Abstract
In elliptic curve cryptography (ECC) and hyperelliptic curve cryptography (HECC), the size of the ciphertext space, defined by the cardinality of the Jacobian, is a significant factor in measuring the security level. Point counting on Jacobians of elliptic curves can be done in polynomial time by the Schoof–Elkies–Atkin (SEA) algorithm. However, point counting on Jacobians of hyperelliptic curves is solved less satisfactorily than on elliptic curves. So, we consider the construction of a cover map from hyperelliptic curves to elliptic curves in order to convert point counting problems on hyperelliptic curves into those on elliptic curves. The cover map can also be used as a kind of cover attack. Given an elliptic curve over an extension field of degree , one might try to use the cover attack to reduce the discrete logarithm problem (DLP) in the group of rational points of the elliptic curve to DLPs in the Jacobian of a curve of genus over the base field. An algorithm has been proposed for finding genus 3 hyperelliptic covers as a cover attack on elliptic curves with cofactor 2. Our algorithms concern the cover map from hyperelliptic curves of genus 2 to elliptic curves of prime order. As an application, an example of an elliptic curve whose order is a 256-bit prime and which is vulnerable to our algorithms is given.
1. Introduction
The Weil restriction of scalars has significant implications in ECC. This idea was proposed by Frey and Gangl [1] as an attack on the elliptic curve discrete logarithm problem (ECDLP) and was then developed further in [2, 3]. A nonconstant morphism between an algebraic curve over and an elliptic curve over is a way to achieve this attack. Based on the constructive Weil restriction, Scholten [4] constructed hyperelliptic curves whose Jacobian is isogenous to the Weil restriction of an elliptic curve and then counted points on the hyperelliptic curve by using an algorithm to count points on the elliptic curve.
Jacobians of hyperelliptic curves have been proposed for use in public key cryptography [5]. In ECC and HECC [6], the size of the ciphertext space, defined by the cardinality of the Jacobian, is significant in measuring the security level. Specifically, the cardinality should be a prime times a small so-called cofactor in order to resist the baby-step giant-step attack and the Pohlig–Hellman attack [7]. For elliptic curves, there is a practical algorithm, SEA, to count the number of points over finite fields [8–10]. However, for hyperelliptic curves, no subexponential general algorithm is currently known except for some small sets of examples [11], which is an impediment to their use. An algorithm proposed by Gaudry and Harley [12] to compute the order of the Jacobian of a random hyperelliptic curve would run for about a week for a genus 2 curve defined over an 80-bit field. In 2003, Scholten [4] proposed a way of counting for hyperelliptic curves of the special type , where is the generator of the Galois group of a quadratic extension. Inspired by Scholten, we consider that the cover map can help to count the order of Jacobians of hyperelliptic curves; the crucial point is to find the cover map from some specific hyperelliptic curves to elliptic curves.
The ECDLP is the fundamental building block of ECC and has attracted the attention of many researchers [13–17]. For many elliptic curves over finite fields, the fastest known algorithms for the ECDLP are still the generic algorithms, i.e., the generic DLP attacks applied to the elliptic curve group. But there are also many families of elliptic curves, in particular those over nonprime fields, for which the ECDLP can be solved faster by other methods, such as summation polynomials and cover attacks. The former were proposed by Semaev [18] in order to find out whether index calculus is applicable to the ECDLP; Diem [14] and Gaudry [19] then independently used them to solve the ECDLP over small-degree extension fields. A cover attack [20] aims at reducing the DLP in the group of rational points of an elliptic curve over to a DLP in the Jacobian of a curve over . The main idea of cover attacks is Weil descent, which was first introduced into cryptography by Frey [1]. The major difficulty lies in constructing the curve , which was first solved by Gaudry, Hess, and Smart (GHS) [3] over binary fields and generalized by Diem [21] to odd characteristic. For DLPs in the Jacobian of the curve , the decomposition attack was proposed by Gaudry [22] for hyperelliptic curves over and then extended to by Nagao [23] using Riemann–Roch spaces. To cover all composite-degree extension fields, Joux and Vitse [24] combined Weil descent and the decomposition attack. They used the GHS attack for the Weil descent part; however, the GHS attack cannot produce a cover of small genus, and so the whole attack does not work well, when the elliptic curve has cofactor 2 over a cubic extension field. Tian et al. [25] used the results of reference [26] to fill this gap in GHS. In ECC, elliptic curves of prime order are of great interest, so it is useful to focus on elliptic curves of cofactor 1 over quadratic extension fields.
Inspired by reference [25], we try constructing genus 2 hyperelliptic covers for this kind of elliptic curves.
The above two applications motivate us to construct genus 2 hyperelliptic covers. We can use the cover both to count the order of Jacobians of hyperelliptic curves and to attack the ECDLP.
1.1. Contribution
The contribution of our work is that we construct cover maps from a hyperelliptic curve of genus 2 to an elliptic curve of prime order over a quadratic extension field. The whole process is based on the results in references [4, 25, 26]. The corresponding pattern of the map is that the Weierstrass points of the hyperelliptic curve lie over the 2-torsion points of the elliptic curve. Under the given restrictions, we obtain a system of equations that can be solved easily and whose solutions determine the cover maps.
We focus on genus 2 hyperelliptic curves, which seem to be less vulnerable to attacks than others. For the equations of the hyperelliptic curves , we give propositions about the form of , which narrow down the hyperelliptic curves suitable for our algorithm. There is also the relationship when satisfies , which is useful for counting applications. If we want to count the order of the Jacobian of a hyperelliptic curve , then the experiment can begin with the hyperelliptic curve and aim at finding the corresponding elliptic curve . Then, SEA can be used to compute the cardinality of and hence to evaluate in polynomial time, as long as the cover map exists. At the end of the study, we give an example over a 128-bit field to show that our algorithm is faster than previous achievements.
As a kind of cover attack, our map can transfer the DLP in an elliptic curve of prime order into DLPs in the Jacobian of a hyperelliptic curve, which can then be solved by the decomposition attack of Nagao [23]. The main difference between GHS and our method is that the results of the former are mainly nonhyperelliptic curves, while our algorithms produce hyperelliptic curves. We can then construct an isogeny from Jac to the Jacobian of a nonhyperelliptic curve to reduce the time complexity. So, the method in this study has the same complexity as the GHS attack. The isogeny walk can also extend the scope of curves vulnerable to our attack. In experiments, we count the number of isomorphism classes of in the specific form over relatively small fields and find that all of these elliptic curves can be attacked by our algorithm (Table 1).
Inspired by Satoh [27], we can also use our algorithms to generate the required hyperelliptic curves, which can be viewed as a by-product of the counting method. For example, if a hyperelliptic curve whose Jacobian has prime order is required, then we can randomly select an elliptic curve of prime order as the input of our algorithms. If we can construct the cover map successfully, then the required hyperelliptic curve, together with the order of its Jacobian, is obtained. Otherwise, we select another elliptic curve. The whole process can be viewed as a probabilistic polynomial-time algorithm.
We published a small part of this work [28] at the Australasian Conference on Information Security and Privacy 2019. In reference [28], we only introduced in detail the algorithm for the case when deg = 2 and is reducible. In this study, we offer complete proofs of all the propositions and new algorithms for the case when deg = 3, which is more complex than before. Moreover, more experiments on these new algorithms are given in Section 4.
2. Preliminaries
In this section, we review some important results on elliptic curves and hyperelliptic curves; we assume that the reader is familiar with the notions and results of algebraic curves [29].
2.1. Cover Maps
Let be a map of degree from a curve of genus 2 to a curve of genus 1 and let be the hyperelliptic involution on . The hyperelliptic involution induces a rational involution on that satisfies . Let and be the curves of genus 0 obtained by taking the quotients by these involutions. The quotient map ramifies at 6 points , which are called the Weierstrass ramification points of . The map ramifies at 4 points , which are called the ramification points of over . There is also a map . The following lemma [26] describes the relationship among the ramification points.
Lemma 1. Let , be the Weierstrass ramification points of H and , be the ramification points of E over . Let and be the images of these points in and , respectively. Then contains with odd multiplicity and any other point of with even multiplicity, for each .
This lemma determines the pattern of the correspondence between and . We give the following two kinds of maps, of even degree and of odd degree, respectively. In the diagram, represents evenly ramified points, which are therefore other points of .
More details, such as the degree of the map and the ramification index of the map at , will be discussed in Section 3.
2.2. 2-Torsion Subgroup of the Jacobian
Let denote the finite field of elements and let be the algebraic closure of the prime field . Then, the unique subfield of with elements, , is an extension field of . Suppose that the Jacobian of over is isogenous to the product of and , which have the same number of points over . That is, .
A hyperelliptic curve of genus is determined by an equation , where is a polynomial of degree or without multiple roots. The curve of degree (resp. ) is termed an imaginary (resp. a real) hyperelliptic curve, and every hyperelliptic curve can be written in the form of a real hyperelliptic curve. Let be a real hyperelliptic curve; then there are Weierstrass points, . By the corollary in reference [30], every 2-torsion element of is of the form , where and must be even. The set satisfies the following three properties: (i) ; (ii) , where refers to the complement set; (iii) , where .
If is an -rational factor of with even degree, then a divisor can be defined by div , and the order of the divisor class is 2 if and only if deg . So, if and the degrees of and are even, we obtain two distinct divisor classes and .
3. Our Algorithms
In this section, we give algorithms to find cover maps of different degrees from hyperelliptic curves of genus 2 to elliptic curves of prime order. First, we give two basic propositions, concerning the order of the Jacobian and the form of the equation of the hyperelliptic curve. Then we give the algorithms for deg = 2, in the course of which we find a more specific form of the equation of the hyperelliptic curve. Finally, we give an algorithm for deg = 3, which is more complex than that for deg = 2. After each algorithm, we also give a statistical analysis of the maps of the corresponding degree, based on experimental results in small fields.
3.1. Theory Derivation for the Algorithms
In this subsection, we compute the order of the Jacobian and the equations of the hyperelliptic curves. For a smooth projective curve of genus , the polynomial is the numerator of the zeta function:
The order of the group of rational points on the Jacobian of C is as follows:where is the characteristic polynomial of the Frobenius endomorphism.
Lemma 2. Let be a genus curve with simple Jacobian such that there is a nonconstant morphism . Then is isogenous to the Weil restriction of E with respect to , denoted by . So, the characteristic polynomial of the Frobenius endomorphism of equals that of : with .
Proposition 1. If has simple Jacobian over and split Jacobian over , then .
Proof. If is regarded as a curve of genus 2 over , then from equation (2) we obtain If is regarded as a curve of genus 2 over , then we obtain So Because the Jacobian splits over , we deduce that Combining equations (3), (5), and (6), we get , which is what we need in order to evaluate .
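The following script is an added example and not part of the paper; it makes the bookkeeping of this subsection executable without Sage or Magma. It computes the numerator of the zeta function of a genus-2 curve from its point counts over the base field and its quadratic extension, evaluates it at 1 to obtain the order of the Jacobian, and checks the Weil-restriction relation behind Lemma 2 and Proposition 1: if the Jacobian of the cover is isogenous to the Weil restriction of E, the Frobenius of the Jacobian has eigenvalues ±√α, ±√β where α, β are the Frobenius eigenvalues of E over the quadratic extension, so its characteristic polynomial is T^4 − tT^2 + q^2 and the order of the Jacobian over the base field equals #E over the extension. That explicit form, and the resulting point counts q + 1 and q^2 + 1 − 2t of the cover, are derived here and are our assumptions, not statements quoted from the paper. All curves below (E1: y^2 = x^3 + x + 1 over F_5, E2: y^2 = x^3 + x + i over F_9, H: y^2 = x^6 + 1 over F_5) are constructed for illustration; the field F_{p^2} is built as F_p[i]/(i^2 − nr) with nr the smallest nonresidue.

```python
# Added example (not from the paper): point-count bookkeeping for Section 3.1.
# F_p and F_{p^2} arithmetic is implemented from scratch so the script runs offline.

def smallest_nonresidue(p):
    """Smallest quadratic nonresidue modulo an odd prime p (Euler's criterion)."""
    for n in range(2, p):
        if pow(n, (p - 1) // 2, p) == p - 1:
            return n
    raise ValueError("p must be an odd prime")


class Fp2:
    """F_{p^2} = F_p[i]/(i^2 - nr); elements are pairs (a, b) meaning a + b*i.
    The subfield F_p consists of the pairs (a, 0)."""

    def __init__(self, p):
        self.p, self.nr, self.q = p, smallest_nonresidue(p), p * p

    def add(self, x, y):
        return ((x[0] + y[0]) % self.p, (x[1] + y[1]) % self.p)

    def mul(self, x, y):
        a, b = x
        c, d = y
        return ((a * c + self.nr * b * d) % self.p, (a * d + b * c) % self.p)

    def pow(self, x, e):
        r, base = (1, 0), x
        while e:
            if e & 1:
                r = self.mul(r, base)
            base = self.mul(base, base)
            e >>= 1
        return r

    def elements(self, subfield=False):
        bs = [0] if subfield else range(self.p)
        return [(a, b) for a in range(self.p) for b in bs]

    def is_square(self, x, order):
        """Euler criterion in the field of the given order (p or p^2); 0 counts as a square."""
        return x == (0, 0) or self.pow(x, (order - 1) // 2) == (1, 0)


def evaluate(F, coeffs, x):
    """Horner evaluation; coeffs[k] is the coefficient of x^k."""
    acc = (0, 0)
    for c in reversed(coeffs):
        acc = F.add(F.mul(acc, x), c)
    return acc


def count_points(F, coeffs, extension):
    """Number of points of the smooth model of y^2 = f(x) over F_p (extension=False)
    or F_{p^2} (extension=True).  Odd degree: one point at infinity; even degree
    (real model): two if the leading coefficient is a square, otherwise none."""
    order = F.q if extension else F.p
    n = 0
    for x in F.elements(subfield=not extension):
        v = evaluate(F, coeffs, x)
        n += 1 if v == (0, 0) else (2 if F.is_square(v, order) else 0)
    if (len(coeffs) - 1) % 2 == 1:
        return n + 1
    return n + (2 if F.is_square(coeffs[-1], order) else 0)


def genus2_L_polynomial(q, n1, n2):
    """[1, c1, c2, q*c1, q^2]: numerator P(T) of the zeta function of a genus-2
    curve H over F_q, from n1 = #H(F_q) and n2 = #H(F_{q^2})."""
    c1 = n1 - q - 1
    c2 = (n2 - q * q - 1 + c1 * c1) // 2
    return [1, c1, c2, q * c1, q * q]


def jacobian_order(L):
    """#Jac(F_q) = P(1)."""
    return sum(L)


def weil_restriction_charpoly(q, t):
    """Characteristic polynomial T^4 - t*T^2 + q^2 (constant term first) of Frobenius on
    the Weil restriction to F_q of E/F_{q^2} with trace t: eigenvalues +-sqrt(alpha),
    +-sqrt(beta).  Our derivation from Lemma 2, not a formula quoted from the paper."""
    return [q * q, 0, -t, 0, 1]


def covered_jacobian_order(q, t):
    """chi(1) = 1 - t + q^2 = #E(F_{q^2}): the order of the Jacobian of a genus-2
    cover H/F_q of E, which is what Proposition 1 is used for."""
    return sum(weil_restriction_charpoly(q, t))


def demo():
    F5, F3 = Fp2(5), Fp2(3)
    e1 = [(1, 0), (1, 0), (0, 0), (1, 0)]            # E1: x^3 + x + 1 over F_5
    n1, n2 = count_points(F5, e1, False), count_points(F5, e1, True)
    e2 = [(0, 1), (1, 0), (0, 0), (1, 0)]            # E2: x^3 + x + i over F_9
    n_e2 = count_points(F3, e2, True)
    t2 = F3.q + 1 - n_e2                             # trace of E2 over F_9
    # A genus-2 cover H/F_3 of E2 would have #H(F_3) = 3 + 1 and #H(F_9) = 9 + 1 - 2*t2.
    L_cover = genus2_L_polynomial(3, 3 + 1, 9 + 1 - 2 * t2)
    h = [(1, 0)] + [(0, 0)] * 5 + [(1, 0)]           # H: y^2 = x^6 + 1 over F_5
    L_h = genus2_L_polynomial(5, count_points(F5, h, False), count_points(F5, h, True))
    return {"E1_counts": (n1, n2), "E1_hasse_ok": n2 == 36 - (6 - n1) ** 2,
            "E2_order_over_F9": n_e2, "cover_order": covered_jacobian_order(3, t2),
            "cover_L": L_cover, "cover_order_via_L": jacobian_order(L_cover),
            "H_L_polynomial": L_h, "H_jacobian_order": jacobian_order(L_h)}
```

E1 is defined over F_5, so its order over F_25 factors as (p + 1 − t)(p + 1 + t) and can never be prime; this is why the paper's target curves are defined over the quadratic extension itself, as E2 is (order 7 over F_9). For E2 the two routes to the order of a covering Jacobian agree, and for H the brute-force counts give #Jac(H)(F_5) = 36, consistent with Jac(H) splitting as E × E for E: y^2 = x^3 + 1, which has 6 points over F_5.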
Proposition 2. Let H be a genus hyperelliptic curve and assume that H is given by with f a polynomial of degree in . If H has split Jacobian with odd, then is irreducible or a product of two irreducible polynomials of degree .
Proof. We already know that the characteristic polynomial of the Frobenius endomorphism of is with . Because is prime, is odd. Then, , where is the characteristic polynomial of the Frobenius endomorphism of . So, is fixed by , which means that the 2-torsion points of are all rational. Hence, is a product of linear factors over , which means that the degrees of the -irreducible factors of must divide 6. So, if has more than 2 factors, there are two cases: (i) is a product of three -irreducible polynomials, and then there must be an irreducible factor of degree 2. This factor of degree 2 can be factored into over . So, we can define a divisor by div . The elements of Gal leave unchanged, which shows that is a -rational divisor class of order 2. This contradicts our assumption that is a prime, so this case is excluded. (ii) , and then there must be . We can define by div , similarly to the first case, so this case is excluded as well.
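The following script is an added example, not code from the paper; it makes the 2-torsion criterion of Section 2.2, which this proof relies on, executable for small fields. For a real model y^2 = f(x) with deg f = 6, the rational 2-torsion classes of the Jacobian come from the rational even-degree factors of f (a factor and its complement give the same class), so the order of the Jacobian can only be odd when the factorization pattern of f over the base field admits no such class. The factorization pattern is obtained by distinct-degree factorization, written here from scratch using gcd(f, x^(p^k) − x). Only the Section 2.2 criterion is modelled; the extra split-Jacobian hypothesis of Proposition 2, which excludes further patterns, is not. The two test polynomials over F_5 are constructed: (x^3 + x + 1)(x^3 + 2x + 1), a product of two irreducible cubics, and (x^2 + 2)(x^4 + 2), whose quadratic factor yields a rational 2-torsion class.

```python
# Added example (not from the paper): 2-torsion criterion of Section 2.2 over F_p.
# Polynomials are coefficient lists, constant term first; p is an odd prime.

def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a


def poly_divmod(a, b, p):
    """Quotient and remainder of a by b over F_p (b nonzero, need not be monic)."""
    a, q = a[:], [0] * max(len(a) - len(b) + 1, 0)
    inv = pow(b[-1], -1, p)
    while len(a) >= len(b):
        coef, shift = a[-1] * inv % p, len(a) - len(b)
        q[shift] = coef
        for i, bi in enumerate(b):
            a[shift + i] = (a[shift + i] - coef * bi) % p
        trim(a)
    return trim(q), a


def poly_sub(a, b, p):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) - (b[i] if i < len(b) else 0)) % p
                 for i in range(n)])


def poly_mulmod(a, b, m, p):
    prod = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % p
    return poly_divmod(trim(prod), m, p)[1]


def poly_gcd(a, b, p):
    """Monic gcd over F_p (a nonzero)."""
    while b:
        a, b = b, poly_divmod(a, b, p)[1]
    inv = pow(a[-1], -1, p)
    return [c * inv % p for c in a]


def poly_powmod(base, e, m, p):
    result, base = [1], poly_divmod(base, m, p)[1]
    while e:
        if e & 1:
            result = poly_mulmod(result, base, m, p)
        base = poly_mulmod(base, base, m, p)
        e >>= 1
    return result


def distinct_degree_factorization(f, p):
    """{k: product of the F_p-irreducible factors of f of degree k}, f squarefree.
    gcd(f, x^(p^k) - x) collects exactly the factors whose degree divides k."""
    f = trim([c % p for c in f])
    f = [c * pow(f[-1], -1, p) % p for c in f]
    x, result, k = [0, 1], {}, 1
    h = x[:]                                  # h = x^(p^k) mod f
    while len(f) - 1 >= 2 * k:
        h = poly_powmod(h, p, f, p)
        g = poly_gcd(f, poly_sub(h, x, p), p)
        if len(g) > 1:
            result[k] = g
            f = poly_divmod(f, g, p)[0]
            h = poly_divmod(h, f, p)[1]
        k += 1
    if len(f) > 1:                            # remaining part is a single irreducible factor
        result[len(f) - 1] = f
    return result


def factor_degrees(f, p):
    """Degrees of the F_p-irreducible factors of f, e.g. [3, 3] or [2, 4]."""
    degs = []
    for k, g in sorted(distinct_degree_factorization(f, p).items()):
        degs += [k] * ((len(g) - 1) // k)
    return degs


def rational_two_torsion_rank(degs):
    """log2 of #Jac(H)(F_p)[2] for the degree-6 model: count subsets of the factors
    with even total degree, identifying each subset with its complement."""
    m = len(degs)
    even_subsets = 2 ** m if all(d % 2 == 0 for d in degs) else 2 ** (m - 1)
    return (even_subsets // 2).bit_length() - 1


def jacobian_order_can_be_odd(f, p):
    """#Jac(H)(F_p) is odd if and only if its rational 2-torsion is trivial."""
    return rational_two_torsion_rank(factor_degrees(f, p)) == 0


# Constructed inputs over F_5.
F1 = [1, 3, 2, 2, 3, 0, 1]   # (x^3 + x + 1)(x^3 + 2x + 1): two irreducible cubics
F2 = [4, 0, 2, 0, 2, 0, 1]   # (x^2 + 2)(x^4 + 2): x^2 + 2 gives a rational 2-torsion class
```

For F1 the only even-degree rational factors are 1 and f itself, so the Jacobian may have odd order, matching the pattern allowed by Proposition 2; for F2 the class of div(x^2 + 2) has order 2 and the Jacobian order is necessarily even. A fully split f (six rational roots) gives the full rational 2-torsion of rank 4.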
3.2. Algorithms for = 2
Now we give some concrete information about the cover map , which is of the form . We start the experiment from a given elliptic curve. Assuming that exists, it is easy to deduce the map , which satisfies the following commutative diagram, where we represent the point of by .
We define by , where is an irreducible polynomial of degree 3; otherwise there would be a contradiction with the assumption that is prime. So, can be written in the form .
Because the degree of equals 2, the expression of is as follows: where are the values to be determined from the given . However, the number of values to be determined exceeds the number of equations obtained from the restrictions, so we must fix some of them. The following lemma helps to reduce the number of indeterminates.
Lemma 3. For every automorphism , there is a linear fractional transformation with for some with such that the following diagram commutes:
It can be proved that this action is transitive on , which means that the map satisfies (i) for all and (ii) there exist such that for all .
From the lemma, we can fix the value of in the expression of , because different values of induce equivalent cover maps . So, we fix to be , a generator of ; any other value can be mapped to it by the linear map above. Then, the expression of can be fixed as
We can also get , where is derivative of .
Next, we introduce the algorithms for the different forms of the hyperelliptic curves in turn. All computations were carried out in Magma and Sage.
3.2.1. is Irreducible
Now, we discuss the case that is defined by with an irreducible polynomial of degree 6, which factors over as . The map leads to a formula . Based on Lemma 1, we can deduce the corresponding maps, where the ramification index of at is 1.
.
Taking the first one as an example, we describe how to compute and from a given .
Choose an element such that the 6 elements form a normal basis of over . Then, it makes sense to define where are the unknown values that must be computed in order to find the hyperelliptic curves. Three values need to be determined in the expression of , and we get where are six extra unknown values. Extracting the useful information of the map , we obtain the following two equations:
By using these equations and the scalar restriction process, we get a system of 12 equations of degree 3. The ideal generated by these equations is zero-dimensional, so its solutions can be enumerated.
As a result, can be substituted into the equation of , and the procedure can be carried out as follows:
So, in order to get the expression of , must be a square in .
Let us summarize the whole process of our algorithms. First, we examine the existence of hyperelliptic curves that can be mapped onto and satisfy (i) is simple, (ii) , and (iii) is a prime. Then, we obtain a system of 12 equations through scalar restriction of equations (11) and (12), whose Groebner basis is easy to compute. The solutions of this system are what we want: they give the expressions of the cover maps and the corresponding hyperelliptic curves.
3.2.2. is Reducible
In this part, we discuss the case that the equation of is reducible. Then, by Proposition 2, it factors into two -irreducible polynomials of degree 3, and over it factors as . So, we obtain the corresponding map.
The whole process is similar to the case that is irreducible, with a few differences in the expression of and in the restricted equations:
By using scalar restriction on equations (14) and (15), we again obtain a system of 12 equations in 12 variables. Note that the dimension of the ideal generated by this system is 3. To reduce the dimension, we fix the values of 3 variables, after which the rational points can be computed on a zero-dimensional scheme. To give more information about the forms of the hyperelliptic curves in this case, we propose the following proposition.
Proposition 3. Let H be a genus 2 hyperelliptic curve and assume that H is given by with f a polynomial of degree 6 in . Suppose that H has split Jacobian with , that is a prime, and that the degree of the cover map is 2. Then, the corresponding cover map can be easily computed if is of the form: where and is the generator of , ,
Proof. The corresponding x-coordinate map can be written as So, it is clear that the ramification index of at is 2. By the Riemann–Hurwitz formula [31] where denotes the wild ramification term, there must be another point at which the ramification index of is 2. If , then we can construct an equation with a double root, which gives the relationship among and : Substituting formula (19) into the equation , we get the following expression: Consider the linear fractional transformation . Because is ramified at and , there are two diagrams:
It can be found that id while id, where id denotes the identity transformation. So Then, we can simplify the formula of to . After adjusting the coefficients of , it is reasonable to require . Combining this with , we get Using the original restriction on , we derive that From equations (22), (24), and (25), the following equation can be derived: which means . Similarly, using , we get the following system of equations: from which we find that , which means that the linear fractional transformation satisfies . Now, we get the relationship between the two points at which the ramification index of is 2: Because and are the only two points satisfying , we have . Combining this with equations (20), (25), and (28) and using the proportional coefficients of , we get the final result .
3.2.3. Statistical Results
Elliptic curves are in the same isomorphism class (over the algebraic closure) if they have the same -invariant. We count the number of isomorphism classes that can be attacked by the algorithms of degree 2 over some small fields (Table 1). Let be the number of when is of the form . Let (resp. ) be the number of that can be attacked by the algorithms with deg 2 and irreducible (resp. reducible) .
From the table, we find that all of the isomorphism classes of of the form can be attacked by our algorithms with deg 2 and reducible .
3.3. Algorithms for = 3
The whole process of the experiment for deg is similar to that for deg , with a few differences in the cover diagram and in the equation system to be solved. So, for deg , we only present one case, in which can be written as the product of two irreducible polynomials of degree 3 and the map is as follows:
The expression of is obviously as follows: where is one of the roots of over and . The expressions of and are the same as those in the algorithm for deg = 2 with reducible , while there are a few changes in the variables because of the different expression of and the presence of :
From Lemma 1, we derive that the function has a multiple root , which cannot equal because of the Riemann–Hurwitz formula:
Because has two different roots and , together with a double root, we obtain the following equation:
From this, we derive three equations, which are transformed into a system of 18 equations in 20 variables through scalar restriction:
We fix the value of and of two other variables in order to compute on a zero-dimensional scheme. To derive the expression of , two cases must be distinguished according to whether is a quadratic residue or a quadratic nonresidue.
3.3.1. Statistical Analysis
After analyzing the solutions for a fixed hyperelliptic curve over a relatively small field, we find that takes only two different values, and , with . Each choice of corresponds to an isomorphism class of elliptic curves, which is consistent with the split Jacobian of over . The relationship between the cover maps and , corresponding to and respectively, is , where the th power of means the th power of each coefficient of .
It can be checked that the coefficients of the formula for are equal to the th powers of those of , so and are in the same isogeny class. Because of this special relationship for , we consider that it may be possible to express in terms of the other unknowns, which would eliminate 6 variables. Equations (33)–(35) can be used to preprocess these unknowns, and the relationship is as follows:
However, substituting this expression for makes equation (18) hold identically. After experiments starting from elliptic curves and from hyperelliptic curves respectively, we give the following suggestions: (i) If counting the order of the Jacobian of a given hyperelliptic curve is the goal, which means that the experiment starts with the hyperelliptic curve, then should be expressed by , which eliminates 6 variables from the final equations. Because of the reduction in the number of both variables and restrictions, the dimension of the final ideal decreases from 6 to 2, which cuts down the time complexity to a great extent. (ii) If a cover attack on a given elliptic curve is the goal, which means that the experiment starts with the elliptic curve, then can be expressed by either or . The dimension of the ideal generated by the restrictions is always 2 under both expressions.
3.3.2. Algorithm Improvement
We now try to reduce the dimension of the final ideal, which will improve the efficiency of the algorithm. The key point is to reduce the number of variables. The elliptic curve may be written as [32]. So, the map changes.
The expression of is as follows:where and are the roots of over and . The variables are as follows:
The restricted equations are as follows: which are transformed into a system of 24 equations in 18 variables through scalar restriction. The dimension of the final ideal is 1, which is half of what it was before.
If we start with hyperelliptic curves, so that are known, then the dimension of the final ideal in the previous algorithm is 2 and we must try all possible values of the two free variables. After the improvement, we obtain a system of 18 equations in 12 variables and the dimension of the final ideal is 0, which saves the time spent traversing all values of the free variables.
4. Comparison and Experiments in Large Field
4.1. Experiment for = 2 and is Reducible
Let be the finite field with , and define , where . The elliptic curve is as follows: whose order over is a 256-bit prime . It can be covered by the hyperelliptic curve: which can be written as . The cover map is with where
According to Proposition 1, we get , which offers 128-bit classical security. It can be checked that the bit length of is exactly equal to that of . To verify , we choose a generator of and compute that .
4.2. Example for = 3 and is Reducible
Take the finite field with and with . We begin with the elliptic curve:
It can be covered by the following hyperelliptic curve:
can be written as with a root of and a root of
The cover map is with
We also find that the order of the Jacobian of over is 1064295, whose bit length is equal to the bit length of . This example illustrates that our algorithms also apply to the case in which is not a prime.
4.3. Comparison
Here, we offer comparisons between our algorithms and existing cover attacks for ECDLP (resp. counting methods for Jacobians of hyperelliptic curves).
As a cover attack on the ECDLP, the method in this study has the same complexity as the GHS attack, which is the most efficient algorithm for general elliptic curves.
As a counting method for Jacobians of hyperelliptic curves, our algorithms can easily compute the cover map for hyperelliptic curves , where , is the generator of , . Note that no subexponential general algorithm is known, except for some small sets of examples [11]. The algorithm in reference [4] dealt with hyperelliptic curves of the form , where is the generator of the Galois group of a quadratic extension. For random hyperelliptic curves [12], the computation runs for about one week for a genus 2 curve defined over an 80-bit field.
5. Conclusion
In this article, we propose a new method to compute the cover map from hyperelliptic curves of genus 2 to elliptic curves of prime order. To conduct the experiments successfully, we first put forward some important lemmas and propositions. Then, we propose three different algorithms according to the degree of and the form of the equation of the hyperelliptic curve. As an application, we also give examples over relatively large fields. When the cover map exists, we can use it in place of the GHS attack in the cover and decomposition attack in some specific cases. We can also use the algorithms to evaluate the order of the Jacobians of hyperelliptic curves in polynomial time, which generalizes to generating required hyperelliptic curves. A limitation is that our algorithms apply only to a particular class of elliptic and hyperelliptic curves, but the method is still very useful in ECC and HECC.
For further work related to this study, we see the following two directions: (i) Finding More Concrete Forms of the Hyperelliptic or Elliptic Curves. Take Proposition 3 as an example: according to the relationship between and in Proposition 3, we can reduce the number of variables, thus enhancing the efficiency of our algorithm. So, more concrete forms of the hyperelliptic or elliptic curves may improve the efficiency. (ii) Fast Solution Methods for Nonlinear Systems. We currently use scalar restriction and Groebner bases to solve the equations and thereby obtain the expressions of the cover maps and the corresponding hyperelliptic curves. Further research may investigate faster ways to solve such nonlinear systems.
Data Availability
Data can be obtained upon request to the authors.
Conflicts of Interest
The authors declare that they have no conflicts of interest.