Section: New Results
Algebraic curves over finite fields
Participants : Andreas Enge, Pierrick Gaudry, Nicolas Gürel, François Morain.
Cardinality
F. Morain, helped by A. Enge and P. Gaudry, has been revisiting the SEA algorithm in genus 1, to see what was left to be improved since the last record, which was achieved in 1995 [45] . This led first to new easy records resulting from Moore's law. The program was completely rewritten in NTL and new algorithms were introduced, concerning mainly the fast search for eigenvalues; this work was presented at ISSAC 2006 [19] . Together with A. Bostan, B. Salvy (from projet ALGO ), and É. Schost, F. Morain gave quasi-linear algorithms for computing the explicit form of a strict isogeny between two elliptic curves, another important block in the SEA algorithm [22] . The new record is currently (September 2006) for a prime p of 2100 decimal digits (again compared to 500dd back in 1995).
This was made possible only because of A. Enge new algorithm [24] for computing modular equations of index greater than 2000. The algorithm computes bivariate modular polynomials by an evaluation and interpolation approach and relies on the ability to rapidly evaluate modular functions in complex floating point arguments (cf. Section 6.2.1 ). It has a quasi-linear complexity with respect to its output size, so that again the performance of the algorithm is limited by the size of the result: we have in fact been able to compute modular polynomials of degree larger than 10000 and of size 16 GB by a parallelised implementation of the algorithm. Nevertheless, computing modular polynomials remains the stumbling block for new point counting records. Clearly, to circumvent the memory problems, one would need an algorithm that directly obtains the polynomial specialised in one variable.
We plan to make our new implementation available as an extension to the NTL library.
During his postdoctoral stay in Sydney, N. Gürel worked with D. Kohel and R. Gerkmann on practical aspects of Dwork theory of p-adic differential equations. Based on an unpublished article of N. Tsuzuki, they have constructed the Frobenius matrix of a general family of elliptic curves in characteristic two. In particular, this matrix, whose coefficients are overconvergent series, gives a new point counting method in characteristic two. This work is still in progress.
Discrete logarithms on curves
Concerning the discrete logarithm problem on algebraic curves, the most promising algorithms rely on creating relations as smooth principal divisors on the curve and use linear algebra to deduce the discrete logarithms. Two research directions can be distinguished, that are both pursued by our team. The first approach consists of deriving complexity results for the genus tending to infinity and the size of the finite field growing only moderately. Typically, this results in algorithms of subexponential complexity L(1/2) . This direction has been pursued by A. Enge in his doctoral thesis and later in collaboration with P. Gaudry. The second approach consists in analysing essentially the same algorithms for fixed genus, but with the field size tending to infinity. Typically, the outcome are exponential algorithms, but these may nevertheless be faster than generic algorithms of square root complexity and thus consist a threat for the cryptographic use of algebraic curves. This approach has been founded by P. Gaudry in his doctoral thesis.
Making clever use of the notion of large primes, P. Gaudry, N. Thériault, E. Thomé and C. Diem have succeeded in lowering the complexity of the above mentioned discrete logarithm algorithms for fixed genus so much that curves of genus 5 or higher are definitely eliminated from cryptography [38] . Curves of genus 1 or 2 are not affected, while those of genus 3 or 4 require the key size to be slightly increased and thus might survive in special situations.
A. Enge and P. Gaudry have exhibited a class of curves in which the discrete logarithm is attacked by a subexponential algorithm of complexity L(1/3) , for the very first time in algebraic curve cryptography [25] . This shows that the corresponding algebraic curve cryptosystems, essentially based on Ca, b curves with the degrees in X and Y growing in a special way with the genus, are no more secure than RSA and thus of no cryptographic interest.
