
Section: Scientific Foundations

Algebraic curves over finite fields

One of the most widely used protocols is Diffie-Hellman, which enables Alice and Bob to agree on a secret over an insecure channel. Given a publicly known cyclic group G with generator g, Alice sends g^a for a random a to Bob, and Bob responds with g^b for a random b. Both Alice and Bob can now compute g^{ab}, which is henceforth their common secret. Of course, this is a schematic presentation: real-life protocols built on it need further security properties (authentication of the two parties, for instance). Being unable to recover a from g^a (the discrete logarithm problem, DLP) is a major concern for the security of the scheme, so groups in which the DLP is hard must be favored. Groups therefore matter, and TANC concentrates on algebraic curves, since they offer a very interesting alternative to the multiplicative groups of finite fields, in which the DLP can be solved by subexponential algorithms. With curves a smaller key reaches the same security level, which is of great interest for devices with limited computing power.

In order to build a cryptosystem based on an algebraic curve over a finite field, one first needs to compute the group law efficiently (hence to have a convenient representation of the elements of the Jacobian of the curve). Next, the cardinality of the Jacobian must be computed, so that one can find generators of the group and check the difficulty of the discrete logarithm in it. Once the curve is built, its security still has to be tested, for example by checking how hard the discrete logarithm in this particular group actually is.

Effective group laws

A curve that interests us is typically defined over a finite field GF(p^n), where p is the characteristic of the field. Part of what follows does not depend on this setting and can be used as is over the rationals, for instance.

The points of an elliptic curve E (of equation y^2 = x^3 + ax + b, say) form an abelian group that was thoroughly studied during the preceding millennium. Adding two points is usually done with what are called the tangent-and-chord formulae. For a curve of genus g (the elliptic case being g = 1), the associated group is the Jacobian, an object of dimension g whose elements are g-tuples of points modulo an equivalence relation. Points are then replaced by polynomial ideals, which requires tools from effective commutative algebra such as Gröbner bases or Hermite normal forms.
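As an added example (this is not code from the TANC report or its software), the tangent-and-chord law above on a Weierstrass curve over GF(p), the scalar multiplication built on it, the Diffie-Hellman exchange of the first paragraph carried out in the group generated by a point, and the exhaustive-search discrete logarithm that a too-small group falls to. The curve y^2 = x^3 + x + 1 over GF(23), which has 28 points, is a toy choice for illustration and is an assumption, not a curve from the report.

```python
# Added example, not code from the TANC report: the tangent-and-chord group law
# on an elliptic curve E: y^2 = x^3 + a*x + b over GF(p) (p an odd prime), the
# double-and-add scalar multiplication built on it, a Diffie-Hellman exchange
# in the group generated by a point, and the exhaustive-search discrete log
# that shows why the group must be large.  The curve y^2 = x^3 + x + 1 over
# GF(23), which has 28 points, is a toy choice (assumption) for illustration.

def inv_mod(v, p):
    """Inverse of v modulo the prime p, by Fermat (v must be nonzero mod p)."""
    v %= p
    if v == 0:
        raise ZeroDivisionError("no inverse of 0 mod p")
    return pow(v, p - 2, p)


class Curve:
    """Short Weierstrass curve over GF(p).  The point at infinity O is None."""

    def __init__(self, a, b, p):
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            raise ValueError("singular curve: 4a^3 + 27b^2 = 0 mod p")
        self.a, self.b, self.p = a % p, b % p, p

    def on_curve(self, P):
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P):
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P, Q):
        """P + Q by the chord (P != Q) or tangent (P == Q) formula."""
        if P is None:
            return Q
        if Q is None:
            return P
        p = self.p
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return None                  # Q = -P, including doubling a point with y = 0
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * inv_mod(2 * y1, p) % p   # tangent slope
        else:
            lam = (y2 - y1) * inv_mod(x2 - x1, p) % p              # chord slope
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, k, P):
        """[k]P by left-to-right double-and-add (k may be 0 or negative)."""
        if k < 0:
            return self.mul(-k, self.neg(P))
        R = None
        for bit in bin(k)[2:]:
            R = self.add(R, R)
            if bit == "1":
                R = self.add(R, P)
        return R

    def order_of_point(self, P):
        """Smallest n >= 1 with [n]P = O, by repeated addition (toy sizes only)."""
        n, R = 1, P
        while R is not None:
            R = self.add(R, P)
            n += 1
        return n


def ecdh(curve, G, a, b):
    """Alice sends A = [a]G, Bob sends B = [b]G; each computes [ab]G from the
    other's message.  Returns (A, B, Alice's secret, Bob's secret)."""
    A, B = curve.mul(a, G), curve.mul(b, G)
    return A, B, curve.mul(a, B), curve.mul(b, A)


def dlog_bruteforce(curve, G, Q):
    """Exhaustive search for k with [k]G = Q.  Feasible here only because the
    group is tiny; at cryptographic sizes this (and its O(sqrt(n)) refinements)
    is exactly what choosing a large prime-order group defeats."""
    bound = 2 * curve.p + 2              # crude bound above #E(GF(p)), by Hasse
    k, R = 0, None
    while k <= bound:
        if R == Q:
            return k
        R = curve.add(R, G)
        k += 1
    return None                          # Q is not a multiple of G


if __name__ == "__main__":
    E = Curve(1, 1, 23)                  # toy curve, 28 points
    G = (3, 10)
    A, B, sA, sB = ecdh(E, G, 5, 9)
    print("order of G:", E.order_of_point(G), "shared secret:", sA, sB == sA)
    print("recovered a =", dlog_bruteforce(E, G, A))
```

Swapping in a curve of cryptographic size changes nothing in the group law or the exchange; only the brute-force search stops being feasible, which is the whole point of the cardinality computation discussed below: one must know the group order to be sure no small subgroup makes the search (or its square-root refinements) cheap.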

A. Enge and N. Gürel have worked with J.-C. Faugère and A. Basiri (LIP6) on the arithmetic of superelliptic and C_{a,b} curves, the next class of algebraic curves in complexity after the well-understood hyperelliptic ones. They have dramatically improved the existing algorithms and found new algorithms for superelliptic cubic curves, that is, curves of the form y^3 = f(x) with deg(f) prime to 3 and at least 4 [1]. They have generalized this work, in part based on Gröbner basis computations, to C_{3,4} curves and have provided explicit formulae for realizing the group law using only operations in the underlying (finite) field [26].

The great catalog of usable curves is now complete, as a result of the work of TANC, notably within two ACI (cryptocourbes and cryptologie p-adique) that are now finished.


Once the group law is tractable, one has to find means of computing the cardinality of the group, which is not an easy task in general. Of course, this has to be done as fast as possible if applications require changing the group very frequently.

Two parameters enter the scene: the genus g of the curve and the characteristic p of the underlying finite field. When g = 1 and p is large, the only currently known efficient algorithm for computing the number of points of E/GF(p) is that of Schoof–Elkies–Atkin. Thanks to the work of the project, widespread implementations are able to build cryptographically strong curves in less than one minute on a standard PC.

When p is small (one of the most interesting cases for hardware implementations in smart cards being p = 2), the best current methods use p-adic numbers, following the breakthrough of T. Satoh with a method working for p ≥ 5. The first version of this algorithm for p = 2 was proposed independently by M. Fouquet, P. Gaudry and R. Harley, and by B. Skjernaa. J.-F. Mestre has designed the currently fastest algorithm, using the arithmetico-geometric mean (AGM) approach. Developed by R. Harley and P. Gaudry, it led to new world records. Then P. Gaudry combined this method with other approaches to make it competitive at cryptographic sizes [36].

When g > 1 and p is large, polynomial-time algorithms exist, but implementing them is not an easy task. P. Gaudry and É. Schost have modified the best existing algorithm to make it more efficient, and were able to build the first random cryptographically strong genus 2 curves defined over a large prime field [8]. To go one step further, one needs genus 2 analogues of modular equations; after a theoretical study [9], they are now investigating the practical use of these equations.

When p = 2, p-adic algorithms have led to striking new results. First, the AGM approach extends to the case g = 2 and is competitive in practice (only about three times slower than in the case g = 1). In another direction, Kedlaya has introduced a new approach based on Monsky–Washnitzer cohomology; his algorithm originally works for p > 2. P. Gaudry and N. Gürel implemented this algorithm and extended it to superelliptic curves, which added these curves to the list of those usable in cryptography.

Closing the gap between small and large characteristic means pushing the p-adic methods as far as possible. In this spirit, P. Gaudry and N. Gürel have adapted Kedlaya's algorithm and obtained a complexity linear in p, making it possible to reach a characteristic of around 1000 (see [35]). For larger p, one can use the Cartier–Manin operator; recently, A. Bostan, P. Gaudry and É. Schost have found an algorithm much faster than the previously known ones [29]. Primes p around 10^9 are now doable.
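As an added example serving both the cardinality discussion (the paragraphs on computing the number of points for g = 1) and the Cartier–Manin remark just above, here are the two elementary, exponential-time ways of counting points on an elliptic curve over GF(p). Neither is the SEA algorithm nor the fast algorithm of [29]; they are written here (not taken from the report or its software) to make concrete what the cardinality computation delivers, to show the Hasse bound at work, and to exhibit the Hasse invariant, which is the genus-1 instance of the Cartier–Manin matrix: the coefficient of x^(p-1) in f(x)^((p-1)/2) is congruent to a_p modulo p, where #E(GF(p)) = p + 1 - a_p. The curves used, y^2 = x^3 + x + 1 over GF(23) and over GF(1009), are assumptions chosen for illustration.

```python
# Added example, not code from the TANC report: exponential-time point counting
# on E: y^2 = f(x) = x^3 + a*x + b over GF(p), to make concrete what the
# cardinality computation delivers and why SEA (large p) or the Cartier-Manin
# approach of [29] are needed at cryptographic sizes.  Two toy methods:
#   1. the character sum  #E = 1 + sum_x (1 + chi(f(x)))  (O(p) exponentiations);
#   2. the Hasse invariant, the genus-1 case of the Cartier-Manin matrix:
#      the coefficient of x^(p-1) in f^((p-1)/2) is congruent to a_p mod p,
#      where #E = p + 1 - a_p, and the Hasse bound |a_p| <= 2*sqrt(p) pins down
#      a_p once p >= 17.
# The curves used below (y^2 = x^3 + x + 1 over GF(23) and GF(1009)) are
# assumptions chosen for illustration.

def legendre(v, p):
    """Quadratic character chi(v): 0 if p | v, +1 if v is a nonzero square, -1 otherwise."""
    v %= p
    if v == 0:
        return 0
    return 1 if pow(v, (p - 1) // 2, p) == 1 else -1


def count_points_character_sum(a, b, p):
    """#E(GF(p)): one point at infinity plus, for each x, 1 + chi(f(x)) affine points."""
    return 1 + sum(1 + legendre(x ** 3 + a * x + b, p) for x in range(p))


def poly_mul_mod(u, v, p):
    """Product of polynomials given as coefficient lists (lowest degree first), mod p."""
    out = [0] * (len(u) + len(v) - 1)
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            out[i + j] = (out[i + j] + ui * vj) % p
    return out


def hasse_invariant(a, b, p):
    """Coefficient of x^(p-1) in f(x)^((p-1)/2) mod p, by square-and-multiply on polynomials."""
    f = [b % p, a % p, 0, 1]
    result, base, e = [1], f, (p - 1) // 2
    while e:
        if e & 1:
            result = poly_mul_mod(result, base, p)
        e >>= 1
        if e:
            base = poly_mul_mod(base, base, p)
    return result[p - 1] if len(result) > p - 1 else 0


def count_points_cartier_manin(a, b, p):
    """Recover #E from a_p mod p: valid for p >= 17, where 4*sqrt(p) < p makes the lift unique."""
    if p < 17:
        raise ValueError("for p < 17 the Hasse bound leaves a_p mod p ambiguous")
    ap = hasse_invariant(a, b, p)
    if ap > p // 2:
        ap -= p                          # centred representative in (-p/2, p/2]
    if ap * ap > 4 * p:
        raise ArithmeticError("a_p violates the Hasse bound: singular curve or invalid input")
    return p + 1 - ap


def quadratic_twist(a, b, p, d):
    """Coefficients (a*d^2, b*d^3) of the twist d*y^2 = f(x); d must be a non-square mod p.
    Since chi(d*f(x)) = -chi(f(x)), #E + #E' = 2p + 2: the twist's order comes for free."""
    if legendre(d, p) != -1:
        raise ValueError("d must be a quadratic non-residue mod p")
    return (a * d * d % p, b * d ** 3 % p)


if __name__ == "__main__":
    n = count_points_character_sum(1, 1, 23)
    print("#E over GF(23):", n, " via Cartier-Manin:", count_points_cartier_manin(1, 1, 23))
    a2, b2 = quadratic_twist(1, 1, 23, 5)
    print("twist has", count_points_character_sum(a2, b2, 23), "points; 2p+2 =", 2 * 23 + 2)
```

Both routines cost at least O(p) field operations, so they stop at p of a few million on a PC; this is the wall that SEA (polynomial in log p) and the fast Cartier–Manin evaluation of [29] break through. The twist relation is worth remembering in practice: a curve and its quadratic twist are counted together, and rejecting a curve whose order has no large prime factor often means looking at the twist next.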

