## Section: Scientific Foundations

### Algebraic Curves and Cryptology

Though we are interested in algebraic curves by themselves, the applications to cryptology remain a motivation of our research, which is therefore especially focused on curves defined over finite fields.

In the mid-eighties, Koblitz   and Miller   proposed to use elliptic curves as a basis of public key cryptosystems. Indeed, the set of points on an elliptic curve is an abelian group, which is finite if the base field is a finite field. In this group, the discrete logarithm problem is thought to be difficult in general, in the sense that the best known algorithm to solve it has an exponential complexity. This has to be compared with the classical RSA algorithm, the security of which relies on the difficulty of factoring integers, but where the best known factoring algorithm has subexponential complexity. In practice, this means that the size of the parameters is much smaller for elliptic curve based cryptosystems than for classical ones.

More generally, for an algebraic curve over a finite field, there is a finite abelian group associated to it, called the Jacobian of the curve. Algebraic curves can be classified by their genus; the genus of a conic is zero and elliptic curves are curves of genus 1 (in that case, the Jacobian is isomorphic to the curve). As long as the genus is not too large, the discrete logarithm problem in the Jacobian of a curve is thought to be difficult in general, therefore one can also base cryptosystems on non-elliptic curves.

The main algorithmic tasks in relation to the use of curves in cryptography are the following:

1. Have an explicit description of the group and the group operation, as efficient as possible. The speed of ciphering and deciphering is indeed directly linked to the efficiency of the group operation.

2. Construct curves suitable for cryptographic use: the minimal requirement for the discrete logarithm to be difficult is to have a large prime factor in the group order. It is therefore necessary to compute the group order to check that property. This is what we call the point counting task .

3. Study the security of curve-based primitives. By this, since no general framework exists to assess that security, we mean undertake an as thorough as possible study of the security offered by those groups. The most standard way to do this is by trying to solve discrete logarithm problems in certain classes of curves.

Logo Inria