On the Performance of Hyperelliptic Cryptosystems

In this paper we discuss various aspects of cryptosystems based on hyperelliptic curves. In particular we cover the implementation of the group law on such curves and how to generate suitable curves for use in cryptography. This paper presents a practical comparison between the performance of elliptic curve based digital signature schemes and schemes based on hyperelliptic curves. We conclude that, at present, hyperelliptic curves o er no performance advantage over elliptic curves. Elliptic curve cryptosystems are now being deployed in the real world and there has been much work in recent years on their implementation. A natural generalization of such schemes was given by Koblitz [12], who described how the group law on a Jacobian of a hyperelliptic curve can be used to de ne a cryptographic system. Almost all of the standard discrete logarithm based protocols such as DSA and El Gamal have elliptic and hyperelliptic variants. This is because such protocols only require the presence of a nite abelian group, with a large prime order subgroup, within which the basic group operation is easy whilst the associated discrete logarithm problem is hard. We shall not discuss these protocols in this paper since everything that can be said for elliptic curve based protocols can usually be said for hyperelliptic curve based protocols. Instead we shall concentrate more on the underlying group: In particular how one performs the group operation and how one produces groups of the required type. The Jacobian of a genus g hyperelliptic curve will have roughly q points on it, where q denotes the number of elements in the eld of de nition of the Jacobian. By choosing hyperelliptic curves of genus greater than one we can achieve the same order of magnitude of the group order with a smaller value for q when compared with elliptic curve based systems which have g = 1. This has led some people to suggest that hyperelliptic curves may o er some advantages over elliptic curves in some special situations. For example if we wanted to only perform arithmetic using single words on a 32-bit computer we could choose g = 5 or 6 to obtain group orders of around 160 to 192 bits. One has to be a little careful as to how large one makes g, since for large genus there is a sub-exponential method to solve the discrete logarithm problem [1]. However this does not appear to a ect the security of curves of genus less than 10 over eld sizes of around 32 bits. In this paper we give an overview of the group law on a curve of genus g in arbitrary characteristic. We shall give a more e cient reduction method