Cryptography Reference
In-Depth Information
H
(
x
)
v
‡
(
x
)
−
≤
+
d
u
−
1. Let
d
u
†
=
deg(
u
†
(
x
)) so that
m
=
d
u
+
F
(
x
))
d
d
u
†
. Show that
v
‡
(
x
))
v
‡
(
x
))
v
∞
−
(
y
−
=−
d
,div(
y
−
=
2
div(
u
†
(
x
)
,y
v
†
(
x
))
2
div(
u
(
x
)
,y
−
v
(
x
))
∩ A
+
+
H
(
x
)
+
∩ A
∞
+
)
∞
−
)
−
(
d
u
+
d
u
†
−
d
)(
−
d
(
(10.13)
v
‡
(
x
))
and
v
∞
+
(
y
−
=−
(
d
u
+
d
u
†
−
d
).
We now discuss how to represent divisor classes. An obvious choice is to represent
classes as
D
∞
+
) where
D
is an affine effective divisor of degree
d
(see Paulus and
Ruck [
429
] for a full discussion of this case). A more natural representation, as pointed
out by Galbraith, Harrison and Mireles [
202
], is to use balanced representations at infinity:
in other words, when
g
is even, to represent divisor classes as
D
−
d
(
∞
+
)
∞
−
))
−
(
g/
2)((
+
(
where
D
is an effective divisor of degree
g
.
Definition 10.4.9
Let
C
be a hyperelliptic curve of genus
g
over
k
with split model. If
g
g
2
((
(
g
+
1)
∞
+
)
∞
−
)). If
g
is odd then define
D
∞
=
∞
+
)
is even then define
D
∞
=
+
(
(
+
2
(
g
−
1)
2
∞
−
).
Let
u
(
x
)
,v
(
x
)
(
∈ k
[
x
] be the Mumford representation of a semi-reduced divisor
D
=
2
and
n
div(
u
(
x
)
,y
−
v
(
x
))
∩ A
∈ Z
. Then div(
u
(
x
)
,v
(
x
)
,n
) denotes the degree zero divisor
∞
+
)
∞
−
)
D
+
n
(
+
(
g
−
deg(
u
(
x
))
−
n
)(
−
D
∞
.
If 0
≤
deg(
u
(
x
))
≤
g
and 0
≤
n
≤
g
−
deg(
u
(
x
)) then such a divisor is called
reduced
.
Uniqueness of this representation is shown in Theorem
10.4.19
. When
g
is odd then
one could also represent divisor classes using
D
∞
=
∞
−
)). This is
applicable in the inert case too. A problem is that this would lead to polynomials of higher
degree than necessary in the Mumford representation, and divisor class representatives
would no longer necessarily be unique.
It is important to realise that
u
(
x
) and
v
(
x
) are only used to specify the affine divisor. The
values of
v
∞
+
(
y
+
∞
+
)
+
(
g
1)
/
2((
(
v
(
x
)) have no direct influence over the degree zero
divisor under consideration. Note also that we allow
n
−
v
(
x
)) and
v
∞
−
(
y
−
∈ Z
in Definition
10.4.9
in general,
but reduced divisors must have
n
∈ Z
≥
0
.
For hyperelliptic curves with split model,
∞
+
,
∞
−
∈ k
and so a divisor (
u
(
x
)
,v
(
x
)
,n
)
is defined over
k
if and only if
u
(
x
)
,v
(
x
)
∈ k
[
x
]. Note that when the genus is even then
D
∞
is
k
-rational even when the model is inert, though in this case a divisor (
u
(
x
)
,v
(
x
)
,n
)
with
n
[
x
].
We may now consider Cantor's addition algorithm in this setting.
=
0 is not defined over
k
if
u
(
x
)
,v
(
x
)
∈ k
Lemma 10.4.10
Let C be a hyperelliptic curve over
of genus g with split model.
Let
div(
u
1
(
x
)
,v
1
(
x
)
,n
1
)
and
div(
u
2
(
x
)
,v
2
(
x
)
,n
2
)
be degree zero divisors as above. Write
D
i
=
k
2
2
be
div(
u
i
(
x
)
,y
−
v
i
(
x
))
∩ A
for i
=
1
,
2
and let D
3
=
div(
u
3
(
x
)
,y
−
v
3
(
x
))
∩ A
the semi-reduced divisor equivalent to D
1
+
D
2
, and s
(
x
)
such that D
1
+
D
2
=
D
3
+
