Abstract

Hyperelliptic curves have been widely studied for cryptographic applications, and some special hyperelliptic curves are often considered to be used in practical cryptosystems. Computing Jacobian group orders is an important operation in constructing hyperelliptic curve cryptosystems, and the most common method used for the computation of Jacobian group orders is by computing the zeta functions or the characteristic polynomials of the related hyperelliptic curves. For the hyperelliptic curve : over the field with being a power of an odd prime p, Duursma and Sakurai obtained its characteristic polynomial for , and . In this paper, we determine the characteristic polynomials of over the finite field for , 2 and , . We also give some computational data which show that many of those curves have large prime factors in their Jacobian group orders, which are both practical and vital for the constructions of efficient and secure hyperelliptic curve cryptosystems.

1. Introduction and Main Results

1.1. Hyperelliptic Curves and Cryptosystems

A hyperelliptic curve of genus over is defined by an equation of the form where , with and , and the equation system , , and has no solutions in .

For an extension of , the set is called the set of -rational points on . The symbol is called the point at infinity, and the other points are called finite points.

A divisor is defined as a finite formal sum of finite points or the infinity , while the Jacobian group (or simply called Jacobian) of the curve over is an Abelian group composed of some special divisors (i.e., reduced divisors) on . This Jacobian group is generally denoted as . A hyperelliptic curve cryptosystem (HECC) is a cryptosystem constructed on the Jacobian group of the hyperelliptic curve over a finite field. For example, the hyperelliptic curve digital signature algorithm (HECDSA) is a hyperelliptic curve version of an elliptic curve digital signature algorithm (ECDSA). The security of an HECC is based on the discrete logarithm problems in the corresponding Jacobian group.

Since HECC was invented by Koblitz [1] in 1989, it has been extensively researched, and it is now considered for practical cryptographic applications. For certain classes of hyperelliptic curves with specific parameters, the corresponding HECC can even have lower complexity than an elliptic curve cryptosystem at the same level of security [2].

In order to construct a secure HECC, one first has to choose a hyperelliptic curve over a finite field and then compute the order of its Jacobian group. If the order does not have a large prime factor, then the discrete logarithm problem in this Jacobian group may not be hard enough to guarantee the security of the HECC; such a hyperelliptic curve is not suitable for cryptographic use, and another curve must be chosen until the Jacobian group order has a large prime factor. But in most cases this computation is very time-consuming. Hence, computing the Jacobian group order is a very important step in the efficient implementation of HECC.

1.2. Zeta Functions and Jacobian Group Orders

The most common method used for the computation of Jacobian group orders is by computing the numerator of the zeta function of the related hyperelliptic curve, or equivalently by computing the characteristic polynomial of the hyperelliptic curve. The following results are due to Weil's theorem [3, 4] and Kedlaya's algorithm [5].

Let be a hyperelliptic curve of (1.1) over . For any positive integer , let denote the number of -rational points on . The zeta function of is defined as

Then
(a) is a rational function over and can be written as , where ;
(b) there exist complex numbers with such that
(c) the integer coefficient polynomial is called the characteristic polynomial of the Frobenius endomorphism on (it is also called the characteristic polynomial of over ), and it can be expressed as where for ;
(d) for any positive integer , the order of is given as

Hence, for any positive integer , the order of can be computed once is determined or once are computed.

For a positive integer , the quadratic character of is defined as

Obviously, holds for any . By using , we can compute as For any positive integer and every field element , the value of the extended quadratic character at can be computed as in .

1.3. Our Main Results

Let be the curve with the equation where and is a power of an odd prime . Then is a hyperelliptic curve of genus . In [6], Duursma and Sakurai presented of for and . That is, the numerator of the corresponding zeta function is given as respectively, where , , is a -th root of unity, and denotes the Legendre symbol.

In this paper, we compute the characteristic polynomials of with (, ) and obtain the following Table 1.

From the characteristic polynomials of the hyperelliptic curve over , the orders of Jacobian groups can be easily computed as For example, if is a primitive element modulo , then the characteristic polynomial of is where satisfies . Hence, the order of the Jacobian group of over is

If is an integer coprime to , let ; then also runs through all these roots when runs through all the roots of . Hence, we have

If is an integer not coprime to , let be the factor of such that , then we have That is, for any positive integer , the order of the Jacobian group of the curve over with being a primitive element modulo can be computed as where is the factor of such that .

In Table 2, we give some essential parameters with which the Jacobian group order of has some large prime factors, which shows that with these parameters may be used for cryptographic applications.

2. Isomorphic Curves, Twisted Curves, and Their Characteristic Polynomials

Two hyperelliptic curves of the same genus over the field are called isomorphic over if they are isomorphic as projective varieties over . If and are isomorphic over , then their Jacobian groups and are also isomorphic [7]. Hence, the hyperelliptic curve cryptosystem based on the Jacobian group of is equivalent to that based on the Jacobian group of .

From [8], we know when two hyperelliptic curves are isomorphic. Precisely, suppose and are two hyperelliptic curves with equations of the forms , respectively, where , (monic), , and . Then and are isomorphic over if and only if there exist , , and with , such that can be transformed into through the coordinate change:

In our case, a hyperelliptic curve is isomorphic to the hyperelliptic curve if and only if there exist and such that has the equation form

If , then has the equation form

By using (1.10), we can easily show that if and are isomorphic then their characteristic polynomials and are equal.

Theorem 2.1. Let and be a hyperelliptic curve of genus over of odd characteristic , and its characteristic polynomial. Let be a quadratic nonresidue in . Then, the hyperelliptic curve has the characteristic polynomial .

Proof. Let denote the number of rational points of the hyperelliptic curve over and let denote the extended quadratic character of . Since , we have, according to (1.10), The claim then follows from (1.6), (1.7), and (1.10).

The hyperelliptic curve is called a twisted curve of over by . For the curve , its twisted curve is a hyperelliptic curve of the equation with a quadratic nonresidue in .
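The point-counting route of Section 1.2 (quadratic character, Newton's identities, Jacobian order from the characteristic polynomial) and the twist relation of Theorem 2.1, worked through in code. This is an added example, not code from the paper: the genus-2 sample curve y^2 = x^5 - x + 1 over F_5, the model of F_25 as F_5[i]/(i^2 - d) with d a nonresidue, and all function names are constructed for the example.

```python
# Added example, not code from the paper: count the points of a genus-2 curve
# y^2 = f(x) over F_p and F_{p^2} with the quadratic character (Section 1.2),
# recover the characteristic polynomial from N_1, N_2 via Newton's identities,
# read off #J(F_p) = P(1), and check the twist relation of Theorem 2.1.
# The sample curve y^2 = x^5 - x + 1 over F_5 is a constructed input.
from itertools import product

def legendre(a, p):
    """Quadratic character of F_p: 0 for a = 0, +1 for a nonzero square, -1 otherwise."""
    a %= p
    return 0 if a == 0 else (1 if pow(a, (p - 1) // 2, p) == 1 else -1)

def nonresidue(p):
    """Smallest quadratic nonresidue modulo the odd prime p."""
    return next(d for d in range(2, p) if legendre(d, p) == -1)

# F_{p^2} is modelled as F_p[i]/(i^2 - d) with d a nonresidue; a + b*i is the pair (a, b).
def fp2_mul(x, y, p, d):
    (a, b), (c, e) = x, y
    return ((a * c + d * b * e) % p, (a * e + b * c) % p)

def fp2_pow(x, k, p, d):
    r = (1, 0)
    while k:
        if k & 1:
            r = fp2_mul(r, x, p, d)
        x, k = fp2_mul(x, x, p, d), k >> 1
    return r

def chi_fp2(x, p, d):
    """Extended quadratic character of F_{p^2}: x^((p^2-1)/2), read as 0, +1 or -1."""
    if x == (0, 0):
        return 0
    return 1 if fp2_pow(x, (p * p - 1) // 2, p, d) == (1, 0) else -1

def eval_fp2(f, x, p, d):
    """Horner evaluation of f (integer coefficients, highest degree first) at x in F_{p^2}."""
    acc = (0, 0)
    for c in f:
        acc = fp2_mul(acc, x, p, d)
        acc = ((acc[0] + c) % p, acc[1])
    return acc

def count_points(f, p, n):
    """N_n = #C(F_{p^n}) for y^2 = f(x), deg f odd, n in {1, 2}:
    p^n + 1 + sum_x chi(f(x)), the +1 being the single point at infinity."""
    if n == 1:
        # d = 0 and b = 0 keep the Horner evaluation inside F_p
        return p + 1 + sum(legendre(eval_fp2(f, (x, 0), p, 0)[0], p) for x in range(p))
    d = nonresidue(p)
    return p * p + 1 + sum(chi_fp2(eval_fp2(f, (a, b), p, d), p, d)
                           for a, b in product(range(p), repeat=2))

def char_poly(f, p):
    """Genus-2 characteristic polynomial [1, a1, a2, a3, a4], P(T) = T^4 + a1 T^3 + ... + a4.
    With S_k = sum_i alpha_i^k = p^k + 1 - N_k, Newton's identities give a1 = -S_1 and
    a2 = -(S_2 + a1 S_1)/2, and the functional equation gives a3 = p a1, a4 = p^2."""
    s1 = p + 1 - count_points(f, p, 1)
    s2 = p * p + 1 - count_points(f, p, 2)
    a1 = -s1
    a2 = -(s2 + a1 * s1) // 2
    return [1, a1, a2, p * a1, p * p]

def jacobian_order(P):
    """#J(F_p) = P(1) = prod_i (1 - alpha_i)."""
    return sum(P)

def twist(f, p):
    """Coefficients of d f(x), i.e. the twisted curve y^2 = d f(x) with d a nonresidue in F_p."""
    d = nonresidue(p)
    return [(d * c) % p for c in f]

if __name__ == "__main__":
    f = [1, 0, 0, 0, -1, 1]  # constructed sample: x^5 - x + 1
    P = char_poly(f, 5)
    print("P(T) =", P, "#J(F_5) =", jacobian_order(P))
    print("twist:", char_poly(twist(f, 5), 5), "(should be P(-T))")
```

For the sample curve `char_poly` returns the coefficients of P(T), and `char_poly(twist(f, 5), 5)` returns the same coefficients with alternating signs, which is P(-T) as Theorem 2.1 states. For genus g the same recipe needs N_1, ..., N_g, so an F_{p^n} implementation for every n up to g; the block stops at g = 2 to keep the field arithmetic explicit.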

In the following, we compute the characteristic polynomials of over with .

Case 1. For the curve with and , has isomorphic curves over , which are Hence, there are three isomorphism classes of hyperelliptic curves over , which are denoted as , and , respectively.
If and is a quadratic nonresidue modulo , then its twisted curve or belongs to .
According to [9], we know that the characteristic polynomial of the hyperelliptic curve over is
For all the curves in or , Duursma [9] proved that their characteristic polynomials are , respectively.

For example, the curve over and the curve over have the characteristic polynomials and , respectively. The curves in or have the characteristic polynomial or , respectively. The curves in or have the characteristic polynomial or , respectively.

Case 2. Over , the hyperelliptic curve is a quotient of the Hermitian curve , which is maximal, and it follows that over , has the characteristic polynomial [10]

Based on the following Theorem 2.6, for any , the curve is isomorphic to . Thus, over also has the characteristic polynomial (2.13). And it follows that the characteristic polynomial of over equals

Case 3. Suppose . Then for the fixed and all , all the hyperelliptic curves are isomorphic. Hence, each of these curves is isomorphic to its twisted curve. Thus, the coefficients of the terms of odd degrees in their corresponding characteristic polynomials are zero. In fact, we have the following Lemma 2.2.

Lemma 2.2. Suppose is an odd prime number, , and is a positive integer satisfying . Then holds if one of the following three conditions is satisfied: (1) or is odd; (2) is even and is a primitive root modulo .

Proof. Suppose is odd, and let be a quadratic nonresidue in . Then, we have and it follows that .
Let or be even and be a primitive root modulo . We first show that runs through if runs through . This is equivalent to showing that for any , if , then . That is, we have to show that the equation has no nonzero solution in .
Assume that is a nonzero root of in , that is, . Then we have , and it follows that , that is, or . Thus, or , which is impossible. Therefore,

Lemma 2.3. For any odd prime number , we have

Proof. comes directly from Lemma 2.2 if is odd.
Suppose is even and . Let be the coefficients of the characteristic polynomial (2.14); then if is odd, and if is even. Thus, from (1.7), we have From the above equation and (2.19), we can inductively show

Theorem 2.4. Suppose is an odd prime number and . Let be the order of in the multiplicative group . Then, the characteristic polynomial of the curve over is

Proof. Since is isomorphic to , we only have to consider the curve over .
Let ; then for . For any even positive integer not divisible by , since , the mapping is a one-to-one mapping on ; hence, we have It follows that based on (1.7) and Lemma 2.2. Thus, for all positive integers satisfying , the coefficients of the characteristic polynomial of are equal to 0.
Let be a generator of the cyclic multiplicative group ; then there exists an integer such that and , and it follows that there exists an integer satisfying , and Let ; then and From or , we know that there exist integers such that , and it follows that there exists an integer such that If is even, then we have Hence, Thus, from (2.21), we have
In addition, for any positive integer , we have And so for , based on (2.21), we have
Therefore, for , the coefficients of the corresponding characteristic polynomial are as follows: Hence, the characteristic polynomial for even is In particular, if is a primitive element modulo , we have
Suppose is odd. Then , and is the smallest even positive integer satisfying . According to the equalities (2.25) and (2.27), we have where for some integer . It follows that holds for any positive integer .
Since for any odd integer , we have . Hence, similarly to the proof of formula (2.21), for any positive integer , we have Hence, the corresponding characteristic polynomial coefficient for equals Thus, the corresponding characteristic polynomial is

For example, let ; then is not a primitive root modulo . In fact, we have , and the characteristic polynomial of the curve over is .

Case 4. Now we consider the curves over .

Theorem 2.5. Suppose is an odd prime number. (1) The curve over has the characteristic polynomial (2) For any nonzero element , all the roots of the equation are in . Therefore, for every nonzero element , the hyperelliptic curve over has the characteristic polynomial

Proof. (1) If for , then we have Hence, It follows that if are all the roots of the characteristic polynomial of over , then and so we have It follows that for . Hence, the characteristic polynomial of the curve over is
(2) Let be a root of ; then , and it follows that , which means .
For any element in , let be a root of the equation in and a root of . Then , and so the curve is isomorphic to . Hence, for any nonzero element , the curve has the characteristic polynomial

For example, let be a root of ; then the curve : over has the characteristic polynomial Since is a quadratic nonresidue in , the curve : is a twisted curve of . Hence, the characteristic polynomial of is

Suppose is a root of . Then the curve : over has the characteristic polynomial Since is a quadratic nonresidue in , the curve : is a twisted curve of , and has the characteristic polynomial

Theorem 2.6. Suppose is an odd prime number. Then: (1) the equation has roots in if and only if .
For any , the curve is isomorphic to the curve over if and only if .
(2) For any , the curve is isomorphic to the curve over .

Proof. (1) Suppose and is a root of . Then , and it follows that , which implies . On the other hand, if is a root of in , then , which implies .
Let be a root of in ; then , and over , the curve is isomorphic to the curve , that is, .
(2) Suppose and are two different elements in . Then, obviously, . Let be a square root of in , and let . Then, .
According to (1), the equation has roots in . Let be a root of ; then, over , the curve is isomorphic to the curve That is, is isomorphic to over , since we have

For any , the curve has the same characteristic polynomial.

Theorem 2.7. Suppose is an odd prime number and . If , then for every , the curve is a twisted curve of some curve of the form with . If , then for every , the curve is isomorphic to the curve over .
Hence, over , the characteristic polynomial of the curve with is

Proof. Let be a generator of the cyclic multiplicative group .
(1) Assume . Set ; then It follows that is a quadratic nonresidue in , and the curve is a twist of the curve . Hence, due to Theorems 2.1 and 2.5, the curve has the characteristic polynomial
(2) Assume . Let , , and . Then , and the curve is isomorphic to the curve It follows that is isomorphic to the curve , since and . Therefore, for every , the curve has the same characteristic polynomial as the curve over , that is, In summary, for any odd prime number, the characteristic polynomial of the curve is

Theorem 2.8. Suppose is an odd prime number, , and . If , let be the order of in , that is, . If , let and let be the smallest positive integer such that . (1) Suppose . Then , and the characteristic polynomial is (2) Suppose ; then the characteristic polynomial of the curve over is

Proof. (1) If , then since . Let be a generator of the cyclic multiplicative group . Then, there exists an integer satisfying , , and .
If , then is odd. Let ; then is a quadratic nonresidue in . Hence, the curve has a twisted curve defined by the equation If , then , or and , which means . Hence, the curve is isomorphic to the curve . Thus, over , the curve has the characteristic polynomial , that is, .
If , that is, and , then according to Theorem 2.7, has the characteristic polynomial
If , then is even. Let and ; then the curve , that is, , is isomorphic to the curve
It is clear that if and only if . Hence, based on Theorems 2.6 and 2.7, the curve has the characteristic polynomial
For , we can also show our result as follows.
Set with . Then are the distinct nonzero roots of in . Hence, if is a nonzero root of in , we have Thus, according to (1.4) and (1.10), each root of the corresponding characteristic polynomial equals . It follows that the corresponding characteristic polynomial is
(2) If , then is a root of . Set and ; then, over the field , is isomorphic to , that is, . Hence, we only have to compute the characteristic polynomial of the curve over .
(i) If , then means . Suppose is a primitive root of ; then the equation has only the zero root in for any positive integer , and it follows that the -th coefficient of the characteristic polynomial of is 0.
Now we compute the -th coefficient . Let be a generator of the cyclic multiplicative group ; then there exists an integer satisfying , , and .
Set ; then , , and . Hence, based on Lemma 2.3, we have where denotes the extended quadratic character of the degree extension of (i.e., ), which is equivalent to , the extended quadratic character of the degree extension of . Thus, Therefore, the corresponding characteristic polynomial is
(ii) Suppose and ; then, similarly to the proof of Theorem 2.4, the corresponding characteristic polynomial coefficients are as follows if is even: for , while the other coefficients are equal to zero. Hence, the corresponding characteristic polynomial is
In the same way, we can show that if is odd, the corresponding characteristic polynomial is .
(iii) Suppose ; then . If an integer satisfies and , then the corresponding characteristic polynomial is .
Now suppose is the smallest integer such that and . Then . Otherwise, let with an integer and . Then , and it follows that , which contradicts being the smallest integer satisfying . Set , . Clearly, .
For any positive integer satisfying , since has no nonzero root in , we have which implies the corresponding characteristic polynomial coefficient .
Hence, we only have to compute the characteristic polynomial coefficients for .
Let be a generator of the cyclic multiplicative group or . Then there exists an integer such that . Since , we have and it follows that must be a positive integer. Set , where is some positive integer satisfying , due to the minimality of .
From or , we can deduce that there exists a positive integer such that Hence, we have Let ; then , and for every integer , we have According to (2.21), we obtain Therefore, the corresponding characteristic polynomial coefficient can be computed as follows: and it follows that the corresponding characteristic polynomial is

3. Some Hyperelliptic Curves Suitable for Cryptographic Applications

Because of Pollard's rho algorithm, the index-calculus algorithm, and their modified versions [11–14], the order of the Jacobian group should have a large prime factor or be almost a large prime (i.e., the order should be a large prime times a small integer), and hyperelliptic curves of genus greater than 3 may not be secure for cryptographic applications. Otherwise, the discrete logarithm problem on the Jacobian group may be solvable in subexponential or even polynomial time. Hence, the characteristic polynomial of should be irreducible over the rational number field, and the field characteristic should be no larger than 7 when the curve is considered for cryptographic use. The following Table 2 lists some values of with which have reducible characteristic polynomials over the rational number field and so are not secure for cryptographic applications.

According to Theorem 1 in [15], the curve over is supersingular, and thus the parameters (the characteristic and the extension degree of ) have to be chosen carefully to defend against an MOV-type attack, in which the group is embedded in the multiplicative group of a finite field. Furthermore, the curves have a large automorphism group [16], so the size of the Jacobian should be large enough to defend against a parallelized Pollard rho-type attack.

If the characteristic polynomial of a hyperelliptic curve over is determined, then for any positive integer , the Jacobian group order can be computed as (1.8).

But if finding the roots of is computationally expensive, then one can obtain the Jacobian group order by computing the determinant of the -matrix , where is the companion matrix of , that is,

For a positive integer , by taking modulo in the polynomial ring and setting , we obtain that is a monic polynomial of degree no larger than , and this may be another, more efficient method for computing the Jacobian group order when the field extension degree is very large. For with , , and , Duursma and Sakurai gave a table of the bit sizes of the largest prime factors of the Jacobian group orders for some parameters in [6]. In Table 3, we list some parameters with which the Jacobian group orders have large prime factors, together with the corresponding characteristic polynomials, the largest prime factors, and their bit sizes. Here, "Bits" in Table 3 denotes the bit size of the largest prime factor of the corresponding Jacobian group order, is a root of , and is a root of .
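The two root-free ways of obtaining the Jacobian group order from the characteristic polynomial that the preceding paragraphs describe, as an added example that is not the paper's code: the determinant of I - M^n with M the companion matrix, and a reduction of T^n modulo P(T). The paper's exact construction for the second method is elided, so the resultant formulation used here (#J(F_{q^n}) = prod_i (1 - r(alpha_i)) with r(T) = T^n mod P(T), computed as a Sylvester determinant) is an assumption. The sample polynomial T^4 + 5T^3 + 15T^2 + 25T + 25 with q = 5 and all function names are constructed for the example; the largest-prime-factor routine is plain trial division, adequate for the sample but not for orders of the size listed in Table 3.

```python
# Added example, not the paper's code: from the characteristic polynomial P(T) of a
# curve over F_q, compute #J(F_{q^n}) = prod_i (1 - alpha_i^n) without solving for the
# roots, (a) as det(I - M^n) with M the companion matrix of P and (b) as the resultant
# of P(T) with 1 - (T^n mod P(T)); then find the largest prime factor and its bit size.
# SAMPLE_P = T^4 + 5T^3 + 15T^2 + 25T + 25 (q = 5, genus 2) is a constructed input.
from fractions import Fraction

SAMPLE_P = [1, 5, 15, 25, 25]  # monic, highest degree first, degree 2g = 4

def det(m):
    """Exact determinant over the rationals by Gaussian elimination with row swaps."""
    a = [[Fraction(v) for v in row] for row in m]
    n, d = len(a), Fraction(1)
    for c in range(n):
        piv = next((r for r in range(c, n) if a[r][c] != 0), None)
        if piv is None:
            return 0
        if piv != c:
            a[c], a[piv] = a[piv], a[c]
            d = -d
        d *= a[c][c]
        for r in range(c + 1, n):
            f = a[r][c] / a[c][c]
            for k in range(c, n):
                a[r][k] -= f * a[c][k]
    return int(d)

def companion(P):
    """Companion matrix of monic P = T^m + a1 T^(m-1) + ... + a_m; its eigenvalues are the roots of P."""
    m = len(P) - 1
    M = [[int(j == i - 1) for j in range(m)] for i in range(m)]  # ones on the subdiagonal
    for i in range(m):
        M[i][m - 1] = -P[m - i]  # last column holds -a_m, ..., -a_1
    return M

def mat_mul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)] for i in range(n)]

def mat_pow(M, e):
    """Square-and-multiply, so M^n costs O(log n) matrix products."""
    R = [[int(i == j) for j in range(len(M))] for i in range(len(M))]
    while e:
        if e & 1:
            R = mat_mul(R, M)
        M, e = mat_mul(M, M), e >> 1
    return R

def order_by_matrix(P, n):
    """#J(F_{q^n}) = det(I - M^n), since the eigenvalues of M^n are the alpha_i^n."""
    Mn = mat_pow(companion(P), n)
    m = len(Mn)
    return det([[int(i == j) - Mn[i][j] for j in range(m)] for i in range(m)])

def poly_mod(A, P):
    """A(T) mod P(T) for monic integer P (highest degree first), padded to length deg P."""
    A, m = A[:], len(P) - 1
    while len(A) > m:
        lead = A.pop(0)
        for k in range(m):
            A[k] -= lead * P[k + 1]
    return [0] * (m - len(A)) + A

def resultant(P, Q):
    """Sylvester-matrix resultant; for monic P of degree m it equals prod_{P(alpha)=0} Q(alpha)."""
    m, k = len(P) - 1, len(Q) - 1
    rows = [[0] * i + P + [0] * (k - 1 - i) for i in range(k)]
    rows += [[0] * i + Q + [0] * (m - 1 - i) for i in range(m)]
    return det(rows)

def order_by_resultant(P, n):
    """#J(F_{q^n}) = prod_i (1 - r(alpha_i)) with r(T) = T^n mod P(T), of degree < 2g."""
    Q = [-c for c in poly_mod([1] + [0] * n, P)]
    Q[-1] += 1
    return resultant(P, Q)

def largest_prime_factor(n):
    """Largest prime factor by trial division (fine for the sample; Table 3 sizes need a real factoring tool)."""
    largest, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            largest, n = d, n // d
        d += 1
    return max(largest, n) if n > 1 else largest

if __name__ == "__main__":
    for n in range(1, 5):
        order = order_by_matrix(SAMPLE_P, n)
        lp = largest_prime_factor(order)
        print(f"n={n}: #J(F_(5^{n})) = {order}, largest prime factor {lp}, bits {lp.bit_length()}")
```

Both routes agree for every n, and for n = 1 they reduce to P(1), which is how (1.8) is usually evaluated directly; the matrix route needs only integer arithmetic on a 2g x 2g matrix, while the resultant route keeps all polynomials of degree below 2g, which is what makes it attractive for large extension degrees.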

For the listed parameters in Table 3, the corresponding Jacobian group orders are almost large primes, and so these hyperelliptic curves are suitable for secure hyperelliptic curve cryptographic applications.

4. Conclusion

The computation of hyperelliptic curve Jacobian group orders is an essential step in constructing HECC. At present, the most common method used for the computation of Jacobian group orders is by computing the zeta functions or the characteristic polynomials of the related hyperelliptic curves. Hence, computing the characteristic polynomials of hyperelliptic curves is very useful, and often challenging, work.

In this paper, we determine the characteristic polynomials of over the finite field for and . Using the characteristic polynomials, one can easily compute the Jacobian group orders. We also describe some parameters with which the Jacobian group orders of have large prime factors.

Hyperelliptic curves of genus larger than 3 are not secure for cryptographic applications, since the corresponding hyperelliptic curve discrete logarithm problems can be solved by the index-calculus algorithm or its modified versions in subexponential time. Hence, we should be careful when the curve with is used for practical cryptosystems. If implementation speed is the first consideration in the construction of an HECC, while security is not in high demand, then one may choose the curve with some high genus or with a Jacobian group order that has no very large prime factor. Besides, some special hyperelliptic curves having fast arithmetic over finite fields have efficient applications in pairing-based cryptosystems or identity-based cryptosystems ([15, 17]).

Since the (divisor) scalar multiplication is the most time-consuming operation, we will employ the characteristic polynomials of obtained here to develop efficient scalar multiplication algorithms on in our future work.

Acknowledgments

The authors would like to thank Professor Shuhong Gao for his comments which greatly improved this paper. The authors would also like to thank the anonymous referee for the careful review and the valuable comments. This research is supported by the Zhejiang Natural Science Foundation of Outstanding Youth Team Project (no. R1090138), the National Science Foundation of China (no. 60763009), and the Science and Technology Key Project of the Ministry of Education of China (no. 207089).