Section:
Research Program
Curve-Based cryptology
Theme: Curve-Based Cryptology
Jacobians of curves are excellent candidates for cryptographic groups
when constructing efficient instances of public-key cryptosystems.
Diffie–Hellman key exchange is an instructive example.
Suppose Alice and Bob want to establish a secure communication
channel. Essentially, this means establishing a common secret
key, which they will then use for encryption and decryption.
Some decades ago, they would have exchanged this key in person, or
through some trusted intermediary; in the modern, networked world,
this is typically impossible, and in any case completely unscalable.
Alice and Bob may be anonymous parties who want to do e-business, for
example, in which case they cannot securely meet, and they have no way
to be sure of each other's identities. Diffie–Hellman key exchange
solves this problem. First, Alice and Bob publicly agree on a
cryptographic group with a generator (of order ); then
Alice secretly chooses an integer from , and sends to
Bob. In the meantime, Bob secretly chooses an integer from
, and sends to Alice. Alice then computes , while
Bob computes ; both have now computed , which becomes
their shared secret key. The security of this key depends on the
difficulty of computing given , , and ; this is the
Computational Diffie–Hellman Problem (CDHP). In practice, the CDHP
corresponds to the Discrete Logarithm Problem (DLP), which is to
determine given and .
This simple protocol has been in use, with only minor modifications,
since the 1970s. The challenge is to create examples of groups
with a relatively compact representation and an efficiently computable
group law, and such that the DLP in is hard (ideally approaching
the exponential difficulty of the DLP in an abstract group). The
Pohlig–Hellman reduction shows that the DLP in is essentially
only as hard as the DLP in its largest prime-order subgroup.
We therefore look for compact and efficient groups of prime order.
The classic example of a group suitable for the Diffie–Hellman protocol
is the multiplicative group of a finite field .
There are two problems that render its usage somewhat less than ideal.
First, it has too much structure: we have a subexponential Index
Calculus attack on the DLP in this group, so while it is very hard,
the DLP falls a long way short of the exponential difficulty of the
DLP in an abstract group. Second, there is only one such group for
each : its subgroup treillis depends only on the factorization of
, and requiring to have a large prime factor eliminates
many convenient choices of .
This is where Jacobians of algebraic curves come into their own.
First, elliptic curves and Jacobians of genus 2 curves do not have a
subexponential index calculus algorithm: in particular, from the point
of view of the DLP, a generic elliptic curve is currently as
strong as a generic group of the same size. Second, they provide
some diversity: we have many degrees of freedom in choosing
curves over a fixed , with a consequent diversity of possible
cryptographic group orders. Furthermore, an attack which leaves one curve
vulnerable may not necessarily apply to other curves. Third, viewing
a Jacobian as a geometric object rather than a pure group allows us to
take advantage of a number of special features of Jacobians. These
features include efficiently computable pairings, geometric
transformations for optimised group laws, and the availability of
efficiently computable non-integer endomorphisms for accelerated
encryption and decryption.