Efficient doubling on genus 3 curves over binary fields

  • Authors:
  • Xinxin Fan;Thomas Wollinger;Yumin Wang

  • Affiliations:
  • State Key Lab of Integrated Service Networks, Xidian University, Xi’an, P.R. China;Communication Security Group (COSY), Ruhr-Universitäet Bochum, Germany;State Key Lab of Integrated Service Networks, Xidian University, Xi’an, P.R. China

  • Venue:
  • CT-RSA'06 Proceedings of the 2006 The Cryptographers' Track at the RSA conference on Topics in Cryptology
  • Year:
  • 2006

Quantified Score

Hi-index 0.00

Visualization

Abstract

The most important and expensive operation in a hyperelliptic curve cryptosystem (HECC) is the scalar multiplication by an integer k, i.e., computing an integer k times a divisor D on the Jacobian. Using some recoding algorithms for the scalar, we can reduce the number of divisor class additions during the process of computing the scalar multiplication. On the other side, the divisor doublings will stay the same for all kinds of scalar multiplication algorithms. In this paper we accelerate the divisor doublings for genus 3 HECC over binary fields by using special types of curves. Depending on the degree of h, our explicit formulae only require 1I + 11M + 11S, 1I + 13M + 13S, 1I + 20M + 12S and 1I + 26M + 11S for divisor doublings in the best case, respectively. Especially, for the case of deg h = 1, our explicit formula improve the recent result in [GKP04] significantly by saving 31M at the cost of extra 7S. In addition, we discuss some cases which are not included in [GKP04]. By constructing birational transformation of variables, we derive explicit doubling formulae for special types of equations of the curve. For each type of curve, we analyze how many field operations are needed. So far no attack on any of the all curves suggested in this paper is known, even though some cases are very special. Our results allow to choose curves from a large variety which have extremely fast doubling needing only one third the time of an addition in the best case. Furthermore, an actual implementation of the new formulae on a Pentium-M processor shows their practical relevance.