Formulae for Arithmetic on Genus 2 Hyperelliptic Curves
- Applicable Algebra in Engineering, Communication and Computing, 2003
Cited by 44 (3 self)
The ideal class group of hyperelliptic curves can be used in cryptosystems based on the discrete logarithm problem. In this article we present explicit formulae to perform the group operations for genus 2 curves. The formulae are completely general but to achieve the lowest number of operations we treat odd and even characteristic separately. We present 3 different coordinate systems which are suitable for different environments, e.g. on a smart card we should avoid inversions while in software a limited number is acceptable. The presented formulae render genus two hyperelliptic curves very useful in practice. The first system are affine coordinates where each group operation needs one inversion. Then we consider projective coordinates avoiding inversions on the cost of more multiplications and a further coordinate. Finally, we introduce a new system of coordinates and state algorithms showing that doublings are comparably cheap and no inversions are needed. A comparison between the systems concludes the paper.
FPGA Accelerated Tate Pairing Based Cryptosystems over Binary Fields
- In Cryptology ePrint Archive, Report 2006/179, 2006
Cited by 11 (0 self)
Though the implementation of the Tate pairing is commonly believed to be computationally more intensive than other cryptographic operations, such as ECC point multiplication, there has been a substantial progress in speeding up the Tate pairing computations. Because of their inherent parallelism, the existing Tate pairing algorithms are very suitable for hardware implementation aimed at achieving a high operation speed. Supersingular elliptic curves over binary fields are good candidates for hardware implementation due to their simple underlying algorithms and binary arithmetic. In this paper we propose efficient Tate pairing implementations over binary fields F_{2^239} and F_{2^283} via FPGA. Though our field sizes are larger than those used in earlier architectures with the same security strength based on cubic elliptic curves or binary hyperelliptic curves, fewer multiplications in the underlying field are required, so that the computational latency for one pairing can be reduced. As a result, our pairing accelerators implemented via FPGA can run 15-to-25 times faster than other FPGA realizations at the same level of security strength, and at the same time achieve lower product of latency by area.
Hyperelliptic Curve Coprocessors on a FPGA
- In Workshop on Information Security Applications - WISA, Jeju Island, Korea, 2004
Cited by 8 (2 self)
Abstract. Cryptographic algorithms are used in a large variety of different applications to ensure security services. It is, thus, very interesting to investigate various implementation platforms. Hyperelliptic curve schemes are cryptographic primitives to which a lot of attention was recently given due to the short operand size compared to other algorithms. They are specifically interesting for special-purpose hardware. This paper provides a comprehensive investigation of high-efficient HEC architectures. We propose a genus-2 hyperelliptic curve cryptographic coprocessor using affine coordinates. We implemented a special class of hyperelliptic curves, namely using the parameter h(x) = x and f = x^5 + f1x + f0 and the base field GF(2^89). In addition, we only consider the most frequent case in our implementation and assume that the other cases are handled, e.g. by the protocol. We provide three different implementations ranging from high speed to moderate area. Hence, we provide a solution for a variety of applications. Our high performance HECC coprocessor is 78.5 % faster than the best previous implementation and our low area implementation utilizes only 22.7 % of the area that the smallest published design uses. Taking into account both area and latency, our coprocessor is an order of magnitude more efficient than previous implementations. We hope that the work at hand provides a step towards introducing HEC systems in practical applications.
Effects of Optimizations for Software Implementations of Small Binary Field Arithmetic
- To appear in Proceedings of WAIFI 2007, International Workshop on the Arithmetic of Finite Fields, 2007
Cited by 5 (4 self)
Abstract. We describe an implementation of binary field arithmetic written in the C programming language. Even though the implementation targets 32-bit CPUs, the results can be applied also to CPUs with different granularity. We begin with separate routines for each operand size in words to minimize performance penalties that have a bigger relative impact for shorter operands – such as those used to implement modern curve based cryptography. We then proceed to use techniques specific to operand size in bits for several field sizes. This results in an implementation of field arithmetic where the curve representing field multiplication performance closely resembles the theoretical quadratic bit-complexity that can be expected for small inputs. This has important practical consequences: For instance, it will allow us to compare the performance of the arithmetic on curves of different genera and defined over fields of different sizes without worrying about penalties introduced by field arithmetic and concentrating on the curve arithmetic itself. Moreover, the cost of field inversion is very low, making the use of affine coordinates in curve arithmetic more interesting. These applications will be mentioned.
Efficient Doubling on Genus 3 Curves over Binary Fields
- IACR ePrint 2005/228
Cited by 4 (0 self)
Abstract. The most important and expensive operation in a hyperelliptic curve cryptosystem (HECC) is scalar multiplication by an integer k, i.e., computing an integer k times a divisor D on the Jacobian. Using some recoding algorithms for scalar k, we can reduce a number of divisor class additions during the process of computing scalar multiplication. So divisor doubling will account for the main part in all kinds of scalar multiplication algorithms. In order to accelerate the genus 3 HECC over binary fields we investigate how to compute faster doubling in this paper. By constructing birational transformation of variables, we derive explicit doubling formulae for all types of defining equations of the curve. For each type of curve, we analyze how many field operations are needed. So far all proposed curves are secure, though they are more special types. Our results allow to choose curves from a large enough variety which have extremely fast doubling needing only one third the time of an addition in the best case. Furthermore, an actual implementation of the new formulae on a Pentium-M processor shows its practical relevance.
Performance of HECC coprocessors using inversion-free formulae
- In International Workshop on Information Security & Hiding, Singapore (ISH ’05)
Cited by 3 (0 self)
Abstract. The HyperElliptic Curve Cryptosystem (HECC) was quite extensively studied during the recent years. In the open literature one can find results on improving the group operations of HECC as well as implementations on various types of processors. There have also been some efforts to implement HECC on hardware devices, like for instance FPGAs. Only one of these works, however, deals with the inversion-free formulae to compute the group operations of HECC. We present inversion-free group operations for the HEC y^2 + xy = x^5 + f1x + f0 and targeting characteristic two fields. The reason being to allow a fair comparison to hardware architectures using the affine case presented in [BBWP04]. In the main part of the paper we use these results to investigate various hardware architectures for a HECC VLSI coprocessor. If area constraints are not considered, scalar multiplication can be performed in 19769 clock cycles using three field multipliers (of type D = 32), one field adder and one field squarer, where D indicates the digit size of the multiplier. However, the optimal solution in terms of latency and area uses two multipliers (of type D = 4), one addition and one squaring. The main finding of the present contribution is that coprocessors based on the inversion-free formulae should be preferred compared to those using group operations containing inversion. This holds despite the fact that one field inversion in the affine HECC group operation is traded by up to 24 field multiplications in the inversion-free case.
Superscalar coprocessor for high-speed curve-based cryptography
- Cryptographic Hardware and Embedded Systems (CHES’06), number 4249 in Lecture Notes in Computer Science, 2006
Cited by 3 (3 self)
Abstract. We propose a superscalar coprocessor for high-speed curve-based cryptography. It accelerates scalar multiplication by exploiting instruction-level parallelism (ILP) dynamically and processing multiple instructions in parallel. The system-level architecture is designed so that the coprocessor can fully utilize the superscalar feature. The implementation results show that scalar multiplication of Elliptic Curve Cryptography (ECC) over GF(2^163), Hyperelliptic Curve Cryptography (HECC) of genus 2 over GF(2^83) and ECC over a composite field, GF((2^83)^2) can be improved by a factor of 1.8, 2.7 and 2.5 respectively compared to the case of a basic single-scalar architecture. This speed-up is achieved by exploiting parallelism in curve-based cryptography. The coprocessor deals with a single instruction that can be used for all field operations such as multiplications and additions. In addition, this instruction only allows one to compute point/divisor operations. Furthermore, we provide also a fair comparison between the three curve-based cryptosystems.
A hyperelliptic curve crypto coprocessor for an 8051 microcontroller
- In Proceedings of The IEEE 2005 Workshop on Signal Processing Systems (SIPS’05), 2005
Cited by 2 (1 self)
Abstract—This paper presents a microcode instruction set coprocessor which is designed to work with an 8-bit 8051 microcontroller and implements a Hyperelliptic Curve Cryptosystem (HECC). The microcode coprocessor is capable of performing a range of Galois Field operations using a dual-multiplier/dual-adder datapath and storing the intermediate results in the local storage unit of the coprocessor (RAM). This coprocessor is programmed using the software routines from the 8051 microcontroller which implements the HECC divisor’s doubling and addition operations. The Jacobian scalar multiplication was computed in a 656 msec (7.87 M cycles) at 12 MHz clock frequency.
Hardware/Software Co-design for Hyperelliptic Curve Cryptography (HECC) on the 8051 µP
- Proceedings of 7th International Workshop on Cryptographic Hardware and Embedded Systems (CHES), number 3659 in Lecture Notes in Computer Science, 2005
Cited by 2 (1 self)
Abstract. Implementing public-key cryptography on platforms with limited resources, such as microprocessors, is a challenging task. Hardware/software co-design is often the only answer to implement the computationally intensive operations with limited memory and power at an acceptable speed. This contribution describes such a solution for Hyperelliptic Curve Cryptography (HECC). The proposed hardware/software co-design of the HECC system was implemented and co-simulated using the GEZEL design environment [3]. As a low-cost platform, we chose an 8-bit 8051 microprocessor to which one small hardware co-processor was added for field multiplication. We show that the Jacobian scalar multiplication can be computed in 2.488 sec at 12 MHz on this platform if a minimal hardware module is added i.e. a hardware multiply-add unit. This optimal solution provides a factor of 26 speed-up over a software-only solution. Keywords: HECC, GF(2^m), genus 2 curves, hardware/software co-design, embedded implementation.
Private communication
- 1997
Cited by 1 (0 self)
The Hyperelliptic curve cryptosystem is one of the emerging cryptographic primitives of the last years. This system offers the same security as established public-key cryptosystems, such as those based on RSA or elliptic curves, with much shorter operand length. However, until recently the common belief in industry and in the research community was that hyperelliptic curves are out of scope for any practical application. We were able to show the practical use of hyperelliptic curve cryptosystems (HECC) by narrowing the performance gap between elliptic curve (EC) and hyperelliptic curve cryptosystems. The complexity of the group operation for small genus hyperelliptic curves was reduced and efficient algorithms have been proposed [PWGP03, PWP03]. We developed a new metric to compare different cryptographic primitives based on the atomic operations of a processor and our theoretical comparison between elliptic curve and hyperelliptic curve cryptosystems, as well as our software and hardware implementations show that the performance of both cryptographic primitives are

