Supersingular hyperelliptic curves of genus 2 over finite fields

Applied Mathematics and Computation 163 (2005) 565–576 www.elsevier.com/locate/amc

Supersingular hyperelliptic curves of genus 2 over finite fields q Young Ju Choie *, Eun Kyung Jeong, Eun Jeong Lee Pohang University of Science and Technology, Mathematics, Hyuja-dong, Pohang 790784, Republic of Korea

Abstract In this paper we describe an elementary criterion how to determine supersingular hyperelliptic curves of genus 2, directly using only the given Weierstrass equation. A family of the hyperelliptic curve H =Fp of the type v2 ¼ u5 þ a and v2 ¼ u5 þ au have been studied. Ó 2004 Elsevier Inc. All rights reserved.

1. Introduction Since Koblitz suggested using the hyperelliptic curve H as a good source of public key cryptosystem, many interesting results have been explored toward hyperelliptic cryptosystem. When the genus g of the curve is large, there is a subexponential algorithm due to Adleman et al. [1] for the discrete logarithm problem in JH ðFq Þ. Also, when the genus g of a curve is small but g P 4, Gaudry’s algorithm is faster than Pollard’s rho algorithm [6]. Consequently, the hyperelliptic curves of genus 2, 3 can be very attractive for the cryptographic purpose. Using the Tate-pairing, [8], Menezes et al. showed that for the supersingular elliptic curves the value k above is at most 6 and, therefore, the good upper bound of the complexity of the attack in the supersingular elliptic curve could

q

This work was partially supported by ITRC and KOSEF R01-2003-000-11596-0. Corresponding author. E-mail address: [email protected] (Y.J. Choie).

*

0096-3003/$ - see front matter Ó 2004 Elsevier Inc. All rights reserved. doi:10.1016/j.amc.2004.03.030

566

Y.J. Choie et al. / Appl. Math. Comput. 163 (2005) 565–576

be provided [9]. It turns out that it is not proper to use the supersingular elliptic curve for the Diffie–Hellman type cryptosystem. On the contrary, recently, Boneh and Franklin [2] suggested a constructive application of supersingular elliptic curves (supersingular curves in general [5]) to generate an identity-based cryptosystem. However, one needs to check if a given hyperelliptic curve of genus 2 and 3 is secure under the Frey–R€ uck attack [8]. According to Tate-pairing, the discrete logarithm problem on the divisor class group JC ðFq Þ of a curve C over the finite field Fq can be reduced to that over Fqk of some extension of the base field. When k is small one can solve the discrete logarithm problem using the index calculus method over the finite field and this is called Frey–R€uck attack. Galbraith [5] showed that for supersingular curves there is an upper bound, which depends only on genus, on the values of the extension degree k, and in particular, it turns out that k can be at most 12 for the supersingular curve of genus 2 and Rubin and Silverberg improved a bound, i.e. k 6 6 for odd p. So, it will be very useful to detect those cryptographically weak curves in advance. On the contrary, recently, Boneh and Franklin [2] suggested a constructive application of supersingular elliptic curves (supersingular curves in general [5]) to generate an identity-based cryptosystem. To determine, with known criterions, if the given curves are supersingular (see, for instance, [5,11]), one needs to compute the number of rational points jH ðFqi Þj of H , for all i; 1 6 i 6 g, or, to know the characteristic polynomial of H . Therefore, when the characteristic p of the base field of the curve is large, this procedure is not really practical. In this paper, we show that we can check, directly using the defining equation, if a given hyperelliptic curve H of genus 2 over Fq , with q ¼ pn ; p > 2, is supersingular. The criterion depends only on the equation and p. Furthermore, we derive more sharp bound of k for supersingular abelian variety of genus 2 defined over Fp . Finally, as an example, using the above criterion, we determine all primes p where the hyperelliptic curves H =Fp of the type v2 ¼ u5 þ a and v2 ¼ u5 þ au are supersingular. The orders of Jacobians of the above curves are determined and, therefore, the upper bounds of k are all determined. This paper is organized as follows. In Section 2 we introduce the usual notations and recall basic definitions of the hyperelliptic curve of genus 2. In Section 3 we derive the main criterion how to determine if the given hyperelliptic curve of genus 2 is supersingular, directly using the defining equation and the proofs of the main theorem and lemmata will be postponed until the last Section 6. Section 4 states a complete characterization of supersingular abelian varieties of dimension 2 over the prime field Fp . In Section 5, as an application of the main criterion, we characterize all the hyperelliptic curves H =Fp with defining equation of the type v2 ¼ u5 þ a and v2 ¼ u5 þ au; a 2 Fp .

Y.J. Choie et al. / Appl. Math. Comput. 163 (2005) 565–576

567

2. Hyperelliptic curves over finite fields We recall the useful result related to the supersingularity of hyperelliptic curves over finite field. We follow definitions given in [4]. Let Fq be a field with q ¼ pn elements of characteristic p and Fq be its algebraic closure of Fq . For a simplicity, take p > 2 throughout this paper. Definition 2.1. A hyperelliptic curve H of genus g over Fq is a projective nonsingular irreducible curve of genus g defined over Fq with a map H ! P1 of degree 2. Here Ps denotes the s-dimensional projective space over Fq . Moreover, we assume that H has an Fq -rational point P such that the Fq -rational function field of H has a non-constant function whose only pole is a double one at P ; such a point P is called a Weierstrass point. Definition 2.2. A Weierstrass equation H of genus g over Fq ; q ¼ pn is an equation of the form H =Fq : v2 ¼ f ðuÞ; f 2 Fq ½u ;

deg f ¼ 2g þ 1; f

monic

with no singular affine points. Remark 2.1. It is known that the curve H has a unique point O at infinity; namely O ¼ ½0; 0; 1 in the homogeneous coordinates u ¼ x1 =x0 , v ¼ x2 =x0 . Moreover, O is a singular point of multiplicity 2g  1 and the line at infinity x0 ¼ 0 is tangent to the curve at this point. The following definition gives the notion of supersingularity of the curve, which is an analogue of that for an elliptic curve (see [5,11]). Definition 2.3. An abelian variety A of dimension 2 over Fq is called supersingular if A is isogenus (over Fq ) to a product of g supersingular elliptic curves. A curve C over Fq is called supersingular if the Jacobian JC ðFq Þ of C is supersingular. Now, we recall the following known criterion for supersingularity [5,11] which is related to the characteristic polynomial of given variety. Theorem 2.1. Suppose A is an abelian variety of dimension 2 over Fq ; q ¼ pn , derived from a curve H . Assume P ðxÞ ¼ x4 þ a1 x3 þ a2 x2 þ qa1 x þ q2 is the characteristic polynomial of the Frobenius endomorphism on A. Then

568

Y.J. Choie et al. / Appl. Math. Comput. 163 (2005) 565–576 rn

(1) H is supersingular iff pd 2 e jar , for all r ¼ 1; 2. (2) Let Mi ¼ jH ðFqi Þj be the number of rational points of a hyperelliptic curve H of genus 2. Then the following holds; a1 ¼ M1  1  q;

a2 ¼ ðM2  1  q2 þ a21 Þ=2:

Proof (1) See Theorem 6.1 in [5]. (2) See page 147 of [7]. 

3. Main theorem There are criterions to check whether or not abelian variety A is supersingular, once its characteristic polynomial is computed. This means that the number of rational points jH ðFqi Þj of H for all i; 1 6 i 6 g of the given hyperelliptic curve H needs to be computed. However, if the defining field Fq has a large prime characteristic p, the above criterions are not efficient to test supersingularity. However, for a hyperelliptic curve of genus 2, there is a criterion to check if the given curve is supersingular, directly using the defining Weierstrass equation. In particular, when a curve is defined over the large prime field, the introduced method can give an effective test. Theorem 3.1. Let H be the hyperelliptic curve of genus 2 over K ¼ Fq . Let Ad is p1 the coefficient of the term ud1 in f ðuÞ 2 . Then the following is true. (1) If H is supersingular, then Ap  A2p1 ¼ Ap1  A2p :

ð3:1Þ

(2) In particular, when H is defined over the prime field Fp , i.e. q ¼ p, H is supersingular iff Ap  A2p1 ¼ Ap1  A2p

and

Ap þ A2p1 ¼ 0:

ð3:2Þ

Proof. The proof is given in Section 6.  Remark 3.1. Theorem 3.1 can be practical to determine if given hyperelliptic curve H of genus 2 is supersingular when the defining field of H is a prime field Fp ; p large. We will discuss examples in Section 5.

Y.J. Choie et al. / Appl. Math. Comput. 163 (2005) 565–576

569

To prove Theorem 3.1, we need the following lemma which states the modular condition of the coefficients of the characteristic polynomial can be relaxed. Lemma 3.2. Suppose A is an abelian variety of dimension 2 over Fq . Let P ðxÞ ¼ x4 þ a1 x3 þ a2 x2 þ qa1 x þ q2 be the characteristic polynomial of the Frobenius endomorphism on A. Then, for r ¼ 1; 2, rn

ar  0 ðmod pÞ iff pd 2 e jar :

ð3:3Þ

Remark 3.3. Lemma 3.2 was derived in [11] from the characterization of the simple abelian varieties over Fq . In Section 6, we give an alternative proof of the above lemma using algebraic property in appendix.

4. Embedding degree of supersingular abelian variety of dimension 2 over F p In this section, we focus more on the supersingular abelian varieties A over Fp . Furthermore, an improved upper bound of k, where k is the smallest integer such that ‘jpnk  1 and is called the embedding degree, is derived in this case. Here ‘ is the exponent (the largest prime factor) of jAðFpn Þj. Proposition 4.1. Let A be any supersingular abelian variety of dimension 2 with genus 2 over Fp , with a prime p > 16 and pðxÞ ¼ x4 þ a1 x3 þ a2 x2 þ a1 px þ p2 be the characteristic polynomial of A. Then the order of abelian variety AðFpn Þ, Jn , and its embedding degree are as follows: a2

n

Jn

k n

n=2

2

0

n  0 (mod 8) n  4 (mod 8) n  1; 3 (mod 4) n  2 (mod 4)

ðp  2p þ 1Þ ðpn þ 2pn=2 þ 1Þ2 p2n þ 1 2 ðpn þ 1Þ

1 1 4 2

p

n  0 (mod 6) n  1; 5 (mod 6) n  2; 4 (mod 6) n  3 (mod 6)

ðpn  2pn=2 þ 1Þ2 p2n þ pn þ 1 2 ðpn þ pn=2 þ 1Þ 2 n ðp  1Þ

1 3 3 1 (continued on next page)

570

Y.J. Choie et al. / Appl. Math. Comput. 163 (2005) 565–576

(continuned)

a2

n

Jn

k n

n=2

2

1 2

2p

n  0 (mod 2) n  1 (mod 2)

ðp  2p 2 ðpn  1Þ

p

n  0 (mod 12) n  2; 10 (mod 12) n  3; 9 (mod 12) n  4; 8 (mod 12) n  6 (mod 12) otherwise

ðpn  2pn=2 þ 1Þ 2 ðpn  pn=2 þ 1Þ 2 n ðp þ 1Þ 2 ðpn þ pn=2 þ 1Þ 2 n n=2 ðp þ 2p þ 1Þ 2n n p p þ1

2

1 3 2 3 1 6

2p

n  0 (mod 4) n  1; 3 (mod 4) n  2 (mod 4)

ðpn  2pn=2 þ 1Þ 2 ðpn þ 1Þ 2 ðpn þ 2pn=2 þ 1Þ

2

1 2 1

þ 1Þ

Proof. Let ‘ be the largest prime dividing jAðFpn Þj ¼ Jn of A and let k be the smallest integer such that ‘jðpnk  1Þ. Let P ðxÞ ¼ x4 þ a1 x3 þ a2 x2 þ a1 px þ p2 be the characteristic polynomial of pth Frobenius map. Since A is supersingular and p > 16, a1 ¼ 0 and a2 ¼ 0; p; 2p by Lemma 3.2 and Hasse–Weil bound. 2 2 On the other hand, it is well known that Jn ¼ jAðFpn Þj ¼ j1  an j j1  bn j , n n where a; b are roots of P ðxÞ and j j is complex absolute. Let tn ¼ a þ a and n . Then t1 þ s1 ¼ a1 ¼ 0 and 2p þ t1 s1 ¼ a2 . This fact with a recursn ¼ bn þ b sion formula sn ¼ sn1 s1  psn2 gives that sn ¼ tn if n is even, sn ¼ tn otherwise. Hence it is enough to derive sn or s2n to determine Jn ¼ ð1  sn þ pn Þð1  tn þ pn Þ and k. Using the induction hypothesis, we can compute Jn according to a2 as the table.  Remark 4.1 (1) In fact, the order jAðFpn Þj is explicitly computed, for each n, when it exists. (2) Galbraith [5] showed that the above embedding extension k is bounded by 12 for a supersingular abelian variety A of dimension 2 over the finite field Fq . Proposition 4.1 gives a better upper bound of k when the defining field is prime field. (3) Furthermore, it is known that there exists k such that, for all n P 1, the exponent of jAðFpn Þj divides pnk  1. Although this was proved by Galbraith (see Theorem 7 in [5]), we will give another elementary proof in this case. 5. Examples In this section we study some family of hyperelliptic curves defined over prime fields and determine all the primes p when they are supersingular as well

Y.J. Choie et al. / Appl. Math. Comput. 163 (2005) 565–576

571

as their Jacobian group structure [11]. Furthermore, we also get the upper bound of k. Example 5.1. Consider the following hyperelliptic curve of genus 2; H =Fp : v2 ¼ u5 þ a;

a 2 Fp :

Then H is supersingular () p 6¼ 1 ðmod 5Þ: Furthermore, we can derive the exact order of JH ðFp Þ and its group structure as follows: P ðxÞ

p p  2; 3 (mod 5) p9 (mod 20) p  19 (mod 20)

k

JH ðFp Þ

2

4

Z=ðp2 þ 1ÞZ

x4 þ 2px2 þ 1

1 þ 2p þ p2

2

ðZ=ðp þ 1ÞZÞ

x4 þ 2px2 þ 1

1 þ 2p þ p2

2

ðZ=ðp þ 1ÞZÞ j ðZ= pþ1 Z  Z=2ZÞ 2

4

x þp

jJH ðFp Þj 2

1þp

2

i

where i þ j ¼ 2; i; j 2 Z; i; j P 0.

Proof (1) We can check the following by direct computation; Ap 6¼ 0 () p  1 ðmod 5Þ;

A2p1 6¼ 0 () p  1 ðmod 5Þ;

A2p 6¼ 0 () p  3 ðmod 5Þ;

Ap1 6¼ 0 () p  2 ðmod 5Þ:

So, for any prime p, A2p Ap1 ¼ 0. By Theorem 3.1, H is supersingular iff Ap A2p1 ¼ 0, Ap þ A2p1 ¼ 0 and this is satisfied whenever p 6¼ 1 (mod 5). (2) When p  2; 3 (mod 5), gcd ðp  1; 5Þ ¼ 1, gcd ðp2  1; 5Þ ¼ 1. So, fx5 þ ajx 2 Fp g ¼ Fp ; fx5 þ ajx 2 Fp2 g ¼ Fp2 : P P M1 ¼ 1 þ p þ x2Fp vðx5 þ aÞ ¼ 1 þ p þ x2Fp vðxÞ ¼ 1 þ p. Similarly, M2 ¼ 1 þ p2 . Therefore, the characteristic polynomial of H is P ðxÞ ¼ x4 þ p2 and jJH ðFp Þj ¼ 1 þ p2 . (3) For the last case, let P ðxÞ ¼ x4 þ a1 x3 þ a2 x2 þ a1 px þ p2 be a characteristic polynomial. we know a1 ¼ 0 since H is supersingular and there are no prime p < 16 when p  4 (mod 5). To compute the number of rational points M2 , we can write M2 ¼ 1 þ jRj þ 2jQj, where R ¼ fx 2 Fp2 jx5 þ a ¼0g, Q ¼ fx 2 Fp2 jx5 þ a is a non-zero quadratic residue in Fp2 g. Because p2  1 is a multiple of 5 and a 2 Fp , R has five elements and Fp2 has a primitive

572

Y.J. Choie et al. / Appl. Math. Comput. 163 (2005) 565–576

5th root of unity, say f. If x0 satisfies x50 þ a ¼ y02 for some y0 2 Fp2 , then x0 fi does also for 0 6 i 6 4. For fixed y0 2 Fp2 , the equation x5 þ a ¼ y02 does not have solutions or five solutions except y02 ¼ a. In this case we have one solution x ¼ 0. So jQj  1 (mod 5) and we have only one choice a2 ¼ 2p. Hence the characteristic polynomial of H is P ðxÞ ¼ x4 þ 2px2 þ p2 and jJH ðFp Þj ¼ p2 þ 2p þ 1. The group structure of JH ðFp Þ follows from its order and the result of [11]. h Example 5.2. Consider the following hyperelliptic curve of genus 2; H =Fp : v2 ¼ u5 þ au;

a 2 Fp :

Then H is supersingular () p  5; 7 ðmod 8Þ: Furthermore, P ðxÞ

p

4

jJH ðFp Þj 2

2

p  7 (mod 8) x  2px þ p p  5 (mod 8), a is q.r in Fp x4  2px2 þ p2 p  5 (mod 8), a is q.n.r in Fp x4 þ p2

k 2

1  2p þ p 1  2p þ p2 1 þ p2

2 or 1 2 or 1 4

Proof (1) A direct computation shows that Ap 6¼ 0 () p  1 ðmod 8Þ;

A2p1 6¼ 0 () p  1 ðmod 8Þ;

A2p 6¼ 0 () p  3 ðmod 8Þ;

Ap1 6¼ 0 () p  3 ðmod 8Þ:

If p  1 (mod 8), then A2p ¼ Ap1 ¼ 0 but Ap A2p1 6¼ 0. If p  3 (mod 8), then Ap ¼ A2p1 ¼ 0 but A2p Ap1 6¼ 0. But if p  5; 7 (mod 8), then Ap ¼ A2p1 ¼ A2p ¼ Ap1 ¼ 0. So, the result follows from Theorem 3.1. (2) Let P ðxÞ ¼ x4 þ a1 x3 þ a2 x2 þ a1 px þ p2 be a characteristic polynomial. Then, we get a1 ¼ 0 for p ¼ 5; 7; 13 by a direct computation and for p > 16 by Hasse bound. By the same reason as the second case in the proof (2) of Example 5.1, we can write M2 ¼ 1 þ jRj þ 2jQj, where R ¼ fx 2 Fp2 jx5 þ ax ¼ 0g, Q ¼ fx 2 Fp2 jx5 þ ax is a non-zero quadratic residue in Fp2 g. Since p2  1 (mod 8), a 2 Fp , Fp2 has a primitive 8th root of unity, say f and jRj ¼ 5 if a is quadratic residue in Fq , jRj ¼ 1 otherwise. If x0 2 Q, then x0 f2i 2 Q, for all i; 0 6 i 6 3 and thus jQj is a multiple of 4. By using this, we can get a2 ¼ 0 if jRj ¼ 1 and a2 ¼ 2p or a2 ¼ 2p, otherwise. h

Y.J. Choie et al. / Appl. Math. Comput. 163 (2005) 565–576

573

6. Proofs In this section, proofs of theorems and lemmata given in Sections 3 and 4 are derived. 6.1. Proof of Lemma 3.2 Since ‘‘if’’ statement is trivial, we claim ‘‘only if’’ part. Let ai ; 1 6 i 6 4, be the roots of P ðxÞ which are arranged in a way that a1 a3 ¼ a2 a4 ¼ q holds (Theorem V.1.15, p. 166 in [10]). In case the splitting field K of P ðxÞ is different from Qða1 Þ or Qða2 Þ, from elementary algebra we can choose a primitive element of the splitting field K ¼ Qða1 ; a2 Þ as follows: take c ¼ a1 þ aa2 , where a satisfies a 6¼

ai  a1 a2  aj

for 1 6 i; j 6 4; j 6¼ 2 and a  0 ðmod pÞ:

So, K ¼ QðcÞ or K ¼ Qða1 Þ ¼ Qða2 Þ. Since P ðxÞ  x4 (mod p), the minimal polynomial gðxÞ of K should satisfy gðxÞ  x½K:Q (mod p) if K ¼ Qða1 Þ. If K ¼ QðcÞ, then consider a monic polynomial f ðxÞ 2 Z½x such that f ðcÞ ¼ 0 constructed as the following way: Consider a matrix M ¼ ðckl Þ0 6 k;l<16 whose entries are determined by the representation of each cai1 aj2 ; k ¼ i þ j, by ai1 aj2 ; 0 6 l ¼ i þ j < 16, where 0 6 i; j < 4. Note that f ðxÞ ¼ jxI  Mj is a monic integral polynomial with the coefficients as combination of a; q; q2 ; a1 ; a1 q; a2 and f ðcÞ ¼ 0. This implies that f ðxÞ  x16 (mod p) and, thus, the minimal polynomial gðxÞ of c should satisfy gðxÞ  x½K:Q (mod p). If Z½c is p-maximal, i.e., ½OK : Z½c

6¼ 0 (mod p), OK ring of integer of K, then pOK ¼ }½K:Q (Theorem 4.8.13, p. 196, [3]). If ½OK : Z½c

 0 (mod p), (Propositions 6.2.1 and 6.2.3, p. 307 in [3]) implies that pOK ¼ }. Here, } is a prime ideal in OK dividing p. So, we showed that p is totally ramified or remains as a prime in K. Now, let P ðxÞ ¼ ðx2  t1 x þ qÞðx2  t2 x þ qÞ where t1 ¼ a1 þ a3 ; t2 ¼ a2 þ a4 2 OK . Since a1 ¼ t1 þ t2 2 pOK  } and a2 ¼ 2q þ t1 t2 2 pOK  }, t1 and t2 are in } and thus all ai 2 }. This implies that ord} ða1 Þ ¼ ord} ða2 Þ ¼ ord} ða3 Þ ¼ ord} ða4 Þ which follows from the fact that aj ¼ rðai Þ for some r 2 AutðKÞ and rð}Þ ¼ }. Let e ¼ eð} j pÞ be the ramification index of p in OK . Since eordp ðqÞ ¼ ord} ðqÞ ¼ ord} ða1 Þ þ ord} ða3 Þ ¼ ord} ða2 Þ þ ord} ða4 Þ; we get, for all i; 1 6 i 6 4, ord} ðai Þ ¼ 2e ordp ðqÞ. Hence, the ‘‘only if’’ statement immediately follows from

574

Y.J. Choie et al. / Appl. Math. Comput. 163 (2005) 565–576

ordp ða1 Þ P

1 1 ord} ðai Þ ¼ ordp ðqÞ e 2

and ordp ða2 Þ ¼ ordp ð2q þ t1 t2 Þ P

1 minðord} ðqÞ; ord} ðt1 Þ þ ord} ðt2 ÞÞ e

1 ¼ ord} ðqÞ ¼ ordp ðqÞ: e This proves lemma. h 6.2. Proof of Theorem 3.1 First, note that M1 :¼ jH ðFq Þj ¼ 1 þ q þ

X

f ðuÞ

q1 2

in Fq ;

u2Fq q1 2

2 f1g in Fq . From the cyclic nature of Fq , the following is true  X 1 if ðq  1Þji; ui ¼ 0 if ðq  1Þ-i: u2F

since f ðuÞ

q

q1

Since f ðuÞ has degree 5, by multiplying out f ðuÞ 2 and sum over u 2 Fq , the only non-zero term comes from uq1 and u2ðq1Þ . Hence, M1 ¼ 1  Aq  A2q1 : Similarly, by letting M2 :¼ jH ðFq2 Þj ¼ 1 þ q2 þ

X

f ðuÞ

q2 1 2

in Fq2 ;

u2Fq2

we have M2 ¼ 1  Aq2  A2q2 1 : On the other hand, since Theorem 2.1––(2) implies that a1 ¼ M1  1  q;

a2 ¼ ðM2  1  q2 þ a21 Þ=2

with the fact that a1 ; a2 are rational integers, we note that dne

H is supersingular () a1  0 ðmod pÞ 2 ;

n

a2  0 ðmod pÞ :

Since Aq þ A2q1 ¼ 0;

Aq2 þ A2q2 1 ¼ 0 () a1  a2  0 ðmod pÞ;

Y.J. Choie et al. / Appl. Math. Comput. 163 (2005) 565–576

575

we can conclude that, from Lemma 3.2, H is supersingular () Aq þ A2q1 ¼ 0;

Aq2 þ A2q2 1 ¼ 0:

Now it remains to show that Aq þ A2q1 ¼ 0;

Aq2 þ A2q2 1 ¼ 0

ð6:1Þ

implies Ap  A2p1 ¼ Ap1  A2p :

ð6:2Þ

First, note that Aq2 ¼ Aqq  Aq þ Aqq1  A2q ¼ Aq  A2q1 þ Aq1  A2q ; A2q2 1 ¼ Aq2q  Aq1 þ Aq2q1  A2q1 ¼ A2q  Aq1  A2q1  Aq and, so, Eq. (6.1) yields Apn  A2pn 1 ¼ A2pn  Apn 1 :

ð6:3Þ

Again, Eq. (6.3) becomes ðApp

n1

n1

n1

n1

 Ap2p1  App1  Ap2p Þ  ðApn1  A2pn1 1  Apn1 1  A2pn1 Þ ¼ 0:

If ðApn1  A2pn1 1  Apn1 1  A2pn1 Þ ¼ 0, then by induction on n the relation (6.2) pn1 pn1 can be derived. If not, i.e., ðAp  A2p1 Þ ¼ ðAp1  A2p Þ , then, again, the equation holds since pn1 does not divide pn  1. This claims our main theorem. h

7. Conclusion It will be very useful to detect those cryptographically weak curves such as supersingular curve in advance. Or, it will be also useful to find supersingular curve for a constructive application to generate an identity-based cyptosystem suggested by Boneh and Frankin [2] and generalized by Galbraith [5]. In this paper, we show how to determine if the given hyperelliptic curve of genus 2 over the finite field Fq ; q odd, is supersingular directly from the defining equation. Finally, as an example, using the above criterion, a family of the hyperelliptic curves H =Fp of the type v2 ¼ u5 þ a and the type v2 ¼ u5 þ au have been studied. We expect that the similar criterions will be held for the case of genus 3 curves.

576

Y.J. Choie et al. / Appl. Math. Comput. 163 (2005) 565–576

References [1] L. Adleman, J. Demarrais, M. Huang, A subexponential algorithm for discrete logarithms over the rational subgroup of the Jacobians of large genus hyperelliptic curves over finite fields, in: Algorithmic Number Theory, LNCS, vol. 877, Springer-Verlag, Berlin, 1994, pp. 28–40. [2] D. Boneh, M. Franklin, Identity-based Encryption from the Weil paring, in: Advances in Cryptology––CRYPTO 2001, 21st Annual International Cryptology Conference, Santa Barbara, LNCS, vol. 2139, Springer, 2001, pp. 21–229. [3] H. Cohen, A Course in Computational Algebraic Number Theory, Springer-Verlag, 1993. [4] L.H. Encinas, A.J. Menezes, J.M. Masque, Isomorphism class of genus-2 hyperelliptic curves over finite fields, 2001, preprint. [5] S. Galbraith, Supersingular curves in cryptography, in: Advances in Cryptology––ASIACRYPT 2001 (Gold Coast), LNCS, vol. 2248, Springer, Berlin, 2001, pp. 495–513. [6] P. Gaudry, An algorithm solving the discrete log problem on hyperelliptic curves, in: Eurocrypt2000, LNCS, vol. 1807, Springer, 2000, pp. 19–34. [7] N. Koblitz, Algebraic Aspects of Cryptography, Springer-Verlag, 1998. [8] G. Frey, H.-G. R€ uck, A remark concerning m-divisibility in the divisor class group of curves, Math. Comp. 62 (206) (1994) 865–874. [9] A.J. Menezes, T. Okamoto, S.A.Q. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field, IEEE Trans. Inf. Theory 39 (5) (1993) 1639–1646. [10] H. Stichtenoth, Algebraic Function Fields and Codes, Springer-Verlag, 1993. [11] C. Xing, On supersingular abelian varieties of dimension two over finite fields, Finite Fields Their Appl. 2 (1996) 407–421.