Complete group law for genus 2 Jacobians on Jacobian coordinates

This manuscript provides complete, inversion-free, and explicit group law formulas in Jacobian coordinates for the genus 2 hyperelliptic curves of the form $y^2 = x^5 + a_3 x^3 + a_2 x^2 + a_1 x + a_0$ over a field $K$ with $\mathrm{char}(K) \neq 2$. The formulas do not require the use of polynomial arithmetic operations such as resultant, mod, or gcd computations but only operations in $K$.


Introduction
Elliptic curves were proposed for use in cryptographic applications by Miller in 1985 [1] and then by Koblitz in 1987 [2]. Two years later, Koblitz [3] proposed that hyperelliptic curves of arbitrary genus can replace elliptic curves in cryptosystems. However, this claim was falsified by Gaudry [4], who showed that security is inversely proportional to the genus. Gaudry's work led cryptographic studies to focus on the genus 1 and genus 2 cases specifically.
A genus 1 curve is an elliptic curve. The points on an elliptic curve can be made into an abelian group. In comparison, a hyperelliptic curve of genus ≥ 2 is not an algebraic group by itself; however, its Jacobian becomes an abelian group under the binary operation divisor addition. A landmark algorithm for divisor addition was introduced by David G. Cantor in 1987 [5, §3, §4]. Cantor's algorithm is deterministic and works for arbitrary genus hyperelliptic curves. The algorithm operates on Mumford's coordinates [6], a polynomial representation of divisors, and, consequently, makes heavy use of polynomial arithmetic, which makes it relatively inefficient for cryptographic applications in its original form.
Cantor's algorithm was improved by others [3, 7–9], and explicit formulas for hyperelliptic curves of particular genus were studied. Lange reports in her thesis [10] that Spallek [11] proposed explicit formulas for the most common addition on genus 2 curves, later optimized by Harley [12] for odd characteristic curves. Lange [10] advanced Harley's approach to arbitrary characteristics. In her thesis [10] and her following work [13], Lange presented a complete divisor addition algorithm on genus 2 hyperelliptic curves in a semi-explicit manner. Speed-ups [14-16] followed Lange's work. The complete inversion-free projective formulas are proposed in [17–19]. In 2011, Costello and Lauter [20] derived new formulas for Cantor's composition step, which incorporates solving linear systems instead of polynomial arithmetic. In 2014, Hisil and Costello [21] extended the work in [20] by introducing Jacobian coordinates, reducing the operation counts significantly. A recent work by Hu et al. [22] further extends the work in [21] to the case of degenerate divisor addition. Apart from these developments, which are the main focus of this work, Gaudry [23] provided explicit formulas to perform pseudo-group operations on genus 2 Kummer surfaces which are currently the speed leader in curve-based cryptosystems; see the implementation in [24]. However, some cryptographic constructions enforce the use of prime order genus 2 Jacobians, which do not allow a Kummer parameterization.
This work aims to present complete, inversion-free, and explicit formulas for divisor addition on genus 2 hyperelliptic curves. We closely follow Lange's thesis [10] and present an algorithm in affine coordinates. We dispose of all polynomial arithmetic by expressing the operations explicitly. As the main contribution of this paper, we propose the formulas in Jacobian coordinates by exploiting [21]. The formulas combine the works in [21] and [22] and handle the missing cases for the sake of a complete inversion-free algorithm.
The paper is organized as follows. We briefly cover the fundamental background in Sect. 2. In Sect. 3, we present the complete and explicit formulas in affine coordinates for divisor addition as an algorithm. We present the inversion-free formulas in Jacobian coordinates for the missing cases in the literature; see Sect. 4. The cost analysis is given in Sect. 5. We derive our conclusions in Sect. 6. For the convenience of the reader, we attach computer-aided verification scripts in the Appendix.

Preliminaries
This section recalls basic definitions in the theory of hyperelliptic curves. Throughout this section, we assume that $K$ is a field with $\mathrm{char}(K) \neq 2$.

Hyperelliptic curves
A hyperelliptic curve $H$ of genus $g$ over $K$ is a non-singular curve with the equation where and $f(x)$ is monic. We denote the point set of $H$ as where $O$ is the single point at infinity. Let $P = (x, y)$, the negative of $P$ is given as $-P = (x, -y - h(x))$. In the following sections, we will use the notation $f'(x)$ and $f''(x)$ for the derivatives $\frac{d f(x)}{dx}$ and $\frac{d^2 f(x)}{dx^2}$, respectively. Under the assumption $\mathrm{char}(K) \neq 2$, $H$ can be put in the simplified form $y^2 = f(x)$. Additionally, under the assumption $\mathrm{char}(K) \neq 5$, a genus 2 hyperelliptic curve can be put in the form We use the letter $H$ in the following sections to address such a curve. We note here that the formulas presented in this work apply to char(K ) = 5 provided that H = 0, where is the discriminant of $f(x)$.

Divisors
where only a finite number of $n_P \in \mathbb{Z}$ are nonzero. The identity is called the zero divisor, denoted 0, with $\forall P,\ n_P = 0$. The support of $D$ is the set $\mathrm{supp}(D) = \{P \in H(\bar{K}) : n_P \neq 0\}$ and the degree of $D$ is given by $\deg(D) = \sum_{P \in H(\bar{K})} n_P$. The order of $D$ at a point $P \in H(\bar{K})$ is the coefficient $n_P$. A divisor of a function $f$ is given by $(f) = \sum_{P \in H(\bar{K})} \mathrm{ord}_f(P)\,(P)$ where $\mathrm{ord}_f(P)$ is the multiplicity of $f$ on $P$.
A semi-reduced divisor has the form $D = \sum n_P (P) - (\sum n_P)(O)$ where $n_P \geq 0$ and $-P \notin \mathrm{supp}(D)$ if $P \in \mathrm{supp}(D)$ unless $P = -P$ with $n_P = 1$. The inverse of a semi-reduced divisor is formulated as $-D = \sum n_P (-P) - (\sum n_P)(O)$. A reduced divisor is a semi-reduced divisor with $\sum n_P \leq g$. Throughout this paper, we will refer to divisors with one and two points in their support (other than $O$) as degenerate and non-degenerate divisors, respectively.
On $H$, the set of all divisors, denoted $\mathrm{Div}_K(H)$; degree zero divisors, namely $\mathrm{Div}^0_K(H)$; the principal divisors (divisors of a function), denoted $\mathrm{Prin}_K(H)$ form a group. Moreover, the groups mentioned satisfy The quotient group $\mathrm{Div}^0_K(H)/\mathrm{Prin}_K(H)$ is called the divisor class group, which is isomorphic to the Jacobian, denoted by An important observation about the Jacobian is that each coset of it has a unique reduced divisor. Moreover, let $D_1, D_2 \in J(H)$ be reduced divisors; then there exists a reduced divisor $D$ such that $D \sim D_1 + D_2$.
A reduced divisor $D \in J(H)$ can be represented using the Mumford representation [6] with two polynomials as $D = [u(x), v(x)]$ where the following assumptions hold Notice that the point in the support of a degenerate divisor is defined to be in $H(K)$. For a non-degenerate divisor $D = (P_1) + (P_2) - 2(O)$ where $P_1 = (x_1, y_1) \in H(\bar{K})$ and $P_2 = (x_2, y_2) \in H(\bar{K})$, we will use the notation $D = [x^2 + qx + r, sx + t]$ with $q, r, s, t \in K$. Here, assuming and otherwise We note that $y_1 = 0$ is not possible by definition of a reduced divisor whose support cannot contain opposite points. Finally, the identity is represented by the divisor $[1, 0]$.

Cantor's algorithm
In 1987, Cantor introduced an algorithm [5, §3, §4] to compute divisor addition on hyperelliptic curves, analogous to class group arithmetic, which is generalized and presented later by [3,25]. Cantor's algorithm uses polynomial arithmetic and works for all hyperelliptic curves of arbitrary genus. There are two stages of the algorithm; composition stage (Algorithm 1 lines 1-5) computes the semi-reduced divisor that is equal to the addition of the inputs; reduction stage (Algorithm 1 lines 6-12) computes the related unique reduced divisor. For further information, we refer the reader to the appendix of [26].

Algorithm 1 Cantor's Algorithm [3,5,25]

We use this algorithm to verify the correctness of the explicit formulas presented in Sect. 3. Since the computations involving these verifications are tedious, we prefer to carry them out succinctly with the help of computer algebra rather than pages-long algebraic investigation. We now present the complete and explicit group law in Sect. 3.
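Cantor's composition and reduction stages for the simplified curve form $y^2 = f(x)$, as an added example in Python; it is not the paper's Algorithm 1 listing and not its Magma code. Polynomials are coefficient lists with the lowest degree first, and the prime 1009 and the curve $y^2 = x^5 - 5x^3 + 4x$ are constructed test values.

```python
# Added example: Cantor's algorithm for y^2 = f(x) (h = 0) over GF(P).
# Polynomials are coefficient lists, lowest degree first; [] is zero.
P = 1009                      # constructed small prime, char(K) not 2 or 5
F = [0, 4, 0, P - 5, 0, 1]    # constructed curve: f = x^5 - 5x^3 + 4x

def trim(a):
    a = [c % P for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a

def padd(a, b, sign=1):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([x + sign * y for x, y in zip(a, b)])

def pmul(a, b):
    out = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)

def pdivmod(a, b):
    a, q = trim(a), [0] * max(len(a) - len(b) + 1, 0)
    lead_inv = pow(b[-1], -1, P)
    while len(a) >= len(b):
        k, c = len(a) - len(b), a[-1] * lead_inv % P
        q[k] = c
        a = padd(a, pmul([0] * k + [c], b), -1)
    return trim(q), a

def pxgcd(a, b):
    """Return (d, s, t) with d = s*a + t*b and d monic."""
    r0, s0, t0, r1, s1, t1 = a, [1], [], b, [], [1]
    while r1:
        q, r = pdivmod(r0, r1)
        r0, s0, t0, r1, s1, t1 = (r1, s1, t1, r,
            padd(s0, pmul(q, s1), -1), padd(t0, pmul(q, t1), -1))
    c = [pow(r0[-1], -1, P)]
    return pmul(r0, c), pmul(s0, c), pmul(t0, c)

def cantor_add(D1, D2):
    """Add two divisors given in Mumford form (u, v); returns reduced (u, v)."""
    (u1, v1), (u2, v2) = D1, D2
    # Composition: semi-reduced divisor equivalent to D1 + D2.
    d1, e1, e2 = pxgcd(u1, u2)
    d, c1, c2 = pxgcd(d1, padd(v1, v2))
    s1, s2, s3 = pmul(c1, e1), pmul(c1, e2), c2
    u = pdivmod(pmul(u1, u2), pmul(d, d))[0]
    num = padd(padd(pmul(pmul(s1, u1), v2), pmul(pmul(s2, u2), v1)),
               pmul(s3, padd(pmul(v1, v2), F)))
    v = pdivmod(pdivmod(num, d)[0], u)[1]
    # Reduction: bring deg(u) down to at most the genus, 2.
    while len(u) - 1 > 2:
        u = pdivmod(padd(F, pmul(v, v), -1), u)[0]
        v = pdivmod(padd([], v, -1), u)[1]
    return pmul(u, [pow(u[-1], -1, P)]), v
```
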

Explicit formulas for divisor addition
We start with basic facts which are referenced in the body of our algorithm.
Proof This is simply Mumford's composition.
Lemma 2 Let $D_1$ be a degenerate and $D_2$ be a non-degenerate divisor. Then, $D_1 + D_2$ cannot be the zero divisor.
However, D 2 is non-degenerate, contradiction.Thus, the addition of a degenerate divisor with a non-degenerate divisor cannot give the zero divisor.

Lemma 3 There exists no degenerate divisor D
Nevertheless, by Lemma 1, 2D must be non-degenerate while (−P) − (O) is clearly degenerate.This is a contradiction by Lemma 2. Therefore, D must be non-degenerate.
In the remainder of this section, we define two input divisors $D_1$, $D_2$, and an output divisor $D_3 = D_1 + D_2$, and examine the complete formulas for $D_3$. We set divisor

Trivial inputs
Here, we investigate the output when at least one of the input divisors is the identity, namely the zero divisor.The cases are trivial, i.e., if one input divisor is 0 then the output is the other input divisor (which is also true when both inputs are 0).

Degenerate/degenerate inputs
Now, we investigate whether $D_1$ and $D_2$ are joint by examining the points at their support: $P_1 = (x_1, y_1)$ and
• Case $x_1 = x_3$: The input divisors are joint with $P_1 = \pm P_3$.
  - Case $y_1 = -y_3$: We have is non-degenerate and can be computed with Mumford's composition (3). [Script 2] in the Appendix verifies the correctness of this formula.
• Case $x_1 \neq x_3$: The input divisors are disjoint, and $D_3 = [x^2 + q_3 x + r_3, s_3 x + t_3]$ can be computed with Mumford's composition (2). [Script 3] in the Appendix verifies the correctness of this formula.
Since the conditions above exhaust all possible cases, a degenerate output is not possible, as stated in Lemma 1. Note that the case where $x_1 = x_3$ and $y_1 = y_3 = 0$ (special point doubling) is handled by "Case $y_1 = -y_3$".
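The case analysis of this subsection written with field operations only, as an added example; it is not code from the paper or its Magma repository. The chord and tangent expressions are the standard Mumford composition and are assumed to match the paper's compositions (2) and (3), which are not reproduced on this page; the prime 1009 and the curve $y^2 = x^5 - 5x^3 + 4x$ are constructed test values.

```python
# Added example: explicit degenerate/degenerate addition, no polynomial arithmetic.
P = 1009                          # constructed small prime, char(K) not 2 or 5
A3, A2, A1, A0 = -5, 0, 4, 0      # constructed curve with roots -2, -1, 0, 1, 2
ZERO = "0"                        # the identity divisor [1, 0]

def f(x):
    return (x**5 + A3 * x**3 + A2 * x**2 + A1 * x + A0) % P

def df(x):
    return (5 * x**4 + 3 * A3 * x**2 + 2 * A2 * x + A1) % P

def inv(a):
    return pow(a % P, -1, P)

def add_degenerate(P1, P3):
    """(P1) - (O) + (P3) - (O) as ZERO or (q, r, s, t) = [x^2+qx+r, sx+t]."""
    (x1, y1), (x3, y3) = P1, P3
    if x1 == x3:
        if (y1 + y3) % P == 0:
            return ZERO           # P1 = -P3, includes y1 = y3 = 0
        # P1 = P3 with y1 != 0: doubling, v is the tangent line at P1
        s = df(x1) * inv(2 * y1) % P
        q, r = (-2 * x1) % P, x1 * x1 % P
    else:
        # disjoint supports: v is the chord through P1 and P3
        s = (y1 - y3) * inv(x1 - x3) % P
        q, r = (-(x1 + x3)) % P, x1 * x3 % P
    return (q, r, s, (y1 - s * x1) % P)

def is_mumford(D):
    """Check that u = x^2+qx+r divides f - v^2 for v = sx+t."""
    q, r, s, t = D
    g = [A0 - t * t, A1 - 2 * s * t, A2 - s * s, A3, 0, 1]  # f - v^2
    for i in range(5, 1, -1):     # x^i = -q x^(i-1) - r x^(i-2) modulo u
        c = g[i]
        g[i - 1] -= c * q
        g[i - 2] -= c * r
    return g[0] % P == 0 and g[1] % P == 0

def curve_points():
    """All affine points of the constructed curve, by brute force."""
    roots = {}
    for y in range(P):
        roots.setdefault(y * y % P, []).append(y)
    return [(x, y) for x in range(P) for y in roots.get(f(x), [])]
```
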

Degenerate/non-degenerate inputs
We continue with the addition of a non-degenerate and a degenerate divisor. We assume that the inputs are swapped, if necessary, in order to have $D_1$ and $D_2$, degenerate and non-degenerate, respectively. Let
• Case $u_2(x_1) = 0$: Since $x_1 \in K$ is a root of the polynomial $u_2(x)$, we deduce that $u_2(x)$ must have the roots = 0, though we do not know $x_3$ and $x_4$ explicitly. Without loss of generality, we assume $x_3 = x_1$. Now, we compute, Before we proceed to investigate the following subcases, we note that $P_3 = (x_3, y_3)$ and
  - Case y 1 = −y where Note that $D_1 = (P_1) - (O)$ cannot have order three 1. Note also that the denominators of $q_3$, $r_3$, $s_3$, and $t_3$ are all powers of $y_1$. Here, $y_1 \neq 0$ because the case $y_1 = 0$ is handled in "Case $y_1 = -y_3$". Therefore, the denominators never vanish. [Script 4] in the Appendix verifies the correctness of this formula.
    * Case $x_1 \neq x_4$: Now, $P_4$ is disjoint with other points in both supports. So, the addition consists of the doubling of $D_1 = (P_1) - (O)$ and the accumulation of $(P_4) - (O)$ on $2D_1$. In this case, we compute divisor $2(P_1) - 2(O) = [x^2 + qx + r, sx + t]$ as in Eq. (3). Note that the denominator $y_1$ in Eq. (3) does not vanish since the case $y_1 = 0$ is again handled in "Case $y_1 = -y_3$". Now, $D_3 = 2(P_1) + (P_4) - 3(O)$ can be computed with the generic formula in [22, §3.1] as follows, where Notice that the denominator of $A$ vanishes only when $P_4$ is in the support of divisor $2(P_1) - 2(O)$, which is in contradiction with the assumption $x_1 \neq x_4$. [Script 5] in the Appendix verifies the correctness of this formula.
• Case $u_2(x_1) \neq 0$: In this case, we have disjoint divisors, and the generic addition formula in [22, §3.1] applies directly. We have where ] in the Appendix verifies the correctness of this formula.
Finally, we remark that the addition of a non-degenerate divisor with a degenerate divisor cannot give the zero divisor by Lemma 2.

Non-degenerate/non-degenerate inputs
In this section, we examine the last and most common addition, where both inputs are non-degenerate. Let and though we do not know $x_i$ and $y_i$ explicitly. We continue by investigating $v_1$ and $v_2$.
  - Case ) which implies that $\{y_1, y_2\} = \{y_3, y_4\}$. Also, note that $y_1 \neq 0$ or $y_2 \neq 0$ because otherwise $\{y_1, y_2\} = \{-y_3, -y_4\}$, which is covered in "Case $v_1 = -v_2$". Thus, $D_1 = D_2$ and the doubling operation $D_3 = 2D_1$ is present. We define the common subexpressions $A$, $B$, and $C$ for doubling as in [21, §5].
The doubling formula in [21, §5] is not defined for two cases: when the output is degenerate and when the denominator $B$ vanishes. The approach in [10, §3.1, §3.4] properly handles each case, leaving a minor use of polynomial arithmetic. Our small contribution here is to eliminate the polynomial arithmetic and carry out the computation solely with field arithmetic. Therefore, we need to pinpoint algebraically the case where the output is degenerate or non-degenerate. These cases are given as follows.
    * Case $B = 0$: $B$ is equal to $-2y_1y_2$ which corresponds to the resultant($h + 2v_1$, $u_1$) calculated in [10, §3.1]. Now, $B = 0$ induces at least one of the points in the support being a special point which gives the identity when doubled. We assume $y_2 = 0$ without loss of generality and compute $x_2$ by explicitly calculating gcd($u_1$, $v_1$) $= x - x_1$ as in [10, §3.1]. We have Finally, $D_3 = 2(P_1) - 2(O)$ can be computed with the composition formula (3).
    * Case $B \neq 0$: Here, the points in the support are not special points, but a degenerate output is possible. The line "s = k/(h + 2v) mod u" of Section 3.4 of [10] is subject to accidental cancellation, which may lead to a degenerate output that is again handled implicitly. An explicit approach is to detect the degenerate output beforehand and to generate new formulas free of polynomial arithmetic. For this purpose, we investigate the common subexpression $C$.
      * Case $C = 0$: As stated in [22, §3.3], $C = 0$ implies a degenerate output since the coefficient of the degree 3 term in the intersection parabola The corrected version of the formula in [22, §3.3] is as follows. (Footnote 2: Incorrect x 3 is replaced with the correct x 5.) [Script 7] in the Appendix verifies the correctness of this formula.
      * Case $C \neq 0$: In this case, the doubling formula in [21, §5] applies for the non-degenerate output $D_3$ [10,20].
• Case $u_1 \neq u_2$: Here, the supports of $D_1$ and $D_2$ are not identical. Thus, we continue with the addition formulas. We define the common subexpressions $A$, $B$, and $C$ as in [21, §5].
As before, we try to detect the cases where the addition formula in [21, §5] is not defined. For that purpose, we investigate the common subexpressions $B$ and $C$. The reason that we concentrate on $B$ is illuminated when we write $B$ in terms of $x_1$, $x_2$, $x_3$, and $x_4$ which is given as follows, The value $-B$ corresponds to the resultant($u_1$, $u_2$) in [10, §3.1] and becomes zero when $\{P_1, P_2\} \cap \{\pm P_3, \pm P_4\} \neq \emptyset$.
  - Case $B = 0$: The supports of the input divisors are joint. Without loss of generality we may assume $x_1 = x_3$ and calculate x 5 = (q 1 + q 2 ) + A 2 B 2 , [Script 9] in the Appendix verifies the correctness of this formula.
    * Case $C \neq 0$: The addition formula in [21, §5] applies. Furthermore, this is the most frequent case in most cryptographic applications. We reproduce the formulas here to keep the text self-contained.
[Script 10] in the Appendix verifies the correctness of this formula.
The inversion-free formulas in weighted Jacobian coordinates are given only for the most common addition and doubling (corresponding to Eqs. (9) and (12) resp.) in [21], and only for the cases that contain degenerate divisors in [22]. Moreover, the degenerate divisors in [22] are considered to be in affine coordinates.
By following the same order as in Sect. 3, we present inversion-free formulas with all divisors in weighted Jacobian coordinates for the sake of a complete inversion-free divisor addition algorithm. We omit the cases that are already given in [21,22] by referring the reader to the mentioned papers. Finally, a complete and inversion-free divisor addition algorithm is given in https://github.com/ozbayelif/jacon-jac in Magma [27]. The code is optimized to reduce operation counts by eliminating the common subexpressions in the formulas. Throughout this section, we will represent the output divisor as

Degenerate/degenerate inputs
Let the input divisors be represented as The inversion-free formulas of the two cases $D_1 = D_2$ and $D_1 \neq D_2$ are given in [22, §4.4]; however, the input divisors are considered to be in affine coordinates.
The formula for the case $D_1 = D_2$ given below corresponds to Eq. (3).
The inversion-free version of Eq. (2) for $D_1 \neq D_2$ is as follows.

Degenerate/non-degenerate inputs
Let the input divisors be represented as As investigated in Sect. 3.3, there exist 4 cases that can occur. The case where $P_1 = -P_3$ gives the degenerate output $D_3 = (P_4) - (O)$ whose coordinates can be recovered, as described in "Case $u_2(x_1) = 0$", with the following formula.
The inversion-free tripling formula in [22], for $P_1 = P_3 = P_4$, leaves the point $P_1$ to be tripled in affine coordinates. Here, the fully weighted formula is given, which corresponds to Eq. (4).
The last case corresponds to Eq. (6), where the supports are disjoint. The formula in [22] leaves $P_1$ in affine coordinates.
The fully-weighted formula is given below.

Non-degenerate/non-degenerate inputs
Let the input divisors be We omit the cases where the output is degenerate and refer the reader to [22, §4.3]. Likewise, we refer to [21] for the common subexpressions in Jacobian coordinates and the formulas for the common cases. Throughout this section, we use the notation $P_i = (X_{P_i}, Y_{P_i}, Z_{P_i}, W_{P_i})$ for the points in the supports to avoid confusion between the $Z$, $W$ coordinates of points and divisors.
We continue with doubling where $u_1 = u_2$ and $v_1 = v_2$. The case $B = 0$ does not involve a degenerate divisor, yet it is a rare case where the common addition formulas do not work. Hence, the case is missing in the literature. When $B = 0$, the result $D_3 = 2(P_1) - 2(O)$ can be calculated by making the coordinates of $P_1$ explicit as below and doubling it with Eq. (13).
The addition in the case $u_1 = u_2$, $v_1 \neq \pm v_2$ gives $D_3 = 2(P_1) - 2(O)$. The coordinates of $P_1$ can be computed with the following formula and can be doubled with Eq. (13).
Now we investigate addition where $u_1 \neq u_2$. We focus on the case $B = 0$ which indicates that the input divisors share exactly one common point in their supports. The coordinates of the points in the supports can be calculated as below.
If $Y_{P_1} = Y_{P_3}$, the result can be calculated by doubling $P_1$ with Eq. (13) and adding $P_2$ and $P_3$ with Eq. (14).

Cost analysis
The divisor addition on genus 2 hyperelliptic curves is intricate, with plenty of different cases. Although rare cases have a low chance of occurrence, handling them in cryptographic applications is vital. While some of the rare cases are quite costly to handle, some others are not.
In Fig. 1, we illustrate all the cases of divisor addition on genus 2 hyperelliptic curves; we present the operation counts and point out the gaps in the literature, which are filled with this work. The dashed edges represent the missing cases in the literature that are proposed with fully-weighted formulas in Jacobian coordinates here. We refer to degenerate/degenerate addition as 1 + 1, degenerate/non-degenerate addition as 1 + 2, and non-degenerate/non-degenerate addition as 2 + 2. The letter 'M' stands for the number of field multiplications; 'S' for field squarings; and 'D' for addition or multiplication with constants, respectively. Each edge represents a condition to be checked before determining the present case, with respect to the algorithm in Sect. 3. The operation counts given below the edges denote the cost of checking the condition. In some cases, the operations required for determining the case to be handled also provide common subexpressions, which are shared with the addition formulas in that context. Each leaf of the tree corresponds to a case in Sect. 3. The operation counts of each case are given in the leaves.
We note that $P_5$ and $P_6$ can be interchanged without loss of generality.
The operations needed for the detection of the cases are also taken into account in contrast to the previous works, which present the operation counts for specific cases.This may lead to differences with the operation counts given in the literature.However, exceptional outputs may be produced when assumptions on the inputs are made without checking if the conditions are met.Thus, it is sensible to include the cost of case detection to demonstrate the performance of our complete algorithm.

Conclusion
This paper introduced explicit and inversion-free formulas for the complete group law of genus 2 hyperelliptic curves.The formulas are derived from Cantor's algorithm and presented case by case in regard to whether the divisors are degenerate or non-degenerate.This work can be seen as a completion of the works started in [21] and [22] on Jacobian coordinates.
Any cryptographic application which enforces using a prime order genus 2 Jacobian is amenable to introducing exceptional situations, such as the addition of two divisors with joint support.Our formulas provide an efficient fallback that eliminates the need for polynomial arithmetic required by Cantor's algorithm.Although the formulas we present consist of rare cases, a cryptographic application based on an operation such as digital signature verification is expected to handle all cases properly.In such a scenario, our complete algorithm can be used to prevent active attacks based on faulty inputs which target to trigger an exceptional output.