, is a quotient group, thus the elements of the Jacobian are not points, they are equivalence classes of divisors of degree 0 under the relation of linear equivalence.
[1] The use of hyperelliptic curves in cryptography came about in 1989 from Neal Koblitz.
Although introduced only 3 years after ECC, not many cryptosystems implement hyperelliptic curves because the implementation of the arithmetic isn't as efficient as with cryptosystems based on elliptic curves or factoring (RSA).
The efficiency of implementing the arithmetic depends on the underlying finite field
, in practice it turns out that finite fields of characteristic 2 are a good choice for hardware implementations while software is usually faster in odd characteristic.
[2] The Jacobian on a hyperelliptic curve is an Abelian group and as such it can serve as group for the discrete logarithm problem (DLP).
The first type of group used was the multiplicative group of a finite field, later also Jacobians of (hyper)elliptic curves were used.
If the hyperelliptic curve is chosen with care, then Pollard's rho method is the most efficient way to solve DLP.
But if the hyperelliptic curve is chosen poorly, the DLP will become quite easy to solve.
In this case there are known attacks which are more efficient than generic discrete logarithm solvers[3] or even subexponential.
Considering various attacks on DLP, it is possible to list the features of hyperelliptic curves that should be avoided.
All generic attacks on the discrete logarithm problem in finite abelian groups such as the Pohlig–Hellman algorithm and Pollard's rho method can be used to attack the DLP in the Jacobian of hyperelliptic curves.
The Pohlig-Hellman attack reduces the difficulty of the DLP by looking at the order of the group we are working with.
is just as hard to solve as the DLP in the subgroup of order
For Jacobians of (hyper)elliptic curves there exists an index calculus attack on DLP.
If the genus of the curve becomes too high, the attack will be more efficient than Pollard's rho.
Another restriction on the hyperelliptic curves we can use comes from the Menezes-Okamoto-Vanstone-attack / Frey-Rück-attack.
there exists a computable injective group homomorphism from the subgroup of
); so even though the index calculus attack is quite fast for multiplicative groups of finite fields this attack is not a threat for most curves.
The injective function used in this attack is a pairing and there are some applications in cryptography that make use of them.
In such applications it is important to balance the hardness of the DLP in
; depending on the security level values of
There exists some independent usage in torus based cryptography.
, the largest prime divisor of the order of the Jacobian, is equal to the characteristic of
By a different injective map we could then consider the DLP in the additive group
However, DLP in this additive group is trivial to solve, as can easily be seen.
Hence, in order to choose a good curve and a good underlying finite field, it is important to know the order of the Jacobian.
is the power of a prime number and define
[6] But there is more, we can compute the order using the zeta-function on hyperelliptic curves.
Hence orders of Jacobians can be found by computing the roots of