Cryptology ePrint Archive: Report 2003/203

Novel Efficient Implementations of Hyperelliptic Curve Cryptosystems using Degenerate Divisors

Masanobu Katagi and Izuru Kitamura and Toru Akishita and Tsuyoshi Takagi

Abstract: It has recently been reported that the performance of hyperelliptic curve cryptosystems (HECC) is competitive to that of elliptic curve cryptosystems (ECC). However, it is expected that HECC still can be improved due to their mathematically rich structure. We consider here the application of degenerate divisors of HECC to scalar multiplication. We investigate the operations of the degenerate divisors in the Harley algorithm and the Cantor algorithm of genus 2. The timings of these operations are reported. We then present a novel efficient scalar multiplication method using the degenerate divisors. This method is applicable to cryptosystems with fixed base point, e.g., ElGamal-type encryption, sender of Diffie-Hellman, and DSA. Using a Xeon processor, we found that the double-and-add-always method using the degenerate base point can achieve about a 20% increase in speed for a 160-bit HECC. However, we mounted an timing attack using the time difference to designate the degenerate divisors. The attack assumes that the secret key is fixed and the base point can be freely chosen by the attacker. Therefore, the attack is applicable to ElGamal-type decryption and single-pass Diffie-Hellman SSL using a hyperelliptic curve could be vulnerable to the proposed attack. Our experimental results show that one bit of the secret key for a 160-bit HECC can be recovered by calling the decryption oracle 500 times.

Category / Keywords: hyperelliptic curve cryptosystem, scalar multiplication, timing attack, degenerate divisor, efficient computation

Publication Info: This is a full version of WISA 2004 paper.

Date: received 26 Sep 2003, last revised 12 Aug 2004

Contact author: Masanobu Katagi at jp sony com

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

Note: The old title of this paper was "A Timing Attack on Hyperelliptic Curve Cryptosystems".

Version: 20040813:054737 (All versions of this report)

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]