Project-TANC:Algebraic curves over finite fields

Inria / Raweb 2009
Presentation of the Project TANC

Section: Scientific Foundations

Algebraic curves over finite fields

One of the most common cryptographic protocols is Diffie–Hellman Key Exchange, which enables Alice and Bob to exchange secret information over an insecure channel. Given a publicly known cyclic group G of generator g , Alice sends g^a for a random a to Bob, and Bob responds with a random g^b . Both Alice and Bob can now compute g^ab , and this is henceforth their common secret. Of course, this a schematic presentation; real-life protocols based on this need more security properties. Being unable to recover a from g^a (the discrete log problem – DLP ) is a fundamental to the security of the scheme, and groups for which the DLP is difficult must be favored. Therefore, the choice of group G is crucial, and TANC concentrates on groups derived from algebraic curves. These groups offer a very interesting alternative to finite fields: the DLP in a finite field can be broken by subexponential algorithms, while exponential time is required for an elliptic curve over the same field. Smaller keys can therefore be used in curve-based cryptosystems; this is very interesting from the point of view of limited-power devices.

In order to build a cryptosystem based on an algebraic curve over a finite field, one needs to efficiently compute the group law (and hence have a nice representation for elements of the Jacobian of the curve). Next, one must compute the cardinality of the Jacobian, so that we can find generators of the group. Once the curve is built, one needs to test its security, for example by determining the hardness of the DLP in its Jacobian.

Effective group laws

The curves that interest us are typically defined over a finite field GF (pⁿ) , where p is the (prime) characteristic of the field. The points of an elliptic curve E (of equation y² = x³ + ax + b , say) form an abelian group, that was thoroughly studied during the preceding millennium. Adding two points is usually done using the so-called chord-and-tangent formulæ. When dealing with a genus g curve (the elliptic case being g = 1 ), the associated group is the Jacobian (set of g -tuples of points modulo an equivalence relation), an object of dimension g . Points are replaced by polynomial ideals. This requires the help of tools from effective commutative algebra, such as Gröbner bases or Hermite normal forms.

The great catalog of usable curves is now complete, as a result of the work of TANC , notably in two ACI (cryptocourbes and cryptologie p-adique ) that are now finished.

Cardinality

Once the group law is tractable, one has to find means of computing the cardinality of the group, which is not an easy task in general. Of course, this has to be done as fast as possible, if changing the group very frequently in applications is imperative.

Two parameters enter the scene: the genus g of the curve, and the characteristic p of the underlying finite field. When g = 1 and p is large, the only current known algorithm for computing the number of points of E/ GF (p) is that of Schoof–Elkies–Atkin. Thanks to the works of the project, world-widespread implementations are able to build cryptographically strong curves in less than one minute on a standard PC. Recent improvements were made by F. Morain and P. Gaudry (CACAO), see [42] . The current record of SEA was established by F. Morain in 2007 for a prime p of 2500 decimal digits (again compared to 500dd back in 1995), using the work in [3] and in [9] , in which a new approach to the eigenvalue computation is described and proven.

When p is small (one of the most interesting cases for hardware implementation in smart cards being p = 2 ) the best current methods use p -adic numbers, following the breakthrough of T. Satoh with a method working for p $\ge$ 5 . The first version of this algorithm for p = 2 was proposed independently by M. Fouquet, P. Gaudry and R. Harley and by B. Skjernaa. J. -F. Mestre has designed the currently fastest algorithm using the arithmetico-geometric mean (AGM) approach. Developed by R. Harley and P. Gaudry, it led to new world records. Then, P. Gaudry combined this method with other approaches to make it competitive for cryptographic sizes [41] .

When g>1 and p is large, polynomial time algorithms exist, but their implementation is not an easy task. P. Gaudry and É. Schost have modified the best existing algorithm so as to make it more efficient. They were able to build the first random cryptographically strong genus 2 curves defined over a large prime field [43] . To get one step further, one needs to use genus 2 analogues of modular equations. After a theoretical study [44] , they are now investigating the practical use of these equations.

When p = 2 , p -adic algorithms led to striking new results. First, the AGM approach extends to the case g = 2 and is competitive in practice (only three times slower than in the case g = 1 ). In another direction, Kedlaya has introduced a new approach, based on the Monsky–Washnitzer cohomology. His algorithm works originally when p>2 . P. Gaudry and N. Gürel implemented this algorithm and extended it to superelliptic curves, which had the effect of adding these curves to the list of those usable in cryptography.

Closing the gap between small and large characteristic leads to pushing the p -adic methods as far as possible. In this spirit, P. Gaudry and N. Gürel have adapted Kedlaya's algorithm and exhibited a linear complexity in p , making it possible to reach a characteristic of around 1000 (see [39] ). For larger p 's, one can use the Cartier–Manin operator. Recently, A. Bostan, P. Gaudry and É. Schost have found a much faster algorithm than currently known ones [26] . Primes p around 10⁹ are now doable.

Computing isogenies

The core of the Schoof–Elkies–Atkin (SEA) algorithm that computes the cardinality of elliptic curves over finite fields consists in using the theory of isogenies to find small factors of division polynomials. SEA is still the method of choice for the large characteristic case, but no longer for small characteristics.

Isogenies are also a tool for understanding the difficulty of the Discrete Log problem among classes of elliptic curves [52] . Recently, there appeared suggestions to use isogenies in a cryptographic context, replacing the multiplication on curves by the use of such morphisms [63] , [60] .

Algorithms for computing isogenies are very well known and used in the large characteristic case. When the characteristic is small, three algorithms exist: two due to Couveignes [29] , [30] , [56] , and one due to Lercier [55] .

The discrete logarithm problem

The discrete logarithm problem is one of the major difficult problems that allow us to build secure cryptosystems. It has essentially been proved equivalent to the computational Diffie–Hellman problem, which is closer to the actual security of many systems. For an arbitrary group of prime order N , it can be solved by a generic, exponential algorithm using $Im1 ${\#920 (\sqrt N)}$$ group operations. For elliptic curves, set aside some rare and easily avoidable instances, no faster algorithms are known.

In higher genus curves, the algorithms with the best complexity create relations as smooth principal divisors on the curve and use linear algebra to deduce discrete logarithms, similarly to the quadratic sieve for factoring. The first such algorithm for high genus hyperelliptic curves with a heuristic complexity analysis is given in [23] , and A. Enge has developed the first algorithm with a proven subexponential run time of L(1/2) in [35] . Generalisations to further groups suggested for cryptography, in particular ideal class groups of imaginary quadratic number fields, are obtained by A. Enge and P. Gaudry in [5] [34] . Proofs for arbitrary curves of large genus are given by J.-M. Couveignes [28] and F. Heß [49] .

The existence of subexponential algorithms shows that high genus curves are less secure than, say, elliptic ones in cryptography. By analyzing the same algorithms differently, concrete recommendations for key lengths can be obtained, an approach introduced by P. Gaudry in [40] and pursued in [45] . It turns out that elliptic curves and hyperelliptic curves of genus 2 are not affected, while the key lengths have to be increased in higher genus, for instance by 12 % in genus 3.

Using similar algorithms to those analyzed in [5] , C. Diem has shown in [31] that non-hyperelliptic curves (of genus at least 3) are even less secure than hyperelliptic ones of the same genus. This effectively leaves elliptic and low genus hyperelliptic curves as potential sources for public-key cryptosystems.

Pairings on algebraic curves

Algebraic curves have first been used in cryptography as a source for groups in which the discrete logarithm problem should be harder than in the multiplicative group of a finite field. Totally new applications stem from the use of structures proper to algebraic curves, the Tate and Weil pairings. These are bilinear maps that associate to two group elements, at least one of which is defined in an extension field, a root of unity in the same extension field. Among the first new cryptographic primitives were a tripartite Diffie–Hellman key exchange [53] and identity based encryption [61] . Subsequently, the number of articles concerned with pairings has exploded, and a specialised series of conferences has been inaugurated with Pairings 2007 in Tokyo, A. Enge being a member of the programme committees in 2007 and 2008.

One of the most challenging problems related to pairing based cryptography is to find suitable curves, that are hidden like needles in a hay stack. Supersingular elliptic curves yield a rather limited supply of doubtful security. Using its expertise on complex multiplication, the TANC team has published one of the first two algorithms for finding pairing friendly ordinary curves for arbitrary field extension degrees in [33] , the other one being developed in [24] .

Logo Inria