Team-Lfant:Function fields, algebraic curves and cryptology

Inria / Raweb 2009
Presentation of the Team Lfant

Section: Scientific Foundations

Function fields, algebraic curves and cryptology

Participants : Karim Belabas, Jean-François Biasse, Andreas Enge, Jérôme Milan, Pascal Molin, Vincent Verneuil.

Algebraic curves over finite fields are used to build the currently most competitive public key cryptosystems. Such a curve is given by a bivariate equation $Im12 ${\#119966 (X,Y)=0}$$ with coefficients in a finite field $Im13 $\#120125 _q$$ . The main classes of curves that are interesting from a cryptographic perspective are elliptic curves of equation $Im14 ${\#119966 =Y^2-{(X^3+aX+b)}}$$ and hyperelliptic curves of equation $Im15 ${\#119966 =Y^2-{(X^{2g+1}+\#8943 )}}$$ with $Im16 ${g\#10878 2}$$ .

The cryptosystem is implemented in an associated finite abelian group, the Jacobian $Im17 $Jac_\#119966 $$ . Using the language of function fields exhibits a close analogy to the number fields discussed in the previous section. Let $Im18 ${\#120125 _q{(X)}}$$ (the analogue of $Im9 $\#8474 $$ ) be the rational function field with subring $Im19 ${\#120125 _q{[X]}}$$ (which is principal just as $Im8 $\#8484 $$ ). The function field of $Im20 $\#119966 $$ is $Im21 ${K_\#119966 =\#120125 _q{(X)}{[Y]}/{(\#119966 )}}$$ ; it contains the coordinate ring $Im22 ${\#119978 _\#119966 =\#120125 _q{[X,Y]}/{(\#119966 )}}$$ . Definitions and properties carry over from the number field case $Im23 ${K/\#8474 }$$ to the function field extension $Im24 ${K_\#119966 /\#120125 _q{(X)}}$$ . The Jacobian $Im17 $Jac_\#119966 $$ is the divisor class group of $Im25 $K_\#119966 $$ , which is an extension of (and for the curves used in cryptography usually equals) the ideal class group of $Im26 $\#119978 _\#119966 $$ .

The size of the Jacobian group, the main security parameter of the cryptosystem, is given by an L -function. The GRH for function fields, which has been proved by Weil, yields the Hasse–Weil bound $Im27 ${{(\sqrt q-1)}^{2g}\#10877 {|Jac_\#119966 |}\#10877 {(\sqrt q+1)}^{2g},}$$ or $Im28 ${{|}Jac_\#119966 {|\#8776 }q^g}$$ , where the genus g is an invariant of the curve that correlates with the degree of its equation. For instance, the genus of an elliptic curve is 1, that of a hyperelliptic one is $Im29 $\mfrac {deg_X\#119966 -1}2$$ . An important algorithmic question is to compute the exact cardinality of the Jacobian.

The security of the cryptosystem requires more precisely that the discrete logarithm problem (DLP) be difficult in the underlying group; that is, given elements D₁ and D₂ = xD₁ of $Im17 $Jac_\#119966 $$ , it must be difficult to determine x . Computing x corresponds in fact to computing $Im17 $Jac_\#119966 $$ explicitly with an isomorphism to an abstract product of finite cyclic groups; in this sense, the DLP amounts to computing the class group in the function field setting.

For any integer n , the Weil pairing e_n on $Im20 $\#119966 $$ is a function that takes as input two elements of order n of $Im17 $Jac_\#119966 $$ and maps them into the multiplicative group of a finite field extension $Im30 $\#120125 _q^k$$ with k = k(n) depending on n . It is bilinear in both its arguments, which allows to transport the DLP from a curve into a finite field, where it is potentially easier to solve. The Tate-Lichtenbaum pairing , that is more difficult to define, but more efficient to implement, has similar properties. From a constructive point of view, the last few years have seen a wealth of cryptosystems with attractive novel properties relying on pairings.

For a random curve, the parameter k usually becomes so big that the result of a pairing cannot even be output any more. One of the major algorithmic problems related to pairings is thus the construction of curves with a given, smallish k .

Logo Inria