Genus 2 Hyperelliptic Curve Families with Explicit Jacobian Order Evaluation and Pairing-Friendly Constructions

The use of elliptic and hyperelliptic curves in cryptography relies on the ability to compute the Jacobian order of a given curve. Recently, Satoh proposed a probabilistic polynomial time algorithm to test whether the Jacobian – over a finite field Fq – of a hyperelliptic curve of the form Y 2 = X + aX + bX (with a, b ∈ Fq) has a large prime factor. His approach is to obtain candidates for the zeta function of the Jacobian over Fq from its zeta function over an extension field where the Jacobian splits. We extend and generalize Satoh’s idea to provide explicit formulas for the zeta function of the Jacobian of genus 2 hyperelliptic curves of the form Y 2 = X +aX +bX and Y 2 = X +aX +b (with a, b ∈ Fq). Our results are proved by elementary (but intricate) polynomial root-finding techniques. Hyperelliptic curves with small embedding degree and large prime-order subgroup are key ingredients for implementing pairing-based cryptographic systems. Using our closed formulas for the Jacobian order, we propose two algorithms which complement those of Freeman and Satoh to produce genus 2 pairing-friendly hyperelliptic curves. Our method relies on techniques initially proposed to produce pairing-friendly elliptic curves (namely, the Cocks-Pinch method and the Brezing-Weng method). We show that the previous security considerations about embedding degree are valid for an elliptic curve and can be lightened for a Jacobian. We demonstrate this method by constructing several interesting curves with ρ-values around 4 with a Cocks-Pinch-like method and around 3 with a Brezing-Weng-like method.