CRYPTOSYSTEMS OVER OPTIMAL EXTENSION FIELDS
by
Montserrat B. Ros
Department of Computer Science and Electrical Engineering,
University of Queensland.
12 Berendt Crt
MEADOWBROOK QLD 4131
Tel. (07) 3299 6073
October 20, 2000
The Dean
School of Engineering
University of Queensland
St Lucia, Q 4072
Yours sincerely,
Montserrat B. Ros.
Abstract
This thesis outlines the issues arising from the implementation of a commercially secure Hyperelliptic Curve Cryptosystem over Optimal Extension Fields as a follow-up to the student-devised Elliptic Curve product, ECCpert.
The cryptosystem is based on the Discrete Logarithm Problem and the El Gamal
encryption / decryption scheme and uses the finite abelian group generated from
the Jacobian of a Hyperelliptic Curve over a significantly large finite extension field.
Acknowledgments
There are many people who have helped me in the research, implementation and
writing of this thesis. This thesis would not have been possible without their help,
whether it be direct assistance or in the form of moral support, and I would like to
acknowledge and thank them all here.
2. Dr Brian Lovell (Department of CSEE) for his guidance through first semester
and for taking me on as a special thesis topic.
4. Christina Miller for her help in passing on information relevant to the continuation of her thesis and for the idea in the first place.
5. Mr Shane Goodwin, SIP lab manager in semester two for not wiping the
computers in the second half of the year!
6. My parents, Jorge Ros and Nuri Ros for their support and encouragement
throughout my entire degree.
7. Karen Dancer and Jane Kemplar for their assistance with proof-reading, for their many very helpful LaTeX tips and their general help throughout my maths degree over the years.
8. Ben Appleton, Jenna Hall and Simon Gee for their proof-reading and
constructive comments.
9. The other CS229 tutors in semester two, Charles Pizzato and Simon Long,
for the many practical sessions they had to cover me for while doing thesis!
10. My house-mate Nerrida Dempster for her support through the last 3 months
of my thesis and for putting up with my late nights and grumpy mornings!
11. My live-in SIP lab buddies, Marty Robinson, Christian Walder, Chucky
Hoang and Marcus Lim for keeping me sane throughout the entire year!
12. My good friends Christopher Pascoe, Kristan Slack and Paul Webster,
for their many enjoyable visits, distractions and “The Ville”-runs!
Contents
Abstract v
Acknowledgments vii
List of Figures xi
1 Introduction 1
1.1 History of Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Secret Key Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Public Key Cryptography . . . . . . . . . . . . . . . . . . . . . . . . 3
1.3.1 Integer Factorisation Problem . . . . . . . . . . . . . . . . . . 5
1.3.2 Discrete Logarithm Problem . . . . . . . . . . . . . . . . . . . 6
1.3.3 P, NP and NP-completeness . . . . . . . . . . . . . . . . . . . . . . 7
1.3.4 Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.4 Scope of Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3 Theory 19
3.1 Abstract Algebra . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.1.1 Elementary Concepts . . . . . . . . . . . . . . . . . . . . . . . 20
3.1.2 Finite Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.2 Optimal Extension Fields . . . . . . . . . . . . . . . . . . . . . . . . 24
3.3 Elliptic Curves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3.3.1 Elliptic Curve theory . . . . . . . . . . . . . . . . . . . . . . . 26
4 Implementation 41
4.1 Optimisation of Preceding Software . . . . . . . . . . . . . . . . . . 41
4.2 Optimal Extension Fields . . . . . . . . . . . . . . . . . . . . . . . . 43
4.3 Hyperelliptic Curves . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
4.4 Divisors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
5 Performance 47
5.1 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
5.1.1 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
5.1.2 Efficiency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
5.2 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Appendices 55
A Divisor Manipulation 55
A.1 Divisor Addition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
A.2 Divisor Reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
References 61
List of Figures
List of Tables
5.1 Average number of field operations for the full addition of divisors. . 49
5.2 Expected speed of group operations in the Jacobian. . . . . . . . . . 49
Chapter 1
Introduction
Cryptography is an area that has received much attention since the rise in the use
of electronic communication for the exchange of financial information and has been
mainly driven by the increased demands for secure transactions over the Internet.
With the introduction of on-line banking, Internet stockbroking and purchasing
goods over the Internet, the need for personal and/or business data to be kept secret
has driven the world of cryptography forward to the point where it has developed
its own commercial value.
The term Cryptography is originally derived from the two Greek words “kryptos” and “graph”, meaning hidden and writing. This is an accurate representation of the meaning of the word, as cryptography is the art of ensuring that messages (writing) are kept secure (hidden) from those recipients to whom the messages are not addressed.
For this reason, the notions of ciphers and codes were invented to encrypt messages so that an on-looker would view useless gibberish instead of the real, meaningful information. This, of course, required the recipient to be the only one to know how to decrypt the message back to its original form.
Modern cryptographic techniques are more sophisticated, with public key cryptosystems publishing the method of encryption and decryption for all to see. However, without a particular secret piece of information known only to the intended recipient, all other entities would find it very difficult to decipher.
One of the major reasons higher-level cryptographic methods have been sought to keep data secret is the continual advancement in processor speeds and architecture. This advancement has rendered many earlier cryptosystems useless: even a naive exhaustive search, trying every possible key, can now be completed in a reasonable time.
To avoid this, the theory of cryptography, and in particular of cryptosystems based on large finite groups, has advanced to a stage where large integers and/or other constructs of the order of 160 to 1024 bits per key are required to represent information. This represents a large amount of information being transmitted, and new algorithms are continually being considered to make this more efficient.
This motivates the study of other cryptosystems, in the hope of increasing transmission efficiency by decreasing the number of bits required for the keys while maintaining the same level of security. The other option is to increase the bandwidth of the particular communications channel where encryption is required. In many cases this is an impossibility, and data-efficient encryption techniques are sought.
$e(x) = ax + b \pmod{26}$, in the Affine Cipher. This gave a larger number of possible keys of the form $(a, b)$, making an exhaustive search just that much more challenging.
Other systems that were more powerful include the Hill Cipher invented in 1929 by Lester S. Hill [18]. The key space for this cipher was the set of $m \times m$ invertible matrices over $\mathbb{Z}_{26}$ and involved breaking up the message stream into equal vectors of size $m$ and then multiplying these vectors by the invertible matrix $K$:
$$e_K(x) = xK, \qquad (y_1\ y_2\ \ldots\ y_m) = (x_1\ x_2\ \ldots\ x_m) \begin{pmatrix} k_{11} & k_{12} & \cdots & k_{1m} \\ k_{21} & k_{22} & \cdots & k_{2m} \\ \vdots & \vdots & \ddots & \vdots \\ k_{m1} & k_{m2} & \cdots & k_{mm} \end{pmatrix}$$
Of course, to decrypt the ciphertext, the recipient would have to find the inverse of $K$ and apply $d_K(y) = yK^{-1}$. Once again, this cipher led to the existence of many more possible keys.
Other systems include the Vigenère Cipher, which added a keyword to each block of $m$ letters in the message, the Permutation Cipher, which just permuted each set of $m$ letters in a specified way, and many more. The common theme behind all of these cryptosystems is that the sender and recipient had to agree on a key before transmission began. While these cryptosystems certainly were effective in their day, it is easy to see that modern processors would conduct an exhaustive search for the solution in a relatively small amount of time.
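The Hill Cipher described above, as an added example that is not part of the thesis: the key is an $m \times m$ matrix over $\mathbb{Z}_{26}$, encryption multiplies each $m$-letter row vector by $K$ (the $xK$ convention used above), and decryption needs $K^{-1} \bmod 26$, which exists only when $\det K$ is coprime to 26. The inverse is computed from the adjugate so that it works for any $m$ and any modulus; the key $K = [[3,3],[2,5]]$, the message and the function names are constructed for this example.

```python
# Added example: Hill Cipher over Z_26 with an m x m key matrix (not thesis code).
MODULUS = 26

def det_mod(matrix, n=MODULUS):
    """Determinant by cofactor expansion along the first row, reduced mod n."""
    size = len(matrix)
    if size == 1:
        return matrix[0][0] % n
    total = 0
    for col in range(size):
        minor = [row[:col] + row[col + 1:] for row in matrix[1:]]
        total += (-1) ** col * matrix[0][col] * det_mod(minor, n)
    return total % n

def matrix_inverse_mod(matrix, n=MODULUS):
    """K^{-1} mod n via the adjugate: adj(K)[i][j] = (-1)^(i+j) * det(minor_{j,i}).
    Raises ValueError when det(K) shares a factor with n, i.e. K is not a valid key."""
    size = len(matrix)
    det = det_mod(matrix, n)
    try:
        det_inv = pow(det, -1, n)              # modular inverse (Python 3.8+)
    except ValueError:
        raise ValueError("matrix is not invertible mod %d" % n)
    if size == 1:
        return [[det_inv]]
    inverse = [[0] * size for _ in range(size)]
    for i in range(size):
        for j in range(size):
            # minor with row j and column i removed
            minor = [row[:i] + row[i + 1:] for r, row in enumerate(matrix) if r != j]
            inverse[i][j] = ((-1) ** (i + j) * det_mod(minor, n) * det_inv) % n
    return inverse

def _vec_mat_mod(vec, matrix, n=MODULUS):
    """Row vector times matrix, mod n."""
    size = len(matrix)
    return [sum(vec[i] * matrix[i][j] for i in range(size)) % n for j in range(size)]

def _blocks(text, m):
    """Letters -> numbers 0..25 in blocks of m, padding the last block with 'X'."""
    nums = [ord(ch) - ord('A') for ch in text.upper() if ch.isalpha()]
    while len(nums) % m:
        nums.append(ord('X') - ord('A'))
    return [nums[i:i + m] for i in range(0, len(nums), m)]

def hill_encrypt(plaintext, key):
    out = []
    for block in _blocks(plaintext, len(key)):
        out.extend(_vec_mat_mod(block, key))
    return ''.join(chr(ord('A') + v) for v in out)

def hill_decrypt(ciphertext, key):
    key_inv = matrix_inverse_mod(key)          # fails loudly for a non-invertible key
    out = []
    for block in _blocks(ciphertext, len(key)):
        out.extend(_vec_mat_mod(block, key_inv))
    return ''.join(chr(ord('A') + v) for v in out)

if __name__ == "__main__":
    K = [[3, 3], [2, 5]]                       # constructed key: det = 9, gcd(9, 26) = 1
    c = hill_encrypt("help", K)
    print(c, hill_decrypt(c, K))               # DPLE HELP
```

The invertibility check is the point a practitioner should take from the key-space description: a randomly chosen matrix over $\mathbb{Z}_{26}$ is only a key if its determinant is a unit modulo 26, so key generation must test this before the key is used.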
plus any global variables (e.g. the hyperelliptic curve of choice, or the modulus prime $p$ for integer exponentiation) are all decided upon quite publicly and published for all users to see. The only information that remains secret is each user’s private key, which they, and they alone, require to decrypt any message sent to them, or to use for authentication when sending to another user.
The Diffie and Hellman Public Key Algorithm [11] describes a very simple algorithm for key exchange, in which two users arrive at a key to be used for information transfer without the key itself being transferred along any communication channel. The setup and transmissions required are outlined in greater detail in Algorithm 1.1. Notice that all information, except the private keys $a$ and $b$ and the final result $x^{ab}$, is public. Hence any other user could listen in and acquire the values $G$, $x$, $x^a$ and $x^b$, and from these would have to obtain $x^{ab}$. This would require the user to solve the Discrete Logarithm Problem, described in greater detail later in this chapter.
The Diffie-Hellman Key Exchange algorithm explains how two parties, A and B, can arrive at an agreement on a secret key without either party transmitting this key along any channel.
INPUT: Two users (A and B) with the capability to randomly select or generate integers.
OUTPUT: A mutually shared session key.
1. User A and user B publicly select a finite abelian group $G$ and an element $x \in G$.
Notice that the only pieces of information transmitted across public, insecure channels are $G$, $x$, $x^a$ and $x^b$. A graphic representation of the system suggested by Diffie and Hellman is shown in Figure 1.1, where Anne and Bob are the users attempting to establish a common key and Oscar is an on-looker with access to the insecure channel. To work out $x^{ab}$, an on-looker would have to first obtain either $a$ or $b$ from $x^a$ or $x^b$. This is known as the Discrete Logarithm Problem.
When solving the DLP over $\mathbb{Z}_p$, for example, this translates to finding the integer $i$ for which $a^i \equiv b \pmod p$. When solving the DLP over a set of points on an elliptic curve, however, this translates to finding the integer $i$ such that $(b_1, b_2) = i(a_1, a_2)$, where $(a_1, a_2)$ and $(b_1, b_2)$ are two points on the curve.
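The exchange of Algorithm 1.1 over $G = \mathbb{Z}_p^*$, as an added example that is not part of the thesis: both users' computations are shown side by side with the transcript Oscar can observe, which contains $p$, $x$, $x^a$ and $x^b$ but neither exponent nor $x^{ab}$. The parameters are a constructed toy safe prime $p = 467$ (so $q = 233$ is prime) and $x = 4$, which generates the subgroup of prime order $q$; a deployed system would use a modulus of the size this chapter recommends (1024 bits or more) or an elliptic curve group. The check on a received public value is added here from a defender's point of view: a value outside the intended subgroup (1, $p-1$, or an element of small order) would fix or weaken the shared key, so an implementation must reject it before exponentiating.

```python
import secrets

# Constructed toy parameters (not from the thesis): p = 2q + 1 is a safe prime and
# x = 4 = 2^2 generates the subgroup of Z_p^* of prime order q.
P = 467
Q = (P - 1) // 2          # 233
X = 4

def is_valid_public_value(value, p=P, q=Q):
    """Accept a received group element only if it lies strictly between 1 and p-1
    and has order q; this rules out the identity, -1 and every element of a small
    subgroup, each of which would leave the shared secret with very few values."""
    return 1 < value < p - 1 and pow(value, q, p) == 1

def choose_private_exponent(q=Q):
    """A private exponent in [1, q-1], drawn from the OS CSPRNG."""
    return secrets.randbelow(q - 1) + 1

def public_value(private_exponent, p=P, x=X):
    return pow(x, private_exponent, p)

def shared_secret(private_exponent, peer_public, p=P):
    if not is_valid_public_value(peer_public, p):
        raise ValueError("peer public value rejected")
    return pow(peer_public, private_exponent, p)

def run_exchange(a, b, p=P, x=X):
    """Algorithm 1.1 with fixed private keys a (user A) and b (user B).
    Returns A's key, B's key and the transcript Oscar sees on the channel."""
    xa = public_value(a, p, x)                 # A -> B
    xb = public_value(b, p, x)                 # B -> A
    key_a = shared_secret(a, xb, p)            # A computes (x^b)^a
    key_b = shared_secret(b, xa, p)            # B computes (x^a)^b
    transcript = {"p": p, "x": x, "x^a": xa, "x^b": xb}   # no a, b or x^ab
    return key_a, key_b, transcript

if __name__ == "__main__":
    a, b = choose_private_exponent(), choose_private_exponent()
    key_a, key_b, seen = run_exchange(a, b)
    print(seen, key_a == key_b)
```

Recovering either exponent from the transcript is the DLP of the previous paragraph; in this toy group it is trivial by trial, which is exactly why the group order, not the protocol, carries the security.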
As with the Integer Factorisation Problem, the number field sieve is the best currently known algorithm to solve the Discrete Logarithm Problem. It has an asymptotic running time equivalent to the corresponding integer factorisation algorithm. Another such algorithm is the index-calculus method, which uses a database of small primes and their corresponding logarithms. From this, logarithms of other field elements can be easily obtained. An implementation of the Gaussian integer method, which is a variant of the index-calculus method, was conducted recently in [28] to compute discrete logarithms modulo a 191-bit prime. It is suggested in [10] that, to prevent such algorithms from being a threat to long-term security, 1024-bit or larger moduli $p$ should be used in normal Discrete Logarithm Problems.
Some of the known attacks upon cryptosystems based on the Discrete Logarithm Problem for elliptic curves include the Baby-Step Giant-Step method, the Pollard Rho method, the Pohlig-Hellman algorithm and many others, most of which have an asymptotic running time of $O(\sqrt{n})$, where $n$ is the number of points on the curve. This number can be very large, and to date no subexponential-time algorithm has been discovered for the elliptic curve Discrete Logarithm Problem, even after much work done in the area over the past 16 years, adding to the popular belief that no such algorithm exists [10].
$$r_t = a_0 + a_1 n + a_2 n^2 + \ldots + a_i n^i$$
where the $a_i$ are constants, for some finite integer $i$, it is said to have a running time of ‘the order of’ $O(n^i)$. If the algorithm running time cannot be expressed in this way, then it is super-polynomial. For example, exponential running time can be expressed as
$$r_t = a^n \quad \text{where } a \text{ is a constant}$$
and would have a running time of $O(a^n)$. This basically gives us a way to analyse algorithms and how effective they are. Also, if the fastest solution to a problem has a running time that is exponential, then for very large input sizes the algorithm will be very slow and the problem can be considered ‘difficult’.
When we apply the concept of algorithm analysis to the solution of problems such as the Integer Factorisation Problem and the Discrete Logarithm Problem, we find that there does not exist an algorithm that solves the problems in polynomial time with respect to the size of the input number. It is fitting to analyse the algorithms based on the bit-size of the input number, as the number of bit-operations determines just how long the algorithm will run for.
If a problem can be solved in polynomial time, then it is considered to be in the P complexity class of problems. If, however, given a solution to a problem, that solution can be verified in polynomial time, then the problem is considered to be in the NP complexity class of problems. So, clearly all problems in P are also in NP, i.e. $P \subseteq NP$, but whether the opposite is true or not is of great interest and has been neither proven nor disproven. Problems in NP may be further classified as NP-complete. A problem is NP-complete if it is in NP, and if every other problem in NP is “reducible” to it, or translatable to it, in polynomial time. This means that if a polynomial-time algorithm were discovered to solve an NP-complete problem, then all problems in NP would be solvable in polynomial time.
The security of cryptosystems is based on the fact that problems in these classes are virtually intractable and that there does not exist a polynomial-time algorithm that will solve the problem. If there were (i.e. if $NP \subseteq P$), then many cryptosystems would fail due to the ease of computing polynomial-time algorithms on modern processors.
1.3.4 Applications
Since the beginning of the electronic revolution, when governments, commercial businesses and individuals alike started storing and transmitting data in electronic form, the need for information security has increased. Information security encompasses
“all measures taken to prevent the unauthorised use of electronic data - whether this unauthorised use takes the form of disclosure, alteration, substitution, or destruction of the data concerned” [8].
Modern public-key cryptosystems provide each of the major information security services: confidentiality, user authentication, data origin authentication, data integrity, and non-repudiation. When applied to modern systems, cryptosystems should provide these services with total transparency to the end user. Below are listed a few simple examples of where cryptography is applied in the real world in such a way that the end-user is unaware of its use and the user’s data is kept secure [8].
Automatic Teller Machines One example of where information security is required is in modern automatic teller machines. As it would be impractical, and also nearly impossible, to have a copy of the entire bank’s database of client records on every single automatic teller machine, the information is stored at a head office, and the automatic teller machines access that information by way of electronic communication. For example, the user enters their PIN, and this must be transmitted to the head office for verification of access to that account. Also, when the user types in the amount he or she requires, this is transferred in the same way, with the head office responding as to whether to proceed with the transaction. It is quite clear that confidentiality of information such as the user’s personal identification number and account number is required and that measures must be taken to ensure that the amount of money requested cannot be altered by an outside source whilst it is in transit.
Phone Cards The storage of information on phone cards is an area that requires that the data stored retain its integrity. In this particular case, the information is encoded onto the card, and if it were possible to alter the stored information, then the amount stored on the card could be continually replenished, thereby giving the perpetrator free access to the telephone network. This is an example of where data integrity would be very useful to companies or organisations operating the telephone network.
Remote System Access With many businesses allowing personnel to work from
home, the need for remote access security has increased. Employees accessing
the business system from home would require a way to log in and send and
transmit data that is often highly classified, or at the very least should not
be intercepted by any competitor in the industry. The business also requires
some way to ensure that the access being requested is by an authorised person.
Smart Cards The use of smart cards is just one area where cryptography and information security have the potential to expand in the future. With the transition from the familiar magnetic stripe to the newer smart cards just around the corner, we will see more secure and convenient transactions. With the magnetic stripe, no security is placed on the card itself - the only security is provided from the business’ point-of-sale terminal to the bank at the other end. With the introduction of smart cards (which contain a small microprocessor upon which a public-key cryptosystem can be installed), all cards such as credit cards, health care cards, etc., will be able to ensure security both during transmission and at the hardware level. Smart cards will certainly not have to be restricted to usage as credit cards. Much speculation has been entered into about just how far smart cards will be used in the future. The ideas of electronic cash (where a person’s purse or wallet is replaced by a single card with automatic access to funds) and health care smart cards (where a person’s medical records are stored on the card and doctors can access this instantaneously) are already hot topics of conversation amongst many.
These applications, and many more, are examples of where cryptography currently plays, and will potentially play, a big part in everyday life.
Without a doubt, cryptography has found its way into the e-commerce scene with much gusto and significance. Although many of the number-theoretic algorithms had been discovered long before, it wasn’t until the 1970s that they were put to good use in this field, due to the introduction of the Internet, and in particular the requirement of secure transactions across it. Gone are the days of requiring secret information to keep the plaintext message from prying eyes - instead the focus has changed greatly towards creating cryptosystems that are secure due to the amount of processing power required to search for the solution.
Naturally, the increase in security demands means increased information transfer, with greater overhead, hence a reduction in communication efficiency. Although in many applications the lowering of information transfer efficiency is not as imperative as the security of either customer or business information, certainly a reduced overhead at no cost to the system’s security will undoubtedly be an advantage to increase communication throughput. This is the motivation behind finding new and more efficient cryptosystems that can still offer the security required, with a reduction in communication bandwidth and possibly memory usage.
12 CHAPTER 2. BACKGROUND AND PREVIOUS WORK
ther reduced bandwidth but because of their complexity, they have not
been practically implemented. It is conceivable that, once efficient al-
gorithms have been constructed, hyperelliptic cryptosystems may rival
the mainstream cryptosystems, especially for bandwidth and memory
constrained applications.”
The paper discusses the hyperelliptic Jacobian groups as a whole, and deals with the group elements in a very theoretical way, admitting that its implementation generally uses field sizes that require more than a single word in the processor to represent. Hence, the efficiency of hyperelliptic curves over Optimal Extension Fields is a case that may offer a performance advantage.
The last major development of interest is the discovery of a sub-exponential algorithm for solving the DLP in hyperelliptic curves of large genus over $GF(p)$. This obviously has immense implications if such an algorithm were to be a viable method for decrypting information in a polynomial amount of time, rendering cryptosystems based on such hyperelliptic curves useless. In [1], an algorithm is described that would make hyperelliptic curves seem an unlikely choice as the basis for a cryptosystem. This paper describes an algorithm that is particularly effective against hyperelliptic curve cryptosystems with large genus. When considering the effects such an algorithm would have on the hyperelliptic cryptosystem over Optimal Extension Fields, as described in this paper, it must be remembered that the sub-exponential algorithm is based on cryptosystems over Prime Fields. Whether this algorithm may be useful over Optimal Extension Fields is open to speculation. Also, for smaller genus, the algorithm is slower than even a naive search algorithm. To overcome this potential threat, the construction algorithm for a cryptosystem based on hyperelliptic curves would just need to avoid curves with large genus $g$. To be sure that the curve will be impervious to this particular kind of attack, when constructing hyperelliptic curves for the cryptosystem, it will be of use to keep the genus $g < 10$ over field sizes of around 32 bits. By adding in this requirement at the initialisation of the curve, we avoid the possibility of the attack in [1] being used efficiently to gain access to data.
mer to declare and use larger integers, without the hassle of thinking about how they are implemented in the hardware. However, using the processor’s multi-precision arithmetic comes at a cost to time efficiency, particularly with operations having to be reduced modulo $p$ where $p$ is a large prime number spanning multiple machine words. By using the approach with prime extension fields, we can leave out the multi-precision arithmetic, replacing it with the number theory behind extension fields. We use $m$ machine words, each representing an element in the field $GF(p) \equiv \mathbb{Z}_p$ where $p$ is a prime number smaller than the largest possible number representable in the processor’s word size.
2.3.1 RSA
The RSA Cryptosystem, so named after its three creators, R.L. Rivest, A. Shamir and L. Adleman, was the first practical system to implement the Diffie-Hellman public key model and is currently the most widely used public-key cryptosystem. It bases its security on the fact that factorising very large numbers is a ‘hard’ problem. This problem is the Integer Factorisation Problem discussed in Chapter One.
Algorithms 2.1 through 2.3 describe the setup process required by each user upon
initialisation of the cryptosystem and the algorithms for encryption and decryption.
In a group of users, each user must have access to each other user’s public key, whilst
retaining their own private key.
When each person in the set of users has completed the initialisation in Algorithm
2.1, Algorithms 2.2 and 2.3 may be followed for the encryption and decryption of
data.
The complete proof that the above cryptosystem works can be seen by the de-
2.3. EXISTING PUBLIC KEY CRYPTOSYSTEMS 15
4. Using the extended Euclidean Algorithm, find the unique integer $d$, $1 < d < \phi$, such that $ed \equiv 1 \pmod{\phi}$.
5. Publish the public key, $(n, e)$, and keep the private key, $d$, secret.
INPUT: The plaintext to encrypt, and the receiving user’s public key $(n, e)$
OUTPUT: The encrypted ciphertext.
User A sends the message to user B.
1. Using an agreed hash function, convert the plaintext into a unique integer $m$ in the interval $[0, n - 1]$
INPUT: The received encrypted ciphertext and the receiver’s private key $d$
OUTPUT: The original plaintext. User B receives the message from user A.
2. Recover the plaintext by applying the inverse of the hash function from Algorithm 2.2, returning the integer in the interval $[0, n - 1]$ to the unique message it represents.
a           b       q       r     s1    s2    t1          t2
2437520800  21481   113473  7287  0     1     1           0
21481       7287    2       6907  1     0     -113473     1
7287        6907    1       380   -2    1     226947      -113473
6907        380     18      67    3     -2    -340420     226947
380         67      5       45    -56   3     6354507     -340420
67          45      1       22    283   -56   -32112955   6354507
45          22      2       1     -339  283   38467462    -32112955
22          1       22      0     961   -339  -109047879  38467462
So, we have computed d = 2437520800 and can publish the pair (n, e) = (2437642819, 21481)
and keep the private key d = 2437520800.
Application of Algorithm 2.2 - RSA Encryption:
Now, to send a message to a person with the above public key, the sender first embeds his or her message using a public hash function. In this example, we will use the common hash function of setting letters to their position in the alphabet. So, the message “hello” would become the plaintext
0805121215.
So, we say $m = 805121215$ is the unique integer that represents the message “hello”. To encrypt this, we find:
$$\begin{aligned} c &= m^e \pmod n \\ &= 805121215^{21481} \pmod{2437642819} \\ &= 2073052364 \pmod{2437642819} \end{aligned}$$
To get back to the plaintext $m = 805121215$ and from there apply the inverse hash function to get the message “hello”.
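The key setup, encryption and decryption above, as an added example that is not part of the thesis. The extended Euclidean algorithm is written to follow the columns of the table (a, b, q, r, s1, s2, t1, t2), one loop iteration per row, and is run on the thesis’s own values $\phi = 2437520800$ (the first entry of column a) and $e = 21481$, so its final row reproduces the coefficients $s_1 = 961$ and $t_1 = -109047879$ with $s_1 \phi + t_1 e = 1$; the private exponent returned is $t_1$ reduced modulo $\phi$. The modulus, public exponent and letter-position embedding are the thesis’s; the ciphertext is checked by decrypting it rather than by its printed value. Function names are this example’s own. A caveat a practitioner would want: the embedding is an invertible encoding, not padding, so what is shown is textbook RSA (deterministic, and malleable under multiplication) and serves to illustrate the arithmetic only.

```python
# Added example (not thesis code): RSA setup, encryption and decryption with
# the thesis's numbers n = 2437642819, e = 21481 and phi = 2437520800.
N = 2437642819
E = 21481
PHI = 2437520800       # first entry of column 'a' in the table above

def ext_gcd(a, b):
    """Extended Euclid in the shape of Algorithm 3.1 / the table: returns
    (gcd, s1, t1) with s1*a + t1*b = gcd, one loop iteration per table row."""
    s1, s2, t1, t2 = 0, 1, 1, 0                # step 1
    while True:
        q, r = divmod(a, b)                    # step 2
        if r == 0:                             # step 3: b is the gcd
            return b, s1, t1
        a, b = b, r                            # step 4
        s1, s2 = s2 - q * s1, s1
        t1, t2 = t2 - q * t1, t1

def private_exponent(phi, e):
    """d with e*d = 1 (mod phi); requires gcd(e, phi) = 1."""
    g, _, t = ext_gcd(phi, e)
    if g != 1:
        raise ValueError("e is not invertible modulo phi")
    return t % phi

def encode(message):
    """The thesis's 'hash function': letters to two-digit alphabet positions."""
    return int("".join("%02d" % (ord(c) - ord('a') + 1) for c in message.lower()))

def decode(m):
    """Inverse of encode; a leading zero ('h' = 08) is lost in the integer, so
    the digit string is padded back to even length first."""
    digits = str(m)
    digits = digits.rjust(len(digits) + len(digits) % 2, "0")
    return "".join(chr(int(digits[i:i + 2]) + ord('a') - 1)
                   for i in range(0, len(digits), 2))

def rsa_encrypt(m, n=N, e=E):
    if not 0 <= m < n:
        raise ValueError("message integer must lie in [0, n-1]")
    return pow(m, e, n)

def rsa_decrypt(c, d, n=N):
    return pow(c, d, n)

if __name__ == "__main__":
    d = private_exponent(PHI, E)
    c = rsa_encrypt(encode("hello"))
    print(d, c, decode(rsa_decrypt(c, d)))
```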
1. Each receiving user picks a secret number $i$ and computes $\beta = \alpha^i$, then publishes $\beta$.
3. The receiving user then decrypts the sent pair by applying $d(y_1, y_2) = y_2 \circ (y_1^i)^{-1}$.
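The El Gamal scheme whose setup and decryption steps appear above, as an added example that is not part of the thesis, instantiated over $\mathbb{Z}_p^*$ with $\circ$ being multiplication modulo $p$. Encryption (the step not on the page) is the standard one: pick a fresh random $k$ and send $(y_1, y_2) = (\alpha^k, m \circ \beta^k)$, which is exactly what the page’s $d(y_1, y_2) = y_2 \circ (y_1^i)^{-1}$ undoes. The prime $p = 467$ and primitive root $\alpha = 2$ are constructed toy values, and the function names are this example’s own.

```python
import secrets

# Constructed toy group (not from the thesis): G = Z_467^*, the group operation
# 'o' is multiplication mod 467, and alpha = 2 is a primitive root.
P = 467
ALPHA = 2

def keygen(p=P, alpha=ALPHA):
    """Step 1: the receiver picks secret i and publishes beta = alpha^i."""
    i = secrets.randbelow(p - 2) + 1            # 1 <= i <= p-2
    return i, pow(alpha, i, p)

def encrypt(m, beta, k=None, p=P, alpha=ALPHA):
    """Standard El Gamal encryption (the thesis's step 2 is not on the page):
    choose an ephemeral k and send (y1, y2) = (alpha^k, m o beta^k)."""
    if not 1 <= m < p:
        raise ValueError("message must be a nonzero group element")
    if k is None:
        k = secrets.randbelow(p - 2) + 1        # must be fresh for every message
    return pow(alpha, k, p), (m * pow(beta, k, p)) % p

def decrypt(y1, y2, i, p=P):
    """Step 3: d(y1, y2) = y2 o (y1^i)^{-1}."""
    mask_inverse = pow(pow(y1, i, p), -1, p)    # (y1^i)^{-1} in Z_p^*
    return (y2 * mask_inverse) % p

def roundtrip(m, i=127, k=213, p=P, alpha=ALPHA):
    """Fixed receiver secret i and sender ephemeral k, for a reproducible trace:
    returns (beta, y1, y2, recovered m)."""
    beta = pow(alpha, i, p)
    y1, y2 = encrypt(m, beta, k, p, alpha)
    return beta, y1, y2, decrypt(y1, y2, i, p)

if __name__ == "__main__":
    i, beta = keygen()
    y1, y2 = encrypt(100, beta)
    print((y1, y2), decrypt(y1, y2, i))
```

Two properties worth noting from the defender’s side: reusing $k$ for two messages reveals the ratio of the two plaintexts, since $y_2 / y_2'$ = $m / m'$, and multiplying $y_2$ by a constant scales the decrypted message by that constant, so a bare El Gamal ciphertext needs an integrity check (a MAC or signature) before its contents are trusted.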
Chapter 3
Theory
This chapter introduces the concepts and theory of geometric algebraic curves and why they are so important to modern cryptosystems. To aid in the understanding of this complex theory, some useful abstract algebra concepts are described in the first section by introducing the concepts of groups, rings and fields. This is by no means a complete discussion of this area, and the inexperienced reader may choose to refer to [6] for a deeper treatment of these abstract concepts. A further reference to note is, of course, the thesis containing the development of elliptic curves over Optimal Extension Fields, [34]. It contains similar concepts, but in particular its treatment of the theory of elliptic curves is worth reading to gain further understanding of the concepts in the following chapter.
Both elliptic and hyperelliptic curves have received much attention, with hyperelliptic curve cryptosystems yet to be implemented and tested as thoroughly as their elliptic curve counterparts have been. The section on Elliptic Curves is included to aid the reader in understanding how points on a curve make up a finite abelian group and also to understand the notion of point addition. Finally, the section on the theory of hyperelliptic curves contains much of the matter crucial to this thesis. In fact, much of the theory presented in that section can be almost directly taken from the original introduction to the topic by Koblitz in [26], with some extra help from the very useful paper written in co-authorship with Menezes, Wu and Zuccherato [32]. The latter is also included as an appendix in Koblitz’s [25]. To discuss the concept of divisors, [33] was also chosen as a good reference book with a slightly more appealing treatment of these abstract elements.
Using the concepts and theory introduced throughout this chapter, both elementary
and complex cryptosystems can be constructed, and when used in conjunction with
the algorithms of Public Key Cryptography, can become a powerful way to keep
data secure.
This section initially describes the elementary concepts behind the theory of
groups, including binary relations and the laws associated with them. Then, it
introduces the concept of rings, leading in to the particularly relevant theory of
finite fields, and especially Galois Fields and Extension Fields.
1. commutativity: $s_1 \circ s_2 = s_2 \circ s_1$
3. identity: $\exists e \in S$, $\forall s_x \in S$, $s_x \circ e = s_x = e \circ s_x$
6. distributivity: $s_1 \circ (s_2 + s_3) = s_1 \circ s_2 + s_1 \circ s_3$
Now, we have a set of tools with which to define the properties of our next
important structure, that of a group. Groups can be further specified as abelian
groups or subgroups of larger groups and these definitions are also included.
1. associativity
2. identity
3. inverse
4. closure
Definition 3.1.1.2 An Abelian Group (G, ◦) is a Group with the extra property of
being commutative.
With these definitions, we can discuss the further theory of rings and fields.
Before we commence that discussion, however, it is important to discuss Euclid’s
Extended Algorithm. In particular, we will be interested in this algorithm over
polynomials, so presented in Algorithm 3.1 is the generalisation of Euclid’s Extended
Algorithm. This algorithm is taken from [20].
In the following sections, there is some reference to rings, but in particular commutative rings with identity. Because of that, we define here not only the concept of a ring, but also one that is commutative and has an identity, which as the name suggests, has the same structure of a ring but includes the two extra properties.
Definition 3.1.1.4 A ring, (R, ×, +) is a set R defined with two binary operators,
× and +. The laws that hold in a ring include:
3. distributivity
1. (R, ×, +) is a ring
We see that (R, ×, +) satisfies all properties for a field except that of all non-zero
elements requiring multiplicative inverses.
1. Set:
$s_2 = 1$, $t_1 = 1$, $s_1 = 0$, $t_2 = 0$
2. Divide $a/b$ and set $q$ and $r$ to be the quotient and remainder respectively:
$q = \lfloor a/b \rfloor$, $r = a \bmod b$
$\gcd = b$, $m = s_1$, $n = s_2$
4. Set
$a = b$, $b = r$
$\text{temp} = s_2$, $s_2 = s_1$, $s_1 = \text{temp} - q s_1$
$\text{temp} = t_2$, $t_2 = t_1$, $t_1 = \text{temp} - q t_1$
And then repeat by going back to step 2.
Also of importance are the concepts of polynomial and quotient rings. When
dealing with polynomial rings and in particular their elements, the usual definitions
apply to their degree and whether they are monic, divide another polynomial or are
irreducible, as you would expect from normal polynomials.
Definition 3.1.1.7 A polynomial ring over the field $\mathbb{F}$ in the set $x = \{x_1, \ldots, x_m\}$ is denoted $\mathbb{F}[x]$ and consists of all finite sums of products of powers of $x_1, \ldots, x_m$ with coefficients in $\mathbb{F}$.
Definition 3.1.1.8 A quotient ring is the quotient of a ring and one of its ideals. For example, the quotient ring with respect to a ring $R$ modulo some integer $n$, is
where
$$n = \prod_{i=1}^{k} p_i$$
With the definitions of the elementary structures presented, we can now move
on to the important concept of finite fields.
Definition 3.1.2.1 A field (F, ×, +) is a set F defined with two binary operators
(denoted × and + here because of the intuitive laws that exist pertaining to normal
‘multiplication’ and ‘addition’). These laws include:
3. distributivity
6. inverse for + in F
Definition 3.1.2.2 If there exists a prime number p such that the identity 1 added
to itself p times equals the zero element of a field F and p is the minimum such
number, then the characteristic of F is defined as char(F) = p. If such a number
does not exist, then char(F) = 0.
The concept of an algebraic closure is an important one when dealing with hyper-
elliptic curves. The very definition of hyperelliptic curves, discussed later, requires
the notion of a coordinate system of two elements in the algebraic closure of a field.
In particular, we are interested in the theory of finite fields. These fields are more
commonly known as Galois Fields and are denoted GF (x). They are described in
more detail in [5]. We need only define one more type of field before giving an
example of a Galois Field that could be used in a (small!) cryptosystem.
To give an example of the theory of finite fields, example 3.1.2.5, let us select an
underlying finite field that will be relevant when considering the kinds of fields that
the hyperelliptic curves in ECCPERT are defined over. That is, let us select a finite
field of the form GF (pm ) where this field is an Optimal Extension field.
Example 3.1.2.5 We will take p = 3 and m = 4, and make use of the fact that
$x^4 + x + 2$ is an irreducible polynomial over $\mathbb{Z}_3$ to get the field
$\mathbb{F}_{3^4} = \mathbb{F}_3[x]/(x^4 + x + 2)$.
Now, we let α be a primitive root of the above polynomial, such that $\alpha^4 + \alpha + 2 = 0$,
or in other words, $\alpha^4 = 2\alpha + 1$.
Table 3.1 lists the powers of α. Remember that the field contains these elements
as well as the zero element.
Now that we have discussed fields in general, and the idea of Galois and extension
fields, we can introduce the field of choice in this thesis and discuss its benefits.
n   α^n             n    α^n                      n    α^n
0   1               27   α^3 + 2α^2 + α           54   α^2 + α
1   α               28   2α^3 + α^2 + 2α + 1      55   α^3 + α^2
2   α^2             29   α^3 + 2α^2 + 2α + 2      56   α^3 + 2α + 1
3   α^3             30   2α^3 + 2α^2 + α + 1      57   2α^2 + 1
4   2α + 1          31   2α^3 + α^2 + 2α + 2      58   2α^3 + α
5   2α^2 + α        32   α^3 + 2α^2 + 2           59   α^2 + α + 2
6   2α^3 + α^2      33   2α^3 + α + 1             60   α^3 + α^2 + 2α
7   α^3 + α + 2     34   α^2 + 2α + 2             61   α^3 + 2α^2 + 2α + 1
Table 3.1: Non-zero elements of the finite field described by $\mathbb{F}_{3^4} = \mathbb{F}_3[x]/(x^4 + x + 2)$
in powers of α.
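An added example (not from the thesis, and in Python rather than its C++) that builds the field of Example 3.1.2.5 from the irreducible polynomial x^4 + x + 2, regenerates the powers of α listed in Table 3.1, and checks that α is primitive. Elements are coefficient lists with the constant term first, so α is [0, 1, 0, 0].

```python
# Added example (not the thesis's code): arithmetic in F_{3^4} = F_3[x]/(x^4 + x + 2)
# from Example 3.1.2.5. Elements are coefficient lists, constant term first, so
# alpha = [0, 1, 0, 0]; reduction uses alpha^4 = 2*alpha + 1 as derived in the text.
P = 3                        # characteristic of the subfield F_3
M = 4                        # extension degree
MODULUS = [2, 1, 0, 0, 1]    # x^4 + x + 2, low degree first

def mul(a, b):
    """Multiply two field elements and reduce modulo x^4 + x + 2."""
    prod = [0] * (2 * M - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % P
    # Replace each x^d (d >= 4), top down, by x^(d-4) * (x^4 mod modulus)
    for d in range(2 * M - 2, M - 1, -1):
        c, prod[d] = prod[d], 0
        for k in range(M):
            prod[d - M + k] = (prod[d - M + k] - c * MODULUS[k]) % P
    return prod[:M]

def powers_of_alpha():
    """alpha^0, alpha^1, ... up to (not including) the first power equal to 1."""
    alpha, one = [0, 1, 0, 0], [1, 0, 0, 0]
    out, cur = [one], mul(one, alpha)
    while cur != one:
        out.append(cur)
        cur = mul(cur, alpha)
    return out

def as_text(e):
    """Render an element the way Table 3.1 does, writing 'a' for alpha."""
    terms = []
    for d in range(M - 1, -1, -1):
        c = e[d]
        if c == 0:
            continue
        coef = "" if c == 1 and d > 0 else str(c)
        terms.append(coef + {0: "", 1: "a"}.get(d, f"a^{d}"))
    return " + ".join(terms) if terms else "0"

def is_primitive():
    """alpha generates the multiplicative group iff its order is p^m - 1 = 80."""
    return len(powers_of_alpha()) == P ** M - 1
```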
The approach in [2] further defines Optimal Extension Fields by describing two
different categories of OEFs. A ‘Type I OEF’ has p = 2n ± 1 while a ‘Type II OEF’
has an irreducible binomial xm − 2 and has much faster subfield modular reduction.
This is due to the multiplications by ω = 2 being able to be done with shifts instead
of integer multiplication.
By comparison, [2] appears to have the fastest field multiplication, by more than
twice as fast. OEFs take advantage of the fast finite field arithmetic optimisations
available on microprocessors commonly found in workstations.
Definition 3.3.1.1 An elliptic curve, E, over a field F, is the set of solutions (x, y)
of the equation:
$$E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6, \quad a_i \in F.$$
This is known as the Weierstrass form. However, when char(F) > 3 this
simplifies to
$$E : y^2 = x^3 + ax + b, \quad a, b \in F. \tag{3.1}$$
The set of solutions to the above equation, together with a point at infinity, which
we label ∞, form the abelian group we are looking for. To show that it is an abelian
group, we first define the identity of the group, the inverse of an element and the
addition operation on the set of points with a given number of rules. We can then
show the addition is both commutative and associative, hence showing its abelian
nature. This addition can be thought of geometrically initially, however, further
rules are given for the mathematical addition that is used in the implementation.
The identity of the group is defined as the point at infinity, ∞. The inverse of a
point P = (x, y) will be denoted −P and can be obtained by setting −P = (x, −y)
in the case of an elliptic curve with char(F) > 3. The inverse of ∞, the infinity
point, is ∞ itself. Now the addition on the set of points on the curve can be defined.
Given two points on the curve, P, Q ∈ E, we define addition as follows:
1. If P = ∞ then P + Q = ∞ + Q = Q
2. If Q = ∞ then P + Q = P + ∞ = P
3. If P = −Q then P + Q = ∞
The case where two distinct non-infinity points are added is shown graphically
in Figure 3.1 while Algorithm 3.2 further defines the addition of points on an elliptic
curve, in a mathematical context.
Algorithm 3.2
1. If P1 = ∞ then return P3 = P2.
2. If P2 = ∞ then return P3 = P1.
3. If P1 = −P2 then return P3 = ∞.
4. Set
$$\lambda = \frac{3x_1^2 + a}{2y_1}.$$
5. Set
$$x_3 = \lambda^2 - x_1 - x_2$$
and
$$y_3 = \lambda(x_1 - x_3) - y_1.$$
With this definition, we can see that each addition will only have one solution, as
the cubic nature of the equation of the curve E ensures that there are no more than
3 points on any straight line through the curve, with the other rules above ensuring
that special cases of point addition, such as those including the point at infinity,
follow the rules for identity and inverses in a group.
It can be shown that this set of points is both associative and commutative,
although the proof is quite a lengthy and tedious process and is not shown here.
For a complete proof and a deeper treatment of elliptic curves in both the affine
and projective coordinates, see [13]. When computing the above algorithm, it is
necessary to realise that inverses of points, which we denote −P because we are
dealing with the addition operation, can be easily obtained by finding the second
solution at the x-coordinate. For example, if P = (x, y) then $P^{-1} = -P = (x, -y)$.
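The group law of Algorithm 3.2 over a prime field F_p, as an added example (not the thesis's code, and in Python rather than its C++). It goes beyond the printed step 4 by also computing the chord slope for two distinct points, the case drawn in Figure 3.1, and adds the scalar multiplication that an El Gamal scheme on E(F_p) needs. The sample curve y^2 = x^3 + x + 1 over F_23 is a constructed textbook instance; coordinates are assumed reduced modulo p.

```python
# Added example (not the thesis's code): the group law of Section 3.3 on
# E: y^2 = x^3 + ax + b over a prime field F_p with p > 3, in Python rather than
# the thesis's C++. Points are (x, y) tuples with coordinates reduced mod p;
# INF stands for the point at infinity, the identity of the group.
INF = None

class Curve:
    def __init__(self, a, b, p):
        # 4a^3 + 27b^2 != 0 guarantees the cubic has no repeated root
        if p <= 3 or (4 * a ** 3 + 27 * b ** 2) % p == 0:
            raise ValueError("need a prime p > 3 and a non-singular curve")
        self.a, self.b, self.p = a % p, b % p, p

    def on_curve(self, P):
        if P is INF:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P):
        """-P = (x, -y); the inverse of infinity is infinity itself."""
        if P is INF:
            return INF
        x, y = P
        return (x, (-y) % self.p)

    def add(self, P1, P2):
        """Algorithm 3.2, with the chord slope added for two distinct points."""
        p = self.p
        if P1 is INF:                       # step 1
            return P2
        if P2 is INF:                       # step 2
            return P1
        if P1 == self.neg(P2):              # step 3: P + (-P) = infinity
            return INF
        x1, y1 = P1
        x2, y2 = P2
        if P1 == P2:                        # step 4: tangent slope, as printed
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p
        else:                               # chord through P1 and P2 (Figure 3.1)
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p      # step 5
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, k, P):
        """k*P by double-and-add, the operation El Gamal needs on E(F_p)."""
        R = INF
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R
```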
Having addressed all of the criteria for an abelian group, we can say that elliptic
curves of the above format and with the above definition of addition, form a finite
abelian group when the underlying field is finite. As a result, they and their hy-
perelliptic counterparts are a large source of the types of groups that are needed to
implement cryptosystems over finite abelian groups.
1. deg(h(u)) ≤ g,
2. deg(f (u)) = 2g + 1,
1. 2v + h(u) = 0 and
2. $h'(u)v - f'(u) = 0$
These definitions may not seem totally intuitive, however, many of the con-
straints placed on the requirements for a hyperelliptic curve ensure that the points
can be used to form the divisors that make up the finite abelian groups for use with
modern cryptosystems. This will be discussed later in this chapter. For now, Figure
3.2 shows an example of a hyperelliptic curve in the real plane whilst Figure 3.3
shows the same hyperelliptic curve equation over the finite field GF(53) ≡ Z_53.
Points on the hyperelliptic curve H are specified with a u- and v- coordinate.
Every u-coordinate on the hyperelliptic curve will have two points and hence two
v-coordinates associated with it, indicated from the v 2 in the hyperelliptic equation.
In this case, the two values of v may be different, depending on the choice of the
polynomial h(u) as discussed below.
We can see quite clearly that if h(u) = 0 then the equation becomes v 2 = f (u).
Hence, when h(u) = 0, one solution is the negative of the other and the two v-
coordinates are v and −v.
There are a few definitions of types of points that need to be declared for use
later on in this chapter. The following definition is here as an aid to categorise the
different types of points that exist on a hyperelliptic curve. Remember that because
these are all different types of points on the hyperelliptic curve, none of them can
also be singular.
Figure 3.2: The hyperelliptic curve, $y^2 = x^5 - 5x^3 + 4x$, over the real numbers
Definition 3.4.1.4 Any point, P = (x, y), on a hyperelliptic curve can be cate-
gorised as one or more of the following types of points:
3. An F-rational point of the hyperelliptic curve H over the field F is either the
point at ∞ or a solution (x, y) ∈ F × F of the equation (3.2).
4. A special point is a point such that P̃ = P, that is, the point P is its own
opposite.
5. An ordinary point is a point that is not special, that is, P̃ ≠ P.
This concludes the theory behind the geometric aspects of hyperelliptic curves.
With this information, we can go on to construct more abstract concepts that will
be used in the generation of the finite abelian groups associated with hyperelliptic
curve cryptosystems.
Figure 3.3: The hyperelliptic curve, $y^2 = x^5 - 5x^3 + 4x$, over GF(53) = Z_53
Definition 3.4.2.1 The coordinate ring of H over F, F[H], is the quotient ring:
$$F[H] = F[u, v]/(v^2 + h(u)v - f(u)),$$
where $(v^2 + h(u)v - f(u))$ denotes the ideal in F[u, v] generated by the polynomial
$v^2 + h(u)v - f(u)$. Similarly, the coordinate ring of H over F̄, F̄[H], is the quotient
ring:
$$\bar{F}[H] = \bar{F}[u, v]/(v^2 + h(u)v - f(u)).$$
With this in mind, we add three definitions. We define the degree of a polynomial
function and describe two further constructs, the conjugate and norm of G(u, v) in
the (reduced) form above.
$$\begin{aligned}
N(G) &= G\bar{G} \\
&= (a(u) - b(u)v)(a(u) + b(u)(h(u) + v)) \\
&= a^2(u) + a(u)b(u)h(u) - b^2(u)(v^2 + h(u)v) \\
&= a^2(u) + a(u)b(u)h(u) - b^2(u)f(u)
\end{aligned}$$
The norm of a polynomial function is a polynomial in F[u] and the norm of G(u, v)
is clearly the same as the norm of its conjugate Ḡ(u, v).
We now move our discussion to rational functions. Rational functions are es-
sentially just the elements of the field of fractions of the coordinate ring of H over
F.
Definition 3.4.2.7 The function field F(H) of H over F is the field of fractions of
F[H]. The elements of F(H) are called rational functions on H.
Definition 3.4.2.8 The rational function R is said to be defined at the point P ∈
H, P ≠ ∞, if there exist polynomial functions G, H ∈ F[H] such that R = G/H
and H(P) ≠ 0. Then, the value of R at P is defined as R(P) = G(P)/H(P).
Definition 3.4.2.9 Let R = G/H ∈ F[H] be a rational function, then
1. If deg(G) < deg(H) then the value of R at ∞ is defined to be R(∞) = 0.
3.4.4 Divisors
Probably the most important abstract concept required for the implementation of
a hyperelliptic curve cryptosystem is the divisor. Understanding the theory and
use of these elements is essential in the implementation of the finite abelian groups
they make up, in particular in reference to the Jacobian of a hyperelliptic curve.
The concept of a divisor is very abstract, yet understandable with some well-based
definitions as given below. Although the addition of divisors will not be as intuitive
as the addition of the points on an elliptic curve, we can still show that the Jacobian,
made up of some of these divisors, indeed does form a finite abelian group, under
divisor addition.
Now, having defined the divisor base element, we introduce the concepts of their
degree, their order at a given point and the greatest common divisor between two
divisors.
Definition 3.4.4.2 The degree of a divisor, D, is the sum of the coefficients,
$\deg(D) = \sum m_i$. The subgroup $D^0$ of D is the set of all divisors of degree 0.
Definition 3.4.4.3 The order of the divisor D at the point $P_i$ is the integer $m_i$
and is denoted $\mathrm{ord}_{P_i}(D) = m_i$.
Definition 3.4.4.4 The greatest common divisor of $D_1 = \sum m_i P_i$, $D_2 = \sum n_i P_i \in D^0$
is defined as:
$$\gcd(D_1, D_2) = \sum \min(m_i, n_i) P_i - \Big(\sum \min(m_i, n_i)\Big) \infty.$$
If we set $D_0 = D - (\deg D)\infty$, then we get $D_0 \in D^0$. Hence, we can imagine the above
definition of the gcd of two divisors as being $\gcd(D_1, D_2) = \big(\sum \min(m_i, n_i) P_i\big)_0 \in D^0$. It
is these divisors we are particularly interested in, in the next few definitions.
Now, we define a new set of divisors that make use of the theory related in the
section on rational functions. We begin with a definition of the support of a divisor.
This is then used for the definition of a semi-reduced divisor.
Definition 3.4.4.5 The support of a divisor D is the set $\mathrm{supp}(D) = \{P_i \in H \mid m_i \neq 0\}$.
1. mi ≥ 0
The last main concept in this section is that of a principal divisor. This leads
on to the equivalence of divisors.
Definition 3.4.4.7 A principal divisor is a divisor of the form (G(u, v)) − (H(u, v)),
that is, the divisor of the rational function G(u, v)/H(u, v). This means D = div(R)
for some non-zero rational function R ∈ F(H). The set of all principal divisors is
denoted P, and is a subgroup of $D^0$.
The subgroup, D0 of D, is also an additive group under the same addition rule.
3.4.5 Jacobian
Much emphasis is placed, throughout papers on hyperelliptic curve cryptosystems,
on addition in the Jacobian of the hyperelliptic curve. When comparing cryptosys-
tems based on elliptic and hyperelliptic curves, one question becomes immediately
apparent - why work within the Jacobian group of a hyperelliptic curve? Firstly, let
us define exactly what is meant by the Jacobian.
Definition 3.4.5.1 Once again, let F̄ be the algebraic closure of F. Also let P
denote the subgroup of principal divisors coming from G, H ∈ F̄[u, v] and let $D^0$ be
the group of divisors of degree zero defined over P. Then the Jacobian of the curve
is the quotient group $J(\bar{F}) = D^0/P$.
The set, J(F), of all divisor classes in J that have a representative defined over F
is a subgroup of J. Each divisor in J(F) has a unique reduced divisor representation,
div(a(u), b(u)), a(u), b(u) ∈ F[u] and deg(a(u)) ≤ g, deg(b(u)) ≤ deg(a(u)). Hence,
the elements in J(F) form an abelian group under divisor addition, which is described
in the following sections.
1. Set
$$a' = (f - bh - b^2)/a$$
and
$$b' = (-h - b) \pmod{a'}.$$
4. Output $D' = (a', b')$.
From Algorithm 3.3, we see that there is only one possible divisor element as the
outcome and hence, we can say that the reduced divisor is unique. This is stated in
Theorem 3.4.6.2
Theorem 3.4.6.2 For each divisor $D \in D^0$, there exists a unique reduced divisor,
$D'$, such that $D \sim D'$.
This result is important when dealing with the elements in this group, and in
particular, we know that each and every divisor will have a unique representation as
a reduced divisor. Hence, when adding divisors in the Jacobian of the hyperelliptic curve,
we can employ the tactic shown in Algorithm 3.4 in the following section, followed
immediately by a reduction of the resulting divisor, using Algorithm 3.3.
4. Set
$$a = \frac{a_1 a_2}{d^2}$$
and
$$b = \frac{s_1 a_1 b_2 + s_2 a_2 b_1 + s_3(b_1 b_2 + f)}{d} \pmod a.$$
Chapter 4
Implementation
dividemodp which computes $a/b \pmod p = ab^{-1} \pmod p$ by first finding the inverse
of b. Example code is shown in Figure 4.1 and the algorithm can be verified from
Algorithm 3.1.
/*
 * dividemodp calculates a/b mod p, where a,b are integers.
 * Note, ONLY for positive integers AND p prime.
 */
int dividemodp(int a, int b, int p) {
    int q, r, s1 = 0, s2 = 1, t1 = 1, t2 = 0, temp, x = p, y = b; /* step 1 of Algorithm 3.1, run on (p, b) */
    while (y != 0) {                        /* steps 2 to 4; invariant: x == s2*p + t2*b */
        q = x / y; r = x % y; x = y; y = r;
        temp = s2; s2 = s1; s1 = temp - q * s1; temp = t2; t2 = t1; t1 = temp - q * t1;
    }
    return (int)(((long long)a * ((t2 % p + p) % p)) % p); /* x == 1 as p is prime, so t2 == b^-1 mod p */
}
typedef struct {
int g; // genus
polynomial h; // deg <= g
polynomial f; // deg = 2g+1, monic
} hyper;
This structure can be used to work out the irreducible polynomial $v^2 + h(u)v - f(u)$
for use when reducing polynomial functions to the form
class Poly
{
poly fn;
public:
Poly() {fn = (poly)calloc(vars.M, sizeof(int));}
Poly(poly a)
{fn = (poly)calloc(vars.M, sizeof(int)); copy_poly(fn, a, vars);}
Poly& operator= (int *a)
{copy_poly(fn, a, vars); return *this;}
Poly& operator= (const Poly& a)
{copy_poly(fn, a.fn, vars); return *this;}
int& operator[](int i)
{return fn[i];}
friend Poly operator+ (const Poly& a, const Poly& b);
friend Poly operator+ (const Poly& a, const int& b);
friend Poly operator+ (const int& a, const Poly& b);
friend Poly operator- (const Poly& a);
friend Poly operator- (const Poly& a, const Poly& b);
friend Poly operator* (const Poly& a, const Poly& b);
friend Poly operator* (const Poly& a, const int& b);
friend Poly operator* (const int& a, const Poly& b);
friend Poly operator/ (const Poly& a, const Poly& b);
friend Poly operator% (const Poly& a, const Poly& b);
friend ostream& operator<<(ostream& s, const Poly& a);
friend Poly operator^ (const Poly& a, const int& b);
friend Poly operator^ (const Poly& a, const Big& b);
friend Poly operator>> (const Poly& a, const int& b);
friend BOOL operator== (const Poly& a, const int& b);
friend BOOL operator== (const Poly& a, const Poly& b);
friend BOOL operator!= (const Poly& a, const int& b);
friend BOOL operator!= (const Poly& a, const Poly& b);
~Poly() {;}
private:
};
class polynomial
{
int degree;
polynomial thePolynomial;
...
...
};
4.4 Divisors
Possibly, the most difficult concept to physically grasp in this thesis, is the concept
of the divisor. Divisors are abstract quantities we chose to construct to make it
easier to manipulate the finite sums of points on the hyperelliptic curve. Much of
the derivation of the theory for divisors is long and tedious, and as such has not
been included in this thesis. Instead, we concentrate mainly on the algorithms that
exist for the addition/reduction of these divisors. We recall that each divisor can be
uniquely represented by two polynomial functions, D1 = div(a(u), b(u)). Hence, the
following structure was used in this implementation to contain these two polynomial
functions and make working with divisors a little less painful.
typedef struct {
polynomial a;
polynomial b;
} divisor;
This use of the divisor structure allows us to declare the two main operations
on divisors as described in Algorithms 3.3 and 3.4: divisor reduction and addition.
Divisor addition takes two semi-reduced divisors and outputs a semi-reduced divisor
that is equivalent to the addition of the input divisors. This output is not necessarily
a reduced divisor. The divisor reduce algorithm takes a semi-reduced divisor and
outputs the unique reduced divisor. Hence, with a call to those two functions, in
that order, we can implement the group operation.
The code and flowcharts for these algorithms are included in Appendix A, however
below is an example of the declaration of these functions, showing that using
the classes and container structures created, algorithms manipulating divisors seem
intuitive and can be abstracted away from the underlying structures.
Performance
5.1 Evaluation
This section conducts a reflective evaluation on the performance of hyperelliptic
curve cryptosystems over Optimal Extension Fields. This is broken up into evalua-
tion of security and efficiency.
5.1.1 Security
A cryptosystem’s security is a difficult parameter to quantify. Security requirements
are varied and differ remarkably from application to application. For example,
a recent factorisation of the 155-digit (512-bit) RSA challenge number using the
general number field sieve took a calendar equivalent time of no less than 7.4 months!
Thus, the complexity of the encryption algorithm varies greatly with the required
security of the application.
The study of security is not a concrete science. Unfortunately, there is no math-
ematical problem for which it can be absolutely proven that the best possible algo-
rithm would take exponential time. Hence, security of cryptosystems depends on
the algorithms in existence at the time of assessment.
Throughout this document, references have been made to the difficulty of the
problem to be solved. Whether or not a problem is a ‘hard’ one depends greatly
on the algorithms that exist to solve the problem. This has been discussed in more
depth in Section 1.3.3. Much study has been done on the time complexity of
algorithms which could be used by a cryptanalyst faced with the task of attacking
both the RSA and elliptic curve cryptosystems. At present, several sub-exponential-time
algorithms exist for attacking RSA, whereas even the most efficient algorithm for the
DLP over elliptic curves has running time proportional to the square root of the
number of points on the curve. This undoubtedly becomes impractically difficult for
large elliptic curves.
The security of hyperelliptic curve cryptosystems is a topic that has not received
much notice, owing to its recent introduction into the field in 1989 in [26]. Some
attacks do exist, however: a sub-exponential algorithm for solving the Discrete
Logarithm Problem in hyperelliptic curves of large genus has been proposed in [1].
This algorithm is based on cryptosystems over prime fields, and is only efficient for
hyperelliptic curves of high genus.
5.1.2 Efficiency
When discussing the efficiency of a public key cryptosystem, the three main factors
to be taken into account are computational overheads, key size and bandwidth
considerations. Computational overheads are the amount of work that must be done
to generate and perform operations on the private and public keys. The key size is
simply the size of the key in bits, and bandwidth considerations concern how much
actual information (in bits) is required to transfer an entire ciphertext message.
To evaluate efficiency of hyperelliptic curves, it is important to analyse the av-
erage number of field multiplications and inverses. An excellent discussion of the
comparison between hyperelliptic curves over GF (p) and GF (2m ) is given in [38].
It takes into consideration the number of field multiplications and inversions in a
scalar multiplication and the efficiency of field operations. The number of opera-
tions depends on the genus of the curve and on the characteristic of the defined
field; while efficiency of the field operations depends on the size of the field, $\log_2 q$,
the word size of the fields on the processor and on the properties of the processor’s
architecture.
Table 5.1 gives the average number of field operations for the fields GF (p) and
GF (2m ) and Table 5.2 gives the expected speed of group operations in the Jacobian.
5.2 Discussion
To give an idea of just how much more efficient cryptosystems based on elliptic curves
are compared with the traditional RSA types, Figure 5.1 gives a keysize vs. amount of time
                     Addition
                     multiplications      inversions
J(F_p),    g even    17g^2 + 3g − 3       (3/2)g + 3
J(F_p),    g odd     17g^2 + 4g − 2       (3/2)g + 7/2
J(F_2^m),  g even    14g^2 + 4g − 1       (3/2)g + 2
J(F_2^m),  g odd     14g^2 + 5g           (3/2)g + 5/2
Table 5.1: Average number of field operations for the full addition of divisors [38]
Choice of Algorithms Where possible, optimised algorithms have been used and
their origin referenced in this thesis. However, many solutions to problems
for which no precedent was found have been solved in a simplistic way and
would greatly benefit from algorithm optimisation. Further research into bet-
ter mathematical solutions could be beneficial to the overall efficiency of the
application.
there does not appear to be a clear and simple algorithm for the selection
of one such random curve.
• The subfield multiplication within the Optimal Extension Fields could
be greatly improved for efficiency.
• A faster subfield division which doesn’t need to find the greatest common
divisor could be designed and implemented.
• If an optimisation of the implementation of the greatest common divisor
method could be found, then that would greatly improve the efficiency of
divaddition and dividemodp. Since dividemodp is used in the division
operator of the Poly class, all division operations involving Poly’s would
be sped up.
Extension of Classes The treatment of the polynomial class in this thesis was
very simplistic and naive. This class could be greatly extended to include the
full functionality for the class of polynomials. Methods and operators were only
written as they were needed for this application, however, a full implementation
of this class would greatly aid any extension at a later date. Also, further
methods could be created within the class to make accessing information on
the polynomial easier.
Portability The application itself was written in Microsoft Visual C++ for the
Windows Operating System. For some applications, this may be inappropriate
and the application could be ported to other operating systems and may even
be implemented in an embedded system environment for use in things such as
automatic teller machines or smart cards.
These are just a few of the areas that this thesis could be extended upon to
further study the practicality of cryptosystems based on hyperelliptic curves over
Optimal Extension Fields.
6.2 Conclusions
This thesis has presented the relevant material for the implementation of a hyperel-
liptic curve cryptosystem based over Optimal Extension Fields. It has defined the
initialisation of the cryptosystem and the methods for encryption and decryption
of information using the El Gamal techniques. This encryption and decryption of
information is conducted over a group of divisor classes in the Jacobian of the hy-
perelliptic curve and the methods for implementing the group operation (divisor
addition) are described.
This thesis has demonstrated the motivation for the study of hyperelliptic curves
and shown that they can be a feasible encryption technique. This coupled with
the use of Optimal Extension Fields makes the implementation in this thesis of
great value. With the considerations presented in Chapter Five and the further
developments as suggested earlier in this chapter, it is conceivable that hyperelliptic
curve cryptosystems could provide a commercially secure alternative to elliptic curve
cryptosystems, with at least the efficiency of elliptic curves, if not more so.
Appendix A
Divisor Manipulation
This appendix includes flowcharts and code for the divisor operations divaddition
and divreduce.
/*
* divaddition
*
* INPUT: Takes two divisors, div1 and div2, represented by two
* polynomial functions each
* OUTPUT: Returns (a) semi-reduced divisor (equivalent to)
* div3 ~ div1 + div2
*
* Uses the algorithm introduced by Koblitz[1989] and clarified by
* Menezes/Wu/Zuccherato[1996] with a slight alteration at step
* three. Note that the output is NOT a reduced divisor to get
* a reduced divisor, divreduce should be run after this function.
*/
divisor divaddition(divisor div1, divisor div2) {
euclid temp;
Poly a, b;
divisor ret;
//step 1
temp = gcd(div1.a, div2.a);
Poly d1 = temp.gcd;
Poly e1 = temp.first;
Poly e2 = temp.second;
//step 2
Poly d2 = div1.b + div2.b + theCurve.h;
temp = gcd(d1, d2);
Poly d = temp.gcd;
Poly c1 = temp.first;
Poly c2 = temp.second;
/*
* divreduce
*
* INPUT: A semi-reduced divisor div represented by two
* polynomial functions
* OUTPUT: The (unique) reduced divisor that is ~ (equivalent
* to) the input divisor.
*
* Returns the reduced divisor that is equivalent to the input
* divisor. Uses the second main algorithm introduced by
* Koblitz[1989] and clarified by Menezes/Wu/Zuccherato[1996].
* This function is commonly used in conjunction with the
* divaddition function to add divisors and get a
* reduced divisor answer.
*/
divisor divreduce(divisor div) {
divisor ret;
polynomial a, b, a1, b1;
//step 3
c = a1[a1.getDegree()];
c = inverse(c);
a1 = a1 * c;
//step 4 return
ret.a = a1;
ret.b = b1;
return ret;
}
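Cantor's algorithm as the thesis describes it, Algorithm 3.4 followed by Algorithm 3.3 and matching the divaddition/divreduce pair of this appendix, as an added Python example that is not the thesis's own C++ code. It assumes a prime field F_p with polynomials held as coefficient lists, and exercises the genus-2 curve of Figure 3.3, v^2 = u^5 − 5u^3 + 4u over GF(53), with three constructed rational points; the reduction loop and the final normalisation to a monic a(u) supply the steps of Algorithm 3.3 that the printed version omits.

```python
# Added example, not the thesis's divaddition/divreduce: Cantor's algorithm,
# i.e. Algorithm 3.4 (addition of semi-reduced divisors) followed by
# Algorithm 3.3 (reduction) for v^2 + h(u)v = f(u) over a prime field F_p.
# Polynomials are coefficient lists, lowest degree first; div(a, b) is the
# pair (a, b) with a monic, deg b < deg a and a | f - bh - b^2.

def trim(a):                    # drop leading zero coefficients, in place
    while a and a[-1] == 0:
        a.pop()
    return a
def deg(a):                     # deg(0) = -1 under this convention
    return len(a) - 1

class FpPoly:
    """Minimal polynomial arithmetic over F_p."""
    def __init__(self, p):
        self.p = p
    def add(self, a, b):
        n = max(len(a), len(b))
        a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
        return trim([(x + y) % self.p for x, y in zip(a, b)])
    def neg(self, a):
        return [(-c) % self.p for c in a]
    def sub(self, a, b):
        return self.add(a, self.neg(b))
    def mul(self, a, b):
        out = [0] * (len(a) + len(b) - 1) if a and b else []
        for i, x in enumerate(a):
            for j, y in enumerate(b):
                out[i + j] = (out[i + j] + x * y) % self.p
        return trim(out)
    def divmod(self, a, b):
        """Long division by non-zero b: returns (quotient, remainder)."""
        a, q = list(a), [0] * max(len(a) - len(b) + 1, 0)
        inv = pow(b[-1], -1, self.p)
        while a and len(a) >= len(b):
            c, k = a[-1] * inv % self.p, len(a) - len(b)
            q[k] = c
            for i, y in enumerate(b):
                a[i + k] = (a[i + k] - c * y) % self.p
            trim(a)
        return trim(q), a
    def egcd(self, a, b):
        """(d, s, t) with d monic and d = s*a + t*b: Algorithm 3.1 in F_p[u]."""
        s2, t2, s1, t1 = [1], [], [], [1]     # a = s2*a0 + t2*b0, b = s1*a0 + t1*b0
        while b:
            q, r = self.divmod(a, b)
            a, b = b, r
            s2, s1 = s1, self.sub(s2, self.mul(q, s1))
            t2, t1 = t1, self.sub(t2, self.mul(q, t1))
        inv = [pow(a[-1], -1, self.p)]
        return self.mul(a, inv), self.mul(s2, inv), self.mul(t2, inv)

class Jacobian:
    """Divisor arithmetic for a genus-g curve v^2 + h(u)v = f(u) over F_p."""
    def __init__(self, p, h, f, g):
        self.P, self.h, self.f, self.g = FpPoly(p), h, f, g
    def is_semi_reduced(self, D):
        a, b = D
        P = self.P
        rem = P.divmod(P.sub(self.f, P.add(P.mul(b, self.h), P.mul(b, b))), a)[1]
        return a[-1] == 1 and deg(b) < deg(a) and rem == []
    def neg(self, D):
        """-div(a, b) = div(a, -b - h mod a): the opposite points of the support."""
        a, b = D
        return a, self.P.divmod(self.P.neg(self.P.add(b, self.h)), a)[1]
    def add(self, D1, D2):
        """Algorithm 3.4: a semi-reduced divisor equivalent to D1 + D2."""
        P, (a1, b1), (a2, b2) = self.P, D1, D2
        d1, e1, e2 = P.egcd(a1, a2)                              # step 1
        d, c1, c2 = P.egcd(d1, P.add(P.add(b1, b2), self.h))      # step 2
        s1, s2, s3 = P.mul(c1, e1), P.mul(c1, e2), c2             # step 3
        a = P.divmod(P.mul(a1, a2), P.mul(d, d))[0]               # step 4
        num = P.add(P.add(P.mul(P.mul(s1, a1), b2), P.mul(P.mul(s2, a2), b1)),
                    P.mul(s3, P.add(P.mul(b1, b2), self.f)))
        return a, P.divmod(P.divmod(num, d)[0], a)[1]
    def reduce(self, D):
        """Algorithm 3.3: the unique reduced divisor equivalent to D."""
        P, (a, b) = self.P, D
        while deg(a) > self.g:                                    # repeat step 1 while deg a > g
            a = P.divmod(P.sub(self.f, P.add(P.mul(b, self.h), P.mul(b, b))), a)[0]
            b = P.divmod(P.neg(P.add(self.h, b)), a)[1]
        return P.mul(a, [pow(a[-1], -1, P.p)]), b                 # finally make a monic
    def group_add(self, D1, D2):
        """The Jacobian group operation: Algorithm 3.4, then Algorithm 3.3."""
        return self.reduce(self.add(D1, D2))

# Constructed instance: the genus-2 curve of Figure 3.3, v^2 = u^5 - 5u^3 + 4u
# over GF(53) (so h = 0), and three of its rational points as divisors.
CURVE = Jacobian(53, [], [0, 4, 0, 48, 0, 1], 2)
D1, D2, D3 = ([48, 1], [20]), ([47, 1], [25]), ([46, 1], [11])   # (5,20), (6,25), (7,11)
```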
[2] Daniel V. Bailey, Christof Paar. Optimal Extension Fields for Fast Arithmetic
in Public-Key Algorithms, Crypto '98, Santa Barbara, California USA, August
1998, pp. 472-485.
[6] E. J. Billington, et al, Discrete Mathematics : Logic and Structures, 2nd Ed,
Longman Cheshire, 1993.
http://www.certicom.com/research/wecc1.html
http://www.certicom.com/research/wecc2.html
http://www.certicom.com/research/wecc3.html
[12] T. ElGamal. A public key cryptosystem and a signature scheme based on dis-
crete logarithms, IEEE Transactions on Information Theory, 31:469-472, 1985.
http://www.mitsubishi.com/ghp japan/misty/main.pdf
[16] IEEE P1363/D10 (Draft Version 13). Standard Specifications for Public Key
Cryptography, New York USA, 1999.
http://world.std.com/ dpj/elliptic.html
[22] Donald E. Knuth. The Art of Computer Programming, Volume 3 Sorting and
searching Algorithms, 3rd Edition, Addison-Wesley, USA, 1997.
[27] C. K. Koc, Elliptic Curve Cryptosystems, Course Handouts for ECE 575, Ore-
gon State University.
http://www.security.ece.orst.edu/koc/ece575/notes/elliptic.pdf
[34] C. Miller, ECCpert: Development and Design, Undergraduate Thesis for Bach-
elor of Engineering, Dept. of Computer Science & Electrical Engineering, Uni-
versity of Queensland, Australia, 1999.
http://www-mobile.ecs.soton.ac.uk/lly/papers/vtc2000 turbo-web.pdf
[37] M.J.B. Robshaw, Y.L. Yin. Overview of Elliptic Curve Cryptosystems, An RSA
Laboratories Technical Note, Revised June 27, 1997.
http://www.rsasecurity.com/rsalabs/ecc/elliptic-curve.html
[39] S. Singh, The Code Book, Clays Ltd, Great Britain, 1999.
http://www.hpl.hp.com/techreports/98/HPL-98-162.pdf
[41] D.R. Stinson. Cryptography - Theory and Practice, Discrete Mathematics and
its applications, Boca Raton, CRC Press, 1995.