Efficient Divisor Arithmetic on Real Hyperelliptic Curves

In 1989, Koblitz [3] first proposed the Jacobian of a conventional (imaginary) hyperelliptic curve for use in public-key cryptographic protocols. Hyperelliptic curves are in a sense generalizations of elliptic curves. The Jacobian is a finite abelian group which, like elliptic curve groups, has unique representatives of group elements and efficient arithmetic (divisor addition and reduction). Although the arithmetic appears more complicated than that of elliptic curves [4, 8, 1], there are some indications that it can in some cases be more efficient. Several years later, a key exchange protocol was presented for the real model of a hyperelliptic curve [6]. Its underlying key space was the set of reduced principal ideals in the ring of regular functions of the curve, together with its group-like infrastructure. Although the main operation of divisor addition and reduction is comparable in efficiency to that of the imaginary model [7], the protocol [6] was significantly slower and more complicated than its imaginary cousin [3], while offering no additional security; the same was true for subsequent modifications presented in [5]. Despite the apparent short-comings of the real model, recent work [2] shows that it may admit protocols that are comparable in efficiency to those based on the imaginary model. The main idea is that, in addition to the divisor addition operation, the real model has a second operation called a baby step that is significantly more efficient. By exploiting this operation, cryptographic protocols can be devised that are more efficient than those based on the imaginary model provided that the divisor addition operation is not significantly more expensive in the real model than in the imaginary model. In order to examine the efficiency of these new protocols completely, it is necessary to devise explicit formulas for divisor arithmetic in the real model of cryptographically-relevant low genus curves. The scope of this project is to survey the state-of-the-art in explicit formulas for low-genus imaginary hyperelliptic curves [1, 4, 8] and investigate the generalization of these formulas to the real model. The goal is to provide explicit formulations of the protocols in [2], thereby enabling a direct comparison with the corresponding protocols based on the imaginary model.