Computing the Automorphism Groups of Hyperelliptic Function Fields

The purpose of this paper is to propose an efficient method to compute the automorphism group of an arbitrary hyperelliptic function field over a given ground field of characteristic > 2 as well as over its algebraic extensions. Beside theoretical applications, knowing the automorphism group of a hyperelliptic function field also is useful in cryptography: The Jacobians of hyperelliptic curves have been suggested by Koblitz as groups for cryptographic purposes, because the computation of the discrete logarithm is believed to be hard in this kind of groups ([Kob89]). In order to obtain “secure” Jacobians it is necessary to prevent attacks like Pohlig/Hellman’s ([PH78]), Frey/Rück’s ([FR94]) and Duursma/Gaudry/Morain’s ([DGM99]). The latter attack is only feasible, if the corresponding function field has an automorphism of large order. To forestall the Pohlig-Hellman attack, one needs to assert that the group order is almost prime, i.e. it ought to contain a large prime factor p0. To prevent the Frey-Rück attack, p0 needs to possess additional properties. Therefore, one needs to know both the automorphism group of the function field and the order of the Jacobian. Unfortunately, there is no efficient algorithm known to compute this order for arbitrary hyperelliptic curves. Only for specific types of curves, divisor class counting is feasible for cryptographically relevant group sizes (e.g. [SSI98], [GH00]). A theorem by Madan ([Mad70]) implies that |JF | divides |JF ′ | whenever F ⊆ F ′ is a (hyper-)elliptic subfield of a hyperelliptic function field s.th. [F ′ : F ] <∞. Thus, a hyperelliptic function field with secure Jacobian will most likely have a trivial automorphism group, i.e. one consisting of the hyperelliptic involution, only. Therefore, the proposed technique provides a quick test to check whether a given hyperelliptic curve may yield a secure Jacobian, i.e. whether it is worthwhile to apply expensive divisor class counting algorithms. Let us outline the afore mentioned algorithm briefly. It is well known that the automorphism group of a hyperelliptic function field is finite (cf. [Sch38]). For each finite group, which can occur as subgroup of such an automorphism group, Brandt gave a normal form for the corresponding hyperelliptic function fields and explicit formulas for these automorphisms (cf. [Bra88]). Brandt’s results only apply to function fields over algebraically closed constant fields, but this is no hindrance as we will see later. For now, we suppose the constant field to be algebraically closed. Hence, computing the automorphism group reduces to the problem of deciding, whether a given hyperelliptic function field has a defining equation of the form given by Brandt’s theorems. This can be checked using theorem 10, which states that two hyperelliptic function fields k(t, u), k(x, y) with u = Dt, y 2 = Dx are equal iff x = α0t+α1 α2t+α3 for some αi ∈ k and y = φu, where φ ∈ k(t) can be determined