## Section: Scientific Foundations

### Function fields, algebraic curves and cryptology

Participants: Karim Belabas, Jean-François Biasse, Andreas Enge, Jérôme Milan, Pascal Molin, Vincent Verneuil.

Algebraic curves over finite fields are used to build the currently
most competitive public key cryptosystems. Such a curve is given by
a bivariate equation with coefficients in a finite
field . The main classes of curves that are interesting from a
cryptographic perspective are *elliptic curves* of equation
and *hyperelliptic curves* of
equation with .

The cryptosystem is implemented in an associated finite
abelian group, the *Jacobian* . Using the language
of function fields exhibits a close analogy to the number fields
discussed in the previous section. Let (the analogue of )
be the *rational function field* with subring (which
is principal just as ). The *function field* of is
; it contains the *coordinate ring* . Definitions and properties carry over from
the number field case to the function field extension . The Jacobian is the divisor class group of , which is
an extension of (and for the curves used in cryptography usually equals) the
ideal class group of .

The size of the Jacobian group, the main security parameter of the
cryptosystem, is given by an L-function. The GRH for function fields,
which has been proved by Weil, yields the Hasse–Weil bound
or
,
where the *genus* g is an invariant of the curve that
correlates with the degree of its equation. For instance, the genus of
an elliptic curve is 1, that of a hyperelliptic one is
. An important algorithmic
question is to compute the exact cardinality of the Jacobian.

The security of the cryptosystem requires more precisely that the
*discrete logarithm problem* (DLP) be difficult in the underlying
group; that is, given elements D_{1} and D_{2} = xD_{1} of ,
it must be difficult to determine x. Computing x corresponds in
fact to computing explicitly with an isomorphism to an
abstract product of finite cyclic groups; in this sense, the DLP amounts
to computing the class group in the function field setting.

For any integer n, the *Weil pairing* e_{n} on is a
function that takes as input two elements of order n of and
maps them into the multiplicative group of a finite field extension
with k = k(n) depending on n. It is bilinear in both
its arguments, which allows one to transport the DLP from a curve into
a finite field, where it is potentially easier to solve. The
*Tate-Lichtenbaum pairing*, which is more difficult to define
but more efficient to implement, has similar properties. From a
constructive point of view, the last few years have seen a wealth of
cryptosystems with attractive novel properties relying on pairings.

For a random curve, the parameter k usually becomes so big that the result of a pairing can no longer even be written out. One of the major algorithmic problems related to pairings is thus the construction of curves with a given, smallish k.
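
As an added illustration (not part of the original report), the following Python code counts the points of toy elliptic curves over a prime field, checks the Hasse–Weil bound for genus 1, and computes k as the multiplicative order of q modulo n, which is the standard definition of the embedding degree and is assumed here since the text does not spell it out. The two curves and all function names are constructed for this example.

```python
import math

def count_points(a, b, p):
    """#E(F_p) for y^2 = x^3 + a*x + b over a prime field, p > 3 (O(p) work)."""
    if (4 * a**3 + 27 * b**2) % p == 0:
        raise ValueError("singular curve, not an elliptic curve")
    total = p + 1  # point at infinity, plus p, plus the sum of Legendre symbols
    for x in range(p):
        rhs = (x**3 + a * x + b) % p
        if rhs:  # rhs == 0 gives exactly one point (y = 0), already counted in p
            total += 1 if pow(rhs, (p - 1) // 2, p) == 1 else -1
    return total

def hasse_ok(N, q):
    """Genus 1 Hasse-Weil bound |N - (q + 1)| <= 2*sqrt(q), in exact integers."""
    return (N - q - 1) ** 2 <= 4 * q

def largest_prime_factor(n):
    """Trial division; adequate for the toy group orders used here."""
    f, best = 2, 1
    while f * f <= n:
        while n % f == 0:
            best, n = f, n // f
        f += 1
    return n if n > 1 else best

def embedding_degree(q, n):
    """Smallest k >= 1 with n | q^k - 1 (assumed definition of k(n))."""
    if n < 2 or math.gcd(q, n) != 1:
        raise ValueError("need n >= 2 coprime to q")
    k, t = 1, q % n
    while t != 1:
        t = t * q % n
        k += 1
    return k

def audit(a, b, p):
    """Return (group order N, Hasse check, largest prime n | N, embedding degree k)."""
    N = count_points(a, b, p)
    n = largest_prime_factor(N)
    return N, hasse_ok(N, p), n, embedding_degree(p, n)

if __name__ == "__main__":
    # Constructed toy parameters: an ordinary curve and a supersingular one.
    for a, b, p in [(2, 2, 17), (1, 0, 43)]:
        print((a, b, p), audit(a, b, p))
```

The supersingular curve y^2 = x^3 + x over F_43 has k = 2, so its DLP transports into the small field F_{43^2}, while the ordinary curve over F_17 already has k = 9 for a subgroup of order 19.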