Team, Visitors, External Collaborators
Overall Objectives
Research Program
Highlights of the Year
New Software and Platforms
New Results
Partnerships and Cooperations
XML PDF e-pub
PDF e-Pub

Section: Research Program

Function fields, algebraic curves and cryptology

Participants : Karim Belabas, Guilhem Castagnos, Jean-Marc Couveignes, Andreas Enge, Damien Robert, Jean Kieffer, Razvan Barbulescu.

Algebraic curves over finite fields are used to build the currently most competitive public key cryptosystems. Such a curve is given by a bivariate equation 𝒞(X,Y)=0 with coefficients in a finite field 𝔽q. The main classes of curves that are interesting from a cryptographic perspective are elliptic curves of equation 𝒞=Y2-(X3+aX+b) and hyperelliptic curves of equation 𝒞=Y2-(X2g+1+⋯) with g⩾2.

The cryptosystem is implemented in an associated finite abelian group, the Jacobian Jac𝒞. Using the language of function fields exhibits a close analogy to the number fields discussed in the previous section. Let 𝔽q(X) (the analogue of ℚ) be the rational function field with subring 𝔽q[X] (which is principal just as ℤ). The function field of 𝒞 is K𝒞=𝔽q(X)[Y]/(𝒞); it contains the coordinate ring 𝒪𝒞=𝔽q[X,Y]/(𝒞). Definitions and properties carry over from the number field case K/ℚ to the function field extension K𝒞/𝔽q(X). The Jacobian Jac𝒞 is the divisor class group of K𝒞, which is an extension of (and for the curves used in cryptography usually equals) the ideal class group of 𝒪𝒞.

The size of the Jacobian group, the main security parameter of the cryptosystem, is given by an L-function. The GRH for function fields, which has been proved by Weil, yields the Hasse–Weil bound (q-1)2g⩽|Jac𝒞|⩽(q+1)2g, or |Jac𝒞|≈qg, where the genus g is an invariant of the curve that correlates with the degree of its equation. For instance, the genus of an elliptic curve is 1, that of a hyperelliptic one is degX𝒞-12. An important algorithmic question is to compute the exact cardinality of the Jacobian.

The security of the cryptosystem requires more precisely that the discrete logarithm problem (DLP) be difficult in the underlying group; that is, given elements D1 and D2=xD1 of Jac𝒞, it must be difficult to determine x. Computing x corresponds in fact to computing Jac𝒞 explicitly with an isomorphism to an abstract product of finite cyclic groups; in this sense, the DLP amounts to computing the class group in the function field setting.

For any integer n, the Weil pairing en on 𝒞 is a function that takes as input two elements of order n of Jac𝒞 and maps them into the multiplicative group of a finite field extension 𝔽qk with k=k(n) depending on n. It is bilinear in both its arguments, which allows to transport the DLP from a curve into a finite field, where it is potentially easier to solve. The Tate-Lichtenbaum pairing, that is more difficult to define, but more efficient to implement, has similar properties. From a constructive point of view, the last few years have seen a wealth of cryptosystems with attractive novel properties relying on pairings.

For a random curve, the parameter k usually becomes so big that the result of a pairing cannot even be output any more. One of the major algorithmic problems related to pairings is thus the construction of curves with a given, smallish k.