Research Article | Open Access
Seungkook Park, "Hyperelliptic Curves for the Vector Decomposition Problem over Fields of Even Characteristic", Journal of Applied Mathematics, vol. 2015, Article ID 197097, 6 pages, 2015. https://doi.org/10.1155/2015/197097
Hyperelliptic Curves for the Vector Decomposition Problem over Fields of Even Characteristic
We present an infinite family of hyperelliptic curves of genus two over a finite field of even characteristic which are suitable for the vector decomposition problem.
Intractable mathematical problems such as the integer factorization problem, the discrete logarithm problem (DLP), and the computational Diffie-Hellman problem (CDHP) are being used to provide secure protocols for cryptosystems. A new hard problem which is called the vector decomposition problem (VDP) was proposed by Yoshida et al. . The VDP on a two-dimensional vector space can serve as the underlying intractable problem for cryptographic protocols. Galbraith and Verheul presented an application of trapdoor VDP where a trapdoor is used to construct a public key encryption scheme . In 2009, Yoshida and Fujiwara introduced a new watermarking scheme designed for cryptographic data such as keys, ciphertexts, and signatures [3, 4]. The proposed scheme utilizes a two-dimensional vector space where one of the one-dimensional subspaces is used as the domain of cryptographic date and the other one-dimensional subspace is used to embed a watermark. The security of the scheme is based on the infeasibility of the VDP. In , Yoshida stated the conditions that are required for the VDP on a two-dimensional vector space to be at least as hard as the CDHP on a one-dimensional subspace and suggested a particular family of elliptic curves to be used for the VDP. Duursma and Kiyavash  showed that the family of elliptic curves chosen by Yoshida is not secure and moreover none of the elliptic curves have the property that is needed for the VDP to be a hard problem. In order to resolve this problem Duursma and Kiyavash introduced an infinite family of genus two hyperelliptic curves suitable for the VDP. Galbraith and Verheul analyzed the VDP and showed that the VDP on a two-dimensional vector space is equivalent to CDHP on a one-dimensional subspace for the Duursma-Kiyavash curves . The family of hyperelliptic curves proposed by Duursma and Kiyavash are defined over a finite field of odd characteristic. Curve operations are performed using arithmetic operations in the underlying field. Hence the efficient implementation of finite field arithmetic is an important prerequisite in hyperelliptic curve systems. Smart showed that the general multiplication algorithm on the Jacobian for curves defined over odd characteristic fields ended up being around twice as slow as that for even characteristic fields, of an equivalent size, in genus two . Thus curves defined over even characteristic fields have an advantage in computation time over curves defined over odd characteristic fields. Hence one would prefer curves defined over a finite field of even characteristic for the VDP. In this paper, we present an infinite family of hyperelliptic curves of genus two over a finite field of even characteristic and show that it satisfies all the conditions that are needed for the VDP to be a hard problem. The paper is organized as follows: The definitions of CDHP and VDP are given in Section 2. Also we state the conditions for the VDP to be a hard problem and describe the applications of the VDP given in [2–4]. In Section 3, we propose a family of hyperelliptic curves over fields of even characteristic such that the Jacobian of the curves is a product of two elliptic curves. In Section 4, we prove that the two elliptic curves found in Section 3 are 3-isogenous and we find the 3-isogeny. In Section 5, we give the setting of the VDP on the hyperelliptic curves given in Section 3 and show that the VDP defined on these curves can serve as an intractable problem in cryptographic protocols.
2. Vector Decomposition Problem
We state the definition of VDP and the conditions for the VDP on a two-dimensional vector space to be at least as hard as the CDHP on a one-dimensional subspace given by Yoshida .
Definition 1. The VDP on (a two-dimensional vector space over ) is as follows: “given such that is an -basis for , find the vector such that and .”
Definition 2. The CDHP on (a one-dimensional vector space over ) is as follows: “given and , find .”
Theorem 3 (Yoshida ). The vector decomposition problem on is at least as hard as the computational Diffe-Hellman problem on if for any there are linear isomorphisms which satisfy the following three conditions:(1)For any , and are effectively defined and can be computed in polynomial time.(2) is an -basis for .(3)There are with and . The elements , , and their inverses can be computed in polynomial time.
The VDP is hard in general but for certain bases the VDP can be solved in polynomial time even if it satisfies Yoshida’s conditions [2, 8]. In fact, the bases chosen by Duursma and Kiyavash are easy instances of the VDP. The fact that there are easy instances of VDP does not affect the VDP conjecture that the VDP should be hard for randomly chosen basis. In , Kwon and Lee provided criteria for choosing a basis such that the VDP can serve as an intractable problem in cryptographic protocols. In , Galbraith and Verheul showed that if is distortion eigenvector base for then the VDP on a two-dimensional vector is equivalent to the CDHP on one-dimensional vector space .
We give the definition of eigenvector base and distortion eigenvector base.
Definition 4. Let be a group of exponent and order . Let be a group isomorphism computable in polynomial time. A pair of elements is an eigenvector base with respect to if ; that is, each element can be uniquely written as a linear combination in and and if and for some distinct, nonzero .
Definition 5. An eigenvector base is said to be a distortion eigenvector base if there are group homomorphisms and computable in polynomial time and if an integer is given such that .
Remark 6. The VDP with respect to an eigenvector base is solvable in polynomial time.
Two applications of the VDP are watermarking scheme designed for cryptographic date given in [3, 4] and public key encryption scheme given in . In the watermarking scheme a cryptographic date which can be considered as a “vector” is watermarked by adding a linearly independent random vector. Embedding and removing a watermark correspond to adding a one-dimensional vector and decomposing a two-dimensional vector, respectively. Due to the infeasibility of the VDP, removing the watermark is hard unless one has some trapdoor information. The core idea of the public key encryption scheme given in  is that for certain bases the VDP is easy but for general bases the VDP is hard. Let be a two-dimensional vector space isomorphic to with a distortion eigenvector base . If and , where and , then for any , if one knows the then one can solve the VDP of to the base . Using , , , as a trapdoor we obtain a trapdoor VDP scheme. An application of the trapdoor VDP is the public key encryption scheme with public key and private key . A message is encrypted as for a random with .
3. Hyperelliptic Curves over Fields of Even Characteristic
By Theorem 3, the VDP is hard if the CDHP on a one-dimensional subspace is hard. Yoshida suggested to use the full group of -torsion points on the elliptic curve over as the two-dimensional vector space and the subgroup of -rational -torsion points as the one-dimensional subspace . The elliptic curve given by Yoshida is supersingular. Thus the elliptic curve discrete logarithm problem (ECDLP), and hence the CDHP on the one-dimensional subspace, is vulnerable to the MOV attack. Duursma and Kiyavash  showed that any elliptic curve that satisfies the conditions of Theorem 3 is supersingular. Thus, using the VDP with the full -torsion points on an elliptic curve introduces a vulnerability that needs to be compensated by choosing larger parameters. To avoid this, the VDP may be used with higher genus curves. Duursma and Kiyavash introduced an infinite family of genus two hyperelliptic curves suitable for the VDP defined over a finite field of odd characteristic. In this section, we provide an infinite family of genus two hyperelliptic curves suitable for the VDP defined over a finite field of even characteristic. Unless specified otherwise all the fields will be of even characteristic and all the curves will be over fields of even characteristic. For our purpose, we need a hyperelliptic curve such that the Jacobian of the hyperelliptic curve decomposes into two isogenous elliptic curves. Let be a finite field of even characteristic. We consider the following hyperelliptic curve of genus two over :where for some . Let and be the roots of . The automorphism group of (2) is and the automorphisms are(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12).
Theorem 7 (Kani and Rosen ). Given a curve , let be a finite subgroup of Aut() such that where the subgroups of satisfy if . Then one has the following isogeny relation:where and and means the product of with itself times.
Theorem 8. The Jacobian of the hyperelliptic curveis isogenous to a product of elliptic curves and ,
Proof. Let and be automorphisms. We compute and . Since and are invariants under , we set , and find the relation between and . We haveThus isBy Hurwitz genus formula, (7) is a genus 1 curve. Similarly, we can compute . Since and are invariants under , to compute we plug in instead of in (7) to getwhich is also a genus 1 curve. By applying Theorem 7 with , , and , we haveBy applying Poincaré’s complete reducibility theorem, we conclude that is isogenous to the product of the two elliptic curves (7) and (8).
For ease of computation we transform the elliptic curves and into Weierstrass form. First, we considerwith elliptic function field as in Figure 1.
In Figure 1, is the zero of and is the pole of in . is the extension of and , are extensions of . Sincewe setorBy plugging in and into , we getBy the transformationthe curve given by (14) is transformed intoBy the transformationthe curve given by (16) is transformed intoBy the above transformations, we have the elliptic curvewhich is isomorphic to with -invariant . We plug in into in (19) to obtain the elliptic curvewhich is isomorphic to with -invariant . From now on we consider the two elliptic curveswith andwith .
4. Three-Isogeny of and
The modular equation of level three is which is the modular curve reduced modulo 2. Since , and are 3-isogenous. In this section we find a 3-isogeny from to . We use the following theorem in  to find an isogeny.
Theorem 9 (Lercier ). Let be a subgroup (of odd order) of an elliptic curve . If , then there exist isogenies between and of kernel . One of these isogenies is given by where , .
In order to find a 3-isogeny using Theorem 9 we first find the 3-torsion points of the elliptic curve . Let be a point of the elliptic curve over a field of even characteristic with a point at infinity. Then and the formula for doubling a point is is a 3-torsion point if and only if ; that is, . To find the 3-torsion points we set or . If the equation has four roots, say, , and , then where . Now we find two of the 3-torsion points of . Since is a root for we plug in in and solve for to get or . The two points and are 3-torsion points of . Let be a subgroup of the elliptic curve and letbe two elliptic curves. There exists an isomorphism defined by , where . ThenThen is a subgroup of an elliptic curve . We can apply Theorem 9 to and with subgroup to get a 3-isogeny defined asDefine byThen is an isomorphism from to .
Let . Thenwhere is a 3-isogeny over the extension field of . Thus we have proved the following theorem.
Theorem 10. Let and be two elliptic curves defined over byThenwhere is a primitive third root of unity and is a 3-isogeny over the extension field of .
5. VDP on Hyperelliptic Curves over Fields of Even Characteristic
In this section, we set up the VDP on the hyperelliptic curve and prove that the VDP defined on the hyperelliptic curve is hard in general by showing the existence of a distortion eigenvector base. We have shown that the Jacobian ofdecomposes into a product of two elliptic curves and which are 3-isogenous over the extension field that contains the third roots of unity and , where . and have the same number of points over the extension field. We set up the VDP on as follows.
Choosesuch that has a large cyclic subgroup of rational points over , where , is odd, and is a prime greater than 3. Then we choose as two-dimensional vector space the -torsion points in the Jacobian of the hyperelliptic curve over the extension field and choose as one-dimensional subspace the subspace of that is rational over .
The following is a summary of the VDP setting: is Jacobian of the curve , aswhere , is odd, and is a prime greater than 3. ConsiderLet be a primitive third root of unity and letLet and let . We will show that is a distortion eigenvector base, where .
Lemma 11. For any element , ,and if is odd then
Proof. Let be a point in . Since , is fixed by . Thus . Since , isEquation (42) has genus 0. Therefore the class number of the Jacobian of (42) is 1 and hence . We have proved (40).
We need to show that :If is odd, then and hence .
Theorem 12. For an element of prime order , is a distortion eigenvector base for .
Proof. We begin by showing that is an eigenvector base for . Suppose that ; that is, for some . Thus . By (40) of Lemma 11, we have ; that is, . By (41) of Lemma 11, we have ; that is, . ThusThis is a contradiction to the assumption . Hence is a basis for . Note that . By Lemma 11, we haveThus is an eigenvector base. Now we show that is a distortion eigenvector base by showing the existence of a homomorphism and an integer with the property on . Let and let . Since the dual isogeny of is , we have
We have shown that the basis is a distortion eigenvector base and hence proved that the VDP for the proposed family of hyperelliptic curves is hard in general. It is permitted that the VDP be easy for some bases. In fact, for the bases and the VDP can be solved easily. Using the criteria for strong bases for the VDP given in , we may choose with as our basis for the VDP, for example, and , where are nonzero and .
Yoshida and Fujiwara introduced a new watermarking scheme for cryptographic data which is based on VDP. Duursma and Kiyavash showed that elliptic curves are not suitable for VDP and presented an infinite family of genus two hyperelliptic curves suitable for the VDP defined over a finite field of odd characteristic. In this paper, we introduce an infinite family of genus two hyperelliptic curves suitable for the VDP defined over a finite field of even characteristic.
Conflict of Interests
The author declares that there is no conflict of interests regarding the publication of this paper.
This research was supported by the Sookmyung Women’s University Research Grants (1-1103-0682).
- M. Yoshida, S. Mitsunari, and T. Fujiwara, “Vector decomposition problem and the trapdoor inseparable multiplex transmission scheme based problem,” in Proceedings of the Symposium on Cryptography and Information Security (SCIS '03), 2003.
- S. D. Galbraith and E. R. Verheul, “An analysis of the vector decomposition problem,” in Public Key Cryptography—PKC 2008, vol. 4939 of Lecture Notes in Computer Science, pp. 308–327, Springer, Berlin, Germany, 2008.
- M. Yoshida and T. Fujiwara, “Toward digital watermarking for cryptographic data,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E94-A, no. 1, pp. 270–272, 2011.
- M. Yoshida and T. Fujiwara, “Watermarking cryptographic data,” in Proceedings of the 5th International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IH-MSP ’09), pp. 40–43, September 2009.
- M. Yoshida, “Inseparable multiplex transmission using the pairing on elliptic curves and its application to watermarking,” in Proceedings of 5th Conference on Algebraic Geometry, Number Theory, Coding Theory and Cryptography, Graduate School of Mathematical Sciences, University of Tokyo, 2003.
- I. Duursma and N. Kiyavash, “The vector decomposition problem for elliptic and hyperelliptic curves,” Journal of the Ramanujan Mathematical Society, vol. 20, no. 1, pp. 59–76, 2005.
- N. P. Smart, “On the performance of hyperelliptic cryptosystems,” in Advances in Cryptology—EUROCRYPT '99, vol. 1592 of Lecture Notes in Computer Science, pp. 165–175, Springer, Berlin, Germany, 1999.
- S. Kwon and H.-S. Lee, “Analysis of the strong instance for the vector decomposition problem,” Bulletin of the Korean Mathematical Society, vol. 46, no. 2, pp. 245–253, 2009.
- E. Kani and M. Rosen, “Idempotent relations and factors of Jacobians,” Mathematische Annalen, vol. 284, no. 2, pp. 307–327, 1989.
- R. Lercier, “Computing isogenies in ,” in Algorithmic Number Theory, vol. 1122 of Lecture Notes in Computer Science, pp. 197–212, Springer, Berlin, Germany, 1996.
Copyright © 2015 Seungkook Park. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.