HAL Id: inria-00512401
https://hal.inria.fr/inria-00512401
Submitted on 30 Aug 2010
An algorithm for solving the discrete log problem on hyperelliptic curves
Pierrick Gaudry
To cite this version:
Pierrick Gaudry. An algorithm for solving the discrete log problem on hyperelliptic curves. Eurocrypt, 2000, Bruges, Belgium. pp.19-34, 10.1007/3-540-45539-6_2. inria-00512401
An Algorithm for Solving the Discrete Log Problem on Hyperelliptic Curves
Pierrick Gaudry *
LIX, École Polytechnique, 91128 Palaiseau Cedex, France
gaudry@lix.polytechnique.fr
Abstract. We present an index-calculus algorithm for the computation of discrete logarithms in the Jacobian of hyperelliptic curves defined over finite fields. The complexity predicts that it is faster than the Rho method for genus greater than 4. To demonstrate the efficiency of our approach, we describe our breaking of a cryptosystem based on a curve of genus 6 recently proposed by Koblitz.
1 Introduction

The use of hyperelliptic curves in public-key cryptography was first proposed by Koblitz in 1989 [24]. It appears as an alternative to the use of elliptic curves [23] [31], with the advantage that it uses a smaller base field for the same level of security. Several authors have given ways to build hyperelliptic cryptosystems efficiently. The security of such systems relies on the difficulty of solving the discrete logarithm problem in the Jacobian of hyperelliptic curves. If an algorithm tries to solve this problem performing "simple" group operations only, it was shown by Shoup [39] that the complexity is at least $\Omega(\sqrt{n})$, where $n$ is the largest prime dividing the order of the group. Algorithms with such a complexity exist for generic groups and can be applied to hyperelliptic curves, but are still exponential. The Pollard Rho method and its parallel variants are the most important examples [34], [46], [17].

For the elliptic curve discrete logarithm problem, there are some particular cases where a solution can be found with a complexity better than $O(\sqrt{n})$. See [30], [38], [40], [37]. Similar cases were discovered for hyperelliptic curves [14], [35]. However they are very particular and can be easily avoided when designing a cryptosystem.

In 1994, Adleman, DeMarrais and Huang [1] published the first algorithm (ADH for short) to compute discrete logs which runs in subexponential time when the genus is sufficiently large compared to the size of the ground field. This algorithm was rather theoretical, and some improvements to it were done. Flassenberg and Paulus [13] implemented a sieve version of this algorithm, but

* This work was supported by Action COURBES of INRIA (action coopérative de la

proved the original algorithm and gave a precise evaluation of the running time, but did not implement his ideas. Müller, Stein and Thiel [32] extended the results to the real quadratic congruence function fields. Smart and Galbraith [16] also gave some ideas in the context of the Weil descent, following ideas of Frey; they dealt with general curves (not hyperelliptic).

Our purpose is to present a variant of existing index-calculus algorithms like ADH or Hafner-McCurley [19], which allowed us to break a cryptosystem based on a curve of genus 6 recently proposed by Koblitz. The main improvement is due to the fact that the costly HNF computation in classical algorithms is replaced by that of the kernel of a sparse matrix. A drawback is that we have to assume that the order of the group in which we are working is known. This is not a constraint in a cryptographical context, because the knowledge of this order is preferable to build protocols. But from a theoretical point of view it differs from ADH or Hafner-McCurley algorithm where the order of the group was a byproduct of the discrete logarithm computation (in fact the aim of the HNF computation was to find the group structure).

We will analyse our method for small genus and show that it is faster than the Pollard Rho method as soon as the genus is strictly greater than 4. Indeed its complexity is $O(q^2)$ where $q$ is the cardinality of the base field. We will explain below some consequences for the choice of the parameters, curve and base field, when building a cryptosystem.

Moreover, the presence of an automorphism of order $m$ on the curve can be used to speed up the computation, just as in the Rho method [9] [17] [48]. This is the case in almost all the examples in the literature. The gain in the Rho method is a factor $\sqrt{m}$, but the gain obtained here is a factor $m^2$, which is very significant in practice.

The organization of the paper is as follows: in section 2 after some generalities on hyperelliptic curves, our algorithm is described. It is analyzed in section 3, and in section 4 we explain how the presence of an automorphism can help. Finally the section 5 gives some details on our implementation and the results of our experiments with Koblitz's curve.
2 Description of the Algorithm

2.1 Hyperelliptic Curves

We give an overview of the theory of hyperelliptic curves. More precise statements can be found in [24], [4], [15]. We will restrict ourselves to the so-called imaginary quadratic case.

A hyperelliptic curve $C$ of genus $g$ over a field $K$ is a smooth plane projective curve which admits an affine equation of the form $y^2 + h(x)y = f(x)$, where $f$ is a polynomial of degree $2g+1$, and $h$ is a polynomial of degree at most $g$, both with coefficients in $K$.

A divisor on the curve $C$ is a finite formal sum of points of the curve. For $D = \sum_i n_i P_i \in \mathrm{Div}(C)$, where the $P_i$ are points on the curve, we define the degree of $D$ by $\deg(D) = \sum_i n_i$. The set of all divisors of degree zero is a subgroup of $\mathrm{Div}(C)$ denoted by $\mathrm{Div}^0(C)$.

For each function $\varphi(x, y)$ on the curve, we can define a divisor denoted by $\mathrm{div}(\varphi)$ by assigning at each point $P_i$ of the curve the value $n_i$ equal to the multiplicity of the zero if $\varphi(P_i) = 0$, or the opposite of the multiplicity of the pole if the function is not defined at $P_i$. It can be shown that the sum is finite, and moreover that the degree of such a divisor is always zero. The set of all divisors built from a function is a subgroup of $\mathrm{Div}^0(C)$ denoted by $\mathcal{P}(C)$ and we call these divisors principal. The Jacobian of the curve $C$ is then defined by the quotient group $\mathrm{Jac}(C) = \mathrm{Div}^0(C)/\mathcal{P}(C)$.

If the base field of the curve is a finite field with cardinality $q$, then the Jacobian of the curve is a finite abelian group of order around $q^g$. The Hasse-Weil bound gives a precise interval for this order: $(\sqrt{q} - 1)^{2g} \le \#\mathrm{Jac}(C) \le (\sqrt{q} + 1)^{2g}$.

In [4], Cantor gave an efficient algorithm for the computation of the group law. We do not recall his method, but we recall the representation of the elements.

Proposition 1 In every class of divisors in $\mathrm{Jac}(C)$, there exists a unique divisor $D = P_1 + \cdots + P_g - g\infty$, such that for all $i \ne j$, $P_i$ and $P_j$ are not symmetric points. Such a divisor is called reduced, and there is a unique representation of $D$ by two polynomials $[u, v]$, such that $\deg v < \deg u \le g$, and $u$ divides $v^2 + hv - f$.

In this representation, the roots of the polynomial $u$ are exactly the abscissae of the points which occur in the reduced divisor.

The group $\mathrm{Jac}(C)$ can now be used in cryptographical protocols based on the discrete logarithm problem, for example Diffie-Hellman or ElGamal's protocols. The security relies on the difficulty of the following problem.

Definition 1 The hyperelliptic discrete logarithm problem takes on input a hyperelliptic curve of given genus, an element $D_1$ of the Jacobian, its order $n$, and another element $D_2$ in the subgroup generated by $D_1$. The problem is to find an integer $\lambda$ modulo $n$ such that $D_2 = \lambda \cdot D_1$.
2.2 Smooth Divisors

Like any index-calculus method, our algorithm is based on the notions of smoothness and prime elements. We will recall these notions for divisors on hyperelliptic curves, which were first defined in ADH.

Definition 2 With the polynomial representation $D = [u, v]$, a divisor will be said to be prime if the polynomial $u$ is irreducible over $\mathbb{F}_q$.

For a prime divisor $D$, when there is no possible confusion with the degree of $D$ as a divisor (which is always zero), we will talk about the degree of $D$ instead of the degree of $u$.

Proposition 2 A divisor $D$ of $\mathrm{Jac}(C)$ represented by the polynomials $[u, v]$ is equal to the sum of prime divisors $[u_i, v_i]$, where the $u_i$ are the prime factors of $u$.
smoothness bound.

Definition 3 A divisor is said to be $S$-smooth if all its prime divisors are of degree at most $S$. When $S = 1$, a 1-smooth divisor will be a divisor for which the polynomial $u$ splits completely over $\mathbb{F}_q$.

The case $S = 1$ is the most important for two reasons: the first one is that for a relatively small genus (say at most 9), and a reasonable field size, this choice is the best in practice. The second one is that if we want to analyze our algorithm for a fixed $g$ and a $q$ tending to infinity, this is also the good choice.

The definition of a smooth divisor can be seen directly on the expression of $D$ as a sum of points of the curve. Note that a divisor defined over $\mathbb{F}_q$ is defined by being invariant under the Galois action. But it does not imply that the points occurring in it are defined over $\mathbb{F}_q$; they can be exchanged by Galois. Hence an equivalent definition of smoothness is given by the following proposition.

Proposition 3 A divisor $D = P_1 + \cdots + P_g - g\infty$ is $S$-smooth if and only if each point $P_i$ is defined over an extension $\mathbb{F}_{q^k}$ with $k \le S$.

We define also a factor basis, similar to the one used for the classical discrete log problem over $\mathbb{F}_p$.

Definition 4 The factor basis, denoted by $\mathcal{G}_S$, is the set of all the prime divisors of degree at most $S$. For $S = 1$ we simply write $\mathcal{G}$.

In the following, we will always take $S = 1$ and we will say `smooth divisor' for 1-smooth divisor.
2.3 Overview of the Algorithm

For the sake of simplicity, we will suppose that the Jacobian of the curve has an order which is almost prime and that we have to compute a discrete log in the subgroup of large prime order (this is always the case in cryptography). Let $n = \mathrm{ord}(D_1)$ be this prime order, and $D_2$ be the element for which we search the log.

We introduce a pseudo-random walk (as in [45]) in the subgroup generated by $D_1$: Let $R_0 = \alpha_0 D_1 + \beta_0 D_2$ be the starting point of the walk, where $R_0$ is the reduced divisor obtained by Cantor's algorithm, and $\alpha_0$ and $\beta_0$ are random integers. For $j$ from 1 to $r$, we compute random divisors $T^{(j)} = \alpha^{(j)} D_1 + \beta^{(j)} D_2$. The walk will then be given by $R_{i+1} = R_i + T^{(H(R_i))}$, where $H$ is a hash function from the subgroup generated by $D_1$ to the interval $[1, r]$. This hash function is assumed to have good statistical properties; in practice, it can be given by the last bits in the internal representation of the divisors. Once the initialization is finished, we can compute a new pseudo-random element $R_{i+1}$ at the cost of one addition in the Jacobian. Moreover at each step we get a representation of $R_{i+1}$ as $\alpha_{i+1} D_1 + \beta_{i+1} D_2$, where $\alpha_{i+1}$ and $\beta_{i+1}$ are integers modulo $n$.

If a collision $R_{i_1} = R_{i_2}$ occurs in the walk, we get the discrete logarithm $\lambda = (\alpha_{i_1} - \alpha_{i_2})/(\beta_{i_2} - \beta_{i_1}) \bmod n$. We can however make use of the smooth divisors. For each $R_i$ of the random walk, test its smoothness. If it is smooth, express it on the factor basis, else throw it away. Thus we extract a subsequence of the sequence $(R_i)$ where all the divisors are smooth. We denote also by $(R_i)$ this subsequence. Hence we can put the result of this computation in a matrix $M$, each column representing an element of the factor basis, and each row being a reduced divisor $R_i$ expressed on the basis: for a row $i$, we have $R_i = \sum_k m_{ik} g_k$, where $M = (m_{ik})$. We collect $w+1$ rows in order to have a $(w+1) \times w$ matrix. Thus the kernel of the transpose of $M$ is of dimension at least 1. Using linear algebra, we find a non-zero vector of this kernel, which corresponds to a relation between the $R_i$'s. Then we have a family $(\gamma_i)$ such that $\sum_i \gamma_i R_i = 0$. Going back to the expression of $R_i$ in function of $D_1$ and $D_2$, we get $\sum_i \gamma_i (\alpha_i D_1 + \beta_i D_2) = 0$, and then

$$\lambda = -\frac{\sum_i \gamma_i \alpha_i}{\sum_i \gamma_i \beta_i}.$$

The discrete logarithm is now found with high probability (the denominator is zero with probability $1/n$).

We summarize this algorithm in the figure 1.
2.4 Details on Critical Phases

In the first step, we have to build the factor basis, and for that, we have to find, if it exists, a polynomial $v$ corresponding to a given irreducible $u$. This can be rewritten in solving an equation of degree 2 over $\mathbb{F}_q$, which can be done quickly.

The initialization of the random walk is only a matter of operations in the group; after that, computing each random divisor $R_i$ requires a single operation in the group.

One crucial point is to test the smoothness of a divisor, i.e. to decide if a polynomial of degree $g$ (the $u$ of the divisor) splits completely on $\mathbb{F}_q$. A way to do that is to perform the beginning of the factorization of $u$, which is called DDF (stands for distinct degree factorization). By computing $\gcd(X^q - X, u(X))$, we get the product of all the prime factors of $u$ of degree 1. Thus if the degree of this product is equal to the degree of $u$, it proves that $u$ splits completely on $\mathbb{F}_q$. In the case where a smooth divisor is detected, the factorization can be completed, or a trial division with the elements of the basis can be performed.
The linear algebra is the last crucial point. The matrix obtained is sparse, and we have at most $g$ terms in each row. Then sparse techniques like Lanczos's [27] or Wiedemann's [47] algorithm can be used, in order to get a solution in time quadratic in the number of rows (instead of cubic by Gaussian elimination).

Some other optimizations can be done to speed up the computation. They
Input: a hyperelliptic curve over $\mathbb{F}_q$, a divisor $D_1$ with $n = \mathrm{ord}(D_1)$, a divisor $D_2 \in \langle D_1 \rangle$, and a parameter $r$.
Output: An integer $\lambda$ such that $D_2 = \lambda D_1$.
1. /* Build the factor basis $\mathcal{G}$ */
   For each monic irreducible polynomial $u_i$ over $\mathbb{F}_q$ of degree 1, try to find $v_i$ such that $[u_i, v_i]$ is a divisor of the curve. If there is a solution, store $g_i = [u_i, v_i]$ in $\mathcal{G}$ (we only put one of the two opposite divisors in the basis).
2. /* Initialization of the random walk */
   For $j$ from 1 to $r$, select $\alpha^{(j)}$ and $\beta^{(j)}$ at random in $[1..n]$, and compute $T^{(j)} := \alpha^{(j)} D_1 + \beta^{(j)} D_2$.
   Select $\alpha_0$ and $\beta_0$ at random in $[1..n]$ and compute $R_0 := \alpha_0 D_1 + \beta_0 D_2$.
   Set $k$ to 1.
3. /* Main loop */
   (a) /* Look for a smooth divisor */
       Compute $j := H(R_0)$, $R_0 := R_0 + T^{(j)}$, $\alpha_0 := \alpha_0 + \alpha^{(j)} \bmod n$, and $\beta_0 := \beta_0 + \beta^{(j)} \bmod n$.
       Repeat this step until $R_0 = [u_0(z), v_0(z)]$ is a smooth divisor.
   (b) /* Express $R_0$ on the basis $\mathcal{G}$ */
       Factor $u_0(z)$ over $\mathbb{F}_q$, and determine the positions of the factors in the basis $\mathcal{G}$. Store the result as a row $R_k = \sum m_{ik} g_i$ of a matrix $M = (m_{ik})$.
       Store the coefficients $\alpha_k = \alpha_0$ and $\beta_k = \beta_0$.
       If $k < \#\mathcal{G} + 1$, then set $k := k + 1$, and return to step 3.a.
4. /* Linear algebra */
   Find a non zero vector $(\gamma_k)$ of the kernel of the transpose of the matrix $M$. The computation can be done in the field $\mathbb{Z}/n\mathbb{Z}$.
5. /* Solution */
   Return $\lambda = -(\sum \gamma_k \alpha_k)/(\sum \gamma_k \beta_k) \bmod n$. (If the denominator is zero, return to step 2.)
Fig. 1. Discrete log algorithm
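The following is an added example, not code from the paper: it runs the structure of Fig. 1 (random walk, smoothness filtering, a kernel vector of the transposed relation matrix over $\mathbb{Z}/n\mathbb{Z}$, and the final quotient with the sign of step 5) end to end in plain Python. Because Cantor's arithmetic is out of scope here, the Jacobian is swapped for the prime-order subgroup of $\mathbb{F}_p^*$ and "smooth" means that the integer representative of a group element factors over a small prime factor base; the parameters $p = 1019$, $n = 509$, the factor base and the hash $H(R) = R \bmod r$ are constructed choices, not values from the paper.

```python
# Added example (not from the paper): index calculus in the shape of Fig. 1.
# The group <D1> is the subgroup of prime order N inside F_P^*, written
# multiplicatively, so "alpha D1 + beta D2" becomes d1^alpha * d2^beta mod P.
import random

# Constructed toy parameters (assumptions, not values from the paper).
P = 1019                                   # prime, P - 1 = 2 * 509
N = 509                                    # prime order of the subgroup <d1>
FACTOR_BASE = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31]   # the basis G


def express_on_basis(x):
    """Row (m_k) with x = prod g_k^{m_k} over the factor base, or None if x is not smooth."""
    row = [0] * len(FACTOR_BASE)
    for k, g in enumerate(FACTOR_BASE):
        while x % g == 0:
            x //= g
            row[k] += 1
    return row if x == 1 else None


def kernel_vector_of_transpose(M, n):
    """Non-zero gamma with sum_i gamma_i * M[i] == 0 (mod n), n prime.
    M has w+1 rows and w columns, so M^T (w x (w+1)) has a non-trivial kernel;
    it is found by Gauss-Jordan elimination over Z/nZ (step 4 of Fig. 1)."""
    rows, cols = len(M), len(M[0])
    A = [[M[i][j] % n for i in range(rows)] for j in range(cols)]   # A = M^T
    pivot_cols, r = [], 0
    for c in range(rows):
        piv = next((i for i in range(r, cols) if A[i][c]), None)
        if piv is None:
            continue                           # column c is a free variable
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], -1, n)
        A[r] = [v * inv % n for v in A[r]]
        for i in range(cols):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(x - f * y) % n for x, y in zip(A[i], A[r])]
        pivot_cols.append(c)
        r += 1
    free = next(c for c in range(rows) if c not in pivot_cols)
    gamma = [0] * rows
    gamma[free] = 1                            # one free variable set to 1
    for i, pc in enumerate(pivot_cols):
        gamma[pc] = (-A[i][free]) % n          # pivots follow from the reduced rows
    return gamma


def discrete_log(d1, d2, r=20, seed=1):
    """Return lam with d2 == d1^lam (mod P), d1 of order N, d2 in <d1>."""
    rng = random.Random(seed)
    w = len(FACTOR_BASE)
    while True:                                # restart on a zero denominator or a trapped walk
        # Step 2: r random multipliers T^(j) = d1^a d2^b and the starting point R_0.
        T = [(rng.randrange(1, N), rng.randrange(1, N)) for _ in range(r)]
        T = [(pow(d1, a, P) * pow(d2, b, P) % P, a, b) for a, b in T]
        a0, b0 = rng.randrange(1, N), rng.randrange(1, N)
        R = pow(d1, a0, P) * pow(d2, b0, P) % P
        M, alphas, betas, steps = [], [], [], 0
        # Step 3: walk until w+1 smooth elements are expressed on the basis.
        while len(M) < w + 1 and steps < 50 * (w + 1):
            t, a, b = T[R % r]                 # H(R) = R mod r picks the multiplier
            R = R * t % P
            a0, b0 = (a0 + a) % N, (b0 + b) % N
            row = express_on_basis(R)
            if row is not None:
                M.append(row); alphas.append(a0); betas.append(b0)
            steps += 1
        if len(M) < w + 1:
            continue                           # walk stuck in a cycle with no smooth element
        # Step 4: a relation prod_i R_i^{gamma_i} = 1.  The exponents of the basis
        # primes are multiples of N, so the product is +-1 and lies in the odd-order
        # subgroup <d1>, hence equals 1: d1^(num + lam*den) = 1.
        gamma = kernel_vector_of_transpose(M, N)
        num = sum(g * a for g, a in zip(gamma, alphas)) % N
        den = sum(g * b for g, b in zip(gamma, betas)) % N
        if den == 0:
            continue                           # probability 1/n, as in step 5
        return (-num) * pow(den, -1, N) % N    # lam = -(sum gamma alpha)/(sum gamma beta)


if __name__ == "__main__":
    secret = 123
    print(discrete_log(4, pow(4, secret, P)), "expected", secret)
```

The element $4 = 2^2$ has order exactly 509 in $\mathbb{F}_{1019}^*$, so it plays the role of $D_1$. The walk lives in a group of 509 elements and therefore cycles after a few dozen steps; repeated elements give duplicate rows with different $(\alpha, \beta)$, which is exactly the Rho collision and is handled by the same kernel computation, while the step cap restarts a walk whose cycle contains no smooth element at all.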
3 Analysis

3.1 Probability for a Divisor to Be Smooth

The following proposition gives the proportion of smooth divisors and then the probability of smoothness in a random walk. This is a key tool for the complexity analysis.

Proposition 4 The proportion of smooth divisors in the Jacobian of a curve of genus $g$ over $\mathbb{F}_q$ tends to $1/g!$ when $q$ tends to infinity.

Proof: This proposition is based on the Hasse-Weil bound for algebraic curves: the number of points of the curve over $\mathbb{F}_q$ is equal to $q+1$ with an error of at most $2g\sqrt{q}$, i.e. for large enough $q$ we can neglect it. Moreover the cardinality of its Jacobian is equal to $q^g$ with an error bounded by approximatively $2g\,q^{g-1/2}$. Here the approximation holds when $q$ is sufficiently large compared to $4g^2$, which is the case in the applications considered.

To evaluate the proportion of smooth divisors, we consider the number of points of the curve over $\mathbb{F}_q$ which is approximatively $q$. Now, the smooth divisors of the Jacobian are in bijection with the $g$-multisets of points of the curve: we have $q^g/g!$ smooth divisors, and the searched proportion is $1/g!$. □
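The block below is an added example, not code from the paper, serving two passages: the smoothness test of section 2.4 (the first DDF step, $\deg \gcd(X^q - X, u) = \deg u$) and the counting argument of Proposition 4. It works over a prime field $\mathbb{F}_p$ with polynomials as coefficient lists; the moduli, the sample polynomials and the exhaustive count over all monic polynomials of degree $g$ are constructed for illustration. One practical caveat the paper's paragraph does not spell out is also handled: the gcd only picks up distinct roots, so a $u$ with a repeated root (a point occurring twice in the divisor) fails the plain test although it splits, and `is_smooth_u` runs the test on the squarefree part instead.

```python
# Added example (not from the paper): the DDF smoothness test over F_p, p prime,
# and an exhaustive count of splitting polynomials illustrating Proposition 4.
# Polynomials are lists of coefficients, lowest degree first; [] is the zero polynomial.
from itertools import product
from math import comb, factorial


def trim(a):
    """Drop leading zero coefficients so that len(a) - 1 is the degree."""
    while a and a[-1] == 0:
        a = a[:-1]
    return a


def poly_divmod(a, m, p):
    """Quotient and remainder of a by m over F_p (m non-zero)."""
    a = trim([c % p for c in a])
    m = trim([c % p for c in m])
    inv_lead = pow(m[-1], -1, p)
    q = [0] * max(len(a) - len(m) + 1, 0)
    while len(a) >= len(m):
        coef = a[-1] * inv_lead % p
        shift = len(a) - len(m)
        q[shift] = coef
        for i, mc in enumerate(m):
            a[shift + i] = (a[shift + i] - coef * mc) % p
        a = trim(a)
    return trim(q), a


def poly_mulmod(a, b, m, p):
    """(a * b) mod m over F_p."""
    prod = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % p
    return poly_divmod(prod, m, p)[1]


def x_pow_mod(e, m, p):
    """X^e mod m by square-and-multiply; the expensive part of the DDF step."""
    result, base = [1], poly_divmod([0, 1], m, p)[1]
    while e:
        if e & 1:
            result = poly_mulmod(result, base, m, p)
        base = poly_mulmod(base, base, m, p)
        e >>= 1
    return result


def poly_gcd(a, b, p):
    """Monic gcd over F_p by the Euclidean algorithm."""
    a, b = trim([c % p for c in a]), trim([c % p for c in b])
    while b:
        a, b = b, poly_divmod(a, b, p)[1]
    if a:
        inv = pow(a[-1], -1, p)
        a = [c * inv % p for c in a]
    return a


def splits_completely(u, p):
    """The paper's test: deg gcd(X^p - X, u) == deg u.  The gcd is the product of
    the *distinct* linear factors of u, so a repeated root makes the test fail."""
    u = trim([c % p for c in u])
    diff = x_pow_mod(p, u, p) + [0, 0]         # pad so that the X coefficient exists
    diff[1] = (diff[1] - 1) % p                # X^p - X  (mod u)
    return len(poly_gcd(diff, u, p)) == len(u)


def squarefree_part(u, p):
    """u / gcd(u, u'): the product of the distinct irreducible factors of u.
    Valid here because deg u < p, so no multiplicity is divisible by p."""
    u = trim([c % p for c in u])
    du = trim([i * c % p for i, c in enumerate(u)][1:])   # formal derivative
    g = poly_gcd(u, du, p)
    return u if len(g) == 1 else poly_divmod(u, g, p)[0]


def is_smooth_u(u, p):
    """Smoothness test that also accepts repeated roots (DDF on the squarefree part)."""
    return splits_completely(squarefree_part(u, p), p)


def count_splitting(g, p):
    """Count the monic degree-g polynomials over F_p that split into linear factors.
    The answer is C(p+g-1, g) (multisets of g roots), so the proportion
    C(p+g-1, g) / p^g tends to 1/g! as p grows, which is Proposition 4."""
    return sum(is_smooth_u(list(coeffs) + [1], p)
               for coeffs in product(range(p), repeat=g))


if __name__ == "__main__":
    # Constructed sample: (X-2)(X-3)(X-5) over F_101 splits, X^2 - 2 does not (2 is a non-residue).
    print(splits_completely([71, 31, 91, 1], 101), splits_completely([99, 0, 1], 101))
    # (X-2)^2 (X-3): the plain test rejects it, the squarefree-aware test accepts it.
    print(splits_completely([89, 16, 94, 1], 101), is_smooth_u([89, 16, 94, 1], 101))
    for g in (2, 3):
        print(g, count_splitting(g, 7) / 7 ** g, 1 / factorial(g))
```

For $p = 7$ the proportions are $28/49$ for $g = 2$ and $84/343$ for $g = 3$, already close to $1/2$ and $1/6$; as $p$ grows the ratio $\binom{p+g-1}{g}/p^g$ converges to $1/g!$ exactly as the proof above argues with $q^g/g!$ multisets.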
3.2 Complexity

The complexity of the algorithm will be exponential in the size of $q$, so we will count the number of operations which can be done in polynomial time. These operations are of four types: we denote by $\tau_J$ the cost of a group operation in the Jacobian, $\tau_q$ the cost of an operation in the base field, $\tau_{q,g}$ the cost of an operation on polynomials of degree $g$ over the base field, and $\tau_n$ the cost of an operation in $\mathbb{Z}/n\mathbb{Z}$, where $n \approx q^g$ is the order of the Jacobian. We consider the enumeration of steps in figure 1.

Step 1. For the building of the factor basis, we have to perform $q$ times (i.e. the number of monic irreducible polynomials of degree 1) a resolution of an equation of degree 2 over $\mathbb{F}_q$. Hence the complexity of this phase is $O(q\,\tau_q)$.

Step 2. The initialization of the random walk is only a polynomial number of simple operations. Hence we have $O((\log n)\,\tau_J)$ for this step.

Step 3. We have to repeat $\#\mathcal{G} = O(q)$ times the steps 3.a. and 3.b.

Step 3.a. The computation of a new element of the random walk costs an addition in the Jacobian and two additions modulo $n$, and the test for its smoothness costs a first step of DDF. By proposition 4, we have to compute $g!$ divisors on average before getting a smooth one and going away from step 3.a. Hence the cost of this step is $O(g!\,(\tau_J + \tau_n + \tau_{q,g}))$.

Step 3.b. The final splitting of the polynomial in order to express the divisor on the factor basis can not be proved to be deterministic polynomial (though it is very fast in practice). For the analysis, we can then suppose that we do a trial division with all the elements of the basis. This leads to a complexity of $O(q\,\tau_{q,g})$.

Hence the complexity of step 3. is $O(q\,g!\,(\tau_J + \tau_n + \tau_{q,g})) + O(q^2\,\tau_{q,g})$.

Step 4. This linear algebra step consists in finding a vector of the kernel in a sparse matrix of size $O(q)$, and of weight $O(gq)$; the coefficients are in $\mathbb{Z}/n\mathbb{Z}$. Hence Lanczos's algorithm provides a solution with cost $O(g\,q^2\,\tau_n)$.

Step 5. This last step requires only $O(q)$ multiplications modulo $n$, and one inversion. Hence the complexity is $O(q\,\tau_n)$.

Finally, the overall complexity of the algorithm is $O(g!\,q\,\tau_J) + O((g!\,q + g\,q^2)(\tau_n + \tau_{q,g})) + O(q\,\tau_q)$. Now, by Cantor's algorithm $\tau_J$ is polynomial in $g \log q$, and classical algorithms on finite fields and polynomials give costs polynomial in $\log n = g \log q$,