## Abstract

This paper presents a new projective coordinate system and new explicit algorithms which together boost the speed of arithmetic in the divisor class group of genus 2 curves. The proposed formulas generalize the use of Jacobian coordinates on elliptic curves, and their application improves the speed of performing cryptographic scalar multiplications in Jacobians of genus 2 curves over prime fields by an approximate factor of 1.25x. For example, on a single core of an Intel Core i7-3770 (Ivy Bridge), we show that replacing the previous best formulas with our new set improves the cost of generic scalar multiplications from 239,000 to 192,000 cycles and drops the cost of specialized GLV-style scalar multiplications from 155,000 to 123,000 cycles.

## Keywords

Genus 2 Hyperelliptic curves Explicit formulas Jacobian coordinates Scalar multiplication## Notes

### Acknowledgments

We thank Joppe Bos, Michael Naehrig, Benjamin Smith, and Osmanbey Uzunkol for their useful comments on an early draft of this work. We also thank the anonymous Asiacrypt 2014 referees for their valuable comments, and Patrick Longa for independently benchmarking our code on different processors.

## References

- 1.R. M. Avanzi, A note on the signed sliding window integer recoding and a left-to-right analogue, in H. Handschuh and M. A. Hasan, editors,
*Selected Areas in Cryptography, volume 3357 of Lecture Notes in Computer Science*(Springer, 2004), pp. 130–143Google Scholar - 2.R. Barbulescu, P. Gaudry, A. Joux, and E. Thomé. A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic, in P. Q. Nguyen and E. Oswald, editors,
*EUROCRYPT, volume 8441 of Lecture Notes in Computer Science*(Springer, 2014), pp. 1–16Google Scholar - 3.D. J. Bernstein, C. Chuengsatiansup, T. Lange, and P. Schwabe. Kummer strikes back: New DH speed records., in P. Sarkar and T. Iwata, editors,
*Proceedings, Part I on Advances in Cryptology—ASIACRYPT 2014—20th International Conference on the Theory and Application of Cryptology and Information Security, 7–11 December, 2014, Kaoshiung, Taiwan, R.O.C., volume 8873 of Lecture Notes in Computer Science*(Springer, 2014) pp. 317–337Google Scholar - 4.D. J. Bernstein and T. Lange. Faster addition and doubling on elliptic curves, in
*ASIACRYPT 2007, volume 4833 of LNCS*(Springer, 2007), pp. 29–50Google Scholar - 5.D. J. Bernstein and T. Lange (2014). Explicit-formulas database, accessed 2 January 2014. http://www.hyperelliptic.org/EFD/
- 6.D. J. Bernstein and T. Lange. eBACS: ECRYPT Benchmarking of Cryptographic Systems, accessed 28 September, 2013. http://bench.cr.yp.to
- 7.G. Bisson, R. Cosset, and D. Robert. AVIsogenies—a library for computing isogenies between abelian varieties, November 2012. http://avisogenies.gforge.inria.fr
- 8.J. W. Bos, C. Costello, H. Hisil, and K. Lauter. Fast cryptography in genus 2, in T. Johansson and P. Q. Nguyen, editors,
*EUROCRYPT, volume 7881 of Lecture Notes in Computer Science*(Springer, 2013), pp. 194–210. full version available at: http://eprint.iacr.org/2012/670 - 9.W. Bosma, J. Cannon, and C. Playoust. The Magma algebra system. I. The user language.
*J. Symb. Comput.*24(**3**–**4**), 235–265 (1997). [**Computational algebra and number theory (London, 1993)**]Google Scholar - 10.E. Brier and M. Joye. Weierstraß elliptic curves and side-channel attacks, in
*Public Key Cryptography*(Springer, 2002), pp. 335–345Google Scholar - 11.D. V. Chudnovsky and G. V. Chudnovsky. Sequences of numbers generated by addition in formal groups and new primality and factorization tests.
*Adv. Appl. Math.*7(**4**), 385–434 (1986)Google Scholar - 12.C. Costello and K. Lauter. Group law computations on Jacobians of hyperelliptic curves, in A. Miri and S. Vaudenay, editors,
*Selected Areas in Cryptography, volume 7118 of Lecture Notes in Computer Science*(Springer, 2011), pp. 92–117Google Scholar - 13.O. Diao and M. Joye. Unified addition formulæ for hyperelliptic curve cryptosystems, in
*3rd Workshop on Mathematical Cryptology (WMC 2012) and 3rd International Conference on Symbolic Computation and Cryptography (SCC 2012)*(2012), pp. 45–50Google Scholar - 14.S. Erickson, T. Ho, and S. Zemedkun. Explicit projective formulas for real hyperelliptic curves of genus 2.
*Adv. Math. Commun.*(2014) (**To appear**)Google Scholar - 15.X. Fan and G. Gong. Efficient explicit formulae for genus 2 hyperelliptic curves over prime fields and their implementations, in C. Adams, A. Miri, and M. Wiener, editors,
*Selected Areas in Cryptography, volume 4876 of Lecture Notes in Computer Science*(Springer, Berlin, Heidelberg, 2007), pp. 155–172Google Scholar - 16.A. Faz-Hernández, P. Longa, and A. H. Sanchez. Efficient and secure algorithms for GLV-based scalar multiplication and their implementation on GLV-GLS curves, in J. Benaloh, editor,
*CT-RSA, volume 8366 of Lecture Notes in Computer Science*(Springer, 2014), pp. 1–27Google Scholar - 17.S. D. Galbraith, M. Harrison, and D. J. Mireles Morales. Efficient hyperelliptic arithmetic using balanced representation for divisors, in A. J. van der Poorten and A. Stein, editors,
*ANTS, volume 5011 of Lecture Notes in Computer Science*(Springer, 2008), pp. 342–356Google Scholar - 18.S. D. Galbraith, J. Pujolàs, C. Ritzenthaler, and B. A. Smith. Distortion maps for supersingular genus two curves.
*J. Math. Cryptol.*3(**1**), 1–18 (2009)Google Scholar - 19.R. P. Gallant, R. J. Lambert, and S. A. Vanstone. Faster point multiplication on elliptic curves with efficient endomorphisms, in J. Kilian, editor,
*CRYPTO, volume 2139 of Lecture Notes in Computer Science*(Springer, 2001), pp. 190–200Google Scholar - 20.P. Gaudry. Fast genus 2 arithmetic based on Theta functions.
*J. Math. Cryptol. JMC*1(**3**), 243–265 (2007)Google Scholar - 21.P. Gaudry, D. R. Kohel, and B. A. Smith. Counting points on genus 2 curves with real multiplication, in D. H. Lee and X. Wang, editors,
*ASIACRYPT, volume 7073 of Lecture Notes in Computer Science*(Springer, 2011), pp. 504–519Google Scholar - 22.P. Gaudry and E. Schost. Genus 2 point counting over prime fields.
*J. Symb. Comput.*47(**4**), 368–400 (2012)Google Scholar - 23.R. R. Goundar, M. Joye, A. Miyaji, M. Rivain, and A. Venelli. Scalar multiplication on Weierstraß elliptic curves from Co-
*Z*arithmetic.*J. Cryptogr. Eng.*1(**2**), 161–176 (2011)Google Scholar - 24.M. Hamburg. Fast and compact elliptic-curve cryptography. Cryptology ePrint Archive, Report 2012/309 (2012). http://eprint.iacr.org/
- 25.H. Hisil.
*Elliptic curves, group law, and efficient computation*. PhD thesis, Queensland University of Technology (2010)Google Scholar - 26.
- 27.
- 28.V. Kovtun and S. Kavun. Co-Z divisor addition formulae in Jacobian of genus 2 hyperelliptic curves over prime fields. Cryptology ePrint Archive, Report 2010/498 (2010). http://eprint.iacr.org/
- 29.T. Lange. Formulae for arithmetic on genus 2 hyperelliptic curves.
*Appl. Algebra Eng. Commun. Comput.*15(**5**), 295–328 (2005)Google Scholar - 30.P. Longa and A. Miri. New composite operations and precomputation scheme for elliptic curve cryptosystems over prime fields, in R. Cramer, editor,
*Public Key Cryptography PKC 2008, volume 4939 of Lecture Notes in Computer Science*(Springer, Berlin, Heidelberg, 2008), pp. 189–201Google Scholar - 31.D. Lubicz and D. Robert. A generalisation of Miller’s algorithm and applications to pairing computations on abelian varieties. Cryptology ePrint Archive, Report 2013/192 (2013). http://eprint.iacr.org/
- 32.N. Meloni. New point addition formulae for ECC applications, in C. Carlet and B. Sunar, editors,
*WAIFI, volume 4547 of Lecture Notes in Computer Science*(Springer, 2007), pp. 189–201Google Scholar - 33.V. S. Miller. Use of elliptic curves in cryptography, in H. C. Williams, editor,
*CRYPTO, volume 218 of Lecture Notes in Computer Science*(Springer, 1985), pp. 417–426Google Scholar - 34.P. L. Montgomery. Speeding the Pollard and elliptic curve methods of factorization.
*Math. Comput.*48(**177**), 243–264 (1987)Google Scholar - 35.A.-M. Spallek.
*Kurven vom geschlecht 2 und ihre anwendung in public-key-kryptosystemen*. PhD thesis, Universität Essen. Institut für Experimentelle Mathematik (1994)Google Scholar