Implementation of Index Calculus Attack for Hyperelliptic Curves of High Genera

Σχετικά έγγραφα
GPU. CUDA GPU GeForce GTX 580 GPU 2.67GHz Intel Core 2 Duo CPU E7300 CUDA. Parallelizing the Number Partitioning Problem for GPUs

EE512: Error Control Coding

ES440/ES911: CFD. Chapter 5. Solution of Linear Equation Systems

Congruence Classes of Invertible Matrices of Order 3 over F 2

C ab, Algorithms for computations in Jacobian group of C ab curve and their application to discrete-log based public key cryptosystems.

Vol. 31,No JOURNAL OF CHINA UNIVERSITY OF SCIENCE AND TECHNOLOGY Feb

Quick algorithm f or computing core attribute

A Method for Creating Shortcut Links by Considering Popularity of Contents in Structured P2P Networks

Bundle Adjustment for 3-D Reconstruction: Implementation and Evaluation

GPGPU. Grover. On Large Scale Simulation of Grover s Algorithm by Using GPGPU

Simplex Crossover for Real-coded Genetic Algolithms

CRASH COURSE IN PRECALCULUS

D Alembert s Solution to the Wave Equation

High order interpolation function for surface contact problem

Homomorphism in Intuitionistic Fuzzy Automata

J. of Math. (PRC) Banach, , X = N(T ) R(T + ), Y = R(T ) N(T + ). Vol. 37 ( 2017 ) No. 5

Example Sheet 3 Solutions

Retrieval of Seismic Data Recorded on Open-reel-type Magnetic Tapes (MT) by Using Existing Devices

Buried Markov Model Pairwise

Study of In-vehicle Sound Field Creation by Simultaneous Equation Method

Section 8.3 Trigonometric Equations

Web-based supplementary materials for Bayesian Quantile Regression for Ordinal Longitudinal Data

Probabilistic Approach to Robust Optimization

The Simply Typed Lambda Calculus

4.6 Autoregressive Moving Average Model ARMA(1,1)

Reminders: linear functions

Feasible Regions Defined by Stability Constraints Based on the Argument Principle

6.3 Forecasting ARMA processes

Yoshifumi Moriyama 1,a) Ichiro Iimura 2,b) Tomotsugu Ohno 1,c) Shigeru Nakayama 3,d)

Appendix to On the stability of a compressible axisymmetric rotating flow in a pipe. By Z. Rusak & J. H. Lee

Jesse Maassen and Mark Lundstrom Purdue University November 25, 2013

Second Order Partial Differential Equations

: Monte Carlo EM 313, Louis (1982) EM, EM Newton-Raphson, /. EM, 2 Monte Carlo EM Newton-Raphson, Monte Carlo EM, Monte Carlo EM, /. 3, Monte Carlo EM

Inverse trigonometric functions & General Solution of Trigonometric Equations

Areas and Lengths in Polar Coordinates

CHAPTER 25 SOLVING EQUATIONS BY ITERATIVE METHODS

Reaction of a Platinum Electrode for the Measurement of Redox Potential of Paddy Soil

[4] 1.2 [5] Bayesian Approach min-max min-max [6] UCB(Upper Confidence Bound ) UCT [7] [1] ( ) Amazons[8] Lines of Action(LOA)[4] Winands [4] 1

Πανεπιστήµιο Πειραιώς Τµήµα Πληροφορικής

On the Galois Group of Linear Difference-Differential Equations

ΠΑΝΔΠΙΣΗΜΙΟ ΜΑΚΔΓΟΝΙΑ ΠΡΟΓΡΑΜΜΑ ΜΔΣΑΠΣΤΥΙΑΚΧΝ ΠΟΤΓΧΝ ΣΜΗΜΑΣΟ ΔΦΑΡΜΟΜΔΝΗ ΠΛΗΡΟΦΟΡΙΚΗ

Numerical Analysis FMN011

A New Algebraic Method to Search Irreducible Polynomials Using Decimal Equivalents of Polynomials over Galois Field GF(p q )

A Fast Finite Element Electromagnetic Analysis on Multi-core Processer System

Re-Pair n. Re-Pair. Re-Pair. Re-Pair. Re-Pair. (Re-Merge) Re-Merge. Sekine [4, 5, 8] (highly repetitive text) [2] Re-Pair. Blocked-Repair-VF [7]

Optimization, PSO) DE [1, 2, 3, 4] PSO [5, 6, 7, 8, 9, 10, 11] (P)

Resurvey of Possible Seismic Fissures in the Old-Edo River in Tokyo

2. THEORY OF EQUATIONS. PREVIOUS EAMCET Bits.

The Spiral of Theodorus, Numerical Analysis, and Special Functions

b. Use the parametrization from (a) to compute the area of S a as S a ds. Be sure to substitute for ds!

Phys460.nb Solution for the t-dependent Schrodinger s equation How did we find the solution? (not required)

ΖΩΝΟΠΟΙΗΣΗ ΤΗΣ ΚΑΤΟΛΙΣΘΗΤΙΚΗΣ ΕΠΙΚΙΝΔΥΝΟΤΗΤΑΣ ΣΤΟ ΟΡΟΣ ΠΗΛΙΟ ΜΕ ΤΗ ΣΥΜΒΟΛΗ ΔΕΔΟΜΕΝΩΝ ΣΥΜΒΟΛΟΜΕΤΡΙΑΣ ΜΟΝΙΜΩΝ ΣΚΕΔΑΣΤΩΝ

ΠΟΛΥΤΕΧΝΕΙΟ ΚΡΗΤΗΣ ΣΧΟΛΗ ΜΗΧΑΝΙΚΩΝ ΠΕΡΙΒΑΛΛΟΝΤΟΣ

Applying Markov Decision Processes to Role-playing Game

Arbitrage Analysis of Futures Market with Frictions

Homework 3 Solutions

A research on the influence of dummy activity on float in an AOA network and its amendments

Areas and Lengths in Polar Coordinates

PARTIAL NOTES for 6.1 Trigonometric Identities

New Adaptive Projection Technique for Krylov Subspace Method

Πανεπιστήμιο Πειραιώς Τμήμα Πληροφορικής Πρόγραμμα Μεταπτυχιακών Σπουδών «Πληροφορική»

Schedulability Analysis Algorithm for Timing Constraint Workflow Models

Nov Journal of Zhengzhou University Engineering Science Vol. 36 No FCM. A doi /j. issn

Fourier Series. MATH 211, Calculus II. J. Robert Buchanan. Spring Department of Mathematics

Abstract Storage Devices

Newman Modularity Newman [4], [5] Newman Q Q Q greedy algorithm[6] Newman Newman Q 1 Tabu Search[7] Newman Newman Newman Q Newman 1 2 Newman 3

Nowhere-zero flows Let be a digraph, Abelian group. A Γ-circulation in is a mapping : such that, where, and : tail in X, head in

6.1. Dirac Equation. Hamiltonian. Dirac Eq.

ΑΠΟΔΟΤΙΚΗ ΑΠΟΤΙΜΗΣΗ ΕΡΩΤΗΣΕΩΝ OLAP Η ΜΕΤΑΠΤΥΧΙΑΚΗ ΕΡΓΑΣΙΑ ΕΞΕΙΔΙΚΕΥΣΗΣ. Υποβάλλεται στην

Higher Derivative Gravity Theories

Other Test Constructions: Likelihood Ratio & Bayes Tests

Differential equations

ΔΙΠΛΩΜΑΣΙΚΗ ΕΡΓΑΙΑ. του φοιτητή του Σμήματοσ Ηλεκτρολόγων Μηχανικών και. Σεχνολογίασ Τπολογιςτών τησ Πολυτεχνικήσ χολήσ του. Πανεπιςτημίου Πατρών

Anomaly Detection with Neighborhood Preservation Principle

ACTA MATHEMATICAE APPLICATAE SINICA Nov., ( µ ) ( (

Vol. 37 ( 2017 ) No. 3. J. of Math. (PRC) : A : (2017) k=1. ,, f. f + u = f φ, x 1. x n : ( ).

Overview. Transition Semantics. Configurations and the transition relation. Executions and computation

ΕΚΤΙΜΗΣΗ ΤΟΥ ΚΟΣΤΟΥΣ ΤΩΝ ΟΔΙΚΩΝ ΑΤΥΧΗΜΑΤΩΝ ΚΑΙ ΔΙΕΡΕΥΝΗΣΗ ΤΩΝ ΠΑΡΑΓΟΝΤΩΝ ΕΠΙΡΡΟΗΣ ΤΟΥ

Bayesian statistics. DS GA 1002 Probability and Statistics for Data Science.

2 Composition. Invertible Mappings

ΠΟΛΥΩΝΥΜΙΚΗ ΠΑΡΕΜΒΟΛΗ ΚΡΥΠΤΟΓΡΑΦΙΚΩΝ ΣΥΝΑΡΤΗΣΕΩΝ. Γ. Κ. Μελετίου

Exercises 10. Find a fundamental matrix of the given system of equations. Also find the fundamental matrix Φ(t) satisfying Φ(0) = I. 1.

ΕΘΝΙΚΟ ΚΑΙ ΚΑΠΟΔΙΣΤΡΙΑΚΟ ΠΑΝΕΠΙΣΤΗΜΙΟ ΑΘΗΝΩΝ ΣΧΟΛΗ ΘΕΤΙΚΩΝ ΕΠΙΣΤΗΜΩΝ ΤΜΗΜΑ ΠΛΗΡΟΦΟΡΙΚΗΣ ΚΑΙ ΤΗΛΕΠΙΚΟΙΝΩΝΙΩΝ

Speeding up the Detection of Scale-Space Extrema in SIFT Based on the Complex First Order System

Srednicki Chapter 55

þÿ ½ Á Å, ˆ»µ½± Neapolis University þÿ Á̳Á±¼¼± ¼Ìù±Â ¹ º à Â, Ç» Ÿ¹º ½ ¼¹ºÎ½ À¹ÃÄ ¼Î½ º±¹ ¹ º à  þÿ ±½µÀ¹ÃÄ ¼¹ µ À»¹Â Æ Å

Εργαστήριο Ανάπτυξης Εφαρμογών Βάσεων Δεδομένων. Εξάμηνο 7 ο

ΠΑΝΕΠΙΣΤΗΜΙΟ ΠΑΤΡΩΝ ΔΙΠΛΩΜΑΤΙΚΗ ΕΡΓΑΣΙΑ

CCA. Simple CCA-Secure Public Key Encryption from Any Non-Malleable ID-based Encryption

SCITECH Volume 13, Issue 2 RESEARCH ORGANISATION Published online: March 29, 2018

Απόκριση σε Μοναδιαία Ωστική Δύναμη (Unit Impulse) Απόκριση σε Δυνάμεις Αυθαίρετα Μεταβαλλόμενες με το Χρόνο. Απόστολος Σ.

ΚΒΑΝΤΙΚΟΙ ΥΠΟΛΟΓΙΣΤΕΣ

X g 1990 g PSRB

Section 9.2 Polar Equations and Graphs

Assalamu `alaikum wr. wb.

FX10 SIMD SIMD. [3] Dekker [4] IEEE754. a.lo. (SpMV Sparse matrix and vector product) IEEE754 IEEE754 [5] Double-Double Knuth FMA FMA FX10 FMA SIMD

Ελαφρές κυψελωτές πλάκες - ένα νέο προϊόν για την επιπλοποιία και ξυλουργική. ΒΑΣΙΛΕΙΟΥ ΒΑΣΙΛΕΙΟΣ και ΜΠΑΡΜΠΟΥΤΗΣ ΙΩΑΝΝΗΣ

Research on vehicle routing problem with stochastic demand and PSO2DP algorithm with Inver2over operator

IPSJ SIG Technical Report Vol.2014-CE-127 No /12/6 CS Activity 1,a) CS Computer Science Activity Activity Actvity Activity Dining Eight-He

Partial Differential Equations in Biology The boundary element method. March 26, 2013

Transcript:

041-8655 116-2,,, HCDLP),, F 3 H : y 2 = x 2g+1 + 1, HCDLP,, g = 74 J H F 3 ) HCDLP J H F 3 ) 2 120 ) Implementation of Index Calculus Attack for Hyperelliptic Curves of High Genera Yasunori Kobayashi Tsuyoshi Takagi Graduate School of Systems Information Science, Future University Hakodate, 116-2, Kamedanakano-cho, Hakodate, Hokkaido, 041-0806, Japan. Abstract Recently, pairngs over hyperelliptic curves have been getting more attentions due to novel protocols and their rich algebraic structures. The security of these pairings depends on both the discrete logarithm problem over hyperelliptic curves HCDLP) and that over finite fields. However, there are a few previous works which evaluate the security of the HCDLP with high genus by implementing them on computers. In this paper, we implement an efficient algorithm called index calculus method for solving the HCDLP of high genus hyperelliptic curve H : y 2 = x 2g+1 + 1 over F 3. Then we solved the HCDLP over J H F 3 ) of g = 74, J H F 3 ) 2 120, in 2.3 days using Core 2 Quad2.66GHz), Core 2 Quad2.40GHz), and Core 2 Duo3.00GHz). 1 ID [6], [5],,, [19],,,., HCDLP), DLP) F p n DLP [12, 14], [1, 3] HCLDP, HCDLP,, HCDLP, p, q, g, 1994, Adleman [2]. Adleman, L p 2g+1[1/2, c], c 2.181, L N α, c) = exp clog N) α log log N) 1 α ) Flassenberg 1997,, [8]., Flassenberg, 40 Enge 2002,, L q g1/2, 6/ 5) [9]. 2002, Enge Gaudry L q g1/2, 2) [10]., F 3 H :

y 2 = x 2g+1 + 1 Enge Gaudry [10],. C, gcc gnu mphttp://gmplib.org/) D 1, D 2 J H F p ), J H F p ) = p g + 1, smooth bound B N, D 2 = nd 1 n [0, J H F p ) 1] Z,,, 3, smooth, Cantor-Zassenhaus Lanczos [16], F B) F B) = O3 B ) smooth, exp g log logqg ) 2B )., Core 2 Quad 2.40GHz) 1, Core 2 Quad 2.66GHz) 1, Core 2 Duo 3.00GHz) 1, 3 10 ) g = 74, B = 13, 1.3 F B) = 96, 124,, Core 2 Quad 2.66GHz) 1 1 2.3 120 J H F 3 ) 2 120 ) HCDLP, 2, 3 [10] 4, 5, HCDLP 2, p, q = p m, m N, C F q g N C : y 2 = fx), 1), fx) F q [x] F, degf) = 2g + 1, C, m i P m i O, m i N, m i g 2) P i C P i C P i C, O, 2) F q C, J C F q ) Hasse, J C F q ) q 1) 2g J C F q ) q + 1) 2g 3) 2.1 Mumford, Mumford [18], 2) D J C F q ), P i = α i, β i ) F, Ux), V x) F q [x] Uα i ) = 0, V α i ) = β i, Ux) fx) V x) 2, degv ) degu) g, Ux) : monic 4) D 4) [Ux), V x)] F q [x] 2, Mumford D = [Ux), V x)] wtd) = degu), Ux) F q D prime) Mumford D = [Ux), V x)] D = [Ux), V x)] Mumford, Cantor [7] 2.2, r r J C F q ), k r q k 1 k k G 1 = J C F q )[r], G 2 = J C F q k)/rj C F q k), G 3 = F /F ) r q k q k, C Tate 2 1, : G 1 G 2 G 3 Tate η T [4], Ate [13] 2.3 D 1 J C F q ), D 2 D 1, D 2 = αd 1 α {0, 1, 2,, D 1 1}, Hyperelliptic Curves Discrete Logarithm Problem, HCDLP), α α = log D1 D 2 ) 3 Enge Gaudry [10] C F q g D 1 J C F q ), D 2 D 1, D 1, smooth-bound B N, log D1 D 2 ) 1), 2), 3) 3

3.1,, smooth-bound B N F B) = {D J C F q ) D : prime, wtd) B} 5), F B) F q [x] n νn), νn) = n 1 k n µk)q n/k [17]., µk) degu) < g Ux) F q [x], 4) V x) F q [x], X 2 fx) mod Ux)), degx) < degu) X F q [x], Ux), F q degu) X 2 = fx) mod Ux)), F q {a F q dega) < degu)},, 1/2, F B) 1 2 B νn) n=1, k 2 q n/k q n/2, q n µk)q n/k = q n + µk)q n/k k n q n k n,k 2, F B) B q n n=1 2n, 3.2 B-smooth F B) = Oq B ) 6) B-smooth, J C F q ) D B- smooth D = [Ux), V x)], Ux) Ux) = ΠU i x) ci, 4) D D[Ux), V x)] = c i P i, P i = [U i x), V i x)] 7) 7), P i smooth bound B wtp i ) B, D B-smooth, J C F q ) D B- smooth, J C F q ) B-smooth SB) J C F q ) B-smooth Enge Stein ρ > 0, smooth bound B, B = log q L q g1/2, ρ) 8) SB) q g L q g 1/2, 1 ) 2ρ + o1) 9) [11]. L N c, α), N > 0, c [0, 1], α > 0 L N c, α) = expclog N) α log log N) 1 α ), 9) o1), N o1) 0, 8) smooth bound B, J C F q ) D B-smooth, 3), 9) SB)/ J C F q ) L q g 1/2, 1 ) 10) 2ρ 8), 10) B exp g log ) logqg ) 11) 2B 3.3,,. F B) P 1, P 2,, P F B), F B) = {P 1, P 2,, P F B) }, B-smooth D = c i P i SB), v v = c 1, c 2,, c F B)) T, F B) + 1) 1. α, β [0, J C F q ) 1] Z, D = αd 1 + βd 2 2. D B-smooth smooth

3. D B-smooth, α, β,v) smooth, D = [Ux), V x)] Ux), B, 10), F B)+1), smooth F B) + 1)/L q g1/2, 1 2ρ )) 1,, L q g 1/2, ρ + 1 ) 2ρ + o1) 12) 3.4,,, F B)+ 1 v 1, v 2,, v F B)+1, v i = c i,1, c i,2,, c i, F B) ) T, F B)) F B) + 1) A A = v 1,, v F B)+1 ) c 1,1 c F B)+1,1 c 1,2 c F B)+1,2 =..... c 1, F B) c F B)+1, F B) v i g A, g, AX = 0 mod J C F q ) 13) F B) + 1) X, ranka) F B) < X ), 13) Z/J C F q ), 13) X Z/J C F q )Z) F B)+1, J C F q ) 1) A, 13) Lanczos [16], Wiedemann [21] Lanczos, )) 1 O F B) 2 ) = O L q g 2, 2ρ 14) 13) X = x 1, x 2,, x F B)+1 ), F B)+1 i=0 x i α i D 1 + βd 2 ) = 0, x i β i )D 2 = x i α i )D 1, log D1 D 2 ) F B)+1 i=0 x i α i log D1 D 2 ) = F B)+1 mod J C F q ) i=0 x i β i 3.5 smooth-bound B 8), 12), 14), 1 L q g 2, ρ + 1 ) ) 1 + L q g 2ρ 2, 2ρ { 1 L q g 2, max ρ + 1 }) 2ρ, 2ρ { } max ρ + 1 2ρ, 2ρ ρ = 1/ 2 2, 4 L q g1/2, 2) 15), [10] 2, F p g H : y 2 = x 2g+1 +1 1. 2g + 1, p mod 2g + 1 F 2g+1 p, g, distortion [20], 2. p, g, J H F p ) = p g + 1,, 2, p = 3 1) F p [x], CSS2008 J H F 3 ) Tate [22] 2), g 4.1 C, gcc, gnu mphttp://gmplib.org/)

Core 2 Quad Q66002.40GHz), 3.25 GB RAM, Windows XP 1, Core 2 Quad2.66 GHz), 4.00 GB RAM, Windows Vista 1, Core 2 Duo3.00 GHz), 4.00 GB RAM, Windows XP 1 2 4.2, p 3, g, smooth-bound B 2 g, g = 74 J H F 3 ) 2 120, g, g = 26, 56, 74, J H F 3 ) = 3 g + 1 40, 80, 120 smooth-bound B, 8), 15) B = L p g1/2, 1/ 2), g = 26, 56, 74 B 7,11,13, B, smooth, B = 10, 11, 12, 13, 14, 15, 16, 17 4.3 [Ux), V x)] = [Ux), V x)], [Ux), V x)] F B), [Ux), V x)] F B), F B) 1, B, F B) 1 F B) = O3 B ), 6) 1 B F B) 10 4,672 11 12,724 12 34,804 13 96,124 14 266,787 15 745,075 16 2,090,080 17 5,888,320 [Ux), V x)], 4) V x) Ux), F B) [Ux), V x)] Ux), F B) l N, D 1, D 2 J H F 3 ) {D 1, 2D 1, ld 1, D 2, 2D 2, ld 2 } l = 1000 S i, T i J H F 3 ), i = 0, 1, 2, ), D 1, D 2 s, t [0, J H F 3 ) 1] Z, S 0 = sd 1, T 0 = td 2, α i, β i {1, 2,, l}, S i+1 = S i + α i D 1, T i+1 = T i + β i D 2 S i, T i, S i, T i D = S i + T i, smooth D B-smooth D = [Ux), V x)], smooth Cantor-Zassenhaus Ux), distinct degree factorizationddf) B smooth Ux) = ΠU i x) mi, U i F B), m i 0 m i F B), g m i = 0, m i m i = 1 B-smooth D = [Ux), V x)], v = c 1, c 2,, c F B) ) T, m i = 0 i, c i = 0 m i 0 i ax) = V x) mod U i x), ax) 1 0 c i = m i, ax) 1 c i = m i Lanczos., Structured Gaussian EliminationSGE)[15] 13) X, SGE 4.4, 4.2 g, B, 1 10,000. 2 g = 26, 3 g = 56, 3 g = 74, P rb) smooth,, P rb) = 10,000/10,000 smooth ) ave 1,, ave = 10,000 )/10,000 total,, total = F B) + 1)ave smooth, 11),, 12), DDF B smooth

2 g = 26 case J H F 3 ) 2 40 ) B P rb) aveµsec) totalsec) 10 0.14 367 1.7 11 0.20 244 3.1 12 0.27 205 7.2 13 0.34 165 15.9 14 0.42 142 37.9 15 0.48 131 97.6 3 g = 56 case J H F 3 ) 2 80 ) B P rb) avesec) totalhour) 10 9.4 10 5 3.32 4.3 11 3.6 10 4 0.85 3.0 12 1.1 10 3 0.29 2.8 13 2.7 10 3 0.12 3.2 14 5.5 10 3 0.06 4.7 15 1.0 10 2 0.03 6.6 4 g = 74 case J H F 3 ) 2 120 ) B P rb) avesec) totalday) 12 1.7 10 5 14.89 5.9 13 6.5 10 5 3.73 4.1 14 2.2 10 4 1.14 3.5 15 5.3 10 4 0.49 4.2 16 1.2 10 3 0.22 5.3 17 2.2 10 3 0.12 7.9 4.5 g = 74, B = 13, g = 74 smooth bound B B = L 3 741/2, 1/ 2) = 13, 4.1 3 10 ) 1.3, 1 1 13) 2.3 g = 74, B = 13 J H F 3 ) HCDLP 5, F 3 H : y 2 = x 2g+1 + 1, smooth, Cantor-Zassenhaus Lanczos, smooth bound B smooth, exp g log logqg ) 2B, g = 7, B = 13, 120 HCDLP [1] L. M. Adleman, The Function Field Sieve, ANTS-I, LNCS 877, pp.108-121, 1994. [2] L. M. Adleman, J. DeMarrais and M. D. A. Huang, A Subexponential Algorithm for Discrete Logarithms over the Rational Subgroup of the Jacobians of Large Genus Hyperelliptic Curves over Finite Fields, ANTS- I, LNCS 877, pp.28-40, 1994. [3] L. M. Adleman and M. D. A. Huang. Function Field Sieve Method for Discrete Logarithms over Finite Fields, Inform. and Comput., 151, 12, pp.5-16, 1999. [4] P. S. L. M. Barreto, S. Galbraith, C. heingeartaigh and M. Scott, Efficient Pairing Computation on Supersingular Abelian Varieties, Designs, Codes and Cryptography, 42, 3, pp.239-271, 2007. ) [5] D. Boneh, G.D. Crescenzo, R. Ostrovsky and G. Persiano, Public Key Encryption with Keyword Search, EUROCRYPT 2004, LNCS 3027, pp.506-522, 2004. [6] D. Boneh and M. Franklin, Identity Based Encryption from the Weil Pairing, CRYPTO 2001, LNCS 2139, pp.213-229, 2001. [7] D.G. Cantor, Computing in the Jacobian of a Hyperelliptic Curve, Math. Comp., 48, 177, pp.95-101, 1987. [8] R. Flassenberg and S. Paulus, Sieving in Function Fields, Experiment. Math., 8, pp.339-349, 1999. Preliminary Version: Technical Report, TI-97-13, Darmstadt University of Technology, 1997.) [9] A. Enge, Computing Discrete Logarithm in High- Genus Hyperelliptic Jacobians in Provably Subexponential Time, Math. Comp., 71, pp.729-742, 2002. [10] A. Enge and P. Gaudry, A General Framework for Subexponential Discrete Logarithm Algorithm, Acta Arith, 102, pp.83-103, 2002. [11] A. Enge and A. Stein, Smooth Ideals in Hyperelliptic Function Fields, Math. Comp., 71, pp.1219-1230, 2002. [12] D. M. Gordon, Discrete Logarithms in GFp) Using the Number Field Sieve, SIAM Journal on Discrete Mathmatics 6, 1, pp.124-138, 1993. [13] R. Granger, F. Hess, R. Oyono, N. Thériault, and F. Vercauteren, Ate Pairing on Hyperelliptic Curves, EUROCRYPT 2007, LNCS 4515, pp.430-447, 2007. [14] A. Joux, R. Lercier, N. Smart and F. Vercauteren, The Number Field Sieve in the Medium Prime Case, CRYPTO 2006, LNCS 4117, pp.326-344, 2006. [15] B. A. LaMacchia and A. M. Odlyzko, Solving Large Sparse Linear Systems over Finite Fields, CRYPTO 90, LNCS 537, pp.109-133, 1991. [16] C. Lanczos, Solution of Systems of Linear Equations by Minimized Iterations, J. Res. Nat. Bur. Stand, 49, pp.33-53, 1952. [17] R. Lidl and H. Niederreiter, Introduction to Finite Field and Their Applications, Cambridge University Press, pp.85-86, 1986. [18] D. Mumford, Tata Lectures on Theta II, Birkhaeuser, 1984. [19] T. Okamoto and K. Takashima Homomorphic Encryption and Signatures from Vector Decomposition, Pairing 2008, LNCS 5209, pp.57-74, 2008. [20] K. Takashima, Efficiently Computable Distortion Maps for Supersingular Curves, ANTS VIII, LNCS 5011, pp.88-101, 2008. [21] D. H. Wiedemann, Solving Sparse Linear Equations over Finite Fields, IEEE Trans. Information Theory, IT-32, pp.54-62, 1986. [22],, Tate, CSS 2008,, pp.187-192, 2008. 4.5 HCDLP D 1 = [U 1 x), V 1 x)], D 2 = [U 2 x), V 2 x)], α = log D1 D 2 ), n ax) = n i=0 c ix i, a = c n c n 1 c 1 c 0 U 1 = 10 01202100 01010200 12022012 01022222 22200111 20000220 10000022 01001002 22121021 V 1 = 11222100 10002121 10012111 11212021 02002122 10021202 02212212 10201120 02102112 U 2 = 12 20120102 22122100 00011110 01001221 00122122 21121121 22210210 00202011 02212012 V 2 = 1 20122100 21202221 01110222 00020102 12110120 02200121 21201211 11100102 12111012 α = 19 82417165 79069728 64909939

2025 © DocPlayer.gr Πολιτική Απορρήτου | Όροι Χρήσης | Σχόλια