COMPARISON OF SCALAR MULTIPLICATION ON REAL HYPERELLIPTIC CURVES

Real hyperelliptic curves admit two structures suitable for cryptography — the Jacobian (a finite abelian group) and the infrastructure. Mireles Morales described precisely the relationship between these two structures, and made the assertion that when implemented with balanced divisor arithmetic, the Jacobian generically yields more efficient arithmetic than the infrastructure for cryptographic applications. We confirm that this assertion holds for genus two curves, through rigorous analysis and the first detailed numerical performance comparisons, showing that cryptographic key agreement can be performed in the Jacobian without any extra operations beyond those required for basic scalar multiplication. We also present a modified version of Mireles Morales’ map that more clearly reveals the algorithmic relationship between the two structures.


Introduction
In 1976, Diffie and Hellman [3] introduced their celebrated key agreement protocol. While they originally described their scheme in the context of finite fields, other suitable finite abelian groups have since been successfully employed. In particular, the Jacobian of a hyperelliptic curve over a finite field was first proposed for this purpose by Koblitz [12], spawning a great deal of work on the subject; see [2] for a partial survey.
The majority of work on hyperelliptic curve cryptosystems has been confined to so-called imaginary hyperelliptic curves, those originally proposed in [12]. However, two other models are available, including the more general real model, which often arises naturally in constructive methods for generating cryptographically suitable curves. In addition to the Jacobian, the real model admits a second structure called the infrastructure. Although not a group, it was nevertheless shown by Scheidler, Stein, and Williams [15] that it could also be used for cryptographic purposes. First attempts to describe arithmetic in the Jacobian and the infrastructure of a real model required extra adjustment steps that were not required in the imaginary model. Consequently, the real model was deemed to be less desirable for cryptographic applications due to its slower performance in practice.
Recent work on arithmetic in the real model has begun to close this performance gap. Galbraith et al. [8] introduced the notion of balanced divisors for arithmetic in the Jacobian, which heuristically removed almost all adjustment steps. Jacobson et al. [9] described improvements to scalar multiplication in the infrastructure. In the variable base case, where the base divisor is an input parameter, a technique was introduced in which all adjustment steps were eliminated heuristically at the cost of a small precomputation. In the fixed base case, a modified algorithm was described that requires no adjustment steps and in which divisor additions were replaced by the faster "baby step" operation.
Although both the Jacobian and the infrastructure can be used for cryptographic applications, it was originally not clear exactly how they were related, or which one offered faster performance in practice. In unpublished work, Mireles Morales [14] described the relationship between the infrastructure and a particular cyclic subgroup of the Jacobian. He showed explicitly that these two structures are equivalent in the sense that any computation in one structure can be reduced to an analogous computation in the other. Furthermore, he made the claim that when coupled with the balanced divisor arithmetic from [8], performing the desired computations in the Jacobian should always be more efficient than in the infrastructure. However, he did not take into account the improved infrastructure arithmetic from [9] in his analysis.
In this paper, we investigate the assertion by Mireles Morales, considering state-of-the-art algorithms for arithmetic in both settings, including the results of [9]. We confirm that scalar multiplication in the Jacobian using balanced divisor representatives is slightly faster than the corresponding operations in the infrastructure. We describe how to perform both types of scalar multiplication in the Jacobian using the same performance improvements from the infrastructure. We formally analyze the cost of the resulting algorithms as compared with those in the infrastructure, and provide numerical experiments showing that key agreement using the Jacobian is slightly faster in genus two. We also present a modified version of Mireles Morales' map that clarifies the algorithmic relationship between the Jacobian and the infrastructure.
We stress that the main contribution of this paper is the analytical comparison between scalar multiplication in the Jacobian and the infrastructure using the latest algorithms, answering the question of which setting is faster based on operation counts. The numerical results we provide are meant only to support these results and give a relative performance comparison with the imaginary case. We use a common hardware and software platform in order to provide a fair comparison. Divisor arithmetic is done using the affine representation in all cases, because projective formulas in the real case are still under development and have not yet been published. For these reasons, a highly-optimized dedicated software implementation using, for example, special types of defining equations and coordinate systems, is beyond the scope of this paper.
This paper is organized as follows. We describe real hyperelliptic curves and the Jacobian in Section 2, as well as algorithms for computing in the Jacobian using balanced divisors as presented in [8]. In Section 3, we review the infrastructure of a real hyperelliptic curve and the main arithmetic operations in that context. Mireles Morales' map between infrastructure and Jacobian [14] and our modified map are presented in Section 4. The improved infrastructure arithmetic of [9] takes advantage of certain heuristics involving "holes" (i.e. missing images) in this map; these holes and their properties are the subject of Section 5. We describe how results of Fontein [6] justify the heuristic assumptions used in the arithmetic from [9], and how these can be applied analogously in the Jacobian setting. The resulting scalar multiplication algorithms in both settings, using fixed and variable base divisors, are discussed in Section 6; this includes a comparative analysis. Numerical data supporting our analysis is presented in Section 7, followed by conclusions and suggestions for future work in Section 8.

Hyperelliptic curves and balanced divisors
Much of the literature on hyperelliptic curve cryptography considers imaginary hyperelliptic curves, which have one rational point at infinity. Here, every degree zero divisor class contains a unique reduced representative, and the resulting efficient divisor arithmetic has been investigated extensively. In contrast, real models have two rational infinite points, so any degree zero divisor class generally contains a large number of reduced divisors. Thus, additional conditions are required in order to establish a unique representation for each degree zero divisor class. In [8], Galbraith et al. introduced a representation of elements in the Jacobian of a real hyperelliptic curve which is balanced at the two points at infinity. In this section, we briefly review the main definitions and operations for real hyperelliptic curves using balanced divisors. For more details, we refer the reader to [4], [5], and [8].
Throughout, let k = F_q be a finite field of prime power order q, k[x] the ring of polynomials in x over k, and k(x) the field of rational functions in x over k.

Definition 2.1. A hyperelliptic curve C of genus g (defined) over k is an affine curve that is absolutely irreducible, smooth, and given by an equation of the form y^2 + h(x)y = f(x), where f, h ∈ k[x] satisfy one of the following two conditions:
1. deg(f) = 2g + 1, f is monic, and h = 0 if q is odd whereas deg(h) ≤ g if q is even. In this case, C is said to be imaginary;
2. deg(f) = 2g + 2, f is monic and h = 0 if q is odd, whereas f has leading coefficient e^2 + e for some e ∈ k^* and h is monic of degree g + 1 if q is even. In this case, C is said to be real.

When C is imaginary, it has a unique k-rational point at infinity, denoted by ∞, whereas if C is real, there are two k-rational infinite points on C, denoted by ∞^+ and ∞^-, respectively. For real models, we denote by ν_{∞^+} and ν_{∞^-} the two corresponding discrete valuations on k(C); it is straightforward to see that . We fix an embedding of k(C) into the field k((x^{-1})) of Puiseux series in x^{-1} over k, the completion of k(x) with respect to both ∞^+ and ∞^-. Then the floor function on k((x^{-1})) is well-defined on k(C); in particular, ⌊y⌋ and ⌊−y − h(x)⌋ are polynomials in k[x] of degree g + 1. Following [8], we let a^+ and a^- be their respective leading coefficients, so {a^+, a^-} = {1, −1} if q is odd and {a^+, a^-} = {e, e + 1} (with e as given in Definition 2.1) if q is even. The quantities ⌊y⌋, a^+ and a^- are required in several algorithms later on.
For any hyperelliptic curve C over k, we denote by Div^0(C) its group of degree zero divisors on C defined over k. Henceforth, all divisors are assumed to be defined over k. The hyperelliptic involution on C naturally extends to divisors, and the image of a divisor D under this map is denoted by D̄.
We denote by div(α) the principal divisor of α ∈ k(C)^*. Two divisors D_1, D_2 ∈ Div^0(C) are (linearly) equivalent, denoted D_1 ≡ D_2, if they differ by a principal divisor. The (degree zero) divisor class group, or Jacobian, of C over k, denoted Cl^0(C), is the group of divisor classes under linear equivalence. The class of a divisor D ∈ Div^0(C) is written as [D].
A divisor D is affine if it is not supported at infinite points. Any affine semireduced divisor D on C is determined by its Mumford representation consisting of a pair of polynomials Q, P ∈ k[x] where Q is monic of degree deg(D) and divides f + hP − P^2. The divisor D is uniquely represented by Q and P (mod Q), so we write D = (Q, P). D is reduced if deg(Q) ≤ g. If C is imaginary, then every degree zero divisor class has a unique representative whose affine part is reduced, whereas if C is real, then each such class contains many divisors with reduced affine support. To establish a unique representation of divisor classes for real models, Galbraith et al. in [8] introduced the effective k-rational divisor D_∞ of degree g and showed that every element of Cl^0(C) has a unique representative of the form D − D_∞, where D is an effective k-rational divisor of degree g whose affine part D' is reduced. D is the balanced representative of its class and is written as D = (D', n) for brevity. Note that the effectiveness of D forces 0 ≤ n ≤ g − deg(D'). We will argue later on that generically, almost all balanced divisors have n = 0; see Section 5. Henceforth, up to and including Section 5, we only consider real hyperelliptic curves. In the sequel, we will require the following balanced representations:

Example 2.2. For any real hyperelliptic curve of genus g, we have the following balanced representations: a) The balanced representative of the principal divisor class is ((

Definition 2.3 (Definition 5 of [8]). For any two divisors D_1 and D_2, the integers ω^+ and ω^- are said to be a pair of counterweights for D_1 and D_2 if
The set of all pairs of counterweights for D_1 and D_2 is denoted by ω(D_1, D_2).
2.1. The Jacobian operation using balanced divisors. In this section, we summarize the group operation on the Jacobian using balanced representatives.
The main algorithms for Jacobian arithmetic as introduced in [8] are given below.
Throughout, we assume that C is a real hyperelliptic curve of genus g over k = F_q (although Algorithm 1 applies equally to imaginary hyperelliptic curves). Algorithms 1 and 2 are simply Cantor's well-known divisor addition and reduction of balanced divisors, respectively, with the relevant counterweights included in the output.
Algorithm 1 (first step of the listing)
1: Use the extended Euclidean algorithm to find polynomials s, e_1, e

The output of Algorithm 2 is reduced, but need not be in balanced form. Algorithms 3 and 4 accomplish this task. To see that these two algorithms are correct, consider a reduced input divisor D_0 = ((Q_0, P_0), n_0), and let D_0' = (Q_0, P_0) be the affine part of D_0. If (D_1, (ω^+, ω^-)) is the output of either Algorithm 3 or 4, then where n_1 = n_0 + ω^+. Therefore, if D_0 is not balanced, i.e. n_0 does not satisfy the condition 0 ≤ n_0 ≤ g − deg(Q_0), then we can compute the balanced representative of the divisor class [D_0] by applying the appropriate number of successive red_{∞^+} or red_{∞^-} steps to D_0 and updating n_0 in the process. When n_0 > g − deg(Q_0), then red_{∞^+} (Algorithm 3) must be applied to decrease the value of n_0, whereas when n_0 < 0, we use red_{∞^-} (Algorithm 4) to increase the value of n_0.
As pointed out in Remark 2 of [8], Algorithm 3 can be interpreted generically as composition with ∞^+ − ∞^-; similarly, Algorithm 4 corresponds to composition by its negative ∞^- − ∞^+. Algorithms 6 and 7 support this observation; see Section 5 for further details.
Note that when Algorithm 3 is applied to the affine part of a divisor without considering the value of n, it corresponds exactly to the baby step operation in the infrastructure (see Section 3). Similarly, Algorithm 4 corresponds to an inverse (or backward) infrastructure baby step.
For any two balanced divisors D_1 and D_2 on C, the balanced representative of the class of D_1 + D_2 is computed by Algorithm 5, which is essentially Algorithm 4 of [8]. At most g/2

Algorithm 5 Divisor Class Addition (surviving steps of the listing)
Call Algorithm 2 on input D_3 to obtain D', (a, b) = red(D_3)
6: Set D_3 = D'
7: end while
8: while ω^+ < g/2 or ω^- < g/2 do

Of particular interest in cryptographic applications is the special case of addition or subtraction by the class [∞^+ − ∞^-] as described in Algorithms 6 and 7, respectively. This is used, for example, in round 1 of the Diffie-Hellman protocol if ∞^+ − ∞^- is chosen as public base divisor and scalar multiplication is performed using the non-adjacent form of the scalars. Here, Example 2.2 shows that composition and reduction (steps 1 and 3-7 of Algorithm 5, respectively) are unnecessary, and only one balancing step is needed.
To prove Algorithms 6 and 7 correct, set d = deg(D') and note that

Algorithms 6 and 7 (surviving fragment of the listing)
return (E', 0)
4: else
5:

Our last algorithm (Algorithm 8) is Algorithm 5 in [8], which describes how to compute a balanced representative of the inverse of a divisor class. Note that there are minor errors on lines 4 (m_1 instead of n_1) and 7 (0 instead of n_1) in [8], which are corrected here.
For the correctness of Algorithm 8, observe that the conjugate divisor of (Q if g is even and So no balancing is needed unless g is odd and n_0 = 0, in which case a subtraction by ∞^+ − ∞^- (Algorithm 7) produces a balanced divisor.

Algorithm 8 Divisor Inversion (surviving fragments of the listing)
return D_0
3: else
4: if g is even then
else if g is odd and n_0 > 0 then

Infrastructure
We summarize the main properties of the infrastructure; details can be found in [18] and [16]. As before, let C : y^2 + h(x)y = f(x) be a real hyperelliptic curve of genus g over k = F_q with coordinate ring k[C]. The infinite degree zero divisor ∞^+ − ∞^- plays an important role here. The order R in Cl^0(C) of the class of this divisor is the regulator of C. The divisor R[∞^+ − ∞^-] is principal and is the divisor

The fact that no two infrastructure ideals have the same distance imposes an ordering a_1, a_2, ..., a_r on R by distance, δ_1 < δ_2 < ⋯ < δ_r, where a_1 = (1) and δ_i = δ(a_i) for 1 ≤ i ≤ r.
Computing the distance of a given infrastructure ideal is computationally infeasible (this is equivalent to the Principal Ideal Problem in k[C]), but there is an efficient way to compute the relative distance of two successive ideals. In [9] and [18], it was shown that (3.1) holds. The infrastructure supports two main operations. The first operation, named the baby step, computes a_{i+1} from a_i, along with the relative distance δ_{i+1} − δ_i. Formulas for the baby step are given in [18] and [10]. The second operation on R, referred to as the giant step and denoted ⊗, computes the first reduced ideal a ⊗ b equivalent to the ideal product ab when applying reduction. In fact, R is "almost" an abelian group under ⊗, failing associativity only barely. More exactly, the distance of a ⊗ b falls short of δ(a) + δ(b) by a "shortfall" d, which tends to be very small compared to δ(a) and δ(b) and is effectively computable as part of the giant step. It is expected to be equal to g/2; see (H2) in Section 5. For more details, we refer the reader to [9], [11], and [16].
Since baby steps almost always produce an increase of 1 in distance (see (H1) in Section 5), we see that for almost all integers N ∈ [g + 1, R − 1], there exists an ideal a ∈ R with δ(a) = N. However, δ_2 = g + 1 implies that there are no infrastructure ideals of distance between 1 and g, and there are generally other integers that do not occur as distance values. In general, there exists a unique ideal a_i ∈ R with δ(a_i) ≤ N < δ(a_{i+1}), referred to as the infrastructure ideal below N. It can be efficiently computed, along with the "error" N − δ(a_i), using a technique akin to exponentiation.
Remark 3.3. Let a_i = [Q_{i−1}, P_{i−1} + y] be an infrastructure ideal, and let D_i = (Q_{i−1}, P_{i−1}) be the corresponding reduced affine divisor. Then we can apply Algorithm 6 to D_i to obtain an output D_{i+1} = ((Q_i, P_i), (ω^+, ω^-)). By Proposition 2 of [8], D_{i+1} = D_i − div((y − P_i)/Q_i). Thus, the infrastructure ideal a_{i+1} = div(D_{i+1}) corresponding to D_{i+1} is the next ideal a_{i+1} = [Q_i, P_i + y] in the ordering on R, obtained by applying a baby step to a_i, and a_i = ((y

Remark 3.4. Algorithm 3 is exactly the same as the continued fraction algorithm which was described in [18] and [9]. Therefore, r − 1 successive applications of this algorithm to the trivial divisor D_1 = (1, 0) generate the entire infrastructure.

Two maps from R to Cl^0(C)
Mireles Morales in [14] introduced a map from the infrastructure into the degree zero divisor class group of a real hyperelliptic curve C. In this section, we first review the properties of his map. Then we define a second map between the same sets and show that this new map leads to efficiency improvements in scalar multiplication using balanced divisors.
Mireles Morales' map is defined as follows: [14]). Thus, the image of ψ consists precisely of the multiples [m(∞^+ − ∞^-)] ∈ G for which m occurs as the distance of some infrastructure ideal.
We wish to relate the infrastructure to the Jacobian in a different manner that highlights the connection to balanced divisors. To that end, we define a second map between these two structures, with the difference that representatives of the classes in the image of this map are all balanced. Specifically, we define
Thus, φ maps any infrastructure ideal a to the class represented by the balanced divisor (div(a), 0). Since balanced representatives are unique, we see that φ is injective.
In other words, ψ can be interpreted as a shift of φ by g/2 with respect to the class of ∞^+ − ∞^-. This is essentially the observation made in Remark 5 of [14]. It also implies that the map ψ, as a translation of the injective map φ, is itself injective. The following result is an immediate consequence of Remark 4.1 and Theorem 1 of [14]. An important consequence of the results above, as already noted in [14], is that the infrastructure discrete logarithm problem (computing δ(a) given a) can be reduced to the discrete logarithm problem in G, and vice versa. Thus, in terms of security, either R or G can be used for cryptographic purposes. To implement arithmetic in Cl^0(C) using the infrastructure, it is most efficient if one avoids the elements outside of the image of the map φ. This raises the obvious question of how frequently these non-images occur. Divisor class addition involving hole divisors generally requires balancing steps after divisor addition and reduction, which incur additional computational cost. Therefore, we are interested in avoiding hole elements in practice. If the number of holes is small, then the chance of avoiding them in our arithmetic is high.

Hole elements
Fontein [6] determined the number of hole elements for the entire collection of infrastructures (arising from all ideal classes) of a global hyperelliptic function field. In essence, he proved that the probability that a divisor class is a hole element is asymptotically equal to 1/q, and gave an asymptotic error term, for g fixed and q → ∞. Unfortunately, his results cannot be applied to our setting directly, as his count includes all infrastructures, whereas we only consider the principal ideal class.
Recall from Section 3 that the quotient H = |Cl^0(C)|/R is equal to the ideal class number of k[C]. Heuristics of Friedman and Washington [7] predict that H is generally small; for most real hyperelliptic curves, it is one (in which case Cl^0(C) = G). Since the size of the infrastructure is governed by R, H = 1 represents the cryptographically ideal scenario, since R = |Cl^0(C)| is maximal in this situation. Thus, in most cases we expect that the principal infrastructure is in fact the only infrastructure, and Fontein's results would apply. It is an open problem to specialize Fontein's results to the principal infrastructure in the case that H exceeds one.
When the ideal class number is one, applying Fontein's result yields the following.
Remark 5.2. For sufficiently large q and a real hyperelliptic curve C over k = F_q with ideal class number one, the probability that a divisor class is a hole element is asymptotically equal to 1/q.
Even if H > 1, we expect this probability to be roughly H/q. When H = 1, Remark 5.2 implies the following properties, which were stated in [9] as heuristics for the set of infrastructure ideals. Although they are proved through Fontein's results, we label them (H1) and (H2) in keeping with the notation of [9].
For sufficiently large q, the following properties hold with probability 1 − O(q^{-1}):
By (3.1), (H1) is equivalent to deg(a_i) = g; if deg(a_i) < g, then the ideal a_i, and its corresponding divisor div(a_i), are said to be degenerate. (H1) asserts that degenerate ideals (and divisors) are extremely rare for large q. Note also that if a_{i_0} is the first degenerate infrastructure ideal in the distance ordering, then for 2 ≤ i ≤ i_0, we have δ(a_i) = g + i − 1, and hence φ(a_i) = ( g/2 up to the first degenerate ideal when g = 2, 3. (H2) is equivalent to the assumption that reducing the ideal product ab to obtain a ⊗ b requires exactly g/2 reduction steps. Moreover, (H1) and (H2) imply that there is no need to keep track of relative distances when performing baby steps and giant steps. For specific ideals, relative distances may not be exactly as given in (H1) and (H2). However, in practice, when computing an infrastructure ideal via a succession of baby steps and giant steps (as is the case, for example, for two communicants executing the Diffie-Hellman protocol in the infrastructure), one expects to obtain the same target ideal even if these steps are executed in a different sequence and relative distances are not computed, since the same degenerate ideals (i.e. exceptions to (H1) and (H2)) are encountered in the respective computations. Numerical computations of [9] and those found in Section 7 confirm this.
Based on (H1) and (H2), Jacobson et al. obtained improvements to scalar multiplication in the infrastructure in [9]. The map φ makes it possible to extend these improvements to G, deriving properties of balanced divisors that are analogous to (H1) and (H2).
For sufficiently large q, the following properties hold with probability 1 − O(q^{-1}):
(H1') follows directly from Proposition 4.2 and shows that the baby step on R generically corresponds to adding [∞^+ − ∞^-] in G. To see that the map φ is generically additive as asserted by (H2'), note that , so ψ is generally not additive.
Remark 5.3. Let D_0 be an affine reduced divisor, and (D_1, (ω

To see this, recall that in Algorithm 3, (ω

This important observation was already made in [8]. Note that Remark 5.5 implies in particular that in practice the n values of balanced divisor representatives need not be computed, as they will generically be equal to zero. Once again, if Alice and Bob perform the Diffie-Hellman protocol in G using balanced divisor arithmetic without computing any n values and without any balancing (just addition and reduction), they are expected to generate the same shared key divisor class, since they encounter the same hole divisors (i.e. exceptions to Remarks 5.3-5.5) in their respective sequences of reduction steps. Our computations in genus two confirm this; see Section 7.

Scalar multiplication on R and G
In this section, we compare scalar multiplication on the infrastructure R and the group G = ⟨[∞^+ − ∞^-]⟩ (represented via balanced divisors) on real hyperelliptic curves and on Cl^0(C) (represented via reduced divisors) on imaginary hyperelliptic curves. For the first two cases, we assume the assertions of Section 5 about degenerate infrastructure ideals and hole elements in G, respectively. In particular, we ignore relative distances in R and n values in G, and perform no "adjustment steps" as described in [9] in the former setting and no balancing in the latter. This implies in particular that the number of Jacobian operations to compute a divisor class [aD], given a scalar a and a base divisor D = (Q, P), is identical for imaginary and real hyperelliptic curves.
We also consider two standard scenarios occurring in discrete logarithm based cryptography. The fixed base scenario performs scalar multiplication on a fixed base divisor in the group settings, and generates a reduced principal ideal of a fixed distance in the infrastructure setting. This situation occurs in round 1 of the Diffie-Hellman protocol, for example. For imaginary hyperelliptic curves, this base is usually a divisor of the form P − ∞ where P is a k-rational point on C. For the group setting on real hyperelliptic curves, we assume that this base divisor is ∞^+ − ∞^- written in balanced form as ((1, 0), g/2 + 1); the fact that this divisor does not satisfy Remark 5.4 does not matter by our observations at the end of Section 5. For the infrastructure, the fixed base scenario is described in [9]. The variable base scenario performs scalar multiplication on an arbitrary divisor, as is the case, for example, in round 2 of the Diffie-Hellman protocol.
Table 1 shows the operation counts for scalar multiplication on the Jacobian of an imaginary hyperelliptic curve ("Imag") as well as the group G ("Real") and the infrastructure ("Infra") of a real hyperelliptic curve. As in [9], we assume a random scalar of some bit length l given in non-adjacent form, so we expect that about one third of the signed digits are non-zero. In each setting, we count the number of doubles, adds, baby steps, and the expected number of multiplications in F_q required in genus two based on the explicit formulas for divisor arithmetic of [13] and [4]. For simplicity, we count squarings and multiplications in F_q as the same operation. Adds refer to giant steps in the infrastructure and to Jacobian operations in the group G (Algorithm 5) when C is real and in Cl^0(C) when C is imaginary. Doubles are simply adds of two identical divisors. Baby steps have the usual meaning in the infrastructure, and refer to addition or subtraction of ∞^+ − ∞^- (Algorithm 6 or 7) in G when C is real and of a fixed degenerate divisor P − ∞ in Cl^0(C) when C is imaginary. For the infrastructure, we use the operation counts of VAR-DIST2 and FIXED-DIST2 as given in Table 1 of [9]. Note that in the fixed base scenario in G and the imaginary case, the first double can be replaced by a baby step, which is reflected in our counts. Table 1 shows that for even genus, the group operation counts are identical for the group settings on real and imaginary curves; the infrastructure operation count is only very slightly higher. Thus, at the level of just counting baby steps and giant steps, scalar multiplication exhibits essentially equal performance in all three settings under consideration. For odd genus, we observe that the performance for the group setting on real curves is expected to be slower than the other two, due to the single baby step required for balancing after each divisor class addition or double.
For genus two, we expect G to be slightly faster than R at the level of field operations, and the imaginary case to still be the fastest, due to the higher costs of divisor arithmetic in the real case.We investigate practical performance for genus two in the next section.
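The following Python model is an added illustration, not code from the paper: it implements the non-adjacent form and replays the scalar multiplication schedule of this section for the two group settings ("Real" G and "Imag" Cl^0(C)), counting doubles, adds and baby steps under the conventions just described (first double replaced by a baby step in the fixed base case, one balancing baby step per Algorithm 5 operation for odd genus in the real setting). The group is modelled abstractly as Z/order, which is valid under (H1') where adding the class of ∞^+ − ∞^- is a baby step; the order, base and scalar values are constructed, and the infrastructure counts (taken from [9] in the text) are not modelled.

```python
import random


def naf(k):
    """Non-adjacent form of the integer k >= 0, least significant digit first.
    Digits lie in {-1, 0, 1} and no two adjacent digits are non-zero."""
    digits = []
    while k > 0:
        if k & 1:
            d = 2 - (k & 3)          # 1 if k = 1 (mod 4), -1 if k = 3 (mod 4)
            k -= d
        else:
            d = 0
        digits.append(d)
        k >>= 1
    return digits


def scalar_mult(a, base, order, setting, genus, fixed_base):
    """Left-to-right NAF scalar multiplication a*base in a cyclic group of the
    given order, modelled additively as Z/order (a stand-in for G or Cl^0(C)).

    Returns (a*base mod order, operation counts). Counting conventions:
      doubles / adds : Algorithm 5 operations (or the imaginary counterparts)
      baby_steps     : addition or subtraction of the fixed degenerate base
                       (Algorithm 6/7 in G, adding P - inf in the imaginary case)
    In the fixed base scenario the base is the degenerate divisor itself, so
    every non-zero digit costs a baby step and the first double (2*base) is
    replaced by a baby step.  For setting == "real" and odd genus, one balancing
    baby step is charged after every double or add (assumption taken from the
    text of Sections 6 and 8)."""
    assert setting in ("real", "imag") and a > 0
    digits = naf(a)[::-1]                      # most significant first; it is 1
    counts = {"doubles": 0, "adds": 0, "baby_steps": 0}
    acc = base
    for i, d in enumerate(digits[1:]):
        if fixed_base and i == 0:
            acc = (acc + base) % order         # 2*base as one baby step
            counts["baby_steps"] += 1
        else:
            acc = (2 * acc) % order
            counts["doubles"] += 1
        if d != 0:
            acc = (acc + d * base) % order
            if fixed_base:
                counts["baby_steps"] += 1      # Algorithm 6 (d = 1) or 7 (d = -1)
            else:
                counts["adds"] += 1            # Algorithm 5 with a general divisor
    if setting == "real" and genus % 2 == 1:
        counts["baby_steps"] += counts["doubles"] + counts["adds"]
    return acc, counts


def average_nonzero_fraction(bits, trials, seed=1):
    """Empirical fraction of non-zero NAF digits over random scalars of exactly
    `bits` bits; the text expects about one third."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        k = rng.getrandbits(bits) | (1 << (bits - 1))
        digits = naf(k)
        total += sum(1 for d in digits if d) / len(digits)
    return total / trials


if __name__ == "__main__":
    # constructed values: order 1009 stands in for |G|, base 5 for [inf+ - inf-]
    print(scalar_mult(7, 5, 1009, "real", 2, fixed_base=True))
    print(scalar_mult(7, 5, 1009, "real", 3, fixed_base=True))
    print(average_nonzero_fraction(160, 200))
```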

Numerical results
We implemented the Diffie-Hellman protocol in the Jacobian and infrastructure of genus two real hyperelliptic curves, using the fixed and variable base scalar multiplication algorithms described in the previous section. We employed the explicit formulas from [4] for divisor arithmetic in both cases, in place of the general-purpose formulas given in Subsection 2.1. For comparison purposes, we also implemented Diffie-Hellman in the Jacobian of genus two imaginary hyperelliptic curves, using the explicit formulas from [13]. In the fixed base scenario, we used a base divisor of the form P − ∞ with P a k-rational point on the curve; this is the closest analogy to performing baby steps in the real model. We used the affine representation of divisors and applied the standard isomorphic transformations to the defining equations of our curves [13, 4] to minimize the number of non-zero coefficients, thereby maximizing the efficiency of the curve arithmetic.
We used the computer algebra library NTL [17] for finite field and polynomial arithmetic and the GNU C++ compiler version 4.4.5. The computations described below were performed on an Intel Core i7-2600 3.4 GHz computer running Linux.
All three protocols were implemented using genus 2 curves defined over F_p and F_{2^n}. The finite field was chosen so that the sizes of the infrastructures and Jacobians under consideration were roughly 2^160, 2^224, 2^256, 2^384, and 2^512. Thus, for F_{2^n}, we used n ∈ {80, 112, 128, 192, 256}, and for F_p, we chose a random prime p such that p^2 had the required bit length. These settings offer 80, 112, 128, 192, and 256 bits of security, respectively, for cryptographic protocols based on the corresponding discrete logarithm problem. NIST [1] currently recommends these five levels of security for key establishment in U.S. Government applications.
For each finite field, we randomly selected 100,000 curves and executed Diffie-Hellman once for each curve. The random scalars used had 160, 224, 256, 384, and 512 bits, respectively, ensuring that the number of bits of security provided corresponds to the five levels recommended by NIST (again, considering only generic attacks). In order to provide a fair comparison between the three algorithms, the same sequence of random exponents was used for each run of the key agreement protocol. As the algorithms in the real model rely on our heuristic assumptions to ensure correctness, we also checked that the resulting key divisors were in fact equal; across all our computations, this was always the case.
Tables 2 and 3 contain the average CPU time in milliseconds for each of the three algorithms. The headings "Imag", "Real" and "Infra" have the same meaning as for Table 1. The times required to generate domain parameters are not included in these timings, as domain parameter generation is a one-time computation. As predicted by our analysis, the algorithms using the Jacobian in the real model slightly out-perform those using the infrastructure. The imaginary model is still the fastest of all, but by no more than approximately 1.7 milliseconds for q even and 1.1 milliseconds for q odd.

Conclusions and future directions
Our analysis and numerical experiments show that Mireles Morales' claim that the Jacobian of a real hyperelliptic curve is more efficient than the infrastructure for cryptographic applications is true for curves of even genus. According to Table 1, Jacobian arithmetic needs more baby steps than infrastructure arithmetic when the genus of the curve is odd. It should be possible to mirror and interpret the scalar multiplication algorithms for the Jacobian described here in the infrastructure. However, this would not result in anything more efficient, and it seems more natural to describe the algorithms in the Jacobian.
On the other hand, our analysis suggests that scalar multiplication in the infrastructure may be faster than in the Jacobian of an odd-genus real hyperelliptic curve, because each Jacobian operation generically requires at least one baby step for balancing. Our current work includes a more careful investigation of this case, especially for genus three. One possible approach to closing the performance gap is to apply the same trick from the infrastructure described in [9] to the Jacobian to reduce the number of baby steps. Another idea for reducing the number of balancing steps required for odd genus, suggested by Galbraith, is to work with divisors of degree $g + 1$ instead of fully reducing after each operation. The advantage is that no balancing steps would be required, but this approach would incur the additional cost of performing divisor arithmetic with higher-degree operands. A careful analysis of these approaches will be required to determine which will work best in practice.
The current state of the art is that scalar multiplication on imaginary and real hyperelliptic curves of even genus requires exactly the same number of operations on divisors in both models, with no adjustment or balancing steps required in practice in the real case. The only remaining difference in performance is in the cost of the basic divisor operations. Baby steps in genus two require five fewer field operations than adding the divisor of a point in the imaginary case, but additions and doublings require four more field multiplications in the real case. However, there has been much less work on explicit formulas for divisor arithmetic on the real model. It is conceivable that more attention to this setting may result in a sufficient decrease in the number of field multiplications required per operation that the real model achieves the same or better performance compared to the imaginary model, and becomes an accepted alternative for practical applications.
and its function field is $k(C) = k(x, y)$. The roots of the curve equation $C$ are $y$ and $-(y + h(x)) \in k[C]$, and the hyperelliptic involution on $C$ sends one root to the other.

Algorithm fragment (steps 8 to 13, as extracted; step 9 is missing):
8: return $(D, g - n_0 - \deg(Q_0) + 1)$
10: Call Algorithm 7 on input $(D, g - \deg(Q_0) - n_0)$ to obtain $(D_1, n_1)$
11: return $(D_1, n_1)$
12: end if
13: end if

Definition 3.1.
of a fundamental unit of $k[C]$, i.e. a generator of the infinite cyclic group $k[C]^*/k^*$. The quotient $|\mathrm{Cl}^0(C)|/R$, i.e. the index of the cyclic subgroup $G = \langle [\infty_+ - \infty_-] \rangle$ in $\mathrm{Cl}^0(C)$, is equal to the ideal class number of $k[C]$. This index is small for most real hyperelliptic curves, and in fact frequently $\mathrm{Cl}^0(C) = G$. Since the Hasse-Weil bounds establish $(\sqrt{q} - 1)^{2g} \le |\mathrm{Cl}^0(C)| \le (\sqrt{q} + 1)^{2g}$, the regulator is generally of magnitude $q^g$. Every non-zero $k[C]$-ideal $\mathfrak{a}$ is a $k[x]$-module of rank 2 with a basis of the form $\{SQ, S(P + y)\}$ where $S, Q, P \in k[x]$, and $Q$ divides $P^2 + Ph - f$; write $\mathfrak{a} = [SQ, S(P + y)]$. If we take $S$ and $Q$ to be monic, then $Q$ is unique and $P$ is unique modulo $Q$. The ideal $\mathfrak{a}$ is primitive if $S = 1$ and reduced if additionally $\deg(Q) \le g$. Hence, the primitive $k[C]$-ideals are in one-to-one correspondence with the semireduced affine divisors on $C$ by virtue of mapping the $k[C]$-ideal $\mathfrak{a} = [Q, P + y]$ to the affine divisor $\mathrm{div}(\mathfrak{a}) = (Q, P)$. Under this mapping, reduced ideals are sent to reduced affine divisors. In fact, this map is simply a restriction of the well-known isomorphism from the group of non-zero fractional $k[C]$-ideals under multiplication onto the group of affine divisors on $C$ defined over $k$ under addition. The degree of a $k[C]$-ideal $\mathfrak{a}$ is $\deg(\mathfrak{a}) = \deg(\mathrm{div}(\mathfrak{a}))$, i.e. the degree of the corresponding affine divisor. A $k[C]$-ideal $\mathfrak{a}$ is principal if it consists of all the $k[C]$-multiples of some fixed element $\alpha \in \mathfrak{a}$; write $\mathfrak{a} = (\alpha)$. Every non-zero principal $k[C]$-ideal has a generator $\alpha$ with $-R < \nu_{\infty_+}(\alpha) \le 0$ that is unique up to $k^*$-multiples. The infrastructure of $C$ is defined to be the set $\mathcal{R}$ of all reduced principal ideals of $k[C]$. For every ideal $\mathfrak{a} = (\alpha) \in \mathcal{R}$ with $-R < \nu_{\infty_+}(\alpha) \le 0$, the distance of $\mathfrak{a}$ is defined to be $\delta(\mathfrak{a}) = -\nu_{\infty_+}(\alpha)$. If $\mathfrak{a}, \mathfrak{b}$ are infrastructure ideals with $\delta(\mathfrak{a}) \ge \delta(\mathfrak{b})$, then the distance from $\mathfrak{b}$ to $\mathfrak{a}$ is $\delta(\mathfrak{a}, \mathfrak{b}) = \delta(\mathfrak{a}) - \delta(\mathfrak{b})$.

Example 3.2.
The trivial k[C]-ideal a = (1) has basis {1, y} and is hence an infrastructure ideal of distance zero.

Definition 5.1.
The elements in $\mathrm{Cl}^0(C) \setminus B$ are called hole elements (or holes for short). A hole divisor is the balanced representative of a hole. In other words, hole divisors are balanced divisors of the form $(D, n)$ with $n = 0$. By Theorem 4.3, the image of $\varphi$ consists precisely of those multiples of $\infty_+ - \infty_-$, i.e. classes in $G$, that are not holes. Recall that the image of $\psi$ consisted of exactly those scalar multiples of $[\infty_+ - \infty_-]$ whose scalar does not occur as an infrastructure distance. Informally, the map $\psi$ misses distance values in its image, while $\varphi$ misses hole divisors. Note also that by Remark 4.1, $m[\infty_+ - \infty_-]$ is a hole element in $G$ if and only if $m + g/2 \pmod{R}$ does not occur as an infrastructure distance value.

Remark 5.4.
The balanced representative of the conjugate of a balanced divisor $D = ((Q, P), 0)$ is generically equal to $\overline{D} = ((Q, -P - h), 0)$ when $g$ is even. This is clear from Algorithm 8, since generically $\deg(Q) = g$ and $n_0 = n_1 = 0$. For odd genus, by Algorithm 8, $\overline{D} = ((Q, -P - h), 1)$. Therefore, one balancing step is needed to obtain the balanced representative of $[\overline{D}]$.

Remark 5.5.
Generically, for two balanced divisors $D_1$ and $D_2$, $g/2$ reduction steps, and no balancing steps for even genus and one for odd genus, are needed to compute the balanced divisor $D_1 \oplus D_2$.
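As an added worked example that is not part of the paper, the following Python code (constructed here; the polynomial helpers, the curve and the ideal are all assumptions) checks the ideal-basis condition that $Q$ divides $P^2 + Ph - f$ from Definition 3.1, reduces $P$ modulo $Q$ to its unique representative, and forms the conjugate $(Q, -P - h)$ used in Remark 5.4 for a small genus 2 real curve.

```python
# Added example, not from the paper: Mumford-style bases [Q, P + y] of k[C]-ideals
# on a real hyperelliptic curve y^2 + h(x) y = f(x) over F_p.  We check the condition
# Q | P^2 + P h - f (Definition 3.1) and form the conjugate (Q, -P - h mod Q)
# (Remark 5.4).  Polynomials are coefficient lists mod p, lowest degree first;
# the curve and the ideal at the bottom are constructed for illustration.

def trim(a):
    """Remove leading zero coefficients in place; [] is the zero polynomial."""
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a, b, p):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % p
                 for i in range(n)])

def neg(a, p):
    return [(-c) % p for c in a]

def mul(a, b, p):
    out = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)

def mod(a, q, p):
    """Remainder of a modulo monic q; this is how P is made unique modulo Q."""
    assert q and q[-1] == 1, "Q must be monic"
    r = list(a)
    while len(r) >= len(q):
        c, shift = r[-1], len(r) - len(q)
        for i, y in enumerate(q):
            r[i + shift] = (r[i + shift] - c * y) % p
        trim(r)
    return r

def is_ideal_basis(Q, P, h, f, p):
    """True iff {Q, P + y} spans a k[C]-ideal, i.e. Q divides P^2 + P h - f."""
    val = add(add(mul(P, P, p), mul(P, h, p), p), neg(f, p), p)
    return mod(val, Q, p) == []

def conjugate(Q, P, h, p):
    """Image of the ideal (Q, P) under the hyperelliptic involution y -> -y - h."""
    return Q, mod(neg(add(P, h, p), p), Q, p)

# Constructed genus 2 real curve over F_11: y^2 = x^6 + 1 (h = 0, deg f = 2g + 2).
# Q = x(x - 3) = x^2 + 8x and P = 1 + 4x interpolates the curve points (0, 1), (3, 2).
p, h, f, Q, P = 11, [], [1, 0, 0, 0, 0, 0, 1], [0, 8, 1], [1, 4]
```

Adding $Q$ to $P$ gives the same ideal, which is why `mod` is applied before comparing representatives; the conjugate satisfies the same divisibility condition because $(-P-h)^2 + (-P-h)h - f = P^2 + Ph - f$.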

Table 1.
Operation counts for scalar multiplication in $\mathrm{Cl}^0(C)$ for $C$ imaginary and in $G$ and $\mathcal{R}$ for $C$ real.

Table 2.
Scalar multiplication and key exchange timings over $\mathbb{F}_p$ (in milliseconds).

Table 3.
Scalar multiplication and key exchange timings over $\mathbb{F}_{2^n}$ (in milliseconds).