FURTHER TOPICS

Table VIII.3. _{Examples of [104, 326, 106] for a, ai∈ K\k}

andh∈k[X] (no Multiple Factors Allowed on the Right Hand Sides of =) n H g C0 _g C0 2 Y2 _{= (X−a)h(X) deg(h)/2 hyperell. 2g} 3 Y2 _{= (X−a)h(X) deg(h)/2 hyperell. 4g+ 1} 3 Y2 _{= (X−a)(X−σ(a))h(X) (deg(h)−1)/2 hyperell. 4g−1} 3 Y2₌g+1 i=1(X−ai)(X−σ(ai)) g – 3g 5 Y2₌ i∈{0,1,2,3}(X−σ i_{(a)) 1 – 5} 7 Y2₌ i∈{0,1,2,4}(X−σi(a)) 1 – 7

construction of [145] carries through in an analogous way. Some examples of the resulting curves are

Y2+XY =X2g+1+· · ·+c3X3+c2X2+c1X+θ, Y2+XY =X2g+1+· · ·+c3X3+c2X2+θX+c1, Y2+XY =X2g+1+· · ·+θX3+c3X2+c2X+c1, Y2+XY =X2g+1+· · ·+θX3+c1X2+θX+θ2,

where ci ∈ k, θ, θ ∈ K and θ, θ have n distinct conjugates. A bound

gC0 ≤ g2m−1 for the genus of the corresponding C0 holds, where m is de-

fined similarly as in Section VIII.2.6.

Another family of curves is given in [327], of the form Y2_{+h(X)Y =} f(X)h(X) + (αX+β)h(X)2 _{with f, h ∈ k[X], α, β ∈ K and some further} conditions. Here the genusgC0 is proven to be equal tog2m−1−1 org2m−1.

A discussion of general Artin–Schreier extensions is carried out in [168]. The main consequences for elliptic curves are presented in Section VIII.1. One result for general Artin–Schreier extensions is that gC0 grows exponentially

inmwhence the attack can only apply to very special families of curves or if nis small. A similar statement holds true for Kummer extensions.

We remark that [327] and [168] also include Artin–Schreier extensions in characteristicp >2.

VIII.5.3. Kernel of Norm-Conorm Maps and Genera. We consider a generalization of the situation in Section VIII.1.2. LetE be a function field of transcendence degree one over the finite exact constant field K, C/E a finite extension andU a finite subgroup of Aut(C). The fixed field ofU inC is denoted by C0_{. As in Section VIII.1.2, we obtain a homomorphism of the} divisor class groupsφ: Pic0K(E)→Pic

0

k(C0) by NC/C0◦ConC/E, the conorm

from E to C followed by the norm from C to C0_{. This situation is quite} general; for example, we do not require U to be abelian.

(i) ker(NE/EV)⊆ker(φ), whereV is any subgroup of U with V E⊆E, so

V restricts to a subgroup of Aut(E) andEV _{is the fixed field ofV in}

E.

(ii) If the intersection E∩σE is a function field and E, σE are linearly disjoint over E∩σE for everyσ∈U, then

[C:E]·kerφ ⊆

σ∈U\{1}

ConE/E∩σE

Pic0K(E∩σE)

.

For example,E andσE are linear disjoint overE∩σE if at least one is Galois overE∩σE.

The theorem applies in particular to the Kummer and Artin–Schreier con- structions discussed so far. Condition (i) basically means that for subfield curves, ker(φ) contains the large prime factor subgroup of Pic0K(E). In con-

dition (ii) we have that the Pic0K(E ∩σE) do not contain the large prime

factor subgroup since E∩σE =K(x), and [C : E] is also not divisible by the large prime factor. As a result, ker(φ) does not contain the large prime factor subgroup either.

A proof of a more general version of Theorem VIII.16 is given in [168]. The case of elliptic and hyperelliptic curves has been independently dealt with in [104].

The genus of C0 _{can be computed in a number of ways. A general way,} which also determines the L-polynomial of C0_{, is as follows. Let G be a} finite subgroup of Aut(C) and let H andU be subgroups ofG such thatH

is normal in G, H ∩U ={1} and G= HU. The subgroup U operates on

H by conjugation. Assume further that H is elementary abelian of prime

exponent l and let {Hν|ν ∈ I} be a system of representatives under the

operation ofU on the subgroups ofH of indexlfor some index setI. LetUν

be the largest subgroup ofU which leavesHν invariant. IfAis any subgroup

of G, then the fixed field of Ain C is denoted byCA _{and the degree of the}

exact constant field ofCA _{over that ofC}G _byd CA.

Theorem _VIII.17. _{Under the above assumptions theL-polynomials satisfy}

LCU(tdCU)/ LCG(t) = ν∈I

LCHν Uν(tdCHν Uν)/ LCHUν(tdCHUν). Corollary _VIII.18. _{The genera satisfy the equation}

dCUgCU −gCG = ν∈I

dCHν UνgCHν Uν−dCHUνgCHUν

.

Theorem VIII.17 and Corollary VIII.18 are proved in [168]. They can be applied to the Artin–Schreier and prime degree Kummer constructions

quite straightforwardly by analysing the defining groups ∆ (and U as in

VIII.5. FURTHER TOPICS 179

VIII.5.4. Construction of Models. The construction of explicit defining equations for C0 _{obtained by the Kummer or Artin–Schreier constructions} and the computation of images underφby means of computer algebra systems is quite technical but does not pose principal algorithmic problems. We refer to [145, 168, 131, 104, 326, 327] for details.

VIII.5.5. Trap Door Systems. The GHS attack with isogenies from Sec- tion VIII.3 can also be used constructively for a trap door system [324]. The basic idea is as follows. A user creates a secret elliptic curveEswhich is sus-

ceptible to the GHS attack. The user then computes a public elliptic curveEp

by means of a secret, sufficiently long and random isogeny chain starting at

Es. The curveEs and the isogeny chain are submitted to a trusted authority

for key escrow, whileEp is used as usual in elliptic curve cryptosystems. The

parameters are chosen such that the Pollard methods are the most efficient way to solve the DLP onEp, while solving the DLP on Esis much easier but

still sufficiently hard. The trusted authority thus has to invest considerable computing power to decrypt which makes widespread wire tapping infeasible. For further details and parameter choices see [324].

VIII.5.6. Other Approaches. Covering techniques can also be applied

when the target function field E comes from a true subfield curve. The

methods described so far do not readily apply because σE =E, in view of Theorem VIII.16. One strategy to overcome this problem is to perform a suitable change of variable such that there are n different conjugate fields σi_{(E), so basically one considers a differentσ. Accordingly, another strategy}

is to twistσ by an automorphismτ of ordernsuch that there arendifferent conjugate fields (στ)i_{(E). If E}

0 is the target field defined overk, such that E=E0K, then this strategy leads to the construction of suitable extensions

C0/E0 and τ0 ∈ Aut(C0) with τ0(E0) =E0 and departs from the Kummer

and Artin–Schreier paradigms. We refer to [103, 106] for details. As a con- sequence, with respect to an extension K/k of degree 3 and char(k)= 2,3, the DLP (in the trace zero group) of a genus 2 curve can always be trans- formed into a DLP of a genus 6 curve defined over k. For a non-negligible percentage even genus 5 is possible, which leads to a more efficient attack via index calculus than by the Pollard methods.

A further approach described in [106] uses special classes of hyperelliptic curves defined overkwhich admit maps to elliptic curves defined overK. The genus of these hyperelliptic curves is equal to n= [K : k], so these attacks would be very efficient. However, the maps between the curves are not (yet) known explicitly and upper bounds for their degrees are very large.

We close with two more remarks. In [45] the GHS construction is used to construct elliptic curves over ¯F2(x) of high rank with constantj-invariant. In [290] a covering technique is used to construct genus 2 curves defined over k with Jacobian isogenous to the Weil restriction of a large class of

elliptic curves defined over K with respect to a quadratic extension K/k of finite fields in odd characteristic. This allows for SEA point counting while avoiding patents in ECC (see also [170, 132]).

Part 4