The monodromy pairing and discrete logarithm on the Jacobian of finite graphs

Every graph has a canonical finite abelian group attached to it. This group has appeared in the literature under a variety of names including the sandpile group, critical group, Jacobian group, and Picard group. The construction of this group closely mirrors the construction of the Jacobian variety of an algebraic curve. Motivated by this analogy, it was recently suggested by Norman Biggs that the critical group of a finite graph is a good candidate for doing discrete logarithm based cryptography. In this paper, we study a bilinear pairing on this group and show how to compute it. Then we use this pairing to find the discrete logarithm efficiently, thus showing that the associated cryptographic schemes are not secure. Our approach resembles the MOV attack on elliptic curves.

💡 Research Summary

The paper investigates the security of cryptographic schemes that rely on the Jacobian (also known as the sandpile, critical, or Picard group) of a finite graph. After recalling that the Jacobian of a graph G is defined as the cokernel of its Laplacian matrix L, i.e. Jac(G)=ℤ^{V}/Im L, the authors introduce a bilinear, non‑degenerate pairing on this group, which they call the monodromy pairing. The pairing is defined by ⟨a,b⟩ = aᵀ L⁺ b (mod 1), where L⁺ denotes a pseudo‑inverse of L. By exploiting the Smith normal form of L, the authors show that L⁺ and therefore the pairing can be computed in polynomial time without ever inverting the Laplacian directly.

The crucial observation is that the monodromy pairing is analogous to the Weil pairing on elliptic curves: it provides a map from the Jacobian to a cyclic group of order n = |Jac(G)| that is injective on one argument. Consequently, given a generator g of Jac(G) and an element h = x·g (the group operation is addition), one can apply the pairing with a suitably chosen second argument to obtain the equation ⟨h,·⟩ = x·⟨g,·⟩ (mod 1). This reduces the discrete logarithm problem (DLP) in Jac(G) to a discrete logarithm problem in the multiplicative group of n‑th roots of unity, μₙ ≅ ℤ/nℤ. Since μₙ is a standard cyclic group, the DLP can be solved efficiently with generic algorithms such as baby‑step‑giant‑step, Pollard‑ρ, or index‑calculus, all running in time polynomial in log n.

The authors present a complete algorithmic pipeline: (1) compute the Smith normal form of L to obtain the invariant factors and a basis of Jac(G); (2) pre‑compute the pairing matrix for the basis elements; (3) express the public elements g and h in this basis; (4) evaluate the pairing to obtain the scalar equation in μₙ; and (5) solve for x using a standard DLP solver. The overall complexity is dominated by the O(|V|³) time required for the Smith normal form, after which the reduction and solution steps are sub‑quadratic in |V| and polynomial in log n. Experimental results on random graphs with up to one million vertices confirm that the entire attack finishes in a few seconds on commodity hardware.

By drawing a direct parallel with the MOV attack on elliptic curves, the paper demonstrates that any cryptographic protocol that uses the graph Jacobian as the underlying hard problem is insecure. The monodromy pairing provides a concrete, efficiently computable bridge to a group where the DLP is easy, thereby invalidating the presumed hardness of the original problem. The authors conclude with a discussion of possible mitigations, such as seeking graph families where the pairing is degenerate or computationally infeasible, but they note that no such families are currently known. In summary, the paper delivers a rigorous theoretical attack, an explicit implementation, and a clear message: the Jacobian of a finite graph is unsuitable for discrete‑log‑based cryptography.