Hyperelliptic curve cryptography

Hyperelliptic curve cryptography is similar to elliptic curve cryptography (ECC) insofar as the Jacobian of a hyperelliptic curve is an abelian group in which to do arithmetic, just as we use the group of points on an elliptic curve in ECC.

An (imaginary) hyperelliptic curve of genus ${\displaystyle g}$ over a field ${\displaystyle K}$ is given by the equation ${\displaystyle C:y^{2}+h(x)y=f(x)\in K[x,y]}$ where ${\displaystyle h(x)\in K[x]}$ is a polynomial of degree not larger than ${\displaystyle g}$ and ${\displaystyle f(x)\in K[x]}$ is a monic polynomial of degree ${\displaystyle 2g+1}$. From this definition it follows that elliptic curves are hyperelliptic curves of genus 1. In hyperelliptic curve cryptography ${\displaystyle K}$ is often a finite field. The Jacobian of ${\displaystyle C}$, denoted ${\displaystyle J(C)}$, is a quotient group, thus the elements of the Jacobian are not points, they are equivalence classes of divisors of degree 0 under the relation of linear equivalence. This agrees with the elliptic curve case, because it can be shown that the Jacobian of an elliptic curve is isomorphic with the group of points on the elliptic curve. The use of hyperelliptic curves in cryptography came about in 1989 from Neal Koblitz. Although introduced only 3 years after ECC, not many cryptosystems implement hyperelliptic curves because the implementation of the arithmetic isn't as efficient as with cryptosystems based on elliptic curves or factoring (RSA). The efficiency of implementing the arithmetic depends on the underlying finite field ${\displaystyle K}$, in practice it turns out that finite fields of characteristic 2 are a good choice for hardware implementations while software is usually faster in odd characteristic.

...
Wikipedia