematics at the Ruhr-University Bochum forcreating a good working atmosphere. This book was written while she was affiliated with Bochum.Frederik Vercauteren would like to thank his former colleagues at the CS department of the Universityof Bristol for their encouragement and support. This book was written while he was affiliatedwith Bristol.Andrew Weigl would like to thank Professor Walter Anheier and the Institute for ElectromagneticTheory and Microelectronics at the University of Bremen for their support on this project.Jean-Christophe Courrège and Benoît Feix would like to thank people from the CEACI, the CNESand the DCSSI.This book grew out of a report for the European Commission in the scope of the AREHCC (AdvancedResearch in Elliptic and Hyperelliptic Curves Cryptography) project. The work describedin this book has been supported by the Commission of the European Communities through the ISTProgramme under Contract IST-2001-32613 (see http://www.arehcc.com). As the momentumaround this project built up, some new people joined the core team as contributors.The information in this document is provided as is, and no guarantee or warranty is given orimplied that the information is fit for any particular purpose. The user thereof uses the informationat its sole risk and liability. The views expressed are those of the authors and do not represent anofficial view or position of the AREHCC project (as a whole).Henri Cohen and Gerhard Frey

Chapter ½Introduction to Public-KeyCryptographyRoberto M. Avanzi and Tanja LangeContents in Brief1.1 Cryptography 21.2 Complexity 21.3 Public-key cryptography 51.4 Factorization and primality 6Primality • Complexity of factoring • RSA1.5 Discrete logarithm systems 8Generic discrete logarithm systems • Discrete logarithm systems with bilinearstructure1.6 Protocols 9Diffie–Hellman key exchange • Asymmetric Diffie–Hellman and ElGamalencryption • Signature scheme of ElGamal-type • Tripartite key exchange1.7 Other problems 14In this chapter we introduce the basic building blocks for cryptography based on the discrete logarithmproblem that will constitute the main motivation for considering the groups studied in thisbook. We also briefly introduce the RSA cryptosystem as for use in practice it is still an importantpublic-key cryptosystem.Assume a situation where two people, called Alice and Bob in the sequel (the names had beenused since the beginning of cryptography because they allow using the letters A and B as handyabbreviations), want to communicate via an insecure channel in a secure manner. In other words, aneavesdropper Eve (abbreviated as E) listening to the encrypted conversation should not be able toread the cleartext or change it. To achieve these aims one uses cryptographic primitives basedonaproblem that should be easy to set up by either Alice, or Bob, or by both, but impossible to solve forEve. Loosely speaking, infeasibility means computational infeasibility for Eve if she does not haveat least partial access to the secret information exploited by Alice and Bob to set up the problem.Examples of such primitives are RSA, cf. [PKCS], which could be solved if the integer factorizationproblem was easy, i.e., if one could find a nontrivial factor of a composite integer n, andthediscrete logarithm problem, i.e., the problem of finding an integer k with [k]P = Q where P is agenerator of a cyclic group (G, ⊕) and Q ∈ G. These primitives are reviewed in Sections 1.4.31

2 Ch. 1 Introduction to Public-Key Cryptographyand 1.5. They are applied in a prescribed way given by protocols. We will only briefly state thenecessary problems and hardness assumptions in Section 1.6 but not go into the details.Then we go briefly into issues of primality proving and integer factorization. The next sectionis devoted to discrete logarithm systems. This is the category of cryptographic primitives in whichelliptic and hyperelliptic curves are applied. Finally, we consider protocols, i.e., algorithms usingthe cryptographic primitive to establish a common key, encrypt a message for a receiver, or signelectronically.1.1 CryptographyIn ancient times, the use of cryptography was restricted to a small community essentially formed bythe military and the secret service. The keys were distributed secretly by a courier and the same keyallowed to encipher and, later, decipher the messages. These symmetric systems include the ancientCaesar’s cipher, Enigma, and other rotor machines. Today’s standard symmetric cipher is the AES(Advanced Encryption Standard) [FIPS 197]. Symmetric systems still are by far the fastest meansto communicate secretly – provided that a joint key is established.In order to thrive, e-commerce requires the possibility of secure transactions on an electronicallyconnected global network. Therefore, it is necessary to rely on mechanisms that allow a key exchangebetween two or more parties that have not met each other before. One of the main featuresof public-key cryptography is to relax the security requirement of the channel used to perform akey exchange: in the case of symmetric cryptography it must be protected in integrity and confidentialitythough integrity suffices in public-key cryptography. It allows for building easier-to-set-upand more scalable secured networks. It also provides cryptographic services like signatures withnon-repudiation, which are not available in symmetric cryptography. The security of public-keycryptography relies on the evaluation of the computational difficulty of some families of mathematicalproblems and their classification with respect to their complexity.1.2 ComplexityThe aim of complexity theory is to define formal models for the processors and algorithms that weuse in our everyday computers and to provide a classification of the algorithms with respect to theirmemory or time consumption.Surprisingly all the complex computations carried out with a computer can be simulated by an automatongiven by a very simple mathematical structure called a Turing machine. A Turing machineis defined by a finite set of states: an initial state, a finite set of symbols, and a transition function. ATuring machine proceeds step-by-step following the rules given by the transition function and canwrite symbols on a memory string. It is then easy to define the execution time of an algorithm asthe number of steps between its beginning and end and the memory consumption as the number ofsymbols written on the memory string. For convenience, in the course of this book we will use aslightly stronger model of computation, called a Random Access Machine because it is very close tothe behavior of our everyday microprocessors. Then determining the execution time of an algorithmboils down to counting the number of basic operations on machine words needed for its execution.For more details, the reader should refer to [PAP 1994].The security of protocols is often linked to the assumed hardness of some problems. In the theoryof computation a problem is a set of finite-length questions (strings) with associated finite-lengthanswers (strings). In our context the input will usually consist of mathematical objects like integersor group elements coded with a string. The problems can be loosely classified into problems to

§ 1.2 Complexity 3compute something, e.g., a further group element and problems that ask for a yes or no answer.Definition 1.1 A problem is called a decision problem if the problem is to decide whether a statementabout an input is true or false.A problem is called a computation problem if it asks to compute an output maybe more elaboratethan true or false on a certain set of inputs.One can formulate a computation problem from a decision problem. Many protocols base theirsecurity on a decision problem rather than on a computation problem.Example 1.2 The problem to compute the square root of 16 is a computation problem whereas thequestion, whether 4 is a square root of 16, is a decision problem. Here, the decision problem can beanswered by just computing the square 4 2 =16and comparing the answers.A further decision problem in this context is also to answer whether 16 is a square. Clearly thisdecision problem can be answered by solving the above computation problem.Example 1.3 A second important example that we will discuss in the next section is the problem todecide whether a certain integer m is a prime. This is related to the computation problem of findingthe factorization of m.Given a model of computation, one can attach a certain function f to an algorithm that boundsa certain resource used for the computations given the length of the input called the complexityparameter. If the resource considered is the execution time (resp. the memory consumption) of thealgorithm, f measures its time complexity (resp. space complexity). In fact, in order to state thecomplexity independently from the specific processor used it is convenient to express the cost of analgorithm only “up to a constant factor.” In other words, what is given is not the exact operationcount as a function of the input size, but the growth rate of this count.The Schoolbook multiplication of n-digit integers, for example, is an “n 2 algorithm.” By this it isunderstood that, in order to multiply two n-digit integers, no more than cn 2 single-digit multiplicationsare necessary, for some real constant c — but we are not interested in c. The “big-O” notationis one way of formalizing this “sloppiness,” as [GAGE 1999] put it.Definition 1.4 Let f and g be two real functions of s variables. The function g(N 1 ,...,N s ) is oforder f(N 1 ,...,N s ) denoted by O ( f(N 1 ,...,N s ) ) if for a positive constant c one has|g(N 1 ,...,N s )| cf(N 1 ,...,N s ),with N i >Nfor some constant N. Sometimes a finite set of values of the tuples (N 1 ,...,N s ) isexcluded, for example those for which the functions f and g have no meaning or are not defined.Additional to this “big-O” notation one needs the “small-o”notation.The function g(N 1 ,...,N s ) is of order o ( f(N 1 ,...,N s ) ) if one hasg(N 1 ,...,N s )limN 1,...,N s→∞ f(N 1 ,...,N s ) =0.Finally we write f(n) =Õ ( g(n) ) as a shorthand for f(n) =O ( g(n)lg k g(n) ) for some k.Note that we denote by lg the logarithm to base 2 and by ln the natural logarithm. As these expressionsdiffer only by constants the big-O expressions always contain the binary logarithm. Incase other bases are needed we use log a b to denote the logarithm of b to base a. This must not beconfused with the discrete logarithm introduced in Section 1.5 but the meaning should be clear fromthe context.

4 Ch. 1 Introduction to Public-Key CryptographyExample 1.5 Consider g(N) =10N 2 +30N + 5000. ItisoforderO(N 2 ) as for c = 5040 onehas g(N) cN 2 for all N. We may write g(N) =O(N 2 ). In addition g(N) is o(N 3 ).Example 1.6 Consider the task of computing the n-fold of some integer m. Instead of computingn × m = m + m + ···+ m (n-times) we can do much better reducing the complexity of scalarmultiplication from O(n) to O(lg n). We make the following observation: we have 4m =2(2m)and a doubling takes about the same time as an addition of two distinct elements. Hence, the numberof operations is reduced from 3 to 2. This idea can be extended to other scalars: 5m =2(2m)+mneeding 3 operations instead of 4. In more generality let n = ∑ l−1i=0 n i2 i ,n i ∈{0, 1} be the binaryexpansion of n with l − 1=⌊lg n⌋. Thenn × m =2(2(···2(2(2m + n l−2 m)+n l−3 m)+···+ n 2 m)+n 1 m)+n 0 m.This way of computing n × m needs l − 1 doublings and ∑ l−1i=0 n i l additions. Hence, thealgorithm has complexity O(lg n). Furthermore, we can bound the constant c from above by 2.Algorithms achieving a smaller constant are treated in Chapter 9 together with a general study ofscalar multiplication.An algorithm has running time exponential in N if its running time can be bounded from aboveand below by e f(N) and e g(N) for some polynomials f,g. In particular, its running time is of orderO ( e f(N)) . Its running time is polynomial in N if it is of order O ( f(N) ) . Algorithms belongingto the first category are computationally hard, those of the second are easy. Note that the involvedconstants can imply that for a certain chosen small N an exponential-time algorithm may take lesstime than a polynomial-time one. However, the growth of N to achieve a certain increase in therunning time is smaller in the case of exponential running time.Definition 1.7 For the complexity of algorithms depending on N we define the shorthandL N (α, c) :=exp ( (c + o(1))(ln N) α (ln ln N) 1−α)with 0 α 1 and c>0. Theo(1) refers to the asymptotic behavior of N. If the second parameteris omitted, it is understood that it equals 1/2.The parameter α is the more important one. Depending on it, L N (α, c) interpolates between polynomialcomplexity for α =0and exponential complexity for α =1.Forα

§ 1.3 Public-key cryptography 51.3 Public-key cryptographyIn public-key cryptography, each participant possesses two keys — a public key and a private key.These are linked in a unique manner by a one-way function.Definition 1.8 Let Σ ∗ be the set of binary strings and f be a function from Σ ∗ to Σ ∗ . We say thatf is a one-way function if• the function f is one-on-one and for all x ∈ Σ ∗ , f(x) is at most polynomially longer orshorter than x• for all x ∈ Σ ∗ , f(x) can be computed in polynomial time• there is no polynomial-time algorithm which for all y ∈ Σ ∗ returns either “no” ify/∈ Im(f) or x ∈ Σ ∗ such that y = f(x).Remark 1.9 So far, there is no proof of the existence of a one-way function. In fact, it is easyto see that it would imply that P ≠ NP, which is a far reaching conjecture of complexity theory.This means in particular that the security of public-key cryptosystems always relies on the unprovenhypothesis of the hardness of some computational problem. But in the course of this book, we aregoing to present some families of functions that are widely believed to be good candidates for beinga one-way function and we now give an example of such a function.Example 1.10 Let Σ={0, 1, ✷} be the alphabet with three letters. Note that even if a computermanipulates only bits of information, that is an alphabet with two letters, it is easy by grouping thebits by packets of ⌈lg |Σ|⌉ to simulate computations on Σ. The character ✷ will serve as separator inour data structure. Let s be the function that assigns to each integer n ∈ N its binary representation.It is then possible to define a function f from Σ ∗ to Σ ∗ such that for all couples of prime numbers(p, q) the function evaluates as f ( s(p) || ✷ || s(q) ) = s(pq) with || the concatenation. As there existsa polynomial-time algorithm to multiply two integers, f satisfies clearly the two first conditions ofa one-way function. It is also widely believed that there is no polynomial-time algorithm to invertf but up to now there is no proof of such an assumption. The next section gives some details on thecomplexity of the best algorithms known in order to invert this function.Given a one-way function one can choose as the private key an a ∈ Σ ∗ and obtains the publickey f(a). This value can be published since it is computationally infeasible to defer a from it.Complexity theory considered in the previous section gives a mathematical measure to define whatis meant by “computationally infeasible.” For some applications it will be necessary to have aspecial class of computational one-way functions that can be inverted if one possesses additionalinformation. These functions are called trapdoor one-way functions.If an encrypted message is transmitted, the cryptographic framework has to ensure that no otherparty can obtain any information on the message or change it without being noticed. To map thepaper and pencil based world to electronic processes, other issues have to be solved in order toallow electronic commerce and contracts. Just as a handwritten signature is bound to the signer bythe uniqueness of his handwriting, the message as signature and text are linked by physical means,and any change of the message would be visible, an electronic signature needs to guarantee thefollowing:• Reliability: The signature is bound uniquely to the signer.• Non-repudiation: The signer cannot deny his signature.• Unforgeability: The signature is bound to the signed text.More details for all material treated in this section can be found in [MEOO + 1996, STI 1995,SCH 1996].

6 Ch. 1 Introduction to Public-Key Cryptography1.4 Factorization and primalityThis section is devoted to prime numbers. We need them to construct finite fields and the cryptosystemsin which we are interested are designed around groups of prime order. The prime numbertheorem gives an estimate on the number π(x) of primes less than x.Theorem 1.11 (Prime number theorem) Asymptotically there existπ(x) ∼∫ x2dyln yprime numbers less than x. A slightly worse estimate that is easier to remember isπ(x) ∼xln x ·1.4.1 PrimalityIn the applications we envision we must be sure that a given integer N is prime. The most obviousway is to try for all integers n √ N whether N ≡ 0(modn) in which case one even has found adivisor of N. However, this method requires O( √ N) modular reductions, which is far too large forthe size of N encountered in practice.In fact, it is too time-consuming to prove primality, or for that matter compositeness, of a giveninteger by failing or succeeding to find a proper factor of it. The best primality test algorithmsdescribed in Chapter 25 will only prove N to be prime and will not output any divisor in case it isnot. Most algorithms will be probabilistic in nature in the sense that one output is always true whilethe other is only true with a certain probability. Iterating this algorithm allows us to enlarge theprobability that the answer that was given only with a certain probability actually holds true. Thesetechniques offer quite good performance.To prove primality using probabilistic algorithms one usually starts with some iterations of analgorithm whose output “nonprime” is always correct while the output “prime” is true only with acertain probability. After passing some rounds one uses an algorithm that is correct when it outputs“prime.”The reason for this order is that usually the algorithms of the first type have a shorter runningtime and allow us to detect composite integers very efficiently. Factoring algorithms, on the otherhand, are usually much slower.1.4.2 Complexity of factoringEven though we shall return to this matter in Chapter 25 we briefly recall the complexity of findingfactors of composite numbers.By brute force one can check divisibility by 2, 3, 5, 7, 11, and so on in succession. Even if Nis 1000 decimal digits long (about 3222 bits), it takes only a few seconds on a modern personalcomputer to divide it by all integers up to 10 7 . Checking whether a large number N is divisibleby n (where N is much larger than n) by trial division requires at most O ( lg(n)lg(N) ) operationsassuming simple techniques and()1+ɛ lg(N)O lg(n) = O ( lg(n) ɛ lg(N) )lg(n)asymptotically.

§ 1.4 Factorization and primality 7The elliptic curve method (ECM) of factorization given in Section 25.3.3 has expected complexityL p ( 1 2 , √ 2) for finding the smallest prime factor p of N. It is expected that in the near future thismethod will be able to find 60-digits, i.e., 200-bit factors.Boosted by RSA challenges [RSA] (see below) there has been a lot of research on the numberfield sieve methods for factoring integers. In theory the number field sieve should be able to factorany number in heuristic expected time(1L , ( ) )64 1/3N 3 9where ( )64 1/39 ≈ 1.923.This algorithm was long thought not to be practical, but recent years have seen tremendous successin its implementation and its improvements. The largest RSA modulus factored so far is the 200-digit RSA challenge integer, a feat achieved by Franke and Kleinjung [WEI 2005, CON 2005].1.4.3 RSAWe give only the schoolbook method here. It is understood that one should not implement RSA thisway. The RSA cryptosystem [RISH + 1978] usesanintegerN = pq which is the product of twoprimes p and q. The system uses the modular relation m (p−1)(q−1) ≡ 1(modpq), which holds forevery m coprime to N. This relation will be proved in Section 2.1.2 in a more general context.Alice’s public and secret keys are two integers e and d such that ed ≡ 1(mod(p − 1)(q − 1))(this alone implies that e must be relatively prime to p − 1 and q − 1). If Bob wants to send amessage m to Alice, where we assume that m is a natural number smaller than pq, he computesc = m e mod n. To recover the message, Alice simply computesc d = m ed = m 1+k(p−1)(q−1) ≡ m (mod N)by the relation above. In the RSA cryptosystem, the one-way function is thus m ↦→ m e mod N.The security is based on the RSA assumption, namely the assumption that given e, m e mod Nand N one cannot recover m. This would be easy if one were able to compute d from the giveninformation, e.g., if (p − 1)(q − 1) would be known. Apparently this could be done if one couldfactor N. However, factoring is not easy as shown in the previous section.The primes p and q are usually chosen of similar bit length, in order to prevent as much aspossible attacks arising from future development of algorithms whose complexity depends on thesmallest prime. At the same time p and q cannot be too close, otherwise if p = ⌊ √ N⌋ + a, q =⌊ √ N⌋−b for some small a, b one has N = pq = ⌊ √ N⌋ 2 +(a − b)⌊ √ N⌋−ab. From this one getsN −⌊ √ N⌋ 2 =(a − b)⌊ √ N⌋−ab. Performing a division with remainder by ⌊ √ N⌋ one obtains aband a − b provided they are smaller than ⌊ √ N⌋.It is not clear whether the RSA problem, which can be loosely formulated as inverting the functionm ↦→ m e mod N, is equivalent to the factorization problem. It is possible, in theory, that there issome way of computing m from m e that does not involve determining p and q. In the original RSApaper, the authors say:“It may be possible to prove that any general method of breaking our scheme yieldsan efficient factoring algorithm. This would establish that any way of breaking ourscheme must be as difficult as factoring. We have not been able to prove this conjecture,however.”However, as of today, if p and q are large enough, the cryptosystem can be considered secure. Largeenough currently means that the two numbers are of at least 500 bits and that their product has about1024 bits.

8 Ch. 1 Introduction to Public-Key Cryptography1.5 Discrete logarithm systemsIn this section we introduce a second kind of problem where hard instances can be constructed. Inpractice a discrete logarithm (DL) system is usually based on a cyclic group of prime order. Forsome protocols considered later on, a commutative semigroup would be enough.In this book, we are mainly concerned with cryptographic use of elliptic and hyperelliptic curvesand there one works in a group, hence, we restrict our attention to this case here as well. For thedefinition of a group and the examples used in the sequel, we refer to Chapter 2.1.5.1 Generic discrete logarithm systemsLet (G, ⊕) be a cyclic group of prime order l and let P be a generator of G. Themapϕ : Z → Gn → [n]P = P ⊕ P ⊕···⊕P} {{ }n-timeshas kernel lZ, thus ϕ leads to an isomorphism between (G, ⊕) and (Z/lZ, +). The problem ofcomputing the inverse map is called the discrete logarithm problem (DLP) to the base of P .Itisthe problem given P and Q to determine k ∈ Z such that Q =[k]P , i.e., to find k ∈ N such thatϕ(k) =Q. Thediscrete logarithm of Q to the base of P is denoted by log P (Q). Note, that it isunique only modulo the group order l. The complexity of this problem depends on the choice of Gand ⊕. To show the dependency on the generator P of G we speak of the DL system (G, ⊕,P).Example 1.12 Let (G, ⊕) =(Z/lZ, +) with generator 1+lZ. The discrete logarithm of n + lZis simply given by n. Also, if the generator is chosen to be a + lZ for some integer a, this problemis easy to solve as it is nothing but computing the inverse modulo l. In Chapter 10 this is shown tohave complexity polynomial in the size of the operands, i.e., in lg l.Hence, this group cannot be used in cryptographic applications.Example 1.13 Choose a prime p such that l divides p − 1. Choose ζ ≠1in Z/pZ with ζ l =1(i.e., ζ is a primitive l-th root of unity). Then (G, ⊕) =(〈ζ〉, ×) and ϕ(n) =ζ n .In Chapter 19, we will show that this DLP is of subexponential complexity, thus harder than inthe previous example but not optimal.An obvious generalization is to work in extension fields F q , with q = p d ,l | p d − 1 for p prime.To represent the finite field F p d one fixes an irreducible polynomial m(X) ∈ F p [X] of degreed and uses the isomorphism F p d ≃ F p [X]/ ( m(X) ) . For an introduction to finite fields and theirarithmetic see Chapters 2 and 11.Systems based on the DLP in the multiplicative group of finite fields are easy to construct. Startingwith a prime l of appropriate size one searches for p and d such that l | p d − 1. For appropriatelychosen subgroups, compression methods based on traces such as LUC [SMSK 1995] andXTR [LEVE 2000] can be used to represent the subgroup elements. These groups additionallyallow faster group operations.The groups associated to elliptic and hyperelliptic curves of small genus that will be studied in thesequel of the book are believed to have a DLP of exponential complexity.To efficiently implement a DL system one needs to find good instances of groups in which theDLP is hard: in order to put aside easy instances this implies in particular that the group size canbe efficiently computed to ensure that there exists a large prime order subgroup (G, ⊕,P). Wealso

§ 1.6 Protocols 9need to have a short representation of group elements needing O(lg l) space and the group operationQ ⊕ R needs to be performed efficiently for any input Q, R ∈ G. The complexity of computingthe DL is studied in Chapter 19. Note that the computation of the order of P is a special instancefor the DLP, namely ord(P )=log P 1,where1 is the neutral element in G. Techniques for scalarmultiplication are studied in Chapter 9. For groups based on elliptic and hyperelliptic curves, seeChapters 13 and 14.1.5.2 Discrete logarithm systems with bilinear structureSome groups have an additional structure that can either be considered a weakness, as it allowstransfers (see below), or an advantage, as it can be used constructively in special protocols (cf.Section 24.1.2).Definition 1.14 Assume that a DL system is given by (G, ⊕) a group of prime order l and thatthere is a group (G ′ , ⊕ ′ ) of the same order l in which we can compute “as fast” as in G. Assumemoreover that (H, ⊞) is another DL system and that a mapsatisfies the following requirements:e : G × G ′ → H• the map e is computable in polynomial time (this includes that the elements in H needonly O(lg l) space),• for all n 1 ,n 2 ∈ N and random elements (P 1 ,P ′ 2 ) ∈ G × G′ we havee([n 1 ]P 1 , [n 2 ]P ′ 2 )=[n 1n 2 ]e(P 1 ,P ′ 2 ),• the map e is nondegenerate. Hence, for random P ′ ∈ G ′ we have e(P 1 ,P ′ )=e(P 2 ,P ′ )if and only if P 1 = P 2 .Then we call (G, e) a DL system with bilinear structure.There are two immediate consequences:• Assume that G = G ′ and hencee(P, P) ≠0.Then for all triples (P 1 ,P 2 ,P 3 ) ∈ 〈P 〉 3 one can decide in time polynomial in lg lwhetherlog P (P 3 )=log P (P 1 )log P (P 2 ).• The DL system G is at most as secure as the system H. EvenifG ≠ G ′ one can transferthe DLP in G to a DLP in H, provided that one can find an element P ′ ∈ G ′ such thatthe map P → e(P, P ′ ) is injective, i.e., it induces an injective homomorphism of G intoa subgroup of H. Hence, instead of solving the DLP in G one transfers the problem toH where it might be easier to solve.1.6 ProtocolsThis book is concerned with cryptographic applications of elliptic and hyperelliptic curves. So farwe have described DL systems in an abstract setting. In this section we motivate that groups are agood choice and show how two or more parties can agree on a joint secret key, exchange encrypted

10 Ch. 1 Introduction to Public-Key Cryptographydata, and sign electronically. We also show how the identity of a participant can be used to form hispublic key.But this book is not mainly concerned with protocols. We just show the bare-bones schoolbookprotocols. Their use is twofold: they should motivate the reader to consider DL systems in moredetail and at the same time highlight which computational problems need to be solved in order toget fast cryptographic systems. For an actual implementation one needs to take care not to weakenthe system in applying a flawed protocol. For a great overview consider [MEOO + 1996].1.6.1 Diffie–Hellman key exchangeThe publication of Diffie and Hellman’s seminal paper New directions in cryptography [DIHE 1976]can be seen as the start of public-key cryptography in public. We describe the Diffie–Hellman(DH)protocol for an abstract group (G, ⊕). In their paper they proposed the multiplicative group ofa finite prime field (cf. Example 1.13).The two parties Alice (A) andBob(B) have the public parameters (G, ⊕,P) and want to agreeon a joint key that is a group element. Once they are in the possession of such a joint secret P k theycan use a key derivation function to derive a bit-string useful as a key in a symmetric system. Tothis aim A secretly and randomly chooses a A ∈ R N (∈ R means choosing at random) and computesP A = [a A ]P while B ends up with P B = [a B ]P . They publicly exchange these intermediateresults. If the DLP (cf. Section 1.5) is hard in G one cannot extract a A from P A or a B from P B .Upon receiving P B , A computes P k =[a A ]P B =[a A a B ]P .NowB can obtain the same result as[a B ]P A =[a B a A ]P , thus they are both in possession of a group element P k , which should not becomputable from the public values P A and P B .Clearly, this last assumption does not hold if the DLP in (G, ⊕) is easy. The problem of computing[a A a B ]P given [a A ]P and [a B ]P is called the computational Diffie–Hellman problem (CDHP).Maurer and Wolf [MAWO 1999] study the equivalence of the CDHP and the DLP. An importanttool in their proof are elliptic curves of split group order. They show that if such curves can befound, then an oracle to solve the CDHP can be used to solve DLP in polynomially many steps. Forgroups related to elliptic curves this question is studied in [MUSM + 2004].In most DL systems it is also hard to verify whether a proposed solution to the CDHP is correct.The problem given [a A ]P, [a B ]P and [c]P to decide whether [c]P =[a A a B ]P is called the decisionDiffie–Hellman problem (DDHP). Obviously, it is no harder than CDHP. For the DLP a decisionversion is not useful to consider as one could simply try the pretended solution.If (G, ⊕) is a DL system with bilinear structure (Section 1.5.2), the DDHP can easily be solvedby comparing e([a A ]P, [a B ]P )=[a A a B ](e(P, P)) to e(P, [c]P )=[c](e(P, P)). Groups in whichthe CDHP is assumed to be hard while the DDHP is easy are called Gap-Diffie–Hellman groups.As usual the presented version is not ready to implement. An eavesdropper Eve (E) could interceptthe communication and act as Bob for Alice sending [a E ]P to her and as Alice for Bob sendingher key to him as well. Then she would have a joint key P k,A with Alice and one with Bob P k,B .Hence, she can decipher any message from Alice intended for Bob and encipher it again for Bobusing P k,B . This way, no party would notice her presence and she could read any message. Thisattack is called the man-in-the-middle attack.1.6.2 Asymmetric Diffie–Hellman and ElGamal encryptionThe Diffie–Hellman key exchange requires that both parties to work online, i.e., they are both activeat the same time. The following two protocols are asymmetric also in the sense that the senderand the receiver perform different steps and that there are two different keys — a private key and apublic key.

§ 1.6 Protocols 11If the DLP is hard in (G, ⊕) then Alice could just as well publish her public key P A =[a A ]P in adirectory. The process of computing the public and private key pair is called key generation. Thesystems described in this section require that the receiver of the message has already set up andpublished his public key. The problem of how to make accessible this data and put confidence in thelink between A and her public key is considered in the literature on public-key infrastructure (PKI).Algorithm 1.15 Key generationINPUT: The public parameters (G, ⊕,P).OUTPUT: The public key P A and private key a A.1. a A ∈ R N [choose a at random in N]2. P A ← [a A]P3. return P A and a AThe random choice should be done by the computing device to avoid biases introduced by humans,like choosing small numbers to facilitate the computations. In Chapter 30 we deal with randomnumber generators.If Bob wants to send the message m to Alice, he looks up her public key in a directory. He canperform an asymmetric version of the Diffie–Hellman key exchange if there is a map ψ : G →K from the group to the keyspace K and a symmetric cipher E κ depending on the key κ. Thedecryption function, i.e., the inverse of E κ , is denoted by D κ .Algorithm 1.16 Asymmetric Diffie–Hellman encryptionINPUT: A message m, the public parameters (G, ⊕,P) and the public key P A ∈ G.OUTPUT: The encrypted message (Q, c).1. k ∈ R N2. Q ← [k]P3. P k ← [k]P A4. κ ← ψ(P k )5. c ← E κ(m)6. return (Q, c)To decrypt, Alice computes P k =[a A ]Q, using her private key a A , from which she determinesκ = ψ(P k ). She recovers the plaintext as m = D κ (c).The randomly chosen nonce k ∈ R N makesthisarandomized encryption.If there is an invertible map ϕ from the message space M to G one can also use ElGamal encryption.Algorithm 1.17 ElGamal encryptionINPUT: A message m, the public parameters (G, ⊕,P) and the public key P A ∈ G.OUTPUT: The encrypted message (Q, c).1. k ∈ R N2. Q ← [k]P3. P k ← [k]P A

12 Ch. 1 Introduction to Public-Key Cryptography4. R ← P k ⊕ ϕ(m)5. return (Q, R)To decrypt, Alice uses P k =[a A ]Q and computes m = ϕ −1 (R ⊖ P k ).Note that by this method one can only encrypt messages of size at most lg l,wherel is the orderof G. It is possible to encrypt longer messages using a mode of operation making multiple callsto the Algorithm 1.17; however, this is hardly ever done because of the relative slowness of thisencryption scheme. Instead the transmitted message m will act as a secret key in some followingsymmetric encryption.1.6.3 Signature scheme of ElGamal-typeAn electronic signature should bind the signer to the content of the signed message. A hash function(see [MEOO + 1996]) is a map h : S → T between two sets S, T , where usually |S| > |T |,e.g.,theinput is a bit-string of arbitrary length and the output has fixed length.Additional properties are required from cryptographic hash functions:• Preimage resistant: for essentially all outputs t ∈ T it is computationally infeasible tofind any s ∈ S such that t = h(s).• 2nd-preimage resistant: for any given s 1 ∈ S it is computationally infeasible to find adifferent s 2 ∈ S such that h(s 1 )=h(s 2 ).• Collision resistant: it is computationally infeasible to find any distinct inputs s 1 ,s 2 suchthat h(s 1 )=h(s 2 ).For practical use one requires the signature to be of fixed length no matter how long the signedmessage is. Therefore, one only signs the hash of the message. The hash function should becollision resistant as otherwise a malicious party could ask to sign some innocent message m 1 anduse the signature, which only depends on h(m 1 ), as a signature for a different message m 2 withh(m 1 )=h(m 2 ). We shall also apply hash functions to elements of the group G. Here, we assumethat these are represented via a bit-string and thus write h(Q) for Q ∈ G.To compute an electronic signature, Alice must have performed Algorithm 1.15 in advance.Algorithm 1.18 ElGamal signatureINPUT: A message m, the public parameters (G, ⊕,P) with |G| = l and the private key a A ∈ G.OUTPUT: The signature (Q, s) on m.1. k ∈ R N2. Q ← [k]P3. s ← (k −1`h(m) − a Ah(Q)´ mod l)4. return (Q, s)

§ 1.6 Protocols 13Remarks 1.19(i) In the signature scheme the short term secret, i.e., the random nonce k, mustbekeptsecret as otherwise the long-term secret, the private key a A , can be recovered asa A ≡ h(Q) −1 (h(m) − sk)(mod l).(ii) There are many variants of ElGamal signature schemes. Some have the advantage thatone need not invert k modulo the group order. This is especially interesting if one isconcerned with restricted environments (cf. Chapters 27 and 26) as this way one avoidsimplementing modular arithmetic for two different moduli (finite field arithmetic forthe group arithmetic and computations modulo l). An overview of different schemes isprovided in [MEOO + 1996, Note 11.6]; e.g., the signature can also be given bywith notations as above.A signature can be verified by everybody.s = ( kh(m)+a A h(Q) ) mod lAlgorithm 1.20 Signature verificationINPUT: A message m, its signature (Q, s) from Algorithm 1.18, the public parameters (G, ⊕,P)where |G| = l, and the public key P A.OUTPUT: Acceptance or rejection of signature.1. R 1 ← [h(Q)]P A ⊕ [s]Q2. R 2 ← [h(m)]P3. if R 1 = R 2 return “acceptance” else return “rejection”The algorithm is valid as a correct signature gets accepted. Namely,R 1 =[h(Q)]P A ⊕[s]Q =[a A h(Q)]P ⊕[ks]P =[a A h(Q)+h(m)−a A h(Q)]P =[h(m)]P = R 2 .In Line 1 one can apply simultaneous multiplication techniques (cf. Chapter 9).Depending on the special properties of the group it might be possible to transmit only some partof Q. The standard for digital signatures (DSA) works in a subgroup of the multiplicative group ofa finite field. For elliptic curves the standard is called the elliptic curve digital signature algorithm(ECDSA) [ANSI X9.62], an adaption of Algorithm 1.18. The German standard GECDSA avoidsinversions modulo the group order. So far, there is no standard for hyperelliptic curves. A versionanalogous to the ECDSA can be found in [AVLA 2005].1.6.4 Tripartite key exchangeWe now give an example of how the additional structure of a DL system with bilinear structure canbe used in protocols. We come back to this study in Chapter 24 where we apply special bilinearmaps for elliptic and hyperelliptic curves. Here, we show how three persons can agree on a jointsecret group element using using two DL systems, (G, ⊕) and (H, ⊞), ande, a bilinear map fromG × G into H and needing only one round [JOU 2000]. Note that there are other protocols basedon the usual DH protocol to solve this for arbitrarily many group members, but in two rounds[BUDE 1995, BUDE 1997], and clearly the protocol as such is a schoolbook version that can easilybe attacked by a man-in-the-middle attack.

14 Ch. 1 Introduction to Public-Key CryptographyThe following algorithm shows the computations done by person A.Algorithm 1.21 Three party key exchangeINPUT: The public parameters (G, ⊕,H,⊞,P,e) with the bilinear map e.OUTPUT: The joint key K ∈ H.1. a A ∈ R N2. P A ← [a A]P3. send P A to B, C4. receive P B,P C from B, C5. K ← [a A]`e(P B,P C)´6. return KApplying this algorithm, A, B,andC obtain the same element of H as[a A ] ( e(P B ,P C ) ) =[a A a B a C ] ( e(P, P) ) =[a B ](e(P A ,P C )) = [a C ] ( e(P A ,P B ) ) .Obviously, this protocol can be extended to more parties by the same methods as the DH protocol.1.7 Other problemsFew problems have been investigated as thoroughly as the RSA and discrete logarithm problem.Furthermore, these problems are suitable for designing schemes that address most of today’s needs:key exchange, en- and decryption, and generation and verification of digital signatures. After morethan 20 years of research, they still stand as hard ones, with discrete logarithms in the Jacobians ofcurves offering the advantage of shorter keys compared to RSA and the gap becomes larger as thesecurity demands increase. In a certain sense, curves offer balanced systems: they allow to designprotocols for all applications, offering good performance.Besides RSA and DLP some other computationally hard problems have been proposed as a basisfor cryptosystems. Some of the systems designed around these problems require an extremelycareful choice of parameters in order to attain security: the parameters had to be redefined severaltimes as new attacks have been discovered. Therefore, we do not go into the details here but onlylist them with some references.• The Knapsack (subset sum) problem is to determine a subset of a given set of integerssuch that the sum of the elements equals a given integer s. The corresponding decisionproblem is to decide whether there exists such a sum leading to s.Cryptosystems based on the knapsack problem [SAH 1975, IBKI 1975] were very wellreceived when they were created, because they were the first alternative to RSA. Butthe fact that in a cryptosystem the hard problem should be easy to set up, impliesthat not all types of subset-sum problems are suitable for cryptography. In particular,the first proposals using knapsacks of low density have been broken in polynomialtime [ODL 1990]. There exist some proposals that have not been broken so far but theyare hardly ever applied.• The NTRU encryption [HOPI + 1998] and the NTRU-Sign [HOHO + 2003] signaturesystem, see [NTRU], are systems based on the problem of recovering a sparse polynomialthat is a factor of a polynomial modulo X N − 1 in the polynomial ring of some

§ 1.7 Other problems 15finite field F q . This problem can be transferred to the setting of lattices where Coppersmithand Shamir [COSH 1997] showed that this problem can be reduced to a shortestvector problem. Even though the latter is in general a hard problem, many instances ofit arising from NTRU systems have been proved easy to solve. Since the NTRU systempossesses a remarkable speed, there is a lot of interest in finding the parameters thatmake it secure. An excellent survey on the subject is [GESM 2003].• In the last two decades, several public-key schemes based on the difficulty of solvingMultivariate Quadratic equations (MQ) have been proposed [MAIM 1988, PAT 1996,KIPA + 1999, KIPA + 2003]. As it often happens, even though the general MQ problemis NP-complete, many instances that have been proposed for designing cryptosystemshave been revealed solvable. In spite of the recent progress in Gröbner bases computation[FAJO 2003] there are some signature schemes based on enhanced versions of thehidden field equations (HFE) system [PAT 1996] that are believed to be secure. It is stillan active area of research to devise provably secure variants of HFE cryptosystems.• McEliece proposed the first system based on algebraic coding theory [MCE 1978]. Hisintent was to take advantage of the very efficient encoding and decoding algorithmsfor the binary Goppa codes to propose a very fast asymmetric encryption scheme. Thesecurity was related to the difficulty of decoding in a linear code [BEMC + 1978]: thisproblem is NP-hard. In 1986 Niederreiter proposed a dual version [NIE 1986] ofthesystem, with an equivalent security [LIDE + 1994]. A specialized version of the latterbased on Reed–Muller code was also proposed in 1994 [SID 1994]. The first digitalsignature scheme using codes was presented in 2001 [COFI + 2001].• Braid groups B m are a special class of noncommutative groups. This allows us todefine the conjugacy problem, namely the problem of finding an a ∈ B m for givenx, y ∈ B m such that y = axa −1 . The systems based on this problem [KOLE + 2000,ANAN + 1999] have been broken completely in [CHJU 2003] by showing a polynomialtimealgorithm to determine the secret information from the data made public for keyexchange and encryption.Noncommutative groups still receive some interest, but at the moment we are not awareof any proposed cryptoscheme.

ÁMathematicalBackground

Chapter ¾Algebraic BackgroundChristophe Doche and David LubiczContents in Brief2.1 Elementary algebraic structures 19Groups • Rings • Fields • Vector spaces2.2 Introduction to number theory 24Extension of fields • Algebraic closure • Galois theory • Number fields2.3 Finite fields 31First properties • Algebraic extensions of a finite field • Finite fieldrepresentations • Finite field charactersIn the first part we state definitions and simple properties of the algebraic structures we shall useconstantly in the remainder of the book. More details can be found in [LAN 2002a].The next section deals with number theory. We shall give at this occasion an introduction toextension of fields, including the algebraic closure, Galois theory, and number fields. We refermainly to [LAN 2002a] and [FRTA 1991] for this part.Finally, we conclude with an elementary theory of finite fields that are of crucial importance forelliptic and hyperelliptic curve cryptography. Finite fields are extensively discussed in [LINI 1997].2.1 Elementary algebraic structuresWe shall recall here basic properties of groups, rings, fields, and vector spaces.2.1.1 GroupsDefinition 2.1 Given a set S, acomposition law × of S into itself is a mapping from the Cartesianproduct S × S to S. Common notations for the image of (x, y) under this mapping are x × y, x.yor simply xy. When the law is commutative, i.e., when the images of (x, y) and (y, x) under thecomposition law are the same for all x, y ∈ S, it is customary to denote it by +.Definition 2.2 A group G is a set with a composition law × such that19

20 Ch. 2 Algebraic Background• × is associative, that is for all x, y, z ∈ G we have (xy)z = x(yz)• × has a unit element e, i.e., for all x ∈ G we have xe = ex = x• for every x ∈ G there exists y,aninverse of x such that xy = yx = e.Remarks 2.3(i) The group G is said to be commutative or abelian, if the composition law is commutative.As previously mentioned, the law is often denoted by + or ⊕ and the unit elementby 0 in this case.(ii) The unit of a group G is necessarily unique as well as the inverse of an element x that isdenoted by x −1 .IfG is commutative the inverse of x is usually denoted by −x.(iii) The cardinality of a group G is also called its order. The group G is finite if its order isfinite.Definition 2.4 Let G be a group. A subgroup H of G is a subset of G containing the unit elemente andsuchthat• for all x, y ∈ H one has xy ∈ H• if x ∈ H then also x −1 ∈ H.Example 2.5 Let x ∈ G. Theset{x n | n ∈ Z} is the subgroup of G generated by x. It is denotedby 〈x〉.Definition 2.6 Let G be a group. An element x ∈ G is of finite order if 〈x〉 is finite. In this case,the order of x is |〈x〉|, that is, the smallest positive integer n such that x n = e. Otherwise,x is ofinfinite order.Definition 2.7 A group G is cyclic if there is x ∈ G such that 〈x〉 = G. If such an element x exists,it is called a generator of G.Remark 2.8 Every subgroup of a cyclic group G is also cyclic. More precisely, if the order of G isn, then for each divisor d of n, G contains exactly one cyclic subgroup of order d.Definition 2.9 Let G be a group and H be a subgroup of G. For all x, y ∈ G, the relationx ∼ y ∈ H, if and only if x −1 y ∈ H, respectively x ∼ y if and only if yx −1 ∈ H, is an equivalencerelation. An equivalence class for this relation is denoted by xH = {xh | h ∈ H}, respectivelyHx = {hx | h ∈ H} and are called respectively left and right cosets of H. The numbers of classesfor both relations are the same. This invariant is called the index of H in G and is denoted by[G : H].Theorem 2.10 (Lagrange) Let G be a finite group and H be a subgroup of G. Then the order of Hdivides the order of G. As a consequence, the order of every element also divides the order of G.Since all the classes modulo H have the same cardinality |H| and form a partition of G, wehavethe more precise result |G| =[G : H]|H|.Definition 2.11 Let G be a group. A subgroup H is normal if for all x ∈ G, xH = Hx. Inthiscase G/H can be endowed with a group structure such that (xH)(yH) =xyH.For example, the group G =(Z, +) is abelian. Hence the group of multiples of n, called nZ isa normal subgroup of G for every integer n, and one can consider the quotient group Z/nZ ={x + nZ | x ∈ Z}. An element of Z/nZ is a class modulo n. Two integers x and y are congruent

§ 2.1 Elementary algebraic structures 21modulo n if they belong to the same class modulo n, i.e., if and only if x − y ∈ nZ. In this case, wewrite x ≡ y (mod n).For every integer x, there is a unique integer r in the interval [0,n− 1], which belongs to theclass of x. This integer r is called the canonical representative of x and we write r = x mod n.Therefore we haveZ/nZ = { r + nZ | r ∈ [0,n− 1] } .But other choices are possible. For example, to minimize the absolute value of the representatives,we write x mods n for the unique integer in [⌊−n/2⌋ +1, ⌊n/2⌋] congruent to x modulo n.Definition 2.12 Let G and G ′ be two groups with respective laws × and ⊗ and units e and e ′ .• A group homomorphism ψ between G and G ′ is a map from G to G ′ such that for allx, y ∈ G, ψ(x × y) =ψ(x) ⊗ ψ(y).• The kernel of ψ is ker ψ = {x ∈ G | ψ(x) =e ′ }.Remark 2.13 The kernel of ψ is never empty as it is easy to see that ψ(e) =e ′ . In addition, ker ψis always a subgroup of G, which is in addition normal.Definition 2.14 Let S be a set and G be a group. The group G acts on S if there is a map σ fromG × S into S such that• σ(e, t) =t,forallt ∈ S• σ ( x, σ(y, t) ) = σ(xy, t), forallt ∈ S and for all x, y ∈ G.2.1.2 RingsDefinition 2.15 A ring R is a set together with two composition laws + and × such that• R is a commutative group with respect to +• × is associative and has a unit element 1, which is different from 0, the unit of +• × is distributive over +, that is for all x, y, z ∈ R, x(y + z) =xy + xz and (y + z)x =yx + zx.Remarks 2.16(i) The ring R is said to be commutative,ifthelaw× is commutative.(ii) A commutative ring R such that for all x, y ∈ R, the equality xy =0implies that x =0or y =0is called an integral domain.Example 2.17 The set Z of integers together with the usual addition and multiplication is a ring.The set Z[X] of polynomials with coefficients in Z together with the addition and multiplication ofpolynomials is a ring.Definition 2.18 Let R and R ′ be two rings with the respective operations +, × and ⊕, ⊗. Aringhomomorphism ψ is an application from R to R ′ such that for all x, y ∈ R• ψ(x + y) =ψ(x) ⊕ ψ(y)• ψ(x × y) =ψ(x) ⊗ ψ(y)• ψ(1) = 1.Definition 2.19 Let R be a ring, I is an ideal of R if it is a nonempty subset of R such that

22 Ch. 2 Algebraic Background• I is a subgroup of R with respect to the law +• for all x ∈ R and all y ∈ I, xy ∈ I and yx ∈ I.The ideal I R is prime if for all x, y ∈ R with xy ∈ I one obtains x ∈ I or y ∈ I.The ideal I R is maximal if for any ideal J of R the inclusion I ⊂ J implies J = I or J = R.Two ideals I and J of R are coprime if I + J = {i + j | i ∈ I and j ∈ J} is equal to R.Remark 2.20 It is easy to prove that a maximal ideal is also prime. The converse is not true ingeneral.Definition 2.21 An ideal I of a ring R is finitely generated if there are elements a 1 ,...,a n suchthat every x ∈ I can be written x = x 1 a 1 + ···+ x n a n with x 1 ,...,x n ∈ R.The ideal I is principal if I = aR and R is a principal ideal domain (PID) if it is an integraldomain and if every ideal of R is principal.Example 2.22 The integer ring Z and the polynomial ring K[X] where K is a field are principalideal domains.Theorem 2.23 (Chinese remainder theorem) Let I 1 ,...,I k be pairwise coprime ideals of R.Thenk∏ k∏R/ I i ≃ R/I i .i=1Corollary 2.24 Let n 1 ,...,n k be pairwise coprime integers, i.e., such that gcd(n i ,n j )=1fori ≠ j. Then, for any integers x i , there exists an integer x such that⎧x ≡ x 1 (mod n 1 )⎪⎨ x ≡ x 2 (mod n 2 )Furthermore, x is unique modulo⎪⎩k∏n i .i=1i=1.x ≡ x k (mod n k ).Remark 2.25 See Algorithm 10.52 for an efficient method to compute x given the x i ’s.Next we define an important arithmetic invariant. Let R be a ring and let ψ be the natural ringhomomorphism from Z to R. So{1+···+1 n times if n 0ψ(n) =(2.1)−(1 + ···+1) −n times otherwise.The kernel of ψ is an ideal of Z and if the multiples of 1 are all different then ker ψ = {0}.Otherwise, for example if R is finite, some multiples of 1 must be zero. In other words, the kernelof ψ is generated by a positive integer m.Definition 2.26 Let R bearingandψ defined as above. The kernel of ψ is of the form mZ, forsome nonnegative integer m, which is called the characteristic of R and is denoted by char(R).Remark 2.27 In a commutative ring R of prime characteristic p, the binomial formula simplifies to(α + β) pn = α pn + β pn for all α, β ∈ R and n ∈ N. (2.2)

§ 2.1 Elementary algebraic structures 23Definition 2.28 Let R be a ring. An element x ∈ R is said to be invertible if there is an element ysatisfying xy = yx =1.Suchaninverse y, also called a unit, is necessarily unique and is denotedby x −1 . The set of all the invertible elements is a group under multiplication denoted by R ∗ .Example 2.29 Take a positive integer N and consider the ring Z/N Z obtained as the quotient ofthe usual integer ring Z by the ideal NZ. The invertible elements of Z/N Z are in one-to-onecorrespondence with the canonical representatives coprime with N. The inverse of an element isgiven by an extended gcd computation, cf. Section 10.6.Definition 2.30 Let N 1 and let us denote |(Z/N Z) ∗ | by ϕ(N). The function ϕ is called theEuler totient function and one has ϕ(N) =|{x | 1 x N, gcd(x, N) =1}|.From Lagrange’s Theorem 2.10, it is easy to prove the following.Theorem 2.31 (Euler) Let N and x be integers such that x is coprime to N, thenx ϕ(N) ≡ 1(mod N).This result was first proved by Fermat when the modulus N is a prime p. In this case, Theorem 2.31reduces to x p−1 ≡ 1(modp) for x prime to p. Therefore this restricted version if often referred toas Fermat’s little theorem.The ring Z/pZ has many other marvelous properties. In particular, every nonzero element has aninverse, which means that Z/pZ is a field.2.1.3 FieldsDefinition 2.32 A field K is a commutative ring such that every nonzero element is invertible.Example 2.33 The set of rational numbers Q with the usual addition and multiplication law is afield. The quotient set Z/pZ with the induced integer addition and multiplication is also a field forany prime number p.An easy consequence of Definition 2.32 is that a field is an integral domain. Now, quotienting Kby the kernel of ψ as defined by (2.1), we see that K contains a field isomorphic to Z/ char(K)Z.These two facts imply the following result.Proposition 2.34 The characteristic of a field is either 0 or a prime number p.As a corollary, a field K contains a subfield which is isomorphic to Q or Z/pZ.Given an integral domain R, a common way to obtain a field is to add to R the formal inversesof all the elements of R. The set obtained is the field of fractions of R. For instance, K(X) is thefield of fractions of the polynomial ring K[X]. Next proposition is also very much used in practiceto construct fields.Proposition 2.35 Let R be a ring and I an ideal of R. Then the quotient set R/I is a field if andonly if I is maximal.Definition 2.36 Let K and L be fields. A homomorphism of fields is a ring homomorphism betweenK and L.We remark that a homomorphism of fields is always injective, for it is immediate that its kernel isreduced to {0}.

24 Ch. 2 Algebraic Background2.1.4 Vector spacesIn the remainder of this part, K will denote a field.Definition 2.37 A vector space V over K is an abelian group for a first operation denoted by +,together with a scalar multiplication from K × V into V , which sends (λ, x) on λx andsuchthatfor all x, y ∈ V ,forallλ, µ ∈ K we have• λ(x + y) =λx + λy• (λ + µ)x = λx + µx• (λµ)x = λ(µx)• 1x = x.An element x of V is a vector whereas an element λ of K is called a scalar.Definition 2.38 A K-basis of a vector space V is a subset S ⊂ V which• is linearly independent over K, i.e., for any finite subset {x 1 ,...,x n }⊂S and anyλ 1 ,...,λ n ∈ K, one has thatn∑λ i x i =0 implies that λ i =0 for all ii=1• generates V over K, i.e., for all x ∈ V there exist finitely many vectors x 1 ,...,x n andscalars λ 1 ,...,λ n such thatn∑x = λ i x i .i=1Theorem 2.39 Let V be a vector space over K. IfV is different from {0} then V has a K-basis.Definition 2.40 Two bases of a vector space V over K have the same cardinality. This invariant iscalled the K-dimension of V or simply the dimension of V . Note that the dimension is allowed tobe infinite.Example 2.41 The set of complex numbers C together with the usual addition and coefficient wisemultiplication with elements of R is a vector space over R of dimension 2. A real basis is forinstance {1,i}.Example 2.42 The set K[X] of polynomials in one variable over a field K is an infinite dimensionalvector space with the usual addition of polynomials and multiplications with elements from K. Abasisisgivenby{1,X,X 2 ,...,X n ,...}Remark 2.43 When the field K is replaced by a ring R, the axioms of Definition 2.37 give rise to amodule over the ring R.2.2 Introduction to number theoryWe refer to Section 2.1 for an elementary presentation of groups, rings, and fields. More details canbe found in [LAN 2002a].In this section, we review the construction of an extension of a field K by formally adding someelements to it. Then we describe some properties of algebraic extensions of fields in order to be ableto state the main result of Galois theory. We conclude with a brief presentation of number fields.

§ 2.2 Introduction to number theory 252.2.1 Extension of fieldsDefinition 2.44 Let K and L be fields, we say that L is an extension field of K if there exists a fieldhomomorphism from K into L. Such an extension field is denoted by L/K.Remark 2.45 As said before, a field homomorphism is always injective, so we shall identify Kwith the corresponding subfield of L when considering L/K.Example 2.46 Let R be the field of real numbers with usual addition and multiplication. Obviously,R is an extension of Q. Now, let us describe a less trivial example. Consider the element √ 2 ∈ Rand the subset of R of the elements of the form a + √ 2b with a, b ∈ Q. If we put for a + √ 2b anda ′ + √ 2b ′ (a + √ 2b)+(a ′ + √ 2b ′ )=a + a ′ + √ 2(b + b ′ )and(a + √ 2b) × (a ′ + √ 2b ′ )=aa ′ +2bb ′ + √ 2(ab ′ + a ′ b),it is easy to see that we obtain a field denoted by Q( √ 2), which is an extension of Q.Definition 2.47 Let L and L ′ be two extension fields of K and σ a field isomorphism from L to L ′ .One says that σ is a K-isomorphism if σ(x) =x for all x ∈ K.Definition 2.48 Let L/K be a field extension then L can be considered as a K-vector space. Thedimension of L/K is called the degree of L/K denoted by [L : K] or deg(L/K). If the degree ofL/K is finite then we say that the extension L/K is finite.The following result is straightforward.Proposition 2.49 Let K ⊂ L ⊂ F be a tower of extension fields thendeg(F/K)=deg(F/L)deg(L/K).Now, let L/K be a field extension and let x be an element of L. There is a unique ring homomorphismψ : K[X] → L such that ψ(X) =x and for all z ∈ K, ψ(z) =z. We can consider thekernel of this homomorphism which is either {0} or a maximal ideal I of K[X].Definition 2.50 Suppose that I as defined above is nonzero. As K[X] is a principal ideal domain,there exists a unique monic irreducible polynomialm(X) =X d + a d−1 X d−1 + ···+ a 0such that I = m(X)K[X]. We say that x is an algebraic element of L of degree d and that m(X)is the minimal polynomial of x.Quotienting by ker ψ, one sees that ψ gives rise to a field inclusion ψ of K[X]/ ( m(X)K[X] ) intoL. LetK[x] ={f(x) | f(X) ∈ K[X]} be the image of ψ in L. It is an extension field of K andthe monic polynomial m(X) is an invariant of the extension: in fact, if there exists y ∈ L such thatK[x] ≃ K[y] then by construction x and y have the same minimal polynomials.Definition 2.51 If every element of L is algebraic over K, we say that L is an algebraic extensionof K.

26 Ch. 2 Algebraic BackgroundIt is easy to see that K[x]/K is a finite extension and d =deg(m) is equal to its degree: in fact ψgives a bijective map from the K-vector space of polynomials with coefficients in K of degree lessthan d to K[x]. This bijection ψ is called a polynomial representation of K[x]/K.Not all algebraic extensions are finite, but a finite extension is always algebraic, and if L/K isa finite extension then there exists a finite sequence of elements x 1 ,...,x n ∈ L such that L =K[x 1 ,...,x n ].IfL = K[x] we say that L is a monogenic extension of K.Definition 2.52 Let L/K be a finite algebraic extension and let x ∈ L. The application of rightmultiplication by x from L to L considered as a K-vector space is linear. The trace and the norm ofthis endomorphism of L are called respectively the trace and norm of x and denoted by Tr L/K (x)and N L/K (x). We use the notations Tr(x) and N(x) when no confusion is likely to arise.If x is a generating element of L/K with minimal polynomial m(X) =X d +a d−1 X d−1 +···+a 0then Tr(x) =−a d−1 and N(x) =(−1) d a 0 .The trace and norm are both maps of L to K. We have the basic properties:Lemma 2.53 Let L/K be a degree d finite algebraic extension. For x, y ∈ L and a ∈ K we haveTr(x + y) = Tr(x)+Tr(y), N(xy) = N(x)N(y)Tr(a) = da, N(a) = a dTr(ax) = a Tr(x), N(x) =0 ⇒ x =0.Let K ⊂ L ⊂ F be a tower of finite algebraic extensions, let x be an element of F thenTr F/K (x) =Tr L/K(TrF/L (x) ) and N F/K (x) =N L/K(NF/L (x) ) .When x is not a root of any polynomial equation with coefficients in K one needs a new notion.Definition 2.54 If the kernel of ψ is equal to {0} we say that x is a transcendental element of L. Ifevery element of L is transcendental over K, we say that L is a pure transcendental extension overK. More generally, if there exists an element of L which is not algebraic over K, thenL/K is atranscendental extension of K.In this case, one can extend ψ to an inclusion ˜ψ of the fraction field K(X) into L by setting˜ψ(1/X) =1/x. LetK(x) be the image of ˜ψ in L. IfL is not an algebraic extension over K(x)then putting x 1 = x we can find x 2 , a transcendental element of L/K(x 1 ) which is not in K(x 1 ),and build in the same way an inclusion of K(X 1 ,X 2 ) into L. Iterating this process we can findn ∈ N ∪{∞}the maximum number such that K(x 1 ,...,x n ) is a subfield of L isomorphic toK(X 1 ,...,X n ). It can be shown that n is independent of the sequence of transcendental elementsx 1 ,...,x n of L over K chosen.Definition 2.55 The number n defined above is called the transcendence degree of L over K.It is quite clear from the previous discussion that every extension K → L can be written as thecomposition K → K trans → K alg where K trans is a pure transcendental extension of K and K alg isan algebraic extension over K trans .Example 2.56 Let Q(X) be the field of rational functions over Q; then obviously Q(X)/Q is apure transcendental extension of Q of transcendence degree equal to 1. NowletQ be the algebraicclosure of Q, then by definition Q/Q is an algebraic extension but it is not a finite extension. FinallyQ(X, √ 2)/Q is a transcendental extension that can be written as Q → Q(X) → Q(X, √ 2).

§ 2.2 Introduction to number theory 272.2.2 Algebraic closureLet K be a field and consider a monogenic algebraic extension K[x] of K defined by a polynomialm(X) irreducible over K. The polynomial m(X) can be written as a product ∏ m i (X) of irreduciblepolynomials over K[x]. As by construction x is a root of m(X) in K[x] then (X − x) is anirreducible factor of m(X) and as a consequence for each i, deg m i < deg m. Ifthem i (X)’s areall of degree 1 then we say that m(X) splits completely in K[x].If m(X) does not split completely over K[x] then there exists m i1 (X), an irreducible polynomialof degree greater than or equal to 2 and we can consider the extension K[x, y] over K[x] definedby m i1 (X). Repeating this process, one can build recursively an extension field over which m(X)splits completely.Definition 2.57 The smallest extension of K over which m(X) completely splits is called the splittingfield of m(X). It is unique up to a K-isomorphism.It is well known that every polynomial with coefficients in R splits completely in C. More generally,if K is a field, we would like to consider a maximal algebraic extension of K in which every algebraicextension of K could be embedded. Such an extension has the property that every polynomialof K[X] splits completely in K. The following theorem [STE 1910] asserts its existence.Theorem 2.58 (Steinitz) There exists a unique algebraic extension of K in which every polynomialm(X) ∈ K[X] splits completely. This extension called the algebraic closure of K and denoted byK is unique up to a K-isomorphism.Next, we review some basic properties of algebraic extensions in order to state the main theorem ofGalois theory.2.2.3 Galois theoryFor most parts of the book we consider finite algebraic extension fields. Therefore we restrict thediscussion of Galois theory to this important case.Definition 2.59 An extension L over K is said to be normal if every irreducible polynomial overK that has a root in L splits completely in L.As an immediate consequence every field automorphism of L fixing K leaves L invariant. Let Kbe a field, K its algebraic closure, σ an embedding of K into K and for x ∈ K, K[x] an algebraicmonogenic extension of K defined by a polynomial m(X) of degree d. Letx = x 1 ,x 2 ...,x s bethe different roots of m(X) in K. Then for i =1,...,s, it is possible to define the unique fieldinclusion σ i of K[x] into K imposing that the restriction of σ i on K is σ and σ i (x) =x i .Theσ i ’sare all the inclusion homomorphisms of K[x] in K, the restriction of which is given by σ on K.We remark that s is always less than or equal to d, the degree of K[x]/K. This integer s is calledthe degree of separability of K[x 1 ] over K or the degree of separability of x 1 . More generally, wehave:Definition 2.60 Let L be a finite algebraic extension of K, K be the algebraic closure of K and σan inclusion of K into K. Then the degree of separability of L over K denoted by deg s (L/K) isthe number s of different field inclusions σ i , i =1,...,s of L into K restricting to σ over K. Ifdeg s (L/K) =deg(L/K), we say that L/K is separable.If x ∈ L, the elements σ i (x) ∈ K are called the conjugates of x.An immediate consequence of the definition and the preceding discussion is:

28 Ch. 2 Algebraic BackgroundLemma 2.61 A monogenic algebraic extension K[x] defined by a minimal polynomial m(X) isseparable if and only if m(X) is prime to its derivative m ′ (X).Concerning the composition of degree of separability we haveProposition 2.62 Let L/K and F/K be a tower of extension fields, thenWe have the basic factdeg s (F/K)=deg s (F/L)deg s (L/K).Fact 2.63 Let F/L and L/K be field extensions and let x ∈ F be separable over K; thenitisseparable over L.From the previous proposition, we deduce that an algebraic finite extension is separable if andonly if it can be written as the composition of monogenic separable extensions. From this and thepreceding fact, we can stateProposition 2.64 A finite algebraic extension L/K is separable if and only if every x ∈ L isseparable over K.Then the criterion of Proposition 2.61 tells us that every algebraic extension over a field of characteristic0 is separable. We have the following definitionDefinition 2.65 A field over which every algebraic extension is separable is called a perfect field.A field is perfect if and only if every irreducible polynomial is prime to its derivative. We saw thatevery field of characteristic zero is perfect. More generally, we haveProposition 2.66 AfieldK is a perfect field if and only if one the the following conditions isrealized• char(K) =0,• char(K) =p and K p = K.As a consequence of this proposition, we shall see that every finite field is perfect. The followingtheorem shows that every finite algebraic separable extension is in fact monogenic.Theorem 2.67 If L/K is a separable finite algebraic extension of K then L/K is monogenic, i.e.,there exists x ∈ L such that L = K[x] and x is called a defining element.Definition 2.68 An extension L/K is a Galois extension if it is normal and separable. We definethe Galois group of L over K denoted by G L/K or Gal(L/K) to be the group of K-automorphismsof L. There is a natural action of G L/K on L defined for g ∈ G L/K and x ∈ L by g · x = g(x). Byits very definition, this action leaves the elements of K invariant.If H is a subgroup of G, we denote by L H the set of elements of L invariant under the action ofH. It is easy to see that L H is a subfield of L. Moreover, L H is a Galois extension of K if and onlyif H is a normal subgroup of G.Obviously, the separability condition of Galois extensions implies that the order of the Galois groupof L/K is equal to the degree of this extension. Then, we have the following result, which is thestarting point of Galois theoryTheorem 2.69 Let L/K be a finite Galois extension. Then there is a one-to-one correspondencebetween the set of subfields of L containing K and the subgroups of G L/K . To a subgroup H ofG L/K this correspondence associates the field L H .

§ 2.2 Introduction to number theory 292.2.4 Number fieldsDefinition 2.70 A number field K is an algebraic extension of Q of finite degree. An element of Kis called an algebraic number.Remarks 2.71(i) There are number fields of any degree d, since, for instance, the polynomial X d − 2 isirreducible over Q for every positive integer d.(ii) As a consequence of Theorem 2.67, for every number field K, there is an algebraicnumber θ ∈ K such that K = Q(θ).(iii) The degree d of K/Q is equal to the number of field homomorphisms σ i from K to C.Thus if K = Q(θ), the degree d is equal to the number of conjugates σ i (θ) of θ andcorresponds to the degree of the minimal polynomial of θ.Definition 2.72 Let ψ be a homomorphism from K to C. Iftheimageofψ is in fact included in Rthen ψ is a real homomorphism. Otherwiseψ is called a complex homomorphism.Definition 2.73 The numbers of real and complex homomorphisms of K/Q, respectively denotedby r 1 and 2r 2 , satisfy d = r 1 +2r 2 .Ifr 2 =0then K/Q is said to be totally real. In case r 1 =0then K/Q is totally complex. The ordered pair (r 1 ,r 2 ) is called the signature of K/Q.Fact 2.74 It is clear that a Galois extension must be totally real or totally complex.Remark 2.75 The signature of K/Q can be found easily. Let us write K = Q(θ) and let m(X)be the minimal polynomial of θ. Thenr 1 and 2r 2 are respectively the numbers of real and nonrealroots of m(X).Example 2.76 The signature of the totally real field Q( √ 2) of degree 2 is (2, 0).The extension Q(i) generated by X 2 +1is totally complex and its signature is (0, 1).The signature of Q(θ) where θ is the unique real root of the polynomial X 3 − X − 1 is (1, 1).Proposition 2.77 Let K/Q be a number field of degree d, letσ 1 ,...,σ d be the field homomorphismsof K to C and let α be an algebraic number in K. Following Definition 2.52, the trace andnorm of α are explicitly given byTr K/Q (α) =d∑σ i (α) and N K/Q (α) =i=1d∏σ i (α).Definition 2.78 Let K/Q be a number field. An algebraic number α is called integral over Z or analgebraic integer if α is a zero of a monic polynomial with coefficients in Z.The set of all the algebraic integers of K under the addition and the multiplication of K is a ring,called the integer ring of K and is denoted by O K .Remarks 2.79(i) If K = Q(θ) is of degree d then the ring O K is a Z-module having an integral basis,that is a set of integral elements {α 1 ,...,α d } such that every α ∈O K can be written asi=1α = a 1 α 1 + ···+ a d α d for some a i ∈ Z.(ii) The ring Z[θ] ={f(θ) | f(X) ∈ Z[X]} is a subring of O K . In general it is differentfrom O K .

30 Ch. 2 Algebraic BackgroundExample 2.80 Let α be an algebraic integer such that α 2 = n with n ∈ Z different from 0, 1, andsquarefree. Then O K is explicitly determined.• If n ≡ 1(mod4)then O K = Z [ 1+α]·• If n ≡ 2, 3(mod4)then O K = Z[α].2Definition 2.81 Let K be a number field of degree d. Anorder of K is a subring of O K of finiteindex which contains an integral basis of length d. The ring O K is itself an order known as themaximal order of K.Theorem 2.82 The ring O K is a Dedekind ring,inotherwords• it is Noetherian, i.e., every ideal a of O K is finitely generated• it is integrally closed, that is, the set of all the roots of polynomials with coefficients inO K is equal to O K itself• every nonzero prime ideal is maximal in O K .In a Dedekind ring, an element has not necessarily a unique factorization. For instance, in the fieldQ(i √ 5) the ring of integers is Z[i √ 5] and one has21 = 3 × 7= (1+2i √ 5)(1 − 2i √ 5).However, if we consider ideals instead, we have unique factorization. First, we define the productof two ideals a and b by{∑}ab = a i b i | a i ∈ a,b i ∈ b .iTheorem 2.83 Let O be a Dedekind ring and a be an ideal of O different from (0) and (1). Thenaadmits a factorizationa = p 1 ...p rwhere the p i ’s are nonzero prime ideals. The factorization is unique up to the order of the factors.Definition 2.84 Let K be a number field and let an order O be a Dedekind ring. A fractional idealof K is a submodule of K over O.Remark 2.85 An O-submodule a is a fractional ideal of K if and only if there exists c ∈Osuchthat ca ⊂O.The fractional ideals form a group J K under the product defined above and the inverse of a fractionalideal a in J K is the fractional ideala −1 = {x ∈ K | xa ⊂O}.The fractional principal ideals, i.e., fractional ideals of the form aO for a ∈ K ∗ form a subgroupP K of J K .Definition 2.86 Let K beafield.Theclass group of O K is the quotient group Cl K = J K /P K .Theorem 2.87 For any number field K, the class group Cl K is a finite abelian group. Its cardinality,called the class number is denoted by h(K).

§ 2.3 Finite fields 31Theorem 2.88 Let K/Q be a number field whose signature is (s, t), letO K be its integer ring andlet r = s + t − 1. Then there are units ε 0 ,ε 1 ,...,ε r such that• the unit ε 0 is of finite order w(K) and generates the group of roots of unity in K• every unit ε ∈OK ∗ can be written in a unique way asε =∏0irwith 0 n 0 1. The corresponding ideal p i is said to beramified as well.• p splits in K if pO K is the product of distinct prime ideals. In this case g = d and e i =1for all i.• p is inert in K,ifpO K is again a prime ideal, i.e., g =1and e 1 =1.2.3 Finite fieldsFinite fields are central objects in cryptography, because they enjoy very special properties. Forinstance, their multiplicative group is cyclic and their Galois structure is remarkably simple. Initiallythey were the core of cryptosystems such as ElGamal’s which relies on the difficulty to solve thediscrete logarithm problem in the group of units of a well chosen finite field. For our purpose theyserve as elementary blocks since elliptic and hyperelliptic curves used in cryptography are alwaysdefined over finite fields. We refer mainly to [LINI 1997] for this section.2.3.1 First propertiesDefinition 2.90 A finite field is a field whose order is finite. Finite fields are also referred to asGalois fields.Let K be a finite field. From Proposition 2.34, we know that the characteristic of K is necessarilya prime number p, since otherwise K would be of characteristic 0 and would contain Q. Thecardinality of K is precisely determined as well. Indeed, if we factorize ψ as defined by (2.1), wesee that K contains a subfield we shall identify with Z/pZ. ThisimpliesthatitisaZ/pZ-vectorspace of finite dimension d. In particular, the order of K is equal to p d . The following theoremclassifies all the finite fields.Theorem 2.91 For any prime p and any positive integer d there exists a finite field with q = p delements. This field is unique up to isomorphism and is denoted by F q or GF (q).

32 Ch. 2 Algebraic BackgroundThis result can be proved using the uniqueness of the splitting field of X pd − X in the algebraicclosure of Z/pZ.Definition 2.92 A finite field that does not contain any proper subfield is called a prime field.It is clear that F p is the only prime field of characteristic p. More generally, there is a bijectionbetween the subfields of F p d and the divisors of d sinceAs a consequenceF p c ⊂ F p d if and only if c | d.F p d 1 ∩ F p d 2 = F p gcd(d 1 ,d 2 ) and F p d 1 .F p d 2 = F p lcm(d 1 ,d 2 ).The multiplicative group of nonzero elements of F q is, as usual, denoted by F ∗ q . Lagrange’s theoremshows thatα q−1 =1for every α ∈ F ∗ q .This generalizes Fermat’s theorem and has many important consequences. For example, it impliesthat no finite field is algebraically closed. Indeed the polynomial X q − X +1∈ F q [X] has no rootsin F q . Using the property that a polynomial of degree n with coefficients in F q has at most n rootsin F q one can show the following.Theorem 2.93 Let F q be a finite field. The group F ∗ q is cyclic.A generator γ of F ∗ q , i.e., an element such that F∗ q = 〈γ〉, is called a primitive element.Remark 2.94 It is easy to see that there are ϕ(q − 1) primitive elements, where ϕ is the Euler’stotient function, as given in Definition 2.30. More generally, if e | q − 1 then there are exactlyϕ(e) elements of order e in F ∗ q. Note also that the map f(α) =α e is a bijection if and only ifgcd(e, q − 1) = 1.Finite fields do have transcendental extensions. For example F q (X) is an extension field of F q ,which is not algebraic over F q . However, in the remainder we shall only describe algebraic extensionsof a finite field.2.3.2 Algebraic extensions of a finite fieldThere are algebraic extensions of F q of infinite degree, the first example being F q , the algebraicclosure of F q . Concerning finite extensions, the field F q being perfect, see Definition 2.65 andProposition 2.66, this implies that F q k/F q can always be written F q (θ) where θ is algebraic ofdegree k over F q , cf. Theorem 2.67.The polynomial representation of an extension of F q gives a practical way to construct F q k.Since there is a unique finite field of cardinality q k , it is sufficient to find a polynomial of degree kirreducible over F q .Gauß established the equalityX qk − X = ∏ ∏P (X) (2.3)j|k P ∈I jwhere I j is the set of all the irreducible monic polynomials of degree j in F q [X]. It follows that thenumber of monic irreducible polynomials of degree k over F q is given by the formula1k∑µ(j)q k/j (2.4)j|k

§ 2.3 Finite fields 33where µ is the Möbius function. As a consequence, there is at least one irreducible polynomial ofdegree k over F q ,forallk 1.Relation (2.2) shows that the map that sends α to α p is an automorphism of any field of characteristicp. Furthermoreα p = α for every α ∈ F p .Definition 2.95 Let α ∈ F q k.Themapφ p , which sends α to α p ,isaF p -automorphism called theabsolute Frobenius automorphism of F q k. More generally, the applicationφ q : F q k → F q kα ↦→ α qis an F q -automorphism of F q k called the relative Frobenius automorphism of F q k/F q .The following important result was proved by Galois.Theorem 2.96 Every finite extension F q k/F q is Galois and Gal(F q k/F q ) is a cyclic group of orderk generated by φ q .If m(X) ∈ F q [X] is an irreducible polynomial of degree k then it splits completely in F q k.Ifα is aroot of m(X) in F q k, one sees by direct calculation that the conjugates of α are the distinct elementsα, α q ,α q2 ,...,α qk−1 of F q k. In case α ∈ F q k is not of degree k, the conjugates of α are no longerdistinct since α qj = α, forsomej dividing k. In any case, we have the following result similar toProposition 2.77.Proposition 2.97 Let α ∈ F q k. The trace and the norm of α are given by the formulasTr Fq k /F q(α) =k∑α qi and N Fq k /F q(α) =i=1k∏α qi .i=12.3.3 Finite field representationsIn Section 2.3.1, we have seen that the multiplicative group of a finite field is cyclic. This allowsus to easily describe the multiplication in F ∗ q. Likewise, considering F q as a vector space over itsprime field F p with respect to some basis allows us to add efficiently in F q . However, the interplaybetween these structures needs to be investigated.The notion of Zech’s logarithm can be used for prime fields as well as for extension fields. Itrelies on the multiplicative structure of F ∗ q . Let γ be a primitive element of F q. For α = γ n putlog γ α = n, the discrete logarithm of α to the base of γ, wheren is defined modulo q − 1 andlog γ 0=∞. This representation is well adapted to products sincelog γ α 1 α 2 =log γ α 1 +log γ α 2 = n 1 + n 2 ,but computing log γ (α 1 +α 2 )=n 1 log γ (1+γ n2−n1 ) is not straightforward. For n ∈ N, one definesZech’s logarithm Z(n) of γ n to be the discrete logarithm of 1+γ n , namely1+γ n = γ Z(n) .Note that Z(0) = ∞ if q is even and Z ( (q − 1)/2 ) = ∞ if q is odd. In practice, we have toprecompute Zech’s logarithm of each element of the field. So this representation is only useful forfields of small order.Concerning prime fields, an element of F p is usually represented by an integer between 0 andp−1 and computations are done modulo p. More details and efficiency considerations can be foundin Section 11.1.1.

34 Ch. 2 Algebraic BackgroundConcerning extension fields, elements of F q n are represented using the F q -vector space structurewith respect to some basis. Additions are performed coefficient wise. However, to multiply oneneeds to know about the dependencies between the elements of this basis. For an efficiency focuseddiscussion, we refer to Section 11.2.1. The following two bases are the most common ones.2.3.3.aPolynomial representationAn element α ∈ F q k can be represented as a polynomial with coefficients in F q modulo an irreduciblepolynomial m(X) ∈ F q [X] of degree k. Ifθ is a root of m(X) then {1,θ,θ 2 ,...,θ k−1 }is a basis of F q k over F q . Such a basis is called a polynomial basis; see Section 11.2.2.a. Note thatone deduces from (2.4) that there are approximately q k /k irreducible monic polynomials of degreek in F q [X]. Addition, subtraction, and multiplication are made modulo m(X). Usually, inversionis obtained with an extended gcd computation in F q [X]. As the field polynomial m(X) is irreducibleand the polynomial a(X) representing the field element α is of degree less than k, one canfind a polynomials u(X) and v(X) of degree less than k such that a(X)u(X)+m(X)v(X) =1.Accordingly, u(X) =a(x) −1 mod m(X). In some cases we can also use the identity α qk =1.Any irreducible polynomial of degree k can be used to define F q k but in practice polynomials withspecial properties are chosen. One one hand, it can be useful to consider an irreducible polynomialhaving a primitive element, that is a generator of F ∗ q, among its roots. Such a polynomial is calledka primitive polynomial and there are exactly ϕ(q k − 1)/k monic primitive polynomials of degreek in F q [X]. On the other hand, a sparse polynomial, that is a polynomial with only a few nonzerocoefficients, allows a fast reduction; see Algorithm 11.31. So irreducible binomials, trinomials,and pentanomials are commonly used to define extensions of a finite field, cf. Section 11.2.1.a andDefinition 11.60. Some polynomials enjoy these two properties, e.g., the trinomial X 167 + X 6 +1in F 2 [X] is both primitive and sparse.Finally, note that in some cases it can be more efficient to use a reducible polynomial, that is toembed the field F q k into a ring where the computations are done. This variant gives a so-calledredundant polynomial basis. The representation of a field element is no longer unique but thereduction can be cheaper, see Section 11.2.1.b.2.3.3.bNormal basis representationDefinition 2.98 The element α ∈ F q k is said to be normal over F q if α, α q ,...,α qk−1 are linearlyindependent over F q . In this case { α, φ q (α),...,φ k−1q (α) } is a basis of F q k/F q which is called anormal basis of F q k over F q .The element α is normal if and only ifgcd ( X k − 1,αX k−1 + φ q (α)X k−2 + ···+ φ k−2q (α)X + φ k−1q (α) ) =1.Hensel proved that there always exists a normal basis of F q k over F q .Forβ ∈ F q k, the computationof β q is very easy with this representation since it is simply a cyclic shift of the coordinates of βrepresented with respect to {α, φ q (α),...,φ k−1q (α)}. This is especially interesting when q =2because, then in the usual exponentiation using square and multiply, the squarings can simply bereplaced by these far less expensive shiftings. Multiplying two elements is more painful and requiresprecomputing a table, cf. Section 11.2.2.b. To actually build a normal basis, Gauß periods are veryconvenient.Proposition 2.99 Let r = kn +1be a prime number, let K be the unique subgroup of order n of(Z/rZ) ∗ and ζ be a primitive r-th root of unity. Then the Gauß period of type (n, k)α = ∑ a∈Kζ a

§ 2.3 Finite fields 35generates a normal basis ( α, α q ,...,α qk−1 )of Fq k over F q if and only if kn/e is prime to k,wheree is the order of q in (Z/rZ) ∗ .Forq =2 d and a given k this holds true for some n ∈ N if and onlyif gcd(k, d) =1and 8 ∤ k, [GAO 2001]. For q =2, the obtained normal basis is called a Gaussiannormal basis of type n and leads to optimal normal basis when n =1or 2, cf. Section 11.2.1.c.There is also a definition of general Gauß periods of type (k, K) for any integer r [FEGA + 1999,NÖC 2001]. In this case K is an explicit subgroup of (Z/rZ) ∗ of order n with ϕ(r) =kn.Let r = p v11 ...pvt t where the p i ’s are prime and p i ≠ p j for i ≠ j. We denote by ζ r aprimitive r-th root of unity and let r = r 1 r 2 where r 1 is the squarefree part of r, i.e., r = p 1 ...p t .Definition 2.100 With these settings, the general Gauß period of type (k, K) isα = ∑ ( ∏ ∑ )ζrar2ζ ar/ps ir .a∈K1s2 is self-dual if and only if n iseven and divisible by the characteristic of F q . See also [BLGA + 1994b] for an explicit constructionin one of the following cases:• k is equal to the characteristic of F q ,or• k | (q − 1) and k is odd, or• k | (q +1)and k is odd.2.3.4 Finite field charactersDefinition 2.101 A character of the finite field F q is a group homomorphism from F ∗ q into C ∗ .In this part, we assume that the characteristic of F q is an odd prime number p and we shall only describetwo examples of characters, namely the Legendre symbol, and its generalization to extensionfields, the Legendre–Kronecker–Jacobi symbol.

36 Ch. 2 Algebraic Background2.3.4.aThe Legendre symbolTake an integer a and let us consider the equationx 2 ≡ a (mod p). (2.5)If a ≡ 0(modp) then x =0is the only solution. When a ≢ 0(modp), a is said to be a quadraticnonresidue if equation (2.5) has no solution. Otherwise, there are two solutions and a is a quadraticresidue. Obviously, there are (p − 1)/2 quadratic residues in F p and the same number of quadraticnonresidues.Definition 2.102 The Legendre symbol ( )ap is precisely the number of solutions of the above equationminus 1. Namely⎧( ) a⎪⎨ −1 if a is a quadratic nonresidue= 0 if a ≡ 0(modp)p ⎪⎩1 if a is a quadratic residue.Theorem 2.103 The Legendre symbol satisfies the following properties( ) a≡ a (p−1)/2 (mod p)p( ) ( )( ab a b=p p p)( ) −1= (−1) (p−1)/2p( 2= (−1)p)(p2−1)/8 .If p and q are both odd primes then one has the quadratic reciprocity law( )( p q=(−1)q p)(p−1)(q−1)/4 . (2.6)The Legendre symbol can be extended to the Kronecker–Jacobi symbol ( )ab where a, b ∈ Z. Weshall only use it when b = ∏ i pνi i is odd. Its main feature is( a)= ∏ ( ) νia·b pi iWith these settings the reciprocity law (2.6) can be extended to any odd integers p and q and leadsto an efficient method to compute the Legendre symbol, cf. Algorithm 11.19.2.3.4.bThe Legendre–Kronecker–Jacobi symbolThe case of extension fields of odd characteristic is very similar to prime fields of odd characteristic.Let m(X) be an irreducible polynomial of degree d such that F p [X]/ ( m(X) ) is isomorphic to F q .There is a generalization of the Legendre symbol for an element f(X) ∈ F p [X] denoted by( ) f(X)m(X)

§ 2.3 Finite fields 37which is equal to 0 if m(X) | f(X), 1 if f(X) is a nonzero square mod m(X) and −1 if it isnot a square mod m(X). The Legendre symbol can be extended to the Kronecker–Jacobi symbolwhen m(X) is not irreducible. This is useful because of an analogue of the reciprocity law (2.6)independently discovered by Kühne [KÜH 1902], Schmidt [SCH 1927], and Carlitz [CAR 1932].Theorem 2.104 Let f(X) and m(X) be monic polynomials of F p [X]. Then⎧ ( )( ) f(X)⎨ m(X)f(X)if q ≡ 1(mod4)or if deg m(X) or deg f(X) is even= )m(X) ⎩− otherwise.(m(X)f(X)(2.7)Algorithm 11.69 makes use of the law (2.7) to compute the Legendre–Kronecker–Jacobi symbol.

Chapter ¿Background on p-adic NumbersDavid LubiczContents in BriefQ p3.1 Definition of Q p and first properties 393.2 Complete discrete valuation rings and fields 41First properties • Lifting a solution of a polynomial equation3.3 The field Q p and its extensions 43Unramified extensions • Totally ramified extensions • Multiplicative system ofrepresentatives • Witt vectorsThe p-adic numbers play an important role in algebraic number theory. Many of the fruitful propertiesthey enjoy stem from Hensel’s lemma that allows one to lift the modulo p factorization of apolynomial. As a consequence, although Q p is a characteristic zero field, its absolutely unramifiedextensions reflect the same structure as the algebraic extensions of the finite field F p . On the otherhand, the completion of the algebraic closure of Q p can be embedded as a field, but not as a valuationfield, into C. Consequently, p-adic numbers are used to bridge the gap between finite fieldalgebraic geometry and complex algebraic geometry by the use of the so-called Lefschetz principle.In this chapter, we review the definition and basic properties of p-adic numbers. More details canbe found in the excellent book by Serre [SER 1979].Q p3.1 Definition of Q p andfirstpropertiesFirst, we introduce the notion of inverse limit of a directed family, which is useful in the constructionof the p-adic numbers.Definition 3.1 Let I be a set with a partial ordering relation , i.e., for all i, j, k ∈ I we have• i i,• if i j and j k then i k,• if i j and j i then i = j.Then I is a directed set if for all i, j there exists a k ∈ I such that k i and k j.Definition 3.2 A directed family of groups is given by39

40 Ch. 3 Background on p-adic Numbers• a directed set I• for each i ∈ I a group A i and for i, j ∈ I, i j a morphism of groups p ij : A i → A jsatisfying the compatibility relation: for all i, j, k ∈ I with i j k, p jk ◦ p ij = p ik .We denote by (A i , {p ij } j∈I ) such a directed family.Definition 3.3 Let (A i , {p ij } j∈I ) be a directed family of groups and let A be a group, together witha set of morphisms {p i : A → A i } i∈I compatible with the p ij , i.e., p j = p ij ◦ p i for i j, thatsatisfies the following universal property: let B be a group and let {φ i } i∈I be a set of morphismsφ i : B → A i such that the following diagram commutes for i jB φi A ip ijφ j A jthen there is a morphism φ such that for all i, j ∈ I, the following diagramB φ A p jφ j is commutative. The group A is called the inverse limit of (A i , {p ij } j∈I ) and is denoted by lim ←−A i .The universal property implies that lim ←−A i is unique up to isomorphism.Proposition 3.4 Let (A i , {p ij } j∈I ) be a directed family of groups with I = N ∗ .LetA = ∏ A ibe the product of the family. Note that A itself is a group where the group law is defined componentwise.Consider the subset Γ of A consisting of all elements (a i ) with a i ∈ A i and for i j,p ij (a i )=a j . It is easily verified that Γ is a subgroup of A which is isomorphic to lim ←−A i where theprojections p k for k ∈ N ∗ are given by p k :(a i ) ↦→ a k . In particular, the inverse limit of a directedfamily of groups always exists. Moreover, if the A i are rings, then lim ←−A i is a ring, where the ringoperations are defined componentwise.Definition 3.5 Let p be a prime number and I = N ∗ .Fori j ∈ I, letp ij : Z/p i Z → Z/p j Z bethe natural projections given by reduction modulo p j ,then(Z/p i Z, {p ij } j∈I ) is a directed family.Its inverse limit lim ←−Z/p i Z, denoted by Z p , is called the ring of p-adic integers.The natural morphism of rings ψ : Z → Z p with ψ(1 Z )=1 Zp is injective, which implies thatchar Z p =0. The invertible elements in Z p are characterized by the following proposition.Proposition 3.6 An element z ∈ Z p is invertible if and only if z is not in the kernel of p 1 . Forevery nonzero element z ∈ Z p there exists a unique v p (z) ∈ N such that z = uψ(p) vp(z) with u aninvertible element in Z p . The integer v p (z) is called the p-adic valuation of z and we extend themap v p to Z p by defining v p (0) = −∞.Definition 3.7 Let R be a ring and let v : R→Z be a map such that for all x, y ∈R,• v(xy) =v(x)v(y);• v(x + y) min ( v(x),v(y) ) with equality when v(x) ≠ v(y).A map with the above properties is called a discrete valuation.A j

§ 3.2 Complete discrete valuation rings and fields 41Lemma 3.8 The map v p is a discrete valuation.The ring Z p is an integral domain and Q p denotes its field of fractions. The p-adic valuation v p canbe extended to Q p by defining v p (1/x) =−v p (x) for x ∈ Z p . Similarly, the natural embeddingψ : Z → Z p can also be extended to the embedding Q → Q p by defining ψ(1/x) =1/ψ(x), forx ∈ Z.The valuation of Q p induces a map defined by |x| p = p −vp(x) for x ∈ Q p . The properties of v pimply that |·| p is a norm on Q p , which is called the p-adic norm. The p-adic norm also defines anorm on Z and on Q via the map ψ. Forx ∈ Z, the norm is given by |x| p = p −ν with ν the powerof p in the prime factorization of x. Forx/y ∈ Q, the norm is given by |x/y| p = |x| p /|y| p .Thesetψ(Q) is a dense subset of Q p for |·| p . In fact, Q p can also be defined as the completion of Q withrespect to |·| p . This definition is similar to the definition of R as the completion of Q endowed withthe usual archimedean norm.3.2 Complete discrete valuation rings and fields3.2.1 First propertiesDefinition 3.9 AfieldK is a complete discrete valuation field if• K is endowed with a discrete valuation v K• the valuation induces a norm |·| K on K by defining |x| K = λ −vK (x) with λ>1• every sequence in K which is Cauchy for |·| K has a limit in K.Remark 3.10 The topology induced by the norm |x| K = λ −vK (x) does not depend on λ.It is easy to see that the subset R = {x ∈ K ||x| K 1} is a ring. This ring is an integral domainwhich is integrally closed, i.e., if x ∈ K is a zero of a monic polynomial with coefficients in R thenx ∈R. The ring R is called the valuation ring of K. Clearly, M = {x ∈R||x| K < 1} is theunique maximal ideal of R. ThefieldK = R/M is called the residue field of K. In the remainderof this chapter, we will assume that the residue field is finite.Proposition 3.11 An element x ∈Ris invertible in R if and only if x is not in M.Note that if K is a complete discrete valuation field with valuation ring R and maximal ideal M,then the rings A i = R/M i together with the natural projections p ij : A i → A j for i j form adirected family of rings. It is easy to see that R is isomorphic to lim ←−A i .Example 3.12 The field Q p is a complete discrete valuation field with residue field F p .Definition 3.13 An element π ∈Ris called a uniformizing element if v K (π) =1.Letp 1 be thecanonical projection from R to K. Amapω : K→Ris a system of representatives of K if for allx ∈Kwe have p 1(ω(x))= x.Definition 3.14 An element x ∈Ris called a lift of an element x 0 ∈Kif p 1 (x) =x 0 . Consequently,for all x ∈K, ω(x) is a lift of x.Now, let π be a uniformizing element, ω a system of representatives of K in R and x ∈R. Letn = ( v K (x), thenx/π n is an invertible element of R and there exists a unique x n ∈Ksuch thatv K x − π n ω(x n ) ) = n +1. Iterating this process and using the Cauchy property of K we obtainthe existence of the unique sequence (x i ) i0 of elements of K such that∞∑x = ω(x i )π i .i=0

42 Ch. 3 Background on p-adic NumbersThe following theorem classifies the complete discrete valuation fields.Theorem 3.15 Let K be a complete discrete valuation field with valuation ring R and residuefield K, assumed finite of characteristic p. Ifchar K = p then R is isomorphic to a power seriesring K[[X 1 ,X 2 ,...]]. Ifchar K =0then K is an algebraic extension of Q p .From now on, we restrict ourselves to complete discrete valuation ring of characteristic 0 with afinite residue field. By Theorem 3.15, any such ring can be viewed as the valuation ring of analgebraic extension of Q p .3.2.2 Lifting a solution of a polynomial equationLet K be a complete discrete valuation field with norm |·| K and let R be its valuation ring. LetR[X] denote the univariate polynomial ring over R. The main result of this section is Newton’salgorithm which provides an efficient way to compute a zero of a polynomial f ∈R[X] to arbitraryprecision starting from an approximate solution.Proposition 3.16 Let K be a complete discrete valuation field with valuation ring R and norm|·| K .Letf ∈R[X] and let x 0 ∈Rbe such that|f(x 0 )| K < |f ′ (x 0 )| 2 Kthen the sequenceconverges quadratically towards a zero of f in R.x n+1 = x n − f(x n)f ′ (x n )(3.1)The quadratic convergence implies that the precision of the approximation nearly doubles at eachiteration. More precisely, let k = v K(f ′ (x 0 ) ) and let x be the limit of the sequence (3.1). Supposethat x i is an approximation of x to precision n,i.e.,(x−x i ) ∈M n ,thenx i+1 = x i −f(x i )/f ′ (x i )is an approximation of x to precision 2n − k. Very closely related to the problem of lifting thesolution of a polynomial equation is Hensel’s lemma that enables one to lift the factorization of apolynomial.Lemma 3.17 (Hensel) Let f,A k ,B k ,U,V be polynomials with coefficients in R such that• f ≡ A k B k (mod M k ),• U(X)A k (X) +V (X)B k (X) =1, with A k monic and deg U(X) < deg B k (X) anddeg V (X) < deg A k (X)then there exist polynomials A k+1 and B k+1 satisfying the same conditions as above with k replacedby k +1andA k+1 ≡ A k (mod M k ), B k+1 ≡ B k (mod M k ).Iterating this lemma, we obtain an algorithm to compute a factor of a polynomial over R given afactor modulo M.Corollary 3.18 With the notation of Proposition 3.16, let f ∈R[X] be a polynomial and x 0 ∈Ksuch that x 0 is a simple zero of the polynomial f 0 = p 1 (f). Then there exists an element x ∈Rsuch that p 1 (x) =x 0 and x is a zero of f.

§3.3 Thefield Q p and its extensions 43Q p3.3 The field Q p and its extensionsLet K be a finite algebraic extension of Q p defined by an irreducible polynomial m ∈ Q p [X]. Itcan be shown that there exists a unique norm |·| K on K extending the p-adic norm on Q p . LetR = {x ∈ K ||x| K 1} denote the valuation ring of K and let M = {x ∈R||x| K < 1} be theunique maximal ideal of R. ThenK = R/M is an algebraic extension of F p , the degree of whichis called the inertia degree of K and is denoted by f. Theabsolute ramification index of K is theinteger e = v K(ψ(p)). The extension degree [K : Qp ], the inertia degree f, and the ramificationindex satisfy the following fundamental relation.Theorem 3.19 Let d be the degree of K/Q p ,thend = ef.3.3.1 Unramified extensionsDefinition 3.20 Let K/Q p be a finite algebraic extension, then K is called absolutely unramifiedif e =1. An absolutely unramified extension of degree d is denoted by Q q with q = p d and itsvaluation ring by Z q .Proposition 3.21 Denote by P 1 the reduction morphism R[X] →K[X] induced by p 1 and let mbe the irreducible polynomial defined by P 1 (m). The extension K/Q p is absolutely unramified ifand only if deg m =degm. Letd =degm and F q = F p d the finite field defined by m, thenwehave p 1 (R) =F q .LetK 1 and K 2 be two unramified extensions of Q p defined respectively by m 1and m 2 then K 1 ≃ K 2 if and only if deg m 1 =degm 2 .As a consequence, every unramified extension of Q p is isomorphic to Q p [X]/(m(X)) with m beingan arbitrary degree d lift of an irreducible polynomial over F p of degree d. Let ω : F q → Z q bea system of representatives of F q ; every element x of Z q can be written as a power series x =∑ ∞i=0 ω(x i)p i with (x i ) i0 a sequence of elements of F q .Proposition 3.22 An unramified extension of Q p is Galois and its Galois group is cyclic generatedby an element Σ that reduces to the Frobenius morphism on the residue field. We call thisautomorphism the Frobenius substitution on K.3.3.2 Totally ramified extensionsDefinition 3.23 Let K/Q p be a finite algebraic extension, then K is called totally ramified if f =1.Definition 3.24 A monic degree d polynomial P (X) = ∑ di=0 a iX i in Q p [X] is an Eisensteinpolynomial if it satisfies• v p (a 0 )=1,• v p (a i ) > 1,fori =1,...,d− 1.Such a polynomial is irreducible.Proposition 3.25 Let K be a totally ramified extension of Q p ; then there exists an Eisenstein polynomialP such that K is isomorphic to Q p [X]/(P ).

44 Ch. 3 Background on p-adic Numbers3.3.3 Multiplicative system of representativesLet K be a complete discrete valuation field of characteristic zero, with valuation ring R and residuefield K, assumed finite of characteristic p. ThenK is isomorphic to an algebraic extension of Q p .Proposition 3.26 There exists a unique system of representatives ω which commutes with p-thpowering, i.e., for all x ∈K, ω(x p )=ω(x) p . This system ω is multiplicative in the following way:for all x, y ∈Kwe have ω(xy) =ω(x)ω(y).Such a system can be obtained as follows. Let x 0 ∈K.SinceK is a perfect field, for each r ∈ Nthere exists x r ∈Ksuch that x prr = x 0 . Set X r = {x ∈R|p 1 (x) =x r } and let Y r be theset { }x pr | x ∈ X r . It is easy to see that for all y ∈ Yr , p 1 (y) =x 0 . Moreover, we have for allx, y ∈ Y r , v K (x − y) r. This means by the Cauchy property that there exists a unique elementz ∈Rsuch that z ∈ Y r ,forallr. Then simply define ω(x 0 )=z. The system of representativesdefined in this way is exactly the unique system that commutes with p-th powering.Let π be a uniformizing element of R and let ω be the multiplicative system of representatives ofK in R that commutes with p-th powering. Write x ∈Ras x = ∑ ∞i=0 ω(x i)π i with (x i ) i0 theunique sequence of elements of K as defined in Section 3.2. Let Σ be the Frobenius substitution onK;thenwehave∞∑Σ(x) = ω(x i ) p π i .i=03.3.4 Witt vectorsDefinition 3.27 Let p be a prime number and (X i ) i∈N a sequence of indeterminates. The Wittpolynomials W n ∈ Z[X 0 ,...,X n ] are defined asW 0 = X 0 ,W 1 = X p 0 + pX 1,W n =n∑p i X pn−ii .i=0Theorem 3.28 Let (Y i ) i∈N be a sequence of indeterminates, then for every Φ(X, Y ) ∈ Z[X, Y ]there exists a unique sequence (φ i ) i∈N ∈ Z[X 0 ,X 1 ,...; Y 0 ,Y 1 ,...] such that for all n 0W n(φ0 ,...,φ n)=Φ(Wn (X 0 ,...,X n ),W n (Y 0 ,...,Y n ) ) .Let (S i ) i∈N ,resp.(P i ) i∈N , be the sequence of polynomials (φ i ) i∈N associated via Theorem 3.28with the polynomials Φ(X, Y )=X + Y ,resp.Φ(X, Y )=X × Y . Then for any commutative ringR, we can define two composition laws on R N :leta =(a i ) i∈N ∈R N and b =(b i ) i∈N ∈R N ,thena + b = ( S i (a, b) ) i∈Nand a × b = ( P i (a, b) ) i∈N .Definition 3.29 The set R N endowed with the two previous composition laws is a ring called thering of Witt vectors with coefficients in R and is denoted by W (R).The relation with p-adic numbers is the following. Let F q with q = p d be a finite field of characteristicp,thenW (F q ) is canonically isomorphic to the valuation ring of the unramified extension of degreed of Q p . Via this isomorphism, the map F : W (F q ) → W (F q ) given by F ( )(a i ) i∈N =(api ) i∈Ncorresponds to the Frobenius substitution Σ.

Chapter Background on Curves andJacobiansGerhard Frey and Tanja LangeContents in Brief4.1 Algebraic varieties 45Affine and projective varieties4.2 Function fields 51Morphisms of affine varieties • Rational maps of affine varieties • Regularfunctions • Generalization to projective varieties4.3 Abelian varieties 55Algebraic groups • Birational group laws • Homomorphisms of abelianvarieties • Isomorphisms and isogenies • Points of finite order and Tatemodules • Background on l-adic representations • Complex multiplication4.4 Arithmetic of curves 64Local rings and smoothness • Genus and Riemann–Roch theorem • Divisorclass group • The Jacobian variety of curves • Jacobian variety of ellipticcurves and group law • Ideal class group • Class groups of hyperelliptic curvesThis chapter introduces the main characters of this book — curves and their Jacobians. To thisaim we give a brief introduction to algebraic and arithmetic geometry. We first deal with arbitraryvarieties and abelian varieties to give the general definitions in a concise way. Then we concentrateon Jacobians of curves and their arithmetic properties, where we highlight elliptic and hyperellipticcurves as main examples. The reader not interested in the mathematical background may skipthe complete chapter as the chapters on implementation summarize the necessary mathematicalproperties. For full details and proofs we refer the interested reader to the books [CAFL 1996,FUL 1969, LOR 1996, SIL 1986, STI 1993, ZASA 1976].Throughout this chapter let K denote a perfect field (cf. Chapter 2) and K its algebraic closure.Let L be an extension field of K. Its absolute Galois group Aut L (L) is denoted by G L .4.1 Algebraic varietiesWe first introduce the basic notions of algebraic geometry in projective and affine spaces.45

46 Ch. 4 Background on Curves and Jacobians4.1.1 Affine and projective varietiesBefore we can define curves we need to introduce the space where they are defined and it is alsouseful to have coordinates at hand.4.1.1.aProjective spaceWe shall fix a field K as above. As a first approximation of the n-dimensional projective spaceP n /K := P n over K we describe its set of K-rational points as the set of (n +1)-tuplesP n (K) := { (X 0 : X 1 : ...: X n ) | X i ∈ K, at least one X i is nonzero } / ∼where ∼ is the equivalence relation(X 0 : X 1 : ...: X n ) ∼ (Y 0 : Y 1 : ...: Y n ) ⇐⇒ ∃ λ ∈ K ∀i : X i = λY i .The coordinates are called homogeneous coordinates. The equivalence classes are called projectivepoints. Next we endow this set with a K-rational structure by using Galois theory.Definition 4.1 Let L be an extension field of K contained in K. Its absolute Galois group G Loperates on P n (K) via the action on the coordinates. Obviously, this preserves the equivalenceclasses of ∼. ThesetofL-rational points P n (L) is defined to be equal to the subset of P n fixed byG L . In terms of coordinates this means:P n (L) := { (X 0 : ...: X n ) ∈ P n |∃λ ∈ K ∀i : λX i ∈ L } .Note that in this definition for an L-rational point one does not automatically have X i ∈ L. However,if X j ≠0then ∀i : X i /X j ∈ L.Let P ∈ P n (K). The smallest extension field L of K such that P ∈ P n (L) is denoted by K(P )and called the field of definition of P . One hasK(P )=⋂L.G L·P =PLet S ⊂ P n (K) and L be a subfield of K containing K. ThenS is called defined over L if and onlyif for all P ∈ S the field K(P ) is contained in L, or, equivalently, G L · S = S.Remark 4.2 Let L be any extension field of K, not necessarily contained in K. We can definepoints in the n-dimensional projective space over L in an analogous way and an embedding of Kinto L induces a natural inclusion of points of the projective space over K to the one over L. Thisis a special case of base change.To be more rigorous, one should not only look at the points of P n over extension fields of K as sets,but endow P n with the structure of a topological space with respect to the Zariski topology. Thiswill explain the role of the base field K much better.First recall that a polynomial f(X 0 ,...,X n ) ∈ K[X 0 ,...,X n ] is called homogeneous of degreed if it is the sum of monomials of the same degree d. This is equivalent to requiring thatf(λX 0 ,...,λX n )=λ d f(X 0 ,...,X n ) for all λ ∈ K. Especially, this implies that the setD f (L) :={P ∈ P n (L) | f(P ) ≠0}is well defined.One defines a topology on P n (K) by taking the sets D f (K) =:D f as basic open sets. TheLrationalpoints are denoted by D f (L) =P n (L) ⋂ D f . To describe closed sets we need the notion

§ 4.1 Algebraic varieties 47of homogeneous ideals. An ideal I ⊆ K[X 0 ,X 1 ,...,X n ] is homogeneous if it is generated byhomogeneous polynomials. For I ≠ 〈X 0 ,...,X n 〉,defineV I := {P ∈ P n (K) | f(P )=0, ∀f ∈ I}and V I (L) =V I⋂ P n (L). One sees immediately that V I is well defined. So a subset S ⊂ P n (K)is closed with respect to the Zariski topology attached to the projective space over K if it is the setof simultaneous zeroes of homogeneous polynomials lying in K[X 0 ,...,X n ].Example 4.3 The set of points of the projective n-space P n and the empty set ∅ are closed sets asthey are the roots of the constant polynomials 0 and 1. By the same argument they are also opensets.Example 4.4 Let f ∈ K[X 0 ,X 1 ,...,X n ] be a homogeneous polynomial. The closed set V (f) iscalled a hypersurface.Example 4.5 Define U i := D Xi , thusand let W i := V (Xi) withThe U i are open sets, the W i are closed.U i (L) = { (X 0 : X 1 : ...: X n ) ∈ P n (L) | X i ≠0 }W i (L) = { (X 0 : X 1 : ...: X n ) ∈ P n (L) | X i =0 } .Example 4.6 Let (k 0 ,...,k n ) ∈ K n+1 and not all k i =0.Takef ij (X 0 ,...,X n ):=k j X i −k i X jand I = ( {f ij | 0 i, j n} ) . Obviously, I is a homogeneous ideal and taking (k 0 : ...: k n ) asa homogeneous point, I is independent of the representative. Then V I (L) = { (k 0 : ...: k n ) } , ∀L.This shows that K-rational points are closed with respect to the Zariski topology. This is not true ifP is not defined over K. The smallest closed set containing P is the G K -orbit G K · P .From now on we write X for (X 0 ,...,X n ). If T ⊂ K[X] is a finite set of homogeneouspolynomials we define V (T ) to be the intersection of the V (fi),f i ∈ T .LetI =(T ) be the idealgenerated by the f i .ThenV (T )=V I .4.1.1.bAffine spaceAs in the projective space we begin with the set of K-rational points of the affine space of dimensionn over K given by the set of n-tuplesThe set of L-rational points is given byA n := { (x 1 ,...,x n ) | x i ∈ K } .A n (L) := { (x 1 ,...,x n ) | x i ∈ L }which is the set of G L -invariant points in A n (K) under the natural action on the coordinates.As in the projective case one has to consider A n as a topologic space with respect to the Zariskitopology, defined now in the following way: For f ∈ K[x 1 ,...,x n ] letD f (L) :={P ∈ A n (L) | f(P ) ≠0}and take these sets as base for the open sets.Closed sets are given in the following way: for an ideal I ⊆ K[x 1 ,...,x n ] letV I (L) ={P ∈ A n (L) | f(P )=0, ∀f ∈ I}.AsetS ⊂ A n is closed if there is an ideal I ⊆ K[x 1 ,...,x n ] with S = V I .

48 Ch. 4 Background on Curves and JacobiansExample 4.7 Let (k 1 ,...,k n ) ∈ A n (K) and put f i = x i − k i and I = ( {f i | 1 i n} ) .ThenV I = { (k 1 ,...,k n ) } . Hence, the K-rational points are closed.Please note, if P ∈ A n A n (K) the set {P } is not closed.Remark 4.8 For closed S ⊂ A n assume that S = V I . The ideal I is not uniquely determined byS. Obviously there is a maximal choice for such an ideal, and it is equal to the radical ideal (cf.[ZASA 1976, pp. 164]) defined as√I ={f ∈ K[x1 ,...,x n ] |∃k ∈ N with f k ∈ I } .As in the projective case we take x as a shorthand for (x 1 ,...,x n ).4.1.1.cVarieties and dimensionTo define varieties we use the definition of irreducible sets. A subset S of a topological space iscalled irreducible if it cannot be expressed as the union S = S 1 ∪ S 2 of two proper subsets closedin S. We additionally define that the empty set is not irreducible.Definition 4.9 Let V be an affine (projective) closed set. One calls V an affine (projective) varietyif it is irreducible.Example 4.10 The affine 1-space A 1 is irreducible because K[x 1 ] is a principal ideal domain andso every closed set is the set of zeroes of a polynomial in x 1 . Therefore, any closed set is eitherfinite or equal to A 1 .SinceA 1 is infinite it cannot be the union of two proper closed subsets.From commutative algebra we get a criterion for when a closed set is a variety.Proposition 4.11 A subset V of A n (resp. P n ) is an affine (projective) variety if and only if V = V Iwith I a (homogeneous) prime ideal in K[x] (resp. K[X]).We recall that the Zariski topology is defined relative to the ground field K. For extension fields Land given embeddings σ of K into L fixing K we have induced embeddings of P n /K → P n /L.Due to the obvious embedding of K[X] into L[X] and as the topology depends on these polynomialrings, we can try to compare the Zariski topologies of affine and projective spaces over K withcorresponding ones over L.If L is arbitrary, a closed set in the space over K may not remain closed in the space over L.But if L is algebraic over K and if S is closed in the affine (projective) space over K thenits embedding σ · S is closed over L. Namely, if S = V I with I ⊆ K[x] (resp. K[X]) thenσ · S = V I·L[x] (resp. σ · S = V I·L[X] ).But varieties over K do not have to be varieties over L since for prime ideals I in K[x] it maynot be true that I · L[x] is a prime ideal.Example 4.12 Consider I =(x 2 1 − 2x2 2 ) ⊆ Q[x 1,x 2 ].OverQ( √ 2) the variety V I splits becausex 2 1 − 2x2 2 =(x 1 − √ 2x 2 )(x 1 + √ 2x 2 ). Therefore, the property of a closed set being a varietydepends on the field of consideration.Example 4.13 Let V be an affine variety, i.e., a closed set in some A n for which the defining ideal Iis prime in K[x]. Them-fold Cartesian product V m is also a variety, embedded in the affine spaceA nm . For affine coordinates choose (x 1 1 ,...,x1 n ,...,xm 1 ,...,xm n ),defineI i ⊆ K[x i ] obtainedfrom I by replacing x j by x i j . Then the ideal of V m is given by 〈I 1 ,...,I m 〉.Definition 4.14 A variety V of the affine (projective) space A n ( P n ) over K is called absolutelyirreducible if it is irreducible as closed set with respect to the Zariski topology of the correspondingspaces over K.

§ 4.1 Algebraic varieties 49Example 4.15(i) The n-dimensional spaces A n and P n are absolutely irreducible varieties as they correspondto the prime ideal (0).(ii) The sets V (f) and V (F ) with f ∈ K[x] and F ∈ K[X] are absolutely irreducible if andonly if f and F are absolutely irreducible polynomials, i.e., they are irreducible over K.(iii) Let S be a finite set in an affine or projective space over K. The set S is absolutelyirreducible if and only if it consists of one (K-rational) point.Example 4.16 Let f(x 1 ,x 2 )=x 2 2 − x 3 1 − a 4 x 1 − a 6 ∈ K[x 1 ,x 2 ]. This polynomial is absolutelyirreducible, hence V (f) is an irreducible variety over K and over any extension field of K containedin K.The affine and the projective n-spaces are Noetherian, which means that any sequence of closedsubsets S 1 ⊇ S 2 ⊇ ... will eventually become stationary, i.e., there exists an index r such thatS r = S r+1 = .... This holds true as any closed set corresponds to an ideal of K[x] or K[X],respectively, and these rings are Noetherian.Definition 4.17 Let V be an affine (projective) variety. The dimension dim(V ) is defined to be thesupremum on the lengths of all chains S 0 ⊃ S 1 ⊃···⊃S n of distinct irreducible closed subspacesS i of V . A variety is called a curve if it is a variety of dimension 1.Example 4.18 The dimension of A 1 is 1 as the only irreducible subsets correspond to nonzeroirreducible polynomials in 1 variable. In general, A n and P n are varieties of dimension n.Example 4.19 Let 0, 1 ≠ f ∈ K[x 1 ,x 2 ] be absolutely irreducible. Then V (f) is an affine curve asthe only proper subvarieties are points P ∈ A 2 satisfying f(P )=0.Example 4.20 Let V be an affine variety of dimension d. Then the Cartesian product (cf. Example4.13) V m has dimension md by concatenating the chains of varieties.4.1.1.dRelations between affine and projective spaceHere we show how the topologies introduced for P n and A n are made compatible. For both spaceswe defined open and closed sets via polynomials and ideals, respectively.Let F ∈ K[X 0 ,X 1 ,...,X n ] be a homogeneous polynomial of degree d. The process of replacingF (X 0 ,X 1 ,...,X n ) by F i := F (x 1 ,...,x i , 1,x i+1 ,...,x n ) ∈ K[x 1 ,...,x n ]is called dehomogenization with respect to X i . The reverse process takes a polynomial f ∈ K[x]and maps it tof i := X d i f(X 0 /X i ,X 1 /X i ,...,X i−1 /X i ,X i+1 /X i ,...,X n /X i ),where d is minimal such that f i is a polynomial in K[X]. By applying these transformations, werelate homogeneous (prime) ideals in K[X] to (prime) ideals in K[x] and conversely. So we canexpect that we can relate affine spaces with projective spaces including properties of the Zariskitopologies.Example 4.21 The open sets U i = D Xi ⊂ P n are mapped to A n by dehomogenizing their definingpolynomial X i with respect to X i . The inverse mappings are given byφ i : A n → U i(x 1 ,...,x n ) ↦→ (x 1 : ...: x i :1:x i+1 : ...: x n )

50 Ch. 4 Background on Curves and JacobiansTherefore, for any 0 i n we have a canonical bijection between U i and A n which is a homeomorphismas it maps closed sets of U i to closed sets in A n .The sets U 0 ,...,U n cover the projective space P n . This covering is called the standard covering.The maps φ i can be seen as inclusions A n ⊂ P n .If V is a projective closed set such that V = V I(V ) with homogeneous ideal I(V ) ⊆ K[X 0 ,...,X n ]we denote by V i the set φ −1i (V ∩ U i ) for 0 i n. The resulting set is a closed affine set withideal obtained by dehomogenizing all polynomials in I(V ) with respect to X i . This way, V iscovered by the n +1sets φ i (V i ).For the inverse process we need a further definition:Definition 4.22 Let V I ⊆ A n be an affine closed set. Using one of the φ i ,embedV I into P n byV I ⊂ A n → φiP n .The projective closure V I of V I is the closed projective set defined by the ideal _ I generated by thehomogenized polynomials {f i | f ∈ I}.The points added to get the projective closure are called points at infinity. Note that in the definitionwe need to use the ideal generated by the f i ’s, a set of generators of I does not automaticallyhomogenize to a set of generators of _ I . These processes lead to the following lemma that describesthe relation between affine and projective varieties.Lemma 4.23 We choose one embedding φ i from A n to P n and identify A n with its image. LetV ⊆ A n be an affine variety, then V is a projective variety andV = V ∩ A n .Let V ⊆ P n be a projective variety, then V ∩ A n is an affine variety and eitherV ∩ A n = ∅ or V = V ∩ A n .If V is a projective variety defined over K then V ∩ A n is empty or an affine variety defined overK. There is always at least one i such that V ∩ φ i A n =: V (i) is nonempty. We call V (i) a nonemptyaffine part of V .For example, let C ⊂ P n be a projective curve. The intersections C ∩ U i lead to affine curvesC (i) . Starting from an affine curve C a ⊂ A n one can embed the points of C a into P n via φ i .Theresult will not be closed in the Zariski topology of P n so one needs to include points from P n U ito obtain the projective closure C __a .Example 4.24 Consider the projective line P 1 . It is covered by two copies of the affine line A 1 .When embedding A 1 in P 1 via φ 0 we miss a single point (0 : 1) which is called the point at infinitydenoted by ∞.Example 4.25 Let V be a projective variety embedded in P n .Todefinethem-fold Cartesian productone uses the construction for affine varieties (cf. Example 4.13) for affine parts V a and “gluesthem together.”Warning: it is not possible to embed V m in P mn in general. One has to use constructions due toSegre [HAR 1977, pp. 13] and ends up in a higher dimensional space.

§ 4.2 Function fields 514.2 Function fieldsDefinition 4.26 Let V be an affine variety in the n-dimensional space A n over K with correspondingprime ideal I. Denote byK[V ]:=K[x 1 ,...,x n ]/Ithe quotient ring of K[x 1 ,...,x n ] modulo the ideal I. This is an integral domain, called the coordinatering of V .Thefunction field K(V ) of V is the quotient fieldK(V ):=Quot(K[V ]).The maximal algebraic extension of the field K contained in K(V ) is called the field of constantsof K(V )/K.Definition 4.27 Let V be a projective variety over K. LetV a ⊆ A n be a nonempty affine part ofV . Then the function field K(V ) is defined as K(V a ).One can check that K(V ) is independent of the choice of the affine part V a . Thus, the notationK(V ) makes sense. But note that K[V a ] depends on the choice of V a .Obviously, the elements f ∈ K(V ) can be represented by fractions of polynomials f = g/h,f,g ∈ K[x 1 ,...,x n ] or as fractions of homogeneous polynomials of the same degree f = g/h,f,g ∈ K[X 0 ,X 1 ,...,X n ]. Then functions f 1 = g 1 /h 1 and f 2 = g 2 /h 2 are equal if g 1 h 2 −g 2 h 1 ∈I(V ).In Example 4.12, the splitting was induced by an algebraic extension of the ground field. We canformulate a criterion for V to be absolutely irreducible:Proposition 4.28 A variety V is absolutely irreducible if and only if K is algebraically closed inK(V ), i.e.,K is the full constant field of K(V ) (cf. [STI 1993, Cor. III.6.7]).Example 4.29 Consider A n as affine part of P n . Its coordinate ring K[A n ]=K[x 1 ,...,x n ] isthe polynomial ring in n variables. The function field of P n is the field of rational functions in nvariables.From now on, we assume that V is absolutely irreducible.Let L be an algebraic extension field of K. As pointed out above the set V is closed under theZariski topology related to the new ground field L and again irreducible by assumption. We denotethis variety by V L .WegetProposition 4.30 If V is affine then K[V L ]=K[V ] · L. IfV is affine or projective then K(V L )=K(V ) · L.The proof of this proposition follows immediately from the fact that for affine V with correspondingprime ideal I we get V L = V I·L[x] .Example 4.31 Consider the projective curve C = P 1 and the affine part C a = A 1 . For any fieldK ⊆ L ⊆ K the coordinate ring of C a is the polynomial ring in one variable L[C a ]=L[x 1 ] andthe function field is the function field in one variable L(x 1 ).A function field K(V ) of a projective variety V is finitely generated. Since K is perfect the extensionis also separably generated. Therefore, the transcendence degree of K(V )/K is finite.Lemma 4.32 Let K(V ) be the function field corresponding to the projective variety V . The dimensionof V is equal to the transcendence degree of K(V ).

52 Ch. 4 Background on Curves and Jacobians4.2.1 Morphisms of affine varietiesWe want to define maps between affine varieties that are continuous with respect to the Zariskitopologies. We shall call such maps morphisms. We begin with V = A n .Definition 4.33 A morphism ϕ from A n to the affine line A 1 is given by a polynomial f(x) ∈ K[x]and defined byϕ : A n → A 1P =(a 1 ,...,a n ) ↦→ f ( (a 1 ,...,a n ) ) =: f(P ).One sees immediately that f is uniquely determined by ϕ.To ease notation we shall identify f with ϕ. Hence the set of morphisms from A n to the affineline is identified with K[x]. In fact we can make the set of morphisms to a K-algebra in the usualway by adding and multiplying values. As K-algebra it is then isomorphic to K[x].As desired, the map f is continuous with respect to the Zariski topology. It maps closed sets toclosed sets, varieties to varieties, and for extension fields L of K we get f ( A n (L) ) ⊂ A 1 (L).Definition 4.34 A morphism ϕ from A n to A m (for n, m ∈ N) is given by an m-tuple(f1 (x),...,f m (x) )of polynomials in K[x] mapping P ∈ A n to ( f 1 (P ),...,f m (P ) ) .Since ϕ is determined by f 1 ,...,f m , the set of morphisms from A n to A m can be identified withK[x] m . Again one checks without difficulty that morphisms are continuous with respect to theZariski topology and map varieties to varieties.Let V be an affine variety in A n with corresponding prime ideal I ⊂ K[x].Definition 4.35 A morphism from V ⊂ A n to a variety W ⊂ A m is given by the restriction to Vof a morphism from A n to A m with image in W .We denote the set of morphisms from V to W by Mor K (V,W).Example 4.36 As basic example take W = A 1 .ForV = A 1 we already have Mor K (A 1 , A 1 )=K[x]. For an arbitrary variety V = V I one has that Mor K (V,A 1 ) is as K-algebra isomorphic toK[V ]=K[x]/I.Remark 4.37 Take ϕ ∈ Mor K (V,W) and f ∈ Mor K (W, A 1 )=K[W ]. Thenf ◦ ϕ is an elementof Mor K (V,A 1 )=K[V ], and so we get an induced K-algebra morphismϕ ∗ : K[W ] → K[V ].The morphism ϕ ∗ is injective if and only if ϕ is surjective. If ϕ ∗ is surjective then ϕ is injective.Definition 4.38 The map ϕ is an isomorphism if and only if ϕ ∗ is an isomorphism. This means thatthe inverse map of ϕ is again a morphism, i.e., given by polynomials.Two varieties V and W are called isomorphic if there exists an isomorphism from V to W ,andwe have seen that this is equivalent to the fact that K[V ] is isomorphic to K[W ] as K-algebra.Example 4.39 Assume that char(K) =p>0. Then the exponentiation with p is an automorphismφ p of K since K is assumed to be perfect. The map φ p is called the (absolute) Frobeniusautomorphism of K (cf. Section 2.3.2).

§ 4.2 Function fields 53We can extend φ p to points of projective spaces over K by sending the point (X 0 ,...,X n ) to(X p 0 ,...,Xp n ). We apply φ p to polynomials over K by applying it to the coefficients.If V is a projective variety over K with ideal I we can apply φ p to I and get a variety φ p (V ) withideal φ p (I). The points of V are mapped to points on φ p (V ).The corresponding morphism from V to φ p (V ) is called the Frobenius morphism and is againdenoted by φ p . We note that φ p is not an isomorphism as the polynomial rings K[V ]/K[φ p (V )]form a proper inseparable extension.4.2.2 Rational maps of affine varietiesLet V ⊂ A n be an affine variety with ideal I = I(V ) and take ϕ ∈ K[V ] with representing elementf ∈ K[x].By definition, the set D f consists of the points P in A n in which f(P ) ≠0. It is open in theZariski topology of A n , and hence U ϕ := D f ∩ V is open in V . Its complement V ϕ in V is the zerolocus of ϕ. It is not equal to V if and only if U ϕ is not empty, and this is equivalent to f/∈ I.We assume now that f/∈ I. ForP ∈ U ϕ define (1/ϕ)(P ):=f(P ) −1 .Definition 4.40 Assume that U is a nonempty open set of an affine variety V and let the map r U begiven byr U : U → A 1P ↦→ (ψ/ϕ)(P )for some ψ, ϕ ∈ K[V ] and U ⊂ U ϕ .Thenr U is a rational map from V to A 1 with definition set U.We introduce an equivalence relation on rational maps: for given V the rational map r U is equivalentto r U ′ if for all points P ∈ U ∩ U ′ we have: r ′ U (P )=r U ′ ′(P ).Definition 4.41 The equivalence class of a rational map from V to A 1 is called a rational functionon V .Proposition 4.42 Let V be an affine variety. The set of rational functions on V is equal to K(V ).The addition (resp. multiplication) in K(V ) corresponds to the addition (resp. multiplication) ofrational functions defined by addition (resp. multiplication) of the values.Let V ⊂ A n . As in the case of morphisms we can extend the notion of rational maps from the caseW = A 1 to the general case that W ⊂ A m is a variety:Definition 4.43 A rational map r from V to W is an m-tuple of rational functions (r 1 ,...,r m )with r i ∈ K(V ) having representatives R i defined on a nonempty open set U ⊂ V with R(U) :=(R1 (U),...,R m (U) ) ⊂ W .A rational map r from V to W is dominant if (with the notation from above) R(U) is dense inW , i.e., if the smallest closed subset in W containing R(U) is equal to W .A rational map r : V → W is birational if there exists an inverse rational map r ′ : W → V suchthat r ′ ◦ r is equivalent to Id V and r ◦ r ′ is equivalent to Id W .If there exists a birational map from V to W the varieties are called birationally equivalent.Example 4.44 Consider the rational mapsr ij : A n → A n ,r ij =(r ij1 ,...,rij n ),

54 Ch. 4 Background on Curves and Jacobianswhere (for i j)⎧⎪⎨r ijk (x 1,...,x n ):=⎪⎩x k /x j , k < i1/x j , k = ix k−1 /x j , i < k jx k /x j , j < k.The case i>jworks just the same. For fixed j and arbitrary i the maps r ij are defined on D xj .Using the embeddings φ i of A n into P n one has the descriptionr ij = φ −1j ◦ φ i .The inverse map is just r ji and so r ij represents a birational map regular on D xj ∩ D xi . It describesthe coordinate transition of affine coordinates with respect to φ i to affine coordinates with respectto φ j on P n .Proposition 4.45 Assume that the rational map r from V to W is dominant. Then the compositionof r with elements in K(W ) induces a field embedding r ∗ of K(W ) into K(V ) fixing elements inK, generalizing the definition made for morphisms in Remark 4.37.If r is birational then K(V ) is isomorphic to K(W ) as K-algebra.Example 4.46 A projective curve C corresponds to a function field of transcendence degree 1.Since K is perfect, there are elements x 1 ,x 2 ∈ K(C) and an irreducible polynomial f(x 1 ,x 2 )such that K(C) =Quot ( K[x 1 ,x 2 ]/ ( f(x 1 ,x 2 ) )) . Hence, C (and every affine part of dimension1 of C) is birationally equivalent to the plane curve V (f) and of course to its projective closureV (f) ⊂ P 2 .Example 4.47 We consider again the Frobenius morphism φ p from Example 4.39. The mapφ ∗ p : K ( φ p (V ) ) → K(V )has as its image K(V ) p since the coordinate functions of V are exponentiated by p under the mapφ p .4.2.3 Regular functionsWe continue to assume that V is an affine variety.Definition 4.48 A rational function f ∈ K(V ) is regular at a point P ∈ V if f has as representativea rational map ˜f with set of definition U containing P .In other words f is regular at P ∈ V if there is an open neighborhood U of P where f |U =(g/h) |Ufor g, h ∈ K[x] and P ∈ D h . If this is the case we say that f is defined at P with value f(P )=g(P )/h(P ).Definition 4.49 For two varieties V ⊂ A n ,W⊂ A m a rational map r : V → W is regular at P ifthere is a nonempty open set U of V containing P such that the restriction of r to U isgivenbyanm-tuple of rational maps defined on U.In other words: a map r is regular if locally it can be represented via m-tuples of quotients ofpolynomials in K[x] which are defined at P ∈ U.

§ 4.3 Abelian varieties 554.2.4 Generalization to projective varietiesWe want to generalize the definitions of morphisms to projective varieties.Definition 4.50 Let V ⊂ P n and W ⊂ P m be projective varieties. Let ϕ beamapfromV to Wsuch that the following holds:(i) The set V = ⋃ ni=1 V i with V i = V ∩ U i the standard affine parts of V .(ii) The morphism ϕ i := ϕ |Vi is an affine morphism to an affine part W i of W .(iii) The polynomials ( f1(x),...,f i m(x) ) i describing ϕ on V i with respect to the standardaffine coordinates are transformed into the polynomials ( f j 1 (x),...,fj m (x)) describingϕ j in the standard affine coordinates related to V j under the coordinate transformationconsidered in Example 4.44.Then ϕ is a morphism from V to W : ϕ ∈ Mor K (V,W).The notions of rational functions of projective varieties V and of regularity in a point P of suchfunctions are easier to define since they are local definitions.We define rational maps as equivalence classes of rational maps defined on the affine parts of Vcompatible with the transition maps on intersections of standard affine pieces U i (cf. Example 4.44).To define regularity at P we first choose an affine part V i of V containing P and then require thatthere is an open neighborhood U of P in V i such that the rational map obtained by restriction isdefined on U.A rational map from W to P 1 is called a rational function of V .Proposition 4.51 The set of rational functions on a projective variety V forms a field isomorphicto K(V ) which is equal to the field of rational functions on a nonempty affine part of V .A function f : V → K is regular at P ∈ V if there is an open neighborhood U of P wheref = g/h for homogeneous polynomials g, h ∈ K[X] of the same degree and h(Q) ≠0, ∀Q ∈ U.4.3 Abelian varietiesWe want to use the concepts introduced above for a structure that will become most important forthe purposes of the book.Remark 4.52 Already in the definition we shall restrict ourselves to the cases that will be consideredin the sequel. So we shall assume throughout the whole section that all varieties are defined over Kand are absolutely irreducible.4.3.1 Algebraic groupsWe combine the concept of groups with the concept of varieties in a functorial way.Definition 4.53 An (absolutely irreducible) algebraic group G over a field K is an (affine or projective)absolutely irreducible variety defined over K together with three additional ingredients:(i) the addition, i.e., a morphism(ii) the inverse, i.e., a morphismm : G×G→G,i : G→G,

56 Ch. 4 Background on Curves and Jacobians(iii) the neutral element, i.e., a K-rational pointsatisfying the usual group laws:0 ∈G(K),m ◦ (Id G ×m) =m ◦ (m × Id G ) (associativity),m |{0}×G = p 2 ,where p 2 is the projection of G×Gon the second argument, andm ◦ (i × Id G ) ◦ δ G = c 0 ,where δ G is the diagonal map from G to G×Gand c 0 is the map which sends G to 0.Let L be an extension field of K. LetG(L) denote the set of L-rational points. The set G(L) is agroup in which the sum and the inverse of elements are computed by evaluating morphisms that aredefined over K, that do not depend on L, and in which the neutral element is the point 0.A surprising fact is that if G is a projective variety the group law m is necessarily commutative.Definition 4.54 Projective algebraic groups are called abelian varieties.From now on we shall require m to be commutative. We can use a classification theorem whichyields that G is an extension of an abelian variety by an affine (i.e., the underlying variety is affine)algebraic group. So, for cryptographic purposes we can assume that G is either affine or an abelianvariety as by Theorem 2.23 one is interested only in (sub)groups of prime order.Affine commutative group schemes that are interesting for cryptography are called tori. Thereader can find the definition and an interesting discussion on how to use them for DL systemsin [SIRU 2004].Remark 4.55 To make the connection with abelian groups more obvious we replace “m(P, Q)”with the notation P ⊕ Q for P, Q ∈G(K) and i(P ) by −P .We shall concentrate on abelian varieties from now on and shall use as standard notation A insteadof G.4.3.2 Birational group lawsAssume that we are given an abelian variety A. Since we want to use A for DL systems we shallnot only need structural properties of A but explicitly compute with its points. In general this seemsto be hopeless. Results of Mumford [MUM 1966] and Lange–Ruppert [LARU 1985] show that thenumber of coordinate functions and the degree of the addition formulas both grow exponentiallywith the dimension of the abelian variety. Therefore, we have to use special abelian varieties onwhich we can describe the addition at least on open affine parts.By definition A can be covered by affine subvarieties V i . Choose one such V := V i .Forl dependingon V one finds coordinate functions X 1 ,...,X l defining V by polynomial relations{f1 (X 1 ,...,X l ),...,f k (X 1 ,...,X l ) } .The L-rational points V (L) ⊂A(L) are the elements (x 1 ,...,x l ) ∈ L l , where the polynomials f ivanish simultaneously. The addition law can be restricted to V × V and induces a morphismm V : V × V →A.

§ 4.3 Abelian varieties 57For generic points of V × V the image of m V is again contained in V .Som V is given by additionfunctions R i ∈ K(X 1 ,...,X l ; Y 1 ,...,Y l ) such that for pairs of L-rational points in V × V we get((x1 ,...,x l ) ⊕ (y 1 ,...,y l ) ) = ( R 1 (x 1 ,...,x l ; y 1 ,...,y l ),...,R l (x 1 ,...x l ; y 1 ,...,y l ) ) .Remark 4.56 This is a birational description of the addition law that is true outside proper closedsubvarieties of V × V . The set of points where this map is not defined is of small dimension andhence with high probability one will not run into it by chance. But it can happen that we use pairsof points on purpose (e.g., lying on the diagonal in V × V ) for which we need an extra descriptionof m.We shall encounter examples of abelian varieties with birational description of the group law in laterchapters. In fact it will be shown that one can define abelian varieties from elliptic and hyperellipticcurves — they constitute even the main topics of this book.4.3.3 Homomorphisms of abelian varietiesWe assume that A and B are abelian varieties over K with addition laws ⊕ (resp. ⊕ ′ ). Let ϕ be anelement of Mor K (A, B).Example 4.57 Let P ∈A(K) and definet P : A → AQ ↦→ P ⊕ Q.Here, t P is called the translation by P and lies in Mor K (A, A).A surprising fact is that for all ϕ ∈ Mor K (A, B) we haveϕ(P ⊕ Q) =ϕ(P ) ⊕ ′ ϕ(Q)for all points P, Q of A if and only if ϕ(0) is the neutral element of B. In other words everymorphism from A to B is a homomorphism with respect to the addition laws up to the translationmap t −(ϕ(0)) in B. The set of homomorphisms from A to B is denoted by Hom K (A, B).Let L be an extension field of K and take ϕ ∈ Hom K (A, B). We get a group homomorphismϕ L : A(L) →B(L) which is given by evaluating polynomials with coefficients in K. An importantobservation is that ϕ L commutes with the action of the Galois group G K of K.The set of homomorphisms Hom K (A, B) becomes a Z-module in the usual way: for ϕ 1 ,ϕ 2 ∈Hom K (A, B) and points P of A define(ϕ 1 + ϕ 2 )(P ):= ( ϕ 1 (P ) ⊕ ϕ 2 (P ) ) .In many cases it is useful to deal with vector spaces instead of modules, and so we defineHom K (A, B) 0 := Hom K (A, B) ⊗ Z Q.In the next chapter we shall see that Hom K (A, B) 0 is a finite dimensional vector space over Q.Remark 4.58 Homomorphisms of abelian varieties behave in a natural way under base change: letL be an extension field of K and let A L , B L be the abelian varieties obtained by scalar extension toL, Hom L (A, B) :=Hom L (A L , B L ). The Galois group G L acts in a natural way on Mor L (A L , B L )and hence on Hom L (A, B).

§ 4.3 Abelian varieties 59Definition 4.64 Let ϕ be an isogeny from A to B. Thedegree of ϕ is defined as [K(A) :ϕ ∗( K(B) ) ].The isogeny ϕ is called separable if and only if K(A)/ϕ ∗( K(B) ) is a separable extension. It iscalled (purely) inseparable if K(A)/ϕ ∗( K(B) ) is purely inseparable. In this case ker(ϕ) ={0}but nevertheless ϕ is not an isomorphism in general.As for abelian groups we can describe the abelian varieties that are isomorphic to a homomorphicimage of A.Let C be a closed set (with respect to the Zariski topology) in A with C(K) a subgroup of A(K).Then there exists an (up to K-isomorphisms unique) abelian variety B defined over K and a uniqueπ := π C ∈ Hom K (A, B) such that• Im(π) =B,• ker(π) =C and• K ( A)/π ∗ (K(B) ) is separable.Definition 4.65 With the notation from above we call B =: A/C the quotient of A modulo C.Hence, B(K) =A(K)/C(K).For general homomorphisms ϕ ∈ Hom K (A, B) we get:ϕ = ψ ◦ π ker(ϕ)where ψ is a purely inseparable isogeny from A/ ker(ϕ) to Im(ϕ).Hence we can classify all abelian varieties defined over K that are separably isogenous to A upto isomorphisms:Proposition 4.66 The K-isomorphism classes of abelian varieties that are K-separably isogenousto A correspond one-to-one to the finite subgroups C ⊆A(K) that are invariant under the action ofG K . They are isomorphic to A/C. ThefieldK(A) is a separable extension of π ∗( K(A/C) ) ,whichis a Galois extension with Galois group canonically isomorphic to C: the automorphisms of K(A)fixing π ∗( K(A/C) ) are induced by translation maps t P with P ∈ ker(π), i.e., π ∗( K(A/C) )consists of the functions on A that are invariant under translations of the argument by points in C.To describe all abelian varieties that are K-isogenous to A we have to compose separable isogenieswith purely inseparable ones. As seen the notion of finite subgroups of A(K) is not sufficient forthis; we would have to go to the category of group schemes to repair this deficiency. This is beyondthe scope of this introduction. For details see e.g., [MUM 1974, pp. 93].For our purposes there is a most prominent inseparable isogeny, the Frobenius homomorphism.Assume that char(K) =p>0. We recall that we have defined the Frobenius morphism φ p (cf.Example 4.39) for varieties over K. It is easily checked that φ p (A) is again an abelian variety overK. By the description of φ ∗ p it follows at once that φ p is a purely inseparable isogeny of degreep dim(A) and its kernel is {0}.Now we consider the special case that B = A.Definition 4.67 The homomorphisms End K (A) :=Hom K (A, A) are the endomorphisms of A.The set End K (A) is a ring with composition as multiplicative structure.Example 4.68 Assume that K = F p . Then φ p induces the identity map on polynomials over Kand so φ p (A) =A. Therefore, φ p ∈ End K (A). It is called the Frobenius endomorphism.A slight but important generalization is to consider K = F q with q = p d . Then φ q := φ d p isthe relative Frobenius automorphism fixing K element wise. We can apply the considerations madeabove to φ q and get a totally inseparable endomorphism of A of degree p d dim(A) which is calledthe (relative) Frobenius endomorphism of A.

60 Ch. 4 Background on Curves and JacobiansTo avoid quotient groups we introduce a further definition.Definition 4.69 An abelian variety is simple if and only if it does not contain a proper abeliansubvariety.Assume that A is simple. It follows that ϕ ∈ Hom K (A, B) is either the zero map or has a finitekernel, hence its image is isogenous to A.Proposition 4.70 If A is simple then End K (A) is a ring without zero divisors and End K (A) 0 :=End K (A) ⊗ Q is a skew field.One proves by induction with respect to the dimension that every abelian variety is isogenous to thedirect product of simple abelian varieties. So we getCorollary 4.71 End K (A) 0 is isomorphic to a product of matrix rings over skew fields.4.3.5 Points of finite order and Tate modulesWe come to most simple but important examples of elements in End K (A).For n ∈ N define[n] :A→Aas the (n − 1)-fold application of the addition ⊕ to the point P ∈A. For n =0define [0] aszero map, and for n < 0 define [n] := −[|n|]. By identifying n with [n] we get an injectivehomomorphism of Z into End K (A).By definition [n] commutes with every element in End K (A) and with G K and so lies in thecenter of the G K -module End K (A).The kernel of [n] is finite if and only if n ≠0. Hence [n] is an isogeny for n ≠0. It is anisomorphism if |n| =1.Definition 4.72 Let n ∈ N.(i) The kernel of [n] is denoted by A[n].(ii) The points in A[n] are called n-torsion points.(iii) There exists a homogeneous ideal defined over K such that A[n](K) is the set of pointson A(K) at which the ideal vanishes. It is called the n-division ideal.For the latter we recall that A is a projective variety with a fixed embedding into a projective space.For elliptic curves (cf. Section 4.4.2.a) which are abelian varieties of dimension one the n-divisionideal is a principal ideal. The generating polynomial is called the n-division polynomial. We willgive the division polynomials explicitly in Section 4.4.5.a together with a recursive construction.A fundamental result isTheorem 4.73 The degree of [n] is equal to n 2dim(A) . The isogeny [n] is separable if and only if nis prime to char(K). In this case A[n](K) ≃ (Z/nZ) 2dim(A) .Ifn = p s with p =char(K) thenA[p s ](K) =Z/p ts Z with t dim(A) independent of s.A proof of these facts can be found in [MUM 1974, p. 64].Definition 4.74 Let p =char(K).(i) The variety A is called ordinary if A[p s ](K) =Z/p ts Z with t =dim(A).

§ 4.3 Abelian varieties 61(ii) If A[p s ](K) =Z/p ts Z then the abelian variety A has p-rank t.(iii) If A is an elliptic curve, i.e., an abelian variety of dimension 1 (cf. Section 4.4.2.a), it iscalled supersingular if it has p-rank 0.(iv) The abelian variety A is supersingular if it is isogenous to a product of supersingularelliptic curves.Remark 4.75 If an abelian variety A is supersingular then it has p-rank 0. The converse is only truefor abelian varieties of dimension 2.Corollary 4.76 Let ϕ be an isogeny from A to B of degree n = ∏ ti=1 lki i with l i primes.(i) There is a sequence ϕ i of isogenies from abelian varieties A i to A i+1 with A 1 = A andA t+1 = B with deg(ϕ i )=l kii and ϕ = ϕ t ◦ ϕ t−1 ◦···◦ϕ 1 .(ii) Assume that n is prime to char(K). LetB n = ϕ ( A[n](K) ) .ThenB n is G K -invariant,B/B n is isomorphic to A and π Bn ◦ ϕ =[n].(iii) If A is ordinary then taking ϕ = φ p[p] =φ p ◦ π A[p] = π φp(A[p]) ◦ φ p .Example 4.77 Assume that K = F p and that A is an ordinary abelian variety over K. Then thereis a uniquely determined separable endomorphism V p ∈ End K (A) called Verschiebung with[p] =φ p ◦ V p = V p ◦ φ pof degree p dim(A) ,whereφ p is the absolute Frobenius endomorphismCorollary 4.78 Let l be a prime different from char(K) and k ∈ N. Then[l]A[l k+1 ]=A[l k ].We can interpret this result in the following way: the collection of groups...A[l k+i ],...,A[l k ],...forms a projective system with connecting maps [l i ] and so we can form their projective limitlim ←−A[l k ]. The reader should recall that the system with groups Z/l k Z has as projective limitthe l-adic integers Z l (cf. Chapter 3). In fact there is a close connection:Definition 4.79 Let l be a prime different from char(K). Thel-adic Tate module of A isT l (A) := lim ←−A[l k ].Corollary 4.80 The Tate module T l (A) is (as Z l -module) isomorphic to Z 2dim(A)l.4.3.6 Background on l-adic representationsThe torsion points and the Tate modules of abelian varieties are used to construct most importantrepresentations. The basic fact provided by Proposition 4.73 is that for all n ∈ N prime tochar(K) the groups A[n](K) are free Z/nZ-modules and for primes l different from char(K)the Tate modules T l (A) are free Z l -modules each of them having rank equal to 2dim(A). HenceAut K (A[n]), respectively Aut Zl(Tl (A) ) , can be identified (by choosing bases) with the group

62 Ch. 4 Background on Curves and Jacobiansof invertible 2dim(A) × 2dim(A)-matrices over Z/nZ, respectively Z l . Likewise one can identifyEnd K (A[n]) and End Zl(Tl (A) ) with the 2dim(A) × 2dim(A)-matrices over Z/nZ or Z l ,respectively.The first type of these representations relates the arithmetic of K to the arithmetic of A via Galoistheory. This will become very important in the case that K is a finite field or a finite algebraicextension of either Q or a p-adic field Q p .The Galois action of G K on A(K) maps A[l k ] into itself and extends in a natural way to T l (A).Hence both the groups of points in A[n] and in T l (A) carry the structure of a G K -module and sothey give rise to representations of G K .Definition 4.81 For a natural number n prime to char(K) the representation induced by the actionof G K on A[n] is denoted by ρ A,n .For primes l prime to char(K) the representation induced by the action on T l (A) is denoted by˜ρ A,l and is called the l-adic Galois representation attached to A.Second, we take ϕ ∈ End K (A). It commutes with [n] for all natural numbers and so it operateson T l (A) continuously with respect to the l-adic topology. Let T l (ϕ) denote the correspondingelement in End Zl(Tl (A) ) .With the results about abelian varieties we have mentioned already, it is not difficult to see thatthe set of points of l-power order in A(K) is Zariski-dense, i.e., the only Zariski-closed subvarietyof A containing all points of l-power order is equal to A itself.It follows that T l (ϕ) =0if and only if ϕ =0and so we get an injective homomorphism T l fromEnd K (A) into End Zl(Tl (A) ) .Much deeper and stronger is the following result:Theorem 4.82 We use the notation from above. The Tate module, T l induces a continuous Z l -module monomorphism, again denoted by T l , from End Zl(Tl (A) ) ⊗ Z Z l into End Zl(Tl (A) ) .For the proof see [MUM 1974, pp. 176].It follows that End K (A) is a free finitely generated Z-module of rank ( 2dim(A) ) 2and soEnd K (A) ⊗ Q is a finite dimensional semisimple algebra over Q. There is an extensive theoryabout such algebras and a complete classification. For more details see again [MUM 1974, pp.193].Moreover we can associate to ϕ the characteristic polynomialχ ( T l (ϕ) ) (T ):=det ( T − T l (ϕ) ) ,which is a monic polynomial of degree 2dim(A) with coefficients in Z l by definition.But here another fundamental result steps in:Theorem 4.83 The characteristic polynomial χ ( T l (ϕ) ) (T ) does not depend on the prime numberl and has coefficients in Z, hence it is a monic polynomial of degree 2dim(A) in Z[T ].For the proof see [MUM 1974, p. 181].Because of this result the following definition makes sense.Definition 4.84 Let ϕ be an element in End K (A). The characteristic polynomial χ(ϕ) A (T ) isequal to the characteristic polynomial of T l (ϕ) for any l different from char(K).Corollary 4.85 We getdeg(ϕ) =χ(ϕ) A (0)

§ 4.3 Abelian varieties 63and more generallydeg([n] − ϕ) =χ(ϕ) A (n).For n prime to char(K) the restriction of ϕ to A[n] has the characteristic polynomialχ(ϕ) A (T )(mod n).There is an important refinement of Theorem 4.82 taking into account the Galois action. As seen G Kis mapped into End Zl(Tl (A) ) by the representation ˜ρ A,l . By definition the image of T l commuteswith the image of ˜ρ A,l and hence we get:Corollary 4.86 Moving to the Tate module T l induces a map from End K (A) to End Zl [G K](Tl (A) ) .Example 4.87 Let K = F p and let A be an abelian variety defined over K.The Frobenius automorphism of K has a Galois l-adic representation ˜ρ A,l (φ p ) and a representationas endomorphism of A in End Zl(Tl (A) ) . By the very definition both images in End Zl(Tl (A) )coincide.It follows that the endomorphism φ p attached to the Frobenius automorphism of K commuteswith every element in End K (A).Moreover its characteristic polynomial χ(φ p ) A (T ) is equal to the characteristic polynomial of˜ρ A,l (φ p ) for all l prime to char(K).For n prime to char(K), the kernel of [n] − φ p has order χ(φ p ) A (n).4.3.7 Complex multiplicationThe results of the section above are the key ingredients for the study of End K (A).For instance, it follows for simple abelian varieties A that a maximal subfield F of End K (A)⊗Qis a number field of degree at most 2dim(A) over Q,cf.[MUM 1974, p. 182].Definition 4.88 A simple abelian variety A over K has complex multiplication if End K (A) ⊗ Qcontains a number field F of degree 2dim(A) over Q.If an F of this maximal degree exists then it has to be a field of CM-type. That means that it is aquadratic extension of degree 2 of a totally real field F 0 (i.e., every embedding of F 0 into C lies inR), and no embedding of F into C is contained in R. Therefore, F =End K (A) ⊗ Q.If K is a field of characteristic 0 we get more:Proposition 4.89 Let K be a field of characteristic 0. Let A be a simple abelian variety definedover K with complex multiplication. Then End K (A) ⊗ Q is equal to a number field F of degree2dim(A) which is of CM-type. The ring End K (A) is an order (cf. Definition 2.81) in F .Example 4.90 Let K be a field of characteristic 0 and let E be an elliptic curve over K (cf. Section4.4.2.a). Then either End K (E) = {[n] | n ∈ Z} or E has complex multiplication andEnd K (E) is an order in an imaginary quadratic field. In either case the ring of endomorphismsof E is commutative.The results both of the proposition and of the example are wrong if char(K) > 0.For instance, take a supersingular curve E defined over a finite field F p 2 (cf. Definition 4.74).Then the center of End Fp 2(E) ⊗ Q is equal to Q,andEnd Fp 2(E) ⊗ Q is a quaternion algebra overan imaginary quadratic number field F (in fact there are infinitely many such quadratic numberfields). Hence E has complex multiplication but End Fp 2(E) ⊗ Q is not commutative and not anorder in F .

64 Ch. 4 Background on Curves and JacobiansRemark 4.91 For elliptic curves (cf. Section 4.4.2.a) it is a strong requirement to have complexmultiplication. If K has characteristic 0 we shall see that E has to be defined over a number fieldK 0 , and its absolute invariant j E which will be defined in Corollary 4.118 has to be an algebraicinteger in K 0 (satisfying more conditions as we shall see in Theorem 5.47).If char(K) =p>0 a necessary condition is that j E lies in a finite field. After at most a quadraticextension of K this condition becomes sufficient.4.4 Arithmetic of curvesFrom now on we concentrate on curves.4.4.1 Local rings and smoothnessDefinition 4.92 Let P be a point on an affine curve C. The set of rational functions that are regularat P form a subring O P of K(C).In fact, O P is a local ring with maximal idealIt is called the local ring of P .The residue field of P is defined as O P /m P .m P = {f ∈O P | f(P )=0}.One has K(P )=O P /m P , hence, deg(P )=[K(P ):K].For S ⊂ C define O S := ⋂ P ∈S O P .Itisthering of regular functions on S. IfS is closed thenO S is the localization of K[C] with respect to the ideal defining S.A rational function r on C is a morphism if and only if r ∈O C = K[C].For a projective curve, the ring of rational functions on C that are regular at P is equal to O P ,the local ring of P in a nonempty affine part of C.Definition 4.93 Let P ∈ C for a projective curve C. The point P is nonsingular if O P is integrallyclosed in K(C). Otherwise the point is called singular. A curve is called nonsingular or smooth ifevery point of C(K) is nonsingular.A smooth curve satisfies that K[C a ] is integrally closed in K(C) for any choice of C a . If C isprojective but not smooth we take an affine covering C i and define ˜C i as affine curve correspondingto the integral closure of K[C i ]. By the uniqueness of the integral closure we can glue together thecurves ˜C i to a projective curve ˜C called the desingularization of the curve C. Note that in generaleven for C a plane curve, ˜C shall not be plane.There is a morphism ϕ : ˜C → C that is a bijection on the nonsingular points of C. Henceprojective smooth curves that are birationally equivalent are isomorphic.Therefore, irreducible projective nonsingular curves are in one-to-one correspondence to functionfields of dimension 1 over K.To have a criterion for smoothness that can be verified more easily we restrict ourselves to affineparts of curves.Lemma 4.94 (Jacobi criterion) Let C a ⊆ A n be an affine curve, let f 1 ,...,f d ∈ K[x] be generatorsof I(C a ),andletP ∈ C a (K). If the rank of the matrix ( (∂f i /∂x j )(P ) ) is n − 1 then thei,jcurve is nonsingular at P .

§ 4.4 Arithmetic of curves 65Using this lemma one can show that there are only finitely many singular points on a curve.For a nonsingular point P the dimension of m P /m 2 P is one. Therefore, the local ring O P is adiscrete valuation ring.Definition 4.95 Let C be a curve and P ∈ C be nonsingular. The valuation at P on O P is given byv P : O P →{0, 1, 2,...}∪{∞},v P (f) =max{i ∈ Z | f ∈ m i P }.The valuation is extended to K(C) by putting v P (g/h) =v P (g) − v P (h). The value group of v Pis equal to Z.The valuation v P is a non-archimedean discrete normalized valuation (cf. Chapter 3).A function t with v(t) =1is called uniformizer for C at P .Let P 1 and P 2 be nonsingular points. Then v P1 = v P2 if and only if P 1 ∈ G K · P 2 .Example 4.96 Let C = P 1 /K and choose P ∈ A 1 . Let f ∈ K(x). The value v P (f) of f atP =(a) ∈ K equals the multiplicity of a as a root of f. Ifa is a pole of f, the pole-multiplicity istaken with negative sign as it is the zero-multiplicity of 1/f.This leads to a correspondence of Galois orbits of nonsingular points of C to normalized valuationsof K(C) that are trivial on K. For a nonsingular curve this is even a bijection. Namely, toeach valuation v of K(C) corresponds a local ring defined by O v := {f ∈ K(C) | v(f) 0}with maximal ideal m v .IfC is smooth, there exists a maximal ideal M v ⊂ K[C a ],whereC a ischosen such that K[C a ] ⊂O v , satisfying O v = O p . Over the algebraic closure there exist pointsP 1 ,...,P d such that O v equals O Pi and the P i form an orbit under G K . The degree of M v is[K[C a ]/M v : K] =[O v /m v : K]. It is equal to the order of G K · P i of one of the correspondingpoints on C.Two valuations of v 1 ,v 2 of K(C) are called equivalent if there exists a number c ∈ R >0 withv 1 = cv 2 .Definition 4.97 The equivalence class of a valuation v of K(C) which is trivial on K is called aplace p of K(C). The set of places of F/K is denoted by Σ F/K .In every place there is one valuation with value group Z. It is called the normalized valuation ofp and denoted by v p .We have seen:Lemma 4.98 Let F/K be a function field and let C/K be a smooth projective absolute irreduciblecurve such that F ≃ K(C) with an isomorphism ϕ fixing each element of K.There is a natural one-to-one correspondence induced by ϕ between the places of F/K and theGalois orbits of points on C.Example 4.99 Consider the function field K(x 1 ) with associated smooth curve P 1 /K and affinecoordinate ring K[x 1 ]. The normalized valuations in Σ K(C)/K for which the valuation ring containsK[x 1 ] correspond one-to-one to the irreducible monic polynomials in K[x 1 ]. There is one additionalvaluation with negative value at x 1 , called v ∞ , which is equal to the negative degree valuation,corresponding to the valuation at p ∞ (t) =t in K[t] =K[1/x 1 ]. Geometrically v ∞ corresponds toP 1 A 1 .

66 Ch. 4 Background on Curves and Jacobians4.4.2 Genus and Riemann–Roch theoremWe want to define a group associated to the points of a curve C.Definition 4.100 Let C/K be a curve. The divisor group Div C of C is the free abelian group overthe places of K(C)/K. AnelementD ∈ Div C is called a divisor. ItisgivenbyD = ∑p i∈Σ K(C)/Kn i p i ,where n i ∈ Z and n i =0for almost all i.The divisor D is called a prime divisor if D = p with p a place of K(C)/K.The degree deg(D) of a divisor D is given bydeg : Div C → ZD ↦→ deg(D) = ∑p i∈Σ K(C)/Kn i deg(p i ).A divisor is called effective if all n i 0. ByE D one means that E − D is effective.For D ∈ Div C putD 0 = ∑n i p i and D ∞ = ∑−n i p i ,p i ∈Σ K(C)/Kn i 0p i ∈Σ K(C)/Kn i 0thus D = D 0 − D ∞ .Recall that over K each place p i corresponds to a Galois orbit of points on the projective nonsingularcurve attached to K(C). Thus, D can also be given in the formD = ∑n i P iP i∈Cwith n i ∈ Z, almost all n i =0and n i = n j if P i ∈ P j · G K .Assume now that C is absolutely irreducible. Then we can make a base change from K to K. Asa result we get again an irreducible curve C · K (given by the same equations as C but interpretedover K) with function field K(C) · K.Applying the results from above we get{ ∑}Div C·K= n i P iwith n i ∈ Z and almost all n i =0. For all fields L between K and K the Galois group G L operatesby linear extension of the operation on points.Proposition 4.101 Assume that C/K is a projective nonsingular absolutely irreducible curve. LetL be a field between K and K and denote by Div C·L the group of divisors of the curve over Lobtained by base change from K to L. ThenEspecially: Div C =Div GKC·K .P i∈CDiv C·L = {D ∈ Div C·K| σ(D) =D, for all σ ∈ G L }.

§ 4.4 Arithmetic of curves 67Important examples of divisors of C are associated to functions. We use the relation between normalizedvaluations of K(C) which are trivial on K and prime divisors.Definition 4.102 Let C/K beacurveandf ∈ K(C) ∗ .Thedivisor div(f) of f is given bydiv : K(C) → Div Cf ↦→ div(f) = ∑p i∈Σ K(C)/Kv pi (f)p i .A divisor associated to a function is called a principal divisor. The set of principal divisors forms agroup Princ C .We have a presentation of div(f) as difference of effective divisors as above:div(f) =div(f) 0 − div(f) ∞ .The points occurring in div(f) 0 (resp. in div(f) ∞ ) with nonzero coefficient are called zeroes (resp.poles) of f.Example 4.103 Recall the setting of Example 4.99 for the curve C = P 1 . Since polynomials ofdegree d over fields have d zeroes (counted with multiplicities) over K we get immediately fromthe definition:deg(f) =0, for all f ∈ K(x 1 ) ∗ .Now let C be arbitrary. Take f ∈ K(C) ∗ . For constant f ∈ K ∗ the divisor is div(f) = 0.Otherwise K(f) is of transcendence degree 1 over K and can be interpreted as function field ofthe projective line (with affine coordinate f) over K. By commutative algebra (cf. [ZASA 1976])we learn about the close connection between valuations in K(f) and K(C), the latter being a finitealgebraic extension of K(f). Namely, div(f) ∞ is the conorm of the negative degree valuation onK(f) and hence has degree [K(C) :K(f)] (cf. [STI 1993, p. 106]).Since div(f) 0 =div(f −1 ) ∞ we get:Proposition 4.104 Let C be an absolutely irreducible curve with function field K(C) and f ∈K(C) ∗ .(i) deg ( div(f) 0)=0if and only if f ∈ K ∗ .(ii) If f ∈ K(C) K then [K(C) :K(f)] = deg ( div(f) ∞)=deg(div(f)0).(iii) For all f ∈ K(C) ∗ we get: deg ( div(f) ) =0.So the principal divisors form a subgroup of the group Div 0 C of degree zero divisors.To each divisor D we associate a vector space consisting of those functions with pole order atplaces p i bounded by the coefficients n i of D.Definition 4.105 Let D ∈ Div C .DefineL(D) :={f ∈ K(C) | div(f) −D}.It is not difficult to see that L(D) is a finite dimensional K-vector space. Put l(D) =dim K(L(D)).The Theorem of Riemann–Roch gives a very important connection between deg(D) and l(D).We give a simplified version of this theorem, which is sufficient for our purposes. The interestedreader can find the complete version in [STI 1993, Theorem I.5.15].

68 Ch. 4 Background on Curves and JacobiansTheorem 4.106 (Riemann–Roch) Let C/K be an absolutely irreducible curve with function fieldK(C). There exists an integer g 0 such that for every divisor D ∈ Div Cl(D) deg(D) − g +1.For all D ∈ Div C with deg(D) > 2g − 2 one even has equality l(D) =deg(D) − g +1.Definition 4.107 The number g from Theorem 4.106 is called the genus of K(C) or the geometricgenus of C. IfC is projective nonsingular then g is called the genus of C.The Riemann–Roch theorem guarantees the existence of functions with prescribed poles and zeroesprovided that the number of required zeroes is at most 2g −2 less than the number of poles. Namely,if n i > 0 at p i then f ∈ L(D) is allowed to have a pole of order at most n i at p i . Vice versa anegative n i requires a zero of multiplicity at least n i at p i .As an important application we get:Lemma 4.108 Let C/K be a nonsingular curve and let D = ∑ n i p i be a K-rational divisor of Cof degree g. Then there is a function f ∈ K(C) which has poles of order at most n i (hence zeroesof order at least −n i if n i < 0) in the points P i ∈ C corresponding to p i and no poles elsewhere. Inother words: the divisor D +(f) is effective.Example 4.109 For the function field K(x 1 ), Lagrange interpolation allows to find quotients ofpolynomials for any given zeroes and poles. This leads to l(D) =deg(D)+1.ThecurveP 1 /Khas genus 0.The Hurwitz genus formula relates the genus of algebraic extensions F ′ /F/K. It is given in aspecial case in the following theorem (cf. [STI 1993, Theorem III.4.12] for the general case).Theorem 4.110 (Hurwitz Genus Formula) Let F ′ /F be a tame finite separable extension of algebraicfunction fields having the same constant field K. Letg (resp. g ′ ) denote the genus of F/K(resp. F ′ /K). Then∑2g ′ − 2=[F ′ (: F ](2g − 2)e(p ′ |p) − 1 ) deg(p ′ ).∑p∈Σ F/K p ′ |pOne of the most important applications of the Riemann–Roch theorem is to find affine equations fora curve with given function field. We shall demonstrate this in two special cases which will be thecenter of interest later on.4.4.2.aElliptic curvesDefinition 4.111 A nonsingular absolutely irreducible projective curve defined over K of genus 1with at least one K-rational point is called an elliptic curve.Let C be such a smooth absolutely irreducible curve of genus 1 with at least one K-rational pointP ∞ and let F/K be its function field. As l(P ∞ )=1we have thus L(P ∞ )=K.Theorem 4.106 guarantees l(2P ∞ )=2, hence there exists a function x ∈ F such that {1,x} is abasis of L(2P ∞ ) over K. There also exists y ∈ F such that {1,x,y} is a basis of L(3P ∞ ) over K.We easily find that {1,x,y,x 2 } is a basis of L(4P ∞ ) and that L(5P ∞ ) has basis {1,x,y,x 2 ,xy}.The space L(6P ∞ ) ⊃〈{1,x,y,x 2 ,xy,x 3 ,y 2 }〉 has dimension six, hence there must be a lineardependence between these seven functions. In this relation y 2 has to have a nontrivial coefficienta. By multiplying the relation with a and by replacing y by a −1 y we can assume that a =1.The

§ 4.4 Arithmetic of curves 69function x 3 has to appear nontrivially, too, with some coefficient b. Multiply the relation by b 2 andreplace x by b −1 x, y by b −1 y. Then the coefficients of y 2 and x 3 are equal to 1 and we get a relationy 2 + a 1 xy + a 3 y − x 3 − a 2 x 2 − a 4 x − a 6 ,a i ∈ K.This is the equation of an absolutely irreducible plane affine curve. It is a fact (again obtained bythe use of the theorem of Riemann–Roch) that this curve is smooth.The projective closure C of C is given byY 2 Z + a 1 XY Z + a 3 YZ 2 − X 3 − a 2 X 2 Z − a 4 XZ 2 − a 6 Z 3 ,a i ∈ Kwith plane projective coordinates (X : Y : Z). One sees at once that C C = {(0:1:0)} andthat P ∞ := (0 : 1 : 0) is smooth. Hence C is a nonsingular absolutely irreducible plane projectivecurve of genus 1.Again by using the Riemann–Roch theorem one can prove that the converse holds, too. The projectivecurve given byY 2 Z + a 1 XY Z + a 3 YZ 2 − X 3 − a 2 X 2 Z − a 4 XZ 2 − a 6 Z 3 ,a i ∈ Kis a curve of genus 1 if and only if it is smooth.We have seen that the Riemann–Roch theorem yieldsTheorem 4.112 A function field F/K of genus 1 with a prime divisor of degree 1 is the functionfield of an elliptic curve E. This curve is isomorphic to a smooth plane projective curve given by aWeierstraß equationE : Y 2 Z + a 1 XY Z + a 3 YZ 2 − X 3 − a 2 X 2 Z − a 4 XZ 2 − a 6 Z 3 ,a i ∈ K.A plane nonsingular affine part E a of E is given byy 2 + a 1 xy + a 3 y − x 3 − a 2 x 2 − a 4 x − a 6 ,a i ∈ K.E E a consists of one point with homogeneous coordinates (0 : 1 : 0).Conversely nonsingular curves given by equationsE : Y 2 Z + a 1 XYZ + a 3 YZ 2 − X 3 − a 2 X 2 Z − a 4 XZ 2 − a 6 Z 3 ,a i ∈ Khave function fields of genus 1 with at least one prime divisor of degree 1 and so are elliptic curves.In the remainder of the book E will be a standard notation for an elliptic curve given by a Weierstraßequation, and we shall often abuse notation and denote by E the affine part E a , too. Since ellipticcurves are one of the central topics of this book we use the opportunity to study their equations inmore detail.Short normal forms and invariantsLet E be an elliptic curve defined over K with affine Weierstraß equationE : y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 .We shall simplify this equation under assumptions about the characteristic of K. To achieve this weshall map (x, y) to (x ′ ,y ′ ) by invertible linear transformations. These transformations correspondto morphisms of the affine part of E to the affine part of another elliptic curve E ′ , and since theinfinite point remains unchanged we get an isomorphism between E and E ′ . Having done the

70 Ch. 4 Background on Curves and Jacobianstransformation we change notation and denote the transformed curve by E with coordinates (x, y)again.First assume that the characteristic of K is odd. We make the following transformationsx ↦→ x ′ = x and y ↦→ y ′ = y + 1 2(a 1 x + a 32The equation of E expressed in the coordinates (x ′ ,y ′ ) and then, following our convention to changenotation and to write x for x ′ and y for y ′ is:E : y 2 = x 3 + b 24 x2 + b 42 x + b 64where b 2 = a 2 1 +4a 2,b 4 =2a 4 + a 1 a 3 and b 6 = a 2 3 +4a 6.Now we assume in addition that the characteristic of K is prime to 6. We transformx ↦→ x ′ = x + b 212 and y ↦→ y′ = yand — applying our conventions — get the equationE : y 2 = x 3 − c 448 x − c 6864 ,where c 4 and c 6 areexpressedinanobviouswayintermsofb 2 ,b 4 ,b 6 as)·c 4 = b 2 2 − 24b 4 and c 6 = −b 3 2 +36b 2b 4 − 216b 6 .So if char(K) is prime to 6, we can always assume that an elliptic curve is given by a short Weierstraßequation of the typey 2 = x 3 + a 4 x + a 6 .Next we have to decide which Weierstraß equations define isomorphic elliptic curves. We can andwill restrict ourselves to isomorphisms that fix the point at infinity, i.e., we fix one rational point onE or equivalently we fix one place of degree 1 in the function field of E, which is the place P ∞used when we derived the equation in Section 4.4.2.a.To make the discussion not too complicated we shall continue to assume that the characteristic ofK is prime to 6 and so we have to look for invertible transformations of the affine coordinates forwhich the transformed equation is again a short Weierstraß equation.So let E be given byE : y 2 = x 3 + a 4 x + a 6 .One sees immediately that the conditions imposed on the transformations implyx ↦→ x ′ = u −2 x andwith u ∈ K ∗ , and that the resulting equation isy ↦→ y ′ = u −3 yE ′ : y ′2 = x ′3 + u 4 a 4 x + u 6 a 6 .Proposition 4.113 Assume that the characteristic of K is prime to 6 and let E be an elliptic curvedefined over K. LetE be given by a short Weierstraß equationE : y 2 = x 3 + a 4 x + a 6 .• If a 4 =0then the coefficient of x is equal to 0 in all short Weierstraß equations for E,and a 6 is determined up to a sixth power in K ∗ .• If a 6 =0then the absolute term in all short Weierstraß equations for E is equal to 0 anda 4 is determined up to a forth power in K ∗ .• If a4a 6 ≠0then a 6 /a 4 is determined up to a square in K ∗ .

§ 4.4 Arithmetic of curves 71Conversely:• If a 4 =0then E is isomorphic to E ′ if in a short Weierstraß form of E ′ the coefficienta ′ 4 of x is equal to 0 and a′ 6 /a 6 is a sixth power in K ∗ .• If a 6 =0then E is isomorphic to E ′ if in a short Weierstraß form of E ′ the absoluteterm is equal to 0 and a ′ 4 /a 4 is a fourth power in K ∗ .• If a 4 a 6 ≠0then E is isomorphic to E ′ if in a short Weierstraß form of E ′ we have:there is an element v ∈ K ∗ with a ′ 4 = v2 a 4 and a ′ 6 = v3 a 6 .Corollary 4.114 Assume that the characteristic of K is prime to 6 and let E be given by a shortWeierstraß equationE : y 2 = x 3 + a 4 x + a 6 .• If a 4 =0then for every a ′ 6 ∈ K∗ the curve E is isomorphic toE ′ : y 2 = x 3 + a ′ 6 over K ( (a 6 /a ′ 6) 1/6) .• If a 6 =0then for every a ′ 4 ∈ K∗ the curve E is isomorphic toE ′ : y 2 = x 3 + a ′ 4x over K ( (a 4 /a ′ 4) 1/4) .• If a 4 a 6 ≠0then for every v ∈ K ∗ the curve E is isomorphic toẼ v : y 2 = x 3 + a ′ 4 x + a′ 6 with a′ 4 = v2 a 4 and a ′ 6 = v3 a 6 over K( √ v).The curves occurring in the Corollary are called twists of E. The curves Ẽv are called quadratictwists of E. Note that E is isomorphic to Ẽv over K if and only if v is a square in K ∗ . Thereforeup to isomorphisms there is only one quadratic twist of a curve with a 4 a 6 ≠0.We want to translate the results of the proposition and of the lemma into “invariants” of E thatcan be read off from any Weierstraß equation.Recall that a crucial part of the definition of elliptic curves was that the affine part has no singularpoints. This is translated into the condition that the discriminant of the equation of E is not equal to0. This discriminant is a polynomial in the coefficients a i , which is particularly easy to write downif we have a short Weierstraß equation. So let E be given byE : y 2 = x 3 + a 4 x + a 6 := f(x).Definition 4.115 The discriminant ∆ E of E is equal to the polynomial discriminant of f(x) whichis (up to a sign) the product of the differences of the zeroes of f(x), which we endow with a constantfor historical reasons:∆ E = −16(4a 3 4 +27a2 6 ).We note that this definition is to be taken with caution: it depends on the chosen Weierstraß equationand not only on the isomorphism class of E. To make the discriminant well defined we have toconsider it modulo 12-th powers in K ∗ .To get an invariant of the isomorphism class of E we use the transformations of a 4 ,a 6 ,and∆ Eunder transformations of Weierstraß forms.Definition 4.116 The absolute invariant (sometimes called j-invariant) j E of E is defined byj E =12 3 −4a3 4∆ E.

72 Ch. 4 Background on Curves and JacobiansLemma 4.117 Assume that the characteristic of K is prime to 6 and let E be given by a shortWeierstraß equationE : y 2 = x 3 + a 4 x + a 6 .The absolute invariant j E depends only on the isomorphism class of E.(i) We have j E =0if and only if a 4 =0.(ii) We have j E =12 3 if and only if a 6 =0.(iii) If j ∈ K is not equal to 0, 12 3 then E is a quadratic twist of the elliptic curveE j : y 2 = x 3 −27j4(j − 12 3 ) x + 27j4(j − 12 3 )·Corollary 4.118 Assume that the characteristic of K is prime to 6. The isomorphism classes ofelliptic curves E over K are, up to twists, uniquely determined by the absolute invariants j E ,andfor every j ∈ K there exists an elliptic curve with absolute invariant j.If K is algebraically closed then the isomorphism classes of elliptic curves over K correspondone-to-one to the elements in K via the map E ↦→ j E .Of course it is annoying that we have to restrict ourselves to fields whose characteristic is prime to 6.In fact this is not necessary at all; completely analogous discussions can be done for characteristics2 and 3 and can be found in [SIL 1986] and also in Chapter 13.We give a very short sketch of the discussions there.We start with a general Weierstraß equation for E over a field with odd characteristic.E : y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 ,and recall the definitions of b 2 = a 2 1 +4a 2, b 4 =2a 4 + a 1 a 3 , b 6 = a 2 3 +4a 6,andc 4 = b 2 2 − 24b 4.In addition we defineDefinition 4.119 The discriminant of E isb 8 = a 2 1 a 6 − a 1 a 3 a 4 +4a 2 a 6 + a 2 a 2 3 − a2 4 .∆ E := −b 2 2b 8 − 8b 3 4 − 27b 2 6 +9b 2 b 4 b 6and the absolute invariant of E isj E = c 3 4/∆ E .If the characteristic of K is equal to 2 one also finds normal forms for E (cf. Section 13.3). Eithera 1 =0and then j E := 0. Otherwise we can find an equation for E with a 3 = a 4 =0and a 1 =1.Then j E = a −16 .We summarize the definitions in Table 4.1. Using these extra considerations one easily seesthat the conclusions of Corollary 4.118 hold without any restrictions about the characteristic of theground field.Theorem 4.120 Let K be a field. The isomorphism classes of elliptic curves E over K are, upto twists, uniquely determined by the absolute invariants j E , and for every j ∈ K there exists anelliptic curve E with absolute invariant j E = j.If K is algebraically closed then the isomorphism classes of elliptic curves over K correspondone-to-one to the elements in K via the map E ↦→ j E .

§ 4.4 Arithmetic of curves 73Table 4.1 Short Weierstraß equations.char K Equation ∆ j≠2, 3 y 2 = x 3 + a 4 x + a 6 −16(4a 3 4 +27a2 6 ) 1728a3 4 /4∆3 y 2 = x 3 + a 4 x + a 6 −a 3 4 03 y 2 = x 3 + a 2 x 2 + a 6 −a 3 2 a 6 −a 3 2 /a 62 y 2 + a 3 y = x 3 + a 4 x + a 6 a 4 3 02 y 2 + xy = x 3 + a 2 x 2 + a 6 a 6 1/a 64.4.2.bHyperelliptic curvesDefinition 4.121 A nonsingular curve C/K of genus g>1 is called a hyperelliptic curve if thefunction field K(C) is a separable extension of degree 2 of the rational function field K(x) for somefunction x. Letω denote the nontrivial automorphism of this extension. It induces an involution ω ∗on C with quotient P 1 . The fixed points P 1 ,...,P 2g+2 of ω ∗ are called Weierstraß points.From a geometrical point of view, C is a hyperelliptic curve if there exists a generically étalemorphism π of degree 2 to P 1 . The Weierstraß points are exactly the points in which π is ramified.Classically, elliptic curves are not subsumed under hyperelliptic curves. The main difference is thatfor g>1 the rational subfield of index 2 is unique. That implies that the function x is uniquelydetermined up to transformationsx ↦→ ax + bcx + dwith a, b, c, d ∈ K and ad − bc ≠0.For elliptic curves this is wrong. If, for instance, K is algebraically closed then there exist infinitelymany rational subfields of index 2. In this book we will often consider elliptic curves as hyperellipticcurves of genus one since most of the arithmetic properties we are interested in are the same.We now use the Riemann–Roch theorem to find an equation describing a plane affine part of C.The definition implies that there exists a divisor D of degree 2, which is the conorm of thenegative degree valuation on K(x) (cf. [STI 1993, p. 106]).From the construction we have that L(D) has basis {1,x} and, hence, l(D) =2.For1 j gwe have that l(jD) 2j and the elements {1,x,...,x j } are linearly independent in L(jD). Asdeg ( (g +1)D ) =2(g +1)> 2g − 2, Theorem 4.106 implies thatl ( (g +1)D ) =deg ( (g +1)D ) − g +1=g +3.Hence, besides the g+2 elements 1,x,...,x g+1 there must be a (g+3)-th function y ∈ L ( (g+1)D )independent of the powers of x.Therefore, y ∉ K[x]. The space L ( 2(g +1)D ) has dimension 3g +3. It contains the 3g +4functions1,x,...,x g+1 ,y,x g+2 ,xy,...,x 2(g+1) ,x g+1 y, y 2 .Therefore there must exist a linear combination defined over K among them. In this relation y 2has to have some nontrivial coefficient a as y ∉ K[x]. By multiplying the relation with a and byreplacing y by a −1 y we can assume that a =1.This leads to an equationwhere deg(h) g +1and deg(f) 2g +2.y 2 + h(x)y = f(x), h(x),f(x) ∈ K[x],

74 Ch. 4 Background on Curves and JacobiansTo determine the exact degrees we use the Hurwitz genus formula stated in Theorem 4.110. In ourcase [K(C) :K(x)] = 2 and thus e(p ′ |p) 2. To simplify we shall assume that the characteristicof K is odd. After applying the usual transformation y ↦→ y −h(x)/2 we can assume that h(x) =0.Then the fixed points of ω ∗ are points with y-coordinate equal to 0 or are points lying over x = ∞.The latter case occurs if and only if D is a divisor of the form 2P ∞ , i.e., if there is only one pointP ∞ lying over ∞ on the nonsingular curve with function field K(C). Moreover the x-coordinatesof these points correspond to the places of K(x) which ramify in the extension K(C)/K(x).By the genus formula the number of the ramified points has to be equal to 2g +2. Hence f(x)has to have 2g +2different zeroes if ∞ is not ramified, and 2g +1different zeroes if ∞ is ramified.As a result we get: the degree of f(x) is equal to 2g +2if D = P 1 + P 2 with different P 1 ,P 2 andequal to 2g +1if D =2P ∞ ,andf(x) has no double zeroes.Moreover the affine curve given by the equationis nonsingular.C a : y 2 + h(x)y = f(x), h(x),f(x) ∈ K[x]Theorem 4.122 A function field F/K of genus g>1 with an automorphism ω ∗ of order 2 withrational fixed field is the function field of a plane affine curve given by an equationC : y 2 + h(x)y = f(x), h(x),f(x) ∈ K[x], (4.1)where 2g +1 deg f 2g +2and deg h g +1without singularities.Conversely the nonsingular projective curve birationally isomorphic to an affine nonsingularcurve given by an equation of this type is a hyperelliptic curve of genus g.The homogenized equation has a singularity at infinity exactly if there is a single point in π −1 (∞)and then the degree of f(x) is equal to 2g +1. In this case we can achieve a monic f. Letb be theleading coefficient. Multiplying the equation by b 2g and replacing y ↦→ y/b g ,x↦→ x/b 2 we obtainC a : y 2 + h(x)y = f(x) with h(x),f(x) ∈ K[x], deg(f) =2g +1, deg(h) g and f monic.In the sequel we shall always characterize hyperelliptic curves by their affine plane parts and assumethem given by equations of the form (4.1).Short Weierstraß equationsLater on we shall concentrate on the case that deg(f) =2g +1, i.e., curves having a K-rationalWeierstraß point. In this case we can simplify the equations analogously to the case of ellipticcurves. We distinguish between the case of K having odd or even characteristic.Let C be a hyperelliptic curve of genus g defined over a field of characteristic ≠2by an equationof the form (4.1) with deg(f) =2g +1. The transformation y ↦→ y −h(x)/2 leads to an isomorphiccurve given byC : y 2 = f(x),f ∈ K[x] and deg(f) =2g +1. (4.2)The Jacobi criterion (cf. Lemma 4.94) states that C is nonsingular if and only if no point on thecurve satisfies both partial derivative equations 2y =0and f ′ (x) =0. The points with y =0arejust the points P i =(x i , 0), wheref(x i )=0. The second condition shows that the singular pointsare just the Weierstraß points for which the first coordinate is a multiple root of f. Therefore, anecessary and sufficient criterion for (4.2) to be nonsingular is that f has only simple roots over thealgebraic closure.Letf(x) =x 2g+1 +2g∑i=0f i x i .

§ 4.4 Arithmetic of curves 75If additionally char(K) is coprime to 2g, the transformation x ↦→ x − f 2g /(2g) allows to givef(x) =x 2g+1 + f 2g−1 x 2g−1 + ···+ f 1 x + f 0 with f i ∈ K.Let C be a hyperelliptic curve of genus g over a field of characteristic 2. Assume first that h(x) =0,i.e., y 2 = f(x) like above.The partial derivatives are 2y =0and f ′ (x). Anyofthe2g +1roots x P of f ′ can be extended toa point (x P ,y P ) satisfying y 2 P = f(x P ) and both partial derivatives. Hence, h(x) =0immediatelyleads to a singular point and so we must have h(x) ≠0.4.4.2.cDifferentialsWe shall now give another application of the theorem of Riemann–Roch. For this we have tointroduce differentials. We shall do this in the abstract setting of function fields. If the ground fieldK is equal to C this concept coincides with the “usual” notion of differentials known from calculus.Let K(C) be the function field of a curve C defined over K. Toeveryf ∈ K(C) we attach asymbol df ,thedifferential of f lying in a K(C)-vector space Ω ( K(C) ) , which is the free vectorspace generated by the symbols df modulo the following relations.For f,g ∈ K(C) and λ ∈ K we have(R1) d(λf + g) = λdf + dg(R2) d(fg) = fdg + gdf.Recall that a derivation of K(C) is a K-linear mapvanishing on K withD : K(C) → K(C)D(fg)=D(f)g + D(g)f.Let x ∈ K(C) be such that K(C) is a finite separable extension of K(x). Then there is exactly onederivation D of K(C) with D(x) =1(cf. [ZASA 1976]) call this derivation the partial derivativewith respect to x and denote the image of f ∈ K(C) under this derivation by ∂f/∂x.The relation between derivations and differentials is given by the chain rule.Lemma 4.123 (Chain rule) Let x be as above and f ∈ K(C). Thendf =(∂f/∂x)dx.Corollary 4.124 The K(C)-vector space of differentials Ω(K(C)) has dimension 1.It is generated by dx for any x ∈ K(C) for which K(C)/K(x) is finite separable.Let P be a point on C. Take a uniformizer for C at P , i.e., a function t P ∈ K(C) that generatesthe maximal ideal M P of the place associated to P . So t P is a function that vanishes at P withmultiplicity 1. It follows that K(C)/K(t P ) is finite separable.Let ω ∈ Ω ( K(C) ) be a differential of C. Weattachadivisordiv(ω) = ∑ P ∈C n P P givenby the following recipe: for P ∈ C choose a uniformizer t P and express ω by ω = f P dt P withf P ∈ K(C). Thenn P = v P (f P ).Lemma 4.125 The sum div(ω) = ∑ P ∈C n P P defines a divisor of C that is independent of thechoice of the uniformizers t P . The degree of div(ω) is equal to 2g − 2.For a proof of the lemma see [STI 1993].

76 Ch. 4 Background on Curves and JacobiansDefinition 4.126 A differential ω is holomorphic if div(ω) is an effective divisor.The set of holomorphic differentials of C forms a K-vector space Ω 0 (K(C)).A consequence of the Riemann–Roch theorem is:Theorem 4.127 The K-vector space Ω 0( K(C) ) has dimension g.Example 4.128 Let E be an elliptic curve defined over K and given by an affine Weierstraß equationG(x, y) =0,whereG(x, y) =y 2 + a 1 xy + a 3 y − x 3 − a 2 x 2 − a 4 x − a 6 , with a i ∈ K.The differential 1/ ( ∂G(x, y)/∂y ) dx is holomorphic, and up to a multiplicative constant it is theunique holomorphic differential of E. Note that it has neither poles nor zeroes.4.4.3 Divisor class groupIn this section we shall attach an abelian group to each nonsingular curve starting from the group ofdivisors as defined in Section 4.4.2. This construction will give us an intimate relation between thearithmetic of curves and abelian varieties.Let C/K be an absolutely irreducible smooth projective curve. Let Div 0 C denote the group ofK-rational divisors of C of degree 0.Recall that principal divisors have degree zero and form a subgroup Princ C ⊆ Div 0 C .Definition 4.129 The divisor class group Pic 0 C of C of degree zero is the quotient of the group ofdegree zero divisors Div 0 C by the principal divisors. It is also called the Picard group of C.Hence, two divisors D 1 and D 2 are in the same class if there exists an f ∈ K(C) with div(f) =D 1 − D 2 .Example 4.130 Let ω and ω ′ be two differentials of C that are not equal to 0. Thendiv(ω) is in thesame class as div(ω ′ ).In contrast to the group of divisors, the divisor class group has many torsion elements. If the fieldK is finite, it is even a finite group.We now give an example of how to deal with torsion elements.4.4.3.aDivisor classes of order equal to char(K)We assume that K is a field of characteristic p>0. LetC be a projective absolutely irreduciblenonsingular curve of genus g defined over K. LetPic 0 C[p] be the group of divisor classes of C withorder dividing p.In [SER 1958] we find the following result.Proposition 4.131 There is a monomorphism α from Pic 0 C[p] into Ω 0 (C), theK-vector space ofholomorphic differentials on C given by the following rule: choose a K-rational divisor D withpD =div(f) where f is a function on C. Then the divisor class D __of D is mapped under α to theholomorphic differential (1/f)df .Note that (1/f)df is holomorphic since the multiplicity of the zeroes of f is divisible by p =char(K). Next we choose a point P 0 ∈ C(K). Lett be a uniformizer of C at P 0 (i.e., t ∈ K(C)with t(P 0 )=0and ∂f/∂t(P 0 ) ≠0). We take (1/f)df as in the proposition and express it via thechain rule in the form ( (∂f/∂t)/f ) dt. Let(a 0 ,a 1 ,...,a 2g−2 )(f) be the tuple whose coordinates

§ 4.4 Arithmetic of curves 77are first coefficients of the power series expansion of (∂f/∂t)/f at P 0 and assume that there isanother holomorphic differential hdt with h having the same power series expansion as (∂f/∂t)/fmodulo t 2g−1 . Then (1/f)df − hdt is a holomorphic differential whose divisor has a coefficient 2g − 1 at P 0 and so its degree is 2g − 1. But this implies that it is equal to 0 and so (1/f)df =hdt.HencewegetProposition 4.132 Let K be a field of characteristic p>0 and C a curve of genus g defined over K.For divisor classes D __∈ Pic 0 C[p] choose a divisor D ∈ D __and take f ∈ K(C) with pD =div(f).The mapis an injective homomorphism.Φ:Pic 0 C[p] → K 2g−1__D ↦→ (a 0 ,a 1 ,...,a 2g−2 )(f)Remark 4.133 For applications later on we shall be interested mostly in the case that K is a finitefield F q . Moreover, computational aspects will become important. If we want to use Proposition4.132 in practice to identify Pic 0 C[p](F q ) with a subgroup of F 2g−1q we must be able to computethe first coefficients of the power series expansion of (1/f)df at P 0 fast. The problem is that thedegree of f can be very large. Nevertheless this can be done in polynomial time (depending on gand lg q). The method is similar to the one we shall use later on for computing the Tate pairing (seeChapter 16) and so we refer here to [RÜC 1999] for details.4.4.4 The Jacobian variety of curvesWe come back to a projective absolutely irreducible curve C defined over the field K and the studyof its divisor class group.A first and easily verified observation is that G K acts in a natural way on Pic 0 and thatC·KPic 0 C =(Pic 0 C·K )GKwhere Pic 0 is the divisor class group of degree 0 of the curve over K obtained by base changeC·Kfrom C.More generally, take any field L between K and K. ThenPic 0 C·L =(Pic0 .C·K )GLIn the language of categories this means that for a fixed curve C, the Picard groups correspondingto curves obtained from C by base change define a functor Pic 0 from the set of intermediate fieldsL between K and K to the category of abelian groups.It is very important that this functor can be represented by an absolutely irreducible smoothprojective variety J C defined over K. For all fields L between K and K we have that the functorsof sets L ↦→ J C (L), thesetofL-rational points of J C , can be identified in a natural way withL ↦→ Pic 0 C·L.But even more is true: J C has the structure of an algebraic group. Since J C is projective andabsolutely irreducible this means that J C is an abelian variety.In particular, this implies that J C (L) is a group in which the group composition ⊕ is given bythe evaluation of rational functions (if one takes affine coordinates) or polynomials (in projectivecoordinates) with coefficients in K on pairs (P 1 ,P 2 ) ∈ J C (L) 2 .As a result we can introduce coordinates for elements in Pic 0 C and compute by using algebraicformulas.

78 Ch. 4 Background on Curves and JacobiansDefinition 4.134 The variety J C is called the Jacobian (variety) of C.By using Theorem 4.106 we can give a birational description of J C , which (essentially) proves itsexistence and makes it accessible for computations. It is based on the following lemma.Lemma 4.135 Let C/K be a nonsingular, projective, absolutely irreducible curve of genus g with aK-rational point P ∞ corresponding to the place p ∞ .ForeveryK-rational divisor class D __of degree0 of C there exists an effective divisor D of degree deg(D) =g such that D − g p ∞ ∈ D.__Proof. Take any D ′ ∈ D __with D ′ = D 1 − D 2 as difference of two effective K-rational divisors. Inthe first step we choose l large enough so that l − deg(D 2 ) >gand by Lemma 4.108 find a functionf 1 such that −D 2 +(f 1 )+l p ∞ is effective.By replacing D ′ by D ′ +(f 1 ) we can assume that D ′ = D − k p ∞ with D effective and k =deg(D). Ifk>g(otherwise we are done) we apply Lemma 4.108 to the divisor D−(k−g) p ∞ andfind a function f such that D −(k −g) p ∞ +(f) :=D 0 is effective and therefore D +(f)−k p ∞ =D 0 − g p ∞ is an element of D __of the required form.Let C be as in Lemma 4.135 and take the g-fold Cartesian product C g of C. As per Example 4.25,C g is a projective variety of dimension g. Recall that an affine part of it is given in the followingway:Take C a as a nonempty affine part of C in some affine space A n with affine coordinates (x 1 ,...,x n )and denote by C (i) an isomorphic copy of C with coordinates (x i 1,...,x i n). Then Ca g can beembedded into the affine space A gn with coordinates (x 1 1 ,...,x1 n ,...,xg 1 ,...,xg n ).Let S g be the symmetric group acting on {1,...,g}. It acts in a natural way on C g by permutingthe factors. On the affine part described above this action is given by permuting the sections(x i 1 ,...,xi n ). The action of S g defines an equivalence relation on C g . We denote the quotient byC g /S g .It is not difficult to see that C g /S g is a projective variety defined over K. On the affine part Ca g/S gone proves this as follows: take the ring of polynomials K[x 1 ,...,x g ] where x j is shorthand for then variables x j 1 ,...,xj n. On this ring, the group S g acts by permuting {x 1 ,...,x g }. The polynomialsfixed under S g are symmetric and form a ring R = K[x 1 ,...,x g ] Sg . By a theorem of Noether (cf.[ZASA 1976]) there is a number m and an ideal I in K[Y 1 ,...,Y m ] with R = K[Y 1 ,...,Y m ]/I.Hence, Ca g/S g is isomorphic to V I ⊂ A m .Let P be a point in C g /S g (L) for a field L between K and K. ThenP is the equivalence class ofa g-tuple (P 1 ,...,P g ) with P i ∈ C and for all σ ∈ G L we get: there is a permutation π ∈ S g suchthat (σP 1 ,...,σP g )=(P π(1) ,...,P π(g) ).This means that for any P i the tuple (P 1 ,...,P g ) contains the whole Galois orbit G L·P i . Assumethat it consists of k disjoint G L -orbits, each of them corresponding to a place p 1 ,...,p k of K(C)·L.Hence the formal sum P 1 + ···+ P g corresponds to the L-rational divisor p 1 + ···+ p k which ispositive and of degree g.This way we get a map φ L from C g (L) to Pic 0 C·L defined byφ L (P ) ↦→ (p 1 + ···+ p k − g p ∞ ),where (p 1 + ···+ p k − g p ∞ ) is the divisor class of degree zero associated to p 1 + ···+ p k .Using the alternative description of L-rational divisors as sums of points on C that consist of Galoisorbits under G L we get a more elegant description of φ L :let(P 1 ,...,P g ) ∈ C g be a representativeof P ∈ C g /S g .Defineφ(P ) as the divisor class of P 1 + ···+ P g − gP ∞ in Pic 0 C·K .Thenφ L isthe restriction of φ to Pic 0 C·L .

§ 4.4 Arithmetic of curves 79Theorem 4.136 Assume that C is a curve of genus g > 0 with a K-rational point P ∞ . ThenC g /S g is birationally isomorphic to J C ,andthemapφ defined above represents a birational partof the functorial isomorphism between J C (L) and Pic 0 C·L . It maps the symmetry class P ∞ of thepoint (P ∞ ,...,P ∞ ) to the zero class and so P ∞ corresponds to the neutral element of the algebraicgroup J C .4.4.5 Jacobian variety of elliptic curves and group lawWe come back to elliptic curves as introduced in Definition 4.111 and make concrete all of theconsiderations discussed above.Assume that E is an elliptic curve with function field K(E). Hence, E can be given as planeprojective cubic without singularities and with (at least) one K-rational point P ∞ . Clearly E 1 /S 1 =E.Let D __∈ Pic 0 E be a divisor class of degree 0, D ∈ D __a K-rational divisor. By the Riemann–Roch theorem 4.106 the space L(D + P ∞ ) has dimension 1. So there is an effective divisor in theclass of D + P ∞ , and since this divisor has degree 1 it is a prime divisor corresponding to a pointP ∈ E(K), andφ K (P )= D. __So,E(K) is mapped bijectively to Pic 0 E , the preimage of a divisorclass D __is the point P on E corresponding to the uniquely determined prime divisor in the class ofD + P ∞ with D ∈ D.__This implies that E is isomorphic to its Jacobian as projective curve. So E(K) itself is an abeliangroup with the chosen point P ∞ as neutral element, and the addition of two points is given byrational functions in the coordinates in the points.Hence E is an abelian variety of dimension 1 (and vice versa) and we can apply all the structuralproperties of abelian varieties discussed above to study the structure of E(K) (in dependence ofK). This and the description of the addition with respect to carefully chosen equations for E willbe among the central parts of the algorithmic and applied parts of the book (cf. Chapter 13).Let P =(x 1 ,y 1 ) and Q =(x 2 ,y 2 ) be two points with x 1 ≠ x 2 of the affine curveE : y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 .The isomorphism maps them to divisor classes with representatives D P = P − P ∞ and D Q =Q − P ∞ of degree 0. The space L(D P + D Q + P ∞ ) has dimension 1 by Riemann–Roch. Hence,there exists a function passing through P and Q and having a pole of order at most 1 in P ∞ .Sucha function is given by the line l(x, y) =y − λx − µ =0connecting P and Q. Ithasλ = y 2 − y 1x 2 − x 1and µ = y 1 − λx 1 .As D P + D Q + P ∞ = P + Q − P ∞ has degree 1 and l ∈ L(D P + D Q + P ∞ ), there exists aneffective divisor in this class that we denote by R and which is a prime divisor. Hence, in the divisorclass group we have D __P + D __Q = R __+ P __∞ , which is equivalent to P ⊕ Q = R on E using theisomorphism from above.Choosing P ≠ Q with x 1 = x 2 we apply the same geometric construction and get as connectingline the parallel to the y-axis x = x 1 . Hence, the third intersection point has to be interpretedas the point P ∞ . This associates to each point P ∈ E an inverse point −P which has the samex-coordinate.In the remaining case P = Q one can use the considerations above. The function l ∈ L(2P −P ∞ )passes through P with multiplicity 2, i.e., it is the tangent line to the curve at P . In formulas thismeansλ = 3x2 1 +2a 2x 1 + a 4 − a 1 y 1and µ = y 1 − λx 1 .2y 1 + a 1 x 1 + a 3

80 Ch. 4 Background on Curves and Jacobians4.4.5.aDivision polynomialsBy Theorem 4.73 we know the structure of the group of n-torsion points on E. In that context weshowed that for each n there exists a polynomial ψ n such that the x-coordinates of n-torsion pointsare the roots of ψ n . These polynomials are called division polynomials.If char(K) ≠2, putf 0 (x) =0,f 1 (x) =1,f 2 (x) =1,f 3 (x) =3x 4 + b 2 x 3 +3b 4 x 2 +3b 6 x + b 8 ,f 4 (x) =2x 6 + b 2 x 5 +5b 4 x 4 +10b 6 x 3 +10b 8 x 2 +(b 2 b 8 − b 4 b 6 )x +(b 4 b 8 − b 2 6 )where the b i ’s are defined as in Section 4.4.2.a and for n 5f 2n = f n (f n+2 f 2 n−1 − f n−2f 2 n+1 ),f 2n+1 ={ ˜f 2 f n+2 f 3 n − f n−1 f 3 n+1) if n is even,f n+2 f 3 n − ˜f 2 f n−1 f 3 n+1 )otherwise.with ˜f(x) =4x 3 + b 2 x 2 +2b 4 x + b 6 .If char(K) =2and E : y 2 + xy = x 3 + a 2 x 2 + a 6 then setf 0 (x) =0,f 1 (x) =1,f 2 (x) =x,Otherwise E : y 2 + a 3 y = x 3 + a 4 x + a 6 and putf 3 (x) =x 4 + x 3 + a 6 ,f 4 (x) =x 6 + x 2 a 6 .f 0 (x) =0,f 1 (x) =1,f 2 (x) =a 3 ,f 3 (x) =x 4 + a 2 3x + a 2 4,f 4 (x) =a 5 3.For n 5, they can be computed recursively in both cases with the formulasf 2n+1 = f n+2 f 3 n − f n−1 f 3 n+1,f 2 f 2n = f n+2 f n f 2 n−1 − f n−2f n f 2 n+1 .Now if P =(x 1 ,y 1 ) ∈ E(K) is not a 2-torsion point then P ∈ E[n] if and only if P = P ∞ orf n (x) =0.In addition there are explicit formulas for [n] when char(K) is different from 2, namely[n] :E → E⎧⎨P ( ∞P ↦→ [n]P = φn (x, y)⎩ψn 2(x, y) , ω )n(x, y)ψn 3(x, y)if P ∈ E[n],if P ∈ E(K) E[n].whereψ n ={(2y + a 1 x + a 3 )f n if n is even,f notherwiseandφ n = xψn 2 − ψ n−1 ψ n+1 and 2ψ n ω n = ψ 2n − ψn(a 2 1 φ n + a 3 ψn).2Note that in general these formulas are not used to compute [n]P for given n and P .

§ 4.4 Arithmetic of curves 814.4.6 Ideal class groupThe divisor class group relies on the projective curve and leads to points on an abelian variety.For computational reasons it is sometimes easier to work with affine parts and the arithmetic ofcorresponding affine algebras O.The objects corresponding to divisors are ideals of O and the objects corresponding to divisorclasses are ideal classes of O. The purpose of this section is to discuss the relation between thesegroups.Let C be an affine smooth curve with function field K(C) and coordinate ring O = K[C].We recall that O is a Dedekind ring and so every ideal ≠(0)is a product of powers of maximalideals M in a unique way and every maximal ideal M corresponds to a place p M of K(C).The ideals ≠0of O form a semigroup freely generated by the maximal ideals. To get a groupone generalizes O-ideals:Definition 4.137 The set B ⊂ K(C) is a fractional O-ideal if there exists a function f ∈ K(C) ∗such that fB is an ideal of O. For a maximal ideal M ⊂Odefine v M (B) :=max{k ∈ Z | B ⊂M k }.Then∏B =M maximal in OvM (B)Mand B ⊂Oif and only if all v M (B) 0.To form the ideal class group we let two O-ideals B 1 and B 2 be equivalent if and only if thereexists a function f ∈ K(C) with v M (B 1 )=v M (B 2 )+v M((f))for all maximal ideals M of O.The group of O-ideal classes is denoted by Cl(O).4.4.6.aRelation between divisor and ideal class groupsHere we want to explain the relation between ideal class groups of rings of regular functions ofaffine parts of absolutely irreducible smooth projective curves C and the divisor class group of C(hence points of the Jacobian J C ).For the simplicity of our presentation we shall assume that there is a K-rational point P ∞ .Letx 1 be a nonconstant function on C with pole divisordiv(x 1 ) ∞ = m ∞ P ∞ + ∑m j P ∞j ,2jtand t 0, m ∞ > 0, m j > 0 and P ∞j ∈ C(K). PutP ∞1 = P ∞ .LetO be the ring of functionson C that are regular outside of the points P ∞j .SoO is the intersection of the valuation rings O pof all places p of K(C) with v p (x 1 ) 0.It follows that O is the integral closure of the polynomial ring K[x 1 ] in K(C). It is the coordinatering of the affine curve C O with C O (K) =C(K) {P ∞1 ,...,P ∞t }.The inclusion K[x 1 ] → O corresponds to a morphism C O → A 1 , which extends to a mapπ : C → P 1 with π −1 (∞) ={P ∞1 ,...,P ∞t }. To describe a relation between points on J C andelements of Cl(O), we state that every place of K(C) is either equal to p M for some maximal idealM of O or to an extension of the infinite place on P 1 to C.Hence, there is a one-to-one correspondence between proper ideals A ⊂Oand effective K-rational divisors D of C in which only points of C O occur, given by∑ni p i ↔ ∏ Mp nii,where the p i are not extensions of p ∞ . If A corresponds to D then deg(D) = deg(A). Thiscorrespondence extends naturally to fractional ideals and arbitrary divisors.Now we apply the theorem of Riemann–Roch to ideal classes of O to get

82 Ch. 4 Background on Curves and JacobiansLemma 4.138 With notation as above let C be a curve of genus g. Letc be an element of Cl(O).Then c contains an ideal A ⊂Owith deg(A) g.Proof. Let A ′ ∈ c be an O-ideal and assume that deg(A ′ ) >g. Take the effective divisor D A ′associated to A ′ and a function f such that D ′ := (f)+D A ′ − ( deg(A ′ ) − g ) P ∞ is effective ofdegree g. LetD ′′ be the divisor obtained from D ′ by removing points in π −1 (∞) and let A be theideal obtained from D ′′ .ThenA ∈ c and deg(A) g.Note that principal divisors are mapped to principal ideals. Therefore, one can consider the correspondencebetween divisor classes and ideal classes. We are now ready to define a homomorphismfrom J C to the ideal class group Cl(O).Define φ : J C (K) → Cl(O) by the following rule: in the divisor class c take a representative D ′of the form D ′ = D − gP ∞ , D effective. Remove from D all points in π −1 (∞) and define A asideal in O like above. Then φ(c) is the class of A in Cl(O). By Lemma 4.138 φ is surjective.For applications one is usually interested in the case that the kernel of φ is trivial, i.e., in choicesfor C and O such that Cl(O) ≃ Pic 0 C. This allows us to use the interpretation via ideal classes ofpolynomial orders O for the computations whereas the interpretation as points on the Jacobian of Cis used for the structural background.So let us describe the kernel of φ: letc be a divisor class of degree 0 represented by the divisorD = D 1 + D 2 − gP ∞1 ,whereD i are effective divisors and D 1 = ∑ n i P i with P i /∈ π −1 {∞}and D 2 = ∑ m j P ∞j with P ∞j ∈ π −1 {∞}. If φ(c) =0then ∏ M niP iis a principal ideal (f)with f ∈O. Hence, all prime divisors occurring in the pole divisor of f correspond to points inπ −1 {∞} and we can replace D by an equivalent divisor D − (f) of degree 0, which is a sum ofprime divisors all corresponding to points in π −1 {∞}.Proposition 4.139 We use the notation from above. The homomorphismφ : J C (K) → Cl(O)is surjective.The kernel of φ is equal to the divisor classes of degree 0 in{∑mj P ∞j | ∑ m j =0 and all P ∞j ∈ π −1 {∞}}.Proposition 4.140 Assume that there is a coverϕ : C → P 1 ,in which one point P ∞ is totally ramified and induces the place v ∞ in the function field K(x 1 ) ofP 1 .LetO be the integral closure of K[x 1 ] in the function field of C. Thenφ is an isomorphismand, hence, the ideal class group of O is (in a natural way) isomorphic to the divisor class group ofC.This gives a very nice relation of the projective algebraic geometry and the ideal theory in Dedekindrings. Due to the isomorphism the ideal class group can be used for arithmetic while the divisorclass group setting provides structural background.Definition 4.141 A nonsingular curve C/K for which there exists a cover ϕ in which one K-pointP ∞ ∈ C is totally ramified is called a C ab -curve.If the functions x and y have pole divisor aP ∞ and bP ∞ , respectively, one finds an equation overK given byC : α b,0 x b + α 0,1 + ∑α i,j x i y j , with α i,j ∈ K,with α b,0 ,α 0,1 ≠0.ia+jb

§ 4.4 Arithmetic of curves 83In particular, hyperelliptic curves are C ab curves if they have a K-rational Weierstraß point and ifwe take as affine part the curve given by a Weierstraß equation (4.1). This relation is the topic ofthe following section.Example 4.142 An interesting class of curves are the Picard curves of genus 3. Over a field ofcharacteristic char(K) ≠3containing the third roots of unity they can by given by an equation ofthe formy 3 = f(x),where f(x) ∈ K[x] is monic of degree 4 and has only simple roots over K.4.4.7 Class groups of hyperelliptic curvesThe type of hyperelliptic curves C we consider in this book additionally satisfies that there existsone K-rational Weierstraß point of C. This point is totally ramified under a cover φ and is denotedby P ∞ . By the considerations of the previous paragraph these curves satisfy that the ideal classgroup and the divisor class group are isomorphic. In Chapter 14 on the arithmetic of hyperellipticcurves we will use the ideal class group for the efficient computations inside the group. To fixnotation we still speak of divisor classes usually implying this isomorphism. In Section 4.4.2.b wehave shown how one can use the definition and the Riemann–Roch theorem to derive an affine planeequation. The K-rational point P ∞ allows us to use the divisor of degree one in the construction.Recall that a hyperelliptic curve over K of genus g with at least one K-rational Weierstraß pointcan be given by a Weierstraß equationy 2 + h(x)y = f(x), with h(x) and f(x) ∈ K[x], (4.3)where f is monic of degree 2g +1and deg(h) g. By abuse of language we denote affine curvesgiven by such an equation as imaginary quadratic curves.We use the equation of such curves C to describe explicitly their ideal class group.Theorem 4.143 Let C/K be an imaginary quadratic hyperelliptic curve of genus g and let ω denotethe nontrivial automorphism of K(C) over K(x) with a K-rational Weierstraß point P ∞ lying overthe place x ∞ of K(x). LetO = K[x, y]/ ( y 2 + h(x)y − f(x) ) .(i) In every nontrivial ideal class c of Cl(O) there is exactly one ideal I ⊆Oof degree t gwith the property: the only prime ideals that could divide both I and ω(I) are those resultingfrom Weierstraß points.(ii) Let I be as above. Then I = K[x]u(x)+K[x] ( v(x) − y ) with u(x),v(x) ∈ K[x], u monicof degree t, deg(v)

84 Ch. 4 Background on Curves and Jacobians(ii). Let I ∈ O be an ideal of degree t. Recall that {1,y} is a basis of O as K[x]-module. We chooseany basis {w 1 = f 1 (x)+f 2 (x)y, w 2 = g 1 (x)+g 2 (x)y} of I as K[x]-module. We find relativelyprime polynomials h 1 ,h 2 with f 2 h 1 − g 2 h 2 =0and choose u 1 ,u 2 ∈ K[x] with u 1 h 1 − u 2 h 2 =1.Now take u ′ := h 1 w 1 + h 2 w 2 ,w ′ 2 = u 2 w 1 + u 1 w 2 . Since the determinant of this transformationis 1 the pair {u ′ (x),w ′ 2 = v 1(x) +v 2 (x)y} is again a basis of I. Since the rank of I is 2, v 2 (x)is not equal to 0. So I ⋂ K[X] is generated by u ′ . Since I is reduced, the degree of I is equalto the degree of u ′ and we can and will take u monic. Now write v 1 = au + v with deg v

§ 4.4 Arithmetic of curves 85By Hermite reduction from the generating system we obtain a basis {u ′ 3(x),v ′ 3(x) +w ′ 3(x)y}.This ideal lies in the class of the product of the ideal classes but is usually not yet reduced. Toreduce it one recursively applies the fact that u | v 2 + hv − f. This procedure is formalized andapplied to arbitrary inputs in Cantor’s algorithm, which we state in Chapter 14 on the arithmetic ofhyperelliptic curves.

Chapter Varieties over Special FieldsGerhard Frey and Tanja LangeContents in Brief5.1 Varieties over the field of complex numbers 87Analytic varieties • Curves over C • Complex tori and abelian varieties •Isogenies of abelian varieties over C • Elliptic curves over C • Hyperellipticcurves over C5.2 Varieties over finite fields 108The Frobenius morphism • The characteristic polynomial of the Frobeniusendomorphism • The theorem of Hasse–Weil for Jacobians • Tate’s isogenytheoremIn the previous chapter we dealt with algebraic and geometric objects over arbitrary fields. In thischapter we explain additional properties of these objects when considered over special fields. Weconcentrate on varieties over the complex numbers and finite fields.5.1 Varieties over the field of complex numbersIn the whole section we take ground field K as the field of complex numbers C. SinceC is algebraicallyclosed we can identify the affine space A n (respectively the projective space P n ) with theset of points in C n (respectively the homogeneous classes of (n +1)-tuples in C n+1 ) together withthe topological structure induced by the Zariski topology. Recall that closed sets are given as zeroesof polynomial equations.The absolute value |·|makes C n to a metric space and hence induces a “natural” topology. Sincepolynomial functions are continuous in this topology it follows that Zariski closed sets are alsoclosed in this topology.5.1.1 Analytic varietiesFirst we shall describe very briefly the analytic structure on A n (respectively P n ): the key notionsare holomorphic functions. Locally, holomorphic functions are given by power series converging inan open ball.87

88 Ch. 5 Varieties over Special FieldsFor open sets U ⊂ P n one can globalize to get holomorphic functions by gluing together the local“germs.” So a holomorphic function f on U is a complex valued function defined on U such thatfor all P ∈ U there is an open ball around P on which f is given by a convergent power series.Examples for holomorphic functions are polynomials (for U = A n ) and rational functions (for Uequal to the set of definition).Meromorphic functions on U are defined as quotients of holomorphic functions. Locally theyare given by Laurent series with finite negative part. To a meromorphic function f on U and toany point P ∈ U we can associate the order of vanishing n P (f) of f at P .Itisnegativeiff hasa pole of order |n P (f)| at P , and positive if f has a zero of order n P (f) at P . If n P (f) =0there is a neighborhood of P in U such that the restriction of f is invertible in this neighborhoodas a holomorphic function. In particular, it follows that the set of zeroes and poles of meromorphicfunctions on U does not have a limit point in U. The (analytic) divisor div an (f) is equal to theformal sum div an (f) = ∑ P ∈U n P (f)P .One can differentiate and integrate holomorphic and meromorphic functions and as usual one hasmeromorphic differentials ω on U. Locally at a point P ∈ U they are of the form f P (x)dx 1 ···dx nwith f P meromorphic and (x 1 ,...,x n ) a local system of coordinates (mapping the chosen neighborhoodto an open ball in C n with 0 as image of P ). Their divisor is div an (ω) = ∑ P ∈U n P (f P )P .One sees that ω is holomorphic on U if and only if the divisor of ω has only nonnegative coefficients.In the sequel we shall need a further concept, namely analytic varieties. For the notion of analyticvarieties (without boundary) in projective spaces we refer to [GRHA 1978].One essential property of analytic varieties V an ⊆ P n is that there exists a number d n suchthat V an is locally isomorphic to a ball in an affine space A d , or equivalently: every point P ∈ V anhas an open neighborhood U P (with respect to the topology on V an induced by the restriction ofthe topology on P n to V an ) and local coordinate functions (holomorphic in U P )whichmapU Pbijectively to a ball in C d with 0 as image of P .Using this local analytic structure one defines holomorphic functions on open subsets of V an ,meromorphic functions on V an , holomorphic (respectively meromorphic) differentials and holomorphic(respectively meromorphic) maps between two analytic varieties. The number d is thedimension of V an .Now assume that V is an (affine or projective) algebraic variety of algebraic dimension d embeddedin P n . First of all the underlying set is closed. Next, all points of V are nonsingular, andthe Jacobi criterion (cf. Lemma 4.94) for the local (algebraic) coordinate functions together withthe implicit function theorem ensures that this set satisfies the conditions of analytic varieties beinglocally isomorphic to C d . So we can give V the structure of an analytic variety of dimension ddenoted by V an . Note that rational functions on V are meromorphic functions on V an . Of course, theconverse does not have to hold true.But there is a very important special case. Assume that V is a projective algebraic variety. Thenthe underlying set is compact in P n . It follows that meromorphic functions on V an have only finitelymany zeroes and poles. Therefore, they are rational functions on V . So the field of meromorphicfunctions on V an is equal to K(V ) and has transcendental degree d over C.The converse of this remark is true, too. So we can state the following fundamental result.Theorem 5.1 Let V an be a compact analytic variety in P n of dimension d. There is an algebraicprojective variety V ⊂ P n such that the induced analytic variety is equal to V an ,andthefieldofmeromorphic functions on V an has transcendence degree d over C and hence is equal to K(V ).The next lemma gives a slight generalization of the above facts about functions on varieties.Lemma 5.2 Let V,W be projective algebraic varieties. Then the set of holomorphic maps from V anto W an is (in a natural way) identical with Hom C (V,W).

§ 5.1 Varieties over the field of complex numbers 89As a consequence of these comparison results, we can use the full power of complex analysis to getpurely algebraic properties of objects related to varieties defined over the complex numbers.Before discussing the two examples that are the most important for us we will conclude this sectionwith a remark.Remark 5.3 It is well-known in number theory that the interpretation of number fields K as subfieldsof C is in a most fruitful way generalized to the study of number fields as subfields of p-adicfields. The same is true if we want to study objects of algebraic geometry by analytic methods.As counterpart of C one uses the completion of the algebraic closure of Q p .Overthesefieldswehave the highly developed machinery of rigid analytic geometry. In Chapter 17 we shall have touse parts of this theory as background for discussing p-adic point counting methods on curves overfinite fields, which have become important in recent years.5.1.2 Curves over CAnalytic curves C an are one-dimensional analytic varieties embedded into a projective space over C.From now on we shall assume that C an is compact. Then there is a nonsingular projective irreduciblecurve C such that C an is the corresponding analytic curve. Hence, from an abstract point of viewthe rational functions on C cannot be distinguished from the meromorphic functions on C an .One uses this to produce functions on C by analytic methods: locally there are many more meromorphicfunctions given by converging Laurent series, and by the gluing process we can hope to getglobal meromorphic functions that turn out to be algebraic.In the previous section we introduced the notion of divisors on analytic curves C an in a wayanalogous to the algebraic case. The finiteness condition for coefficients not equal to 0 is replacedby the condition that poles and zeroes have no limit point. But since we have assumed that C an iscompact this is exactly the same condition as in the algebraic case. Therefore, analytic divisors canbe identified with algebraic divisors in a canonical way. The same is true for divisor class groups.(Note again that the situation changes totally if we go to affine parts of C.)We introduced differentials for algebraic curves in Section 4.4.2.c. We now look at them fromthe analytic point of view. Here the usual calculus methods are used to construct the meromorphicdifferentials. Again we get:Proposition 5.4 Meromorphic (respectively holomorphic) differentials on C an can be identifiedwith meromorphic (respectively holomorphic) differentials on C.We have defined the genus g of C with the help of the theorem of Riemann–Roch (cf. Theorem4.106). This theorem also holds for the divisor theory of C an . (In fact its original versionwas proved in this context.) One of its consequences is that the holomorphic differentials Ω C onC an (or on C)formag-dimensional vector space over C and that these differentials can be identifiedwith algebraic differentials with effective divisors. Let us choose a basis {ω 1 ,...,ω g }.Togetthefull power of analytic methods we have to go one step further and go to real surfaces.Digression: the easiest example of Weil descentNext we use an additional special property of C: it is a two-dimensional vector space over the fieldof real numbers R with basis {1,i} where as usual i 2 = −1.Replacing a complex variable z by two real variables x, y using z = x + iy identifies the metricvector space C n with the usual Euclidean space R 2n . By this process we lose the analytic structurebut have a differentiable structure from usual real calculus again compatible with the Zariskitopology. Applying this to algebraic varieties V of dimension d in A n C we find in a natural way anaffine variety W R ⊂ A 2nRof dimension 2d with W (R) =V (C): we replace the n complex affine

90 Ch. 5 Varieties over Special Fieldscoordinates (X 1 ,...,X n ) by the real coordinates (U 1 ,V 1 ,...,U n ,V n ) with X j = U j + iV j ,plugthem into the equations ( f 1 (X),...,f m (X) ) defining V and separate the resulting polynomialsinto their real and imaginary part f k (U, V )=g k (U, V )+ih k (U, V ), whereg k and h k are definedover R. ThenW is the variety defined by (g k ,h k ).By a gluing process we can apply this procedure to projective algebraic varieties. So we attach toevery affine or projective variety V of dimension d defined over C an affine (respectively projective)algebraic variety W V of dimension 2d defined over R with W V (R) =V (C). It is a nice exercise toshow that W V · C is isomorphic to V × V as algebraic variety over C.What we have sketched above is the most simple example of scalar (or Weil-) restriction of varietiesdefined over a finite algebraic extension field L of a field K to varieties over K. This constructionwill play an important role later (cf. Chapter 7 on Weil descent).Riemann surfacesWe apply Weil descent to irreducible nonsingular projective curves C defined over C and get anirreducible two-dimensional projective variety W C defined over R. The analytic structure of Cinduces a differentiable real structure that makes W C locally isomorphic to a unit ball in R 2 .Thatmeans that for every P ∈ W C (R) there is an open neighborhood U P ∈ W C and real differentiablefunctions f 1 ,f 2 defined on U P mapping U P to the open unit disc in R 2 and sending P to (0, 0).Since C(C) is compact, it follows that W C is compact in the real topology.As result we get that the projective curve C carries in a natural way the structure of a compactRiemann surface. We remark that the converse is true, too: every compact Riemann surface is theWeil descent of a projective nonsingular irreducible curve defined over C.Riemann surfaces R are classical and very well studied objects in geometry. One key ingredientis the study of paths on them up to homology (cf. [GRHA 1978]). They can be used to definethe topological genus g top of R. Namely fixing a base point P 0 and composing closed paths in anatural way we turn the set of points P into a group. By identifying homologous paths we get thefundamental group Π R of R as quotient of P. It is generated by 2g top paths satisfying one relationwhich lies in the commutator subgroup of the fundamental group. This implies that the maximalabelian factor group of Π R , the first homology group H 1 (R, Z), is a free abelian group with 2g topgenerators (α 1 ,...,α 2gtop ).We come back to the case that R = W C with C a projective curve over C.Proposition 5.5 The genus g of C is equal to the topological genus g top of W C .Using well-known results from (real and complex) calculus we do integration on W C using holomorphicdifferentials ω on C andclosedpathsα on W C . As above we choose a base point P 0 onW C and get the group P by composing closed (continuous) paths beginning in P 0 .Lemma 5.6 Wehaveamap〈· , ·〉 0 : P×Ω C → Cdefined by 〈α, ω〉 0 := ∫ α ω where ∫ is the line integral along the path α.αMoreover, 〈· , ·〉 0 is independent of the homology class of α and vanishes when restricted to thecommutator subgroup of P in the first component.Corollary 5.7 The map 〈· , ·〉 0 induces a pairing, that is denoted by 〈· , ·〉, between the Z-moduleH 1 (W C , Z) and the C-vector space Ω C .

§ 5.1 Varieties over the field of complex numbers 91Recall that we have chosen a basis (ω 1 ,...,ω g ) of the space of holomorphic differentials on C. Wedefine the mapwhere α is a path in the class of τ.φ : H 1 (W C , Z) −→ C gτ ↦−→ (∫ α ω 1,..., ∫ α ω )gProposition 5.8 The image Λ C of φ is a full lattice in C g , i.e., a discrete free Z-module of rank 2gin C g .By this proposition we can associate a full rank lattice to each curve over C. The following lemmadescribes what quotients of lattices look like.Lemma 5.9 Let Λ be a lattice of full rank in C g and let C g /Λ be the quotient group with quotienttopology. Then C g /Λ is compact and locally isomorphic (as topological space) to the unit ball inC g .Corollary 5.10 The set C g /Λ C is a compact topological space with respect to the quotient topologyinherited from C g . It is locally homeomorphic to the unit ball in C g .Definition 5.11 The lattice Λ C is called the period lattice of C (with respect to the basis {ω 1 ,...,ω g } of the holomorphic differentials).We are now ready to define the Abel–Jacobi map. We fix the base point P 0 ∈ C(C). ForP ∈ C(C)choose a path γ from P 0 to P and define J γ (P ):= (∫ γ ω 1,..., ∫ γ ω n)∈ C g . The tuple J γ (P ) will— in general — depend on the choice of γ. Ifγ ′ is another path from P 0 to P then γ and γ ′ differby a closed path beginning in P 0 and so J γ (P ) − J γ ′(P ) is an element of Λ C .Definition 5.12 The Abel–Jacobi map is defined byJ : C(C) → C g /Λ CP ↦→ J γ (P )+Λ C .We can generalize this definition to divisors on C by linear extension. We denote the correspondingmap again by J.Theorem 5.13 (Abel–Jacobi)(i) Let D be a principal divisor of C. ThenJ(D) =0. So J induces a map ¯J from Pic 0 C toC g /Λ C .(ii) The map ¯J is a group isomorphism.By Lemma 5.9 the group C g /Λ C carries an analytic structure since it is locally homeomorphic totheunitballinC g . The group Pic 0 C carries the structure of an abelian variety, namely the Jacobianvariety J C of C (see Definition 4.134). Hence, it has an analytic structure, too. The theorem ofAbel–Jacobi includes that ¯J is an analytic isomorphism.So the structure of J C as analytic variety is rather simple and described by C g /Λ.

92 Ch. 5 Varieties over Special Fields5.1.3 Complex tori and abelian varietiesAn important part of the introduction to the objects relevant for cryptography were the connectedprojective algebraic groups called abelian varieties (cf. Section 4.3). The analytic counterpart areconnected compact complex Lie groups (cf. e.g., Lang [LAN 2002a]).We give the most simple example of a complex Lie group: take C d with the usual complexstructure and with vector addition + as group composition. It is obvious that the addition + as wellas the inversion − are holomorphic. The group C d is not compact but we can easily find quotientsthat are compact.For this we choose a lattice (always assumed to be of full rank) Λ ⊂ C d , i.e., there is a basis{µ 1 ,...,µ 2d } of C d as real vector space such that{ 2d}∑Λ= z j µ j | z j ∈ Z .j=1Equivalently we have: Λ is a Z-submodule of C d of rank 2d which is discrete, i.e., in every boundedsubset of C d there are only finitely many elements of Λ.We can endow C d /Λ with an analytic structure in a natural way. Let the U j be open sets coveringC d /Λ such that each U j is homeomorphic via bijective continuous maps ϕ j to balls B j in C d .Themaps ϕ j are assumed to be compatible with restrictions to intersections of the sets U j .Wedefineholomorphic functions on U j as functions f j : U j → C such that f j ◦ ϕ −1j are holomorphic onB j and come to global functions by gluing local holomorphic functions. Meromorphic functionsare defined as quotients of holomorphic functions. It is an immediate consequence from thesedefinitions that C d /Λ carries the structure of a complex connected Lie group that is a quotient (asLie group) of C d /Λ.Definition 5.14 A complex Lie group isomorphic to C d /Λ is called a complex d-dimensional torus.A fundamental result is:Proposition 5.15 Let X be a connected compact complex Lie group of dimension d. ThenX isisomorphic to a torus T := C d /Λ.For the proof see [MUM 1974,p.2].We apply this to an abelian variety A of dimension d defined over C. The associated analyticvariety A an is connected and compact. Since addition and inversion on A are given by polynomials,A an is a torus and, hence, is isomorphic to the Lie group C d /Λ for some lattice Λ. Note that by thisisomorphism the addition on A is transferred into a very easy form. It is just the vector addition inC d modulo Λ.Next we shall study the converse. We want to decide whether T is the analytic companion of analgebraic variety. By Chow’s theorem this is equivalent to the question whether we can embed Tinto a projective space such that the analytic structures are compatible.If this is possible we shall find d algebraically independent meromorphic functions on T .Bystandardmethods of algebraic theory (the key word is “ample line bundle”) one sees that the converse istrue, too. So one has to construct meromorphic functions on T , or equivalently, meromorphic functionson C d which are periodic with respect to Λ. There are well-known methods for this (for d =1one uses results like the Weierstraß product theorem or the Mittag–Leffler theorem). In general themain ingredients are theta functions attached to Λ. We shall need them later on (cf. Chapter 18)and then deal explicitly with the case that is most interesting for us, and so we do not give a formaldefinition here.In [MUM 1974, pp. 24-35] one finds the discussion what additional properties Λ has to have inorder to have enough periodic functions.

§ 5.1 Varieties over the field of complex numbers 93First recall that a Hermitian form H on C d × C d can be decomposed asH(x, y) =E(ix, y)+iE(x, y)where E is a skew symmetric real form on C d satisfying E(ix, iy) =E(x, y). The form E is calledthe imaginary part Im(H) of H. (Since these notations are rather standard we find it convenientnot to change them though the letter E is used for elliptic curves in most cases. We hope that thisdoes not give rise to confusion.)Theorem 5.16 The torus T = C d /Λ can be embedded into a projective space and, hence, equalsthe analytic variety attached to an abelian variety if and only if there exists a positive definiteHermitian form H on C d with E = Im(H) such that E restricted to Λ × Λ has values in Z.We use the structure theorems for Hermitian forms and getCorollary 5.17 Let T = C d /Λ be a complex torus attached to an abelian variety A. Then Λ isisomorphic to Z d ⊕ Ω · Z d ,wherethe(d × d)-matrix Ω is symmetric and has a positive definiteimaginary part, i.e., lies in the Siegel upper half plane H g .Corollary 5.18 Assume that d =1, i.e., A is an elliptic curve E. Then the torus associated to E isisomorphic to C/(Z + τZ) where τ is a complex number with positive imaginary part.Definition 5.19 We call Ω the period matrix of A.We continue to assume that T = A an with Hermitian form H and E = Im(H).With the help of E we can define a dual lattice ˆΛ given bŷΛ := { x ∈ C d | E(x, y) ∈ Z, for all y ∈ Λ } .The lattice ̂Λ contains Λ and ̂Λ/Λ is finite. Furthermore, ̂Λ belongs to a torus ̂T , which is attachedto an abelian variety Â. In fact we have just constructed the dual abelian variety to A by analyticmethods over the complex numbers (see [MUM 1974], 82-86). There it is also shown how this dualabelian variety can be constructed by purely algebraic methods over any ground field.For us a special case is most important. Assume that ̂Λ =Λand so A is equal to its dual.Definition 5.20 If ̂Λ =Λthen A is called principally polarized.Corollary 5.21 Let A be a principally polarized abelian variety over C with lattice Λ, Hermitianform H and E = Im(H). Then there exists a basis {µ 1 ,...,µ 2d } of Λ such that[E(µi ,µ j ) ] [ ]1i,j2d = 0 I d.−I d 0Now we come back to the theme of this book, namely projective irreducible nonsingular curves Cand their Jacobians J C .By the theorem of Abel–Jacobi (cf. Theorem 5.13) we have found an isomorphism from Pic 0 C,thedivisor class group of degree 0 of C to C g /Λ C by integrating a basis of holomorphic differentialsalong paths that form a basis of the first homology group of C. So the period lattice of C is attachedto the isomorphism class of (J C ) an .Definition 5.22 The period matrix Ω C of Λ C is called the period matrix of C. The form E(x, y) iscalled the Riemann form.Lemma 5.23 The period matrix Ω C can be computed by integrating a basis of holomorphic differentialsalong paths on the Riemann surface corresponding to C.By duality theorems about differentials and paths on Riemann surfaces one sees:Proposition 5.24 The Jacobian of a projective irreducible nonsingular curve is a principally polarizedabelian variety.

94 Ch. 5 Varieties over Special Fields5.1.4 Isogenies of abelian varieties over CWe can use the torus representation of abelian varieties to find the algebraic results about torsionpoints, isogenies and endomorphisms. So assume that A is analytically given by T = C d /Λ.First we find a result given previously.Proposition 5.25 Let n be a natural number. The points of order dividing n of A, A[n], areisomorphicto the subgroup 1 n Λ/Λ ⊂ Cd /Λ and hence isomorphic to (Z/nZ) 2d .Let G be a subgroup of 1 n Λ/Λ. The inverse image of G in Cd is a lattice Λ G that contains Λ, andhence we get a quotient map from T to C d /Λ G = T/Gwith kernel isomorphic to G. This quotientmap is, by definition of the analytic structure on tori, an analytic map. The Hermitian structure onT induces one on T G that satisfies the condition from Theorem 5.16 and hence T G corresponds toan abelian variety A G .By Lemma 5.2 the quotient map comes from an algebraic morphism that is an isogeny from A toA G with kernel corresponding to G.Proposition 5.26 Let A be an abelian variety defined over C with lattice Λ ⊂ C d . The isogeniesη of degree n of A are, up to isomorphisms, in one-to-one correspondence with lattices Λ η whichcontain Λ and satisfying [Λ η :Λ]=n. The kernel of η is isomorphic to Λ η /Λ.Of special interest are isogenies with image isomorphic to A. For simplicity and since it is in thecenter of our interest we restrict the discussion to simple abelian varieties.We know that in this case the ring End C (A) of endomorphisms of A is a skew field and that allendomorphisms different from the zero map are isogenies.We want to use the results of Proposition 5.26 but look at them from a slightly different point ofview. In the proposition we interpreted isogenies as quotient maps of the identity map on C d withchanging lattices. Now we shall fix the lattice Λ and study holomorphic additive maps α : C d → C d .Such a map α induces an endomorphism of A if and only if it is well defined modulo Λ, i.e.,α(Λ) ⊂ Λ.Example 5.27 We give the most simple example to explain this. Look at the endomorphism [n]obtained by scalar multiplication with n.In the first interpretation we take as lattice of the image the lattice 1 nΛ and take the quotient mapfrom C d /Λ to C d / ( 1n Λ) .In the second interpretation we multiply elements in C d by n and so the subset 1 nΛ is mapped toΛ and hence to the zero element of the torus associated to A.From the condition imposed on α (it has to be continuous) it follows that α is a linear invertiblemap on the real vector space of dimension 2d attached to C d . Hence (after having chosen a basis{µ 1 ,...,µ 2d } of Λ) we can describe α by a real invertible (2d × 2d)-matrix B with the additionalcondition that α maps Λ into itself. But this is equivalent to the condition that B has integers ascoefficients. Hence the characteristic polynomial χ(α) A (T ) of α is a monic polynomial of degree2d with integers as coefficients.Remark 5.28 The reader should recall that we have described endomorphisms α in the algebraicsetting by using Tate modules to produce l-adic representations. One of the crucial results due toWeil is that the characteristic polynomials do not depend on the prime l.Here we use the period lattice to produce an integral representation again of dimension 2d. Itplays the role of Tate modules in the analytic setting. The resulting characteristic polynomial χ α (T )is the same as the corresponding l-adic polynomial. This remark will become important for pointcounting algorithms.

§ 5.1 Varieties over the field of complex numbers 95Until now we have only looked at linear algebra and continuity. But we have to take into accountthe analytic structure that yields holomorphy conditions for α.We shall explain this in the simplest case.Example 5.29 Let A =: E be an elliptic curve. The associated analytic variety is isomorphic toC/(Z + τZ) with τ /∈ R. A holomorphic additive map α is given by a matrix[ ]n 1 n 2B =n 3 n 4over Z if we take {1,τ} as basis, it also represents a multiplication by a complex number β that isdetermined by α(1) =: β = n 1 + n 2 τ. Hence it maps τ to βτ = n 1 τ + n 2 τ 2 = n 3 + n 4 τ.Now assume that n 2 ≠0or, equivalently, that β/∈ Z. Thenτ satisfies the equationn 2 τ 2 +(n 1 − n 4 )τ − n 3 =0and, hence, Q(τ) is an imaginary quadratic field K.The lattice Z + τZ is an ideal A τ of an order of K, and the isogenies correspond to numbersn 1 + n 2 Z that map A τ into itself. But this means that End C (E) is an order (cf. Definition 2.81) inK and that E has complex multiplication.For higher dimensional abelian varieties A, analogous but more complicated considerations lead tothe CM-theory mentioned already in the algebraic part. Again one gets that the lattice of abelianvarieties with complex multiplication is very special and that the period matrix has an algebraicstructure. This combined with class field theory is the key of the CM method used to constructabelian varieties over finite fields with known number of points. We shall be more precise in thenext sections in the case of elliptic and hyperelliptic curves and come to algorithmic details inChapter 18.5.1.5 Elliptic curves over CIn this section we shall apply the theory of curves and their Jacobians over C for elliptic curves E.5.1.5.aThe complex theory of elliptic curvesWe recall Corollary 5.18 that the Jacobian variety of E and hence E itself is analytically isomorphicto C/(Z + τZ) where τ is a complex number with a positive imaginary part.Let E be given by an affine Weierstraß equationE : y 2 = x 3 + a 4 x + a 6 with a 4 ,a 6 ∈ C.As a consequence of the theorem of Abel–Jacobi 5.13 we get: there is an analytic isomorphismbetween the groups E(C) and C/Λ E where Λ E is a lattice Zω 1 + Zω 2 in C.We want to describe explicitly this isomorphism. For this we begin with the lattice Λ=Zω 1 +Zω 2 and then construct the elliptic curve corresponding to it. We shall follow closely [COH 2000,Chapter 7] and [SIL 1986, Chapter VI, section 3]. The first step is to find the meromorphic functions.Definition 5.30 Let ω 1 ,ω 2 ∈ C be linearly independent over R. Anelliptic function with periods{ω 1 ,ω 2 } is a meromorphic function f(x) on C such that for all x ∈ C one has f(x + ω 1 ) =f(x + ω 2 )=f(x).

96 Ch. 5 Varieties over Special FieldsWe shall fix ω 1 ,ω 2 as well as the lattice Λ spanned by them in the following. Elliptic functions willalways be periodic with respect to Λ.The task is to construct nonconstant elliptic functions. It was solved by Weierstraß.Definition 5.31 The Weierstraß ℘-function is defined by the series℘(z,Λ) = 1 z 2 +∑ (1(z + ω)ω∈Λ 2 − 1 )ω 2 · (5.1){0}This series converges uniformly on every compact subset of C Λ. The function ℘ := ℘(z,Λ)defined by (5.1) is a meromorphic function on C with poles (of order 2)inΛ. It is an even function,i.e., ℘(z,Λ) = ℘(−z,Λ) for all z ∈ C Λ.The proofs are straightforward applications of the basics of complex analysis, see e.g., [SIL 1986,Chapter VI, Theorem 3.1].As usual we denote by ℘ ′ := ℘ ′ (z,Λ) the derivative of ℘. Again it is an elliptic function. It can becomputed easily by using the series defining ℘; the result is again a series whose first term is − 2z· 3It follows immediately that ℘ ′ is an odd function, i.e., ℘ ′ (z) =−℘ ′ (−z).Define the Eisenstein series G n := G n (Λ) of weight n for Λ byG n (Λ) :=∑ω −n .ω∈Λ {0}The fundamental observation is:Theorem 5.32 The elliptic functions ℘ an ℘ ′ satisfy the equation℘ ′ (z) 2 =4℘(z) 3 − 60G 4 ℘(z) − 140G 6 .This is the affine equation for an elliptic curve E Λ with function field C(℘, ℘ ′ ).ThemapΦ:C/Λ → E Λ ⊂ P 2{(℘(z) :℘ ′ (z) :1 ) for z/∈ Λz ↦→Φ(Λ)=(0:1:0)is an isomorphism of Riemann surfaces, which is a group homomorphism (using the induced naturaladditive group structure on C/Λ and the elliptic curve group structure on E Λ ).Hence E Λ is the abelian variety attached to the torus C/Λ, and we can interpret the map Φ asthe inverse of the Abel–Jacobi map from E Λ as curve to its Jacobian variety which is isomorphic toE Λ .Remark 5.33 The equation defining E Λ is not quite in the standard Weierstraß form. We obtain itif we replace ℘ ′ by y =1/2℘ ′ and set x = ℘, g 2 := g 2 (Λ) := 15G 4 (Λ) and g 3 := g 3 (Λ) :=35G 6 (Λ). The resulting equation isE Λ : y 2 = x 3 − g 2 x − g 3 .We have seen that for every lattice Λ we can use g 2 (Λ) and g 3 (Λ) to obtain the equation of thecorresponding elliptic curve E Λ . The first question is now to describe in terms of the two latticesΛ, Λ ′ what it means that E Λ is isomorphic to E Λ ′.As we have seen in Lemma 5.2 this is equivalent to the question under which conditions C/Λ isanalytically isomorphic to C Λ ′.

§ 5.1 Varieties over the field of complex numbers 97Example 5.34 Take α ∈ C ∗ and define the map t α from C to C by z ↦→ αz. DefineΛ ′ := αΛ.Then t α induces an analytic isomorphismh α : C/Λ → C/αΛ.Motivated by the example we define that two lattices Λ 1 and Λ 2 are homothetic if there is an α ∈ C ∗such that αΛ 1 =Λ 2 .Theorem 5.35 There is a canonical isomorphism between the set of C-isomorphism classes of ellipticcurves and the set of homothety classes of lattices in C.Corollary 5.36 Let Λ be a lattice in C with basis {ω 1 ,ω 2 }. We can assume (by replacing ω 1 by−ω 1 if necessary) that τ := ω 2 /ω 1 is a complex number with positive imaginary part. Let Λ τ bethe lattice Z + τZ. Then the elliptic curve E Λ is isomorphic to E Λτ .By this result we have attached to every (isomorphism class of) elliptic curves over C a uniquelattice Λ τ := Z + τZ such that E is isomorphic to E Z+τ Z =: E τ with τ ∈ C with imaginary partIm(τ) > 0. Butτ is not uniquely determined by Λ τ .Lemma 5.37 Let τ,τ ′ be complex numbers with positive imaginary part. Then Λ τ =Λ τ ′ if andonly if there exist integers a, b, c, d with ad − bc =1and τ ′ =aτ +bcτ+d·Definition 5.38 A complex function f which is holomorphic on the upper half planeand which satisfiesH := {τ ∈ C |Im(τ) > 0)}f(τ) =f( ) aτ + bcτ + dfor all integers a, b, c, d with ad − bc =1is called a modular function.The set of modular functions forms a field F 1 .Example 5.39 DefineThen j ∈ F 1 .Theorem 5.40j : H → Cτ ↦→g 2 (Λ τ ) 3j(τ) := 17284g 2 (Λ τ ) 3 − 27g 3 (Λ τ ) 2 ·(i) The field of modular functions is equal to C(j).(ii) The elliptic curve E τ is isomorphic to E τ ′ if and only if j(τ) =j(τ ′ ).(iii) Let E be an elliptic curve defined over C with absolute invariant j E (cf. Corollary 4.118)Then there is a τ ∈Hwith j(τ) =j E and E is isomorphic to E τ .Since j ∈ F 1 we have j(τ +1)=j(τ). (Takea =1,b=1,c=0,d=1.) We can use this identityto develop j into a Laurent series “at ∞.”Define q := e 2πiτ and j ∗ (q) :=j(τ). Observe that q approaches 0 when Im(τ) becomes large.It turns out that j ∗ can be extended to a meromorphic function with a pole in 0 of order 1. ItsLaurent series has integer coefficients. It is called the q-expansion of the j-function.

98 Ch. 5 Varieties over Special FieldsProposition 5.41 The q-expansion of the j-function is given byj(q) = (1 + 240 ∑ ∞n=1 σ 3(n)q n ) 3q ∏ n∈N (1 − qn ) 24 ·For a proof we refer to [SIL 1994, Chapter I, Remark 7.4.2].After having an explicit description of isomorphism classes of elliptic curves over C we nowdetermine the isogeny classes again by using the theory of complex tori (see Section 5.26) appliedto elliptic curves and get:Proposition 5.42 Let E and E ′ be two elliptic curves defined over C with lattices Λ (respectivelyΛ ′ ).Then E is isogenous to E ′ if and only if there exists an α ∈ C ∗ with αΛ ⊂ Λ ′ . If so denote byη α the isogeny from E to E ′ . Then the kernel of η α is canonically isomorphic to α −1 Λ ′ /Λ.Corollary 5.43 Assume that E is an elliptic curve over C with j E = j(τ). Then5.1.5.bThe ringEnd C (E) ={α ∈ C | αΛ τ ⊂ Λ τ }.Elliptic curves with complex multiplicationEnd C (E) ={α ∈ C | αΛ τ ⊂ Λ τ }always contains and in general will be equal to Z.We reformulate the definition of complex multiplication (cf. Definition 4.88) applied to ellipticcurves E over C.Definition 5.44 The elliptic curve E has complex multiplication if and only if End C (E) is largerthan Z.In Example 4.90 we have already discussed that this implies:Corollary 5.45 Let E be an elliptic curve defined over C with period τ. Thenτ is a nonrationalinteger in an imaginary quadratic field K τ and End C (E) is the order corresponding to Z + τZ inK τ .The converse is true as well.Proposition 5.46 Let K be an imaginary quadratic field, let O be an order of K, andletA be anideal of O. ThenA ⊂ C is a lattice, the elliptic curve E A := C/A is an elliptic curve with complexmultiplication and End C (E A )=O. For two ideals A, A ′ of O we get: E A is isomorphic to E A ′over C (i.e., the absolute j-invariants are equal) if and only if A and A ′ are in the same ideal class.So elliptic curves with complex multiplication have algebraic periods τ. But even more importantwe get that the absolute invariant j(τ) is a very special algebraic integer, i.e., it is the zero of amonic polynomial over Z, and is obtained as j-invariant of an ideal in an imaginary quadratic field.The exact statement is the key result of class field theory of imaginary quadratic fields.Theorem 5.47 Assume that E is defined over C and has complex multiplication. Let τ be its period.Then Q(τ) is an imaginary quadratic field, End Q(τ ) (E) =End C (E) is an order O E in Q(τ) andthe absolute invariant j(τ) is an algebraic integer that lies in the ring class field H OE over Q(τ).The invariant j(τ) is the j-function evaluated at an ideal of O E .

§ 5.1 Varieties over the field of complex numbers 99Recall that the ring class field of O E is an abelian extension of Q(τ) whose Galois group is isomorphicin a canonical way to the ideal class group of O E . The most important case for us will be thatO E is the ring of integers O of Q(τ). ThenH OE is the Hilbert class field H of Q(τ), the maximalGalois extension of Q(τ), which is unramified and has an abelian Galois group. In particular, weget that the degree of H over Q(τ) is equal to the order of Cl(O), which is called the class numberof Q(τ) .On the other side it follows easily from Theorem 5.35 that j EA depends only on the ideal classgroup of A in Cl(O) and class field theory tells us that all the algebraic numbers j EA are conjugatesunder the action of the Galois group of H over Q(τ). Fromthisweget:Corollary 5.48 Let K = Q( √ −d) be an imaginary quadratic field with ring of integers O. LetEbe an elliptic curve with End C (E) =O. Then the minimal polynomial of j E is the Hilbert classpolynomial∏h d(H d (x) := x − j(Ai ) )i=1where j(A i ) is the j-invariant of the elliptic curve corresponding to A i , the number h d is the orderof the ideal class group of K and A i are representatives of elements of the class group of O. Thecoefficients of the Hilbert class polynomial are rational numbers. As j E is an algebraic integer, theyare integers.For the proof of Theorem 5.47 and Corollary 5.48, see for example [SIL 1986, Appendix C, Theorem11.2], or [LAN 1973, Chapter 10, Theorem 1].Reduction of elliptic curves with complex multiplicationIn Section 5.2 below we shall discuss elliptic curves over finite fields. The determination of theorder of the rational points will be one of the most important topics in this part. Here we can give abridge from elliptic curves over number fields to elliptic curves over finite fields.The class polynomial∏h d(H d (x) := x − j(Ai ) )i=1can be reduced modulo a prime p to a polynomial H d (x) p defined over F p , and it has simple rootsif p does not divide d.Let F p r be the smallest field that contains a root j p of H d (x) p . It is the reduction modulo p ofone of the invariants j(A i ). As the elements j(A i ) are conjugate it follows that all roots of H d (x) pare in this field.By the algebraic theory of elliptic curves we know that there are elliptic curves E p defined overF p r with absolute invariant j p .ThecurveE p is determined up to twists, and if j p ≠0, 12 3 there isexactly one twist of E p .For the sake of simplicity we shall assume now that r =1and that the prime number p is decomposedin Q( √ −d). Class field theory of imaginary quadratic fields gives the following remarkableresult.Theorem 5.49 There is an integer π ∈ Q( √ −d) such that ππ = p and |p +1− (π + π)| is thenumber of F p -rational points on either E p or one of its twists.To understand this theorem one needs the theory of elliptic curves over finite fields and in particularof the Frobenius endomorphism and its related characteristic polynomial (cf. Example 4.87)made explicit in Example 5.83. The theorem then states that the algebraic integer π, interpreted

100 Ch. 5 Varieties over Special Fieldsas endomorphism of E j(Ai) operates modulo p on E p or one of its twists as Frobenius endomorphism,and so the characteristic polynomial of π, interpreted as an algebraic number, is equal to thecharacteristic polynomial of the Frobenius endomorphism.5.1.6 Hyperelliptic curves over C5.1.6.aPeriods and invariantsLet C be a hyperelliptic curve of genus g defined over C with Jacobian variety J C . As we knowJ C is as analytic variety isomorphic to a torus C g /Λ C .SinceJ C is principally polarized Λ C can bechosen in the form Z d ⊕ Ω · Z d ,wherethe(g × g)-matrix Ω is symmetric and has a positive definiteimaginary part, i.e., lies in the Siegel upper half plane H g .The matrix Ω is the period matrix of C. It can be computed by integrating a basis of holomorphicdifferentials along paths on the Riemann surface corresponding to C. Since such a basis is explicitlyknown for hyperelliptic curves (see Chapter 17) it is in principle possible to compute it. For ellipticcurves E this gives the period τ, a complex number with a positive imaginary part.The next step for elliptic curves was to determine the isomorphism class when the period isknown. This task was solved by the j-function whose value at τ is the absolute invariant of E. Toconstruct j we used Eisenstein series as special functions on lattices, i.e., modular forms.Analogous to the elliptic curve case we define values of complex functions to lattices that arenow Siegel modular forms: letΩ ∈ H g the period matrix of a principally polarized abelian varietyand let z ∈ C g be a column vector. The Riemann theta function is given byθ(z,Ω) = ∑ n∈Z g exp ( πi(n t Ωn +2n t z) ) .This function is C-valued, holomorphic and symmetric, i.e., θ(z,Ω) = θ(−z,Ω).For fixed Ω ∈ H g we get a function from C g to C and we define the Riemann theta divisor byΘ (Ω) := { z mod Λ | θ(z,Ω) = 0 } .Recall that τ and τ ′ define isomorphic elliptic curves if and only if τ ′ =cτ+dwith a, b, c, d ∈ Zand ad − bc =1,i.e.,ifτ and τ ′ are equivalent under the action of SL 2 (Z), the group of invertible(2 × 2)-matrices over Z with determinant 1.An analogous result holds for arbitrary dimension. We define Sp(2g, Z) to be the symplecticgroup of dimension g over Z. (For g =1this is SL 2 (Z).) It acts on H g in a natural way (cf.[LAN 1982]).Theorem 5.50 Two period matrices Ω, Ω ′ define isomorphic principally polarized abelian varietiesif and only if they lie on the same orbit under the operation of the symplectic group Sp(g, Z) on H g .For a proof see [LAN 1982].The theta divisors of two equivalent period matrices Ω, Ω ′ do not have to be equal. But if theyare equivalent then there exists an a ∈ Ω ( 12 Zg) + 1 2 Zg such that Θ (Ω′) =Θ (Ω)a where Θ (Ω)a denotesthe translation of Θ (Ω) by a.This motivates the introduction of theta characteristics[ ] δθ (z,Ω) = ∑ ( (exp πi n + 1 ) tɛ 2 δ Ω(n + 1 )2 δ +2(n + 1 ) t (z2 δ + 1 ))2 ɛ (5.2)n∈Z gaτ +bwith column vectors δ and ɛ ∈ (Z/2Z) g .Ifwefixδ, ɛ and set z =0, we obtain functions on H g ,called the theta constants. A theta constant is even, if δ t ɛ ≡ 0(mod2), and odd otherwise. All

§ 5.1 Varieties over the field of complex numbers 101odd theta constants vanish for principally polarized varieties. There are 2 g−1 (2 g +1)even thetaconstants.Theorem 5.51 The complete set of theta constants uniquely determines the isomorphism class of aprincipally polarized abelian variety of dimension g.The proof is given in [IGU 1960].Example 5.52 For g =2there are 10 even theta constants. A list of the vectors δ, ɛ ∈ (Z/2Z) 2used to get them is found in [WEN 2003]. For g =3there are 32 even theta constants.By the theta constants we have found a complete system of invariants for isomorphism classes ofprincipally polarized abelian varieties of dimension g 2. But two things are disturbing. First theseinvariants are not “independent.” Secondly and worse they are defined analytically. But they definepoints in an algebraic variety, the moduli space of isomorphism classes of principally polarizedabelian varieties of dimension g. So we would like to have algebraically defined invariants.For g =2, 3 we can make this precise. Due to results of Weil [WEI 1957] we know that everyprincipally polarized abelian variety A of dimension g 3 is the Jacobian variety of a curveC. Because of the famous theorem of Torelli, the isomorphism class of A with its polarizationis determined uniquely by the isomorphism class of C. So the invariants have to be algebraicexpressions in the coefficients of the equation defining C. Recall that for elliptic curves E we canexpress j E by the coefficients g 2 ,g 3 of a Weierstraß equation.In fact we can find these algebraic invariants for hyperelliptic curves of genus 2 and 3 using workof Igusa [IGU 1960] and Shioda [SHI 1967].5.1.6.b Hyperelliptic curves of genus 2For every principally polarized abelian variety A of dimension two there exist three absolute invariantsj 1 ,j 2 ,andj 3 called Igusa invariants, which determine its isomorphism class. They canbe expressed in terms of the theta constants. The explicit formulas can be found in [WEN 2003,Section 5].Let C : y 2 = x 5 +f 4 x 4 +f 3 x 3 +f 2 x 2 +f 1 x+f 0 be the curve with J C = A. Then the invariantsj i of the Jacobian of C can be expressed byj 1 = I 5 2 /I 10 ,j 2 = I 3 2 I 4 /I 10 and j 3 = I 2 2 I 6 /I 10 , (5.3)where the I i ’s are given below expressed in the coefficients of the curve.By Spallek [SPA 1994, p. 71] the absolute invariants I i are given in terms of the coefficients f jasI 2 = 6f3 2 − 16f 4f 2 +40f 1,I 4 = 4`f4 2 f2 2 − 3f 3f2 2 − 3f4 2 f 3f 1 +9f3 2 f 1 + f 4f 2f 1 − 20f1 4 +12f4 3 f 0 − 45f 4f 3f 0 +75f 2f 0´,I 6 = − 2`−4f4 2 f3 2 f2 2 +12f3 3 f2 2 +12f4 3 f2 3 − 38f 4f 3f2 3 +18f2 4 +12f4 2 f3 3 f 1 − 36f3 4 f 1− 38f4 3 f 3f 2f 1 + 119f 4f3 2 f 2f 1 −14f4 2 f2 2 f 1 −13f 3f2 2 f 1 +18f4 4 f1 2 −13f4 2 f 3f1 2 −88f3 2 f12− 32f 4f 2f1 2 + 160f1 4 − 30f4 3 f3 2 f 0 +99f 4f3 3 f 0 +80f4 4 f 2f 0 − 246f4 2 f 3f 2f 0 − 165f3 2 f 2f 0+ 320f 4f2 2 f 0 − 308f4 3 f 1f 0 + 930f 4f 3f 1f 0 − 800f 2f 1f 0 + 450f4 2 f0 2 − 1125f 3f0 ´,2I 10 = f4 2 f3 2 f2 2 f1 2 − 4f3 3 f2 2 f1 2 − 4f4 3 f2 3 f1 2 +18f 4f 3f2 3 f1 2 − 27f2 4 f1 2 − 4f4 2 f3 3 f1 3 +16f3 4 f13+ 18f4 3 f 3f 2f1 3 − 80f 4f3 2 f 2f1 3 − 6f4 2 f2 2 f1 3 + 144f 3f2 2 f1 3 − 27f4 4 f1 4 + 144f4 2 f 3f14− 128f3 2 f1 4 − 192f 4f 2f1 4 + 256f1 5 − 4f4 2 f3 2 f2 3 f 0 +16f3 3 f2 3 f 0 +16f4 3 f2 4 f 0 − 72f 4f 3f2 4 f 0+ 108f2 5 f 0 + 18f4 2 f3 3 f 2f 1f 0 − 72f3 4 f 2f 1f 0 − 80f4 3 f 3f2 2 f 1f 0 + 356f 4f3 2 f2 2 f 1f 0+ 24f4 2 f2 3 f 1f 0 − 630f 3f2 3 f 1f 0 − 6f4 3 f3 2 f1 2 f 0 + 24f 4f3 3 f1 2 f 0 + 144f4 4 f 2f1 2 f 0− 746f4 2 f 3f 2f1 2 f 0 + 560f3 2 f 2f1 2 f 0 + 1020f 4f2 2 f1 2 f 0 − 36f4 3 f1 3 f 0 + 160f 4f 3f1 3 f 0

102 Ch. 5 Varieties over Special Fields− 1600f 2f 3 1 f 0 − 27f 2 4 f 4 3 f 2 0 + 108f 5 3 f 2 0 + 144f 3 4 f 2 3 f 2f 2 0 − 630f 4f 3 3 f 2f 2 0 − 128f 4 4 f 3 2 f 2 0+ 560f 2 4 f 3f 2 2 f 2 0 + 825f 2 3 f 2 2 f 2 0 − 900f 4f 3 2 f 2 0 − 192f 4 4 f 3f 1f 2 0 + 1020f 2 4 f 2 3 f 1f 2 0− 900f 3 3 f 1f 2 0 + 160f 3 4 f 2f 1f 2 0 − 2050f 4f 3f 2f 1f 2 0 + 2250f 2 2 f 1f 2 0 − 50f 2 4 f 2 1 f 2 0+ 2000f 3f 2 1 f 2 0 + 256f 5 4 f 3 0 − 1600f 3 4 f 3f 3 0 + 2250f 4f 2 3 f 3 0 + 2000f 2 4 f 2f 3 0 − 3750f 3f 2f 3 0− 2500f 4f 1f 3 0 + 3125f 4 0 .Hence we can compute the invariants j i of the curve C if we know either its period matrix or thecurve equation. Conversely, from the invariants we get a system of polynomial equations for thecoefficients of an equation defining C and we can solve this system in principle, e.g., by applyingBuchberger’s algorithm.But there is a much more efficient way due to Mestre [MES 1991].To use it we have to define new invariants, which we call Mestre’s invariants. In his paper, Mestreintroduces the invariants A, B, C, D [MES 1991] and invariants j ′ 1,j ′ 2,j ′ 3 withwhich satisfyj ′ 1 = A 5 /D, j ′ 2 = A 3 B/D and j ′ 3 = A 2 C/Dj ′ 1 = −j 1120 5 , j ′ 2 = 720j′ 16750 − j 2(120 3 × 6750) , j ′ 3 = j 3120 2 × 2025100 + 1080j′ 22025 − 16j′ 1375 ·In addition we needα =−1 ( 14556250 j 1′)+ 62208 + 16j′ 275j 1′ + 16j′ 345j 1′− 2 j′2 23j 1 ′ 2 − 4j′ 2j 3′3j 1′2which relates Mestre’s invariant D with Igusa’s discriminant ∆ by α = D ∆ ·Next one defines a conic Q(j 1 ,j 2 ,j 3 ) by the equation∑Q ik x i x k =0with1i,k3Q 11 = 6j′ 3 + j ′ 2 ,3j ′ 1Q 12 = Q 21 = 2( j 2′ 2 + j 1j 3)′ ′ ,Q 13 = Q 31 = Q 22 α(1 j ′ 32Q 23 = Q 32Q 33 = 1j 1′ 2j 1′ 23j ′ 1(j ′ 1j ′ 2α23j 1′ 2+ 4j′ 2 j′ 39+ 2j′ 2 2 j 3′9j ′ 1)+ 2j′ 23 ,3)+ 2j′ 23 ·9This conic is intersected with a cubic H(j 1 ,j 2 ,j 3 ) given by the equation∑H ikl x i x k x l1i,k,l3

§ 5.1 Varieties over the field of complex numbers 103whereH 111 =“”2 j 1j ′ 3 ′ − 6j 2j ′ 3 ′ +9j 12 ′ α9j 1′ 2H 112 = H 211 = 2j′ 3 2 +4j 1j ′ 2j ′ 3 ′ +12j 1j ′ 3′ 2 + j 1′,9j 1′ 3H 113 = H 311 = H 131 = H 122 = j′ 3 2 +4/3j 1j ′ 2j ′ 3 ′ +4j 2′ 2 j 3 ′ +6j 1j ′ 3′ 2 +3j 1′H 123 =118j ′ 13H 133 = H 313 = H 331 = 118j 1′ 3H 222 =19j 1′ 33 α,9j 1′ 32j 2′ 4+4j ′ 2j 1′ 2 j 3 ′ + 4j′ 1j 3′ 2+4j 2j ′ 32 ′ +3j 12 ′ j 2α ′ +12j 12 ′ j 3α′33j 2′ 4+6j ′j 1′ 2H 223 = H 232 = H 322 = 118j ′ 1H 233 = H 323 = H 332 = 118j 1′ 3H 333 =136j ′ 1− 2j′ 4 2 j 3′ − 4j′ 23 j 1′ 2j 2′ 4j 1′+ 4j′ 2 2 j 3′3+ 16j′ 3 2 j 3′3j 1′2j 3 ′ + 8j′ 1j 3′ 2+2j 2j ′ 32 ′ − 3j 12 ′ j 3α′3− 2j′ 3 2 j 3′33j 1′j 2′ 5j 1′2 j ′ 32j ′ 12 + 2j′ 2+ 26j′ 2j 3′ 23!,2 j 2α′ ,!,+8j ′ 33 +3j ′ 1j ′ 22 α +2j ′ 12 j ′ 3α!− 4j′ 2j 3′ 2− 4j 33 ′ +9j 1j ′ 22 ′ α +8j 12 ′ j 3α′ ,3j ′ 13 j ′ 3− 16j′ 339+ 8j′ 2j 3′ 39+ 2j′ 2 2 j 32 ′ − j3j1j ′ 2j ′ 3α ′ +9j ′ 31′ 1 α!, 2 !− 4j′ 2j 3′ 3+9j 23 ′ α +12j 1j ′ 2j ′ 3α ′ +20j 1j ′ 32 ′ αj 1′Note that this is easily done if the conic has a rational point. Then the set of points on the conic canbe parameterized by a parameter t. So in the worst case we have to go to a quadratic extension ofK to perform this step. The intersection consists of six points that are the zeroes of a polynomialf(t) of degree 6 in the parameter t.Lemma 5.53 (Mestre) The curve C with Igusa invariants {j 1 ,j 2 ,j 3 } can be given by the equationy 2 = f(x).where f is the polynomial of degree 6 constructed above.We note that this is not the standard form for an equation of genus 2. But we can transform one ofthe zeroes of f(x) to be the infinite point on C and then find an equationy 2 = ¯f(x)with ¯f a polynomial of degree 5 for the curve C.Until now we have done all computations over C. But Mestre’s result is a purely algebraic one,andsoweget:Theorem 5.54 Let A be a principally polarized abelian variety defined over C with Igusa invariants{j 1 ,j 2 ,j 3 }.LetK 0 ⊂ C be a field containing these invariants and such that the conic Q(j 1 ,j 2 ,j 3 )has a K 0 -rational point. Then A is the Jacobian variety of a curve C of genus 2 defined over K 0 .Its equation isy 2 = f(x),where f(x) is the polynomial of degree 6 from Lemma 5.53.·!,

104 Ch. 5 Varieties over Special FieldsLet K be an extension field of K 0 such that f(x) has a zero x 0 in K. ThenC as curve over K canbe given by the equationy 2 = ¯f(x)which is obtained by transforming the point (x 0 , 0) to infinity.5.1.6.c Hyperelliptic curves of genus 3Let A be a principally polarized abelian variety of dimension 3. We assume that we know its periodmatrix. So we know the theta constants and, by using a theorem of Mumford–Poor, we can decidewhether it is the Jacobian of a hyperelliptic curve (cf. [WEN 2001a, Theorem 4.3]. If so we want tofind the equation of the corresponding curve given in the formC : y 2 = f(x)where f(x) is a polynomial of degree 7.In principle we can proceed as in the case of genus 2. Only things become more complicated.One way proposed in [WEB 1997] is as follows. First one computes the Rosenhain modely 2 = x(x − λ 1 ) ···(x − λ 7 )of C where the complex numbers λ i are rational expressions in theta constants. Having this equationone computes the Shioda invariants j 1 ,j 3 ,j 5 ,j 7 ,j 9 , which determine the isomorphism class of Cas curve over C.Then a variant of Mestre’s method allows us to find an equation for C that is defined over field ofdegree 2 over Q(j 1 ,j 3 ,j 5 ,j 7 ,j 9 ). For details we refer to [WEB 1997] and[WEN 2001a].Remarks 5.55(i) In [WEB 1997] the theoretical results and the algorithms to compute curves are givenfor hyperelliptic curves of genus 5.(ii) In the elliptic case we went further. By using the Weierstraß ℘ function and its derivativewe were able to make (the inverse of) the Abel–Jacobi map explicit. In [KAM 1991] itis shown that an analogous definition of Weierstraß functions and its higher derivativescan be used to achieve this for hyperelliptic curves of any genus.5.1.6.dHyperelliptic curves of genus 2 and 3 with CMIn the last section we have seen that the knowledge of the period matrix of a hyperelliptic curve Cof genus 2 or 3 makes it possible to compute its invariants and then to determine its equation in analgebraic way.We shall discuss now how the theory of CM-fields makes it possible to determine the invariants inan algebraic way if J C has complex multiplication. Though the ideas are quite analogous to thosethat occurred in the case of complex multiplication of elliptic curves we need considerably moretechnical details. The key ingredients were developed in the important book of Taniyama–Shimura[SHTA 1961]. The reader who is interested in this deep and beautiful theory is encouraged to usethis book as reference for the whole section.We shall begin by giving a very rough sketch of the general CM theory and then we shall apply itto the special case of Jacobian varieties of hyperelliptic curves of genus 2 and 3.

§ 5.1 Varieties over the field of complex numbers 105Abelian varieties to CM-typesA number field K with [K : Q] =2g is called CM-field if K is an imaginary quadratic extensionof a totally real number field K 0 .Let ϕ i , 1 i 2g be the 2g distinct embeddings from K into C. A tuple(K, Φ) := ( K, {ϕ 1 ,ϕ 2 ,...,ϕ g } )is called CM-type, if all embeddings ϕ i are distinct and no two of them are complex conjugate toeach other.Let A≃C g /Λ A be an abelian variety over C with End(A) ⊗ Q ≃ K. Hence A has complexmultiplication with ring of endomorphisms being an order O ⊂ K. Wehavetomaketheidentification of O with End(A) more explicit.Definition 5.56 Assume that the operation of α ∈Oon A is given by the action of⎡⎤ϕ 1 (α)⎢ . .. ⎥⎣⎦ .ϕ g (α)on C g .ThenA is an abelian variety of CM-type (K, Φ) = ( K, {ϕ 1 , ··· ,ϕ g } ) .Proposition 5.57 For every abelian variety A with End(A) ⊗ Q ≃ K there exists a CM-type(K, Φ) = ( K, {ϕ 1 , ··· ,ϕ g } ) .To ease things we restrict ourselves (as in the case of elliptic curves) to the case that End(A) =O K ,the ring of integers in K.Theorem 5.58 Let A be an ideal in O K and let (K, Φ) be a CM-type. Take{ (ϕ1Φ(A) := (α),...,ϕ g (α) ) }t| α ∈ Ain C g .Then Φ(A) is a lattice in C g and the torus C g /Φ(A) is an abelian variety A A,Φ which has complexmultiplication by O K .The action of O K on C g /Φ(A) is given by the action of the g-tuple⎡⎤⎢⎣ϕ 1 (γ). ..ϕ g (γ)⎥⎦ with γ ∈O Kon C g . Conversely every abelian variety A of CM-type (K, Φ) with complex multiplication by O Kis isomorphic to an abelian variety A A,Φ .The proof of this theorem can be found in [SHTA 1961].Principal polarizationsWe are interested in Jacobian varieties and corresponding curves with complex multiplications andso we need a finer structure: we want to construct principally polarized abelian varieties and wehave to determine isomorphism classes of abelian varieties with principal polarizations. For this itis convenient to make an additional assumption that is very often satisfied: the maximal real subfieldK 0 of K has class number 1, i.e., the ring of integers O K0 is principal.

106 Ch. 5 Varieties over Special FieldsLemma 5.59 Assume that the maximal real subfield K 0 in the CM-field K has class number 1. Let(K, Φ) be a CM-type, A an ideal of O K and A A,Φ the abelian variety attached to these data.There exists a basis {α 1 ,...,α 2g } of Φ(A) such that the Riemann form 5.22 is[E(αi ,α j ) ] 1i,j2n = [0 I g−I g 0Hence the period matrix of A A,Φ lies in the Siegel upper half plane H g and we can endow A A,Φwith a principal polarization determined by an element γ in K (cf. [LAN 1982]).For a proof see [WEN 2001b].Definition 5.60 We take the notations as in the Lemma 5.59. We shall write (A A,Φ ,γ) for theabelian variety corresponding to the ideal A, the CM-type Φ and the polarization attached to γ.As in the case of elliptic curves, we now need a characterization of isomorphism classes of abelianvarieties with principal polarization that correspond to a given CM-type (K, Φ).For this we need some notation. Let K be a CM-field with CM-type Φ. We assume that themaximal totally real subfield has class number 1.Let U + denote the totally positive units of K 0 (i.e., units u in O K such that for all 1 j gwe have ϕ i (u) is a positive real number). Let U 1 be the image of the norm map from K to K 0applied to the units in O K . We denote by ɛ 1 ,...,ɛ d a system of representatives for U + /U 1 .Notethat the complex conjugation generates the Galois group of K over K 0 . Using our assumptionthat the class number of K 0 is 1 we get that for any ideal A of K the ideal AA can be interpreted asa principal ideal (α) of K 0 .Definition 5.61 The subgroup Cl ′ (O K ) of the class group Cl(O K ) consists of the ideal classes cthat contain an ideal A with AA = αO K with ϕ i (α) totally positive, i.e., ϕ i (α) is a real positivenumber for every 1 i g. The order of Cl(O K ) ′ is denoted by h ′ K .We have the following theorem:Theorem 5.62 Let (A OK,Φ,γ) be a principally polarized abelian variety attached to O K . LetA 1 ,...,A h ′Kbe a system of representatives for Cl(O K ) ′ with A i A i =(α i ) and α i totally positive. Thereare h ′ kd isomorphism classes of principally polarized abelian varieties with complex multiplicationby O K of CM-type (K, Φ).⋃Let K Φ = d KΦ l withl=1KΦ l = { (A Ai ,ɛ l (α i γ) −1 ) | i =1,...,h ′ }k .The set K Φ is a set of representatives of the isomorphism classes of principally polarized abelianvarieties of CM-type (K, Φ).Warning: principally polarized abelian varieties of different CM-types can be isomorphic.Example 5.63 Consider the case where the principally polarized abelian variety has dimension two.Here, the CM-field is an imaginary quadratic extension of a real quadratic field K 0 .If K is Galois, we get all isomorphism classes of principally polarized abelian varieties withcomplex multiplication with O K by choosing one CM-type.If K is non-normal, we need two CM-types to get all isomorphism classes of principally polarizedabelian varieties.].

§ 5.1 Varieties over the field of complex numbers 107Class polynomials for hyperelliptic curves of genus 2 and 3Recall from the previous paragraph that for elliptic curves with complex multiplication by O K thej-invariant lies in the Hilbert class field of the imaginary quadratic field K. Again the situation isanalogous but more complicated in the higher dimensional case.We need the notion of the reflex CM-field ̂K ([SHI 1998]), which for g =1is equal to K and ingeneral different from K. We shall not need the explicit definition of the reflex CM-field but use thearithmetic information from class field theory to determine minimal polynomials for invariants.Theorem 5.64 Let K be a CM-field of degree 4 over Q.(i) The Igusa invariants j 1 (C),j 2 (C),j 3 (C) for hyperelliptic curves C of genus 2 withcomplex multiplication with the ring of integers O K of K are algebraic numbers that liein a class field over the reflex CM-field ̂K.(ii) For hyperelliptic curves C and C ′ with complex multiplication with O K we get that fork ∈{1, 2, 3} the invariants j k (C) and j k (C ′ ) are Galois conjugates.(iii) Let {C 1 ,...,C s } be a set of representatives of isomorphism classes of curves of genus 2whose Jacobian varieties have complex multiplication with endomorphism ring O K .Wedenote by j k (i) the k-th Igusa invariant belonging to the curve C i .The three class polynomialshave coefficients in Q.H K,k (X) =s∏ ((i)) X − j ,k =1,...,3.For hyperelliptic curves of genus 3 we get a completely analogous result.i=1Theorem 5.65 Let K be a CM-field of degree 6 over Q.(i) The Shioda invariants j 1 (C),j 3 (C),j 5 (C),j 7 (C),j 9 (C) for hyperelliptic curves C ofgenus 3 with complex multiplication with the ring of integers O K of K are algebraicnumbers that lie in a class field over the reflex CM-field ̂K.(ii) For hyperelliptic curves C and C ′ with complex multiplication with O K we get that fork ∈{1, 3, 5, 7, 9} the invariants j k (C) and j k (C ′ ) are Galois conjugate.(iii) Let {C 1 ,...,C s } be a set of representatives of isomorphism classes of curves of genus 3whose Jacobian varieties have complex multiplication with endomorphism ring O K .Wedenote by j k (i) the k-th Igusa invariant belonging to the curve C i .The five class polynomialshave coefficients in Q.H K,k (X) =ks∏ ((i)) X − j , k ∈{1, 3, 5, 7, 9}.i=1kDenominators in the class polynomialsThe careful reader will have remarked that — contrary to the elliptic case — we did not claim inTheorems 5.64 and 5.65 that the class polynomials have integer coefficients. In fact this is wrong.There are two reasons for this. First, small primes occur (for g =2up to 5 and for g =3up to7) because we did not normalize the invariants in a careful enough way. But much more serious isthe second reason: it may happen that the Jacobian of a curve has good reduction modulo a place

108 Ch. 5 Varieties over Special Fieldsp of the field over which it is defined but the curve does not have good reduction. The curve maybecome reducible modulo p.There are famous conjectures about the arithmetic of curves over number fields related to theABC-conjecture that this should occur only for places with moderate norm.In practice this is confirmed. So to compute the coefficients of the class polynomial one computesa real approximation with high precision and then determines the denominator using the continuedfraction algorithm.Reduction of hyperelliptic curves of genus 2 and 3 with complex multiplicationThe invariants of a hyperelliptic curves of genus 2 or 3 with complex multiplication with a CM-fieldK are zeroes of polynomials over Q. Let us choose a prime p that does not divide the denominatorof the coefficients of these polynomials. Then we can reduce the class polynomials modulo p.We can factor the resulting polynomials over F p and find zeroes in an extension field F q . ByGalois theory we see that the class polynomials will split in linear factors over F q . Combining“related” zeroes we get systems of invariants for which the resulting curves C q have a Jacobianvariety with ring of endomorphisms containing an isomorphic copy of O K .So, we have very explicit information about the endomorphisms of the Jacobian variety of C q ,which are defined over (possibly a quadratic extension of) F q . Class field theory of CM-fields canbe used to identify the Frobenius endomorphism.We explain the easiest case, which is the most important one for practical use: we assume thatthe genus of C q is equal to 2 and that q = p.Theorem 5.66 Let K be a CM-field of degree 4 and assume that p is a prime 7, which does notdivide the denominator of the class polynomials H K,k (X) =:H k (X).• For every w ∈O K with ww = p the polynomials H k (X) have a linear factor over F pcorresponding to w.• Let j k be a zero of H k (X) modulo p. TherearetwoF p -isomorphism classes A p,1 andA p,2 of principally polarized abelian varieties over F p with Igusa invariants j k .• The principally polarized abelian varieties A p,1 and A p,2 have complex multiplicationby O K .• The number of F p -rational points of A p,m ,m=1, 2 is given by4∏ (1+(−1) m )w ii=1where w = w 1 and w i are conjugates of w.• The equation ww = p with w ∈O K has (up to conjugacy and sign) at most two differentsolutions, i.e., for every CM-field of degree 4 there are at most four different possibleorders of groups of F p -rational points of principally polarized abelian varieties, definedover F p with complex multiplication by O K .For genus 3 an analogous result holds. We refer the interested reader to Weng [WEN 2001a].5.2 Varieties over finite fieldsIn this section we shall deal with varieties defined over finite fields. We assume that the ground fieldK is equal to F q with q = p d .

§ 5.2 Varieties over finite fields 1095.2.1 The Frobenius morphismIn this section, we consider two extension fields of F p . We assume K = F q with q = p d ,andconsider an arbitrary power φ k p of the absolute Frobenius automorphism, which fixes the elementsof F p k ⊂ F p . We recall the definition of the Frobenius endomorphism and its action on varietiesover F q given in Example 4.39, which we shall need in a slightly more general way.Take k ∈ N and let φ p k be the Frobenius automorphism of the field F p k, sending α ∈ F p kto π k (α) =α pk . We can extend φ p k to points of projective spaces over F q k by sending points(X 0 ,...,X n ) to (X pk0 ,...Xpk n ). We apply φ p to polynomials with coefficients in the algebraickclosure F p of F p by applying it to the coefficients.If V is a projective variety over F q with ideal I we can apply φ p k to I and get a variety φ p k(V )with ideal φ p k (I). The points of V are mapped to points on φ p k(V ).The corresponding morphism from V to φ p k(V ) is called the Frobenius morphism with respectto the field F p k and is again denoted by φ p k.Itisthek-th power of the absolute Frobenius φ p .We note that though φ p k is by definition a Galois group element it induces a morphism from V toφ p k(V ). We recall that in the language of function fields the corresponding rational map φ ∗ pfromkK(φ p k(V )) is given as follows: choose an open affine part of V and affine coordinate functionsx 1 ,...,x n ; then the image of φ ∗ pin K(V ) is generated by x pkk 1 ,...,xpk n .It follows that this rational map is purely inseparable of degree p k dim(V ) .In general φ p k (V ) will not be isomorphic to V .Butifd divides k then V = φ p k (V ) since thenφ p k(I) =I.Proposition 5.67 Let s be a natural number such that ks is divisible by d. Put V 0 := V and fori =1,...,s− 1 define V i := φ p k(V i−1 ).Then we get the chain of morphismsV = V 0φ p k→ V 1φ p k→ ··· φp k→ V s−1φ p k→ V s = Veach being purely inseparable of degree p k dim(V ) .The composite of the morphisms is φ p ks.Hence for k =1we get a decomposition of φ q into a chain in which the absolute Frobeniusendomorphism occurs.5.2.2 The characteristic polynomial of the Frobenius endomorphismWe assume now that C is a projective absolutely irreducible nonsingular curve over F q of genusg 1. As seen above the Frobenius endomorphism operates on the rational functions on C, onthe points of C and — by linear continuation — on the divisors of C. It maps principal divisors toprincipal divisors and preserves the degree of divisors. So it operates in a natural way on Pic 0 C Fq,the divisor class group of degree 0 of the curve C over F q .From the results in the last paragraph and from the fact that the Galois group of F q is (topologically)generated by φ q we get:Proposition 5.68 The Frobenius morphism induces a homomorphism of Pic 0 C Fand hence an endomorphism,also denoted by φ q , of the Jacobian variety J C defined over F q .qThis endomorphism is an isogeny that is purely inseparable of degree q g .The elements fixed by φ q in J are J C(Fq) C(F q )=Pic 0 C. Hence J C (F q ) is the kernel of Id JC −φ qand |Pic 0 C | =deg(Id J C− φ q ).

110 Ch. 5 Varieties over Special FieldsNow recall that for primes l different from p we have attached a Galois l-adic representation ˜ρ JC,linduced by the action of G Fq on points of order l k of J C Theorem 4.82. In fact, we have to replacethe field F p by F q and the absolute Frobenius endomorphism by the relative one φ q but all the resultsabout l-adic representations of Galois elements and endomorphisms remain true after this change.We associate to φ q the characteristic polynomial χ ( T l (φ q ) ) J C(T ) of ˜ρ JC,l(φ q ), which is a monicpolynomial of degree 2g with coefficients in Z and it is independent of the choice of l.Definition 5.69 The polynomial χ(φ q ) JC (T ):=χ ( T l (φ q ) ) J C(T ) is the characteristic polynomialof the Frobenius endomorphism φ q on C and of J C . To simplify notation we also use χ(φ q ) C(T ) todenote it.Since we know that deg([1] − φ q )=χ(φ q ) C (1) we get:Corollary 5.70 The order of Pic 0 C , or equivalently, of J C(F q ) is equal to χ(φ q ) C (1).Hence the determination of the number of elements in Pic 0 C is easy if we can compute the characteristicpolynomial of the Frobenius endomorphism on C.The following remark is very useful if we want to compute this polynomial.Lemma 5.71 For n prime to p the restriction of φ q to J C [n] has the characteristic polynomialχ(φ q ) C (T )(modn).Corollary 5.72 The endomorphism χ(φ q ) C (φ q ) is equal to the zero map on J C .There are two distinguished coefficients of the characteristic polynomial of a linear map: the absolutecoefficient, which is (up to a sign) the determinant of the map, and the second highest coefficient,which is the negative of the sum of the eigenvalues and is called the trace of the map.In our case we know that χ(φ q ) C (0) = q g since the degree of φ q as endomorphism on J C isq dim(JC) .The trace of χ(φ q ) C (T ) is called the trace of the Frobenius endomorphism on C and denoted byTr(φ q ).Example 5.73 Let E be an elliptic curve over F q .Thenχ(φ q ) E (T )=T 2 − Tr(φ q )T + q, and so|E(F q )| = q +1− Tr(φ q ).5.2.3 The theorem of Hasse–Weil for JacobiansThe following results are true for arbitrary abelian varieties over finite fields. We shall state themonly for Jacobians of curves C of genus g>0.Definition 5.74 The zeroes λ 1 ,...,λ 2g of χ(φ q ) C (T ) are called the eigenvalues of the Frobeniusφ q on C and on J C .By definition the eigenvalues of φ q are algebraic integers lying in a number field of degree g.The product is equal to2g∏λ i = q g .i=1Because of the duality on Jacobian varieties (or as a consequence of the theorem of Riemann–Roch [STI 1993]) one can make a finer statement.

§ 5.2 Varieties over finite fields 111Proposition 5.75 We can arrange the eigenvalues of φ q on C such thatfor all i =1,...,g we have λ i λ i+g = q.But there is a much deeper result. It is the analogue of the famous Riemann hypothesis for the Riemannζ-function and it says that the absolute value of each eigenvalue λ i interpreted as a complexnumber is, for every curve C of arbitrary positive genus g, equal to √ q.This result was proved by Hasse for elliptic curves and by Weil for abelian varieties. A generalizationfor arbitrary varieties over finite fields was formulated by Weil. One of the greatestachievements of mathematics in the twentieth century was the proof of these Weil conjectures byDeligne.The general philosophy is that the number of rational points on varieties over finite fields shouldnot differ “too much” from the number of points of the projective spaces of the same dimension, andthe difference is expressed in terms of the size of the trace of the Frobenius endomorphism actingon attached vector spaces like Tate modules, or more generally, cohomology groups.Let us come back to our situation and resume what we know.Theorem 5.76 Let C be a projective absolutely irreducible nonsingular curve of genus g>0 overF q .Letλ 1 ,...,λ 2g be the eigenvalues of the Frobenius endomorphism on C.(i) Each λ i is an algebraic integer of degree 2g.(ii) We can numerate the eigenvalues such that for 1 i g we haveλ i λ i+g = q.(iii) For 1 i 2g take any embedding of λ i into C. Then the complex absolute value |λ i |is equal to √ q.For the proof of these fundamental results about the arithmetic of curves and abelian varieties werefer to [STI 1993] or, in a more general frame, to [MUM 1974, pp. 203–207].Corollary 5.77 Let C/F q be a curve of genus g. Iffor some t>gthenJ C (F q )[n] ⊇ (Z/nZ) tn | q − 1.Proof. We find t linear independent D __1 ,..., D __t elements in J C (F q )[n], which lie in the eigenspaceρ JC,n(φ q ) with eigenvalue 1(modn). Hence, there is a 1 i g such that λ i and λ i+g are bothequivalent to 1 modulo n. Sinceλ i λ i+g = q we have q ≡ 1(modn).We can combine this corollary with Theorem 4.73 to get the following proposition.Proposition 5.78 Let C/F q be a curve of genus g. For the structure of the group of F q -rationalpoints on the Jacobian we haveJ C (F q )[n] ≃ Z/n 1 Z × Z/n 2 Z ×···×Z/n 2g Z,where n i | n i+1 for 1 i

112 Ch. 5 Varieties over Special FieldsCorollary 5.79 Let C be as in Theorem 5.76.Then∣ ∣ ∣∣∣∣ ∣ |Pic 0 ∣∣2g∏C |−qg =i=1(1 − λ i ) − q g ∣ ∣∣∣∣= O(q g−1/2) .Take k ∈ N. Sinceφ q k= φ k q we can extend this result:Corollary 5.80 The number N k of F q k-rational points of J C , or equivalently, the number of elementsin Pic 0 C·F qis estimated byk∣ ∣ ∣∣∣∣∣∣N k − q gk ∣∣2g∏=i=1(1 − λ k i ) − q gk ∣ ∣∣∣∣= O(q k(g−1/2)) .This corollary can be used to compute the ζ-function of the curve C [STI 1993] and to get a boundfor the number of rational points on C.Corollary 5.81 Let C be as above.Then||C(F q )|−q − 1| 2g √ q.The estimates for the number of elements of Pic 0 C and of C(F q) are called the Hasse–Weil bounds.In fact the Serre bound gives the sharper estimate||C(F q )|−q − 1| g⌊2 √ q⌋.When one wants to compute the characteristic polynomial of the Frobenius endomorphism it isvery important that one has ad hoc estimates for the size of the coefficients of this polynomial.Again Theorem 5.76 can be used in an obvious way to getCorollary 5.82 The characteristic polynomial of φ q has a very symmetric shape given byχ(φ q ) C (T )=T 2g + a 1 T 2g−1 + ···+ a g T g + ···+ a 1 q g−1 T + q g ,where a i ∈ Z, 1 i g.The absolute value of the i-th coefficient of χ(φ q ) C (T ) is bounded by ( )2gi q (2g−i)/2 .Example 5.83 Let E be an elliptic curve over F q . The eigenvalues λ 1 and λ 2 of φ q on E arealgebraic integers of degree 2 with absolute value |λ i | = √ q and λ 1 λ 2 = q. The number ofpoints in E(F q ) is estimated by||E(F q )|−q − 1| 2 √ q.The interval [−2 √ q + q +1, 2 √ q + q +1]is called the Hasse–Weil interval. All elliptic curvesdefined over F q are forced to have their number of rational points lying in this interval.5.2.4 Tate’s isogeny theoremWe end this section by stating deep results due to Tate and Tate–Honda [TAT 1966], which demonstratethe importance of characteristic polynomials of Frobenius endomorphisms.

§ 5.2 Varieties over finite fields 113Theorem 5.84(i) Let A and A ′ be abelian varieties over F q .ThenA is isogenous to A ′ over F q if and onlyif χ(φ q ) A (T )=χ(φ q ) A ′(T ).(ii) Assume that λ 1 ,...,λ 2g are algebraic integers lying in a number field of degree 2g andsatisfying the properties of eigenvalues of Frobenius endomorphism as stated in Corollary4.118. Then there is an abelian variety A over F q such that λ 1 ,...,λ 2g are theeigenvalues of the Frobenius endomorphism on A.Note that this abelian variety need not be principally polarized, and if it is, it need not to be aJacobian of a curve.Maisner and Nart [MANA 2002] study the problem to decide whether λ 1 ,...,λ 2g belong to ahyperelliptic curve.

Chapter Background on PairingsSylvain Duquesne and Gerhard FreyContents in Brief6.1 General duality results 1156.2 The Tate pairing 1166.3 Pairings over local fields 117The local Tate pairing • The Lichtenbaum pairing on Jacobian varieties6.4 An explicit pairing 122The Tate–Lichtenbaum pairing • Size of the embedding degree6.1 General duality resultsLet C be a curve of genus g defined over a field K with Jacobian variety J C .As mentioned in Section 5.1.3 there is a duality theory of abelian varieties, and Jacobians areself-dual. Hence, the points of order n form an abelian group V = J C [n] endowed with a naturalbilinear map.We have already treated the case when the characteristic of K is p and n = p (although withoutemphasizing the duality theory behind it) and we have seen in Proposition 4.132 that we can identifyV = J C [p] with a subgroup of the additive group K 2g−1 .We shall therefore assume from now on that n is a natural number prime to p. In this case theduality of J C induces a nondegenerate pairing on J C [n] with values in the group of n-th roots ofunity µ n ,soJ C [n] becomes self-dual with respect to this pairing. In fact this pairing was wellknownalready in “classical times” for K = C. It is related to Riemann forms and is discussed in[MUM 1974, Section 20]. It is defined for arbitrary principally polarized abelian varieties and givenin an explicit form on p. 187 of that book. Using this explicit form it is easy to generalize the pairingin the abstract setting of abelian varieties by the same formulas. In the case of elliptic curves thiscan be found in [SIL 1986]. The resulting pairing is called the Weil pairing.The Weil pairing has very nice properties that can all be found in [MUM 1974]. It is defined aspairing on the group of torsion points of order n prime to p and it is compatible with the naturalmaps from J C [n] to J C [n ′ ] for n ′ dividing n. Hence taking n = l k it can be extended to a pairingof Tate modules T l (J C ).115

116 Ch. 6 Background on PairingsMoreover, the pairing is compatible with the action of the absolute Galois group G K of K. A usefulconsequence is that J C [n] ( K ) = J C (K)[n] implies that K contains the n-th roots of unity. (If Kis a finite field we find another argument in Corollary 5.77 to see this).One disadvantage is that the Weil pairing is skew symmetric. This implies that there are subspacesof dimension g in J C [n] such that the restriction of the pairing vanishes identically (“maximalisotropic subspaces”). So we need the rationality of many n-torsion points in order to get subspacesof J C [n] on which the Weil pairing is nondegenerate.Nevertheless the Weil pairing is a possibility for constructing a bilinear structure on DL systemsinside abelian varieties. In this book however we shall prefer a derived pairing which, for ourpurposes, has nicer properties both from the theoretical and from the computational point of view:the Tate pairing.6.2 The Tate pairingWe shall begin by giving the general background for the construction of the Tate pairing. It involvesGalois cohomology, hence requires some knowledge of nonelementary algebra. We shall then specializemore and more, and in the end we shall obtain a description of the pairing in the cases thatare of interest to us. At this point, it is quite elementary and does not use any advanced ingredients.We advise the reader who is only interested in applications to skip as much of the following as he(dis-)likes and in the worst case to begin reading Section 6.4.After this warning we begin with the theory. We are interested in Jacobians but to define the Tatepairing we use results that are true for arbitrary abelian varieties A defined over K. For simplicitywe shall assume that A is principally polarized and so it is isomorphic to its dual variety (as is truefor Jacobians). The assumption that n is prime to p implies that the Kummer sequence0 → A ( K ) [n] → A ( K ) [n]→ A ( K ) → 0 (6.1)is an exact sequence of G K -modules.We can therefore apply Galois cohomology and obtain the exact sequence0 → A(K)/nA(K) δ → H 1 ( G K ,A ( K ) [n] ) α→ H1 ( G K ,A ( K )) [n] → 0.Since this is an important sequence both in theory and in practice we explain it in more detail.Recall that for a G K -module M the group H n (G K ,M) is a quotient of the group of n-cocycles(i.e., of maps c from the n-fold Cartesian product G n K to M satisfying a combinatorial condition)modulo the subgroup of n-coboundaries. Whenever needed we shall give an explicit description ofthe cohomology groups that occur.Example 6.1 Obviously 1-cocycles are mapssuch that for all σ, τ ∈ G K we haveand 1-coboundaries are mapssuch that there exists an element m ∈ M withfor all σ ∈ G K .c : G K → Mc(στ) =c(σ)+σc(τ)c : G K → Mc(σ) =σ · m − m

§ 6.3 Pairings over local fields 117Let P ∈ A(K). There exists a point Q ∈ A ( K ) such that [n]Q = P .Defineδ ′ (P ):G K → A ( K ) [n]σ ↦→ σ · Q − Q.We easily check that δ ′ (P ) is a 1-cocycle with image in A ( K ) [n] and that another choice of Q ′ with[n]Q ′ = P changes this cocycle by a coboundary and so we get a well defined map from A(K)to H 1 ( G K ,A ( K ) [n] ) . Another immediate check shows that the kernel of this map is exactly[n]A(K). This explains the first part of the Kummer sequence.We now use the injection of A ( K ) [n] into A ( K ) to interpret cocycles with values in A ( K ) [n]as cocycles with values in A ( K ) . Going to the quotient modulo coboundaries gives the map α.Since the arguments of the induced cocycles are points of order n it follows that the image of α iscontained in the subgroup of H 1 ( G K ,A ( K )) , which is annihilated by the map “multiplication byn.”We can check, either directly or by using properties of cohomology, that α is surjective and thatthe kernel of α is equal to the image of δ.Next we use that A ( K ) [n] is self-dual as a G K -module under the Weil pairing, which we denoteby W n . We obtain a cup product∪ : H 1 ( G K ,A ( K ) [n] ) × H 1 ( G K ,A ( K ) [n] ) → H 2( G K , K ∗ )[n]in the following way:Represent ζ 1 ,ζ 2 ∈ H 1 ( G K ,A ( K ) [n] ) by cocycles c 1 ,c 2 .Thenζ 1 ∪ζ 2 is the cohomology classof the 2-cocyclec : G K × G K → K ∗given byc(σ 1 ,σ 2 ):=W n(c1 (σ 1 ),c 2 (σ 2 ) ) .This map ∪ is bilinear.We can apply this to a point P ∈ A(K) and a cohomology class γ ∈ H 1 ( G K ,A ( K )) [n] todefine the Tate pairing〈· , ·〉 T,n : A(K)/nA(K) × H 1 ( G K ,A ( K )) [n] → H 2( G K , K ∗ )[n]by〈P + nA(K),γ〉 T,n = δ ( P + nA(K) ) ∪ α −1 (γ).It is routine to check that 〈· , ·〉 T,n is well defined and bilinear.Remark 6.2 The Tate pairing relates three very interesting groups occurring in Arithmetic Geometry:the Mordell–Weil group of A, the first cohomology group of A, which can be interpretedas group of principally homogeneous spaces over A, andH 2( G K , K ∗ ),theBrauer group of theground field K, which can be interpreted as group of classes of central simple algebras with centerK with the class of full matrix groups as neutral element.6.3 Pairings over local fieldsWe now assume that K is a local field (e.g., a p-adic field) with finite residue field F q .

118 Ch. 6 Background on Pairings6.3.1 The local Tate pairingWe have the beautiful result of Tate [TAT 1958]:Theorem 6.3 Let A be a principally polarized abelian variety over K, e.g., A = J C .Let〈· , ·〉 T,n : A(K)/nA(K) × H 1 ( G K ,A ( K )) [n] → H 2( G K , K ∗ )[n]be the Tate pairing as defined above. Then 〈· , ·〉 T,n is a nondegenerate Z-bilinear map.It is thus certainly worthwhile to study in more detail the groups that are involved.To simplify the situation we shall assume that A has good reduction, i.e., we find equations forA with coefficients in the ring of integers of K whose reductions modulo the valuation ideal of Kagain define an abelian variety over F q . This situation is typical for the applications that we havein mind. In fact we shall begin with an abelian variety over F q and then lift it to an abelian varietyover K. This motivates a change of notation: A ↦→ à and the reduction of à is now denoted by A.Let us consider the first group occurring in Tate duality. Using Hensel’s lemma we getÃ(K)/nÃ(K) ≃ A(F q)/nA(F q ).Remark 6.4 If we assume that n = l is a prime and that A(F q ) has no points of order l 2 thenA(F q )/lA(F q ) is isomorphic to A(F q )[l] in a natural way.We now come to the discussion of H 1 ( G K ,A ( K )) [n]. Since unramified extensions of K do notsplit elements in this group we can use a well-known inflation-restriction sequence to change ourbase field from K to the maximal unramified extension K ur of K, compute the cohomology groupover this larger field, and look for elements that are invariant under the Galois group of K ur /Kwhich is topologically generated by (a canonical lift of) the Frobenius automorphism φ q of F q .Note that this automorphism acts both on G ( K/K ur) and on A[n] =A(K ur )[n].Let K tame be the unique cyclic extension of K ur of degree n (which has to be fully ramified).We obtainProposition 6.5 The first cohomology group H ( 1 G K ,A ( K )) [n] is equal to the group of elementsinHom ( G(K tame /K ur ),A[n] ) ,which are invariant under the natural action of the Frobenius automorphism.After fixing a generator τ of G(K tame /K ur ) we can identifyψ ∈ Hom(G(K tame /K ur ),A[n])withψ(τ) =:P τ ∈ A[n]and hence Hom(G(K tame /K ur ),A[n]) with A[n].Warning: The identification of Hom(G(K tame /K ur ),A[n]) with A[n] is, in general, not compatiblewith Galois actions. Here the cyclotomic character becomes important: over K(µ n ) we canrealize a ramified cyclic extension K n of degree n by choosing an n-th root t of a uniformizing elementπ of K. Sinceτ maps t to ζ n t for some n-th root of unity ζ n and the Frobenius automorphismφ q maps ζ n to ζn q we deduce that φ q operates on 〈τ〉 by conjugation, sending τ to τ −q .Corollary 6.6 The first cohomology group H 1 ( G K ,A ( K )) [n] can be identified with the subgroupA 0 of points in A[n] defined byA 0 = {P ∈ A[n] | φ q (P )=[q]P }.

§ 6.3 Pairings over local fields 119We summarize what we have found up to now in the case where n is a prime l.Proposition 6.7 Let K be a local field with residue field F q ,letA be an abelian variety definedover F q ,letl be a prime number not dividing q, and assume that A(F q ) contains no elements oforder l 2 .DefineA 0 = {P ∈ A[l] | φ q (P )=[q]P }.The Tate pairing induces a nondegenerate pairing〈· , ·〉 T,l : A(F q )[l] × A 0 → Br(K)[l].Corollary 6.8 Under the assumptions of the propositions we get that A 0 is (as an abelian group)isomorphic to A(F q )[l].Example 6.9 Assume that A[l](F q ) is cyclic of order l and generated by P .1. Assume that l | (q − 1). Then A 0 = A[l](F q ),and〈P, P〉 Fq,l ≠0.2. Assume that l ∤ q − 1. Then φ with φ(τ) = P is not in H 1 ( G K ,A ( K )) [l]. Inparticular ”〈P, P〉 T,l ” is not defined. Of course we can extend the ground field untilthe pairing over these larger fields permits the argument (P, P). But the value will thennecessarily be equal to 0.Example 6.10 If A[l](F q ) is not cyclic and l | q − 1 then for all points P, Q ∈ A[l](F q ) we canform 〈P, Q〉 T,l but it is not clear whether there is a P with 〈P, P〉 T,l ≠0.We now come to the discussion of the Brauer group. First one hasTheorem 6.11 The Brauer group of K is (canonically) isomorphic to Q/Z.More precisely, there is a map, the invariant map inv K , such that for all n ∈ N we have anisomorphisminv :Br(K)[n] → Z/nZ.Thus computations in Br(K) boil down to the computation of the invariant map. A further studyof the theory of local fields shows that this is closely related to the computation of the discretelogarithm in F ∗ q (see [NGU 2001]).This becomes more obvious if we replace F q by F q (µ n )=F q k with k minimal such that n |(q k −1). PutK 1 = K(µ n ) and let K n be a cyclic ramified extension of degree n of K 1 .Thevalueofthe Tate pairing is then in H 2 (G(K n /K),Kn ∗ )[n], and elementary computations with cohomologygroups yield that this group is isomorphic (canonically after the choice of τ) toF ∗ q/ ( ) n.F ∗ k q kProposition 6.12 Let n be equal to a prime number l, andletk be as above. Assume that A(F q )contains no points of order l 2 .TheTatepairinginduces a pairing〈· , ·〉 T,l : A[l](F q ) × A[l](F q k) → F ∗ q k/( F ∗ q k ) lwhich is nondegenerate on the left, i.e., if 〈P, Q〉 T,l =0for all Q ∈ A[l](F q k) then P =0.6.3.2 The Lichtenbaum pairing on Jacobian varietiesIn Proposition 6.12 we have described a pairing that can, in principle, be used to transfer the discretelogarithm from A[l](F q ) to F ∗ q k / ( F ∗ q k ) l. However, looking at the conditions formulated inSection 1.5.2 we see that one crucial ingredient is missing: we must be able to compute the pairingvery fast.

120 Ch. 6 Background on PairingsThe next two sections are devoted to this goal in the case that we are interested in.We come back from the general theory of abelian varieties to the special theory of Jacobianvarieties J C of projective curves C of genus g over finite ground fields F q .We want to use the duality theory over local fields and so we lift C to a curve ˜C of genus g overthe local field K with corresponding abelian variety J eC . We remark that the reduction of J eC is J C .The central part of the construction of the Tate pairing was the construction of a 2-cocycle fromG 2 K into K∗ . For a point P ∈ J eC (K) and an element γ ∈ H 1 ( G K ,J eC(K))[n] we choose a1-cocycle c in α −1 (γ) and definec(σ 1 ,σ 2 )=W n(δ ′ (P )(σ 1 ),c(σ 2 ) )where δ ′ and α are the maps defined in Section 6.3.1 and W n is the Weil pairing.In his paper [LIC 1969] Lichtenbaum used sequences of divisor groups of curves to define apairing in the following way.Put C __= ˜C × K. We have discussed the group of divisor classes of degree 0 of C __together withthe action of G K on this group in Section 4.4.4. As a consequence we get the exact sequence ofG − K-modules (see 6.1)1 → Princ __C → Div 0__C → Pic0__ C → 0.We can apply cohomology theory to this sequence and obtain a mapδ 1 : H 1 (G K , Pic 0__C ) → H2 (G K , Princ C)__which associates to γ ∈ H 1 (G K , Pic 0__C ) a 2-cocycle from G2 __K to Princ C.In other words, given γ we find for each pair (σ 1 ,σ 2 ) ∈ G K a function f σ1,σ 2∈ K ( C) __such thatthe class of (f σ1,σ 2;(σ 1 ,σ 2 ) ∈ G K ) is equal to δ 1 (γ).Definition 6.13 The notations are as above. Let c ∈ Pic 0 e Cbe a K-rational divisor class of degree 0with divisor D ∈ c.The Lichtenbaum pairing〈· , ·〉 L :Pic 0 e C× H 1 (G K , Pic 0__C) → H 2 (G K , K ∗ )maps (c, γ) to the class in H 2 (G K , K ∗ ) of the cocyclegiven byG 2 K → K∗(σ 1 ,σ 2 ) ↦→ f σ1,σ 2(D) .(Here D has to be chosen such that it is prime to the set of poles and zeroes of f σ1,σ 2,whichisalways possible.)Since we have seen that J C(K)=Pic0 __C we can compare Tate’s pairing with 〈· , ·〉 L .Itisshownin [LIC 1969, pp. 126-127], that the two pairings are the “same” in the following sense.Proposition 6.14 For all natural numbers n denote by 〈· , ·〉 L,n the pairing induced by 〈· , ·〉 L onPic 0 C e/nPic 0 C e × H 1 (G K , Pic 0__C)[n].Then 〈· , ·〉 L,n is equal (up to sign) to the Tate pairing 〈· , ·〉 T,n applied to the abelian variety J eC .In fact, Lichtenbaum uses this result to prove nondegeneracy of his pairing for a local field K.The importance of Lichtenbaum’s result for our purposes is that we have a description of theTate pairing related to Jacobian varieties that only uses objects directly defined by the curve ˜C. Inparticular the Weil pairing has completely disappeared.

§ 6.3 Pairings over local fields 121We can now use the general considerations given in Section 6.3.1 and come to the final version ofthe pairing in the situation that we are interested in.Thus we come back to a curve C defined over F q , choose a lifting to ˜C over K, and compute thegroups occurring in the pairing. As a result we shall obtain a pairing that only involves the curve Citself.The first group can be identified with Pic 0 C/nPic 0 C. To avoid trivial cases we shall assume thatthis group is nontrivial, i.e., that Pic 0 C contains elements of order n.The group H 1 (G K , Pic 0__C )[n] can be identified with the subgroup J 0 of points in Pic 0__C [n] definedbyJ 0 = { c ∈ Pic 0__C [n] | φ q(c) =[q]c } .A first application of these results is that we can describe the Lichtenbaum pairing by Galois cohomologygroups related to a finite extension of K. We first enlarge K to a field K 1 that is unramifiedand such that over its residue field all elements of J 0 are rational. Automatically K 1 contains then-th roots of unity. It follows that there exists a cyclic ramified extension K n of degree n of K 1 .The image of the pairing 〈·, ·〉 L,n will be contained in H 2 (G(K n /K 1 ),Kn). ∗ Let us fix a generatorτ of the Galois group of K n /K 1 . We identify γ in H 1 (G K , Pic 0__C)[n] with the class of thecocycle ζ from G(K n /K 1 ) given byζ(τ i )=[i]˜c for 0 i n − 1,where ˜c ∈ Pic 0 e C×Kn[n] is a lift of c ∈ J 0 .The image of γ under the map δ 1 will be a 2-cocycle mapping from 〈τ〉 ×〈τ〉 to Princ eC×Knwhich we must describe. Choose a divisor D ∈ ˜c rational over K 1 . Thus iD ∈ ζ ( τ i) .By definitionδ 1 (γ) ( τ i ,τ j) = τ i jD − r i+j D + jDfor 0 i, j n − 1,wherer i+j is the smallest nonnegative residue of i + j modulo n.Since τD = D it follows that δ 1 (γ) ( τ i ,τ j) =0for i + j

122 Ch. 6 Background on Pairings6.4 An explicit pairing6.4.1 The Tate–Lichtenbaum pairingWe have done all the necessary work so as to be able to describe the Tate pairing in the Lichtenbaumversion for abelian varieties, which are Jacobian varieties of projective curves, in a very elementaryand explicit manner as promised in the beginning of this section. In order to use it, no knowledgeof the preceding sections is necessary. In fact, even the proof of the following theorem can be givenwithout using Galois cohomology and liftings to local fields by a clever application of Kummertheory to function fields over finite fields (cf. [HES 2004]). Nevertheless we think that it may beinteresting for some readers to see the structural background involved.Theorem 6.15 Let F q be the field with q elements, let n be a number prime to q, andletk ∈ N beminimal with n | (q k − 1). LetC be a projective irreducible nonsingular curve of genus g definedover F q with a rational point.DefineJ 0 := {c ∈ Pic 0 C×F q[n] | φ q (c) =[q]c}.There exists a nondegenerate bilinear mapT n :Pic 0 C/[n]Pic 0 C × J 0 → F ∗ q k/( F ∗ q k ) ndefined in the following way:For c 1 ∈ Pic 0 C and c 2 ∈ J 0 we choose divisors E ∈ c 1 and D ∈ c 2 rational over F q respectivelyF q k such that no point P of C occurs both in E and in D. Letf D be a function on C rational overF q k with principal divisor nD.ThenT n (c 1 ,c 2 )=f D (E) ( F ∗ ) n.q kDefinition 6.16 The Tate–Lichtenbaum pairing is the bilinear mapdescribed in Theorem 6.15.T n :Pic 0 C /[n]Pic0 C × J 0 → F ∗ q k/( F ∗ q k ) nLet us consider this pairing from a computational point of view. It is not difficult to find divisors Dand E for given c 1 , c 2 .However,forlargen it is not obvious how to find f D and how to evaluate itat E. In Chapter 16 we shall give a polynomial-time algorithm to perform this computation. Herewe describe very briefly the theoretical background of this algorithm.We must solve the following task: Let C be a curve of genus g defined over some ground field Kwith a K-rational point P 0 ,letE be a K-rational divisor of degree 0 on C and c a K-rational divisorclass of degree 0 and of order n on C. LetD 1 = A 1 −gP 0 ∈ c be a divisor, where A 1 is an effectivedivisor of degree g. Any multiple [i]c can be represented in a similar way by D i = A i − gP 0 .Weassume that the support of E is prime to the support of all divisors D i . In particular the divisornD 1 is the principal divisor of a function f on C, which has no poles and zeroes at the points of thesupport of E. Hence c(E) =f(E) is a well defined element of K ∗ .We want to compute this element fast, and we follow an idea that for elliptic curves has beendescribed by Miller in an unpublished manuscript [MIL 1986] (now published in [MIL 2004]), andwhich, in the general case, is inspired by Mumford’s theory of Theta groups of abelian varieties.The basic step for the computation is the following. For given positive divisors A, A ′ of degree gfind a positive divisor B of degree g and a function h on C such that A + A ′ − B − gP 0 =div(h).

§ 6.4 An explicit pairing 123Define the following group law on 〈c〉×K ∗ :(ic, a 1 ) ◦ (jc,a 2 ):= ( (i + j)c, a 1 a 2 h i,j (E) ) ,with A i + A j − A i+j − gP 0 =div(h i,j ). The assumptions on E guarantee that each h i,j (E) ∈ K ∗ ,and the degree of h i,j is at most equal to g. It can be easily seen by induction that m · (c, 1) =(mc, hm−1 (E) ) ,whereh m−1 is a function on C satisfying mA − A m−1 − (m − 1)gP 0 =div(h m−1 ). It follows that repeating n times this process gives the result ( 0,f(E) ) ,wheref isa function on C such that div(f) =nD 1 .We can now use the group structure on 〈c〉×K ∗ and apply the square and multiply algorithm toevaluate f at E in O(lg n) basic steps.Corollary 6.17 The Tate–Lichtenbaum pairing T n can be computed in O(lg n) basic steps over F q k.Remark 6.18 By a clever choice of P 0 we can accelerate the computation. For instance, withhyperelliptic curves, we shall choose the point at infinity P ∞ .6.4.2 Size of the embedding degreeRecall that n is a number prime to q. The embedding degree (with respect to n) is the smallestnumber k such that n | q k − 1.The above result is of practical importance only if k is small.In general, the necessary conditions for C such that Pic 0 C has elements of order l rational over F qwith l in a cryptographically interesting range, and the conditions for q that for a small k the fieldF q k contains l-th roots of unity, will not be satisfied at the same time.To see this we look at χ(φ q k ) C (T ), the characteristic polynomial of φ q k. Its zeroes (λ 1 ,...,λ 2g )are integers in a number field K and we order them so that λ i λ g+i = q for 1 i g, whichisalways possible (cf. Proposition 5.75).Since Pic 0 C has elements of order l there exists an eigenvalue λ i of φ q such that a prime ideal lof K dividing (l) divides (1 − λ i ). Of course this implies that for all natural numbers d the ideal ldivides (1 − λ d i ).Now assume that F q k contains the l-th roots of unity and hence that q k ≡ 1(modl). Sinceλ k i λk g+i = qk ≡ 1(modl) we get that the prime ideal l divides simultaneously (1 − λ k i ) and(1 − λ k g+i ) and so λ k i + λk i+g ≡ 2 (mod l).For elliptic curves this yieldsProposition 6.19 Let E be an elliptic curve defined over F q and l a prime such that l divides|E(F q )|. Let φ q be the Frobenius endomorphism acting on E[l]. The corresponding discretelogarithm in E(F q )[l] can be reduced to the discrete logarithm in F ∗ q k [l] by the use of the Tate–Lichtenbaum pairing if and only if the characteristic polynomial of the endomorphism φ k q on E iscongruent to T 2 − 2T +1modulo l.Avoiding elliptic curves with small k is easy. For randomly chosen elliptic curves E we can expectthat k will be large.But there is an important class of special elliptic curves for which k is always small: the supersingularelliptic curves. The crucial facts that we use are that the characteristic p of F q divides thetrace of the Frobenius acting on supersingular elliptic curves E and that their absolute invariant j Elies either in F p or in F p 2 [LAN 1973].

124 Ch. 6 Background on PairingsLet us discuss the easiest case in detail. We assume that p>3 and j E ∈ F p .LetE 0 be an ellipticcurve defined over F p with invariant j E .LetT 2 − aT + p be the characteristic polynomial of φ p onE 0 . We know that a = λp with λ ∈ Z. The estimate|1 − λp + p| 2 √ p +(p +1) with λ ∈ Zimplies that λ =0, hence the eigenvalues λ 1 ,λ 2 of φ p acting on E 0 satisfyλ 1 = −λ 2and λ 1 λ 2 = p√hence λ i = + − −p.Assume now that q = p d .SinceE becomes isomorphic to E 0 over F q 2 the characteristic polynomialof the Frobenius endomorphism on E over F q 2 is equal toT 2 − (λ 2d1 + λ 2d2 )+q 2 = T 2 − 2λ 2d1 + λ 4d1 =(T − λ 2d1 ) 2 .Since by assumption E(F q ) has elements of order l, we obtain that l divides (1 − λ 2d1 ).Since λ 2 1 = −λ 1λ 2 = −p it follows that l divides 1 − (−p) d . But this implies that k =1if d iseven, and k =2if d is odd.The other cases can be treated by similar considerations. As a result we obtainProposition 6.20 Let E be a supersingular elliptic curve over F q with q = p d . Assume that E hasa F q -rational point of order l. Letk be the smallest natural number such that l | q k − 1. Then• in characteristic 2 we have k 4,• in characteristic 3 we have k 6,• over prime fields F p with p 5 we have k 2,and these bounds are attained.In general we haveTheorem 6.21 There is an integer k(g) such that for all finite fields F q and for all supersingularabelian varieties of dimension g over F q we have k k(g).The number k(g) can be found in [GAL 2001a] and in Section 24.2.2.

Chapter Background on Weil DescentGerhard Frey and Tanja LangeContents in Brief7.1 Affine Weil descent 1257.2 The projective Weil descent 1277.3 Descent by Galois theory 1287.4 Zariski closed subsets inside of the Weil descent 129Hyperplane sections • Trace zero varieties • Covers of curves • The GHSapproachWeil descent — or, as it is alternatively called — scalar restriction, is a well-known technique inalgebraic geometry. It is applicable to all geometric objects like curves, differentials, and Picardgroups, if we work over a separable field L of degree d of a ground field K.It relates t-dimensional objects over L to td-dimensional objects over K. As guideline the readershould use the theory of algebraic curves over C, which become surfaces over R. This example,detailed in Section 5.1.2, already shows that the structure of the objects after scalar restriction canbe much richer: the surfaces we get from algebraic curves carry the structure of a Riemann surfaceand so methods from topology and Kähler manifolds can be applied to questions about curves overC.This was the reason to suggest that Weil descent should be studied with respect to (constructiveand destructive) applications for DL systems [FRE 1998]. We shall come to such applications inSections 15.3 and 22.3.In the next two sections we give a short sketch of the mathematical properties of Weil descent.The purpose is to provide a mathematical basis for the descent and show how to construct it. Fora thorough discussion in the frame of algebraic geometry and using the language of schemes, werefer to [DIE 2001].7.1 Affine Weil descentWe begin with the easiest case. Let V be an affine variety in the affine space A n L over L defined bym equationsF i (x 1 ,...,x n )=0;i =1,...,m125

126 Ch. 7 Background on Weil Descentwith F i (x) ∈ L[x 1 ,...,x n ].WewanttofindanaffinevarietyW L/K (V ) defined over K with the following properties:(W1) For any field K ′ ⊂ K for which the degree of L · K ′ over K ′ is equal to d (i.e., K ′is linearly disjoint from L over K) we have a natural identification of W L/K (V )(K ′ )with V (L · K ′ ).(W2) The variety W L/K (V ) L obtained from W L/K (V ) by base extension from K to L isisomorphic to V d ,thed-fold Cartesian product of V with itself.To achieve this we choose a basis {u 1 ,...,u d } of L as K-vector space. Then we define the ndvariables y i,j byx i = u 1 y 1,i + ···+ u d y d,i , for i =1,...,n.We replace the variables x i in the relations defining V by these expressions.Next we write the coefficients of the resulting relations as K-linear combinations of the basis{u 1 ,...,u d } and order these relations according to this basis. As result we get m equations of theformG i (y) =g i,1 (y)u 1 + ···+ g i,d (y)u d =0with g i,j ∈ K[y 1,1 ,...,y n,d ]. Because of the linear independence of the elements u i and becauseof condition W1 we see that we have to define W as the Zariski closed subset in A nd given by themd equationsg i,j (y) =0.Proposition 7.1 Let V and W be as above. Then W is an affine variety defined over K satisfyingthe conditions W1 and W2. So W is the Weil descent W L/K (V ) of V .Example 7.2 Let V be equal to the affine space of dimension n over L with coordinate functionsx 1 ,...,x n .Then W L/K (V )=A nd with coordinate functions y i,j defined byx i = u 1 y 1,i + ···+ u d y d,i .As a special case, take L = C and K = R, n =1, and take as complex coordinate function thevariable z and as basis of C/R, the elements 1,iwith i 2 = −1.As usual we choose real variables x, y satisfying the identityz = x + iy.A polynomial or more generally a rational function G(z) in z gives rise to a function in G R (x, y)that we can interpret as a function from R 2 to C. We separate its real and imaginary part and getG(z) =g 1 (x, y)+ig 2 (x, y).Example 7.3 Assume that L = K(α) with {1,α,α 2 } abasisofL/K and α 3 = b ∈ K and assumethat char(K) ≠3.Take the affine part of the elliptic curve given by the equationE a : x 2 1 − x3 2 − 1=0.Replace x i by y 1,i + αy 2,i + α 2 y 3,i to get the equation(y1,1 + αy 2,1 + α 2 y 3,1) 2−(y1,2 + αy 2,2 + α 2 y 3,2) 3− 1=0.

§ 7.2 The projective Weil descent 127This yields the following system of equationsy 2 1,1 +2by 2,1 y 3,1 − y 3 2,1 − b 2 y 3 3,2 − by 3 2,3 − 6by 1,2 y 2,2 y 3,2 − 1 = 0by 2 1,3 +2y 1,1 y 2,1 − 3y 2 1,2y 2,2 − 3by 2 2,2y 3,2 − 3by 1,2 y 2 3,2 = 0y 2 1,2 +2y 1,1y 3,1 − 3y 2 1,2 y 3,2 − 3y 1,2 y 2 2,2 − 3by 2,2y 2 3,2 = 0which defines the Weil descent W L/K (E a ) of E a .Remark 7.4 The example is interesting since it is an open affine part of an abelian variety of dimension3 defined over K, whose rational points are in a natural way equal to the L-rational pointsof the elliptic curve E.7.2 The projective Weil descentHaving defined the Weil descent for affine varieties we proceed in the usual way to define it forprojective varieties V defined over L, which are embedded in some projective space P n L .We cover V by affine subvarieties V i and apply the restriction of scalars to the V i to get a collectionof affine varieties W L/K (V i )=:W i over K. The varieties V i are intersecting in Zariskiopen parts of V and there are rational maps from V i to V j induced by the rational maps between thedifferent embeddings of the affine space A n L into Pn L (cf. Example 4.44). By using the functorialityproperties of the Weil descent (or by a direct computation in the respective coordinates as in theexamples) one concludes that the affine varieties W i can be glued together in a projective space(which is the Weil descent of P n L ). If we take the coverings fine enough we get as a result of thegluing process a projective variety W L/K (V ).Warning. Not every cover of V by affine subvarieties V i has the property that the varietiesW L/K (V i ) cover W L/K (V ). For instance let E be a plane projective elliptic curve given by theequationE : Y 2 Z = X 3 + a 4 XZ 2 + a 6 Z 3 .Then E is covered by the affine curves E 1 and E 2 one gets by intersecting P 2 L with the open partsfor which Z ≠0(respectively Y ≠0) holds. But we also need E 3 , which is the intersection ofE with the open part of P 2 defined by X ≠0to get W L/K (E) by the gluing procedure describedabove.There is another complication if we want to describe the projective variety W L/K (V ) explicitlyas a subvariety of the projective space P N : the dimension of this space can become rather large.Here is an estimate for this dimension:Lemma 7.5 Let V be a projective variety embedded into P n L .ThenW L/K(V ) can be embedded (ina canonical way) into P (n+1)d −1 .This lemma follows from the construction via affine covers and the application of the Segre map(cf. Examples 4.13 and 4.25) of products of projective spaces into a projective space.We can summarize our results and get the following theorem:Theorem 7.6 Let L/K be a finite separable field extension of degree d. Let V be an affine ora projective variety defined over L. The Weil restriction W L/K (V ) satisfies the properties W1and W2. If V is affine (respectively projective) and has dimension t then W L/K (V ) is an affine(respectively projective) variety defined over K of dimension td.Again by functoriality properties one can conclude that the Weil restriction of an algebraic group isagain an algebraic group. Hence we get:

128 Ch. 7 Background on Weil DescentCorollary 7.7 The Weil restriction of an abelian variety A over L is an abelian variety W L/K (A)over K.Let A 1 be a Zariski-open nonempty affine subvariety of A. ThenW L/K (A 1 ) is an affine Zariskiopennonempty subvariety of W L/K (A) and hence it is birationally equivalent to W L/K (A).This corollary justifies Remark 7.4.7.3 Descent by Galois theoryIn the last sections we have introduced an explicit method to construct the Weil descent of varietiesby using affine coordinates. The advantage of this approach is the explicit definition of the Weildescent by equations. The disadvantage is that the number of variables and the number of relationsgrow and so the description becomes very complicated. This is especially striking if we want toapply the descent to projective varieties or if the degree of L/K is not small. For many purposesit is enough to have the Weil descent and its properties as background. Then we apply it usingdefinitions by Galois theory as this is much more elegant.This approach becomes most natural if we assume that L/K is a Galois extension with relativeGalois group G(L/K) =G. Note that for us the most important case is that K and L are finitefields and then this assumption is always satisfied.Let V be a variety defined over L and let σ ∈ G be an automorphism of L fixing K.We want to define the image of V under σ. We assume that V is affine. If V is projective one canproceed in a completely analogous way.We choose affine coordinate functions x =(x 1 ,...,x n ) of A n L and define the points on V asthe set of zeroes of the equations defining V as usual. Let I be the prime ideal generated by theseequations in L[x]. We apply σ to the coefficients of rational functions F in L(x) and denote by σ ·Fthe image.The ideal I σ := σ · I is again a prime ideal in L[x] and so it defines an affine variety V σ over L.Let us extend σ to an automorphism ˜σ of K. By definition we get ˜σ · I = σ · I and so V ˜σ = V σdoes not depend on the choice of the extension. Let P be a point in V (K). Then˜σ(P ) is a point inV σ (K) and conversely. So V σ (K) =˜σ · V (K).For all points Q ∈ V σ (K) and f ∈ L(V ) we get the identity(σ · f)(Q) =˜σ ( f (˜σ −1 (Q) )) .In particular, it follows that we can interpret σ · f as rational function on V σ .We apply this to the functions x i . To clarify what we mean, we denote by x i,σ the function onV σ induced by the coordinate function x i , i.e., x i,σ is the image of x i in L[x]/(σ · I). We get: letP be a point in V and let x i (P ) be the value of the i-th coordinate function on V applied to P .Letx i,σ be the i-th coordinate function on V σ .Thenx i,σ = σ · x i and the value of x i,σ applied to ˜σ(P )is equal to ˜σ(x i (P )).All these considerations are near to tautological statements but they allow us to define an actionof the absolute Galois group G K of K on the varietyW := ∏ σ∈GV σ .Indeed let P := (...,P σ ,...) σ∈G , with P σ ∈ V σ (K), be a point in W (K). Let˜τ be an elementof G K whose restriction to L is equal to τ. Then˜τ(P ):=(...,Q σ ,...) σ∈G with Q σ =˜τ(P τ −1 ◦σ).

§ 7.4 Zariski closed subsets inside of the Weil descent 129Theorem 7.8 The variety W is equal to the Weil restriction W L/K (V ).Proof. To prove this theorem we check the properties characterizing the Weil descent.First W is a variety defined over L. As we have seen its set of points is invariant under the actionof G K .SoW is a variety defined over K.A point P ∈ W is K-rational if and only if it is L-rational and for all τ ∈ G we haveτ(P τ −1 ◦σ) =P σ .Taking τ = σ −1 this means that P σ = σ −1 P Id for all σ ∈ G with P ∈ V (L). It follows thatW (K) =V (L).Next we extend the ground field K to L and look at W L . On the Galois theoretic side this meansthat we restrict the Galois action of G K on W to an action of G L . But this group leaves each V σinvariant and so W L is isomorphic to ∏ σ∈G V = V d .We shall be interested in the special case that K = F q and L = F q d.Corollary 7.9 Let V be a (projective or affine) variety defined over F q d of dimension t. For i =0,...,d− 1 let V i be the image of V with respect to φ i q (cf. Proposition 5.67).ThenW (V ):=is a variety defined over F q of dimension td which is K-isomorphic to W Fq d /F q(V ).If V is affine (respectively projective) then W (V ) is an affine (respectively projective) varietydefined over K.If V is an abelian variety over F q d then W (V ) is an abelian variety over F q .The action of φ on W (V ) is given as follows: Let P =(...,P i ,...) be a point in W (V )(K).Then φ q (P )=(...,Q i ,...) with Q i = φ q (P ) (i−1 modd) .Remark 7.10 In general the Weil restriction of a Jacobian variety is not a Jacobian variety.d−1∏i=0V i7.4 Zariski closed subsets inside of the Weil descentAs mentioned already, one main application of the Weil descent method is that in W L/K there areZariski closed subsets which cannot be defined in V .In the following we shall describe strategies to find such subsets.7.4.1 Hyperplane sectionsTo simplify the discussion we assume that V is affine with coordinate functions x 1 ,...,x n and wetake the description of W L/K (V ) given in Proposition 7.1. There we have introduced nd coordinatesfunctions y i,j for W L/K (V ) byx i = u 1 y 1,i + ···+ u d y d,i , for i =1,...,n,where {u 1 ,...,u d } is a basis of L/K. TakeJ ⊂{1,...,d}×{1,...,n} and adjoin the equationsy i,j =0 for (i, j) ∈ J to the equations defining W L/K (V ).The resulting Zariski closed set inside of W L/K (V ) is denoted by W J . It is the intersection ofthe Weil restriction of V with the affine hyperplanes defined by y i,j =0;(i, j) ∈ J.“In general” we can expect that W J is again a variety over K of dimension td −|J|.

130 Ch. 7 Background on Weil DescentExample 7.11 Let E be an elliptic curve defined over L given by a Weierstraß equationE : x 2 1 + a 1 x 1 x 2 + a 3 x 1 = f(x 2 ),where f is monic of degree 3. Take1 m d − 1 and J = {1,...,m}×{2}.Then W J (K) consists of all points in E(L) whose x 2 -coordinate is a K-linear combination ofthe elements u 1 ,...,u m .Remark 7.12 This example is the mathematical background of a subexponential attack to the discretelogarithm in elliptic curves over nonprime fields found recently by Gaudry and Diem (cf.Section 22.3.5).7.4.2 Trace zero varietiesWe assume for simplicity that L = F q d and K = F q and we use the Galois theoretic description ofthe Weil descent.Let V be a variety defined over K. So we get V φq = V . Note that nevertheless W Fq d /F q(V )is not F q -isomorphic to V d because of the twisted Galois operation. But we can embed V intoW Fq d /F q(V ) as diagonal:Map the point P ∈ V (K) to the point (...,φ i q (P ),...) ∈ ∏ d−1i=0V . By this map we can identifyV with a subvariety of W Fq d /F q(V ).Now assume in addition that V = A is an abelian variety. Then we find a complementary abeliansubvariety to A inside of W Fq d /F q(A).We use the existence of an automorphism π of order d of W Fq d /F q(A) defined byP =(...,P i ,...) ↦→ π(P )=(...,Q i ,...) with Q i = P i−1 modd .The map π is obviously an automorphism over F q d. To prove that π is defined over F q we have toshow that π commutes with the action of φ q .Butπ(φ q (P )) = (..., Q ′ i ,...) with Q′ i = φ q(Q i−2 modd )( )and this is equal to φ q π(P ) .Denote by A 0 the kernel of the endomorphism ∑ d−1i=0 πi .ItisanabeliansubvarietyofA and it iscalled the trace zero subvariety of A. Note that the intersection set of A — embedded as diagonalinto W Fq d /F q(A) — with A 0 consists of the points of A of order dividing d, andtheF q -rationalpoints of A 0 are the points P in A(F q d) with Tr(φ q )(P )=0.To see that A and A 0 generate W Fq d /F q(A) we use that A is the kernel of π − Id and that A 0contains (π − Id) ( W Fq d /F q(A) ) .We summarize:Proposition 7.13 Let A be an abelian variety defined over F q . We use the product representationof W Fq d /F q(A) and define π as automorphism induced by a cyclic permutation of the factors. Thenwe have the following results:1. A can be embedded (as diagonal) into W Fq d /F q(A). Its image under this embedding isthe kernel of π − Id.2. The image of π − Id is the trace zero subvariety A 0 .3. The F q -rational points of A 0 are the images of points P ∈A(F q d) with Tr(π)(P )=0.4. Inside of W Fq d /F q(A) the subvarieties A and A 0 intersect in the group of points of A oforder dividing d.

§ 7.4 Zariski closed subsets inside of the Weil descent 131For an example with A = E an elliptic curve and d =3we refer to [FRE 2001]; for A = J C beingthe Jacobian of a hyperelliptic curve C,see[LAN 2004c]. We further investigate these constructiveapplications of Weil descent in Section 15.3.7.4.3 Covers of curvesLet C be a curve defined over F q d with Jacobian variety J C . We want to apply Weil descent to getinformation about Pic 0 C from W Fq d /F q(J C )(F q ).Here we investigate the idea of looking for curves C ′ defined over F q that are embedded intoW Fq d /F q(J C ). Then the Jacobian of C ′ has W Fq d /F q(J C ) as a factor and we can use informationabout Pic 0 C to study ′ Pic0 C. Of course this is only a promising approach if the genus of C ′ is not toolarge.One can try to construct C ′ directly, for instance, by using hyperplane sections. But it is veryimprobable that this will work if we are not in very special situations. Hence, it is not clear whetherthis variant can be used in practice. But this approach leads to interesting mathematical questions:• Which abelian varieties have curves of small genus as sub-schemes?• Which curves can be embedded into Jacobian varieties of modular curves?• Which curves have the scalar restriction of an abelian variety (e.g., an elliptic curve) asJacobian?In [BODI + 2004] one finds families of curves for which the last question is answered positively.7.4.4 The GHS approachIn practice another approach is surprisingly successful. Aprioriit has nothing to do with Weildescent, but as a background and in order to prove results the Weil descent method is useful.Let L be a Galois extension of the field K. In our applications we shall take L = F q d andK = F q . Assume that C is a projective irreducible nonsingular curve defined over L, andD is aprojective irreducible nonsingular curve defined over K.Letϕ : D L → Cbe a nonconstant morphism defined over L. As usual we denote by ϕ ∗ the induced map from Pic 0 Cto Pic 0 D L. It corresponds to the conorm map of divisors in the function fields ϕ ∗( L(C) ) ⊂ L(D L ).Next we use the inclusion K(D) ⊂ L(D L ) to define a correspondence map on divisor classesgiven byψ :Pic 0 (C) → Pic 0 (D)ψ := N L/K ◦ϕ ∗ ,where N L/K is the norm of L/K.Assume that we are interested in a subgroup G (for instance, of large prime order l) inPic 0 Cand assume that we can prove that G ⋂ ker(ψ) ={0}. Then we have transferred the study of Gas subgroup of a Jacobian variety over L to the study of a subgroup of a Jacobian variety over Kwhich may be easier.The relation with the Weil descent method is that by the Weil descent of the cover map ϕ weget an embedding of D into W L/K (J C ). This method is the background of the so-called GHSalgorithm. We shall come to this in more detail in 22.3.2.

132 Ch. 7 Background on Weil DescentThe mathematically interesting aspect of this method is that it relates the study of Picard groupsof curves to the highly interesting theory of fundamental groups of curves over non-algebraicallyclosed ground fields.

Chapter Cohomological Backgroundon Point CountingDavid Lubicz and Frederik VercauterenContents in Brief8.1 General principle 133Zeta function and the Weil conjectures • Cohomology and Lefschetz fixedpoint formula8.2 Overview of l-adic methods 1378.3 Overview of p-adic methods 138Serre–Tate canonical lift • Monsky–Washnitzer cohomology8.1 General principleLet p be a prime and F q a finite field with q = p d elements. Consider a projective nonsingular curveC defined over F q , e.g., an elliptic or hyperelliptic curve. Let F q k be a finite extension of F q ofdegree k, then a point on C is called F q k-rational if a representative of its homogeneous coordinatesis defined over F q k.LetP be a point in C(F q ) and denote with φ q the Frobenius morphism, thenφ q (P )=P if and only if P is F q -rational. More generally, the number of F q k-rational points onC is the number of fixed points of φ k q . A first natural question to ask is thus: how to efficientlycompute |C(F q k)| for any positive k.As described in Section 4.4.4, we can embed C in a projective group variety over F q , called theJacobian variety of C and denoted by J C . The Frobenius morphism φ q then induces an isogeny ofJ C , also denoted by φ q , and clearly J C (F q )=ker(φ q − [1]). A second natural question to ask isthus: how to efficiently compute |J C (F q k)| for any positive k.This chapter shows that the above questions are in fact closely related, and introduces differentapproaches to solving both of them. The general strategy is based on ideas introduced by Weil,Serre, Grothendieck, Dwork, etc. in order to prove the Weil conjectures (see Section 8.1.1). Themain idea is the following: the number of F q k-rational points on C or J C is the number of fixedpoints of φ k q . In the complex setting, there exists a general formula due to Lefschetz for the numberof fixed points of an analytic map.133

134 Ch. 8 Cohomological Background on Point CountingTheorem 8.1 (Lefschetz Fixed Point Theorem) Let M be a compact complex analytic manifoldand f : M → M an analytic map. Assume that f only has isolated nondegenerate fixed points;then∣ ∣ ∑∣{P ∈ M | f(P )=P } = (−1) i Tr ( f ∗ ; HDR(M) i ) .The HDR i (M) in the above theorem are the de Rham cohomology groups of M and are finitedimensional vector spaces over C on which f induces a linear map f ∗ . The number of fixed pointsof f is thus the alternating sum of the traces of the linear map f ∗ on the vector spaces HDR i (M).The dream of Weil was to mimic this situation for varieties over finite fields, i.e., construct a goodcohomology theory (necessarily over a characteristic zero field) such that the number of fixed pointsof the Frobenius morphism is given by a Lefschetz fixed point formula.The different approaches described in this chapter all fit in the following slightly more generalframework: construct vector spaces over some characteristic zero field together with an action ofthe Frobenius morphism φ q that provides information about the number of fixed points of φ q andthus the number of F q -rational points on C or J C .i8.1.1 Zeta function and the Weil conjecturesLet F q be a finite field with q = p d and p prime. For any algebraic variety X defined over F q ,letN k denote the number of F q k-rational points on X.Definition 8.2 The zeta function Z(X/F q ; T ) of X over F q is the generating function( ∞)∑ N kZ(X/F q ; T )=expk T k .The zeta function should be interpreted as a formal power series with coefficients in Q. In 1949,Weil [WEI 1949] stated the following conjectures, all of which have now been proven.Theorem 8.3 (Weil Conjectures) Let X be a smooth projective variety of dimension n definedover a finite field with q elements.k=11. Rationality: Z(X/F q ; T ) ∈ Q[[T ]] is a rational function.2. Functional equation: Z(T )=Z(X/F q ; T ) satisfies( ) 1Zq n = +T − q nE/2 T E Z(T ),with E equal to the Euler–Poincaré characteristic of X, i.e., the intersection number ofthe diagonal with itself in the product X × X.3. Riemann hypothesis: there exist polynomials P i (T ) ∈ Z[T ] for i =0,...,2n, such thatZ(X/F q ; T )= P 1(T ) ···P 2n−1 (T )P 0 (T ) ···P 2n (T )with P 0 (T )=1− T , P 2n (T )=1− q n T and for 1 r 2n − 1∏β rP r (T )= (1 − α r,i T )i=1where the α r,i are algebraic integers of absolute value q r/2 .

§ 8.1 General principle 135Weil [WEI 1948] proved these conjectures for curves and abelian varieties. The rationality of thezeta function of any algebraic variety was settled in 1960 by Dwork [DWO 1960] usingp-adicmethods. Soon after, the Grothendieck school developed l-adic cohomology and gave another proofof the rationality and the functional equation. Finally, in 1973, Deligne [DEL 1974] proved theRiemann hypothesis.Let φ q be the Frobenius endomorphism of J C , then the elements fixed by φ q are exactly J C (F q )or ker(φ q − [1]) = J C (F q ). As introduced in Section 5.2.2, we can associate to φ q its characteristicpolynomial χ(φ q ) C , which is a monic polynomial of degree 2g with coefficients in Z. Furthermore,by Corollary 5.70 we have that |J C (F q )| = χ(φ q ) C (1).The relation between χ(φ q ) C and the zeta function of the smooth projective curve C is as follows:Proposition 8.4 Let C be a smooth projective curve of genus g and let χ(φ q ) C (T ) ∈ Z[T ] be thecharacteristic polynomial of φ q .DefinetheL-polynomial of C by( ) 1L(T )=T 2g χ(φ q ) C,Tthen the zeta function of C is given byZ(C/F q ; T )=L(T )(1 − T )(1 − qT)·Let L(T )=a 0 + a 1 T + ···+ a 2g T 2g , then the functional equation shows that a 2g−i = q g−i a i fori =0,...,g. If we write L(T )= ∏ 2gi=1 (1 − α iT ), then the Riemann hypothesis implies |α i | = √ qand again by the functional equation, we can label the α i such that α i α i+g = q for i =0,...,g.This shows that Theorem 5.76 immediately follows from the Weil conjectures.Taking the logarithm of both expressions for the zeta function leads toln Z(C/F q ; T )=Since ln(1 − sT )=−∞∑k=1N kk T k =2g∑i=1ln(1 − α i T ) − ln(1 − T ) − ln(1 − qT).∞∑ (sT ) k, we conclude that for all positive kki=1N k = q k +1−The zeta function Z(C/F q ; T ) of a curve C contains important geometric information about C andits Jacobian J C . For example, Stichtenoth [STI 1979] proved the following theorem.Theorem 8.5 Let L(T )=a 0 + ···+ a 2g T 2g , then the p-rank of J C is equal to2g∑i=1α k i .max{i | a i ≢ 0(mod p)}Furthermore, Stichtenoth and Xing [STXI 1995] showed that J C is supersingular, i.e., isogenousover F q to a product of supersingular elliptic curves, if and only if p ⌈dk/2⌉ | a k for all 1 k g.8.1.2 Cohomology and Lefschetz fixed point formulaIn this section we indicate how the Weil conjectures, except for the Riemann hypothesis, almost immediatelyfollow from a good cohomology theory. Let X be a projective, smooth algebraic variety

136 Ch. 8 Cohomological Background on Point Countingof dimension n over a finite field F q of characteristic p and let X ⊗ Fq F q denote the correspondingvariety over the algebraic closure F q of F q .Let l denote a prime different from p and let Q l be the field of l-adic numbers. Grothendieckintroduced the l-adic cohomology groups H i (X,Q l ) (see [SGA 4]), which he used to prove therationality and functional equation of the zeta function. The description of these cohomology groupsis far beyond the scope of this book and we will simply state their main properties. However, for X,a smooth projective curve, we have the following theorem.Theorem 8.6 Let C be a smooth projective curve over a finite field F q of characteristic p and let lbe a prime different from p; then there exists an isomorphismH 1 (C, Z l ) ≃ T l (J C ).To prove the rationality of the zeta function and the factorization of its numerator and denominator,we only need the following two properties:• The l-adic cohomology groups H i (X,Q l ) are finite dimensional vector spaces over Q land H i (X,Q l )=0for i2n.• Let f : X → X be a morphism with isolated fixed points and suppose moreover thateach fixed point has multiplicity 1. Then the number N(f,X) of fixed points of f isgiven by a Lefschetz fixed point formula:N(f,X) =2n∑i=0(−1) i Tr ( f ∗ ; H i (X,Q l ) ) .Recall that the number N k of F q k-rational points on X equals the number of fixed points of φ k q withφ q the Frobenius morphism. By the Lefschetz fixed point formula, we haveN k =2n∑i=0(−1) i Tr ( φ k∗q ; Hi (X,Q l ) ) .Substituting this in the definition of the zeta function proves the following theorem.Theorem 8.7 Let X be a projective, smooth algebraic variety over F q of dimension n,thenZ(X/F q ,T)= P 1(T ) ...P 2n−1 (T )P 0 (T ) ...P 2n (T )withP i (T )=det(1− φ ∗ q T ; Hi( X,Q l ) ) .The above theorem constitutes the first cohomological approach to computing the zeta function of aprojective, smooth algebraic variety: construct a basis for the l-adic cohomology groups H i (X,Q l )and compute the characteristic polynomial of the representation of φ q on H i (X,Q l ). Unfortunately,the definition of the H i (X,Q l ) is very abstract and thus useless from an algorithmic point of view.For curves not all is lost, since by Theorem 8.6 we have the isomorphism H 1 (C, Z l ) ≃ T l (J C ).The second cohomological approach constructs p-adic cohomology groups defined over the unramifiedextension Q q of Q p . Several different theories that satisfy a Lefschetz fixed point formulaexist, e.g., Monsky–Washnitzer cohomology [MOWA 1968, MON 1968, MON 1971], Lubkin’s p-adic cohomology [LUB 1968], crystalline cohomology by Grothendieck [GRO 1968] and Berthelot[BER 1974], and finally, rigid cohomology by Berthelot [BER 1986]. The main algorithmicadvantage over the l-adic cohomology theory is the existence of comparison theorems that provide

§ 8.2 Overview of l-adic methods 137an isomorphism with the algebraic de Rham cohomology, i.e., modules of differentials modulo exactdifferentials. The algebraic de Rham cohomology itself is very computational in nature andthus more amenable to computations than l-adic cohomology. The main disadvantage of the p-adicapproach is that the complexity of the resulting algorithms is exponential in p.8.2 Overview of l-adic methodsLet F q be a finite field of characteristic p and let C be a smooth, projective curve defined over F qof genus g. The Jacobian variety J C of C then is an abelian variety over F q of dimension g. Letχ(φ q ) C (T ) ∈ Z[T ] be the characteristic polynomial of the Frobenius endomorphism φ q acting onthe Tate module T l (J C ) for l a prime different from p, then we can writeχ(φ q ) C (T )=2g∑i=0a 2g−i T i with a 0 =1 and a 2g = q g .By the functional equation of the zeta function we have a 2g−i = q g−i a i for i =0,...,g,soitsuffices to determine the a i for i =0,...,g.The main idea of the l-adic methods is to approximate T l (J C ) by the l-torsion points J C [l].Recall that since l ≠ p,thel-torsion is a 2g dimensional vector space over Z/lZ and the restrictionof φ q to J C [l] is a linear transformation of this vector space. Let P l (T ) denote the characteristicpolynomial of this restriction, then by Lemma 5.71 we have P l (T ) ≡ χ(φ q ) C (T )(modl).Furthermore, by the Riemann hypothesis or Corollary 5.82, the coefficients a 0 ,...,a g are boundedby|a i | ( ) 2gq i/2 i( ) 2gq g/2 .gUsing the Chinese remainder theorem, we can therefore uniquely recover χ(φ q ) C from P l (T ) forprimes l H ln q with H a constant such that∏( ) 2gl > 2 q g/2 .gprimes l H ln qgcd(l, q) =1The constant H only depends on the genus g and the prime number theorem implies that H is linearin g.For a given prime l, the polynomial P l can be computed as follows. Assume that J C is embeddedin P N and that an affine part is defined by a system of polynomial equations F 1 ,...,F s ∈ F q [X]with X =(X 1 ,...,X N ). Furthermore, assume that the addition law is explicitly given by an N-tuple of rational functions (G 1 (X, Y ),...,G N (X, Y )) with Y =(Y 1 ,...,Y N ). Using the doubleand add method, we can compute a set of polynomials Q l 1 ,...,Ql k lgenerating the ideal of thesubvariety of l-torsion points of J C . Let I l be the radical ideal of 〈F 1 ,...,F s ,Q l 1 ,...,Ql k l〉;torecover P l we have to find integers 0 a i

138 Ch. 8 Cohomological Background on Point CountingRemark 8.8 Although the above algorithm has a polynomial time complexity in lg q, it is currentlyonly practical for elliptic curves and hyperelliptic curves of genus 2. The reason for this is that thedegrees of the polynomials Q l 1 ,...,Ql k lgrow as O(l 2g ),sinceJ C [l] ≃ (Z/lZ) 2g .However,forelliptic curves, the above algorithm can be improved substantially by restricting to a subgroup ofJ C [l], which is the kernel of an isogeny of degree l. Further details can be found in Section 17.2.8.3 Overview of p-adic methodsThe best known application of p-adic methods in algebraic geometry is undoubtedly Dwork’s ingeniousproof of the rationality of the zeta function [DWO 1960]. Although Dwork’s proof can betransformed easily in an algorithm to compute the zeta function of any algebraic variety, nobodyseemed to realize this and for more than a decade only l-adic algorithms were used.At the end of 1999, Satoh [SAT 2000] introduced the p-adic approach into computational algebraicgeometry by describing a p-adic algorithm to compute the number of points on an ordinaryelliptic curve over a finite field. Following this breakthrough development, many existing p-adictheories were used as the basis for new algorithms:• Dwork’s p-adic analytic methods by Lauder and Wan [LAWA 2002b]• Serre–Tate canonical lift by Satoh [SAT 2000], Mestre [MES 2000b], etc.• Monsky–Washnitzer cohomology by Kedlaya [KED 2001]• Dwork–Reich cohomology by Lauder and Wan [LAWA 2002a, LAWA 2004]• Dwork’s deformation theory by Lauder [LAU 2004].Finally, we note that the use of p-adic methods as the basis for an algorithm to compute the zetafunction of an elliptic curve already appeared in the work of Kato and Lubkin [KALU 1982].In this section we will only review the two p-adic theories that are most important for practicalapplications, namely the Serre–Tate canonical lift and Monsky–Washnitzer cohomology.8.3.1 Serre–Tate canonical liftLet A be an abelian variety defined over F q with q = p d and p aprime.LetQ q be an unramifiedextension of Q p of degree d with valuation ring Z q and residue field Z q /(pZ q ) ≃ F q . Consideran arbitrary lift A of A defined over Z q ,i.e.,A reduces to A modulo p, then in general there willnot exist an endomorphism F∈End(A) that reduces to the q-th power Frobenius endomorphismφ q ∈ End(A).Definition 8.9 A canonical lift of an abelian variety A over F q is an abelian variety A over Q qsuch that A reduces to A modulo p and the ring homomorphism End(A) −→ End(A) induced byreduction modulo p is an isomorphism.This definition implies that if A admits a canonical lift A c , then there exists a lift F∈End(A c )of the Frobenius endomorphism φ q ∈ End(A). In fact, the reverse is also true: let A be a liftof A and assume that F ∈ End(A) reduces to φ q ∈ End(A), thenA is a canonical lift of A.Deuring [DEU 1941] proved that for an ordinary elliptic curve, a canonical lift always exists andis unique up to isomorphism. The question of existence and uniqueness of the canonical lift forgeneral abelian varieties was settled by Lubin, Serre and Tate [LUSE + 1964].Theorem 8.10 (Lubin–Serre–Tate) Let A be an ordinary abelian variety over F q . Then there existsa canonical lift A c of A over Z q and A c is unique up to isomorphism.

§ 8.3 Overview of p-adic methods 139Recall that an abelian variety A is ordinary if it has maximal p-rank, i.e., A[p] =(Z/pZ) dim(A) .The construction of a p-adic approximation of A c given A proceeds as follows: let A 0 be a liftof A to Z q and denote with π : A 0 → A reduction modulo p. Consider the subgroup A 0 [p] loc =A 0 [p]∩ker(π), i.e., the p-torsion points on A 0 that reduce to the neutral element of A. As shown byCarls [CAR 2003], A 1 = A 0 /A 0 [p] loc is again an abelian variety such that its reduction is ordinaryand there exists an isogeny I 0 : A 0 −→ A 1 , which reduces to the p-th power Frobenius morphismσ : A−→A σ . Repeating this construction we can define A i = A i−1 /A i−1 [p] loc for i positive andwe get a sequence of abelian varieties and isogeniesIA0 I0 −→1 IA1 −→2 IA2 −→3A3 −→ ...Clearly we have that A kd for k ∈ N reduces to A modulo p; furthermore, the sequence {A kd } k∈Nconverges to the canonical lift A c and the convergence is linear.Let C be a smooth projective curve defined over F q of genus g, with Jacobian variety J C . Assumingthat J C is ordinary, we can consider its canonical lift A c . Note that A c itself does not have tobe the Jacobian variety of a curve [OOTS 1986]. Since End(A c ) is isomorphic to End(J C ),thereexists a lift F of the Frobenius endomorphism φ q .To recover the characteristic polynomial of φ q , we proceed as follows: let D 0 (A c , Q q ) denotethe space of holomorphic differential forms of degree 1 on A c defined over Q q ,thenwehavedim(D 0(Ac , Q q ) ) = g,sincedim(J C )=g. Given a basis B of D 0 (A c , Q q ), every endomorphismλ ∈ End Qq (A c ) can be represented by a g × g matrix M defined over Q q by considering the actionof λ ∗ on B, i.e.,λ ∗ (B) =MB. The link with the characteristic polynomial of Frobenius χ(φ q ) Cis then given by the following proposition.Proposition 8.11 Let F∈End Qq (A c ) be the lift of the Frobenius endomorphism φ q ∈ End Fq (J C )and let M F be the matrix through which φ ∗ q acts on D 0(A c , Q q ).IfP (T ) ∈ Z q (T ) is the characteristicpolynomial of M F + qM −1F, then the characteristic polynomial χ(φ q) C is given by(χ(φ q ) C (T )=T g P T + q )· (8.1)TNote that we can also write χ(φ q ) C (T )=P 1 (X)P 2 (X) with P 1 the characteristic polynomial ofM F and P 2 the characteristic polynomial of qM −1F .The point-counting algorithms based on the canonical lift thus proceed in two stages: in the firststage, a sufficiently precise approximation of the canonical lift of J C (or its invariants) is computedand in the second stage, the action of the lifted Frobenius endomorphism F is computed onD 0 (A c , Q q ).8.3.2 Monsky–Washnitzer cohomologyIn this section we will specialize the formalism of Monsky–Washnitzer cohomology as described inthe seminal papers by Monsky and Washnitzer [MOWA 1968, MON 1968, MON 1971], to smoothaffine plane curves. Further details can be found in the lectures by Monsky [MON 1970] and in thesurvey by van der Put [PUT 1986].Let C be a smooth affine plane curve over a finite field F q with q = p d elements, and let Q qbe a degree d unramified extension of Q p with valuation ring Z q , such that Z q /pZ q = F q . Theaim of Monsky–Washnitzer cohomology is to express the zeta function of the curve C in terms of aFrobenius operator F acting on p-adic cohomology groups H i (C, Q q ) defined over Q q associatedto C. Note that it is necessary to work over a field of characteristic 0; otherwise, it would only bepossible to obtain the zeta function modulo p. For smooth curves, most of these groups are zero asillustrated in the next proposition.

140 Ch. 8 Cohomological Background on Point CountingProposition 8.12 Let C be a nonsingular affine curve over a finite field F q , then the only nonzeroMonsky–Washnitzer cohomology groups are H 0 (C, Q q ) and H 1 (C, Q q ).In the remainder of this section, we introduce the cohomology groups H 0 (C, Q q ) and H 1 (C, Q q )and review their main properties.Since C is plane, C can be given by a bivariate polynomial equation g(x, y) =0with g ∈ F q [x, y].Let A = F q [x, y]/ ( g(x, y) ) be the coordinate ring of C. Take an arbitrary lift g(x, y) ∈ Z q [x, y] ofg(x, y) and let C be the curve defined by g(x, y) =0with coordinate ring A = Z q [x, y]/ ( g(x, y) ) .To compute the zeta function of C in terms of a Frobenius operator, we need to lift the Frobeniusendomorphism φ q on A to the Z q -algebra A, but as illustrated in the previous section, this is almostnever possible. Furthermore, the Z q -algebra A depends essentially on the choices made in the liftingprocess as the following example illustrates.Example 8.13 Consider C : xy − 1=0over F p with coordinate ring A = F p [x, 1/x], and considerthe two liftsg 1 (x, y) =xy − 1 g 2 (x, y) =x(1 + px)y − 1then we have that A 1 = Z p [x, 1/x] and A 2 = Z p [x, 1/(x(1 + px))], which are not isomorphic.A first attempt to remedy both difficulties is to work with the p-adic completion A ∞ of A, whichisunique up to isomorphism and does admit a lift of φ q to A ∞ . But then a new problem arises sincethe de Rham cohomology of A ∞ , which provides the vector spaces we are looking for, is too big.Example 8.14 Consider the affine line over F q ,thenA = Z q [x] and A ∞ is the ring of power series∞∑i=0r i x i with r i ∈ Z q and limi→∞r i =0.We would like to define H 1 (A, Q q ) as A ∞ dx/d(A ∞ ) ⊗ Zq Q q , but this turns out to be infinitedimensional. For example, it is clear that each term in the differential form ∑ ∞i=0 pi x pi−1 dx is exactbut its sum is not, since ∑ ∞i=0is not in A ∞ . The fundamental problem is that ∑ ∞xpi i=0 pi x pi −1does not converge fast enough for its integral to converge as well.Monsky and Washnitzer therefore work with a subalgebra A † of A ∞ , whose elements satisfy growthconditions.Definition 8.15 Let A = Z q [x, y]/ ( g(x, y) ) , then the dagger ring or weak completion A † is definedas A † = Z q 〈x, y〉 † /(g(x, y)),whereZ q 〈x, y〉 † is the ring of overconvergent power series{∑ri,j x i y j ∈ Z q [[x, y]] |∃δ, ε ∈ R,ε>0, ∀(i, j) : v p (r i,j ) ε(i + j)+δ}.The ring A † satisfies A † /(pA † ) = A and depends up to Z q -isomorphism only on A. Furthermore,Monsky and Washnitzer show that if ϕ is an F q -endomorphism of A, then there exists aZ q -endomorphism ϕ of A † lifting ϕ. In particular, we can lift the Frobenius endomorphism φ q onA to a Z q -endomorphism F on A † .To each element s ∈ A † we can associate the differential ds such that the usual Leibniz ruleapplies: for s, t ∈ A † : d(st) =sdt + tds, which implies that d(a) =0for a ∈ Z q .Thesetofall these differentials clearly is a module over A † and is denoted by D 1 (A † ). The following lemmagives a precise description of this module.Lemma 8.16 The universal module D 1 (A † ) of differentials satisfiesD 1 (A † )= ( A † dx + A † dy )/( ( ))∂gA † ∂gdx +∂x ∂y dy .

§ 8.3 Overview of p-adic methods 141Taking the total differential of the equation g(x, y) =0gives ∂g ∂g∂xdx +∂ydy =0, which explainsthe module A † ( ∂g ∂g∂xdx +∂y dy) in the above lemma. The map d : A† −→ D 1 (A † ) is a well definedderivation, so it makes sense to consider its kernel and cokernel.Definition 8.17 The cohomology groups H 0 (A, Q q ) and H 1 (A, Q q ) are defined byH 0 (A, Q q )=ker(d) ⊗ Zq Q q and H 1 (A, Q q )=coker(d) ⊗ Zq Q q . (8.2)By definition we have H 1 (A, Q q )= ( D 1 (A † )/d(A † ) ) ⊗ Zq Q q ; the elements of d(A † ) are calledexact differentials. One can prove that H 0 (A, Q q ) and H 1 (A, Q q ) are well defined, only depend onA, and are finite dimensional vector spaces over Q q .Proposition 8.18 Let C be a nonsingular affine curve of genus g, thendim ( H 0 (A, Q q ) ) =1anddim ( H 1 (A, Q q ) ) =2g + m − 1, wherem is the number of points needed to complete C to asmooth projective curve.Let F be a lift of the Frobenius endomorphism φ q to A † ,thenF induces an endomorphism F ∗ onthe cohomology groups. The main theorem of Monsky–Washnitzer cohomology is the followingLefschetz fixed point formula.Theorem 8.19 (Lefschetz fixed point formula) Let C/F q be a nonsingular affine curve over F q ,then the number of F q k-rational points on C is equal to∣ C(Fq k) ∣ ( =Tr q k F −k∗ ; H 0 (C, Q q ) ) − Tr ( q k F −k∗ ; H 1 (C, Q q ) ) .Since H 0 (C, Q q ) is a one-dimensional vector space on which F ∗ acts as the identity, we concludethat Tr ( q k F −k∗ ; H 0 (C, Q q ) ) = q k . To count the number of F q k-rational points on C, it thus sufficesto compute the action of F ∗ on H 1 (C, Q q ).The algorithms based on Monsky–Washnitzer cohomology thus also proceed in two stages: in thefirst stage, a sufficiently precise approximation of the lift F is computed and in the second stage, abasis of H 1 (C, Q q ) is constructed together with reduction formulas to express any differential formon this basis. More algorithmic details can be found in Section 17.3.

ÁÁElementary Arithmetic

Chapter ExponentiationChristophe DocheContents in Brief9.1 Generic methods 146Binary methods • Left-to-right 2 k -ary algorithm • Sliding window method •Signed-digit recoding • Multi-exponentiation9.2 Fixed exponent 157Introduction to addition chains • Short addition chains search • Exponentiationusing addition chains9.3 Fixed base point 164Yao’s method • Euclidean method • Fixed-base comb methodGiven an element x of a group (G, ×) and an integer n ∈ Z one describes in this chapter efficientmethods to perform the exponentiation x n . Only positive exponents are considered since x n =(1/x) −n but nothing more is assumed especially regarding the structure and the properties of G.See Chapter 11 for specific improvements concerning finite fields. Two elementary operations areused, namely multiplications and squarings. The distinction is made for performance reasons sincesquarings can often be implemented more efficiently; see Chapters 10 and 11 for details. In thecontext of elliptic and hyperelliptic curves, the computations are done in an abelian group denotedadditively (G, ⊕). The equivalent of the exponentiation x n is the scalar multiplication [n]P .Allthe techniques described in this chapter can be adapted in a trivial way, replacing multiplication byaddition and squaring by doubling. See Chapter 13 for additional details concerning elliptic curvesand Chapter 14 for hyperelliptic curves.Exponentiation is a very important operation in algorithmic number theory. For example, it isintensively used in many primality testing and factoring algorithms. Therefore efficient methodshave been studied over centuries. In cryptosystems based on the discrete logarithm problem (cf.Chapter 1) exponentiation is often the most time-consuming part, and thus determines the efficiencyof cryptographic protocols like key exchange, authentication, and signature.Three typical situations occur. The base point x and the exponent n may both vary from onecomputation to another. Generic methods will be used to get x n in this case. If the same exponentis used several times a closer study of n, especially the search of a short addition chain for n, canlead to substantial improvements. Finally, if different powers of the same element are needed, someprecomputations, whose cost can be neglected, give a noticeable speedup.145

146 Ch. 9 ExponentiationMost of the algorithms described in the remainder of this chapter can be found in [MEOO + 1996,GOR 1998, KNU 1997, STA 2003, BER 2002].9.1 Generic methodsIn this section both x and n may vary. Computing x n naïvely requires n − 1 multiplications, butmuch better methods exist, some of them being very simple.9.1.1 Binary methodsIt is clear that x 2k can be obtained with only k squarings, namely x 2 ,x 4 ,x 8 ,...,x 2k . Building uponthis observation, the following method, known for more than 2000 years, allows us to compute x nin O(lg n) operations, whatever the value of n .Algorithm 9.1 Square and multiply methodINPUT: An element x of G and a nonnegative integer n =(n l−1 ...n 0) 2.OUTPUT: The element x n ∈ G.1. y ← 1 and i ← l − 12. while i 03. y ← y 24. if n i =1 then y ← x × y5. i ← i − 16. return yThis method is based on the equalityx (n l−1... n i+1n i) 2= ( x (n l−1... n i+1) 2) 2× xn i.As the bits are processed from the most to the least significant one, Algorithm 9.1 is also referred toas the left-to-right binary method.There is another method relying onwhich operates from the right to the left.x (nini−1... n0)2 = x ni2i (ni−1... n0)2× xAlgorithm 9.2 Right-to-left binary exponentiationINPUT: An element x of G and a nonnegative integer n =(n l−1 ...n 0) 2.OUTPUT: The element x n ∈ G.1. y ← 1, z ← x and i ← 02. while i l − 1 do3. if n i =1 then y ← y × z

§ 9.1 Generic methods 1474. z ← z 25. i ← i +16. return yRemarks 9.3(i) Algorithm 9.1 is related to Horner’s rule, more precisely computing x n is similar toevaluating the polynomial ∑ l−1i=0 n iX i at X =2with Horner’s rule.(ii) Further enhancements may apply to the products y × x in Algorithm 9.1 since one ofthe operands is fixed during the whole computation. For example, if x is well chosen themultiplication can be computed more efficiently. Such an improvement is impossiblewith Algorithm 9.2 where different terms of approximately the same size are involvedin the products y × z.(iii) In Algorithm 9.2, whatever the value of n, the extra variable z contains the successivesquares x 2 ,x 4 ,... which can be evaluated in parallel to the multiplication.The next example provides a comparison of Algorithms 9.1 and 9.2.Example 9.4 Let us compute x 314 . One has 314 = (100111010) 2 and l =9.Algorithm 9.1i 8 7 6 5 4 3 2 1 0n i 1 0 0 1 1 1 0 1 0y x x 2 x 4 x 9 x 19 x 39 x 78 x 157 x 314Algorithm 9.2i 0 1 2 3 4 5 6 7 8n i 0 1 0 1 1 1 0 0 1z x x 2 x 4 x 8 x 16 x 32 x 64 x 128 x 256y 1 x 2 x 2 x 10 x 26 x 58 x 58 x 58 x 314The number of squarings is the same for both algorithms and equal to the bit length l ∼ lg n of n.In fact this will be the case for all the methods discussed throughout the chapter.The number of required multiplications directly depends on ν(n) the Hamming weight of n, i.e.,the number of nonzero terms in the binary expansion of n. Onaverage 1 2lg n multiplications areneeded.Further improvements introduced below tend to decrease the number of multiplications, leadingto a considerable speedup. Many algorithms also require some precomputations to be done. Inthe case where several exponentiations with the same base have to be performed in a single run,these precomputations need to be done only once per session, and if the base is fixed in a givensystem, they can even be stored, so that their cost might become almost negligible. This is the caseconsidered in Algorithms 9.7, 9.10, and 9.23. Depending on the bit processed, a single squaringor a multiplication and a squaring are performed at each step in both Algorithms 9.1 and 9.2. Thisimplies that it can be possible to retrieve each bit and thus the value of the exponent from an analysisof the computation. This has serious consequences when the exponent is some secret key. SeeChapters 28 and 29 for a description of side-channel attacks. An elegant technique, called Montgomery’sladder, overcomes this issue. Indeed, this variant of Algorithm 9.1 performs a squaringand a multiplication at each step to compute x n .

148 Ch. 9 ExponentiationAlgorithm 9.5 Montgomery’s ladderINPUT: An element x ∈ G and a positive integer n =(n l−1 ...n 0) 2.OUTPUT: The element x n ∈ G.1. x 1 ← x and x 2 ← x 22. for i = l − 2 down to 0 do3. if n i =0 then4. x 1 ← x 2 1 and x 2 ← x 1 × x 25. else6. x 1 ← x 1 × x 2 and x 2 ← x 2 27. return x 1Example 9.6 To illustrate the method, let us compute x 314 using, this time, Algorithm 9.5. Startingfrom (x 1 ,x 2 )=(x, x 2 ), the next values of (x 1 ,x 2 ) are given below.i 7 6 5 4 3 2 1 0n i 0 0 1 1 1 0 1 0(x 1,x 2) (x 2 ,x 3 ) (x 4 ,x 5 ) (x 9 ,x 10 ) (x 19 ,x 20 ) (x 39 ,x 40 ) (x 78 ,x 79 ) (x 157 ,x 158 ) (x 314 ,x 315 )See also Chapter 13, for a description of Montgomery’s ladder in the context of scalar multiplicationon an elliptic curve.2 k9.1.2 Left-to-right 2 k -ary algorithmThe general idea of this method, introduced by Brauer [BRA 1939], is to write the exponent on alarger base b =2 k . Some precomputations are needed but several bits can be processed at a time.In the following the function σ is defined by σ(0) = (k, 0) and σ(m) =(s, u) where m =2 s uwith u odd.Algorithm 9.7 Left-to-right 2 k -ary exponentiationINPUT: An element x of G, a parameter k 1, a nonnegative integer n =(n l−1 ...n 0) 2 k andthe precomputed values x 3 ,x 5 ,...,x 2k−1 .OUTPUT: The element x n ∈ G.1. y ← 1 and i ← l − 12. (s, u) ← σ(n i) [n i =2 s u]3. while i 0 do4. for j =1 to k − s do y ← y 25. y ← y × x u6. for j =1 to s do y ← y 2

§ 9.1 Generic methods 1497. i ← i − 18. return yRemarks 9.8(i) Lines 4 to 6 compute y 2k x ni i.e., the exact analogue of y 2 x ni in Algorithm 9.1. Toreduce the amount of precomputations, note that (y 2k−s x u ) 2s = y 2k x ni is actuallycomputed.(ii) The number of elementary operations performed is lg n +lgn ( 1+o(1) ) lg n/ lg lg n.(iii) For optimal efficiency, k should be equal to the smallest integer satisfyinglg n k(k +1)22k2 k+1 − k − 2·See [COH 2000] for details. This leads to the following table, which gives for all intervalsof bit lengths the appropriate value for k.k 1 2 3 4 5 6 7No. of binary digits [1, 9] [10, 25] [26, 70] [70, 197] [197, 539] [539, 1434] [1434, 3715]Example 9.9 Take n = 11957708941720303968251 whose binary representation is(10100010000011101010001100000111111101011001011110111000000001111111111011) 2 .As its binary length is 74,takek =4. The representation of n in radix 2 4 is( 22×188×18 3 108×1 2×588×112 11513 6 5 144×32×3 2×714 01151511) 2 4.2×7Thus the successive values of y are 1,x,x 2 ,x 4 ,x 5 ,x 10 ,x 20 ,x 40 ,x 80 ,x 81 ,x 162 ,x 324 ,...,x n .Letus denote a multiplication by M and a squaring by S. Then the precomputations cost 7M + S andadditionally one needs 17M + 72S, i.e., 97 elementary operations in total. By way of comparison,Algorithm 9.1 needs 112 operations, 39M + 73S.9.1.3 Sliding window methodThe 2 k -ary method consists of slicing the binary representation of n into pieces using a window oflength k and to process the parts one by one. Letting the window slide allows us to skip strings ofconsecutive zeroes. For instance, let n = 334 = (101001110) 2 . Take a window of length 3 or, inother words, precompute x 3 ,x 5 and x 7 only. The successive values of y computed by Algorithm 9.7are 1,x 5 ,x 10 ,x 20 ,x 40 ,x 41 ,x 82 ,x 164 ,x 167 and x 334 as reflected by334 = (10150011110) 2 .2×3But one could compute 1,x 5 ,x 10 ,x 20 ,x 40 ,x 80 ,x 160 ,x 167 ,x 334 instead. This saves one multiplicationand amounts to allowing non-adjacent windows334 = (1015001110) 27where the strings of many consecutive zeroes are ignored.

150 Ch. 9 ExponentiationHere is the general algorithm.Algorithm 9.10 Sliding window exponentiationINPUT: An element x of G, a nonnegative integer n =(n l−1 ...n 0) 2, a parameter k 1 andthe precomputed values x 3 ,x 5 ,...,x 2k −1 .OUTPUT: The element x n ∈ G.1. y ← 1 and i ← l − 12. while i 0 do3. if n i =0 then y ← y 2 and i ← i − 14. else5. s ← max{i − k +1, 0}6. while n s =0 do s ← s +17. for h =1 to i − s +1 do y ← y 28. u ← (n i ...n s) 2 [n i = n s =1and i − s +1 k]9. y ← y × x u [u is odd so that x u is precomputed]10. i ← s − 111. return yRemarks 9.11(i) In Line 6 the index i is fixed, n i =1and the while loop finds the longest substring(n i ...n s ) of length less than or equal to k such that n s =1.Sou =(n i ...n s ) 2 is oddand belongs to the set of precomputed values.(ii) Only the values x u occurring in Line 9 actually need to be precomputed and not all thevalues x 3 ,x 5 ,...,x 2k −1 .(iii) In certain cases it is possible to skip some squarings at the beginning, at the cost of an additionalmultiplication. For the sake of clarity assume that k =5and that the binary expansionof n is (1000000) 2 . Then Algorithm 9.10 computes x, x 2 ,x 4 ,x 8 ,x 16 ,x 32 ,x 64 .But one could perform x 31 × x instead to obtain x 32 directly, taking advantage of theprecomputations. However, this trick is interesting only if the first value of u is less than2 k−1 .Example 9.12 With n = 11957708941720303968251 and k = 4 the sliding window methodmakes use of the following decomposition( 1015000 1100000 11170 1015000 11 00000 111131511170 1011 00 101111 1111011311 00000000 11113151111 110115 13The successive values of y are 1,x 5 ,x 10 ,x 20 ,x 40 ,x 80 ,x 81 ,x 162 ,x 324 ,x 648 ,...,x n . In this case93 operations are needed, namely 21M + 72S, precomputations included.1 ) 2.19.1.4 Signed-digit recodingWhen inversion in G is fast (or when x is fixed and x −1 precomputed) it can be very efficient tomultiply by either x or x −1 . This can be used to save additional multiplications on the cost ofallowing negative coefficients and hence using the inverse of precomputed values. The extreme

§ 9.1 Generic methods 151example is the computation of x 2k −1 . With the binary method, cf. Algorithm 9.1, one needs k − 1squarings and k − 1 multiplications. But one could also perform k squarings to get x 2k followed bya multiplication by x −1 . This remark leads to the following concept.Definition 9.13 A signed-digit representation of an integer n in radix b is given by∑l−1n = n i b i with |n i |

152 Ch. 9 Exponentiationis particularly interesting for hardware applications, cf. Chapter 26, Joye and Yen designeda left-to-right signed-digit recoding algorithm. The result is not necessarily innon-adjacent form but its Hamming weight is still minimal [JOYE 2000].(iv) Algorithms 9.1, 9.2, 9.7, and 9.10 can be updated in a trivial way to deal with signedbinaryrepresentation.(v) A generalization of the NAF is presented below; see Algorithm 9.20.Example 9.16 Again take n = 11957708941720303968251. Algorithm 9.14 givesn = (10100010000100¯101010010¯1000010000000¯10¯10¯1010¯10000¯100¯1000000010000000000¯10¯1) NAF.Now one can combine this representation to a sliding window algorithm of length 4 to get thefollowing decomposition( 101 000 1 0000 100¯1 0 101 00 10¯1 0000 1 0000000 ¯10¯1 0 ¯101 0 ¯1 0000 ¯100¯1 0000000 1 0000000000 ¯10¯1 ) NAF.5 1 7 5 3 1−5 −3 −1 −91−5The number of operations, precomputations included, is 90, namely 18M + 72S.Koyama and Tsuruoka [KOTS 1993] designed another transformation, getting rid of the conditionn i n i+1 =0but still minimizing the Hamming weight. Its average length of zero runs is 1.42 against1.29 for the NAF.Algorithm 9.17 Koyama–Tsuruoka signed-binary recodingINPUT: The binary representation of n =(n ′ l−1 ...n ′ 0) 2.OUTPUT: The signed-binary representation (n l ...n 0) s of n in Koyama–Tsuruoka form.1. m ← 0, i ← 0, j ← 0, u ← 0, v ← 0, w ← 0, y ← 0 and z ← 02. while i

§ 9.1 Generic methods 15321. while j0.Algorithm 9.20 NAF w representationINPUT: A positive integer n and a parameter w>1.OUTPUT: The NAF w representation (n l−1 ...n 0) NAFw of n.1. i ← 02. while n>0 do3. if n is odd then4. n i ← n mods 2 w5. n ← n − n i6. else n i ← 07. n ← n/2 and i ← i +18. return (n l−1 ...n 0) NAFw

154 Ch. 9 ExponentiationRemarks 9.21(i) The function mods used in Line 4 of Algorithm 9.20 returns the smallest residue inabsolute value. Hence, n mods 2 w belongs to [−2 w−1 +1, 2 w−1 ].(ii) For w =2the NAF w corresponds to the classical NAF, cf. Definition 9.13.(iii) The length of the NAF w of n is at most equal to ⌊lg n⌋ +1. The average density of theNAF w expansion of n is 1/(w +1)as n tends to infinity. For a precise analysis, see[COH 2005].(iv) A left-to-right variant to compute an NAF w expansion of an integer can be found bothin [AVA 2005a] and in [MUST 2005]. The result may differ from the expansion producedby Algorithm 9.20 but they have the same digit set and the same optimal weight.(v) Let w>1 and precompute the values x + − 3 ,...,x + − (2 w−1 −1) . Then in Algorithm 9.1 itis sufficient to replace the statement4. if n i =1 then y ← x × yby4. if n i ≠0 then y ← x ni × yto take advantage of the NAF w expansion of n =(n l−1 ...n 0 ) NAFw to compute x n .(vi) See [MÖL 2003] for a further generalization called the signed fractional window method,where only a subset of { x + − 3 ,...,x + − (2 w−1 −1) } is actually precomputed.Example 9.22 For n = 11957708941720303968251 and w =4one hasn = (500010000000700050000300001000000010005000300010007000000010000000000005) NAFwwhere n i = −n i . With this representation and the modification of Algorithm 9.1 explained abovex n can be obtained with 3M + S for the precomputations and then 12M + 69S,thatis85 operationsin total.9.1.5 Multi-exponentiationThe group G isassumedtobeabelianinthissection.It is often needed in cryptography, for example during a signature verification, cf. Chapter 1, toevaluate x n00 xn1 1 where x 0 ,x 1 ∈ G and n 0 ,n 1 ∈ Z. Instead of computing x n00 and x n11 separatelyand then multiplying these terms, it is suggested in [ELG 1985] to adapt Algorithm 9.1 in thefollowing way, in order to get x n00 xn1 1 in one round. Indeed, start from y ← 1. Scan the bits of n 0and n 1 simultaneously from the left to the right and do y ← y 2 . Then if the current bits of n0n 1are1 , 0 0 1 or 1 1 multiply by x 0, x 1 or x 0 x 1 accordingly.For example, to compute x 510 x 1661 write the binary expansion of 51 and 16651 = (00110011) 2166 = (10100110) 2and apply the rules above so that the successive values of y are at each step 1, x 1 , x 2 1, x 0 x 5 1, x 3 0x 101 ,x 6 0 x20 1 , x12 0 x41 1 , x25 0 x83 1 , and finally x51 0 x166 1 .This trick is often credited to Shamir although it is a special case of an idea of Straus [STR 1964]described below. Note that the binary coefficients of n j are denoted by n j,k . If necessary, theexpansion of n j is padded with zeroes in order to be of length l.

§ 9.1 Generic methods 155Algorithm 9.23 Multi-exponentiation using Straus’ trickINPUT: The elements x 0,...,x r−1 ∈ G and the l-bit positive exponents n 0,...,n r−1. Foreach i =(i r−1 ...i 0) 2 ∈ [0, 2 r − 1], the precomputed value g i = Q r−1j=0 xi jj .OUTPUT: The element x n 00 ···xn r−1r−1 .1. y ← 12. for k = l − 1 down to 0 do3. y ← y 24. i ← P r−1j=0 n j,k2 j [i =(n r−1,k ...n 0,k ) 2]5. y ← y × g i6. return yRemarks 9.24(i) Computing x n00 ...xnr−1in a naïve way requires rl squarings and rl/2 multiplicationson average. With Algorithm 9.23, precomputations cost 2 r − r − 1 multiplications, thenonly l squarings and (1 − 1/2 r )l multiplications are necessary on average. Howeverone needs to store 2 r − r values.(ii) One can use Algorithm 9.23 to compute x n . To do so, write n =(n l−1 ...n 0 ) b inbase b, thensetx i = x bi and compute x n = ∏ l−1i=0 xni i . This approach can be seen as ababy-step giant-step algorithm, where the giant steps x bi are computed first.(iii) All the improvements of Algorithm 9.1 described previously apply to Algorithm 9.23as well. In particular the use of parallel sliding window leads to a faster method; see[AVA 2002, AVA 2005b, BER 2002] for a general overview on multi-exponentiation.Example 9.25 Let us compute x 31021 . One has 31021 = (7 36 45) 64 ,sothatx n = x 450 x36 1 x7 2where x 0 = x, x 1 = x 64 and x 2 = x 642 . First precompute the g i ’sThen one getsi 0 1 2 3 4 5 6 7g i 1 x 0 x 1 x 0x 1 x 2 x 0x 2 x 1x 2 x 0x 1x 2k 5 4 3 2 1 0n 2,k 0 0 0 1 1 1n 1,k 1 0 0 1 0 0n 0,k 1 0 1 1 0 1i 3 0 1 7 4 5y x 0x 1 x 2 0x 2 1 x 5 0x 4 1 x 110 x 9 1x 2 x 220 x 181 x 3 2 x 450 x 361 x 7 2To improve Straus’ method in case of a double exponentiation within a group where inversion canbe performed efficiently, Solinas [SOL 2001] made signed-binary expansions come back into play.Definition 9.26 The joint sparse form, JSF for short, of the l-bit integers n 0 and n 1 is a representationof the form( ) (n0 n0,l ...n 0,0=n 1 n 1,l ...n 1,0)JSF

156 Ch. 9 Exponentiationsuch that• of any three consecutive positions, at least one is a zero column, that is for all i and allpositive j one has n i,j+k = n 1−i,j+k =0, for at least one k in {0, + − 1}• adjacent terms do not have opposite signs, i.e., it is never the case that n i,j n i,j+1 = −1• if n i,j+1 n i,j ≠0then one has n 1−i,j+1 = + − 1 and n 1−i,j =0.The joint Hamming weight is the number of positions different from a zero column.Solinas also gives an algorithm to compute the JSF of two integers.Algorithm 9.27 Joint sparse form recodingINPUT: Nonnegative l-bit integers n 0 and n 1 not both zero.OUTPUT: The joint sparse form of n 0 and n 1.1. j ← 0, S 0 =(), S 1 =(), d 0 ← 0 and d 1 ← 02. while n 0 + d 0 > 0 or n 1 + d 1 > 0 do3. l 0 ← d 0 + n 0 and l 1 ← d 1 + n 14. for i =0 to 1 do5. if l i ≡ 0 (mod 2) then r i ← 06. else7. r i ← l i mods 48. if l i ≡ + − 3 (mod 8) and l 1−i ≡ 2 (mod 4) then r i ←−r i9. S i ← r i || S i [r i prepended to S i]10. for i =0 to 1 do11. if 2d i =1+n ′ i then d i ← 1 − d i12. n i ←⌊n i/2⌋13. j ← j +114. return S 0 and S 1Remarks 9.28(i) The joint sparse form of n 0 and n 1 is unique. The joint Hamming weight of the JSFof n 0 and n 1 is equal to l/2 on average and the JSF is optimal in the sense that it hasthe smallest joint Hamming weight among all joint signed representations of n 0 and n 1[SOL 2001].(ii) The naïve computation of x n00 xn1 1 involving NAF representations of n 0 and n 1 requires2l squarings and 2l/3 multiplications on average. Only l squarings and l/2 multiplicationsare necessary with the JSF, neglecting the cost of the precomputations of x 0 x 1 andx 0 /x 1 . Applying Straus’ trick with two integers in NAF results in a Hamming weightof 5l/9 on average.(iii) In [GRHE + 2004], Grabner et al. introduce the simple joint sparse form whose jointHamming weight is also minimal but which can be obtained in an easier way.

§ 9.2 Fixed exponent 157Example 9.29 Let us compute x 510 x 1661 . The joint NAF expansion of 51 and 166 is51 = (010¯1010¯1) NAF166 = (101010¯10) NAF .Its joint Hamming weight is 8. TheJSFof51 and 166, as given by Algorithm 9.27, is( ) 51=166with a joint Hamming weight equal to 6.( )0010¯1001110¯10¯1¯10¯10 JSFThe next section is devoted to the case when several exponentiations to the same exponent n haveto be performed.9.2 Fixed exponentThe methods considered in this section essentially give better algorithms when the exponent n isfixed. They rely on the concept of addition chains. However, the computation of a short additionchain for a given exponent can be very costly. But if the exponent is to be used several times it isprobably a good investment to carry out this search.In the following, different kinds of addition chains are discussed, then efficient methods to actuallyfind short addition chains are introduced before related exponentiation algorithms are described.9.2.1 Introduction to addition chainsDefinition 9.30 An addition chain computing an integer n is given by two sequences v and w suchthatv = (v 0 ,...,v s ),v 0 =1,v s = nv i = v j + v k for all 1 i s with respect tow = (w 1 ,...,w s ),w i =(j, k) and 0 j, k i − 1. (9.1)The length of the addition chain is s.A star addition chain satisfies the additional property that at each step v i = v i−1 + v k for somek such that 0 k i − 1.Note that one should write v i = v j(i) + v k(i) since the indexes depend on i. They are omitted forthe sake of simplicity. Sometimes only v is given since it is easy to retrieve w from v. For examplev =(1, 2, 3, 6, 7, 14, 15) is an addition chain for 15 of length 6. It is implicit in the computationof x 15 by Algorithm 9.1. In fact binary or window methods can be seen as methods producing andusing special classes of addition chains but it is often possible to do better, that is to find a shorterchain. For instance (1, 2, 3, 6, 12, 15) computes also 15 and is of length 5.For a given n, the smallest s for which there exists an addition chain of length s computing n isdenoted by l(n). It is not hard to see that l(15) = 5 but the determination of l(n) can be a difficultproblem even for rather small n.As complexities of squarings and multiplications are usually slightly different, note that a carefullychosen complexity measure should take into account not only the length of the chain but also therespective numbers of squarings and multiplications involved. For example (1, 2, 4, 5, 6, 11) and

158 Ch. 9 Exponentiation(1, 2, 3, 4, 8, 11) compute 11 and have the same length 5. However the first chain needs 3 multiplicationswhereas the latter requires only 2.There is an abundant literature about addition chains. It is known [SCH 1975, BRA 1939]thatlg(n)+lg ( ν(n) ) − 2.13 l(n) lg(n)+lg(n) ( 1+o(1) ) / lg ( lg(n) ) ,where ν(n) is the Hamming weight of n.As said before, finding an addition chain of the shortest length can be very hard. To make this processeasier, it seems harmless to restrict the search to star addition chains. But Hansen [HAN 1959]proved that for some n, the smallest being n = 12509, there is no star addition chain of minimallength l(n). The shortest length l(n) has been determined for all n up to 2 20 , pruning trees to speedup the search [BLFL]. See also Thurber’s algorithm, which is able to find all the addition chains foragivenn [THU 1999]. The hardness of this search depends primarily on ν(n), so that it is longer tofind the minimal length of 191 = (10111111) 2 than 1048577 = (100000000000000000001) 2 ,butthe running time can be quite long, even for small integers with a rather low density.The concept of addition chain can be extended in at least three different ways.Definition 9.31 An addition-subtraction chain is similar to an addition chain except that the conditionv i = v j + v k is replaced by v i = v j + v k or v i = v j − v k .For example, an addition chain for 314 is v =(1, 2, 4, 8, 9, 19, 38, 39, 78, 156, 157, 314). The addition–subtractionchain v =(1, 2, 4, 5, 10, 20, 40, 39, 78, 156, 157, 314) is one term shorter.Definition 9.32 An addition sequence for the set of integers S = {n 0 ,...,n r−1 } is an additionchain v that contains each element of S. In other words, for all i there is j such that n i = v j .For example, an addition sequence computing {47, 117, 343, 499, 933, 5689} is(1, 2, 4, 8, 10, 11, 18, 36, 47 , 55, 91, 109, 117 , 226, 343 , 434, 489, 499 , 933 , 1422, 2844, 5688, 5689 ).In [YAO 1976], it is shown that the shortest length of an addition sequence computing the set ofintegers {n 0 ,...,n r−1 } is less thanwhere N =max i {n i } and c is some constant.lg N + cr lg N/ lg lg N,Definition 9.33 Let k and s be positive integers. A vectorial addition chain is a sequence V ofk-dimensional vectors of nonnegative integers v i for −k +1 i s together with a sequence w,such thatv −k+1 = [1, 0, 0,...,0, 0]v −k+2 = [0, 1, 0,...,0, 0].v 0 = [0, 0, 0,...,0, 1]v i = v j + v k for all 1 i s with − k +1 j, k i − 1v s = [n 0 ,...,n r−1 ]w = (w 1 ,...,w s ),w i =(j, k). (9.2)For example, a vectorial addition chain for [45, 36, 7] isV = `[1, 0, 0], [0, 1, 0], [0, 0, 1], [1, 1, 0], [2, 2, 0], [4, 4, 0], [5, 4, 0], [10, 8, 0],[11, 9, 0], [11, 9, 1], [22, 18, 2], [22, 18, 3], [44, 36, 6], [45, 36, 6], [45, 36, 7]´

§ 9.2 Fixed exponent 159w = `(−2, −1), (1, 1), (2, 2), (−2, 3), (4, 4), (1, 5), (0, 6), (7, 7), (0, 8), (9, 9), (−2, 10), (0, 11)´.Since k =3, the first three terms of V are v −2 =[1, 0, 0], v −1 =[0, 1, 0], andv 0 =[0, 0, 1]. Thischain is of length 12 and is implicitly produced by Algorithm 9.23.Addition sequences and vectorial addition chains are in some sense dual. We refer the interestedreader to [BER 2002, STA 2003] for details and to [KNPA 1981] for a more general approach.In [OLI 1981] Olivos describes a procedure to transform an addition sequence computing{n 0 ,...,n r−1 } of length l into a vectorial addition chain of length l + r − 1 for [n 0 ,...,n r−1 ].To illustrate his method let us deduce a vectorial addition chain for [45, 36, 7] from the additionsequence v =(1, 2, 4, 6, 7, 9, 18, 36, 45) computing {7, 36, 45}. Let {e j | 0 j k} be thecanonical basis of R k+1 . The idea is then to build an array by induction, starting in the lower rightcorner with a 2-by-2 array, and then processing the successive elements v h of the addition sequence,following two rules:• if v h =2v i then the line to be added on top is the double of line i and the new twocolumns on the left are 2e h and 2e h + e i• if v h satisfies v h = v i + v j then the new line on top is the sum of lines i and j and thetwo columns on the left are e h + e i and e h + e j .The expression of v h in terms of the v i ’s is written on the right. The first steps are:2 2 2 = 1+10 1 1=⇒2 2 4 4 4 = 2+20 1 2 2 2 = 1+10 0 0 1 1=⇒1 1 2 3 6 6 6 = 4+21 0 2 2 4 4 4 = 2+20 1 0 1 2 2 2 = 1+10 0 0 0 0 1 1At the end one has1 1 2 2 4 5 5 5 5 5 5 10 10 20 40 45 45 = 36+9 ←1 0 2 2 4 4 4 4 4 4 4 8 8 16 32 36 36 = 18+18 ←0 0 0 1 2 2 2 2 2 2 2 4 4 8 16 18 18 = 9 + 90 1 0 0 0 1 1 1 1 1 1 2 2 4 8 9 9 = 7+20 0 0 0 0 0 1 0 1 1 1 1 2 3 6 7 7 = 6+1 ←0 0 0 0 0 0 0 0 1 0 1 1 2 3 6 6 6 = 4+20 0 0 0 0 0 0 0 0 0 1 0 2 2 4 4 4 = 2+20 0 0 0 0 0 0 1 0 0 0 1 0 1 2 2 2 = 1+10 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 1Then discard all the lines except the ones marked by an arrow and corresponding to 7, 36, and45.Consider the columns from the left to the right, eliminate redundancies and finally add the canonicalvectors of R r so that a vectorial addition sequence for [45, 36, 7] is([1, 0, 0], [0, 1, 0], [0, 0, 1], [1, 1, 0], [2, 2, 0], [4, 4, 0], [5, 4, 0],[5, 4, 1], [10, 8, 1], [10, 8, 2], [20, 16, 3], [40, 32, 6], [45, 36, 7] ) .Conversely the procedure to get an addition sequence from a vectorial addition exists as well[OLI 1981].Before explaining how to find short chains, let us remark that the set of vectors (n 0 ,...,n r−1 ,l)such that there is an addition sequence of length l containing n 0 ,...,n r−1 has been shown tobe NP-complete [DOLE + 1981]. This does not imply, as it is sometimes claimed, that finding ashortest addition chain for n is NP-complete. However, we have seen that dedicated algorithms tofind a shortest addition chain are in practice limited to small exponents.

160 Ch. 9 Exponentiation9.2.2 Short addition chains searchIn the following, different heuristics to find short addition chains are discussed. They are ratherefficient but do not necessarily find a shortest possible chain. Most of the methods described hereuse the concept of dictionary.Definition 9.34 Given an integer n,adictionary D for n is a set of integers such thatn =k∑b i,d d2 i , with b i,d ∈{0, 1} and d ∈D.i=0Note that all the algorithms introduced in Section 9.1 can be used to produce addition chains andimplicitly use a dictionary. For example, the dictionary associated to window methods of length kis the set {1, 3,...,2 k − 1}. FortheNAF w it is { + − 1, + − 3,..., + − (2 k−1 − 1)}.In [GOHA + 1996, O’CO 2001] the dictionary is simply made of the elements 2 i − 1 for 0

§ 9.2 Fixed exponent 161fits as prefix of the unscanned part of the exponent and concatenate it to the next unscanned digitof the exponent to form a new element of the dictionary. Repeat the process until all the digits areprocessed. There is also a sliding version that skips strings of zeroes.Example 9.36 For n = 587257 one gets (10 00 1111 010 111 11 10 0 1 ) 2 and the dictionary{1, 0, 2, 3, 7, 2, 15, 0, 2}, which actually gives rise to D = {1, 3, 7, 15}. One has n =1× 2 19 +15 × 2 12 +1× 2 10 +7× 2 6 +3× 2 4 +1× 2 3 +1so that an addition chain for n is(1, 2, 3, 4, 7, 8, 15, 16, 32, 64, 128, 143, 286, 572, 573, 1146, 2292, 4584,9168, 9175, 18350, 36700, 36703, 73406, 73407, 146814, 293628, 587256, 587257)whose length is 28.The sliding version returns D = {1, 3, 5, 7} from the decomposition(10000111 101 01 111 11001) 2 .In this case n =1× 2 19 +7× 2 13 +5× 2 10 +1× 2 8 +7× 2 6 +3× 2 3 +1and an addition chainfor n is(1, 2, 3, 5, 7, 8, 16, 32, 64, 71, 142, 284, 568, 573, 1146, 2292, 2293, 4586,9172, 18344, 18351, 36702, 73404, 73407, 146814, 293628, 587256, 587257)of length 27.This method can also be used with signed-digit representations and is particularly efficient when thenumber of zeroes is small.In [BEBE + 1989] continued fractions and the Euclid algorithm are used to produce short additionchains. First let ⊗ and ⊕ be two simple operations on addition chains, defined as follows. Ifv =(v 0 ,...,v s ) and w =(w 0 ,...,w t ) thenv ⊗ w =(v 0 ,...,v s ,v s w 0 ,...,v s w t )and if j is an integerv ⊕ j =(v 0 ,...,v s ,v s + j).Now let 1

162 Ch. 9 Exponentiationminchain(n)1. if n =2 l then return (1, 2, 4,...,2 l )2. if n =3 then return (1, 2, 3)3. return chain ( ⌊lgn, 2n/2⌋)andchain(n, k)1. q ←⌊n/k⌋ and r ←(n mod k)2. if r =0 then return minchain(k) ⊗ minchain(q)3. else return chain(k, r) ⊗ minchain(q) ⊕ rNote that these algorithms are able to find short addition sequences as well.Example 9.37 For n =87, one has k = ⌊87/8⌋ =10and the successive calls arechain(87, 10)chain(10, 7) ⊗ minchain(8) ⊕ 7(chain(7, 3) ⊗ minchain(1) ⊕ 3) ⊗ minchain(8) ⊕ 7((minchain(3) ⊗ minchain(2) ⊕ 1) ⊗ minchain(1) ⊕ 3)⊗ minchain(8) ⊕ 7so that the final result is the optimal addition chain (1, 2, 3, 6, 7, 10, 20, 40, 80, 87).In [BEBE + 1994], the authors generalize this approach, introducing new strategies to determine aset of possible values for k. So the choice of k is no longer deterministic and it is necessary tobacktrack the best possible k. Forthefactor method, see also [KNU 1997], one has{k ∈{n − 1} if n is primek ∈{n − 1,p} if p is the smallest prime dividing n.For the total strategy, k ∈{2, 3,...,n− 1}. Forthedyadic strategy,{⌊ n⌋ }k ∈ ,2 j j =1,... ·Note that only Fermat’s strategy,wherek ∈{⌊ n⌋ }, j =0, 1,...2 2jhas a reasonable complexity and is well suited for large exponents.Example 9.38 The corresponding results for 87 are all optimal and given in the next table.Strategy Initial k ResultFactor 3 (1, 2, 3, 6, 12, 24, 48, 72, 84, 87)Total 17 (1, 2, 4, 8, 16, 17, 34, 68, 85, 87)Dyadic 2 (1, 2, 4, 6, 10, 20, 40, 80, 86, 87)Fermat 5 (1, 2, 3, 5, 10, 20, 40, 80, 85, 87)In [BOCO 1990] Bos and Coster use similar ideas to produce an addition sequence. See also[COSTER]. Starting from 1, 2 and the requested numbers ...,f 2 ,f 1 ,f they replace at each stepthe last term by new elements produced by one of four different methods. A weight function helps

§ 9.2 Fixed exponent 163to decide which rule should be used at each stage. Here is a brief description of these strategies withsome examples.ApproximationCondition 0 f − (f i + f j )=ε with f i f j and ε smallInsert f i + εExample 49 67 85 117 → 49 50 67 85 (because 117 - (49 + 67) = 1)DivisionCondition f is divisible by p ∈{3, 5, 9, 17}. Let(1, 2,...,α r = p) be an addition chain for pInsert f/p,2f/p,...,α r−1 f/pExample 17 48 → 16 17 32 (because 48/3 = 16 and (1,2,3) computes 3)HalvingCondition f/f i 2 u and ⌊f/2 u ⌋ = kInsert k, 2k,...,k2 uExample 14 382 → 14 23 46 92 184 368 (because 382/14 2 4 and ⌊382/2 4 ⌋ = 23)LucasCondition f and f i belong to a Lucas series (f i = u 0 , f = u k , k 3 and u i+1 = u i + u i−1 )Insert u 1 ,u 2 ,...,u k−1Example 4 23→ 4 5 9 14 (because 4,5,9,14,23 is a Lucas series)For faster results use only Approximation and Halving steps. The choice is simpler and does notrequire any weight function.Example 9.39 This method applied to {1, 2, 47, 117, 343, 499, 933, 5689} returns(1, 2, 4, 8, 10, 11, 18, 36, 47 , 55, 91, 109, 117 , 226, 343 , 434, 489, 499 , 933 , 1422, 2844, 5688, 5689 ).The method of Bos and Coster when combined to a sliding window of big length allows us tocompute x n with a dictionary of small size and no precomputation. The following example is takenfrom [BOCO 1990].Example 9.40 Let n = 26235947428953663183191 and take a window of length 10 (except forthe first digit corresponding to a window of length 13). Thenn=(10110001110015689000000111010010193300 1110101117000000 1011114700000 11111001149900 101010111 ) 2343so that the dictionary is D = {47, 117, 343, 499, 933, 5689} and the corresponding addition chainbuilt with D is of length 89. By way of comparison, Algorithms 9.1 and 9.10 need respectively 110and 93 operations.Finally, see [NEMA 2002] for techniques related to genetic algorithms.9.2.3 Exponentiation using addition chainsOnce an addition chain for n is found it is straightforward to deduce x n .

164 Ch. 9 ExponentiationAlgorithm 9.41 Exponentiation using addition chainINPUT: An element x of G and an addition chain computing n i.e., v and w as in (9.1).OUTPUT: The element x n .1. x 1 ← x2. for i =1 to s do x i ← x j × x k [w(i) =(j, k)]3. return x sExample 9.42 Let us compute x 314 , from the addition chain for 314 given belowi 0 1 2 3 4 5 6 7 8 9 10 11 12v i 1 2 4 8 9 18 19 38 39 78 156 157 314w i — (0, 0) (1, 1) (2, 2) (3, 0) (4, 4) (5, 0) (6, 6) (7, 0) (8, 8) (9, 9) (10, 0) (11, 11)x i x x 2 x 4 x 8 x 9 x 18 x 19 x 38 x 39 x 78 x 156 x 157 x 314Vectorial addition chains are well suited to multi-exponentiation. Here again G isassumedtobeabelian.Algorithm 9.43 Multi-exponentiation using vectorial addition chainINPUT: Elements x 0,...,x r−1 of G and a vectorial addition chain of dimension r computing[n 0,...,n r−1] as in (9.2).OUTPUT: The element x n 00 ···xn r−1r−1 .1. for i = −k +1 to 0 do y i ← x i+k−12. for i =1 to s do y i ← y j × y k [w(i) =(j, k)]3. return y sThe vectorial addition chain for [45, 36, 7] implicitly produced by Algorithm 9.23 is of length 12.A careful search reveals a chain of length 10 as it can be seen in the next table, which displays theexecution of Algorithm 9.43 while computing x 450 x36 1 x7 2 with it. Recall that y −2 = x 0 , y −1 = x 1and y 0 = x 2 .i 1 2 3 4 5 6 7 8 9 10w i (−2, −1) (1, 1) (2, 2) (−2, 3) (0, 4) (4, 5) (0, 6) (6, 7) (8, 8) (5, 9)y i x 0x 1 x 2 0x 2 1 x 4 0x 4 1 x 5 0x 4 1 x 5 0x 4 1x 2 x 100 x 8 1x 2 x 100 x 8 1x 2 2 x 200 x 161 x 3 2 x 400 x 321 x 6 2 x 450 x 361 x 7 29.3 Fixed base pointIn some situations the element x is always the same whereas the exponent varies. Precomputationsare the key point here.

§ 9.3 Fixed base point 1659.3.1 Yao’s methodA simpler version of Algorithm 9.44, which can be seen as the dual of the 2 k -ary method, was firstdescribed in [YAO 1976]. A slightly improved form is presented in [KNU 1981, answertoexercise9, Section 4.6.3]. Note that it is identical to the patented BGMW’s algorithm [BRGO + 1993].Let n, n i , b i , l and h be integers. Suppose that∑l−1n = n i b i with 0 n i

166 Ch. 9 Exponentiation9.3.2 Euclidean methodThe Euclidean method was first introduced in [ROO 1995], see also [SEM 1983]. Algorithm 9.47computes x n generalizing a method to compute the double exponentiation x n00 xn1 1 discussed byBergeron et al. [BEBE + 1989] which is similar to the technique introduced in Section 9.2.2 to findshort addition chains. The idea is to recursively use the equalityx n00 xn1(n1 mod n0)1 =(x 0 x q 1 )n0 × x 1 where q = ⌊n 1 /n 0 ⌋.Algorithm 9.47 Euclidean exponentiationINPUT: The element x of G, an exponent n as in (9.4) and the precomputed values x 0 =x b 0,x 1 = x b 1,...,x l−1 = x b l−1.OUTPUT: The element x n .1. while true do2. Find M such that n M n i for all i ∈ [0,l− 1]3. Find N ≠ M such that n N n i for all i ∈ [0,l− 1], i≠ M4. if n N ≠0 then5. q ←⌊n M /n N ⌋, x N ← x M q × x N and n M ← n M mod n N6. else break7. return x n MMExample 9.48 Take the same exponent 2989 = (232231) 4 and let us evaluate x 2989 .n 5 n 4 n 3 n 2 n 1 n 0 M N q x 5 x 4 x 3 x 2 x 1 x 0— — — — — — — — — x 1024 x 256 x 64 x 16 x 4 x2 3 2 2 3 1 4 1 1 x 1024 x 256 x 64 x 16 x 260 x2 0 2 2 3 1 1 2 1 x 1024 x 256 x 64 x 276 x 260 x2 0 2 2 1 1 5 3 1 x 1024 x 256 x 1088 x 276 x 260 x0 0 2 2 1 1 3 2 1 x 1024 x 256 x 1088 x 1364 x 260 x0 0 0 2 1 1 2 1 2 x 1024 x 256 x 1088 x 1364 x 2988 x0 0 0 0 1 1 1 0 1 x 1024 x 256 x 1088 x 1364 x 2988 x 29890 0 0 0 0 1 0 1 — x 1024 x 256 x 1088 x 1364 x 2988 x 29899.3.3 Fixed-base comb methodThis algorithm is a special case of Pippenger’s algorithm [BER 2002,PIP 1979,PIP 1980]. It is alsooften referred to as Lim–Lee method [LILE 1994]. It is essentially a special case of Algorithm 9.23where the different base points are in fact distinct powers of a single base. Suppose that n =(n l−1 ...n 0 ) 2 . Select an integer h ∈ [1,l]. Leta = ⌈l/h⌉ and choose v ∈ [1,a]. Letr = ⌈a/v⌉and write the n i ’s in an array with h rows and a columns as below (pad the representation of n withzeroes if necessary)

§ 9.3 Fixed base point 167a − 1 ··· 1 0n a−1 ··· n 1 n 0n 2a−1 ··· n a+1 n a. . . .n ah−1 ··· n ah−a+1 n ah−aFor each s, the column number s can be read as the binary representation of an integer denoted byI(s). For example the last column I(0) is the binary representation of I(0) = (n ah−a ...n a n 0 ) 2 .The algorithm relies on the following equalitywhereG[j, i] =x n =r−1∏k=0⎛⎞v−1∏⎝ G[j, I(jr + k)] ⎠j=0( h−1) 2jr∏x is2as for j ∈ [0,v− 1] and i =(i h−1 ...i 0 ) 2 ∈ [0, 2 h − 1].s=02 kAlgorithm 9.49 Fixed-base comb exponentiationINPUT: The element x of G and an exponent n. Let h, a, v, r and G[j, i] be as above.OUTPUT: The element x n .1. y ← 1 and k ← r − 12. for k = r − 1 down to 0 do3. y ← y 24. for j = v − 1 down to 0 do5. I ← P h−1s=0 n as+jr+k2 s [I = I(jr + k)]6. y ← y × G[j, I]7. return yExample 9.50 Once again, let us compute x 2989 .Seth =3and v =2so that a =4=rv, hencer =2. Form the following array from the digits of 2989 = (101110101101) 2The precomputed values ares 3 2 1 0n s ...n 0 1 1 0 1n a+s ...n a 1 0 1 0n 2a+s ...n 2a 1 0 1 1I(s) 7 1 6 5i 0 1 2 3 4 5 6 7G[0,i] 1 x x 16 xx 16 x 256 xx 256 x 16 x 256 xx 16 x 256G[1,i] 1 x 4 x 64 x 4 x 64 x 1024 x 4 x 1024 x 64 x 1024 x 4 x 64 x 1024

168 Ch. 9 ExponentiationThe algorithm proceeds as followsRemarks 9.51k 1 1 1 0 0 0j — 1 0 — 1 0jr + k — 3 1 — 2 0I — 7 6 — 1 5G[j, I] — x 1092 x 272 — x 4 x 257y 1 x 1092 x 1364 x 2728 x 2732 x 2989(i) One needs at most a + r − 2 multiplications and v(2 h − 1) precomputed values. Ifsquarings can be achieved efficiently or “on the fly” (for example in finite fields of evencharacteristic represented through normal bases, see Section 11.2.1.c), only 2 h −1 valuesmust be stored.(ii) The adaptation of this method to larger base representations or signed representationssuch as the non-adjacent form is straightforward.

Chapter ½¼Integer ArithmeticChristophe DocheContents in Brief10.1 Multiprecision integers 170Introduction • Internal representation • Elementary operations10.2 Addition and subtraction 17210.3 Multiplication 174Schoolbook multiplication • Karatsuba multiplication • Squaring10.4 Modular reduction 178Barrett method • Montgomery reduction • Special moduli • Reduction moduloseveral primes10.5 Division 184Schoolbook division • Recursive division • Exact division10.6 Greatest common divisor 190Euclid extended gcd • Lehmer extended gcd • Binary extended gcd • Chineseremainder theorem10.7 Square root 197Integer square root • Perfect square detectionIn most of the cases, the integer ring Z is the fundamental mathematical layer of many cryptosystems.Once it is possible to compute with integers, one can build on top of them finite fields, thencurves and even more complicated objects. More generally, rational, real, complex, and p-adicnumbers, but also polynomials with coefficients in these sets, rely on integers and their arithmeticis greatly influenced by the underlying integer algorithms. That is why integer arithmetic is soimportant and should be performed as efficiently as possible.Practical considerations are therefore the core of this chapter. For instance, we first recall someelementary notions on computers to describe how numbers are internally represented and how wecan manipulate them. Then we describe the four operations and related items such as square rootcomputations or extended gcd algorithms.All the techniques for an efficient implementation from scratch are presented in the followingchapter. However, there already exist a great number of libraries that are highly optimized andavailable on the Internet. Most of them are written in C, like GMP [GMP], BigNum [BIGNUM] orFreeLip [FREELIP].169

170 Ch. 10 Integer ArithmeticSometimes, different algorithms are given for the same operation. In this case, the size of theoperands mainly determines which method should be used. The algorithms presented here havebeen directly taken from [MEOO + 1996], [KNU 1997], [CRPO 2001], and [COH 2000].10.1 Multiprecision integersWithout special software or hardware, computers can only operate on rather small integers. Inorder to consider larger quantities, we first need to recall some elementary facts on integers andcomputers.10.1.1 IntroductionLet b 2 be an integer called the base or the radix. Every integer u>0 can be written in a uniqueway as the sumu = u n−1 b n−1 + ···+ u 1 b + u 0provided 0 u i 0. It corresponds to the length n of (u n−1 ...u 0 ) b and is denoted |u| b .Remarks 10.1(i) The base b representation of zero is always (0) b .(ii) It is sometimes useful to add a certain number of zeroes at the beginning of the representationof u, i.e., to consider (0 ...0 u n−1 ...u 0 ) b . This operation, which obviouslydoes not change the value of u, is called padding.In a computer, the base b is usually a power of 2 and a number is internally stored as a sequence of0 and 1 called bits. The important elementary operations on bits are the following. Given two bitsx and y, we can compute the• complement of x denoted by x, which is equal to 1 if and only if x equals 0• conjunction of x and y, x ∧ y, which is equal to 1 if and only if x and y both equal 1• disjunction of x and y, x∨y, which is equal to 1 if and only if at least one of x, y equals 1• exclusive disjunction of x and y, also called XOR. Theresultx XOR y is equal to 1 ifand only if exactly one of the two values x, y equals 1.Usually computers cannot manipulate bits directly. The smallest quantity of main memory thata computer can address is a byte, which is nowadays almost always a sequence of eight bits. Aprocessor can operate on several bytes at the same time by means of a register. This importanthardware component determines very low-level properties of a processor. The size of a register,called a word, is one of the main characteristics of a chip. Modern computers commonly use wordsof 32 or 64 bits, however it is not unusual, especially in the smart card world, to work with 8 or16-bit devices.

§ 10.1 Multiprecision integers 17110.1.2 Internal representationA single precision integer, also called a 1-word integer, orjustasingle needs only a word to berepresented. For 32-bit architectures such integers belong to [0, 2 32 − 1]. The concept of multiprecisionwas introduced in order to manipulate objects that do not fit in a word. In this case, an array ofconsecutive words is allocated and for instance a n-word integer is an integer whose representationrequires n words.There are several ways to store information in the memory of a computer, the order being especiallyimportant. Usually a byte comes with the most significant bit first. To describe the orderingof bytes within a word, there is a specific terminology. Namely, in little endian format the leastsignificant byte is stored first, whereas in big endian representation, the sequence begins with themost significant byte. For instance, on a 32-bit PC, the single 262657 = 2 18 +2 9 +1is representedin little endian format by 00000001 00000010 00000100 00000000. The representation of the sameinteger in big endian, commonly used in RISC architectures, is 00000000 00000100 0000001000000001. To represent multiple precision integers, the same kind of choice occurs for words aswell. Note that when the least significant word comes first, as it is the case for many multiprecisionimplementations, an integer can have different representations with as many high order zeroes aswanted. To illustrate the exposition, we will give examples more classically written with the mostsignificant word first.For example, take u = (1128103691808033) 10 and b =2 32 . Then u has 51 digits in base 2,namelyu =(100000000100000000126265700011011110100011110110100100001) 2466742561so that u = (262657 466742561) 2 32. Thus u is a 2-word integer, also called a double precisioninteger or just a double.We will also have to deal with negative values. They can be represented in two different ways.• In signed-magnitude notation, the sign of an integer is independently coded by a bit,byte, or word. For instance, 0 for positive values and 1,orb − 1 for negative ones. Thusu = ( s, (u n−1 ...u 0 ) b)stands for un−1 b n−1 + ···+ u 0 or −(u n−1 b n−1 + ···+ u 0 )depending on the value of s. Therefore 0 has two representations ( 0, (0 ...0) b)and say(b − 1, (0 ...0)b). As a consequence, the opposite of u is easily obtained since we onlyneed to modify s.• In complement format, if the highest bit of the most significant word is 0 then the integer(u n−1 ...u 0 ) b is nonnegative and must be understood as u n−1 b n−1 + ···+ u 0 .Otherwise (u n−1 ...u 0 ) b is equal to −b n + u n−1 b n−1 + ···+ u 0 which is always negative.The representation (0 ...0) b of 0 is unique and if u is nonzero, the opposite of uis (u n−1 ...u 0 ) b +1where u i = b − 1 − u i is the bitwise complement of u i . Computingthe opposite is therefore more costly with this representation as each bit needs to bechanged. Note also that padding u with zeroes drastically changes the representation ofthe opposite in this case.Example 10.2 With a radix b equal to 4, 152 is represented by (0, (2120) 4 ) in signed-magnitudeformat and −152 is trivially (3, (2120) 4 ). In complement notation, 152 = (02120) 4 and (31213) 4 +1 that is (31220) 4 stands for −4 4 +4 3 +2× 4 2 +2× 4=−152.In base 2, complement notation is called two’s complement notation and the highest bit of an integercodes its sign in both representations. Therefore the same sequence of bits corresponds to differentvalues. For instance (10011000) 2 is equal to −24 in signed-magnitude format whereas it is equalto −104 in two’s complement notation.

172 Ch. 10 Integer Arithmetic10.1.3 Elementary operationsComputers have highly optimized built-in operations for single precision integers. Thus in thesequel we will describe the arithmetic of multiprecision integers, assuming the existence of thefollowing low-level operations:• Comparison of two singles returning a boolean 0 or 1. For instance, the equality = andthe natural ordering < of two integers can be directly determined.• Bitwise complement of a single u,thatisu = b − 1 − u.• Bitwise conjunction, disjunction and exclusive disjunction of the singles u and v, thatisrespectively u ∧ v, u ∨ v and u XOR v.• The right and left shifts of t bits of the single u, respectively denoted by u>>tandu

§ 10.2 Addition and subtraction 173Algorithm 10.3 Addition of nonnegative multiprecision integersINPUT: Two n-word integers u =(u n−1 ...u 0) b and v =(v n−1 ...v 0) b .OUTPUT: The (n +1)-word integer w =(w n ...w 0) b such that w = u + v, w n being 0 or 1.1. k ← 0 [k is the carry]2. for i =0 to n − 1 do3. w i ← (u i + v i + k) modb [0 w i

174 Ch. 10 Integer Arithmetic(iii) One can apply Algorithm 10.5 without checking if u v. Ifk = −1 at the end, thenthe output is related to the complement representation of the negative number u − v. Toobtain |u − v| one can repeat Algorithm 10.5 with u =(0...0) b and v = w. Note thatthe second subtraction is actually a computation of the complement of w and it is fasterimplemented via a simplified version of the algorithm with the value u =0hardwired.Example 10.7 Let us compute u − v when u is smaller than v. Takeu = 2165 and v = 58646.i u i − v i k w 4 w 3 w 2 w 1 w 00 −1 0 — — — — 91 2 −1 — — — 1 92 −5 0 — — 5 1 93 −6 −1 0 3 5 1 94 −5 −1 4 3 5 1 92-nd execution with u = (00000) 10 and v = w0 −9 0 — — — — 11 −1 −1 — — — 8 12 −5 −1 — — 4 8 13 −3 −1 — 6 4 8 14 −4 −1 5 6 4 8 1So |u − v| = 56481 and it can be deduced that u − v = −56481 since k = −1 at the end of theexecution. The complement representation of −56481 is 943519.10.3 MultiplicationMultiplication is a very important operation. Its optimization is crucial since it is the most timeconsumingpart for a wide range of applications. For instance, the efficiency of division algorithmsdepends to a large extent on the speed of the multiplication that is used. The complexity of amultiplication algorithm is therefore an important parameter for a complete arithmetic system. Inthe following, the number of elementary operations necessary to multiply two n-word integers willbe denoted by M(n). In the remainder, we shall often encounter situations where the best algorithmto be used to perform a given task is chosen in a set and determined by parameters such as the sizeof the arguments and the adopted computer architecture. This is the case for multiplication. Wedescribe in detail the schoolbook and the Karatsuba multiplication, which are the only interestingones for the range of integers we consider. However, many other algorithms exist. See [BER 2001a]for a comprehensive presentation of multiplication methods.10.3.1 Schoolbook multiplicationOne starts with the simplest method known for at least four millennia.Algorithm 10.8 Multiplication of positive multiprecision integersINPUT: An m-word integer u =(u m−1 ...u 0) b and an n-word integer v =(v n−1 ...v 0) b .OUTPUT: The (m + n)-word integer w =(w m+n−1 ...w 0) b such that w = uv.1. for i =0 to n − 1 do w i ← 0 [see the remark below]2. for i =0 to n − 1 do

§ 10.3 Multiplication 1753. k ← 0 [k is the carry]4. if v i =0 then w m+i ← 0 [optional test]5. else6. for j =0 to m − 1 do7. t ← v iu j + w i+j + kˆ0 t

176 Ch. 10 Integer Arithmetic10.3.2 Karatsuba multiplicationIn the mid-1950’s, Kolmogorov made the conjecture that the lower estimate of M(n) was of theorder of n 2 , whatever the method used. However, in 1960, one of his students, namely Karatsuba,discovered a method in O(n lg 3 ),wherelg is the logarithm to base 2. The method was later publishedin[KAOF1962]. The interesting genesis of the so-called Karatsuba method is explained in[KAR 1995].For the sake of clarity, set R = b n , d =2n and let u =(u d−1 ...u 0 ) b and v =(v d−1 ...v 0 ) bbe two d-word integers. The method relies on the following observation. Split both u and v in two,namely the least and most significant parts, so that u = U 1 R + U 0 and v = V 1 R + V 0 . Then onecan check thatuv = U 1 V 1 R 2 + ( (U 0 + U 1 )(V 0 + V 1 ) − U 1 V 1 − U 0 V 0)R + U0 V 0 .One needs apriorifour multiplications to compute uv but as a multiplication by R is just a shift, oneperforms actually some additions and only three multiplications, which are U 1 V 1 , (U 1 + U 0 )(V 0 +V 1 ),andU 0 V 0 . Moreover, a recursive approach allows us to reduce the size of the operands untilthey are sufficiently small so that the schoolbook multiplication is faster. In practice, this holds whend becomes smaller than a threshold d 0 , depending essentially on the processor used. Granlundperformed tests with GMP on several architectures to determine the optimal value of d 0 . Resultsspread from 8 up to more than 100 [GRA 2004, GMP].Algorithm 10.11 Karatsuba multiplication of positive multiprecision integersINPUT: An n-word integer u =(u n−1 ...u 0) b ,anm-word integer v =(v m−1 ...v 0) b ,thesized =max{m, n}, and a threshold d 0.OUTPUT: The (m + n)-word integer w =(w m+n−1 ...w 0) b such that w = uv.1. if d d 0 then return uv [use Algorithm 10.8]2. p ←⌊d/2⌋ and q ←⌈d/2⌉3. U 0 ← (u q−1 ...u 0) b and V 0 ← (v q−1 ...v 0) b4. U 1 ← (u p+q−1 ...u q) b and V 1 ← (v p+q−1 ...v q) b [pad with 0’s if necessary]5. U s ← U 0 + U 1 and V s ← V 0 + V 16. compute recursively U 0V 0,U 1V 1 and U sV s [corresponding sizes being q, p and q]7. return U 1V 1b 2q + `(U sV s − U 1V 1 − U 0V 0)´b q + U 0V 0Remark 10.12 The number of elementary operations required by Algorithm 10.11 to multiply twon-word integers shall be denoted by K(n). AsK(n) 3K(n/2) + cn/2 for some constant c, onefinds by induction that K(n) =O(n lg 3 ) ≈ O(n 1.585 ).Example 10.13 Let us multiply u = 564986 and v = 1279871 by Algorithm 10.11 with d 0 =4.So one has d =7, q =4and R =10 4 .PutWith Algorithm 10.8, computeU 1 =56, U 0 = 4986V 1 = 127, V 0 = 9871U s = 5042, V s = 9998.U 0 V 0 = 49216806, U 1 V 1 = 7112 and U s V s = 50409916

§ 10.3 Multiplication 177to obtainuv = 7112 × 10 8 + (50409916 − 7112 − 49216806) × 10 4 + 49216806= 723109196806.Other multiplication algorithms, like Toom–Cook or Fast Fourier Transform methods [KNU 1997]based on interpolation are asymptotically more efficient, but the gain occurs only for very large n,out of the range of the sizes used nowadays for cryptosystems based on elliptic and hyperellipticcurves.10.3.3 SquaringIt seems simpler to square a number than to multiply two arbitrary integers. This feeling is supportedby the existence of a specific algorithm suggested by the formula( n−1) 2∑n−1∑u i b i = u 2 i b2i +2 ∑ u i u j b i+j .i=0i=0i

178 Ch. 10 Integer ArithmeticExample 10.16 Let us follow the computation of the square of u = (769) 10 by Algorithm 10.14.Below are displayed the values of some relevant parameters after Lines 4 and 7 execute.i j u 2 i w 2i 2u iu j w i+j t k w 5 w 4 w 3 w 2 w 1 w 00 — 81 0 — — 81 8 0 0 0 0 0 11 — — 108 0 116 11 0 0 0 0 6 12 — — 126 0 137 13 0 0 13 7 6 11 — 36 7 — — 43 4 0 0 13 3 6 12 — — 84 13 101 10 0 10 1 3 6 12 — 49 10 — — 59 5 5 9 1 3 6 1It is also possible to write a specific squaring procedure inspired by Karatsuba’s idea. Indeed, onecan check that if u = U 1 R + U 0 and U s = U 0 + U 1 , as defined in Section 10.3.2, thenu 2 = U 2 1 R 2 +(U 2 s − U 2 1 − U 2 0 )R + U 2 0so that intermediate steps only require squarings as well. The minimal word size d 1 ,forwhichitisfaster to use, Karatsuba method against a naïve approach, should be greater than the threshold d 0used for Karatsuba multiplication in Algorithm 10.11. Set approximately d 1 =2d 0 [GRA 2004].10.4 Modular reductionIn many situations, only the remainder of a Euclidean division is required. In the following, onedescribes two general methods to reduce a number modulo an integer N. In practice N will oftenbe prime, and the corresponding reduction is an essential operation for prime field arithmetic. Wealso consider moduli of special form and introduce a reduction method modulo several primes.The obvious way to obtain u mod N consists in dividing u by N and computing the remainder.The following methods allow more efficient execution. Sometimes an almost reduced elementwhich is not minimal is accepted as an intermediate result.10.4.1 Barrett methodIf u and N are both real numbers or formal series, there is another method to divide u by N. First,compute the inverse of N to a sufficient precision and then multiply it by u. The inverse is oftencomputed with Newton method, i.e., the iterationx ← x − x(Nx− 1)starting from an initial approximation x 0 . Such a precomputation of N −1 proves useful if manyreductions modulo N are necessary.There is a similar technique for integers. Let N be an n-word integer. We define the reciprocalinteger of N as R(N) = ⌊ b 2n /N ⌋ . Now if u is a 2n-word integer we see that⌊ ⌋⌊uq = is also equal toNu b 2nb n−1 Nb n+1⌋which can be approximated by⌊⌊ u⌋ ⌋b Rˆq =n−1 b n+1 ·

§ 10.4 Modular reduction 179In addition we have q −2 ˆq q and it can be shown that ˆq = q in about 90% of the cases whereasˆq will be 2 in error in only 1% of the cases. This is the so-called Barrett method [BAR 1987]. See[BOGO + 1994] for further improvements.For modular reduction this approximation is sufficient as û = u − ˆqN is in the same residue classmodulo N as u and will be minimal if ˆq = q. Ifû>N, one needs at most 2 subtractions by N toobtain the minimal representative.When a lot of divisions are performed with a fixed divisor, for instance when computing in a finitefield, this approach is very efficient. Indeed R is precomputed and the quotient and remainder of aEuclidean division by some power of b can be trivially determined.Algorithm 10.17 Division-free modulo of positive multiprecision integersINPUT: A 2n-word integer u =(u 2n−1 ...u 0) b and the n-word integer N =(N n−1 ...N 0) bwith N n−1 ≠0. The quantity R = ¨b 2n /N ˝ is precomputed.OUTPUT: The n-word integer r =(r n−1 ...r 0) b such that u ≡ r (mod N).1. ˆq ← ¨⌊(u/b n−1 )⌋R/b n+1˝[q − 2 ˆq q ]2. r 1 ← u mod b n+1 , r 2 ← (ˆqN) modb n+1 and r ← r 1 − r 23. if r

180 Ch. 10 Integer Arithmeticcomplexity as an n-word multiplication [MEOO + 1996, p. 604], cf. also Section 11.1.1.(ii) The number of iterations through Algorithm 10.18 is O ( lg lg(N +2) ) .Example 10.20 Let u = 893994278 and N = 21987 and take b =2. First, one computes Rwith Algorithm 10.18. Since n =15,setR =2 15 and the successive values of R are indicatedbelows R t— 32768 —32768 43549 —43549 48264 —48264 48829 —48829 48836 —48836 48836 —— 48836 −15308— 48835 6679Finally R is 48835. Then the determination of the quotient can be done with Algorithm 10.17.Indeed n =15, u = (1101010100100101 00010100100110) 2 and we can see that ⌊u/2 n−1 ⌋ =(1101010100100101) 2 = 54565. After computing the highest bits of the product of this last termby R, another shift gives an approximation of the quotient ˆq = 40659 whereas the exact valueof q is 40660. Then one computes r 1 = 17702, r 2 = 58393 with another partial product andr = r 1 − r 2 = −40691. Sincer

§ 10.4 Modular reduction 181Algorithm 10.22 Montgomery reduction REDC of multiprecision integersINPUT: An n-word integer N =(N n−1 ...N 0) b such that gcd(N,b) =1, R = b n , N ′ =(−N −1 )modb and a 2n-word integer u =(u 2n−1 ...u 0) b

182 Ch. 10 Integer Arithmeticin base b =2 3 , one first sets N ′ =(−N −1 )mod8=5and the successive steps arei t i k i k i Nb i t— — — — (37126505) 80 5 1 (3733) 8 (37132440) 81 4 4 (175540) 8 (37330200) 82 2 2 (766600) 8 (40317000) 83 7 3 (13621000) 8 (54140000) 8— — — — (5414) 8— — — — (1461) 8In [BOGO + 1994] the authors give the following table that compares the complexities of classical,Barrett, and Montgomery reduction for n-bit integers.Algorithm Classical Barrett MontgomeryMultiplications n(n +2.5) n(n +4) n(n +1)Divisions n 0 0Precomputations Normalization of N ⌊b 2n /N ⌋ ReductionRestrictions None u

§ 10.4 Modular reduction 183One deduces the following algorithm.Algorithm 10.25 Fast reduction for special form moduliINPUT: A positive integer x and a modulus p = b k + c such that |c| b k−1 − 1.OUTPUT: The positive residue x modulo p.1. q 0 ←⌊x/b k ⌋, r 0 ← x − q 0b k , r ← r 0, i =0 and c ′ = |c|2. while q i > 0 do3. q i+1 ←⌊q ic ′ /b k ⌋4. r i+1 ← q ic ′ − q i+1b k5. r ← r +(−1) i+1 r i and i ← i +16. while r p do r ← r − p7. while r

184 Ch. 10 Integer ArithmeticFor example, the field F p where p =2 192 − 2 64 − 1 is recommended by standards for elliptic curvecryptography. If x

§ 10.5 Division 185times as necessary. This process can be sped up with some precomputations, as suggested by thefollowing piece of code for 32-bits architecture. The i-th entry in array T contains the maximalexponent r 5 such that 2 r divides i.1. T ← [5, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0, 4, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0]2. i ← u ∧ 313. u ← u>>T[i]4. while u ∧ 1=0 do u ← u>> 1 and T [i] ← T [i]+1At the end, the even part is 2 T [i] and u holds the odd part. Note that the instructions in the whileloop are performed only in case i =0when 2 k divides u with k>5.Another simple case of interest is when v is a single precision integer. The next algorithm willoften be used in the sequel, at least implicitly.Algorithm 10.28 Short division of positive multiprecision integersINPUT: An n-word integer u =(u n−1 ...u 0) b and a nonzero single v =(v 0) b .OUTPUT: The n-word integer q =(q n−1 ...q 0) b and the single r =(r 0) b such that u = vq+r.1. r 0 ← 0 [r 0 is the remainder]2. for i ← n − 1 down to 0 do3. t ← (r 0b + u i)4. q i ←⌊(r 0b + u i)/v 0⌋ and r 0 ← t mod v 0 [q n−1 may be 0]5. return (q, r)Example 10.29 Let us divide (8789) 10 by 7 using Algorithm 10.28.i u i t q i r 03 8 8 1 12 7 17 2 31 8 38 5 30 9 39 5 4At the end, q = (1255) 10 and r 0 =4as expected since 8789 = 7 × 1255 + 4.10.5.1 Schoolbook divisionThe next algorithm due to Knuth [KNU 1997] is a refined version of the customary method taughtat school for performing division of multidigit numbers.Algorithm 10.30 Schoolbook division of positive multiprecision integersINPUT: An (m + n)-word integer u = (u m+n−1 ...u 0) b and an n-word integerv =(v n−1 ...v 0) b where v n−1 > 0 and n>1.OUTPUT: The (m+1)-word integer q =(q m ...q 0) b and the n-word integer r =(r n−1 ...r 0) bsuch that u = vq + r.1. u m+n ← 0 and d ← 12. while v n−1

186 Ch. 10 Integer Arithmetic4. for i = m down to 0 do5. ˆq ← min(⌊(u i+nb + u i+n−1)/v n−1⌋,b− 1)6. while ˆq(v n−1b + v n−2) > (u i+nb 2 + u i+n−1b + u i+n−2) do7. ˆq ← ˆq − 18. (u i+n ...u i) b ← (u i+n ...u i) b − ˆq(v n−1 ...v 0) b9. if (u i+n ...u i) b < 0 then [occurs with probability 2/b]10. ˆq ← ˆq − 111. (u i+n ...u i) b ← (u i+n ...u i) b +(0v n−1 ...v 0) b12. q i ← ˆq13. r ← u/d [unnormalization]14. return (q, r)Remarks 10.31(i) The for loop computes q i = ⌊ (u i+n ...u i ) b /(v n−1 ...v 0 ) b⌋. These steps are similar tothe Line 4 of Algorithm 10.28. This determination relies on a guess, i.e., the approximationof q i by ˆq, Line 5. One always has q i ˆq.(ii) At the beginning, u and v are multiplied by d, a suitable power of 2, such that v n−1 b/2. This normalization is particularly well suited when the radix is a power of 2. Itensures that ˆq q i +2. Thus the statement ˆq ← ˆq − 1 in Line 7 is encountered at mosttwice. The normalization does not change the quotient whereas the remainder must bedivided by d at the end.Example 10.32 Let us divide (115923) 10 by (344) 10 . So n =3and m =3. Because of thenormalization, one sets u = (231846) 10 , v = (688) 10 and d =2.i 3 2 1 0(u i+n b + u i+n−1 ) 2 23 25 48ˆq =min(⌊(u i+n b + u i+n−1 )/v n−1 ⌋,b− 1) 0 3 4 8u i+n b 2 + u i+n−1 b + u i+n−2 23 231 254 480ˆq(v n−1 b + v n−2 ) 0 3× 68 = 204 4 × 68 = 272 8 × 68 = 544ˆq in Line 8 0 3 3 7(u i+n ...u i ) b 231 2318 2544 4806ˆq(v n−1 ...v 0 ) b 0 3× 688 = 2064 3 × 688 = 2064 7 × 688 = 4816q i 0 3 3 6(u i+n ...u i ) b in Line 12 (0231) 10 (0254) 10 (0480) 10 (0678) 10Finally 231846 = 688 × 336 + 678 so that 115923 = 344 × 336 + 339.

§ 10.5 Division 187Remark 10.33 Another normalization allows us to do less elementary divisions. Following an ideaof Quisquater [QUI 1990, QUI 1992], let v ′ be the smallest multiple of v bigger than b n+1 . Letq ′ = u/v ′ and r ′ = u mod v ′ . The approximation of the digits of q ′ is now trivial since the first twodigits of v ′ are (10) b , but as above, some corrections might be necessary. When q ′ is determined weeasily deduce q and r from q ′ and r ′ .When several divisions by the same v are carried out this technique is even more interesting aswe compute v ′ only once. Therefore this idea is useful to speed up prime field reductions; seeSection 11.1.2.a.Example 10.34 Let u = (797598) 10 and v = (983) 10 ;wehavev ′ =11v = (10813) 10 . We obtainq 1 ′ =7and u − 70v′ = 40688. Then we should set q 0 ′ =4but this approximation is one in excessso that q 0 ′ =3and u − 73v ′ = 8249. Sou = q ′ v ′ + r ′ with q ′ =73 and r ′ = 8249.Now r ′ =8v + 385 so thatu =(11× 73 + 8)v + 385 = 811v + 385.We perform only 2 true divisions instead of n. Whenb is larger the saving is noticeable [ZIM 2001].Another simplification is possible since we can suppose that:the length of u is 2n, the length of v is n, v is normalized, i.e., b/2 v n−1

188 Ch. 10 Integer ArithmeticAlgorithm 10.35 Recursive division of positive multiprecision integersINPUT: A 2n-word u =(u 2n−1 ...u 0) b ,ann-word v =(v n−1 ...v 0) b as in (10.1). The size nis a parameter whereas the threshold n 0 is fixed.OUTPUT: The n-word integers q =(q n−1 ...q 0) b and r =(r n−1 ...r 0) b such that u = vq+r.1. if n n 0 then determine q and r with Algorithm 10.302. p ←⌈n/2⌉ and t ←⌊n/2⌋3. U 1 ← (u 2n−1 ...u 2t) b and U 0 ← (u 2t−1 ...u 0) b [u =(U 1 || U 0) b ]4. V 1 ← (v n−1 ...v t) b and V 0 ← (v t−1 ...v 0) b [v =(V 1 || V 0) b ]5. Q 1 ← (q n−1 ...q t) b and Q 0 ← (q t−1 ...q 0) b [q =(Q 1 || Q 0) b ]6. if U 1

§ 10.5 Division 189Algorithm 10.35. The intermediate steps are as follows:• n =5, p =3, t =2, U 1 = (654123) 10 , U 0 = (7201) 10 , V 1 = (654) 10 and V 0 = (27) 10 .• U 1 1000 × V 1 so Q 1 = 999 and r = u − 999 × 100 × v = 5079 901.• R 1 = (5079) 10 , R 0 = (901) 10 , V 1 ′ = (65) 10 and V 0 ′ = (427) 10.• R 1 < 100 × 65 so we get Q 0 = ⌊5079/65⌋ =78and R 1 = 5079 mod 65 = 9 by arecursive call which reduces in this case to a schoolbook division.• Finally q =(Q 1 || Q 0 ) 10 = 99978, r =(R 1 || R 0 ) 10 =(9|| 901) 10 = 9901 and r −V ′0Q 0 = −23405 < 0.Thus we set r = r + v = 42022 and q = 99977 and terminate the algorithm. It is easy to check thatthese are the correct values.10.5.3 Exact divisionIf u and v are positive numbers, then it is possible to test if v divides u without exactly computingthe remainder u mod v. This is helpful as there are specialized algorithms for exact division.Indeed, first remark that if v | u, the largest power of 2 dividing u must be bigger than the one ofv. So we can assume without loss of generality that v is odd. The idea is now to use Montgomeryreduction REDC modulo v, see Algorithm 10.22. More precisely, set t ← u and repeat t ← REDC(t)until t

190 Ch. 10 Integer Arithmetic3. for i =0 to m do4. q i ← (u 0t) modb5. u ← `(u − vq i)modb m+1−i´/b6. return qRemarks 10.40(i) At the end of the first line gcd(v 0 , 2) = 1. Sinceb =2 l this implies that gcd(v 0 ,b)=1.(ii) The quantity v0 −1 mod b is computed once but is used at each iteration. It can be obtainedin a very efficient way. Indeed, if t =(a −1 )modb then a −1 =(2t − at 2 )modb 2 . This trick used a couple of times after a search in a table of inverses modulo 2 8 givesgood results [JEB 1993a].(iii) A slightly different procedure allows us to compute the quotient ⌊u/v⌋ when the remainderr = u mod v is known. Obviously it is enough to replace the last two statements inthe for loop by q i ← ( (u 0 − r i )t ) mod b and u ← ( (u − r i − vq i )modb m+1−i) /b.(iv) Krandick and Jebelean [KRJE 1996] designed a method to compute the highest digitsof the quotient without computing the remainder. Their method is well suited to computethe first half of the digits of an exact division, the other half being computed byAlgorithm 10.39.Example 10.41 One checks that v = (238019) 10 divides u = (322413634849) 10 . One has n =m =6. Let us find the quotient q = u/v with Algorithm 10.39. The inverse of 9 modulo 10 ist =9. Next table shows the progress of Algorithm 10.39 along the execution of the for loop.i 0 1 2 3 4 5 6q i =(u 0 t)modb 1 7 5 4 5 3 1(u − vq i )modb m+1−i 3396830 673550 77260 55650 15470 87490 70730u 339683 67355 7726 5565 1547 8749 7073Finally q = (1354571) 10 .10.6 Greatest common divisorThe following algorithms are described in [COH 2000, LER 1997]. We introduce Euclid, Lehmerand binary methods and give in fact the extended versions of these variants. Indeed, given two integersx and N, the algorithms given below not only compute d =gcd(x, N) but also the integers uand v such that xu + Nv = d. Usually, this is the preferred method to compute the inverse of an elementin (Z/N Z) ∗ , see also Section 11.1.3 for specific methods to compute such a modular inverse.Another very important application is linked to the Chinese remainder theorem, cf. Corollary 2.24and Algorithm 10.52 below.

§ 10.6 Greatest common divisor 19110.6.1 Euclid extended gcdAlgorithm 10.42 Euclid extended gcd of positive integersINPUT: Two positive integers x and N such that x

192 Ch. 10 Integer ArithmeticMost of the running time is taken by computing the quotient q ←⌊A/B⌋. Moreover, in 41% ofthe cases one obtains q =1, which motivates choosing this value in all cases on the cost of morerounds, as is the case for the binary gcd algorithm, cf. Section 10.6.3. Note that Gordon proposedto use an approximation of the quotient by a suitable power of 2 [GOR 1989]. When x and n aremultiprecision integers a variant due to Lehmer also avoids a full determination of the quotient.10.6.2 Lehmer extended gcdLehmer’s idea [LEH 1938] is to approximate ⌊A/B⌋ with the most significants digits of A and Band to update them when necessary in computing the matrix product[ ]A←B][ ]β Aα ′ β ′ B[α(10.2)which performs several cumulated steps. The single precision integers α, α ′ ,βand β ′ are computedby a subalgorithm successively improved by Collins [COL 1980], Jebelean [JEB 1993b] and Lercier[LER 1997]. Here we state the skeleton of this algorithm, the improvements differ in the way Line3 is performed.Algorithm 10.45 Lehmer extended gcd of multiprecision positive integersINPUT: Two m-word multiprecision positive integers x and N in base b =2 l such that xl do3. compute α, α ′ ,βand β ′ by subalgorithm 10.46 with arguments A and B" # " #" #A α β A4.←B α ′ β ′ B" # " #" #U A α β U A5.←U B α ′ β ′ U B6. compute (u, v, d) by Algorithm 10.42 with arguments A and B7. u ← uU A + vU B, v ← (d − xu)/N8. return (u, v, d)From  and ˆB, i.e., the l most significants bits of A and B expressed in base b =2 l ,Lehmerderives two approximated quotients. Whenever they differ, A and B must be updated as in (10.2).Collins and Jebelean have an equivalent condition to determine α, α ′ , β, andβ ′ with only onequotient. Now experiments show that if the size of  and ˆB is about b then the order of magnitudeof α, α ′ β,β ′ is less than √ b. In order to increase the size of these coefficients Lercier [LER 1997]mixes single and double precision approximations. We present this last improvement now.

§ 10.6 Greatest common divisor 193Sub-algorithm 10.46 Partial gcd of positive multiprecision integers in base b =2 lINPUT: Two positive integers A and B.OUTPUT: Integers α, α ′ ,βand β ′ as above.—1.  ←A2 max(|A| 2)−l,0)—2. ˆB ←B2 max(|A| 2−l,0)3. α ← 1, β ← 0, α ′ ← 0, β ′ ← 1 and T ← 04. if ˆB ≠0 then q ←⌊ Â/ ˆB⌋ and T ←  mod ˆB5. if T 2 l/2 then6. while true do7. q ′ ←⌊ˆB/T⌋ and T ′ ← ˆB mod T8. if T ′ < 2 l/2 then break9.  ← ˆB, ˆB ← T10. T ← α − qα ′ , α ← α ′ and α ′ ← T11. T ← β − qβ ′ , β ← β ′ and β ′ ← T12. T ← T ′ and q ← q ′h ← the l most significants bits of AihˆB might be 0i13. if β =0 then α ← 0, β← 1, α ′ ← 1,β ′ ←−⌊A/B⌋ and return (α, β, α ′ ,β ′ )—i14.  ←Ah ← the 2l most significants bits of A15. ˆB ←—# " " α16. =ˆB α ′—17.  ←18. ˆB ←—2 max(|A| 2−2l,0)B2 max(|A| 2−2l,0)#β#"Âβ ′ ˆB iÂh ← the l most significants bits of Â2 max(|Â| 2−l,0)ˆB2 max(|Â| 2−l,0)and T ← 019. if ˆB ≠0 then q ←⌊ Â/ ˆB⌋ and T ←  mod ˆB20. if T 2 l/2 then21. while true do22. q ′ ←⌊ˆB/T⌋ and T ′ ← ˆB mod T23. if T ′ < 2 l/2 then return (α, β, α ′ ,β ′ )24.  ← ˆB, ˆB ← T25. T ← α − qα ′ , α ← α ′ and α ′ ← T26. T ← β − qβ ′ , β ← β ′ and β ′ ← T27. T ← T ′ and q ← q ′28. return (α, β, α ′ ,β ′ )

194 Ch. 10 Integer ArithmeticRemark 10.47 With Lehmer’s original algorithm [COH 2000] A and B decrease by 13 bits (respectively29 bits) on average for each iteration when b =2 32 (respectively 2 64 ). With Sub-algorithm10.46 the gain is of 22 bits (respectively 53 bits) on average.Example 10.48 With b =2 16 let us compute the extended gcd of N = 26498041357 and x =8378459450. With the initial algorithm of Lehmer, the intermediate steps are" #α βα ′ β ′A B U A U B u v d"1— 26498041357 8378459450 0 1 — — —#−31362663007 202481408 −3 19 — — —−6 19" #−4 2716345988 5668885 525 −1439 — — —11 −74" #−9 26277118 106431 −42139 79436 — — —17 −49" #−3 85 −1320094 1987 761905 −1243363 — — —— — — — — 10055119245 −3179344757 1With Sub-algorithm 10.46 less steps are needed, namely" #α βα ′ β ′A B U A U B u v d— 26498041357 8378459450 0 1 — — —" #−43 13654706849 38360861 136 −389 — — —123 −389" #115 −164106431 64256 79436 −201011 — — —−291 415— — — — — 10055119245 −3179344757 110.6.3 Binary extended gcdTo compute the gcd of two integers A and B one can also repeatedly apply the following rules:• if A and B are both even then gcd(A, B) =2gcd(A/2,B/2)• if A is even and B is odd then gcd(A, B) =gcd(A/2,B)• if A and B are both odd then |A − B| is even so that gcd(A, B) =gcd(A, |A − B|/2).In addition |A − B| max{A, B}.Since A and B are not necessarily of the same order of magnitude, it is wise to reduce the size of theoperands once. So only one division with remainder is required by the following algorithm, whichis therefore especially interesting in computing the gcd of multiprecision integers.

§ 10.6 Greatest common divisor 195Algorithm 10.49 Extended binary gcd of positive integersINPUT: Two positive integers x and N such that x 0 then U B ← U A and A ← t ′ else B ← x − U A and v ′ ←−t ′13. U A ← U B − B and t ′ ← A − v ′14. if U A < 0 then U A ← U A + x15. while t ′ ≡ 0 (mod 2) and t ′ ≠016. t ′ ← t ′ /217. if U A ≡ 0 (mod 2) then U A ← U A/2 else U A ← (U A + x)/218. u ← U B, v ← (A − xu)/N and d ← 2 k A19. if f =1 then T ← u, u ← v and v ← T20. u ← u − vq21. return (u, v, d)We shall not describe here asymptotically faster methods such as the generalized binary algorithms[LER 1997], since they become more efficient for integers larger than 2 600 . This size is completelyout of the range for elliptic and hyperelliptic cryptosystems.Remarks 10.50(i) On average Euclidean quotients in Algorithm 10.42 are small. It is even possible toshow that q =1is the most probable case. The corresponding probability, defined in asuitable sense, is 0.41504 ...,see[COH 2000]. This justifies performing subtractionsinstead of divisions even if the number of steps needed is greater.(ii) Traditionally, to compute (k/x) modN one performs the multiplication of k by theinverse of x whereas a direct computation is possible. Indeed it suffices to set U B ← kinstead of U B ← 1, in Lines 1, 1 and 8 of Algorithms 10.42, 10.45, and 10.49.Example 10.51 Let us compute the extended gcd of x = 67608 and N = 830616 with Algorithm10.49.

196 Ch. 10 Integer ArithmeticIn Line 1, one performs a classical reduction to obtain variables of comparable size. For theseparticular values, this step saves many computations since we have q = ⌊N/x⌋ =12.Theninthewhile loop starting Line 4, we remove the highest power of 2 dividing the gcd, thatisk =3.AfterLine 7, x and N are respectively equal to 2415 and 8451.The next table contains the values of the relevant parameters A, B, U A , U B , t ′ and v ′ before theexecution of Line 12.A B U A U B t ′ v ′8451 2415 0 1 −2415 24158451 2415 604 1 1509 24151509 2415 302 604 −453 24151509 2113 783 604 33 45333 2113 875 783 −105 45333 1540 811 783 −9 10533 1604 803 783 3 93 1604 807 803 −3 9We set u = 803, v =(A − Nu)/x = −2810 and d =2 k A =24. Finally, the value of u iscorrected to take into account the initial reduction, i.e., u = u − vq = 34523. We easily check thatux + vN =24.10.6.4 Chinese remainder theoremSuppose one wants to find a solution to the system⎧x ≡ x 1 (mod n 1 )⎪⎨ x ≡ x 2 (mod n 2 )⎪⎩.x ≡ x k (mod n k )where the n i ’s are pairwise coprime integers and the x i ’s are fixed integers. Corollary 2.24 ensuresthat there is a unique solution modulo N = n 1 n 2 ...n k and in fact, such a solution is easy to find.Let N i = N/n i . Since the n i ’s are pairwise coprime one has gcd(N i ,n i )=1for all i, andanextended gcd computation gives a i such that a i N i ≡ 1(modn i ). Clearly, a solution is then givenbyx = a 1 N 1 x 1 + a 2 N 2 x 2 + ···+ a k N k x k .This is the idea behind the following algorithm, which performs more efficiently and computes xinductively. At each step, given an integer x such that x ≡ x i (mod n i ) for all i j, it finds xsatisfying x ≡ x i (mod n i ) for all i j +1.Algorithm 10.52 Chinese remainder computationINPUT: Pairwise coprime integers n 1,...,n k and integers x i for 1 i k.OUTPUT: An integer x such that x ≡ x i (mod n i), for all 1 i k.1. N ← n 1 and x ← x 12. for i =2 to k do3. compute u and v such that un i + vN =1 [use an extended gcd algorithm]

§ 10.7 Square root 1974. x ← un ix + vNx i5. N ← Nn i6. x ← x mod N7. return xRemarks 10.53(i) Algorithm 10.52 can be generalized in a straightforward way to the polynomial ringK[X] where K is a field.(ii) Another variant due to Garner [GAR 1959] involves precomputations and is well suitedto solve different systems with fixed n i ’s; see for instance [MEOO + 1996]. This isespecially useful for residue number system arithmetic where computations modulo Nare in fact performed modulo several primes p i fitting in a word and such that ∏ i p i >N 2 .See[BLSE + 1999] for instance.Example 10.54 Let us solve the system⎧x ≡ 1 (mod 3)⎪⎨ x ≡ 2 (mod 5)x ≡ 4 (mod 7)x ≡ 5 (mod 11)⎪⎩x ≡ 9 (mod 13).The moduli 3, 5, 7, 11, and 13 prime and thus they are pairwise coprime. Here are the values ofrelevant parameters before we enter the for loop and at the end of it, Line 6.i n i x i N u v x x mod n i1 3 1 3 — — 1 12 5 2 15 −1 2 7 23 7 4 105 −2 1 67 44 11 5 1155 −19 2 907 55 13 9 15015 −533 6 8992 910.7 Square rootFirst let us describe a simple method to compute the integer square root of a positive number u,thatis v = ⌊ √ u⌋.10.7.1 Integer square rootNewton iteration is a powerful tool to find solutions of the equation f(x) =0. Under suitableconditions, the process x i+1 ← x i − f(x i )/f ′ (x i ) starting from an appropriate approximation,converges quadratically to a root of f. Using this method with f(x) =x 2 − u leads to the iterationx i+1 ← (x i + u/x i )/2 to compute √ u. Its discrete version is the basis of Algorithm 10.55.

198 Ch. 10 Integer ArithmeticAlgorithm 10.55 Integer square rootINPUT: A positive n-word integer u.OUTPUT: The positive integer v such that v = ⌊ √ u⌋.1. t ← 2 ⌈lg u/2⌉ [initial approximation]2. repeat3. v ← t4. t ←⌊(v + ⌊u/v⌋)/2⌋ [discrete Newton iteration]5. until t = v6. return vRemarks 10.56(i) If u fits in a word, it is more efficient to perform a binary search, that is guess the bits ofv one by one [BER 1998].(ii) Algorithm 10.55 needs O(lg lg u) iterations to terminate.(iii) Any integer t √ u can be chosen as an initial approximation, but t should be as closeas possible to ⌊ √ u⌋ for efficiency reasons. To ensure a fast convergence, one possibilityis to compute an approximation √ u, using for instance the most significant word of u.(iv) The working precision should be increased dynamically as the computation progresses.(v) If Lines 4 and 5 of Algorithm 10.55 are replaced by4. t ← (v + u/v)/25. until t − v εthen an approximation up to the precision ε of the real √ u is returned instead.Example 10.57 Take (393419390 735536755) 2 32 and let us find v = ⌊ √ u⌋ with Algorithm 10.55.Since u is a 61-bit integer, one takes 2 31 as an initial approximation. Then the successive valuesof t are 1467161214, 1309428509, 1299928331, 1299893617, 1299893616, and again 1299893616which is the expected result. If the initial value is set to t ← ⌈√ 393419390 ⌉ × 2 16 instead, onlytwo iterations are required to get the result.At present, let us examine a related problem.10.7.2 Perfect square detectionTo decide if an integer u is a perfect square or not, one possibility is to compute its integer squareroot v = ⌊ √ u⌋, with the algorithm above, and to compare v 2 to u. However,ifu is not a squaremodulo some integer, it is clear that u cannot be a perfect square. Now, if u is a square moduloseveral integers, for instance 64, 63, 65, and11, then it is very likely (in fact with a probabilitybigger than 99%) that u is a square [COH 2000]. Testing more moduli eliminates more integersu that are not a square. For instance, one can choose small odd moduli and pack them into ahighly composite integer N fitting in a word. Then one has to reduce u modulo N or, as suggestedby Harley [HAR 2002a], use Montgomery reduction, see Section 10.4.2, to derive an appropriateapproximation of the residue. Indeed, if l is the word size, Montgomery reduction REDC of umodulo N, whose cost is very cheap, returns an integer congruent to u/2 l mod N. Nowifu is an n-word integer then n−1 successive applications of REDC will give the single r = u/2 l(n−1) mod N.

§ 10.7 Square root 199From the Chinese remainder theorem, see Section 2.1.2, and the fact that l is even, it is easy to seethat u is a square modulo N if and only if r is a square modulo every prime power p k dividing N.As N has only small prime divisors, this can be tested very efficiently since it is sufficient to look atthe bit of order r mod p k of a precomputed mask m, reflecting the residues that are a square modulop k .Ifu passes all these tests, Algorithm 10.55 is used to ensure that u is really a square.Example 10.58 Take b =2 32 , u = (2937606071 1090932004 1316444929) 2 32 and set the valueof N to the single 3 2 × 5 2 × 7 × 11 × 17 × 19 × 23 × 29 = 3732515325. With the settings ofSection 10.4.2, put R =2 32 and precompute (−1/N )modR. After two successive Montgomeryreductions, one obtains r = 2783108164 = u/2 64 mod N. Now the squares modulo 9 being 0, 1, 4and 7, the value of the mask m is set to 147 = (10010011) 2 .Sincer mod 9 = 4, one looks at thebit of weight 4 of m which is 1.Thismeansthatu is a square modulo 9.This is also the case for all the other prime powers dividing N. For instance, the mask modulo 29is m = (10011110100010010001011110011) 2 and the bit of order r mod 29, thatis1, ofm is 1again. This shows that u has a very high probability (more than 99.54%) to be a square and indeedif one computes v = ⌊ √ u⌋ with Algorithm 10.55 one can check that v 2 = u.Note that a similar idea applies for cubes as well, and more generally for every power k. Bernstein[BER 1998] also developed a different method where a real approximation of v = u 1/k is firstcomputed before the consistency of the assumption u = v k is checked on the first few digits of uand v.

Chapter ½½Finite Field ArithmeticChristophe DocheContents in Brief11.1 Prime fields of odd characteristic 201Representations and reductions • Multiplication • Inversion and division •Exponentiation • Squares and square roots11.2 Finite fields of characteristic 2 213Representation • Multiplication • Squaring • Inversion and division •Exponentiation • Square roots and quadratic equations11.3 Optimal extension fields 229Introduction • Multiplication • Exponentiation • Inversion • Squares and squareroots • Specific improvements for degrees 3 and 5In this chapter, we are mainly interested in performance; see Section 2.3 for a theoretical presentationof finite fields. In the following, we consider three kinds of fields that are of great cryptographicimportance, namely prime fields, extension fields of characteristic 2, and optimal extension fields.We will describe efficient methods for performing elementary operations, such as addition, multiplication,inversion, exponentiation, and square roots. The material that we give is implicitly morerelated to a software approach; see Chapter 26 for a presentation focused on hardware. Efficientfinite field arithmetic is crucial in efficient elliptic or hyperelliptic curve cryptosystems and is thesubject of abundant literature [JUN 1993, LINI 1997, SHP 1999]. See also the preliminary versionof a book written by Shoup and available online [SHO], introducing basic concepts from computationalnumber theory and algebra, and including all the necessary mathematical background.There are some software packages implementing the algorithms described below, such as ZEN[ZEN], which is a set of optimized C libraries dedicated to finite fields. There are also more generallibraries like NTL [NTL] or Lidia [LIDIA]. In addition, several computer algebra systems containfunctions for handling finite fields, for example Magma [MAGMA].11.1 Prime fields of odd characteristicMost of the algorithms detailed here carry through as well to Z/N Z for arbitrary moduli N, usuallywith some obvious modifications. However, here we are mainly interested in prime moduli.Methods to find either an industrial-grade prime or a certified prime number p of the desired sizeare described in Chapter 25.201

202 Ch. 11 Finite Field Arithmetic11.1.1 Representations and reductionsFor representing finite prime fields we usually use the isomorphism between F p and Z/pZ. Elementsof Z/pZ are equivalence classes and we have to choose a representative, that is a particularelement in the class, to perform computations. The most standard choice is to represent x ∈ Z/pZby the unique integer in [0,p− 1], which is in the class of x. We can also use other representativessuch as the ones belonging to [−⌊p/2⌋, ⌊p/2⌋] or even an incompletely reduced number, whichisnot uniquely determined, for it belongs to an interval of length greater than p; see Remark 26.45 (ii)and [YAN 2001, YASA + 2002].Givenanintegeru of arbitrary size we must be able to reduce it, i.e., to find the integer in [0,p−1]which is congruent to u modulo p. Thismodular reduction is achieved by computing the remainderof a Euclidean division.However, since all the reductions are performed modulo the same prime number p, thereexistseveral improvements which, for instance, involve some precomputations. The most popular onesare certainly the Montgomery and the Barrett methods; see Section 10.4. In this case the cost ofa reduction of a 2n-word integer modulo an n-word integer is asymptotically equal to a size nmultiplication.To compute the remainder faster, other ideas include the choice of a special modulus allowinga fast reduction; see Algorithm 10.25 for the use of a different normalization than the one initiallysuggested by Knuth in Algorithm 10.30. Quisquater first proposed this method, which speeds up thedetermination of an approximation of the quotient; see Remark 10.33 and Example 10.34. However,this reduction method will increase the length of the modulus p by at least one digit, resulting inadditional multiplications when performing arithmetic in F p .In the remainder, we address prime field arithmetic itself. Whatever representation is chosen,prime field addition and subtraction algorithms are straightforward in terms of the correspondingmultiprecision algorithms for integers, cf. Algorithms 10.3 and 10.5. For example, with classicalrepresentation, if u, v are integers in [0,p− 1], thenu + v

§ 11.1 Prime fields of odd characteristic 203which can be written( (uv ≡ ... ( (u n−1 v mod p)b + u n−2 v mod p ) )b + ···+ u 1 v mod p)b + u 0 v(mod p).If we set t −1 =0and t i =(t i−1 b + u n−i−1 v)modp then t n−1 ≡ uv (mod p). We deduce thefollowing algorithm:Algorithm 11.1 Interleaved multiplication-reduction of multiprecision integersINPUT: Two n-word integers u =(u n−1 ...u 0) b and v.OUTPUT: An integer t such that t ≡ uv (mod p).1. t ← 02. for i =0 to n − 1 do3. t ← tb + u n−i−1v4. approximate q = ⌊t/p⌋ with ˆq [see methods below]5. t ← t − ˆqp6. return tThe approximation of q can be achieved by Knuth, Barrett, or Quisquater methods. Knuth’s approachhas already been explained, cf. Algorithm 10.30. The last two methods are described indetail by Dhem in [DHE 1998]. See also Section 10.4.1 and Remark 10.33. Barrett writes⌊ ⌊ t⌋2t 2q = =p⌋2nn−1 p2 n+1where n is the number of bits of p, then approximates q by⌊ ⌋⌊ ⌋⎥ t 2⎢2n ⎥⎥⎦2⎣n−1 p2 n+1⌊ ⌋2where we assume that2nphas been precomputed. Dhem introduced a more general variant,namely⌊ ⌋ ⎥ t⎢ R ⎥⎥⎦ ⌊ ⌋2ˆq = ⎣n+β 2n+α2 α−β with R = ·pThese additional parameters allow us to perform corrections on the remainder only at the end of thewhole multiplication process, when they are suitably tuned. Algorithm 11.1 works at a word leveland if b =2 l then optimal results are obtained with α = l +3and β = −2. In this case we haveq−1 ˆq q and the intermediate results grow moderately. More precisely, given u, v < 2 n+1 thent ≡ uv (mod p) returned by Algorithm 11.1 is less than 2 n+1 . To get the final result, at most onesubtraction is needed. This implies also that an exponentiation or any other long computation can bedone with only one correction at the end of the whole process with the same choice of parameters.Quisquater’s method [QUI 1990, QUI 1992] consists in multiplying p by a suitable coefficient δsuch that the reduction modulo δp is easy. Set⌊ ⌋⌊ ⌋2n+l+2tδ =and get ˆq =p2 n+l+2 ·

204 Ch. 11 Finite Field ArithmeticThe (l +2)highest bits of δp are now equal to 1 and the corresponding quotient is obviouslydetermined, since it is simply equal to the most significants bits of t. There is a fast way to computeδ, namely put⌊ ⌋2ˆδ 2l+6= ⌊ ,⌋p2 n−l−3which verifies δ ˆδ δ +1, and a simple test gives the correct value. It is also possible to reducethe size of δ; see[DHE 1998, p. 24]. This normalization avoids overflows in Algorithm 11.1 whilecomputing a multiplication or even a modular exponentiation.Now suppose that one has the result x mod δp while we still want x mod p. For this, we couldperform (x mod δp) modp but since an exact division is faster (see Section 10.5.3) it is better tocomputeδx mod δpx mod p = · (11.1)δNote that this method has been used in several smart cards; see for example [QUWA + 1991] or[FEMA + 1996].11.1.2.bMontgomery multiplicationMontgomery representation, see Section 10.4.2, was in fact introduced to carry out quick modularmultiplications. This property comes from the equality((xR mod p)(yR mod p)R −1 mod p ) =(xyR) modpwhich implies that REDC([x][y]) = [xy]. Recall that Montgomery reduction is also useful to convertelements between normal and Montgomery representations. Indeed, [x] =REDC(xR ′ ) where R ′ =R 2 mod p has been precomputed and stored, and REDC([x]) = x.Example 11.2 Take p = 2011, b =2 3 , R = 4096 so that R ′ = 1454. Letx =45, y =97.ThenOne checks that 45 × 97 ≡ 343 (mod 2011).[x] = REDC(45 × 1454) = 1319 = (2447) 8[y] = REDC(97 × 1454) = 1145 = (2171) 8[x][y] = 1510255[xy] = REDC(1510255) = 1250 = (2342) 8xy = REDC(1250) = 343.Of course, Montgomery method is completely irrelevant when only one product is needed. Instead,operands are converted to and kept in Montgomery representation as long as possible. For instance,if one wants [x 2 y], simply perform REDC([x][xy]).The following algorithm computes directly REDC(uv) given multiprecision integers u and v inMontgomery representation. It combines Algorithms 10.8 and 10.22.Algorithm 11.3 Multiplication in Montgomery representationINPUT: An n-word integer p =(p n−1 ...p 0) b prime to b, R = b n , p ′ = −p −1 mod b and twon-word integers u =(u n−1 ...u 0) b and v =(v n−1 ...v 0) b such that 0 u, v < p.OUTPUT: The n-word integer t =(t n−1 ...t 0) b equal to REDC(uv) =(uvR −1 )modp.1. t ← 02. for i =0 to n − 1 do3. m i ← `(t 0 + u iv 0)p ′´ mod b

§ 11.1 Prime fields of odd characteristic 2054. t ← (t + u iv + m ip)/b5. if t p then t ← t − p6. return tRemarks 11.4(i) If R is chosen such that R > 4p and if u and v are positive and less than 2p thenREDC(uv) is bounded by 2p as well. This means that it is possible to avoid the subtractionin Line 5 of Algorithm 11.1 during long computations as exponentiations. Atthe end of the whole process the result is normalized in Z/pZ at the cost of a singlesubtraction [LEN 2002].(ii) See [KOAC + 1996] for a comparison of different variations of Montgomery method.Example 11.5 Let us perform again the computation of Example 11.2 but at a word level withAlgorithm 11.3. Let u = [45] = 1319 = (2447) 8 and v = [97] = 1145 = (2171) 8 .Theni u i t 0 m i u i v m i p t+ u i v + m i p t— — — — — — — 00 7 0 3 (17517) 8 (13621) 8 (33340) 8 (3334) 81 4 4 0 (10744) 8 0 (14300) 8 (1430) 82 4 0 4 (10744) 8 (17554) 8 (32150) 8 (3215) 83 2 5 3 (4362) 8 (13621) 8 (23420) 8 (2342) 8One obtains REDC(uv) = (2342) 8 =[xy] = 1250 as previously.Concerning modular squaring, the computation of the square of an integer can be achieved faster(see Section 10.3.3); however the reduction takes the same time as in the case of a modular multiplication.Note that there are some dedicated methods like [HOOH + 1996], which are worth beingimplemented if modular exponentiation is to be computed, as squarings are a very frequent operation.11.1.3 Inversion and divisionTo get the inverse of some integer x, we can use the multiplicative structure of F ∗ p which implies thatx p−2 × x = x p−1 ≡ 1(modp). However, Collins [COL 1969] showed that the average number ofarithmetic operations required by this approach is nearly twice as large as for the Euclid extendedalgorithm, which computes integers u, v such that xu + pv =1. See Section 10.6 for an exhaustivepresentation of extended gcd algorithms.In the following section more specific methods are described, including Montgomery inversionand a useful trick to compute several inverses simultaneously.11.1.3.aModular inversionWe start with a simplified and improved version of Algorithm 10.6.3, to compute the inverse of xmodulo p, introduced by Brent and Kung [BRKU 1983] and known as the plus-minus method.

206 Ch. 11 Finite Field ArithmeticAlgorithm 11.6 Plus-minus inversion methodINPUT: An odd modulus p and an integer x 0 do3. while A ≡ 0 (mod 2) do4. A ← A/2, U ← (U/2) mod p and δ ← δ − 15. if δ

§ 11.1 Prime fields of odd characteristic 207Algorithm 11.9 Prime field inversionINPUT: A prime modulus p and an integer x prime to p.OUTPUT: The integer x −1 mod p.1. z ← x mod p and u ← 12. while z ≠1 do3. q ←−⌊p/z⌋4. z ← p + qz5. u ← (qu) modp6. return uRemarks 11.10(i) Algorithm 11.9 is very simple to implement and is reported to be faster than the extendedEuclidean algorithm for some types of primes, for example Mersenne primes. Indeed,in this case, the computation of q in Line 3 can be carried out very efficiently. Note thatthere exists also a dedicated algorithm to compute an inverse modulo a Mersenne prime[CRPO 2001, p. 428].(ii) In general, the number of iterations needed by Algorithm 11.9 is less than for extendedgcd algorithms.(iii) The modular division (k/x) modp can be directly obtained with Algorithms 11.6 and11.9. Namely, modify the first line of each algorithm and replace the statements U A ← 1and u ← 1 respectively by U A ← k and u ← k.Example 11.11 Again, take p =2 7 − 1 = 127 and x =45.Herearethevaluesofq, z,andu at theend of the while loop.q z u−2 37 125−3 16 6−7 15 85−8 7 82−18 1 48Again, we find that the inverse of 45 modulo 127 is 48. In this case only 5 iterations are neededinstead of 7 for Algorithm 11.6, cf. Example 11.8.11.1.3.bMontgomery inversion and divisionMontgomery’s article also deals with inversions and divisions [MON 1985]. Kaliski [KAL 1995]develops specific algorithms to compute them. Recall the settings of Section 10.4.2 and let u bean integer. Then the Montgomery inverse of u is defined as INV(u) =(u −1 R 2 )modp. So ifu =[x] =xR, we see that INV([x]) = (x −1 R)modp =[x −1 ]. Thus we haveREDC([x] INV[x]) = R mod p =[1].

208 Ch. 11 Finite Field ArithmeticAlgorithm 11.12 Montgomery inverse in Montgomery representationINPUT: Two n-word integers u and p such that u ∈ [1,p− 1]. The integer R =2 m = b n andthe precomputed value R ′ = R 2 mod p.OUTPUT: The n-word integer v equal to INV(u) =(u −1 R 2 )modp.1. r ← u, s ← 1, t ← p, v ← 0 and k ← 02. while r>0 do3. if t ≡ 0 (mod 2) then t ← t/2 and s ← 2s4. else if r ≡ 0 (mod 2) then r ← r/2 and v ← 2v5. else if t>r then t ← (t − r)/2, v ← v + s and s ← 2s6. else r ← (r − t)/2, s ← v + s and v ← 2v7. k ← k +18. if v p then v ← v − p9. v ← p − v10. if km then v ← REDC(v) and k ← k − m11. v ← REDC(v2 m−k )(iii) To divide [x] by [y] it suffices to do REDC([x] INV([y]))and get [xy −1 ].Example 11.14 With the settings of Example 10.24, let us compute the Montgomery inverse of[45] = 1319. Sincep = 2011 is a 4-word integer in base 8,wehavem =12.• After Line 9, Algorithm 11.12 has computed the almost Montgomery inverse of 1319,which is 1252, and found k =17.Thismeansthat1319 −1 × 2 17 mod 2011 = 1252.• Lines 10 and 11 compute REDC(1252R ′ ) = 142 and finally REDC(142 × 2 24−17 )=1387, which is the Montgomery inverse of 1319. We check that REDC(1319 × 1387) =74 ≡ R (mod p).• If we want the inverse of 1319 modulo 2011, we perform REDC(1252) = 1267 and setk ← 5. ThenREDC(1267 × 2 12−5 ) = 1485 ≡ 1319 −1 (mod 2011).The next section allows us to compute the inverse of several numbers modulo the same number p.

§ 11.1 Prime fields of odd characteristic 20911.1.3.cSimultaneous inversionOne needs apriorij extended gcd computations to find the inverses of the j elements a 1 ,...,a jmodulo p. Here we present a trick of Montgomery that allows us to do the same with only oneextended gcd and 3j − 3 multiplications modulo p. The basic idea is to get the inverse of ∏ i a i andto multiply it by suitable terms to recover a −1j ,...,a −11 [COH 2000].Algorithm 11.15 Simultaneous inversion modulo pINPUT: A positive integer p and j integers a 1,...,a j not zero modulo p.OUTPUT: The inverses b 1,...,b j of the a 1,...,a j modulo p.1. c 1 ← a 12. for i =2 to j do c i ← a ic i−13. compute (u, v, d) with uc j + vp = d [d is equal to 1]4. for i = j down to 2 do5. b i ← (uc i−1) modp and u ← (ua i)modp6. b 1 ← u7. return (b 1,...,b j)Remarks 11.16(i) Let N be a nonprime modulus. If one tries to apply Algorithm 11.15 to the nonzeroresidues a 1 ,...,a j modulo N, there are two possibilities. If a 1 ,...,a j are all coprimeto N then Algorithm 11.15 returns a −11 ,...,a−1 jmodulo N. If at least one integer isnot coprime to N then the gcd computed in Line 3 is different from 1. In this case, ifthe Lines 4 to 7 of Algorithm 11.15 are replaced by the following statements4. if d = N then5. i ← 16. repeat7. d ← gcd(a i,N) and i ← i +18. until d>19. return dthen a nontrivial factor of N is returned.(ii) This modified algorithm is especially useful for Lenstra’s elliptic curve method, cf. Section25.3.3, where one tries to find factors of N by computing scalar multiples on a curvemodulo N.11.1.4 ExponentiationThis part deals with specific exponentiation methods for finite fields F p . The general introductionto the subject can be found in Chapter 9.11.1.4.aOrdinary exponentiationTo compute x n ,forx ∈ F p , one could perform the exponentiation in Z and then reduce the result.Of course, this approach is completely inefficient even for rather small n. However, a systematic

210 Ch. 11 Finite Field Arithmeticreduction after each intermediate step, i.e., a squaring or a multiplication, seems inadequate aswell since a modular reduction is quite slow. So, a compromise must be found. One can alsouse Barrett or Quisquater multiplication algorithms without the remainder correction steps; seeSection 11.1.2.a. With appropriate settings, intermediate results are kept bounded such that theystill fit in the allocated space, and only at the end of the exponentiation one corrects the result sothat it belongs to [0,p− 1].11.1.4.bMontgomery exponentiationAll algorithms presented in Chapter 9 can be adapted to Montgomery representation. The changesare always the same and rather simple: as explained in Section 11.1.2.b, one converts to and fromMontgomery representation only for input/output, so any amount of operations can be done in between.These ideas are illustrated in the following adaptation of the classical square and multiplyalgorithm, cf. Section 9.1.1.Algorithm 11.17 Binary exponentiation using Montgomery representationINPUT: An element x of F p, a positive integer n =(n t−1 ...n 0) 2 such that n t−1integers R and R ′ = R 2 mod p.OUTPUT: The element x n ∈ F p.=1,the1. y ← R mod p and t ← REDC(xR ′ )2. for i = t − 1 down to 03. y ← REDC(y 2 )4. if n i =1 then y ← REDC(ty)5. return REDC(y)Remark 11.18 Conversion to Montgomery representation is done in Line 1. One has y = [1]and t =[x]. In the for loop at each step a Montgomery squaring and possibly a Montgomerymultiplication is performed. Finally we come back to the standard representation by a Montgomeryreduction. At the end, y =[x n ] so that REDC(y) =x n , as expected. Note that also here incompletereduction can be applied.11.1.5 Squares and square rootsGiven a nonzero integer a modulo p, the Legendre symbol ( ap)defined in Section 2.3.4 is equal to1 if and only a is a quadratic residue modulo p. From the reciprocity law (2.6) and Theorem 2.103,it is easy to derive an efficient way to compute it.Algorithm 11.19 Legendre symbolINPUT: An integer a and an odd prime number p.OUTPUT: The Legendre symbol ` ap´·1. k ← 12. while p ≠1 do3. if a =0 then return 04. v ← 05. while a ≡ 0 (mod 2) do v ← v +1 and a ← a/2

§ 11.1 Prime fields of odd characteristic 2116. if v ≡ 1 (mod 2) and p ≡ + − 3 (mod 8) then k ←−k7. if a ≡ 3 (mod 4) and p ≡ 3 (mod 4) then k ←−k8. r ← a, a ← p mod r and p ← r9. return kRemark 11.20 This algorithm is useful, for example, to determine the number of points lying onan elliptic or hyperelliptic curve defined over a finite field of small prime order, cf. Chapter 17.Example 11.21 Take the prime p = 163841, a = 109608 and let us compute ( ap)with Algorithm11.19. The next table displays the values of r, a, v and k after Line 8.r a v k13701 13130 3 16565 571 1 −1571 284 0 −171 3 2 13 2 0 −11 0 1 1These computations reflect the following sequence of equalities( ) ( )( )1096088 13701=163841163841 163841( ) 13130==13701( ) 571= −6565( ) 284= −571( ) 3=71( ) 2= −3= 1.So, 109608 is a quadratic residue modulo 163841.( 213701)( ) 656513701( )( )4 71= −571 571When it is known that a is a square, it is often required to determine x such that x 2 ≡ a (mod p).For instance, this occurs to actually find a point lying on an elliptic or hyperelliptic curve.Lemma 11.22 Given a quadratic residue a ∈ F p , there are explicit formulas when p ≢ 1(mod8)to determine x ∈ F p such that x 2 ≡ a (mod p). Namely,• x ≡ + − a (p+1)/4 (mod p) if p ≡ 3(mod4)• x ≡ + − a (p+3)/8 (mod p) if p ≡ 5(mod8)and a (p−1)/4 =1• x ≡ + − 2a(4a) (p−5)/8 (mod p) if p ≡ 5(mod8)and a (p−1)/4 = −1.When p ≡ 1(mod8)an algorithm of Tonelli and Shanks solves the problem. In fact, this algorithmis correct for all primes.

212 Ch. 11 Finite Field ArithmeticAlgorithm 11.23 Tonelli and Shanks square root computationINPUT: Aprimep and an integer a such that ` ap´=1.OUTPUT: An integer x such that x 2 ≡ a (mod p).1. write p − 1=2 e r with r odd [see the beginning of Section 10.5, p. 185]2. choose n at random such that ` np´= −13. z ← n r mod p, y ← z, s ← e and x ← a (r−1)/2 mod p4. b ← (ax 2 )modp and x ← (ax) modp5. while b ≢ 1 (mod p)6. m ← 17. while b 2m ≢ 1 (mod p) do m ← m +18. t ← y 2s−m−1 mod p, y ← t 2 mod p and s ← m9. x ← (tx) modp and b ← (yb) modp10. return xRemarks 11.24(i) Algorithm 11.23 works in the maximal 2-group of order 2 e of F ∗ p generated by someelement z. Ifm = s after Line 7, this implies that a is not a quadratic residue modulop. Otherwisea r is a square in this subgroup and there is an even k less than e such thata r z k ≡ 1(modp). The square root is then given by x ≡ a (r+1)/2 z k/2 (mod p). Avariant of Algorithm 11.23 finds k/2 by a bit by bit approach [KOB 1994].(ii) The number of loops performed within the while loop beginning in Line 5 is boundedby e since s is strictly decreasing at each loop.(iii) The expected running time of Algorithm 11.23 is O(e 2 lg 2 p).Example 11.25 Let us compute the square root of 109608 modulo p = 163841 with Algorithm11.23. First one sees that e =15and r =5. The quadratic nonresidue n found at random in Line 2is 6558. In the following, we state the values of the principal variables before the while loop inLine 4 and at the end of it Line 9. One can see also that ab − x 2 , y 2s−1 and b 2s−1 are invariantthroughout the execution of the algorithm.m z y x b t ab x 2 y 2s−1 b 2s−1— 12002 12002 13640 100808 — 90065 90065 −1 113 — 82347 78996 68270 31765 155849 155849 −1 112 — 140942 104389 56092 82347 162252 162252 −1 16 — 81165 18205 57313 52992 135523 135523 −1 15 — 38297 90687 101925 81165 132974 132974 −1 13 — 101925 97748 39338 119418 119748 119748 −1 12 — 39338 121372 163840 101925 54233 54233 −1 11 — 163840 41155 1 39338 109608 109608 −1 1One checks that 41155 2 ≡ 109608 (mod p).

§ 11.2 Finite fields of characteristic 2 213When the 2-adic valuation e of p − 1 is large, as in the previous example, it is better to use anotheralgorithm that works in the quadratic extension F p 2.Algorithm 11.26 Square root computationINPUT: Aprimep and an integer a ` ´ asuch that p =1.OUTPUT: An integer x such that x 2 ≡ a (mod p).1. choose b ` ´ bat random such that 2 −4ap = −12. f(X) ← X 2 − bX + a [f(X) is irreducible over F p]3. x ← X (p+1)/2 (mod f(X))4. return xRemarks 11.27(i) If θ is a root of f(X) then θ p is the other one and therefore θ p+1 = a. So x as definedin Line 3 satisfies x 2 ≡ a (mod f(X)). It remains to show that x is in fact an elementof F p . As a (p−1)/2 =1we have X (p2 −1)/2 ≡ 1 (mod f(X)) so that x p ≡ x(mod f(X)).(ii) The expected running time of Algorithm 11.26 is O(lg 3 p).Example 11.28 With the same initial values as in Example 11.25, Algorithm 11.26 first finds atrandom an irreducible polynomial over F p , in this case, for instance, f(X) =X 2 + 27249X +109608. Then it computes X (p+1)/2 , which is equivalent to 41155 modulo f(X).11.2 Finite fields of characteristic 2See Section 2.3.2 for an introduction to algebraic extension of fields. Arithmetic in extension fieldsof F q where q is some power of 2 relies on elementary computer operations like exclusive disjunctionand shifts. Note that in general q is simply equal to 2. This allows very efficient implementations,especially in hardware, and gives finite fields of characteristic 2 a great importance incryptography.11.2.1 RepresentationSee Section 2.3.3 for a presentation of the different finite field representation systems. In the followingwe shall focus on efficient implementation techniques used in cryptography. As F 2 d is avector space of dimension d over F 2 , an element can be viewed as a sequence of d coefficientsequal to 0 or 1. Therefore it is internally stored as a sequence of bits and the techniques introducedfor multiprecision integers apply with some slight modifications. Two kinds of basis arecommonly used. In polynomial representation, it is (1,X,...,X d−1 ), whereas with a normal basisit is (α, α 2 ,...,α 2d−1 ), cf. Section 2.3.3. Let us first describe polynomial representation.11.2.1.aIrreducible polynomial representationLet m(X) ∈ F q [X] be an irreducible polynomial of degree d and ( m(X) ) the principal idealgenerated by m(X). Then F q [X]/ ( m(X) ) is the finite field with q d elements. Formula (2.4)

214 Ch. 11 Finite Field Arithmeticproves that there exists an irreducible polynomial of degree d for each positive d but the proof isnot constructive. To find such a polynomial, we can consider a random polynomial and test itsirreducibility. Since (2.4) shows that the probability for a monic polynomial of degree d to beirreducible is close to 1/d, we should find one after d attempts on average. There is a variety ofpolynomial irreducibility tests. For example Rabin [RAB 1980] proved the following.Lemma 11.29 Let m(X) ∈ F q [X] of degree d and let p 1 ,...,p k be the prime divisors of d. Thenm(X) is irreducible over F q if and only if• gcd ( m(X),X qd/p i− X ) =1, for i =1,...,k• m(X) divides X qd − X.For a deterministic method to find an irreducible polynomial see [SHO 1994b].Once m(X) has been found, computations are done modulo this irreducible polynomial and reductionis a key operation. For this we need to divide two polynomials with coefficients in a field.Every irreducible polynomial of degree d can be used to build F q d; however, some special polynomialsoffer better performance, e.g., monic sparse polynomials are proposed in [SCOR + 1995].Usually, one uses trinomials or pentanomials since binomials and quadrinomials are always divisibleby X +1and so, except for X +1itself, are never irreducible in F q [X]. The existence forevery d of an irreducible degree d trinomial or pentanomial is still an open question, but this is thecase at least for all d 10000 [SER 1998].A trinomial X d + X k +1is reducible if both d and k are even as then X d + X k +1=(X d/2 +X k/2 +1) 2 . Eliminating this trivial case, Swan [SWA 1962] proves the following.Lemma 11.30 The trinomial X d +X k +1, where at least one of d and k is odd, has an even numberof factors if and only if one of the following holds• d is even, k is odd, d ≠2k and dk 2≡ 0 or 1(mod4)• d is odd, d ≡ + − 3(mod8), k is even and k does not divide 2d• d is odd, d ≡ + − 1(mod8), k is even and k divides 2d.It follows that irreducible trinomials do not exist when d ≡ 0(mod8)and are rather scarce ford ≡ 3 or 5(mod8). In Table 11.1, we give irreducible polynomials over F 2 of degree less than orequal to 500. More precisely, the coefficients d, k 1 in the table stand for the trinomial X d +X k1 +1.In case there is no trinomial of degree d, the sequence d, k 1 ,k 2 ,k 3 is given for the pentanomialX d + X k1 + X k2 + X k3 +1. For each d the coefficient k 1 is chosen to be minimal, then k 2 and soon.For these sparse polynomials there is a specific reduction algorithm [GANÖ 2005]. The nonrecursiveversion is given hereafter.Algorithm 11.31 Division by a sparse polynomialINPUT: Two polynomials m(X) and f(X) with coefficients in a commutative ring, where m(X)is the sparse polynomial X d + P ti=1 aiXb iwith b i

§ 11.2 Finite fields of characteristic 2 2156. u(X) ← u 1(X)X k−d + u(X)7. return (u, v)Remarks 11.32(i) If deg f = d ′ then Algorithm 11.31 needs at most 2t(d ′ − d +1)field additions tocompute u and v such that f = um + v. Ifd ′ 2d − 2, as is the case when performingarithmetic modulo m, then one needs 4(d − 1) additions for a reduction modulo atrinomial and 8(d − 1) additions modulo a pentanomial. The number of loops is at most⌈(d ′ − d +1)/(d − b t − 1)⌉. Again if d ′ 2d − 2, then the number of loops is at mostequal to 2 whatever the value of b t , as long as 1 b t d/2.(ii) To avoid computing the quotient u when it is not required, simply discard Line 6 ofAlgorithm 11.31.(iii) When the modulus is fixed, there is in general an even faster algorithm that exploits theform of the polynomial. This is the case for NIST irreducible polynomials [FIPS 186-2],cf. for example [HAME + 2003, pp. 55–56]Example 11.33 Take m(X) =X 11 + X 2 +1and f(X) =X 20 + X 16 + X 15 + X 12 + X 5 + X 3 +X +1, and let us find the quotient and remainder of the division of f by m with Algorithm 11.31.• First k =12, u 1 (X) =X 8 + X 4 + X 3 +1and w(X) =X 5 + X 3 + X +1.• The new value of v(X) is X 11 + X 9 + X 7 + X 6 + X 4 +1and u(X) =X 9 + X 5 +X 4 + X.• For the next and last loop, k =11, u 1 (X) =1and w(X) =X 9 + X 7 + X 6 + X 4 +1.Finally, v(X) =X 9 + X 7 + X 6 + X 4 + X 2 and u(X) =X 9 + X 5 + X 4 + X +1and one checksthat f(X) =u(X)m(X)+v(X).Instead of trying to minimize the number of nonzero coefficients of the modulus, another option isto do arithmetic modulo a sedimentary polynomial [COP 1984, ODL 1985], that is, a polynomial ofthe form X d + h(X) irreducible over F q such that the degree of h(X) is minimal. For q =2,ithasbeen shown that for all d 600 the degree of h is at most 11 [GOMC 1993]. Algorithm 11.31 canbe slightly modified to perform reduction modulo a sedimentary polynomial. Namely, replace thestatement k ← max{d, deg v − d + b t +1} by k ← max{d, deg v − deg h}.Tests performed in [GANÖ 2005] indicate that sedimentary polynomials are slightly less efficientthan trinomials or pentanomials.11.2.1.bRedundant polynomial representationFor some extensions of even degree there is a better choice, namely all one polynomials. Theyareof the formm(X) =X d + X d−1 + ···+ X +1.For d>1, such a polynomial is irreducible if and only if d +1is prime and 2 is a primitive elementof F d+1 . Now it is clear from the definition of m(X) that m(X)(X +1) = X d+1 +1. Thusan element of F 2 d can be represented on the basis (α, α 2 ,...,α d ) where α is a root of m(X). Inother words, an element of F 2 d is represented by a polynomial of degree at most d without constantcoefficient, 1 being replaced by X + X 2 + ···+ X d . Alternatively, if the representation does notneed to be unique, elements can directly be written on (1,X,X 2 ,...,X d ). In any case, reductions

216 Ch. 11 Finite Field ArithmeticTable 11.1 Irreducible trinomials and pentanomials over F 2 .2,1 3,1 4,1 5,2 6,1 7,1 8,4,3,1 9,1 10,311,2 12,3 13,4,3,1 14,5 15,1 16,5,3,1 17,3 18,3 19,5,2,1 20,321,2 22,1 23,5 24,4,3,1 25,3 26,4,3,1 27,5,2,1 28,1 29,2 30,131,3 32,7,3,2 33,10 34,7 35,2 36,9 37,6,4,1 38,6,5,1 39,4 40,5,4,341,3 42,7 43,6,4,3 44,5 45,4,3,1 46,1 47,5 48,5,3,2 49,9 50,4,3,251,6,3,1 52,3 53,6,2,1 54,9 55,7 56,7,4,2 57,4 58,19 59,7,4,2 60,161,5,2,1 62,29 63,1 64,4,3,1 65,18 66,3 67,5,2,1 68,9 69,6,5,2 70,5,3,171,6 72,10,9,3 73,25 74,35 75,6,3,1 76,21 77,6,5,2 78,6,5,3 79,9 80,9,4,281,4 82,8,3,1 83,7,4,2 84,5 85,8,2,1 86,21 87,13 88,7,6,2 89,38 90,2791,8,5,1 92,21 93,2 94,21 95,11 96,10,9,6 97,6 98,11 99,6,3,1 100,15101,7,6,1 102,29 103,9 104,4,3,1 105,4 106,15 107,9,7,4 108,17 109,5,4,2 110,33111,10 112,5,4,3 113,9 114,5,3,2 115,8,7,5 116,4,2,1 117,5,2,1 118,33 119,8 120,4,3,1121,18 122,6,2,1 123,2 124,19 125,7,6,5 126,21 127,1 128,7,2,1 129,5 130,3131,8,3,2 132,17 133,9,8,2 134,57 135,11 136,5,3,2 137,21 138,8,7,1 139,8,5,3 140,15141,10,4,1 142,21 143,5,3,2 144,7,4,2 145,52 146,71 147,14 148,27 149,10,9,7 150,53151,3 152,6,3,2 153,1 154,15 155,62 156,9 157,6,5,2 158,8,6,5 159,31 160,5,3,2161,18 162,27 163,7,6,3 164,10,8,7 165,9,8,3 166,37 167,6 168,15,3,2 169,34 170,11171,6,5,2 172,1 173,8,5,2 174,13 175,6 176,11,3,2 177,8 178,31 179,4,2,1 180,3181,7,6,1 182,81 183,56 184,9,8,7 185,24 186,11 187,7,6,5 188,6,5,2 189,6,5,2 190,8,7,6191,9 192,7,2,1 193,15 194,87 195,8,3,2 196,3 197,9,4,2 198,9 199,34 200,5,3,2201,14 202,55 203,8,7,1 204,27 205,9,5,2 206,10,9,5 207,43 208,9,3,1 209,6 210,7211,11,10,8 212,105 213,6,5,2 214,73 215,23 216,7,3,1 217,45 218,11 219,8,4,1 220,7221,8,6,2 222,5,4,2 223,33 224,9,8,3 225,32 226,10,7,3 227,10,9,4 228,113 229,10,4,1 230,8,7,6231,26 232,9,4,2 233,74 234,31 235,9,6,1 236,5 237,7,4,1 238,73 239,36 240,8,5,3241,70 242,95 243,8,5,1 244,111 245,6,4,1 246,11,2,1 247,82 248,15,14,10 249,35 250,103251,7,4,2 252,15 253,46 254,7,2,1 255,52 256,10,5,2 257,12 258,71 259,10,6,2 260,15261,7,6,4 262,9,8,4 263,93 264,9,6,2 265,42 266,47 267,8,6,3 268,25 269,7,6,1 270,53271,58 272,9,3,2 273,23 274,67 275,11,10,9 276,63 277,12,6,3 278,5 279,5 280,9,5,2281,93 282,35 283,12,7,5 284,53 285,10,7,5 286,69 287,71 288,11,10,1 289,21 290,5,3,2291,12,11,5 292,37 293,11,6,1 294,33 295,48 296,7,3,2 297,5 298,11,8,4 299,11,6,4 300,5301,9,5,2 302,41 303,1 304,11,2,1 305,102 306,7,3,1 307,8,4,2 308,15 309,10,6,4 310,93311,7,5,3 312,9,7,4 313,79 314,15 315,10,9,1 316,63 317,7,4,2 318,45 319,36 320,4,3,1321,31 322,67 323,10,3,1 324,51 325,10,5,2 326,10,3,1 327,34 328,8,3,1 329,50 330,99331,10,6,2 332,89 333,2 334,5,2,1 335,10,7,2 336,7,4,1 337,55 338,4,3,1 339,16,10,7 340,45341,10,8,6 342,125 343,75 344,7,2,1 345,22 346,63 347,11,10,3 348,103 349,6,5,2 350,53351,34 352,13,11,6 353,69 354,99 355,6,5,1 356,10,9,7 357,11,10,2 358,57 359,68 360,5,3,2361,7,4,1 362,63 363,8,5,3 364,9 365,9,6,5 366,29 367,21 368,7,3,2 369,91 370,139371,8,3,2 372,111 373,8,7,2 374,8,6,5 375,16 376,8,7,5 377,41 378,43 379,10,8,5 380,47381,5,2,1 382,81 383,90 384,12,3,2 385,6 386,83 387,8,7,1 388,159 389,10,9,5 390,9391,28 392,13,10,6 393,7 394,135 395,11,6,5 396,25 397,12,7,6 398,7,6,2 399,26 400,5,3,2401,152 402,171 403,9,8,5 404,65 405,13,8,2 406,141 407,71 408,5,3,2 409,87 410,10,4,3411,12,10,3 412,147 413,10,7,6 414,13 415,102 416,9,5,2 417,107 418,199 419,15,5,4 420,7421,5,4,2 422,149 423,25 424,9,7,2 425,12 426,63 427,11,6,5 428,105 429,10,8,7 430,14,6,1431,120 432,13,4,3 433,33 434,12,11,5 435,12,9,5 436,165 437,6,2,1 438,65 439,49 440,4,3,1441,7 442,7,5,2 443,10,6,1 444,81 445,7,6,4 446,105 447,73 448,11,6,4 449,134 450,47451,16,10,1 452,6,5,4 453,15,6,4 454,8,6,1 455,38 456,18,9,6 457,16 458,203 459,12,5,2 460,19461,7,6,1 462,73 463,93 464,19,18,13 465,31 466,14,11,6 467,11,6,1 468,27 469,9,5,2 470,9471,1 472,11,3,2 473,200 474,191 475,9,8,4 476,9 477,16,15,7 478,121 479,104 480,15,9,6481,138 482,9,6,5 483,9,6,4 484,105 485,17,16,6 486,81 487,94 488,4,3,1 489,83 490,219491,11,6,3 492,7 493,10,5,3 494,17 495,76 496,16,5,2 497,78 498,155 499,11,6,5 500,27

§ 11.2 Finite fields of characteristic 2 217are made modulo X d+1 +1and a squaring is simply a permutation of the coordinates. This idea,first proposed in [ITTS 1989] and rediscovered in [SIL 1999], is known as the anomalous basis orthe ghost bit basis technique.When d>1 is odd, one can always embed F 2 d into some cyclotomic ring F 2 [X]/(X n +1)butonly for some n 2d +1. So the benefits obtained from a cheap reduction are partially offset bya more expensive multiplication [WUHA + 2002]. For elliptic and hyperelliptic curve cryptographyonly extensions of prime degree are relevant, cf. Chapter 22, so the best we can hope for with thisidea is n =2d +1.Adopting the idea of using sparse reducible polynomials with an appropriate irreducible factor,one can use reducible trinomials in case only an irreducible pentanomial exists for some degree d.First, we have to find a trinomial T (X) =X n + X k +1with n slightly bigger than d and suchthat T (X) admits an irreducible factor m(X) of degree d. Such a trinomial is called a redundanttrinomial and the idea is then to embed F 2 d ∼ F 2 [X]/ ( m(X) ) into F 2 d ∼ F 2 [X]/ ( T (X) ) .Intherange [2, 10000], there is no irreducible trinomial in about 50% of the cases (precisely 4853 out of9999 [SER 1998]) but an exhaustive search has shown that there are redundant trinomials for all thecorresponding degrees, see [DOCHE] for a table. In general n − d is small and in more than 85%of the cases the number of 32-bit words required to represent an element of F 2 d are the same with aredundant trinomial of degree n and with an irreducible pentanomial of degree d. This implies alsothat the multiplication has the same cost with both representations, since this operation is usuallyperformed at a word level, cf. Section 11.2.2.a.From a practical point of view an element of F 2 d is represented by a polynomial of degree lessthan n and the computations are done modulo T (X). At the end of the whole computation, one canreduce modulo m(X) and this can be done with only T (X) and δ(X) =T (X)/m(X), sinceforany polynomial f(X) one hasf(X) mod m(X) =f(X)δ(X) mod T (X),δ(X)as in (11.1). Redundant trinomials can speed up an exponentiation by a factor up to 30%, whencompared to irreducible pentanomials, cf. [DOC 2005].Note that this concept is in fact similar to almost irreducible trinomials introduced by Brent andZimmermann in the context of random number generators in [BRZI 2003]. Similar ideas were alsoexplored by Blake et al. [BLGA + 1994a, BLGA + 1996], and Tromp et al. [TRZH + 1997].11.2.1.cNormal and optimal normal basesAnother popular way to represent an element of F q d over F q is to use a normal basis. This isespecially true when q =2, since in this case the squaring of an element is just a cyclic shift of itscoordinates. However, multiplications are more complicated. As a result only special normal bases,called optimal normal bases, ONB for short, are used in practice; see Section 11.2.2.b.Gauß periods of type (n, 1) and (n, 2), generate optimal normal bases (cf. Section 2.3.3.b and[MUON + 1989]), and it has been proved that all the optimal normal bases can be produced by thisconstruction [GALE 1992].For q =2, this occurs1. when d +1is prime and 2 is a primitive element of F d+1 . Then the nontrivial (d +1)-throots of unity form an optimal normal basis of F 2 d, called a Type I ONB.2. when 2d +1is prime and either• 2 is primitive in F 2d+1 or• 2 generates the quadratic residues in F 2d+1 ,thatis2d +1≡ 3(mod4)and theorder of 2 in F 2d+1 is d.

218 Ch. 11 Finite Field ArithmeticThen there is a primitive (2d+1)-th root of unity ζ in F 2 d and ζ+ζ −1 is a normal elementgenerating a Type II ONB. Such a basis can be written (ζ +ζ −1 ,ζ 2 +ζ −2 ,...,ζ d +ζ −d )asshownin[BLRO + 1998].Note that Type I ONB and anomalous bases are equal up to suitable permutations. So it is possibleto enjoy a cheap multiplication and a cheap squaring at the same time. However, as said previously,there is no Type I ONB for an extension of prime degree. The situation is slightly better for TypeII ONB. Indeed, in the range [50, 500] there are 80 extension degrees that are prime and amongthem only 18 have a Type II ONB, namely 53, 83, 89, 113, 131, 173, 179, 191, 233, 239, 251, 281,293, 359, 419, 431, 443, and491. As a consequence, the use of optimal normal bases for cryptographicpurposes is quite constrained in practice.In the remainder of this section one details the arithmetic itself. First it is clear that addition andsubtraction are the same operations in a field of characteristic two. Using polynomial representationor a normal basis one sees that an addition in F q d can be carried out with at most d additions inF q . Ultimately, an addition in F q d reduces to a bitwise-XOR hardware operation, which can beperformed at a word level. Multiplications are also processed using a word-by-word approach.11.2.2 MultiplicationAgain this part mainly deals with software oriented solutions. For a discussion focused on hardware,see Chapter 26.Montgomery representation for prime fields (see Section 10.4.2) can be easily generalized toextension fields of characteristic 2; see for instance [KOAC 1998]. We shall not investigate thisoption further but limit ourselves to multiplications using a polynomial basis and a normal basis.11.2.2.aPolynomial basisThe internal representation of a polynomial is similar to multiprecision integers. Indeed, let l be theword size used by the processor. Then a polynomial u(X) of degree less than d will be representedas the r-word vector (u r−1 ...u 0 ) and the j-th bit of the word u i , that is the coefficient of u(X)of degree il + j, will be denoted by u i [j]. Many operations on polynomials are strongly relatedto integer multiprecision arithmetic. For example, polynomials can be multiplied with a slightlymodified version of Algorithm 10.8. However in general, we do not have the equivalent of singleprecision operations. For example, on computers there is usually no hardware multiplication ofpolynomials in F 2 [X] of bounded degree, even if this operation is simpler than integer multiplication,since there is no carry to handle. Nevertheless, it is possible to perform computations at a wordlevel doing XOR and shifts. Indeed, if v(X)X j has been already computed then it is easy to deducev(X)X il+j . This is the principle of Algorithm 11.34 introduced in [LÓDA 2000a].Algorithm 11.34 Multiplication of polynomials in F 2 [X]INPUT: The polynomials u(X),v(X) ∈ F 2[X] of degree at most d − 1 represented as words ofsize l bits.OUTPUT: The product w(X) =u(X)v(X) of degree at most 2d − 2.1. w(X) ← 0 and r ←⌈deg u/l⌉2. for j =0 to l − 1 do3. for i =0 to r − 14. if u i[j] =1 then w(X) ← w(X)+v(X)X il

§ 11.2 Finite fields of characteristic 2 2195. if j ≠ l − 1 then v(X) ← v(X)X6. return wRemark 11.35 Algorithm 11.34 proceeds the bits of the word u i from the right to the left. A leftto-rightversion exists as well, but it is reported to be a bit less efficient [HAME + 2003].Example 11.36 Let u(X) =X 5 +X 4 +X 2 +X, v(X) =X 10 +X 9 +X 7 +X 6 +X 5 +X 4 +X 3 +1and l =4.Sou = (0011 0110), v = (0110 1111 1001) and r =2. Herearethevaluesofv(X)and w(X) at the end of Line 5 when Algorithm 11.34 executes.j 0 1 2 3v (1101 1111 0010) (0001 1011 1110 0100) (0011 0111 1100 1000) (0110 1111 1001 0000)w (0110 1111 1001 0000) (1011 1101 0100 0010) (1010 0110 1010 0110) (1010 0110 1010 0110)Finally w(X) =X 15 + X 13 + X 10 + X 9 + X 7 + X 5 + X 2 + X.Just as for exponentiation algorithms, precomputations and windowing techniques can be very helpful.The next algorithm scans k bits at a time from left to right and accesses intermediate products bytable lookup. Usually a good compromise between the speedup and the number of precomputationsis to take k =4.Algorithm 11.37 Multiplication of polynomials in F 2 [X] using window techniqueINPUT: The polynomials u(X),v(X) ∈ F 2[X] of degree at most d − 1 represented as words ofsize l bits. The precomputed products t(X)v(X) for all t(X) of degree less than k.OUTPUT: The product w(X) =u(X)v(X) of degree at most 2d − 2.1. w(X) ← 0 and r ←⌈deg u/l⌉2. for j = l/k − 1 down to 0 do3. for i =0 to r − 14. t(X) ← t k−1 X k−1 + ···+ t 0 where t m = u i[jk + m]5. w(X) ← w(X)+t(X)v(X)X il [t(X)v(X) is precomputed]6. if j ≠0 then w(X) ← w(X)X k7. return wRemark 11.38 As for prime fields, cf. Algorithm 11.1, it is possible to modify Algorithm 11.37 andinterleave polynomial reductions with elementary multiplications in order to get the result in F 2 ddirectly at the end.Example 11.39 To illustrate the way Algorithm 11.37 works, let us take k =2, u = (0011 0110),v = (0110 1111 1001) and l =4as for Example 11.36. The successive values of t come from thebits of u in the following way (0011 0110), (0011 0110), (0011 0110), and(0011 0110).

220 Ch. 11 Finite Field Arithmeticj 1 1 0 0i 0 1 0 1t (01) (00) (10) (11)w (0110 1111 1001) (0110 1111 1001) (0001 0110 0001 0110) (1010 0110 1010 0110)The result is of course the same, i.e., w(X) =X 15 + X 13 + X 10 + X 9 + X 7 + X 5 + X 2 + X.Another idea is to emulate single precision multiplications by storing all the elementary products.However, for 32-bit words the number of precomputed values is far too big. That is why an intermediateapproach involving Karatsuba method is often considered instead. In this case, the productof two single precision polynomials of degree less than 32 is computed with 9 multiplications of8-bit blocks, each elementary product being obtained by table lookup [GAGE 1996].Karatsuba method can also be applied to perform the whole product directly. In [GANÖ 2005]the crossover degree between àlaschoolbook and Karatsuba multiplications is reported to be equalto 576. Other more sophisticated techniques like the FFT or Cantor multiplication based on evaluation/interpolationare useful only for even larger degrees. For example, the crossover betweenKaratsuba and Cantor multiplication is for degree 35840 [GANÖ 2005].11.2.2.bOptimal normal basesUnlike additions, multiplications are rather involved with normal bases. The standard way to multiplytwo elements in F q d within a normal basis is to introduce the so-called multiplication matrixT N whose entries t i,h satisfyd−1∑d−1∑α qi × α = t i,h α qh so that α qi × α qj = t i−j,h−j α qh .h=0So if u =(u 0 ,...,u d−1 ) and v =(v 0 ,...,v d−1 ) then the general term w h of w = uv isw h =∑u i v j t i−j,h−j .0i,j

§ 11.2 Finite fields of characteristic 2 221From this and in order to obtain T N , one introduces the matrix⎡⎤0 0 0 1 0 1 1 0 0 0 1 1 0 01 0 0 1 1 1 0 0 0 0 1 0 1 10 1 0 0 0 1 0 1 0 0 1 1 1 0M =0 0 0 0 1 0 1 0 1 0 0 0 1 0⎢ 0 0 1 0 1 1 1 0 0 0 0 1 0 1⎥⎣ 0 0 0 0 1 1 0 0 0 1 0 1 1 1 ⎦0 0 0 1 1 0 0 0 0 0 1 0 1 0where the first and last seven columns give respectively the expression of α qi and of α qi × α onthe basis 1,X,...,X 6 . To get the identity matrix in the left part of M one performs a Gaussianelimination, which gives at the same time the transposed matrix of T N in the right part of M. Hence⎡⎤0 1 0 0 0 0 01 1 0 1 1 1 00 0 0 1 1 0 1T N =0 1 0 1 0 0 0.⎢ 1 0 0 0 0 1 0⎥⎣ 0 1 1 0 1 0 0 ⎦1 0 1 1 1 0 1From this matrix, one deduces for instance that α 2 × α = α + α 2 + α 23 + α 24 + α 25 .The number of nonzero coefficients of the matrix T N is denoted by δ N and called the density ofT N . It is a crucial parameter for the speed of the system since the multiplication of two elements inF q d can be computed with at most 2dδ N multiplications and d(δ N − 1) additions in F q .Onaveragethe density is about (q − 1)d 2 /q [BEGE + 1991] but in fact δ N 2d − 1 [MUON + 1989] and thisbound is sharp. By definition, an optimal normal basis, cf. Section 11.2.1.c, has such a minimaldensity.Concerning F 2 d, recall that a multiplication in a Type I ONB can be in fact performed in thecorresponding anomalous basis. There is a simple way to transform an element into a polynomialand computations are made modulo X d+1 − 1. For Type II ONB, there is a similar idea calledpalindromic representation [BLRO + 1998]. The situation is not as favorable as for Type I ONBsince in this case computations must be made modulo X 2d+1 − 1. Optimal normal bases of Type Iand II appear as special cases of Gauß periods, cf. Section 2.3.3.b.11.2.3 SquaringSquaring is a trivial operation for extensions of F 2 in normal basis representation and it is verysimple in polynomial representation. The absolute Frobenius X ↦→ X 2 being a linear map, one seesthat if u(X) = ∑ u i X i then u 2 (X) = ∑ u i X 2i . Thus, this operation is nothing but inserting 0bits in the internal representation of u and reducing the result modulo m(X). Precomputing a tableof 256 values containing the squares of each byte allows us to speed up the 0-bit insertion process.However, the reduction remains the most time-consuming part of the whole process.To speed up this process a bit, it is possible to split the square ∑ u i X 2i into an even and anodd part so that the number of required bitwise-XOR operations to actually perform the reduction ishalved. See [KIN 2001] for details.

222 Ch. 11 Finite Field Arithmetic11.2.4 Inversion and divisionThere are mainly two ways to compute the inverse of an element α ∈ F q d. The first methodis to perform an extended gcd computation of the polynomial representing α and the irreduciblepolynomial defining F q d. Alternatively, one can exploit the multiplicative structure of the groupF ∗ q d with Lagrange’s theorem. This is especially useful for normal bases.11.2.4.aEuclid extended gcdGiven two nonzero polynomials f and m in F q [X], there are unique polynomials u, v, andg suchthat fu + mv = g where g =gcd(f,m), deg u

§ 11.2 Finite fields of characteristic 2 22311.2.4.bBinary inversionFor extensions of F 2 , there is also a dedicated algorithm inspired by the binary integer version[BRCU + 1993].Algorithm 11.44 Inverse of an element of F ∗ 2 d in polynomial representationINPUT: An irreducible polynomial m(X) ∈ F 2[X] of degree d and a nonzero polynomial f(X) ∈F 2[X] such that deg f

224 Ch. 11 Finite Field ArithmeticExample 11.46 With the values of Example 11.43, the successive steps of Algorithm 11.44 arei u v s δ1 (0010) (0000) (1000 0000 0101) 12 (0100) (0000) (1000 0000 0101) 23 (1000) (0000) (1000 0000 0101) 34 (0100) (1000) (1110 011 1010) 25 (0010) (1000) (1110 0111 0100) 16 (0001) (1010) (1011 1101 1000) 07 (0001 0110) (0001) (1011 1001 1000) 18 (0010 1100) (0001) (1011 1001 1000) 29 (0101 1000) (0001) (1011 1001 1000) 310 (1011 0000) (0001) (1011 1001 1000) 411 (0001 0110 0000) (0001) (1011 1001 1000) 512 (1011 0000) (0001 0110 0001) (0111 0011 0000) 413 (0101 1000) (0001 0110 0001) (1110 0110 0000) 314 (0010 1100) (0001 0011 1001) (1100 1100 0000) 215 (0001 0110) (0001 0001 0101) (1001 1000 0000) 116 (1011) (0001 0000 0011) (0011 0000 0000) 017 (0010 0000 0110) (1011) (1000 0000 0000) 118 (0100 0000 1100) (1011) (1000 0000 0000) 219 (0010 0000 0110) (0100 0000 0111) (1000 0000 0000) 120 (0001 0000 0011) (0110 0000 0001) (1000 0000 0000) 021 (0110 0000 0001) (0001 0000 0011) (1100 0000 0000) 122 (0111 0000 0010) (0111 0000 0010) (1000 0000 0000) 0and the final result is the same, that is, the inverse of f(X) is X 10 + X 9 + X 8 + X.11.2.4.cInversion based on Lagrange’s theoremIt is also possible to use the group structure of F ∗ q d to get the inverse of an element α. This methodhas the same asymptotic complexity as the extended Euclidean one but is reported to be a little faster[NÖC 1996] when a squaring is for free. We know that |F ∗ q d | = q d − 1 with q some power of 2,sayq =2 k .Soα qd −2 =1/α. Nowq d − 2=(q d−1 − 1)q + q − 2,and we can take advantage of the special expression of q d−1 −1 in base q and of the Frobenius, whichmakes the computation of q-th powers easier. For better performance, addition chains, presented inSection 9.2.3, are used as well.Algorithm 11.47 Inverse of an element of F ∗q dusing Lagrange’s theoremINPUT: An element α ∈ F ∗ q d , two addition chains, namely (a 0,a 1,...,a s1 ) for q − 2 and(b 0,b 1,...,b s2 ) for d − 1.OUTPUT: The inverse of α i.e., α qd −2 =1/α.1. y ← α q−2 [using (a 0,a 1,...,a s1 ) and Algorithm 9.41]

§ 11.2 Finite fields of characteristic 2 2252. T [0] ← α × y and i ← 13. while i s do4. t ← T [k] qj where b i = b k + b j5. T [i] ← t × T [j]6. i ← i +1hiT [i] =α qb i −1 for all i7. t ← T [s 2] [b s2 = d − 1]8. return yt qRemarks 11.48(i) Note that exchanging b k and b j , in Line 4, does not alter the correctness of the algorithm.In fact it is better to force b k to be the maximum of b k and b j so that the exponentiationT [b k ] qb jis simpler.(ii) One can obtain the inverse of α ∈ F q d with s 1 + s 2 +2multiplications in F q d and(1 + ∑ i b j) q-th power computations where b j is the integer in b i = b k + b j .Thislastnumber is equal to d − 1 when (b 0 ,b 1 ,...,b s2 ) is a star addition chain, cf. Section 9.2.1.(iii) One of the three methods proposed by Itoh and Tsujii [ITTS 1988] is a special case ofAlgorithm 11.47 when q =2and the addition chain computing d − 1 is derived fromthe square and multiply method.(iv) When q is bigger than 2, another option suggested by Itoh and Tsujii is to write α −1 asα −r × α r−1 where r =(q d − 1)/(q − 1) = q d−1 + ···+ q +1.Asα r ∈ F q , it can beeasily inverted. It is the standard way to compute an inverse in an OEF, cf. Section 11.3.Example 11.49 Suppose that one wants the inverse of α ∈ F 2 19,thatisα 219 −2 . Obviously, one has2 19 − 2=2(2 18 − 1) and an addition chain for 18 is (1, 2, 3, 6, 12, 18).i b i = b k + b j T [k]j× qb T [j] T [i]0 1 — α1 2=1+1 T [0] 21 × T [0] α 2 × α = α 32 3=2+1 T [1] 21 × T [0] α 6 × α = α 73 6=3+3 T [2] 23 × T [2] α 7×8 × α 7 = α 634 12 = 6 + 6 T [3] 26 × T [3] α 63×64 × α 64 = α 40955 18 = 12 + 6 T [4] 26 × T [3] α 4095×64 × α 63 = α 218 −1Finally T [5] 2 = α −1 .11.2.5 ExponentiationIn polynomial representation, a simple trick can greatly speed up exponentiation. Namely, let f(X),m(X) be polynomials in F q [X] and g(X) =X qr . Because of the Frobenius action, it is obviousthat f qr ≡ f(g) (modm). At this point one uses a fast algorithm for modular composition designedby Brent and Kung [BRKU 1978].

226 Ch. 11 Finite Field ArithmeticThe idea, àlababy-step giant-step, is to writef(X) = ∑X ki F i (X) with k = ⌈deg f⌉ and F i (X) =0i

§ 11.2 Finite fields of characteristic 2 227Algorithm 11.53 Shoup exponentiation algorithmINPUT: The polynomials f,m ∈ F q[X] with deg m = d and deg f

228 Ch. 11 Finite Field Arithmetic11.2.6 Square roots and quadratic equationsEvery element α ∈ F 2 d is a square. The square root of α can be easily obtained thanks to themultiplicative structure of F ∗ 2, which implies that √ α = α 2d−1 . In a normal basis the computationdof a square root is therefore immediate. If α is represented by f(X) = ∑ d−1i=0 f iX i on a polynomialbasis, it is better to write√ ∑f(X) = f i X i/2 + √ X ∑ f i X i−12i even i oddwhere √ X has been precomputed modulo m(X). Whenm(X) is the irreducible trinomial X d +X k +1with d odd, note that √ X can be obtained directly. Indeed√X ≡ Xd+12 + X k+12 (mod m(X))if k is odd and √ X ≡ X − d−12 (X k 2 +1) (modm(X)) otherwise. This technique applies to redundanttrinomials as well; see Section 11.2.1.b.Solving quadratic equations in F 2 d is not as straightforward as computing square roots. Indeed,let us solve the equation T 2 + aT + b =0in F 2 d where, by the above, a is assumed to be nonzero.The change of variable T ← T/a yields the simpler equationT 2 + T = c with c = b/a 2 . (11.2)Lemma 11.56 Equation (11.2) has a solution in F 2 d if and only if Tr(c) =0.Ifx is a solution thenx +1is the other one.When d is odd, such a solution is given byx =(d−3)/2∑i=0c 22i+1 . (11.3)When d is even, setx =d−1∑i=0( i∑j=0c 2j )y 2i (11.4)where y ∈ F 2 d is any element of trace 1.Proof. Let x be a solution of (11.2). Then Tr(c) =Tr(x 2 +x) =Tr(x)+Tr(x) =0. The oppositedirection is proved by showing that the proposed solutions actually work. Computing x 2 + x, onehas in the first casex 2 + x = c +Tr(c) =c,and in the second onex 2 + x = y Tr(c)+c Tr(y) =c.Thus x is always a solution of (11.2) as claimed.In practice, several improvements can be considered. First, to check for the existence of a solutionand then to actually compute such a solution.

§ 11.3 Optimal extension fields 229Remarks 11.57(i) There is a unique vector w in F 2 d that is orthogonal to all the elements of trace 0. Ifwis precomputed, it is enough to compute the scalar product w · c in order to deduce thetrace of c [KNU 1999].(ii) When the field F 2 d is defined by an irreducible polynomial of the formX d + a d−1 X d−1 + ···+ a 1 X + a 0 with a j =0 for all j>d/2 (11.5)the trace of an element can also be obtained very efficiently.Let θ be a root of this polynomial. Then using the Newton–Girard formula giving thesum of the conjugates of θ k in terms of the a i ’s and the linearity of the trace map it isimmediate thatd−1∑d−1∑if c = c k θ k then Tr(c) =c 0 + kc k a d−k .k=0As we have seen, moderately large extension fields of characteristic 2 can always bedefined by trinomials or pentanomials of the form (11.5), so that the computation of thetrace is always simple in practice.Example 11.58 In F 2 233 defined by X 233 + X 74 +1we havek=1Tr ( c 232 θ 232 + c 231 θ 231 + ···+ c 1 θ + c 0)= c0 + c 159 .Remark 11.59 Rather than computing a solution using (11.3) or (11.4), it can be faster to use thelinearity of the map λ ↦→ λ 2 + λ defined from F 2 d to F 2 d. Indeed, precomputing the inverse matrixof this operator gives the result in a straightforward way. Additional tricks can be used to reduce thestorage and the amount of computations [KNU 1999].11.3 Optimal extension fieldsOn the one hand, multiplications in extension fields of characteristic 2 are usually performed lessefficiently than in prime fields, due to the lack of a single precision polynomial multiplication onmost processors. On the other hand, inversion in prime fields can be a very expensive operation,especially in hardware. To overcome these two difficulties, optimal extension fields have beenrecently investigated [MIH 1997, BAPA 1998]. They seem to be particularly interesting for smartcards [WOBA + 2000].First, we shall briefly introduce optimal extension fields, and give existence criterions and someexamples before addressing the arithmetic itself. We conclude with the special cases of extensionsof degree 3 and 5.11.3.1 IntroductionLet us take an extension field F p d such that• the characteristic p fits in a machine word and allows a fast reduction in F p• the irreducible polynomial defining F p d allows a fast polynomial reduction.This choice leads to the following concept.

230 Ch. 11 Finite Field ArithmeticDefinition 11.60 An optimal extension field, OEF for short, is an extension field F p d where• p is a pseudo-Mersenne prime,thatisp =2 n + c with |c| 2 ⌊n/2⌋• there is an irreducible binomial m(X) =X d − ω over F p .If c = + − 1 then the field is said to be of Type I and it is of Type II when ω =2.Remark 11.61 Generalizing Definition 11.60, cf. [AVMI 2004], it is possible to consider a prime pof another form provided a fast reduction algorithm exists; see Section 10.4.3 for examples.The cardinality of F p d is approximately equal to 2 nd and in practice, an element α ∈ F p d is representedby the polynomial a d−1 X d−1 + ···+ a 1 X + a 0 where a i ∈ F p . As suggested before, thisimplies that computations in OEFs require two kinds of reduction. Intermediate results have to bereduced modulo the binomial m(X), and for this task Algorithm 11.31 is not even required since areduction modulo m consists simply of replacing X d by ω. Coefficients of the polynomial also haveto be reduced modulo p. For Type I OEF, this operation needs one addition in F p , cf. Section 10.4.3.Otherwise reduction is obtained by Algorithm 10.25 and is more expensive.OEFs are rather easy to find and their search is simplified by the results below on the irreducibilityof X d − ω over F p .Theorem 11.62 Let d 2 be an integer and ω ∈ F ∗ p . The binomial m(X) =X d − ω is irreduciblein F p [X] if and only if the two following conditions hold• each prime factor of d divides the order e of ω but does not divide (p − 1)/e• p ≡ 1(mod4)if d ≡ 0(mod4).As shown in [JUN 1993] one has the sufficient conditionCorollary 11.63 If ω ∈ F ∗ p is a primitive element and d | (p − 1) then the polynomial Xd − ω isirreducible over F p .If d is squarefree and X d − ω irreducible over F p then Theorem 11.62 implies that p ≡ 1(modd).This remark is also useful to speed up the search of OEFs.In Table 11.2 are given all OEFs of Type I, of cryptographic interest sorted with respect to nd.Table 11.2 Type I OEFs.n c d ω nd n c d ω nd n c d ω nd n c d ω nd13 −1 6 7 78 17 −1 5 3 85 13 −1 7 3 91 31 −1 3 5 937 −1 14 3 98 17 −1 6 3 102 19 −1 6 3 114 13 −1 9 7 1177 −1 18 3 126 8 1 16 3 128 16 1 8 3 128 13 −1 10 3 13019 −1 7 3 133 7 −1 21 3 147 17 −1 9 3 153 13 −1 13 2 16917 −1 10 3 170 19 −1 9 3 171 13 −1 14 3 182 61 −1 3 5 18331 −1 6 5 186 7 −1 27 3 189 13 −1 15 11 195 31 −1 7 3 21713 −1 18 7 234 17 −1 15 3 255 8 1 32 3 256 16 1 16 3 25619 −1 14 3 266 13 −1 21 7 273 31 −1 9 5 279 17 −1 17 2 289Table 11.3 contains examples of OEFs of Type II. More precisely, given a size s between 135 and300, for each n 7 dividing s, the unique parameters c ∈ [ −2 ⌊n/2⌋ , 2 ⌊n/2⌋] and d, ifany,aregiven, such that

§ 11.3 Optimal extension fields 231• p =2 n + c is prime• c is minimal in absolute value• d = s/n and X d − 2 is irreducible over F p .Note that when n =8, 16, 32, or 64 only negative values of c are reported so that elements of F pcan be represented with a single word on the corresponding commonly used architectures. Sincethese parameters are of great importance in practice, they appear distinctly in the table.Concerning arithmetic, additions and subtractions are straightforward and do not enjoy specialimprovements, unlike other basic operations we shall describe now.11.3.2 MultiplicationLet two elements α, β ∈ F p d be represented by α = ∑ d−1i=0 a iX i and β = ∑ d−1i=0 b iX i where a iand b i are in F p . Then using the relation X d ≡ ω (mod m(X)), one has∑d−2k∑αβ = c d−1 + (c k + ωc d+k )X k with c k = a i b k−i .k=0Instead of reducing a i b k−i modulo p at each step, it can be faster, especially for OEFs that are notof Type I, to compute c k + ωc d+k as a multiprecision integer and to reduce it only once. As shownin [HAME + 2003], if p =2 n + c is such that lg ( 1+ω(d − 1) ) +2lg|c| n,thenc k + ωc d+k canbe reduced at once with only two multiplications by c.As suggested in [MIH 2000], one can also use convolutions methods, like the FFT, to multiply αand β. This is particularly effective when d is close to a power of 2, or close to the product of smallprimes.As usual, a squaring should be considered independently and computed with a specific procedure.i=011.3.3 ExponentiationThe action of the absolute Frobenius φ p can be computed very efficiently in OEFs [MIH 2000].Indeed, since the coefficients of α = ∑ d−1j=0 a jX j are in F p , one hasd−1∑α pi = a j ω ⌊jpi /d⌋ X ((jpi)modd) .j=0Recall that when d is squarefree, p ≡ 1(modd) so that X ((jp)i mod d) is simply X j . Thus anexponentiation to the power p i only requires us to multiply each coefficient a j by some power of ω,which can be precomputed.Another interesting choice is to take p = kd +1for a given d. In this case, X ((jpi)modd) = X jas well, and ω ⌊jp/d⌋ = ζ j where ζ = ω p−1d ∈ F p is a d-th root of unity.Example 11.64 Let p =2 16 − 165, F p 6 ≃ F p [X]/(X 6 − 2) and take the random elementα = 44048X 5 + 24430X 4 + 54937X 3 + 18304X 2 + 46713X + 63559.One checks that p − 1 ≡ 0(mod6)so that ζ =2 ⌊p/d⌋ is a 6-th primitive root of unity. Precomputingζ,ζ 2 ,ζ 3 ,ζ 4 and ζ 5 modulo p, and multiplying a j by ζ j , one obtainsα p = 23814X 5 + 34492X 4 + 10602X 3 + 7340X 2 + 40911X + 63559.Using the same set of precomputations, the product of α by the ζ 4j ’s, componentwise givesα p4 = 41725X 5 + 34492X 4 + 54937X 3 + 7340X 2 + 24628X + 63559.

232 Ch. 11 Finite Field ArithmeticTable 11.3 Examples of Type II OEFs.n c d nd n c d nd n c d nd n c d nd n c d nd n c d nd n c d nd15 −19 9 135 27 203 5 135 45 −55 3 135 17 29 8 136 34 85 4 136 23 11 6 138 46 −21 3 13810 27 14 140 14 −3 10 140 20 −3 7 140 28 −95 5 140 35 53 4 140 47 5 3 141 11 −19 13 1439 −3 16 144 12 −3 12 144 16 −15 9 144 18 −11 8 144 24 75 6 144 36 117 4 144 48 75 3 14429 39 5 145 21 −21 7 147 49 −139 3 147 37 29 4 148 15 3 10 150 25 35 6 150 30 7 5 15050 −51 3 150 19 −19 8 152 38 13 4 152 17 −13 9 153 51 65 3 153 14 −15 11 154 22 −57 7 15431 413 5 155 12 −39 13 156 13 29 12 156 26 −45 6 156 39 −19 4 156 52 21 3 156 53 41 3 15910 −3 16 160 16 −165 10 160 20 −3 8 160 32 −5 5 160 40 141 4 160 23 11 7 161 9 111816218 3 9 162 27 53 6 162 54 −33 3 162 41 −75 4 164 15 35 11 165 33 29 5 165 55 11 3 16514 −3 12 168 21 −19 8 168 24 −63 7 168 28 3 6 168 42 −11 4 168 56 −57 3 168 13 −1 13 16910 −3 17 170 17 −61 10 170 34 −113 5 170 19 −19 9 171 57 −13 3 171 43 29 4 172 29 −43 6 17458 −63 3 174 7 3 25 175 25 41 7 175 35 53 5 175 11 5 16 176 22 −3 8 176 44 21 4 17659 −55 3 177 12 15 15 180 15 −19 12 180 18 −93 10 180 20 −3 9 180 30 3 6 180 36 −5 5 18045 −139 4 180 60 33 3 180 7 3 26 182 13 27 14 182 14 −3 13182 26 −45 7 182 61 −31 3 18323 −27 8 184 46 165 4 184 37 9 5 185 31 11 6 186 62 −57 3 186 17 −61 11 187 47 5 4 18821 −19 9 189 27 203 7 189 63 −25 3 189 19 −27 10 190 38 7 5 190 12 −3 16192 16 −243 12 19224 −3 8 192 32 −387 6 192 48 21 4 192 64 −189 3 192 13 29 15 195 15 71 13 195 39 23 5 19514 −3 14 196 28 −57 7 196 49 69 4 196 11 5 18 198 18 9 11 198 22 −3 9 198 33 29 6 19810 −3 20 200 20 −5 10 200 25 69 8 200 40 15 5 200 50 −27 4 200 29 −3 7 203 17 29 12 20434 −165 6 204 51 21 4 204 41 −21 5 205 23 11 9 207 13 29 16 208 16 −15 13 208 26 −27 8 20852 21 4 208 11 5 19 209 19 −27 11 209 10 −15 21 210 14 −3 15210 15 21 14 210 21 −21 10 21030 7 7 210 35 53 6 210 42 −33 5 210 53 5 4 212 43 −67 5 215 8 −15 27 216 12 3 18 21618 117 12 216 24 −33 9 216 27 29 8 216 36 117 6 216 54 −131 4 216 31 −85 7 217 20 33 11 22022 67 10 220 44 55 5 220 55 −67 4 220 13 −31 17 221 17 −31 13 221 37 269 6 222 14 −3 16 22416 −155 14 224 28 37 8 224 32 −17 7 224 56 −27 4 224 9 9 25 225 25 35 9 225 45 59 5 22519 −19 12 228 38 −45 6 228 57 141 4 228 10 −11 23 230 23 −27 10 230 46 127 5 230 21 −111 11 23133 35 7 231 29 −3 8 232 58 −27 4 232 13 −13 18 234 18 −11 13 234 26 15 9 234 39 −91 6 23447 −127 5 235 59 −99 4 236 17 −115 14 238 34 −113 7 238 15 −19 16 240 16 −15 15 240 20 −3 12 24024 75 10 240 30 −35 8 240 40 141 6 240 48 −165 5 240 60 −107 4 240 11 21 22 242 22 85 11 2429 11 27 243 27 53 9 243 61 21 4 244 35 −31 7 245 49 69 5 245 41 −133 6 246 13 17 19 24719 81 13 247 31 −19 8 248 62 −171 4 248 10 −3 25 250 25 −61 10 250 50 −113 5 250 12 63 21 25214 −3 18 252 18 −35 14 252 21 −19 12 252 28 3 9 252 36 175 7 252 42 75 6 252 63 29 4 25223 15 11 253 17 −61 15 255 51 −237 5 255 16 −99 16 256 32 −99 8 256 64 −59 4 256 43 −691 6 25837 41 7 259 13 29 20 260 20 57 13 260 26 117 10 260 52 55 5 260 9 1129261 29 −43 9 26111 5 24 264 12 −3 22 264 22 −3 12 264 24 73 11 264 33 29 8 264 44 21 6 264 53 −111 5 26514 33 19 266 19 −85 14 266 38 −45 7 266 10 9 27 270 15 −19 18 270 18 87 15 270 27 203 10 27030 3 9 270 45 −139 6 270 54 −33 5 270 16 −17 17 272 17 29 16 272 34 85 8 272 13 41 21 27321 −69 13 273 39 −7 7 273 25 35 11 275 55 3 5 275 12 −47 23 276 23 29 12 276 46 −21 6 27631 11 9 279 14 −3 20 280 20 −3 14 280 28 −125 10 280 35 53 8 280 40 27 7 280 56 175 5 28047 5 6 282 15 −49 19 285 19 −67 15 285 57 −111 5 285 11 −19 26 286 22 −87 13 286 26 69 11 28641 −31 7 287 9 −3 32 288 12 −3 24 288 16 −165 18 288 18 −11 16 288 24 117 12 288 32 −153 9 28836 117 8 288 48 75 6 288 17 −1 17 289 29 149 10 290 58 −63 5 290 14 −3 21294 21 −21 14 29442 −161 7 294 49 −139 6 294 59 273 5 295 37 29 8 296 11 5 27 297 27 −39 11 297 33 17 9 29723 293 13 299 12 −5 25 300 20 435 15 300 25 77 12 300 30 −83 10 300 50 −51 6 300 60 105 5 300

§ 11.3 Optimal extension fields 233Accordingly, the use of the Frobenius speeds up an exponentiation to a generic power n. Indeed,a traditional approach would require d lg p squarings to get α n , but writing n in basis p, i.e., n =(n l−1 ...n 0 ) p , it is clear thatl−1∏α n = φ i p(αn i).i=0Combined with a right-to-left strategy to compute the α ni ’s, cf. Section 9.1.1, this idea shows thatonly (lg p − 1) squarings are needed, namely α 2 ,α 4 ,...,α 2lg p−1 . In addition, each term α ni canbe computed in parallel.Example 11.65 Let n = 27071851865689547117393862889 and let us compute α n . First remarkthat n = (22388 12209 20770 63238 8078 10838) p . Using the precomputed values α 2 ,α 4 ,...,α 215Algorithm 9.2 givesα n 0= 13812X 5 + 61164X 4 + 49159X 3 + 1927X 2 + 1781X + 31944α n 1= 4807X 5 + 57203X 4 + 62178X 3 + 3283X 2 + 4690X + 33266α n 2= 49155X 5 + 5527X 4 + 47396X 3 + 13274X 2 + 13828X + 60304α n 3= 21607X 5 + 11848X 4 + 23310X 3 + 30303X 2 + 31752X + 44845α n 4= 29730X 5 + 12285X 4 + 27469X 3 + 798X 2 + 9947X + 47295α n 5= 54710X 5 + 18029X 4 + 18950X 3 + 23518X 2 + 10120X + 34955and with the technique explained above one obtainsα n 0= 13812X 5 + 61164X 4 + 49159X 3 + 1927X 2 + 1781X + 31944α pn 1= 60618X 5 + 51323X 4 + 3361X 3 + 4138X 2 + 57415X + 33266α p2 n 2 = 8288X 5 + 43479X 4 + 47396X 3 + 53960X 2 + 58194X + 60304α p3 n 3 = 43932X 5 + 11848X 4 + 42229X 3 + 30303X 2 + 33787X + 44845α p4 n 4 = 46496X 5 + 26171X 4 + 27469X 3 + 28535X 2 + 55771X + 47295α p5 n 5 = 37148X 5 + 9908X 4 + 46589X 3 + 49290X 2 + 55179X + 34955so that the product of all these values isα n = 42336X 5 + 42804X 4 + 21557X 3 + 49577X 2 + 22038X + 4278.11.3.4 InversionAlthough an inverse could be computed with an extended gcd computation in F p d,itismuchfasterto use the Frobenius action and an inversion in F p to compute it.Namely, taker = pd − 1p − 1 = pd−1 + p d−2 + ···+ p +1.Then α r−1 and α r are easily obtained using the Frobenius and in addition α r ∈ F p since it is thenorm of α. Soα r can be easily inverted to obtainα −1 = α r−1 × α −r .Further improvements, reminiscent of an addition chain approach, can be applied to compute theterm α r−1 . As an example, let us consider the extension degree d =6, often used in practice with32-bit architectures. In this case, the successive steps to compute α r−1 areα p ,α p+1 ,α p3 +p 2 ,α p5 +p 4 ,α p5 +p 4 +p 3 +p 2 and α p5 +p 4 +p 3 +p 2 +p .The entire algorithm is as follows.

234 Ch. 11 Finite Field ArithmeticAlgorithm 11.66 OEF inversionINPUT: A nonzero element α ∈ F p d.OUTPUT: The inverse of α in F p d.1. r ← (p d − 1)/(p − 1)2. s ← α r−1 [use an addition-chain-like approach]3. t ← sα [t = α r ∈ F p]4. u ← t −1 [compute the inverse of t in F p]5. return suRemarks 11.67(i) Algorithm 11.66 is in fact a generalization of a method proposed by Itoh and Tsujii[ITTS 1988] for characteristic 2 fields. See also Remark 11.48 (iv).(ii) Since t belongs to F p it is equal to the constant coefficient of the product sα. Thus thismultiplication needs only d multiplications in F p as does the product su.(iii) Let ν(k) be the Hamming weight of k, thenα r−1 can be computed [HAME + 2003]with N M = ⌊lg d − 1⌋ + ν(d − 1) − 1 products in F p d and at most N φp Frobeniuscomputations where{N M +1if d is odd,N φp =⌊lg(d − 1)⌋ + ν(d) otherwise.Example 11.68 Take p, F p 6 and α as defined in Example 11.64 and let us compute the inverse ofα by Algorithm 11.66. First r = p 5 + p 4 + p 3 + p 2 + p +1and α r−1 is obtained by computingsuccessivelyα p = 23814X 5 + 34492X 4 + 10602X 3 + 7340X 2 + 40911X + 63559α p+1 = 27871X 5 + 42246X 4 + 20450X 3 + 8624X 2 + 26549X + 28414α p3 +p 2 = 47216X 5 + 11126X 4 + 20450X 3 + 50936X 2 + 29251X + 28414α p5 +p 4 = 55991X 5 + 12167X 4 + 20450X 3 + 5979X 2 + 9739X + 28414α p5 +p 4 +p 3 +p 2 = 26086X 5 + 2404X 4 + 35019X 3 + 45382X 2 + 45825X + 22132α r−1 = 28310X 5 + 14778X 4 + 7889X 3 + 29498X 2 + 2991X + 44851with 3 multiplications in F p 6 and 3 applications of φ p or φ 2 p. Finally, t = α r−1 α ≡ 42318 (mod p),u = t −1 ≡ 27541 (mod p) andα −1 = α r−1 u = 33766X 5 + 3708X 4 + 9164X 3 + 48513X 2 + 58147X + 27858.11.3.5 Squares and square rootsFor any extension field F p d of odd characteristic, and not only for OEFs, there is a simple methodrelying on Theorem 2.104 and very similar to Algorithm 11.19 to decide if an element of F p d is asquare or not.

§ 11.3 Optimal extension fields 235Algorithm 11.69 Legendre–Kronecker–Jacobi symbolINPUT: A polynomial f(X) ∈ F p[X] and an irreducible polynomial m(X) ∈ F p[X].OUTPUT: The Legendre–Kronecker–Jacobi symbol ` f(X)m(X)´·1. k ← 12. repeat3. if f(X) =0 then return 04. a ← the leading coefficient of f(X)5. f(X) ← f(X)/a´ a6. if deg m ≡ 1 (mod 2) then k ← k` p7. if p deg m ≡ 3 (mod 4) and deg m deg f ≡ 1 (mod 2) then k ←−k8. r(X) ← f(X), f(X) ← m(X) modr(X) and m(X) ← r(X)9. until deg m =010. return kRemark 11.70 Algorithm 11.69 relies on the law (2.7). Since f(X) is not necessarily monic it isfirst divided by its leading coefficient a. Now we remark that a ∈ F p is always a square in anextension ( of even degree. When the degree is odd a is a quadratic residue if and only if a =0ora)p =1.Example 11.71 Take p =7,letm(X) be the irreducible polynomial X 9 +2X 8 + X 7 +2X 6 +2X 5 +4X 2 +6X +6and f(X) =X 6 + X 5 +6X 4 +2X 3 +2X 2 +4X +1, both being elementsof F 7 [X].After Line 8 the values of r, f, a and k are as followsr f a kX 6 +4X 5 +3X 4 + X 3 + X 2 +2X +4 4X 5 +3X 4 +4X 3 +3X 2 +2X +4 1 1X 5 +6X 4 + X 3 +6X 2 +4X +1 4X 3 +2X 2 +2X +6 4 1X 3 +4X 2 +4X +5 2X 2 +3X 4 −1X 2 +5X 2X +5 2 −1X +6 6 2 −11 0 6 1So f(X) is a square modulo m(X). Using a trivial generalization of Algorithm 11.26, one findsthat (3X 3 +6X 2 +2X +1) 2 ≡ f(X) (modm(X)).To conclude this part, let us remark that the computation of the trace of an element in an OEFenjoys the same kind of improvements as in characteristic 2, cf. Remark 11.57 (ii).11.3.6 Specific improvements for degrees 3 and 5For some applications, like the implementation of trace zero varieties, cf. Section 15.3, one needsto work in an extension field F p d of small degree d. In particular, d =3and d =5are interestingthere. Some specific tricks can be used to make multiplication and inversion more efficient.

236 Ch. 11 Finite Field ArithmeticWe use an explicit description of the field extension as F p d = F p [θ], whereθ is a root of an irreduciblebinomial X d − ω. Since d =3or 5 is prime, X d − ω is irreducible whenever p ≡ 1(mod d) and ω is not a d-th power in F p .AsF p contains a d-th root of unity ζ, the roots of X d − ωare θ,ζθ,...,ζ d−1 θ.Remark 11.72 It is very likely that there exists ω of small integer value, which is not a d-th power.In fact, by Čebotarev’s density theorem, we have with probability 1/d that p ≡ 1(modd) andX d − 2 is irreducible over F p . With even larger probability, one can find some small ω such thatX d − ω is irreducible over F p and the multiplication by ω, i.e., the reduction modulo the irreduciblebinomial, can be computed by additions only.We shall write all elements of F p 3, respectively F p 5, as polynomials in θ of degrees at most 2,respectively 4, over F p . Addition, subtraction, and negation of elements of F p d are performedcomponent-wise. If ω is small we can ignore the costs of reducing modulo X d − ω.11.3.6.a Multiplication and squaringMultiplication of elements of F p d is split into multiplication of the corresponding polynomials in θand then reduction of the result using the fact that θ d = ω.Multiplication for d =3Multiplication in degree 3 extensions is done using Karatsuba’s method, which we detail here tohave the exact operation count. Let us multiply α = ∑ 2i=0 a iθ i with β = ∑ 2i=0 b iθ i .Wehaveαβ= a 0 b 0 + ( )(a 0 + a 1 )(b 0 + b 1 ) − a 0 b 0 − a 1 b 1 θ+ ( )(a 0 + a 2 )(b 0 + b 2 ) − a 0 b 0 − a 2 b 2 + a 1 b 1 θ2+ ( )(a 1 + a 2 )(b 1 + b 2 ) − a 1 b 1 − a 2 b 2 θ 3 +(a 2 b 2 )θ 4 .(11.6)It enables us to multiply two degree 2 polynomials by 6 multiplications. By delaying all modularreductions and using incomplete reduction (see [AVMI 2004]), we need to perform 3 modularreductions modulo p.Multiplication for d =5In the degree 5 extension case, to multiply α = ∑ 4i=0 a iθ i with β = ∑ 4i=0 b iθ i we put ξ = θ 3 andlet A 0 = ∑ 2i=0 a iθ i , A 1 = a 3 + a 4 θ, B 0 = ∑ 2i=0 b iθ i ,andB 1 = b 3 + b 4 θ. Karatsuba’s method isthen used to obtainαβ = (A 0 + A 1 ξ)(B 0 + B 1 ξ)= A 0 B 0 + ( )(A 0 + A 1 )(B 0 + B 1 ) − A 0 B 0 − A 1 B 1 ξ + A1 B 1 ξ 2 .The product A 1 B 1 is computed using Karatsuba’s method, and A 0 B 0 and (A 0 + A 1 )(B 0 + B 1 )are both computed using (11.6). Note, however, that having A 0 , B 0 of degree 2 and A 1 , B 1 ofdegree 1, the coefficients of θ 4 in A 0 B 0 and (A 0 + A 1 )(B 0 + B 1 ) are the same, so we can save oneF p -multiplication. The amount of F p -multiplications needed to multiply two degree 4 polynomialsis thus 3+2× 6 − 1=14. By delaying all modular reductions and using incomplete reduction, weneed to compute just 5 modular reductions modulo p.SquaringThe squarings are more efficiently carried out using the schoolbook method, since this reducesthe number of additions significantly and in several libraries, squarings in F p are no cheaper than

§ 11.3 Optimal extension fields 237ordinary multiplications. If this is not the case one should implement both versions (the schoolbookversion and the Karatsuba one) and compare their running time.For d =3, we need 3 squarings and 3 multiplications in F p by(a 0 + a 1 θ + a 2 θ 2 ) 2 = a 2 0 + ωa 1 a 2 +(ωa 2 2 + a 0 a 1 )θ +(a 2 1 + a 0 a 2 )θ 2 .Likewise, for d =5we have 5 squarings and 10 multiplications. The number of modular reductionsare again 3 and 5 as in the case of multiplications.11.3.6.bInversionFor the inversion, the difference from the general OEF approach becomes obvious. To compute theinverse of α ∈ F p d, we can consider the multiplication as a linear map and determine a preimage.This method is faster for d =3and also for d =2but we do not investigate that case any further.Note that for d =5, the general method made explicit is faster.Inversion for d =3Let β = b 0 + b 1 θ + b 2 θ 2 , with b 0 ,b 1 ,b 2 ∈ F p ,betheinverseofα = a 0 + a 1 θ + a 2 θ 2 ∈ F p 3 andusing θ 3 = ω, the relation αβ =1can be written as:⎡⎤ ⎡ ⎤ ⎡ ⎤a 0 a 2 ω a 1 ω b 0 1⎢⎥ ⎢ ⎥ ⎢ ⎥⎣a 1 a 0 a 2 ω⎦⎣b 1 ⎦ = ⎣0⎦ .a 2 a 1 a 0 b 2 0Hence⎡ ⎤ ⎡⎤b 0 a 0 a 2 ω a 1 ω⎢ ⎥ ⎢⎥⎣b 1 ⎦ = ⎣a 1 a 0 a 2 ω⎦b 2 a 2 a 1 a 0−1 ⎡⎤⎡1a 2⎢ ⎥⎣0⎦ =(a 3 0 + ωa 3 1 + ω 2 a 3 2 − 3 ωa 0 a 1 a 2 ) −1 0⎢− ωa ⎤1a 2⎣ωa 2 2 − a ⎥0a 1 ⎦ .0a 2 1 − a 0 a 2From this formula we obtain a method for inverting elements in F p 3, which requires (ignoringmultiplications by 3 and by ω) just one inversion, 3 squarings, and 9 multiplications in F p .This method can be generalized to very small extensions. It is described e.g., in [KOMO + 1999].Inversion for d =5In this case we use the inversion technique described in Algorithm 11.66 but can save a bit bycombining the powers of the Frobenius automorphism, i.e., making the addition chain explicit.Thus we compute the inversion in F p 5 as:α −1 =(αp α p2 (α p α p2 ) p2α ( α p α p2 (α p α p2 ) p2)·Note that if the result of a F p 5-multiplication is known in advance to be in F p (such as the norm), itscomputation requires just 5 F p -multiplications. This way we compute inverses in F p 5 by one inversionand 50 multiplications in F p . This strategy is optimal for d =5and needs less multiplicationsthan the generalization of the linear algebra approach used for d =3.

Chapter ½¾Arithmetic of p-adic NumbersFrederik VercauterenContents in Brief12.1 Representation 239Introduction • Computing the Teichmuller modulus12.2 Modular arithmetic 244Modular multiplication • Fast division with remainder12.3 Newton lifting 246Inverse • Inverse square root • Square root12.4 Hensel lifting 24912.5 Frobenius substitution 250Sparse modulus • Teichmuller modulus • Gaussian normal basis12.6 Artin–Schreier equations 252Lercier–Lubicz algorithm • Harley’s algorithm12.7 Generalized Newton lifting 25612.8 Applications 257Teichmuller lift • Logarithm • Exponential • Trace • NormThis chapter presents efficient algorithms to compute in the ring Z p of p-adic integers and thevaluation ring Z q of an unramified extension of Q p . Many of these algorithms were developedspecifically for the p-adic point counting algorithms described in Chapter 17, but are by no meanslimited to this application. Although most of the lifting algorithms remain valid for more generalp-adic fields, we restrict ourselves to Z p and Z q due to their importance for practical applications.12.1 Representation12.1.1 IntroductionLet Q q be the unramified extension of Q p of degree d, then Proposition 3.21 implies that Q q canbe represented as Q p [X]/ ( M(X) ) with M ∈ Z p [X] of degree d such that m := P 1 (M) ∈ F p [X]is irreducible of degree d. Sincedeg m =degM, the leading coefficient of M is a unit in Z p ,sowithout loss of generality we can assume that M is monic.Let a ∈ Q q be represented by ∑ d−1i=0 a iX i with a i ∈ Q p , then the p-adic valuation v p is given byv p (a) =min 0i

240 Ch. 12 Arithmetic of p-adic Numbersring Z q of Q q can be represented as Z p [X]/ ( M(X) ) . Given a representation of the residue fieldF q ≃ F p [X]/ ( m(X) ) , there exist infinitely many polynomials M ∈ Z p [X] with P 1 (M) =m. Tomake reduction modulo m very efficient, m is usually chosen to be sparse.In practice, one computes with p-adic integers up to some precision N, i.e., an element a ∈ Z pis approximated by p N (a) ∈ Z/p N Z and arithmetic reduces to integer arithmetic modulo p N .Fora given precision N, each element therefore takes O(N lg p) space.This extends in a natural way to Z q :anelementa ∈ Z q represented as ∑ d−1i=0 a iX i with a i ∈ Z pwill be approximated by the polynomial ∑ d−1i=0 p N (a i )X i . Computing in Z q up to precision N thuscorresponds computing in (Z/p N Z)[X]/ ( M N (X) ) , with M N the polynomial obtained by reducingthe coefficients of M modulo p N , i.e., M N = P N (M). The space required to represent such anelement clearly is given by O(dN lg p).Given a modulus m defining F q , there are two common choices for the polynomial M that speedup the arithmetic in Z q : the first choice preserves the sparse structure of m, whereas the secondchoice is especially suited in case an efficient Frobenius substitution is needed.• Sparse modulus representation: Letm(X) = ∑ di=0 m iX i with m i ∈ F p and m d =1.To preserve the sparseness of m, a first natural choice is to define M(X) = ∑ di=0 M iX iwith M i the unique integer between 0 and p − 1 such that M i ≡ m i (mod p). Thereduction modulo M of a polynomial of degree 2(d − 1) then only takes d(w − 1)multiplications of a Z p -element by a small integer and dw subtractions in Z p where wis the number of nonzero coefficients of m.• Teichmüller modulus representation: SinceF q is the splitting field of the polynomialX q − X, the polynomial m divides X q − X. To preserve the simple Galois action onF q , i.e., p-th powering, a second natural choice is to define M as the unique polynomialover Z p with M(X) | X q − X and M(X) ≡ m(X) (modp). Every root θ ∈ Z q ofM(X) clearly is a (q − 1)-th root of unity, therefore also Σ(θ) is a (q − 1)-th root ofunity, with Σ the Frobenius substitution of Z q .SinceΣ(θ) ≡ θ p (mod p), we concludethat Σ(θ) =θ p or by abuse of notation Σ(X) =X p .If the finite field F q admits a Gaussian normal basis, then Kim et al. [KIPA + 2002] showed that thisbasis can be lifted to Z q .Proposition 12.1 Let p be a prime and d, t positive integers such that dt +1is a prime not equalto p. Letγ beaprimitive(dt+1)-th root of unity in some extension field of Q p .Ifgcd(dt/e, d) =1,with e the order of p modulo dt +1, then for any primitive t-th root of unity τ in Z/(dt +1)Z∑t−1θ = γ τ i (12.1)i=0is a normal element and [Q p (θ) :Q p ]=d. Such a basis is called a Gaussian normal basis of type t.Elements of Z q are then represented in a redundant way by computing in the ringZ p [X]/(X dt+1 − 1).For a given precision N, each element therefore requires O(dNt lg p) space.12.1.2 Computing the Teichmüller modulusIn this section we provide all the details of an algorithm first sketched by Harley in [HAR 2002b],to compute the Teichmüller modulus of the defining polynomial of a finite field. Let θ ∈ F q be such

§ 12.1 Representation 241that F q = F p [θ] and let θ ∈ Z q be the Teichmüller lift of θ, i.e., the unique (q − 1)-th root of unitythat reduces to θ. In the previous section we assumed that Z q was represented as Z p [X]/ ( M(X) )with M the minimal polynomial of θ. Sinceθ is a (q − 1)-th root of unity, we have that Σ(θ) =θ pand M(X) = ∏ d−1i=0 (X − θpi ).Letζ p be a formal p-th root of unity, thenM(X p )=p−1∏Indeed, for i =1,...,d− 1 each factor ( X p − θ pi )of M(X p ) splits asi=0(X − θp i−1)( ζ p X − θ pi−1) ···(ζ p−1p X − θ pi−1) .M(ζ i pX). (12.2)Write M as M(X) = ∑ p−1i=0 M i(X p )X i with M i ∈ Z q [X], then (12.2) can be rewritten as(p−1∏ p−1) ∑ ∑p−1M(X p )= ζp ij M i (X p )X i (= h k M0 (X p ),...,M p−1 (X p ) ) X pk ,j=0 i=0with h k ∈ Z q [Y 0 ,...,Y p−1 ] homogeneous polynomials of degree p. This implies that M satisfiesk=0p−1∑ (M(X) = h k M0 (X),...,M p−1 (X) ) X k .k=0The following table lists the first few examples of the polynomials h k (Y 0 ,...,Y p−1 ).ph k2 h 0 = Y02h 1 = −Y123 h 0 = Y03h 1 = Y1 3 − 3Y 0Y 1 Y 2h 2 = Y235 h 0 = Y05h 1 = Y1 5 +5(Y 0 2Y1 2Y3 − Y0 3Y1Y 4 − Y0 3Y2Y 3 + Y0 2Y1Y2 2 − Y 0Y1 3Y2)h 2 = Y2 5 +5(Y0 2 Y 2 Y4 2 + Y0 2 Y3 2 Y 4 + Y 0 Y1 2 Y4 2 − Y 0 Y 1 Y 2 Y 3 Y 4 − Y 0 Y 1 Y33−Y 0 Y2 3Y4 + Y 0 Y2 2Y3 2 − Y 1 3Y3Y 4 + Y1 2Y2 2Y4 + Y1 2Y2Y3 2 − Y 1Y2 3Y3)h 3 = Y3 5 +5(Y 1 Y3 2 Y4 2 − Y 0 Y 3 Y4 3 − Y 1 Y 2 Y4 3 ++Y2 2 Y 3 Y4 2 − Y 2 Y3 3 Y 4 )h 4 = Y45Assume we know M t (X) ≡ M(X) (modp t ) and let δ t (X) = ( M(X) − M t (X) ) /p t . SubstitutingM t (X)+p t δ t (X) in the equationp−1∑ (M(X) − h k M0 (X),...,M p−1 (X) ) X k =0k=0gives a relation that determines δ t modulo p t . For example, consider the case p =2, which leads toδ t (X) − 2 ( M t,0 (X)δ t,0 (X) − XM t,1 (X)δ t,1 (X) ) + V t (X) ≡ 0 (mod 2 t ), (12.3)

242 Ch. 12 Arithmetic of p-adic Numberswith V t (X) ≡ ( M t (X) − M t,0 (X) 2 + XM t,1 (X) 2) /2 t (mod 2 t ). Assume we have an algorithmto compute δ t mod p t′ with t ′ = ⌈t/2⌉, then we can use the same algorithm to compute δ t mod p t .Indeed, substituting δ t = δ t ′ + p t′ ∆ t ′ in (12.3) leads to a similar equation modulo 2 t−t′ with δ treplaced by ∆ t ′ and V t replaced byV t (X)+δ t ′(X) − 2 ( M t,0 (X)δ t′ ,0(X) − XM t,1 (X)δ t′ ,1(X) )2 t′ mod 2 t−t′ .Since t − t ′ t ′ we can use the same algorithm to find ∆ t ′ and thus δ t . This immediately leads toAlgorithms 12.2 and 12.3. Note that for odd extension degree d, Algorithm 12.2 returns −M,sointhis case a final negation is necessary.Algorithm 12.2 Teichmüller modulusINPUT: A monic irreducible polynomial m ∈ F 2[X] of degree d and precision N.OUTPUT: The Teichmüller lift M ∈ Z 2[X] up to precision N, i.e., M(X) | X 2d − X mod 2 Nand M(X) ≡ m(X) (mod 2).1. if N =1 then2. M(X) ← m(X) mod23. else4. N ′ ← ˚ N2ˇ5. M ′ (X) ← Teichmüller modulus (m, N ′ )6. M 0(X 2 ) ← `M ′ (X)+M ′ (−X)´/2 mod2 N7. M 1(X 2 ) ← `M ′ (X) − M ′ (−X)´/(2X) mod2 N8. V (X) ← `M ′ (X) − M 0(X) 2 + XM 1(X) 2´/2 N′ mod 2 N−N′9. δ(X) ← Teichmüller modulus increment (M 0,M 1,V,N − N ′ )10. M(X) ← M ′ (X)+2 N′ δ(X) mod2 N11. return M(X)Algorithm 12.2 relies on a procedure called the Teichmüller modulus increment, which returns δ inZ 2 [X] such thatδ(X) − 2 ( M 0 (X)δ 0 (X) − XM 1 (X)δ 1 (X) ) + V (X) ≡ 0 (mod 2 N ). (12.4)The algorithm is as follows.Algorithm 12.3 Teichmüller modulus incrementINPUT: Polynomials M 0,M 1,V ∈ Z 2[X] and a precision N.OUTPUT: The polynomial δ ∈ Z 2[X] as in (12.4)1. if N =1 then2. δ(X) ←−V (X) mod23. else4. N ′ ← ˚ N2ˇ5. δ ′ (X) ← Teichmüller modulus increment (M 0,M 1,V,N ′ )6. δ 0(X 2 ) ← `δ ′ (X)+δ ′ (−X)´/2 mod2 N

§ 12.1 Representation 2437. δ 1(X 2 ) ← `δ ′ (X) − δ ′ (−X)´/(2X) mod2 N8. V ′ (X) ← V (X)+δ′ (X) − 2`M 0(X)δ 0(X) − XM 1(X)δ 1(X)´mod 2 N−N′2 N′9. ∆(X) ← Teichmüller modulus increment (M 0,M 1,V ′ ,N − N ′ )10. δ(X) ← δ ′ (X)+2 N′ ∆(X) mod2 N11. return δ(X)The complexity of Algorithm 12.2 is determined by the O(1) multiplications in Line 8 and the callto Algorithm 12.3 in Line 9. The complexity of the latter algorithm is determined by the recursivecalls in Lines 5 and 9 and the O(1) multiplications in Line 8. If T (N) is the running time ofAlgorithm 12.3 for precision N, thenwehaveT (N) 2T (⌈N/2⌉)+cT d,N ,for some constant c and T d,N the time to multiply two polynomials in (Z/p N Z)[X] of degreeless than d assuming p is fixed. The above relation implies by induction that the complexity ofAlgorithm 12.3 and thus also of Algorithm 12.2 is O(T d,N lg N).Example 12.4 Let F 2 8 ≃ F 2 [X]/(m(X)) with m(X) =X 8 + X 4 + X 3 + X 2 +1, then on input(m, 10) Algorithm 12.2 computes the following intermediate results:1 M X 8 + X 4 + X 3 + X 2 +12 M 0 X 4 + X 2 + X +1M 1 XV X 6 + X 5 + X 4 + X 2 + Xδ X 6 + X 5 + X 4 + X 2 + XM X 8 +2X 6 +2X 5 +3X 4 + X 3 +3X 2 +2X +13 M 0 X 4 +2X 3 +3X 2 +3X +1M 1 2X 2 + X +2V 3X 7 + X 5 + X 3δ X 7 + X 5 + X 3M X 8 +4X 7 +2X 6 +6X 5 +3X 4 +5X 3 +3X 2 +2X +15 M 0 X 4 +2X 3 +3X 2 +3X +1M 1 4X 3 +6X 2 +5X +2V 2X 7 + X 6 +3X 4 + X 2δ X 6 + X 4 +2X 3 +3X 2 +2XM X 8 +4X 7 +10X 6 +6X 5 +11X 4 +21X 3 +27X 2 +18X +110 M 0 X 4 +10X 3 +11X 2 +27X +1M 1 4X 3 +6X 2 +21X +18V 30X 6 +30X 5 +24X 4 +2X 3 + X 2 +9Xδ 20X 7 +26X 6 +4X 5 +16X 4 +31X 2 +17XM X 8 + 644X 7 + 842X 6 + 134X 5 + 523X 4 +21X 3 + 1019X 2 + 562X +1

244 Ch. 12 Arithmetic of p-adic Numbers12.2 Modular arithmetic12.2.1 Modular multiplicationLet a ∈ Z p and let N be the precision we compute with, then a is approximated by p N (a) ∈Z/p N Z. Arithmetic in Z/p N Z is simply integer arithmetic modulo p N so all methods of Chapter10 apply. Let µ be a constant such that multiplication of two B-bit integers requires O(B µ )bit-operations, for example µ =2for schoolbook multiplication, µ =lg3for Karatsuba multiplication[KAOF 1963], and µ =1+ε, with ε real positive, for Schönhage–Strassen multiplication[SCST 1971]. Since a modular reduction takes the same time as a multiplication, we concludethat modular multiplication up to precision N requires O(N µ ) bit-operations for fixed p.Let Z q be represented as Z p [X]/ ( M(X) ) with M ∈ Z p [X] a monic, irreducible polynomial ofdegree d, then working up to precision N corresponds to computing in(Z/p N Z ) [X]/ ( P N(M(X))).The modular multiplication proceeds in two steps: multiplication of two polynomials of degree lessthan d in (Z/p N Z)[X] and a modular reduction modulo P N (M). The former is well known and requiresT d,N bit-operations for p fixed, e.g., a combination of schoolbook multiplication in the p-adicdimension and Karatsuba multiplication in the polynomial dimension gives T d,N ∈ O(d lg 3 N 2 ).The reduction modulo P N (M) depends on the choice of representation of Z q . In the sparsemodulus representation, the reduction modulo P N (M) requires at most d(w − 1) multiplications inZ/p N Z with w the number of nonzero coefficients of P N (M). In the Teichmüller representation,the polynomial P N(M(X))is no longer sparse and fast reduction methods should be used. The nextsection shows that this requires O(1) multiplications of polynomials of degree less than d. Therefore,we conclude that a modular multiplication in Z q to precision N requires T d,N bit-operations.12.2.2 Fast division with remainderLet R be a commutative ring and a, b ∈ R[X] polynomials of degree k and d respectively andb monic. Since b is monic, there exist unique polynomials q, r ∈ R[X] with a = qb + r anddeg r

§ 12.2 Modular arithmetic 245then we can recover q from( ) 1X k−d qX( ) 1≡ X k a c(X) (mod X k−(d−1) ). (12.7)XThe polynomial c can be computed using a polynomial version of Algorithm 12.10, i.e., using aNewton iteration to find a “root” of the polynomial fY − 1=0.Algorithm 12.5 Polynomial inversionINPUT: A polynomial f ∈ R[X] with f(0) = 1 and a power n ∈ N.OUTPUT: The inverse of f modulo X n .1. if n =1 then2. c ← 13. else4. n ′ ← ˚ ˇ n25. c ← Polynomial inversion (f, n ′ )6. c ← `c + c(1 − fc)´ mod X n7. return cSince the degree of the polynomials doubles in each iteration, the complexity of Algorithm 12.5 isdetermined by the last iteration, which requires O(1) multiplications of polynomials of degree nover R. Therefore, the complexity amounts to O(n µ ) operations in R.Once c has been computed, the quotient q follows easily from (12.7) and the remainder is givenby r = a − bq (mod X d ). This is summarized in Algorithm 12.6.Algorithm 12.6 Fast division with remainderINPUT: Polynomials a, b ∈ R[X] with b monic.OUTPUT: Polynomials q, r ∈ R[X] such that a = qb + r and deg r

246 Ch. 12 Arithmetic of p-adic Numbersa 559X 14 + 781X 13 + 763X 12 + 684X 11 + 133X 10 + 375X 9 + 922X 8 + 776X 7+452X 6 + 214X 5 + 313X 4 + 148X 3 + 646X 2 + 428X + 168b X 8 + 644X 7 + 842X 6 + 134X 5 + 523X 4 +21X 3 + 1019X 2 + 562X +1c 789X 6 + 747X 5 + 169X 4 + 906X 3 + 198X 2 + 380X +1˜q 337X 6 + 755X 5 + 768X 4 + 420X 3 + 673X 2 + 209X + 559q 559X 6 + 209X 5 + 673X 4 + 420X 3 + 768X 2 + 755X + 337r 428X 7 + 728X 6 + 240X 5 + 294X 4 +10X 3 + 165X 2 + 743X + 85512.3 Newton liftingLet f ∈ Z q [X] and assume that a ∈ Z q satisfies v p(f ′ (a) ) = k and v p(f(a))= n + k for somen>k. Proposition 3.16 then implies that there exists a unique root b ∈ Z q of f with b ≡ a(mod p n ). The element a is called an approximate root of f known to precision n. ReformulatingProposition 3.16 leads to the following lemma that shows how to compute an approximate root toprecision 2n − k starting from an approximate root to precision n.Lemma 12.8 Let f ∈ Z q [X] and assume that a ∈ Z q satisfies v p(f ′ (a) ) = k and v p(f(a))= n+kfor some n>k.Letb be the unique root of f with b ≡ a (mod p n ).Thenz = a − f(a)f ′ (a)(12.8)satisfies z ≡ b (mod p 2n−k ), f(z) ≡ 0(modp 2n ) and v p(f ′ (z) ) = k.Given an approximate root a ∈ Z q to precision n, Algorithm 12.9 computes the unique approximateroot z to precision N with z ≡ a (mod n). Note that for such z,wehavef(z) ≡ 0(modp N+k ).Algorithm 12.9 Newton iterationINPUT: The polynomial f ∈ Z q[X], an approximate root a ∈ Z q, the integer k with v p`f ′ (a)´ =k, precision n>ksuch that f(a) ≡ 0 (mod p n+k ) and precision N.OUTPUT: An approximate root z ∈ Z q of f with z ≡ a (mod p n ) and f(z) ≡ 0 (mod p N+k ).1. if N n then2. z ← a3. else4. N ′ ← ˚ N+k25. z ← Newton iteration (f,a,k, N ′ )6. z ← z − f(z)f ′ (z) (mod pN )7. return zˇAn efficient implementation of the above algorithm requires we always compute with the lowestpossible precision. The result in Line 6 has to be correct up to precision N. By induction, thenumerator f(z) in Line 6 satisfies f(z) ≡ 0(modp N ′ +k ) and the denominator f ′ (z) satisfiesv p(f ′ (z) ) = k, which implies that f ′ (z)/p k is a unit in Z q . Dividing the numerator by p N ′ +k ,we conclude that it suffices to compute f(z)/p N ′ +k and f ′ (z)/p k with precision N − N ′ ,which

§ 12.3 Newton lifting 247implies that it suffices to compute f(z) (modp N+k ) and f ′ (z) (modp N ′ +k ). Note that alsothe inverse of f ′ (z)/p k and the product with f(z)/p N ′ +k only has to be computed with precisionN − N ′ .Since in each iteration, the precision we compute with almost doubles, the complexity of Algorithm12.9 is determined by the last iteration. Let T f (N) denote the time to evaluate f at precisionN, then the complexity of Algorithm 12.9 is given by O(max{T f (N),T d,N }), which in most casesreduces to O ( T f (N) ) .12.3.1 InverseLet a ∈ Z q be a unit and assume we have computed the inverse of p 1 (a) ∈ F q using one of thealgorithms given in Chapter 11. Let z 0 be any lift of 1/p 1 (a) to Z q ,thenz 0 is an approximate rootof the polynomial f(X) =1− aX to precision 1, sincef ′ (z 0 )=a is a unit in Z q . ApplyingLemma 12.8 to f leads to the iteration z ← z +(1− az)/a. Since the division by a only has to becomputed at half precision, we can use z instead of 1/a giving the iteration z ← z + z(1 − az).Algorithm 12.10 InverseINPUT: A unit a ∈ Z q and precision N.OUTPUT: The inverse of a to precision N.1. if N =1 then2. z ← 1/a mod p3. else4. z ← Inverse (a, ˚ N25. z ← z + z(1 − az) modp N6. return zˇ)Let e i =1−az i be the error in the i-th iteration. Then, an easy calculation shows that e i+1 = e 2 i ,soconvergence is quadratic, which explains the statement in Line 4. Since evaluating f requires onlyone multiplication at precision N, we conclude that the complexity of Algorithm 12.10 is O(T d,N ).Example 12.11 Assume that Z 2 8 up to precision N =10is represented as (Z/2 10 Z)[X]/ ( M(X) )with M(X) =X 8 + 644X 7 + 842X 6 + 134X 5 + 523X 4 +21X 3 + 1019X 2 + 562X +1,thenAlgorithm 12.10 computes the following intermediate results on input (a, 10) witha = 982X 7 + 303X 6 + 724X 5 + 458X 4 + 918X 3 + 423X 2 + 650X + 591N1 X 6 + X 3 + X 2 + X2 2X 7 + X 6 +3X 3 + X 2 + X3 6X 7 +5X 6 +4X 4 +7X 3 + X 2 + X +45 22X 7 +21X 6 +24X 5 +4X 4 +31X 3 +25X 2 + X +2810 854X 7 + 373X 6 + 760X 5 + 132X 4 + 863X 3 + 697X 2 + 321X +60z

248 Ch. 12 Arithmetic of p-adic Numbers12.3.2 Inverse square rootLet a ∈ Z q and consider the polynomial f(X) =1− aX 2 ,thenifa is an invertible square, 1/ √ ais a root of f. Applying Lemma 12.8 to f leads to the iteration z ← z +(1− az 2 )/(2az), whichneeds a division by az. Note however that this division can be replaced by a multiplication byz, giving the final iteration z ← z + z(1 − az 2 )/2. Let e i =1− azi 2 be the error in the i-thiteration, then an easy calculation shows that e i+1 =(3e 2 i + e3 i )/4. Let n i = v p (e i ) > 0, thenn i+1 =2n i for p 5, n i+1 =2n i +1for p =3and n i+1 =2n i − 2 for p =2. Thus for p =2we need an approximate root to precision 2 to initialize the Newton iteration. Since every elementin a finite field of characteristic 2 is a square, we can always compute z ≡ 1/ √ p 1 (a) (mod2)using finite field arithmetic. Let y = z +2∆,then1 − ay 2 ≡ 0(mod8)iff ∆ is a solutionof ∆ 2 + z∆ ≡ (1/a − z 2 )/4 (mod2). If this equation has no solution then a is not a square;otherwise, z +2∆is an approximate root to precision 2.Algorithm 12.12 Inverse square root (p =2)INPUT: An invertible square a ∈ Z q, an initial approximation z 0 to precision 2 and precision N.OUTPUT: The inverse square root of a to precision N.1. if N 2 then2. z ← z 03. else4. N ′ ← ˚ N+125. z ← Inverse square root (a, x, N ′ )6. z ← z + z(1 − az2 )mod 2 N27. return zˇˆ(1 − az 2 ) computed modulo 2 N+1˜Since evaluating f requires only O(1) multiplications at precision N, we conclude that the complexityof Algorithm 12.12 is O(T d,N ).Example 12.13 Let Z 2 8 up to precision N =10be represented as in Example 12.11. Suppose wewant to compute the inverse square root ofa = 823X 7 + 707X 6 + 860X 5 + 387X 4 + 663X 3 + 183X 2 +12X + 354.The initial approximation to precision 2 is given by z 0 =2X 7 + X 6 +3X 3 + X 2 + X. Since theprecision we compute with is N =10, the unique inverse square root z ≡ z 0 (mod 4) can onlybe determined up to precision N − 1. On input (a, 9), Algorithm 12.12 computes the followingintermediate results:N2 2X 7 + X 6 +3X 3 + X 2 + X3 6X 7 +5X 6 +4X 4 +7X 3 + X 2 + X +45 22X 7 +21X 6 +24X 5 +4X 4 +31X 3 +25X 2 + X +289 342X 7 + 373X 6 + 248X 5 + 132X 4 + 351X 3 + 185X 2 + 321X +60z

§ 12.4 Hensel lifting 24912.3.3 Square rootLet a ∈ Z q be a square in Z q ,thenv = v p (a) must be even and √ a can be computed as p v/2√ a/p vwith a/p v a unit in Z q . Therefore, assume that a is an invertible square in Z q .A trivial method to obtain √ a is simply to compute c =1/ √ a using Algorithm 12.12 and toreturn √ a = ac, which requires one multiplication at full precision. A trick due to Karp andMarkstein [KAMA 1997] can be used to merge this multiplication with the last step of the iterationas follows: compute b ← az mod p N ′and replace Line 6 of Algorithm 12.12 in the last iterationby z ← b + z(a − b 2 )/2 modp N . Note that b is only computed at half precision, whereas the trivialmethod needs a multiplication at full precision.12.4 Hensel liftingLet f ∈ Z q [X] be a polynomial with integral coefficients and assume that the leading coefficientof f is a unit in Z q . The reduction of f modulo p is thus a polynomial P 1 (f) over F q of the samedegree as f. Given a factorization f ≡ gh (mod p) with g, h ∈ Z q such that g and h are coprimemodulo p, Hensel’s lemma 3.17 states that this factorization can be lifted modulo arbitrary powersof p. The following lemma is a reformulation of Hensel’s lemma, but with quadratic convergence.Lemma 12.14 Let f,g k ,h k ,s k ,t k ∈ Z q [X] be polynomials with integral coefficients such thatf ≡ g k h k (mod p k ) and s k g k + t k h k ≡ 1 (mod p k ) ,with deg f =degP 1 (f), the leading coefficient of h k a unit in Z q , deg s k < deg h k and deg t k

250 Ch. 12 Arithmetic of p-adic Numbers6. s 2k ← s k + p k r mod p 2k and t 2k ← t k + p k (et k + qg 2k )modp 2k7. return g 2k ,h 2k ,s 2k ,t 2kUsing Algorithm 12.15 as a subroutine, we easily deduce an algorithm to lift the factorization of apolynomial modulo p to arbitrarily high powers of p.Algorithm 12.16 Hensel liftINPUT: Polynomials f,g,h,s,t ∈ Z q[X] with f ≡ gh (mod p) and sg + th ≡ 1 (mod p),precision N.OUTPUT: Polynomials G, H, S, T ∈ Z q[X] with f ≡ GH (mod p N ) and SG + TH ≡ 1(mod p N ).1. if N =1 then2. G ← g, H ← h, S ← s and T ← t3. else4. k ← ˚ ˇ N25. g k ,h k ,s k ,t k ← Hensel lift (f,g,h,s,t,k)6. G, H, S, T ← Hensel lift iteration (f,g k ,h k ,s k ,t k ,k)7. return G, H, S, TSince the precision we work with doubles in each iteration, the complexity of Algorithm 12.16 isdetermined by the last iteration. Let n =degf, then Algorithm 12.15 requires O(1) multiplicationsof polynomials of degree less than n and O(1) divisions with remainder, both of which requireO(n µ T d,N ) bit-operations.Example 12.17 In this example, we illustrate Algorithm 12.16 for polynomials over Z 2 .Definef(X) =X 10 +321X 9 +293X 8 +93X 7 +843X 6 +699X 5 +972X 4 +781X 3 +772X 2 +129X+376,then clearly f ≡ gh (mod 2) with g = X 6 + X 4 + X 3 +1and h = X 4 + X 3 + X. Using Euclidextended gcd algorithm in the ring F 2 [X], we compute s = X 2 + X +1and t = X 4 + X +1andon input (f,g,h,s,t,10), Algorithm 12.16 computes the following results:G X 6 +44X 5 +19X 4 + 165X 3 +92X 2 + 206X + 529H X 4 + 277X 3 + 374X 2 + 737X + 504S 660X 3 + 893X 2 + 493X + 345T 364X 5 + 311X 4 + 848X 3 + 618X 2 + 979X + 22112.5 Frobenius substitutionIn this section, we present various algorithms to compute the Frobenius substitution Σ on Z q .Dependingon the representation of Z q , different algorithms should be used.

§ 12.5 Frobenius substitution 25112.5.1 Sparse modulusLet Z q ≃ Z p [X]/ ( M(X) ) and assume that M is sparse, monic of degree d and with coefficientsbetween 0 and p − 1. Given any elementwith a i ∈ Z p for 0 i

252 Ch. 12 Arithmetic of p-adic Numbers12.5.2 Teichmüller modulusLet Z q ≃ Z p [X]/ ( M(X) ) and assume that M is a Teichmüller modulus of degree d. Asshownin Section 12.1, this implies that Σ(X) =X p . Given an element a = ∑ d−1i=0 a iX i ∈ Z q , we cansimply compute Σ(a) asd−1∑Σ(a) = a i X ipi=0(mod M(X)).The reduction modulo M(X) takes at most p − 1 multiplications over Z q , thus computing Σ(a)(mod p N ) for a ∈ Z q requires O(pT d,N ) time.The inverse Frobenius substitution can also be computed very efficiently as follows:( d−1) ∑Σ −1 a i X i =i=0(∑p−1∑j=00pk+j

§ 12.6 Artin–Schreier equations 253By imposing the condition v p (β) > 0, the unique solution to (12.12) is always integral. Indeed,writing out the recursive process explicitly shows that the unique solution is given by∑ d−1i=0x =Σi (b 1 ) × ∏ d−1j=i+1 Σj (a 1 )·1 − N Qq/Q p(a 1 )Since v p (a 1 )=v p (β) > 0, we conclude that 1 − N Qq/Q p(a 1 ) is a unit and therefore x ∈ Z q .12.6.1 Lercier–Lubicz algorithmLercier and Lubicz [LELU 2003] use a simple square and multiply algorithm to compute the a k ,b k ∈ Z q based on the formulaΣ k+n (x) =Σ n (a k x + b k )=Σ n (a k )(a n x + b n )+Σ n (b k ).To find a solution to Σ(x) ≡ ax+b (mod p N ) we simply call Algorithm 12.18 on input (a, b, d, N),which returns a d and b d . The complexity of Algorithm 12.18 is determined by Lines 6 and 7 whichneed O(1) multiplications and O(1) repeated Frobenius substitutions in Z q /p N Z q .For fields with a Gaussian normal basis of type t, the Frobenius substitution takes O(dt) bitoperationsas shown in Section 12.5.3. Since the algorithm needs O(lg d) recursive calls, the timeand space complexity for fields with Gaussian normal basis are O(T d,N lg d) and O(dN) respectively.If the field does not admit a Gaussian normal basis, Algorithm 12.18 should be modified to keeptrack of Σ k′ (X). This can be achieved by introducing an extra variable c which equals Σ k (X) and isreturned in Line 11 together with a k and b k .Thevariablec can then be updated by evaluating it at itself,such that c becomes Σ 2k′ (X) and conjugating once if k is odd. Using the Paterson–Stockmeyertrick [PAST 1973], the complexity of Algorithm 12.18 then becomes O ( (d 2 N µ + √ dT d,N )lgd )and the space complexity is O(d 1.5 N).Algorithm 12.18 Artin–Schreier root square multiplyINPUT: Elements a, b ∈ Z q,apowerk and precision N.OUTPUT: Elements a k ,b k ∈ Z q such that Σ k (x) ≡ a k x + b k (mod p N ).1. if k =1 then2. a k ← a mod p N and b k ← b mod p N3. else4. k ′ ← ¨ ˝ k25. a k ′,b k ′ ← Artin–Schreier root square multiply (a, b, k ′ ,N)6. a k ← a k ′Σ k′ (a k ′)modp N7. b k ← b k ′Σ k′ (a k ′)+Σ k′ (b k ′)modp N8. if k ≡ 1 (mod 2) then9. b k ← b Σ(a k )+Σ(b k )modp N10. a k ← a Σ(a k )modp N11. return a k ,b kAlgorithm 12.19 solves the general Artin–Schreier equation (12.12) and clearly has the same timeand space complexity as Algorithm 12.18.

254 Ch. 12 Arithmetic of p-adic NumbersAlgorithm 12.19 Artin–Schreier root IINPUT: Elements α, β, γ ∈ Z q with α a unit in Z q, v p(β) > 0 and precision N.OUTPUT: An element x ∈ Z q such that αΣ(x)+βx + γ ≡ 0 (mod p N ).1. a d ,b d ← Artin–Schreier root square multiply (−β/α, −γ/α,n,N)2. return b d /(1 − a d )modp NExample 12.20 The ring Z 2 10 admits a Gaussian normal basis of type 1 and can be represented asZ 2 [X]/ ( M(X) ) with M(X) =(X 11 − 1)/(X − 1). Anelementa = ∑ 9i=0 a iX i is embedded inthe ring Z 2 [Y ]/(Y 11 − 1) as ã = ∑ 9i=0 a iY i . Assume we want to find the integral solution s to theequation Σ(X)+βX + γ =0whereβ =18X 9 + 804X 8 + 354X 7 +56X 6 + 656X 5 + 892X 4 + 824X 3 + 578X 2 + 942X + 128,γ = 248X 9 + 101X 8 +64X 7 + 955X 6 + 399X 5 + 664X 4 + 313X 3 + 819X 2 + 1012X +32,then Algorithm 12.18 computes the following intermediate results:a 1 1006Y 9 + 220Y 8 + 670Y 7 + 968Y 6 + 368Y 5 + 132Y 4 + 200Y 3 + 446Y 2 +82Y + 896b 1 776Y 9 + 923Y 8 + 960Y 7 +69Y 6 + 625Y 5 + 360Y 4 + 711Y 3 + 205Y 2 +12Y + 992a 2 420Y 10 + 680Y 9 + 324Y 8 + 416Y 7 + 652Y 6 + 388Y 5 + 424Y 4 + 992Y 3 + 100Y 2 + 644Y +96b 2 287Y 10 + 938Y 9 +68Y 8 + 928Y 7 + 583Y 6 + 659Y 5 + 353Y 4 + 268Y 3 + 842Y 2 + 901Y + 698a 5 768Y 10 + 640Y 9 +64Y 8 + 672Y 7 + 256Y 6 + 928Y 5 +96Y 4 + 704Y 3 + 736Y 2 +96Y + 160b 5 969Y 10 +92Y 9 +29Y 8 + 751Y 7 + 782Y 6 + 826Y 5 + 219Y 4 + 919Y 3 + 936Y 2 + 256Y + 954a 10 0b 10 992Y 10 + 232Y 9 + 759Y 8 + 571Y 7 + 986Y 6 + 270Y 5 + 431Y 4 + 701Y 3 + 124Y 2 + 585Y +58Since a 10 ≡ 0(mod2 10 ), the unique solution s is simply the reduction modulo M of b 10 ,i.e.,s = 264X 9 + 791X 8 + 603X 7 + 1018X 6 + 302X 5 + 463X 4 + 733X 3 + 156X 2 + 617X +90.12.6.2 Harley’s algorithmIn an e-mail to the NMBRTHRY list [HAR 2002b], Harley sketched a doubly recursive algorithm tosolve an Artin–Schreier equation of the form (12.12) assuming that v p (β) > 0. Note that thisimplies that the solution is integral.The main idea is as follows: assume we have an algorithm that returns a solution x N ′ to anequation of the form (12.12) to precision N ′ = ⌈N/2⌉. Write x N = x ′ N + pN ′ ∆ N and substitutex N into (12.12), which leads toαΣ(∆ N )+β∆ N + αΣ(x N ′)+βx N ′ + γp N ′ ≡ 0 (mod p N−N ′ ).Since N −N ′ N ′ we can use the same algorithm to determine ∆ N mod p N−N ′ and therefore x N .This immediately leads to a recursive algorithm if we can solve the base case, i.e., find a solutionto (12.12) modulo p. If we assume that v p (β) > 0, then the base case reduces to solvingαΣ(x)+γ ≡ 0(mod p).Since α is a unit, this uniquely determines x ≡ (−γ/α) 1/p(mod p).

§ 12.6 Artin–Schreier equations 255Algorithm 12.21 Artin–Schreier root IIINPUT: Elements α, β, γ ∈ Z q, α a unit in Z q, v p(β) > 0 and precision N.OUTPUT: An element x ∈ Z q such that αΣ(x)+βx + γ ≡ (mod p N ).1. if N =1 then2. x ← (−γ/α) 1/p (mod p)3. else4. N ′ ← ˚ N2ˇ5. x ′ ← Artin–Schreier root II (α, β, γ, N ′ )6. γ ′ ← αΣ(x′ )+βx ′ + γmod p N−N′p N′7. ∆ ′ ← Artin–Schreier root II (α, β, γ ′ ,N − N ′ )8. x ← `x ′ + p N′ ∆ ′´ mod p N9. return xThe p-th root in Line 2 of Algorithm 12.21 should not be computed by naively taking the p d−1 -thpower. Instead, let F q = F p [θ],then( ∑d−1) 1/pa i θ i =i=0(∑p−1∑j=00pk+j

256 Ch. 12 Arithmetic of p-adic NumbersNode N xTLLLL 1 X 7 + X 6 + X 4 + XTLLLR 1 X 7 + X 5 + X 3 + X 2TLLL 2 3X 7 + X 6 +2X 5 + X 4 +2X 3 +2X 2 + XTLLR 1 X 6 + X 5 + X 2 + X +1TLL 3 3X 7 +5X 6 +6X 5 + X 4 +2X 3 +6X 2 +5X +4TLRL 1 X 6 + X 5 + X 4 + X 3 + X +1TLRR 1 X 7 + X 4 + X 3 + X +1TLR 2 2X 7 + X 6 + X 5 +3X 4 +3X 3 +3X +3TL 5 19X 7 +13X 6 +14X 5 +25X 4 +26X 3 +6X 2 +29X +28TRLLL 1 X 6 + X 5 + X 2 + X +1TRLLR 1 X 7 + X 5 + X 3 + X 2 + XTRLL 2 2X 7 + X 6 +3X 5 +2X 3 +3X 2 +3X +1TRLR 1 X 3 + X 2 + XTRL 3 2X 7 + X 6 +3X 5 +6X 3 +7X 2 +7X +1TRRL 1 X 5 + X 4 + X +1TRRR 1 X 6 + X 5 + X 4 + X 3 +1TRR 2 2X 6 +3X 5 +3X 4 +2X 3 + X +3TR 5 2X 7 +17X 6 +27X 5 +24X 4 +22X 3 +7X 2 +15X +25T 10 83X 7 + 557X 6 + 878X 5 + 793X 4 + 730X 3 + 230X 2 + 509X + 82812.7 Generalized Newton liftingIn this section we consider equations of the form φ ( Y,Σ(Y ) ) =0with φ(Y,Z) ∈ Z q [Y,Z]. Theseequations arise naturally in the point counting algorithms described in Section 17.3. However, solvingsuch an equation is also useful for more general applications, e.g., computing the Teichmüllerlift of an element in F q . Indeed, let a ( ∈ F q ,) then the Teichmüller lift ω(a) is the unique solution ofthe equation Y p − Σ(Y )=0with p 1 ω(a) = a.Let x ∈ Z q be a root of φ ( Y,Σ(Y ) ) =0and assume we know x N ≡ x (mod p N ). Defineδ N =(x − x N )/p N , then the Taylor expansion around x N giveswith0=φ ( x, Σ(x) ) = φ ( x N + p N δ N , Σ(x N + p N δ N ) ) (12.13)≡ φ ( x N , Σ(x N ) ) + p N( δ N ∆ y +Σ(δ N )∆ z)(mod p 2N ), (12.14)∆ y ≡ ∂φ∂Y(xN , Σ(x N ) ) (mod p N ) and ∆ z ≡ ∂φ (xN , Σ(x N ) ) (mod p N ).∂ZThis implies that δ N has to be a solution of∆ z Σ(X)+∆ y X + φ( x N , Σ(x N ) )p N ≡ 0 (mod p N ).Let k = v p (∆ z ),thenifv p (∆ y ) >kand v p(φ(xN , Σ(x N ) )) k + N and N>k, we recover theArtin–Schreier equation (12.12) with α =∆ z /p k , β =∆ y /p k and γ = φ ( x N , Σ(x N ) ) /p N+k up

§ 12.8 Applications 257to precision N − k. Note that any solution δ ′ ∈ Z q to the above equation satisfiesδ ′ ≡ δ N (mod p N−k ).Let x 2N−k = x N + p N δ ′ ,thenx 2N−k ≡ x (mod p 2N−k ) and (12.13) implies thatφ ( x 2N−k , Σ(x 2N−k ) ) ≡ 0 (mod p 2N ).Furthermore, since we assumed that N>k,wehave( ∂φ (v p x2N−k , Σ(x 2N−k ) )) ( ∂φ (= k and v p x2N−k , Σ(x 2N−k ) )) k, (12.15)∂Z∂Yso we can repeat the same procedure to find a solution up to arbitrary precision.Algorithm 12.23 Generalized Newton liftINPUT: A polynomial φ(Y,Z) ∈ Z q, an element x 0 ∈ Z q satisfying the relation φ`x 0, Σ(x 0)´ ≡0 (mod p 2k+1 ) with k = v p` ∂φ∂Z`x0, Σ(x 0)´´ and precision N.OUTPUT: An element x N of Z q such that φ`x N, Σ(x N )´ ≡ 0 (mod p N+k ) and x N ≡ x 0(mod p k+1 ).1. if N k +1 then2. x ← x 03. else4. N ′ ← ˚ N+k2ˇ5. x ′ ← Generalized Newton lift (φ, x 0,N ′ )6. y ′ ← Σ(x ′ )modp N+k7. V ← φ(x ′ ,y ′ )modp N+k8. ∆ y ← ∂φ ,y ′´ mod p N′∂Y9. ∆ z ← ∂φ ,y ′´ mod p N′∂Z10. δ ← Artin–Schreier root (∆ z/p k , ∆ y/p k ,V/p N′ +k ,N ′ − k)11. x ← `x ′ + p N′ δ´ mod p N12. return xSince the precision of the computations almost doubles in every step, the complexity of Algorithm12.23 is the same as the complexity of the Artin–Schreier root subroutine in Line 10.12.8 Applications12.8.1 Teichmüller liftRecall that the Teichmüller lift ω(a) of an element a ∈ F q is defined as follows: ω(0) = 0 and fornonzero a ∈ F q , ω(a) is the unique (q − 1)-th root of unity with p 1 (ω(a)) = a.A trivial, but slow algorithm to compute ω(a) modp N uses a simple Newton lifting on the polynomialf(X) =X q−1 − 1. Since evaluating f requires O(d) multiplications for p fixed, the overallcomplexity of this approach is O(dT d,N ).

258 Ch. 12 Arithmetic of p-adic NumbersFor N d there exists a faster algorithm based on repeated p-th powering: assume that a satisfiesp 1 (a) =a and a q−1 − 1 ≡ 0(modp k ), then we can write a q−1 =1+p k ∆ with ∆ ∈ Z q .Takingthe p-th power of both sides then gives (a p ) q−1 =1+p k+1 ∆ ′ , with ∆ ′ = ( (1 + p k ∆) p − 1 ) /p k+1 .Reducing modulo p k+1 shows that a p ≡ ω(a p )(modp k+1 ) and thus is a p , a better approximationof ω(a p ). This immediately leads to Algorithm 12.24, which has complexity O(NT d,N ), and thusis faster than the trivial algorithm for N d.Algorithm 12.24 Teichmüller liftINPUT: An element a ∈ F q and precision N.OUTPUT: The Teichmüller lift z ≡ ω(a) (mod p N ) of a to precision N.1. k ← N − 12. r ← a 1p k[arbitrary lift]3. z ← `a pk´ mod p N4. return zExample 12.25 Let F 2 8 be represented as F 2 [X]/ ( M(X) ) with M(X) =X 8 +X 4 +X 3 +X 2 +1and let a = X 6 +X 2 +X +1. In Line 2 of Algorithm 12.24, we compute the 2 9 -th root r of a whichis given by r = X 7 + X 3 + X 2 + X. Letr be an arbitrary lift of r to Z 2 10 ≃ Z 2 [X]/ ( M(X) ) ,thenω(a) ≡ r 29≡ 64X 7 + 871X 6 + 992X 5 + 784X 4 + 480X 3 + 615X 2 + 675X + 443 (mod 2 10 ).The fastest algorithm, however, is based on the following observation: since the Teichmüller liftω(a) is the unique (q − 1)-th root of unity with p 1(ω(a))= a, it also satisfies Σ(ω(a))= ω(a) p .Indeed, Σ ( ω(a) ) is a (q − 1)-th root of unity and since ω(·) is multiplicative and Σ ( ω(a) ) ≡ a p(mod p), the claim follows. The Teichmüller lift ω(a) can thus be computed as the solution ofΣ(X) − X p =0 and X ≡ a(mod p).Assuming that Z q is represented using the Teichmüller modulus, Algorithm 12.23 then computesω(a) (modp N ) using O(T d,N lg N) bit-operations.12.8.2 LogarithmDefinition 12.26 Let x ∈ Z q then the p-adic logarithmic function of x is defined by∞∑i−1 (x − 1)ilog(x) = (−1) · (12.16)ii=1The function log(x) converges for v p (x − 1) > 0.Assume that a ∈ Z q satisfies v p (a − 1) > 0, then using Horner’s rule, evaluating log(a) up toprecision N takes O(N) multiplications over Z q /p N Z q or O(NT d,N ) bit-operations.Satoh, Skjernaa, and Taguchi [SASK + 2003] solve this problem by noting that a pk for k ∈ N isvery close to unity, i.e., v p (a pk − 1) >k.Ifa ∈ Z q /p N Z q ,thena pk is well defined in Z q /p N+k Z qand can be computed with O(k) multiplications in Z q /p N+k Z q . Furthermore, note thatlog(a) ≡ p −k( log ( a pk) )(mod p N+k ) (mod p N )

§ 12.8 Applications 259and that log ( )a pk (mod p N+k ) can be computed with O(N/k) multiplications over Z q /p N+k Z q .So, if we take k ≃ √ N,thenlog(a) (modp N ) can be computed in O( √ NT √d,N+ N) time.In characteristic 2, Satoh, Skjernaa, and Taguchi suggested a further improvement. Without lossof generality, we can assume that v 2 (a − 1) > 1. Indeed, since v p (a − 1) 1, we conclude thatv p (a 2 − 1) > 1 and log(a 2 ) = 2 log(a). Therefore, assume that v 2 (a − 1) > 1,thenwehavea ≡ 1(mod 2 ν ) for ν 2.Let z = a−1 ∈ 2 ν Z q /2 N Z q and define γ =z2+z ∈ 2ν−1 Z q /2 N−1 Z q ,thena =1+z = 1+γ1 − γand thuslog(a) = log(1 + z) = log(1 + γ) − log(1 − γ) =2∞∑j=1γ 2j−12j − 1 ·Note that all the denominators in the above formula are odd. Reducing this equation modulo 2 Ntherefore leads tolog(a) ≡ log(1 + z) ≡ 2∑1(ν−1)(2j−1) 1/(p − 1).An easy calculation shows thatv p (i!) =B∑ ⌊i/pk ⌋ with B = ⌊ log p i ⌋ .k=1x ii! · (12.17)The valuation v p (i!) can thus be bounded by v p (i!) (i − 1)/(p − 1), which explains the radius ofconvergence. Let a ∈ Z q then we have the following identitieslog ( exp(a) ) = a, for v p (a) > 1/(p − 1),exp ( log(a) ) = a, for v p (a − 1) > 1/(p − 1).First assume that a ∈ Z p ,thensincev p (a) > 1/(p−1),wehavev p (a) 1 for p 3 and v p (a) 2for p =2. So if we precompute exp(p) (modp N ) for p 3 or exp(4) (mod 2 N ) for p =2,thenexp(a) ≡ exp(p) a/p (mod p N ), for p 3,exp(a) ≡ exp(4) a/4 (mod 2 N ), for p =2,and we can use a simple square and multiply algorithm to perform the final exponentiation.

260 Ch. 12 Arithmetic of p-adic NumbersFor a ∈ Z q we simply evaluate the power series of the exponential function (12.17) modulo p N .The bound v p (i!) (i − 1)/(p − 1) implies that we have to computeexp(a) ≡∑1i

§ 12.8 Applications 26112.8.5 NormDefinition 12.32 Let Σ denote the Frobenius substitution on Q q , then the norm of x ∈ Q q isN Qq/Q p(x) =d−1∏Since Σ generates Gal(Q q /Q p ), the norm N Qq/Q p(x) is an element of Q p .i=0Σ i (x). (12.20)In this section we give an overview of the existing algorithms to compute N Qq/Q p(a) for an elementa ∈ Q q .SinceN Qq/Q p(p k a)=p dk N Qq/Q p(a), we can assume that a is a unit in Z q .12.8.5.aNorm computation IKedlaya [KED 2001] suggested a basic square and multiply approach by computingα i+1 =Σ 2i (α i ) α i , for i =0,...,⌊lg d⌋ ,with α 0 = a and to combine these to recover N Qq/Q p(a) =Σ d−1 (a) ···Σ(a)a. Letd = ∑ l−1i=0 d i2 i ,with d i ∈{0, 1} and d l−1 =1, then we can writel−1∏N Qq/Q p(a) = Σ 2i+1 +···+2 l−1 (α dii ),i=0where the sum 2 i+1 + ···+2 l−1 is defined to be zero for i l − 1. This formula immediatelyleads to Algorithm 12.33. Note that this algorithm remains valid for matrices over Z q .Algorithm 12.33 Norm IINPUT: An element a ∈ Z q with q = p d and a precision N.OUTPUT: The norm N Qq/Qp (a) modp N .1. i ← d, j ← 0, r ← 1 and s ← a2. while i>0 do3. if i ≡ 1 (mod 2) then r ← Σ 2j (r) s mod p N4. if i>1 then s ← Σ 2j (s) s mod p N5. j ← j +1and i ←⌊i/2⌋6. return rThis algorithm is particularly attractive for p-adic fields with Gaussian normal basis of small type,due to efficient repeated Frobenius substitutions. In this case the time complexity is determined bythe O(lg d) multiplications in Z q /p N Z q or O ( T d,N lg d ) bit-operations and the space complexity isO(dN).If the field does not admit a Gaussian normal basis, then Algorithm 12.33 should be adapted asfollows: introduce a new variable c that keeps track of Σ 2j (X), i.e., c is initialized with X and inLine 4, c is evaluated at itself, since Σ 2j+1 (X) =Σ 2j (Σ 2j (X)). Computing Σ 2j (r) and Σ 2j (s)in Lines 3 and 4 then simply reduces to an evaluation at c. Using the Paterson–Stockmeyer algorithm[PAST 1973], the complexity of Algorithm 12.33 then becomes O ( (d 2 N µ + √ dT d,N )lgd ) .

262 Ch. 12 Arithmetic of p-adic NumbersExample 12.34 The ring Z 2 10 admits a Gaussian normal basis of type 1 and can be represented asZ 2 [X]/ ( M(X) ) with M(X) =(X 11 − 1)/(X − 1). Anelementa = ∑ 9i=0 a iX i is embedded inthe ring Z 2 [Y ]/(Y 11 − 1) as ã = ∑ 9i=0 a iY i . On input (a, 10) witha =93X 9 + 733X 8 + 164X 7 + 887X 6 + 106X 5 + 493X 4 + 348X 3 +40X 2 + 609X + 603.Algorithm 12.33 computes the following intermediate results at the end of the while loop:r 10 1s 10 93Y 9 + 733Y 8 + 164Y 7 + 887Y 6 + 106Y 5 + 493Y 4 + 348Y 3 +40Y 2 + 609Y + 603r 5 1s 5 112Y 10 + 440Y 9 + 412Y 8 + 752Y 7 + 258Y 6 + 436Y 5 + 756Y 4 + 1007Y 3 + 384Y 2 + 439Y + 524r 2 112Y 10 + 440Y 9 + 412Y 8 + 752Y 7 + 258Y 6 + 436Y 5 + 756Y 4 + 1007Y 3 + 384Y 2 + 439Y + 524s 2 522Y 10 +16Y 9 + 492Y 8 + 255Y 7 + 752Y 6 + 211Y 5 + 325Y 4 + 946Y 3 + 189Y 2 + 984Y + 684r 1 112Y 10 + 440Y 9 + 412Y 8 + 752Y 7 + 258Y 6 + 436Y 5 + 756Y 4 + 1007Y 3 + 384Y 2 + 439Y + 524s 1 15Y 10 + 173Y 9 + 743Y 8 + 648Y 7 +90Y 6 + 712Y 5 + 646Y 4 + 996Y 3 +87Y 2 + 349Y + 661r 0 759Y 10 + 759Y 9 + 759Y 8 + 759Y 7 + 759Y 6 + 759Y 5 + 759Y 4 + 759Y 3 + 759Y 2 + 759Y + 602s 0 15Y 10 + 173Y 9 + 743Y 8 + 648Y 7 +90Y 6 + 712Y 5 + 646Y 4 + 996Y 3 +87Y 2 + 349Y + 661Note that the element r returned by the algorithm needs to be reduced modulo M, which finallygives N Qq/Q p(a) ≡ 867 (mod 2 10 ).12.8.5.bNorm computation IISatoh, Skjernaa, and Taguchi [SASK + 2003] also proposed a fast norm computation algorithmbased on an analytic method. First assume that a is close to unity, i.e., v p (a − 1) > 1/(p − 1),thenN Qq/Q p(a) =exp ( Tr Qq/Q p(log(a))), (12.21)since Σ is continuous and both series converge. Combining the algorithms described in Sections12.8.2, 12.8.3 and 12.8.4, we conclude that if a is close to unity then N Qq/Q p(a) (modp N )can be computed in O( √ NT √d,N+ N) bit-operations and O(dN) space.Algorithm 12.35 computes the norm of an element in 1+2 ν Z q , with q =2 d , assuming thatexp(4) and Tr Qq/Q p(X i ) for i =0,...,d− 1 are precomputed.Algorithm 12.35 Norm IIINPUT: An element a ∈ 1+2 ν Z q with ν 2 and a precision N.OUTPUT: The norm N Qq/Qp (a) mod2 N .1. s ←⌊ √ N/2⌋2. z ← `a 2s − 1´ mod 2 N+s3. w ← `log(1 + z)´ mod 2 N+s4. w ← `2 −s w´ mod 2 N5. u ← `2 −ν Tr Qq/Q p(w)´ mod 2 N−ν6. return `exp(4) u´ mod 2 NExample 12.36 Let Z 2 8 be represented as Z 2 [X]/ ( M(X) ) with M(X) =X 8 +X 4 +X 3 +X 2 +1and let a = 572X 7 + 108X 6 + 660X 5 + 556X 4 + 456X 3 + 748X 2 +36X + 569. ForN =10,Algorithm 12.35 computes the following values: s =1,z = 936X 7 + 568X 6 + 760X 5 + 1880X 4 + 1840X 3 + 1176X 2 + 1656X + 1408,w = 1864X 7 + 248X 6 + 1880X 5 + 728X 4 + 1648X 3 + 1304X 2 +24X + 1632,

§ 12.8 Applications 263u = 163, exp(4) = 333 and finally N Qq/Q p(a) ≡ 725 (mod 2 10 ).Now consider the more general situation where a ∈ Z q is not close to unity. Let ω ( p 1 (a) ) ∈ Z qdenote the Teichmüller lift of p 1 (a), i.e., the unique (q − 1)-th root of unity, which reduces to p 1 (a).Consider the equalityN Qq/Q p(a) =N Qq/Q p(ω(p1 (a) )) N Qq/Q p(ω(p1 (a) ) −1a),then v p(ω(p1 (a)) −1 a − 1 ) 1. Furthermore, note that N Qq/Q p(ω(p1 (a) )) is equal to the Teichmüllerlift of N Fq/F p(p1 (a) ) .Forp 3, (12.21) holds sincev p(ω(p1 (a) ) −1a − 1) 1 > 1/(p − 1).For p =2we need an extra trick: simply square ω ( p 1 (a) ) −1a modulo 2 N+1 , compute the normof the square using Algorithm 12.35 modulo 2 N+1 and take the square root of the norm, which isdetermined modulo 2 N . This shows that N Qq/Q p(a) modp N for any a ∈ Z q can be computed inO( √ NT d,N+√N) bit-operations and O(dN) space.12.8.5.cNorm computation IIIIn an e-mail to the NMBRTHRY list [HAR 2002b], Harley suggested an asymptotically fast normcomputation algorithm based on a formula from number theory that expresses the norm as a resultant.The resultant itself can be computed using an adaptation of Moenck’s fast extended gcdalgorithm [MOE 1973].Let Z q ≃ Z p [X]/ ( M(X) ) with M ∈ Z p [X] a monic irreducible polynomial of degree n. Letθ ∈ Z q be a root of M,thenM splits completely over Z q asd−1∏( M(X) = X − Σ i (θ) ) .i=0For a = ∑ d−1i=0 a iX i ∈ Z q , define the polynomial A(X) = ∑ d−1i=0 a iX i ∈ Z p [X]. By definition ofthe norm and the resultant we haveN Qq/Q p(a) =d−1∏i=0Σ i (a) =d−1∏i=0A ( Σ i (θ) ) =Res ( M(X),A(X) ) .The resultant Res ( M(X),A(X) ) can be computed in softly linear time using a variant of Moenck’sfast extended gcd algorithm [MOE 1973]. The result is an algorithm to compute N Qq/Q p(a) modp N in time O ( (dN) µ lg d ) .Example 12.37 Let Z 2 8 be represented as Z 2 [X]/(M(X)) with M(X) =X 8 +X 4 +X 3 +X 2 +1and let a = 572X 7 + 108X 6 + 660X 5 + 556X 4 + 456X 3 + 748X 2 +36X + 569. Computingthe resultant of M(X) and A(X) as an integer givesRes ( M(X),A(X) ) = 110891016699366462823125 ≡ 725 (mod 2 10 ) ,which gives the same result as in Example 12.36. Of course, in practice we never compute theresultant as an integer, but always reduce modulo 2 10 .

ÁÁÁArithmetic of Curves

Chapter ½¿Arithmetic of Elliptic CurvesChristophe Doche and Tanja LangeContents in Brief13.1 Summary of background on elliptic curves 268First properties and group law • Scalar multiplication • Rational points •Torsion points • Isomorphisms • Isogenies • Endomorphisms • Cardinality13.2 Arithmetic of elliptic curves defined over F p 280Choice of the coordinates • Mixed coordinates • Montgomery scalarmultiplication • Parallel implementations • Compression of points13.3 Arithmetic of elliptic curves defined over F 2 d 289Choice of the coordinates • Faster doublings in affine coordinates • Mixedcoordinates • Montgomery scalar multiplication • Point halving andapplications • Parallel implementation • Compression of pointsElliptic curves constitute one of the main topics of this book. They have been proposed for applicationsin cryptography due to their fast group law and because so far no subexponential attack ontheir discrete logarithm problem (cf. Section 1.5) is known. We deal with security issues in laterchapters and concentrate on the group arithmetic here. In an actual implementation this needs to bebuilt on an efficient implementation of finite field arithmetic (cf. Chapter 11).In the sequel we first review the background on elliptic curves to the extent needed here. For amore general presentation of elliptic curves, see Chapter 4. Then we address the question of efficientimplementation in large odd and in even characteristics. We refer mainly to [HAME + 2003] forthese sections.Note that there are several softwares packages or libraries able to work on elliptic curves, forexample PARI/GP [PARI] anda p ecs [APECS]. The former is a linkable library that also comes withan interactive shell, whereas the latter is a Maple package. Both come with full sources. Thecomputer algebra systems Magma [MAGMA] andSIMATH [SIMATH] can deal with elliptic curves,too.Elliptic curves have received a lot of attention throughout the past almost 20 years and manypapers report experiments and timings for various field sizes and coordinates. We do not wantto repeat the results but refer to [AVA 2004a, COMI + 1998] and Section 14.7 for odd characteristicand [HALÓ + 2000, LÓDA 1998, LÓDA 1999] for even characteristic. Another excellentand comprehensive reference comparing point multiplication costs and implementation results is[HAME + 2003, Tables 3.12, 3.13 and 3.14 and Chap. 5].267

268 Ch. 13 Arithmetic of Elliptic Curves13.1 Summary of background on elliptic curves13.1.1 First properties and group lawWe start with a practical definition of the concept of an elliptic curve.Definition 13.1 An elliptic curve E over a field K denoted by E/K is given by the WeierstraßequationE : y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 (13.1)where the coefficients a 1 ,a 2 ,a 3 ,a 4 ,a 6 ∈ K are such that for each point (x 1 ,y 1 ) with coordinatesin K satisfying (13.1), the partial derivatives 2y 1 + a 1 x 1 + a 3 and 3x 2 1 +2a 2x 1 + a 4 − a 1 y 1 do notvanish simultaneously.The last condition says that an elliptic curve is nonsingular or smooth. A point on a curve is calledsingular if both partial derivatives vanish (cf. the Jacobi criterion 4.94). For shorter reference wegroup the coefficients in (13.1) to the equationE : y 2 + h(x)y = f(x), h(x),f(x) ∈ K[x], deg(h) 1, deg(f) =3 with f monic.The smoothness condition can also be expressed more intrinsically. Indeed, letb 2 = a 2 1 +4a 2, b 4 = a 1 a 3 +2a 4 ,b 6 = a 2 3 +4a 6 , b 8 = a 2 1a 6 − a 1 a 3 a 4 +4a 2 a 6 + a 2 a 2 3 − a 2 4.In odd characteristic, the transformation y ↦→ y − (a 1 x + a 3 )/2 leads to an isomorphic curve givenbyy 2 = x 3 + b 24 x2 + b 42 x + b 64 · (13.2)The cubic polynomial above has only simple roots over the algebraic closure K if and only if itsdiscriminant is nonzero. The equation of the discriminant is therefore useful to determine if (13.2)is an elliptic curve or not. In addition, it is relevant for characteristic 2 fields as well.Definition 13.2 Let E be a curve defined over K by (13.1) and let b 2 ,b 4 ,b 6 and b 8 as above. Thediscriminant of the curve E denoted by ∆ satisfies∆=−b 2 2b 8 − 8b 3 4 − 27b 2 6 +9b 2 b 4 b 6 .The curve E is nonsingular, and thus is an elliptic curve, if and only if ∆ is nonzero. In this case,we introduce the j-invariant of E,thatisj(E) =(b 2 2 − 24b 4 ) 3 /∆.Example 13.3 In F p with p = 2003, an elliptic curve is given byE 1 : y 2 +2xy +8y = x 3 +5x 2 + 1136x + 531. (13.3)Indeed, we have b 2 =24,b 4 = 285, b 6 = 185, ∆ = 1707 ≠0 and j = 171.

§ 13.1 Summary of background on elliptic curves 269We now show how to turn the set of points of E into a group with group operation denoted by ⊕.For this we visualize it over the reals as in Figure 13.1 and assume h(x) =0.Figure 13.1 Group law on elliptic curve y 2 = f(x) over R.P ⊕ QPP−[2]PQ[2]P−(P ⊕ Q)To add two points P =(x 1 ,y 1 ) and Q =(x 2 ,y 2 ) in general position one draws a line connectingthem. There is a third point of intersection. Mirroring this point at the x-axis gives the sum P ⊕ Q.The same construction can be applied to double a point where the connecting line is replaced by thetangent at P .Furthermore, we need to define the sum of two points with the same x-coordinate since for themthe group operation cannot be performed as stated. As y 2 = f(x) there are at most 2 such points(x 1 ,y 1 ) and (x 1 , −y 1 ). Furthermore, we have to find the neutral element of the group.The way out is to include a further point P ∞ called the point at infinity. It can be visualized aslying far out on the y-axis such that any line x = c, for some constant c, parallel to the y-axis passesthrough it. This point is the neutral element of the group. Hence, the line connecting (x 1 ,y 1 ) and(x 1 , −y 1 ) passes through P ∞ . As it serves as the neutral element, the inflection process leaves itunchanged such that (x 1 ,y 1 ) ⊕ (x 1 , −y 1 )=P ∞ , i.e., (x 1 , −y 1 )=−P .This explanation might sound a little like hand-waving and only applicable to R. Wenowderivethe addition formulas for an arbitrary field K, which hold universally. For a proof we refer toChapter 4.Take P ≠ Q with x 1 ≠ x 2 as above and let us compute the coordinates of R = P ⊕Q =(x 3 ,y 3 ).The intersecting line has slopeλ = y 1 − y 2x 1 − x 2and passes through P . Its equation is thus given byy = λx + x 1y 2 − x 2 y 1x 1 − x 2·

270 Ch. 13 Arithmetic of Elliptic CurvesWe denote the constant term by µ and remark µ = y 1 − λx 1 . The intersection points with the curveare obtained by equating the line and E(λx + µ) 2 +(a 1 x + a 3 )(λx + µ) =x 3 + a 2 x 2 + a 4 x + a 6 .This leads to the equation r(x) =0wherer(x) =x 3 +(a 2 − λ 2 − a 1 λ)x 2 +(a 4 − 2λµ − a 3 λ − a 1 µ)x + a 6 − µ 2 − a 3 µ.We already know two roots of r(x), namely the x-coordinates of the other two points. Sincer(x) =(x − x 1 )(x − x 2 )(x − x 3 )one has λ 2 + a 1 λ − a 2 = x 1 + x 2 + x 3 .Asx 1 ,x 2 are defined over K so is x 3 and ỹ 3 = λx 3 + µ.The inflection at the x-axis has to be translated to the condition that the second point has the samex-coordinate and also satisfies the curve equation. We observe that if P =(x 1 ,y 1 ) is on the curvethen so is (x 1 , −y 1 − a 1 x 1 − a 3 ), which corresponds to −P since the point at infinity is the neutralelement for this law. Accordingly, we find y 3 = −λx 3 − µ − a 1 x 3 − a 3 .Doubling P =(x 1 ,y 1 ) works just the same with the slope obtained by implicit derivating. Thuswe have P ⊕ Q =(x 3 ,y 3 ) and−P = (x 1 , −y 1 − a 1 x 1 − a 3 ),P ⊕ Q = (λ 2 + a 1 λ − a 2 − x 1 − x 2 ,λ(x 1 − x 3 ) − y 1 − a 1 x 3 − a 3 ), where⎧y 1 − y 2⎪⎨if P ≠ +x 1 − x − Q,2λ =⎪⎩3x 2 1 +2a 2x 1 + a 4 − a 1 y 12y 1 + a 1 x 1 + a 3if P = Q.It is immediate from the pictorial description that this law is commutative, has the point at infinity asneutral element, and that the inverse of (x 1 ,y 1 ) is given by (x 1 , −y 1 −a 1 x 1 −a 3 ). The associativitycan be shown to hold by simply applying the group law and comparing elements. We leave thelengthy computation to the reader. Note that Chapter 4 gives extensive background showing in anabstract way the group of points on E to form a group. For a more geometrical proof, relying onBezout’s theorem, see e.g., [CAS 1991].Example 13.4 One can easily check that the points P 1 = (1118, 269) and Q 1 = (892, 529) lie onthe curve E 1 /F p as defined by (13.3). Thenare also on E 1 .−P 1 = (1118, 1493),P 1 ⊕ Q 1 = (1681, 1706),[2]P 1 = (1465, 677)The point at infinity can be motivated by giving an alternative description of elliptic curves. Equation(13.1) expresses the curve in affine coordinates. The same elliptic curve E in projective coordinatesis then given by the equationE : Y 2 Z + a 1 XY Z + a 3 YZ 2 = X 3 + a 2 X 2 Z + a 4 XZ 2 + a 6 Z 3 .Let us denote by (X 1 : Y 1 : Z 1 ) an element of the projective 2-space P 2 /K, i.e.,aclassofK 3 {(0, 0, 0)} modulo the relation(X 1 : Y 1 : Z 1 ) ∼ (X 2 : Y 2 : Z 2 ) ⇐⇒ there is λ ∈ K ∗ | X 2 = λX 1 ,Y 2 = λY 1 and Z 2 = λZ 1 .

§ 13.1 Summary of background on elliptic curves 271By abuse of notation, we identify a class with any of its representatives and call (X 1 : Y 1 : Z 1 )a projective point. We remark that only a single point of E satisfies Z 1 =0, namely the point atinfinity, which is in this case P ∞ =(0:1:0).WhenZ 1 ≠0, there is a simple correspondencebetween the projective point (X 1 : Y 1 : Z 1 ) and the affine point (x 1 ,y 1 ) using the formula(x 1 ,y 1 )=(X 1 /Z 1 ,Y 1 /Z 1 ) (13.4)As the representation (X 1 : Y 1 : Z 1 ) is not normalized, one can perform arithmetic in projectivecoordinates without any inversion. Note also that generalized projective coordinates involvingsuitable powers of Z 1 in (13.4) are commonly used, cf. Sections 13.2.1 and 13.3.1.Example 13.5 The point P ′ 1 = (917 : 527 : 687) lies on the curve E 1 of equation (13.3) expressedin projective coordinates, i.e.,E 1 : Y 2 Z +2XY Z +8YZ 2 = X 3 +5X 2 Z + 1136XZ 2 + 531Z 3 .In fact, P ′ 1 is in the same class as (1118 : 269 : 1) and thus corresponds to the affine point P 1 =(1118, 269).13.1.2 Scalar multiplicationTake n ∈ N {0} and let us denote the scalar multiplication by n on E by [n], or[n] E to avoidconfusion. Namely,[n] :E → EP ↦→ [n]P = P ⊕ P ⊕···⊕P .} {{ }n timesThis definition extends trivially to all n ∈ Z, setting [0]P = P ∞ and [n]P =[−n](−P ) for n

272 Ch. 13 Arithmetic of Elliptic Curves10. i ← s − 111. return QRemark 13.7 Since subtractions can be obtained in a straightforward way, signed-digit representationsof n are well suited to compute [n]P , cf. Section 9.1.4.Example 13.8 With the settings of Example 13.4, let us compute [763]P 1 with Algorithm 13.6 anda window of size 3. We precompute [3]P 1 = (1081, 1674), [5]P 1 = (851, 77), [7]P 1 = (663, 1787)and since 763 = (101 111 101 1) 2 , the intermediate values of Q are5 7 5 1[5]P 1 = (851, 77), [10]P 1 =(4, 640), [20]P 1 = (836, 807),[40]P 1 = (1378, 1696), [47]P 1 = (1534, 747), [94]P 1 = (1998, 1094),[188]P 1 = (1602, 1812), [376]P 1 = (478, 1356), [381]P 1 = (1454, 981),[762]P 1 = (1970, 823), [763]P 1 = (1453, 1428).Using the NAF expansion of 763 = (10¯1300000¯10¯1 ) s instead, one obtains−5[3]P 1 = (1081, 1674), [6]P 1 = (255, 1499), [12]P 1 = (459, 1270),[24]P 1 =(41, 1867), [48]P 1 = (1461, 904), [96]P 1 = (1966, 1808),[192]P 1 = (892, 529), [384]P 1 = (1928, 1803), [768]P 1 = (799, 1182),[763]P 1 = (1453, 1428).The last step, namely [763]P 1 = [768]P 1 ⊕ [−5]P 1 , needs [−5]P 1 = (851, 216) which is obtaineddirectly from [5]P 1 .13.1.3 Rational pointsWhen we consider a point P on an elliptic curve E/K, it is implicit that P has its coordinates inK. TostressthatP has its coordinates in K, we introduce a new concept.Definition 13.9 Let E be an elliptic curve defined over K. The points lying on E with coordinatesin K form the set of K-rational points of E denoted by E(K). WehaveE(K) ={(x 1 ,y 1 ) ∈ K 2 | y 2 1 + a 1 x 1 y 1 + a 3 y 1 = x 3 1 + a 2 x 2 1 + a 4 x 1 + a 6 }∪{P ∞ }.The structure of the group of F q -rational points is easy to describe. Indeed, by Corollary 5.77, E(F q )is either cyclic or isomorphic to a product of two cyclic groups, namely E(F q ) ≃ Z/d 1 Z × Z/d 2 Zwhere d 1 | d 2 and d 1 | q − 1.For cryptographic applications one usually works in a subgroup of prime order l. Hence, oneis interested in curves and finite fields such that |E(F q )| = cl for some small cofactor c. See[GAMC 2000] for conjectural probabilities that the number of points is a prime or has a smallcofactor.Finding a random F q -rational point P on an elliptic curve E/F q is quite easy. See Sections 13.2and 13.3 for examples. If the curve has a cofactor c>1 then this random point needs not lie insidethe group of order l. However, the point Q =[c]P either equals P ∞ , in which case one has to trywith a different random point P , or is a point in the prime order subgroup.Example 13.10 Let us consider the curve E 1 as defined by (13.3). One can check that |E 1 (F p )| =1956 = 12 × 163. So,thereare1955 affine points with coordinates in F p and the point at infinityP ∞ lying on E 1 . The point P 1 = (1118, 269) is of order 1956 which implies that the group E 1 (F p )is cyclic generated by P 1 . The point Q 1 = (892, 529) is of prime order 163.

§ 13.1 Summary of background on elliptic curves 27313.1.4 Torsion pointsDefinition 13.11 Let E/K be an elliptic curve and n ∈ Z. The kernel of [n], denoted by E[n],satisfiesE[n] ={P ∈ E(K) | [n]P = P ∞ }.An element P ∈ E[n] is called a n-torsion point.Example 13.12 As E 1 (F p ) is cyclic of order 1956 = 2 2 × 3 × 163, therearen-torsion points inE 1 (F p ) for every n dividing 1956. For instance, R 1 = (1700, 299) on E 1 satisfies R 1 = −R 1 . ThusR 1 is a 2-torsion rational point. If n is not a divisor of 1956, the corresponding n-torsion pointshave coordinates in some extension of F p . For example, there is a 9-torsion point with coordinatesin the field F p 3 ≃ F p [θ] with θ such that θ 3 + θ 2 +2=0. Indeed, we can check thatS 1 = (1239θ 2 + 1872θ + 112, 1263θ 2 + 334θ + 1752) ∈ E 1 (F p 3),[3]S 1 = (520, 1568) ∈ E 1 (F p ),[8]S 1 = (1239θ 2 + 1872θ + 112, 265θ 2 + 1931θ + 19) = −S 1so that S 1 is a 9-torsion point.See also the related notion of division polynomial in Section 4.4.2.a.Theorem 13.13 Let E be an elliptic curve defined over K. If the characteristic of K is either zeroor prime to n thenE[n] ≃ Z/nZ × Z/nZ.Otherwise, when char(K) =p and n = p r , then eitherE[p r ]={P ∞ }, for all r 1 or E[p r ] ≃ Z/p r Z, for all r 1.Definition 13.14 Let char(K) =p and let E be defined over K. IfE[p r ]={P ∞ } for one and infact for all positive integers r, then the curve is called supersingular. Otherwise the curve is calledordinary.A curve defined over a prime field F p ,p > 3 is supersingular if and only if |E(F p )| = p +1,cf. Proposition 13.31. Note also that if char(F q )=2or 3, E is supersingular if and only if itsj-invariant is zero.Example 13.15 The curve E 1 /F p is ordinary. This implies that E 1 [p] is a subgroup of ( E 1 (F p ), ⊕ )isomorphic to (F p , +).13.1.5 IsomorphismsSome changes of variables do not fundamentally alter an elliptic curve. Let us first describe thetransformations that keep the curve in Weierstraß form.13.1.5.aAdmissible change of variables and twistsLet E/K be an elliptic curveE : y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 .The mapsx ↦→ u 2 x ′ + r and y ↦→ u 3 y ′ + u 2 sx ′ + t

274 Ch. 13 Arithmetic of Elliptic Curveswith (u, r, s, t) ∈ K ∗ × K 3 are invertible and transform the curve E intoE ′ : y ′2 + a ′ 1x ′ y ′ + a ′ 3y ′ = x ′3 + a ′ 2x ′2 + a ′ 4x ′ + a ′ 6,where the a ′ i ’s belong to K and can be expressed in terms of the a i’s and u, r, s, t. Via the inversemap, we associate to each point of E a point of E ′ showing that both curves are isomorphic overK. These changes of variables are the only ones leaving invariant the shape of the defining equationand, hence, they are the only admissible change of variables.In case (u, r, s, t) belongs to K ∗ × K 3 whereas the curves E and E ′ , as above, are still definedover K,thenE and E ′ are isomorphic over K or twists of each other.Corollary 13.16 Assume that the characteristic of K is prime to 6 and let E be given by a shortWeierstraß equationE : y 2 = x 3 + a 4 x + a 6 .• If a 4 =0then for every a ′ 6 ∈ K ∗ the curve E is isomorphic to E ′ : y 2 = x 3 + a ′ 6 overK ( (a 6 /a ′ 6 )1/6) .• If a 6 =0then for every a ′ 4 ∈ K ∗ the curve E is isomorphic to E ′ : y 2 = x 3 + a ′ 4x overK ( (a 4 /a ′ 4 )1/4) .• If a 4 a 6 ≠0then for every v ∈ K ∗ the curve E is isomorphic to Ẽv : y 2 = x 3 +a ′ 4 x+a′ 6with a ′ 4 = v 2 a 4 and a ′ 6 = v 3 a 6 over the field K( √ v).The curves Ẽv are called quadratic twists of E. Note that E is isomorphic to Ẽv over K if and onlyif v is a square in K ∗ . Therefore up to isomorphisms there is only one quadratic twist of a curvewith a 4 a 6 ≠0.Remark 13.17 Likewise one can define the quadratic twist of E by a quadratic nonresidue v asẼ v : vy 2 = x 3 + a 4 x + a 6 , which is isomorphic to the above definition, as can be seen by dividingby v 3 and transforming y ↦→ y/v, x ↦→ x/v.From this form one sees that E and Ẽv together contain exactly two points (x, y i ) for each fieldelement x ∈ F q .Proposition 13.18 Let E/K and E ′ /K be two elliptic curves. If E and E ′ are isomorphic over Kthen they have the same j-invariant. Conversely, if j(E) =j(E ′ ) then E and E ′ are isomorphicover K.Using an adequate isomorphism over K, it is always possible to find a short Weierstraß equationthat actually depends on the characteristic of the field and on the value of the j-invariant. All thecases and equations are summarized in Table 13.2.Table 13.2 Short Weierstraß equations.char K Equation ∆ j≠2, 3 y 2 = x 3 + a 4 x + a 6 −16(4a 3 4 +27a2 6 ) 1728a3 4 /4∆3 y 2 = x 3 + a 4 x + a 6 −a 3 4 03 y 2 = x 3 + a 2 x 2 + a 6 −a 3 2 a 6 −a 3 2 /a 62 y 2 + a 3 y = x 3 + a 4 x + a 6 a 4 3 02 y 2 + xy = x 3 + a 2 x 2 + a 6 a 6 1/a 6

§ 13.1 Summary of background on elliptic curves 275Example 13.19 The change of variables (x, y) ↦→ (x − 2,y− x − 2) transforms the curve E 1 givenby (13.3) intoE 2 : y 2 = x 3 + 1132x + 278.The point P 1 = (1118, 269) is mapped to P 2 = (1120, 1391) ∈ E 2 (F p ).Let v be a quadratic nonresidue modulo p = 2003 and let u ∈ F p 2 be a square root of v. Thenthe change of variables (x, y) ↦→ (x/u 2 ,y/u 3 ) is an F p 2-isomorphism betweenand its quadratic twist by v, namelyE 2 : y 2 = x 3 + 1132x + 278.Ẽ 2,v : y 2 = x 3 + 1132v 2 x + 278v 3 .We have ∆(Ẽ2,v) =v 6 ∆(E 2 ) and j(Ẽ2,v) =j(E 2 ) = 171.The curves E 2 and Ẽ2,v are defined over F p whereas the isomorphism has coefficients in F p 2.Remark 13.20 There are many other ways to represent an elliptic curve. For instance, we can citethe Legendre formy 2 = x(x − 1)(x − λ)or the Jacobi modely 2 = x 4 + ax 2 + b.Over a field of characteristic greater than 3, it is also possible to represent an elliptic curve as theintersection of two quadrics with a rational point [CAS 1991]. The resulting Jacobi form is used in[LISM 2001] to prevent SPA/DPA attacks, cf. Section 29.1.2.c. Quite recently, some attention hasbeen given to another representation, namely the Hessian form, which presents some advantagesfrom an algorithmic and cryptographic point of view [SMA 2001, FRI 2001, JOQU 2001].13.1.5.bHessian formLet F q be a finite field where q is a prime power such that q ≡ 2(mod3)and consider an ellipticcurve E over F q with a F q -rational point of order 3. These assumptions are not fundamentallynecessary but they make the construction of the Hessian form easier and let the equation be definedover F q . In particular, one can assume that E is given by the equationE : y 2 + a 1 xy + a 3 y = x 3 ,moving a point of order 3 to the origin, if necessary.Let δ =(a 3 1 − 27a 3 ) so that ∆=a 3 3δ. Nowifq ≡ 2(mod3)every element α ∈ F q is a cube.Thus every α has a unique cube root, denoted by α 1/3 , which is equal to plus or minus the squareroot of α (q+1)/3 . This implies thatµ = 1 3((−27a3 δ 2 − δ 3 ) 1/3 + δ ) ∈ F q .With these settings, to every point (x 1 ,y 1 ) on E corresponds (X 1 : Y 1 : Z 1 ) withX 1 = a 1(2µ − δ)x 1 + y 1 + a 3 , Y 1 = −a 1µ3µ − δ3µ − δ x 1 − y 1 , Z 1 = −a 1µ3µ − δ x 1 − a 3on the cubicH : X 3 + Y 3 + Z 3 = cXY Z where c =3 µ − δµ ·

276 Ch. 13 Arithmetic of Elliptic CurvesDefinition 13.21 The equation H is called the Hessian form of E.One of the main features of elliptic curves expressed in Hessian form is the simplicity of the grouplaw, which is independent of the parameter c.Namely, take P =(X 1 : Y 1 : Z 1 ) and Q =(X 2 : Y 2 : Z 2 ) on H such that P ≠ Q, then the pointwith coordinates (X 3 : Y 3 : Z 3 ) such thatX 3 = Y 21 X 2 Z 2 − Y 22 X 1 Z 1 , Y 3 = X 2 1Y 2 Z 2 − X 2 2 Y 1 Z 1 , Z 3 = Z 2 1X 2 Y 2 − Z 2 2X 1 Y 1is on H and corresponds to P ⊕ Q.One can check that the neutral element for that law is (1 : −1 :0)and that the opposite of P 1 is−P 1 =(Y 1 : X 1 : Z 1 ).The coordinates of [2]P areX 3 = Y 1 (Z 3 1 − X 3 1), Y 3 = X 1 (Y 31 − Z 3 1), Z 3 = Z 1 (X 3 1 − Y 31 ).An addition requires 12 field multiplication and 6 squarings, whereas a doubling needs 6 multiplicationsand 3 squarings and both operations can be implemented in a highly parallel way [SMA 2001].It is also interesting to note that [2]P is equal to (Z 1 : X 1 : Y 1 ) ⊕ (Y 1 : Z 1 : X 1 ). As a consequencethe same formulas can be used to double, add, and subtract points, which makes Hessian curvesinteresting against side-channel attacks [JOQU 2001] (cf. Section 29.1.2.b).To find the Hessian form of an elliptic curve E/F q in the general case [FRI 2001], we remarkthat the j-invariant of H is equal toj =c 3 (c 3 + 216) 3c 9 − 81c 6 + 2187c 3 − 19683·So the Hessian form of E is defined over F q if and only if there exists c ∈ F q such thatwhere j is the j-invariant of E.Example 13.22 Takec 3 (c 3 + 216) 3 − j(c 9 − 81c 6 + 2187c 3 − 19683) = 0E 2 : y 2 = x 3 + 1132x + 278defined over F p with p = 2003. Moving the point (522, 1914) ∈ E 2 (F p ) of order 3 to the origin bythe transformation(x, y) ↦→ (x + 522,y+ 555x + 1914)gives the curveE 3 : y 2 + 1110xy + 1825y = x 3 .So, from above, δ = 1427 and µ = 1322 so that E 3 , consequently E 2 and E 1 , are all isomorphic toH : X 3 + Y 3 + Z 3 = 274XYZ.The point (1118, 269) on E 1 is sent to (1120, 1391) on E 2 , from where it is in turn mapped to(598, 85) on E 3 , which is finally sent to (1451 : 672 : 935) on H.Note that all these transformations respect the group laws of the different curves. Indeed, a K-isomorphism between the curves E and E ′ always gives rise to a group homorphism between E(K)and E ′ (K). However, these notions are different. That is why we introduce a new concept in thefollowing.

§ 13.1 Summary of background on elliptic curves 27713.1.6 IsogeniesDefinition 13.23 Two curves E/K and E ′ /K are isogenous over K if there exists a morphismψ : E → E ′ with coefficients in K mapping the neutral element of E to the neutral element of E ′ .From this simple property, it is possible to show that ψ is a group homomorphism from E(K) toE ′ (K).One important property is that for every isogeny ψ, there exists a unique isogeny ˆψ : E ′ → E calledthe dual isogeny such thatˆψ ◦ ψ =[m] E and ψ ◦ ˆψ =[m] E ′.The degree of the isogeny ψ is equal to this m. For more background on isogenies, we refer toSection 4.3.4Proposition 13.24 Two elliptic curves E and E ′ defined over F q are isogenous over F q if and only|E(F q )| = |E ′ (F q )|.Example 13.25 TakeandE 2 : y 2 = x 3 + 1132x + 278E 4 : y 2 = x 3 + 500x + 1005.These two curves have the same cardinality, |E 2 (F p )| = |E 4 (F p )| = 1956. ThenE 2 and E 4 mustbe isogenous over F 2003 . The isogeny of degree 2 is given by the formula [LER 1997]( x 2 )+ 301x + 527ψ :(x, y) ↦−→, yx2 + 602yx + 1942yx + 301 x 2 ·+ 602x + 466For instance, the points, P 2 = (1120, 1391) and Q 2 = (894, 1425) in E 2 (F p ) are respectivelymapped by ψ on P 4 = (565, 302) and Q 4 = (1818, 1002) which lie on E 4 .NowP 2 ⊕ Q 2 = (1683, 1388),P 4 ⊕ Q 4 = (1339, 821),ψ(P 2 ⊕ Q 2 ) = (1339, 821),= ψ(P 2 ) ⊕ ψ(Q 2 ).Note that E 2 and E 4 are isogenous but not isomorphic since j(E 2 ) = 171 whereas j(E 4 ) = 515.Furthermore, the group structure is different as E 2 (F p ) is cyclic while E 4 (F p ) is the direct productof a group of order 2 generated by (1829, 0) and a group of order 978 generated by (915, 1071).13.1.7 EndomorphismsThe multiplication by n is an endomorphism of the curve E for every n ∈ Z. The set of allendomorphisms of E defined over K will be denoted by End K (E) or more simply by End(E),and thus contains at least Z.Definition 13.26 If End(E) is strictly bigger than Z we say that E has complex multiplication.Let E be a nonsupersingular elliptic curve over F q .SuchanE always has complex multiplication.Indeed, the Frobenius automorphism of F q extends to the points of the curve by sending P ∞ to itselfand P =(x 1 ,y 1 ) to φ q (P )=(x q 1 ,yq 1 ). One can easily check that the point φ q(P ) is again a pointon the curve irrespective of the field of definition of P . Hence, φ q is an endomorphism of E, calledthe Frobenius endomorphism of E/F q . It is different from [n] for all n ∈ Z.

278 Ch. 13 Arithmetic of Elliptic CurvesExample 13.27 Take P 1 = (1120, 391) on E 1 /F p . Since P 1 has coordinates in F p , φ p (P 1 ) issimply equal to P 1 . At present, let us consider a point on E 1 with coordinates in an extension of F p .For instance, in Example 13.10, we give the point S 1 of order 9 in E 1 (F p 3). WehaveS 1 = (1239θ 2 + 1872θ + 112, 1263θ 2 + 334θ + 1752),φ p (S 1 ) = (217θ 2 + 399θ + 1297, 681θ 2 + 811θ + 102),φ 2 p (S 1) = (547θ 2 + 1735θ + 297, 59θ 2 + 858θ + 325),φ 3 p(S 1 ) = (1239θ 2 + 1872θ + 112, 1263θ 2 + 334θ + 1752) = S 1 .All of them are also 9-torsion points.13.1.8 CardinalityThe cardinality of an elliptic curve E over F q , i.e., the number of F q -rational points, is an importantaspect for the security of cryptosystems built on E(F q ), cf. Section 19.3.The theorem of Hasse–Weil relates the number of points to the field size.Theorem 13.28 (Hasse–Weil) Let E be an elliptic curve defined over F q .ThenRemarks 13.29|E(F q )| = q +1− t and |t| 2 √ q.(i) The integer t is called the trace of the Frobenius endomorphism.(ii) For any integer t ∈ [−2 √ p, 2 √ p] there is at least one elliptic curve E defined over F pwhose cardinality is p +1− t.Concerning admissible cardinalities, the more general result is proved in [WAT 1969].Theorem 13.30 Let q = p d . There exists an elliptic curve E defined over F q with |E(F q )| =q +1− t if and only if one of the following conditions holds:1. t ≢ 0(modp) and t 2 4q.2. d is odd and either (i) t =0or (ii) p =2and t 2 =2q or (iii) p =3and t 2 =3q.3. d is even and either (i) t 2 =4q or (ii) p ≢ 1(mod3)and t 2 = q or (iii) p ≢ 1(mod 4) and t =0.One associates to φ q the polynomialχ E (T )=T 2 − tT + q.It is called the characteristic polynomial of the Frobenius endomorphism,sinceSo, for each P ∈ E(F q ),wehaveχ E (φ q )=φ 2 q − [t]φ q +[q] =[0].φ 2 q (P ) ⊕ [−t]φ q(P ) ⊕ [q]P = P ∞ .As points in E(F q ) are fixed under φ q they form the kernel of (Id −φ q ) and |E(F q )| = χ E (1).

§ 13.1 Summary of background on elliptic curves 279From the complex roots τ and τ of χ E (φ q ) one can compute the group order of E(F q k), thatis|E(F q k)| = q k +1− τ k − τ k , for all k 1. (13.5)More explicitly, one has|E(F q k)| = q k +1− t kwhere the sequence (t k ) k∈N satisfies t 0 =2, t 1 = t and t k+1 = tt k − qt k−1 , for k 1.We also have the following properties.Proposition 13.31 Let E be a curve defined over a field F q of characteristic p. The curve E issupersingular if and only if the trace t of the Frobenius satisfiest ≡ 0(mod p).Proposition 13.32 Let E be a curve defined over F q and let Ẽ be the quadratic twist of E. Then|E(F q )| + |Ẽ(F q)| =2q +2.This can be easily seen to hold from Remark 13.17. One immediately gets χ eE (T )=T 2 + tT + q.When one tries to find a curve with a suitable cryptographic order, that is, an order with a large primefactor, Proposition 13.32 is especially useful since it gives two candidates for each computation, cf.Chapter 17.Example 13.33 The cardinality of E 2 (F p ) is 1956. Therefore, φ p satisfiesχ E2 (T )=T 2 − 48T + 2003.Let R 2 = (443θ 2 + 1727θ + 1809, 929θ 2 + 280θ + 946). Thenand one can check thatφ p (R 2 ) = (857θ 2 + 1015θ + 766, 126θ 2 + 1902θ + 419),φ 2 p(R 2 ) = (703θ 2 + 1264θ + 1568, 948θ 2 + 1824θ + 119)φ 2 p (R 2) − [48]φ 2003 (R 2 ) + [2003]R 2 = P ∞ .Also, we deduce that |E 2 (F p 2)| = 4013712 and |E 2 (F p 3)| = 8036231868.Finally the cardinality of the curveẼ 2 : y 2 = x 3 + 774x + 1867which is the twist of E 2 by the quadratic nonresidue 78, satisfies |Ẽ2| = 2052, and the characteristicequation of the Frobenius of Ẽ2/F p isχ eE2 (T )=T 2 +48T + 2003.

280 Ch. 13 Arithmetic of Elliptic CurvesF p13.2 Arithmetic of elliptic curves defined over F pIn this section we consider curves defined over finite prime fields. As they should be used in cryptographicapplications, we can assume p to be large, hence, at least p>3. We remark that allconsiderations in this section hold true for an elliptic curve defined over an arbitrary finite field F qif char(F q ) > 3 and for supersingular curves over field of characteristic 3.We already know that an elliptic curve E can be represented with respect to several coordinatesystems, e.g., affine or projective coordinates. In the following we deal with efficient addition anddoubling in the group of points E. To this aim we introduce five different coordinate systems inwhich the speeds of addition and doubling differ. We measure the time by the number of fieldoperations needed to perform the respective operation.In characteristic p>3, one can always take for E, cf. Table 13.2, an equation of the formE : y 2 = x 3 + a 4 x + a 6 ,where a 4 and a 6 are in F p . The points lying on the curve can have coordinates in F p or in someextension F q /F p , for instance in an optimal extension field, cf. Section 11.3. This has two advantages.First, it is straightforward to obtain the cardinality of E(F q ) using (13.5) and one can use theFrobenius φ p to speed up computations, cf. Section 15.1.In the remainder of this section we deal with addition and doubling in different coordinate systems,give strategies for choosing optimal coordinates for scalar multiplication and introduce Montgomerycoordinates and their arithmetic. Finally, we show how to compress the representation of apoint.An elementary multiplication in F q (resp. a squaring and an inversion) will be abbreviated by M(resp. S and I).13.2.1 Choice of the coordinatesThis section is based on [COMI + 1998].In Section 13.1.1 we explained the group law in general. Here we shall give formulas for thecoordinates of the result of the• addition of two points P and Q ∈ E(F p ) provided P ≠ + − Q,• doubling of P .13.2.1.aAffine coordinates (A)We can assume that E is given byy 2 = x 3 + a 4 x + a 6 .By the arguments above, we know that the opposite of the point (x 1 ,y 1 ) lying on E is (x 1 , −y 1 ).Also we have:AdditionLet P =(x 1 ,y 1 ), Q =(x 2 ,y 2 ) such that P ≠ + − Q and P ⊕ Q =(x 3 ,y 3 ). In this case, addition isgiven byx 3 = λ 2 − x 1 − x 2 , y 3 = λ(x 1 − x 3 ) − y 1 , λ = y 1 − y 2x 1 − x 2·

§ 13.2 Arithmetic of elliptic curves defined over F p 281DoublingLet [2]P =(x 3 ,y 3 ).Thenx 3 = λ 2 − 2x 1 , y 3 = λ(x 1 − x 3 ) − y 1 , λ = 3x2 1 + a 42y 1·For these formulas one can easily read off that an addition and a doubling require I+2M+SandI+2M+2S, respectively.Doubling followed by an additionBuilding on the ideas in [EILA + 2003], the authors of [CIJO + 2003] show how to speed up thecomputation of a doubling followed by an addition using [2]P ⊕ Q as (P ⊕ Q) ⊕ P . The basic idea,i.e., omitting the computation of the intermediate values y 3 and x 3 , saves one multiplication and thenew formulas are more efficient whenever a field inversion is more expensive than 6 multiplications.The formulas are as follows where we assume that P ≠ + − Q and [2]P ≠ −QA =(x 2 − x 1 ) 2 , B =(y 2 − y 1 ) 2 C = A(2x 1 + x 2 ) − B,D = C(x 2 − x 1 ), E = D −1 , λ = CE(y 2 − y 1 ),λ 2 =2y 1 A(x 2 − x 1 )E − λ, x 4 =(λ 2 − λ)(λ + λ 2 )+x 2 , y 4 =(x 1 − x 4 )λ 2 − y 1 ,needing I+9M+2S.13.2.1.bProjective coordinates (P)In projective coordinates, the equation of E isY 2 Z = X 3 + a 4 XZ 2 + a 6 Z 3 .The point (X 1 : Y 1 : Z 1 ) on E corresponds to the affine point (X 1 /Z 1 ,Y 1 /Z 1 ) when Z 1 ≠0and tothe point at infinity P ∞ =(0:1:0)otherwise. The opposite of (X 1 : Y 1 : Z 1 ) is (X 1 : −Y 1 : Z 1 ).AdditionLet P =(X 1 : Y 1 : Z 1 ), Q =(X 2 : Y 2 : Z 2 ) such that P ≠ + − Q and P ⊕ Q =(X 3 : Y 3 : Z 3 ).Then setso thatDoublingA = Y 2 Z 1 − Y 1 Z 2 , B = X 2 Z 1 − X 1 Z 2 , C = A 2 Z 1 Z 2 − B 3 − 2B 2 X 1 Z 2X 3 = BC, Y 3 = A(B 2 X 1 Z 2 − C) − B 3 Y 1 Z 2 , Z 3 = B 3 Z 1 Z 2 .Let [2]P =(X 3 : Y 3 : Z 3 ) then putandA = a 4 Z 2 1 +3X2 1 , B = Y 1Z 1 , C = X 1 Y 1 B, D = A 2 − 8CX 3 =2BD, Y 3 = A(4C − D) − 8Y 21 B 2 , Z 3 =8B 3 .No inversion is needed, and the computation times are 12M+2S for a general addition and 7M+5Sfor a doubling. If one of the input points to the addition is given by (X 2 : Y 2 :1), i.e., directlytransformed from affine coordinates, then the requirements for an addition decrease to 9M + 2S.

282 Ch. 13 Arithmetic of Elliptic Curves13.2.1.cJacobian and Chudnovsky Jacobian coordinates (J and J c )With Jacobian coordinates the curve E is given byY 2 = X 3 + a 4 XZ 4 + a 6 Z 6 .The point (X 1 : Y 1 : Z 1 ) on E corresponds to the affine point (X 1 /Z 2 1 ,Y 1/Z 3 1 ) when Z 1 ≠0and tothe point at infinity P ∞ =(1:1:0)otherwise. The opposite of (X 1 : Y 1 : Z 1 ) is (X 1 : −Y 1 : Z 1 ).AdditionLet P =(X 1 : Y 1 : Z 1 ), Q =(X 2 : Y 2 : Z 2 ) such that P ≠ + − Q and P ⊕ Q =(X 3 : Y 3 : Z 3 ).Then setandA = X 1 Z 2 2, B = X 2 Z 2 1, C = Y 1 Z 3 2, D = Y 2 Z 3 1, E = B − A, F = D − CDoublingX 3 = −E 3 − 2AE 2 + F 2 , Y 3 = −CE 3 + F (AE 2 − X 3 ), Z 3 = Z 1 Z 2 E.Let [2]P =(X 3 : Y 3 : Z 3 ).ThensetandA =4X 1 Y 21 , B =3X2 1 + a 4Z 4 1X 3 = −2A + B 2 , Y 3 = −8Y 41 + B(A − X 3), Z 3 =2Y 1 Z 1 .The complexities are 12M + 4S for an addition and 4M + 6S for a doubling. If one of the points isgiven in the form (X 1 : Y 1 :1)the costs for addition reduce to 8M + 3S.The doubling involves one multiplication by the constant a 4 . If it is small this multiplicationcan be performed by some additions and hence be neglected in the operation count. Especially ifa 4 = −3 one can compute T =3X 2 1 − 3Z 4 1 =3(X 1 − Z 2 1)(X 1 + Z 2 1) leading to only 4M + 4Sfor a doubling. Brier and Joye [BRJO 2003] study the use of isogenies to map a given curve to anisogenous one having this preferable parameter. Their conclusion is that for most randomly chosencurves there exists an isogeny of small degree mapping it to a curve with a 4 = −3, which justifiesthat the curves in the standards have this parameter.The parameter a 4 =0is even more advantageous as the costs drop down to 3M + 4S. However,this choice is far more special and the endomorphism ring End(E) contains a third root of unity.In Jacobian coordinates, doublings are faster and additions slower than for the projective coordinates.To improve additions, a point P can be represented as a quintuple (X 1 ,Y 1 ,Z 1 ,Z 2 1,Z 3 1).These coordinates are called Chudnovsky Jacobian coordinates. Additions and doublings are givenby the same formulas as for J but the complexities are 11M + 3S and 5M + 6S.13.2.1.dModified Jacobian coordinates (J J m )Modified Jacobian coordinates were introduced by Cohen et al. [COMI + 1998]. They are based onJ but the internal representation of a point P is the quadruple (X 1 ,Y 1 ,Z 1 ,a 4 Z1 4 ). The formulasare essentially the same as for J . The main difference is the introduction of C =8Y 4 1 so thatY 3 = B(A − X 3 ) − C and a 4 Z3 4 =2C(a 4 Z1) 4 with the notation of Section 13.2.1.c. An additiontakes 13M + 6S and a doubling 4M + 4S. If one point is in affine coordinates, an addition takes9M + 5S. AsI takes on average between 9 and 40M and S is about 0.8M, this system offers thefastest doubling procedure.J c

§ 13.2 Arithmetic of elliptic curves defined over F p 28313.2.1.eExampleTakeE 2 : y 2 = x 3 + 1132x + 278and let P 2 = (1120, 1391) and Q 2 = (894, 1425) be two affine points on E 2 . We recall belowthe equation and the internal representation of P 2 and Q 2 for each coordinate system. Note that forprojective like systems we put Z to some random value and multiply X and Y by the respectivepowers.System Equation P 2 Q 2A y 2 = x 3 + 1132x + 278 (1120, 1391) (894, 1425)P Y 2 Z = X 3 + 1132XZ 2 + 278Z 3 (450 : 541 : 1449) (1774 : 986 : 1530)J Y 2 = X 3 + 1132XZ 4 + 278Z 6 (1213 : 408 : 601) (1623 : 504 : 1559)J c — (1213, 408, 601, 661, 667) (1623, 504, 1559, 842, 713)J m — (1213, 408, 601, 1794) (1623, 504, 1559, 1232)With these particular values of P 2 and Q 2 , let us compute P 2 ⊕ Q 2 , [2]P 2 and [763]P 2 within thedifferent systems using the double and add method.System P 2 ⊕ Q 2 [2]P 2 [763]P 2A (1683, 1388) (1467, 143) (1455, 882)P (185 : 825 : 1220) (352 : 504 : 956) (931 : 1316 : 1464)J (763 : 440 : 1934) (1800 : 1083 : 1684) (752 : 1146 : 543)J c (763, 440, 1934, 755, 1986) (1800, 1083, 1684, 1611, 862) (752, 1146, 543, 408, 1214)J m (763, 440, 1934, 1850) (1800, 1083, 1684, 1119) (752, 1146, 543, 1017)For each computation, one can check that we obtain a result equivalent to the affine one.13.2.2 Mixed coordinatesTo compute scalar multiples of a point one can use all the methods introduced in Chapter 9, especiallythe signed-digit representations, which are useful, as the negative of P is obtained by simplynegating the y-coordinate.The main idea here is to mix the different systems of coordinates defined above. This idea wasalready mentioned in adding an affine point to one in another system. In general, one can add pointsexpressed in two different systems and give the result in a third one. For example J + J c = J mmeans that we add points in Jacobian and Chudnovsky Jacobian coordinates and express the resultin the modified Jacobian system. So, we are going to choose the most efficient combination foreach action we have to perform. See Table 13.3 on page 284 for a precise count of the requiredoperations.PrecomputationsThe following analysis is given in [COMI + 1998, Section 4]. Suppose that we want to compute[n]P . We shall use the NAF w representation of n; see Section 9.1.4. So, we need to precompute[i]P for each odd i such that 1

284 Ch. 13 Arithmetic of Elliptic CurvesTable 13.3 Operations required for addition and doubling.DoublingAdditionOperation Costs Operation Costs2P 7M + 5S J m + J m 13M + 6S2J c 5M + 6S J m + J c = J m 12M + 5S2J 4M + 6S J + J c = J m 12M + 5S2J m = J c 4M + 5S J + J 12M + 4S2J m 4M + 4S P + P 12M + 2S2A = J c 3M + 5S J c + J c = J m 11M + 4S2J m = J 3M + 4S J c + J c 11M + 3S2A = J m 3M + 4S J c + J = J 11M + 3S2A = J 2M + 4S J c + J c = J 10M + 2S— — J + A = J m 9M + 5S— — J m + A = J m 9M + 5S— — J c + A = J m 8M + 4S— — J c + A = J c 8M + 3S— — J + A = J 8M + 3S— — J m + A = J 8M + 3S— — A + A = J m 5M + 4S— — A + A = J c 5M + 3S2A I+2M+2S A + A I+2M+Sfor the precomputations. Note also that it is possible to avoid some doublings as explained inRemark 9.11 (iii).Scalar multiplicationA scalar multiplication [n]P consists of a sequence of doublings and additions. If a signed windowingmethod is used with precomputations, there are often runs of doublings interfered with onlya few additions. Thus it is worthwhile to distinguish between intermediate doublings, i.e., thosefollowed by a further doubling, and final doublings, which are followed by an addition and choosedifferent coordinate systems for them. Cohen et al. propose to perform the intermediate doublingswithin J m and to express the result of the last doubling in J since the next step is an addition.More explicitly, for each nonzero coefficient in the expansion of n the intermediate variable Q isreplaced in each step by some[2 s ]Q + − [u]P,where [u]P is in the set of precomputed multiples. So, we actually perform (s − 1) doublings ofthe type 2J m = J m , a doubling of the form 2J m = J , and then an addition J + A = J m orJ + J c = J m depending on the coordinates of the precomputed values.Let the windowing work asn =2 n0 (2 n1 (···2 nv−1 (2 nv W [v]+W [v − 1]) ···)+W [0]),where W [i] is an odd integer in the range −2 w−1 +1 W [i] 2 w−1 −1 for all i, W [v] > 0,n 0 0and n i w +1for i 1.

§ 13.2 Arithmetic of elliptic curves defined over F p 285In the main loop we perform u = ∑ vi=0 n i doublings and v additions. Put l 1 = l − (w − 1)/2 andK =1/2 − 1/(w +1).Onaveragel 1 + K doublings and (l 1 − K)/(w +1)additions are used.Then we need approximately(l 1 + K + l 1 − Kw +1) (I+ 2(l 1 + K)+ 2 ) (w +1 (l 1 − K) M+ 2(l 1 + K)+ 2 )w +1 (l 1 − K) Sto compute [n]P excluding the costs for the precomputations if only affine coordinates are used,(4(l 1 + K)+ 8 ) (w +1 (l 1 − K) M+ 4(l 1 + K)+ 5 )w +1 (l 1 − K) Sif the precomputed points are in A and the computations are done without inversions using J andJ m for the intermediate points, and(4(l 1 + K)+ 11 ) (w +1 (l 1 − K) M+ 4(l 1 + K)+ 5 )w +1 (l 1 − K) Sif the precomputed points are in J c . Now depending on the ratio I/M, A or J c should be chosen.For instance, for a 192-bits key length we choose A if I < 33.9M and J c otherwise, cf.[COMI + 1998].13.2.3 Montgomery scalar multiplicationThis technique was first described by Montgomery [MON 1987] for a special type of curve in largecharacteristic and has been generalized to other curves and to even characteristic; see Section 13.3.4.13.2.3.aMontgomery formLet E M be an elliptic curve expressed in Montgomery form,thatisE M : By 2 = x 3 + Ax 2 + x. (13.6)The arithmetic on E M reliesonanefficientx-coordinate only computation and can be easily implementedto resist side-channel attacks, cf. Chapter 29. Indeed, let P =(x 1 ,y 1 ) be a point on E M .In projective coordinates, we write P =(X 1 : Y 1 : Z 1 ) and let [n]P =(X n : Y n : Z n ).Thesum[n + m]P =[n]P ⊕ [m]P is given by the following formulas where Y n never appears.Addition: n ≠ mX m+n = Z m−n((Xm − Z m )(X n + Z n )+(X m + Z m )(X n − Z n ) ) 2,Z m+n = X m−n((Xm − Z m )(X n + Z n ) − (X m + Z m )(X n − Z n ) ) 2.Doubling: n = m4X n Z n = (X n + Z n ) 2 − (X n − Z n ) 2 ,X 2n = (X n + Z n ) 2 (X n − Z n ) 2 ,(Z 2n = 4X n Z n (Xn − Z n ) 2 + ( (A +2)/4 ) (4X n Z n ) ) .Thus an addition takes 4M and 2S whereas a doubling needs only 3M and 2S.

286 Ch. 13 Arithmetic of Elliptic CurvesFor some systems, the x-coordinate x n of [n]P is sufficient but others, like some signature schemes,need the y-coordinate as well, cf. Chapter 1. To recover y n = Y n /Z n , we use the following formula[OKSA 2001]y n = (x 1x n +1)(x 1 + x n +2A) − 2A − (x 1 − x n ) 2 x n+12By 1, (13.7)where P =(x 1 ,y 1 ) and x n and x n+1 are the affine x-coordinates of [n]P and [n +1]P .13.2.3.bGeneral caseBrier et Joye [BRJO 2002] generalized Montgomery’s idea to any curve in short Weierstraß equationE : y 2 = x 3 + a 4 x + a 6 .Their formulas require more elementary operations.Addition: n ≠ mX m+n = Z m−n(−4a6 Z m Z n (X m Z n + X n Z m )+(X m X n − a 4 Z m Z n ) 2) ,Doubling: n = mZ m+n = X m−n (X m Z n − X n Z m ) 2 .X 2n = (X 2 n − a 4 Z 2 n) 2 − 8a 6 X n Z 3 n,Z 2n = 4Z n(Xn (X 2 n + a 4Z 2 n )+a 6Z 3 n).When P is an affine point, an addition requires 9M and 2S whereas a doubling needs 6M and 3S.To recover y n in this case, we apply the formulay n = 2a 6 +(x 1 x n + a 4 )(x 1 + x n ) − (x 1 − x n ) 2 x n+12y 1.13.2.3.cTransformation to Montgomery formIt is always possible to convert a curve in Montgomery form (13.6) into short Weierstraß equation,putting a 4 =1/B 2 − A 2 /3B 2 and a 6 = −A 3 /27B 3 − a 4 A/3B. But the converse is false. Notall elliptic curves can be written in Montgomery form. However, this holds true as soon as p ≡ 1(mod 4) and x 3 + a 4 x + a 6 has three roots in F p . More generally, a curve in short Weierstraß formcan be converted to Montgomery form if and only if• the polynomial x 3 + a 4 x + a 6 has at least one root α in F p ,• the number 3α 2 + a 4 is a quadratic residue in F p .Put A = 3αs, B = s where s is a square root of (3α 2 + a 4 ) −1 and the change of variables(x, y) ↦→ (x/s + α, y/s) is an isomorphism that transforms E into E M . For such curves (0, 0) is apoint of order 2 and |E(F p )| is divisible by 4.Note that recent standards [SEC, NIST] recommend that the cardinality of E should be a primenumber times a cofactor less than or equal to 4. One can state divisibility conditions in terms ofthe Legendre symbol ( ·p)· For a curve in Montgomery form |E(Fp )| is not divisible by 8 in thefollowing cases:

§ 13.2 Arithmetic of elliptic curves defined over F p 287“A+2pp ≡ 1 (mod 4) p ≡ 3 (mod 4)” “ ” “ ” “ ” “ ”A−2pBpA+2pA−2p−1 +1 −1 −1 +1+1 −1 −1+1 +1 −1−1 −1 +1Let v be a quadratic nonresidue and let Ẽ v be the quadratic twist of E by v, cf. Example 13.19. Theneither both E and Ẽv are transformable to Montgomery form or none is. Together with Schoof’spoint counting algorithm (see Section 17.2) this gives an efficient method for generating a curvetransformable to Montgomery form whose cofactor is equal to 4.Example 13.34 Let us show that E 2 /F pE 2 : y 2 = x 3 + 1132x + 278can be expressed in Montgomery form.First, α = 1702 satisfiesα 3 + 1132α + 278 = 0and 3α 2 + a 4 = 527 is a quadratic residue modulo p = 2003. Sinces = 899 is an inverse squareroot of 527, wehaveA = 1421, B = 899 and the isomorphism (x, y) ↦→ ( 899(x − 1702), 899y )maps the points of E 2 on the points ofE 2,M : 899y 2 = x 3 + 1421x 2 + x.For instance, P 2 = (1120, 1391) on E 2 is sent on P 2,M = (1568, 637) on E 2,M .13.2.3.dMontgomery ladderWhatever the form of the curve, we use a modified version of Algorithm 9.5 adapted to scalarmultiplication to compute [n]P .Algorithm 13.35 Scalar multiplication using Montgomery’s ladderINPUT: A point P on E and a positive integer n =(n l−1 ...n 0) 2.OUTPUT: The point [n]P .1. P 1 ← P and P 2 ← [2]P2. for i = l − 2 down to 0 do3. if n i =0 then4. P 1 ← [2]P 1 and P 2 ← P 1 ⊕ P 25. else6. P 1 ← P 1 ⊕ P 2 and P 2 ← [2]P 27. return P 1

288 Ch. 13 Arithmetic of Elliptic CurvesRemarks 13.36(i) At each step, one performs one addition and one doubling, which makes this method interestingagainst side-channel attacks, cf. Chapter 29.(ii) We can check that P 2 ⊖P 1 is equal to P at each step so that Z m−n = Z 1 in the formulas above.If P is expressed in affine coordinates this saves an extra multiplication in the addition. So thetotal complexity to compute [n]P is (6M + 4S)(|n| 2 − 1) for elliptic curves in Montgomeryform and (14M + 5S)(|n| 2 − 1) in short Weierstraß form.Example 13.37 Let us compute [763]P 2,M with Algorithm 13.35. We have 763 = (1011111011) 2and the different steps of the computation are given in the following table where P stands for P 2,Mand the question mark indicates that the y-coordinate is unknown.i n i (P 1,P 2) P 1 P 29 1 (P, [2]P ) (1568 : 637 : 1) (35 : ? : 1887)8 0 ([2]P, [3]P ) (35 : ? : 1887) (1887 : ? : 1248)7 1 ([5]P, [6]P ) (531 : ? : 162) (120 : ? : 1069)6 1 ([11]P, [12]P ) (402 : ? : 1041) (909 : ? : 1578)5 1 ([23]P, [24]P ) (1418 : ? : 1243) (1389 : ? : 1977)4 1 ([47]P, [48]P ) (613 : ? : 37) (1449 : ? : 231)3 1 ([95]P, [96]P ) (1685 : ? : 1191) (1256 : ? : 842)2 0 ([190]P, [191]P ) (119 : ? : 1871) (1501 : ? : 453)1 1 ([381]P, [382]P ) (1438 : ? : 956) (287 : ? : 868)0 1 ([763]P, [764]P ) (568 : ? : 746) (497 : ? : 822)To recover the y-coordinate of [763]P 2,M , we apply (13.7) with x 1 = 1568, y 1 = 637, x n and x n+1respectively equal to 568/746 and 497/822. Finally, [763]P 2,M = (280, 1733).13.2.4 Parallel implementationsFor the addition formulas in affine coordinates only a few field operations are used and, hence,parallelization is not too useful. In the other coordinate systems two processors can be applied toreduce the time for a group operation.For Montgomery coordinates a parallel implementation using two processors is immediate, namelyone can take care of the addition while the other performs the doubling. This is possible as bothoperations need about the same amount of operations, reducing the idle time.Smart [SMA 2001] investigates parallel implementations of Hessian coordinates.For Jacobian coordinates on arbitrary curves, Izu and Takagi [IZTA 2002a] propose a parallelversion that additionally proposes methods for k-fold doubling. It can be implemented togetherwith precomputations and windowing methods for scalar multiplication. Also [FIGI + 2002] dealswith parallel implementation. We come back to efficient parallel implementations in the chapter onside-channel attacks, cf. Chapter 29.13.2.5 Compression of pointsFor some applications it might be desirable to store or transmit as few bits as possible and still keepthe same amount of information.The following technique works for elliptic curves E/F q over arbitrary finite fields F q = F p d =F p (θ) of odd characteristic p (for details on the arithmetic of finite fields we refer to Chapter 11).

§ 13.3 Arithmetic of elliptic curves defined over F 2 d 289For an elliptic curve E : y 2 = x 3 + a 2 x 2 + a 4 x + a 6 there are at most two points with the samex-coordinate, namely P =(x 1 ,y 1 ) and −P =(x 1 , −y 1 ). They are equal if and only if y 1 =0, i.e.,for the Weierstraß points.CompressionTo uniquely identify the point one saves x 1 and one bit b(y 1 ).Itissetto0 if in the field representationy 1 = ∑ d−1i=0 c iθ i the value of c 0 taken as a nonnegative integer is even and set to 1 otherwise.This procedure works as −y 1 has p−c 0 as its least significant coefficient, which is of opposite parityas p is odd. Hence, one simply needs to check for the least significant bit of the least significantcoefficient of y 1 .DecompressionTo recover the y-coordinate from ( x 1 ,b(y 1 ) ) some more work needs to be done. Namely, oneevaluates x 3 1 + a 2x 2 1 + a 4x 1 + a 6 , which has to be a square in F q since x 1 is the x-coordinate of apoint on E. Algorithms for square root computation, cf. Section 11.1.5, allow us to recover the twovalues + − y 1 and the bit b(y 1 ) determines the correct y-coordinate.Example 13.38 On the curve E 2 /F p the point P 2 = (1120, 1391) ∈ E(F p ) is coded by (1120, 1)while R 2 = (443θ 2 + 1727θ + 1809, 929θ 2 + 280θ + 946) ∈ E(F p 3) is represented by (443θ 2 +1727θ + 1809, 0).F 2 d13.3 Arithmetic of elliptic curves defined over F 2dIn this section we consider elliptic curves over F 2 d. We first provide the transfer to short Weierstraßequations and state formulas for the arithmetic on supersingular and ordinary elliptic curves in affinecoordinates. For the remainder of the section we concentrate on ordinary curves. The curves givenin Weierstraß formy 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6can be transformed depending on the value of a 1 .Supersingular curvesIf a 1 =0, we need to have a 3 ≠0as otherwise the curve is singular. The transformation x ↦→ x+a 2leads to the equationE : y 2 + a 3 y = x 3 + a ′ 4 x + a′ 6 ,which is nonsingular as a 3 ≠0.SuchacurveE has no point P =(x 1 ,y 1 ) of order two over F 2 d,as these satisfy P = −P ,i.e.,y 1 = y 1 + a 3 and this would only be true for a 3 =0. Therefore,E[2] = {P ∞ } and E is supersingular by Definition 13.14.In Section 24.2.1, we extensively study supersingular curves as they come with an efficientlycomputable pairing. This has many consequences. For instance, the DLP is easier to solve for thesecurves. However, there also exist constructive aspects of pairings, e.g., see Chapter 24, and thisjustifies to investigate the arithmetic of these curves. Indeed, the arithmetic on the supersingularcurveE : y 2 + a 3 y = x 3 + a 4 x + a 6is given by the following formulas where P =(x 1 ,y 1 ) and Q =(x 2 ,y 2 ) are two points in E(F 2 d)

290 Ch. 13 Arithmetic of Elliptic Curves• −P =(x 1 ,y 1 + a 3 ).• if P ≠ + − Q,wehaveP ⊕ Q =(x 3 ,y 3 ) wherex 3 = λ 2 + x 1 + x 2 , y 3 = λ(x 1 + x 3 )+y 1 + a 3 , λ = y 1 + y 2x 1 + x 2·• if P ≠ −P ,wehave[2]P =(x 3 ,y 3 ) wherex 3 = λ 2 , y 3 = λ(x 1 + x 3 )+y 1 + a 3 , λ = x2 1 + a 4a 3·Example 13.39 Let us consider F 2 11, represented as F 2 (θ) with θ 11 + θ 2 +1=0. The elements ofF 2 11 will be represented using hexadecimal basis. For instance, 0x591 corresponds to the sequenceof bits (0101 1001 0001) and therefore stands for the element θ 10 + θ 8 + θ 7 + θ 4 +1.A supersingular elliptic curve over F 2 11 is given byE 5 : y 2 + a 3 y = x 3 + a 4 x + a 6with a 3 = 0x6EE, a 4 = 0x1CC and a 6 = 0x3F6. The discriminant of E 5 is ∆=0x722 while itsj-invariant is zero.The points P 5 =(0x3DF, 0x171) and Q 5 =(0x732, 0x27D) belong to E 5 (F 2 11) and−P 5 = (0x3DF, 0x79F),P 5 ⊕ Q 5 = (0x314, 0x4BC),[2]P 5 = (0xEF, 0x6C3).The cardinality of E 5 (F 2 11) is equal to 2 11 +2 6 + 1 = 2113 which is prime. Thus the groupE 5 (F 2 11) is cyclic and is generated by any one of its element.Ordinary curvesIf a 1 ≠0, the transformationsy ↦→ a 3 1 y + a2 3 + a 2 1a 4,a 3 x ↦→ a 2 1 x + a 31a 1followed by a division by a 6 1 lead to an isomorphic curve given byy 2 + xy = x 3 + a ′ 2x 2 + a ′ 6,which is nonsingular whenever a ′ 6 ≠0. In this case, the curve is ordinary.Remark 13.40 It is always possible to choose a ′ 2 small in the sense that multiplications by a′ 2 canbe carried out by a few additions only. Let c be an element of absolute trace 0, i.e., Tr F2 d /F 2(c) =0,such that multiplications by a ′ 2 + c can be carried out efficiently. In practice, d should be odd, (cf.Section 23.2.2.c) and in this case if Tr F2 d /F 2(a ′ 2 )=1then Tr F 2 d /F 2(a ′ 2 +1)=0. So in any case, ccan be taken equal to a ′ 2 or a ′ 2 +1with the result that a ′ 2 + c is an element of F 2 .Letλ be such thatλ 2 + λ + c =0. Indeed, (13.8) allows for a further transformationx ↦→ x,y ↦→ y + λx,which leads to the curvey 2 + xy = x 3 +(a ′ 2 + c)x 2 + a ′ 6.

§ 13.3 Arithmetic of elliptic curves defined over F 2 d 291Example 13.41 An ordinary elliptic curve over F 2 11 is given byE 6 : y 2 + xy = x 3 + a 2 x 2 + a 6with a 2 = 0x6EE and a 6 = 0x1CC. As the trace of a 2 is 1 we can put c = a 2 +1which is of trace0 and find λ = 0x51E such that λ 2 + λ = c. Now the change of variables x ↦→ x, y ↦→ y + λx,with λ = 0x68B transforms the curve E 6 intoE 7 : y 2 + xy = x 3 + x 2 + a 6 .The discriminant of E 7 is ∆ = a 6 and its j-invariant is 1/a 6 = 0x37F. The points P 7 =(0x420, 0x5B3) and Q 7 =(0x4B8, 0x167) are on E 7 . The curve E 7 has 2026 rational pointsin F 2 11 and E 7 (F 2 11) is cyclic generated by P 7 .13.3.1 Choice of the coordinatesThe remainder of this chapter is entirely devoted to ordinary curves, i.e., curves given byE : y 2 + xy = x 3 + a 2 x 2 + a 6 , (13.8)with a 2 ,a 6 ∈ F 2 d such that a 6 ≠0. The coefficient a 2 can be chosen with a reduced number ofterms and can even be taken in F 2 when d is odd, cf. Remark 13.40 for explanations.We first give a study on the addition formulas in different coordinate systems and study mixedcoordinate systems, then give a generalization of Montgomery coordinates and introduce a furtherendomorphism on the curve, the point halving. Finally we discuss compression techniques.As in Section 13.2, an elementary multiplication in F 2 d (respectively a squaring and an inversion)will be represented by M (respectively S and I).This section is mainly based on [HALÓ + 2000]. As for curves over prime fields we study differentsystems of coordinates, namely affine, projective, Jacobian and López–Dahab. For these binaryfields some extra tricks are applicable.We shall give formulas for the• addition of two points P and Q ∈ E(F 2 d) provided P ≠ + − Q,• doubling of P .13.3.1.aAffine coordinates (A)Recall that we can choose an elliptic curve of the formE : y 2 + xy = x 3 + a 2 x 2 + a 6 .The opposite of P =(x 1 ,y 1 ) equals −P =(x 1 ,x 1 + y 1 ).AdditionLet P =(x 1 ,y 1 ), Q =(x 2 ,y 2 ) such that P ≠ + − Q then P ⊕ Q =(x 3 ,y 3 ) is given byDoublingx 3 = λ 2 + λ + x 1 + x 2 + a 2 , y 3 = λ(x 1 + x 3 )+x 3 + y 1 , λ = y 1 + y 2x 1 + x 2.Let P =(x 1 ,y 1 ) then [2]P =(x 3 ,y 3 ),wherex 3 = λ 2 + λ + a 2 , y 3 = λ(x 1 + x 3 )+x 3 + y 1 , λ = x 1 + y 1x 1·Thus an addition and a doubling require exactly the same number of operations, that is, I+2M+S.

292 Ch. 13 Arithmetic of Elliptic CurvesDoubling followed by an additionExtending an idea presented in Section 13.2.1.a (see also [EILA + 2003]), Ciet et al. [CIJO + 2003],propose a method to compute [2]P ⊕ Q as as single operation. The formulas are given below wherewe assume that P ≠ + − Q and [2]P ≠ −QA = x 2 + x 1 , B = y 2 + y 1 , C = A 2 (x 2 + a 2 )+B(B + A),D =(AC) −1 , λ = BCD, λ 2 = A 3 Dx 1 + λ +1,x 4 =(λ + λ 2 ) 2 + λ + λ 2 + x 2 , y 4 =(x 1 + x 4 )λ 2 + y 1 + x 4 ,requiring I+9M+2S.13.3.1.bProjective coordinates (P)With projective coordinates the curve is parameterized by the equationY 2 Z + XY Z = X 3 + a 2 X 2 Z + a 6 Z 3 .Like in odd characteristic, we let (X 1 : Y 1 : Z 1 ) represent the affine point (X 1 /Z 1 ,Y 1 /Z 1 ) ifZ 1 ≠0and P ∞ =(0:1:0)otherwise. The opposite of (X 1 : Y 1 : Z 1 ) is (X 1 : X 1 + Y 1 : Z 1 ).AdditionLet P =(X 1 : Y 1 : Z 1 ), Q =(X 2 : Y 2 : Z 2 ) such that P ≠ + − Q then P ⊕ Q =(X 3 : Y 3 : Z 3 ) isgiven byDoublingA = Y 1 Z 2 + Z 1 Y 2 , B = X 1 Z 2 + Z 1 X 2 , C = B 2 ,D = Z 1 Z 2 ,E =(A 2 + AB + a 2 C)D + BC,X 3 = BE, Y 3 = C(AX 1 + Y 1 B)Z 2 +(A + B)E, Z 3 = B 3 D.If P =(X 1 : Y 1 : Z 1 ) then [2]P =(X 3 : Y 3 : Z 3 ) is given byA = X 2 1, B = A + Y 1 Z 1 , C = X 1 Z 1 ,D = C 2 ,E =(B 2 + BC + a 2 D),X 3 = CE, Y 3 =(B + C)E + A 2 C, Z 3 = CD.In projective coordinates, no inversion is needed. An addition needs 16M + 2S and a doublingrequires 8M + 4S.If the addition receives one input point in affine coordinates, i.e., as (X 2 : Y 2 :1),thecostsreduce to 12M + 2S. Suchanaddition in mixed coordinates is studied in larger generality in thenext section.All operations profit from small a 2 as one multiplication is saved.13.3.1.c Jacobian coordinates (J )In Jacobian coordinates, the curve is given by the equationY 2 + XY Z = X 3 + a 2 X 2 Z 2 + a 6 Z 6 .The point represented by (X 1 : Y 1 : Z 1 ) corresponds to the affine point (X 1 /Z 2 1 ,Y 1/Z 3 1 ) whenZ 1 ≠0and to P ∞ =(1:1:0)otherwise. The opposite of (X 1 : Y 1 : Z 1 ) is (X 1 : X 1 Z 1 + Y 1 :Z 1 ).

§ 13.3 Arithmetic of elliptic curves defined over F 2 d 293AdditionLet P =(X 1 : Y 1 : Z 1 ), Q =(X 2 : Y 2 : Z 2 ) such that P ≠ + − Q then P ⊕ Q =(X 3 : Y 3 : Z 3 ) isgiven byDoublingA = X 1 Z 2 2 , B = X 2Z 2 1 , C = Y 1Z 3 2 ,D = Y 2 Z 3 1, E = A + B, F = C + D,G = EZ 1 , H = FX 2 + GY 2 , Z 3 = GZ 2 ,I = F + Z 3 , X 3 = a 2 Z 2 3 + FI + E3 , Y 3 = IX 3 + G 2 H.If P =(X 1 : Y 1 : Z 1 ) then [2]P =(X 3 : Y 3 : Z 3 ) is given byA = X 2 1 , B = A2 , C = Z 2 1 ,X 3 = B + a 6 C 4 , Z 3 = X 1 C, Y 3 = BZ 3 +(A + Y 1 Z 1 + Z 3 )X 3 .In Jacobian coordinates an addition requires 16M + 3S in general and only 11M+ 3S if one input isin affine coordinates. Also if a 2 ∈{0, 1} we need one multiplication less in the addition of points.A doubling needs 5M + 5S including one multiplication by a 6 .13.3.1.dLópez–Dahab coordinates (LDLD)López and Dahab [LÓDA 1998] introduced a further set of coordinates in which the curve is givenby the equationY 2 + XY Z = X 3 Z + a 2 X 2 Z 2 + a 6 Z 4 .The triple (X 1 : Y 1 : Z 1 ) represents the affine point (X 1 /Z 1 ,Y 1 /Z 2 1) when Z 1 ≠0and P ∞ =(1:0:0)otherwise. The opposite of (X 1 : Y 1 : Z 1 ) is (X 1 : X 1 Z 1 + Y 1 : Z 1 ).AdditionLet P =(X 1 : Y 1 : Z 1 ), Q =(X 2 : Y 2 : Z 2 ) such that P ≠ + − Q then P ⊕ Q =(X 3 : Y 3 : Z 3 ) isgiven byA = X 1 Z 2 , B = X 2 Z 1 , C = A 2 ,D = B 2 , E = A + B, F = C + D,G = Y 1 Z 2 2 , H = Y 2Z 2 1 , I = G + H,J = IE, Z 3 = FZ 1 Z 2 , X 3 = A(H + D)+B(C + G),Y 3 =(AJ + FG)F +(J + Z 3 )X 3 .A general addition P ⊕Q in this coordinate system takes 13M+4S as shown by Higuchi and Takagi[HITA 2000]. Note that the original formulas proposed in [LÓDA 1998] need 14M + 6S.Mixed AdditionIf Q is in affine coordinates the costs drop to 10M+ 3S. In fact, it is possible to do a bit better, sinceAl–Daoud et al. [ALMA + 2002] proved that only 9M + 5S are sufficient in this case. The formulasare given below.A = Y 1 + Y 2 Z 2 1, B = X 1 + X 2 Z 1 , C = BZ 1 ,Z 3 = C 2 , D = X 2 Z 3 , X 3 = A 2 + C(A + B 2 + a 2 C),Y 3 =(D + X 3 )(AC + Z 3 )+(Y 2 + X 2 )Z 2 3 .

294 Ch. 13 Arithmetic of Elliptic CurvesNote that when a 2 ∈{0, 1} one further multiplication is saved.DoublingIf P =(X 1 : Y 1 : Z 1 ) then [2]P =(X 3 : Y 3 : Z 3 ) is given by [LÓDA 1998]A = Z 2 1, B = a 6 A 2 , C = X 2 1 ,Z 3 = AC, X 3 = C 2 + B, Y 3 =(Y 21 + a 2 Z 3 + B)X 3 + Z 3 B.To analyze the complexity, first note that in practice a 2 can be chosen in F 2 , cf. Remark 13.40,saving one product.For fixed a 2 and a 6 it is also possible to use less additions if √ a 6 can be precomputed. E.g., fora 2 =1one can useA = X1 2 , B = √ a 6 Z1 2 , C = X 1Z 1 ,Z 3 = C 2 , X 3 =(A + B) 2 , Y 3 = ( AC +(Y 1 + B)(A + B) ) 2requiring 4M + 5S including one multiplication by √ a 6 .For fixed a 2 =0, X 3 and Z 3 are given as above whereas Y 3 = ( BC +(Y 1 + B)(A + B) ) 2,which also requires 4M + 5S including one multiplication by √ a 6 .It is also possible to trade this multiplication by a constant and a squaring for a general multiplication[LAN 2004b], which might be interesting if the curve varies or if √ a 6 is big. The formulasare as followsA = X 1 Z 1 , B = X1 2 , C = B + Y 1, (13.9)D = AC, Z 3 = A 2 , X 3 = C 2 + D + a 2 Z 3 ,Y 3 =(Z 3 + D)X 3 + B 2 Z 3requiring 5M + 4S including one multiplication by a 2 .13.3.1.eExampleTake the curveE 7 : y 2 + xy = x 3 + x 2 + a 6 (13.10)with a 6 = 0x1CC. We recall below the equation of E 7 as well as the coordinates of P 7 =(0x420, 0x681) and Q 7 =(0x4B8, 0x563) on E 7 for each coordinate system. Note that the thirdcoordinate in projective, Jacobian and López–Dahab systems is chosen at random.System Equation P 7 Q 7A y 2 + xy = x 3 + x 2 + a 6 (0x420, 0x5B3) (0x4B8, 0x167)P Y 2 Z + XY Z = X 3 + X 2 Z + a 6Z 3 (0x64F : 0x5BA : 0x1C9) (0x4DD : 0x1F0 : 0x3FA)J Y 2 + XY Z = X 3 + X 2 Z 2 + a 6Z 6 (0x4DA : 0x1F7 : 0x701) (0x383 : 0x5BA : 0x1E1)LD Y 2 + XY Z = X 3 Z + X 2 Z 2 + a 6Z 4 (0x6BE : 0x15F : 0x7B3) (0x757 : 0x3EF : 0xA1C)With these particular values of P 7 and Q 7 , let us compute P 7 ⊕ Q 7 , [2]P 7 and [763]P 7 within thedifferent systems using the double and add method.

§ 13.3 Arithmetic of elliptic curves defined over F 2 d 295System P 7 ⊕ Q 7 [2]P 7 [763]P 7A (0x724, 0x7B3) (0x14D, 0x4CB) (0x84, 0x475)P (0x675 : 0x6D5 : 0x4D5) (0x4D5 : 0x21E : 0x705) (0x582 : 0x14 : 0x543)J (0x12 : 0x46B : 0x5F) (0x5B1 : 0x417 : 0x7D) (0x2F7 : 0x572 : 0x3E2)LD (0x7C5 : 0x1D2 : 0x3D2) (0x444 : 0x4A0 : 0x193) (0x2F : 0x265 : 0x220)For each computation, the obtained result is equivalent to the affine one.13.3.2 Faster doublings in affine coordinatesLet P =(x 1 ,y 1 ) be a point lying on the ordinary curveE : y 2 + xy = x 3 + a 2 x 2 + a 6 .When the solution of a quadratic equation can be quickly found, e.g., if F 2 d is represented by a normalbasis, the following method [SOL 1997] replaces one general multiplication by a multiplicationby the fixed constant a 6 .Namely, compute x 3 = x 2 1 + a 6 /x 2 1, which is also equal to λ 2 + λ + a 2 . Then find µ such thatµ 2 +µ = x 3 +a 2 , see Section 11.2.6. So λ = µ+ε where ε =0or 1. Therefore µx 1 +x 2 1+y 1 = εx 1and we deduce ε from this equation. Note that it is not necessary to perform µx 1 in full but rather tocompute one well chosen coordinate in the product. Thus the computation of λ is almost free and itremains to perform y 3 = x 2 1 +(λ +1)x 3.To perform several doublings in a row of P =(x 1 ,y 1 ), it is faster to store the intermediate values bythe x-coordinate and the slope of the tangent, i.e., to represent [2 i ]P as (x 2 i,λ 2 i). This is possiblebecausex 2 = λ 2 1 + λ 1 + a 2 andλ 2 = λ 2 1 + λ 1 + a 2 + λ 1(x 1 + λ 2 1 + λ 1 + a 2 )+λ 2 1 + λ 1 + a 2 + y 1λ 2 1 + λ 1 + a 2= λ 2 1 + a 2 + a 6x 4 1 + a ·6This idea leads to the following algorithm described in [LÓDA 2000b].Algorithm 13.42 Repeated doublingsINPUT: A point P =(x 1,y 1) on E such that [2 k ]P ≠ P ∞ and an integer k 2.OUTPUT: The point [2 k ]P of coordinates (x 3,y 3).1. λ ← x 1 + y 1/x 1 and u ← x 12. for i =1 to k − 1 do3. x ′ ← λ 2 + λ + a 24. λ ′ ← λ 2 + a 2 + a6u 4 + a 65. u ← x ′ and λ ← λ ′6. x 3 ← λ 2 + λ + a 2 and y 3 ← u 2 +(λ +1)x 37. return (x 3,y 3)

296 Ch. 13 Arithmetic of Elliptic CurvesThis algorithm needs kI+(k +1)M+(3k − 1)S.Example 13.43 Take P 7 on E 7 as defined in Example 13.41 and let us compute [2 5 ]P 7 .Thevaluesof λ and u along the execution of Algorithm 13.42 are given below.At the end, x 3 = 0x67C and y 3 = 0x71C.i — 1 2 3 4λ 0x1C 0x67 0x6F7 0x96 0x719u 0x420 0x14D 0x479 0x344 0x1ABAnother strategy is to use a closed formula to get [2 k ]P directly rather than computing successivedoublings. The interest is to perform only one inversion at the cost of extra multiplications[GUPA 1997]. We do not state these formulas here as the same number of operations can be obtainedby using López–Dahab coordinates for the intermediate doublings and transforming the resultto affine coordinates afterwards.13.3.3 Mixed coordinatesIn the previous part we introduced different representations for the point on E together with thealgorithms to perform addition and doubling. For the additions we also mentioned the number ofoperations needed if one of the input points is in affine coordinates. Like in odd characteristicwe now study arbitrary mixes of coordinates to perform scalar multiplications where we use two(different) systems of coordinates as input and one as output. By J + A = LD we denote theaddition taking as input one point in Jacobian coordinates and one in affine and giving the result inLópez–Dahab coordinates.Additionally we use the abbreviations A ′ to denote the representation by (x, λ) introduced in theprevious section for multiple doublings. For A ′ coordinates the table entry refers to the asymptoticcomplexity of a doubling in a sequence of k consecutive doublings, thus we neglect other marginaloperations. Table 13.4 on page 297 gives the number of field operations needed depending on thecoordinate systems. Compared to the case of odd characteristic, changes between the coordinatesystems are not too interesting and are therefore not listed. We denote the costs for multiplicationwith a 2 by M 2 and concentrate on the most interesting cases. We do not take into account the effectsof small a 6 as this cannot be achieved generically.No precomputationIf the system offers no space to store precomputations one should use A if inversions are affordable,i.e., less than 8 times as expensive as a multiplication, and otherwise use LD for the doublings andLD + A = LD for the additions if the input is in affine coordinates and as LD + LD otherwise.PrecomputationsAlso in even characteristic, using the NAF w representation, cf. Section 9.1.4 is advantageous tocompute scalar multiples [n]P . This requires precomputing all odd multiples [i]P for 1

§ 13.3 Arithmetic of elliptic curves defined over F 2 d 297Table 13.4 Operations required for addition and doubling.DoublingAdditionOperation Costs Operation Costs2P 7M + 4S + M 2 J + J 15M + 3S + M 22J 5M + 5S P + P 15M + 2S + M 22LD 4M + 4S + M 2 LD + LD 13M + 4S2A = P 5M + 2S + M 2 P + A = P 11M + 2S + M 22A = LD 2M + 3S + M 2 J + A = J 10M + 3S + M 22A = J M+2S+M 2 LD + A = LD 8M + 5S + M 2— — A + A = LD 5M + 2S + M 22A I+2M+S A + A = J 4M + S + M 22A ′ I+M+S A + A = A ′ 2I + 3M + S2A ′ = A M+2S A + A I+2M+SIf inversions are prohibitively expensive one should choose LD coordinates as they are the mostefficient inversion-free system, provided that one multiplication is at least as expensive as threesquarings, which is usually the case in binary fields. This way(13 × 2 w−2 − 8 ) M+4× 2 w−2 Sare needed for the precomputations.Using one I and 3(2 w−2 − 2)M the resulting precomputed points can be transformed to affine.Furthermore, the use of precomputations leads to long runs of doublings in the algorithms and theyare much faster in LD than in P, which otherwise would offer the lowest number of operations peraddition.Scalar multiplicationA scalar multiplication consists of a sequence of doublings and additions. If a signed windowingmethod is used with precomputations there are often runs of doublings interfered with only a fewadditions. Thus it is worthwhile to distinguish between intermediate doublings, i.e., those followedby a further doubling, and final doublings, which are followed by an addition, and to choose differentcoordinate systems for them.We first assume that the precomputed points are in A as this leads to the most interesting mixes ofcoordinates. If one inversion per bit of the scalar is affordable one should use A ′ for the intermediatedoublings.More explicitly, the intermediate variable Q is replaced each step by some[2 s ]Q + − [u]P,where [u]P is in the set of precomputed multiples. So we actually perform (s − 1) doublings of thetype 2A ′ = A ′ , a doubling of the form 2A ′ = A and then an addition A + A = A ′ .Let l be the binary length of n,letl 1 = l − (w − 1)/2,andK =1/2 − 1/(w +1).

298 Ch. 13 Arithmetic of Elliptic CurvesIn the main loop, we perform on average l 1 + K − v doublings of the form 2A ′ = A ′ , v doublingsof the form 2A ′ = A,andv additions, where v =(l 1 − K)/(w +1). Then we need approximately(l 1 + K + l ) (1 − KI+ l 1 + K +3 l ) (1 − KM+ l 1 + K +2 l )1 − KS.w +1w +1w +1If the algorithm should not make use of inversions but the precomputed points are in A, Table 13.4shows that the doublings should be performed within LD. This is followed by one addition of thetype LD + A = LD. This needs approximately(4(l 1 + K)+8 l ) (1 − KM+ 4(l 1 + K)+5 l ) (1 − KS+ l 1 + K + l )1 − KM 2 .w +1w +1w +1If the precomputed points are in LD the most efficient way is to choose this coordinate system forall operations. In total this needs asymptotically(4(l 1 + K)+13 l ) (1 − KM+ 4(l 1 + K)+4 l ) ( )1 − KS+ l 1 + K M 2 .w +1w +113.3.4 Montgomery scalar multiplicationLópez and Dahab [LÓDA 1999] generalized Montgomery’s idea, cf. Section 13.2.3, to binarycurves. Let P =(x 1 ,y 1 ) be a point on E. In projective coordinates, we write P =(X 1 : Y 1 : Z 1 )and let [n]P =(X n : Y n : Z n ). The sum [n + m]P =[n]P ⊕ [m]P is given by the followingformulas where Y n does not occur.Addition: n ≠ mDoubling: n = mZ m+n = (X m Z n ) 2 +(X n Z m ) 2 ,X m+n = Z m+n X m−n + X m Z n X n Z m .X 2n = X 4 n + a 6Z 4 n = ( X 2 n + √ a 6 Z 2 n) 2,Z 2n = X 2 n Z2 n .An addition takes 4M and 1S whereas a doubling needs only 2M and 3S, if √ a 6 is precomputed.For the full scalar multiplication [n]P ,weuseMontgomery’s ladder, cf. Algorithm 13.35, whichrequires (6M + 4S)(|n| 2 − 1) in total.To recover the y-coordinate of [n]P =(X n : Y n : Z n ) we first compute the affine x-coordinatesof [n]P and [n +1]P ,thatisx n = X n /Z n and x n+1 = X n+1 /Z n+1 andthenusetheformula[LÓDA 1999, OKSA 2001]y n = (x n + x 1 ) ( (x n + x 1 )(x n+1 + x 1 )+x 2 1 + y )1+ y 1 . (13.11)x 1Example 13.44 Let us compute [763]P 7 with Algorithm 13.35. The different steps of the compu-

§ 13.3 Arithmetic of elliptic curves defined over F 2 d 299tation are given in the following table where P stands for P 7 ∈ E 7 , given by (13.10).i n i (P 1,P 2) P 1 P 29 1 (P, [2]P ) (0x420 : ? : 0x1) (0x158 : ? : 0x605)8 0 ([2]P, [3]P ) (0x158 : ? : 0x605) (0x7E9 : ? : 0x2FD)7 1 ([5]P, [6]P ) (0x295 : ? : 0x56B) (0x620 : ? : 0x43B)6 1 ([11]P, [12]P ) (0x5D0 : ? : 0x247) (0xA6 : ? : 0x6CE)5 1 ([23]P, [24]P ) (0x755 : ? : 0x21B) (0x409 : ? : 0x93)4 1 ([47]P, [48]P ) (0xBD : ? : 0x25E) (0x26 : ? : 0x4BE)3 1 ([95]P, [96]P ) (0x4EE : ? : 0x51D) (0x4D6 : ? : 0x304)2 0 ([190]P, [191]P ) (0x4C1 : ? : 0x58C) (0x553 : ? : 0x386)1 1 ([381]P, [382]P ) (0x613 : ? : 0x7E4) (0x2BB : ? : 0x60B)0 1 ([763]P, [764]P ) (0x6C4 : ? : 0x105) (0x655 : ? : 0x485)To end the computation, we apply (13.11) to obtain that [763]P 7 =(0x84, 0x475).13.3.5 Point halving and applicationsIn this section we introduce a further map on the group of points of an elliptic curve.Let |E(F 2 d)| =2 k l,wherel is odd. If k =1then E is said to have minimal 2-torsion as curvesof the formE : y 2 + xy = x 3 + a 2 x 2 + a 6 (13.12)considered here always have one point of order 2, namely the point T =(0, √ a 6 ). Hence, thedoubling map [2] is not injective. Now assume E to have minimal 2-torsion and let G be a subgroupof odd order. If P belongs to G then there is a unique point Q ∈ G such that P =[2]Q. Thendenote Q = [ 12]P and define the one-to-one halving map by]: G → G[ 12P ↦→ Q such that [2]Q = P.In the following, we shall represent a point P =(x 1 ,y 1 ) as (x 1 ,λ 1 ) where λ 1 = x 1 + y 1 /x 1 .In the context of a scalar multiplication based on halvings, this representation leads to a fasterimplementation as for repeated doublings.In [KNU 1999] Knudsen develops an efficient technique to halve a point in affine coordinateslying on an elliptic curve with minimal 2-torsion. Independently, Schroeppel proposed the samemethod [SCH 2000c].Note that half the curves of the form (13.12) defined over F 2 d have minimal 2-torsion, since thisproperty is equivalent to Tr(a 2 )=1.Let P =(x 1 ,λ 1 ) ∈ G and Q = [ 12]P =(x2 ,λ 2 ). Inverting doubling formulas, one hasλ 2 2 + λ 2 = a 2 + x 1 ,x 2 2 = x 1 (λ 2 +1)+y 1 = x 1 (λ 2 + λ 1 + x 1 +1),y 2 = x 2 (x 2 + λ 2 ).

300 Ch. 13 Arithmetic of Elliptic CurvesThe algorithm is as follows. First find γ such that γ 2 + γ = a 2 + x 1 . The other solution of theequation is then γ +1, cf. Lemma 11.56. One corresponds to λ 2 and Q and the other one to λ 2 +1and Q ⊕ T .IfE has minimal 2-torsion it is possible to determine if γ is equal to λ 2 or not. Indeedonly Q can be halved but not Q ⊕ T . So (x 2 ,λ 2 ) is equal to [ 12]P if and only if the equationX 2 + X = a 2 + x 2 has a solution in F 2 d. This holds true if and only if Tr(a 2 + x 2 )=0. ClearlyTr(a 2 + x 2 )=Tr(a 2 2 + x2 2 ) and this remark saves a square root computation.So one first obtains w = x 1 (γ + λ 1 + x 1 +1), which is a candidate for x 2 2 .IfTr(a2 2 + w) =0then λ 2 = γ and x 2 = √ w.Otherwiseλ 2 = γ +1and x 2 = √ w + x 1 .All these steps are summarized in the following algorithm.Algorithm 13.45 Point halvingINPUT: The point P =(x ] 1,y 1) ∈ G represented as (x 1,λ 1).OUTPUT: The point P =(x2,y 2) represented as (x 2,λ 2).[ 121. compute γ such that γ 2 + γ = a 2 + x 12. w ← x 1(γ + λ 1 + x 1 +1)3. if Tr(a 2 2 + w) =1 then γ ← γ +1and w ← w + x 14. λ 2 ← γ and x 2 ← √ w5. return Q =(x 2,λ 2)Remarks 13.46(i) To determine (x 2 ,λ 2 ) Algorithm 13.45 requires us to compute the solution of a quadraticequation, one square root, one multiplication, and one absolute trace. A further multiplicationis necessary to obtain y 2 .(ii) See Section 11.2.6 for a description of algorithms to compute γ and √ w.(iii) The computation of the trace in Line 3 is straightforward, cf. Remarks 11.57.(iv) Algorithm 13.45 can be easily generalized when E(F 2 d) has a subgroup isomorphic to Z/2 k Zwith k > 1 [KNU 1999]. Nevertheless, it is necessary, in this case, to solve k equations,perform k +1multiplications, one test, and k or k +1square root computations to find(x 2 ,y 2 ), so that in practice the technique is usually not interesting for k>1.Example 13.47 The point P 7 =(0x420, 0x5B3) on E 7 is a point of order 2026. This implies thatR 7 =[2]P 7 =(0x14D, 0x4CB) is a point of odd order l = 1013. Thus in the group G = 〈R 7 〉,the halving map is well defined. Let us compute [ 12]R7 with Algorithm 13.45. First, we haveλ 1 = 0x67. We deduce that γ = 0x1C and w = 0x605. Since the trace of a 2 2 + w is equal to one,the values of γ and w are changed to 0x1D and 0x748. Finally, λ 2 = 0x1D and x 2 = 0x3B8. Itfollows that the unique point S 7 ∈ G such that [2]S 7 = R 7 is (0x3B8, 0x441).We also have P 7 = S 7 ⊕ T 7 where T 7 =(0x0, 0x19A) is the 2-torsion point of E 7 .Now, let us explain how to compute the scalar multiplication [n]P of a point P of odd order l 1 | l.Let m = ⌈lg l 1 ⌉.Thenif2 m−1 n =m−1∑i=0̂n i 2 i mod l 1 , with n i ∈{0, 1}

§ 13.3 Arithmetic of elliptic curves defined over F 2 d 301one hasn ≡m−1∑i=0̂n m−1−i2 i (mod l 1 )and [n]P can be obtained by the following algorithm. We additionally put [ 12]P∞ = P ∞ .Algorithm 13.48 Halve and add scalar multiplicationINPUT: A point P ∈ E(F 2 d) of odd order l 1 and a positive integer n.OUTPUT: The point [n]P .1. m ←⌈lg l 1⌉2. bn ← (2 m−1 n)modl 1 [bn =(bn m−1 ...bn 0) 2]3. Q ← P ∞4. for i =0 to m − 1 do5. Q ← ˆ 12˜Q6. if bn i =1 then Q ← Q ⊕ P7. return QRemarks 13.49(i) All the window and recoding techniques seen in Chapter 9 apply as well. In particular, if∑ mi=0 ̂n i2 i is the NAF w representation of 2 m n modulo l 1 ,thenn ≡m∑i=0̂n m−i2 i (mod l 1 ).(ii) No method is currently known to halve a point in projective coordinates. In [HAME + 2003]two halve-and-add algorithms for the NAF w representation are given. The one operating fromthe right to the left halves the input P rather than the accumulators, which can therefore berepresented in projective coordinates. In this case mixed addition formulas can be used for abetter efficiency.(iii) Point halving can be used to achieve faster scalar multiplication on Koblitz curves; see Chapter15 and [AVCI + 2004].Example 13.50 Let us compute [763]R 7 with Algorithm 13.48. As R 7 is of odd order 1013, wehave m =10and 2 9 × 763 ≡ 651 (mod 1013). Now 651 = (1010001011) 2 which implies that763 ≡ 1 2 9 + 1 2 8 + 1 2 6 + 1 + 1 (mod 1013).22 Thus, the main steps of the computation, expressed in the form (x, λ), are[ 1]2 R7 ⊕ R 7 = (0x1, 0x21D),[ 1] 3R2 7 ⊕ [ ]1 2R2 7 ⊕ R 7 = (0x644, 0x184),] 7R 7 ⊕ [ ]1 6R 7 ⊕ [ 1[ 12[ 12] 9R 7 ⊕ [ 122] 8R 7 ⊕ [ 12] 4R2 7 ⊕ R 7 = (0x77C, 0x3EC),] 6R 7 ⊕ [ ]1 2R2 7 ⊕ R 7 = (0x2EA, 0x281).

302 Ch. 13 Arithmetic of Elliptic CurvesWe deduce that [763]R 7 =(0x2EA, 0x7C8) in affine coordinates.It is also easy to obtain the multiple of a point that does not belong to G. For instance, let uscompute [763]P 7 .WehaveP 7 = [ ]12 R7 ⊕ T 7 and since the maps [ 12]and [n] commute, it followsthat[763]P 7 = [ 12][763]R7 ⊕ T 7 ,= (0x5CF, 0x485) ⊕ (0x0, 0x19A),= (0x84, 0x475).13.3.6 Parallel implementationAlso, for fields of even characteristic, parallel implementations have gained some interest, one ofthe first works being [KOTS 1993]. However, applications using affine coordinates usually try toachieve parallelism on the lower level of field arithmetic.In the chapter on side-channel attacks, cf. Chapter 29, we discuss several parallel implementationsas this is mainly of interest for small devices like smart cards. There, the additional restrictionis that the implementation should be secured against some particular attacks. Common choices areMontgomery coordinates distributed on two processors. We refer the reader to that chapter for detailsand mention here only the work of Mishra [MIS 2004a], who derives a pipelined computationsuch that in a scalar multiplication the average number of clock cycles needed per group operationis only 6 when using two processors.13.3.7 Compression of pointsLet P =(x 1 ,y 1 ) be a point on E/F 2 d : y 2 + xy = f(x). As for odd characteristic, we show howto represent P by ( x 1 ,b(y 1 ) ) ,whereb(y 1 ) is a bit distinguishing P from −P =(x 1 ,y 1 + x 1 ).There exists exactly one Weierstraß point having x 1 =0. For the other points we follow the stepsin the next paragraphs.DecompressionIn even characteristic it is easier to explain decompression first. Thus, assume that P is givenby ( x 1 ,b(y 1 ) ) ,andb(y 1 ) ∈{0, 1}. As x 1 is the x-coordinate of a point, the quadratic equationy 2 + x 1 y + x 3 1 + a 2x 2 1 + a 6 has two solutions. It is clear that such a solution exists if Y 2 + Y +(x 3 1 + a 2x 2 1 + a 6)/x 2 1 has a solution, i.e., if Tr( (x 3 1 + a 2x 2 1 + a 6)/x1) 2 =0, cf. Section 11.2.6. If y′1is one solution then y 1 ′ +1is the other. Hence, for the roots y 1 ′ the least significant bit allows us todistinguish between the solutions and we need to resort to the equation in Y to compute the roots.To find the solutions of the original equation we put y 1 = y 1x ′ 1 for the y 1 ′ determined by b(y 1 ).CompressionWe have just seen that the least significant bit of y 1 ′ = y 1/x 1 should be used as b(y 1 ). Unfortunately,this requires one inversion, hence, some work is also needed to compress a point. This is in contrastto the case of odd characteristic.

Chapter ½Arithmetic of Hyperelliptic CurvesSylvain Duquesne and Tanja LangeContents in Brief14.1 Summary of background on hyperelliptic curves 304Group law for hyperelliptic curves • Divisor class group and ideal class group •Isomorphisms and isogenies • Torsion elements • Endomorphisms •Cardinality14.2 Compression techniques 311Compression in odd characteristic • Compression in even characteristic14.3 Arithmetic on genus 2 curves over arbitrary characteristic 313Different cases • Addition and doubling in affine coordinates14.4 Arithmetic on genus 2 curves in odd characteristic 320Projective coordinates • New coordinates in odd characteristic • Different setsof coordinates in odd characteristic • Montgomery arithmetic for genus 2curves in odd characteristic14.5 Arithmetic on genus 2 curves in even characteristic 334Classification of genus 2 curves in even characteristic • Explicit formulas ineven characteristic in affine coordinates • Inversion-free systems for evencharacteristic when h 2 ̸= 0• Projective coordinates • Inversion-free systemsfor even characteristic when h 2 =014.6 Arithmetic on genus 3 curves 348Addition in most common case • Doubling in most common case • Doublingon genus 3 curves for even characteristic when h(x) =114.7 Other curves and comparison 352In Chapter 1 we introduced the discrete logarithm problem and showed that the main operation in apublic-key cryptosystem is the computation of scalar multiples in a cyclic group. Chapter 9 showedhow the computation of scalar multiples can be reduced to a sequence of additions and doublings inthe group. Hence, for an efficient system we need to have groups with efficient group laws.In Chapter 13 we detailed the arithmetic on elliptic curves. This chapter deals with hyperellipticcurves, which can be seen as a generalization of elliptic curves. We first give a brief overview of themain properties of hyperelliptic curves repeating the definitions for the convenience of the reader.The details can be found in Chapter 4. In the applications, group elements must be stored andtransmitted. For restricted environments or restricted bandwidth it might be useful to use compressioneven though recovering the original coordinates needs some efforts. Accordingly, we considercompression techniques.303

304 Ch. 14 Arithmetic of Hyperelliptic CurvesThe main emphasis of this chapter is put on the arithmetic properties, i.e., on algorithms to performthe group operation. We state Cantor’s algorithm, which works for arbitrary ground field and genusof the curve. To obtain better performance one needs to fix the genus and develop explicit formulasas for elliptic curves (cf. Chapters 13.2 and 13.3). We first specialize to considering curves ofgenus 2, separately over finite fields of odd and then of even characteristic. For both cases we giveformulas for different coordinate systems, namely affine, projective, and new coordinates. The lattertwo systems allow us to avoid inversions in the group operation. For odd characteristic we also statetwo possible generalizations of Montgomery coordinates (cf. Section 13.2.3); for even characteristicthere is no such generalization yet.Also for genus 3 hyperelliptic curves, explicit formulas have been proposed. We give explicitformulas in affine coordinates in Section 14.6. Also nonhyperelliptic curves of genus 3 have beenproposed for cryptographic applications. The final section gives references to these publications andalso for genus 4 hyperelliptic curves before we conclude with a comparison and timings.14.1 Summary of background on hyperelliptic curvesFor cryptographic purposes we concentrate on imaginary quadratic hyperelliptic curves given byan equation, as below. Only in Chapter 18 we need to deal with the most general definition as givenin Definition 4.121.Definition 14.1 A curve given by an equation of the formC : y 2 + h(x)y = f(x), h,f∈ K[x], deg(f) =2g +1, deg(h) g, f monic (14.1)is called a hyperelliptic curve of genus g over K if no point on the curve over the algebraic closureK of K satisfies both partial derivatives 2y + h =0and f ′ − h ′ y =0.The last condition ensures that the curve is nonsingular. The negative of a point P =(x, y) is givenby −P = ( x, −y − h(x) ) . The points fixed under this hyperelliptic involution are called Weierstraßpoints. Elliptic curves are subsumed under this definition as curves of genus one (cf. Definition13.1). Even though this is not entirely standard from the classical viewpoint, the algorithmicproperties that constitute our focus are equal. For a discussion see the remark after Definition 4.121.Example 14.2 Let p = 2003. Over the finite field F p , the equation y 2 = x 5 + 1184x 3 + 1846x 2 +956x + 560 gives a hyperelliptic curve of genus 2.We can check explicitly that the partial derivative 2y equals 0 only if y =0and this leads toa point P =(x 1 , 0) only if f(x 1 )=0. The partial derivative with respect to x gives f ′ (x) =5x 4 + 1549x 2 + 1689x + 956. One can check by direct calculation that no root of f simultaneouslysatisfies f ′ .In general, f ′ evaluates to 0 at a root x 1 of f if and only if x 1 is a multiple root of f. For oddcharacteristic, the equation y 2 = f(x) defines a nonsingular and hence hyperelliptic curve if andonly if f has no multiple roots.14.1.1 Group law for hyperelliptic curvesFor elliptic curves one can take the set of points together with a point at infinity as a group. Forcurves of genus larger than one this is no longer possible. The way out is to take finite sums of pointsas group elements and perform the addition coefficient-wise like (P +Q)⊕(R+Q)=P +2Q+R.This would lead to an infinite group and longer and longer representations of the group elements.The group one actually uses is the quotient group of this group by all sums of points that lie on afunction.

§ 14.1 Summary of background on hyperelliptic curves 305Before stating this as a formal definition we give a pictorial description for a genus 2 curve overthe reals given by an equation y 2 = f(x) with f monic of degree 5. As for elliptic curves, f is notallowed to have multiple roots over the algebraic closure to satisfy the condition of the definition.Figure 14.1 Group law on genus 2 curve over the reals R, y 2 = f(x), deg f =5for (P 1 + P 2 ) ⊕(Q 1 + Q 2 )=R 1 + R 2 .−R 1−R 2P 1P 2Q 1Q 2R 1R 2Figure 14.1 demonstrates again that one cannot continue using the chord-and-tangent method fromelliptic curves as a line intersects in 5 instead of 3 points. To build a group we take the quotientof the group of sums of points on the curve by the subset of those sums where the points lie on afunction, e.g., R 1 =(x R1 ,y R1 ) and −R 1 =(x R1 , −y R1 ) lie on the curve given by x = x R1 and,hence, R 1 ⊕ (−R 1 )=0. Likewise the six points P 1 ,P 2 ,Q 1 ,Q 2 , −R 1 , −R 2 on the cubic add up tozero in the quotient group we consider.This way one sees that each element can be represented by at most two points that do not have thesame x-coordinate and inverse y-coordinate. Namely, any n>1 points give rise to a polynomial ofdegree n − 1. Therearemax{5, 2(n − 1)}−n other points of intersection. As soon as n>2 theinverse of this sum of points, obtained by inflecting all points at the x-axis, contains fewer points.Repeating this process gives a reduced group element with at most 2 points. The second conditioncan be seen to hold as points (x 1 ,y 1 ) and (x 1 , −y 1 ) both lie on the function x = x 1 .Adding two elements is done in two steps. First the formal sum is formed and then it is reduced.In the general case both group elements consist of 2 points given by P 1 + P 2 and Q 1 + Q 2 and the4 points are all different. A function y = s(x) of degree 3 in x passes through all of them having2 more points of intersection with C. The two new points −R 1 and −R 2 are inflected and give theresult of the addition (P 1 + P 2 ) ⊕ (Q 1 + Q 2 )=R 1 + R 2 .As in the case of elliptic curves, one can derive the group law from this description by making allsteps explicit. For genus 2 curves over finite fields this is done in Sections 14.3, 14.4, and 14.5. Ifh ≠0there are still two points with equal x-coordinate but the opposite of P =(x 1 ,y 1 ) is givenby −P = ( x 1 , −y 1 − h(x 1 ) ) .

306 Ch. 14 Arithmetic of Hyperelliptic CurvesFor hyperelliptic curves of arbitrary genus g one obtains that each group element is represented byat most g points and that in the reduction step one might need several rounds to find a minimalrepresentative. Note that so far we did not touch the problem over which fields the points shouldbe defined. In the following an isomorphic representation is introduced, which is advantageous forimplementation purposes.14.1.2 Divisor class group and ideal class groupThe group we described so far is called the divisor class group Pic 0 C of C. To formally define thegroup law we need to take into account a further point P ∞ called the point at infinity. (For curves ofthe form (14.1) there is only a single point at infinity and this is crucial for the way we implementthe arithmetic.) In the picture it can be visualized as lying far out on the y-axis such that any lineparallel to it passes through P ∞ .We repeat the main definitions from Chapter 4.Definition 14.3 Let C be a hyperelliptic curve of genus g over K given by an equation of the form(14.1). The group of divisors of C of degree 0 is given by{Div 0 C = D = ∑ n P P | n P ∈ Z,n P =0 for almost all P ∈ C,P ∈C∑n P =0, andsuchthat σ(D) =D for all σ ∈ G K}.P ∈CThis latter condition means that the divisor is defined over K. This is equivalent to n σ(P ) = n P forall σ ∈ G K , the Galois group of K.Definition 14.4 The divisor class group Pic 0 C of C is the quotient group of Div 0 C by the group ofprincipal divisors, that are divisors of degree zero resulting from functions.Each divisor class can be uniquely represented by a finite sumr∑P i − rP ∞ , P i ∈ C {P ∞ },r g,i=1where for i ≠ j we have P i =(x i ,y i ) ≠ ( x j , −y j − h(x j ) ) = −P j .The following theorem introduces a different representation that is more useful for implementations,and for which one can simply read off the field of definition of the group elements. The theoreticalbackground for this alternative representation is the fact that for curves of the form (14.1) the divisorclass group is isomorphic to the ideal class group of the function field K(C). Furthermore, thedivisor class group is isomorphic to the group of K-rational points of the Jacobian J C of C. (Fordetails see Section 4.4.6.a.) Mumford representation makes explicit this isomorphism and we willuse the representation as an ideal class group for the arithmetic. However, to develop the formulaswe come back to the representation as a finite sum of points. To fix names we keep speaking of thedivisor class group and call the group elements divisor classes even when using the notation as idealclasses.Theorem 14.5 (Mumford representation)Let C be a genus g hyperelliptic curve as in (14.1) given by C : y 2 + h(x)y = f(x), whereh, f ∈ K[x], deg f =2g +1, deg h g. Each nontrivial divisor class over K can be representedvia a unique pair of polynomials u(x) and v(x), u,v∈ K[x] ,where

§ 14.1 Summary of background on hyperelliptic curves 3071. u is monic,2. deg v

308 Ch. 14 Arithmetic of Hyperelliptic CurvesThe amount of work to find v is equal to solving the g quadratic equations in the first approach.However, checking if a u belongs to a class requires more effort. Hence, for an implementation onecan trade off the generality of the class for less work.Example 14.6 On the curve from Example 14.2, a divisor class is given by D __=[x 2 + 376x +245, 1015x + 1368]. Wehave[2] D __=[x 2 + 1226x + 335, 645 + 1117] and [3874361] D __=[1, 0].Using this compact description of the elements, one can transfer the group law that was derivedabove as a sequence of composition and reduction to an algorithm operating on the representingpolynomials and using only polynomial arithmetic over the field of definition K. This algorithmwas described by Cantor [CAN 1987] for odd characteristic and by Koblitz [KOB 1989] for arbitraryfields.Algorithm 14.7 Cantor’s algorithmINPUT: Two divisor classes D __1 =[u 1,v 1] and D __2 =[u 2,v 2] on the curve C : y 2 + h(x)y =f(x).OUTPUT: The unique reduced divisor D such that D __= D __1 ⊕ D __2.1. d 1 ← gcd(u 1,u 2) [d 1 = e 1u 1 + e 2u 2]2. d ← gcd(d 1,v 1 + v 2 + h) [d = c 1d 1 + c 2(v 1 + v 2 + h)]3. s 1 ← c 1e 1,s 2 ← c 1e 2 and s 3 ← c 24. u ← u1u2 s1u1v2 + s2u2v1 + s3(v1v2 + f)d 2 and v ← mod ud5. repeat6. u ′ f − vh − v2←uand v ′ ← (−h − v) modu ′7. u ← u ′ and v ← v ′8. until deg u g9. make u monic10. return [u, v]We remark that Cantor’s algorithm is completely general and holds for any field and genus. It is anice exercise to check that the addition formulas derived in Section 13.1.1 for elliptic curves can beobtained as a special case of Cantor’s algorithm making all steps explicit for g =1.14.1.3 Isomorphisms and isogeniesSome changes of variables do not fundamentally alter the hyperelliptic curve. More precisely, letthe hyperelliptic curve C/K of genus g be given by C : y 2 + h(x)y = f(x). The mapsy ↦→ u 2g+1 y ′ +a g x ′ g +···+a1 x ′ +a 0and x ↦→ u 2 x ′ +b with (a g ,...,a 1 ,a 0 ,b,u) ∈ K g+2 ×K ∗are invertible and map each point of C to a point of C ′ : y ′2 + ˜h(x ′ )y ′ = ˜f(x ′ ),where˜h, ˜f aredefined over K and can be expressed in terms of h, f, a, b, c, d and u. Via the inverse map weassociate to each point of C ′ a point of C showing that both curves are isomorphic. These changesof variables are the only ones leaving invariant the shape of the defining equation and, hence, theyare the only admissible isomorphisms.The following examples study even and odd characteristic separately as they allow us differentisomorphic transformations of the curve equation. These transformations will be useful for thearithmetic of the curves.

§ 14.1 Summary of background on hyperelliptic curves 309Example 14.8 In the case of odd characteristic the transformation y ↦→ y ′ − h(x)/2 allows toconsider an isomorphic curve of the formy ′ 2 = ˜f(x) =x 2g+1 + ˜f 2g x 2g + ···+ ˜f 3 x 3 + ˜f 2 x 2 + ˜f 1 x + ˜f 0 , with ˜f i ∈ K, (14.3)where ˜f has no multiple roots over the algebraic closure K.Furthermore, if char(K) ≠2g+1we can obtain a further coefficient being zero. Namely, puttingx ↦→ x ′ − ˜f 2g /(2g +1)leads toy ′ 2 = ˆf(x ′ )=x ′ 2g+1 + ˆf2g−1 x ′ 2g−1 + ···+ ˆf1 x ′ + ˆf 0 , with ˆf i ∈ K. (14.4)Example 14.9 In the case of even characteristic a nonsingular curve must have h(x) ≠0as will beshown now. The partial derivative equations are given by 2y − h(x) =h(x) and h ′ (x)y − f ′ (x).If h(x) =0identically then the partial derivative for y vanishes completely and the one for xsimplifies to f ′ (x) =0. Over the algebraic closure K this equation has 2g roots. Let x 1 be oneof them. Over K, there exists an y 1 with f(x 1 )=y 2 1 , and, hence, a singular point P =(x 1,y 1 )satisfying the curve equation and both partial derivative equations.Hence, we can always assume h(x) ≠0and the transformation x ↦→ x ′ +f 2g leadstoanequationy 2 + ˜h(x ′ )y = x ′ 2g+1 + ˜f2g−1 x ′ 2g−1 + ···+ ˜f1 x ′ + ˜f 0 , with ˜f i ∈ K.Some more transformations are possible and useful to obtain efficient doublings. We come back tothis in Section 14.5 and Section 14.6.3.Even if the curves are not isomorphic, the Jacobians of C and C ′ might share some common properties.One calls J C and J C ′ isogenous if there exists a morphism ψ : J C → J C ′ mapping [1, 0]to the neutral element of J C ′. One important property of isogenies is that for every isogeny thereexists a unique isogeny ˆψ : J C ′ → J C called the dual isogeny such thatˆψ ◦ ψ =[n] and ψ ◦ ˆψ =[n] ′ ,where [n] ′ denotes the multiplication by n map on J C ′.Thedegree of the isogeny ψ is equal to thisn. For more background on isogenies we refer to Section 4.3.4.By abuse of notation, two curves C/K and C ′ /K are called isogenous if the correspondingJacobian varieties J C and J C ′ are isogenous.14.1.4 Torsion elementsDefinition 14.10 The kernel of [n] on J C is denoted by J C [n]. Anelement D __∈ J C [n] is called anelement of n-torsion.Theorem 14.11 Let C be a hyperelliptic curve defined over K. If the characteristic of K is eitherzero or prime to n thenJ C [n] ≃ (Z/nZ) 2g .Otherwise, when char(K) =p and n = p e thenwith 0 r g,foralle 1.J C [p e ] ≃ (Z/p e Z) r ,The following definition was given for general abelian varieties in Definition 4.74. We repeat it herefor easy reference in the special case of Jacobians of curves.

310 Ch. 14 Arithmetic of Hyperelliptic CurvesDefinition 14.12 Let char(K) =p. The p-rank of C/K is defined to be the integer r in Theorem14.11.An elliptic curve E is called supersingular if it has E[p e ] ≃{P ∞ }, i.e., if it has p-rank 0. AJacobian of a curve is called supersingular if it is the product of supersingular elliptic curves. Thus,especially the p-rank of a supersingular Jacobian variety is 0 but the converse does not have to hold.One also uses the term supersingular curve to denote that the Jacobian of this curve is supersingular.14.1.5 EndomorphismsThe multiplication by n is an endomorphism of J C . The set of all endomorphisms of J C definedover K will be denoted by End K (J C ) or more simply by End(J C ), and contains at least Z.Definition 14.13 If End(J C ) ⊗ Q contains a number field F of degree 2g over Q we say that J Chas complex multiplication.Thus, one has complex multiplication if the endomorphism ring is strictly bigger than Z.Remark 14.14 Let C be a nonsupersingular hyperelliptic curve over F q .ThenJ C always has complexmultiplication. Indeed, the Frobenius automorphism φ q of F q extends to the points of thecurve by sending P ∞ to itself and P =(x 1 ,y 1 ) to (x q 1 ,yq 1 ). One can easily check that the pointφ q (P )=(x q 1 ,yq 1 ) is again a point on the curve irrespective of the field of definition of P .Themapalso extends to the divisors and divisor classes. Hence, φ q is an endomorphism of J C , called theFrobenius endomorphism. It is different from [n] for all n ∈ Z.14.1.6 CardinalityLet the hyperelliptic curve C be defined over a finite field F q . As for elliptic curves we have boundson the number of points over a finite field and on the group order of the divisor class group. Thefollowing bounds depend only on the finite field and the genus of the curve:Theorem 14.15 (Hasse–Weil)(q 1/2 − 1) 2g |Pic 0 C | (q1/2 +1) 2g .The Frobenius endomorphism φ q operates on the points by raising the coordinates to the power ofq. This action is inherited by the divisor class group and there φ q maps the divisor class [u(x),v(x)]to [φ q (u(x)),φ q (v(x))], where it is applied to the coefficients of the polynomials. The Frobeniusendomorphism satisfies a characteristic polynomial defined over the integers.Theorem 14.16 Let C by a hyperelliptic curve of genus g defined over F q .The Frobenius endomorphism satisfies a characteristic polynomial of degree 2g given bywhere a i ∈ Z, 1 i g.χ(φ q ) C (T )=T 2g + a 1 T 2g−1 + ···+ a g T g + ···+ a 1 q g−1 T + q g ,Denote by M r the number of points of C(F q ) that are defined over F q r or a subfield F q s with s | r,and put N k = |Pic 0 C·F q k |. There is a relationship between the N i and the numbers M r for 1 r ggiven by the following theorem, which also provides the characteristic polynomial χ(φ q ) C (T ) ofthe Frobenius endomorphism.

§ 14.2 Compression techniques 311Theorem 14.17 Let C be a hyperelliptic curve of genus g defined over F q and let the factorizationof the characteristic polynomial χ(φ q ) C (T ) of the Frobenius endomorphism over C beThenχ(φ q ) C (T )=2g∏i=1(T − τ i ) with τ i ∈ C.(i) The roots of χ(φ q ) C satisfy |τ i | = √ q for 1 i 2g.(ii) There exists an ordering with τ i+g = τ i , hence, τ i τ i+g = q for 1 i g.(iii) For any integer k,wehaveN k =(iv) Put a 0 =1, then for 1 i g we have2g∏i=1(1 − τ k i ),M k = q k +1−2g∑i=1τ k i ,|M k − (q k +1)| g⌊2q k/2 ⌋.ia i = ( M i − (q i +1) ) a 0 + ( M i−1 − (q i−1 +1) ) a 1 + ···+ ( M 1 − (q +1) ) a i−1 .By the last property one sees that from the first g numbers M i of points on the curve one can obtainthe whole polynomial χ(φ q ) C (T ) and thus the cardinality of Pic 0 C as χ(φ q) C (1). To illustrate thisrelation: for a genus 2 curve we have to count the number of points defined over F q and F q 2 to obtaina 1 = M 1 − q − 1 and a 2 =(M 2 − q 2 − 1+a 2 1 )/2. For curves over large prime fields this posesa nontrivial problem. For details on point counting we refer to Chapter 17. For curves defined oversmall finite fields this way of determining the group order over extension fields is advantageous. Wedeal with such curves, called Koblitz curves, in Section 15.1.14.2 Compression techniquesWe now study the question of how to compress divisor classes [u, v] for a genus g curve given by(14.1). To this aim we fist consider compression of points as done for elliptic curves.We observe that for a point P = (x 1 ,y 1 ) there is at most one more point with the same x-coordinate, namely −P = ( x 1 , −y 1 −h(x 1 ) ) . There is no further point exactly if y 1 = −y 1 −h(x 1 ).Therefore, the x-coordinate determines a point up to the choice of two y-coordinates. This choicecan be given by a further bit, hence, a point can be represented by its x-coordinate and a further bit.The compression technique by Hess, Seroussi, and Smart [HESE + 2001] uses Mumford representation(cf. Theorem 14.5) and recovers the points representing the divisor class [u, v].For our exposition we first follow the approach of Stahlke [STA 2004]. To obtain efficient compressionand decompression techniques we need to study odd and even characteristic independentlyand use the isomorphic transformations from Examples 14.8 and 14.9.14.2.1 Compression in odd characteristicIn this paragraph we show how to compress a representative [u, v] of a divisor class by storing uand some more bits, such that we can reconstruct v. Since the characteristic is odd we can assumeh(x) =0. The same considerations hold in characteristic 0. Assume v to be unknown.

312 Ch. 14 Arithmetic of Hyperelliptic CurvesSince u | v 2 − f, thereisas ∈ K[x] such that us = v 2 − f. This is an equation between twopolynomials of degree 2g +1as deg f =2g +1. The unknowns are the (2g +2−deg u) coefficientsof s and at most deg u coefficients of v. Therefore, by comparison of coefficients we have 2g +2equations with at most 2g +2unknowns. We expect at most 2 g solutions for v in which case thechoice of one solution can be encoded in g bits.This expectation has to be verified in each case, of course. For elliptic curves we get two solutionsfor v and with just one bit we can reconstruct v, which corresponds to calculating the y-coordinatefrom the x-coordinate of a point (cf. Section 13.2.5). By way of illustration, from now on we restrictourselves to genus g =2.Then a curve can be defined byy 2 = x 5 + f 4 x 4 + f 3 x 3 + f 2 x 2 + f 1 x + f 0 ,where f has only simple roots in the algebraic closure. Let f i be the coefficients of f, (respectivelyu i of u, v i of v and s i of s). From us + f = v 2 by comparison of coefficients we getThe discriminant ofs(x) =−x 3 +(u 1 − f 4 )x 2 +(u 0 − u 2 1 + f 4 u 1 − f 3 )x + s 0 .u(x)s(x)+f(x) = ( s 0 + f 2 − f 3 u 1 − f 4 (u 0 − u 2 1)+u 1 (2u 0 − u 2 1) ) x 2 (14.5)+ ( u 1 s 0 + f 1 − f 3 u 0 + f 4 u 0 u 1 + u 0 (u 0 − u 2 1) ) x+ u 0 s 0 + f 0is of degree at most 2 in s 0 and all coefficients are known. It is zero because u(x)s(x)+f(x) is asquare (namely v(x) 2 ). From v(x) 2 = u(x)s(x)+f(x) we get relations for v 0 and v 1 :Compressionv 2 0 = u 0 s 0 + f 0 , (14.6)2v 0 v 1 = u 1 s 0 + f 1 − f 3 u 0 + f 4 u 0 u 1 + u 0 (u 0 − u 2 1 ), (14.7)v1 2 = s 0 + f 2 − f 3 u 1 − f 4 (u 0 − u 2 1)+u 1 (2u 0 − u 2 1). (14.8)The f i , u i and v i are known. Calculate s 0 from (14.6) or (if u 0 =0) from (14.8). Consider theright hand side of (14.5) as polynomial in x and let d(s 0 ) be its discriminant, which we consider aspolynomial in s 0 .Ifu 2 1 − 4u 0 ≠0, consider the discriminant of d and decide which root gives thecorrect value for s 0 . Store this choice in Bit 1 .Asq is odd, the most convenient choice might be totake as Bit 1 the least significant bit of the root (i.e., the parity of a coordinate of the root consideredas number in [0,p− 1]).Exception: If u 2 1 − 4u 0 = 0 then d(s 0 ) is of degree 1 and Bit 1 can be chosen arbitrarily.In fact d(s 0 ) is never of degree 0, otherwise a short calculation shows that f(−u 1 /2) = 0 andf ′ (−u 1 /2) = 0,so−u 1 /2 would be a singular point of the curve.Now store in Bit 2 the correct choice of v 0 as root of u 0 s 0 + f 0 (cf. (14.6)). (Again the mostconvenient choice might be to take as Bit 2 the least significant bit of v 0 .) But if v 0 =0then insteadstore in Bit 2 the correct choice of v 1 as root of the right hand side of (14.8).The compressed point is the tuple (u 0 ,u 1 , Bit 1 , Bit 2 ).DecompressionThe f i and u i are known. Also known are Bit 1 and Bit 2 . We need to recover v 0 and v 1 .Takethediscriminant of u(x)s(x)+f(x) (see (14.5)) and consider this discriminant d(s 0 ) as polynomial ins 0 . Calculate s 0 from d(s 0 )=0according to Bit 1 . Calculate v 0 from (14.6) according to Bit 2 .Ifv 0 ≠0then calculate v 1 from (14.7). If v 0 =0then calculate v 1 from (14.8) according to Bit 2 .

§ 14.3 Arithmetic on genus 2 curves over arbitrary characteristic 31314.2.2 Compression in even characteristicHere, we focus on finite fields of characteristic 2. Thus, we now assume that the genus g curve Cis given by C : y 2 + h(x)y = f(x), with h(x) ≠0and h, f ∈ F 2 d[x] and that the divisor class[u(x),v(x)] has u, v ∈ F 2 d[x]. The following algorithm is a special case of [HESE + 2001] andweprovide the version for arbitrary genus. Hence, one needs to factor the first polynomial u(x). Notethat for fixed genus and type of the curve it is again possible to take advantage of ideas as in theprevious section and work without factoring u(x), as shown for genus g =2in [LAN 2005a].CompressionLet m 1 (x),m 2 (x),...,m l (x) be the factorization of u(x) over F 2 d ordered in some prescribed way.For each factor m i (x) compute r i (x) =v(x) modm i (x) and ˜r i (x) =v(x) +h(x) modm i (x),and determine a bit to carry the correct choice as follows: if r i (x) is smaller than ˜r i (x) accordingto the ordering, then put Bit i to 0, otherwise assign Bit i =1.Remarks 14.18(i) For fixed h(x) it is possible to omit the computation of ˜r i (x) and derive a conditiondepending on r i (x) only to distinguish the two choices.(ii) If two factors m i (x) and m i+1 (x) are equal, the computation of r i needs to be doneonly once and one can put Bit i+1 = Bit i .The class is then represented by [u(x), Bit 1 ,...,Bit l ] needing at most gd + g bits.DecompressionTo recover the full representation one needs to invert the above process. Again one starts withfactoring u(x) into m 1 (x),m 2 (x),...,m l (x).For each polynomial m i (x) one performs the following procedure. Note that these factors areirreducible and hence define a field extension L = F 2 d[x]/(m i (x)) of degree deg(m i ). In particularthis means that one can compute in L and solve quadratic equations in the polynomial ring L[Y ] asexplained in Section 11.2.6.Compute the two solutions r i1 (x) and r i2 (x) of Y 2 + h(x)Y + f(x) (modm i (x)). The resultsare interpreted as polynomials of degree less than deg(m i ) over F 2 d.The bit Bit i determines which one to choose as the solutions correspond exactly to the polynomialsr i (x) and ˜r i (x) computed above.As above, these computations need not be performed if m i = m i+1 .This way one recovers [u(x),v(x)] = [m 1 (x),r 1 (x)] ⊕ [m 2 (x),r 2 (x)] ⊕···⊕[m l (x),r l (x)].Note that these additions do not involve reductions as the combined divisor class is reduced. Thismeans that v(x) can be obtained by interpolation, while u is known directly from the transmittedvalues.14.3 Arithmetic on genus 2 curves over arbitrary characteristicFor elliptic curves the group law can be stated as a sequence of multiplications, squarings, inversions,and additions over the field. For hyperelliptic curves we have Cantor’s algorithm to performaddition and doubling. Here we aim at deriving explicit formulas for genus two curves.The first attempt to find such explicit formulas was done by Spallek [SPA 1994] and by Krieger[KRI 1997]. The first practical formulas were obtained by Harley [HAR 2000], which were generalizedto even characteristic by Lange [LAN 2001a]; an improvement of the former paper can be

314 Ch. 14 Arithmetic of Hyperelliptic Curvesfound in Matsuo, Chao, and Tsujii [MACH + 2001]. A significant improvement was obtained independentlyby Takahashi [TAK 2002] and Miyamoto, Doi, Matsuo, Chao, and Tsujii [MIDO + 2002];this was generalized to even characteristic in [SUMA + 2002] and independently in [LAN 2002b].The second reference allows more general curves and manages to trade more multiplications forsquarings, which is desirable for characteristic 2 implementations.In this section we give the main ingredients to study explicit formulas for the group law for genustwo curves. To this end we first give the case study of [LAN 2001a] investigating what can bethe input of Cantor’s Algorithm 14.7 and proceed in considering these different cases. We statealgorithms for the addition and doubling in the most frequent cases for even and odd characteristic.These formulas involve (at least) 1 inversion per addition or doubling respectively. In someenvironments inversions are extremely time or space critical. In the following two Sections 14.4and 14.5 we consider in more detail the case of odd and even characteristic and also describe othercoordinate systems that avoid inversions on the cost of more multiplications.Unless stated otherwise, the following formulas hold independently of the characteristic, thereforewe take care of the signs; in characteristic 2, 2y is understood as zero.For all following sections we fix the notation to refer to the coefficient of x i in a polynomial l(x)as l i .14.3.1 Different casesConsider the composition step of Cantor’s Algorithm 14.7. The input are two classes represented bytwo polynomials each, namely [u 1 ,v 1 ] and [u 2 ,v 2 ]. Recall that Mumford representation 14.5 linkseach such class to at most two finite points of the curve.Without loss of generality, let deg u 1 deg u 2 .1. If u 1 is of degree 0 then D __1 must be the neutral element [u 1 ,v 1 ]=[1, 0]. The result of thecombination and reduction is the second class [u 2 ,v 2 ].2. If u 1 is of degree 1, then either u 2 is of degree 1 as well or it has full degree.A. Assume deg u 2 =1, i.e., u i = x + u i0 and the v i are constant. Then if u 1 = u 2 weobtain for v 1 = −v 2 − h(−u 10 ) the zero element [1, 0] and for v 1 = v 2 we double thedivisor to obtainu = u 2 1, (14.9)v =(f ′ (−u 10 ) − v 1 h ′ (−u 10 ) ) x + ( f ′ (−u 10 ) − v 1 h ′ (−u 10 ) ) u 10+ v 1 .2v 1 + h(−u 10 )Otherwise the composition leads tou = u 1 u 2 and v = ( (v 2 − v 1 )x + v 2 u 10 − v 1 u 20)/(u10 − u 20 ).In all cases the results are already reduced.B. Now let the second polynomial be of degree 2, i.e., u 2 = x 2 + u 21 x + u 20 . Then thecorresponding divisors are given byD 1 = P 1 − P ∞ and D 2 = P 2 + P 3 − 2P ∞ , with P i ≠ P ∞ .i. If u 2 (−u 10 ) ≠0then P 1 and −P 1 do not occur in D 2 . This case will be dealt withbelow in Section 14.3.2.b.ii. Otherwise if D 2 =2P 1 − 2P ∞ , which holds if u 21 =2u 10 and u 20 = u 2 10 onefirst doubles D 2 as in 3.A.ii and then subtracts D 1 using 2.B.i. If v 2 (−u 10 )=

§ 14.3 Arithmetic on genus 2 curves over arbitrary characteristic 315v 1 + h(−u 10 ) then −P 1 occurs in D 2 and the resulting class is given by u =x + u 21 − u 10 and v = v 2 (−u 21 + u 10 ). Otherwise one first doubles [u 1 ,v 1 ] by(14.9) and then adds[x + u 21 − u 10 ,v 2 (−u 21 + u 10 )],hence, reduces the problem to the case 2.B.i.3. Let deg u 1 =degu 2 =2.A. Let first u 1 = u 2 . This means that for an appropriate orderingD 1 = P 1 + P 2 − 2P ∞ and D 2 = P 3 + P 4 − 2P ∞ ,where the x-coordinates of P i and P i+2 are equal.i. If v 1 ≡−v 2 − h (mod u 1 ) then the result is [1, 0].ii. If v 1 = v 2 then we are in the case in which we double a class of order differentfrom 2 and with first polynomial of full degree. Again we need to consider twosubcases depending on whether a point in the support has order 2.If D 1 = P 1 + P 2 − 2P ∞ where P 1 is equal to its opposite, then the result is 2P 2and can be computed as above. The point P 1 =(x 1 ,y 1 ) is equal to its opposite,if and only if h(x 1 )=−2y 1 . To check for this case we compute the resultant ofh +2v 1 and u 1 .a. If Res(h +2v 1 ,u 1 ) ≠0then we are in the usual case where both points are notequal to their opposite. This will be considered in Section 14.3.2.c.b. Otherwise we compute the gcd(h +2v 1 ,u 1 )=(x − x 1 ) to get the coordinateof P 1 and double [x + u 11 + x 1 ,v 1 (−u 11 − x 1 )].iii. Now we know that without loss of generality P 1 = P 3 and P 2 ≠ P 4 is the oppositeof P 4 .Letv i = v i1 x + v i0 , then the result 2P 1 is obtained by doubling[x − (v10 − v 20 )/(v 21 − v 11 ),v 1((v10 − v 20 )/(v 21 − v 11 ) )]using (14.9).B. For the remaining case u 1 ≠ u 2 , we need to consider the following possibilities:i. If Res(u 1 ,u 2 ) ≠0then no point of D 1 is equal to a point or its opposite in D 2 .This is the most frequent case. We deal with it in Section 14.3.2.a.ii. If the above resultant is zero then gcd(u 1 ,u 2 )=x − x 1 and we know that eitherD 1 = P 1 + P 2 − 2P ∞ ,D 2 = P 1 + P 3 − 2P ∞ or D 2 contains the opposite of P 1instead. This can be checked by inserting x 1 in both v 1 and v 2 .a. If the results are equal then we are in the first case and proceed by computingD ′ =2(P 1 − P ∞ ),thenD ′′ = D ′ + P 2 − P ∞ and finally D = D ′′ + P 3 − P ∞by the formulas in 2. We extract the coordinates of P 2 and P 3 byP 2 = ( −u 11 − x 1 ,v 1 (−u 11 − x 1 ) )P 3 = ( −u 21 − x 1 ,v 2 (−u 21 − x 1 ) ) .b. In case v 1 (x 1 ) ≠ v 2 (x 1 ) the result is P 2 + P 3 − 2P ∞ .If one uses the resultant as recommended in 3.A.ii and 3.B.i then one needs to compute a greatestcommon divisor as well, to extract the coordinates of P 1 when needed. However, most frequentlywe are in the case of nonzero resultant and thus we save on average.

316 Ch. 14 Arithmetic of Hyperelliptic Curves14.3.2 Addition and doubling in affine coordinates (A)We now present in detail the algorithms for the cases left out above. These are the most commoncases. For the complexity estimates we always assume h 2 ∈{0, 1} and f 4 =0as this can always beachieved by isomorphic transformations unless the characteristic is 5. If the curve is not brought tothis form some computations should be performed differently (e.g., s 0 (s 0 +h 2 ) instead of s 2 0 +s 0h 2 ).We would like to stress that the formulas remain correct for other values of h 2 and f 4 , only theoperation count changes. Depending on the equation of the curve and the characteristic some furthertransformations can save operations. Later sections specialize the characteristic and thus obtain alower operation count.Finally, we mention that we only count multiplications, squarings, and inversions because additionsand subtractions are comparably cheap.14.3.2.aAddition in most common caseIn this case the two divisor classes to be combined consist of four points different from each otherand from each other’s negative. The results of the composition in Cantor’s Algorithm 14.7 areu = u 1 u 2 and a polynomial v of degree 3 satisfying u | v 2 + vh − f (see Theorem 14.5).As we started with u i | v 2 i + v ih − f we can obtain v using the Chinese remainder theorem (cf.Section 10.6.4).v ≡ v 1 (mod u 1 ), (14.10)v ≡ v 2 (mod u 2 ).Then we compute the resulting first polynomial u ′ by making (f − vh − v 2 )/(u 1 u 2 ) monic andtaking v ′ =(−h − v) modu ′ .To optimize the computations we do not follow this literally. We now list the needed subexpressionsand then show that in fact we obtain the desired result.t ← (f − v 2 h − v2)/u 2 2s ← ( )(v 1 − v 2 )/u 2 mod u1l ← su 2u ← ( t − s(l + h +2v 2 ) ) /u 1u ′ ← u made monicv ′ ← ( −h − (l + v 2 ) ) mod u ′The divisions made to get t and u are exact divisions due to the definition of the polynomials. Letus first verify that v = l + v 2 = su 2 + v 2 satisfies the system of equations (14.10). This is obviousfor the second equation. For the first one we considerv ≡ su 2 + v 2 ≡ ( (v 1 − v 2 )/u 2)u2 + v 2 ≡ v 1 (mod u 1 ).Now we check that u =(f − vh − v 2 )/(u 1 u 2 ) by expanding outu 1 u 2 u = u 2(t − s(l + h +2v2 ) ) = f − v 2 h − v 2 2 − l(l + h) − 2lv 2 = f − vh − v 2 .In the course of computing we do not need all coefficients of the polynomials defined above. Asf = x 5 + ∑ 4i=0 f ix i is monic and of degree 5, u 2 is monic of degree 2, deg h 2, and deg v 2 =1we have that t(x) =x 3 +(f 4 −u 21 )x 2 +cx+c ′ ,wherec, c ′ are some constants. In the computationof u we divide an expression involving t by a polynomial of degree 2, thus we only need the above

§ 14.3 Arithmetic on genus 2 curves over arbitrary characteristic 317known part of t. In the computation of a product of polynomials we use the following Karatsubastyle formula (cf. Section 10.3.2) to save one multiplication:(ax + b)(cx + d) =acx 2 + ( (a + b)(c + d) − ac − bd ) x + bd.To reduce a polynomial of degree 3 modulo a monic one of degree 2 we useax 3 +bx 2 +cx+d ≡ ( c−(i+j) ( a+(b−ia) ) +ia+j(b−ia) ) x+d−j(b−ia)(mod x 2 +ix+j)using only 3 multiplications instead of 4. Furthermore, we use an almost-inverse in the computationof s and compute rs instead, where r is the resultant of u 1 and u 2 , postponing and combining theinversion of r with that of s. This leads us to consider a further subcase, namely deg s =1.In the following table we list the intermediate steps together with the number of multiplications,squarings and inversions needed (respectively denoted by M, S and I). The names of the intermediatevariables refer to the above computations. A prime ′ indicates relative changes. For anactual implementation less variables are needed. However, we favored readability by humans in thisexposition.In the case study we have already computed the resultant of u 1 and u 2 when we arrive at thisalgorithm. Hence, we can assume that ũ 2 = u 2 (mod u 1 ) and Res(ũ 2 ,u 1 ) are known. However,we include the costs in the table, as we use these expressions to compute 1/ũ 2 mod u 1 .The following Algorithm 14.19 presents the complete addition formula. We apply the trick introducedby Takahashi [TAK 2002] to use a monic s ′′ . Note that the following algorithm needs thesame number of operations (assuming M=S) as his but manages to trade one more multiplicationfor a squaring, which might be advantageous for implementations.For even characteristic the independent work [SUMA + 2002] needs the same number of operationsbut considers only the case of deg h =2. Furthermore, in even characteristic squarings aremuch cheaper than multiplications and therefore our algorithm is faster. If h 1 =1the algorithmpresented now saves one multiplication in Line 6. The complexity for each step is given in brackets.Algorithm 14.19 Addition (g =2and deg u 1 =degu 2 =2)INPUT: Two divisor classes [u 1,v 1], [u 2,v 2] with u i = x 2 + u i1x + u i0 and v i = v i1x + v i0.OUTPUT: The divisor class [u ′ ,v ′ ]=[u 1,v 1] ⊕ [u 2,v 2].1. compute r =Res(u 1,u 2) [3M + S]z 1 ← u 11 − u 21, z 2 ← u 20 − u 10, z 3 ← u 11z 1 + z 2 and r ← z 2z 3 + z1u 2 102. compute almost inverse of u 2 modulo u 1 , i.e., inv = (r/u 2)modu 1inv 1 ← z 1 and inv 0 ← z 33. compute s ′ = rs = `(v 1 − v 2)inv´ mod u 1[5M]w 0 ← v 10 − v 20, w 1 ← v 11 − v 21, w 2 ← inv 0w 0 and w 3 ← inv 1w 1s ′ 1 ← (inv 0 +inv 1)(w 0 + w 1) − w 2 − w 3(1 + u 11) and s ′ 0 ← w 2 − u 10w 3if s ′ 1 =0 see below4. compute s ′′ = x + s 0/s 1 = x + s ′ 0/s ′ 1 and s 1 [I + 5M + 2S]w 1 ← (rs ′ 1) −1 , w 2 ← rw 1 and w 3 ← s ′ 12 w 1w 4 ← rw 2, w 5 ← w4 2 and s ′′0 ← s ′ 0w 2we have w 1 =1/r 2 s 1, w 2 =1/s ′ 1, w 3 = s 1 and w 4 =1/s 15. compute l ′ = s ′′ u 2 = x 3 + l 2x ′ 2 + l 1x ′ + l 0′l 2 ′ ← u 21 + s ′′0 , l 1 ′ ← u 21s ′′0 + u 20 and l 0 ′ ← u 20s ′′06. compute u ′ =(s(l + h +2v 2) − t)/u 1 = x 2 + u ′ 1x + u ′ 0u ′ 0 ← (s ′′0 − u 11)(s ′′0 − z 1 + h 2w 4) − u 10u ′ 0 ← u ′ 0 + l 1 ′ +(h 1 +2v 21)w 4 +(2u 21 + z 1 − f 4)w 5u ′ 1 ← 2s ′′0 − z 1 + h 2w 4 − w 5[2M][3M]

318 Ch. 14 Arithmetic of Hyperelliptic Curves7. compute v ′ = `−h − (l + v 2)´ mod u ′ = v 1x ′ + v 0′w 1 ← l 2 ′ − u ′ 1, w 2 ← u ′ 1w 1 + u ′ 0 − l 1 ′ and v 1 ′ ← w 2w 3 − v 21 − h 1 + h 2u ′ 1w 2 ← u ′ 0w 1 − l 0 ′ and v 0 ′ ← w 2w 3 − v 20 − h 0 + h 2u ′ 0[4M]8. return [u ′ ,v ′ ] [total complexity: I + 22M + 3S]In case s = s 0 , one needs to replace Lines 4–6 with the following.4’. compute s [I + M]inv ← 1/r and s 0 ← s ′ 0inv5’. compute u ′ = `t − s(l + h +2v 2)´/u 1 = x + u ′ 0[S]u ′ 0 ← f 4 − u 21 − u 11 − s 2 0 − s 0h 26’. compute v ′ = `−h − (l + v 2)´ mod u ′ = v 0′ [3M]w 1 ← s 0(u 21 + u ′ 0)+h 1 + v 21 − h 2u ′ 0 and w 2 ← u 20s 0 + v 20 + h 0v 0 ′ ← u ′ 0w 1 − w 2In this case the total complexity drops to I + 12M + 2S.14.3.2.b Addition in case deg u 1 =1and deg u 2 =2We now treat case 2.B.i of Section 14.3.1 in which for u 1 = x + u 10 we have u 2 (−u 10 ) ≠0.In principle we follow the same algorithm as stated in the previous section. But to obtain u wedivide by a polynomial of degree one, therefore we need an additional coefficient of t and save a lotin the other operations. Algorithm 14.20 shows that this case is much cheaper than the general one;however, it is not too likely to happen as with all special cases.Algorithm 14.20 Addition (g =2, deg u 1 =1, and deg u 2 =2)INPUT: Two divisor classes [u 1,v 1], [u 2,v 2] with u 1 = x+u 10,u 2 = x 2 +u 21x+u 20,v 1 = v 10and v 2 = v 21x + v 20.OUTPUT: The divisor class [u ′ ,v ′ ]=[u 1,v 1] ⊕ [u 2,v 2].1. compute r = u 2 mod u 1r ← u 20 − (u 21 − u 10)u 10u 2u 12. compute inverse of u 2 modulo u 1inv ← 1/r3. compute s = `(v 1 − v 2)inv´ mod u 1s 0 ← inv(v 10 − v 20 − v 21u 10)4. compute l = su 2 = s 0x 2 + l 1x 1x + l 0l 1 ← s 0u 21 and l 0 = s 0u 205. compute t =(f − v 2h − v 2)/u 2 2 = x 3 + t 2x 2 + t 1x + t 0t 2 ← f 4 − u 21 and t 1 ← f 3 − (f 4 − u 21)u 21 − v 21h 2 − u 20[M][I][2M][2M]6. compute u ′ = `t − s(l + h +2v 2)´/u 1 = x 2 + u ′ 1x + u ′ 0 [2M + S]u ′ 1 ← t 2 − s 2 0 − s 0h 2 − u 10u ′ 0 ← t 1 − s 0(l 1 + h 1 +2v 21) − u 10u ′ 17. compute v ′ = `−h − (l + v 2)´ mod u ′ = v 1x ′ + v 0′v 1 ′ ← (h 2 + s 0)u ′ 1 − (h 1 + l 1 + v 21)v 0 ′ ← (h 2 + s 0)u ′ 0 − (h 0 + l 0 + v 20)[M][2M]8. return [u ′ ,v ′ ] [total complexity: I + 10M + S]

§ 14.3 Arithmetic on genus 2 curves over arbitrary characteristic 31914.3.2.cDoublingThe above case study left open how one computes the double of a class where the first polynomialhas degree 2 and both points of the representing divisor are not equal to their opposites. Put u =x 2 + u 1 x + u 0 ,v= v 1 x + v 0 . Composing [u, v] with itself should result in a class [u new ,v new ],whereu new = u 2 ,v new ≡ v (mod u), (14.11)u new | vnew 2 + v newh − f. (14.12)Then this class is reduced to obtain [u ′ ,v ′ ]. We use the following subexpressions:t ← (f − hv − v 2 )/us ← t/(h +2v) modul ← suũ ← s 2 − ( (h +2v)s − t ) /uu ′ ← ũ made monicv ′ ← ( −h − (l + v) ) mod u ′Note that as above we do not compute the semi-reduced divisor explicitly, herev new = l + v = su + v.Hence, we see that (14.11) holds. To prove (14.12) we considerandv 2 new + v newh − f = l 2 +2lv + v 2 + hl + hv − f = s 2 u 2 + u(s(h +2v) − t)Finally, one finds by(h +2v)s − t ≡ (h +2v)t/(h +2v) − t ≡ 0 (mod u).(v 2 new + v newh − f)/u new =(s 2 u 2 +(h +2v)su − tu)/u 2that ũ is in fact obtained as described in the reduction algorithm.Unlike in the addition case we now need the exact polynomial t to compute the result. Forthe doublings it is necessary to separately count the operations for odd and even characteristic.The given formulas are most general, but for an actual implementation they should be modified,depending on the characteristic. For odd characteristic we assume h =0, as this can be achievedby replacing y by y − h(x)/2 in the defining equation, which transforms the curve to an isomorphicone.For even characteristic the different types of defining equation lead to many ways of improvement.They are studied in Section 14.5 in more detail. Therefore, we skip counting them in thefollowing Algorithm 14.21.Algorithm 14.21 Doubling (g =2and deg u =2)INPUT: A divisor class [u, v] with u = x 2 + u 1x + u 0 and v = v 1x + v 0.OUTPUT: The divisor class [u ′ ,v ′ ] = [2][u, v].1. compute ṽ =(h +2v) modu =ṽ 1x +ṽ 0ṽ 1 ← h 1 +2v 1 − h 2u 1 and ṽ 0 = h 0 +2v 0 − h 2u 0

320 Ch. 14 Arithmetic of Hyperelliptic Curves2. compute resultant r =Res(ṽ, u) [3M + 2S]w 0 ← v1, 2 w 1 ← u 2 1 and w 2 ← ṽ1 2 (note that w 2 =4w 0)w 3 ← u 1ṽ 1 and r ← u 0w 2 +ṽ 0(ṽ 0 − w 3)3. compute almost inverse inv ′ = r invinv ′ 1 ←−ṽ 1 and inv ′ 0 ← ṽ 0 − w 34. compute t ′ = `(f − hv − v )/u´ 2 mod u = t ′ 1x + t ′ 0w 3 ← f 3 + w 1, w 4 ← 2u 0 and t ′ 1 ← 2(w 1 − f 4u 1)+w 3 − w 4 − h 2v 1t ′ 0 ← u 1(2w 4 − w 3 + f 4u 1 + h 2v 1)+f 2 − w 0 − 2f 4u 0 − h 1v 1 − h 2v 05. compute s ′ =(t ′ inv ′ )moduw 0 ← t ′ 0inv ′ 0 and w 1 ← t ′ 1inv ′ 1s ′ 1 ← (inv ′ 0 +inv ′ 1)(t ′ 0 + t ′ 1) − w 0 − w 1(1 + u 1) and s ′ 0 ← w 0 − u 0w 1if s ′ 1 =0 see below[M][5M]6. compute s ′′ = x + s 0/s 1 and s 1 [I + 5M + 2S]w 1 ← 1/(rs ′ 1), w 2 ← rw 1 and w 3 ← s ′2 1w 1w 4 ← rw 2, w 5 ← w4 2 and s ′′0 ← s ′ 0w 2we have w 1 =1/r 2 s 1, w 2 =1/s ′ 1, w 3 = s 1 and w 4 =1/s 17. compute l ′ = s ′′ u = x 3 + l 2x ′ 2 + l 1x ′ + l 0′l 2 ′ ← u 1 + s ′′0 , l 1 ′ ← u 1s ′′0 + u 0 and l 0 ′ ← u 0s ′′0[2M]8. compute u ′ = s 2 +(h +2v)s/u +(v 2 + hv − f)/u 2 [2M + S]u ′ 0 ← s ′′ 2 0 + w 4`h2(s ′′0 − u 1)+2v 1 + h 1´+ w5(2u 1 − f 4)u ′ 1 ← 2s ′′0 + h 2w 4 − w 59. compute v ′ = `−h − (l + v)´ mod u ′ = v 1x ′ + v 0′w 1 ← l 2 ′ − u ′ 1, w 2 ← u ′ 1w 1 + u ′ 0 − l 1 ′ and v 1 ′ ← w 2w 3 − v 1 − h 1 + h 2u ′ 1w 2 ← u ′ 0w 1 − l 0 ′ and v 0 ′ ← w 2w 3 − v 0 − h 0 + h 2u ′ 0[4M]10. return [u ′ ,v ′ ] [total complexity: I + 22M + 5S]In case s = s 0 , one replaces Lines 6–9 by the following.6’. compute s and precomputations [I + 2M]w 1 ← 1/r, s 0 ← s ′ 0w 1 and w 2 ← u 0s 0 + v 0 + h 07’. compute u ′ =(f − hv − v 2 )/u 2 − (h +2v)s/u − s 2[S]u ′ 0 ← f 4 − s 2 0 − s 0h 2 − 2u 18’. compute v ′ = `−h − (su + v)´ mod u ′[2M]w 1 ← s 0(u 1 − u ′ 0) − h 2u ′ 0 + v 1 + h 1 and v 0 ′ ← u ′ 0w 1 − w 2In this case the total complexity drops to I + 13M + 3S.14.4 Arithmetic on genus 2 curves in odd characteristicIn the previous section we derived explicit formulas for addition and doubling on genus 2 curvesover finite fields of arbitrary characteristic. Already for the operation count of the doubling weneeded to separate even characteristic fields from those of odd characteristic. In this section weconsider further improvements for different coordinate systems. Here, we concentrate on fields ofodd characteristic.We introduce different sets of coordinates and consider the most frequent cases of inputs, namelythose given in detail in the previous section, and assume the most general output cases. Thus thespecial case of s = s 0 is no longer considered. Then we consider the task of computing scalar mul-

§ 14.4 Arithmetic on genus 2 curves in odd characteristic 321tiplication in the divisor class group and investigate the advantages of the different representationswith and without precomputations.14.4.1 Projective coordinates (P)So far, in the process of computation one inversion is required for each addition or doubling. Now,instead of following this line, we introduce a further coordinate called Z as with elliptic curves andlet the quintuple [U 1 ,U 0 ,V 1 ,V 0 ,Z] stand for [x 2 + U 1 /Z x + U 0 /Z, V 1 /Z x + V 0 /Z]. Due to theobvious resemblance with the case of elliptic curves we refer to this representation as projectivecoordinates and to the original one as affine coordinates. If the output of a scalar multiplicationshould be in the usual affine representation we need one inversion and four multiplications at theend of the computations.This idea was first proposed for genus 2 curves in [MIDO + 2002] and then largely improved andgeneralized by Lange in [LAN 2002c]. The idea of using affine and projective inputs together forthe addition algorithm was proposed for elliptic curves in [COMI + 1998] and generalized to genus2 curves in [LAN 2002c].We now proceed to investigate the arithmetic in the main cases. For applications one usuallychooses prime fields F q = F p ,wherep is large, or optimal extension fields F p d (cf. Chapter 2 forthe definitions) for p ∼ 2 32 . In particular one can assume that p ≠5and thus choose f 4 =0byExample 14.4.14.4.1.aAddition in projective coordinates for odd characteristicHere we consider the case that we add two classes, both in projective representation. This is neededif the whole system avoids inversion and classes are transmitted using this quintuple representation,if during the verification of a signature intermediate results should be added, or when using precomputationsgiven in projective representation. Obviously this algorithm also works for affine inputs ifone writes [u 1 ,v 1 ] as [u 11 ,u 10 ,v 11 ,v 10 , 1]. The numbers in brackets refer to the case, that the firstinput is affine, i.e., has Z 1 =1. A more careful implementation of this case allows us to save somefurther multiplications (see [LAN 2002c]), namely then one addition needs 40M + 3S.Algorithm 14.22 Addition in projective coordinates (g =2and q odd)INPUT: Two divisor classes D __1 and D __2 represented by D __1 = [U 11,U 10,V 11,V 10,Z 1] and__D 2 =[U 21,U 20,V 21,V 20,Z 2].OUTPUT: The divisor class [U 1,U ′ 0,V ′ 1,V ′0,Z ′ ′ ]= D __1 ⊕ D __2.1. precomputations [5M (none)]Z ← Z 1Z 2, eU 21 ← Z 1U 21, eU 20 ← Z 1U 20, eV 21 ← Z 1V 21 and eV 20 ← Z 1V 202. compute resultant r =Res(U 1,U 2)z 1 ← U 11Z 2 − eU 21 and z 2 ← eU 20 − U 10Z 2z 3 ← U 11z 1 + z 2Z 1 and r ← z 2z 3 + z1U 2 10u 2u 13. compute almost inverse of u 2 modulo u 1inv 1 ← z 1 and inv 0 ← z 3[6M + S (5M + S)]4. compute s [8M (7M)]w 0 ← V 10Z 2 − eV 20 and w 1 ← V 11Z 2 − eV 21w 2 ← inv 0w 0 and w 3 ← inv 1w 1s 1 ← (inv 0 + Z 1inv 1)(w 0 + w 1) − w 2 − w 3(Z 1 + U 11)s 0 ← w 2 − U 10w 3

322 Ch. 14 Arithmetic of Hyperelliptic Curves5. precomputations [8M + S]R ← Zr, s 0 ← s 0Z, s 3 ← s 1Z and eR ← Rs 3S 3 ← s 2 3, S ← s 0s 1, eS ← s 3s 1, bS ← s 0s 3 and bR ← eR eS6. compute l [3M]l 2 ← eS eU 21, l 0 ← S eU 20 and l 1 ← ( eS + S)( eU 21 + eU 20) − l 2 − l 0l 2 ← l 2 + b S7. compute U ′ [8M + 2S]U 0 ′ ← s 2 0 + s 1z 1`s1(z 1 + eU 21) − 2s 0´+ z2 eS + R`2s 1eV 21 + r(z 1 +2eU 21 − f 4Z)´U 1 ′ ← 2 bS − eSz 1 − R 28. precomputations [4M]l 2 ← l 2 − U ′ 1, w 0 ← U ′ 0l 2 − S 3l 0 and w 1 ← U ′ 1l 2 + S 3(U ′ 0 − l 1)9. adjust [3M]Z ′ ← eRS 3, U ′ 1 ← eRU ′ 1 and U ′ 0 ← eRU ′ 0V ′10. compute V ′V ′0 ← w 0 − b R eV 20 and V ′1 ← w 1 − b R eV 21[2M]11. return [U ′ 1,U ′ 0,V ′1,V ′0 ,Z ′ ] [total complexity: 47M + 4S (40M + 4S)]14.4.1.bDoubling in projective coordinates for odd characteristicFor the doubling algorithm the input is almost always in projective representation. Multiplicationsby f 4 are not counted.Algorithm 14.23 Doubling in projective coordinates (g =2and q odd)INPUT: A divisor class represented by [U 1,U 0,V 1,V 0,Z].OUTPUT: The divisor class [U 1,U ′ 0,V ′ 1,V ′0,Z ′ ′ ] = [2][U 1,U 0,V 1,V 0,Z].1. compute resultant and precomputations [4M + 3S]Z 2 ← Z 2 , eV 1 ← 2V 1, eV 0 ← 2V 0, w 0 ← V1 2 , w 1 ← U1 2 and w 2 ← 4w 0w 3 ← eV 0Z − U 1eV 1 and r ← eV 0w 3 + w 2U 02. compute almost inverseinv 1 ←−eV 1 and inv 0 ← w 33. compute t [5M]w 3 ← f 3Z 2 + w 1, w 4 ← 2U 0, t 1 ← 2w 1 + w 3 − Z(w 4 +2f 4U 1)t 0 ← U 1`Z(2w4 + f 4U 1) − w 3´+ Z`Z(f2Z − 2f 4U 0) − w 0´see Remark 14.24 (ii)4. compute s [7M]w 0 ← t 0inv 0, w 1 ← t 1inv 1 and s 3 ← (inv 0 +inv 1)(t 0 + t 1) − w 0 − (1 + U 1)w 1s 1 ← s 3Z and s 0 ← w 0 − ZU 0w 15. precomputations [6M + 2S]R ← Z 2r, eR ← Rs 1, S 1 ← s 2 1 and S 0 ← s 2 0s 1 ← s 1s 3, s 0 ← s 0s 3, S ← s 0Z and b R ← eRs 16. compute l [3M]l 2 ← U 1s 1, l 0 ← U 0s 0 and l 1 ← (s 1 + s 0)(U 1 + U 0) − l 2 − l 07. compute U ′ [4M + S]U ′ 0 ← S 0 + R`2s 3V 1 + Zr(2U 1 − f 4Z)´ and U ′ 1 ← 2S − R 2

§ 14.4 Arithmetic on genus 2 curves in odd characteristic 3238. precomputations [4M]l 2 ← l 2 + S − U ′ 1, w 0 ← U ′ 0l 2 − S 1l 0 and w 1 ← U ′ 1l 2 + S 1(U ′ 0 − l 1)9. adjust [3M]Z ′ ← S 1eR, U ′ 1 ← eRU ′ 1 and U ′ 0 ← eRU ′ 010. compute V ′ [2M]V 0 ′ ← w 0 − RV b 0 and V 1 ′ ← w 1 − RV b 111. return [U ′ 1,U ′ 0,V ′1,V ′0 ,Z ′ ] [total complexity: 38M + 6S]Remarks 14.24(i) First of all one notices that doublings are much faster than general additions; this isespecially interesting as doublings occur much more frequently than additions in anyalgorithm to compute scalar multiples, most striking in windowing methods.(ii) If f 4 =0,thent 0 in Line 3 is computed as t 0 ← U 1 (2Zw 4 − w 3 )+Z(f 2 Z 2 − w 0 ).Here, we use that Zw 4 is already obtained during the computation of t 1 .It is interesting to note that the value of the additional coordinate Z ′ was not kept minimal. Onecould have avoided (at least) a factor of Z1Z 2 2 of the denominator in the addition and of Z in thedoubling. However, as we tried to minimize the number of operations, we allowed the larger valueof Z 4 rs 3 1 in both cases as this proved to be more efficient. Besides one sees that U 1 ′ and U 0 ′ have tobe adjusted to have the same (larger) denominator Z ′ as V 1 ′,V′0 .14.4.2 New coordinates in odd characteristic (N )As we just noticed, the necessary denominator of the V i ’s differs from that of the U i ’s. This leads usto consider a further set of coordinates. Here, we suggest letting [U 1 ,U 0 ,V 1 ,V 0 ,Z 1 ,Z 2 ] correspondto the affine class [x 2 +U 1 /Z1 2 x+U 0 /Z1,V 2 1 /(Z1Z 3 2 ) x+V 0 /(Z1Z 3 2 )]. This means that now a pointcorresponds to a sextuple; thus one needs one more entry than for projective coordinates. Coordinatesystems in which not all entries have the same denominator are called weighted coordinates. Forelliptic curves this corresponds to Jacobian coordinates. Compared to the case of elliptic curves, forequal security the entries for g =2are of only half the size, thus the space requirements are similar.As usual we assume f 4 =0. This time we do not include this coefficient in the formulas. Toincrease the performance we enlarge the set of coordinates to [U 1 ,U 0 ,V 1 ,V 0 ,Z 1 ,Z 2 ,z 1 ,z 2 ],wherez 1 = Z1 2 and z 2 = Z2 2 . These additional entries are computed anyway during each addition ordoubling and keeping them saves in the following operation. Both addition and doubling profitfrom z 1 whereas z 2 is only used for the doublings. We do not include Z 1 Z 2 because it is not usefulin doublings and is not automatically computed.If space is more restricted such that we can only use the sextuple of coordinates, we need twoextra squarings in the first step of the doubling or addition.These new coordinates were first proposed by the Lange [LAN 2002d]; they generalize the conceptsof Jacobian, Chudnovsky Jacobian and modified Jacobian coordinates from elliptic to hyperellipticcurves. The respective counterparts can be seen if one varies the additional coordinates —the original Jacobian coordinates correspond to allowing only Z 1 ,Z 2 . In the following we statethe most efficient algorithms, the additional coordinates become more and more useful with the increaseof the window size in scalar multiplications, and hence they form the counterpart to modifiedJacobian coordinates. The topic of which coordinates to choose in which system is treated furtherin Section 14.4.3.

324 Ch. 14 Arithmetic of Hyperelliptic Curves14.4.2.aAddition in new coordinates in odd characteristicIf one computes a scalar multiple of a point given in affine coordinates and has the intermediate resultsnon-normalized, then in the addition, the intermediate result enters in new coordinates whereasthe other class enters always as [U 11 ,U 10 ,V 11 ,V 10 , 1, 1, 1, 1]. The numbers in brackets refer to this(cheaper) case. For an algorithm devoted to this case see [LAN 2002d]. It needs only 36M + 5S.Algorithm 14.25 Addition in new coordinates (g =2and q odd)INPUT: Two divisor classes D __1 and D __2 represented by D __1 =[U 11,U 10,V 11,V 10,Z 11,Z 12,z 11,z 12] and D __2 =[U 21,U 20,V 21,V 20,Z 21,Z 22,z 21,z 22].OUTPUT: The divisor class D __ ′ =[U 1,U ′ 0,V ′ 1 ′ ,V 0,Z ′1,Z ′ 2,z ′ 1,z ′ 2]= ′ D __1 ⊕ D __2.1. precomputations [8M (2M)]z 13 ← Z 11Z 12, z 23 ← Z 21Z 22, z 14 ← z 11z 13 and z 24 ← z 21z 23eU 21 ← U 21z 11, eU 20 ← U 20z 11, eV 21 ← V 21z 14 and eV 20 ← V 20z 142. compute resultant r =Res(U 1,U 2)[11M + 4S (8M + 3S)]y 1 ← U 11z 21 − eU 21, y 2 ← eU 20 − U 10z 21 and y 3 ← U 11y 1 + y 2z 11r ← y 2y 3 + y1U 2 10, Z 2 ′ ← Z 11Z 21, eZ 2 ← Z 12Z 22 and Z 1 ′ ← Z 2′2eZ 2 ← eZ 2Z 1r, ′ Z 2 ′ ← Z 2 ′ Z e 2, eZ 2 ← eZ 2 2 and z 2 ′ ← Z 2′2u 2u 13. compute almost inverse of u 2 modulo u 1inv 1 ← y 1 and inv 0 ← y 34. compute s [8M (7M)]w 0 ← V 10z 24 − Ṽ 20, w 1 ← V 11z 24 − Ṽ 21, w 2 ← inv 0w 0 and w 3 ← inv 1w 1s 1 ← (inv 0 + z 11inv 1)(w 0 + w 1) − w 2 − w 3(z 11 + U 11)s 0 ← w 2 − U 10w 35. precomputations [6M + 3S]S 1 ← s 2 1, S 0 ← s 0Z ′ 1, Z ′ 1 ← s 1Z ′ 1, S ← Z ′ 1S 0 and S 0 ← S 2 0R ← rZ ′ 1, s 0 ← s 0Z ′ 1, s 1 ← s 1Z ′ 1 and z ′ 1 ← Z ′216. compute l [3M]l 2 ← s 1eU 21, l 0 ← s 0eU 20 and l 1 ← (s 0 + s 1)( eU 20 + eU 21) − l 0 − l 2l 2 ← l 2 + S7. compute U ′V 1 ′ ← R eV 21U 0 ′ ← S 0 + y 1`S1(y 1 + eU 21) − 2s 0´+ y2s 1 +2V 1 ′ +(2eU 21 + y 1) eZ 2U ′U ′ 1 ← 2S − y 1s 1 − z ′ 2[6M]8. precomputations [2M]l 2 ← l 2 − U ′ 1, w 0 ← l 2U ′ 0 and w 1 ← l 2U ′ 1V ′9. compute V ′V 1 ′ ← w 1 − z 1(l ′ 1 + V 1 ′ − U 0) ′ and V 0 ′ ← w 0 − z 1(l ′ 0 + R eV 20)[3M]10. return [U ′ 1,U ′ 0,V ′1,V ′0 ,Z ′ 1,Z ′ 2,z ′ 1,z ′ 2] [total complexity: 47M + 7S (37M + 6S)]14.4.2.bDoublingThe formulas for doubling make obvious why we include z 2 = Z2 2 as well. If space is very limitedsuch that one cannot apply windowing methods at all, this is the first coordinate to drop if one needsto restrict the storage. Still, any binary method is fastest when including z 2 .

§ 14.4 Arithmetic on genus 2 curves in odd characteristic 325Algorithm 14.26 Doubling in new coordinates (g =2and q odd)INPUT: A divisor class represented by D __=[U 1,U 0,V 1,V 0,Z 1,Z 2,z 1,z 2].OUTPUT: The divisor class [U 1,U ′ 0,V ′ 1,V ′0,Z ′1,Z ′ 2,z ′ 1,z ′ 2]=[2] ′ D.__1. compute resultant and precomputations [8M + 3S]eU 0 ← U 0z 1, w 0 ← V 21 , w 1 ← U 2 1 and w 3 ← V 0z 1 − U 1V 1r ← w 0U 0 + V 0w 3, eZ 2 ← Z 2rz 1, Z ′ 2 ← 2 eZ 2Z 1 and eZ 2 ← eZ 2 22. compute almost inverseinv 1 ←−V 1 and inv 0 ← w 33. compute t [6M + S]z 3 ← z 2 1, w 3 ← f 3z 3 + w 1 and t 1 ← z 2`2(w1 − eU 0)+w 3´z 3 ← z 3z 1and t 0 ← z 2`U1(4 eU 0 − w 3)+z 3f 2´− w04. compute s [5M]w 0 ← t 0inv 0 and w 1 ← t 1inv 1s 1 ← (inv 0 +inv 1)(t 0 + t 1) − w 0 − w 1(1 + U 1) and s 0 ← w 0 − w 1eU 05. precomputations [5M + 3S]S 0 ← s 2 0, Z 1 ′ ← s 1z 1, z 1 ′ ← Z 12 ′ and S ← s0Z 1′R ← rZ 1, ′ z 2 ′ ← Z 2 ′2 , s 0 ← s 0s 1 and s 1 ← Z 1s ′ 16. compute l [3M]l 2 ← s 1U 1, l 0 ← s 0U 0 and l 1 ← (s 0 + s 1)(U 0 + U 1) − l 0 − l 2l 2 ← l 2 + S7. compute U ′ [2M]V 1 ′ ← RV 1, U 0 ′ ← S 0 +4(V 1 ′ +2eZ 2U 1) and U 1 ′ ← 2S − z 2′8. precomputations [2M]l 2 ← l 2 − U ′ 1, w 0 ← l 2U ′ 0 and w 1 ← l 2U ′ 19. compute V ′ [3M]V 1 ′ ← w 1 − z 1(l ′ 1 +2V 1 ′ − U 0) ′ and V 0 ′ ← w 0 − z 1(l ′ 0 +2RV 0)10. return [U ′ 1,U ′ 0,V ′1,V ′0 ,Z ′ 1,Z ′ 2,z ′ 1,z ′ 2] [total complexity: 34M + 7S]14.4.3 Different sets of coordinates in odd characteristicSo far we have given algorithms to perform the computations within one system and briefly mentionedadditions involving one input in affine coordinates. Now we are concerned with mixes ofcoordinate systems. To have suitable abbreviations, we denote by C 1 + C 2 = C 3 the computation ofan addition, where the first input is in coordinate system C 1 , the second in C 2 and the output is inC 3 . Similarly, 2C 1 = C 2 denotes a doubling with input in system C 1 and output in C 2 . We denote theaffine system by A, the projective by P and the new by N . In the following we estimate the costsof computing scalar multiples using various systems of coordinates. To have the figures in mind,the following Table 14.2 lists the costs for the most useful additions and doublings.14.4.3.a Scalar multiples in odd characteristicIn this section we concentrate on the computation of n-folds [n] D, __wheren is an integer and D __is adivisor class. For references on how to compute the respective expansions of n, see Chapter 9 and

326 Ch. 14 Arithmetic of Hyperelliptic Curvesthe references given therein.Table 14.2 Addition and doubling in different systems and in odd characteristic.DoublingAdditionOperation Costs Operation Costs2N = P 38M + 7S N + N = P 51M + 7S2P = P 38M + 6S N + P = P 51M + 4S2P = N 35M + 6S N + N = N 47M + 7S2N = N 34M + 7S N + P = N 48M + 4S— — P + P = P 47M + 4S— — P + P = N 44M + 4S— — A + N = P 40M + 5S— — A + P = P 40M + 3S— — A + N = N 36M + 5S— — A + P = N 37M + 3S2A = A I + 22M + 5S A + A = A I + 22M + 3SLet n = ∑ l−1i=0 n i2 i . The direct approach to compute [n] D __for a given class D __is to use the binarydouble and add method, starting with the most significant bit of n. Foreveryn i =1we need to performan addition as well as a doubling, while for a 0 one only doubles. The density is asymptotically1/2.Here we deal with the divisor class group of hyperelliptic curves and the negative of a classis obtained by negating the coordinates V i or v i respectively. Hence, signed binary expansionsare useful. They have the lower density of 1/3 if one uses an NAF of the multiplier, and areapproximately of the same length.If we can afford some precomputations, windowing methods (cf. Section 9.1.3) provide betterperformance; we consider signed expansions here. The NAF w representation, cf. Section 9.1.4 isadvantageous to compute scalar multiples [n]P . This requires us to precompute all odd multiples[i]P for 1

§ 14.4 Arithmetic on genus 2 curves in odd characteristic 327I+7Mfor N→A. Then we double l times and add on average l 3 times using l 3(4I + 88M + 18S).Table 14.3 Without precomputations, odd characteristic.Systems2A = A and A + A = A2N = N and A + N = N2N = N and N + P = Nl3l3l3Cost(4I + 88M + 18S)(138M + 26S)(150M + 25S)Otherwise, for affine input the new system is best, as the most common operation (doubling) ischeaper than in any other fixed system and the mixed addition is also fast.If the input is in P and inversions are very expensive, we need to find two systems C 1 and C 2 suchthat 2C 1 = C 1 , 2C 1 = C 2 and C 2 + P = C 1 are as cheap as possible, the first being the most frequentoperation. By Table 14.2 we choose C 1 = N .ForC 2 it is equal to choose N or P, therefore weuse N to save some bookkeeping. Thus the first doubling is done as 2P = N and all further as2N = N . There are approximately l doublings 2N = N and l 3additions N + P = N leading tol3(150M + 25S).If the input is in new coordinates, we do the same, except that the first doubling is 2N = Nneeding 1 more S, and we use 4M for N→Pof the initial point.To compare, using only projective coordinates we would need l 3(161M + 22S) and using onlynew coordinates results in l 3(149M + 28S); thus mixing the coordinate systems is advantageous.We state the overview in Table 14.3.Windowing methodsTo obtain the table of precomputed values, i.e., all odd multiples [i]D for 1

328 Ch. 14 Arithmetic of Hyperelliptic Curvesprojective coordinates for the precomputations, and the doublings are performed as 2N = N .Thenthe addition is done as N + P = N .Table 14.4 Precomputations in odd characteristic.System I M SA 2 w−2 22 × 2 w−2 3 × 2 w−2 +2A w − 1 25 × 2 w−2 +22w − 72 3 × 2 w−2 +5w − 3A 1 50 × w−2 −15 4 × 2 w−2 +2P 47 × 2 w−2 − 9 4 × 2 w−2 +2As in the case of elliptic curves, we put l 1 = l − (w − 1)/2 and K =1/2 − 1/(w +1). In a scalarmultiplication using an NAF w representation, on average l 1 + K doublings and (l 1 − K)/(w +1)additions are used. The costs are listed in Table 14.5. Some more computations can be saved usingthe tricks of [COMI + 1998]. Again, we leave out the initial costs for conversions and state theprecomputations separately in Table 14.4.Table 14.5 Windowing method in odd characteristic.Systems I M S2A = A, A + A = A l 1 + K + l1−Kw+122 ( l 1 + K + l1−K )w+15(l 1 + K)+3 l1−Kw+12N = N , A + N = N34(l 1 + K)+36 l1−Kw+17(l 1 + K)+5 l1−Kw+12N = N , N + P = N34(l 1 + K)+48 l1−Kw+17(l 1 + K)+4 l1−Kw+114.4.4 Montgomery arithmetic for genus 2 curves in odd characteristicFor elliptic curves we have shown in Section 13.2.3 that for certain curves a more efficient arithmeticis possible, one that also avoids inversions and uses the Montgomery ladder (cf. Algorithm 9.5). Thisallows us to have the uniform sequence of operations in the scalar multiplication of performing anaddition and a doubling for each bit of the scalar. This is advantageous if one tries to find countermeasuresagainst side-channel attacks as considered in Chapter 29. Furthermore, compared to thedirect application of ladder techniques, one can save some space by neglecting the y-coordinate.In this section we provide an analogue for genus 2 curves over fields of odd characteristic andshow how one can also neglect the second part of the representations here, i.e., the v in [u, v]. Notethat this is still an active area of research and that so far explicit formulas have only been derived forodd characteristic fields. Furthermore, both publications [DUQ 2004, LAN 2004a] take their mainmotivation from achieving countermeasures against side-channel attacks. Finding an analogue ofMontgomery coordinates in the sense of obtaining a very efficient projective coordinate system isstill an open problem.To describe Duquesne’s generalization [DUQ 2004] we need to consider a new object related to

§ 14.4 Arithmetic on genus 2 curves in odd characteristic 329genus 2 curves, the Kummer surface. His approach works only for curves that have a second F q -rational Weierstraß point, hence they have at least a cofactor of 2. Lange’s proposal [LAN 2004a]can be applied to arbitrary curves but is less efficient. Therefore, we decided not to put it in thischapter on efficient implementations.14.4.4.aDefinitionA Montgomery-like form for genus 2 curvesIn the following, we will say that a curve C is transformable into Montgomery-like form if it isisomorphic to a curve given by an equation of the typeBy 2 = x 5 + f 4 x 4 + f 3 x 3 + f 2 x 2 + x. (14.13)It is easy to prove that a curve C as defined in (14.1) is transformable into Montgomery-like form ifand only if• the polynomial f(x) has at least one root α in F q .• for this root, f ′ (α) is a fourth power in F q .Thus, as in the case of elliptic curves, not all the curves are transformable into the Montgomery-likeform. Nevertheless, there are O(q 3 ) genus 2 curves over F q showing that the choice of curves inMontgomery-like form is not too special. Note that different choices of f 4 ,f 3 and f 2 give rise todifferent isomorphism classes while B distinguishes only between the two quadratic twists.The Kummer surfaceMontgomery coordinates for elliptic curves allow us to avoid storing the y-coordinate (cf. Section13.2.3). This means that for the representation P and −P are identified. The analog for genus2 curves is called the Kummer surface, where a divisor and its opposite are identified. The Kummersurface is a quartic surface in P 3 . We give here the definition of the Kummer surface and itsproperties without proofs for curves in Montgomery-like form. They were obtained using the samemethod as in the book of Cassels and Flynn on genus 2 curves (cf. [CAFL 1996] or[FLY 1993]).We use the fact that each divisor class D __of degree 0 in Pic 0 C can be uniquely represented by at most2 points P =(x 1 ,y 1 ) and Q =(x 2 ,y 2 ) and identify the class D __with this representation. Let S bethe subset of Pic 0 C such that each divisor class is represented by a reduced divisor with exactly twodifferent points in the support.The Kummer surface is the image of the mapwithκ : S −→ P 3 (F q ){(x1 ,y 1 ), (x 2 ,y 2 ) } (↦−→ 1:x 1 + x 2 : x 1 x 2 : F )0(x 1 ,x 2 ) − 2By 1 y 2,(x 1 − x 2 ) 2F 0 (x 1 ,x 2 )=(x 1 + x 2 )+2f 2 x 1 x 2 + f 3 (x 1 + x 2 )x 1 x 2 +2f 4 x 2 1x 2 2 +(x 1 + x 2 )x 2 1x 2 2,together with the neutral element, which is represented by (0:0:0:1).In the following, for any divisor class __D, we will denote the components of the map κ asκ( __D) = ( k 1 ( __D) :k 2 ( __D) :k 3 ( __D) :k 4 ( __D) ) .More precisely, the Kummer surface is the projective locus given by an equation K of degree fourin the first three variables and of degree two in the last one. The exact equation can be found

330 Ch. 14 Arithmetic of Hyperelliptic Curvesonline [FLY]. In passing from the Jacobian to the Kummer surface, we have lost the group structure(as was already the case with elliptic curves) but traces of it remain. For example, it is possible todouble on the Kummer surface.Nevertheless, for general divisor classes D __1 and D __2 , we cannot determine the values of thek i ( D __1 ⊕ D __2 ) from the values of the k i ( D __1 ) and k i ( D ______2 ) since the latter do not distinguish between+− D 1 and + − D 2 , and so not between D __1 ⊕ D __2 and D __1 ⊖ D __2 . However the values of the k i ( D ____1 ⊕D 2 )k j ( D __1 ⊖ D __2 )+k i ( D __1 ⊖ D __2 )k j ( D __1 ⊕ D __2 ) are well defined.Theorem 14.27 There are explicit polynomials ϕ ij biquadratic in the k i ( D __1 ),k i ( D __2 ) such thatprojectivelyk i ( D __1 ⊕ D __2 )k j ( D __1 ⊖ D __2 )+k i ( D __1 ⊖ D __2 )k j ( D __1 ⊕ D __ ( __2 )=ϕ ij κ( D 1 ),κ( D __2 ) ) . (14.14)Using these biquadratic forms, we can easily compute the k i ( D __1 ⊕ D __2 ) if the k j ( D __1 ⊖ D __2 ) areknown. We can also compute the k i ([2] D __1 ) by putting D __1 = D __2 .By abuse of notation we put [2]κ( D) __=κ([2] D) __and κ( D __1 ) ⊕ κ( D __2 )=κ( D __1 ⊕ D __2 ) defininga group law on the Kummer surface, provided that this is possible, i.e., that κ( D __1 ) ⊖ κ( D __2 )=D 1 ⊖ D __2 ) is known.κ( __AdditionProposition 14.28 Let F q be a field of characteristic p ≠2, 3 and let C/F q be a curve of genus 2in Montgomery form (14.13). Let K C denote the Kummer surface of C. Let D __1 and D __2 be twodivisor classes of C, and assume that the difference D __1 ⊖ D __2 is known and that the third coordinateof its image in the Kummer surface is 1 (remember we are in P 3 (F q ) and thus can normalize as longas x 1 x 2 ≠0).Then we obtain the Kummer coordinates for D __1 ⊕ D __2 by the following formulas :k 1 ( D __1 ⊕ D __( __2 ) = ϕ 11 κ( D 1 ),κ( D __2 ) ) , (14.15)k 2 ( __D 1 ⊕ __D 2 ) = 2 ( ϕ 12(κ(__D 1 ),κ( __D 2 ) ) − k 1 ( __D 1 ⊕ __D 2 )k 2 ( __D 1 ⊖ __D 2 ) ) ,k 3 ( __D 1 ⊕ __D 2 ) = k 1 ( __D 1 ⊖ __D 2 )ϕ 33(κ(__D 1 ),κ( __D 2 ) ) ,k 4 ( __D 1 ⊕ __D 2 ) = 2 ( ϕ 14(κ(__D 1 ),κ( __D 2 ) ) − k 1 ( __D 1 ⊕ __D 2 )k 4 ( __D 1 ⊖ __D 2 ) ) ,where the ϕ ij are the biquadratic forms described in Theorem 14.27.( __The expressions of the ϕ ij κ( D 1 ⊕ D __2 ) ) , are available by anonymous ftp [FLY] but require a largenumber of operations in the base field to be computed. The main difficulty is to find expressionsthat require the least possible number of multiplications in F q . We now give more precisely theseexpressions for those ϕ ij we are interested in. We use the notation κ( D __1 )=(k 1 : k 2 : k 3 : k 4 ) andκ( D __2 )=(l 1 : l 2 : l 3 : l 4 ).( __ϕ 11 κ( D 1 ),κ( D __2 ) ) = ( (k 4 l 1 − k 1 l 4 )+(k 2 l 3 − k 3 l 2 ) ) 2,( __ϕ 12 κ( D 1 ),κ( D __2 ) ) = ( (k 2 l 3 + k 3 l 2 )+(k 1 l 4 + k 4 l 1 ) )( f 3 (k 1 l 3 + k 3 l 1 )+(k 2 l 4 + k 4 l 2 ) )+2(k 1 l 3 + k 3 l 1 ) ( f 2 (k 1 l 3 + k 3 l 1 )+(k 1 l 2 + k 2 l 1 ) − (k 3 l 4 + k 4 l 3 ) )+2f 4 (k 1 l 4 + k 4 l 1 )(k 2 l 3 + k 3 l 2 ),( __ϕ 33 κ( D 1 ),κ( D __2 ) ) = ( (k 3 l 4 − k 4 l 3 )+(k 1 l 2 − k 2 l 1 ) ) 2,( __ϕ 14 κ( D 1 ),κ( D __2 ) ) = (k 1 l 1 − k 3 l 3 ) [ (f 3 (k1 l 4 + k 4 l 1 ) − (k 2 l 3 + k 3 l 2 ) )+2 ( (k 1 l 2 + k 2 l 1 ) − (k 3 l 4 + k 4 l 3 ) )+ f 2 (k 4 l 4 + k 2 l 2 )+2f 4 (k 1 l 1 − k 3 l 3 ) ]+(k 2 l 2 − k 4 l 4 ) ( (k 2 l 3 + k 3 l 2 ) − (k 1 l 4 + k 4 l 1 ) − f 2 (k 1 l 1 + k 3 l 3 ) ) .

§ 14.4 Arithmetic on genus 2 curves in odd characteristic 331DoublingProposition 14.29 Let F q be a field of characteristic p ≠2, 3 and let C/F q be a curve of genus 2in Montgomery form (14.13). Let K C denote the Kummer surface of C. Let also D __1 beadivisorclass of C and κ( D __1 )=(k 1 : k 2 : k 3 : k 4 ), its image in the Kummer surface. Then we obtain theKummer coordinates for [2] D __1 given by κ([2] D __1 )=(δ 1 : δ 2 : δ 3 : δ 4 ) by the following formulas:δ 1 = 2ϕ 14(κ(__D 1 ),κ( __D 1 ) ) , (14.16)δ 2 = 2ϕ 24(κ(__D 1 ),κ( __D 1 ) ) +2f 3 K( __D 1 ),δ 3 = 2ϕ 34(κ(__D 1 ),κ( __D 1 ) ) ,δ 4 = ϕ 44(κ(__D 1 ),κ( __D 1 ) ) +2K( __D 1 ),where the ϕ ij are the biquadratic forms described in Theorem 14.27 and K is the equation of theKummer surface such that K( __D 1 )=0.This is just a consequence of Theorem 14.27. Let us note that in δ 2 and δ 4 we added a multiple ofthe equation of the Kummer surface in order to simplify the expressions as much as possible. Wegive now more precisely these expressions for the δ i .δ 1 = 8(k1 2 − k3) 2 ( f 4 (k1 2 − k3)+2(k 2 1 k 2 − k 3 k 4 ) )+8(k 1 k 4 − k 2 k 3 ) ( k4 2 − k2 2 + f 2 (k 1 k 4 − k 2 k 3 )+f 3 (k1 2 − k3) 2 ) ,δ 2 = 8(k1 2 + k3 2 − f 3 k 1 k 3 − 3k 2 k 4 )(k2 2 + k4 2 − f 3 (k1 2 + k3)+4k 2 1 k 3 )+ 16(k 2 k 4 + f 3 k 1 k 3 ) ( f 4 (k 1 k 2 + k 3 k 4 )+2(k2 2 + k2 4 )+f 2(k 1 k 4 + k 2 k 3 ) )(+32k 1 k 3 4k2 k 4 + f 2 (k 1 k 2 + k 3 k 4 )+(f2 2 + f 4 2 )k 1k 3 +8f 4 (k 1 k 4 + k 2 k 3 ) ) ,δ 3 = 8(k1 2 − k2 3 )(f 2(k1 2 − k2 3 )+2(k 1k 4 − k 2 k 3 )+f 3 (k 1 k 2 − k 3 k 4 )) +8(k 3 k 4 − k 1 k 2 ) ( k4 2 − k2 2 + f 4 (k 3 k 4 − k 1 k 2 ) ) ,δ 4 = (k2 2 + k4) 2 ( (k2 2 + k4) 2 − 2f 3 (k1 2 + k3) 2 )− 8k 1 k 3+(k1 2 + k3) 2 [ f 3 k 1 k 3 + f 4 (k 1 k 4 + k 2 k 3 )+2k 2 k 4 + f 2 (k 1 k 2 + k 3 k 4 )+(f3 2 − 4f 2 f 4 )(k1 2 + k3) 2 ] − 8f 2 f 4 (k 1 k 3 ) 2 .14.4.4.b Montgomery scalar multiplication on genus 2 curves in Montgomery-like formWe now show how to compute scalar multiplications [n] D __for some integer n and divisor class D.__To add two classes in the representation on the Kummer surface we need to know their difference.Therefore, we can apply the Montgomery ladder (cf. Algorithm 9.5).Algorithm 14.30 Montgomery scalar multiplication for genus 2 curvesINPUT: A divisor class D __∈ Pic 0 C and a positive integer n =(n l−1 ...n 0) 2.OUTPUT: The image κ([n] D) __of [n] D __in the Kummer surface.__1. (D 1,D 2) ←`(0:0:0:1),κ( D)´2. for i = l − 1 down to 0 do3. if n i =0 then (D 1,D 2) ← ([2]D 1,D 1 ⊕ D 2)4. else (D 1,D 2) ← (D 1 ⊕ D 2, [2]D 2)5. return D 1

332 Ch. 14 Arithmetic of Hyperelliptic CurvesNote that, at each step, we always have D 2 ⊖ D 1 = κ( __D) so that the addition of D 1 and D 2 ispossible on the Kummer surface.Number of operationsAt each step of the algorithm, we perform both an addition and a doubling, hence we just haveto count the number of operations required for each of them. In the following, M will denote amultiplication in F q and S a squaring.Table 14.6 Doubling of __D 1 in K C and addition of __D 1 and __D 2 in K C if __D 1 ⊖ __D 2 is known.DoublingAdditionOperation Costs Operation CostsPrecomputations {k i k j } i,j=1,...,46M + 4S Precomputations {k i l j } i,j=1,...,416M( __δ 1 5M ϕ 11 κ( D 1 ),κ( D __2 ) )S( __δ 2 11M ϕ 12 κ( D 1 ),κ( D __2 ) )6M( __δ 3 5M ϕ 33 κ( D 1 ),κ( D __2 ) )S( __δ 4 5M ϕ 14 κ( D 1 ),κ( D __2 ) )6M— — κ( D __1 ⊕ D __2 )3MTotal 31M + 5S Total 31M + 2SRemarks 14.31(i) To double one uses 31 multiplications including 16 multiplications by coefficients of thecurve. The multiplications f 3 k 1 k 3 ,f 3 (k1 2 + k2 3 ),f 4(k 1 k 4 + k 2 k 3 ) and f 2 (k 1 k 2 + k 3 k 4 )are not counted in δ 4 since they were already computed in δ 2 . Furthermore, we assumedthat f 2 f 4 ,f3 2 − 4f 2f 4 and f2 2 + f 4 2 were precomputed.(ii) The 31 multiplications needed for an addition include 7 multiplications by coefficientsof the curve.Hence, on a curve in the Montgomery form as in (14.13), the scalar multiplication [n] D __by n =∑ l−1i=0 n i2 i using the Montgomery method requires (62M + 7S)l.14.4.4.cComparison with usual algorithms for scalar multiplicationTo date, the best algorithms for scalar multiplication on genus 2 curves defined over a field of oddcharacteristic are obtained by using mixed new coordinates (cf. Section 14.4.2). In this case, oneneeds 34M + 7S for a doubling and 36M + 5S for an addition. Hence, a single operation is moreexpensive but the Montgomery ladder requires us to compute both addition and doubling for eachbit of the scalar while the usual arithmetic can be used with N . Assuming an average density of 1/3of the scalar, new coordinates need only about 46M + 9S per bit. The use of windowing methodswith precomputations allows us to reduce this even further.Nevertheless, this algorithm is still interesting for many reasons.Remarks 14.32(i) As for elliptic curves, the Montgomery algorithm is automatically resistant against simpleside-channel attacks (cf. Section 29.1). Therefore, it is of interest for implementa-

§ 14.4 Arithmetic on genus 2 curves in odd characteristic 333tions on restricted devices including smart cards.Compared to the easiest countermeasure of performing a double and always add Algorithm28.3, the use of Montgomery arithmetic is much more efficient as 62M+7S insteadof 70M + 12S are needed per bit. Furthermore, one does not need dummy operationsthat could weaken the system against fault attacks. For more details on side-channelattacks see Chapters 28 and 29.(ii) The algorithm is very dependent on the coefficients of the curve. Indeed, there are 23multiplications by these coefficients but only 2 in Lange’s formulas. Hence, a goodchoice of the coefficients of the curve allows better timings. We consider this issue now.14.4.4.dSome special casesIn order to decrease the number of base field operations for the Montgomery algorithm, certainchoices of coefficients of the curve are better to use. For example, there are 6 multiplications byf 3 in the formulas in (14.15) and (14.16) so that, if one chooses f 3 =0or 1, the total amount ofmultiplications necessary for each bit of the scalar is 63 instead of 69. In Table 14.7, we summarizethe gain obtained in each operation. Let us note that there is no gain for the calculation of ϕ 11 , ϕ 33and precomputations.Table 14.7 Gain obtained in different cases.f 2 =0 f 2 small f 3 =0or small f 4 =0 f 4 smallϕ 12 M M M 2M Mϕ 14 2M 2M M M Mδ 1 M M M M Mδ 2 2M 2M 2M 2M 2Mδ 3 M M M M Mδ 4 M+S M 0 M+S MTotal 8M + S 8M 6M 8M + S 7MRemark 14.33 If two of these conditions on the coefficients are satisfied, the gain obtained is atleast the sum of the gains. If f 2 and f 4 are both small a further M is saved in (f 2 2 + f 2 4 )k 1k 3 .Of course, this kind of restriction implies that fewer curves are taken into account. For example,if f 3 =0, there are basically two free coefficients (namely f 2 and f 4 ) so that the number of suchcurves is O(q 2 ). Thus, we lose in generality. However, the cryptographic applications require onlyone curve such that the divisor class group has a large prime order subgroup.Let us now examine more precisely a particular case and compare our algorithm to the usual ones.Let C be a genus 2 curve defined over F q by an equation of the formBy 2 = x 5 + f 3 x 3 + εx 2 + x with ε = + − 1 and B and f 3 ∈ F p . (14.17)Here, Montgomery algorithm of scalar multiplication requires 46M+6S for each bit of the exponent,whereas with mixed new coordinates,• a sliding window method with window size equal to 4 requires on average 40M + 8Sper bit,

334 Ch. 14 Arithmetic of Hyperelliptic Curves• using the NAF representation requires (46M + 9S)l on average.Thus, this algorithm is 7 percent faster than a double and add and not too far from the slidingwindow method (less than 6 percent).The gain compared to the double-and-always-add algorithm is particularly striking, as there only70M + 12S are needed per bit. In fact, this is a gain of 37 percent.Of course, one can even be faster than the sliding window method by choosing a small coefficientf 3 , but the number of such curves becomes very small.Remark 14.34 Another means to accelerate this algorithm would be to choose f 2 , f 3 and f 4 to fitin one word. If the field needs b words then each multiplication is about b times faster, as for suchsmall field sizes the schoolbook method (Algorithm 10.8) is applied. E.g., if b =3then the numberof operations per bit reduces to about 47M + 7S.14.4.4.eExamplesHere we give examples of genus 2 curves in Montgomery form. The base field is the prime field F pwith p =2 80 +13(so that the group size is the same as for elliptic curves over fields of 160 bits).Let C 1 , C 2 and C 3 be the genus 2 curves defined by the equationsC 1 : 44294637780422381596577 y 2 = x 5 + 27193747657561668783534 x 4+ 29755922098575219239037 x 3+ 76047862040141126737826 x 2 + x,C 2 : 10377931047456722522292 y 2 = x 5 + 77304198867988157865677 x 3 + x 2 + x,C 3 : 69418837068442493864220 y 2 = x 5 + x 3 + x.Timings for these curves are provided in [DUQ 2004]. Montgomery arithmetic on C 3 outperformsnew coordinates with window width w =4and gets close to this on C 2 . The general type curve C 1is slower than new coordinates except for the side-channel resistant implementation.14.5 Arithmetic on genus 2 curves in even characteristicIn this section we consider hyperelliptic curves of genus 2 over binary fields given by an equationof the form (14.1) y 2 + h(x)y = f(x), whereh(x) =h 2 x 2 + h 1 x + h 0 and f(x) =x 5 + f 4 x 4 +f 3 x 3 + f 2 x 2 + f 1 x + f 0 are polynomials defined over F 2 d. By Example 14.9 we have h(x) ≠0.In order to get the best possible arithmetic, we first classify genus 2 curves and then give formulasfor addition and doubling for each type of curves following [BYDU 2004, LAST 2005,PEWO + 2004]. Then we deal with inversion-free systems as in odd characteristic.In this section, we will call “small” an element in F 2 d that is represented by a polynomial withalmost all its coefficients equal to zero, so that multiplications by such an element can be performedvia few additions and are almost for free.14.5.1 Classification of genus 2 curves in even characteristicClassification of genus 2 curves in characteristic 2 is considered in, for example, [CHYU 2002,BYDU 2004, LAST 2005]. We divide them into into three types depending on the polynomial h:• Type I if deg h =2. This type can be split in a Type Ia where h has no root in F 2 d and aType Ib where such a root exists.• Type II if deg h =1.

§ 14.5 Arithmetic on genus 2 curves in even characteristic 335• Type III if deg h =0.We will first find equations for these types of curves with the minimal number of nonzero coefficients.In other words, we give an analogue of the short Weierstraß equations for elliptic curves.Thanks to a change of variables of the formx ↦→ µ 2 x ′ + λ and y ↦→ µ 5 y ′ + µ 4 αx ′2 + µ 2 βx ′ + γ (14.18)after dividing the new equation by µ 10 , we can eliminate some coefficients from the equation (14.1).Proposition 14.35 A genus 2 curve of Type I defined over F 2 d by an equation of the form (14.1) isisomorphic to a curve defined by an equation of one of the following forms:Type Ia : y 2 +(x 2 + h 1 x + th 2 1)y = x 5 + εtx 4 + f 1 x + f 0 ,Type Ib : y 2 + x(x + h 1 )y = x 5 + εtx 4 + f 1 x + f 0 ,where ε ∈ F 2 and t denotes an element of trace 1 (t =1if d is odd). The isomorphism is explicitand uses the solution of quadratic equations in characteristic 2 explained in detail in Section 11.2.6.It is obtained using the change of variables (14.18) with• µ = h 2 ,• λ a root of h, if the Type is Ib (i.e., if Tr(h 0 h 2 h −21 )=0) and a solution of h(x) =th 2 1 h−1 2 , if the Type is Ia (i.e., if Tr(h 0h 2 h −21 )=1),• α a root of x 2 + h 2 x + f 4 + λ + εth −22 with ε =Tr ( (f 4 + λ)h2) 2 ,• β =(f 3 + h 1 α)h −12 ,• γ = ( )β 2 + h 1 β + αh(λ)+f 3 λ + f 2 h−12 .Remark 14.36 For curves of Type I, the three parameters h 1 , f 1 and f 0 are free so that this changeof variables provides 4q 3 isomorphism classes (with q =2 d ).Proposition 14.37 A genus 2 curve of Type II defined over F 2 d by an equation of the form (14.1)is isomorphic to a curve defined by an equation of the formy 2 + xy = x 5 + f 3 x 3 + εx 2 + f 0 ,y 2 + h 1 xy = x 5 + ε ′ x 3 + εth 2 1x 2 + f 0 ,if d is oddif d is evenwhere ε and ε ′ are in F 2 and t denotes an element of trace 1.The isomorphism is explicit and it is obtained using the change of variables (14.18) with• µ such that µ 3 = h 1 if d is odd and µ 4 = f 3 + h 1 α if d is even,• λ = h 0 h −11 .• α = √ λ + f 4 ,• β a root of x 2 + h 1 x + f 2 + f 3 λ + εth 2 1 with ε =Tr( (f 2 + f 3 λ)h −2 )1 and t =1if d isodd,• γ = ( )λ 2 f 3 + λ 4 + f 1 h−11 .

336 Ch. 14 Arithmetic of Hyperelliptic CurvesRemarks 14.38(i) Finding an element µ such that µ 3 = h 1 is always possible if d is odd, as then 3 ∤2 d − 1 (cf. Remark 2.94). Even though d odd is the most common case in cryptographicapplications (because of the Weil descent attack, Section 22.3), we also consider thecase where d is even. In this case, if h 1 is not a cube, an element b can be chosen inF 2 d such that h 1 b is a cube. Moreover, the probability that this element can be chosen“small” is very high so that multiplications by b are almost for free. In this case one canobtain an isomorphic curve given by an equation that is very similar to the one obtainedif d is odd [LAST 2005]:y 2 + b −1 xy = x 5 + f 3 x 3 + εts −2 x 2 + f 0 . (14.19)(ii) There are only two free parameters, f 3 and f 0 in the first form and h 1 and f 0 in thesecond one, as opposed to three in the general case showing that this type is indeedspecial. Thus, we obtain at most 2q 2 isomorphism classes of curves of Type II definedover F q if d is odd and 4q 2 if not.(iii) It is also possible to have f 3 zero at the cost of a nonzero h 0 , but we will see later that itis much more useful to have h 0 zero.For curves of Type Ib the group order is always divisible by 4 since there exist three divisor classesof order 2 resulting from the 2 points with x 1 =0and x 1 = h 1 .OverF 2 d the group order of TypeIa curves is divisible by 2 but not by 4, which needs a quadratic extension. Both types have full2-rank, i.e., J C [2] ≃ Z/2Z × Z/2Z.Type II curves have group order divisible by 2 as h has a single root. These curves have 2-rank 1.Type III curves have 2-rank 0 as h is constant and are thus supersingular (cf. Definition 4.74 andthe remark thereafter). This makes them weak under the Frey–Rück attack [FRRÜ 1994] astheyalways have a small embedding degree (cf. Section 24.2.2 and Galbraith [GAL 2001a]). Hence, theyshould be avoided for discrete logarithm systems. However, such curves have found an applicationin pairing based cryptography so that they must be considered.Proposition 14.39 A genus 2 curve of Type III defined over F 2 d by an equation of the form (14.1)is isomorphic to a curve defined by an equation of the formy 2 + b −1 y = x 5 + f 3 x 3 + f 1 x + εts −2 ,where we may assume that b is a “small” element of F 2 d such that bh 0 is a fifth power and ε is inF 2 . For odd d we can again achieve b =1.Remark 14.40 With this form we do not get a unique representative equation for each isomorphismclass, because it is proven in [CHYU 2002] that there are between 2q and 32q isomorphism classesfor curves of Type III and the form presented here has two free parameters (f 3 and f 1 ). In fact, afurther change of variables leads to restrictions on f 1 but this involves equations of degree 16.14.5.2 Explicit formulas in even characteristic in affine coordinates (A)The classification of the previous section allows some improvements in the formulas for the doubling.Addition works the same as in the general case given in Section 14.3.2.a. Of course, as somecoefficients of the curve become zero or “small”, some multiplications can be easily saved in theformulas. We now show how the doubling Algorithm 14.21 can be sped up for the individual types.In the following, the element t of trace 1 will always be chosen “small” and multiplications by tare not taken into account when listing the costs per step.

§ 14.5 Arithmetic on genus 2 curves in even characteristic 337The major speedup is obtained when h 0 =0which holds for curves of Type Ib and II. Langeand Stevens noticed in [LAST 2005] thatr, the resultant computed in the general formulas (seeSection 14.3.2.c for more details) will simplify to the form r = u 0˜r for some ˜r. This allows us tocancel r in the expressions, so its inverse is no longer needed.Moreover, they use the equationf + hv + v 2 = ut ′ + u 2 (x + f 4 ), (14.20)to avoid the computation of t ′ 0 and also the exact computation of s′ 0 is not necessary.We will now give explicit formulas for doubling an element [u, v] with deg u =2(thisisthegeneral case) on each type of curve in affine coordinates.In Algorithm 14.41 we give doubling formulas for a curve of Type Ia given by an equation ofthe form as in Proposition 14.35. In this case, h 0 ≠0so that the improvement of [LAST 2005]cannot be used. However, it is possible to use the equation (14.20) to trade off a multiplicationfor a squaring (which is usually more efficient in characteristic 2) as explained in [LAST 2005].Finally, we use the fact that h 0 = th 2 1 to save a multiplication compared to the doubling formulasin [LAST 2005].Formulas for such curves contain a lot of multiplications by h 1 so that it is interesting for efficiency’ssake to choose h 1 “small”. For h 1 =1and thus h 0 = t, only 15 multiplications, 7squarings and 1 inversion are required for doubling.Algorithm 14.41 DoublingonTypeIacurves(g =2and q even)INPUT: A divisor class [u, v] with u = x 2 + u 1x + u 0, v = v 1x + v 0, h 2 1 and t with Tr(t) =1.OUTPUT: The divisor class [u ′ ,v ′ ] = [2][u, v].t ′ 11. compute t ′ 1 and precomputations [3M + 2S]z 0 ← u 2 0, z 1 ← u 2 1 and w 0 ← h 1v 1(h 1 + v 1)t ′ 1 ← z 1 + v 1 and w 1 ← h 1u 12. compute resultant r =Res(ṽ, u)r ← (u 0 + th 2 1)(u 0 + th 2 1 + w 1)+h 2 1(u 0 + tz 1)s ′ 1s ′ 0[2M]3. compute s ′ 1 and almost s ′ 0 [3M + S]s ′ 1 ← f 1 + z 0 + w 1`t′ 1 + t(w 1 + εu 1)´ + w 0y ← f 0 + εtz 0 +(v 0 + εtw 1) 2 + h 1(u 0t ′ 1 + tw 0)If s ′ 1 =0see below4. compute s ′′ ← x + s 0/s 1 and s 1 [I + 5M + 2S]w 1 ← 1/(rs ′ 1), w 2 ← rw 1 and w 3 ← s ′21 w 1w 4 ← rw 2, w 5 ← w4 2 and s ′′0 ← u 1 + yw 2note that w 1 =1/r 2 s 1, w 2 =1/s ′ 1, w 3 = s 1 and w 4 =1/s 15. compute l ′l 2 ′ ← u 1 + s ′′0 , l 1 ′ ← u 1s ′′0 + u 0 and l 0 ′ ← u 0s ′′0[2M]6. compute u ′ [M + S]u ′ 0 ← s ′′ 2 0 + w 4(s ′′0 + u 1 + h 1)+εtw 5 and u ′ 1 ← w 4 + w 57. compute v ′w 1 ← l 2 ′ + u ′ 1 and w 2 ← u ′ 1w 1 + u ′ 0 + l 1′v 1 ′ ← w 2w 3 + v 1 + h 1 + u ′ 1w 2 ← u ′ 0w 1 + l 0 ′ and v 0 ′ ← w 2w 3 + v 0 + h 0 + u ′ 0[4M]8. return [u ′ ,v ′ ] [total complexity: I + 20M + 6S]

338 Ch. 14 Arithmetic of Hyperelliptic CurvesIn case s = s 0 , one replaces Lines 4–7 by the following lines.4’. compute s and precomputations [I + 2M]w 1 ← 1/r, s 0 ← yw 1 and w 2 ← u 0s 0 + v 0 + h 05’. compute u ′[S]u ′ 0 ← s 2 0 + s 0 + εt6’. compute v ′[2M]w 1 ← s 0(u 1 + u ′ 0)+u ′ 0 + v 1 + h 1 and v 0 ′ ← u ′ 0w 1 + w 2In this case the total complexity drops to I + 12M + 4S.In Algorithm 14.42 we give doubling formulas for a curve of Type Ib given by an equation ofthe form given in Proposition 14.35, assuming that h 2 1 is precomputed. There are, again, a lot ofmultiplications by h 1 so that we can get many more operations for free if we are willing to chooseh 1 “small”. Therefore we also include this possibility in parentheses.Algorithm 14.42 DoublingonTypeIbcurves(g =2and q even)INPUT: A divisor class [u, v] with u = x 2 + u 1x + u 0, v = v 1x + v 0 and h 2 1.OUTPUT: The divisor class [u ′ ,v ′ ] = [2][u, v].t ′ 11. compute t ′ 1 and precomputationsz 0 ← u 2 0, z 1 ← u 2 1 and w 0 ← v 1(h 1 + v 1)t ′ 1 ← z 1 + v 1, z 2 ← h 1u 1 and z 3 ← εtu 12. compute resultant r =Res(ṽ, u)˜r ← u 0 + h 2 1 + z 2 note that ˜r = r/u 0s ′ 1s ′ 03. compute s ′ 1 and almost s ′ 0w 2 ← u 1(t ′ 1 + z 3)+w 0 and w 3 ← v 0 + h 1t ′ 1s ′ 1 ← f 1 + z 0 + h 1w 2m 0 ← w 2 + w 3 note that m 0 =(s ′ 0 − u 1s ′ 1)/u 0If s ′ 1 =0see below[2M + 2S (3S)][3M (M)]4. compute s ′′ = x + s 0/s 1 and s 1 [I + 3M + S]w 2 ← 1/(s ′ 1) and w 3 ← u 0w 2w 4 ← ˜rw 3 and w 5 ← w42s ′′0 ← u 1 + m 0w 3note that w 2 =1/rs 1 and w 4 =1/s 15. compute u ′ [M + S]z 4 ← εtw 4 and u ′ 1 ← w 4 + w 5u ′ 0 ← s ′′20 + w 4(s ′′0 + h 1 + u 1 + z 4)v ′6. compute v ′z 5 ← w 2`m2 0 + t ′ 1(s ′ 1 + h 1m 0)´z 6 ← s ′′0 + h 1 + z 4 + z 5v ′ 0 ← v 0 + z 2 + z 1 + w 4(u ′ 0 + z 3)+s ′′0 z 6v ′ 1 ← v 1 + w 4(u ′ 1 + s ′′0 + εt + u 1)+z 5[6M + S (5M + S)]7. return [u ′ ,v ′ ] [total complexity: I + 15M + 5S (I + 10M + 6S)]In case s = s 0 , one replaces Lines 4–6 by the following lines.4’. compute s and precomputations [I + 2M]w 1 ← 1/˜r, s 0 ← m 0w 1 and w 2 ← u 0s 0 + v 05’. compute u ′[S]u ′ 0 ← s 2 0 + s 0

§ 14.5 Arithmetic on genus 2 curves in even characteristic 3396’. compute v ′w 1 ← s 0(u 1 + u ′ 0)+u ′ 0 + v 1 + h 1 and v 0 ′ ← u ′ 0w 1 + w 2[2M]In this case the total complexity drops to I+9M+3S,resp.I+5M+4S.In Algorithm 14.43 we give doubling formulas for a curve of Type II given by an equation of theformy 2 + h 1 xy = x 5 + f 3 x 3 + f 2 x 2 + f 0 .The number of operations required for each step is given for d odd (since it is the most frequentlyused case) and in parentheses for d even. If d is even, h 2 1 is precomputed.Algorithm 14.43 Doubling on Type II curves (g =2and q even)INPUT: A divisor class [u, v] with u = x 2 + u 1x + u 0, v = v 1x + v 0, h −11 , and h2 1.OUTPUT: The divisor class [u ′ ,v ′ ] = [2][u, v].1. compute rs 1z 0 ← u 2 0 and t ′ 1 ← u 2 1 + f 3w 0 ← f 0 + v0 2 note that w 0 = rs ′ 1/h 3 1If w 0 =0see below2. compute 1/s 1 and s ′′0 [I + 2M]w 1 ← (1/w 0)z 0 note that w 1 = h 1/s 1z 1 ← t ′ 1w 1 and s ′′0 ← z 1 + u 1s ′′3. compute u ′w 2 ← h 2 1w 1, u ′ 1 ← w 2w 1 and u ′ 0 ← s ′′20 + w 2u ′[3S][2S (2M + S)]4. compute v ′[3M + S (5M + S)]w 3 ← w 2 + t ′ 1v 1 ′ ← h −11 (w3z1 + w2u′ 1 + f 2 + v1) 2 and v 0 ′ ← h −11 (w3u′ 0 + z 0)v ′5. return [u ′ ,v ′ ] [total complexity: I+5M+6S(I+9M+5S)]If h −11 is small then the complexity drops down by 2M in Line 4.In case w 0 =0, one replaces Lines 2–4 by the following lines.2’. compute s and precomputations [M (2M)]s 0 ← h −11 t′ 1 and w 1 ← u 0s 0 + v 03’. compute u ′[S]u ′ 0 ← s 2 04’. compute v ′[2M]w 2 ← s 0(u 1 + u ′ 0)+v 1 + h 1 and v 0 ′ ← u ′ 0w 2 + w 1In this case the total complexity is 3M + 4S for h −11 =1or small and 4M + 4S otherwise.SummaryThe classification of the different types of genus 2 curves in characteristic 2 allows significantspeedups in the formulas for doublings given in Section 14.3.2.c for general curves. Indeed, theformulas for general curves in the general case require I + 22M + 5S ([LAN 2005b]) (in affinecoordinates) whereas only I+5M+6Sare needed for h(x) =x.We summarize the results in Table 14.8 listing only the general cases; for h of degree 1 andgeneral h the case “f 4 not small” does not apply, since then f 4 =0.

340 Ch. 14 Arithmetic of Hyperelliptic CurvesTable 14.8 Overview.f 4 small f 4 not smallh = x I+5M+6S n. a.h = h 1 x with h −11 small I+7M+5S n. a.h = h 1 x I+9M+5S n. a.h = x 2 + h 1 x with h −11 small I + 10M + 6S I + 12M + 6SType Ib I + 15M + 5S I + 17M + 5SType Ia, h 1 =1 I + 15M + 7S n. a.Type Ia I + 20M + 6S n. a.Supersingular curvesFinally, Algorithm 14.44 presents the doubling formulas for supersingular curves, i.e., curves ofType III. This case is included due to the recent work done with supersingular curves and identitybased encryption (cf. Chapter 24). The Tate–Lichtenbaum pairing on these curves (cf. Chapter 16)builds on addition and doubling. The costs of the doubling are given for h −10 =1as for d odd thiscase can always be achieved. Otherwise we include h −10 in the curve parameters. We state the costsfor arbitrary h 0 in parentheses and comment on small h −10 below.Algorithm 14.44 Doubling on Type III curves (g =2and q even)INPUT: A divisor class [u, v] with u = x 2 + u 1x + u 0, v = v 1x + v 0 and h −10 .OUTPUT: The divisor class [u ′ ,v ′ ] = [2][u, v].s 11. compute s 1z 0 ← u 2 1 and z 1 ← v12w 0 ← f 3 + z 0 note that w 0 ← s ′ 1/h 0If w 0 =0see below2. compute 1/s 1 and s ′′0 [I + M + S]w 1 ← 1/w 0 note that w 1 ← h 0/s ′ 1s ′′0 ← (f 2 + z 1)w 1 + u 1 and z 3 ← s ′′20s ′′3. compute u ′ [S (2M) ]w 2 ← h 2 0w 1, u ′ 1 ← w 2w 1 and u ′ 0 ← z 3u ′4. compute v ′v 1 ′ ← h −10`f1 + u 2 0 + u ′ 0w 0 + w 2(u ′ 1 + u 1 + s ′′0 )´v 0 ′ ← h −10`f0 + v0 2 + u ′ 0(f 2 + z 1 + w 2)´ + h 0v ′[2S][3M + 2S (5M + 2S)]5. return [u ′ ,v ′ ] [total complexity: I+4M+6S(I+8M+5S)]For small h −10 we save 2M in Line 4. In case w 0 =0, one replaces Lines 2–4 by the following lines.2’. compute s and precomputations [M (2M)]s 0 ← h −10 (f2 + z1) and w1 ← u0s0 + v0 + h03’. compute u ′[S]u ′ 0 ← s 2 04’. compute v ′[2M]w 2 ← s 0(u 1 + u ′ 0)+v 1 and v 0 ′ ← u ′ 0w 2 + w 1

§ 14.5 Arithmetic on genus 2 curves in even characteristic 341In this case the total complexity drops to 4M + S for arbitrary h 0 and 3M + 3S for h −10 smallincluding the case h 0 =1.14.5.3 Inversion-free systems for even characteristic when h 2 ≠0In this section we discuss inversion-free coordinate systems starting with some comments on projectivecoordinates. It is also possible to design formulas for the Types Ia and Ib separately resultingin slightly better results.All considerations for deg(h) =1are postponed until the next section.14.5.4 Projective coordinates (P)Addition in projective coordinates works almost the same as in Algorithm 14.22. In Line 5 oneadditionally computes w 4 = s 1 (w 1 + Ũ 21 ) and ˜h 1 = h 1 Z. The expressions for the output changetoU 0 ′ ← s 2 0 + s 1z 1 w 4 + z 2 ˜S + R ( h 2 (s 0 + w 4 )+s 1˜h1 + r(z 1 + f 4 Z) )U ′ 1 ← ˜Sz 1 + h 2 R + R 2V 0 ′ ← w 0 + h 2 u ′ 0 + ̂RṼ 20 + h 0 ZV 1 ′ ← w 1 + h 2 U 1 ′ + ̂R(Ṽ 21 + ˜h 1 )The doubling algorithm differs so much that we give the general formulas for even characteristiconly. For the counting we assume h 2 =1and f 4 = f 3 = f 2 =0as this can be reached for eachcurve of Type I by a slightly different change of variables for x and allowing an arbitrary h 0 .Algorithm 14.45 Doubling in projective coordinates (g =2, h 2 ≠0, and q even)INPUT: A divisor class represented by [U 1,U 0,V 1,V 0,Z].OUTPUT: The divisor class [U 1,U ′ 0,V ′ 1,V ′0,Z ′ ′ ] = [2][U 1,U 0,V 1,V 0,Z].1. compute resultant and precomputations [6M + 4S]˜h 1 ← h 1Z, ˜h 0 ← h 0Z, Z 2 ← Z 2 and eV 1 ← ˜h 1 + h 2U 1eV 0 ← ˜h 0 + h 2U 0, w 0 ← V 21 , w 1 ← U 2 1 and w 2 ← eV 2 1w 3 ← eV 0Z + U 1eV 1 and r ← eV 0w 3 + w 2U 02. compute almost inverseinv 1 ← eV 1 and inv 0 ← w 33. compute t [5M]t 1 ← w 1 + f 3Z 2 + Zh 2V 1 see Remark 14.46t 0 ← U 1`Z(f4U 1 + h 2V 1)+w 1 + f 3Z 2´+ Z`Z(f2Z + V 1h 1 + V 0h 2)+w 0´4. compute s [7M]w 0 ← t 0 inv 0 and w 1 ← t 1 inv 1s 3 ← (inv 0 +inv 1)(t 0 + t 1)+w 0 +(1+U 1)w 1s 1 ← s 3Z and s 0 ← w 0 + ZU 0w 15. precomputations [6M + 2S]R ← Z 2r, eR ← Rs 1, S 1 ← s 2 1, S 0 ← s 2 0 and w 2 ← h 2s 0s 1 ← s 1s 3, s 0 ← s 0s 3, S ← s 0Z and b R ← eRs 16. compute l [3M]l 2 ← U 1s 1, l 0 ← U 0s 0 and l 1 ← (s 1 + s 0)(U 1 + U 0)+l 2 + l 0

342 Ch. 14 Arithmetic of Hyperelliptic Curves7. compute U ′ [2M + S]U 0 ′ ← S 0 + R`s 3(h 2U 1 + ˜h 1)+w 2 + f 4R´ and U 1 ′ ← h 2eR + R 28. precomputations [4M]l 2 ← l 2 + S + U ′ 1, w 0 ← U ′ 0l 2 + S 1l 0 and w 1 ← U ′ 1l 2 + S 1(U ′ 0 + l 1)9. adjust [3M]Z ′ ← S 1eR, U ′ 1 ← eRU ′ 1 and U ′ 0 ← eRU ′ 0V ′10. compute V ′V ′0 ← w 0 + h 2U ′ 0 + bR(V 0 + ˜h 0) and V ′1 ← w 1 + h 2U ′ 1 + bR(V 1 + ˜h 1)[2M]11. return [U ′ 1,U ′ 0,V ′1,V ′0 ,Z ′ ] [total complexity: 38M + 7S]Remark 14.46 In fact if f 4 = f 3 = f 2 =0one computes t 0 differently as t 0 = U 1 t 1 + Z 2 (h 2 V 0 +h 1 V 1 )+Zw 0 using t 1 = w 1 + h 2 ZV 1 as precomputation.14.5.4.a New coordinates in even characteristic (N )To achieve better performance in inversion-free coordinates one can introduce weighted coordinates.In the following we present Lange’s [LAN 2002d, LAN 2005b] new coordinates. For the generalcase in even characteristic it is most useful to use the set of coordinates extended by some precomputationsand let N denote [U 1 ,U 0 ,V 1 ,V 0 ,Z 1 ,Z 2 ,z 1 ,z 2 ,z 3 ,z 4 ] with u i = U i /Z 2 1 ,v i = V i /(Z 3 1 Z 2)and the precomputations z 1 = Z 2 1,z 2 = Z 2 2,z 3 = Z 1 Z 2 and z 4 = z 1 z 3 . The latter is useful foradditions only and leaves the costs for doublings unchanged. The formulas show that Z 1 and Z 2 areno longer used separately. Therefore they can be left out leading again to 6 coordinates only.As p =2and h 2 ≠0, we assume f 3 = f 2 =0,h 2 =1and include them in the algorithm (butnot in the counting) only for the sake of completeness; f 4 is left out completely.For the addition we assume that both classes are in N . If one is in A the costs are given in brackets.A dedicated algorithm for N + A = N needs 37M + 5S (see [LAN 2002d]).Algorithm 14.47 Addition in new coordinates (g =2, h 2 ≠0, and q even)INPUT: Two divisor classes D __1 and D __2 represented by D __1 =[U 11,U 10,V 11,V 10,Z 11,Z 12,z 11,z 12,z 13,z 14] and D __2 =[U 21,U 20,V 21,V 20,Z 21,Z 22,z 21,z 22,z 23,z 24].OUTPUT: The divisor class D __ ′ =[U 1,U ′ 0,V ′ 1 ′ ,V 0,Z ′1,Z ′ 2,z ′ 1,z ′ 2,z ′ 3,z ′ 4]= ′ D __1 ⊕ D __2.1. precomputations [6M (none)]eU 21 ← U 21z 11, eU 20 ← U 20z 11, eV 21 ← V 21z 14 and eV 20 ← V 20z 14Z 1 ← z 11z 21 and Z 3 ← z 13z 232. compute resultant r =Res(U 1,U 2)[8M + S (7M + S)]y 1 ← U 11z 21 + eU 21, y 2 ← U 10z 21 + eU 20 and y 3 ← U 11y 1 + y 2z 11r ← y 2y 3 + y1U 2 10, eZ 2 ← rZ 3 and Z 2 ′ ← eZ 2Z 1u 2u 13. compute almost inverse of u 2 modulo u 1inv 1 ← y 1 and inv 0 ← y 34. compute s [8M (7M)]w 0 ← V 10z 24 + eV 20, w 1 ← V 11z 24 + eV 21, w 2 ← inv 0w 0 and w 3 ← inv 1w 1s 1 ← (inv 0 + z 11inv 1)(w 0 + w 1)+w 2 + w 3(z 11 + U 11)s 0 ← w 2 + U 10w 35. precomputations [10M + 3S]˜s 0 ← s 0Z 1, S 0 ← ˜s 2 0, Z 1 ′ ← s 1Z 1 and R ← rZ 1′

§ 14.5 Arithmetic on genus 2 curves in even characteristic 343y 4 ← s 1(y 1 + Ũ21), U 1 ′ ← y 1s 1, s 1 ← s 1Z 1 ′ and s 0 ← s 0Z 1′z 1 ′ ← Z 1 ′2 , z 2 ′ ← Z 2 ′2 , z 3 ′ ← Z 1Z ′ 2, ′ z 4 ′ ← z 1z ′ 3 ′ and ˜h 1 ← h 1z 3′6. compute l [3M]l 2 ← s 1eU 21, l 0 ← s 0eU 20 and l 1 ← (s 0 + s 1)( eU 20 + eU 21)+l 0 + l 27. compute U ′U 0 ′ ← S 0 + y 4U 1 ′ + y 2s 1 + Z 2`h2(˜s ′ 0 + y 4)+y 1eZ 2´+ ˜h1U 1 ′ ← U 1Z ′ 1 ′ + h 2z 3 ′ + z 2′[5M]8. precomputations [3M]l 2 ← l 2 + Z ′ 1˜s 0 + h 2z ′ 3 + U ′ 1, w 0 ← l 2U ′ 0 and w 1 ← l 2U ′ 1V ′V 1 ′ ← w 1 + z 1(l ′ 1 + R eV 21 + U 0 ′ + ˜h 1) and V ′__9. compute V ′D ′ ← [U 1,U ′ 0,V ′ 1,V ′0,Z ′1,Z ′ 2,z ′ 1,z ′ 2,z ′ 3,z ′ 4]′10. return __D ′0 ← w 0 + z ′ 1(l 0 + R eV 20)+h 0z ′ 4[5M][total complexity: 48M + 4S (40M + 4S)]Now we consider doublings.Algorithm 14.48 Doubling in new coordinates (g =2, h 2 ≠0, and q even)INPUT: A divisor class represented by D __=[U 1,U 0,V 1,V 0,Z 1,Z 2,z 1,z 2,z 3,z 4].OUTPUT: The divisor class [U 1,U ′ 0,V ′ 1,V ′0,Z ′1,Z ′ 2,z ′ 1,z ′ 2,z ′ 3,z ′ 4]=[2] ′ D.__1. compute resultant and precomputations [8M + 3S]˜h 1 ← z 1h 1 and ˜h 0 ← z 1h 0eV 1 ← ˜h 1 + h 2U 1 and eV 0 ← ˜h 0 + h 2U 0w 0 ← V1 2 , w 1 ← U1 2 and w 2 ← ˜h 2 1 + h 2 2w 1w 3 ← z 1(h 1U 1 + h 2U 0 + ˜h 0)+h 2w 1r ← w 2U 0 + eV 0w 3, eZ 2 ← z 3r and Z ′ 2 ← eZ 2z 42. compute almost inverseinv 1 ← eV 1 and inv 0 ← w 33. compute t [5M]w 3 ← f 3z 2 1 + w 1 and t 1 ← w 3z 2 + V 1h 2z 3t 0 ← U 1t 1 + w 0 + z 4(V 1h 1 + V 0h 2 + f 2z 4)4. compute s =(t inv) mod u[6M]w 0 ← t 0 inv 0 and w 1 ← t 1 inv 1s 1 ← (inv 0 +inv 1)(t 0 + t 1)+w 0 + w 1(1 + U 1)s 0 ← w 0 + U 0w 1z 15. precomputations [8M + 3S]y ← h 2s 0 + s 1(h 2U 1 + ˜h 1), Z ′ 1 ← s 1z 1, S 0 ← s 2 0 and z ′ 1 ← Z ′ 1S ← s 0Z ′ 1, R ← eZ 2Z ′ 1, s 0 ← s 0s 1 and s 1 ← Z ′ 1s 1z ′ 2 ← Z ′ 22 , z′3 ← Z ′ 1Z ′ 2 and z ′ 4 ← z ′ 1z ′ 36. compute l [3M]l 2 ← s 1U 1, l 0 ← s 0U 0 and l 1 ← (s 1 + s 0)(U 1 + U 0)+l 0 + l 2l 2 ← l 2 + S + h 2z ′ 37. compute U ′U 0 ′ ← S 0 + Z 2y ′ and U 1 ′ ← z 2 ′ + h 2z 3′2[M]

344 Ch. 14 Arithmetic of Hyperelliptic Curves8. precomputations [2M]l 2 ← l 2 + U ′ 1, w 0 ← l 2U ′ 0 and w 1 ← l 2U ′ 1V ′9. compute V ′V ′1 ← w 1 + z ′ 1(l 1 + RV 1 + U ′ 0)+z ′ 4h 1V ′0 ← w 0 + z ′ 1(l 0 + RV 0)+z ′ 4h 0[6M]10. return [U ′ 1,U ′ 0,V ′1,V ′0 ,Z ′ 1,Z ′ 2,z ′ 1,z ′ 2,z ′ 3,z ′ 4] [total complexity: 39M + 6S]14.5.4.bDifferent sets of coordinatesUsing the same abbreviations as in odd characteristic, we state the costs for the operations in differentcoordinate systems in Table 14.9. Note that contrary to the odd characteristic case the advantageof using the new coordinates is smaller. We state the operation count for curves of Type Ia. If infact h has a root it is possible to design faster algorithms.Table 14.9 Addition and doubling in different systems and in even characteristic with h 2 ≠0.DoublingAdditionOperation Costs Operation Costs2N = P 39M + 6S N + P = P 51M + 4S2P = P 38M + 7S N + N = P 50M + 4S2N = N 37M + 6S N + P = N 49M + 4S2P = N 36M + 7S P + P = P 49M + 4S— — N + N = N 48M + 4S— — P + P = N 47M + 4S— — A + N = P 39M + 5S— — A + P = P 39M + 4S— — A + P = N 37M + 4S— — A + N = N 37M + 5S2A = A I + 20M + 6S A + A = A I + 22M + 3S14.5.4.cComputation of scalar multiplesWe follow the same lines as in the odd characteristic and distinguish between precomputations andno precomputations.No precomputationFor cheap inversions one again uses the affine system alone. If one wants to avoid inversions andhas an affine input (or can allow one I to achieve this) we perform the doublings as 2N = N andthe addition as A + N = N . For non-normalized input we use the new coordinates for doublingsand as non-normalized input system if necessary.

§ 14.5 Arithmetic on genus 2 curves in even characteristic 345Table 14.10 Without precomputations in even characteristic with h 2 ≠0.Systems2A = A, A + A = A2N = N , A + N = N2N = N , N + N = Nl3l3l3Cost(4I + 82M + 21S)(148M + 23S)(159M + 22S)Windowing methodsTo obtain the table of precomputed values we need one doubling and 2 w−2 − 1 additions. Here it isadvantageous to choose either C 3 = A or C 3 = N .Table 14.11 Precomputations in even characteristic with h 2 ≠0.System I M SA 2 w−2 22 × 2 w−2 − 2 3 × 2 w−2 +3A w − 1 25 × 2 w−2 +20w − 68 3 × 2 w−2 +6w − 15A 1 51 × 2 w−2 − 17 4 × 2 w−2 +2P 48 × 2 w−2 − 11 4 × 2 w−2 +2The costs of computing scalar multiples are listed in Table 14.12 for the most useful matches of setsof coordinates. We use the same abbreviations as in the odd characteristic case. Again we leave outthe costs for the initial conversions and mention that some constant number of operations can besaved if one considers in more detail the first doubling and the final addition/doubling.Table 14.12 Windowing method in even characteristic with h 2 ≠0.Systems I M S2A = A, A + A = A2N = N , A + N = N2N = N , N + N = Nl 1 + K + l1−Kw+120(l 1 + K)+22 l1−Kw+16(l 1 + K)+3 l1−Kw+137 ( (l 1 + K)+ l1−K )w+16(l 1 + K)+5 l1−Kw+137(l 1 + K)+48 l1−Kw+16(l 1 + K)+4 l1−Kw+1Compared to the results in odd characteristic this case is a bit more expensive. On the other handthe arithmetic in binary fields is easier to implement and usually faster and there is space for improvementstaking into account the different types of curves.14.5.5 Inversion-free systems for even characteristic when h 2 =0Obviously this case can be considered as a special case of the previous section, but as in affinecoordinates specialized doubling algorithms are much faster. For the whole section we assume thatthe curve is given by an affine equation of the form (14.19).

346 Ch. 14 Arithmetic of Hyperelliptic Curves14.5.5.aDoubling in projective coordinatesFor the additions the changes are quite obvious and are simply obtained by fixing the respectivecurve parameters to be zero. Hence, we only treat doublings in the following.Algorithm 14.49 Doubling in projective coordinates (g =2, h 2 =0, and q even)INPUT: A divisor class represented by D __=[U 1,U 0,V 1,V 0,Z] and the precomputed values h 2 1and h −11 .OUTPUT: The divisor class [U 1,U ′ 0,V ′ 1,V ′0,Z ′ ′ ] = [2][U 1,U 0,V 1,V 0,Z].1. precomputations [9M + 4S]Z 2 ← Z 2 , z 0 ← U0 2 , t 1 ← U1 2 + f 3Z 2, w 0 ← f 0Z 2 + V0 2 and w 1 ← z 0Z 2z 1 ← t 1z 0, w 2 ← h 2 1w 1, w 3 ← w 2 + t 1w 0 and w 4 ← w 0Zs 0 ← z 1 + U 1w 4 and w 4 ← w 4Z2. compute U ′ [2M + S]U 1 ′ ← w 1w 2 and U 0 ′ ← s 2 0 + w 2w 4U ′3. compute V ′ [11M + S]w 5 ← w 0w 4 and V 1 ′ ← h −11`w2U 1 ′ + `w 3z 1 +(f 2Z 2 + V1 2 )w 5´w4´w 5 ← w 5w 4 and V 0 ′ ← h −11 (w3U 0 ′ + z 0w 5)V ′4. adjust [3M]Z ′ ← w 5Z 2, U ′ 1 ← U ′ 1w 4 and U ′ 0 ← U ′ 0w 45. return [U ′ 1,U ′ 0,V ′1,V ′0 ,Z ′ ] [total complexity: 25M + 6S]If h −11 is small one saves 2M,andifh 1 =1— as one can always achieve for odd extension degrees— 22M + 6S areusedintotal.14.5.5.bRecent coordinates in even characteristic (R)For h 2 =0we follow [LAN 2005a] and use [U 1 ,U 0 ,V 1 ,V 0 ,Z,z] with u i = U i /Z, v i = V i /Z 2and the precomputation z = Z 2 . These coordinates have the advantage of allowing faster doublingswhile the additions are more expensive. However, usually mixed additions are chosen for implementations.They are not too much slower, and furthermore, in windowing methods the number ofadditions is reduced considerably.The formulas for new coordinates (in the sense of section 14.5.4.a) can be found in [LAN 2005b].An addition N + N takes 44M + 6S and in mixed coordinates A+N = N one needs 36M + 4S.Using the conditions on the curve parameters given in (14.19) for extension of odd degrees the costsfor a doubling reduce to 28M + 7S.The results in brackets refer to the case in which the second input is in affine coordinates.Algorithm 14.50 Addition in recent coordinates (g =2, h 2 =0, and q even)INPUT: Two divisor classes D __1 and D __2 represented by D __1 =[U 11,U 10,V 11,V 10,Z 1,z 1] and__D 2 =[U 21,U 20,V 21,V 20,Z 2,z 2].OUTPUT: The divisor class [U 1,U ′ 0,V ′ 1,V ′0,Z ′ ′ ,z ′ ]= D __1 ⊕ D __2.1. precomputations [5M + S (none)]Z ← Z 1Z 2, z ← Z 2 , eU 21 ← U 21Z 1 and eU 20 ← U 20Z 1eV 21 ← V 21z 1 and eV 20 ← V 20z 12. compute resultant r =Res(U 1,U 2)y 1 ← U 11Z 2 + eU 21 and y 2 ← U 10Z 2 + eU 20y 3 ← U 11y 1 + y 2Z 1 and r ← y 2y 3 + y1U 2 10[6M + S (5M + S)]

§ 14.5 Arithmetic on genus 2 curves in even characteristic 347u 2u 13. compute almost inverse of u 2 modulo u 1inv 1 ← y 1 and inv 0 ← y 34. compute s [8M (7M)]w 0 ← V 10z 2 + eV 20 and w 1 ← V 11z 2 + eV 21w 2 ← inv 0w 0 and w 3 ← inv 1w 1s 1 ← (inv 0 +inv 1Z 1)(w 0 + w 1)+w 2 + w 3(Z 1 + U 11)s 0 ← w 2 + U 10w 35. precomputations [7M + S]__Z ← s 1r, w 4 ← rZ, w 5 ← w4, 2 S ← s 0Z and Z ′ ← Z Z__˜s 0 ← s 0Z ′ __, ¯s 1 ← s 1 Z and ˜s 1 ← ¯s 1Z6. compute l [5M]L 2 ← ¯s 1eU 21, l 2 ← L 2Z and l 0 ← ˜s 0eU 20l 1 ← ( eU 21 + eU 20)(˜s 0 +˜s 1)+l 2 + l 0, l 2 ← L 2 +˜s 0 and ˜h 1 ← h 1zU ′7. compute U ′ [8M + 2S]U 0 ′ ← r(S 2 + y 1(s 2 1(y 1 + eU 21)+Zw 5)+˜h 1Z ′ )+y 2˜s 1U 1 ′ ← y 1¯s 1 + w 4w 58. precomputations [5M + S]w 1 ← l 2 + U 1, ′ U 1 ′ ← U 1w ′ __4, Z ← Z ′ Z ____and l 0 ← l 0 Zw 2 ← U 1w ′ 1 +(U 0 ′ + l __1) Z and Z __← Z __ 29. compute V ′ [6M + 2S]V 1 ′ ← w 2s 1 +(eV 21 + ˜h __1) Z , U 0 ′ ← U 0r ′ and w 2 ← U 0w ′ 1 + l 0V 0 ′__← w 2s 1 + eV 20 Z, Z ′ ← Z ′2 and z ′ ← Z ′210. return [U ′ 1,U ′ 0,V ′1,V ′0 ,Z ′ ,z ′ ] [total complexity: 50M + 8S (43M + 7S)]If h 1 =1as we can always assume for d odd one more multiplication is saved in Line 6.Algorithm 14.51 Doubling in recent coordinates (g =2, h 2 =0, and q even)INPUT: A divisor class [U 1,U 0,V 1,V 0,Z,z] and the precomputed values h 2 1 and h −11 .OUTPUT: The divisor class [U 1,U ′ 0,V ′ 1,V ′0,Z ′ ′ ,z ′ ] = [2][U 1,U 0,V 1,V 0,Z,z].1. precomputations [10M + 4S]Z 4 ← z 2 , y 0 ← U0 2 , t 1 ← U1 2 + f 3z and w 0 ← Z 4f 0 + V02¯Z ← zw 0, w 1 ← y 0Z 4, y 1 ← t 1y 0z and s 0 ← y 1 + U 1w 0Zw 2 ← h 2 1w 1 and w 3 ← w 2 + t 1w 02. compute U ′ [2M + S]U 1 ′ ← w 2w 1, w 2 ← w 2 ¯Z and U′0 ← s 2 0 + w 23. compute V ′ [11M + 3S]Z ′ ← ¯Z 2 and V 1 ′ ← h −11`w2U 1 ′ +(w 3y 1 + f 2Z ′ +(V 1w 0) 2 )Z ′´`V 0 ′ ← h −1 ¯Z(w3U 0 ′ + y 0w 0Z ′ )´, z ′ ← Z ′214. return [U ′ 1,U ′ 0,V ′1,V ′0 ,Z ′ ,z ′ ] [total complexity: 23M + 8S]For small h −11 we save 2M,ifevenh 1 =1a total of only 20M + 8S is needed.A comparison of different sets of coordinates is given in [LAN 2005a]. It also contains formulasfor operations in [U 1 ,U 0 ,V 1 ,V 0 ,Z,Z 2 Z 3 ] in which the doublings are less efficient than in R butthe additions do not introduce such a big overhead. In general, for curves of form (14.19) inversionfreesystems will be useful only for very expensive inversions and when combined with windowingmethods.

348 Ch. 14 Arithmetic of Hyperelliptic Curves14.6 Arithmetic on genus 3 curvesCantor’s algorithm applies to hyperelliptic curves of arbitrary genus. In this section we study arithmeticon curves of genus 3. Again the most frequent input for addition consists of two divisorclasses represented by [u 1 ,v 1 ], [u 2 ,v 2 ],wheredeg(u 1 ) = deg(u 2 ) = 3 and gcd(u 1 ,u 2 ) = 1.These conditions guarantee that the associated reduced divisors D 1 ,D 2 do not have any point or itsopposite in common and both divisors have 3 affine points in the support. For the doubling we mayassume that the class is represented by [u 1 ,v 1 ] with deg(u 1 )=3and that gcd(h +2v 1 ,u 1 )=1.This means that the support of D 1 contains no Weierstraß point and there are 3 affine points.We omit the complete case study here. It can be found in [PEL 2002, WOL 2004]. There existsa generalization of projective coordinates to genus 3 curves [FAWA 2004] such that one does notneed inversions for the group operations, but we only state arithmetic in affine coordinates. Forsmaller fields an inversion is less expensive in terms of multiplications and on the other hand moremultiplications are needed to save the one remaining inversion.The following sections give algorithms for addition of general divisor classes and for doublingof a general class. For these we allow arbitrary equations of the curve and arbitrary finite groundfields. Note that the number of operations might still depend on this. For even characteristic weadditionally state doubling formulas for one special curve. As for genus 2, the addition formulas dobarely change with the equation of the curve but the doubling needs far fewer field operations forspecial equations.These formulas were taken from [WOL 2004]. Formulas for genus 3 curves can also be found in[GOMA + 2005, KUGO + 2002] and[GUKA + 2004].14.6.1 Addition in most common caseThis section treats the addition of two different divisor classes. In odd characteristic we can transformto an isomorphic curve y 2 = f(x). In even characteristic we assume for simplicity thath(x) ∈ F 2 [x]. For other values of the h i some operations should be performed differently.Algorithm 14.52 Addition on curves of genus 3 in the general caseINPUT: Two divisor classes [u 1,v 1] and [u 2,v 2] with u i = x 3 + u i2x 2 + u i1x + u i0,v i =v i2x 2 + v i1x + v i0.OUTPUT: The divisor class [u ′′ ,v ′′ ]=[u 1,v 1]⊕[u 2,v 2] with u ′′ = x 3 +u ′′2 x 2 +u ′′1 x+u ′′0 ,v ′′ =v 2 ′′ x 2 + v 1 ′′ x + v 0 ′′ .1. compute resultant r =Res(u 1,u 2) (Bezout) [12M + 2S]t 1 ← u 12u 21, t 2 ← u 11u 22, t 3 ← u 11u 20, t 4 ← u 10u 21 and t 5 ← u 12u 20t 6 ← u 10u 22, t 7 ← (u 20 − u 10) 2 , t 8 ← (u 21 − u 11) 2 and t 9 ← (u 22 − u 12)(t 3 − t 4)t 10 ← (u 22 − u 12)(t 5 − t 6) and t 11 ← (u 21 − u 11)(u 20 − u 10)r ← (u 20 − u 10 + t 1 − t 2)(t 7 − t 9)+(t 5 − t 6)(t 10 − 2t 11)+t 8(t 3 − t 4)If r ← 0 perform Cantor’s Algorithm 14.72. compute almost inverse inv = r/u 1 mod u 2inv 2 ← (t 1 − t 2 − u 10 + u 20)(u 22 − u 12) − t 8 and inv 1 ← inv 2u 22 − t 10 + t 11[4M]inv 0 ← inv 2u 21 − u 22(t 10 − t 11)+t 9 − t 73. compute s ′ = rs ≡ (v 2 − v 1)inv (mod u 2) (Karatsuba)[11M]t 12 ← (inv 1 +inv 2)(v 22 − v 12 + v 21 − v 11) and t 13 ← (v 21 − v 11)inv 1

§ 14.6 Arithmetic on genus 3 curves 349t 14 ← (inv 0 +inv 2)(v 22 − v 12 + v 20 − v 10) and t 15 ← (v 20 − v 10)inv 0t 16 ← (inv 0 +inv 1)(v 21 − v 11 + v 20 − v 10) and t 17 ← (v 22 − v 12)inv 2r 0 ′ ← t 15, r 1 ′ ← t 16 − t 13 − t 15 and r 2 ′ ← t 13 + t 14 − t 15 − t 17r 3 ′ ← t 12 − t 13 − t 17, r 4 ′ ← t 17 and t 18 ← u 22r 4 ′ − r 3′t 15 ← u 20t 18, t 16 ← u 21r 4 ′ and s ′ 0 ← r 0 ′ + t 15s ′ 1 ← r 1 ′ − (u 21 + u 20)(r 4 ′ − t 18)+t 16 − t 15s ′ 2 ← r ′ 2 − t 16 + u 22t 18If s ′ 2 =0perform Cantor’s Algorithm 14.74. compute s =(s ′ /r) and make s monic [I + 6M + 2S]w 1 ← (rs ′ 2) −1 , w 2 ← rw 1, w 3 ← w 1s ′ 22 , w4 ← rw 2 and w 5 ← w 2 4s 0 ← w 2s ′ 0 and s 1 ← w 2s ′ 15. compute z = su 1z 0 ← s 0u 10, z 1 ← s 1u 10 + s 0u 11 and z 2 ← s 0u 12 + s 1u 11 + u 10z 3 ← s 1u 12 + s 0 + u 11 and z 4 ← u 12 + s 16. compute u ′ =[s(z + w 4(h +2v 1)) − w 5((u 20 − v 1h − v1)/u 2 1)]/u 2[6M][15M]u ′ 3 ← z 4 + s 1 − u 22 and u ′ 2 ←−u 22u ′ 3 − u 21 + z 3 + s 0 + w 4h 3 + s 1z 4u ′ 1 ← w 4(h 2 +2v 12 + s 1h 3)+s 1z 3 + s 0z 4 + z 2 − w 5 − u 22u ′ 2 − u 21u ′ 3 − u 20u ′ 0 ← w 4(s 1h 2 + h 1 +2v 11 +2s 1v 12 + s 0h 3)+s 1z 2 + z 1 + s 0z 3 + w 5(u 12 − f 6) −u 22u ′ 1 − u 21u ′ 2 − u 20u ′ 37. compute v ′ = −(w 3z + h + v 1)modu ′[8M]t 1 ← u ′ 3 − z 4 and v ′ 0 ←−w 3(u ′ 0t 1 + z 0) − h 0 − v 0v ′ 1 ←−w 3(u ′ 1t 1 − u ′ 0 + z 1) − h 1 − v 11v ′ 2 ←−w 3(u ′ 2t 1 − u ′ 1 + z 2) − h 2 − v 12v ′ 3 ←−w 3(u ′ 3t 1 − u ′ 2 + z 3) − h 38. reduce u ′ , i.e., u ′′ =(f − v ′ h − v ′2 )/u ′ [5M + 2S]u ′′2 ← f 6 − u ′ 3 − v 32 ′ − v 3h ′ 3u ′′1 ←−u ′ 2 − u ′′2 u ′ 3 + f 5 − 2v 2v ′ 3 ′ − v 3h ′ 2 − v 2h ′ 3u ′′0 ←−u ′ 1 − u ′′2 u ′ 2 − u ′′1 u ′ 3 + f 4 − 2v 1v ′ 3 ′ − v 22 ′ − v 2h ′ 2 − v 3h ′ 1 − v 1h ′ 39. compute v ′′ = −(v ′ + h) modu 3v 2 ′′ ←−v 2 ′ +(v 3 ′ + h 3)u ′′2 − h 2v 1 ′′ ←−v 1 ′ +(v 3 ′ + h 3)u ′′1 − h 1v 0 ′′ ←−v 0 ′ +(v 3 ′ + h 3)u ′′0 − h 0[3M]10. return [u ′′ ,v ′′ ] [total complexity: I + 70M + 6S]If char(F q ) is even, h(x) ∈ F 2 [x], andf 6 =0then the total complexity reduces to I + 65M + 6S.14.6.2 Doubling in most common caseWe now state the formulas to double on general curves. Compared to the addition the formulasdepend much more on the equation of the curve. We give the number of operations for arbitrarycharacteristic including characteristic 2. For the counting we assume for simplicity that h(x) ∈F 2 [x] and f 6 =0.For other values of the h i some operations should be performed differently. The special case ofh(x) =1will be discussed in more detail in the next section.

350 Ch. 14 Arithmetic of Hyperelliptic CurvesAlgorithm 14.53 Doubling on curves of genus 3 in the general caseINPUT: A divisor class [u, v] with u = x 3 + u 2x 2 + u 1x + u 0 and v = v 2x 2 + v 1x + v 0.OUTPUT: The divisor class [u ′′ ,v ′′ ] = [2][u, v].1. compute resultant r =Res(u, ˜h) where ˜h ˜h = h +2v (Bezout) [12M + 2S]t 1 ← u 2˜h1, t 2 ← u 1˜h2, t 3 ← u 1˜h0, t 4 ← u 0˜h1, t 5 ← u 2˜h0 and t 6 ← u 0˜h2t 7 ← (˜h 0 − h 3u 0) 2 , t 8 ← (˜h 1 − h 3u 1) 2 and t 9 ← (˜h 2 − h 3u 2)(t 3 − t 4)t 10 ← (˜h 2 − h 3u 2)(t 5 − t 6) and t 11 ← (˜h 1 − h 3u 1)(˜h 0 − h 3u 0)r ← (˜h 0 − h 3u 0 + t 1 − t 2)(t 7 − t 9)+(t 5 − t 6)(t 10 − 2t 11)+t 8(t 3 − t 4)If r =0perform Cantor’s Algorithm 14.72. compute almost inverse inv = r/(h +2v) moduinv 2 ←−(t 1 − t 2 − h 3u 0 + ˜h 0)(˜h 2 − h 3u 2)+t 8inv 1 ← inv 2u 2 + t 10 − t 11inv 0 ← inv 2u 1 + u 2(t 10 − t 11) − t 9 + t 7[4M]3. compute z = `(f − hv − v )/u´ 2 mod u [8M + 2S]t 12 ← v 2 2, z ′ 3 ← f 6 − u 2, t 13 ← z ′ 3u 1 and z ′ 2 ← f 5 − h 3v 2 − u 1 − u 2f 6 + u 2 2z ′ 1 ← f 4 − h 2v 2 − h 3v 1 − t 12 − u 0 − t 13 − z ′ 2u 2z 2 ← f 5 − h 3v 2 − 2u 1 + u 2(u 2 − 2z ′ 3) and z 1 ← z ′ 1 − t 13 + u 2u 1 − u 0z 0 ← f 3 − h 2v 1 − h 1v 2 − 2v 2v 1 − h 3v 0 + u 0(u 2 − 2z 3) ′ − z 2u ′ 1 − z 1u ′ 24. compute s ′ =(z inv) mod u (Karatsuba)[11M]t 12 ← (inv 1 +inv 2)(z 1 + z 2) and t 13 ← z 1inv 1t 14 ← (inv 0 +inv 2)(z 0 + z 2) and t 15 ← z 0inv 0t 16 ← (inv 0 +inv 1)(z 0 + z 1) and t 17 ← z 2inv 2r 0 ′ ← t 15, r 1 ′ ← t 16 − t 13 − t 15 and r 2 ′ ← t 13 + t 14 − t 15 − t 17r 3 ′ ← t 12 − t 13 − t 17, r 4 ′ ← t 17 and t 18 ← u 2r 4 ′ − r 3′t 15 ← u 0t 18, t 16 ← u 1r 4, ′ s ′ 0 ← r 0+t ′ 15 and s ′ 1 ← r 1−(u ′ 1+u 0)(r 4−t ′ 18)+t 16−t 15s ′ 2 ← r ′ 2 − t 16 + u 2t 18If s ′ 2 =0perform Cantor’s Algorithm 14.75. compute s =(s ′ /r) and make s monic [I + 6M + 2S]w 1 ← (rs ′ 2) −1 , w 2 ← w 1r, w 3 ← w 1(s ′ 2) 2 , and w 4 ← w 2r note that w 4 = r/s ′ 2w 5 ← w4, 2 s 0 ← w 2s ′ 0 and s 1 ← w 2s ′ 16. compute G = su[6M]g 0 ← s 0u 0, g 1 ← s 1u 0 + s 0u 1 and g 2 ← s 0u 2 + s 1u 1 + u 0g 3 ← s 1u 2 + s 0 + u 1 and g 4 ← u 2 + s 17. compute u ′ = u −2 [(G + w 4v) 2 + w 4hG + w 5(hv − f)] [6M + 2S]u ′ 3 ← 2s 1, u ′ 2 ← s 2 1 +2s 0 + w 4h 3u ′ 1 ← 2s 0s 1 + w 4(2v 2 + h 3s 1 + h 2 − h 3u 2) − w 5u ′ 0 ← w 4`2v1 + h 1 + h 3s 0 − h 3u 1 +2v 2s 1 + u 2(u 2h 3 − 2v 2 − h 2 − s 1h 3)+h 2s 1´u ′ 0 ← u ′ 0 + w 5(−f 6 +2u 2)+s 2 08. compute v ′ = −(Gw 3 + h + v) modu ′[8M]t 1 ← u ′ 3 − g 4v ′ 3 ←−(t 1u ′ 3 − u ′ 2 + g 3)w 3 − h 3 and v ′ 2 ←−(t 1u ′ 2 − u ′ 1 + g 2)w 3 − h 2 − v 2v ′ 1 ←−(t 1u ′ 1 − u ′ 0 + g 1)w 3 − h 1 − v 1 and v ′ 0 ←−(t 1u ′ 0 + g 0)w 3 − h 0 − v 09. reduce u ′ i.e., u ′′ =(f − v ′ h − v ′2 )/u ′ [5M + 2S]

§ 14.6 Arithmetic on genus 3 curves 351u ′′2 ← f 6 − u ′ 3 − v 32 ′ − v 3h ′ 3u ′′1 ←−u ′ 2 − u ′′2 u ′ 3 + f 5 − 2v 2v ′ 3 ′ − v 3h ′ 2 − v 2h ′ 3u ′′0 ←−u ′ 1 − u ′′2 u ′ 2 − u ′′1 u ′ 3 + f 4 − 2v 1v ′ 3 ′ − v 22 ′ − v 2h ′ 2 − v 3h ′ 1 − v 1h ′ 310. compute v 2 = −(v ′ + h) modu 2v 2 ′′ ←−v 2 ′ +(v 3 ′ + h 3)u ′′2 − h 2v 1 ′′ ←−v 1 ′ +(v 3 ′ + h 3)u ′′1 − h 1v 0 ′′ ←−v 0 ′ +(v 3 ′ + h 3)u ′′0 − h 0[3M]11. return [u ′′ ,v ′′ ] [total complexity: I + 69M + 10S]For characteristic 2 fields, the costs drop down to I + 53M + 10S if we assume in addition thath i ∈ F 2 and to I + 22M + 7S when h(x) =1. Note that in the latter case the following sectiongives a much better result.14.6.3 Doubling on genus 3 curves for even characteristic when h(x) =1For genus 2 curves we gave a complete characterization of all types of curves (cf. Section 14.5).There the fastest doubling occurred for constant h ∈ F ∗ 2but we did not further investigate thesedcurves as they are supersingular.For genus 3 the situation is different: constant polynomials h again lead to a minimal number offield operations, but these curves are not supersingular. They have 2-rank zero (cf. Definition 14.12)but so far there is no method known making the computation of discrete logarithms on such curveseasier than on arbitrary curves.Here, we detail the doubling onC : y 2 + y = x 7 + f 5 x 5 + f 4 x 4 + f 3 x 3 + f 2 x 2 + f 1 x + f 0 ,f i ∈ F 2 d.Algorithm 14.54 Doubling on curves of genus 3 with h(x) =1INPUT: A divisor class [u, v] with u = x 3 + u 2x 2 + u 1x + u 0 and v = v 2x 2 + v 1x + v 0.OUTPUT: The divisor class [u ′ ,v ′ ] = [2][u, v].1. compute d = gcd(u 1, 1) = 1 = s 1a + s 3hs 3 ← 1 and s 1 ← 0u 22. compute u 2t 1 ← u 2 2, t 2 ← u 2 1 and t 3 ← u 2 03. compute w = v 2 + f mod u ′[3S]t 4 ← v2, 2 t 5 ← v1, 2 t 6 ← v0, 2 w 5 ← f 5 + t 1 and w 4 ← f 4 + t 4w 3 ← f 3 + t 2, w 2 ← f 2 + t 5, w 1 ← f 1 + t 3 and w 0 ← f 0 + t 64. compute u ′ = `(f − hw − w 2 )/u 2´[3M + 3S]u ′ 4 ← w 2 5 , u ′ 3 ← 0, u ′ 2 ← w 2 4 + t 1u ′ 4, u ′ 1 ← 1 and u ′ 0 ← w 3 + t 2u ′ 4 + t 1u ′ 25. compute u 2 = u ′′ made monic, i.e., u ′ ← u ′ made monic [I + 2M]u ′ 1 ← u ′ 4−1 , u′2 ← u ′ 2u ′ 1 and u ′ 0 ← u ′ 0u ′ 16. compute v ′ = −(w + h) modu ′t 1 ← w 5u ′ 2, t 2 ← w 4u ′ 1, t 3 ← (w 5 + w 4)(u ′ 2 + u ′ 1) and v 3 ′ ← w 3 + t 1v 2 ′ ← t 3 + t 1 + t 2 + w 2, v 1 ′ ← t 2 + w 5u ′ 0 + w 1 and v 0 ′ ← w 4u ′ 0 + w 0 +1[3S][5M]7. compute u ′′ =(f − v ′ h − v ′2 )/u ′ [M + 2S]

352 Ch. 14 Arithmetic of Hyperelliptic Curvesu ′′2 ← v ′2 3, u ′′1 ← u ′ 2 + f 5 and u ′′0 ← u ′ 2u ′′2 + f 4 + v ′2 2 + u ′ 18. compute v ′′ :←−(v ′ + h) modu ′′v 2 ′′ ← v 2 ′ + v 3u ′ ′′2 , v 1 ′′ ← v 1 ′ + v 3u ′ ′′1 and v 0 ′′ ← v 0 ′ + v 3u ′ ′′0 +1[3M]9. return [u ′′ ,v ′′ ] [total complexity: I + 14M + 11S]14.7 Other curves and comparisonIn principle such explicit formulas can be derived for arbitrarily large genus and also for nonhyperellipticcurves. Picard curves and more generally C 3,4 curves are nonhyperelliptic curves ofgenus 3 (cf. Section 4.4.6.a). Starting from a generalization of Cantor’s algorithm or a geometricaldescription of the steps, respectively, [BAEN + 2002, FLOY 2004] deal with the arithmeticof Picard curves. These curves are a special class of C 3,4 ; the general curves are studied in[BAEN + 2004, FLOY + 2004].Also, hyperelliptic curves of genus 4 received some attention and explicit formulas are given forthe most frequent cases. For this we refer to [WOL 2004] and the references given therein. Histhesis also provides timings for hyperelliptic curves over binary fields for group sizes of use forcryptographic applications. Depending on the processor, genus 2 curves can outperform ellipticcurves for the same group size. We remark that the genus 2 curves were chosen of the special TypeII (cf. Section 14.5) but more field operations than proposed here were used. Thus, the results haveto be taken with a grain of salt.In [LAST 2005] implementations of binary elliptic curves and curves of genus 2 are reported.Their study considers all different choices detailed above. Curves of Type II lead to faster scalarmultiplication than elliptic curves with the same number of precomputations. Scalar multiplicationon general curves of Type I is a bit slower than on elliptic curves.Avanzi [AVA 2004a] gives a thorough comparison in implementing the explicit formulas in primefields of cryptographically relevant size. His results show that computing scalar multiples in theJacobian of hyperelliptic curves of genus 2 is only 10% slower than on elliptic curves of the samegroup size. The chosen curves were general using no special properties. For all field sizes the basicarithmetic was optimized to the same extent.To conclude, we present the timings from [AVA 2004a] for all coordinate systems presented aboveand in Chapter 13 for odd characteristic. To compute scalar multiples on the curves signed windowingmethods were used (cf. Chapter 9). The parameter w states the width of the window.

§ 14.7 Other curves and comparison 353Table 14.13 Comparison of running times, in msec (1 GHz AMD Athlon PC).curveeccoord.APJscalarBit length of group order (approximate)mult. 128 144 160 192 224 256 320 512binary 1.671 2.521 3.074 5.385 8.536 12.619NAF 1.488 2.252 2.701 4.809 7.596 11.315NAF w 1.363 2.205 2.489 4.335 6.841 10.099(w =4) (w =3) (w =4) (w =4) (w =4) (w =4)binary 0.643 0.94 1.152 1.879 3.22 4.243NAF 0.575 0.841 1.017 1.685 2.881 3.747NAF w 0.551 0.808 0.982 1.591 2.711 3.523(w =3) (w =3) (w =3) (w =3) (w =4) (w =4)binary 0.584 0.856 1.05 1.702 2.912 3.876NAF 0.517 0.776 0.907 1.499 2.558 3.325NAF w 0.492 0.713 0.864 1.397 2.357 3.086(w =3) (w =3) (w =3) (w =3) (w =3) (w =4)binary 0.614 0.901 1.109 1.812 3.081 3.995cJNAF 0.546 0.802 0.965 1.6 2.727 3.583NAF w 0.517 0.756 0.922 1.499 2.527 3.275(w =3) (w =3) (w =3) (w =3) (w =3) (w =3)binary 0.607 0.872 1.076 1.782 3.005 3.945mJNAF 0.512 0.748 0.906 1.515 2.592 3.35NAF w 0.474 0.684 0.838 1.395 2.296 3.048(w =3) (w =3) (w =3) (w =3) (w =3) (w =3)Abinary 0.888 1.614 1.899 2.546 4.612 5.514 10.409 39.673NAF 0.797 1.449 1.706 2.265 4.139 4.952 9.298 35.430NAF w 0.73 1.421 1.558 2.053 3.73 4.464 8.343 31.246hecg=2hecg=3PNA(w =4) (w =4) (w =4) (w =4) (w =4) (w =4) (w =4) (w =5)binary 0.839 1.473 1.642 2.102 3.996 4.712 8.653 30.564NAF 0.755 1.325 1.48 1.901 3.588 4.203 7.758 27.359NAF w 0.703 1.211 1.352 1.742 3.256 3.842 6.998 24.451(w =4) (w =4) (w =4) (w =4) (w =4) (w =4) (w =4) (w =5)binary 0.844 1.395 1.564 2.038 3.777 4.413 8.265 29.11NAF 0.746 1.247 1.391 1.778 3.357 4.002 7.329 25.816NAF w 0.675 1.14 1.262 1.623 3.02 3.575 6.53 22.73(w =4) (w =4) (w =4) (w =3) (w =4) (w =4) (w =4) (w =5)binary 1.896 1.984 2.992 3.597 5.39 6.001 12.66 42.907NAF 1.64 1.744 2.538 3.085 4.82 5.39 11.24 38.326NAF w 1.424 1.528 2.077 2.584 4.33 4.86 9.92 34.117(w =4) (w =4) (w =5) (w =5) (w =4) (w =5) (w =4) (w =4)

Chapter ½Arithmetic of Special CurvesChristophe Doche and Tanja LangeContents in Brief15.1 Koblitz curves 355Elliptic binary Koblitz curves • Generalized Koblitz curves • Alternative setup15.2 Scalar multiplication using endomorphisms 376GLV method • Generalizations • Combination of GLV and Koblitz curvestrategies • Curves with endomorphisms for identity-based parameters15.3 Trace zero varieties 383Background on trace zero varieties • Arithmetic in GIn this chapter we present the arithmetic for special choices of curves that offer advantages in thecomputation of scalar multiples.The first example is given by Koblitz curves. There the improvement results from a clever use ofthe Frobenius endomorphism. The use of endomorphisms on special curves over prime fields is thetopic of the following section. An approach similar to Koblitz curves but for large characteristic isthe key to trace zero varieties, which we present in the last section.For a curve C defined over F q , a common strategy in this chapter is to consider C over anextension field F q k, i.e., C · F q k, and to study the divisor class group there. For C = E, an ellipticcurve, we use the fact that E is equal to its divisor class group and write E(F q k) to denote theset of points defined over F q k. For a curve C of higher genus, we put Pic 0 C(F q d) as a shorthandfor Pic 0 C·F to abbreviate notation and to highlight the field in which we are working. Finally weq kassume an embedding Pic 0 C (F q) ⊂ Pic 0 C (F q k).15.1 Koblitz curvesThe notion of Koblitz curves is not clearly defined. In the scope of this book we associate a broadmeaning with this name and use it to denote subfield curves for which the Frobenius endomorphismis used in the computation of scalar multiples.We introduce Koblitz curves first in the special case initially proposed by Koblitz and then continuewith the general case of arbitrary genus and arbitrary characteristic. Finally we present analternative approach that is better suited for applications.355

356 Ch. 15 Arithmetic of Special Curves15.1.1 Elliptic binary Koblitz curvesWe refer to [KOB 1992] and[SOL 1999b, SOL 2000] for this part and treat in detail elliptic curvesdefined over F 2 and considered over the extension field F 2 d.The first attempt to use the Frobenius endomorphism in the computation of scalar multiples wasmade by Menezes and Vanstone [MEVA 1990] using the curveE : y 2 + y = x 3 .In this case, the characteristic polynomial of the Frobenius endomorphism denoted by φ 2 (cf. Example4.87 and Section 13.1.8), which sends P ∞ to itself and (x 1 ,y 1 ) to (x 2 1 ,y2 1 ),isχ E (T )=T 2 +2.Thus doubling is replaced by a twofold application of the Frobenius endomorphism and taking thenegative as for all points P ∈ E(F 2 d), wehaveφ 2 2(P )=−[2]P . Since the computation of theFrobenius map is almost free in normal basis representation and requires at most three squaringsusing a polynomial basis and projective coordinates, this idea led to very efficient implementations.However, the curve E is supersingular and should not be used in applications if one only needs aDL system, (cf. Section 22.2).As “the next best thing,” Koblitz [KOB 1992] suggested using the remaining two nonsupersingularcurves defined over F 2 .Definition 15.1 In the context of an elliptic curve defined over F 2 ,aKoblitz curve is given by theequationE a2 : y 2 + xy = x 3 + a 2 x 2 +1, with a 2 =0 or 1. (15.1)These curves are sometimes referred to as anomalous binary curves, ABC for short.In this case, the characteristic polynomial of the Frobenius endomorphism isχ a2 (T )=T 2 − µT +2 (15.2)where µ =(−1) 1−a2 . It follows that doublings can be replaced by computations involving theFrobenius endomorphism as[2]P =[µ]φ 2 (P ) ⊖ φ 2 2 (P ). (15.3)The following shows that scalar multiplications by powers of 2 can be easily obtained using theFrobenius endomorphism. For instance when a 2 =1,wehave[2]P = φ 2 (P ) ⊖ φ 2 2(P ), [4]P = −φ 2 2(P ) ⊖ φ 3 2(P ),[8]P = −φ 3 2(P ) ⊕ φ 5 2(P ), [16]P = φ 4 2(P ) ⊖ φ 8 2(P ),as one can easily check from using (15.2). This idea gives an efficient general scalar multiplicationwhen combined with the 2 k -ary or the sliding window method; see Section 9.1. But one can use iteven more efficiently in the computation of arbitrary scalar multiples, as we shall see in the sequel.Let τ be a complex root of χ a2 (T ). As the Frobenius endomorphism operates on E a2 , the curve hascomplex multiplication by the ring Z[τ].

§ 15.1 Koblitz curves 35715.1.1.aProperties of the ring Z[τ]First, fix τ = µ+√ −72as a root of χ a2 . The other root is the complex conjugate of τ, namelyτ = µ−√ −72· Let us review some properties of the ring Z[τ].The field Q(τ) is an imaginary quadratic field with ring of integers Z[τ]. Every element η ∈ Z[τ]can be written in the form η = n 0 + n 1 τ with n 0 ,n 1 ∈ Z. To every element η = n 0 + n 1 τ ∈ Z[τ]one associates the norm of η (cf. Proposition 2.77), given byN(η) =(n 0 + n 1 τ)(n 0 + n 1 τ)=n 2 0 + µn 0n 1 +2n 2 1 .As a consequence, N(τ) =2.Asφ d 2 operates on E a2 (F 2 d) as identity, one getsN(1 − τ d )=|E a2 (F 2 d)|.In classical number theory one associates Lucas sequences to a quadratic polynomial using theequation to define a recurrence relation. In our case, (15.2) gives rise toL k+1 = µL k − 2L k−1 , for k 1. (15.4)The first and second Lucas sequence differ by the initialization of the first two sequence elementsand use the same recurrence relation (15.4). Define (U k ) k0 byU 0 =0,U 1 =1, (15.5)and (V k ) k0 byBy using (15.4) one immediately seesV 0 =2,V 1 = µ. (15.6)andτ k = −2U k−1 + U k τ (15.7)τ k + τ k = −2V k−1 + V k τ. (15.8)This second sequence gives a recurrence formula to compute the cardinality of E a2 (F 2 d). Indeed,we have|E a2 (F 2 d)| = (1− τ d )(1 − τ d )= 2 d +1− (τ d + τ d )=2 d +1− V d . (15.9)As the number of points over the ground field always divides the group order over extension fields,we have an inevitable factor c of the group order given by{c =4, if a 2 =0|E a2 (F 2 d)| = cN with(15.10)c =2, if a 2 =1.Here, c = |E a2 (F 2 )| =N(τ − 1) and N =N(δ) where δ = τ d − 1τ − 1 ·Example 15.2 TakeE 1 : y 2 + xy = x 3 + x 2 +1over F 2 11. ThenwehaveE 1 (F 2 11) =2× 991 where 991 is prime.

358 Ch. 15 Arithmetic of Special CurvesFurther developments would be irrelevant if we were not able to find extension fields F 2 d with alarge prime order subgroup of E(F 2 d). Fortunately, the integer N in (15.10) is prime for manyextension degrees and in particular for the following ones of cryptographic interesta 2Degree d0 233, 239, 277, 283, 349, 409, 5711 163, 283, 311, 331, 347, 359For more information on point counting we refer to Chapter 17.15.1.1.bComputation of τ-adic expansionsWe have seen how to use (15.3) to replace computations of [2 k ]P by operations involving the Frobeniusendomorphism. In the endomorphism ring of E a2 we have the relation 2=µτ − τ 2 and wecan try to find a similar expansion for every integer.Definition 15.3 In analogy to binary expansions, we define the τ-adic expansion of η ∈ Z[τ] as∑l−1η = r i τ i , (15.11)where r i ∈{0, 1},foralli. Such an expansion is denoted by (r l−1 ...r 0 ) τ .i=0The key observation to compute the expansion (15.11) of η = n 0 +n 1 τ ∈ Z[τ] is that the coefficientscan be obtained from the least significant one by repeatedly dividing n 0 with remainder by 2 as in thebinary expansion and replacing 2 by µτ −τ 2 . The remainders constitute the sequence of coefficientsand the norm decreases. This shows that every η ∈ Z[τ] has a τ-adic expansion.Example 15.4 For instance, put µ =1and let us compute the τ-adic expansion of 7. Wehavethefollowing equalities7 = 1+2× 3= 1+τ(3 − 3τ)= 1+τ + τ 2 (−2 − τ)= 1+τ + τ 3 (−2+τ)= 1+τ + τ 4 (τ)= 1+τ + τ 5 .Once it is determined, the τ-adic expansion of an integer n gives a way to compute the scalarmultiplication by n using only the Frobenius endomorphism and additions. For example, if P is apoint of E 1 (F 2 d), wehave[7]P = P ⊕ φ 2 (P ) ⊕ φ 5 2 (P ).The number of nonzero coefficients in the τ-adic expansion of n determines the number of additionsto perform in order to get [n]P and thus rules the complexity of the computation. To obtain a sparserrepresentation, Koblitz [KOB 1992] suggests using a signed τ-adic expansion. Solinas [SOL 1997]generalizes the notion of binary non-adjacent forms NAFs.Definition 15.5 An element η = n 0 + n 1 τ ∈ Z[τ] is written in τ-adic non-adjacent form, τNAFfor short, if∑l−1η = r i τ i , (15.12)i=0

§ 15.1 Koblitz curves 359with the extra conditions r i ∈{0, + − 1} and r i r i+1 =0for all i. Such an expansion is denoted by(r l−1 ...r 0 ) τ NAF .In [SOL 1999b], an algorithm to compute the τNAF of every η ∈ Z[τ] is proposed. In addition, it isshown that the τNAF expansion is unique and Avanzi et al. show in [AVHE + 2004] that its numberof nonzero coefficients is minimal among all the representations with coefficients in {0, + − 1}.Algorithm 15.6 τNAF representationINPUT: An element η = n 0 + n 1τ ∈ Z[τ].OUTPUT: The τ -adic expansion (r l−1 ...r 0) τNAF of η in non-adjacent form.1. S ← ()2. while |n 0| + |n 1| ≠0 do3. if n 0 ≡ 1 (mod 2) then4. r ← 2 − `(n 0 − 2n 1)mod 4´5. n 0 ← n 0 − r6. else r ← 07. S ← r || S [r prepended to S]8. (n 0,n 1) ← (n 1 + µn 0/2, −n 0/2)9. return SRemark 15.7 The length l of the τ-adic NAF expansion of n ∈ Z obtained by Algorithm 15.6 isapproximately equal to 2lgn while its density is 1/3 as with the ordinary NAF, cf. Section 9.1.4.In order to obtain an expansion of size lg n, we shall introduce the notion of reduction (see Section15.1.1.c) and this will allow us to get expansions of the same density and length lg n.Example 15.8 Take µ =1and let us compute the τNAF representation of n = 409 in Z[τ]. UsingAlgorithm 15.6, we obtain409 = (¯100¯1000010¯101001001) τ NAFwhereas it is easily checked that the τ-adic expansion of 409 is (11000111101001001) τ . The lengthis the same in both cases but the density of the τNAF expansion is less.From the τ-adic or the τNAF expansion, it is possible to derive a left-to-right scalar multiplicationalgorithm similar to the double and add method, where every doubling is replaced by the Frobeniusaction. In Chapter 9, we have seen that some precomputations can reduce significantly the numberof additions involved in a scalar multiplication, and the same considerations hold here as well.15.1.1.cReducing the lengthLet P be a point in E a2 (F 2 d). Sinceφ d 2 is the identity map in the finite field F 2 d, we have, as pointedout in [MEST 1993], that[n]P =[η]P whenever n ≡ η (mod (τ d − 1)).Now recall that |E a2 (F 2 d)| = cN with c =2or 4. When there exists a point Q such that P =[c]Q,then it is even possible to reduce n modulo δ =(τ d − 1)/(τ − 1) to compute [n]P . Note that

360 Ch. 15 Arithmetic of Special Curvesthis condition means no restriction for cryptographic applications since the base point P is usuallychosen to have prime order. Furthermore, for an arbitrary P this property is also very easy to checkfor. Indeed, if P =(x 1 ,y 1 ) there exists Q ∈ E a2 (F 2 d) such that P =[c]Q if and only if• Tr(x 1 )=Tr(a 2 ),whenc =2• Tr(x 1 )=0and Tr(y 1 )=Tr(λx 1 ) where λ satisfies λ 2 + λ = x 1 ,whenc =4.Taking such a Q, we see that[δ]P = [δ][c]Q= [δ][τ − 1][τ − 1]Q= [τ − 1]([τ d − 1]Q)= P ∞ ,where the second equality used N(τ − 1) = c. As a consequence, if n ≡ ρ (mod δ) we haven = κδ + ρ and[n]P = [κ][δ]P ⊕ [ρ]P= [ρ]P.This reduction is of great interest, since the length of a τ-adic expansion of ρ, computed withAlgorithm 15.6 or 15.17, will be shown to be approximately half the one of n and is now of thesame size as the binary expansion of n.To actually compute the reduction, we first need to determine δ. For that, we use the Lucassequence (U k ) k0 as defined in (15.5) and get τ d = −2U d−1 + U d τ.Thenδ = (τ d − 1)/(τ − 1) = (−2U d−1 + U d τ − 1)(τ − 1)/c (15.13)= ( (2 − 2µ)U d−1 +2U d − µ +1+(2U d−1 − U d +1)τ ) /c=: δ 0 + δ 1 τusing c =(τ − 1)(τ − 1) and µ = τ + τ.To be able to compute a division with remainder as required in n = κδ + ρ we need a roundingnotion. For λ ∈ Q, the rounding is ambiguous for half integers. In the following, we use twodifferent rounding notions for λ ∈ Q, namely{⌈λ − 1/2⌉ if λ>0⌊λ⌉ = ⌊λ +1/2⌋ and ⌈λ⌋ =⌊λ +1/2⌋ else.The second definition ensures that in the ambiguous cases the integer with least absolute value ischosen.Similarly, for λ ∈ Q(τ), we need to find a closest neighbor of λ in Z[τ]. AsQ(τ) ⊂ C and Z[τ]forms a two-dimensional lattice, we use the complex absolute value as it captures the distance inthe complex plane. The complex absolute value equals the positive square root of the norm. Theelement q 0 + q 1 τ ∈ Z[τ] is a closest lattice element of λ ifN ( λ − q 0 − q 1 τ ) N ( λ − α ) for all α ∈ Z[τ].Algorithm 15.9 provided in [MEST 1993, SOL 1999b] computes such an element denoted by ⌊λ⌉ τ.

§ 15.1 Koblitz curves 361Algorithm 15.9 Rounding-off of an element of Q[τ]INPUT: Two rational numbers λ 0 and λ 1 specifying λ = λ 0 + λ 1τ ∈ Q(τ).OUTPUT: Two integers q 0 and q 1 such that q 0 + q 1τ = ⌊λ⌉ τ∈ Z[τ].1. f 0 ←⌊λ 0⌉ and f 1 ←⌊λ 1⌉2. η 0 ← λ 0 − f 0 and η 1 ← λ 1 − f 13. h 0 ← 0 and h 1 ← 04. η ← 2η 0 + µη 15. if η 1 then6. if η 0 − 3µη 1 < −1 then h 1 ← µ else h 0 ← 17. else8. if η 0 +4µη 1 2 then h 1 ← µ9. if η

362 Ch. 15 Arithmetic of Special CurvesRemark 15.12 The remainder ρ given by Algorithm 15.11 does not only satisfy N(ρ) < N(δ) butdue to the lattice structure one even has N(ρ) 4 7N(δ), cf.[MEST 1993].This algorithm can be used to compute reductions of integers n moduloδ = δ 0 + δ 1 τ =(τ d − 1)/(τ − 1).Algorithm 15.13 Reduction of n modulo δINPUT: An integer n ∈ [1,N − 1] where N =N(δ) and δ 0,δ 1 as in (15.13).OUTPUT: The element ρ = r 0 + r 1τ ≡ n (mod δ).1. d 0 ← δ 0 + µδ 12. λ 0 ← d 0n/N and λ 1 ←−δ 1n/N3. q 0 + q 1τ ←⌊λ 0 + λ 1τ⌉ τ [use Algorithm 15.9]4. r 0 ← n − δ 0q 0 +2δ 1q 15. r 1 ←−δ 1q 0 − d 0q 16. return r 0 + r 1τRemarks 15.14(i) The length of the τ-adic expansion of ρ is at most d + a 2 and grows with N(ρ).(ii) To avoid the multiprecision division by N in Line 2, a partial reduction algorithm hasbeen proposed [SOL 1999b]. Let C be a constant greater than 1, K =(d +5)/2+C,n ′ = ⌊ n/(2 d−K−2+a2 )⌋ and V d as in (15.6). Then perform the following operations toobtain an approximation λ ′ i of λ i,fori =0and 1.2’. g ′ i ← s in ′ , h ′ i ←⌊g′ i /2d ⌋, j ′ i ← V dh ′ i and λ′ i ←⌊(g′ i + j′ i )/2K−C +1/2⌋/2 CIn any case, ρ ′ = r 0 ′ +r′ 1τ obtained in that way is equivalent to n modulo δ. However,ρ′can be different from ρ computed exactly. This occurs with probability less than 1/2 C−5and the length of the τ-adic expansion of ρ ′ is always at most d + a 2 +3.(iii) After the reduced element ρ has been computed, we can compute its τNAF. To obtainsparser representations, windowing methods can be used (cf. Section 15.1.1.d).Example 15.15 TakeE 1 : y 2 + xy = x 3 + x 2 +1over F 2 11, realized as F 2 [θ] with θ such that θ 11 + θ 2 +1=0. We know from Example 15.2 thatE 1 (F 2 11) =2× 991. LetustakeP =(0x34A, 0x69B) a random point in E 1 (F 2 11), expressed inhexadecimal notation, and let us compute [409]P . We remark that Tr(0x34A) =1.SothereisQsuch that [2]Q = P and we can reduce 409 modulo δ,whereδ =(τ 11 −1)/(τ −1). Algorithm 15.13shows that 409 ≡ 13 − 9τ (mod δ) and Algorithm 15.6 giveshaving only 8 digits instead of 17.13 − 9τ =(¯1010100¯1) τ NAF

§ 15.1 Koblitz curves 36315.1.1.dWindowing methodsIt is possible to generalize windowing methods to τ-adic windowing methods. We present a generalizationof the notion of width-w NAF expansion, cf. Definition 9.19.Definition 15.16 Let w be a parameter greater than 1. Then every element η ∈ Z[τ] can be writtenas∑l−1η = r i τ iwherei=0• each r i is zero or r i = + − α u where α u ≡ u (mod τ w ) for some odd u ∈ [1, 2 w−1 − 1]• r l−1 ≠0• among any w consecutive coefficients, at most one is nonzero.Such a representation is called a width-w τ-adic expansion in non-adjacent form, τNAF w for short,and is denoted by (r l−1 ...r 0 ) τ NAFw .Mimicking Algorithm 9.20, we derive a method to compute the τNAF w , which we shall describenow. More explanations can be found in [SOL 2000].Let (h k ) k1 be the sequence of integers defined byh k =2U k−1 U −1kmod 2 k , for all k 1,where (U k ) k0 is the Lucas sequence given by (15.5). We can check thath 2 k − µh k +2≡ 0 (mod 2 k ), for all k 1.The next step is to precompute the elements α u ∈ Z[τ] such that α u ≡ u (mod τ w ) for u odd in[1, 2 w−1 −1]. With Algorithm 15.9, we obtain the remainder β u +γ u τ of u divided by τ w expressedas a linear term in τ using (15.7). Then, when it is possible, a simpler expression for α u is computedusing, for instance, the τNAF or previous precomputations. As a result, at most two additions areneeded to determine α u P in each case.w u β u + γ u τ α u3 3 1 − µτ —4 3 −3+µτ −1+τ 25 −1+µτ —7 1+µτ —5 3 −3+µτ −1+τ 25 −1+µτ 1+τ 27 1+µτ —9 −3+2µτ 1 − µτ 3 α 511 −1+2µτ α 5 + µτ13 1+2µτ α 7 + µτ15 1 − 3µτ −α 11 − µτNow we can give the algorithm to compute the τNAF w . It was first proposed in [SOL 1999b] butthe given routine fails in some situations. We present here the corrected version [SOL 2000].

364 Ch. 15 Arithmetic of Special CurvesAlgorithm 15.17 τNAF w representationINPUT: An element η = n 0 +n 1τ ∈ Z[τ], a parameter w>1 and h w, β u, γ u and α u as above.OUTPUT: The width-w τ-adic expansion (r l−1 ...r 0) τNAFw of η in non-adjacent form.1. S ← ()2. while |n 0| + |n 1| ≠0 do3. if n 0 is odd then4. u ← (n 0 + n 1h w)mods2 w [see Remark (i)]5. if u>0 then ξ ← 16. else ξ ←−1 and u ←−u7. n 0 ← n 0 − ξβ u, n 1 ← n 1 − ξγ u and r ← ξα u8. else r ← 09. S ← r || S10. (n 0,n 1) ← (n 1 + µn 0/2, −n 0/2)11. return SRemarks 15.18(i) The integer (n 0 + n 1 h w )mods2 w is the unique integer in [−2 w−1 , 2 w−1 ] which iscongruent to n 0 + n 1 h w modulo 2 w .(ii) When w =2the width-w τ-adic NAF coincides with the classical τ-adic NAF, in otherwords τNAF 2 = τNAF.(iii) The length l of the τNAF w expansion of η = n 0 + n 1 τ is approximately equal to thebinary length of the norm of η. Ifη = n ∈ Z then l ≈ 2lgn.(iv) Since P α1 simply equals P , we need to precompute only 2 w−2 − 1 points.(v) The average density of the τNAF w expansion of η is equal to 1/(w +1). As for theordinary windowing methods, the expansions do not get longer. Hence, on average2 w−2 − 1+ dw+1elliptic curve additions are sufficient to compute the scalar multiplication[n]P , including the cost of the precomputations and assuming a reduced representationof n as input of Algorithm 15.17.Example 15.19 We continue with the setting of Example 15.15, where we have already obtainedthat [409]P = [13]P ⊖ [9]φ 2 (P ). Now it is possible to start with the τNAF 4 of 13 − 9τ instead,and Algorithm 15.17 returns13 − 9τ =(α 5 000 α 7 000 α 7 ) τ NAFw .For instance, using this last expansion, we see thatwhere[409]P = φ 8 2 (P α 5) ⊖ φ 4 2 (P α 7) ⊕ P α7 ,P α5 = [α 5 ]P = φ 2 (P ) ⊖ P = (0x256, 0x61B)P α7 = [α 7 ]P = φ 2 (P ) ⊕ P = (0x2F2, 0x11A)

§ 15.1 Koblitz curves 365have been precomputed, following the table given on page 363. We get [409]P =(0x606, 0x55A)with only two extra additions.To obtain expansions of lower density, it is possible to mix point halving (cf. Section 13.3.5)and τ-adic NAF recoding to form a double expansion (cf. Section 9.1.5) with joint weight 1/4[AVCI + 2004, AVHE + 2004], which allows faster scalar multiplication if a normal basis is chosenand some precomputations can be made.15.1.1.eComputation of the τ-adic joint sparse formBy analogy with the joint sparse form (see Section 9.1.5) a τ-adic joint sparse form is developedin [CILA + 2003]. It can be applied to Koblitz curves for faster signature verification, but also forfaster scalar multiplication if one long-term precomputation, namely that of φ ⌊d/2⌋2 , is possible.Definition 15.20 Let∑l−1∑l−1η 0 = n 0,j τ j and η 1 = n 1,j τ jj=0be two elements of Z[τ] with n i,j ∈{0, + − 1}. Theτ-adic joint sparse form, τJSF for short, of η 0and η 1 is a signed representation of the formwhere r i,j ∈{0, + − 1}, and such thatj=0( ) (η0 r0,l+2 ...r 0,0=η 1 r 1,l+2 ...r 1,0)τ JSF• of any three consecutive positions, at least one is a zero column, that is for all i and allpositive j one has r i,j+k = r 1−i,j+k =0, for at least one k in {0, + − 1}• it is never the case that r i,j r i,j+1 = µ• if r i,j+1 r i,j ≠0then one has r 1−i,j+1 = + − 1 and r 1−i,j =0.Next, we give an algorithm to actually compute such a form.Algorithm 15.21 Recoding in τ-adic joint sparse formINPUT: Two τ -adic expansions η i = P l−1j=0 ni,jτ j ,withn i,j ∈{0, + − 1}, fori =0and 1.OUTPUT: The τ -adic joint sparse form of η 0 and η 1.1. j ← 0, S 0 =()and S 1 =()2. for i =0 to 1 do3. d i,0 ← 0 and d i,1 ← 04. a i ← n i,0, b i ← n i,1 and c i ← n i,25. while l − j>0 or |d 0,0| + |d 0,1| + |d 1,0| + |d 1,1| > 0 do6. for i =0 to 1 do7. if d i,0 ≡ a i (mod 2) then r i ← 08. else r i ← `d i,0 + a i +2µ(d i,1 + b i)´ mods 49. t i,0 ← d i,0 + a i − 2µ(d i,1 + b i) − 4c i10. if t i,0 ≡ + − 3 (mod 8) then t i,1 ← d 1−i,0 +a 1−i+2(d 1−i,1 +b 1−i)11. if t i,1 ≡ 2 (mod 4) then r i ←−r i

366 Ch. 15 Arithmetic of Special Curves12. S i ← r i || S i13. for i =0 to 1 do14. d i,0 ← µ(d i,0 + a i − r i)/2+d i,1 and d i,1 ← µ(d i,1 − d i,0)15. a i ← b i, b i ← c i and c i ← η i,j+316. j ← j +117. return S 0 and S 1Remarks 15.22(i) Algorithm 15.21 works for every signed τ-adic expansions; however, in signature verificationit is usually applied to two integers η 1 ,η 2 after reducing them modulo δ. Inthis case one saves the time to compute the τ-adic expansion and just computes the reduction.To use it for single scalar multiplication, one starts with a τ-adic expansion oflength d + a 2 and splits it asη 0 =⌊d/2⌋−1∑i=0r i τ i and η 1 =d−1+a∑ 2i=⌊d/2⌋such that n = η 0 + τ ⌊d/2⌋ η 1 .(ii) Although Algorithm 15.21 is inspired from Algorithm 9.27, there are two main differences.First, two carries d i,0 and d i,1 are used for each i. Second, the conditions modulo2, 4,and8 are translated to conditions modulo τ, τ 2 and τ 3 .(iii) Like the JSF, the τJSF exists for any two elements η 0 ,η 1 ∈ Z[τ] and is unique. However,the τJSF of −3+µτ =(10¯1) τ NAF and of µτ =(0µ0) τ NAF is( ) −3+µτ=µτ( ) ¯µ0¯µ0¯µ10000µ0 τ JSFshowing that the optimality of the JSF, cf. Remark 9.28 (i), does not carry over to theτJSF.r i τ iExample 15.23 Let P and Q be two elements of E 1 (F 2 11) and let us compute [409]P ⊕ [457]Q.We have already seen that 409 ≡ 13 − 9τ (mod δ). Inthesameway,457 ≡ 17 − 10τ (mod δ).Their τNAF expansions are13 − 9τ = (000¯1010100¯1) τ NAF17 − 10τ = (101000¯10101) τ NAFwhich allows to compute [409]P ⊕ [457]Q with essentially 7 additions, if P ⊕ Q and P ⊖ Q areprecomputed. In contrast, Algorithm 15.21 returns( ) 13 − 9τ=17 − 10τgiving the same result with only 4 additions.)(¯1010100¯1¯10101¯101 τ JSF

§ 15.1 Koblitz curves 367Remark 15.24 For larger ground fields, similar subfield curves have been studied by Müller incharacteristic 2 [MÜL 1998] and by Smart in characteristic p [SMA 1999b]. In both cases, the fieldof definition is small so that χ(T ) can be computed easily. The process of expanding is as describedabove; however, the study is not as detailed as Solinas’.In [GÜLA + 2000], Günther, Lange, and Stein generalized the concept of Koblitz curves tolarger genus curves and studied two curves of genus two over F 2 . In [LAN 2001b] it has beenshown that this approach works for any genus and characteristic and this study has been detailed in[LAN 2001a]. The following section deals with Koblitz curves of arbitrary characteristic and curvesof larger genera.15.1.2 Generalized Koblitz curvesIn the previous section, we introduced the main strategies one applies to use the Frobenius endomorphismfor scalar multiplication. Here we consider generalized Koblitz curves of arbitrary genusover finite fields F q of arbitrary characteristic p. In spite of the generality, the reader should keepin mind that for use as DL systems only the Jacobians of small genus g 3 curves are useful andthat this approach should be applied only to small characteristic as the number of precomputationsgrows exponentially with the characteristic. Usually we assume prime fields as ground fields toreduce the risks of Weil descent attacks (cf. Section 22.3).We sometimes require that the characteristic polynomial of the Frobenius endomorphism is irreducible.In our case, this means no restriction as one always chooses curves with irreducible χ toavoid cofactors in the group order. We additionally require that the degree k of extension should beprime to get an almost prime group order. Let τ be a complex root of the characteristic polynomialof the Frobenius endomorphism.Then|Pic 0 C(F q k)| ==2g∏i=12g∏i=1(1 − τ k i )(1 − τ i ) ( 1+τ i + ···+ τ k−1 )= |Pic0C (F q )|i2g∏i=1(1+τi + ···+ τ k−1 )where the τ i ’s are the conjugates of τ. Thus we cannot avoid having a cofactor of size about q g ,and any divisor of k will lead to additional factors. Likewise a composite χ gives rise to cofactorsfor any degree of extension. Hence, the condition that χ should be irreducible means no restriction.Furthermore, for composite or medium degree extensions, Weil descent attacks have to be takenseriously.Formally, we have|Pic 0 C(F q k)| = cN where c = |Pic 0 C(F q )|.For cryptographic applications, we work in the cyclic subgroup of prime order l | N of Pic 0 C(F q k)generated by some divisor class D. __As our aim is to find groups with fast scalar multiplication andhard DLP we avoid supersingular curves here.We follow the same approach as in Section 15.1.1 in showing how to expand integers to the baseof τ. As before, we need to show how to reduce the length of the expansions by using a fixed degreeof the extension field.Throughout this section we let C/F q be a hyperelliptic curve of genus g given by an equationC : y 2 + h(x)y = f(x), f,h∈ F q [x], deg f =2g +1, deg h g, f monic, (15.14)and we consider the curve over the extension field F q k. Our aim is to compute the scalar multiplication[n] D __for a divisor class D __∈ Pic 0 C (F qk). For full details we refer to Lange [LAN 2005c].i

368 Ch. 15 Arithmetic of Special Curves15.1.2.a Computation of χ C (T )To make use of the Frobenius endomorphism we need to know the way it operates. By Theorem14.17, it is enough to count the number of points on C over F q , F q 2,...,F q g to compute thecharacteristic polynomial. This is very feasible as the ground field and the genus are small enoughto perform this by brute force computation.We repeat that for a curve of genus g defined over F q , the characteristic polynomial χ C (T ) is ofthe following form:where a i ∈ Z.χ C (T )=T 2g + a 1 T 2g−1 + ···+ a g T g + ···+ a 1 q g−1 T + q g ,Example 15.25 Over F 2 , we can classify up to isogeny the nine classes of hyperelliptic curvesof genus 2 given by an equation of the form (15.14) with irreducible χ C (T ), which are given inTable 15.1.Table 15.1 Binary curves of genus 2.Equation of C Characteristic polynomial χ C (T )y 2 + y = x 5 + x 3 T 4 +2T 3 +2T 2 +4T +4y 2 + y = x 5 + x 3 +1 T 4 − 2T 3 +2T 2 − 4T +4y 2 + y = x 5 + x 3 + x T 4 +2T 2 +4y 2 + xy = x 5 +1 T 4 + T 3 +2T +4y 2 + xy = x 5 + x 2 +1 T 4 − T 3 − 2T +4y 2 +(x 2 + x)y = x 5 +1 T 4 − T 2 +4y 2 +(x 2 + x +1)y = x 5 +1 T 4 + T 2 +4y 2 +(x 2 + x +1)y = x 5 + x T 4 +2T 3 +3T 2 +4T +4y 2 +(x 2 + x +1)y = x 5 + x +1 T 4 − 2T 3 +3T 2 − 4T +4The first five examples were given in Koblitz [KOB 1989]. Besides the first three classes thesecurves are nonsupersingular. The fourth and fifth case were studied by Günter, Lange, and Stein in[GÜLA + 2000].Group orders and characteristic polynomials χ C (T ) for all Koblitz curves of genus g 4 overF q with q 7 can be found at [LAN 2001c]. More details on how to obtain the characteristicpolynomial and the number of points over extension fields can be found in Section 17.1.1.15.1.2.bComputation of τ-adic expansionsAs before, let χ C (T ) denote the characteristic polynomial of the Frobenius endomorphism and letτ be one of its complex roots. To make use of the Frobenius endomorphism, we need to be able torepresent [n] D __as a linear combination of the φ i q ( D) __with bounded coefficients. This is equivalentto expanding n to the base of τ as∑l−1n = r i τ ii=0

§ 15.1 Koblitz curves 369where the r i ∈ R are elements of a set of coefficients R to be defined later. If one precomputes [r] D__for all occurring coefficients r ∈ R, then the computation of [n] D __is realized by applications of theFrobenius endomorphism, table lookups, and additions of divisor classes whenever the coefficientis nonzero. The elements of Z[τ] are of the form η = n 0 + n 1 τ + ···+ n 2g−1 τ 2g−1 with n i ∈ Z.By definition, τ satisfies a polynomial of degree 2g with constant term q g . Thus one can replace thecomputation of [q g ] D __with− ( [q g−1 a 1 ]φ q ( __D) ⊕ [q g−2 a 2 ]φ 2 q ( __D) ⊕···⊕[a g ]φ g q ( __D) ⊕···⊕[a 1 ]φ 2g−1q( __D) ⊕ φ 2gq ( __D) ) .But this need not be faster than computing [q g ] __D by the usual method of double and add. Still it isthe key observation used in expanding an integer. To compute the expansion we need a division by τwith remainder. We give the following result with proof to explain the details behind the expansionmechanism.Lemma 15.26 The element η = n 0 + n 1 τ + ···+ n 2g−1 τ 2g−1 ∈ Z[τ] is divisible by τ if and onlyif q g | n 0 .Indeed, let us suppose that τ | η. This is equivalent toη = τη ′ = τ(n ′ 0 + n′ 1 τ + ···+ n′ 2g−1 τ 2g−1 )= n ′ 0τ + n ′ 1τ 2 + ···+ n ′ 2g−2τ 2g−2 − n ′ 2g−1(q g + a 1 q g−1 τ + ···+ a 1 τ 2g−1 )= −n ′ 2g−1q g + n 1 τ + ···+ n 2g−1 τ 2g−1which is in turn equivalent to q g | n 0 .To allow computing an expansion by dividing with remainder by τ, thesetR needs to contain atleast a complete set of remainders modulo q g . Since taking the negative of a class is essentially forfree, we will use{R =0, + − 1, + − 2,..., + −⌈ q g − 12as a minimal set of remainders. Note that we would not need to include −q g /2 in the case of evencharacteristic. But as we get it for free we will make use of it.To derive a τ-adic expansion of n ∈ Z, we apply Lemma 15.26 repeatedly. Put r 0 = n mod q gfor r 0 ∈ R, s 1 =(n−r 0 )/q g , r 1 = −s 1 a 1 q g−1 mod q g for r 1 ∈ R and s 2 =(−s 1 a 1 q g−1 −r 1 )/q g .Thenn = r 0 + n − r 0 = r 0 + s 1 q g= r 0 − s 1 (a 1 q g−1 τ + a 2 q g−2 τ 2 + ···+ a g τ g + ···+ a 1 τ 2g−1 + τ 2g )= r 0 + τ(−s 1 a 1 q g−1 − s 1 a 2 q g−2 τ −···−s 1 a g τ g−1 −···−s 1 a 1 τ 2g−2 − s 1 τ 2g−1 )= r 0 + r 1 τ + τ(s 2 q g − s 1 a 2 q g−2 τ −···−s 1 a g τ g−1 −···−s 1 a 1 τ 2g−2 − s 1 τ 2g−1 )= r 0 + r 1 τ + τ 2 (...).For a concrete application of this idea in the context of elliptic curves, see Example 15.4.The expansions derived by repeatedly applying this process with minimal remainders |r i | ⌉might become periodic in some rare cases.⌈ q g −12⌉}

370 Ch. 15 Arithmetic of Special CurvesRemarks 15.27(i) For elliptic curves in even characteristic, these expansions are finite for every input (cf.Müller [MÜL 1998]), whereas in odd characteristic, Smart [SMA 1999b] shows thatonly for small field sizes they can turn out to be periodic and that this can only happenfor q =5,a 1 = + − 4 and q =7,a 1 = + − 5. To surround this problem these numbers areincluded in the set of allowed coefficients. Therefore, these “bad” values are no longerexpanded and each integer has a finite expansion.(ii) In general, let C be a hyperelliptic curve over F q of genus g. An expansion using the setof remainders R with maximal coefficient r max can be periodic of period length 1 up tochange of sign only ifr max |Pic 0 e C(F q )|,where ˜C is either the curve or its quadratic twist. If in this case the period starts atsome η ∈ Z[τ], thenη is small and one can adjoin + − r ( q g −|Pic 0 e C(F q )| ) to R for allintegers 1 r r max /|Pic 0 e C(F q )| to guarantee finite expansions, cf. [LAN 2005c] forfull details and for considerations of larger periods.In the following, we assume that R has been chosen to contain a complete set of remainders andsome further coefficients if necessary. Later in the text we shall impose conditions to achieve asparse representation, and therefore we will use different choices of the set of coefficients R dependingon the structure of χ C (T ).Now we state the algorithm for expanding an element of Z[τ] to the base of τ. Note that at themoment we would only need to represent integers, but in the further sections we will reduce thelength of the representation. Thereby we stumble over this more general problem.Algorithm 15.28 Expansion in τ-adic formINPUT: The element η = n 0 + n 1τ + ···+ n 2g−1τ 2g−1 , χ C(T ) given by the coefficients a iand a suitable set R.OUTPUT: The τ -adic expansion (r l−1 ...r 0) τ of η.1. S ← ()2. while P 2g−1j=0|nj| > 0 do3. if q g | n 0 then r ← 04. else r ← n 0 mod q g with r ∈ R [see Remark 15.29]5. S ← r || S6. s ← (n 0 − r)/q g7. for i =0 to g − 1 do8. n i ← n i+1 − a i+1q g−i−1 s9. for i =0 to g − 2 do10. n g+i ← n g+i+1 − a g−i−1s11. n 2g−1 ←−s12. return SRemark 15.29 Further requirements may be taken into account in Line 4, for instance, in evencharacteristic set r ← n 0 if |n 0 | = q g /2.

§ 15.1 Koblitz curves 371As in the binary elliptic case, the expansions are longer than desired but as there, we can use areduction technique.15.1.2.cReducing the lengthThe strategy explained so far would lead to expansions of length 2log q n ≈ 2gk — thus expansionsthat are 2g times as long as a q g -adic expansion, which mitigates the advantage of using the Frobeniusendomorphism. Thus, actually one does not expand n itself but looks for an element η ∈ Z[τ]having a short expansion and satisfying [n] D __=[η] D __for all D __∈ Pic 0 C(F q k). Oncewedecidetouse such a curve we need to fix the field F q k, i.e., the degree of extension. This gives us the additionalequation φ k q =Id. Therefore, if n ≡ η mod (τ k − 1) then [n] D __=[η] D __for D __∈ Pic 0 C (F q k)and we can choose an equivalent η with a short expansion.Remark 15.30 Note that for a fixed extension field, τ satisfies two equations. Since we consideronly irreducible polynomials χ C and since the constant term of χ C is q g ≠ + − 1, the polynomialsχ C (T ) and T k − 1 are coprime. Thus their gcd over Q[T ] is one. But we are working in Z[T ]. Theideal generated by these polynomials is a principal ideal generated by an integer (since the gcd overQ[T ] is one). In fact this number is equal to the cardinality of the divisor class group over F q k.Torephrase this, modulo |Pic 0 C(F q k)| these polynomials have a common linear factor. Now recall thatwe work in the subgroup of prime order l | N of |Pic 0 C (F qk)|. Hence, if we consider only this cyclicgroup, the polynomials have a common factor T − s in F l [T ]. This means that the operation of theFrobenius endomorphism on a divisor class corresponds to the multiplication of the ideal class bythe integer s modulo l, i.e., φ q ( D) __=[s] D __for D __in the subgroup of order l.Example 15.31 Here, we present one example; however, further good instances are easy to get[LAN 2001c]. Consider the binary curve of genus 2 given byC : y 2 +(x 2 + x +1)y = x 5 + x +1with characteristic polynomial of the Frobenius endomorphism χ C (T )=T 4 −2T 3 +3T 2 −4T +4.For the extension of degree 89 the class number is almost prime, namely|Pic 0 C(F 2 89)| =2× 191561942608242456073498418252108663615312031512914969.Let l be the large prime number. The operation of φ q on the group of order l corresponds to themultiplication bys ≡ 82467179009623045188999864044344866954789403836113928(mod l).Now let us suppose that l 2 ∤ |Pic 0 C(F q k)|, which is not a restriction in practice. Then we can evenreduce n modulo δ =(τ k − 1)/(τ − 1) = τ k−1 + τ k−2 + ···+ τ +1to compute [n] D, __astheFrobenius endomorphism cannot correspond to the identity.In summary, the following theorem holds.Theorem 15.32 Let τ be a complex root of the characteristic polynomial χ C (T ) of the Frobeniusendomorphism φ q of the hyperelliptic curve C of genus g defined over F q . Consider the curve overF q k and let n ∈ Z. Using a set of remainders R for the expansion such that no periodic expansionsoccur, there is an element η ∈ Z[τ] such that• η ≡ n (mod δ)• η has a τ-adic expansion with coefficients in R of length at most k +4g.

372 Ch. 15 Arithmetic of Special CurvesFor an element λ ∈ Q, let us recall that z = ⌈λ⌋ is the nearest integer to λ with the least absolutevalue; see p. 360 for a computational realization. We will also use ⌈·⌋ for elements of Q(τ)represented as Q[T ]/ ( χ C (T ) ) , where it is understood coefficient-wise.The idea for reduction uses the fact that one can invert elements in the field Q(τ). Thus, putso λ =2g−1∑i=0λ = n/δ ∈ Q(τ),λ i τ i ,whereλ i ∈ Q. For0 i 2g − 1, put z i = ⌈λ i ⌋ and putz :=2g−1∑i=0z i τ i and η := n − zδ.Thus it is easy to see that η ≡ n (mod δ) and we use this equivalent multiplier.Remark 15.33 The usage of ⌈·⌋ might not be the best choice, but nevertheless it provides an efficientway to compute a length-reduced representation that works for every genus g, ground fieldF q , and degree of extension k. For example, for the two binary elliptic curves, Algorithm 15.9investigates in more detail an optimal way of reduction. Considering the lattice spanned by {1,τ},the algorithm uses that for each element of Q(τ) there is a unique lattice point within distance lessthan 4/7. For larger genera the computation of the nearest point is computationally hard to realizeand we do not lose much choosing the “rounded” elements the way it is presented here.The remainder of this section is devoted to computational aspects. One first needs to compute δ andits inverse in Q(τ), which is done only once for C and k. The computations are performed usingrecurrence sequences. This corresponds to the use of Lucas sequences in the case of elliptic curves(15.13). To derive the inverse in Q(τ) one uses the extended Euclidean algorithm. If C and k aresystem parameters, these elements can be computed externally and stored on the device, as they areindependent of the chosen divisor classes. In Section 15.1.3 we state a way to circumvent this; seealso Remark 15.36 (iii).First of all one needs the representation of δ in Z[τ].Algorithm 15.34 Representation of δ =(τ k − 1)/(τ − 1) in Z[τ]INPUT: An extension degree k 1 and χ C(T ).OUTPUT: The τ -adic expansion (d 2g−1d 2g−2 ...d 0) τ of δ.1. c 0 ← 1 and d 0 ← 12. for i =1 to 2g − 1 do3. c i ← 0 and d i ← 04. for j =1 to k − 1 do5. c ′ ← c 2g−16. for i =2g − 1 down to g do7. c i ← c i−1 − a 2g−ic ′ and d i ← d i + c i8. for i = g − 1 down to 1 do9. c i ← c i−1 − a iq g−i c ′ and d i ← d i + c i10. c 0 ←−q g c ′

§ 15.1 Koblitz curves 37311. d 0 ← d 0 + c 012. return (d 2g−1d 2g−2 ...d 0) τTo find the inverse δ 1 of δ in Q(τ), we consider δ(T )= ∑ d i T i and compute the inverse of δ(T )modulo χ C (T ) in Q[T ] by the extended Euclidean algorithm; as forgcd ( δ(T ),χ C (T ) ) = δ(T )δ 1 (T )+χ C (T )V (T )one has δ −1 (T ) ≡ δ 1 (T )(modχ C (T )), which gives δ −1 = δ 1 , by abuse of notation. For fixedgenus, and hence degree of the involved polynomials, this can be made explicit.We now present the algorithm for computing scalar multiples as a whole.Algorithm 15.35 Computation of n-folds using τ-adic expansionsINPUT: An integer n, D __=[u, v], u, v ∈ F q k[x], χ C(T ), thesetR, δ and δ 1 as above.OUTPUT: The divisor class [n] D __represented by H =[s, t] with s, t ∈ F q k[x].1. for i ∈ R, i > 0 do [precomputation]2.__D(i) ← [i] D __and D(−i) __←− D(i)__3. z(T ) ←⌈nδ 1(T )⌋4.P 2g−1i=0 niT i ← n − δ(T )z(T )modχ C(T )5. η ← P 2g−1i=0 niτ i6. compute the τ -adic expansion (r l−1 ...r 0) τ of η [use Algorithm 15.28]7.__H ← D(r __l−1 )8. for i = l − 2 down to 0 do9.__H ← φ __q( H)10. if r i ≠0 then11.__H ← H __⊕ D(r __i)12. return H__Remarks 15.36(i) The first two lines are precomputations and need to be performed only once per curveand base D, __so in some applications one saves the precomputed points on the deviceand skips this step. In this case or if space is more restricted it is probably better toprecompute only the D(i)’s __and compute − D(i) __on the fly when necessary.(ii) Lines 3 to 6 compute the τ-adic expansion of η ≡ n (mod δ). The computations are infact performed in Q[T ] modulo χ C (T ).(iii) Arithmetic in Q has high system requirements. Therefore, for binary elliptic curves,Solinas [SOL 2000] proposes a partial modular reduction, cf. Remark 15.14 (ii). Insteadof computing η ∈ Z[τ] of minimal norm he obtains an element η ′ ≡ n (mod δ) whichmight have a slightly longer expansion, but the computations involve only truncated divisionsby powers of 2, which can easily be realized in soft- and hardware. For theparticular curves he considers one can explicitly state the group order as an expressionof the degree of extension k and therefore find appropriate denominators giving a good

374 Ch. 15 Arithmetic of Special Curvesapproximation. In our general case this is not possible, but one can work with an arbitrarygood approximation δ ′ 1 (T ) of δ 1(T ) in which all denominators are powers of 2.The idea of Solinas of using the number theoretic norm can be generalized to computing(τ 1 − 1)2g∏(τ1 k − 1) =i=1(τ i − 1)2g∏(τi k − 1) ×i=2(τ k i − 1)(τ i − 1) = N −1 ×2g∏i=2(τ k i − 1)(τ i − 1) .Thus, one can also precompute a Barrett inversion of N and get the inversion by multiplicationsand modular reductions.Note that in any case the resulting η ′ will still be in the same class as n sinceη ′ = n − δ ⌈nδ ′ 1⌋ ≡ n(mod δ).15.1.2.dComplexity and comparisonThe estimates for the complexity are given as number of group operations. Using precomputationsas suggested, one only needs to use group additions. If the elements are represented with respect toa normal basis, then φ q ( D) __can be computed for free. In any case, the expansions are all of approximatelength k such that k applications of φ q are always needed. Thus we ignore these operationsin the following. Besides the length, the second important characteristic for the complexity is thedensity of the expansion.We first consider the minimal set R = {0, + − 1,..., + − ⌊q g /2⌋} of coefficients. A zero coefficientoccurs with probability 1/q g , therefore the asymptotic density is (q g − 1)/q g < 1. Certainly allusual (signed) windowing methods carry through to τ-adic windows; thus if one precomputes allmultiples[r 0 ] D __⊕ [r 1 ]φ q ( D) __⊕···⊕[r w−1 ]φ w−1 ( D), __r i ∈ R, r 0 ≠0the density reduces. Thus one can trade off storage for larger speedup. Depending on the curve onecan also use other sets of coefficients, cf. Chapter 9 and [GÜLA + 2000,LAN 2001a]. This includesprecomputing all multiples [r] D __for the set R ′ = {r ∈ [2, ⌊ q 2g /2 ⌋ ]:q g ∤ r} and leads to a densityof (q g − 1)/(2q g − 1). We also like to mention that the comb methods can be applied as well, whichis interesting if the Frobenius operation is not for free and the precomputations are done for a fixedbase point as this method reduces not only the number of additions but also the number of Frobeniusoperations. As a drawback, more additions than with the windowing method are used for the samenumber of precomputations.To estimate the advantage of using Koblitz curves these numbers need to be compared to theusual arithmetic. Using binary double and add, the number of operations is 3 2 lg n ≈ 3 2kg lg q andusinganNAFofn it still is ≈ 4 3kg lg q.To sum up we have obtained the following result:Fact 15.37 If we disregard storage and time for precomputations and assume a τ-adic expansion oflength ≈ k +2g +1, the speedup factor is approximatelycompared to the binary expansion and3gq g lg q2(q g − 1) > 1.5g4gq g lg q3(q g − 1) > 1.3gcompared to the NAF expansion, for the minimal set of coefficients and for k large compared to gand q.q

§ 15.1 Koblitz curves 375Precomputations and signed digit expansions cannot be taken into account in a general formula, asit is a bit tricky to allow the same number of precomputations for comparison. We state q =2and q =5as examples, allowing windows of length at most 2, and using both, the minimal setof remainders and R ′ . The tables list the average number of group operations to compute a scalarmultiple using a signed digit windowing method and using the Frobenius endomorphism. For q =2and w =1the corresponding binary system is allowed to use a window of width g +1;forw =2a width of 2g +1is more than fair.Entries may be rounded to the nearest integer. We also include the case of elliptic curves. Forthem w =2does not require any storage and hence, we consider only that case.g binary τ-adic speedup binary τ-adic speedupwindow w =1 factor window w =2 factor1 4k/3 k/3 42 5k/2 3k/4 3 7k/3 3k/7 5.53 18k/5 7k/8 4 27k/8 7k/15 7For q =5, we cannot directly express the width w bin for the binary method as a function in g, thuswe include this parameter in the table. In all cases, w bin was chosen as the ceiling of lg(q g − 1/2)+2respectively lg(q g q g − 1/2) + 2, hence favoring the binary method.g w bin binary τ-adic speedup w bin binary τ-adic speedupwindow w =1 factor window w =2 factor1 3 4lg(5)k/5 4k/5 3.5 6 8lg(5)k/7 4k/9 62 6 16 lg(5)k/7 24k/25 5.5 11 13 lg(5)k/6 24k/49 103 8 10 lg(5)k/3 124k/125 8 15 51 lg(5)k/16 124k/249 1515.1.3 Alternative setupLike before, we concentrate on the fast computation of scalar multiples. If this is used in a DLsystem (cf. Chapter 23), the scalars are often randomly chosen. Hence, one can as well start with anexpansion of fixed length and use this as the secret scalar — not caring which integer it correspondsto if at all. This idea, suggested by H. Lenstra, as mentioned by Koblitz [KOB 1992], implies thatthe device need not be able to perform polynomial arithmetic and to deal with arithmetic, both infinite fields and in Q.If, as usual, we restrict ourselves to divisor classes D __of prime order l, weworkinacyclicgroup and φ q operates as a group automorphism. Then for the action of the Frobenius, we haveφ q ( D) __=[s] D, __wheres is an integer modulo l; see Remark 15.30. Hence, any sum∑l−1r i τ ii=0corresponds to an integer mod l, namely to∑l−1r i s i mod l,and one can replace the whole procedure of choosing random integers and computing a reducedexpansion described above by choosing a random l-tuple of coefficients r i ∈ R. The integer s isobtained viagcd ( χ C (T ),T d−1 + ···+ T +1 ) = ( T − s ) in F l [T ].This computation is done only once and s is included in the curve parameters. Here, we use theminimal set{qR = 0, + − 1,..., + g }− 1−2i=0

376 Ch. 15 Arithmetic of Special Curvesin odd characteristic andin even characteristic to avoid ambiguity.( qg )R ={0, + − 1,..., + −2 − 1 ,q g }2Remark 15.38 Likewise we can use the enlarged sets R ′ of size q g (q g − 1) and impose conditionson the density to obtain sequences (r l−1 ...r 0 ) τ resembling outputs of the reduction and expansionprocedure. Obviously, this leads to faster computations but it requires more precomputed points.We skip the details as most considerations are very similar.By a random expansion of length l we mean a tuple (r l−1 ,...,r 0 ) with r i chosen randomly inR along with the interpretation as ∑ l−1i=0 r iτ i . In [LAN 2005c, LASH 2005b] it is shown that areasonable choice is l = k − 1. The main reason against longer expansions is that collisions arethen more likely, i.e., there are several expansions corresponding to the same integer modulo l andthe probability of multiple occurrence is not equally distributed.As a possible drawback, the most significant τ-adic digits are always zero. One can design aτ-adic baby-step giant-step algorithm to exploit this and it slightly reduces the security, but usuallythe storage requirements are prohibitively large. To play it safe one should choose a slightly biggervalue for the extension degree k.This is also suggested as the Frobenius endomorphism speeds up the ordinary baby-step giantstepalgorithm by allowing us to consider equivalence classes under φ q , cf. Section 19.5.5.For signature schemes this setup might sound suspicious to attacks as described in [BOVE 1996,HOSM 2001,NGSH 2003]. Lange [LAN 2001a, LAN 2005c] generalizes the attack to hyperellipticcurves and shows that the τ-adic variant is much harder to break and that up to current knowledgeno extra weakness is implied. An extremely careful user might feel better using this approach onlyfor ElGamal and Diffie-Hellman.Remarks 15.39(i) One can restrict the key size even more by choosing a smaller set of coefficients for theτ-adic expansion. This reduces the storage requirements and the probability of collisions,but for extreme choices, e.g., if R ′ = {0, + − 1} chosen also for g, q > 2 to avoidprecomputations, one has to be aware of lattice based attacks on the subset sum problem[COJO + 1992,NGST 1999]. If one tries to get around these by using longer keys oflength k + ɛ, collisions get more likely since one has to deal with 1+s + ···+ s k−1 ≡ 0(mod l). Then the zero element occurs at least( )ɛ + r′2 max − 1+1 timesr ′ maxwhere r ′ max is the maximal coefficient of R′ .Another idea is to consider only sparse representations to reduce the complexity. Althoughthis reduces the size of the key-space as well, the implications are less dramatic.15.2 Scalar multiplication using endomorphismsIn the previous section we detailed how to use the Frobenius endomorphism to speed up the computationof scalar multiples. Gallant, Lambert, and Vanstone [GALA + 2001] observe that for curvesthat have an efficiently computable endomorphism of small norm, a speedup can be obtained. Such

§ 15.2 Scalar multiplication using endomorphisms 377specially designed curves are often called GLV curves. Every curve over a finite field comes witha nontrivial endomorphism ring, cf. Remark 14.14, but for a random curve over a prime field onecannot expect to find such a special endomorphism. We refer to [SICI + 2002] for arguments as towhy the class of elliptic curves with an endomorphism of small norm is small.15.2.1 GLV methodHere we describe how to compute scalar multiples using efficient endomorphisms. To ease theexposition we start with elliptic curves only. Let E/F q be an elliptic curve and let |E(F q )| = cl,where the cofactor c is small, in particular l ∤ c. Hence, there is only one cyclic group G of orderl contained in E(F q ). Let ψ be a nontrivial endomorphism defined over F q with characteristicpolynomial (cf. Definition 4.84)χ ψ (T )=T 2 + t ψ T + n ψ ,where the integers t ψ and n ψ are respectively the trace and the norm of ψ. In the sequel, weassume that both the trace and the norm of ψ are small. In G, the endomorphism corresponds tothe multiplication with some integer ψ(P )=[s ψ ]P for s ψ ∈ [0,l− 1] and s ψ can be obtainedas one of the roots of χ ψ (T ) modulo l. This is a complete analogy with the case of Koblitz curvesconsidered above where ψ is the Frobenius endomorphism and s ψ = s, cf. Section 15.1.To every pair (n 0 ,n 1 ) there corresponds the endomorphism n 0 + n 1 ψ operating as[n 0 ]P ⊕ [n 1 ]ψ(P ), for P ∈ G.So we can associate the integer n = n 0 + n 1 s ψ mod l to (n 0 ,n 1 ). Conversely, given n, theGLVmethod aims at finding n 0 and n 1 with the extra condition that n 0 and n 1 should be sufficientlysmall, i.e., of half the binary length of n. Then one can use multi-exponentiation, cf. Section 9.1.5,to compute [n]P faster than with ordinary scalar multiplication.We first give some examples of curves with efficiently computable ψ and then state the algorithmsto compute the ψ-adic expansion.15.2.1.aExamplesThe following examples can be found in [COH 2000, GALA + 2001].1. Let p ≡ 1(mod4)be a prime. Let E 1 /F p be given byE 1 : y 2 = x 3 + a 4 x.Let α be an element of order 4 in F p and let P =(x 1 ,y 1 ) ∈ E 1 . Then ψ 1 (P ) =(−x 1 ,αy 1 ) is also on E 1 and the map ψ 1 is an endomorphism of E 1 defined over F pwith endomorphism ring Z[ψ 1 ]=Z[ √ −1]. One can check that ψ 1 satisfies ψ 2 1 +1=0.2. Let p ≡ 1(mod3)be a prime. Define an elliptic curve E 2 /F p byE 2 : y 2 = x 3 + a 6 .If β is a third root of unity in F p ,thenψ 2 defined in the affine plane by ψ 2 (x 1 ,y 1 )=(βx 1 ,y 1 ) is an endomorphism of E 2 defined over F p with Z[ψ 2 ]=Z [ 1+ √ ]−32 . As β isa third root of unity, ψ 2 satisfies the equation ψ2 2 + ψ 2 +1=0.3. Let p>3 be a prime such that −7 is a quadratic residue modulo p. Define an ellipticcurve E 3 /F p byE 3 : y 2 = x 3 − 3 4 x2 − 2x − 1.

378 Ch. 15 Arithmetic of Special CurvesIf γ = 1+√ −72and a =(γ − 3)/4, then the map ψ 3 defined in the affine plane by( x2ψ 3 (x 1 ,y 1 )= 1 − γγ 2 (x 1 − a) , y 1(x 2 )1 − 2ax 1 + γ)γ 3 (x 1 − a) 2is an endomorphism of E 3 defined over F p with Z[ψ 3 ]=Z [ 1+ √ ]−72 . Moreover ψ3 satisfiesthe equation ψ3 2 − ψ 3 +2=0.4. Let p>3 be a prime such that −2 is a quadratic residue modulo p. Let E 4 /F p bedefined byE 4 : y 2 =4x 3 − 30x − 28.The map ψ 4 defined in the affine plane by(ψ 4 (x 1 ,y 1 )=− 2x2 1 +4x 1 +94(x 1 +2)), − 2x2 1 +8x 1 − 14 √ −2(x 1 +2) 2is an endomorphism of E 4 defined over F p with Z[ψ 4 ]=Z[ √ −2]. Moreover, ψ 4 satisfiesthe equation ψ 2 4 +2=0.5. Iijima et al. [IIMA + 2002] suggest using a quadratic twist Ẽ v /F q k of a Koblitz curveE/F q , with char(F q ) ≠2, 3, to get an endomorphism derived from the Frobenius endomorphismwithout the drawback that the group order needs to contain a factor |E(F q )|from the ground field. Therefore, k needstobeevenandv is a nonsquare in F q k.More precisely, let E be given by15.2.1.band letE : y 2 = x 3 + a 4 x + a 6 ,Ẽ v : y 2 = x 3 + a 4 v 2 x + a 6 v 3be the quadratic twist of E by v. LetP =(x 1 ,y 1 ) ∈ Ẽ v (F q k). Then one can check that˜φ q defined by˜φ q (x 1 ,y 1 )= ( v 1−q x q 1 ,v3(1−q)/2 y q )1is an endomorphism of Ẽ v over F q k, satisfying also the characteristic polynomial of φ q .Computing a basis of the endomorphism ringIn each case the endomorphism ring can be seen as a two-dimensional lattice spanned by 1 and s ψ .Finding integers n 0 and n 1 such that n = n 0 + n 1 s ψ with n i ≈ l 1/2 corresponds to finding theclosest vector to n. To avoid this heavy machinery, [GALA + 2001] suggest starting with applyingseveral steps of the extended Euclidean algorithm 10.42 to first find short vectors v 0 ,v 1 generatingthe lattice and then to compute the splitting of n.Note that the initial part of finding v 0 ,v 1 does not depend on the integer; hence, the vectors canbe precomputed and kept with the curve parameters. Let us detail how to compute v 0 and v 1 .Byrepeated division with remainder, it is possible to obtain a sequence of relationswhere• |s i | < |s i+1 |,fori 1• |t i | < |t i+1 | and r i >r i+1 0,fori 0.s i l + t i s ψ = r i , for i =0, 1, 2,...,

§ 15.2 Scalar multiplication using endomorphisms 379This can be explicitly done executing a modified version of Algorithm 10.42 with arguments s ψ andl. Namely, start with i =0, put the statements t i ← U A and r i ← A at the beginning of the whileloop in Algorithm 10.42, and increment the index after each loop.This procedure would terminate with r l−1 =1for some l as l is prime and s ψ l 1/2 . The coefficients r m+1 and t m+1 satisfy r m+1 − s ψ t m+1 ≡ 0(modl) and(r 2 m+1 + t2 m+1 )1/2 (2l) 1/2 .So v 0 =(r m+1 , −t m+1 ) is a short vector. The GLV algorithm then sets v 1 to be the shorter of(r m , −t m ) and (r m+2 , −t m+2 ).Remark 15.40 In [SICI + 2002], it is shown thatmin { max{r m , |t m |}, max{r m+2 , |t m+2 |} } Kl 1/2with an explicitly computable constant K. The size of K depends heavily on the norm of ψ and,hence, only endomorphisms with small norm lead to representations with small integers. Furthermore,this paper gives an optimal strategy to find a short vector such that the entries have a smallsize. This is done by using a different norm.Given the short vectors v 0 and v 1 from the previous step we now show how to find an expansion ofan integer n. Solve the linear equation n = n ′′0 v 0 + n ′′1 v 1 in the two-dimensional vector space overthe rationals Q and then choose n ′ i = ⌊n′′ i ⌉ = ⌊n′′ i +1/2⌋, a closest integer to n′′ i . As for Koblitzcurves this approximation is sufficiently good. Then we deducen ≡ n − n ′ 0v 0 − n ′ 1v 1 s ψ (mod l)and we assign the result to n 0 + n 1 s ψ , with small n i as the entries of v i are small. The algorithm isas follows.Algorithm 15.41 GLV representationINPUT: The integers n ∈ [0,l− 1], s ψ and the vectors v 0 =(a 0,b 0), v 1 =(a 1,b 1) as above.OUTPUT: The integers (n 0,n 1) such that n ≡ n 0 + n 1s ψ (mod l).1. n ′′0 ← b 1n/l and n ′′1 ←−b 0n/l2. n ′ 0 ←⌊n ′′0 ⌉ and n ′ 1 ←⌊n ′′1 ⌉3. n 0 ← n − n ′ 0a 0 − n ′ 1a 1 and n 1 ←−n ′ 0b 0 − n ′ 1b 14. return (n 0,n 1)Example 15.42 Let p = 2029 and let us consider a curve of the form E 2E : y 2 = x 3 +10defined over F p . The group E(F p ) is generated by P = (1620, 334) and has prime cardinality l =1951. InF p , β = 975 is a primitive third root of unity and ψ 2 (x, y) =(βx,y) is an endomorphismof E. Also, the action of ψ 2 corresponds to the scalar multiplication by s ψ = 1874.

380 Ch. 15 Arithmetic of Special CurvesTo compute [n]P with the GLV method, one must first compute short vectors v 0 =(a 0 ,b 0 ) andv 1 =(a 1 ,b 1 ) such that a i + s ψ b i ≡ 0(modl), fori =0, 1. One applies the modified version ofAlgorithm 10.42 explained above, which gives the relations1 × 1951 + 0 × 1874 = 19510 × 1951 + 1 × 1874 = 18741 × 1951 − 1 × 1874 = 77−24 × 1951 + 25 × 1874 = 2649 × 1951 − 51 × 1874 = 25.It follows that v 0 = (26, −25) and v 1 = (25, 51). Now let us compute [1271]P using Algorithm15.41. One has 1271 ≡ 13 + 9s ψ (mod 1951). The joint sparse form of 13 and 9 returnedby Algorithm 9.27 is( ) ( )13 1101= .9 1001 JSFNow precomputing ψ 2 (P )=Q = (938, 334) and R = P ⊕ Q = (1500, 1695), one has[1271]P = [13]P ⊕ [9]Q= [4]([2]R ⊕ P ) ⊕ R= (370, 359).with only 3 additions and 3 doublings. A direct computation using 1271 = (1010000¯100¯1) NAFrequires 10 doublings and 4 additions.15.2.2 GeneralizationsThe approach obviously generalizes to hyperelliptic curves as soon as one has an efficiently computableendomorphism of small norm. In [PAJE + 2002b] this idea is outlined and studied in moredetail, also giving bounds for the constants in [SICI + 2002, PAJE + 2002a].So far, only very few examples were stated in the literature. The following curves are generalizationsof the above examples.1. Let p ≡ 1(mod4)and consider the hyperelliptic curve C 1 /F p of genus g given byC 1 : y 2 = x 2g+1 + f 2g−1 x 2g−1 + ···+ f 3 x 3 + f 1 x.For P =(x 1 ,y 1 ) ∈ C 1 also ψ 1 (P )=(−x 1 ,αy 1 ) is on C 1 where as before α 4 =1.This endomorphism operates on the divisor classes in a similar manner by∑r−1∑r−1])ψ 1([x r + u i x i , v i x i =i=0i=0[∑r−1∑r−1]x r + (−1) i u i x i ,α (−1) i v i x iand has the characteristic polynomial T 2 +1.2. Let p ≡ 1(mod8). Let the genus 2 curve C 2 /F p be given byi=0C 2 : y 2 = x 5 + ax,for an arbitrary a ∈ F ∗ p.Forξ an eighth root of unity the map ψ 5 (x 1 ,y 1 )=(ξ 2 x 1 ,ξy 1 )is an endomorphism of the curve with characteristic polynomial T 4 +1.i=0

§ 15.2 Scalar multiplication using endomorphisms 381Likewise, one can construct a genus 3 curve with complex multiplication by a twelfthroot of unity ζC 3 : y 2 = x 7 + ax,satisfying ψ 6 (x 1 ,y 1 )=(ζ 2 x 1 ,ζy 1 ) and χ C3 (T )=T 6 +1.3. Let m =2g +1be an odd prime and let p ≡ 1(modm). Then the curve C 4 /F p givenbyC 4 : y 2 = x m + ahas complex multiplication by an m-th root of unity and characteristic polynomialT 2g+1 − 1T − 1= T 2g + T 2g−1 + ···+ T +1.All these examples have complex multiplication by a root of unity. There is however no technicalreason against constructing curves with an endomorphism with small norm, e.g., using the CMmethod 18.Takashima [TAK 2004] proposes to combine the GLV method of scalar splitting with real multiplicationby some ψ RM on genus 2 curves. He states how to apply ψ RM on divisor classes inMumford representation and presents two types of curves on which the endomorphism can be appliedparticularly efficiently. These curves are far more general than the examples above and thesplitting is efficient.On the BH curvesC β,γ : y 2 = βx 5 −(β+γ−3)x 4 +(β 2 −3β+5−2γ)x 3 −γx 2 +(β−3)x−1, with β ∈ F ∗ q ,γ ∈ F qthe application of ψ RM can be computed with only slightly more field operations than an addition ofdivisor classes, and the characteristic polynomial of ψ RM isχ(ψ RM )(T )=T 2 + T − 1,such that the splitting leads to small coefficients.The idea of using real multiplication can be extended to other curves and Takashima provides onemore example.15.2.3 Combination of GLV and Koblitz curve strategiesIn [CILA + 2003], it is shown how to combine the methods presented so far. Let ψ be an endomorphismof a GLV curve of cardinality l with endomorphism ψ and letχ ψ (T )=T 2 + t ψ T + n ψ .We denote by ν a complex root of χ ψ (T ). In Section 15.2.1, we have given an algorithm to computean expansion of the form n = n 0 + n 1 ν ∈ Z[ν] where n i ≈ l 1/2 while for Koblitz curves we haveshown how to obtain a long expansion with small coefficients, cf. Sections 15.1.1.b and 15.1.2.b.The ideas used to achieve the long expansion can be applied successfully to every other endomorphismas long as the norm n ψ is larger than 1. Namely, set{⌊ nψ⌋}R = 0, + − 1,..., + −2and precompute [r i ]P for every r i ∈ R. If(t ψ ,n ψ ) ≠(+ − 2, 2), ( + − 3, 3), ( + − 4, 5) or ( + − 5, 7), therelation n ψ = −t ψ ν − ν 2 used inductively on n 0 + n 1 ν gives rise to a ν-adic expansion of the form∑l−1n = r i ν ii=0

382 Ch. 15 Arithmetic of Special Curveswith r i ∈ R and l ≈ log nψl.When the pair (t ψ ,n ψ ) belongs to the set of exceptions listed above, the coefficients r i have tobetakeninthelargersetR ∪{+−⌈nψ +1This longer expansion with small coefficients is useful only if applying ψ to P is less expensive thantwo additions. In [CILA + 2003] some examples are given where this can be achieved in projectivecoordinates, namely for the examples E 3 and E 4 .For these two cases one can obtain better performance for either simple scalar multiplications, ifone can precompute Q = ψ ⌈l/2⌉ (P ), or double scalar multiplications. In the former case, once aν-adic expansion of length l is found, we can split the expansion in two parts,⌈l/2⌉−1∑i=0r i ψ i (P )and2⌊l/2⌋−1∑i=0⌉}·r ⌈l/2⌉+i ψ i (Q).such that in both cases one deals with a double scalar multiplication and can try to reduce the jointweight of them.The characteristic polynomial of ψ 4 for E 4 is given by T 2 +2 and thus a slightly modified versionof the original JSF for integers can be used leading to a joint density of 1/2.We observe that the characteristic polynomial of ψ 3 is the same as that of the binary ellipticKoblitz curves considered in Section 15.1.1 and thus exactly the same Algorithm 15.21 can be usedto derive a joint ψ 3 -adic expansion of joint density 1/2.Hence, in the two cases that one either does a double expansion as for signature verification (cf.Algorithm 1.20) or one has a long-term precomputation of Q, the longer expansions lead to fastercomputation of scalar multiples.15.2.4 Curves with endomorphisms for identity-based parametersLenstra [LEN 1999] and Brown, Myers, and Solinas [BRMY + 2001] suggest curves with endomorphismsnot only because they offer the fast scalar multiplication detailed in the previous sectionsbut also because their numbers of points are easy to determine due to their simple endomorphismrings.All examples given in Section 15.2.1.a have small discriminant and Lenstra lists some morecurves with discriminant up to 163 together with divisibility conditions on p. Using the CM-theoryas shown in Chapter 18 in an explicit way, one can easily state the number of points depending onthe representation of p = a 2 + db 2 with integers a, b, whered divides the discriminant. He alsoshows that there are several primes p such that the curves have an almost prime group order overF p .The advantage of this idea lies in the cryptographic applications (cf. Chapters 1 and 23). Thetables can be used to associate a curve with known group order and base point of almost primeorder in a deterministic manner to any bit-string, e.g., the name and properties of an entity. This isdone by using the bit-string to define a and x,wherefirsta is modified in a prescribed way till thereexists a b such that a 2 + db 2 is a prime of the desired size. Then the base point is constructed usingx. The resulting curve and base point can be used as parameters for a DL system assigned to theentity given by a, x. The advantage is that the public parameters can be computed by everybody,reducing the requirements for certificates. Furthermore, the scalar multiplication on these curves isfast.In [BRMY + 2001], Brown et al. restrict to fewer curves that correspond to the first twoin [LEN 1999], which they call compact curves, and give the group order more explicitly. This

§ 15.3 Trace zero varieties 383implies that the parameters can be constructed much faster even by restricted devices. These curvesare special cases of the curves E 1 and E 2 given in Section 15.2.1.a and thus the GLV method leadsto a fast scalar multiplication. Moreover, they provide the short vectors v 0 ,v 1 , as defined in Section15.2.1.b, which allow us to obtain the decomposition in the GLV method efficiently and thenapply the JSF. The following two examples are provided in [BRMY + 2001].1. Let f ≡ 3(mod4)and g ≡ 2(mod8)be integers such that p = f 2 + g 2 and r =p +1/2+g are both prime. The curve Cf,g α , having complex multiplication with a fourthroot of unity α as ψ 1 (x 1 ,y 1 )=(−x 1 ,αy 1 ),isgivenbyC α f,g : y 2 = x 3 − 2x.Obviously the point P =(−1, 1) ∈ C α f,g for all choices of f,g. The curve Cα f,g hasorder 2r.2. Let f ≡ 2(mod3)and g ≡ 3(mod6)be integers such that p = f 2 − fg + g 2 andr = p +1− (2f − g) are both prime. For p ≡ 2, 5(mod8)defineC β f,g : y2 = x 3 +2.Obviously the point P =(−1, 1) ∈ C β f,gfor all choices of f,g.If p ≡ 7(mod8)letC β f,g : y2 = x 3 − 2,with point P =(3, 5).For these cases, C β f,g has order r and the curves have an automorphism ψ 2 given byψ 2 (x 1 ,y 1 )=(βx 1 ,y 1 ) with β 3 =1.These conditions can be verified very easily such that they can be used to implement Lenstra’s ideaeven for restricted environments. We like to point out that in spite of these positive applications thecurves are very special and thus susceptible to specialized attacks.The same authors also proposed such a system based on genus two GLV curves of type C 4 .15.3 Trace zero varietiesTrace zero varieties were suggested for cryptographic applications by Frey [FRE 1998, FRE 2001].The construction is based on the Weil restriction of a curve over F p d to F p , cf. Section 7.4.2. Toobtain fast arithmetic in the group, one makes use of efficient arithmetic in the finite field F p d and ofthe Frobenius endomorphism. The strategy can be seen as a Koblitz curve method applied to smallextension degrees. This way, scalar multiplications in the group can be performed faster than on aJacobian of the same size.In the genus 1 case, these varieties were studied by Naumann [NAU 1999]andBlady[BLA 2002]for d =3andbyWeimerskirch[WEI 2001]ford =5.Diem[DIE 2001] studies the background ofthe general case and [LAN 2001a, LAN 2004c] studies in detail the case of genus 2 curves over F p 3.The implementation details are considered in [AVLA 2005]. (See also [CES 2005, AVCE 2005]forthe case of trace zero varieties over fields of even characteristic.) Following [DISC 2003] we arguein Section 22.3.4.b that these are the only cases of relevance for cryptographic applications as theothers achieve lower security for the same group size and thus are not competitive. Clearly, thetheoretical results can easily be generalized to larger genera and extension fields F p d. The completemathematical background is detailed in Section 7.4.2. Therefore, we concentrate on the algorithmicdetails here.

384 Ch. 15 Arithmetic of Special Curves15.3.1 Background on trace zero varietiesThe starting point for our construction is a hyperelliptic curve of genus g including elliptic curvesdefined over a prime field F p ,wherep is chosen such that p d−1 is of the desired group size. Inparticular, we assume p>5. We consider the divisor class group over the finite field extension F p dand restrict the computations to the subgroup G defined by the property that its elements D __are oftrace zero, i.e.,G :={ __D ∈ Pic 0 C (F p d) ∣ ∣ __D ⊕ φ p ( __D) ⊕···⊕φ d−1p( D) __ }=0 .The group G is a subgroup of Pic 0 C (F p d) as it is the kernel of the trace map. Obviously, φ p is agroup automorphism of G.Since in the case considered here, p is not too large, we may assume that the characteristic polynomialof the Frobenius endomorphism is known. Therefore, we can compute the order of G as|G| = |Pic0 C(F p d)||Pic 0 C(F p )|=∏ 2gi=1 (1 − τ d i )∏ 2gi=1 (1 − τ i), (15.15)where τ i are the roots of χ C (T ), the characteristic polynomial of the Frobenius endomorphism.Explicitly, if a i are the coefficients of χ C (T ), one has• for g =1and d =3• for g =1and d =5|G| = p 2 − p(1 + a 1 )+a 2 1 − a 1 +1|G| = p 4 − (a 1 +1)p 3 +(a 1 +1) 2 p 2 +(5a1 − (a 1 +1) 3) p − ( 5a 1 (a 2 1 + a 1 +1)− (a 1 +1) 4)• for g =2and d =3|G| = p 4 − a 1 p 3 +(a 2 1 +2a 1 − a 2 − 1)p 2 +(−a 2 1 − a 1 a 2 +2a 1 )p + a 2 1 + a 2 2 − a 1 a 2 − a 1 − a 2 +1.The equations above with |τ i | p 1/2 allow to obtain upper bounds on |G|. Namely• for g =1and d =3• for g =1and d =5• for g =2and d =3|G| p 2 +2p 3/2 +3p +2p 1/2 +1|G| p 4 +2p 7/2 +3p 3 +4p 5/2 +5p 2 +4p 3/2 +3p +2p 1/2 +1|G| p 4 +4p 7/2 +10p 3 +16p 5/2 +19p 2 +16p 3/2 +10p +4p 1/2 +1.In the cryptographic applications which we envision, a cyclic group of prime order is used. Thereforewe shall assume that G has a subgroup G 1 of large prime order l with a small cofactor. Inparticular, we may assume that G 1 is the only subgroup of order l of G, hence the Frobenius operationmaps G 1 onto itself. Like in the case of Koblitz curves (cf. Remark 15.30), there is an integers (modulo l) such that φ p ( D) __=[s] D __for all D __∈ G 1 (this must hold for a generator of G 1 , hencefor all elements). The integer s is computed as follows

§ 15.3 Trace zero varieties 385• for g =1and d =3• for g =1and d =5s = p − 11 − a 1mod l• for g =2and d =3s = p2 − p − a 2 1p + a 1 p +1p − 2a 1 p + a 3 1 − a2 1 + a 1 − 1 mod ls = − p2 − a 2 + a 1mod l.a 1 p − a 2 +1In other words, it can be computed explicitly in terms of a 1 (and a 2 ) and, hence, it depends only onthe curve parameters; if all users of a cryptographic system use the same curve, or may choose froma small set, s can as well be hard-coded.15.3.2 Arithmetic in GTo perform the arithmetic in the trace zero subvariety, one can use the formulas and algorithms forthe whole divisor class group, cf. Chapters 13 and 14. So far no formulas are known that succeed inmaking use of the subgroup properties.Remark 15.43 In [LAN 2004c] it is shown that for g =2only the main cases of representation needto be considered in the case distinction of Section 14.3.1. This has advantages for implementationsas the code size can be reduced and conditional branches can be avoided to a larger extent.The fast arithmetic of trace zero varieties results from a fast arithmetic of the finite field F p d withsmall extension degree (cf. Section 11.3.6) and from using the Frobenius endomorphism φ p ofthe Jacobian which can be restricted to G. This approach is similar to the one for Koblitz curvespresented in Section 15.1 but due to the small extension degree, some different choices have to bemade.Remark 15.44 It is still an open problem to find explicit formulas for the arithmetic in G or G 1 only,that are faster than the general formulas. For g =1, see Section 7.4.2 for a geometrical descriptionof the trace zero variety.On the one hand, φ p satisfies its characteristic polynomial inherited from Pic 0 C and by constructionit also satisfies T d−1 + ···+ T +1=0. Using it, we want to replace the scalar multiplication [n] D__with computations of the type[n 0 ] D __⊕···⊕[n d−1 ]φ d−1 ( D),__where the n i are of size O ( l 1/(d−1)) . The multiple scalar product can be carried out simultaneouslyreducing the number of doublings to about 1/(d − 1)-th of those necessary for [n]D, if the impliedconstants are small enough. For more details on multiple scalar multiplications see Section 9.1.5.There are two approaches to get such a representation, both being generalizations of the differentapproaches for Koblitz curves.• One is, given n, tosplit it into suitable n i ’s like in the expansion method of Koblitzcurves Section 15.1 or in the GLV method Section 15.2. As we started with randomn < l we need to ensure that the n i ’s are small, i.e., n i = O ( l 1/(d−1)) with smallconstants, but need not worry about the distribution of the scalars.p

386 Ch. 15 Arithmetic of Special Curves• The second approach is to start with the n i ’s and with suitable bounds on their size.We give upper bounds on the n i ’s ensuring that collisions cannot occur, i.e., any twodifferent sets of n i ’s lead to different elements of G. One can use this approach if onecan obtain close to l different elements. It has the advantage that one saves the time forthe splitting of n; for a restricted environment it is even more important that one savesspace for the code, cf. Section 15.1.3 for similar discussions of Koblitz curves.Starting with the expansion is preferable if one can randomly choose the integer, however, in applicationslike electronic signatures, cf. Section 1.6.3, one needs to multiply with a given integer.To obtain the splitting, one can use the same method as developed for the GLV curves becausethe Frobenius endomorphism satisfies T d−1 + ···+ T +1for all points in G and this polynomialplays the role of the characteristic polynomial of the endomorphism in that method. As the constantterm is 1, we can expect the expansions to be short. A different version working directly with thetwo equations T d−1 + ···+ T +1and χ φp (T ) is provided in [AVLA 2005]. This method has lowerrequirements than needed for implementing the GLV method but leads to slightly longer expansions.For example, the splitting of the initial n can be done with 10M for g =1,d =3and some moremultiplications in the other two recommended cases.We now state bounds on the n i such that the resulting n = n 0 + ···+ n d−2 s d−2 are all distinctmodulo l. Thus, using n i within the given bounds avoids collisions. The proofs can be found in[NAU 1999, AVLA 2005, LAN 2004c] in the given order.Theorem 15.45 Let C be a curve of genus g defined over F p and consider a base field extensionof degree d. Let D __be a generator of a subgroup of prime order l of the corresponding trace zerovariety G.1. In case g = 1,letT 2 + a 1 T + p be the characteristic polynomial of the Frobeniusendomorphism.(i) If d =3,let{ lr := min ,p − a 1}p − 1·gcd(p − 1,a 1 − 1)Then the r 2 classes [n 0 ] D __⊕ [n 1 ]φ p ( D), __0 n i

§ 15.3 Trace zero varieties 387all of G. As the size of r can easily be computed, one can check if a trace zero variety is good forthis approach.For d =3one uses the JSF of the two integers applied to D __and φ p ( D) __while for d =5it is moreuseful to work with all four integers in NAF representation and use the plain Straus–Shamir trickfor joint doublings (cf. Chapter 9 for details).

Chapter ½Implementation of PairingsSylvain Duquesne and Gerhard FreyContents in Brief16.1 The basic algorithm 389The setting • Preparation • The pairing computation algorithm • The case ofnontrivial embedding degree k • Comparison with the Weil pairing16.2 Elliptic curves 396The basic step • The representation • The pairing algorithm • Example16.3 Hyperelliptic curves of genus 2 398The basic step • Representation for k>216.4 Improving the pairing algorithm 400Elimination of divisions • Choice of the representation • Precomputations16.5 Specific improvements for elliptic curves 400Systems of coordinates • Subfield computations • Even embedding degree •Example16.1 The basic algorithmIn this chapter, we will be dealing with the computation of the Tate–Lichtenbaum pairing on JacobiansJ C of hyperelliptic curves C of genus g defined over some finite field F q of characteristic p.It is defined in Definition 6.16. The mathematical background can be found in Chapter 6. The ideato use pairings for cryptographic purposes was introduced during the 1990s, and because of the importancefor applications a lot of valuable work was done to make the computation of these pairingsas efficient as possible. There is a vast and rapidly growing literature; here we restrict ourselves tomentioning [GAHA + 2002, BAKI + 2002, BALY + 2004b] and recommending a visit to the mostinteresting crypto lounge of Barreto [BAR] which provides a very complete source of information.For simplicity, we assume that C has an F q -rational Weierstraß point, which we choose as thepoint at infinity P ∞ . That implies that we can describe the affine part of C by an equation y 2 +h(x)y = f(x) with a polynomial f of odd degree.As explained in Section 4.4.6.a, we can represent elements in J C (F q k), or alternatively divisorclasses D __of degree 0 in Pic 0 C·F , by divisors of the formq kD − gP ∞389

390 Ch. 16 Implementation of Pairingswith D an effective divisor of C of degree g rational over F q k. If we assume that D is reduced (seeSection 4.4.6.a) the representation of D __depends only on the choice of the Weierstraß point.We will first specify the context we are interested in and recall the definition of the Tate–Lichtenbaumpairing in this context.16.1.1 The settingAs usual in cryptographic applications, we shall work in a cyclic subgroup of prime order l. Weshall assume that l is large. The most interesting case is that l 2 does not divides the order of J C (F q ).We shall assume this in the future.Let k be the smallest integer such that l divides q k − 1. Thus, F q k is obtained by adjoining thel-th roots of unity to F q . The number k is called the embedding degree (with respect to l). In mostof the constructive applications of the Tate pairing we have k>1.The following remarks are easy but important consequences of our definitions and assumptions.Remarks 16.1(i) For e

§ 16.1 The basic algorithm 39116.1.2 PreparationTo implement this pairing we shall need a result following from the Riemann–Roch theorem.Lemma 16.3 Let C be as above and k ∈ N.Let s ∈ N with s O(lg q) and take effective divisors D 1 ,...,D s of degree g rational overF q .LetD be an effective divisor of degree g rational over F q k and D 2 a randomly chosen effectiveF q -rational divisor of C.Then, with a high probability (depending on q) the divisor D 1 := D ⊕ D 2 is relatively prime to∑ sj=1 Dj + P ∞ .Remark 16.4 This lemma is of no real practical importance. In the cases that are important forcryptographic applications we shall see directly how to choose D 2 .Using a variant of Lemma 16.3, we give a heuristic algorithm to represent a divisor class (D − gP ∞ )in J C (F q k) by a difference D 1 − D 2 of effective divisors (with D 2 being F q -rational) and D 1 + D 2prime to a finite set of F q -rational divisors D 1 ,...,D s of degree g with s = O(lg q).Algorithm 16.5 Relative prime representationINPUT: Effective divisors D, D 1 ,...,D s of degree g.OUTPUT: Divisors D 1,D 2 with D 1 − D 2 = D − gP ∞ and D 1 +D 2 prime to P ∞ + P sj=1 Dj .1. repeat2. choose P ∈ C(F q) and m ∈ N such that m |J C(F q)|3. compute D 2 effective with D 2 − gP ∞ = m(P − P ∞)4. compute D 1 such that (D − gP ∞) − (D 2 − D 1)=0.5. until D 1 + D 2 is prime to P sj=1 Dj + P ∞6. return (D 1,D 2)Remarks 16.6(i) By Lines 2 and 3, we get a “nearly random” element in the set of effective divisors ofdegree g on C. Note that for many instances these steps can be done by a precomputation.(ii) In very rare cases (D 1 ,D 2 ) will not satisfy the relative primeness condition. So thechoice of another random pair (P, m) will never be necessary in practice.16.1.3 The pairing computation algorithmWe shall give a procedure to compute the Tate–Lichtenbaum pairing that works in the general case.16.1.3.aThe basic stepTo compute the Tate–Lichtenbaum pairing we first have to compute the function f P andthenevaluateit at D Q . The basic step for the computation of f P consists of solving the following task, whichis also the key ingredient for the addition law in the Jacobian.For given effective divisors A, A ′ of degree g and rational over F q , find an effective divisor B ofdegree g and a function G on C such that A + A ′ − B − gP ∞ =div(G).

392 Ch. 16 Implementation of PairingsWe remark that G is a function on C defined over F q , whose zero divisor and pole divisor havedegree 2g.We shall always assume that the divisor B is reduced. By adding a suitable multiple of P ∞ wecan and will assume that B has degree g.16.1.3.bRepresentation of elementsWe want to compute T l (P, Q) with P ∈ J C (F q )[l] and Q ∈ J C (F q k).We give P by a representative D P − gP ∞ with D P reduced of degree g.For every multiple [i]P, 1 i l we choose the same type of representation: [i]P is given byD Pi −gP ∞ with D Pi an F q -rational effective divisor of degree g. So we have an identity of divisorsD Pi + D Pj − D Pi+j − gP ∞ =div(h i,j ) for i + j land D Pi ⊕ D Pj = D Pi+j .By using Algorithm 16.5 we choose a representative D Q = D 1 −D 2 for Q with D 2 an F q -rationaleffective divisor on C such that D 1 + D 2 is prime to D P + P ∞ .Remark 16.7 The reader should not be confused: It can happen that P = Q. Nevertheless, wechoose different representations according to the different roles the elements play in the pairing.16.1.3.cThe pairing algorithmWe get the following algorithm for the computation of the Tate–Lichtenbaum pairing. For ellipticcurves this algorithm was proposed by Miller to compute the Weil pairing [MIL 1986, MIL 2004].Algorithm 16.8 Tate–Lichtenbaum pairingINPUT: The integer l =(l l−1 ...l 0) 2 with l l−1 =1, a point P ∈ J C(F q)[l], the divisor D Pwith P = D P − gP ∞, and Q = D Q − gP ∞ ∈ J C(F q k).OUTPUT: The Tate–Lichtenbaum pairing T l (P, Q).1. compute D 1,D 2 [using Algorithm 16.5 on D Q]2. D Q ← D 1 − D 23. T ← D P and f ← 14. for i = l − 2 down to 0 do5. T ← [2]T6. f ← f 2 G(D Q) [div(G) =2T − [2]T − gP ∞]7. if l i =1 then8. T ← T ⊕ D P9. f ← fG(D Q) [div(G) =T + D P − (T ⊕ D P ) − gP ∞]10. return (f) qk −1lRemarks 16.9(i) In Algorithm 16.8, we have to evaluate several functions G at D Q . They have zeroesand poles at P ∞ and D Pi for indices i occurring in the addition chain, depending onlyon the binary expansion of l. WeneedthedivisorD Q to be prime to the divisors of

§ 16.1 The basic algorithm 393these functions. By Lemma 16.3 we know that we have a very good chance that this issatisfied; or else we have to choose a new random representation for Q.(ii) The algorithm is presented here in a double and add form and requires O(lg l) basicsteps to evaluate f P at D Q (i.e., to compute the Tate–Lichtenbaum pairing). In thefollowing, for clarity, we will always use this form, but the reader must keep in mindthat better algorithms are available and must be used in practice. These algorithms(window methods, recoding of the exponent, use of endomorphisms of special curvesif available) are described in Chapters 9 and 15 and can be applied to our situation forpairings without difficulties.(iii) While executing Algorithm 16.8 we have to evaluate quotients of polynomials and soinversions occur. But, as is easily seen, we can postpone these inversions by multiplyingand squaring denominators, and then we have to execute just one inversion in F q k at theend of the algorithm.(iv) The algorithm depends heavily on the Hamming weight of l, and if we have the opportunityto have an l with small Hamming weight, such as a Solinas prime [SOL 1999a],for instance, it should be taken.In fact, the same remark applies if the order N of J C (F q ) has low Hamming weight[GAHA + 2002]. We replace l-elements by the whole Mordell–Weil group J C (F q ).IfN/l is sufficiently small such a choice provides computational savings. But be careful:we need more roots of unity and so k would be much larger in general (without anypositive effect for security).In constructive applications we are often in a context that k>g.Forg =1this just means that kis larger than 1. In applications to g 2 the assumption on k is reasonable, too. In the followingsection we explain which accelerations this implies.16.1.4 The case of nontrivial embedding degree kIn this section we shall assume that k>g.As always we assume that the element P is rational over F q and has order l.It is useful to recall that for any element P ′ in J C (F q e) with e

394 Ch. 16 Implementation of PairingsLet P ′ be a point on C(F q ), which appears in D Pj =: D j (for some j) aswellasinD Q . Thenall conjugates of P ′ appear in D j and so P ′ is rational over a field F q e with eg• P ∈ J C (F q )[l], Q ∈ J C (F q k), P and Q represented by D P − gP ∞ resp. D Q ′ − gP ∞• D Q be the divisor obtained from D Q ′ by removing all sub-summands that are rationalover F q e for some egINPUT: The integer l =(l l−1 ...l 0) 2 with l l−1 =1, P = D P − gP ∞ ∈ J C(F q)[l], Q =D ′ Q − gP∞ ∈ JC(F q k), D′ Q effective of degree g.OUTPUT: The Tate–Lichtenbaum pairing T l (P, Q).1. compute D Q from D ′ Q by removing all sub-summands rational over F q e with e

§ 16.1 The basic algorithm 3955. f ← f 2 G(D Q) [div(G) =2T − [2]T − gP ∞ ]6. if l i =1 then7. T ← T ⊕ D P8. f ← fG(D Q) [div(G) =T + D P − (T ⊕ D P ) − gP ∞]9. return (f) qk −1lThe remaining computations in the pairing algorithm are performed in F q with the exception of theevaluations of the functions G at D Q , which are executed by multiplications of elements of F q withelements of F q k, since the coefficients of the functions G are in F q . For implementation of extensionfield arithmetic, we refer to Chapter 11.16.1.5 Comparison with the Weil pairingBoth in a destructive manner [MEOK + 1993] and in a constructive manner [BOFR 2001], the useof pairings in cryptography first appeared through the use of the Weil pairing. ItisdefinedbyW l : J C (F q )[l] × J C (F q )[l] → µ l(P, Q) ↦→ f P (D Q )f Q (D P )where µ l is the multiplicative groups of the l-th roots of unity in the algebraic closure F q of F q .Note that no final powering is required for the Weil pairing.To evaluate the pairing, we have to work in a finite field F q k ′ . We can take k′ as the degree of thesmallest extension of F q over which the rank of l-torsion elements is larger than g.It follows that k k ′ . In most cases, k is equal to k ′ (for instance, for elliptic curves such that ldoes not divide q −1 [BAKO 1998]) but there are cases in which we have inequality even for ellipticcurves and so the underlying field used for the Tate–Lichtenbaum pairing is smaller. Related to thisis the following observation: by definition W l (P, P) is always trivial. This is not always the casefor the Tate–Lichtenbaum pairing [FRMÜ + 1999]. This point will be discussed in more detail inSection 24.2.1.b.This first advantage of the Tate–Lichtenbaum pairing concerns mostly its destructive role. On theconstructive side, we want k to be different from 1.The computation of the Weil pairing evidently requires two evaluations of functions, whereasonly one is required for the Tate pairing so that it is usually assumed that the computation of theWeil pairing takes roughly twice as long as the computation of the Tate–Lichtenbaum pairing. Thesituation is in fact worse if we take the results in Section 16.1.4 into account. The accelerationsobtained there crucially depend on the fact that P is defined over F q . It shows that the evaluation off P (Q) modulo l-th powers is faster than the evaluation of f Q (P ) if k>1 or even k>g.Moreover, in the Weil pairing we must take Q as an element of order l not lying in the cyclic groupgenerated by P . To find such an element it is often necessary to take a random element in J C (F q k)and then to multiply it by |J C (F q k)|/l, which corresponds to the final exponentiation in the Tate–Lichtenbaum pairing. In any case we cannot use the freedom to choose a suitable representative inthe class of Q modulo lJ C (F q k), which enabled us to considerably simplify the pairing algorithm .There is one additional step when we compute the Tate–Lichtenbaum pairing: the final exponentiation.Since it is costly it should be postponed whenever possible, and in fact this can be done inmany protocols (cf. Chapter 24).So, there are reasons to prefer the Tate–Lichtenbaum pairing for cryptographic use. We shall now

396 Ch. 16 Implementation of Pairingsgive more explicit details for this algorithm, first in the case of elliptic curves and second in the caseof hyperelliptic curves of genus 2.16.2 Elliptic curvesIn this section, E will denote an elliptic curve defined over F q . In this case the Tate–Lichtenbaumpairing is described in full detail in [FRMÜ + 1999]. The special situation is that E can be identifiedwith its Jacobian (after the choice of P ∞ as zero point).16.2.1 The basic stepAs we know, every divisor class of degree 0 in E(F q ) can be uniquely represented by a divisorP − P ∞ with P ∈ E(F q ). We will describe how to find the function G that occurs in the basic stepof the computation.Take P and P ′ in E(F q ). We have to find a point B on E and a function G such that we have thedivisor identityP + P ′ − B − P ∞ =div(G).We observe that B = P ⊕ P ′ is in fact the usual sum of P with P ′ on E, andG isgivenbytheequations of the lines used to compute B.Let L 1 be the line through P and P ′ (which is the tangent to the curve at P if P = P ′ ). This lineintersects E at a third point C. LetL 2 be the (vertical) line through C and P ∞ .The equations of these two lines induce two functions on the curve, the function G is nothing butL 1 /L 2 . In factdiv(L 1 ) = P + P ′ + C − 3P ∞div(L 2 ) = C + B − 2P ∞div(L 1 /L 2 ) = P + P ′ − B − P ∞ .To clarify, we choose the usual affine coordinates and assume that P =(x 1 ,y 1 ) and Q =(x 2 ,y 2 )and that x 1 ≠ x 2 .WegetG = Y − λ(X − x 1) − y 1X +(x 1 + x 2 ) − λ 2 where λ = y 1 − y 2x 1 − x 2·If P = Q we have to replace λ by the slope of the tangent to E at P to get G.We remark that we can avoid the inversion needed to compute λ by using homogeneous coordinates.We cannot avoid that G is a rational function, so divisions occur when we evaluate thefunctions G at a point R. But we can reduce them easily to one inversion at the end of the additionchain (for the cost of one multiplication and, in some instances, one squaring in addition, at eachstep of the pairing algorithm).16.2.2 The representationWe restrict ourselves to the most interesting case and assume that k>1.As usual, we represent points R on E by the divisor R − P ∞ . So, points on E play an ambiguousrole, being interpreted as prime divisors or as elements on the Jacobian of E associated to the classR − P ∞ .

§ 16.2 Elliptic curves 397As l is given, the pairing algorithm involves a fixed set of prime divisors [d j ]P (denoted by D Pj inthe general case) whose number s is of size O(lg l). LetQ be given in the standard form Q − P ∞with Q an F q k-rational point on E which is not rational over F q e for e1INPUT: The integer l =(l l−1 ...l 0) 2 with l l−1 =1, the points P =(x 1,y 1) ∈ E(F q)[l] andQ =(x 2,y 2) ∈ E(F q k).OUTPUT: The Tate–Lichtenbaum pairing T l (P, Q).1. T ← P , f 1 ← 1 and f 2 ← 12. for i = l − 2 down to 0 do3. T ← [2]T [T =(x 3,y 3)]4. λ ← the slope of the tangent of E at T5. f 1 ← f 2 1 (y 2 − λ(x 2 − x 3) − y 3)6. f 2 ← f 2 2 (x 2 +(x 1 + x 3) − λ 2 )7. if l i =1 then8. T ← T ⊕ P9. λ ← the slope of the line through T and P10. f 1 ← f 1(y 2 − λ(x 2 − x 3) − y 3)11. f 2 ← f 2(x 2 +(x 3 + x 1) − λ 2 )12. ` freturn 1´ q k −1lf 216.2.4 ExampleConsider the elliptic curve E defined over F 13 byy 2 = x 3 +6.Its order is l = 7 = (111) 2 and E(F 13 ) is generated by the point P =(2, 1). In the addition chain,there occur T = P, T =[2]P, T =[3]P, T =[6]P . We can choose P 0 =[5]P . The embeddingdegree is 2 because 7 divides 13 2 − 1 but not 13 − 1. Since 2 is not a square in F 13 , F 13 2 ≃ F 13 [α]where α 2 =2. We want to compute the Tate–Lichtenbaum pairing of P and Q =(10+3α, 11+2α).Let us apply Algorithm 16.12.First, initialize f 1 = f 2 =1and T =(2, 1).

398 Ch. 16 Implementation of PairingsThen i =1. We compute the lines L 1 and L 2 arising in the doubling of T =(x 3 ,y 3 ):Then, we evaluate these functions at Q:so that T =[2]P =(6, 1) andλ = 3x 2 3/2y 3 = 6,L 1 = y − y 3 − λ(x − x 3 ) = y +7x +11,L 2 = x +2x 3 − λ 2 = x +7.L 1 (Q) = ( 11 + 2α +7(10+3α)+11 ) =1+10α,L 2 (Q) = (10+3α)+7=4+3α,f 1 = L 1 (Q) =1+10α,f 2 = L 2 (Q) =4+3α.Since l 1 =1, we compute now the lines arising in the addition of T and P :so that T =[3]P =(5, 12) andL 1 = y +12and L 2 = x +8,f 1 = f 1 L 1 (Q) =(1+10α)(10 + 2α) =11+11α,f 2 = f 2 L 2 (Q) =(4+3α)(5 + 3α) =12+α.The next value of i is 0. We compute the lines L 1 and L 2 arising in the doubling of T :so that T =[6]P =(2, 12) andL 1 = y +5x +2and L 2 = x +11,f 1 = f 2 1 L 1 (Q) =(11+11α) 2 (11 + 4α) =1+6α,f 2 = f 2 2 L 2(Q) =(12+α) 2 (8 + 3α) =12+6α.Since l 0 =1, we now compute the lines arising in the addition of T and P :L 1 = x − 2 and L 2 =1,so that T =7P = P ∞ , f 1 =(1+6α)(8 + 3α) =5+12α and f 2 =12+6α.Thus the Tate–Lichtenbaum pairing of P and Q is( ) 24 5+12α=4+α.12 + 6α16.3 Hyperelliptic curves of genus 2In Section 16.1.3.c, it is shown how to evaluate the Tate–Lichtenbaum pairing on the Jacobian of acurve, assuming an explicit reduction algorithm for divisors on the curve. For hyperelliptic curves,such an algorithm can be given by Cantor’s algorithm or by explicit formulas (see Chapter 14). Weshall make this a bit more explicit in the case that g =2.

§ 16.3 Hyperelliptic curves of genus 2 39916.3.1 The basic stepLet A =[u, v] and A ′ =[u ′ ,v ′ ] be divisors in Mumford representation. Cantor’s Algorithm 14.7returns the divisor B in Mumford representation such that there exists a function G on C andA + A ′ − B − 2P ∞ =div(G).We will now explain how to compute G.In the composition step of Cantor’s algorithm, we compute the polynomial δ which is the greatestcommon divisor of u, u ′ and v + v ′ + h and a divisor [U, V ], which is in the same divisor class asB. At this point, two cases may occur:• deg(U) 2: this means that [U, V ] is already reduced, so we set G(x, y) equal to δ(x),• deg(U) > 2: the divisor [U, V ] must be reduced to obtain B and G(x, y) = U(x)V (x)+y δ(x).16.3.2 Representation for k>2Assume that P ∈ J C (F q ) and Q ∈ J C (F q k) J C (F q e) for all e2• P ∈ J C (F q )[l] and Q ∈ J C (F q k), P and Q represented by D P − 2P ∞ respectivelyD ′ Q − 2P ∞ with D ′ Q = Q 1 + Q 2 and assume that Q is not rational over any field F q ewith e

400 Ch. 16 Implementation of PairingsSo, we can remove in D ′ Q exactly the points that are defined over F q e with eg. We have explainedin Proposition 16.10 and in Example 16.2.4 how to do this.Also, the extension field arithmetic has to be implemented with care [GAHA + 2002].16.4.3 PrecomputationsIf P is either fixed or used several times, the computation of the pairing can easily been sped upby precomputing the functions G. Indeed, these functions depend only on P . Then, if k>g,we simply evaluate these functions at D Q . Note that actual cryptosystems based on pairings oftenneed such a P (base divisor on the Jacobian, public key). On the other side the number of neededprecomputations is of size O(lg l), which is quite large.16.5 Specific improvements for elliptic curvesWe list now some possibilities for improving the evaluation algorithm in the special case that C isan elliptic curve E.

§ 16.5 Specific improvements for elliptic curves 40116.5.1 Systems of coordinatesWe have already seen that other systems of coordinates should be used to avoid inversions, as it is thecase for scalar multiplication (see Section 16.4.1). Moreover, Izu and Takagi observe [IZTA 2003a]that in using Jacobian coordinates, many squarings of the Z-coordinate are needed in the computationof the lines L 1 and L 2 . Therefore, they introduce a new system of coordinates (X, Y, Z, Z 2 )in which (X, Y, Z) represent a point in the Jacobian coordinates. This representation is called thesimplified Chudnovsky Jacobian coordinates and denoted J s . This system of coordinates requiresthe same number of operations as Jacobian coordinates for doubling and addition, but a square canbe removed both in the computation of the line for addition and for doubling.The authors also provide iterated doubling formulas with this new system of coordinates. Itconsists in directly computing 2 j P . This method avoids j − 1 squarings compared to j standarddoublings. We can take advantage of this if a large window size is used in the scalar multiplicationor if the binary expansion of l has many zeroes. The same kind of idea is used in [BLMU + 2004]where some operations are saved using a 4-ary algorithm with direct formulas.Nevertheless, we have to keep in mind that, since P is defined over F q , the inversions savedby these changes of coordinate are inversions in F q . Also, extra multiplications are introduced (asusual, when one uses projective coordinates), but with one of the factors in F q k. So projectivelikecoordinates must be used very carefully for the computation of the Tate–Lichtenbaum pairing[GAHA + 2002]. By coupling the pairing algorithm with Montgomery’s scalar multiplication ladder,Scott and Barreto obtained a laddering version of Algorithm 16.12 [SCBA 2004]. This canof course be combined with efficient formulas for doubling and addition if the curve can be transformedinto Montgomery form as described in Section 13.2.3. Therefore, the advantages of thisscalar multiplication method (little memory required, parallel computing eased and resistance toside-channel attacks enabled [JOYE 2000]) can be exploited in pairing-based cryptosystems.16.5.2 Subfield computationsLet e be a nontrivial divisor of k and let k 1 = k/e. We shall use the fact that elements in F q e arel-th powers. This makes the inversion needed in the evaluation step faster.Lemma 16.14 Let z be an element of F ∗ q k .Thenk∏1−1j=1φ j q e(z) ≡ z−1 mod ( (F ∗ q k)l) . (16.1)The proof follows from the fact that z times the left-hand term of (16.1) is in F q e and hence is anl-th power.Remark 16.15 In Chapter 11, it is explained how to evaluate ∏ k 1−1j=1 φj qe(z) quickly. There, thenorm map is used to compute inverse elements in extension fields exactly and not only up to l-thpowers.So, we can rewrite our pairing algorithm for the Tate–Lichtenbaum pairing of elliptic curves.We assume that k>1 and that k 1 is the smallest prime divisor of k.As usual we take P ∈ E(F q ) and Q ∈ E(F q k) E(F q ).

402 Ch. 16 Implementation of PairingsAlgorithm 16.16 Tate–Lichtenbaum pairing for g =1if k>1 and k = k 1 eINPUT: The integer l =(l l−1 ...l 0) 2 with l l−1 =1, the points P =(x 1,y 1) ∈ E(F q)[l] andQ =(x 2,y 2) ∈ E(F q k).OUTPUT: The Tate–Lichtenbaum pairing T l (P, Q).1. T ← P and f 1 ← 1 and f 2 ← 12. for i = l − 2 down to 0 do3. T ← [2]T [T =(x 3,y 3)]4. λ ← the slope of the tangent of E at T5. f 1 ← f12 `y2 − λ(x 2 − x 3) − y 3´6. f 2 ← f22 `x2 +(x 3 + x 1) − λ 2´7. if l i =1 then8. T ← T ⊕ P9. λ ← the slope of the line through T and P10. f 1 ← f 1(y 2 − λ(x 2 − x 3) − y 3)11. f 2 ← f 2(x 2 +(x 3 + x 1) − λ 2`f)Q e(f2)´ k1 −1qk −112. return 1 j=1 φj lqFor small number k 1 the inversion would be computed using the norm map and an inversion in F q k.So, our observation saves one inversion and also 2k 1 multiplications in F q e.The nicest case is k 1 =2and so k even. We have to apply φ q e just once. But we shall see inthe next section that with the cost of at most one addition on elliptic curves (which is very often notnecessary) we shall get a further simplification.16.5.3 Even embedding degreeWe assume that k =2e and choose k 1 =2. The Frobenius automorphism φ q e operates as aninvolution on E(F q k)[l] and has one eigenvalue 1 with P as eigenvector. By elementary linearalgebra it follows that it has −1 as eigenvalue with eigenspace V − of rank 1. IfQ ′ ∈ V − we getthat φ q e(Q ′ ) has the same x-coordinate as Q ′ and so the x-coordinate of Q ′ lies in F q e.If Q is any point of E[l] the point Q ′ := Q − φ q eQ lies in V − .SinceT l (P, Q ′ )=T l (P, Q) · T l (P, −φ q eQ) =T l (P, Q) 2it follows that we can compute T l (P, Q) 2 by using Q ′ , a point whose x-coordinate lies in F q e.Again, given that elements in this field are l-th powers, we can simplify the evaluation algorithmfor the Tate–Lichtenbaum pairing.Algorithm 16.17 Tate–Lichtenbaum pairing for g =1and k =2eINPUT: The integer l =(l l−1 ...l 0) 2 with l l−1 =1, points P ∈ E(F q)[l] and Q ∈ E(F q k).OUTPUT: The quantity T l (P, Q) 21. Q ← Q − φ q eQ2. T ← P and f ← 1

§ 16.5 Specific improvements for elliptic curves 4033. for i = l − 2 down to 0 do4. T ← [2]T5. f ← f 2 L(Q) [L is the tangent line of E at T ]6. if l i =1 then7. T ← T ⊕ P8. f ← fL(Q) [L is the line through T and P ]9. return f qk −1lRemark 16.18 In most applications, the knowledge of T l (P, Q) 2 will be as good as that of T l (P, Q).If not, we can proceed as follows.• If q is even, compute the unique square root of f qk −1l• Otherwise, setχ(f) =and T l (P, Q) =f qk −12l χ(f).{−1 if f is not a square in F q k,1 else.in F q k which is equal to T l (P, Q).16.5.4 ExampleWe consider again the elliptic curve E defined over F 13 byy 2 = x 3 +6.We take P =(2, 1).The embedding degree is 2 because 7 divides 13 2 − 1 but not 13 − 1. Since 2 is not a square inF 13 , F 13 2 ≃ F 13 [α] where α 2 =2. We want to compute the Tate–Lichtenbaum pairing of P andQ =(10+3α, 11 + 2α).We apply Algorithm 16.17. So, we have to compute Q ′ = Q − φ 13 2(Q). Sincewe get−φ 13 2(Q) =(10+10α, 2+2α)Q ′ =(12, 3α).First, let us initialize f =1and T =(2, 1). Then i =1. We compute the line L arising in thedoubling of T =(x 3 ,y 3 ):λ =3x 2 3 /2y 3 =6,We evaluate L at Q ′ :L = y − y 3 − λ(x − x 3 )=y +7x +11.L(Q ′ ) = (3α +7× 12 + 11) = 4 + 3α.Now, we have T =[2]P =(6, 1) and f =4+3α.Since l 1 =1, we compute the line arising in the addition of T and P :L = y +12

404 Ch. 16 Implementation of Pairingsand compute T =[3]P =(5, 12). Sof =(4+3α)(12 + 3α) =1+9α.Finally, i =0. We compute the line L arising in the doubling of T :and compute T =[6]P =(2, 12) andL = y +5x +2f = f 2 L(Q ′ )=(1+9α) 2 (10 + 3α =9+6α =3(3+2α).Since l 0 =1, we compute the line arising in the addition of T and P :L = x − 2We get, as expected T =7P = P ∞ .Since the x-coordinate of Q ′ is in F 13 , we are done:T l (P, Q ′ )=(3+2α) 24 =5+8α.We note that T l (P, Q) =(3+2α) 12 =4+α, and we get the result from Example 16.2.4 back.

ÁÎPoint Counting

Chapter ½Point Counting on Elliptic andHyperelliptic CurvesReynald Lercier, David Lubicz, and Frederik VercauterenContents in Brief17.1 Elementary methods 407Enumeration • Subfield curves • Square root algorithms • Cartier–Maninoperator17.2 Overview of l-adic methods 413Schoof’s algorithm • Schoof–Elkies–Atkin’s algorithm • Modular polynomials •Computing separable isogenies in finite fields of large characteristic •Complete SEA algorithm17.3 Overview of p-adic methods 422Satoh’s algorithm • Arithmetic–Geometric–Mean algorithm • Kedlaya’salgorithm17.1 Elementary methodsThis section describes various elementary methods to compute the characteristic polynomial χ(φ q ) Cof a nonsingular curve C over a finite field F q . Recall that the L-polynomial of C is defined asL C (T )=T 2g χ(φ q ) C (1/T ), which shows that computing either polynomial is sufficient.17.1.1 EnumerationLet C be a projective, nonsingular curve over a finite field F q with q = p d and letL C (T )=2g∑a i T i =2g∏i=0 i=1(1 − α i T )denote the L-polynomial of C. By the Weil conjectures we have|C(F q k )| = q k +1−4072g∑i=0α k i , (17.1)

408 Ch. 17 Point Counting on Elliptic and Hyperelliptic Curvesand if S k = −2g∑i=0α k i , then the Newton–Girard formula gives the following recurrence formula:ka k = S k a 0 + S k−1 a 1 + ···+ S 1 a k−1 , (17.2)with a i =0, for i>2g. The functional equation of the zeta function implies that a i+g = q g−i a ifor i =0,...,g, so it suffices to compute a 0 ,...,a g or S 1 ,...,S g by (17.2).17.1.1.a Hyperelliptic curves over finite fields of characteristic 3In this section, we will assume that p is an odd prime and q = p d . As shown in Section 4.4.2.b, agenus g hyperelliptic curve C with F q -rational Weierstraß point can be defined by an affine equationof the form y 2 = f(x) with f ∈ F q [x] a squarefree polynomial of degree 2g +1.To compute |C(F q k )| for k =1,...,g, we simply test which α ∈ F q k give rise to points on Cand add the unique place at infinity. Clearly, to every zero α ∈ F q k of f only one point (α, 0) correspondsand to every α ∈ F q k with f(α) a nonzero square, two points ( √ )α, + − f(α) correspond.Let F q k be represented by F p [X]/ ( g(X) ) with g(X) an irreducible polynomial of degree dk, thenby the definition of the (generalized) Legendre symbol (see Section 2.3.4), we have|C(F q k)| =1+ ∑α∈F q k(1+( f(α)g(X)α∈F q k))= q k +1+ ∑α∈F q kwhere the 1 corresponds to the place at infinity. Comparing with (17.1) shows thatS k = ∑ ( ) f(α)·g(X)( ) f(α), (17.3)g(X)To compute the generalized Legendre symbol, we can use Algorithm 11.69. However, for small q itis often much faster to precompute a hash table of squares in F q k and test if f(α) is in the table.Remark 17.1 Precomputing a hash table of squares in a finite field F q k can be done quite efficientlyas follows: first assume that q = p and k =1, then clearly 1(modp) is a square and the othersquares can be computed using the recursion(α +1) 2 ≡ α 2 +2α +1 (modp),for α =1,...,(p − 1)/2. A similar, though slightly more complicated trick can be used to computethe table for k>1 based on the recursion(α(X)+Xi ) 2= α(X) 2 +2α(X)X i + X 2i .The product α(X)X i is in fact a simple shift, which leaves the term X 2i . Here we make thedistinction between i

§ 17.1 Elementary methods 40917.1.1.b Hyperelliptic curves over finite fields of characteristic 2Recall from Section 4.4.2.b that a genus g hyperelliptic curve C with F q -rational Weierstraß pointfor q =2 d can be defined by an affine equation y 2 + h(x)y = f(x), with deg h g and deg f =2g +1. To compute |C(F q k )|, we again count the number of points corresponding to every elementα ∈ F q k and add the unique place at infinity. Every zero α ∈ F q k of h is the x-coordinate ofonly one point ( α, √ f(α) ) ;everyα ∈ F q k with h(α) ≠0is the x-coordinate of either 0 or 2points depending on the trace of f(α)/h(α) 2 . Indeed, define z = y/h(α), then the equation ofthe curve becomes z 2 + z = f(α)/h(α) ( 2 and according to Hilbert Satz 90 this equation has twodistinct solutions if and only if Tr ) Fq k /F 2 f(α)/h(α)2=0.LetV h be the affine variety defined byh(x) =0, then we conclude that∑(( )) f(α)|C(F q k)| =1 + |V h (F q k)| + 2 1 − Tr Fq k /F 2,h(α)α∈F q k 2 Vhwhere again the 1 corresponds to the unique place at infinity.Example 17.3 Let d =5and F 2 5 ≃ F 2 (θ) with θ 5 + θ 2 +1=0and let C be defined by y 2 +h(x)y = f(x) withh(x) =(θ 4 + θ 3 + θ +1)x 3 +(θ 4 + θ 2 + θ +1)x 2 +(θ 3 + θ)x + θ 2 + θ +1,f(x) =x 7 +(θ 4 + θ 2 )x 6 +(θ 4 + θ 2 + θ)x 5 +(θ 4 + θ 3 + θ 2 + θ)x 4 +(θ 3 + θ 2 )x 3+(θ 3 + θ)x 2 +(θ 4 + θ 3 )x + θ 3 + θthen S 1 =3,S 2 =13,S 3 = 423 and formula (17.2) leads to a 0 =1,a 1 =3,a 2 =11,a 3 = 165,so the L-polynomial of C is given byL C (T ) = 32768T 6 + 3072T 5 + 352T 4 + 165T 3 +11T 2 +3T +1.17.1.2 Subfield curvesCurves defined over a small finite field admit faster Jacobian arithmetic using the Frobenius endomorphismas shown in Section 15.1. Since the curve is defined over a small finite field, it is easy tocompute its L-polynomial using an elementary method such as enumeration.Let C be a nonsingular curve over F q with Jacobian variety J C and let L k ∈ Z[T ] denote theL-polynomial of C/F q k, then the order |J C (F q k)| is given by L k (1). Assume we have computedL 1 (T )= ∏ 2gi=1 (1 − α iT ), then by the Weil conjectures (see Section 8.3) we can easily recoverL k (T ) asL k (T )=2g∏i=1(1 − α k i T ).A first approach therefore is to factor L 1 (T ) over C with suitable precision, compute the k-th powersof the roots and recover |J C (F q k)| = ∏ 2gi=1 (1 − αk i ).SinceJ C(F q ) is a subgroup of J C (F q k) weconclude that L 1 (1) | L k (1). This observation can be used to lower the precision with which the α ihave to be computed, since it suffices to round ∏ 2gi=1 (1 − αk i ) to the nearest multiple of L 1(1).The second method solely relies on integer arithmetic and is thus far easier to implement. LetL 1 (T )= ∑ 2gi=0 a iT i and define S k = − ∑ 2gi=1 αk i , then again we can use the recurrence formuladue to Newton–Girardka k = S k a 0 + S k−1 a 1 + ···+ S 1 a k−1 (17.4)

410 Ch. 17 Point Counting on Elliptic and Hyperelliptic Curveswhere a i =0,fori>2g.The above formula can be used in two ways: firstly, given a i for i =0,...,2g compute S kfor any k or secondly, given S k for k =1,...,g compute a i for i =0,...,g and thus also fori = g +1,...,2g since a i+g = q g−i a i . WriteL k (T )=2g∏i=1(1 − α k i T )=2g∑i=0a k,i T i ,then we can easily compute the a k,i given S jk for j =1,...,gby using the Newton–Girard formulafor L k :ia k,i = S ik a k,0 + S (i−1)k a k,1 + ···+ S k a k,i−1 . (17.5)The algorithm thus proceeds in two phases: in the first phase compute S jk for j =1,...,gfrom thecoefficients a i using (17.4); in the second phase, recover the a k,i using (17.5). A similar approachcan be found in the thesis of Lange [LAN 2001a].Example 17.4 Let C be an elliptic curve over F q ,thenL 1 (T )=qT 2 − tT +1, with t = α 1 + α 2the trace of the q-th power Frobenius. Let t k = α k 1 + αk 2 be the trace of the qk -th power Frobenius,then the t k are given by the recursion t 1 = t, t 2 = t 2 − 2q andt k = tt k−1 − qt k−2 .The number of points on C(F q k) then follows easily from |C(F q k)| = q k +1− t k .17.1.3 Square root algorithmsLet C be a projective nonsingular curve over F q of genus g and let J C denote its Jacobian variety.This section shows how the structure of the abelian group J C (F q ) helps to compute its order.Recall that for an arbitrary abelian group G the exponent e is defined as the smallest nonzerointeger such that [e]α =0for all α ∈ G. Denote with ord(α) the order of α. The square rootalgorithms described in Chapter 19 compute ord(α) as the discrete logarithm of 0 to the base α intime O ( ord(α) 1/2) . ( )Since clearly e =lcm α∈G ord(α) , in many cases e can be computed very efficiently by pickinga few random α i ∈ G for i =1,...,nand computing e n =lcm ( ord(α 1 ),...,ord(α n ) ) . Note thate i should be used to speed up the computation of the order of α i+1 . If the group order is boundedfrom above by C and if e n >C/2,thene n is the group order of G. Furthermore, if the group orderis also bounded from below by C/2 C− B, then the unique multipleof e n in the interval [B,C] is the group order of G. In the unlikely event that the above casesdo not apply, one can always resort to a probabilistic algorithm that computes the group order ofany abelian group [COH 2000, Algorithm 5.4.1] with expected running time of O( √ C − B) groupoperations. Recall from Proposition 5.78 that J C (F q ) is the direct sum of at most 2g cyclic groupsJ C (F q ) ≃⊕Z/d i Z,1i2gwith d i | d i+1 for 1 i

§ 17.1 Elementary methods 411exponent e = d 2g satisfies e ( √ q − 1). However, in most cases e>wso there is only onemultiple of e in the Hasse–Weil interval.The above approach is especially useful in combination with other algorithms that provide partialinformation, i.e., J C (F q )(modN) for some modulus N ∈ N. Clearly, if N>wthen there is onlyone candidate for |J C (F q )| in the Hasse–Weil interval. When N2 and let C be a projective nonsingular curve over F q ,with function field K = F q (C). LetK p denote the subfield of p-th powers and choose a separablegenerating transcendental element x ∈ K K p .Denote with Ω(K) the K-vector space of differentials as introduced in Section 4.4.2.c, then everydifferential ω ∈ Ω(K) can be written uniquely asω = dλ + α p x p−1 dx with λ, α ∈ K.Definition 17.5 The Cartier operator C :Ω(K) → Ω(K) is defined asC(ω) =αdx.Recall that the set of holomorphic differentials Ω 0 (K) (see Section 4.4.2.c) forms an F q -vectorspace of dimension g.Proposition 17.6 The F q -vector space Ω 0 (K) is closed under the Cartier operator. Let (ω 1 ,...,ω g )be a basis of Ω 0 (K), then there exists a g × g matrix A =(a i,j ) with coefficients in F q such that⎡ ⎤ ⎡ ⎤ω 1ω 1C ⎢⎥⎣ . ⎦ = A(1/p) ⎢⎥⎣ . ⎦ ,ω g ω gwhere A (1/p) denotes the matrix ( a 1/p )i,j .The matrix A in the above proposition is called the Cartier–Manin matrix of C and is determined upto a transformation of the form S −1 AS (p) , with S a nonsingular g × g matrix and S (p) is obtainedfrom S by raising each of its elements to the p-th power. Manin [MAN 1961] proved that the matrixA can be linked to the characteristic polynomial of Frobenius χ(φ q ) C .Theorem 17.7 Let C be a projective nonsingular curve of genus g over a finite field F q with q = p d .Since the Cartier–Manin matrix A is determined up to a transformation of the form S −1 AS (p) ,thematrix M = AA (p) ···A (pd−1) is an invariant of the curve. Let κ(T )=det(TI g − M) be thecharacteristic polynomial of M and χ(φ q ) C the characteristic polynomial of Frobenius, thenχ(φ q ) C (T ) ≡ T g κ(T )(mod p).

412 Ch. 17 Point Counting on Elliptic and Hyperelliptic CurvesTo apply the above theorem, we need to compute the Cartier–Manin matrix A. For a hyperellipticcurve of genus g given by an equation y 2 = f(x) with f ∈ F q [x] a monic squarefree polynomial ofdegree 2g +1,Manin[MAN 1962] proved the following proposition.Proposition 17.8 Let c i denote the coefficient of x i in the polynomial f(x) (p−1)/2 , then the Cartier–Manin matrix with respect to the basis ω i = x i−1 dx/y for i =1,...,gis given by⎡⎤c p−1 c p−2 ··· c p−gc 2p−1 c 2p−2 ··· c 2p−gA =⎢.⎣ . . .. ⎥ . ⎦ . (17.6)c gp−1 c gp−2 ··· c gp−gThe trivial method to apply the above proposition is to expand h = f(x) (p−1)/2 and to select thedesired coefficients. As noted by Flajolet and Salvy [FLSA 1997], the coefficients of h satisfy alinear recurrence based on the identity:f(x)h ′ (x) − p − 12 f ′ (x)h(x) =0.Let f(x) = ∑ n∈Z f nx n and h(x) = ∑ n∈Z h nx n , then from the above equation we deduce that:((n +1)f 0 h n+1 + n − p − 1 )(f 1 h n + ···+ n − 2g −2)(2g +1)(p − 1)f 2g+1 h n−2g =0.2Bostan, Gaudry, and Schost [BOGA + 2004] describe an optimized algorithm to compute terms inlinear recurrences and prove that the Cartier–Manin matrix can be computed in timeO (( R M (g)g √ p + g 3 R P ( √ p) ) (d lg p) µ) ,with R M (s) the number of ring operations to multiply two s × s matrices over a ring, R P (s) thenumber of ring operations to multiply two degree s polynomials over a ring, and µ a constant suchthat two B-bit integers can be multiplied in time B µ .Example 17.9 Let p = 101 and consider the genus 3 hyperelliptic curve C defined byy 2 = x 7 +93x 6 +64x 5 +2x 4 +65x 3 +90x 2 +18x +10.The Cartier–Manin matrix A of C can be easily computed and is given by⎡ ⎤4 54 49⎢ ⎥A = ⎣13 67 10⎦ .78 40 44Computing the characteristic polynomial of A then shows thatχ(φ q ) C (T ) ≡ T 6 +87T 5 +84T 4 + 100T 3(mod p).which is indeed the reduction of the characteristic polynomial of Frobeniusχ(φ q ) C (T )=T 6 − 14T 5 − 17T 4 + 1716T 3 − 1717T 2 − 142814T + 1030301.

§ 17.2 Overview of l-adic methods 41317.2 Overview of l-adic methodsThis section gives an overview of the l-adic methods to compute the number of points on an ellipticcurve over a finite field. Although the l-adic approach can be made to work in all characteristics,we will mainly focus on elliptic curves over large prime fields F p . For curves over finite fields ofsmall characteristic, the p-adic algorithms described in Section 17.3 are much faster and easier toimplement.17.2.1 Schoof’s algorithmIn 1985 Schoof [SCH 1985] was the first to describe a polynomial time algorithm to count thenumber of points on an elliptic curve E over a large prime field F p . In the remainder of this section,we will assume that p>3. As shown in Corollary 4.118, this means that E can be given by anequation of the formE : y 2 = x 3 + a 4 x + a 6 , with a 4 ,a 6 ∈ F p . (17.7)Recall that |E(F p )| = p +1− t with t the trace of the Frobenius endomorphism φ p andbyHasse’sTheorem 5.83, we have |t| 2 √ p. The main idea of Schoof’s algorithm is to compute t modulovarious small primes l 1 ,...,l r such that ∏ ri=1 l i > 4 √ p. The trace t can then be determined usingthe Chinese remainder theorem and the group order follows. From the prime number theorem, itfollows that r is O(lg p/ lg lg p) and that the largest prime l r is of order O(lg p).To illustrate the idea, we show how to compute t (mod 2). Since p is an odd prime, we have|E(F p )|≡t (mod 2), sot ≡ 0(mod2)if and only if E(F p ) has a nontrivial F p -rational point oforder two. The nontrivial points of order two are given by (ξ i , 0) with ξ i a root of X 3 + a 4 X + a 6 .Therefore, if X 3 + a 4 X + a 6 is irreducible over F p we have t ≡ 1(mod2);otherwise,t ≡ 0(mod 2). Note that the polynomial X 3 + a 4 X + a 6 is irreducible over F p if and only if gcd(X 3 +a 4 X + a 6 ,X p − X) =1. The computation of t (mod 2) thus boils down to polynomial arithmeticmodulo X 3 + a 4 X + a 6 .More generally, we obtain the trace t modulo a prime l by computing with the l-torsion points.Recall that the Frobenius endomorphism φ p is defined by φ p : E(F p ) → E(F p ):(x, y) ↦→ (x p ,y p )and that it satisfies the equation χ(φ q ) E (T )=T 2 − tT + p, i.e., for all points P ∈ E(F p ) we haveφ 2 p (P ) − [t]φ p(P )+[p](P )=P ∞ .By restricting to nontrivial l-torsion points P ∈ E[l] {P ∞ }, we obtain the reduced equationφ 2 p(P ) − [t l ]φ p (P )+[p l ]P = P ∞with t l ≡ t (mod l) and p l ≡ p (mod l) and 0 t l ,p l

414 Ch. 17 Point Counting on Elliptic and Hyperelliptic Curvescomputed using the division polynomials (see Section 4.4.5.a). To compute t l ,wesimplytryallτ ∈{0,...,l− 1} until we find the unique value τ for which ( X p2 ,Y p2 )⊕ [pl ](X, Y )=[τ](X p ,Y p )holds modulo f l (X) and E(X, Y ).Example 17.10 Let p = 1009 and consider the elliptic curve E/F p defined by the equationE : y 2 = x 3 + 184x + 896.For l =3,thel-th division polynomial is given by f l (X) =3X 4 +95X 2 + 338X + 450. An easycalculation shows that q l ≡ 1(modl) andX p ≡ 278X 3 + 467X 2 + 479X + 447(mod f l (X))Y p ≡ (357X 3 + 734X 2 + 822X + 967)Y (mod (f l (X),E(X, Y )))and X p2 ≡ X (mod f l (X)) and Y p2 ≡−Y (mod (f l (X),E(X, Y )). This clearly shows thatφ 2 p(X, Y ) ⊕ (X, Y )=P ∞ and thus t ≡ 0(mod3). Computing t modulo 2, 3, 5,and7 shows thatχ(φ q ) E (T )=T 2 +12T + p.Recall that for l ≠ 2 and gcd(l, p) = 1,wehaveE[l] ≃ Z/lZ × Z/lZ and thus deg f l =(l 2 − 1)/2. The computation of (X p2 ,Y p2 ) and (X p ,Y p ) modulo f l and E(X, Y ) clearly takesO(lg p) multiplications in the ring F p [X, Y ]/ ( E(X, Y ),f l (X) ) .Sincedeg f l is of the order O(l 2 ),each of these multiplications takes O(l 2µ lg µ p) bit-operations, so computing t (mod l) requiresO(l 2µ lg 1+µ p) bit-operations. Summing over all primes l 1 ,...,l r and using the prime numbertheorem gives an overall complexity of O(lg 2+3µ p) bit-operations.Note that if we could replace the division polynomials f l by alternative polynomials of lowerdegree, the complexity of the algorithm would drop considerably. In the next section, we show thatfor ordinary elliptic curves it is possible to use alternative polynomials for about half the primes land show how to deal with the other primes.17.2.2 Schoof–Elkies–Atkin’s algorithmThe improvements of Atkin and Elkies rely on a detailed analysis of the action of the Frobeniusendomorphism φ p on the group of l-torsion points E[l] with l ≠ p. Since E[l] ≃ F l × F l ,the Frobenius endomorphism can be represented by an element of PGL 2 (F l ). Atkin [ATK 1988,ATK 1991] devised an algorithm to compute the order of φ p in PGL 2 (F l ) and showed how this canbe used to count the number of points on E(F p ). Elkies [ELK 1991] on the other hand devised amethod to replace the division polynomials of degree (l 2 − 1)/2 by a factor of degree (l − 1)/2 forabout half the primes l.Recall that the restriction of φ q to E[l] satisfies the equationT 2 − t l T + q l =0.Depending on whether the discriminant ∆=t 2 − 4q is a square or a nonsquare in F l , the roots ofthis polynomial are defined over F l or F l 2. In the former case, the prime l is called an Elkies primeand in the latter case, l is called an Atkin prime. Of course, since we do not know t, we cannot usethe above definition to decide if l is an Elkies or Atkin prime. Atkin proved that the l-th modularpolynomial Φ l (X, Y ) ∈ Z[X, Y ] can be used to distinguish both cases.The l-th modular polynomial Φ l (X, Y ) ∈ Z[X, Y ] (see Section 17.2.3) is a symmetric polynomialof degree l +1and has the following crucial property: let F p be a finite field with p ≠ l andE an elliptic curve over F p , then the l +1zeroes ˜j ∈ F p of the polynomial Φ l(X, j(E))=0

§ 17.2 Overview of l-adic methods 415are precisely the j-invariants of the isogenous curves Ẽ = E/C with C one of the l +1cyclicsubgroups of E[l]. Vélu’s formulas [VÉL 1971] can be used to write down a Weierstraß equationfor Ẽ and the isogeny E → Ẽ. The following proposition shows that C can be defined over F p [˜j]with ˜j ∈ F p a zero of Φ l(X, j(E))=0.Proposition 17.11 Let E be an ordinary elliptic curve over F p with j-invariant j ≠0or 1728.Then• the polynomial Φ l (X, j) has a zero ˜j ∈ F p r if and only if the kernel C of the correspondingisogeny E → E/C is a one-dimensional eigenspace of φ r p in E[l], with φ p theFrobenius endomorphism of E• the polynomial Φ l (X, j) splits completely in F p r[T ] if and only if φ r p acts as a scalarmatrix on E[l].The above proposition already shows that φ p has a one-dimensional eigenspace defined over F pprecisely when Φ l (X, j) has a root in F p . However, Atkin [ATK 1991] proved that only certainfactorizations can occur.Theorem 17.12 (Atkin) Let E be an ordinary elliptic curve defined over F p with j-invariant j ≠0or 1728. Let Φ l (X, j) =f 1 f 2 ···f s be the factorization of Φ l (X, j) ∈ F p [X] as a product ofirreducible polynomials. Then there are the following possibilities for the degrees of f 1 ,...,f s :1. (1,l) or (1, 1,...,1). In either case we have t 2 − 4p ≡ 0(modl). In the former casewe set r = l and in the latter case r =1.2. (1, 1,r,r,...,r). In this case t 2 − 4p is a square modulo l, r divides l − 1 and φ p actson E[l] as a diagonal matrix [ ]λ 00 µ with λ, µ ∈ F∗l .3. (r,r,...,r) for some r>1. In this case t 2 − 4p is a nonsquare modulo l, r dividesl +1and the restriction of φ p to E[l] has an irreducible characteristic polynomial overF l .In all cases, r is the order of φ p in the projective general linear group PGL 2 (F l ) and the trace t ofthe Frobenius satisfiest 2 ≡ p(ξ + ξ −1 ) 2 (mod l), (17.9)for some primitive r-th root of unity ξ ∈ F l . Furthermore, the number of irreducible factors ssatisfies( p)(−1) s = ·lTo decide if a prime l is an Atkin or Elkies prime, the above theorem shows that it suffices tocompute g(X) =gcd ( Φ l (X, j),X p − X ) . Indeed, for g(X) =1, l is an Atkin prime, else l isan Elkies prime. Since Φ l (X, j) has degree l +1, computing g(X) only requires O(l µ lg p 1+µ )bit-operations.Atkin primesTo limit the number of possibilities for t (mod l) in case of an Atkin prime l, we need to computethe exact order r of the Frobenius endomorphism in PGL 2 (F l ) by computingg i (X) =gcd ( Φ l (X, j),X pi − X ) ,for i =2, 3,... until g i (X) =Φ l (X, j). To speed up this computation, i should be limited to thedivisors of l +1that furthermore satisfy (−1) (l+1)/i = ( pl)· Once r is determined, there are onlyϕ(r) (l +1)/2 choices for the r-th root of unity ξ, whereϕ denotes Euler’s totient function. Bysymmetry there are ϕ(r)/2 possible values for t 2 l and accordingly ϕ(r) values for t l.

416 Ch. 17 Point Counting on Elliptic and Hyperelliptic CurvesAtkin repeats this computation for various small primes l and then uses a baby-step/giant-step-likealgorithm to determine the correct value of the trace of Frobenius. Note that only the computationswith the modular polynomials are polynomial time; the baby-step giant-step algorithm on the otherhand is an exponential time algorithm.Elkies primesIf l is an Elkies prime, then Theorem 17.12 implies that there exists a subgroup C l of order lthat is stable under φ p ,i.e.,φ p (P ) ∈ C l for P ∈ C l . This subgroup C l is an eigenspace of φ pcorresponding to one of the eigenvalues λ or µ respectively, i.e., φ p acts as multiplication by λ or µon C l .Let∏ ( )g l (X) =X − x(P ) ,+− P ∈C l {P∞}where x(P ) denotes the x-coordinate of P ,thendeg g l = (l − 1)/2 and g l could replace thedivision polynomial in the above explanation if we knew how to compute it (see Section 17.2.4).Furthermore as we can obtain t l as t l = λ + p l /λ ∈ F l it suffices to find 0 λ < l withφ(P )=[λ]P ,forallP ∈ C l . The complexity of this calculation is determined by the computationof X p and Y p modulo g l (X); sinceg l has degree O(l) instead of O(l 2 ), this computation onlytakes O(l µ lg p 1+µ ) bit-operations.The main idea to obtain g l is to use an isogeny whose kernel is precisely C l . This is possible asfor every finite subgroup C l of E(F p ) which is stable under the Frobenius endomorphism φ p ,thereexists an isogenous curve E (l) defined over F p and a separable isogeny ψ l : E → E (l) with kernelequal to C l . A detailed description of how to compute g l is given in Section 17.2.4.17.2.3 Modular polynomialsIn this section, we define the l-th modular polynomials Φ l (X, Y ) over C as minimum polynomialsfor j-invariants of curves isogenous to E considered as modular functions for certain subgroupsΓ 0 (l) of SL 2 (Z). However, the classical modular polynomials Φ l (X, Y ) have two main drawbacks:the size of their coefficients increases badly as l increases and their degree in Y is too high. Polynomialswith fewer and smaller coefficients can be obtained as minimum polynomials of differentmodular functions. In this section we only review one such alternative, called the canonical modularpolynomials, and refer the interested reader to [MOR 1995, MÜL 1995] for more complete details.The mathematical background can be found in [SER 1970, SCH 1974, SIL 1994].17.2.3.aModular functionsAs shown in Corollary 5.18, an elliptic curve E defined over C is analytically isomorphic to thequotient of C by a lattice Λ τ = Z + τZ where τ belongs to the Poincaré upper half plane H ={z ∈ C |Imz > 0}. Thej-invariant of the elliptic curve defined by Λ τ can be computed by theseries∀τ ∈H,j(τ) = 1 q + 744 + ∑ c n q nn1where the coefficients c n are integers and q = e 2iπτ .ForamatrixM = [ abcd]∈ SL2 (Z), the lattice(aτ + b)Z +(cτ + d)Z is isomorphic to Λ τ .Thefundamental domain F of a subgroup Γ of SL 2 (Z)is defined as the connected open subset of H such that τ and M(τ) =(aτ + b)/(cτ + d) for M ∈ Γdo not simultaneously belong to this subset. The fundamental domain F for SL 2 (Z) is shown inFigure 17.1

§ 17.2 Overview of l-adic methods 417Figure 17.1 Fundamental domain for SL 2 (Z).Fi;1 ; 1 12 0 2 1Since E τ and E M(τ ) are isomorphic, we have ∀τ ∈H, ∀M ∈ SL 2 (Z),j ( M(τ) ) = j(τ), whichshows that j(τ) is a modular function. More precisely, denote withH ∗ = {z ∈ C |Imz >0}∪Q ∪{∞}the compactification of H, then a modular function for a discrete subgroup Γ of SL 2 (Z) is a meromorphicfunction on the compact Riemann surface Γ H ∗ .Definition 17.13 Let Γ be a subgroup of finite index in SL 2 (Z); a modular function for Γ is acomplex function f of H ∗ such that1. f is invariant under Γ, i.e., ∀M ∈ Γ, f ( M(τ) ) = f(τ),2. f is meromorphic in H ∗ (see [SCH 1974] for a precise definition of this condition).It is not difficult to see that modular functions for a subgroup Γ form a field, denoted K Γ . Theysatisfy the following two additional properties.Proposition 17.14 If f is a modular function for Γ and if Γ ′ is a subgroup of finite index of Γ,thenf is a modular function for Γ ′ .Proposition 17.15 If f is a modular function for Γ and M ∈ SL 2 (Z), thenf |M : H ∗ → C,τ ↦→ f ( M(τ) ) , is a modular function for M −1 ΓM.Modular functions are worth studying in our context mainly because a modular function for adiscrete subgroup Γ of SL 2 (Z) is a root of an algebraic equation of degree d = [SL 2 (Z) : Γ]whose coefficients are rational functions of j. In other words, K Γ is an algebraic extension ofK SL2(Z) = C(j) of degree d.Theorem 17.16 Any modular function f for a subgroup Γ of SL 2 (Z) with finite index d is the rootof an equation of degree d,d∑G(f,j) = R i (j)f i =0i=0

418 Ch. 17 Point Counting on Elliptic and Hyperelliptic Curveswhere R i (j) are rational functions in j(τ) over C. This equation is G(X, j) =S i are representatives of SL 2 (Z)/Γ.d∏(X − f |Si ) whereThe modular equations used in the SEA algorithm are built using the above theorem and depend onthe specific discrete subgroups of SL 2 (Z) and functions f(τ) chosen.17.2.3.bClassical modular polynomialsFor a prime l, the modular polynomial Φ l (X, Y ) is the minimum polynomial of the modular functionj l : τ ↦→ j(lτ) for the subgroup Γ 0 (l) of SL 2 (Z) defined by{[ ]}a bΓ 0 (l) =with ad − bc =1 and c ≡ 0 (mod l) .c dIn order to apply Theorem 17.16 to j l , we need to know the structure of SL 2 (Z)/Γ 0 (l).Proposition 17.17 Γ 0 (l) is a subgroup of SL 2 (Z) of finite index l +1. A set of representatives forthe cosets of SL 2 (Z)/Γ 0 (l) is given by[ ] [ ]1 0 0 −1andfor 0 v

§ 17.2 Overview of l-adic methods 419with v = s(l − 1)/12 and that f l is a modular function for Γ 0 (l).By definition, the canonical modular polynomial is the minimum polynomial of f l given byΦ c l( ) (X, j(τ) = X − fl (τ) ) l−1 ∏( ( )) −1X − f l .τ + iOne can prove that the splitting behavior of Φ c l (X, j) is the same as the splitting behavior ofΦ l (X, j). However, to determine the j-invariant of the isogenous curve, we cannot simply computea zero of Φ c l (X, j), but have to work in two stages. First, compute a zero f of Φc l (X, j) and thencompute a zero of Φ c l (ls /f, Y ) which, gives the j-invariant of the isogenous curve. This followsimmediately from the definition of Φ c l (X, Y ), sinceΦc l (f l,j)=0implies Φ c l (ls /f l ,j l )=0.Example 17.19 To illustrate the fact that the canonical modular polynomials have smaller coefficientsand lower degree in Y compared to the classical ones, we give Φ c 5(X, Y ):Φ c 5 (X, Y )=X6 +30X 5 + 315X 4 + 1300X 3 + 1575X 2 +(−Y + 750)X + 125.i=017.2.4 Computing separable isogenies in finite fields of large characteristicAssuming l is an Elkies prime, Theorem 17.12 implies that there exists a subgroup C l ⊂ E[l] oforder l which is an eigenspace of the Frobenius endomorphism φ p . Furthermore, there exists anisogenous elliptic curve Ẽ = E/C l and a separable isogeny of degree l between E and Ẽ. Thissection not only shows how to compute a Weierstraß equation for the elliptic curve Ẽ, butalsothepolynomial∏ ( )g l (X) =X − x(P ) .Both algorithms are due to Elkies [ELK 1991].17.2.4.aIsogenous curve+− P ∈C l {P∞}Clearly, the j-invariant ˜j of Ẽ can simply be obtained as a root of the polynomial Φ l(X, j(E))=0.However, in finite fields of large characteristic, the equation of Ẽ can not be recovered directly from˜j, since a twisted curve has the same j-invariant.Elkies [ELK 1991] proved the following theorem, which provides a Weierstraß equation for Ẽ,given the Weiestraß equation for E and the j-invariant ˜j. A detailed proof of this theorem can befound in an article by Schoof [SCH 1995].Theorem 17.20 Let E be an ordinary elliptic curve over a large prime finite field F p with j-invariantj not 0 or 1728. Assume that E is given by the Weierstraß equation E : y 2 = x 3 + a 4 x + a 6 andthat Ẽ is l-isogenous over F p to E. Let˜j be the j-invariant of Ẽ then a Weierstraß equation for Ẽis given byẼ : y 2 = x 3 +ã 4 x +ã 6withwhere ˜j ′ ∈ F p is given by˜j ′2ã 4 = − 1 48 ˜j(˜j − 1728)˜j ′3and ã 6 = − 1864 ˜j 2 (˜j − 1728) ,˜j ′ = − 18 a 6 Φ l,X (j, ˜j)l a 4 Φ l,Y (j, ˜j) jand Φ l,X (resp. Φ l,Y ) denotes the partial derivative of Φ l (X, Y ) with respect to X (resp. Y ).

420 Ch. 17 Point Counting on Elliptic and Hyperelliptic CurvesRemark 17.21 A similar theorem can be obtained for the canonical modular polynomial Φ c l (X, Y );the explicit formulas in this case can be found in [MOR 1995, MÜL 1995].17.2.4.bKernel of a separable isogenyLet E be defined by the Weierstraß equation E : y 2 = x 3 + a 4 x + a 6 and the isogenous ellipticcurve Ẽ = E/C l by Ẽ : y 2 = x 3 +ã 4 x +ã 6 . To compute the polynomial∏ ( )g l (X) =X − x(P ) ,+− P ∈C l {P∞}Elkies first computes the sum p 1 of the x-coordinates of the nonzero points in E[l]. A proof of thefollowing theorem can again be found in [SCH 1995].Theorem 17.22 Let E 4 = −48a 4 and E 6 = 864a 6 and similarly, Ẽ 4 = −48ã 4 and Ẽ 6 = 864ã 6 ,then∑p 1 =x(P )is given bywhere J is defined asp 1 = l 2 J + l 4P ∈C l {P∞}( ) E24− l Ẽ2 4+ l ( )E6− l Ẽ6 ,E 6 Ẽ 6 3 E 4 Ẽ 4J = − j′2 Φ l,XX (j, ˜j)+2lj ′˜j ′ Φ l,XY (j, ˜j)+l 2˜j ′2 Φ l,Y Y (j, ˜j)j ′ Φ l,X (j, ˜j)and j ′ = −jE 6 /E 4 and ˜j ′ = −˜jẼ 6 /Ẽ 4 . The notation for the partial derivatives is as above, forinstance Φ l,XX is shorthand for ∂ 2 Φ l /∂X 2 .Given the equation for E and Ẽ and the value of p 1 , there are various algorithms to compute thepolynomial g l (X). In this section we follow the description in [SCH 1995] and refer to [MOR 1995,MÜL 1995] for alternative algorithms.Instead of working with Ẽ, Schoof works with the isomorphic curve Ê : y2 = x 3 +â 4 x +â 6with â = l 4 ã 4 and â 6 = l 6 ã 6 .ToE we can associate the reduced Weierstraß ℘-function bywhere the coefficients are given by℘(z) = 1 ∞ z 2 + ∑c k z 2kk=1c 1 = − a 45 , c 2 = − a k−267 , 3 ∑c k =c j c k−1−j , for k 3.(k − 2)(2k +3)The function ˆ℘ for Ê is defined similarly using the coefficients â 4 and â 6 . The following theoremprovides an efficient method to compute g l (X) given E, Ẽ = E/C l and p 1 .Theorem 17.23 Let g l (X) be the polynomial that vanishes on the x-coordinates of the points inthe kernel of the isogeny ψ l : E → Ẽ,then)z l−1 ( )g l ℘(z) =exp(− 1 ∞∑2 p 1z 2 ĉ k − lc k−(2k + 1)(2k +2) z2k+2 ·k=1j=1

§ 17.2 Overview of l-adic methods 421Let g l (X) =X d + ∑ d−1k=0 g l,kX k , then by the above theorem, the first few coefficients of g l (X)areg l,d−1 = − p 12 ,g l,d−2 = p2 18 − ĉ1 − lc 1− l − 112 2 c 1,g l,d−3 = − p3 148 − ĉ2 − lc 2 ĉ 1 − lc 1+ p 1 − l − 130 24 2 c 2 + l − 34 c 1p 1 .Remark 17.24 The above algebraic relations are in fact reductions of relations over C; fortheserelations to hold over a finite field, the characteristic p must be large enough. In particular, thecoefficients c k and ĉ k need inversions of integers of the form (k − 2)(2k +3), which can be equal tozero when k (p − 3)/2. For finite fields of small characteristic, alternative algorithms to computeg l (X) have been developed; the most important references are [LER 1996, COU 1996].17.2.5 Complete SEA algorithmTo conclude we give an overview of the SEA algorithm in pseudo-code. The time complexity ofAlgorithm 17.25 amounts to O ( (lg p) 2µ+2) bit-operations and the space complexity is O ( (lg p) 2) .Algorithm 17.25 SEAINPUT: An ordinary elliptic curve E over F p,withj-invariant not 0 or 1728.OUTPUT: The number of points |E(F p)|.1. l ← 3,M A ← 1,A←{},M E ← 2 and E ←{(t 2, 2)} [t 2 like in the introduction]2. while M E × M A < 4 √ p do3. compute a modular equation Φ l (X, Y ) (mod p)4. find the splitting of Φ l (X, j) (mod p)5. if l is an Elkies prime then6. compute j (l) from Φ l (X, j) in F p7. determine an isogeny ψ l : E → E (l) and g l8. find an eigenvalue λ of φ in F l9. t l ← λ + p/λ mod l10. E ← E ∪{(t l ,l)} and M E ← M E × l11. else [l is an Atkin prime]12. determine the set T l of possible values for t (mod l)13. A ← A ∪{(T l ,l)} and M A ← M A × l14. l ← nextprime(l)15. determine t from E ∪ A using match and sort algorithm [ATK 1988, LER 1997]16. return p +1− tExample 17.26 Let E be the curve defined over F 257 by y 2 = x 3 + x +2. Assume we want tocompute the trace t 5 of the Frobenius endomorphism modulo 5. Evaluating Φ c 5 (X, j) (modp) with

422 Ch. 17 Point Counting on Elliptic and Hyperelliptic Curvesj =25shows that 5 is an Elkies prime for E sinceΦ c 5(X, 25) ≡ (X + 74)(X + 137)(X 4 +76X 3 +98X 2 + 152 X + 124)(mod p).This polynomial has two roots, f 1 = 120 and f 2 = 183. Assume we choose the root f 2 =183, then the j-invariant of the isogenous curve can be determined as the root of Φ c 5 (ls /f 2 ,Y) ≡Φ c 5(231,Y) ≡ 0(modp). The root of this polynomial is j (5) = 166. Using Elkies’ formulas, weknow that the curve E is therefore isogenous toE (5) : y 2 = x 3 +86x + 204,and that the sum of the x-coordinates of the nonzero points in the kernel of the isogeny is equal top 1 = 225. Finally, we recoverg 5 (X) =X 2 +16X +21.An easy calculation then shows thatX 257 ≡ 256X + 241(mod g l (X))Y 257 ≡ (144X + 61)Y (mod g l (X),Y 2 − X 3 − X − 2).Determining the eigenvalue gives λ =3and finally we conclude that t 5 = λ+257/λ ≡ 2(mod5).Remarks 17.27(i) In 1990, Pila [PIL 1990] described a generalization of Schoof’s algorithm that computesthe characteristic polynomial of Frobenius on an arbitrary abelian variety over a finitefield. Although the algorithm has a polynomial time complexity in the size of the finitefield, it is rather impractical since it requires as input a system of polynomial equationsdescribing the abelian variety and a set of rational functions that express the group law.Even for the Jacobian of a genus 2 curve, this requires 72 quadratic equations in 15variables.(ii) Kampkötter [KAM 1991] developed an algorithm specifically for hyperelliptic curvesincluding recurrence formulas describing the l-torsion. Although the algorithm is muchfaster than Pila’s, it is still too slow to be of cryptographic interest.(iii) Adleman and Huang [ADHU 1996, ADHU 2001] and Huang and Ierardi [HUIE 1998]improved Pila’s work by restricting to curves, but again the algorithms are more oftheoretical interest and far too slow for cryptographic purposes.(iv) For curves over finite fields of large characteristic, only the genus 2 case is more orless practical thanks to the work of Gaudry and Harley [GAHA 2000] and the improvementsby Gaudry and Schost [GASC 2004a]. The current situation is best compared toSchoof’s algorithm for elliptic curves and as such, the algorithm is just fast enough toreach the cryptographic range. The corresponding improvements by Elkies and Atkinare still lacking for higher genus curves, although Gaudry and Schost [GASC 2005]haveintroduced modular polynomials using a purely algebraic construction based on ideas byCharlap, Coley and Robbins [CHCO + 1991].17.3 Overview of p-adic methodsThe history of p-adic algorithms to compute the zeta function of curves or even algebraic varieties,is a rather odd one. Indeed, in 1960 Dwork [DWO 1960] already illustrated the power of the p-adic

§ 17.3 Overview of p-adic methods 423approach in his proof of the rationality of the zeta function of an algebraic variety. Furthermore, atthe end of the 1970’s, Kato and Lubkin [KALU 1982] designed a p-adic algorithm to compute thenumber of points on an elliptic curve that runs in polynomial time for fixed p, but nobody actuallyimplemented their algorithm.Finally, at the end of 1999, Satoh [SAT 2000] realized that the p-adic approach is, at least forsmall p, much more powerful than the existing l-adic methods. Not only did Satoh describe a p-adic algorithm to compute the number of points on an ordinary elliptic curve over a finite field, butalso illustrated its efficiency with an implementation.Since then, many p-adic algorithms have been designed and in this section we give an overviewof the three most practical ones: Satoh’s algorithm, the Arithmetic-Geometric-Mean algorithm andfinally, an algorithm based on Monsky–Washnitzer cohomology.17.3.1 Satoh’s algorithmIn [SAT 2000], Satoh shows how to efficiently compute a p-adic approximation of the canonical liftof an ordinary elliptic curve E over a finite field and how this can be used to count the number ofpoints on E.17.3.1.aThe canonical lift of an ordinary elliptic curveIn this section, we specialize the theory of the canonical lift of ordinary abelian varieties to ordinaryelliptic curves over a finite field F q , with q = p d and p prime.Definition 17.28 The canonical lift E of an ordinary elliptic curve E over F q is an elliptic curveover Q q which satisfies:• the reduction of E modulo p equals E,• the ring homomorphism End(E) → End(E) induced by reduction modulo p is an isomorphism.Deuring [DEU 1941] showed that the canonical lift E always exists and is unique up to isomorphism.The above definition is actually one of many ways in which the canonical lift can be characterized.Theorem 17.29 Let E/F q denote an ordinary elliptic curve and let E/Q q be a lift of E, then thefollowing statements are equivalent:• E is the canonical lift of E.• Reduction modulo p induces an isomorphism End(E) ≃ End(E).• The q-th power Frobenius φ q ∈ End(E) lifts to an endomorphism F q ∈ End(E).• The p-th power Frobenius isogeny φ p : E → E σ lifts to an isogeny F p : E→E Σ , withΣ the Frobenius substitution on Q q .The last property implies that there exists an isogeny of degree p between the canonical lift E and itsconjugate E Σ . By the properties of the p-th modular polynomial Φ p (X, Y ) ∈ Z[X, Y ], this impliesthat Φ p(j(E), Σ(j(E)))=0. The next theorem by Lubin, Serre and Tate [LUSE + 1964] showsthat this is in fact a sufficient condition.Theorem 17.30 (Lubin–Serre–Tate) Let E be an ordinary elliptic curve over F q with j-invariantj(E) ∈ F q F p 2. Denote with Σ the Frobenius substitution on Q q and with Φ p (X, Y ) the p-thmodular polynomial. Then the system of equationsΦ p(X, Σ(X))=0 and X ≡ j(E) (mod p), (17.10)

424 Ch. 17 Point Counting on Elliptic and Hyperelliptic Curveshas a unique solution J ∈ Z q , which is the j-invariant of the canonical lift E of E (defined up toisomorphism).The hypothesis j(E) ∉ F p 2 in Theorem 17.30 is necessary to ensure that a certain partial derivativeof Φ p does not vanish modulo p and guarantees the uniqueness of the solution of (17.10). Thecase j(E) ∈ F p 2 can be handled very easily as shown in Section 17.1.2, since the curve is thenisomorphic to a curve defined over F p or F p 2. In the remainder of this section we will thereforeassume that j(E) ∉ F p 2 and in particular that E is ordinary [SIL 1986, Theorem V.3.1].17.3.1.bIsogeny cyclesTo compute j(E) modp N , Satoh considered E together with all its conjugates E i = E σi with0 i

§ 17.3 Overview of p-adic methods 425with (DΘ)(x 0 ,...,x d−1 ) the Jacobian matrix⎡Φ ′ p(x 0 ,x 1 ) Φ ′ ⎤p(x 1 ,x 0 ) 0 ··· 00 Φ ′ p (x 1,x 2 ) Φ ′ p (x 2,x 1 ) ··· 0... . .. . ,⎢⎣ 0 0 0 ··· Φ ′ p (x ⎥d−1,x d−2 ) ⎦Φ ′ p(x 0 ,x d−1 ) 0 0 ··· Φ ′ p(x d−1 ,x 0 )where Φ ′ p (X, Y ) denotes the partial derivative with respect to X. Note that Φ′ p (Y,X) is the partialderivative of Φ p (X, Y ) with respect to Y since Φ p (X, Y ) is symmetric.The p-th modular polynomial satisfies the Kronecker relationΦ p (X, Y ) ≡ (X p − Y )(X − Y p ) (mod p)and since j(E i ) ∉ F p 2 and j(E i+1 )=j(E i ) p ,wehave{Φ ′ p(j(Ei+1 ),j(E i ) ) ≡ j(E i ) p2 − j(E i ) ≢ 0 (mod p),Φ ′ p(j(Ei ),j(E i+1 ) ) ≡ j(E i ) p − j(E i ) p ≡ 0 (mod p).The above equations imply that (DΘ)(x 0 ,...,x d−1 )(modp) is a diagonal matrix with nonzerodiagonal ( elements. Therefore, the Jacobian matrix is invertible over Z q and we conclude that δ =(DΘ) −1 Θ ) (x 0 ,x 1 ,...,x d−1 ) ∈ Z d q . Note that we can simply apply Gaussian elimination to solve(DΘ)(x 0 ,...,x d−1 )δ =Θ(x 0 ,...,x d−1 )since the diagonal elements are all invertible. Using row operations we move the bottom left elementΦ ′ p(x 0 ,x d−1 ) towards the right. After k row operations this element becomesk−1∏(−1) k Φ ′ p(x 0 ,x d−1 )i=0Φ ′ p (x i+1,x i )Φ ′ p (x i,x i+1 )which clearly is divisible by p k since Φ ′ p(x i+1 ,x i ) ≡ 0(modp). This procedure is summarized inAlgorithm 17.31.Algorithm 17.31 Lift j-invariantsINPUT: A cycle j i ∈ F q F p 2 with Φ p(j i+1,j i) ≡ 0 (mod p) for 0 i

426 Ch. 17 Point Counting on Elliptic and Hyperelliptic Curves9. P i ← t`(Φ p(J i+1,J i)modp N )/p N′´ mod p M10. R ← Φ ′ p(J 0,J d−1 )modp M11. S ←“`(Φp(J 0,J d−1 )modp N )´/p N′” mod p M12. for i =0 to min{M, d − 2} do13. S ← (S − RP i)modp M14. R ← (−RD i)modp M15. R ← `R +Φ ′ p(J d−1 ,J 0)´ mod p M16. P d−1 ← (SR −1 )modp M17. for i = d − 2 down to 0 do P i ← (P i − D iP i+1) modp M18. for i =0 to d − 1 do J i ← (J i − p N′ P i)modp N19. return (J 0,...,J d−1 )Example 17.32 Let p =7, d =5and F p d ≃ F p (θ) with θ 5 + θ +4=0. Consider the j-invariantj 0 =3θ 4 +6θ 3 +2θ, then Algorithm 17.31 computes the j-invariant of the canonical lift to precisionN =10with Z q ≃ Z p [T ]/ ( G(T ) ) and G(T )=T 5 + T +4asJ 0 ≡ 249888299T 4 + 236778044T 3 + 9871351T 2 + 169542361T + 26531974 (mod p N ).As shown in Section 4.4.2.a, we can assume that either E or its quadratic twist is given by anequation of the formp =2 : y 2 + xy = x 3 + a 6 , j(E) =1/a 6 ,p =3 : y 2 = x 3 + x 2 + a 6 , j(E) =−1/a 6 ,p>5 : y 2 = x 3 +3ax +2a, j(E) = 1728a/(1 + a).Once the j-invariant j(E) of the canonical lift of E is computed, a Weierstraß model for E is givenbyp =2 : y 2 + xy = x 3 +36αx + α, α =1/ ( 1728 − j(E) ) ,p =3 : y 2 = x 3 + x 2 /4+36αx + α, α =1/ ( 1728 − j(E) ) ,p>5 : y 2 = x 3 +3αx +2α, α = j(E)/ ( 1728 − j(E) ) .Note that the above models have the correct j-invariant j(E) and reduce to E modulo p.17.3.1.dThe trace of FrobeniusBy analyzing the action of F q on a holomorphic differential on E (see Section 4.4.2.c), we can easilyrecover the trace Tr(φ q ) of the Frobenius endomorphism φ q .Proposition 17.33 (Satoh) Let E be an elliptic curve over Q q having good reduction modulo p andlet f ∈ End(E) of degree n. Letω be a holomorphic differential on E and let f ∗ (ω) =cω be theaction of f on ω,thenTr(f) =c + n c ·Note that if we apply the above proposition to the lifted Frobenius endomorphism F q ,wegetTr(F q )=b + q/b with F ∗ q (ω) =bω.SinceE is ordinary it follows that either b or q/b is a unit inZ q .However,φ q is inseparable and thus b ≡ 0(modp), which implies that b ≡ 0(modq), since

§ 17.3 Overview of p-adic methods 427q/b has to be a unit in Z q . So if we want to compute Tr(F q )modp N , we would need to determineb mod p d+N . Furthermore, it turns out to be quite difficult to compute b directly. As will becomeclear later, we would need to know ker(F p,i ), which is subgroup of E i [p] of order p. However, sinceker(φ p,i ) is trivial we cannot use a simple lift of ker(φ p,i ) to ker(F p,i ), but would need to factor thep-division polynomial of E i .To avoid these problems, Satoh works with the Verschiebung V q , i.e., the dual isogeny of φ q ,which is separable since E is ordinary and thus ker(V q ) can be easily lifted to ker(V q ), with V qthe image of V q under the ring isomorphism End(E) ≃ End(E). Furthermore, the trace of anendomorphism equals the trace of its dual, so we have Tr(F q )=Tr(V q )=c + q/c with V ∗ q (ω) =cω and c a unit in Z q . Diagram (17.11) shows that V q = ̂F p,0 ◦ ̂F p,1 ◦···◦ ̂F p,d−1 and thereforewe can compute c from the action of ̂F p,i on a holomorphic differential ω i of E i for i =0,...,d−1.More precisely, take ω i = ω Σi for 0 i

428 Ch. 17 Point Counting on Elliptic and Hyperelliptic CurvesLemma 17.34 (Satoh) Let p 3, thenker ̂Σ i = E i+1 [p] ∩E i+1 (Z urq ), with Z urq the valuation ringof the maximal unramified extension Q urq of Q q.The above lemma implies that H i (x) ∈ Z q [x] is the unique monic polynomial that divides Ψ p,i+1 (x)andsuchthatH i (x) is squarefree modulo p of degree (p − 1)/2. SinceE i is ordinary, ker(̂φ p,i )=E i+1 [p] and Ψ p,i+1 (x) (modp) has inseparable degree p. Therefore, δH i (x) p ≡ Ψ p,i+1 (x)(mod p), with δ the leading coefficient of Ψ p,i+1 . This implies that we cannot apply Hensel’slemma 3.17, since the polynomials H i (x) modp and Ψ p,i+1 (x)/H i (x) modp are not coprime. Tosolve this problem, Satoh devised a modified Hensel lifting [SAT 2000, Lemma 2.1], which also hasquadratic convergence.Lemma 17.35 (Satoh) Let p 3 beaprimeandΨ(x) ∈ Z q [x] satisfying Ψ ′ (x) ≡ 0(modp) andΨ ′ (x) ≢ 0(modp 2 ).Leth(x) ∈ Z q [x] be a monic polynomial such that1. h(x) modp is squarefree and coprime to (Ψ ′ (x)/p) modp,2. Ψ(x) ≡ f(x)h(x) (modp n+1 ),then the polynomial(( ) )Ψ(x)H(x) =h(x)+Ψ ′ (x) h′ (x) mod h(x)satisfies H(x) ≡ h(x) (modp n ) and Ψ(x) ≡ F (x)H(x) (modp 2n+1 ).The following algorithm computes∏ ( )H(x) =x − x(P )P ∈(ker Σ b i {P∞})/ − +mod p N−1 (17.13)Algorithm 17.36 Lift kernelINPUT: The p-division polynomial Ψ p(x) of an elliptic curve E over Z q/p N Z q and precision N.OUTPUT: The polynomial H(x) as in (17.13).1. if N =1 then2. H(x) ← h(x) such that Ψ p(x) ≡ δh(x) p (mod p) [h(x) monic]3. else4. N ′ ← ˚ N−125. H(x) ← Lift kernel(Ψ p(x),N ′ )6. H(x) ← H(x)+7. return H(x)ˇ“H′ (x)Ψp(x)Ψ ′ p (x)”mod H(x) mod p NExample 17.37 Let p =7, d =3, Z q ≃ Z p [T ]/ ( G(T ) ) with G(T )=T 3 +6T 2 +4and considerthe elliptic curve E : y 2 = x 3 + a 4 x + a 6 witha 4 ≡ 1409T 2 + 2308T + 2293 (mod p 4 ) and a 6 ≡ 139T 2 + 2339T + 2329 (mod p 4 ).

§ 17.3 Overview of p-adic methods 429The p-division polynomial Ψ p (x) of E is then equivalent to7x 24 + (1792T 2 + 168T + 350)x 22 + (788T 2 + 374T + 1751)x 21 + (364T 2 + 1330T + 2051)x 20+ (1974T 2 + 2226T + 1057)x 19 +(98T 2 + 1526T + 1995)x 18 + (1673T 2 + 546T + 70)x 17+(77T 2 + 910T + 378)x 16 + (1302T 2 + 2289T + 2058)x 15 + (631T 2 + 2008T + 1189)x 14+ (791T 2 + 504T + 2268)x 13 +(21T 2 + 2247T + 1953)x 12 + (1519T 2 + 1106T + 945)x 11+ (490T 2 + 525T + 1526)x 10 + (532T 2 + 1792T + 1575)x 9 + (434T 2 + 735T + 147)x 8+ (843T 2 + 879T + 925)x 7 + (1274T 2 + 2212T + 2009)x 6 + (1764T 2 + 903T + 882)x 5+ (2107T 2 + 1946T + 2324)x 4 + (784T 2 + 1197T + 1673)x 3 + (245T 2 + 560T + 2261)x 2+ (245T 2 + 679T + 1582)x + 1014T 2 + 282T + 1562modulo p 4 and Algorithm 17.36 computes the following factor of Ψ p :H(x) ≡ x 3 +(502T 2 +1965T +742)x 2 +(1553T 2 +2106T +474)x+2329T 2 +1521T +2058 (mod p 4 ).For p>3, E i+1 can be defined by the equation y 2 = x 3 + a i+1 x + b i+1 . Using Vélu’s formulas,Satoh [SAT 2000, Proposition 4.3] shows that E i+1 / ker( ̂F p,i ) is given by the equation y 2 = x 3 +α i+1 x + β i+1 withα i+1 =(6− 5p)a i+1 − 30(h 2 i,1 − 2h i,2 )β i+1 =(15− 14p)b i+1 − 70(−h 3 i,1 +3h i,1h i,2 − 3h i,3 )+42a i+1 h i,1where h i,k denotes the coefficient of x (p−1)/2−k in H i (x) and we define h i,k =0for (p−1)/2

430 Ch. 17 Point Counting on Elliptic and Hyperelliptic CurvesAlgorithm 17.38 Satoh’s point counting methodINPUT: The elliptic curve E : y 2 = x 3 + a 4x + a 6 over F p d, j(E) ∉ F p 2.OUTPUT: The number of points on E(F p d)1. N ← ˚log p 4+d/2ˇ2. S ← 1 and T ← 13. a 0 ← a 4, a d ← a 4, b 0 ← a 6, b d ← a 6, j 0 ← j(E) and j d ← j(E)4. for i =0 to d − 2 do5. j i+1 ← j p i6. (J d−1 ,...,J 0) ← Lift j-invariants`(j d−1 ,...,j 0),N´7. for i =0 to d − 1 do8. γ ← J i/(1728 − J i)modp N9. a ← 3γ mod p N and b ← 2γ mod p N10. Ψ p(x) ← p-division polynomial of y 2 = x 3 + ax + b11. H(x) ← Lift kernel (Ψ p(x),N +1)12. for j =1 to 3 do h j ← coefficient of H(x) of degree (p − 1)/2 − j13. α ← (6 − 5p)a − 30(h 2 1 − 2h 2)14. β ← (15 − 14p)b − 70(−h 3 1 +3h 1h 2 − 3h 3)+42ah 115. S ← βaS and T ← αbT16. t ← Sqrt(S/T, N)17. γ ← coefficient of (x 3 + a 4x + a 6) (p−1)/2 of degree p − 118. if t ≢ γγ σ ···γ σn−1 (mod p) then t ←−t (mod p N )19. if t 2 > 4p d then t ← t − p N20. return p d +1− tExample 17.39 Let p =5, d =7, F p d ≃ F p (θ) with θ 7 +3θ +3=0and consider the ellipticcurve defined by y 2 = x 3 + x + a 6 witha 6 =4θ 6 +3θ 5 +3θ 4 +3θ 3 +3θ 2 +3.Algorithm 17.38 then computes the following intermediate results: N =6, j 0 =4T 6 +T 5 +2T 4 +2T 2 andJ 0 ≡ 6949T 6 + 6806T 5 + 14297T 4 + 2260T 3 + 13542T 2 + 13130T + 15215 (mod p N ),with Z q ≃ Z p [T ]/ ( G(T ) ) and G(T )=T 7 +3T +3. This gives the following values for a, ba ≡ 6981T 6 + 8408T 5 + 1033T 4 + 8867T 3 + 15614T 2 + 3514T + 675 (mod p N )b ≡ 4654T 6 + 397T 5 + 5897T 4 + 703T 3 + 5201T 2 + 7551T + 450 (mod p N )and the polynomial H describing the kernel of F pH(x) ≡ x 2 + (1395T 6 + 7906T 5 + 3737T 4 + 9221T 3 + 9207T 2 + 5403T + 7401)x+ 6090T 6 + 206T 5 + 5259T 4 + 7576T 3 + 3863T 2 + 8903T + 7926 (mod p N ).

§ 17.3 Overview of p-adic methods 431Finally, we recover α and β asα ≡ 11086T 6 + 2618T 5 + 6983T 4 + 13192T 3 + 15324T 2 + 13544T + 10550 (mod p N )β ≡ 4940T 6 + 3060T 5 + 14966T 4 + 6589T 3 + 7934T 2 + 6060T + 12470 (mod p N ).By computing the norm of (αb)/(βa), taking the square root and determining the correct sign,Algorithm 17.38 computes Tr(φ q ) = 433 and |E(F p d)| = 77693.The case p =3is very similar to the case p 5. There are only two minor adaptations: firstly,note that ker(F p,i )={Q, −Q, P ∞ } with Q a 3-torsion point on E i+1 with integral coordinates,so Algorithm 17.36 reduces to a simple Newton iteration on the 3-division polynomial of E i+1 ;secondly, the Weierstraß equation for E i is different from the one for p 5, which slightly changesVélu’s formulas. Let x 2 denote the x-coordinate of Q ∈ ker( ̂F p,i ) and let E i+1 be defined byy 2 = x 3 + x 2 /4+a i+1 x + b i+1 ,thenE i+1 / ker( ̂F p,i ) is given by the equation y 2 = x 3 + x 2 /4+α i+1 x + β i+1 , withα i+1 = −30x 2 2 − 5x 2 − 9a i+1 ,β i+1 = −70x 3 2 − 20x2 2 − (42a i+1 +1)x 2 − 2a i+1 − 27b i+1 .To compute u 2 i and thus c2 i , we first translate the x-axis to get rid of the quadratic term and thenapply (17.14) which then givesTaking the square root ofc 2 i = (48a i − 1)(864β i+1 − 72α i+1 +1)(864b i − 72a i + 1)(48α i+1 − 1) ·c 2 =d−1∏determines the trace of Frobenius t up to sign. Furthermore, since the curve E is defined by anequation of the form y 2 = x 3 + x 2 + a 6 , the correct sign follows from t ≡ 1(mod3).i=0Example 17.40 Let d =7and F 3 d ≃ F 3 (θ) with θ 7 +2θ 2 +1=0and consider the elliptic curveE given byE : y 2 = x 3 + x 2 + θ 6 + θ 4 +2θ 3 +2θ 2 .The j-invariant of E is 2θ 6 + θ 4 + θ 2 and if Z q ≃ Z 3 [T ]/ ( G(T ) ) with G(T )=T 7 +2T 2 +1,thenj(E) ≡ 29T 6 + 378T 5 + 310T 4 + 528T 3 + 337T 2 + 621T + 474 (mod p 6 ).Computing a, b, α, β then givesa ≡ 387T 6 + 117T 4 + 315T 3 + 531T 2 +54T (mod p 6 )b ≡ 31T 6 +81T 5 + 145T 4 + 191T 3 + 521T 2 + 123T +81 (modp 6 )α ≡ 150T 6 + 204T 5 + 531T 4 + 218T 3 + 329T 2 + 178T +39 (modp 6 )β ≡ 488T 6 +53T 5 + 675T 4 + 151T 3 +97T 2 + 320T + 510 (mod p 6 ).Computing the norm of the formula for c 2 i and taking the square root finally leads to Tr(φ q)=73and thus |E(F 3 d)| = 2115.c 2 i

432 Ch. 17 Point Counting on Elliptic and Hyperelliptic CurvesFor p =2, Lemma 17.34 no longer holds. Indeed, the Newton polygon of the 2-division polynomialshows that there are two nontrivial points in E i+1 [p] ∩E i+1 (Z urq ), whereas ker( ̂F p,i ) hasonly one nontrivial point. The main problem in extending Satoh’s algorithm to characteristic 2therefore lies in choosing the correct 2-torsion point. There are two algorithms that are bothbased on diagram (17.12). Let ker( ̂F p,i ) = 〈Q〉, thensinceλ is an isomorphism we concludej(E i+1 /〈Q〉) =j(E i ).The first algorithm to compute Q =(x 2 ,y 2 ) is due to Skjernaa [SKJ 2003], who gives an explicitformula for x 2 as a function of j(E i ) and j(E i+1 ). Since Q is a 2-torsion point, it follows that2y 2 + x 2 =0. Substituting y 2 in the equation of the curve and using the equality j(E i+1 /〈Q〉) =j(E i ), Skjernaa deduces an explicit expression for x 2 . A proof of the following proposition can befound in [SKJ 2003, Lemma 4.1].Proposition 17.41 Let Q =(x 2 ,y 2 ) be the nontrivial point in ker( ̂F p,i+1 ) and let z 2 = x 2 /2,thenj(E i ) 2 + 195120j(E i ) + 4095j(E i+1 ) + 660960000z 2 = −8 ( j(E i ) 2 + j(E i ) ( 563760 − 512j(E i+1 ) ) + 372735j(E i+1 ) + 8981280000 )·Skjernaa shows that the 2-adic valuation of both the numerator and denominator is 12, so we haveto compute j(E i )(mod2 N+12 ) to recover z 2 (mod 2 N ).The second algorithm is due to Fouquet, Gaudry, and Harley [FOGA + 2000] and is based on thefact that ker( ̂F p,i )=〈Q〉 ⊂E i+1 [2]. LetE i+1 be given by the equation y 2 + xy = x 3 +36a i+1 x +a i+1 with a i+1 =1/(1728 − j ( E i+1 ) ) . Since Q is a 2-torsion point, we have 2y 2 + x 2 =0and x 2 is a zero of the 2-division polynomial 4x 3 + x 2 + 144a i+1 x +4a i+1 . Clearly we havex 2 ≡ 0(mod2), so Fouquet, Gaudry, and Harley compute z 2 = x 2 /2 as a zero of the modified2-division polynomial 8z 3 + z 2 +72a i+1 z + a i+1 . The main problem is choosing the correctstarting value when considering this equation modulo 8. Usingj(E i+1 /〈Q〉) =j(E i ) they provedthat z ≡ 1/j(E i )(mod8)is the correct starting value giving x 2 .Vélu’s formulas show that E i+1 / ker( ̂F p,i ) is given by the Weierstraß equation y 2 + xy = x 3 +α i+1 x + β i+1 withα i+1 =36−j(E i+1 ) − 1728 − 5γ i+1,β i+1 =1−j(E i+1 ) − 1728 − (1 + 7x 2)γ i+1 ,where γ i+1 =3x 2 2 − 36/(j(E i+1 ) − 1728) + x 2 /2. The isomorphism λ i now has the general form(x, y) −→ (u 2 i x + r i,u 3 i y + u2 i s ix + t i ), (u i ,r i ,s i ,t i ) ∈ Q ∗ q × Q3 q ,but an easy calculation shows that c 2 i = u−2 i . Solving the equations satisfied by (u i ,r i ,s i ,t i ) givenin [SIL 1986, Table 1.2] finally leads toc 2 i = − 864β i − 72α i +1· (17.15)48α i − 1The complexity of Algorithm 17.38 directly follows from Hasse’s theorem, i.e., |t| 2 √ q.Thereforeit suffices to lift all data with precision N ≃ d/2. Since elements of Z q /p N Z q are representedas polynomials of degree less than d with coefficients in Z/p N Z, every element takes O(dN) memoryfor fixed p. As shown in Section 12.2.1, multiplication and division in Z q /p N Z q takes O(d µ N µ )time.For each curve E i with 0 i

§ 17.3 Overview of p-adic methods 433In every iteration the precision of the computations almost doubles, so the complexity is determinedby the last iteration that takes O(d µ+1 N µ ) bit-operations. Computing one coefficient c 2 i requiresO(1) multiplications, so to compute all c i we also need O(d µ+1 N µ ) bit-operations.Theorem 17.42 (Satoh) There exists a deterministic algorithm to compute the number of points onan elliptic curve E over a finite field F q with q = p d and j(E) ∉ F p 2, which requires O(d 2µ+1 )bit-operations and O(d 3 ) space for fixed p.17.3.1.fOptimizations of Satoh’s algorithmSatoh’s algorithm basically consists of two steps: in the first step, a sufficiently precise approximationof the canonical lift of an ordinary elliptic curve is computed; in the second step, the traceof Frobenius is recovered as the norm of an element in Z q . As such, the optimizations of Satoh’salgorithm can be categorized accordingly. Since computing the norm of an element in Z q is notspecific to point counting algorithms, we simply refer the interested reader to Section 12.8.5.Recall that if E is an ordinary elliptic curve over F q with q = p d and p a prime, then by thetheorem of Lubin, Serre, and Tate (Theorem 17.30), the j-invariant of the canonical lift E satisfiesΦ p(j(E), Σ(j(E)))=0 and j(E) ≡ j(E)(mod p).The optimizations of the lifting step are essentially algorithms to compute the root of an equationof the form φ ( X, Σ(X) ) =0with φ(X, Y ) ∈ Z q [X, Y ], starting from an initial approximate rootx 0 ∈ Z q . The algorithm used by Satoh is a simple multivariate Newton iteration that lifts thewhole cycle of conjugates of x 0 simultaneously. Computing the solution to precision p N then takesO(d 1+µ N µ ) bit-operations and O(d 2 N) space, for fixed p and fixed degree of φ.Vercauteren [VEPR + 2001] devised a lifting algorithm that requires O(d µ N 1+µ ) bit-operations,but only O(dN) space. This algorithm is based on a repeated application of Proposition 17.51,since this allows us to avoid costly Frobenius substitutions. Further details can be found in thepaper [VEPR + 2001].Mestre [MES 2000b] devised an elliptic curve point counting algorithm in characteristic 2, basedon a 2-adic version of the Arithmetic-Geometric-Mean (AGM). The AGM algorithm has the sametime and space complexity as Vercauteren’s algorithm, but is far easier to implement and also runsfaster in practice. The main difference with the other optimizations is that the AGM cannot be usedto solve a general equation of the form φ ( X, Σ(X) ) ( )=0, although implicitly it computes a rootof Φ 2 X, Σ(X) =0with Φ2 (X, Y ) the 2-nd modular polynomial. A detailed description of theAGM algorithm and its generalization to hyperelliptic curves is given in Section 17.3.2.Satoh, Skjernaa, and Taguchi [SASK + 2003] proposed to use a Teichmüller modulus (see Section12.1) to represent Z q ,i.e.,ifF q is represented as F p [T ]/ ( f(T ) ) with f(T ) a monic irreduciblepolynomial of degree d,thenZ q is represented as Z p [T ]/ ( f(T ) ) with f(T ) the unique monic polynomialwith f(T ) | T q − T and f(T ) ≡ f(T )(modp). The advantage of this representation isthat it allows efficient Frobenius substitutions. Combining this with a Taylor expansion leads to analgorithm to compute the root of an equation of the form φ ( X, Σ(X) ) =0to precision p N in timeO ( d µ N µ+1/(µ+1)) and O(dN) space, for fixed p andfixeddegreeofφ. Furthermore, they alsoproposed a fast norm computation algorithm, which is described in detail in Section 12.8.5.Kim, Park, Cheon, Park, Kim, and Hahn [KIPA + 2002] showed that a Gaussian normal basiscan be lifted trivially to Z q and allows efficient computation of arbitrary iterates of the Frobeniussubstitution. Their point counting algorithm is a combination of the SST algorithm and a normcomputation algorithm due to Kedlaya [KED 2001], which can be found in Section 12.8.5.Gaudry [GAU 2002] used the AGM iteration to devise a modified modular polynomial in characteristic2 (see Section 17.3.2.b), which has lower degree than Φ 2 (X, Y ) and thus leads to a fasteralgorithm, but with the same time and space complexity as the SST algorithm.

434 Ch. 17 Point Counting on Elliptic and Hyperelliptic CurvesLercier and Lubicz [LELU 2003] devised an algorithm to solve Artin–Schreier equations over Z q(see Section 12.6) and used this to compute a root of an equation of the form φ ( X, Σ(X) ) =0toany precision p N . For finite fields with Gaussian normal basis, this algorithm runs in O(d µ N µ lg d)time and O(dN) space, for p fixed and fixed degree of φ. A detailed description of this algorithmcan be found in Section 12.7.Finally, Harley [HAR 2002b] presented three very efficient algorithms: an algorithm to computethe Teichmüller modulus (see Section 12.1), an algorithm to solve Artin–Schreier equationsmodulo p N in time O(d µ N µ lg N) (see Section 12.7) and a fast norm computation algorithm (seeSection 12.8.5). Combining these algorithms leads to an asymptotically optimal elliptic curve pointcounting algorithm that runs in time O(d 2µ lg d) and requires O(d 2 ) space, for p fixed.17.3.2 Arithmetic–Geometric–Mean algorithmClassically, the Arithmetic-Geometric-Mean (AGM) was introduced by Lagrange [LAG 1973] andGauß [GAU 1973] to compute elliptic integrals or equivalently the period matrix of an elliptic curveover C. Mestre [MES 2000b] showed how a 2-adic version of the AGM can be used to countthe number of points on an ordinary elliptic curve over a finite field of characteristic 2. Later,Mestre [MES 2002] reinterpreted this algorithm as a special case of Riemann’s duplication formulafor theta functions and generalized it to ordinary hyperelliptic curves. This section first reviews theAGM over C and then describes both approaches to the 2-adic AGM.17.3.2.aAGM in CDefinition 17.43 Let a 0 ,b 0 ∈ R with a 0 b 0 > 0, then the AGM iteration for k ∈ N is defined as(ak + b k(a k+1 ,b k+1 )= , √ )a k b k .2Since b k b k+1 a k+1 a k and 0 a k+1 − b k+1 (a k − b k )/2, we conclude that the limitsof a k and b k when k tends to infinity exist and are equal. This common value is called the AGM ofa 0 and b 0 and is denoted as AGM(a 0 ,b 0 ). An easy calculation shows thata kb k− 1 a 0 − b 02 k b k 12 k (a0b 0− 1so after a logarithmic number of steps we have a k /b k =1+ε k with ε k < 1. The Taylor seriesexpansion of 1/ √ 1+ε k shows that convergence is quadratic when ε k < 1:a k+1= a k + b kb k+1 2 √ = 2+ε ka k b k=(1+ ε k22 √ 1+ε k) ( ∑∞ ( −1/2n= 1+ ε2 k8 − ε3 k8 + O(ε4 k). (17.16)Remark 17.44 The coefficient of ε n kin the above Taylor expansion is easily seen to be( ) −1/2 1 − nn 1 − 2n·Since 1 − 2n is odd, the 2-adic valuation of the denominator of the above coefficient is at mostn + v 2 (n!) n + ⌊lg n⌋ (1 + ⌊lg n⌋)/2. For the 2-adic AGM to converge, it is necessary thatv 2 (ε k+1 ) 3 due to the quadratic term.n=0),)ε n k)

§ 17.3 Overview of p-adic methods 435The main reason for Legendre and Gauß to introduce the AGM is that it allows us to compute ellipticintegrals and periods of elliptic curves.Theorem 17.45 Let a, b ∈ R with 0 0. Consider the following diagramC/(Z + τZ)F≃C/(Z +2τZ) ≃ µ 1µ 0E τ (C)φE 2τ (C)with F : z ↦→ z and φ the isogeny of degree 2 such that the above diagram commutes. The ellipticcurve E 2τ has as equation E 2τ : y1 2 = x 1 (x 1 −a 2 1)(x 1 −b 2 1) with a 1 =(a 0 +b 0 )/2 and b 1 = √ a 0 b 0 .Furthermore, the isogeny φ is given by(x1 (x 1 − b 2φ :(x 1 ,y 1 ) ↦→1),x 1 − a 2 y (x2 − 2x 1 a 2 1 + a 2 1b 2 )1)1 (x 1 − a 2 · (17.18)1 )2Since φ = µ 0 ◦ F ◦ µ −11 , the action of φ on the holomorphic differential form dx 0/y 0 is given by( )( )( )φ ∗ dx0=(µ 0 ◦ F ◦ µ −1 dx01y )∗ =(F ◦ µ −110 y )∗ dz =(µ −1 dx11 )∗ dz = ,0 y 1since clearly F ∗ (dz) = dz. This shows that the integral (17.17) remains unchanged under thetransformation φ and thus− i 2∫ −∞0dx√x(x − a20 )(x − b 2 0 ) = − i 2∫ −∞0dx√x(x − a21 )(x − b 2 1 )·Repeating the same argument and by taking limits, we obtain E ∞ : y 2 = x ( x − AGM(a, b) 2) 2.Note that E ∞ is of genus 0, which implies that the corresponding integral can be evaluated usingelementary functions. This finally proves− i 2∫ −∞0dx√x(x − a2 )(x − b 2 ) = − i 2∫ −∞0dx√ x(x − AGM(a, b)2 ) = π2AGM(a, b)·

436 Ch. 17 Point Counting on Elliptic and Hyperelliptic Curves17.3.2.bElliptic curve AGMLet F q denote the finite field with 2 d elements and let Q q be the unramified extension of Q 2 ofdegree d with valuation ring Z q . Let Σ ∈ Gal(Q q /Q 2 ) be the Frobenius substitution, i.e., theunique automorphism of Q q with Σ(x) ≡ x 2 (mod 2) for x ∈ Z q .For c ∈ 1+8Z q , denote by √ c the unique element e ∈ 1+4Z q with e 2 = c. Givena, b ∈ Z qwith a/b ∈ 1+8Z q ,thena ′ =(a + b)/2 and b ′ = b √ a/b also belong to Z q and a ′ /b ′ ∈ 1+8Z q .Furthermore, if a, b ∈ 1+4Z q ,thenalsoa ′ ,b ′ ∈ 1+4Z q .Remark 17.46 The analysis in Remark 17.44, shows that the 2-adic AGM sequence will convergeif and only if a/b ∈ 1+16Z q .Fora/b ∈ 1+8Z q the AGM sequence will not converge at all, soAGM(a, b) is not defined. Nonetheless, the AGM sequence (a k ,b k ) ∞ k=0can be used to compute thenumber of points on an ordinary elliptic curve.Let a, b ∈ 1+4Z q with a/b ∈ 1+8Z q and E a,b the elliptic curve defined byE a,b : y 2 = x(x − a 2 )(x − b 2 ).Similar to the AGM over C of Section 17.3.2.a, the 2-adic AGM iteration constructs a sequence ofelliptic curves all of which are 2-isogenous.Proposition 17.47 Let a, b ∈ 1+4Z q with a/b ∈ 1+8Z q and E a,b the elliptic curve definedby the equation y0 2 = x 0(x 0 − a 2 )(x 0 − b 2 ). Let a ′ =(a + b)/2, b ′ = √ ab and E a′ ,b ′ : y2 1 =x 1 (x 1 − a ′2 )(x 1 − b ′2 ),thenE a,b and E a ′ ,b′ are 2-isogenous. The isogeny is given byψ : E a,b −→ E a ′ ,b( ′)(x + ab)2(x, y) ↦−→,(x − ab)(x + ab)y ,4x8x 2and the kernel of ψ is 〈(0, 0)〉. Furthermore, the action of ψ on the holomorphic differential is( )ψ ∗ dx1=2 dx 0·y 1 y 0The isogeny φ defined in (17.18) is in fact the dual of the isogeny ψ and the same formula clearlyremains valid over Q q .Remark 17.48 Note that the above proposition is in fact a special case of the general constructiondescribed in Section 8.3.1. Indeed, the kernel of ψ is precisely E a,b [2] loc , i.e., the 2-torsion pointsin the kernel of reduction. This implies that E a ′ ,b ′ ≃ E a,b/E a,b [2] loc .Let (a k ,b k ) ∞ k=0 be the AGM sequence and consider the elliptic curves E a k ,b k. To relate this back toa sequence of elliptic curves over F q , we cannot simply reduce the equations defining E ak ,b ksincethe result would be singular. The following lemma construct an isomorphic curve which can thenbe reduced modulo 2.Lemma 17.49 Let a, b ∈ 1+4Z q with a/b ∈ 1+8Z q and E a,b : y 2 = x(x − a 2 )(x − b 2 ).Theisomorphism( x − ab(x, y) ↦→ , y − x + ab )4 8

§ 17.3 Overview of p-adic methods 437transforms E a,b in y 2 + xy = x 3 + rx 2 + sx + t withr = −a2 +3ab − b 2 − 1,4s = −a3 b +2a 2 b 2 − ab 3,8t = −a4 b 2 +2a 3 b 3 − a 2 b 4·64Furthermore, r ∈ 2Z q , s ∈ 8Z q and t ≡− ( )a−b 28 (mod 16), which shows that the reduction isnonsingular.Let E be an ordinary elliptic curve defined by y 2 + xy = x 3 + c with c ∈ F ∗ q and let E be itscanonical lift. Take any e ∈ Z q such that e 2 ≡ c (mod 2) and let a 0 =1+4e and b 0 =1− 4e,then Lemma 17.49 shows that E a0,b 0is isomorphic to a lift of E to Z q and thus j(E a0,b 0) ≡ j(E)(mod 2).As indicated in Remark 17.48, the AGM sequence is a special case of the the general constructiondescribed in Section 8.3.1 and thus must converge linearly to the canonical lift E of E.Theorem 17.50 The sequence of elliptic curves E ak ,b klift E of E in the following sense:converges linearly towards the canonicalj (E ak ,b k) ≡ Σ k( j(E) ) (mod 2 k+1 ).The proof of this theorem is not difficult and is based on the following proposition due to Vercauteren[VEPR + 2001].Proposition 17.51 Let Q q be the unramified extension of Q p of degree d and denote with Z q itsvaluation ring. Let g ∈ Z q [X, Y ] and assume that x 0 ,y 0 ∈ Z q satisfyg(x 0 ,y 0 ) ≡ 0(mod p),∂g∂X (x 0,y 0 ) ≢ 0(mod p),∂g∂Y (x 0,y 0 ) ≡ 0(mod p).Then the following properties hold:1. For every y ∈ Z q with y ≡ y 0 (mod p) there exists a unique x ∈ Z q such that x ≡ x 0(mod p) and g(x, y) =0.2. Let y ′ ∈ Z q with y ≡ y ′ (mod p n ), n 1 and let x ′ ∈ Z q be the unique element withx ′ ≡ x 0 (mod p) and g(x ′ ,y ′ )=0.Thenx ′ satisfies x ′ ≡ x (mod p n+1 ).By Proposition 17.47 the curves E ak ,b kand E ak+1 ,b k+1are 2-isogenous, soΦ 2(j(Eak ,b k),j(E ak+1 ,b k+1) ) =0,with Φ 2 (X, Y ) the second modular polynomial. Furthermore, an easy computation shows thatj(E ak+1 ,b k+1) ≡ j(E ak ,b k) 2 (mod 2), so we can apply Proposition 17.51 which proves the result.As noted in Remark 17.46, the AGM sequence itself does not converge, but by the above theoremthe sequence of elliptic curves E adk ,b dkdoes converge to the canonical lift E. The first approachwould thus be to use the AGM iteration to compute j(E) mod2 N and then to apply the secondstage of Satoh’s algorithm. However, the AGM also provides an elegant formula for the trace ofFrobenius.

438 Ch. 17 Point Counting on Elliptic and Hyperelliptic CurvesAssume we have computed a, b ∈ 1+4Z q with a/b ∈ 1+8Z q such that j(E a,b )=j(E). Let(a ′ ,b ′ )= ( (a + b)/2, √ ab ) , ψ : E a,b −→ E a′ ,b ′ the AGM isogeny and F 2 : E a,b −→ E Σ(a),Σ(b) thelift of the 2-nd power Frobenius, then we have the following diagram:E a,bF 2✲E Σ(a),Σ(b)◗ ◗ψ ◗◗✑ ✑✑✑✸ λE a′ ,b ′(17.19)The kernel of the Frobenius isogeny F 2 : E a,b −→ E Σ(a),Σ(b) is a subgroup of order 2 ofE a,b [2] = {P ∞ , (0, 0), (a 2 , 0), (b 2 , 0)}.Using the isomorphism given in Lemma 17.49, we now analyze the reduction of the 2-torsion points.An easy calculation shows that (0, 0) is mapped onto P ∞ whereas (a 2 , 0) and (b 2 , 0) are mapped to(0, (a−b)/8mod2). Therefore we conclude that ker(F 2 )={P ∞ , (0, 0)}. Proposition 17.47 showsthat ker(F 2 )=ker(ψ) and since both isogenies are separable, there exists an isomorphism λ :E a′ ,b ′ −→ E Σ(a),Σ(b), such that F 2 = λ ◦ ψ. The following proposition shows that this isomorphismhas a very simple form.Proposition 17.52 Given two elliptic curves E a,b : y 2 = x(x − a 2 )(x − b 2 ) and E a′ ,b ′ : y′2 =x ′ (x ′ − a ′2 )(x ′ − b ′2 ) over Q q with a, b, a ′ ,b ′ ∈ 1+4Z q and a/b, a ′ /b ′ ∈ 1+8Z q ,thenE a,b andE a′ ,b ′ are isomorphic if and only if x′ = u 2 x and y ′ = u 3 y withu 2 = a′2 + b ′2a 2 + b 2 ·Furthermore, we have ( )a 2 (b = a′ ) 2 (b or a) 2 ( ′ b = b′ )a2· ′Let ω = dx/y and ω ′ = dx ′ /y ′ be the holomorphic differentials on E a,b and E Σ(a),Σ(b) respectively,thenF ∗ 2 (ω′ )=(λ ◦ ψ) ∗ (ω ′ )=2u −1 ω with u 2 = Σ(a)2 +Σ(b) 2a ′2 + b ′2 ·Define ζ = a/b =1+8c and ζ ′ = a ′ /b ′ =1+8c ′ , then Lemma 17.52 also implies thatζ ′2 =Σ(ζ) 2 or ζ ′2 = 1Σ(ζ) 2 ·Substituting ζ =1+8c and ζ ′ =1+8c ′ in the above equation and dividing by 16, we conclude thatc ′ ≡ Σ(c) (mod4)or c ′ ≡−Σ(c) (mod4). The Taylor expansion of 1+8c ′ =(1+4c)/ √ 1+8cmodulo 32 shows that c ′ ≡ c 2 (mod 4). Since after the first iteration, c itself is a square α 2 modulo4 and Σ(α 2 ) ≡ α 4 (mod 4), we conclude that ζ ′2 =Σ(ζ) 2 . Note that since ζ ≡ ζ ′ ≡ 1(mod8),we conclude thatζ ′ =Σ(ζ). (17.20)Substituting b ′2 = a ′2 Σ(b)/Σ(a) 2 in the expression for u 2 and taking square roots leads tou = + −Σ(a)a ′ · (17.21)

§ 17.3 Overview of p-adic methods 439Let (a k ,b k ) ∞ k=0 be the AGM sequence with a 0 = a and b 0 = b and consider the following diagramwhere E k = E Σk (a),Σ k (b) and F 2,k : E k −→ E k+1 the lift of the 2-nd power Frobenius isogeny.ψ 0 ψ 1 ψ 2 ψ d−1E✲a,b E✲a1,b 1E✲a2,b 2···✲E ad ,b dId λ 1 λ 2 . λ d❄ F 2,0 ❄ F 2,1 ❄ F 2,2 F 2,d−1 ❄E✲0 E✲1 E✲2 ···✲E d = E 0 (17.22)Since ker(F 2,k ◦ λ k )=ker(ψ k ) for k ∈ N, we can repeat the same argument as for diagram (17.19)and find an isomorphism λ k+1 such that F 2,k = λ k+1 ◦ ψ k ◦ λ −1k.SinceE a,b is isomorphic to thecanonical lift E of E, we conclude thatTr(F 2,d−1 ◦···◦F 2,0 )=Tr(F q )=Tr(φ q ).The above diagram shows that F 2,d−1 ◦···◦F 2,0 = λ d ◦ ψ d−1 ◦···◦ψ 0 and since ψ k acts on theholomorphic differential ω as multiplication by 2 and λ d as multiplication by + − a d /a 0 , we concludethatF ∗ q (ω) = + − 2 d a da 0(ω).The Weil conjectures imply that the product of the roots of the characteristic polynomial of Frobeniusis 2 d and thusaTr(F q )=Tr(φ q )= + 0− +a − 2 d a d· (17.23)d a 0Remark 17.53 If the curve E is defined by the equation y 2 + xy = x 3 + c with c ∈ F ∗ q,then( 4√ c, √ c) is a point of order 4, which implies that Tr(φ q ) ≡ 1(mod4).Sincea 0 /a d ∈ 1+4Z q ,we can choose the correct sign in (17.23) and conclude that Tr(φ q ) ≡ a 0 /a d (mod q).The only remaining problem is that we are working with approximations to a and b and not theexact values as assumed in the previous section, so the question of precision remains.Let E be an ordinary elliptic curve defined by y 2 + xy = x 3 + c with c ∈ F ∗ q .Takeanyr ∈ Z qsuch that r 2 ≡ c (mod 2) and let a 0 =1+4r and b 0 =1− 4r. Theorem 17.50 shows that if(a k ,b k ) ∞ k=0is the AGM sequence, thenj (E ak ,b k) ≡ j(E k ) (mod 2 k+1 ),where E k is the canonical lift of σ k (E). Expressing j(a k ,b k ) as a function of a k and b k shows thata k and b k must be correct modulo 2 k+3 . Therefore, we conclude thatTr(φ q ) ≡a N−3+2 d a N−3+d(mod 2 N ).a N−3+d a N−3Algorithm 17.54 Elliptic curve AGMINPUT: An elliptic curve E : y 2 + xy = x 3 + c over F 2 d with j(E) ≠0.OUTPUT: The number of points on E(F 2 d).1. N ← ˚ ˇ d2 +32. a ← 1 and b ← (1 + 8c) mod2 4 [c arbitrary lift of c]3. for i =5 to N do4. (a, b) ← `(a + b)/2, √ ab´ mod 2 i

440 Ch. 17 Point Counting on Elliptic and Hyperelliptic Curves5. a 0 ← a6. for i =0 to d − 1 do7. (a, b) ← `(a + b)/2, √ ab´ mod 2 N8. t ← a0mod 2N−1a9. if t 2 > 2 d+2 then t ← t − 2 N−110. return 2 d +1− tThe complexity of Algorithm 17.54 is determined by the AGM iterations in the for loops, whichrequire O(d) square root computations to precision O(d). Since each square root computationtakes O(1) multiplications at full precision, the complexity of Algorithm 17.54 is O(d 2µ+1 ) bitoperations.The space complexity clearly is O(d 2 ), since only O(1) elements of Z q /2 N Z q arerequired.Remark 17.55 Note that it is possible to replace the loop starting in Line 6 of Algorithm 17.54 byone AGM iteration and a norm computation. Indeed, equation (17.21) shows that( ) dxF2∗ = +y − 2 a ( )1 dx,Σ(a 0 ) yand since all curves E k are conjugates, we have( )( )dxFq∗ = +y − 2 d a1 dxN Qq/Q pΣ(a 0 ))(yTherefore, it suffices to compute a 1 with one AGM iteration and to sett ≡ N Qq/Q p(a 0 /a 1 ) (mod 2 N ).We refer to Section 12.8.5 for efficient norm computation algorithms.( )( )= + − 2 d a1 dxN Qq/Q p·a 0 yRemark 17.56 The AGM sequence has been generalized, at least in theory, to ordinary abelianvarieties in the thesis of Carls [CAR 2003].Example 17.57 Let p =2, d =7and F p d ≃ F p (θ) with θ 7 + θ +1 =0. Consider the ellipticcurve E given by the affine equation y 2 + xy = x 3 + c with c =1+θ 4 . It is easy to check thatj(E) ≠0.LetZ q ≃ Z 2 [T ]/(T 7 + T +1), then after the initialization stepa ≡ 1 (mod 2 4 ) and b ≡ 8T 4 +9 (mod2 4 ).The values of a 0 and a in Line 8 are then given bya 0 ≡ 16T 6 +32T 4 +8T 3 +16T 2 +36T +5 (mod2 6 )a ≡ 48T 6 +32T 5 +32T 4 +40T 3 +48T 2 +52T +57 (mod2 6 )and finally t =13and |E(F p d)| = 116.A first improvement of Algorithm 17.54 is to consider a univariate AGM sequence. Let (a k ,b k ) ∞ k=0with a k ≡ b k ≡ 1(mod4)and a k ≡ b k (mod 8) be the bivariate AGM sequence, then we definethe univariate AGM sequence (ξ k ) ∞ k=0 by ξ k = a k /b k , which corresponds to the curvesE ξk : y 2 = x(x − 1)(x − ξ 2 k ).

§ 17.3 Overview of p-adic methods 441Since (a k+1 ,b k+1 )= ( (a k + b k )/2, √ a k b k), we can compute ξk+1 from ξ k byξ k+1 = 1+ξ k2 √ ξ k· (17.24)Note that this only requires 1 inverse square root computation; as shown in Section 12.3.3, thissaves one multiplication over the square root computation √ a k b k . Given an ordinary elliptic curveE : y 2 +xy = x 3 +c with c ∈ F ∗ q, the univariate AGM sequence should be initialized by ξ 1 ≡ 1+8c(mod 16) with c an arbitrary lift of c. Unlike the bivariate AGM sequence, the univariate AGMsequence does converge, in the sense that ξ k ≡ ξ k+d (mod 2 k+3 ).Remark 17.55 shows that given the bivariate AGM sequence (a k ,b k ) ∞ k=0 we can compute thetrace of Frobenius asTr(φ q ) ≡ t k + q (mod 2 k+3 ),t kwith t k =N Qq/Q p(a k /a k+1 ). Substituting a k+1 =(a k + b k )/2, ξ k = a k /b k finally gives( ) 2ξkt k =N Qq/Q p·1+ξ kAlgorithm 17.58 Univariate elliptic curve AGMINPUT: An elliptic curve E : y 2 + xy = x 3 + c over F 2 d with j(E) ≠0.OUTPUT: The number of points on E(F 2 d).1. N ← ˚ d2ˇ+32. c ← c mod 2 [c arbitrary lift of c]3. ξ ← (1 + 8c) mod2 44. for i =5 to N do5. ξ ← (1 + ξ)/(2 √ ξ)mod2 i6. t ← N Qq/Q p`2ξ/(1 + ξ)´mod 2N−17. if t 2 > 2 d+2 then t ← t − 2 N−18. return 2 d +1− tExample 17.59 We keep the settings of Example 17.57, i.e., p =2, d =7and F p d ≃ F p (θ) withθ 7 + θ +1=0and let E be the elliptic curve given by the affine equation y 2 + xy = x 3 + c withc =1+θ 4 .LetZ q ≃ Z 2 [T ]/(T 7 + T +1), then after the initialization step we get ξ ≡ 8T 4 +9(mod 2 4 ) and finally in Line 6, ξ ≡ 16T 6 +56T 4 +8T 2 +24T +9 (mod2 6 ) and t =13.A second improvement of Algorithm 17.54 is due to Gaudry [GAU 2002], who devised a modifiedmodular polynomial based on the univariate AGM sequence. In this case, define λ k = b k /a k (i.e.,λ k =1/ξ k ) which gives the iterationλ k+1 = 2√ λ k1+λ k· (17.25)Note that this iteration is less efficient than the one for ξ k , since it requires a square root computation(not an inverse square root) and an extra inverse. The sequence can again be initialized by λ 1 =1+8c with c an arbitrary lift of c. From 17.20 follows thatλ k+1 ≡ Σ(λ k ) (mod 2 k+3 ).

442 Ch. 17 Point Counting on Elliptic and Hyperelliptic CurvesSubstituting this in equation (17.25) shows that λ k satisfiesΣ(Z) 2 (1 + Z) 2 − 4Z ≡ 0 (mod 2 k+3 ) and Z ≡ 1+8Σ k−1 (c) (mod 16).Let Λ 2 (X, Y ) = Y 2 (1 + X) 2 − 4X, thenλ k satisfies Λ 2(X, Σ(X))≡ 0(mod2 k+3 ). Thisequation is almost of the form considered in Section 12.7, except that both partial derivatives vanishmodulo 2. Therefore, we make the change of variables X ← 1+8X and Y ← 1+8Y to obtainthe modified modular polynomialΥ 2 (X, Y )=(X +2Y +8XY ) 2 + Y +4XY,Let γ k be defined by λ k =1+8γ k ,thenγ k satisfies Υ 2(X, Σ(X))≡ 0(mod2 k ) and γ k ≡σ k−1 (c) (mod2). The partial derivatives of Υ 2 are∂Υ 2(X, Y )∂X= 2(X +2Y +8XY )(1 + 8Y )+4Y,∂Υ 2(X, Y )∂Y= (4(X +2Y +8XY) + 1)(1 + 4X),which shows that ∂Υ2∂Υ2∂X≡ 0(mod2),but∂Y≡ 1(mod2). Using any of the algorithms describedin Section 12.7, we can compute γ k for any k ∈ N. The trace of Frobenius can be computed asTr(φ q ) ≡ t k + qt k(mod 2 k+3 ),with t k =N Qq/Q p(2/(1 + λk ) ) =N Qq/Q p(1/(1 + 4γk ) ) .Remark 17.60 This optimization by Gaudry has been extended to other characteristics by Madsenin [MAD 2003] usingλ-modular polynomials. A related approach based on lifting of Heegnerpoints on modular curves X 0 (N) was described by Kohel in [KOH 2003].17.3.2.cHyperelliptic curve AGMTo extend the AGM to ordinary curves of genus g 2,Mestre[MES 2002] showed how to interpretthe AGM as a special case of the Riemann duplication formula for theta functions.Let F q a finite field with q =2 d elements. Let C be a curve defined over F q such that its Jacobianvariety J = J Cis ordinary and assume that J C[2] is F q -rational. Denote with J i the i-th conjugateof J and let φ 2,i : J i −→ J i+1 denote the corresponding 2-nd power Frobenius isogeny.Let Q q be the degree d unramified extension of Q 2 , with valuation ring Z q such that Z q /2Z q ≃ F qand denote with J c the canonical lift of J Cand J i,c = JcΣi for i positive. Since Σ d =Id, we clearlyhave J i,c = J i+d,c . Let F 2,i be the image of φ 2,i under the isomorphism Hom(J i,c , J i+1,c ) ≃Hom(J i , J i+1 ),thenF q = F 2,d−1 ◦···◦F 2,0 is the lift of the Frobenius endomorphism φ q underthe ring isomorphism End(J c ) ≃ End(J C).Consider the following sequence of abelian varietiesIJ0 I0 −→1 IJ1 −→2 IJ2 −→3J3 −→ ..., (17.26)with J 0 = J c and for i ∈ N, J i+1 = J i /J i [2] loc with J i [2] loc = J i [2] ∩ ker(π), i.e., the 2-torsionpoints in the kernel of reduction. Since the isogenies I i : J i −→ J i+1 reduce to the 2-nd powerFrobenius isogeny φ 2,i : J i −→ J i+1 , we conclude that J i must also be a canonical lift of J i .Dueto the uniqueness of the canonical lift, there must exists an isomorphism λ i : J i,c −→ J i . Consider

§ 17.3 Overview of p-adic methods 443the following diagramI 0 I 1 I 2 I d−1J✲0 J✲1 J✲2 ···✲J dId✻λ✻1 λ✻2 . λ✻dF 2,0 F 2,1 F 2,2 F 2,d−1J✲0,c J✲1,c J✲2,c ···✲J d,c = J 0,c (17.27)then we can express the lift V q of the dual of the q-th power Frobenius φ q asV q = ̂F 2,0 ◦···◦ ̂F 2,d−1 = Î0 ◦···◦Îd−1 ◦ λ d .As in the elliptic curve AGM, we can choose a basis B of the vector space D 0 (J c , Q q ) of holomorphicdifferential forms of degree 1 on J c such that the action of Îi, i.e., the dual of I i ,istheidentity. The action of the lift of Verschiebung V q on B is thus simply given by the action of λ d .To turn the above approach into an algorithm, Mestre considers the diagram (17.27) over C andcomputes on the corresponding analytic varieties. Let Q ur2 denote the maximal unramified extensionof Q 2 and fix an embedding σ : Q ur2 ↩→ C. SinceQ q ⊂ Q ur2 , we can associate to the J i in the abovediagram, an abelian variety over C given by J C,i = J i ⊗ σ C.As shown in Section 5.1.3, each abelian variety J C,i is isomorphic as an analytic variety to acomplex torus T i = C g /(Z g +Ω i Z g ) with Ω i a symmetric matrix such that Im Ω i > 0, i.e., theperiod matrix of J C,i .Letµ i : J C,i −→ T i denote this isomorphism, then the following propositionshows that the isogenies I i have a particular simple expression in the analytic setting.Proposition 17.61 The complex torus T i is given by C g /(Z g +2 i ΩZ g ) and the isogeny I i correspondsto the isogeny I i,an defined by the inclusion of the latticesi.e., I i,an ◦ µ i = µ i+1 ◦I i .2(Z g +2 i ΩZ g ) ⊂ (Z g +2 i+1 ΩZ g ),Since λ d : J 0 −→ J d is an isomorphism, there exists an isomorphism λ C,d : T 0 −→ T d over C.Definition 17.62 Let Sp(2g, Z) denote the symplectic group over Z, i.e., the set of 2g ×2g matrices[ ABCD ] with A, B, C, D ∈ Z(g×g) , such that[AC] t [BD0 I g−I g 0][AC] [ ]B 0 I g=.D −I g 0Denote with Γ N the subgroup of elements M ∈ Sp(2g, Z) with M ≡ I 2g(mod N).Then there exists a group action of Sp(2g, Z) on C g × H g given by[ ]A B(z,Ω) = ( (CΩ+D) −1 z,(AΩ+B)(CΩ+D) −1) .C DBy Theorem 5.50, the isomorphism λ C,d : T 0 → T d is defined by a matrix [CD AB ] ∈ Sp(2g, Z)and the action of λ C,d on C g is given by z ↦→ (CΩ +D) −1 z. For every i ∈ N, wehavethatB i,an = ( dz (i) )1 ,...,dz(i) g forms a basis of the holomorphic differentials on Ti . By the descriptionof the I i,an in Proposition 17.61, we conclude thatÎ ∗ i,an B i,an = B i+1,an .

444 Ch. 17 Point Counting on Elliptic and Hyperelliptic CurvesThe action of V q,an on B 0,an is thus simply given by M Vq =(CΩ +D) −1 . If we would be ableto compute M Vq we could easily recover the characteristic polynomial of φ q from the minimalpolynomial of M Vq + qM −1V q. Unfortunately, we will only be able to determine + − det(M Vq ) andnot M Vq itself. Since J Cis ordinary, the characteristic polynomial χ(φ q ) Chas exactly g rootsπ 1 ,...,π g that are 2-adic units and since V q is separable, we conclude that det(M Vq )=π 1 ···π g .Although this only determines χ(φ q ) Cuniquely in genus 1 and 2, we can use the LLL algorithmto determine χ(φ q ) C( + − T ). To decide the correct sign, test which choice χ(φ q ) C( + − 1) gives thecorrect order.The determinant + − det(CΩ+D) −1 can be recovered from the theta constants associated to T nand T n+d for any n ∈ N. As shown in Section 5.1.6.a, we can associate to a principally polarizedabelian variety A C over C with period matrix Ω, the Riemann theta function, which for z ∈ C g isgiven byθ(z,Ω) = ∑ exp ( πi(n t Ωn +2n t z) ) .n∈Z gMore generally, we consider translations of θ(z,Ω) by an element of 1 2 Zg +Ω ( 12 Zg) , leading tothe theta functions with characteristicsθ [ δ ε ](z,Ω) = ∑ ( (exp πi n + 1 ) t2 δ Ω(n + 1 )2 δ +2(n + 1 ) t (z2 δ + 1 ))2 ε ,n∈Z gwith δ, ε ∈ R g . When δ, ε ∈ Z g and δ t ε ≡ 0(mod2)the theta characteristic is called even;otherwise, it is called odd.Definition 17.63 For integral theta characteristic [ δ ε ],thevalueθ [ δ ε](0, Ω) is called the theta constantof characteristic [ δ ε ].The relation with the isomorphism λ C,d : T 0 → T d given by the matrix [CD AB ] ∈ Sp(2g, Z) is thefollowing proposition.Proposition 17.64 For all δ, ε ∈ Z g and [ ABCD ] ∈ Γ 2 we haveθ [ δ ε ]2 ( 0, (AΩ+B)(CΩ+D) −1) = + − det(CΩ+D)θ [ δ ε ]2 (0, Ω).Since T 0 has period matrix Ω and T d has period matrix 2 d Ω, the above proposition leads to the maintheorem.Theorem 17.65 Let π 1 ,...,π g be the unit roots of χ(φ q ) C, then if there exists δ, ε ∈ Z g such thatθ [ δ ε ]2 (0, Ω) ≠0,thenθ [ δ ε ]2 (0, 2 d Ω) ≠0is nonzero andθ [ δ ε ]2 (0, Ω)θ [ δ ε ]2 (0, 2 d Ω) = + − (π 1 ···π g ).To apply the above theorem, we need to compute θ [ δ ε ]2 (0, Ω) and θ [ δ ε ]2 (0, 2 d Ω) for a givenδ, ε ∈ Z g . Unfortunately, there is currently no algorithm that computes these values for one fixedpair δ, ε ∈ Z g . Luckily it is possible to compute θ [ 0 ε ]2 (0, 2 d Ω) for all vectors ε ∈ (Z/2Z) g simultaneously.The following duplication formula, which is a special case of Riemann’s duplicationformula, is at the heart of this algorithm.Proposition 17.66 For ε ∈ (Z/2Z) g we haveθ [ 0 ε ]2 (0, 2Ω) = 1 ∑2 g θ [ ]0ε+e (0, Ω) × θ [0e ](0, Ω). (17.28)e∈(Z/2Z) g

§ 17.3 Overview of p-adic methods 445Example 17.67 Let g =1and define θ i,k = θ [ 0εi] 2(0, 2 k Ω) with ε i the vector containing the bitsin the binary representation of i. The above proposition then gives:θ0,k+1 2 = 1 (θ22 0,k + θ1,k)2θ1,k+1 2 = θ 0,kθ 1,k ,which is exactly the AGM iteration if we set a k = θ 2 0,k and b k = θ 2 1,k .In the elliptic curve case, we considered the univariate AGM instead of the bivariate one sinceit was more efficient. Similarly, we can divide out the theta constant θ [ 0 0 ]2 (0, 2 k Ω) to obtain anonhomogeneous variant of the above proposition.Proposition 17.68 Define τ i,k = θ i,k /θ 0,k for i =1,...,2 g − 1 with θ i,k = θ [ ]0 2εi(0, 2 k Ω) andε i the vector containing the bits in the binary representation of i. LetG : Z 2g −1q −→ Z q be definedby G(t 1 )= 2√ t 11+t 1if g =1and more generally for g>1 by√t1 + √ √t 2 t3 + ···+ √ √t 2g −2 t2g −1G(t 1 ,...,t 2g −1) =2· (17.29)1+t 1 + ···+ t 2g −1Then∀i ∈{1,...,2 g − 1}, τ i,k+1 = G(τ i,k ,τ i2,k,τ i3,k,...,τ i2 g −2 ,k,τ i2 g −1 ,k),where, for each i, the indices i 2 ,...,i 2g −1 are such that{{0,i}, {i2 ,i 3 },...,{i 2g −2,i 2g −1} } = { {j, j XOR i} |j ∈{1,...,2 g − 1} } . (17.30)The iteration in the above proposition satisfies similar properties as the univariate AGM iterationdescribed in Section 17.3.2.b.Lemma 17.69 The generalized AGM sequence defined in Proposition 17.68 satisfies:• Linear convergence: let η i,k ≡ τ i,k (mod p n ) for i =1,...,2 g − 1 and let η i,k+1 beobtained by applying G, thenη i,k+1 ≡ τ i,k+1 (mod p n+1 ).• Conjugacy property:τ i,k+1 =Σ(τ i,k ).The linear convergence property shows that if we start from an approximation of τ i,0 (mod 2 s )for i = 1,...,2 g − 1, thenaftern iterations we have obtained τ i,n (mod 2 s+n ). To recover+− (π 1 ···π g ) to precision N, we therefore simply computeτ i,N−sτ i,N−s+d≡ + − (π 1 ···π g ) (mod 2 N ).Like in the univariate AGM, there are two further optimizations possible based on the conjugacyproperty. Instead of using the generalized AGM iteration to compute τ i,k for i =1,...,2 g − 1,wecompute τ i (mod 2 N ) for i =1,...,2 g − 1 as the solution of the system of equationsΣ(τ i )=G(τ i ,τ i2 ,τ i3 ,...,τ i2 g −2,τ i2 g −1), for i =1,...,2 g − 1. (17.31)This system of equations can be solved efficiently using a vectorial version of the generalized Newtonlift described in Section 12.7.

446 Ch. 17 Point Counting on Elliptic and Hyperelliptic CurvesThe second optimization replaces the extra d AGM iterations by a fast norm computation. Indeed,let τ i with i =1,...,2 g − 1 be a solution of (17.31) to precision N,then(2+− g )(π 1 ···π g ) ≡ N Qq/Q p(mod 2 N ). (17.32)1+τ 1 + ···+ τ 2g −1The only remaining problem is to devise an initial approximation to the τ i for i =1,...,2 g − 1.This is in fact the only step that really depends on the curve C itself; all the steps described so faronly require that J Cis ordinary and that J C[2] is defined over F q .For C a hyperelliptic curve, the initial approximations can be computed using formulas due toThomae as follows: assume that C is defined by an equation of the formC : y 2 + h(x)y = h(x)f(x),with f,h ∈ F q [x], deg f =degh = g +1and such that h has g +1roots in F q with multiplicityone. This latter condition ensures that J C[2] is defined over F q . Note that all ordinary hyperellipticcurves can be written in the above form after a suitable extension of the base field and a change ofvariables.Take arbitrary lifts f,h ∈ Z q [x] of f and h with deg f =degh = g +1, and consider thecurve C : y 2 + h(x)y = h(x)f(x). Multiplying both sides by 4 and completing the square gives(2y + h(x)) 2= h(x)(h(x)+4f(x)).Sinceh(x) splits completely over Fq , Hensel’s lemma impliesthat h(x) and also h(x) +4f(x) have g +1roots over Z q with multiplicity 1. We can thusconsider the isomorphic curve defined by the equationy 2 =g∏(x − α i ) ( x − (α i +4β i ) ) .i=0Let a 2i = α i and a 2i+1 = α i +4β i for i =0,...,g, then we clearly have a 2i ≡ a 2i+1 (mod 4).The following lemma finally provides the last missing step in the algorithm.Lemma 17.70 (Thomae formula) Let C be a hyperelliptic curve over Z q given by an equationof the form C : y 2 = ∏ 2g+1i=0 (x − a i) with a i ∈ Z q and a 2i ≡ a 2i+1 (mod 4), then for k =0,...,2 g − 1√ ∏θ 1,k = (a 2i+ki − a 2j+kj )(a 2i+1−ki − a 2j+1−kj ),0i

§ 17.3 Overview of p-adic methods 447q Q5. θ k ←0i

448 Ch. 17 Point Counting on Elliptic and Hyperelliptic Curvesandλ ≡ 2876672816405499004481849 (mod 2 82 ).The only remaining problem is to devise χ(φ q ) C from the product of the unit roots + − (π 1 ···π g )(mod 2 N ). Factoring χ(φ q ) C givesχ(φ q ) C (T )=g∏(T − π i )(T − π i ).i=1As an intermediate step, we will compute a polynomial of degree 2 g−1 with coefficients in Z.Definition 17.73 The symmetric polynomial P sym of a projective nonsingular curve C over F q isthe unique monic polynomial of degree 2 g−1 whose roots are α + q g /α where α is the product of gsuccessive terms in {π 1 , π 1 },...,{π g , π g }.It is not difficult to see that P sym has integer coefficients. Recall that since C is assumed to beordinary, the roots π 1 ,...,π g are 2-adic units. The following lemma shows that in this case P symalmost determines χ(φ q ) C .Lemma 17.74 Let C be an ordinary, projective nonsingular curve of genus g > 1, thenP symdetermines the set {π 2 i } i=1,...,g. Furthermore, if χ(φ q ) C is irreducible, then P sym determinesχ(φ q ) C ( + − T ).According to a theorem by Tate [TAT 1966], if J C is F q -simple then χ(φ q ) C is irreducible, so inthis case P sym determines χ(φ q ) C .Given λ ≡ + − (π 1 ···π g )(modp N ) for some sufficiently large precision N, P sym can be computedusing the LLL algorithm [LELE + 1982] as follows: let η = λ+2 dg /λ and consider the latticeL over Z given by⎡⎤SM 0 SM 1 ··· SM m S2 N0 0 ··· q ⌊Sm⌋ 00 0 ··· 0 0. . . .. . .⎢⎣ 0 q ⌊S1⌋ ⎥··· 0 0 ⎦q ⌊S0⌋ 0 ··· 0 0where the columns are the basis vectors, m =2 g−1 , S an arbitrarily large constant andM i ≡ 2 d(m−1−i) η i (mod 2 N ), i =0,...,m− 1, M m ≡ η m (mod p N )S i =i(g − 2),m(g − 2)i =0,...,m− 1, S m = +1.22To see where the above lattice comes from, note that P sym (T )=T m + ∑ m−1i=0 r iq m−1−i T i andthat the r i can be bounded by( ) m|r i | 2 (m−i) q (g−2)(m−i)2+1 .iThe S i are thus weight factors such that S i r i ≃ S j r j for all 0 i, j m. Multiplying the abovematrix by the column vector [r 0 ,...,r m−1 , 1,R] t shows that we can recover the coefficients ofP sym from a short vector Π in the lattice. The LLL algorithm can compute this vector Π if its

§ 17.3 Overview of p-adic methods 449Euclidean norm ||·|| 2 (or sup-norm || || 1 ) satisfy ||Π|| 1 ||Π|| 2 det(L) 1/ dim L . This leads tothe following asymptotic estimates for the necessary precision N:N> 22g (g − 2) + 2 g+1 (g +2)16Example 17.75 Continuing Example 17.72, after the lattice reduction step, one obtains,and finally,P sym (T )=T 4 +23T 3 − 18384 T 2 − 264960 T + 58593280,χ(φ q ) C (T )=T 6 − 3 T 5 +11T 4 − 73 T 3 + 176 T 2 − 768 T + 4096.d.17.3.3 Kedlaya’s algorithmLet p 3 be a prime number and F q a finite field with q = p d elements and algebraic closure F q .Let C be a hyperelliptic curve of genus g defined by the equationy 2 = f(x),with f ∈ F q [x] a monic polynomial of degree 2g +1without repeated roots. In particular, C isnonsingular in its affine part and has one rational Weierstraß place at infinity. Kedlaya [KED 2001]does not work with the curve C itself, but with the affine curve C, which is obtained from C byremoving the point at infinity and the locus of y =0, i.e., the points (ξ i , 0) ∈ F q × F q where ξ i isa zero of f. The reason for working with C instead of C will become clear during the exposition ofthe algorithm.17.3.3.aDagger algebra and Frobenius liftLet Q q be the degree d unramified extension of Q p , with valuation ring Z q , such that Z q /pZ q = F q .Take any monic lift f ∈ Z q [x] of f and let C be the hyperelliptic curve defined by y 2 = f(x). LetC be the curve obtained from C by removing the point at infinity and the locus of y =0and letA = Q q [x, y, y −1 ]/ ( y 2 − f(x) ) be its coordinate ring.The dagger algebra corresponding to C is given byA † = Q q 〈x, y, y −1 〉 † / ( y 2 − f(x) ) ,with Q q 〈x, y, y −1 〉 † the dagger algebra of Q q 〈x, y, y −1 〉 as described in Section 8.3.2. Every elementof A † can be written as a power series ∑ i∈Z A i(x)y i with A i ∈ Q q [x], deg(A i ) 2g andv p (A i ) >α|i| + β for constants α, β with α>0. Note that these constants are not fixed for all ofA † , but depend on the particular element chosen.Since φ q = φ d p, with φ p the p-power Frobenius, it suffices to lift φ p to an endomorphism F p of A † .It is natural to define F p as the Frobenius substitution on Z q and to extend it to A † by mapping x toF p (x) =x p and y to F p (y) with(F p (y) =y p 1+ F ( ) ) 1/2p f(x) − f(x)p ∑∞ ( )( ( ) )1/2y 2p = y p Fp f(x) − f(x)p iiy 2pi · (17.33)An easy calculation shows that ord p( 1/2i) 0 which implies that Fp (y) is an element of A † ,sincep divides F p(f(x))− f(x) p . Note that it is essential that y −1 is an element of A † , which explainswhy we compute with C instead of C.i=0

450 Ch. 17 Point Counting on Elliptic and Hyperelliptic CurvesIn the final algorithm, we actually need F p (y) −1 , which can be computed as F p (y) −1 = y −p Rwhere R is a root of the equation F (Z) =SZ 2 − 1 with S = ( 1+ ( F p(f(x))− f(x)p ) /y 2p) .TheNewton iteration to compute R is given byZ ← Z(3 − SZ2 )2(17.34)starting from Z ≡ 1(modp). In each step, the truncated power series should be reduced modulothe equation of the curve to keep the degree of the coefficients less than or equal to 2g, i.e., for eachterm B i (x)y i with deg B i > 2g, writeB i (x)y i = ( Q i (x)f(x)+R i (x) ) y i = R i (x)y i + Q i (x)y i+2with Q i and R i the quotient and remainder in the division of B i by f.17.3.3.bReduction in cohomologyAnalogous to Section 4.4.2.c, we associate to each element h of A † a differential dh such that theLeibniz rule holds d(hg) =hdg + gdh and such that da =0for a ∈ Q q .LetΩ be the module ofthese differentials, then the operator d defines a Q q -derivation from A † to Ω. Sincey 2 − f(x) =0,we conclude thatdy = f ′ (x)2y dx and thus Ω=A† dx y ·By definition we haveH 0 (C/Q q )=ker(d) ={h ∈ A † | dh =0}, H 1 (C/Q q )=coker(d) =(A † dx )/(dA † ),ythus elements of H 1 (C/Q q ) are differentials modulo exact differentials dh for some h ∈ A † .Thenext lemma gives bases for both H 0 (C/Q q ) and H 1 (C/Q q ).Lemma 17.76 H 0 (C/Q q )=Q q and H 1 (C/Q q ) splits into eigenspaces under the hyperellipticinvolution ı:• a positive eigenspace H 1 (C/Q q ) + with basis x i /y 2 dx for i = 0, ..., 2g,• a negative eigenspace H 1 (C/Q q ) − with basis x i /y dx for i =0,...,2g − 1.To compute in H 1 (C/Q q ) we need to express an arbitrary differential form as the sum of a Q q -linearcombination of the basis in Lemma 17.76 and an exact differential. This process is called reductionin cohomology and works as follows. It is clear that any differential form can be written as+∞∑2g∑k=−∞ i=0a i,k x i /y k dxwith a i,k ∈ Q q . Indeed, using the equation of the curve we can repeatedly replace h(x)f(x) byh(x)y 2 . A differential P (x)/y s dx with P (x) ∈ Q q [x] and s ∈ N can be reduced as follows. Sincef(x) has no repeated roots, we can always write P (x) =U(x)f(x) +V (x)f ′ (x). Using the factthat d(V (x)/y s−2 ) is exact, we obtainP (x)y sdx ≡(U(x)+ 2V ′ )(x) dxs − 2 y , s−2 (17.35)where ≡ means equality modulo exact differentials. This congruence can be used to reduce adifferential form involving negative powers of y to the case s = 1 and s = 2. A differential

§ 17.3 Overview of p-adic methods 451P (x)/y dx with deg P = n 2g can be reduced by repeatedly subtracting suitable multiples of theexact differential d(x i−2g y) for i = n,...,2g. Finally, it is clear that the differential P (x)/y 2 dxis congruent to ( P (x) modf(x) ) /y 2 dx modulo exact differentials. A differential of the formP (x)y s dx with P (x) ∈ Q q [x] and s ∈ N is exact if s is even and equal to P (x)f(x) ⌈s/2⌉ /y dx ifs is odd and thus can be reduced using the above reduction formula.17.3.3.cRecovering the zeta functionThe first Monsky–Washnitzer cohomology group H 1 (C/Q q ) decomposes as the direct sum of theı-invariant part H 1 (C/Q q ) + on which ı acts trivially and the ı-anti-invariant part H 1 (C/Q q ) − onwhich ı acts as multiplication by −1. Theı-invariant part of A † is given byZ q 〈x, y 2 ,y −2 〉 † / ( y 2 − f(x) ) ,which clearly is isomorphic to Z q 〈x, (f(x)) −1 〉 † . The latter ring is the dagger ring of the curveA 1 V fwith V fthe set of zeroes of f. The Lefschetz fixed point formula applied to C and A 1 V fthen gives∣∣C(F q k) ∣ = q k − r k − Tr ( q k Fq −k ; H 1 (C/Q q ) −)with r k the number of zeroes of f defined over F q k.Let˜C be the unique smooth projective curvebirational to C, then∣∣˜C(Fq k) ∣ ∣ = ∣C(Fq k) ∣ ∑2g+ rk +1=q k +1− α k i , (17.36)with α i the eigenvalues of qFq −1 on H 1 (C/Q q ) − .The Weil conjectures from Section 8.1.1 imply that the α i can be labeled such that α i α g+i = qonH 1 (C/Q q ) − , it is clear that q/α i = α i+g is an eigenvalue of F q on H 1 (C/Q q ) − . This proves thefollowing proposition.for i =1,...,2g where the indices are taken modulo 2g. Since α i is an eigenvalue of qF −1qProposition 17.77 Let χ(T ) be the characteristic polynomial of F q on H 1 (C/Q q ) − , then the zetafunction of ˜C is given byZ( ˜C/F q ; T )= T 2g χ(1/T )(1 − T )(1 − qT)·Since F q = Fp d, it suffices to compute the matrix M through which the p-power Frobenius F p actson the anti-invariant part H 1 (C/Q q ) − of H 1 (C/Q q ); the matrix of the q-power Frobenius can thenbe easily obtained as M Fq =Σ d−1 (M) ···Σ(M)M.The action of F p on the basis of H 1 (C/Q q ) − can be computed as( ) xiF py dx = pxp(i+1)−1dx,F p (y)for i =0,...,2g − 1. Given a sufficiently precise approximation to 1/F p (y), we can use reductionin cohomology to express F p (x i /y dx) on the basis of H 1 (C/Q q ) − and compute the matrix M.Remark 17.78 In general, the matrix M has coefficients in p −s Z q where s is small and only dependson p and g. However, by comparison with crystalline cohomology there always exists a basissuch that M has integral coefficients, e.g., the basis x i /y 3 dx with 0 i

452 Ch. 17 Point Counting on Elliptic and Hyperelliptic CurvesWrite T 2g χ(1/T )= ∑ 2gi=0 a iT i ; then the Weil conjectures imply that for 1 i g, a g+i = q i a g−iand|a i | ( 2gi)q i/2 ( 2gg)q g/2 .In particular, if we compute χ (mod p B ) with p B greater than twice the above bound, we canrecover χ uniquely. Note that this does not imply that all computations should be performed modulop B since the reduction process introduces denominators and thus causes a loss of precision. Thefollowing lemma quantifies this loss of precision and can be found in [KED 2001, Lemma 2-3].Lemma 17.79 (Kedlaya) Let h ∈ Z q [x] be a polynomial of degree 2g, then for n ∈ N thereduction of h(x)y 2n+1 dx (resp. h(x)/y 2n+1 dx) becomes integral upon multiplication by p m withm ⌊ log p((2g +1)(n +1)− 2)⌋(resp. m ⌊logp (2n +1) ⌋ ).A further careful analysis [EDI 2003] shows we actually have to compute with N digits instead ofB where(N = B + v p (2g +1)+⌊log p 2g +1− 2 )⌋+ ⌊ logpp (2g − 1) ⌋ ,and that it suffices to approximate F p (y) −1 byy −p∑0n

§ 17.3 Overview of p-adic methods 453A detailed complexity analysis of the above algorithm can be found in [KED 2001].Theorem 17.81 (Kedlaya) There exists a deterministic algorithm to compute the zeta function of asmooth hyperelliptic curve of genus g defined over a finite field F p d with p 3 using O(g 4+ε d 3+ε )bit-operations and O(g 3 d 3 ) space for p fixed.Example 17.82 Let C be the genus 2 hyperelliptic curve over F 3 defined by the equationy 2 = x 5 + x 4 +2x 3 +2x +2.Algorithm 17.80 then computes the following intermediate results: B =4, N =6, M =9andS = y −p R where R is given byR ≡ 1+(−363x 4 +96x 3 + 144x 2 − 6x + 207)τ +(−123x 4 − 153x 3 − 21x 2 + 351x + 210)τ 2+ (339x 4 − 228x 3 − 60x 2 − 204x + 186)τ 3 +(−81x 4 +54x 3 − 243x 2 − 243x + 27)τ 4+(−54x 4 − 162x 3 − 54x 2 − 54x + 162)τ 5 + (351x 4 + 189x 3 + 189x 2 + 189x + 351)τ 6+(−243x 4 + 243x 3 − 108x 2 − 270x + 27)τ 7 +(−135x 3 +54x 2 +81x − 108)τ 8+ (216x 4 + 108x 3 − 297x 2 + 351x − 162)τ 9 +(−243x 4 − 162x 3 − 324x 2 + 243x)τ 10+(81x 4 − 243x 3 − 162x 2 + 162x − 81)τ 11 +(−162x 4 + 162x 3 + 324x 2 − 324x + 324)τ 12with τ = y −2 . The matrix M Fp is given by⎡⎤27 39 30 108129 36 27 126⎢⎥⎣ 204 186 12 138⎦46/3 76/3 41/3 169and the characteristic polynomial is χ(T ) ≡ T 4 +80T 3 + T 2 +78T +9 (mod3 4 ), which givesZ( ˜C/F q ; T )= 9T 4 − 3T 3 + T 2 − T +1·(1 − T )(1 − 3T )Remark 17.83 Kedlaya’s algorithm does not apply when p =2, since the nature of the problemchanges: for p 3, a hyperelliptic curve defines a Kummer extension, whereas for p = 2,itdefines an Artin–Schreier extension. Denef and Vercauteren [DEVE 2002, DEVE 2005] extendedKedlaya’s algorithm to characteristic 2 and showed that the average time and space complexityare the same as for Kedlaya’s algorithm. The main difference is that the curve equation has to belifted in a rather specific way. A ready to implement description of the algorithm can be foundin [DEVE 2005].Remark 17.84 A related approach for Artin–Schreier covers based on Dwork–Reich cohomologywas worked out by Lauder and Wan [LAWA 2002a, LAWA 2004]. For p =2, their algorithm isslightly less general than the one of Denef and Vercauteren, and the complexity of the algorithm isnot rigorously proven.

Chapter ½Complex MultiplicationGerhard Frey and Tanja LangeContents in Brief18.1 CM for elliptic curves 456Summary of background • Outline of the algorithm • Computation of classpolynomials • Computation of norms • The algorithm • Experimental results18.2 CM for curves of genus 2 460Summary of background • Outline of the algorithm • CM-types and periodmatrices • Computation of the class polynomials • Finding a curve • Thealgorithm18.3 CM for larger genera 470Strategy and difficulties in the general case • Hyperelliptic curves withautomorphisms • The case of genus 3In this chapter we present a method for finding a curve and the group order of its Jacobian whichcan be seen as complementary to those in Sections 17.2 and 17.3. Instead of trying several randomcurves over a fixed finite field until a good one is found and determining the group order by computingthe characteristic polynomial of the Frobenius endomorphism, we start with the endomorphismring and vary the prime until one with a good group order is found. These checks can be computedrelatively fast. Only the last step of actually computing the equation of the curve requires someeffort, but at that time one knows already that the result is the desired one. On the other hand thecurves one can construct are somewhat special as the running time depends on the discriminant ofthe CM-field and thus only small discriminants are possible.The approach works in general for curves of arbitrary genus but the implementation has to bedone for each genus separately. We first detail it for elliptic curves as it is easier to understand there.In genus g =2we can efficiently compute curves with the CM method. This is in contrast to thefact that point counting over fields of large characteristic as described in Section 17.2 is still ratherinefficient and to date needs about one week to determine the order of the Jacobian of a genus twocurve over the prime field with p =5× 10 24 + 8503491 [GASC 2004a].For larger genera the constructions are possible in principle, but the difficulty is that hyperellipticcurves become very rare. We give some indications on what is possible and which difficulties haveto be dealt with. For genus g =3we give examples of curves with additional automorphisms.455

456 Ch. 18 Complex Multiplication18.1 CM for elliptic curvesThe theoretical background of this chapter is given in Chapter 5 for curves over the complex numbers.We briefly summarize what is necessary for the implementations and then concentrate on thealgorithms.18.1.1 Summary of backgroundLet E be an elliptic curve over the complex numbers C. Then it is isomorphic to C/Λ E for somelattice Λ E . We recall that an elliptic curve E/C has complex multiplication if its endomorphismring is strictly bigger than Z. Its lattice corresponds to an ideal A of an order O in an imaginaryquadratic field K. Thej-invariant j(A) =j EA is an algebraic integer lying in the ring class fieldof O. Moreover j EA depends only on the ideal class of A in Cl(O). It satisfies a monic polynomialwith integer coefficients whose zeroes are the j-invariants of the isomorphism classes of the ellipticcurves corresponding to a set of representatives of ideal classes of O.For our purposes it is enough to restrict to the case that O is equal to the ring of integers O K ofK = Q( √ −d).Then the minimal polynomial of j(E) is the Hilbert class polynomial∏h d(H d (X) = X − j(Ar ) ) ,r=1where j(A r ) is the j-invariant of the elliptic curve corresponding to A r , h d is the order of the idealclass group of O K ,andA r are representatives of elements of the class group of O K .The reduction of (a suitably chosen equation for) E modulo a prime p of the Hilbert class fieldH is again an elliptic curve. Its j-invariant is a root of H d (X) (modp), wherep ∈ Z is the primeinteger in (p).So it is easy to find the j-invariant j p of the reduction of a model of E defined over H by factoringH d (X) over F p if we can compute H d (X).We get the most important example by choosing for p a prime that splits completely in H. Thenthe reduced curve is defined over F p .The important property is that one can easily compute the number of points on the reduced curve.Let ω ∈O K be an element with ωω = p.Then there is an elliptic curve E p defined over F p with j-invariant j p having p +1− (ω + ω)points; and ω and ω are the eigenvalues of the Frobenius endomorphism on this curve. From this itfollows that the curve is not supersingular.Recall that for a given element j an elliptic curve with j-invariant j ≠0, 12 3 is isomorphic toor to a quadratic twist of E j .E j : y 2 = x 3 −27j4(j − 12 3 ) x + 27j4(j − 12 3 )· (18.1)18.1.2 Outline of the algorithmFrom the background we derive a method to construct elliptic curves over finite prime fields orsmall extensions. In this exposition we shall restrict ourselves to the prime field case. Given aHilbert class polynomial H d (X) of an imaginary quadratic field with not too large discriminant done can reduce it modulo primes p, which are the product of principal prime ideals in O K and factor

§ 18.1 CM for elliptic curves 457the result. For these primes, H d (X) (modp) splits completely and one obtains j p , from which onecan reconstruct the elliptic curve E p defined over F p . To be more exact, one constructs one curveE ′ p with invariant j p and then distinguishes E p from its twists by checking the group order. This isperformed by trial scalar multiplications with the group order and random points.For use in cryptography one needs curves with almost prime order. To this aim one additionallyrequires that for p = ωω at least one of the numbers p +1+ − (ω + ω) isalmostprimeasthisisthegroup order of E p or its quadratic twist. From theorems of analytic number theory it follows thatby varying the prime p one has a good chance to find elliptic curves with almost prime order afterfew trials. Likewise, one might be interested in curves with a smooth group order. In the sequel weassume that one wants to construct curves with a certain property Pr.So first one chooses a squarefree natural number d such that the class number h d ∼ h 2 d of K d =Q( √ −d) is not too large. Then one computes H d (X) or a variant (cf. Remark 18.3).Remark 18.1 Determining the class number h d and also the Hilbert class polynomial H d (X) isdone as precomputation and thus does not belong to the actual algorithm. Furthermore, these datacan be obtained by table lookup as all appropriate polynomials are precomputed and published[WENG].Starting from H d we can use the one dimensional scheme Spec(O K ) as parameter space. So foreach fixed d we are in a situation that can be compared with the classical construction of discrete logarithmsystems that uses the global group scheme G m (the multiplicative group) and then choosesthe reduction modulo primes to find appropriate groups inside the multiplicative group of finitefields.To compare the effectiveness of key generation one has to assume that H d (X) is known andthen one has to find methods to compute both the equation and the group order of a correspondingelliptic curve. In detail one does the following: one chooses random prime numbers of the desiredground field size and solves the norm equation p = ωω if possible. For such primes one factorsp +1+ − (ω + ω). If one of them satisfies property Pr, one computes the factorization of H d (X)(mod p). We take a factor X − j p and construct the elliptic curve E p by (18.1).In the sequel of this section we study these steps in detail.18.1.3 Computation of class polynomialsTo compute H d , one first needs a list of the A r . This is obtained through the equivalence betweenthe ideal classes of an algebraic number field with discriminant d and the equivalence classes ofprimitive, positive definite binary quadratic forms of discriminant d.Definition 18.2 A quadratic form ax 2 + bxy + cy 2 is called a reduced binary quadratic form if itsatisfies the conditions• |b| a c• b 0 if a = |b| or a = c• gcd(a, b, c) =1.Like in the case of the ideal class group of function fields (cf. Section 4.4.6) one shows that thereis exactly one reduced binary quadratic form in each equivalence class, so one can enumerate allreduced binary quadratic forms of discriminant d to obtain a complete system of representatives; seee.g., [ZAG 1981, Teil II, §10]. Then to each reduced quadratic form ax 2 + bxy + cy 2 correspondsthe ideal A = Z + τZ, withτ = b + √ −d· (18.2)2a

458 Ch. 18 Complex MultiplicationIn that way one obtains a list of numbers τ r with A r = Z+τ r Z,andtheA r form a complete systemof representatives of the ideal classes of K.The j-invariants j(A r ) of the elliptic curves over C with lattice A r are calculated by( ∑ ∞ 1 + 240n=1j(A r )(q) =σ 3(n)q n) 3q ∏ ∞n=0 (1 − ,qn ) 24where q = e 2πiτr and σ 3 (n) = ∑ t 3 .Thent|n∏h d(H d (X) = X − j(Ar ) ) ∈ Z[X].i=1All computations are done over C and, thus, it is only possible to compute approximate values forthe j(A r ). But since the coefficients of H d are rational integers, we find the exact polynomial if wecompute with sufficient precision.For a fixed discriminant d of an imaginary quadratic field K the complexity of computing H d (X)depends mainly on the size of the class number h d , and so on the size of √ d. It turns out that it is nogreat problem to deal with d 8 × 10 6 . In this range we reach class numbers up to 5000. Becausewe need to factor H d (X) it makes no sense to choose larger class numbers because deg(H d )=h d .In practice we would propose to use a table of class polynomials, e.g., [WENG], where one findsmany examples covering all CM-curves up to discriminant d 422500, and choose a d with a nottoo small class number.Remark 18.3 For theoretical reasons we have used the Hilbert class polynomial to explain theglobal part of the CM-method. In practice one should use Weber’s polynomials whose coefficientshave smaller absolute value. For details we refer to [ATMO 1993].18.1.4 Computation of normsTo find suitable curves one chooses primes p and factors H d modulo p. For this, p has to split as(p) =(ω)(ω) in O K . These are the primes for which we have integer solutions x, y of the normequation{x 2 + dy 2 1, if d ≡ 1, 2 (mod 4)= εp, with ε =(18.3)4, if d ≡ 3 (mod 4).A necessary condition for p to split as above is that −d is a square modulo p. Hence, one firstcomputes the Legendre symbol “ ”−dp (cf. Section 2.3.4) and rejects the prime if the result is not 1.In the positive case one uses Cornacchia’s algorithm [COH 2000] to find a solution to a 2 +db 2 = pfrom which one easily obtains the desired x, y.Algorithm 18.4 Cornacchia’s algorithm“ ”−dINPUT: A positive integer d>0 and a prime p such that =1.pOUTPUT: Two integers (a, b) ∈ Z 2 with a 2 + db 2 = p if possible.1. compute square root p/2

§ 18.1 CM for elliptic curves 45918.1.5 The algorithmIn the following we give the description of the algorithm using the theory from above. For moredetails see [SPA 1994].The parameter ε is chosen according to (18.3) and δ =+ √ ε.Algorithm 18.5 Construction of elliptic curves via CMINPUT: A squarefree integer d ≠1, 3, parameters ε and δ, Hilbert class polynomial H d (X),desired size of p and property Pr.OUTPUT: Aprimep of the desired size, an elliptic curve E/F p whose group order |E(F p)|satisfies property Pr.1. repeat2. repeat choose p prime of desired size [see remark below]3. until εp = x 2 + dy 2 with x, y ∈ Z4. n 1 ← p +1− 2x/δ and n 2 ← p +1+2x/δ5. until n 1 or n 2 satisfies property Pr6. compute a root j of H d (X) (mod p)7. compute E j/F p from (18.1) and its twist e E j/F p8. while true do9. take P ∈ R E j(F p) and compute Q ← [n 1]P10. if Q = P ∞ and [n 2]P ≠ P ∞ then return p and E j11. else if Q ≠ P ∞ then return p and e E jExamples of desired properties Pr are that the group order contains a prime factor larger thana given bound or that the group order is smooth with a given smoothness bound. The latter isinteresting for factorization methods (cf. Chapter 25) while the prior can be used as basis for acryptosystem (cf. Chapter 23).Remarks 18.6(i) To simplify finding primes p that split in O K together with their decomposition, onereplaces Lines 2 and 3 and chooses integers x, y such that x, √ dy are of size √ p andtests whether (x 2 + dy 2 )/ε is a prime.(ii) The factorization of H d (X) (modp) needs the largest computational effort but it isdone only once.(iii) For d =1, the splitting condition is p ≡ 1(mod4)and the j-invariant is equal to 12 3 ,hence, H 1 (X) =X − 12 3 .Thereare4 twists by the 4th roots of unity to consider.(iv) For d =3, the splitting condition is p ≡ 1(mod3)and the j-invariant is equal to zero,thus H 3 (X) =X. Thereare6 twists by the different 6th roots of unity.18.1.6 Experimental resultsWe list the running times of the CM-method for elliptic curves as stated in [WEN 2001b, AppendixA]. Table 18.1 contains the timings needed on a 650 Mhz Pentium III computer to find 1000 primenumbers of size 2 160 , which satisfy a norm equation with respect to K d and lead to a group order

460 Ch. 18 Complex Multiplication|E(F p )| = cl with c 1000 and l prime. The discriminant of the imaginary quadratic field isdenoted by D = −εd. The entries are ordered with increasing class number, which ranges from200 to 5800.Table 18.1 Time to find 1000 primes p with |E(F p )| of cofactor c 1000.D Time (in s) D Time (in s)−53444 476.25 −973496 437.32−345124 292.89 −2128136 424.44−17111 734.06 −900311 698.49−19631 733.88 −1139519 807.23−19031 521.46 −2155919 876.61−56696 293.71 −3300359 836.26−698472 521.44 −4145951 904.15−98276 293.99 −5154551 817.52−180164 327.60 −6077111 1013.19−237236 345.40 −7032119 994.38−326504 365.75 −8282039 928.72Table 18.2 shows the timings for constructing an elliptic curve over F p having complex multiplicationby O K for a fixed imaginary quadratic field K. The first column describes the imaginaryquadratic field and the second gives the class number. For completeness, the third column containsthe time needed to compute the class polynomial. In practice H d has been precomputed and storedonce and for all, e.g., it can be obtained from the large data base [WENG].The actual running time to construct the curve (given in the fourth column) contains only thefactorization of the class polynomial at one prime p and the time to determine the correct equationfor E.So the actual running time consists of the time to find a suitable prime p as stated in Table 18.1and the time stated in the fourth column.18.2 CM for curves of genus 2For genus g =2we can follow the lines we have explained in the beginning of this chapter if wereplace elliptic curves by hyperelliptic curves of genus g =2. Imaginary quadratic fields and theirclass field theory have to be replaced by CM fields of degree 4 and the Shimura–Taniyama versionof class field theory. The invariant theory becomes more involved; we shall need 3 invariants in theplace of the j-invariant of elliptic curves.After a brief overview of the background we summarize the algorithm. Then we go into thedetails of the computations. We give a complete study starting from the choice of the CM fieldwith computation of the period matrix and the computation of the class polynomials. These twosteps are usually omitted in an actual implementation as the respective information can be obtainedfrom tables available on the web. The important steps for the implementation are explained inSection 18.2.5, namely the choice of suitable primes and the computation of the curve equation.

§ 18.2 CM for curves of genus 2 461Table 18.2 Complexity of CM-method for g =1, dependence on discriminant and class number.D h K Time (in s) D h K Time (in s)Precomp. Curve Precomp. Curve−53444 200 3 14 −345124 200 4 9−17111 202 1 8 −19031 203 1 9−56696 204 3 10 −395652 204 16 10−18119 205 1 9 −19631 208 2 14−345624 208 20 20 −690072 208 23 9−57944 210 3 10 −58484 210 6 11−52664 212 3 9 −159416 212 3 9−18191 213 1 9 −55844 216 3 10−698472 224 26 10 −698772 228 91 10−128456 236 5 10 −158036 242 11 9−124004 248 5 15 −78536 252 4 10−699752 264 9 16 −113636 284 7 16−98276 304 7 18 −132404 332 24 23−120056 340 10 20 −144836 352 13 20−160676 380 16 20 −168164 384 18 19−180164 400 19 101 −185624 402 32 76−247796 466 75 24 −248804 468 31 24−237236 476 78 25 −283076 520 43 35−318776 540 184 49 −326504 578 60 39−399944 612 75 39 −434216 630 84 42−442196 644 218 41 −450056 676 103 44−512984 714 135 43 −607844 752 161 142−650744 832 211 192 −727256 866 246 170−803864 914 291 45 −914744 972 367 48−973496 1044 460 69 −1202984 1126 599 81−1319876 1188 728 93 −1435496 1218 803 89−1514036 1250 2201 93 −1561544 1280 966 98−1617656 1324 1134 99 −1890776 1404 1467 102−2128136 1500 1724 99 −701399 1581 566 92−900311 1626 626 94 −1139519 2027 1306 109−1238639 2150 1595 176 −1614311 2421 3465 193−1884791 2669 3407 211 −2155919 2968 5373 223−2336879 3036 5883 212 −3300359 3531 9458 250−3190151 3593 10034 272 −3312839 3632 10424 269−3524351 3714 11585 262 −3983591 3918 13694 293−4145951 4065 16008 281 −4305479 4227 17515 479−4972679 4498 21830 507 −5154551 4551 22698 521−5652071 4802 28634 501 −5892311 4913 29785 550−6077111 5092 34459 509 −6606599 5180 35831 529−7032119 5424 45254 615 −7651199 5628 52417 589−7741439 5686 54300 641 −8282039 5819 59305 668

462 Ch. 18 Complex Multiplication18.2.1 Summary of backgroundFor this section we refer to Section 5.1.6.b for background. Let C be a hyperelliptic curve of genus2 over the complex numbers C. Then its Jacobian J C is isomorphic to C 2 /Λ C for some lattice Λ C .We recall that C has complex multiplication if the endomorphism ring of its Jacobian contains anorder O of a field of degree 4 over Q, which has to be a CM-field K, i.e., it is a totally imaginaryquadratic extension of a totally real field K 0 of degree 2 over Q. For our purposes it is enough toconsider the case that O = O K is the ring of integers of K. The lattice Λ C is called the periodlattice of C and can be chosen as an ideal A of O K . The Jacobian J C is principally polarized.This is reflected by the period matrix Ω C . This matrix is determined by arithmetical data of K,andso the Igusa invariants j 1 ,j 2 ,j 3 (cf. Section 5.1.6.b) of the curve C can be computed as complexnumbers. Under suitable conditions they depend only on the ideal A and the chosen polarization,which is reflected by the group of units of O K .So, it is possible to determine a complete set C i , 1 i s, for some integer s, of representativesfor isomorphism classes of curves whose Jacobian variety J Ci has endomorphism ring O K .Thisisdone in terms of ideals A i and principal polarizations, which are also used to determine the Igusainvariants j (i)k,k =1, 2, 3 of C i. A consequence is that the polynomialsH K,k (X) =s∏ ((i)) X − j , k =1, 2, 3i=1have rational coefficients.The computation of these polynomials corresponds to the computation of the Hilbert class polynomialH d (X) in the case of elliptic curves.A slight complication is that the polynomials H K,k no longer have integer coefficients. But inpractice, the denominators only have small prime divisors. Hence, we can reduce these polynomialsmodulo large enough primes p and get H K,k (mod p) and the roots of these polynomials are theinvariants j k of curves C i modulo p.We get the most important example by choosing primes p for which all H K,k (mod p) have atleast one linear factor. This can be interpreted by class field theory in a slightly more complicatedway than in the case of elliptic curves. Then the reduced curve is defined over F p or over a quadraticextension. We consider only the first case.In this case we find elements ω 1 , ω 1 ∈O K satisfying ω 1 ω 1 = p. Up to negation and conjugationthere can exist at most one second solution ω 2 ω 2 = p, withω 2 ∉{+ − ω 1 , + − ω 1 , + − ˆσ(ω 1 ), + − ˆσ(ω 1 )},where ˆσ is the extension of the real conjugation to an embedding of K into C. In this case putW = { + − ω 1 , + − ω 2 },elseW = { + − ω 1 }. Then the group order of J Ci (mod p)(F p ) is ink{χ ω (1) | w ∈ W }, (18.4)where χ ω (T ) is the characteristic polynomial of ω.In Section 5.1.6.b it is explained how to obtain the equation of C i (mod p) from its Igusa invariants.Note that this is not done by exploiting a simple formula as in the elliptic case.18.2.2 Outline of the algorithmThe first step to construct curves C of genus 2 with CM and known group order modulo a prime pis to choose a suitable CM field of degree 4, e.g., the subfield K 0 has to have class number 1 and

§ 18.2 CM for curves of genus 2 463like for elliptic curves the class number of K has to be moderately small. For further computationsone has to determine the class group of K and its fundamental units. One computes a complete setof representatives of the ideal classes and principal polarizations.The next step is to compute the period matrix Ω C , cf. Definition 5.19 attached to the curve C withlattice Λ C being a given ideal in O K together with a polarization. Using Ω C one determines thetheta constants (5.2), which already provide a system of invariants over the complex numbers. Analgebraic system of equation is given by the Igusa invariants j k , which are explicit rational functionsin the theta constants.Doing this procedure for every C i , one can compute the polynomials H K,k (X).As for elliptic curves, these steps are done once and for all as a precomputation. Suitable CMfields and their arithmetical data and also the class polynomials H K,k can be obtained from tables.Then one looks for a prime p for which the norm equation p = ωω has solutions in O K . Atthis point one computes the at most 4 numbers (18.4) that contain the information about the grouporder of J C (mod p) (F p ). If at least one of them has a desired property one proceeds to compute theequation of the curve, otherwise one repeats this step with a different choice of p.One factors the class polynomials modulo p and determines the invariants j (i)kof C i (mod p) asroots of H K,k (X) (modp).The last step is to determine an equation (up to a twist) for some C := C i (mod p) from theknowledge of its invariants. For this one uses either Gröbner basis techniques or the more efficientmethod of Mestre, which relies on the invariant theory of binary forms.Finally, one needs to determine the group order of J C (F p ) from the set of possible values (18.4).This is done by randomly choosing a point P ∈ J C (F p ) and scalar multiplication by the candidategroup orders. If one finds no matches one replaces C by a twist and tries again. This immediatelyanswers whether one has to take C or a twist of C to get the desired order of the group of rationalpoints on the corresponding Jacobian variety.18.2.3 CM-types and period matricesChoose a squarefree d ∈ N such that K 0 := Q( √ d) has class number one. Choose α = a + b √ dsquarefree and totally positive, i.e., a + − b √ d>0. ThenK := K 0 (i √ α) is a CM field of degree 4.We require that K is not a Galois extension of Q with Galois group Z/2Z × Z/2Z (this ensures thatthe constructed Jacobian varieties are simple). We choose two non-conjugate distinct embeddingsϕ 1 ,ϕ 2 of K into C. The tuple (K, Φ) = (K, {ϕ 1 ,ϕ 2 }) is called CM-type. For an ideal A we put{ (ϕ1Φ(A) = (α),ϕ 2 (α) ) }t,α∈ A .By Theorem 5.58, C 2 /Φ(A) is an abelian variety with complex multiplications by O K .Thefinalstructure, abelian variety with polarization, is determined by Theorem 5.62. The following procedureuses this theorem and computes a complete set of representatives for isomorphism classes ofprincipally polarized abelian varieties with endomorphism ring O K of CM-type (K, Φ). Weusethenotation from Section 5.1.6.d.The computation of a fundamental unit ɛ 0 of K 0 is done with the help of a computer algebrasystem. Let U + be the group of units ɛ with N K0/Q(ɛ) =1.PutU 1 = {ɛ ∈ U + |∃γ ∈ K with N K/K0 (γ) =ɛ}.At this point one also determines the ideal classes of O K that contain an ideal A such that AĀ =αO K with ϕ i (α) real positive for i =1, 2. We choose a complete set of representatives A 1 ,...,A h ′Kof these classes. We can assume that A j is of the formO K0 + τ j O K0 , (18.5)

464 Ch. 18 Complex Multiplicationwhere Im(τ j ) > 0 and if the norm of the fundamental unit N K0/Q(ɛ 0 ) is negative one also requiresN K/K0 (τ j ) totally positive.Let σ be the real conjugation in K 0 and denote by √ a + the positive square root of a ∈ R. Thisgives rise to two embeddings of K given byˆσ ( i √ α + )= i√ α+and ρˆσ(i√ α+)= −i√ α+.We put ψ = ρˆσ.Having these definitions, we make some observations concerning the CM-types:1. (K, {1,ψ}) is a CM-type.2. The abelian varieties obtained for a CM-type (K, Φ) are isomorphic to varieties obtainedfrom either (K, {1,ψ}) or (K, {1, ψ}). IfK is Galois over Q then (K, {1,ψ}) issufficient.For the following result we shall treat the two types {1,ψ} and {1, ψ} in parallel and list for eachτ j asetK j defining the period matrices of a complete set of isomorphism classes of principallypolarized abelian varieties related to the ideal A j .Definition 18.7 Let τ j be as in (18.5).If K is Galois with Galois group Z/4Z we define K j by{• (τj ,τ ϕ j ), (ɛ 0τ j , (ɛ 0 τ j ) ϕ ) } , if N K0/Q(ɛ 0 )=1,ɛ 0 ∈ U 1 , N K/K0 (τ j ) totally positive,{• (τj ,τ ϕ j )} , if N K0/Q(ɛ 0 )=1,ɛ 0 ∈ U + U 1 , N K/K0 (τ j ) totally positive,{• (τj ,τ ϕ j ), (ɛ 0τ j , (ɛ 0 τ j ) ϕ ) } , if N K0/Q(ɛ 0 )=−1,• ∅, if N K/K0 (τ j ) not totally positive.If K is not Galois then we define K j by{• (τj ,τ ψ j ), (ɛ 0τ j , (ɛ 0 τ j ) ψ ) } , if N K0/Q(ɛ 0 )=1,ɛ 0 ∈ U 1 , N K/K0 (τ j ) totally positive,{• (τj ,τ ψ j ), (ɛ 0τ j , (ɛ 0 τ j ) ψ ) } , if N K0/Q(ɛ 0 )=1,ɛ 0 ∈ U 1 , N K/K0 (τ j ) not totally positive,{• (τj ,τ ψ j )} , if N K0/Q(ɛ 0 )=1,ɛ 0 ∈ U + U 1 , N K/K0 (τ j ) totally positive,{• (τj ,τ ψ j )} , if N K0/Q(ɛ 0 )=1,ɛ 0 ∈ U + U 1 , N K/K0 (τ j ) not totally positive,{• (τj ,τ ψ j ), (ɛ 0τ j , (ɛ 0 τ j ) ψ ) } , if N K0/Q(ɛ 0 )=−1.By Spallek [SPA 1994] we have that a complete set of period matrices for all representatives ofisomorphism classes of abelian varieties with complex multiplication with O K isgivenbythefollowingresult.Theorem 18.8 Let K be a CM field which is not a Galois extension of Q with Galois group Z/2Z×Z/2Z and let {τ 1 ,...,τ h ′K} be as described above. Let O K0 = Z + wZ, with w totally positive.A complete set of period matrices for representatives of all isomorphism classes of simple principallypolarized abelian varieties having complex multiplication by O K is given by{h ′ K⋃Ω :(t, (t,˜t)˜t) ∈ K j},j=1where[Ω = 1 w 2 t − (w σ ) 2˜tt,˜tw − w σ wt − w σ˜twt− w σ˜tt− ˜t].

§ 18.2 CM for curves of genus 2 46518.2.4 Computation of the class polynomialsAs in the previous section, we are dealing again with a precomputation. As explained in the background(cf. Chapter 5), the class polynomials are computed from the invariants of the curves overC represented by the period matrix Ω. To get these invariants we first need to determine the thetaconstants. This needs to be done for each of the s = |K| isomorphism classes (cf. Section 18.2.3)to determine j (i)k,k =1, 2, 3 and i =1,...,s. Here, we omit the upper index and explain how tocompute one set of invariants.18.2.4.aComputation of the theta constantsWe recall (5.2), the definition of the theta constants in terms of the period matrix Ω for genus g =2:[ ] δθ (z,Ω) = ∑ ( (exp πi n + 1 ) tɛ 2 δ Ω(n + 1 )2 δ +2(n + 1 ) t (z2 δ + 1 ))2 ɛ .n∈Z 2As explained in Chapter 5 we need only the even theta constants as the odd ones vanish. Forgenus 2 they are given by[(0θ 1 := θ 0)( 0 0)[(1θ 6 := θ 0)( 0 1)] [(0, θ 2 := θ0)( 1 0)] [(0, θ 7 := θ1)( 0 0)] [(0, θ 3 := θ0)( 0 1)] [(0, θ 8 := θ1)( 1 0)] [(0, θ 4 := θ0)( 1 1)] [(1, θ 9 := θ1)( 0 0)] [(1, θ 5 := θ0)( 0 0)] [(1, θ 10 := θ1)( 1 1)],].The algorithmic problem is to evaluate the series with sufficiently high precision. The analysis canbe found in [WEN 2003, Sect. 4].18.2.4.bComputation of Igusa invariantsWe now show how to compute the Igusa invariants from the period matrix using the theta constants.To compute the Igusa invariants from the theta constants we introduce the values h 4 ,h 10 ,h 12 ,andh 16 related to modular forms of the respective weights. Then we express the invariants I 2 ,I 4 ,I 6 ,and I 10 in terms of the h i to define the Igusa invariants j i as in (5.3).h 4 :=∑10θ 8 i ,h 10 :=10∏i=1i=1θ 2 i ,h 12 := (θ 1 θ 5 θ 2 θ 9 θ 6 θ 10 ) 4 +(θ 1 θ 2 θ 9 θ 6 θ 8 θ 3 ) 4 +(θ 5 θ 9 θ 6 θ 8 θ 10 θ 7 ) 4 +(θ 5 θ 2 θ 6 θ 8 θ 3 θ 7 ) 4+(θ 1 θ 5 θ 2 θ 10 θ 3 θ 7 ) 4 +(θ 1 θ 9 θ 8 θ 10 θ 3 θ 7 ) 4 +(θ 1 θ 5 θ 2 θ 8 θ 10 θ 4 ) 4 +(θ 1 θ 5 θ 9 θ 8 θ 3 θ 4 ) 4+(θ 5 θ 9 θ 6 θ 10 θ 3 θ 4 ) 4 +(θ 2 θ 6 θ 8 θ 10 θ 3 θ 4 ) 4 +(θ 1 θ 2 θ 9 θ 6 θ 7 θ 4 ) 4 +(θ 1 θ 5 θ 6 θ 8 θ 7 θ 4 ) 4+(θ 2 θ 9 θ 8 θ 10 θ 7 θ 4 ) 4 +(θ 5 θ 2 θ 9 θ 3 θ 7 θ 4 ) 4 +(θ 1 θ 6 θ 10 θ 3 θ 7 θ 4 ) 4 ,

466 Ch. 18 Complex Multiplicationh 16 := θ8(θ 4 1 θ 5 θ 2 θ 9 θ 6 θ 8 θ 10 ) 4 + θ5(θ 4 1 θ 5 θ 2 θ 9 θ 6 θ 8 θ 3 ) 4 + θ10(θ 4 1 θ 2 θ 9 θ 6 θ 8 θ 10 θ 3 ) 4+ θ3 4 (θ 1θ 5 θ 2 θ 9 θ 6 θ 10 θ 3 ) 4 + θ1 4 (θ 1θ 5 θ 9 θ 6 θ 8 θ 10 θ 7 ) 4 + θ2 4 (θ 5θ 2 θ 9 θ 6 θ 8 θ 10 θ 7 ) 4+ θ1(θ 4 1 θ 5 θ 2 θ 6 θ 8 θ 3 θ 7 ) 4 + θ9(θ 4 5 θ 2 θ 9 θ 6 θ 8 θ 3 θ 7 ) 4 + θ9(θ 4 1 θ 5 θ 2 θ 9 θ 10 θ 3 θ 7 ) 4+ θ6 4 (θ 1θ 5 θ 2 θ 6 θ 10 θ 3 θ 7 ) 4 + θ5 4 (θ 1θ 5 θ 9 θ 8 θ 10 θ 3 θ 7 ) 4 + θ2 4 (θ 1θ 2 θ 9 θ 8 θ 10 θ 3 θ 7 ) 4+ θ6(θ 4 1 θ 9 θ 6 θ 8 θ 10 θ 3 θ 7 ) 4 + θ8(θ 4 1 θ 5 θ 2 θ 8 θ 10 θ 3 θ 7 ) 4 + θ10(θ 4 5 θ 2 θ 6 θ 8 θ 10 θ 3 θ 7 ) 4+ θ3 4 (θ 5θ 9 θ 6 θ 8 θ 10 θ 3 θ 7 ) 4 + θ7 4 (θ 1θ 5 θ 2 θ 9 θ 6 θ 10 θ 7 ) 4 + θ7 4 (θ 1θ 2 θ 9 θ 6 θ 8 θ 3 θ 7 ) 4+ θ9 4 (θ 1θ 5 θ 2 θ 9 θ 8 θ 10 θ 4 ) 4 + θ6 4 (θ 1θ 5 θ 2 θ 6 θ 8 θ 10 θ 4 ) 4 + θ2 4 (θ 1θ 5 θ 2 θ 9 θ 8 θ 3 θ 4 ) 4+ θ6(θ 4 1 θ 5 θ 9 θ 6 θ 8 θ 3 θ 4 ) 4 + θ1(θ 4 1 θ 5 θ 9 θ 6 θ 10 θ 3 θ 4 ) 4 + θ2(θ 4 5 θ 2 θ 9 θ 6 θ 10 θ 3 θ 4 ) 4+ θ1 4 (θ 1θ 2 θ 6 θ 8 θ 10 θ 3 θ 4 ) 4 + θ5 4 (θ 5θ 2 θ 6 θ 8 θ 10 θ 3 θ 4 ) 4 + θ9 4 (θ 2θ 9 θ 6 θ 8 θ 10 θ 3 θ 4 ) 4+ θ8(θ 4 5 θ 9 θ 6 θ 8 θ 10 θ 3 θ 4 ) 4 + θ10(θ 4 1 θ 5 θ 9 θ 8 θ 10 θ 3 θ 4 ) 4 + θ3(θ 4 1 θ 5 θ 2 θ 8 θ 10 θ 3 θ 4 ) 4+ θ5 4 (θ 1θ 5 θ 2 θ 9 θ 6 θ 7 θ 4 ) 4 + θ2 4 (θ 1θ 5 θ 2 θ 6 θ 8 θ 7 θ 4 ) 4 + θ9 4 (θ 1θ 5 θ 9 θ 6 θ 8 θ 7 θ 4 ) 4+ θ8(θ 4 1 θ 2 θ 9 θ 6 θ 8 θ 7 θ 4 ) 4 + θ1(θ 4 1 θ 2 θ 9 θ 8 θ 10 θ 7 θ 4 ) 4 + θ5(θ 4 5 θ 2 θ 9 θ 8 θ 10 θ 7 θ 4 ) 4+ θ6 6 (θ 2θ 9 θ 6 θ 8 θ 10 θ 7 θ 4 ) 4 + θ10 4 (θ 1θ 2 θ 9 θ 6 θ 10 θ 7 θ 4 ) 4 + θ10 4 (θ 1θ 5 θ 6 θ 8 θ 10 θ 7 θ 4 ) 4+ θ1(θ 4 1 θ 5 θ 2 θ 9 θ 3 θ 7 θ 4 ) 4 + θ6(θ 4 5 θ 2 θ 9 θ 6 θ 3 θ 7 θ 4 ) 4 + θ8(θ 4 5 θ 2 θ 9 θ 8 θ 3 θ 7 θ 4 ) 4+ θ5 4 (θ 1θ 5 θ 6 θ 10 θ 3 θ 7 θ 4 ) 4 + θ2 4 (θ 1θ 2 θ 6 θ 10 θ 3 θ 7 θ 4 ) 4 + θ9 4 (θ 1θ 9 θ 6 θ 10 θ 3 θ 7 θ 4 ) 4+ θ8(θ 4 1 θ 6 θ 8 θ 10 θ 3 θ 7 θ 4 ) 4 + θ10(θ 4 5 θ 2 θ 9 θ 10 θ 3 θ 7 θ 4 ) 4 + θ3(θ 4 1 θ 2 θ 9 θ 6 θ 3 θ 7 θ 4 ) 4+ θ3 4 (θ 1θ 5 θ 6 θ 8 θ 3 θ 7 θ 4 ) 4 + θ3 4 (θ 2θ 9 θ 8 θ 10 θ 3 θ 7 θ 4 ) 4 + θ7 4 (θ 1θ 5 θ 2 θ 8 θ 10 θ 7 θ 4 ) 4+ θ7(θ 4 1 θ 5 θ 9 θ 8 θ 3 θ 7 θ 4 ) 4 + θ7(θ 4 5 θ 9 θ 6 θ 10 θ 3 θ 7 θ 4 ) 4 + θ7(θ 4 2 θ 6 θ 8 θ 10 θ 3 θ 7 θ 4 ) 4+ θ4 4 (θ 1θ 5 θ 2 θ 9 θ 6 θ 10 θ 4 ) 4 + θ4 4 (θ 1θ 2 θ 9 θ 6 θ 8 θ 3 θ 4 ) 4 + θ4 4 (θ 5θ 9 θ 6 θ 8 θ 10 θ 7 θ 4 ) 4+ θ4(θ 4 5 θ 2 θ 6 θ 8 θ 3 θ 7 θ 4 ) 4 + θ4(θ 4 1 θ 5 θ 2 θ 10 θ 3 θ 7 θ 4 ) 4 + θ4(θ 4 1 θ 9 θ 8 θ 10 θ 3 θ 7 θ 4 ) 4 .This allows us to define:and we recall (5.3)I 2 := h 12h 10, I 4 := h 4 ,I 6 := h 16h 10, I 10 := h 10j 1 = I5 2I 10, j 2 = I3 2 I 4I 10and j 3 = I2 2 I 6I 10·18.2.4.cComputation of the class polynomialThe 3s invariantsj (i)1 , j(i) 2 and j (i)3 ,i=1,...,sallow to compute the class polynomialss∏ ((i)) s∏ ((i)) H K,1 (X) = X − j , HK,2 (X) = X − j and HK,3 (X) =i=11i=12s∏ ((i)) X − j .Unlike in the elliptic case the polynomials are no longer defined over the integers but over therationals, hence we need to control the denominator. In all practical situations the denominatorshave no large prime factors and one can apply the continued fraction algorithm to the second highestcoefficients of the polynomials to obtain possible denominators d K,k . Often it is enough to multiplythe polynomial with d K,k to obtain a polynomial over the integers. There are some exceptions,however, where the other coefficients have other factors or a higher power. Hence, one shouldcheck with care whether the coefficients times d K,k are close enough to integers and in case ofdoubt try to approximate the other coefficients, too.In the sequel we take the integer polynomials HK,k ′ (X) ∈ Z[X].i=13

§ 18.2 CM for curves of genus 2 46718.2.5 Finding a curveThis is the step in the CM method, which needs to be done for each curve one wants to construct.The previous sections have lead to the class polynomials H K,k corresponding to the CM field Kand the polynomials H K,k ′ defined over Z. The aim here is to find suitable primes such that theHK,k ′ have a linear factor and that the cardinality of Pic0 (C) for C/F p has some desired propertyPr, such as having a large prime factor or being smooth. Then we can use Mestre’s algorithm tocompute an equation of such a curve C.18.2.5.aChoosing the characteristic pIn the algorithm we are required to find primes p such that (p) =(ω)(ω) with principal prime ideals(ω), (ω).In computational number theory there are algorithms to test whether this equation is solvable foragivenp and to compute solutions ω in the positive case (cf. [COH 2000]) and these algorithms areimplemented in computer algebra systems like Pari [PARI].Given the factors ω, ω we obtain the possible group orders of the Jacobian as in (18.4). The CMmethod is usually used in applications where one has special requirements Pr and at this point onechecks whether at least one of the candidate orders fulfills it.If one does not want to use the heavy machinery of a computer algebra system, the inverse approachis interesting. One starts with an integer ω ∈O K , which has N K/K0 (ω) ∈ Z. This conditioncan be phrased via quadratic polynomials in the coefficients of ω with respect to {1,w,η,wη},where O K = O K0 + ηO K0 .We detail the case of η = i √ a + bw, i.e., where the discriminant D of K 0 is equivalent to 0modulo 4. The other case is treated similarly and can be found in [WEN 2003, Sect. 8].Let ω = c 1 + c 2 w + c 3 η + c 4 wη. ThenN K/K0 (ω) = (c 1 + c 2 w + c 3 η + c 4 wη)(c 1 + c 2 w − c 3 η − c 4 wη)= c 2 1 + c2 2 w2 + c 2 3 a + c2 4 aw2 +2c 3 c 4 bw 2 +(2c 1 c 2 + c 2 3 b + c2 4 bw2 +2c 3 c 4 a)w.The requirement (p) =(ω)(ω) translates toc 2 1 + c2 2 w2 + c 2 3 a + c2 4 aw2 +2c 3 c 4 bw 2 = p2c 1 c 2 + c 2 3b + c 2 4bw 2 +2c 3 c 4 a = 0.This leads to all possible solutions of the norm equation. We start with a random choice of c 3 ,c 4such that they are coprime. From the second condition we immediately get the requirementc 2 3b + c 2 4bw 2 ≡ 0 (mod 2)and have to make a different choice otherwise. By the same condition one has 2c 1 c 2 = −(c 2 3 b +c 2 4 bw2 +2c 3 c 4 a) and tries for different factors c 1 ,c 2 whether c 2 1 + c2 2 w2 + c 2 3 a + c2 4 aw2 +2c 3 c 4 bw 2is a prime. If not, one starts with a different choice of c 3 ,c 4 .Remarks 18.9(i) Of course, one gets by this method (up to sign and complex conjugation) only one solutionof the norm equation. It can happen that there is no curve of genus 2 over F pfor which the Jacobian has the expected group order. In this case one starts with a newchoice of ω.(ii) In applications one needs primes of a certain size. To this end one chooses c 3 ,c 4 to havesize O( √ p).

468 Ch. 18 Complex Multiplication(iii) In this method the most expensive step consists in the primality test (cf. Chapter 25). Wenote that primality tests or even factorization methods are usually needed in any case totest for the property Pr. One should use an early abort strategy and apply trial divisionfirst. With this method the time to find a suitable prime and its factors is usually shorterthan for the method starting with candidate primes p.18.2.5.bFinding the invariantsBy construction, the class polynomials H K,k have a linear factor modulo the primes generated inthe previous paragraph.One can also investigate the splitting behavior for other primes p. Factors of larger degree leadto curves defined over extension fields of F p . For our purposes we are interested in curves definedover a prime field, and hence refer to Weng [WEN 2003] for a complete study.As already remarked, the denominators occurring in the polynomials H K,k are not divisible bylarge primes, and hence the invariants j (i)kof the curves C i correspond in a canonical way to theroots of H K,k modulo p, which are the invariants of C i (mod p).At this point a further difficulty compared to the case of elliptic curves occurs, this time causedby the more involved invariant theory. We do not know how to combine the 3 zeroes arising fromthe 3 polynomials H K,k ,k =1, 2, 3 to form a triple of invariants. Hence, we have to do the stepsin Mestre’s algorithm and the final step for each of the at most s 3 triples whose entries are zeroesj 1(i ′ 1) ,j 2(i ′ 2) ,j 3(i ′ 3) of the polynomials H K,k .18.2.5.cMestre’s algorithmLet (j 1 ,j 2 ,j 3 ) ∈ F 3 p be a candidate triple of invariants of a curve C i (mod p).InSection5.1.6.bwedefined a conic Q j1,j 2,j 3(x 1 ,x 2 ,x 3 ) and a cubic H j1,j 2,j 3(x 1 ,x 2 ,x 3 ). As a first step one determinesa rational point (a 1 ,a 2 ,a 3 ) of Q j1,j 2,j 3by multivariate factorization methods. If there does not existsuch a point one rejects the triple and tries with a new one. It can happen that for none of the triplesfound in Section 18.2.5.b the conic has a rational point. In this case one needs to start anew with adifferent choice of the prime p.Now assume that Q j1,j 2,j 3(a 1 ,a 2 ,a 3 )=0. Then one can parameterize the conic withQ j1,j 2,j 3(x1 (t),x 2 (t),x 3 (t) ) =0.We find the points of intersection between Q j1,j 2,j 3and H j1,j 2,j 3by solving the equationH j1,j 2,j 3(x1 (t),x 2 (t),x 3 (t) ) =0.In general, this leads to a polynomial f(t) of degree 6 such that the roots t i give the 6 points ofintersection over F p .Remark 18.10 It is only possible to parameterize affine parts of the conic. If we assume thatQ j1,j 2,j 3and H j1,j 2,j 3intersect only in this part we get deg(f) =6. Otherwise, there is anotheraffine part on which the description works as described.By Lemma 5.53 the curve C with invariants j 1 ,j 2 ,j 3 is given, up to a twist, by the affine equationC a : y 2 = f(x).18.2.5.d The final stepThroughout this book we always assume that hyperelliptic curves have a F p -rational Weierstraßpoint. In our case that means that the polynomial f(x) has a root ξ over F p . By the transformationξ →∞we get a new affine equation y 2 = ˜f(x) with deg( ˜f) =5.

§ 18.2 CM for curves of genus 2 469Now we have to check whether the Jacobian of the constructed curve C and of its twists has one ofthe at most 4 possible numbers in N = {N ω = χ ω (1) | ω ∈ W } as in (18.4) of F p -rational points.This is done as usual:Choose a random divisor class D __∈ Pic 0 Cfails for all N i one chooses a new triple (j 1 ,j 2 ,j 3 ) or, if not available, another p.In case of ambiguity one tries a different random divisor class D __∈ Pic 0 C.Remark 18.11 The quadratic twist of C is defined by, check whether [N]__ D =0for N ∈N. If this checkC v : vy 2 = f(x),where v is not a square in F p .IfC has order N ω then the twist C v has order N −ω anditcouldbethat N −ω rather than N ω has the desired property Pr.18.2.6 The algorithmIn the following we give the complete description of the algorithm using the theory from above.In Sections 18.2.3 and 18.2.4 we described the choice of the CM field and the computation of thetheta constants and the class polynomials. In practice this is done as a precomputation step. So, weshall take the CM-field and the class polynomials as given in the following algorithm.Algorithm 18.12 Construction of genus 2 curves via CMINPUT: ACM-fieldK/K 0/Q, class polynomials H K,k (X), desired size of p and property Pr.OUTPUT: Aprimep, a genus 2 curve C/F p whose group order N = |Pic 0 C(F p)| satisfies Pr.1. while true do2. repeat3. repeat choose prime p of desired size [see remark below]4. until p = ω 1ω 1 with ω 1 ∈O K [compute also p = ω 2ω 2 if possible]5. compute the set of possible group orders N as in (18.4)6. until at least one N ∈Nsatisfies property Prn o7. for k =1 to 3 compute all roots J k = j (i)k of H K,k (X) (mod p)8. for (j 1,j 2,j 3) ∈ J 1 × J 2 × J 3 do9. compute the conic Q j1 ,j 2 ,j 3(x 1,x 2,x 3)10. if there exists a point (a 1,a 2,a 3) with Q j1 ,j 2 ,j 3(a 1,a 2,a 3)=0 then11. compute H j1 ,j 2 ,j 3and the intersection polynomial f(t)12. if f(t) has a root in F p then13. find the curve C given by y 2 = ˜f(x) and deg( ˜f) =514. deduce the twist C e given by dy 2 = ˜f(x)15. choose a random divisor class D __∈ Pic 0 C(F p)16. use D __to check if N is the group order17. if desired group order is assumed then break18. return the prime p, thecurveC and the order N

470 Ch. 18 Complex MultiplicationAs for elliptic curves, examples of desired properties Pr are that the group order contains a primefactor larger than a given bound or that the group order is smooth with a given smoothness bound.The latter is interesting for factorization methods (cf. Chapter 25), while the prior can be used asbasis for a cryptosystem (cf. Section 23.4).Remarks 18.13(i) Lines 3 and 4 can be replaced as described in Section 18.2.5.(ii) The largest complexity is introduced by the factorization of the H K,k and the followingstep, which is executed in the worst case for all possible triples.18.3 CM for larger generaWe give a short outline of possibilities and difficulties that occur when one tries to construct hyperellipticcurves of genus 3 by using the CM-method.18.3.1 Strategy and difficulties in the general caseThe CM-theory of Shimura and Taniyama is valid for all CM-fields K of degree 2g. Of course thearithmetic of K becomes more complicated for increasing degrees but for moderate g (e.g., g 5)it is possible to determine the period matrices of a set or representatives of all principally polarizedabelian varieties over the complex numbers with endomorphism ring equal to the ring of integers inK. The next step, to compute the theta constants attached to the matrices as complex numbers withhigh precision, causes only numerical difficulties that can be overcome if one uses enough effort.The first theoretical problem arises when one has to decide which of the constructed abelianvarieties are Jacobian varieties of curves. Due to a theorem of Weil this is always the case forg =3;forg 4 the question is unsolved (Schottky problem).But we are interested in hyperelliptic curves and so we can say more. By results of Mumfordand Poor one has a criterion that is easily verified: let Ω be the period matrix of a principallypolarized abelian variety A. A necessary and sufficient condition for A being the Jacobian varietyof a hyperelliptic curve is that one of the even theta constants vanishes. So, one can determine theisomorphism classes (over C) of all hyperelliptic curves whose Jacobian varieties have as ring ofendomorphisms the integers of K.Now the next complication arises. The invariant theory of such curves becomes more complicatedand the structure of the invariant ring is not well understood at least when g>5. So, we restrictourselves to g 5 (which is of course enough for practical applications). Then we can proceed as inSection 18.2.4 and compute class polynomials for a set of invariants that determine the isomorphismclasses of the curves. These polynomials have rational coefficients, and the possible denominatorsare becoming larger but for primes p, large enough reduction theory works as in the case of g 2.By solving a norm equation with integers in K, one finds candidates for the Frobenius endomorphismmodulo p and so possible orders of the group of rational points of the Jacobian. Even the laststep, to find the curve equation, can be done in reasonable time [WEB 1997].So, in theory we can use the CM-method at least for hyperelliptic curves of genus 5. Butinpractice we meet a big difficulty: if we do not impose additional conditions on K we rarely findhyperelliptic curves.The reason comes from the theory of the moduli space of curves of genus g 2. The dimensionof this space is 3g − 3, and the locus of hyperelliptic curves has dimension 2g − 1 (it has 2g +2Weierstraß points containing (up to projective transformations) the points P ∞ , (0, 0), (1, 0)). So

§ 18.3 CM for larger genera 471already for g =3the hyperelliptic curves lie in an algebraic set of codimension 1. Anextensivesearch, cf. Weng [WEN 2001b], did not yield any example of a hyperelliptic curve of genus 3 andCM without additional automorphism. So only very special CM-fields K can be chosen if we wantto find hyperelliptic curves.18.3.2 Hyperelliptic curves with automorphismsAssume that K contains the complex number i with i 2 = −1. This means that K = K 0 (i) whereK 0 is a totally real field of degree g over Q.We get the following result.Lemma 18.14 Let A be a principally polarized abelian variety with endomorphism ring equal tothe ring of integers of K. Assume that A is simple and that it is the Jacobian of a curve C.Then C is hyperelliptic and has an automorphism τ(i) of order 4.Proof. By assumption A has an automorphism τ(i) of order 4. It is a general fact that τ(i) inducesan automorphism of order 2 or 4 of C. In any case C has an automorphism of order 2. Hence thefunction field of C has a subfield of index 2. The Hurwitz genus formula yields that this subfield hasgenus g 0

472 Ch. 18 Complex MultiplicationCorollary 18.17 Assume that the conditions of Lemma 18.14 are satisfied and that C and τ(i) aredefined over F q . Then a twist of C is given by an equationy 2 = x 2g+1 + x 2g−1 +g∑a 2j x 2g+1−2j .j=218.3.3 The case of genus 3We now apply our results to the case that K 0 is totally real of degree 3 and class number 1. Becauseof the Theorem of Weil and Lemma 18.14 we know that every principally polarized abelian varietywith endomorphism ring O K is the Jacobian of a hyperelliptic curve.In a precomputation we determine the period matrices and the theta constants of a set of representativesof the C-isomorphism classes of such varieties. This is explained in detail in section 3and 4 of [WEN 2001a].As seen in the background there are 5 Shioda invariants that determine a curve up to isomorphism.Due to the automorphisms we have a symmetry and thus it is enough to compute only 2 invariants,j 1 and j 3 . This is done either directly from the theta constants or via a Rosenhain model for C (cf.[WEB 1997]and[WEN 2001a, Chap. 4]) over C for each of the representatives, and we use this todetermine the class polynomials H jk (X) for k =1and 3.After this precomputation (which can be replaced by a look-up of tables) the algorithm proceedsas follows.1. Choose a prime p, solve the norm equationp = ωωwith ω ∈ O K and test whether there is a candidate curve C (mod p) for which theorder of the rational points of its Jacobian has the desired property.2. Compute the zeroes of H jk (X) over F p .3. At this step we use the extra structure we have.By Corollary 18.17 we know that the curve we are looking for is (up to a twist) given byThe discriminant of x 7 + x 5 + ax 3 + bx isy 2 = x 7 + x 5 + ax 3 + bx; a, b ∈ F p .∆ = − 17280a 5 b 2 + 9216a 5 b − 1024a 5 − 4352a 4 b 3 + 512a 4 b 2 + 9216a 4 b 4+ 62280a 6 b − 13824a 5 b 3 − 64a 3 b 3 − 13824a 6 − 1024a 3 b 3 + 512a 3 b 5 − 46656a 7 .DefineI 2 = −1/4a − 1/28bandI 4 = 1288 (−504b − 120)(−504a − 120b3 )+ 196 (−196a +68b)3 .Then we have the identitiesj 1 ∆ − I2 5 =0andj 3 ∆ − I 2 I 4 =0,which give two polynomial equations for possible values of a and b.Take these equations with (j = j 1 ,j ′ = j 3 ) a combination of the zeroes of H j1 (X) andH j3 (X) over F p and compute the candidates (a ′ ,b ′ ) for (a, b).

§ 18.3 CM for larger genera 4734. Test whether C ′ : y 2 = x 7 +x 5 +a ′ x 3 +b ′ x or one of its twist curves has a Jacobian J Cwith J C (F p ) of desired order. If not, choose another pair (a ′ ,b ′ ) and eventually anotherpair (j, j ′ ).Remarks 18.18(i) Examples and a detailed discussion of the general case of hyperelliptic curves of genus3 can be found in [WEN 2001a].(ii) If one wants to use curves of genus 3 for cryptographic purposes, the examples constructedabove may have some security deficiencies compared with random curves, forinstance, caused by the existence of a nontrivial automorphism. But they are easily constructedand serve well if one wants to test, for example, efficiency of specific scalarmultiplications.On the other hand, Section 15.2 shows how to use endomorphisms to speed up scalarmultiplication in Pic 0 C .(iii) One can drop the condition that C is hyperelliptic. Then one finds many curves of genus3 with complex multiplication. Another interesting subclass of such curves consists ofPicard curves, which have an automorphism of order 3. TheyhaveasCM-fieldafieldK 0 ( √ −3). For more details see [KOWE 2005].

ÎComputation ofDiscrete Logarithms

Chapter ½Generic Algorithms for ComputingDiscrete LogarithmsRoberto M. AvanziContents in Brief19.1 Introduction 47819.2 Brute force 47919.3 Chinese remaindering 47919.4 Baby-step giant-step 480Adaptive giant-step width • Search in intervals and parallelization •Congruence classes19.5 Pollard’s rho method 483Cycle detection • Application to DL • More on random walks • Parallelization •Automorphisms of the group19.6 Pollard’s kangaroo method 491The lambda method • Parallelization • Automorphisms of the groupThis chapter is devoted to the generic methods for computing discrete logarithms in commutativegroups and group orders. There are also applications where, apart from the group order, we haveadditional knowledge on the logarithm log g (h), such as a certain amount of high or low orderbits, or a probability distribution of the logarithm, or else the interval in which it lies is knownbeforehand. The last kind of information is exploited, for example, by the kangaroo methods (seeSection 19.6): if we are interested in the order of an elliptic or hyperelliptic curve, this informationby Hasse’s bound (see Section 5.2.3) is an interval centered on the cardinality of the underlyingfield. In general, such knowledge (especially information about certain bits) can be used to reducethe running time for solving the DLP, so the designer of a DL system must take it into account[NGSH 2003]. The adaptation of the methods described here to the context where one has thatparticular information is often quite straightforward.Our presentation has been influenced by Teske’s excellent survey [TES 2001b].477

478 Ch. 19 Generic Algorithms for Computing Discrete Logarithms19.1 IntroductionWe begin our presentation with exponential time methods; we recall that this means that the complexityis exponential in the logarithm of the order. For factoring an integer n, this implies that thesemethods may take n C operations on integers of size comparable to n for some positive constant C.For computing DLs, it means that they may require |G| C compositions on G.The best methods that apply to any cyclic group provide an upper bound C =1/2 — which is thereason they are also called square root algorithms — and are based on only a handful of ideas: bruteforce, the Chinese remainder theorem, the birthday paradox. In fact, most of the methods explainedin this section are square root methods. This explains why subexponential time algorithms (despitetheir names) are in many cases better than square root methods! We first give a rigorous definitionof a generic algorithm:Definition 19.1 An algorithm performing computations in groups is called a generic algorithm ifthe only computations it performs are:• computation of the composition of two elements• computation of the inverse of an element, and• checking two elements for equality.Such an algorithm is also said to operate in black-box groups.Shoup [SHO 1997], generalizing a result of Nechaev [NEC 1994], has shown that if p is the largestprime dividing the group order, a generic algorithm to solve the DLP with a probability boundedaway from zero has to perform Ω( √ p) group operations. Let G be a cyclic group of order n.Starting with the notion of an oracle that can be queried for the result of the three above genericgroup operations, Shoup computes the probability that an algorithm outputs the correct answer to aDLP in G after m oracle invocations. The numeration of elements of G can be reinterpreted as anencoding of the n (distinct) scalar multiples of g that are given by a map σ of Z/nZ into a set S ofbinary strings representing elements of G uniquely. The problem [t]g = h in G is then rewritten asfollows: Given ( σ(1),σ(t) ) ,findt ∈ Z/nZ. We cite Shoup’s main result concerning generic DLalgorithms.Theorem 19.2 [SHO 1997] Letn be a positive integer whose largest prime divisor is p. LetS be aset of binary strings of cardinality at least n. LetA be a generic algorithm for Z/nZ on S that makesm oracle queries, and suppose that the encoding function σ of Z/nZ on S is chosen randomly. Theinput to A is ( σ(1),σ(t) ) where t ∈ Z/nZ is random. The output of A is v ∈ Z/nZ. Then theprobability that t = v is O(m 2 /p).Therefore, for achieving a nonnegligible probability of success, one needs O( √ p) oracle calls. Theresult is that a generic DL algorithm must perform Ω( √ p) group operations. The generic algorithmsfor the DLP that we shall describe provide a constructive proof of how the DLP can be solved intime O( √ |G|) for any cyclic group G. The ideas underlying these methods are often used for otherpurposes too, for example, for factoring, as we shall see in Chapter 25, or to improve algorithms,which in principle are completely different. Generic methods like the ones described here are oftensuperseded by better algorithms that have been designed for particular kinds of groups. Some ofthese methods are presented in Section 20 if still “generic” enough, and are then discussed in moredetail for specific groups in the next chapters. This is the reason why ideal group-based cryptosystemsare based on primitives whose solution has square root complexity. For a very interestingdiscussion of other types of information that can weaken the protocols, we refer to [MAWO 1998].In the following, G can always be assumed cyclic: in fact, since the discrete logarithm problemwe want to solve is [t]g = h with h ∈〈g〉, we can always replace G with 〈g〉.

§ 19.2 Brute force 47919.2 Brute force (exhaustive search)Given a group G generated by one of its elements g and a second element h ∈ G, anintegert such that [t]g = h can be found by comparing [t]g to h for all t with 0 t < |G|. Thistakes at most ord(g) additions in G and is definitely not viable for large groups. For the integerfactorization problem this is simply trial division: see Chapter 25. Usually this method is too slow,but, surprisingly, it has some important applications: due to its absence of overhead, it might evenbe the method of election for checking whether a given element splits completely over a small, givenset of primes (smoothness test: see Section 20.1).19.3 Chinese remainderingDiscrete logarithms in G = 〈g〉 can be computed easily if n := ord(g) has only small factors.More precisely, the complexity of computing discrete logarithms in a group of composite order nis (from the point of view of computational complexity) bounded from above by the complexity ofsolving the DLP in a group whose order is the largest prime factor of n. This was first observed forcryptographic applications by Silver, Pohlig, and Hellman [POHE 1978].Assume n composite and let p | n. From[t]g = h it follows that[t mod p] ([ ] ) ([np g =[t] n] ) [p g = n]p h.Thus, t modulo each of the primes p dividing n can be found by solving the DLP in a cyclic groupof order p. Ifn is a product of distinct primes, then t is recovered applying the Chinese remaindertheorem (see Section 10.6.4).If n is not squarefree, the p-adic expansion can be used as described, for example, in [LELE 1990],to compute t modulo the highest power of p dividing n for all primes p, and then the Chineseremainder theorem is employed. If, say, p k divides n, one first gets t mod p, then “lifts” this valueto t mod p j for j =2, 3,...,k. For simplicity, suppose that G is a cyclic group of order p k and that[t]g = h with t = t 0 + t 1 p + t 2 p 2 + ···+ t k−1 p k−1 where 0 t j

480 Ch. 19 Generic Algorithms for Computing Discrete LogarithmsRemark 19.3 The algorithms in the following sections are the “serious” generic methods to solvethe DLP. Of course, in order to avoid this weakness one has to assume that the group order isknown. In some cases, however, this is not the case. In particular, many algorithms can be adaptedto this case simply by using them to solve log g (1), i.e., to compute the order of g. In most casessimplifications and optimizations are just obvious.19.4 Baby-step giant-stepThe baby-step giant-step algorithm was first published by Shanks in [SHA 1971]. According toNechaev [NEC 1994] it was known to Gelfond in 1962. See also [KNU 1997, Ex. 5.17]. The firstapplication of this method was order computation: in fact Shanks used it to compute ideal classnumbers of quadratic number fields. It can be used for discrete logarithm computation and we shallpresent it in this form, which is more general. Order computation is then done solving [t]g =0withfor t ≠0(and of course with unknown order). The baby-step giant-step method is based on thefollowing observation:Lemma 19.4 Let n be a positive integer. Put s := ⌊√ n ⌋ +1. Then for any t with 0 t

§ 19.4 Baby-step giant-step 481that the group order is 2 b ). But there are better alternatives for these cases, which also allow aneasier solution if t is much smaller than n (it happens for the DL systems that use small exponentsfor performance reasons). We see these in the next section.19.4.1 Adaptive giant-step widthA different approach allows us to obtain results relative to the discrete logarithm itself rather thanrelative to an upper bound on it. It can also be used to compute unknown group orders withoutthe complexity becoming possibly linear in the group order itself. Buchmann, Jacobson, andTeske [BUJA + 1997] suggested starting with a conservative, moderate assumption on the order ofmagnitude of t =log g (h) and doubling the giant step width at certain intervals. Their method isbased on the following result:Lemma 19.6 [BUJA + 1997, Lemma 2.1] For every integer t>1 there are uniquely determinedintegers k, c and j such thatt =2 k+1 c + j with ( 2 k−2 − 1 2) c1 with [t]g = h.OUTPUT: An integer t with [t]g = h.1. k ←⌊lg( √ t)⌋2. for j =0 to 2 k+1 − 1 store (β j ← h ⊕ [−j]g, j) in a hash table [initial ‘baby steps’]3. while true do4. for c = ⌊2 k−1 ⌋ to 2 k+1 − 1 do5. γ ← [2 k+1 c]g [the ‘giant steps’]6. if (γ = β j for some j with 1 j 2 k+1 ) then return (2 k+1 c + j).7. k ← k +18. for j =2 k to 2 k+1 − 1 insert (β j ← h ⊕ [−j]g,j) in the baby step hash tableIn Line 5, γ should not be computed anew each time as [2 k+1 c]g, as this would be too expensive.Instead, [2 k+1 c]g and [4 k ]g =[2 k+1 2 k−1 ]g (where 2 k−1 is the first value of c unless k is zero) arecomputed before the while loop and updated as k increases. The values [2 k+1 c]g in the internal forloop are obtained upon adding repeatedly [2 k+1 c]g to a variable initially containing [4 k ]g. Asintheoriginal baby-step giant-step method, the search in Line 6 should be performed using a hash table.The complexity of this variant is O( √ t).Another approach is to increment the width of the giant steps after each baby step [TER 2000]. It isbased on the following way of representing integers:Lemma 19.8 For every nonnegative integer t there are uniquely determined integers j and k with0 k

482 Ch. 19 Generic Algorithms for Computing Discrete Logarithmsh ⊕ [0]g = h and the giant step [T 1 ]g = [0]g = 0 G ; the baby steps are always stored, onlythe last giant step is kept in memory. For j 1, thej-th iteration consists of computing thegiant step [T j+1 ]g =[T j ]g ⊕ [j]g. If j 2, we check whether [T j+1 ]h is in the baby step setfor some s with 0 s < j: if this is the case, then t = T j+1 − s, otherwise the baby stepβ j = h ⊕ [j]g = h ⊕ [j − 1]g ⊕ g is computed, j increased by one and the next iteration performed.Algorithm 19.9 Terr’s variant of the baby-step giant-step algorithmINPUT: A generator g of a group G of unknown order and h ∈ G.OUTPUT: An integer t with [t]g = h.1. β 0 ← h, γ ← [T 1]g =0 G, δ ← 0 G and j ← 02. while true do3. j ← j +14. δ ← δ ⊕ g and γ ← γ ⊕ δ [γ =[T j+1]g]5. if j 2 then6. if (γ = β s for some s with 0 s

§ 19.5 Pollard’s rho method 483is easily achieved. It suffices to divide the interval to be searched into m approximately equallywide subintervals and to apply the algorithm independently on each of them. In order to get a betterspeedup one would presumably need a parallel machine with shared memory with unrestrictedaccess. Furthermore it seems at least very intricate to combine parallelization with dynamicallyexpanding giant step width. The conclusion is that the baby-step giant-step method cannot be parallelizedin an efficient way.19.4.3 Congruence classesIn other contexts the order is known to lie in one or more congruence classes modulo a given integer.For simplicity, assume that we know that n ≡ n 0 (mod m). This can happen, for example, if weused a Schoof-like algorithm (cf. Section 17.2) to compute the order of the curve or of the Jacobian,but because of computational limitations we stop earlier and compute the order only modulo m. Inthis situation we usually also know the interval [a, b] in which the order t lies, where we can assumea ≡ n 0 (mod m), and clearly b − a>m, otherwise the result is already uniquely determined. Inthis case we choose s to be the smallest integer √ (b − a)/m which is divisible by m. The babysteps β j are given by h ⊕ [−a − jm]g for 0 j

484 Ch. 19 Generic Algorithms for Computing Discrete Logarithms19.5.1 Cycle detectionCycle detection algorithms in general do not exploit the group structure of G in which the functionΦ defines a random walk (the map Φ, on the other hand, must be defined in terms of the group law).As a result, the methods described here in fact apply to any set G on which an iterated map Φ isused to make random walks, and their utilization goes beyond DL and group order computations.19.5.1.aFloyd’s algorithmIt is not necessary to compare each new w i to all previous ones, which would make the method asslow as exhaustive search: for instance, according to Floyd’s cycle-finding algorithm it suffices tocompare w i to w 2i for all i (see [KNU 1997, §3.1, Ex. 6]). In fact, if i is any multiple of τ that islarger than µ,thenw i = w 2i , so any cycle will be detected. To avoid storing all the w i the algorithmis in fact implemented as follows, where only two intermediate values need to be stored.Algorithm 19.12 Floyd’s cycle-finding algorithmINPUT: An initial value w 0 and an iterating function Φ:G → G.OUTPUT: An index i>0 such that Φ i (x) =Φ 2i (x).1. x ← Φ(w 0), y ← Φ(x) =Φ 2 (w 0) and i ← 12. while (x ≠ y) do3. i ← i +1, x ← Φ(x) and y ← Φ 2 (y)4. return iLet the length of the prefix and of the loop be µ and τ respectively, as above. If τ µ the firstcollision will happen after τ iterations. If τ < µ the match will be found after τ ⌈ ⌉µτ iterations,which lies between µ and 2µ: the precise distribution depends on the group and on the mapping.√Under the assumptions that Φ is a random mapping, and thus that the expected values of µ and τ areπn/8 and with good probability relatively close, we estimate the expected number of iterationsby 3 2√πn/8 ≈ 0.94√ n, and thus about 2.82√ n evaluations of Φ.19.5.1.bGosper’s algorithmGosper’s algorithm is item number 132 of the HAKMEM list [BEGO + 1972]. It has been designedto be used in the very specific context where it is difficult to recompute former values of the sequenceΦ k (w 0 ), because of the way the system is constructed. Such an example could be a pseudorandomnumber generator based on an iterative “black box” with a very limited interface. This context isquite far from that of order and discrete logarithm computations, but the beauty and ingenuity of thealgorithm persuaded us that it should be popularized. It is a nice exercise to try to understand howit works and why.Let w 0 be the initial value of the sequence, L be an upper bound for the length of the cycle, andT a table to keep m := ⌈lg L⌉ old values of Φ k (w 0 ). Let i be a counter of the number of timesΦ has been applied. For each i compare Φ i (w 0 ) for equality with the first s entries in the table T ,where s = ⌈lg i⌉ (the number of bits necessary to represent i). If there is no match increment i and(using this new value of the counter i) storeΦ i (w 0 ) into T [r], wherer is the exponent to which 2divides i (the number of trailing zero bits in the binary representation of i). A match with the entryin position e means the loop length is 1 more than the low e +2bits of i − 2 e+1 . Note that if thebound L is too small, then the algorithm will fail to find a loop. Otherwise, it will detect repetitionbefore the third occurrence of any value, guaranteeing that the correct length of the loop is found

§ 19.5 Pollard’s rho method 485and not a multiple of it.Algorithm 19.13 Gosper’s cycle finding algorithmINPUT: An initial value w 0, an iterating function Φ:G → G and a bound L on the period of thesequence {Φ i (w 0)} that is to be found.OUTPUT: Indexes i ≠ j>0 such that Φ i (x) =Φ j (x).1. m ←⌈lg L⌉ and create the table T [0,...,m− 1]2. T [0] ← w 0, i ← 1 and z ← Φ(w 0)3. while (i |G|) do4. s ←⌈lg i⌉5. for k =0 to s − 1 do6. if (z = T [k]) then7. τ ← 1+`(i − 2 e+1 )mod2 e+2´8. return (i, i + τ )9. else10. i ← i +111. z ← Φ(z)12. let r be the 2-adic valuation of i13. T [r] ← z14. return fail19.5.1.cBrent’s algorithmAn obvious problem with Floyd’s cycle-finding algorithm lies in the fact that w i must be recomputedtwice at least for large i or, in other words, at every iteration step we have to evaluate Φ thrice.Brent [BRE 1980] improved on Floyd’s cycle-finding algorithm. Brent’s algorithm uses an auxiliaryvariable z, which holds w l(i)−1 , l(i) being the largest power of two contained in the current indexof the walk i, i.e., l(i) =2 ⌊lg i⌋ . For each newly computed step of the walk, we check whetherz = w i . Whenever the index i equals a power of two minus one, we assign z = w i . This is repeateduntil a match is found.Algorithm 19.14 Brent’s cycle-finding algorithmINPUT: An initial value w 0 and an iterating function Φ:G → G.OUTPUT: Integers i and j such that Φ i (w 0)=Φ j (w 0).1. z ← w 0, w ← w 0, i ← 0 and l ← 1 [l is always a power of two]2. while true do3. w ← Φ(w) and i ← i +1 [compute next step]4. if w = z then break5. if i (2l − 1) then z ← w and l ← 2l6. return (i, j ← l − 1)

486 Ch. 19 Generic Algorithms for Computing Discrete Logarithms√Under the assumption√that Φ is a random mapping, the first match is expected to occur afterπn/2 ≈ 1.25 n iterations. Brent analyzes his algorithm running time. He finds that the firstmatch is found after an expected number of ≈ 1.9828 √ n iterations. This is a higher number ofiterations than with Floyd’s algorithm, in fact about twice as much, but in Floyd’s algorithm Φ isevaluated three times per iteration, and only once in Brent’s. The price for this reduction (of aboutone third) in evaluations of Φ before finding a match is a much higher number of comparisons,which can offset the advantages in some circumstances. The following observation yields a variantthat performs much better in practice as it reduces the number of comparisons:Proposition 19.15 Let i be the smallest index with w i = w l(i)−1 . Then i satisfies 3 2 l(i) i 2l(i).For a proof, see [COH 2000, Prop. 8.5.1].We can now give the improved version of Brent’s algorithm.Algorithm 19.16 Brent’s improved cycle-finding algorithmINPUT: An initial value w 0 and an iterating function Φ:G → G.OUTPUT: Integers i and j such that Φ i (w 0)=Φ j (w 0).1. z ← w 0 w ← w 0 i ← 0 and l ← 12. while true do3. w ← Φ(w) and i ← i +14. if w = z then break5. if i (2l − 1) then6. z ← w and l ← 2l7. 3while i

§ 19.5 Pollard’s rho method 487to perform one search in T ,andlett Φ be the time needed to evaluate Φ once. Then, the authorsshow, g can be chosen as a function of t s , t f ,andM, such that the algorithm’s worst-case runningtime is t Φ (µ + λ) ( 1+(t s /M t Φ ) ( 1+o(1) )) . They also show that this worst-case performance isasymptotically optimal.The next algorithm has worse worst-case performance, but better running time on average.19.5.1.eNivash’s stack-based cycle detectionNivash algorithm is introduced in [NIV 2004]. It is probably the most efficient known cycle detectionalgorithm on single processor machines.The basic methodThis algorithm requires that a total ordering < be defined on the set G,andworksasfollows:keepa stack of pairs (w j ,j), where, at all times, both the j’s and the w j ’s in the stack form strictlyincreasing sequences (with respect to the usual ordering of the natural integers and, for the w i ∈ G,with respect to the ordering w i .Ifamatchw i = w j is found with an element in the stack, thealgorithm terminates successfully: the cycle length is equal to i − j. Otherwise, push (w i ,i) on topof the stack, compute w i+1 =Φ(w i ), increase i by one and continue.We easily see that this algorithm always halts on the second occurrence of the element z of theperiodic part of the sequence that is minimal with respect to the given orderings. Let w imin bethe first occurrence of z. This element is added to the stack the first time it appears, and is neverremoved. On the other hand, any other element in the cycle belongs to a pair that is greater than(w imin ,i min ), so it will be removed (with probability that depends on the relative “magnitude” ofthe elements with respect to w imin according to the ordering in G, and at latest when w imin isencountered for the second time) before it has a chance to appear again.Let h be the number of evaluations of Φ of the algorithm before it terminates. Under the assumptionthat the Φ is a random mapping, the expected value of h is µ + τ ( 1+ 1 2 )= 2√ 5 πn/8 ≈1.5666 √ n. Under the same assumption, Nivash proves also that the expected size of the stack isln h + O(1). Therefore, the algorithm only requires a probabilistic logarithmic amount of memory.Note that the search in the stack for the first element w j w i can be done via a binary search. Thesize of the stack can be estimated, as we just saw, and therefore it can be implemented by an array,handling the unlikely situation when it overflows by resizing and relocating it. There is thereforeno need to explicitly erase or deallocate popped stack entries: they will simply be overwritten andonly the stack size (i.e., the number of entries in it) needs to be kept. If the magnitudes of the elementsof the sequence with respect to the ordering in G present some regularities, Nivash suggests“randomizing” them by applying a fixed hash function to the values before comparing them.A partitioning techniqueThe basic stack algorithm halts at a uniformly random point in the second loop through the sequence’scycle. In order to increase its probability of halting closer to the beginning of the secondloop, which is especially important if loops may be quite long, while adding virtually no extra timepenalty per step, we introduce the following partitioning technique: For some integer m, wedivideG into m disjoint classes. This can be done, for example, according to the values of some bits in theinternal representation of the elements of G. Ideally, the classes should have the same cardinality.We keep m different stacks, one for each class of elements of G. Any new element in the sequenceis compared only to the element in its corresponding stack, and pushed onto it; in particular any minimalelement of a class, on its second occurrence, will collide with the first occurrence of the sameelement because they are pushed in the same stack. This method is called the multi-stack algorithm.The algorithm halts whenever the first of all the stacks detects a match. Each class contains its own

488 Ch. 19 Generic Algorithms for Computing Discrete Logarithmscycle minimum, which is distributed uniformly and independently at random in the cycle. It followsthat the expected number of evaluations of Φ before the algorithm halts is µ + λ ( 1+1/(m +1) ) .The size of each stack is about ln h − ln m + O(1), hence the memory usage is roughly multipliedby m with respect to the basic version.Algorithm 19.17 Nivash’ cycle-finding algorithmINPUT: An initial value w 0, an iterating function Φ:G → G, a number of stacks K andaclassfunction χ : G → [0,...,K − 1].OUTPUT: Integers i and j such that Φ i (w 0)=Φ j (w 0).1. create stacks S[0],...,S[K − 1] containing pairs (element, index)2. initialize stack indexes p 0,...,p K−1 to −13. x ← w 04. while true5. κ ← χ(x)6. find smallest index t p k such that element (S[t]) x or put t = −17. if t ≠ −1 and element(S[t]) = x then break8. i ← i +1 and p k ← t +19. if p k is too large then resize k-th stack10. S[p k ] ← (x, i)11. x ← Φ(x)12. `i, return index(S[t])´Remark 19.18 In Line 1, the element of the pair is in G and the index is a natural number. Theinitial depth of the stacks should be about 1 2ln n.The multi-stack algorithm is especially useful on single processor computers with large memory.The distinguished point technique (see Section 19.5.4) can be used to find collisions early in theloop on multiple processors and, as Nivash himself observes, it offers in that situation a somewhatbetter time/memory trade-off. The multi-stack algorithm is also suited to the situations where themapping Φ is not a random mapping and its cycles are short compared to the aperiodic part ofthe sequence. The (multi-)stack algorithm does not seem applicable to Pollard’s rho factorizationmethod (see Section 25.3.1).19.5.2 Application to DLThe walk on G is given by { w i =[a i ]g ⊕ [b i ]h } i0 for known integers a i and b i . A collision hasthe form [a i ]g ⊕ [b i ]h =[a j ]g ⊕ [b j ]h,sothatlog g (h) = a i − a jb j − b i,computed modulo the group order. According to [POL 1978], one way to create a ‘random-ish’walk is the following. First, partition G into three subsets G 1 , G 2 ,andG 3 of approximately equalcardinality. This can be done fairly accurately and in a ‘random’ way exploiting the representationof the elements of G, for instance, using some fixed bits in the internal machine representation, in

§ 19.5 Pollard’s rho method 489other words hashing the elements of G. Takew 0 = g (so a 0 =1,b 0 =0), and define w i+1 as afunction of w i as follows:⎧⎧⎪⎨ h ⊕ w i if w i ∈ G 1⎪⎨ (a i ,b i +1)w i+1 =Φ(w i ):= [2]w i if w i ∈ G 2 ⇒ (a i+1 ,b i+1 )= (2a i , 2b i ) respectively.⎪⎩⎪⎩g ⊕ w i if w i ∈ G 3 (a i +1,b i )(19.1)Of course one can choose any other random mapping that allows an easy computation of the scalarsa i and b i .19.5.3 More on random walksAs observed in [SASC 1985,TES 1998b] partitioning G into only three sets does not in general leadto a truly random walk. This is reflected in the fact that the collision occurs on average later thanexpected. A truly random walk is difficult to achieve, but as the number of partitions is substantiallyincreased, performance is improved and approaches the ideal one. One method is to use r-addingwalks.Definition 19.19 Let r>1 be a small integer and assume we have a partition G 1 ∪ . ··· ∪ . G r of Ginto subsets of approximately equal cardinality. For any x ∈ G let v(x) be the index with x ∈ G v(x) .An r-adding walk is generated by an iterating function of the form w i+1 =Φ(w i )=M v(wi) ⊕ w i ,where the elements M 1 ,...,M r are of the form M s =[m s ]g ⊕ [n s ]h with m s and n s chosen(possibly at random) in [1,...,n− 2].Usually 3 r 100 and v(x) is a hash function. From the definition it follows immediately thatw i =[a i ]g ⊕ [b 1 ]h with a i+1 = a i + m v(wi)and b i+1 = b i + n v(wi).These addings (whence the name) are defined modulo n. It is not strictly necessary to reduce a iand b i modulo n — which is relatively inexpensive anyway — since their increase is only linear inthe number of iterations and they will be therefore bounded by a constant times √ n. This meansthat r-adding walks can be computed even if the group order is not known, by taking m s and n sbounded by some hopefully well-guessed large number. Since in some practical instances the grouporder is known to lie in an interval (for example, for elliptic and hyperelliptic curves), this can bedone. Note that this would not be meaningful with mappings like (19.1) where the numbers a i andb i would grow exponentially with i. In particular, by taking h =0 G one can get a multiple of thelogarithm t =log g (0 G ) which is at most off by a factor around √ t, then one adjusts the result. Thishas been done by Sattler and Schnorr [SASC 1985] using8-adding walks. Teske’s investigations[TES 1998b] (the results have been slightly updated in [TES 2001a]) in elliptic curve (sub)groupsallowed her to obtain matches after ≈ 1.452 √ n iterations using 20-adding walks. She also used amix of 16 addings and 4 doublings, with similar performance.19.5.4 ParallelizationThe above methods can be run on m processors in parallel, each starting with a different point w (t)0for t =0, 1,...,m− 1. A speedup of a factor √ m can be expected.A better parallelization is described in [QUDE 1990] — where it is actually used to find the firstcollisions in DES reported in the literature — and in [OOWI 1999].TheideaistohaveasetD ofrarely occurring distinguished points.

490 Ch. 19 Generic Algorithms for Computing Discrete LogarithmsThere is a central server and m client processors. The clients start with different points w (t)0 fort =0, 1,...,m− 1, which may be computed, in the DL case, as [a t ]g ⊕ [b t ]h for integers a t and b twhich are different for each processor.When a processor hits some element in D, it reports this fact to a central server, together withthe element and the corresponding values of the scalars of g and h. Then, the same processor startsafresh with a new trail. The starting points must of course always be different. Two strategies arepossible:1. Each client generates new starting points as [a t ]g ⊕ [b t ]h for integers a t and b t generatedrandomly, and the random number generator of each client is initialized with a differentseed. The likelihood that the same point is reused is in practice negligible.2. The server produces the unique starting points, to guarantee that they are all different.The points are generated either in packets, which are sent to each client when the clienthas used all the points in the previous batch (this can induce too much network traffic)or one by one (less network traffic, but the clients must wait until the server replies bydelivering a new starting point after the finding of a distinguished point is reported).In this way some collisions between trails can be detected. The central server applies a brute forceapproach to detect whether two of the distinguished points are in fact a match — usually aided byhashing. Nivash [NIV 2004] suggests using a partitioning technique (see Section 19.5.1).One way of defining the set D is to fix an integer f and to define that x ∈ D if and only if thef least significant bits in the internal machine representation of x are zero. This definition allows afast test, and the size of D can be easily monitored. By the theoretical analysis in [OOWI 1999] aspeedup of a factor m with m processors can be expected.The cardinality of D is crucial for the performance. The more distinguished points there are,the easier it will be to detect collisions, but, on the other hand, the client processors will spendmore time reporting the points to the server. Let n = |G| and θ be the proportion of distinguishedpoints. Further let τ g and τ r denote the costs of a group composition and of reporting the arrivalon a distinguished point to the server, respectively. The expected running time (cf. [OOWI 1999])on each processor is ≈ ( √ π2 n/m +1/θ)τ g + n 0 θτ r where n 0 is the expected length of the trails(which shall also depend on D). We do not enter into details, but observe that Schulte–Geers[SCH 2000d] concludes that the cardinality of D must be proportional to √ |G|.The DLP in subgroups of elliptic curves of about 2 108 elements has been successfully solved byPollard’s parallelized rho algorithms distributed over the Internet. See http://www.certicom.comfor the most recent successes. The extensive experimental work related to this challenge (see[ESSA + 1998]) confirms the theoretically predicted linear speedup for the parallelized rho method.These implementations, whenever possible, also made use of automorphisms of the group (see thenext section) to further speed up the computation.19.5.5 Automorphisms of the groupIn certain types of groups, a speedup up to a factor of √ 2 is obtained by means of the so-calledinverse-point strategy. This strategy applies if the inverse of any group element can be computedvery efficiently. Each group element is paired with its inverse: the iterating function must be definedwith the property that if Φ(a) =b then Φ(−a) =−b. If we use a distinguished point set D, this mustfulfill the property that if a ∈ D then also −a ∈ D. Further, we require from the representation ofthe group elements that it can be detected if the inverse of a previously submitted point is submitted.Of course the method would not work if such a collision would not help in revealing the discretelogarithm.The inverse-point strategy has been successfully applied to groups of elliptic curves over finite

§ 19.6 Pollard’s kangaroo method 491fields [ESSA + 1998, WIZU 1998]. It applies essentially unchanged to Jacobian varieties of hyperellipticcurves, but also to some groups that are outside the scope of the present book, like the XTRsubgroup in the natural (i.e., not trace-based) representation [STA 2003, STLE 2003] (note that forthe latter, which is a subgroup of a finite field, better algorithms belonging to the family of IndexCalculus attacks (see Chapter 20) may apply). The fundamental fact here is that a ↦→ −a is an automorphismof the elliptic curve. In fact, let ψ be an automorphism of the group G with the followingproperties:• Almost all orbits of the elements of the group under ψ have order m,say.• It is easy (i.e., computationally negligible) to check whether two group elements belongto the same orbit.• The automorphism acts like the multiplication by a known scalar s, say (coprime to thegroup order).Usually, such a group automorphism is induced by an easily computable endomorphism of the algebraicvariety underlying the considered group, said endomorphism satisfying a known polynomialequation. Suppose that the iterating function has been constructed in such a way that if Φ(a) =bthen Φ ( ψ(a) ) = ψ(b). Then we can use such Φ to make the random walk and detect collisionsbetween orbits, and not only between elements. Suppose we want to solve the DLP [t]g = h. Ifthe random walk is given by the sequence { w i =[a i ]g ⊕ [b i ]h } i0 , then a collision w i = ψ k (w j )means that w i =[s k ]w j , henceand the discrete logarithm is computed as[a i ]g ⊕ [b i ]h =[s k a j ]g ⊕ [s k b j ]hlog g (h) = a i − s k a js k b j − b imod |G|.The theoretical speedup with this technique is up to a factor of √ m. This claim is obvious, since thesearch for collisions is in fact made on the quotient of the group (as a set) modulo the equivalencerelation induced by the orbits under the automorphism. The speedup is, however, in practice somewhatsmaller, because the test for same orbit membership is not completely free, and it might bedifficult to find an iterating function that acts almost like a random mapping on the orbits. Furtherdifficulties (which are, however, in general not unsurmountable) include:• If a distinguished point set is used, then it must be invariant under ψ in order for thetechnique to be applicable• If we want to use a (multi-)stack method a la Nivash, then the ordering should be on thegroup modulo the equivalence relation induced by ψ.The Frobenius endomorphism and other automorphisms have been used for computing the DL insome classes of elliptic curves over fields of characteristic 2 [GALA + 2000, WIZU 1998], suchas Koblitz curves, and of hyperelliptic curves [DUGA + 1999]. In particular, it is quite easy toset up an improved attack on elliptic and hyperelliptic Koblitz curves when the definition field ofcharacteristic 2 is implemented using normal bases. In this particular case, distinguished point setscan be defined, for example, using the Hamming weight of some coordinates.19.6 Pollard’s kangaroo methodWe have seen that there are variants of Shanks’ baby-step giant-step method to solve the DLP orcompute the order of an element when we know that the answer lies in a given interval, exploiting

492 Ch. 19 Generic Algorithms for Computing Discrete Logarithmsthis information to get lower running times. We describe here a method due to Pollard [POL 1978,POL 2000] that achieves the same purpose while at the same time retaining the space efficiencyadvantages of Pollard’s rho methods. The fundamental idea of this method is to have more randomwalks at the same time, and to watch when these collide. Since they are “deterministically” randomas in Pollard’s rho method (cf. Section 19.5), there is no need to check whether each element ofeach random walk collides with some element of the other walks: as with the rho method, checkingfor each possible collision would in fact slow down the approach and render it useless. Since thewalks can be viewed as “jumping” inside the considered group, Pollard depicted them as if done bykangaroos jumping in that immense unknown expanse, which is the group where we want to solvethe DLP. The first version of Pollard’s kangaroo method, sometimes called the lambda method, isserial and works with a tame kangaroo T and a wild kangaroo W with respective starting pointsw 0 (T )=[b]g and w 0 (W )=h. The first kangaroo is called tame because, in a figurative sense,we know where it starts, whereas we do not know where the wild kangaroo comes from. Theywill start jumping inside the group, and both will remember exactly the path they have followed.When a collision between the paths of the tame and the wild kangaroo happens, we say that thetame kangaroo has captured the wild one. If the paths of the two kangaroos cross, they will coincideafter that event, because the next jump of each kangaroo is determined only by the current position.Usually, the tame kangaroo sets a trap after a certain number of jumps, then waits for the wild one:if the two paths cross, the wild kangaroo will fall in the trap. If the tame kangaroo successfullycaptures the wild kangaroo, then we can use the information from both about their travel to find“where” h is, i.e., its discrete logarithm with respect to g.19.6.1 The lambda methodLet r>1 be an integer and v : G →{1,...,r} be a hash function. The kangaroos follow r-addingwalks of the formw i+1 (K) =w i (K) ⊕ M ( v ( w i (K) )) , with K = T or Wwith multipliers M(j) =[s j ]g for jump lengths s j > 0 of size O( √ b − a) for all j. Thetraveleddistances for each kangarood 0 (K) =0 and d i+1 (K) =d i (K)+s v(wi(K)), with i ∈ Nare recorded. Note that w j (T )=[b + d j (T )]g and w j (W )=h ⊕ [d j (W )]g. The tame kangaroo isset off first and after a certain number of jumps, say M, it stops and installs a trap at the final spott M (its distance from the start is then d M (T )). Then W is freed and starts jumping: after each jumpof W we check to see if it has fallen into the trap, i.e., if w M (T )=w N (W ) for some N. Ifthishappens, a solution to [t]g = h is computed immediately, namely t = d M (T ) − d N (W ). Afteracertain number of steps the wild kangaroo is halted — because we may assume it has gone too farand is now in safe territory (in other words it has probably entered a cycle that does not include thetrap) — and a new wild one starts jumping. Its starting point is w 0 (W )=hg z , with z small andincreasing with each new wild kangaroo. This fact about z is important: we can imagine that thewild kangaroos start with “parallel” trails and we hope that at least one shall be caught. If W fallsinto T ’s trap, the paths of the two kangaroos have with high probability met earlier during the travel,from which point on the paths coincided. A graphical representation of this phenomenon resemblesthe Greek letter λ, whence the alternative name of this basic version of the kangaroo method.Put ξ = √ b − a. Van Oorschot and Wiener [OOWI 1999] show that the expected number ofgroup operations is minimal if1. The average of the s j is ≈ ξ/2,and

§ 19.6 Pollard’s kangaroo method 4932. The tame kangaroo T makes about 0.7ξ jumps before installing the trap; and the maximalnumber of jumps done by each wild kangaroo is ≈ 2.7ξ.At that point either W has fallen into T ’s trap or is safe in the sense already described. The latteroutcome happens on average 0.33 times, whereas the former has probability 0.75 after an expectednumber of ≈ 1.7ξ jumps. From this they get the expected value of (0.7 +0.33 × 2.7 +1.7)ξ ≈3.3 √ b − a group operations. The algorithm needs storage only for the jump set and for the currentpositions of the two kangaroos. Using a set of distinguished points and slightly more storage onecan obtain an algorithm with an expected total running time of ≈ 2 √ b − a group operations.19.6.2 ParallelizationOne can employ a distinguished point set D to realize a parallel kangaroo algorithm in the sameway as for the rho method [OOWI 1999].Suppose then that we have 2m processors, each processor being the “home” to a kangaroo. Thereare two kangaroo herds, one consisting of m tame kangaroos {T 1 ,...,T m } and the other of m wildones {W 1 ,...,W m }. We use a global√multiplier set, defined as in the serial variant, whose jumpdistances s j have mean value β = m 2 b − a. Let σ ≈1mβ be an integer corresponding to thespacing between kangaroos of the same herd. The starting points of the kangaroos are given byw 0 (T i )= [ a+b2+(i − 1)σ ] g and w 0 (W i )=h ⊕ [(i − 1)σ]g, for 1 i m/2.Observe that the tame kangaroos start near the middle of the interval rather than its end b, asthisleads to lowest average running times. The initial traveled distances are thusd 0 (T i )= a + b2+(i − 1)σ and d 0 (W i )=(i − 1)σ, for 1 i m/2.Each kangaroo starts jumping and after each jump it is tested whether the kangaroo landed on a distinguishedpoint, in which case a packet is sent to the central server consisting of: the distinguishedpoint, the type (tame/wild) of kangaroo that has just landed there, and its traveled distance. Thecentral server checks whether that point has already been previously submitted in order to detect acollision between a tame and a wild kangaroo, and otherwise stores it. Let τ g , respectively τ r ,bethecosts of a group composition and of reporting the arrival on a distinguished point, and n 0 the averagelength of trails before the algorithm terminates. Let, as usual, θ be the proportion of distinguishedpoints. The expected running time (on each processor) is ≈ ( √ b − a/m +1/θ)τ g + n 0 θτ r .Asforthe rho method, the proportion of distinguished points must be chosen carefully.With respect to the size of D, remarks similar to those of Section 19.5.4 apply here, in the sensethat |D| must be proportional to √ b − a (see [TES 2003, §6.4]).Kangaroos of the same herd might collide, and such collisions are useless as they do not helprecovering the discrete logarithm. Pollard [POL 2000] has developed a parallelized version whereuseless collisions cannot occur. He writes m = A + B with A, B coprime and ≈ m/2. ThereareA tame and B wild kangaroos. The jump lengths for the multiplier set are multiples of AB of theform k i AB where the k i ’s have average β = √ (b − a)/(AB)/2. The starting points of the tameand wild kangaroos are[ a+b2+(i − 1)B]g with 1 i A and h ⊕ [(j − 1)A]g with 1 j B,respectively. Observe that the congruencea + b2+(i − 1)B ≡ t +(j − 1)A(mod AB)

494 Ch. 19 Generic Algorithms for Computing Discrete Logarithmshas only one solution in i and j whence, for any residue class modulo AB, there is exactly one pairof kangaroos, one tame and one wild, which both travel in that class and thus can collide.Pollard’s variant avoids useless collisions at the price of preventing collisions from more thanone tame/wild pair. Therefore the fact that the expected running time is about the same as for vanOorschot and Wiener’s variant is not surprising. A big problem with Pollard’s variant occurs withsearches distributed over the Internet: if one of the players retires, the only possible tame/wild matchmight disappear. This makes the approach infeasible for such attacks. A running time analysis isfound in [POL 2000].The jump lengths s i and the jump length factors k i in the two versions should be chosen withsome care. Randomly chosen integers in {1, 2,...,β} with no common factors are quite good,slightly better performance is obtained by picking different small powers of 2 including 1. Notefurther that kangaroos can enter in loops: in this case cycle recognition clearly does not help inrecovering the discrete logarithms, so, ideally, this situation should be avoided. We can use a veryinexpensive cycle-finding method like Brent’s, or let the kangaroos start again with a new trail ifafter a certain number of jumps no distinguished point has been met, or use a distinguished pointset that is dense enough to allow the server computer to detect most of the cycles by the clients. Theexact values of these parameters must be chosen carefully for each case, by heuristic arguments orby doing some smaller experiments before the longer computation takes place.19.6.3 Automorphisms of the groupExactly as with Pollard’s rho method we can use an efficiently computable automorphism ψ: all thekangaroos will in fact jump in the quotient set of G modulo the equivalence relation determined byψ. The expected speedup is about √ k where k is the average size of the orbits.

Chapter ¾¼Index CalculusRoberto M. Avanzi and Nicolas ThériaultContents in Brief20.1 Introduction 49520.2 Arithmetical formations 496Examples of formations20.3 The algorithm 498On the relation search • Parallelization of the relation search • On the linearalgebra • Filtering • Automorphisms of the group20.4 An important example: finite fields 50620.5 Large primes 507One large prime • Two large primes • More large primes20.1 IntroductionIn view of Shoup’s Theorem 19.2, methods that have lower time complexity than the methodsexplained in Chapter 19 cannot be generic. This applies not only to subexponential time methods,but also to methods whose complexity is still exponential and of the form O(|G| C ) with C

496 Ch. 20 Index Calculusscalars e j ,thenr∑e i log g (g i ) ≡ 0 (mod N) . (20.2)i=1If we are able to obtain many equations of the form (20.1) with at least one of them involving anelement for which the discrete logarithm is known, for example g itself, and the number of the g i ’sis not too large, then we can solve the system (20.2) by linear algebra for the log g (g i )’s. The set{g 1 ,...,g r } is called the factor base. If we include an element h in the factor base for which weknow that h =[t]g,butt itself is unknown, then we might hope to recover t.Finding enough equations of the form (20.1) is equivalent to computing the structure of G asZ-module: If Z r is the free abelian group generated by base elements {X 1 ,...,X r } and L is thelattice in Z r generated by the relations ∏ ri=1 Xei i =1corresponding to the equations (20.1), thenΦ:Z k → G (20.3)(e 1 ,...,e k ) ↦→ [e i ]g 1 ⊕···⊕[e k ]g kis a homomorphism with kernel L so that Z k /L ≃ G.Ideally, one has to prove that for a suitable choice of the factor base, given a randomly chosenelement of G there is a high probability that it can be written as a linear combination of a smallnumber of elements of the factor base and with small coefficients. The index calculus methodsachieve a subexponential complexity depending on the ability to efficiently generate such relations,which is often the dominant part of these algorithms.Subexponential index calculus algorithms have been developed for a variety of discrete logarithmproblems, for instance finite fields and Jacobians of hyperelliptic curves of large genus. Notableexamples where they have not been made to work are elliptic curve discrete logarithms and discretelogarithms in Jacobians of genus 2 hyperelliptic curves.20.2 Arithmetical formationsWe follow here the presentation of Enge and Gaudry [ENGA 2002].Definition 20.1 [KNO 1975] LetP be a countable set, whose elements are called primes. Anadditivearithmetical semigroup is a free abelian monoid M over P together with an equivalencerelation ∼ that is compatible with its composition law, such that G is isomorphic to M/∼.Each element g of G is represented by an unique element ı(g) of M such that the isomorphismG →M/∼ is given by g ↦→ ı(g)/∼.A size map is a homomorphism of monoids norm : (M, ⊕) → (R, +), and as such it is completelydetermined by its values at the primes of M. We shall always assume that all primes p ∈Phave positive size. The size map is also applied to the elements of G via ı. The size of an elementg ∈ G (respectively m ∈M) is denoted by |g| (respectively |m|).Such a group G, together with the monoid M, the equivalence relation ∼, the representationmap ı and a size map — in other words the quintuple ( G, (M, ·), ∼,ı,|·| ) — is then called anarithmetical formation,orformation for short.We assume that the elements of G are represented by bit-strings associated to the correspondingelements of M and of length bounded by some constant r and that all generic operations in G (i.e.,the operations listed in Definition 19.1) are performed in time polynomial in r.Definition 20.2 A smoothness bound B is a positive integer and we denote by M B (respectivelyP B )thesetofelementsofM (respectively P) of size not larger than B.

§ 20.2 Arithmetical formations 497We denote by n B the cardinality of P B and by n ′ B the cardinality of M B. An element of G is calledB-smooth if the decomposition of its representation in M involves only primes in P B .When possible, the factor base is defined by a smoothness bound and is denoted P B . In somecases, however, (see Sections 21.2.2 and 21.3), the factor base cannot be defined only in terms of asmoothness bound. In these cases, the factor base will be denoted B.In our context, we require that n ′ B is finite and of cardinality polynomial in B, and that theelements of M B can be enumerated in a time polynomial in B and linear in n ′ B . We also requirethat an element m ∈Mcan be tested for being prime in time polynomial in |m| and linear inn ′ |m| (by trial division by all elements of norm smaller than |m|, for instance). Thus, P B can beconstructed in time polynomial in B and quadratic in n ′ B .It should be possible to test elements of G for B-smoothness and decompose them into primes intimeÕ(n ′ B ) (in practice, this can be done even faster).20.2.1 Examples of formationsPrime fieldsThe multiplicative group G = F ∗ p can be represented as (Z, ×)/∼ where n 1 ∼ n 2 if and only ifn 1 ≡ n 2 (mod p) and P is the set of rational prime numbers. The size of an element of G is thelogarithm of the element of N by which it is represented. In practice, the bit length ⌈lg n⌉ of theinteger n is used.Nonprime finite fieldsThe multiplicative group G = F ∗ pwith d>1 can be represented by the polynomials of degreedless than d over F p . Let f be a monic irreducible polynomial over F p and let M be the multiplicativemonoid of the ring of polynomials over F p under the usual polynomial multiplication ascomposition. There exists a field isomorphismψ : F p d∼−→ F p [X]/ ( f(X) )such that for each element g ∈ F p d there is a unique u ∈ F p [X] of degree less than d with ψ(g) =U +(f). Write ı(g) =U: themapı can be restricted to a map G →M, because the inverseimage of 0 ∈ F p [X] under ı consists of the zero of F p d alone. We can then represent G as M/∼where U 1 ∼ U 2 if and only if U 1 ≡ U 2 (mod f). ThesetP of primes consists of the set of monicirreducible polynomials over F p together with a multiplicative generator for F ∗ p , embedded in theobvious way in the Cartesian product. The size of an element g ∈ F p d is now defined as deg ı(g).Jacobians of hyperelliptic curvesLet C be a hyperelliptic curve of genus g over a finite field K of characteristic p, and consider thegroup G =Pic 0 C (K) of the divisor classes of C over K. Here, P is the set of irreducible divisors.It is known that each element of G can be represented by a K-rational divisor of degree at most g.The set of primes is defined as the set of principal divisors whose effective divisors are irreducibleover K. The latter can be single K-rational points, or sums of all Galois conjugates over K of anon-K-rational point: In other words, if a divisor D has Mumford representation [u D ,v D ], D isprime if and only if the polynomial u D is irreducible over K. The size of a divisor D is the degreeof u D .

498 Ch. 20 Index Calculus20.3 The algorithmOne possible way of describing the basic form of the index calculus method is the following one.There are in fact a few variants, but they differ only in minor details.Algorithm 20.3 Index calculusINPUT: A group G of order N, two elements g,h ∈ G with h ∈〈g〉.OUTPUT: An integer t with h =[t]g.1. Construction of the factor baseChoose a smoothness bound B and let the factor base be the set P B = {π 1,...,π nB }of the B-smooth primes of G.2. Produce relationsThey are equalities of the form[a i]g ⊕ [b i]h =n B Mj=1[e i,j]π j, for i =1, 2,...Put c = n B. Construct a matrix A with c rows defined as the row vectors(e i,1,e i,2,...,e i,c), for i =1, 2,...,c.Store the vectors a =(a 1,a 2,...,a c) and b =(b 1,b 2,...,b c).Putv =(e c+1,1,e c+1,2,...,e c+1,c).Possibly, process the matrix and the vectors a, b and x to make c smaller.3. Linear algebraCompute a solution to xA ≡ v (mod N) or find an element x of the kernel of A, i.e.,xA ≡ 0 (mod N).4. Extract solutionThe matrix A and the vectors a, b satisfy by construction the following formal relation inG (where the apex t denotes transposition):2 3`at b t´ 6 ×g 74 5 = A × Π whereh`at b t´ =23a 1 b 1a 2 b 2. 75a c b c6 . 4and Π=2 3π 1π 26 . 74 5π c.Let x =(x 1,...,x c) be the vector found in Line 3. Let α, respectively β be equal to theinner product xa t , respectively β = xb t .if xA =0 then6xAΠ =0and we obtain (α, β) ×g 74 5 =0, i.e., [α]g ⊕ [β]h =0.hTherefore log g (h) =− α mod N provided that gcd(β,N) =1.βif xA = v then[α]g ⊕ [β]h = xAΠ =vΠ =[a c+1]g ⊕ [b c+1]h.Therefore log g (h) =− α − ac+1mod Nβ − b c+123

§ 20.3 The algorithm 499Remark 20.4 If we want to solve a discrete logarithm problem in a proper subgroup G 0 of orderN 0 of G, we can perform all the computations involving integers modulo N (keeping track of a iand b i , the linear algebra step, the final division) modulo N 0 instead — this is clear because thefinal result should be reduced modulo N 0 anyway — hence all the operations that take place in thering Z/N Z can be replaced with operations in the ring Z/N 0 Z.IfN 0 is, as in most applications,prime, then all the computations, including the linear algebra, take place in the finite field with N 0elements.When analyzing an index calculus variant, several problems have to be addressed. If B is too small,the time to find relations will probably be too large; on the other hand, if B is too large, the linearalgebra step will be too expensive. The construction of the factor base has running time at mostÕ ( (n B ) 2) Õ ( (n ′ B )2) (by enumerating the elements of norm at most B and checking them forprimality).20.3.1 On the relation searchFor the second step of the algorithm, we must take into account the probability of finding a relation.This probability is about |G B |/|G| where G B denotes the set of B-smooth elements of G. Candidaterelations can be generated by random walks of the form [a]g ⊕ [b]h in the group G andtheyallmustbe tested for smoothness, which takes an expected time τ s per test. All random walk techniquesseen in Section 19.5.3 can be of course adopted here.Avanzi and Thériault [AVTH 2004] have a strategy that can be very efficient in many situations.It is often much faster to compute several group operations simultaneously than to compute them sequentially.For example, on elliptic and hyperelliptic curves using affine coordinates, Montgomery’strick (Section 11.1.3.c) can be used to perform the (independent) inversions in parallel. The obviousapplication is to perform several random walks simultaneously on a single processor, but severalsimultaneous group operations can be sped up further if one of the arguments is the same in alloperations.As in the r-adding walk method (Section 19.5.3), a set {M 1 ,...,M r }, with M s =[m s ]g ⊕ [n s ]hfixed and r registers z 1 ,...,z r , which are initialized, for example, as z i = M i for all i. One indexs with 1 s r is picked, for example, by taking the value of a hash function from the groupinto the index set {1, 2,...,r} on the element z 1 , and a single processor puts w = z s and computesz 1 = M 1 ⊕ w, z 2 = M 2 ⊕ w,...,z r = M r ⊕ w. These elements are then checked for smoothness,and, if the corresponding relation is smooth, it is added to the relation set. After one such step,if squarings (doublings) are cheaper than multiplications (additions), then all the elements z i canbe squared (doubled) one or more times, and the results checked for smoothness. It is understoodthat these squarings (doublings) are also performed in parallel. Because of the seemingly randombehavior of the smoothness property with respect to the group operations, this method will bringa noteworthy speedup (the factor is r/r ′ ,wherer ′ is the time to compute M 1 ⊕ w,...,M r ⊕ wfor 1 i r relative to the time to compute just one element alone). If squarings or doublingsare faster than multiplications or additions, then the speedup due to this strategy is even faster.If multiplying (respectively adding) and multiplying by the inverse (respectively subtracting) havesimilar costs, and the simultaneous computations of ab and ab −1 (respectively of a + b and a − b)share some partial results, one can keep 2r registers z 1 ,...,z 2r and compute z 1 = M 1 ⊕ w, z 2 =M 2 ⊕ w,...,z r = M r ⊕ w together with z r+1 = M 1 ⊖ w, z r+2 = M 2 ⊖ w,...,z 2r = M r ⊖ w. Bymeans of this we can compute more candidate relations in the same amount of time — and thereforefind relations more quickly.In general, regardless of how the relations are sought, one can choose to find kc relations fora suitable k = Õ(lg c) and observe that there is an appreciable probability that c − 1 relationsare linearly independent [ENGA 2002]: This means that Õ(n ′ B |G|/|G B|) candidates have to be

500 Ch. 20 Index Calculustested. Another approach for generating relations is due to Dixon: All relations but one are foundupon checking for smoothness multiples [a]g of g, for several values of a, which can be chosen atrandom. The last relation is of the form h ⊕ [v]g for a suitable, possibly also randomly chosen, v.This has the additional advantage that the relations involving only g and not h canbeusedlatertocompute the logarithms of other elements.20.3.2 Parallelization of the relation searchRelation search can be done in parallel by several machines, since the linear independence of the relationis not checked after each new relation is found. This has the advantage that, with n machines,the total amount of time to find the desired number of relations is reduced by a factor n. Of course,at some point the relations must be sent to a central server, and time spent in network traffic mustbe taken into account too.20.3.3 On the linear algebra20.3.3.aComplexityIn the third step of the algorithm, the linear dependency is found modulo prime divisors of |G|(but usually this number is just a large prime). The matrix A is sparse, because the elements of Ghave bounded norm, so there are O(lg c) =O(lg n ′ B ) (recall that c is the dimension of the matrix)nonzero entries in each row for c large enough. Sparse matrix techniques such as Wiedemann’s orLanczos’ (described in the next sections) can be used: In this case, the running time of this step isO(c 2 + cω),whereω is the total number of nonzero entries among all the e i,j and a i ,b i , i.e., Õ ( c 2) .The complexity of the algorithm, apart from the time required to factor the order of G (which weassume to be known and factored) is then()Õ (n ′ B) 2 + n ′ |G|B|G B | τ s . (20.4)In particular, the smoothness bound B and the complexity τ s play an important role in determiningthe overall complexity of an index calculus algorithm for a specific type of group. These considerationslead to the following result:Theorem 20.5 (based on [ENGA 2002]): Assume that the following smoothness result holds forthe group G: The bound B can be chosen such thatn ′ ( )B = L |G| 1/2,ρ+ o(1)and|G||G B | = L ( )|G| 1/2,σ+ o(1)for some constants ρ, σ > 0.Also, suppose, that the smoothness test in G can be done in timeÕ ( (n ′ B )τ ) for a constant exponentτ. Then, solving the discrete logarithm problem in G requiresoperations in G.Õ ( L |G|(1/2, max{2ρ, 1+(1+τ)ρ + σ} + o(1)))

§ 20.3 The algorithm 50120.3.3.bMethodsWe now review the linear algebra methods that can be used for index calculus. Recall that we havea large matrix A with c columns and rows. The goal is to find an element of the kernel of A, i.e.,a vector x such that xA =0(more precisely xA ≡ 0(mod|G|), but we assume that our grouphas prime order N = p, and therefore we obtain a linear system over F p ). This is a very wellinvestigatedproblem and a complete treatment would definitely be outside the scope of this book.The matrix obtained is sparse, and in most cases the number of nonzero entries in the matrix is verysmall. We observe two very typical matrix types that arise in this context:1. For the index calculus in extension fields (respectively prime fields), the number of entriesper row is the number of factors in the polynomial over the base field that representsthe field element (respectively the number of prime factors in the integer representingthe field element).The “smaller” primes appear more often, and usually with higher multiplicities, hencethe matrix is “denser” in the first columns. This is clearly true in the prime field case.In the extension field case we note that the case of binary fields has been investigatedin more detail, and since the factor base must contains polynomials over F 2 of severaldegrees, those of smaller degree will appear more often. Under these conditions, thewell-known structured Gaussian elimination can reduce the size of the system by a considerableamount.2. For hyperelliptic curves of small genus g and the version of index calculus presented inAlgorithm 20.3, the nonzero entries are scattered in a rather homogeneous way in thematrix. In this case, the structured Gaussian elimination has only a limited impact.To complete the solution of the system, several algorithms can be used. For each type of discretelogarithm problem to be solved, a careful comparison of the algorithms by Lanczos and Wiedemann,along with their “block” variants, is necessary, and the best algorithm must be considered. This isnot a trivial task. We will describe the basic versions of these two methods below. Further methodsto be taken into account are the conjugate gradient method (which can be viewed as two pipelinedLanczos algorithms) and Lambert’s variant (see [LAM 1996]).The “block” variations try to minimize scattered memory reads and to replace them with consecutivereads as much as possible, and are also used in numerical analysis. They replace vector-matrixmultiplications by multiplications of several vectors by the same matrix at once, thus also improvingcache locality and in fact greatly reducing accesses to the main memory. We will not enterinto details in their description, just as we will not deal with the parallelization of such methods.In the context of discrete logarithm computation, see [LAM 1996], [THO 2001], [THO 2003], andreferences therein for more details and literature on the subject.20.3.3.cWiedemann’s methodThis method [WIE 1986] solves a system xA = v by building a Krylov subspace generated by thevectorsv, vA, vA 2 , vA 3 ,... (20.5)Such a sequence is eventually recurrent, which is evident from the Cayley–Hamilton formula, whichsays that a matrix satisfies its characteristic polynomial. Let the minimal polynomial for this sequencebe f(T ). In order to determine f(T ), Wiedemann’s method picks a random vector u andfeeds the sequencevu t , vAu t , vA 2 u t , vA 3 u t ,... (20.6)into the Berlekamp–Massey algorithm [MAS 1969], which determines the minimal polynomial ofthe sequence. When applied to the sequence (20.6) the polynomial resulting from the Berlekamp–

502 Ch. 20 Index CalculusMassey algorithm must divide the minimal polynomial of the sequence (20.5) andalsotheminimaland characteristic polynomials of A. Hence by computing the minimal polynomials of sequenceswith various u’s, some information on the factors of the minimal polynomial of the sequence (20.5)is discovered.Under the assumption that u is randomly chosen, Wiedemann shows that it is quite likely thatafter a certain number of factors f (i) (T ) of the minimal polynomial f(T ) have been found, f(T )itself can be reconstructed as the least common multiple of these factors. More precisely, the successprobability is 70% with just three factors.In practice, the following accumulation procedure is used to determine f(T ):1. Put v 0 = v and let f (0) (T ) be the minimal polynomial of the sequencev 0 u t 0, v 0 Au t 0, v 0 A 2 u t 0, v 0 A 3 u t 0,...2. If v 0 f (0) (A) ≠ 0, then put v 1 = v 0 f 0 (A), select another vector u 1 , compute theminimal polynomial f (1) (T ) of the sequencev 1 u t 1, v 1 Au t 1, v 1 A 2 u t 1, v 1 A 3 u t 1,...3. Repeating this, various factors f (i) (T ), i =0, 1, 2,... of f(T ) are found and f(T ) isjust their product.If the degree of f (0) (T ) is smaller than that of f(T ), then the first pass, suitably pipelined withBerlekamp–Massey’s algorithm, will terminate earlier. The computation of f (1) (T ) will be fasterbecause we have an easy bound on its degree, i.e., c − deg f (0) (T ), and the sequence {v 1 A j u t 1} j0must be at most twice that degree for the Berlekamp–Massey algorithm to determine f (1) (T )uniquely. Similar considerations and bounds hold for the successive factors f (i) (T ).Once f(T ) has been determined, the solution x or an element of the kernel of A can be computedas follows:• If the constant term of this minimal polynomial f(T ) is zero, v times f(T )/T evaluatedwith T = A yields an element of the kernel. This null vector is not trivial because of theminimality of f(T ).f(T ) − f(0)• If f(0) ≠0, then put g(T )= · It is immediate to verify that z = −vg(A).f(0) TWiedemann’s algorithm will, at best, be completed in a single pass, requiring 2c multiplications byA, wherec is the dimension of A, before the Berlekamp–Massey algorithm determines the (factorof the) minimal polynomial. The time required by the Berlekamp–Massey algorithm is negligiblewith respect to the time necessary to form the generating vectors of the Krylov subspace. Thevectors A i b cannot be stored, so they must be recomputed in the last phase. Hence, at best 3cmultiplications by A are required. As a consequence of the remarks after the description of theaccumulation approach for determining f(T ), the worst case cost is not much worse than the bestcase. Upon closer analysis, one sees that the Wiedemann method needs to store, apart from thematrix and the scalar quantities, only four vectors.20.3.3.dLanczos’ methodLanczos’ method solves an equation xS = y for x where S is a symmetric matrix. To use it forsolving xA = v with A nonsymmetric we set S = AA t and y = vA t , then solve xS = y. Thesolution obtained may actually differ from the desired solution by an element of the kernel of A t .In applying this method to finding a vector in the kernel of A, as in the index calculus method,the matrix will have more columns (relations) than rows (primes). If it has full column rank c, thenthe solution of the system xS =0with S = AA t will be a solution to the original system Az =0,

§ 20.3 The algorithm 503If the rank is not full, this becomes unlikely, hence in practice one adds more relations to increasethe likelihood that the column rank is in fact maximal.Putw 0 = y, v 1 = w 0 S, w 1 = v 1 − 〈v 1, v 1 〉〈w 0 , v 1 〉 w 0and define the following iterationsv i+1 = w i S, w i+1 = v i+1 − 〈v i+1, v i+1 〉〈w i , w i+1 〉 w i − 〈v i+1, v 1 〉〈w i−1 , v i 〉 w i−1.Note that the matrix S is in general not sparse and it is therefore never computed explicitly: v i+1 =w i S is in fact computed by two multiplications of a vector by a sparse matrix as v i+1 = w i AA t .The algorithm stops when w j is found to be self-conjugate, i.e., 〈w j , w j S〉 =0: this expressionappears in fact already as the first denominator of the above iterative formula.If w j =0, then a solution isx =∑j−1i=0〈w i , y〉〈w i , v i+1 〉 w iwhich is accumulated partially as the algorithm progresses.Over the reals, if S is positive definite and w j is self-conjugate, then w j must be 0, but this is notnecessarily the case in finite characteristic where there exist nonzero self-conjugate vectors. If thishappens, then the algorithm fails. When the Lanczos algorithm is used to find a solution modulo 2,such as in the number field sieve for factorization (see Section 25.3.4.g), Montgomery [MON 1995]proposed to keep subspaces instead of vectors, thus deriving a block version of the Lanczos algorithm.This has the dual advantage of greatly reducing the risk of zero denominators in the iterationabove and of speeding up the algorithm by making use of the fact that most processors can operateon a block of elements modulo 2.When p is large, the zero denominator problem can be dealt with simply by restarting the algorithmwith a different system.The Lanczos algorithm uses seven vector variables, but in fact only the storage for six is required.Each iteration of the algorithm requires one matrix-vector product (which in the case of S = AA tcosts as two matrix-vector products of the “simple” type used in Wiedemann’s method — we multiplyby A and A t separately because it is faster than multiplying by S, which is, in general, too largeto store anyway), and three inner product calculations (one calculation is preserved for the nextiteration). Since the Lanczos method will terminate in at most c iterations where c is the dimensionof A, this will be at most 2c “simple” matrix-vector products and 3c inner products. Comparedwith the Wiedemann method, the Lanczos method requires c less matrix-vector products, 3c innerproducts where the Wiedemann algorithm required only one, and roughly 50% more storage. Sincematrix-vector products will likely dominate the computation, if the storage is available, it would beeasy to draw the conclusion that Lanczos’ method seems preferable over Wiedemann’s for findingsolutions modulo large primes. In fact, if the system is very large, there might be big problems inconstructing and storing the transpose matrix A t . Therefore the use of Wiedemann’s algorithm mustbe seriously considered in some circumstances.20.3.4 FilteringAn important step that can be included between the relation search and the linear algebra is filtering.Its aim is to reduce the size of the linear system without losing the fact that it is overdetermined.This is particularly successful with the type of systems obtained in the index calculus of finite fields.

504 Ch. 20 Index CalculusThe most common filtering strategies can be divided into two types: removing useless and unnecessaryrelation, or pruning;andmerging two (respectively r) relations to build one (respectively r −1)relation(s), removing one variable in the process.Before entering into details, we should also briefly mention the removal of duplicate relations,which applies mainly to factorization problems. In factoring, relations are usually obtained bydifferent means: two sieves are commonly used, the line-by-line siever and the lattice siever, andthis may cause some overlap. Duplicate relations are removed using hashing techniques.20.3.4.aPruningSuppose that a relation of the form [a]g ⊕ [b]h = ⊕ n Bj=1 [e j]π j is found, and after the relationcollection stage we can determine that one of the primes π j appears in this relation with a nonzerocoefficient, but its multiplicity is zero in all other relations. It is clear that this relation is uselessfor the purpose of solving the discrete logarithm, and can be purged from the system, decreasingdimension of the matrix and number of variables both by one. We also reduce the total weight ofthe matrix.Since at some point during pruning, the system might have more relations than absolutely necessaryto have a kernel of dimension bigger than zero, it may be possible to remove relations thatcontribute to the kernel. A natural approach to do this is to choose a variable that has a nonzero coefficientin only two relations (doublets) and remove one of these two relations. Since the variable nowhas nonzero coefficient in only one relation, that relation becomes useless and it is purged from thesystem, along with the variable. This is particularly successful if chains of doublets can be found,i.e., sequences of pairs of doublets that have nonzero coefficients in the same relation. Furthermore,closed cycles of doublets can be removed without affecting the dimension of the kernel.In order to use this approach, a database with the total multiplicities of all the primes in the factorbase is created as relations are collected.20.3.4.bMergingMerging is based on the structured Gaussian elimination as described in [POSM 1992]. This takesadvantage of both the sparsity of the matrix, and (when possible) the “unbalanced” shape of itsrows. It is in principle the usual Gaussian elimination, but it works from “right to left” in orderto eliminate the elements that appear less frequently, i.e., the larger primes first, and is only donepartially. This reduces the size of the system while attempting to preserve the sparse character ofthe matrix.The present description of merging follows Avanzi and Thériault [AVTH 2004], who build uponthe strategies developed for the number field sieve method for factorization, such as, for example,those described in [CAV 2000] and in the references therein.Suppose we have two relations[a i ]g ⊕ [b i ]h =n B⊕j=1[e i,j ]π jfor i =1, 2, and, for simplicity, assume that e 1,1 = e 2,1 =1, but that the coefficient of π 1 is zero inall other relations. If we replace the two relations with the single relation[a 1 − a 2 ]g ⊕ [b 1 − b 2 ]h =n B⊕j=1[e 1,j − e 2,j ]π j =n B⊕j=2[e 1,j − e 2,j ]π jthen, clearly, the prime π 1 does not appear in the system any longer, therefore we in fact reduceboth the dimension of the matrix and the number of variables by one. It is clear that the first system

§ 20.3 The algorithm 505is solvable if and only if the merged system is solvable, and finding an element of the kernel of thesystem before the merging is equivalent to finding an element of the kernel of the new system.If the prime π 1 belongs to more than one relation we can, in the same way, merge the first relationto the other ones where π 1 appears, thus eliminating one variable and one relation once again.Note that the total weight of the matrix usually increases when one relation is merged to more thanone other relation. One should always pick the relation of smallest weight among those containing agiven variable and merge that one to the other ones. The implementor of the filtering stage must takeparticular care to merge only if this actually does not increase the complexity of the linear algebrasolution step that follows. Usually a given sparse linear algebra algorithm takes time k 1 c 2 + k 2 cωwhere ω is the weight of the matrix and k 1 ,k 2 are time constants that depend on the algorithmand on the computing architecture chosen (in practice, due to the extreme complexity of today’scomputer architectures, the latter can be correctly determined only experimentally). This meansthat this quantity, at least in principle, should not increase after a merging step.In principle, one determines a threshold t and then merges the relations containing variables thatappear at most t times in the whole system. But there might be rather complicated networks ofrelations, where two relations are adjacent if they both contain a variable to be merged, and it istherefore not clear in which order they should be removed. This cannot be considered on a case-bycasebasis, hence the most common situations have to be analyzed beforehand and “hardwired” inthe code for a specific application, taking into account the impact on the total running time of thelinear algebra step.Note also that, due to the particular shape of the matrices arising from finite field discrete logarithmor integer factorization problems, filtering is usually much more effective in those cases thanfor the hyperelliptic curve index calculus method.20.3.5 Automorphisms of the groupThe presence of an automorphism ψ for the group G has a great impact on index calculus methods,as remarked by Gaudry in [GAU 2000b, GAU 2000a]. We restate his result in the context of indexcalculus methods for generic groups:Theorem 20.6 Let G be an abelian group for which there exists an index calculus variant, with setof primes P and smoothness bound B, and which admits an automorphism ψ of order m with thefollowing properties:(i) Almost all orbits under ψ of the elements of the group have order m. The automorphismψ acts transitively on the set of primes P B , also with almost all orbits of order m.(ii) The computation of ψ can be performed in reasonable time: a computation in polynomialtime of ψ and of the verification that two elements belong to the same orbit is enough forour purposes.(iii) The automorphism acts like the multiplication by a known scalar s, say (coprime to thegroup order).The automorphism can be exploited to improve the index calculus to make:(i) The search for relations up to m times faster.(ii) The linear algebra phase up to m 2 times faster.Gaudry’s idea, originally formulated only for the Jacobians of hyperelliptic curves, is to include inthe factor base only one element for each orbit under ψ. LetP B be the original factor base, and let̂P B be the factor base containing only one element per orbit. ̂PB has cardinality ̂n B ≈ n B /m, Letthe elements of ̂P B be denoted by ̂π i .

506 Ch. 20 Index CalculusThe size of the factor base is then reduced by a factor m, and so is the number of relations to befound. The relations with respect to P B are of the form[a i ]g ⊕ [b i ]h =n B⊕j=1[e i,j ]π j .Now for all i we can write an element of P B as π i = ψ ηi (̂π γi ) where ̂π i is in the factor base ̂P Band η i and γ i are suitable integers. Hence[a i ]g ⊕ [b i ]h =n B⊕j=1[e i,j s ηi ]̂π γj =bn B⊕k=1[ ∑j : γ j=ke i,j s ηi ]̂π k .The matrix  of the resulting, reduced, linear algebra system is m times smaller than A, sotheresult about the speedup of the linear algebra phase is immediate.The important consequence of Theorem 20.6 is that in groups with automorphisms the indexcalculus can be sped up much more than Pollard’s rho method. The theorem claims a speedup up toa factor m 2 , but we expect it to be somewhat smaller for the following two reasons:1. The nonzero elements of A are, as integers, usually very small (almost always just + − 1),whereas those of  are often rather large numbers modulo |G|. Multiplications by smallnumbers can be done by repeated additions, but generic multiplications are more expensive,hence influence the performance of the linear algebra in the small system.2. The automorphism ψ introduces small overheads in the relation collection phase as well.20.4 An important example: finite fieldsWe now outline a realization of the index calculus algorithm in the case G is the group F ∗ p.Thedexpected running times are given for p →∞and d fixed or for p fixed and d →∞.According to Definition 20.2 and the usual definition of rational primes, a positive integer is B-smooth if all its prime factors are B.Lemma 20.7 [CAER + 1983, BRU 1966] Letα, β, r, s ∈ R >0 with s 0 with r>1 and100polynomial in F p [X] of norm L x (r, α) is L x (s, β)-smooth with probabilityL x (r − s, −α(r − s)/β) for x →∞.r99r

§ 20.5 Large primes 507Let B be a smoothness bound, and let the factor base S be the subset of F ∗ p d of primes of norm B.We can now apply the index calculus Algorithm 20.3.With B = L (p d −1)(1/2,√1/2)and Dixon’s approach (cf. end of Section 20.3.1) the relationcollection stage takes expected time L p d(1/2,√2). This follows from the smoothness probabilitiesgiven above, the running time of the elliptic curve factoring method if d = 1, and, ifd > 1, the fact that polynomials over F p of degree k can be factored in expected time polynomialin k and ln p [BER 1967, MCE 1969, CAM 1981, CAZA 1981, CAM 1983, SHO 1990,SHO 1991, GASH 1992]. Solving the system of linear equations takes the same expected runningtime L p d(1/2, √ 2) because the matrix is sparse. This results in an expected running timeL p d(1/2,√2).There are two important variants of the index calculus method for general finite fields F p d.Oneisbased on the number field sieve (cf. Section 25.3.4) and, given that d< √ ln p, it attains an expectedrunning time L p d(1/3, 1.923), similar to that of the number field sieve for factoring [SCH 2000b].The other method, due to Coppersmith, is called the function field sieve and applies only tod > (ln p) 2 . It actually predates the number field sieve and was the first cryptanalytic methodto break through the L x (1/2,c) barrier, but only for fields of small fixed characteristic, such asF 2 d: For such fields it attains a complexity L 2 d(1/3, 1.588). Observe that the constant 1.588 issubstantially smaller than 1.923, making DL systems in groups F ∗ 2even less desirable than RSAdsystems. It has been applied to F 2 503 [GOMC 1993]andF 2 607 [THO 2003].Remark 20.9 For finite fields in the “gap” √ ln p

508 Ch. 20 Index Calculuswhere L i does not belong to the factor base, are collected at the same time as the B-smooth ones.The L i are larger than B, but are usually bounded in size, too. For example, the condition mightbe L i ∈P B1 where B 1 is larger than B: that’s why these L i ’s are called large primes. Relationslike (20.7) are called almost-smooth relations (or 1-almost-smooth relations) or partial relations(1-partial relations), and are of course in far greater number than the B-smooth ones, called fullrelations. With this terminology, partial relations are used to construct full ones as follows: If twopartial relations with the same large prime have been found, subtracting the second relation fromthe first (exactly as we did for merging) gives a smooth relation. Such relations are usually a bitheavier than the normal ones, and thus using large primes will create a matrix that is less sparse. Onthe other hand, the search becomes much faster, reducing the total running time.Large prime matches are found using a hash table. When two relations are merged, one of themmust be removed from the list of partial relations, otherwise we might merge both relations with athird one containing the same large prime, giving rise to three linearly dependent full relations.Large prime variants have been used since the beginning of the development of factoring methodssuch as that of Morrison and Brillhart [MOBR 1975] (see Section 25.3.4) or in the first implementationof the quadratic sieve (see Section 25.3.4.b) by Gerver [GER 1983] as well as of index calculusmethods (see Odlyzko’s survey paper [ODL 1985]). In all these cases, relations obtained by mergingpartial relations with one large prime account for the majority of the relations found, and theusage of large primes brought a speedup of a factor 2 to 2.5.20.5.2 Two large primesA natural extension of the large prime idea is to use two or more large primes. Although theoriginal concept of using two large primes can be traced back to ideas of Montgomery and Silvermanfrom the mid 1980s, the classic paper on the subject is that of Lenstra and Manasse [LEMA 1994].Merging in the single large prime case is a trivial task, but dealing with more than one large primeis more difficult.One way of using two large primes is typical of factoring applications, and is related to the socalled“Waterloo variant” of searching smooth relations. The Waterloo variant has been developedby Blake et al. in [BLFU + 1984] (seealso[BLMU + 1984]) and consists in the following: insteadof testing values b = g a mod p for smoothness, the extended Euclidean algorithm is used to findintegers u, v, w with w = ub + vp where both u and w are smooth. Instead of stopping when, asis more usual, w =1and u, v are the Bezout coefficients with u ≡ b −1 (mod p), the algorithmwill be interrupted when u ≈ √ p, in which case w ≈ √ p too. Then u and w are checked forsmoothness: if they are both smooth we get a relation b = g a ≡ wu −1 (mod p). It is more likelythat two integers of size about √ p are both smooth than a single integer of size about p. Clearly,since we are actually building a single relation from two “halves,” we can admit one (or more) largeprimes in w independently from the large prime in u. This method has also been used by Thoméin his successful computation of a discrete logarithm in F 2 607 [THO 2003] — but it does not seemadaptable to the solution of DLPs in groups arising from geometric constructions. Note that, byadmitting negative exponents, we can consider either b ≡ g a (mod p) or b −1 ≡ g −a (mod p)for our purposes, according to the way we couple the large primes in “half relations” arising fromdifferent b’s. An analysis of the Waterloo variant can be found in Holt’s PhD. Thesis [HOL 2003].Another variant has been developed for the number field sieve with two factor bases [LELE 1993]and has not been adapted to the discrete logarithm case.How are full relations built from partial relations with up to two large primes? During the relationsearch, a graph is built whose vertices are the large primes. Two vertices are connected by an edgeif there exists at least one partial relation involving them both. There is a special vertex referred toas “0” (alternatively “1”), to which all primes that appear alone in a partial relation are connected.

§ 20.5 Large primes 509For the purposes of factoring a cycle in the graph it is sufficient to “eliminate” the large primesby simply multiplying together all the partial relations corresponding to the edges, since each largeprime will appear an even number of times in a cycle.For solving DLPs, all cycles containing the special vertex “0” can be used to produce a fullrelation, but only about half of all other cycles are useful. Let us see why: Letρ i =[a i ]g ⊕ [b i ]h = L i − ɛ i L i+1 + {smooth primes}for i =1, 2,...,n where the L i are large primes with L n+1 = L 1 ,andɛ i = + − 1 (this is alwayspossible by suitably replacing some ρ i ’s with their opposites). All the large primes are pairwisedifferent and, with the only possible exception of L 1 , all different from the special prime “0”. Thenρ = ρ 1 + ɛ 1 ρ 2 + ɛ 1 ɛ 2 ρ 3 + ···+ ɛ 1 ɛ 2 ···ɛ n−1 ρ nis a relation involving smooth primes and (1 − ∏ ni=1 ɛ i)L i . If L i is “0,” then ρ is always a fullrelation; otherwise ρ is a full relation if and only if ∏ ni=1 ɛ i =1:Suchacycleiscalledanevencycle.This problem does not occur in factoring applications where all the multiplicities are consideredmodulo 2, hence all cycles produce full relations in these situations.To find relations, one must therefore detect cycles containing “0” as well as even cycles in theconnected components of the graph. Cycle detection involves only a relatively small overhead, butit must be implemented with care as the graph can be very large (for example, more than 10 8 edgesamong 2 × 10 9 vertices) and managing it is not a trivial task.Note, however, that long cycles may not be very effective because they tend to generate veryheavy relations and using them can lead to a denser matrix.20.5.3 More large primesHere the landscapes for factoring and discrete logarithms start to be very different. Using morethan two large primes (and up to 4) with the Waterloo variant of factorization is in fact just usingup to two large primes for both “half relations.” See [DOLE 1995] for a four large primes variantof the number field sieve. In general, and always for discrete logarithms, one needs to considerhigher-dimensional generalizations of graphs, where the “edges” connect more than two vertices(still corresponding to primes), as in [HOL 2003], or follow Cavallar’s [CAV 2000] method inspiredfrom structured Gaussian elimination.While the multi-large-prime schemes have been very efficient for factoring, it is not clear howmore than two large primes can be used for computing discrete logarithms in groups arising fromgeometric constructions.

Chapter ¾½Index Calculus forHyperelliptic CurvesRoberto M. Avanzi and Nicolas ThériaultContents in Brief21.1 General algorithm 511Hyperelliptic involution • Adleman–DeMarrais–Huang • Enge–Gaudry21.2 Curves of small genus 516Gaudry’s algorithm • Refined factor base • Harvesting21.3 Large prime methods 519Single large prime • Double large primes21.1 General algorithmAs stated in Section 20.2.1, the index calculus algorithm can be applied to compute discrete logarithmsin the Jacobian of hyperelliptic curves. For groups of this type, the set of primes are primedivisors or, in terms of the ideal class group, prime ideals. These divisors can be single F q -rationalpoints or the sums of all Galois conjugates over F q of a non-F q -rational point: In other words, if adivisor D has Mumford representation [u(x),v(x)], D is prime if and only if the polynomial u(x)is irreducible over F q .Algorithm 21.1 Divisor decompositionINPUT: A semi-reduced divisor D =[u(x),v(x)].OUTPUT: Prime divisors P 1,...,P k and coefficients e 1,...,e k such that D = P kj=1 ejPj.1. find the factorization Q ki=1 ui(x)e iof u(x)2. i ← 13. while i k do4. v i ← v(x) modu i(x)5. P i ← [u i(x),v i(x)]511

512 Ch. 21 Index Calculus for Hyperelliptic Curves6. i ← i +17. return P kj=1 ejPjAs is common for index calculus algorithms, the prime decomposition does not require a divisor tobe reduced and two divisors in the same class will have two different decompositions.Remark 21.2 For the remainder of this chapter, once the prime decomposition of a divisor has beencomputed it will be assumed that both the Mumford representation and the prime decompositioncan be used when required and the two representations will not be explicitly distinguished.21.1.1 Hyperelliptic involutionAs stated in Section 20.3.5, using group automorphisms can have a significant impact on the speed ofthe index calculus algorithm, although this impact is in the size of the constants involved and not inthe asymptotic form of the resulting algorithm. In the case of hyperelliptic curves, the automorphismused is the hyperelliptic involution.Definition 21.3 Let C be a hyperelliptic curve given by the equation y 2 + h(x)y = f(x). Thehyperelliptic involution of a divisor D = [u(x),v(x)] is the divisor [u(x), ṽ(x)], denoted −D,where ṽ(x) :=−v(x) − h(x) (modu(x)).Since the hyperelliptic involution is an automorphism of order two, it can be used to make therelation search twice as fast and the linear algebra four times faster (more if the sparse linear algebraalgorithms of Section 20.3.3 cannot be used).In order to take advantage of the hyperelliptic involution, we act as if for every prime P ∈P B , itsimage under the involution were also in P B , but at most one copy of P and −P is actually includedin P B . The prime decomposition is rewritten to reflect that fact, i.e., if P is in the factor base andthe prime decomposition of a divisor D would call for the prime (−P ), then we replace e(−P ) by(−e)P .21.1.2 Adleman–DeMarrais–HuangWith the exception of some special cases, the first general description of an index calculus algorithmfor Jacobians of hyperelliptic curves is due to Adleman, DeMarrais, and Huang [ADDE + 1999].The algorithm can be used for curves over any finite field, but describing in full generality thevarious sub-algorithms would only make things unnecessarily confusing, so only the case curvesdefined over fields of odd characteristic and defined by equations of the form y 2 = f(x) will bedescribed in this section.Factor baseJust as the factor base is chosen such that it contains primes with a small norm when we are dealingwith the index calculus algorithm for finite fields, we attach a notion of “size” to prime divisors.For a given smoothness bound B, the factor base will then be composed of all the prime divisors ofdegree at most B, where the degree of a prime divisor is the degree of its polynomial u(x) in theMumford representation [u(x),v(x)].Definition 21.4 A divisor is said to be B-smooth if all the prime divisors in its decomposition havedegree at most B.

§ 21.1 General algorithm 513To find all the prime divisors of a given degree, it suffices to test all the irreducible polynomialsu(x) of that degree, checking to see if there exists a polynomial v(x) satisfying v(x) 2 ≡ f(x)(mod u(x)). If we also take advantage of the hyperelliptic involution, we get the following methodto find all the elements of the factor base:Algorithm 21.5 Computing the factor baseINPUT: A hyperelliptic curve C and a smoothness bound BOUTPUT: AsetP B of B-smooth prime divisors1. P B ←{}2. for every irreducible monic polynomial u(x) ∈ F q[x], deg u B do3. if u(x) ∤ f(x) and f(x) ≡ square (mod u(x)) then4. find v(x) such that deg v

514 Ch. 21 Index Calculus for Hyperelliptic Curves13. until e D is B-smooth14. return eDAlgorithm 21.7 Finding smooth principal divisorsINPUT: A factor base P B and a parameter d.OUTPUT: The prime decomposition of a B-smooth principal divisor D e =[ũ(x), ṽ(x)].1. repeat2. repeat3. choose random A(x),B(x) ∈ F q[x] of degree d4. until gcd`A(x),B(x)´ =15. ũ(x) ← B(x) 2 − A(x) 2 f(x)6. ṽ(x) ← B(x)A(x) −1 mod ũ(x)7. D e ← [ũ(x), ṽ(x)]8. D eP ← ri=1hdecomposition eiPi of D e iinto prime divisors9. until D e is B-smooth10. return D eSince the smoothing algorithm does not work for ramified primes (i.e., primes of the form [u(x), 0]),it may be necessary to find an equivalent divisor that does not contain any ramified prime in itsdecomposition. This is done as follows:Algorithm 21.8 Decomposition into unramified primesINPUT: A semi-reduced divisor D =[u(x),v(x)].OUTPUT: The decomposition of an equivalent divisor D e into unramified primes.1. d(x) ← gcd`u(x),f(x)´2. if d(x) =1 then3. find the decomposition of [u(x),v(x)] into prime divisors P ri=1 eiPi4. return D e = P ri=1 eiPi5. else6. u 1(x) ← u(x)/d(x)7. v 1(x) ← v(x) modu 1(x)8. u 2(x) ← `d(x) 2 − f(x)´ /d(x)9. v 2(x) ← d(x) modu 2(x)10. find the decomposition of [u 1(x),v 1(x)] into prime divisors P ri=1 eiPi11. find the decomposition of [u 2(x),v 2(x)] into prime divisors P sj=1 fjQj12. return e D = P ri=1 eiPi − P sj=1 fjQj

§ 21.1 General algorithm 515AlgorithmThe index calculus algorithm presented by Adleman, DeMarrais, and Huang [ADDE + 1999] differssomewhat from Algorithm 20.3. The idea behind the algorithm is to consider the kernel of the mapbetween the free abelian group Z n generated by the factor base and the Jacobian of the curve. Sincethis kernel is a lattice of Z n , working out the structure of the lattice makes it relatively easy to findthe relationship between two smooth divisors in the Jacobian.We first find smooth representations of the pair of divisors for which we want to compute thediscrete logarithm. To obtain the structure of the lattice, we must find enough smooth principaldivisors (which correspond to points in the lattice) and decompose the linear system obtained fromthese relations. It may not be necessary to completely work out the structure of the lattice, and thesearch for smooth principal divisors is ended once the discrete logarithm is found.The resulting algorithm can be written as follows:Algorithm 21.9 Adleman–DeMarrais–HuangINPUT: A hyperelliptic curve C, two divisors g and h with h ∈〈g〉, a smoothness bound B, anda parameter d.OUTPUT: An integer t with [t]g = h.1. compute the factor base P B [use Algorithm 21.5]2. n ←|P B|3. g ← P ri=1eiPi [decompose g into unramified primes]4. i ← 15. while i r do6. smooth the prime divisor P i and put the result in e P i [use Algorithm 21.6]7. i ← i +18. ˜g ← P ri=1 ei P e i9. write ˜g as a 1 × n vector denoted by v g10. h ← P sj=1fjQj [decompose h into unramified primes]11. j ← 112. while j s do13. smooth the prime divisor Q j and put the result in e Q j [use Algorithm 21.6]14. j ← j +115. ˜h ←P sj=1 fj ˜Q f16. write ˜h as a 1 × n vector denoted by v h17. M ← 0 × n matrix18. j ← 019. repeat20. j ← j +121. find a smooth principal divisor D j [use Algorithm 21.7]22. write D j as a 1 × n vector denoted by v j23. add v j to M as the j-th row

516 Ch. 21 Index Calculus for Hyperelliptic Curves24. find matrices L ∈ GL(j, Z) and R ∈ GL(n, Z) such that LMR = C where Cis a m × n matrix with all nonzero entries on the diagonal and with diagonal entriessatisfying c i | c i+1 and c i > 025. c ← Q ji=1 ci26. if c>( √ q +1) 2g then [upper bound of the group order]27. ṽ g ← v gR28. ṽ h ← v h R29. if ṽ h = tṽ g for some t ∈ Z then30. return t31. until t is foundBy setting B = ⌊log q L q 2g+1(1/2, 1/ √ 2k)⌋ and d = ⌊log q L q 2g+1(1/2, √ 2k)⌋ where the constantk depends on the speed of the linear algebra, we get:Theorem 21.10 [ADDE + 1999] LetC be a hyperelliptic curve of genus g over the finite field F q .If ln q (2g +1) 1−ɛ , then there exists a constant c 2.181 such that discrete logarithms in J C (F q )can be computed in expected time L q 2g+1(1/2,c).The constant c is in fact dependent on the value of k coming from the linear algebra, withc = k +1 √2k·The value c =2.181 is obtained when no sparse linear algebra arithmetic is assumed (with k =7.376). Although the algorithms described in Section 20.3.3 cannot be applied in this context,sparse arithmetic might still be used, giving a value of c =4/ √ 6 (assuming k =3is possible).21.1.3 Enge–GaudryThe algorithm can be adapted to fit more closely with the index calculus as described in Chapter 20(and used in the remainder of this chapter). Using results by Enge, Gaudry, and Stein [ENG 2002,ENGA 2002, ENST 2002]weget:Theorem 21.11 [ENGA 2002, Theorem 1] Let C be a hyperelliptic curve of genus g defined overF q and let log g denote the logarithm in base g. For g/ log g q>t, the discrete logarithm in thedivisor class group of C can be computed with complexity bounded by(1L q g2 , √ ( (2 1+ 1 ) 1/2 ( )) 1/2 1+.2t 2t)21.2 Curves of small genusAlthough Algorithm 21.9 is very efficient when g > log g q, it must be modified in order to beapplied for hyperelliptic curves of “small” genus, i.e., such that gg! (which implies g

§ 21.2 Curves of small genus 51721.2.1 Gaudry’s algorithmThere are three major differences with the Algorithm 21.10 when adapting the index calculus algorithmto curves of small genus:• The approach of Algorithm 20.3 is used.• The only primes considered for the factor base are those coming from F q -rational points,i.e., we are looking for 1-smooth divisors.• Rather than smoothing divisors, smooth relations are found by repeatedly looking atdifferent reduced divisors until a smooth one is found.Using these ideas, Gaudry [GAU 2000b] obtained an algorithm that is more efficient when the genusof the hyperelliptic curve is small. The second step of Algorithm 20.3 is done as follows:Algorithm 21.12 Relation searchINPUT: A hyperelliptic curve C, two divisors g and h with h ∈〈g〉, and a factor base P 1.OUTPUT: A system of r 1-smooth divisors of the form [α i]g ⊕ [β i]h.1. choose random α, β ∈{1,...,|J C(F q)|}2. D ← [α]g ⊕ [β]h3. i ← 14. while i r do5. D ← Φ(D)6. update α and β7. decompose D into prime divisors8. if D is 1-smooth then9. D i ← D10. i ← i +111. return {D 1,...,D r}Remark 21.13 To take into account the various linear algebra methods of Section 20.3.3, the desirednumber of smooth relations produced by Algorithm 21.12 (and by the remaining algorithms in thischapter) is denoted by r. In most cases, r can be assumed to be close to the size of the factor base:If Wiedemann’s method is used, we need r = |B| +1, while if Lanczos’ method is preferred, r maybe chosen somewhat larger (to get a system with higher rank).Since approximately 1 in g! divisors in the Jacobian is 1-smooth, obtaining enough relations is quitefast and takes time O ( g 2 g! q 1+ɛ) . The other steps of Algorithm 20.3 are dominated by the linearalgebra, which has running time O ( g 3 q 2+ɛ) . These running times combine to give the result:Theorem 21.14 [GAU 2000b] Let C be a hyperelliptic curve of genus g over the finite field F q .Ifq>g! then discrete logarithms in J C (F q ) can be computed in expected time O(g 3 q 2+ɛ ).21.2.2 Refined factor baseBecause the running time for Gaudry’s algorithm is dominated by the cost of solving the linearalgebra, a natural approach to improving the speed of the algorithm is to reduce the cost of the

518 Ch. 21 Index Calculus for Hyperelliptic Curveslinear algebra part. Unless new sparse linear algebra algorithms are developed, the only option is toreduce the size of the system, which means reducing the size of the factor base (since we need atleast as many relations as factor base elements).To do this, we choose the factor base B as a subset of P 1 . Since reducing the size of the factorbase makes it less likely that a random reduced divisor is smooth (or B-smooth), this increases thecost of the relation search. If the factor base is reduced too much, the relation search will eventuallybecome the dominant part of the algorithm as smooth relations become rarer. This brings us back tothe usual situation for index calculus algorithms, where optimizing the running time is a balancingact between the relation search and the linear algebra.By choosing the factor base B such that |B| = O(g 2 q g/(g+1)+ɛ ), we get the following result:Theorem 21.15 [THÉ 2003a, Theorem 2] Let C be a hyperelliptic curve of genus g over the finitefield F q . If q > g! then discrete logarithms in J C (F q ) can be computed in expected timeO(g 5 q 2− 2g+1 +ɛ ).21.2.3 HarvestingFor the index calculus of hyperelliptic curves, Avanzi and Thériault [AVTH 2004] introduce a “drastic”extension of pruning they call harvesting. The idea behind harvesting is to start with a veryoverdetermined system, in fact of k times as many relations as variables for k relatively large (evenk 100 can be useful), and then remove as many relations as possible while at the same timereducing as much as possible the numbers of variables present in the system, in order to find a smallsubsystem that is still overdetermined.How are we going to choose the equations that can be removed to obtain the smallest possiblesystem after the filtering? We remove all relations that contain “rare” variables, i.e., the variablesthat appear less frequently with nonzero coefficients in the equations of the system. If this processis repeated until the system has only a few more relations than variables, we can reasonably expectthat the result is almost as small as possible.At the end, we can obtain a system that is still overdetermined, but with much less variablesthan the elements in the original factor base. Of course there might exist a smaller subsystem ofthe original system, but that subsystem cannot be found efficiently, hence the construction by anapproximation method.Such a harvesting step, just like pruning, has the nice side effect of decreasing the multiplicitiesof all other variables that appeared in the removed relations. This means that one can see if the newsystem can be harvested again, until it reaches the desired size or it can no longer be harvested.After harvesting has been performed and the desired level of overdetermination has been reached,we can still perform merging. In fact, merging after harvesting will be, in comparison, more efficientthan if it had been performed before.Harvesting can also be viewed as a redefinition (reduction) of the factor base a posteriori (i.e., afterthe relation search has been done). Since harvesting requires more smooth relations but producesa smaller linear system, which leaves the relation search and linear algebra unbalanced (comparedto an optimized algorithm with k ∼ 1), it is only natural to readjust the original size of the factorbase to re-balance the algorithm. If, for a given k, the reduction factor of harvesting is large enough,the running time for the new optimized algorithm will be smaller than the running time with k ∼ 1.With the approach of Section 21.2.2, harvesting can be used to reduce the running time of the indexcalculus algorithm by a non-negligible factor (although only the constant term in the asymptoticrunning time is affected). In Jacobians of genus 6 curves for example, a total saving of close to 45%can be obtained using k = 100. Harvesting can also be applied to the algorithm in Section 21.3.1and Section 21.2.1 (although there is no re-balancing of the choice of the factor base in that case),

§ 21.3 Large prime methods 519but it is not yet known how well it can be adapted to the other algorithms of this chapter and ofChapter 20.ParallelizationAlthough it is not clear how to perform pruning and merging in parallel with a non shared-memorycomputer, such as a cluster, some distribution is possible (and relatively easy) for harvesting.We proceed by repeated steps as follows: Each node keeps track of its own part of the systemand lets the server know how many times each variable is used. The server can then decide whichvariables will be removed from the system and tells the nodes. The nodes then look for the relationscontaining the variables removed (and remove those equations from the system) and update thenumber of times variables are used.In order to reduce latency, variables are not removed one by one but in groups (still with the“rarest” variables first). Since removing “blocks” of variables together is likely to have a detrimentalimpact on the effectiveness of harvesting, one must be careful and choose these blocks as small aspossible without getting too much latency.Once the system is reduced to the point where harvesting is no longer possible or distributing thework is no longer advantageous, the remaining relations are collected and the filtering is completedon a single processor. If this is implemented carefully, the total amount of information transmittedis not much more than what would be transmitted to collect the full system (certainly much less thantwice that amount) while most of the work is distributed among the nodes. A major advantage ofthis approach is the distribution of the system pre-harvesting, potentially making it possible to workwith systems that would be too big to be handled by a single processor.If the expansion factor k is very large (and larger than the number of client computers involved inthe filtering), then some harvesting may be done locally by each node (and independently of othernodes), reducing the number of relations but not the number of variables (since a variable removedon one node can still be used on another). The harvesting can then be done distributively on thereduced system or the relations can be collected together and the filtering (including harvesting) canbe done on a single computer. This will reduce network traffic (as no information is communicatedon the relations that were removed locally) but will also (presumably) reduce the effectiveness ofthe filtering.21.3 Large prime methodsAs was described in Section 20.5, using large primes to decrease the time required to find relationscan have a significant impact on the running time of the index calculus algorithm.The main difference when using large primes for Jacobians of hyperelliptic curves is in theirdefinition. Whereas large primes are usually defined as all the primes not included in the factorbase, in this situation we only consider all the primes in P 1 not included in the factor base (in otherwords, we ignore large primes of degree greater than one). This restriction is not strictly speaking anecessary one, but more one of convenience.In essence, this is because a large prime must appear in at least two different divisors found duringthe relation search before it can be of any use in building smooth relations. Although almost-smoothdivisors with a large prime of degree at least 2 are more common than almost-smooth divisors witha linear large prime, the low probability that a specific prime of higher degree appears more thanonce far offsets the large number of these primes.Even if all primes outside the factor base were to be considered, the number of smooth relationsobtained due to the use of the primes of degree larger than one would be almost insignificantcompared to what is obtained using only P 1 . In practice, restricting the definition of large primes

520 Ch. 21 Index Calculus for Hyperelliptic Curvesdoes increase the running time of the relation search, but not in any meaningful way. The mainreason to restrict the definition of large prime is to reduce the amount of memory required to run thealgorithm, the set P 1 being much more manageable than the set of all primes.At the time this book was written, methods using relations with one or two large primes had beendescribed, but no effective way had yet been found to use relations with more than two large primes.The algorithms described here will therefore be limited to single and double large prime variants.21.3.1 Single large primeIn order to take advantage of the high number of almost-smooth divisors, we must find pairs of thesedivisors with the same large prime (up to sign, using the hyperelliptic involution). The approachrelies on the birthday paradox, since the large primes in almost-smooth divisor are uniformly distributedamong the set of linear large primes. In order to identify these pairs, we use a list P of thelarge primes encountered during the search and a list R of the almost-smooth divisors in which theyappeared. To avoid producing redundant relations, only the first copy of a large prime is includedin the list, and subsequent copies are used to produce smooth relations (using the correspondingdivisors to cancel the large primes).Algorithm 21.16 Single large primeINPUT: A hyperelliptic curve C, two divisors g and h with h ∈〈g〉, and a factor base B.OUTPUT: A system of r B-smooth divisors of the form D i =[α i]g ⊕ [β i]h.1. P←{} and R←{}2. choose random α, β ∈{1,...,|J C(F q)|}3. D ← [α]g ⊕ [β]h4. i ← 15. while i r do6. D ← Φ(D), update α and β7. decompose D into prime divisors8. if D is B-smooth then9. D i ← D10. i ← i +111. if D is almost-smooth with large prime P then12. if P = P j ∈P then13. R ← almost-smooth divisor containing P j14. D i ← D ⊖ R15. i ← i +116. else if P = −P j ∈P then17. R ← almost-smooth divisor containing P j18. D i ← D ⊕ R19. i ← i +120. else21. add P to P

§ 21.3 Large prime methods 52122. add D to R [almost-smooth divisor containing P ]23. return {D 1,...,D r}By choosing the factor base B such that |B| = O(g 2 q (g− 1 2 )/(g+ 1 2 )+ɛ ), we get the following result:Theorem 21.17 [THÉ 2003a, Theorem 3] Let C is a hyperelliptic curve of genus g over the finitefield F q . If q > g! then discrete logarithms in J C (F q ) can be computed in expected timeO(g 5 q 2− 42g+1 +ɛ ).In practice, smooth relations coming from smooth divisors are used, but they are not taken intoaccount to obtain this result. Since only a small number of smooth divisors are found during therelation search, they do not have a significant impact on the time required for the relation search.21.3.2 Double large primesSince almost-smooth divisors can be used to produce relations so much faster, it is natural to alsoconsider 2-almost-smooth divisors. The idea is to produce chains of 2-almost-smooth (and almostsmooth)divisors where two consecutive divisors have a common large prime. To each such chain,we associate a relation where the divisors of the chain are added to the first one in such a way thatthe common large primes between consecutive divisors are canceled.The chain produces a smooth relation if all large primes are canceled. This can happen in twoways: The first and last divisors in the chain are almost-smooth, or the first and last divisors inthe chain are 2-almost-smooth with a common large prime and the cancellation of the other largeprimes in the chain also cancels that one. It is important to notice that even if the divisors at theextremities of the chain are 2-almost-smooth with a common large prime, that large prime need notbe canceled in the relation associated to that chain. On average, the large prime common to the firstand last divisor will only cancel out in half of these chains.In order to find chains of divisors producing smooth relations, we use a graph G where thevertices are the large primes and an edge between two vertices correspond to a 2-almost-smoothdivisor containing those two large primes. Since we also want to take advantage of almost-smoothdivisors, the graph G contains an extra vertex denoted 1 and an almost-smooth divisor is associatedto the edge between its large prime and 1. The search for chains of divisors producing smoothrelations can then be viewed as a search for cycles in the graph G corresponding to the randomwalk.The general algorithm for the relation search using divisors with up to two large primes can begiven as follows:Algorithm 21.18 Double large primesINPUT: A hyperelliptic curve C, two divisors g and h with h ∈〈g〉, and a factor base B.OUTPUT: A system of r B-smooth divisors of the form D i =[α i]g ⊕ [β i]h.1. G ← empty graph2. choose random α, β ∈{1,...,|J C(F q)|}3. D ← [α]g ⊕ [β]h4. i ← 15. while i r do6. D ← Φ(D), update α and β

522 Ch. 21 Index Calculus for Hyperelliptic Curves7. decompose D into prime divisors8. if D is B-smooth then9. D i ← D10. i ← i +111. if D is almost-smooth or 2-almost-smooth then12. update G13. if a smooth divisor S is created then14. D i ← S15. i ← i +116. return {D 1,...,D r}Obviously, the graph must be updated in such a way that no redundant relations are created. Forexample, it may be possible to break down a cycle into distinct subcycles, but even if all the relationsobtained from each subcycle and from the original cycle itself are smooth, it would be undesirableto use them all since they are clearly not linearly independent.The main difference between the various double large prime algorithms is how the graph G isupdated, i.e., how edges are added to the graph. In the following sections, we will describe threeways of constructing the graph and produce only good relations. We will call these the full graph,simplified graph,andconcentric circles method.21.3.2.aFull graph methodThe first, and more natural, approach to building the graph is to use every almost-smooth and 2-almost-smooth divisor to add an edge to the graph, giving us the full graph.To avoid producing redundant relations, edges that would close a cycle are used to produce relationsbut are not added to the graph, which means that the graph G never actually contains anycycles. Since not all cycles produce smooth relations, the non-smooth relations that may be obtainedfrom these cycles (which are in fact almost-smooth relations) are used to produce an edge between1 and the non-canceled large prime.Algorithm 21.19 Full graph methodINPUT: A graph G, a set of relations R = {R e} corresponding to the edges of G, andanewalmost-smooth or 2-almost-smooth relation R.OUTPUT: Updated G and R and (if possible) a smooth relation S.1. if R is almost-smooth then2. P ← large prime in R3. if P is connected to 1 then4. (e 1,...,e i) ← path from 1 to P in G5. use R and R e1 ,...,R ei to cancel the large primes6. S ← smooth divisor obtained7. leave G and R untouched8. else9. add the edge (1,P) to G

§ 21.3 Large prime methods 52310. add R (1,P ) = R to R11. if R is 2-almost-smooth then12. P 1,P 2 ← large primes in R13. if (P 1,P 2) would create a loop in G then14. if the loop would contain the vertex 1 then15. (e 1,...,e i) ← path from 1 to P 1 in G16. (f 1,...,f j) ← path from 1 to P 2 in G17. use R and R e1 ,...,R ei and R f1 ,...,R fj to cancel the large primes18. S ← smooth divisor obtained19. leave G and R untouched20. else21. (e 1,...,e i) ← path from P 1 to P 2 in G22. use R and R e1 ,...,R ei to cancel the large primes other than P 123. if P 1 is also canceled then [smooth relation]24. S ← smooth divisor obtained25. leave G and R untouched26. else [almost-smooth relation]27. R (1,P1 ) ← almost-smooth relation obtained28. add the edge (1,P 1) to G29. add R (1,P1 ) to R30. else31. add the edge (P 1,P 2) to G32. add R (P1 ,P 2 ) = R to R33. return G, R and if possible SRemark 21.20 This method is heuristically faster than the methods in next sections but its runningtime is (at the time of this writing) still unproven. Although the relation search is faster with the fullgraph method, there is no proven bound on the weight of the system generated using this method,hence the cost of solving the linear system is unclear. If the system can be proven to be sparseenough (and its weight is not significantly greater than with the other graph methods), this is themethod that should be favored.The other methods described in the next two sections look for cycles in specific subgraphs of Ginstead of the entire full graph and limit themselves to the connected component of the vertex 1.21.3.2.bSimplified graph methodIn order to make the analysis more accessible, Gaudry, Thériault, and Thomé [GATH + 2004] introducea more restrictive approach to the graph construction. The idea is to discard edges that fallcompletely outside of the connected component of the graph containing the vertex 1.

524 Ch. 21 Index Calculus for Hyperelliptic CurvesAlgorithm 21.21 Simplified graph methodINPUT: A graph G, a set of relations R = {R e} corresponding to the edges of G, andanewalmost-smooth or 2-almost-smooth relation R.OUTPUT: Updated G and R and (if possible) a smooth relation S.1. if R is almost-smooth then2. P ← large prime in R3. if P is connected to 1 then4. (e 1,...,e i) ← path from 1 to P in G5. use R and R e1 ,...,R ei to cancel the large primes6. S ← smooth divisor obtained7. leave G and R untouched8. else9. add the edge (1,P) to G10. add R (1,P ) = R to R11. if R is 2-almost-smooth then12. P 1,P 2 ← large primes in R13. if P 1 and P 2 are both connected to 1 then14. (e 1,...,e i) ← path from 1 to P 1 in G15. (f 1,...,f j) ← path from 1 to P 2 in G16. use R and R e1 ,...,R ei and R f1 ,...,R fj to cancel the large primes17. S ← smooth divisor obtained18. leave G and R untouched19. else if one of P 1 or P 2 is connected to 1 then20. add the edge (P 1,P 2) to G21. add R (P1 ,P 2 ) = R to R22. else23. leave G and R untouched24. return G, R and if possible SThis approach has the following advantages compared to the full graph method:• The algorithm as proven bounds on both the relation search and the linear algebra.• All the cycles found in the graph produce a smooth relation since they correspond tochains of divisors with first and last divisors almost-smooth.Obviously the bound on the relation search with the simplified graph methods automatically givesan upper bound on the relation search for the full graph method. However, the bound on the linearalgebra may not hold true for Algorithm 21.19, which is why Algorithm 21.21 is still important.There are some significant disadvantages, however:• Cycles in the full graph that are not connected to 1 cannot be found.

§ 21.3 Large prime methods 525• When looking at an edge during the search, if neither of the vertices have already beenconnected to 1 then the edge is not used. But it can happen that the edge would be in theconnected component of 1 in the full graph (because of edges that are found later in thesearch or other edges that were not used). This will most likely destroy some cycles.• The relation search is slower (because of the previous points).By choosing the factor base P B such that |P B | = O(g 2 q (g−1)/g+ɛ ), we get the following result:Theorem 21.22 [GATH + 2004, Theorem 2] Let C be a hyperelliptic curve of genus g over thefinite field F q . If q > g! then discrete logarithms in J C (F q ) can be computed in expected timeO(g 5 q 2− 2 g +ɛ ).Remark 21.23 The ɛ in the exponents of Theorems 21.14, 21.15, 21.17, and 21.22 are due to ln qfactor in the running times. These ɛ hide the fact that the double large prime algorithm contains anextra ln q factors compared to the three other variants.21.3.2.cConcentric circles methodThe approach described in this section is a modification of an algorithm by Nagao [NAG 2004].Like the simplified graph method, we are looking for cycles in the connected component of thefull graph containing 1. Instead of building the graph bit by bit as almost-smooth and 2-almostsmoothrelations are found, the random walk is completely done first and then the graph is constructed.To make it possible to keep the weight of the smooth relations low enough (and give a bound onthe linear algebra), the random walk is prolonged so that the connected component of 1 containsmore cycles than necessary. The shortest relations are found by looking at the large primes inconcentric circles centered at 1, i.e., in terms of their distance to the vertex 1.In order to reduce the total cost of the index calculus algorithm as much as possible, the factorbase is again chosen with size O(g 2 q (g−1)/g+ɛ ), giving the same running time of O(g 5 q 2(g−1)/g+ɛ )as the simplified graph method (possibly with a slightly different constant). To make notation easier,three sets are constructed during the random walk:• the set F contains the smooth divisors found,• the set G contains the almost-smooth divisors, and• the set H contains the 2-almost-smooth divisors.For each concentric circle, we build a list L n of the large primes at distance n from the vertex 1 (andtheir corresponding almost-smooth relations) and a subset H n of the divisors in H that have not yetbeen used to built smooth or almost-smooth relations.Algorithm 21.24 Concentric circles methodINPUT: Sets F, G, H of respectively smooth, almost-smooth, and 2-almost-smooth divisors.OUTPUT: A system of r smooth relations.1. i ← 12. while i |F| and i r do3. D i ← i-th divisor in F4. L 1 ←{}5. j ← 16. while j |G| and i r do

526 Ch. 21 Index Calculus for Hyperelliptic Curves7. R ← j-th divisor in G8. P ← large prime in R9. if + − P ∈L 1 then10. R 0 ← almost-smooth relation for + − P11. use R and R 1 to cancel the large prime12. D i ← smooth divisor obtained13. i ← i +114. leave L 1 untouched15. else16. almost-smooth divisor for + − P ← R17. add P to L 118. j ← j +119. H 1 ←H20. n ← 121. while i r do22. L n+1 ←{}23. H n+1 ←{}24. j ← 125. while j |H n| and i r do26. R ← j-th divisor in H n27. P 1,P 2 ← large primes in R28. if + − P 1 and + − P 2 ∈L n ∪L n+1 then29. R 1 ← almost-smooth relation for + − P 130. R 2 ← almost-smooth relation for + − P 231. use R, R 1 and R 2 to cancel the large primes32. D i ← smooth divisor obtained33. i ← i +134. leave L n+1 and H n+1 untouched35. else if + − P 1 ∈L n, + − P 2 ∉L n ∪L n+1 then36. R 1 ← almost-smooth relation for + − P 137. use R and R 1 to cancel P 138. almost-smooth divisor for + − P 2 ← almost-smooth divisor obtained39. add P 2 to L n+140. leave H n+1 untouched41. else if + − P 2 ∈L n, + − P 1 ∉L n ∪L n+1 then42. R 2 ← almost-smooth relation for + − P 243. use R and R 2 to cancel P 244. almost-smooth divisor for + − P 1 ← almost-smooth divisor obtained

§ 21.3 Large prime methods 52745. add P 1 to L n+146. leave H n+1 untouched47. else48. add R to H n+149. leave L n+1 untouched50. j ← j +151. n ← n +152. return {D 1,...,D r}ParallelizationContrary to Algorithms 21.19 and 21.21, Algorithm 21.24 can be easily adapted to work distributivelyeven on non-shared memory computers. The sets F, G,andH are constructed independentlyon each node. At the beginning of every layer of concentric circles, each node has its own H n andthe server sends L n and the corresponding partial relations to the nodes. Each node computes itsH n+1 and its part of L n+1 . All the partial L n+1 ’s and corresponding partial relations (as well asthe smooth relations produced) are collected by the server and combined, keeping at most one copyof each large prime (and using supplementary appearances to produce more smooth relations).

Chapter ¾¾Transfer of Discrete LogarithmsGerhard Frey and Tanja LangeContents in Brief22.1 Transfer of discrete logarithms to F q -vector spaces 52922.2 Transfer of discrete logarithms by pairings 53022.3 Transfer of discrete logarithms by Weil descent 530Summary of background • The GHS algorithm • Odd characteristic • Transfervia covers • Index calculus method via hyperplane sectionsIn this chapter we give three different methods of how to transfer the discrete logarithm problemon the Jacobian of a curve to the discrete logarithm problem on a different group where it might beeasier to solve. The cryptographic implications on the security of the DL systems are discussed inChapter 23.We briefly show the transfer to the additive group of a finite field in the exceptional case wherel = p. The next section shows how the pairings introduced in Chapter 6 can be used to transfer thediscrete logarithm problem. Then we explain in detail how the methodology of Weil descent can beused to transfer the discrete logarithm problem from one variety to another.22.1 Transfer of discrete logarithms to F q -vector spacesLet C/F q ,q = p d be a hyperelliptic curve of genus g and assume that p ||Pic 0 C|. For this case, itis shown in Section 4.4.3.a that there exists a map from Pic 0 C [p] to Ω0 (C), theF q -vector space ofholomorphic differentials on C. This space is isomorphic to F 2g−1q . Even though computing themap involves some effort, the complexity of computing it is in O(lg q).This means that the discrete logarithm problem in Pic 0 C [p] can be transferred efficiently to F2g−1 q ,where it can be solved by methods generalizing the Euclidean algorithm (for g =1) and linearalgebra techniques in general. These methods run in O ( (2g−1) lg(q) k) ,wherek is a small constant.Note that this transfer is only interesting if one considers the discrete logarithm problem inPic 0 C [p] and, hence, if p is sufficiently large. For a random curve this situation will not occur.The general case for this transfer is presented in [RÜC 1999], for elliptic curves this method wasdiscovered by several authors [SAAR 1998, SEM 1998, SMA 1999a].F q529

530 Ch. 22 Transfer of Discrete LogarithmsFor applications this case can be easily identified. So far only destructive consequences of thistransfer are known, namely breaking of the discrete logarithm problem in Pic 0 C [p] by transfer to theeasier problem.22.2 Transfer of discrete logarithms by pairingsAs usual, let C/F q ,q = p d be a hyperelliptic curve of genus g. We consider the discrete logarithmproblem in a subgroup of Pic 0 C of prime order l. Letk be such that l | qk − 1.In Chapter 6, the Tate–Lichtenbaum pairing was defined. For our purposes the following versionis most useful. As in Chapter 16 we interpret the Tate–Lichtenbaum pairing as the pairingT l : J C (F q )[l] × J C (F q k) → F ∗ q k[l],( D, __E __) ↦→ ( f D(E) ) __q k −1lwhere D __and E __are elements of J C (F q )[l] respectively J C (F q k) and F ∗ q[l] are the l-th roots ofkunity. We let D __and E __be represented by the divisors D and E such that no point P ∈ C occurs inboth E and D.The original Tate–Lichtenbaum pairing is not degenerate. In our version this is expressed by thefollowing fact: for randomly chosen E __∈ J C (F q k) and D __≠0we get T l ( D, __E) __≠1. Chapter 16deals with the efficient implementation of this map showing that computing T l is polynomial in q k .The implications on the discrete logarithm problem are immediate. Consider the subgroup oforder l of Pic 0 __C and let D be the base point. The degree of extension k can be obtained from q andl. Choose E __randomly in J C (F q k). One can expect that T l ( D, __E) __=ζ, whereζ is an l-th root ofunity. Then the discrete logarithm problem F __=[n] D __can be transferred to F ∗ q[l] by computingkT l ( D, __E __) and T l ( F, __E) __and observing thatT l ( F, __E) __=T l ( D, __E __) n .If k is small, the pairing can be efficiently computed and the discrete logarithm problem can besolved in the group of l-th roots of unity in F q k by methods explained in the examples of Chapter 20.For elliptic curves this transfer was pointed out in [MEOK + 1993]. The general case is consideredin [FRRÜ 1994, FRMÜ + 1999].We like to stress that the transfer is possible in any case. Negative implications are that for smallk a cryptosystem built on Pic 0 C can be attacked using the pairing (cf. Chapter 23) while the positiveapplications of the transfer are dealt with in Chapter 24. As shown in Section 24.2.2, the embeddingdegree k is always small for supersingular curves.22.3 Transfer of discrete logarithms by Weil descentThe principle of transfers by Weil descent is that one transfers the discrete logarithm problem fromJ C (F q k) to the discrete logarithm problem of its Weil descent and then uses additional structures onthis higher dimensional variety. Here, we present 3 variants that have been proposed in the literature.The mathematical background is explained in Chapter 7.Note that for security considerations it is not enough to exclude these cases as Weil descent isa far more general concept. It is applicable in composite fields. We start with a finite field F q k,q = p d , and assume k>1.With the main applications in mind (see Chapter 23) we are especially interested in the case thatPic 0 C contains a large subgroup of prime order l. This is needed in some places and mentionedthere, but we would like to stress here that this is no real restriction, just the most interesting case.

§ 22.3 Transfer of discrete logarithms by Weil descent 53122.3.1 Summary of backgroundWe recall that the Weil descent W Fq k /F q(A)(F q k ) of an abelian variety A/F q k has the propertyW Fq k /F q(A)(F q )=A(F q k).By the construction (either by using affine pieces or by Galois theory cf. Chapter 7) this identificationcan be made explicit and realized computationally. So, obviously, the discrete logarithmproblem can be transferred from A(F q k ) to W Fq k /F q(A)(F q ). It can happen that W Fq k /F q(A)(F q )is a factor of the Jacobian variety of a curve D/F q . Equivalently this means that we can embedD into W Fq k /F q(A). Then the discrete logarithm problem in W Fq k /F q(A)(F q ) is transferred to thediscrete logarithm problem in the Jacobian of D.This situation can be realized by covers for A = J C .AcurveD/F q is called a cover of C/F q kif there exists a nonconstant morphismψ : D Fq k→ Cdefined over F q k. Under this condition the transfer can be made explicit by norm and conorm mapsof divisor classes. As usual we denote by ψ ∗ the induced map from Pic 0 C to Pic0 D Fq. It correspondskto the conorm map of divisors in the function fields ψ ∗( F q k(C) ) ⊂ F q k(D).Next we use the inclusion F q (C) ⊂ F q k(D) to define a correspondence map on divisor classesφ :Pic 0 C → Pic 0 Dgiven byφ := N Fq k /F q◦ ψ ∗ .We assume that both D and the cover map ψ are explicitly given and that ψ can be computedquickly.Of course, the efficiency of the transfer depends heavily on the genus g ′ of D. As J D needsto contain the considered subgroup of W Fq k /F q(A)(F q ) the genus cannot be too small as by theHasse–Weil Theorem 5.76 and its corollary we have |J D (F q )| = O(q g′ ). If the subgroup underconsideration has size O(q gk ) we haveg ′ gk. (22.1)22.3.2 The GHS algorithmIn this section we want to explain the (until now) most successful applications of the idea to useWeil restriction to get a transfer of discrete logarithms. Building on [GASM 1999] Gaudry, Hess,and Smart [GAHE + 2002b] developed it for C an elliptic curve E defined over binary fields,q = 2 d . For this reason we shall call it the GHS algorithm. This section contains materialfrom [DIE 2003], [GAL 2001b],[GAHE + 2002a], [HES 2003], [JAME + 2001], [MAME + 2002],[MEQU 2001], and [THÉ 2003b].We describe the more general setting of starting with a hyperelliptic curve C of genus g.Let C/F q k be given by the usual equationC : y 2 + h(x)y = f(x), f(x),h(x) ∈ F q k[x],where f is monic of degree 2g +1and deg(h) g (cf. 4.3).

532 Ch. 22 Transfer of Discrete LogarithmsRemark 22.1 To use Artin–Schreier theory we make a change of variables and writeC : v 2 + v = ˜f(x),where v = y/h(x) and ˜f(x) =f(x)/h 2 (x). Note that in general ˜f(x) is not a polynomial. Byabuse of notation, from now on we write the equation asC : y 2 + y = f(x),f(x) ∈ F q k(x).The crucial ingredient for the algorithm is a careful choice of an extension of the Frobenius automorphismφ q : F q k → F q k to an isomorphism on F q k(C) into its algebraic closure. We extend φ qto an automorphism of F q k(x)/F q by requiring φ q (x) =x and φ q (y) =y (1) such that the followingequation is satisfiedC φq : y (1)2 + y (1) ( )= φ q f(x) .The field F q k(C φq ):=F q k(x)[T ]/ ( ( ))T 2 + T − φ q f(x) is the function field of a hyperellipticcurve C φq with rational subfield F q k(x).) (( )We repeat this construction to get F q k(Cφ i q = Fq k Cφ i−1 φq) ( )q and note that Fq k Cφ k q =F q k(C).( ) ( )Take F ′ as composite of the fields F q k(C), F q k Cφ q ,...,Fq k Cφ k−1q . It is a Galois extensionof F q k(x) with a two-elementary Galois group of order 2 m with m k. The algebraic closure ofF q k in F ′ has degree at most 2. To simplify the exposition we assume from now on that the degreeis equal to 1 and so F ′ is the function field of an absolutely irreducible nonsingular curve D ′ definedover F q k. The inclusion F q k(C) ↩→ F ′ induces a coverψ : D ′ → Cof degree 2 m .We assume k is either equal to 2 or odd. Then one has that the Frobenius automorphism φ q onF q k(C) has an extension to an automorphism φ q ′ of F ′ of order k. DefineF = F ′φq ′ as fixed fieldof φ q ′ .Lemma 22.2 The field F is a function field in one variable with field of constants F q containingF q (x) as subfield of index 2 m .The projective curve D corresponding to F has the property thatD · F q k = D ′ .Hence, we are in the situation described at the beginning and the cover ψ induces a homomorphismφ :Pic 0 C → Pic0 D ,φ=N F q k /F q◦ ψ ∗ .The map φ is useful if the subgroup we are interested in is mapped injectively to Pic 0 D . For the mostinteresting cases Diem [DIE 2003, Theorem 1] shows that this requirement is satisfied.Proposition 22.3 Assume that k is a prime and that C cannot be obtained by constant field extensionfrom a curve defined over F q . Then the kernel of φ contains only points of order 2.This encourages us to go further and study explicitly the construction of D. In the sequel we assumek to be prime. We give an affine part of D as an intersection of hyperplanes. Therefore, we take a

§ 22.3 Transfer of discrete logarithms by Weil descent 533basis (α 0 ,α 1 ,...,α k−1 ) of F q k as F q -vector space, where we additionally require ∑ k−1i=0 α i =1.We introduce the variables x j ,y j for j =0,...,k− 1 byk−1∑k−1∑x = α j x j and y = α j y j .j=0By Proposition 7.1, we get a system of equations defining an open affine part W a of the Weilrestriction W Fq k /F q(C) in the affine space A 2k by plugging in these expressions for x, y into theequation defining C.Define the hyperplanesH j : x j = x 0for j =1,...,k− 1,thenk−1⋂D a := W a ∩is an affine nonempty open part of the curve D. Thus D can be computed in principle.Remark 22.4 Up to this point of discussion we did not use that q is even. From now on this willbecome crucial.We have defined the function fields F q k(C φq i ) and their composite field F ′ . To determine m weuse Artin–Schreier theory and get that the Galois group of F ′ /F q k(x) is isomorphic to a subspaceU generated by the classes of {f,φ q (f),...,φ k−1q (f)} of the F 2 -vector space F q k(x)/P(F q k(x)),where P : z ↦→ P(z) =z 2 + z is the Artin–Schreier operator. Thus m is equal to dim F2 (U){ {m =dim span F2 f,φq (f),...,φ k−1 q (f) }} .The genus of the resulting curve will depend heavily on m. In fact we will show that for ellipticcurves and some hyperelliptic curves one has g ′ = g2 m−1 − 1 or g ′ = g2 m−1 .To compute m under the additional assumption gcd(d, k) =1we observe that U is not only avector space over F 2 but even a F 2 [Gal(F q k/F q )]-module. The assumption that C is not definedover F q implies that U is nontrivial. As φ q (y) =y (1) we get that m depends on the length of theorbit of y.Hence,m = κϕ 2 (k) or m = κϕ 2 (k)+1 (22.2)with some natural number κ =1,...,(k − 1)/ϕ 2 (k), where ϕ 2 (k) is the multiplicative order of 2modulo k.For Mersenne primes, i.e., primes k of the form 2 a − 1, ϕ 2 (k) =a is minimal. If κ =1then thegenus of D can be as low as g2 ϕ2(k) = gk which is minimal according to (22.1).The Mersenne primes in the cryptographically important range arej=13, 7, 31, and 127.For these primes some curves may allow κ =1and, hence, the transfer will lead to a probablyeasier problem. For k =3it is possible to find curves with g ′ =3g.A further class of primes k leading to a small ϕ 2 (k) are the Fermat primes given by k =2 2a +1.In the cryptographically important range they arej=0H j3, 5, 17, and 257.

534 Ch. 22 Transfer of Discrete LogarithmsExplicitly, if k =5and g =1, the minimal genus one can obtain is 7;ifk =17, the minimal genusis 127, andfork = 257, itis32768. For the latter two cases, g ′ is already quite high in relation tok.In the literature [DIE 2001, GAHE + 2002b, MEQU 2001, THÉ 2003b] one finds examples ofcurves C and fields F q k with small κ and ϕ 2 (k) and, hence, of examples where the transfer leads toa curve of relatively small genus.( )Cφ m−1q . An interest-The integer m was determined such that F ′ is defined by F q k(C),...,F q king special case is that D is hyperelliptic. In this case one can use the highly optimized arithmetic inits divisor class group, and the index-calculus methods for computing the discrete logarithm in thesegroups are well analyzed. (But see Remark 22.8.) So it seems worthwhile to look for conditionswhich yield that D is hyperelliptic.We recall that we have to find a subfield L of F ′ of degree 2 such that L is rational over F q k.We give a sufficient condition for this and show how the proof works. An additional benefit isthat one can also easily compute the genus of D ′ and hence of D by using the explicit generation ofthe rational subfield. The field F is then obtained as the fixed field of the Frobenius.Proposition 22.5 Let C/F q k with k odd be a nonsingular hyperelliptic curve of genus g given byan equationC : y 2 + y = f(x) (22.3)with f(x) =(αx + β)+ u(x)v(x) , 2 β ∈ F q k,α∈ F q k F q ,u(x),v(x) ∈ F q [x], deg(u) 2g +1and deg(v) g.Then D ′ is hyperelliptic of genus g2 m−1 − 1 or g2 m−1 .Remarks 22.6(i) Note that these conditions are always satisfied for elliptic curves. The original paper[GAHE + 2002b] gives an explicit description of the equation that is a special case ofthe result given below.(ii) Thériault [THÉ 2003b] shows which genus is assumed depending on conditions on uand v.The crucial step for establishing this result is the explicit construction of L. This field is constructedas composite of fields L i of index 2 in F q k(C)·F q k(Cφ i q).SinceFq k(Cφ i q)is a quadratic extensionof F q k(x) with equationy (i)2 + y (i) = φ i q(αx + β)+ u(x)v(x) 2we get by Artin–Schreier theory that L i is defined byt 2 i + t i =(αx + β)+ u(x)v(x) 2 + u(x)φi q (αx + β)+v(x) 2 =(αx + β)+φi q (αx + β)for t i = y + y (i) and, hence, has genus 0.Taking the composite L of these L 1 ,...,L m−1 and following the same procedure we obtain thatL is a rational extension of F q k with [L : F q k(x)] = 2 m−1 . This dependence can be made explicitby expressing L = F q k(c) with x(c) =λ −1 + ∑ m−1i=0 λ ic 2i , with λ i ∈ F q k,λ 0 ,λ m−1 ≠0.Inserting this expression for x in the definition of F q k(C), we get an equationy 2 + y = ˜f(c)from which one can read off the genus. As k is assumed to be odd, the fixed field under the Frobeniushas the same genus and one can obtain F from F ′ .

§ 22.3 Transfer of discrete logarithms by Weil descent 535For curves C given by an equation of the type (22.3) we can explicitly give the equation of theresulting curve. Let min α (z) be the minimal polynomial of α in φ q , i.e., min α (φ q )(α) =0and oneadditionally requires min α (φ q )(1) = 0. Furthermore, let µ ∈ F q k be such that Tr Fq k /F q(µ) =1and let F q k = F 2 (θ). We now give the algorithmic description taken from [THÉ 2003b] of how toobtain D explicitly.Algorithm 22.7 Weil descent of C via GHSINPUT: The curve C : y 2 + h(x)y = f(x) +(αx + β)h(x) 2 , of genus g with f(x),h(x) ∈F q,β ∈ F q k ,α∈ F q k F q, deg(f) 2g +1, deg(h) g, and F q = F 2 d.OUTPUT: The curve D :ỹ 2 + ˜h(c)ỹ = ˜f(c).1. for i =0 to k compute φ i q(α) as expression over F 22. compute min α(z) and m ← deg`min α(z)´3. ν ← `min α(θ 2d )/(θ 2 − 1)´(β)4. if Tr Fq k /F 2(β) =0 then ν β ← ν5. else u(φ q)= φk q −1min and ν α(φ q) β ← ν − Tr F q k /F 2 (β)u(φ q)(1)6. find 0 i k − 1 with Tr Fq k /F q(θ i ) ≠0and set µ ←θ iTr Fq k /Fq (θi )7. for i =1 to m − 1 do γ i ← φ i q(α) − α and δ i ← φ i q(β) − β8. for i =1 to m − 1 do9. ɛ i ← γ i and ρ i ← δ i10. for j = i +1 to m − 1 do γ j ←11. s m−1 ← c12. for i = m − 2 down to 0 do13. s i ← 1 `s2ɛ i+1 i+1 − s i+1 − ρ i+1´14. express s 0(c) =λ −1 + P λ ic 2i15. ˜λ ←P k−1i=0 φi q(µ) P i−1j=0 φj q(φ q(λ 0)ν β ) and c ← 1λ 0(˜c − ˜λ)16. x(˜c) ← s 0(˜c) and z(˜c) ← s 1(˜c), ˜h(˜c) ← h(x(˜c))“γjɛ i” 1/2−“γjɛ i”and δ j ← δ j − ρ iγ jɛ i17. ˜f(˜c) ← f`x(˜c)´+`TrFqk /F q(µ 2 α)x(˜c)+Tr Fq k /F q(µ 2 β)´˜h(˜c)218. ˜f(˜c) ← ˜f(˜c)+`P k−1i=0 φi q(µ 2 − µ) P ij=0 φj q(s 1(˜c))´˜h(˜c)219. return D :ỹ 2 − ˜h(˜c)ỹ = ˜f(˜c)To actually transfer the discrete logarithm problem from J C (F q k) to J D (F q ) one first uses x = x(˜c)to embed F q k(C) into F ′ = LF q k(C) and then the norm down to F q (D).Remark 22.8 If one gives up the restriction that the resulting curve D should be hyperelliptic,one does not need curves of the form (22.3). Nevertheless the transfer of the discrete logarithmproblem can be very efficient. In fact, new results of Diem [DIE 2005] motivate that in many casesthe index-calculus method will be more effective if D is not hyperelliptic. The reason is that itsefficiency depends on the degree of plane models of D, and this degree is g +1for genericcurves but for hyperelliptic curves in canonical form it is 2g +1or 2g +2.Menezes and Qu [MEQU 2001] give a complete study of all fields F 2 d for primes d ∈ [100, 600]stating the minimal m that could occur for an elliptic curve over F 2 d. Furthermore, they also considerthe finite field F 2 155, which had been proposed to offer computational advantages for the field

536 Ch. 22 Transfer of Discrete Logarithmsarithmetic (cf. Chapter 11). The genus of the resulting curve D is given by 2 m or 2 m − 1. Thisstudy is extended in [MAME + 2002] to composite d in the same interval.Galbraith, Hess, and Smart [GAHE + 2002a] extend the GHS method to more curves over thesame field by additionally applying isogenies of small degree. This shows that more curves allow Dto have comparably small genus but still the fraction is negligible (about 2 33 out of the 2 156 isogenyclasses for elliptic curves over F 2 155). Hess [HES 2003] considers Weil descent to nonhyperellipticcurves and bounds the genus of the resulting curve. Especially for the field F 2 155 he shows thataround 2 123 isogeny classes of elliptic curves E/F 2 155 lead to a curve D such that the discretelogarithm in J D (F 2 5) can be computed faster than on J C (F 2 155).In [METE + 2004] the authors consider Weil descent as a transfer of the discrete logarithm problemof an elliptic curve over a composite field F 2 d where d is divisible by 4 or 5. Furthermore, theylook at F 2 161 = F q 7 with q =2 23 .Remark 22.9 Hess [HES 2003] and Thériault [THÉ 2003b] study Weil descent on general Artin–Schreier curves defined by an affine equation of the formy p − y = f(x),f(x) ∈ F q k(x) and q = p d .In fact, most results stated here for p =2hold in more generality.22.3.3 Odd characteristicIn principle the same approach can be taken in the case of odd characteristic. However, the resultingfield F ′ will rarely have a subfield rational over F q k. The background of the generalization ispresented in [DIE 2001]and[DIE 2003]. Thériault [THÉ 2003c] studies for which fields and typesof equation one obtains that D is of the same type as the original curve C.For our exposition we concentrate on the case that F q = F p d with p odd and that C/F q k ishyperelliptic of genus g given by an affine equation of the formC : y 2 = f(x),f(x) ∈ F q k[x] and deg(f) =2g +1.Like for even characteristic one needs a suitable extension of the Frobenius automorphism φ q fromF q k/F q to an isomorphism on F q k(C) into its algebraic closure. We extend φ q to an automorphismof F q k(x)/F q by requiring φ q (x) =x and φ q (y) =y (1) such that the following equation is satisfiedC φq : y (1)2 = φ q(f(x)).The field F q k(C φq ):=F q k(x)[T ]/ ( ( ))T 2 − φ q f(x) is the function field of a ) hyperelliptic ( curve )C φq with rational subfield F q k(x). LetF ′ be the composite of F q k(C), F q k(Cφ q ,...,Fq k Cφ k−1q .One obtains that[F ′ : F q k(x)] = 2 m with m =dim F2 (U),where U is an F 2 -vector space generated by the images of φ i q(f), 0 i

§ 22.3 Transfer of discrete logarithms by Weil descent 537Let r be the number of places in F q (x) that ramify in F q F . Since all ramification orders are equalto 2, and hence the ramification is tame, the Hurwitz genus formula 4.110 yieldsand so2g ′ − 2=−2 × 2 m + r × 2 m−1For prime k and elliptic curves E it is shown in [DIE 2003]:g ′ =2 m−2 (r − 4) + 1. (22.4)• If k =2, 3, 5, 7 there exists an elliptic curve E over F q k such that g = k. Ifk =2or 3,E can additionally be chosen such that F is hyperelliptic.• If k 11 and q k 2 160 ,thenq g 2 5000 and thus the discrete logarithm problem inJ E (F q k) is transferred to a far larger group.It follows that the GHS algorithm in odd characteristic transfers the discrete logarithm problem toone that is harder to solve if the extension degree is different from 3, 5,or7.Extending this work, it is shown in [THÉ 2003b] that k =2and k =3are the only degrees ofextension leading to a hyperelliptic curve D. Explicitly the following theorem is shown:Theorem 22.101. LetC : y 2 =(x − a)h(x) =(x − a)2g∑i=0h i x i ,h i ∈ F q and a ∈ F q 2 F q .Then the Weil descent gives rise to a hyperelliptic curve of genus 2gD : v 2 =(a − φ q (a)) 2g+3 s(u)2g∑i=0h i(a(u − φq (a) ) 2− φq (a)(u − a) 2) is(u) 2g−i ,where s(u) = ( u − φ q (a) ) 2− (u − a) 2 .2. LetC : y 2 =(x − a)h(x),h(x) ∈ F q [x] and a ∈ F q 3 F q .Then the Weil descent gives rise to a hyperelliptic curve over F q of genus 4g +1,whichcan be computed explicitly in the coefficients of h and depending on the class of qmodulo 12.3. LetC : y 2 =(x − a)(x − φ q (a))h(x),h(x) ∈ F q [x] and a ∈ F q 3 F q .Then the Weil descent gives rise to a hyperelliptic curve over F q of genus 4g − 1,whichcan be computed explicitly in the coefficients of h and depending on the class of qmodulo 12.We refer to the paper for details and proofs. If one is willing to give up the hyperellipticity of theresulting curve, the transfer is useful for a larger class of curves. In [DIE 2003] one finds that forC : y 2 =(x − a 1 )(x − a q 1 )(x − a 2)(x − a q 2 ) ···(x − a g+1)(x − a q g+1 ), (22.5)

538 Ch. 22 Transfer of Discrete Logarithmswhere the a 1 ,a q 1 ,...,a g+1,a q g+1 ∈ F q 3 F q are pairwise distinct, the resulting function fieldF ′ /F q 3 has genus 3g. It does not contain a rational subfield but the fixed field of the Frobeniusφ q has degree 4 over F q (x).22.3.4 Transfer via coversIn Section 7.4.3 we have described a method of transferring the discrete logarithm from a subgroupof the Jacobian of a curve C over F q k to the Jacobian of a curve D defined over F q by using coversin a more general way than is done in the GHS algorithm. In particular, it is not necessary that thecurve C is not defined over F q ; the “twist,” which ensures that the transfer map is injective on theinteresting part of the divisor group is obtained by the cover map, which is not defined over F q .Instead of following the Weil descent strategy as extended from the GHS method, we take a moretheoretical approach andstudywhichgenerag ′ could occur for D/F q , a cover of C/F q k, dependingon k and g. It may then be possible to construct a curve C that actually assumes these parameters.In fact, the example presented at the end of the previous section was constructed this way.We first show how this method works in the GHS situation for curves defined over F q k that arenot defined over a subfield. Then we consider transfers via covers for trace zero varieties. Here, itis important that the method applies also to curves defined over a subfield.22.3.4.aThe GHS situationAs in the previous section, we assume that the curve C/F q k is not defined over a subfield. We usethe notions developed in the GHS method. Our main objective is to study systematically how theGalois group Gal(F q k/F q ) operates on the branched places of F q kF ′ /F q k(x), where like before F ′is the composite of F q k(Cφq) i , 0 i

§ 22.3 Transfer of discrete logarithms by Weil descent 539g k Tuples r m g ′1 2 (1)(1)(1)(10) 5 2 23 (110)(110) 6 2 34 (1)(1110) 5 4 55 (11110) 5 4 57 (1110100) 7 3 72 2 (1)(1)(1)(1)(1)(10) 7 2 43 (110)(110)(110) 9 2 64 (1110)(1110) 8 3 95 (1)(111110) 7 5 257 (1111110) 7 6 493 2 (1)(1)(1)(1)(1)(1)(1)(10) 9 2 63 (110)(110)(110)(110) 12 2 94 (1)(1)(1)(1)(1)(1110) 9 4 215 (11110)(11110) 10 4 257 (1110100)(1110100) 14 3 21By these methods and extensions to the case of k =4,[DIE 2001,DISC 2003] derive the followingtable. With the exception of the entry g =2,k =4(marked by ∗ ) one finds curves C attaining thebounds.22.3.4.bg\k 2 3 4 5 7 111 2 3 5 5 7 17932 4 6 9 ∗ 25 49 17933 6 9 21 25 21 1793Transfer by covers for trace zero varietiesIn Section 7.4.2 and Section 15.3 we introduced trace zero varieties of elliptic and hyperellipticcurves. Let C be a hyperelliptic curve of genus g defined over F q and k be a positive integer. TheF q -rational points of the trace zero variety J C,0 of the Jacobian of C with respect to the extensionF q k/F q is isomorphic to the kernel G of the trace map from Pic 0 C·F −→ Pic0 q kC ,i.e.,G := { D __∈ Pic 0 C·F | D __+ φq kq ( __D)+···+ φ k−1q( __D) =0}.For applications it is especially interesting to study the case that k is small and q is a prime p.The difference to the GHS method lies in the fact that C is defined over F q and thus the originalmethod fails. The way to overcome this problem is to construct a twist of C that is defined over F q kbut not over F q .Construction of the twisted coverLet ψ : D → C be a cover defined over F q , and suppose that D has an automorphism τ of orderk, such that ψ ◦ τ ≠ ψ. LetD τ denote the twist of D over the extension F q k/F q with respect toτ. (Note that D · F q k ≃ D τ · F q k.) In [DIE 2001, Theorem 9] it is proved that under some mildconditions the kernel of the mapJ C,0 (F q ) ↩→ Pic 0 C·F q kψ−→ ∗Pic 0 N Fq kD −→/FqPic 0 τD τ

540 Ch. 22 Transfer of Discrete Logarithmsdoes not contain a subgroup of large prime order. If the genus of D is not much bigger than (k − 1)times the genus of C, then index calculus algorithms on Pic 0 D are more efficient than square rootτalgorithms on G for solving the discrete logarithm problem.TofindsuchcurvesD we again use the theory of covers of the projective line with given ramificationtype. For simplicity assume from now on that k is a prime number. Assume that there isa rational function f on C of degree k. Take the Galois closure F of the function field of C overF q (f). The corresponding curve D covers C and has the Galois group of F/F q (f) as its group ofautomorphisms. By construction this group has cycles τ of length k with τ ◦ ψ ≠ ψ, as required.So, we have to find suitable functions f such that the genus of D is small. The first step isto do this over F q . One looks for tamely ramified covers and uses again the theory of Hurwitzspaces as in the classical case over the complex numbers. The background is delivered by thetheory of monodromy groups. This allows us to study whether “geometrically” suitable coversexist. It remains to find the definition fields for these covers and, last but not least, to construct themexplicitly. This is done in [DISC 2003].Results for small extension degreesHere we consider small degrees of extension as proposed in Section 15.3 to give a complete studyof which genera can occur depending on properties of the curve.Example 22.12 (Case k = 3andg g = 2) Take k =3and let C be any curve of genus 2. Take apoint P ∈ C(F q ),andtakef as function on C, which has a pole at P of order 3, andwhichisholomorphic everywhere else. The Galois group is the symmetric group S 3 , D covers C of degree2, and the genus of D is 6.It is interesting to note that there is a kind of converse to this statement following from results in[HOW 2001, Theorem 3.3].Let C/F q be a curve of genus 2 and assume that 3 does not divide Pic 0 C·F q. Then by the cover6approach the discrete logarithm in J C,0 is transferred to discrete logarithms in Jacobians of curvesof genus at least 6, except for very special cases.Now we specialize the (arithmetical) conditions for C. Letw : C → C denote the hyperellipticinvolution. If Pic 0 C has a divisor class D __of order 3 with representative P 1 + P 2 − 2P ∞ ,whereP 1and P 2 are in C(F q ),thenP 1 − w(P 2 ) has order 3 in Pic 0 C . Hence, there is a function f with divisor3P 1 − 3w(P 2 ). Generically, this f has the required ramification. The corresponding cover curve Dhas genus 5.By replacing C by a quadratic twist one can do this construction in the case that the point D __isdefined over F q 6.Diem and Scholten construct an explicit family of curves C, for which the covering curve C ofgenus 5 is hyperelliptic.Specializing even more and using Kummer theory one can construct in an explicit way a familyof hyperelliptic curves of genus 2 such that the cover curve D has genus 4.Example 22.13 (Elliptic curves) We are now interested in covers of elliptic curves E, which canbe used to transfer the discrete logarithm of the trace zero varieties to Jacobian varieties of smalldimension. For k =3the dimension of E 0 is 2 and so generic methods of computing discretelogarithms have complexity O(q) (cf. Chapter 19), and, hence, a transfer cannot lead to a variety inwhich the DLP is easier to solve.The first interesting case is k =5. One would like to get a cover curve of genus 4. By thedescribed method this can be done only for the curveE : y 2 = x 3 + 3165x − 31070.Next assume k =7. Assume moreover that q is prime to 6. Then one can show that there exists acover D of genus 8 for all elliptic curves E defined over the algebraic closure of F q . Until now, no

§ 22.3 Transfer of discrete logarithms by Weil descent 541explicit example is known, but for many q and many elliptic curves E/F q this cover will be definedover F q . In these cases there is a very effective transfer of discrete logarithms on E 0 , the trace zerovariety of E with respect to F q 7. This shows that extensions of degree 7 should be avoided in thedesign of discrete logarithm systems on elliptic curves.22.3.5 Index calculus method via hyperplane sectionsThe previous sections used Weil descent to construct a curve D such that the discrete logarithmproblem on J C (F q k) can be transferred to the discrete logarithm problem in J D (F q ). Such a transferis useful if the resulting problem is easier to solve. Usually, index calculus methods (cf. Chapter 21)are used in J D (F q ). If one wants to apply index-calculus methods in the group of rational points ofelliptic curves over finite fields without transfer, one has to find an appropriate factor base. It seemsto be impossible to do this by lifting techniques analogously to the case of discrete logarithms infinite fields. Diem [DIE 2004] and Gaudry [GAU 2004] found (independently) a first approach toovercome this difficulty in the case that the curve is defined over F q k with k>1. They suggest tointersect the Weil descent of J C with the hyperplanes x i =0,wherei =1,...,k− 1 in Gaudry’sapproach and i ∈ I ⊂{0, 1,...,k− 1} in Diem’s. These elements constitute the factor base for theindex calculus method.To implement the index calculus algorithm with this factor base one needs an efficient methodfor membership testing. In the case of elliptic curves this is given by the summation polynomialsintroduced by Semaev [SEM 2004].Definition 22.14 Let E : y 2 = x 3 + a 4 x + a 6 be an elliptic curve over F q k. The summationpolynomials f n are defined by the following recurrence. The initial values for n =2and n =3aregiven byf 2 (x 1 ,x 2 )=x 1 − x 2 ,andf 3 (x 1 ,x 2 ,x 3 )=(x 1 −x 2 ) 2 x 2 3 −2( (x 1 +x 2 )(x 1 x 2 +a 4 )+2a 6)x3 + ( (x 1 x 2 −a 4 ) 2 −4a 6 (x 1 +x 2 ) ) ,and for n 4 and 1 j n − 3 byf n (x 1 ,x 2 ,...,x n )=Res x(fn−j (x 1 ,x 2 ,...,x n−j−1 ,x),f j+2 (x n−j ,...,x n ,x) ) .Semaev shows that f n is uniquely defined in spite of the redundancy in the definition. One can checkthat f n (x 1 ,x 2 ,...,x n )=0, with x i ∈ F q k, if and only if there exists an n-tuple (y 1 ,y 2 ,...,y n ),with y i ∈ F q k, such that P i =(x i ,y i ) ∈ E(F q k) andP 1 ⊕ P 2 ⊕···⊕P n = P ∞ .The polynomials f n are symmetric and have degree 2 n−2 in each variable.The methods of Gaudry and Diem differ in the choice of the factor base. We describe both in thesetting of elliptic curves as there the summation polynomials are already determined even thoughthe method can be applied in more generality. Gaudry also gives the relation to the standard Weildescent method and shows that for hyperelliptic curves this approach corresponds to the standardindex calculus method with factor base given by linear polynomials.22.3.5.aChoice of the factor base by GaudryGaudry’s [GAU 2004] method is applicable for small k 3 only, as the (k +1)-th summationpolynomial is involved in a Gröbner basis computation and the complexity of this step dependsheavily on the degree.

542 Ch. 22 Transfer of Discrete LogarithmsLet E be an elliptic curve defined over F q k = F q (θ) and not over a proper subfield and putk−1∑k−1∑x = x i θ i and y = y i θ i .i=0Assume that the intersection of an open affine part W a of the Weil restriction W Fq k /F q(E)(F q ) withthe hyperplanes H j : x j =0for j =1,...,k− 1 is an irreducible curve (this is the case genericallyand can otherwise be reached by a different choice of the basis). Then one can choose the factorbaseF = {P ∈ E(F q k) | P =(x P ,y P ),x P = x P,0 ∈ F q ,y ∈ F q k}.Like in the usual index calculus algorithm for computing the discrete logarithm of Q ∈〈P 〉 onecomputes combinationsR =[m P ]P ⊕ [m Q ]Qwith random integers m P ,m Q , and hopes that R can be expressed as sum of points in F. Hereweuse that the arithmetic on W Fq k /F q(E)(F q ) is inherited from E and apply Weil descent only in thebasic form of sorting the equations according to the powers of θ.Gaudry suggests to use only such points R that allow a representation asi=0R = P 1 ⊕ P 2 ⊕···⊕P k ,with P i ∈F. The existence of such a representation can be checked with the (k +1)-th summationpolynomial which gives rise to an equation of the formk−1∑ψ i (x P1,0,x P2,0,...,x Pk ,0)θ i =0,i=0where the ψ i depend on R. This is a system of k equations in k unknowns which all have to holdindividually. Before applying Buchberger’s algorithm one should symmetrize the equations. Incase one finds a solution in the symmetric expressions one checks whether this in fact gives riseto a decomposition with x Pi,0 ∈ F q and (finally) in F. As soon as one has more equations thanunknowns, sparse linear algebra techniques allow to compute the discrete logarithm. Note that eachrow has only k nonzero entries.Remarks 22.15(i) The complexity of this algorithm is O(q k− 2 k ), where the hidden constants depend (exponentially)on k. Gaudry proposes this method for k =3or k =4only and showsthat for E defined over F q 3, the discrete logarithm problem can be solved in timeO(q 4/3 ) ≃ O(q 1.33 ). If E is defined over F q 4, then the discrete log problem can besolved in time O(q 1.5 ). These complexities are no better than those resulting from Weildescent of curves over F q k as explained in the previous sections. But there are only afew curves leading to such a small genus of D while Gaudry’s method applies to allcurves.(ii) We point out that this algorithm does not work as described if E is defined over a propersubfield F q k ′ as then all combinations of points in F lead to points in E(F qk′ ) which isusually outside of the subgroup of large prime order one is working in. A way out is tomake a different choice of the factor base by putting a different x i ≠0.Like with the standard Weil descent approaches one can also use an isogenous curvedefined over F q k.

§ 22.3 Transfer of discrete logarithms by Weil descent 54322.3.5.bChoice of the factor base by DiemDiem’s version [DIE 2004] uses a larger factor base by observing that there is no need to allowonly one nonzero coordinate of x. Let c k be an integer and put m = ⌈ ⌉kc and l = mc − k.The x-coordinates of points in the factor base lie in an m-dimensional subspace of F q k over F q .Wedescribe a simplified version and fix a polynomial basis F q k = F q (θ) and a subset I ⊂{0, 1,...,k−1} of cardinality m. We putF = {P ∈ E(F q k) | P =(x P ,y p ),x P = ∑ i∈Ix P,i θ i ,x P,i ∈ F q ,y P ∈ F q k}.To guarantee that a sufficiently large factor base can be obtained by this method in O(q m ) field operations,Diem needs to make a random choice averaging over all bases of m-dimensional subspacesand put the fixed coordinates to some randomly chosen values. We refer to his paper for details.For c < k he also uses a second factor base F ′ ⊂ F for which the x-coordinates lie in an(m − 1)-dimensional space over F q . He looks for relationsR =[m P ]P ⊕ [m Q ]Q = P 1 ⊕ P 2 ⊕···⊕P c ,such that P 1 ,...,P l+1 ∈F ′ and P l+2 ,...,P c ∈F. To check for the existence of such a splitting,the (c +1)-th summation polynomial is used and k equations are found. Unlike Gaudry he suggeststo perform this Gröbner basis computation once symbolically involving the k coefficients definingx R . The task of checking whether a given R allows such a decomposition is then simplified tochecking whether the k equations can be satisfied. To obtain a relation one finally needs to checkwhether the x Pi lead to a point defined over F q k or F q 2k. In the latter case the relation is rejected.By the choice of m and l he has k equations defining the k − 1 variables which determine theelements in F ′ and F and this is used in the analysis of the algorithm (the case c = k is alreadyconsidered in the previous section). His paper considers the complexity of the algorithm for variouschoices of c in relation to k.The asymptotic result found by Diem (heuristic since one has to make a very plausible assumption)is stated in the following proposition.Proposition 22.16 Let 0

ÎÁApplications

Chapter ¾¿Algebraic Realizations of DL SystemsGerhard Frey and Tanja LangeContents in Brief23.1 Candidates for secure DL systems 547Groups with numeration and the DLP • Ideal class groups and divisor classgroups • Examples: elliptic and hyperelliptic curves • Conclusion23.2 Security of systems based on Pic 0 C 554Security under index calculus attacks • Transfers by Galois theory23.3 Efficient systems 557Choice of the finite field • Choice of genus and curve equation • Specialchoices of curves and scalar multiplication23.4 Construction of systems 564Heuristics of class group orders • Finding groups of suitable size23.5 Protocols 569System parameters • Protocols on Pic 0 C23.6 Summary 571We want to design a public-key cryptosystem that enables us to exchange keys, sign and authenticatedocuments and encrypt and decrypt (small) messages. The system should rely on simple protocolsthat are based on secure cryptographic primitives with a well understood mathematical background.The implementation rules should be clear and easy to understand.By using the results obtained in the previous chapters, we hope to convince the reader that thesecriterions can be realized quite satisfyingly by systems based on the discrete logarithm in finitegroups G of prime order l.The purpose of this chapter is to serve as a digest of the other chapters. To this aim we brieflystate the main results and provide many references to the much more detailed descriptions in thebook.23.1 Candidates for secure DL systemsThe protocols based on discrete logarithms are described and discussed in Chapter 1. It is obviousthat the complexity of computing discrete logarithms in the chosen group is a key ingredient forthe security of the system. For actual use in practice, the DLP is used as a cryptographic primitive547

548 Ch. 23 Algebraic Realizations of DL Systemsin protocols. In this section we shall introduce examples for groups that are expected to be goodcandidates for this.23.1.1 Groups with numeration and the DLPFor the convenience of the reader we shall repeat the essential notions from Chapter 1. Let (G, ⊕)be a group of order l, wherel is a prime number. Let P, Q ∈ G be two elements. The discretelogarithm in G of Q with respect to P is a number n =log P (Q) withQ =[n]P = P ⊕ P ⊕···⊕P .} {{ }n timesThe number n is determined modulo l. To compute n (for randomly given (P, Q)) isthediscretelogarithm problem in G (the DLP in G).To enable this computation for a computer, we have to assume that G is given in a very concreteway. So, we shall assume that the elements of G are given as bit-strings of length O ( lg(l) ) .Theassumption used here is that G is a group with numeration. For the exact definition of this notionwe refer to [FRLA 2003].Furthermore, for estimating the hardness of the discrete logarithm problem, the instantiation ofG is very important. The fact that the representation plays a key role for the complexity of thecomputations of discrete logarithms is demonstrated by two examples.Up to isomorphisms there is only one group with l elements.As a first representation, we choose (G, ⊕) =(Z/lZ, +) with natural numerationf : Z/lZ → {1,...,l}m + lZ ↦→ r m such that r m ≡ m (mod l).The discrete logarithm of m 1 + lZ with respect to m 2 + lZ is computed in O(lg l) bit operations(cf. Chapter 10).In Example 1.13 we choose another representation for such a group. We find G embedded inthe multiplicative group of the finite field F p as the group of roots of unity of order l, wherep is aprime such that l divides p − 1. In this case the complexity of the DLP is subexponential in p (cf.Chapter 20).We take this opportunity to recall our measure for the complexity of algorithms introduced inChapter 1 and used many times.Let N be a natural number. DefineL N (α, c) :=exp ( (c + o(1))(ln N) α (ln ln N) 1−α)with 0 α 1 and c>0. L N (α, c) interpolates between polynomial complexity for α =0andexponential complexity for α =1.Forα

§ 23.1 Candidates for secure DL systems 54923.1.2.aMathematical backgroundLet O be a commutative ring with unit element and without zero divisors. The quotient field K ofO consists of all fractions f/g with f,g ∈Owith addition and multiplication defined by rules oneis used to follow in Q.A fractional ideal is a set A ⊆ K such that there exists an element f ∈O,sothatfA is an idealin O. The multiplication of fractional ideals is defined and associative. A first criterion to choose Ois that the fractional ideals form a group called the ideal group I(O) of O.The group I(O) will have no elements of finite order. This changes if we introduce the followingequivalence relation: two fractional ideals A, A ′ are equivalent if there exists an element f ∈ Ksuch that A = fA ′ .The resulting group is denoted by Cl(O), theideal class group of O. The neutral element in theclass group consists of the group of principal ideals Princ(O) and so Cl(O) =I(O)/Princ(O).The next criterion to choose O is that Cl(O) should have many elements of finite order. In fact, inall existing systems Cl(O) is a finite group.This advantage has a price. As usual one computes in quotient structures like Cl(O) by usingrepresentatives (in our case, ideals) of the classes, composes these representatives, and then formsthe class of the result. Since there are infinitely many elements in an ideal class, this does not leadto an algorithm if one does not have more information. There are two ways out of this difficulty.1. It is possible to find a distinguished element in each ideal class (respectively a finite[small] subset of such elements).2. It is possible to define “coordinates” and addition formulas directly for elements ofCl(O).The first possibility can be used if we have efficient “reduction algorithms” that compute the distinguishedelement in ideal classes, and the second possibility can be realized if there is a geometricbackground of Cl(O).Most interesting cases are those for which both methods can be used!23.1.2.bRealization in number fieldsHaving in mind the requirements stated above, it is no wonder that the first suggestions for systemsof discrete logarithms based on ideal classes came from number theory [BUWI 1988]. The highlydeveloped “computational number theory” based on Minkowski’s geometry of numbers made itpossible to compute efficiently with ideal class groups of the ring of integers O K of number fieldsK that are finite algebraic extensions of Q. An important special case is that K is an imaginaryquadratic field. In this case already Gauß developed a fast algorithm for computing with idealclasses. It relies on the identification of these classes with classes of binary quadratic forms. Thedistinguished ideals correspond to the uniquely determined reduced quadratic forms. A given formis transformed into a reduced one by an explicit algorithm using Euclid’s algorithm which runs inpolynomial time.The disadvantage of these systems is that the index calculus attack is very effective, i.e., thealgorithm based on the principles explained in Chapter 20 has only subexponential complexity. Oneuses prime ideals of O K with small norm to build up a factor base for Cl(O).23.1.2.cRealization in function fieldsThis motivates us to look for rings O having a similar simple structure as O K but being moreresistant against index calculus attacks. Since the beginning of arithmetic geometry in the lastcentury, it is well-known and has been often exploited that the ring O Ca of regular functions ona nonsingular irreducible affine curve C a defined over a finite field F q is a Dedekind domain with

550 Ch. 23 Algebraic Realizations of DL Systemsfinite ideal class group Cl(O Ca ) and that the arithmetic is analogous to the arithmetic of the ring ofintegers in number fields. The quotient field of O Ca is the function field (of meromorphic functions)of C a and is denoted by K(C a ).These rings and their ideal class groups are explained in Section 4.4. As size of ideals one usestheir degree, and the theorem of Minkowski about points in lattices is replaced by the Riemann–Roch theorem, which yields (amongst other results) that in every ideal class in Cl(O Ca ) there areideals contained in O Ca with small degree. (For a precise formulation see Section 4.4.6 and especiallyTheorem 4.143.) The reader familiar with the geometry of numbers will remark that thelogarithm of the absolute value of number fields is replaced by the genus g of the curve C a , respectivelyof its function field K(C a ) (cf. Definition 4.107). Already at this stage it follows that thegroup Cl(O Ca ) is at least as good as a candidate for groups, in which the group operation can beexecuted effectively, as the rings of integers in number fields.But we can go further because of the geometrical background of O Ca . The prime ideals in O Caare closely related to points on C a . To see this one takes the points P on C a with coordinatesin the algebraic closure F q of F q together with the operation of the Galois group G Fq of F q (cf.Section 4.4.4). The resulting Galois orbits G Fq· P of points correspond one-to-one to the primeideals (always taken differently from {0}) ofO Ca consisting of functions f ∈O Ca vanishing inP . By taking the order of vanishing of f at P we define a valuation v P on O Ca , and hence onK(C a ), whose valuation ring contains O Ca . Its equivalence class is called a prime divisor p ofK(C a ) corresponding to G Fq·P .One of the major advantages of the geometric theory of curves over finite fields is that it is veryeasy to compactify the affine curve C a by going to its projective closure. In principle this is doneby homogenizing the equations defining C a . The procedure is explained in Section 4.22. We find aprojective curve C containing the affine curve C a and the difference set of points consists of finitelymany “points at infinity.” The Galois orbits of these points define, as above, equivalence classes ofvaluations of K(C a ) and hence divisors p. They correspond one-to-one to the equivalence classesof valuations (and hence to prime divisors) of K(C a ) which do not contain O Ca .Because of the compactness of C the only functions that are regular at all points of C are constants.To study the arithmetic of C one has to introduce the divisor group of C (see Section 4.4.2)replacing the ideal group of O Ca . Divisors can be identified with formal sums of points on Cwith integers as coefficients. The role of principal ideals is taken by principal divisors (cf. Definition4.102) and the resulting quotient group is the divisor class group of degree 0 of C denoted byPic 0 C . By construction, it is closely related to Cl(O C a) For instance, if there is only one point atinfinity of C then Pic 0 C is isomorphic to Cl(O Ca ) by Proposition 4.140. We shall assume from nowon that this is satisfied. We denote by P ∞ this unique point at infinity.The group Pic 0 C is (in a canonical way) isomorphic to the group of rational points of the Jacobianvariety J C of C which is an abelian variety (cf. Definition 4.134) defined over F q and intrinsicallyattached to C. Together with the abstract theory comes a very concrete way to construct J C (upto birational equivalence): a consequence of the theorem of Riemann–Roch is that in every divisorclass of degree 0 of C, there is a divisor of the form ∑ ri=1 P i − rP∞ with r g. Details are foundin Section 4.4.4.23.1.2.dConclusionBeginning with an affine curve C a and its ring of regular functions O Ca we construct the associatedprojective curve C. Under the assumption that there is only a single point at infinity we can interpretPic 0 C, its divisor class group of degree 0, as both — as class group of ideals of the ring O Ca ,forwhich we have an efficient reduction theory, and as an abelian variety. Hence, we have a compactway to represent its elements and we can introduce coordinates for ideal classes and expect algebraicformulas describing the group composition in these coordinates.

§ 23.1 Candidates for secure DL systems 551Since we have related the ideal class group of O Ca to rational points of abelian varieties we canuse their rich structure in general as described in Section 4.3 and especially over finite fields (seeSection 5.2).For the choice of a ring O Ca or equivalently, an affine or projective curve C we have a lot offreedom compared with the case that the chosen ring is a ring of integers in a number field. Theparameters are1. the characteristic p of the base field F p ,2. the degree d of the ground field F q over F p ,3. the genus g C = g of the curve C (resp. the function field K(C)).The number of isomorphism classes of curves of genus g =1over F p d is about p d and for genusg 2 it is of size p d(3g−3) .Even more important is that in the geometric case we have a much stronger relation between theseparameters and the expected order of the divisor class group. By Theorem 5.76 of Hasse–Weil weget|Pic 0 C | ∼ pdg .So, if l is the desired size of the group of prime order we want to embed into Pic 0 C ,wehavetotaked lg p slightly larger than lg(l)/g.The explicit construction of the Jacobian variety represented as divisors of degree zero containingat most g affine points yields that the number of bits needed to represent group elements isO(dg lg p) =O(lg l).23.1.3 Examples: elliptic and hyperelliptic curvesIn this section we shall apply our general theory to two special families of curves called ellipticand hyperelliptic curves. The assumption we have made in Section 23.1.2.c that there is only asingle point at infinity implies that the hyperelliptic curves have a rational Weierstraß point. InSection 4.4.2.b and Chapter 14 we have studied these curves in great detail. We shall repeat theirdefinition and crucial properties for the convenience of the reader.23.1.3.aElliptic curvesAn elliptic curve E defined over F q is a projective absolute irreducible curve of genus 1 with arational point P ∞ . It can be given by an affine Weierstraß equationE a : y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 .If the characteristic is prime to 6 this equation can be transformed toE a : y 2 = x 3 + a 4 x + a 6 , with a 4 ,a 6 ∈ F q .For normal forms and invariants of the curve we refer to Table 4.1.The ring O Ea is F q [x, y]/(y 2 + a 1 xy + a 3 y − x 3 − a 2 x 2 − a 4 x − a 6 ). So it is a polynomial orderin F q (x, y) which has rank 2 over F q [x].By Riemann–Roch, we find in each ideal class of O Ea a uniquely determined prime ideal M Pof degree 1. It is generated by the two functions x − x 1 ,y − y 1 with x 1 ,y 1 ∈ F q correspondingto the point P =(x 1 ,y 1 ) of E(F q ). The Jacobian of E is isomorphic to E with zero element P ∞ .The point P corresponds to the divisor class of P − P ∞ . Hence the F q -rational points of E formin a natural way an abelian group. The addition law can be expressed either by polynomials in the

552 Ch. 23 Algebraic Realizations of DL Systemshomogeneous coordinates of points on E or by rational functions (with the appropriate interpretationif the point P ∞ is involved) in the affine coordinates (x 1 ,y 1 ).The explicit formulas can be found in great detail in Section 4.4.5 and Chapter 13.23.1.3.bHyperelliptic curvesA generalization of elliptic curves are hyperelliptic curves C. These are projective curves of genusg>1. We assume that they have a rational Weierstraß point P ∞ . Then they are determined byaffine equationsC a : y 2 + h(x)y = f(x), with h(x),f(x) ∈ F q [x], (23.1)where deg(h) g and deg(f) 2g +1. Hence O Ca = F q [x, y]/ ( y 2 + h(x)y − f(x) ) is apolynomial order of rank 2 in F q (x, y).By Riemann–Roch, we find in each ideal class of O Ca an ideal lying in O Ca of degree lessthan or equal to g. Again we get that Cl(O Ca ) is isomorphic to Pic 0 C, the divisor class group ofdegree 0 of C. In the language of divisors we get that in each divisor class of degree 0 there is adivisor D = ∑ ri=1 P i − rP ∞ where P i are points on C a , which are now not necessarily rationalover F q . If we assume that D is reduced (cf. Theorem 4.143) then D is uniquely determined. Forcomputations the representation by ideals is most convenient. It leads to the Mumford representationdiscussed already in Theorem 4.145, and which we repeat here to give a flavor of how to introduce“coordinates” for compact presentations of the classes.Theorem 23.1 (Mumford representation)Let C be a genus g hyperelliptic curve given as in (23.1). Each nontrivial group element D __∈ Pic 0 Ccan be represented via a unique pair of polynomials u(x) and v(x), u,v∈ F q [x] ,where(i) u is monic,(ii) deg v

§ 23.1 Candidates for secure DL systems 5533. s 1 ← c 1e 1,s 2 ← c 1e 2 and s 3 ← c 24. u ← u1u2 s1u1v2 + s2u2v1 + s3(v1v2 + f)d 2 and v ← mod ud5. repeat6. u ′ f − vh − v2←uand v ′ ← (−h − v) modu ′7. u ← u ′ and v ← v ′8. until deg u g9. make u monic10. return [u, v]23.1.4 ConclusionTo design DL-based cryptosystems we have the following results:• In ideal class groups Cl(O) of orders O in number fields or function fields over finitefields one can perform the group operation in polynomial time.• Let O be the ring of regular functions on an affine nonsingular curve C a of genus g overa finite field F q . There is a close connection between Cl(O) and Pic 0 C , the divisor classgroup of the projective curve associated to C a . Moreover Pic 0 C is equal to the set ofrational points of the Jacobian variety of C. So its order is of size g g .• If C is an elliptic curve E we have thatPic 0 E ≃ Cl( F q [x, y]/(y 2 + a 1 xy + a 3 y − x 3 − a 2 x 2 − a 4 x − a 6 ) ) .The curve E is isomorphic to its Jacobian variety with P ∞ as zero element. The elementsin Pic 0 E correspond one-to-one to the rational points E(F q) and hence can be representedby bit strings of size O(lg |E(F q )|) =O(lg q). The addition law described by explicitformulas can be found in Chapter 13 and is done in O(lg q) bit operations.• If C is a hyperelliptic curve of genus g with an F q -rational Weierstraß point P ∞ we havethatJ C (F q ) ≃ Pic 0 C ≃ Cl ( F q [x, y]/ ( y 2 + h(x)y − f(x) )) ,with h, f ∈ F q [x] and deg(h) g, deg(f) =2g +1.Hence, the points in Pic 0 C can be given by ideals in Mumford representation and theaddition is done by Cantor’s algorithm. So Pic 0 C is a group in which elements can berepresented by bit strings of size O(lg |Pic 0 C|) and addition is done in O(lg |Pic 0 C|) bitoperations.Remark 23.3 Obviously the arithmetical properties of elliptic and of hyperelliptic curves are completelyanalogous. For this reason we often interpret elliptic curves as “hyperelliptic curves of genus1” without mentioning it.

554 Ch. 23 Algebraic Realizations of DL Systems23.2 Security of systems based on Pic 0 CIn the last section we have seen that ideal class groups attached to elliptic and hyperelliptic curveslead to groups in which elements have a compact representation and in which the composition lawis computable in polynomial time.In generic black-box groups of order N, the results by Shoup show that the discrete logarithmproblem cannot be solved in less than O( √ N). Hence, if only the generic algorithms (cf. Chapter19) can be used, we can consider the discrete logarithm problem to be hard as they run in timeO( √ N).There are also some results showing that the discrete logarithm problem and the Diffie–Hellmanproblem on elliptic curves have at least a certain complexity when attacked by means like Booleanfunctions or polynomials. However, the results given in [LAWI 2002, LAWI 2003] aremuchweaker than expected and can only give an indication on the hardness — only the opposite resultwould have catastrophic implications.We now deal with security issues showing under which conditions there exist attacks that arestronger than the generic ones.23.2.1 Security under index calculus attacksWe have stressed the similarity with the case of orders in imaginary quadratic fields and, hence,the disadvantage: namely, the possibility of computing the discrete logarithm by index calculusalgorithms must be discussed.In fact, one has seen in Chapter 21 that this type of algorithms works in certain ranges. In thesequel we briefly present these results.We recall the result of Gaudry, Enge, and Stein [ENG 2002, ENGA 2002, ENST 2002] whichisstrong for large genus g.Theorem 23.4 For g/ ln(q) >tthe discrete logarithm in the divisor class group of a hyperellipticcurve of genus g defined over F q can be computed with complexity bounded by(1L , √ ( (1+ )1 1/2 (q g222t + 1) )) 1/22t.The results of Gaudry [GAU 2000b] and more recently of Thériault [THÉ 2003a] and Gaudry, Thériault,and Thomé [GATH + 2004] are serious for hyperelliptic curves of relatively small genus (inpractice: g 9).There is an index calculus attack of complexityO ( g 5 q 2− 2 g +ɛ)with “reasonably small” constants and even for g =3and 4 the security is reduced.The explicit result for g =4is: for hyperelliptic curves C of genus 4 defined over F q there is anindex calculus algorithm that computes the discrete logarithm in Pic 0 C with complexityO ( q 3/2+ɛ) = O ( |Pic 0 C| 0.375) .This means that the discrete logarithm is considerably weaker than generically expected.The explicit result for g =3is: for hyperelliptic curves C of genus 3 defined over F q ,thereisanindex calculus algorithm that computes the discrete logarithm in Pic 0 C with complexityO ( q 4/3+ɛ) = O ( |Pic 0 C |0.44) .

§ 23.2 Security of systems based on Pic 0 C 555This shows that asymptotically genus 3 curves are weaker than elliptic curves and even for groupsizes encountered in practice the security is reduced. However, the main application of genus threecurves is over fields of 64 bits using one word on a 64-bit processor or two words on a 32-bitprocessor. This setting can easily offer group sizes of 192 bits. So even with some percent lesssecurity, one is above the usual security threshold of working in groups of size 2 160 .We stress that these results hold for all curves of that genus, not only for hyperelliptic curves.The difference appears only in the constants that are smaller for hyperelliptic curves.23.2.1.aConclusionWe can summarize our results.• For curves C of genus g 4, a direct application of index calculus algorithms toCl(O Ca ) gives a complexity of the DLP that is smaller than the generic one. Hence,orders related to curves of genus g 4 or closely related abelian varieties should notbe used as crypto primitives for public-key systems, or, if one has very good reasons forusing them, one has to enlarge the group size considerably.• The state of the art is: we have only three types of rings O which avoid serious indexcalculus attacks and for which addition in Cl(O) is fast enough. These are the maximalorders belonging to curves of genus 1, 2 and 3. Evenforg =3one needs to take intoaccount the group size to compare the complexities of the generic attacks and Thériault’slarge prime variant of the index calculus attack and the more recent double large primevariants (cf. Section 21.3).23.2.2 Transfers by Galois theoryIn the last section we have studied a “generic” attack to compute discrete logarithms based on idealclass groups and as a consequence we have to exclude all (not only hyperelliptic) curves of genusg 4 from the candidate list. Now we want to show that special curves of genus g 3 over specialfields can deliver weak DL systems though no direct application of an index calculus algorithm canbe used. The method is to transfer the discrete logarithm problem in the original group in polynomialtime to a group in which index calculus algorithms are efficient. The transfer maps known today aretreated in Chapter 22.In the following sections we shall always work with a projective absolutely irreducible nonsingularcurve C defined over the finite field F q .23.2.2.aPairingsThe first method uses the duality theory of Jacobian varieties.First look at the special case that l divides q. Then we can transfer Pic 0 C in polynomial time intoa subgroup of a vector space of dimension g over F q , and in this group the discrete logarithm hascomplexity O ( (2g − 1) lg(q) k) ,wherek is a small constant. Hence, one has to avoid this case inall circumstances.So assume now that l is prime to q. In Chapter 6 one finds the definition and the mathematicalbackground of the Tate pairing in the Lichtenbaum version. In Chapter 16 one finds algorithms toimplement the pairing efficiently. The result to be kept in mind is Theorem 6.15. Together with itscorollary it states: let F q be the field with q elements, l a prime number prime to q and k ∈ N beminimal with l | (q k − 1).There is a bilinear mapT l :Pic 0 C [l] × Pic0 C·F q k → F∗ q k/(F∗ q k)l ,

556 Ch. 23 Algebraic Realizations of DL Systemswhich is nondegenerate on the right side, i.e., for a random element in D __∈ Pic 0 C·F the mapq kT l,__D :Pic 0 C [l] → F∗ q k[l]__P ↦→ T l, D(P ):= ( T l (P, D) __ ) q k −1lis an injective homomorphism of groups, which has complexity O(k lg q).As a consequence we get from the results in Chapter 20 the following proposition.Proposition 23.5 The discrete logarithm in Pic 0 C has complexity L q k( 12 , √ 2 ) and so is subexponentialin q k .Example 23.6 Assume that k ln q. Then the complexity to compute the discrete logarithm inPic 0 C is L q( 12 , √ 2k ) .It is rather easy to avoid curves C of genus 3 for which a large prime l divides |Pic 0 C| and forwhich at the same time the corresponding k is relatively small. For elliptic curves we have proved inSection 6.4.2 a necessary and sufficient criterion for this situation. It turns out that for supersingularelliptic curves (cf. Definition 4.74) k is always small, namely less than or equal to 6, while forordinary random elliptic curves k can be expected to be large. Analogous results hold for curves ofgenus g 3. So, for a cryptographic system with discrete logarithms as crypto primitive, the divisorclass groups Pic 0 C of supersingular curves are to be avoided — or, if there is a strong reason for usingthem, one has to choose the parameters in such a way that for given k the complexity L q( 12 , √ 2k )is large enough. One of these strong reasons is motivated by the constructive aspects of the Tatepairing related to the bilinear structure on Pic 0 C. A detailed discussion is found in Chapter 24.23.2.2.bWeil descentIn Section 23.1.2.d we have given a list for parameters of DL systems. By index calculus methodswe have seen that we should restrict the genus to be less than or equal to 3. Because of duality wehave to make sure that for the pair (F q ,l) the minimal number k with l | q k − 1 has to be largeenough.Now we come to the parameter d with q = p d . Assume that d>1 and that d 0 | d with d 0

§ 23.3 Efficient systems 557There should be a very good reason if one does not follow this rule, and then a careful discussion ofthe security has to be performed. We shall give one example for this.Example 23.7 Trace zero varieties introduced in Section 15.3 are constructed from curves definedover F p which are considered over F p d for d =3or d =5. The latter is only proposed for ellipticcurves while the former construction could be used for elliptic and genus 2 curves.As DL system one uses the group of divisor classes that have trace zero (hence the name), i.e.,{ __G = D ∈ Pic 0 C (F p d) ∣ D __⊕ φ p ( D) __⊕···⊕φ d−1 ( D) __ }=0 .Geometrically this group is isomorphic to an abelian variety G of dimension g(d − 1) in the Weildescent of C, whichshows|G| ∼ p g(d−1) . The advantages of this group come from efficientimplementation and will be made clear in the following section. From the security considerationsthe choice of (g, d) =(1, 3) has no known weakness. For good choices of parameters the other twopossibilities that lead to groups of size p 4 offer better security than genus 4 curves or elliptic curvesover fields F p 4, which would have the same group order. For (g, d) =(2, 3) this comes from the factthat G can always be embedded in the Jacobian of a genus 6 curve over F p and that there the indexcalculus algorithm runs in O ( q 22 +ɛ) 13 = O ( |G| 11 +ɛ) 16 . In this rough bound we did not include theconstants. A more thorough study (cf. Section 22.3.4.b, [DISC 2003]) reveals that for low securityapplications, e.g., group sizes of 128 bits, the security is close to the generic one whereas for largerbit sizes one loses asymptotically about 17% of security.23.2.2.cConclusionThe results of Section 23.2.2 show that one has to be careful with the choice of the pair (C, F q ) ifone wants to have instances in which the complexity of algorithms computing the discrete logarithmis O(l 1/2 ).1. One has to choose l so that it does not divide q andsothatthefieldF q (ζ l ) is an extensionof F q of sufficiently large degree k. For instance k 1000 should be ensured. (Notethat this does not mean that one needs to actually compute k but that one checks for allk ′ k that l ∤ q k′ − 1.) This excludes especially the case that C is supersingular.2. One should take F q either as prime field or as an extension of a field of small characteristicp (e.g., p =2), which has prime degree d over F p . Moreover the number 2 shouldhave large order modulo d, e.g., d must not be a Mersenne or a Fermat prime number.If one has strong reasons not to follow these directions, one has to make a careful analysis of thesituation.Example 23.8 Assume the situation that one would like to find a group of order equivalent to q 4as, e.g., the arithmetic in F q is particularly suited to the hardware. In this case, one should nottake curves of genus 4 over F q or elliptic curves defined over F q 4, as due to the attacks describedin Section 22.3.5.a the size of q needs to be chosen much larger. One can do better with tracezero varieties of curves of genus 2 defined over F q with respect to extensions of degree 3 (seeExample 23.7).p23.3 Efficient systemsIn the previous section we have shown that ideal class groups of function fields over finite fieldsallow us to obtain groups in which the discrete logarithm is supposed to be hard to compute, given

558 Ch. 23 Algebraic Realizations of DL Systemsthat the genus is less than or equal to 3. The parameters p, d, andg may then be chosen to accommodatefast computation of scalar multiples in the group provided that the group size O(p dg ) is ofthe correct size and none of the weaknesses mentioned before is introduced.23.3.1 Choice of the finite fieldFrom the point of view of finite field arithmetic, prime fields F p and binary fields F 2 d are the mostcommon choices, but for some implementations optimal extension fields and their generalizationsmight offer advantages, as they are ideally suited to the word size. For full details on arithmetic onfinite fields we refer to Chapter 11, and the mathematical background can be found in Chapter 2.For special considerations for hardware implementation one should consult Chapter 26.23.3.1.aPrime fieldsIn prime fields F p , addition and subtraction are performed as in the integers and the result is reducedmodulo the prime p. In general, much of the considerations for integer arithmetic (cf. Chapter 10)can be applied for the arithmetic modulo p.For multiplication one uses the schoolbook method or Karatsuba’s trick. Fast multiplicationmethods like FFT do not apply for the small size of p we are considering here. Squaring has aboutthe same complexity as multiplication and can either be implemented separately (which can lead toa speedup in trade-off for more code) or by reusing the multiplication routine. In general one shouldconsider the multiplication separately from the reduction and take into account the effect that forcomputing ab + cd, for field elements a, b, c, d, one only needs one reduction instead of two.Inversions and divisions are computed using the (binary) extended gcd.To have fast arithmetic in F p it is advisable to choose p of low Hamming weight, ideally of theform 2 wn + c, wherew is the word size and c is small. This allows us to compute the modularreduction more efficiently.Montgomery representation of elements in F p speeds up the computations even further. Theelement x is represented by xR, whereR is the smallest power of 2 w larger than p. This representationbehaves well with respect to addition, multiplication, and inversion and the reductions areparticularly simple. For full details we refer to Algorithms 11.3 and 11.9.23.3.1.bExtension fieldsTo represent extension fields one has two general methods, either using the multiplicative or theadditive structure of F p d. In the first case one uses a generator g and represents each element as apower of g. This way, multiplications are very efficient but additions are problematic. For smallfields one can use a lookup table but this gets inefficient very quickly.So, for implementations in cryptographically relevant ranges, representations using the additivestructure of F p d as d-dimensional vector space over F p are favored. In this representation additionis done coefficient-wise.There are two main trends for choosing the basis: either find an irreducible polynomial m(X) ∈F p [X] of degree d and use ( 1,θ,...,θ d−1) as basis, where θ is a root of m(X) over F p d, or choosea basis of the form ( )α, α p ,...,α pd−1 . The latter is called a normal basis; it has the advantage thatthe operation of the Frobenius automorphism φ p is computed by a cyclic shift of the coefficients. Asa drawback, multiplications are more complicated than in polynomial basis representation, wherethey are computed by a multiplication of polynomials followed by a reduction modulo m(X).We now give some details for binary fields F 2 d and optimal extension fields F p d. Some applicationsdiscussed in Chapter 24 use the field F 3 d. It shares many properties with F 2 d. Hence, themathematical background is covered in the following paragraph. Note that the basic arithmetic in

§ 23.3 Efficient systems 559F 3 is slower than in F 2 as two bits are needed to represent a field element.Binary fieldsThe security considerations impose that d is a large prime. So, in all applications d is odd implyingthat Tr F2 d /F 2(1) = 1. This means that some transformations on the curve equations, discussed later,are always possible. On the other hand this means that there is no type I optimal normal basis (cf.Section 11.2.2.b), i.e., if one represents the multiplication using a matrix, then it is not possible toget the most sparse type of matrix.The use of normal basis representation can be useful if many more squarings than multiplicationsare needed or if one needs to compute square roots. For many of the coordinate systems onelliptic and hyperelliptic curves and ways of scalar multiplication discussed below, normal basisrepresentation leads to slower implementations than cleverly chosen irreducible polynomials with apolynomial basis.To be able to multiply in normal basis representation one is either given an explicit multiplicationmatrix or uses Gauß periods over extensions. Inversion is either done by transforming to apolynomial representation and then performing it there as described in the sequel or by using Lagrange’stheorem. In the latter case one should apply an addition chain involving the Frobeniusautomorphism, as this map is particularly fast in normal basis representation.We now turn our attention to polynomial basis representations. As for primes it is very usefulif the irreducible polynomial is sparse, i.e., it has only few nonzero coefficients. Over F 2 eachbinomial has either 0 or 1 as its root and hence it cannot be irreducible. For implementationsirreducible trinomials are the best choice if they exist. Otherwise Section 11.2.1.b proposes to useredundant trinomials to obtain sparse polynomials for reduction.Multiplication is performed as a multiplication followed by a reduction modulo m(X). Forthefields F 2 d a Montgomery representation of the fields exists as well. Also, for inversions the sametricks can be applied and usually they are computed as an extended gcd. For restricted devicesinversions are usually too time and space-consuming. However, one should note that the ratiobetween multiplication and inversion is not as bad as in prime fields.Even though in polynomial basis representation a squaring is more complicated than a cyclic shift,it is still a fast operation compared to multiplication as no mixed terms occur. A rough estimate isS=0.1M,whereS abbreviates a squaring and M stands for a multiplication.Optimal extension fieldsFor some platforms or applications other choices of p and d are more advantageous. For securityreasons one chooses d to be prime. The idea behind optimal extension fields and their generalizationas processor adapted finite fields is to use a ground field F p such that the elements of F p fit withinone word, with the consequence that they can be particularly efficiently handled. For the choice ofp the same considerations as in the prime field case apply.To construct the field extension one tries to use an irreducible binomial m(X) =X d − a, whereoptimally a is small such that multiplications involving a can be performed by a few modular additions.Hence, reduction modulo m(X) can be efficiently computed.Addition is trivial. To multiply, the reductions are simplified by the choices of p and m(X)and for small extension degrees d like those needed for trace zero varieties, one can save a fewmultiplications over F p by making a detailed look at the code. For d =3and 5 these formulas areincluded in Section 11.3.6.For inversion one uses α pd−1 =1and expressesα −1 =d−1∏i=1α pi/ d−1∏α pj .j=0

560 Ch. 23 Algebraic Realizations of DL SystemsNote that some of the powers can be rearranged to save even more operations. For d =5this readsα −1 =(αp α p2 (α p α p2 ) p2α ( α p α p2 (α p α p2 ) p2)·For very small d 4 an approach based on linear algebra is more efficient. We refer to Section11.3.4.23.3.2 Choice of genus and curve equationIn this section we assume that the scalar multiplications appearing in the DL-based protocols arecarried out using doublings and additions, and, depending on the storage capacities, by using someprecomputed points. The latter can be applied in windowing methods as explained in Chapter 9to reduce the number of additions needed in a scalar multiplication. As the number of doublingsremains unchanged such systems need especially cheap repeated doublings.Clearly, Cantor’s algorithm can be used to perform arithmetic in the ideal class group of arbitraryhyperelliptic curves. As soon as one fixes the genus of the curve one can derive explicit formulasfrom the general group operations, which are usually much faster in implementations. As the groupsize behaves like p dg a larger genus allows smaller finite fields. By the security considerations weare, however, limited to g =1, 2,and3.23.3.2.aElliptic curvesElliptic curves are curves of genus 1. On them the ideal and divisor class group are isomorphic tothe group of points and thus one can define addition and doubling in terms of the coordinates ofpoints. The general addition formula is given in Section 13.1.1.Over a binary field, each nonsupersingular curve can be given (after an isomorphic transformation)by an affine equationy 2 + xy = x 2 + a 2 x 2 + a 6 , where a 2 ∈ F 2 d and a 6 ∈ F ∗ 2 d.As d should be odd, we can even choose a 2 ∈ F 2 , cf. Remark 13.40.In affine coordinates the addition formulas read as follows, where −P =(x 1 ,x 1 + y 1 ).AdditionLet P =(x 1 ,y 1 ), Q =(x 2 ,y 2 ) such that P ≠ + − Q then P ⊕ Q =(x 3 ,y 3 ) is given byDoublingx 3 = λ 2 + λ + x 1 + x 2 + a 2 , y 3 = λ(x 1 + x 3 )+x 3 + y 1 , λ = y 1 + y 2x 1 + x 2.Let P =(x 1 ,y 1 ) then [2]P =(x 3 ,y 3 ),wherex 3 = λ 2 + λ + a 2 , y 3 = λ(x 1 + x 3 )+x 3 + y 1 , λ = x 1 + y 1x 1·Thus an addition and a doubling require exactly the same number of operations that is I+2M+S.Here, we use the abbreviations I for inversion, M for multiplication, and S for squaring. We useM 2 to denote a multiplication by a 2 . This is counted separately as for odd d there always exists anisomorphic curve with a 2 ∈ F 2 such that the multiplication is computed as an addition.

§ 23.3 Efficient systems 561To avoid inversions one can use projective and different weighted projective coordinates. The followingTable 23.1 lists the number of operations needed to double or add in different coordinatesystems (A denotes affine coordinates, P projective coordinates, and J and LD stand for Jacobianand López–Dahab coordinates, respectively). For details on the arithmetic we refer to Section 13.3.Table 23.1 Operations required for addition and doubling.DoublingAdditionOperation Costs Operation Costs2P 7M + 4S + M 2 J + J 15M + 3S + M 22J 5M + 5S P + P 15M + 2S + M 22LD 4M + 4S + M 2 LD + LD 13M + 4S2A = P 5M + 2S + M 2 P + A = P 11M + 2S + M 22A = LD 2M + 3S + M 2 J + A = J 10M + 3S + M 22A = J M+2S+M 2 LD + A = LD 8M + 5S + M 2— — A + A = LD 5M + 2S + M 22A I+2M+S A + A = J 4M + S + M 22A ′ I+M+S A + A = A ′ 2I + 3M + S2A ′ = A M+2S A + A I+2M+SIf inversions are affordable, affine coordinates are preferred as the total number of field operationsis lowest. Otherwise, one should use López–Dahab coordinates, as for them doublings are fastestand additions, especially mixed addition A + LD = LD, are cheap as well. For the binary ellipticcurves proposed in the standards a 6 is chosen to be small such that multiplications by this constantare fast. Then the standard doubling formulas should be applied, while for random curves, and thuslarge and changing a 6 , formulas (13.9) are preferred.In odd characteristic for p>3 one can make an isomorphic transform to get each elliptic curverepresented by an affine equation of the formy 2 = x 3 + a 4 x + a 6 , with a 4 ,a 6 ∈ F q ,such that x 3 + a 4 x + a 6 has only simple roots over F q . The negative of P =(x 1 ,y 1 ) is given by−P =(x 1 , −y 1 ).AdditionLet P =(x 1 ,y 1 ), Q =(x 2 ,y 2 ) such that P ≠ + − Q and P ⊕ Q =(x 3 ,y 3 ). In this case, addition isgiven byDoublingx 3 = λ 2 − x 1 − x 2 , y 3 = λ(x 1 − x 3 ) − y 1 , λ = y 1 − y 2x 1 − x 2·Let [2]P =(x 3 ,y 3 ).Thenx 3 = λ 2 − 2x 1 , y 3 = λ(x 1 − x 3 ) − y 1 , λ = 3x2 1 + a 42y 1·

562 Ch. 23 Algebraic Realizations of DL SystemsAn addition needs I+2M+Sand to compute a doubling I+2M+2Sare used.As stated in the previous section, in odd characteristic inversions are very time-consuming comparedto multiplications. Hence, it is even more important to consider inversion-free coordinate systems.The following Table 23.2 gives an overview of the number of field operations per group operation.In addition to the above abbreviations we use J m for modified Jacobian coordinates and J c forChudnovsky Jacobian coordinates. For full details on the formulas, we refer to Section 13.2.Table 23.2 Operations required for addition and doubling.DoublingAdditionOperation Costs Operation Costs2P 7M + 5S J m + J m 13M + 6S2J c 5M + 6S J m + J c = J m 12M + 5S2J 4M + 6S J + J c = J m 12M + 5S2J m = J c 4M + 5S J + J 12M + 4S2J m 4M + 4S P + P 12M + 2S2A = J c 3M + 5S J c + J c = J m 11M + 4S2J m = J 3M + 4S J c + J c 11M + 3S2A = J m 3M + 4S J c + J = J 11M + 3S2A = J 2M + 4S J c + J c = J 10M + 2S— — J + A = J m 9M + 5S— — J m + A = J m 9M + 5S— — J c + A = J m 8M + 4S— — J c + A = J c 8M + 3S— — J + A = J 8M + 3S— — J m + A = J 8M + 3S— — A + A = J m 5M + 4S— — A + A = J c 5M + 3S2A I+2M+2S A + A I+2M+S23.3.2.b Curves of genus 2For these curves the explicit formulas are more involved compared to elliptic curves. On the otherhand the field one works in is of half the size for equal security as the group order is given byO(p 2d ). In affine coordinates an addition needs I + 22M + 3S and a doubling needs 2S more. Werefer to Chapter 14 for the details on the group operation but mention that as for elliptic curvesone has the choice between different coordinate systems including inversion-free systems. Thechoice of genus 2 curves leads to similar speed for scalar multiplication as elliptic curves. This canbe seen from the implementation results listed in Table 14.13, p. 353. For each environment oneneeds to check which fields are faster to implement and also whether the longer code needed forthe group operations for genus 2 curves is a problem. It is only possible to state the advantages ordisadvantages of elliptic curves over genus 2 curves based on implementations. From a theoretical

§ 23.3 Efficient systems 563point of view their performance is similar.Special choices of curves, like the family of binary curvesy 2 + xy = x 5 + f 3 x 3 + εx 2 + f 0 , with f 3 ,f 0 ∈ F 2 d and ε ∈ F 2 ,over fields with odd d allow us to obtain especially fast doubling formulas that outperform ellipticcurves. There is no similar family of elliptic curves, and, hence, the richer structure of genus 2curves pays off.23.3.2.c Curves of genus 3So far explicit formulas for arithmetic on genus 3 curves were obtained in affine and projective coordinates.For general curves it seems that the number of operations is so large that the performanceis worse than for elliptic and genus 2 curves. Furthermore, one needs to take into account the reductionof security due to index calculus attacks, such that the group order needs to be made evenlarger.For special choices of curves like the binary curvesy 2 + y = f(x), with f(x) ∈ F 2 d[x]particularly fast doublings can be designed without weakening security.23.3.2.dConclusionOver prime fields elliptic curves and genus 2 curves offer similar efficiency, while genus 3 curvesare less efficient with the current explicit formulas. For completely general curves over binary fieldsthe same observations hold.If one is willing to trade off generality for higher speed, there exist genus 2 and 3 curves over F 2 doffering fast arithmetic. Comparable choices cannot be made for elliptic curves. We mention thatthese curves constitute families and thus they are not considered special curves.23.3.3 Special choices of curves and scalar multiplicationSome curves have extra properties that can be used to compute scalar multiplication faster. Thisdoes not mean that the single group operations, i.e., additions and doublings, are sped up, but oneuses a different procedure to compute the scalar multiples.In Example 23.7 we introduced trace zero varieties. In general, subfield curves defined over F pand considered over F p d offer the advantage that the Frobenius endomorphism φ p operates on thepoints of the curve by raising each coordinate to the power of p. This can be used to obtain fastermethods for scalar multiplication. In Chapter 15 we showed how to compute [n] D __by using φ p .Instead of using a double and add algorithm, one applies a Frobenius and add algorithm, whichleads to faster computations as φ p can be computed efficiently.It is also possible to use other endomorphisms of curves. A general curve will not have anefficiently computable endomorphism, but on specially chosen curves it can be used to speed up thescalar multiplication. The methods are described in Section 15.2.In both cases one needs to be aware that the endomorphisms also speed up the attacks. The effectsare discussed in Section 19.5.5. The use of special curves is particularly interesting for either largesystems, where a central server has to perform a huge amount of encryptions and has no problemswith a slightly larger group size (as long as the protocols run faster), or in lightweight cryptographyapplications, where the security needs are reduced but the devices cannot consume too much powerand have limited storage. In this scenario curves with endomorphisms make the operations faster.

564 Ch. 23 Algebraic Realizations of DL Systems23.4 Construction of systemsDepending on the security needs one chooses the size N of the group in which the discrete logarithmis to be used. The list of candidates for secure DL systems in Section 23.1.4 gives possible choicesof parameters for the system. By considering the given environment and by looking at the results onefficiency in Section 23.3 one chooses candidate pairs (F q ,C) such that the expected group orderof Pic 0 C is of size N and that the other needs are met. The final step is to look for primes l ∼ N forwhich Z/lZ can be embedded into Pic 0 C for a candidate curve C in a bit-efficient way. Usually onehas to do this by randomly choosing curves C in a certain family F and then computing Pic 0 C .So, one needs two ingredients: there have to be sufficiently many instances leading to an almostprime group order and one has to be able to compute the group order efficiently.23.4.1 Heuristics of class group ordersFirst there has to be (at least) a heuristic prediction stating that with large probability the order ofPic 0 C for C ∈Fis almost a prime, i.e., there is a number c B with |Pic 0 C| = cl with l aprimenumber. The number c is called the cofactor, usually one sets the bound to B 1000. A largechoice of B will raise the probability of finding a suitable curve C but it will imply that we have totake the size of the ground field F q (and hence the key length) larger, since we haveg lg q ∼ lg c +lgl.The main sources for such heuristics are analytic number theory and analogous techniques overfinite fields. Key words are Cohen–Lenstra heuristics about the behavior of class groups of globalfields and Lang–Trotter conjectures about the distribution of traces of Frobenius automorphismsacting on torsion points of abelian varieties over number fields. Combined with sieving techniquesone finds a positive probability for the existence of class numbers with only a few prime divisors. Itis outside the scope of this book to give more details. For applications and statistics in the cases weare interested in we refer readers to [BAKO 1998]and[WEN 2001b]. For our purposes it is enoughto state that in all families F that can be used in practice it will not take much time to find curvesthat can be used for DL systems.In many cases one can impose c =1. But one has to be cautious in special cases. There can befamilies F for which there is a number c 0 such that for each member, C, one has that c 0 divides|Pic 0 C| and so c has to be a multiple of c 0 . For example take F as the set of ordinary binary ellipticcurves. They are all of the form y 2 +xy = x 3 +a 2 x 2 +a 6 with a 6 ≠0. Therefore, 2 always dividesthe cofactor as (0, √ a 6 ) is a point of order 2 defined over the ground field. Another example is thefamily F consisting of curves C of genus 3, which have an automorphism of order 4. Their classnumber is always even (cf. Section 18.3).In other families it can occur that the class numbers are always divisible by different numbersbounded by c 0 . For instance take F as a family of curves defined over a field F q0 with q 0 | q. Thenthe class number of C over F q is divided by the class number of C regarded as curve over F q0 andso the cofactor c has to be ( √ q 0 − 1) 2g . Examples of families F for which c =1is possible andfor which one can (efficiently) determine the group order are random elliptic curves or hyperellipticcurves of genus 2 over fields F q of odd characteristic, as well as elliptic curves over prime fieldsconstructed by the method of complex multiplication (cf. Section 18), and not isogenous to a curvewith j-invariant equal to 0 or 12 3 .

§ 23.4 Construction of systems 56523.4.2 Finding groups of suitable sizeIn the following we shall give examples for families of curves F for which the (heuristic) resultsof the Section 23.4.1 predict that with a reasonable probability the number of elements in Pic 0 C forC ∈Fis divisible by a large prime l and for which it is possible to determine |Pic 0 C | efficiently.To find a curve C usable for DL systems one chooses a random curve in F and computes the orderof Pic 0 C. If it is not of the right shape one chooses another random element in F and repeats thecomputation until finally a usable curve is found.Once a suitable curve is found, one has to choose a base point in Pic 0 C of order l.23.4.2.aFinding a curveAs said already the key ingredients for finding curves with divisor class group usable for DL systemsare point counting algorithms, which are described in Chapter 17. Their common principle is thatthey compute the characteristic polynomial χ(φ q ) C(T ) of the Frobenius endomorphism φ qC actingon J C (cf. Section 4.3.6) and use the fact that |Pic 0 C| = χ(φ q ) C (1) (cf. Corollary 5.70).Curves defined over subfieldsTake as F the family of curves C of genus g over fields F q , which are defined over subfields F q0 .If q 0 is small, elementary methods like counting by enumeration (cf. Section 17.1.1) or square rootalgorithms (cf. Chapter 19) can be used. This is reasonable e.g., for q g 0 1016 .For larger q 0 it may be necessary to replace these counting algorithms by more refined algorithmsexplained in the next paragraphs. Nevertheless this counting will be very fast compared to countingmethods for curves defined over F q .So, it is possible to compute the characteristic polynomial χ(φ q0 )(T ) of the Frobenius endomorphismφ q0 over F q0 . As explained in Section 17.1.2 this can be used to compute the characteristicpolynomial of φ q and hence the order of Pic 0 C.Remark 23.9 This method is especially fast if q 0 is small. Moreover, the operation of the Frobeniusendomorphism φ q0 can be used to accelerate the computation of scalar multiples in Pic 0 C considerably(cf. Section 15.1). The key word is “Koblitz curves.”Example 23.10 The most famous Koblitz curves areE a2 : y 2 + xy = x 3 + a 2 x 2 +1, with a 2 =0 or 1seen as curves over F 2 . The characteristic polynomial is given byχ a2 (T )=T 2 − (−1) 1−a2 T +2and the number of points of E(F 2 d) is given by (15.9).The disadvantages are that if q 0 is very small there will be only a few curves in the cryptographicallyinteresting range. At the same time the cofactors will be divisible by χ(φ q0 ) C (1), which is of sizeequivalent to q g 0 . Moreover the degree of F q over F q0 should be a prime number because of thetransfers related to Weil descent (cf. Section 22.3). This attack has to be considered for smallextensions, too.Remark 23.11 If the degree of F q over F q0 is small ( 5) one is led to systems based on tracezero varieties (cf. Section 7.4.2), which can be interesting alternatives in special situations for fastarithmetic; see Section 15.3.

566 Ch. 23 Algebraic Realizations of DL SystemsRandom elliptic curvesOne chooses the size of the allowed cofactor c and of the prime l, which should divide the orderof the group of rational points of an elliptic curve E. Letq beapowerofaprimep of size cl. Asfamily F we take the set of elliptic curves defined over F q .Let E be a randomly chosen elliptic curve defined over F q . We can apply the SEA Algorithm17.25 to count the elements of E(F q ) in O ( lg(q) 2µ+2) bit operations, where µ is a constantsuch that two B-bit integers can be multiplied in time B µ . The algorithm is fast enough to findcryptographically usable elliptic curves even with cofactor 1 in a short time.Random curves of genus 2As above, the desired size of the group order is denoted by N. One chooses q to be of size N 1/2 .The family F consists of all curves of genus 2 defined over F q . In [GASC 2004a] one finds analgorithm combining p-adic, l-adic, and generic methods to count points on the Jacobian variety ofrandom curves of genus 2 defined over F q , and to find such curves that can be used for DL systems.At the moment this is rather time-consuming — for a curve over a F p with p =5× 10 24 +8503491,the time reported in [GASC 2004a] is one week per curve — but it is to be expected that refinementswill accelerate the algorithm in the near future.Curves over fields of small characteristicLet p be a small prime number, in practice p =2or p =3. So, to reach cryptographic group sizeswe need q = p d with d large. (For security reasons d should be a prime such that the multiplicativeorder of 2 modulo d is large (cf. Section 22.3)). The family F consists of random curves C of genusg (with 1 g 3) defined over F q . Hence d ∼ log g N/g. To count points on random curvesC in F one uses p-adic methods as described in Section 17.3. For p =2the AGM method (cf.Section 17.3.2) generalizes Satoh’s method for elliptic curves and constructs canonical liftings ofJacobian varieties of curves of genus 1, 2, and3 in a most efficient way — provided that this curveis ordinary. For random curves this condition will be satisfied.The AGM algorithm is very easy to implement, especially for elliptic curves. As an example, westate the algorithm for elliptic curves over F 2 . The idea is to use a recurrence to compute the trace tof the Frobenius endomorphism.Algorithm 23.12 Elliptic curve AGMINPUT: An elliptic curve E : y 2 + xy = x 3 + a 6 over F 2 d with j(E) ≠0.OUTPUT: The number of points on E(F 2 d).1. L ←⌈ d ⌉ +3 [L is the precision to be used]22. a ← 1 and b ← (1 + 8e) mod2 4 [e arbitrary lift of a 6]3. for i =5 to L do4. (a, b) ← `(a + b)/2, √ ab´ mod 2 i5. a 0 ← a6. for i =0 to d − 1 do7. (a, b) ← `(a + b)/2, √ ab´ mod 2 L8. t ← a0mod 2L−1a9. if t 2 > 2 d+2 then t ← t − 2 L−110. return 2 d +1− t

§ 23.4 Construction of systems 567In Section 17.3.2.c one finds the algorithms for g 2. The theoretical background is given inSection 17.3.A universal method of computing the characteristic polynomial of the Frobenius endomorphismφ q for arbitrary (small) p and arbitrary hyperelliptic curves was developed for the first time by Kedlaya[KED 2001]. He uses the Monsky–Washnitzer cohomology, which computes the de Rhamcohomology of a formal lifting of the curve. Though the background is rather involved, the algorithmis easily implemented. It is given in Section 17.3.3 as Algorithm 17.80.If the AGM method can be used it is faster than algorithms based on Kedlaya’s idea. The bigadvantage of Kedlaya’s approach is that it is a universally applicable algorithm (which can be generalizedto practically all curves). In any case, one can state that point counting for random hyperellipticcurves of genus 1, 2, and3 over fields of characteristic 2, 3, and5 in cryptographicallyrelevant ranges can be done in a satisfying way.The CM methodThe methods described until now leave one gap open: it is difficult to compute the characteristicpolynomial of the Frobenius endomorphism acting on the Jacobian variety of curves of genus 2and 3 defined over fields F q of large characteristic. To fill this gap, especially in the case that qis a prime number p, one can use the theory of complex multiplication relying on the results ofTaniyama and Shimura. Even for elliptic curves this method remains interesting, especially if onewants to find many curves to check heuristics or to construct an elliptic curve with prescribed grouporder [BRST 2004], e.g., if one wants to obtain a group order with low Hamming weight.For the background of this theory, we refer to Section 5.1. In this method one begins with thechoice of a ring of endomorphisms End C of an abelian variety that has complex multiplication andthat is the Jacobian variety of a hyperelliptic curve C of genus g. ThisringEnd C has to be an orderin a CM-field of degree 2g. One characterizes the curve by its invariants, and to obtain the equationof the curve one computes the minimal polynomials over Q of the invariants, the class polynomials.For details on the computation of the class polynomial we refer to Section 18.1.3.In practice both finding the ring End C and computing the class polynomials are to be regarded aspart of a precomputation. For elliptic curves they can be taken from published lists (cf. [WENG]).The family F consists of the curves C p , which are obtained from C by reduction modulo primesp. So, our space of parameters is now the set of prime numbers. Arithmetic geometry tells us thatthis can be regarded as the analogue of a curve, and so the richness of the family F is analogous tothat of the family consisting of all curves of genus g over a fixed finite field F q .By class field theory it is possible to determine the order of Pic 0 C pby solving a norm equation inEnd C that can be done quickly. Only after having found a “good” prime p one constructs the curveC p in an explicit way.The algorithm for elliptic curves E is found in Section 18.1.5. We repeat it here for this case.Algorithm 23.13 Construction of elliptic curves via CMINPUT: A squarefree integer d ≠1, 3, parameters ε and δ, Hilbert class polynomial H d (X),desired size of p and l.OUTPUT: Aprimep of the desired size, an elliptic curve E/F p whose group order |E(F p)| has alarge prime factor l.1. repeat2. repeat choose p prime of desired size3. until εp = x 2 + dy 2 with x, y ∈ Z4. n 1 ← p +1− 2x/δ and n 2 ← p +1+2x/δ5. until n 1 or n 2 has a large prime factor l

568 Ch. 23 Algebraic Realizations of DL Systems6. compute a root j of H d (X) (mod p)7. compute E j/F p from (18.1) and its twist E e j/F p8. while true do9. take P ∈ R E j(F p) and compute Q ← [n 1]P10. if Q = P ∞ and [n 2]P ≠ P ∞ then return p and E j11. else if Q ≠ P ∞ then return p and E e jThe situation is more complicated for g =2but nevertheless the corresponding algorithm worksvery well. The details can be found in Section 18.2. For g =3one has to assume that End Ccontains √ −1 and hence C has an automorphism of order 4, which implies that the cofactor isdivisible by 2. So we get only special curves, and the situation is not totally satisfying. Neverthelesswe can construct many hyperelliptic curves of genus 3, which can be used for DL systems.23.4.2.bState of the art of point countingWe have seen that the computation of the order of Pic 0 C for curves C of genus g defined over fieldsF q can be performed efficiently by not too complicated algorithms if• The curve C is already defined over a small subfield F q0 of F q ,or• The genus g is equal to 1,or• The characteristic of F q is small, or• The genus of C is 1 or 2,thefieldF q is a prime field, and the curve C is the reduction moduloq of a curve ˜C with complex multiplication over a given order End C in a CM-field.For random curves C of genus 2 there is hope that one will find an efficient algorithm for pointcounting. The results of Gaudry and Schost [GASC 2004a] are very encouraging.For genus g =3and F q a prime field, we have to restrict ourselves, at least at the moment, tohyperelliptic curves that have an automorphism of order 4.23.4.2.cFinding a base pointWe assume now that C is a hyperelliptic curve defined over F q such thatand that C is given by an affine equation|Pic 0 C| = clC a : y 2 + h(x)y = f(x).One chooses a random element x 1 ∈ F q and tests whether the polynomial y 2 + h(x 1 )y − f(x 1 ) hasa solution y 1 in F q . This will be the case with probability 1/2. If the polynomial has no solution inF q one chooses another x 1 . After a few trials one has found a point P =(x 1 ,y 1 ) ∈ C(F q ).Oneuses the embedding of C in its Jacobian. With probability 1 − 1/l the divisor class of P − P ∞ hasorder divisible by l and so [c](P − P ∞ ) has order l. To check this one verifies that [c](P − P ∞ ) isnot the neutral element.If this is the case we can take D __=[c](P − P ∞ ) as the base point of our DL system and embedZ/lZ into Pic 0 C by mapping n ↦→ [n] D __for 0 n

§ 23.5 Protocols 569If the trial multiplication fails, i.e., if [c](P − P ∞ )=0, one repeats the procedure by choosing anew element x 1 .The expected time to find a base point by this method is O(lg l). For details concerning hyperellipticcurves implemented with explicit formulas we refer to Section 14.1.2.23.5 ProtocolsSo far we have presented groups in which the discrete logarithm problem is assumed to be hard. InChapter 1 we stated some protocols in Section 1.6 using only the structure of a DL system. We nowbriefly cover two issues: how to actually instantiate these protocols with groups based on Pic 0 C ofcurves over finite fields; and which pitfalls one needs to be aware of.We need to make a general remark. As of the time of writing this, only elliptic curves are inthe standards. In this section we state system parameters and protocols for hyperelliptic curves bygiving the generalizations from the elliptic curve setting.23.5.1 System parametersWe now assume that the system parameters consisting of the ground field, the genus of the curve,and the curve equation are chosen in a manner that the DL problem should be hard to compute.To use these parameters in a cryptosystem they need to be published. For the finite field thismeans that q = p d needstobegivenbutalsothewaythefield elements are represented, i.e.,for prime fields one needs to state whether the following parameters of curve and points refer toMontgomery or standard representation. In extension fields the type of basis and how to multiply init need to be stated, e.g., for polynomial basis one gives the irreducible polynomial m(X) of degreed over F p .Once the field elements can be represented, the equation of the curve, the base point, and alsopublic keys can be stated. This information is sufficient for most applications — if all users behavewell. In the following we sometimes assume that an attacker could get signatures on innocentlookingmessages. In practice this is not too far fetched — there are service providers that signall packages transmitted by them so that one could easily get signatures implying arbitrary groupelements unless the following checks are implemented.Standards additionally require that the group order N = |Pic 0 C | is given together with the cofactorc such that N/c = l is prime, and also ask for a small cofactor. In signature schemes likeAlgorithm 1.18 one needs l, as the signature is an integer modulo l, and an inversion modulo l isrequired when signing. We point out that there are inversion-free signature schemes that would notrequire knowledge of the group order but usually they are less efficient. However, what is worse isthat a malicious user could ask for a signature on an element D __that comes from a subgroup of Pic 0 Cof order dividing c. If c has enough prime factors the attacker could determine the secret scalarmodulo all these primes and recover a large part of the secret by using Chinese remaindering. Thisattack is called the small subgroup attack.To avoid this attack one should check whether D __has order l. This can be done by either actuallychecking [l] D __=0or by computing [h] D __for h = c/p i for all prime divisors p i of c and checkingthat the result is not 0. Both methods require that l is prime, which could also be checked.Browsing the algorithms for addition and doubling in Pic 0 C one notices that not all curve coefficientsare needed in the arithmetic. Hence, the same set of formulas could be used for differentcurves. The invalid curve attack works by requesting a signature on a group element of Pic 0____C,whereC has the same coefficients as C on those positions appearing in the group operations and is differentotherwise. If it is possible to find a curve C __that offers less security, this could be used to find

570 Ch. 23 Algebraic Realizations of DL Systemsthe secret key by attacking the DL problem in the easier group Pic 0__C . In fact, it is very likely thatthere are curves C __such that the group order contains many factors of moderate size, such that theDLP could be solved by using Chinese remaindering.Hence, the protocols require to check whether D __is actually a group element.To sum up: the system parameters consist of the five entries(F p d,C, __D, N, c),where we assume that F q d contains information on the field representation and D __is the base pointof the system. The system parameters are accepted if1. all field elements are correctly represented,__2. D ≠0∈ Pic 0 C ,and3.__D has order l = N/c.User A has public key D __A =[a A ] D, __which is included in her system parameters. To verify asignature issued by her or before sending her an encrypted message, B checks whether D __A ∈ Pic 0 C .Before signing a message that involves computation of [a A ] E __for some E, __A needs to checkwhether E __∈ Pic 0 __C and if so whether E has order l.23.5.2 Protocols on Pic 0 CFor using elliptic curves, some special protocols were designed that make use of the representationof group elements by points. Applying compression techniques (cf. Sections 13.2.5 and 13.3.7) apoint P =(x 1 ,y 1 ) can be uniquely stored using its x-coordinate and a bit of y. As for each x 1there are at most two y 1 ’s such that (x 1 ,y 1 ) is on the curve and the points are the negatives of oneanother, one can also give up the uniqueness and only use x 1 to represent both P and −P .Hence, some reduction in the length of the key and signatures is possible such as is not possiblein a generic group. In the following, we detail a signature algorithm to show the differences to thegeneral purpose algorithm presented in Chapter 1. For other protocols similar observations hold.The elliptic curve digital signature algorithm (ECDSA) [ANSI X9.62] is a signature scheme ofElGamal type as given in Section 1.6.3. We state the generalized version applicable to hyperellipticcurves in the following. For easier reference we call it HECDSA. We assume Mumfordrepresentation for elements in Pic 0 C and assume that the finite field elements are ordered such that0 L(α)

§ 23.6 Summary 5716. until U ≠0 and 17. s ← `r −1`h(m) A]U´´ − [a mod l8. until s ≠09. return (U, s)Algorithm 23.15 HECDSA – Signature verificationINPUT: The system parameters (F p d,C, D, __N, c), the public key D __A, a hash function h, themessage m, and the possible signature (U, s) on m.OUTPUT: Acceptance or rejection of signature.1. if U or s/∈ [1,l− 1] then return “reject”2. else w ← s −1 mod l3. u 1 ← `h(m)w´ mod l and u 2 ← (Uw)modl4.__F ← [u __1] D ⊕ [u __2] D A[ F __=[u F ,v F ]]__5. if F =0 then return “reject”6. else U 1 ← `P ν−1i=0 mod l ˆu F = x ν + P ν−1i=0uF,i for some ν g˜7. if U = U F then return “accept” else return “reject”The signature scheme works as specified as it is a special instance of Algorithm 1.18. Note, however,that the storage requirements are reduced as the first entry of the signature is not a group elementbut an integer modulo l.As only the first part of the representation of E __is used in the signature, the scheme is malleable,i.e., it is possible to obtain a valid signature on a different message by the observation that E __and− E __result in the same signature. This property was pointed out in [STPO + 2002] together withan attack that uses this property to choose the private key in a manner that two apriorichosenmessages will result in the same signature.An easy way to avoid this drawback is to apply a compression, (cf. Section 14.2) to E, __whichmeans that U depends uniquely on E.__There are also encryption and key agreement protocols that take into account the special propertiesof elliptic curves. Usually it is easy to obtain hyperelliptic curve analogies. We do not includethem in this book but refer the reader to the vast literature. A useful overview with many referencesis given in [HAME + 2003].23.6 SummaryIn Chapter 1 we have explained which purposes public-key cryptography can be used for as part ofsystems that provide data security. In Section 1.5 we have defined discrete logarithms in an abstractway and in Section 1.6 one finds protocols that use discrete logarithms as crypto primitives.The purpose of the present chapter is to help to decide how to realize such systems in the mostefficient way.Remark 23.16 In Chapter 1 we have discussed bilinear structures as additional structures of certainDL systems, as well as their use in protocols. Their realization is discussed in the next chapter.

572 Ch. 23 Algebraic Realizations of DL SystemsTo use DL systems in practice one first has to analyze which grade of security is needed. Then oneinspects the offered types of groups and the hardness in the DLP in these groups. It could be thatfor specific practical reasons one is satisfied with subexponential complexity of DLP and choosesas the group a subgroup of prime order in the multiplicative group of a sufficiently large finite fieldF q . The system XTR is an example of an efficient realization of such a system (see Example 1.13).But in most cases one will want to have key sizes as small as possible with an easy scalable security,and so groups for which there are good reasons to believe in the exponential hardness of the DLPare the appropriate choice. In Section 23.2 we have discussed such groups; the results are statedin Sections 23.2.1.a and 23.2.2.c. The short answer is that the groups Pic 0 C for curves of genus1, 2, 3 over prime fields, or over fields of order 2 d with d a prime such that the multiplicative orderof 2 modulo l is large, are good candidates. A more subtle answer can be found by followingthe references in Section 23.2 leading to detailed discussions of the mathematical background andimplementational details of attacks.Roughly spoken, the proposed groups have the same level of security, require the same space forkeys, and need the same time for scalar multiplication. But in concrete realizations, in particular theefficiency will depend heavily on the specific implementation and the computational environment.So, the discussion in Section 23.3 becomes relevant. One of the basic decisions is the choice of theground field F q and its arithmetic. Hints for this are to be found in Section 23.3.1 and referencescited there. Since the group size l is determined by the security level the choice of the bit size of theground field is related to the genus g of the curve C by lg l ∼ g lg q. So, the choice of q determinesg and hence one has to check whether one finds a family of curves of genus g over F q that fits intothe special situation one has.The next criterion for the choice of C is the efficiency of the group law in Pic 0 C . This is discussedin Sections 23.3.2 and 23.3.3. In many cases it will be sufficient to take random curves and standardversions of the scalar multiplication. But in special cases “the” best implementation will depend onspecial properties of the processors used, and adding additional structures like endomorphisms canresult in significant accelerations. But then implementations (and choices) have to be done morecarefully and the relevant background chapters have to be consulted.Having gone through all choices one needs a pair (C, F q ) satisfying the properties one wants tohave. At this stage one can either look for standard curves (especially for g =1) or use the resultsdescribed in Section 23.4. This part is one of the most attractive aspects of cryptography from themathematical point of view and the algorithms related to point counting are relatively involved. Onthe other side, for all practical needs they are well documented and can be implemented withoutknowing the whole theoretical background. So in praxis it will be no problem to find suitableinstances (C, F q ).Now the last but not the least step has to be done: the embedding of the crypto primitive in thechosen protocol. In Section 23.5 it is explained how the generic protocols from Chapter 1 haveto be transformed into protocols using Pic 0 C as crypto primitive. This was done for signatures inSection 23.5.2, and it is not difficult to treat other protocols in a similar way.

Chapter ¾Pairing-Based CryptographySylvain Duquesne and Tanja LangeContents in Brief24.1 Protocols 573Multiparty key exchange • Identity-based cryptography • Short signatures24.2 Realization 579Supersingular elliptic curves • Supersingular hyperelliptic curves • Ordinarycurves with small embedding degree • Performance • Hash functions on theJacobianChapter 23 showed us how to build DL systems on the Jacobian of curves. In Chapter 1 we introducedDL systems with bilinear structure. In this chapter we first give more applications of this construction,namely the extension of the tripartite protocol given before to multiparty key exchange,identity-based cryptography, and short signatures. In recent years many systems using this extrastructure have been proposed. We include some more references to further work in the respectivesections, since giving a complete survey of all these schemes is completely out of the scope of thisbook. For a collection of results on pairings we refer to the “Pairing-Based Crypto Lounge” [BAR].The second section is devoted to realizations of such systems. In Chapter 6 we gave the mathematicaltheory for the Tate–Lichtenbaum pairing and Chapter 16 provided algorithms for efficientevaluation of this pairing on elliptic curves and the Jacobian of hyperelliptic curves. There we assumedthat the embedding degree (i.e., the degree k of the extension field F q k to which the pairingmaps), is small, so as to guarantee an efficiently computable map as required in a DL system withbilinear structure. In Section 24.2 we explain for which curves and fields these requirements can besatisfied and give constructions.24.1 ProtocolsFor the convenience of the reader we repeat the definition of DL systems with bilinear structure.For the definition of general DL systems we refer to Chapters 1 and 23.573

574 Ch. 24 Pairing-Based CryptographyDefinition 24.1 Let (G, ⊕) beaDLsystem,whereG is a group of prime order l and such that thereis a group (G ′ , ⊕ ′ ) in which we can compute “as fast” as in G. Assume moreover that (H, ⊞) isanother DL system and that a mapsatisfies the following requirements:e : G × G ′ → H• the map is e is computable in polynomial time (this includes the fact that the elementsin H should need only O(lg l) space),• for all n 1 ,n 2 ∈ N and random elements (P 1 ,P ′ 2) ∈ G × G ′ we havee([n 1 ]P 1 , [n 2 ]P ′ 2 )=[n 1n 2 ]e(P 1 ,P ′ 2 ),• the map e(· , ·) is nondegenerate in the first argument, so that for a random P ′ ∈ G ′ wehave e(P 1 ,P ′ )=e(P 2 ,P ′ ) if and only if P 1 = P 2 .We then call (G, e) a DL system with bilinear structure.If there exists such a bilinear map with G = G ′ or an efficiently computable isomorphism ψ : G →G ′ , the decision Diffie–Hellman problem becomes easy. Namely, given (P, [a]P, [b]P, [r]P ) we cancompare e ( [a]P, ψ([b]P ) ) =[ab]e ( P, ψ(P ) ) with e ( [r]P, ψ(P ) ) =[r]e ( P, ψ(P ) ) .AsH has thesame order l we have equality only if ab ≡ r (mod l).DL systems with bilinear structure are a special case of Gap-DH groups. These are groups inwhich the computational Diffie–Hellman problem (CDHP) is hard while the corresponding decisionproblem DDHP is easy. Joux and Nguyen [JONG 2003] show that the two problems can beseparated and give a realization via supersingular elliptic curves.Supersingular elliptic curves were shown to have this additional structure (cf. Sections 24.2.1).For a long time this was considered a weakness since it makes the DLP in G no harder than in H.Joux [JOU 2000] was the first to propose a positive application of bilinear maps, namely tripartitekey exchange. For the extended version of the paper see [JOU 2004].In this section we first repeat this protocol and then show how to extend it to more than threeparties. As a second topic we introduce ID-based cryptography. We picked these examples asthey are historically the first constructive applications of DL systems with bilinear structure. Theymotivate the study of suitable groups with respect to fast implementations of the bilinear map andalso the investigation of their security. As a third application we describe how one can use DLsystems with bilinear structure to build a signature scheme with short signatures.Some protocols require G = G ′ , for the others we can usually save some computations of scalarmultiples per participant if the groups are equal. In the remainder of this section we will sometimesassume that we are in this favorable case since it simplifies the description of the protocols.Furthermore we make the assumption that the DLP is hard in G (G ′ )andH.24.1.1 Multiparty key exchangeFor the convenience of the reader we recall Joux’s [JOU 2000, JOU 2004] tripartite key exchangeprotocol.Let P be a generator of G and P ′ one for G ′ . We state the algorithm for the viewpoint of user A;user B and C follow the same steps with the roles interchanged accordingly.

§ 24.1 Protocols 575Algorithm 24.2 Tripartite key exchangeINPUT: The public parameters (G, ⊕,P,G ′ , ⊕ ′ ,P ′ ,H,⊞,e).OUTPUT: The joint key K ∈ H for A, B, C.1. choose a A ∈ R N [a A is the secret key of A]2. (P A,P ′ A) ← ([a A]P, [a A]P ′ )3. send (P A,P ′ A) to B and C4. receive (P B,P ′ B) from B [P B =[a B]P and P ′ B =[a B]P ′ ]5. receive (P C,P C) ′ from C [P C =[a C]P and P C ′ =[a C]P ′ ]6. return K ← [a A]`e(P B,P C)´′Applying this algorithm, A, B,andC obtain the same element K of H asK =[a A ] ( e(P B ,P ′ C) ) =[a A a B a C ] ( e(P, P ′ ) ) =[a B ] ( e(P A ,P ′ C) ) =[a C ] ( e(P A ,P ′ B) ) .The joint key could be computed by an eavesdropper if the computational bilinear Diffie–Hellmanproblem (CBDHP) were easy, namely the problem of computing [a A a B a C ] ( e(P, P ′ ) ) given• the points P and P ′• the description of G, G ′ ,H,ande• the transmitted values [a A ]P, [a B ]P, [a C ]P ∈ G and [a A ]P ′ , [a B ]P ′ , [a C ]P ′ ∈ G ′ .The security of protocols is usually based on decision problems. The decision bilinear Diffie–Hellman problem (DBDHP) is the problem of distinguishing[a A a B a C ] ( e(P, P ′ ) ) from [r] ( e(P, P ′ ) )under the same conditions as for the CBDHP.To avoid a man-in-the-middle attack we usually assume that A, B, C participate in some publickeycryptosystem and can thus sign their messages. The receiver has to check the authenticity ofthe message before using it in the computation of the key. Some proposals use ideas from ID-basedcryptography (see below) to achieve authenticity.Assume that a group of more than three parties wants to agree on a joint key. If a public-keyinfrastructure exists, i.e., a directory listing public keys of all participants together with a certificateof their correctness, this can be solved by sending the encrypted key to each participant using Algorithm1.16 or 1.17. The first proposal for such a group key exchange was given in [INTA + 1982].The Burmester–Desmedt schemes I and II [BUDE 1995,BUDE 1997] give extensions of the Diffie–Hellman key exchange to more participants based on ordinary DL systems. The first one is contributory,i.e., the contribution of each participant is reflected in the key while the second one is noncontributorybut more efficient (O(n) vs. O(lg n) for n participants). Both protocols can be turnedinto authenticated key agreement protocols as described in [KAYU 2003, DELA + 2004]. Note thatthis approach does not prevent attacks from malicious insiders as described in [JUVA 1996], e.g.,participants not playing according to the rules — such as refusing to deliver messages or giving avalid signature on an incorrect message — can make the system insecure.

576 Ch. 24 Pairing-Based CryptographyThere exist many proposals combining multiparty key exchange with DL systems with bilinearstructure. This allows us to gain efficiency by at least a constant factor as the basic block consistsof three parties instead of two. The first authenticated scheme is proposed in [CHHW + 2004]and improved in [DELA 2004b]. In [BADU + 2004], Barua et al. propose a different arrangementof the participants which has some computational advantages, and to date the most efficient butnoncontributory scheme is described in [DELA + 2004].Group key exchange is combined with ID-based cryptography (see below) in [CHHW + 2004,DUWA + 2003] to achieve authenticity. Hence, they keep the two-party DH protocol as a buildingblock and apply the additional structure to get the sender’s identity involved. This eases the verificationof the messages since no extra public-key cryptosystem is involved, but it has the drawbackthat the long-term secret key of the ID-based system is involved in the protocol. Unless time stampsor other randomization techniques are used this allows for replay attacks.24.1.2 Identity-based cryptographyThe algorithms presented for general DL systems require the receiver of an encrypted message tohave set up his public key in advance. To solve the problem of sending a ciphertext to a personwho is not yet in the system leads to the concept of ID-based cryptography, [SHA 1984]. Here, thepublic key is derived in a deterministic way from the user’s identity parameters.In an ID-based system, the receiver then has to put in some effort to determine his private key.All systems proposed so far require a trusted authority (TA)tohelpinthisprocessanditisTAwho checks whether the entity is allowed to obtain the private key. The systems in Section 1.6.2and Section 23.5 require the sender to make sure that he receives the latest public key together witha certificate that the key actually belongs to the intended receiver. Identity-based systems allow thesender to choose the public key of the recipient, thus putting the workload on the person interestedin receiving the message.In the usual DL systems, a third party was only needed to guarantee that the public key belongsto a certain entity by issuing a certificate of the public key. Such a certification authority (CA)never sees the user’s private key. The drawback of ID-based systems proposed so far is that therethe trusted authority issues the private keys of the participants, i.e., a malicious TA could decrypt allincoming messages and sign on behalf of any participant. We present ID-based systems using DLsystems with bilinear structure — which up to now provide the only efficient examples. Burmesterand Desmedt [BUDE 2004] study in detail advantages and disadvantages of ID-based cryptography.We present the ID-based encryption protocol as proposed by Boneh and Franklin [BOFR 2001].An extended version achieving chosen ciphertext security can be found in [BOFR 2003]. They basethe protocol on a DL system with bilinear structure in the special case that e : G × G → H,i.e.,thefirst two groups are equal.We assume that each participant can be uniquely identified by a bit-string ID and that there isa map, usually taken to be a cryptographic hash function, h 1 : {0, 1} ∗ → G, such that one canassociate a group element to every identity. We give implementation details for this hash function inSection 24.2.5 for the realization of G as a subgroup of the Jacobian of some curve. Let the messagespace be given by bit-strings of fixed length M = {0, 1} n . We also need a second hash functionh 2 : H →M.Before one can use the scheme, the trusted authority TA sets up the system by choosing a group(G, ⊕,P) with bilinear map e to H and computing the public key P TA =[a TA ]P . The systemparameters (G, ⊕,H,⊞,P,P TA ,e) are made public, the integer a TA is kept secret and serves as themaster key.

§ 24.1 Protocols 577Algorithm 24.3 Identity-based encryptionINPUT: A message m, public parameters (G, ⊕,H,⊞,P,P TA,e), and the identity of the recipientID.OUTPUT: The ciphertext (R, c).1. choose r ∈ R N2. R ← [r]P3. Q ← h 1(ID)4. S ← e(P TA,Q) [S ∈ H]5. c ← m XOR h 2([r]S)6. return (R, c)The group element Q = h 1 (ID) is the public key of the user with identity ID. As we assume theDLP in G to be hard, it is not possible to compute the corresponding private key as log P (Q). Thisis the point where TA enters the scene. After checking that the user is allowed to obtain his privatekey, TA performs the following algorithm:Algorithm 24.4 Private-key extractionINPUT: The parameters (G, ⊕,P), the master key a TA, and the identity ID.OUTPUT: The private key A ID ∈ G of ID.1. Q ← h 1(ID)2. A ID ← [a TA]Q3. return A IDOnce this private key is obtained, TA is no longer needed and A ID is used as the private key. If hethinks that the key might be compromised, the sender can append the time to ID. Then a furtherinteraction of ID with TA is needed. For the decryption, the bilinear structure is used again.Algorithm 24.5 Identity-based decryptionINPUT: The ciphertext (R, c), the parameters (G, ⊕,P,P TA,e), and the private key A ID.OUTPUT: The message m.1. T ← e(R, A ID)2. return m ← c XOR h 2(T )The algorithm works as specified asT = e(R, A ID )=e ( [r]P, [a TA ]Q ) =[ra TA ] ( e(P, Q) ) =[r] ( e(P TA ,Q ) )=[r]S.Clearly, this cryptosystem is weak if one can solve the DLP in G or H. The actual security is basedon the intractability of the CBDHP. To prove security in the random oracle model one needs toassume the intractability of the DBDHP.

578 Ch. 24 Pairing-Based CryptographyAs TA poses a critical point of security, it is recommended to use a secret sharing scheme to store themaster key a TA . This was already noticed in [BOFR 2003] and considered further in [LIQU 2003,BAZH 2004, DELA 2004a].For a large group of participants it is clearly not desirable that all participants need to contact TAto obtain their keys. Fortunately, the system allows a hierarchical structure as shown in [GESI 2002]and considered further in [DOYU 2003, BOBO + 2005].24.1.3 Short signaturesIn [OKPO 2001], Pointcheval and Okamoto show how a Gap-DH group can be used to design asignature scheme. Boneh, Lynn, and Shacham [BOLY + 2002, BOLY + 2004] give a realizationusing supersingular elliptic curves with the Tate–Lichtenbaum pairing as bilinear structure. In thisrealization the signature scheme has the advantage of offering shorter signature lengths comparedto DSA and ECDSA (cf. Chapter 23). We present the basic scheme using a DL system with bilinearstructure now and give details on the key length in Section 24.2.4.a. For simplicity we assumeG = G ′ but the scheme can be modified to allow different groups with a slightly modified securityassumption (for a discussion of this co-DHP see [BOLY + 2002, BOLY + 2004]).The system parameters consist of a DL system with bilinear structure (G, ⊕,P,e). Furthermore,a hash function h 1 : {0, 1} ∗ → G, mapping from the message space in the group is required. Forrealizations of h 1 see Section 24.2.5.Like in an ordinary DL system A’s private key consists of a secret integer a A , and the public keyis P A =[a A ]P (cf. Section 1.6.2).The signing procedure simplifies compared to Algorithm 1.18 and the signature consists only ofone group element.Algorithm 24.6 Signature in short signature schemeINPUT: A message m, system parameters (G, ⊕,P), and the private key a A.OUTPUT: The signature S on m.1. M ← h 1(m) ∈ G2. S ← [a A]M3. return SIf compression techniques exist in G, the signature can be even shorter. This will be the case for therealization with Jacobians of curves (cf. Section 24.2.4.a).To verify the signature the receiver performs the following steps:Algorithm 24.7 Signature verification in short signature schemeINPUT: The message m, the signature S, parameters (G, ⊕,P,e), and the public key P A.OUTPUT: Acceptance or rejection of signature.1. if S/∈ G then return “rejection”2. else M ← h 1(m)3. u ← e(P A,M)4. v ← e(P, S)5. if u = v then return “acceptance” else return “rejection”

§ 24.2 Realization 579Obviously, the signature scheme is valid since for a correct signature we haveu = e(P A ,M)=[a A ]e(P, M) =e(P, [a A ]M) =e(P, S) =v.The larger workload lies on the side of the verifier, since he must compute two pairings, whereas thesigner only needs to compute one scalar multiplication. But this meets the usual scenario encounteredin practice that the sender should sign every message and the receiver can decide whether it isworth the effort checking the signature, or if he believes that it is correct right away.Remark 24.8 Obviously short signatures do not require a DL system with bilinear structure but useonly the defining property of Gap-DH groups to compare u and v. We described the system inthis more restrictive setting, as curves lead to efficient instantiations allowing compression, and asuntil now curves with efficiently computable Tate–Lichtenbaum pairing constitute the only knownexamples of such groups.24.2 RealizationWe have seen in Section 6.4.1 that the Tate–Lichtenbaum pairing is a bilinear map from the JacobianJ C of a curve C/F q to the multiplicative group of F q k for some k depending on C and F q . If kis small, the pairing can be computed very efficiently, as explained in Chapter 16. The previoussection shows how it can be used for cryptographic applications. In this section, we will focus onrealizations of the Tate–Lichtenbaum pairing, namely how to use it in practice and how to createinstances with small k.Some systems require the bilinear map e to map G × G to H, while for the Tate–Lichtenbaumpairing the inputs come from two different groups e : G × G ′ → H. Therefore, we study efficientlycomputable isomorphisms from G to G ′ .Let C be a curve of genus g defined over F q with q = p d and p prime. Let J C be its Jacobian.In this section, we are only interested in cryptographic applications, so we assume that we work ina cyclic subgroup G of J C (F q ) of prime order l. The Tate–Lichtenbaum pairing maps the pointsof order l into some field extension of the base field F q (cf. Section 16.1.1 for details). The degreeof this extension is called the embedding degree and will always be denoted by k. In fact k isthe minimal number such that l | q k − 1, and the Tate–Lichtenbaum pairing takes its values inF ∗ q/(F ∗ k q) l . To achieve a unique representation one usually raises the result to the power of (q k −k1)/l such that this modified pairing maps to the l-th roots of unity µ l in F ∗ q. kThe size of this embedding degree is very important. Indeed, as mentioned above, the DLPin G cannot be harder than in µ l . The multiplicative group was considered as an example forindex calculus √ ) methods in Section 20.4 There it was shown that the security is subexponentialL q k(1/2, 2 for general fields and even Lq k(1/3,c) for the number and function field sieves asopposed to exponential security of J C for g 3. Therefore the parameters have to be chosen insuch a way that the DLP is hard in J C (F q ) and in µ l . Due to the different levels of security, kshould not be too small to avoid using a large finite field. On the other hand, if k is too large, thecomputation of the Tate–Lichtenbaum pairing becomes inefficient since a lot of computations areperformed in F q k or the field F q is too small such that the DLP in J C (F q ) is easy.By [BAKO 1998] a random elliptic curve has a large k and this result generalizes to larger genera.In the next sections, we first detail implementations on supersingular elliptic curves as they are themost important examples of curves with small embedding degrees and were the first to be proposedfor applications using pairings. We then consider supersingular hyperelliptic curves and concludewith constructions of nonsupersingular elliptic curves having a small embedding degree.

580 Ch. 24 Pairing-Based Cryptography24.2.1 Supersingular elliptic curvesWe now describe supersingular elliptic curves and their use for pairing-based cryptosystems. Supersingularabelian varieties are defined in Chapter 4 (cf. Definition 4.74). We recall some propertiesspecialized to elliptic curves here (cf. Definition 13.14).Definition 24.9 Let E be an elliptic curve defined over F q with q = p d .IfE[p e ] ≃{P ∞ } for all ethe curve is called supersingular, otherwise it is called ordinary.For us the most important property is that the trace t =Tr(φ q ) of the Frobenius endomorphismsatisfies t ≡ 0(modp). By the Theorem of Hasse–Weil 13.28 we have |t| 2 √ q. Hence, overprime fields F p with p 5, the condition implies t =0and the cardinality of E(F p ) satisfies|E(F p )| = p +1.Asl divides |E(F p )| = p +1, which in turn divides (p 2 − 1), we see that forsupersingular curves over large prime fields the embedding degree is bounded by 2. As outlined inSection 6.4.2, Menezes, Okamoto, and Vanstone [MEOK + 1993] prove that the embedding degreefor supersingular elliptic curves is always less than or equal to 6. In fact, we can even say more. It isproved in Section 6.4.2 that the upper bound on the embedding degree depends on the characteristicofthebasefield:• in characteristic 2 we have k 4,• in characteristic 3 we have k 6,• over prime fields F p with p 5 we have k 2,and these bounds are attained.This means that for supersingular elliptic curves over large prime fields we must work in a largerfield than usual for curve-based cryptography. For current security parameters we should choose aground field with around 2 512 elements to obtain a satisfying level of security, since the finite fieldF q k needs to have at least 2 1024 elements to adhere to the proposals. But this is to the detriment ofefficiency, since we have to compute on some larger field for the same level of security (note that thecurrent proposals assume elliptic curves with 2 160 elements to offer sufficient security). Therefore,it is preferable to work in characteristic 2 or, even better, in characteristic 3 and on curves with themaximal possible k.Once the curve is chosen and k has been determined, the algorithms from Chapter 16, usuallyreferred to as Miller’s algorithms, can be used to implement the protocols from the previous section.Particular care should be taken when working in characteristic 3 as this is not very common andsome specific algorithms and improvements to the computation of the pairing should be used, whichwe now consider.24.2.1.a Efficient Tate–Lichtenbaum pairing in characteristic 3In characteristic 3 (i.e., q =3 d ), it is quite natural to use a triple and add algorithm instead of thestandard double and add method used to describe Miller’s algorithm as proposed in [GAHA + 2002]and [BAKI + 2002]. In the computation of the Tate–Lichtenbaum pairing we compute the l-fold ofa point of order l keeping some information along the way. In general, let ∑ l−1i=0 n i3 i be the signedbase 3 representation of the integer n where n i ∈{0, + − 1} and n l−1 =1.LetP be some point onthe elliptic curve; the computation of the scalar multiplication [n]P proceeds as follows

§ 24.2 Realization 581Algorithm 24.10 Triple and add scalar multiplicationINPUT: An integer n represented in signed base 3 format P l−1i=0 ni3i and a point P ∈ E(F 3 d).OUTPUT: The scalar multiple [n]P .1. T ← P2. for i = l − 2 down to 0 do3. T ← [3]T4. if n i =1 then T ← T ⊕ P5. if n i = −1 then T ← T ⊖ P6. return TRemark 24.11 Obviously, all the algorithmic improvements explained in Chapter 9 can easily beapplied to this basic algorithm.To apply this algorithm efficiently, of course, we need the formulas for tripling. Note that a supersingularelliptic defined over F 3 d can always be represented by an equation of the formy 2 = x 3 + a 4 x + a 6 .Let P =(x 1 ,y 1 ) ∈ E(F 3 d), then using the division polynomials (cf. Section 4.4.5.a) one sees that[3]P is given by)(x 331 + a 3 6[3]P =a 4 +2 a 6, 2 y33 14 a 4 a 6 · (24.1)4As cubing is linear in characteristic 3, point tripling on curves of this form can be done in timeO(d) (and even O(1) in normal basis representation), which is very efficient and corresponds to thelinearity of point doubling for supersingular curves in characteristic 2 as discovered by Menezes andVanstone [MEVA 1990]. Moreover this provides an inversion-free algorithm for tripling (assumingthat 1/a 4 is precomputed). In total, this leads to a triple and add algorithm, which is much moreefficient than the standard double and add algorithm.Unfortunately, an inversion is required to compute the pairings since we need to compute 1/y toobtain the equations of the lines (cf. Chapter 16 for details). Indeed, to triple the point P =(x 1 ,y 1 )we need the lines L 1 and L 2 involved in the doubling of P and the lines L ′ 1 and L′ 2 involved in theaddition of P and [2]P . These lines are given by the following equations [GAHA + 2002]:L 1 : y − λx +(λx 1 − y 1 )=0 with λ =2 a y 1the slope of the tangent at P,L 2 : x − x 2 =0 with x 2 = λ 2 + x 1 ,L ′ 1 : y − µx +(µx 1 − y 1 )=0 with µ =L ′ 2 : x − x 3 =0 with x 3 = µ 2 − x 1 − x 2 .( y31a 2 − λ )As previously, let us write the integer l in signed base 3 expansion, namelythe slope of the line through P and [2]P,∑l−1l = l i 3 i with l i ∈{0, + − 1} and l l−1 ≠0. (24.2)i=0The following algorithm is a version of Miller’s algorithm 16.1.3.c in base 3 which is well adaptedfor base fields of characteristic 3.

582 Ch. 24 Pairing-Based CryptographyAlgorithm 24.12 Tate–Lichtenbaum pairing in characteristic 3INPUT: An integer l = P l−1i=0 li3i as in (24.2) and the points P ∈ E(F 3 d)[l], Q ∈ E(F 3 dk)[l].OUTPUT: The Tate–Lichtenbaum pairing T l (P, Q).1. choose S ∈ R E(F 3 dk)2. Q ′ ← Q ⊕ S3. P 2 ← [2]P4. f 2 ← f(Q ′ − S) [f is such that div(f) =2P − P 2 − P ∞]5. if n l−1 =1 then T ← P and f 1 ← 16. else T ← P 2 and f 1 ← f 27. for i = l − 2 down to 0 do8. T ← [3]T [use (24.1)]9. f 1 ← f 3 110. if l i =1 then11. T ← T ⊕ PL 1 L ′ 1L 2 L ′ 2(Q ′ − S) [L 1,L ′ 1,L 2 and L ′ 2 are the lines arising in [3]T ]12. f 1 ← f 1L 1L 2(Q ′ − S) [L 1 and L 2 are the lines arising in T ⊕ P ]13. if l i = −1 then14. T ← T ⊖ PL15. f 1 ← f 1f 1 2 L 2(Q ′ − S) [L 1 and L 2 are the lines arising in T ⊖ P ]316. return f dk −11 lRemarks 24.13(i) Remember that Q ′ − S is a divisor, so that f(Q ′ − S) = f(Q′ )f(S) ·(ii) Algorithm 24.2 is just an equivalent form of Miller’s basic algorithm, and all the improvementsexplained in Chapter 16 can of course be applied.(iii) The final exponentiation can be omitted if one does not need a unique representative perclass of F ∗ q k /(F ∗ q k ) l . For example, in Algorithm 24.6 one could first compute only the24.2.1.bclasses u and v and check whether (u/v) (qk −1)/l = 1.Distortion mapsThe main drawback of the Weil pairing is that W l (P, P) is always equal to 1. Hence, the pairing isdegenerate if applied to the cyclic subgroup of order l in both arguments. This is not the case withthe Tate–Lichtenbaum pairing. Frey, Müller, and Rück state in [FRMÜ + 1999] thatifl 2 does notdivide the cardinality of the elliptic curve over F q k, the Tate–Lichtenbaum pairing applied to a pointwith itself yields a primitive l-th root of unity (see also Example 6.10).Otherwise, i.e., if l 2 ||E(F q k )|, a modification is required to make the pairing nontrivial on thecyclic subgroup generated by P ∈ E(F q ). Verheul [VER 2001, VER 2004] suggests to make useof the fact that the endomorphism ring of a supersingular elliptic curve is an order in a quaternionalgebra. In particular this implies that the ring is not commutative and, hence, there exists anendomorphism ψ such that P and ψ(P ) lie in disjoint cyclic groups of order l in E(F q k). He

§ 24.2 Realization 583calls these endomorphisms distortion maps. They give the possibility of sending points from onel-torsion subgroup to another (different) one, over F q k. In this way we define a new pairing byT l(P, ψ(Q)). In most applications, P and Q are defined over Fq and lie in the same subgroupof order l of E(F q ),andψ is a non-F q -rational endomorphism. We now give examples of suchendomorphisms.24.2.1.cExamplesIn this part, we give some examples of supersingular elliptic curves in various characteristics that canbe used to build pairing-based cryptosystems. These examples come from [JOU 2000, JOU 2004],[BAKI + 2002], and [GAHA + 2002]. One needs finite fields F q k of 1024 bits to achieve that theDLP in the multiplicative group F ∗ qis as hard as the DLP of a 160-bit elliptic curve because therekare subexponential algorithms solving the DLP in finite fields while no subexponential algorithm isknown for solving the DLP on elliptic curves. The following types of supersingular elliptic curvescome with a fixed embedding degree k but allow to choose q. We state the needed size of q toachieve that simultaneously the DLP on the curve and in F ∗ qis hard. In fact as all these curveskare supersingular, the finite fields are all chosen larger than necessary as k is bounded by 6 (cf.Section 24.2.1).Over prime fields F p (p ≠ 2, 3), there are two well-known families of supersingular ellipticcurves. The first family is given by the equationy 2 = x 3 + a 4 x (24.3)when p ≡ 3(mod4). The latter condition ensures that −1 is a nonsquare in F q . As a distortionmap we can thus choose (x, y) ↦→ (−x, iy) with i 2 = −1 as this maps P ∈ E(F q ) to a point of theextension field F q 2 and hence to a linearly independent group.The second family is given by the equationy 2 = x 3 + a 6 (24.4)when p ≡ 2(mod3). As a distortion map we can choose (x, y) ↦→ (jx,y) with j 3 =1,j ≠1,which maps to F q 2 as there are no nontrivial cube roots of unity in F q .In[BOFR 2001,BOFR 2003],Boneh and Franklin suggested this setting with a 6 =1together with the Weil pairing to realize theirID-based encryption scheme.In both cases, the order of the curve is equal to p +1and the embedding degree is equal to 2(which is the maximal possible value in this case), so that p must be chosen of the order of 2 512 .However, as noticed by Boneh and Franklin [BOFR 2001] this does not mean that l must beof this size. Indeed, for this level of security, it is sufficient to work on a subgroup of E(F q ) ofapproximately 160 bits. In fact, the cardinality of E(F q ) need not be almost prime as usual but canbe of the form p +1= cl with l a 160-bit prime number and c some large cofactor. Hence, thenumber of loops in Miller’s algorithm is not increased but the computations need to be carried outover far too large a field.It is possible to have an embedding degree equal to 3 in large characteristic using curves of theform (24.4) defined over F p 2 with p prime and a 4 /∈ F p (in which case a 340-bit base field can beused).Over F 2 d, we can use the subfield curves given by the equationand the distortion mapy 2 + y = x 3 + x + a 6 , with a 6 =0 or 1(x, y) ↦→ (x + s 2 ,y+ sx + t) with s, t ∈ F 2 4d, s 4 + s =0 and t 2 + t + s 6 + s 2 =0.

584 Ch. 24 Pairing-Based CryptographyThese curves have 2 d +1+ − 2 (d+1)/2 points and an embedding degree equal to 4 (which is themaximal value in characteristic 2). As a consequence a 256-bit base field is sufficient. Again, thisis not satisfactory but better than in large characteristic and, of course, we can again use a subgroupof 160-bit prime order.Furthermore, as shown in the first part of Section 13.3, doublings are particularly fast on this typeof curve and the arithmetic profits from the coefficients being defined over the ground field.Finally, in characteristic 3 we can use the curves given by the equationsy 2 = x 3 + x + a 6 , with a 6 = + − 1whose embedding degree is 6 and cardinality is 3 d +1+ − 3 (d+1)/2 (the precise cardinality in termsof d modulo 12 and a 6 is given in [JOU 2000]). In this case we can choose the distortion map(x, y) ↦→ (−x + s, iy) with s 3 +2s +2a 6 =0 and i 2 = −1.For these curves the tripling in (24.1) is even simpler given by [3]P =(x 33 , −y 33 ). The relativelylarge embedding degree allows at least a satisfactory efficiency with respect to the level of securityobtained. Indeed, in this case it is sufficient to choose a 170-bit base field.Moreover, for the examples in characteristic 2 and 3, it can be advantageous to use the particularstructure of the extensions involved in these examples. In fact, Galbraith, Harrison, and Solderaexplain in [GAHA + 2002] how to work efficiently in F 2 4d and F 3 6d where d is prime (cf. alsoSection 11.3).Thanks to these results, it is possible to choose an elliptic curve with an embedding degree equalto 6 defined over some field of about 2 170 elements, so that transferring the discrete logarithmproblem gives one on a 1020-bit field, which is not easier to solve. Thus, using pairings in this casecan be done without loss of security and (almost) without loss of performance.Moreover, to increase the level of security, the growth in the group size for elliptic curves is muchsmaller than for finite fields, e.g., an elliptic curve of 160 bits is assumed to offer security similarto a finite field of 1024 bits, and when the finite field size is increased to 2048 bits, the size of theelliptic curve is only increased to 200-230 bits. Thus, larger embedding degrees are required to keepacceptable performance in both groups.To get around this problem, we can either use hyperelliptic supersingular curves for genus g 3,or try to find ordinary elliptic curves with larger embedding degrees. We treat these two possibilitiesin the next sections.24.2.2 Supersingular hyperelliptic curvesMost of this section is based on [GAL 2001a]. We first recall that a hyperelliptic curve is said to besupersingular if its Jacobian is isogenous, over F q , to a product of supersingular elliptic curves (cf.Definition 4.74).As in the case for elliptic curves, there exists an upper bound, denoted by k(g), on the embeddingdegree for supersingular curves depending only on the genus and not on the abelian variety[GAL 2001a] (cf. Section 6.4.2).We will now give effective values for these bounds for higher genera (we have shown above thatk(1) = 6). In fact, in terms of security, the interesting value is k(g)/g and it is called the securityparameter. It represents the logarithmic ratio between the size of the Jacobian and the size of thefinite field F q k, which are the important parameters for security. Using cyclotomic polynomials,

§ 24.2 Realization 585Galbraith proves thatk(2) = 12,k(3) = 30,k(4) = 60,(k(2)/2 =6),(k(3)/3 =10),(k(4)/4 =15).This shows that for hyperelliptic curves one can obtain larger embedding degrees, but it also showsthat genus 2 supersingular curves do not solve the problem of the too-small embedding degreeencountered with elliptic curves. On the contrary, higher dimensional abelian varieties seem toprovide better ratios (for instance, 10 for dimension 3). Note that the bounds are upper bounds andthat Galbraith shows that they are sharp, in the sense that they are attained, but it is not proved thatthey can be attained for the Jacobian of a hyperelliptic curve.Remark 24.14 In cryptosystems based on general abelian varieties A/F q , the security depends onthe cyclic subgroup of A(F q ) of prime order. Thus, in cryptography, we are only interested insimple abelian varieties (i.e., those that do not decompose as products of lower dimensional abelianvarieties). For this case, Rubin and Silverberg prove in [RISI 1997] that Galbraith’s bounds are notattained for dimensions greater or equal to 3.Just as for elliptic curves, the largest security parameters (or the largest embedding degree) achievabledepend on the characteristic of the base field.In the following table [RISI 1997], we give the highest security parameters attainable with simplesupersingular abelian varieties for dimensions g up to 6 defined over F q with q = p d (the sign —means that there is no simple supersingular abelian variety in this case).Table 24.1 Security parameter k(g)/g for simple supersingular abelian varieties.g 1 2 3 4 5 6q arbitrary (Galbraith’s bounds) 6 6 10 15 24 3515 11 7q square 3 3 34 5 214 15 22q nonsquare, p>3 2 33 4 5 7q nonsquare, p =2 4 6 — 5 — 615q nonsquare, p =3 6 2 62— 7In dimension 2, the best bound obtained is the same as Galbraith’s. It is interesting to note that itis attained in characteristic 2, which is more convenient for implementations than characteristic 3(which is required in genus 1). As an example, Galbraith suggests the hyperelliptic curve C/F 2given by C : y 2 + y = x 5 + x 3 , which has embedding degree equal to 12.In higher dimensions, bounds for the security parameters are smaller for simple supersingularabelian varieties than for general ones. The largest security parameter is 152=7.5 and it is attainedfor a supersingular simple abelian variety of dimension 4 in characteristic 3. Rubin and Silverberg[RISI 1997] construct such an abelian variety by using the Weil restriction of scalars of anelliptic curve (which is explained in Chapter 7). For this example the field sizes can be chosensmaller than for supersingular elliptic curves.

586 Ch. 24 Pairing-Based Cryptography24.2.3 Ordinary curves with small embedding degreeAs seen in the previous sections, supersingular curves are not optimal for constructing cryptosystemsbased on the Tate–Lichtenbaum pairing, for at least two reasons.The first reason is that supersingular elliptic curves (or higher genus curves and more generallyabelian varieties) attain large embedding degrees only in small characteristic (e.g., char(F q )=3for elliptic curves and char(F q )=2for genus 2 curves). This implies in particular that for thefinite field F q k the security estimates have to take into account Coppersmith’s attack [COP 1984].Furthermore, recent generalizations of the Weil descent approach [GAU 2004, DIE 2004] (cf. Section22.3.5) make these fields with small characteristic more suspect to attacks.The second reason is that larger embedding degrees will be necessary in the future in order tomaintain an optimal ratio between the security in the Jacobian of the curve and the security in thefinite field F q k, and higher genus curves (or higher dimensional abelian varieties) do not really solvethis problem as seen in Section 24.2.2.In this section, we will explain how to solve these two problems by constructing ordinary ellipticcurves defined over some prime field with a large embedding degree. This is not easy since theresults of Balasubramanian and Koblitz [BAKO 1998] show that curves having a large prime ordersubgroup usually have a large extension degree. Luca and Shparlinski [LUSH 2005] generalize thisstudy to arbitrary elliptic curves. Therefore, trying to find at random an elliptic curve suitable forpairing-based protocols (i.e., one with a moderately small embedding degree k ∼ 10 and a largesubgroup of prime order) is not appropriate. It is therefore quite natural to try to construct suchcurves using the CM-method explained in Chapter 18.24.2.3.aConstructing ordinary elliptic curves defined over F p with k 6F pThe first work in this direction is due to Miyaji, Nakabayashi, and Takano [MINA + 2001] whodescribe how to construct ordinary elliptic curves with an embedding degree equal to 3, 4, or6having a large subgroup of prime order. Their method is quite restrictive since it is is necessary tofind an elliptic curve with prime order. To allow a small cofactor, Scott and Barreto [SCBA 2004],following previous work with Lynn [BALY + 2003, BALY + 2004a], transformed these conditionsinto a condition on cyclotomic polynomials: let E be an elliptic curve defined over F q with trace tand cardinality equal to cl with l prime (and c small). Then, the subgroup of order l in E(F q ) hasembedding degree equal to k if and only if l | Φ k (t − 1) and l ∤ Φ i (t − 1) for i

§ 24.2 Realization 587using q = cl + t − 1 and Φ k (t − 1) = c ′ l . In the cases we are interested in, the degree of thecyclotomic polynomial is always 2 so that this equation is quadratic. Setting n 3 =2c + c ′ , n 4 = c ′ ,n 6 = −2c + c ′ , m =4c − c ′ , r = c ′ mD, y = m(t − 1) + n k and f k = n 2 k − m2 , the CM-equationsimplifies to the generalized Pell equationy 2 − rv 2 = f k .Such Diophantine equations are a classical topic in number theory and can easily be solved (cf.[SMA 1998]or[COH] for details). For each solution, we must check that• t = y−n km+1is an integer• l = Φ k(t−1)cis prime, and′• q = cl + t − 1 is prime (or a power of a prime but, as noticed in [DUEN + 2005], thisseems hopeless).These are restrictive conditions so that solutions are rare — especially since in addition q and l mustbe in a range interesting for cryptographic applications. Still, this leads to a probabilistic algorithmthat finds an ordinary elliptic curve with a given embedding degree equal to 3, 4,or6.Algorithm 24.15 Construction of elliptic curves with prescribed embedding degreeINPUT: An embedding degree k =3, 4, or6, the maximal cofactor c max, and the maximal discriminantfor the CM-algorithm D max.OUTPUT: AprimefieldF q and an elliptic curve E such that |E(F q)| = cl with c c max and lprime or “failure”.1. λ ←−2⌊k/2⌋ +42. for c =1 to c max do3. for c ′ =1 to 4c − 1 do4. n k ← λc + c ′5. m ← 4c − c ′6. f k ← n 2 k − m 27. for D =1 to D max squarefree do8. r ← c ′ mD9. for each solution of y 2 − rv 2 = f k do10. t ← (y − n k )/m +111. l ← Φ k (t − 1)/c ′12. q ← cl + t − 113. if t ∈ Z and l is prime and q is prime then14. return q and CM(q, t,D)15. return “failure”Remarks 24.16(i) The input value of c max must be chosen small for reasons of efficiency of the cryptographicapplication and D max must not be too large to facilitate the CM-algorithm.

588 Ch. 24 Pairing-Based Cryptography(ii) Scott and Barreto [SCBA 2004] give some congruential restrictions (on c ′ and D) toeliminate some impossible solutions and speed up this algorithm. They also notice thatsome congruences give better results than others (for instance D ≡ 3(mod8)).Example 24.17 This algorithm allows Scott and Barreto to find several ordinary elliptic curvessuitable for pairing-based cryptosystems such asy 2 = x 3 − 3x + 259872266527491431103791444700778440496305560566defined over the 160-bit prime field F p ,wherep = 730996464809526906653170358426443036650700061957,and which has a 160-bit prime order subgroup of sizel = 730996464809526906653171213409755627912276816323and embedding degree k =6.They also find curves defined over fields of size 192, 224,and256 bits with very small cofactorsand embedding degrees equal to 6,cf.[SCBA 2004].This algorithm cannot be generalized directly to higher values of the embedding degree. In fact, ituses the fact that the k-th cyclotomic polynomial for k =3, 4,or6 has degree equal to 2 so that theCM-equation can be solved. For higher values of k the degree of the k-th cyclotomic polynomial islarger than or equal to 3 and we must use other methods.24.2.3.bConstructing ordinary elliptic curves with larger embedding degreeIn [BALY + 2003, BALY + 2004a], the authors notice that the conditions required in the previousmethod are too restrictive for larger values of k and the CM-equation cannot be reduced to Pell’sequation and thus cannot easily be solved. They avoid these problems by• relaxing the condition on the size of c, which can be of the size of l,• choosing a value to serve as solution to the CM-equation, and then• searching for parameters that yield a CM-equation with this particular solution.In this way they produce examples of curves with embedding degree 7, 11,and12.However, since the condition on the size of c has been omitted, the curves that are obtained havea subgroup of prime order l of size only √ q. This loss of efficiency is not very suitable for cryptographicpurposes. In some applications such as short signatures [BOLY + 2002, BOLY + 2004]there are further reasons that require the same size for l and q. Otherwise, the use of such curvesresults in an increase of length of ciphertexts or generated signatures.Dupont, Enge, and Morain [DUEN + 2005] also find solutions of CM-equations for larger valuesof the embedding degree but they use a different approach. They choose the maximal value for thetrace with respect to the Hasse–Weil bound so that the solution to the CM-equation must be small.They then use an exhaustive search on the remaining parameters. They also produce examples withlarge embedding degrees (up to 50) but their approach has the same drawback: the curves obtainedcannot be used for efficient cryptosystems since q has twice the number of bits as l. Note that solarge degrees are not useful for the settings considered here; an embedding degree of 1024/160, i.e.,of 6 or 7, is optimal for current security requirements and in the near future, where the finite fieldF q k should have 2048 bits, k =10is a good choice.More recently, Brezing and Weng obtained a better cofactor (i.e., a better ratio between the sizeof the field and the size of the subgroup of prime order) under certain conditions [BRWE 2004].

§ 24.2 Realization 589For instance they can find ordinary elliptic curves with an embedding degree equal to 8 such thatln qln l = 5 4so that a 200-bit prime field is required for 160-bit security.Thus, by using CM-methods as explained above it is possible to construct ordinary elliptic curveswith small embedding degrees. Of course, the main drawback of those methods is that ordinaryelliptic curves have no distortion maps, which are required in many protocols, so that, up until nowit is usually more practical to use supersingular curves.Fortunately, as noticed in [BAKI + 2002] and mentioned above, some protocols or variants ofprotocols do not require such maps (i.e., can work with G ≠ G ′ ). This is for instance the case in theshort signature protocol [BOLY + 2002, BOLY + 2004] or in the ID-based encryption [BOFR 2001]described in Section 24.1, since the second divisor can be chosen in E(F q k) E(F q ), thanks to thehash function (see next section for more details).This approach has been partially generalized to hyperelliptic curves in [GAMC + 2004].24.2.4 PerformanceIn the following we comment on additional performance issues, namely the signature length, andcompare performance between supersingular and ordinary curves.24.2.4.aShort signaturesThe signature scheme based on Gap-DH systems was proposed as a scheme with short signatures.In [BOLY + 2002, BOLY + 2004] the authors suggest using a supersingular elliptic curve E overF 3 d with maximal embedding degree k =6. The signature then consists of a point on the curve.By Section 13.2.5 a point can be uniquely represented by the x-coordinate and one further bit. Ifcompression is used the signature has a length of only d lg 3. For the proposed parameters this resultsin a very much shorter signature than in DSA and of half the bit-size than in ECDSA since there,two integers modulo l are required. As a drawback, the decompression requires some additionalalgorithms to recover the y-coordinate. The same considerations apply to hyperelliptic curves aswell.24.2.4.bComparison of ordinary and supersingular elliptic curvesIn [PASM + 2004], Page, Smart, and Vercauteren compare the efficiency of pairing-based cryptosystemsusing supersingular elliptic curves with those using ordinary elliptic curves constructedas explained above. As already noticed, the main drawback of ordinary curves is the absence ofdistortion maps. To cope with this, we can use hash functions taking their values in E(F q k) asexplained in the next section. In this manner, the hashed point is defined over E(F q k), onwhicharithmetic is slower than on E(F q ). For instance in the short signature scheme explained in Section24.1.3, a scalar multiplication of this hashed point is required. Thus if an ordinary curve isused, we must perform a scalar multiplication on E(F q k), whereas if a supersingular curve is used,it is only necessary to perform a scalar multiplication on E(F q ) as the distortion map transforms theresult to an element in E(F q k).On the other hand, ordinary elliptic curves are defined over a base field F ql of large characteristic,whereas supersingular curves interesting for cryptographic applications are defined over a basefield F qs of small characteristic and algorithms for solving DL on finite fields are more efficient insmall characteristic [COP 1984, JOLE 2002]. Studying the complexities in detail, the authors of[PASM + 2004] prove that, for the same level of security, we needq s = q 1.7l .It follows that for supersingular curves we need much larger base fields than for ordinary curves.

590 Ch. 24 Pairing-Based CryptographyTaking this into account, the arithmetic on ordinary curves is more efficient than the one on supersingularcurves for the same level of security.Moreover, we have seen that embedding degrees larger than 6 can be obtained with ordinaryelliptic curves, while this is not the case for supersingular ones.Finally, ordinary elliptic curves are more efficient for pairing-based protocols, except for applicationsto signature schemes, for which a costly scalar multiplication is required. Nevertheless, wecould swap the roles of G and G ′ to obtain a more efficient signature generation.24.2.5 Hash functions on the JacobianHere we deal with the issue of defining a cryptographic hash function h 1 : {0, 1} ∗ → G, takingvalues in a subgroup G of the Jacobian of some curve. Such a hash function is needed in ID-basedcryptography (cf. Section 24.1.2).In general, such hash functions are hard to build in practice. Therefore, Boneh and Franklindescribe in [BOFR 2001] how to relax the requirements. Instead of hashing directly onto a Jacobian,one can hash onto some set A ⊆{0, 1} ∗ (using standard hash functions) and then use an admissibleencoding function to map A onto the Jacobian. An encoding function is said to be admissible if itis computable, c-to-1 and samplable ([BOFR 2001]), where c is the cofactor (|J C (F p )| = cl). It isproved in [BOFR 2001] that this relaxation does not affect security.Example 24.18 Boneh and Franklin give an example of admissible encoding functions for the ellipticcurve y 2 = x 3 +1defined over F p (where p ≡ 2(mod3)is prime). They use a standardhash function from {0, 1} ∗ to F p . This allows us to obtain a y-coordinate y 0 . Then the x-coordinatex 0 is obtained byx 0 =(y 2 0 − 1) 1/3 =(y 2 0 − 1) (2p−1)/3 .Finally they compute the scalar multiplication [c](x 0 ,y 0 ) to obtain a c-to-1 map.Of course, this kind of map can be applied to other curves. Galbraith generalizes this example in[GAL 2001a] as follows: the identity bit-string is concatenated with a given padding string andthen passed through a standard hash function taking its values in F q . This process is repeatedusing a deterministic sequence of padding strings until the output is the x-coordinate (or the firstpolynomial u(x) in the higher genus case) of an F q -rational element of the Jacobian. It is then easyto find the remainder of the representation of this element using the decompression techniques (cf.Sections 13.2.5, 13.3.7, 14.2.1, and 14.2.2). Finally, this element is multiplied by c.This method provides an F q -rational element of the Jacobian. Often an F q k-rational element isrequired to ensure that the pairing is nontrivial. For supersingular curves, distortion maps can beused to transform the element obtained above to an F q k-rational one. But for ordinary curves, thisis not possible.

Chapter ¾Compositeness and Primality TestingFactoringRoberto M. Avanzi and Henri CohenContents in Brief25.1 Compositeness tests 592Trial division • Fermat tests • Rabin–Miller test • Lucas pseudoprime tests •BPSW tests25.2 Primality tests 596Introduction • Atkin–Morain ECPP test • APRCL Jacobi sum test • Theoreticalconsiderations and the AKS test25.3 Factoring 601Pollard’s rho method • Pollard’s p − 1 method • Factoring with elliptic curves •Fermat–Morrison–Brillhart approachPrimality and factoring are essential in many aspects of public-key cryptography. RSA is still themost widely used public-key cryptosystem, and its fundamental idea is based on the difficulty offactoring compared to the simplicity of primality testing. In addition, in ECC and HECC we needto work in groups whose order is either prime or a small factor times a large prime, so once againprimality is essential.The simplest attempt to factor an integer n is of course trial division. But the main breakthroughin primality and compositeness testing was made by Fermat thanks to his “little” theorem a n−1 ≡ 1(mod n) when n is a prime not dividing a. Although this does not give a necessary and sufficientcondition for primality, it can be modified so that the number of exceptions becomes vanishinglysmall. Such modifications are called compositeness tests since they will prove a number composite,but will never prove that a number is prime, only give a “moral certainty” of that fact. Deepermodifications lead to true primality tests, giving a proof of primality. Once a number n is provencomposite, we can either be content with that fact, or want to know the factors of n, and this is thewhole subject of factoring.There are two attitudes that one can have with respect to compositeness and primality testing. Ifwe are content with the fact that a number is almost certainly, but not yet provably prime, we canstop there, and declare our n to be an industrial-grade prime number. The disadvantage is that thismay be false, and as a consequence it can induce either bugs or security holes in cryptosystems using591

592 Ch. 25 Compositeness and Primality Testing – Factoringthat number. The big advantage is that the test is very fast and easy to implement, so for instance adynamical generation of industrial-grade primes can be included in a smart card environment.If we want higher security, or if we can spare the time, or simply if we want mathematical rigor,we must use a true primality test. These are much more complex than compositeness tests, bothin the mathematics involved (although the mathematics of the AKS test is quite simple), and in thealgorithmic description.Finally, if we know that a number is composite, we may want to know its factors. This leads tothe vast domain of factoring, which includes a wide variety of basic methods, and of variants ofthese methods.Since this book is primarily targeted to elliptic and hyperelliptic curve cryptosystems, we will notgive too much detail of the algorithms, but refer the reader to the abundant literature on the subject,for instance to [COH 2000].Our focus is on generic methods. Techniques that only work for inputs of a certain form (such asMersenne numbers) will not be considered here. Information about them can be found in any goodbook on computer algebra.As we remarked in Chapter 19, when constructing a cryptosystem based on the DLP in a group,the order of the latter must be prime or almost prime. After point counting, the order must bechecked for suitability, or, if a curve is constructed by means of complex multiplication, the possibleorders must be checked for (almost) primality. Moreover, some of the methods presented here makeuse of the theory of elliptic and hyperelliptic curves, and are themselves applications of the ideasgiven in other chapters. In general, their implementation can take advantage of the techniques thatwe describe elsewhere in this book; see for example Chapters 9, 11, 13, and 14.25.1 Compositeness testsWe begin with compositeness tests. These are tests that can prove that a number is composite orassess that it is a prime with a certain probability. This might seem strange, since a given integeris either prime or composite. It refers to the fact that a run of the test will possibly not be ableto identify some composites as such. Running the test several times with different parameters —or using a combination of different tests — can increase the probability that a number identifiedas a probable prime is indeed prime, but will never give us complete certainty unless an explicitprimality proof is given. For this purpose, primality tests have been devised, and we shall see themin Section 25.2.25.1.1 Trial divisionAs already mentioned, the simplest method for factoring a number n, and in particular to detectwhether it is prime or composite, is trial division. This can be done in several ways. We coulddivide n by all integers up to n 1/2 until either a nontrivial factor is found or n is declared primebecause it is not divisible by any such integer. An evident improvement that gains a multiplicativefactor is to divide only by 2, 3, and integers congruent to + − 1 modulo 6, or more generally to use awheel, in other words to use as divisors elements of congruence classes of integers coprime to someinteger W , together with the prime divisors of W . The number W should not be chosen too largesincewehavetostoreatableofϕ(W ) integers, where ϕ denotes Euler’s totient function. Anotherpossibility is to use a precomputed table of prime numbers up to some bound B. Ifn B 2 thiswill be sufficient to factor n, otherwise the prime number table will at least tell us that the smallestprime factor of n is larger than B. Once again B should not be chosen too large since there are moreefficient ways than trial division for removing small factors, for instance, Pollard’s rho method.

§ 25.1 Compositeness tests 59325.1.2 Fermat testsThe fundamental remark, due in essence to Fermat, that allows us to distinguish between primesand composites without factoring is that an element g of a finite group G of cardinality N satisfiesg N =1,where1 denotes the identity element of G. Applied, for instance, to G =(Z/nZ) ∗ for nprime, it gives Fermat’s little theorema n−1 ≡ 1 (mod n) when gcd(a, n) =1.If n is not prime but satisfies this condition, we say that it is a pseudoprime to base a. If the conditionis not satisfied, then we call a a Fermat witness for the compositeness of n.Although it is not a necessary and sufficient condition (for instance 2 340 ≡ 1 (mod 341) although341 = 11×31 is not prime), the pseudoprimality test is already very useful for the followingtwo reasons:• The number of exceptions, although infinite, is quite small. In other words, if n is apseudoprime to base a there is already a good chance that n is in fact prime.• The test is practical, in other words it is easy to compute a n−1 mod n using any reasonableexponentiation method in Z/nZ, cf. Chapter 9. This is in marked contrast withother tests such as those based on Wilson’s theorem (n − 1)! ≡−1(modn) if andonly if n is prime, since it is not known how to compute (n − 1)! mod n in a reasonableamount of time (and this is probably impossible).Pseudoprimes to base 2 are sometimes also called Poulet numbers or Sarrus numbers. There are1091987405 primes less than 25 × 10 9 and 21853 nonprime pseudoprimes to base 2 – a relativelysmall number, but still too large for some applications.To improve on this test (i.e., to reduce the number of exceptions), we can use several bases a.Unfortunately, even such a stronger test has infinitely many exceptions since there exist infinitelymany nonprime n such that a n−1 ≡ 1(modn) for all a coprime to n. Such a composite numbern without any Fermat witnesses is called a Carmichael number. It is easy to show that Carmichaelnumbers must satisfy very strong conditions: an integer n is a Carmichael number if and only if itis squarefree and p − 1 divides n − 1 for all prime factors p of n. As a consequence, Carmichaelnumbers are odd and have at least three prime factors. On the other hand, it has been quite difficultto show that there are infinitely many Carmichael numbers. In [ALGR + 1994] it has been proventhat the number of Carmichael numbers up to x is at least x 2/7 for x large enough (2/7 ≈ 0.285).The exponent has been improved to ≈ 0.293 in [BAHA 1998] and, recently, to ≈ 0.332 by Harmanin [HAR 2005]. Erdős [ERD 1956] conjectured that there are x 1−o(1) Carmichael numbers up tox for x large. Granville and Pomerance [GRPO 2002] give convincing arguments to support thisconjecture and also their own that, for any given integer k 3, therearex 1/k−ok(1) Carmichaelnumbers up to x with exactly k prime factors.There are only 2163 Carmichael numbers less than 25 × 10 9 [POSE + 1980]. The Carmichaelnumbers under 100000 are561, 1105, 1729, 2465, 2821, 6601, 8911, 10585,15841, 29341, 41041, 46657, 52633, 62745, 63973, and 75361.Richard Pinch gives a table of Carmichael numbers up to 10 17 on his web site [PINCH].It is possible and important to use more sophisticated groups G than (Z/nZ) ∗ . These groupsmust have the following properties:• The cardinality of G should be equal to some simple function f(n) when n is prime,and rarely be a divisor of f(n) if n is not prime (or even better, the group law maynot be defined everywhere if n is not prime). In the example G =(Z/nZ) ∗ we havef(n) =n − 1.

594 Ch. 25 Compositeness and Primality Testing – Factoring• It must be easy to compute in G, and in particular to detect if an element is equal to theidentity element 1 of G.As examples of such groups we mention subgroups of finite fields and the group of rational pointsof an elliptic or (of the Jacobian of) a hyperelliptic curve over a finite field.All these groups can also be used for factoring, but then we need some additional properties thatwe will mention below.25.1.3 Rabin–Miller testThe Fermat test is very attractive because of its simplicity, but it is not able to identify the Carmichaelnumbers as composite. As Pomerance [POM 1990] writes: Using the Fermat congruence is sosimple that it seems a shame to give it up just because there are a few counter examples! Henceimproved tests have been devised that aim to reduce the number of incorrectly identified composites,but without sacrificing too much of the beauty of the Fermat test.Certainly the most important of all compositeness tests improving upon the Fermat test is theRabin–Miller test. It is based on the following additional property of a prime number n: ifx 2 ≡ 1(mod n) then x ≡ + − 1(modn). Thus instead of testing only that a n−1 ≡ 1(modn) we writen − 1=2 t m with m odd, and then it is easily seen that either a m ≡ 1(modn) or that there existsan integer s with 0 s t − 1 such that a 2sm ≡−1(modn). If these conditions are satisfied wesay that n is a strong pseudoprime to base a.If a 2s+1m ≡ 1(modn) and b = a 2sm ≢ + − 1(modn) for some 0 s t − 1,thenn must becomposite, and gcd(b +1,n) is a nontrivial factor of n. In fact, if a is chosen uniformly at randomin [2,n− 2], the test furnishes a proper divisor of a Carmichael number with probability at least1/2.As such, this simply gives a stronger test than the basic Fermat test. For instance, although 340is a pseudoprime to base 2, it is not a strong pseudoprime because 2 170 ≡ 1 (mod 341) while2 85 ≢ + − 1 (mod 341). The smallest nonprime strong pseudoprime to base 2 is n = 2047. Thefollowing list [POSE + 1980] gives all composite numbers up to 25 × 10 9 that are simultaneouslystrong pseudoprime for bases 2, 3 and 5:25326001, 161304001, 960946321, 1157839381, 3215031751,3697278427, 5764643587, 6770862367, 14386156093,15579919981, 18459366157, 19887974881, and 21276028621.The only number of the above that is also a strong pseudoprime to base 7 is 3215031751.The basic result due to Rabin and Monier is that for a given nonprime n the number of falsewitnesses, i.e., of a between 1 and n such that n is a strong pseudoprime to base a is at most equalto n/4, in fact at most equal to ϕ(n)/4, whereϕ is Euler’s totient function. Thus, by repeating thetest a small number of times (for instance, 20), and assuming that the tests are independent (whichthey are not), we can say that n has a very high probability of being prime, and so is an industrialgradeprime, according to a name coined by one of the authors. The above procedure is called theRabin–Miller test.Thus, after a small trial division search, one applies the Rabin–Miller test and the outcome isas follows: if the test has failed for some a this gives a proof that n is composite, usually withoutgiving any clue to its factors. If it is necessary to know the factors of n, we must then use a factoringmethod. On the other hand if every test has succeeded, then there is a very high probability that n isprime. Note however that in this case the tests will never prove that n is prime. To prove primality,we must use a primality test. Such a test will have two possible outcomes: either it will give a

§ 25.1 Compositeness tests 595proof that n is prime, or it will give a proof that n is composite, this last alternative being extremelyunlikely since it is essentially ruled out by the Rabin–Miller test.There are other similar strengthenings of the Fermat test, for instance, the Solovay–Strassencompositeness test, which checks whether( aa (n−1)/2 ≡ (mod n),n)where ( an)is the Legendre–Kronecker symbol. This test is strictly weaker than the Rabin–Millertest since every strong pseudoprime to base a passes this test, but the number of exceptions for agiven nonprime n can be as large as ϕ(n)/2 instead of ϕ(n)/4. Since the probability of error (thatis, the probability that it fails when n is composite) is higher than in the Rabin–Miller test, the samedegree of confidence can be achieved by using more iterations of the test.Slightly more complicated tests have been introduced that reduce the proportion to 1/4 as in theRabin–Miller test, but to little advantage: in practice the Rabin–Miller test efficiently distinguishesbetween prime and composite numbers, although if the number is prime a primality proof is alwaysnecessary afterwards, except if we are content with industrial-grade primes (for instance, when weneed to generate large prime numbers in real time on a smart card).25.1.4 Lucas pseudoprime testsFor a reference to the facts mentioned in this section, see [RIB 1996]. √ ) ( √ )Let P and Q integers satisfying D := P 2 − 4Q >0,andletρ = 2( 1 P + D , σ =12 P − Dbe the roots of the equation x 2 − Px+ Q =0. Consider the two sequencesU k = ρk − σ kρ − σThe sequences U k and V k satisfy{U 0 =0, U 1 =1,and, for k 0,V 0 =2, V 1 = P,and V k = ρ k + σ k .{U k+2 = PU k+1 − QU k ,V k+2 = PV k+1 − QV k .The terms of the sequences can be very efficiently obtained by means of recurrence relations thatpermit the construction of a kind of double-and-add-like ladder for each value of the index k consistingof O(lg k) steps. These relations are{U 2k = U k V k ,V 2k = V 2k − 2Qk ,{U 2k+1 = U k+1 V k − Q k ,V 2k+1 = V k+1 V k − PQ k .We have the following result, which is exactly analogous to the one leading to the notion of strongpseudoprime.Theorem 25.1 Let p be a prime number not dividing 2QD, and write p − ( )Dp =2 t m with m odd.Then either p | U m or there exists s with 0 s t − 1 such that p | V 2s m.A composite number n relatively prime to 2QD and such that either n | U m , or there exists s with0 s t − 1 such that p | V 2 s m,wheren − ( )Dn =2 t m with m odd, is called a strong Lucaspseudoprime with respect to the parameters P and Q.A weaker notion is that of a Lucas pseudoprime, which is defined as a composite number n thatis coprime to 2QD, and such that the Legendre symbol ( )Dn =1,andn | Un+1 .TherearenoevenLucas pseudoprimes [BRU 1994], and the first Lucas pseudoprimes are 705, 2465, 2737, 3745,...There are several additional definitions, such as that of extra strong Lucas pseudoprime [MOJO],Frobenius pseudoprime, Perrin pseudoprime, and probably many more scattered in the literature.See, for example, [GRA 2001].

596 Ch. 25 Compositeness and Primality Testing – Factoring25.1.5 BPSW testsBaillie and Wagstaff [BAWA 1980] and Pomerance et al. [POSE + 1980, POM 1984] proposed atest (or rather a related set of tests), now known as the BPSW probable prime test, whichisacombination of a strong pseudoprime test and a “true” Lucas test, i.e., with ( )Dn = −1.There are several variants, such as the following, modeled around the description in [POM 1984]:1. Perform a strong pseudoprime test to base 2 on n.• If this test fails, declare n composite and halt.• If this test succeeds, n is probably prime: perform the next step.2. In the sequence 5, −7, 9, −11, 13,...find the first number D for which the Legendresymbol ( )Dn = −1, then perform a Lucas pseudoprime test with discriminant D onn. Some authors perform here a strong Lucas pseudoprime test in place of the Lucaspseudoprime test. Marcel Martin uses a different sequence for finding D, namely D =5, 21, 45,...,(2k +1) 2 − 4,...which may lead to a faster search. This approach mighthave been suggested by Wei Dai, but the attribution is uncertain.• If this test fails, declare n composite and halt.• If this test succeeds, n is very probably prime.Pomerance [POM 1984] originally offered a prize of $30 for discovery of a composite numberthat passes this test, but the offer was subsequently raised to $620 by Selfridge and Wagstaff.PRIMO [PRIMO] author Marcel Martin uses the BPSW test in his ECPP (cf. Section 25.2.2) software.Based on the fact that in more than 3 years of regular usage the ECPP part of his softwarenever found a composite that passes the BPSW test, he estimates that no composite up to about10000 digits (the current limit for ECPP) can fool the latter. Still, its exact reliability is not yetknown.Grantham [GRA 1998] provided a pseudoprimeness test (RQFT) with probability of error lessthan 1/7710, and he pointed out that the lack of counter examples to the BPSW test was a quitestrong hint that probability of error of the latter may be much lower.Zhenxiang Zhang [ZHA 2002] has a variant of the BPSW test called the one-parameter quadratic-basetest (OPQBT), that is passed by all primes 5 andpassedbyanoddcompositen with acertain probability of error that is also very carefully analyzed.The running time of the OPQBT is asymptotically 4 times that of a Rabin–Miller test in the worstcases, but only twice that of a Rabin–Miller test for most composites. This, together with the muchhigher reliability of the test, should result in a test that is faster that the Rabin–Miller test for a given,asymptotically very high, reliability level on large numbers.25.2 Primality testsThis section is devoted to primality tests, i.e., to tests that can identify prime numbers with certainty.25.2.1 IntroductionNote first that primality tests may be error-prone, since they may only give a one bit yes/no answer.Thus if there is any mistake, either in the algorithm or in the implementation, it will be difficult todetect, and the only remedy is to use another algorithm and another implementation on the samenumber. Thus, if possible, we will ask the primality test not only to give a proof of primality, but

§ 25.2 Primality tests 597also a primality certificate, in other words some data that will allow anyone to prove the primalityof the number for himself much more rapidly than the initial proof. Of the two main primality testsin use today, the ECPP test gives such a certificate, while the APRCL test does not, at least withoutconsiderable modifications.The simplest primality test is the Pocklington–Lehmer test. Although completely superseded, itcontains the basic ingredients of modern primality tests. It is based on the following result.Proposition 25.2 Let n be a prime number. Then for every prime divisor p of n − 1, one can findan integer a p such thata n−1p ≡ 1 (mod n) and gcd ( a p (n−1)/p − 1,n ) =1.Conversely, if this is satisfied and n>1,thenn is prime.The problem with using this proposition is that it is necessary to find the prime factors of n − 1,hence essentially to factor n − 1, which may be impossible in practice. Although this test can beimproved in a number of ways, and combined with tests coming from other subgroups of finitefields (in other words, essentially Lucas-type tests), it is basically limited in scope because of theneed to factor.25.2.2 Atkin–Morain ECPP testECPP stands for elliptic curve primality proving. The initial method is described in [ATMO 1993].See [FRKL + 2004] for the latest version. This is currently the primality test of choice, and hasfor some time held the record for the size of general numbers that have been proved prime (specialnumbers such as Mersenne numbers can be proved prime using faster methods). In any case, forcryptographic purposes, ECPP and the other modern primality test APRCL are just as efficient,since a 1024 bit number, for example, can be proven prime in less than a minute by both algorithms.The ECPP primality test is based on a result very similar to the one used for the Pocklington–Lehmer test, replacing the group (Z/nZ) ∗ by the group E(Z/nZ), whereE is a suitable ellipticcurve.Proposition 25.3 Let n>1 be an integer coprime to 6. Assume that we can find a plane ellipticcurve E defined over Z/nZ, a point P ∈ E(Z/nZ), and a positive integer m satisfying thefollowing conditions:• [m]P = P ∞ ,whereP ∞ is the identity element of the elliptic curve.• There exists a prime divisor q of m such that q>(n 1/4 +1) 2 and [m/q]P =(X : Y : Z)in projective coordinates with gcd(Z, n) =1.Then n is prime.The integer m above is in practice going to be the cardinality of E(Z/nZ) (if n is prime), but itis not necessary to know this in advance. This is similar to the Fermat–Pocklington–Lehmer testwhere one uses n − 1 as a supposed cardinality of (Z/nZ) ∗ , although this is not yet known.There are two apparently quite difficult problems that we must solve to be able to use Proposition25.3. The first one is to find a suitable integer m, hence essentially to compute the cardinality ofE(Z/nZ). The second is once again to factor m so as to find a suitable prime divisor q. Apriorithis seems to make life even more difficult than for the Pocklington–Lehmer test. However, this isnot at all the case, because of the following two crucial remarks.• Contrary to the Pocklington–Lehmer test we can vary the elliptic curve E, sothatifwe have some algorithm that can compute the cardinality m of E(Z/nZ) (when n is

598 Ch. 25 Compositeness and Primality Testing – Factoringprime), we use trial division on m to see whether there exists a large (pseudo)primedivisor q of m, and if this does not seem to be the case or cannot be determined easilywe simply choose another curve. This is the basis of the theoretical and nonpracticalGoldwasser–Killian test.• Although there do exist efficient (polynomial time) algorithms for computing m, itismuch better to use the theory of complex multiplication to construct elliptic curves Efor which m can be immediately computed. This is the basis of the Atkin–Morain ECPPtest.To use complex multiplication, cf. Chapter 18, we must find a negative discriminant D (not necessarilyfundamental) such that n splits in the quadratic order of discriminant D as a product of twoelements n = ππ or, equivalently, such that there exist integers a and b with a 2 +|D|b 2 =4n. Ifthisis the case, it is immediate to construct an elliptic curve E over Z/nZ with complex multiplicationby the given order (see below), and we have the simple formula|E(Z/nZ)| = n +1− π − π = n +1− a.A necessary condition for n to split as a product of two elements is ( Dn)=1. This will occur withprobability approximately equal to 1/2. This necessary condition will also be sufficient if the classnumber h(D) of the order is equal to 1, and this occurs only for 13 values of D, namely D = −3,−4, −7, −8, −11, −12, −16, −19, −27, −28, −43, −67, or−163. Otherwise,if ( Dn)=1therewill be a probability close to 1/h(D) for n to split as a product of two elements.The basic Atkin–Morain test thus proceeds as follows. We choose discriminants D in sequenceof increasing h(D), and for a given D we test whether ( Dn)=1and whether 4n is of the forma 2 + |D|b 2 . This last condition can easily be checked using a Euclidean type algorithm calledCornacchia’s algorithm, see[COH 2000]. Once a suitable D has been found, as well as the correspondinginteger a, we compute m = n +1− a. Ifm can easily be factored and is found to havea pseudoprime divisor q>(n 1/4 +1) 2 we can apply Proposition 25.3 and prove (or very rarelydisprove) that n is prime. If we cannot easily factor m we go on to the next value of D.To finish the description of the test we explain how to construct the elliptic curve E, givenadiscriminant D satisfying the above conditions. Assume first that D ≠ −3 and D ≠ −4. Wefirstcompute the elliptic j invariants of the h(D) classes of the order of discriminant D as complexnumbers, using one of the efficient formulas for j. We then form the monic polynomial H D (X)whose roots are these h(D) values, in other words the class polynomial, see Chapter 18. The theoryof complex multiplication tells us that H D (X) has integer coefficients, and gives an estimate onthe size of these coefficients, so if we have used sufficient accuracy we simply round to the closestinteger the coefficients of the polynomial that we have obtained so as to compute H D (X). Sincewehave chosen D such that n splits as a product of two elements, the theory of complex multiplicationalso tells us that the polynomial H D (X) will split modulo n as a product of h(D) linear factors, atleast if n is prime. If we call j one of the h(D) roots modulo n the elliptic curve E can be definedby the equationy 2 = x 3 − 3cg 2k x +2cg 3k ,where c = j/(j − 1728), g is any quadratic nonresidue modulo n and k is 0 or 1. Although itseems that we obtain in this way many different elliptic curves, corresponding to the choice of theroot j, of the nonresidue g and of k, it is easily shown that there are only two nonisomorphic curvesE, corresponding for instance to a fixed choice of j and g and the two possible values of k. Thecardinality |E(Z/nZ)| of these curves is equal to n +1− a or n +1+a, so we have two chancesof obtaining a suitable curve for a given D

§ 25.2 Primality tests 599for n ≡ 1(mod4), we have the four curvesy 2 = x 3 − g k x,where as before g is any quadratic nonresidue modulo n but now 0 k 3. IfD = −3, hence forn ≡ 1(mod3), we have the six curvesy 2 = x 3 − g k ,where 0 k 5 and where g is not only a quadratic nonresidue but also a cubic nonresidue, inother words must also satisfyg (n−1)/3 ≢ 1 (mod n).Remarks 25.4(i) The above method in fact leads to a recursive test: after having found a suitable ellipticcurve E andanintegerm having a large strong pseudoprime factor q, we must applythe method once again, but now with n replaced by q, until we reach integers that aresufficiently small to be shown prime by some other method.(ii) The ECPP test gives a primality certificate for the primality of n. Indeed, at each stageof the recursion it is sufficient to give the equation of the elliptic curve E, the integerm, andtheprimeq (note that the choice of the point P satisfying the hypotheses ofProposition 25.3 is unimportant and can be done very rapidly).(iii) We have only described the basic Atkin–Morain test. In an actual implementation thereare evidently many additional tricks that we will not give here.25.2.3 APRCL Jacobi sum testAPRCL stands for the initials of the five authors of this test (Adleman, Pomerance, Rumely, Cohen,Lenstra), see [ADPO + 1983], [COLE 1984], [COLE 1987].This test is based on a version of Fermat’s theorem in cyclotomic fields. It is considerably morecomplicated to explain than ECPP so we will be content with a sketch.Let χ be a Dirichlet character modulo some prime q (which in practice will not be very large, atmost 10 8 , say), and let ζ q =exp(2iπ/q) be a primitive q-th root of unity in C. Recall that the Gaußsum τ(χ) is defined byτ(χ) =∑χ(x)ζq x .x∈Z/qZOne of its basic properties is that when χ is not the unit character then |τ(χ)| = q 1/2 .Furthermoreif χ is a character of order 2 (in other words a real character) we even have τ(χ) =(χ(−1)q) 1/2 fora suitable choice of the square root.The basic idea of the APRCL test is the following proposition, stated purposely in vague terms.Proposition 25.5 Let n be prime, and let χ be a character of prime order p with p | q − 1. Inthering Z[ζ q ,ζ p ] we have the congruenceτ(χ) n ≡ χ(n) −n τ(χ n ).Conversely, if this congruence is true for sufficiently many characters χ, and if some easily checkedadditional conditions are satisfied then n is prime.

600 Ch. 25 Compositeness and Primality Testing – FactoringWe note that if we choose χ(n) = ( qn)we obtain again the Solovay–Strassen test, which reduces totest if q (n−1)/2 ≡ ( qn)(mod n).We must solve two important problems. One is theoretical: we must make precise the “sufficientlymany” and the additional conditions of Proposition 25.5. The second is practical: how doesone test the congruence, since even if q and p are moderately small the ring Z[ζ q ,ζ p ] may be quitelarge. The first problem is (almost) solved by the following theorem.Theorem 25.6 Let t>1 be an integer, and set e(t) = ∏ (q−1)|tq, where the product is over theprimes q such that (q − 1) divides t. For each q | t and for each prime p | (q − 1) choose anycharacter χ q,p modulo q of exact order p. Assume that the following conditions are satisfied:• For each such pair (p, q), we have the congruenceτ(χ p,q ) n ≡ χ p,q (n) −n τ(χ n p,q ).• For each p | t a technical condition L p is true.• We have gcd(te(t),n)=1and e(t) >n 1/2 .• For every i with 0

§ 25.3 Factoring 601running time that is polynomial in lg n, of the order of O ( lg n 4+ε) for the most recent implementations(fastECPP). This is indeed what is observed in practice, but is not proved. Also the test isprobabilistic.In its practical version the APRCL test is also probabilistic, with a proven expected running timethat is almost polynomial time, more precisely of O ( lg n C lg lg lg n) . It seems that in practice theAPRCL test is slower by a factor of 2 or 3 (although serious comparisons of professional-levelimplementations have never been made), but this is not at all because of its non-polynomial nature.Instead it is because of the higher complexity of the basic operations, in other words because of thesize of the implicit O constant. It is to be noted that there exists a deterministic version of APRCLwith a similar running time, but which is less practical.There have been two breakthroughs on the theoretical aspect of primality testing. The first oneoccured at the beginning of the 1980’s: Adleman–Huang [ADHU 1992] proved that primality testingwas in RP, in other words that there exists a probabilistic algorithm for primality proving thatcan be proved to run in expected polynomial time. Their quite sophisticated proof involves workingin the Jacobians of curves of genus 2 over finite fields.The most spectacular breakthrough took place in the summer of 2002 through the work ofAgrawal–Kayal–Saxena [AGKA + 2002], who proved that in fact primality is in P, inotherwordsthat there exists a deterministic polynomial time algorithm for primality testing. All the more remarkableis the fact that their algorithm is based on very simple considerations (in other words theunderlying groups are not complicated) and not on curves or higher-dimensional objects.Since their fundamental discovery, much progress has been done by experts in the field. Lenstraand Pomerance have for instance shown that modifications of the AKS ideas lead to a deterministicalgorithm that runs in time O(lg n 6+ε ). Even though the initial goal was to remove probabilistic aspects,Bernstein [BER 2004a] has found a probabilistic variant of AKS that runs in O(lg n 4+ε ).Thishas been discovered independently by Mihăilescu and Avanzi [MIAV 2003], and builds upon improvementsby Berrizbeitia [BER 2001b]. Qi Cheng has an interesting approach combining roundsof ECPP with rounds of AKS [CHE 2003]. For now it is not clear how promising this combinationmay be. The hope is to obtain a practical version, but for the moment we are far from that goal sincethe best implementations can handle numbers of 300 decimal digits, a far cry from the 10000 digitsthat ECPP can handle. Thus, since AKS is for the moment purely of theoretical interest, we do notdescribe it here but refer for instance to [MORAIN].25.3 FactoringContrary to primality testing, factoring need not be rigorous in any way, since if an algorithm claimsto output a factor of n this can trivially be checked by division.There are many more factoring methods than primality tests. This is due primarily to the factthat, contrary to primality, which is in a very satisfactory state, factoring is very difficult and almostno method is really superseded. For instance, even though Pollard’s rho method, which we shalldescribe in a moment, is much slower than more sophisticated methods, it is still used to removesmallish prime factors from n, much faster than trial division. Thus a good factoring engine in acomputer algebra system usually has a large combination of methods, and the implementer mustchoose carefully the sequence of methods to be used so as to optimize for speed.25.3.1 Pollard’s rho methodThis method is remarkable by its simplicity (a few lines of code) and the fact that it is much more efficientthan trial division for similar results. More precisely, while trial division requires (essentially)

602 Ch. 25 Compositeness and Primality Testing – Factoringtime O(p) to find a prime factor p of n, Pollard’s rho method requires time approximately O(p 1/2 ),which of course makes a huge difference. It is based on the following idea. Let f ∈ Z[X] be apolynomial with integer coefficients. Consider the sequence x k defined by x k+1 = f(x k )modn,(in other words x k+1 is obtained by reducing f(x k ) modulo n), and x 0 being arbitrary. If p is some(unknown) divisor of n we also have x k+1 ≡ f(x k )(modp), hence the sequence x k modulo p canbe considered as a sequence of iterates of the function f in the ring Z/pZ (note that p need not beprime). Since this ring is finite, the sequence is necessarily ultimately periodic with some period T .Now it can be shown that if we average over all sequences of iterates of all functions f, the averageof T is O(p 1/2 ) (much more precise results are known, see for instance [COH 2000]). Thus if weassume that our polynomial f behaves like a “random” map from Z/pZ to itself, the period of oursequence x k modulo p should be of the order O(p 1/2 ). This poses a number of questions which areall easily solved.• The choice of f. Evidently linear polynomials will not be random. On the other handthere is no need to choose polynomials of degree greater or equal to 3. Thus we choosef of degree 2, and to minimize computation time we simply choose f(x) =x 2 + c forsome c ∈ Z. Evidently we must choose c ≠0, but less evidently we must also choosec ≠ −2 because (y +1/y) 2 − 2=y 2 +1/y 2 . All other choices seem to be acceptable.• The detection of the periodicity modulo p. Since p is unknown, the congruence x k+T ≡x k (mod p) cannot be tested as written. Instead, we simply test whether gcd(x k+T −x k ,n) > 1. If this is not the case then certainly x k+T ≢ x k (mod p). On the otherhand if gcd(x k+T − x k ,n) > 1 then we may not have discovered p itself, but in anycase we have found a divisor of n strictly larger than 1, which with very high probabilitywill be nontrivial, i.e., not equal to n itself.• The detection of the condition gcd(x k+T − x k ,n) > 1, in other words cycle detection.We have studied this subject in detail in Section 19.5.1. Recall that a simple solutionis to test gcd(x 2k − x k ,n) > 1, which will be true as soon as k is simultaneously amultiple of T and larger than the length of the nonperiodic part. Of course we may missthe first occurrence of the period, and make a computation that is a little longer thannecessary, but this is largely compensated by the simplicity of the test. In practice oneuses the slightly more elaborate but much faster cycle-detection method due to Brentand explained in Section 19.5.1.c, see [KNU 1997]andalso[COH 2000].• The detection of the condition gcd(x 2k − x k ,n) > 1 or of conditions of the same type.We could of course store the x k as we go along. In fact it is much simpler, althoughwasteful in time, to have the two sequences x k and y k = x 2k considered as independentsequences, with the recursion y k+1 = f ( f(y k ) ) mod n. The storage requirements thusbecome O(1). However, an easy but important improvement must also be made: since agcd computation takes some time, it is much more efficient to group a large number ofgcd computations together by multiplying modulo n and doing a single gcd from timeto time. For instance, setting z k = x 2k − x k = y k − x k , to test whether z 0 ,...,z 20are all coprime to n (which they will be if n is large), we simply compute recursivelyZ = z 0 z 1 ···z 20 modulo n (which requires for each z k only one multiplication modulon, not a gcd with n), and compute gcd(Z, n). If this is equal to 1, wehaveshownthat all the z k are coprime to n. Otherwise (which happens only at the very end of thecomputation) we must backtrack our steps.Because of its simplicity and importance, we give the algorithm explicitly, including Brent’s cycledetectionmethod mentioned above adapted to our case.

§ 25.3 Factoring 603Algorithm 25.7 Pollard’s rho with Brent’s cycle detectionINPUT: A positive integer n.OUTPUT: A nontrivial factor of n or a failure message.1. y ← 2, x ← 2, x 1 ← 2, k ← 1, l ← 1, P ← 1 and c ← 02. while true do3. x ← x 2 + 1 mod n, P ← P × (x 1 − x) modn and c ← c +14. if c =20 then5. if gcd(P, n) > 1 then break6. y ← x and c ← 07. k ← k − 18. if k =0 then9. if gcd(P, n) > 1 then break10. x 1 ← x, k ← l and l ← 2l11. for i =1 to k do12. x ← x 2 + 1 mod n13. y ← x and c ← 014. repeat15. y ← y 2 + 1 mod n and g ← gcd(x 1 − y, n)16. until g>117. if g = n then the algorithm return fail else return gExample 25.8 If we choose n = 49649 the successive values of x will be 2, 5, 26, 677, 11489,30080, 3025, 15210, 29410, 12872, 9672, 8869, 15146, 22937, 25166, 4913, and we will discoverthat gcd(x 1 − x, n) = gcd(15210 − 25166, 49649) = 131 is a nontrivial factor of n after 15iterations (note that the last iteration leading to x k = 4913 is unnecessary, but comes from thecycle-finding method).25.3.2 Pollard’s p − 1 methodThis method is also due to Pollard [POL 1974]. By Fermat’s little theorem a p−1 ≡ 1(modp) forprime p and any integer a not divisible by p. It follows that if k is any integer multiple of p − 1we also have a k ≡ 1(modp). Furthermore, if p | n, thenp | gcd(a k − 1,n). Of course p isunknown, but we can use this to find the prime factor p of n by computing gcd(a k − 1,n) for anarbitrary integer a ∈ [2,...,n− 1] coprime to n: this is checked by a gcd computation (and, eventhough unlikely, one might already find a factor of n). For this to work we have to find a multiple kof p − 1, and the main problem is evidently that p − 1 is not known beforehand. Thus we hope thatn has a prime factor p for which p − 1 consists of the product of some small primes. If this is thecase we can choose for k a product of many small prime powers. This number might be very large,but a k is only computed modulo n, and recursively without computing the number k itself. If thisdoes not work we choose k having more prime power factors and try again, or, even better, we usea “second stage;” see [MON 1987] for implementation details.

604 Ch. 25 Compositeness and Primality Testing – FactoringThe result is that a prime factor p of n can be found in time proportional to the largest prime factorof p − 1. There also exists a straightforward variant of this method using p +1instead of p − 1[WIL 1982], which is the second cyclotomic polynomial. This is the reason that some cryptographicstandards require RSA moduli consisting of products of primes p for which p − 1 and p +1havelarge prime factors. However, there are similar methods using all cyclotomic polynomials: becauseof this and mainly because of the elliptic curve factoring method, which is only sensitive to the sizeof p (see Section 25.3.3) and which has a much lower complexity, such precautions are superfluous[RISI 1997].25.3.3 Factoring with elliptic curvesOne can rephrase Pollard’s p − 1 method in terms of B-smoothness: it attempts to find p dividingn for which p − 1 is B-smooth by computing gcd(a k − 1,n) for k equal to a product of the primepowers less than or equal to B. However, in almost all cases the largest prime in p − 1 is too largeto make this practical.The elliptic curve method (in short: ECM) due to H. W. Lenstra, Jr. [LEN 1987] is similar toPollard’s p − 1 method in the sense that it tries to exploit the smoothness of a group order. InPollard’s p − 1 method the groups are fixed: they are the groups (Z/pZ) ∗ for the primes p dividingthe number that we try to factor. The ECM randomizes the choice of the groups and of their orders.Such groups are, as the name of the method says, the groups of points of elliptic curves, thereforefor their definitions and arithmetic we refer to the sections on elliptic curves mentioned above.However, unlike the presentation given in the sections mentioned previously, here it is necessaryto consider curves defined over rings Z/nZ having zero divisors corresponding to the factors of n,which “behave like fields” until some impossible division has to be performed, revealing a nontrivialfactor of n. This is what Lenstra calls a “side-exit.”25.3.3.aElliptic curves over Z/nZ with n compositeNote that a complete theory of elliptic curves over Z/nZ with n composite exists. However, we donot need this theory here, but only some elementary remarks. Let n be a composite number coprimeto 6. An elliptic curve over Z/nZ is defined by a pair (a 4 ,a 6 ) ∈ (Z/nZ) 2 with 4a 3 4 +27a 2 6 ∈(Z/nZ) ∗ as the “curve” with equationE : y 2 = x 3 + a 4 x + a 6 .The set of points is, informally, the set E(Z/nZ) of pairs (x 1 ,y 1 ) ∈ (Z/nZ) 2 which satisfy theabove equation together with a point at infinity P ∞ . On that set we define, exactly as for thecurves defined over fields, an addition that we call a partial addition. In other words, we define:P ⊕ P ∞ = P ∞ ⊕ P = P for all P on E. Thepartial inverse −P of a point P =(x 1 ,y 1 ) such thatP ⊕ (−P )=P ∞ is the point (x 1 , −y 1 ).IfP, Q ∈ E(Z/nZ) {P ∞ } with Q =(x 2 ,y 2 ) ≠ −P ,we set{(y 1 − y 2 )/(x 1 − x 2 ) if x 1 ≠ x 2λ =(3x 2 1 + a 4 )/(2y 1 ) if x 1 = x 2and x 3 = λ 2 − (x 1 + x 2 ), and define P ⊕ Q = ( x 3 ,λ(x 1 − x 3 ) − y 1). Since in Z/nZ thereexist zero divisors that may appear as denominators in these formulas, the composition law mayfail to add points (this is why it is called a partial addition). Since in principle to invert a numbera modulo n we have to compute its extended integer gcd with n, a number a that corresponds to anontrivial zero divisor in Z/nZ will produce a nontrivial factor of n: one just has to put a “hook” inthe modular inversion routine to detect this fact (instead of just halting the software).

§ 25.3 Factoring 605Another, more mathematical way of considering the set of points of an elliptic curve over Z/nZfor n composite is by using projective coordinates. The set E(Z/nZ) is the disjoint union of threesubsets: first the usual set of affine points having projective coordinates (X : Y : Z) with Zinvertible modulo n, corresponding to the affine coordinates (XZ −1 ,YZ −1 ). Second, the pointat infinity P ∞ with projective coordinates (0:1:0). Finally and most importantly for the ECMfactoring method, the “interesting points” (X : Y : Z) where Z ≠0and Z is not invertible modulon. If n is prime there are no interesting points. On the other hand if n is composite these pointsexist, and for any such point the gcd of Z and n is not equal to 1 or n hence gives a nontrivial divisorof n. Thus the only purpose of the ECM method that we will see below is to perform computationsthat allow us after a while to land in the set of interesting points.25.3.3.bElliptic curves over Z/nZ modulo a primeLet now p be a prime dividing n. The elliptic curve E over Z/nZ and its set of points can be mappedonto an elliptic curve E p defined over F p simply by reducing modulo p the equation of E and thecoordinates of a point P ∈ E(Z/nZ), thus obtaining a point P p ∈ E p (F p ).LetP, Q ∈ E(Z/nZ).If the partial addition can successfully compute P ⊕ Q ∈ E(Z/nZ), then it is trivial to verify thatP p ⊕ Q p =(P ⊕ Q) p . Note that the algorithm detects a prime factor p of n (by failure of inversionmodulo n) if and only if it reaches a point P ∈ E(Z/nZ) for which the reduction modulo a factorp yields P p =(P ∞ ) p , the zero element in E p (F p ),butP ≠ P ∞ in E(Z/nZ).25.3.3.cThe algorithmRecall also that by Hasse’s theorem (cf. Corollary 5.76) we have |E(F p )| = p +1− t for someinteger t with |t| 2 √ p.IfE is randomly chosen among the elliptic curves over F p , it is reasonableto expect that |E(F p )| behaves like a “random number close to p+1.” Old results of Birch suggestedthat this is indeed plausible [BIR 1968] and we also have the following theorem of Lenstra:Theorem 25.9 [LEN 1987] There exist effectively computable positive constants c 1 and c 2 suchthat for each prime p 5 and for any subset S of integers in the interval [p +1− √ p, p +1+ √ p],the probability r S that a random pair (a 4 ,a 6 ) ∈ F p × F p determines an elliptic curve E : y 2 =x 3 + a 4 x + a 6 with |E(F p )|∈S is bounded as follows:c 1 ×|S|−22⌊ √ p⌋ +1 (ln |S|p)−1 r S c 2 ×2⌊ √ p⌋ +1 ln p (ln ln p)2 .Similar results for the case of elliptic curves over F 2 m can be deduced from the work of Waterhouse[WAT 1969] and Schoof [SCH 1987].Furthermore, there are results about the density of smooth integers in intervals [1,M] but notabout those in [M − √ M,M + √ M]. Therefore the runtime arguments are based on the heuristicassumption that these densities are equal: this has been confirmed by experiments and by the factthat the ECM so far behaves as predicted. (In passing, we mention that Croot [CRO 2003]hassomepartial results on the density of smooth numbers in intervals [M,M + H] where H = c √ (M) andthe constant c depends only on a lower bound on x.)Pick a 4 ,a 6 ∈ Z/nZ at random with 4a 3 4 +27a2 6 coprime to n (otherwise we might have beenso lucky to already have found a nontrivial factor of n). With such a 4 and a 6 , we define an ellipticcurve E over Z/nZ. In practice it is sufficient for a 4 to be a single precision random integer, whichreduces the cost of operations on E. Moreover, there is no need to check if gcd(4a 3 4 +27a2 6 ,n) ≠1,as this is extremely unlikely unless n has a small prime factor.Thus an elliptic curve E p = E mod p over F p is defined for each prime factor p of n, and|E p (F p )| behaves (heuristically) as a random integer close to p +1. Based on Lemma 20.7 with

606 Ch. 25 Compositeness and Primality Testing – Factoringr =1, α =1, s =1/2,andβ = √ 1/2 we can assume that |E p (F p )| = L p [1, 1] is L p [1/2, √ 1/2]-smooth with probability L p [1/2, − √ 1/2]. Putξ = L p [1/2, √ 1/2]. Thus, for a fixed p, once everyξ random elliptic curves over Z/nZ one expects to find a curve E for which |E p (F p )| is ξ-smooth:Assume that E is such and let k be the product of the primes ξ and some of their powers. Further,we let P be a random element of E(Z/nZ). Note that since n is composite, it is not easy tocompute a square root modulo n, hence to find a point P , so in practice we proceed in reverse byfirst choosing P =(x 1 ,y 1 ) at random modulo n, and setting a 6 = y 2 1 − (x3 1 + a 4x 1 ).Letk be a nottoo large product of enough prime powers so that the order of P p divides k, and attempt to compute[k]P in E(Z/nZ) using the partial addition.Suppose that for such a k the computation of [k]P is successful, i.e., it did not fail because ofnoninvertible denominators, which means that we find no nontrivial factors of n. Then[k]P equalssome R ∈ E(Z/nZ). Its reduction modulo p, i.e.,R p ∈ E p (F p ) would have been also obtained bycomputing the elliptic curve scalar product [k]P p in E p (F p ).Beingk a multiple of the order of P pwe have R p =(P ∞ ) p ∈ E p (F p ).ButR p =(P ∞ ) p if and only if R = P ∞ whence R q =(P ∞ ) qfor any prime q dividing n. It follows that k must be a multiple of the order of P when taken moduloany prime dividing n. ButE was a random curve such that |E p (F p )| was ξ-smooth: It is extremelyunlikely that for such a curve this would happen for all prime factors of n simultaneously.Thus it is much more likely that the attempt to compute R fails: the partial addition breaks downduring the computation of the scalar multiplication, producing a nontrivial factor of n that is amultiple of p.Since one in every ξ elliptic curves over Z/nZ can be expected to generate a factor, the totalexpected runtime is ξ times the time required to compute [k]P with k as above, which in turnrequires ξ partial additions, that is a cost O ( M(lg n)ξ ) where M(t) is the complexity of multiplicationsof t-bit numbers. The total heuristically expected running time is O ( ξM(lg n)ξ ) equalto O ( M(lg n)L p [1/2, √ 2] ) . This can be improved further using better scalar multiplication algorithms;see Chapter 9. In a nutshell: if it must fail, it will fail anyway. So it is better to do things asfast as possible to save time on all curves where it does not fail.It follows that using the ECM small factors can be found faster than large factors. For p ≈ √ n,the worst case, the expected runtime becomes L n [1/2, 1]. For composites without known properties,and, in particular, a smallest factor of unknown size, one generally starts off with a relatively smallk aimed at finding small factors. This k is gradually increased for each new attempt, until a factoris found or until the factoring attempt is aborted. See [BOLE 1995] for implementation details.The ECM can be easily turned into a parallel algorithm: any number of attempts can be runindependently on, say r processors in parallel, until one of them succeeds in finding a nontrivialfactor. The expected speedup is of a factor r.Remark 25.10 In order to speed up the computation of the partial additions, one might want to useadvanced implementations of the modular arithmetic. Suppose one wants to adopt the Montgomeryrepresentation, see Section 10.4, which works even for nonprime odd moduli. In this case, if thenumber a is a multiple of a prime factor p of the modulus n, also the Montgomery representationof a will be an integer divisible by p, and the inversion algorithm will discover it. For the coward:since the quantities involved are rather large, one is also still safe from the performance point ofview using the Barrett or the Quisquater reduction methods, cf. Section 10.4 again.25.3.3.dUsing Montgomery’s trickThe ECM requires one inversion modulo n per partial addition or doubling, which takes approximatelythe same time as computing a gcd with n. This slows operations down, and one wants toavoid it. One possible improvement is the use of projective coordinates. At the end of the computationof [k]P the gcd of the coordinates might yield a factor of n. The use of projective coordinates

§ 25.3 Factoring 607requires about 12 multiplications (13 in the case of a doubling) and no inversions. There is, however,a usually much faster approach that makes use of the trick due to Montgomery described inSection 11.1.3.c, Algorithm 11.15. How can it be deployed to improve the ECM? The usual methodwould have required i inversions (for instance: invocations of an extended Euclid algorithm) to dothe job. But this method requires only one inversion and 3(i − 1) multiplications modulo n. Thereforeit is superior as soon as one inversion is slower than three multiplications, and this is almostalways the case. Let τ be the ratio between the timings of an inversion and of a multiplication,both modulo n. The computation of a partial addition requires the computation of (x 1 − x 2 ) −1 ifthe points P =(x 1 ,y 1 ) and Q =(x 2 ,y 2 ) have distinct x-coordinates and of (2y 1 ) −1 if P = Q,plus two multiplications modulo n and some additions and subtractions. So if we work with mcurves in parallel — on a single processor in order to avoid slow intercommunication overheads —we get that the cost of a partial addition corresponds to 6+τ/m multiplications (7 +τ/m for adoubling). If m is large enough (m =50) this improvement can be remarkable (from a cost 6+τto about 6). Note however that working with several curves simultaneously on one single processormeans that the processor has to work with much more data, and the number of cache misses couldlead to a performance penalty that might overcome the advantages. The quantity m must be chosenwith care. Moreover, it seems to be rather intricate to combine this idea with sophisticated scalarmultiplication algorithms; see Chapter 9. However the combination with fixed-width non-slidingwindow methods seems to be relatively straightforward.Remarkable successes of the ECM were the factorizations of the tenth and eleventh Fermat numbers.A variant of the ECM suitable for the computation of discrete logarithms has never been published.25.3.4 Fermat–Morrison–Brillhart approachThis approach is based on Fermat’s factoring method of solving a congruence of squares modulo n:try to find integers x and y such thatx 2 ≡ y 2 (mod n) and gcd(xy, n) =1. (25.1)It then follows that n divides x 2 − y 2 =(x − y)(x + y) so that n =gcd(n, x− y)(n/ gcd(n, x− y),which may yield a nontrivial factorization of n with a probability of 1 − 2 1−k where k is thenumber of distinct odd prime factors in n. Fermat’s method to find x and y consists in tryingx = ⌊ √ n⌋ +1, ⌊ √ n⌋ +2,... in succession, until an x is found such that x 2 − n is a perfect square.In this form, however, the method has the same worst case running time as trial division, but is fasterif n is a product of two primes that are close to each other.Remark 25.11 These methods do not work if n is a prime power but this is checked easily. Ifn = p l where p is prime and l 1,thenn − 1=p l − 1 is divisible by p − 1 and, by Fermat’s littletheorem, if gcd(a, n) =1,thena n−1 ≡ 1(modp). Hence p | gcd(a n−1 − 1,n). Consequently, ifwe find an a such that gcd(a n − a, n) =1,thenn cannot be a prime power.Morrison and Brillhart [MOBR 1975] proposed a faster way to find x and y. Their approach consistsin constructing x and y using identities modulo n which are, supposedly, easier to solve. There aretwo phases. First, a set of relations is sought and, second, the relations are used to construct asolution to x 2 ≡ y 2 (mod n). This is, essentially, the same scheme also used in the index calculusalgorithms.

608 Ch. 25 Compositeness and Primality Testing – FactoringAlgorithm 25.12 Fermat–Morrison–Brillhart factoring algorithmINPUT: A rational integer n.OUTPUT: A nontrivial factor of n.1. Choose a factor baseGiven a smoothness bound B, letthefactor base P be the set of primes B.The cardinality of P is π(B).2. Collecting relationsCollect more than |P| integers v such that v 2 mod n is B-smooth:v 2 mod n =Y p∈Pp ev,p !.These congruences are called the relations.Let V be the resulting set of relations of cardinality |V| > |P|.3. Linear algebraEach v ∈V gives rise to a |P|-dimensional vector (e v,p) p∈P. Since |V| > |P|, thevectors {(e v,p) p∈P : v ∈V}are linearly dependent. This implies that there exist at least|V| − |P| linearly independent subsets S of V for which P v∈Sev,p =2sp is even for allp ∈P. These subsets S can, in principle, be found using Gaussian elimination modulo 2on the matrix having the vectors (e v,p) p∈P as rows.4. Compute a solutionFor any subset S of V given by the linear algebra stage and the corresponding integervector (s p) p∈P, the integersx = Y v∈Sv mod n and y = Y p∈Pp sp mod nform a solution to the congruence x 2 ≡ y 2 (mod n). Each of the |V| − |P| independentsubsets thus leads to an independent chance of at least 50% to produce a nontrivial factorof n.We did not mention how to collect the relations in Line 2. Morrison and Brillhart found them usingcontinued fractions. Dixon proposed a simpler (but slower) method: pick v

§ 25.3 Factoring 609If n is a perfect square, then it is easy to factor it, but we are excluding this case anyway in view ofthe remark opening the section. So √ n is irrational.There exist infinitely many rational approximations p/q of √ n such thatp∣q − √ n∣ < 1 q ,2which are obtained as the partial fractions (convergents) of the (infinite) continued fraction expansionfor √ n.Ifp/q is any such an approximation and ɛ is such that p/q = √ n + ɛ/q 2 thenp 2 − nq 2 = ( q √ n + ɛ/q ) 2− nq 2 =2ɛ √ n + ɛ 2 /q 2 .Since |ɛ| < 1,weget|p 2 − nq 2 | < 2 √ n +1/q 2 , whence all such values of p 2 − nq 2 are O( √ n) asdesired.Remarks 25.13(i) Observe that the numerators and denominators p and q are given by recurrence formulasinvolving the coefficients of the continued fraction of √ n. Since these continued fractionsare periodic, one can compute p and q directly modulo n instead of computing withunbounded integers. This trick was suggested by Montgomery.(ii) Note that the factor base is actually only half as big as it could be: if p ′ | (p 2 − nq 2 )then n must be a quadratic residue modulo p ′ unless p ′ | n. Sincen is assumed not to bea perfect square, asymptotically only half of the primes have n as a quadratic residue.Therefore, if B is the smoothness bound, the cardinality of the factor base is ≈ π(B)/2.25.3.4.bThe quadratic sieveMuch of the time in CFRAC is spent testing the residues p 2 −nq 2 for B-smoothness: factoring themessentially by brute force, but Pollard’s p − 1, rho methods and ECM might be also employed. Thequadratic sieve, proposed by Pomerance [POM 1983, POM 1985], eliminates this burden almostcompletely. It also tries to find small quadratic residues: those found by the quadratic sieve areslightly larger than those found by CFRAC, but can, in practice, be tested much faster.The method is based on the following observation: If f(X) ∈ Z[X] is a polynomial with integercoefficients and p is a prime number, then f(i) ≡ f(i + p) (modp) for all i.Suppose now that we want to check for smoothness the values of a polynomial f at severalconsecutive values of i,sayfori ∈ [0,...,L− 1].We present a first idea for doing it. Start by building a table of values of f(i) with 0 i

610 Ch. 25 Compositeness and Primality Testing – Factoring3. for all roots r of f(x) modulo p with 0 r

§ 25.3 Factoring 611condition b 2 − 4a 2 c = kn. This leads us to discard the case when f(ξ) and f(ξ + m) have the samesign and thus in the case f(ξ) < 0 0, δ := b 2 − ac > 0 satisfying n | δ. These polynomials are alsoequally useful as v(x) 2 sinceaf(X) =(aX + b) 2 − (b 2 − ac) ≡ (aX + b) 2(mod n).As soon as the values of one get too large for i large, a new polynomial is selected and sievingresumes again with i =0.By arguments similar to those for Montgomery’s polynomials, we obtain that: a could be chosenamong the prime numbers close to √ 2n/m with ( )na =1. Then b should satisfy b 2 ≡ n(mod a). The easiest way to do it works for about half of the primes: if a ≡ 3(mod4),pickb = n (a+1)/4 mod a. See Section 11.1.5 for more general square root algorithms. Finally, setc =(b 2 − n)/a. Wehavemax {|f(i)|} ≈ m√ n/2 as with Montgomery’s choice.i∈IThe resulting method is called the multiple polynomial quadratic sieve, or MPQS. There areseveral ways this basic algorithm can be improved upon: we present here some of the most importantand general ideas.25.3.4.dSelf-initializing polynomialsThe above description of the MPQS may lead us to think that we can try changing polynomials asoften as possible in order to make the residues as small as possible. Apart from the fact that thismight lead to collisions (i.e., small smooth residues found twice), this means, even with moderateswitching, that for each polynomial all roots modulo all primes B have to be computed. Anothervery time-consuming part is the inversion of the leading coefficient a 2 (in Montgomery’s version)or a (in Cohen’s version) modulo each prime in the factor base.Self-initialization works choosing a not prime, but a product of a few t (about 10) medium-sizedprime numbers p with ( )np =1. The number of possible b, hence the number of possible polynomialswith leading term a, is equal to the number of solutions of b 2 0 ≡ kn (mod a) or b2 ≡ n (mod a)in Cohen’s case (in Montgomery’s case this is similar), which is equal to 2 t−1 . This procedure thenleads to a speedup of a factor about 2 t−1 in the most time-consuming part of the root computationduring the sieve initialization phase. Faster root computation allows one to benefit by changingpolynomials more frequently, hence sieving on smaller residues that are more likely to be smooth.The net result is about a factor of 2 speedup.25.3.4.eLarge prime variationsThe sieving procedure of Algorithm 25.14 looks for values of i such that f(i) is B-smooth. It iseasily modified to also find values of i for which f(i) is a B-smooth number times one or more

612 Ch. 25 Compositeness and Primality Testing – Factoringprimes not much larger than B, by lowering the threshold used when inspecting logarithms aftersieving. The extra prime in the factorization of f(i) is called a large prime. If one finds two valuesof i for which f(i) has the same large prime, then the corresponding congruences, which are calledpartial relations, can be multiplied (or divided) together to obtain a new single relation, called a fullrelation, that can be used in the rest of the algorithm.Combined partial relations make the matrix somewhat less sparse. It is a consequence of thebirthday paradox that matches between large primes occur often enough to make this approachworthwhile: indeed, one large prime more than halves the sieving time. Two large primes againhalve the sieving time and A. K. Lenstra claims that a third large prime has again the same effect,see [LEN 2002, § 4.2.5].Large primes can be interpreted as a cheap way to extend the size of the factor base — cheapbecause they are not sieved with — but we cannot allow too many large primes. One reason is thedecrease in sparseness of the matrix in the linear algebra stage. The other reason lies in the way theyare recognized. After the sieving process, all powers of factor base elements are found. Therefore,allowing one large prime requires one primality test per relation after the sieving stage, until oneis found, and then an additional comparison for all subsequent steps (in practice this primality testis not needed for a single large prime since those that are kept are less than B 2 and the residue isnot divisible by any primes up to B, so it must be prime). Allowing a remainder of the form l 1 l 2where l 1 and l 2 are large primes already requires the use of a fast special purpose factoring methodto extract l 1 and l 2 , unless one wants to find l 1 and l 2 first in separate occasions and only thenchecking if they appear – reducing drastically the efficiency of the whole idea. This is practical aslong as the large primes fit in a computer word, so our special purpose factoring method has to splitintegers of size 2 64 . The use of Pollard’s rho method and Lenstra’s ECM have been reported forthis purpose in the literature. The combination of relations having more than one large prime is anintricate task. The basic case of two large primes was done in [LEMA 1994] and later extended tofour and applied to the number field sieve (see Section 25.3.4.g) and to the computation of discretelogarithms.This variation is compatible with the use of multiple polynomials.25.3.4.fSmall prime variationDuring the sieving process (Algorithm 25.14) for collecting relations, the small primes and primepowers take quite a long time to process since about 1/p numbers are divisible by p. In addition,their contribution to the logarithms is smallest. So we do not sieve at all with prime powers less thana carefully chosen threshold, say 100. This makes it necessary to keep numbers whose residual logarithmis further away from zero than usual, but experience shows that this makes little difference:the important thing is to avoid ignoring some smooth numbers, at the expense of having to checkand reject a few more that are not smooth. As a bonus, this might indirectly help in finding somelarge primes.The small and large prime variations can also be used in a parallelized implementation of theMPQS.25.3.4.gThe number field sieveThe number field sieve (NFS) is the fastest general purpose factoring algorithm that has been publisheduntil now.It is based on an idea by Pollard in 1988 to factor numbers of the form x 3 + k for small k.This method was quickly generalized to a factoring method for numbers of the form x d + k, amethod that is currently referred to as the special number field sieve (SNFS) to distinguish it fromthe method used for factoring general integers, called the general number field sieve (GNFS). It

§ 25.3 Factoring 613proved to be practical by factoring the ninth Fermat number F 9 =2 29 +1. It was the first factoringalgorithm with runtime substantially below L n [1/2,c] (for constant c) making cryptosystems basedon the assumed hardness of the integer factorization [ problem at once less secure than thought.The heuristic expected runtime of the NFS is L n 1/3,η] where η =(32/9) 1/3 for the SFNS andη =(64/9) 1/3 for the GNFS. Coppersmith [COP 1993] has slightly improved the complexity of theGNFS to η = 1 3 (92 + 26√ 13) 1/3 at least theoretically.The NFS follows the Morrison–Brillhart approach of collecting relations involving smooth quantities,followed by linear algebra to find congruences among squares. Its better complexity comparedwith previous smoothness based methods is due to the fact that the numbers that are testedfor smoothness are of order n o(1) for n →∞, as opposed to n c for some constant c for the oldermethods. There are several reasons for the practicality of NFS. One is that recomputing roots isvery fast. Another is that polynomial selection allows a lot more freedom and can result in greatspeedups. It also allows relatively easy use of more than two large primes, so that comparably smallfactor bases can be used during sieving [DOLE 1995], although this is not always the case (for instance,the GNFS RSA-130 factor base was 7 times the size of of the MPQS RSA-129 factor base).Initially there was skepticism as to whether this method would be practical, but those doubts havebeen dispelled by a series of remarkable improvements.The content of a polynomial with integer coefficients is the gcd of its coefficients.Suppose n is a composite integer to be factored. It is easy to check whether n is a prime numberor a prime power (using primality tests), so we assume that n is neither.The algorithm has four main phases:Algorithm 25.15 The number field sieveINPUT: A rational integer n.OUTPUT: A nontrivial factor of n.1. Polynomial selectionSelect two irreducible univariate polynomials f(X) and g(X) with content equal to one,which have at least one common root m modulo n – i.e., f(m) ≡ g(m) ≡ 0 (mod n) –but have no common factors over Q.Let α and β denote complex roots of f and g respectively.2. SievingFind pairs (a i,b i) with gcd(a i,b i)=1and such thatF (a i,b i):=b i deg(f) f(a i/b i) and G(a i,b i):=b i deg(g) g(a i/b i)are both smooth with respect to a chosen factor base.3. Linear algebraUse linear algebra to find a set S of indices such that the two productsYs − b sα) ands∈S(a Y (a s − b sβ)s∈Sare both squares of products of prime ideals in Q[α] and Q[β], respectively.4. Square rootUsing the set S, try to find algebraic numbers γ ∈ Q(α) and δ ∈ Q(β) withγ 2 = Y (a s − b sα) and δ 2 = Y s − b sβ).s∈Ss∈S(aConsider now the natural homomorphismsφ α : Q(α) → Z/nZ, α↦→ m and φ β : Q(β) → Z/nZ, β↦→ m,

614 Ch. 25 Compositeness and Primality Testing – Factoringwhere m is the common root modulo n of f and g. The congruence„ Y«φ α(γ) 2 = φ α(γ 2 )=φ α s − b sα) ≡s∈S(as∈S(a Y s − b sm) ≡ φ β (δ) 2 (mod n)has the form (25.1): the two sides will be coprime to n if none of F (a i,b i) and G(a i,b i)for i ∈Sshare a factor with n.Remarks 25.16(i) On the selection of polynomials. A lot of research has been done in order to determinewhat a “good” polynomial is in terms of root properties and coefficient sizes. For adescription of clever algorithms for finding such polynomials, see Murphy’s PhD. Thesison R. Brent’s web page [BRENT]. On the other hand, when n has a very special form thechoice of polynomial is much simpler. For the 162-digit Cunningham number (12 151 −1)/11, which had been factored in 1994 by a group led by Montgomery, the polynomials12X 5 − 1 and X − 12 30 were chosen. For the ninth Fermat number, the polynomialsX − 2 103 and X 5 − 8 were chosen, with common root m =2 103 .In order to make arithmetic faster, one would want to pick f and g so that at least onehas “small” integer coefficients.One common method is the base m method: for a small number d (usually 4 or 5) putm = ⌊n 1/d ⌋ and define f asthemonicdegreed polynomial with the coefficients of thebase m expansion of n. Now f(X) and g(X) =X − m together with m satisfy therequirements, unless f is reducible, in which case it almost surely can yield a nontrivialfactor of n.(ii) On the sieving phase. In the classical sieving method we begin by choosing upperbounds for a and b. Then we start sieving for a with b =1fixed and, when finishedwith a, increase b until we reach its bound. The estimates for the smoothness are doneby approximated logarithms and the values F (a, b), G(a, b) computed from the remainingpairs can then verified by trial division [GOLE + 1994]. Since we already computedthe roots of f and g modulo each p, the first division by p for each candidate is exact.At the end, the smooth value pairs are those that have been replaced in the meantime byapairof + − 1’s.Here one can also use the small and large prime variations to speed up sieving.The expressions F (a, b), G(a, b) are the norms of the algebraic numbers a − bα anda−bβ, multiplied by the leading coefficients of f and of g, respectively. These algebraicnumbers generate ideals in Q(α) and Q(β).InotherwordsinLine2wesieveideals andnot just pairs of integers, by bounding their norms. What we have then is a set of smoothideals. The principal ideals (a − bα) and (a − bβ) factor into products of prime idealsin the number fields Q(α) and Q(β), respectively. All prime ideals appearing in thesefactorizations have small norm (since the norms are assumed to be smooth), so only afew different prime ideals can occur.(iii) On the square root computation. There are various methods to find the square roots inLine 4 of the NFS, the most important being the methods of Couveignes, Montgomeryand improvements to the latter by P. Nguyen. See [ELK 1996, NGU 1998].The interested reader can find more information in one of the excellent surveys on the subject[LELE + 1990, LELE 1993] and the book by Crandall and Pomerance [CRPO 2001].

ÎÁÁRealization of DiscreteLogarithm Systems

Chapter ¾Fast Arithmetic in HardwareKim Nguyen and Andrew WeiglContents in Brief26.1 Design of cryptographic coprocessors 618Design criterions26.2 Complement representations of signed numbers 62026.3 The operation XY + Z 622Multiplication using left shifts • Multiplication using right shifts26.4 Reducing the number of partial products 625Booth or signed digit encoding • Advanced recoding techniques26.5 Accumulation of partial products 627Full adders • Faster carry propagation • Analysis of carry propagation •Multi-operand operations26.6 Modular reduction in hardware 63826.7 Finite fields of characteristic 2 641Polynomial basis • Normal basis26.8 Unified multipliers 64426.9 Modular inversion in hardware 645This chapter describes some aspects of the realization of arithmetic in dedicated hardware environments.It falls naturally into three main parts: the first one introduces some basic criteria applicableto the design of cryptographic hardware, highlighting some of the specific constraints to be observedfor implementations in constrained hardware environments. The second one deals with therealization of multiplication as the main arithmetic operation in hardware, which can be seen as thefoundation of nearly all public-key cryptosystems in use today. The motivation of this part is tointroduce the reader to some of the peculiarities of the implementation of basic arithmetic in constrainedenvironments. In the third part we touch on some topics more relevant to the precedingchapters, i.e., finite field arithmetic and modular inversion in hardware.The main motivation for this dedicated treatment of arithmetic in hardware is that the hardwareenvironments in which elliptic and hyperelliptic curve cryptosystems can be implemented can differdramatically with respect to the computing power available: while a multiprecision arithmetical libraryon a PC can realize fast finite field arithmetic based on the arithmetic core operations providedby the CPU, on a smart card or an embedded device the standard CPU used will not offer sufficientsupport for this. Thus a dedicated piece of hardware will be added in order to offer support for these617

618 Ch. 26 Fast Arithmetic in Hardwarearithmetic operations. In order to make this support as efficiently as possible we need to analyze indetail the realization of the basic arithmetic operations in hardware.This chapter can only give a brief introduction to the main challenges when implementing arithmeticoperations in hardware. The interested reader should refer to the excellent books [KOR 2002]and [PAR 2000] for more details and variants of the implementation of the operations describedhere. Furthermore, these books also introduce important technical concepts that we cannot coverhere (e.g., pipelining).26.1 Design of cryptographic coprocessorsThe main purpose of a cryptographic coprocessor is to accelerate the execution of cryptographicalgorithms either on hardware with otherwise restricted computing power (e.g., on a security controllerused for a smart card or an embedded device) or in situations where an especially highthroughput is required (e.g., when generating digital signatures on a file server, etc.). In this sectionwe want to describe some of the criteria that are important when designing a cryptographic coprocessor.26.1.1 Design criterionsThe main criteria influencing the design of cryptographic hardware come from three different areas:1. algorithmic considerations2. hardware considerations3. application considerationsRemarks 26.1(i) We first look at the algorithmic side. These considerations are of a more general natureand will be of interest to both application scenarios mentioned above.The earliest cryptographic coprocessors were focused on supporting private-key algorithms(e.g., DES or later triple DES). In this case the complete flow of one completeDES operation is modeled in and executed by dedicated hardware.The first cryptographic coprocessors that became available commercially focused on thesupport of the public-key system available at that time, i.e., RSA. It is plain to see thatby offering hardware assistance for modular multiplication XY mod N and modularsquaring X 2 mod N, it is relatively easy to implement the modular exponentiation,which is the core operation of the RSA system.For elliptic or hyperelliptic curves the situation is a little more complicated. This is dueto the higher algorithmic complexity of the operations on an elliptic curve opposed tothe case of RSA. For an elliptic curve coprocessor the main possibilities are:• Supporting atomic finite field operations (e.g., multiplication, addition, subtraction,etc.).• Supporting elementary operations on an elliptic curve or a Jacobian of a hyperellipticcurve (e.g., point addition, point doubling, etc.).• Supporting complex operations on an elliptic curve or a Jacobian of a hyperellipticcurve (e.g., scalar multiplication or the computation of a digital signature).

§ 26.1 Design of cryptographic coprocessors 619(ii) All of these options have their own advantages and disadvantages:• Supporting only atomic finite field operations leaves the implementer with thechoice of different ways to actually implement the arithmetic on elliptic curvesand Jacobians of hyperelliptic curves by choosing, for example, different coordinatesystems, group operation formulas, and scalar multiplication methods. Theimplementer can make maximum use of special arithmetic properties of the underlyingfinite field, the curves or Jacobians used and of cryptographic algorithmsto be implemented, which can lead to significant optimizations with respect toboth performance and security of the implementation. However, this option alsorequires deep insights into the arithmetic and security of the objects involved.• Supporting elementary operations on an elliptic curve narrows down the freedomof the implementer, but on the other hand allows a much easier, high-levelapproachto the implementation of, for example, scalar multiplication or even moreabstract cryptographic algorithms like digital signature algorithms. The flexibilityto make use of special properties is restricted to the higher level of scalar multiplication.Special properties of the underlying finite field or of the elliptic curvecan only be used if these are already built into the existing elementary operationsprovided by the hardware. This option requires a good understanding of the morehigh-level algorithms, but does not require an intimate knowledge of the arithmeticof the underlying curves or Jacobians.• Supporting complete operations on an elliptic curve (e.g., scalar multiplication)allows us to quickly implement high-level cryptographic algorithms like a digitalsignature algorithm or a key exchange without requiring a deep knowledge of theunderlying arithmetic or structures. However, the implementer is not able to makeuse of any special properties that are not already available.(iii) Besides the specific algorithmic constraints imposed upon a cryptographic coprocessor,there are also technological and economical restraints one has to observe, and whichalso influence the design of the coprocessor:• Area consumption: the area and thus the number of gates available for a completesmart card security controller is limited (normally less than 25mm 2 ). Of these25mm 2 almost all is taken up by the different memory blocks. Thus the area availablefor the coprocessor is limited to a few mm 2 . This imposes severe constraintson the complexity of operations that can be implemented in hardware.Furthermore, each additional mm 2 used will increase the price of the IC produced.Thus there are both technological and economical constraints resulting from thearea consumption that will severely influence the architecture of the coprocessor.• Power consumption: the energy available to a smart card or embedded device isusually strictly limited. In contactless mode of operation, the total power can decreaseto only a few mW, which will be another severely limiting factor for thehardware design of a cryptographic coprocessor.(iv) Finally, if there exists a specific application the hardware system is aimed at supporting,this particular application will impose specific requirements and a specific environmentto be used. These will determine the algorithmic and technological constraints applicableand will, finally, determine the architecture of a suitable cryptographic coprocessor.A hardware unit designed for, say, generating fast elliptic curve-based digital signaturesin a server could well consist of a large arithmetic unit capable of multiplying two 256-bit integers in one clock cycle, computing a modular inverse in a 256-bit sized finite field

620 Ch. 26 Fast Arithmetic in Hardwarein only a few clock cycles and performing a complete hard-coded scalar multiplicationon an elliptic curve in a few ms. This is due to the fact that neither restraints in termsof power nor due to area consumption will be applicable in this situation. A securitycontroller designed for a smart card will more likely offer arithmetic support of considerablyless computing power, or will make extensive use of special arithmetic propertiesto offer a performance increase.However, the algorithmic requirements, for example, with respect to the number of digitalsignature computations performed in a given time, will also differ dramatically: whilefor a server application this could easily be something like several hundred per minute,a security controller will most likely be required to generate only one signature duringa cryptographic algorithm, such as, an authentication scheme. Hence its more limitedcomputing power will still be enough to satisfy the performance requirements imposedby the application.We now turn to the technical part. We start by briefly recalling the representation of integers indifferent complement representations.26.2 Complement representations of signed numbersRecall from Section 10.1 that there are several techniques available to represent signed numbers inbinary form. We will concentrate on the so-called complement representation. The name complementrefers to the fact that the negative value −x of a number x is represented as the value M − x,where M is a suitably chosen large complementation constant. If we want to represent numbers inthe range of [−N,+P ] we need that M N +P +1, otherwise we would have an overlap betweenrepresentations of positive and negative numbers. The choice of M = N + P +1will yield themost efficient version available.Remark 26.2 The advantages of complement representation are:• addition can be performed by adding the respective unsigned representations modulo M• subtraction can be performed by complementing the subtrahend and adding the complementedversion.The rules for addition in a complement number system can be summarized as follows:Table 26.1 Operations in complement number systems.Operation Computation mod M Result Overflow if:(+x)+(+y) x + y x + y x + y>P(+x)+(−y) x +(M − y) x − y if y x NAy − x if y>x(−x)+(+y) (M − x)+y y − x if x y NAM − (x − y) if x>y(−x)+(−y) (M − x)+(M − y) M − (x − y) x + y>NIn the most widely used case of ordinary binary representation, the choice of M =2 l is referred toas two’s complement representation, generally known as radix complement.

§ 26.2 Complement representations of signed numbers 621Remarks 26.3(i) Recall from Section 10.1.2 that the computation of the two’s complement can be accomplishedvery easily by inverting bitwise and adding 1.(ii) Note that the choice of M =2 l makes computation modulo M especially easy: if, forexample, a carry is produced in addition, we simply ignore this. Since such a carry isworth 2 l , we thus perform a reduction by 2 l .The range of numbers representable in the two’s complement is given by [−2 l−1 , 2 l−1 − 1]. Thezero element has the (unique) representation0}...{{0}.l timesAnother possible choice of M is to set M =2 l − 1. The representation obtained by this choice ofM is known as the one’s complement or generally as a digit complement. The one’s complement ofa number x can be obtained by bitwise complementation. This is due to the fact that(2 l − 1) − x = x compl .Remarks 26.4(i) In contrast to the two’s complement representation we do not need to add 1, thereforeobtaining the one’s complement is easier than obtaining the two’s complement representation.(ii) However, performing the reduction modulo M is now slightly more complicated: when,for example, performing addition, we have to drop the carry-out corresponding to subtracting2 l from the result. We also have to produce a carry-in at position 0 which will,together with the dropped carry-out, produce a reduction by 2 l − 1. Note that in hardwarethe new carry-in could be produced by feeding the carry-out from position l − 1into the carry-in at position 0. This technique is referred to as end-around carry.The range of numbers in the one’s complement is [−(2 l −1), 2 l −1], which is symmetric in contrastto the range of numbers represented by the two’s complement system. In contrast to the two’scomplement system, where zero had a unique representation, in the one’s complement we obviouslyhave two representations0 ... 0} {{ }l timesand 1}...{{1},l timeswhich are both valid.A comparison of radix and digit complement is given in Table 26.2.Which system is to be preferred? It turns out that the two’s complement representation is thestandard representation in almost all systems. The biggest disadvantage of two’s complement mightbe the more complicated way of actually obtaining the complement representation of a number x.However, the most interesting application of a complement representation will be the performanceof subtraction by actually performing an addition.In this application the addition of the two’s complement of a number X can be achieved byinverting all the bits of X and setting the carry-in at position 0 to 1. Hence subtraction can beperformed as an addition with building the two’s complement on the fly.We will assume that some sort of complement representation is used, thus we will not deal explicitlywith the topic of subtraction in what follows.

622 Ch. 26 Fast Arithmetic in HardwareTable 26.2 Comparison of radix and digit complement.Property Radix complement Digit complementRange of numbers represented Asymmetric SymmetricUnique zero Yes NoObtaining the complement Bitwise complement, add 1 Bitwise complementAddition modulo M Drop carry-out End-around carry26.3 The operation XY + ZContrary to the relatively high mathematical complexity of the topics of the previous chapters, thefirst question we want to address is a rather basic one: how to multiply two integers of fixed sizeefficiently using elementary operations? In Chapter 10 the main algorithms needed to implementmultiprecision integer arithmetic were presented. Even in this presentation the core operation ofmultiplying two elements u and v, both not larger than the base b, was assumed as given.It is the aim of this section to precisely explain this operation, i.e., to explain the fundamentals ofrealizing the multiplication operation in hardware.Example 26.5 We consider the elementary multiplication method as it was described in Example10.10. The two values to be multiplied are u = (9712) 10 and v = (526) 10 . Recall that the mainarithmetic operations used in order to compute u × v = 5108512 were the computation of the threeproducts 9712 × 6, 9712 × 20, 9712 × 500 and the addition of the intermediate results.The first point of relevance for a hardware implementation is that the operation 9712 × 20 canbe rewritten as 9712 × 2 × 10, where in decimal representation the multiplication by 10 can berealized by a left shift of the decimal representation of 9712 × 2. The same argument applies for themultiplication 9712 × 500 where a double left shift needs to be performed.Thus we obtain the following steps:• first partial product is 9712 × 6 = 58272• second partial product is 9712 × 2 = 19424• third partial product is 9712 × 5 = 48560• shift second partial product one position to the left 9712 × 2 × 10 = 194240• shift third partial product two positions to the left 9712 × 5 × 100 = 4856000• obtain first intermediate sum 9712 × 6 + 9712 × 20 = 252512• obtain second final result 252512 + 4856000 = 5108512.Example 26.6 Consider the case of a 6 × 6 multiplication using the schoolbook method. Themost straightforward way of arranging the partial products as given in the algorithm above has thegraphical representation shown in Figure 26.3.Remarks 26.7(i) Taking a look at these two simple examples in a more abstract way we see that theprocess of multiplication falls into two main steps:• The first step generates a number of intermediate results, i.e., partial products derivedfrom the two multiplicands X and Y .

§ 26.3 The operation XY + Z 623• In the second step, the final result is produced by adding all the intermediate partialproducts generated. This step is totally independent of the two multiplicands.(ii) As surprising as it may be, this is exactly what happens in a hardware implementation ofmultiplication, and thus the two steps described above are the main challenges one hasto overcome in order to implement an efficient multiplication method.Figure 26.3 Schoolbook multiplication of two 6-digits numbers.11 10 9 8 7 6 5 4 3 2 1 0• • • • • •• • • • • •• • • • • •• • • • • •• • • • • •• • • • • •• • • • • • • • • • • •Goal 26.8 The main goal of this section is to show that the efficient realization of multiplication inhardware needs to solve the following main tasks:• efficiently generate partial products• efficiently compute the sum of several integers.As it was pointed out before, the standard method of performing a multiplication of two singleprecision integers X and Y is a sequential algorithm generating partial products and accumulatingthese correctly shifted partial products in order to obtain the final result.Now we give a more detailed explanation of this elementary method.The correct alignment of the partial products can be accomplished using either left or right shifts.We will explain these two fundamental methods in the following two sections.26.3.1 Multiplication using left shiftsThe following algorithms describe a simple multiplication using left shifts.Algorithm 26.9 Sequential multiplication of two integers using left shiftINPUT: Single precision integers X =(x l−1 ...x 1x 0) 2 and Y =(y l−1 ...y 1y 0) 2.OUTPUT: The product P = XY =(p 2l−1 ...p 1p 0) 2.1. P (0) ← 02. for i =0 to l − 1 do3. P (i+1) ← (2P (i) + x l−i−1 Y )4. return P (l)

624 Ch. 26 Fast Arithmetic in HardwareExample 26.10 Consider the multiplication XY where X = (101) 2 and Y = (111) 2 . We obtainthe following sequence:P (0) 0 0 0 0 0 02P (0) 0 0 0 0 0 0x 2 Y 1 1 1P (1) 0 0 0 1 1 12P (1) 0 0 1 1 1 0x 1 Y 0 0 0P (2) 0 0 1 1 1 02P (2) 0 1 1 1 0 0x 0 Y 1 1 1P (3) 1 0 0 0 1 126.3.2 Multiplication using right shiftsBy using right shifts we obtain the following algorithm:Algorithm 26.11 Sequential multiplication of two integers using right shiftINPUT: Single precision integers X =(x l−1 ...x 1x 0) 2 and Y =(y l−1 ...y 1y 0) 2.OUTPUT: The product P = XY =(p 2l−1 ...p 1p 0) 2.1. P (0) ← 02. Y ← 2 l Y3. for i =0 to l − 1 do4. P (i+1) ← (P (i) + x iY )2 −15. return P (l)Example 26.12 We again consider the multiplication XY where X = (101) 2 and Y = (111) 2 .We obtain the following sequence:P (0) 0 0 0 0 0 0x 2 Y 1 1 12P (1) 1 1 1 0 0 0P (1) 0 1 1 1 0 0x 1 Y 0 0 02P (2) 0 1 1 1 0 0P (2) 0 0 1 1 1 0x 0 Y 1 1 12P (3) 1 0 0 0 1 1P (3) 1 0 0 0 1 1

§ 26.4 Reducing the number of partial products 625Remarks 26.13(i) The right shift algorithm only uses l-bit addition, while in contrast to this the left shiftalgorithm has to use 2l-bit addition in order to properly accumulate the partial products.Hence the right shift algorithm is more efficient to implement in hardware.(ii) Inspection of the right shift algorithm yields that the output after l steps is equal toP (l) = XY + P (0) 2 −l . Therefore by setting P (0) to the value 2 l Z where Z has l bits,we see that we are able to compute XY + Z with nearly no extra costs compared to thenormal multiplication XY .Since the multiplication operation falls into two main parts (generation and addition of partial products),the reduction of the number of partial products generated and the acceleration of the accumulationof these partial products or, preferably, a combination of these two ideas, will obviously leadto a speedup. We will discuss these ideas in the following sections.26.4 Reducing the number of partial productsOne way of reducing the numbers of partial products would be to examine more than one bit of themultiplier in one step, but this would require the generation of Y, 2Y, 3Y,... which would increasethe complexity of each single step.There are several algorithms that reduce the number of partial products while still keeping thelow complexity of the simple algorithm in each step. One of the first and most prominent is Booth’salgorithm, also known as signed digit encoding.26.4.1 Booth or signed digit encodingThe main observation is that fewer partial products can be generated for groups of either consecutiveones or zeroes. If a group of consecutive zeroes appears, there is no need for the multiplier togenerate a new partial product, we simply have to shift the accumulated partial product one step tothe right or left (according to which basic algorithm you use) for every 0 appearing in the multiplier.The procedure just described above is also referred to as recoding the multiplier in SD (signed digit)representation. The algorithm below gives the original formulation of Booth’s algorithm.Algorithm 26.14 Recoding the multiplier in signed-digit representationINPUT: A multiplier X =(x l−1 ...x 1x 0x −1) 2 with x −1 =0 and x l =0.OUTPUT: The recoded multiplier Y =(y l−1 ...y 1y 0) s of X.1. for i = −1 to l − 1 do2. if x i+1 =0 and x i =0 then y i+1 =03. if x i+1 =1 and x i =1 then y i+1 =04. if x i+1 =1 and x i =0 then y i+1 = ¯15. if x i+1 =0 and x i =1 then y i+1 =16. return (y l−1 ...y 1y 0) sNote that given x i+1 and x i , the computation of y i+1 can be represented by the formulay i+1 = x i − x i+1 .

626 Ch. 26 Fast Arithmetic in HardwareRemark 26.15 There are two major drawbacks of this SD recoding technique:1. The number of add or subtract operations is variable, as is the number of shift operationsbetween two consecutive add or subtract operations. This can pose a serious problemin a synchronous design where the steps of an algorithm have to be performed in afixed specified order and where input values from intermediate steps are expected at afixed point in time. In order to deal with varying computing time needed to generateintermediate values, one would need to store other values in internal memories knownas latches in order to keep them available in all cases. This will lead to an increasedpower and area consumption and to a higher overall complexity of the hardware designand is thus best avoided.2. The signed digit recoding can be very inefficient when isolated 1’s occur.Example 26.16 Consider the binary number X = (001010101) 2 . A multiplication with X can berealized using four additions. Using the SD recoding algorithm given above we obtain(001010101(0)) 2 =(01¯11¯11¯11¯1) s ,as recoding for X implies that, by using the recoded multiplier, we need eight instead of fouradditions.Inspecting more than two bits at a time can lead to significant performance gains (see a similarsigned digit recoding technique introduced in Section 9 in order to speed up generic scalar multiplicationin a group). The following section looks at two possible algorithms especially suitable forhardware implementation.26.4.2 Advanced recoding techniquesTaking into consideration three consecutive bits at a time, the bits x i+1 and x i are recoded into y i+1and y i while x i−1 has to be inspected as well. We call this Radix-4 SD recoding:Algorithm 26.17 Recoding the multiplier in radix-4 SD representationINPUT: A multiplier X =(x l−1 ...x 1x 0x −1) 2 where x −1 =0.OUTPUT: The recoded multiplier Y =(y l−1 ...y 1y 0) s of X.1. for i =0 to l − 1 do2. if x i+1 =0 and x i =0 and x i−1 =0 then y i+1 =0and y i =03. if x i+1 =0 and x i =1 and x i−1 =0 then y i+1 =0and y i =14. if x i+1 =1 and x i =0 and x i−1 =0 then y i+1 = ¯1 and y i =05. if x i+1 =1 and x i =1 and x i−1 =0 then y i+1 =0and y i = ¯16. if x i+1 =0 and x i =0 and x i−1 =1 then y i+1 =0and y i =17. if x i+1 =0 and x i =1 and x i−1 =1 then y i+1 =1and y i =08. if x i+1 =1 and x i =0 and x i−1 =1 then y i+1 =0and y i = ¯19. if x i+1 =1 and x i =1 and x i−1 =1 then y i+1 =0and y i =010. return (y l−1 ...y 1y 0) s

§ 26.5 Accumulation of partial products 627Remarks 26.18(i) Again we note that a simple formula is the basis of this recoding technique; first computingx i + x i−1 − 2x i+1and then representing this result as a 2-bit binary number in SD representation givesy i+1 and y i as required.(ii) Using this algorithm, the occurrence of an isolated 1 or 0 no longer poses a problem,since if x i is an isolated 1, we have y i =1and y i+1 =0, hence there is only a singleoperation needed. Also, in the situation 101, wehavey i =0and y i−1 = ¯1, soagainonly one single operation is needed.Example 26.19 Let us again consider (01010101(0)) 2 . We see that this is recoded as (01010101) s ,hence the number of operations remains four. However, if we consider (00101010(0)) 2 we see thatthis is recoded to (010¯10¯1¯10) s , which implies that the number of operations required goes up tofour by the recoding process.However, the number of patterns for which this phenomenon occurs is relatively small and theincrease in the number of operations is minimal. Using the radix-4 SD representation it is possibleto design a synchronous multiplier generating exactly l/2 partial products.Remark 26.20 Note that all the multiples required by this encoding scheme can be generated usingsimple shift operations on the multiplicand (in order to obtain 2Y ) and the two’s complementrepresentation (in order to obtain −Y and −2Y ).Remark 26.21 We can take this even further by changing the SD representation from radix-4 toradix-8, which needs only l/3 partial products.Now we have to investigate 4 consecutive bits of the multiplier for encoding. Each partial productgenerated by this radix-8 encoded multiplier will come from the set { + − 4Y, + − 3Y, + − 2Y, + − Y,0}.As in the case of radix-4 encoding, the elements + − 4Y and + − 2Y can be generated using shiftoperations and the two’s complement. However, using these operations, it is not possible to generatethe elements + − 3Y using these operations (therefore the element 3Y is sometimes referred to as thehard multiple). In order to generate it, a full carry propagate addition is required. Fortunately,we will not need the most general kind of adder (as described below), since an adder especiallydesigned for the operation Y +2Y will suffice.26.5 Accumulation of partial productsOnce we have produced all the partial products needed for the multiplication operation, we have toaccumulate them in order to obtain the final result. Obviously this fast accumulation will also speedup the overall multiplication process.We start by giving an overview over the existing types of adders that can be used.26.5.1 Full addersA full adder (FA) is a logic circuit producing a sum bit s i and a carry bit c i+1 from two input bitsx i ,y i and an input carry bit c i . The output bits s i and c i+1 are given by the equationss i = x i XOR y i XOR c i , c i+1 = x i ∧ y i + c i ∧ (x i ∨ y i ).

628 Ch. 26 Fast Arithmetic in HardwareHere x XOR y refers to exclusive disjunction, x ∧ y to logical conjunction AND and x ∨ y to logicaldisjunction OR. Addition of two n-bit operands can be accomplished using n full adders by thefollowing algorithm.Algorithm 26.22 Addition using full addersINPUT: Operands X =(x n−1 ...x 1x 0) 2 and Y =(y n−1 ...y 1y 0) 2.OUTPUT: The sum X + Y =(s n−1 ...s 1s 0) 2 and a carrybit c.1. for i =0 to n − 1 do2. c 0 ← 03. s i,c i+1 ← FA(x i,y i,c i)4. return (s n−1 ...s 1s 0) 2 and the carrybit c nRemarks 26.23(i) Although we have all the bits of the operands available from the very beginning of thealgorithm, the carries have to propagate from j =0until j = i in order to produce thecorrect sum s i and carry c i+1 . Hence we have to wait until the carry ripples through allthe stages of the algorithm before we can be sure that we have obtained the correct finalresult.(ii) The adder at level i =0will always see the incoming carry c 0 =0, so it can be replacedby a simpler adder called a half adder (HA), which produces s 0 and c 1 froms 0 = x 0 XOR y 0 , c 1 = x 0 ∧ y 0 .(iii) It might be necessary to keep the incoming carry c 0 as a variable, if we want to be ableto perform not only addition but also subtraction using the same setup. Subtraction intwo’s complement is accomplished by complementing the subtrahend and then addingit to the minuend. Therefore we add the one’s complement of the subtrahend and use aforced carry as input to the FA at level 0 by setting c 0 =1.(iv) A system of full adders imposes a carry propagation chain of length n when adding twon-bit numbers. This is the main obstacle we have to overcome in order to achieve asignificant speedup for addition.Two ideas come to mind immediately: to reduce the time the carry needs for propagation and tochange the system in such a way that enables us to see whether the carry propagation is finishedinstead of waiting for a fixed time of n∆ FA where ∆ FA is the delay of a full adder.We will develop these ideas in the next sections26.5.2 Faster carry propagation26.5.2.aCarry-look-ahead addersOne of the most well-known techniques available to accelerate the carry propagation is the use of acarry-look-ahead adder.The basic idea behind this type of adder is to simultaneously generate the carries at higher levelsinstead of waiting for the carry of level 0 to ripple through the system.

§ 26.5 Accumulation of partial products 629Remarks 26.24(i) We first note that in some situations the output carry c i+1 is already known from theinput bits x i and y i , namely in the situation where x i = y i =1. In this case the outputcarry c i+1 =1can be computed immediately.(ii) If x i =1and y i =0or x i =0and y i =1, then an incoming carry can only bepropagated. It will not be annihilated, neither can an outgoing carry be generated.(iii) Conversely, if x i = y i =0, an incoming carry will be annihilated.In order to be able to make use of this information, we define two more variables G iand P i , which are called generated carry and propagated carry. They are defined by thefollowing equations:G i = x i y i , P i = x i + y i .Now the outgoing carry can be expressed as a function of G i , P i and c i as follows:c i+1 = x i y i + c i (x i + y i )=G i + c i P i .Since also c i = G i−1 + c i−1 P i−1 we obtainc i+1 = G i + G i−1 P i + c i−1 P i−1 P i .(iv) We can go on inductively until we obtain an expression for c i+1 , which is only dependenton G j ,P j for j i and c 0 . Thus we are able to compute all the carries c i in parallelfrom the input bits (x n−1 ...x 1 x 0 ) 2 and (y n−1 ...y 1 y 0 ) 2 .Example 26.25 Consider a 4-bit adder. Here the carries are:Remarks 26.26c 1 = G 0 + c 0 P 0c 2 = G 1 + G 0 P 1 + c 0 P 0 P 1c 3 = G 2 + G 1 P 2 + G 0 P 1 P 2 + c 0 P 0 P 1 P 2c 4 = G 3 + G 2 P 3 + G 1 P 2 P 3 + G 0 P 1 P 2 P 3 + c 0 P 0 P 1 P 2 P 3 .(i) What do we gain in comparison to a carry-ripple adder if we use a full n-stage carrylook-aheadadder?• For each stage we have a delay of ∆ G , which is needed in order to generate the P iand G i . Assuming a two-level gate implementation of the formulas for the carriesc i given above we need 2∆ G to generate all the carries c i .• Furthermore, we need another 2∆ G to generate the sum bits in a two-level implementation.• Therefore we have a total time of 5∆ G for the whole addition regardless of thelength n of the operands.(ii) Consulting the above example we see that for typical values like n =32we will needan enormous number of gates. Even worse, we will have n +1gate inputs. Thus wehave to balance the range of carry-look-ahead adders (and hence the complexity of theimplementation we use) against the speedup factor we want to achieve.26.5.2.bCarry-look-ahead adders arranged in groupsOne of the techniques available to deal with the problems just described is the following one: wedivide the stages of the total addition process into several groups, where each group will have aseparate carry-look-ahead adder. The different groups are then connected in carry-ripple fashion. Anatural way of doing this is to form groups of the same size.

630 Ch. 26 Fast Arithmetic in HardwareRemarks 26.27(i) A commonly used option is to divide the complete n-level structure into groups of size4, hence there will be n/4 groups (assuming that n is a multiple of 4, which is the casefor all common word sizes).(ii) The propagation of a carry through one group is 2∆ G , once the inputs P i , G i and c 0 areavailable. If ∆ G is needed in order to generate all P i and G i ,then(n/4)2∆ G is spent onpropagating the carry through all levels and finally 2∆ G is needed in order to computethe sum bits.(iii) In total we have a timing of(2 n ) ( ) n4 +3 ∆ G =2 +3 ∆ G ,which is about four times faster in delay than the delay of 2n∆ G needed in the case of an-level carry-ripple adder.Remark 26.28 We can further improve on this situation if we also apply the idea of carry-lookaheadto the n/4 groups we used.In order to achieve this we introduce a group-generated carry G ∗ and a group-propagated carryP ∗ by setting G ∗ =1, if we have an outgoing carry (for the whole group) and P ∗ =1,ifwehavean incoming carry that is propagated internally to an outgoing carry of the group.If we assume a group size of four bits, we have the following expression:G ∗ = G 3 + G 2 P 3 + G 1 P 2 P 3 + G 0 P 1 P 2 P 3 , P ∗ = P 0 P 1 P 2 P 3 .Now we use this to combine several groups not in a carry-ripple but in a carry-look-ahead way,obtaining a so-called carry-look-ahead generator.26.5.2.cConditional-sum adders and carry-select addersWhile carry-look-ahead adders produce the actual incoming carry bits for all levels, we can also tryto base a system on the idea of dealing with the case that the incoming carry is either set or not setsimultaneously, which leads to the so-called carry-select adders or conditional-sum adders.Assume that we generate two outputs for a set of m input bits, whereby each output consists ofasetofm sum bits and one carry bit. Now one set will be computed based on the assumption thatthe incoming carry to the system will be set, while the other set is based upon the fact that it is notset. Of course, once we know the value of the incoming carry we do not need to compute the outputof the adder; we just have to select the correct output from the two choices available. As before, wewill form subgroups of k operations.Example 26.29 To illustrate this, assume that we divide 2m input bits into two groups of sizek = m each. While the lower m bits will be summed up directly, resulting in an m-bit sum and anoutgoing carry c, the higher m bits are summed up, generating two outputs, one corresponding toc =0and the other corresponding to c =1.An adder using this approach will be called a carry-select adder.Example 26.30 It is possible to take this approach even further and to divide the groups of size kinto further subgroups:Assume for example that n is a perfect power of two, then we could divide the n bits into twogroups of size n/2 each.This could then be continued in an inductive fashion so that in the end we would reach a groupsize of 1. In this case we would need k =lgn steps.

§ 26.5 Accumulation of partial products 631Remark 26.31 Comparing the conditional-sum adder to a carry-save adder, both have about thesame execution time. However, the design of a conditional-sum adder is considerably less modularthan the carry-lookahead adders described above. They are therefore more to difficult to adapt tolarger input sizes.26.5.2.dCarry-skip addersYet another way of reducing carry propagation time is the carry-skip adder. The main observationhere is that in certain stages of addition no carry propagation can occur, namely in the situationwhen we have x j ≠ y j or equivalently P j = x j XOR y j =1. Thus, several consecutive steps canbe skipped for carry propagation as long as we have P j =1.How can we make use of this in an n-level addition? Again we divide this addition into severalconsecutive stages, where each stage is built in carry-ripple fashion. However, if we have P j =1for all the internal stages, we allow the incoming carry to this group to skip all the internal levelsand to generate a group-carry-out immediately.Suppose we have a group consisting of the k bits in position j, j +1,...,j+ k − 1. Wethenhavethe incoming Group-Carry-in and an internal normal carry c j+k at level j + k − 1. These allow theGroup-Carry-out to be expressed asGroup − Carry − Out = c j+k +Group− Carry − In × (P j × P j+1 ×···×P j+k−1 ).The values of the P j can be computed simultaneously at the beginning of the process.Remark 26.32 What is the optimal value for the group-size k?In order to compute this we assume that all groups will have the same size k and that n/k is aninteger. We relate the time t r a carry needs to ripple through a single stage of a group to the timet s that is needed to skip a group of size k. The longest carry-propagation time one could imagineoccurs when a carry is generated in the first level, skips all the following steps till the last one andthen ripples through the last step.The execution time for this comes down toT =(k − 1)t r +(k − 1)t r +(n/k − 2)(t s + t b )where t b denotes the time needed to combine the internal carry with the skipped carry. Assumingwe have an implementation in which t r = t s + t b =2∆ G for the gate delays, we obtainT =(2k + n/k − 4) × 2∆ G .This expression is minimized if we choose k to be equal tok = √ n/2.26.5.3 Analysis of carry propagationA natural question to ask is what the typical length of carry-propagation in an addition of two n-bitnumbers is. More precisely, we call a carry-chain the sequence of positions starting with generationand ending with absorbing or annihilating the carry. Thus a carry-chain of length zero correspondsto no generation of a carry, while a carry-chain of length 1 corresponds to immediate absorbing ofthe carry in the next position.

632 Ch. 26 Fast Arithmetic in HardwareTable 26.4 Probabilities concerning carry propagation.EventProbabilityGeneration of carry 1/4Annihilation of carry 1/4Propagation of carry 1/2Remarks 26.33(i) Considering binary numbers with random values, the different cases of carry propagationare summarized in Table 26.4.(ii) Now consider the probability that a carry generated at position i is propagated up toposition j − 1 and annihilated at position j: itisgivenby2 −(j−i−1) × 1/2 =2 (j−i) .The expected length of a carry chain starting at position i is therefore given byn−1∑j=i+1(j − i)2 −(j−i) +(n − 1)2 −(n−1−i) =n−1−i∑l=1l2 −l +(n − i)2 −(n−1−i)= 2− (n − i +1)2 −(n−1−i)+(n − i) −(n−1−i)= 2− 2 −(n−i−1) ,where the identity ∑ pl=1 l2−l =2− (p +2)2 −p was used. The term (n − i)2 −(n−1−i)represents the fact that the carry has to stop at the last position n (since we consider nbit numbers).(iii) So in the case that i is much smaller than n the expected length of the carry-chain is 2.Remark 26.34 Another question is what length the longest carry-chain occurring in the addition oftwo n-bit numbers on average will be. A celebrated result by Burks, Goldstine and von Neumannstates that this value is given by lg n (see [BUGO + 1946]).Theorem 26.35 On average, the longest carry chain when adding n-bit numbers has length lg n.Proof. Let η n (h) denote the probability that the longest carry-chain in n-bit addition is of lengthat least h. The probability of the longest carry-chain being exactly of length h is then given byη n (h) − η n (h +1). We can use recursive techniques in order to compute η n (h).How can a carry-chain of length at least h be generated? There are two ways in which this canhappen:1. The least significant n − 1 bits have a carry-chain of length at least h.2. If the above condition is not met, the most significant h bits, including the last bit, havea carry-chain of (exact) length h.We thus obtain thatη n (h) η n−1 (h)+ 1 4 × 2−(h−1) (26.1)where 1 4 and 2−(h−1) correspond respectively to the carry generation and the carry propagation ofexactly h − 2 steps. The inequality (26.1) in fact implies that η n (h) η n−1 (h)+2 −(h+1) holds.

§ 26.5 Accumulation of partial products 633Assuming η i (h) =0for iγ,thus obtainingλ =n∑η n (h) h=1< γ +2 −(γ+1) k.γ∑1+h=1n∑h=γ+12 −(h+1) nNow we write γ =lgn − 1 − ɛ where ɛ =lgn −⌊lg n⌋, and obtainλ

634 Ch. 26 Fast Arithmetic in Hardware26.5.4.aCarry-save addersThe idea behind carry-save adders is to use a redundant representation of the sum of the input vectorsin the form S + C, where only one carry propagation is needed when adding S and C in the end.Remark 26.37 In the case of three inputs mentioned before, the easiest way of implementing acarry-save adder is to use a full adder with three 1-bit inputs x, y,andz, which generates the outputvalues s and c given bys =(x + y + z) mod2 and c = ( (x + y + z) − s ) /2.Figure 26.5 illustrates how this principle applies to the case of three 6-bit inputs.Figure 26.5 A carry-save adder for three 6-bit inputs X,Y and Z.X • • • • • •Y • • • • • •Z • • • • • •S • • • • • •C • • • • • •We refer to this principle as a (3, 2)-counter, since the output essentially represents the weightedbinary representation of the number of 1’s in the inputs.Afulln-bit carry-save adder consists of n copies of a (3, 2)-counter acting in parallel withoutlinks between their carry outputs. In order to obtain the final result we need to add the n-bit sumvector and the carry vector together, using a standard two operand adder as described before.Note that the carry output has to be shifted before it is added to the n-bit sum.Example 26.38 Consider X = (100000) 2 , Y = (010101) 2 and Z = (111111) 2 with X +Y +Z =(1110100) 2 . The carry-save adders generate the sum and carry bits as follows:Hence the final adder obtains the resulti X i Y i Z i Sum bit Carry bit0 0 1 1 0 11 0 0 1 1 02 0 1 1 0 13 0 0 1 1 04 0 1 1 0 15 1 0 1 0 1S 0 0 1 0 1 0C 1 1 0 1 0 1 01 1 1 0 1 0 0implying that the value of the sum is (110100) 2 and that the carry bit is set.

§ 26.5 Accumulation of partial products 635Figure 26.6 Addition of four 4-bit operands using carry-save adders.CSACSACPA26.5.4.bAccumulation of partial products using carry-save addersWe will now explain how carry-save adders can be used to accumulate up to n partial productsgenerated in a (n × n)-bit multiplication.In general, we will have the following architecture: partial products will be generated as describedabove (see section 26.4) and will then be fed into a tree architecture, accumulating them in carrysaverepresentation. Finally a carry-propagation adder will convert the result of the reduction treefrom carry-save representation to normal binary representation.Example 26.39 In the most simple form we assume that all the n multiples of the multiplicand aregenerated at once. Then we would use n-input carry-save adder to reduce the n partial products totwo operands for the final addition.This could be accomplished using (n − 2) carry-save adder units and 1 carry-propagation adder.Normally, one would expect that one has to use (n − 1) carry-save adders, however, note that thefirst counter compresses three partial products.A typical arrangement for the addition of the four 4-bit numbers x, y, z, and w with the 5-bit sumS is shown in Figure 26.6.There are much more efficient ways of setting up the carry-save adders, which result in a muchhigher performance. The most common solutions are the Wallace tree and Dadda tree.Remark 26.40 A k-input Wallace tree reduces its knbit entries to two outputs of size(n +lgk − 1).

636 Ch. 26 Fast Arithmetic in HardwareFigure 26.7 shows an example of a Wallace tree adding 7 numbers, each of size n bits.Note that some of the outputs of the carry-save adders have to be shifted before they are addedagain. By [i, j] we denote that the (j − i +1)bit output is fed into the next block as bit i up to andincluding bit j.Figure 26.7 A Wallace tree for the addition of seven n-bit numbers.[0,n-1] [0,n-1] [0,n-1] [0,n-1] [0,n-1] [0,n-1] [0,n-1]n-bit CSAn-bit CSA[1,n][0,n-1] [1,n] [0,n-1]n-bit CSA[1,n][0,n-1]n-bit CSA[2,n+1][1,n][1,n-1]n-bit CSA[2,n+1][2,n+1][1,n+1]n-bit CPAk+2 [2,n+1] 1 0Remarks 26.41(i) We have the following recurrence for the smallest possible height h(k) of a k-inputWallace tree:h(k) =1+h(⌈2k/3⌉)which is easily deduced using the fact that each carry-save adder reduces the number ofoperands by a factor of 3/2. By applying this recurrence we can obtain the exact heightof an k-input Wallace tree, while setting h(k) =1+h(2n/3) enables us to obtain a

§ 26.5 Accumulation of partial products 637lower bound for h(k) given byh(k) log 3/2 (k/2),where equality holds for k =2, 3.(ii) Conversely we can also compute the maximal number of inputs n(h) for a Wallace treeof given height. Again we obtain a recurrence relation for this given byn(h) =⌊3n(h − 1)/2⌋.By removing the floor operation, we obtain an upper bound for n(h) given by n(h) 2(3/2) h and a lower bound n(h) > 2(3/2) h−1 .(iii) The number of levels needed for a k operand addition using Wallace trees is shown inthe following table:Number of levels needed for given number of operandsOperands 3 4 5 k 6 7 k 9Levels 1 2 3 410 k 13 14 k 19 20 k 28 29 k 42 43 k 635 6 7 8 9(iv) The general philosophy in the Wallace adder is to reduce the number of operands asquickly as possible, therefore we apply ⌊m/3⌋ full adders to m dots in one column.This means that we make the final carry-propagation adder as small as possible, whichin turn will lead to the minimal possible delay at this stage.Another philosophy is that of the Dadda tree. The Dadda tree aims at reducing the number ofoperands, thus using the fewest possible number of full and half adders. In general, this means thatthe carry-save adder tree will be simpler in the Dadda arrangement, while the final carry-propagationadder will be larger.Example 26.42 We consider the case of multiplication of two 4-bit numbers.When using the conventional algorithm from Section 26.3.1, we would obtain the partial productsin the following form:6 5 4 3 2 1 0• • • •• • • •• • • •• • • •We can rearrange these elements in the following way:6 5 4 3 2 1 0• • • • • • •• • • • •• • ••

638 Ch. 26 Fast Arithmetic in HardwareTable 26.8 Wallace tree for 4 × 4 multiplication.1 2 3 4 3 2 1FA FA FA HA1 3 2 3 2 1 1FA HA FA HA2 2z2}| {2 1 1 14-bit adder1 1 1 1 1 1 1 1Table 26.9 Dadda tree for 4 × 4 multiplication.1 2 3 4 3 2 1FA FA1 3 2 3 2 1 1FA HA HA FA2 2z2}|2 1{2 16-bit wide CP adder1 1 1 1 1 1 1 1The Wallace tree design for accumulating these partial products is shown in Table 26.8, where FAdenotes a full adder, HA a half adder, and the integers represent the numbers of bits remaining inone column. In the Dadda tree the structure described in Table 26.9 is used.Note that in the Wallace tree we use 5 full adders, 3 half adders, and a 4-bit carry-propagationadder. In the Dadda tree we use 4 full adders, 2 half adders and a 6-bit carry-propagation adder. See[KOR 2002] for more details on these examples.Remark 26.43 Since we gave an example for a 7-operand Wallace tree above, it is instructive to alsoshow how this example may be applied in a 7 × 7 multiplication. This is shown in Figure 26.10.Note that in contrast to the simple addition of 7 operands as shown in Figure 26.7, in this situationwe have also to deal with shifted results due to the structure of the partial products generated. In totalwe have 14 positions for the product value. At the top level, the 7 partial products corresponding topositions [0, 6], [1, 7] up to [6, 12], are fed into the carry-save adder tree.In contrast to the standard addition of 7 operands of 7 bits each, we have to use a 10 bit widecarry-save adder and a 10-bit wide carry-propagation adder in the last two levels of the tree.26.6 Modular reduction in hardwareMost of the modular reduction techniques described in Section 10.4 are directly applicable to hardwareimplementations. Note that, in general, interleaved multiplication and reduction methods asdescribed in Algorithm 11.1 will be preferred for implementation in hardware since they guaranteethat the intermediate result will not require significant register space to be stored.Hardware implementations of modular reduction will favor techniques that allow an easy determinationof the reduction factor for the intermediate results. For example, Montgomery multiplication,which is probably the most used algorithm for hardware implementations, (cf. Section 10.4.2) for

§ 26.6 Modular reduction in hardware 639example, reduces this task to a simple lookup of the most significant word of the intermediate result,which can be be realized very efficiently in hardware.As pointed out before, modular reduction implementations in hardware will most likely use aninterleaved multiplication-reduction approach, since this guarantees that the bit size of the intermediateresults can be stored in registers not much larger in size than the size of the input variables.One should note that there exist many different possibilities to realize a word-wise interleavedmultiplication-reduction algorithm. All these are equivalent from an algorithmic point of view, butcan differ greatly with respect to the suitability of implementation in hardware.Figure 26.10 Carry-save adder tree for 7 × 7 multiplication.[0,6] [1,7] [2,8] [3,9] [4,10] [5,11] [6,12]7-bit CSA7-bit CSA[2,8][1,8] [5,11] [3,11][2,8][6,12]7-bit CSA[3,12]7-bit CSA[3,9][2,12][3,12]10-bit CSA[4,13][3,12][4,12]10-bit CPAIgnore [4,13] 3 2 1 0Remark 26.44 Considering Montgomery reduction, Acar, Kaliski, and Koç have carefully analyzedthe different ways of implementation in [KOAC + 1996]. They classify algorithms according towhether multiplication and reduction are separated or interleaved, where the interleaving can beeither coarse-grained or fine-grained, depending on how often multiplication and reduction alternate(i.e., after processing an array of words, or just one word). Furthermore, they consider two generalforms of multiplication and reduction, one form being the operand scanning, where an outer loop

640 Ch. 26 Fast Arithmetic in Hardwaremoves through words of one of the operands, while the other form considered is product scanning,where the loop moves through words of the product itself. This second aspect is independent fromthe first; moreover, it is also possible for multiplication to have one form and reduction to have theother form, even in the integrated approach.Acar, Kaliski, and Koç come up with five variants and evaluate these according to the number ofelementary multiplications, additions, and read- and write-operations, as well as the memory spaceused by the algorithm.Based on implementations in C and assembler, they find that the so-called coarsely integratedoperand scanning method has the best performance. This method is based on an interleaved multiplication-reductionalgorithm that multiplies one word of the first operand with the complete secondoperand, then performs reduction on the intermediate result and also integrates the right shiftingof the reduced intermediate result into the reduction process itself. However, they note that onprocessors with different arithmetic architecture, like digital signal processors, other algorithms canoutperform this method. This is a typical phenomenon, showing again that, as mentioned before,there is no universal optimal choice of algorithms that will offer maximum performance on differenttypes of hardware platforms.Remarks 26.45(i) To give the reader an idea of different types of optimizations, we briefly present twoimplementational options, each using different hardware and algorithmic options.(ii) Incomplete reduction. In [YASA + 2002] the authors consider the use of incomplete reductionfor modular arithmetic, i.e., when computing modulo p the intermediate resultsare allowed to remain in a range of [0, 2 m − 1], wherep

§ 26.7 Finite fields of characteristic 2 641(mod p). Thus the modular reduction can be achieved by a simple modular addition.This operation is so simple that it can even be performed using the elementary additionprovided by a standard micro controller. The techniques also described in Section 10.4.3extend these reduction methods to primes of the more general form p =2 m + c with|c| small. Again the main arithmetic operation used in these reduction techniques isaddition and only a few multiplications, and thus can be realized even on a general purposemicrocontroller. Again it should be noted that the benefit of the implementationof these special reduction techniques in hardware depends strongly on the applicationthe hardware is intended to support. If this is a closed application (i.e., one in which allthe system parameters are known in advance and can thus be chosen to allow the usageof special moduli), then the use of such specialized hardware will lead to a substantialperformance gain and might even make the usage of general purpose hardware insteadof specialized cryptographic hardware. However, if the hardware must support differentmoduli in an open application, where the system parameters like, for example, primefields can vary, no automatic performance gain can be expected, since it cannot be guaranteedthat all users in the system will actually make use of the special moduli supportedby the hardware.26.7 Finite fields of characteristic 2While arithmetic modulo p can be realized using normal long-integer arithmetic together with specialreduction methods as described above, this does not hold for the case multiplication in a fieldof characteristic 2.The main difference is that in normal long-integer arithmetic, multiplication can be realized as acombined shift-and-add operation involving carries, while addition in a field of characteristic 2 isequivalent to the binary logical XOR function, which implies that no carries occur.Therefore, special multipliers have to be designed for the F 2 d situation.Remarks 26.46(i) The following two ways of representing an element of a finite field F 2 d (see also 11.2.1)are generally considered for hardware implementations:• Using polynomial basis representation.• Using normal basis representation.(ii) From the point of hardware realization of multiplication, we can also distinguish betweentwo different possibilities:• bit parallel implementations• bit serial implementations(iii) Bit parallel implementations compute the product of two elements of F 2 d in one clockcycle. This method has the highest area consumption and will thus in general not beavailable in especially restricted environments. Therefore in the following only bit serialmultipliers will be investigated.

642 Ch. 26 Fast Arithmetic in Hardware26.7.1 Polynomial basisLet two elements a(X) and b(X) in canonical basis be given asd−1∑d−1∑a(X) = a i X i and b(X) = b i X i .i=0The standard method to multiply these two elements in hardware is to use the Mastrovito multiplier:this canonical basis multiplier is based on the fact that the F 2 d multiplication of a(X) and b(X) canbe described as a matrix productZ × (b 0 ,b 1 ,...,b d−1 ) t ,where the matrix Z = (z ij ) 1i,jd is a function of both the vector (a 0 ,a 1 ,...,a d−1 ) and the(d − 1) × d basis reduction matrix Q =(q ij ) defined byi=0(X d ,X d+1 ,...,X 2d−2) t= Q ×(1,X,X 2 ,...,X d−1) t.The values of z ij are defined to be{a i : j =0,i=0, 1,...,d− 1z ij =u(i − j)a i−j + ∑ j−1t=0 q j−1−t,ia m−1−t : j =1,...,d− 1,i=0, 1,...,d− 1where the step function u is defined viaRemarks 26.47u(t) ={1 if t 00 otherwise.(i) The Mastrovito algorithm describes a way of directly implementing the matrix productZ × (b 0 ,b 1 ,...,b d−1 ) t . It has a theoretical gate count of d 2 AND gates and at leastd 2 − 1 XOR gates. Here the lower limit for the bound on the XOR gates is attained if thedefining field polynomial m(X) is a trinomial with certain coefficient configuration.(ii) The delay is bounded from above by T A +2⌈lg d⌉T X for an irreducible polynomial ofthe form X d + X +1.In polynomial basis we can also use a bit-serial multiplier utilizing a shift-and-add, either with aleast-significant- or a most-significant-bit-first approach. Algorithms that can be used for this aredescribed in Section 11.2.2. Note that for a hardware implementation one will most likely choosean algorithm that interleaves multiplication and reduction, as described in Algorithm 11.1 for thecase of modular reduction in odd characteristic. The main advantage of an interleaved algorithm isthat the intermediate result one needs to store has much smaller size, thus preventing the usage ofdouble sized registers.Remark 26.48 A generalization of this method is a least- or most-significant-digit-first approach.Choose a digit size D, then an element of F 2 d can be represented with k D digits, where 1 k D ⌈d/D⌉. Now writeb(X) =k∑D−1i=0B i X Di where B i (X) =D−1∑j=0b Di+j X j .

§ 26.7 Finite fields of characteristic 2 643The multiplication a(X)b(X) modm(X) can now be realized in the digit-approach by an algorithmsimilar to the one described in Algorithm 11.37. This will lead to especially efficient implementationsif the digit size D is chosen to be the width of the hardware multiplier used. In thiscase the operation B i (At Di ) can be realized with a few calls to the internal hardware multiplier.Note that, in general, the possibility to use lookup tables as required in Algorithm 11.37 will lead toadditional area consumption and therefore cannot be taken for granted.Algorithm 26.49 Least-significant-digit-first shift-and-add multiplication in F 2 dINPUT: An irreducible polynomial m(X) over F 2 of degree d, polynomials a(X) and b(X) ofdegree d − 1 over F 2.OUTPUT: The product r(X) =a(X)b(X) modm(X).1. r(X) ← 02. for i =0 to k D − 13. r(X) ← B i(AX Di )+r(X)4. r(X) ← r(X) modm(X)5. r(X) ← r(X) modm(X)26.7.2 Normal basisThe standard multiplier for normal basis multiplication was proposed by Massey and Omura. A bitserial Massey–Omura multiplier uses the following main observation: let two elements A and B ofthe field F 2 d be given in normal basis representationd−1∑d−1∑A = a i α 2i and B = b i α 2i .i=0The product C = A × B has the representationd−1∑C = c i α 2i .i=0The Massey–Omura circuit has the property that it computes the coefficient c d−1 from the inputs(a 0 ,a 1 ,...,a d−1 ) and (b 0 ,b 1 ,...,b d−1 ). It will produce the remaining coefficients c d−2 ,c d−3 ,...,c 1 ,c 0 , when the rotated input vectorsandi=0(a d−k ,a d−k+1 ,...,a d−1 ,a 0 ,a 1 ,...,a d−k−1 )(b d−k ,b d−k+1 ,...,b d−1 ,b 0 ,b 1 ,...,b d−k−1 )for 1 k d − 1 are used as inputs.Thus using one Massey–Omura circuit we can compute the product of the two elements A and Bin d steps.Remark 26.50 A different approach is to use a canonical basis multiplier in order to perform anormal basis multiplication. It is described in [KOSU 1998].The main observation here is that in some cases the basis B 1 = ( α, α 2 ,α 22 ,...,α 2d−1 )canbe rewritten as B 2 = ( α, α 2 ,α 3 ,...,α d) , which in turn implies that an element in normal basis

644 Ch. 26 Fast Arithmetic in Hardwarerepresentation can be rewritten in the shifted canonical basis B 2 . Thus, instead of using a canonicalbasis multiplier, we first transform the operands from normal basis to canonical basis, then multiplyin canonical basis and finally convert back. Of course, this is only worth doing if the transformationsneeded are not too expensive.However, it turns out that the transformation can be obtained via a suitable permutation of thecoefficients, thus the transformation can be easily implemented in hardware.26.8 Unified multipliersSince elliptic curve cryptography can be implemented both over fields of characteristic 2 and ofcharacteristic larger than 2, it is desirable to support both these cases in hardware. Clearly, anoptimal solution would be to have one multiplier unit, which is able to perform modular reductionfor F p , as well as multiplication of polynomials over F 2 modulo an irreducible polynomial m(X)for F 2 d support.There are several such unified multipliers described in literature.Remark 26.51 In 2000, Savas introduced a unified multiplier (see [SATE + 2000]), which usesMontgomery reduction for modular multiplication and an adaptation of Montgomery reduction forthe F 2 d multiplication, which was introduced in [KOAC 1998].Analogous to Montgomery reduction in the modular case, instead of computing a × b ∈ F 2 d itis proposed to compute a × b × r −1 for a special fixed element of F 2 d.Letm(X) be the definingirreducible polynomial of degree d and r(X) =X d ,thenr is the element given by r = r(X) modm(X). As in the original method, m(X) and r(X) need to be prime to each other, hence m(X)should be not divisible by X. Sincem(X) is irreducible over F 2 this will always be the case. Therelative primeness of r(X) and m(X) implies the existence of r −1 (X) and ˜m(X), such thatr(X)r −1 (X)+m(X) ˜m(X) =1via the extended Euclidean algorithm. Now the Montgomery product of a and b is defined to bec(X) =a(X)b(X)r −1 (X) modm(X).A detailed description of the multiplication algorithm can be found in [KOAC 1998].Note that we have to transfer elements a(X) of F 2 d to the Montgomery representation, that isa(X)X −d mod m(X) in order to apply the Montgomery reduction as described.This has the advantage that both multiplications with reduction essentially follow the same reductionalgorithm. The implementation uses an array of word-size processing units organized in apipeline. Therefore the architecture is highly scalable. The word size of the processing unit and thenumber of pipeline stages can be selected according to the desired area/performance relation.Remark 26.52 Goodman and Chandrasekaran [GOCH 2000] presented a domain specific reconfigurablecryptographic processor (DSRPC), which provides a unified multiplier by means of a singlecomputation unit, equipped with data path cells that can be reconfigured on the fly. While modulararithmetic is performed using Montgomery reduction, the F 2 d multiplication is based on an iteratedMSB-first approach.Remark 26.53 Großschädl [GRO 2001] introduced a unified multiplier that performs modular multiplicationin a serial-parallel way, where the reduction is performed during multiplication by concurrentreduction of the intermediate result using an MSB-first approach. The F 2 d multiplication inthis multiplier is simply achieved by setting all carry-bits of the intermediate result to 0 resulting

§ 26.9 Modular inversion in hardware 645in a shift-and-add reduction algorithm. Therefore, the area-cost of the modified multiplier is onlyslightly higher than that of the original modular multiplier. Furthermore, the transformation intoMontgomery domain is not needed, and we also do not have to do precomputations.26.9 Modular inversion in hardwareAs it was pointed out before, the availability of a fast inversion algorithm is of great importancefor the efficient implementation of elliptic and hyperelliptic curve cryptosystems. Software-basedoperations can normally rely on very fast inversion, which in turn implies that they will most likelyuse affine coordinates. However, the situation is quite different on hardware platforms that are usedfor embedded devices or smart cards. In the following we briefly discuss two main options.If only the basic modular arithmetic operations (multiplication and squaring) are supported byhardware, the only way to realize modular inversion is to either implement the extended Euclideanalgorithm on the main CPU, using some functionality of the cryptographic hardware, or to makeuse of Fermat’s little theorem (see the introduction of Section 11.1.3). In most of these cases, thesecond solution will be better, since modular exponentiation is normally available anyway.Remarks 26.54(i) Hardware support for modular inversion in odd characteristic usually focuses on differentvariants of the Extended Euclidean algorithm as described in Section 11.2.4 for evencharacteristic and in Section 11.1.3 for odd characteristic.(ii) We first deal with the odd characteristic case. The analysis of the main arithmetic operationsused in this algorithm shows that the following operations are most important:(a) addition(b) subtraction(c) halving an even number(d) computing the absolute value |A − B| of two odd numbers A and B.While the first three operations are easy to implement (addition and subtraction are performedby the main arithmetic unit, halving of an even number can be realized veryeasily by a shift operation, and checking whether a number is even or odd can be accomplishedby simply inspecting its least significant bit), the computation of the absolutevalue |A − B| can be different to realize. This is mainly due to the fact that the absolutevalue is normally obtained by first computing A − B, then inspecting the sign of thisresult and finally computing the two’s complement if the outcome of the subtraction wasnegative. Since the sign of the result will only be available after the end of subtraction,the two’s complement building can only start once the subtraction operation is finished.Summarizing, we see that the cost for the comparison of two integers is mainly dominatedby the cost of a subtraction. However, the computation of the absolute value willcost some extra cycles.If Montgomery multiplication is used, there are much more efficient inversion algorithmsavailable that have already been described in Section 11.1.3.(iii) In even characteristic, the same two main options as in the odd characteristic case arevalid. The usage of the basic polynomial multiplication in order to compute the inverseof an element was described in Section 11.2.4.c. However, special properties ofpolynomial arithmetic in characteristic two allow especially efficient implementations

646 Ch. 26 Fast Arithmetic in Hardwareof the inversion according to the extended Euclidean algorithm. This is mainly due tothe fact that addition and subtraction are replaced by the simple XOR operation, whichdoes not have carry propagation. Furthermore, the comparison of two elements can beaccomplished by comparing single bits starting at the most significant bit.The combination of these observations with specially designed hardware can lead tovery fast implementations of the modular inversion in even characteristic.(iv) Analogously to the design of unified multipliers able to perform modular arithmetic inboth even and odd characteristic, designs for unified modular inversion also exist. Thesedesigns obviously rely on the choice of an inversion algorithm that can be easily adjustedto the case of even and odd characteristic. A good example of this is the Montgomeryinversion algorithm as described in [KAL 1995], which was used by Savas and Koçto describe architectures for unified inversion in [SAKO 2002]. The main algorithmicingredient here is that the comparison of two integers u and v (i.e., the decision whetheru>vholds) is replaced by the comparison of the bit-sizes of u and v respectively, asdone in the characteristic two case. This replacement implies requiring the temporaryvariables of this algorithm to be either positive or negative (which in turn implies that afurther bit has to be reserved to store the sign of these variables). However, as a resultof this modification, identical hardware can now be used for the comparison.(v) Inversion in optimal extension fields, as introduced in Section 11.3, relies on a combinationof the computation of a modular inverse in a (small) prime field F p and a modularexponentiation in an extension field F p d. Due to the special nature of the prime p thiscan be realized so efficiently that even without specific cryptographic hardware, fastinversion implementations are possible (see [WOBA + 2000]). Their implementationalresults are based on an Infineon SLE44C24S, an 8051 derivative. For an OEF of approximately135 bits field size their performance results are as follows: for a modularmultiplication 5084µs are needed, while an inversion is computed in 24489µs. Thusthey obtain a ratio multiplication/inversion below 5, which allows the usage of affine coordinatesin the implemented elliptic curve operations. This rather low ratio is achievedby using an adaptation of the algorithm described in Section 11.3.4, where an additionchain is used for the main exponentiation α r−1 , and the inversion t −1 in the ground fieldF p is performed via table lookup.

Chapter ¾Smart CardsBertrand Byramjee and Andrew WeiglContents in Brief27.1 History 64727.2 Smart card properties 648Physical properties • Electrical properties • Memory • Environment andsoftware27.3 Smart card interfaces 659Transmission protocols • Physical interfaces27.4 Types of smart cards 664Memory only cards (synchronous cards) • Microprocessor cards(asynchronous cards)Although smart cards are now very common, this technology is still very new, with the first smartcards appearing in the 1970’s. Since then, their evolution has been very rapid. Smart cards haveadvanced from simple memory cards to very efficient “microcomputers” with multiple applications.Equipped with a microcontroller, these cards are able to store and protect information usingcryptographic algorithms. They are also resistant to physical stresses such as twisting and bending.The physical structure of the smart card consist of a small plastic rectangle with a magnetic stripe,holograms, relief characters and an embedded chip. They are small, and easy to use and carry.The security and portability of smart cards provide a safe, reliable, convenient, and effective way toensure secure transactions (banking, e-business, etc.), and to enable a broad range of applications.Thus, modern smart cards can actually be used in any system that needs security and authentication.They have been proven to be an ideal means of making high-level security available to everyone.This chapter aims to present an overview of today’s smart card technology and show the limitationsthat smart card manufacturers must take into account when implementing cryptographicalgorithms, for example, elliptic or hyperelliptic curve algorithms, in a smart card environment.27.1 HistoryIn the beginning of the 1950’s, the first plastic (PVC) cards appeared in the USA as a substitutefor paper money. They were initially aimed at the rich and powerful, and were only accepted byprestigious hotels and restaurants. These cards were very simple with the owner’s name printed in647

648 Ch. 27 Smart Cardsrelief, and sometimes the handwritten signature was added. These cards provided a more convenientpayment system than paper money. With the involvement of VISA TM and MasterCard TM inplastic money, credit cards spread rapidly around the world. Later a magnetic stripe was added toreduce fraud and to increase security. Confidential digitized data was stored on this stripe, but thisinformation was accessible to anyone possessing the appropriate card reader.Between 1970 and 1973 there was a significant development in plastic cards with the additionof microcircuits to the card. Many patents were filed during this time; the best known inventorsinclude: J. Dethleff, K. Arimura, and R. Moreno. The term “smart card” was proposed by R. Bright.It was not until 1984 that the smart card was first put into commercial use by the French PTT (postaland telecom services) with their first telephone cards (smart cards with memory chips). In 1986,millions of these smart cards were sold in France and other countries. After telephone cards, thenext big application was their use as banking cards. This development was more difficult becausethey contained more complicated chips that were able to compute cryptographic calculations. TheFrench banks were the first to introduce this technology in 1984. A number of ISO standards werecreated to encourage interoperability of smart cards. By 1997, bank cards were widely used inFrance and Germany. The microcontrollers continued to advance and became more powerful withlarger memory capacity. This allowed for sophisticated cryptographic algorithms, providing higherlevels of security.Nowadays, smart cards are present all over the world, and their use is likely to spread even further.27.2 Smart card propertiesSmart cards are physically similar to the classic embossed plastic cards. The older model cards areused as the base design for the newer smart cards. There are two different categories of smart cards:memory only cards, which are the cheapest and the simplest, and the microprocessor cards, whichare more expensive, but have more applications and security features. The structure of smart cardsis standardized by ISO, principally: ISO 7816 [ISO 1999a, ISO 1999b, ISO 1999c, ISO 1999d],and ISO 7810 [ISO 1995].The following sections look at the different aspects of the smart card properties.27.2.1 Physical propertiesThe most widely used smart card format, ID-1, is part of the 1985 ISO 7810 standard [ISO 1995].Most smart cards are made from PVC (polyvinyl chloride), which is also used for credit cards.Some are made from ABS (acrylonitrile-butadiene-styrol),but they cannot be embossed; an exampleapplication is a mobile phone card.The body of the card includes the following components: magnetic stripe, signature stripe, embossing,imprinting of personal data (picture, text, fingerprint), hologram, security printing, invisibleauthentication features (fluorescence, UV), and a microprocessor chip.27.2.1.aThe chip module and its embeddingThe chip module, also called the micromodule, is the thin gold contact on the left side of the smartcard. This module needs to be firmly attached to the plastic of the card. Its purpose is to protect thecard and the microprocessor chip. The contacts for contact-type smart cards can also be in the chipmodule.Many embedding techniques have been tested and used with the aim to optimize overall cardresilience to everyday physical and mechanical stresses (temperature abrasion, twisting, bending,

§ 27.2 Smart card properties 649etc.) while keeping the production costs as low as possible.27.2.1.bContact and contactless cardsThere are two main ways a smart card can communicate with the card terminal: through physicalcontact or by using a contactless connection. The contact cards were the first types of smart cards onthe market. However, with new advances in microcircuit technology, contactless cards have becomephysically feasible.Contact cardsThis is currently the most common type of card. It communicates via a card reader where theinformation passes through the contacts. There are metal contacts inside the card reader and on thechip module of the smart card. The position and dimensions of these contacts (power supply, datatransfer, etc.) are set in the ISO 7816-2 standard [ISO 1999b]. Another standard, AFNOR, is stillin use by some cards in France, but is likely to disappear in the near future.Figure 27.1 Pin layout for contact smart cards.GNDC 1 VCCC 2 RESETC 3 CLK00000000000000111111111111110000000000000011111111111111000000000000001111111111111100000000000000111111111111110000000000000011111111111111000000000000001111111111111100000000000000111111111111110000000000000011111111111111000000000000001111111111111100000000000000111111111111110000000000000011111111111111000000000000001111111111111100000000001111111111000000000011111111110000000000111111111100000000001111111111000000000011111111110000000000111111111100000000001111111111 VPP000000000011111111110000000000111111111100000000001111111111000000000011111111110000000000111111111100000000001111111111000000000011111111110000000000111111111100000000001111111111000000000011111111110000000000111111111100000000001111111111 I/O000000000011111111110000000000111111111100000000001111111111000000000011111111110000000000111111111100000000001111111111000000000011111111110000000000111111111100000000000000000000000000000011111111111111111111111111111100000000001111111111RFU000000000011111111110000000000111111111100000000001111111111C 5C 6C 7C 4 RFUC 8There are 8 contact areas C 1 ,...,C 8 :C 1 : Supply voltage, VCC,C 2 : Reset,C 3 :Clock,CLK,C 4 : Not in use, reserved for future use,C 5 : Ground, GND,C 6 : External voltage programming,C 7 : Input/Output for serial communication,C 8 : Not in use, reserved for future use.Contactless cardsThese cards contain special circuits, which allow data transmission over short distances withoutmechanical contact and without a direct supply of power. This technology is not new but is difficultto apply to smart cards. At the moment it is possible to incorporate a battery into the card, but itincreases the size and cost of the card. Research is ongoing to reduce this problem.Not only is there a problem supplying power to the smart card circuits, but data and clock signals

650 Ch. 27 Smart Cardsalso need to be transmitted between the card and the terminal. The technique of capacitive andinductive coupling, at this time, is the most suitable for smart cards and has been standardized inISO/IEC 14443 [ISO 2000]. This standard presents a method for capacitive and inductive couplingwhere the card’s conductive surfaces act as capacitor plates. One or several coupling loops areintegrated into the card to receive energy from the terminal. A carrier frequency in the range 100-300 kHz is used, which allows very rapid transmission.Dual interface or “combi-cards”In the future it is likely that “combi-cards” will become more common. They combine the advantagesof contact and contactless cards. In ISO/IEC 10536 the application is described as “slotor surface operation.” Depending on the operation, the card must either be inserted in a slot tomake contact or placed on a certain surface for contactless transaction. This type of card allowsapplications such as credit, debit, membership, and mass transit to be used on the same card.27.2.2 Electrical propertiesThe electrical properties of a smart card depend on its embedded microcontroller, since this isthe only component of the card with an electrical circuitry. The basic electrical requirements aredefined by the ISO/IEC 7816-3 standard, Part 3: Electronic signals and transmission protocols[ISO 1999c]. Electrical characteristics and class indication for operating at 5 V, 3 Vand1.8 Vare described within Amendment 1. Amendment 2, which describes an USB interface for smartcards, is currently under preparation. The GSM mobile telephone network (GSM 11.11) should bementioned here, because it also contributes to the requirements in this area. Further modificationsof the ISO/IEC 7816 standard are driven by the UMTS specification.27.2.2.aSupply voltageA smart card supply voltage is 5 V, with a maximum deviation of + − 10%. This voltage, which isthe same as that used for conventional transistor-transistor-logic (TTL) circuits, is standard for allcards currently on the market. Since all modern cellular telephones are built with 1.8 V technology(GSM 11.18), modern smart cards are designed for a voltage range of 1.8-5 V + − 10%, which resultsin an effective voltage range of 1.6-5.5 V. They can be used in both, 1.8 Vand5 V terminals, to keepthe advantage of simple and straightforward card usage.27.2.2.bSupply currentThe built-in microcontroller obtains its supply voltage via contact C1 (see Figure 27.1). Accordingto the GSM 11.11 specification, the current may not exceed 10 mA, so the maximum power dissipationis 50 mW, with a supply voltage of 5 V and an assumed current consumption of 10 mA.Table 27.2 gives an overview of the actually defined maximum power consumption classes, specifiedby ISO 7816 and GSM.The current consumption is directly proportional to the clock frequency used, so it is also possible tospecify the current as a function of the clock frequency. State-of-the-art smart card microcontrollersuse configurable internal clock frequencies for their processor and their arithmetic coprocessor.Hence, the current consumption is not only dependent on the external clock, but also on the givenconfiguration of the microcontroller itself and the setting of the coprocessor. The coprocessor canbe programmed to keep power consumption under a set value, for example, the GSM values.

§ 27.2 Smart card properties 651Table 27.2 Smart card power consumption specified by ISO 7816 and the GSM specifications.Specification ISO 7816-3 GSMNotation Class A Class B GSM 11.11 GSM 11.12 GSM 11.18Supply voltage 5 V 3 V 5 V 3 V 1.8 VSupply current 600mA 50 mA 10 mA 6 mA 4 mAFrequency 5 MHz 4 MHz 5 MHz 4 MHz 4 MHzPower consumption 300 mW 150 mW 50 mW 18 mW 7.2 mW27.2.3 MemorySmart cards can be divided into two main components: the processor (including coprocessor) andmemory. Memory can again be divided into volatile and non-volatile memory. Table 27.3 shows thedifferent types of volatile and non-volatile memory. Since a smart card needs to be able to functionas an independent unit, most cards will be found with a combination of RAM, ROM, and EEPROM.Table 27.3 Types of memory found in smart cards.Memory types found in smart cardsVolatile memoryRAMNon-volatile memoryROMPROMEPROMEEPROMFlash EEPROMFRAM27.2.3.aRead-Only Memory (ROM)ROMs are non-volatile memory that can be randomly accessed during reading. There is no limitto the number of times the memory can be read, but it can only be written during production. Thistype of memory requires no voltage to hold the information, so when the power is disconnected, thedata is still retained. This is excellent memory for storing vital programs that the smart card needsto run, like the operating system and the diagnostic functions. The data is imprinted onto the chipby using lithographic techniques. ROM cells require the least amount of area per cell compared toother available types of memory.27.2.3.bRandom Access Memory (RAM)RAM is the work area for the smart card. It can quickly read and write data, and there is no limit tothe number of writes a RAM cell can handle. However, since it is volatile memory, constant powerneeds to be supplied, or otherwise the contents will be lost. The method for accessing this memoryis what gives it its name; random access means that the memory is selected and directly accessed

652 Ch. 27 Smart Cardswithout having to sequentially traverse the memory block.In smart cards, the most common form of RAM is static RAM (SRAM), which, unlike dynamicRAM (DRAM), does not need to be periodically refreshed. SRAM has flip-flops as the basic componentwhile DRAM uses capacitors with refresh circuitry.Smart card chip designers try to keep the amount of RAM to a minimum, since it requires a largearea per cell. Indeed, RAM cells require seventeen times more area than a ROM cell.27.2.3.cProgrammable read-only memory (PROM)Programmable read-only memory is similar to ROM in that once it has been written it cannot berewritten. The difference is that the code does not need to be written with lithographic techniques.PROM has a serious drawback; access needs to be granted to the address, data, and control busesfor the writing process. This leaves a security hole in the smart card that a hacker could use to readthe data stored on the chip. PROM is not used in smart cards because of this vulnerability.27.2.3.dErasable programmable read-only memory (EPROM)An EPROM is essentially an n-channel MOSFET (metal-oxide-semiconductor field effect transistor)with an extra polysilicon gate called the floating gate. In Figure 27.4 the left curve has arelatively low V t and is normally chosen as state “1.” This state is also called the “preprogrammed”state.Figure 27.4 Threshold voltage curves for programmed and preprogrammed state.iDThreshold voltagea) Programmed (1) b) Preprogrammed (0)vGSA voltage needs to be applied between the drain and source to program the EPROM to the “0” state(see Figure 27.5). On the select gate a voltage of 17 Vto25 V needs to be applied. Since smart cardcontrollers use a supply voltage between 3 and 5 V, a cascaded voltage-multiplier circuit, or chargepump, needs to be used to generate the required voltage levels.The device acts as a regular n-channel enhancement MOSFET when there is no charge present onthe floating gate. With the voltages present, a tapered n-type inversion layer is formed at the surfaceof the substrate. The drain-to-source voltage accelerates the electrons through the channel. Theelectric field formed by the voltage on the selected gate attracts the hot electrons (the acceleratedelectrons) towards the floating gate. At the floating gate the electrons collect, causing the gate to

§ 27.2 Smart card properties 653become negatively charged. This process continues until enough of a negative charge is formed onthe floating gate to reduce the strength of the electric field to the point of not being able to accelerateany more hot electrons.Figure 27.5 EPROM during programming.+25VSelect gateFloating gaten channel+16VOxideDrain n+Depletion layerSource n +p substrateThe negatively charged floating gate repels electrons away from the surface of the substrate. Tocompensate for the loss of electrons in the region, a larger select gate voltage is required to form ann-channel. This will shift the i D − v GS characteristic graph upwards, as can be seen in Figure 27.4[SESM 1991].For the microcontroller to read the state of the EPROM, the unit only needs to apply a test V GSbetween the two i D − v GS curves. If the current flows, the EPROM is in state “1” and if it does notflowthenitisinstate“0”.For smart cards, EPROM was used by the French PTT in their first telephone cards, since, at thattime, it was the only ROM type memory available [RAEF 2000]. As with other ROM types, it doesnot require a supply voltage to retain the data. EPROM can be reprogrammed, but it first requiresultraviolet light to erase the old data. This method is not feasible for smart cards, so this technologyhas been abandoned for newer erasable ROMs.27.2.3.eElectrically erasable programmable read-only memory (EEPROM)As with regular computers, sometimes data needs to be read, altered and then stored with the possibilitythat the voltage supply is disconnected. Computers use hard drives to store the data for longerperiods of time, but smart cards do not have this option. Instead they use a type of ROM that canhandle multiple writes. EPROM can only be erased with ultraviolet light, which makes it unsuitableas a multi-write memory. The solution is found with another type of ROM that can be electricallyerased, the electrically erasable programmable read-only memory (EEPROM), see Table 27.7.EEPROM operates similarly to the method described in Section 27.2.3.d. There are two maindifferences between EPROM and EEPROM. The first difference is how the electrons travel fromthe substrate to the floating oxide layer. The method described in Section 27.2.3.d uses hot electroninjection, while standard EEPROM uses the tunnel effect (Fowler–Nordheim effect). A high positive

654 Ch. 27 Smart Cardsvoltage at the select gate causes electrons to migrate through the tunnel oxide to the floating gate,where they collect. Eventually, the floating gate becomes negatively charged.The second difference between EPROM and EEPROM is how the data is erased. As stated earlier,EPROM requires ultraviolet light to reset its state. For EEPROM a negative voltage applied to theselect gate forces the electrons from the floating gate back to the substrate. After this process, theEEPROM is classified again as discharged and the V t is low.Similar to RAM and other types of ROM, EEPROM can be read an unlimited number of times.However, there is a limit to the number of writes that can be performed. The life expectancy islimited by the quality, type, and thickness of the tunnel oxide layer, which is the oxide layer betweenthe floating gate and the substrate (see Figure 27.5). During production, the tunnel oxide is one ofthe first layers to be produced. As the rest of the production continues, it undergoes large thermalstresses that cause minute faults in the oxide layer. This allows the tunnel oxide to absorb electronsduring the programming cycle, which are not returned to the substrate when the data is erased. Thetrapped electrons then collect at the channel between the drain and source. This process continuesuntil enough electrons collect that they influence the threshold voltage to a greater degree than thefloating gate. The threshold voltage then stays in one state, regardless of whether the floating gateis charged or not; the EEPROM is then useless.27.2.3.fFlash electrically erasable programmable read-only memory (flash EEPROM)Flash EEPROM is a mixture of EEPROM and EPROM technology. It operates with hot electronsbut uses an erase technique similar to EEPROM. Most manufacturers implement a combination offlash EEPROM and regular EEPROM onto their chips. Each memory type has its benefits when itcomes to endurance and space requirements. A typical application for regular EEPROM is transientdata or constants that may need to be occasionally changed. Flash EEPROM is better suited forprogram code, which may need to be upgraded or changed only a few times during the products,life cycle [BUR 1999].EEPROM uses both, a read and a write transistor, while flash memory uses only one transistor.Also, each cell of the regular EEPROM requires signal routing and complex address-decoding logic,since each word has its own control signals. Flash memory, on the other hand, employs less complexword decoders that allow for more compact units. This leads to a trade-off in programmingflexibility and write time.With regular EEPROM any word can be altered by accessing that memory location, erasing theword, then writing in the new data. This is not possible with the word decoder of flash memory.Before any data can be changed, the whole array must be erased and then completely rewritten. Thisleads to a large difference in operating speed. EEPROM can be reprogrammed in a few milliseconds,whereas flash memory may take from a few microseconds to a second to reprogram.Another key factor that makes regular EEPROM able to better handle transient data is the enduranceof its cells. Flash EEPROM can only handle about 1000 write cycles, which is too short formost application requirements. Since application data does not change that often, it is perfect for itto be programmed onto flash EEPROM. It can be upgraded after manufacture giving it an advantageover ROM or PROM. Most smart cards now incorporate some flash EEPROM in their system.27.2.3.gFerroelectric random access memory (FRAM)Ferroelectric Random Access Memory (FRAM), a relatively new type of memory, has recentlybecome available to the microprocessor manufacturers. The characteristics of FRAM are similarto those of both RAM and ROM. It is a non-volatile memory, but with a write speed considerablyfaster than flash or EEPROM memory.Instead of using a floating oxide layer as the dielectric, FRAM employs a ferroelectric film. Thecomposition of the film is usually either PZT ( Pb(Zr, Ti)O 3), PLZT((Pb, La)(Zr, Ti)O3),orSBT

§ 27.2 Smart card properties 655(Sr Bi 2 Ta 2 O 9 ). Figure 27.6 shows the crystalline structure of PZT. Polarization through electricfields has a dual advantage over the injecting of hot electrons or tunneling effect method, it isfaster at writing and it requires less power (see Table 27.7 for the comparison between the differentmemory types).Figure 27.6 View of the crystalline structure of ferroelectric material.0000 11110000 11110000 11110000 11110000 11110000 11110000 11110000 1111000001111100000111110000011111000001111100000111110000011111000001111100000 1111100000 1111100000 1111100000 1111100000 1111100000 1111100000 1111100000 11111000001111100000111110000011111000001111100000111110000011111000001111100000111110000 11110000 11110000 11110000 11110000 11110000 11110000 1111000001111100000111110000011111000001111100000111110000011111000001111100000 11111 000001111100000 11111 000001111100000 11111 000001111100000 11111 000001111100000 11111 000001111100000 11111 000001111100000 11111 000001111100000 1111100000 11111000000000000000 11111Lead (Pb)00000 1111100000 1111100000 11111Oxygen (O)Zirconium / Titanium (ZrTable 27.7 Comparison of different memories [FUJITSU].Memory SRAM DRAM EEPROM FLASH FRAMType Volatile Volatile Non-volatile Non-volatile Non-volatileRead cycle 12 ns 70 ns 200 ns 70 ns 180 nsWrite cycle 12 ns 70 ns 5 ms 1 s 180 nsData write method Overwrite Overwrite Erase & Write Erase & Write OverwriteWrite Endurance ∞ ∞ 10 4 10 3 10 1027.2.3.hMemory management unit (MMU)The physical memory is divided into memory pages with the assistance of the MMU. Inside theMMU a translation of the memory address occurs, and the visibility of the storage space is changed.

656 Ch. 27 Smart CardsEach segment of the physical memory is placed into the logical memory. Figure 27.8 shows thebehavior of the address translation.Figure 27.8 Memory segmentation.Virtual addressesPhysical addresses00000011111100000011111100000011111100000011111100000001111111000000011111110000000111111100000001111111000000011111110000000111111100000001111111000000011111110x00000000001111110000001111110000001111110000001111110000001111110000001111110000001111110000001111110000001111110000001111110000001111110000001111110000001111110000001111110000001111110000001111110000001111110000001111110000001111110000001111110000001111110000001111110x0000The size of one segment is programmable by the processor and can comprise the whole physicalmemory or only a small portion of it. It is only limited by the maximum number of allowed segmentations.The processor view of the memory may differ from the real memory alignment, sincethere is no direct connection between the processor and the memory.In most cases, the MMU is not enabled after power-on or a global reset. At this point, theprocessor operates in “system” mode and the virtual addresses are equal to the physical addresses.All special function registers (SFR) of the MMU are accessible by the CPU; these registers performthe address translation.When an application is executed from the code space the MMU is enabled and it is then in “user”mode. Direct access to the SFR is disabled to protect other applications. Thus, each applicationcan only use its own memory region. This region contains the shared ROM for the program code,and a part of the RAM for the variable data (see Figure 27.9). Memory protection is distinctivelyimportant for the non-volatile data in the EEPROM, since that is where applications store sensitivedata, and it is necessary to protect this information against spying or loss of power.27.2.4 Environment and softwareSmart card systems consist of two parts: the host system, residing in the terminal (or in a PC with acard reader) and the card system, inside the smart card. This section looks at the smart card software,including the system software and the user applications that run on the card system.Developing a smart card application traditionally was a long and difficult process. Most smartcard development tools were built by the smart card manufacturers using generic assembly lan-

§ 27.2 Smart card properties 657guage tools and dedicated hardware emulators obtained from the silicon chip vendors. Therefore,developing smart card applications was limited to a group of highly skilled and specialized programmerswho had intimate knowledge of the specific smart card hardware and software. Theyhad to deal with very low-level communications protocols, memory management and other minutedetails, dictated by the specific hardware of the smart card. Upgrading software or moving applicationsto a different platform was particularly difficult or even impossible. Furthermore, becausesmart card applications were developed to run on proprietary platforms, applications from differentservice providers could not coexist and run on a single card. Lack of interoperability and limitedcard functions prevented a broader deployment of smart card applications. The development of theJava Card technology changed this situation. This language, designed by SUN technology, offersnew possibilities for smart cards, as will be seen in the following sections.Figure 27.9 Example for the processor view.RAMPhysicaladdress busCPUVirtualaddress busMMUROMEEPROM27.2.4.aOperating System (OS)Each operating system depends on the manufacturer’s philosophy. The conventional operating systemis the one based on standard instructions, which is designed such that it can be implemented forany application on the component. Smart card operating systems support a collection of instructionsthat the user’s applications can access.Many operating systems have been designed for smart cards: Windows R○ for smart cards, whichis no longer used, Multos, Java Card, etc. There is no real standard for a smart card operatingsystem. The OS is strongly linked to the manufacturer, and standardizing it would affect the intellectualproperty of the manufacturer. The group SCOPE, directed by GlobalPlatform, tried todesign a document specifying the main functionality that should be supported by a smart card OS.The ISO 7816-4 [ISO 1999d] standardizes a wide range of instructions in the format of the applicationprotocol data unit, APDU. A smart card operating system may support some or all of theseAPDUs as well as the manufacturer’s additions and extensions.The operating system on a smart card has fewer operations to deal with than those present instandard personal computers. Its purpose is essentially to regulate the input and output (I/O), timers,exceptions, communications between the server and the terminal, memory management, and to

658 Ch. 27 Smart Cardssecurely load and run specific programs. In Figure 27.10, the OS is composed of the followingelements:• the BIOS: for the protocol communication T (0, 1, both, or others), the timers, theexceptions, the EEPROM management,• the Java Card Virtual Machine (VM),• some native applications used for access rights on memory.The majority of applications are applets, native applications and the link with the Java Card VM.No external instruction is allowed to interfere with the operation of the card. System crashes oruncontrolled reactions due to a faulty instruction or as result of failed EEPROM sections must notoccur under any circumstances.Figure 27.10 Architecture of the smart card.EEPROMApplet Applet Applet AppletData Data Data DataApplet Applet AppletROM ROM ROMAPIsNativeApplicationROMJava Card Virtual MachineBIOS (Communications, memory, etc.)CPUCryptoDevice

§ 27.3 Smart card interfaces 65927.2.4.bJava CardJava Card TM offers a way to overcome obstacles hindering smart card acceptance. It allows smartcards and other memory-constrained devices to run applications (called applets) written in the Javaprogramming language. Essentially, Java Card technology defines a secure, portable, and multiapplicationsmart card platform that incorporates many of the main advantages of the Java language.This type of platform has found wide acceptance and is currently being shipped in high volume. AJava Card platform-based smart card runs Java based applications in the form of byte-code. Theseare loaded into the memory of the smart card’s microprocessor where they are run by the virtualmachine (typically in the EEPROM). The advantages provided are:• Multiple application management: multiple Java applications (electronic purse, authentication...)can reside on a single card. These applications can be upgraded with new orupdated applets without the need of issuing a new or a different card.• Security: the different applets present on the card are each separated by the applet firewall.It ensures their integrity and eliminates program tampering; the level of access toall methods and variables is strictly controlled.• Hardware independence: Java Card technology is independent of the type of componentused. It can run on any smart card (8, 16, or 32 bits) because the applets are written ontop of the Java card platform.• Compatibility: any card can run any application. Java Card technology is based on theJava Card international standard ISO 7816, applets can interoperate not only with allJava smart cards but also with existing card acceptance devices.• High level development: applet developers do not have to deal with the details of microcontroller,with the exception of cryptographic algorithms.ThemainelementsinJavaCardare:• The Java Virtual Machine: necessary to compile the byte codes of the applet and to runthe applications.• The different applets that can be loaded in EEPROM or stored on ROM for some specialapplications.• The APIs: these are the classic APIs of the functions used in the card, for example thecryptographic functions. These are designed and standardized by Sun to ensure thatapplets are portable.For more detailed information, the Java Card environment is described in the book Java Card Technologyfor Smart Cards: Architecture and Programmers Guide [CHE 2000].27.3 Smart card interfaces27.3.1 Transmission protocolsThis section explains the structure of transmission and specific control in half-duplex transmissionprotocols. Three types of protocols are defined in the ISO/IEC standards 7816 [ISO 1999a,ISO 1999b, ISO 1999c, ISO 1999d] and 14443 [ISO 2000,ISO 2000a, ISO 2000b, ISO 2000c,ISO 2000d]: one character protocol (T = 0), and two block protocols (T = 1 and T = CL). The designationT = CL is currently in the final stage of specification, which is why it does not appear inliterature. Every smart card must support at least one of these protocol types, while terminals needto support all of them.

660 Ch. 27 Smart CardsTable 27.11 Transmission protocols [RAEF 2000].Protocol Explanation SpecificationT=0 Asynchronous, half-duplex, byte-oriented ISO/IEC 7816-3T=1 Asynchronous, half-duplex, byte-oriented ISO/IEC 7816-3T=2 Asynchronous, half-duplex, byte-oriented ISO/IEC 10536-4T=3 Full-duplex –T=4 Asynchronous, half-duplex, byte-oriented, –extension of the T = 0 protocolT = 5-13 Reserved for future use –T=14 Reserved for national use(in Germany: Deutsche Telekom) Proprietary standardsT=15 Reserved for future use and extensions –Altogether, the ISO/IEC standards comprise of fifteen types of transmission protocols. Up to now,only three of them are fully specified while the rest is either still under definition, reserved for futureuse, or reserved for national use (see Table 27.11).The half-duplex block transmission protocol T = CL addresses the special needs of contactlesscard environments and is not listed in Table 27.11. It sets out the requirements for contactless smartcards to operate in the vicinity of other contactless cards that conform to the ISO/IEC 10536 andISO/IEC 15693 standards.Which transmission protocol is to be used for subsequent communication between terminal andsmart card is indicated within the answer-to-reset (ATR) interface bytes and shall always be T = 0or T = 1 for cards with contacts. If the interface bytes are absent, T = 0 is assumed by default.For contactless cards only T = CL is designated. In Europe only Germany uses the T = 1 protocol,whereas the rest of Europe uses T = 0 protocol.27.3.1.a Protocol T = 0The half-duplex asynchronous transmission protocol T = 0 (cf. standards [ISO 1999a, ISO 1999b,ISO 1999c, ISO 1999d]) is the basic protocol for cards with contacts. It is the oldest transmissionprotocol and is designed for a minimum of technical requirements. For this reason, it is used in thepresent GSM technology for mobile phones. The protocol T = 0 is completely byte-oriented and ituses the following character frame format: a character consists of 10 consecutive bits:• 1 start bit in state “Low,”• 8 bits, which comprise the data byte,• 1 even parity checking bit.A character is the smallest data unit that can be exchanged. The interval between two consecutivecharacter’s leading edge start bits is comprised of the duration of the data plus a guard time. Theminimum value of this guard time is 2 Elementary Time Units (ETU). Thus, for T = 0 the minimumduration between two consecutive start bits is 12 ETU. With the ATR parameter N, the guard timevalue can be changed. Its value represents the number of ETU to be added.During the guard time, both communication partners are in receive mode (I/O line in state“High”). The transmitter checks the state of the I/O line by sampling the I/O port. In the eventof an error-free transmission, the I/O line remains in the “High” state and the next character is

§ 27.3 Smart card interfaces 661expected after the guard time has expired.If the card or the terminal detects a parity error in the received character, it sets the I/O line tothe “Low” state for one or two ETU to indicate an error. Since the transmitter samples the I/O portduring the guard time, it detects the “Low” state and identifies it as a parity error. After detection ofthe error signal, the sender repeats the character instead of transmitting the next one.The error signal and character repetition procedure is mandatory for all cards offering the T = 0protocol.27.3.1.b Protocol T = 1The half-duplex asynchronous transmission protocol T = 1 (cf. standards [ISO 1999a, ISO 1999b,ISO 1999c, ISO 1999d]) consists of block frames exchanged between the two communicationpartners. They convey either application data transparent to the protocol or transmission controldata including transmission error handling. The protocol T = 1 is designed using the layeringtechnique found in the Open System Interface (OSI) model [RAEF 2000], with particular attentionpaid to the minimization of interactions across boundaries.A block is the smallest unit exchanged. It is defined as a sequence of bytes, whereby each byteis conveyed in a single character, see Section 27.3.1.a for the definition of a character. The protocolalways starts with a block sent by the terminal and continues with alternating the right to send ablock. The block structure allows us to check the received data before processing the conveyeddata.Within a block, the standard duration between the start bit leading edges of two consecutivecharacters is 12 ETU. The error signal and character repetition procedure, as defined for T = 0,does not take place in the T = 1 block protocol. Thus, the minimum delay between the leadingedge of the start bits of two consecutive characters may be reduced from 12 ETU to 11 ETU. If thecorresponding ATR interface parameter indicates N = ’FF’ (N = 255), this leads to a guard time ofonly 1 ETU.A block consists of the following three fields where the items in brackets indicate optional requirements(see Figure 27.12):• The “Prologue” field consists of a “Node Address” byte (NAD), a “Protocol ControlByte” (PCB) and a “Length” byte (LEN).• The “Information” field is optional. If present, it is comprised of 0 to 254 bytes (INF).• The “Epilogue” field consists of one or two mandatory bytes for the “Error DetectionCode” (EDC).Figure 27.12 Structure of a T = 1 block frame.PCB1 byteCID NAD INF EDC1 byte 1 byte 0 to 254 bytes 1 to 2 bytesPrologue field Information field Epilogue field

662 Ch. 27 Smart Cards27.3.1.cProtocol T = CLThe half-duplex block transmission protocol T = CL controls the special needs of contactless smartcard environments [ISO 2000, ISO2000a, ISO 2000b, ISO 2000c, ISO 2000d] and supportsboth type A and type B frame formats (see Figure 27.13). An extra guardtime is inserted betweenthe characters in type B frame, which is used to separate the single characters. As already annotated,this protocol is currently in the final stage of specification with the designation T = CL, which isthe reason why it does not appear in current literature. This protocol is designed according to theprinciple of layering in the OSI reference model, with particular attention to the minimization ofinteractions across boundaries, which is similar to T = 1 (cf. Section 27.3.1.b).Figure 27.13 Type A and type B frame formats.Type AS b0 b1 b2 b3 b4 b5 b6 b7 P S b0 b1 b2 . . . b5 b6 b7 PE1 st byte n th byteType BSOF character1 EGT character2 EGT characterN EOFAnother similarity with T = 1 is the method of transferring the character frame formats. The protocolT = CL also exchanges block frames between terminal and smart card. A block is the smallest dataunit that can be exchanged, and it may be used to convey application data or transmission controldata, including transmission error handling. This is one reason why in T = CL the error signal andcharacter repetition procedure, as specified for the T = 0 protocol, does not take place. Anotherreason is that T = CL uses different frame formats than the T = 0 or the T = 1 protocols.Figure 27.14 Character and next character transmission.CharacterNext CharacterS b0 b1 b2 b3 b4 b5 b6 b7 P GT S b0 b1 b2 b3 b4 b5 b6 b7 PGTt < CWT

§ 27.3 Smart card interfaces 663The protocol starts with a first block sent by the terminal and continues with alternating the right tosend a block. As shown in Figure 27.14, a block consists of the following three fields, where theitems in brackets indicate optional requirements:• The “Prologue” field consists of up to three bytes, where the first byte (PCB) is mandatoryand the two other bytes (CID and NAD) are optional.• The “Information” field is optional. If present, it comprises 11 to 253 bytes (INF).• The “Epilogue” field consists of two mandatory bytes for the “Error Detection Code”(EDC).Figure 27.15 Structure of a T = CL block frame.PCB1 byteCID NAD1 byte 1 byteINF11 to 253 bytesEDC2 bytesPrologue field Information field Epilogue field27.3.2 Physical interfacesThere exist different interfaces in the smart card environment. The ‘universal asynchronous receivertransmitter’ (UART) is the most used interface for data exchange. There also exist the ‘universalserial bus’ (USB) and, for special cases, radio frequency waves. The UART and the USB areinvestigated in the following sections.27.3.2.aUARTThe UART enables hardware supported data transfer at the serial I/O line. In former smart cardarchitectures, the software, in conjunction with the OS, exclusively handled the process of transmittingand receiving data. This was sufficient as long as the desired baud rate did not exceedapproximately 111 Kb/s. However, with higher rates, the received bits could not always be identifiedas valid, since the verification time was too short. An error-free communication was then nolonger possible.Today’s smart card applications are becoming more complex. Apart from the increasing baud ratementioned above, the security requirements, like cryptographic algorithms, need CPU time for theircomputation. Another factor is the possibility of several applications running simultaneously duringa card session. These developments result in an increasing effort by the CPU, OS, and software tomanage all requests in a satisfactory manner.Using a UART is an efficient solution to increase the speed of data exchange without loading theCPU (see Figure 27.16). The hardware and software, for the UART implementation and control,are of a manageable size. The UART decouples the CPU from direct I/O data handling duringcommunication. In this way, high baud rate can be achieved without decreasing the speed of therunning applications. The UART autonomously organizes the transfer via the I/O lines, and, when

664 Ch. 27 Smart Cardsnecessary, prepares the data for the CPU. Also, there is a UART extension for direct memory access(DMA) operation. The function allows the UART to exchange the data with the memory withoutassistance of the microprocessor.Figure 27.16 Example for an UART environment.I = HJ? = H@ F H ? A I I H, ) ) 4 * 16 - 44 ) 6 A H E = , A L E? AI A HE= 1@ = J=7 ) 4 6 + 2 7F A HEF D A H= > K I27.3.2.bUSBThe universal serial bus (USB) specification [USB] is a standardized peripheral connection developedin 1995 by leading companies in the PC industry. The major goal of USB is to define anexternal expansion bus, which makes adding of peripherals to a PC as easy as possible. In thesmart card world, the USB interface serves as a high speed connection between smart card chip andexternal peripheral components.With an implemented USB interface, the same smart card chip can be used for communication(card and reader).The employment of a standard smart card chip on the reader side leads to a cheaper system, sincedeveloping one chip for both sides reduces the costs. This results in a shorter development period.A standard USB interface consists of three components: the Interface Logic, the Serial InterfaceEngine, and the USB Transceiver. The transceiver (see Figure 27.17) transforms the differentialsignal at ports D+ and D- into traditional digital logic.27.4 Types of smart cards27.4.1 Memory only cards (synchronous cards)This is the first type of card to be widely used. The prepaid telephone cards mentioned in theintroduction are an example of this type of card. The data required for the applications are stored inthe EEPROM memory (EPROM for the first cards). In the simplest case the cards use memory thatcan only be written once, and after use, the memory is deleted and made inoperable (the ThomsonST1200 SGS, introduced in 1983 for the French telephone card, worked in this way). The additionof a security logic device allows more control over the memory access. There now exist morecomplex memory cards, which can perform simple encryption.

§ 27.4 Types of smart cards 665Figure 27.17 Example for an USB interface.7 5 * 6 H= I ? A EL A H - 5 2 - - ,8 . 5 - 8 2 , , 5 J= JK I E? H ? JH A H1 JA HB= ? A* K BBA HI1 JA HB= ? A C E?+ JH , = J=7 5 *5 A HE= 1 JA HB= ? A- C E A4 + 88 28 These types of cards are easy to use, the electronics are simple, the chip is small, and the priceis low. However, memory space and flexibility are limited, and they are not adapted to securityapplications.27.4.2 Microprocessor cards (asynchronous cards)These cards are equipped with an “intelligent circuit”: a processor connected to memory blockscapable of carrying out complex calculations. The added functionality of the microprocessor allowsfor higher security and application choices. However, as a result, these cards are larger and morecomplex. It is possible to connect other devices to the microprocessor for communication, specialoperations or security. Figure 27.18 shows many of the possible components that can be added tothe microprocessor card. In smart cards, there are many different types of microprocessors. All ofthem function as a secured unit, protected from unauthorized access.Figure 27.18 Components of the microprocessor.Timers UART CPUCryptoDeviceBusSecuritySensorsROMRAMEEPROM

666 Ch. 27 Smart CardsTable 27.19 Characteristics of CISC and RISC based processors.CISCExtensive instruction setComplex and efficient machine instructionsAdvanced instructions microencodedExtensive addressing capabilities for memory operationsFew registersRISCSmall instruction setSimple instructionsHardwired machine instructionsFew addressing modesMany registersAll microprocessors (and most computers) employ the principle of stored program digital computer.This means that data and instructions, which are stored in a memory area, must first be loaded intoregisters. Then the central processing unit, CPU, operates on these registers and places the resultsback into the memory areas.The CPUs used in smart cards are usually built around proven modules from other applications.Many CPUs are based on the CISC (complex instruction set computer) architecture, which requiresseveral clock cycles per instruction. However, CPUs based on the RISC (reduced instruction setcomputer) architecture are becoming more common. Table 27.19 shows the different characteristicsbetween the CISC and RISC type processors. Many current CISC type processors are based oneither one of the two main families: the Intel 8051 or the Motorola 6805 family. Manufacturers,such as Philips, Infineon, and ARM, take the base design of either a CISC or RISC processor andadd their own functionality as needed.The processing speed of the smart card is controlled by a clock circuit normally set to 5 MHz.Modern smart card processors use clock multipliers (by two or four) to increase this operating clockspeed for internal calculations. Using clock multipliers, smart cards are able to operate at speedsbetween 20 and 48 MHz.The area occupied by the microprocessor on the chip has a big influence on its manufacturingcosts and its resistance to bending and shearing forces. Therefore, effort is made to reduce thechip’s size as much as possible. The chip’s surface area must be less than 25 mm 2 . Using currentchip technology, 0.25 or 0.30 µm, this means that the microprocessor contains between 150, 000 and200, 000 transistors. Future microprocessors will be produced using newer 0.18 µm technology.To provide additional functionality to the smart card, manufacturers add specialized processorsand coprocessors to perform only specific tasks. The next section takes a closer look at coprocessorsin smart cards.27.4.2.aCoprocessorsCoprocessors are used on the majority of current chips for special operations and to optimize standardoperations. Among those used for cryptography are:• a coprocessor for DES encryption/decryption,• a random number generator coprocessor: allows the use of random values in algorithms,• an arithmetic coprocessor: dedicated to arithmetic operations (modular operations) onlong integers; for example, 160-bit or longer integers.An arithmetic coprocessor element is essential for asymmetric cryptography algorithms such asDSA, ECDSA, etc. Now there are more coprocessors that are not only optimized for RSA operationsbut also for elliptic and hyperelliptic curves operations. The first ECC cards started to appear around2001 and 2004 the first smart card using HEC was produced.

§ 27.4 Types of smart cards 667Adding such coprocessors has a significant impact on the cost of the chip, increasing it by as muchas a factor of ten. This being the case, one may wonder why with increasingly powerful processorsit continues to be necessary to add coprocessors. But at the same time, cryptographic algorithmsrequire longer keys to keep them secure, so coprocessors are likely to remain necessary for highperformance cards.

Chapter ¾Practical Attacks on Smart CardsBertrand Byramjee, Jean-Christophe Courrège, and Benoît FeixContents in Brief28.1 Introduction 66928.2 Invasive attacks 670Gaining access to the chip • Reconstitution of the layers • Reading thememories • Probing • FIB and test engineers scheme flaws28.3 Non-invasive attacks 673Timing attacks • Power consumption analysis • Electromagnetic radiationattacks • Differential fault analysis (DFA) and fault injection attacks28.1 IntroductionFrom the very first use of cryptography, people have always tried to decrypt enciphered messagesin order to gain access to the sensitive and hidden information. We have seen, in the mathematicalpart of this book, different signature or cipher schemes based on the use of elliptic or hyperellipticcurves. These are considered to be secure from a theoretical point of view if the parameters are wellchosen.But, as far as a cryptosystem can be theoretically secure against actual cryptanalysis, in real implementations(for instance, in a smart card), it faces other threats than the mathematical ones; inparticular side-channel attacks, SCA for short. As we have seen in the previous hardware Chapter27, a smart card is very complex with many constraints such as speed and storage limitations.Side-channel attacks exploit the behavior of the chip while computing. Analyzing power consumption,Electromagnetic Emissions, calculation time, reactions to perturbations and fault injections,can reveal information on secret keys present in memory.In this chapter, we are first going to deal with invasive attacks, which can be considered the mostdetectable because they partially modify (or destroy) the product. Then we will discuss non-invasiveattacks, which can be performed on elliptic and hyperelliptic curves including: timing attacks, poweranalysis, electromagnetic analysis, and differential fault analysis.669

670 Ch. 28 Practical Attacks on Smart Cards28.2 Invasive attacksThe techniques in the following discussion originate from the failure analysis domain, but havealso been used to attack electronic devices such as smart cards. We are not going to discuss indetail the most sophisticated types of attacks due to cost constraints and the complexities involved.For more details on these techniques we refer the reader to [MFA 2004]. Equipping a laboratoryis very expensive, typically costing several million US$. However, price is less important as it ispossible to rent a full laboratory station. Depending on the complexity of the work involved and theavailable knowledge of the chip being targeted, it can take many days or even weeks of work in avery specialized laboratory (see [CAMB]and[KÖKU 1999] for more details). Moreover, the ownerof the card should notice these attacks in most cases because of the (partial) destruction of the smartcard, and warn his provider. Nevertheless, it is important to bear in mind that such attacks couldfatally undermine an entire security system. For instance, shared master keys should not be presentinto a card; in that case only the secret proper to the card attacked could be extracted.28.2.1 Gaining access to the chipRemoval of the chip module from the card in order to connect it in a test package is quite easy; witha sharp knife, simply cut away the plastic behind the chip until the epoxy resin becomes visible.A smarter solution is to heat the card. This softens the glue of the chip which can then easily beremoved by bending the card.Once the chip module has been separated from the card, any remaining resin must be removed.A number of techniques are available depending upon the nature of the coating and of the targetedresult (e.g., keep the module functional or not).For instance, dropping fuming nitric acid completely dissolves the resin after a while. The processcan be accelerated by heating the nitric acid. Then, the chip is plunged into acetone in order to washit, followed by a short bath in deionized water and isopropanol.Functional tests have proven that nitric acid damages neither the chip nor the EEPROM content.This is important as protected information is stored in non-volatile memory.The chip is now ready for reconnection into another package, with fine aluminum wire, in a manualbonding machine. Now that access to the chip has been gained, analysis of the microelectroniccharacteristics can begin.28.2.2 Reconstitution of the layersThe next step of the invasive attack involves reverse engineering the chip layout. This type of attackcan be sufficient to provide direct access to sensitive data in the memory. It can also give rise tomore complex scenarios such as micro-probing of critical signals or chip reconfiguration. Reverseengineering mainly consists of removing layers sequentially. The oxide layers can be selectivelyremoved using a plasma machine, or chemically (for instance, fluoric acid). Metal layers are alsochemically etched (for example, chloric acid for aluminum lines). Polishing techniques can also beused.Images of each layer can be made using an optical or electronic microscope. Then by combiningthese images it is possible to regenerate the layout of the device (or at least a part of the device).Once the different layers and interconnections between them have been rebuilt, it becomes possibleto regenerate the electronic schemes of the chip and so to explain how it really works.In Figure 28.1, on the left, there is a top view of a chip with all the metal layers (3 layers). On theright, this is the same chip , but after removal of the upper metal layers.

§ 28.2 Invasive attacks 671However, even if a complete reverse engineer of a circuit is possible, the increasing complexity ofdevices can make this quite unrealistic.Figure 28.1 Reverse engineering, layer observation.28.2.3 Reading the memoriesIn the previous section we explained that it is possible to determine the electric design of the circuit.In the same way, non-volatile memory contents can be “directly” read. Nevertheless, the remainingeffort depends upon the kind of memory or the scrambling of the memory plan. In a ROM, forexample, reading of the bits’ values can be performed directly by optical observation of the firstmetal layer in the case of hard-wired memory. For diffused memory it will be necessary to reachthe bulk level (lift off all layers until reaching the active one). Then, additional selective etchingtechniques could be necessary to highlight the diffusion area. In case of canal-implanted ROMs,dopant-selective crystallographic etching techniques or AFM (atomic force microscope) would beneeded, cf. [BEC 1998].In Figure 28.2, on the left, there is a view of the ROM before chemical treatment. On the right,this is the same ROM, but after chemical operation. The dark spots indicate the transistors set totransmit 0 volt by ion implantation (the bit is equal to 0). The bright spots indicate the transistorsset to transmit 5 volt (the bit is equal to 1).Other non-volatile memories such as EEPROM, Flash, and FRAM can, theoretically, be read bysimilar techniques. Nevertheless, because of the nature of the data coding, it is much more difficultto achieve the sample preparation without losing part of the memory content.Finally, in most smart card products, the memories are fully scrambled and sometimes encrypted.So even if it is possible to access the memory, it is also necessary to completely rebuild the scrambling/cipheringprocess.28.2.4 ProbingPrevious sections deal with directly obtaining information through reverse engineering. But theseanalyses are intrinsically useful for additional attack paths such as the probing of internal signals.Indeed, if it is possible to observe data flow into internal buses then one can gain direct access to

672 Ch. 28 Practical Attacks on Smart Cardssensitive data. Different kinds of techniques can be used to observe the internal signals: galvanicprobing (using a probe station cf. Figure 28.3); voltage contrast on a scanning electron microscope(SEM) or even light emission during transistor flips.Figure 28.2 Crystallographic attack.Figure 28.3 Microprobing station.28.2.5 FIB and test engineers scheme flawsAttackers also have a lot of interest in focused ion beam (FIB) workstations. This useful tool isa vacuum chamber with an ion gun (usually gallium), which is comparable to a scanning electronmicroscope. A FIB can generate images of the surface of the chip down to a few nm resolutionand operates circuit reconfiguration with the same resolution. The first basic usage consists inincreasing the “testability” of the circuit by managing access to deep internal signals. The FIB

§ 28.3 Non-invasive attacks 673could be used to add test pads (probing) on critical signals. But the FIB can also be used to modifythe internal behavior of the device by changing the internal connections. Finally, FIB is used tofacilitate physical analysis of the device by making localized cross sections.Figure 28.4 shows some typical FIB modification results. On the left, the image shows the creationof a connection between the second metal layer and the third one with a platinum strap. Onthe right the image has been annotated to explain what has been done in this FIB manipulation.Figure 28.4 FIB circuit modifications.It is clear that such equipment presents a security threat to smart cards. It is possible, for instance,to disable security sensors. In particular it can be used to bypass some layout protections such asactive shields.It can also be used to rebuild a security fuse that has been blown after test during manufacture.We have seen above that some invasive attacks can be performed in order to access sensitive data.Nevertheless they are very expensive in terms of time, resources, and equipment. In addition,technological advances are enabling the design of more and more complex and compact circuits,increasing the difficulty of such attacks as a side effect.28.3 Non-invasive attacksNon-invasive attacks destroy neither the chip nor damage the packaging around it. So, they are lesslikely to be detected by the owner of the card. They are extremely dangerous for this reason and alsobecause the equipment needed to perform them is relatively inexpensive. Smart cards are nowadaysutilized in many security domains and applications: bank cards, mobile communication and secureaccess, etc. Thus, groups of attackers or illegal organizations could create laboratories in order toprocess such attacks on the different products that are widely available within our society.28.3.1 Timing attacksMost of the programs and the code naturally designed contains conditional branching operations.Therefore, algorithm implementations have no constant time and thanks to these variations, it ispossible to retrieve information. That is why the running time of an algorithm can constitute aside channel and give information on data operated during computations, which is the principle of

674 Ch. 28 Practical Attacks on Smart Cardstiming attacks. In 1996, taking advantage of the variation in the algorithm execution time as a resultof input changes, Kocher performed the first timing attacks on real PC implementations of severalcryptographic algorithms (RSA, DSA, etc), cf. [KOC 1996].The first timing attack on smart card was performed in 1998 by Dhem et al. in [DHKO + 2000].Take for example, the following algorithm computing a reduction modulo the secret integer N:Algorithm 28.1 Modular reductionINPUT: Two integers x and N of size respectively l 1 and l 2 bits with l 1 >l 2.OUTPUT: The integer x mod N.1. t ← 2 l 1−l 2× N2. for i =0 to (l 1 − l 2) do3. if x t then x ← x − t4. t ← t/25. return xAs one can see in this algorithm, if x is not greater than the integer t, Line 3 is not computed.Where x t the calculation takes longer and it is possible to deduce information on the value ofthe number x, particularly, the bit at the ith step. The attacker will analyze the running times ofdifferent computations of known or chosen messages in order to recover the modulus N.Although it is an efficient attack, it’s quite easy to thwart by implementing constant time algorithms,for instance by doing dummy computations.For example, the following reduction algorithm will avoid timing attacks:Algorithm 28.2 Modular reduction against timing attacksINPUT: Two integers x and N of size respectively l 1 and l 2 bits with l 1 >l 2.OUTPUT: The integer x mod N.1. t ← 2 l 1−l 2× N2. for i =0 to (l 1 − l 2) do3. if x t then x ← x − t4. else u ← x − t [dummy computation]5. t ← t/26. return xIn this reduction algorithm, the subtraction is always computed, but the result is discarded in thevariable u if the computation is not relevant for the reduction.Moreover, nowadays, smart cards can prevent such attacks thanks to hardware countermeasures:dummy cycles, internal clocks, etc. To summarize, the cryptographic programmer has to implementalgorithms in such a way that their execution times are independent of the input data. So, a timingattack proof algorithm is constant in time and, therefore, always longer than an efficient algorithm.This type of attack has not been detailed here but they are not the most used against smart cards.For further details, we refer the interested reader Koeune’s Thesis [KOE 2001]. Moreover, almostno timing attacks against ECC or HEC have been published yet, mainly because power analysisattacks, which have been deeply studied, are more powerful. Moreover, power consumption of thesmart card gives more information about the secret key than the running time and can be more dif-

§ 28.3 Non-invasive attacks 675ficult to thwart. In [KAKI + 2004], the authors give an example of attacking hyperelliptic curves.Nevertheless, the attack is not really practical as only the general case is implemented in hyperellipticcurves on smart cards, whereas the attack is based on degenerated cases.28.3.2 Power consumption analysisKocher, Jaffe, and Jun first presented the idea of using the measure of power consumption of anelectronic device to retrieve information about the secret keys inside a tamper-proof device. In[KOJA + 1999], Kocher et al. described two methods for extracting the keys, which they namedsimple power analysis (SPA) and differential power analysis (DPA).An electronic device such as a smart card is made of thousands of logical gates that switch differentlydepending on the complexity of the operations executed. These commutations create powerconsumption for a few nanoseconds. Thus the current consumption is dependent on the operationsof its different peripherals: CPU, cryptographic accelerators, buses and memories, etc. In particular,during cryptographic computations, for the same instruction, the current consumption changesif the value of registers and data processed are different. Simply monitoring the power consumption,eventually followed by a statistical treatment, one can expect to deduce information on sensitive datawhen they are manipulated. With some experience and knowledge on the cryptographic algorithms,such analysis can be applied to many smart cards.To mount these attacks the necessary equipment is a numerical oscilloscope, a computer, and amodified card reader to communicate with the card. For the most complicated attacks (such as DPA)other softwares are also necessary: to acquire the consumption curves, to treat the curves (signalprocessing), and process the attack (see Figure 28.5). So, nowadays the setup required to attackrecent devices is still affordable for small organizations.Figure 28.5 Setup for power analysis.Oscilloscope+5VI/OComputer50 Ω11 0011 00Smart Card28.3.2.aSimple power analysisSPA needs only a single observation of the current consumption curve. The attacker can find informationjust by looking carefully at the curve representing the execution of a cryptographic algo-

676 Ch. 28 Practical Attacks on Smart Cardsrithm. This is carried out by a detailed analysis of the curve. The power consumption curve of asmart card is different according to the executed instruction and data manipulated. For instance, amultiply instruction executed by the CPU needs more clock cycles than a XOR operation, or in acircular rotation operation, where the value of the carry could be observed.As the implementation variants are limited and mainly known for a given algorithm, an attackercan deduce the structure of the implementation (from the sequence of double and add, the attackercan find which coordinate system is used during the computation of Q =[n]P on an elliptic curve).With a straightforward implementation of a cryptographic algorithm, he can perhaps determine lotsof details about it, for instance, to see precisely when the key is used and finally to retrieve all thebits of the key.For example, we can analyze the scalar multiplication of [n]P for a smart card using the doubleand add algorithm. If n is the secret exponent, an attacker monitoring the power consumption of thesmart card can guess the bits of n with a single curve. Moreover, with some experience it is easy toknow if the trace is a double or an addition. Furthermore, an addition should consume more than adouble (at least for projective coordinates). In any case, as it is not possible in the double and addalgorithm for two additions to be consecutive, it must be two doubles. So the attacker can guesswhen a bit of n is a zero or a one and with the whole consumption curve discover all the secretexponents.This general technique can be performed against implementations of elliptic curves scalar multiplicationbased on the double and add algorithm with affine or projective coordinates. In a moregeneral way, every algorithm that treats the bits scanned of the secret parameter differently if itequals zero or one, is vulnerable to simple power analysis. In the same way, it is obvious that SPAcan also be efficient against implementations of hyperelliptic curves.Techniques to counteract SPA are quite simple and generally implemented nowadays by programmers.For instance a solution is to avoid conditional branching operations or to compute thesame operations in all cases. Unfortunately, that mean slowing down the overall execution time anda compromise must be found between timing and security.In the following the double-and-add-always algorithm is protected against a SPA attack:Algorithm 28.3 Double and add alwaysINPUT: A point P and an integer n =(n l−1 ...n 0) 2.OUTPUT: The point Q =[n]P .1. Q ← P2. for i =(l − 2) down to 0 do3. Q 0 ← [2]Q4. Q 1 ← Q 0 ⊕ P5. Q ← Q li6. return QAnother generic countermeasure is the use of the Montgomery ladder Algorithm, [JOYE 2000].This can be viewed as a variant of the double and add algorithm, since point doubling and additionare performed for any input bit. Some other elliptic forms have been proposed, like the Jacobiform [LISM 2001] and the Hessian form [JOQU 2001], and as we have seen in the mathematicalpart, they have the same formulas for adding and doubling. Unfortunately, they are excluded fromrecommended curves by standards, such as NIST or Certicom curves, as their order is a multiple of4 or 3, respectively.

§ 28.3 Non-invasive attacks 677Manufacturers also try to make SPA more difficult by including hardware countermeasures. Wecan quote the most frequently used: noise generators, dummy cycles, clock jitters, power filtering,variable frequency oscillators, and trying to make instructions cycles consuming identically.28.3.2.bDifferential power analysisAs we said above, DPA was first introduced by Kocher et al. Nowadays any symmetric or asymmetricalgorithm implementation can be threatened by DPA including computations based upon ellipticand hyperelliptic curves.Today most chips are designed in CMOS technology. The power consumption depends mainlyon the number of cells switching at a given time. Consumption for an instruction varies dependingon the Hamming weight of the data manipulated. For instance, consider a multiplication operationbetween two registers. The power consumption needed for this operation is different if most of thebits equal zero compared to the case where most of the bits are equal to one. Thus for the sameoperation the chip power consumption varies according to the data manipulated, for instance a XORbetween 0x33 and 0x01 will not have the same power consumption as a XOR between 0x33 and0xFF.DPA uses statistics to amplify and reveal these differences that cannot be easily exploited andseen with SPA. To be performed DPA requires several hundreds or even thousands of power consumptiontraces corresponding to the computations of the algorithm in the smart card. The aim is toretrieve information on the key used at each of these executions. Therefore other software has to bedeveloped for signal processing and computing the differential traces. Of course, DPA works onlyif the key or the secret parameter the attacker wants to retrieve is constant during the monitoring ofthe power consumption traces.Principle of an attack on an algorithm FLet F (K, M) be a cryptographic algorithm, with a key K on a message M.An attacker collects many consumption curves C i of the execution of F (K, M i ) on the smartcard for k (random or chosen) known messages M i for i =1,...,k. Then the attacker wants toguess bits of the secret key used. He makes a supposition on the bits and uses these to generatesome intermediate values of the algorithm. Then he supposes that at an instant t in the algorithm(corresponding to certain cycles of operation) the data will vary depending on the value of some bitsof K: for instance l bits of K. At this instant t the value computed in the algorithm is D(M i ,K 1...l )with D(.,.) a known function. With this function the attacker wants to separate the curves in twosets G 0 and G 1 where basically:• G 0 = {C i | at instant t the power consumption is low (D(M i ,K 1...l ) and has one (orseveral) bit(s) to zero)}• G 1 = {C i | at instant t the power consumption is high (D(M i ,K 1...l ) and has one (orseveral) bit(s) to one)}Then by subtracting the means of the two groups for each supposition we obtain 2 l differentialtraces T j , with j =0,...,2 l − 1. For the correct guess h the trace T h will show many peaks ofconsumption. Indeed only in this case the separation will create two groups of different averageconsumptions. Basically one can choose a bit of D(M i ,K 1...l ) to make the selection if it equalsto zero (G 0 ) or not (G 1 ) but many more evolved methods exist to select the curves into sets and toprocess the attack.To perform such an attack we need to know the value of inputs and the structure of the algorithmimplemented.

678 Ch. 28 Practical Attacks on Smart CardsWe observe that in ECDSA or in HECDSA, the scalar multiplications are not vulnerable to DPA,indeed at each signature step it takes a new random scalar to undertake it. However, DPA can bemounted on elliptic curves; an example is the attack against the EC ElGamal type encryption byCoron [COR 1999]. The attacker knows (or guesses in SPA) which algorithm is used to perform thescalar multiplication. Let the double and add be the algorithm used by the smart card.Figure 28.6 DPA example on DES: correct supposition (left) and wrong supposition (right).Let P 1 ,...,P j ,...,P k be k random points on the curve. The attacker knows for instance the first bitof the exponent, generally it equals 1. Then he wants to guess the next one. Either it equals to 1 andthen the card computes C j =[3]P j or not and then [3]P j will never be calculated. So, the attackerwants to verify its supposition. He collects k curves C 1 ,...,C k corresponding to the computations[n]P 1 ,...,[n]P k by the card. He divides the power consumption curves C 1 ,...,C k collected intotwo groups G 0 and G 1 according to a chosen (or many) bit(s) of [3]P j (most significant or leastsignificant for instance) or to the hamming weight of a byte of [3]P j . If the difference between themeans of the two groups is not zero then we observe peaks of consumption and we know that [3]P jhas been computed. This means that the second bit of n equals one.Where Figure 28.7 shows a significant peak (it reveals at the same time the moment in the algorithmwhen [3]P j is computed or used in the next computation), the bit is equal to one. The attackerthen guesses the third bit of n: if this bit is equal to one, [7]P j is computed and not otherwise. Byrepeating this attack until the last bit of n he can recover the whole secret key.The same attack can be used against the double and add always algorithm (see Algorithm 28.3) tofind the second bit of n, indeed the attacker does not exploit the value [3]P that is always computedbut the value [6]P that is computed in the next step only if the second bit is one.Similarly the Montgomery ladder algorithm can be attacked in DPA; either the second bit is oneand the value [7]P will be computed by the smart card, otherwise it is equal to zero and the value[5]P will be computed. Differential traces are computed for the value [7]P and [5]P and the traceshowing peaks will indicate the right supposition, cf. Figure 28.8.To speed up the attack, instead of guessing the key bit per bit, the attacker can guess k bits butmust check 2 k hypotheses. It is also the case if sliding window methods are implemented.

§ 28.3 Non-invasive attacks 679Figure 28.7 Means for a correct ([3]P ) and a wrong guess on the 2-nd bit of n on the double andadd.Figure 28.8 Means for a correct ([7]P ) and a wrong guess ([5]P )onthe2-nd bit of n on Montgomeryladder.

680 Ch. 28 Practical Attacks on Smart CardsCountermeasuresAs previously, when we studied SPA, we can identify two types of countermeasures against DPA:hardware protections and software countermeasures.Since DPA is based on the ability of the attacker to predict one temporary variable of an algorithmby guessing a few bits of the secret key, a solution for preventing DPA is to randomize thevalue of the temporary variables of the algorithm with a random number. For elliptic curves thepossibilities are numerous: randomizing the scalar n and randomizing the coordinates (projective,Jacobian, etc.), blinding of the message [COR 1999], random elliptic curve, or field isomorphism[JOTY 2002].Hardware countermeasures are included in the chip design. We presented some of them in theSPA paragraph, the effects are mainly desynchronization of the curves and more noise in the signal,so reducing the efficiency of the attack. However this kind of countermeasure might be sometimesbypassed by signal processing techniques and by increasing the number of curves and messages.Then more powerful countermeasures are appearing: dual rails encoding should theoretically eliminatethe correlation between the hamming weight of the data and the power consumption but suchdesigns increase the size of the chip and cannot always be used. Moreover the final chip can be stillsensitive to DPA for manufacturing reasons. Manufacturers can also replace synchronous technologyby an asynchronous one, in this case the consumption curve may be more difficult to exploit.Statistics have been studied to improve DPA and some techniques exist to decrease the numberof power consumption curves needed to perform the attack, see [COKO + 2001]and[BEKN 2003].In [BRCL + 2004] the authors present correlation power analysis attacks that exploit the correlationfactor and a linear model of consumption. These methods have been proven both theoretically andpractically as more efficient than classical DPA, but they must only be considered as an optimizationof DPA.28.3.2.cHigh order power analysisKocher et al. [KOJA + 1999] also present an enhanced type of DPA called high order DPA, HODPAfor short. We briefly introduce it in this paragraph. The idea is that instead of studying a singlemoment t in the algorithm corresponding to an interval T 1 of points in the consumption curve inDPA, one has to study many moments t 1 ,...,t n and then n intervals T 1 ,...,T n of points. Basically,for a second order DPA (n =2), the attacker predicts a few bits at these two different placescorresponding to two different intermediate values V 1 and V 2 of the computation of the algorithm.If those bits are “masked” with the same value, (i.e., XOR with this value), this “mask” can be eliminatedif a supposition is made on a combination of V 1 and V 2 value (XOR for instance). Then theattacker constructs for each power curve a new one equal to T 1 − T 2 (for instance) and performs theDPA with those new curves. Indeed, as seen by Messerges in [MES 2000a], “masking” a value isnot sufficient to protect DPA attacks. To be protected against high order DPA, several masks haveto be used, instead of just one.Even if HODPA is generally used against symmetric implementations, where countermeasuresare often based on masking methods, a theoretical second order DPA attack has been recently presentedin [JOY 2004] against the Additive Randomization countermeasure. However, high orderDPA is complex to set up and not so easy to use against most of the asymmetric algorithm countermeasures.28.3.2.dGoubin’s refined power analysis attackHere we will see how difficult it can be to secure elliptic curves and, even more, hyperelliptic curvesagainst power analysis. Indeed Goubin [GOU 2003], shows that even an algorithm protected againstSPA and DPA with the random (projective coordinates, random elliptic curves isomorphism, or field

§ 28.3 Non-invasive attacks 681isomorphism) countermeasures can still be vulnerable to DPA. We will only present the elliptic caseas the hyperelliptic case does not differ a lot. We will just give some remarks regarding that case.The idea of the attack is to find a divisor that, given a correct guess of a scalar bit during the scalarmultiplication, leads to the neutral divisor or at least one of its coordinates leads to 0. It, therefore,leads to a significant difference in the consumption traces.We will describe the attack on the protected double and add always algorithm, introduced in Section28.3.2.a, but the result would be similar with an algorithm that, for instance, uses Montgomeryladder method; for further details we refer the reader to [GOU 2003]. Let us assume that the attackerknows the most significant bits n l−1 ...n i+1 of the scalar multiplier and that the ellipticcurve E(F p ) contains a “special” point P 0 , we mean in that sense that one of its coordinates x or yis 0.In Algorithm 28.3, knowing a point P , the point Q at the end of the (l − i − 1)-thstepoftheloop is the following:⎡⎤∑l−1Q = ⎣ n j 2 j−i + n i⎦ Pj=i+1During the next step of the loop, depending on the value of n i , we have the two following cases:⎡⎤⎡⎤∑l−1∑l−1• if n i =0, Q 0 = ⎣ n j 2 j−i+1 ⎦ P and Q 1 = ⎣ n j 2 j−i+1 +1⎦ P .⎡• if n i =1, Q 0 = ⎣j=i+1∑l−1j=i+1⎤⎡n j 2 j−i+1 +2⎦ P and Q 1 = ⎣j=i+1∑l−1j=i+1Depending on the value of n i , we construct the point P 1 in the following way.If⎛⎞∑l−1⎝ n j 2 j−i+1 +1+2n i⎠j=i+1⎤n j 2 j−i+1 +3⎦ P .is coprime to |E(F p )|, which means no restriction, since |E(F p )| must be a prime number or a primenumber times a cofactor less than or equal to 4 for most standardized elliptic curves, then⎡⎛⎞⎤−1⎢ ∑l−1P 1 = ⎣⎝n j 2 j−i+1 +1+2n i⎠⎥mod |E(F p )| ⎦ P 0 .j=i+1Let us now assume that one of the DPA countermeasures discussed previously has been implemented.In that case the computation in the card of [n]P 1 will at the step (l − i) lead to a pointwith one coordinate equal to zero. We collect k curves C 1 ,...,C k of these computations, theseconsumption curves are different for repeated computations of [n]P because of the randomizationof the countermeasure. Then we compute the average traceT P1= 1 kk∑C j .If the guess for n i is correct then in all curves C j one coordinate at the step (l − i) equals 0 and thenwe can observe notable peaks due to its computation. In the same way, we can recursively recoverthe remaining bits n i−1 ,...,n 0 .j=1

682 Ch. 28 Practical Attacks on Smart CardsRemarks 28.4(i) For elliptic curves, special points do exist [GOU 2003].(ii) For hyperelliptic curves, these kind of divisors also exist, but in a different way. First, wecan achieve that attack with a divisor with 0 coordinates, which means that the degreeof the divisor is inferior or equal to g +1, g being the genus of the curve. This canbe well exploited, as in a smart card. All different cases cannot be implemented, andjust the more common case is actually in the card. Secondly, this attack can also workin the general case, if we choose a degree g divisor, having in Mumford representationits first polynomial with some 0 coefficients. Let us say, for a genus 2 curve, D =[u(x),v(x)] = [x 2 + u 1 + u 0 ,v 1 x + v 0 ], with u 1 =0or u 0 =0(choosing carefully thedivisor, we even can have v 1 =0or v 0 =0).We stress here to the reader that this idea has recently been extended by Akishita and Takagi in[AKTA 2003], to other points that do not contain a 0 among their coordinates but lead to 0 in theintermediate computation of the double or addition of a point.As Goubin’s attack is based on the prediction of the scalar multiplier and knowing the base point,a solution for preventing this attack can be to randomize the secret scalar or make it impossible tochoose the base point. So, the first two countermeasures of Coron [COR 1999] can be applied, inaddition to the third one (and for hyperelliptic curves also): randomizing the private exponent andblinding the base point. A better solution has been proposed by Smart using isogenies for ellipticcurves in [SMA 2003], but it is much slower to implement on a smart card.28.3.3 Electromagnetic radiation attacksElectromagnetic analysis (EMA) is quite similar to power analysis but we analyze here the electromagneticemanations of the chip instead of its power consumption.The threat through EM radiation leakage has been well known for a long time in visual displayunits and the use of EM against smart cards is not more complicated. At the beginning of thiscentury, some declassified U.S. Government Tempest documents [NSA] and preliminary claimsby researchers at international cryptographic conference rump sessions (such as Eurocrpypt 2000)made public the threat of EM radiation.The current consumed by the chip creates electromagnetic fields that can be measured with a specificprobe. Thus one can monitor the radiation emitted by a precise part of the chip on a numericaloscilloscope and analyze the signal obtained.Such analysis allows isolating and observing the activity of particular areas of the chip, dependingon the position of the probe on its surface. Thus countermeasures against power analysis could bebypassed by EMA. For instance, if an attacker wants to analyze elliptic curve computations he canplace its probe on the crypto accelerator to analyze its operations and consumption. In practice,however, this is not so easy. Better results could be obtained when the probe is placed on specificpower lines. Reverse engineering and a scanning of the chip can also give information on the bestplace to put the probe.The equipment needed for these attacks is not much more expensive than PA. The attacker needsone magnetic or electric probe, an amplifier and a system with precision movement. A careful studythat has shown efficient results [GAMO + 2001] has been made with very small (a few mm) butsimple hand made probes. These consist of small solenoids made of coiled copper wire.To refine the analysis of the EM radiations, one may need AM or FM demodulators which can bevery expensive [AGAR + 2003]. Techniques used in power analysis can be adapted to EMA: simpleelectromagnetic analysis (SEMA); differential electromagnetic analysis (DEMA).

§ 28.3 Non-invasive attacks 683However, cards secured against power analysis can be vulnerable to EMA. For instance, comparisonsof bytes that were not visible in the power curve could be seen in EMA; noise generatorsor dummy operations effects can be eliminated and then an EM curve contains more informationthan the power curve. Thus DEMA can be successful when DPA has failed. Accesses to memoriescan be observed, perhaps a dummy addition in the double-and-add-always algorithm can be seenbecause the memory treatment is different.The DPA software countermeasures that aim at preventing an attacker to predict intermediatevalues are still efficient against DEMA. However, hardware countermeasures against SPA can beinefficient against EMA and then specific countermeasures need to be added. It can take the formof shielding to contain or blur the emanation, by including a metal layer on top of the other layers,or by generating noisy fields.One can observe that EMA is not really a non-invasive attack, as is the DPA, but a semi-invasiveattack. Indeed to place the probe on the chip the card must be de-packaged. Keep in mind that theefficiency of these attacks is dependent upon the equipment, the quality of the EM probe, and theamplifier.28.3.4 Differential fault analysis (DFA) and fault injection attacksThe effects of faults and perturbations on electronic devices have been observed since the 1970s.The first faults were accidentally obtained because the chips were used in particular contexts such asin the aerospace domain. Later we observed that fault injections and perturbations into a componentduring computations could lead to information leakages and reveal sensitive data.The first attack, known as the Bellcore attack, presented by researchers from Bellcore, was publishedin[BODE+ 1997]. The authors use fault injection during a RSA CRT computation to recoverthe two prime factors that compose the public modulus. A few months later in [BISH 1997], Bihamand Shamir adapted this idea on symmetric algorithms. Basically, any kind of algorithm canbe threatened by fault attacks. Firstly considered as non-exploitable, these attacks are today a realthreat for smart cards. They must nowadays be considered very seriously and countermeasures mustbe added into products to protect them. These attacks are being increasingly studied because thepossibilities have not been fully exploited today.These attacks rely on generating errors in the chip during the execution of the algorithm. Then,the comparison between the genuine outputs and the outputs generated with errors gives informationon the key. For instance, for RSA using speedup based on Chinese remainder theorem, a key can beretrieved either with the knowledge of a faulty signature and a correct one, or with the knowledgeof a message and its erroneous signature. For an elliptic curve, the method is different: faults inthe base point or in the definition field lead to solving the discrete logarithm problem in easiersubgroups than in the original elliptic curve group.There are several techniques available to perform a fault attack. The most common types are presentedbelow:• Glitch attacks induce glitches on one of the contacts of the card: the VCC pad, theReset pad or the clock. A brief injection of power during computations can perturb acomponent behavior so that it will not return the right value. The equipment necessaryfor such an attack can be made of a pulse generator or a function and waveform generatoror a pattern generator. Nevertheless, for more precise attacks it can be necessary to usea very precise generator together with highly sophisticated synchronization systems inorder to perturb only chosen instructions during computation.

684 Ch. 28 Practical Attacks on Smart Cards• Light attacks have been presented by Anderson and Skorobogatov in [SKAN 2003].They used a simple camera flash placed on a microscope to focus light on the surfaceof the chip and then perturb it. More generally the principle is to use the energy of alight emission to perturb the silicon of a chip. Indeed, because silicon is very sensitiveto light, such an attack will create parasitic currents sufficient to perturb the electricalbehavior of the circuit. Contrary to glitch attacks, light attacks are semi-invasive becausethe card must be opened to allow light to reach the surface of the chip. The two mainways to process light attacks are the use of a camera flash, and for more precise andpowerful attacks one can use a laser.To illustrate these types of attacks, based upon [BIME + 2000], we present two ways to exploit flawsin implementing hyperelliptic curves.For further details on fault attacks, we refer the interested reader to [BACH + 2004, GITH 2004,CIE 2003].28.3.4.aFlaw in input pointsThis attack is a little bit different as it does not need to generate any faults. Indeed, the flaw exploitsthe fact that faulty points can be interpreted in order to find the key if the device does not checkthat the input points belong to the curve. Here, we will treat the example of a hyperelliptic curvefollowing [BIME + 2000].Let H be a genus 2 hyperelliptic curve , on F in the following equation:with:andH : y 2 + h(x)y = f(x) (28.1)h(x) =h 2 x 2 + h 1 x + h 0 ,h∈ F[x]f(x) =x 5 + f 4 x 4 + f 3 x 3 + f 2 x 2 + f 1 x + f 0 ,f∈ F[x] (28.2)We will denote J H the Jacobian of the hyperelliptic curve H and D = P 1 + P 2 − 2P ∞ a divisor ofJ H . We can assume that our divisor is of degree 2.As is well-known, not all the coefficients for elliptic curves are used in the formulas of additionand doubling. The same holds for hyperelliptic curves; in that case f 0 and f 1 are not used in explicitformulas, as we can see in Chapter 14.We choose D ′ = P 1 ′ + P 2 ′ − 2P ∞ , which is not a divisor of J H , but one of J H ′(with H ′ givenby (28.3)) such thatf 1 ′ = c 1 − c 2x ′ 1 − , f x′ 0 ′ = c 2x ′ 1 − c 1x ′ 22 x ′ 1 − x′ 2where, for i =1, 2c i = y ′ i2 + h2 x ′ i2 y′i + h 1 x ′ iy ′ i + h 0 y ′ i − x ′ i5 − f4 x ′ i4 − f3 x ′ i3 − f2 x ′ i2 .So, H ′ has the following equation:withH ′ : y 2 + h(x)y = f ′ (x) (28.3)f ′ (x) =x 5 + f 4 x 4 + f 3 x 3 + f 2 x 2 + f ′ 1 x + f ′ 0We calculate the cardinality of J H ′, and denote by r a small divisor of |J H ′|. Let D ′ 1 = |JH|r D′ ,it has order r. We know that with D ′ as an input, the output [n]D ′ is still in J H ′. Therefore, we

§ 28.3 Non-invasive attacks 685change the discrete logarithm problem from a secure hyperelliptic curve into the discrete logarithmproblem in a subgroup of order r. We found a value n ′ such as n ≡ n ′ (mod r). Then, thanks tothe Chinese remainder theorem cf. Section 10.6.4, we repeat that operation with other input divisorsuntil we have enough r such that ∏ r>ord(D).Note that this algorithm is even more efficient if, instead of choosing the divisor D ′ ,wefirstchose the hyperelliptic curve H and then compute the divisor. In the case of an elliptic curve, it isvery efficient as we can construct an elliptic curve. For hyperelliptic curves, it is still quite difficult,and no method is known to compute the cardinality in the general case. Algorithms are still underdevelopment cf. [GASC 2004a] and [MACH + 2002].28.3.4.bFlaw in output pointsThis time, creating a fault during the computation, we can recover the key, if the device does notcheck that output points belong to the curves.Actually, we can apply exactly the same method as previously described. Assuming that the inputis correct, we succeed in provoking a fault, just before the beginning of the computation of [n]D.Indeed, we assume that the correct input D has been provided, but while computing, the device hastaken a divisor D ′ that only differs from D in one bit. Therefore, reduce the problem the same wayas in Section 28.3.4.a, even if we do not know the divisor D ′ . Indeed, we first find a hyperellipticcurve H ′ , thanks to [n]D ′ and then recover D ′ as there are only a few possibilities.The authors in [BIME + 2000] also explain how to perform DFA attacks even if we don’t know theposition of the fault during the scalar computation. They basically calculate two different outputs,one correct and one faulty. Then they guess at which step of the loop of a double and add algorithmthe fault occurs further simulating the computation until the output point is produced. Doing that,they recover MSB or LSB block bits — depending on the choice of the algorithm — of the secretkey n. So, recursively, they recover the remaining bits with other random faults.Even though the way to find the secret scalar n is very different from the previous attack, it doesexploit the same characteristic: it uses faulty output points.Countermeasures against fault injection attacks are not always as easy as it seems to implementand can be time-consuming. Moreover, improvements on the fault injection techniques could succeedin bypassing insufficient countermeasures. Semaphores for critical parts of the programs aresometimes used, for instance, verifying that the final result computed belongs to the curve.

Chapter ¾Mathematical Countermeasuresagainst Side-Channel AttacksTanja LangeContents in Brief29.1 Countermeasures against simple SCA 688Dummy arithmetic instructions • Unified addition formulas • Montgomeryarithmetic29.2 Countermeasures against differential SCA 697Implementation of DSCA • Scalar randomization • Randomization of groupelements • Randomization of the curve equation29.3 Countermeasures against Goubin type attacks 70329.4 Countermeasures against higher order differential SCA 70429.5 Countermeasures against timing attacks 70529.6 Countermeasures against fault attacks 705Countermeasures against simple fault analysis • Countermeasures againstdifferential fault analysis • Conclusion on fault induction29.7 Countermeasures for special curves 709Countermeasures against SSCA on Koblitz curves • Countermeasures againstDSCA on Koblitz curves • Countermeasures for GLV curvesThis chapter has been influenced by Avanzi’s report [AVA 2005c], which provides an excellentoverview of side-channel attacks on curves and their countermeasures — including a historicalperspective. Also Joye’s chapter [JOY 2005] in[BLSE + 2005] has been a source of inspiration.For the most recent research on SCA one should consider the proceedings of the CHES workshopseries. A good overview with many links is the side-channel lounge [SCA LOUNGE].In Chapter 28 attacks against implementations of cryptosystems were introduced. For restricteddevices like smart cards it is possible for an attacker to derive side-channel information on the operationsperformed. This additional information can be the timing of the total operation or (moreprecise) the power consumption at different time points during the execution of the algorithm. Forthe introduction to side-channel attacks (SCA), we refer to Chapter 28. Here, we concentrate onsoftware countermeasures, i.e., different methods of implementing the same group operations insuch a manner that the information obtained from the side-channels is useless. Obviously, these687

688 Ch. 29 Mathematical Countermeasures against Side-Channel Attackscountermeasures apply only to non-invasive attacks, but these are the most likely to occur in practice.In applications, software and hardware countermeasures complement each other.In this chapter we provide alternative ways of performing group operations and of computingscalar multiplications on the Jacobian of elliptic and hyperelliptic curves in order to avoid sidechannelattacks. The main ideas of these mathematical countermeasures are as follows.• Against simple side-channel attacks (cf. Section 28.3.2.a, Section 29.1) make the informationuniform, i.e., independent of the operation performed.• To avoid differential side-channel attacks (cf. Section 28.3.2.b, Section 29.2) insert randomness,e.g., by modifying the scalar or by changing the internal representation.• To avoid Goubin type attacks (cf. Section 29.3) insert randomness but additionally oneneeds to ensure that there is no set of elements unchanged under these methods.• To detect and thwart fault attacks (cf. Section 28.3.4, Section 29.6) one should check thein- and output elements and also make sure that error messages leak no information.In Chapters 13 and 14 we have described the most efficient ways of performing group operationson the Jacobian of elliptic and hyperelliptic curves but on devices like smart cards that are used inhostile environments, security becomes the main issue. The solutions we present in the sequel tryto achieve security while keeping a certain level of efficiency. To avoid simple side-channel attacksthe easiest method described already in Chapter 28 consists of performing the double and alwaysadd Algorithm 28.3, which strongly decreases the efficiency but makes the side-channel informationuseless. Our countermeasures will be more efficient than this direct one. Furthermore, combinationsof different side-channel attacks have to be taken into account, for instance the double and alwaysadd algorithm is vulnerable against fault attacks and if the same scalar is used multiple times it doesnot provide any security against differential attacks.We like to stress that no perfect countermeasures exist. The situation is similar to classical (mathematical)attacks. One has to make an estimate of the attacker’s resources and abilities and designthe countermeasures in a way that the device can resist at least these attacks.For the time being there is no sound theory of side-channel cryptanalysis as this area is stillrelatively new. Hence, the implementor should carefully choose the most efficient countermeasurethe constraints like performance and chip area allow.This chapter is organized as follows: we first present countermeasures against simple side-channelattacks, then deal with differential and timing attacks and consider fault attacks. Finally we brieflystate additional approaches for special curves like Koblitz curves.For the scalar multiplication we assume that the result is computed by a sequence of additions,subtractions, and doublings by using addition chains. For full details and the windowing methodswe refer to Chapter 9. We fix the following notation: the secret scalar is denoted by n and one usesan expansion of length l given by (n l−1 ...n 1 n 0 ) b to some base b. Furthermore, as we are workingin the Jacobian of a curve, we assume that an addition and a subtraction need about the same timeunless we work on a very low atomic level. To give the number of field operations needed for thegroup operations we use the notation S to denote a squaring, M for a multiplication and I for aninversion.29.1 Countermeasures against simple SCAsimple side-channel attacks (SSCAs) obtain information from a single scalar multiplication by observingleaked information. We stress that also short term secrets like the nonces in signatures(cf. Sections 1.6.3 and 23.5.2) need to be protected as their knowledge is sufficient to obtain thelong-term secret key.

§ 29.1 Countermeasures against simple SCA 689To harden a cryptographic primitive against simple side-channel attacks one makes the observableinformation independent of the secret scalar. The attacker only sees a fixed sequence of operationsthat cannot be linked to the bits of n being processed. This can be achieved by one of the followingthree approaches: insert dummy arithmetic instructions, use indistinguishable or unified additionand doubling formulas, or apply Montgomery’s ladder for scalar multiplication. Furthermore, thesestrategies can be applied on different levels. We like to point out that some approaches belong tomore than one category and that this distinction is sometimes too strong. We explain the method inthat section where we deem it to be most suitable and give references in the other ones.29.1.1 Dummy arithmetic instructionsThe double and always add Algorithm 28.3 already mentioned in the introduction and in the previouschapter inserts dummy group additions such that after each group doubling one performs oneaddition. This is one example of inserting dummy operations on the top level. We also show how toinsert dummy field operations to make the observable information uniform and thus predictable.29.1.1.aDummy group operationsThe methods described here are universal and work for any group no matter how different additionand doubling are. However, the big drawback is that much more operations are needed — on averagel/3 additions or subtractions are used in a non-shielded implementation using an NAF of n, whichcompares to the fixed number of l additions needed with the double and always add algorithm. Forthe scalar multiplication methods used here we refer to Chapter 9.Obviously, this drawback is less dramatic when applied together with a (fixed) window scalarmultiplication algorithm. A width w expansion of n is given byn =⌈l/w⌉−1∑i=0n i 2 wi , where n i ∈ [0, 2 w − 1].The likelihood of zero coefficients n i is much lower than in a binary expansion and the absolutenumber of dummy group additions (inserted only if n i =0) is accordingly also much lower. On theother hand, these methods need storage, which is often a concern on the small devices we considerin this context.For curve-based cryptography where the negations are efficiently computable one might try tokeep the advantages of signed expansions. Hitchcock and Montague [HIMO 2002] provide amethod transforming an NAF into a sequence consisting of the fixed blocks DBL, DBL, ADD,which is achieved by inserting dummy additions and doublings. Compared to the unprotected NAFthis method needs 1.5 times as long in the worst case. On average 44% additions are saved comparedto the double and always add algorithm while 11% extra doublings are needed. The advantageof this method is that no storage is needed except for the dummy operations. If the negation couldbe detected, one more group element is needed to store the negative of the base. Alternatively onecould perform a negation before each addition that might be a dummy negation.Actually a similar but more efficient idea can be found in [GIE 2001]. The NAF representation ofn is grouped into double-bits from 00, 01, 0¯1, 10, ¯10. For each double-bit they perform 2 doublingsand one addition — which is not used only in the case of the double-bit 00. Thus, compared withthe NAF they started with, they have the same number of doublings but for every two coefficientsthey perform an addition instead of one only for one third of the coefficients. This leads to a densityof 1/2, which is much better compared to density 1 obtained above, using the obvious method anddoes not introduce a larger complexity except for a bit of bookkeeping. We like to mention thatthe computations of the two doublings and one addition can be interleaved to need fewer inversions

690 Ch. 29 Mathematical Countermeasures against Side-Channel Attacksin affine coordinates or to save some multiplications in other coordinate systems. This way thismethod differs from using a sliding windowing method with inserted dummy operations.As dummy operations can be detected by fault induction attacks (cf. Section 29.6), Möller proposedin [MÖL 2001a, MÖL 2001b] to use windowing methods with coefficients from [1, 2 w −1] ∪{−2 w } or [1, 2 w−1 ] ∪ [−2 w−1 − 1, −1] ∪{−2 w }. Okeya and Takagi [OKTA 2003] achieveexpansions without zero coefficients requiring storage of 2 w−1 elements. We like to point out thatthese methods do not use dummy operations, but we decided to mention them in this context as theefficiency is similar to the combination of dummy operations and windows of width w except thatone avoids the drawback of having (possibly detectable) dummy operations. If only the positivescalar multiples are stored one needs to pay attention that the negation cannot be detected. Thiscan be done by always inserting a negation that might be a dummy negation in case of a positivecoefficient.For elliptic curves, both methods can be combined with fast repeated doublings (cf. Chapter 13).For hyperelliptic curves it can be expected that such formulas will be published in the near future.In [IZTA 2002a], Izu and Takagi report on a parallel implementation resistant against simple poweranalysis using Möller’s coefficients. They additionally apply countermeasures against DPA attacks.29.1.1.bDummy field operationsOne can also introduce dummy operations on the low-level of field operations inside the groupoperations and achieve that the side-channel information is identical for group additions and doublings.As each group operation consists of several field operations, it can be expected that thisapproach leads to faster shielded algorithms compared to the ones of the previous section. On theother hand we need to point out that this way the total number of group operations is leaked by thetime the scalar multiplication takes. If the length of the scalar and, hence, the number of doublingsis known, this means that the Hamming weight of the used expansion is obtained by the attacker.For extreme low or high weight a brute force attack is possible. For attacks using this leakage werefer to [CAKO + 2003]. Note that this is less problematic if the method is combined with slidingwindowing techniques, as they tend to unify the Hamming weight of the scalar. Additionally, scalarrandomization techniques can be used to thwart differential attacks, and they change the Hammingweight, too.We now state the explicit formulas for elliptic curves first over binary fields and then in oddcharacteristic. For hyperelliptic curves we only give the references.For nonsupersingular binary elliptic curves (cf. Section 13.3.1.a) both a doubling and a groupaddition require I+2M+Sbut in a straightforward implementation they can nevertheless be distinguishedby the different sequences of operations. Let P =(x 1 ,y 1 ),Q =(x 2 ,y 2 ) be points onan elliptic curve E/F 2 d given byE : y 2 + xy = x 3 + a 2 x 2 + a 6 . (29.1)The formulas for addition and doubling differ mainly in the slope λ which is given by⎧⎪⎨λ =⎪⎩y 1 + y 2x 1 + x 2if P ≠ + − Q,x 1 + y 1x 1if P = Q.Then R =(x 3 ,y 3 )=P ⊕ Q reads x 3 = λ 2 + λ + a + x 1 + x 2 and y 3 = λ(x 2 + x 3 )+x 1 + y 2 .Based on these observations, in [CHCI + 2004] the following algorithm is provided, that allows usto compute an addition with the same sequence of field operations as a doubling by inserting onlytwo field additions. This is a very cheap countermeasure using dummy operations as field additions

§ 29.1 Countermeasures against simple SCA 691are the cheapest operations in a finite field. The input registers T 1 ,T 2 ,T 3 ,T 4 contain the x- andy-coordinates of the points P, Q ∈ E(F 2 d) and the left column is used for P ≠ + − Q while the rightone performs a doubling P = Q.Algorithm 29.1 Atomic addition-doubling formulasINPUT: The points P =(T 1,T 2) and Q =(T 3,T 4) on E(F 2 d).OUTPUT: The points P ⊕ Q or [2]P .Addition: P ← P ⊕ QDoubling: P ← [2]P1. T 1 ← T 1 + T 3 [x 1 + x 2] 1. T 6 ← T 1 + T 3 [fake]2. T 2 ← T 2 + T 4 [y 1 + y 2] 2. T 6 ← T 3 + T 6 [x 1]3. T 5 ← T 2/T 1 [λ] 3. T 5 ← T 2/T 1 [y 1/x 1]4. T 1 ← T 1 + T 5 4. T 5 ← T 1 + T 5 [λ]5. T 6 ← T5 2 [λ 2 ] 5. T 1 ← T5 2 [λ 2 ]6. T 6 ← T 6 + a 2 [λ 2 + a 2] 6. T 1 ← T 1 + a 2 [λ 2 + a 2]7. T 1 ← T 1 + T 6 [x 3] 7. T 1 ← T 1 + T 5 [x 3]8. T 2 ← T 1 + T 4 [x 3 + y 2] 8. T 2 ← T 1 + T 2 [x 3 + y 1]9. T 6 ← T 1 + T 3 [x 2 + x 3] 9. T 6 ← T 1 + T 6 [x 1 + x 3]10. T 5 ← T 5 × T 6 10. T 5 ← T 5 × T 611. T 2 ← T 2 + T 5 [y 3] 11. T 2 ← T 2 + T 5 [y 3]12. return (T 1,T 2) 12. return (T 1,T 2)The choice of the numbers of the extra registers was done in such a way that with a simple assignmentof two variables depending on the bit of the scalar, both group addition and doubling can beimplemented with the same algorithm using no if/else conditional branching.The big advantage of this idea is that only cheap dummy operations are introduced and that thescalar multiplication can make use of windowing techniques to have a sparse representation. Theabove algorithm can be modified to deal with subtractions, too, by inserting one more addition atthe beginning to change y 2 to y 2 + x 2 if necessary.For elliptic curves over fields of odd characteristic, a direct application of this method would implythat one needs to insert a dummy squaring in each addition as an addition needs I+2M+Swhile adoubling needs I+2M+2S. First of all, squarings take a non-negligible effort and furthermore, forthe environments we consider in this chapter, inversion-free coordinate systems are more useful. Tocircumvent this difficulty, [CHCI + 2004] introduce the concept of side-channel atomicity. Insteadof trying to make the group operations look identical, they split the operations into identical blocks,each consisting of one field multiplication (which could also be a squaring), one field addition, onefield negation, and one further field addition. An attacker can only observe a sequence of identicalblocks and cannot link them to the operation that is performed. For elliptic curves over F p d withp odd, [CHCI + 2004] implement a curve doubling in Jacobian coordinates using 10 blocks andan addition in 16 blocks. The computational overhead involved in this countermeasure is almostnegligible, introducing only a few further field additions and negations but no multiplications.The security is based on the assumption that real and dummy operations cannot be distinguishedand that multiplications cannot be told from squarings, which is often a valid assumption in oddcharacteristic. (This might not hold if higher order differential attacks can be used, cf. Section 29.4.)When the scalar multiplication is computed with these addition and doubling algorithms, it becomesa computation of a series of atomic blocks and the side-channel information becomes uniform. Thisdifference is visualized in the following two pictures. Figure 29.1 shows the view of the attacker

692 Ch. 29 Mathematical Countermeasures against Side-Channel AttacksFigure 29.1 Attacker’s view on algorithm.... ...Figure 29.2 Actual operations inside blocks.ADD 14 ADD 15 ADD 16 DBL 1 DBL 2 DBL 3 DBL 4 DBL 5... ...who only sees a uniform sequence of operations. In Figure 29.2 one sees that the first three stepsbelonged to an addition while the following ones show the beginning of a doubling.We do not state the original formulas in atomic blocks for odd characteristic but state a simplifiedversion in Algorithms 29.2 and 29.3. Unlike in the original version, we only list a ∗ to denote adummy operation while in [CHCI + 2004] the authors state the access to the registers by a uniformalgorithm in a compact representation given by a matrix. In total 10 registers are used to hold thevariables for doubling and addition and the dummy operations are performed by different registers.Our tables come from Mishra’s approach [MIS 2004a] to combine side-channel atomicity andpipelined implementations on two processors to achieve a high throughput. Also, he considersmixed additions, i.e., additions in which one point is in affine coordinates while the other is inJacobian. In Section 13.2.2 this was identified to be the fastest system for unprotected implementationsand using the cheap countermeasure of side-channel atomicity, Mishra obtains a very efficientpipelined implementation, which we detail in the following.We now list the algorithms for doubling in Jacobian coordinates and mixed addition. Like beforethe sequence of field operations is M, A, Neg, A,whereNeg denotes a field negation. A ∗ denotesa dummy operation of the respective type. Note that no dummy multiplications appear. The valueof the current variable is given in brackets. The intermediate point is stored in Jacobian coordinatesin (T 6 : T 7 : T 8 ) and the result is written back to these registers. The notation refers to theabbreviations used in Section 13.2.1.c.Algorithm 29.2 Elliptic curve doubling in atomic blocksINPUT: The point P i =(X i : Y i : Z i)=(T 6 : T 7 : T 8).OUTPUT: The point [2]P i =(X i+1 : Y i+1 : Z i+1) =(T 6 : T 7 : T 8).∆ 1. R 1 ← T 8 × T 8 ∗ ∗ ∗ˆZ2 i˜∆ 2. R 1 ← R 1 × R 1 ∗ ∗ ∗ˆZ4 i˜∆ 3. R 1 ← a 4 × R 1 ∗ ∗ ∗˜ ˆa4Z i4∆ 4. R 2 ← T 6 × T 6 R 3 ← R 2 + R 2 ∗ R 2 ← R 3 + R 2ˆX2 i˜ ˆ2X2i˜ ˆ3X2i˜

§ 29.1 Countermeasures against simple SCA 693∆ 5. T 8 ← T 7 × T 8 T 8 ← T 8 + T 8 ∗ R 1 ← R 1 + R 2[Y iZ i]ˆZi+1˜∆ 6. R 4 ← T 7 × T 7 R 2 ← R 4 + R 4 ∗ ∗˜ ˜22ˆYi ˆ2Yi ∆ 7. R 4 ← T 6 × R 2 R 4 ← R 4 + R 4 R 4 ←−R 4 R 5 ← R 4 + R 4˜ ˆ2XiYi2[A] [−A] [−2A]∆ 8. R 3 ← R 1 × R 1 T 6 ← R 3 + R 5 ∗ R 4 ← T 6 + R 4ˆB2˜ˆX i+1˜[X i+1 − A]∆ 9. R 2 ← R 2 × R 2 R 2 ← R 2 + R 2 ∗ ∗˜ ˜44ˆ4Yi ˆ8Yi ∆ 10. T 7 ← R 1 × R 4 T 7 ← T 7 + R 2 T 7 ←−T 7 ∗[B(X i+1 − A)][−Y i+1]ˆYi+1˜[B]Algorithm 29.3 Elliptic curve addition in atomic blocksINPUT: The points P =(T x,T y) and P i =(X i : Y i : Z i)=(T 6 : T 7 : T 8).OUTPUT: The point P + P i =(X i+1 : Y i+1 : Z i+1) =(T 6 : T 7 : T 8).Γ 1. R 1 ← T 8 × T 8 ∗ ∗ ∗ˆZ2 i˜Γ 2. R 2 ← T x × R 1 ∗ R 2 = −R 2 ∗[A][−A]Γ 3. R 3 ← T y × T 8 ∗ ∗ ∗[YZ i]Γ 4. R 3 ← R 3 × R 1 R 1 ← R 2 + T 6 R 1 ←−R 1 ∗[C] [E] [−E]Γ 5. T 8 ← R 1 × T 8 ∗ ∗ ∗ˆZi+1˜Γ 6. R 4 ← R 1 × R 1 ∗ ∗ ∗ˆE2˜Γ 7. R 2 ← R 2 × R 4 R 5 ← R 2 + R 2 ∗ ∗ˆ−AE2˜ˆ−2AE2˜Γ 8. R 1 ← R 4 × R 1 R 1 ← R 1 + R 5 R 3 ←−R 3 R 5 ← R 3 + T 7ˆ−E3˜ˆ−E 3 − 2AE 2˜[−C] [F ]Γ 9. T 6 ← R 5 × R 5 T 6 ← T 6 + R 1 ∗ R 2 ← T 6 + R 2ˆF2˜ ˆX i+1˜ ˆXi+1 − AE 2˜Γ 10. R 2 ← R 5 × R 2 ∗ R 1 ←−R 1 ∗ˆ−F (Xi+1 − AE )˜2 ˆE3˜Γ 11. T 7 ← R 3 × R 4 T 7 ← T 7 + R 2 ∗ ∗ˆ−CE3˜ˆY i+1˜If, instead, a subtraction should be performed, i.e., one wants to add the negative (−T x ,T y ),thiscan be incorporated as R 2 = −T x in Γ 1 and by replacing the first step of Γ 2 by R 2 = R 2 × R 1 .

694 Ch. 29 Mathematical Countermeasures against Side-Channel AttacksTable 29.3 EC-operations in the pipeline.DBL-DBL DBL-ADD ADD-DBLTime PS1 PS2 PS1 PS2 PS1 PS2k......k +1 ∆ (i)1 — ∆ (i)1 — Γ (i)1 —k +2 ∆ (i)2 — ∆ (i)2 — Γ (i)2 —k +3 ∆ (i)3 — ∆ (i)3 — Γ (i)3 —k +4 ∆ (i)4 — ∆ (i)4 — Γ (i)4 —k +5 ∆ (i)5 — ∆ (i)5 — Γ (i)5 —k +6k +7k +8k +9∆ (i+1)1 ∆ (i)6 Γ (i+1)1 ∆ (i)6 ∆ (i+1)1 Γ (i)6∆ (i+1)2 ∆ (i)7 Γ (i+1)2 ∆ (i)7 ∆ (i+1)2 Γ (i)7∆ (i+1)3 ∆ (i)8 Γ (i+1)3 ∆ (i)8 ∆ (i+1)3 Γ (i)8∆ (i+1)4 ∆ (i)9 Γ (i+1)4 ∆ (i)9 ∗ Γ (i)9k +10 ∗ ∆ (i)k +11k +1210 Γ (i+1)5 ∆ (i)10 ∆ (i+1)4 Γ (i)10∆ (i+1)5 ∗. Γ (i+1)6 ∗ Γ (i)11. ∆ (i+1)6 . Γ (i+1)7 ∆ (i+1)5 ∗Table 29.3 shows the pipelining for all 3 possible cases — 2 doublings in a row, a doubling followedby a mixed addition and a mixed addition followed by a doubling. This scheduling introducescomplete dummy blocks in the wait stages, but this is the usual drawback one needs to take intoaccount when using more than one processor. As in a scalar multiplication each addition is followedby a doubling, the last two columns always appear together. This implies that each group operationconsumes 6 atomic blocks, i.e., a scalar multiplication using an NAF of the scalar needs on average8 atomic blocks per bit of the scalar.Additionally, this method can be combined efficiently with windowing methods as the SCA resistanceis implied by the atomic block structure [MIS 2004b]. The generalization to genus 2 curveswas done in [LAMI 2004] in which the authors provide the expressions for performing parallel doublingor addition in atomic blocks. In even characteristic affine coordinates are chosen and due tothe large similarity of addition and doubling, each group operation is made one big atomic block.In odd characteristic new coordinates (cf. Section 14.4.2) are used and it turns out that the atomicblocks proposed for implementing elliptic curves remain optimal. These formulas also apply tononparallel implementations and achieve the lowest number of registers.Countermeasures inserting dummy operations are always vulnerable to fault attacks (cf. Section29.6). If the faults can be induced very precisely it may be possible to distinguish real fromdummy operations, as a fault in the latter does not influence the result. Nevertheless, these attacksare less likely for the quick dummy operations appearing in the atomicity approach, but they are areal threat in the double and always add algorithm.29.1.2 Unified addition formulasUsing unified formulas means that in the scalar multiplication algorithm the same set of formulasis invoked with different inputs. The operations are valid for both addition and doubling. To

§ 29.1 Countermeasures against simple SCA 695avoid leakage from the if/else instruction one should use arithmetic operations to schedule whichof the inner paths is taken in the few places where the formulas still differ. We point out that thesedifferences will not be between doubling and addition.So far such formulas have been obtained only for elliptic curves. There is some ongoing researchfor hyperelliptic curves but so far nothing is published. Hence, we concentrate on elliptic curves forthe remainder of this section.In the previous section we have shown how to make addition and doubling on a binary curveuse the same sequence of field operations, such that the side-channel information looks the same.There this was done by inserting dummy field additions. Here we achieve this aim without dummyoperations. We first deal with general elliptic curves over arbitrary fields and then consider countermeasuresfor more special types of curves.29.1.2.aUnified formulas for general curvesHere we consider elliptic curves given byE : y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 ,for a i ∈ F q , for some prime power q. By writing the slope λ in a different manner one can alsoobtain really unified addition formulas needing identical computations for addition and doubling.Building on [BRJO 2003]itisshownin[BRDÉ + 2004] that in arbitrary characteristic we have:λ = y 2 − y 1x 2 − x 1= y 2 − y 1x 2 − x 1y 1 + y 2 + a 1 x 2 + a 3y 1 + y 2 + a 1 x 2 + a 3= x2 1 + x 1x 2 + x 2 2 − a 1y 1 + a 2 (x 1 + x 2 )+a 4y 1 + y 2 + a 1 x 2 + a 3= x2 1 + x 1 x 2 + x 2 2 − a 1 y 1 + a 2 (x 1 + x 2 )+a 4 +(y 1 − y 2 )my 1 + y 2 + a 1 x 2 + a 3 +(x 1 − x 2 )m= x2 1 + x 1x 2 + x 2 2 − a 1y 2 + a 2 (x 1 + x 2 )+a 4 +(y 2 − y 1 ) ˜m,y 1 + y 2 + a 1 x 1 + a 3 +(x 2 − x 1 ) ˜mwhere m = m(x 1 ,y 1 ; x 2 ,y 2 ) is an arbitrary polynomial and ˜m = m(x 2 ,y 2 ; x 1 ,y 1 ). The verysame expression holds also for doublings. We remark that it is necessary to introduce both mand ˜m as the first version [BRJO 2003], corresponding to the second line, was vulnerable to theexceptional procedure attack [IZTA 2003b] (cf. Section 29.3). Namely, the algorithm would fail ify 1 + y 2 + a 1 x 2 + a 3 =0, i.e., if the y-coordinate of P equaled the y-coordinate of −Q.By defining λ m as in the last line whenever y 1 + y 2 + a 1 x 2 + a 3 +(x 1 − x 2 )m =0and asin the one to last line otherwise, this expression is valid for all points for appropriately chosenm. For nonsupersingular binary elliptic curves as given in (29.1) and curves over fields of oddcharacteristic, one can choose m =1.In affine coordinates this means that λ m can be evaluated with I+5Mincluding 2M with the constantsa 1 and a 2 . In odd characteristic these constants can be chosen to be zero and in characteristic2 one has a 1 =1. In characteristic 2, affine coordinates are often the fastest method of computationas inversions are not much more expensive than multiplications. In odd characteristic, one tries toavoid inversions and moves to projective or Jacobian coordinates. The same ideas can be applied tothe differently defined slope λ m given above. For isomorphic transformations and ways to deriveinversion-free formulas we refer to Sections 13.2 and 13.3.In particular, the inversion-free systems in odd characteristic suffer from the loss of speed dueto the countermeasure. If the curve has points of order 2 or 3, other representations of the curveleading to faster unified group operations can be designed.

696 Ch. 29 Mathematical Countermeasures against Side-Channel Attacks29.1.2.bUnified formulas for Hessian curvesIn Section 13.1.5.b Hessian coordinates were introduced. Let q ≡ 2(mod3)and consider anelliptic curve E over F q with an F q -rational point of order 3. TheHessian form is given byH : X 3 + Y 3 + Z 3 = cXY Zfor some c ∈ F q .Joye and Quisquater [JOQU 2001] suggested using Hessian curves to avoid simple side-channelattacks. It is possible to compose the scalar multiplication of additions only as[2](X 1 : Y 1 : Z 1 )=(Z 1 : X 1 : Y 1 ) ⊕ (Y 1 : Z 1 : X 1 )and (Z 1 : X 1 : Y 1 ) ≠(Y 1 : Z 1 : X 1 ). An addition needs 12M + 6S, which compares favorablyto the general unified formulas presented before. Hence, the use of unified addition formulas isimmediate. Additionally, Hessian curves allow for fast parallel implementation [SMA 2001].29.1.2.cElliptic curves in Jacobi modelA further set of unified formulas is obtained in [LISM 2001] by viewing the curve as intersectionof two quadrics. They need that E(F q ) contains a copy of Z/2Z × Z/2Z. Their formulas wereimproved in [BIJO 2003] and the approach was generalized to curves having one affine point oforder two only. The extended Jacobi form of an elliptic curve is given byE J : Y 2 = ɛX 4 − 2δX 2 Z 2 + Z 4 .The sum of P =(X 1 : Y 1 : Z 1 ) and Q =(X 2 : Y 2 : Z 2 ) is given by (X 3 : Y 3 : Z 3 ) withX 3 = X 1 Y 2 Z 1 + X 2 Y 1 Z 2 ,Z 3 =(Z 1 Z 1 ) 2 − ɛ(X 1 X 2 ) 2 ,Y 3 = (Z 3 + ɛ(X 1 X 2 ) 2 )(Y 1 Y 2 − 2δX 1 X 2 Z 1 Z 2 )+2ɛX 1 X 2 Z 1 Z 2 (X1 2 Z2 2 + X2 2 Z1),2with the only exception Q = −P =(−X 1 : Y 1 : Z 1 ). Hence, the formula holds also for P = Q.Olson [OLS 2004] generalized the approach in [BIJO 2003] by showing how to obtain an isomorphicprojective quartic curve with weighted inversion-free coordinates, in which doubling andaddition need the same formulas. This can be done for each elliptic curve but is highly inefficientin the general case requiring 31M. If the curve contains a point of order 2, i.e., with Y =0,histransformation yields the curve considered above. Another case leading to a simple equation is acurve containing a point with X =0as this results in a quarticand the unified formulas are efficient.W 2 = S 4 − βS − a 4 /429.1.3 Montgomery arithmeticThe Montgomery ladder 9.5 was introduced in Chapter 9 with a reference to side-channel attacks.In fact this idea thwarts simple side-channel attacks as for each bit of the scalar a doubling and anaddition are performed. The difference to the double and always add approach is that the additionsare used additions; hence, the method is not subject to fault attacks.We briefly recall the algorithm here in the setting of J C the Jacobian of an elliptic or hyperellipticcurve C and D __∈ J C . Then we consider issues specific to elliptic and hyperelliptic curves.

§ 29.2 Countermeasures against differential SCA 697Algorithm 29.4 Montgomery’s ladderINPUT: An element D __∈ J C and a positive integer n =(n l−1 ...n 0) 2.OUTPUT: The element [n] D __∈ J C.1.__D 1 ← D __and D __2 ← [2] D__2. for i = l − 2 down to 0 do3. if n i =0 then4.__D 1 ← [2] D __1 and D __2 ← D __1 ⊕ D __25. else__6.D 1 ← D __1 ⊕ D __2 and D __2 ← [2] D __27. return D __1This algorithm can be applied universally for any group. However, it suffers from the additionalgroup operations like the double and always add method and additionally doubles the storage requirements.On the other hand, fault attacks cannot be applied, which made [IZTA 2002b] use thismethod against SPA.For elliptic curves and hyperelliptic curves of genus 2 we have shown in Chapters 13 and 14that one does not need the Y coordinate, respectively the second polynomials v(x), to carry out thescalar multiplication with Algorithm 29.4 and that this coordinate can be recovered uniquely.We do not repeat the formulas here and refer to Sections 13.2.3 and 13.3.4 for Montgomerycoordinates on elliptic curves in odd and even characteristic. In the latter case they can be evaluatedefficiently for arbitrary curves but for odd characteristic they are more efficient for curves having agroup order divisible by 4. We present both cases in the section on efficient arithmetic.For genus 2 curves different approaches exist depending on whether the group order is divisibleby 2. Like in the case of elliptic curves a larger rational 2-torsion part facilitates the arithmetic. Forthe more efficient case, due to Duquesne [DUQ 2004], the formulas are given in Section 14.4.4.Lange’s [LAN 2004a] approach is valid for arbitrary curves over fields of odd characteristic butit is less efficient. Both methods are better than the double and always add approach but far lessefficient than the introduction of dummy field operations considered in Section 29.1.1.b.The drawback of the Montgomery method is that one cannot use precomputations to speed upthe scalar multiplications. On the other hand, Montgomery arithmetic can be parallelized efficientlyeven for small devices as reported in [FIGI + 2002]. As fault attacks cannot be applied the implementationis hedged against non-differential attacks.29.2 Countermeasures against differential SCADifferential side-channel attacks (DSCAs) are usually applied only if the simple side-channel attacksdo not succeed, e.g., if the leaked information cannot be linked directly to the bits of the secretscalar. If one has access to side-channel information of several scalar multiplications involving thesame secret scalar and different group elements, differential techniques can be applied. Note thatwe consider averaging over several measurements of the same scalar multiplication, i.e., the samescalar and same base point, as an enhanced simple side-channel attack and not as a differential one.Furthermore, this situation is very unlikely to occur in practice.To mount a differential attack one needs to be able to simulate the operations in the attackeddevice. In particular one needs to know the internal representations as the operations are likely to

698 Ch. 29 Mathematical Countermeasures against Side-Channel Attacksdepend on this. The common strategy in all countermeasures is therefore to introduce randomnessin the representation of the points, of the curve or of the scalar such that the simulation cannot beachieved. In practice, these countermeasures are often combined.The next sections deal with these methods. We like to mention that these countermeasures areonly needed if a long-term secret is involved. If the scalar is changed at each iteration of the protocolthey are not needed. However, still one needs to make sure that the implementation does not leakinformation on the bits of the nonces in signature schemes, as this can be used in a lattice basedattack as shown in [BOVE 1996, HOSM 2001, NGSH 2003].29.2.1 Implementation of DSCASuppose that by applying the countermeasures from the previous section the implementation issecured against SSCA. DSCA on a double and add scalar multiplication algorithm computing [n] D,__where n is a secret scalar used for several executions works as follows:Let n =(n l−1 n l−2 ...n 0 ) 2 , and suppose that the first digits n l−1 n l−2 ...n j+1 are known. Theattacker wants to find n j . He proceeds as follows:1. The attacker first makes a guess: n j =0or 1.2. He chooses several inputs D __1 ,..., D __t and computes E __i = [ ∑ l−1k=j n k23. He picks a Boolean selection function B to construct two index setsk−j]__S t = { i : B( __E i )=true } and S f = { i : B( __E i )=false } .For instance, B might be the least significant bit of the representation of E __i in case thisinfluences the computation.4. He puts SC i = SC i (t) to be the side-channel information obtained from the computationof [n] D __i . This is a function of the time t. In the case where electromagneticemission is used, this function is in fact also a function of space, for example, of a pointon the surface of the card: namely SC i = SC i (t; x, y).5. Let 〈SC i〉i∈S denote the average of the functions SC i for the i ∈S. If the guess of n jwas incorrect, then one expects〈SCi〉i∈S t− 〈 〉SC i i∈S f≈ 0i.e., the two sets are uncorrelated as the selection function was not related to the operationactually carried out. On the other hand, if the guess of n j was correct then〈SCi〉i∈S t− 〈 〉SC ias a function of time (and possibly space) will present spikes, i.e., deviations from zero,cf. Figures 28.7 and 28.8.This means that the cases of correlation and uncorrelation should be easy to distinguish, providedthat the selection function captures the properties of the algorithm and enough samples are obtained.Once n j is obtained, the attack is used on the next digit.Note that in practice the attacker does not choose the D __i but waits for further operations involvingthe private key or issues elements D __i on which [n] D __i is computed. Usually the attacker has noinfluence on the choice of the D __i so they are assumed to be random.Additionally we like to mention that this method does not require making fresh measurementsafter each bit n j obtained but can work as an offline attack. In a short time many samples ofi∈S fD i .

§ 29.2 Countermeasures against differential SCA 699side-channel leakage are recorded and stored. Then they allow us to recover the secret key bitby-bitby following the above steps for each n j ,l − 2 j 0 in an offline computation. Thishas the drawback that the complete side-channel traces need to be recorded, increasing the storagerequirement — but it might be harder to notice the attacker.29.2.2 Scalar randomizationThe idea of this countermeasure is to change the representation of the scalar (bit-pattern or windowingexpansion) such that it is not linked between the different executions of the algorithm. This canbe achieved by either changing the scalar itself or by only changing the addition chain used for thescalar multiplication.29.2.2.aVarying the scalarIn all applications the group order l isassumedtobeknown.Wehave[n] D __=[n + il] D __for anyinteger i. Random choices of i should randomize the binary pattern of the applied scalar and thus therepresentations during the execution. In [OKSA 2000] it has been shown that this randomizationleaves a bias in the least significant bits of the scalar. For elliptic curves, Möller [MÖL 2001a]combines this method with an idea of Clavier and Joye, and suggests the computation of [n] D __=[n + k 1 + k 2 l] D __⊖ [k 1 ] D, __wherek 1 and k 2 are two suitably sized random numbers. In the contextof group-based cryptography this method is called Coron’s first countermeasure [COR 1999]. Itinduces a performance penalty depending linearly on the bit lengths of the random quantities k,respectively k 1 and k 2 .These countermeasures can be combined with any of those described in the following section toprovide stronger defense.29.2.2.bVarying the representationThe insertion of random decisions during the execution of the scalar multiplication algorithmalso helps in preventing side-channel analysis. In general, these decisions amount to randomlychoosing among several different redundant weighted binary representations of the same integer[HAMO 2002, OSAI 2001]. Such methods must be used with care, and indeed their soundness hasbeen questioned [WAL 2004], sometimes under the assumption that no SSCA-countermeasures areimplemented [OKSA 2002, OKSA 2003].Liardet and Smart [LISM 2001] propose not only unified addition formulas as explained in theprevious section but also a countermeasure against DSCA. Assuming the indistinguishability ofaddition and doubling, they present three general-purpose randomized signed window methods forperforming SCA-resistant scalar multiplication.However, their argument depends heavily on the unified group operations. Under the hypothesisthat additions are distinguishable from doublings, Walter [WAL 2002a] shows that repeated use ofthe same secret key with the algorithm of Liardet and Smart is insecure. Another randomized 2 k -arymethod is given in [ITYA + 2002].It is also possible to apply a variant of MIST [WAL 2001, WAL 2002b]. The basic idea is torandomly choose between several different representations on a mixed base number system andat the same time select small addition chains for the different parts of the computation that arecomposed from similar sub-blocks of group operations. Ideally, such a technique would provideboth SSCA and DSCA resistance. However, especially in the presence of long keys, this methodalone can also leak some information on the exponent [WAL 2003].

700 Ch. 29 Mathematical Countermeasures against Side-Channel Attacks29.2.3 Randomization of group elementsThe methods described in this section leave the scalar invariant but change the representation of thebase group element. Hence, it is no longer possible to simulate the attack as the internal representationis unknown.29.2.3.aBlinding of group elementsIn any group it is possible to apply Coron’s second countermeasure [COR 1999]. Let n be thelong-term secret. To implement this countermeasure one chooses a group element E __∈ Pic 0 C froma list stating pairs ( E,[n] __E __) for various E __and computes [n] D __=[n]( D __⊕ E) __⊖ [n] E __. So, thecomputation is hidden due to the blinding addend E __.Besides the precomputations this method only adds an addition and a doubling per scalar multiplication.__The list should be large enough and kept secret, to avoid brute force attacks. The elementE should be changed at each execution.29.2.3.bRandomization by redundant coefficientsA particularity of cryptography based on curves is that the groups come with a natural way ofredundant representation. In inversion-free coordinate systems like projective or Jacobian coordinatesa point is not uniquely represented. In Jacobian coordinates the points (X 1 : Y 1 : Z 1 ) and(λ 2 X 1 : λ 3 Y 1 : λZ 1 ) are equal for any λ ∈ F ∗ q. This means that it is possible to change the representationof a point by 4M + S and even less in projective coordinates. The same approach can beused in all inversion-free coordinate systems [JOTY 2002] and it applies to elliptic curves as wellas to the divisor class group of higher genus curves [AVA 2004b]. In addition to those results, wemention that in the meantime also projective formulas for genus 3 curves were published. Hence,this method can be applied there as well. The randomization can also be applied additionally atrandom places during the scalar multiplication.Note that the final inversion to obtain affine coordinates and to change between the systems needsto be performed in the secure environment. Otherwise, i.e., if the triple is the direct result of a scalarmultiplication without further randomization, [NAST + 2004] show that the previous operations(doublings or additions) can be distinguished.It is important that this attack was found, however, in practice one would either provide theresult in affine coordinates (which is standard in transmission to reduce the bandwidth) or performa further random blinding with a new choice of λ.However, there are some coordinates that are not changed by multiplication by λ. Namely ifthe respective field element is 0 then it is unchanged by this method. Goubin’s attack [GOU 2003]makes use of this observation together with the fact that a zero coordinate leads to shorter computationtimes in most operations. We like to point out that this method is not restricted to zerocoordinatesbut it can also work if just some coefficients in the representation of F q as vector spaceover F p are zero. We discuss this in more detail in the following Section 29.3.29.2.4 Randomization of the curve equationSo far we implicitly identified isomorphic affine equations for curves and different representationsof the finite fields. However, it is possible to use the isomorphisms as secret maps to prevent theattacker from simulating the scalar multiplication.

§ 29.2 Countermeasures against differential SCA 70129.2.4.aIsomorphic field representationsUsing a different irreducible polynomial of degree d leads to an isomorphic description of F p d.Thismethod does not depend on the curve and, hence, [JOTY 2002] covers this idea for general curves.There are a few drawbacks attached to this method: computations in the isomorphic fields might beconsiderably slower than usual as less efficient field representations (e.g., perhaps no binomials) areused. Furthermore, the field isomorphism is often only given by a (d × d) matrix over F p .29.2.4.bIsomorphic curve equationsIn Sections 13.1.5 and 14.1.3 we introduced isomorphic transformations on the curve equation.The resulting curve is given by a different equation and the representation of the group elementsis changed, too. If the isomorphism is secret the attacker has no information on the representationof the group elements, and hence, cannot simulate the computation. This countermeasure wasproposed for elliptic curves in [JOTY 2002] and generalized to hyperelliptic curves in [AVA 2004b].We present the version from the latter reference in the setting of hyperelliptic curves.Let C and ˜C be two hyperelliptic curves of genus g 1 over a finite field F q . Suppose thatψ : C → ˜C is an F q -isomorphism that is easily extended to an F q -isomorphism of the divisor classgroups ψ :Pic 0 C → Pic 0 C e. Let us further assume that ψ, andtheinverseψ −1 , are computable in areasonable amount of time, i.e., small with respect to the time of a scalar multiplication. We do notrequire apriorithe computation time of ψ to be negligible with respect to a single group operation.Then, instead of computing E __=[n] D __in Pic 0 C we perform:__E = ψ −1( [n] ψ( D) __ )so that the bulk of the computation is done in Pic 0 C e. We visualize it in the following commutativediagram.multiplication by n__D ∈ Pic 0 CDψPic 0 C ∋ [n] __ψ( __D) ∈ Pic 0 e Cmultiplication by nψ −1Pic 0 e C∋ [n]ψ( D)__and we follow it along the longer path. The countermeasure is effective if the representations of theimages under ψ of the curve coefficients and of the elements of Pic 0 C are unpredictably differentfrom those of their sources. This can be achieved by using randomly chosen isomorphisms ψ,whichboils down to multiplying all the quantities involved in a computation with “random” numbers.In Section 14.1.3 we gave examples of isomorphisms and in the following sections, optimalequations for each isomorphism class of curves were obtained. Applying random isomorphismsmeans that this optimal equation cannot be used. We briefly recapitulate the effects of isomorphismson hyperelliptic curves, implying elliptic curves.Let C, ˜C be two hyperelliptic curves of genus g defined by Weierstraß equationsC : y 2 + h(x)y − f(x) =0 (29.2)˜C : y 2 + ˜h(x)y − ˜f(x) =0 (29.3)over F q ,wheref, ˜f are monic polynomials of degree 2g +1in x and h(x), ˜h(x) are polynomials inx of degree at most g. AllF q -isomorphisms of curves ψ : C → ˜C are of the typeφ : (x, y) ↦→ ( s −2 x + b, s −(2g+1) y + A(x) ) (29.4)

702 Ch. 29 Mathematical Countermeasures against Side-Channel Attacksfor some s ∈ F ∗ q , b ∈ F q and a polynomial A(x) ∈ F q [x] of degree at most g. Upon substitutings −2 x + b and s −(2g+1) y + A(x) in place of x and y in equation (29.3) and comparing with (29.2)we obtain {h(x) =s2g+1 (˜h( s −2 x + b ) +2A(x) )whose inversion isf(x) =s 2(2g+1)( ˜f( s −2 x + b ) − A(x) 2 − ˜h ( s −2 x + b ) A(x) ) (29.5){ ˜h(x) =s −(2g+1) h(ˆx) − 2A(ˆx)˜f(x) =s −2(2g+1) f(ˆx)+s −(2g+1) h(ˆx)A(ˆx) − A(ˆx) 2 (29.6)where ˆx = s 2 (x − b).Avanzi [AVA 2004b] gives a detailed study on this countermeasure for hyperelliptic curves includingelliptic curves. Hence, we only state these more general results in the sequel. For ellipticcurves we refer to the original paper [JOTY 2002].• For hyperelliptic curves in odd characteristic we can restrict the isomorphisms to thetypeψ : (x, y) ↦→ ( s −2 x, s −(2g+1) y ) , (29.7)with h(x) =˜h(x) =0. This gives a fast countermeasure that effectively multipliesall quantities involved in the computations of the group operations by powers of therandomly chosen nonzero parameter s.Also, here we need to mention that zero coefficients remain zero when applying thisrandomization. Additional care needs to be taken to avoid Goubin type attacks (cf.Section 29.3).• For genus 2 hyperelliptic curves in characteristic 2, one loses performance compared tothe optimal formulas stated in Chapter 14. On the other hand, the general formulas canbe applied in any case and thus one has to analyze on a case-by-case basis which costs areacceptable. For example, in Proposition 14.37 a unique representative per isomorphismclass is given while the restricted parameter ε does not influence the performance and itis not necessary to map f 1 to 0. Hence, different choices are possible without affectingthe performance.• For genus 3 curves in even characteristic similar observations hold. Additionally, thetype of curve given by an equation y 2 + h 0 y = f(x) can be randomized byψ : (x, y) ↦→ ( s −2 x, s −(2g+1) y ) , (29.8)leaving the shape of the curve unchanged and varying only h 0 on the left-hand side; thusthe group operations remain particularly fast.Remarks 29.5(i) Clearly, using more general isomorphisms, e.g., including a constant term, Goubin typeattacks can be easily avoided on the cost of a less efficient map.(ii) Note that it is also possible to use isogenies of low degree, which are efficiently computableas the DLP is usually stated in a prime order subgroup and thus the group structureof the interesting part is not altered by isogenies. In particular, when searching formaps that avoid Goubin type attacks one might come back to the more general isogenies.

§ 29.3 Countermeasures against Goubin type attacks 70329.3 Countermeasures against Goubin type attacksGoubin observed that some elements remain unchanged under some of the randomization techniquespresented in the previous section, e.g., as in the example we already mentioned, the randomizationby redundant coefficients leaves zero coordinates unchanged.This can be used in an active attack. Assume that an attacker can observe the computation of[n] D __i for elements D __i ∈ Pic 0 C chosen by himself, and assume that the D __i were chosen such thatfor each D __i the result of [3] D __i has a zero coordinate while [4] D __i does not. As a zero coordinateis invariant under the randomization by redundant coefficients, all side-channel traces should showthe particularities of a zero coordinate if [3] D __is used in the scalar multiplication, i.e., if the secondmost significant bit is set in a left-to-right algorithm, and be normal otherwise.In full generality, we have the following approach: let H ⊂ Pic 0 C be a subset of elements havingsome property that makes their processing detectable by side-channel analysis (for example, zeroesin the internal representation) and that are invariant under a given randomization procedure R.The set H is called the set of special group elements. It is used in an attack as follows:Suppose that the most significant bits n l−1 ,n l−2 ,...,n j+1 of the secret scalar n are known andthat we want to discover the next bit n j .1. Make a guess: n j =0or 1.2. Set up a chosen message attack: choose a number of elements E __i ∈ H and determinethe corresponding D __i such that [(n r n r−1 ...n j+1 n j ) 2 ] D __i = E __i and additionally checkthat [(n r n r−1 ...n j+1¯n j ) 2 ] D __i ∉ H.3. Then, statistical correlation of the side-channel traces corresponding to the computationsof [n]E i may reveal if the guess was correct even if the randomization procedure R isused.As already mentioned, such sets H exist:• The set of points with a zero coordinate of an elliptic curve.• The set of divisors classes on a hyperelliptic curve with a zero coordinate in the uniquerepresentation. As we use Mumford representation, D __=[u(x),v(x)], the set of specialelements could consist of those divisor classes for which deg(u) 1), let H be the set of divisor classes D __=[u(x),v(x)] such thatdeg(u)

704 Ch. 29 Mathematical Countermeasures against Side-Channel Attackstion algorithm will double it. To do it, the formulas for the most common case (cf. Chapter 14) willnot work — and even if Cantor’s algorithm 14.7 is used to implement the group arithmetic, therewill be less reduction steps than in the general case. The consequences are easily detectable differencesin power consumption and even timing. The timing differences are the leaked informationused in the attack described in [KAKI + 2004], which we can thus consider as a Goubin-type timingattack.An approach to thwart Goubin’s attack could use very general curve isomorphisms that do notrespect the short Weierstraß form using b, A(x) ≠0to randomize also the vanishing coefficientsof the divisors: this has the disadvantage of requiring more general and slower formulas for theoperations.However, as shown by Avanzi [AVA 2004a, AVA 2004b], the methods of randomizing the scalarand blinding the group elements (cf. Section 29.2.2 and 29.2.3.a) can be effective against Goubin’sattack.Under Goubin type attacks we also subsume the exceptional procedure attack [IZTA 2003b]. It isalso an active attack in which the attacker chooses the input D,onwhich[n] __D __is computed, in such away that the computation fails for one assignment of the next unknown bit and does not for the other.By recording the error messages or observing the algorithm to choose an exceptional procedure, theattacker can learn subsequent bits. This attack is feasible, e.g., if the group order is not prime bysubmitting a point of small order such that the computation would hit the point at infinity. However,the standards suggest choosing curves with small cofactor only (cf. Chapter 23) such that the attackcould discover only a very small portion of n. Furthermore, checks that the submitted point is infact on the curve and of the given prime group order are imposed by the protocols (cf. Section 23.5).This attack could also be mounted against the initial version of unified addition formulas (givenin [BRJO 2003]) as they proposed only one set of formulas that would fail for only a very few cases.Clearly, these cases would never occur in a random scalar multiplication, but assuming an activeattacker such instances can be found even if the group order is prime. Note that the unified formulaspresented in Section 29.1.2.a no longer suffer from this problem. Furthermore, the countermeasuresof blinding and scalar randomization are also effective against these attacks.29.4 Countermeasures against higher order differential SCAIn the DSCAs explained so far the attacker monitors leaked signals and calculates the individual statisticalproperties of the signals at each sample time. In a higher order DPA attack, the attacker calculatesjoint statistical properties of power consumption at multiple sample times within the powersignals.More formally, an k-th order DSCA is defined as a DSCA that makes use of k different samplesin the power consumption signal that correspond to k different intermediate values calculated duringthe execution of an algorithm.The attacks described so far are first order DSCAs. The idea behind higher order DSCA hadalready been defined in [KOJA + 1999]. A description of a second-order DPA can be found in[MES 2000a].A possible scenario in the setting of curve-based cryptography is that the implementer chooses awindowing method such that the leakage of zero coefficients does not seem to be a real concern, e.g.,a fixed or sliding window of width w =4, or he applies a method such that no zero coefficients canoccur (cf. Section 29.1.1.a). At each addition, one adds one of few (e.g., 16) possible precomputedmultiples of the base group element D __to the intermediate value. The higher order DSCA methoddeems to determine when a precomputed multiple is reused. This might be observable from the sidechannelinformation, as half of the input is fixed while the other can be assumed to vary randomly.

§ 29.5 Countermeasures against timing attacks 705This method might also be used to distinguish multiplications from squarings in odd characteristic.Implementers should be aware of this when using the algorithms presented in Section 29.1.1.b; forimplementations of RSA these issues were studied in [SCH 2000a] and following papers.In [SASC + 2004] it is shown how such an attack can be used for elliptic curves over F p wherethe field operations are implemented in Montgomery representation. They use the visibility of thefinal reduction in the multiplication to distinguish the computations of x 2 ,xy,and3xy to attackcurves in Jacobian coordinates given by the (especially efficient) equation y 2 = x 3 − 3x + a 6 .In order to avoid the detection of reusage of a precomputed point or prevent the observation of thefinal reduction via side-channel attacks, it is also advisable to use a redundant, i.e., inversion-free,representation of the group elements and to randomize the representation of a precomputed pointafter each time it is used. This is trivial to implement, and comparably inexpensive.SSCA-countermeasures will also make it more difficult for the attacker to guess which portionsof single traces are to be correlated. This shall force him, ultimately, to adopt a brute force strategy,i.e., to try to correlate all possible sub-traces: the amount of possible combinations will increaseexponentially with the length of the scalar multiplication and thereby make k-th order attacks computationallyinfeasible.The same holds true for address bit DPA in which the attacker obtains information about reusageof locations by using the side-channel information. A further countermeasure is to randomly changethe assignment of storage locations during the execution of the algorithm.29.5 Countermeasures against timing attacksTiming attacks were the first side-channel attacks ever described [KOC 1996]. The attacker is onlyassumed to be able to measure the time needed per complete scalar multiplication and not to obtaina more detailed side-channel information.If the attacker is allowed to issue group elements D __on which [n] D __is computed, he might choosethem in such a way that, depending on a certain bit, the complete scalar multiplication differs in thecomputation time. In other words, the timings of the part of the whole computation that processesthe bit n j must be biased in the step obtaining the j-th bit.Timing attacks have been shown to work on real life smart cards in [DHKO + 2000] for an implementationof RSA, and the same methods can be used also for curve-based cryptography.The countermeasures are in principle the same as for differential side-channel analysis. Randomizingthe representation of D __and of n should make it infeasible to obtain information from the totalcomputation time as the internal representation is not known.29.6 Countermeasures against fault attacksAttacks based on fault induction essentially force the device to perform erroneous instructions —e.g., by changing some bits in the internal memory. They have been announced officially in 1996 ina Bellcore press release, followed by a paper by Boneh, DeMillo, and Lipton [BODE + 1997].Originally, the attack was presented for RSA and usually the scenario assumes that the attackerhas access to the result of the computation [n] D __and that he might request this computation for thesame input D __more than once. Hence, like for DSCA this attack does not apply to the randomlychosen nonces in the protocol but only to the long term secret key, e.g., used in signing.First of all, inserting errors during the execution of an algorithm allows us to determine if the hitoperation was a dummy or a real one by comparing the outputs of the original computation of [n] D__to the output after the insertion of a fault. The obvious countermeasure is to check the output by a

706 Ch. 29 Mathematical Countermeasures against Side-Channel Attackscheck computation.Unfortunately for curve-based cryptography, checking the result amounts to performing the wholecomputation twice or in parallel requiring either double time or size. (This is in contrast to RSA,where usually one of the operations is chosen to be cheap.) Hence, a more thorough look at possibleeffects is necessary. We follow Avanzi [AVA 2005c] and distinguish between simple fault analysis(SFA) and differential fault analysis (DFA) depending on whether the attack makes use of a singleexecution of the algorithm or of many in combination with statistical analysis.29.6.1 Countermeasures against simple fault analysisAt Crypto2000, Biehl, Meyer, and Müller [BIME + 2000] presented three different types of attackson ECC that can be used to derive information about the secret key if bit errors can be inserted intothe elliptic curve computations in a tamper-proof device. They also estimate the effectiveness of theattacks using a software simulation.Their methods require very precise placement and timing of the faults. Generalizing the approachof [LILE 1997], their first two techniques depend on the ability to change the coordinates of a pointon the curve at the beginning of the scalar multiplication. This can work because the elliptic curveformulas do not use all the coefficients of the equation of the curve to perform their operations (cf.Chapter 13); e.g., in affine coordinates and a finite field F q of odd characteristic the coefficient a 6 inthe curve equation E : y 2 = x 3 +a 4 x+a 6 is not used in either doubling or addition. Therefore, if theinput point is changed it will no longer lie on E but has good chance of lying on Ẽ = y 2 + a 4 x +ã 6for some ã 6 . The implemented addition and doubling formulas will compute the multiple of thechanged point on the changed curve. The largest prime factor of Ẽ(F q ) will most likely be smallerthan the group order E(F q ) such that solving the DLP on Ẽ is easier (cf. Section 19.3 for invalidcurve attack).To actually have a DLP to solve we assume that the attacker obtains the output [n] ˜P from whichhe can determine ã 6 as a 4 is known to him. Furthermore, we assume that the attacker has someknowledge of how the fault was induced, e.g., he could place it such that only the y-coordinate ischanged while x is fixed. Given a 4 ,x and ã 6 he gets two candidates for the y-coordinates. Bysolving the DLP for one of them he obtains either n or l − n from which the DL is derived bychecking.Note that this scenario holds also for hyperelliptic curves and for all other coordinate systems, asusually not all curve coefficients appear in the explicit group operations and a divisor class group ina random Jacobian is likely to have no big prime factor.The countermeasure consists of checking whether the resulting point satisfies the curve equation.Note that the standards require this check for the input point (cf. Section 23.5) and this comparablycheap procedure also at the end of the computation.Furthermore, the attack is not possible if the result is not available to the attacker. On the otherhand, holding back the result just in case of a detected fault allows an attacker to find dummyinstructions.29.6.2 Countermeasures against differential fault analysisWe now introduce a class of fault attacks that need more than one scalar multiplication.29.6.2.a Faults changing the curveHere we assume the faults can be placed at exact timings but their effects on D __cannot be controlled.Hence, most likely one works on a different curve after the fault is induced.

§ 29.6 Countermeasures against fault attacks 707The method of detecting dummy operations mentioned in the introduction belongs to this class ofattacks. For the purpose of illustration we describe an attack on the right to left scalar multiplicationAlgorithm 29.6, which we repeat here for easier reference.Algorithm 29.6 Right to left binary exponentiationINPUT: An element D __∈ G and a nonnegative integer n =(n l−1 ...n 0) 2 with n l−1 =1.OUTPUT: The element [n] D __∈ G.__1. E ← 0, F __← D __and i ← 02. while i l − 2 do3. if n i =1 then E __← E __⊕ F__4.__F ← [2] F__5. i ← i +16.__E ← E __⊕ F__7. return E__The group element F __contains [2 i ] D __in round i. Note that in Line 3 a dummy addition could beperformed to avoid SSCA attacks.Assume that we know the binary length l of the unknown multiplier n (note that an attacker caneasily guess this length). First use the device to compute [n] D __without inducing faults to have avalue for comparison. Then change the content of F __in the next to last round. If the result ischanged then n l−2 ≠0. Proceeding to inserting an error in the previous round and repeating thisprocess, the attacker can read out all bits of n.The paper [BIME + 2000] also contains an approach in which faults are introduced during thescalar multiplication in a more sophisticated way. Assume that the attacker can, at any prescribediteration, say flip just one bit of the variable E __. (The case where the variable F __is modified ishandled in a similar way.) Assume also that the scalar is fixed and not randomized, and that we knowhow the internal variables are represented. Then, essentially, the bits of the key can be recovered insmall blocks as follows:1. Perform a normal scalar multiplication E __=[n] D __with a given input.2. Repeat the computation of [n] D, __but this time induce a bit flip in a register m steps beforethe end of the scalar multiplication, giving a result E __ ′ . Of course all computations beforethe fault in the two cases will be equal, and all those involving the processing of the mmost significant bits of the unknown scalar n in the faulted computation will have beenchanged with respect to those of the reference computation — the very first differenceconsisting of just a single bit.3. For all possible m bit integers x, “reverse” the correct computation and the faulted one,i.e., determine E __⊖ [x2 l−m ] D __and E __ ′ ⊖ [x2 l−m ] D.__4. If pairs of results that differ in only one bit are found, then the correct and faulted registervalues are now determined together with the m most significant bits of the scalar.5. If one bit of F __(which is supposed to contain a copy of the input base point D) __wasflipped, and not one of E __, the computations need to be done not only for all possiblecombinations of m bits, but also for all possible single bit faults induced in E. __Thereexist O(lg q) different possibilities over F q .6. Iteration of the above process yields all the bits of the secret scalar, m bits at a time.

708 Ch. 29 Mathematical Countermeasures against Side-Channel AttacksThe attack works essentially unchanged if the binary representation of the scalar is replaced withany other deterministic recoding (NAF, m-ary, w-NAF, etc.).In [BIME + 2000] the authors deal with more sophisticated attacks, such as attacks where thefaults are induced but it is not possible to determine precisely when – such attacks are reasonable ifclock randomization or randomized processor instructions are implemented on the card.All such attacks have been originally presented for elliptic curves but are in fact entirely generic andapply to implementations of hyperelliptic curves, trace zero varieties and other geometric objects.Countermeasures are obvious: checking at regular intervals to see whether the intermediate result ison the curve, and restarting the computation (possibly from a backup value) if something has gonewrong; never allowing wrong results to leave the device; randomizing the scalar.29.6.2.bFaults preserving the curveThe countermeasures described so far would not apply if the resulting points happened to be validpoints of the curve. In [BLOT + 2004] the authors analyze the scenario that the attacker is able toinsert such precise faults that it is possible to change the sign of an integer modulo p. This mightbe unrealistic in practice but offers the interesting scenario that the attack would not be noticedthrough the above countermeasures. They show how one could still obtain the secret scalar n fromsign change fault attacks.Apart from the attack, they also propose a countermeasure generalizing Shamir’s idea [SHA 1999]for RSA to ECC, which works similar to performing the computation twice — but choosing the secondgroup to be a small group over F p ′ for p ′

§ 29.7 Countermeasures for special curves 709In other words, an (apparently) improved cryptosystem may actually leak useful observable information.If this behavior can be observed for several different faults induced in different momentsof a scalar multiplication with fixed scalar, then an attacker may be able to guess the secret key.Accordingly we strongly advise randomizing the scalar.29.7 Countermeasures for special curvesThe curves considered in Chapter 15 allow fast scalar multiplications by using endomorphismsof the curve. On Koblitz curves (cf. Section 15.1) the Frobenius endomorphism φ q operates byraising each coefficient of the representation to the power of q. On GLV curves (cf. Section 15.2.1)other efficiently computable endomorphisms are applied. For such curves it is possible to designcountermeasures against side-channel attacks that are more efficient than for general curves.In the sequel we first report on countermeasures for Koblitz curves as there is a vast literatureproposing methods against SSCA and DSCA. As the Frobenius endomorphism is usually usedto speed up the scalar multiplication (cf. Section 15.1) we now assume that n is given by its τ-adic expansion n = ∑ l−1i=0 n iτ i for n i ∈ R for some set of coefficients R. Finally we report oncountermeasures for GLV curves.29.7.1 Countermeasures against SSCA on Koblitz curvesIn general, the SSCA countermeasures of inserting dummy group operations apply also to τ-adicinstead of binary expansions. However, avoiding simple side-channel attacks on Koblitz curves byresorting to the Frobenius and always add method would reduce much of the advantages of Koblitzcurves, as many expensive additions are inserted. Likewise, there is no use in obtaining unifiedgroup operations, as the advantage of using Koblitz curves is that the Frobenius endomorphism is acheap operation and thus its cost cannot and should not be made equal to that of an addition.To find the most appropriate countermeasure it is necessary to specify how the computations aredone.29.7.1.aNormal basis situationIf the implementation is using a normal basis representation, e.g., in hardware based implementations,computing φ i q ( D) __requires the same time for each exponent i. Therefore, a countermeasureagainst SSCA is not needed as the attacker automatically sees the deterministic sequence of operationsconsisting of one application of the Frobenius endomorphism and one addition. For genusg>1 or q > 2 one table lookup is used before the addition. Note that this reveals the τ-adicHamming weight of the representation as the number of additions is observable.φ i q29.7.1.b Power of φ i q can be detectedWe now detail methods to counteract SSCAs if it is possible to determine the number of Frobeniusoperations between two additions. The first generalizations of side-channel attacks to ellipticKoblitz curves were obtained in [HAS 2000]. The methods are stated for elliptic curves but hold thesame for arbitrary genus curves.First of all, it is possible to design an algorithm that resists SSCA and DSCA at the same time.As the Frobenius endomorphism can be applied almost for free, it is possible to insert dummyapplications of φ q . We repeat Algorithm 3 of [SMGE 2003] in the general setting of arbitraryKoblitz curves. We need a random nonce j, by which we mean a binary sequence of length l +1if the expansion of n has length l. By the logical complement of the expansion of n, we mean a

710 Ch. 29 Mathematical Countermeasures against Side-Channel Attacksτ-adic expansion that has a 0 whenever the expansion of n has a nonzero coefficient, and whichcontains a random coefficient from the set of coefficients otherwise. By abuse of notation we alsouse n to denote its expansion and n ′ for the logical complement. The logical complement j ′ of j isthe binary sequence such that j + j ′ is the all one string.Algorithm 29.7 SSCA and DSCA by random assignmentINPUT: An integer n = P l−1i=0 riτ i , a divisor D, __and precomputed multiples [r __i] D.OUTPUT: The divisor E __=[n] D.__1. generate random nonce j of length l +12. kval[j l ] ← n and kval[j l] ′ ← n ′3.__E[0] ← 0 and E[1] __← 04. for i = l − 1 to 0 do5.__E[j i] ← φ __q( E[j i])6. bit ← kval i[j i]7. if (bit ≠0) then E[j __i] ← E[j __i] ⊕ [bit] D__8.__E[j i] ′ ← φ __q( E[j i])′9. bit ← kval i[j i]′10. if (bit ≠0) then E[j __i] ′ ← E[j __i] ′ ⊕ [bit] D__11. return E[j __l ]Note that at each step φ q was applied twice while only one of the additions took place and the orderof used and dummy additions is randomized due to j. As in the double-and-always-add method thedensity of the expansion is constantly 1.The same idea works also for the windowing method with fixed window width by redefining thelogical complement of n, which has the advantage of needing fewer additions on the cost of largerstorage requirements.Furthermore, one needs to take into account that in even characteristic negating can be observedfrom the side-channel information, such that it might be necessary to store both [i] D __and [−i] D.__This observation also holds true for the cases considered next.Binary elliptic Koblitz curvesWe are working on the original Koblitz curves g =1,q =2and no precomputations are used. Foran unshielded implementation it is possible to use a τ-adic NAF expansion that has density 1/3.From the NAF property one knows that each addition is followed by at least two applicationsof φ 2 as there are no two consecutive nonzero coefficients. One can use a direct generalization ofthe idea presented in Section 29.1.1.a by using a fixed pattern of operations. This way the scalarmultiplication would consist of applying φ 2 twice followed by an addition, where some of theadditions and some of the Frobenius operations are actually dummy operations.Note that dummy Frobenius operations appear if the number of zeroes between two nonzerocoefficients is even whereas dummy additions are inserted whenever two adjacent zero-coefficientsappear in the expansion.As for Koblitz curves φ 2 is much cheaper than a group addition, and it is advisable to prescribemore (dummy) Frobenius operations to reduce the number of dummy additions. Depending on thelength of the scalar, we propose to let each addition be followed by 3 or 4 applications of φ 2 .Tothwart fault attacks, the dummy Frobenius operations could be placed randomly among the 3 resp.

§ 29.7 Countermeasures for special curves 7114 applications.Also, the idea in [GIE 2001] can be used in this contextSimilar considerations hold if precomputations can be used to achieve a low density expansion.Generalized Koblitz curvesIn the case of larger genus or characteristic the density of the τ-adic expansion is much closer to1. So, inserting some dummy additions does not constitute a major drawback. To additionally takeinto account DSCA one can randomize the times where the dummy operations are executed and theplaces where they are stored. Some clever ways for this are detailed in [SMGE 2003].It is also possible to directly generalize the use of windowing methods in which w operations ofthe Frobenius endomorphism are followed by an addition, which might be a dummy addition. Here,the use of fixed windows is advantageous.An analogue of Möller’s method of deriving expansions with no zero coefficients can be obtainedas well. In a more sophisticated way the following adaptation of Hasan [HAS 2000] to arbitraryKoblitz curves C/F q works (for the details on Koblitz curves we refer to Section 15.1). Note thatwe consider C over an extension field F q k.Using τ k − 1=0in the subgroup under consideration we reduce the length of the expansion ofn allowing larger coefficients. For large k the coefficients will all be of a size less than q g − 1. Putr min < 0 the minimal and r max the maximal coefficient of this enlarged set of coefficients. Then forall coefficients r i , 0 i k − 1 of the expansion r i − r min +1is an integer > 0. We precomputethe multiples D, __[2] D,...,[r __max − r min +1] D __in advance. Then ∑ k−1i=0 [r i − r min +1]φ i q ( D) __stillcomputes [n] D __as (−r min +1)(φ k q − 1)/(φ q − 1)( D) __=0. But now we perform a table lookup andnon-dummy addition for each of the d coefficients. The density is still 1 but this trick avoids faultattacks.29.7.2 Countermeasures against DSCA on Koblitz curvesTo counteract differential attacks all methods introduce randomness in the computation. Severalof the methods introduced in Section 29.2 have direct analogies for Koblitz curves, which can beapplied much more efficiently as the doublings are replaced by cheap applications of φ q .29.7.2.aVarying the scalar or the representationCoron’s countermeasure [COR 1999] of adding a random multiple of the group order to the multipliern before computing [n] D __does not help at all for Koblitz curves. Note that in the process ofcomputing the τ-adic expansion we first reduce modulo (τ k − 1)/(τ − 1) and that the group orderis always a multiple of this in Z[τ] (at least when it is almost prime as we suppose). This means thatn plus any multiple of the group order is always reduced to the same element in Z[τ]. This holds forall hyperelliptic curves independent of the genus. To find efficient countermeasures we again needto distinguish whether the number of applications of φ q can be determined from the side-channelinformation or not.Normal basis situationAs before, we assume that the side-channel traces of φ i q and φj q are indistinguishable.Hasan [HAS 2000] deals especially with elliptic Koblitz curves over F 2 but the method works forany genus and ground field. Use the relation τ k − 1=0to reduce the length of the expansion tohave fixed length k allowing larger coefficients. We can rotate the expansion usingr k−1 τ k−1 + r k−2 τ k−2 + ···+ r 1 τ + r 0 = τ t (r t−1 τ k−1 + r t−2 τ k−2 + ···+ r t k +1τ + r t )

712 Ch. 29 Mathematical Countermeasures against Side-Channel Attacksfor arbitrary t.φ i qPower of φ i q can be detectedThe exponent splitting algorithm of [SMGE 2003, Algorithm 2] works efficiently if the final additionis implemented in such a manner that no information on the E __i is leaked. We present their ideain the general setting of arbitrary Koblitz curves. They suggest splitting the expansion into s groupsof t coefficients, where t = ⌈k/s⌉. For each subsequenceu i =(r (i+1)t−1 r (i+1)t−2 ...r it+1 r it ), for 0 i s − 1the computation of __E i =[u i ] __D is done in a random order for the i. Finally the result is obtained as__ ∑s−1E = φ itq ( E __i ).i=0Adding random multiples of (τ k −1)/(τ −1) does not change the content of the integer but changesthe representation. Note, however, that this makes the coefficients larger and that each coefficient isincreased by one.The method described in Algorithm 29.7 is actually a DSCA countermeasure that also worksagainst SSCA.Joye and Tymen [JOTY 2002] consider elliptic Koblitz curves in the case that one would be ableto tell the power of the Frobenius. Instead of reducing n modulo τ k − 1 before computing theexpansion, they reduce it modulo ρ(τ k − 1),whereρ is a random element of Z[τ] of bounded norm.If for the complex norm N we have lg N(ρ) ∼ 40 then the expansion will be of length 200 insteadof 160, which does not seem to be too bad as the density of the expansion is unchanged. Besides,one does not need to introduce further routines except for choosing a random ρ as only reductionmodulo an element of Z[τ] and the algorithm to compute the expansion are needed.In [LAN 2001a] it is proposed to first compute n mod (τ k − 1)/(τ − 1) as in the unshieldedalgorithm and then to add a random multiple α(τ k − 1)/(τ − 1), whereα is of norm less thansome K. The result is similar to what is obtained above and n is equally hidden in the full lengthof the element to expand. The important advantage is that we can make use of the precomputedvalues for (τ k − 1)/(τ − 1) and (τ − 1)/(τ k − 1) in Z[τ] and only need to compute the productα(τ k − 1)/(τ − 1) in Z[τ] additionally. Using this for K of about 40 bits also results in expansionsof length 200 but the computation of the expansion is faster.In the case of higher genus curves we can use the same approach, except that finding elements ofbounded norm is not as immediate as for the elliptic case. However, slightly reducing the space forthese random elements α we can choose those where the coefficients α = c 0 + ···+ c 2g−1 τ 2g−1satisfy( 2g−1) 2 ∑|c j | √ q j 2 L−2 /( √ q − 1) 2 ;j=0this means that we can choose all c i at random under the condition that |c j | 2 (L+2)/2 /(q g − 1),where L is the chosen parameter to guarantee enough security. The expansions will be longer by+L. If we use a new random α each time the algorithm is invoked, the information of the expansionof the multiplier should be well hidden.29.7.2.bOther countermeasuresAs in the general case, one can also use randomization of group elements together with the Frobeniusoperation. In inversion-free coordinate systems some more representing field elements need tobe raised to the power of q, but this remains much cheaper than an ordinary scalar multiplication.

§ 29.7 Countermeasures for special curves 713Clearly, blinding methods also work universally in the setting of Koblitz curves, but we are notaware of an improvement making use of the possibilities Koblitz curves offer.It is possible to use an isomorphic field representation, but usually this comes at the penalty ofless efficient arithmetic. Concerning curve isomorphisms: they need to be defined over the smallfield F q as otherwise the advantage of Koblitz curves cannot be used — and there are just very fewisomorphic curves, e.g., for the case g =1,q =2there are 4 curves in each isomorphism class. Arandom choice among such a small number does not considerably increase the security for the costof far less efficient group operations.29.7.3 Countermeasures for GLV curvesWe now deal with side-channel attacks on GLV curves. Recall that these are curves with an endomorphismψ and that to compute [n] D __one splits n = n 0 + n 1 s ψ ,whereψ( D) __=[s ψ ] D __for all D__such that n 0 ,n 1 are of size O( √ n) only.To avoid SSCA, all methods described in Section 29.1 can be applied as they only make use ofthe scalar multiplication. One needs to take into account that the computation of [n 0 ] D __⊕ [n 1 ]ψ( D)__applies a joint sparse form together with the Straus–Shamir trick of simultaneous doubling (cf.Section 9.1.5). Thus the initial density of the expansion is 1/2 asymptotically. The effects andlosses due to the SSCA countermeasures need to be slightly adjusted but basically that issue issolved.To counteract DSCA, Ciet, Quisquater, and Sica [CIQU + 2002] give three approaches on how torandomize the decomposition of the scalar in the GLV scalar multiplication Algorithm 15.41. In theoriginal GLV method one first computes a short basis v 0 ,v 1 of the lattice Z[s ψ ]. Denote by f themapZ × Z → Z/lZ(i, j) ↦→ f(i, j) ≡ i + js ψ (mod l).One has that f(v 0 )=f(v 1 )=0.Then one solves the linear system of equations over Q to get (n, 0) = k 0 v 0 + k 1 v 1 with k i ∈ Q.Let k i ′ be the integer closest to k i,then(n, 0) − k 0v ′ 0 + k 1v ′ 1 =(n 0 ,n 1 ) is a short vector in thelattice and f(n 0 ,n 1 ) ≡ n (mod l).In [CIQU + 2002], Ciet et al. basically show how to obtain slightly longer vectors (n 0 ,n 1 ) in arandom manner.In order to do this, the easiest way is to add scalar multiples of v 1 and v 2 to (n 0 ,n 1 ).Theresultwill still be a comparably short vector and it operates like n on all D. __This countermeasure inducesan overhead as the resulting (n ′ 0,n ′ 1) has larger coefficients but it is rather easy to control the effectsand the increase of security.To reach a higher order of randomization they propose not only to randomize the splitting of thescalar in base {1,ψ} but also to randomize the basis such that the resulting splitting n ′ 0 ,n′ 1 of nrefers to [n ′ 0 ]ψ 0( D) __⊕ [n ′ 1 ]ψ 1( D) __for some random basis {ψ 0 ,ψ 1 }.To get the random basis, they apply a random invertible matrix[ ]α βA =γ δto (1,ψ) and then apply the usual GLV method including the computation of the short vectors v 0 ′ ,v′ 1in the changed basis. The only difference is that one does not search for a rational approximationof (n, 0) but needs to express this first with respect to the changed basis. Define s ψ0 by ψ 0 ( D) __=[s ψ0 ] D __−1and let s ψ 0be the inverse of s ψ0 modulo l. Then the modified GLV method proceeds asfollows:

714 Ch. 29 Mathematical Countermeasures against Side-Channel AttacksAlgorithm 29.8 Randomized GLV methodINPUT: An integer n, the endomorphism ψ, the order s ψ , and short basis v 0,v 1 for {1,ψ}.OUTPUT: The elements ψ 0,ψ 1 and n ′ 0,n ′ 1 such that [n] D __=[n ′ 0]ψ __0( D) ⊕ [n ′ 1]ψ __1( D).1. choose random invertible matrix A2. (ψ 0,ψ 1) t ← A(1,ψ) t and s ψ0 ← (α + βs ψ )modl3. v ′ 0 ← δv 0 − βv 1 and v ′ 1 ←−γv 0 + αv 1 [compute short basis v ′ 0,v ′ 1 for ψ ′ 0,ψ ′ 1]4. s −1ψ 0← (s −1ψ 0)modl5. find n ′ 0,n ′ 1 for v ′ 0,v ′ 1 like in original GLV for (ns −1ψ 0, 0) [use Algorithm 15.41]6. return ψ 0,ψ 1,n ′ 0 and n ′ 1Remarks 29.9(i) The integers n ′ 0 ,n′ 1 obtained by this method are at most 2R times larger as with theoriginal GLV method if α, β, γ, δ are bounded by R.(ii) If det(A) =1, one can use v 0 ,v 1 as short vectors, also with respect to the new basis.A special effect is that the maximal size of n ′ i is at most twice as large as that of n iindependent of the bound R. Note however, that the matrices of determinant 1 are veryspecial.(iii) It is possible to combine both ideas and use this changed basis and an affine translationof the resulting n ′ 0,n ′ 1 to achieve higher randomization.So far the GLV method on hyperelliptic curves is applied only to endomorphisms having a minimalpolynomial of degree 2 instead of the maximal degree of 2g. Hence, the same method also appliesliterally to the hyperelliptic GLV curves proposed so far, and it can be adjusted also for more generalendomorphisms.

Chapter ¿¼Random NumbersGeneration and TestingTanja Lange, David Lubicz, and Andrew WeiglContents in Brief30.1 Definition of a random sequence 71530.2 Random number generators 717History • Properties of random number generators • Types of random numbergenerators • Popular random number generators30.3 Testing of random number generators 72230.4 Testing a device 72230.5 Statistical (empirical) tests 72330.6 Some examples of statistical models on Σ n 72530.7 Hypothesis testings and random sequences 72630.8 Empirical test examples for binary sequences 727Random walk • Runs • Autocorrelation30.9 Pseudorandom number generators 729Relevant measures • Pseudorandom number generators from curves • Otherapplications30.1 Definition of a random sequenceWhat exactly are random numbers? Is number “5” random? In this section as well as in Section 30.4and Section 30.5 we closely follow the exposition of [LUBICZ]. Let Σ={0, 1} and Σ ∗ be the setof sequences of countable infinite length with coefficients in the alphabet Σ. An element of u ∈ Σ ∗can be written as a sequence of 0 and 1:u = u 0 u 1 u 2 u 3 u 4 u 5 ...,with u i ∈{0, 1}. Forn ∈ N, the set of finite binary sequences of length n is denoted by Σ n .Anelement u ∈ Σ n can be written as:u = u 0 u 1 u 2 ...u n−1 .715

716 Ch. 30 Random Numbers – Generation and TestingThe objective of this paragraph is to define among all the elements of Σ ∗ those that are random.Let W k be the map from Σ ∗ in the set of sequences with coefficients in Σ k , which associates tou ∈ Σ ∗ the unique sequence such that:u = w 0 || w 1 || ... || w q || ...with || the concatenation and w i ∈ Σ k .In the following, a sequence of events is defined as a sequence (u n ) n∈N with values in a set Ωwhich will always be finite. The probability denoted byP e [(u n )=x]is the empirical probability that an event is equal to x if the following limit existslimk→∞S k (x), (30.1)kwith S k = ∣ ∣{n k | u n = x} ∣ ∣.If(w n ) is a sequence of words of Σ k ,thenE ( (w n ) ) denotes theShannon entropy function of (w n ),definedbyE ( (w n ) ) = ∑The definition from [KNU 1997] can now be stated.x∈Σ k P e [(w n )=x]ln ( 1/P e [(w n )=x] ) .Definition 30.1 A sequence (u n ) ∈ Σ ∗ is l-distributed for l ∈ N ∗ ,ifE ( W l ((u n )) ) = l or thatfor all x ∈ Σ l , P e [W l ((u n )) = x] = ( 1 l.2)A sequence (un ) ∈ Σ ∗ is then ∞-distributed if it isl-distributed for all l ∈ N ∗ .Temporarily, it can be stated that a sequence is random if it is ∞-distributed. In particular, if (u n )is a random sequence, then W k ((u n )) is an equidistributed sequence of words of Σ k . If a randomsubsequence of length k is picked from a random sequence, then the probability of selecting a givensubsequence is the same for all words in Σ k . This illustrates well the intuitive idea of a randomphenomenon. A consequence of this is that it is impossible to precisely define what is a finiterandom sequence.The link between the statistical tests and the preceding definition of a random sequence canbe shown by rewriting the preceding definition in the terms of probability theory. For that, let(Ω, A,P) be a probability space, which is defined by Ω, a set that is finite, endowed by the discretesigma-algebra, i.e., the one generated by all the elements of Ω and a positive measure P on Aequidistributed and of total weight 1. For this paragraph, Ω will be Σ n , the set of binary sequencesof length n. The probability space is then denoted by (Σ n , A n ,P n ).A random variable is a map X :Ω↦→ R. This endows R with a structure of measured space, andthe induced measure is indicated by the abuse of notation P X . The function, which maps x ∈ R toP [X = x] =P ( X −1 (x) ) is called the law of X. This gives the following alternative definition ofa random sequence, which is just a reformulation of Definition 30.1.Definition 30.2 A sequence (u n ) ∈ Σ ∗ is random if and only if for all random variables from Σ kendowed with the equidistributed law of probability to R and for all x ∈ R there isP e [X ( W k ((u n )) ) = x] =P [X = x].

§ 30.2 Random number generators 717In other words, the empiric law determined by the sequence X(u) follows the theoretical law inducedby the random variable on R by the equidistributed probability law of Σ k . This definitiongives a general principle that underlies statistical tests in order to assess if a sequence is random:some random variables are defined on the sets Σ k , k being an integer endowed with the equidistributedprobability. This gives a law on R that is able to be computed or approximately computedthanks to the results from the probability theory. Most of the time, this law will use a Gaussian ora χ 2 distribution. This law is then compared, for example, using a test of Kolmogorov–Smirnov, tothe empiric law, obtained from the limit in (30.1), which is approximated with a computation on asample finite sequence.The problem is that the preceding general principle is asymptotic by nature: as by definition all thesequences of fixed length l have the same probability to occur in a random sequence. Without anyfurther hypothesis, it is not possible to distinguish a random sequence from a nonrandom sequenceonly having a finite subsequence. It is important to remember two main ideas: an infinite sequencecan be associated with a probability distribution on the space of finite sequences of length l and aproperty for all random sequences of length l is that they have a uniform distribution.As noted in [KNU 1997], the definition of a random sequence that has been stated does not catchall the properties that may be expected from a random sequence. For instance, let u ∈ Σ ∗ be a∞-distributed sequence and let u 0 be the sequence deduced from u by forcing to zero the bits ofrank n 2 , n 2. Then it is easy to see that the sequence u 0 is also ∞-distributed and is not random,because the value of some of its bits can be easily predicted apriori. However, even if the definitiondoes not catch the unpredictability notion that is expected from a random sequence, it is enough forthe purpose of statistical tests.The next section will take a closer look at generating random sequences and the testing to see ifthese generators are operating properly.30.2 Random number generators30.2.1 HistoryProgress in generating random number sequences has been significant. However, people are stilltrying to figure out new methods for producing fast, cryptographically secure random bits. Beforethe first table of random numbers was published in 1927, researchers had to work with very slowand simple random number generators (RNG), like tossing a coin or rolling a dice. Needless to say,these methods were very time consuming. It was not until 1927 when Tippetts published a tableof 40,000 numbers derived from the census reports that people had access to a large sequence ofrandom numbers.This lack of a ready source of random number sequences led people to try and create moreefficient means of producing random numbers. In 1939, the first mechanical random number machinewas created by Kendell and Babington–Smith. Their machine was used to generate a table of100,000 numbers, which was later published for further use. The practice of using random numbermachines to generate tables of random numbers continued with the publishing of 1,000,000 digitsby the Rand Corporation. Their generator could be best described as an electronic roulette wheel.The first version produced sequences with a statistical biases. The Rand Corp had to optimize andfix their machine, but even after this the new sequences showed a slight statistical bias. However,the random sequences were deemed to be “good enough.”Even though tables provided researchers with a larger selection of random numbers, this methodstill had its drawbacks. It required large amounts of memory, since each random number had tobe preloaded into memory, and it took a long time to input the data. At this point, RNG researchbranched into two paths: the algorithmic approach and the sampling of physical systems. The

718 Ch. 30 Random Numbers – Generation and Testingalgorithmic approach looked into producing random numbers by using the computer’s arithmeticoperations, and this led to the creation of deterministic random number generators or pseudorandomnumber generators. Sampling of physical systems, however, looked at how to create statisticallyacceptable sequences from natural random sources. These random number generators are called“true” random number generators, since they are based on a truly random source.Remark 30.3 A detailed time for the random number machine can be found in [RIT].30.2.2 Properties of random number generatorsWhen looking at a random number generator, how is it possible to determine if it is a source ofrandom numbers? Four properties distinguish a random number generator from just an ordinarynumber generator. The best way to illustrate these properties is to examine a simple random numbergenerator. One of the most recognized and used RNG is the coin toss; if the coin is assumed to be“fair.”By giving the coin a “0” and “1” for each side, it can be used to generate a random binarysequence. One of the first properties noticed is that the result from each toss is not affected, in anyway, by the previous tosses. This means that if ten ones are tossed in a row, the probability of tossingan eleventh one is still 50%. This example illustrates the property of independence: previous resultsdo not affect future results.Random number generators can be designed to produce any range of values, or distribution.When examining the output of common RNGs, the values usually fall into a uniform distribution,which means that they have an equal probability of obtaining any of the values in the specifiedrange. This distribution does not need to be uniform; for some simulations a designer may wish toproduce a random sequence following a normal or other distribution. For cryptographic applicationsit is important that the distribution is uniform. Using a nonuniform distribution allows a hacker toconcentrate on a smaller group of numbers to attack the system.There are physical and computational limits to the size of numbers that an RNG can create. Theselimitations impose a natural boundary on the RNG and once it has reached these limits, the RNGrepeats its output. This defines the period of the RNG. A well designed RNG will only be boundby the hardware limits. If the RNG is designed without taking care, there can be multiple sequencegroups that the RNG could produce, with each group less than the ideal period.The size of random sequences required is dependent upon the desired application. Cryptographicapplications require relatively small sequences, in the range of 1024 bits depending on the algorithm,whereas simulations require extremely large sequences. A good example is the Monte Carlosimulation, which may require random sequences up to a billion bit bits in length, or even more.Therefore, RNGs need to be very efficient and must quickly generate numbers.The next sections examine the different properties of three classes of random number generators:pseudo, true, and cryptographic random number generators. Each has its own unique requirementsand restrictions.30.2.3 Types of random number generators30.2.3.aPseudorandom number generatorsAs mentioned in the history of RNGs (cf. Section 30.2.1), development of random number generatorsbranched with the advent of computers. Researchers looked for methods to create large randomsequences by using algorithms. Using such algorithms, they were able to make sequences, whichmimic the properties of “true” random generators. Since they were created with a deterministic

§ 30.2 Random number generators 719equation, they could not be called “truly” random. This led to a new class of generators, calledpseudorandom number generators (PRNGs).Compared to true random number generators, PRNGs are easier to implement in both hardwareand software, and they also produce large sequences very quickly. In [ECU 1998, ECU 2001], thePRNG is described as a structure of the form (X, x 0 ,f,f t ,f o ,Z) where X is the finite set of stateswith a distribution of δ. The element x 0 ∈ X is called the initial state or seed. Using the transitionfunction f t and the output function f o as shown in Algorithm 30.4 a pseudorandom sequence canbe generated, (z 0 ,...,z n ) with z i ∈ Z and Z =[0, 1) as the output set.Algorithm 30.4 A pseudorandom number generatorINPUT: An integer n and a seed x 0.OUTPUT: A pseudorandom sequence (z 0,...,z n) with z i ∈ Z.1. for i =0 to n do2. x i+1 ← f t(x i)3. z i ← f o(x i)4. return (z 0,...,z n)The benefit of the PRNG is its ability to quickly produce large sequences of statistically randomnumbers. This is very important for running simulations when input data may require millions oreven billions of random values. Caution must be taken when using pseudorandom number generatorsfor cryptographic applications. Attacks have been published that are able to reveal the secretgenerator values for some types of pseudorandom generators, which then enables a hacker to accuratelyreproduce the sequence. Cryptographic secure RNGs will be looked at in Section 30.2.3.c.30.2.3.bTrue random number generatorsA computer algorithm can only create pseudorandom sequences. However, there exist a variety ofphenomenons related to a computation that are nondeterministic. Some examples are noise generatedby a transistor, a dual oscillator, air turbulence in a hard drive, or capturing user input onthe computer. Whatever the source of natural entropy, the data need to be digitized and convertedinto a working space, often a binary sequence. True random number generators provide a sourceof random numbers that is impossible to predict (nondeterministic), but at the cost of the sequencegeneration speed. Therefore, these generators are generally suitable for cryptographic applicationsbut unsuitable for simulations. The use of natural entropy is a good source of randomness, but caremust still be taken to examine the sequence for other weaknesses: correlation or superposition ofregular structures. To overcome these weaknesses, RNG sources are mathematically altered to maskweaknesses in the digitized analogue signal. Table 30.1 shows the characteristics of both pseudoandtrue random number generators.Table 30.1 Characteristics of pseudo- and true random number generators.True RNGPhysical random sourceSlowHard to implementPseudo-RNGDeterministic algorithmFastEasy to implement

720 Ch. 30 Random Numbers – Generation and Testing30.2.3.cCryptographic random number generatorsCryptography has taken on a new importance as more personal and financial information is availablein digital form. The strength of encrypted messages depends on many factors, one of which isthe random number sequence used in key generation. Many people believe that the random numbergenerator, provided with their compiler or mathematical package, is good enough. However,research has shown that they are very insecure for cryptographic applications. An example of aninsecure RNG is where an attacker, who knows the pseudorandom algorithm and has a generatedsequence, can take this information and calculate future values. With these values the attacker cancalculate a secret key.Cryptographic random number generators have an added property compared to other generators.They need to be unpredictable, given knowledge of the algorithm and previously generated bits.These properties can be found in both pseudo- and true random number generators. Often themost efficient method of creating secure cryptographic random number sequences is by using acombination of the two types of generators.30.2.4 Popular random number generatorsThis section describes three common random number generators, but there are many more available[FIPS 140-2, MEOO + 1996, RUK 2001, KNU 1997, ENT 1998]. Care must be taken to selectthe correct generator for the required application.30.2.4.aLinear congruential generatorThe linear congruential generator (LCG) is a classic pseudorandom number generator and has beenpublished in many journals and books [KNU 1997, CAR 1994, ENT 1998]. The LCG can be fullydescribed using the following formula:X n =(aX n−1 + c) modmwith a the multiplier, c the increment and m the modulus. Care has to be taken when selectingthe constants since it is very easy to create a poor random generator. This generator is so popularbecause it is simple to implement in both software and hardware after having selected the constants.Another benefit of this algorithm is its low memory requirement, since only the last value and thesecret constants are required to calculate a new value. Knuth [KNU 1997] dedicates a large portionof the chapter on LCGs to the selection of each constant.Table 30.2 is a list of popular linear congruential generators. The constants used and the qualityof the generator are shown along with the generator’s name. Two noteworthy LCGs are the RANDUand the ANSI-C generators, which can still be found in many mathematical packages and compilers.Both generators have been extensively researched and it was found that their quality is very poor.Park and Miller [PAMI 1998] describe the RANDU as:“RANDU represents a flawed generator with no significant redeeming features. Itdoes not have a full period and it has some distinctly non-random characteristics.”As for the ANSI-C generator, it was found to be very nonrandom at lower bits.30.2.4.bBlum–Blum–Shub generator (computationally perfect PRNG)The Blum–Blum–Shub (BBS) generator is an example of a class of provably secure random numbergenerators. It works under the complexity theory assumption that P ≠ NP. The BBS generator was

§ 30.2 Random number generators 721first published in 1986 by Blum et al. [BLBL + 1986], where they showed that a quadratic residueof the form:X n+1 = X 2 n mod mis very easy to calculate in the forwards direction. However, the backwards calculation of findingthe square root of a number modulo m,whenm is large, is very difficult. The modulus is m = p 1 p 2 ,where p 1 and p 2 are large Blum prime numbers. Blum primes are prime numbers, satisfying:p ≡ 3 (mod 4)as −1 is not a square modulo p.The BBS generator is targeted towards cryptographic applications, since it is not a permutationgenerator, which means the period of the generator is not necessarily m − 1. This makes the BBSgenerator not suitable for stochastic simulations.Table 30.2 Popular LCGs.ConstantsGenerator a c m seed Good/PoorRANDU 65539 0 2 31 PoorANSI-C 1103515245 12345 2 31 12345 PoorMinimumStandard16807 0 2 31 − 1 Good[PAMI 1998]Note: Good and bad and generators are rated on how well they pass empirical tests.30.2.4.cCryptographic RNG (hardware RNG)All previous examples of random number generators used deterministic algorithms. These generatorsstatistically act like true RNGs but in fact are not. In order to be thought of as a true randomnumber generator, the source of bits needs to be nondeterministic, which is usually achieved bysampling a natural stochastic process. There are many sources of natural randomness, includingmeasuring radioactive decay, thermal noise, or noise generated by a reversed biased diode.The problem with nondeterministic random sources is the possible presence of biasing, whichmeans that ones or zeroes occur more often. A variety of methods have been developed to reducethe effect of biasing. A few common methods include the XORing of successive bits using the vonNeumann algorithm [DAV 2000], or XORing the nondeterministic bit stream with the bits from acryptographically secure random number generator (see Figure 30.3).Hardware random number generators tend to be slower than their pseudorandom counterparts.However, for cryptographic applications, which may need only a few thousand bits, this is usuallynot a factor. For applications that need many random digits, hardware random generators aregenerally too slow.Remark 30.5 There are many implementations of hardware cryptographic random number generators[DAV 2000, INTEL 8051, CR 2003].

722 Ch. 30 Random Numbers – Generation and TestingFigure 30.3 Cryptographic hardware design.Pseudorandomnumber generatorAmplifier &DigitizerXOR(Combine sequence)OutputNon−deterministicsourceCorrector− Xor− von Neumann30.3 Testing of random number generatorsThere are two methods for testing a random number generator. One is to treat the generator as ablack-box and only examine a portion of the resulting sequence, this is called empirical testing. Theother method is to open the box and examine apriorithe internal structure. This type of testingis called theoretical testing. Both empirical and theoretical tests use statistical tests, but they differin the length of a sequence they examine. For theoretical tests, the full period of the generator isused; therefore, they detect global nonrandomness. Not all statistical tests are suitable for this typeof testing.Empirical testing is used to detect local nonrandomness. It is used to examine subsequences oflength a lot less than the full period. Often these tests are used during the operation of the RNGto determine if the generator is still functioning properly, or as a quick test of a newly selectedrandomness generator. When selecting a RNG for an application, if possible, it is best to use boththeoretical and empirical testing. This then helps to avoid both local and global abnormalities.30.4 Testing a deviceThis section presents a definition of the mathematical objects that represent the device under test.A source S T is the mapping from a parameter space T in the set Σ ∗ to a binary sequence of infinitelength with either discrete or continuous parameter space. In the case of a physical generator Tthere can be a set of continuous variables that describes the state of the RNG (temperature of thecircuit, position of each of the bits). For a LFSR, T is the discrete space describing the initializationvector, the polynomial of retroaction, and the filtration function.For an infinite binary sequence there can be associated for all n ∈ N ∗ a probability distribution onΣ n given by the definition of the empiric probability of W k ((u n )). In particular, a source defines amap from the set of parameters T to the set of probability distributions on Σ n for all n. This justifiesthe following definition:

§ 30.5 Statistical (empirical) tests 723Definition 30.6 Let T be a set of parameters, the statistical model on Σ n is the data for all n ∈ N ∗with a probability distribution denoted by P n t for t ∈ T on the set Σ n .In practice, the set of parameters can take into account the normal operation of the source as well asflaws. It is possible that the source can produce sequences with good statistical properties for somevalues of the parameter in T and poor statistical properties for the other values of T . For instance,a physical random generator can be built so that the output bits have a bias p independent of thepreceding draws. It outputs “1” with a probability of p and a “0” with a probability of q =1− p. Ahard to control production process may influence the parameter p. Therefore, a means is needed toassess the generator and reject any source that has a parameter p too far from 1 2·30.5 Statistical (empirical) testsOften it is not possible or feasible to look at the physical structure of the random number generator;for example, when the RNG needs to be tested before each operation. The only method to determine,to any degree of certainty, if the device is producing statistically independent and symmetricallydistributed binary digits, is to examine a sample sequence of a given length n. In[MAU 1992] theidea is presented where a statistical or empirical test T is an algorithm that has as input a binarysample sequence and produces as output an “accept” or “reject” decisionT : B n →{“accept, “reject”} (30.2)where B is a binary set of {0, 1}. Using this function, all the possible binary sequences x of lengthn, x n = x 1 ,...,x n are divided into two subsetsandA T = {s n |T (s n )=“accept”} ⊆B n (30.3)R T = {s n |T (s n )=“reject”} ⊆B n (30.4)with A T being the set of accepted or “random” sequences and R T being the set of rejected or“nonrandom” sequences.Hypothesis testingThe method used to determine whether a device is operating properly, as a binary symmetric source,or is malfunctioning, is to test a parameter using the theory of hypothesis testing. The first step ofthis testing method is to calculate a test parameter by comparing the estimated parameters froma sample sequence for the given statistical model to the parameters for a binary stationary source.The sample is then accepted or rejected by comparing the test parameter to a probability distributionfrom a binary symmetric source.Remark 30.7 Randomness is a property of the device being tested, not of the finite sequence.The researcher wishes to test the hypothesis that the device’s parameter follows the parameter ofthe theoretical distribution. For hypothesis testing, the null hypothesis, H 0 , is the claim that thesequence is acceptable as random, while the alternative hypothesis, H a , states that the sequence isrejected. This hypothesis is in a general form and can take on a wide variety of parameters. Oneexample is the examining of the population mean of the sample sequence and comparing it to thedistribution of the mean for a binary symmetric sequence, µ 0 . The hypothesis can then be writtenas follows:H 0 : µ = µ 0 H a : µ ≠ µ 0 .

724 Ch. 30 Random Numbers – Generation and TestingIn order to decide between H 0 and H a , the researcher needs to first determine the error threshold orsignificance level α. This level indicates the probability the researcher is willing to take in rejectingatrueH 0 . For a significance level of α =0.001, the probability is that one sequence in a thousandwill be rejected when in fact it should be accepted. This level is also called a Type I error.Figure 30.4 Parameters α and β for a statistical test.β0000011111 α1110000011111 0101000 111 00000111110000011111 0101µ00000111110µ aThe next step in hypothesis testing is to calculate the statistical test. This step is dependent on thedata under study. From the previous example, using the mean, the statistical test can be calculated byexamining the sample mean, x; the sample variance, s 2 ; the theoretical mean from a truly randomsequence, µ 0 ; the theoretical variance, σ 2 ; and the sample size, n. The statistical test is then asfollows:|Z| =∣∣ ∣∣∣∣>Zα2x − µ 0σ√ nThe rejection region works by examining the sample mean and determining whether there are toomany standard deviations, more than Z α2 , from µ 0. The rejection region can be seen in Figure 30.4and if the statistical test falls in this region, then the null hypothesis is rejected in favor of thealternative hypothesis.Often empirical tests described in the literature use a value called the P-value, to determinewhether the sample sequence should be rejected or not. The significance level, as described inthe last paragraph, is the boundary value between acceptance and rejection of the null hypothesis:P>α,H 0is acceptedP α, H 0 is rejected.Hypothesis testing can have two possible conclusions; the test accepts H 0 or it accepts H a . As canbe seen in Table 30.5, there are two possible errors that may arise. The Type I error has already beendiscussed and it is the significance level of the test. Type II error β is the probability that the deviceis random, when it is not. The goal of the statistical test is to minimize the possibility of both typesof errors. When dealing with statistical tests, the researcher is often able to set the sample size andone of the two types of errors, usually the Type I error. Setting the two points produces a β as smallas possible. It is not possible to determine the β probability, which means that it is only possible todraw a firm conclusion about the Type I error. However, if the statistical test does not fall inside therejection region, it can be stated that there is insufficient evidence to reject H 0 . The null hypothesisis not affirmatively accepted, since there is a lack of information about the Type II error.

§ 30.6 Some examples of statistical models on Σ n 725Table 30.5 Type I and II errors.DecisionReject H 0 Do not reject H 0H 0 true Type I error CorrectH 0 false Correct Type II errorΣ n30.6 Some examples of statistical models on Σ nThis paragraph presents some statistical models currently used (sometimes in an implicit way) inthe definition of random sequence tests. Further information can be found in [MAU 1992,LUBICZ].A random variable X is said to be binary if its values are in the set B = {0, 1}. In that case,the distribution of probability defined on B is given by a unique parameter called the bias of X,which is by definition P [X =1].LetX 1 ,...,X n ,...be a sequence of binary independent randomvariables. They define a distribution of probability on Σ n . When all these random variables havethe same bias, the previous distribution depends only on the parameter p.This model describes a binary memoryless source (BMS) that outputs independent random variableswith a bias p. As stated, a BMS defines a distribution of probability on the sets Σ n dependingon the parameter p, and is therefore a statistical model on Σ n . A particular case of a BMS is thebinary symmetric memoryless canal, which corresponds to the parameter p = 1 2·Another model is the Source Transition (ST) that outputs a sequence of binary random variablesX 1 ,...,X n ,...of parameter 1 2 such that P [X i + X i+1 =1]=p and P [X i + X i+1 =0]=1− pfor i ∈ N.Generally, a source can produce a sequence of binary random variables X 1 ,...,X n ,... suchthat the conditional probability of X n given X 1 ,X 2 ,...,X n−1 depends only on the last m bits,i.e., such thatP Xn|X n−1...X 1(x n |x n−1 ...x 1 )=P Xn|X n−1...X n−m(x n |x n−1 ...x n−m ). (30.5)The least m satisfying this preceding property is called the memory of the source S and Σ n =[X n − 1,...X n−m ] is the state at the time n. Therefore taking the sequence (X n ) n∈N is equivalentto consider an initial state Σ m−1 , represented by the trivial random variables [X m ,...,X 0 ] (theirweight being totally concentrated either on 0 or 1) as well as a distribution of probability for thetransition of states P Σn|Σ n−1for all n greater than m. If this last probability is independent of n,then the source is classified as stationary. So, a stationary source is completely described by itsinitial state and P Σm+1|Σ m.The set of states is a particular case of a Markov chain, with the restriction that each state canhave only two successors. If this Markov chain is ergodic, the limit of the distribution of probabilityon the set of states converge towards a limit. Let the integers between 0 and 2 m−1 represent the setof possible states of the sources, then the Chapman–Kolmogorov equations give:limn→+∞ P Σ n(j) =p jwhere the p j are the solution of a system of 2 m equations:2∑m −1j=0p j =0, (30.6)

726 Ch. 30 Random Numbers – Generation and Testingp j =2∑m −1k=0P Σ2|Σ 1p k , for 0 j 2 m − 2. (30.7)There are two interesting points to consider with the statistical model of ergodic stationary sources:• this model seems to be the most general of the models presented. In particular, it containsthe BMS and ST models.• this model has been extensively studied in the field of information theory. In particular,it is possible to compute its entropy.30.7 Hypothesis testings and random sequencesIn the previous sections it was stated that all the statistical models that can be used to carry outstatistical tests on a binary sequence describe, for a given parameter value, a distribution that isverified if the random variables are Bernoulli with a parameter equal to 1 2.From[LUBICZ], the linkbetween the theory of hypothesis testings and random sequences is given as follows: a statisticalmodel is adapted to the device that is under test, an H 0 chosen so that the values of the parametersof the model are verified if the random input variables are Bernoulli with a parameter of 1, 2and asalternative hypothesis there is a large deviation from this 1 2 value.For example, if it is known that the statistical model of the device is a BMS, the monobit frequencytest can be used on its own: this is the best test associated to this model. It may happen thatthe statistical model is more general and includes several different tests. For instance, the BMS iscontained in the general model of a stationary ergodic source with a certain amount of memory. Inthis case, the advantage of the more specific test is that it is more powerful. However, it may notdiscover deviations in the parameters that it does not control. Therefore, it is important to first usethe more specific tests and then the more general ones. It amounts to restraining the variance, insome direction, of the parameter space.In general, the use of the techniques of hypothesis tests in order to verify the random quality of asource is characterized by:• the choice of a statistical model based on the operation of the device• the use of only a small number of tests (one or maybe two) that are associated with thestatistical model.It should be pointed out that this general technique does not describe the set of available proceduresin order to test a random number generator. It is apparent that it is difficult to attach a statisticalmodel to some tests that are widely published and recommended. Moreover, in the available testsuites it is quite common to use many different tests. In practice, it is often difficult to prove thata certain physical device corresponds to a given statistical model apart from very general models,which then leads to tests of very poor quality.In the case where no statistical model is available, it is possible to use the property that the estimatorscomputed by the tests are consistent. Then, under the assumption of the Bernoulli distributionwith a parameter equal to 1 2(BSS), the property that the sequence is ∞-distributed can be checkedby the convergence in probability of certain estimators. Therefore, it is possible to use a group ofseveral tests, so that each of them, with a given probability, outputs a pass for a random sequence.It should be noted that it is not easy to compute the rejection rate of a full test suite, because theestimators of different tests are often extremely nonindependent. This rate can, nevertheless, beestimated by stochastic simulations.The reader should keep in mind that if the device is not provided with a statistical model and if thestatistical tests cannot be interpreted with respect to the cryptographic use of the random sequence,

§ 30.8 Empirical test examples for binary sequences 727the rejection zone selected by the statistical tests is totally arbitrary. If we have a statistical model,the rejection zone is chosen to contain most of the weight of probability when the device is faulty.But, if we do not know this statistical model, it may happen, on the contrary, that the rejectionzone contains sequences with a low probability of appearance: this means that the probability ofpassing the test is higher when the device is faulty. In this respect, a statistical test is nothing buta convenient way to choose a certain proportion of sequences in the set of all binary sequences ofa given length. In particular, if the tests do not pass, it is difficult to pronounce with any degree ofcertainty that there is no systematic interpretation of the result of the tests.It is also important to realize that a random test may undermine cryptographic security in someapplications. The problem is that, if a statistical test is used to filter the flux of a random generator,it introduces a bias that is very easy to detect by using the same test. A practical example of this isgiven to draw the reader’s attention to this topic.Example 30.8 The user may want to cypher the content of a hard drive by using a strong symmetricencryption function. It may be required that an intruder, who does not posses the secret key, is notable to distinguish the written sectors on the hard drive from the blank ones. One way to implementthis functionality is to consider the symmetric encryption function as a pseudorandom function.Therefore, a random number generator can be used to write random noise on nonwritten sectors ofthe harddrive. If the output of this random number generator is filtered by a statistical test with, forinstance, a rejection rate of 1%, this means that 1% of the sequences of a given length will neverappear in the nonwritten sectors of the harddrive, but will be present in the written sectors. Thisallows an attacker to find the distinguishing point between the written and nonwritten sectors veryeasily.30.8 Empirical test examples for binary sequences30.8.1 Random walkThe last example of counting the number of ones in the 100-bit sequence is an example of anempirical test based on the random walk. The random walk, Y n , is the sum of independent Bernoullirandom variables, X i . It can be written:n∑Y n = X i (30.8)i=1Using the Central Limit Theorem and the De Moivre–Laplace theorem, a binomial sum, normalizedby √ n, follows a normal distribution, if the sample size n is large. This can be written as:( )lim P Yn√ y = 1 ∫ y√ e − h22 dh = f (y) . (30.9)n→∞ n 2πThis theory is the basis for one of the simplest but most important statistical tests, the frequency(monobit) test. The null hypothesis for this test states that a sequence of independent, identicallydistributed Bernoulli variables will have a probability:−∞P (X i =1)= 1 2· (30.10)As already mentioned in previous sections, this statistical test is based on the model for a binarymemoryless source.

728 Ch. 30 Random Numbers – Generation and TestingAnother implementation of the random walk is a variation on the previous frequency test calledthe frequency block test. This test performs multiple frequency tests on smaller, equally distributedsubsequence blocks of the main sample sequence. This allows the detection of localized deviationsfrom randomness. The sample sequence is divided into n sets of m bits. The number of ones in eachm sequence is counted, π i . A test characteristic is then calculated by using the following formula:n∑(πiX =4mm − 1 ) 2· (30.11)2i=130.8.2 RunsTests based on the runs property observe the trend of a sequence. There are many variations of theruns test; a run can be treated as a grouping of ones and zeroes in a binary sequence, or it could alsorefer to the grouping of the sequence into subsequences, which end when the trend changes fromascending to descending or vice versa. These are only two examples of the many different forms inwhich a run can be defined.For binary sequences, the FIPS 140-2 standard provides a runs test, which is a one parameter test,contained in a model of a stationary ergodic source with a memory of 6 bits. The runs test countsthe length of runs of one and zero in the sequence and then compares the results to a precalculatedrange. The test inspects a sequence to see if the oscillations between the zeroes and ones are toofast or too slow.As published in [MEOO + 1996], the statistical test is calculated by first counting the length,i, of each run for both zeroes, G, and ones, B. A sequence of length n will have an expectednumber of runs, e i , for each length i. The following formulas show how to calculate e i and the testcharacteristic:X =e i =k∑ (B i − e i ) 2+e ii=1(n − i +3)2 i+2 , (30.12)k∑ (G i − e i ) 2· (30.13)e iRepeating bits are stored and counted until a change is noticed. If the run has a length of greaterthan six, then it is treated as a run of length six. If using the FIPS 140-2 suggested sequence lengthof 20,000 bits, then Table 30.6 can be used as acceptance ranges. Should any of the run’s count falloutside of the acceptable range, then the sequence is rejected.The turning point test is another type of run test and it can be found in [KAN 1993]. This testcounts the number of turning points (peaks and troughs) in a sequence. To calculate the statisticaltest, the number of samples tested needs to be large. This allows for the assumption of a normaldistribution with a mean of µ = 2 3 (n − 2) and a variance of σ2 = (16n−29)90· The test characteristiccan then be calculated with the following:X =¯x − µ∣ σ ∣ · (30.14)i=130.8.3 AutocorrelationVisually, it is possible to detect regular waveforms as nonrandom. How can this property be automatedfor randomness testing in applications? One method is to compare the signal with a shift copy

§ 30.9 Pseudorandom number generators 729of itself, which is the autocorrelation function. A random sequence will have very little correlationwith any copy of itself.Table 30.6 FIPS 140-2 intervals for runs test.Length of run (i) Required interval1 2343–26572 1135–13653 542–7084 251–3735 111–2016+ 111–201The autocorrelation test, as described in [MEOO + 1996], checks for the correlation between thecurrent sequence and a shifted version. The statistical model for this test is the source transitionmodel. It operates by taking a sample sequence and XORing with a d delayed version of itself.With a large sample, n,andn − d 10 the statistical test can again be assumed to follow a normaldistribution. The test characteristic is calculated using the following formulas:A(d) =X =2n−d−1∑i=0s i XOR s i+d (30.15)( )A (d) −n−d2√ · (30.16)n − dRemark 30.9 The empirical tests presented here are only a small fraction of what is available inliterature. Three randomness test suites have been created to help evaluate the selected randomnumber generators:• NIST statistical test suite [RUSO + ],• The diehard battery of strigent statistical randomness tests [MAR],• ENT: A pseudorandom number sequence test program [ENT 1998].30.9 Pseudorandom number generatorsThe previous part introduced physical mechanisms to build true unbiased random number generatorsand detailed test suites such generators have to pass. In this section pseudorandom numbergenerators based on curves are considered. A pseudorandom number generator (PRNG) is a deterministicalgorithm taking as input some (truly random) seed and producing a sequence of numbersthat satisfies certain statistical properties. Here “statistical properties” are meant in a really broadsense. An important requirement, called unpredictability, is that one should not be able to computefurther elements given a substring of the sequence. Another requirement, called indistinguishability,is that the sequence should resemble a truly random sequence, i.e., one should not be able todistinguish a sequence generated by a PRNG from a random sequence.

730 Ch. 30 Random Numbers – Generation and TestingIt is important to note that there is a whole wealth of other pseudorandom number generators basedon much cheaper devices, e.g., on shift register sequences. Some popular ones are briefly describedin Section 30.2.4. In this section only applications of elliptic and hyperelliptic curves are considered.One of the advantages of these generators is that one can base their security on well-studiedproblems like the ECDLP or the ECDHP. On the other hand, their use as building blocks for pseudorandomnumber generators is less studied and thus it might bear further disadvantages besidesbeing rather complicated. Some of the following algorithms are generalizations from PRNGs overfinite fields. Just as with the normal DLP, the advantage of using curves is the smaller field size forthe same level of security.This section studies sequences of random points on elliptic curves or of random divisor classeson hyperelliptic curves. Let E : y 2 = x 3 + a 4 x + a 6 be an elliptic curve over a finite field of oddcharacteristic F q . Assume that x 3 + a 4 x + a 6 has a root α ∈ F q .ThenP =(0,α) is as random asany other point even if it is clearly not a random point in our usual understanding as, for example,the multiples of P alternate between P and P ∞ . Therefore, like in the previous section, measuresare needed to determine the (pseudo-)randomness of such sequences. For applications to generaterandom numbers one will usually only use the x-coordinates of the points.This study also serves a second purpose — if the sequence of powers of an element would turn outto be biased (for instance some bits were fixed for certain multiples) the discrete logarithm problemwould be weaker than assumed as some bits of the exponent would leak.Furthermore, there are many more results on pseudorandom sequences from curves published inthe area of stream ciphers [NIXI 2001, NIE 2003] that will not be studied within the scope of thisbook.30.9.1 Relevant measuresThis section gives some basic definitions concerning pseudorandom sequences. In particular, itdefines expressions to measure their quality. First, note that a sequence over a finite field for whicha sequence element depends deterministically on the previous ones needs to have a finite period,i.e., there exist some integers N and t such that s(i + t) =s(N + i + t) for all i 0. The integerN is called the period and t is called the preperiod; in the applications studied here one usually hast =0.Definition 30.10 Let S = {s(0),s(1),...,s(N − 1)} be a sequence of elements of F q and letα ∈ F ∗ q.Thebalance of S with respect to α is defined in the following way:B S (α) = 1 NN−1∑i=0ζ Tr Fq /Fp (αs(i))p ,where ζ p =exp(2πi/p) denotes a primitive p-th root of unity.Furthermore, the balance is defined to beB S =max{|B S (α)|}.α∈F ∗ qSo the balance is the largest absolute value of character sums with nontrivial additive characters oforder p. Asthethep-th roots of unity sum up to zero ∑ p−1i=0 ζi p =0, the balance evaluates to zero ifeach element of F p appears equally often as trace Tr Fq/F p(αs(i)) for some element of the sequence.If some elements occur more often than others, the balance gives a measure of the bias.The autocorrelation was already introduced at the end of the previous section. The followingdefinition provides a more concrete formula.

§ 30.9 Pseudorandom number generators 731Definition 30.11 Let {s(0),s(1),...,s(N − 1)} be a sequence S of period N defined over thefinite field F q . Furthermore, let α, β ∈ F ∗ q.The autocorrelation with respect to α and β of a sequence is defined as follows:with 0 d

732 Ch. 30 Random Numbers – Generation and TestingDefinition 30.14 The linear complexity L(S) of an infinite sequence S = s(i),i =0, 1,... over aring R is the length of the shortest linear recurrence relation, i.e., L(S) =l if and only ifs(i + l) =a l−1 s(i + l − 1) + ···+ a 0 s(i), for i = t, t +1,...,with a 0 ,...,a l−1 ∈ R, which is satisfied by this sequence and l is minimal with this property. Here,t is the preperiod and thus usually t =0in our examples.30.9.2 Pseudorandom number generators from curvesThroughout this section E denotes an elliptic curve and P ∈ E is a point of order l. In the sequel,different ways to construct sequences S of points are presented. They can be used to constructsequences of field elements by considering only x(P ) ∈ F q ,thex-coordinate of P , maybe afterdiscarding some bits. The references to balance, correlation and discrepancy assume this conversionto be done. One can also consider the distribution of the coordinate tuples (x, y).30.9.2.aThe linear congruential generatorIn 1994, Hallgren [HAL 1994] proposed a linear congruential generator from an elliptic curve.Gong, Berson, and Stinson [GOBE + 2000] study binary sequences derived from this generatorwhere they use the trace to map to F 2 . This study has been extended in [BEDO 2002, ELSH 2002,GOLA 2002, HESH 2005, KOSH 2000].The linear congruential generator builds a sequence of points on E by the rule s(0) = P 0 forsome point P 0 ∈ E and s(i) =P ⊕ s(i − 1) = [i]P ⊕ P 0 .Obviously, for this generator one can obtain the next element in the sequence given the twoprevious elements, as this reveals the difference P . To avoid this problem, one additionally uses afunction f ∈ F q (E) from the function field of E, i.e., a function that can be evaluated at points ofthe curve. If the function is kept secret and subsequently evaluated at the points s(i) one obtainsa sequence of field elements that (presumably) cannot be reconstructed. To scramble the resultseven further and to allow a better analysis, most authors propose to apply the trace Tr Fq/F pto theresulting field elements, mapping them to the smaller field F p .Clearly the distribution of the sequence depends a lot on the function f, i.e., the most strikingexample being a constant function f.The following part briefly outlines the first construction of [GOBE + 2000] and states some results(the proofs can be found in the original papers). The authors suggest using a binary supersingularcurveE : y 2 + y = x 3 + a 4 x + a 6 over F q = F 2 d with d odd,and let P = P 0 be a generator of E(F q ) with ord(P )=|E(F q )| = v +1. The sequence is aninterleaved sequence given bys(2i) =Tr ( x([i]P ) ) ,s(2i +1)=Tr ( y([i]P ) ) , for 1 i vwhere x(P ) and y(P ) are the x- andy-coordinate of P , respectively.For this sequence they prove that the period is maximal, namely equal to 2v.For the more special curve E 1 : y 2 +y = x 3 they use |E 1 (F 2 d)| =2 d +1and for odd d =2m+1they show that the number of of 1’s and 0’s in S is equal to 2 d + − 2 m , respectively. Hence, the biasis small but not negligible.Beelen and Doumen [BEDO 2002] consider curves of arbitrary genus over arbitrary finite fields.The following is a simplified version for elliptic curves. The full version can be found in the paper(cf. also [KOSH 2000]).

§ 30.9 Pseudorandom number generators 733They define a whole family of PRNGs by using functions f ∈ F q k(E) inside the trace map. AsTr(a p − a) = 0 for all a ∈ F q k, one can change the function f to f − h p + h for arbitraryh ∈ F q k(E) without changing the value. If (f − h p + h)(Q) is not defined for any such h, put(f − h p + h)(Q) =0in the definition below.Definition 30.15 Let E be an elliptic curve defined over F q k.LetP be a generator of a prime ordersubgroup of E(F q k) and denote its order by l. Letf ∈ F q k(E). The sequenceS AS (f,P) ={s(i)} 0i

734 Ch. 30 Random Numbers – Generation and TestingDetermining e, which is the obvious way to compute the next element of the sequence, correspondsto solving the discrete logarithm problem. Given a part of the sequence, one needs to solve a problemrelated to the Diffie–Hellman problem in order to compute further elements of the sequence.The statistical properties like discrepancy are studied in [LASH 2005a].It is easy to see that the period of this sequence equals T =ord l (e), the multiplicative order of emodulo l.Theorem 30.20 Let E be a non-supersingular elliptic curve defined over F q and let P be a point oforder l. Then, for any integer ν 1, the bound∆ e (S PG ) ≪ T 1−(3ν+2)/2ν(ν+2) t (ν+1)/ν(ν+2) q 1/4(ν+2) (ln p +1) γholds for the discrepancy of the sequence S PG .From the discrepancy one obtains the following result on the linear complexity.Theorem 30.21 Let E be a non-supersingular elliptic curve defined over F q . Then the boundL(S PG ) ≫ Tl −2/3holds, where T is the multiplicative order of e modulo l.30.9.2.cThe Naor–Reingold generatorThe following PRNG is similar to the power generator, but one uses a vector (e 0 ,...,e n−1 ) ofsecret integers instead of only one secret scalar e. For elliptic curves it was proposed by Shparlinski[SHP 2000] and studied further in [SISH 2001]. For simplicity the definition and results arerestricted to elliptic curves over prime fields.Definition 30.22 Let the bit representation of i be given by (i n−1 ...i 0 ) 2 and let e 0 ,...,e n−1 benonzero integers and P be a point of prime order l of a nonsupersingular elliptic curve E/F p .The i-th element of the sequence S NR produced by the Naor–Reingold generator is given byfor 0 ip 1/2+ɛ , the discrepancy is small. In more detail,Shparlinski [SHP 2000] proves the following result:

§ 30.9 Pseudorandom number generators 735Theorem 30.24 For any δ>0 and a random vector (e 0 ,...,e n−1 ) chosen uniformly from (F ∗ l )nthe bound∆(S NR ) ≪ δ −1 B(n, l, p)lg 2 pholds, wherewith probability at least 1 − δ.B(n, l, p) =2 −n/2 +3 n/2 2 −n l −1/2 p 1/4 + n 1/2 l −1/2 + l −1 p 1/2For the linear complexity [SISH 2001] provides the following result.Theorem 30.25 Suppose that γ>0 and n are chosen to satisfyn (2 + γ)lgl.Then for any δ>0 and sufficiently large l, the linear complexity L(S NR ) of the sequence of thex-coordinates of the points satisfiesL(S NR ) ≫ min{l 1/3−δ ,l γ−3δ lg −2 l}for all except O ( (l − 1) n−δ) vectors (e 0 ,...,e n−1 ) ∈ (F ∗ l )n .30.9.3 Other applicationsThis section briefly highlights two other applications of elliptic and hyperelliptic curves related torandomness.To hide that a message is sent, Kaliski [KAL 1986] uses that a given x P ∈ F q is the x-coordinateof a point on E/F q or on its twist Ẽ/F q (cf. Remark 13.17). He proposes to modify the usual encryptionschemes (cf. Algorithms 1.16 and 1.17) by using both curves. The public key of A consistsof P A ∈ E(F q ) and ˜P A ∈ Ẽ(F q ). The sender randomly selects one of P A , ˜P A and uses it as publickey in the normal protocol. The ciphertext consists of the compressed representation, i.e., the x-coordinate of the result and one bit of the y-coordinate, as described in Sections 13.2.5 and 13.3.7.As the result corresponds to an arbitrary point on either E or Ẽ, it cannot be distinguished froma random bit-string and therefore an eavesdropper does not learn that a message was sent. Uponreceiving the message, the receiver determines the curve on which a point with this x-coordinateexists and recovers the y-coordinate by decompression. This idea was studied further and broughtto implementation in [BAI 2003].Section 15.1 introduced Koblitz curves as curves defined over a very small finite field, which arethen considered over a large extension field. The first curves proposed by Koblitz were even definedover F 2 . Up to isogenies, there are only two curvesE a2 : y 2 + xy = x 3 + a 2 x 2 +1, a 2 ∈{0, 1}.For applications in DL systems, these curves offer the advantage that to compute scalar multiples ofa point one can make use of the Frobenius endomorphism. This avoids doublings and thus increasesthe efficiency considerably. As described in Section 15.1.3 one can use an alternative setup to obtainrandom scalar multiples of a point P by picking random τ-adic expansions.Obviously, this can be used in the setting of pseudorandom sequences as well. The sequence ofsuch points is shown to be almost uniformly distributed in [LASH 2005b].

ReferencesNumbers in the margin specify the pages where citations occur[ + 1999] ĺ ź ÐÑÒ, º ÅÖÖ×,&ź¹º ÀÙÒ, A subexponential algorithm ½¾¸ ½¸ ½℄for discrete logarithms over hyperelliptic curves of large genus over GF(q), Theoret. Comput.Sci. 226 (1999), 7–18.[ÀÙ 1992] ĺ ź ÐÑÒ & ź¹º ÀÙÒ, Primality testing and Abelian varieties over finite ¼½℄fields, Lecture Notes in Math., vol. 1512, Springer-Verlag, Berlin, 1992.[ÀÙ 1996] , Counting rational points on curves and abelian varieties over finite fields, Algo- ¾¾℄rithmic Number Theory Symposium – ANTS II, Lecture Notes in Comput. Sci., vol. 1122,Springer-Verlag, Berlin, 1996, 1–16.[ÀÙ 2001] , Counting points on curves and abelian varieties over finite fields, J. Symbolic ¾¾℄Comput. 32 (2001), 171–189.[ÈÓ + 1983] ĺ ÐÑÒ, º ÈÓÑÖÒ, &ʺ ÊÙÑÐÝ, On distinguishing prime numbers ℄from composite numbers, Ann. of Math. 117 (1983), 173–206.[Ö + 2003] º ÖÛÐ, º ÖÑÙÐØ, º ʺ ÊÓ, &Ⱥ ÊÓØ, The EM Side- ¾℄Channel(s), Cryptographic Hardware and Embedded Systems – CHES 2002, LectureNotes in Comput. Sci., vol. 2523, Springer-Verlag, Berlin, 2003, 29.[à + 2002] ź ÖÛÐ, ƺ ÃÝÐ, &ƺ ËÜÒ, PRIMES is in P, preprint, date Aug. 6th, ¼½℄2002.http://www.cse.iitk.ac.in/primality.pdf[Ì 2003] ̺ ×Ø & ̺ Ì, Zero-value point attacks on elliptic curve cryptosystem, ¾℄Information Security Conference – ISC 2003, Lecture Notes in Comput. Sci., vol. 2851,Springer-Verlag, Berlin, 2003, 218–233.[ÐÖ + 1994] ʺ ÐÓÖ, º ÖÒÚÐÐ, &º ÈÓÑÖÒ, There are infinitely many ¿℄Carmichael numbers, Ann. of Math. 139 (1994), 703–722.[ÐÅ + 2002] º йÓÙ, ʺ ÅÑÓ, ź ÊÙ×Ò, &º ÃÐÑÒ, A new addition ¾¿℄formula for elliptic curves over GF(2 n ), IEEE Trans. on Computers 51 N o 8 (2002), 972–975.[ÒÒ + 1999] Áº Ò×Ð, ź Ò×Ð,&º ÓÐÐ, An algebraic method for public key cryp- ½℄tography, Math. Res. Lett. 6 (1999), 287–291.[Ò× º¾℄ ÆËÁ º¾¹½, Public key cryptography for the financial services industry: The ½¿¸ ¼℄elliptic curve digital signature algorithm (ECDSA), 1999.[Ô×℄ Áº ÅÓÒÒÐÐ, Maple programs. ¾℄ftp://ftp.math.mcgill.ca/pub/apecs[Ø 1988] º Ǻ ĺ ØÒ, The number of points on an elliptic curve modulo a prime, 1988. ½¸ ¾½℄E-mail on the Number Theory Mailing List.[Ø 1991] , The number of points on an elliptic curve modulo a prime, 1991. E-mail on the ½¸ ½℄Number Theory Mailing List.[ØÅÓ 1993] º Ǻ ĺ ØÒ & º ÅÓÖÒ, Elliptic curves and primality proving, Math.Comp. ¸ ℄61 (1993), 29–68.¿

738 References[Ú 2002] ʺ ź ÚÒÞ, On multi-exponentiation in cryptography, Tech. Report 154, AREHCC, ½℄2002.http://citeseer.nj.nec.com/545130.html[Ú 2004a] , Aspects of hyperelliptic curves over large prime fields in software implementa- ¾¸ ¿¾¸ ¼℄tions, Cryptographic Hardware and Embedded Systems – CHES 2004, Lecture Notes inComput. Sci., vol. 3156, Springer-Verlag, 2004, 148–162.[Ú 2004b] , Countermeasures against Differential Power Analysis for hyperelliptic curve ¼¼¼℄cryptosystems, Cryptographic Hardware and Embedded Systems – CHES 2003, LectureNotes in Comput. Sci., vol. 2779, Springer-Verlag, Berlin, 2004, 366–381.[Ú 2005a] , A note on the signed sliding window integer recoding and a left-to-right analogue, ½¿¸ ½℄Selected Areas in Cryptography – SAC 2004, Lecture Notes in Comput. Sci., vol. 3357,Springer-Verlag, Berlin, 2005, 130–143.[Ú 2005b] , On the complexity of certain multi-exponentiation techniques in cryptography, J. ½℄Cryptology (2005), to appear.[Ú 2005c] , Side channel attacks on implementations of curve-based cryptographic primi- ¸ ¼℄tives, preprint, extended version of AREHCC-report, 2005.http://eprint.iacr.org/2005/017/[Ú 2005] ʺ ź ÚÒÞ & º ×Ò, Trace zero varieties over binary fields for cryptography, ¿¿℄preprint, 2005.[Ú + 2004] ʺ ź ÚÒÞ, ź Ø, &º Ë, Faster scalar multiplication on Koblitz curves ¿¼½¸ ¿℄combining point halving with the Frobenius endomorphism, Public Key Cryptography –PKC 2004, Lecture Notes in Comput. Sci., vol. 2947, Springer-Verlag, 2004, 28–40.[ÚÀ + 2004] ʺ ź ÚÒÞ, º ÀÙÖÖ,&Àº ÈÖÓÒÖ, Scalar multiplication on Koblitz ¿¸ ¿℄curves using the Frobenius endomorphism and its combination with point halving: extensionsand mathematical analysis, preprint, 2004.http://finanz.math.tu-graz.ac.at/ ~ cheub/publications/tauext.pdf[ÚÄ 2005] ʺ ź ÚÒÞ & ̺ ÄÒ, Cryptographic applications of trace zero varieties, ½¿¸ ¿¿¸ ¿℄preprint, 2005.[ÚÅ 2004] ʺ ź ÚÒÞ & Ⱥ ÅÐ×Ù, Generic efficient arithmetic algorithms for PAFFs ½¾¸ ¾¿¼¸ ¾¿℄(Processor Adequate Finite Fields) and related algebraic structures, Selected Areas inCryptography – SAC 2003, Lecture Notes in Comput. Sci., vol. 3006, Springer-Verlag,Berlin, 2004, 320–334.[ÚÌ 2004] ʺ ź ÚÒÞ & ƺ ÌÖÙÐØ, Random walks and filtering strategies for index ¸ ¼¸ ½℄calculus, Manuscripts, 2004.[ + 2004] Àº Ö¹Ð, Àº ÓÙÖ, º Æ, ź ÌÙÒ×ØÐÐ, &º ÏÐÒ, The ℄sorcerer’s apprentice guide to fault attacks, Workshop on Fault Diagnosis and Tolerancein Cryptography – FDTC 2004, 2004.http://www.elet.polimi.it/res/FDTC04/Naccache.pdf[Ù + 2004] ʺ ÖÙ, ʺ ÙØØ, &Ⱥ ËÖÖ, Provably secure authenticated tree based ℄group key agreement protocol using pairing, preprint, 2004.http://eprint.iacr.org/2004/90/[Ò + 2002] º ×Ö, º Ò, º¹º ÙÖ, &ƺ ÖÐ, The arithmetic of Jacobian ¿¾℄groups of superelliptic cubics, Tech. report, INRIA – RR-4618, 2002.[Ò + 2004] , Implementing the arithmetic of C 3,4 curves, Algorithmic Number Theory Sym- ¿¾℄posium – ANTS VI, Lecture Notes in Comput. Sci., vol. 3076, Springer-Verlag, Berlin,2004, 87–101.[À 1998] ʺ º Ö & º ÀÖÑÒ, Shifted primes without large prime factors, Acta Arith. ¿℄83 N o 4 (1998), 331–361.

References 739[ 2003] Àº Ö, A fast Java implementation of a provably secure pseudo random bit generator ¿℄based on the elliptic curve discrete logarithm problem, Tech. Report TI 7/03, Universityof Darmstadt, 2003.[à + 2002] Ⱥ˺ĺźÖÖØÓ, Àº º ÃÑ, º ÄÝÒÒ,&ź ËÓØØ, Efficient algorithms ¿¸ ¼¸ ¿¸℄for pairing-based cryptosystems, Advances in Cryptology – Crypto 2002, Lecture Notesin Comput. Sci., vol. 2442, Springer-Verlag, Berlin, 2002, 354–368.[ÃÓ 1998] ʺ Ð×ÙÖÑÒÒ & ƺ ÃÓÐØÞ, The improbability that an elliptic curve has ¿¸ ¸ ¸℄a sub-exponential discrete log problem under the Menezes–Okamoto–Vanstone algorithm,J. Cryptology 11 (1998), 141–145.[ÄÝ + 2003] Ⱥ˺ĺźÖÖØÓ, º ÄÝÒÒ,&ź ËÓØØ, Constructing elliptic curves with ¸ ℄prescribed embedding degrees, Security in Communication Networks – SCN 2002, LectureNotes in Comput. Sci., vol. 2576, Springer-Verlag, Berlin, 2003, 257–267.[ÄÝ + 2004a] , Efficient implementation of pairing-based cryptosystems, J. Cryptology 17 ¸ ℄(2004), 321–334.[ÄÝ + 2004b] , On the selection of pairing-friendly groups, Selected Areas in Cryptography – ¿℄SAC 2003, Lecture Notes in Comput. Sci., vol. 3006, Springer-Verlag, Berlin, 2004, 17–25.[È 1998] º κ ÐÝ & º ÈÖ, Optimal extension fields for fast arithmetic in public key ¾¾℄algorithms, Advances in Cryptology – Crypto 1998, Lecture Notes in Comput. Sci., vol.1462, Springer-Verlag, Berlin, 1998.[Ö℄ Ⱥ ˺ ĺ ź ÖÖØÓ, The pairing-based crypto lounge. ¿¸ ¿℄http://planeta.terra.com.br/informatica/paulobarreto/pblounge.html[Ö 1987] Ⱥ ÖÖØØ, Implementing the Rivest Shamir and Adleman public key encryption al- ½℄gorithm on a standard digital signal processor, Advances in Cryptology – Crypto 1986,Lecture Notes in Comput. Sci., vol. 263, Springer-Verlag, Berlin, 1987, 311–323.[Ï 1980] ʺ ÐÐ & ˺˺Ï×ظ ÂÖº, Lucas pseudoprimes, Math.Comp.35 (1980), ℄1391–1417.[ 2004] º & º Ò, Identity-based threshold decryption, Public Key Cryptography ℄– PKC 2004, Lecture Notes in Comput. Sci., no. 2947, Springer-Verlag, 2004, 262–276.[ + 1989] º ÖÖÓÒ, º Ö×ØÐ, ˺ ÖÐ, &º ÙÓ, Addition chains using con- ½½¸ ½℄tinued fractions, J. Algorithms 10 N o 3 (1989), 403–412.[ + 1994] º ÖÖÓÒ, º Ö×ØÐ, &˺ ÖÐ, Efficient computation of addition chains, ½¾℄J. Théor. Nombres Bordeaux 6 (1994), 21–38.[ 1998] º , Integrated circuit failure analysis – a guide to preparation techniques, John ½℄Wiley & Sons, Ltd., 1998.[Ó 2002] Ⱥ Àº ̺ ÐÒ & º ź ÓÙÑÒ, Pseudorandom sequences from elliptic curves, ¿¾¸ ¿¿℄Finite fields with applications to coding theory, cryptography and related areas, Springer-Verlag, 2002, 37–52.[ + 1991] ̺ Ø, Ϻ ×ÐÑÒÒ, &º ÅÝÖ, Finding (good) normal basis in finite ¾¾½℄fields, International Symposium on Symbolic and Algebraic Computations – ISSAC 1991,ACM Press, Bonn, 1991, 173–178.[Ó + 1972] ź ÐÖ, ʺ Ϻ Ó×ÔÖ, &ʺ ËÖÓÔÔÐ, HAKMEM, Memo 239, Mas- ℄sachusetts Institute of Technology Artificial Intelligence Laboratory, February 1972.[ÃÒ 2003] ʺ ÚÒ & º Ϻ ÃÒÙ×Ò, Ways to enhance differential power analysis, Infor- ¼℄mation Security and Cryptology – ICISC 2002, Lecture Notes in Comput. Sci., vol. 2587,Springer-Verlag, 2003, 327–342.[Å + 1978] º ʺ ÖÐÑÔ, ʺ º ÅÐ, &Àº º ÚÒ ÌÐÓÖ, On the inherent ½℄intractability of certain coding problems, IEEE Trans. Inform. Theory 24 N o 3 (1978),384–386.

740 References[Ö 1967] º ʺ ÖÐÑÔ, Factoring polynomials over finite fields, Bell System Tech. J. 46 ¼℄(1967), 1853–1859.[Ö 1974] Ⱥ ÖØÐÓØ, Cohomologie cristalline des schémas de caractéristique p>0, Lecture ½¿℄Notes in Math., vol. 407, Springer-Verlag, Berlin, 1974.[Ö 1982] º ʺ ÖÐÑÔ, Bit-serial Reed–Solomon encoder, IEEE Trans. Inform. Theory ¿℄IT-28 (1982), 869–874.[Ö 1986] Ⱥ ÖØÐÓØ, Géométrie rigide et cohomologie des variétés algébriques de carac- ½¿℄téristique p, Mém. Soc. Math. France (N.S.) N o 23 (1986), 3, 7–32, Introductions auxcohomologies p-adiques (Luminy, 1984).[Ö 1998] º º ÖÒ×ØÒ, Detecting perfect powers in essentially linear time, Math.Comp.67 ½¸ ½℄N o 223 (1998), 1253–1283.[Ö 2001a] , Multidigit multiplication for mathematicians, 2001. ½℄http://cr.yp.to/papers.html[Ö 2001b] Ⱥ ÖÖÞØ, Sharpening “primes in P” for a large family of numbers, preprint, ¼½℄2001.http://lanl.arxiv.org/abs/math.NT/0211334[Ö 2002] º º ÖÒ×ØÒ, Pippenger’s exponentiation algorithm, 2002. preprint. ½¸ ½¸ ½¸½℄http://cr.yp.to/papers.html[Ö 2004a] , Proving primality in essentially quartic random time, preprint, 2004. ¼½℄http://cr.yp.to/papers.html[Ö 2004b] , Scaled remainder trees, preprint, 2004. ½℄http://cr.yp.to/papers.html[ÆÙÑ℄ º¹º ÀÖÚ, º ËÖÔØØ, &º ÎÙÐÐÑÒ, BigNum: A portable and efficient ½℄package for arbitrary-precision arithmetic, Tech. report, Digital Paris Research Laboratory,1989, available via e-mail from librarian@decprl.dec.com.[ÂÓ 2003] Ǻ ÐÐØ & ź ÂÓÝ, The Jacobi model of an elliptic curve and Side-Channel Anal- ℄ysis, Applicable Algebra, Algebraic Algorithms and Error-Correcting Codes – AAECC2003, Lecture Notes in Comput. Sci., vol. 2643, Springer-Verlag, Berlin, 2003, 34–42.[Å + 2000] Áº Ð, º ÅÝÖ,&κ Å ÐÐÖ, Differential fault attacks on elliptic curve cryp- ¸ ¸¼¼℄tosystems, Advances in Cryptology – Crypto 2000, Lecture Notes in Comput. Sci., vol.1880, Springer-Verlag, Berlin, 2000, 131–146.[Ö 1968] º º Ö, How the number of points of an elliptic curve over a fixed prime field ¼℄varies, J. London Math. Soc. 43 (1968), 57–60.[Ë 1997] º Ñ & º ËÑÖ, Differential fault analysis of secret key cryptosystems, Ad- ¿℄vances in Cryptology – Crypto 1997, Lecture Notes in Comput. Sci., vol. 1294, Springer-Verlag, 1997, 513–525.[Ð 2002] º ÐÝ, Die Weil-Restriktion elliptischer Kurven in der Kryptographie, Master’sthe- ¿¿℄sis, Universität-Gesamthochschule Essen, 2002.[ÐÐ + 1986] ĺ ÐÙÑ, ź ÐÙÑ, &ź ËÙ, A simple unpredictable pseudo-random number ¾½℄generator, SIAM J. Comput. 15 (1986), 364–383.[ÐÐ℄ º ÐÒÖ & º ÐÑÑÒÑÔ, An efficient algorithm for computing ½℄shortest addition chains.http://www.uni-bielefeld.de/ ~ achim/ac.dvi[ÐÙ + 1984] Áº º Ð, ʺ Ù¹ÀÖ, ʺ º ÅÙÐÐÒ, &˺ºÎÒ×ØÓÒ, Computing ¼℄logarithms in finite fields of characteristic two, SIAM J. Algebraic Discrete Methods 5N o 2 (1984), 276–285.

References 741[Ð + 1994a] Áº º Ð, ˺ Ó, &ʺ º ÄÑÖØ, Constructive problems for irreduciblepolynomials over finite fields, Proceedings of the 1993 Information Theory and ApplicationsConference, Lecture Notes in Comput. Sci., vol. 793, Springer-Verlag, Berlin, 1994,1–23.[Ð + 1994b] Áº º Ð, ˺Ó, &ʺ º ÅÙÐÐÒ, Normal and self dual normal bases fromfactorization of cx q+1 + dx q − ax − b, SIAM J. Discrete Math. 7 N o 3 (1994), 499–512.¾½℄¿℄[Ð + 1996] Áº º Ð, ˺Ó,&ʺ º ÄÑÖØ, Construction and distribution problems for ¾½℄irreducible trinomials over finite fields, Applications of Finite Fields, Oxford UniversityPress, New York, 1996, 19–32.[ÐÅÙ + 1984] Áº º Ð, ʺ º ÅÙÐÐÒ,&˺ºÎÒ×ØÓÒ, Computing logarithms in F 2 n , ¼℄Advances in Cryptology – Crypto 1984, Lecture Notes in Comput. Sci., vol. 196, Springer-Verlag, 1984, 73–82.[ÐÅÙ + 2004] Áº º Ð, ú ÅÙÖØÝ,&º Ù, Refinements of Miller’s algorithm for computing ¼½℄Weil/Tate pairing, preprint, 2004.http://eprint.iacr.org/2004/065/[ÐÇØ + 2004] º ÐÑÖ, ź ÇØØÓ, &º¹Èº ËÖØ, Sign change fault attacks on elliptic curve ¼℄cryptosystems, preprint, 2004.http://eprint.iacr.org/2004/227/[ÐÊÓ + 1998] Áº º Ð, ʺ ź ÊÓØ,&º ËÖÓÙ××, Efficient arithmetic in GF(2 n ) through ¾½¸ ¾¾½℄palindromic representation, Tech. Report HPL-98-134, Hewlett–Packard, August 1998.http://www.hpl.hp.com/techreports/98/HPL-98-134.pdf[ÐË + 1999] Áº º Ð, º ËÖÓÙ××,&ƺ Ⱥ ËÑÖØ, Elliptic curves in cryptography, Lon- ½℄don Mathematical Society Lecture Note Series, vol. 265, Cambridge University Press,Cambridge, 1999.[ÐË + 2005] , Advances in elliptic curve cryptography, London Mathematical Society Lecture ℄Note Series, vol. 317, Cambridge University Press, Cambridge, 2005.[ÓÓ + 2005] º ÓÒ, º ÓÝÒ, &º¹Âº Ó, Hierarchical Identity Based encryption with ℄constant size ciphertext, preprint, 2005.http://eprint.iacr.org/2005/015/[ÓÓ 1990] º Ó× & ź º Ó×ØÖ, Addition chain heuristics, Advances in Cryptology – Crypto ½¾¸ ½¿℄1989, Lecture Notes in Comput. Sci., vol. 435, Springer-Verlag, Berlin, 1990, 400–407.[Ó + 1997] º ÓÒ, ʺ ÅÐÐÓ, &ʺ ÄÔØÓÒ, On the importance of checking crypto- ¿¸ ¼℄graphic protocols faults, Advances in Cryptology – Eurocrypt 1997, Lecture Notes inComput. Sci., vol. 1233, Springer-Verlag, Berlin, 1997, 37–51.[Ó + 2004] Áº ÓÙÛ, º Ñ, &º ËÓÐØÒ, Ordinary elliptic curves of high rank over F p ½¿½℄with constant j-invariant, Manuscripta Math. 114 (2004), 487–501.[ÓÖ 2001] º ÓÒ & ź ÖÒÐÒ, Identity based encryption from the Weil pairing, Advances ¿¸ ¸ ¿¸¸ ¼℄in Cryptology – Crypto 2001, Lecture Notes in Comput. Sci., vol. 2139, Springer-Verlag,Berlin, 2001, 213–229.[ÓÖ 2003] , Identity based encryption from the Weil pairing, SIAM J. Comput. 32 N o 3 ¸ ¸ ¿℄(2003), 586–615.[Ó + 2004] º Ó×ØÒ, Ⱥ ÙÖÝ,&º ËÓ×Ø, Linear recurrences with polynomial coeffi- ½¾℄cients and application to integer factorization and Cartier–Manin operator, Proceedingsof Fq7, Lecture Notes in Comput. Sci., vol. 2948, Springer-Verlag, Berlin, 2004, 40–58.[ÓÓ + 1994] º Ó××ÐÖ×, ʺ ÓÚÖØ×,&º ÎÒÛÐÐ, Comparison of three modular ½¸ ½¾℄reduction functions, Advances in Cryptology – Crypto 1993, Lecture Notes in Comput.Sci., vol. 773, Springer-Verlag, Berlin, 1994, 175–186.[ÓÄ 1995] Ϻ Ó×Ñ & º ú ÄÒ×ØÖ, An implementation of the elliptic curve integer factor- ¼℄ization method, Computational algebra and number theory (Ϻ Ó×Ñ & º ÚÒ ÖÈÓÓÖØÒ, eds.), Kluwer Academic Publishers, 1995.

742 References[ÓÄÝ + 2002] º ÓÒ, º ÄÝÒÒ, &Àº ËÑ, Short signatures from the Weil pairing, ¸ ¸ ℄Advances in Cryptology – Asiacrypt 2001, Lecture Notes in Comput. Sci., vol. 2248,Springer-Verlag, Berlin, 2002, 514–532.[ÓÄÝ + 2004] , Short signatures from the Weil pairing, J. Cryptology 17 (2004), 297–319. ¸ ¸ ℄[ÓÓ 1951] º º ÓÓØ, A signed binary multiplication technique, Quarterly J. Mech. Appl. Math. ½½℄4 (1951), 236–240.[Ó× 2001] Ϻ Ó×Ñ, Signed bits and fast exponentiation, J. Théor. Nombres Bordeaux 13 (2001), ½½℄27–41.[ÓÎ 1996] º ÓÒ & ʺ ÎÒØ×Ò, Hardness of computing the most significant bits of se- ¿¸ ℄cret keys in Diffie–Hellman and related schemes, Advances in Cryptology – Crypto 1996,Lecture Notes in Comput. Sci., vol. 1109, Springer-Verlag, Berlin, 1996, 129–142.[Ö 1939] º ÖÙÖ, On addition chains, Bull. Amer. Math. Soc. 45 (1939), 736–739. ½¸ ½℄[ÖÖ 1996] º Ö××Ò & Ⱥ ÖØÐÝ, Fundamentals of Algorithmics, Prentice-Hall, Inc., ℄Englewood Cliffs NJ, 1996, first published as Algorithmics — Theory & Practice, 1988.[ÖÐ + 2004] º ÖÖ, º ÐÚÖ, &º ÇÐÚÖ, Correlation power analysis with a leakage ¼℄model, Cryptographic Hardware and Embedded Systems – CHES 2004, Lecture Notes inComput. Sci., vol. 3156, Springer-Verlag, Berlin, 2004, 16–29.[ÖÙ + 1993] Àº ÖÙÒÒÖ, º ÙÖÖ, &ź ÀÓ×ØØØÖ, On computing multiplicative in- ¾¾¿℄verses in GF(2m), IEEE Trans. on Computers 42 N o 8 (1993), 1010–1015.[Ö + 2004] º ÖÖ, Áº Ò, &ź ÂÓÝ, Unified point addition formulæ for elliptic ℄curve cryptosystems, Embedded Cryptographic Hardware: Methodologies & Architectures,Nova Science Publishers, 2004.[Ö 1980] ʺ Ⱥ ÖÒØ, An improved Monte Carlo factorization algorithm, BIT20 (1980), 176– ℄184. The paper can be obtained as a series of .gif bitmaps from [ÖÒØ].[ÖÒØ℄ , homepage, Oxford University Computing Laboratory. ½¸ ¾℄http://web.comlab.ox.ac.uk/oucl/work/richard.brent[ÖÓ + 1993] º º ÖÐÐ, º ź ÓÖÓÒ, ú ˺ ÅÙÖÐÝ,&º º ÏÐ×ÓÒ, Fast ½℄exponentiation with precomputation, Advances in Cryptology – Eurocrypt 1992, LectureNotes in Comput. Sci., vol. 658, Springer-Verlag, Berlin, 1993, 200–207.[ÖÂÓ 2002] º ÖÖ & ź ÂÓÝ, Weierstraß elliptic curves and side channels attacks, Public Key ¾℄Cryptography – PKC 2002, Lecture Notes in Comput. Sci., vol. 2274, Springer-Verlag,2002, 335–345.[ÖÂÓ 2003] , Fast point multiplication on elliptic curves through isogenies, Applicable Alge- ¾¾¸ ¸ ¼℄bra, Algebraic Algorithms and Error-Correcting Codes – AAECC 2003, Lecture Notes inComput. Sci., vol. 2643, Springer-Verlag, Berlin, 2003, 43–50.[ÖÃÙ 1978] ʺ Ⱥ ÖÒØ & Àº ̺ ÃÙÒ, Fast algorithms for manipulating formal power series, ¾¾℄J. Assoc. Comput. Mach. 25 N o 4 (1978), 581–595.[ÖÃÙ 1983] , Systolic VLSI arrays for linear-time GCD computation, VLSI 1983, Elsevier ¾¼¸ ¾¾¿℄Science Publishers B. V., 1983, 145–154.[ÖÅÝ + 2001] º ÖÓÛÒ, º ̺ ÅÝÖ×,&º º ËÓÐÒ×, Elliptic curves with compact param- ¿¾¸ ¿¿℄eters, Combinatorics and Optimization Research Report CORR 2001-68, University ofWaterloo, 2001.http://www.cacr.math.uwaterloo.ca/techreports/2001/corr2001-68.ps[ÖËØ 2004] ʺ ÖÖ & Ⱥ ËØÚÒÒ, Elliptic curves with a given number of points, Al- ℄gorithmic Number Theory Symposium – ANTS VI, vol. 3076, Springer-Verlag, Berlin,2004, 117–131.[ÖÙ 1966] ƺ º ÖÙÒ, On the number of positive integers x and free of prime factors ¼℄>y,II, Indag. Math. 38 (1966), 239–247.

References 743[ÖÙ 1994] Ⱥ ˺ ÖÙÑÒ, Lucas pseudoprimes are odd, Fib.Quart.32 (1994), 155–157. ℄[ÖÏ 2004] º ÖÞÒ & º ÏÒ, Elliptic curves suitable for pairing based cryptography, ℄preprint, 2004.http://eprint.iacr.org/2003/143/[Ö 2003] ʺ Ⱥ ÖÒØ & Ⱥ ÑÑÖÑÒÒ, Random number generators with period divisible ¾½℄by a Mersenne prime, Computational Science and its Applications – ICCSA 2003, vol.2667, Springer-Verlag, Berlin, 2003, 1–10.[Ù 1995] ź ÙÖÑ×ØÖ & º ×ÑØ, A secure and efficient conference key distribution ½¿¸ ℄system, Advances in Cryptology – Eurocrypt 1994, Lecture Notes in Comput. Sci., vol.950, Springer-Verlag, Berlin, 1995, 275–286.[Ù 1997] , Efficient and secure conference key distribution, Proceedings of the 1996 Work- ½¿¸ ℄shop on Security Protocols, Lecture Notes in Comput. Sci., vol. 1189, Springer-Verlag,Berlin, 1997, 119–130.[Ù 2004] , Identity based key infrastructures, Proceedings of the IFIP 2004 World Computer ℄Congress, Kluwer Academic Publishers, 2004.[ÙÓ + 1946] º Ϻ ÙÖ×, Àº Àº ÓÐ×ØÒ, &º ÚÓÒ ÆÙÑÒÒ, Preliminary discussion ¿¾℄of the logical design of an electronic computing instrument, Tech. Report Princeton, NJ,Institute for Advanced Study, 1946.[Ù + 1997] º ÙÑÒÒ, ź º ÂÓ×ÓÒ¸ ÂÖº,&º Ì×, On some computational prob- ½℄lems in finite abelian groups, Math.Comp.66 (1997), 1663–1687.[ÙÖ 1999] º ÙÖ×Ý, Flash and EEPROM storage boost 8-bit mcu flexibility, Electronic Design ℄47 N o 5 (1999).[ÙÏ 1988] º ÙÑÒÒ & Àº º ÏÐÐÑ×, A key-exchange system based on imaginary ℄quadratic fields, J. Cryptology 1 N o 2 (1988), 107–118.[Ù 1998] º ÙÖÒÐ & º ÐÖ, Fast recursive division, Tech. Report MPI-I-98-1-022, ½℄Max Planck Institut für Informatik, October 1998.http://data.mpi-sb.mpg.de/internet/reports.nsf/[ÝÙ 2004] º ÝÖÑ & ˺ ÙÕÙ×Ò, Classification of genus 2 curves over F 2 n and opti- ¿¿℄mization of their arithmetic, preprint, 2004.http://eprint.iacr.org/2004/107/[Ö + 1983] º ʺ ÒÐ, Ⱥ Ö×, &º ÈÓÑÖÒ, On a problem of Oppenheim ¼℄concerning factorizatio numerorum, J. Number Theory 17 (1983), 1–28.[Ð 1996] º Ϻ ˺ ××Ð× & º κ ÐÝÒÒ, Prolegomena to a middlebrow arithmetic of ¸ ¿¾℄curves of genus 2, London Mathematical Society Lecture Note Series, vol. 230, CambridgeUniversity Press, 1996.[ÃÓ + 2003] º ØÐÓ, º ÃÓÙÒ,&º¹Âº ÉÙ×ÕÙØÖ, A new type of timing attack: appli- ¼℄cations to GPS, Cryptographic Hardware and Embedded Systems – CHES 2003, LectureNotes in Comput. Sci., vol. 2779, Springer-Verlag, Berlin, 2003, 291–303.[Ñ 1981] Ⱥ ÑÓÒ, Factorisation des polynômes de F q[X], Tech. Report RR-0093, INRIA, ¼℄September 1981, in French.[Ñ 1983] , Improving an algorithm for factoring polynomials over a finite field and con- ¼℄structing large irreducible polynomials, IEEE Trans. Inform. Theory 29 N o 3 (1983), 378–385.[Ñ℄ ÑÖ ÍÒÚÖ×ØÝ, TAMPER Lab homepage. ¼℄http://www.cl.cam.ac.uk/Research/Security/tamper/[Ò 1987] º º ÒØÓÖ, Computing in the Jacobian of a hyperelliptic curve, Math.Comp.48 ¿¼℄(1987), 95–101.

744 References[Ö 1932] ĺ ÖÐØÞ, The arithmetic of a polynomial in a Galois field, Amer.J.ofMath.54 ¿℄(1932), 39–50.[Ö 1994] º º ÖØÖ, The generation and application of random numbers, Forth Dimensions ¾¼℄XVI N o 1 & 2 (1994).[Ö 2003] ʺ ÖÐ×, Generalized AGM sequences and approximation of canonical lifts, September ½¿¸ ¼℄2003.[× 1991] º Ϻ ˺ ××Ð×, Lectures on elliptic curves, Cambridge University Press, New York, ¾¼¸ ¾℄1991.[Ú 2000] ˺ ÚÐÐÖ, Strategies in filtering in the Number Field Sieve, Algorithmic Number ¼¸ ¼℄Theory Symposium – ANTS IV, Lecture Notes in Comput. Sci., no. 1838, Springer-Verlag,2000, 209–232.[ 1981] º º ÒØÓÖ & Àº ××ÒÙ×, A new algorithm for factoring polynomials over ¼℄finite fields, Math.Comp.36 N o 154 (1981), 587–592.[× 2005] º ×Ò, Varietá a traccia zero su campi binari: Applicazioni crittografiche, Master’s ¿¿℄thesis, Universitá degli Studi di Milano, 2005.[ 1999] º¹º Ò & º¹º Ò, Fast modular multiplication algorithm for calculating ¾¼¾℄the product AB modulo N, Inform. Process. Lett. 72 (1999), 77–81.[ + 2004] º ÚÐÐÖ¹ÅÑ×, ź Ø, &ź ÂÓÝ, Low-cost solutions for preventing ¼¾℄simple Side-Channel Analysis: Side-Channel Atomicity, IEEE Trans. on Computers 53(2004), 760–768.[Ó + 1991] ĺ ˺ ÖÐÔ, ʺ ÓÐÝ, &º Ⱥ ÊÓÒ×, Enumeration of rational points on ¾¾℄elliptic curves over finite fields, Draft, 1991.[ 2000] º Ò, Java card technology for smart cards: Architecture and programmers guide, ℄Addison-Wesley Publishing Company, Reading, MA, 2000.[ 2003] ɺ Ò, Primality proving via one round ECPP and one iteration in AKS, preprint, ¼½℄2003.[ÀÛ + 2004] ú º Ó, º º ÀÛÒ,&º Àº Ä, Efficient ID-based group key agreementwith bilinear maps, Public Key Cryptography – PKC 2004, Lecture Notes in Comput. Sci.,vol. 2947, Springer-Verlag, 2004, 130–144.℄[ÂÙ 2003] º Àº ÓÒ & º ÂÙÒ, A polynomial time algorithm for the braid Diffie–Hellman ½℄conjugacy problem, Advances in Cryptology – Crypto 2003, Lecture Notes in Comput.Sci., vol. 2729, IACR and Springer-Verlag, 2003, 212–225.[Ù 2002] º Ó & º ÙÒ, Isomorphism classes of hyperelliptic curves of genus 2 over ¿¿¸ ¿¿℄F q, Australasian Conference on Information Security and Privacy – ACISP 2002, LectureNotes in Comput. Sci., vol. 2384, Springer-Verlag, Berlin, 2002, 190–202.[ 2003] ź Ø, Aspects of fast and secure arithmetics for elliptic curve cryptography, ℄PhD. Thesis, Université Catholique de Louvain, 2003.[ÂÓ + 2003] ź Ø, ź ÂÓÝ, ú ÄÙØÖ, &Ⱥ ĺ ÅÓÒØÓÑÖÝ, Trading inversions for ¾½¸ ¾¾℄multiplications in elliptic curve cryptography, preprint, 2003.http://eprint.iacr.org/2003/257/[Ä + 2003] ź Ø, ̺ ÄÒ, º Ë, &º¹Âº ÉÙ×ÕÙØÖ, Improved algorithms for ¿¸ ¿½¸ ¿¾℄efficient arithmetic on elliptic curves using fast endomorphisms, Advances in Cryptology– Eurocrypt 2003, Lecture Notes in Comput. Sci., vol. 2656, Springer-Verlag, 2003, 388–400.[ÉÙ + 2002] ź Ø, º¹Âº ÉÙ×ÕÙØÖ, &º Ë, Preventing differential analysis in GLV ½¿℄elliptic curve scalar multiplication, Cryptographic Hardware and Embedded Systems –CHES 2002, Lecture Notes in Comput. Sci., vol. 2523, Springer-Verlag, Berlin, 2002,540–550.

References 745[Ó + 2001] ƺ ÓÙÖØÓ×, ź Ò×Þ, &ƺ ËÒÖÖ, How to achieve a McEliece-based ½℄digital signature scheme, Advances in Cryptology – Asiacrypt 2001, Lecture Notes inComput. Sci., no. 2248, Springer-Verlag, 2001, 157–174.[Ó℄ Àº ÓÒ, Diophantine Equations, p-adic Numbers and L-functions, Springer-Verlag, ℄to appear.[Ó 2000] , A course in Computational Algebraic Number Theory, Graduate Texts in ¸ ½¸ ½¼¸½¼¸½½¸½¸Mathematics, vol. 138, Springer-Verlag, Berlin, 2000, fourth edition.½¸½¸¾¼¸¿¸½¼¸¸¸¸¾¸¸¼¾¸½½℄[Ó 2005] , Analysis of the flexible window powering algorithm, J. Cryptology 18 N o 1 ½¿¸ ½℄(2005), 63–76.[ÓÂÓ + 1992]ź º Ó×ØÖ, º ÂÓÙÜ, º º ÄÅ, º ź ÇÐÝÞÓ, º¹Èº ¿℄ËÒÓÖÖ, &º ËØÖÒ, Improved low-density subset sum algorithms, Comput. Complexity2 (1992), 111–128.[ÓÃÓ + 2001] º¹Ëº ÓÖÓÒ, Ⱥ ÃÓÖ, &º Æ, Statistics and secret leakage, Finan- ¼℄cial Cryptography – FC 2000, Lecture Notes in Comput. Sci., vol. 1962, Springer-Verlag,2001, 157–173.[ÓÐ 1969] º º ÓÐÐÒ×, Computing multiplicative inverses in GF(p), Math.Comp.23 (1969), ¾¼℄197–200.[ÓÐ 1980] , Lecture notes on arithmetic algorithms, 1980. University of Wisconsin. ½¾℄[ÓÄ 1984] Àº ÓÒ & Àº Ϻ ÄÒ×ØÖ¸ ÂÖº, Primality testing and Jacobi sums,Math.Comp. ℄42 (1984), 297–330.[ÓÄ 1987] Àº ÓÒ & º ú ÄÒ×ØÖ, Implementation of a new primality test, Math.Comp. ℄48 (1987), 103–121.[ÓÅ + 1997] Àº ÓÒ, º ÅÝ,&̺ ÇÒÓ, Efficient elliptic curve exponentiation, Information ½¿℄and Communication Security – ICICS 1997, Lecture Notes in Comput. Sci., vol. 1334,Springer-Verlag, Berlin, 1997, 282–290.[ÓÅ + 1998] , Efficient elliptic curve exponentiation using mixed coordinates, Advances in ¾¸ ¾¼¸ ¾¾¸¾¿¸¾¸¾¸Cryptology – Asiacrypt 1998, Lecture Notes in Comput. Sci., vol. 1514, Springer-Verlag,¿¾½¸¿¾¸¿¾℄Berlin, 1998, 51–65.[ÓÒ 2005] ˺ ÓÒØÒ, FactorWorld: General purpose factoring records, 2005. ℄http://www.crypto-world.com/FactorRecords.html[ÓÔ 1984] º ÓÔÔÖ×ÑØ, Fast evaluation of logarithms in fields of characteristic two, IEEE ¾½¸ ¸ ℄Trans. Inform. Theory 30 N o 4 (1984), 587–594.[ÓÔ 1993] , Modifications to the Number Field Sieve, J. Cryptology 6 (1993), 169–180. ½¿℄[ÓÖ 1999] º¹Ëº ÓÖÓÒ, Resistance against differential power analysis for elliptic curve cryptosys- ¸ ¼¸ ¾¸¸¼¼¸½½℄tems, Cryptographic Hardware and Embedded Systems – CHES 1999, Lecture Notes inComput. Sci., vol. 1717, Springer-Verlag, Berlin, 1999, 392–302.[ÓË 1997] º ÓÔÔÖ×ÑØ & º ËÑÖ, Lattice attacks on NTRU, Advances in Cryptology – ½℄Eurocrypt 1997, Lecture Notes in Comput. Sci., vol. 1233, Springer-Verlag, Berlin, 1997,52–61.[Ó×ØÖ℄ ź º Ó×ØÖ, homepage. ½¾℄http://www.coster.demon.nl/[ÓÙ 1996] º ź ÓÙÚÒ×, Computing l-isogenies with the p-torsion, Algorithmic Number ¾½℄Theory Symposium – ANTS II, Lecture Notes in Comput. Sci., vol. 1122, Springer-Verlag,1996, 59–65.[Ê 2003℄ ÖÝÔØÓÖÔÝ Ê×Ö¸ ÁÒº, Evaluation of VIA C3 Nehemiah Random Number ¾½℄Generator, Tech. report, 2003.http://www.cryptography.com/resources/whitepapers/VIA_rng.pdf

746 References[Ö 1992] ʺ ÖÒÐÐ, Method and apparatus for public key exchange in a cryptographic sys- ½¾℄tem, United States Patent 5, 159, 632, Date: Oct. 27th 1992.[ÖÓ 2003] º ˺ ÖÓÓØ ÁÁÁ, Smooth numbers in short intervals, preprint, 2003. ¼℄http://www.math.gatech.edu/ ~ ecroot/papers.html[ÖÈÓ 2001] ʺ ÖÒÐÐ & º ÈÓÑÖÒ, Prime numbers, a computational perspective, ½¼¸ ½¸ ½¾¸¾¼¸ ½℄Springer-Verlag, Berlin, 2001.[Ú 2000] ʺ Ú×, Hardware random number generators, New Zealand Statistics Conference, ¾½℄2000.[Ð 1974] Ⱥ ÐÒ, La conjecture de Weil. I, Inst. Hautes Études Sci. Publ. Math. 43 (1974), ½¿℄273–307.[Ä 2004a] º ×ÑØ & ̺ ÄÒ, Pairing based threshold cryptography improving on Libert, ℄Quisquater, Baek, and Zheng, preprint, 2004.[Ä 2004b] , Pairing variants of Burmester–Desmedt I and Katz–Yung, preprint, 2004. ℄[Ä + 2004] º ×ÑØ, ̺ ÄÒ, &ź ÙÖÑ×ØÖ, Exponential improvement on Katz– ¸ ℄Yung’s constant round authenticated group key exchange and tripartite variants, preprint,2004.[Ù 1941] ź ÙÖÒ, Die Typen der Multiplikatorenringe elliptischer Funktionenkörper, Abh. ½¿¸ ¾¿℄Math.Sem.HansischenUniv.14 (1941), 197–272.[Î 2002] º Ò & º ÎÖÙØÖÒ, An extension of Kedlaya’s algorithm to Artin–Schreier ¿℄curves in characteristic 2, Algorithmic Number Theory Symposium – ANTS V, LectureNotes in Comput. Sci., vol. 2369, Springer-Verlag, Berlin, 2002, 308–323.[Î 2005] , An extension of Kedlaya’s algorithm to hyperelliptic curves in characteristic 2, ¿℄J. Cryptology (2005), to appear.[ 1998] º¹º Ñ, Design of an efficient public key cryptographic library for RISC-based ¾¼¿¸ ¾¼℄smart cards, PhD. Thesis, Faculté des sciences appliquées, Laboratoire de microélectronique,Université catholique de Louvain-la-Neuve, Belgique, 1998.http://users.belgacom.net/dhem/these/these_public.pdf[ÃÓ + 2000] º¹º Ñ, º ÃÓÙÒ, Ⱥ¹º ÄÖÓÙÜ, Ⱥ Å×ØÖ, º¹Âº ÉÙ×ÕÙØÖ,&º¹Äº ÏÐÐÑ×, A practical implementation of the timing attack, Smart Card Research¸ ¼℄and Advanced Application – CARDIS 1998, Lecture Notes in Comput. Sci., vol. 1820,Springer-Verlag, 2000, 167–182.[ 2001] º Ñ, A study on theoretical and practical aspects of Weil-restriction of varieties, ½¾¸ ¿¿¸ ¿¸¿¸ ¿℄PhD. Thesis, Universität Gesamthochschule Essen, 2001.[ 2003] , The GHS-attack in odd characteristic, J. Ramanujan Math. Soc. 18 N o 1 (2003), ¿½¸ ¿¾¸ ¿¸¿℄1–32.[ 2004] , On the discrete logarithm problem in elliptic curves over non-prime finite fields, ½¸ ¿¸ ℄2004. preprint.[ 2005] , Index calculus in class groups of plane curves of small degree, preprint, 2005. ¿℄http://eprint.iacr.org/2005/119/[À 1976] Ϻ & ź º ÀÐÐÑÒ, New directions in cryptography, IEEE Trans. Inform. ÜÜܸ ½¼℄Theory 22 N o 6 (1976), 644–654.[Ë 2003] º Ñ & º ËÓÐØÒ, Cover Attacks – A report for the AREHCC project, 2003. ¿¿¸ ¿¸ ¼¸℄http://www.arehcc.com[Ó 2005] º Ó, Redundant trinomials for finite fields of characteristic 2, Australasian Con- ¾½℄ference on Information Security and Privacy – ACISP 2005, Lecture Notes in Comput.Sci., vol. 3574, Springer-Verlag, Berlin, 2005, 122–133.[Ó℄ , homepage. ¾½℄http://www.math.u-bordeaux.fr/ ~ cdoche/

References 747[ÓÄ 1995] º Ó×ÓÒ & º ú ÄÒ×ØÖ, NFS with four large primes: an explosive experiment, ¼¸ ½¿℄Advances in Cryptology – Crypto 1995, Lecture Notes in Comput. Sci., vol. 963, Springer-Verlag, Berlin, 1995, 372–385.[ÓÄ + 1981] Ⱥ ÓÛÒÝ, º ÄÓÒ, &ʺ ËØ, Computing sequences with addition chains, ½℄SIAM J. Comput. 10 (1981), 638–646.[ÓÙ 2003] º Ó× & ź ÙÒ, Exposure-resilience for free: Hierarchical ID-based encryption ℄case, IEEE Security in Storage 2003, 2003, 45–52.[ÙÒ + 2005] ʺ ÙÔÓÒØ, º Ò, &º ÅÓÖÒ, Building curves with arbitrary small MOV ¸ ℄degree over finite prime fields, J. Cryptology 18 N o 2 (2005), 79–89.[Ù + 1999] Áº ÙÙÖ×Ñ, Ⱥ ÙÖÝ,&º ÅÓÖÒ, Speeding up the discrete log computation ½℄on curves with automorphisms, Advances in Cryptology – Asiacrypt 1999, Lecture Notesin Comput. Sci., vol. 1716, Springer-Verlag, Berlin, 1999, 103–121.[Ùà 1990] ˺ ʺ Ù×× & º ˺ ÃÐ׸ ÂÖº, A cryptographic library for the Motorola ½½℄DSP56000, Advances in Cryptology – Eurocrypt 1990, Lecture Notes in Comput. Sci.,vol. 478, Springer-Verlag, Berlin, 1990, 230–244.[ÙÕ 2004] ˺ ÙÕÙ×Ò, Montgomery scalar multiplication for genus 2 curves, Algorithmic Num- ¿¾¸ ¿¿¸ ℄ber Theory Symposium – ANTS VI, Lecture Notes in Comput. Sci., vol. 3076, Springer-Verlag, 2004, 153–168.[ÙÏ + 2003] º Ù, º ÏÒ, º , &º ÏÒ, An improved ID-based authenticated groupkey agreement scheme, preprint, 2003.http://eprint.iacr.org/2003/260/℄[ÛÓ 1960] º ÛÓÖ, On the rationality of the zeta function of an algebraic variety,Amer.J.Math. ½¿¸ ½¿¸ ¾¾℄82 (1960), 631–648.[Ù 1998] Ⱥ ijÙÝÖ, Uniform random number generators, Proceedings of the 1998 Winter ½℄Simulation Conference (1998), 97–104.[Ù 2001] , Software for uniform random number generation: Distinguishing the good and ½℄the bad, Proceedings of the 2001 Winter Simulation Conference (2001), 95–105.[ 2003] º ÜÓÚÒ, Point counting after Kedlaya, EIDMA-Stieltjes graduate course Leiden, ¾℄2003.[Ä + 2003] ú ×ÒØÖÖ, ú ÄÙØÖ, &Ⱥ ĺ ÅÓÒØÓÑÖÝ, Fast elliptic curve arith- ¾½¸ ¾¾℄metic and improved Weil pairing evaluation, Topics in Cryptology – CT-RSA 2003, LectureNotes in Comput. Sci., vol. 2612, Springer-Verlag, Berlin, 2003, 343–354.[Ð 1985] ̺ ÐÑÐ, A public key cryptosystem and a signature scheme based on discrete ½℄logarithms, Advances in Cryptology – Crypto 1984, Lecture Notes in Comput. Sci., vol.196, Springer-Verlag, Berlin, 1985, 10–18.[Ð 1991] ƺ º Ð×, Explicit isogenies, Draft, 1991. ½¸ ½℄[Ð 1996] ʺ ÐÒÖعÀÙÞÒ, An implementation of the Number Field Sieve, Experi- ½℄ment. Math. 5 N o 3 (1996), 231–253.[ÐË 2002] º Ð Å××Ò & Áº º ËÔÖÐÒ×, On the uniformity of distribution of con- ¿¾℄gruential generators over elliptic curves, Sequences and their Applications – SETA 2001,Discrete Mathematics and Theoretical Computer Science, Springer-Verlag, 2002, 257–264.[Ò 2002] º Ò, Computing discrete logarithms in high-genus hyperelliptic Jacobians in prov- ½¸ ℄ably subexponential time, Math.Comp.71 N o 238 (2002), 729–742.[Ò 2002] º Ò & Ⱥ ÙÖÝ, A general framework for subexponential discrete logarithm ¸ ¸ ¼¼¸½¸ ℄algorithms, Acta Arith. 102 N o 1 (2002), 83–103.[ÒËØ 2002] º Ò & º ËØÒ, Smooth ideals in hyperelliptic function fields, Math.Comp.71 ½¸ ℄(2002), 1219–1230.

748 References[ÒØ 1998] ú ÒØÖ, Bad subsequences of well-known linear congruential pseudorandom ¾¼¸ ¾℄number generators, ACM Transactions on Modeling and Computer Simulation 8 N o 1(1998), 61–70.[Ö 1956] Ⱥ Ö×, On pseudoprimes and Carmichael numbers, Publ. Math. Debrecen 4 (1956), ¿℄201–206.[×Ë + 1998] º º ×ÓØØ, º º ËÖ, º Ⱥ ĺ ËÐÖ, &º Ì×Ô×, Attack- ¼¸ ½℄ing elliptic curve cryptosystems using the parallel Pollard rho method, CryptoBytes (Thetechnical newsletter of RSA laboratories) 4 N o 2 (1998), 15–19.http://www.rsa.com/rsalabs/pubs/cryptobytes[ÂÓ 2003] º¹º ÙÖ & º ÂÓÙÜ, Algebraic cryptanalysis of Hidden Field Equations (HFE) ½℄using Gröbner bases, Advances in Cryptology – Crypto 2003, Lecture Notes in Comput.Sci., vol. 2729, IACR and Springer-Verlag, 2003, 44–60.[Ï 2004] º Ò & º ÏÒ, Inversion-free arithmetic on genus 3 hyperelliptic curves, preprint, ¿℄2004.http://eprint.iacr.org/2004/223/[ + 1999] ˺ ×Ð, º ÚÓÒ ÞÙÖ ØÒ, &ź º ËÓÖÓÐÐ, Normal bases via ¿℄general Gauß periods, Math.Comp.68 N o 225 (1999), 271–290.[Å + 1996] ʺ ÖÖÖ, ʺ ÅÐÞÒ, Ⱥ ÅÖ××Ò, º¹Âº ÉÙ×ÕÙØÖ, &̺ ÏÐÐ, ¾¼℄FAME: A 3rd generation coprocessor for optimising public key cryptosystems in smartcard applications, Smart Card Research and Advanced Application – CARDIS 1996,Stichting Mathematisch Centrum, CWI, Amsterdam, 1996.[ + 2002] Ϻ ×Ö, º ÖÙ, º Ϻ ÃÒÙ×Ò, &ºȺ ËÖØ, Parallel scalar ¾¸ ℄multiplication on general elliptic curves over F p hedged against non-differential sidechannelattacks, preprint, January 2002.http://eprint.iacr.org/2002/007/[Ô× ½¼¹¾℄ ÁÈË ½¼¹¾, Security requirements for cryptographic modules, Federal Information ¾¼℄Processing Standards Publication 140-2, 1999.http://csrc.nist.gov[Ô× ½¹¾℄ ÁÈ˽¹¾, Digital signature standard, Federal Information Processing Standards Pub- ½¿¸ ¾½℄lication 186-2, 2000.http://csrc.nist.gov[Ô× ½℄ ÁÈ˽, Advanced encryption standard (AES), Federal Information Processing Stan- ¾℄dards Publication 197, 2001.http://csrc.nist.gov[ÐÇÝ 2004] ˺ ÐÓÒ & ʺ ÇÝÓÒÓ, Fast arithmetic on Jacobians of Picard curves, Public Key ¿¾℄Cryptography – PKC 2004, Lecture Notes in Comput. Sci., vol. 2947, Springer-Verlag,Berlin, 2004, 55–68.[ÐÇÝ + 2004] ˺ ÐÓÒ, ʺ ÇÝÓÒÓ,&º ÊØÞÒØÐÖ, Fast addition on non-hyperelliptic genus ¿¾℄3 curves, preprint, 2004.http://eprint.iacr.org/2004/118/[ÐË 1997] Ⱥ ÐÓÐØ & º ËÐÚÝ, The SIGSAM challenges: Symbolic asymptotics in practice, ½¾℄SIGSAM Bulletin 31 N o 4 (1997), 36–47.[ÐÝ℄ º κ ÐÝÒÒ, Formulas for the Kummer surface of a genus 2 curve. ¿¿¼℄ftp://ftp.liv.ac.uk/pub/genus2/kummer[ÐÝ 1993] , The group law on the Jacobian of a curve of genus 2, J. Reine Angew. Math. 439 ¿¾℄(1993), 45–69.[Ó + 2000] ź ÓÙÕÙØ, Ⱥ ÙÖÝ, &ʺ ÀÖÐÝ, An extension of Satoh’s algorithm and ¿¾℄its implementation, J. Ramanujan Math. Soc. 15 N o 4 (2000), 281–318.

References 749[Ö 1998] º ÖÝ, How to disguise an elliptic curve, Talk at Waterloo workshop on the ECDLP, ½¾¸ ¿¿℄1998.http://cacr.math.uwaterloo.ca/conferences/1998/ecc98/slides.html[Ö 2001] , Applications of arithmetical geometry to cryptographic constructions, Proceed- ½¿½¸ ¿¿℄ings of the 1998 Finite Fields and Applications Conference, Springer, Berlin, 2001, 128–161.[ÖÄÔ℄ º ú ÄÒ×ØÖ & Ⱥ ÄÝÐÒ, Free version of the LIP package, 1996. ½℄[Ö 2001] Àº ʺ ÖÙÑ, The group law on elliptic curves on Hesse form, Sixth International ¾¸ ¾℄Conference on Finite Fields and Applications, Springer-Verlag, Berlin, 2001. See also thetechnical report CORR 2001-09.http://www.cacr.math.uwaterloo.ca/techreports/2001/corr2001-09.ps[ÖÃÐ + 2004] º ÖÒ, ̺ ÃÐÒÙÒ, º ÅÓÖÒ, &̺ ÏÖØ, Proving the primality of ℄very large numbers with fast ECPP, Algorithmic Number Theory Symposium – ANTSVI, vol. 3076, Springer-Verlag, Berlin, 2004, 194–207.[ÖÄ 2003] º ÖÝ & ̺ ÄÒ, Mathematical background of public key cryptography, Tech. ℄Report 10, IEM Essen, 2003, To appear in Séminaires et Congrès.[ÖÅ + 1999] º ÖÝ, ź Å ÐÐÖ,&Àº¹º Ê , The Tate pairing and the discrete logarithm ¿¸ ¿¸ ¿¼¸¾℄applied to elliptic curve cryptosystems, IEEE Trans. Inform. Theory 45 N o 5 (1999), 1717–1719.[ÖÊ 1994] º ÖÝ & Àº¹º Ê , A remark concerning m-divisibility and the discrete loga- ¿¿¸ ¿¼℄rithm problem in the divisor class group of curves, Math.Comp.62 (1994), 865–874.[ÖÌ 1991] º ÖÐ & ź ÌÝÐÓÖ, Algebraic number theory, Cambridge Studies in Adv. ½℄Math., vol. 27, Cambridge Univ. Press, 1991.[ÙØ×Ù℄ ÙØ×Ù ÄÑØ, Fram guide book. ℄http://www.fujitsu.com/global/services/microelectronics/technical/[ÙÐ 1969] Ϻ ÙÐØÓÒ, Algebraic curves: An introduction to algebraic geometry, Benjamin, 1969. ℄[ + 2000] ˺Ó, º ÚÓÒ ÞÙÖ ØÒ, º ÈÒÖÓ, &κ ËÓÙÔ, Algorithms for expo- ¿¸ ¾¾¸ ¾¾℄nentiation in finite fields, J. Symbolic Comput. 29 (2000), 879–889.[ 1996℄ º ÚÓÒ ÞÙÖ ØÒ & º ÖÖ, Arithmetic and factorization of polynomi- ¾¾¼℄als over F 2 , International Symposium on Symbolic and Algebraic Computation – ISSAC1996, 1–9.[ 1999] , Modern computer algebra, Cambridge University Press, 1999. ¿℄[À 2000] Ⱥ ÙÖÝ & ʺ ÀÖÐÝ, Counting points on hyperelliptic curves over finite fields, ¾¾℄Algorithmic Number Theory Symposium – ANTS IV, vol. 1838, Springer-Verlag, Berlin,2000, 313–332.[À + 2002] ˺ º ÐÖØ, ú ÀÖÖ×ÓÒ,&º ËÓÐÖ, Implementing the Tate pairing, ¿¸ ¿¿¸ ¼¼¸¼½¸¼¸½¸Algorithmic Number Theory Symposium – ANTS V, Lecture Notes in Comput. Sci., vol.¿¸ ℄2369, Springer-Verlag, Berlin, 2002, 324–337.[À + 2002a] ˺ ÐÖØ, º À××, &ƺ ËÑÖØ, Extending the GHS Weil-descent attack,Advances in Cryptology – Eurocrypt 2002, Lecture Notes in Comput. Sci., vol. 2332,Springer-Verlag, Berlin, 2002, 29–44.[À + 2002b] Ⱥ ÙÖÝ, º À××, &ƺ Ⱥ ËÑÖØ, Constructive and destructive facets of Weildescent on elliptic curves, J. Cryptology 15 N o 1 (2002), 19–46.¿½¸ ¿℄¿½¸ ¿℄[Ð 2001a] ˺ºÐÖØ, Supersingular curves in cryptography, Advances in Cryptology – ½¾¸ ¿¿¸ ¸¼℄Asiacrypt 2001, Lecture Notes in Comput. Sci., vol. 2248, Springer-Verlag, Berlin, 2001,495–513.[Ð 2001b] , Weil descent of Jacobians, Workshop on Coding and Cryptography, 2001, Elec- ¿½℄tronic Notes in Discrete Mathematics, vol. 6, Elsevier Science Publishers, 2001.

750 References[Ä + 2000] ʺ Ⱥ ÐÐÒØ, ʺ º ÄÑÖØ,&˺ºÎÒ×ØÓÒ, Improving the parallelized ½℄Pollard lambda search on anomalous binary curves, Math.Comp.69 (2000), 1699–1705.[Ä + 2001] , Faster point multiplication on elliptic curves with efficient endomorphisms, Ad- ¿¿℄vances in Cryptology – Crypto 2001, Lecture Notes in Comput. Sci., vol. 2139, Springer-Verlag, Berlin, 2001, 190–200.[Ä 1992] ˺ Ó & Àº Ϻ ÄÒ×ØÖ¸ ÂÖº, Optimal normal bases, Des. Codes Cryptogr. 2 ¾½℄(1992), 315–323.[Å 2000] ˺ º ÐÖØ & º ÅÃ, The probability that the number of points on an ¾¾℄elliptic curve over a finite field is a prime, J. London Math. Soc. (2) 62 N o 3 (2000), 671–684.[Å + 2004] ˺ º ÐÖØ, º ÅÃ, &Ⱥ ÎÐÒ, Ordinary abelian varieties havingsmall embedding degree, preprint, 2004.http://eprint.iacr.org/2004/365/[ÅÓ + 2001] ú ÒÓÐ, º ÅÓÙÖØÐ, &º ÇÐÚÖ, Electronic analysis: concrete results,Cryptographic Hardware and Embedded Systems – CHES 2001, Lecture Notes in Comput.Sci., vol. 2162, Springer-Verlag, Berlin, 2001, 251–261.℄¾℄[Æ 2005] º ÚÓÒ ÞÙÖ ØÒ & ź ÆÖ, Polynomial and normal bases for finite fields, ¾½¸ ¾½¸ ¾¾¼℄J. Cryptology (2005), to appear.[Ó 2001] ˺ Ó, Abelian groups, Gauß periods and normal bases, Finite Fields Appl. 7 N o 1 ¿℄(2001), 148–164.[Ö 1959] Àº ÖÒÖ, The residue number system, IRE Transactions on Electronic Computers ½℄EC-8 (1959), 140–147.[Ë 2004a] Ⱥ ÙÖÝ & º ËÓ×Ø, Construction of secure random curves of genus 2 over ¾¾¸ ¸ ¸¸ ℄prime fields, Advances in Cryptology – Eurocrypt 2004, Lecture Notes in Comput. Sci.,vol. 3027, Springer-Verlag, 2004, 239–256.[Ë 2004b] , A low-memory parallel version of Matsuo, Chao, and Tsujii’s algorithm, Al- ½½℄gorithmic Number Theory Symposium – ANTS VI, Lecture Notes in Comput. Sci., vol.3076, Springer-Verlag, Berlin, 2004, 208–222.[Ë 2005] , Modular equations for hyperelliptic curves,Math.Comp.74 N o 249 (2005), 429– ¾¾℄454 (electronic).[Ë 1992] º ÚÓÒ ÞÙÖ ØÒ & κ ËÓÙÔ, Computing Frobenius maps and factoring poly- ¼℄nomials (extended abstract), ACM Symposium on Theory of Computing, 1992, 97–105.[ËÑ 1999] ˺ º ÐÖØ & ƺ Ⱥ ËÑÖØ, A cryptographic application of Weil descent, ¿½℄Proceedings of the 1999 Cryptography and Coding Conference, Lecture Notes in Comput.Sci., vol. 1746, Springer-Verlag, Berlin, 1999, 191–200. A version is available as HPTechnical report HPL-1999-70.[Ì + 2004] Ⱥ ÙÖÝ, ƺ ÌÖÙÐØ,&º ÌÓÑ, A double large prime variation for small ¾¿¸ ¾¸ ℄genus hyperelliptic index calculus, preprint, 2004.http://eprint.iacr.org/2004/153/[Ù 1973] º º Ù, Werke, Georg Olms Verlag, 1973, in German. ¿℄[Ù 2000a] Ⱥ ÙÖÝ, Algorithmique des courbes hyperelliptiques et applications à la cryptologie, ¼℄PhD. Thesis, École polytechnique, 2000.http://www.lix.polytechnique.fr/Labo/Pierrick.Gaudry/publis/[Ù 2000b] , An algorithm for solving the discrete log problem on hyperelliptic curves, Ad- ¼¸ ½¸ ℄vances in Cryptology – Eurocrypt 2000, vol. 1807, Springer-Verlag, Berlin, 2000, 19–34.[Ù 2002] , A comparison and a combination of SST and AGM algorithms for counting points ¿¿¸ ½℄of elliptic curves in characteristic 2, Advances in Cryptology – Asiacrypt 2002, LectureNotes in Comput. Sci., vol. 2501, Springer-Verlag, Berlin, 2002, 311–327.

References 751[Ù 2004] , Index calculus for abelian varieties and the elliptic curve discrete logarithm prob- ½¸ ℄lem, preprint, 2004.http://eprint.iacr.org/2004/073/[Ö 1983] º ĺ ÖÚÖ, Factoring large numbers with a quadratic sieve,Math.Comp.41 (1983), ¼℄287–294.[Ë 2002] º ÒØÖÝ & º ËÐÚÖÖ, Hierarchical ID-based encryption, Advances in Cryp- ℄tology – Asiacrypt 2002, Lecture Notes in Comput. Sci., no. 2501, Springer-Verlag, 2002,548–566.[ËÑ 2003] ú ÐÖ & ƺ Ⱥ ËÑÖØ, Computing the M = UU t integer matrix decompo- ½℄sition, Proceedings of the 2003 Cryptography and Coding Conference, Lecture Notes inComput. Sci., vol. 2898, Springer-Verlag, 2003, 223–233.[ 2001] º¹º ××ÑÒÒ, Ein schneller Algorithmus zur Punktevervielfachung, der gegen ¸ ½½℄Seitenkanalattacken resistent ist, talkatWorkshop über Theoretische und praktische Aspektevon Kryptographie mit Elliptischen Kurven, Berlin, 2001.[Ì 2004] º ÖÙ & Àº ÌÙÐ, A survey on fault attacks, Smart Card Research and ℄Advanced Application – CARDIS 2004, Kluwer Academic Publishers, 2004, 159–176.[ÅÈ℄ Ö ËÓØÛÖ ÓÙÒØÓÒ, GNU MP library, version 4.1.4, 2004. ½¸ ½℄http://www.swox.com/gmp/[Ó + 2000] º ÓÒ, ̺ º Ö×ÓÒ,&º ʺ ËØÒ×ÓÒ, Elliptic curve pseudorandom sequence ¿¾℄generators, Selected Areas in Cryptography – SAC 1999, Lecture Notes in Comput. Sci.,vol. 1758, Springer-Verlag, Berlin, 2000, 34–48.[Ó 2000] º ÓÓÑÒ & º ÒÖ×ÖÒ, An energy efficient reconfigurable public key ℄cryptography processor architecture, Cryptographic Hardware and Embedded Systems –CHES 2000, Lecture Notes in Comput. Sci., vol. 1965, Springer-Verlag, Berlin, 2000,174–191.[ÓÀ + 1996] º ÓÐÐÑÒ, º ÀÒ,&º ÅØÐÐ, Redundant integer representations and fast ½¼℄exponentiation, Des. Codes Cryptogr. 7 (1996), 135–151.[ÓÄ 2002] º ÓÒ & º º º ÄÑ, Recursive sequences over elliptic curves, Sequences ¿¾℄and their Applications – SETA 2001, Discrete Mathematics and Theoretical ComputerScience, Springer-Verlag, 2002, 182–196.[ÓÄ + 1994] ʺ º ÓÐÐÚÖ, º ú ÄÒ×ØÖ,&ú ˺ ÅÙÖÐÝ, Lattice sieving and trial ½℄division, Algorithmic Number Theory Symposium – ANTS I, Lecture Notes in Comput.Sci., vol. 877, Springer-Verlag, Berlin, 1994, 18–27.[ÓÅ + 2005] ź ÓÒ, ú ÅØ×ÙÓ, ú Ó, º Ó, &˺ Ì×Ù, Improvements of additionalgorithm on genus 3 hyperelliptic curves and their implementations, IEICETrans.Fundamentals E88-A N o 1 (2005), 89–96.¿℄[ÓÅ 1993] º ź ÓÖÓÒ & ú ˺ ÅÙÖÐÝ, Massively parallel computation of discrete ¾½¸ ¼℄logarithms, Advances in Cryptology – Crypto 1992, Lecture Notes in Comput. Sci., vol.740, Springer-Verlag, Berlin, 1993, 312–323.[ÓÖ 1989] º ÓÖÓÒ, Fast multiplicative inverse in modular arithmetic, Proceedings of the 1986 ½¾℄Cryptography and Coding Conference, Oxford University Press, New York, 1989, 269–279.[ÓÖ 1998] º ź ÓÖÓÒ, A survey of fast exponentiation methods, J. Algorithms 27 N o 1 (1998), ½℄129–146.[ÓÙ 2003] ĺ ÓÙÒ, A refined power analysis attack on elliptic curve cryptosystems, Public Key ¼¾¸ ¼¼℄Cryptography – PKC 2003, Lecture Notes in Comput. Sci., vol. 2567, Springer-Verlag,Berlin, 2003, 199–210.[Ö 1998] º ÖÒØÑ, A probable prime test with high confidence, J. Number Theory 72 ℄(1998), 32–47, MR 2000e:11160.

752 References[Ö 2001] , Frobenius pseudoprimes, Math.Comp.70 (2001), 873–891. ℄[Ö 2004] ̺ ÖÒÐÙÒ, The GNU Multiple Precision arithmetic library, version 4.1.4, 2004. ½¸ ½℄http://www.swox.com/gmp[ÖÀ 1978] Ⱥ ÖØ× & º ÀÖÖ×, Principles of algebraic geometry, John Wiley & Sons, ¸ ¼℄Ltd., 1978.[ÖÀ + 2004] Ⱥ ÖÒÖ, º ÀÙÖÖ, &Àº ÈÖÓÒÖ, Distribution results for low- ½℄weight binary representations for pairs of integers, Theoret. Comput. Sci. 319 (2004),307–331.[ÖÃÒ + 1994] ʺ ĺ ÖÑ, º º ÃÒÙØ, &Ǻ ÈØ×Ò, Concrete Mathematics, 2nd ℄edition, Addison-Wesley Publishing Company, Reading, MA, 1994, first edition 1989.[ÖÓ 1968] º ÖÓØÒ, Crystals and the de Rham cohomology of schemes, Dix Exposés ½¿℄sur la Cohomologie des Schémas, North-Holland, Amsterdam, 1968, 306–358.[ÖÓ 2001] º ÖÓ×Ð, A bit-serial unified multiplier architecture for finite fields GF(p) and ℄GF(2 m ), Cryptographic Hardware and Embedded Systems – CHES 2001, Lecture Notesin Comput. Sci., Springer-Verlag, 2001, 202–219.[ÖÈÓ 2002] º ÖÒÚÐÐ & º ÈÓÑÖÒ, Two contradictory conjectures concerning ¿℄Carmichael numbers, Math.Comp.71 (2002), 883–908.[Ùà + 2004] º ÙÝÓØ, ú ÃÚ, &κ ź ÈØÒÖ, Explicit algorithm for the arithmetic ¿℄on the hyperelliptic Jacobians of genus 3, J. Ramanujan Math. Soc. 19 (2004), 119–159.[ Ä + 2000] º ÒØÖ, ̺ ÄÒ,&º ËØÒ, Speeding up the arithmetic on Koblitz curves of ¿¸ ¿¸ ¿℄genus two, Selected Areas in Cryptography – SAC 2000, Lecture Notes in Comput. Sci.,vol. 2012, Springer-Verlag, Berlin, 2000, 106–117.[ÙÈ 1997] º ÙÖÓ & º ÈÖ, Efficient algorithms for elliptic curve cryptosystems, Ad- ¾℄vances in Cryptology – Crypto 97, Lecture Notes in Comput. Sci., vol. 1294, Springer-Verlag, Berlin, 1997, 342–356.[ÀÐ 1994] ˺ ÀÐÐÖÒ, Linear congruential generators over elliptic curves, Tech. Report CS-94- ¿¾℄143, Carnegie Mellon Univ., 1994.[ÀÄ + 2000] º ÀÒÖ×ÓÒ, º ÄÔÞ,&º º ÅÒÞ×, Software implementation of elliptic ¾¸ ¾½℄curve cryptography over binary fields, Cryptographic Hardware and Embedded Systems– CHES 2000, Lecture Notes in Comput. Sci., vol. 1965, Springer-Verlag, Berlin, 2000,1–24.[ÀÅ + 2003] º ÀÒÖ×ÓÒ, º º ÅÒÞ×, &˺ º ÎÒ×ØÓÒ, Guide to elliptic curve ½¾¸ ¾½¸ ¾½¸¾¾¿¸¾¿½¸¾¿¸cryptography, Springer-Verlag, Berlin, 2003.[ÀÅÓ 2002] º À & ˺ ÅÓÓÒ, Randomized signed-scalar multiplication of ECC to resist power ℄attacks, Cryptographic Hardware and Embedded Systems – CHES 2002, Lecture Notes inComput. Sci., vol. 2523, Springer-Verlag, Berlin, 2002, 551–563.[ÀÒ 1959] Ϻ ÀÒ×Ò, Zum Scholz–Brauerschen Problem, J. Reine Angew. Math. 202 (1959), ½℄129–136, in German.¾¸¿¼½¸¼¸[ÀÉÙ + 2002] º ÀÒÖÓØ, ź ÉÙÖ, &Ⱥ ÑÑÖÑÒÒ, Chronométrages d’algorithmes ½¸ ½℄multiprécision, janvier 2002.http://www.pauillac.inria.fr/ ~ quercia/papers/mesures2.tar½℄[ÀÉÙ + 2004] , The middle product algorithm, I, Appl. Algebra Engrg. Comm. Comput. 14 N o 6 ½℄(2004), 415–438.[ÀÖ 1960] º ÀÖÖ×, Probability distributions related to random mappings, Ann. of Math. Statis- ¿℄tics 31 (1960), 1045–1062.[ÀÖ 1977] ʺ ÀÖØ×ÓÖÒ, Algebraic Geometry, Graduate Texts in Mathematics, vol. 52, ¼℄Springer-Verlag, 1977.

References 753[ÀÖ 2000℄ ʺ ÀÖÐÝ, Fast arithmetic on genus 2 curves, 2000. ¿½¿℄See http://cristal.inria.fr/ ~ harley/hyper for C source code and further explanations.[ÀÖ 2002a] , Algorithmes avancés pour l’arithmétique des courbes (Advanced algorithms for ½℄arithmetic on curves), PhD. Thesis, Université Paris 7, 2002.[ÀÖ 2002b] , Asymptotically optimal p-adic point-counting, e-mail to NMBRTHRY list, De- ¾¼¸ ¾¸ ¾¿¸¿℄cember 2002.[ÀÖ 2005] º ÀÖÑÒ, On the number of Carmichael numbers up to x, Bull. London Math. Soc. ¿℄(2005), to appear.[À× 2000] ź º À×Ò, Power analysis attacks and algorithmic approaches to their countermea- ¼¸ ½½℄sures for Koblitz curve cryptosystems, Cryptographic Hardware and Embedded Systems– CHES 2000, Lecture Notes in Comput. Sci., vol. 1965, Springer-Verlag, Berlin, 2000,93–108.[ÀÒ 1908] ú ÀÒ×Ð, Theorie der algebraischen Zahlen, Leipzig, 1908. ½¼℄[ÀÒ 1961] Àº º ÀÒÖ×ÓÒ, Fast high-accuracy binary parallel addition, IRE Trans. Elec- ¿¿℄tronic Computers 10 (1961), 465–468.[À× 2003] º À××, The GHS attack revisited, Advances in Cryptology – Eurocrypt 2003, Lecture ¿½¸ ¿℄Notes in Comput. Sci., vol. 2656, Springer-Verlag, Berlin, 2003, 374–387.[À× 2004] , A note on the Tate pairing of curves over finite fields, Arch. Math. (Basel) 82 ½¾¾℄(2004), 28–32.[ÀË + 2001] º À××, º ËÖÓÙ××, &ƺ Ⱥ ËÑÖØ, Two topics in hyperelliptic cryptography, ¿½½¸ ¿½¿℄Selected Areas in Cryptography – SAC 2000, Lecture Notes in Comput. Sci., vol. 2259,Springer-Verlag, Berlin, 2001, 181–189.[ÀË 2005] º À×× & Áº º ËÔÖÐÒ×, On the linear complexity and multidimensional dis- ¿¾℄tribution of congruential generators over elliptic curves, Des. Codes Cryptogr. 35 (2005),111–117.[ÀÅÓ 2002] º ÀØÓ & Ⱥ ÅÓÒØÙ, A new elliptic curve scalar multiplication algo- ℄rithm to resist simple power analysis, Australasian Conference on Information Securityand Privacy – ACISP 2002, Lecture Notes in Comput. Sci., vol. 2384, Springer-Verlag,Berlin, 2002, 214–225.[ÀÌ 2000] º ÀÙ & ƺ Ì, A fast addition algorithm for elliptic curve arithmetic in ¾¿℄GF(2 n ) using projective coordinates, Inform. Process. Lett. 76 (2000), 101–103.[ÀÓÀÓ + 2003] º ÀÓ×ØÒ, ƺ ÀÓÛÖÛ¹ÖÑ, º ÈÔÖ, º Àº ËÐÚÖÑÒ, &Ϻ ÏÝØ, NTRUSign: Digital Signatures Using the NTRU Lattice, Topics in Cryptology½℄– CT-RSA 2003, Lecture Notes in Comput. Sci., vol. 2612, Springer-Verlag, Berlin,2003, 122–140.[ÀÓÐ 2003] º º ÀÓÐØ, On computing Discrete Logarithms: Large prime(s) variants, PhD. Thesis, ¼¸ ¼℄University of Bath, 2003.[ÀÓÇ + 1996] ˺¹Åº ÀÓÒ, ˺¹º Ç, &Àº ÓÓÒ, New modular multiplication algorithms for ¾¼℄fast modular exponentiation, Advances in Cryptology – Eurocrypt 1996, Lecture Notes inComput. Sci., vol. 1070, Springer-Verlag, Berlin, 1996, 166–177.[ÀÓÈ + 1998] º ÀÓ×ØÒ, º ÈÔÖ, &º Àº ËÐÚÖÑÒ, NTRU: a ring-based public key ½℄cryptosystem, Algorithmic Number Theory Symposium – ANTS III, Lecture Notes inComput. Sci., vol. 1423, Springer-Verlag, Berlin, 1998, 267–288.[ÀÓËÑ 2001] ƺ º ÀÓÛÖÚ¹ÖÑ & ƺ Ⱥ ËÑÖØ, Lattice attacks on digital signature ¿¸ ℄schemes, Des. Codes Cryptogr. 23 (2001), 283–290.[ÀÓÛ 2001] º ÀÓÛ, Isogeny classes of abelian varieties with no principal polarizations, Moduli ¼℄of abelian varieties (Texel Island, 1999), Progr. Math., vol. 195, Birkhäuser, Basel, 2001,203–216.

754 References[ÀÙÁ 1998] ź¹º ÀÙÒ & º ÁÖÖ, Counting points on curves over finite fields, J. Symbolic ¾¾℄Comput. 25 N o 1 (1998), 1–21.[ÀÙÈ 1998] º ÀÙÒ & κ º ÈÒ, Fast rectangular matrix multiplication and applications, J. ¾½℄Complexity 14 N o 2 (1998), 257–299.[Áà 1975] Ǻ Àº ÁÖÖ & º º ÃÑ, Fast approximation algorithms for the knapsack and ½℄sum of subsets problems, J.oftheACM22 (1975), 463–468.[ÁÙ 1960] º¹Áº ÁÙ×, Arithmetic variety of moduli for genus two, Ann. of Math. (2) 72 (1960), ½¼½℄612–649.[ÁÅ + 2002℄ ̺ ÁÑ, ú ÅØ×ÙÓ, º Ó, &˺ Ì×Ù, Construction of Frobenius maps of ¿℄twists elliptic curves and its application to elliptic scalar multiplication, Symposium onCryptography and Information Security – SCIS 2002.[ÁÒÌ + 1982] Áº ÁÒÑÖ××ÓÒ, º ̺ ÌÒ, &º Ϻ ÏÓÒ, A conference key distribution ℄system, IEEE Trans. Inform. Theory 28 (1982), 714–720.[ÁÒØÐ ¼½℄ ÄØÖØÙÖ ÔÖØÑÒØ ÁÒØÐ ÓÖÔÓÖØÓÒ, Microcontroller handbook. ¾½℄[ÁËÇ 1995℄ ÁËÇ ÖÓÙÔ, International Standard ISO 7810 Identification cards — Physical charac- ℄teristics, Tech. report, ISO/IEC Copyright Office, 1995.[ÁËÇ 1999℄ , Part 1: Physical characteristics, International Standard ISO/IEC 7816: Identifi- ¸ ½℄cation cards — Integrated circuit(s) cards with contacts, Tech. report, ISO/IEC CopyrightOffice, 1995-99.[ÁËÇ 1999℄ , Part 2: Dimensions and location of the contacts, International Standard ISO/IEC ¸ ¸½℄7816: Identification cards — Integrated circuit(s) cards with contacts, Tech. report,ISO/IEC Copyright Office, 1995-99.[ÁËÇ 1999℄ , Part 3: Electronic signals and transmission protocols, International Standard ¸ ¼¸½℄ISO/IEC 7816: Identification cards — Integrated circuit(s) cards with contacts, Tech.report, ISO/IEC Copyright Office, 1995-99.[ÁËÇ 1999℄ , Part 4: Interindustry commands for interchange, International Standard ISO/IEC ¸ ¸½℄7816: Identification cards — Integrated circuit(s) cards with contacts, Tech. report,ISO/IEC Copyright Office, 1995-99.[ÁËÇ 2000℄ , International Standard ISO/IEC 14443: Identification cards — Contactless inte- ¼¸ ¸ ¾℄grated circuit(s) cards — Proximity cards, Tech. report, ISO/IEC Copyright Office, 2000.[ÁËÇ 2000℄ , Part 1: Physical characteristics, International Standard ISO/IEC 14443: Iden- ¸ ¾℄tification cards — Contactless integrated circuit(s) cards - Proximity cards, Tech.report,ISO/IEC Copyright Office, 2000.[ÁËÇ 2000℄ , Part 2: Radio frequency power and signal interface, International Standard ¸ ¾℄ISO/IEC 14443: Identification cards — Contactless integrated circuit(s) cards — Proximitycards, Tech. report, ISO/IEC Copyright Office, 2000.[ÁËÇ 2000℄ , Part 3: Initialization and anticollision, International Standard ISO/IEC 14443: ¸ ¾℄Identification cards — Contactless integrated circuit(s) cards — Proximity cards, Tech.report, ISO/IEC Copyright Office, 2000.[ÁËÇ 2000℄ , Part 4: Transmission protocol, International Standard ISO/IEC 14443: Identi- ¸ ¾℄fication cards — Contactless integrated circuit(s) cards — Proximity cards, Tech.report,ISO/IEC Copyright Office, 2000.[ÁØÌ× 1988] ̺ ÁØÓ & ˺ Ì×Ù, A fast algorithm for computing multiplicative inverses in GF(2 m ) ¾¾¸ ¾¿℄using normal bases, Inform. and Comp. 78 N o 3 (1988), 171–177.[ÁØÌ× 1989] , Structure of parallel multipliers for a class of fields GF(2 m ), Inform. and Comp. ¾½℄83 (1989), 21–40.[ÁØ + 2002] ú ÁØÓ, º Ñ, ź ÌÒ, &ƺ ÌÓÖ, DPA countermeasures by im- ℄proving the window method, Cryptographic Hardware and Embedded Systems – CHES2002, Lecture Notes in Comput. Sci., vol. 2523, Springer-Verlag, Berlin, 2002, 303–317.

References 755[ÁÞÌ 2002a] ̺ ÁÞÙ & ̺ Ì, Fast elliptic curve multiplication with SIMD operations, Infor- ¾¸ ¼℄mation and Communication Security – ICICS 2002, Lecture Notes in Comput. Sci., vol.2513, Springer-Verlag, 2002, 217–230.[ÁÞÌ 2002b] , A fast parallel elliptic curve multiplication resistant against Side-Channel At- ℄tacks, Public Key Cryptography – PKC 2002, Lecture Notes in Comput. Sci, vol. 2274,Springer-Verlag, Berlin, 2002, 280–296.[ÁÞÌ 2003a] , Efficient computations of the Tate pairing for the large MOV degrees, Informa- ¼½℄tion Security and Cryptology – ICISC 2002, Lecture Notes in Comput. Sci., vol. 2587,Springer-Verlag, Berlin, 2003, 283–297.[ÁÞÌ 2003b] , Exceptional procedure attack on elliptic curve cryptosystems, Public Key Cryp- ¸ ¼℄tography – PKC 2003, Lecture Notes in Comput. Sci, vol. 2567, Springer-Verlag, Berlin,2003, 224–239.[ÂÅ + 2001] ź º ÂÓ×ÓÒ¸ ÂÖº, º º ÅÒÞ×,&º ËØÒ, Solving elliptic curve discrete ¿½℄logarithm problems using Weil descent, J. Ramanujan Math. Soc. 16 (2001), 231–260.[ 1993a] ̺ ÂÐÒ, An algorithm for exact division, J. Symbolic Comput. 15 N o 2 (1993), ½¸ ½¼℄169–180.[ 1993b] , Improving the multiprecision Euclidean algorithm, Design and Implementation ½¾℄of Symbolic Computation Systems – DISCO 1993, Lecture Notes in Comput. Sci., vol.722, Springer-Verlag, Berlin, 1993, 45–58.[ÂÓÄ 2002] º ÂÓÙÜ & ʺ ÄÖÖ, The function field sieve is quite special, Algorithmic Number ℄Theory Symposium – ANTS V, Lecture Notes in Comput. Sci., vol. 2369, Springer-Verlag,2002, 431–445.[ÂÓÆ 2003] º ÂÓÙÜ & ú ÆÙÝÒ, Separating decision Diffie–Hellman from Diffie–Hellman in ℄cryptographic groups, J. Cryptology 16 (2003), 239–247.[ÂÓÉÙ 2001] ź ÂÓÝ & º¹Âº ÉÙ×ÕÙØÖ, Hessian elliptic curves and side-channel attacks, ¾¸ ¾¸ ¸℄Cryptographic Hardware and Embedded Systems – CHES 2001, Lecture Notes in Comput.Sci., vol. 2162, Springer-Verlag, Berlin, 2001, 402.[ÂÓÉÙ + 2002] ź ÂÓÝ, º¹Âº ÉÙ×ÕÙØÖ, ˺¹Åº Ò, &ź ÙÒ, Observability analysis – ¼℄detecting when improved cryptosystems fail, Topics in Cryptology – CT-RSA 2002, LectureNotes in Comput. Sci., vol. 2271, Springer-Verlag, Berlin, 2002, 17–29.[ÂÓÌÝ 2002] ź ÂÓÝ & º ÌÝÑÒ, Protections against differential analysis for elliptic curve cryp- ¼¸ ¼¼¼¾¸½¾℄tography – an algebraic approach, Cryptographic Hardware and Embedded Systems –CHES 2001, Lecture Notes in Comput. Sci., vol. 2162, Springer-Verlag, Berlin, 2002,377–390.[ÂÓÙ 2000] º ÂÓÙÜ, A one round protocol for tripartite Diffie–Hellman, Algorithmic Number The- ½¿¸ ¸ ¿¸℄ory Symposium – ANTS IV, Lecture Notes in Comput. Sci., vol. 1838, Springer-Verlag,2000, 385–394.[ÂÓÙ 2004] , A one round protocol for tripartite Diffie–Hellman, J. Cryptology 17 (2004), ¸ ¿℄263–276.[ÂÓÝ 2004] ź ÂÓÝ, Smart-card implementation of elliptic curve cryptography and DPA-type at- ¼℄tacks, Smart Card Research and Advanced Application – CARDIS 2004, Kluwer AcademicPublishers, 2004, 114–125.[ÂÓÝ 2005] , Defenses against side-channel analysis, Advances in Elliptic Curve Cryptogra- ℄phy (Áº º Ð, º ËÖÓÙ××, &ƺ Ⱥ ËÑÖØ, eds.), Cambridge UniversityPress, 2005.[ÂÓ 2000] ź ÂÓÝ & ˺źÒ, Optimal left-to-right binary signed-digit recoding, IEEE Trans. ½½¸ ½¾¸ ¼½¸℄on Computers 49 N o 7 (2000), 740–748.[ÂÙÅ + 1990] º ÂÙÒÒÐ, º º ÅÒÞ×,&˺ºÎÒ×ØÓÒ, On the number of self dual ¿℄basis of GF(q m ) over GF(q), Proc. Amer. Math. Soc. 109 (1990), 23–29.

756 References[ÂÙÒ 1993] º ÂÙÒÒÐ, Finite fields, B.I.-Wissenschaftsverlag, Manheim, Leipzig, Wien, ¾¼½¸ ¾¿¼℄Zürich, 1993.[ÂÙÎ 1996] ź ÂÙ×Ø & ˺ÎÙÒÝ, Authenticated multi-party key agreement, Advances in Cryp- ℄tology – Asiacrypt 1996, Lecture Notes in Comput. Sci., vol. 1163, Springer-Verlag, 1996,36–49.[Ãà + 2004] ź ÃØ, Áº ÃØÑÙÖ, ̺ ×Ø,&̺ Ì, Novel efficient implemen- ¸ ¼℄tations of hyperelliptic curve cryptosystems using degenerate divisors, Workshop on InformationSecurity Applications – WISA 2004, Lecture Notes in Comput. Sci., vol. 3325,Springer-Verlag, Berlin, 2004, 347–361.[ÃÐ 1986] º ˺ ÃÐ׸ ÂÖº, A pseudorandom bit generator based on elliptic logarithms, Ad- ¿℄vances in Cryptology – Crypto 1986, Lecture Notes in Comput. Sci., vol. 293, Springer-Verlag, Berlin, 1986, 84–103.[ÃÐ 1995] , The Montgomery inverse and its applications, IEEE Trans. on Computers 44 N o 8 ¾¼¸ ℄(1995), 1064–1065.[ÃÄÙ 1982] º º ÃØÓ & ˺ ÄÙÒ, Zeta matrices of elliptic curves, J. Number Theory 15 N o 3 ½¿¸ ¾¿℄(1982), 318–330.[ÃÑ 1991] Ϻ ÃÑÔØØÖ, Explizite Gleichungen für Jacobische Varietäten hyperelliptischer ½¼¸ ¾¾℄Kurven, PhD. Thesis, Universität Gesamthochschule Essen, 1991.[ÃÅ 1997] º Àº ÃÖÔ & Ⱥ ÅÖ×ØÒ, High-precision division and square root,ACMTrans. ¾℄Math. Software 23 N o 4 (1997), 561–589.[ÃÒ 1993] º ÃÒ, 100 statistical tests, Sage Publications, 1993. ¾℄[ÃÇ 1962] º º ÃÖØ×Ù & Ùº ÇÑÒ, Multiplication of multiplace numbers on au- ½℄tomata, Dokl. Acad. Nauk SSSR 145 N o 2 (1962), 293–294.[ÃÇ 1963] , Multiplication of multidigit numbers on automata, Soviet Physics-Doklady 7 ¾℄(1963), 595–596.[ÃÖ 1995] º º ÃÖØ×Ù, The complexity of computations, Trudy Mat. Inst. Steklov. ØÖÒ×¹ ½℄ÐØ ÒProc. Steklov Inst. Math. 211 (1995), 186–202.[ÃÙ 2003] º ÃØÞ & ź ÙÒ, Scalable protocols for authenticated group key exchange, Ad- ℄vances in Cryptology – Crypto 2003, Lecture Notes in Comput. Sci., vol. 2729, Springer-Verlag, 2003, 110–125.[à 2001] ú ˺ ÃÐÝ, Counting points on hyperelliptic curves using Monsky–Washnitzer ½¿¸ ¾½¸ ¿¿¸¸¾¸¿¸cohomology, J. Ramanujan Math. Soc. 16 (2001), 323–338.[ÃÒ 2001] º ÃÒ, An improved implementation of elliptic curves over GF(2) when using pro- ¾¾½℄jective point arithmetic, Selected Areas in Cryptography – SAC 2001, Lecture Notes inComput. Sci., vol. 2259, Springer-Verlag, Berlin, 2001, 134–150.[ÃÈ + 1999] º ÃÔÒ×, º ÈØÖÒ, &ĺ ÓÙÒ, Unbalanced oil and vinegar signature ½¸ ℄schemes, Advances in Cryptology – Eurocrypt 1999, Lecture Notes in Comput. Sci., vol.1592, Springer-Verlag, 1999, 206–222. Extended version: [ÃÈ + 2003].℄[ÃÈ + 2002]Àº º ÃÑ, º º ÈÖ, º Àº ÓÒ, º Àº ÈÖ, º Àº ÃѺ, &˺ º ¾¼¸ ¿¿℄ÀÒ, Fast elliptic curve point counting using Gaussian Normal Basis, AlgorithmicNumber Theory Symposium – ANTS V, Lecture Notes in Comput. Sci., vol. 2369,Springer-Verlag, 2002, 292–307.[ÃÈ + 2003] º ÃÔÒ×, º ÈØÖÒ, &ĺ ÓÙÒ, Unbalanced oil and vinegar signature ½¸ ℄schemes, extended version of [ÃÈ + 1999], 2003.http://citeseer.nj.nec.com/231623.html[ÃÒÓ 1975] º ÃÒÓÔÑÖ, Abstract analytic number theory, North–Holland Mathematical Li- ℄brary, vol. 12, North–Holland, Amsterdam, 1975.

References 757[ÃÒÈ 1981] º º ÃÒÙØ & º Àº ÈÔÑØÖÓÙ, Duality in addition chains, Bull. Eur. Assoc. ½℄Theoret. Comput. Sci. 13 (1981), 2–4.[ÃÒÙ 1981] º º ÃÒÙØ, The art of computer programming. Vol. 2, Seminumerical algorithms, ½℄second ed., Addison-Wesley Publishing Company, Reading, MA, 1981, Addison-WesleySeries in Computer Science and Information Processing.[ÃÒÙ 1997] , The art of computer programming. Vol. 2, Seminumerical algorithms, thirded., ½¸ ½¼¸ ½¾¸½¼¸½¸½¸Addison-Wesley Publishing Company, Reading, MA, 1997, Addison-Wesley Series in¾¾¸¼¸¸Computer Science and Information Processing.¼¾¸½¸½¸[ÃÒÙ 1999] º Ϻ ÃÒÙ×Ò, Elliptic scalar multiplication using point halving, Advances in Cryp- ¾¾¸ ¾¸ ¿¼¼℄tology – Asiacrypt 1999, Lecture Notes in Comput. Sci., vol. 1716, Springer-Verlag,Berlin, 1999, 135–149.[ÃÓ 1998] º ú ÃÓ & ̺ Ö, Montgomery multiplication in GF(2 k ), Des. Codes Cryptogr. ¾½¸ ℄14 N o 1 (1998), 57–69.[ÃÓ + 1996] º ú ÃÓ, ̺ Ö, &º ˺ ÃÐ׸ ÂÖº, Analyzing and comparing Mont- ¾¼¸ ¿℄gomery multiplication algorithms, IEEE Micro 16 N o 3 (1996), 26–33.[ÃÓ 1989] ƺ ÃÓÐØÞ, Hyperelliptic cryptosystems, J. Cryptology 1 (1989), 139–150. ¿¼¸ ¿℄[ÃÓ 1992] , CM-curves with good cryptographic properties, Advances in Cryptology – ¿¸ ¿¸ ¿℄Crypto 1991, Lecture Notes in Comput. Sci., vol. 576, Springer-Verlag, Berlin, 1992,279–287.¾¼℄[ÃÓ 1994] , A course in Number Theory and Cryptography, Graduate Texts in Mathematics, ¾½¾℄vol. 114, Springer-Verlag, 1994, second edition.[ÃÓ 1996] Ⱥ ÃÓÖ, Timings attacks on implementations of Diffie–Hellman, RSA, DSS and other ¸ ¼℄systems, Advances in Cryptology – Crypto 1996, Lecture Notes in Comput. Sci., vol. 1109,Springer-Verlag, Berlin, 1996, 104–113.[ÃÓ 2001] º ÃÓÙÒ, Careful design and integration of cryptographic primitives, with contri- ℄bution to timing attack, padding schemes and random number generators, PhD. Thesis,Katholieke Universiteit Leuven, 2001.http://www.dice.ucl.ac.be/ ~ fkoeune/thesis.ps.gz[ÃÓ 2003] º ʺ ÃÓÐ, The AGM-X 0 (N) Heegner point lifting algorithm and elliptic curve ¾℄point counting, Advances in Cryptology Proceedings – Asiacrypt 2003, Lecture Notes inComput. Sci., vol. 2894, Springer-Verlag, Berlin, 2003, 124–136.[ÃÓ + 1999] Ⱥ ÃÓÖ, º Â, &º ÂÙÒ, Differential power analysis, Advances in Cryp- ¸ ¼¸ ¼℄tology – Crypto 1999, Lecture Notes in Comput. Sci., vol. 1666, Springer-Verlag, Berlin,1999, 388–397.[ÃÃÙ 1999] Ǻ ÃÑÑÖÐÒ & ź º ÃÙÒ, Design principles for tamper-resistant smartcard ¼℄processors, Proceedings of the 1999 USENIX Workshop on Smartcard Technology, 1999,9–20.[ÃÓÄ + 2000] ú Àº ÃÓ, ˺ º Ä, º Àº ÓÒ, º Ϻ ÀÒ, º ÃÒ, &º ÈÖ, ½℄New public key cryptosystem using braid groups, Advances in Cryptology – Crypto 2000,Lecture Notes in Comput. Sci., vol. 1880, Springer-Verlag, Berlin, 2000, 166–183.[ÃÓÅÓ + 1999] ̺ ÃÓÝ×, Àº ÅÓÖØ, ú ÃÓÝ×, &º ÀÓ×ÒÓ, Fast elliptic curvealgorithm combining Frobenius map and table reference to adapt to higher characteristic,Theory and Application of Cryptographic Techniques, 1999, 176–189.¾¿℄[ÃÓÖ 2002] Áº ÃÓÖÒ, Computer arithmetic algorithms, A. K. Peters, 2002. ½¸ ¿℄[ÃÓË 2000] º ʺ ÃÓÐ & Áº º ËÔÖÐÒ×, Exponential sums and group generators for ¿¾℄elliptic curves over finite fields, Algorithmic Number Theory Symposium – ANTS IV,Lecture Notes in Comput. Sci., vol. 1838, Springer-Verlag, Berlin, 2000, 395–404.[ÃÓËÙ 1998] º ú ÃÓ & º ËÙÒÖ, Low-complexity bit-parallel canonical and normal basis ¿℄multipliers for a class of finite fields, IEEE Trans. on Computers 47 N o 3 (1998), 353–356.

758 References[ÃÓÌ× 1993] ú ÃÓÝÑ & º Ì×ÙÖÙÓ, Speeding up elliptic cryptosystems by using a signed ½¾¸ ¿¼¾℄binary window method, Advances in Cryptology – Crypto 1992, Lecture Notes in Comput.Sci., vol. 740, Springer-Verlag, Berlin, 1993, 345–357.[ÃÓÏ 2005] ú ÃÓ & º ÏÒ, Construction of CM-Picard curves, Math.Comp.74 N o 249 ¿℄(2005), 499–518.[ÃÖ 1922] ź ÃÖØ, Théorie des nombres, vol. 1, Gauthier-Villars, 1922. ℄[ÃÖ 1924] , Recherches sur la théorie des nombres, Gauthier-Villars, 1924. ℄[ÃÖ 1997] ͺ ÃÖÖ, Anwendung hyperelliptischer Kurven in der Kryptographie, Master’sthe- ¿½¿℄sis, Universität Gesamthochschule Essen, 1997.[ÃÖ 1996] Ϻ ÃÖÒ & ̺ ÂÐÒ, Bidirectional exact integer division, J. Symbolic ½¼℄Comput. 21 N o 4–6 (1996), 441–445.[ÃÙÓ + 2002℄ º ÃÙÖÓ, ź ÓÒ, ú ÅØ×ÙÓ, º Ó, &˺ Ì×Ù, Fast genus threehyperelliptic curve cryptosystems, Symposium on Cryptography and Information Security– SCIS 2002, 503–507.http://lab.iisec.ac.jp/ ~ matsuo_lab/pub/pdf/8b-2_1244.pdf¿℄[à 1902] Àº à Ò, Eine Wechselbeziehung zwischen Funktionen mehrerer Unbestimmten, die ¿℄zu Reciprocitätsgesetzen führt, J. Reine Angew. Math. 124 (1902), 121–133.[ÃÙ 1998] ƺ ÃÙÒÖÓ & Àº ÑÑÓØÓ, Window and extended window methods for addition ½¼℄chain and addition-subtraction chain, IEICE Trans. Fundamentals E81-A N o 1 (1998),72–81.[Ä 1973] º ĺ ÄÖÒ, Œuvres, Georg Olms Verlag, 1973, in French. ¿℄[ÄÑ 1996] ʺ º ÄÑÖØ, Computational aspects of Discrete Logarithms, PhD. Thesis, Univer- ¼½℄sity of Waterloo, Ontario, Canada, 1996.[ÄÅ 2004] ̺ ÄÒ & Ⱥ ú Å×Ö, SCA resistant parallel explicit formula for addition and ℄doubling of divisors in the Jacobian of hyperelliptic curves of genus 2, preprint, 2004.[ÄÒ 1973] ˺ÄÒ, Elliptic functions, Addison-Wesley Publishing Company, Reading, MA, 1973. ¸ ½¾¿℄[ÄÒ 1982] , Introduction to algebraic and abelian functions, 2nd edition ed., Springer-Verlag, ½¼¼¸ ½¼℄Berlin, 1982.[ÄÒ 2001a] ̺ ÄÒ, Efficient arithmetic on hyperelliptic curves, PhD. Thesis, Universität-Gesam- ¿½¿¸ ¿½¸ ¿¸¿¸¿¸¿¿¸thochschule Essen, 2001.[ÄÒ 2001b] , Efficient arithmetic on hyperelliptic Koblitz curves, Tech. Report 2-2001, ¿℄Universität-Gesamthochschule Essen, 2001.½¼¸ ½¾℄[ÄÒ 2001c] , Hyperelliptic curves allowing fast arithmetic, webpage, 2001. ¿¸ ¿½℄http://www.ruhr-uni-bochum.de/itsc/tanja/KoblitzC.html[ÄÒ 2002a] ˺ ÄÒ, Algebra, Graduate Texts in Mathematics, vol. 211, Springer-Verlag, Berlin, ½¸ ¾¸ ¾℄2002, third edition.[ÄÒ 2002b] ̺ ÄÒ, Efficient arithmetic on genus 2 hyperelliptic curves over finite fields via ex- ¿½℄plicit formulae, preprint, 2002.http://eprint.iacr.org/2002/121/[ÄÒ 2002c] , Inversion-free arithmetic on genus 2 hyperelliptic curves, preprint, 2002. ¿¾½℄http://eprint.iacr.org/2002/147/[ÄÒ 2002d] , Weighted coordinates on genus 2 hyperelliptic curves, preprint, 2002. ¿¾¿¸ ¿¾¸ ¿¾℄http://eprint.iacr.org/2002/153/[ÄÒ 2004a] , Montgomery addition for genus two curves, Algorithmic Number Theory Sym- ¿¾¸ ¿¾¸ ℄posium – ANTS VI, Lecture Notes in Comput. Sci., vol. 3076, Springer-Verlag, 2004,309–317.

References 759[ÄÒ 2004b] , A note on López–Dahab coordinates, preprint, 2004. ¾℄http://eprint.iacr.org/2004/323/[ÄÒ 2004c] , Trace zero subvarieties of genus 2 curves for cryptosystems, J. Ramanujan Math. ½¿½¸ ¿¿¸ ¿¸¿℄Soc. 19 N o 1 (2004), 15–33.[ÄÒ 2005a] , Arithmetic on binary genus 2 curves suitable for small devices, preprint, 2005. ¿½¿¸ ¿¸ ¿℄[ÄÒ 2005b] , Formulae for arithmetic on genus 2 hyperelliptic curves, Appl. Algebra Engrg. ¿¿¸ ¿¾¸ ¿℄Comm. Comput. 15 N o 5 (2005), 295–328.[ÄÒ 2005c] , Koblitz curve cryptosystems, Finite Fields Appl. 11 N o 2 (2005), 220–229. ¿¸ ¿¼¸ ¿℄[ÄÊÙ 1985] Àº ÄÒ & Ϻ ÊÙÔÔÖØ, Complete systems of addition laws on abelian varieties, ℄Invent. Math. 79 (1985), 603–610.[ÄË 2005a] ̺ ÄÒ & Áº º ËÔÖÐÒ×, Certain exponential sums and random walks on ¿¿¸ ¿℄elliptic curves, Canad. J. Math. 57 (2005), 338–350.[ÄË 2005b] , Collisions in fast generation of ideal classes and points on hyperelliptic and ¿¸ ¿℄elliptic curves, Appl. Algebra Engrg. Comm. Comput. 15 N o 5 (2005), 329–337.[ÄËØ 2005] ̺ ÄÒ & ź ËØÚÒ×, Efficient doubling for genus two curves over binary fields, ¿¿¸ ¿¿¸ ¿¿¸¿¾℄Selected Areas in Cryptography – SAC 2004, Lecture Notes in Comput. Sci., vol. 3357,Springer-Verlag, Berlin, 2005, 170–181.[ÄÙ 2004] º º º ÄÙÖ, Deformation theory and the computation of zeta functions, Proc. ½¿℄London Math. Soc. (3) 88 N o 3 (2004), 565–602.[ÄÏ 2002a] º º º ÄÙÖ & º ÏÒ, Computing zeta functions of Artin–Schreier curves ½¿¸ ¿℄over finite fields, LMS J. Comput. Math. 5 (2002), 34–55 (electronic).[ÄÏ 2002b] , Counting points on varieties over finite fields of small characteristic, Algorith- ½¿℄mic Number Theory: Lattices, Number Fields, Curves and Cryptography, MathematicalSciences Research Institute Publications, 2002. Proceedings of an MSRI workshop. Toappear.[ÄÏ 2004] , Computing zeta functions of Artin-Schreier curves over finite fields II, J.Com- ½¿¸ ¿℄plexity 20 N o 2-3 (2004), 331–349.[ÄÏ 2002] ̺ ÄÒ & º ÏÒØÖÓ, Polynomial interpolation of the elliptic curve and XTR ℄discrete logarithm, Computing and Combinatorics – COCOON 2002, Lecture Notes inComput. Sci., vol. 2387, Springer-Verlag, Berlin, 2002, 137–143.[ÄÏ 2003] , Interpolation of the elliptic curve Diffie–Hellman mapping, Applicable Alge- ℄bra, Algebraic Algorithms and Error-Correcting Codes – AAECC 2003, Lecture Notes inComput. Sci., Springer-Verlag, Berlin, 2003, 51–60.[Ä 1938] º Àº ÄÑÖ, Euclid’s algorithm for large numbers, Amer. Math. Monthly 45 (1938), ½¾℄227–233.[ÄÄ 1990] º ú ÄÒ×ØÖ & Àº Ϻ ÄÒ×ØÖ¸ ÂÖº, Algorithms in number theory, Handbook oftheoretical computer science, Volume A, algorithms and complexity (º ÚÒ ÄÙÛÒ,℄ed.), Elsevier, Amsterdam, 1990.[ÄÄ 1993] º ú ÄÒ×ØÖ & Àº Ϻ ÄÒ×ØÖ¸ ÂÖº (eds.), The development of the Number ¼¸ ½℄Field Sieve, Lecture Notes in Math., vol. 1554, Springer-Verlag, Berlin, 1993.[ÄÄ + 1982] º ú ÄÒ×ØÖ, Àº Ϻ ÄÒ×ØÖ¸ ÂÖº,&ĺ ÄÓÚ ×Þ, Factoring polynomials with ℄rational coefficients., Math. Ann. 261 (1982), 513–534.[ÄÄ + 1990] º ú ÄÒ×ØÖ, Àº Ϻ ÄÒ×ØÖ¸ ÂÖº, ź ˺ ÅÒ××,&º ź ÈÓÐÐÖ, ½℄The Number Field Sieve, Symposium on the Theory of Computing – STOC 1990, ACM,1990, 564–572.[ÄÄÙ 2003] ʺ ÄÖÖ & º ÄÙÞ, Counting points on elliptic curves over finite fields of small ¾¿¸ ¿℄characteristic in quasi quadratic time, Advances in Cryptology – Eurocrypt 2003, LectureNotes in Comput. Sci., vol. 2656, Springer-Verlag, 2003, 360–373.

760 References[ÄÅ 1994] º ú ÄÒ×ØÖ & ź ˺ ÅÒ××, Factoring with two large primes, Math.Comp. ¼¸ ½¾℄63 (1994), 77–82.[ÄÒ 1987] Àº Ϻ ÄÒ×ØÖ¸ ÂÖº, Factoring integers with elliptic curves, Ann. of Math. (2) 126 ¼¸ ¼℄N o 3 (1987), 649–673.[ÄÒ 1999] º ú ÄÒ×ØÖ, Efficient identity based parameter selection for elliptic curve cryp- ¿¾℄tosystems, Australasian Conference on Information Security and Privacy – ACISP 1999,Lecture Notes in Comput. Sci., vol. 1587, Springer-Verlag, 1999, 294–302.[ÄÒ 2002] , Computational methods in public key cryptology, 2002. ¾¼¸ ½¼¸ ½¾℄http://www.win.tue.nl/ ~ klenstra/notes.ps[ÄÖ 1996] ʺ ÄÖÖ, Computing isogenies in GF(2 n ), Algorithmic Number Theory Symposium ¾½℄– ANTS II, Lecture Notes in Comput. Sci., vol. 1122, Springer-Verlag, 1996, 197–212.[ÄÖ 1997] , Algorithmique des courbes elliptiques dans les corps finis, PhD. Thesis, École ½¼¸ ½¾¸ ½¸¾¸ ¾½℄polytechnique, 1997.http://www.medicis.polytechnique.fr/ ~ lercier/preprints/these.pdf[ÄË 1984] Àº Ϻ ÄÒ×ØÖ¸ ÂÖº & º Ⱥ ËÒÓÖÖ, A Monte Carlo factoring algorithm with ℄linear storage, Math.Comp.43 N o 167 (1984), 289–311.[ÄÎ 2000] º ú ÄÒ×ØÖ & º ʺ ÎÖÙÐ, The XTR public key system, Advances in Cryp- ℄tology – Crypto 2000, Lecture Notes in Comput. Sci., vol. 1880, Springer-Verlag, Berlin,2000, 1–19.[Ä 1978] º ÄÑÔÐ & º Ú, Compression of individual sequences via variable rate coding, ½¼℄IEEE Trans. Inform. Theory IT-24 N o 5 (1978), 530–536.[Ä 1969] ˺ ÄØÒÙÑ, Duality theorems for curves over p-adic fields, Invent. Math. 7 ½¾¼℄(1969), 120–136.[Ä + 1994] º º Ä, ʺ Àº Ò, &º ź ÏÒ, On the equivalence of McEliece’s and ½℄Niederreiter’s public-key cryptosystems, IEEE Trans. Inform. Theory 40 N o 1 (1994), 271–273.[Ä℄ Ä, A C++ library for computational number theory, version 2.1.3, 2004. ¾¼½℄http://www.informatik.tu-darmstadt.de/TI/LiDIA/[ÄÄ 1994] º Àº ÄÑ & Ⱥ º Ä, More flexible exponentiation with precomputation, Advances ½℄in Cryptology – Crypto 1994, Lecture Notes in Comput. Sci., vol. 839, Springer-Verlag,Berlin, 1994, 95–107.[ÄÄ 1997] , A key recovery attack on discrete log-based schemes using a prime order sub- ¼℄group, Advances in Cryptology – Crypto 1997, Lecture Notes in Comput. Sci., vol. 1294,Springer-Verlag, 1997, 249–263.[ÄÆ 1997] ʺ ÄÐ & Àº ÆÖÖØÖ, Finite fields, second ed., Cambridge University Press, ½¸ ¿½¸ ¾¼½℄1997.[ÄÉÙ 2003] º ÄÖØ & º¹Âº ÉÙ×ÕÙØÖ, Efficient revocation and threshold pairing based ℄cryptosystems, Principles of Distributed Computing – PODC 2003, ACM, 2003, 163–171.[ÄËÑ 2001] Ⱥ¹º ÄÖØ & ƺ Ⱥ ËÑÖØ, Preventing SPA/DPA in ECC systems using the ¾¸ ¸ ¸℄Jacobi form, Cryptographic Hardware and Embedded Systems – CHES 2001, LectureNotes in Comput. Sci., vol. 2162, Springer-Verlag, Berlin, 2001, 391.[Ä 1998] º ÄÔÞ & ʺ , Improved algorithms for elliptic curve arithmetic in GF(2 n ), ¾¸ ¾¿¸ ¾℄Tech. Report IC-98-39, Relatório Técnico, October 1998.[Ä 1999] , Fast multiplication on elliptic curves over GF(2 m ) without precomputation, ¾¸ ¾℄Cryptographic Hardware and Embedded Systems – CHES 1999), Lecture Notes in Comput.Sci., vol. 1717, Springer-Verlag, Berlin, 1999, 316–327.[Ä 2000a] , High-speed software multiplication in F 2 m, Progress in Cryptology – Indocrypt ¾½℄2000, Lecture Notes in Comput. Sci., vol. 1977, Springer-Verlag, Berlin, 2000, 203–212.

References 761[Ä 2000b] , An overview of elliptic curve cryptography, Tech. Report IC-00-10, Relatório ¾℄Técnico, May 2000.[ÄÓÖ 1996] º ÄÓÖÒÞÒ, An invitation to arithmetic geometry, Graduate studies in mathematics, ℄vol. 9, AMS, 1996.[ÄÙ 1968] ˺ ÄÙÒ, A p-adic proof of Weil’s conjectures, Ann. of Math. (2), 105-194; ibid. (2) ½¿℄87 (1968), 195–255.[ÄÙÞ℄ º ÄÙÞ, homepage, Sur les tests statistiques de générateurs aléatoires. ½¸ ¾¸ ¾℄http://www.math.u-bordeaux.fr/ ~ lubicz/[ÄÙË + 1964] º ÄÙÒ, º¹Èº ËÖÖ, &º ÌØ, Elliptic curves and formal groups, July 1964. ½¿¸ ¾¿℄Lecture notes prepared in connection with the seminars held at the Summer Institute onAlgebraic Geometry, Whitney State, Woods Hole, Massachusets.http://ma.utexas.edu/users/voloch/lst.html[ÄÙË 2005] º ÄÙ & Áº º ËÔÖÐÒ×, On the exponent of the group of points on elliptic ℄curves in extension fields, Intern. Math. Research Notices 23 (2005), 1391–1409.[Å + 2001] ú ÅØ×ÙÓ, º Ó, &˺ Ì×Ù, Fast genus two hyperelliptic curve cryp- ¿½℄tosysytems, Tech. Report ISEC2001-23, IEICE, 2001.[Å + 2002] , An improved baby-step giant-step algorithm for point counting of hyperelliptic ½½¸ ℄curves over finite fields, Algorithmic Number Theory Symposium – ANTS V, LectureNotes in Comput. Sci., vol. 2369, Springer-Verlag, 2002, 461–474.[Å 2003] ź ˺ Å×Ò, A general framework for p-adic point counting and application to ¾℄elliptic curves in Legendre form, preprint, 2003.[ÅÑ℄ The Magma computational algebra system for algebra, number theory and geometry, ver- ¾¼½¸ ¾℄sion 2.11-14, April 2005.http://magma.maths.usyd.edu.au/magma/[ÅÁÑ 1988] ̺ ÅØ×ÙÑÓØÓ & Àº ÁÑ, Public quadratic polynomial-tuples for efficient signature ½℄verification and message-encryption, Advances in Cryptology – Eurocrypt 1988, LectureNotes in Comput. Sci., vol. 330, Springer-Verlag, 1988, 419–445.[ÅÅ + 2002] ͺ ź ÅÙÖÖ, º º ÅÒÞ×, &º Ì×, Analysis of the GHS Weil descentattack on the ECDLP over characteristic two finite fields of composite degree, LMSJ.Comput. Math. 5 (2002), 127–174.¿½¸ ¿℄[ÅÒ 1961] ÂÙº Áº ÅÒÒ, The Hasse-Witt matrix of an algebraic curve, Izv. Akad. Nauk. SSSR ½½℄Ser. Mat. 25 (1961), 153–172.[ÅÒ 1962] , On the theory of Abelian varieties over a field of finite characteristic, Izv. Akad. ½¾℄Nauk. SSSR Ser. Mat. 26 (1962), 281–292.[ÅÆ 2002] º Å×ÒÖ & º ÆÖØ, Abelian surfaces over finite fields as Jacobians, Experiment. ½½¿℄Math. 11 (2002), 321–337, with an appendix by E. Howe.[ÅÖ℄ º ÅÖ×Ð, The diehard battery of stringent statistical randomness tests. ¾℄http://random.com.hr/products/random/manual/html/Diehard.html[Å× 1969] º ĺ Å××Ý, Shift–register synthesis and BCH decoding, IEEE Trans. Inform. Theory ¼½℄IT-15 (1969), 122–127.[ÅÙ 1992] ͺ ź ÅÙÖÖ, A universal statistical test for random number generators, J. Cryptol- ¾¿¸ ¾℄ogy 5 N o 2 (1992), 89–105.[ÅÏÓ 1998] ͺ ź ÅÙÖÖ & ˺ ÏÓÐ, Lower bounds on generic algorithms in groups, Ad- ℄vances in Cryptology – Eurocrypt 1998, Lecture Notes in Comput. Sci., vol. 1403,Springer-Verlag, Berlin, 1998, 72–84.[ÅÏÓ 1999] , The relationship between breaking the Diffie–Hellman protocol and computing ½¼℄Discrete Logarithms, SIAM J. Comput. 28 N o 5 (1999), 1689–1721.

762 References[Å 1990] ú ˺ ÅÙÖÐÝ, The discrete logarithm problem, Cryptography and computational ℄number theory (º ÈÓÑÖÒ, ed.), Proc. Symp. Appl. Math., vol. 42, AMS, 1990,49–74.[Å 1969] ʺ º ÅÐ, Factorization of polynomials over finite fields, Math.Comp.23 ¼℄(1969), 861–867.[Å 1978] , A public-key cryptosystem based on algebraic coding theory, Deep Space Net- ½℄work Progress Report 42-44, Jet Propulsion Lab., California Institute of Technology(1978), 114–116.[ÅÙ + 2004] º ÅÙÖ ÓÖÑÐ, Ⱥ ÙÐÒ×, &º¹Âº ÉÙ×ÕÙØÖ, Efficient mod- ¾¼℄ular division implementation: ECC over GF(p) affine coordinates application, Field-Programmable Logic and Applications – FPL 2004, Lecture Notes in Comput. Sci., vol.3203, Springer-Verlag, Berlin, 2004, 231–240.[ÅÇ + 1993] º º ÅÒÞ×, ̺ ÇÑÓØÓ,&˺ºÎÒ×ØÓÒ, Reducing elliptic curve loga- ¿¸ ¿¼¸ ¼℄rithms to a finite field, IEEE Trans. on Inform. Theory 39 (1993), 1639–1646.[ÅÇÓ + 1996] º º ÅÒÞ×, Ⱥ ÚÒ ÇÓÖ×ÓØ, &˺ºÎÒ×ØÓÒ, The Handbook of Ap- ÜÜܸ ¸ ½¼¸½¾¸ ½¿¸ ½¸plied Cryptography, CRC Press, Inc., 1996.http://www.cacr.math.uwaterloo.ca/hac/½¼¸½¼¸½¿¸½¸¾¼¸¾¸¾¸ ¿½℄[ÅÉÙ 2001] º º ÅÒÞ× & ź ÉÙ, Analysis of the Weil descent attack of Gaudry, Hess and ¿½¸ ¿¸ ¿℄Smart, Topics in cryptology – CT-RSA 2001, Lecture Notes in Comput. Sci., vol. 2020,Springer-Verlag, Berlin, 2001, 308–318.[Å× 1991] º¹º Å×ØÖ, Construction des courbes de genre 2 à partir de leurs modules, Prog. ½¼¾℄Math., Birkhäuser 94 (1991), 313–334.[Å× 2000a] ̺ ˺ Å××Ö×, Using second order power analysis to attack DPA resistant software, ¼¸ ¼℄Cryptographic Hardware and Embedded Systems – CHES 2000, Lecture Notes in Comput.Sci., vol. 1965, Springer-Verlag, Berlin, 2000, 238–251.[Å× 2000b] º¹º Å×ØÖ, Lettre adressée à Gaudry et Harley, December 2000. In French. ½¿¸ ¿¿¸ ¿℄http://www.math.jussieu.fr/ ~ mestre/[Å× 2002℄ , Applications de l’AGM au calcul du nombre de points d’une courbe de genre 1 ¿¸ ¾℄ou 2 sur F 2 n. Talk given to the Séminaire de Cryptographie de l’Université de Rennes,March 2002.http://www.maths.univ-rennes1.fr/crypto/2001-02/Mestre2203.html[ÅËØ 1993] Ϻ ÅÖ & Ǻ ËØÐ, Efficient multiplication on certain nonsupersingular ¿¸ ¿¼¸ ¿¾℄elliptic curves, Advances in Cryptology – Crypto 1992, Lecture Notes in Comput. Sci.,vol. 740, Springer-Verlag, Berlin, 1993, 333–344.[ÅÌ + 2004] º º ÅÒÞ×, º Ì×,&º ÏÒ, Weak fields for ECC, Topics in Cryptology ¿℄– CT-RSA 2004, Lecture Notes in Comput. Sci., vol. 2964, Springer-Verlag, 2004, 366–386.[ÅÎ 1990] º º ÅÒÞ× & ˺ºÎÒ×ØÓÒ, The implementation of elliptic curve cryptosys- ¿¸ ½℄tems, Advances in Cryptology – Auscrypt 1990, Lecture Notes in Comput. Sci., vol. 453,Springer-Verlag, Berlin, 1990, 2–13.[Å 2004] Microelectronics Failure Analysis Desk Reference Fifth Edition EDFAS (Electronic De- ¼℄vice Failure Analysis Society) and ASM International editors, 2004.[ÅÚ 2003] Ⱥ ÅÐ×Ù & ʺ ź ÚÒÞ, Efficient “quasi”-deterministic primality test im- ¼½℄proving AKS, preprint, March 2003.[ÅÓ + 2002℄ º ÅÝÑÓØÓ, Àº Ó, ú ÅØ×ÙÓ, º Ó, &˺ Ì×Ù, A fast addition ¿½¸ ¿¾½℄algorithm of genus two hyperelliptic curve, Symposium on Cryptography and InformationSecurity – SCIS 2002, 497–502. In Japanese.[Å 1997] Ⱥ ÅÐ×Ù, Optimal Galois field bases which are not normal, 1997. Presented at ¾¾℄the Workshop on Fast Software Encryption in Haifa.

References 763[Å 2000] , Medium Galois fields, their bases and arithmetic, 2000. Preprint. ¾¿½℄http://grouper.ieee.org/groups/1363/P1363a/contributions/Medium.pdf[ÅÐ 1986] κ ˺ ÅÐÐÖ, Short programs for functions on curves, 1986. IBM, Thomas J. Watson ½¾¾¸ ¿¾℄Research Center.http://crypto.stanford.edu/miller/[ÅÐ 2004] , The Weil pairing, and its efficient calculation, J. Cryptology 17 (2004), 235–261. ½¾¾¸ ¿¾℄[ÅÆ + 2001] º ÅÝ, ź ÆÝ×, &˺ ÌÒÓ, New explicit conditions of elliptic ℄curve traces for FR-reduction, IEICE Trans. Fundamentals E84-A N o 5 (2001), 1234–1243.[Å× 2004a] Ⱥ ú Å×Ö, Pipelined computation of scalar multiplication in elliptic curve cryp- ¿¼¾¸ ¾℄tosystems, Cryptographic Hardware and Embedded Systems – CHES 2004, Lecture Notesin Comput. Sci., vol. 3156, Springer-Verlag, Berlin, 2004, 328–342.[Å× 2004b] , Scalar multiplication in elliptic curve cryptosystems: Pipelining with pre- ℄computations, preprint, 2004.http://eprint.iacr.org/2004/191/[ÅÓÓ 1972] ʺ ̺ ÅÓÒ & º º ÓÖÓÒ, Fast modular transforms via division, Conf. ½℄Record, IEEE 13th Annual Symp. on Switching and Automata Theory, IEEE Press, 1972,90–96.[ÅÓÖ 1975] ź º ÅÓÖÖ×ÓÒ & º ÖÐÐÖØ, A method of factorization and the factorization ¼¸ ¼℄of F 7 ,Math.Comp.29 (1975), 183–205.[ÅÓ 1973] ʺ ̺ ÅÓÒ, Fast computation of GCDs, Proceedings of the 5th Annual ACM Sym- ¾¿℄posium on the Theory of Computing, 1973, 142–151.[ÅÓÂÓ℄ º ÅÓ & º Ⱥ ÂÓÒ×, A new primality test using Lucas sequences, preprint. ℄[ÅÐ 2001a] º ÅÐÐÖ, Securing elliptic curve point multiplication against Side-Channel Attacks, ¼¸ ℄Information Security Conference – ISC 2001, Lecture Notes in Comput. Sci., vol. 2200,Springer-Verlag, 2001, 324–334. See also [ÅÐ 2001].[ÅÐ 2001b] , Securing elliptic curve point multiplication against Side-Channel Attacks, Tech. ¼¸ ¿℄report, TU Darmstadt, 2001, Addendum “Efficiency Improvement” added 2001-08-27/2001-08-29. Errata added 2001-12-21.http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/[ÅÐ 2003] , Improved techniques for fast exponentiation, Information Security and Cryptol- ½℄ogy – ICISC 2002, Lecture Notes in Comput. Sci., vol. 2587, Springer-Verlag, 2003, 298–312.[ÅÓÒ 1968] Ⱥ ÅÓÒ×Ý, Formal cohomology. II: the cohomology sequence of a pair, Ann. of Math. ½¿¸ ½¿℄(2) 88 (1968), 218–238.[ÅÓÒ 1970] , p-adic analysis and zeta functions, Lectures in Mathematics, Department of ½¿℄Mathematics Kyoto University, vol. 4, Kinokuniya Book-Store Co. Ltd., Tokyo, 1970.[ÅÓÒ 1971] , Formal cohomology. III: fixed point theorems, Ann. of Math. (2) 93 (1971), 315– ½¿¸ ½¿℄343.[ÅÓÒ 1985] Ⱥ ĺ ÅÓÒØÓÑÖÝ, Modular multiplication without trial division, Math.Comp.44 ½¼¸ ¾¼℄N o 170 (1985), 519–521.[ÅÓÒ 1987] , Speeding the Pollard and elliptic curve methods of factorization, Math.Comp. ¾¸ ¼¿℄48 N o 177 (1987), 243–264.[ÅÓÒ 1994] , A survey of modern integer factorization algorithms, CWI Quarterly 7 N o 4 ½¼℄(1994), 337–366.[ÅÓÒ 1995] , A block Lanczos algorithm for finding dependencies over GF(2), Advances in ¼¿℄Cryptology – Eurocrypt 1995, Lecture Notes in Comput. Sci., no. 921, Springer-Verlag,1995, 106–120.

764 References[ÅÓÇÐ 1990] º ÅÓÖÒ & º ÇÐÚÓ×, Speeding up the computations on an elliptic curve using ½½¸ ½¿℄addition-subtraction chains, Inform. Theory Appl. 24 (1990), 531–543.[ÅÓÖ 1995] º ÅÓÖÒ, Calcul du nombre de points sur une courbe elliptique dans un corps fini : ½¸ ¾¼℄aspects algorithmiques, J. Théor. Nombres Bordeaux 7 (1995), 255–282.[ÅÓÖÒ℄ , homepage. ¼½℄http://www.lix.polytechnique.fr/ ~ morain/[ÅÓÏ 1968] Ⱥ ÅÓÒ×Ý & º Ï×ÒØÞÖ, Formal cohomology. I, Ann. of Math. (2) 88 (1968), ½¿¸ ½¿℄181–217.[Å Ð 1995] κ Å ÐÐÖ, Ein Algorithmus zur Bestimmung der Punktanzahl elliptisher Kurven über ½¸ ¾¼℄endlichen Körpen der Charakteristik größer drei, PhD. Thesis, Technische Fakultät derUniversität des Saarlandes, February 1995.[Å Ð 1998] , Fast multiplication on elliptic curves over small fields of characteristic two, J. ¿¸ ¿¼℄Cryptology 11 (1998), 219–234.[ÅÙÑ 1966] º ÅÙÑÓÖ, On the equations defining Abelian varieties I-III, Invent. Math. 1 (1966), ℄287–354.[ÅÙÑ 1974] , Abelian varieties, Oxford University Press, New York, 1974. ¸ ¼¸ ¾¸ ¿¸[ÅÙÇÒ + 1989] ʺ º ÅÙÐÐÒ, Áº ź ÇÒÝ×ÞÙ, ˺ºÎÒ×ØÓÒ,&ʺ ź ÏÐ×ÓÒ, Optimalnormal bases in GF(p n ), Discrete Appl. Math. 22 (1989), 149–161.[ÅÙËÑ + 2004] º ÅÙÞÖÙ, ƺ Ⱥ ËÑÖØ, &º ÎÖÙØÖÒ, The equivalence between the ½¼℄DHP and DLP for elliptic curves used in practical applications, LMSJ.Comp.Math.7(2004), 50–72.[ÅÙËØ 2004] º º ÅÙÖ & º ʺ ËØÒ×ÓÒ, Minimality and other properties of the width-w nonad- ½¿℄jacent form, Combinatorics and Optimization Research Report CORR 2004-08, Universityof Waterloo, 2004.http://www.cacr.math.uwaterloo.ca/techreports/2004/corr2004-08.ps[ÅÙËØ 2005] , New minimal weight representations for left-to-right window methods, Topics in ½℄cryptology – CT-RSA 2005, Lecture Notes in Comput. Sci., vol. 3376, Springer-Verlag,Berlin, 2005, 366–383.[Æ 2004] ú¹Áº ÆÓ, Improvement of Thériault algorithm of index calculus for Jacobian of ¾℄hyperelliptic curves of small genus, preprint, 2004.http://eprint.iacr.org/2004/161/[ÆËØ + 2004] º Æ, º ËØÖÒ,&ƺ Ⱥ ËÑÖØ, Projective coordinates leak, Advances in ¼¼℄Cryptology – Eurocrypt 2004, Lecture Notes in Comput. Sci., vol. 3027, Springer-Verlag,Berlin, 2004, 257–267.¾¸ ¿¸ ½½½¸½½℄¾½¸ ¾¾½℄[ÆÙ 1999] ƺ ÆÙÑÒÒ, Weil-Restriktion abelscher Varietäten, Master’s thesis, University Essen, ¿¿¸ ¿℄1999.[Æ 1994] κ Áº ÆÚ, On the complexity of a deterministic algorithm for a discrete logarithm, ¸ ¼℄Mat. Zametki 55 N o 2 (1994), 91–101, 189, Russian. Translation in Math. Notes 55 (1994),no. 1-2, 165–172.[ÆÅ 2002] ƺ Æ & ĺ ÅÓ ÅÓÙÖÐÐ, Minimal addition chain for efficient ½¿℄modular exponentiation using genetic algorithms, Proceedings of the 2002 Industrial andEngineering, Applications of Artificial Intelligence and Expert Systems Conference, LectureNotes in Comput. Sci., vol. 2358, Springer-Verlag, Berlin, 2002, 88–98.[ÆË 2003] Ⱥ ɺ ÆÙÝÒ & Áº º ËÔÖÐÒ×, The insecurity of the elliptic curve digital ¿¸ ¸ ℄signature algorithm with partially known nonces, Des. Codes Cryptogr. 30 (2003), 201–217.[ÆËØ 1999] Ⱥ ɺ ÆÙÝÒ & º ËØÖÒ, The hardness of the hidden subset sum problem and ¿℄its cryptographic implications, Advances in Cryptology – Crypto 1999, Lecture Notes inComput. Sci., vol. 1666, Springer-Verlag, Berlin, 1999, 31–46.

References 765[ÆÙ 1998] Ⱥ ɺ ÆÙÝÒ, A Montgomery-like square root for the Number Field Sieve, Algorith- ½℄mic Number Theory Symposium – ANTS III, Lecture Notes in Comput. Sci., vol. 1423,Springer-Verlag, Berlin, 1998, 151–168.[ÆÙ 2001] ú ÆÙÝÒ, Explicit arithmetic of Brauer groups, ray class fields and index calculus, ½½¸ ½¾½¸ ¼℄PhD. Thesis, Universität Gesamthochschule Essen, 2001.[Æ 1986] Àº ÆÖÖØÖ, Knapsack-type cryptosystems and algebraic coding theory, Prob. ½℄Contr. Inform. Theory 15 N o 2 (1986), 157–166.[Æ 2003] , Linear complexity and related complexity measures for sequences, Progress in ¿¼℄Cryptology – Indocrypt 2003, Lecture Notes in Comput. Sci., vol. 2904, Springer-Verlag,2003, 1–17.[ÆË 1999] Àº ÆÖÖØÖ & Áº º ËÔÖÐÒ×, On the distribution and lattice structure of ¿½℄nonlinear congruential pseudorandom numbers, Finite Fields Appl. 5 (1999), 246–253.[ÆÁËÌ℄ ÆØÓÒÐ ÁÒ×ØØÙØ Ó ËØÒÖ Ò ÌÒÓÐÓÝ, Recommended elliptic curves for ¾℄federal government use, 1999.http://www.csrc.nist.gov/encryption/[ÆÚ 2004] º ÆÚ×, Cycle detection using a stack, Inform. Process. Lett. 90 N o 3 (2004), 135– ¸ ¼℄140.[Æ 2001] Àº ÆÖÖØÖ & º Ò, Rational points on curves over finite fields. Theory and ¿¼℄Applications, London Mathematical Society Lecture Note Series, vol. 285, CambridgeUniversity Press, 2001.[Æ 1996] ź ÆÖ, Exponentiation in finite fields: theory and practice, Diplomarbeit im Fach ¾¾¸ ¾¾℄Informatik, Universität Paderborn, 1996.[Æ 2001] , Data structures for parallel exponentiation in finite fields, PhD. Thesis, Univer- ¿℄sität Paderborn, 2001.[ÆË℄ ÆË ÌÑÔ×Ø ËÖ×. ¾℄http://cryptome.org/nsa-tempest.htm[ÆÌÄ℄ κ ËÓÙÔ, NTL: A Library for doing Number Theory, version 5.4, 2005. ¾¼½℄http://www.shoup.net/[ÆÌÊÍ℄ ÆÌÊÍ ÖÝÔØÓÐ. ½℄http://www.ntru.com/cryptolab/index.htm[Ç³Ó 2001℄ ĺ º dzÓÒÒÓÖ, On string replacement exponentiation, Des. Codes Cryptogr. 23 ½¼℄(2001), 173–183.[ÇÐ 1985] º ź ÇÐÝÞÓ, Discrete logarithms in finite fields and their cryptographic signifi- ¾½¸ ¸ ¼¸¼℄cance, Advances in Cryptology – Eurocrypt 1984, Lecture Notes in Comput. Sci., vol.209, Springer-Verlag, Berlin, 1985, 224–314.[ÇÐ 1990] , The rise and fall of knapsack cryptosystems, Cryptology and computational num- ½℄ber theory (Boulder, CO, 1989) (Providence, RI), Amer. Math. Soc., 1990, 75–88.[ÇÈÓ 2001] ̺ ÇÑÓØÓ & º ÈÓÒØÚÐ, The gap-problems: a new class of problems for ℄the security of cryptographic schemes, Public Key Cryptography – PKC 2001, LectureNotes in Comput. Sci., vol. 1992, Springer-Verlag, 2001, 104–118.[ÇË 2000] ú ÇÝ & ú ËÙÖ, Power analysis breaks elliptic curve cryptosystems even ℄secure against the timing attack, Progress in Cryptology – Indocrypt 2000, Lecture Notesin Comput. Sci., vol. 1977, Springer-Verlag, Berlin, 2000, 178–190.[ÇË 2001] , Efficient elliptic curve cryptosystems from a scalar multiplication algorithm with ¾¸ ¾℄recovery of the y-coordinate on a Montgomery-form elliptic curve, Cryptographic Hardwareand Embedded Systems – CHES 2001, Lecture Notes in Comput. Sci., vol. 2162,Springer-Verlag, Berlin, 2001, 126–141.

766 References[ÇË 2002] , On insecurity of the Side Channel Attack countermeasure using addition- ℄subtraction chains under distinguishability between addition and doubling, AustralasianConference on Information Security and Privacy – ACISP 2002, Lecture Notes in Comput.Sci., vol. 2384, Springer-Verlag, Berlin, 2002, 420–435.[ÇË 2003] , A simple power attack on a randomized addition-subtraction chains method for ℄elliptic curve cryptosystems, IEICE Transactions E86-A (2003), 1171–1180.[ÇÌ 2003] ú ÇÝ & ̺ Ì, The width-w NAF method provides small memory and fast ¼℄elliptic scalar multiplication secure against side channel attacks, Topics in Cryptology –CT-RSA 2003, Lecture Notes in Comput. Sci., vol. 2612, Springer-Verlag, Berlin, 2003,328–342.[ÇÐ 1981] º ÇÐÚÓ×, On vectorial addition chains, Journal of algorithms 2 (1981), 13–21. ½℄[ÇÐ× 2004] ĺ º ÇÐ×ÓÒ, Side-Channel Attacks in ECC: A general technique for varying the ℄parametrization of the elliptic curve, Cryptographic Hardware and Embedded Systems– CHES 2004, Lecture Notes in Comput. Sci., vol. 3156, Springer-Verlag, Berlin, 2004,220–229.[ÇÑÅ 1986] º ÇÑÙÖ & º ĺ Å××Ý, Computational method and apparatus for finite field ¿¸ ¾¾¼℄arithmetic, United States Patent 4, 587, 627, Date: May 6th 1986.[ÇÓÌ× 1986] º ÇÓÖØ & ˺ Ì×ÙØÓÑÙ, The canonical lifting of an ordinary Jacobian variety need ½¿℄not be a Jacobian variety, J. Math. Soc. Japan 38 N o 3 (1986), 427–437.[ÇÓÏ 1999] Ⱥ ÚÒ ÇÓÖ×ÓØ & ź º ÏÒÖ, Parallel collision search with cryptanalytic ¸ ¼¸ ¾¸¿℄applications, J. Cryptology 12 (1999), 1–28.[Ç× 2001] º Ç×ÛÐ & ź ÒÖ, Randomized addition-subtraction chains as a countermea- ℄sure against power attacks, Cryptographic Hardware and Embedded Systems – CHES2001, Lecture Notes in Comput. Sci., vol. 2162, Springer-Verlag, Berlin, 2001, 39–50.[È + 2002a] º¹Àº ÈÖ, ˺ ÂÓÒ, º ÃÑ,&º ÄÑ, An alternate decomposition of an integer ¿¼℄for faster point multiplication on certain elliptic curves, Public Key Cryptography – PKC2002, Lecture Notes in Comput. Sci., vol. 2274, Springer-Verlag, Berlin, 2002, 323–334.[È + 2002b] º¹Àº ÈÖ, ˺ ÂÓÒ,&º ÄÑ, Speeding up point multiplication on hyperelliptic ¿¼℄curves with efficiently-computable endomorphisms, Advances in Cryptology – Eurocrypt2002, Lecture Notes in Comput. Sci., vol. 2332, Springer-Verlag, 2002, 197–208.[ÈÅ 1998] ˺úÈÖ & ú Ϻ ÅÐÐÖ, Random number generators: Good ones are hard to ¾¼¸ ¾½℄find, Comm. ACM 31 N o 10 (1998), 1192–1201.[ÈÔ 1994] º Àº ÈÔÑØÖÓÙ, Computational complexity, Addison-Wesley Publishing Com- ¾℄pany, Reading, MA, 1994.[ÈÖ 2000] º ÈÖÑ, Computer arithmetic – algorithms and hardware design, Oxford Univer- ½℄sity Press, New York, 2000.[ÈÖ℄ The PARI Group, Bordeaux, PARI/GP, version 2.1.6, 2004. ¾¸ ℄http://pari.math.u-bordeaux.fr/[ÈËÑ + 2004] º È, ƺ Ⱥ ËÑÖØ, &º ÎÖÙØÖÒ, A comparison of MNT curves and ℄supersingular curves, preprint, 2004.http://eprint.iacr.org/2004/165/[ÈËØ 1973] ź ˺ ÈØÖ×ÓÒ & ĺ º ËØÓÑÝÖ, On the number of nonscalar multiplications ¾½¸ ¾¿¸ ¾¼¸¾½℄necessary to evaluate polynomials, SIAM J. Comput. 2 (1973), 60–66.[ÈØ 1996] º ÈØÖÒ, Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): ½℄two new families of asymmetric algorithms, Advances in Cryptology – Eurocrypt 1996,Lecture Notes in Comput. Sci., vol. 1070, Springer-Verlag, Berlin, 1996, 33–48.[ÈÐ 2002] º ÈÐÞÐ, Fast hyperelliptic curve cryptosystems for embedded processors,Master’sthe- ¿℄sis, Ruhr-University of Bochum, 2002.

References 767[ÈÏÓ + 2004] º ÈÐÞÐ, ̺ ÏÓÐÐÒÖ,&º ÈÖ, Special hyperelliptic curve cryptosystems of ¿¿℄genus two: Efficient arithmetic and fast implementation, Embedded Cryptographic Hardware:Design and Security, Nova Science Publishers, 2004.[ÈÐ 1990] º ÈÐ, Frobenius maps of abelian varieties and finding roots of unity in finite fields, ½¿¸ ¾¾℄Math. Comp. 55 N o 192 (1990), 745–763.[ÈÒ℄ ʺ ÈÒ, homepage. ¿℄http://www.chalcedon.demon.co.uk/rgep.html[ÈÔ 1979] ƺ ÈÔÔÒÖ, The minimum number of edges in graphs with prescribed paths, Math. ½℄Systems Theory 12 (1979), 325–346.[ÈÔ 1980] , On the evaluation of powers and monomials, SIAM J. Comput. 9 (1980), 230– ½℄250.[ÈÃË℄ ÈÙÐ ÃÝ ÖÝÔØÓÖÔÝ ËØÒÖ×, PKCS #1 v1.5: RSA encryption stan- ½℄dard, 1993.http://www.rsasecurity.com/rsalabs/pkcs[ÈÓÀ 1978] ˺ ÈÓÐ & ź ÀÐÐÑÒÒ, An improved algorithm for computing logarithms over ℄GF(p) and its cryptographic significance, IEEE Trans. Inform. Theory IT-24 (1978), 106–110.[ÈÓÐ 1974] º ź ÈÓÐÐÖ, Theorems on factorization and primality testing, Proceedings of the ¼¿℄Cambridge philosophical society 76 (1974), 521–528.[ÈÓÐ 1978] , Monte Carlo methods for index computation (mod p), Math.Comp.32 (1978), ¿¸ ¸ ¾℄918–924.[ÈÓÐ 2000] , Kangaroos, monopoly and discrete logarithms, J. Cryptology 13 (2000), 437– ¾℄447.[ÈÓÑ 1983] º ÈÓÑÖÒ, Analysis and comparison of some integer factoring algorithms, Computationalmethods in number theory (Àº Ϻ ÄÒ×ØÖ¸ ÂÖº & ʺ ÌÑÒ,eds.),¼¸ ½¼℄Math. Centre Tracts, no. 154, 155, Mathematisch Centrum, Amsterdam, 1983, 89–139.[ÈÓÑ 1984] , Are there counter-examples to the Baillie-PSW primality test?, Dopo Le Parole ℄aangeboden aan Dr. A.K. Lenstra (Àº Ϻ ÄÒ×ØÖ¸ ÂÖº, º ú ÄÒ×ØÖ,&Ⱥ ÚÒÑ Ó×, eds.), Amsterdam, 1984.http://www.pseudoprime.com/dopo.ps[ÈÓÑ 1985] , The quadratic sieve factoring algorithm, Advances in Cryptology – Eurocrypt ¼℄1984, Lecture Notes in Comput. Sci., vol. 209, Springer-Verlag, Berlin, 1985, 169–182.[ÈÓÑ 1990] , Factoring, Cryptology and Computational Number Theory, Proceedings of Sym- ℄posia in Applied Mathematics, vol. 42, American Mathematical Society, 1990, 27–47.[ÈÓË + 1980] º ÈÓÑÖÒ, º ĺ ËÐÖ, &˺˺Ï×ظ ÂÖº, The pseudoprimes ¿¸ ¸ ℄to 25 · 10 9 ,Math.Comp.35 N o 151 (1980), 1003–1026.[ÈÓËÑ 1992] º ÈÓÑÖÒ & º Ϻ ËÑØ, Reduction of huge, sparse matrices over finite fields ¼℄via created catastrophes, Experiment. Math. 1 N o 2 (1992), 89–94.[ÈÊÁÅÇ℄ ź ÅÖØÒ, PRIMO – Primality Proving. ℄http://www.ellipsa.net[ÈÙØ 1986] ź ÚÒ Ö ÈÙØ, The cohomology of Monsky and Washnitzer, Mém. Soc. Math. France ½¿℄23 (1986), 33–60.[ÉÙ 1990] º¹Âº ÉÙ×ÕÙØÖ & º¹Èº Ð×ÐÐ, How easy is collision search? Application ℄to DES, Advances in Cryptology – Eurocrypt 1989, Lecture Notes in Comput. Sci., no.434, Springer-Verlag, 1990, 429–434.[ÉÙ 1990] º¹Âº ÉÙ×ÕÙØÖ, Procédé de codage selon la méthode dite RSA, par un microcon- ½¸ ¾¼¿℄trôleur et dispositifs utilisant ce procédé, Demande de brevet français. N o de dépôt 9002274, Date: Feb. 23rd 1990.

768 References[ÉÙ 1992] , Encoding system according to the so-called RSA method, by means of a micro- ½¸ ¾¼¿℄controller and arrangement implementing this system, U.S. Patent # 5,166,978, Date: Nov.24th 1992.[ÉÙÏ + 1991] º¹Âº ÉÙ×ÕÙØÖ, º ÏÐ, &º¹Èº ÓÙÖÒ×, A chip with fast RSAcapability, Proceedings of Smart Card 2000, Elsevier Science Publishers, Amsterdam,1991, 199–205.¾¼℄[Ê 1980] ź Ǻ ÊÒ, Probabilistic algorithms in finite fields, SIAM J. Comput. N o 9 (1980), ¾½℄273–280.[Ê 2000] Ϻ ÊÒÐ & Ϻ Ò, Smart card handbook, 2nd ed., John Wiley & Sons, Ltd., ¿¸ ¼¸ ½℄2000.[Ê 1962] º ÊØÛ×ÒÖ, Binary arithmetic, Adv. Comput. 1 (1962), 231–308. ½½℄[Ê 1996] Ⱥ ÊÒÓÑ, Lucas pseudoprimes, p. 129, Springer, 1996. ℄[ÊË + 1978] ʺ ĺ ÊÚ×Ø, º ËÑÖ, &ĺ ÐÑÒ, A method for obtaining digital signa- ℄tures and public key cryptosystems, Comm. ACM 21 (1978), 120–126.[ÊË 1997] ʺ ĺ ÊÚ×Ø & ʺ º ËÐÚÖÑÒ, Are “strong” primes needed for RSA?, preprint, ¸ ¼℄1997.http://eprint.iacr.org/2001/007/[ÊØ℄ ̺ ÊØØÖ, Random number machines: A literature survey. ½℄http://www.ciphersbyritter.com/RES/RNGMACH.HTM[ÊÓÓ 1995] Ⱥ ÊÓÓ, Efficient exponentiation using precomputation and vector addition chains, ½℄Advances in Cryptology – Eurocrypt 1994, Lecture Notes in Comput. Sci., vol. 950,Springer-Verlag, Berlin, 1995, 389–399.[ÊË℄ The new RSA factoring challenge. ℄http://www.rsasecurity.com/rsalabs/node.asp?id=2092[Ê 1999] Àº¹º Ê , On the discrete logarithm problem in the divisor class group of curves, ¸ ¾℄Math. Comp. 68 (1999), 805–806.[ÊÙ 2001] º ÊÙÒ, Testing randomness: A suite of statistical procedures, Theory Probab. Appl. ¾¼℄45 N o 1 (2001), 111–132.[ÊÙËÓ + ℄ º ÊÙÒ, º ËÓØÓ, º ÆÚØÐ, ź ËÑ, º ÖÖ, ˺ Ä, ¾℄ź ÄÚÒ×ÓÒ, ź ÎÒÐ, º Ò×, º ÀÖØ, º ÖÝ, &˺ ÎÓ, Astatistical test suite for random and pseudorandom number generators for cryptographicApplications, NIST Special Publication 800-22.http://csrc.nist.gov/rng/[ËÖ 1998] ̺ ËØÓ & ú Ö, Fermat quotients and the polynomial time discrete log algo- ¾℄rithm for anomalous elliptic curves, Comm. Math. Univ. Sancti Pauli 47 (1998), 81–92.[Ë 1975] ˺ ËÒ, Approximate algorithms for the 0/1 knapsack problem, J.ACM22 (1975), ½℄115–124.[ËÃÓ 2002] º ËÚ & º ú ÃÓ, Architectures for unified field inversion with applications in ℄elliptic curve cryptography, International Conference on Electronics, Circuits and Systems– ICECS 2002, vol. 2, 2002, 1155–1158.[ËË 1985] º ËØØÐÖ & º Ⱥ ËÒÓÖÖ, Generating random walks in groups,Ann.Univ.Sci. ℄Budapest. Sect. Comput. 6 (1985), 65–79.[ËË + 2004] Àº ËØÓ, º ËÔÖ×,&̺ Ì, Exact analysis of Montgomery multiplication, ¼℄Progress in Cryptology – Indocrypt 2004, vol. 3348, Springer-Verlag, Berlin, 2004, 290–304.[ËË + 2003] ̺ ËØÓ, º ËÖÒ, &º ÌÙ, Fast computation of canonical lifts of ¾¸ ¾¾¸ ¿¿℄elliptic curves and its application to point counting, Finite Fields Appl. 9 (2003), 89–101.

References 769[ËØ 2000] ̺ ËØÓ, The canonical lift of an ordinary elliptic curve over a finite field and its point ½¿¸ ¾¿¸ ¾¸¾℄counting, J. Ramanujan Math. Soc. 15 N o 4 (2000), 247–270.[ËÌ + 2000] º ËÚ, º º ÌÒ,&º ú ÃÓ, A scalable and unified multiplier architecture ℄for finite fields GF(p) and GF(2 m ), Cryptographic Hardware and Embedded Systems –CHES 2000, Lecture Notes in Comput. Sci., vol. 1965, Springer-Verlag, Berlin, 2000,277–292.[Ë ÄÓÙÒ℄ ÖÝÔعÎÑÔÖ, The side-channel cryptanalysis lounge.http://www.crypto.ruhr-uni-bochum.de/en_sclounge.html℄[Ë 2004] ź ËÓØØ & Ⱥ ˺ ĺ ź ÖÖØÓ, Compressed pairings, Advances in Cryptology ¼½¸ ¸ ℄– Crypto 2004, Lecture Notes in Comput. Sci., vol. 3152, Springer-Verlag, Berlin, 2004,140–156.[Ë 1927] º ú ËÑØ, Zur Zahlentheorie in Körpern der Charakteristik p. (Vorläufige Mit- ¿℄teilung.), Sitz.-Ber. phys. med. Soz. Erlangen 58/59 (1926/1927), 159–172.[Ë 1974] º ËÓÒÖ, Elliptic modular functions, Die Grundlehren der mathematischen ½¸ ½℄Wissenschaften in Einzeldarstellungen, vol. 203, Springer-Verlag, 1974.[Ë 1975] º ËÒ, A lower bound on the length of addition chains, Theoret. Comput. Sci. ½℄1 (1975), 1–12.[Ë 1985] ʺ ËÓÓ, Elliptic curves over finite fields and the computation of square roots mod p, ½¿℄Math. Comp. 44 (1985), 483–494.[Ë 1987] , Nonsingular plane cubic curves, J. Combin. Theory Ser. A 46 N o 2 (1987), 183– ¼℄211.[Ë 1995] , Counting points on elliptic curves over finite fields, J. Théor. Nombres Bordeaux ½¸ ¾¼℄7 (1995), 219–254.[Ë 1996] º ËÒÖ, Applied cryptography: protocols, algorithms and source code in C, John ℄Wiley & Sons, Ltd., New York, 1996, second edition.[Ë 2000a] Ϻ ËÒÐÖ, A timing attack against RSA with the Chinese Remainder Theorem, ¼℄Cryptographic Hardware and Embedded Systems – CHES 2000, Lecture Notes in Comput.Sci., vol. 1965, Springer-Verlag, Berlin, 2000, 109–124.[Ë 2000b] Ǻ ËÖÓÙÖ, Using number fields to compute logarithms in finite fields, Math. ¼℄Comp. 69 N o 231 (2000), 1267–1283.[Ë 2000c] ʺ ËÖÓÔÔÐ, Elliptic curves: Twice as fast!, 2000. Presentation at the Crypto 2000 ¾℄Rump Session.[Ë 2000d] º ËÙÐعÖ×, Collision search in a random mapping: some asymptotic results, ¼℄Talk at ECC 2000, the fourth Workshop on Elliptic Curve Cryptography, Essen, Germany,2000.http://www.cacr.math.uwaterloo.ca/conferences/2000/ecc2000/[ËÇÖ + 1995] ʺ ËÖÓÔÔÐ, Àº ÇÖÑÒ,&˺ dzÅÐÐÝ, Fast key exchange with elliptic curve ¾½℄systems, Tech. report, Department of Computer Science. The University of Arizona, 1995.[ËËØ 1971] º ËÒ & κ ËØÖ××Ò, Schnelle Multiplikation grosser Zahlen, Computing ¾℄(Arch. Elektron. Rechnen) 7 (1971), 281–292.[ËÏ + 1996] Ǻ ËÖÓÙÖ, º ÏÖ, &̺ º ÒÒÝ, Discrete logarithms: the effec- ¼℄tiveness of the index calculus method, Algorithmic Number Theory Symposium – ANTSII, Lecture Notes in Comput. Sci., vol. 1122, Springer-Verlag, Berlin, 1996, 337–361.[Ë℄ ËØÒÖ× ÓÖ ÒØ ÖÝÔØÓÖÔÝ, Elliptic curve cryptography Ver.0.5, 1999. ¾℄http://www.secg.org/drafts.htm[ËÄ 1980] º ËÖÓÙ×× & º ÄÑÔÐ, Factorization of symmetric matrices and trace-orthogonal ¿℄bases in finite fields, SIAM J. Comput. 9 N o 4 (1980), 758–767.

770 References[ËÑ 1983] Áº ËÑ, Systematic method for determining the number of multiplications required to ½℄compute x m ,wherem is a positive integer, J. Inform. Process. 6 N o 1 (1983), 31–33.[ËÑ 1998] Áº ËÑÚ, Evaluation of discrete logarithms in a group of p-torsion points of an elliptic ¾℄curve in characteristic p,Math.Comp.67 (1998), 353–356.[ËÑ 2004] , Summation polynomials and the discrete logarithm problem on elliptic curves, ½℄preprint, 2004.http://eprint.iacr.org/2004/031/[ËÖ 1958] º¹Èº ËÖÖ, Sur la topologie des variétés algébriques en caractéristique p, Symposium ℄internacional de topología algebraica – International symposium on algebraic topology(México City 1956), Universidad Nacional Autónoma de México and UNESCO, 1958,24–53.[ËÖ 1970] , Cours d’arithmétique, Presses Universitaires de France, 1970. ½℄[ËÖ 1979] , Local Fields, Graduate Texts in Mathematics, vol. 67, Springer-Verlag, 1979. ¿℄[ËÖ 1998] º ËÖÓÙ××, Table of low-weight binary irreducible polynomials, Tech. Report HPL- ¾½¸ ¾½℄98-135, Hewlett–Packard, August 1998.http://www.hpl.hp.com/techreports/98/HPL-98-135.pdf[ËËÑ 1991] º ˺ ËÖ & ú º ËÑØ, Microelectronic circuits, Oxford University Press, New ¿℄York, 1991.[ËËÞ + 1982] ʺ ËÛ, ̺ º ËÞÝÑÒ×,&º º Ó, The complexity of finding cycles ℄in periodic functions, SIAM J. Comput. 11 N o 2 (1982), 376–390.[Ë ℄ Théorie des topos et cohomologie étale des schémas., Springer-Verlag, Berlin, 1973, Sémi- ½¿℄naire de Géométrie Algébrique du Bois-Marie 1963–1964 (SGA 4), Dirigé par M. Artin,A. Grothendieck et J. L. Verdier. Lecture Notes in Math., Vol. 269, 270, 305.[Ë 1971] º ËÒ×, Class number, a theory of factorization and genera, Proc. Symp. Pure Math. ¼℄20 (1971), 415–440.[Ë 1984] º ËÑÖ, Identity-based cryptosystems and signature schemes, Advances in Cryp- ℄tology – Crypto 1984, Lecture Notes in Comput. Sci., vol. 196, Springer-Verlag, 1984,47–53.[Ë 1999] , Method and apparatus for protecting public key schemes from timing and fault ¼℄attacks, United States Patent 5991415, 1999.[Ë 1967] ̺ ËÓ, On the graded ring of invariants of binary octavics, Amer.J.Math.89 ½¼½℄(1967), 1022–1046.[Ë 1998] º ËÑÙÖ, Abelian Varieties with complex multiplication and modular functions, re- ½¼℄vised ed., Princeton University Press, 1998.[ËÓ℄ κ ËÓÙÔ, A computational introduction to number theory and algebra. ¾¼½℄http://www.shoup.net/ntb/ntb-b5.pdf[ËÓ 1990] , On the deterministic complexity of factoring polynomials over finite fields, In- ¼℄form. Process. Lett. 33 N o 5 (1990), 261–267.[ËÓ 1991] , A fast deterministic algorithm for factoring polynomials over finite fields of ¼℄small characteristic, International Symposium on Symbolic and Algebraic Computations– ISSAC 1991, ACM Press, Bonn, 1991, 14–21.[ËÓ 1994a] , Exponentiation in GF(2 n ) using fewer polynomial multiplications, preprint, ¾¾℄1994.[ËÓ 1994b] , Fast construction of irreducible polynomials over finite fields, J. Symbolic Com- ¾½℄put. 17 N o 5 (1994), 371–391.[ËÓ 1997] , Lower bounds for discrete logarithms and related problems, Advances in Cryp- ℄tology – Eurocrypt 1997, Lecture Notes in Comput. Sci., vol. 1233, Springer-Verlag,Berlin, 1997, 256–266.

References 771[ËÔ 1999] Áº º ËÔÖÐÒ×, Finite fields: Theory and computation, Kluwer Academic Publish- ¿¸ ¾¼½℄ers, Dordrecht/Boston/London, 1999.[ËÔ 2000] , On the Naor–Reingold pseudo-random function from elliptic curves,Appl.Alge- ¿℄bra Engrg. Comm. Comput. 11 (2000), 27–34.[ËÔ 2003] , Cryptographic applications of analytic number theory, Progress in Computer ℄Science and Applied Logic, vol. 22, Birkhäuser Verlag, Basel, 2003, Complexity lowerbounds and pseudorandomness.[ËÌ 1961] º ËÑÙÖ & º ÌÒÝÑ, Complex multiplication of abelian varieties and its ½¼¸ ½¼℄applications to number theory, Publications of the Mathematical Society of Japan, vol. 6,the Mathematical Society of Japan, Tokyo, 1961.[Ë + 2002] º Ë, ź Ø,&º¹Âº ÉÙ×ÕÙØÖ, Analysis of the Gallant-Lambert-Vanstone ¿¸ ¿¸ ¿¼℄method based on efficient endomorphisms: Elliptic and hyperelliptic curves, Selected Areasin Cryptography – SAC 2002, Lecture Notes in Comput. Sci., vol. 2595, Springer-Verlag, 2002, 21–36.[Ë 1994] κ ź ËгÒÓÚ, A public-key cryptosystem based on Reed–Muller codes, Discr. ½℄Math. Appli. 4 N o 3 (1994), 191–207.[ËÐ 1986] º Àº ËÐÚÖÑÒ, The Arithmetic of Elliptic Curves, Graduate Texts in Mathematics, ¸ ¾¸ ¸ ¸¸ ½½¸ ¾¸vol. 106, Springer-Verlag, Berlin, 1986.[ËÐ 1994] , Advanced topics in the arithmetic of elliptic curves, Springer-Verlag, Berlin, ¸ ½℄1994.¿¾℄[ËÐ 1999] , Fast multiplication in finite fields GF(2 n ), Cryptographic Hardware and Embed- ¾½℄ded Systems – CHES 1999, Lecture Notes in Comput. Sci., vol. 1717, Springer-Verlag,Berlin, 1999, 122–134.[ËÑØ℄ Simath, a computer algebra system for number theoretic applications. ¾℄http://tnt.math.metro-u.ac.jp/simath[ËÊÙ 2004] º ËÐÚÖÖ & ú ÊÙÒ, Algebraic tori in cryptography, HighPrimesandMis- ℄demeanours: lectures in honour of the 60th birthday of Hugh Cowie Williams, FieldsInstitute Communications, AMS, 2004.[ËË 2001] º Àº ËÐÚÖÑÒ & Áº º ËÔÖÐÒ×, On the linear complexity of the Naor– ¿¸ ¿℄Reingold pseudo-random function from elliptic curves, Des. Codes Cryptogr. 243 (2001),279–289.[ËÒ 2003] ˺ȺËÓÖÓÓØÓÚ & ʺ º ÒÖ×ÓÒ, Optical fault induction attacks, Crypto- ℄graphic Hardware and Embedded Systems – CHES 2002, Lecture Notes in Comput. Sci.,vol. 2523, Springer-Verlag, Berlin, 2003, 281–290.[Ë 2003] º ËÖÒ, Satoh’s algorithm in characteristic 2, Math.Comp.72 N o 241 (2003), ¿¾℄477–487.[ËÑ 1998] ƺ Ⱥ ËÑÖØ, The algorithmic resolution of Diophantine equations, London Mathemat- ℄ical Society Student Texts, vol. 41, Cambridge University Press, 1998.[ËÑ 1999a] , The Discrete Logarithm problem on elliptic curves of trace one, J. Cryptology 12 ¾℄(1999), 193–196.[ËÑ 1999b] , Elliptic curve cryptosystems over small fields of odd characteristic, J. Cryptology ¿¸ ¿¼℄12 (1999), 141–151.[ËÑ 2001] , The Hessian form of an elliptic curve, Cryptographic Hardware and Embedded ¾¸ ¾¸ ¾¸℄Systems – CHES 2001, Lecture Notes in Comput. Sci., vol. 2162, Springer-Verlag, 2001,118–125.[ËÑ 2003] , An analysis of Goubin refined power analysis attack, Cryptographic Hardware ¾¸ ¼¿℄and Embedded Systems – CHES 2003, Lecture Notes in Comput. Sci., vol. 2779, Springer-Verlag, Berlin, 2003, 281–290.

772 References[ËÑ 2003] º ËÑØ & º ÓØÝ×, SCA countermeasures for ECC over binary fields on a VLIW ¼¸ ½½¸ ½¾℄DSP core, Combinatorics and Optimization Research Report CORR 2003-06, Universityof Waterloo, 2003.http://www.cacr.math.uwaterloo.ca/techreports/2003/cacr2003-06.pdf[ËÑË 1995] Ⱥ ËÑØ & º ËÒÒÖ, A public key cryptosystem and a digital signature system ℄based on the Lucas function analogue to discrete logarithms, Advances in Cryptology –Asiacrypt 1994, Lecture Notes in Comput. Sci., vol. 917, Springer-Verlag, Berlin, 1995,357–364.[ËÓÐ 1997] º º ËÓÐÒ×, An improved algorithm for arithmetic on a family of elliptic curves, Ad- ¾¸ ¿¸ ¾℄vances in Cryptology – Crypto 1997, Lecture Notes in Comput. Sci., vol. 1294, Springer-Verlag, Berlin, 1997, 357–371.[ËÓÐ 1999a] , Generalized Mersenne numbers, Combinatorics and Optimization Research Re- ½¿¸ ¿¿℄port CORR 99-39, University of Waterloo, 1999.http://www.cacr.math.uwaterloo.ca/techreports/1999/corr99-39.ps[ËÓÐ 1999b] , Improved algorithms for arithmetic on anomalous binary curves, Combinatorics ¿¸ ¿¸ ¿¼¸¿¾¸ ¿¿℄and Optimization Research Report CORR 99-46, University of Waterloo, 1999, updatedand corrected version of [ËÓÐ 1997].http://www.cacr.math.uwaterloo.ca/techreports/1999/corr99-46.ps[ËÓÐ 2000] , Efficient arithmetic on Koblitz curves, Des. Codes Cryptogr. 19 (2000), 195–249. ¿¸ ¿¿¸ ¿¿℄[ËÓÐ 2001] , Low-weight binary representations for pairs of integers, Combinatorics and Op- ½¸ ½℄timization Research Report CORR 2001-41, University of Waterloo, 2001.http://www.cacr.math.uwaterloo.ca/techreports/2001/corr2001-41.ps[ËÔ 1994] º ź ËÔÐÐ, Kurven vom Geschlecht 2 und ihre Anwendung in Public-Key- ½¼½¸ ¿½¿¸ ¸℄Kryptosystemen, PhD. Thesis, Universität Gesamthochschule Essen, 1994.[ËØ 2003] ź ËØÑ, Speeding up subgroup cryptosystems, PhD. Thesis, Technische Universiteit ½¸ ½¸ ½℄Eindhoven, 2003.[ËØ 2004] º ËØÐ, Point compression on Jacobians of hyperelliptic curves over F q, preprint, ¿½½℄2004.http://eprint.iacr.org/2004/030/[ËØ 1910] º ËØÒØÞ, Algebraische Theorie der Körper, J. Reine Angew. Math. 137 (1910), 167– ¾℄309.[ËØ 1979℄ Àº ËØØÒÓØ, Die Hasse–Witt–Invariante eines Kongruenzfunktionenkörpers, ½¿℄Arch. Math. (Basel) 33 N o 4 (1979/80), 357–360.[ËØ 1993] , Algebraic function fields and codes, Springer-Verlag, Berlin, 1993. ¸ ½¸ ¸ ¸[ËØ 1995] º ËØÒ×ÓÒ, Cryptography – theory and practice, CRC Press, Inc., 1995. ℄[ËØÄ 2003] ź ËØÑ & º ú ÄÒ×ØÖ, Efficient subgroup exponentiation in quadratic and ½℄sixth degree extensions, Cryptographic Hardware and Embedded Systems – CHES 2002,Lecture Notes in Comput. Sci., vol. 2523, Springer-Verlag, 2003, 317–332.[ËØÈÓ + 2002] º ËØÖÒ, º ÈÓÒØÚÐ, º ÅÐÓÒ¹Ä, &ƺ Ⱥ ËÑÖØ, Flaws in ap- ½℄plying proof methodologies to signature schemes, Advances in Cryptology – Crypto 2002,Lecture Notes in Comput. Sci., vol. 2442, Springer-Verlag, Berlin, 2002, 93–110.[ËØÖ 1964] º º ËØÖÙ×, Addition chains of vectors (problem 5125), Amer. Math. Monthly 70 ½℄(1964), 806–808.[ËØ 1995] Àº ËØØÒÓØ & º Ⱥ Ò, On the structure of the divisor class group of a class ½¿℄of curves over finite fields, Arch.Math.(Basel)65 N o 2 (1995), 141–150.¿¸ ¸½½¼½½¾℄[ËÙÅ + 2002] Àº ËÙÞ, ú ÅØ×ÙÓ, º Ó,&˺ Ì×Ù, An Extension of Harley algorithm ¿½¸ ¿½℄addition algorithm for hyperelliptic curves over finite fields of characteristic two, Tech.Report ISEC2002-9(2002-5), IEICE, 2002.

References 773[ËÛ 1962] ʺ º ËÛÒ, Factorization of polynomials over finite fields, Pacific J. Math. 12 (1962), ¾½℄1099–1106.[Ì 1998] ƺ Ì, A VLSI algorithm for modular division based on the binary GCD algorithm, ¾¼℄IEICE Trans. Fundamentals E81-A N o 5 (1998), 724–728.[Ì 2002℄ ź Ì×, Improving Harley algorithms for Jacobians of genus 2 hyperelliptic ¿½¸ ¿½℄curves, Symposium on Cryptography and Information Security – SCIS 2002. In Japanese.[Ì 2004℄ ú Ì×Ñ, New families of hyperelliptic curves with efficient Gallant-Lambert- ¿½℄Vanstone method, Preproceedings ICISC 2004.[ÌØ 1958] º ÌØ, WC-groups over p-adic fields, Séminaire Bourbaki; 10e année: 1957/1958. ½½℄Textes des conférences; Exposés 152 à 168; 2e éd. corrigée, Exposé 156, vol. 13, Secrétariatmathématique, Paris, 1958.[ÌØ 1966] , Endomorphisms of abelian varieties over finite fields, Invent. Math. 2 (1966), ½½¾¸ ℄134–144.[ÌÖ 2000] º º ÌÖÖ, A modification of Shanks’ baby-step giant-step algorithm, Math.Comp. ½℄69 N o 230 (2000), 767–773.[Ì× 1998a] º Ì×, A space efficient algorithm for group structure computation, Math.Comp.67 ℄N o 224 (1998), 1637–1663.[Ì× 1998b] , Speeding up Pollard’s rho method for computing discrete logarithms, Algorith- ℄mic Number Theory Symposium – ANTS III, Lecture Notes in Comput. Sci., no. 1423,Springer-Verlag, Berlin, 1998, 541–554.[Ì× 2001a] , On random walks for Pollard’s rho method, Math.Comp.70 N o 234 (2001), ℄809–825.[Ì× 2001b] , Square-root algorithms for the Discrete Logarithm Problem (a survey), Public- ℄Key Cryptography and Computational Number Theory, Walter de Gruyter, 2001, 283–301.[Ì× 2003] , Computing discrete logarithms with the parallelized kangaroo method, Discrete ¿℄Appl. Math. 130 N o 3 (2003), 61–82.[Ì 2003a] ƺ ÌÖÙÐØ, Index calculus attack for hyperelliptic curves of small genus, Advances ½¸ ¾½¸ ℄in Cryptology – Asiacrypt 2003, Lecture Notes in Comput. Sci., vol. 2894, Springer-Verlag, Berlin, 2003, 75–92.[Ì 2003b] , Weil descent attack for Artin–Schreier curves, preprint, 2003. ¿½¸ ¿¿℄http://www.cacr.math.uwaterloo.ca/ ~ ntheriault/weildescent.pdf[Ì 2003c] , Weil descent attack for Kummer extensions, J. Ramanujan Math. Soc. 18 (2003), ¿℄281–312.[Ìà + 1986] º º ÌÓÑ×, º ź ÃÐÐÖ,&º ƺ ÄÖ×Ò, The calculation of multiplicative ¾¼℄inverses over GF(p) efficiently where p is a Mersenne prime, IEEE Trans. on Computers35 N o 5 (1986), 478–482.[ÌÓ 2001] º ÌÓÑ, Computation of Discrete Logarithms in F 2 607 , Advances in Cryptology – ¼½℄Asiacrypt 2001, Lecture Notes in Comput. Sci., vol. 2248, Springer-Verlag, 2001, 107–124.[ÌÓ 2003] , Algorithmes de calcul des Logarithmes Discrets dans les corps finis, PhD. Thesis, ¼½¸ ¼¸ ¼℄École Polytechnique, Palaiseau, September 2003.[ÌÙ 1999] º º ÌÙÖÖ, Efficient generation of minimal length addition chains,SIAMJ.Com- ½℄put. 28 N o 4 (1999), 1247–1263.[ÌÖ + 1997] º ÌÖÓÑÔ, ĺ Ò,&º Ó, Small weight bases for Hamming codes, Theoret. ¾½℄Comput. Sci. 181 N o 2 (1997), 337–345.[ÌÙÒ 1968] º Ⱥ ÌÙÒ×ØÐÐ, Synthesis of noiseless compression codes, PhD. Thesis, Georgia Inst. ½¼℄Tech. Atlanta, 1968.

774 References[Í×℄ Í×, ÍÒÚÖ×Ð ×ÖÐ Ù× ×ÔØÓÒ ÖÚ×ÓÒ ¾º¼, April 27 2000. ℄http://www.usb.org[ÎÐ 1971] º ÎÐÙ, Isogénies entre courbes elliptiques, C. R. Acad. Sci. Paris Sér. A-B 273 (1971), ½¸ ¾℄A238–A241.[ÎÈÖ + 2001] º ÎÖÙØÖÒ, º ÈÖÒÐ,&º ÎÒÛÐÐ, A memory efficient version of ¿¿¸ ¿℄Satoh’s algorithm, Advances in Cryptology – Eurocrypt 2001, Lecture Notes in Comput.Sci., vol. 2045, Springer-Verlag, Berlin, 2001, 1–13.[ÎÖ 2001] º ÎÖÙÐ, Evidence that XTR is more secure than supersingular elliptic curves cryp- ¾℄tosystems, Advances in Cryptology – Eurocrypt 2001, Lecture Notes in Comput. Sci., vol.2045, Springer-Verlag, Berlin, 2001, 195–210.[ÎÖ 2004] , Evidence that XTR is more secure than supersingular elliptic curves cryptosys- ¾℄tems, J. Cryptology 17 (2004), 277–296.[ÏÐ 2001] º º ÏÐØÖ, MIST: An efficient, randomized exponentiation algorithm for resisting ℄power analysis, Topics in Cryptology – CT-RSA 2002, Lecture Notes in Comput. Sci.,vol. 2271, Springer-Verlag, Berlin, 2001, 53–66.[ÏÐ 2002a] , Breaking the Liardet–Smart randomized exponentiation algorithm, Smart Card ℄Research and Advanced Applications – CARDIS 2002, Usenix Association, 2002, 59–68.[ÏÐ 2002b] , Some security aspects of the MIST randomized exponentiation algorithm, Cryp- ℄tographic Hardware and Embedded Systems – CHES 2002, Lecture Notes in Comput.Sci., vol. 2523, Springer-Verlag, Berlin, 2002, 276–290.[ÏÐ 2003] , Seeing through MIST given a small fraction of an RSA private key, Topics in ℄Cryptology – CT-RSA 2003, Lecture Notes in Comput. Sci., vol. 2612, Springer-Verlag,Berlin, 2003, 391–402.[ÏÐ 2004] , Security constraints on the Oswald–Aigner exponentiation algorithm, Topics in ℄Cryptology – CT-RSA 2004, Lecture Notes in Comput. Sci., vol. 2964, Springer-Verlag,Berlin, 2004, 208–221.[ÏØ 1969] Ϻ ÏØÖÓÙ×, Abelian varieties over finite fields, Ann. Sci. École Norm. Sup. 4 ¾¸ ¼℄série 2 (1969), 521–560.[Ï 1997] Àº º ÏÖ, Hyperelliptic simple factors of J 0 (N) with dimension at least 3, Exper- ½¼¸ ¼¸ ¾℄iment. Math. 6 (1997), 273–287.[Ï 1948] º ÏÐ, Sur les courbes algébriques et les variétés qui s’en déduisent, Publ. Inst. Math. ½¿℄Univ. Strasbourg (1945), Hermann et Cie., Paris, 1948.[Ï 1949] , Numbers of solutions of equations in finite fields, Bull. Amer. Math. Soc. 55 ½¿℄(1949), 497–508.[Ï 1957] , Zum Beweis des Torellischen Satzes, Nachr. Akad. Wiss. Göttingen, Math. Phys. ½¼½℄Klasse (1957), 33–53.[Ï 2001] º ÏÑÖ×Ö, The application of the Mordell–Weil group to cryptographic sys- ¿¿℄tems, Master’s thesis, Worchester polytechnic institute, 2001.[Ï 2005] º Ϻ Ï××ØÒ, RSA-200 factored, 2005. ℄http://mathworld.wolfram.com/news/2005-05-10/rsa-200/[ÏÒ 2001a] º ÏÒ, Hyperelliptic CM-curves of genus 3, J. Ramanujan Math. Soc. 16 (2001), ½¼¸ ½¼¸ ¾¸¿℄339–372.[ÏÒ 2001b] , Konstruktion kryptographisch geeigneter Kurven mit komplexer Multiplikation, ½¼¸ ¸ ½¸℄PhD. Thesis, Universität Gesamthochschule Essen, 2001.[ÏÒ 2003] , Constructing hyperelliptic curves of genus 2 suitable for cryptography, Math. ½¼½¸ ¸ ¸℄Comp. 72 N o 241 (2003), 435–458.[ÏÒ℄ , A table of class polynomials covering all CM-curves up to discriminant 422500. ¸ ¸ ¼¸℄http://www.exp-math.uni-essen.de/zahlentheorie/classpol/class.html

References 775[Ï 1986] º Àº ÏÑÒÒ, Solving sparse linear equations over finite fields, IEEE Trans. ¼½℄Inform. Theory IT-32 N o 1 (1986), 54–62.[ÏÐ 1982] Àº º ÏÐÐÑ×, A p+1 method of factoring,Math.Comp.39 N o 159 (1982), 225–234. ¼℄[ÏÙ 1998] ź ÏÒÖ & ʺ ÙÖØÓ, Faster attacks on elliptic curve cryptosystems, Se- ½℄lected Areas in Cryptography – SAC 1998, Lecture Notes in Comput. Sci., vol. 1556,Springer-Verlag, Berlin, 1998, 190–200.[ÏÓ + 2000] º ÏÓÓÙÖÝ, º ÐÝ,&º ÈÖ, Elliptic curve cryptography on smart cardswithout coprocessor, Smart Card Research and Advanced Application – CARDIS 2000,IFIP Conference Proceedings, vol. 180, Kluwer Academic Publishers, 2000, 71–92.¾¾¸ ℄[ÏÓÐ 2004] ̺ ÏÓÐÐÒÖ, Software and hardware implementation of hyperelliptic curve cryp- ¿¸ ¿¾℄tosystems, PhD. Thesis, Ruhr-University of Bochum, 2004.[ÏÙÀ + 2002] Àº ÏÙ, ź º À×Ò, Áº º Ð, &˺ Ó, Finite field multiplier usingredundant representation, IEEE Trans. on Computers 51 N o 11 (2002), 1306–1316.[ÏÙÏÙ + 2004] º¹Àº ÏÙ, º¹Åº ÏÙ, ź¹º Ë, &º¹Ìº ÀÛÒ, High-speed, lowcomplexitysystolic designs of novel iterative division algorithms in GF(2m), IEEE Trans.on Computers 53 N o 3 (2004), 375–380.¾½℄¾¾¿℄[ 1998] º Ó, Fast exponentiation using data compression, SIAM J. Comput. 28 N o 2 ½¼℄(1998), 700–703.[Ò 2001] ̺ Ò, New methods for finite field arithmetic, PhD. Thesis, Oregon State University, ¾¼¾℄2001.http://islab.oregonstate.edu/papers/01Yanik.pdf[Ó 1976] º º Ó, On the evaluation of powers, SIAM J. Comput. 5 (1976), 100–103. ½¸ ½℄[Ë + 2002] ̺ Ò, º ËÚ, &º ú ÃÓ, Incomplete reduction in modular arithmetic, ¾¼¾¸ ¼℄IEEE Micro 149 N o 2 (2002), 46–52.[ 1981] º Ö, Zetafunktionen und quadratische Zahlkörper, Springer-Verlag, Berlin, 1981, ℄Eine Einführung in die höhere Zahlentheorie. [An introduction to higher number theory],Hochschultext. [University Text].[Ë 1976] Ǻ Ö× & Ⱥ ËÑÙÐ, Commutative algebra. vol. II., Springer, 1976. ¸ ¸ ¸ ¸[Ò℄ º Ù & ʺ ÄÖÖ, ZEN, version 3.0, 2001. ¾¼½℄http://zenfact.sourceforge.net/[ 2002] º Ò, A one-parameter quadratic-base version of the Baillie-PSW probable prime ℄test, Math.Comp.71 N o 240 (2002), 1669–1734.[Ä 1977] º Ú & º ÄÑÔÐ, A universal algorithm for data compression, IEEE Trans. Inform. ½¼℄Theory IT-23 (1977), 337–343.[Ñ 2001] Ⱥ ÑÑÖÑÒÒ, Arithmétique en précision arbitraire, Tech. Report 4272, INRIA Lor- ½¾¸ ½℄raine, September 2001.http://www.loria.fr/ ~ zimmerma/papers/RR4272.ps.gz℄

Notation IndexSymbols(G, ⊕): group G with operation ⊕,8(K, Φ): CM-type, 105, 463(X 0 : X 1 : ···: X n ): projective point in P n /K,46(X : Y : Z): projective point in P 2 /K, 270(u n−1 ...u 0 ) 2 : binary expansion of u ∈ N, 170(u n−1 ...u 0 ) b : expansion of u ∈ N in base b, 170(n l−1 ...n 0 ) s : signed-digit expansion of n ∈ N, 151(n l−1 ...n 0 ) NAF : expansion of n in non-adjacent form, 151(n l−1 ...n 0 ) NAFw : expansion of n ∈ N in width-w non-adjacent form, 153(r l−1 ...r 0 ) τ : τ-adic expansion of η ∈ Z[τ], 358, 370(r l−1 ...r 0 ) τ NAF : expansion of η ∈ Z[τ] in τ-adic non-adjacent form, 359(r l−1 ...r 0 ) τ NAFw : expansion of η ∈ Z[τ] in width-w τ-adic non-adjacent form, 363(n0,l ...n 0,0: expansions of n 0 ,n 1 ∈ N in joint sparse form, 155n 1,l ...n 1,0)JSF(r0,l+2 ...r 0,0: expansions of η 0 ,η 1 ∈ Z[τ] in τ-adic joint sparse form, 365r 1,l+2 ...r) 1,0)τ JSF: Legendre symbol of the integer a modulo the prime p,36( a(pa( bf(X)m(X)): Kronecker–Jacobi)symbol of the integers a and b,36: Legendre–Kronecker–Jacobi symbol of f(X) and m(X) ∈ F p [X],36(r 1 ,r 2 ): signature of the number field K/Q,29(v [ 0 ,...,v s ): addition chain computing the integer v s , 1571]2 P : halving of the point P on the elliptic curve E, 299[2]P : doubling of the point P lying on the elliptic curve E, 270[2] D: __doubling of the divisor class D, __307[G : H]: index of the subgroup H in the group G, 20[L : K]: degree of the extension L/K,25[n]: scalar multiplication by n, i.e., (n − 1)-fold application of the addition ⊕,60[u(x),v(x)]: divisor class in Mumford representation, 83, 307[x]: Montgomery representation of the integer x, 180〈x〉: subgroup generated by x, 20〈SCi〉 i∈S : average of the functions SC i for the i ∈S, 698∆ E : discriminant of the elliptic curve E, 71∆ G : delay at each stage in a full n-stage carry-look-ahead adder, 629Λ C : period lattice of curve C, 91, 462Λ E : period lattice of elliptic curve E, 95Λ τ : period lattice of elliptic curve E τ for τ ∈H,97Ω 0 (K(C)): set of holomorphic differentials of C, 76Ω: period matrix of the abelian variety A, 93777

778 Notation IndexΩ C : period matrix of Λ C called period matrix of C, 93, 100χ(φ q ) JC (T ): characteristic polynomial of the Frobenius endomorphism φ q on C and of J C , 110,310χ(ϕ) A (T ): characteristic polynomial of endomorphism ϕ on abelian variety A, 62χ E (T ): characteristic polynomial of the Frobenius endomorphism of an elliptic curve E, 278χ a2 (T ): characteristic polynomial of the Frobenius endomorphism on E a2 , 356χ ψ (T ): characteristic polynomial of the endomorphism ψ of a GLV curve, 377δ N : density of the multiplication matrix T N , 221η n (h): probability that the longest carry-chain in n-bit addition is of length at least h, 632Φ k (x): k-th cyclotomic polynomial, 586Φ l (X, Y ): l-th modular polynomial, 414Φ l,X (X, Y ): partial derivative of Φ l (X, Y ) with respect to X, 419Φ l,Y (X, Y ): partial derivative of Φ l (X, Y ) with respect to Y , 419Φ l,XX (X, Y ): second partial derivative of Φ l (X, Y ) with respect to X, 420Φ l,XY (X, Y ): second partial derivative of Φ l (X, Y ) with respect to X and Y , 420Φ l,Y Y (X, Y ): second partial derivative of Φ l (X, Y ) with respect to Y , 420Φ c l(X, Y ): l-th canonical modular polynomial, 419φ p : absolute Frobenius automorphism of a finite field, 33φ q : relative Frobenius automorphism of a finite field, 33φ p : Frobenius morphism from the variety V to φ p (V ), 53ψ n : n-th division polynomial, 80Σ: Frobenius substitution of Z q , 240Σ: {0, 1}, 715Σ ∗ : set of sequences of countable infinite length with coefficients in Σ, 715Σ F/K : set of places of F/K,65Σ n : set of finite sequences of length n with coefficients in Σ, 715τ,τ: complex roots of χ E (φ q ), 279τ 1 ,...,τ 2g : complex roots of χ(φ q ) C (T ) for curve of genus g, 311Θ (Ω) : Riemann theta divisor associated to the period matrix Ω, 1000xA: 10 in hexadecimal notation, 290∞: point at infinity (0 : 1),50|u| b : length of the expansion of u in base b, 170|x| p : p-adic norm of x ∈ Q p ,41|x| K : norm of x belonging to the complete discrete valuation field K,41⌊λ⌉: rounded value of λ ∈ Q given by ⌊λ +1/2⌋, 360⌈λ⌋: rounded value of λ ∈ Q of smallest absolute value, 360⌊λ⌉ τ: rounded value of λ ∈ Z[τ], 360∆(S): discrepancy of sequence S ∈ [0, 1] N , 731K: algebraic closure of the field K,27u: bitwise complement of the single u, 172x: complement of the bit x, 170ϕ ∗ : induced K-algebra morphism ϕ ∗ : K[W ] → K[V ] by morphism ϕ ∈ Mor K (V,W), 52ˆψ: dual isogeny of the isogeny ψ of an elliptic curve, 277ˆψ: dual isogeny of the isogeny ψ of the Jacobian of a hyperelliptic curve, 309µ(j): Möbius function of the integer j, 33ν(n): Hamming weight of the integer n, 147ϕ(N): Euler totient function of the integer N,23π(x): number of primes less than x, 6τ(χ): Gauß sum of the character χ, 599

Notation Index 779θ(z,Ω): [ ] Riemann theta function associated to the period matrix Ω, 100θ δɛ(z,Ω): theta characteristics associated to the period matrix Ω, 100[x][y]: Montgomery multiplication of the integers x and y in Montgomery representation, 204〈· , ·〉 L : Lichtenbaum pairing, 120〈· , ·〉 T,n : Tate pairing, 117P__⊕ Q: addition of the points P and Q, 79, 270D ⊕ E: __addition of divisor classes D __and E, __307v ⊕ j: composition of the addition chain v and of the integer j, 161v ⊗ w: composition of the addition chains v and w, 161x ∨ y: disjunction of the bits x and y, 170u ∨ v: bitwise disjunction of the singles u and v, 172x ∧ y: conjunction of the bits x and y, 170u ∧ v: bitwise conjunction of the singles u and v, 172ut: right shift of t bits of the single u, 172|| : concatenation, 5Ω C : period matrix of Λ C called period matrix of C, 462A∼B: isogenous abelian varieties A and B,58A≃B: isomorphic abelian varieties A and B,58x ≡ y (mod n): x and y are congruent modulo n, 21x ∈ R E: choose x at random in the set E, 10AA: an elementary addition, 692A: abelian variety, 56A: affine coordinates, 280, 291, 316, 336a 1 ,a 2 ,...,a 2g : coefficients of χ(φ q ) C (T ) for curve of genus g, 135a 1 ,a 2 ,a 3 ,a 4 ,a 6 : coefficients of elliptic curve in Weierstraß form, 69, 268A[n]: setofn-torsion points of an abelian variety A, 60A n : affine space of dimension n over K,47A n (L): setofL-rational affine points, 47A † : dagger ring, 140AGM(a 0 ,b 0 ): Arithmetic-Geometric-Mean of a 0 and b 0 , 434BB: a smoothness bound, 496B: a basis of the vector space D 0 (J c , Q q ), 443b 2 : a 2 1 +4a 2 ,70b 4 : 2a 4 + a 1 a 3 ,70b 6 : a 2 3 +4a 6 ,70b 8 : a 2 1a 6 − a 1 a 3 a 4 +4a 2 a 6 + a 2 a 2 3 − a 2 4,72B S : balance of sequence S ∈ F N q , 730B S (α): balance of sequence S ∈ F N q with respect to α ∈ F∗ q , 730CC: Cartier operator, 411˜C: desingularization of C, 64c 4 : b 2 2 − 24b 4,70

780 Notation Indexc 6 : −b 3 2 +36b 2b 4 − 216b 6 ,70C S : autocorrelation of sequence S ∈ F N q , 731C S,T : crosscorrelation of sequences S and T ∈ F N q , 731C ab : C ab curve, 82C an : analytic curve, 89char(R): characteristic of the ring R,22Cl(O): ideal class group of O, 81Cl K : class group of O K ,30D__D: divisor class of D, 76D 0 (A c , Q q ): space of holomorphic differential forms of degree 1 on A c defined over Q q , 139deg(L/K): degree of the extension L/K,25deg(D): degree of a divisor D,66deg s (L/K): degree of separability of L over K,27df : differential of f ∈ K(C), 75dim(V ): dimension of the variety V ,49D ∈ Div C : divisor on C,66div(f): principal divisor of f ∈ K(C) ∗ ,67div an (f): analytic divisor of the meromorphic function f,88Div C : divisor group of the curve C, 66Div 0 C: group of degree zero divisors of the curve C, 67, 76, 306EE: elliptic curve, E : y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 , 69, 268E: canonical lift over Q q of an ordinary elliptic curve E defined over F q , 423E ( (w n ) ) : Shannon entropy function of the sequence (w n ) of words of Σ k , 716E(K): K-rational points of the elliptic curve E, 272e(P 1 ,P 2 ): a bilinear map, 9E[n]: setofn-torsion points of an elliptic curve E, 273E a2 : binary Koblitz curve y 2 + xy = x 3 + a 2 x 2 +1, 356E M : elliptic curve in Montgomery form, 285Ẽ v : quadratic twist of the elliptic curve E by v, 71, 274End K (A): set of endomorphisms of the abelian variety A, 59End K (A) 0 : End K (A) ⊗ Z Q,60End K (E): set of endomorphisms of the elliptic curve E defined over K, 277End K (J C ): set of endomorphisms of the Jacobian of the hyperelliptic curve C defined over K, 310exp(x): p-adic exponential of x ∈ Z q , 259FF p : lift of the Frobenius isogeny φ p of an ordinary elliptic curve defined over F q , 423F q : lift in End(E) of the Frobenius endomorphism φ q , 423F q : the unique finite field of order q,31Gg: genus, 68, 304G B :setofB-smooth elements of the group G, 499G L : absolute Galois group of L,45

Notation Index 781G L/K : Galois group of L over K,28G n (Λ): Eisenstein series of weight n associated to the lattice Λ,96Gal(L/K): Galois group of L over K,28gcd(x, N): greatest common divisor of the integers x and N, 190GF (q): the unique finite field of order q, 31HH: Poincaré upper half plane {τ ∈ C |Im(τ) > 0)},97h(K): class number of the number field K,30h d : class number of number field Q( √ −d), 99H d (x): Hilbert class polynomial for the discriminant d, 99, 456H K,k (X): class polynomial for a hyperelliptic curve of genus 2 and 3, 107, 462H g : Siegel upper half plane, 100H i (X,Q l ): l-adic cohomology group, 136HDR i (M): de Rham cohomology group of the compact complex manifold M, 134H n (G K ,M): quotient of the group of n-cocycles modulo the subgroup of n-coboundaries, giventhe G K -module M, 116Hom K (A, B): set of homomorphisms from the abelian variety A to the abelian variety B,57Hom K (A, B) 0 : Hom K (A, B) ⊗ Z Q,57II: an elementary inversion, 280I 2 ,I 4 ,I 6 ,I 10 : absolute invariants of a hyperelliptic of genus 2, 101INV(u): Montgomery inverse of the integer u, 207JJ : Jacobian coordinates, 282, 292J c : Chudnovsky Jacobian coordinates, 282J m : modified Jacobian coordinates, 282J s : simplified Chudnovsky Jacobian coordinates, 401j E : absolute invariant or j-invariant of the elliptic curve E, 71j(τ): j-function of τ ∈H,97j(q): j-function of q = e 2πiτ ,98j 1 ,j 2 ,j 3 : Igusa invariants of a hyperelliptic curve of genus 2, 101, 462j 1 ′ ,j′ 2 ,j′ 3 : Mestre’s invariants of a hyperelliptic curve of genus 2, 102j 1 ,j 3 ,j 5 ,j 7 ,j 9 : Shioda invariants of a hyperelliptic curve of genus 3, 104J(χ 1 ,χ 2 ): Jacobi sum of the characters χ 1 and χ 2 , 600J C : Jacobian variety of the curve C, 78J C (F q )[n]: F q -rational n-torsion points on Jacobian of curve C, 111J C [n]: setofn-torsion points of Jacobian of C, 309J K : group of fractional ideals of the field K,30KK(n): complexity to multiply two n-word integers with Karatsuba method, 176K(P ): field of definition of P ,46K(V ): function field of the variety V ,51ker ψ: kernel of a group homomorphism, 21ker(ϕ) 0 : connected component of the unity of ker(ϕ) for ϕ ∈ Hom K (A, B),58

782 Notation IndexLL(D): {f ∈ ( K(C) ) | div(f) −D},67l(D): dim K L(D) ,67l(n): length of the shortest addition chain computing the integer n, 157L(S): linear complexity of sequence S with coefficients in a ring, 732L(T ): L-polynomial of a curve, 135L/K: L is an extension field of K,25L H : invariant elements of the field L under the action of the group H,28L N (α, c): complexity of algorithm depending on N,4L N (α): L N (α, 1/2),4LD: López–Dahab coordinates, 293lg x: binary logarithm of x, 3lim ←−A i : inverse limit of (A i , {p ij } j∈I ),40ln x: natural logarithm of x, 3log(x): p-adic logarithm of x ∈ Z q , 258log a b: logarithm of b to base a,3log P (Q): discrete logarithm of Q to the base of P ,8MM: additive arithmetical semigroup, 496M: an elementary multiplication, 149M(n): complexity to multiply two n-word integers, 174M B : set of elements of M of size not larger than B, 496m P : local ring of the point P ,64m v : maximal ideal of valuation v, 65x mod n: canonical representative of x modulo n,21x mods n: centered representative of x modulo n, 21Mor K (V,W): set of morphisms from the variety V to the variety W ,52NN : new coordinates, 323, 342n ψ : norm of the endomorphism ψ of a GLV curve, 377n B : cardinality of P B , 497n ′ B : cardinality of M B, 497N k : number of F q k-rational points on an algebraic variety defined over F q , 112, 134N L/K (x): norm of x ∈ L over K,26n P (f): order of vanishing of the meromorphic function f at the point P ,88Neg: an elementary negation, 692NP: set of decision problems whose “yes” answer can be verified in polynomial time, 4OO ( f(N 1 ,...,N s ) ) :big-O of f,3o ( f(N 1 ,...,N s ) ) : small-o of f,3Õ ( g(n) ) : O ( g(n)lg k g(n) ) ,3O K : integer ring of the field K,29O P : set of rational functions that are regular at the point P ,64O P /m P : residue field of the point P ,64O S : ring of regular functions on S, 64

Notation Index 783O v : local ring of valuation v, 65PP: set of decision problems solvable in polynomial time, 4P: a countable set whose elements are called primes, 496P: projective coordinates, 281, 292, 321, 341, 346p: place of K(C), 65P ∞ : point at infinity, 269, 306P B :setofB-smooth prime divisors, 513P K : subgroup of fractional principal ideals of the field K,30P n (L): setofL-rational points, 46P n /K: n-dimensional projective space over K,46℘(z,Λ): Weierstraß ℘-function associated to the lattice Λ, 96Pic 0 C: divisor class group of degree zero or Picard group of the curve C, 76, 306Pic 0 C·L: Picard group of base change Pic 0 C·L =(Pic 0 C·K )GL ,77Princ C : group of principal divisors of the curve C,67QQ q : unramified extension of Q p ,43RR: recent coordinates, 346R ∗ : multiplicative group of the invertible elements of the ring R,23R(N): reciprocal integer of the integer N, 178REDC(u): Montgomery reduction of the integer u, 180SS: an elementary squaring, 149S AS : pseudorandom generator from elliptic curves, 733S NR : Naor–Reingold pseudorandom generator, 734S PG (f,P): elliptic curve power pseudorandom generator, 733SC i : side-channel information obtained from the computation of [n] D __i , 698Sp(2g, Z): symplectic group over Z, 100Tt ψ : trace of the endomorphism ψ of a GLV curve, 377T N : multiplication matrix of a normal basis, 220T d,N : time to multiply two polynomials of degree less than d in (Z/p N Z)[X] , 243T f (N): time to evaluate f ∈ Z q [X] at precision N, 247T l (A): l-adic Tate module of A,61T n : Tate–Lichtenbaum pairing, 122t P : translation by point P ,57Tr(φ q ): trace of the Frobenius endomorphism on C, 110Tr L/K (x): trace of x ∈ L over K,26UU + : totally positive units of real subfield K 0 of CM-field K, 106U k : Lucas sequence, 357, 595

784 Notation IndexU i : affine open parts, standard covering, 47VV I : {P ∈ P n (K) | f(P )=0, ∀f ∈ I} for a homogeneous ideal I,47V I : {P ∈ A n (K) | f(P )=0, ∀f ∈ I}, for ideal I, 47V k : Lucas sequence, 357, 595v K : discrete valuation of the complete discrete valuation field K,41V L : variety V/K considered as V L /L,51v P : valuation at the point P on O P ,65v p (x): p-adic valuation, 41V p : Verschiebung of φ p ,61V q : Verschiebung of φ q , 427V q : lift of Verschiebung on B, 443WW n : Weil pairing, 117w(K): order of the group of roots of unity in O K ,31W L/K (V ): Weil descent of the variety V defined over L, 126Xx n : x to the power n, 145x XOR y: exclusive disjunction of the bits x and y, 170u XOR v: bitwise exclusive disjunction of the singles u and v, 172ZZ(n): Zech’s logarithm of γ n where 〈γ〉 = F ∗ q,33Z(X/F q ; T ): zeta function of the algebraic variety X defined over F q , 134Z/nZ: quotient group of Z modulo n,20Z p :ringofp-adic integers, 40Z q :ringofintegersofQ q ,43

General IndexSymbols2 k -ary method, 148, 165, 356AABC, see anomalous binary curveAbel–Jacobi map, 91Abel–Jacobi theorem, 91abelian group, 20abelian variety, 56canonical lift, 138complex multiplication, 63, 456endomorphism, 59homomorphism, 57isogeny, 58isogeny over C,94isomorphism, 58l-adic Tate module, 61ordinary, 60p-rank, 61period matrix, 93principally polarized, 93simple, 60supersingular, 61Verschiebung, 61see also Jacobian varietyabsolute invariant of an elliptic curve, 71, 72,97absolute ramification index, 43absolutely irreducible variety, 48additionbinary field, 218hardwarecarry-chain, 632carry-look-ahead adder, 628, 629carry-save adder, 634carry-select adder, 630conditional-sum adder, 630Dadda tree, 635, 638full adder, 627generated carry, 629half adder, 628propagated carry, 629Wallace tree, 635, 638integers, 173optimal extension field, 231prime field, 202addition chain, 157, 157–164, 224, 233, 237,559, 646, 699dichotomic strategy, 161dyadic strategy, 162factor method, 162Fermat’s strategy, 162power tree method, 160Thurber’s algorithm, 158total strategy, 162Tunstall method, 160see also addition-subtraction chain, additionsequence, and vectorial additionchainaddition lawelliptic curve, 79, 270hyperelliptic curve, 306addition sequence, 158, 162addition-subtraction chain, 158additive arithmetical semigroup, 496Adleman–DeMarrais–Huangalgorithm, 512–516admissible change of variables, 274admissible encoding function, 590affine coordinateselliptic curve, 280–281, 283, 284, 291–292, 294–295, 297hyperelliptic curve, 316, 336affine space, 47,49closed set, 47open set, 47affine variety, 48AGM algorithm, 434–449elliptic curve, 441generalized sequence, 445hyperelliptic curve, 446iteration, 434785

786 General Indexunivariate sequence, 440AKS test, 600algebraic closure, 27algebraic coding theory, 15algebraic element, 25algebraic extension of a field, 25algebraic group, 55algebraic integer, 29algebraic number, 29conjugate, 27integral over Z, 29minimal polynomial, 25all one polynomial, 215almost irreducible trinomial, 217almost Montgomery inverse, 208analytic variety, 88anomalous basis, 217anomalous binary curve (ABC), see Koblitzcurveanomalous curve, 76ANSI-C generator, 720a p ecs, 267APRCL Jacobi sum test, 599arithmeticbinary field, 213–229elliptic curve, 280–302Hessian form, 696Jacobi model, 696supersingular, 290triple and add, 581unified formulas, 694hardware, 617–646hyperelliptic curve, 303–352genus 2, 313–347genus 3, 348–352optimal extension field, 229–237p-adic numbers, 239–263prime field, 201–213special curve, 355–387elliptic Koblitz curve, 356–367generalized Koblitz curve, 367–376GLV curve, 377–380trace zero variety, 383–387Arithmetic-Geometric-Mean, 434–435see also AGM algorithmarithmetical formation, 496, 496–497exampleJacobian of hyperelliptic curves, 497nonprime finite field, 497prime field, 497prime, 496size map, 496smoothness bound, 496Artin–Schreiercover, 453curve, 536equation, 252, 252–256, 434Harley’s algorithm, 255Lercier–Lubicz’ algorithm, 253, 434extension, 453operator, 533, 536root, 254, 255theory, 532, 534associative law, 20asymmetric Diffie–Hellman encryption, 10asynchronous card, 665Atkin prime, 414, 415see also SEA algorithmatomic force microscope, 671attackChinese remaindering, 479Frey–Rück, 530invalid curve, 569, 706man-in-the-middle, 10MOV, 530Rück, 529Silver–Pohlig–Hellman, see Chinese remainderingsmall subgroup, 569see also baby-step giant-step algorithm,index calculus, pairing, Pollard’skangaroo, Pollard’s rho, side-channelattacks, transfer, and Weil descentautocorrelation of a sequence, 731autocorrelation test, 729BB-smoothdivisor, 512–514number, 604, 608–611baby-step giant-step algorithm, 155, 226, 480,480–483class number computation, 480DL computation, 376, 482point counting, 411, 416balance of a sequence, 730Barrett method, 179, 182, 202, 203, 210, 606reciprocal integer, 178

General Index 787base b representation, 170base change, 57, 66, 77basiscomplementary, 35dual, 35normal, 34, 224, 228self-complementary, 35optimal normal basis, 217–218, 221, 220–221polynomial, 34, 218–220, 225–226anomalous, 217ghost bit basis, 217pentanomial, 214redundant trinomial, 217, 228sedimentary polynomial, 215sparse, 34, 214, 216trinomial, 214self-dual, 35vector space, 24Bellcore attack, 683see also side-channel attacksBerlekamp–Massey algorithm, 501BGMW algorithm, see Yao’s exponentiationmethodBH curve, 381big endian, 171BigNum, 169binary extended gcd, 195binary fieldarithmetic, 213–229exponentiation, see exponentiation ina binary fieldinversion, see inversion in a binary fieldmultiplication, see multiplication in abinary fieldsquare root, 228–229squaring, 221hardware, 641–645Massey–Omura multiplier, 643Mastrovito multiplier, 642normal basis, 643–645polynomial basis, 642–643unified multipliers, 644–645quadratic equation, 228representation, see normal basis, optimalnormal basis, and polynomial basistrace computation, 35, 229binary quadratic form, 457birational map, 53birationally equivalent varieties, 53birthday paradox, 478, 483, 520, 612bit, 170bitwise complement, 172bitwise conjunction, 172bitwise disjunction, 172bitwise exclusive disjunction, 172black-box group, 478, 554Blum–Blum–Shub generator, 720Booth recoding technique, 151, 625borrow bit, 172BPSW test, 596Braid groups, 15Brent–Kung modular composition, 225byte, 170CC ab -curve, 82, 352canonical liftabelian variety, 138elliptic curve, 423hyperelliptic curve, 442Cantor’s algorithm, 308, 552cardinalityelliptic curve, 278–279admissible, 278cofactor, 272Hasse–Weil theorem, 278subfield curve, 279trace of the Frobenius, 278twist, 279heuristics, 564hyperelliptic curve, 310–311divisor class group, 111Hasse–Weil theorem, 310see also point counting and complexmultiplicationCarmichael number, 593carry bit, 172carry-chain, 632carry-look-ahead adder, 628, 629carry-save adder, 634carry-select adder, 630Cartier operator, 411CBDHP, see computational bilinear Diffie–Hellman problemCDHP, see computational Diffie–HellmanproblemČebotarev’s density theorem, 236centered representative, 21

788 General Indexcertification authority, 576CFRAC, see continued fraction methodcharacter of a finite field, 35characteristic of a field, 23characteristic of a ring, 22characteristic polynomial of an endomorphism,62Chinese remainder theorem (CRT), 22, 196–197, 199, 316, 413, 685Chinese remaindering attack, 479Chudnovsky Jacobian coordinates, 282–284class group, 30, 81, 84, 306class modulo n, 20class number, 30, 457, 480, 598class polynomial, 107, 462, 463, 465, 466,472CM-field, 105, 107, 462CM-type, 63, 105, 463cohomologycrystalline, 136, 451de Rham, 134, 140, 567Dwork–Reich, 138, 453Monsky–Washnitzer, 136, 139, 451, 567rigid, 136combi-card, 650commutative group, 20commutative law, 19compact curve, 382complement, 170, 172one’s ˜, 621two’s 171, 620complementary˜, basis, 35complete discrete valuation field, 41complex homomorphism, 29complex multiplication, 63abelian variety, 63, 456elliptic curve, 98, 277, 456–460computation of norms, 458construction, 459Hilbert class field, 99Hilbert class polynomial, 99, 456hyperelliptic curve, 104, 310computation of theta constant, 465construction, 469genus 2, 460–470genus 3, 470genus 3, 470–473Mestre’s algorithm, 468with endomorphisms, 471complexity, 2,3exponential, 4, 548polynomial, 4, 548space, 3subexponential, 4, 548time, 3compositeness test, 591, 592–596BPSW, 596Fermat, 593Lucas pseudoprime, 595OPQBT, 596pseudoprime, 593Rabin–Miller, 594, 596Solovay–Strassen, 595trial division, 592see also primality testcomposition law, 19associative, 20commutative, 19distributive, 21compressionelliptic curve, 288–289, 302hyperelliptic curve, 311–313computation of norms, 458computation problem, 3computational bilinear Diffie–Hellman problem(CBDHP), 575computational Diffie–Hellman problem (CD-HP), 10, 574computer algebra systemMagma, 201, 267Maple, 267PARI/GP, 267, 467SIMATH, 267concentric circles method, 525–527conditional-sum adder, 630congruence, 21conjugate of an algebraic number, 27conjunction, 170, 172construction of DL systems, 565construction of ordinary elliptic curves withsmall embedding degree, 586contact card, 649contactless card, 649content of a polynomial, 613continued fraction method, 608coordinate ring of a variety, 51coordinateselliptic curveaffine, 280–281, 283, 284, 291–292,294–295, 297

General Index 789Chudnovsky Jacobian, 282–284comparison, 283, 296generalized projective, 271Jacobian, 282, 292–295, 297López–Dahab, 293–295, 297mixed, 283–285, 296–298modified Jacobian, 282–284Montgomery, 285–288, 696projective, 281, 283, 284, 292, 294–295, 297simplified Chudnovsky Jacobian coordinates,401homogeneous, 46, 69hyperelliptic curveaffine, 316, 336comparison, 325, 344mixed, 325–328, 344–345new, 323, 342projective, 321, 341, 346recent, 346coprime ideals, 22Cornacchia’s algorithm, 458, 598Coron’s first countermeasure, 682, 699correlation power analysis, 680countermeasuresagainst differential fault analysis, 706–708against differential side-channel attacks,697–702Koblitz curves, 711–713against fault attacks, 705–709against Goubin type attacks, 703–704against higher order differential side-channelattacks, 704–705against side-channel attacksGLV curves, 713–714special curves, 709–714against simple fault analysis, 706against simple side-channel attacks, 688–697Koblitz curves, 709–711against timing attacks, 705dummy operations, 689atomic blocks, 691field operations, 690group operations, 689Montgomery arithmetic, 696randomizationcurve equation, 700group elements, 700scalar, 699cover map, 538cover methodtrace zero variety, 539twisted cover, 539crosscorrelation of two sequences, 731CRT, see Chinese remainder theoremcryptographic primitive, 1, 8, 547, 569crystalline cohomology, 136, 451curve, 49anomalous, 76BH, 381C ab , 82, 352desingularization, 64divisor, 66divisor class group Pic 0 C of C of degreezero, 76, 81divisor group, 66, 306genus, 68, 304Hasse–Weil theorem, 110, 112, 278, 310ideal class group, 81–83imaginary quadratic, 83, 304Jacobian variety, 78, 77–80nonsingular, 64, 65period lattice, 91, 95, 462period matrix, 93Picard, 83, 352, 473Picard group, 76Serre bound, 112smooth, 64, 65uniformizer at point P ,65see also elliptic curve and hyperellipticcurvecyclic group, 20DDadda tree, 635, 638dagger ring, 140, 451DBDHP, see decision bilinear Diffie–HellmanproblemDDHP, see decision Diffie–Hellman problemde Rham cohomology, 134, 140, 567decision bilinear Diffie–Hellman problem(DBDHP), 575decision Diffie–Hellman problem (DDHP),10, 574decision problem, 3Dedekind ring, 30defining element, 28

790 General Indexdegreedivisor, 66extension field, 25isogeny, 59, 277, 309separability, 27transcendence, 26dehomogenization, 49density of a normal basis, 221desingularization of a curve, 64differential, 75electromagnetic analysis, 682fault analysis, 683–685power analysis, 677–678side-channel attacks, 697, 698differential holomorphic, 76differential over C, 89Diffie–Hellman (DH) protocol, 10digit, 170dimensionanalytic variety, 88variety, 49vector space, 24directed family of groups, 39directed set, 39discrepancy of a sequence, 731discrete logarithmcomputation, 477–543baby-step giant-step, 376, 482generic algorithm, 478, 554GHS algorithm, 131, 531, 538square root algorithms, 477–494see also index calculus, Pollard’s rho,and Pollard’s lambdatransfer, 9, 529by cover method for trace zero varieties,539by pairings, 530, 555by Weil descent, 530–543, 556odd characteristic, 536to F q -vector spaces, 529via covers, 538discrete logarithm problem (DLP), 8discrete logarithm system (DLS), 8, 547, 571choice of genus and curve equation, 560choice of secure candidates, 547choice of the finite field, 558construction of systems, 565function field, 549generic, 8index calculus, 554number field, 549summary of elliptic curves, 551summary of hyperelliptic curves, 552transfers, see transfer of DLPwith bilinear structure, 9, 573, 574discrete Newton iteration, 179discrete valuation, 41discriminant of an elliptic curve, 71, 268disjunction, 170, 172distortion map, 582distributive law, 21divisionbinary field, see inversion in a binaryfieldintegers, 184–190exact, 189, 204Karatsuba method, 188normalization, 186Quisquater’s normalization, 187, 202recursive method, 188schoolbook method, 185p-adic numbers, 245prime field, see inversion in a prime fielddivision ideal, 60division polynomial of an elliptic curve, 60,80, 413divisor, 66B-smooth, 512class groupMumford representation, 84, 306of order equal to char(K),76Pic 0 C of C of degree zero, 76, 81, 306relation between ideal class group anddivisor, 81, 306degree, 66effective, 66group of a curve, 66, 306prime, 66principal, 67, 306, 550random class, 307rational function, 67, 306, 550reduced, 84, 307, 552DL, see discrete logarithmDLP, see discrete logarithm problemDLS, see discrete logarithm systemdominant rational map, 53double precision integer, 171DSCA, see differential side-channel attacksdual basis, 35dual isogeny

General Index 791elliptic curve, 277hyperelliptic curve, 309dummy operations, 689atomic blocks, 691field operations, 690group operations, 689Dwork–Reich cohomology, 138, 453Eearly abort strategy, 468see also SEA algorithmECDSA, see elliptic curve digital signaturealgorithmECM, see elliptic curve methodECPP test, 597, 601EEPROM, 653effective divisor, 66eigenvalues of the Frobenius endomorphism,110, 111, 279, 311, 356Eisenstein polynomial, 43Eisenstein series, 96electromagnetic analysis, 682–683ElGamalencryption, 10, 11signature, 12Elkies prime, 414, 416, 419see also SEA algorithmelliptic curve, 68–72, 95–100, 268, 551–552absolute invariant, 71, 72, 97, 268addition in atomic blocks, 690, 693addition law, 79, 270admissible change of variables, 274arithmetic, 267–302, 355–387binary field, 289–302prime field, 280–289see also special curvecanonical lift, 423cardinality, 278–279admissible, 278Hasse–Weil interval, 112Hasse–Weil theorem, 110, 112, 278subfield curve, 279trace of the Frobenius, 278twist, 279characteristic polynomial of the Frobenius,278compact curve, 382comparison of coordinate systems, 283,296complex multiplication, 98, 277, 456–460construction, 459compression, 288–289, 302coordinates, see coordinates for ellipticcurvesdiscriminant, 71, 268distortion map, 582division polynomial, 60, 80, 413doublingfollowed by addition, 281, 292in atomic blocks, 690, 692repeated, 295dual isogeny, 277eigenvalues of the Frobenius endomorphism,279endomorphism, 277–278endomorphism ring, 98Frobenius endomorphism, 277GLV curve, 377–380group law, 79, 270group structure of the F q -rational points,272halving, 299, 299–302, 365Hessian form, 696Hilbert class field, 99Hilbert class polynomial, 99, 456computation, 457isogeny, 277, 282point counting, 415, 419, 420, 424,435, 439isomorphism, 71, 273–276Hessian form, 275–276Jacobi model, 275, 696Legendre form, 275twist, 71, 99, 274, 279, 378, 459, 568,735j-function, 97, 417j-invariant, 71, 72, 97, 268Koblitz curve, 356–367library and softwarea p ecs, 267Magma, 267PARI/GP, 267SIMATH, 267minimal 2-torsion, 299Montgomery form, 285, 286, 288nonsingular, 268nonsupersingular, 273, 289, 290, 584comparison with supersingular, 589

792 General Indexuse in pairings, 586–588with small embedding degree, 586ordinary, see nonsupersingularpairing, 122, 123, 390–392, 396, 397embedding degree, 123, 390, 573Tate–Lichtenbaum, 396Tate–Lichtenbaum in characteristic 3,580period lattice, 95, 456point at infinity, 269rational point, 272Serre bound, 112short Weierstraß equation, 70, 73, 268singular point, 268smooth, 268supersingular, 123, 273, 279, 556, 574,580, 583arithmetic, 289comparison with nonsupersingular, 589torsion point, 273, 413, 414trace of the Frobenius endomorphism, 110,413, 426trace zero variety, 383–387triple and add, 581tripling, 580unified formulas, 694Hessian form, 696Jacobi model, 696Vélu’s formulas, 415Verschiebung, 427, 443Weierstraß equation, 69, 73, 268Weierstraß point, 83elliptic curve digital signature algorithm (ECDSA),13, 570elliptic curve method (ECM), 7, 604, 604–607, 612partial addition on an elliptic curve, 604partial inverse on an elliptic curve, 604elliptic curve power generator, 733elliptic function, 95embedding degree, 123, 390, 573, 585construction of ordinary elliptic curves,586end-around carry, 621endomorphismabelian variety, 59curve with identity-based parameters, 382elliptic curve, 277–278hyperelliptic curve, 310ring of an elliptic curve, 98see also Frobenius endomorphism andscalar multiplicationEnge–Gaudry’s theorem, 516EPROM, 652Euclid extended gcd, 191Euclidean exponentiation method, 166Euler totient function, 23exact differential, 141, 450exceptional procedure attack, see Goubin typeattackexclusive disjunction, 170, 172exponent, 145exponent recoding, 151ν-adic expansion, 381τ-adic expansion, 358, 368length reduction, 359–362, 371–373τJSF, 365τNAF, 358τNAF w , 363Booth technique, 151JSF, 155Koyama-Tsuruoka, 152NAF, 151NAF w , 153signed fractional window method, 154exponential complexity, 4, 548exponentiation, 145–1682 k -ary method, 148, 165, 356addition chain, 164, 157–164, 224, 233,237, 559, 646, 699base point, 145BGMW algorithm, see Yao’s methodbinary field, 225–227Brent–Kung composition, 225Shoup algorithm, 227Euclidean method, 166exponent, 145fixed-base comb method, 167left-to-right binary method, 146, 210,253, 261Montgomery, 210Montgomery’s ladder, 148, 697multi-exponentiation, 154–157, 164,377optimal extension field, 231–233Pippenger’s algorithm, 166prime field, 209–210right-to-left binary method, 146sliding window, 150, 163

General Index 793square and multiply, see left-to-right binarymethodYacobi’s method, 160Yao’s method, 165, 227see also scalar multiplicationextension field, 25Ffactor basefactoring, 608index calculus, 496factoring, 601–614continued fraction method, 608elliptic curve method, 7, 604, 604–607factor base, 608Fermat–Morrison–Brillhart approach, 607–614general number field sieve, 612multiple polynomial quadratic sieve, 611number field sieve, 7, 613, 612–614Pollard’s p − 1 method, 603Pollard’s rho method, 601–603quadratic sieve, 508, 609–610special number field sieve, 612false witness, 594fastECPP, 601fault injection attack, 683–685Fermat prime, 533, 557Fermat test, 593Fermat witness, 593Fermat’s little theorem, 23, 599, 603, 607,645Fermat–Morrison–Brillhart factoring method,607–614FFT multiplication, 177field, 23algebraic closure, 27automorphism, 27CM-field, 105, 107, 462CM-type, 63, 105, 463complete discrete valuation, 41extension, 25algebraic, 25defining element, 28degree, 25degree of separability, 27finite, 25Galois, 28monogenic, 26normal, 27purely transcendental, 26separable, 27transcendental, 26fraction of a ring, 23function ˜ of a variety, 51homomorphism,˜23isomorphism, 25norm, 26of constants of a function field, 51of definition of P ,46perfect, 28trace, 26see also finite field, number field, and p-adic fieldfinite extension field, 25finite field, 31, 31–37library and softwareLidia, 201Magma, 201NTL, 201ZEN, 201multiplicative group, 32norm, 33Rabin irreducibility test, 214representation, 33–35trace, 33see also binary field, prime field, and optimalextension fieldfinitely generated ideal, 22fixed-base comb exponentiation method, 167flash EEPROM, 654focused ion beam, 672formation, see arithmetical formationfractional ideal, 30, 549inverse, 30fractional O-ideal, 81FRAM, 654FreeLip, 169frequency block test, 728Frey–Rück attack, 530Frobenius automorphismabsolute, 33relative, 33Frobenius endomorphism, 59, 109, 355elliptic curvecharacteristic polynomial, 278eigenvalues, 279, 356Koblitz, 356trace, 278, 413, 426, 564

794 General Indexhyperelliptic curve, 109, 310characteristic polynomial, 310eigenvalues, 311Koblitz, 367trace, 564varietycharacteristic polynomial, 109–110eigenvalues, 110, 111trace, 110, 111Frobenius morphism, 53, 59, 109, 133see also Frobenius endomorphismFrobenius substitution, 43, 240, 250–252, 423full adder, 627full-graph method, 522–523function field, 51ideal class group, 81, 84, 306variety, 51fundamental domain, 416fundamental unit, 31, 463GGalois extension, 28Galois field, see finite fieldGalois group, 28Gap-Diffie–Hellman group, 10, 574Gauß period, 34general ˜,35Gaudry’s algorithm, 517see also index calculusGauß sum, 599Gaussian normal basis, 35, 240p-adic field, 240, 252, 261, 433see also optimal normal basisgcdinteger, 190–197binary extended, 195Euclid extended, 191generalized binary, 195Lehmer extended, 192polynomial, 222general number field sieve (GNFS), 612generalized binary gcd, 195generalized projective coordinates, 271generated carry, 629generating set, 24generic algorithm, 478, 554genus, 68, 304Hurwitz formula, 68hyperelliptic curve, 73, 304ghost bit basis, 217GHS algorithm, 131, 531, 538Artin–Schreier curve, 536magic number, 532see also Weil descentglitch attack, 683GLV curve, 377–380basis of the endomorphism ring, 378combination with Koblitz curves, 381computation of expansion, 379countermeasures against side-channelattacks, 713–714elliptic curve, 377generalizations, 380–381hyperelliptic curve, 380GMP, 169, 176GNFS, see general number field sieveGoldwasser–Killian test, 598Goubin’s refined power analysis, 680–682greatest common divisor, see gcdgroup, 19, 19–21abelian, 20action, 21cyclic, 20Galois, 28homomorphism, 21kernel, 21index, 20inverse, 20normal, 20order, 20quotient, 20subgroup, 20unit element, 20Hhalf adder, 628halve and add scalar multiplication algorithm,301halving map, 299Hamming weight, 147, 158, 234, 393, 491,558, 677hardwareaddition, see addition in hardwarebinary field, see binary field in hardwareinversion, 645–646modular reduction, see modular reductioninhardwaremultiplication, see multiplication inhardware

General Index 795hardware random number generator, 721hash function, 12hash function on the Jacobian, 590Hasse–Weil interval, 112, 410Hasse–Weil theorem, 110, 112, 278, 310HECDSA, see hyperelliptic curve digital signaturealgorithmHensel odd division, 180see also Montgomery reductionHessian form of an elliptic curve, 275–276heuristics of class number, 564hidden field equations (HFE), 15higher order differential power analysis, 680Hilbert class field, 99Hilbert class polynomial, 99, 456computation, 457holomorphic differential, 76homogeneouscoordinates, 46, 69see also projective coordinatesideal, 47polynomial, 46homomorphismabelian variety, 57complex, 29connected component of the unity of ker(ϕ),58field, 23group, 21kernel, 21real, 29homothetic lattices, 97Horner-like scheme, 227Hurwitz genus formula, 68hyperelliptic curve, 73, 303, 552–553addition in atomic blocks, 694addition law, 304, 308arithmeticgenus 2, 313–347genus 2 in even characteristic, 334–347genus 2 in odd characteristic, 320–334genus 3, 348–352BH curve, 381canonical lift, 442Cantor’s algorithm, 308, 552cardinality, 310–311Hasse–Weil interval, 410Hasse–Weil theorem, 110, 112, 310characteristic polynomial of the Frobenius,310class polynomial, 107, 462, 463, 465,466, 472computation, 462, 472comparison of coordinate systems, 325,344complex multiplication, 104, 310, 460–473computation of theta constant, 465construction, 469curve with automorphisms, 471Mestre’s algorithm, 468compression, 311–313computation of Igusa invariants, 465coordinates, see coordinates for hyperellipticcurvesdivisor class group Pic 0 C of C of degreezero, 306doubling in atomic blocks, 694dual isogeny, 309eigenvalues of the Frobenius endomorphism,311endomorphism, 310Frobenius endomorphism, 109, 310genus, 73, 304group law, 304group structure of the F q -rational pointsJ C (F q )[n], 111ideal class group, 83–85, 306Igusa invariants, 101, 107, 462index calculus method, 511isogeny, 309isomorphism, 74, 308Koblitz curve, 367–376Mestre’s invariants, 102, 468Montgomery like form, 329nonsingular, 304p-rank of a hyperelliptic curve, 310pairing, 122, 390–392, 394, 398embedding degree, 123, 390, 573Tate–Lichtenbaum, 398period lattice, 462period matrix, 100, 462, 463Picard group, 306random divisor class, 307Riemann theta divisor, 100Rosenhain model, 104, 472Serre bound, 112Shioda invariants, 104, 472

796 General Indexsmooth, 304supersingular, 310, 584, 585arithmetic, 340theta characteristic, 100, 444theta constants, 100, 444, 463torsion point, 309trace zero variety, 383–387Weierstraß equation, 74, 83, 304Weierstraß point, 73, 304hyperelliptic curve digital signature algorithm(HECDSA)generation, 570verification, 570hyperelliptic involution, 73, 512hypersurface, 47IID-basedcryptography, 576–578decryption, 577encryption, 576parameters, 382ideal, 21above pZ, 31coprime, 22finitely generated, 22fractional, 30, 549homogeneous, 47inert, 31maximal, 22prime, 22principal, 22product, 30ramified, 31split, 31ideal class group, 81–83hyperelliptic curve, 83–85, 306Mumford representation, 84, 306relation with divisor class group, 81, 306identity-based, see ID-basedIgusa invariants, 101, 107, 462computation, 465imaginary quadratic curve, 83, 304incompletely reduced number, 202index calculus, 495–527, 554–555arithmetical formation, 496–497automorphism of the group, 505–506factor base, 496filtering, 503–505merging, 504–505pruning, 504finite field, 506–507hyperelliptic curve, 511–527Adleman–DeMarrais–Huangalgorithm, 512–516B-smooth divisor, 512concentric circles method, 525–527double large primes, 521–522Enge–Gaudry’s theorem, 516factor base, 512, 515, 517full-graph method, 522–523Gaudry’s algorithm, 517general algorithm, 511–512harvesting, 518–519hyperelliptic involution, 512refined factor base, 517–518relation search, 513–514simplified graph method, 523–525single large prime, 520–521large primes, 507–5091 large prime, 507–5082 ˜, 508–509more ˜, 509linear algebra, 500–503see also Lanczos’ method and Wiedemann’smethodprime, 496relation search, 499–500parallelization, 500smoothness bound, 496via hyperplane sections, 541Waterloo variant, 508index of a group, 20indistinguishability, 729induced morphism, 52industrial-grade prime, 591inert ideal, 31inertia degree, 43integer arithmetic, 169–199addition, 173concatenation, 187division, see division of integersexact division, 189, 204gcd, see gcd of integersinteger square root, 198multiplication, see multiplication of integersreduction, see modular reductionsquare root, 198

General Index 797squaring, see squaring of integerssubtraction, 173integer factorization problem, 1, 7, 479integer ring of a number field, 29integral basis, 29integral domain, 21integrally closed ring, 30interleaved multiplication-reduction, 203invalid curve attack, 569, 706invasive attacks, 670–673inverse limit, 40inverse of a fractional ideal, 30inverse of a group element, 20inverse of a ring element, 23inverse square root of p-adic numbers, 248inversionbinary field, 222–225binary method, 223extended gcd, 222Itoh and Tsujii algorithm, 225Lagrange’s theorem, 224hardware, 645–646integers, see division of integersoptimal extension field, 233–234, 237p-adic numbers, 247prime field, 205–209almost Montgomery inverse, 208Montgomery inverse, 208plus-minus method, 206simultaneous, 209, 283, 296, 327Thomas et al. method, 207involution of a hyperelliptic curve, 73, 512irreducible subset of a topological space, 48isogenyabelian variety, 58over C,94degree, 59, 277dual, 277elliptic curve, 277, 282point counting, 415, 419, 420, 424,435, 439Vélu’s formulas, 415hyperelliptic curve, 309purely inseparable, 59separable, 59isomorphismabelian variety, 58elliptic curve, 71, 273–276admissible change of variables, 274Hessian form, 275–276Jacobi model, 275, 696Legendre form, 275field, 25hyperelliptic curve, 74, 308variety, 52Itoh and Tsujii inversion, 225Jj-function, 97, 417j-invariant, 71, 72, 97, 268Jacobi criterion, 64Jacobi model, 275, 696Jacobi sum, 600Jacobian coordinates, 282, 292–295, 297see also Chudnovsky Jacobian coordinates,modified Jacobian coordinates,and simplified ChudnovskyJacobian coordinatesJacobian variety, 78, 77–80Java Card, 659Jebelean exact division, 189, 204joint Hamming weight, 156joint sparse form, see JSFJSF, 155simple, 156τJSF, 365KKaratsubainteger division, 188integer multiplication, 176, 202integer squaring, 178polynomial multiplication, 220, 227,236, 244, 317Kedlaya’s algorithm, 449kernel of a group homomorphism, 21key exchangecontributory, 575multiparty, 574noncontributory, 575key generation, 11Knapsack problem, 14Koblitz curveτ-adic expansion, 358, 368alternative generation of τ-adic expansion,375combination with GLV method, 381countermeasures against

798 General Indexdifferential side-channel attacks, 711–713simple side-channel attacks, 709–711elliptic curve, 356–367τJSF, 365length reduction of the τ-adic expansion,359–362main subgroup membership, 359τNAF, 358τNAF w , 363hyperelliptic curve, 367–376length reduction of the τ-adic expansion,371–373Koyama–Tsuruoka recoding, 152Kronecker relation, 425Kronecker–Jacobi symbol, 36Kummer surface, 329Ll-adic Tate module, 61L-polynomial of a curve, 135, 407L-rational points, 46Lanczos’ method, 500–503, 517LCG, see linear congruential generatorleast significant digit, 170left-to-right binary method, 146, 210, 253,261Legendre form, 275Legendre symbol, 36, 210Legendre–Kronecker–Jacobisymbol, 36, 235Lehmer extended gcd, 192Lempel–Ziv compression algorithm, 160Lercier–Lubicz’ algorithm, 253, 434library and softwarea p ecs, 267BigNum, 169FreeLip, 169GMP, 169, 176Lidia, 201Magma, 201, 267Maple, 267NTL, 201PARI/GP, 267, 467SIMATH, 267ZEN, 201Lidia, 201lift of an element in a valuation ring, 41lift of p-adic numbersHensel, 250, 249–250, 428Newton, 246–249generalized, 257, 447Teichmüller, 241, 257, 258light attack, 684linear complexity of a sequence, 732linear congruential generator (LCG), 720linearly independent vectors, 24little endian, 171local ring of a point, 64local Tate pairing, 118López–Dahab coordinates, 293–295, 297Lubin–Serre–Tate theorem, 423Lucas pseudoprime, 595Lucas pseudoprime test, 595Lucas sequence, 357MMöbius function, 33magic number, 532Magma, 201, 267man-in-the-middle attack, 10Maple, 267a p ecs, 267Massey–Omura multiplier, 643Mastrovito multiplier, 642match and sort, 421see also SEA algorithmmaximal ideal, 22maximal order, 30memory management unit, 655memory only card, see synchronous cardMersenne prime, 182, 207, 533, 556, 640pseudo-˜, 230Mestre’s algorithm for complex multiplication,468Mestre’s invariants, 102, 468micromodule, 648microprocessor card, see asynchronous cardMiller’s pairing computation algorithm, 122,392minimal 2-torsion for an elliptic curve, 299minimal polynomial of an algebraic element,25mixed coordinateselliptic curve, 283–285, 296–298hyperelliptic curve, 325–328, 344–345modified Jacobian coordinates, 282–284modular function, 97modular polynomial, 416–419

General Index 799canonical, 418classical, 418Kronecker relation, 425modular reduction, 178–184Barrett method, 179, 182, 202, 203, 210,606hardware, 638–641incomplete reduction, 640special moduli, 640modulo several primes, 184remainder tree, 184scaled remainder tree, 184modulo special integers, 183, 182–184Mersenne prime, 182NIST prime, 183Montgomery reduction, 181, 180–182Montgomery representation, 180residue number system arithmetic, 197see also interleaved multiplication-reductionmodule, 24monobit test, 726Monsky–Washnitzer cohomology, 136, 139,451, 567Montgomeryalmost inverse, 208exponentiation, 210inversion, 208multiplication, 204reduction, 181, 180–182coarsely integrated operand scanningmethod, 640hardware, 639–640representation, 180Montgomery coordinates on an elliptic curve,285–288, 696Montgomery form of an elliptic curve, 285,286, 288Montgomery like form of hyperelliptic curve,329Montgomery’s ladder, 148, 287, 298, 328, 331,401, 676, 697morphismaffine variety, 52Frobenius, 53, 59, 109, 133see also Frobenius endomorphismfrom A n to A 1 ,52from A n to A m ,52from V ⊂ A n to a variety W ⊂ A m ,52induced, 52projective variety, 55most significant digit, 170MOV attack, 530MPQS, see multiple polynomial quadraticsievemulti-exponentiation, 154–157, 164, 377multi-stack algorithm, 487multiple polynomial quadratic sieve (MPQS),611multiplicationbinary field, 218–221optimal normal basis, 220–221polynomial basis, 218–220hardwareusing left shift, 623using right shift, 624integers, 174–177FFT, 177Karatsuba method, 176, 202schoolbook method, 174Toom–Cook, 177optimal extension field, 231, 236–237p-adic numbers, 244prime field, 202–205interleaved with reduction, 203Montgomery method, 204see also squaringmultiplication matrix of a normal basis, 220density, 221multiplicative group, 32multiplier recodingBooth method, 625radix-4 signed digit, 626multiprecision, 171multiprecision libraryBigNum, 169FreeLip, 169GMP, 169, 176Mumford representation, 84, 306Nn-word integer, 171NAF, 151NAF w , 153Naor–Reingold generator, 734new coordinates for hyperelliptic curves ofgenus 2, 323, 342Newton–Girard formula, 229, 408NFS, see number field sieve

800 General IndexNoetherian ring, 30non-adjacent form, see NAFnon-invasive attacks, 673–685see also side-channel attacksnonempty affine part of a variety, 50nonsingular curve, 64, 65elliptic curve, 268hyperelliptic curve, 304nonsingular point, 64, 65, 268, 304nonsupersingular elliptic curve, 273, 584normalgebraic number, 29endomorphism, 377field, 26finite field, 33p-adic number, 41, 261–263normal basis, 34, 224, 228density, 221hardware, 643–645multiplication matrix, 220self-complementary, 35see also optimal normal basisnormal element, 34, 218normal extension, 27normal group, 20normalized valuation of a place, 65NTL, 201NTRU encryption system, 14null hypothesis, 723number field, 29, 29–31class number, 30, 457, 480, 598fundamental unit, 31, 463ideal class group, 30ideal decomposition, 31integer ring, 29maximal order, 30norm, 29order, 30signature, 29totally complex, 29totally real, 29trace, 29number field sieve (NFS), 7, 613, 612–614OO-notation, 3o-notation, 3OEF, see optimal extension fieldONB, see optimal normal basisone’s complement, 621one-parameter quadratic-base test (OPQBT),596one-way function, 5OPQBT, see one-parameter quadratic-basetestoptimal extension field (OEF)arithmetic, 229–237exponentiation, 231–233inversion, 233–234, 237multiplication, 231, 236–237specific improvements, 235–237square root, 234–235trace, 235type I, 230type II, 230optimal normal basis (ONB), 217–218, 221,220–221density, 221multiplication matrix, 220palindromic representation, 221type I, 217type II, 218see also Gaussian normal basisoracle, 10, 478random model, 577order of a group, 20order of a number field, 30order of an elementfinite, 20infinite, 20ordinaryabelian variety, 60curve for pairings, 586–588elliptic curve, 273, 289, 290, 584Pp-adic exponential, 259p-adic fieldabsolute ramification index, 43inertia degree, 43unramified extension, 43, 136, 138, 239,428, 436p-adic integer ring, 40p-adic logarithm, 258p-adic norm, 41p-adic numbersarithmetic, 239–263fast division with remainder, 245

General Index 801inverse, 247inverse square root, 248multiplication, 244square root, 249exponential, 259Frobenius substitution, 43, 240, 250–252,423generalized Newton lifting, 257, 447Hensel lifting, 250, 249–250, 428logarithm, 258Newton lifting, 246–249norm, 261–263representationGaussian normal basis, 240, 252, 261,433sparse modulus, 240Teichmüller modulus, 240Teichmüller lift, 241, 256, 257, 258Teichmüller modulus increment, 242trace, 260p-adic valuation, 41p-rankabelian variety, 61hyperelliptic curve, 310padding, 170pairingcomparison of ordinary and supersingularcurves, 589computation in characteristic 3, 580distortion map, 582elliptic curve, 123, 396, 397embedding degree, 123, 390, 573, 585hyperelliptic curve, 398improvements for elliptic curves, 400local Tate, 118Miller’s algorithm, 122, 392ordinary curve, 586–588over local fields, 118security parameter, 585short signature protocol, 578, 589supersingular curve, 580, 584Tate, 116Tate–Lichtenbaum, 122, 390–392, 394comparison with Weil pairing, 395efficient computation, 400elimination of divisions, 400elliptic curve, 396hyperelliptic curve, 398subfield computations, 401transfer of DLP, 530, 555Weil, 115comparison with Tate–Lichtenbaumpairing, 395palindromic representation, 221PARI/GP, 267, 467pentanomial, 214perfect field, 28period lattice of a curve, 91, 95, 462period matrixabelian variety, 93curve, 93hyperelliptic curve, 100, 462, 463period of a pseudorandom sequence, 730Picard curve, 83, 352, 473Picard groupcurve, 76hyperelliptic curve, 306PID, see principal ideal domainPila’s algorithm, 422Pippenger’s exponentiation algorithm, 166place of a function field, 65plus-minus inversion method, 206Pocklington–Lehmer test, 597Poincaré upper half plane, 97, 416point at infinity, 50, 74, 269–271, 306point countingAGM, see AGM algorithmCartier–Manin method, 411enumeration, 407Kedlaya’s algorithm, 449l-adic methods, 413–422p-adic methods, 422–453Pila’s algorithm, 422Satoh’s algorithm, 430, 423–434, 437Schoof’s algorithm, 413SEA, see SEA algorithmsquare root algorithms, 410–411subfield curve, 409point halving, 299, 299–302, 365points at infinity, 50, 550Pollard’s kangaroo, 491–494automorphism, 494lambda method, 492–493parallelization, 493–494tame kangaroo, 492trap, 492wild kangaroo, 492Pollard’s p − 1 factoring method, 603Pollard’s rho, 483–491automorphisms, 490–491

802 General Indexcollision, 483distinguished point technique, 488, 489factoring method, 601–603for discrete logarithms, 488–489match, 483multi-stack algorithm, 487parallelization, 489–490random mapping, 483, 486, 489polynomial basis, 34, 218–220, 225–226all one polynomial, 215anomalous, 217ghost bit basis, 217hardware, 642–643pentanomial, 214redundant, 34redundant trinomial, 217, 228sedimentary, 215sparse, 34, 214, 216trinomial, 214polynomial complexity, 4, 548Poulet number, 593power consumption analysis, 675power tree method, 160powering, see exponentiationprecision of an integer, 170preperiod of a pseudorandom sequence, 730primality certificate, 597primality test, 596–601AKS, 600APRCL Jacobi sum, 599Atkin–Morain ECPP, 597, 601fastECPP, 601Goldwasser–Killian, 598Pocklington–Lehmer, 597primality certificate, 597see also compositeness testprime divisor, 66prime field, 32arithmetic, 201–213exponentiation, see exponentiation in aprime fieldinversion, see inversion in a prime fieldmultiplication, see multiplication in aprime fieldquadratic nonresidue, 36quadratic residue, 36reduction, see modular reductionrepresentative of a class, 202square root, see square root in a primefieldsquaring, 205prime ideal, 22prime number theorem, 6prime of an arithmetical formation, 496primitive element, 32, 215, 217, 230primitive polynomial, 34principal divisor, 67, 306, 550principal ideal, 22principal ideal domain (PID), 22principally polarized abelian variety, 93probing, 671projective closure of an affine set, 50projective coordinateselliptic curve, 281, 283, 284, 292,294–295, 297hyperelliptic curve, 321, 341, 346see also homogeneous coordinatesprojective point, 46, 270, 271projective space, 46,49closed set, 46open set, 46standard covering, 50projective variety, 48PROM, 652propagated carry, 629protocols, 9, 569–571ECDSA, 570HECDSA, 570ID-basedcryptography, 576–578decryption, 577encryption, 576multiparty key exchange, 574short signature, 578, 589pseudoprime, 593Lucas, 595strong, 594strong Lucas, 595pseudorandom number generator, 718–719,729–735public-key cryptography, 5public-key infrastructure, 11, 575pure transcendental extension, 26purely inseparable isogeny, 59Qquadratic nonresidue, 36quadratic reciprocity lawLegendre symbol, 36

General Index 803Legendre–Kronecker–Jacobisymbol, 37quadratic residue, 36quadratic sieve, 508, 609–610quadratic twist, 71, 99, 274, 279, 378, 459,568, 735quotient group, 20RRabin polynomial irreducibility test, 214Rabin–Miller compositeness test, 594, 596radix, 170radix complement, 620RAM, 651ramified ideal, 31random mapping, 483, 486, 489random oracle model, 577random walk, 484, 489r-adding walk, 489, 492randomizationcurve equation, 700group elements, 700scalar, 699randomized GLV method, 713randomness∞-distributed sequence, 716autocorrelation of a sequence, 731autocorrelation test, 729balance of a sequence, 730crosscorrelation of two sequences, 731discrepancy of a sequence, 731frequency block test, 728hardware random number generator, 721indistinguishability, 729l-distributed sequence, 716linear complexity of a sequence, 732monobit test, 726null hypothesis, 723period of a pseudorandom sequence, 730preperiod of a pseudorandom sequence,730pseudorandom number generator, 718–719, 729–735Blum–Blum–Shub generator, 720elliptic curve power generator, 733linear congruential generator, 720Naor–Reingold generator, 734RANDU, 720random number generator, 717–721ANSI-C, 720random sequence, 716random walk, 727runs test, 728seed, 490, 719Shannon entropy function, 716statistical model, 723statistical tests, 723–724true random number generator, 718turning point test, 728unpredictability, 729RANDU generator, 720rational function, 53divisor, 67, 306, 550pole, 67regular at point P ,54zero, 67rational map, 53birational, 53dominant, 53regular at point P ,54rational pointelliptic curve, 272hyperelliptic curve, 306variety, 46real homomorphism, 29recent coordinates for hyperelliptic curves ofgenus 2, 346reciprocal integer, 178recursive integer division, 188recursive middle product, 188reduced divisor, 84, 307, 552redundant trinomial basis, 217, 228refined factor base, 517–518register, 170, 172remainder tree, 184representationfinite field, 33–35integer in base b, 170see also basisrepresentative of a congruence class, 202canonical, 21centered, 21incompletely reduced number, 202residual logarithm, 610residue field, 41of a point, 64residue number system arithmetic, 197reverse engineering, 670Riemann form, 93Riemann theta divisor, 100

804 General IndexRiemann–Roch theorem, 68right-to-left binary method, 146rigid cohomology, 136ring, 21, 21–23characteristic, 22commutative, 21Dedekind, 30ideal, 21integrally closed, 30inverse, 23invertible element, 23Noetherian, 30p-adic integers, 40regular functions, 64unit, 23ROM, 651Rosenhain model, 104, 472RSA, 7RSA assumption, 7RSA problem, 7Rück attack, 529runs test, 728SSarrus number, 593Satoh’s algorithm, 430, 423–434, 437SCA, see side-channel attacksscalar, 24scalar multiplicationcurve with endomorphism, 376–383elliptic curvehalve and add, 301GLV curveelliptic curve, 377–380hyperelliptic curve, 380–381Koblitz curveelliptic curve, 356–367hyperelliptic curve, 367–376Montgomery’s ladder, 287, 298, 328, 331,401, 676sliding window, 271, 284, 356, 678, 704trace zero variety, 383–387triple and add, 581tripling, 580see also arithmetic, elliptic curve, hyperellipticcurve, exponentiation, andspecial curvescalar randomization, 699scalar restriction, 125scaled remainder tree, 184scanning electron microscope, 672Schoof’s algorithm, 413Schoof–Elkies–Atkin’s algorithm, see SEAalgorithmSEA algorithm, 421, 414–422, 566Atkin prime, 414, 415canonical modular polynomial, 418classical modular polynomial, 418early abort, 468Elkies prime, 414, 416, 419match and sort, 421security parameter, 585sedimentary polynomial, 215seed, 490, 719self-complementary normal basis, 35self-dual basis, 35separable extension of a field, 27separable isogeny, 59Serre bound, 112Shannon entropy function, 716shiftinteger multiplication using left ˜, 623integer multiplication using right ˜, 624left, 172right, 172Shioda invariants, 104, 472short signature, 578, 589Shoup exponentiation algorithm, 227side-channel atomicity, 691elliptic curveaddition, 690, 693doubling, 690, 692hyperelliptic curveaddition, 694doubling, 694side-channel attacks (SCA), 285, 288, 328,673–685Bellcore attack, 683correlation power analysis, 680differential electromagnetic analysis,682differential fault analysis, 683–685differential power analysis, 677–678electromagnetic analysis, 682–683fault injection, 683–685glitch attack, 683Goubin’s refined power analysis, 680–682

General Index 805higher order differential power analysis,680light attack, 684power consumption analysis, 675simple power analysis, 675–677timing attack, 673–675see also countermeasures against ˜signature of a number field, 29signature scheme, 12signature verification, 13signed fractional window method, 154signed-binary representation, 151signed-digit representation, 151signed-magnitude representation, 171Silver–Pohlig–Hellman attack, see Chineseremaindering attackSIMATH, 267simple abelian variety, 60simple joint sparse form, 156simple power analysis, 675–677simple side-channel attacks (SSCA), 688see also side-channel attacks and countermeasuresagainst ˜simplified Chudnovsky Jacobian coordinates,401simplified graph method, 523–525simultaneous inversion modulo p, 209, 283,296, 327single precision integer, 171singular point, 64, 65, 268, 304size map, 496sliding windowexponentiation algorithm, 150, 163scalar multiplication algorithm, 271, 284,356, 678, 704small subgroup attack, 569smart cardasynchronous card, 665card system, 656combi-card, 650contact card, 649contactless card, 649coprocessor, 666electrical properties, 650floating gate, 652host system, 656invasive attacks, 670–673memory, 651–656EEPROM, 653EPROM, 652flash EEPROM, 654FRAM, 654PROM, 652RAM, 651ROM, 651memory management unit, 655memory only card, see synchronous cardmetal layers, 670micromodule, 648microprocessor card, see asynchronouscardnon-invasive attacks, 673–685see also side-channel attacksoperating system, 657Java Card, 659Multos, 657Windows, 657physical properties, 648preprogrammed state, 652probing, 671reverse engineering, 670synchronous card, 664transmission protocol, 659–663UART, 663USB, 664smoothcurve, 64, 65elliptic curve, 268hyperelliptic curve, 304smoothness bound, 496SNFS, see special number field sieveSolovay–Strassen compositeness test, 595space complexity, 3sparse modulus representation, 240sparse polynomial basis, 34, 214, 216special curve, 355–387countermeasures against side-channelattacks, 709–714see also GLV curve, Koblitz curve, andtrace zero varietyspecial number field sieve (SNFS), 612splitting field, 27splitting ideal, 31square and multiply, see left-to-right binarymethodsquare rootbinary field, 228–229integers, 198optimal extension field, 231, 234–235p-adic numbers, 249

806 General Indexprime field, 212, 213Tonnelli and Shanks square root algorithm,212squaringbinary field, 221integersKaratsuba method, 178schoolbook method, 177prime field, 205SSCA, see simple side-channel attacksstandard covering of a projective space, 50star addition chain, 157, 225statistical model, 723Straus–Shamir’s trick, 155, 387, 713see also multi-exponentiationstrong Lucas pseudoprime, 595strong pseudoprime, 594subexponential complexity, 4, 548subgroup, 20subgroup generated by an element, 20subtractionbinary field, 218integers, 173optimal extension field, 231prime field, 202summation polynomial, 541supersingularabelian variety, 61security parameter, 585elliptic curve, 123, 273, 279, 289, 556,574, 580, 583attack via pairing, 530distortion map, 582security parameter, 585use in pairings, 580hyperelliptic curve, 310, 584, 585arithmetic, 340security parameter, 585use in pairings, 584Jacobian, 310symmetric key cryptography, 2synchronous card, 664system parameter, 569Tτ-adic expansionalternative generation, 375comparison, 374elliptic curvecomputation, 358length reduction, 359–362windowing methods, 363hyperelliptic curvecomputation, 368length reduction, 371–373see also τNAF, τNAF w ,andτJSFτ-adic joint sparse form, see τJSFτ-adic non-adjacent form, see τNAFτJSF, 365τNAF, 358τNAF w , 363Tate pairing, 116, 117, 119see also Tate–Lichtenbaum paringTate–Lichtenbaum pairing, 122, 390, 392characteristic 3, 580comparison with Weil pairing, 395computation, 391, 394efficient computation, 400elimination of divisions, 400elliptic curve, 123, 396, 397hyperelliptic curve, 398ordinary curve, 586–588subfield computations, 401supersingular curve, 580, 584Teichmüller lift, 256Teichmüller modulus increment, 242Teichmüller modulus representation, 240theta characteristic, 100, 444theta constant, 100, 444, 463computation, 465even, 100odd, 100Thomae formula, 446Thurber’s algorithm for addition chain, 158time complexity, 3timing attack, 673–675Tonnelli and Shanks square root algorithm,212Toom–Cook multiplication, 177torsion pointabelian variety, 60elliptic curve, 273, 413, 414minimal 2-torsion, 299hyperelliptic curve, 309torus, 92totally complex number field, 29totally real number field, 29tracealgebraic number, 29

General Index 807binary field, 35efficient computation, 229endomorphism, 377field, 26finite field, 33Frobenius endomorphism, 110, 111, 413,426, 564p-adic number, 260trace zero variety, 130, 383–387, 539, 557arithmetic, 385–387background, 384transcendence degree, 26transcendental element, 26transcendental extension, 26transfer of DLP, 9, 529, 555–557by pairings, 530, 555by Weil descent, 530–543, 556in odd characteristic, 536to F q -vector spaces, 529via covers, 538translation by point P ,57trial division, 592trinomial, 214tripartite key exchange, 14triple and add scalar multiplication algorithm,581tripling on an elliptic curve, 580true random number generator, 718trusted authority, 576turning point test, 728twist of an elliptic curve, 71, 99, 274, 279,378, 459, 568, 735see also isomorphism of elliptic curvestwisted cover, 539two’s complement, 171, 620Uunified arithmetic for elliptic curves, 694Hessian form, 696Jacobi model, 696unified multipliers, 644–645uniformizer for the curve C at the point P ,65uniformizing element, 41,44unit element of a group, 20unit of a ring, 23universal asynchronous receiver transmitter (UART),663universal serial bus (USB), 664unpredictability, 729unramified extension of a p-adic field, 43,136, 138, 239, 428, 436USB, see universal serial busVvaluation at a point, 65valuation ring, 41varietyabsolutely irreducible, 48birational equivalence, 53coordinate ring, 51dimension, 49function field, 51vector space, 24basis, 24dimension, 24generating set, 24linearly independent vectors, 24scalar, 24vector, 24vectorial addition chain, 158, 164Vélu’s formulas, 415Verschiebungabelian variety, 61elliptic curve, 427, 443WWallace tree, 635, 638Waterloo variant, 508weak completion, see dagger ringWeierstraß equationelliptic curve, 69, 73, 268short, 70, 73, 268hyperelliptic curve, 74, 83, 304Weierstraß ℘-function, 96Weierstraß point, 73, 83, 304Weil descent, 90, 125, 127, 530–543, 556in odd characteristic, 536index calculusvia hyperplane sections, 541over C,89trace zero variety, 539transfer of DLP, 530–543, 556via GHS, 131, 531, 538Weil pairing, 115comparison with Tate–Lichtenbaumpairing, 395see also Tate paring and Tate–Lichtenbaumparing

808 General Indexwidth-wτ-adic non-adjacent form, see τNAF wwidth-w non-adjacent form, see NAF wWiedemann’s method, 500–503, 517Witt vector, 44XXOR, see exclusive disjunctionYYacobi’s exponentiation method, 160Yao’s exponentiation method, 165, 227ZZariski topology, 46, 47Zech’s logarithm, 33ZEN, 201zeta function, 134, 408, 422, 451