Section: Research Program

Function fields, algebraic curves and cryptology

Participants : Karim Belabas, Guilhem Castagnos, Jean-Marc Couveignes, Andreas Enge, Damien Robert, Jean Kieffer, Razvan Barbulescu.

Algebraic curves over finite fields are used to build the currently most competitive public key cryptosystems. Such a curve is given by a bivariate equation π’ž(X,Y)=0 with coefficients in a finite field 𝔽q. The main classes of curves that are interesting from a cryptographic perspective are elliptic curves of equation π’ž=Y2-(X3+aX+b) and hyperelliptic curves of equation π’ž=Y2-(X2g+1+β‹―) with gβ©Ύ2.

The cryptosystem is implemented in an associated finite abelian group, the Jacobian Jacπ’ž. Using the language of function fields exhibits a close analogy to the number fields discussed in the previous section. Let 𝔽q(X) (the analogue of β„š) be the rational function field with subring 𝔽q[X] (which is principal just as β„€). The function field of π’ž is Kπ’ž=𝔽q(X)[Y]/(π’ž); it contains the coordinate ring π’ͺπ’ž=𝔽q[X,Y]/(π’ž). Definitions and properties carry over from the number field case K/β„š to the function field extension Kπ’ž/𝔽q(X). The Jacobian Jacπ’ž is the divisor class group of Kπ’ž, which is an extension of (and for the curves used in cryptography usually equals) the ideal class group of π’ͺπ’ž.

The size of the Jacobian group, the main security parameter of the cryptosystem, is given by an L-function. The GRH for function fields, which has been proved by Weil, yields the Hasse–Weil bound (q-1)2gβ©½|Jacπ’ž|β©½(q+1)2g, or |Jacπ’ž|β‰ˆqg, where the genus g is an invariant of the curve that correlates with the degree of its equation. For instance, the genus of an elliptic curve is 1, that of a hyperelliptic one is degXπ’ž-12. An important algorithmic question is to compute the exact cardinality of the Jacobian.

The security of the cryptosystem requires more precisely that the discrete logarithm problem (DLP) be difficult in the underlying group; that is, given elements D1 and D2=xD1 of Jacπ’ž, it must be difficult to determine x. Computing x corresponds in fact to computing Jacπ’ž explicitly with an isomorphism to an abstract product of finite cyclic groups; in this sense, the DLP amounts to computing the class group in the function field setting.

For any integer n, the Weil pairing en on π’ž is a function that takes as input two elements of order n of Jacπ’ž and maps them into the multiplicative group of a finite field extension 𝔽qk with k=k(n) depending on n. It is bilinear in both its arguments, which allows to transport the DLP from a curve into a finite field, where it is potentially easier to solve. The Tate-Lichtenbaum pairing, that is more difficult to define, but more efficient to implement, has similar properties. From a constructive point of view, the last few years have seen a wealth of cryptosystems with attractive novel properties relying on pairings.

For a random curve, the parameter k usually becomes so big that the result of a pairing cannot even be output any more. One of the major algorithmic problems related to pairings is thus the construction of curves with a given, smallish k.