Efficient Reduction of Large Divisors on Hyperelliptic Curves

We present an algorithm for reducing a divisor on a hyperelliptic curve of arbitrary genus over any finite field. Our method is an adaptation of a procedure for reducing ideals in quadratic number fields due to Jacobson, Sawilla and Williams, and shares common elements with both the Cantor and the NUCOMP algorithms for divisor arithmetic. Our technique is especially suitable for the rapid reduction of a divisor with very large Mumford coefficients , obtained for example through an efficient tupling technique. Results of numerical experiments are presented, showing that our algorithm is superior to the standard reduction algorithm in many cases.


Introduction and Motivation
An important concern in the implementation of curve based cryptography, as well as computer algebra systems, is the choice of algorithms with respect to performance. Cryptographic systems are often chosen according to their speed at a given security level, and the working mathematician will surely profit from shorter waiting times in front of the computer. A concrete example is divisor reduction, which represents a key ingredient in hyperelliptic curve arithmetic. Since this procedure can be rather time consuming, it is desirable to optimize this process as much as possible.
In Mumford's representation [25], a degree zero divisor D on a hyperelliptic curve of genus g is represented by a pair of polynomials (Q, P ), with Q monic of degree t and P usually (but not necessarily) of degree at most t − 1. Here, t is the number of finite places in the support of D, counted with multiplicities. The polynomial Q is referred to as the norm of D, and D is said to be reduced if t ≤ g. In the case of imaginary hyperelliptic curves, each divisor class contains a unique reduced representative, and the purpose of reduction is to determine this representative. In the real hyperelliptic curve scenario, there are in general many reduced elements in each class, and reduction generates one of them. This paper presents a procedure for efficiently reducing a divisor whose norm has very large degree. Such a divisor can arise for example in the context of scalar multiplication as employed in many cryptographic and number theoretic applications, as explained below. Our method is an adaptation of the most efficient algorithm for reducing ideals in quadratic number fields, due to Sawilla et al. [29,18], to the setting of hyperelliptic curves.
The reduction operation plays an important role in divisor arithmetic. For instance, in Cantor's seminal algorithm [4], the addition of two divisor classes is split into two steps: a composition of two degree zero divisors to obtain a divisor equivalent to the sum of the two input divisors, followed by the reduction of said composition. Composing two divisors whose norms have respective degrees s and t usually results in a divisor whose norm has degree s + t and requires a quadratic number (in s + t) of base field operations. As result, the composition of two reduced divisors generally results in a divisor whose norm has degree 2g, and this process, combined with subsequent reduction, requires a base field operation count that is quadratic in g. A different approach to divisor class addition was given by Shanks' NUCOMP algorithm [28,17], which was originally introduced in the context of composing reduced imaginary binary quadratic forms [31]. NUCOMP interleaves reduction with composition, essentially performing reduction on intermediate operands occurring during the addition. This keeps their degrees well below 2g and additionally avoids other computational overhead arising in Cantor's technique. The total number of base field operations is still quadratic in g, but in practice, NUCOMP performs significantly faster than Cantor's method [20] in most cases.
Our focus in this paper is somewhat different from the scenario of computing the reduced composition of two divisors. Instead, the main application of the research described here is the efficient reduction of a divisor of very large norm, i.e. whose norm has degree significantly larger than 2g. In practice, such a divisor is often obtained by composing several -i.e. more than two -not necessarily distinct divisors. To motivate this scenario, we consider an operation on divisors that is an essential ingredient in much of hyperelliptic curve cryptography and number theory: scalar multiplication.
Given a divisor D and an integer n, the scalar multiplication of D by n consists of computing (a divisor equivalent to) nD. The most common method to perform this operation is based on a suitable digital expansion of the scalar n. For instance, using a base 2 expansion n = i=0 n i 2 i , one can compute the n-fold of D by a Horner scheme, i.e. a double-and-add method. The most commonly used binary expansion is the w-NAF [5,32,1]; we refer to [12] for additional information on scalar multiplication techniques. On elliptic curves over fields of characteristic three [21], one would adopt a triple-and-add method. In the hyperelliptic curve scenario, this corresponds to composing three copies of the same divisor, see [15] for efficient divisor tripling. In general, the composition of p copies of the same divisor on a curve defined over a field of characteristic p is often an inexpensive process. This is because its main ingredient is the computation of the p-th power of a polynomial, which in characteristic p is very fast. One can even employ several bases simultaneously to expand a given scalar and use such an expansion for scalar multiplication [7,9,6].
In all these scalar multiplication techniques, one would first employ tupling, i.e. scalar multiplication of a given group element by the underlying base(s) and possibly some of their products and powers. For example, in a double-base representation using 2 and 3 as bases, one would wish to precompute at the minimum the divisors 2D and 3D, and possibly 5D, 6D, and other higher multiples of D as well. While this is usually quite straightforward, the resulting divisors will then have to be reduced. This reduction process needs to handle polynomials of very large degree: m-tupling a reduced divisor on a curve of genus g is expected to result in Mumford coefficients of degree as large as mg. This necessitates highly efficient reduction algorithms.
Reduction of a divisor on a hyperelliptic curve is closely linked to the regular continued fraction expansion of the corresponding irrational function in an appropriate field of Laurent series [20]. Such an expansion is expensive to compute. In contrast, the continued fraction expansion of a rational function is simply produced by the Euclidean algorithm and is thus efficiently computable. It is therefore desirable to replace the partial quotients in the expansion of the irrational function arising in the classical reduction procedure by those of a known close rational approximation in such a way that the process still leads to the correct reduced divisor.
This fact was first exploited in the context of arithmetic on ideals in quadratic number fields in [30] and of Jacobians of hyperelliptic curves [4]. It is also the basis for the NUCOMP algorithm mentioned earlier. The idea was again employed by Sawilla et al. [29,18] in the context of reducing ideals in quadratic number fields. Sawilla's technique is the best available reduction algorithm in this setting and represents the starting point for our divisor reduction procedure. In addition, our method shares similarities with Cantor's and uses ideas akin to those employed in NUCOMP as presented in [20]. However, we note that Cantor only considered imaginary hyperelliptic curves over fields of odd characteristic, whereas our description also includes real models and applies to any finite field.
As in both Sawilla's and Cantor's methods, the approximating rational function is the quotient of the two Mumford polynomials of the divisor to be reduced; note that NUCOMP uses a different rational approximation. The Euclidean algorithm is applied to these polynomials until half way to finding their greatest common divisor, at which point we obtain a divisor that is almost always reduced and is (in the setting of certain real hyperelliptic curves) at most one step away from being reduced; this is analogous to the NUCOMP situation. We discuss how to avoid this potential extra reduction step, and provide formulae for the final reduced divisor that eliminate the need to compute all the intermediate divisors and are computationally more efficient than Cantor's. This paper is organized as follows. In Sections 2 through 6, we recall the necessary background on hyperelliptic curves and continued fractions, and explain the connection to divisor reduction. We then describe our reduction algorithm plus some variations, and present numerical experiments designed to test their efficiency, in Section 7. An alternative representation of a real hyperelliptic curve that provides some advantages for our reduction algorithm is given in Section 8. Conclusions and ideas for future research are found in Section 9.

Overview of Hyperelliptic Curves
A considerable amount of literature has been devoted to hyperelliptic curves and their cryptographic applications. We therefore only provide an overview of the material required here and refer the reader to [24,16,19,20] for more details. Following the description of [19], we define a hyperelliptic curve of genus g over a finite field F q (with q any prime power) to be an absolutely irreducible, non-singular affine plane curve of the form and h is usually (but need not be) taken to be zero if q is odd. Such a curve can take on the following two forms: • Imaginary model: f is monic, deg(f ) = 2g + 1, and deg(h) ≤ g; • Real model: h = 0 or h is monic and deg(h) = g +1. Moreover, if q is odd, then f is monic and deg(f ) = 2g + 2. If q is even, then either deg(f ) ≤ 2g + 1, or deg(f ) = 2g + 2 and the leading coefficient of f is of the form sgn(f ) = u 2 + u for some non-zero u ∈ F q .
The coordinate ring of C is the ring F q [x, y]; its field of fractions F q (x, y) is the function field of C. The hyperelliptic involution on C takes y to y = −h(x) − y, and hence extends to the conjugation map on F q (x, y) that maps every element α = a + by ∈ F q (x, y) (with a, b ∈ F q (x)) to its conjugate α = a − bh − by.
Imaginary hyperelliptic curve models have one (ramified) place at infinity, denoted by ∞, whereas real models have two infinite places, ∞ and ∞, both of degree one. In the latter case, there are two embeddings of F q (x, y) into the field of Laurent series F q x −1 , given by the valuations v ∞ and v ∞ corresponding to the two infinite places. Non-zero elements in F q x −1 have the form α = a n x n + · · · + a 0 + a −1 x −1 + · · · with n ∈ Z, a i ∈ F q for i ≤ n, and a n = 0. Write n = deg(α), a n = sgn(α), and α = a n x n + · · · + a 1 x + a 0 ∈ F q [x]. We choose the embedding of F q (x, y) into F q x −1 with deg(y) = −v ∞ (y) = g + 1; this establishes the notion of degree and sign for non-zero functions in F q (x, y).
Every degree zero divisor D on C can be uniquely written in the form where D x is a finite divisor, i.e. a divisor on C whose support does not include any of the infinite places. Here, δ(D) = −v ∞ (D) is the value of D at the place ∞, referred to as the distance of D, if C is real. For C imaginary, D is thus uniquely determined by its finite part D x , whereas for C real, D is uniquely determined by D x and δ(D).
The exact definition of a semi-reduced divisor can be found in [4]; suffice it to state here that the semi-reduced divisors on C are exactly those divisors D whose finite portion D x can be represented by a pair of polynomials Q, P ∈ F q [x] with Q dividing P 2 + hP − f . Here, Q is unique up to constant factors in F q -usually Q is chosen to be monic -and P is unique modulo Q. The pair (Q, P ) is generally referred to as the Mumford representation of D x . In literature sources that focus on imaginary hyperelliptic curves, the Mumford representation specifies that deg(P ) < deg(Q), but we will not impose this restriction here; in fact, in our algorithm, we generally have deg(P ) = deg(Q) + 1. A semi-reduced divisor D is reduced if the Mumford representation (Q, P ) of D x satisfies deg(Q) ≤ g.
The Jacobian J of C over F q is the group of degree zero divisor classes defined over F q under linear equivalence. An easy consequence of the Riemann-Roch Theorem is the fact that every divisor class in J contains a reduced divisor D. Arithmetic in J can then be performed via these reduced representatives. Real hyperelliptic curve cryptography can also take place in the (principal) infrastructure of C, which is the set of reduced principal divisors D with 0 ≤ δ(D) < R. Here, R is the order of the divisor class of ∞ − ∞ in J and is refereed to as the regulator of C.
In the context of Jacobian or infrastructure arithmetic, and specifically public key cryptography, one is frequently faced with the following situation: a potentially large semi-reduced divisor E is given; here, "large" refers to the degree of the polynomial Q in the Mumford representation of E x , i.e. deg(Q) is larger, and possibly significantly larger, than the genus g of C. The task is to find a reduced divisor D linearly equivalent to E as efficiently as possible. If C is imaginary, then D is unique. If C is real, then usually certain restrictions on δ(D) relative to δ(E) are imposed to guarantee uniqueness. One such common example is the condition 0 ≤ δ(E)−δ(D) ≤ g which can always be satisfied; in practice, one can even achieve δ(D) = δ(E); see [27,11,19].
In order to treat the imaginary and real hyperelliptic curve scenarios simultaneously, we will henceforth write every semi-reduced divisor D as D = (Q, P, (δ)) where (Q, P ) is the Mumford representation of D x , δ = δ(D) is included in the representation of D if C is real, and δ is not included otherwise.

Continued Fraction Expansions
We review some basic required facts about continued fractions, confining our discussion to rational functions only, rather than the more general scenario of Laurent series considered in [20].
A continued fraction expansion is any symbolic expression of the form [q 0 , q 1 , . . . , q n , α n+1 ] := q 0 + 1 Associated with the continued fraction expansion α 0 = [q 0 , q 1 , . . . , q m ] are the following two sequences of polynomials in F q [x]: and is hence known as the i-th convergent of α. The name is justified by inequality It will be useful to define two more sequences of polynomials: The sequences given in (3.3) and (3.1) are related as follows: These identities are easily established using induction. Using (3.4) and (3.5), (3.2) can now be rewritten as Note that in the special case when the sequences q i and C i represent the quotients and remainders, respectively, obtained when applying the Euclidean algorithm to α 0 = P 0 /Q 0 . In this case, α 0 = [q 0 , q 1 , . . . , q m ] is known as the regular continued fraction expansion of α 0 , and we have q i = α i for 0 ≤ i ≤ m. Since deg(C i ) strictly decreases and deg(J i ) strictly increases as i increases from 0 to m, (3.6) implies which is a stronger statement than (3.7). Note that the length m + 1 of the regular continued fraction expansion of P 0 /Q 0 is usually of approximate order deg(Q 0 ). More exactly, since deg(C i ) decreases by at least one (and usually exactly one) as i increases, we see that deg ). Since this inequality is usually close to sharp, and gcd(P 0 , Q 0 ) tends to have small degree, we see that m + 1 ≈ deg(Q 0 ).

Continued Fractions and Hyperelliptic Divisors
The relationship between continued fraction expansions and hyperelliptic divisor arithmetic was described in considerable detail in [20], but mainly in the context of divisor composition with subsequent reduction via the NUCOMP algorithm. Although the techniques used here share similarities with those employed in NU-COMP [20], the results and formulas appearing here are new, and we present a more general framework than [20].
Let C be a hyperelliptic curve over F q as given in (2.1), and as before, fix poly- Put Ψ 1 = 1, and for 2 ≤ i ≤ m + 2, denotes the principal divisor of any non-zero function α ∈ F q (x, y). Then it is easy to verify, using (4.1), that Our aim is to obtain closed form formulae for Q i and P i in terms of the sequences C i and J i only, using (4.3). These formulae avoid the need to compute the intermediate . A similar idea was employed in the NUCOMP algorithm -see expression (8.1) of [20] -except that the sequence (−1) i A i , with A i as given in (3.1), was used in place of J i . In fact, there are many similar such expressions for the Mumford coefficients Q i and P i in terms of the remainder sequence C i and one other related linear sequence. In our context, we chose the formulation in terms of C i and J i because in view of (4.3), it allows for the most straightforward treatment and minimizes notation as well as computational effort.
Proof. From (4.1), it is easy to verify that Furthermore, again by (4.3), The formula for P i can now be read off by comparing the basis coefficient of 1 on both sides.
The polynomials P i and Q i are related as follows: with Q 0 dividing f + hP 0 − P 2 0 , and let Q i , P i be defined by (4.1), and C i , J i by (3.3). Then Proof. Multiply the expressions for P i+1 and Q i+1 in Proposition 4.1 by C i−1 and C i−2 , respectively, to obtain Our claim now follows from (3.6). The second identity can be obtained similarly.

Divisor Reduction via Continued Fractions
Consider now the case where P 0 /Q 0 = [q 0 , q 1 , . . . , q m ] is the regular continued fraction expansion of P 0 /Q 0 . Conventional divisor reduction as described for example in [20] applies uniformly to both real and hyperelliptic curves (although in practice, one would not use the technique for imaginary curves).
The idea is to compute a reduced (or almost reduced) divisor D i+1 = (Q i , P i , (δ i+1 )) linearly equivalent to some starting divisor D 1 = (Q 0 , P 0 ), (δ 1 )) by repeatedly applying (4.1) until a polynomial Q i of degree at most g (or possibly g + 1) is reached. Each iteration of (4.1) reduces the degree of Q i by at least 2, except for the last step which might only reduce it by 1. When C is real, the relative distance δ i+1 −δ 1 can easily be obtained alongside as well. In almost all situations, a reduced divisor is obtained; for just one scenario (which only occurs when deg(f ) = 2g + 2), this procedure might only produce a minimal degree of g + 1 for Q i , but a slight change in the expression (4.1) for P i in the last step yields a reduced divisor. The target divisor is reached after at most (deg(Q 0 ) − g)/2 iterations; this bound is generally sharp, especially for large base fields F q .
The recursive nature of (4.1) requires the computation of the Mumford basis coefficients of all the intermediate divisors D 2 , D 3 , . . . , D i , which is very costly. This can be avoided by computing Q i and P i via the much faster linear recurrences (3.3), using the expressions given in Proposition 4.1. However, the termination condition deg(Q i ) ≤ g is now useless -one cannot know if this holds at any given point without actually computing Q i , which is exactly what we wish to avoid. In this section, we replace this condition by a more suitable termination condition involving either one of the sequences J i or C i . We also explain how the distance of the reduced target divisor can be found.
The ideas described above -using the partial quotients of the regular continued fraction expansion of a suitable rational function and certain simple linear recurrences to avoid computing intermediate divisors -were already employed in the NUCOMP algorithm. So it is once again not surprising that the techniques utilized in this section are quite similar to those of [20,Section 8]. The main difference is that NUCOMP is based on the continued fraction expansion of a different rational function that was first suggested by Schnorr and Seysen (see Appendix A of [29]). The numerator and denominator of this rational function, when expressed in lowest terms, arise from the formulae for divisor addition, and their degrees are bounded by the genus g of the curve when the input divisors are reduced. For this reason, when the aim is to find the reduced composition of two reduced divisors, NUCOMP is more efficient than composing the two divisors and subsequently applying the reduction method presented here. As mentioned earlier, our algorithm is instead best suited to the situation when the input divisor D 1 is very large, i.e. the Mumford coefficients Q 0 and P 0 have degree significantly exceeding 2g.
We continue to let C be a hyperelliptic curve of genus g over F q as given in (2.1). Throughout this section, Q 0 , P 0 are polynomials in F q [x] with Q 0 non-zero and Q 0 dividing f + hP 0 − P 2 0 . We also assume that deg(Q 0 ) ≥ g + 1, as otherwise D 1 is already reduced. Henceforth, we restrict to the case of the regular continued fraction expansion of P 0 /Q 0 and make the connection to reduction. That is, P 0 /Q 0 = [q 0 , q 1 , . . . , q m ] where q i = C i−2 /C i−1 for 0 ≤ i ≤ m, with C i given by (3.3). We begin with some bounds on deg(Q i ).
Lemma 5.1. Let Q i , P i (1 ≤ i ≤ m + 1) be given by Proposition 4.1, and let r ≥ 0 be the maximal index such that Then the following hold.
We use the formula for Q i given in Proposition 4.1 for our proof, and bound each of the summands in that expression separately, starting with the middle summand. Since J 0 = −1 and deg(Q 0 ) ≥ g + 1, we see that deg(J 0 ) ≤ N , so the index r ≥ 0 as defined in (5.1) exists. We also note that deg where the first inequality is an equality if deg(Q 0 ) − g is odd, and the second inequality is an equality if deg(Q 0 ) − g is even.
Using (3.9), and noting that deg(Q 0 ) − N = (deg(Q 0 ) + g)/2 , we easily derive the following alternate characterization of the index r of Lemma 5.1: From Lemma 5.1, we infer the following.
Corollary 5.2. With the notation of Lemma 5.1, set D i = (Q i−1 , P i−1 , (δ i )). Then the following hold: 1. D i is not reduced for 1 ≤ i ≤ r. 2. D r+1 is reduced if and only if deg(J r ) = N and deg(Q 0 ) − g is even.
3. If D r+1 is not reduced, then D r+2 is reduced unless deg(Q 0 ) − g is odd, deg(J r ) = N and deg(f ) = 2g + 2, in which case D i is not reduced for all We note the similarity of Lemma 5.1 to Lemma 8.1 and Corollary 8.1 of [20], and that of Corollary 5.2 to Proposition 8.1 of [20].
By Lemma 5.1, deg(Q i ) decreases by at least 2 whenever i increases, except for the step just before the minimal degree (g or g +1) is encountered, which may result in a decrease by one only. The only problem case, when none of the divisors D i (1 ≤ i ≤ m + 2) is reduced, happens when deg(f ) = 2g + 2, deg(Q 0 ) − g is odd, and deg(J r ) = N . Then D r+1 (and also D r+2 ) is as close to being reduced as possible. We will address this last situation shortly and also revisit it in Section 8.
Corollary 5.3. Let Q i , P i (1 ≤ i ≤ m + 1) be given by Proposition 4.1, and r by (5.1). Then q i = P i /Q i for 0 ≤ i ≤ r − 1. In addition, if deg(Q r ) ≥ g + 1, then q r = P r /Q r .
Proof. By Lemma 4.2 and (3.9), we have The result of Corollary 5.3 is analogous to Theorem 7.1 of [20]. It shows that (4.1) with q i = C i−2 /C i−1 (0 ≤ i ≤ m) is in fact identical to the conventional reduction method as described in [20]. Therefore, the divisors D i = (Q i−1 , P i−1 ) produced by the algorithm of [20] are identical to those produced by (4.1) and by Proposition 4.1.
In the case when deg(f ) = 2g + 2, deg(Q 0 ) − g odd and deg(J r ) = N , we obtain deg(Q r ) = deg(Q r+1 ) = g + 1 according to Lemma 5.1. In this case, a modified version of (4.1) needs to be applied to D r+1 = (Q r , P r , δ r+1 ) to obtain a reduced divisor as follows. First, precompute an element s ∈ F * q such that s 2 = sgn(f ) if q is odd and s 2 + s = sgn(f ) if q is even, so s = sgn(y) or s = sgn(−y − h). Specifically, s = ±1 if q is odd and s = u or u + 1 with sgn(f ) = u 2 + u if q is even. Now set These expressions are the analogue of Equation (8.5) of [20]. If both the pairs (Q r , P r ) and (Q r−1 , P r−1 ) are available, then the full division by Q r in (5.3) can be avoided by using the recursion Proof. We have By Lemma 5.1, deg(Q r ) = g + 1, so deg(R r ) ≤ deg(Q r ) − 1 = g. Therefore, both summands in the numerator of the right hand side of (5.5) have degree at most 2g + 1. Thus, deg(Q r ) = g + 1 implies deg(Q r+1 ) ≤ g.
We conclude this section by determining the distance of the reduced target divisor in the case when C is real.
Theorem 5.5 is analogous to the discussion about distances on p. 228 of [20]. We point out that we generally expect deg(P i + y) = g + 1 in the above identity. Furthermore, the sum above can be computed concurrently with the recurrence for C j by initializing d 1 = δ 1 − deg(Q 0 ), computing d j+1 = d j + deg(q j ) alongside q j and C j for 1 ≤ j ≤ i, and finally setting δ i+1 = d i + deg(P i + y).
We are now able to compute the Mumford representation of a reduced divisor D i+1 that is linearly equivalent to D 1 , and the distance of D i+1 if C is real, directly from D 1 . No intermediate divisors D 2 , D 3 , . . . are computed except in one case, where only D i needs to be computed.
In the next section, we derive expressions for Q i and P i that represent an alternative to those given in Proposition 4.1. They make use of the recurrences C i , J i and A i as given in (3.3) and (3.1), respectively, as well as another new sequence of polynomials E i given in (6.2) below.

More Mumford Representation Formulae
The discussion of NUCOMP in [20] used four linear sequences to express the Mumford coefficients of a divisor. Here, we proceed similarly and introduce one more auxiliary linear sequence of polynomials to accompany the already familiar sequences C i and J i of (3.3) and A i of (3.1). Using the same notation as in the previous section, put where A i and B i are as in (3.1). Two more auxiliary identities, easily verified by applying induction to (3.1), (3.3) and (6.2), will facilitate the development of our final formulae: We are now ready to provide our desired expressions for P i and Q i . These formulae are reminiscent of (7.9) and (7.10) of [20].

Thus,
by (6.6) and (6.1) using the above expressions for Q i and P i 1) and (3.3) .

The Reduction Algorithm, Variations, and Experiments
Finding a reduced divisor linearly equivalent to D 1 = (Q 0 , P 0 ) now simply requires applying the Euclidean algorithm to P 0 /Q 0 , i.e. computing the sequence of quotients q i and remainders C i , until the index r is found as defined in (5.1). Then the Mumford coefficients Q r and P r of the reduced or almost reduced divisor D r+1 need to be recovered.
In the preceding sections, several options for recovering these coefficients have been presented. These variations are distinguished by which recurrences are computed along with the remainders C i and which formulae are used at the end. Although more versions are possible, we only list three below, having chosen not to consider those that involve more than one division by the large degree Q 0 .
1. Compute only J i recursively along with C i , then compute Q r via Proposition 4.1 and P r via the second formula of Lemma 4.2. This requires one division by Q 0 and one by the much smaller polynomial J r , plus a number of multiplications involving not too large operands. 2. Compute both A i and J i recursively along with C i , then E r = (h − P 0 )A r + (−1) r+1 R 0 J r , and finally Q r+1 and P r+1 via Theorem 6.1, using the second of the two formulae for P r+1 . This requires one division by Q 0 and one multiplication involving two large operands, P 0 (h − P 0 ), to compute R 0 , two multiplications involving one small operand and one large operand, (h−P 0 )A r and (−1) r+1 R 0 J r , to compute E r , four multiplications involving medium size operands for the formulae of Theorem 6.1, and two recurrences. 3. Compute all three sequences A i , J i , E i recursively along with the C i . This requires one division by Q 0 and one multiplication involving two large operands, P 0 (h − P 0 ), to compute E −2 , four multiplications involving medium size operands for the formulae of Theorem 6.1, and three recurrences.
It is easy to see that at least one of the sequences A i , E i , J i needs to be computed with C i , since not all three sequences can be recovered from C i alone. It is unknown whether D r+1 can be found without any polynomial divisions.
We implemented all three versions of our reduction algorithm for divisor reduction in imaginary hyperelliptic curves and compared their performance to that used in Cantor's algorithm. We used the computer algebra library NTL [26] for finite field and polynomial arithmetic and the GNU C++ compiler version 4.1.2. The computations described below were performed on an Intel Core Duo 2.66 GHz processor running Linux. All four algorithms were implemented using curves defined over finite prime fields F p and characteristic 2 finite fields F 2 n .
For our experiments, we used finite fields F q where q has 2, 4, 8, 16, 32, and 64 bits. The odd q were taken to be the smallest prime of the given length. For each value of q, we selected 5 random imaginary hyperelliptic curves of genus 2-15, 20, 25, and 30. For each curve, we applied the four reduction algorithms to random prime divisors D = (Q, P ), Q irreducible, for which deg(Q) = mg with m ∈ {2, 4, 8, 16, 32, 64, 128, 256}. We recorded the average time required to reduce a prime divisor of a given size using each algorithm, taken over all prime divisors and curves for a fixed genus and q.
Of the three variations of our new reduction algorithm, the first variation was the most efficient in all cases except m = 2. In other words, the versions that require computing more than the J i recursively do not seem to offer any performance improvements.
Unfortunately, the new reduction algorithm does not compare so favorably to the basic version due to Cantor; we address a possible reason for this in the last section. In the following tables, we give the average times per reduction (in milliseconds) for all the genera g and scalars m listed above. Table 7.1 gives the times for curves defined over F p where p = 65537 is a 16-bit prime, and Table 7.2 gives the times for curves defined over F 2 16 . The results for the other finite fields we tested are similar, so these data are omitted for brevity. Times are given for Cantor's reduction algorithm and the first version of our reduction algorithm. Shaded cells indicate that for the given genus g and scalar m, the new reduction algorithm was the faster of the two. As can be seen from the tables, our new reduction algorithm does consistently out-perform Cantor's algorithm once m is sufficiently large in the odd characteristic case. It also appears that its relative performance improves slightly as the genus increases. Both these phenomena are what one would expect; as more reduction We revisit the unfortunate scenario where Proposition 4.1 does not yield a reduced divisor. Recall that this situation was encountered exactly when deg(J r ) = N , deg(Q 0 ) − g is odd, and deg(f ) = 2g + 2. Suppose that C is given by (2.1) with deg(f ) = 2g + 2. We generally expect deg(J r ) to increase in steps of one as i increases, so deg(J r ) = N will likely occur. We have no influence over this. This leaves the investigation of what to do if deg(Q 0 ) − g is odd.
Suppose that D 1 = (Q 0 , P 0 , (δ 1 )) is a scalar multiple of some reduced divisor D = (Q, P, (δ)); this is a common situation in hyperelliptic curve arithmetic and cryptography. Say D 1 = mD. Then one expects deg(Q) = g and deg(Q 0 ) = mg. If m is odd -this is more likely to occur when the order q of the base field is oddthen deg(Q 0 ) − g = (m − 1)g is even, so our problem case does not happen.
The case m even, i.e. deg(Q 0 ) − g odd, is more likely to occur over fields of even characteristic. In this case, one can use a hyperelliptic curve model (with the same polynomial h) that is isomorphic to C and avoids the problem scenario. For our purposes, it suffices to ensure deg(f ) ≤ 2g + 1, but it is possible to obtain a much lower bound, namely deg(f ) ≤ g. In fact, if q is odd, this also produces an isomorphic model with a lower degree right hand side, but at the expense of introducing a y-coefficient.
Theorem 8.1. Let C : y 2 +h(x) = f (x) be a real hyperelliptic curve of genus g over any finite field F q as given in (2.1) with deg(f ) = 2g + 2. Then C is isomorphic to a real hyperelliptic curve C : z 2 + H(x)z = F (x) over F q , where deg(F ) ≤ g, deg(H) = g + 1, and F q [x, z] = F q [x, y].
If q is even, then H = h, and C requires far less storage than C, namely 2g + 2 − deg(F ) ≥ g + 2 fewer elements in F q . For q odd, there may be no reduction in storage when switching from C to C . The model C requires storing the 2g + 3 coefficients of f , while C needs space for the g + 2 coefficients of h and up to g + 1 coefficients of F .
In practice, finding Y requires computing the first g+1 coefficients of the Laurent expansion of y in F q x −1 . Write y = sx g+1 + y g x g + · · · + y 0 + y −1 x −1 + · · · with s = sgn(y); note that s = ±1 if q is odd. Then it is easy to see that y i satisfies a linear equation in the higher-indexed coefficients y j (i+1 ≤ j ≤ g) whose coefficients involve s −1 as well as the coefficients of f , and of h if q is even. So finding Y requires solving g + 1 linear equations over F q to successively find y g , y g−1 , . . . , y 0 . If q is even, then a quadratic equation over F q may also need to be solved to find s, plus one inversion to obtain s −1 .
We conclude with the remark that this kind of variable transformation has no analog for imaginary hyperelliptic curves. In addition to eliminating the need for an extra reduction step in our reduction algorithm, this model warrants further investigation in that it might offer some advantages for divisor arithmetic, possibly saving some field operations in the context of low-genus explicit formulae. For q even, arithmetic on C will certainly be no slower than that on C; for q odd, it is unclear how the two models compare. In either case, it would be interesting to explore in detail how divisor arithmetic on C compares to that on C in terms of efficiency; this is the subject of ongoing research.

Conclusions and Further Work
As shown in Section 7, our reduction algorithm does offer some performance improvements for reducing sufficiently large divisors. When using curves over prime fields, our algorithm is faster than Cantor's algorithm in all cases as soon as the size of the divisor to reduce is sufficiently large. For even characteristic fields, our results are not as convincing, with improvements realized in only a few cases.
It should be possible to improve the performance of our algorithm further. In the number field version described in [18], the best performance is only realized when using an accelerated partial extended GCD algorithm. An adaptation of Lehmer's algorithm [22] works well, especially with large operands, as it replaces most of the multi-precision integer operations with single precision operations. The half-GCD algorithm translates some of the ideas of Lehmer's algorithm to the polynomial case. A version of this algorithm that stops part-way through the computation should greatly improve the efficiency of our reduction algorithm, and hopefully make it more competitive in the even characteristic case.
Another open question is whether our reduction algorithm can be used to improve the m-tuple based scalar multiplication techniques mentioned in Section 1. To properly test this, it will be necessary to develop explicit formulae for the most cryptographically interesting scenarios, i.e., genus at most 3 and certain specific sizes of non-reduced divisors. In addition, these should be implemented using dedicated finite field arithmetic routines tailored to specific fields of interest. This, as well as the aforementioned issues, are the subject of ongoing research.