
Advances in Mathematics of Communications, doi:10.3934/amc.2010.4.281, Volume 4, No. 2, 2010, 281–305

RELATIONS BETWEEN ARITHMETIC GEOMETRY AND PUBLIC KEY CRYPTOGRAPHY

Gerhard Frey Institute for Experimental Mathematics University of Duisburg-Essen Ellernstrasse 29, 45326 Essen, Germany

(Communicated by Ian Blake)

Abstract. In this article we shall try to give an overview of the interplay between the design of public key cryptosystems and algorithmic arithmetic geometry. We begin in Section 2 with a very abstract setting and try to avoid all structures which are not necessary for protocols like Diffie-Hellman key exchange, ElGamal signatures and pairing based cryptography (e.g. short signatures). As an unavoidable consequence of the generality the result is difficult to read and clumsy. But nevertheless it may be worthwhile, because there are suggestions for systems which do not use the full strength of group structures (see Subsection 2.2.1), and it may motivate the search for alternatives to known group-based systems. But, of course, the main part of the article deals with the usual realization by discrete logarithms in groups, and the main source for cryptographically useful groups are divisor class groups. We describe advances concerning arithmetic in such groups attached to curves over finite fields, including addition and point counting, which have an immediate application to the construction of cryptosystems. For the security of these systems one has to make sure that the computation of the discrete logarithm is hard. We shall see how methods from arithmetic geometry narrow the range of candidates usable for cryptography considerably and leave only carefully chosen curves of genus 1 and 2 without flaw. A last section gives a short report on background and realization of bilinear structures on divisor class groups induced by duality theory of class field theory; the key concept here is the Lichtenbaum-Tate pairing.

1. Arithmetic geometry

Arithmetic geometry is one of the most powerful ingredients in mathematics. It combines classical algebraic number theory with algebraic geometry. It uses the theory of functions over C, and so analytic geometry, and it transfers this theory to its p-adic counterpart, p-adic rigid geometry. By construction these theories (as well as a great part of classical algebraic geometry) use algebraically closed ground fields. To come down to arithmetically interesting fields K like number fields, p-adic fields, finite fields or, more generally, fields which are finitely generated over their prime fields, one uses the action of the absolute Galois group $G_K = \mathrm{Aut}(K_s/K)$, where $K_s$ is the separable closure of K. This point of view leads in a natural way to the study of absolute Galois groups. As a rule $G_K$ will be very big. But it carries a natural topology as a profinite group and is compact. Hence the appropriate tools for studying $G_K$ are continuous representations in linear groups over arithmetically interesting rings (very often endowed with the discrete topology). This approach was used with great success during the last 50 years. It led to proofs of famous diophantine results like Deligne's proof of the Weil conjectures, Faltings' proof of Mordell's conjecture, Wiles' proof of Fermat's Last Theorem and, during the last years, to a proof of Serre's conjecture by Khare, Wintenberger, Kisin and others, which classifies the odd two-dimensional representations of $G_{\mathbb{Q}}$ over finite fields. The last example is particularly interesting. It is a kind of generalization of Taniyama's conjecture and it states that two-dimensional representations of $G_{\mathbb{Q}}$ are closely related to modular forms. Behind this there is the celebrated Langlands philosophy, which is a major motive in present-day research in arithmetic.

2000 Mathematics Subject Classification: 11R65, 11R37, 11G20. Key words and phrases: Discrete logarithms, bilinear structures, divisor class groups, public key systems. This paper is based on a lecture presented at “CHiLE, Curvas Hiperelipticas, Logaritmos discretos, Encriptacion, etc.”, 16-20 March 2009 in Frutillar, Chile. I would like to thank the organizers for the opportunity to participate in this very interesting and inspiring conference and to enjoy the warm and generous hospitality.

© 2010 AIMS-SDU

1.1. Algorithmic arithmetic geometry. Classically, algorithmic aspects of number theory mostly deal with lattices and derived objects. A fundamental result is Minkowski's theorem on points with small norms in lattices and related results, for instance about reduction of quadratic forms following Lagrange and Gauß. The enormous growth of computational power made it possible to construct interesting examples in a wide range, and very often one meets the LLL algorithm as a major tool. The theoretical results mentioned above are yielding very exciting and rapidly proceeding algorithmic aspects of arithmetic geometry, generalizing considerably both the range and the techniques of classical computational number theory. Prominent examples are the computation of tables of modular forms including congruences, the algorithmic study of modular curves (see for instance the Cremona tables listing elliptic curves) and related Galois representations. Translating arithmetical problems into geometric language has the immediate consequence that the methods can be applied to the geometric case, too. And so we have now a very advanced theoretical and algorithmic toolkit to deal with the explicit theory of varieties over finite fields as counterpart to the explicit theory of algebraic number fields.

1.2. Public key cryptosystems. The question is: does this have anything to do with practical aspects of data security? In particular, as announced in the title, is it relevant to public key cryptography? As we shall see soon, the most effective ways to construct public key cryptosystems are based on computational arithmetic geometry. The power of the methods used opens immediately a wide range of possible candidates for systems. But, on the other side, it allows one to develop very efficient attacks. So most of the suggested candidates for public key systems did not fulfil the expectations. Nevertheless it was necessary to investigate them, and in many cases we can understand partial weaknesses of systems based on elliptic curves by making more general objects accessible to computation. The continuous study of the consequences of advances in algorithmic arithmetic geometry for the security of the cryptosystems in use, and of the failure of attacks, gives mathematicians a clearer conscience and users more trust. Even people only interested in designing systems without being interested in the theoretical background can choose (very special) instances, e.g. one over a given field with addition formulas given in a list of standardized curves. But it is not only the status quo which is supported. New points of view from the theoretical side allow advances in the design of hardware as well as in protocols. One of the striking examples is the development of pairing based cryptography. From its background, namely duality theory in arithmetic geometry, there goes a direct path to very efficient implementations of pairings which allow, for instance, new ways to sign. Finally, though a good part of the necessary work is done, there are still problems for public key cryptography for which arithmetic geometry has to deliver solutions. In the following I shall mention some ideas in this direction, but there may be more surprises in future.

We do not want to miss another aspect. The demands of engineering and of computer science stimulated progress in pure mathematics in a considerable way. By now classical examples come from coding theory. In the same way the extreme requirements resulting from data security concerning both constructive aspects (like point counting) and destructive aspects (like factoring) need the most effective algorithms, and nothing is more effective than a good theory. So there was an interplay between theoretical and algorithmic aspects of discrete mathematics and data security which was very fruitful for both sides, and there is no doubt that this will be so in future, too.

1.3. Cryptographic primitives. We want to
• exchange keys,
• sign messages,
• authenticate entities, and
• encrypt and decrypt (not too large) messages
with simple protocols and clear, easy to follow implementation rules based on cryptographic primitives. Apart from the difficult task of developing protocols without security flaws, our systems rely on the computational hardness of a mathematical task. Here we have already a problem: which mathematical task under which side conditions has to be solved?

Example 1.
1. The RSA system is based on the RSA Assumption: Given a randomly generated RSA modulus N, an exponent e and a random x ∈ {1, ..., N−1}, it is hard to find an m ∈ {1, ..., N−1} with $m^e \equiv x \bmod N$. At present it is not clear whether an algorithm solving the RSA problem would yield an algorithm of the same complexity for factoring random numbers. It can be suspected (see [4]) that this may not be true if we restrict e to very small numbers (e.g. e = 3 or e = 17). Caution: We have to distinguish the RSA assumption from the problem of finding the private key d (i.e. the number d with d · e ≡ 1 mod ϕ(N)), which is as hard as factoring.
2. The NTRU system looks like a problem of factoring polynomials (in non-UFD domains (!)), but in fact there is a lattice behind the system (work of Coppersmith and Shamir), and the attack on NTRU is the search for short vectors in this lattice.


3. Akiyama and Goto have proposed a cryptosystem using algebraic surfaces over finite fields. The construction seemed to imply that the mathematical task was to find rational points on curves over function fields (stated in the equivalent form of sections of fibrations on surfaces). This task is known to be hard. Having the points it is easy to construct a curve passing through a few given points. Voloch showed how to break their original cryptosystem by using algebraic points instead of rational points. Such points are easily found. By this attack the scheme is broken again without knowing the secret key (see [27], where this attack and a variant of the scheme resistant against it are discussed).

The discussion of the three examples above relies on an intensive use of arithmetic geometry like the theory of smooth numbers in algebraic integers, diophantine properties of algebraic varieties and, above all, problems in lattices like finding shortest and closest vectors. These examples show that it is necessary to understand the mathematical area around the cryptographic primitive. In this article we shall discuss in depth another important family of cryptosystems and show that very concrete questions can be answered by advanced methods from arithmetic geometry.

2. Discrete logarithms

In the next subsection we describe in a very abstract setting the necessary structures for establishing key exchange of Diffie-Hellman type and signature schemes (including short signatures). We try to avoid all additional structural properties which make life easier but also may be helpful for attacking the systems. An unavoidable consequence is a certain clumsiness in notation, in particular when one deals with signatures. The author is not sure whether such a general approach is worth the struggle through the text, and an apology to the reader is due. On the other side this formalization may motivate people to look for alternatives to known group-based systems. One example is given in Subsection 2.2.1. It may be helpful for the reader to read the following subsection together with Subsection 2.4 and to translate the abstract structure into the well known world of discrete logarithms and pairings of cyclic groups.

2.1. Abstract setting. Assume that A ⊂ N and $B \subset \mathrm{End}_{set}(A)$. For simplicity we shall assume that B is closed under composition. We assume that there is an element $a_0 \in A$ such that the elements of B commute on $B(a_0) = \{b(a_0) : b \in B\}$. A given map b from A to A is said to be identified in B if it lies in B and if it is given in such a way that one can evaluate b at random a ∈ A rapidly. The term “choose b ∈ B” will always mean that b is identified.

2.1.1. Key exchange. Two partners $P_1, P_2$ want to exchange a key and use a public channel. They can achieve this by using $(A, a_0), B$ and the Diffie-Hellman key exchange protocol*: Each $P_i$ chooses $b_i \in B$, the private key, and publishes $a_i := b_i(a_0)$. Then $\kappa := b_j(a_i)$, i ≠ j, is the common key; both partners obtain the same κ because the elements of B commute on $B(a_0)$.

* Here we only give the principle and not a secure variant of the protocol.


The security depends (not only) on the complexity of finding, for randomly chosen $a_1, a_2 \in A$, all elements b ∈ B with $b(a_0) = a_1$ modulo the relation $b \sim b'$ iff $b(a_2) = b'(a_2)$.

2.1.2. Diffie-Hellman encryption. The Diffie-Hellman encryption scheme is a combination of asymmetric key exchange and symmetric encryption. We assume that the partners $P_i$ have agreed to use a symmetric cryptosystem (e.g. AES) and that there is a publicly known and fast function ψ : A → K, where K is a key space for the symmetric cryptosystem with plaintext space P. Assume that $P_1$ wants to receive messages lying in P. He chooses $b_1 \in B$ and publishes $a_1 := b_1(a_0)$. The sender $P_2$ of a message m chooses $b_2 \in B$ randomly, computes $a := b_2(a_0)$, $a_2 := b_2(a_1)$ and $\kappa := \psi(a_2)$. Then $P_2$ uses $E_\kappa$ as encryption function and sends $(a, E_\kappa(m))$. $P_1$ computes $b_1(a)$, which is equal to $a_2$, and hence $\psi(a_2)$ is the key for decryption.

Remark 1. It would be interesting to get security proofs for protocols in terms of properties of the “cryptographic primitive” $(A, a_0), B$.

2.2. Narrowing the range. We can and will assume that $A = B(a_0)$, and hence for given a ∈ A we find a b ∈ B with $b(a_0) = a$. In other words, we shall assume from now on that B acts transitively on A. To simplify the situation further we assume that B acts simply transitively on A, i.e. for each a ∈ A there is exactly one b in B with $b(a_0) = a$. We denote this element of B by $b_a$. We can formulate a computational problem

CDHP: For randomly chosen $a_1, a_2 \in A$ compute the element $a_3 := b_{a_1} \circ b_{a_2}(a_0)$.

Obviously the security of the Diffie-Hellman key exchange scheme depends on the hardness of CDHP. It is evident that one can solve CDHP if for randomly chosen a ∈ A one can compute $b_a$. In the most important case A is the set of elements different from the neutral element of a cyclic group of prime order and B is equal to the set of automorphisms of A. In this case $b_a$ is identified with the discrete logarithm of a with respect to $a_0$ in A, and its computation is closely related to CDHP (see Subsection 2.4). It would be highly interesting to know more about the relation between CDHP and the “discrete logarithm problem” in more general situations. Related to CDHP but weaker is the decision problem

DDHP: For randomly chosen $a_1, a_2, a_3 \in A$ decide whether $b_{a_1} \circ b_{a_2} = b_{a_3}$.

2.2.1. One realization. Assume that A is a set with an action of a semigroup G, and that for every g ∈ G the endomorphism $b_g \in B$ is given by a ↦ g · a. In addition we have to assume that for all $g_1, g_2 \in G$ we have $g_1 \cdot (g_2 \cdot a_0) = g_2 \cdot (g_1 \cdot a_0)$ and that G acts simply transitively. We get examples for such a situation by taking for A the set of isomorphism classes of elliptic curves over a given finite field with the same endomorphism ring O and for G the ideal class group Pic(O) of O. Such systems were proposed by J.M. Couveignes and are discussed in the paper of A. Stolbunov in this volume.


One should remark that it seems that the security of the system (more precisely: CDHP) does not depend on the discrete logarithm (for the definition see Subsection 2.4) in Pic(O) (which is good), but that on the other side one cannot use the methods of fast exponentiation by squaring and multiplying.

2.3. Signature schemes. To establish a signature scheme one needs more structure. As above we fix $a_0 \in A$.

2.3.1. Signature schemes of ElGamal type. We assume that there is a (quickly computable) map μ : A × A → A with the functional equation

$b_{\mu(a_1,a_2)}(a) = \mu(b_{a_1}(a), b_{a_2}(a))$.

Hence, given $b_{a_1} = b_1 \in B$, $b_{a_2} = b_2 \in B$, the evaluation of $b_{\mu(a_1,a_2)}$ at a ∈ A can be executed efficiently without knowing $a_i$.

But we assume the stronger condition that for given pairs $(a_1, b_{a_1}), (a_2, b_{a_2}) \in A \times B$ the map $b_{\mu(a_1,a_2)} \in B$ can be identified in B rapidly. Next we assume that messages m are contained in N and that there is a hash function h : N → B. (As always: such that h(.) can be evaluated rapidly.)

Signature: The signer S wants to sign a message M ∈ N and computes its fingerprint h(M). Then S chooses $b_S \in B$ and publishes $a_S := b_S(a_0)$ as public key. Next S chooses a random element k ∈ B and computes

$a_1 := (h(M) \circ b_S)(a_0)$, $a_2 := (h(k(a_0)) \circ k)(a_0)$,

and since $h(M) \circ b_S = b_{a_1}$ and $h(k(a_0)) \circ k = b_{a_2}$, the signer S is able to identify rapidly

$\phi := b_{\mu(a_1,a_2)} = b_{\mu((h(M) \circ b_S)(a_0),\, (h(k(a_0)) \circ k)(a_0))}$

in B. S publishes $(\phi, M, k(a_0))$.

Verification: The verifier V computes

$\mu(h(M)(a_S), h(k(a_0))(k(a_0)))$

and compares it with $\phi(a_0)$. If there is equality the signature is accepted. Again we remark that for security it is crucial that it is very hard to produce an element in B such that the image of $a_0$ is a given element (here: $\mu(h(M)(a_S), h(k(a_0))(k(a_0)))$).


2.3.2. Short signatures. We assume that $(A, a_0), B$ are given as in Subsection 2.2, and that for two sets A', C we have maps ν : B → B' ⊂ End(A') and e : A × A' → C with $e(b(a), a') = e(a, \nu(b)(a'))$ for all a, a', b. Both maps e and ν are assumed to be rapidly evaluated. Moreover we shall assume that for random a' ∈ A' the map $e_{a'} : a \mapsto e(a, a')$ is injective. We take a hash function h : N → A'.

Signature: The signer S wants to sign the message M ∈ N. He chooses $b_S \in B$ and publishes as public key $a_S = b_S(a_0)$. He computes $\Sigma := \nu(b_S)(h(M))$. The signed message is (M, Σ).

Verification: The verifier V computes $e(a_0, \Sigma)$ and $e(a_S, h(M))$. If there is equality the signature is accepted.

The security of the signature depends on the difficulty of producing a pair (b' ∈ B, M') such that $e(b'(a_0), h(M')) = e(b_S(a_0), h(M'))$. This can easily be done if one can solve the CDHP either in A or in A' (use: $\Sigma = \nu(b_S)(h(M))$) or in C (see below). Moreover it has to be very hard to invert the partial functions derived from e by fixing either the first or the second variable randomly.

2.3.3. More applications. Assume now, in addition to the above assumptions, that there is an injective map γ : B → End(C) with $e(b(a), a') = e(a, \nu(b)(a')) = \gamma(b)(e(a, a'))$.

Tripartite key exchange. Assume that three partners $P_i$ want to agree on a key. We use the assumptions from above but assume that A = A' and $\nu = \mathrm{id}_B$. The partners publish three public keys $a_i := b_i(a_0)$ as usual. Then the i-th partner computes $\gamma(b_i)(e(a_j, a_k))$, with j, k different and not equal to i, the common key.

Transfer of CDHP. Assume that $a_1, a_2 \in A$ are given. We want to compute $b_{a_1} \circ b_{a_2}(a_0)$. We choose a' randomly and compute $e(a_0, a') = c_0$, $e(a_1, a') = c_1$ and $e(a_2, a') = c_2$. In particular, we have

$c_i = \gamma(b_{a_i})(c_0)$ for i = 1, 2.

We assume that we can find $c_3 \in C$ with

$c_3 = \gamma(b_{a_1}) \circ \gamma(b_{a_2})(c_0)$.

Hence

$a_3 := b_{a_1} \circ b_{a_2}(a_0)$ is determined by $e(a_3, a') = c_3$.

But this will not be enough to find $a_3$ if e(., a') behaves like a one-way function, and exactly this property is crucial for the function e in all important applications! Hence we need more: If we find δ ∈ End(C) with $\delta(c_0) = c_3$, and if γ is bijective (which often is clear in practice), we get

$a_3 = \gamma^{-1}(\delta)(a_0)$

and we have transferred CDHP from A to the “discrete logarithm” in C. But we remark that we then have solved the “discrete logarithm” in A, too: For given a ∈ A compute δ ∈ End(C) with $\delta(e(a_0, a')) = e(a, a')$. Then $\gamma^{-1}(\delta)(a_0) = a$.

DDHP. For this application we assume that A = A'. For random $a_1, a_2, a_3$ we want to decide whether $b_{a_1} \circ b_{a_2} = b_{a_3}$. We compute $e(b_{a_1}(a_0) = a_1,\ b_{a_2}(a_0) = a_2)$ and compare it with $e(b_{a_3}(a_0) = a_3,\ a_0)$. If the values are equal we have

$\gamma(b_{a_1} \circ b_{a_2})(e(a_0, a_0)) = \gamma(b_{a_3})(e(a_0, a_0))$,

and since we have assumed that γ is injective we can solve DDHP by testing equality in C.

Can we find sets A, A', C and a map e satisfying the conditions from above? A first trial: Take A' = B, C = A and e(a, b) = b(a), and take as action of B on B the composition. Since elements in B are commuting we have $e(b(a), b_1) = b_1(b(a)) = b(b_1(a)) = (b \circ b_1)(a) = e(a, b \circ b_1)$. All conditions are satisfied. But can we use this system for one of the applications described above? The transfer makes no sense for C = A, solving the DDHP would need B = A, and trying to use e for signatures would be insecure if we could compute the inverse map to h(M) and so from the signature the private key of the signer. This will be the case in the systems we shall discuss in the next section. But in RSA-like systems (take A = Z/N and B as the set of automorphisms induced by exponentiation with elements in $(\mathbb{Z}/N)^*$) this is assumed to be hard. In any case the idea that e should be closely related to the evaluation of functions should be kept in mind.

2.4. Algebraic realization. We give now the basic example for systems satisfying the frame from above. Let G be a cyclic group of prime order ℓ embedded into N by a numeration f : Z/ℓ → G. The group operation is written multiplicatively and denoted by ∘. For A we take $G \setminus \{e_G\}$, where $e_G$ is the neutral element in G. For $a_0$ we can take any element of A. $B := \mathrm{Aut}_{\mathbb{Z}}(A) \cong (\mathbb{Z}/\ell)^*$ is identified with {1, ..., ℓ−1} by $b(a) := a^b$. Hence we can apply square-and-multiply algorithms to make the evaluation of b fast. A private key is the choice of an element s ∈ {1, ..., ℓ−1}. The related public key is $p = a_0^s$. Diffie-Hellman key exchange is the public exchange of $p_i := a_0^{s_i}$ between partners $P_1, P_2$ with the following exponentiation $k := p_i^{s_j}$.


To given $a_1, a_2 \in A$ there is exactly one number $b \in \{1, \ldots, \ell-1\}$ with $a_1^b = a_2$. The number b is called the discrete logarithm of $a_2$ with base $a_1$ and denoted by $\log_{a_1}(a_2)$. So B acts simply transitively on A and we are in the frame of Subsection 2.2. Using the notation from this section, the automorphism $b_a$ is identified by the number $\log_{a_0}(a)$.
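As a worked example for the key exchange of Subsection 2.1.1, the Diffie-Hellman encryption of Subsection 2.1.2 and their realization in a cyclic group of prime order ℓ just described, the following Python code is added here; it is not part of the paper. The group G is the subgroup of order ℓ = 1019 in $\mathbb{F}_p^*$ for the toy prime p = 2ℓ + 1 = 2039 (constructed, far too small for real use), $a_0 = 4$, and B = {1, ..., ℓ−1} acts by exponentiation. The key derivation ψ is SHA-256 and the symmetric cipher $E_\kappa$ is a SHA-256 counter keystream standing in for AES; both are choices of this example. The check `in_A` is the one a practitioner wants before raising a received element to a private exponent: the element must lie in A = G \ {e_G}, i.e. satisfy $a^\ell = 1$ and a ≠ 1, which rules out the order-2 element p − 1 and anything outside $\mathbb{F}_p^*$.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example (far too small for real use):
# p = 2*ell + 1 with both primes, so the squares in F_p^* form the cyclic
# group G of prime order ell; A = G \ {1} and a0 = 4 = 2^2 generates G.
P = 2039
ELL = 1019
A0 = 4


def is_prime(n):
    """Trial division; sufficient for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def check_parameters(p=P, ell=ELL, a0=A0):
    """Public parameters must define a group G of prime order ell with a0 != e_G."""
    return (is_prime(p) and is_prime(ell) and (p - 1) % ell == 0
            and 1 < a0 < p and pow(a0, ell, p) == 1)


def in_A(a, p=P, ell=ELL):
    """Membership test for A = G \\ {e_G}: a in F_p^*, a != 1 and a^ell = 1 mod p.
    Every element received from the other party passes this check before it is
    raised to a private exponent (rejects e.g. p-1, which has order 2)."""
    return 1 < a < p and pow(a, ell, p) == 1


def keygen():
    """Private key s in {1,...,ell-1} (the automorphism b_s); public key a0^s."""
    s = secrets.randbelow(ELL - 1) + 1
    return s, pow(A0, s, P)


def dh_shared(s_own, a_other):
    """kappa = b_own(a_other) = a0^(s_own*s_other); both partners get the same value."""
    if not in_A(a_other):
        raise ValueError("received element is not in A")
    return pow(a_other, s_own, P)


def psi(a):
    """psi: A -> K, derive a symmetric key from a group element (SHA-256 here)."""
    return hashlib.sha256(b"DH-key:" + a.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def stream_xor(key, data):
    """Stand-in for the symmetric cipher E_kappa of the text (AES in practice):
    XOR with a SHA-256 counter keystream. Encryption and decryption coincide."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def dh_encrypt(a1, message):
    """Sender: ephemeral b2, a = a0^b2, a2 = a1^b2, kappa = psi(a2); send (a, E_kappa(m))."""
    if not in_A(a1):
        raise ValueError("recipient public key is not in A")
    b2 = secrets.randbelow(ELL - 1) + 1
    a = pow(A0, b2, P)
    kappa = psi(pow(a1, b2, P))
    return a, stream_xor(kappa, message)


def dh_decrypt(b1, a, ciphertext):
    """Recipient: b1(a) = a0^(b1*b2) = a2, so psi(a2) is the decryption key."""
    if not in_A(a):
        raise ValueError("ephemeral element is not in A")
    kappa = psi(pow(a, b1, P))
    return stream_xor(kappa, ciphertext)


if __name__ == "__main__":
    assert check_parameters()
    s1, a1 = keygen()
    s2, a2 = keygen()
    assert dh_shared(s1, a2) == dh_shared(s2, a1)
    msg = b"constructed sample plaintext"
    a, ct = dh_encrypt(a1, msg)
    assert dh_decrypt(s1, a, ct) == msg
    print("Diffie-Hellman key exchange and encryption round-trip OK")
```

With real parameters the same structure applies unchanged: ℓ is a large prime, p is a prime with ℓ | p − 1 (or G is a point group of a curve, as in Section 3), and the `in_A` test becomes the subgroup-membership check of the received public key.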

The composition $b_{a_1} \circ b_{a_2}$ in B is determined by $\log_{a_0}(a_1) \cdot \log_{a_0}(a_2)$. Hence CDHP is in this context:

CDHP: For randomly chosen $a_1, a_2 \in A$ compute $a_3 = a_0^{\log_{a_0}(a_1) \cdot \log_{a_0}(a_2)}$.

The decision problem is

DDHP: For randomly chosen $a_1, a_2, a_3 \in A$ decide whether $\log_{a_0}(a_1) \cdot \log_{a_0}(a_2) \equiv \log_{a_0}(a_3) \bmod \ell$.

It is obvious that CDHP and DDHP can be solved if one can compute discrete logarithms, i.e. if one can solve

DLP: For randomly chosen a ∈ A compute $\log_{a_0}(a)$.

A highly non-trivial result of Maurer and Wolf [31] is: Up to subexponential algorithms CDHP in A is equivalent to DLP in A, and so the cryptographic primitive for the Diffie-Hellman key exchange (with a little modification of the protocol) is, up to subexponential algorithms, DLP. This result justifies that in the following we shall investigate DLP. $(A, a_0)$ is called a DL-system if DLP is hard. In the ideal case its complexity is exponential in log ℓ (and then the same is true for CDHP). There are generic algorithms which compute the DL with complexity $O(\ell^{1/2})$ using only the group structure of G, and since we cannot do better in generic groups we take this complexity as the benchmark for the hardness of DLP. It is clear that we can use a DL-system for encryption, too.

Having A ⊂ G and B we can take the partially defined “function” μ : A × A → A induced by multiplication in G. It is defined for $a_1, a_2$ iff $a_1 \neq a_2^{-1}$, and hence for randomly chosen $a_1, a_2$.

Since $\log_{a_0}(a_1) + \log_{a_0}(a_2) \equiv \log_{a_0}(\mu(a_1, a_2)) \bmod \ell$, the map $b_{\mu(a_1,a_2)} \in B$ can be identified as $\log_{a_0}(a_1) + \log_{a_0}(a_2) \bmod \ell$ and we get the functional equation

$b_{\mu(a_1,a_2)}(a) = \mu(b_{a_1}(a), b_{a_2}(a))$.

So we can easily establish an ElGamal signature. For the convenience of the reader we give the translation from the abstract setting to our case. We assume that we have a hash function h : N → {1, ..., ℓ−1}. The signer S wants to sign a message M ∈ N and computes its fingerprint h(M). Then S chooses $b_S \in B = \{1, \ldots, \ell-1\}$ and publishes $a_S := a_0^{b_S}$ as public key. Next S chooses a random element k ∈ B and computes

$\phi := b_{\mu(a_1,a_2)} = h(M) \cdot b_S + h(a_0^k) \cdot k \bmod \ell \in B$.

(Recall that $a_1 := a_0^{h(M) \cdot b_S}$ and $a_2 := a_0^{h(a_0^k) \cdot k}$.) S publishes $(\phi, M, a_0^k)$.


Verification: The verifier V computes

$a_S^{h(M)} \circ (a_0^k)^{h(a_0^k)}$

and compares it with $a_0^{\phi}$. If there is equality the signature is accepted.†

What about short signatures and the following applications? Here we use the fact that $G = A \cup \{e_G\}$ is in a natural way a Z/ℓ-vector space.

Definition 1. Assume that there are Z/ℓ-modules A' and C and a bilinear map Q : G × A' → C with
i): the group composition laws in G, A' and C as well as the map Q are fast (e.g. in polynomial time);
ii): Q(., .) is non-degenerate in the first variable. Hence, for random a' ∈ A' we have $Q(a_1, a') = Q(a_2, a')$ iff $a_1 = a_2$.
Then (A, Q) is a DL-system with bilinear structure.

We embed {1, ..., ℓ−1} into Aut(A') and Aut(C) as scalar multiplications and take for e : A × A' → C the restriction of Q. Then all conditions of Subsection 2.3.2 are satisfied and we can use the bilinear structure for short signatures as well as for the applications in Subsection 2.3.3.

2.4.1. Tasks to be done. In order that we can use (a family of) groups G for cryptosystems in the way described in Subsection 2.4 they have to satisfy three crucial conditions:
1. The elements in G can be stored in a computer in a compact way (e.g. O(log |G|) bits needed).
2. The group composition is given by an algorithm that is easily and efficiently implemented and very fast.
3. The computation of the DL in G (for random elements) is (to the best of our knowledge) very hard and so infeasible in practice (ideally exponential in log |G|); in particular the group order of G is a large prime.

2.5. How arithmetic geometry can be used. It is a remarkable fact that all systems used (or even discussed) today are closely related to ideal class groups of nice rings O, e.g. one assumes that O is a finitely generated algebra over a Euclidean ring B. Concretely one has taken
• orders in number fields and in particular in imaginary quadratic fields (Buchmann–Williams [5]),
• Arakelov class groups of metrised modules (work of Schoof), or in other words, infrastructures (Shanks, Buchmann),
• and, most important for the rest of this article, orders in function fields over finite fields, i.e. rings of holomorphic functions on (maybe singular) affine curves.

†This is one variant of the ElGamal signature scheme. For more variants see Table 11.5 in [32].
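The following Python code is an added example (not from the paper) of the ElGamal-type signature of Subsection 2.4, with the toy parameters p = 2039, ℓ = 1019, $a_0 = 4$ (constructed, far too small for real use); the hash h : N → {1, ..., ℓ−1} is SHA-256 reduced modulo ℓ−1 and is an assumption of the example. Besides signing and verifying, it shows why the text insists that k be random: two signatures that reuse k share $r = a_0^k$, and subtracting the two values of φ cancels the $h(r) \cdot k$ term, so $b_S$ falls out of one division modulo ℓ.

```python
import hashlib

# Toy parameters, constructed for this example (far too small for real use):
# p = 2*ell + 1, both prime; a0 = 4 generates the subgroup G of order ell in F_p^*.
P = 2039
ELL = 1019
A0 = 4


def in_A(a):
    """a lies in A = G \\ {e_G}: 1 < a < p and a^ell = 1 mod p."""
    return 1 < a < P and pow(a, ELL, P) == 1


def h(data):
    """Hash function N -> {1, ..., ell-1}; accepts bytes or a group element (int)."""
    if isinstance(data, int):
        data = data.to_bytes((P.bit_length() + 7) // 8, "big")
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") % (ELL - 1) + 1


def sign(b_s, message, k):
    """phi = h(M)*b_S + h(a0^k)*k mod ell; the signature is (phi, M, a0^k).
    k must be uniformly random in {1,...,ell-1} and never reused."""
    if not 1 <= k < ELL:
        raise ValueError("k must lie in {1,...,ell-1}")
    r = pow(A0, k, P)
    phi = (h(message) * b_s + h(r) * k) % ELL
    return phi, message, r


def verify(a_s, phi, message, r):
    """Accept iff a_S^h(M) * r^h(r) == a0^phi in G, i.e. mu(a1, a2) == b_phi(a0)."""
    if not (in_A(a_s) and in_A(r)):
        return False
    lhs = pow(a_s, h(message), P) * pow(r, h(r), P) % P
    return lhs == pow(A0, phi, P)


def recover_private_key(sig1, sig2):
    """Two signatures with the same r (same k) on messages with h(M1) != h(M2) give
    b_S = (phi1 - phi2) / (h(M1) - h(M2)) mod ell, since the h(r)*k term cancels.
    Returns None if the signatures do not share r or the hashes coincide."""
    phi1, m1, r1 = sig1
    phi2, m2, r2 = sig2
    if r1 != r2 or h(m1) == h(m2):
        return None
    inv = pow((h(m1) - h(m2)) % ELL, -1, ELL)
    return (phi1 - phi2) * inv % ELL


if __name__ == "__main__":
    b_s = 321                      # private key (a constructed value)
    a_s = pow(A0, b_s, P)          # public key a_S = a0^b_S
    msg = b"constructed sample message"
    sig = sign(b_s, msg, 77)
    assert verify(a_s, *sig)
    # a second signature that (wrongly) reuses k = 77 leaks b_S
    other = b"second message"
    while h(other) == h(msg):
        other += b"."
    leaked = recover_private_key(sig, sign(b_s, other, 77))
    print("signature valid; key recovered from nonce reuse:", leaked == b_s)
```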


2.6. Open problems.

2.6.1. More groups? There are many groups floating around in arithmetic geometry which are well studied because of their importance for theory. For instance there are cohomology groups like Brauer groups of fields and varieties, Selmer groups of abelian varieties, Chow groups of varieties, e.g. surfaces, and, maybe the most interesting objects, K-groups. Why can it be interesting to find more groups? I think that their importance would be mostly on the destructive side. There can be transfers from DL-systems we know already to other groups, and this can have consequences for security. We shall see one example, namely Brauer Groups of p-adic fields. Today we are far away from satisfying the conditions from Subsection 2.4.1 for families of groups which are not closely related to Picard groups. It is an exciting challenge to find efficient addition laws in K-groups and in Brauer groups!

2.7. No groups! First of all it would be interesting to have a precise statement about the problems which decide the security of systems in the general frame of this section. As we have seen, G-sets have enough structure for key exchange and encryption. But in known examples the group action is only rather slowly computable. In addition one should find reasonable structures replacing bilinear maps and enabling one to establish signatures. Abelian groups are of course Z-modules. In important examples (for instance Kummer surfaces) we can go to “compressed” structures which are only Z-sets. Can one use them for signatures? And finally, can we avoid group-like structures and so known generic attacks and even attacks by quantum computers?

3. Arithmetic in Picard groups

3.1. The source for DL-groups. The aim is to find families of groups of growing prime order ℓ for which the conditions formulated in Subsection 2.4.1 can be fulfilled. Historically the first suggestion is due to Diffie and Hellman in [14]. They propose to use as groups G the ℓ-th roots of unity in finite fields $\mathbb{F}_q$. In this case DLP was known as computing the “classical discrete logarithm” since the 19th century (at least). In geometric language this means that one takes the $\mathbb{F}_q$-rational points of the group scheme $\mathbb{G}_m$, the multiplicative group, as the source for such groups. Algebraically one has different possibilities. One can take the group of elements of order dividing ℓ of the class group of invertible ideals of the ring $O = \mathbb{F}_q[X, Y]/(XY - 1)$, which is the ring of holomorphic functions on the irreducible regular plane affine curve XY = 1; or one can take the elements of order dividing ℓ in the ideal class group of the order $O_C = \mathbb{F}_q[X, Y]/(Y^2 + XY - X^3)$, which is the ring of holomorphic functions on the irreducible plane affine curve $C : Y^2 + XY = X^3$ with one ordinary double point as singularity at (0 : 0 : 1); or one can take the elements of order dividing ℓ of the divisor class group $\mathrm{Pic}^0(C)$ of degree 0 of the projective cubic $C : Y^2Z + XYZ = X^3$.


These interpretations of the group of roots of unity may look artificial but they motivate the generalizations which followed soon after of the suggestion of Diffie- Hellman. First candidates and interesting till today were ideal class groups orders in number fields (work of Buchmann and Williams [5]). Here quadratic fields are espe- cially accessible. For imaginary quadratic fields one can use Gauss reduction theory, and for real quadratic fields (with small class number) infrastructures (Shanks), or as we know by the work of Schoof, Arakelov divisor theory. It was a bit disap- pointing that roughly speaking the security of these systems is not better than the security of the classical DL. By index-calculus methods (going back to Kraitchik [29]) one finds subexponential algorithms for computing the DL. After the algebraic generalization we go to the geometrical line of thinking. The reason for the relative weakness of the classical DL is that one can lift easily elements from Gm(Fq) to integers in number fields or function fields since the curves behind the system are of genus 0. This motivated V. Miller 1986 to suggest to take the group of rational points of elliptic curves over finite fields Fq as source for groups G. Because of the structural theorems known for abelian varieties over number fields, in particular the Theorem of Mordell-Weil and the existence and properties of the N´eron-Tate height, he suspected that no direct index-calculus attack by lifting elements to points over global fields would work. And until today he is right. At the same time and independently N. Koblitz suggested to take elliptic curves, too, and gave practical examples, namely the so-called Koblitz curves. And he went further. 
Though the group structure of the group of points on elliptic curves is well-known and can be defined using high school math, the key point is that an elliptic curve is in a canonical way equal to its Jacobian variety, and in the background there is the Theorem of Riemann-Roch which rules the whole arithmetic. But this is so for all curves. Hence it is natural to take the divisor class groups Pic(C) of irreducible and smooth curves C of higher genus g as source of groups G. The nice fact is that this group is equal to the group of $\mathbb{F}_q$-rational points of the Jacobian $J_C$ of C, which is an abelian variety of dimension g and for which many structural theorems (e.g. the results of Weil about Frobenius endomorphisms) can be used. In fact, it is not necessary to assume that C is projective or without singularities. This can be used to establish so-called torus-based DL-systems or to use nice plane affine models for C. One should remark that this approach makes it possible to use ideal classes instead of divisor classes and makes the analogy with the number field case evident.

3.2. Addition in class groups. We assume that we have a projective irreducible non-singular curve C of genus g defined over a finite field $\mathbb{F}_q$ and that we want to describe the elements and the addition law of Pic(C) in a compact way. In other words we want to find coordinates and addition laws on the Jacobian of C. In principle one can use Mumford's general theory based on Theta values but the resulting algorithms will be slow. We are in a special situation and exploit the key fact that

$$C^{(g)} := (\underbrace{C \times \cdots \times C}_{g})/S_g$$

(with $S_g$ the group of permutations on g letters operating on $C^g$ in the natural way) is birationally isomorphic to $J_C$. Here the Theorem of Riemann-Roch proves its strength. Hence we find in every divisor class a positive divisor of degree ≤ g, and so as coordinates we can use a g-tuple of coordinates of points on C. Since the addition algorithm has to determine in the class of the sum of two divisors of this type again such a "short" divisor, we need an effective (and very fast) algorithm to compute spaces of functions with prescribed poles, so-called Riemann-Roch spaces. Such algorithms are well known in algorithmic number theory (with Riemann-Roch replaced by Minkowski's Theorem). A special case is the arithmetic in imaginary quadratic fields solved by Gauß reduction theory of binary definite quadratic forms. In his thesis (one of the milestones in the beginning of arithmetic geometry) E. Artin showed that the same arithmetic can be used to add in the divisor class group of hyperelliptic curves with a rational Weierstraß point. This motivated Koblitz to suggest the use of divisor class groups of hyperelliptic curves for DL-systems. But it turned out that, as in the number theoretical case (and partially by the same people using the same methods), the restriction to hyperelliptic curves is, at least in principle, not necessary. As we shall see this result is, apart from its importance for computational mathematics, useful for designing attacks on DL-systems.

3.3. Results of Heß and Diem. We shall state the main result concerning addition in divisor classes obtained by F. Heß in [26] and worked out with many additional details in [12]. It is a famous result of F.K. Schmidt (proved by using Zeta-functions) that curves over finite fields have a rational divisor $D_0$ of degree 1. (Caution: It is true only for curves of genus ≤ 1 that this implies the existence of a rational point.) It is not difficult to show that such a divisor can be computed effectively. Next we need an appropriate presentation of points and divisors.
Since we are interested in divisor classes we can avoid finitely many disturbing points and use the non-singular points on an affine part of a plane model of C of degree d. Again by Riemann-Roch we see that d can be chosen to be of size O(g) and that, given any presentation of C by homogeneous polynomials (or the function field of C), the equation of this plane model can be computed in polynomial time and space.

Definition 2. The height of a divisor D of C is the maximum of the degrees of its positive and of its negative part. The divisor D is reduced along $D_0$ if the linear system $|D - D_0|$ is empty.

It follows from the Riemann-Roch theorem that in every divisor class there is a reduced divisor with height polynomially bounded by g, and using [26] it follows that this divisor can be computed with polynomial complexity. Going to affine parts we can identify divisors with ideals of the coordinate ring and hence we can present them as products of powers of prime ideals. Again this presentation (and backwards from ideals to divisors) can be done in polynomial time. So the algorithms known from number theory are applicable.

Theorem 1 (Heß, Diem). Let C be a curve of genus g given by a plane model of degree d over $\mathbb{F}_q$. The arithmetic in the degree 0 class group of C can then be performed in an expected number of field operations which is polynomially bounded in g and log(q).

3.4. On the way to efficiency. Of course, Theorem 1 is, as stated, a "theoretical" result, though the proof gives an implementable algorithm. Its importance is that it provides a tool for studying attacks.


If one wants to construct DL-systems usable in practice one has to go to special cases and find optimizations of the generic algorithm. Much work was done in this direction and nice results were found continuously since the introduction of elliptic and hyperelliptic curves to cryptography. For elliptic curves efforts till 2005 can be found in [8], and it is astonishing that even in recent time considerable accelerations were possible. It is typical that they use a mixture of clever implementation and background coming from arithmetic geometry. Here is one example. D. Bernstein and T. Lange used so-called (twisted) Edwards curves (see [3] and following work). This is a plane representation of elliptic curves by a singular plane quartic model instead of the usual Weierstraß cubic equation, which is possible over a given field K for all elliptic curves parameterized by K-rational points of the modular curve $X_1(4)$. The resulting addition is very simple and symmetric. The big advantage is that in many cases all the rational points lie in the affine plane and so one gets "uniform" and very efficient formulas without distinction of addition and doubling. Hence automatically one has protection against a certain type of side channel attacks, comparable with the security obtained by Montgomery ladder algorithms. How to find optimized presentations for elliptic curves by using the theory of toric surfaces related to Newton polytopes can be found in [7]. There has been much research on curves of genus ≤ 4. We refer to [1] for fast addition over fields of small characteristic and to [33] for genus-3-curves which are not hyperelliptic.
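As an added illustration of the "uniform" Edwards addition law described above (example code written for this page, not code from [3] or from the paper), the following Python block implements twisted Edwards arithmetic over a constructed toy prime field F_101 with a = 1 and the non-square d = 2. The same add() routine serves for doubling, and completeness_check() confirms over all pairs of points that neither denominator 1 ± d·x1·x2·y1·y2 ever vanishes, which is why no add/double distinction and no exceptional case is needed. The prime, a and d are assumptions chosen for illustration, not parameters of any real curve.

```python
# Twisted Edwards curve  a*x^2 + y^2 = 1 + d*x^2*y^2  over F_p.
# Constructed toy parameters for illustration; not a cryptographic curve.
# With a a square and d a non-square in F_p the addition law is complete:
# one formula, no special case for doubling or for P + (-P).
P_MOD = 101
A_COEF = 1      # a square in F_p
D_COEF = 2      # a non-square in F_p (101 = 5 mod 8, so 2 is a non-residue)
IDENTITY = (0, 1)


def inv(z, p=P_MOD):
    """Inverse by Fermat; z must be non-zero mod p."""
    return pow(z % p, p - 2, p)


def is_square(z, p=P_MOD):
    """Euler criterion."""
    z %= p
    return z == 0 or pow(z, (p - 1) // 2, p) == 1


def on_curve(pt, a=A_COEF, d=D_COEF, p=P_MOD):
    x, y = pt
    return (a * x * x + y * y - 1 - d * x * x * y * y) % p == 0


def add(P, Q, a=A_COEF, d=D_COEF, p=P_MOD):
    """Unified addition: used unchanged for doubling (P == Q)."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + y1 * x2) * inv(1 + t, p) % p
    y3 = (y1 * y2 - a * x1 * x2) * inv(1 - t, p) % p
    return (x3, y3)


def neg(P, p=P_MOD):
    """The inverse of (x, y) is (-x, y)."""
    return ((-P[0]) % p, P[1])


def scalar_mul(k, P):
    """Left-to-right binary method; every step is the same add() call."""
    R = IDENTITY
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R


def all_points(a=A_COEF, d=D_COEF, p=P_MOD):
    """Enumerate the affine points; for d a non-square they form the whole group."""
    return [(x, y) for x in range(p) for y in range(p) if on_curve((x, y), a, d, p)]


def completeness_check(points, d=D_COEF, p=P_MOD):
    """True if 1 + d*x1*x2*y1*y2 and 1 - d*x1*x2*y1*y2 are non-zero for every pair."""
    for x1, y1 in points:
        for x2, y2 in points:
            t = d * x1 * x2 * y1 * y2 % p
            if (1 + t) % p == 0 or (1 - t) % p == 0:
                return False
    return True


if __name__ == "__main__":
    pts = all_points()
    print("points:", len(pts), "complete:", completeness_check(pts),
          "Lagrange holds:", all(scalar_mul(len(pts), P) == IDENTITY for P in pts))
```

The group order is divisible by 4 because (1, 0) has order 4, and it satisfies the Hasse bound |#E − (p + 1)| ≤ 2√p; both are checked on the enumerated points rather than assumed.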

3.5. Kummer surfaces. As mentioned in Section 2 we need, for many purposes, as structure only $\mathbb{Z}$-sets, i.e. efficient scalar multiplication. Let C be a hyperelliptic curve of genus g with Jacobian $J_C$ and with a rational Weierstraß point $P_\infty$ which we use to embed C into $J_C$. Let w be the hyperelliptic involution. Then $J_C/w =: K$ is the Kummer variety of C, and we have an embedding of $\mathbb{P}^1 \cong C/w$ into K. On K the action of $\mathbb{Z}$ is induced by the group structure on the Jacobian. So we have a scalar multiplication but no group structure. Hence the usual add-and-double algorithm to get a fast scalar multiplication does not work. To repair this one uses the Montgomery ladder (see [8]) which is well known for elliptic curves. To make the ladder very fast one uses a remarkable tool: classical modular forms in an abstract setting! From now on we restrict ourselves to g = 2. P. Gaudry uses in [21] the classical theory of theta functions, their p-adic interpretation and reduction, exploits "classical" doubling formulas and gets extremely simple doubling formulas. One drawback is that the model used for C based on Theta functions has bad reduction modulo 2. So in [21] Gaudry had to exclude the important case that the ground field has even characteristic. More arithmetic geometry, namely the theory of minimal models, enabled him together with D. Lubicz to remove this restriction [24].
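To make the "scalar multiplication without a group structure" concrete, here is an added Python example for the genus 1 analogue of the Kummer variety (written for this page; it is not Gaudry's genus 2 code and not taken from [8] or [21]). The x-line of the Montgomery curve y² = x³ + 6x² + x over the constructed toy field F_103 is the quotient of the elliptic curve by the involution −1, and the Montgomery ladder computes x([k]P) from x(P) alone using only doubling and differential addition, performing the same two operations for every bit. The full affine group law is included only to check the result; the prime and the coefficient A are assumptions chosen for illustration.

```python
# Montgomery ladder on the Kummer line (x-only) of the Montgomery curve
#   E : y^2 = x^3 + A*x^2 + x  over F_p.
# Constructed toy parameters for illustration; not a cryptographic curve.
P_MOD = 103      # prime with p = 3 mod 4, so square roots are one exponentiation
A_COEF = 6       # A^2 != 4, hence E is non-singular


def inv(z, p=P_MOD):
    return pow(z % p, p - 2, p)


def sqrt_mod(z, p=P_MOD):
    """Square root for p = 3 mod 4; None if z is a non-residue."""
    r = pow(z % p, (p + 1) // 4, p)
    return r if r * r % p == z % p else None


# ---- x-only arithmetic: x(P) is held as (X : Z); the point at infinity is (1 : 0) ----
A24 = (A_COEF + 2) * inv(4) % P_MOD      # (A + 2) / 4


def x_dbl(X, Z, p=P_MOD):
    """x(2P) from x(P)."""
    aa = (X + Z) * (X + Z) % p
    bb = (X - Z) * (X - Z) % p
    c = (aa - bb) % p                     # 4*X*Z
    return aa * bb % p, c * (bb + A24 * c) % p


def x_add(X2, Z2, X3, Z3, X1, Z1, p=P_MOD):
    """Differential addition: x(P2 + P3) from x(P2), x(P3) and x(P3 - P2) = (X1 : Z1)."""
    da = (X3 - Z3) * (X2 + Z2) % p
    cb = (X3 + Z3) * (X2 - Z2) % p
    return Z1 * (da + cb) ** 2 % p, X1 * (da - cb) ** 2 % p


def ladder_x(k, x, p=P_MOD):
    """x([k]P) for a point P with x(P) = x != 0; None if [k]P is the point at infinity.

    Invariant: R1 - R0 = P. Every bit costs exactly one x_add and one x_dbl whatever
    its value: the uniform behaviour the text credits with side-channel protection.
    """
    R0 = (1, 0)          # x([0]P) = infinity
    R1 = (x % p, 1)      # x([1]P)
    for bit in bin(k)[2:]:
        if bit == "1":
            R0, R1 = R1, R0
        R1 = x_add(*R0, *R1, x % p, 1)
        R0 = x_dbl(*R0)
        if bit == "1":
            R0, R1 = R1, R0
    X, Z = R0
    return None if Z == 0 else X * inv(Z, p) % p


# ---- full affine group law, used only to check the ladder ----
def aff_add(P, Q, A=A_COEF, p=P_MOD):
    """Chord-and-tangent law on E with B = 1; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + 2 * A * x1 + 1) * inv(2 * y1, p) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1, p) % p
    x3 = (lam * lam - A - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def aff_mul(k, P):
    R = None
    for bit in bin(k)[2:]:
        R = aff_add(R, R)
        if bit == "1":
            R = aff_add(R, P)
    return R


def find_point(A=A_COEF, p=P_MOD):
    """Some affine point with x != 0 (x = 0 is the 2-torsion point (0, 0))."""
    for x in range(1, p):
        y = sqrt_mod(x ** 3 + A * x * x + x, p)
        if y is not None:
            return (x, y)


def ladder_matches_group_law(max_k=60):
    """True if the x-only ladder agrees with the full group law for k = 1..max_k."""
    P = find_point()
    for k in range(1, max_k + 1):
        Q = aff_mul(k, P)
        if ladder_x(k, P[0]) != (None if Q is None else Q[0]):
            return False
    return True


if __name__ == "__main__":
    print("ladder agrees with group law:", ladder_matches_group_law())
```

Note that ladder_x never adds two arbitrary points: the differential addition needs x(P3 − P2), which the ladder invariant R1 − R0 = P keeps fixed, and that is exactly the structure available on a Kummer variety.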

3.6. Conclusion. We have solved condition 1 and condition 2 from 2.4.1 in a rather satisfying way for all divisor class groups attached to schemes of dimension 1. We have done this very efficiently in the most interesting cases, namely curves of small genus.


We have to discuss the hardness of the DLP in these divisor class groups.

4. Security

Before constructing explicit groups inside of divisor class groups it is reasonable to ask for security. Again we take as measure the complexity of the generic attacks. Because of the results of Hasse-Weil (see Section 5) we know that the divisor class group of curves of genus g over $\mathbb{F}_q$ has order $q^g + O(q^{g-1/2})$, and so we can hope to construct embeddings of $\mathbb{Z}/\ell$ into these groups for primes ℓ of size $\sim q^g$. Hence every attack with complexity $\le O(q^{\frac{g-\epsilon}{2}})$ ($\epsilon > 0$) is an undesirable weakening of the DL.

4.1. The index-calculus attack. The most powerful attack is index-calculus. It uses the fact that many rational points in the symmetric product $C^{(g)}$ have as support prime divisors which are rational over $\mathbb{F}_q$ and that moreover many of them have a reduced divisor of degree

is possible. If C is non-hyperelliptic the minimal degree of plane models is ≤ g + 1, and this bound is sharp for generic curves. For instance, non-hyperelliptic curves of genus 3 have plane models of degree 4 and hence are regular. This has consequences for the security of DL-systems. C. Diem has shown in [11] that one can construct index-calculus attacks in divisor class groups with complexity depending on d instead of g. Of course this plays a significant role only for curves of small genus.

Theorem 3 (Diem). Fix d ≥ 4 such that d or d − 1 is prime. Then the DLP in the degree 0 class groups of curves given by (reflexive) plane models of degree d over $\mathbb{F}_q$ can be solved in expected time $\tilde{O}(q^{2 - \frac{2}{d-2}})$.

As a consequence one sees that small genus hyperelliptic curves are asymptotically more secure than non-hyperelliptic curves (which is a surprise!).

4.3. Curves of genus 3. For g = 3 we get from Theorem 2 that the DL has complexity $\tilde{O}(q^{4/3})$, which is slightly weaker than $O(|J_C(\mathbb{F}_q)|^{1/2}) = O(q^{3/2})$, but the difference is not dramatic. But assume now that C is a curve of genus 3 which is non-hyperelliptic and apply Theorem 3 for d = 4.

Corollary 1. For non-hyperelliptic curves of genus 3 we get a bound for the complexity of the DLP of $\tilde{O}(q)$.

Hence the DL attached to these curves has the same complexity as the complexity we expect for the DL on carefully chosen curves of genus 2 (over the same ground fields). As a result we should avoid non-hyperelliptic curves of genus 3. Let us look at this requirement from the point of view of moduli spaces. Curves of genus 3 are parameterized by a 6-dimensional variety, which can be identified (birationally) with principally polarized abelian varieties of dimension 3. In this space the hyperelliptic curves are parameterized by a 5-dimensional manifold, the hyperelliptic locus. So hyperelliptic curves are rare. (This is a serious obstacle if one wants to construct them by random choices of invariants, see next section.) Moreover we have to expect that this subspace is not invariant under isogenies of principally polarized varieties. If we find such isogenies of small degree we shall be able to transfer the discrete logarithm from divisor class groups of hyperelliptic curves to the DL in class groups of non-hyperelliptic curves in many cases, and so we shall find many hyperelliptic curves for which the attached DL problem is weak. In fact, there are such isogenies. They are described, in some detail but over algebraically closed fields, in work of Donagi (and Livné) [15]. Their kernels are contained in a subgroup of order dividing 8 in the group of points of order 2 of the Jacobian of the curves. It was B. Smith [34] who saw the relevance of this construction for cryptography, determined the corresponding isogenies explicitly and discussed rationality conditions over finite fields in terms of Weierstraß points. Moreover he supports the heuristic "birational" considerations by numerical examples. We recall: The aim is to construct easily computable isogenies of Jacobians of hyperelliptic curves of genus 3 such that the curve corresponding to the image of a generic hyperelliptic curve is non-hyperelliptic. For this we use correspondences. A correspondence of curves C, D is induced by morphisms $f_1 : T \to C$ and $f_2 : T \to D$ (hence T is a common cover of C and D) and application of conorm respectively norm maps on divisor class groups:

$$\mathrm{Pic}^0(C) \xrightarrow{\; f_{2*} \circ f_1^{*} \;} \mathrm{Pic}^0(D).$$

In our case both curves C and D will have genus 3 but D will have a cover map of degree 4 to the projective line ramified in 8 points on $\mathbb{P}^1$, with 4 points with ramification type (2, 2) and 4 points with ramification type (2, 1, 1). Such curves can be parameterized (over algebraically closed fields) by a Hurwitz space H which has dimension 5. Since generic hyperelliptic curves of genus 3 do not have such a cover‡ the intersection of H with the hyperelliptic locus has at most dimension 4. The claim of Donagi and Livné is that by their construction they get a birational map from the hyperelliptic locus to H. Hyperelliptic curves C such that D is hyperelliptic, too, will lie in a 4-dimensional manifold, which is confirmed well by the experimental data in [34] over finite fields. We shall explain the construction in a sketchy way in terms of Galois covers. This point of view is due to E. Kani [28]. From the structural point of view this approach is very clear. It has the disadvantage that the rationality conditions may be more difficult to verify. But it follows easily from the construction how to find many examples over finite fields for which the isogeny is rational, and, contrary to the one of Donagi, Kani's construction is valid in any characteristic. The basis of the construction is simple Galois theory of covers.

i) Assume that $f : X \to \mathbb{P}^1$ is a cover of degree 4 with Galois closure $f' : X' \to \mathbb{P}^1$ and Galois group $S_4$. Take $H_2$ as a 2-Sylow subgroup of $S_4$ and $H_1$ as a subgroup of order 4 containing a transposition. Via Galois theory we get corresponding covers

$$g : Y := X'/H_1 \xrightarrow{\; g_1 \;} Z := X'/H_2 \xrightarrow{\; g_2 \;} \mathbb{P}^1 = X'/S_4 .$$

The degree of g is 6 and the degree of g1 is 2.

ii) Conversely assume that

$$g = g_2 \circ g_1 : Y \to Z \to \mathbb{P}^1$$

is a cover of degree 6 with $\deg(g_1) = 2$ and with Galois closure $g' : X' \to \mathbb{P}^1$ with Galois group $S_4$. Taking for H any subgroup of order 6 in $S_4$, the curve $X := X'/H$ has in a natural way a cover map $f : X \to \mathbb{P}^1$ of degree 4.

iii) Take the notations from above and define $T = X'/(H_1 \cap H)$. Obviously T covers both $X'/H_1 = Y$ and $X'/H = X$ and hence defines a correspondence between X and Y. So we get a morphism between $J_X$ and the connected component of $\mathrm{Ker}((g_1)_*)$, which is an abelian subvariety of $J_Y$. If $\mathrm{genus}(Z) = 0$ then $\mathrm{Ker}((g_1)_*) = J_Y$.

We want to realize the above Galois situation for curves X and Y which have genus 3, and curves $Z = \mathbb{P}^1$. In particular Y is a hyperelliptic curve. By using the Riemann-Hurwitz genus formula and the fact that monodromy groups of covers of the projective line are generated by the inertia groups of points we find ramification conditions which yield this. For simplicity we begin with the odd characteristic case. Then all occurring ramifications will be tame.

Condition for X: X is a cover of $\mathbb{P}^1$ of degree 4 such that there are 8 ramification points $P_1, \dots, P_8$ on $\mathbb{P}^1$. After a suitable numeration we have: Each of the points $P_1, \dots, P_4$ has two extensions to X which are ramified of degree 2 (i.e. $P_i$ has ramification type (2, 2)), and each of $P_5, \dots, P_8$ has two unramified extensions and one extension which is ramified of degree 2 (i.e. $P_5, \dots, P_8$ have ramification type (2, 1, 1)). It follows that X has genus 3 and that the Galois closure of $X \to \mathbb{P}^1$ has Galois group $S_4$. Moreover the curve Y constructed as above has degree 2 over Z and is ramified in 8 points which are mapped to the points $P_1, \dots, P_4$. In the extension $Z \to \mathbb{P}^1$ only the points $P_5, \dots, P_8$ are ramified, of type (2, 1). It follows that the genus of Z is 0 and that Y is a hyperelliptic curve of genus 3. We see that, at least over algebraically closed fields, the covers $X \to \mathbb{P}^1$ correspond to points on the moduli space of covers of degree 4 with monodromy group $S_4$ and eight ramification points of the ramification type from above. Identifying covers modulo automorphisms of $\mathbb{P}^1$ yields that this moduli space has dimension 5.

The converse construction: For a hyperelliptic curve Y one has to construct 2/3-covers

$$g : Y \to Z \to \mathbb{P}^1$$

with monodromy group $S_4$. In the ideal case one finds, for given $g_1 : Y \to Z = \mathbb{P}^1$ of degree 2, a cover $g_2 : Z \to \mathbb{P}^1$ of degree 3 such that the monodromy group of $g = g_2 \circ g_1$ is $S_4$. Over algebraically closed fields this is achieved birationally by the trigonal construction used by Donagi and then by Smith. This construction works "generically" but it seems to be not quite clear how to verify that the monodromy group of the 6-cover is in fact $S_4$. This can be forced by prescribing appropriate ramification types which are motivated by the above construction. It is sufficient that the branch locus of $g_1$ on Z is prime to the ramification locus of $g_2$, where $g_2$ is any cover of degree 3, and that the ramification type of all ramified points is (1, 1, 2, 2). In particular, the branch points of $g_2$ are unramified in the $g_1$-cover, and the branch points of $g_1$ are given as 4 pairs, each mapped to one point on $\mathbb{P}^1$ under $g_2$. To understand this better we observe that there is an elliptic curve with an isogeny of degree 3 behind the scene: Let $X'$ be as above. Let V be the Klein group in $S_4$, which is a normal subgroup isomorphic to $\mathbb{Z}/2 \times \mathbb{Z}/2$, and take $E' = X'/V$. Then $E'$ covers $\mathbb{P}^1$ with Galois group isomorphic to $S_3$, the group of permutations on 3 letters. Looking at the ramification one computes that $E'$ is an elliptic curve. Let $C_3$ be the normal subgroup of $S_3$ of order 3. Then $E := E'/C_3$ is again an elliptic curve and hence is the image of $E'$ under an isogeny of degree 3, which necessarily is rational if Y or X is rational. The curve E is (up to a twist) determined by the cover $E \to \mathbb{P}^1$ with ramification points $P_5, \dots, P_8$. The eight ramification points $Q_1, \dots, Q_8$ of Y/Z come in 4 pairs which are mapped to $P_5, \dots, P_8$ under $g_2$. To construct hyperelliptic curves over $\mathbb{F}_q$ satisfying the conditions from above one can proceed as follows.

‡ I am indebted to H. Lange for telling me this argument.
One chooses an elliptic curve $E'$ with $j$-invariant $\neq 0$ defined over $\mathbb{F}_q$ with an $\mathbb{F}_q$-rational isogeny η of degree 3 with kernel generated by $R_3$, a point of order 3. Since the modular curve $X_0(3)$ has genus 0 one finds ∼ q such pairs. Let G be the group of morphisms of $E'$ generated by $-\mathrm{id}_{E'}$ and $t_{R_3}$, the translation by $R_3$. Obviously G is Galois-invariant, isomorphic to $S_3$, and $E'/G$ is a projective line, as well as $E'/\langle -\mathrm{id}_{E'} \rangle =: Z$. Choose an $\mathbb{F}_q$-rational divisor D of degree 4 on Z whose support consists of 4 different points $Q_1, \dots, Q_4 \in Z(\mathbb{F}_{q,s})$. Let $Q'_1, \dots, Q'_4$ be points on $E'$ lying over $Q_1, \dots, Q_4$. Take $Q'_{4+i} = Q'_i + \delta_i \cdot R_3$ with $\delta_i \in \{1, 2\}$ such that the set of x-coordinates of the points $Q'_{4+i} = Q'_i + \delta_i \cdot R_3$, $i = 1, \dots, 4$, is Galois invariant. (This is always possible.) Let $Q_1, \dots, Q_8$ be the images of the points $Q'_1, \dots, Q'_8$ on Z. Then the curve Y which covers Z of degree 2 with ramification points $Q_1, \dots, Q_8$ is hyperelliptic with genus 3 and satisfies the conditions of the construction above. By this construction one sees that there is a positive number c such that there are at least (asymptotically) $c \cdot q^5$ isomorphy classes of hyperelliptic curves of genus 3 over $\mathbb{F}_q$ for which the above construction is rational. This number c can be computed effectively; it should be compared with the theoretical and experimental results of Smith in [34]. As said above this construction works in even characteristic, too. One takes E and G as above. But now one chooses two pairs of points satisfying the conditions from above instead of 4 pairs. As a consequence it follows that the construction only delivers ordinary hyperelliptic curves Y.

Conclusion: There are (in all characteristics) many families of hyperelliptic curves C of genus 3 with an explicit isogeny of degree dividing 8 from the Jacobian $J_C$ to the Jacobian of a non-hyperelliptic curve of genus 3. There are obvious questions:
• Is it true that for all hyperelliptic curves C the construction can be applied, at least over algebraically closed fields? (The result of Donagi-Livné is only birational.)
• For a given hyperelliptic curve Y over $\mathbb{F}_q$ decide whether there is an elliptic curve E with an isogeny of degree 3 over $\mathbb{F}_q$ for which the construction can be applied, and find this curve!
• For a given hyperelliptic curve Y decide whether the corresponding curve X is non-hyperelliptic without explicit computation.
• Can one use isogenies of other (small) degrees to get analogous results?
• What happens for non-ordinary hyperelliptic curves in characteristic 2?
In any case one sees that one has to be very careful if one wants to use curves of genus 3 for DL-systems, and it may be wise to restrict to curves of genus 1 and 2 if there are no very good reasons for deciding otherwise.

4.4. Security of elliptic curves over non-prime fields. From a geometric point of view index-calculus algorithms on curves of "large" genus use the structure of the Jacobian as an abelian variety of higher dimension and its substructures like curves (in particular lines) and/or hypersurfaces (in particular hyperplanes). This can be imitated in the case that we use an elliptic curve over a non-prime field. The method is well known in algebraic geometry and used for many constructions. It is scalar restriction, also denoted as Weil restriction. The use of Weil restriction in cryptography is now 10 years old. It was proposed in [18]. In the beginning one could be very sceptical about the practicability of this approach, but then Gaudry, Hess, Smart [23] and many others showed that there are quite a lot of instances where elliptic curves become insecure. For example it is now known that the very nice field $\mathbb{F}_{2^{155}}$ is not the best choice as base field for secure elliptic curves, since $155 = 5 \cdot 31 = 5 \cdot (2^5 - 1)$. But the real strength of the method is again in low dimension. Here the scalar restriction appears very implicitly: as philosophy and to prove that the algorithm works. As one result we shall see that 4 is a bad degree for field extensions, too.


Theorem 4 (Diem [12]).
• Let $\epsilon > 0$ be a real number and
$$(2 + \epsilon)\, n^2 \le \log_2(q)$$
and E an elliptic curve over $\mathbb{F}_{q^n}$. Then the DLP in $E(\mathbb{F}_{q^n})$ can be solved in an expected time which is polynomially bounded in q.
• Assume
$$(2 + \epsilon)\, n^2 \le \log_2(q) \le (2 + 2\epsilon)\, n^2 \cdot \log_2(q).$$
Then the DLP in $E(\mathbb{F}_{q^n})$ can be solved in an expected time $O(\exp(O(1)(\log(q^n))^{2/3}))$, i.e. with subexponential complexity.
• Fix $n > 2$.§ Then the DLP in $E(\mathbb{F}_{q^n})$ can be solved in an expected time of $\tilde{O}(q^{2 - 2/n})$ (with q growing). In particular, for n = 4 the complexity of the DLP is $\tilde{O}(q)$.

The construction underlying these results uses as factor base points "with X-coordinate in $\mathbb{F}_q$". More precisely one uses subvarieties defined by Semaev's summation polynomials. As smoothness test one has to solve systems of polynomial equations defining zero dimensional schemes.

4.5. Conclusion. In this section we saw that very nice pieces of theoretical and computational arithmetic geometry have importance at least for the philosophy behind the construction of DL-systems: Take curves of genus 1 or 2 over prime fields or over fields $\mathbb{F}_{2^n}$ with n a prime number but not a Mersenne prime.

5. Point counting

By the key word "point counting" we mean: For a given variety V over a finite field $\mathbb{F}_q$ determine the number of rational points on V. It has been known for seventy years from the work of A. Weil, B. Dwork and many others that this is essentially the same as computing the Zeta-function of V and evaluating it at special values. Moreover one knows that this Zeta-function is a rational function in one variable and the coefficients of the polynomials in the numerator and the denominator can be bounded. For instance for projective absolutely irreducible smooth curves C of genus g the denominator $L_C(T)$ is a polynomial of degree 2g in $\mathbb{Z}[T]$ with coefficients $\le q^g$ and $|J_C(\mathbb{F}_q)| = L_C(1)$. An important consequence is that $|J_C(\mathbb{F}_q)| = q^g + O(q^{g-1/2})$. So every strategy to count points boils down to computing $L_C(T)$.

To achieve this goal one uses relations with Galois representations induced by the action on cohomology groups. These cohomology groups will come from De Rham cohomology (spaces attached to differentials), from étale cohomology (spaces attached to Tate modules) or from p-adic cohomology (coming from rigid analytic p-adic analysis). In any case these methods are based on very deep theoretical foundations¶.

§ A good part of the following result was obtained by P. Gaudry [22] independently with related methods.
¶ We shall be very sketchy here. For a detailed exposition we refer to [8].


5.1. The state of the art. Looking at the results of the previous section we have to find divisor class groups of curves of genus 1, 2 and maybe 3 defined over fields $\mathbb{F}_q$ with order almost a prime to get candidates for DL-systems. Theorems from analytic number theory tell us that we have a reasonable chance to succeed if we take enough random curves. Hence we have to compute L-series of such curves.

5.1.1. Étale cohomology and elliptic curves. The first algorithm based on étale cohomology is due to R. Schoof, who computed for enough small primes ℓ the characteristic polynomial of the Frobenius endomorphism acting on ℓ-torsion points of elliptic curves. Refinements due to Atkin and Elkies and the input of more machinery concerning isogenies of elliptic curves (amongst others by Morain, Couveignes, Lercier) led to algorithms that solve the problem of point counting for elliptic curves in a satisfying way. For curves of genus 2 there are some beginnings to use étale cohomology; for genus 3 no effective algorithms are known (though one knows that in principle Schoof's algorithm works for all abelian varieties of fixed dimension in polynomial time).

5.1.2. Rigid cohomology. We have an exciting development during the last ten years (which is the application of not so new theoretical results) using rigid analytic geometry, in particular crystalline cohomology, living in the p-adic world explored by Tate, Dwork, Monsky, Washnitzer, Berthelot, Fontaine and many others. Amazingly these most abstract concepts can be transformed into most effective algorithms. The principles are
• to lift objects in a more or less canonical way from finite fields to p-adic fields, e.g. canonical lifts as Satoh did for ordinary elliptic curves and the AGM-method developed by Mestre,
• or to use a formal lifting (initiated by Kedlaya) relying on Monsky-Washnitzer cohomology,
• or to use deformation theory (Lauder).
These methods solve the point counting problem for random curves over fields of small (or even medium-sized) characteristic.

5.1.3. Curves of genus 2. There remains a gap: Count points on curves of genus 2 or 3 over prime fields! By a tour de force combining all known methods including refined versions of Baby-Step-Giant-Step algorithms P. Gaudry and E. Schost [25] succeeded in computing the number of points on the Jacobian of curves of genus 2 over prime fields with 127 bits (so in cryptographically interesting ranges) and in finding curves for which this order is almost a prime. This encourages the hope that further modifications will solve the counting problem for curves of genus 2 in a satisfying way. If one wants to find cryptographically strong instances with moderate computing power one has to rely on the "old fashioned" CM-method, implemented for the first time by A. Spallek [35] in 1994 (also see [36] where one finds the theory and complications for genus 3 curves, too).

5.2. A recent approach. We finish the discussion of point counting methods by mentioning a very interesting new approach. R. Carls and D. Lubicz [6] develop a higher dimensional analogue of Satoh's method for constructing canonical lifts. They use the classical way to describe abelian varieties in their moduli space by Theta-values in an algebraic setting and then lift these invariants and the action of the Frobenius morphism. The algebraic background is Mumford's algebraic theory of Theta functions developed to describe abelian varieties by equations, and the theory of Siegel modular forms. That the approach is efficient (which is kind of a wonder) is demonstrated by an implementation in Magma.

5.3. Conclusion. In cryptographically relevant areas
• we can count points on random elliptic curves,
• we can count points on Jacobians of random curves over fields of small (and even medium) characteristic,
• we still have problems with random curves of genus 2 and we have to rely on CM-methods, but there is hope,
• and, of course, we have many special families of curves whose members are accessible for point counting.
So it is no problem to construct instances for all those types of divisor class groups which should yield good candidates for DL-systems. It is obvious how deeply arithmetic geometry was involved to get this clean picture. Certainly in this area of public key cryptography there remain open questions, mostly concerning efficiency but some also concerning theoretical issues which could become relevant for security. So one should not forget to test if new results from algorithmic arithmetic geometry have implications for DL-systems. But it may not be too soon to say that the time is ripe for "standardization" of DL-systems. This comfortable situation is definitely not obtained in the subject of the next section.

6. Bilinear structures

Let (A, ◦) be a DL-system. We recall Definition 1 of a bilinear structure on A: There is a non-degenerate and rapidly computable $\mathbb{Z}$-bilinear form $Q : A \times A' \to C$. That it is highly interesting to find bilinear structures was motivated in Subsection 2.3.2.

Remark 2. One is used to describing bilinear maps on free modules by matrices whose entries consist of the values of pairs of elements in fixed bases. This is not enough for our purposes. For example assume that $A = B$ is a cyclic group with n elements with generator $P_0$ and take $C = \mathbb{Z}/n$. Choose $m \in \mathbb{Z}$ prime to n. Let

$$Q_m : A \times A \to \mathbb{Z}/n$$

be the pairing determined by $Q_m(P_0, P_0) := m + n\mathbb{Z}$. Without further information the computation of $Q_m(P, Q)$ is equivalent to the DLP in A. So, though from the algebraic point of view pairings are "everywhere", it is much harder to find DL-systems with bilinear structure. One source is delivered by duality theorems in arithmetic geometry.


6.1. Duality by class field theory. The main results of class field theory (local, global and geometric) are duality theorems. Hence one can expect that this theory can be exploited for bilinear structures. The most prominent example nowadays is the Tate-Lichtenbaum duality. It relates abelian varieties A/K (K any field) with the Brauer group Br(K) of K [17]. Hence we get a bilinear structure on A(K)[ℓ] with values in Br(K)[ℓ] which can be used for DL-transfer, decision problems, short signatures, tripartite key exchange, identity based cryptosystems, etc., provided that
• the pairing is not degenerate,
• it can be computed rapidly,
• we can compute in Br(K)[ℓ].
These conditions are satisfied if K is a p-adic field or a field of power series over a finite field which contains the ℓ-th roots of unity and A is the Jacobian of a curve. More precisely: assume that K is a local field with residue field Fq and Frobenius automorphism Frobq, and let ℓ be a prime number not dividing q. Let C′ be a projective curve defined over K with good reduction C. To avoid trivial cases assume that the prime number ℓ divides | JC (Fq) |. Then there is a non-degenerate pairing

T_ℓ : J_{C′}(K)[ℓ] × J_{C′}(K_s)[ℓ]^{(q)} → F_q(ζ_ℓ)^* / (F_q(ζ_ℓ)^*)^ℓ

where ζ_ℓ is a primitive root of unity of order ℓ, K_s is the separable closure of K and

J_{C′}(K_s)[ℓ]^{(q)} := {Q ∈ J_{C′}(K_s)[ℓ]; Frob_q(Q) = q · Q}.

One can reduce this pairing and obtains a non-degenerate pairing

T_ℓ : J_C(F_q)[ℓ] × J_C(F_{q,s})[ℓ]^{(q)} → F_q(ζ_ℓ)^* / (F_q(ζ_ℓ)^*)^ℓ

which can be computed in polynomial time in |Fq(ζℓ)| [19]. So the crucial condition for getting a DL-system with bilinear structure is that k := [Fq(ζℓ) : Fq] is not too large. For elliptic curves we can formulate this condition precisely in terms of the trace of the Frobenius endomorphism.

6.2. Pairing friendly curves. Looking at applications and taking into account the subexponential complexity of the classical DL, one requires that k is not too small, for otherwise the transfer of the DL would weaken the system, and not too large, to keep the pairing computable. It is easily seen that the first condition hurts curves with supersingular Jacobians severely. They are too pairing friendly! For constructive applications an ideal size of k would be about 12/g (always provided that ℓ ≈ qg). It is a very interesting diophantine problem to find non-supersingular pairing friendly curves. Thanks to work of Freeman, Cocks, Pinch and in particular Barreto and Nährig [2] the situation for elliptic curves is quite satisfying. It is no problem to find many pairing friendly elliptic curves with k = 12. (Maybe one could object that they all lie in one twist family.) For curves of genus 2 there are some beginnings of constructions using very special curves. Curves of genus 3 could be interesting, too (in spite of security problems of the DL), for instance in characteristic 2 and with small 2-rank. And of course the construction of pairing friendly curves of any genus is an interesting problem in arithmetic geometry even if there is no cryptographic application.
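As an added example (not part of the paper or of the constructions in [2]), the following Python computes the embedding degree k = [Fq(ζℓ) : Fq] of Subsection 6.1 as the multiplicative order of q modulo ℓ, and checks it on a toy Barreto-Nährig curve (k = 12, Subsection 6.2) and on a supersingular curve (k = 2, "too pairing friendly"); the parameter choice x = -1 and the primes 19 and 103 are our own toy values.

```python
# Added example, not from the paper: k = [F_q(zeta_l) : F_q] is the smallest k
# with l | q^k - 1, i.e. the order of q mod l.  Toy Barreto-Naehrig parameter
# x = -1 (p = 19, n = 13) and supersingular prime p = 103 are our own choices.

def embedding_degree(q, l, bound=10**6):
    """Smallest k >= 1 with l | q^k - 1; None if no such k <= bound."""
    assert l > 1 and q % l != 0, "l must be prime to q"
    acc = 1
    for k in range(1, bound + 1):
        acc = (acc * q) % l
        if acc == 1:
            return k
    return None

def count_points(p, a, b):
    """Naive #E(F_p) for E: y^2 = x^3 + a*x + b, point at infinity included."""
    squares = {}                      # v -> number of y in F_p with y^2 = v
    for y in range(p):
        v = y * y % p
        squares[v] = squares.get(v, 0) + 1
    return 1 + sum(squares.get((x**3 + a*x + b) % p, 0) for x in range(p))

def bn_params(x):
    """Barreto-Naehrig polynomials: field size p, group order n, trace t (p + 1 - t = n)."""
    p = 36*x**4 + 36*x**3 + 24*x**2 + 6*x + 1
    n = 36*x**4 + 36*x**3 + 18*x**2 + 6*x + 1
    t = 6*x**2 + 1
    return p, n, t

def toy_bn_curve(x=-1):
    """Return (p, n, b, k): twist y^2 = x^3 + b over F_p with n points, and its k."""
    p, n, t = bn_params(x)
    assert p + 1 - t == n
    for b in range(1, p):             # the six sextic twists of y^2 = x^3 + b occur here
        if count_points(p, 0, b) == n:
            return p, n, b, embedding_degree(p, n)
    raise ValueError("no twist of the expected order")

def supersingular_example(p=103):
    """p = 3 mod 4: y^2 = x^3 + x has p + 1 points; return (#E, largest prime l | #E, k)."""
    assert p % 4 == 3
    order = count_points(p, 1, 0)
    l, m, d = 1, order, 2
    while d * d <= m:                 # trial division for the largest prime factor
        while m % d == 0:
            l, m = d, m // d
        d += 1
    return order, max(l, m), embedding_degree(p, max(l, m))
```

For the toy BN curve the subgroup of order 13 embeds into F_{19^12}^*, matching the ideal k ≈ 12/g for g = 1, whereas for the supersingular curve q ≡ -1 (mod ℓ) forces k = 2 and the DL transfers to the much smaller field F_{q^2}.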


6.3. Open questions. Both for theory and for possible applications we would like to have answers to the following questions:
• Can we compute more dualities between interesting groups in polynomial time?
• How is the balance between efficiency and security if we work in cryptographically relevant ranges?
• Are the constructed pairings one-way functions?
• Can we use more general cohomology groups (e.g. motives attached to specific abelian varieties) for multilinear structures?
And one should think about whether one can use global class field theory, in particular the Hasse-Brauer-Noether sequence of Brauer groups, the Cassels pairing on Selmer groups, respectively Tate-Shafarevich groups, or similar constructions to get local-global results like reciprocity laws, which are highly interesting for arithmetic geometry and, maybe, usable for cryptography.

Acknowledgements The author would like to thank the referees for careful reading of the manuscript and for their helpful comments.

References

[1] R. Avanzi, N. Thériault and Z. Wang, Rethinking low genus hyperelliptic Jacobian arithmetic over binary fields: interplay of field arithmetic and explicit formulae, J. Math. Cryptology, 2 (2008), 227–256.
[2] P. S. L. M. Barreto and M. Nährig, Pairing-friendly elliptic curves of prime order, in “SAC 2005,” Springer, (2006), 319–331.
[3] D. J. Bernstein and T. Lange, Faster addition and doubling on elliptic curves, in “Advances in Cryptology – ASIACRYPT 2007,” (ed. K. Kurosawa), Springer, (2007), 29–50.
[4] D. Boneh and R. Venkatesan, Breaking RSA may not be equivalent to factoring, in “Proc. EUROCRYPT 98,” (ed. K. Nyberg), Springer, (1998), 59–71.
[5] J. Buchmann and H. C. Williams, A key-exchange system based on imaginary quadratic fields, J. Cryptology, 1 (1988), 107–118.
[6] R. Carls and D. Lubicz, A p-adic quasi-quadratic time point counting algorithm, Int. Math. Res. Not., 4 (2009), 698–735.
[7] W. Castryck and F. Vercauteren, Forms of elliptic curves, Lecture at the Workshop on Pairings, Essen, 2009, available online at http://www.iem.uni-due.de/zahlentheorie/pairings09.
[8] H. Cohen and G. Frey (eds.), “Handbook of Elliptic and Hyperelliptic Curve Cryptography,” CRC, 2005.
[9] D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities, J. Cryptology, 10 (1997), 223–260.
[10] J. Daemen and V. Rijmen, “The Design of Rijndael: AES - The Advanced Encryption Standard,” Heidelberg, 2002.
[11] C. Diem, An index calculus algorithm for plane curves of small degree, in “Proc. ANTS VII” (eds. F. Heß, S. Pauli and M. Pohst), Springer, (2006), 543–557.
[12] C. Diem, On arithmetic and the discrete logarithm problem in class groups of curves, Habil. thesis, Leipzig, 2009.
[13] C. Diem, P. Gaudry, E. Thomé and N. Thériault, A double large prime variation for small genus hyperelliptic index calculus, Math. Comput., 76 (2007), 475–492.
[14] W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Trans. Inform. Theory, 22 (1976), 644–654.
[15] R. Donagi and R. Livné, The arithmetic-geometric mean and isogenies for curves of higher genus, Ann. Scuola Norm. Sup. Pisa Cl. Sci., 28 (1999), 323–339.


[16] G. Frey, Applications of arithmetic geometry to cryptographic constructions, in “Finite Fields and Applications” (eds. D. Jungnickel and H. Niederreiter), Springer, (2001), 128–161.
[17] G. Frey, Discrete logarithms, duality, and arithmetic in Brauer groups, in “Algebraic Geometry and its Applications” (eds. J. Chaumine, J. Hirschfeld and R. Rolland), World Scientific, (2008), 241–272.
[18] G. Frey, How to disguise an elliptic curve, slides, available online at http://www.cacr.math.uwaterloo.ca/conferences/1998/ecc98/slides.html.
[19] G. Frey and H. G. Rück, A remark concerning m-divisibility and the discrete logarithm problem in the divisor class group of curves, Math. Comput., 62 (1994), 865–874.
[20] P. Gaudry, An algorithm for solving the discrete log problem on hyperelliptic curves, in “Advances in Cryptology – Eurocrypt 2000” (ed. B. Preneel), (2000), 19–34.
[21] P. Gaudry, Fast genus 2 arithmetic based on theta functions, J. Math. Cryptology, 1 (2007), 243–265.
[22] P. Gaudry, Index calculus for abelian varieties and the elliptic curve discrete logarithm problem, J. Symbolic Comput., 44 (2009), 1690–1702.
[23] P. Gaudry, F. Hess and N. P. Smart, Constructive and destructive facets of Weil descent, J. Cryptology, 15 (2002), 19–46.
[24] P. Gaudry and D. Lubicz, The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines, Finite Fields Appl., 15 (2009), 246–260.
[25] P. Gaudry and E. Schost, Construction of secure random curves of genus 2 over prime fields, in “Advances in Cryptology – Eurocrypt 2004,” (2004), 239–256.
[26] F. Heß, Computing Riemann-Roch spaces in algebraic function fields and related topics, J. Symbolic Comput., 33 (2002), 425–445.
[27] P. Ivanov and J. F. Voloch, Breaking the Akiyama-Goto cryptosystem, in “Arithmetic, Geometry, Cryptography and Coding Theory” (eds. G. Lachaud, C. Ritzenthaler and M. A. Tsfasman), Amer. Math. Soc., Providence, RI, (2009), 113–118.
[28] E. Kani, e-mail, 25 March 2009.
[29] M. Kraitchik, “Théorie des nombres,” Gauthier-Villars, 1922.
[30] A. K. Lenstra and H. W. Lenstra Jr. (eds.), “The Development of the Number Field Sieve,” Springer-Verlag, Berlin, 1993.
[31] U. M. Maurer and S. Wolf, The relationship between breaking the Diffie-Hellman protocol and computing discrete logarithms, SIAM J. Comput., 28 (1999), 1689–1721.
[32] A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, “Handbook of Applied Cryptography,” Amer. Math. Soc., Providence, RI, 1997.
[33] R. Oyono, Non-hyperelliptic modular Jacobians of dimension 3, Math. Comput., 78 (2009), 1173–1191.
[34] B. Smith, Isogenies and the discrete logarithm problem in Jacobians of genus 3 hyperelliptic curves, in “Advances in Cryptology – EUROCRYPT 2008,” Istanbul, (2008).
[35] A. Spallek, “Kurven vom Geschlecht 2 und ihre Anwendung in der Kryptographie,” Ph.D. Thesis, Essen, 1994, available online at http://www.iem.uni-due.de/zahlentheorie/AES-KG2.pdf.
[36] A. Weng, “Konstruktion Kryptographisch Geeigneter Kurven mit Komplexer Multiplikation,” Ph.D. Thesis, Essen, 2001, available online at http://www.iem.uni-due.de/zahlentheorie/preprints/wengthesis.pdf.

Received July 2009; revised November 2009.
E-mail address: [email protected]
