By Jean Chaumine, James Hirschfeld, Robert Rolland

This quantity covers many subject matters together with quantity idea, Boolean features, combinatorial geometry, and algorithms over finite fields. This e-book comprises many attention-grabbing theoretical and applicated new effects and surveys awarded by means of the simplest experts in those components, comparable to new effects on Serre's questions, answering a query in his letter to most sensible; new effects on cryptographic purposes of the discrete logarithm challenge concerning elliptic curves and hyperellyptic curves, together with computation of the discrete logarithm; new effects on functionality box towers; the development of recent sessions of Boolean cryptographic capabilities; and algorithmic purposes of algebraic geometry.

2. So P is a flex if and only if h(1, a, b) = 0. 1). We are thankful to F. Voloch for this reference. We also want to thank J. Hirschfeld for pointing out a mistake in an earlier version and M. Girard for discussions on hyperflexes. February 11, 2008 22 15:6 WSPC - Proceedings Trim Size: 9in x 6in S. Flon, R. Oyono, C. Ritzenthaler Table 1. 1 ∗2 saga˙master Addition, deg u1 = deg u2 = 3 D1 = [u1 , v1 ] and D2 = [u2 , v2 ] ui = x3 + ui2 x2 + ui1 x + ui0 , vi = vi2 x2 + vi1 x + vi0 C : y 3 + h(x)y − f (x) = 0 with h(x) := h3 x3 + h2 x2 + h1 x + h0 , f (x) := x4 + f2 x2 + f1 x + f0 D = [uD1 +D2 , vD1 +D2 ] = D1 + D2 with uD1 +D2 = x3 + u2 x2 + u1 x + u0 vD1 +D2 = v2 x2 + v1 x + v0 Expression compute the inverse t1 of v1 − v2 modulo u2 a1 = (v12 − v22 )u22 − (v11 − v21 ), a2 = (v12 − v22 )2 , a3 = a2 u20 − a1 (v10 − v20 ); a4 = a2 (u22 + u21 + u20 + 1) − (v12 − v22 + a1 )(v12 + v11 + v10 − (v22 + v21 + v20 )) − a3 ; a5 = a4 (v12 − v22 ), a6 = a4 (v11 − v21 ) − a3 (v12 − v22 ); a7 = a24 , res1 = a7 (v10 − v20 ) − a6 a3 , t10 = a1 a6 , t12 = (v12 − v22 )a5 ; t11 = (a1 + v12 − v22 )(a6 + a5 ) − (t10 + t12 ), t10 = t10 + a7 ; t1 = t12 x2 + t11 x + t10 compute the remainder r of (u1 − u2 )t1 by u2 b1 = (u12 + u11 + u10 − (u22 + u21 + u20 ))(t12 + t11 + t10 ); b2 = (u12 − u11 + u10 − (u22 − u21 + u20 ))(t12 − t11 + t10 ); b3 = (4(u12 − u22 ) + 2(u11 − u21 ) + u10 − u20 )(4t12 + 2t11 + t10 ); b4 = (u12 − u22 )t12 , b5 = (u10 − u20 )t10 , b6 = (b1 + b2 )/2 − (b5 + b4 ); b7 = ((b3 + b2 − b1 − b5 )/2 − 2(4b4 + b6 ))/3, b8 = b1 − (b5 + b6 + b7 + b4 ); b9 = b7 − b4 u22 , r2 = b5 − b9 u20 ; b10 = b4 + b7 + b6 + b8 + b5 − (b9 + b4 )(u22 + u21 + u20 + 1); r1 = (b10 − (b4 + b6 + b5 − (b7 + b8 ) − (b9 − b4 )(u22 − u21 + u20 − 1)))/2; r0 = b10 − (r2 + r1 ); r = r0 x2 + r1 x + r2 compute the cubic E = y 2 + sy + t 2 c1 = v12 , c2 = r0 c1 , c3 = res1 · (v12 + v22 ) − (r1 c1 ) + (c2 u22 ), c4 = c3 · res1 , c5 = res1 · r0 , c6 = r0 c2 , c7 = r2 c3 − (c6 u20 ) − c5 (v10 + v20 ); c8 = (r0 + r1 + r2 )(c2 + c3 ) − c6 (1 + (u22 + u21 + u20 )) − c5 (v22 + v21 + v20 + v12 + v11 + v10 ) − c7 ; c9 = c4 + u12 c5 c1 − v12 (c8 + 2c5 v11 ), c10 = c5 c9 , c11 = c25 ; c12 = c29 , c13 = c12 + h3 (−2c10 + h3 c11 ), inv1 = (c10 c13 )−1 , c14 = c13 · inv1 , c15 = c9 c14 , c16 = c12 · inv1 · c10 ; s0 = c7 c15 , s1 = c8 c15 , c17 = c4 c15 ; c18 = (1 + u12 + u11 + u10 )(c1 + c17 ) − (v12 + v11 + v10 )(v12 + v11 + v10 + s1 + s0 ), t3 = c9 c15 , t0 = u10 c17 − v10 (v10 + s0 ); t2 = (c18 + (−1 + u12 − u11 + u10 )(−c1 + c17 ) − (v12 − v11 + v10 )(v12 − v11 + v10 − s1 + s0 ))/2 − t0 ; t1 = c18 − (t0 + t2 + t3 ), k1 = c11 c14 , c19 = t0 k1 , c20 = t1 k1 , c21 = t2 k1 ; E = y 2 + (s1 x + s0 )y + t3 x3 + t2 x2 + t1 x + t0 compute res(E, C, y) and u′ := res(E, C, y)∗ /(u1 u2 ) d0 = c221 , d1 = 3c21 , d2 = 3(c20 + d0 ), d3 = c21 (6c20 + d0 ) + 3c19 ; d4 = s21 , d5 = s20 , d6 = (s1 + s0 )2 − (d4 + d5 ), d7 = (s1 + s0 )(t3 + t2 + t1 + t0 ); d8 = (s0 − s1 )(t2 + t0 − (t3 + t1 )), d9 = (2s1 + s0 )(8t3 + 4t2 + 2t1 + t0 ); d10 = s1 t3 , d11 = s0 t0 , d12 = −(d11 + d10 ) + (d7 + d8 )/2; d13 = −2d10 +(d11 −d7 +(d9 −d8 )/3)/2, d14 = d7 −(d11 +d12 +d13 +d10 ); d15 = s1 d4 , d16 = 3d4 s0 , d17 = 1 − 3d10 , d18 = d15 − 3d13 ; d19 = f2 + d16 + (1 − 3d10 )f2 − 3d12 ; d20 = (t3 +t2 +t1 +t0 )(h3 +h2 +h1 +h0 +d4 +d6 +d5 −2(t3 +t2 +t1 +t0 )); d21 = (−t3 +t2 −t1 +t0 )(2(t3 −t2 +t1 −t0 )−h3 +h2 −h1 +h0 +d4 −d6 +d5 ); d22 = (8t3 + 4t2 + 2t1 + t0 )(8(−2t3 + h3 ) + 4(d4 − 2t2 + h2 ) + 2(d6 − 2t1 + h1 ) + d5 − 2t0 + h0 ); Operations 13M+2SQ 9M 39M+3SQ+I (7M+SQ+I) 37M+5SQ (15M) February 11, 2008 15:6 WSPC - Proceedings Trim Size: 9in x 6in saga˙master Fast addition on non-hyperelliptic genus 3 curves Table 2.

Nieuw Arch. , 11:110– 117, 1963. 2. R. M. Avanzi, G. Frey, T. Lange and R. Oyono. On using expansions to the base of −2. Inter. J. of. Comp. , 81(4):403–406, 2004. 3. E. Reinaldo Barreiro, J. Estrada Sarlabous and J. P. Cherdieu. Efficient reduction on the Jacobian variety of Picard curves. In Coding theory, cryptography and related areas (Guanajuato, 1998), pages 13–28. Springer, Berlin, 2000. 4. A. Basiri, A. Enge, J-C. Faug`ere and N. G¨ urel. Implementing the Arithmetic of C3,4 Curves. In Algorithmic Number Theory Symposium - ANTS-VI, volume 3076 of LNCS, pages 87–101.

The running times of these algorithms depend primarily on the sizes of the fields over which the points of J[ℓd ] are defined. Section 6 provides upper bounds for these sizes in terms of the prime ℓ and the size of the base field p. Lauter A detailed statement of the Eisentr¨ager-Lauter CRT algorithm, incorporating the algorithms of Sections 2, 4, and 5, appears in Section 7. Section 8 describes various ways in which we have modified our MAGMA implementation to improve the algorithm’s performance.