Overall Objectives
New Software and Platforms
Partnerships and Cooperations
Bibliography
 PDF e-Pub

Section: Research Program

Function fields, algebraic curves and cryptology

Participants : Karim Belabas, Guilhem Castagnos, Jean-Marc Couveignes, Andreas Enge, Damien Robert, Jean Kieffer, Razvan Barbulescu.

Algebraic curves over finite fields are used to build the currently most competitive public key cryptosystems. Such a curve is given by a bivariate equation $𝒞\left(X,Y\right)=0$ with coefficients in a finite field ${𝔽}_{q}$. The main classes of curves that are interesting from a cryptographic perspective are elliptic curves of equation $𝒞={Y}^{2}-\left({X}^{3}+aX+b\right)$ and hyperelliptic curves of equation $𝒞={Y}^{2}-\left({X}^{2g+1}+\cdots \right)$ with $g⩾2$.

The cryptosystem is implemented in an associated finite abelian group, the Jacobian ${Jac}_{𝒞}$. Using the language of function fields exhibits a close analogy to the number fields discussed in the previous section. Let ${𝔽}_{q}\left(X\right)$ (the analogue of $ℚ$) be the rational function field with subring ${𝔽}_{q}\left[X\right]$ (which is principal just as $ℤ$). The function field of $𝒞$ is ${K}_{𝒞}={𝔽}_{q}\left(X\right)\left[Y\right]/\left(𝒞\right)$; it contains the coordinate ring ${𝒪}_{𝒞}={𝔽}_{q}\left[X,Y\right]/\left(𝒞\right)$. Definitions and properties carry over from the number field case $K/ℚ$ to the function field extension ${K}_{𝒞}/{𝔽}_{q}\left(X\right)$. The Jacobian ${Jac}_{𝒞}$ is the divisor class group of ${K}_{𝒞}$, which is an extension of (and for the curves used in cryptography usually equals) the ideal class group of ${𝒪}_{𝒞}$.

The size of the Jacobian group, the main security parameter of the cryptosystem, is given by an $L$-function. The GRH for function fields, which has been proved by Weil, yields the Hasse–Weil bound ${\left(\sqrt{q}-1\right)}^{2g}⩽|{Jac}_{𝒞}|⩽{\left(\sqrt{q}+1\right)}^{2g},$ or $|{Jac}_{𝒞}|\approx {q}^{g}$, where the genus $g$ is an invariant of the curve that correlates with the degree of its equation. For instance, the genus of an elliptic curve is 1, that of a hyperelliptic one is $\frac{{deg}_{X}𝒞-1}{2}$. An important algorithmic question is to compute the exact cardinality of the Jacobian.

The security of the cryptosystem requires more precisely that the discrete logarithm problem (DLP) be difficult in the underlying group; that is, given elements ${D}_{1}$ and ${D}_{2}=x{D}_{1}$ of ${Jac}_{𝒞}$, it must be difficult to determine $x$. Computing $x$ corresponds in fact to computing ${Jac}_{𝒞}$ explicitly with an isomorphism to an abstract product of finite cyclic groups; in this sense, the DLP amounts to computing the class group in the function field setting.

For any integer $n$, the Weil pairing ${e}_{n}$ on $𝒞$ is a function that takes as input two elements of order $n$ of ${Jac}_{𝒞}$ and maps them into the multiplicative group of a finite field extension ${𝔽}_{{q}^{k}}$ with $k=k\left(n\right)$ depending on $n$. It is bilinear in both its arguments, which allows to transport the DLP from a curve into a finite field, where it is potentially easier to solve. The Tate-Lichtenbaum pairing, that is more difficult to define, but more efficient to implement, has similar properties. From a constructive point of view, the last few years have seen a wealth of cryptosystems with attractive novel properties relying on pairings.

For a random curve, the parameter $k$ usually becomes so big that the result of a pairing cannot even be output any more. One of the major algorithmic problems related to pairings is thus the construction of curves with a given, smallish $k$.