
    Point compression for the trace zero subgroup over a small degree extension field

    Using Semaev's summation polynomials, we derive a new equation for the F_q-rational points of the trace zero variety of an elliptic curve defined over F_q. Using this equation, we produce an optimal-size representation for such points. Our representation is compatible with scalar multiplication. We give a point compression algorithm to compute the representation and a decompression algorithm to recover the original point (up to some small ambiguity). The algorithms are efficient for trace zero varieties coming from small degree extension fields. We give explicit equations and discuss in detail the practically relevant cases of cubic and quintic field extensions. Comment: 23 pages, to appear in Designs, Codes and Cryptography

    Group law computations on Jacobians of hyperelliptic curves

    We derive an explicit method of computing the composition step in Cantor's algorithm for group operations on Jacobians of hyperelliptic curves. Our technique is inspired by the geometric description of the group law and applies to hyperelliptic curves of arbitrary genus. While Cantor's general composition involves arithmetic in the polynomial ring F_q[x], the algorithm we propose solves a linear system over the base field which can be written down directly from the Mumford coordinates of the group elements. We apply this method to give more efficient formulas for group operations in both affine and projective coordinates for cryptographic systems based on Jacobians of genus 2 hyperelliptic curves in general form.
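For reference, the general Cantor algorithm that the abstract above contrasts its method with, as an added worked example (this is not code from the paper): composition of two divisors in Mumford coordinates (u, v) by two extended gcds in F_p[x], followed by reduction to degree at most g. Everything here is constructed for illustration: the field F_31, the genus-2 curve y^2 = x^5 + x + 1 (squarefree over F_31), and the affine points (0, 1), (2, 2) and (6, 8) on it.

```python
# Cantor's algorithm on the Jacobian of y^2 + h(x) y = f(x), genus 2, over F_p.
# Divisors are in Mumford coordinates (u, v); polynomials over F_p are coefficient
# lists, lowest degree first, with no trailing zeros.  Constructed toy parameters:
P = 31                      # prime field F_31
G = 2                       # genus
F = [1, 1, 0, 0, 0, 1]      # f(x) = x^5 + x + 1, squarefree mod 31 (nonsingular curve)
H = []                      # h(x) = 0 (odd characteristic)

def trim(a):
    while a and a[-1] % P == 0:
        a.pop()
    return a

def deg(a):                 # deg(0) = -1
    return len(a) - 1

def padd(a, b):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % P
                 for i in range(n)])

def pneg(a):
    return [(-c) % P for c in a]

def psub(a, b):
    return padd(a, pneg(b))

def pmul(a, b):
    r = [0] * max(len(a) + len(b) - 1, 0)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % P
    return trim(r)

def pdivmod(a, b):          # a = q*b + r with deg r < deg b
    a, q = list(a), [0] * max(len(a) - len(b) + 1, 0)
    inv = pow(b[-1], -1, P)
    while a and len(a) >= len(b):
        c, s = a[-1] * inv % P, len(a) - len(b)
        q[s] = c
        for i, y in enumerate(b):
            a[s + i] = (a[s + i] - c * y) % P
        trim(a)
    return trim(q), a

def pmod(a, b):
    return pdivmod(a, b)[1]

def pdiv_exact(a, b):
    q, r = pdivmod(a, b)
    assert r == [], "division is not exact"
    return q

def pxgcd(a, b):            # (d, s, t) with s*a + t*b = d, d monic
    r0, r1, s0, s1, t0, t1 = list(a), list(b), [1], [], [], [1]
    while r1:
        q, r = pdivmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, psub(s0, pmul(q, s1))
        t0, t1 = t1, psub(t0, pmul(q, t1))
    inv = pow(r0[-1], -1, P)
    return pmul(r0, [inv]), pmul(s0, [inv]), pmul(t0, [inv])

def point_divisor(x, y):    # degree-1 divisor (x - a, b) of an affine point (a, b)
    return [(-x) % P, 1], [y % P]

def is_reduced(D):          # u monic, deg v < deg u <= g, and u | f - h v - v^2
    u, v = D
    if not u or u[-1] != 1 or deg(u) > G or deg(v) >= deg(u):
        return False
    return pmod(psub(psub(F, pmul(H, v)), pmul(v, v)), u) == []

def neg(D):
    u, v = D
    return u, pmod(pneg(padd(H, v)), u)

def add(D1, D2):
    (u1, v1), (u2, v2) = D1, D2
    # Composition: two extended gcds in F_p[x] (the step the abstract above replaces
    # by a linear system over the base field).
    d1, e1, e2 = pxgcd(u1, u2)
    d, c1, c2 = pxgcd(d1, padd(padd(v1, v2), H))
    s1, s2, s3 = pmul(c1, e1), pmul(c1, e2), c2
    u = pdiv_exact(pmul(u1, u2), pmul(d, d))
    num = padd(padd(pmul(pmul(s1, u1), v2), pmul(pmul(s2, u2), v1)),
               pmul(s3, padd(pmul(v1, v2), F)))
    v = pmod(pdiv_exact(num, d), u)
    # Reduction: replace (u, v) by an equivalent divisor until deg u <= g.
    while deg(u) > G:
        u = pdiv_exact(psub(psub(F, pmul(v, H)), pmul(v, v)), u)
        v = pmod(pneg(padd(H, v)), u)
    return pmul(u, [pow(u[-1], -1, P)]), v

if __name__ == "__main__":
    D1, D2, D3 = point_divisor(0, 1), point_divisor(2, 2), point_divisor(6, 8)
    S = add(D1, D2)
    print("D1 + D2 =", S, "reduced:", is_reduced(S), "D1 - D1 =", add(D1, neg(D1)))
    print("associative:", add(S, D3) == add(D1, add(D2, D3)))
```

The reduced Mumford representation of a divisor class is unique, so two sums of the same class compare equal as plain lists; that is what the associativity check relies on. Note that composition works in F_p[x] with polynomial division throughout, which is exactly the cost the abstract's linear-system approach avoids.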

    Optimality of the Width-w Non-adjacent Form: General Characterisation and the Case of Imaginary Quadratic Bases

    Efficient scalar multiplication in Abelian groups (which is an important operation in public key cryptography) can be performed using digital expansions. Apart from rational integer bases (double-and-add algorithm), imaginary quadratic integer bases are of interest for elliptic curve cryptography, because the Frobenius endomorphism fulfils a quadratic equation. One strategy for improving the efficiency is to increase the digit set (at the price of additional precomputations). A common choice is the width-w non-adjacent form (w-NAF): each block of w consecutive digits contains at most one non-zero digit. Heuristically, this ensures a low weight, i.e., number of non-zero digits, which translates into few costly curve operations. This paper investigates the following question: Is the w-NAF expansion optimal, where optimality means minimising the weight over all possible expansions with the same digit set? The main characterisation of optimality of w-NAFs can be formulated in the following more general setting: We consider an Abelian group together with an endomorphism (e.g., multiplication by a base element in a ring) and a finite digit set. We show that each group element has an optimal w-NAF expansion if and only if this is the case for each sum of two expansions of weight 1. This leads both to an algorithmic criterion and to generic answers for various cases. Imaginary quadratic integers of trace at least 3 (in absolute value) have optimal w-NAFs for w ≥ 4. The same holds for the special case of base (±3 ± √-3)/2 and w ≥ 2, which corresponds to Koblitz curves in characteristic three. In the case of τ = ±1 ± i, optimality depends on the parity of w. Computational results for small trace are given.
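The w-NAF recoding described above, in the rational-integer-base case, as an added Python example (not code from the paper): it computes the expansion, checks the non-adjacency property and the weight, and uses the digits in a left-to-right scalar multiplication that is compared against plain double-and-add. The curve y^2 = x^3 + 2x + 3 over F_97 with base point (3, 6) is a constructed toy group chosen for illustration only; the w-NAF algorithm itself does not depend on it.

```python
# Width-w non-adjacent form (w-NAF) of a scalar, and its use in scalar multiplication.
# Constructed example group: the curve y^2 = x^3 + 2x + 3 over F_97 with base point (3, 6)
# (6^2 = 36 = 27 + 6 + 3 mod 97).  None stands for the point at infinity.
P_MOD = 97
A, B = 2, 3
G = (3, 6)

def wnaf(k, w):
    """Digits d_0..d_n (least significant first) with k = sum d_i 2^i, where each
    d_i is 0 or odd with |d_i| < 2^(w-1), and any w consecutive digits contain at
    most one non-zero digit.  Requires k >= 0 and w >= 2."""
    assert k >= 0 and w >= 2
    digits = []
    while k > 0:
        if k & 1:
            d = k % (1 << w)
            if d >= 1 << (w - 1):     # signed residue in (-2^(w-1), 2^(w-1))
                d -= 1 << w
            k -= d                    # now 2^w divides k, so the next w-1 digits are 0
        else:
            d = 0
        digits.append(d)
        k >>= 1
    return digits

def from_digits(digits):
    return sum(d << i for i, d in enumerate(digits))

def weight(digits):
    """Number of non-zero digits, i.e. group additions in the scalar multiplication."""
    return sum(1 for d in digits if d)

def is_wnaf(digits, w):
    """Check the defining property: odd bounded digits, non-adjacency within width w."""
    bound = 1 << (w - 1)
    for i, d in enumerate(digits):
        if d == 0:
            continue
        if d % 2 == 0 or abs(d) >= bound:
            return False
        if any(digits[j] for j in range(i + 1, min(i + w, len(digits)))):
            return False
    return True

def ec_neg(Q):
    return None if Q is None else (Q[0], (-Q[1]) % P_MOD)

def ec_add(Q1, Q2):
    """Affine addition (and doubling) on y^2 = x^3 + Ax + B over F_P_MOD."""
    if Q1 is None:
        return Q2
    if Q2 is None:
        return Q1
    x1, y1 = Q1
    x2, y2 = Q2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None                                   # Q1 = -Q2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def scalar_mul_binary(k, Q):
    """Reference double-and-add over the binary expansion of k."""
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == "1":
            R = ec_add(R, Q)
    return R

def scalar_mul_wnaf(k, Q, w):
    """Precompute the odd multiples Q, 3Q, ..., (2^(w-1)-1)Q, then scan the w-NAF
    digits from the most significant end; a negative digit costs only a negation."""
    digits = wnaf(k, w)
    table = {1: Q}
    Q2 = ec_add(Q, Q)
    for d in range(3, 1 << (w - 1), 2):
        table[d] = ec_add(table[d - 2], Q2)
    R = None
    for d in reversed(digits):
        R = ec_add(R, R)
        if d > 0:
            R = ec_add(R, table[d])
        elif d < 0:
            R = ec_add(R, ec_neg(table[-d]))
    return R

if __name__ == "__main__":
    k = 887                            # binary 1101110111, Hamming weight 8
    for w in (2, 3, 4):
        d = wnaf(k, w)
        print(w, d, "weight", weight(d), is_wnaf(d, w), from_digits(d) == k)
    print(scalar_mul_wnaf(k, G, 4) == scalar_mul_binary(k, G))
```

For integer bases the w-NAF is known to have minimal weight among all expansions with the same digit set, which is the property the paper asks about for imaginary quadratic bases; since the binary digits {0, 1} are a subset of every w-NAF digit set, the w-NAF weight never exceeds the Hamming weight of k.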

    Elliptic curve cryptography: Generation and validation of domain parameters in binary Galois Fields

    Elliptic curve cryptography (ECC) is an increasingly popular method for securing many forms of data and communication via public key encryption. The algorithm utilizes key parameters, referred to as the domain parameters. These parameters must adhere to specific characteristics in order to be valid for use in the algorithm. The American National Standards Institute (ANSI), in ANSI X9.62, provides the process for generating and validating these parameters. The National Institute of Standards and Technology (NIST) has identified fifteen sets of parameters: five for prime fields, five for binary fields, and five for Koblitz curves. The parameter generation and validation processes have several key issues. The first is fast reduction modulo the chosen field polynomial. The modulus chosen is an irreducible polynomial of degree greater than 160. Which irreducible polynomial of a given degree is chosen matters little mathematically, since all the resulting fields are isomorphic; however, since there are differences in performance, standards determine the specific polynomials used. The NIST standards are also based on word lengths of 32 bits. Processor architecture, primality, and validation of irreducibility are other important characteristics. The area of ECC researched here is the generation and validation processes as specified for binary Galois fields F(2^m). The rationale for the parameters, as computed for 32-bit and 64-bit computer architectures, and the algorithms used for implementation, as specified by ANSI, NIST and others, are examined. The methods for fast reduction are also examined as a baseline for understanding these parameters. Another aspect of the research is to determine a set of parameters beyond the 571-bit length that meet the necessary criteria as determined by the standards.
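Two of the validation tasks the abstract lists, fast reduction modulo the chosen polynomial and checking that the polynomial is irreducible, as an added Python example (not code from the thesis above). Polynomials over F_2 are Python ints with bit i the coefficient of x^i; the reduction polynomials are the ones FIPS 186 specifies for the 163-bit and 233-bit binary curves, x^163 + x^7 + x^6 + x^3 + 1 and x^233 + x^74 + 1, and the irreducibility check is Rabin's test. The sparse-reduction routine and its test inputs are constructed here for illustration.

```python
# F_2[x] arithmetic with polynomials as Python ints (bit i = coefficient of x^i).
# Shows bulk reduction using the sparse (pentanomial) form of the NIST 163-bit modulus
# and Rabin's irreducibility test for validating a candidate reduction polynomial.

# FIPS 186 reduction polynomials: x^163 + x^7 + x^6 + x^3 + 1 and x^233 + x^74 + 1
F163 = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1
F233 = (1 << 233) | (1 << 74) | 1

def gf2_mul(a, b):
    """Carry-less multiplication in F_2[x] (no reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def gf2_mod(a, f):
    """Generic bit-by-bit reduction of a modulo f (subtract x^(deg a - deg f) * f)."""
    df = f.bit_length() - 1
    while a.bit_length() - 1 >= df:
        a ^= f << (a.bit_length() - 1 - df)
    return a

def reduce_sparse(c, m, taps):
    """Fast reduction for f = x^m + sum(x^t for t in taps), i.e. a trinomial or
    pentanomial: fold the part above x^m down using x^m = sum x^t.  For the NIST
    pentanomial and deg c < 2m - 1 this settles in two rounds."""
    mask = (1 << m) - 1
    while c >> m:
        hi, c = c >> m, c & mask
        for t in taps:
            c ^= hi << t
    return c

def gf2_gcd(a, b):
    while b:
        a, b = b, gf2_mod(a, b)
    return a

def prime_factors(n):
    ps, p = [], 2
    while p * p <= n:
        if n % p == 0:
            ps.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        ps.append(n)
    return ps

def is_irreducible(f):
    """Rabin's test: f of degree m is irreducible over F_2 iff x^(2^m) = x (mod f)
    and gcd(x^(2^(m/p)) - x, f) = 1 for every prime p dividing m."""
    m = f.bit_length() - 1
    if m < 1:
        return False
    x = 0b10

    def frob_pow(e):                       # x^(2^e) mod f by e squarings
        t = x
        for _ in range(e):
            t = gf2_mod(gf2_mul(t, t), f)
        return t

    if frob_pow(m) != x:
        return False
    return all(gf2_gcd(frob_pow(m // p) ^ x, f) == 1 for p in prime_factors(m))

if __name__ == "__main__":
    import random
    rng = random.Random(2024)              # constructed, reproducible test input
    c = rng.getrandbits(2 * 163 - 1)       # shape of an unreduced field product
    print(reduce_sparse(c, 163, (7, 6, 3, 0)) == gf2_mod(c, F163))
    print(is_irreducible(F163), is_irreducible(F233))
    print(is_irreducible(0b10101))         # x^4 + x^2 + 1 = (x^2 + x + 1)^2 -> False
```

A word-oriented implementation does the same folding on 32-bit or 64-bit limbs rather than on one big integer, which is where the performance differences between candidate polynomials of the same degree, mentioned in the abstract, come from.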

    On Index Calculus Algorithms for Subfield Curves

    In this paper we further the study of index calculus methods for solving the elliptic curve discrete logarithm problem (ECDLP). We focus on the index calculus for subfield curves, also called Koblitz curves, defined over F_q with ECDLP in F_{q^n}. Instead of accelerating the solution of polynomial systems during index calculus as was predominantly done in previous work, we define factor bases that are invariant under the q-power Frobenius automorphism of the field F_{q^n}, reducing the number of polynomial systems that need to be solved. A reduction by a factor of 1/n is the best one could hope for. We show how to choose factor bases to achieve this, while simultaneously accelerating the linear algebra step of the index calculus method for Koblitz curves by a factor n^2. Furthermore, we show how to use the Frobenius endomorphism to improve symmetry breaking for Koblitz curves. We provide constructions of factor bases with the desired properties, and we study their impact on the polynomial system solving costs experimentally.

    Quasi-quadratic elliptic curve point counting using rigid cohomology

    We present a deterministic algorithm that computes the zeta function of a nonsupersingular elliptic curve E over a finite field with p^n elements in time quasi-quadratic in n. An older algorithm having the same time complexity uses the canonical lift of E, whereas our algorithm uses rigid cohomology combined with a deformation approach. An implementation in small odd characteristic turns out to give very good results. Comment: 14 pages