# Project : tanc

## Section: New Results

### Algebraic curves over finite fields

Participants : Andreas Enge, Pierrick Gaudry, Nicolas Gürel.

In order to build a cryptosystem based on an algebraic curve over a finite field, one first needs to compute the group law efficiently (and hence to have a convenient representation of the elements of the Jacobian of the curve). Next, computing the cardinality of the Jacobian is required, so that one can find generators of the group, or check the difficulty of the discrete logarithm problem in the group.

#### Effective group laws

A curve that interests us is typically defined over a finite field
$GF({p}^{n})$ where *p* is the characteristic of the field. Part
of what follows does not depend on this setting, and can be used as is
over the rationals, for instance.

The points of an elliptic curve *E* (of equation ${y}^{2}={x}^{3}+ax+b$,
say) form an abelian group, which was thoroughly studied during the
preceding millennium. Adding two points is usually done using what are
called the *tangent-and-chord* formulas. When dealing with a genus
*g* curve (the elliptic case being $g=1$), the associated group is the
Jacobian (the set of *g*-tuples of points modulo an equivalence relation),
an object of dimension *g*. Points are replaced by polynomial
ideals. This requires the help of tools from effective commutative
algebra, such as Gröbner bases or Hermite normal forms.

A. Enge and N. Gürel have been working with J.-C. Faugère and A. Basiri (LIP 6) on the arithmetic of superelliptic and ${C}_{a,b}$ curves, the next class of algebraic curves in complexity after the well understood hyperelliptic ones. They have dramatically improved the existing algorithms and have found new algorithms for superelliptic cubic curves, that is, curves of the form ${y}^{3}=f\left(x\right)$ with $\deg\left(f\right)$ coprime to 3 and at least 4 [20]. They have generalised their work, in part based on Gröbner basis computations, to ${C}_{3,4}$ curves and have provided explicit formulae for realising the group law using only operations in the underlying (finite) field [14].

#### Cardinality

Once the group law is tractable, one has to find means of computing the cardinality of the group, which is not an easy task in general. Of course, it has to be done as fast as possible, since some applications require changing the group very frequently.

Two parameters enter the scene: the genus *g* of the curve, and the
characteristic *p* of the underlying finite field. When $g=1$ and *p*
is large, the only currently known algorithm for computing the number of
points of $E/GF\left(p\right)$ is that of Schoof–Elkies–Atkin. Thanks to the
work of the project members (actually, *before* joining INRIA),
widely used implementations are able to build cryptographically
strong curves in less than one minute on a standard PC.
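As an added example (not code from the project), the tangent-and-chord group law of the "Effective group laws" section and the cardinality question of this section, worked out for a curve ${y}^{2}={x}^{3}+ax+b$ over $GF(p)$. The parameters are constructed and deliberately tiny so that the point count can be exhaustive; Schoof–Elkies–Atkin is what replaces that brute-force count at cryptographic sizes.

```python
# Tangent-and-chord arithmetic on E: y^2 = x^3 + a*x + b over GF(p),
# plus a brute-force cardinality check (constructed example, small p only).

def ec_add(P, Q, a, p):
    """Add two affine points; None denotes the point at infinity O."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                       # P + (-P) = O (vertical line)
    if P == Q:                            # tangent: slope = (3x^2 + a) / 2y
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:                                 # chord: slope = (y2 - y1) / (x2 - x1)
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)

def ec_mul(k, P, a, p):
    """Scalar multiplication k*P by double-and-add."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        k >>= 1
    return R

def ec_order(a, b, p):
    """Naive #E(GF(p)): enumerate all (x, y) solutions, plus O."""
    count = 1
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        count += sum(1 for y in range(p) if (y * y) % p == rhs)
    return count

def hasse_ok(n, p):
    """Hasse bound: |#E - (p + 1)| <= 2*sqrt(p), checked without floats."""
    return (n - p - 1) ** 2 <= 4 * p

# Constructed curve y^2 = x^3 + x + 1 over GF(5): #E = 9, so every point
# has order dividing 9 and 9*P = O.
A, B, PRIME = 1, 1, 5
N = ec_order(A, B, PRIME)
assert hasse_ok(N, PRIME) and ec_mul(N, (0, 1), A, PRIME) is None
```

Because $9 = 3^2$ here, the group has a small prime factor; for a cryptographic curve one checks that #E has a large prime factor before relying on the discrete logarithm in it.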

When *p* is small, with one of the most interesting cases for hardware
implementation in smart cards being $p=2$, the best current methods
are *p*-adic methods, following the breakthrough of T. Satoh with a
method working for $p\ge 5$. The first version of this algorithm for
$p=2$ was proposed independently by M. Fouquet, P. Gaudry and
R. Harley and by B. Skjernaa. J.-F. Mestre has designed the current
fastest algorithm using an AGM approach. Developed by R. Harley and
P. Gaudry, it led to new world records. Then, P. Gaudry combined this
method with other approaches to make it competitive for
cryptographic sizes [32].

When $g>1$ and *p* is large, polynomial time algorithms exist, but
their implementation is not an easy task. P. Gaudry and É. Schost
have modified the best existing algorithm so as to make it more
efficient. They were able to build the first random cryptographically
strong genus 2 curves, defined over a large prime field [19].
To get one step further, one needs to use genus 2 analogues of modular
equations. After a theoretical study [24], they are now
investigating the practical use of these equations.

When $p=2$, *p*-adic algorithms led to striking new results. First,
the AGM approach extends to the case $g=2$ and is competitive in
practice (only three times slower than in the case $g=1$). In another
direction, Kedlaya has introduced a new approach, based on the
Monsky–Washnitzer cohomology. His algorithm originally works for
$p>2$. P. Gaudry and N. Gürel implemented this algorithm and
extended it to superelliptic curves, which had the effect of adding
these curves to the list of those that can be used in cryptography.

Closing the gap between small and large characteristic means
pushing the *p*-adic methods as far as possible. In this spirit, P. Gaudry and
N. Gürel have adapted Kedlaya's algorithm and exhibited a complexity
linear in *p*, making it possible to reach a characteristic of around
1000 (see [31]). For larger *p*, one can use the Cartier–Manin
operator. Recently, A. Bostan, P. Gaudry and É. Schost have found
an algorithm much faster than those previously known [15]. Primes
*p* around $10^{9}$ are now doable.