By Stefania Cavallar, Bruce Dodson, Arjen K. Lenstra, Walter Lioen, Peter L. Montgomery (auth.), Bart Preneel (eds.)

This ebook constitutes the refereed court cases of the overseas convention at the idea and alertness of Cryptographic recommendations, EUROCRYPT 2000, held in Bruges, Belgium, in might 2000. The 39 revised complete papers offered have been conscientiously chosen from a complete of a hundred and fifty submissions in the course of a hugely aggressive reviewing approach. The publication is split in topical sections of factoring and discrete logarithm, electronic signatures, deepest details retrieval, key administration protocols, threshold cryptography, public-key encryption, quantum cryptography, multi-party computation and data concept, zero-knowledge, symmetric cryptography, Boolean features and undefined, balloting schemes, and move ciphers and block ciphers.

**Extra info for Advances in Cryptology — EUROCRYPT 2000: International Conference on the Theory and Application of Cryptographic Techniques Bruges, Belgium, May 14–18, 2000 Proceedings**

**Sample text**

Hence an equivalent deﬁnition of smoothness is given by the following proposition. Proposition 3 A divisor = 1 + · · · + g − ∞ is S -smooth if and only if each point i is deﬁned over an extension Fqk with k≤ S . We deﬁne also a factor basis, similar to the one used for classical discrete log problem over F∗p . Deﬁnition 4 The factor basis, denoted by S , is the set of all the prime divisors of degree at most S . For S = 1 we simply write . In the following, we will always take S = 1 and we will say ‘smooth divisor’ for 1-smooth divisor.

A. The computation of a new element of the random walk costs an addition in the Jacobian and two additions modulo n, and the test for its smoothness costs a ﬁrst step of DDF. By proposition 4, we have to compute ! a. ( J + n + q,g )). b. The ﬁnal splitting of the polynomial in order to express the divisor on the factor basis can not be proved to be deterministic polynomial (though it is very fast in practice). For the analysis, we can then suppose that we do a trial division with all the elements of the basis.

717. 5 (720) total time for collecting the relations 797 073 sec = 9 days time for writing relations on the basis 12 057 sec time for preprocessing the matrix 880 sec size of the matrix 162 873 × 162 874 total time for Lanczos 1 038 534 sec = 12 days 6 Conclusion We have proposed an algorithm for the hyperelliptic discrete log problem, which is simpler to implement and to analyze than the previous ones. It is specially well suited for practical cryptosystems where the genus is not too large (say less than 9), and the base ﬁeld is relatively small.