Supersingular hyperelliptic curves of genus 2 over finite fields

doi:10.1016/j.amc.2004.03.030

Applied Mathematics and Computation

Volume 163, Issue 2, 15 April 2005, Pages 565-576

https://doi.org/10.1016/j.amc.2004.03.030 Get rights and content

Abstract

In this paper we describe an elementary criterion how to determine supersingular hyperelliptic curves of genus 2, directly using only the given Weierstrass equation. A family of the hyperelliptic curve $H/ F_{p}$ of the type v²=u⁵+a and v²=u⁵+au have been studied.

Introduction

Since Koblitz suggested using the hyperelliptic curve H as a good source of public key cryptosystem, many interesting results have been explored toward hyperelliptic cryptosystem. When the genus g of the curve is large, there is a subexponential algorithm due to Adleman et al. [1] for the discrete logarithm problem in $J_{H} (F_{q})$ . Also, when the genus g of a curve is small but g⩾4, Gaudry's algorithm is faster than Pollard's rho algorithm [6]. Consequently, the hyperelliptic curves of genus 2, 3 can be very attractive for the cryptographic purpose.

Using the Tate-pairing, [8], Menezes et al. showed that for the supersingular elliptic curves the value k above is at most 6 and, therefore, the good upper bound of the complexity of the attack in the supersingular elliptic curve could be provided [9]. It turns out that it is not proper to use the supersingular elliptic curve for the Diffie–Hellman type cryptosystem. On the contrary, recently, Boneh and Franklin [2] suggested a constructive application of supersingular elliptic curves (supersingular curves in general [5]) to generate an identity-based cryptosystem.

However, one needs to check if a given hyperelliptic curve of genus 2 and 3 is secure under the Frey–Rück attack [8]. According to Tate-pairing, the discrete logarithm problem on the divisor class group $J_{C} (F_{q})$ of a curve C over the finite field $F_{q}$ can be reduced to that over $F_{q^{k}}$ of some extension of the base field. When k is small one can solve the discrete logarithm problem using the index calculus method over the finite field and this is called Frey–R $u ̈$ ck attack. Galbraith [5] showed that for supersingular curves there is an upper bound, which depends only on genus, on the values of the extension degree k, and in particular, it turns out that k can be at most 12 for the supersingular curve of genus 2 and Rubin and Silverberg improved a bound, i.e. k⩽6 for odd p.

So, it will be very useful to detect those cryptographically weak curves in advance. On the contrary, recently, Boneh and Franklin [2] suggested a constructive application of supersingular elliptic curves (supersingular curves in general [5]) to generate an identity-based cryptosystem. To determine, with known criterions, if the given curves are supersingular (see, for instance, [5], [11]), one needs to compute the number of rational points $|H(F_{q^{i}})|$ of H, for all $i, 1⩽i⩽g$ , or, to know the characteristic polynomial of H. Therefore, when the characteristic p of the base field of the curve is large, this procedure is not really practical.

In this paper, we show that we can check, directly using the defining equation, if a given hyperelliptic curve H of genus 2 over $F_{q}$ , with $q=p^{n}, p>2$ , is supersingular. The criterion depends only on the equation and p. Furthermore, we derive more sharp bound of k for supersingular abelian variety of genus 2 defined over $F_{p}$ .

Finally, as an example, using the above criterion, we determine all primes p where the hyperelliptic curves $H/ F_{p}$ of the type v²=u⁵+a and v²=u⁵+au are supersingular. The orders of Jacobians of the above curves are determined and, therefore, the upper bounds of k are all determined.

This paper is organized as follows. In Section 2 we introduce the usual notations and recall basic definitions of the hyperelliptic curve of genus 2. In Section 3 we derive the main criterion how to determine if the given hyperelliptic curve of genus 2 is supersingular, directly using the defining equation and the proofs of the main theorem and lemmata will be postponed until the last Section 6. Section 4 states a complete characterization of supersingular abelian varieties of dimension 2 over the prime field $F_{p}$ . In Section 5, as an application of the main criterion, we characterize all the hyperelliptic curves $H/ F_{p}$ with defining equation of the type v²=u⁵+a and $v^{2} =u^{5} +au, a∈ F_{p}^{*}$ .

Section snippets

Hyperelliptic curves over finite fields

We recall the useful result related to the supersingularity of hyperelliptic curves over finite field. We follow definitions given in [4].

Let $F_{q}$ be a field with q=pⁿ elements of characteristic p and $F_{q}$ be its algebraic closure of $F_{q}$ . For a simplicity, take p>2 throughout this paper.

Definition 2.1

A hyperelliptic curve H of genus g over $F_{q}$ is a projective non-singular irreducible curve of genus g defined over $F_{q}$ with a map $H→ P^{1}$ of degree 2. Here $P^{s}$ denotes the s-dimensional projective space over $F_{q}$ . Moreover,

Main theorem

There are criterions to check whether or not abelian variety A is supersingular, once its characteristic polynomial is computed. This means that the number of rational points $|H(F_{q^{i}})|$ of H for all $i, 1⩽i⩽g$ of the given hyperelliptic curve H needs to be computed. However, if the defining field $F_{q}$ has a large prime characteristic p, the above criterions are not efficient to test supersingularity.

However, for a hyperelliptic curve of genus 2, there is a criterion to check if the given curve is

Embedding degree of supersingular abelian variety of dimension 2 over $F_{p}$

In this section, we focus more on the supersingular abelian varieties A over $F_{p}$ . Furthermore, an improved upper bound of k, where k is the smallest integer such that ℓ|p^nk−1 and is called the embedding degree, is derived in this case. Here ℓ is the exponent (the largest prime factor) of $|A(F_{p^{n}})|$ .

Proposition 4.1

Let A be any supersingular abelian variety of dimension 2 with genus 2 over $F_{p}$ , with a prime p>16 and $p(x)=x^{4} +a_{1} x^{3} +a_{2} x^{2} +a_{1} px+p^{2}$ be the characteristic polynomial of A.

Then the order of abelian variety $A(F_{p^{n}}$

Examples

In this section we study some family of hyperelliptic curves defined over prime fields and determine all the primes p when they are supersingular as well as their Jacobian group structure [11]. Furthermore, we also get the upper bound of k.

Example 5.1

Consider the following hyperelliptic curve of genus 2; $H/ F_{p} :v^{2} =u^{5} +a, a∈ F_{p}^{*} .$ Then $H is supersingular ⇔ p≠1 (mod 5).$

Furthermore, we can derive the exact order of $J_{H} (F_{p})$ and its group structure as follows:

p	$P(x)$	$\|J_{H} (F_{p})\|$	k	$J_{H} (F_{p})$
$p≡2,3$ (mod 5)	$x^{4} +p^{2}$	$1+p^{2}$	4	$Z /(p^{2} +1)Z$
$p≡9$ (mod 20)	$x^{4}$

Proofs

In this section, proofs of theorems and lemmata given in Sections 3 Main theorem, 4 Embedding degree of supersingular abelian variety of dimension 2 over are derived.

Conclusion

It will be very useful to detect those cryptographically weak curves such as supersingular curve in advance. Or, it will be also useful to find supersingular curve for a constructive application to generate an identity-based cyptosystem suggested by Boneh and Frankin [2] and generalized by Galbraith [5].

In this paper, we show how to determine if the given hyperelliptic curve of genus 2 over the finite field $F_{q},q$ odd, is supersingular directly from the defining equation. Finally, as an example,

References (11)

C. Xing
On supersingular abelian varieties of dimension two over finite fields
Finite Fields Their Appl.
(1996)
L. Adleman et al.
A subexponential algorithm for discrete logarithms over the rational subgroup of the Jacobians of large genus hyperelliptic curves over finite fields
D. Boneh et al.
Identity-based Encryption from the Weil paring
H. Cohen
A Course in Computational Algebraic Number Theory
(1993)
L.H. Encinas, A.J. Menezes, J.M. Masqué, Isomorphism class of genus-2 hyperelliptic curves over finite fields, 2001,...

There are more references available in the full text version of this article.

Cited by (5)

Discrete logarithms
2017, Guide to Pairing-Based Cryptography
Guide to pairing-based cryptography
2017, Guide to Pairing-Based Cryptography
An algorithm for computing a sequence of richelot isogenies
2009, Bulletin of the Korean Mathematical Society
Speeding up pairing computations on genus 2 hyperelliptic curves with efficiently computable automorphisms
2008, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Pairing calculation on supersingular genus 2 curves
2007, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

^☆: This work was partially supported by ITRC and KOSEF R01-2003-000-11596-0.

View full text

Supersingular hyperelliptic curves of genus 2 over finite fields☆

Abstract

Introduction

Section snippets

Hyperelliptic curves over finite fields

Main theorem

Embedding degree of supersingular abelian variety of dimension 2 over Fp

Examples

Proofs

Conclusion

Finite Fields Their Appl.

A subexponential algorithm for discrete logarithms over the rational subgroup of the Jacobians of large genus hyperelliptic curves over finite fields

Identity-based Encryption from the Weil paring

A Course in Computational Algebraic Number Theory

Embedding degree of supersingular abelian variety of dimension 2 over $F_{p}$