Faster Cryptographic Key Exchange on Hyperelliptic Curves


No Author Given
No Institute Given

Abstract. We present a key exchange procedure based on divisor arithmetic for the real model of a hyperelliptic curve over a finite field, as opposed to the imaginary representation that is normally used for cryptographic applications. Our protocol is almost fifteen percent faster than conventional key exchange using hyperelliptic curves, with the most significant improvements occurring for low genus (2 and 3). This speed-up is established theoretically and confirmed numerically.

Keywords: cryptographic key exchange, hyperelliptic curve, reduced divisor, infrastructure and distance, efficient implementation

1 Introduction and Motivation

Cryptographic key exchange à la Diffie-Hellman has been proposed with a variety of different underlying group and group-like structures. Finite fields and elliptic curves have found their way into commercial applications, but in recent years, hyperelliptic curves of low genus have also become an increasingly popular choice. In 1989, Koblitz [6] first proposed the Jacobian of a conventional (imaginary) hyperelliptic curve for key exchange. Several years later, an analogous key exchange protocol was presented for the real model of a hyperelliptic curve [10]. Its underlying key space was the set of reduced principal ideals in the ring of regular functions of the curve, together with its group-like infrastructure. Unfortunately, the protocol of [10] was significantly slower and more complicated than its imaginary cousin [6], while offering no additional security; the same was true for the subsequent modifications presented in [9].

In this paper, we show that the real model of a hyperelliptic curve in fact allows for more efficient key exchange than the conventional imaginary model. This is because, in contrast to the Jacobian of an imaginary hyperelliptic curve (which admits only the giant step operation, i.e., divisor addition with subsequent reduction), the set of reduced principal divisors of a real hyperelliptic curve admits two operations. In addition to giant steps, we have a much faster baby step operation that is akin to a Gaussian reduction step (as used in the imaginary setting) and can also be used to jump from one divisor to the next. We show how on average one sixth of the giant steps in the original protocol [10] can be replaced by baby steps, at the additional expense of just a few more baby steps. Since baby steps require only linear time, whereas giant steps take quadratic time, this speeds up the protocol by almost fifteen percent over the procedures given in [6] and [10]. This speed-up can be proven theoretically, even for genus as low as 2, and is confirmed by extensive numerical data.

We begin with a brief overview describing the key space for key exchange using both imaginary and real hyperelliptic curves. The mathematical details for the real setting are given in Appendix A, where the infrastructure is described for the first time in the terminology of divisors (as opposed to ideals). Section 3 reviews the key exchange procedures of [6] and [10] and describes our improvements to the latter; proofs of correctness are provided in Appendix B and algorithmic details in Appendix C. We briefly touch upon security issues in Section 3.5 and provide numerical data in Section 4. As some of this is still work in progress, we offer conclusions and some open problems in Section 5.

2 Hyperelliptic Curves

Throughout this paper, let $C$ be a hyperelliptic curve of genus $g$ over a finite field $k = \mathbb{F}_q$ of odd characteristic. Then $C$ is of the form $y^2 = f(x)$, where $f(x)$ is a monic polynomial of degree $2g+1$ or $2g+2$. Let $K = k(x, y)$ be the function field of $C$. The curve $C$ and the extension $K/k(x)$ are said to be imaginary if $\deg(f) = 2g+1$ is odd and real if $\deg(f) = 2g+2$ is even.
In the former case, the pole of $x$ is totally ramified in $K$, whereas in the real scenario there are two poles of $x$ in $K$, both of degree 1.

2.1 Imaginary Setting

In this scenario, the Jacobian of $K$ (the group of degree zero divisor classes defined over $K$ modulo principal equivalence) is used for cryptographic key exchange. It is well known that every such class has a unique reduced representative. If $\mathcal{R}$ denotes the set of these reduced representatives, then we have an operation on $\mathcal{R}$ via $(D, D') \mapsto D \dagger D'$, where $D \dagger D'$ is the unique reduced representative in the divisor class of $D + D'$. $\mathcal{R}$ is a group under this operation. We refer to this operation as a giant step.¹ The conventional method for performing giant steps is divisor addition with subsequent Gaussian reduction, although other more efficient methods, such as explicit formulas for low genus curves, exist. For definitions of the terminology used above as well as other details, we refer the reader to [1], [6], and [4].

2.2 Real Setting

Suppose now that $K/k(x)$ is real, and let $\infty_1$ and $\infty_2$ denote the two poles of $x$. Then the divisor $\infty_1 - \infty_2$ has degree zero and finite order, which we denote by $R_x$. Since in this setting every degree zero divisor class contains many reduced divisors, we restrict ourselves to the principal divisor class only, and define $\mathcal{R}$ to be the (finite) set of all reduced principal divisors $D$ with $0 \le \delta(D) < R_x$. Here $\delta(D)$ is called the distance of $D$ and is defined to be $\delta(D) = -\nu_{\infty_1}(\alpha)$, where $D = (\alpha)$ with $\alpha \in K$, and $\nu_{\infty_1}$ is the additive valuation associated with the place $\infty_1$. All the mathematical and algorithmic details pertaining to the set $\mathcal{R}$ are described in Appendix A; here we only summarize the details needed for our cryptographic protocol.

The divisors in $\mathcal{R}$ can be naturally ordered by ascending distance; write $\mathcal{R} = \{D_1, D_2, D_3, \ldots, D_r\}$ with $D_1 = (1)$. An operation similar to a Gaussian reduction step (as used for divisor reduction on imaginary hyperelliptic curves) moves from $D_i$ to $D_{i+1}$ and is referred to as a baby step. Using the exact same arithmetic as in the imaginary setting, we can also define giant steps $(D, D') \mapsto D \dagger D'$ on $\mathcal{R}$. While $\mathcal{R}$ is closed under giant steps, the operation is not associative, but we have

$$\delta(D \dagger D') = \delta(D) + \delta(D') - d, \qquad 0 \le d \le 2g, \tag{2.1}$$

where $d$ can be efficiently computed. This behavior is referred to as the infrastructure of $\mathcal{R}$. Finally, we define for any integer $n$ with $0 \le n < R_x$ the divisor below $n$ to be the unique divisor $D_i \in \mathcal{R}$ with $\delta(D_i) \le n < \delta(D_{i+1})$. This divisor can be efficiently computed (without knowing its distance) using Algorithm BELOW in the next section.

¹ The dagger symbol was chosen for its similarity to the plus sign +, to indicate that a giant step is still a type of addition of divisors. In the imaginary setting, it is in fact addition of divisor classes via reduced representatives; in the real scenario, things are slightly different. The terms baby step and giant step stem from arithmetic on real hyperelliptic curves; the particular choice of terminology is explained in Appendix A.

3 Key Exchange Using Hyperelliptic Curves

3.1 Key Exchange Using Imaginary Hyperelliptic Curves

Koblitz [6] was the first to suggest this setting for cryptographic key exchange; we only restate it here for reference. All users agree on an imaginary hyperelliptic curve $C$ (i.e., a pair $(q, f(x))$ where $q$ is an odd prime power and $f(x) \in \mathbb{F}_q[x]$ is a monic squarefree polynomial of odd degree) and a reduced divisor $D$ of $C$. We assume that Alice and Bob have access to an algorithm SCALAR($D$, $n$) that on input a reduced divisor $D$ and an integer $n$ outputs the reduced representative of the divisor class of $nD$. To generate a common key, Alice and Bob execute the following:

Protocol 1

Round 1. Alice secretly generates $a \in \mathbb{N}$, computes $D_a = $ SCALAR($D$, $a$), and sends $D_a$ to Bob; Bob secretly generates $b \in \mathbb{N}$, computes $D_b = $ SCALAR($D$, $b$), and sends $D_b$ to Alice.

Round 2. Alice computes $K = $ SCALAR($D_b$, $a$); Bob computes $K = $ SCALAR($D_a$, $b$).

Since $K$ is the unique reduced divisor in the class of $abD$, both parties have obtained the same key.

3.2 Key Exchange Using Real Hyperelliptic Curves

The following protocol was first introduced in [10]; see also [9]. All users agree on a real hyperelliptic curve $C$ (i.e., a pair $(q, f(x))$ where $q$ is an odd prime power and $f(x) \in \mathbb{F}_q[x]$ is a monic squarefree polynomial of even degree) and a divisor $D \in \mathcal{R}$ of small distance. $D$ can be found by applying zero or more baby steps to the divisor $D_1 = (1)$. We assume that Alice and Bob have access to an algorithm BELOW($D$, $n$) that on input a divisor $D \in \mathcal{R}$ and an integer $n$ outputs the divisor in $\mathcal{R}$ below $n\delta(D)$. To generate a common key, Alice and Bob perform the following steps:

Protocol 2

Round 1. Alice secretly generates $a \in \mathbb{N}$, computes $D_a = $ BELOW($D$, $a$), and sends $D_a$ to Bob; Bob secretly generates $b \in \mathbb{N}$, computes $D_b = $ BELOW($D$, $b$), and sends $D_b$ to Alice.

Round 2. Alice computes $K = $ BELOW($D_b$, $a$); Bob computes $K = $ BELOW($D_a$, $b$).

Since $K$ is the divisor in $\mathcal{R}$ below $ab\,\delta(D)$, Alice and Bob obtain the same key. We will see in the next section that Protocol 2 is somewhat less efficient than Protocol 1, since the algorithm BELOW is slower than its imaginary cousin SCALAR.

3.3 Improvements to the Real Scenario

We now describe a number of improvements to Protocol 2 that will make key exchange using real hyperelliptic curves faster than its imaginary counterpart. In order to explain these improvements, we need to look at Algorithm BELOW in more detail. This algorithm is essentially binary exponentiation applied to giant steps, with subsequent baby step adjustments.

BELOW($D$, $n$) // outputs the divisor below $n\delta(D)$
1. Compute the binary representation $n = \sum_{i=0}^{l} b_i 2^{l-i}$ of $n$ ($b_0 = 1$, $b_i \in \{0, 1\}$ for $1 \le i \le l$);
2. Set $E = D$;
3. For $i = 1$ to $l$ do
   3.1. Set $E' = E \dagger E$ and compute $d = 2\delta(E) - \delta(E')$ (using (2.1));
   3.2. Compute the divisor $E \in \mathcal{R}$ below $2\delta(E)$ by performing at most $d$ baby steps starting from $E'$; replace $d$ by $\delta(E) - \delta(E')$ in the process;
   3.3. If $b_i = 1$ then set $E' = E \dagger D$ and $d = \delta(E) + \delta(D) - \delta(E')$; compute the divisor $E \in \mathcal{R}$ below $\delta(E) + \delta(D)$ by performing at most $d$ baby steps starting from $E'$; replace $d$ by $\delta(E) - \delta(E')$ in the process;
4. Output $E$.

It is clear that this algorithm produces the divisor $E \in \mathcal{R}$ below $n\delta(D)$. It is also obvious that BELOW($D$, $n$) is somewhat slower than its imaginary counterpart SCALAR($D$, $n$), since SCALAR is essentially BELOW (with giant steps for imaginary rather than real hyperelliptic curves, of course) without the computation of $d$ in steps 3.1 and 3.3 and, more importantly, without the extra baby step adjustments in steps 3.2 and 3.3.

We now outline our improvements to Protocol 2. For Round 1, we exploit the fact that baby steps are significantly faster than giant steps, so we replace the giant steps in step 3.3 of BELOW by baby steps. We also replace the adjustment steps in steps 3.2 and 3.3 of BELOW by a precomputation. In Round 2, we perform a few necessary adjustment steps at the beginning and subsequently perform exponentiation on giant steps only, without adjustments. We write $D^+$ for the divisor obtained by applying one baby step to the divisor $D \in \mathcal{R}$, and use the following heuristics (evidence supporting the validity of these heuristics is provided in Appendix B):

Heuristics (H): For sufficiently large $q$, the following properties hold.
(H1) With probability $1 - O(q^{-1})$, we have $\delta(D^+) - \delta(D) = 1$ for all $D \in \mathcal{R}$ with $D \ne (1)$.
(H2) The quantity $d$ in (2.1) is always equal to $g/2$. That is, for all $D, D' \in \mathcal{R} \setminus \{(1)\}$, we have $\delta(D \dagger D') = \delta(D) + \delta(D') - g/2$.

We modify Algorithm BELOW to produce on input $n$ a divisor in $\mathcal{R}$ whose distance is larger than $n$ by a factor of approximately $g+2$. Here we replace the giant steps $E \dagger D$ in step 3.3 of BELOW by baby steps, and all the adjustment steps by a precomputation that generates the divisor $D_{d+3} \in \mathcal{R}$, where $d = g/2$. $D_{d+3}$ can be found by applying $d+2$ baby steps to $D_1 = (1)$.

BELOW-SHIFT($n$) // outputs the divisor of distance $m$, assuming (H), where $m = 2^{\lfloor \log_2 n \rfloor}(g+1) + n + d$
1. Set $m = 2^{\lfloor \log_2 n \rfloor}(g+1) + n + d$;
2. Compute the binary representation $n = \sum_{i=0}^{l} b_i 2^{l-i}$ of $n$ ($b_0 = 1$, $b_i \in \{0, 1\}$ for $1 \le i \le l$);
3. Set $E = D_{d+3}$;
4. For $i = 1$ to $l$ do
   4.1. Replace $E$ by $E \dagger E$;
   4.2. If $b_i = 1$ then replace $E$ by $E^+$;
5. Output $E$.

We prove in Appendix B that under the assumption of Heuristics (H), BELOW-SHIFT($n$) outputs a divisor $E \in \mathcal{R}$ of distance $\delta(E) = m$. We now fix an a priori bit size $l+1$ for our exponents $n$, i.e., an integer $l$ such that $2^l \le n < 2^{l+1}$. We also assume that we have precomputed a second divisor $D'$ of distance $\delta(D') = 2^l(g+1) + g$. Assuming (H), this can be accomplished by computing the divisor $D'' = $ BELOW($D_2$, $2^l$) of distance $\delta(D'') = 2^l\delta(D_2) = 2^l(g+1)$ and then applying $g$ baby steps to $D''$ to obtain $D'$. Altogether, the computation of $D'$ requires $l$ giant steps and $ld + g$ baby steps. We point out that the conjugate divisor $\overline{D'}$ of $D'$ (i.e., the image of $D'$ under the involution $(x, y) \mapsto (x, -y)$ on the curve $C$) also lies in $\mathcal{R}$ and can be computed from $D'$ in constant time (see (A.1) in Appendix A). Knowing $\overline{D'}$ allows us to find, for a given integer $n$ with $g+1 \le n \le R_x - 1$, a divisor of distance $n$ as follows.

DISTANCE($n$) // outputs the divisor of distance $n$, assuming (H)
1. $\tilde{D} = $ BELOW-SHIFT($n$);
2. $E = \tilde{D} \dagger \overline{D'}$;
3. Output $E$.

We prove in Appendix B that under the assumption of Heuristics (H), DISTANCE($n$) outputs a divisor $E \in \mathcal{R}$ of distance $\delta(E) = n$.

For Round 2 of Protocol 2, we introduce a faster version of BELOW that performs the necessary adjustment steps before the exponentiation and eliminates all later adjustments.

BELOW-PLUS-d($D$, $n$) // outputs a divisor of distance $n\delta(D) + d$
1. For $i = 1$ to $d$ do
   1.1. Replace $D$ by $D^+$;
2. Compute the binary representation $n = \sum_{i=0}^{l} b_i 2^{l-i}$ of $n$ ($b_0 = 1$, $b_i \in \{0, 1\}$ for $1 \le i \le l$);
3. Set $E = D$;
4. For $i = 1$ to $l$ do
   4.1. Replace $E$ by $E \dagger E$;
   4.2. If $b_i = 1$ then replace $E$ by $E \dagger D$;
5. Output $E$.

We prove in Appendix B that under the assumption of Heuristics (H), BELOW-PLUS-d($D$, $n$) outputs a divisor $E \in \mathcal{R}$ of distance $\delta(E) = n\delta(D) + d$, where $\delta(D)$ is the distance of the input divisor before the $d$ baby steps of step 1.

We now describe our improved key exchange protocol for real hyperelliptic curves. We assume that all users have agreed on an odd prime power $q$, a real hyperelliptic curve $C$, and a bit size $l+1$ for exponents. In addition, the divisors $D_{d+3}$ and $D'$ of respective distances $d+g+2$ and $2^l(g+1)+g$ have been precomputed.

Protocol 3

Round 1.

Alice secretly generates $a \in \mathbb{N}$, computes $D_a = $ DISTANCE($a$), and sends $D_a$ to Bob; Bob secretly generates $b \in \mathbb{N}$, computes $D_b = $ DISTANCE($b$), and sends $D_b$ to Alice.

Round 2. Alice computes $K = $ BELOW-PLUS-d($D_b$, $a$); Bob computes $K = $ BELOW-PLUS-d($D_a$, $b$).

We prove in Appendix B that under the assumption of Heuristics (H), Alice and Bob possess the same key at the end of Protocol 3, namely the divisor $K \in \mathcal{R}$ of distance $\delta(K) = ab + d$.

3.4 Efficiency

The following table compares the average computational effort of Protocols 1 and 3 for each user. We assume here that exponents have bit length $l+1$, with an equal number of 0 bits and 1 bits. We ignore the effort of generating $q$ and the hyperelliptic curve $C$, since it is identical for both protocols. For the real scenario, we assume Heuristics (H).

                       Protocol 1           Protocol 3
  Precomputation       none                 l giant steps, (l+1)d + g + 2 baby steps
  Round 1              1.5l giant steps     l + 1 giant steps, 0.5l baby steps
  Round 2              1.5l giant steps     1.5l giant steps, d baby steps
  Total Rounds 1 & 2   3l giant steps       2.5l + 1 giant steps, 0.5l + d baby steps

By assuming that the cost of baby steps is negligible, one obtains the rough estimate that Protocol 3 will require 5/6 of the time of Protocol 1. In order to compare the efficiency of the two protocols more accurately, the speed ratio of baby steps versus giant steps needs to be investigated, and this ratio depends on the implementation of these operations. If $0.5l + d$ baby steps are faster than $0.5l - 1$ giant steps, then Protocol 3 is faster than Protocol 1.

3.5 Security

The security of Protocol 1, Diffie-Hellman key exchange using the imaginary model of a hyperelliptic curve, has been studied fairly extensively;

see [4] for a survey. Being able to solve the discrete logarithm problem, i.e., computing the integer $n$ given divisors $nD$ and $D$, allows one to break the protocol. For sufficiently small genus, the best known algorithm for solving the discrete logarithm problem requires $O(q^{g/2})$ operations. As our new Protocol 3 is just a more computationally efficient version of Protocol 2, the same security considerations apply. As discussed in [10], being able to solve the infrastructure discrete logarithm problem, i.e., computing the distance $\delta(D)$ of a given principal divisor $D$, allows one to break the protocol. This problem is closely related to the discrete logarithm problem in the imaginary setting (see, for example, [4]), and as most of the known algorithms for solving the discrete logarithm problem in the imaginary setting can be modified to solve the infrastructure discrete logarithm problem, the same security considerations as in the imaginary setting apply to the real setting.

4 Implementation and Numerical Results

In order to test the efficiency of our improved Diffie-Hellman type key exchange protocol using the real model of a hyperelliptic curve (Protocol 3), we implemented it and the corresponding protocol using the imaginary model (Protocol 1), using the computer algebra library NTL [11] for finite field and polynomial arithmetic. We used the GNU C++ compiler version 3.2, and the computations described below were performed on a Pentium IV 2.53 GHz computer running Linux. Both protocols were implemented using curves defined over prime finite fields $\mathbb{F}_p$ and characteristic 2 finite fields $\mathbb{F}_{2^n}$.³ We used the formulation of Cantor's algorithm described in [12] for the giant step operation in both the imaginary and real case for curves over $\mathbb{F}_p$, and the obvious generalizations for curves over $\mathbb{F}_{2^n}$. For reference, the precise formulas we used are presented in Appendix C.

³ We did not describe the theory and arithmetic of curves over binary fields here, but they can be found, for example, in [4].
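As an added illustration of the arithmetic of Section 3.3 and Appendix A (this is not the paper's NTL/C++ implementation), the following Python code runs Protocol 3 on a genus-2 real hyperelliptic curve over $\mathbb{F}_p$. Polynomials are plain coefficient lists; baby steps follow (A.3), with $\lfloor y \rfloor$ obtained by matching the top coefficients of $f$ and $s^2$; giant steps use Cantor's composition formula followed by (A.3) until $\deg a \le g$; the conjugate is $\mathrm{div}(a, -b)$ as in (A.1). The prime $p = 2^{31}-1$, the polynomial $f$, the bit size $l = 5$ and all function names are choices made for this example, and Heuristics (H) are assumed to hold on the curve, exactly as in the paper. The code is a functional model of the algorithms, not a constant-time implementation.

```python
# Added example, not the paper's NTL/C++ code: Protocol 3 on a genus-2 real hyperelliptic
# curve y^2 = f(x) over F_p, written from (A.3), Cantor's composition formula and the
# algorithms BELOW-SHIFT, DISTANCE and BELOW-PLUS-d. P and F are constructed for this example.
P = 2**31 - 1               # assumed prime field size
G = 2                       # genus; the shortfall d of (2.1) is g/2 = 1 under (H2)
D_SHORT = G // 2
F = [11, 7, 5, 2, 3, 1, 1]  # f = x^6 + x^5 + 3x^4 + 2x^3 + 5x^2 + 7x + 11, lowest degree first

# Polynomials over F_P: lists of coefficients, lowest degree first, no trailing zeros.
def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a
def add(a, b):
    n = max(len(a), len(b))
    return trim([(x + y) % P for x, y in zip(a + [0] * (n - len(a)), b + [0] * (n - len(b)))])
def neg(a):
    return [(-x) % P for x in a]
def mul(a, b):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % P
    return trim(r)
def divmod_(a, b):          # quotient and remainder, b != 0
    a, q, inv = list(a), [0] * max(len(a) - len(b) + 1, 0), pow(b[-1], -1, P)
    for i in range(len(a) - len(b), -1, -1):
        q[i] = c = a[i + len(b) - 1] * inv % P
        for j, y in enumerate(b):
            a[i + j] = (a[i + j] - c * y) % P
    return trim(q), trim(a)
def monic(a):
    inv = pow(a[-1], -1, P)
    return [x * inv % P for x in a]
def xgcd(a, b):             # (s, u, v) with u*a + v*b = s and s monic
    r0, r1, u0, u1, v0, v1 = a, b, [1], [], [], [1]
    while r1:
        q, r = divmod_(r0, r1)
        r0, r1, u0, u1, v0, v1 = r1, r, u1, add(u0, neg(mul(q, u1))), v1, add(v0, neg(mul(q, v1)))
    inv = pow(r0[-1], -1, P)
    return [[x * inv % P for x in t] for t in (r0, u0, v0)]
def sqrt_poly_part(f):      # floor(y): the monic s of degree g+1 with deg(f - s^2) <= g
    n, inv2, s = G + 1, pow(2, -1, P), [0] * (G + 1) + [1]
    for k in range(n - 1, -1, -1):  # solve for s[k] from the x^(n+k) coefficient of f - s^2 = 0
        s[k] = (f[n + k] - sum(s[i] * s[n + k - i] for i in range(k + 1, n))) * inv2 % P
    return s
Y = sqrt_poly_part(F)       # polynomial part of y as a Laurent series in 1/x
ONE = ([1], [])             # D_1 = (1) = div(1, 0)

# Divisors are pairs (a, b) with a monic, deg b < deg a and a | f - b^2.
def baby_step(D):           # (A.3): b+ = a*floor((b + y)/a) - b, a+ = (f - b+^2)/a
    a, b = D
    b1 = add(mul(a, divmod_(add(b, Y), a)[0]), neg(b))
    a1 = monic(divmod_(add(F, neg(mul(b1, b1))), a)[0])
    return a1, divmod_(b1, a1)[1]
def baby_steps(D, k):
    for _ in range(k):
        D = baby_step(D)
    return D
def giant_step(D1, D2):     # Cantor composition of D1 + D2, then (A.3) until deg a <= g
    (a1, b1), (a2, b2) = D1, D2
    d0, u, v = xgcd(a1, a2)
    s, w1, w = xgcd(d0, add(b1, b2))          # s = w1*(u*a1 + v*a2) + w*(b1 + b2)
    u, v = mul(w1, u), mul(w1, v)
    A = monic(divmod_(mul(a1, a2), mul(s, s))[0])
    B = divmod_(add(add(mul(mul(u, a1), b2), mul(mul(v, a2), b1)), mul(w, add(mul(b1, b2), F))), s)[0]
    E = (A, divmod_(B, A)[1])
    while len(E[0]) - 1 > G:
        E = baby_step(E)
    return E
def conj(D):                # (A.1): the conjugate divisor is div(a, -b)
    return D[0], neg(D[1])

# Section 3.3 with Heuristics (H) assumed; no distance is ever computed.
def below_shift(n, D_d3):   # BELOW-SHIFT(n): distance 2^l (g+1) + n + d
    E = D_d3
    for bit in bin(n)[3:]:  # bits b_1 ... b_l after the leading 1
        E = baby_step(giant_step(E, E)) if bit == '1' else giant_step(E, E)
    return E
def precompute(l):          # D_{d+3} and D', of distances d+g+2 and 2^l (g+1) + g
    D_d3 = baby_steps(ONE, D_SHORT + 2)
    E = baby_steps(ONE, 1)  # D_2, distance g+1
    for _ in range(l):      # BELOW(D_2, 2^l): under (H) each doubling falls short by exactly d
        E = baby_steps(giant_step(E, E), D_SHORT)
    return D_d3, baby_steps(E, G)
def distance(n, D_d3, D_prime):     # DISTANCE(n): the divisor of distance n
    return giant_step(below_shift(n, D_d3), conj(D_prime))
def below_plus_d(D, n):     # BELOW-PLUS-d(D, n): distance n*delta(D) + d
    D = E = baby_steps(D, D_SHORT)
    for bit in bin(n)[3:]:
        E = giant_step(E, E)
        if bit == '1':
            E = giant_step(E, D)
    return E
def protocol3(a, b, l):     # Protocol 3 with 2^l <= a, b < 2^(l+1); returns (Alice's key, Bob's key)
    D_d3, D_prime = precompute(l)
    D_a, D_b = distance(a, D_d3, D_prime), distance(b, D_d3, D_prime)
    return below_plus_d(D_b, a), below_plus_d(D_a, b)
```

protocol3(45, 53, 5) returns the same pair $(a, b)$ for Alice and Bob. Under (H) that pair also coincides with the divisor reached from $(1)$ by $ab + d - g$ baby steps, which is the concrete form of the claim $\delta(K) = ab + d$, and DISTANCE($n$) coincides with the divisor reached by $n - g$ baby steps, since $D_2$ has distance $g+1$ and every further baby step advances by 1. The precomputed $D'$ and the conjugate in DISTANCE are what make the distance of the transmitted divisors come out exactly, without either party ever evaluating a distance.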
We ran numerous examples of both key exchange protocols using curves with genus ranging from 2 to 6 and with the underlying finite field chosen so that the size of the set $\mathcal{R}$ (approximately $q^g$ where the finite field has $q$ elements) was roughly $2^{160}$, $2^{224}$, $2^{256}$, $2^{384}$, and $2^{512}$. Assuming only generic attacks with square root complexity, these curves offer 80, 112, 128, 192, and 256 bits of security for cryptographic protocols based on the corresponding discrete logarithm problem. NIST [8]

currently recommends these five levels of security for key establishment in U.S. government applications. As mentioned in Section 3.5, there are algorithms that, for sufficiently large finite fields, will solve the discrete logarithm problem faster than generic methods for $g \ge 3$. However, to the best of our knowledge, no one has done a precise analysis as to how large the finite field has to be for these algorithms to out-perform the generic ones in practice. As such an analysis is beyond the scope of our paper, and as our goal is simply to demonstrate the relative efficiency of our Protocol 3 as opposed to Protocol 1, we only considered generic methods in determining parameter sizes for our experiments. Thus, for $g \ge 3$, the parameter sizes should be considered as approximate lower bounds on the correct sizes needed to provide the stated level of security.

For curves defined over $\mathbb{F}_p$, we chose a random prime $p$ of appropriate length such that $p^g$ had the required bit length, and for curves over $\mathbb{F}_{2^n}$ we chose the minimal value of $n$ such that $gn$ was greater than or equal to the required bit length. For each genus and finite field, we randomly selected 2000 curves and executed both Protocol 1 and Protocol 3 once for each curve. The random exponents used had 160, 224, 256, 384, and 512 bits, respectively, ensuring that the number of bits of security provided corresponds to the five levels recommended by NIST (again, considering only generic attacks). In order to provide a fair comparison between the two protocols, the same sequence of random exponents was used for each protocol. Tables 1 and 2 contain the average CPU time in seconds per communication partner for a single run of the protocol for curves over $\mathbb{F}_p$ and $\mathbb{F}_{2^n}$, respectively. The time for Protocol 1 is denoted by Imag and that of Protocol 3 by Real. We also give the ratios of the average time using Protocol 3 over that using Protocol 1 in Table 3.

Table 1. Key exchange timings over $\mathbb{F}_p$ (in seconds). Columns: security level (in bits), genus, Imag, Real. [Numerical entries not present in this transcription.]

Table 2. Key exchange timings over $\mathbb{F}_{2^n}$ (in seconds). Columns: security level (in bits), genus, Imag, Real. [Numerical entries not present in this transcription.]

Table 3. Key exchange timings over $\mathbb{F}_p$ and $\mathbb{F}_{2^n}$: ratio of real and imaginary runtimes. Columns: security level (in bits), genus, ratio for curves over $\mathbb{F}_p$, ratio for curves over $\mathbb{F}_{2^n}$. [Numerical entries not present in this transcription.]

Our results show that, as predicted, the protocol using the real model out-performs that using the imaginary model in all cases. Furthermore, the observed ratio between the runtimes of the real versus imaginary protocol is in the neighborhood of the predicted ratio of 5/6. The relative performance of Protocol 3 improves as the security level increases, but gets worse as the genus increases. Since low genus hyperelliptic curves are the most interesting for cryptography, this shows that Protocol 3 is particularly useful for cryptographic applications. It should also be noted that although Protocol 3 relies on the heuristics (H1) and (H2), so that there is a negligible (but non-zero) probability of the protocol failing, in all cases both parties computed the same key.

5 Conclusions and Future Work

Our results show that using the real model of a hyperelliptic curve as opposed to the usual imaginary model holds much more promise for practical applications than previously believed. In fact, when using Cantor's

algorithm as described in [12] for the giant-step divisor arithmetic, using the real model yields significant performance improvements for curves of genus as small as 2 over finite fields (both prime fields and characteristic 2) of cryptographically relevant size. As discussed in Section 3.4, the performance improvements clearly depend on how much faster one can perform a baby step as opposed to a giant step in practice. Thus, it is necessary to investigate more closely the performance of our protocol using both Cantor's algorithm and more efficient formulas for giant steps. We chose Cantor's algorithm for our experiments because precise operation counts exist for both the imaginary and real cases [12] that one could use as the basis for a theoretical analysis of the expected performance improvement and its dependence on the genus and chosen security level. Other faster algorithms, in particular explicit formulas for low genus curves, exist in the imaginary setting. However, before explicit formulas can be employed in this context, it is necessary to generalize them to the real case as well as to develop explicit formulas for baby steps. This is the subject of on-going work.

Another candidate for faster giant steps is the NUCOMP algorithm of Shanks, as generalized to hyperelliptic curves in [5]. The main idea of NUCOMP is to replace the reduction formulas by an approximate reduction using the more efficient extended Euclidean algorithm. Preliminary, unpublished results show that by using a carefully optimized formulation of NUCOMP, one obtains improvements for genus as low as 2 or 3 in both the real and imaginary settings. We are currently investigating the possibility of using the ideas of NUCOMP to improve the explicit formulas for low-genus curves and the effect such improved arithmetic will have on the performance of our Protocol 3 as compared with its imaginary counterpart Protocol 1.

In Protocol 3, the improvements in efficiency as compared to the imaginary version come from the first round, where we are able to replace many of the giant steps by baby steps. It is an open problem to take advantage of the existence of the faster baby step operation to improve the second round as well. Finally, it would be interesting to develop an analogue of Koblitz curves (see, for example, [3, 7]) for the real model. Potentially, as with the imaginary model, such curves would have a fast doubling operation, which when combined with our ideas would result in all the operations required for the first round of Protocol 3 requiring a number of finite field operations that is at most linear in the genus.

References

1. D. G. Cantor, Computing in the Jacobian of a hyperelliptic curve, Math. Comp. 48 (1987).
2. E. Friedman and L. C. Washington, On the distribution of divisor class groups of curves over a finite field, in Théorie des Nombres (Quebec 1987), de Gruyter, Berlin.
3. C. Günther, T. Lange and A. Stein, Speeding up the arithmetic on Koblitz curves of genus two, Selected Areas in Cryptography SAC 2000, LNCS 2012, 2001.
4. M. J. Jacobson, Jr., A. J. Menezes, and A. Stein, Hyperelliptic curves and cryptography, in High Primes and Misdemeanors: Lectures in Honour of the 60th Birthday of Hugh Cowie Williams, Fields Institute Communications, vol. 41, American Mathematical Society, 2004.
5. M. J. Jacobson, Jr. and A. J. van der Poorten, Computational aspects of NUCOMP, Proceedings of ANTS-V, Lect. Notes Comp. Sci. 2369, Springer (New York), 2002.
6. N. Koblitz, Hyperelliptic Cryptosystems, J. Cryptology 1 (1989).
7. T. Lange, Fast Arithmetic on Hyperelliptic Curves, Ph.D. thesis, Universität Gesamthochschule Essen.
8. NIST Special Publication, Recommendation on key establishment schemes, Draft 2.0, January.
9. R. Scheidler, Cryptography in quadratic function fields, Designs, Codes and Cryptography 22 (2001).
10. R. Scheidler, A. Stein and H. C. Williams, Key exchange in real quadratic congruence function fields, Designs, Codes and Cryptography 7 (1996).
11. V. Shoup, NTL: A library for doing number theory. Software.
12. A. Stein, Sharp upper bounds for arithmetics in hyperelliptic function fields, Journal of the Ramanujan Mathematical Society, 9 (2001).
13. A. Stein and H. C. Williams, Some methods for evaluating the regulator of a real quadratic function field, Experiment. Math. 8 (1999).

Appendix A Divisors of Real Hyperelliptic Curves

Let $C$ be a hyperelliptic curve of genus $g$ over a finite field $k = \mathbb{F}_q$ of odd characteristic, and write $C$ as $y^2 = f(x)$, where $f(x)$ is a monic polynomial of degree $2g+2$, so $K = k(x, y)$ is a real hyperelliptic function field. Denote by $\infty_1$ and $\infty_2$ the two poles of $x$, with respective normalized additive valuations $\nu_{\infty_1}$ and $\nu_{\infty_2}$. It is well known (see, for example, [1] or [6]) that every degree zero divisor $D$ of an imaginary hyperelliptic curve can be uniquely written as $D = D_x - \deg(D_x)\,\infty$, where $\infty$ is the pole divisor of $x$ and $D_x$ is a divisor that is coprime to $\infty$. If $D$ is semi-reduced, then this representation gives rise to an explicit representation of $D$ by a pair $(a, b)$ of polynomials in $k[x]$

where $a$ is unique and $b$ is unique modulo $a$. We write $D = \mathrm{div}(a, b)$ and note that in this fashion, divisor arithmetic can be reduced to simple polynomial arithmetic over $k$. Similarly, every degree zero divisor of our real hyperelliptic curve can be uniquely written in the form

$$D = D_x - \deg(D_x)\,\infty_2 + n(\infty_1 - \infty_2),$$

where $D_x$ is a divisor that is coprime to both $\infty_1$ and $\infty_2$, and $n = \nu_{\infty_1}(D) \in \mathbb{Z}$ is the coefficient of $\infty_1$ in $D$. As in the imaginary setting, semi-reducedness and reducedness for degree zero divisors can be defined via $D_x$, and for semi-reduced divisors, $D_x$ defines a pair of polynomials $a, b \in k[x]$ with $a$ unique and $b$ unique modulo $a$. Once again, write $D = \mathrm{div}(a, b)$. Note that $\deg(D_x) = \deg(a)$, the degree of the polynomial $a$. Details on the arithmetic of semi-reduced divisors can be found, for example, in [13], [9], or [4], although all these sources employ the terminology of ideals in the ring of $\mathcal{O}_x$-integers (where $\mathcal{O}_x$ is the integral closure of $k[x]$ in $K$). Instead, we provide a discussion using the language of divisors.

For any divisor $D$ defined over $K$, denote by $\overline{D}$ the conjugate divisor, i.e., the image of $D$ under the involution $(x, y) \mapsto (x, -y)$ on $C$; note that $\overline{\infty_1} = \infty_2$. If $D$ is semi-reduced and we write $D = D_x - \deg(D_x)\,\infty_2 + \nu_{\infty_1}(D)(\infty_1 - \infty_2) = \mathrm{div}(a, b)$, then

$$\overline{D} = \overline{D_x} - \deg(D_x)\,\infty_2 - \bigl(\deg(D_x) + \nu_{\infty_1}(D)\bigr)(\infty_1 - \infty_2) = \mathrm{div}(a, -b), \tag{A.1}$$

so $\deg(\overline{D_x}) = \deg(D_x) = \deg(a)$ and

$$D + \overline{D} = (a)_x - 2\deg(D_x)\,\infty_2 - \deg(D_x)(\infty_1 - \infty_2) = (a) = \mathrm{div}(a, 0),$$

where $(a)$ is the principal divisor of the function $a$ and $(a)_x$ is its finite part. In contrast to the imaginary scenario, every degree zero divisor class contains many reduced divisors, so arithmetic on divisor classes can no longer be performed via reduced divisors. Instead, we only consider certain reduced principal divisors. The order $R_x$ of the degree 0 divisor $\infty_1 - \infty_2$ in $K$ is finite and is called the $x$-regulator of $K/k(x)$. We define a new equivalence relation on principal divisors via $(\alpha) \sim (\beta)$ if and only if $(\alpha) - (\beta)$ is a multiple of $R_x(\infty_1 - \infty_2)$. Writing $(\alpha) = (\alpha)_x - \deg((\alpha)_x)\,\infty_2 + \nu_{\infty_1}(\alpha)(\infty_1 - \infty_2)$ as above, we see that every principal divisor is equivalent (under this new relation) to a unique principal divisor $(\alpha)$ with $0 \le -\nu_{\infty_1}(\alpha) < R_x$. Consider the set of classes (under the equivalence relation defined above) of reduced principal divisors, and choose the unique representative

$(\alpha)$ with $0 \le -\nu_{\infty_1}(\alpha) < R_x$ in each of these classes. Let $\mathcal{R}$ denote the collection of these representatives. Since for each $(\alpha) \in \mathcal{R}$, $(\alpha)_x$ is an effective divisor of degree at most $g$ and $0 \le -\nu_{\infty_1}(\alpha) < R_x$, the set $\mathcal{R}$ is finite. Denote by $|\mathcal{R}| = r$ its cardinality. Recall from Section 2.2 that for each divisor $D = (\alpha) \in \mathcal{R}$, the distance of $D$ is $\delta(D) = -\nu_{\infty_1}(\alpha)$. It can be shown that the quantities $\nu_{\infty_1}(\alpha)$ ($(\alpha) \in \mathcal{R}$) are pairwise distinct, so we have a natural ordering of divisors $D_1 = (1), D_2, D_3, \ldots, D_r$ with $\delta(D_1) < \delta(D_2) < \delta(D_3) < \cdots < \delta(D_r) < R_x$. We have

$$\delta(D_1) = 0, \qquad \delta(D_2) = g+1, \qquad 1 \le \delta(D_{i+1}) - \delta(D_i) \le g \ \text{ for } 2 \le i < r. \tag{A.2}$$

An operation similar to Gaussian reduction steps (as used for divisor reduction on imaginary hyperelliptic curves) can be applied to divisors in $\mathcal{R}$, except that here such a step moves from $D_i$ to $D_{i+1}$ and is referred to as a baby step. More exactly, if $D = \mathrm{div}(a, b) \in \mathcal{R}$, then a baby step⁴ produces the divisor $D^+ = \mathrm{div}(a^+, b^+)$ where

$$b^+ = a \left\lfloor \frac{b + y}{a} \right\rfloor - b, \qquad a^+ = \frac{f - (b^+)^2}{a}. \tag{A.3}$$

Here, for any $\theta \in K$, we let $\lfloor \theta \rfloor$ denote the polynomial part of $\theta$ when viewing $\theta$ as a Laurent series in $x^{-1}$. Note that the field of Laurent series in $x^{-1}$ is the completion of $K$ with respect to both $\infty_1$ and $\infty_2$, so elements of $K$ are indeed such Laurent series. We have $D^+ = D + (\theta)$ where $\theta = (b^+ + y)/a \in K$, so $\delta(D^+) = \delta(D) - \nu_{\infty_1}(\theta)$. The running time of a baby step is linear, i.e., $O(g)$ operations in the finite field $k$. Note that $r - 1$ iterations of (A.3) applied to any divisor in $\mathcal{R}$ can be used to generate all of $\mathcal{R}$. If $D_1 = (1) = \mathrm{div}(1, 0)$ as before, then a baby step applied to the last divisor $D_r$ generates a divisor $D$ with $-\nu_{\infty_1}(D) = R_x$. It follows from (A.2) that $g + r \le R_x \le rg + 1$. The Hasse-Weil bounds imply that the order $h$ of the Jacobian of $K$ is of order $q^g$, and $R_x$ is a divisor of $h$. Most of the time, the ratio $h/R_x$ (which is the ideal class number of $\mathcal{O}_x$) is very small by the Friedman-Washington heuristics [2]; in fact, the curve $C$ can be chosen so that $R_x$ is large with high probability, see [4]. It follows that $R_x$, and hence the cardinality $r$ of $\mathcal{R}$, is of magnitude $q^g$, i.e., exponentially large in the bit size of the field $k$.

⁴ There are more efficient formulas when performing more than one baby step; see Appendix C.

Using the exact same arithmetic as in the imaginary setting, we can define giant steps $(D, D') \mapsto D \dagger D'$ on $\mathcal{R}$. The standard way of implementing a giant step is to compute the sum $E = D + D'$ and then apply

16 baby steps (A.3) until the first reduced divisor is reached; this divisor is D D. Just as in the imaginary case, D D is reached after at most (deg(e x ) g)/2 g/2 steps of (A.3). The running time of a giant step is quadratic, i.e., O(g 2 ) operations in k (see [12] for a more exact complexity analysis of both baby steps and giant steps). Addition of divisors in the set R proceeds exactly as divisor addition of imaginary hyperelliptic curves as described, for example, by Cantor [1]. If D = div(a, b) and D = div(a, b ), then D + D = div(a, B) + (s) where s = gcd(a, a, b + b ) = ua + va + w(b + b ) A = aa s 2, (u, v, w k[x]), B uab + va b + w bb + f (mod A). s The set R of reduced principal divisors is obviously closed under giant steps, but not associative, i.e., it is not necessarily the case that (D D ) D = D (D D ) for D, D, D R. However, R is almost associative in the sense that the operation is almost distance preserving. More exactly, as stated in (2.1), we have δ(d D ) = δ(d)+δ(d ) d where 0 d 2g, and d can be efficiently computed (see, for example, Theorem 3.7 of [13]). Since distances tend be of order of magnitude R x, i.e., of magnitude q g by our previous remarks, they are exponentially large compared to the error d in (2.1). It follows that the distance of the divisor D D is extremely close (and just below) the sum of the distances of the divisors D and D, with a shortfall d of at most 2g. The use of the terms baby step and giant step is now justified: the former yields a very small advance (most of the time between 1 and g by (A.2)) in distance, whereas the latter results in an exponentially larger distance jump that can be of order of magnitude R x. To overcome the shortfall in distance identified in (2.1), we defined in Section 2.2 for any integer n with 0 n < R x the divisor below n to be the unique divisor D i R with δ(d i ) n < δ(d i+1 ). 
Given $n$ and a divisor $D$, the divisor $E$ below $n\delta(D)$ can be efficiently computed (without knowing $\delta(D)$) using a technique akin to binary exponentiation; details were given in Algorithm BELOW in Section 3.

Appendix B Proofs of Correctness

In this appendix, we give justification for Heuristics (H) given in Section 3.3 and prove the correctness of algorithms BELOW-SHIFT, DISTANCE, and BELOW-PLUS-d as well as Protocol 3 described in the same section, assuming Heuristics (H).

We begin with a discussion of Heuristics (H). There is ample numerical evidence supporting the truth of these heuristics. Moreover, (H1) can be theoretically justified as follows. The claim is that $\delta(D^+) - \delta(D) = 1$ for all $D \in \mathcal{R}$ with $D \ne (1)$. If $D^+ = D + (\theta)$, i.e., $\delta(D^+) - \delta(D) = -\nu_1(\theta) = \deg(\theta)$, then $\theta$ is a partial quotient in the regular continued fraction expansion of $y$ in the field of Laurent series in $x^{-1}$, and such partial quotients are conjectured to have degree 1 with probability $1 - O(q^{-1})$. We point out that (H1) is equivalent to the assumption that $\deg(a) = g$ for all $D = \operatorname{div}(a, b) \in \mathcal{R} \setminus \{(1)\}$, since $g + 1 = \deg(b^+ + b) = \deg(a) + \delta(D^+) - \delta(D)$ by (A.3).

To justify (H2), i.e., that for all $D, D' \in \mathcal{R} \setminus \{(1)\}$ we have $\delta(D \oplus D') = \delta(D) + \delta(D') - \lceil g/2 \rceil$, consider the following. If we write $D = \operatorname{div}(a, b)$ and $D' = \operatorname{div}(a', b')$, then at most $t = \lceil (\deg(a) + \deg(a') - g)/2 \rceil$ baby steps are required to obtain a reduced divisor when starting at $D + D'$. If we assume $\deg(a) = \deg(a') = g$ according to (H1), then $t = \lceil g/2 \rceil$. Since each baby step yields an advance of exactly 1 by (H1), we should have $d = \lceil g/2 \rceil$ in (2.1).

We continue to prove the correctness of algorithms BELOW-SHIFT, DISTANCE, and BELOW-PLUS-d as well as Protocol 3 under (H).

Theorem 1. Assuming Heuristics (H), BELOW-SHIFT(n) outputs a divisor $E \in \mathcal{R}$ of distance $\delta(E) = m$.

Proof. Under Heuristics (H), we have $\delta(D_{d+3}) = d + g + 2$. Let $E_i$ be the divisor computed after the $i$-th iteration of the loop, with $E_0 = D_{d+3}$ and $\delta(E_0) = (g + 1) + b_0 + d$. Then by (H) and (2.1), we have $\delta(E_i) = 2\delta(E_{i-1}) - d + b_i$ for $1 \le i \le l$. A simple induction argument yields
$$\delta(E_i) = 2^i \delta(E_0) - (2^i - 1)d + \sum_{j=1}^{i} b_j 2^{i-j} = 2^i (g + 1) + d + \sum_{j=0}^{i} b_j 2^{i-j}.$$
Substituting $i = l$ yields $\delta(E_l) = 2^l (g + 1) + d + n = m$.

Theorem 2. Assuming Heuristics (H), DISTANCE(n) outputs a divisor $E \in \mathcal{R}$ of distance $\delta(E) = n$.

Proof.
by (A.1), we have $\delta(D') = R_x + \deg(D_x) - \delta(D) = R_x - 2^l (g + 1)$, because $\deg(D_x) = g$ by (H). By Theorem 1, we obtain $\delta(D) + \delta(D') - d = (2^l (g + 1) + n + d) + (R_x - 2^l (g + 1)) - d = R_x + n$. It follows from (2.1) and the definition of distance that $\delta(E) = n$.

Theorem 3. Assuming Heuristics (H), BELOW-PLUS-d(D, n) outputs a divisor $E \in \mathcal{R}$ of distance $\delta(E) = n\delta(D) + d$.

Proof. After step 2, we have a divisor $D'$ of distance $\delta(D') = \delta(D) + d$. Once again, let $E_i$ be the divisor computed after the $i$-th iteration of the loop, with $E_0 = D'$. Then by (H) and (2.1), we have $\delta(E_i) = 2\delta(E_{i-1}) - d + b_i(\delta(D') - d) = 2\delta(E_{i-1}) - d + b_i\delta(D)$. We have $\delta(E_0) = b_0\delta(D) + d$ and by induction $\delta(E_i) = \sum_{j=0}^{i} b_j 2^{i-j}\delta(D) + d$. Substituting $i = l$ yields $\delta(E_l) = n\delta(D) + d$ as desired.

Theorem 4. Assuming Heuristics (H), Alice and Bob possess the same key at the end of Protocol 3, namely the divisor $K \in \mathcal{R}$ of distance $\delta(K) = ab + d$.

Proof. By Theorem 2, we have $\delta(D_a) = a$ and $\delta(D_b) = b$. By Theorem 3, the divisor BELOW-PLUS-d($D_b$, $a$) has distance $a\delta(D_b) + d = ab + d$, and similarly, BELOW-PLUS-d($D_a$, $b$) has distance $b\delta(D_a) + d = ba + d$. This proves the claim.

Appendix C Formulas for Divisor Arithmetic

In this appendix, we give the precise formulas for divisor arithmetic used in the implementation described in Section 4. These formulas are for curves defined over odd characteristic finite fields; the analogues for the even characteristic case can be derived easily based on the arithmetic descriptions in [4]. The formulas are essentially taken directly from [12] with the following exceptions. First, we represent the divisor $D$ as $\operatorname{div}(a, b, c)$, where $c = (b^2 - f)/a$ and the curve is given by $y^2 = f$. The formulas we use compute $c$ for free as part of the reduction algorithm, and having it available simplifies the doubling (adding a divisor to itself) and baby step computations. Second, we assume the heuristics (H1) and (H2). This simplifies the giant step formulas in that we can assume that the output of any gcd computation will be 1. Throughout, $\operatorname{lc}(a)$ denotes the leading coefficient of $a \in \mathbb{F}_q[x]$. In the real setting, we assume that $s$, the polynomial part of $\sqrt{f}$, is precomputed.

REDUCE IMAG(div(a, b, c))
    // outputs the reduced divisor equivalent to div(a, b, c)
    while (deg(a) > g)
        a' = c
        q = floor(-b/c), r = -b mod c
        c = a + q(b - r), b = r, a = a'
    Output div(a/lc(a), b, c·lc(a))

REDUCE REAL(div(a, b, c))
    // outputs a reduced divisor equivalent to div(a, b, c)
    while (deg(a) > g)
        q = floor((s + b)/a), r = (s + b) mod a
        b' = s - r
        a' = c + q(b - b')
        b = b', c = a, a = a'
    Output div(a/lc(a), b, c·(-lc(a)))

ADD(div(a_1, b_1, c_1), div(a_2, b_2, c_2))
    // outputs the reduced divisor div(a_3, b_3, c_3) equivalent to
    // div(a_1, b_1, c_1) + div(a_2, b_2, c_2)
    Solve gcd(a_2, a_1) = G = X a_2 + Y a_1 for G, X in F_q[x]
    U = X(b_1 - b_2) mod a_1
    a_3 = a_1 a_2, b_3 = b_2 + a_2 U, c_3 = (b_3^2 - f)/a_3   (c_3 = (f - b_3^2)/a_3 in the real case)
    Output REDUCE(div(a_3, b_3, c_3))   (using either REDUCE IMAG or REDUCE REAL)

DOUBLE(div(a, b, c))
    // outputs the reduced divisor div(a_2, b_2, c_2) equivalent to
    // div(a, b, c) + div(a, b, c)
    Solve gcd(2b, a) = G = X(2b) + Y a for G, X in F_q[x]
    U = -cX mod a
    a_2 = a^2, b_2 = b + aU, c_2 = (b_2^2 - f)/a_2   (c_2 = (f - b_2^2)/a_2 in the real case)
    Output REDUCE(div(a_2, b_2, c_2))   (using either REDUCE IMAG or REDUCE REAL)

BABY(div(a, b, c))
    // performs one baby step on div(a, b, c)
    q = floor((s + b)/a), r = (s + b) mod a
    b' = s - r
    a' = q(b - b') - c
    b = b', c = a, a = a'
    Output div(a/lc(a), b, c·(-lc(a)))
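As an added, self-contained illustration (not code from the paper), the following Python script implements the real-model formulas above (BABY, ADD, REDUCE REAL) on a constructed genus-2 curve over F_101, walks the infrastructure by baby steps from (1) while accumulating distances via (A.3), and checks relation (2.1), including the typical shortfall ⌈g/2⌉ of (H2), on giant steps. The prime, the curve and all function names are assumptions made here, not taken from the paper.

```python
# Added example, not the paper's code: Appendix C formulas (BABY, ADD, REDUCE REAL) on a
# constructed genus-2 real hyperelliptic curve over F_p, plus a numerical check of (2.1),
# delta(D (+) D') = delta(D) + delta(D') - d, 0 <= d <= 2g. Polynomials over F_p are
# lists of coefficients, lowest degree first.
P, G = 101, 2                               # constructed prime field and genus

def trim(a):                                # reduce mod P and strip leading zeros
    a = [c % P for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a
def deg(a):                                 # deg(0) = -1
    return len(a) - 1
def add(a, b):
    a, b = a + [0] * (len(b) - len(a)), b + [0] * (len(a) - len(b))
    return trim([x + y for x, y in zip(a, b)])
def sub(a, b):
    return add(a, [-c for c in b])
def mul(a, b):
    out = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)
def divmod_(a, b):                          # (q, r) with a = q*b + r and deg r < deg b
    a, b, q = trim(a), trim(b), []
    inv = pow(b[-1], P - 2, P)
    while deg(a) >= deg(b):
        term = [0] * (deg(a) - deg(b)) + [a[-1] * inv % P]
        q, a = add(q, term), sub(a, mul(term, b))
    return q, a
def inv_mod(u, m):                          # X with X*u = 1 (mod m); None if gcd(u, m) != 1
    r0, r1, x0, x1 = trim(m), trim(u), [], [1]
    while r1:
        q, r = divmod_(r0, r1)
        r0, r1, x0, x1 = r1, r, x1, sub(x0, mul(q, x1))
    if deg(r0) != 0:
        return None
    return divmod_(mul(x0, [pow(r0[0], P - 2, P)]), m)[1]

# Constructed curve y^2 = f = (x^2 + 2)(x - 1)(x - 3)(x - 5)(x - 7): monic of degree
# 2g + 2 and squarefree (x^2 + 2 is irreducible mod 101, the linear factors are distinct).
F = [1]
for fac in ([2, 0, 1], [-1, 1], [-3, 1], [-5, 1], [-7, 1]):
    F = mul(F, fac)
def sqrt_floor(f):                          # s = floor(sqrt f): monic, deg g+1, deg(f - s^2) <= g
    s = [0] * (G + 1) + [1]
    for i in range(G, -1, -1):              # solve for s_i from the x^(i+g+1) coefficient of s^2
        n = i + G + 1
        t = sum(s[j] * s[n - j] for j in range(i + 1, G + 1))
        s[i] = (f[n] - t) * pow(2, P - 2, P) % P
    return s
S = sqrt_floor(F)                           # precomputed once, as in Appendix C

def baby(D):
    """BABY: one baby step on div(a, b, c), where a is monic and a*c = b^2 - f."""
    a, b, c = D
    q, r = divmod_(add(S, b), a)
    b2 = sub(S, r)
    a2 = sub(mul(q, sub(b, b2)), c)         # equals (f - b2^2)/a, no division needed
    return (mul(a2, [pow(a2[-1], P - 2, P)]), b2, mul(a, [-a2[-1]]))
def reduce_real(a, b, c):
    """REDUCE REAL: input has a*c = f - b^2; output is reduced (deg a <= g), a*c = b^2 - f."""
    while deg(a) > G:
        q, r = divmod_(add(S, b), a)
        b2 = sub(S, r)
        b, c, a = b2, a, add(c, mul(q, sub(b, b2)))   # new a equals (f - b2^2)/a
    return (mul(a, [pow(a[-1], P - 2, P)]), b, mul(c, [-a[-1]]))
def giant(D1, D2):
    """Giant step D1 (+) D2: ADD (assuming gcd(a1, a2) = 1) followed by REDUCE REAL."""
    (a1, b1, c1), (a2, b2, c2) = D1, D2
    X = inv_mod(a2, a1)
    if X is None:
        return None
    U = divmod_(mul(X, sub(b1, b2)), a1)[1]
    a3, b3 = mul(a1, a2), add(b2, mul(a2, U))
    c3, rem = divmod_(sub(F, mul(b3, b3)), a3)
    assert not rem                          # b3^2 = f (mod a3) by construction
    return reduce_real(a3, b3, c3)
def key(D):                                 # canonical form of div(a, b): a monic, b modulo a
    return (tuple(D[0]), tuple(divmod_(D[1], D[0])[1]))

def infrastructure():
    """Baby-step from D_1 = (1) until it recurs: returns ({key: (distance, D)}, R_x)."""
    D, dist, delta = ([1], S, sub(mul(S, S), F)), {}, 0
    while key(D) not in dist:
        dist[key(D)] = (delta, D)
        Dn = baby(D)
        delta += deg(add(Dn[1], D[1])) - deg(D[0])   # (A.3): delta(D^+) - delta(D)
        D = Dn
    return dist, delta                      # back at (1): delta is the regulator R_x

def check_giant_steps(dist, R, pairs=60):
    """Giant-step pairs of infrastructure divisors; return the shortfalls d of (2.1) mod R_x."""
    items, ds = list(dist.values()), []
    for t in range(pairs):
        (di, Di), (dj, Dj) = items[(7 * t + 1) % len(items)], items[(11 * t + 5) % len(items)]
        E = giant(Di, Dj)
        if E is not None:                   # pairs with gcd(a, a') != 1 are skipped
            ds.append((di + dj - dist[key(E)][0]) % R)
    return ds
```

Running `infrastructure()` followed by `check_giant_steps()` yields shortfalls that all lie in [0, 2g], with d = 1 = ⌈g/2⌉ for the typical pair, as (H2) predicts.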


More information

PROBLEM SET 6: POLYNOMIALS

PROBLEM SET 6: POLYNOMIALS PROBLEM SET 6: POLYNOMIALS 1. introduction In this problem set we will consider polynomials with coefficients in K, where K is the real numbers R, the complex numbers C, the rational numbers Q or any other

More information

The Factor Theorem and a corollary of the Fundamental Theorem of Algebra

The Factor Theorem and a corollary of the Fundamental Theorem of Algebra Math 421 Fall 2010 The Factor Theorem and a corollary of the Fundamental Theorem of Algebra 27 August 2010 Copyright 2006 2010 by Murray Eisenberg. All rights reserved. Prerequisites Mathematica Aside

More information

The Mixed Binary Euclid Algorithm

The Mixed Binary Euclid Algorithm Electronic Notes in Discrete Mathematics 35 (009) 169 176 www.elsevier.com/locate/endm The Mixed Binary Euclid Algorithm Sidi Mohamed Sedjelmaci LIPN CNRS UMR 7030 Université Paris-Nord Av. J.-B. Clément,

More information

arxiv:1112.0829v1 [math.pr] 5 Dec 2011

arxiv:1112.0829v1 [math.pr] 5 Dec 2011 How Not to Win a Million Dollars: A Counterexample to a Conjecture of L. Breiman Thomas P. Hayes arxiv:1112.0829v1 [math.pr] 5 Dec 2011 Abstract Consider a gambling game in which we are allowed to repeatedly

More information

Introduction. Appendix D Mathematical Induction D1

Introduction. Appendix D Mathematical Induction D1 Appendix D Mathematical Induction D D Mathematical Induction Use mathematical induction to prove a formula. Find a sum of powers of integers. Find a formula for a finite sum. Use finite differences to

More information

An Overview of Integer Factoring Algorithms. The Problem

An Overview of Integer Factoring Algorithms. The Problem An Overview of Integer Factoring Algorithms Manindra Agrawal IITK / NUS The Problem Given an integer n, find all its prime divisors as efficiently as possible. 1 A Difficult Problem No efficient algorithm

More information

Determining the Optimal Combination of Trial Division and Fermat s Factorization Method

Determining the Optimal Combination of Trial Division and Fermat s Factorization Method Determining the Optimal Combination of Trial Division and Fermat s Factorization Method Joseph C. Woodson Home School P. O. Box 55005 Tulsa, OK 74155 Abstract The process of finding the prime factorization

More information

Elementary Number Theory and Methods of Proof. CSE 215, Foundations of Computer Science Stony Brook University http://www.cs.stonybrook.

Elementary Number Theory and Methods of Proof. CSE 215, Foundations of Computer Science Stony Brook University http://www.cs.stonybrook. Elementary Number Theory and Methods of Proof CSE 215, Foundations of Computer Science Stony Brook University http://www.cs.stonybrook.edu/~cse215 1 Number theory Properties: 2 Properties of integers (whole

More information

Factorization Algorithms for Polynomials over Finite Fields

Factorization Algorithms for Polynomials over Finite Fields Degree Project Factorization Algorithms for Polynomials over Finite Fields Sajid Hanif, Muhammad Imran 2011-05-03 Subject: Mathematics Level: Master Course code: 4MA11E Abstract Integer factorization is

More information

On the representability of the bi-uniform matroid

On the representability of the bi-uniform matroid On the representability of the bi-uniform matroid Simeon Ball, Carles Padró, Zsuzsa Weiner and Chaoping Xing August 3, 2012 Abstract Every bi-uniform matroid is representable over all sufficiently large

More information

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document? Cryptography Digital Signatures Professor: Marius Zimand Digital signatures are meant to realize authentication of the sender nonrepudiation (Note that authentication of sender is also achieved by MACs.)

More information

A simple and fast algorithm for computing exponentials of power series

A simple and fast algorithm for computing exponentials of power series A simple and fast algorithm for computing exponentials of power series Alin Bostan Algorithms Project, INRIA Paris-Rocquencourt 7815 Le Chesnay Cedex France and Éric Schost ORCCA and Computer Science Department,

More information

Number Theory Hungarian Style. Cameron Byerley s interpretation of Csaba Szabó s lectures

Number Theory Hungarian Style. Cameron Byerley s interpretation of Csaba Szabó s lectures Number Theory Hungarian Style Cameron Byerley s interpretation of Csaba Szabó s lectures August 20, 2005 2 0.1 introduction Number theory is a beautiful subject and even cooler when you learn about it

More information

A One Round Protocol for Tripartite

A One Round Protocol for Tripartite A One Round Protocol for Tripartite Diffie Hellman Antoine Joux SCSSI, 18, rue du Dr. Zamenhoff F-92131 Issy-les-Mx Cedex, France Antoine.Joux@ens.fr Abstract. In this paper, we propose a three participants

More information

Public Key Cryptography: RSA and Lots of Number Theory

Public Key Cryptography: RSA and Lots of Number Theory Public Key Cryptography: RSA and Lots of Number Theory Public vs. Private-Key Cryptography We have just discussed traditional symmetric cryptography: Uses a single key shared between sender and receiver

More information

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may Number Theory Divisibility and Primes Definition. If a and b are integers and there is some integer c such that a = b c, then we say that b divides a or is a factor or divisor of a and write b a. Definition

More information

CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography. 8. Encryption -- CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

More information

8 Divisibility and prime numbers

8 Divisibility and prime numbers 8 Divisibility and prime numbers 8.1 Divisibility In this short section we extend the concept of a multiple from the natural numbers to the integers. We also summarize several other terms that express

More information

Unique Factorization

Unique Factorization Unique Factorization Waffle Mathcamp 2010 Throughout these notes, all rings will be assumed to be commutative. 1 Factorization in domains: definitions and examples In this class, we will study the phenomenon

More information

Math 345-60 Abstract Algebra I Questions for Section 23: Factoring Polynomials over a Field

Math 345-60 Abstract Algebra I Questions for Section 23: Factoring Polynomials over a Field Math 345-60 Abstract Algebra I Questions for Section 23: Factoring Polynomials over a Field 1. Throughout this section, F is a field and F [x] is the ring of polynomials with coefficients in F. We will

More information