## Section: Research Program

### Function fields, algebraic curves and cryptology

Participants : Karim Belabas, Guilhem Castagnos, Jean-Marc Couveignes, Andreas Enge, Damien Robert, Jean Kieffer, Razvan Barbulescu.

Algebraic curves over finite fields are used to build the currently
most competitive public key cryptosystems. Such a curve is given by
a bivariate equation $\mathrm{\pi \x9d\x92\x9e}(X,Y)=0$ with coefficients in a finite
field ${\mathrm{\pi \x9d\x94\xbd}}_{q}$. The main classes of curves that are interesting from a
cryptographic perspective are *elliptic curves* of equation
$\mathrm{\pi \x9d\x92\x9e}={Y}^{2}-({X}^{3}+aX+b)$ and *hyperelliptic curves* of
equation $\mathrm{\pi \x9d\x92\x9e}={Y}^{2}-({X}^{2g+1}+\beta \x8b\u2015)$ with $g\beta \copyright \u038e2$.

The cryptosystem is implemented in an associated finite
abelian group, the *Jacobian* ${Jac}_{\mathrm{\pi \x9d\x92\x9e}}$. Using the language
of function fields exhibits a close analogy to the number fields
discussed in the previous section. Let ${\mathrm{\pi \x9d\x94\xbd}}_{q}\left(X\right)$ (the analogue of $\mathrm{\beta \x84\x9a}$)
be the *rational function field* with subring ${\mathrm{\pi \x9d\x94\xbd}}_{q}\left[X\right]$ (which
is principal just as $\mathrm{\beta \x84\u20ac}$). The *function field* of $\mathrm{\pi \x9d\x92\x9e}$ is
${K}_{\mathrm{\pi \x9d\x92\x9e}}={\mathrm{\pi \x9d\x94\xbd}}_{q}\left(X\right)\left[Y\right]/\left(\mathrm{\pi \x9d\x92\x9e}\right)$; it contains the *coordinate ring*
${\mathrm{\pi \x9d\x92\u037a}}_{\mathrm{\pi \x9d\x92\x9e}}={\mathrm{\pi \x9d\x94\xbd}}_{q}[X,Y]/\left(\mathrm{\pi \x9d\x92\x9e}\right)$. Definitions and properties carry over from
the number field case $K/\mathrm{\beta \x84\x9a}$ to the function field extension ${K}_{\mathrm{\pi \x9d\x92\x9e}}/{\mathrm{\pi \x9d\x94\xbd}}_{q}\left(X\right)$. The Jacobian ${Jac}_{\mathrm{\pi \x9d\x92\x9e}}$ is the divisor class group of ${K}_{\mathrm{\pi \x9d\x92\x9e}}$, which is
an extension of (and for the curves used in cryptography usually equals) the
ideal class group of ${\mathrm{\pi \x9d\x92\u037a}}_{\mathrm{\pi \x9d\x92\x9e}}$.

The size of the Jacobian group, the main security parameter of the
cryptosystem, is given by an $L$-function. The GRH for function fields,
which has been proved by Weil, yields the HasseβWeil bound
${(\sqrt{q}-1)}^{2g}\beta \copyright \xbd\left|{Jac}_{\mathrm{\pi \x9d\x92\x9e}}\right|\beta \copyright \xbd{(\sqrt{q}+1)}^{2g},$ or
$|{Jac}_{\mathrm{\pi \x9d\x92\x9e}}|\beta \x89\x88{q}^{g}$,
where the *genus* $g$ is an invariant of the curve that
correlates with the degree of its equation. For instance, the genus of
an elliptic curve is 1, that of a hyperelliptic one is
$\frac{{deg}_{X}\mathrm{\pi \x9d\x92\x9e}-1}{2}$. An important algorithmic
question is to compute the exact cardinality of the Jacobian.

The security of the cryptosystem requires more precisely that the
*discrete logarithm problem* (DLP) be difficult in the underlying
group; that is, given elements ${D}_{1}$ and ${D}_{2}=x{D}_{1}$ of ${Jac}_{\mathrm{\pi \x9d\x92\x9e}}$,
it must be difficult to determine $x$. Computing $x$ corresponds in
fact to computing ${Jac}_{\mathrm{\pi \x9d\x92\x9e}}$ explicitly with an isomorphism to an
abstract product of finite cyclic groups; in this sense, the DLP amounts
to computing the class group in the function field setting.

For any integer $n$, the *Weil pairing* ${e}_{n}$ on $\mathrm{\pi \x9d\x92\x9e}$ is a
function that takes as input two elements of order $n$ of ${Jac}_{\mathrm{\pi \x9d\x92\x9e}}$ and
maps them into the multiplicative group of a finite field extension
${\mathrm{\pi \x9d\x94\xbd}}_{{q}^{k}}$ with $k=k\left(n\right)$ depending on $n$. It is bilinear in both
its arguments, which allows to transport the DLP from a curve into
a finite field, where it is potentially easier to solve. The
*Tate-Lichtenbaum pairing*, that is more difficult to define,
but more efficient to implement, has similar properties. From a
constructive point of view, the last few years have seen a wealth of
cryptosystems with attractive novel properties relying on pairings.

For a random curve, the parameter $k$ usually becomes so big that the result of a pairing cannot even be output any more. One of the major algorithmic problems related to pairings is thus the construction of curves with a given, smallish $k$.