A Family of Subfield Hyperelliptic Curves for Use in Cryptography

Abstract

This paper proposes a family of hyperelliptic curves of genus two for public-key cryptographic primitives. Being subfield curves, the members of this family are easy to generate. Although slightly slower than elliptic curves at the same security level, hyperelliptic curves of our family exhibit performance comparable to widely used hyperelliptic curves over prime fields.

Appendix

This section lists a set of subfield curves at various security levels. These curves are of the special form \(y^2=x^5+x+a\), \(a\in \mathbb {F}_p\), where p is a single-precision prime. The curves are naturally defined over the quintic extension \(\mathbb {F}_q=\mathbb {F}_{p^5}\). We represent \(\mathbb {F}_q\) as \(\mathbb {F}_p[t]/\langle F(t)\rangle \), where \(F(t)\in \mathbb {F}_p[t]\) is a monic irreducible polynomial of degree 5. The Jacobian of a curve over \(\mathbb {F}_p\) and \(\mathbb {F}_q\) are denoted by \(\mathbb {J}_p\) and \(\mathbb {J}_q\), and their sizes by \(n_p=|\mathbb {J}_p|\) and \(n_q=|\mathbb {J}_q|\). We have \(\mathbb {J}_q=\mathbb {J}_p\oplus G\). For all the curves listed here, G is a group of prime order \(n=|G|=n_q/n_p\). At all security levels, it is recommended to use the curves with \(n=2^{\cdots }-\cdots \). The curves with \(n=2^{\cdots }+\cdots \) should work well, but would be slightly (and unnecessarily) inefficient.

• Security Level l = 80:

  \(p=2^{20}-5=1048571\), \(n\approx 2^{160}\)

  \(F(t)=t^5+2\) or \(t^5-2\)

  

• Security Level \({\textit{\textbf{l}}} = \mathbf{96:}\)

  \(p=2^{24}-17=16777199\), \(n\approx 2^{192}\)

  \(F(t)=t^5+t-3\) or \(t^5-4t-1\)

  

• Security Level l = 112:

  \(p=2^{28}-57=268435399\), \(n\approx 2^{224}\)

  \(F(t)=t^5-t-2\)

  

• Security Level l = 128:

  \(p=2^{32}-2^{17}-61=4294836163\),   \(n\approx 2^{256}\),

  \(F(t)=t^5+2t-1\)