## Section: Research Program

### Function fields, algebraic curves and cryptology

Participants : Karim Belabas, Guilhem Castagnos, Jean-Marc Couveignes, Andreas Enge, Damien Robert, Jean Kieffer, Razvan Barbulescu.

Algebraic curves over finite fields are used to build the currently
most competitive public key cryptosystems. Such a curve is given by
a bivariate equation $\mathcal{C}(X,Y)=0$ with coefficients in a finite
field ${\mathbb{F}}_{q}$. The main classes of curves that are interesting from a
cryptographic perspective are *elliptic curves* of equation
$\mathcal{C}={Y}^{2}-({X}^{3}+aX+b)$ and *hyperelliptic curves* of
equation $\mathcal{C}={Y}^{2}-({X}^{2g+1}+\cdots )$ with $g\u2a7e2$.

The cryptosystem is implemented in an associated finite
abelian group, the *Jacobian* ${Jac}_{\mathcal{C}}$. Using the language
of function fields exhibits a close analogy to the number fields
discussed in the previous section. Let ${\mathbb{F}}_{q}\left(X\right)$ (the analogue of $\mathbb{Q}$)
be the *rational function field* with subring ${\mathbb{F}}_{q}\left[X\right]$ (which
is principal just as $\mathbb{Z}$). The *function field* of $\mathcal{C}$ is
${K}_{\mathcal{C}}={\mathbb{F}}_{q}\left(X\right)\left[Y\right]/\left(\mathcal{C}\right)$; it contains the *coordinate ring*
${\mathcal{O}}_{\mathcal{C}}={\mathbb{F}}_{q}[X,Y]/\left(\mathcal{C}\right)$. Definitions and properties carry over from
the number field case $K/\mathbb{Q}$ to the function field extension ${K}_{\mathcal{C}}/{\mathbb{F}}_{q}\left(X\right)$. The Jacobian ${Jac}_{\mathcal{C}}$ is the divisor class group of ${K}_{\mathcal{C}}$, which is
an extension of (and for the curves used in cryptography usually equals) the
ideal class group of ${\mathcal{O}}_{\mathcal{C}}$.

The size of the Jacobian group, the main security parameter of the
cryptosystem, is given by an $L$-function. The GRH for function fields,
which has been proved by Weil, yields the Hasse–Weil bound
${(\sqrt{q}-1)}^{2g}\u2a7d\left|{Jac}_{\mathcal{C}}\right|\u2a7d{(\sqrt{q}+1)}^{2g},$ or
$|{Jac}_{\mathcal{C}}|\approx {q}^{g}$,
where the *genus* $g$ is an invariant of the curve that
correlates with the degree of its equation. For instance, the genus of
an elliptic curve is 1, that of a hyperelliptic one is
$\frac{{deg}_{X}\mathcal{C}-1}{2}$. An important algorithmic
question is to compute the exact cardinality of the Jacobian.

The security of the cryptosystem requires more precisely that the
*discrete logarithm problem* (DLP) be difficult in the underlying
group; that is, given elements ${D}_{1}$ and ${D}_{2}=x{D}_{1}$ of ${Jac}_{\mathcal{C}}$,
it must be difficult to determine $x$. Computing $x$ corresponds in
fact to computing ${Jac}_{\mathcal{C}}$ explicitly with an isomorphism to an
abstract product of finite cyclic groups; in this sense, the DLP amounts
to computing the class group in the function field setting.

For any integer $n$, the *Weil pairing* ${e}_{n}$ on $\mathcal{C}$ is a
function that takes as input two elements of order $n$ of ${Jac}_{\mathcal{C}}$ and
maps them into the multiplicative group of a finite field extension
${\mathbb{F}}_{{q}^{k}}$ with $k=k\left(n\right)$ depending on $n$. It is bilinear in both
its arguments, which allows to transport the DLP from a curve into
a finite field, where it is potentially easier to solve. The
*Tate-Lichtenbaum pairing*, that is more difficult to define,
but more efficient to implement, has similar properties. From a
constructive point of view, the last few years have seen a wealth of
cryptosystems with attractive novel properties relying on pairings.

For a random curve, the parameter $k$ usually becomes so big that the result of a pairing cannot even be output any more. One of the major algorithmic problems related to pairings is thus the construction of curves with a given, smallish $k$.