Cryptography Reference
In-Depth Information
10
Hyperelliptic curves
Hyperelliptic curves are a natural generalisation of elliptic curves, and it was suggested by
Koblitz [298] that they might be useful for public key cryptography. Note that there is not
a group law on the points of a hyperelliptic curve; instead, we use the divisor class group
of the curve. The main goals of this chapter are to explain the geometry of hyperelliptic
curves, to describe Cantor's algorithm [105] (and variants) to compute in the divisor class
group of hyperelliptic curves and then to state some basic properties of the divisor class
group.
Definition 10.0.1
Let
[
x
] (we stress that
H
(
x
) and
F
(
x
) are not assumed to be monic). An affine algebraic set of the form
C
:
y
2
k
be a perfect field. Let
H
(
x
)
,F
(
x
)
∈ k
+
H
(
x
)
y
=
F
(
x
)iscalleda
hyperelliptic equation
.The
hyperelliptic involution
ι
:
C
→
C
is defined
by
ι
(
x,y
)
=
(
x,
−
y
−
H
(
x
)).
Exercise 10.0.2
Let
C
be a hyperelliptic equation over
k
. Show that if
P
∈
C
(
k
) then
ι
(
P
)
∈
C
(
k
).
When the projective closure of the algebraic set
C
in Definition
10.0.1
is irreducible,
dimension 1, non-singular and of genus
g
2, then we will call it a hyperelliptic curve.
By definition, a curve is projective and non-singular. We will give conditions for when a
hyperelliptic equation is non-singular. Exercise
10.1.15
will give a projective non-singular
model, but, in practice, one can work with the affine hyperelliptic equation. To “see” the
points at infinity we will move them to points on a related affine equation, namely, the
curve
C
†
of equation (
10.2
).
The genus has already been defined (see Definition
8.4.7
) as a measure of the complexity
of a curve. The treatment of the genus in this chapter is very “explicit”. We will give precise
conditions (Lemmas
10.1.6
and
10.1.8
) that explain when the degree of a hyperelliptic
equation is minimal. From this minimal degree we define the genus. In contrast, the
approach of most other authors is to use the Riemann-Roch theorem.
We remark that one can also consider the algebraic group quotient Pic
0
≥
F
q
(
C
)
/
[
−
1] of
equivalence classes
where
D
is a reduced divisor. For genus 2 curves this object
can be described as a variety, called the
Kummer surface
. It is beyond the scope of this
topic to give the details of this case. We refer to Chapter 3 of Cassels and Flynn [
115
]for
{
D,
−
D
}
