
HYPERELLIPTIC CURVE CRYPTOSYSTEMS OVER OPTIMAL EXTENSION FIELDS

by
Montserrat B. Ros
Department of Computer Science and Electrical Engineering,
University of Queensland.

Submitted for the degree of
Bachelor of Engineering (Honours)
in the division of Computer Systems Engineering
October, 2000

12 Berendt Crt
MEADOWBROOK QLD 4131
Tel. (07) 3299 6073
October 20, 2000

The Dean
School of Engineering
University of Queensland
St Lucia, Q 4072

Dear Professor Simmons,

In accordance with the requirements of the degree of Bachelor of Engineering (Honours) in the division of Computer Systems Engineering / Electrical and Electronic Engineering, I present the following thesis entitled ‘Hyperelliptic Curve Cryptosystems over Optimal Extension Fields’. This work was performed under the joint supervision of A/Prof Brian Lovell (Dept. of Computer Science and Electrical Engineering), Dr John Homer (Dept. of Computer Science and Electrical Engineering) and Dr Barry Jones (Dept. of Mathematics).

I declare that the work submitted in this thesis is my own, except as acknowledged in the text and footnotes, and has not been previously submitted for a degree at the University of Queensland or any other institution.

Yours sincerely,

Montserrat B. Ros.
Abstract

This thesis outlines the issues arising from the implementation of a commercially secure Hyperelliptic Curve Cryptosystem over Optimal Extension Fields as a follow-up to the student-devised Elliptic Curve product, ECCpert.

The cryptosystem is based on the Discrete Logarithm Problem and the El Gamal
encryption / decryption scheme and uses the finite abelian group generated from
the Jacobian of a Hyperelliptic Curve over a significantly large finite extension field.

After an introduction to the area of cryptography, a brief background of previous work is presented. This is followed by a full description of the mathematical concepts behind the theory of algebraic geometric cryptosystems and followed up by a discussion of implementation issues and future work.

Acknowledgments

There are many people who have helped me in the research, implementation and
writing of this thesis. This thesis would not have been possible without their help,
whether it be direct assistance or in the form of moral support, and I would like to
acknowledge and thank them all here.

1. Dr Barry Jones (Department of Mathematics) for giving me plenty of advice on the material presented in this thesis and its proof-reading, for the support he has shown me throughout the entire year and for always having his door open to me when I needed assistance.

2. Dr Brian Lovell (Department of CSEE) for his guidance through first semester
and for taking me on as a special thesis topic.

3. Dr John Homer (Department of CSEE) for his proof-reading and help in second semester and for taking over from Dr Lovell mid year.

4. Christina Miller for her help in passing on information relevant to the continuation of her thesis and for the idea in the first place.

5. Mr Shane Goodwin, SIP lab manager in semester two for not wiping the
computers in the second half of the year!

6. My parents, Jorge Ros and Nuri Ros for their support and encouragement
throughout my entire degree.


7. Karen Dancer and Jane Kemplar for their assistance with proof-reading, for their many very helpful LaTeX tips and their general help throughout my maths degree over the years.

8. Ben Appleton, Jenna Hall and Simon Gee for their proof-reading and
constructive comments.

9. The other CS229 tutors in semester two, Charles Pizzato and Simon Long,
for the many practical sessions they had to cover me for while doing thesis!

10. My house-mate Nerrida Dempster for her support through the last 3 months
of my thesis and for putting up with my late nights and grumpy mornings!

11. My live-in SIP lab buddies, Marty Robinson, Christian Walder, Chucky
Hoang and Marcus Lim for keeping me sane throughout the entire year!

12. My good friends Christopher Pascoe, Kristan Slack and Paul Webster,
for their many enjoyable visits, distractions and “The Ville”-runs!
Contents

Abstract v
Acknowledgments vii
List of Figures xi
List of Tables xii

1 Introduction 1
1.1 History of Cryptography 2
1.2 Secret Key Ciphers 2
1.3 Public Key Cryptography 3
1.3.1 Integer Factorisation Problem 5
1.3.2 Discrete Logarithm Problem 6
1.3.3 P, NP and NP-completeness 7
1.3.4 Applications 8
1.4 Scope of Thesis 10

2 Background and Previous Work 11
2.1 Previous Work on Hyperelliptic Curves 11
2.2 Prime, Binary and Prime Extension Fields 13
2.3 Existing Public Key Cryptosystems 14
2.3.1 RSA 14
2.3.2 El Gamal Cryptosystem 17

3 Theory 19
3.1 Abstract Algebra 19
3.1.1 Elementary Concepts 20
3.1.2 Finite Fields 23
3.2 Optimal Extension Fields 24
3.3 Elliptic Curves 26
3.3.1 Elliptic Curve theory 26
3.4 Hyperelliptic Curves 29
3.4.1 Geometric Basics 29
3.4.2 Polynomial and Rational Functions 32
3.4.3 Zeros and Poles 34
3.4.4 Divisors 35
3.4.5 Jacobian 36
3.4.6 Reduced Divisors 37
3.4.7 Adding Divisors 38

4 Implementation 41
4.1 Optimisation of Preceding Software 41
4.2 Optimal Extension Fields 43
4.3 Hyperelliptic Curves 43
4.4 Divisors 45

5 Performance 47
5.1 Evaluation 47
5.1.1 Security 47
5.1.2 Efficiency 48
5.2 Discussion 48

6 Further Developments and Conclusions 51
6.1 Further Developments 51
6.2 Conclusions 53

Appendices 55
A Divisor Manipulation 55
A.1 Divisor Addition 55
A.2 Divisor Reduction 55

References 61

List of Figures

1.1 A graphic representation of the Diffie-Hellman Key exchange 5
3.1 Addition on the elliptic curve $y^2 = x^3 - 7x$ 27
3.2 The hyperelliptic curve, $y^2 = x^5 - 5x^3 + 4x$, over the real numbers 31
3.3 The hyperelliptic curve, $y^2 = x^5 - 5x^3 + 4x$, over $GF(53) = \mathbb{Z}_{53}$ 32
4.1 Implementation of Euclid’s algorithm in dividemodp 42
4.2 Implementation of the Poly class 44
4.3 Extract from the Implementation of the polynomial class 45
5.1 Comparison of security levels 50
A.1 The Divisor Addition algorithm 56
A.2 The code for divaddition 57
A.3 The Divisor Reduction algorithm 58
A.4 The code for divreduce 59

List of Tables

2.1 Euclid’s algorithm applied to find the inverse of an integer 16
3.1 Non-zero elements of the finite field described by $\mathbb{F}_{3^4} = \mathbb{F}_3[x]/(x^4 + x + 2)$ in powers of $\alpha$ 25
5.1 Average number of field operations for the full addition of divisors 49
5.2 Expected speed of group operations in the Jacobian 49
Chapter 1

Introduction

Cryptography is an area that has received much attention since the rise in the use of electronic communication for the exchange of financial information and has been mainly driven by the increased demands for secure transactions over the Internet. With the introduction of on-line banking, Internet stockbroking and purchasing goods over the Internet, the need for personal and/or business data to be kept secret has driven the world of cryptography forward to the point where it has developed its own commercial value.

The term Cryptography is originally derived from the two Greek words “kryptos” and “graph”, meaning hidden and writing. This is an accurate representation of the meaning of the word, as cryptography is the art of ensuring that messages (writing) are kept secure (hidden) from those recipients to whom the messages are not addressed.

For this reason, the notions of ciphers and codes were invented to encrypt messages so that an on-looker would view useless gibberish instead of the real, meaningful information. This, of course, required the recipient to be the only one to know how to decrypt the message back to its original form.

Modern cryptographic techniques are more sophisticated, with public key cryptosystems publishing the method of encryption and decryption for all to see. However, without a particular secret piece of information known only to the intended recipient, all other entities would find it very difficult to decipher.

One of the major reasons higher level cryptographic methods have been sought to keep data secret is the continual advancement in processor speeds and architecture. This advancement has rendered many earlier cryptosystems useless, since sometimes even a naive exhaustive search over every possible key becomes viable and can be performed in reasonable time.
To avoid this, the theory of cryptography, and in particular of cryptosystems based on large finite groups, has advanced to a stage where large integers and/or other constructs are required to represent information, that are of the order of 160- to 1024-bits per key. This represents a large amount of information being transmitted and new algorithms are continually being considered, to make this more efficient. This generates the motivation for the study of other cryptosystems in the hope to increase the transmission rate efficiency by decreasing the number of bits required for the keys while maintaining the same level of security. The other option is to increase the bandwidth for the particular communications channel where encryption is required. In many cases, this is an impossibility and data efficient encryption techniques are sought.

1.1 History of Cryptography


Cryptography dates back to the days of the Roman Empire, where Julius Caesar is accredited with being the first to develop the use of a substitution alphabet cipher, in which letters were written in a code that mapped each letter to another letter a certain, secret distance away in the alphabet. For example, if the secret number was 3, then the mapping would include a ↦ d, b ↦ e, ..., z ↦ c. Cryptography has come a long way since the days of the substitution cipher!

Such conventional cryptography methods are often referred to as secret key cryptosystems because the shared knowledge between the parties (referred to as the secret key) must remain secret. In the example above, if a third party were able to find out the secret number 3, then that party would not only be able to decipher any messages it encountered between the original two parties, but could also write its own (perhaps misleading) messages, claiming to be one of the original parties.

In the past, kings wishing to send such secret messages to other rulers would first send their most trusted courier with the secret information required to decrypt any future messages. If their courier returned alive then communication was allowed to commence!

1.2 Secret Key Ciphers


The substitution cipher is one of the many known simple secret key ciphers, where the letters in the alphabet are simply shifted along the alphabet a certain number of letters. It is easy to see that with a 26-letter alphabet, there will be 26 possibilities for the key (secret number). This may have been secure enough for when all exhaustive searches had to be done by hand, however, many of the traditional secret key ciphers have no use in today’s computer-driven society.

This section aims to give a brief overview of the techniques that were used in the era before there was a need to turn to Public Key cryptography. For example, the substitution cipher was extended slightly to include the use of the linear combination $e(x) = ax + b \pmod{26}$ in the Affine Cipher. This gave a larger number of possible keys of the form $(a, b)$, making an exhaustive search just that much more challenging.
Other systems that were more powerful include the Hill Cipher invented in 1929 by Lester S. Hill [18]. The key space for this cipher was the set of $m \times m$ invertible matrices over $\mathbb{Z}_{26}$ and involved breaking up the message stream into equal vectors of size $m$ and then multiplying these vectors by the invertible matrix $K$.

$$
e_K(x) = xK, \qquad (y_1\ y_2\ \ldots\ y_m) = (x_1\ x_2\ \ldots\ x_m)
\begin{pmatrix}
k_{11} & k_{12} & \ldots & k_{1m} \\
k_{21} & k_{22} & \ldots & k_{2m} \\
\vdots & \vdots & \ddots & \vdots \\
k_{m1} & k_{m2} & \ldots & k_{mm}
\end{pmatrix}
$$

Of course, to decrypt the ciphertext, the recipient would have to find the inverse of $K$ and apply $d_K(y) = yK^{-1}$. Once again, this cipher led to the existence of many more possible keys.
Other systems include the Vigenere Cipher which added a word to each block
of m letters in the message, the Permutation Cipher that just permuted each set
of m letters in a specified way and many more. The common theme behind all of
these cryptosystems is that the sender and recipient had to agree on a key before
transmitting began. While these cryptosystems certainly were effective in their days,
it is easy to see that modern processors would conduct an exhaustive search for the
solution in a relatively small amount of time.
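As an added worked example (this is not code from the thesis or from ECCpert), the following Python implements the Affine Cipher $e(x) = ax + b \pmod{26}$ and a $2 \times 2$ Hill Cipher $e_K(x) = xK$ over $\mathbb{Z}_{26}$, counts the affine key space, and recovers an affine key from a single known plaintext/ciphertext pair by the exhaustive search the text refers to. The choice $m = 2$, the padding of odd-length messages with the letter ‘x’, and the sample texts and keys are assumptions made for the example.

```python
"""Affine and Hill ciphers over Z_26, with an exhaustive affine key search.

Added example: not from the thesis or the ECCpert code base. Assumptions: a
26-letter lower-case alphabet, a 2 x 2 Hill key (m = 2), and padding of an
odd-length message with the letter 'x'.
"""
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
M = 26  # modulus: size of the alphabet


def to_ints(text):
    """Map letters to residues 0..25, dropping anything outside the alphabet."""
    return [ALPHABET.index(c) for c in text.lower() if c in ALPHABET]


def to_text(nums):
    return "".join(ALPHABET[n % M] for n in nums)


# --- Affine cipher: e(x) = ax + b (mod 26), key (a, b) with gcd(a, 26) = 1 ---

def affine_encrypt(plaintext, a, b):
    if gcd(a, M) != 1:
        raise ValueError("a must be invertible modulo 26")
    return to_text((a * x + b) % M for x in to_ints(plaintext))


def affine_decrypt(ciphertext, a, b):
    a_inv = pow(a, -1, M)  # multiplicative inverse of a modulo 26
    return to_text(a_inv * (y - b) % M for y in to_ints(ciphertext))


def affine_key_space():
    """Number of valid (a, b) keys: phi(26) choices of a times 26 choices of b."""
    return sum(1 for a in range(M) if gcd(a, M) == 1) * M


def affine_key_search(plaintext, ciphertext):
    """Exhaustive search over all keys; returns every (a, b) consistent with the pair.

    With only 312 keys this finishes instantly, which is the point the text makes
    about classical ciphers and modern processors.
    """
    return [(a, b)
            for a in range(1, M) if gcd(a, M) == 1
            for b in range(M)
            if affine_encrypt(plaintext, a, b) == ciphertext]


# --- Hill cipher with m = 2: (y1 y2) = (x1 x2) K over Z_26 ---

def hill_encrypt(plaintext, K):
    xs = to_ints(plaintext)
    if len(xs) % 2:
        xs.append(ALPHABET.index("x"))  # pad to a whole number of 2-vectors
    out = []
    for i in range(0, len(xs), 2):
        x1, x2 = xs[i], xs[i + 1]
        out.append((x1 * K[0][0] + x2 * K[1][0]) % M)  # row vector times matrix
        out.append((x1 * K[0][1] + x2 * K[1][1]) % M)
    return to_text(out)


def hill_inverse(K):
    """K^{-1} modulo 26 via the adjugate; requires gcd(det K, 26) = 1."""
    (a, b), (c, d) = K
    det = (a * d - b * c) % M
    if gcd(det, M) != 1:
        raise ValueError("K is not invertible modulo 26; not a valid Hill key")
    det_inv = pow(det, -1, M)
    return [[d * det_inv % M, -b * det_inv % M],
            [-c * det_inv % M, a * det_inv % M]]


def hill_decrypt(ciphertext, K):
    """d_K(y) = y K^{-1}: decryption is encryption with the inverse key."""
    return hill_encrypt(ciphertext, hill_inverse(K))


if __name__ == "__main__":
    c = affine_encrypt("hot", 7, 3)                    # constructed sample text
    print(c, affine_decrypt(c, 7, 3), affine_key_search("hot", c))
    K = [[11, 8], [3, 7]]                              # constructed Hill key
    print(hill_encrypt("july", K), hill_decrypt(hill_encrypt("july", K), K))
```

The key search returns the single key $(7, 3)$ from three letters of known plaintext, which is why the Affine Cipher's larger key space buys nothing against a machine: the search space grows, but the cost of trying every key stays negligible.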

1.3 Public Key Cryptography


In 1976, the idea of Public Key Cryptography was proposed by Diffie and Hellman
in [11]. Public Key Cryptography gave a new view on the field of cryptography,
in particular for the creation and transfer of session key information. Before this,
keys were generated centrally and transmitted to the users in a secret “brown-paper
bag”, where the user had to physically be given this information somehow.
Although in some cryptosystems, such as DES (Data Encryption Standard, 1976)
secret keys are still used, in many of the now common mainstream cryptosystems
such as RSA and Elliptic Curves, keys are generated by each user as a part of the
system’s Public Key Infrastructure. Public Key Cryptosystems differ from their
Secret Key counterparts by the selection of session keys without transferal of these
keys between users.
The main idea behind encryption of data is no longer to keep the method for encrypting secret. On the contrary, in Public Key cryptography not only do the receiving users publish their public keys, but the method for encrypting the data, plus any global variables (e.g. the hyperelliptic curve of choice, or the modulus prime $p$ for integer exponentiation) are all decided upon quite publicly and published for all users to see. The only information that remains secret is each user’s private key which they, and they alone, require to decrypt any message sent to them, or to use for authentication when sending to another user.
The Diffie and Hellman Public Key Algorithm [11] describes a very simple algorithm for key exchange and involves two users coming to a decision on a key to be used for information transfer without the key itself being transferred along any communication channel. The setup and transmissions required are outlined in greater detail in Algorithm 1.1. Notice that all information, except the private keys $a$ and $b$ and the final result $x^{ab}$, is public. Hence any other user could listen in and acquire the values $G$, $x$, $x^a$ and $x^b$, and from these must get $x^{ab}$. This would require the user to solve the Discrete Logarithm Problem, described in greater detail later in this chapter.

Algorithm 1.1 (Diffie-Hellman Key Exchange)

The Diffie-Hellman Key Exchange algorithm explains how two parties, A and B, can arrive at an agreement on a secret key without either party transmitting this key along any channel.
INPUT: Two users (A and B) with the capability to randomly select or generate integers.
OUTPUT: A mutually shared session key.

1. User A and user B publicly select a finite abelian group $G$ and an element $x \in G$.

2. User A generates a random integer $a$, computes $x^a \in G$ and transmits $x^a$ to user B over a public channel.

3. User B generates a random integer $b$, computes $x^b \in G$ and transmits $x^b$ to user A over a public channel.

4. User A receives $x^b$ and computes $(x^b)^a$.

5. User B receives $x^a$ and computes $(x^a)^b$.

Notice that the only pieces of information which are transmitted across public, insecure channels are $G$, $x$, $x^a$ and $x^b$. A graphic representation of the system suggested by Diffie and Hellman is shown in Figure 1.1, where Anne and Bob are the users attempting to establish a common key and Oscar is an on-looker with access to the insecure channel. To work out $x^{ab}$, an on-looker would have to first obtain either $a$ or $b$ from $x^a$ or $x^b$. This is known as the Discrete Logarithm Problem.

Figure 1.1: A graphic representation of the Diffie-Hellman Key exchange
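Algorithm 1.1 written out as an added example in Python (this code is not from the thesis and is not the ECCpert implementation): the group $G$ is taken to be a prime-order subgroup of $\mathbb{Z}_p^*$, which is one concrete choice for the abstract group of step 1 and is an assumption of the example, as are the toy parameters $p = 23$, $q = 11$ and $g = 4$. The two checks, that $g$ really has order $q$ and that a received public value lies inside the group, are the validation a practitioner adds before trusting the agreed key; the `public` tuple in the result is exactly what Oscar sees on the channel.

```python
"""Diffie-Hellman key exchange (Algorithm 1.1) over a prime-order subgroup of Z_p^*.

Added example, not code from the thesis. Assumptions: G is the subgroup of
Z_p^* of prime order q generated by g, with p = 2q + 1 (a safe prime); the toy
parameters in main() are constructed for illustration only.
"""
import secrets


def subgroup_order_ok(p, g, q):
    """Step 1 sanity check: g must lie strictly between 1 and p-1 and satisfy
    g^q = 1 mod p, i.e. generate the subgroup of prime order q."""
    return 1 < g < p - 1 and pow(g, q, p) == 1


def dh_public(p, g, secret):
    """Steps 2 and 3: the value x^a (here g^a mod p) sent over the public channel."""
    return pow(g, secret, p)


def dh_shared(p, peer_public, secret):
    """Steps 4 and 5: (x^b)^a. Rejects values outside the group (0, 1, p-1),
    which would force the agreed key into a trivial subgroup."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value is not a valid group element")
    return pow(peer_public, secret, p)


def dh_exchange(p, g, q, a, b):
    """Run the whole exchange with private exponents a (user A) and b (user B).

    Returns what an on-looker sees, (p, g, g^a, g^b), and the agreed key, which
    the on-looker can only obtain by solving the Discrete Logarithm Problem.
    """
    if not subgroup_order_ok(p, g, q):
        raise ValueError("g does not generate a subgroup of order q")
    A = dh_public(p, g, a)       # transmitted A -> B
    B = dh_public(p, g, b)       # transmitted B -> A
    key_a = dh_shared(p, B, a)   # computed by user A from B's public value
    key_b = dh_shared(p, A, b)   # computed by user B from A's public value
    assert key_a == key_b        # (g^b)^a = (g^a)^b = g^{ab}
    return {"public": (p, g, A, B), "key": key_a}


if __name__ == "__main__":
    p, q, g = 23, 11, 4  # constructed toy parameters: 23 = 2*11 + 1 and 4 has order 11
    a = 1 + secrets.randbelow(q - 1)  # private exponent of user A, in [1, q-1]
    b = 1 + secrets.randbelow(q - 1)  # private exponent of user B
    result = dh_exchange(p, g, q, a, b)
    print("public view:", result["public"])
    print("agreed key :", result["key"])
```

With $a = 3$ and $b = 6$ the channel carries $(23, 4, 18, 2)$ and both sides arrive at $8$; a real deployment replaces the toy prime with one of 1024 bits or more, as the discussion of the Discrete Logarithm Problem below recommends, but the structure of the exchange is unchanged.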

1.3.1 Integer Factorisation Problem


The reason cryptosystems such as RSA are secure is because they are based on mathematical problems that have been proven to be ‘hard’. A further discussion on quantifying how ‘hard’ a problem can be, is presented later in this chapter, while a further extrapolation of this information into a discussion about the security of a particular cryptosystem can be found in Chapter Five.

In particular, factorising large integers has always been a potentially ‘hard’ problem, especially if the integer has no small factors. That is why, when two large primes are multiplied together to form a very large integer, factorising this integer is considered a ‘hard problem’. This is called the Integer Factorisation Problem (IFP). Many techniques have been used to reduce the complexity of the algorithm to a small degree, but essentially there still does not exist an algorithm that will factorise a very large integer into its prime factors within a feasible amount of time.

Some techniques that have been used in the past, not only for finding the prime factorisation of an integer, but also as a naive technique for determining whether an integer is prime or not, include the quadratic sieve and number field sieve, later extended to a generalised version. Another general-purpose factoring algorithm known as the continued fraction algorithm was used prior to the introduction of RSA, to factor numbers up to 40 decimal digits (133 bits) and is based on the idea of using a factor base of primes. The quadratic and number field sieve use a similar underlying idea and can be used very easily in parallel to allow factoring on distributed systems. A brief description of these algorithms is given in [10] as well as a discussion on their use throughout history. For numbers having more than 120 decimal digits (400 bits) the generalised number field sieve appears to be the superior algorithm with a recent factorisation of the 155-digit RSA Challenge Number within the equivalent calendar time of 3.7 months [10].

1.3.2 Discrete Logarithm Problem


Just as the RSA Cryptosystem bases its security on the fact that factorising large numbers is a ‘hard’ problem, other cryptosystems such as the El Gamal Cryptosystem base their security on the intractability of the Discrete Logarithm Problem.

Definition 1.3.2.1 The Discrete Logarithm problem (DLP) is the following: given $a^i = b$, find the particular value for $i$ that satisfies the equation, namely $i = \log_a b$.

When solving the DLP over $\mathbb{Z}_p$, for example, this translates to finding the integer $i$ for which $a^i \equiv b \pmod{p}$. When solving the DLP over a set of points on an elliptic curve, however, this translates to finding the integer $i$ such that $(b_1, b_2) = i(a_1, a_2)$, where $(a_1, a_2)$ and $(b_1, b_2)$ are two points on the curve.

As with the Integer Factorisation Problem, the number field sieve is the best currently known algorithm to solve the Discrete Logarithm Problem. It has an asymptotic running time equivalent to the corresponding integer factorisation algorithm. Another such algorithm is the index-calculus method which uses a database of small primes and their corresponding logarithms. From this, logarithms of other field elements can be easily obtained. An implementation of the Gaussian integer method, which is a variant of the index-calculus method, was conducted recently in [28] to compute discrete logarithms modulo a 191-bit prime. It is suggested in [10] that, to prevent such algorithms from becoming a threat to long-term security, 1024-bit or larger moduli $p$ should be used in normal Discrete Logarithm Problems.

Some of the known attacks upon cryptosystems based on the Discrete Logarithm Problem for elliptic curves include the Baby-Step Giant-Step method, the Pollard Rho method, the Pohlig-Hellman algorithm and many others, most of which have an asymptotic running time of $O(\sqrt{n})$ where $n$ is the number of points on the curve. This number can be very large, and to date, no subexponential-time algorithm has been discovered for the elliptic curve Discrete Logarithm Problem, even after much work done in the area over the past 16 years, adding to the popular belief that no such algorithm exists [10].
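To make the $O(\sqrt{n})$ cost of the generic methods concrete, here is an added example in Python (not from the thesis) that solves the DLP of Definition 1.3.2.1 in $\mathbb{Z}_p^*$ two ways: by trying every exponent in turn, and by the Baby-Step Giant-Step method, which trades a table of about $\sqrt{n}$ entries for about $2\sqrt{n}$ group operations. Using $\mathbb{Z}_p^*$ rather than an elliptic-curve group, the toy prime $p = 23$ and the 5-digit prime $10007$ are assumptions of the example; the same procedure applies to any finite abelian group once the group operation is substituted, which is why the group order, not the representation, is what sets the security level.

```python
"""Discrete logarithms in Z_p^*: exhaustive search versus Baby-Step Giant-Step.

Added example, not code from the thesis. Assumptions: the group is Z_p^* for a
prime p, the order of a divides n (n defaults to p - 1), and a solution exists.
Each solver also returns the number of group multiplications it performed,
which is what makes the O(n) versus O(sqrt n) difference visible.
"""
from math import isqrt


def dlog_exhaustive(a, b, p, n=None):
    """Find i with a^i = b (mod p) by trying i = 0, 1, ..., n-1 in turn."""
    n = p - 1 if n is None else n
    b %= p
    x, ops = 1, 0
    for i in range(n):
        if x == b:
            return i, ops
        x = x * a % p
        ops += 1
    return None, ops


def dlog_bsgs(a, b, p, n=None):
    """Baby-Step Giant-Step: write i = j + m*k with 0 <= j, k < m = ceil(sqrt n).

    Baby steps tabulate a^j for j < m; giant steps walk y = b * a^{-m k} and stop
    when y is in the table, since then b = a^{j + m k}. About 2*sqrt(n)
    multiplications and sqrt(n) table entries instead of up to n multiplications.
    """
    n = p - 1 if n is None else n
    m = isqrt(n) + 1
    baby, x, ops = {}, 1, 0
    for j in range(m):
        baby.setdefault(x, j)  # keep the smallest exponent for each element
        x = x * a % p
        ops += 1
    step = pow(a, -m, p)       # a^{-m}, counted as one operation
    ops += 1
    y = b % p
    for k in range(m):
        if y in baby:
            return (baby[y] + m * k) % n, ops
        y = y * step % p
        ops += 1
    return None, ops


if __name__ == "__main__":
    p, a = 23, 5                      # constructed toy instance: 5 generates Z_23^*
    for b in (8, 1, 22):
        print(b, dlog_exhaustive(a, b, p), dlog_bsgs(a, b, p))
```

For $5^i \equiv 8 \pmod{23}$ both solvers return $i = 6$, the exhaustive search after 6 multiplications and Baby-Step Giant-Step after 7; the gap only opens up as $n$ grows, which is the reason the text ties the security of a curve to the number of points $n$ on it.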

1.3.3 P, NP and NP-completeness

This section discusses the nature of a ‘hard problem’ and why we can say that some problems are ‘harder’ to solve than others. So, what does it mean when a mathematical problem is difficult to solve? To discuss this, we need to understand the concept of algorithm analysis. An algorithm is a step-by-step process that describes how the problem is solved. This may involve many iterative processes that return to previous steps until a certain condition is met. Or, the algorithm may involve loops that depend on the size of the input. The study of how efficient/fast these algorithms are is called algorithm analysis. It usually analyses the running time (but sometimes space usage and other parameters), as a function of the size of the input given. By doing this, information can be derived as to the asymptotic nature of the algorithm. That is, as the input size tends to infinity, the algorithm’s running time grows ‘slower’, ‘equally as fast’ or ‘faster’.

To get an idea of just how much faster the algorithm running time grows as the input size increases, the idea of polynomial time and exponential time is introduced. If the algorithm running time grows at a rate proportional to a polynomial of the input size then the problem is said to be solved in polynomial time. That is, if there exists an algorithm which conducts steps such that the running time $rt$ of these steps varies with input size $n$ and it can be written as:

$$rt = a_0 + a_1 n + a_2 n^2 + \ldots + a_i n^i$$

where the $a_i$ are constants, for some finite integer $i$, it is said to have a running time of ‘the order of’ $O(n^i)$. If the algorithm running time cannot be expressed in this way, then it is super-polynomial. For example, exponential running time can be expressed as:

$$rt = a^n \quad \text{where } a \text{ is a constant}$$

and would have a running time of $O(a^n)$. This basically gives us a way to analyse algorithms and how effective they are. Also, if the fastest solution to a problem has a running time that is exponential, then for very large input sizes, the algorithm will be very slow and the problem can be considered ‘difficult’.
When we apply the concept of algorithm analysis to the solution of problems such as the Integer Factorisation Problem and the Discrete Logarithm Problem, we find that there does not exist an algorithm that solves the problems in polynomial time with respect to the size of the input number. It is fitting to analyse the algorithms based on the bit-size of the input number, as the number of bit-operations determines just how long the algorithm will run for.

If a problem can be solved in polynomial time, then it is considered to be in the P complexity class of problems. If, however, given a solution to a problem, that solution can be verified in polynomial time, then the problem is considered to be in the NP complexity class of problems. So, clearly all problems in P are also in NP, i.e. $P \subseteq NP$, but whether the opposite is true or not is of great interest and has not been either proven or disproven. Problems in NP may be further classified as NP-complete. A problem is NP-complete if it is in NP, and if every other problem also in NP is “reducible” to it, or translatable to it, in polynomial time. This means that if a polynomial time algorithm were discovered to solve an NP-complete problem, then all problems in NP would be solvable in polynomial time.

The security of cryptosystems is based on the fact that problems in these classes are virtually intractable and that there does not exist a polynomial time algorithm that will solve the problem. If there were (i.e. if $NP \subseteq P$) then many cryptosystems would fail due to the ease of computing polynomial time algorithms on modern processors.

1.3.4 Applications
Since the beginning of the electronic revolution, when governments, commercial businesses and individuals alike started storing and transmitting data in electronic form, the need for information security has increased. Information security encompasses

“all measures taken to prevent the unauthorised use of electronic data - whether this unauthorised use takes the form of disclosure, alteration, substitution, or destruction of the data concerned” [8].

Modern public-key cryptosystems provide each of the major information security services: confidentiality, user authentication, data origin authentication, data integrity, and non-repudiation. When applied to modern systems, cryptosystems should provide these services with total transparency to the end user. Below are listed a few simple examples of where cryptography is applied in the real world in such a way that the end-user is unaware of its use and the user’s data is maintained secure [8].
Automatic Teller Machines One example of where information security is required is in modern automatic teller machines. As it would be an impracticality and also nearly impossible to have a copy of the entire bank’s database of client records on every single automatic teller machine, the information is stored at a head office, and the automatic teller machines access that information by way of electronic communication. For example, the user enters their PIN number, and this must be transmitted to the head office for verification of access to that account. Also, when the user types in the amount he or she requires, this is transferred by the same way with the head office responding as to whether to proceed with the transaction. It is quite clear that confidentiality of information such as the user’s personal identification number and account number is required and that measures must be taken to ensure that the amount of money required cannot be altered by an outside source, whilst it is in transit.

Phone Cards The storage of information on phone cards is an area that requires that the data stored retain its integrity. In this particular case, the information is encoded onto the card, and if it was possible to alter the stored information, then the amount stored on the card could be continually replenished thereby giving the perpetrator free access to the telephone network. This is an example of where data integrity would be very useful to companies or organisations operating the telephone network.

Remote System Access With many businesses allowing personnel to work from
home, the need for remote access security has increased. Employees accessing
the business system from home would require a way to log in and send and
transmit data that is often highly classified, or at the very least should not
be intercepted by any competitor in the industry. The business also requires
some way to ensure that the access being requested is by an authorised person.

Smart Cards The use of smart cards is just one area where cryptography and information security have a potential field to expand within in the future. With the transition from the familiar magnetic-stripe to the newer smart cards just around the corner, we will see more secure and convenient transactions. With the magnetic-stripe, no security is placed on the card itself - the only security is provided from the business’ point of sale terminal to the bank at the other end. With the introduction of smart cards (that contain a small microprocessor upon which a public-key cryptosystem can be installed), all cards such as credit cards, health care cards, etc., will be able to ensure security both during transmission and at the hardware level. Smart cards will certainly not have to be restricted to usage as credit cards. Much speculation has been entered into about just how far smart cards will be used in the future. The ideas of electronic cash (where a person’s purse or wallet is replaced by a single card with automatic access to funds) and health care smart cards (where a person’s medical records are stored on the card and doctors can access this instantaneously) are already hot topics of conversation amongst many.

These applications and many more are examples of where cryptography currently
plays and will potentially play a big part of every day life.

1.4 Scope of Thesis


This thesis presents all of the theory, background information and algorithms nec-
essary to implement a cryptosystem based on hyperelliptic curves over extension
fields. It focusses on the hyperelliptic curves of genus g < 10 over the Optimal
Extension Fields of a particular type as discussed in [2].
Chapter Two gives an overview of the background to the world of cryptography.
It begins with a review of papers on the topic of hyperelliptic curves, giving a discus-
sion of the major developments in the history of hyperelliptic curve cryptosystems
since their suggestion as a cryptographic technique in [26] in 1989. The next section
in Chapter Two provides a description of Optimal Extension Fields and discusses
why they have been chosen as the appropriate underlying field. Finally, the last two
sections in Chapter Two provide an overview of some of the cryptographic
algorithms currently in use and give an example cryptosystem.
The large bulk of the theory for the abstract algebra, finite field theory, elliptic
curves and hyperelliptic curves is presented in Chapter Three. In particular, the
section on hyperelliptic curves contains an in-depth description of the use of polyno-
mial and rational functions, zeros, poles and divisors. Particular emphasis is placed
on the usage of divisors as the main elements of the group, the addition operation
defined on these divisors and also how the Jacobians of hyperelliptic curves can be
used as a great source for finite abelian groups.
The implementation of the hyperelliptic curve and divisors is discussed in Chap-
ter Four along with a description of appropriate hash functions for embedding and
retrieving the message data. Chapter Five is a discussion on the program’s perfor-
mance in a variety of aspects including security and results are presented. A final
word is given in Chapter Six on the possible further developments to the system and
conclusions.
Chapter 2

Background and Previous Work

Without a doubt, cryptography has found its way into the e-commerce scene with
much gusto and significance. Although many of the number-theoretic algorithms
had been discovered long before, it wasn’t until the 1970’s that they were put to
good use in this field, due to the introduction of the Internet, and in particular the
requirement of secure transactions across it. Gone are the days of requiring secret
information to keep the plaintext message from prying eyes - instead the focus has
changed greatly towards creating cryptosystems that are secure due to the amount
of processing power required to search for the solution.
Naturally, the increase in security demands means increased information trans-
fer, with greater overhead, hence a reduction in communication efficiency. Although
in many applications, the lowering of information transfer efficiency is not as imper-
ative as the security of either customer or business information, certainly a reduced
overhead at no cost to the system’s security will undoubtedly be an advantage to
increase communication throughput. This is the motivation behind finding new
and more efficient cryptosystems that can still offer the security required, with a
reduction in communication bandwidth and possibly memory usage.

2.1 Previous Work on Hyperelliptic Curves


Since Koblitz’s 1989 paper on hyperelliptic curves [26] introduced the Jacobians
(that is, the groups of divisor classes) of hyperelliptic curves as a rich source of finite
abelian groups suitable for cryptosystems, there have been few, but very important,
papers written on the topics of hyperelliptic curve cryptosystems, their performance,
efficiency and cryptanalytic algorithms for their attack.
In particular, [34] describes the possibility of hyperelliptic curves as a further
development worth investigating in:

“Hyperelliptic curve cryptosystems have the potential to offer even further
reduced bandwidth but because of their complexity, they have not
been practically implemented. It is conceivable that, once efficient
algorithms have been constructed, hyperelliptic cryptosystems may rival
the mainstream cryptosystems, especially for bandwidth and memory
constrained applications.”

In that thesis, which concentrates on the development of elliptic curves over
Optimal Extension Fields, hyperelliptic curves play a very minor part and are only
discussed in the possible future developments of the application. Some algorithms
currently do exist, but their efficiency is yet to be analysed.
In comparison, a recent study by Smart [40] discusses the implementation of
a hyperelliptic curve digital signature algorithm, where it is concluded that

“while hyperelliptic curves are more efficient in characteristic two, they
appear to offer no practical advantage over elliptic curve systems.”

It is also stated in this reference that

“hyperelliptic cryptosystems could be efficient enough in practice to use
in real life situations.”

The paper discusses the hyperelliptic Jacobian groups as a whole, and deals with
the group elements in a very theoretical way, admitting that its implementation
generally uses field sizes that require more than a single processor word to
represent. Hence, hyperelliptic curves over Optimal Extension Fields are a case
that may offer a performance advantage.
The last major development of interest is the discovery of a sub-exponential
algorithm for solving the DLP in hyperelliptic curves of large genus over GF(p). This
obviously has immense implications if such an algorithm were to be a viable method
for decrypting information in a polynomial amount of time, rendering cryptosystems
based on such hyperelliptic curves useless. In [1], an algorithm is described
that would make hyperelliptic curves seem an unlikely choice as the basis for a
cryptosystem. That paper describes an algorithm that is particularly effective
against hyperelliptic curve cryptosystems with large genus. When considering the
effects such an algorithm would have on the hyperelliptic cryptosystem over Optimal
Extension Fields, as described in this thesis, it must be remembered that the
sub-exponential algorithm is based on cryptosystems over Prime Fields. Whether this
algorithm may be useful over Optimal Extension Fields is open to speculation. Also,
for smaller genus, the algorithm is slower than even a naive search algorithm. To
overcome this potential threat, the construction algorithm for a cryptosystem based
on hyperelliptic curves would just need to avoid curves with large genus g. To be
sure that the curve will be impervious to this particular kind of attack, when
constructing hyperelliptic curves for the cryptosystem, it will be of use to keep the
genus g < 10 over field sizes of around 32 bits. By adding in this requirement at the
initialisation of the curve, we avoid the possibility of the attack in [1] being used
efficiently to gain access to data.

2.2 Prime, Binary and Prime Extension Fields


Most work to date on elliptic and hyperelliptic curve cryptosystems based over finite
fields has been focussed on two types of fields, prime fields and binary extension
fields. These correspond to the Galois Fields of the form GF(p) (p prime) and
GF(2^m) (m positive). This is for a large number of reasons which will be covered
in the following section, along with reasons why these fields may not be as efficient
as we would like.
The types of fields are described in more detail in the theory section of this
thesis and are explained in a more mathematical context, but for the purpose of this
section, we are mainly looking at the advantages and disadvantages of one type of
field as opposed to another. We discuss in which applications prime and or binary
extension fields are used efficiently, and why we turn to the larger prime extension
fields for our field base.
The main attraction of using binary extension fields of the form GF(2^m), m
positive, is their potential use in hardware situations. By being able to represent
the elements of GF(2) in binary, using logical ‘0’ and ‘1’ signals, this approach
can increase the efficiency of addition and multiplication operations, by making
use of faster bit-wise operations in the hardware. Each operation just requires m
bit-operations on a field of size 2 and this also makes field operations easier.
The computational efficiency and advantage disappears, however, when implementing
this type of field in software. This is mostly due to the fact that the
arithmetic on most modern processors is designed to be efficient for operations with
bit length of up to the word length of the processor. This is typically ≤ 64 bits,
making 2^64 the largest possible number of elements in the Galois Field GF(2^m) using
normal integer arithmetic.
This is a similar problem facing the implementation of fields of the type GF(p),
where the prime p itself is restricted to at most 64 bits, that is, below 2^64 =
18446744073709551616. This is insufficient for the security that is needed for many
commercial applications, where the security required is closer to that which is
achieved using the GF(2^265) field.
Most modern processors do have the ability to handle larger numbers by making
use of the in-built multi-precision arithmetic capabilities. This allows the programmer
to declare and use larger integers, without the hassle of thinking about how they
are implemented in the hardware. However, using the processor’s multi-precision
arithmetic comes at a cost to time efficiency, particularly with operations having
to be reduced modulo p where p is a large prime number spanning multiple machine
words. By using the approach with prime extension fields, we can leave out
the multi-precision arithmetic, replacing it with the number theory behind extension
fields. We use m machine words, each representing an element in the field
GF(p) ≡ Z_p where p is a prime number smaller than the largest possible number
representable in the processor’s word size.

2.3 Existing Public Key Cryptosystems


Secret Key systems are potentially very powerful tools and can implement a system
that is very secure. The only problem is, of course, that if they are used across
a communication medium where the two end users wish to communicate with each
other, then both parties are required to know the secret key before communication
starts. This leads to the problem of how to get the secret key from one user to
the other without an onlooker intercepting it. Indeed, many systems implemented
even now use a public key exchange method to agree upon a secret key that will
then be used for that session. The existing Public Key cryptography methods that
will be discussed in this section are the popular RSA algorithm and the El Gamal
Cryptosystem.

2.3.1 RSA
The RSA Cryptosystem, so named after its three creators, R.L. Rivest, A. Shamir
and L. Adleman, was the first practical system to implement the Diffie-Hellman public
key model and is currently the most widely used public-key cryptosystem. It bases
its security on the fact that factorising very large numbers is a ‘hard’ problem. This
problem is the Integer Factorisation Problem discussed in Chapter One.
Algorithms 2.1 through 2.3 describe the setup process required by each user upon
initialisation of the cryptosystem and the algorithms for encryption and decryption.
In a group of users, each user must have access to each other user’s public key, whilst
retaining their own private key.
When each person in the set of users has completed the initialisation in Algorithm
2.1, Algorithms 2.2 and 2.3 may be followed for the encryption and decryption of
data.
Algorithm 2.1 (RSA User Initialisation)

INPUT: A way to generate or select large random prime numbers
OUTPUT: A public key, (n, e), and a private key, d.

1. Select or generate two large random prime numbers, p and q.

2. Compute n = pq and φ = (p − 1)(q − 1).

3. Select a random integer e, 1 < e < φ, such that gcd(e, φ) = 1.

4. Using the extended Euclidean Algorithm, find the unique integer d, 1 < d < φ,
such that ed ≡ 1 (mod φ).

5. Publish the public key, (n, e), and keep the private key, d, secret.

Algorithm 2.2 (RSA Encryption)

INPUT: The plaintext to encrypt, and the receiving user’s public key (n, e)
OUTPUT: The encrypted ciphertext.
User A sends the message to user B.

1. Using an agreed hash function, convert the plaintext into a unique integer m
in the interval [0, n − 1].

2. Compute c = m^e (mod n) and send c to user B.

Algorithm 2.3 (RSA Decryption)

INPUT: The received encrypted ciphertext and the receiver’s private key d
OUTPUT: The original plaintext.
User B receives the message from user A.

1. Use the private key to compute m = c^d (mod n).

2. Recover the plaintext by applying the inverse of the hash function from
Algorithm 2.2, returning the integer in the interval [0, n − 1] to the unique
message it represents.

The complete proof that the above cryptosystem works can be seen by the decryption
proof in [34]; however, using some simple algebra, we see that

c^d ≡ (m^e)^d ≡ m^{ed} ≡ m^{1+kφ} ≡ m (mod n),

returning back to the original message m.

Example 2.3.1.1 (An example of the RSA cryptosystem) .


This is an example of a very small RSA cryptosystem to give an overview of how a
message could be encrypted using the algorithms in this chapter.
Application of Algorithm 2.1 - RSA User Initialisation:
Firstly, we select two primes, say, p = 25169 and q = 96851 and calculate n = pq =
2437642819 and φ = (p − 1)(q − 1) = 2437545968. Hence, we are interested in the
field Z_2437642819.
Next, we select a random e = 21481, noting gcd(2437545968, 21481) = 1 and use
Euclid’s Algorithm to find the unique d such that ed ≡ 1 (mod φ). The process is
shown in Table 2.1.

a           b       q       r      s1     s2     t1           t2
2437520800  21481   113473  7287   0      1      1            0
21481       7287    2       6907   1      0      -113473      1
7287        6907    1       380    -2     1      226947       -113473
6907        380     18      67     3      -2     -340420      226947
380         67      5       45     -56    3      6354507      -340420
67          45      1       22     283    -56    -32112955    6354507
45          22      2       1      -339   283    38467462     -32112955
22          1       22      0      961    -339   -109047879   38467462

Table 2.1: Euclid’s algorithm applied to find the inverse of an integer

This gives us 1 = 961 × 2437520800 + (−109047879) × 21481, so

21481 × (−109047879) ≡ −1 (mod 2437520800)
(21481 × (−109047879))^2 ≡ 1 (mod 2437520800)
21481 × 21481 × (−109047879)^2 ≡ 1 (mod 2437520800)
21481 × 2328472921 ≡ 1 (mod 2437520800)

So, we have computed d = 2437520800 and can publish the pair (n, e) = (2437642819, 21481)
and keep the private key d = 2437520800.
Application of Algorithm 2.2 - RSA Encryption:
Now, to send a message to a person with the above public key, the sender first embeds
his or her message using a public hash function. In this example, we will use the
common hash function of setting letters to their position in the alphabet. So, the
message “hello” would become the plaintext

0805121215.

So, we say m = 805121215 is the unique integer that represents the message “hello”.
To encrypt this, we find:

c = m^e (mod n)
  = 805121215^21481 (mod 2437642819)
  = 2073052364 (mod 2437642819)

and the ciphertext information to be sent is the integer 2073052364.

Application of Algorithm 2.3 - RSA Decryption:
To decrypt the message on the receiving end, the recipient need only use their private
key and calculate:

c^d ≡ 2073052364^2427106313 (mod 2437642819)
    ≡ 805121215 (mod 2437642819)
    ≡ m (mod 2437642819)

to get back to the plaintext m = 805121215 and from there apply the inverse hash
function to get the message “hello”.
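The following Python is an added worked example, not code from the thesis or from ECCpert: it runs Algorithms 2.1 to 2.3 on the parameters of this example (p = 25169, q = 96851, e = 21481), generating the rows of Table 2.1 with the same s/t recurrences as Algorithm 3.1, reducing the Bézout coefficient of e into [1, φ) to obtain d, and applying the letter-position hash used for “hello”. The function names and the hash helpers are my own.

```python
# Added worked example (not code from the thesis or ECCpert): Algorithms 2.1-2.3
# with the page's sample parameters p = 25169, q = 96851 and e = 21481.
from math import gcd


def extended_euclid(a, b):
    """Extended Euclidean algorithm laid out as in Algorithm 3.1 / Table 2.1.

    Returns (d, m, n, rows) with d = gcd(a, b) = a*m + b*n; `rows` holds one
    (a, b, q, r, s1, s2, t1, t2) tuple per iteration, the columns of Table 2.1.
    """
    s2, t1, s1, t2 = 1, 1, 0, 0            # step 1: initial cofactors
    rows = []
    while True:
        q, r = divmod(a, b)                 # step 2: quotient and remainder
        rows.append((a, b, q, r, s1, s2, t1, t2))
        if r == 0:                          # step 3: b is the gcd, b = a0*s1 + b0*t1
            return b, s1, t1, rows
        a, b = b, r                         # step 4: shift down, update cofactors
        s1, s2 = s2 - q * s1, s1
        t1, t2 = t2 - q * t1, t1


def rsa_keygen(p, q, e):
    """Algorithm 2.1: returns ((n, e), d, phi) with e*d = 1 (mod phi)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi and gcd(e, phi) = 1")
    d_gcd, _m, n_coef, _rows = extended_euclid(phi, e)   # 1 = phi*m + e*n_coef
    assert d_gcd == 1
    d = n_coef % phi          # the Bezout coefficient may be negative: reduce into [1, phi)
    return (n, e), d, phi


def letter_hash(text):
    """The page's toy 'hash': each letter (a-z only) becomes its two-digit position."""
    return int("".join(f"{ord(ch) - ord('a') + 1:02d}" for ch in text.lower()))


def letter_unhash(value):
    """Inverse of letter_hash; restores the leading zero that the integer form drops."""
    digits = str(value)
    if len(digits) % 2:
        digits = "0" + digits
    return "".join(chr(int(digits[i:i + 2]) + ord('a') - 1)
                   for i in range(0, len(digits), 2))


def rsa_encrypt(message, public_key):
    """Algorithm 2.2: c = m^e mod n, with m the hashed message in [0, n-1]."""
    n, e = public_key
    m = letter_hash(message)
    if m >= n:
        raise ValueError("message integer must lie in [0, n-1]")
    return pow(m, e, n)


def rsa_decrypt(c, d, n):
    """Algorithm 2.3: m = c^d mod n, then undo the hash."""
    return letter_unhash(pow(c, d, n))


if __name__ == "__main__":
    public, d, phi = rsa_keygen(25169, 96851, 21481)
    print("public key (n, e) =", public, " private key d =", d, " phi =", phi)
    c = rsa_encrypt("hello", public)
    print("ciphertext =", c, " decrypts to", rsa_decrypt(c, d, public[0]))
```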

2.3.2 El Gamal Cryptosystem


There have been many public key cryptography schemes invented and implemented,
but the scheme used in ECCpert is the one first cited in [12] by T. El Gamal. This
cryptosystem, when viewed in its generalised form, can be applied to any finite group
G with group operation ◦ in which the DLP in H = {α^i : i ≥ 0} is intractable. In
[41] we see the generalised form of the El Gamal Cryptosystem, which is given in
Algorithm 2.4.
In a hyperelliptic curve cryptosystem using the El Gamal method, the group
G is quite simply the set of divisor classes described in Chapter Three and the
group operation is divisor addition, also defined in that chapter.
An important thing to recognise is that the El Gamal system leads to a message
expansion factor of 2. That is, two points (y1 and y2 ) are required to be transmitted
for a given message, x. Although this is a disadvantage when sending information,
the users need only remember their secret exponent to decipher the message.

Algorithm 2.4 (El Gamal Algorithm)

INPUT: A group, G, a generating element, α, and each user’s ability to select or
create a random integer
OUTPUT: A cryptosystem with encryption and decryption functions e(x, k) and
d(y_1, y_2), respectively.

1. Each receiving user picks a secret number i and computes β = α^i, then
publishes β.

2. The encryption function requires the sender to choose a random integer k ∈ Z_|H|,
compute and transmit e(x, k) = (y_1, y_2) = (α^k, x ◦ β^k), where x is the
point representing the message.

3. The receiving user then decrypts the sent pair by applying d(y_1, y_2) = y_2 ◦ (y_1^i)^{−1}.
Chapter 3

Theory

This chapter introduces the concepts and theory of geometric algebraic curves and
why they are so important to modern cryptosystems. To aid in the understanding
of this complex theory, some useful abstract algebra concepts are described in the
first section by introducing the concepts of groups, rings and fields. This is by no
means a complete discussion in this area, and the inexperienced reader may choose
to refer to [6] for a deeper treatment of these abstract concepts. A further reference
to note is, of course, the thesis containing the development of elliptic curves over
Optimal Extension Fields, [34]. It contains similar concepts, but in particular their
reference to the theory of elliptic curves, which is an advantage to read to gain
further understanding of the concepts in the following chapter.
Both elliptic and hyperelliptic curves have received much attention, with hyperelliptic
curve cryptosystems yet to be implemented and tested as thoroughly as their
elliptic curve counterparts have been. The section on Elliptic Curves is included
to aid the reader in understanding how points on a curve make up a finite
abelian group and also in understanding the notion of point addition. And finally,
the section on the theory of hyperelliptic curves contains much of the matter crucial
to this thesis. In fact, much of the theory presented in that section can be almost
directly taken from the original introduction to the topic by Koblitz in [26], with
some extra help from the very useful paper written in co-authorship with Menezes,
Wu and Zuccherato [32]. The latter is also included as an appendix in
Koblitz’s [25]. To discuss the concept of divisors, [33] was also chosen as a good
reference book with a slightly more appealing treatment of these abstract elements.

3.1 Abstract Algebra


Abstract Algebra is an area of pure mathematics that has come to find for itself many
applications and in particular, somewhat of a niche in the world of cryptography.


Using the concepts and theory introduced throughout this chapter, both elementary
and complex cryptosystems can be constructed, and when used in conjunction with
the algorithms of Public Key Cryptography, can become a powerful way to keep
data secure.
This section initially describes the elementary concepts behind the theory of
groups, including binary relations and the laws associated with them. Then, it
introduces the concept of rings, leading in to the particularly relevant theory of
finite fields, and especially Galois Fields and Extension Fields.

3.1.1 Elementary Concepts


Much of today’s cryptography is based heavily around the use of modern abstract
algebra where the theory of groups, fields and many of the abstract data types
used in cryptography are in fact structures taken from this area of mathematics. In
particular, the points of an elliptic curve and the divisor classes in a hyperelliptic
curve form a finite abelian group under point/divisor addition, while the points are
based over an underlying finite field.
To understand the structure of groups and fields, we first define some simple,
yet important properties of binary relations. Let S be a set of elements of the type
s1 , s2 ... sx and let ◦ be a binary operation defined on S, then the following laws
are defined:

1. commutativity: s1 ◦ s2 = s2 ◦ s1

2. associativity: (s1 ◦ s2 ) ◦ s3 = s1 ◦ (s2 ◦ s3 )

3. identity: ∃e ∈ S, ∀sx ∈ S, sx ◦ e = sx = e ◦ sx

4. inverse: ∀sx ∈ S, ∃sy , sx ◦ sy = sy ◦ sx = e

5. closure: if s1 , s2 ∈ S then (s1 ◦ s2 ) ∈ S


And, if we add a second binary operation + also defined on S, then:

6. distributivity: s1 ◦ (s2 + s3 ) = s1 ◦ s2 + s1 ◦ s3

Now, we have a set of tools with which to define the properties of our next
important structure, that of a group. Groups can be further specified as abelian
groups or subgroups of larger groups and these definitions are also included.

Definition 3.1.1.1 A Group (G, ◦) is a set G together with a binary operator ◦
with the following properties:

1. associativity

2. identity

3. inverse

4. closure

Definition 3.1.1.2 An Abelian Group (G, ◦) is a Group with the extra property of
being commutative.

Definition 3.1.1.3 Given a subset H ⊆ G, (H, ◦) is a subgroup of the group (G, ◦)
if (H, ◦) is a group itself.

With these definitions, we can discuss the further theory of rings and fields.
Before we commence that discussion, however, it is important to discuss Euclid’s
Extended Algorithm. In particular, we will be interested in this algorithm over
polynomials, so presented in Algorithm 3.1 is the generalisation of Euclid’s Extended
Algorithm. This algorithm is taken from [20].
In the following sections, there is some reference to rings, but in particular
commutative rings with identity. Because of that, we define here not only the concept
of a ring, but also one that is commutative and has an identity, which, as the name
suggests, has the same structure as a ring but includes the two extra properties.

Definition 3.1.1.4 A ring, (R, ×, +) is a set R defined with two binary operators,
× and +. The laws that hold in a ring include:

1. (R, +) is an abelian group

2. associativity for (R, ×)

3. distributivity

Definition 3.1.1.5 A commutative ring with identity, (R, ×, +) is a set R, together
with two binary operations, × and +, such that

1. (R, ×, +) is a ring

2. commutativity for (R, ×)

3. identity for (R, ×)

We see that (R, ×, +) satisfies all properties for a field except that of all non-zero
elements requiring multiplicative inverses.

Another concept of importance is that of the ideal of a commutative ring with
identity.

Algorithm 3.1 (Generalisation of Euclid’s Extended Algorithm)

INPUT: Two elements in the group, a and b.
OUTPUT: The (unique) element d = gcd(a, b) and two (unique) elements m and n
such that:
d = gcd(a, b) = am + bn

1. Set:
s2 = 1, t1 = 1, s1 = 0, t2 = 0

2. Divide a by b and set q and r to be the quotient and remainder respectively:
q = ⌊a/b⌋, r = a − qb

3. If r = 0, then the algorithm terminates and outputs:
gcd = b, m = s1, n = t1

4. Set
a = b, b = r
temp = s2, s2 = s1, s1 = temp − q·s1
temp = t2, t2 = t1, t1 = temp − q·t1
and then repeat by going back to step 2.

Definition 3.1.1.6 The ideal, I, of a commutative ring with identity, R, is an
additive subgroup, I ⊆ R, where ra ∈ I for all a ∈ I and for every r ∈ R. That
is, the ideal is closed under addition and subtraction and also multiplication by any
element of R.

Also of importance are the concepts of polynomial and quotient rings. When
dealing with polynomial rings and in particular their elements, the usual definitions
apply to their degree and whether they are monic, divide another polynomial or are
irreducible, as you would expect from normal polynomials.

Definition 3.1.1.7 A polynomial ring over the field F in the set x = {x_1, ..., x_m} is
denoted F[x] and consists of all finite sums of products of powers of x_1, ..., x_m with
coefficients in F.

Definition 3.1.1.8 A quotient ring is the quotient of a ring and one of its ideals.
For example, the quotient ring with respect to a ring R modulo some integer n is
denoted R/nR and

R/nR ≅ F_{p_1} ⊗ F_{p_2} ⊗ … ⊗ F_{p_k}

where

n = ∏_{i=1}^{k} p_i

With the definitions of the elementary structures presented, we can now move
on to the important concept of finite fields.

3.1.2 Finite Fields


By far the most relevant and important of the elementary constructs associated with
abstract algebra are fields, in particular finite ones. This is because the plaintext
is embedded in the elements of these fields. Then, a series of well-defined
actions are taken on these elements, outputting elements of the same field from
which the ciphertext can be extracted.
We begin with a discussion of fields themselves including definitions of the char-
acteristic of such a field, and its algebraic closure.

Definition 3.1.2.1 A field (F, ×, +) is a set F defined with two binary operators
(denoted × and + here because of the intuitive laws that exist pertaining to normal
‘multiplication’ and ‘addition’). These laws include:

1. commutativity for both (F, ×) and (F, +)

2. associativity for both (F, ×) and (F, +)

3. distributivity

4. identity for + in F (denoted 0)

5. identity for × in F\{0} (denoted 1)

6. inverse for + in F

7. inverse for × in F\{0}

Definition 3.1.2.2 If there exists a prime number p such that the identity 1 added
to itself p times equals the zero element of a field F and p is the minimum such
number, then the characteristic of F is defined as char(F) = p. If such a number
does not exist, then char(F) = 0.

The concept of an algebraic closure is an important one when dealing with hyper-
elliptic curves. The very definition of hyperelliptic curves, discussed later, requires
the notion of a coordinate system of two elements in the algebraic closure of a field.

Definition 3.1.2.3 The algebraic closure of a field F is the smallest algebraically
closed extension field of F and is denoted F̄. An algebraically closed field is one which
has the property that every polynomial with coefficients in F factors completely into
linear factors.
Let F_q be a finite field containing q elements, q = p^n, p prime. If K is a field, then
we let K̄ denote its algebraic closure. If K = F_q then K̄ = ∪_{m≥1} F_{q^m}.

In particular, we are interested in the theory of finite fields. These fields are more
commonly known as Galois Fields and are denoted GF (x). They are described in
more detail in [5]. We need only define one more type of field before giving an
example of a Galois Field that could be used in a (small!) cryptosystem.

Definition 3.1.2.4 If F is a field, an Extension Field of F is a field having F as a
subfield.

To give an example of the theory of finite fields, Example 3.1.2.5, let us select an
underlying finite field that will be relevant when considering the kinds of fields that
the hyperelliptic curves in ECCpert are defined over. That is, let us select a finite
field of the form GF(p^m) where this field is an Optimal Extension Field.

Example 3.1.2.5 We will take p = 3 and m = 4, and make use of the fact that
x^4 + x + 2 is an irreducible polynomial over Z_3 to get the field
F_{3^4} = F_3[x]/(x^4 + x + 2).
Now, we let α be a primitive root of the above polynomial, such that α^4 + α + 2 = 0,
or in other words, α^4 = 2α + 1.
Table 3.1 lists the powers of α. Remember that the field contains these elements
as well as the zero element.
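As an added example (not the thesis’s or ECCpert’s code) covering both Algorithm 3.1 over polynomials and Example 3.1.2.5, the following Python implements arithmetic in F_3[x]/(x^4 + x + 2): it reproduces Table 3.1 by repeated multiplication by α, confirms that α has multiplicative order 80 = 3^4 − 1 (so the quotient ring is a field and α is primitive), and inverts elements with the polynomial form of the extended Euclidean algorithm. The coefficient-list representation and the helper names are my own.

```python
# Added example, not code from the thesis or ECCpert: arithmetic in the field
# F_{3^4} = F_3[x]/(x^4 + x + 2) of Example 3.1.2.5, with inversion by the
# polynomial form of Algorithm 3.1. Polynomials are coefficient lists, lowest
# degree first; field elements are padded to length M.
P = 3                          # characteristic: the prime subfield is Z_3
MOD_POLY = [2, 1, 0, 0, 1]     # x^4 + x + 2
M = len(MOD_POLY) - 1          # extension degree m = 4

def trim(f):
    """Drop leading zero coefficients; the zero polynomial becomes []."""
    f = list(f)
    while f and f[-1] == 0:
        f.pop()
    return f

def poly_sub(f, g, p=P):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return trim([(a - b) % p for a, b in zip(f, g)])

def poly_mul(f, g, p=P):
    out = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % p
    return trim(out)

def poly_divmod(f, g, p=P):
    """Long division in Z_p[x]; p is prime, so the leading coefficient of g is invertible."""
    f, g = trim(f), trim(g)
    if not g:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = pow(g[-1], p - 2, p)
    q = [0] * max(len(f) - len(g) + 1, 0)
    while f and len(f) >= len(g):
        shift = len(f) - len(g)
        coef = (f[-1] * inv_lead) % p
        q[shift] = coef
        f = poly_sub(f, [0] * shift + [(coef * c) % p for c in g], p)
    return trim(q), f

def poly_ext_gcd(a, b, p=P):
    """Algorithm 3.1 over Z_p[x]: returns (d, m, n) with d = gcd(a, b) = a*m + b*n."""
    s2, t1, s1, t2 = [1], [1], [], []          # step 1 (the zero polynomial is [])
    while True:
        q, r = poly_divmod(a, b, p)            # step 2
        if not r:                              # step 3: b is the gcd
            return b, s1, t1
        a, b = b, r                            # step 4
        s1, s2 = poly_sub(s2, poly_mul(q, s1, p), p), s1
        t1, t2 = poly_sub(t2, poly_mul(q, t1, p), p), t1

def pad(f):
    return f + [0] * (M - len(f))

def field_mul(f, g):
    """Product of two field elements reduced modulo x^4 + x + 2 (so α^4 = 2α + 1)."""
    return pad(poly_divmod(poly_mul(f, g), MOD_POLY)[1])

def field_inv(f):
    """Inverse from MOD_POLY*m + f*n = c (a non-zero constant): f^-1 = c^-1 * n."""
    d, _m, n = poly_ext_gcd(MOD_POLY, trim(f))
    if len(d) != 1:
        raise ValueError("gcd is not a constant, so MOD_POLY would be reducible")
    c_inv = pow(d[0], P - 2, P)
    return pad(poly_divmod([(c_inv * x) % P for x in n], MOD_POLY)[1])

def power_table():
    """α^0, α^1, ... until α^n returns to 1 (Table 3.1 lists α^0 .. α^79)."""
    one, alpha = pad([1]), pad([0, 1])
    powers, cur = [one], alpha
    while cur != one:
        powers.append(cur)
        cur = field_mul(cur, alpha)
    return powers

def poly_str(f):
    """Render [1, 2, 0, 1] as 'α^3 + 2α + 1', the notation of Table 3.1."""
    terms = []
    for k in range(len(f) - 1, -1, -1):
        c = f[k]
        if c:
            coef = "" if c == 1 and k else str(c)
            terms.append(coef + ("" if k == 0 else "α" if k == 1 else f"α^{k}"))
    return " + ".join(terms) or "0"

if __name__ == "__main__":
    table = power_table()
    print(f"α has order {len(table)} = 3^4 - 1: α is primitive and the ring is a field")
    for n, elem in enumerate(table):
        print(f"{n:2d}  {poly_str(elem)}")
    print("α^-1 =", poly_str(field_inv(table[1])))
```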

Now that we have discussed fields in general, and the idea of Galois and extension
fields, we can introduce the field of choice in this thesis and discuss its benefits.

3.2 Optimal Extension Fields


Having introduced the topic of extension fields, we now introduce a special type of
extension field first presented in great detail in [2]. The motivation for this type of
field is explained in the section on prime and binary fields in the preceding chapter:
the need to use the faster integer arithmetic but still generate key sizes larger than
that of a machine word in length. So, we are interested in the fields of type GF(p^m)
where p and m conform to a particular kind of integer. Firstly, the integer p needs to
be less than but close to the word size of the processor to take maximum advantage
of the system. Secondly, we define an OEF as follows:

 n  α^n                       n  α^n                        n  α^n
 0  1                        27  α^3 + 2α^2 + α            54  α^2 + α
 1  α                        28  2α^3 + α^2 + 2α + 1       55  α^3 + α^2
 2  α^2                      29  α^3 + 2α^2 + 2α + 2       56  α^3 + 2α + 1
 3  α^3                      30  2α^3 + 2α^2 + α + 1       57  2α^2 + 1
 4  2α + 1                   31  2α^3 + α^2 + 2α + 2       58  2α^3 + α
 5  2α^2 + α                 32  α^3 + 2α^2 + 2            59  α^2 + α + 2
 6  2α^3 + α^2               33  2α^3 + α + 1              60  α^3 + α^2 + 2α
 7  α^3 + α + 2              34  α^2 + 2α + 2              61  α^3 + 2α^2 + 2α + 1
 8  α^2 + α + 1              35  α^3 + 2α^2 + 2α           62  2α^3 + 2α^2 + 1
 9  α^3 + α^2 + α            36  2α^3 + 2α^2 + 2α + 1      63  2α^3 + 2α + 2
10  α^3 + α^2 + 2α + 1       37  2α^3 + 2α^2 + 2α + 2      64  2α^2 + 2
11  α^3 + 2α^2 + 1           38  2α^3 + 2α^2 + 2           65  2α^3 + 2α
12  2α^3 + 1                 39  2α^3 + 2                  66  2α^2 + α + 2
13  2α + 2                   40  2                         67  2α^3 + α^2 + 2α
14  2α^2 + 2α                41  2α                        68  α^3 + 2α^2 + α + 2
15  2α^3 + 2α^2              42  2α^2                      69  2α^3 + α^2 + α + 1
16  2α^3 + α + 2             43  2α^3                      70  α^3 + α^2 + 2α + 2
17  α^2 + 2                  44  α + 2                     71  α^3 + 2α^2 + α + 1
18  α^3 + 2α                 45  α^2 + 2α                  72  2α^3 + α^2 + 1
19  2α^2 + 2α + 1            46  α^3 + 2α^2                73  α^3 + 2α + 2
20  2α^3 + 2α^2 + α          47  2α^3 + 2α + 1             74  2α^2 + α + 1
21  2α^3 + α^2 + α + 2       48  2α^2 + 2α + 2             75  2α^3 + α^2 + α
22  α^3 + α^2 + 2            49  2α^3 + 2α^2 + 2α          76  α^3 + α^2 + α + 2
23  α^3 + α + 1              50  2α^3 + 2α^2 + α + 2       77  α^3 + α^2 + α + 1
24  α^2 + 1                  51  2α^3 + α^2 + 2            78  α^3 + α^2 + 1
25  α^3 + α                  52  α^3 + 2                   79  α^3 + 1
26  α^2 + 2α + 1             53  α + 1

Table 3.1: Non-zero elements of the finite field described by F_{3^4} = F_3[x]/(x^4 + x + 2)
in powers of α.

Definition 3.2.0.6 An Optimal Extension Field is a (finite) Galois Field of the
form GF(p^m) where the following constraints apply to p and m:

1. p is a pseudo-Mersenne prime (a prime of the form 2^n ± c, for some log_2 c ≤ n/2).

2. There exists an irreducible polynomial P(x) = x^m − ω over GF(p).

The approach in [2] further defines Optimal Extension Fields by describing two
different categories of OEFs. A ‘Type I OEF’ has p = 2^n ± 1 while a ‘Type II OEF’
has an irreducible binomial x^m − 2 and has much faster subfield modular reduction.
This is due to the multiplications by ω = 2 being able to be done with shifts instead
of integer multiplication.

By comparison, the field multiplication of [2] appears to be the fastest, by more than
a factor of two. OEFs take advantage of the fast finite field arithmetic optimisations
available on microprocessors commonly found in workstations.

3.3 Elliptic Curves


It is important to gain an understanding of the theory of elliptic curves when im-
plementing either elliptic or hyperelliptic curve cryptosystems. Hyperelliptic curves
can just be viewed as a generalisation of elliptic curves, with elliptic curves hav-
ing genus 2. Much work has been published on the theory and practice of elliptic
curves, yet hyperelliptic curves have not yet received as much attention. As such,
this section on elliptic curves is included in this thesis to give an understanding of
the geometric relevance of these curves, to describe the point addition operation,
and to show that the points on such a curve in fact do form an abelian group over
point addition.

3.3.1 Elliptic Curve theory


We begin our elliptic curve theory by introducing the definition of an elliptic curve.
In particular, many papers on the usage of elliptic curves for cryptographic purposes
further define a particular type of elliptic curve where the characteristic of the un-
derlying field, char(F) > 3. Further discussion in this chapter will be limited to this
type of elliptic curve. This definition follows:

Definition 3.3.1.1 An elliptic curve, E, over a field F, is the set of solutions (x, y)
of the equation:

E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6,   a_i ∈ F.

This is known as the Weierstrass form. However, when char(F) > 3 this
simplifies to

E : y^2 = x^3 + ax + b,   a, b ∈ F.   (3.1)

The set of solutions to the above equation, together with a point at infinity, which
we label ∞, form the abelian group we are looking for. To show that it is an abelian
group, we first define the identity of the group, the inverse of an element and the
addition operation on the set of points with a given number of rules. We can then
show the addition is both commutative and associative, hence showing its abelian
nature. This addition can be thought of geometrically initially, however, further
rules are given for the mathematical addition that is used in the implementation.
3.3. ELLIPTIC CURVES 27

The identity of the group is defined as the point at infinity, ∞. The inverse of a
point P = (x, y) will be denoted −P and can be obtained by setting −P = (x, −y)
in the case of an elliptic curve with char(F) > 3. The inverse of ∞, the infinity
point, is ∞ itself. Now the addition on the set of points on the curve can be defined.
Given two points on the curve, P, Q ∈ E, we define addition as follows:

1. If P = ∞ then P + Q = ∞ + Q = Q

2. If Q = ∞ then P + Q = P + ∞ = P

3. If P = −Q then P + Q = ∞

4. If P ≠ ∞ and Q ≠ ∞ and P ≠ −Q and P ≠ Q then let R be the point of
intersection where the line PQ and the elliptic curve E meet. Then P + Q = R.

5. If P ≠ ∞ and Q ≠ ∞ and P ≠ −Q and P = Q then let R be the point of
intersection where the line tangent to E at P and the elliptic curve E meet.
Then P + Q = R.

The case where two distinct non-infinity points are added is shown graphically
in Figure 3.1 while Algorithm 3.2 further defines the addition of points on an elliptic
curve, in a mathematical context.

Figure 3.1: Addition on the elliptic curve y² = x³ − 7x

With this definition, we can see that each addition will only have one solution, as
the cubic nature of the equation of the curve E ensures that there are no more than
3 points on any straight line through the curve, with the other rules above ensuring
that special cases of point addition, such as those including the point at infinity,
follow the rules for identity and inverses in a group.

Algorithm 3.2 (Mathematical Addition of Points on an Elliptic Curve) .

INPUT: Two points, P1 = (x1, y1) and P2 = (x2, y2) on the curve

OUTPUT: A point, P3 = (x3, y3) = P1 + P2 also on the curve

1. If P1 = ∞ then return P3 = P2.

2. If P2 = ∞ then return P3 = P1.

3. If P1 = −P2, that is x1 = x2 and y1 = −y2, then return P3 = ∞.

4. If P1 = P2 (doubling) then set

λ = (3x1² + a) / (2y1)

Otherwise, P1 ≠ P2 (addition) and set

λ = (y2 − y1) / (x2 − x1)

where a is the corresponding coefficient in the curve equation, (3.1).

5. Set

x3 = λ² − x1 − x2

and

y3 = λ(x1 − x3) − y1

It can be shown that this set of points is both associative and commutative,
although the proof is quite a lengthy and tedious process and is not shown here.
For a complete proof and a deeper treatment of elliptic curves in both the affine
and projective coordinates, see [13]. When computing the above algorithm, it is
necessary to realise that inverses of points, which we denote −P because we are
dealing with the addition operation, can be easily obtained by finding the second
solution at the x-coordinate. For example, if P = (x, y) then P⁻¹ = −P = (x, −y).
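As an added example (not code from the thesis or from ECCpert), the following Python implements Algorithm 3.2 for the curve of Figure 3.1, y² = x³ − 7x, over GF(53) (the field is an assumption, chosen to match Figure 3.3), and checks the group properties claimed above by brute force: inverses, commutativity, associativity, and that the group order times any point gives ∞.

```python
# Added example: Algorithm 3.2 over a small prime field (constructed values).
P_MOD = 53                         # assumed field GF(53)
A_COEF, B_COEF = (-7) % P_MOD, 0   # y^2 = x^3 - 7x, the curve of Figure 3.1
INF = None                         # the point at infinity


def inv_mod(x):
    """x^-1 mod p by Fermat's little theorem (p prime, x not 0 mod p)."""
    return pow(x % P_MOD, P_MOD - 2, P_MOD)


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P_MOD == 0


def neg(pt):
    """Inverse of a point: -(x, y) = (x, -y) and -inf = inf (char(F) > 3)."""
    if pt is INF:
        return INF
    x, y = pt
    return (x, (-y) % P_MOD)


def add(p1, p2):
    """Point addition following the five steps of Algorithm 3.2."""
    if p1 is INF:                                   # step 1
        return p2
    if p2 is INF:                                   # step 2
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:         # step 3: P1 = -P2
        return INF                                  # (also doubling a point with y = 0)
    if p1 == p2:                                    # step 4, doubling
        lam = (3 * x1 * x1 + A_COEF) * inv_mod(2 * y1) % P_MOD
    else:                                           # step 4, addition
        lam = (y2 - y1) * inv_mod(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD              # step 5
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """Scalar multiplication k*P by double-and-add, i.e. repeated Algorithm 3.2."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def all_points():
    """Brute-force enumeration of E(GF(p)), including the point at infinity."""
    pts = [INF]
    for x in range(P_MOD):
        for y in range(P_MOD):
            if on_curve((x, y)):
                pts.append((x, y))
    return pts


def group_order():
    return len(all_points())
```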

Having addressed all of the criteria for an abelian group, we can say that elliptic
curves of the above format and with the above definition of addition, form a finite
abelian group when the underlying field is finite. As a result, they and their hy-
perelliptic counterparts are a large source of the types of groups that are needed to
implement cryptosystems over finite abelian groups.

3.4 Hyperelliptic Curves


To fully understand the theory required for the cryptosystem implemented and
reported in this thesis, we first must explore the theory of hyperelliptic curves and
the points on these types of curves. A detailed discussion of divisors, reduced divisors
and rational functions is also needed. The reason hyperelliptic curves have been
considered for application to cryptography is that, by defining the somewhat obscure
entities known as divisors (described later in this chapter), hyperelliptic curves
become a large source of finite abelian groups, which is exactly what this type of
cryptosystem requires.
Many of the theoretical definitions, lemmas and theorems discussed in this sec-
tion of the chapter are taken from [32], an excellent source for the theory and
structure of hyperelliptic curve cryptosystems. It discusses not only the theory it-
self, presented here in the following few sections, but also provides enough examples
throughout the text to help the reader gain an understanding of the theory. Much
of the theory in this reference has been taken from the initial paper by Koblitz in
[26] but presented in a much less complicated and palatable fashion. Another valu-
able source has been [25] which not only discusses a brief overview of hyperelliptic
curves, but also many abstract algebra concepts and cryptosystems based on such
combinatorial-algebraic concepts.

3.4.1 Geometric Basics


Like elliptic curves, the concept of hyperelliptic curves is much easier to grasp if they
are initially thought of in the geometric sense. It is easy to visualise a curve in two-
dimensional space and from there begin to add the notion of finite underlying fields,
divisor classes and addition implementation. Firstly, we define the hyperelliptic
curve itself, along with a definition of the term singular points as required.

Definition 3.4.1.1 A hyperelliptic curve H of genus g (g ≥ 1) over a field F is
comprised of the set of solutions (u, v) ∈ F̄ × F̄ of the equation:

H : v² + h(u)v = f(u) (3.2)

together with an infinity point, ∞, where the following constraints hold:

1. deg(h(u)) ≤ g,

2. deg(f(u)) = 2g + 1,

3. f(u) is a monic polynomial,

4. there are no singular points on H.

Definition 3.4.1.2 A singular point on a hyperelliptic curve is a point (u, v) ∈
F̄ × F̄ that is a solution to the curve equation (3.2) and simultaneously satisfies the
two partial derivative equations

1. 2v + h(u) = 0 and

2. h′(u)v − f′(u) = 0

These definitions may not seem totally intuitive; however, many of the con-
straints placed on the requirements for a hyperelliptic curve ensure that the points
can be used to form the divisors that make up the finite abelian groups for use with
modern cryptosystems. This will be discussed later in this chapter. For now, Figure
3.2 shows an example of a hyperelliptic curve in the real plane whilst Figure 3.3
shows the same hyperelliptic curve equation over the finite field GF(53) ≡ Z53.
Points on the hyperelliptic curve H are specified with a u- and a v-coordinate.
Every u-coordinate on the hyperelliptic curve will have two points and hence two
v-coordinates associated with it, as indicated by the v² in the hyperelliptic equation.
In this case, the two values of v may be different, depending on the choice of the
polynomial h(u), as discussed below.

Definition 3.4.1.3 Let P be an F-rational point of the hyperelliptic curve H. Then
P̃ is defined as the opposite of P, where P̃ is the other point on the curve with the
same u-coordinate. That is, P̃ = (u, −v − h(u)). If P = ∞, then P̃ = P.

We can see quite clearly that if h(u) = 0 then the equation becomes v 2 = f (u).
Hence, when h(u) = 0, one solution is the negative of the other and the two v-
coordinates are v and −v.
There are a few definitions of types of points that need to be declared for use
later on in this chapter. The following definition is here as an aid to categorise the
different types of points that exist on a hyperelliptic curve. Remember that because
these are all different types of points on the hyperelliptic curve, none of them can
also be singular.
Figure 3.2: The hyperelliptic curve, y² = x⁵ − 5x³ + 4x, over the real numbers

Definition 3.4.1.4 Any point, P = (x, y), on a hyperelliptic curve can be cate-
gorised as one or more of the following types of points:

1. The point at infinity which is denoted as P = ∞.

2. A finite point is any point that is not the point at infinity.

3. An F-rational point of the hyperelliptic curve H over the field F, is either the
point at ∞ or a solution (x, y) ∈ F × F of the equation (3.2).

4. A special point is a point such that P̃ = P, that is, the point P is its own
opposite.

5. An ordinary point is a point that is not special, that is, P̃ ≠ P.

This concludes the theory behind the geometric aspects of hyperelliptic curves.
With this information, we can go on to construct more abstract concepts that will
be used in the generation of the finite abelian groups associated with hyperelliptic
curve cryptosystems.

Figure 3.3: The hyperelliptic curve, y² = x⁵ − 5x³ + 4x, over GF(53) = Z53
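As an added example (not the thesis's code), the following Python enumerates the F-rational points of the Figure 3.3 curve y² = x⁵ − 5x³ + 4x over GF(53), tests conditions 1 to 3 of Definition 3.4.1.1, the singular-point equations of Definition 3.4.1.2, and the opposite and special points of Definitions 3.4.1.3 and 3.4.1.4; the field, curve and coefficient-list representation are constructed here. Since h(u) = 0 and the characteristic is odd, a singular point must have v = 0 at a root of f(u), and all five roots of this f(u) lie in GF(53), so testing F-rational candidates is a complete singularity check for this particular curve.

```python
# Added example: points and singularity checks for the Figure 3.3 curve (constructed values).
P_MOD = 53                        # assumed field GF(53)
GENUS = 2
H = []                            # h(u) = 0; the zero polynomial is the empty list
F = [0, 4, 0, -5 % P_MOD, 0, 1]   # f(u) = u^5 - 5u^3 + 4u, coefficients lowest degree first


def degree(poly):
    idx = [i for i, c in enumerate(poly) if c % P_MOD]
    return max(idx) if idx else -1


def peval(poly, x):
    """Horner evaluation of a coefficient list at x in GF(p)."""
    acc = 0
    for c in reversed(poly):
        acc = (acc * x + c) % P_MOD
    return acc


def pderiv(poly):
    """Formal derivative, for the partial derivatives of Definition 3.4.1.2."""
    return [(i * c) % P_MOD for i, c in enumerate(poly)][1:]


def curve_constraints_hold():
    """Conditions 1-3 of Definition 3.4.1.1; condition 4 is singular_points() == []."""
    return (degree(H) <= GENUS and degree(F) == 2 * GENUS + 1
            and F[degree(F)] % P_MOD == 1)


def rational_points():
    """Finite F-rational points (u, v) with v^2 + h(u)v = f(u) (Definition 3.4.1.4, type 3)."""
    pts = []
    for u in range(P_MOD):
        hu, fu = peval(H, u), peval(F, u)
        pts += [(u, v) for v in range(P_MOD) if (v * v + hu * v - fu) % P_MOD == 0]
    return pts


def opposite(pt):
    """The opposite point P~ = (u, -v - h(u)) of Definition 3.4.1.3."""
    u, v = pt
    return (u, (-v - peval(H, u)) % P_MOD)


def is_special(pt):
    """A special point is its own opposite (Definition 3.4.1.4, type 4)."""
    return opposite(pt) == pt


def singular_points():
    """F-rational points satisfying both partial-derivative equations of Definition 3.4.1.2."""
    dh, df = pderiv(H), pderiv(F)
    return [(u, v) for (u, v) in rational_points()
            if (2 * v + peval(H, u)) % P_MOD == 0
            and (peval(dh, u) * v - peval(df, u)) % P_MOD == 0]
```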

3.4.2 Polynomial and Rational Functions


The theory in this section is given as a background to the properties of polynomial
and rational functions that will be required in the succeeding sections of this chapter.
The notion of coordinate rings and the degree of polynomial and rational functions
will also be introduced.

Definition 3.4.2.1 The coordinate ring of H over F, F[H], is the quotient ring:

F[H] = F[u, v]/(v² + h(u)v − f(u))

where (v² + h(u)v − f(u)) denotes the ideal in F[u, v] generated by the polynomial
v² + h(u)v − f(u). Similarly, the coordinate ring of H over F̄, F̄[H], is the quotient
ring:

F̄[H] = F̄[u, v]/(v² + h(u)v − f(u)).

Definition 3.4.2.2 An element of the coordinate ring of H over F̄, F̄[H], is called
a polynomial function on H.

Lemma 3.4.2.3 The polynomial v² + h(u)v − f(u) is irreducible over F̄.

PROOF: If v² + h(u)v − f(u) = (v − a(u))(v − b(u)) then deg_u(a · b) = deg_u(f) =
2g + 1 and deg_u(a + b) = deg_u(h) ≤ g, which is impossible.
We observe that for any given polynomial function, G(u, v) ∈ F[H], we can
repeatedly replace any instance of v 2 with f (u) − h(u)v, so all such polynomial
functions can be reduced to a (unique) representation of the form:

G(u, v) = a(u) − b(u)v where a(u), b(u) ∈ F[u] (3.3)

With this in mind, we add three definitions. We define the degree on a polynomial
function and describe two further constructs, the conjugate and norm of G(u, v) in
the (reduced) form above.

Definition 3.4.2.4 Let G(u, v) = a(u) − b(u)v ∈ F̄[H] be a non-zero polynomial
function. The degree of G is defined as:

deg(G) = max {2 deg(a(u)), 2g + 1 + 2 deg(b(u))}.

Definition 3.4.2.5 Let G(u, v) = a(u) − b(u)v be a polynomial function in F̄[H].
The conjugate of G(u, v) is defined to be the polynomial function Ḡ(u, v) = a(u) +
b(u)(h(u) + v).

Definition 3.4.2.6 Let G(u, v) = a(u) − b(u)v be a polynomial function in F̄[H].
The norm of G(u, v) is defined to be the polynomial function N(G) = GḠ.

If we take a look at what the norm of a polynomial function actually gives us in
terms of the original variables, we get:

N(G) = GḠ
= (a(u) − b(u)v)(a(u) + b(u)(h(u) + v))
= a²(u) + a(u)b(u)h(u) − b²(u)(v² + h(u)v)
= a²(u) + a(u)b(u)h(u) − b²(u)f(u)

The norm of a polynomial function is a useful concept when wanting to transform
questions about polynomials in two variables to questions about polynomials in one
variable. Notice the replacement of v² + h(u)v with the polynomial f(u), as per
equation (3.2), in the very last step so as to remove all instances of the variable v.
The norm of a polynomial function is a polynomial in F̄[u] and the norm of G(u, v)
is clearly the same as the norm of Ḡ(u, v).
We now move our discussion to rational functions. Rational functions are es-
sentially just the elements of the field of fractions of the coordinate ring of H over
F.

Definition 3.4.2.7 The function field F(H) of H over F is the field of fractions of
F[H]. The elements of F(H) are called rational functions on H.

Definition 3.4.2.8 The rational function R is said to be defined at the point P ∈
H, P ≠ ∞, if there exist polynomial functions G, H ∈ F[H] such that R = G/H
and H(P) ≠ 0. Then, the value of R at P is defined as R(P) = G(P)/H(P).

Definition 3.4.2.9 Let R = G/H ∈ F(H) be a rational function, then

1. If deg(G) < deg(H) then the value of R at ∞ is defined to be R(∞) = 0.

2. If deg(G) > deg(H) then R is not defined at ∞.

3. If deg(G) = deg(H) then R(∞) is defined to be the ratio of the leading coefficients
(with respect to the degree function) of G and H.

3.4.3 Zeros and Poles


Similar to the previous section on polynomial and rational functions, this section on
poles and zeros concentrates on a small but important area of the theory required to
understand the notion of divisors and implement them in a cryptosystem requiring
large finite abelian groups. Beginning with the definition of a zero and a pole in this
respect, we then state and prove Lemma 3.4.3.2.

Definition 3.4.3.1 Let R ∈ F(H) be a non-zero rational function and let P ∈ H
be a point on H. The following defines zeroes and poles:

1. If R(P) = 0 then R is said to have a zero at P.

2. If R(P) is not defined at P then R is said to have a pole at P.


Lemma 3.4.3.2 Let G ∈ F[H] be a non-zero polynomial function and let P ∈ H
be a point on H. If G(P) = 0, then Ḡ(P̃) = 0.

PROOF: Let G(u, v) = a(u) − b(u)v and P = (x, y). Then Ḡ(u, v) = a(u) + b(u)(v +
h(u)) and P̃ = (x, −y − h(x)) and

Ḡ(P̃) = a(x) + b(x)(−y − h(x) + h(x))
= a(x) − b(x)y
= G(P)
= 0.

3.4.4 Divisors
Probably the most important abstract concept required for the implementation of
a hyperelliptic curve cryptosystem is the divisor. Understanding the theory and
use of these elements is essential in the implementation of the finite abelian groups
they make up, in particular in reference to the Jacobian of a hyperelliptic curve.
The concept of a divisor is very abstract, yet understandable with some well-based
definitions as given below. Although the addition of divisors will not be as intuitive
as the addition of the points on an elliptic curve, we can still show that the Jacobian,
made up of some of these divisors, indeed does form a finite abelian group, under
divisor addition.

Definition 3.4.4.1 A divisor on a hyperelliptic curve, H, is defined as a finite
formal sum of F-rational points, D = Σ mi Pi, where mi ∈ Z. The set of all
divisors is denoted D.

Now, having defined the divisor base element, we introduce the concepts of their
degree, their order at a given point and the greatest common divisor between two
divisors.

Definition 3.4.4.2 The degree of a divisor, D, is the sum of the coefficients, deg(D) =
Σ mi. The subgroup D0 of D is the set of all divisors of degree 0.

Definition 3.4.4.3 The order of the divisor D at the point Pi is the integer mi
and is denoted ordPi(D) = mi.

Definition 3.4.4.4 The greatest common divisor of D1 = Σ mi Pi, D2 = Σ ni Pi ∈ D0
is defined as:

gcd(D1, D2) = Σ min(mi, ni) Pi − (Σ min(mi, ni)) ∞.

A divisor D ∈ D can be broken up into parts by defining, for example, the
positive part of D as D+ = Σ_{mi>0} mi Pi, and we can say that D ≥ 0 if D = D+. If
we set D₀ = D − (deg D)∞, then we get D₀ ∈ D0. Hence, we can imagine the above
definition of the gcd of two divisors as being gcd(D1, D2) = (Σ min(mi, ni) Pi)₀ ∈ D0. It
is these divisors we are particularly interested in, in the next few definitions.
Now, we define a new set of divisors that make use of the theory related in the
section on rational functions. We begin with a definition of the support of a divisor.
This is then used for the definition of a semi-reduced divisor.

Definition 3.4.4.5 The support of a divisor D is the set supp(D) = {Pi ∈ H | mi ≠ 0}.

Definition 3.4.4.6 A Semi-Reduced Divisor is a divisor of the form
D = Σ mi Pi − (Σ mi)∞, where the following constraints hold:

1. mi ≥ 0

2. all points Pi are finite points

3. if Pi ∈ supp(D) and Pi ≠ P̃i then P̃i ∉ supp(D)

4. if Pi ∈ supp(D) and Pi = P̃i then mi = 1

The last main concept in this section is that of a principal divisor. This leads
on to the equivalence of divisors.

Definition 3.4.4.7 A principal divisor is a divisor of the form div(G(u, v)) − div(H(u, v)),
that is the divisor of the rational function G(u, v)/H(u, v). This means D = div(R)
for some non-zero rational function R ∈ F(H). The set of all principal divisors is
denoted P, and is a subgroup of D0.

Definition 3.4.4.8 D1 , D2 ∈ D0 are said to be equivalent divisors, denoted by


D1 ∼ D2 , if D1 − D2 ∈ P. That is, the divisors D1 and D2 are equal when con-
sidered as elements of the Jacobian.

The reason we are interested in the use of divisors in cryptography is because
these sets of divisors form large finite abelian groups. For example the set of all
divisors, denoted D, forms an additive group under the addition rule:

Σ mi Pi + Σ ni Pi = Σ (mi + ni) Pi.

The subgroup, D0 of D, is also an additive group under the same addition rule.

3.4.5 Jacobian
Much emphasis is placed, throughout papers on hyperelliptic curve cryptosystems,
on addition in the Jacobian of the hyperelliptic curve. When comparing cryptosys-
tems based on elliptic and hyperelliptic curves, one question becomes immediately
apparent - why work within the Jacobian group of a hyperelliptic curve? Firstly, let
us define exactly what is meant by the Jacobian.

Definition 3.4.5.1 Once again, let F̄ be the algebraic closure of F. Also let P
denote the subgroup of principal divisors coming from G, H ∈ F̄[u, v] and let D0 be
the group of divisors of degree zero defined over F̄. Then the Jacobian of the curve
is the quotient group J = D0/P.

The set, J(F), of all divisor classes in J that have a representative defined over F
is a subgroup of J. Each divisor in J(F) has a unique reduced divisor representation,
div(a(u), b(u)), a(u), b(u) ∈ F[u] and deg(a(u)) ≤ g, deg(b(u)) ≤ deg(a(u)). Hence,
the elements in J(F) form an abelian group under divisor addition, which is described
in the following sections.

3.4.6 Reduced Divisors


Reduced Divisors are an important set of divisors in this context, as they are a
unique way to represent each coset in the quotient group J(F) = D0 /P. In this
section we not only define the term reduced divisor, but also give an algorithm for
getting from a semi-reduced divisor to its (unique) reduced divisor representation.
Definition 3.4.6.1 A semi-reduced divisor D = Σ mi Pi − (Σ mi)∞ is known as
a reduced divisor if Σ mi ≤ g where g is the genus of H.

Reduced divisors being as important as they are, it is very useful to have an


algorithm to ‘reduce’ any semi-reduced divisor. There are three known algorithms,
Gauss Reduction, Cantor Reduction and Lagrange reduction [38]. The algorithm
used in this implementation is taken from the appendix in [25].

Algorithm 3.3 (Reduction of a divisor to a Reduced Divisor) .

INPUT: A semi-reduced divisor, D = (a, b)

OUTPUT: The equivalent reduced divisor, D′ = (a′, b′) ∼ D

1. Set

a′ = (f − bh − b²)/a

and

b′ = (−h − b) (mod a′).

2. If deg_u a′ > g then set a = a′, b = b′ and go to step 1.

3. Let c be the leading coefficient of a′. Set a′ = c⁻¹ a′.

4. Output D′ = (a′, b′).

From Algorithm 3.3, we see that there is only one possible divisor element as the
outcome and hence, we can say that the reduced divisor is unique. This is stated in
Theorem 3.4.6.2.

Theorem 3.4.6.2 For each divisor D ∈ D0, there exists a unique reduced divisor,
D′, such that D ∼ D′.

This result is important when dealing with the elements in this group, and in
particular, we know that each and every divisor will have a unique representation as
a reduced divisor. Hence, when adding divisors in the hyperelliptic curve Jacobian,
we can employ the tactic shown in Algorithm 3.4 in the following section, followed
immediately by a reduction of the resulting divisor, using Algorithm 3.3.

3.4.7 Adding Divisors


The algorithms presented in [26] for the addition of semi-reduced divisors and the
reduction of semi-reduced divisors to the equivalent reduced divisor are mirrored in
the appendix of [25] and formalised in [32]. All references in the literature reviewed,
to the addition of divisors on a hyperelliptic curve return to this initial reference and
hence, the algorithm presented originally by Koblitz is implemented in this thesis.
If D1 = div(a1, b1) and D2 = div(a2, b2) are two reduced divisors defined over
F, then Algorithm 3.4 finds a semi-reduced divisor D3 = div(a3, b3) such that D3 ∼
D1 + D2, where ai, bi ∈ F[u] for i = 1, 2, 3. To find the unique reduced divisor, D3′ ∼ D3,
Algorithm 3.3 should be used just after the addition of the two divisors.
Algorithm 3.3 thus reduces the divisor obtained, D3, to its unique equivalent
reduced divisor, D3′.

Algorithm 3.4 (Addition defined over the Group of Divisors) .

INPUT: Two semi-reduced divisors, D1 = div(a1, b1) and D2 = div(a2, b2), both
defined over F (i.e. a1, b1, a2, b2 ∈ F[u]).

OUTPUT: A semi-reduced divisor, D3 = div(a3, b3) defined over F such that D3 ∼
D1 + D2.

1. Using Euclid’s algorithm, find polynomials d1, e1, e2 ∈ F[u] where d1 =
gcd(a1, a2) and d1 = e1 a1 + e2 a2.

2. Using Euclid’s algorithm, find polynomials d2, f1, f2 ∈ F[u] where d2 =
gcd(d1, b1 + b2 + h) and d2 = f1 d1 + f2 (b1 + b2 + h).

3. Let s1 = f1 e1, s2 = f1 e2 and s3 = f2, so that d2 = s1 a1 + s2 a2 + s3 (b1 + b2 + h).

4. Set

a = a1 a2 / d2²

and

b = (s1 a1 b2 + s2 a2 b1 + s3 (b1 b2 + f)) / d2 (mod a).
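As an added example (not the thesis's C/C++ code), the following Python implements Algorithm 3.4 (addition) and Algorithm 3.3 (reduction) in the div(a, b) representation for the genus-2 curve of Figure 3.3 over GF(53); the reduction loop tests deg(a) > g before the first step, so an already reduced input is only made monic. The field, curve, coefficient-list polynomial helpers and test points are constructed here and are assumptions of the example.

```python
# Added example: Cantor-style divisor addition and reduction (constructed values).
P_MOD = 53                        # assumed field GF(53), as in Figure 3.3
GENUS = 2
H = []                            # h(u) = 0; polynomials are coefficient lists, lowest degree first
F = [0, 4, 0, -5 % P_MOD, 0, 1]   # f(u) = u^5 - 5u^3 + 4u
ZERO = ([1], [])                  # identity of the Jacobian: div(1, 0)


def trim(a):
    """Reduce coefficients mod p and drop leading zeros ([] is the zero polynomial)."""
    a = [c % P_MOD for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a


def deg(a):
    return len(a) - 1             # the zero polynomial gets degree -1


def padd(a, b):
    n = max(len(a), len(b))
    return trim([x + y for x, y in zip(a + [0] * (n - len(a)), b + [0] * (n - len(b)))])


def psub(a, b):
    return padd(a, [-c for c in b])


def pmul(a, b):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] += x * y
    return trim(r)


def pdivmod(a, b):
    """Long division in GF(p)[u]: returns (q, r) with a = q*b + r and deg r < deg b."""
    a, b = trim(a), trim(b)
    inv_lead = pow(b[-1], P_MOD - 2, P_MOD)
    q = [0] * max(len(a) - len(b) + 1, 0)
    while a and len(a) >= len(b):
        c = a[-1] * inv_lead % P_MOD
        shift = len(a) - len(b)
        q[shift] = c
        a = psub(a, [0] * shift + [c * y for y in b])
    return trim(q), a


def pxgcd(a, b):
    """Extended Euclid for polynomials: (d, s, t) with d = s*a + t*b and d monic."""
    r0, r1, s0, s1, t0, t1 = trim(a), trim(b), [1], [], [], [1]
    while r1:
        q, r = pdivmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, psub(s0, pmul(q, s1))
        t0, t1 = t1, psub(t0, pmul(q, t1))
    c = pow(r0[-1], P_MOD - 2, P_MOD)
    return tuple(trim([c * x for x in poly]) for poly in (r0, s0, t0))


def exact_div(a, b):
    q, r = pdivmod(a, b)
    assert r == [], "the divisions in Algorithms 3.3 and 3.4 are exact"
    return q


def div_add(D1, D2):
    """Algorithm 3.4: a semi-reduced divisor D3 ~ D1 + D2."""
    a1, b1 = D1
    a2, b2 = D2
    d1, e1, e2 = pxgcd(a1, a2)                        # 1. d1 = e1 a1 + e2 a2
    d2, f1, f2 = pxgcd(d1, padd(padd(b1, b2), H))     # 2. d2 = f1 d1 + f2 (b1 + b2 + h)
    s1, s2, s3 = pmul(f1, e1), pmul(f1, e2), f2       # 3. d2 = s1 a1 + s2 a2 + s3 (b1 + b2 + h)
    a = exact_div(pmul(a1, a2), pmul(d2, d2))         # 4. a = a1 a2 / d2^2
    num = padd(padd(pmul(pmul(s1, a1), b2), pmul(pmul(s2, a2), b1)),
               pmul(s3, padd(pmul(b1, b2), F)))
    b = pdivmod(exact_div(num, d2), a)[1]             #    b = num / d2 (mod a)
    return a, b


def div_reduce(D):
    """Algorithm 3.3: the unique reduced divisor D' ~ D (deg a <= g, a monic)."""
    a, b = D
    while deg(a) > GENUS:                                         # 2. repeat while deg a' > g
        a = exact_div(psub(psub(F, pmul(b, H)), pmul(b, b)), a)   # 1. a' = (f - b h - b^2) / a
        b = pdivmod(psub([], padd(H, b)), a)[1]                   #    b' = (-h - b) mod a'
    c = pow(a[-1], P_MOD - 2, P_MOD)                              # 3. make a' monic
    return trim([c * x for x in a]), b


def point_divisor(x, y):
    """Reduced divisor of a single finite point (x, y): div(u - x, y)."""
    return ([(-x) % P_MOD, 1], trim([y]))


def opposite(D):
    """The opposite divisor div(a, -b - h mod a), so that D + opposite(D) ~ 0."""
    a, b = D
    return a, pdivmod(psub([], padd(H, b)), a)[1]


def valid(D):
    """div(a, b) is semi-reduced iff a divides b^2 + h b - f, deg b < deg a and a is monic."""
    a, b = D
    rel = psub(padd(pmul(b, b), pmul(H, b)), F)
    return pdivmod(rel, a)[1] == [] and deg(b) < deg(a) and a[-1] == 1
```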
Chapter 4

Implementation

This chapter discusses the implementation details of a hyperelliptic curve cryp-


tosystem over Optimal Extension Fields. Over the next sections, data structures
and algorithm details are presented for the three main areas that are required to be
implemented, the underlying Optimal Extension Fields, the hyperelliptic curve and
divisors. The implementation of divisors includes defining an algorithm for their
addition.
The implementation in [34] used Microsoft Visual C/C++ as the compiler of
choice and used the template Microsoft Foundation Classes to set up a Microsoft
Windows application, with the view of making ECCpert an application that would
be useful to business. The recommended requirements to run ECCpert are that of
a PC with a Pentium II 300MHz with 32MB of RAM.
To continue the thesis, code was written in C/C++ with subfield operations such
as dividemodp in C and classes such as polynomial in C++. The overall ‘look’ of
the application was left unchanged except to cater for an ‘Advanced Settings’ menu.

4.1 Optimisation of Preceding Software


The first task in the implementation of this thesis was to modify the software pre-
sented in [34] to suit the current application. This involved much testing and de-
bugging but as a result, the files common to both applications now allow for use
with both. In many cases, the modifications included overloading of class operators
or adding some more error-checking. For example:

friend Poly operator+ (const Poly& a, const Poly& b);


friend Poly operator+ (const Poly& a, const int& b);

In the subfield code, Euclid’s Extended Algorithm was implemented to compute
the inverse of an integer, mod p. This algorithm was then used in the function
dividemodp which computes a/b (mod p) = ab⁻¹ (mod p) by first finding the inverse
of b. Example code is shown in Figure 4.1 and the algorithm can be verified from
Algorithm 3.1.

/*
 * dividemodp calculates a/b mod p, where a,b are integers.
 * Note, ONLY for positive integers AND p prime.
 */

/* modular multiply helper; the figure as printed called an external mmult() */
static int mmult(int x, int y, int p) {
    long long r = ((long long)x * y) % p;
    return (int)(r < 0 ? r + p : r);
}

int dividemodp(int a, int b, int p) {
    int q, r, s1, s2, t1, t2, temp;
    int m = p, n = b;   /* working copies, so the numerator a is not clobbered */

    // use euclid's algorithm in Zp to get b^(-1) mod p
    // start by getting gcd(p, b); (s1, t1) are the coefficients of p and b
    // in the current remainder, (s2, t2) those of the previous remainder
    q = m / n;
    r = m % n;
    s1 = 0; s2 = 1;
    t1 = 1; t2 = 0;
    while (r != 0) {
        m = n;
        n = r;
        temp = s2; s2 = s1; s1 = temp - q * s1;
        temp = t2; t2 = t1; t1 = temp - q * t1;
        q = m / n;
        r = m % n;
    }
    // so now we have s1*p + t1*b == 1 (gcd(p, b) = 1 as p is prime), so
    // t1 == b^(-1) mod p, and using that a/b mod p = a*(b^(-1)) mod p:
    temp = mmult(t1 % p + p, a, p);   /* t1 may be negative: lift it into [0, p) first */
    return temp;
}

Figure 4.1: Implementation of Euclid’s algorithm in dividemodp

The other elementary algorithm used in this implementation is that of finding


the greatest common divisor of polynomials. This was done by modifying slightly
the algorithm in [20] which also makes use of Euclid’s Extended Algorithm, this
time applied to polynomials.

4.2 Optimal Extension Fields


For the implementation of the underlying OEFs, the same approach was used as in
[34]. This is because both implementations are over Optimal Extension Fields as
described in [2]. The underlying class, Poly, was used, and furthermore, the class
polynomial was modelled in the same way. The Poly class is used to contain an
element of the underlying GF(p^m) field as well as define all operations on that type
of element. Each GF(p^m)-element is represented as an array of m integers. Because
this kind of structure is used many times throughout the class definitions, it has
been defined as the type poly and referred to throughout the Poly class. The class
declaration of the header file is included in Figure 4.2.
The Poly class holds an array of m integers whose maximum value is p. The
polynomial class, on the other hand, is an array of variable length of Poly objects, rep-
resenting the coefficients of a larger polynomial. These polynomials are used for
representing polynomial functions as well as the polynomials f(u) and h(u) of the
hyperelliptic curve.
The structure of the class polynomial is not dissimilar to that of the Poly class,
with the extra bit of information being the degree of the polynomial. A snippet of
this class is given in Figure 4.3.

4.3 Hyperelliptic Curves


To implement hyperelliptic curve cryptosystems, few algorithms and many data
structures are required and although not much has been presented in the way of
example implementations, there are certainly many papers on the algorithms which
can be used.
The hyperelliptic curve structure used in this implementation is basically a con-
tainer for the three parameters which uniquely define a hyperelliptic curve. These
are the genus g (an integer) and the two polynomials h(u) and f (u) that make up
the equation of the hyperelliptic curve given in Equation 3.2.

typedef struct {
    int g;          // genus
    polynomial h;   // deg <= g
    polynomial f;   // deg = 2g+1, monic
} hyper;

This structure can be used to work out the irreducible polynomial v² + h(u)v − f(u)
for use when reducing polynomial functions to the form

G(u, v) = a(u) − b(u)v where a(u), b(u) ∈ F[u].

typedef int* poly;

class Poly
{
    poly fn;
public:
    Poly() {fn = (poly)calloc(vars.M, sizeof(int));}
    Poly(poly a)
        {fn = (poly)calloc(vars.M, sizeof(int)); copy_poly(fn, a, vars);}
    Poly& operator= (int *a)
        {copy_poly(fn, a, vars); return *this;}
    Poly& operator= (const Poly& a)
        {copy_poly(fn, a.fn, vars); return *this;}
    int& operator[](int i)
        {return fn[i];}
    friend Poly operator+ (const Poly& a, const Poly& b);
    friend Poly operator+ (const Poly& a, const int& b);
    friend Poly operator+ (const int& a, const Poly& b);
    friend Poly operator- (const Poly& a);
    friend Poly operator- (const Poly& a, const Poly& b);
    friend Poly operator* (const Poly& a, const Poly& b);
    friend Poly operator* (const Poly& a, const int& b);
    friend Poly operator* (const int& a, const Poly& b);
    friend Poly operator/ (const Poly& a, const Poly& b);
    friend Poly operator% (const Poly& a, const Poly& b);
    friend ostream& operator<<(ostream& s, const Poly& a);
    friend Poly operator^ (const Poly& a, const int& b);
    friend Poly operator^ (const Poly& a, const Big& b);
    friend Poly operator>> (const Poly& a, const int& b);
    friend BOOL operator== (const Poly& a, const int& b);
    friend BOOL operator== (const Poly& a, const Poly& b);
    friend BOOL operator!= (const Poly& a, const int& b);
    friend BOOL operator!= (const Poly& a, const Poly& b);
    ~Poly() {;}
private:
};

Figure 4.2: Implementation of the Poly class



class polynomial
{
    int degree;
    polynomial thePolynomial;

    ...

    similar operators to Poly

    ...

};

Figure 4.3: Extract from the Implementation of the polynomial class

4.4 Divisors
Possibly, the most difficult concept to physically grasp in this thesis, is the concept
of the divisor. Divisors are abstract quantities we chose to construct to make it
easier to manipulate the finite sums of points on the hyperelliptic curve. Much of
the derivation of the theory for divisors is long and tedious, and as such has not
been included in this thesis. Instead, we concentrate mainly on the algorithms that
exist for the addition/reduction of these divisors. We recall that each divisor can be
uniquely represented by two polynomial functions, D1 = div(a(u), b(u)). Hence, the
following structure was used in this implementation to contain these two polynomial
functions and make working with divisors a little less painful.

typedef struct {
    polynomial a;
    polynomial b;
} divisor;

This use of the divisor structure allows us to declare the two main operations
on divisors as described in Algorithms 3.3 and 3.4: divisor reduction and addition.
Divisor addition takes two semi-reduced divisors and outputs a semi-reduced divisor
that is equivalent to the addition of the input divisors. This output is not necessarily
a reduced divisor. The divisor reduce algorithm takes a semi-reduced divisor and
outputs the unique reduced divisor. Hence, with a call to those two functions, in
that order, we can implement the group operation.
The code and flowcharts for these algorithms are included in Appendix A, how-
ever below is an example of the declaration of these functions, showing that using
the classes and container structures created, algorithms manipulating divisors seem
intuitive and can be abstracted away from the underlying structures.

divisor divaddition(divisor div1, divisor div2);


divisor divreduce(divisor div);

The flowcharts for divaddition and divreduce are given in Appendix A as


Figures A.1 and A.3 and the code sections in Figures A.2 and A.4.
Chapter 5

Performance

When evaluating and comparing the performance of various cryptosystems, “. . . with-


out a doubt the two major benchmarks are security and efficiency” [9]. Security
evaluation is a very theoretical analysis of just how ‘difficult’ a problem is and how
long it is ‘expected’ that a cryptanalyst would take to solve the problem. Efficiency,
however, relates to the actual amount of overhead required to transmit information
that is secure. This chapter discusses the security and efficiency of cryptosystems
based on hyperelliptic curves over Optimal Extension Fields.

5.1 Evaluation
This section conducts a reflective evaluation on the performance of hyperelliptic
curve cryptosystems over Optimal Extension Fields. This is broken up into evalua-
tion of security and efficiency.

5.1.1 Security
A cryptosystem’s security is a difficult parameter to quantify. Security requirements
are varied and differ remarkably from application to application. For example,
a recent factorisation of the 155-digit (512-bit) RSA challenge number using the
general number field sieve took a calendar equivalent time of no less than 7.4 months!
Thus, the complexity of the encryption algorithm varies greatly with the required
security of the application.
The study of security is not a concrete science. Unfortunately, there is no math-
ematical problem for which it can be absolutely proven that the best possible algo-
rithm would take exponential time. Hence, security of cryptosystems depends on
the algorithms in existence at the time of assessment.
Throughout this document, references have been made to the difficulty of the
problem to be solved. Whether or not a problem is a ‘hard’ one depends greatly
on the algorithms that exist to solve the problem. This has been discussed in much
further depth in Section 1.3.3. Much study has been done on the time constraints of
algorithms which could be used by a cryptanalyst faced with the task of attacking
both the RSA and elliptic curve cryptosystems. At the present moment, several
algorithms exist which attack RSA in sub-exponential time; however, even
the most efficient algorithm for the DLP over elliptic curves has running time
proportional to the square root of the number of points on the curve. This undoubtedly
becomes impractically difficult for large elliptic curves.
The security of hyperelliptic curve cryptosystems is a topic that has not received
much notice, since their introduction to the field is recent (1989, in [26]). Some
attacks do exist, however, including a sub-exponential algorithm for solving the
Discrete Logarithm Problem in hyperelliptic curves of large genus, proposed in [1].
This algorithm is for cryptosystems over prime fields, and is only efficient for
hyperelliptic curves of high genus.

5.1.2 Efficiency
When discussing the efficiency of a public key cryptosystem, the three main factors
to be taken into account are computational overhead, key size and bandwidth
considerations. Computational overhead is the amount of work that must be done
to generate and perform operations on the private and public keys. The key size is
simply the size of the key in bits, and bandwidth considerations regard how much
actual information (in bits) is required to transfer an entire ciphertext message.
To evaluate the efficiency of hyperelliptic curves, it is important to analyse the
average number of field multiplications and inversions. An excellent comparison
between hyperelliptic curves over GF(p) and GF(2^m) is given in [38]. It takes into
consideration the number of field multiplications and inversions in a scalar
multiplication and the efficiency of the field operations. The number of operations
depends on the genus of the curve and on the characteristic of the field it is defined
over, while the efficiency of the field operations depends on the size of the field,
log_2 q, the word size of the processor and the properties of the processor’s
architecture.
Table 5.1 gives the average number of field operations for the fields GF(p) and
GF(2^m) and Table 5.2 gives the expected speed of group operations in the Jacobian.

                      Addition
                      multiplications        inversions
J(F_p), g even        17g^2 + 3g - 3         (3/2)g + 3
J(F_p), g odd         17g^2 + 4g - 2         (3/2)g + 7/2
J(F_{2^m}), g even    14g^2 + 4g - 1         (3/2)g + 2
J(F_{2^m}), g odd     14g^2 + 5g             (3/2)g + 5/2

Table 5.1: Average number of field operations for the full addition of divisors [38]

g   J(F)          Addition                   160-bit scalar multiplication
3   J(F_p)        163 M_p + 8 I_p            39920 M_p + 1760 I_p
    J(F_{2^m})    137 M_2m + 7 I_2m          18000 M_2m + 1360 I_2m
4   J(F_p)        281 M_p + 9 I_p            68080 M_p + 2000 I_p
    J(F_{2^m})    239 M_2m + 8 I_2m          37840 M_2m + 1280 I_2m
5   J(F_p)        443 M_p + 9.5 I_p          106640 M_p + 2120 I_p
    J(F_{2^m})    375 M_2m + 10 I_2m         59920 M_2m + 1600 I_2m

Table 5.2: Expected speed of group operations in the Jacobian [38]. M and I denote
one multiplication and one inversion in the given field.

5.2 Discussion
To give an idea of just how much more efficient cryptosystems based on elliptic curves
are than the traditional RSA types, Figure 5.1 plots key size against the amount of
time required to break the key, taken from [9].


From the figure, we can see that not only are elliptic curve cryptosystems more
efficient (smaller keysize for the same security), but the security gap between them
and RSA-style cryptosystems increases with larger keysizes.
50 CHAPTER 5. PERFORMANCE

Figure 5.1: Comparison of security levels [9]


Chapter 6

Further Developments and Conclusions

This chapter suggests some possible improvements to the implementation presented
in this thesis as well as finishing off with some closing remarks.

6.1 Further Developments


This implementation of a cryptosystem based on hyperelliptic curves over Optimal
Extension Fields implements the basic techniques and algorithms presented in [26]
and further explained in subsequent papers [32] and [25]. As a result of the relatively
new nature of this field, there are many aspects of the design of hyperelliptic curve
cryptosystems that are not fully reported upon. There is much room for improve-
ment and this section describes just a few areas where the ideas in this thesis could
be taken further.

Choice of Algorithms Where possible, optimised algorithms have been used and
their origin referenced in this thesis. However, many problems for which no
precedent was found have been solved in a simplistic way and would greatly
benefit from algorithm optimisation. Further research into better mathematical
solutions could be beneficial to the overall efficiency of the application.

Optimisation of Implementation Not only can the mathematical aspect be considered
for optimisation, but also the way in which the algorithms are implemented in the
code. Some areas that could use some improvement are:

• The selection of a hyperelliptic curve. There are strict parameters specified
for the selection of hyperelliptic curves in many papers; however, there does
not appear to be a clear and simple algorithm for the selection of one such
random curve.
• The subfield multiplication within the Optimal Extension Fields could
be greatly improved for efficiency.
• A faster subfield division which doesn’t need to find the greatest common
divisor could be designed and implemented.
• If an optimisation of the implementation of the greatest common divisor
method could be found, then that would greatly improve the efficiency of
divaddition and dividemodp. Since dividemodp is used in the division
operator of the Poly class, all division operations involving Poly’s would
be sped up.

Extension of Classes The treatment of the polynomial class in this thesis was
very simplistic and naive. This class could be greatly extended to include the
full functionality for the class of polynomials. Methods and operators were only
written as they were needed for this application; however, a full implementation
of this class would greatly aid any extension at a later date. Also, further
methods could be created within the class to make accessing information on
the polynomial easier.

Portability The application itself was written in Microsoft Visual C++ for the
Windows Operating System. For some applications, this may be inappropriate
and the application could be ported to other operating systems and may even
be implemented in an embedded system environment for use in things such as
automatic teller machines or smart cards.

Communication The program is a stand-alone encryption application that allows
the user to encrypt data in one file and output to another. This is a fairly limited
capability and is not really as useful as you would expect a cryptosystem to be.
Further functionality could be implemented to include many different applications
such as the transmitting and receiving of encrypted data between the application
and another session of the same application on another computer, for example in
a business LAN, or to a common server.

These are just a few of the areas that this thesis could be extended upon to
further study the practicality of cryptosystems based on hyperelliptic curves over
Optimal Extension Fields.

6.2 Conclusions
This thesis has presented the relevant material for the implementation of a
hyperelliptic curve cryptosystem over Optimal Extension Fields. It has defined the
initialisation of the cryptosystem and the methods for encryption and decryption
of information using the El Gamal techniques. This encryption and decryption of
information is conducted over a group of divisor classes in the Jacobian of the
hyperelliptic curve, and the methods for implementing the group operation (divisor
addition) are described.
This thesis has demonstrated the motivation for the study of hyperelliptic curves
and shown that they can be a feasible encryption technique. This, coupled with
the use of Optimal Extension Fields, makes the implementation in this thesis of
great value. With the considerations presented in Chapter Five and the further
developments suggested earlier in this chapter, it is conceivable that hyperelliptic
curve cryptosystems could provide a commercially secure alternative to elliptic curve
cryptosystems, with efficiency at least equal to that of elliptic curves, if not better.
Appendix A

Divisor Manipulation

This appendix includes flowcharts and code for the divisor operations divaddition
and divreduce.

A.1 Divisor Addition

The technique in Algorithm 3.4, Divisor Addition, is represented here graphically, as
a flowchart in Figure A.1. The code written for the implementation of this algorithm
is given as C++ code in Figure A.2.

A.2 Divisor Reduction

The technique in Algorithm 3.3, Divisor Reduction, is represented here graphically,
as a flowchart in Figure A.3. The code written for the implementation of this
algorithm is given as C++ code in Figure A.4.


Figure A.1: The Divisor Addition algorithm



/*
 * divaddition
 *
 * INPUT: Takes two divisors, div1 and div2, represented by two
 * polynomial functions each
 * OUTPUT: Returns (a) semi-reduced divisor (equivalent to)
 * div3 ~ div1 + div2
 *
 * Uses the algorithm introduced by Koblitz[1989] and clarified by
 * Menezes/Wu/Zuccherato[1996] with a slight alteration at step
 * three. Note that the output is NOT a reduced divisor; to get
 * a reduced divisor, divreduce should be run after this function.
 */
divisor divaddition(divisor div1, divisor div2) {
    euclid temp;        // extended Euclid result: gcd, first, second
    Poly a, b;
    divisor ret;

    //step 1: d1 = gcd(a1, a2) = e1*a1 + e2*a2
    temp = gcd(div1.a, div2.a);
    Poly d1 = temp.gcd;
    Poly e1 = temp.first;
    Poly e2 = temp.second;

    //step 2: d = gcd(d1, b1 + b2 + h) = c1*d1 + c2*(b1 + b2 + h)
    Poly d2 = div1.b + div2.b + theCurve.h;
    temp = gcd(d1, d2);
    Poly d = temp.gcd;
    Poly c1 = temp.first;
    Poly c2 = temp.second;

    //skip step 3 (s1 = c1*e1, s2 = c1*e2, s3 = c2) and just do all
    //computation in step 4 without needing extra variables:
    //a = a1*a2 / d^2,  b = (s1*a1*b2 + s2*a2*b1 + s3*(b1*b2 + f)) / d  mod a
    a = (div1.a * div2.a) / (d * d);
    b = c1*e1*div1.a*div2.b + c1*e2*div2.a*div1.b
        + c2*(div1.b*div2.b + theCurve.f);
    b = b / d;                  // exact division by d
    b = reducePoly(a, b);       // b mod a
    ret.a = a;
    ret.b = b;
    return ret;
}

Figure A.2: The code for divaddition



Figure A.3: The Divisor Reduction algorithm



/*
 * divreduce
 *
 * INPUT: A semi-reduced divisor div represented by two
 * polynomial functions
 * OUTPUT: The (unique) reduced divisor that is ~ (equivalent
 * to) the input divisor.
 *
 * Returns the reduced divisor that is equivalent to the input
 * divisor. Uses the second main algorithm introduced by
 * Koblitz[1989] and clarified by Menezes/Wu/Zuccherato[1996].
 * This function is commonly used in conjunction with the
 * divaddition function to add divisors and get a
 * reduced divisor answer.
 */
divisor divreduce(divisor div) {
    divisor ret;
    Poly a, b, a1, b1;

    //copy variables from input
    a = div.a;
    b = div.b;

    //step 1 inside the loop for step 2: repeat while deg a1 > g
    while(true) {
        a1 = (theCurve.f - b*theCurve.h - b*b) / a;   // exact division
        b1 = (-theCurve.h - b) % a1;
        if(a1.getDegree() <= theCurve.g)
            break;
        a = a1;
        b = b1;
    }

    //step 3: make a1 monic by dividing by its leading coefficient
    a1 = a1 * inverse(a1[a1.getDegree()]);

    //step 4 return
    ret.a = a1;
    ret.b = b1;
    return ret;
}

Figure A.4: The code for divreduce
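As an added example (not the thesis's code), the two appendix routines carried through in Python on a constructed toy curve, y^2 = x^5 + x + 1 over F_11 (h = 0, genus 2), with a minimal polynomial arithmetic layer standing in for the thesis's Poly class. The prime, the curve and the points used are assumptions chosen so the results can be checked by hand; p = 11 gives no security whatsoever.

```python
# Added example, not the thesis's code: Cantor/Koblitz divisor addition and
# reduction on a constructed toy genus-2 curve y^2 = f(x) over F_p with h = 0.
# p = 11 is far too small for any security; it only keeps results hand-checkable.
P, G = 11, 2                  # prime field F_p and genus g (assumed toy values)
F = [1, 1, 0, 0, 0, 1]        # f(x) = x^5 + x + 1, coefficients lowest degree first
# Polynomials over F_p: coefficient lists, lowest degree first, no leading zeros.
def trim(a):
    while a and a[-1] % P == 0: a.pop()
    return a
def add(a, b):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % P for i in range(n)])
def neg(a): return [(-c) % P for c in a]
def sub(a, b): return add(a, neg(b))
def scale(a, c): return trim([(x * c) % P for x in a])
def mul(a, b):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % P
    return trim(r)
def divmod_(a, b):
    """Quotient and remainder of a by a nonzero polynomial b."""
    a, q, inv = a[:], [0] * max(len(a) - len(b) + 1, 1), pow(b[-1], P - 2, P)
    while len(a) >= len(b):
        k, c = len(a) - len(b), a[-1] * inv % P
        q[k] = c
        for i, y in enumerate(b):
            a[i + k] = (a[i + k] - c * y) % P
        trim(a)                    # the leading term just cancelled
    return trim(q), a
def xgcd(a, b):
    """Monic d = gcd(a, b) and u, v with u*a + v*b = d (extended Euclid)."""
    r0, r1, s0, s1, t0, t1 = a, b, [1], [], [], [1]
    while r1:
        q, r = divmod_(r0, r1)
        r0, r1, s0, s1, t0, t1 = r1, r, s1, sub(s0, mul(q, s1)), t1, sub(t0, mul(q, t1))
    inv = pow(r0[-1], P - 2, P)
    return scale(r0, inv), scale(s0, inv), scale(t0, inv)

def divreduce(a, b):
    """Koblitz reduction: a' = (f - b^2)/a, b' = -b mod a' until deg a <= g, then monic."""
    while len(a) - 1 > G:
        a = divmod_(sub(F, mul(b, b)), a)[0]   # exact division for a valid divisor
        b = divmod_(neg(b), a)[1]
    return scale(a, pow(a[-1], P - 2, P)), b

def divaddition(D1, D2):
    """Cantor composition (Menezes/Wu/Zuccherato form, h = 0) followed by reduction."""
    (a1, b1), (a2, b2) = D1, D2
    d1, e1, e2 = xgcd(a1, a2)              # e1*a1 + e2*a2 = d1
    d, c1, c2 = xgcd(d1, add(b1, b2))      # c1*d1 + c2*(b1 + b2) = d
    s1, s2, s3 = mul(c1, e1), mul(c1, e2), c2
    a = divmod_(mul(a1, a2), mul(d, d))[0]
    num = add(add(mul(mul(s1, a1), b2), mul(mul(s2, a2), b1)), mul(s3, add(mul(b1, b2), F)))
    return divreduce(a, divmod_(divmod_(num, d)[0], a)[1])

def is_reduced(D):
    """Mumford form check: a monic, deg a <= g, deg b < deg a and a | f - b^2."""
    a, b = D
    return a[-1] == 1 and len(a) - 1 <= G and len(b) < len(a) and \
        divmod_(sub(F, mul(b, b)), a)[1] == []
```

A divisor is the pair (a, b) of coefficient lists; the divisor of a single point (x0, y0) is ([-x0 mod p, 1], [y0]) and the identity is ([1], []).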


Bibliography

[1] L. Adleman, J. De Marrais, M.D. Huang. A Sub-exponential Algorithm for
Discrete Logarithms over the Rational Subgroup of the Jacobians of Large
Genus Hyperelliptic Curves Over Finite Fields, Algorithmic Number Theory,
LNCS 877, pp. 28-40, 1994.

[2] Daniel V. Bailey, Christof Paar. Optimal Extension Fields for Fast Arithmetic
in Public-Key Algorithms, Crypto ‘98, Santa Barbara, California USA, August
1998, pp. 472-485.

[3] S. A. Barbulescu, S. S. Pietrobon. Turbo Codes: A Tutorial on a New Class
of Powerful Error Correcting Coding Schemes, Part 1: Code Structures and
Interleaver Design, Journal of Electrical & Electronics Engineering, Australia,
Vol. 19, No. 3, pp. 129-142, 1999.

[4] S. A. Barbulescu, S. S. Pietrobon. Turbo Codes: A Tutorial on a New Class of
Powerful Error Correcting Coding Schemes, Part 2: Decoder Design and
Performance, Journal of Electrical & Electronics Engineering, Australia, Vol. 19,
No. 3, pp. 143-152, 1999.

[5] J. R. Bastida. Field Extension and Galois Theory, Encyclopedia of Mathematics
and its Applications, Vol. 22, Addison-Wesley, 1984.

[6] E. J. Billington et al. Discrete Mathematics: Logic and Structures, 2nd Ed.,
Longman Cheshire, 1993.

[7] M. E. Briggs. An Introduction to the General Number Field Sieve. Master of
Science Thesis, Virginia Polytechnic Institute, 1998.

[8] Certicom. An Introduction to Information Security.
http://www.certicom.com/research/wecc1.html (7th October 2000).

[9] Certicom. Current Public-Key Cryptographic Systems.
http://www.certicom.com/research/wecc2.html (7th October 2000).

[10] Certicom. Remarks on the Security of the Elliptic Curve Cryptosystem.
http://www.certicom.com/research/wecc3.html (7th October 2000).

[11] W. Diffie, M.E. Hellman. New Directions in Cryptography, IEEE Transactions
on Information Theory, IT-22:644-654, 1976.

[12] T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on
Discrete Logarithms, IEEE Transactions on Information Theory, 31:469-472, 1985.

[13] A. Enge. Elliptic Curves and their Applications to Cryptography, An
Introduction, Kluwer Academic Publishers, USA, 1999.

[14] R. Harasawa, J. Shikata, J. Suzuki, H. Imai. Comparing the MOV and FR
Reductions in Elliptic Curve Cryptography, EuroCrypt, pp. 190-205, 1999.

[15] T. Hasegawa, J. Nakajima, M. Matsui. A Practical Implementation of Elliptic
Curve Cryptosystems over GF(p) on a 16-bit Microcomputer, Public Key
Cryptography, pp. 182-194, 1998.
http://www.mitsubishi.com/ghp japan/misty/main.pdf (30th March 2000).

[16] IEEE P1363/D10 (Draft Version 13). Standard Specifications for Public Key
Cryptography, New York USA, 1999.

[17] D. P. Jablon. Elliptic Curve Cryptography, Integrity Sciences Inc, 1997.
http://world.std.com/ dpj/elliptic.html (30th March 2000).

[18] B. Jones. MP315 Lecture Notes, University of Queensland, 1999.

[19] A. Knapp. Elliptic Curves, Princeton University Press, Princeton, 1992.

[20] Donald E. Knuth. The Art of Computer Programming, Volume 1: Fundamental
Algorithms, 3rd Edition, Addison-Wesley, USA, 1997.

[21] Donald E. Knuth. The Art of Computer Programming, Volume 2: Seminumerical
Algorithms, 3rd Edition, Addison-Wesley, USA, 1998.

[22] Donald E. Knuth. The Art of Computer Programming, Volume 3: Sorting and
Searching, 3rd Edition, Addison-Wesley, USA, 1997.

[23] T. Kobayashi, H. Morita, K. Kobayashi, F. Hoshino. Fast Elliptic Curve
Algorithm Combining Frobenius Map and Table Reference to Adapt to Higher
Characteristic, EuroCrypt, pp. 176-189, 1999.

[24] N. Koblitz. A Course in Number Theory and Cryptography, Graduate Texts in
Mathematics, Springer-Verlag, New York, 1987.

[25] N. Koblitz. Algebraic Aspects of Cryptography, Algorithms and Computation
in Mathematics, Volume 3, Springer-Verlag, New York, 1998.

[26] N. Koblitz. Hyperelliptic Curve Cryptosystems, Journal of Cryptography,
1:139-150, 1989.

[27] C. K. Koc. Elliptic Curve Cryptosystems, Course Handouts for ECE 575,
Oregon State University.
http://www.security.ece.orst.edu/koc/ece575/notes/elliptic.pdf (7th October 2000).

[28] B. A. LaMacchia, A. M. Odlyzko. Computation of Discrete Logarithms in Prime
Fields, Designs, Codes and Cryptography, Vol. 1, pp. 47-62, 1991.

[29] K. Matthews. MP313 Lecture Notes, University of Queensland, 1999.

[30] K. Matthews. MP473 Lecture Notes, University of Queensland, 2000.

[31] A. Menezes. Elliptic Curve Cryptosystems. CryptoBytes, Vol. 1, No. 2, Summer
1995.

[32] A. J. Menezes, Y.H. Wu, R.J. Zuccherato. An Elementary Introduction to
Hyperelliptic Curves, Technical Report CORR 96-19, Department of C&O,
University of Waterloo, Ontario, 1996.

[33] A. J. Menezes. Elliptic Curve Public Key Cryptosystems, Kluwer Academic
Publishers, USA, 1993.

[34] C. Miller. ECCpert: Development and Design, Undergraduate Thesis for
Bachelor of Engineering, Dept. of Computer Science & Electrical Engineering,
University of Queensland, Australia, 1999.

[35] S. X. Ng et al. Performance of BCH Turbo Codes. Dept. of Electronics
and Computer Science, University of Southampton, UK, to appear in IEEE
VTC2000 Spring, Tokyo.
http://www-mobile.ecs.soton.ac.uk/lly/papers/vtc2000 turbo-web.pdf (30th March 2000).

[36] T. Okamoto, K. Sakurai. Efficient Algorithms for the Construction of
Hyperelliptic Cryptosystems, Crypto 91, LNCS 576, 1992.

[37] M.J.B. Robshaw, Y.L. Yin. Overview of Elliptic Curve Cryptosystems, An RSA
Laboratories Technical Note, Revised June 27, 1997.
http://www.rsasecurity.com/rsalabs/ecc/elliptic-curve.html (8th May 2000).

[38] Y. Sakai, K. Sakurai. On the Practical Performance of HECC in Software
Implementation, IEICE Trans. Fundamentals, Vol. E38-A, No. 4, April 2000.

[39] S. Singh. The Code Book, Clays Ltd, Great Britain, 1999.

[40] Nigel P. Smart. On the Performance of Hyperelliptic Cryptosystems,
EUROCRYPT 99, LNCS 1592, pp. 165-175, 1999.
http://www.hpl.hp.com/techreports/98/HPL-98-162.pdf (30th March 2000).

[41] D.R. Stinson. Cryptography: Theory and Practice, Discrete Mathematics and
its Applications, Boca Raton, CRC Press, 1995.
