Section: Scientific Foundations
Function fields, algebraic curves and cryptology
Participants : Karim Belabas, Jean-François Biasse, Andreas Enge, Jérôme Milan, Pascal Molin, Vincent Verneuil.
Algebraic curves over finite fields are used to build the currently most competitive public key cryptosystems. Such a curve is given by a bivariate equation with coefficients in a finite field . The main classes of curves that are interesting from a cryptographic perspective are elliptic curves of equation and hyperelliptic curves of equation with .
The cryptosystem is implemented in an associated finite abelian group, the Jacobian . Using the language of function fields exhibits a close analogy to the number fields discussed in the previous section. Let (the analogue of ) be the rational function field with subring (which is principal just as ). The function field of is ; it contains the coordinate ring . Definitions and properties carry over from the number field case to the function field extension . The Jacobian is the divisor class group of , which is an extension of (and for the curves used in cryptography usually equals) the ideal class group of .
The size of the Jacobian group, the main security parameter of the cryptosystem, is given by an L -function. The GRH for function fields, which has been proved by Weil, yields the Hasse–Weil bound or , where the genus g is an invariant of the curve that correlates with the degree of its equation. For instance, the genus of an elliptic curve is 1, that of a hyperelliptic one is . An important algorithmic question is to compute the exact cardinality of the Jacobian.
The security of the cryptosystem requires more precisely that the discrete logarithm problem (DLP) be difficult in the underlying group; that is, given elements D1 and D2 = xD1 of , it must be difficult to determine x . Computing x corresponds in fact to computing explicitly with an isomorphism to an abstract product of finite cyclic groups; in this sense, the DLP amounts to computing the class group in the function field setting.
For any integer n , the Weil pairing en on is a function that takes as input two elements of order n of and maps them into the multiplicative group of a finite field extension with k = k(n) depending on n . It is bilinear in both its arguments, which allows to transport the DLP from a curve into a finite field, where it is potentially easier to solve. The Tate-Lichtenbaum pairing , that is more difficult to define, but more efficient to implement, has similar properties. From a constructive point of view, the last few years have seen a wealth of cryptosystems with attractive novel properties relying on pairings.
For a random curve, the parameter k usually becomes so big that the result of a pairing cannot even be output any more. One of the major algorithmic problems related to pairings is thus the construction of curves with a given, smallish k .