Masaryk University Faculty of Informatics

Examining and improving the security of elliptic curve cryptography

Ph.D. Thesis Proposal

Mgr. Vladimír Sedláček

Advisor: prof. RNDr. Václav Matyáš, M.Sc., Ph.D.

Brno, Fall 2019

Acknowledgements

I would like to thank Vashek Matyáš, Petr Švenda, Marek Sýs, Ján Jančár and other CRoCS lab members for their guidance, support, inspiration and many fruitful discussions.

Abstract

The focus of the proposed research is to analyze whether elliptic curve cryptography really provides the expected level of security. This includes closely inspecting standardized curves in a new way, trying to link public keys to the source that produced them, finding new theoretical weaknesses or vulnerable implementations and finally examining the post-quantum schemes based on isogenies of supersingular curves in more depth.

Keywords: elliptic curve cryptography, vulnerabilities, standardized curves, fingerprinting, factorization, primality testing


Contents

1 Introduction
  1.1 Elliptic curves and their applications
  1.2 Classical ECC
  1.3 Post-quantum ECC

2 State of the Art
  2.1 Classical ECC
  2.2 Post-quantum ECC
  2.3 Integer factorization
  2.4 Primality testing

3 Thesis aim
  3.1 Problem statement
  3.2 Research focus
  3.3 Work plan

4 Achieved results
  4.1 The 4p − 1 factorization method
  4.2 Fooling primality tests on smartcards
  4.3 Bases of circular units
  4.4 Publications

Bibliography

A Attached papers
  A.1 4p − 1 factorization
  A.2 Bases of circular units


1 Introduction

This dissertation thesis proposal aims to introduce the motivation for the study of the security of elliptic curve cryptography and relevant areas, cover the state of the art and my research plan and the results achieved so far. This section gives an introduction to elliptic curves in general, as well as elliptic curve cryptography (ECC). Chapter 2 gives the current state of the art in several areas related to ECC, namely classical ECC, post-quantum ECC, factorization and primality testing. Chapter 3 specifies the research aims with particular applications and plans. Chapter 4 summarizes the achieved results with the list of publications. Appendix A contains attached publications.

1.1 Elliptic curves and their applications

Elliptic curves have been studied by mathematicians for a very long time and provide a very rich interplay between many areas, such as algebra, geometry, number theory and analysis. With the advent of computers, they also became an important computational tool, as they can be used for many different tasks, including integer factorization and primality proving. Yet currently their high popularity in applications stems from the fact that the discrete logarithm problem in the group of points of an elliptic curve over a finite field (abbreviated as ECDLP from now on) seems intractable, which allows us to build several very efficient cryptographic schemes on it. The isogenies of elliptic curves (i.e., rational maps between two elliptic curves that preserve the point at infinity) are also an important tool both for certain computations and for cryptography, and they are becoming increasingly important with the preparation for the post-quantum era, especially in the context of supersingular curves. Last but not least, the pairing functions (which map two points on an elliptic curve into a group of roots of unity) can be used to construct cryptographic schemes such as identity-based encryption, short signatures or zero-knowledge proofs, thus forming the basis of the so-called pairing-based cryptography.

1.2 Classical ECC

Public-key algorithms form a fundamental part of modern cryptography, and ECC is its prominent constituent. Widespread usage of elliptic curves started after NIST standardized the Elliptic Curve Digital Signature Algorithm (ECDSA) in FIPS 186-2 in 2000, and the popularity of elliptic curves in cryptography has grown ever since. Besides ECDSA, elliptic curve Diffie-Hellman (ECDH) is also widely used; nowadays, both are deployed in protocols like TLS or SSH that form the backbone of a secure Internet. The practical benefits of elliptic curves are smaller key sizes and more efficient implementations at the same security level when compared to other public-key schemes like RSA or ElGamal. Elliptic curves are attractive especially for security applications where computational power and integrated circuit space are limited (e.g., smartcards or wireless devices) [KMV00]. Elliptic curves are also deployed in government-issued eIDs of many countries like Austria or Belgium, where ECDSA is used as an equivalent to hand-written signatures. ECC is also at the core of cryptocurrencies like Bitcoin, Ethereum or Monero.

Security: All practical ECC schemes (ECDH, ECDSA, EdDSA, ECIES) are defined over standardized curves. Vulnerabilities of these schemes can be divided into two broad classes: mathematical ones and those specific to implementations. The mathematical vulnerabilities of ECC schemes relate to parameters of the standardized curves such as the order of the elliptic curve, the complex multiplication (CM) field discriminant and others. There are documented instances of standards being manipulated (e.g., the known back-door in the Dual EC PRNG [BLN15]). Hence the curve generation process of standardized curves has also recently been examined for hidden vulnerabilities [Ber+15a]. Moreover, the standards themselves are often very problematic, as they do not explicitly protect against certain attacks and create tensions between simplicity and security (so that producing correct and secure implementations becomes very hard), while not providing optimal performance [BLa]. As a result, many ECC-based systems could be potentially vulnerable.

1.3 Post-quantum ECC

Most of the public key cryptosystems currently used in practice are easily broken by sufficiently large quantum computers, as there are polynomial-time quantum algorithms for solving both integer factorization and the discrete logarithm problem [RNSL17]. Thus there are various activities aiming to move towards so-called post-quantum cryptosystems for the future. Notably, in 2016, NIST initiated a competition to standardize new post-quantum public-key algorithms [ST16]. The second round of the competition was announced in January 2019. However, as these systems are quite recent, they require deeper security analyses of various kinds [Ala+19]. Even though most post-quantum algorithms are not based on elliptic curves anymore, some problems utilizing isogenies (especially between supersingular curves) seem to be hard even for quantum computers. The two main candidates in this isogeny-based cryptography are SIKE (Supersingular Isogeny Key Encapsulation) [Aza+17], which was submitted to the NIST competition, and CSIDH (Commutative Supersingular Isogeny Diffie-Hellman) [Cas+18], which appeared only recently (November 2018, too late to enter the competition).


2 State of the Art

This chapter presents a brief overview of the state of the art for classical ECC (Section 2.1), post-quantum ECC (Section 2.2), integer factorization (Section 2.3) and primality testing (Section 2.4). Even though the latter two might seem somewhat less relevant to elliptic curves at first glance, there are in fact several important connections.

2.1 Classical ECC

Note that in this section, we will only consider curves over F_p, the finite field with p elements, where p is prime, which is the case most often encountered in real-world cryptography. The other case, where the characteristic of the field is 2, is rarely seen in practice (even though there exist standardized curves of this type) and we will not discuss it, as it is much more complicated to estimate its security, even though the general attacks and some of the ideas still apply. We also discuss only ECDLP-based issues, disregarding pairing-based cryptography almost completely, as it is much less prevalent (though, to be fair, most pairing-based schemes also rely on the ECDLP intrinsically).

General attacks: While the DLP can be defined in any finite cyclic group, its difficulty might differ drastically between groups. In the multiplicative group Z_p^× (or its subgroups), where p is a prime, there is the subexponential index calculus algorithm, which results in long keys for the DH and DSA schemes that operate in these groups. In contrast, despite several attempts, no efficient analogue of this algorithm exists for elliptic curves over prime fields, which is the reason ECC keys can be much shorter while still providing the same level of security. It seems so far that besides certain weak classes of curves (the publicly known ones are described below), the only applicable attacks against the ECDLP are those that work in any finite cyclic group. Assuming the group has prime order (otherwise we can use the Pohlig-Hellman attack [PH78] to reduce to this case), the best general attack in practice is Pollard's ρ method [Pol78], whose expected running time is proportional to the square root of the group order. Furthermore, the attack can be slightly optimized by using efficient arithmetic and the negation map [BLb].

Vulnerable curves: Some well-known ECDLP vulnerabilities are discussed in [MOV93; FR94; Sem96; Sem98; S+98; Sma99; GLV01]. A very good overview can be found at [BLb] (where implementation-specific vulnerabilities are discussed as well). In short, to avoid the known theoretical attacks, the curve E defined over F_p, where p is prime and l is the order of the subgroup of E(F_p) generated by a public generator G, should satisfy the following criteria:

∙ p should be large enough, e.g., at least 256 bits if we aim for 128-bit security;

∙ l should have a large prime factor (as this determines the complexity of the Pohlig-Hellman attack [PH78]); in fact, it is best if l itself is a prime;

∙ the curve should not be anomalous (i.e., l ≠ p), otherwise the Semaev-Satoh-Araki-Smart attack based on the additive transfer applies [Sma99; Sem98; S+98];

∙ the embedding degree of E (i.e., the order of p in F_l^× if l is prime) should be large enough (e.g., at least 20 for the current parameter sizes), otherwise the MOV attack based on the multiplicative transfer using the Weil and Tate pairings applies [Sem96; FR94; MOV93]; in particular, this rules out all supersingular curves;

∙ the absolute value of the CM field discriminant (i.e., the discriminant of the field Q(√(t² − 4p)), where t := p + 1 − #E(F_p) is the trace of Frobenius of E) should not be too low ([BLb] suggests at least 2^100), otherwise Pollard's ρ attack can be sped up thanks to the presence of efficiently computable endomorphisms of the curve [GLV01]; this does not pose a serious threat for the moment though, as the limits of the speedup are reasonably well understood.
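The checks in this list can be run mechanically. What follows is an added example written for this page (it is not code from the thesis, nor the test suite proposed later): it evaluates the criteria on a constructed toy curve y² = x³ + x over F_1019, which is supersingular and therefore must fail the embedding-degree criterion, and on the standardized curve secp256k1 using the group order from the standard. The point count is brute force and only usable for toy-sized p, and the CM check looks for a small fundamental discriminant directly, by testing whether (t² − 4p)/D is a perfect square, instead of factoring t² − 4p; the thresholds (embedding degree at least 20, |D| at most 100 counting as small) are chosen for the example.

```python
import math

# Added example, not from the thesis: mechanical checks for the curve criteria
# above.  Toy curve parameters are constructed; secp256k1 values are the
# standard ones (p = 2^256 - 2^32 - 977, prime group order n, cofactor 1).


def legendre(v, p):
    """Legendre symbol (v | p) for an odd prime p: 0, 1 or -1."""
    v %= p
    if v == 0:
        return 0
    return 1 if pow(v, (p - 1) // 2, p) == 1 else -1


def count_points(p, a, b):
    """#E(F_p) for y^2 = x^3 + a x + b by brute force (toy-sized p only):
    one point at infinity plus 1 + (x^3 + a x + b | p) affine points per x."""
    return 1 + sum(1 + legendre(x * x * x + a * x + b, p) for x in range(p))


def largest_prime_factor(n):
    """Trial division; good enough for toy group orders."""
    f, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            f, n = d, n // d
        d += 1
    return n if n > 1 else f


def trace_of_frobenius(p, order):
    """t = p + 1 - #E(F_p); the Hasse bound |t| <= 2 sqrt(p) must hold."""
    t = p + 1 - order
    if t * t > 4 * p:
        raise ValueError("order violates the Hasse bound")
    return t


def embedding_degree_is_at_least(p, l, k_min):
    """True iff p^k != 1 (mod l) for all 1 <= k < k_min, i.e. the MOV transfer
    would land in F_{p^k} with k >= k_min.  Does not need to factor l - 1."""
    x = 1
    for _ in range(1, k_min):
        x = x * p % l
        if x == 1:
            return False
    return True


def small_cm_discriminant(p, t, bound):
    """Return the CM field discriminant D if |D| <= bound, else None.
    The CM field is Q(sqrt(t^2 - 4p)), so t^2 - 4p = D * v^2 for its
    discriminant D and an integer v.  Instead of factoring t^2 - 4p, try
    every candidate D (0 or 1 mod 4) up to the bound and test whether the
    quotient is a perfect square; the smallest |D| that works is fundamental."""
    delta = t * t - 4 * p  # negative for any elliptic curve over F_p
    for D in range(-3, -bound - 1, -1):
        if D % 4 not in (0, 1) or delta % D != 0:
            continue
        q = delta // D
        if q > 0 and math.isqrt(q) ** 2 == q:
            return D
    return None


def check_curve(p, order, l, k_min=20, cm_bound=100):
    """Run the criteria for a curve with #E(F_p) = order and a generator of
    (assumed prime) order l."""
    t = trace_of_frobenius(p, order)
    return {
        "cofactor": order // l,
        "trace": t,
        "anomalous": l == p,
        "embedding_ok": embedding_degree_is_at_least(p, l, k_min),
        "cm_disc": small_cm_discriminant(p, t, cm_bound),
    }


def check_toy_curve(p, a, b, **kw):
    """Count points first; l is the largest prime factor of #E(F_p)."""
    if (4 * a * a * a + 27 * b * b) % p == 0:
        raise ValueError("singular curve")
    order = count_points(p, a, b)
    l = largest_prime_factor(order)
    r = check_curve(p, order, l, **kw)
    r["order"], r["l"] = order, l
    return r


SECP256K1_P = 2**256 - 2**32 - 977
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def check_secp256k1(**kw):
    # y^2 = x^3 + 7 with cofactor 1, so #E(F_p) = n
    return check_curve(SECP256K1_P, SECP256K1_N, SECP256K1_N, **kw)


if __name__ == "__main__":
    print("toy y^2 = x^3 + x over F_1019:", check_toy_curve(1019, 1, 0))
    print("secp256k1:", check_secp256k1())
```

For secp256k1 the check reports D = −3 (the curve y² = x³ + 7 has j-invariant 0), the value [BLb] flags as suspicious; the toy curve passes the anomaly check but fails the embedding-degree check with degree 2, as every supersingular curve over F_p with p > 3 does.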


All of these conditions are easy to verify and almost all standardized curves meet them. However, there is another serious concern: the curve generation process should be rigid enough (or at least satisfyingly explained) so that the public can be reasonably sure that the curve creator does not know some information that would help to attack the ECDLP on that specific curve. In fact, it seems that if one has state-level computational resources and knows a publicly unknown (and potentially small) class of weak curves, then it is feasible to find such a weak curve that still meets the requirements above, even when one of the curve coefficients is fixed and the other is the hash of a public (unexplained) seed, as is the case for many NIST curves [Ber+15a]. Bernstein et al. [BLb] examined curves from 7 standards (ANSI X9.63, IEEE P1363, SEC 2, NIST FIPS 186-2, Brainpool, NSA Suite B, ANSSI FRP256v1) for relevant parameters such as the embedding degree, the CM discriminant, the cofactor, twist security and rigidity. They found several curves to be at least suspicious: the CM discriminant of the widely used curve secp256k1 is only −3, ANSSI FRP256v1 is trivially manipulatable, etc.

Another potential issue to keep in mind is that whenever an isogeny from a curve to another one can be efficiently computed, the DLP can be transferred along it into the target curve, which might lead to a security reduction if the target curve is weak [KKM11]. This is to some extent governed by the maximal conductor gap in the corresponding isogeny class. These gaps were computed for the standard NIST curves, and nothing unexpected was found (at least in the prime field case) [JMV05], but this still does not exclude the existence of a weak curve computably isogenous to a standardized one. These reductions can also be interpreted in a way that the ECDLP essentially (with possible minor exceptions) has the same theoretical complexity over all curves of a given order over a fixed field (of course, we cannot use this in practice if we do not know how to attack the weak curves).

Implementation vulnerabilities: There are many different kinds of implementation-specific vulnerabilities; let us name just a few:

∙ Twist attacks [FLRV]: these apply when the attacker is allowed to make the implementation compute on the quadratic twist instead of the original curve; they can be mitigated by point validation at the implementation level or by using twist-secure curves at the curve design level.

∙ Invalid curve attacks [BMM; JSS]: these apply when an attacker is allowed to make the implementation compute on another curve (usually sharing the linear coefficient in Weierstrass form, since the affine addition formulas do not involve the constant coefficient) instead of the original curve. They can be mitigated by point validation at the implementation level or by specifying point compression at the protocol design level.

∙ Small subgroup attacks [LL]: these apply when the attacker is allowed to query multiplication by the secret scalar on points of small order, which becomes powerful when combined with the above attacks. The basic form can be mitigated by a simple point order check at the implementation level or by choosing curves with trivial (or small) cofactor (i.e., the ratio of the order of the full group to the order of the subgroup generated by the public generator).

∙ Problems with random number generation, leading for example to trivial breaks of ECDSA if the nonce is repeated, as happened in 2010 with many Sony PlayStation 3 devices [Sch15; Ber+12].

∙ Side channel attacks: these apply when the attacker can collect some leaked data, usually from the scalar multiplication algorithm or sometimes even from the field arithmetic itself; they can be mitigated by using constant-time algorithms (which is not as easy to achieve as it might seem).
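As an added illustration of the invalid-curve and small-subgroup attacks above (example code written for this page, not an implementation from the thesis or from any library), the following script attacks a toy Diffie-Hellman-style oracle over F_1019 that multiplies any received point by its secret scalar without an on-curve check. Because the affine Weierstrass addition law only involves the coefficient a, the attacker substitutes curves y² = x³ + ax + b' whose orders have small prime factors, sends a point of small prime order r, solves the discrete logarithm in the group of r elements by brute force and combines the residues by the Chinese remainder theorem. All parameters (prime, curve, secret) are constructed; the oracle returns the raw product for simplicity, whereas a real protocol would return a key derived from it, against which the attacker matches the r candidates in exactly the same way.

```python
import math

# Added example, not from the thesis: invalid-curve attack on a toy
# implementation that multiplies any received point by its secret scalar
# without checking that the point lies on the agreed curve.  All parameters
# (p = 1019, the curve, the secret) are constructed toy values.

INF = None  # point at infinity


def ec_add(P, Q, a, p):
    """Affine addition on y^2 = x^3 + a x + b over F_p.  Note that b never
    appears: the same code "works" on every curve with the same a."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF  # P + (-P); also covers 2P for a point with y = 0
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, P, a, p):
    """Double-and-add scalar multiplication."""
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        k >>= 1
    return R


# --- the victim: y^2 = x^3 + 2x + 3 over F_1019 with a constructed secret ---
P_MOD, A, B = 1019, 2, 3
SECRET = 613


def victim_oracle(Q):
    """Vulnerable: returns SECRET * Q without validating Q."""
    return ec_mul(SECRET, Q, A, P_MOD)


def hardened_oracle(Q):
    """Fixed: rejects points that are not on the agreed curve."""
    x, y = Q
    if (y * y - x * x * x - A * x - B) % P_MOD != 0:
        raise ValueError("point not on curve")
    return ec_mul(SECRET, Q, A, P_MOD)


# --- the attacker ---
def curve_order(p, a, b):
    """#E(F_p) by brute force (toy p only), using Euler's criterion."""
    total = 1
    for x in range(p):
        v = (x * x * x + a * x + b) % p
        total += 1 if v == 0 else (2 if pow(v, (p - 1) // 2, p) == 1 else 0)
    return total


def prime_factors(n):
    fs, d = [], 2
    while d * d <= n:
        if n % d == 0:
            fs.append(d)
            while n % d == 0:
                n //= d
        d += 1
    return fs + ([n] if n > 1 else [])


def point_of_order(r, p, a, b, order):
    """A point of prime order r on y^2 = x^3 + a x + b (needs r | order and
    p = 3 mod 4, so that square roots are v^((p+1)/4) mod p)."""
    for x in range(p):
        v = (x * x * x + a * x + b) % p
        y = pow(v, (p + 1) // 4, p)
        if y * y % p != v:
            continue
        R = ec_mul(order // r, (x, y), a, p)
        if R is not INF:
            return R  # r * R = order * (x, y) = INF, so R has order exactly r
    return INF


def crt(residues, moduli):
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        x += M * ((r - x) * pow(M, -1, m) % m)
        M *= m
    return x % M


def invalid_curve_attack(oracle, p, a, max_prime=50):
    """Recover the oracle's scalar from its answers on small-order points of
    attacker-chosen curves y^2 = x^3 + a x + b'."""
    bound = p + 1 + 2 * math.isqrt(p) + 1  # scalar < #E <= Hasse bound
    residues, moduli, M = [], [], 1
    for b2 in range(1, p):
        if (4 * a * a * a + 27 * b2 * b2) % p == 0:
            continue  # singular curve, skip
        order = curve_order(p, a, b2)
        for r in prime_factors(order):
            if r > max_prime or r in moduli:
                continue
            R = point_of_order(r, p, a, b2, order)
            if R is INF:
                continue
            target = oracle(R)  # SECRET * R, computed on the attacker's curve
            k = next(k for k in range(r) if ec_mul(k, R, a, p) == target)
            residues.append(k)
            moduli.append(r)
            M *= r
            if M > bound:
                return crt(residues, moduli)
    return None


if __name__ == "__main__":
    print("recovered:", invalid_curve_attack(victim_oracle, P_MOD, A), "secret:", SECRET)
```

Against the hardened oracle the very first query is rejected, because a point on y² = x³ + ax + b' with b' ≠ b cannot satisfy the equation of the agreed curve; the same check is what the point-validation mitigation above amounts to.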

While the mathematical weaknesses have a very large impact when they occur, buggy or vulnerable implementations are much more common in practice. This is because developers are often confronted with choices they might not be qualified to decide, and since there exist many potential pitfalls, history and statistics show us that some problems will inevitably happen unless the standards explicitly describe how to deal with those choices, which is usually not the case with ECC. Thus instead of blaming the developers, it seems more constructive to try to improve the standards, which are often at fault.
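The nonce-reuse break mentioned in the list above needs no curve arithmetic at all, only arithmetic modulo the group order. The following is an added example (not from the thesis): two ECDSA signatures sharing the nonce k reveal k, and then the private key d, from the two s values alone. The modulus is the order n of secp256k1; the key, the nonce and the value r standing in for x(kG) mod n are constructed, since the recovery formulas never need to check r against the curve.

```python
import hashlib

# Added example, not from the thesis: private-key recovery from two ECDSA
# signatures that reuse the nonce k.  Only arithmetic modulo the group order
# is needed; n is the order of secp256k1 and r is a constructed stand-in for
# x(kG) mod n, which the recovery never has to verify against the curve.

N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def hash_to_int(message):
    """e = H(m) interpreted as an integer modulo n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def ecdsa_s(d, k, h, r):
    """The s component of an ECDSA signature: s = k^-1 (h + r d) mod n."""
    return pow(k, -1, N) * (h + r * d) % N


def recover_nonce(r, s1, s2, h1, h2):
    """Same r means same k, so s1 - s2 = k^-1 (h1 - h2) and
    k = (h1 - h2) / (s1 - s2) mod n."""
    if (s1 - s2) % N == 0:
        raise ValueError("identical s values: the two messages must differ")
    return (h1 - h2) * pow(s1 - s2, -1, N) % N


def recover_private_key(r, s, h, k):
    """From s = k^-1 (h + r d): d = (s k - h) r^-1 mod n."""
    return (s * k - h) * pow(r, -1, N) % N


def demo():
    # constructed key, nonce and r; all nonzero and below n
    d = 0x1F2E3D4C5B6A79880011223344556677889900AABBCCDDEEFF0123456789ABCD
    k = 0x0BADF00D0BADF00D0BADF00D0BADF00D0BADF00D0BADF00D0BADF00D0BADF00D
    r = 0x2A3B4C5D6E7F8091A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D5E6F70819
    h1, h2 = hash_to_int(b"message one"), hash_to_int(b"message two")
    s1, s2 = ecdsa_s(d, k, h1, r), ecdsa_s(d, k, h2, r)   # signer reuses k
    k_rec = recover_nonce(r, s1, s2, h1, h2)              # attacker's view
    d_rec = recover_private_key(r, s1, h1, k_rec)
    return d_rec == d, k_rec == k


if __name__ == "__main__":
    print("private key and nonce recovered:", demo())
```

The attacker only needs to notice two signatures with the same r under one public key; everything else is two modular inversions.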


The truth is that some of the widely used standards are often unnecessarily complicated, hard to implement correctly, do not explicitly protect against certain attacks (e.g., the invalid-curve attack on TLS-ECDH implementations [JSS]) and are suboptimal in terms of performance [BLa; Ber; BLb]. Bernstein suggested many improvements, notably the use of twisted Edwards curves (which also have a Montgomery form). He also designed Curve25519 [Ber06], specifically created to address many of the issues described above (for example, it has a very transparent generation, lifts the burden of responsible choices from the implementors and enables a very fast and constant-time scalar multiplication). Note that the curve is used under the name X25519 in Montgomery form for ECDH, while the birationally equivalent curve Ed25519 in twisted Edwards form is used for EdDSA, a digital signature scheme improving on ECDSA [Ber+12; Ber+15b]. These curves are rising in popularity [BLc; BLd] and have also inspired the creation of several curves of the same type, notably Curve448-Goldilocks [Ham15].

This does not mean, however, that these curves will automatically solve all problems. Certain libraries still only support the Weierstrass form, so when using these curves, they must perform certain transformations, thus opening themselves to potential problems again. Furthermore, even if the scalar multiplication algorithm runs in constant time, the underlying field arithmetic might not: this was exploited in a practical attack on Curve25519 [GVY17]. Recently, the security of ECDH key exchange implementations in the common protocols TLS, SSH and IPsec was analyzed in [VSSH18]. The authors estimated that a small proportion of hosts (<1% of HTTPS and SSH, and 4% of IKEv2) that support curves do not perform the required curve validity checks. In addition, new implementation-specific attacks appear quite regularly.

Fingerprinting of ECs: In cryptography, key fingerprinting is a technique that allows one to link a key to the source (library, hardware device, ...) that produced it, which can often be useful, for example when some details about the generation method or even new vulnerabilities of the source become known.


In the recent research of my colleagues [Sve+; Nem+17a], they generated and analyzed over 60 million private-public RSA key pairs from 38 sources (libraries, smartcards). Their analyses showed that implementations produce different distributions of private keys (primes p, q) and public moduli n = p·q. The fingerprint they found was sufficiently large to classify a probable source with high accuracy, based only on the values of the public keys.

In contrast, there are no publications focusing directly on the fingerprinting of ECC public keys, to the best of my knowledge. In [Bos+14], the authors did somewhat similar work. They generated their own keys using highly non-random scalars and tried to find a match with a database of real-world keys. In the case of matching public keys, they obtained the corresponding private keys. The authors performed a review of ECC as it was used in practice in 2013, looking for unique mistakes and vulnerabilities that arise in implementations. They studied four popular deployments: Bitcoin, SSH, TLS and Austrian e-ID cards. They found out that the implementations suffer from vulnerabilities similar to those of older cryptographic systems.

2.2 Post-quantum ECC

Isogeny-based cryptography is a fairly new kind of ECC that promises resistance to quantum computers. Instead of relying on the ECDLP, its security is based on (various incarnations of) the problem of finding an explicit isogeny between two fixed isogenous elliptic curves. The brief version of the historical developments that follows is taken from [Cas+18]. The first isogeny-based scheme, namely a non-interactive key exchange protocol, was proposed in 1997 by Couveignes [Cou06]. It was based on the idea that the set of F_q-isomorphism classes of ordinary elliptic curves over F_q with a fixed order and a fixed endomorphism ring O (interpreted as an order in an imaginary quadratic field) is acted on freely and transitively by the ideal class group cl(O) through the application of isogenies. Since the original Diffie-Hellman protocol [DH76] can be formulated in terms of an abelian group action and cl(O) is abelian, the protocol arises naturally as a special case of the more general formulation. The protocol was also independently rediscovered by Rostovtsev and Stolbunov [RS06] (and is sometimes referred to as the CRS protocol). However, as shown by Childs, Jao and Soukharev, breaking this scheme amounts to solving an instance of the abelian hidden shift problem, for which a quantum subexponential algorithm exists [CJS14]. An even bigger problem is that despite many clever speedups [DKS18; Kie17], the protocol is unacceptably slow in practice. Still, thanks to its conceptual simplicity, compactness and flexibility, the CRS protocol served as an important inspiration.

The attack [CJS14] indirectly depended on the commutativity of O, which led Jao and De Feo [JD11] to explore supersingular curves, whose full ring of endomorphisms is a maximal order in a quaternion algebra, hence not commutative. Their resulting (interactive) scheme SIDH (Supersingular Isogeny Diffie-Hellman) became very popular and its current state-of-the-art implementation SIKE [Aza+17] was submitted to the NIST post-quantum competition. It should be noted that the structure of SIDH is very different from that of CRS and it is not that easy to properly evaluate its security, partly because extra information is published during the protocol and it is not clear whether an attacker could use this to his advantage.

Castryck et al. [Cas+18] chose another approach: they took the CRS scheme, restricted themselves only to supersingular curves over a prime field F_p and, instead of taking the full ring of endomorphisms, they considered only its subring of F_p-rational endomorphisms, which can again be identified with an order O in an imaginary quadratic field with abelian ideal class group cl(O) acting through isogenies. While this does not address the concern of a quantum subexponential attack, it provides a very large speedup compared to CRS, making CSIDH practical and ready to be used as a drop-in replacement of (EC)DH.
To summarize [De 19a], SIKE is not known to be breakable in quantum subexponential time, has the smallest communication complexity among all NIST proposals at each security level and offers relatively small key sizes. The downsides are that it is the slowest among all benchmarked NIST proposals, it is not non-interactive and it relies on an ad hoc problem (with only a one-way reduction to the isogeny walk problem). On the other hand, CSIDH has smaller key sizes than all of the NIST candidates (even though it was not itself submitted to NIST), is non-interactive and relies purely on the isogeny walk problem, but is roughly ten times slower than SIKE and falls prey to quantum subexponential attacks. We thus have two very different practical isogeny-based schemes, each of which might be suited to different applications. In any case, both of them definitely need much more security analysis before a wide deployment could be discussed.

To conclude this section, let us present several open problems in this area, ordered from easier to harder [De 19b]:

∙ Give a convincing constant-time implementation of CSIDH.

∙ Find new isogeny-based primitives/protocols.

∙ Precisely assess the quantum security of CRS/CSIDH.

∙ Find an efficient post-quantum isogeny-based signature scheme.

∙ Exploit the extra information transmitted in SIDH/SIKE for cryptanalytic purposes.

∙ Sample supersingular curves without revealing endomorphism rings.

∙ Compute endomorphism rings of supersingular curves.

2.3 Integer factorization

Factorization of composite integers is an old and important problem and cryptographic schemes such as RSA are based on its intractability. RSA is one of the most frequently deployed public key cryptosystems, and a possible factorization of RSA moduli could have a serious impact on the security of real-world applications, as was demonstrated in past incidents such as finding weak RSA keys used for TLS [HDWH12; Beu+15], factoring Taiwanese national certificate RSA keys sharing prime factors [Ber+13] or factoring RSA keys from cryptographic smartcards, known as the ROCA attack [Nem+17b], with at least hundreds of millions of affected devices. The performance of already known factorization methods, together with the required security margin, determines the necessary security parameters (e.g., the length of the prime factors p, q of the RSA modulus n = p·q, conditions on the structure of the primes). Relevant standards (e.g., NIST FIPS 140-2 [Nat07], BSI TR-02102-1 [Bun18], keylength.com [Gir19]) then define the minimal required parameters. While the performance of the fastest general-purpose factorization algorithms such as the Number Field Sieve (NFS) influences the minimal secure length of the RSA moduli, the special purpose factorization methods define the vulnerable forms of primes that should be avoided. A short list of factorization algorithms follows:

1. General-purpose methods work for general integers n. Pollard's ρ [Pol75], the Quadratic Sieve [Pom85] and the asymptotically fastest NFS [Pol93] belong to this group.

2. Special purpose methods are very efficient when a factor p | n or n itself is of a special form:

(a) A certain number related to the prime factor p is smooth (has only small prime divisors): Pollard's p − 1 [Pol74], Williams's p + 1 [Wil82], Bach-Shallit [BS85] and Lenstra's Elliptic Curve Method (ECM) [Len87] assume smoothness of the integers p − 1, p + 1, Φ_k(p) (the k-th cyclotomic polynomial evaluated at p) and #E(F_p) (the order of an elliptic curve over F_p), respectively.

(b) Assumptions about p or n: there are fast methods for n of the form n = p^r q [BDH99] or n = p^r q^s [CFRZ16]. Cheng's 4p − 1 method [Che02a] is effective whenever the square-free part of 4p − 1 is small.

All of the mentioned methods look for a multiple kp of some prime divisor p | n. In the last step, the methods compute d = gcd(n, kp). If 1 < d < n, then a factor is found and the factorization can continue recursively. The methods are probabilistic, since the factorization fails when d = n (or d = 1). It is worth noting that both Lenstra's method and Cheng's 4p − 1 method rely heavily on the use of elliptic curves (albeit not in the classical sense, as they are defined over a ring that is not a field), thus establishing another connection between these topics.
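As an added example of this recipe (written for this page; it is not the 4p − 1 method of Chapter 4 nor code from the thesis), here is Pollard's p − 1 in Python, including both failure outcomes. The moduli are constructed from small primes so that the smooth and the non-smooth case are both visible: 2521 − 1 = 2³·3²·5·7 and 211 − 1 = 2·3·5·7 are 7-smooth, while 1019 − 1 = 2·509 is not.

```python
from math import gcd

# Added example, not from the thesis: Pollard's p - 1 as a concrete instance
# of the "multiple of p, then gcd" recipe.  The moduli below are constructed
# from small primes so that the smooth and non-smooth cases can both be shown.


def lcm_up_to(B):
    """k = lcm(1, 2, ..., B); every prime power <= B divides k."""
    k = 1
    for i in range(2, B + 1):
        k = k * i // gcd(k, i)
    return k


def pollard_p_minus_1(n, B, a=2):
    """Return a nontrivial factor of odd n, or None.

    If p | n and p - 1 divides k = lcm(1..B) (true whenever every prime power
    dividing p - 1 is <= B), then a^k = 1 (mod p) by Fermat's little theorem,
    so p | a^k - 1 and d = gcd(a^k - 1, n) is a multiple of p.  The failure
    cases are d = n (every prime factor of n has the property, so kp was a
    multiple of n) and d = 1 (none has it)."""
    if n % 2 == 0:
        return 2
    k = lcm_up_to(B)
    d = gcd(pow(a, k, n) - 1, n)
    return d if 1 < d < n else None


def p_minus_1_search(n, B_max, a=2):
    """Grow B gradually: a smaller B can split n where a larger one returns
    d = n because all prime factors of n became "smooth" at the same time."""
    for B in range(2, B_max + 1):
        d = pollard_p_minus_1(n, B, a)
        if d is not None:
            return d
    return None


# constructed moduli: 2521 - 1 = 2^3 3^2 5 7, 211 - 1 = 2 3 5 7, 1019 - 1 = 2 * 509
SMOOTH_TIMES_ROUGH = 2521 * 1019
SMOOTH_TIMES_SMOOTH = 2521 * 211

if __name__ == "__main__":
    print(pollard_p_minus_1(SMOOTH_TIMES_ROUGH, 10))   # 2521: only 2521 - 1 divides lcm(1..10)
    print(pollard_p_minus_1(SMOOTH_TIMES_SMOOTH, 10))  # None: both p - 1 and q - 1 divide it, d = n
    print(pollard_p_minus_1(SMOOTH_TIMES_ROUGH, 4))    # None: B too small, d = 1
```

ECM follows exactly the same skeleton with the group E(Z/nZ) in place of (Z/nZ)^×: the smoothness condition moves from p − 1 to #E(F_p), and the gcd is taken when a modular inversion inside the point addition fails.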

2.4 Primality testing

In many algorithms, one often needs to work with prime numbers. However, any naïve method for testing primality is prohibitively expensive when working with numbers of cryptographic sizes. Thus it is important to have an efficient primality test. Such tests can be divided into two categories: deterministic and probabilistic. The advantage of deterministic tests is that they always give the correct answer. The first unconditional polynomial-time deterministic primality test was the AKS test [AKS04], but even today it is very slow in practice and its significance remains only theoretical. On the other hand, probabilistic tests can usually only prove that a number is composite, but not the opposite. If a defined number of test iterations fails to detect compositeness, the number is declared a "probable prime". Under the right test settings, the probability that a probable prime is actually composite can be made sufficiently low so that it is not an issue in practice. A typical example of a probabilistic test is the Miller-Rabin test, described below. Another test from this category is the Lucas test [BW80], which exhibits similar characteristics to the Miller-Rabin test, but seems to be less popular in practice. However, a specific combination of the Miller-Rabin test and the Lucas test, called the Baillie-PSW test [Pom84], results in a strong test, which is only slightly slower than the Miller-Rabin test alone, but with strong evidence (though still an unproven hypothesis) that the Baillie-PSW test is, in fact, deterministic for all numbers with less than about 10000 digits. Such a test gives us a very good security guarantee for cryptographic uses. Unfortunately, its implementation is rarely seen in practice [AMPS18].

There is also the Atkin–Morain elliptic curve primality test (ECPP) [AM93], which uses much deeper theory than the other tests. It is unconditionally deterministic and also produces a certificate of primality, so that anyone can check it fast once the computation has been done, while the same cannot be said about the tests described above. Even though its worst-case running time is not known, heuristically it is polynomial and quite fast in practice (unlike AKS), so for larger numbers it is perhaps a better choice than Baillie-PSW. As of November 2017, the largest prime that has been proved with the ECPP method has 34,987 digits [Cal].


The idea of breaking a cryptographic protocol by fooling primality tests was first mentioned in [Ble05]. In [AMPS18], the primality tests in many open-source libraries were closely examined and many of them were fooled by carefully constructed pseudoprimes. The construction of such pseudoprimes with respect to the Miller-Rabin test was already described in [Arn95], and relies on the assumption that only a small number of fixed bases is used in the test.

The Miller-Rabin test. The Miller-Rabin test [Mil75], [Rab80] was one of the first practical primality tests and to this day remains very popular because of its simplicity and efficiency. In particular, we believe that if a low-resource device such as a smartcard uses a primality test, Miller-Rabin is the most probable choice (perhaps followed by the Lucas test, which does not seem to be that widespread, and the Baillie-PSW test, which is a combination of these two), as most other tests are too resource-heavy. However, the Miller-Rabin test cannot be used to prove that a number is prime; only compositeness can be proven. It relies on the fact that there exist no nontrivial square roots of unity modulo a prime. More precisely, let n be the odd number we want to test for primality and write n − 1 = 2^s d, where d is odd. If n is prime, Fermat's Little Theorem together with this fact implies that for any 1 ≤ a < n, we have either a^d ≡ 1 (mod n) or a^{2^i d} ≡ −1 (mod n) for some 0 ≤ i < s. By taking the contrapositive, if there is some 1 ≤ a < n such that none of these congruences hold, then n is composite (and a is called a witness of compositeness for n). However, if at least one of the congruences holds, then we say that n is a pseudoprime with respect to the base a (or that a is a non-witness of compositeness for n, or also a liar for n). The number of such bases is bounded by the following theorem [Mon80]:

Theorem 2.4.1 (Monier-Rabin bound). Let n ≠ 9 be odd and composite. Then

S(n) ≤ ϕ(n)/4,

where S(n) is the number of non-witnesses a, 1 ≤ a < n, and ϕ is the Euler totient function.


Since ϕ(n) < n, we get a practical upper bound of n/4 on the number of bases a that pass the test for a given composite n. Thus if we repeat the test t times for random a's, the probability of fooling the Miller-Rabin test will be at most (1/4)^t. The whole test with t repetitions is summarised as Algorithm 1.

Algorithm 1 Miller-Rabin primality test (random bases)

function Miller-Rabin(n, t)
    compute s ≥ 1 and odd d such that n − 1 = 2^s d
    for k = 1 to t do                                  [outer]
        a ←_R {1, ..., n − 1}
        if a^d ≢ 1 (mod n) then
            for i = 0 to s − 1 do                      [inner]
                if a^{2^i d} ≡ −1 (mod n) then
                    continue with the next iteration of the outer loop
            return composite
    return probably prime

However, the fact that the a’s were picked randomly is crucial for the guarantees above. If the bases are fixed and known in advance (as is the case in many cryptographic libraries, as shown in [AMPS18]), it is possible to construct a pseudoprime, i.e., a number which passes the test with respect to these bases.
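The two variants of the test are contrasted in the following added example (Python written for this page, not from the thesis or from [AMPS18]). With the fixed bases 2, 3, 5 and 7 the composite 3215031751 = 151·751·28351, the smallest strong pseudoprime to these four bases simultaneously, is reported as a probable prime; adding the base 11 or using random bases detects it. The liar count S(n) of Theorem 2.4.1 is also computed by exhaustion for a small composite and compared with the bound.

```python
import random

# Added example, not from the thesis: Miller-Rabin with fixed versus random
# bases.  3215031751 = 151 * 751 * 28351 is the smallest composite that is a
# strong pseudoprime to the bases 2, 3, 5 and 7 at once, so a library that
# hard-codes exactly these bases accepts it as prime.


def decompose(n):
    """Write n - 1 = 2^s * d with d odd."""
    s, d = 0, n - 1
    while d % 2 == 0:
        s, d = s + 1, d // 2
    return s, d


def passes_base(n, a, s, d):
    """True iff a is a non-witness (liar) for odd n, i.e. a^d = 1 or
    a^(2^i d) = -1 (mod n) for some 0 <= i < s."""
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


def miller_rabin(n, bases):
    """False means 'composite' (proven); True means 'probable prime' with
    respect to the given bases, a probabilistic statement only if the bases
    were chosen at random."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    s, d = decompose(n)
    return all(passes_base(n, a % n, s, d) for a in bases if a % n != 0)


def miller_rabin_random(n, t, seed=None):
    """Algorithm 1: t rounds with uniformly random bases in [2, n - 2]."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    rng = random.Random(seed) if seed is not None else random
    return miller_rabin(n, [rng.randrange(2, n - 1) for _ in range(t)])


def count_liars(n):
    """S(n) from the Monier-Rabin bound, by exhaustion (small odd n only)."""
    s, d = decompose(n)
    return sum(1 for a in range(1, n) if passes_base(n, a, s, d))


def euler_phi(n):
    result, m, q = n, n, 2
    while q * q <= m:
        if m % q == 0:
            result -= result // q
            while m % q == 0:
                m //= q
        q += 1
    if m > 1:
        result -= result // m
    return result


FIXED_BASES = [2, 3, 5, 7]
PSEUDOPRIME = 3215031751  # = 151 * 751 * 28351

if __name__ == "__main__":
    print("fixed bases 2,3,5,7:", miller_rabin(PSEUDOPRIME, FIXED_BASES))      # True: fooled
    print("fixed bases + 11:", miller_rabin(PSEUDOPRIME, FIXED_BASES + [11]))  # False
    print("20 random rounds:", miller_rabin_random(PSEUDOPRIME, 20))           # False
    print("S(2047) =", count_liars(2047), "<= phi(2047)/4 =", euler_phi(2047) // 4)
```

The fixed-base failure is exactly the situation [Arn95] exploits: once the bases are public, the adversary chooses n so that every one of them is a liar, and the (1/4)^t argument no longer applies because it assumes the bases are independent of n.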

3 Thesis aim

This section summarizes the overall goals and my research aims. The central question connecting my further research is: How to ensure that elliptic curve cryptography really provides the expected level of security?

3.1 Problem statement

The challenges we aim to address by the future work can be summarized as follows:

1. Standardized curves with unexplained parameters. Such curves require our trust, while not dismissing the possibility of some hidden weaknesses (or even backdoors). For example, this is the case for most of the NIST curves.

The analyses of the standardized curves themselves could have major worldwide implications if anything suspicious was found. If any strong indication of some weakness or even a backdoor would emerge, it might force the community to switch to other curves or possibly even drop classical ECC altogether in the long run.

2. Key fingerprinting. If ECC keys could be linked to the source that produced them, it would be easy to filter out those coming from vulnerable systems.

3. New ECC vulnerabilities. There may still be many undiscovered vulnerabilities, both from the theoretical and implementation point of view. Finding some would provide additional insight into a better design of the relevant systems.

4. Analysis of post-quantum ECC. The protocols SIKE and CSIDH are still very young and more public scrutiny would definitely help with a more accurate assessment of their security.

3.2 Research focus

Here we present more details in the areas that we want to work on. The first two are already prepared in quite some detail, as the work on them has already started.

Standardized curves with unexplained parameters: I will develop a test suite for unconventional characteristics of standardized ECs and try to reveal potential weaknesses (or even backdoors) based on any unexplained deviations and hidden patterns found. This is a very ambitious goal, yet even a small discovery could go a long way here. I will also repeat the test for ECs isogenous to the standard ones, as the DLP on a curve can be transferred to an isogenous one if the isogeny is computable. Even if we find nothing, the test suite together with the data gathered will be available to applied researchers as a good verification base. The plan is to closely analyze widely used curves, especially those with unexplained parameter generation or those where the process of the curve generation is not rigid and transparent, such as the NIST curves. A good starting point here will be the computation of conductor gaps in isogeny classes of standardized curves other than the NIST ones, following up on [JMV05]. After that, a test suite of new algebraic and statistical tests will be created, that will approximate the distributions of certain properties of randomly chosen curves and compare the results to the actual values of the standardized curves and those isogenous to them. This will provide a large dataset and any unexpected deviations in it might reveal hidden weaknesses.

Key fingerprinting – overview: My involvement in this project will be somewhat limited, as I will try to focus mostly on the theoretical parts. Our approach of searching for a fingerprint of EC keys partly builds on our previous work focused on randomness testing [SKS17] and the analyses of RSA keys [Nem+17b; Sve+]. Firstly, we will repeat our approach from [Nem+17b], but with EC (public or private) keys. We will compute and analyze various distributions in order to find biases from the expected random distribution. Secondly, we will analyze the randomness of EC public keys, or equivalently, we will look for patterns within sets of keys. Our approach will generalize the method from [Bos+14] that looks for private keys with very simple patterns. We will now examine keys according to more complex patterns. An important difference of our approach from the previous work [Bos+14] is that we will look for patterns within the differences of public keys rather than within the keys themselves. This would allow one to find more vulnerable keys computed using private keys of a complex yet similar bit-structure. We hypothesize that such an approach has a clear potential to find significantly more vulnerable keys, and thus to highlight traps to avoid in the future and lessons to learn from.

Basic key fingerprinting: The public key $Q = dG$ represents a point on an EC, computed as the generator point $G$ multiplied by the randomly generated private key – the scalar $d$. The search for the fingerprints of ECC public keys leads directly to an analysis of the patterns of private keys produced by PRNGs and/or to an analysis of patterns of corresponding public keys. The basic fingerprinting approach is primarily focused on collecting data (private and public keys) and basic analysis of keys. We will collect public keys from public databases and generate private and public keys using software libraries and available smartcards. We will perform a basic yet systematic analysis of keys (private and public) following the analysis of RSA keys [Nem+17b] and also standard randomness analyses of keys in order to find a bias of the keys from randomness. We will also briefly analyze the distribution of the most and the least significant bytes, remainders of keys modulo small primes, etc. – even though it is highly unlikely to find patterns in public keys since potential patterns from the private keys most likely get destroyed when transferred to the EC public keys.

Prospective key fingerprinting: Here we will perform more sophisticated analyses of public keys, with the aim to identify improperly generated public keys that were generated by the same source. For example, we will look for collisions of public keys $Q$ or points $Q + aG$ for a known scalar $a$ with a database of keys (collected or self-generated). Potential biases found by the previous approach will help us to identify scalars $a$. We shall build on our experience from analyses of “distinguishers” and randomness [SKS17; SRM17]. We follow [Bos+14], whose approach allows one to find private keys. The authors generated a set of points of the form $sG$ for specific values of $s$ of some pattern. They used $s$ of a small value $1 \le s \le 10^6$, $s$ of a small Hamming weight $\le 3$ and Debian OpenSSL vulnerable keys generated using a small set of IDs. In order to find the private keys, they looked for collisions of points encountered in the wild and the self-generated keys. There are many possibilities of how this approach can be improved. The simplest way is to use a larger set of self-generated keys. Another path is to use scalars of different patterns – $s$ consisting of blocks of ones and zeroes, non-initialized values, etc. Types of possible patterns are numerous, yet as an inspiration one can use the patterns found as distinguishers by empirical randomness tests, known patterns produced by (P)RNGs or patterns caused by shortcuts (like in [Nem+17b] for RSA keys) used to improve the efficiency of the generation process of EC keys.

New ECC vulnerabilities: I will try to find new types of theoretical attacks on real existing systems, focusing on atypical values of parameters and the corresponding security of the standardized ECs. The observations at [BLb] will serve as a good starting point here. We plan to investigate whether either very small or very large CM discriminants are problematic (that is, the discriminants of the imaginary quadratic fields $\mathbb{Q}(\sqrt{t^2 - 4q})$, where $t$ is the trace of Frobenius and the EC is defined over $\mathbb{F}_q$). Small CM discriminants might lead to speedups in Pollard’s $\rho$-method (some endomorphisms may accelerate scalar multiplication, [GLV01]). It is worth noting that the CM discriminant of the widely used curve secp256k1 is only $-1323$ [BLb]. Another avenue will be the analysis of real closed-source systems, where we will try to uncover which algorithms (e.g., for scalar multiplication) are used internally, which might point out possible weak spots.

Analysis of post-quantum ECC: Last but not least, I will focus on the security analysis of the SIDH/SIKE and CSIDH protocols. Besides trying to tackle some of the open problems mentioned in Section 2.2, such as possible exploitation of the extra information published in SIDH/SIKE, I plan to examine the security of both schemes according to various assumptions on the curves and their parameters used in the algorithms. The goal here is to identify somewhat weaker parameters that could lead to new attacks. The curves chosen by the authors could also be subjected to the testing suite described above in order to identify potential irregularities, even though we will need to handle them in a completely different way than the pre-quantum curves. Finally, broadening the attacker model and discovering potential implementation vulnerabilities might also be feasible.

3.3 Work plan

∙ Fall 2019. Focus on theoretical vulnerabilities, creation of the testing suite for standardized curves and comparison of the results to those for random curves, collecting the keys.

∙ Spring 2020. Key fingerprinting, analysis of practical implementations, improvements of the testing suite.

∙ Fall 2020. More focus on the analysis of post-quantum ECC systems as well as on any vulnerabilities discovered during the earlier stages.

∙ Spring 2021. Finishing the dissertation thesis.


4 Achieved results

This chapter summarizes the achieved results so far. Section 4.1 describes the $4p-1$ method, a factorization algorithm using elliptic curves, Section 4.2 discusses our work about fooling primality tests and Section 4.3 summarizes an earlier work from algebraic number theory. Finally, Section 4.4 lists my publications.

4.1 The 4p − 1 factorization method

The importance of factorization algorithms was already described in Section 2.3. This work focuses on Cheng’s $4p-1$ factorization method [Che02b], which we independently rediscovered. We analyze the method as a means of a potential backdoor for the RSA primes generated inside black-box devices like cryptographic smartcards, and we devise three detection methods for such a backdoor. We also audit 44 million RSA keypairs generated by 18 different types of cryptographic devices. Finally, we offer an improved, simplified and asymptotically deterministic version of the method, together with a deeper analysis of its performance, and we publish a Sage implementation (we are currently not aware of any other public implementation). The method can be applied to factor integers with a prime factor $p$ such that the square-free part of $4p-1$ is small. This property is (heuristically) independent of any conditions relied on in other factorization algorithms. For simplicity, we only focus on RSA integers $N$, i.e., the products of two large primes $p, q$. There are two main basic ideas upon which the method relies. The first is similar to the one in Lenstra’s method: even though elliptic curves are traditionally only defined over fields, we can also consider them over certain more general rings, such as $\mathbb{Z}_N$. This brings some challenges, but with the proper definition, we can think of such curves as the direct sum of their projections modulo $p$ and modulo $q$, i.e.,

$$E(\mathbb{Z}_N) \equiv E(\mathbb{F}_p) \oplus E(\mathbb{F}_q).$$
We can add (and multiply by scalars) points on such curves using the classical formulae, with the caveat that occasionally the result of the

operation might be undefined, since we need to compute an inversion that exists only modulo $q$ and not modulo $p$ (or vice versa). However, this is exactly what we are after: in this case, we obtain a multiple of $p$, and a computation of its greatest common divisor with $N$ reveals $p$ (unless the multiple was also a multiple of $N$, which is very unlikely). Unlike in Lenstra’s method though, we do not select the elliptic curve at random, hoping its order will be smooth. Instead, we use complex multiplication (the CM method) to construct an anomalous elliptic curve, i.e., a curve with exactly $p$ points over $\mathbb{F}_p$. If we have such a curve together with any affine point $P$ on it, the computation of the multiple $N \cdot P$ (realized by the $N$-th division polynomial) will trigger the “division by zero modulo $N$” as described above and reveal $p$. The construction of the right curve proves to be quite a challenge without the knowledge of $p$. Namely, the CM method requires us to find a root of the Hilbert class polynomial $H_{-D}$ modulo $p$, where $D$ is the square-free part of $4p-1$. When the polynomial is not linear, this can be managed by replacing $\mathbb{Z}_N$ by $\mathbb{Z}_N[X]/H_{-D}(X)$ and computing symbolically. We also do not have a deterministic method to efficiently find a point on the curve or compute the quadratic twist if needed, so we use probabilistic guessing instead. In fact, in contrast to Cheng, we show that it suffices to fix an arbitrary twist and that the point guessing works with higher probability than claimed in [Che02b] (depending on the class number $h(-D)$). Thus the expected number of iterations becomes 2 to 4 times lower than claimed, and the algorithm becomes asymptotically deterministic with respect to $h(-D)$. We also perform many experiments to demonstrate this (among other observations). Even so, the computation of the Hilbert polynomial itself is still a large bottleneck for the method. The current record is for $D \approx 2^{53}$ [Sut12]. Therefore the probability that a random RSA modulus will be vulnerable to the $4p-1$ method is negligible (and to make use of the vulnerability, we would still need to know $D$). This can also be interpreted in a way that if an RSA modulus is vulnerable, it was generated so on purpose (as finding appropriate $p$’s is very easy). This opens up the possibility to use the $4p-1$ method as a basis for a backdoor if we have control over the private key generation process. The advantages of the backdoor include the facts that it works for all key lengths, the public keys seem to show no signs of


an observable bias, the factorization difficulty can be adjusted, and the Hilbert polynomial computation can be parallelized. On the other hand, $D$ must not be leaked, cannot be reused and the keys have to be sufficiently long (> 1280 bits) if the private keys are available, in order for the backdoor to avoid discovery. For a better analysis, we come up with three different scenarios, depending on whether an inquirer has access to private keys or not, and if so, how long the keys are. Without the private keys, the backdoor seems impossible to find if the $D$’s are large enough. However, with access to the private keys, we can directly factor $4p-1$ and $4q-1$ to find $D$ if they are small enough, or else we can use batch GCD to find $D$ if it is shared between any two keys (no matter their length). To summarize, the complete backdoor detection (or its exclusion) is still an open question if the attacker uses a unique $D$ for each keypair (even though this approach might not be that easy to perform in practice). We examine 44.7M keys generated by 18 different black-box devices (15 cryptographic smartcards and 3 HSMs) and rule out the presence of the backdoor in them, at least for the 512-bit and 1024-bit keys.
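As an added, self-contained Python example (not the Sage implementation published with the paper), the method above restricted to its simplest case, $D = 3$, where the Hilbert class polynomial is just $X$ (j-invariant 0) and the curve is $y^2 = x^3 + b$ over $\mathbb{Z}_N$. It simplifies the twist handling: instead of fixing a twist and guessing points, it draws a random affine point and lets $b$ follow from it, which lands on the anomalous twist modulo $p$ with probability 1/6, so about six scalar multiplications are expected. The toy modulus is constructed on purpose with a prime of the vulnerable form, and the last function is the detection check for the scenario where private keys are available (factor $4p-1$ and read off its square-free part); all function names are my own.

```python
import random
from math import gcd, isqrt

def is_prime_trial(n):
    """Deterministic trial division; enough for the ~28-bit toy primes used below."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    return all(n % f for f in range(3, isqrt(n) + 1, 2))

def vulnerable_prime(bits, rng):
    """Prime p with 4p - 1 = 3 s^2, i.e. square-free part D = 3 (CM discriminant -3)."""
    half = bits // 2
    while True:
        s = rng.getrandbits(half) | (1 << (half - 1)) | 1   # s odd, so 4 divides 3s^2 + 1
        p = (3 * s * s + 1) // 4
        if is_prime_trial(p):
            return p, s

def random_prime(bits, rng):
    """Ordinary random prime for the second RSA factor."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime_trial(q):
            return q

class FactorFound(Exception):
    """Raised when a modular inverse does not exist: gcd(x, N) divides N."""
    def __init__(self, factor):
        super().__init__(factor)
        self.factor = factor

def inv_mod_or_factor(x, N):
    g = gcd(x % N, N)
    if g != 1:
        raise FactorFound(g)
    return pow(x, -1, N)

def ec_add(P, Q, N):
    """Affine addition on y^2 = x^3 + b over Z_N (None = point at infinity).
    The constant b never appears in the formulas, so it is not passed around."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if (x1 - x2) % N == 0:
        if (y1 - y2) % N == 0:                       # P == Q: tangent slope 3x^2 / 2y
            lam = 3 * x1 * x1 * inv_mod_or_factor(2 * y1, N) % N
        elif (y1 + y2) % N == 0:                     # P == -Q modulo all of N
            return None
        else:                                        # P == Q modulo one prime only
            raise FactorFound(gcd(y1 - y2, N))
    else:                                            # chord; inverse fails mod p once x1 == x2 (mod p)
        lam = (y2 - y1) * inv_mod_or_factor(x2 - x1, N) % N
    x3 = (lam * lam - x1 - x2) % N
    return x3, (lam * (x1 - x3) - y1) % N

def ec_mul(k, P, N):
    """Left-to-right double-and-add."""
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(R, R, N)
        if bit == "1":
            R = ec_add(R, P, N)
    return R

def factor_4p1_d3(N, rng, max_tries=600):
    """4p - 1 method for D = 3 (j = 0, so H_{-3}(X) = X and no class polynomial is needed).
    A random affine point P = (x, y) fixes the curve y^2 = x^3 + b with b = y^2 - x^3; modulo p
    this is the anomalous sextic twist (#E(F_p) = p) with probability 1/6, and then N*P = O
    modulo p, so the last addition needs an inverse that exists modulo q but not modulo p."""
    for _ in range(max_tries):
        P = (rng.randrange(1, N), rng.randrange(1, N))
        try:
            ec_mul(N, P, N)
        except FactorFound as e:
            if 1 < e.factor < N:
                return e.factor, N // e.factor
    return None

def squarefree_part(m, bound=100_000):
    """Detection check for the scenario with private keys available: square-free part of
    4p - 1 by trial division, or None if the unfactored cofactor is too large to decide."""
    D, f = 1, 2
    while f <= bound and f * f <= m:
        if m % f == 0:
            e = 0
            while m % f == 0:
                m, e = m // f, e + 1
            if e % 2:
                D *= f
        f += 1
    if m == 1:
        return D
    return D * m if f * f > m else None          # leftover cofactor is prime iff f^2 > m

def demo(seed=3):
    """Constructed toy modulus whose first factor is deliberately of the vulnerable form."""
    rng = random.Random(seed)
    p, s = vulnerable_prime(28, rng)
    q = random_prime(28, rng)
    return p, q, s, factor_4p1_d3(p * q, rng), squarefree_part(4 * p - 1)
```

The point construction is the reason no class polynomial or point-finding step is needed here: choosing $(x, y)$ first and setting $b = y^2 - x^3$ puts the point on the curve by definition, and the six sextic twists of $y^2 = x^3 + b$ modulo $p$ are hit uniformly, only one of which has trace 1 and hence order $p$. For general $D$ the roots of $H_{-D}$ modulo $p$ have to be found symbolically as described above, which this toy does not attempt.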

4.2 Fooling primality tests on smartcards

The issue of primality testing and especially the potential problems of the Miller-Rabin test have already been described in Section 2.4. In this work, we decided to verify whether the primality tests on smartcards could really be fooled in practice. Namely, we analyze whether the smartcards with the JavaCard platform correctly implement an input validation for domain parameters supposed to be a prime. The work is inspired by the recent work [AMPS18], where the authors analyzed many open-source libraries and constructed pseudoprimes fooling the primality testing functions. But in the case of smartcards, the implementation is often closed-source and additionally without a direct way to invoke the primality testing functionality. Instead, we indirectly trigger the primality testing by encoding the tested number into domain parameters of (EC)DSA and (EC)DH cryptosystems, where selected parameters are required to be a prime. The acceptance of composites in place of primes in domain parameters could severely weaken the security of cryptosystems like (EC)DSA or (EC)DH, resulting in vulnerability to Pohlig-Hellman [PH78] style attacks, assuming adversarially chosen parameters.

The construction of pseudoprimes with additional restricting conditions is a novel problem as the candidate pseudoprime must not only pass and fool the primality test, but also be a valid domain parameter not to be rejected by the smartcard for other reasons. We offer a set of efficient methods for such a problem in four main scenarios - two in ECDSA/ECDH and two in DH/DSA (in all cases, only one of the expected primes is replaced by a pseudoprime, while the other parameters are generated in a way to still get accepted by the smartcard). We also present several types of Pohlig-Hellman style attacks that can be used against such parameters.

Out of the nine smartcards produced by five major manufacturers we tested, all but one failed to properly verify the primality of certain parameters in (EC)DSA and (EC)DH. As the JavaCard platform provides no public primality testing API, the vulnerability cannot be fixed by an additional check before the parameters are passed to the existing (EC)DSA and (EC)DH functions, making it difficult to mitigate it on already deployed smartcards.

As for the attacker model, we adopt the setting from [AMPS18] in which the domain parameters supplied to the device for use in (EC)DH or (EC)DSA are under control of the attacker. This might be a realistic scenario both because of the specifics of the JavaCard environment (notably the missing parameter validation) as well as the existing cryptographic protocols. There are multiple protocols which allow for the transmission of domain parameters and thus force a party to either authenticate or validate them. An example of this is TLS, which, up to version 1.2, allowed explicit (EC)DH parameters to be sent from the server to the client, although authenticated by the server public key. Notably, the certificate format specified in the X.509 standard allows public keys to hold full domain parameters for (EC)DH or (EC)DSA. If this format were used in a JavaCard applet, for example for interoperability reasons, it might lead to untrusted parameters being used. As another example, the ICAO document 9303 [Org15] specifying the security requirements for machine-readable travel documents (MRTDs) allows for the transmission of the (EC)DH domain parameters, in the Chip Authentication and PACE protocols. However, the specification notes that insecure domain parameters will cause leaks of secret data and that parameters should not be used unless explicitly known to be secure (without further elaboration). As the transmission of parameters is done from the smartcard to the reader, it poses validation issues for the reader, not the smartcard. Even in the absence of the direct use of untrusted parameters, the adversarial setting makes sense when accounting for the physical nature of smartcards and thus for fault attacks. A fault attack could be mounted to manipulate any trusted parameters [BMM00]. This work will be submitted to the Conference on Cryptographic Hardware and Embedded Systems (CHES) 2020.
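An added Python example, not code from the thesis or from [AMPS18], serving both Algorithm 1 of Section 2.4 and this section: Miller-Rabin with caller-supplied or random bases, a brute-force count of strong liars to check against the Monier-Rabin bound, and a host-side domain-parameter validator of the kind a reader or applet should run before accepting (p, q, g). The constant 3215031751 is the well-known smallest strong pseudoprime to the bases 2, 3, 5 and 7 (a textbook value, not from the thesis); the parameter set built around it is a constructed negative test vector with p = 2kq + 1 prime and g of order q, and all function names are my own.

```python
import random

# The smallest composite that is a strong pseudoprime to the bases 2, 3, 5 and 7
# (3215031751 = 151 * 751 * 28351); a textbook value, not taken from the thesis.
SPSP_2_3_5_7 = 3215031751

def decompose(n):
    """Write n - 1 = 2^s * d with d odd."""
    s, d = 0, n - 1
    while d % 2 == 0:
        s, d = s + 1, d // 2
    return s, d

def is_strong_liar(n, a):
    """One Miller-Rabin round for odd n > 2 with base a: True if the round does not
    prove n composite, i.e. a is a non-witness (liar) when n is actually composite."""
    s, d = decompose(n)
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(s - 1):            # i = 1 .. s-1: look for a^(2^i d) == -1 (mod n)
        x = x * x % n
        if x == n - 1:
            return True
    return False

def miller_rabin(n, bases):
    """Algorithm 1 with caller-supplied (fixed) bases; True means 'probably prime'."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return all(is_strong_liar(n, a) for a in bases)

def miller_rabin_random(n, t, rng):
    """Algorithm 1 proper: t rounds with bases drawn uniformly from [2, n - 2]."""
    if n < 5:
        return n in (2, 3)
    return miller_rabin(n, [rng.randrange(2, n - 1) for _ in range(t)])

def count_strong_liars(n):
    """S(n) by brute force (small composite n only), to compare with the Monier-Rabin bound."""
    return sum(1 for a in range(1, n) if is_strong_liar(n, a))

def euler_phi(n):
    """Euler's totient by trial division (small n only)."""
    result, m, f = n, n, 2
    while f * f <= m:
        if m % f == 0:
            while m % f == 0:
                m //= f
            result -= result // f
        f += 1
    return result - result // m if m > 1 else result

def validate_dsa_style_params(p, q, g, primality_test):
    """Host-side check of DSA/DH-like domain parameters (p, q, g): p and q must pass the
    supplied primality test, q must divide p - 1 and g must have order q modulo p."""
    if not (primality_test(p) and primality_test(q)):
        return False
    if (p - 1) % q != 0 or not 1 < g < p:
        return False
    return pow(g, q, p) == 1

def composite_q_params(q, rng, rounds=32):
    """Constructed negative test vector: the subgroup order q is composite, p = 2kq + 1 is a
    genuine prime and g = h^((p-1)/q) mod p, so every structural check passes and only the
    primality test on q can reject the set."""
    k = 1
    while not miller_rabin_random(2 * k * q + 1, rounds, rng):
        k += 1
    p = 2 * k * q + 1
    h = 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    return p, q, pow(h, (p - 1) // q, p)

def demo(seed=7):
    rng = random.Random(seed)
    n = SPSP_2_3_5_7
    p, q, g = composite_q_params(n, rng)
    fixed = lambda x: miller_rabin(x, [2, 3, 5, 7])
    randomised = lambda x: miller_rabin_random(x, 20, rng)
    return {
        "n_passes_fixed_bases": miller_rabin(n, [2, 3, 5, 7]),                      # True
        "n_passes_random_bases": miller_rabin_random(n, 20, rng),                    # False
        "params_pass_fixed_bases": validate_dsa_style_params(p, q, g, fixed),        # True
        "params_pass_random_bases": validate_dsa_style_params(p, q, g, randomised),  # False
    }
```

With the fixed bases 2, 3, 5, 7 the validator accepts the constructed set, because the composite q passes all four rounds and the subgroup relations hold by construction; with 20 random bases it rejects it, which is the point of Algorithm 1 drawing a fresh a each round. For n = 221 = 13 · 17 the brute-force count gives 6 strong liars (1, 220 and the four residues with a² ≡ −1 modulo both 13 and 17), well under the bound ϕ(221)/4 = 48.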

4.3 Bases of circular units

Circular units appear in many situations in algebraic number theory because in some sense, for a given abelian field, they form a good approximation of the full group of units, which is usually very hard to describe explicitly. The index of the group of circular units in the full group of units is closely related to the class number of the maximal real subfield of the respective field. In contrast to the full group of units, the Sinnott group of circular units is given by explicit generators. Nevertheless, a $\mathbb{Z}$-basis of this group was described only in a few very special cases, for example, when the abelian field is cyclotomic, has at most two ramified primes, or has three ramified primes and satisfies some other conditions [Doh97], [KS16]. This work is concerned with the groups of circular numbers and circular units in Sinnott’s sense in real abelian fields with exactly four ramified primes under certain conditions. In five special infinite families of cases, we construct $\mathbb{Z}$-bases for them. We also derive some results about the corresponding module of relations (in one family of cases, we show that the module of Ennola relations is cyclic). The paper is based upon my master thesis [Sed17a], which builds upon the results of the paper [KS16].

4.4 Publications

∙ [Sed+19]: Vladimir Sedlacek, Dusan Klinec, Marek Sys, Petr Svenda, and Vashek Matyas. “I Want to Break Square-free: The 4p − 1 Factorization Method and Its RSA Backdoor Viability”. In: Proceedings of the 16th International Joint Conference on e-Business and Telecommunications (ICETE 2019) - Volume 2: SECRYPT, INSTICC. SciTePress, 2019, pp. 25–36. isbn: 978-989-758-378-0. doi: 10.5220/0007786600250036. The work describes a very effective factorization method for RSA moduli assuming the private keys are of a special form. I was responsible for the theoretical analysis and improvements as well as the design of the models and experiments. Contribution: 43%, 5 authors.

∙ [Sed17b]: Vladimir Sedlacek. “Circular units of real abelian fields with four ramified primes”. In: Archivum Mathematicum 53.4 (2017), pp. 221–252. The work shows how to construct a basis of the group of circular units (which is an important object in algebraic number theory) in certain special cases. Contribution: 100%, 1 author.

Bibliography

[AKS04] Manindra Agrawal, Neeraj Kayal, and Nitin Saxena. “PRIMES is in P”. In: Annals of Mathematics 160 (2004), pp. 781–793.
[Ala+19] Gorjan Alagic, Jacob Alperin-Sheriff, Daniel Apon, et al. Status Report on the First Round of the NIST Post-Quantum Cryptography Standardization Process. Tech. rep. National Institute of Standards and Technology, 2019.
[AM93] A Oliver L Atkin and François Morain. “Elliptic curves and primality proving”. In: Mathematics of Computation 61.203 (1993), pp. 29–68.
[AMPS18] Martin R Albrecht, Jake Massimo, Kenneth G Paterson, and Juraj Somorovsky. “Prime and Prejudice: Primality Testing Under Adversarial Conditions”. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York, NY, USA: ACM, 2018, pp. 281–298.
[Arn95] François Arnault. “Rabin-Miller primality test: composite numbers which pass it”. In: Mathematics of Computation 64.209 (1995), pp. 355–361.
[Aza+17] Reza Azarderakhsh, Matthew Campagna, Craig Costello, LD Feo, et al. “Supersingular isogeny key encapsulation”. In: Submission to the NIST Post-Quantum Standardization project (2017).
[BDH99] Dan Boneh, Glenn Durfee, and Nick Howgrave-Graham. “Factoring N = p^r q for Large r”. In: Proceedings of the CRYPTO ’99. Springer-Verlag, 1999, pp. 326–337.
[Ber] Daniel J Bernstein. The cr.yp.to blog: How to design an elliptic-curve signature system. http://blog.cr.yp.to/20140323-ecdsa.html. Accessed: 2019-08-13.
[Ber+12] Daniel J Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Y﻿ang. “High-speed high-security signatures”. In: Journal of Cryptographic Engineering 2.2 (2012), pp. 77–89.
[Ber+13] Daniel J Bernstein, Yun-An Chang, Chen-Mou Cheng, Li-Ping Chou, et al. “Factoring RSA keys from certified smart cards: Coppersmith in the wild”. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer. 2013, pp. 341–360.
[Ber+15a] Daniel J Bernstein, Tung Chou, Chitchanok Chuengsatiansup, Andreas Hülsing, et al. “How to Manipulate Curve Standards: A White Paper for the Black Hat http://bada55.cr.yp.to”. In: International Conference on Research in Security Standardisation. Springer. 2015, pp. 109–139.
[Ber+15b] Daniel J Bernstein, Josefsson, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. “EdDSA for more curves”. In: Cryptology ePrint Archive 2015 (2015).
[Ber06] Daniel J Bernstein. “Curve25519: new Diffie-Hellman speed records”. In: International Workshop on Public Key Cryptography. Springer. 2006, pp. 207–228.
[Beu+15] Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, et al. “A messy state of the union: Taming the composite state machines of TLS”. In: 2015 IEEE Symposium on Security and Privacy. IEEE. 2015, pp. 535–552.
[BLa] Daniel J Bernstein and Tanja Lange. Failures in NIST’s ECC standards. https://cr.yp.to/newelliptic/nistecc-20160106.pdf. Accessed: 2019-07-05.
[BLb] Daniel J Bernstein and Tanja Lange. SafeCurves: choosing safe curves for elliptic-curve cryptography. https://safecurves.cr.yp.to/. Accessed: 2019-08-13.
[BLc] Daniel J Bernstein and Tanja Lange. Things that use Curve25519. https://ianix.com/pub/curve25519-deployment.html. Accessed: 2019-08-13.
[BLd] Daniel J Bernstein and Tanja Lange. Things that use Ed25519. https://ianix.com/pub/ed25519-deployment.html. Accessed: 2019-08-13.
[Ble05] Daniel Bleichenbacher. “Breaking a cryptographic protocol with pseudoprimes”. In: International Workshop on Public Key Cryptography. Berlin, Heidelberg: Springer, 2005, pp. 9–15.
[BLN15] Daniel J Bernstein, Tanja Lange, and Ruben Niederhagen. Dual EC: A Standardized Back Door. Cryptology ePrint Archive, Report 2015/767. https://eprint.iacr.org/2015/767, Accessed: 2019-07-05. 2015.
[BMM] Ingrid Biehl, Bernd Meyer, and Volker Müller. “Differential fault attacks on elliptic curve cryptosystems”. In: CRYPTO 2000. Springer, pp. 131–146.
[BMM00] Ingrid Biehl, Bernd Meyer, and Volker Müller. “Differential Fault Attacks on Elliptic Curve Cryptosystems”. In: Proceedings of the 20th Annual International Cryptology Conference. CRYPTO ’00. Berlin, Heidelberg: Springer, Aug. 2000, pp. 131–146.
[Bos+14] Joppe W Bos, J Alex Halderman, Nadia Heninger, Jonathan Moore, Michael Naehrig, and Eric Wustrow. “Elliptic curve cryptography in practice”. In: Financial Cryptography and Data Security - 18th International Conference, FC 2014, Revised Selected Papers. Vol. 8437. LNCS. Springer, 2014, pp. 157–175. doi: 10.1007/978-3-662-45472-5_11.

[BS85] Eric Bach and Jeffrey Shallit. “Factoring with Cyclotomic Polynomials”. In: Mathematics of Computation. Vol. 52. IEEE, Nov. 1985, pp. 443–450.
[Bun18] Bundesamt für Sicherheit in der Informationstechnik. Cryptographic Mechanisms: Recommendations and Key Lengths. Technical Guideline: TR-02102-1. BSI, 2018. url: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile&v=7.
[BW80] Robert Baillie and Samuel S Wagstaff. “Lucas pseudoprimes”. In: Mathematics of Computation 35.152 (1980), pp. 1391–1417.
[Cal] Chris Caldwell. The Top Twenty: Elliptic Curve Primality Proof. url: https://primes.utm.edu/top20/page.php?id=27 (visited on 08/12/2019).
[Cas+18] Wouter Castryck, Tanja Lange, Chloe Martindale, Lorenz Panny, and Joost Renes. “CSIDH: an efficient post-quantum commutative group action”. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer. 2018, pp. 395–427.
[CFRZ16] Jean-Sébastien Coron, Jean-Charles Faugère, Guénaël Renault, and Rina Zeitoun. “Factoring N = p^r q^s for large r and s”. In: Proceedings of the RSA Conference on Topics in Cryptology - CT-RSA 2016 - Volume 9610. New York, NY, USA: Springer-Verlag, 2016, pp. 448–464.
[Che02a] Qi Cheng. “A New Class of Unsafe Primes.” In: IACR Cryptology ePrint Archive 2002 (2002), p. 109.
[Che02b] Qi Cheng. A New Special-Purpose Factorization Algorithm. Citeseer. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.8.9071&rep=rep1&type=pdf [Accessed 6.2.2019]. 2002.
[CJS14] Andrew Childs, David Jao, and Vladimir Soukharev. “Constructing elliptic curve isogenies in quantum subexponential time”. In: Journal of Mathematical Cryptology 8.1 (2014), pp. 1–29.
[Cou06] Jean Marc Couveignes. “Hard Homogeneous Spaces.” In: IACR Cryptology ePrint Archive 2006 (2006), p. 291.
[De 19a] Luca De Feo. Cryptography meets Graph Theory summer school: Isogeny graphs in cryptography. https://defeo.lu/docet/assets/slides/2019-07-29-wurzburg.pdf. Accessed: 2019-08-14. 2019.
[De 19b] Luca De Feo. Mathematics of PKC winter school: Isogeny graphs in cryptography. https://defeo.lu/docet/assets/slides/2019-03-18-mathsofpkc.pdf. Accessed: 2019-08-14. 2019.
[DH76] Whitfield Diffie and Martin Hellman. “New directions in cryptography”. In: IEEE Transactions on Information Theory 22.6 (1976), pp. 644–654.

[DKS18] Luca De Feo, Jean Kieffer, and Benjamin Smith. “Towards practical key exchange from ordinary isogeny graphs”. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer. 2018, pp. 365–394.
[Doh97] Kazuhiro Dohmae. “A note on Sinnott’s index formula”. In: Acta Arithmetica 82 (1997), pp. 57–67.
[FLRV] Pierre-Alain Fouque, Reynald Lercier, Denis Réal, and Frédéric Valette. “Fault attack on elliptic curve Montgomery ladder implementation”. In: Fault Diagnosis and Tolerance in Cryptography, 2008. IEEE, pp. 92–98.
[FR94] Gerhard Frey and Hans-Georg Rück. “A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves”. In: Mathematics of Computation 62.206 (1994), pp. 865–874.
[Gir19] Damien Giry. Cryptography Key Length Recommendations. http://www.keylength.com. 2019.
[GLV01] Robert P Gallant, Robert J Lambert, and Scott A Vanstone. “Faster point multiplication on elliptic curves with efficient endomorphisms”. In: Annual International Cryptology Conference. Springer. 2001, pp. 190–200.
[GVY17] Daniel Genkin, Luke Valenta, and Yuval Yarom. “May the fourth be with you: A microarchitectural side channel attack on several real-world applications of curve25519”. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM. 2017, pp. 845–858.
[Ham15] Mike Hamburg. “Ed448-Goldilocks, a new elliptic curve.” In: IACR Cryptology ePrint Archive 2015 (2015), p. 625.
[HDWH12] Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J Alex Halderman. “Mining your Ps and Qs: Detection of widespread weak keys in network devices”. In: The 21st USENIX Security Symposium 2012. 2012, pp. 205–220.
[JD11] David Jao and Luca De Feo. “Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies”. In: International Workshop on Post-. Springer. 2011, pp. 19–34.
[JMV05] David Jao, Stephen D Miller, and Ramarathnam Venkatesan. “Do all elliptic curves of the same order have the same difficulty of discrete log?” In: International Conference on the Theory and Application of Cryptology and Information Security. Springer. 2005, pp. 21–40.
[JSS] Tibor Jager, Jörg Schwenk, and Juraj Somorovsky. “Practical invalid curve attacks on TLS-ECDH”. In: European Symposium on Research in Computer Security 2015. Springer, pp. 407–425.

[Kie17] Jean Kieffer. “Étude et accélération du protocole d’échange de clés de Couveignes–Rostovtsev–Stolbunov”. PhD thesis. Master’s thesis, Inria Saclay & Université Paris VI, 2017.
[KKM11] Ann Hibner Koblitz, Neal Koblitz, and Alfred Menezes. “Elliptic curve cryptography: The serpentine course of a paradigm shift”. In: Journal of Number Theory 131.5 (2011), pp. 781–814.
[KMV00] Neal Koblitz, Alfred Menezes, and Scott Vanstone. “The State of Elliptic Curve Cryptography”. In: Towards a Quarter-Century of Public Key Cryptography: A Special Issue of DESIGNS, CODES AND CRYPTOGRAPHY An International Journal. Volume 19, No. 2/3 (2000). Ed. by Neal Koblitz. Springer, 2000, pp. 103–123.
[KS16] Radan Kučera and Azar Salami. “Circular units of an abelian field ramified at three primes”. In: Journal of Number Theory 163 (2016), pp. 296–315.
[Len87] Hendrik W Lenstra. “Factoring Integers with Elliptic Curves”. In: Annals of Mathematics. Vol. 126. Princeton University, 1987, pp. 649–673. url: http://www.jstor.org/stable/1971363.
[LL] Chae Hoon Lim and Pil Joong Lee. “A key recovery attack on discrete log-based schemes using a prime order subgroup”. In: CRYPTO 1997. Springer, pp. 249–263.
[Mil75] Gary L Miller. “Riemann’s Hypothesis and Tests for Primality”. In: Proceedings of the Seventh Annual ACM Symposium on Theory of Computing. STOC ’75. Albuquerque, New Mexico, USA: ACM, 1975, pp. 234–239.
[Mon80] Louis Monier. “Evaluation and comparison of two efficient probabilistic primality testing algorithms”. In: Theoretical Computer Science 12.1 (1980), pp. 97–108.
[MOV93] Alfred J Menezes, Tatsuaki Okamoto, and Scott A Vanstone. “Reducing elliptic curve logarithms to logarithms in a finite field”. In: IEEE Transactions on Information Theory 39.5 (1993), pp. 1639–1646.
[Nat07] National Institute of Standards and Technology. Security Requirements for Cryptographic Modules. FIPS 140-2. NIST, 2007.
[Nem+17a] Matus Nemec, Dusan Klinec, Petr Svenda, Peter Sekan, and Vashek Matyas. “Measuring Popularity of Cryptographic Libraries in Internet-Wide Scans”. In: Proceedings of the 33rd Annual Computer Security Applications Conference. New York, NY, USA: ACM, 2017, pp. 162–175.
[Nem+17b] Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec, and Vashek Matyas. “The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli”. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. CCS ’17. Dallas, Texas, USA: ACM, 2017, pp. 1631–1648.


[Org15] International Civil Aviation Organization. Doc 9303 - Machine Readable Travel Documents. Document. 2015.
[PH78] Stephen Pohlig and Martin Hellman. “An Improved Algorithm for Computing Logarithms over GF(p) and Its Cryptographic Significance”. In: IEEE Transactions on Information Theory 24.1 (Jan. 1978), pp. 106–110.
[Pol74] John M. Pollard. “Theorems on factorization and primality testing”. In: Mathematical Proceedings of the Cambridge Philosophical Society 76.3 (1974), pp. 521–528.
[Pol75] John M. Pollard. “A Monte Carlo method for factorization”. In: BIT Numerical Mathematics. Vol. 15. Springer-Verlag, Sept. 1975, pp. 331–334.
[Pol78] John M. Pollard. “Monte Carlo methods for index computation (mod p)”. In: Mathematics of Computation 32.143 (1978), pp. 918–924.
[Pol93] John M. Pollard. “Factoring with cubic integers”. In: The development of the number field sieve. Springer-Verlag, 1993, pp. 4–10.
[Pom84] Carl Pomerance. Are there counter-examples to the Baillie-PSW primality test? Private communication to Arjen K. Lenstra. 1984.
[Pom85] Carl Pomerance. “The Quadratic Sieve Factoring Algorithm”. In: Advances in Cryptology: EUROCRYPT ’84. Proceedings. Springer-Verlag, 1985, pp. 169–182.
[Rab80] Michael O. Rabin. “Probabilistic algorithm for testing primality”. In: Journal of Number Theory 12 (1 1980), pp. 128–138.
[RNSL17] Martin Roetteler, Michael Naehrig, Krysta M. Svore, and Kristin Lauter. “Quantum resource estimates for computing elliptic curve discrete logarithms”. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer. 2017, pp. 241–270.
[RS06] Alexander Rostovtsev and Anton Stolbunov. “Public-Key Cryptosystem Based on Isogenies.” In: IACR Cryptology ePrint Archive 2006 (2006), p. 145.
[S+98] Takakazu Satoh, Kiyomichi Araki, et al. “Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves”. In: Rikkyo Daigaku sugaku zasshi 47.1 (1998), pp. 81–92.
[Sch15] Markus Schmid. ECDSA-application and implementation failures. 2015.


[Sed+19] Vladimir Sedlacek, Dusan Klinec, Marek Sys, Petr Svenda, and Vashek Matyas. “I Want to Break Square-free: The 4p − 1 Factorization Method and Its RSA Backdoor Viability”. In: Proceedings of the 16th International Joint Conference on e-Business and Telecommunications (ICETE 2019) - Volume 2: SECRYPT, INSTICC. SciTePress, 2019, pp. 25–36. isbn: 978-989-758-378-0. doi: 10.5220/0007786600250036.
[Sed17a] Vladimir Sedlacek. “Circular units of abelian fields”. Master’s thesis. Masaryk University, Faculty of Science, Brno, 2017.
[Sed17b] Vladimir Sedlacek. “Circular units of real abelian fields with four ramified primes”. In: Archivum Mathematicum 53.4 (2017), pp. 221–252.
[Sem96] Igor Semaev. “On computing logarithms on elliptic curves”. In: Discrete Mathematics and Applications 6.1 (1996), pp. 69–76.
[Sem98] Igor Semaev. “Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p”. In: Mathematics of Computation 67.221 (1998), pp. 353–356.
[SKS17] Marek Sys, Dusan Klinec, and Petr Svenda. “The Efficient Randomness Testing using Boolean Functions”. In: Proceedings of the 14th International Joint Conference on e-Business and Telecommunications (ICETE 2017) - Volume 4: SECRYPT, Madrid, Spain, July 24-26, 2017. Madrid, Spain: SCITEPRESS, 2017, pp. 92–103.
[Sma99] Nigel P. Smart. “The discrete logarithm problem on elliptic curves of trace one”. In: Journal of Cryptology 12.3 (1999), pp. 193–196.
[SRM17] Marek Sys, Zdenek Riha, and Vashek Matyas. “Algorithm 970: optimizing the NIST statistical test suite and the Berlekamp-Massey algorithm”. In: ACM Transactions on Mathematical Software (TOMS) 43.3 (2017), p. 27.
[ST16] National Institute of Standards and Technology. Post-quantum cryptography standardization. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Post-Quantum-Cryptography-Standardization. 2016.
[Sut12] Andrew V. Sutherland. Accelerating the CM method. 2012. doi: 10.1112/S1461157012001015.
[Sve+] Petr Svenda, Matus Nemec, Peter Sekan, Rudolf Kvasnovsky, et al. “The Million-Key Question – Investigating the Origins of RSA Public Keys”. In: The 25th USENIX Security Symposium 2016, pp. 893–910.
[VSSH18] Luke Valenta, Nick Sullivan, Antonio Sanso, and Nadia Heninger. In search of CurveSwap: Measuring elliptic curve implementations in the wild. Cryptology ePrint Archive, Report 2018/298. 2018.


[Wil82] Hugh C. Williams. “A p + 1 Method of Factoring”. In: Mathematics of Computation. Vol. 39. American Mathematical Society, 1982, pp. 225–234.

A Attached papers

The relevant papers are attached here:

∙ The 4p − 1 factorization method in Appendix A.1.
∙ Bases of circular units in Appendix A.2.

A.1 4p − 1 factorization

The paper starts on the next page.

I want to break square-free: The 4p − 1 factorization method and its RSA backdoor viability

Vladimir Sedlacek 1,2, Dusan Klinec 1, Marek Sys 1, Petr Svenda 1 and Vashek Matyas 1
1 Masaryk University, 2 Ca’ Foscari University of Venice
[email protected], {xklinec, syso, svenda, matyas}@fi.muni.cz

Keywords: Backdoor, complex multiplication, integer factorization, RSA security, smartcard.

Abstract: We analyze Cheng’s 4p − 1 factorization method as the means of a potential backdoor for the RSA primes generated inside black-box devices like cryptographic smartcards. We devise three detection methods for such a backdoor and also audit 44 million RSA keypairs generated by 18 different types of cryptographic devices. Finally, we present an improved, simplified and asymptotically deterministic version of the method, together with a deeper analysis of its performance, and we offer a public implementation written in Sage.

1 INTRODUCTION

Factorization of composite integers is an old and important problem and cryptographic schemes such as RSA are based on its intractability. RSA is one of the most frequently deployed public key cryptosystems, and a possible factorization of RSA moduli could have a serious impact on the security of real-world applications, as was demonstrated in past incidents such as finding weak RSA keys used for TLS (Heninger et al., 2012), LogJam (Adrian et al., 2015) or factorable RSA keys from cryptographic smartcards known as the ROCA attack (Nemec et al., 2017) with at least hundreds of millions of affected devices. The performance of already known factorization methods, together with the required security margin, determines the necessary security parameters (e.g., the length of the prime factors p, q of the RSA modulus n = p·q, conditions on the structure of the primes). Relevant standards (e.g., NIST FIPS 140-2 (National Institute of Standards and Technology, 2007), BSI TR-02102-1 (Bundesamt für Sicherheit in der Informationstechnik, 2018), keylength.com (Giry, 2019)) then define the minimal required parameters.

While the performance of the fastest general-purpose factorization algorithms such as the Number Field Sieve (NFS) influences the minimal secure length of the RSA moduli, the special purpose factorization methods define the vulnerable format of primes that should be avoided. The short list of factorization algorithms is:

1. General-purpose – work for general integers n. Pollard ρ (Pollard, 1975), Quadratic Sieve (Pomerance, 1985) and the asymptotically fastest NFS (Pollard, 1993) belong to this group.
2. Special purpose – very efficient when a factor p | n or n itself is of a special form:
   (a) A certain number related to the prime factor p is smooth (has only small prime divisors) – Pollard’s p − 1 (Pollard, 1974), Williams’s p + 1 (Williams, 1982), Bach–Shallit (Bach and Shallit, 1985) and Lenstra’s Elliptic Curve (ECM) (Lenstra, 1987) methods assume smoothness of the integers p − 1, p + 1, φ_k(p) (k-th cyclotomic polynomial) and #E(p), respectively.
   (b) Assumptions about p or n: there are fast methods for n of the form n = p^r q (Boneh et al., 1999) or n = p^r q^s (Coron et al., 2016). Cheng’s 4p − 1 (Cheng, 2002a) method is effective whenever the square-free part of 4p − 1 is small.

All of the mentioned methods look for a multiple kp of some unknown prime divisor p | n. In the last step, the methods compute gcd(n, kp) = d. If 1 < d < n, then a factor is found and the factorization can continue recursively. The methods are probabilistic since the factorization fails when d = n.

If a special form of primes allows for an efficient factorization of RSA moduli, an adversary is motivated to subvert the prime generation to produce such keys. This might serve as a backdoor, as the adversary would then be able to perform the factorization much faster than anyone else. We focus on the relatively unknown 4p − 1 method in this paper, whose existence might naturally introduce such a setting.²

² See the implementation and the additional materials at https://crocs.fi.muni.cz/papers/Secrypt2019.

The contributions of the paper are the following:
• we discuss the viability of the method as a potential backdoor from different perspectives;
• we perform an audit of a large RSA keypair dataset generated by 18 different types of crypto-devices with respect to a potential backdoor;
• we give a more detailed and more precise analysis of the algorithm and show that the algorithm is asymptotically deterministic;
• we present a simplification of the method and show that the number of expected iterations is 2-4 times lower than stated in (Cheng, 2002b);
• we offer a compact public implementation of the method in Sage, together with an extensive run-time analysis;
• we discover and explain a discrepancy (that governs the possibility of modulus factorization) between random primes and primes generated by certain smartcards.

The paper is organized as follows: In Section 2, we give a brief overview of the method, together with the related work. Description of the simplified method can be found in Section 3. Section 4 is devoted to a deeper analysis of the method. Practical limits of the method and time analysis of the Sage implementation are discussed in Section 5. Section 6 is concerned with the real-world impact of the algorithm and covers both the backdoor discussion and our audit. Finally, conclusions are given in Section 7.

2 PREVIOUS WORK

Cheng’s 4p − 1 method is similar to Lenstra’s ECM (Lenstra, 1987). Both methods work on an elliptic curve (EC) E(Z_n) (a set of points (x, y) ∈ Z_n × Z_n) defined by a, b ∈ Z_n and the Weierstrass equation:

E(Z_n) : y² = x³ + ax + b,

where n is the number to be factored and 4a³ + 27b² ≢ 0 (mod n). Both methods work due to the natural (mod p) mapping Z_n → F_p that induces a homomorphism E(Z_n) → E(F_p) by reducing the coordinates modulo p.

The methods compute the multiple mP for a point P on E(Z_n). If m ∈ Z is a multiple of #E(F_p) (the order of the EC over F_p), then the computation of a certain inversion modulo n fails (inversion of a multiple of p for p | n) during the scalar multiplication, which reveals p. The methods perform the following steps:

1. choose an elliptic curve E(Z_n),
2. choose a random point P ∈ E(Z_n),
3. compute mP = (ϕ_m(P)/ψ_m(P)², ω_m(P)/ψ_m(P)³) for ψ_m(P), ω_m(P), ϕ_m(P) ∈ Z_n,
4. compute gcd(ψ_m(P), n).

The methods differ in two points: how the curve is chosen and how mP is computed. In ECM, random ECs are chosen with a hope that their order #E(F_p) is smooth, so m is taken here as a product of small primes (e.g., m = B! for some small B). It is hard to find a point on the curve E(Z_n) for the composite n in general. In order to overcome this difficulty, the point P is chosen first and the curve (respectively the constants a, b) is chosen accordingly in ECM.

In Cheng’s 4p − 1 method, we hope that a given D is the square-free part of 4p − 1. The method constructs E(Z_n) (computes a, b) so that the corresponding E(F_p) is anomalous (the size of the EC is equal to p, i.e. #E(F_p) = p), so m = n is taken here as a multiple of p. Since the method constructs the EC first, it is important that Cheng found a way to avoid working with points explicitly. Instead of a direct computation of the scalar multiple nP, he used the n-th division polynomial ψ_n to compute the required ψ_n(P) = ψ_n(x) for a randomly chosen x ∈ Z, which he hopes to be an x-coordinate of some point on E(F_p). Cheng’s method uses the complex multiplication (CM) method (Bröker and Stevenhagen, 2007) to construct an anomalous EC. CM computes the j-invariant of the curve as a root of the Hilbert polynomial H_{−D}(x) in F_p corresponding to D. There are two different yet related curves (twists) E and E_c with the given j-invariant having exactly p and p + 2 points, respectively. The EC E is defined by the constants a, b, which can be computed as rational functions of the j-invariant, i.e., a = a(j), b = b(j) defines E. The EC E_c is defined by the j-invariant and some quadratic non-residue c in F_p, i.e., a = a(j, c), b = b(j, c). Since the method cannot distinguish between a curve with p points and a curve with p + 2 points over F_p, Cheng’s method computes nP (more precisely ψ_n) for both curves. The method iterates through various values of x (to guess the x-coordinate of some point) and various values of c (to guess the quadratic non-residue), hence two for-loops are used in the method. Cheng stated that the probability of a successful guess of x or a correct twist is 1/2. Later research on ECs (Rubin and Silverberg, 2007) showed that it is possible to choose the correct twist (having p elements) with some small additional effort (at least with the knowledge of p). However, we will show later that Cheng’s method works for both twists without influencing the probability of success.

Cheng introduced his method in 2002 in (Cheng, 2002a). The original method computes the j-invariant as the root of the Hilbert polynomial (HP) H_{−D}(X) of degree one. Thus in this case we have a concrete value of the j-invariant and are able to construct a concrete EC E over Z_n (up to a twist). There are only six HPs of degree one that can occur (we are not counting the cases D ∈ {−4, −7, −8} which are excluded by a congruence condition on D), so the method can be used for a prime divisor p of n of six different forms. In the same year, Cheng generalized his method in (Cheng, 2002b) for HPs of an arbitrary degree. In the generalized version, a concrete j-invariant is not computed (as finding roots of polynomials modulo n is very hard in general), but the method works with j symbolically. In 2017, Shirase published the paper (Shirase, 2017), where he followed up on Cheng’s older publication (Cheng, 2002a) (he clearly missed the newer one). Although Shirase “reinvented” Cheng’s method only for HPs of degree at most two, the contribution of his work is not negligible. Shirase improved Cheng’s unclear description of his method (especially the equation g(X) = P_n(x) ∈ Z/(n)[X] on page 6 of (Cheng, 2002b) is not clear enough). On the other hand, his description is quite complex and can be simplified.

3 A SIMPLER VERSION OF CHENG’S 4p − 1 METHOD

In our simplified method, we assume that n, the number to be factored, has a prime divisor p satisfying

4p − 1 = Ds²,

where D is square-free (note that this immediately implies D ≡ 3 (mod 8)). We will also assume D ≠ 3 (the case D = 3 is much easier and is handled separately in (Shirase, 2017)). For simplicity of the presentation, we will only deal with the case n = p·q, where q is also a prime, although this is not a necessary condition. The most important ideas involved in the algorithm are the following:

1. the number of points on a curve E(F_p) can be controlled through the CM method – in our case, finding a root j of the HP modulo p and constructing an EC E with j as its j-invariant ensures that #E(F_p) is either p or p + 2;
2. instead of working with unknown roots j ∈ F_p of the HP H_{−D}, we can make symbolic computations in the ring Q := Z_n[X]/(H_{−D}(X));
3. division polynomials ψ_n can be used to compute the desired zero denominators (ψ_n(P) ≡ 0 (mod p)) in the coordinates of the point at infinity O:

O = nP = (ϕ_n(P)/ψ_n(P)², ω_n(P)/ψ_n(P)³). (1)

Algorithm 1: A simplified version of Cheng’s 4p − 1 factorization method.
  Input: n (the integer to be factored); D (the square-free part of 4p − 1 for p | n)
  Output: p (or failure)
  compute H_{−D,n}(X) (the −D-th HP modulo n);
  Q ← Z_n[X]/(H_{−D,n}(X));
  j ← [X] ∈ Q;
  k ← j · (1728 − j)^{−1} ∈ Q (*);
  a, b ← 3k, 2k ∈ Q;
  choose bound B appropriately (for example B = 10);
  forall i ∈ {1, 2, ..., B} do
      generate random x_i ∈ Z_n ⊆ Q;
      z ← ψ_n(a, b, x_i) ∈ Q;
      d = gcd(z̄(X), H_{−D,n}(X)) ∈ Z_n[X] (*);
      r ← gcd(d, n);
      if 1 < r < n then return r;
  end
  return failure;

In our simplified Algorithm 1 of Cheng’s algorithm (Cheng, 2002a), two operations are marked by (*) since these operations may fail. Both of these operations (the computation of d or the inverse (1728 − j)^{−1} in Q) can be performed using the extended version of Euclid’s algorithm with polynomials over Z_n[X] as an input. The problematic step in Euclid’s algorithm is to compute q_k, r_k such that r_{k−2} = q_k r_{k−1} + r_k when the leading coefficient lc of the polynomial r_{k−1} is not coprime to n. However, this means that we can directly return gcd(lc, n) > 1.

4 ANALYSIS OF THE METHOD

This section focuses on a clear description and explanation of the method (Section 4.1) and its analysis (Subsections 4.2, 4.3). Cheng’s original method computes within two ECs – the curve defined by a, b and its twist defined by the same a, b and some quadratic non-residue c (mod p). Since p is unknown, Cheng’s algorithm iterates through various c. In Section 4.2 we show that Cheng’s algorithm works for both twists, hence the c-loop can be omitted, and the algorithm can be simplified to Algorithm 1. Moreover, in Subsection 4.3 we show that the average number of iterations (the x-loop) of the method depends on the class number h(−D) (the degree of the HP H_{−D}(X)) and is close to 1 for a large D.

4.1 Correctness of the algorithm

Many computations in the algorithm are performed over the quotient ring Q = Z_n[X]/(H_{−D,n}(X)). Without proof, we claim that the substitution X ↦ j induces a ring homomorphism h_j : Q → F_p. In other words, any computation in Q corresponds to a symbolic computation with a root j ∈ Z_n of the HP (i.e., H_{−D,n}(j) ≡ 0 (mod p)). Hence X ↦ j induces a homomorphism Q → Z_n which can be composed with the natural projection Z_n → F_p to obtain the homomorphism h_j. Figure 1 depicts the relation of computation in F_p and Q through h_j. It should be noted that, when working in Q, we are working symbolically with all roots of the HP modulo p at once. In particular, we have h(−D) different projections from Q to F_p, and these are essentially given by lifting an element from Q to Z_n[X], substituting some j_i into the obtained polynomial and reducing the result modulo p.

j ∈ F_p : H_{−D}(j) = 0   →   (a, b) = (3j/(1728 − j), 2j/(1728 − j))   →   ψ_n(a, b, x_i) = 0
   ↑ h_j : X ↦ j                ↑ h_j : X ↦ j                                 ↑ h_j : X ↦ j
Q : H_{−D,n}(X) = 0       →   (a, b) = (3X/(1728 − X), 2X/(1728 − X))   →   ψ_n(a, b, x_i).

Figure 1: A diagrammatic overview of arithmetic in F_p and Q.

The key and most time consuming part of the algorithm is the computation of the division polynomial ψ_n(P) related to the given EC E. In general, ψ_n(P) is a polynomial in a, b (that define E) and the coordinates (x, y) of the point P. When n is odd, y only occurs in even powers and thus can be removed using the defining Weierstrass equation, so that ψ_n(P) = ψ_n(a, b, x) becomes a polynomial in a, b, x only. The homomorphism h_j maps ψ_n(a, b, x) ∈ Q computed in the method to 0 ∈ F_p, as Figure 1 illustrates.

In Algorithm 1, we compute gcd(z̄(X), H_{−D,n}(X)) = d for the lift z̄ of z ∈ Q to Z_n[X]. Lemma 4 in (Cheng, 2002b) says that d is a constant from Z_n. Since h_j(H_{−D,n}(X)) = 0 and h_j(ψ_n(a, b, x)) = 0, we must have d ≡ 0 (mod p).

For a further analysis, we will need to understand the structure of Q. First note that the −D-th Hilbert polynomial splits completely modulo p (Bröker and Stevenhagen, 2007), so we have H_{−D}(X) ≡ ∏_{i=1}^{h(−D)} (X − j_i) (mod p) for some pairwise distinct j_1, ..., j_{h(−D)} ∈ Z (and therefore the ideals (X − j_i) ⊆ F_p[X] are pairwise comaximal). Now let H_{−D,p}(X), H_{−D,q}(X) be the projections of H_{−D}(X) to F_p and Z_q, respectively. Applying the generalized Chinese remainder theorem several times, we obtain the isomorphisms:

Q = Z_n[X]/(H_{−D,n}(X))
  ≅ Z_q[X]/(H_{−D,q}(X)) × F_p[X]/(H_{−D,p}(X))
  ≅ Z_q[X]/(H_{−D,q}(X)) × ∏_{i=1}^{h(−D)} F_p[X]/(X − j_i)
  ≅ Z_q[X]/(H_{−D,q}(X)) × ∏_{i=1}^{h(−D)} F_p.

4.2 Both twists work

If the constructed curve E : y² = f(x) (where f(x) = x³ + 3kx + 2k) has p points over F_p, it is clear that for x such that (f(x)/p) = 1 (Legendre symbol), the value ψ_n(x) will be zero modulo p (since this x then represents a coordinate of a point on E(F_p)). However, if E has p + 2 points over F_p, it must be a quadratic twist of some curve E' : y² = x³ + 3kc²x + 2kc³ for some c ∈ F_p, (c/p) = −1, such that E' has p points over F_p. Then there is an isomorphism E → E' over F_p(√c) given by (x, y) ↦ (cx, c^{3/2}y). Since c is invertible, this implies that the division polynomials of the curves must also be related by an invertible transformation. More specifically, if we let ψ_{n,E}(x), ψ_{n,E'}(x) be the division polynomials associated to E and E', respectively, then we have ψ_{n,E'}(x) = ψ_{n,E}(cx). Thus if (f(c^{−1}x)/p) = 1, the value ψ_n(x) will be zero modulo p as well. Since for fixed c the values c^{−1}x have the same distribution as x, we do not have to iterate over the twists and can fix any of them instead.

Moreover, the probability that the value ψ_n(x) will be zero modulo p for a fixed curve and a randomly chosen x ∈ F_p (more precisely, the projection of a randomly chosen x ∈ Z_n) is p_t p_x + (1 − p_t)(1 − p_x), where p_t is the probability of choosing the right twist and p_x is the probability of the event (f(x)/p) = 1. Thus under the classical heuristic assumption that p_t = 1/2 (or alternatively, after calculating that p_x is very close to 1/2), the above probability is 1/2.

4.3 Expected number of iterations

Now we can estimate the probability that the core part of the algorithm will work. First note that when we are considering an EC over a product of rings, all the associated rational functions (such as the point multiplication expression (1)) can be computed coordinate-wise, with the caveat that whenever the result in some (but not all) coordinates would be the neutral element, the whole result is undefined (as there are no “points in semi-infinity”). This could be fixed by properly defining the projective space over the product of rings, but we do not need it here. This undefined behavior is exactly what we want to achieve, as one of the denominators will then reveal a factor of n.

Thus when we have an elliptic curve over

Q ≅ Z_q[X]/(H_{−D,q}(X)) × ∏_{i=1}^{h(−D)} F_p,

the algorithm will succeed for a fixed x ∈ Z_n whenever there is at least one copy of F_p over which the x corresponds to the right twist (unless this happens over all of the copies at the same time and simultaneously over Z_q[X]/(H_{−D,q}(X)), which is extremely unlikely, as q has no relation to H_{−D}(X)). Heuristically, these copies of F_p behave independently, so by the argumentation in Section 4.2, the estimated probability that one iteration of the loop over the x_i’s in Algorithm 1 reveals p is 1 − 2^{−h(−D)}. Therefore the expected number of times the loop will have to be executed is close to

1/(1 − 2^{−h(−D)}) = 2^{h(−D)}/(2^{h(−D)} − 1).

Thus when h(−D) = 1, one iteration of the loop will work with probability around 1/2, but for a large h(−D), the probability is almost 1 and the algorithm becomes almost deterministic. These claims are also supported by empirical evidence in Section 5.2.

Note that this is a better result than in both (Cheng, 2002a) and (Shirase, 2017), where both twists are non-deterministically tested and the expected number of execution times of the innermost loop is claimed to be around 4.

5 TIME ANALYSIS AND PRACTICAL LIMITS OF THE METHOD

When we do not know D in advance, we could try to loop through all possible values of D up to some bound. This yields the complexity (D log n)^{O(1)} (Cheng, 2002b), as the computation of the D-th HP is exponential in D, while all other parts of Algorithm 1 can be performed in time polynomial in log n and D. Compare this to Pollard’s p − 1 method with the complexity (B log n)^{O(1)}, where B is the largest prime factor of p − 1. When D is small (or known), this is polynomial in log n, which is asymptotically much better than for any general classical non-quantum algorithm.

This quickly becomes inefficient for larger values of D though, for several reasons. The degree of the HPs grows quite fast, which complicates both the computations in the ring Q and the computation of the HPs themselves, and their coefficients grow even more quickly, which might eventually become a memory problem.

It is possible to compute H_{−D,n} (H_{−D} modulo n) directly (Sutherland, 2011) instead of the computation in Z, which significantly decreases the memory cost. For instance, H_{−D} is about 93 GB for D = 2093236031 while H_{−D,n} takes only 24 MB for 4096-bit n as the degree of H_{−D} is 100000.

The main practical limit is still the fact that the method is only applicable to numbers of a special form. For expected density results about these numbers, see Section 5.1.

5.1 The expected occurrence of factorable numbers

We will limit ourselves to the RSA case here, because it is probably the most important application of integer factorization in the real world. Let us take a look at the expected frequency of factorable numbers. First, let us assume that D is fixed and that p is a random 2b-bit integer, so that 2^{2b−1} < p < 2^{2b}. The condition 4p − 1 = Ds² is equivalent to (4p − 1)/D being a square of an odd integer. Since 2^{2b+1}/D < (4p − 1)/D < 2^{2b+2}/D and the number of odd integer squares in the interval (2^{2b+1}/D, 2^{2b+2}/D) is roughly

(1/2)(√(2^{2b+2}/D) − √(2^{2b+1}/D)) ≈ 2^{b−2}/√D, (2)

the number of possible 2b-bit primes such that the square-free part of 4p − 1 equals D can be roughly estimated as 2^{b−2}/√D. Since the total number of 2b-bit primes is around

2^{2b}/ln(2^{2b}) − 2^{2b−1}/ln(2^{2b−1}) ≤ 2^{2b}/b (3)

by the Prime number theorem, we can roughly estimate that the probability that a random 2b-bit prime is vulnerable to factorization with respect to a given D is around b/(√D · 2^{b+2}) (for D = 11 and 2b = 1024, this is around 2^{−507}). If we instead consider all D’s up to some bound B instead of one fixed D and use the well-known inequality ∑_{k=1}^{B} 1/√k < 2√B − 1, it would follow from (2) that the number of possible 2b-bit primes such that the square-free part of 4p − 1 equals D < B can be very roughly estimated as

∑_{D=3, D≡3 (mod 8), D square-free}^{B} 2^{b−2}/√D ≤ (1/8) ∑_{D=1}^{B} 2^{b−2}/√D < 2^{b−4} · √B,

which together with (3) gives an estimate that the probability that a random 2b-bit prime is vulnerable to factorization with respect to some D < B is around b√B/2^{b+4} (for B = 2^{54} and 2b = 1024, this is 2^{−453}).

5.2 Run-time statistics

Implementation details. We implemented the algorithm in Sage, an open-source computer algebra system. We note that to the best of our knowledge there is no other implementation available for the vulnerable primes based on the same principle at the time of writing this paper. Since most of the mathematical utilities needed are already implemented in Sage, the code is compact and easy to use (although it could probably be optimized even more). The only subtlety was the need to set the internal recursion limit to 20 000 in order to compute the n-th division polynomial (for n much larger than 2^{2048}, this should probably be increased even more).

Experiment. The factorization algorithm complexity is mainly determined by the class number h(−D) – the degree of the HP H_{−D}. We sampled the function h(−D) over the square-free discriminants −D (D ≡ 3 (mod 8)), so that we could measure the running time of the algorithm with the smallest discriminant per given class number. To practically measure the running time of the factorization algorithm, we performed the following experiment. For each h(−D) ∈ [1, 1000], we took the smallest absolute value of the discriminant D found, obtained by sampling as described above. For each discriminant, we randomly generated three composites with the vulnerable prime p of bit-size b ∈ {256, 512, 1024, 2048}. The composite n = p ∗ random_prime(b) thus has bit-size roughly 2b.

Figure 2 (plot omitted; axes: h(−D) from 0 to 1000 vs. time [s] on a log scale from 10^0 to 10^5; series: bit-size 256, 512, 1024, 2048): Observed running times of the factorization algorithm for composite bit-sizes b ∈ {256, 512, 1024, 2048} bits for the smallest discriminant found per class number. Three composites with the vulnerable prime of the given bit-size were randomly generated per discriminant.

Figure 2 depicts the results of the experiment, i.e., the overall running time of the factorization algorithm for composite n with respect to the given class number. Also, the relation between D’s and their corresponding class numbers is depicted in Figure 3, where we can see that the degree h(−D) of the HP oscillates even for close values of D.

Figure 3 (plot omitted): Log-scale of D sampled from the interval [0, 2^{32} + 3] and corresponding h(−D).

For comparison, the current factorization record using the number field sieve was achieved for an RSA number with 768-bit modulus and it would take almost 2000 years if computed on a single core (in 2009) (Kleinjung et al., 2010).

Run-time independence on D. The parameter D affects the coefficient sizes and computation time of the HP H_{−D}. Besides that, D does not affect the rest of the algorithm. The computation of H_{−D} is also easily parallelizable. As we compute H_{−D} modulo n, from a certain class number, e.g., class number 110 for a 4096-bit modulus, the coefficients of H_{−D} become larger than n, thus the complexity depends only on h(−D).

Figure 4 (plot omitted; axes: h(−D) from 0 to 600 vs. Hilbert coefficient bit-size up to 30000): Bit-sizes of all Hilbert polynomial coefficients for the smallest D corresponding to the given class number. The figure illustrates run-time independence on D as coefficients quickly grow over n.

Figure 5 (plot omitted; axes: h(−D) from 0 to 5000 vs. time [s] up to 20000; series: min and max D): The time computation of the Hilbert polynomial and values of maximal and minimal sampled D for class numbers h(−D) in [1, 5000].

Figure 4 demonstrates the growth of the coefficients of H_{−D}(X). For comparison, Figure 5 shows how the computation time is affected by D although the class number is the same (in the case where reduction modulo n is only done afterwards).

Modulus bit-size complexity. As seen from the experiment, the modulus bit-size contributes to the overall complexity of the factorization algorithm by a linear factor O(log(b)) with respect to the class number, as the modulus size mainly affects the division polynomial. This enables us to empirically study the factorization algorithm mainly with respect to the class number with the lowest such D and with the lowest bit-size to reduce computation time without affecting the validity of the results. Figure 6 depicts the linear model curve fitting over 2048-bit-prime based moduli and Table 1 shows the linear models fitted for all tested bit-sizes.

Figure 6 (plot omitted; axes: h(−D) from 200 to 1000 vs. time [s] up to 50000; series: 2048 bits and fitted function): Running time for the factorization algorithm w.r.t. h(−D) and fitted linear function for 2048 bit prime size.

p bit-size | Fitted model
256 | 0.33887x − 1.17973
512 | 1.23834x + 81.44157
1024 | 6.57677x + 519.07422
2048 | 32.7223x + 4614.71032
Table 1: Runtime linear model fit with respect to the class number.

Component timing. The computation of the division polynomial is by far the most expensive operation for class numbers under 1000 (and even for higher ones if the HP is computed modulo n directly). As class numbers grow over 1000, the H_{−D}(X) computation becomes more significant. Figure 7 illustrates the factorization algorithm timing by two components, the evaluation of the division polynomial and the HP computation for b = 256. Around the class number 2000, the component timings become equal. For higher class numbers, the H_{−D}(X) computation asymptotically dominates the overall computation time.

Figure 7 (plot omitted; axes: h(−D) from 0 to 5000 vs. time [s] on a log scale from 10^0 to 10^4; series: division polynomial, Hilbert polynomial): Algorithm log run-time breakdown to two major components: the evaluation of the division polynomial and the computation of H_{−D}(X) for b = 256.

Inner loop iterations. Observe the number of inner loop iterations in the depicted dataset. From the total number of experiments 12 000 (1000 · 4 · 3), only 12 experiments needed more than one iteration. In total, the average number of iterations is 1.001834. The class number for all experiments requiring more than one iteration was in the interval [1, 4], which supports our claim that the number of expected iterations quickly converges to 1 with higher class numbers.

Computation resources. Due to the heterogeneous nature of the cluster and the job scheduling sys-

6 THE 4p − 1 METHOD AS A BACKDOOR

The analysis from the previous section shows that if the RSA primes are sufficiently long and generated randomly, it is almost impossible for the resulting public key to be 4p − 1 factorable in practice. Taking the contrapositive, if a public RSA key is 4p − 1 factorable, there is an overwhelming probability that at least one of the primes was generated in this way on purpose, instead of being vulnerable by chance. This could be interesting from the viewpoint of (Young and Yung, 1997). It would be possible to backdoor the prime number generation methods in black-box devices (such as smartcards or Hardware Security Modules (HSMs)) to generate prime(s) p such that the square-free part of 4p − 1 is relatively small (as generating such primes is very easy). We first describe the backdoor construction process and later elaborate on the prospective detection methods, showing that the existence of the backdoor cannot be ruled out for the longer key lengths like 2048 bits, if only keys (including private primes) are available for the analysis.
103 6 THE 4p 1 METHOD AS A − 102 BACKDOOR time [s] 101 The analysis from the previous section shows that if Time components the RSA primes are sufficiently long and generated Division polynomial 100 Hilbert polynomial randomly, it is almost impossible for the resulting public key to be 4p 1 factorable in practice. Tak- 0 1000 2000 3000 4000 5000 ing the contrapositive,− if a public RSA key is 4p 1 h(-D) factorable, there is an overwhelming probability that− at least one of the primes was generated in this way Figure 7: Algorithm log run-time breakdown to two ma- jor components: the evaluation of the division polyno- on purpose, instead of being vulnerable by chance. mial and the computation of H D(X) for b = 256. This could be interesting from the viewpoint of − (Young and Yung, 1997). It would be possible to backdoor the prime number generation 12 experiments needed more than one iteration. In methods in black-box devices (such as smartcards total, the average number of iterations is 1.001834. or Hardware Security Modules (HSMs) to generate prime(s) p such that the square-free part of 4p 1 The class number for all experiments requiring more − than one iteration was in the interval [1,4], which sup- is relatively small (as generating such primes is very ports our claim that the number of expected iterations easy). We first describe the backdoor construction quickly converges to 1 with higher class numbers. process and later elaborate on the prospective detec- tion methods, showing that the existence of the back- door cannot be ruled out for the longer key lengths Computation resources. Due to the heterogeneous like 2048 bits, if only keys (including private primes) nature of the cluster and the job scheduling sys- are available for the analysis. 
tem, the jobs were allocated different processors In contrast, the RSA prime number generation in types, namely Intel Xeon Gold 5120 2.20GHz, Gold a wide range of open-source cryptographic libraries 6130 2.10GHz, E5-2630 v3 2.40GHz, E5-2650 v2 was already analyzed with no such backdoor found 2.60GHz. The worker nodes are shared among other (Svenda et al., 2016). users, which affects caches of the processor and thus the overall system performance. Due to the men- 6.1 The backdoor construction tioned irregularities, the timing measurements are ap- proximate. However, the jobs were allocated across In this section, we investigate the properties of all CPU types randomly. Cheng’s 4p 1 method when used as a cryptographic backdoor intentionally− producing moduli that are fac- Running time step-changes. There are noticeable torable. Namely, we analyze the possibility that the changes in the running time of the factorization al- backdoor with a particular choice of D will be both gorithm for some class number ranges. Even though reasonably efficient to exploit for an attacker with the the experiment jobs ran on a cluster with varying load knowledge of chosen D (so he can compute the fac- and processor types, we conclude these regions are torization), yet very hard to detect by an Inquirer. We not a result of a systematic error as for each discrim- define the Inquirer according to (Young and Yung, inant there were three random composites generated, 1997) as a person examining the (large number of) this was performed for all four bit-sizes, thus it gives generated keys from a potentially backdoored imple- 12 different experiment jobs per single D. The effect mentation for the statistical presence of any charac- is observable in all bit-sizes in all experiments. The teristics hinting at the existence of the backdoor. The regions are present even after the re-computation of Inquirer wins if the backdoor is detected with non- the region in further validation experiments. 
As the negligible probability. The attacker wins if the pres- division polynomial computation is the main running ence of the backdoor is not detected, yet the attacker time component, we conclude the regions are a result can still factorize the resulting keys in a reasonable of the particular Sage implementation, depending on time frame. the class number. Currently, we have no detailed ex- The use of the method as a backdoor has three planation of the phenomena, and it remains an open phases: 1) selection of suitable backdoor parameters, 2) generation of backdoored prime(s), and 3) factor- The backdooring of keys with short lengths (1280 ization of a given (backdoored) public key: • bits and below) is detectable even when unique D 1. An attacker selects a value D with a suitably small is used (Method 1). class number h( D). An attacker can use either If the used value D is leaked, the backdoored keys − a single fixed D (or a small number of them) for • with this specific D become exploitable by anyone all backdoored primes or generate a separate D for (not “only us”). every backdoored key. 2. During the RSA keypair generation, the first 6.2 Inquirer detection strategies prime is generated at random (non-backdoored), while the second one is constructed as follows: We propose three principally different methods to de- (a) Generate randomly an odd number s with the tect the presence of backdoor for the different scenar- length corresponding to the required length of ios concerning the availability of private keys for in- prime. spection and the length of the inspected keys. D s2+1 (b) Compute candidate prime p as p = · 4 . (c) Check if candidate p is probable prime using, Method 1: Inquirer with access to the public keys e.g., the Miller-Rabin primality test. only. An Inquirer picks a candidate Di value, as- (d) Output p if probable prime, or repeat the con- sumes the key being backdoored with this Di attempts struction with a different value of s if not. 
to perform the factorization using 4p 1 method. If successful, both the presence as well as− the actual pa- 3. The given public key is factorized using Algo- rameter Di used is revealed. The na¨ıve method would rithm 1 as described in Section 3. be to examine all possible values Di, starting from 11 until the allowed examination period is exhausted Method advantages for use as a backdoor. (e.g., at least 1000 vCPU years worth of computa- All standard RSA key lengths now assumed se- tion). Note that an attacker aims to use such a D that • has the corresponding class number h( D) as small cure can be backdoored (including 2048, 4096 − and 8192-bit lengths). as possible to achieve as fast factorization as possible. Figure 3 shows the relation between the value D and No observable bias present in the public keys (if • its h( D). the second prime is chosen at random and the − proper distribution of s is chosen). Even if unsuccessful, this examination establishes a lower limit on the computational time that an actual A favorable ratio between the factorization time • attacker needs for the factorization of a key as seen with the knowledge of D (an attacker) and the from Figure 3. time required by Inquirer to detect the existence Figure 2 shows the running time to factor a com- of such a D (see Figure 8). posite n with a particular choice of D, which is only The adjustable factorization difficulty using value known to the attacker who generated n in this way, • D with suitable class number h( D). i.e., using it as a potential backdoor. The experiment − The good parallelizability for the Hilbert polyno- illustrates the growth of the factorization complexity • mial computation part of the factorization (Suther- for an attacker knowing the D. On the other hand, an land, 2011) which dominates for the sufficiently Inquirer trying to detect such a backdoor and without large class number – see Figure 7. the knowledge of particular D has to try all possible D’s up to the Dmax. 
The detection complexity is thus The expected number of invocations of the Miller- the sum of all factorization times up to the Dmax (or • Rabin primality test during the keypair generation surface under the curve up to the Dmax). For an illus- is heuristically same as for the situation with truly tration of such case, see Figure 8. random (non-backdoored) primes.

Method disadvantages (for use as a backdoor). Method 2: Inquirer with access to the private key(s) with shorter primes (up to 768 bits). An Easy detection of the backdoor presence if private ∼ • Inquirer performs the direct factorization of 4p 1 keys are available for inspection and same D is value by generic-purpose factorization method. The− reused (two methods are discussed in Section 6.2). resulting factors are then checked for the existence of Need for quick establishment of the D used for unexpectedly small D (or its multiplies), which would • the key attempted for the factorization (as unique implicate the possibility to use 4p 1 method for fac- D has to be used for every keypair). torization and thus a presence of− the backdoor. The ditional information like or maintaining the large database of all the Ds used.
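The Inquirer checks of Methods 2 and 3 as an added example (not the paper's Sage code): Method 2 factors 4p − 1 and reports its square-free part D, and Method 3 runs batch-GCD (Heninger et al., 2012) over all 4p_i − 1 and recovers a shared D, including the "#D" trick of appending the product of all small square-free D ≡ 3 (mod 8). Assumptions: the primes are constructed at toy (about 36-bit) sizes following the construction above, trial division stands in for a real factoring engine, and the 50% bit-length threshold in method2_check is this example's choice.

```python
import math, random

def is_probable_prime(n):
    """Miller-Rabin with fixed bases (deterministic far beyond our toy sizes)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 41:
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def factor_trial(n):
    """Full factorization by trial division (adequate below ~40 bits)."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d], n = f.get(d, 0) + 1, n // d
        d += 1 if d == 2 else 2
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def square_free_part(n):
    """Return (D, s) with n = D * s**2 and D square-free."""
    D, s = 1, 1
    for q, e in factor_trial(n).items():
        D, s = D * (q if e % 2 else 1), s * q ** (e // 2)
    return D, s

def divisors(n):
    divs = [1]
    for q, e in factor_trial(n).items():
        divs = [d * q ** k for d in divs for k in range(e + 1)]
    return divs

def method2_check(p, ratio=0.5):
    """Method 2: a D far shorter than p flags the backdoor (random primes give D
    of about p's bit-length); the `ratio` threshold is this example's choice."""
    D, s = square_free_part(4 * p - 1)
    return D, s, D.bit_length() < ratio * p.bit_length()

def batch_gcd(values):
    """Batch-GCD (Heninger et al., 2012): product tree, then remainder tree."""
    levels = [list(values)]
    while len(levels[-1]) > 1:
        row = levels[-1]
        levels.append([math.prod(row[i:i + 2]) for i in range(0, len(row), 2)])
    rems = levels[-1]
    for row in reversed(levels[:-1]):
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(row)]
    return [math.gcd(r // x, x) for r, x in zip(rems, values)]

def method3_detect(primes, small_d_bound=0):
    """Method 3: batch-GCD over all 4p_i - 1; a shared D survives in g_i as a
    square-free divisor = 3 (mod 8) with (4p_i - 1)/D a perfect square.
    small_d_bound > 0 appends the product of all such small D (the paper's #D),
    so a small D is recovered even when it is used only once."""
    values = [4 * p - 1 for p in primes]
    if small_d_bound:
        values.append(math.prod(D for D in range(3, small_d_bound + 1, 8)
                                if square_free_part(D)[0] == D))
    found = {}
    for p, v, g in zip(primes, values, batch_gcd(values)):
        for c in divisors(g):
            t = math.isqrt(v // c)
            if c % 8 == 3 and square_free_part(c)[0] == c and t * t == v // c:
                found[p] = c
                break
    return found

def random_prime(bits, rng):
    while True:
        p = rng.getrandbits(bits) | 1 << (bits - 1) | 1
        if is_probable_prime(p):
            return p

def backdoored_prime(D, bits, rng):
    """Constructed test input following the construction above:
    p = (D*s^2 + 1)/4 with s odd; for D = 3 (mod 8) the division is exact."""
    k = (bits + 2 - D.bit_length()) // 2
    while True:
        s = rng.getrandbits(k) | 1 << (k - 1) | 1
        p = (D * s * s + 1) // 4
        if is_probable_prime(p):
            return p

def make_sample(seed=2019, bits=36):
    # Constructed keyset: 4 honest primes, 3 sharing D = 11, D = 59 used once,
    # D = 4099 used once (both 59 and 4099 are 3 mod 8 and square-free).
    rng = random.Random(seed)
    honest = [random_prime(bits, rng) for _ in range(4)]
    shared = [backdoored_prime(11, bits, rng) for _ in range(3)]
    return honest, shared, backdoored_prime(59, bits, rng), backdoored_prime(4099, bits, rng)
```

Without the #D product, batch-GCD recovers D = 11 only because it was reused; the prime built with the single-use D = 4099 is missed, which is the evasion the text describes, while Method 2 still flags every backdoored prime at this size because 4p − 1 can be fully factored.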

6.3 Audit of real-world keys

We collected a large dataset of 512, 1024 and 2048-bit RSA keypairs generated by fifteen different cryptographic smartcards and three HSMs, with both public and private keys stored (44.7 million keypairs in total). As we knew the keypair primes, we directly used Inquirer Methods 2 and 3 to search for a D and attempt to detect a potential backdoor.

Figure 8: Estimated factorization times for an Inquirer (without knowing D) and an attacker (knowing D) up to the lowest D for class number 5000 and bit-size 1024. The Inquirer tries all D's up to the actual D.

Application of Method 2: Factorization of 4p − 1. We used a randomly selected subset of all keys collected, with 5 000 512-bit RSA keypairs and 100 public 1024-bit RSA keys for every inspected device. Each prime is analyzed for vulnerability to the 4p − 1 factorization method, using Algorithm 1 implemented in the Sage computer algebra system for the actual computation.

We factored 4p − 1 (and 4q − 1) and computed their square-free parts. In the majority of cases, the square-free parts were the numbers themselves, and the smallest square-free part found had 490 bits in the 1024-bit case and 229 bits in the 512-bit case. Thus these public keys are far from being 4p − 1 factorable, and it would be impractical to use the 4p − 1 factorization method on these keys. In fact, if these keys could be factored with the method, then so could any randomly generated keys of the same bit-size. Section 6.3.1 further discusses the observed results. Note that we were not able to completely factor a small portion of these numbers in the given time frame (2 hours for one number), but since the Sage factorization algorithm contains a square test and revealed prime factors as large as 110 bits in other cases, we can be reasonably sure that the square-free parts of these unfactored numbers are much larger than 2^54 as well.

Application of Method 3: Batch-GCD. We used all 44.7M collected private keys, including the 2048-bit keys (these keys are not eligible for Method 2 due to their length), to search for a shared value of D using the batch-GCD algorithm (Heninger et al., 2012). Moreover, we added $\#D = \prod_{D \leq 50868011} D$, i.e., the product of all square-free D's congruent to 3 modulo 8 up to the minimal D with h(−D) = 5000, to the batch-GCD dataset.

We found that no two primes share a common square-free part D of 4p − 1 and, due to #D, all Ds used would have to be greater than 50868011. Therefore, we can conclude that if the backdoor is present, each prime has to have its own unique D (as reusing any D is very unlikely to be missed: it would have to be drawn from a set of (44.7M)^2 possible Ds, due to the Birthday paradox, to evade detection on our dataset). Note that a unique D also means that an attacker must be able to 1) infer the D used for the given public key and 2) compute the Hilbert polynomial for this specific D, slowing down the subsequent factorization.

6.3.1 Distribution of square-free parts

We compared the distribution of the square-free parts of 4p − 1 and 4q − 1 obtained by the application of Method 2 for every analyzed device with the reference distribution for p and q generated randomly by Sage. No significant differences were found, with two exceptions – the G&D SmartCafe 6.0 and NXP J2E145G smartcards, as shown in Figure 9. Here, we explain the reason for the observed differences.

The expected probability that the number 4p − 1 is square-free for a large random prime p is
$$1 - \sum_{r \text{ an odd prime}} \frac{1}{r(r-1)} \approx 0.748$$
(established experimentally from 10^6 random primes generated by Sage), because for any (small) odd prime r, 4 is invertible modulo r^2 and we have 4p ≡ 1 (mod r^2) iff p ≡ 1/4 (mod r^2), and there are exactly r(r − 1) residue classes modulo r^2 that can contain p. This is consistent with the experimental results obtained from both Sage and most cards. However, we observed from (Svenda et al., 2016) that G&D SmartCafe 6.0 avoids primes p such that p − 1 is divisible by 3 or 5, while NXP J2E145G avoids primes p such that p − 1 is divisible by any number between 3 and 251 inclusive. If p ≢ 1 (mod 3), then
$$4p - 1 \equiv p - 1 \not\equiv 0 \pmod 3$$
(so that 4p − 1 cannot be divisible by 9, which would otherwise happen with probability 1/(2 · 3)). However, we did not account for the effect of this condition on other primes r, so the probability that 4p − 1 is square-free will not increase by 1/6 in this case, but only by 0.148 (for convenience again found experimentally). Yet still, forbidding the case p ≡ 1 (mod 3) increases the resistance to the factorization (even if only very slightly). This case is special because 4p − 1 − (p − 1) = 3p ≡ 0 (mod 3).

On the contrary, forbidding the case p ≡ 1 (mod r) for r ≠ 3 decreases this resistance (although even more marginally), because 1 is coprime to r and this leads to forbidding r "good" possible residue classes modulo r^2 (note that 1 ≢ 1/4 (mod r^2)), so that the probability that 4p − 1 will be divisible by r^2 will be 1/(r(r − 1) − r) = 1/(r(r − 2)) instead of 1/(r(r − 1)) in the case that the condition p ≢ 1 (mod r) is not imposed.

Experimentally (and for sufficiently large primes), we found that if p − 1 has neither the factor 3 nor the factor 5, the probability that 4p − 1 is square-free is approximately 0.88. If p − 1 has no factor between 3 and 251, the probability is approximately 0.875, which closely matches the results obtained from the G&D SmartCafe 6.0 and NXP J2E145G smartcards, respectively.

Figure 9: Histogram of bit-lengths of square-free parts of 4p − 1 obtained from the factorization of 4p − 1 values constructed from 10000 primes found in 512-bit RSA keys. All devices other than those explicitly listed produced a distribution indistinguishable from that of the random primes generated by Sage (Sage RNG). The reasons for the observed differences are explained in Section 6.3.1.

7 CONCLUSIONS

We proposed an improved version of Cheng's 4p − 1 method and performed a thorough analysis both theoretically and empirically. The conclusion is that even though the 4p − 1 factorization method is powerful in theory, it does not seem to have any impact on real-world applications due to the very limited set of numbers on which it can be applied, occurring extremely rarely if the primes are randomly generated.

However, an attacker may intentionally generate the primes so that the resulting keys are factorable, forming a so-called kleptographic attack, especially in black-box devices like cryptographic smartcards. We therefore analyzed more than 44 million keypairs generated by 15 smartcards and 3 HSMs and found no indication of the backdoor presence in any of the analyzed devices. We were able to rule out the existence of this backdoor for the key lengths of 512 and 1024 bits, where the detection method based on the full factorization (Method 2) is applicable, as no small D was found.

Unfortunately, we cannot rule out the presence of the backdoor in keys with longer lengths, like 2048 bits, despite the availability and inspection of the private keys. An attacker may use a unique D for every prime generated, thus evading detection by the batch-GCD based method (Method 3). The complete backdoor detection (or its exclusion) is still an open question.

As already mentioned in (Cheng, 2002b), there are several other possibilities for future work on the topic of 4p − 1 factorization, including the exploration of the possibility of using Weber polynomials instead of Hilbert polynomials (whose coefficients do not grow as quickly), using curves of a higher genus or studying the discrete logarithm problem for primes of the same structure. Moreover, the inherent asymmetry of the factorization with and without the knowledge of D could prove useful in the construction of some cryptosystems.

Acknowledgements: We acknowledge the support of the Czech Science Foundation, project GA16-08565S. The access to the computing and storage resources of National Grid Infrastructure MetaCentrum (LM2010005) is greatly appreciated.

REFERENCES

Adrian, D., Bhargavan, K., et al. (2015). Imperfect forward secrecy: How Diffie-Hellman Fails in Practice. In 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015, pages 5–17.
Bach, E. and Shallit, J. (1985). Factoring with cyclotomic polynomials. In Mathematics of Computation, volume 52, pages 443–450. IEEE.
Boneh, D., Durfee, G., and Howgrave-Graham, N. (1999). Factoring n = p^r q for large r. In CRYPTO '99, pages 326–337. Springer-Verlag.
Bröker, R. and Stevenhagen, P. (2007). Efficient CM-constructions of elliptic curves over finite fields. In Mathematics of Computation, volume 76, pages 2161–2179. AMS.
Bundesamt für Sicherheit in der Informationstechnik (2018). Cryptographic Mechanisms: Recommendations and Key Lengths. Technical Guideline: TR-02102-1, BSI.
Cheng, Q. (2002a). A New Class of Unsafe Primes. IACR Cryptology ePrint Archive, 2002:109.
Cheng, Q. (2002b). A New Special-Purpose Factorization Algorithm. Citeseer. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.8.9071&rep=rep1&type=pdf [Accessed 6.2.2019].
Coron, J.-S., Faugère, J.-C., Renault, G., and Zeitoun, R. (2016). Factoring n = p^r q^s for large r and s. In RSA Conference on Topics in Cryptology - CT-RSA 2016 - Volume 9610, pages 448–464. Springer-Verlag.
Giry, D. (2019). Cryptography Key Length Recommendations. http:www.keylength.com.
Heninger, N., Durumeric, Z., Wustrow, E., and Halderman, J. A. (2012). Mining your Ps and Qs: Detection of Widespread Weak Keys in Network Devices. In 21st USENIX Security Symposium (USENIX Security 12), pages 205–220. USENIX.
Kleinjung, T., Aoki, K., et al. (2010). Factorization of a 768-bit RSA modulus. In Annual Cryptology Conference, pages 333–350. Springer-Verlag.
Lenstra, H. W. (1987). Factoring Integers with Elliptic Curves. In Annals of Mathematics, volume 126, pages 649–673. Princeton University.
National Institute of Standards and Technology (2007). Security Requirements for Cryptographic Modules. FIPS 140-2, NIST.
Nemec, M., Sys, M., Svenda, P., Klinec, D., and Matyas, V. (2017). The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli. In ACM'2017 SIGSAC Conference on Computer and Communications Security, CCS '17, pages 1631–1648. ACM.
Pollard, J. M. (1974). Theorems on factorization and primality testing. Mathematical Proceedings of the Cambridge Philosophical Society, 76(3):521–528.
Pollard, J. M. (1975). A Monte Carlo method for factorization. In BIT Numerical Mathematics, volume 15, pages 331–334. Springer-Verlag.
Pollard, J. M. (1993). Factoring with cubic integers. In The development of the number field sieve, pages 4–10. Springer-Verlag.
Pomerance, C. (1985). The Quadratic Sieve Factoring Algorithm. In Advances in Cryptology: EUROCRYPT '84, pages 169–182. Springer-Verlag.
Rubin, K. and Silverberg, A. (2007). Choosing the correct elliptic curve in the CM method. In Mathematics of Computation, volume 79, pages 545–561. AMS.
Shirase, M. (2017). Condition on composite numbers easily factored with elliptic curve method. IACR Cryptology ePrint Archive, 2017:403.
Sutherland, A. V. (2011). Computing Hilbert class polynomials with the Chinese remainder theorem. In Mathematics of Computation, volume 80, pages 501–538. AMS.
Svenda, P., Nemec, M., Sekan, P., Kvasnovsky, R., Formanek, D., Komarek, D., and Matyas, V. (2016). The Million-Key Question – Investigating the Origins of RSA Public Keys. In The 25th USENIX Security Symposium (UsenixSec'2016), pages 893–910. USENIX.
Williams, H. C. (1982). A p + 1 Method of Factoring. In Mathematics of Computation, volume 39, pages 225–234. AMS.
Young, A. L. and Yung, M. (1997). Kleptography: Using Cryptography Against Cryptography. In Advances in Cryptology - EUROCRYPT '97, International Conference on the Theory and Application of Cryptographic Techniques, Konstanz, Germany, 1997, pages 62–74.

A.2 Bases of circular units

The paper starts on the next page.

Archivum Mathematicum

Vladimír Sedláček Circular units of real abelian fields with four ramified primes

Archivum Mathematicum, Vol. 53 (2017), No. 4, 221–252

Persistent URL: http://dml.cz/dmlcz/146984

Terms of use:

© Masaryk University, 2017

Institute of Mathematics of the Czech Academy of Sciences provides access to digitized documents strictly for personal use. Each copy of any part of this document must contain these Terms of use.

This document has been digitized, optimized for electronic delivery and stamped with digital signature within the project DML-CZ: The Czech Digital Mathematics Library http://dml.cz

ARCHIVUM MATHEMATICUM (BRNO) Tomus 53 (2017), 221–252

CIRCULAR UNITS OF REAL ABELIAN FIELDS WITH FOUR RAMIFIED PRIMES

Vladimír Sedláček

Abstract. In this paper we study the groups of circular numbers and circular units in Sinnott's sense in real abelian fields with exactly four ramified primes under certain conditions. More specifically, we construct Z-bases for them in five special infinite families of cases. We also derive some results about the corresponding module of relations (in one family of cases, we show that the module of Ennola relations is cyclic). The paper is based upon the thesis [6], which builds upon the results of the paper [2].

1. Introduction

Circular units appear in many situations in algebraic number theory because in some sense, for a given abelian field, they form a good approximation of the full group of units, which is usually very hard to describe explicitly. The index of the group of circular units in the full group of units is closely related to the class number of the maximal real subfield of the respective field, which was already known to E. Kummer in the case of a prime-power cyclotomic field and which was generalized by W. Sinnott to any abelian field. Circular units can also be used for a construction of annihilators of the ideal class group of a given real abelian field, which was discovered by F. Thaine and generalized by K. Rubin (see [8] and [4]).

In contrast to the full group of units, the Sinnott group of circular units is given by explicit generators; nevertheless, a Z-basis of this group was described only in a few very special cases, for example when the abelian field is cyclotomic, has at most two ramified primes, or has three ramified primes and satisfies some other conditions. More details can be found in [1] and [2].

The aim of this paper is to present new results in the case of a real abelian field having four ramified primes under some other assumptions. Additionally, we will also explore the structure of the module of all relations (among the generators of the group of circular numbers) modulo the norm relations.

Except for some parts of Section 7, all results in this self-contained paper come from the author's thesis [6], where they are usually explained in greater detail (and the notation used there is exactly the same as here). In particular, the complete proofs of the theorems in Section 6 can be found there.

2010 Mathematics Subject Classification: primary 11R20.
Key words and phrases: circular units, abelian fields, four ramified primes, Ennola relations.
The author was supported under project 15-15785S of the Czech Science Foundation.
Received August 2, 2017, revised November 2017. Editor R. Kučera.
DOI: 10.5817/AM2017-4-221

2. Basic definitions and results about circular numbers and units

For the remainder of this section, let $k \neq \mathbb{Q}$ be a real abelian field, $K$ be its genus field in the narrow sense, $P$ be the set of ramified primes of $k/\mathbb{Q}$ and $K_p$ be the maximal subfield of $K$ ramified over $\mathbb{Q}$ only at $p \in P$. Since $\mathrm{Gal}(K/\mathbb{Q})$ has a natural action on $K$ (given by evaluating an automorphism on an element), this makes $K$ and $K^\times$ into $\mathbb{Z}[\mathrm{Gal}(K/\mathbb{Q})]$-modules.

Definition 2.1. The group $D(k)$ of circular numbers of $k$ is given as
$$D(k) := \bigl\langle \{-1\} \cup \{\eta_I \mid \emptyset \neq I \subseteq P\} \bigr\rangle_{\mathbb{Z}[\mathrm{Gal}(K/\mathbb{Q})]},$$
where $\langle \dots \rangle_{\mathbb{Z}[\mathrm{Gal}(K/\mathbb{Q})]}$ means "generated as a $\mathbb{Z}[\mathrm{Gal}(K/\mathbb{Q})]$-submodule of $K^\times$" and
$$\eta_I := N_{\mathbb{Q}(\zeta_{\mathrm{cond}(\prod_{i \in I} K_i)}) \,/\, (k \cap \prod_{i \in I} K_i)}\Bigl(1 - \zeta_{\mathrm{cond}(\prod_{i \in I} K_i)}\Bigr),$$
where $N$ denotes the norm operator, $\mathrm{cond}(L)$ is the conductor of an abelian field $L$, and the product of fields denotes their compositum. The subgroup of totally positive elements of $D(k)$ will be denoted by $D^+(k)$.

Definition 2.2. The group $C(k)$ of circular units of $k$ is $E(k) \cap D(k)$, where $E(k)$ is the group of units of the ring of algebraic integers of $k$. The subgroup of totally positive elements of $C(k)$ will be denoted by $C^+(k)$.

In [3], it is proven that the above definition of $C(k)$ gives the same group as Sinnott's original definition in [7]. Here are a few well known facts about circular units:

Lemma 2.3. Let $\emptyset \neq I \subseteq P$.
(1) For $|I| > 1$, we have $\eta_I \in E(k)$.
(2) For $|I| = 1$, we have $\eta_I \notin E(k)$, but $\eta_I^{1-\sigma} \in E(k)$ for any $\sigma \in \mathrm{Gal}(K/\mathbb{Q})$.

Corollary 2.4. We have
$$C(k) = \bigl\langle \{-1\} \cup \{\eta_I \mid I \subseteq P,\ |I| \geq 2\} \cup \{\eta_{\{p\}}^{1-\sigma} \mid p \in P,\ \sigma \in \mathrm{Gal}(K/\mathbb{Q})\} \bigr\rangle_{\mathbb{Z}[\mathrm{Gal}(K/\mathbb{Q})]}$$
and
$$C^+(k) = \bigl\langle \{\eta_I \mid I \subseteq P,\ |I| \geq 2\} \cup \{\eta_{\{p\}}^{1-\sigma} \mid p \in P,\ \sigma \in \mathrm{Gal}(K/\mathbb{Q})\} \bigr\rangle_{\mathbb{Z}[\mathrm{Gal}(K/\mathbb{Q})]}.$$

Proposition 2.5. The $\mathbb{Z}$-rank of $D^+(k)$ is $[k:\mathbb{Q}] + |P| - 1$ and the $\mathbb{Z}$-rank of $C^+(k)$ is $[k:\mathbb{Q}] - 1$.

Lemma 2.6. If $L' \subseteq L$ are abelian fields, then for any $\varepsilon \in C(L)$ (or $C^+(L)$) we have $N_{L/L'}(\varepsilon) \in C(L')$ (or $C^+(L')$), respectively.

3. The special case of four ramified primes

In the remainder of the paper, we will fix $k$ to be a real abelian field with exactly four ramified primes $p_1, p_2, p_3, p_4$ and we will abbreviate $D(k), D^+(k), C(k), C^+(k)$ simply as $D, D^+, C, C^+$. We will also use the convention that whenever any of the indices $i, j, l, h$ appear on the same line, they denote pairwise distinct integers satisfying $1 \leq i, j, l, h \leq 4$, unless stated otherwise. Finally, for any positive integer $n$, $\zeta_n$ will denote a primitive $n$-th root of unity (without loss of generality we can take $\zeta_n = e^{2\pi i/n}$).

Let $K$ be the genus field in the narrow sense of $k$ and let $G := \mathrm{Gal}(K/\mathbb{Q})$. Then we can identify $G$ with the direct product $T_1 \times T_2 \times T_3 \times T_4$, where $T_i$ is the inertia group corresponding to the ramified prime $p_i$. Next, we will define:
• $H := \mathrm{Gal}(K/k)$,
• $m := |H|$,
• the canonical projections $\pi_i : G \to T_i$,
• $a_i := [T_i : \pi_i(H)]$,
• $r_i := |H \cap \ker \pi_i|$,
• $s_{ij} := |H \cap \ker(\pi_i\pi_j)|$,
• $n_i := m / r_i$,
• $\eta := \eta_{\{p_1, p_2, p_3, p_4\}}$,
• $K_i$ as the maximal subfield of $K$ ramified only at $p_i$.
Note that we have $T_i = \mathrm{Gal}(K/K_jK_lK_h) \cong \mathrm{Gal}(K_i/\mathbb{Q})$ and
$$K = kK_iK_jK_l = K_1K_2K_3K_4$$
by ramification theory.

Assumption 3.1. In the remainder of the paper, we will assume the following:
• $H$ is cyclic, generated by $\tau$,
• each $T_i$ is cyclic, generated by $\sigma_i$.
Note that the second assumption isn't very restrictive, as it is automatically true for example if all the ramified primes of $k$ are odd (because $T_i \cong \mathrm{Gal}(K_i/\mathbb{Q})$ is a quotient of the Galois group $\mathrm{Gal}(\mathbb{Q}(\zeta_{\mathrm{cond}(K_i)})/\mathbb{Q}) \cong (\mathbb{Z}/p_i^f)^\times$ for some positive integer $f$).

Lemma 3.2. Without loss of generality, we can assume $\tau = \sigma_1^{a_1}\sigma_2^{a_2}\sigma_3^{a_3}\sigma_4^{a_4}$.

Proof. We know that $a_i = [T_i : \pi_i(H)]$, hence $\pi_i(\tau)$ generates a subgroup of $T_i$ of index $a_i$. The cyclicity of $T_i$ then implies that $\pi_i(\tau)$ must be the $a_i$-th power of some generator of $T_i$, without loss of generality $\sigma_i$. The statement now follows, because $\tau$ is determined by its four projections. □

Proposition 3.3. We have
$$[k \cap K_i : \mathbb{Q}] = a_i, \qquad [K : kK_i] = r_i, \qquad |T_i| = a_i n_i, \qquad [K : kK_iK_j] = s_{ij},$$
$$[K_i : k \cap K_i] = |\pi_i(H)| = n_i, \qquad [K_iK_j : k \cap K_iK_j] = |\pi_i\pi_j(H)| = \frac{m}{s_{ij}}$$
and
$$[K_iK_jK_l : k \cap K_iK_jK_l] = |\pi_i\pi_j\pi_l(H)| = m.$$

Proof. Since
$$\mathrm{Gal}(K/K_i) = \mathrm{Gal}\bigl(K/(K_iK_jK_l \cap K_iK_jK_h \cap K_iK_lK_h)\bigr) = \mathrm{Gal}(K/K_iK_jK_l) \cdot \mathrm{Gal}(K/K_iK_jK_h) \cdot \mathrm{Gal}(K/K_iK_lK_h) = T_jT_lT_h$$
and $\mathrm{Gal}(K/k) = H$, it follows that $\mathrm{Gal}(K/(k \cap K_i)) = T_jT_lT_h \cdot H$. Now consider the short exact sequence
$$0 \to H \cap \ker \pi_i \to H \xrightarrow{\ \pi_i|_H\ } \pi_i(H) \to 0.$$
It follows that $|\pi_i(H)| = \frac{m}{r_i} = n_i$ and
$$\pi_i(H) \cong \frac{H}{H \cap \ker \pi_i} = \frac{H}{H \cap T_jT_lT_h} \cong \frac{H \cdot T_jT_lT_h}{T_jT_lT_h} = \frac{\mathrm{Gal}(K/(k \cap K_i))}{\mathrm{Gal}(K/K_i)} \cong \mathrm{Gal}(K_i/(k \cap K_i)).$$
Therefore
$$[k \cap K_i : \mathbb{Q}] = \frac{|\mathrm{Gal}(K_i/\mathbb{Q})|}{|\mathrm{Gal}(K_i/(k \cap K_i))|} = \frac{|T_i|}{|\pi_i(H)|} = a_i$$
and
$$[K : kK_i] = \frac{|\mathrm{Gal}(K/k)|}{|\mathrm{Gal}(kK_i/k)|} = \frac{|H|}{|\mathrm{Gal}(K_i/(k \cap K_i))|} = \frac{m}{|\pi_i(H)|} = r_i.$$
Putting everything together, we obtain
$$|T_i| = [K_i : k \cap K_i] \cdot [k \cap K_i : \mathbb{Q}] = a_i\,|\pi_i(H)| = a_i n_i.$$
Next, we also have
$$\mathrm{Gal}(K/K_iK_j) = \mathrm{Gal}\bigl(K/(K_iK_jK_l \cap K_iK_jK_h)\bigr) = \mathrm{Gal}(K/K_iK_jK_l) \cdot \mathrm{Gal}(K/K_iK_jK_h) = T_lT_h$$
so that $\mathrm{Gal}(K/(k \cap K_iK_j)) = T_lT_h \cdot H$. Thus we can consider the short exact sequence
$$0 \to H \cap \ker \pi_i\pi_j \to H \xrightarrow{\ \pi_i\pi_j|_H\ } \pi_i\pi_j(H) \to 0$$
to conclude that $|\pi_i\pi_j(H)| = \frac{m}{s_{ij}}$ and
$$\pi_i\pi_j(H) \cong \frac{H}{H \cap \ker \pi_i\pi_j} = \frac{H}{H \cap T_lT_h} \cong \frac{H \cdot T_lT_h}{T_lT_h} = \frac{\mathrm{Gal}(K/(k \cap K_iK_j))}{\mathrm{Gal}(K/K_iK_j)} \cong \mathrm{Gal}(K_iK_j/(k \cap K_iK_j)).$$
Then it follows that
$$[K : kK_iK_j] = \frac{|\mathrm{Gal}(K/k)|}{|\mathrm{Gal}(kK_iK_j/k)|} = \frac{|H|}{|\mathrm{Gal}(K_iK_j/(k \cap K_iK_j))|} = \frac{m}{|\pi_i\pi_j(H)|} = s_{ij}.$$
Finally, we have
$$\mathrm{Gal}(K_iK_jK_l/(k \cap K_iK_jK_l)) \cong \mathrm{Gal}(kK_iK_jK_l/k) = \mathrm{Gal}(K/k) = H,$$
and we can consider the short exact sequence
$$0 \to H \cap \ker \pi_i\pi_j\pi_l \to H \xrightarrow{\ \pi_i\pi_j\pi_l|_H\ } \pi_i\pi_j\pi_l(H) \to 0$$
where $H \cap \ker \pi_i\pi_j\pi_l = H \cap T_h = \mathrm{Gal}(K/kK_iK_jK_l) = 0$. Thus $|\pi_i\pi_j\pi_l(H)| = m$ and
$$\pi_i\pi_j\pi_l(H) \cong H \cong \frac{T_h \cdot H}{T_h} = \frac{\mathrm{Gal}(K/(k \cap K_iK_jK_l))}{\mathrm{Gal}(K/K_iK_jK_l)} \cong \mathrm{Gal}(K_iK_jK_l/(k \cap K_iK_jK_l)).$$
□

ri sij

kKi kKiKj K = kKiKjKl

Tj Tl Th m Tl Th | × × | | × | n ri sij sij Th i m | |

k Ki k KiKj k KiKjKl

π (H) π π (H) π π π (H) | i | | i j | | i j l | k K k KiKj k KiKjKl ∩ i ∩ ∩

Ti Tj Ti Tj Tl ai | × | | × × | π π (H) π π π (H) | i j | | i j l |

Q Q Q 226 V. SEDLÁČEK

Remark 3.4. Note that Proposition 3.3 implies that $a_i n_i \neq 1$, otherwise $T_i$ would be trivial and $p_i$ wouldn't ramify in $k$.

Corollary 3.5. We have
$$[k \cap K_iK_j : \mathbb{Q}] = a_ia_js_{ij}\frac{m}{r_ir_j}, \qquad [k \cap K_iK_jK_l : \mathbb{Q}] = a_ia_ja_l\frac{m^2}{r_ir_jr_l}$$
and
$$[k : \mathbb{Q}] = a_1a_2a_3a_4\frac{m^3}{r_1r_2r_3r_4}.$$

Proof. This follows from the computations
$$[k \cap K_iK_j : \mathbb{Q}] = \frac{[K_iK_j : \mathbb{Q}]}{[K_iK_j : k \cap K_iK_j]} = \frac{|T_i| \cdot |T_j|}{m/s_{ij}} = a_ia_js_{ij}\frac{m}{r_ir_j},$$
$$[k \cap K_iK_jK_l : \mathbb{Q}] = \frac{[K_iK_jK_l : \mathbb{Q}]}{[K_iK_jK_l : k \cap K_iK_jK_l]} = \frac{|T_i| \cdot |T_j| \cdot |T_l|}{m} = a_ia_ja_l\frac{m^2}{r_ir_jr_l}$$
and
$$[k : \mathbb{Q}] = \frac{[K : \mathbb{Q}]}{[K : k]} = \frac{|T_1| \cdot |T_2| \cdot |T_3| \cdot |T_4|}{m} = a_1a_2a_3a_4\frac{m^3}{r_1r_2r_3r_4}. \qquad □$$

Lemma 3.6. We have
$$\gcd(r_i, r_j) = s_{ij},$$
$$\gcd(r_i, r_j, r_l) = 1,$$
$$\operatorname{lcm}(n_i, n_j, n_l) = m \qquad\text{and}\qquad \gcd(n_i, n_j) = s_{ij}\frac{m}{r_ir_j}.$$

Proof. It follows from Proposition 3.3 that $s_{ij} \mid r_i$, $s_{ij} \mid r_j$ and
$$|\pi_i(H)| = n_i, \qquad |\pi_i\pi_j(H)| = \frac{m}{s_{ij}} \qquad\text{and}\qquad |\pi_i\pi_j\pi_l(H)| = m.$$
The cyclicity of $H$ then implies
$$\frac{m}{s_{ij}} = |\pi_i\pi_j(H)| = |\langle \pi_i\pi_j(\tau) \rangle| = |\langle \pi_i(\tau)\pi_j(\tau) \rangle| = \operatorname{lcm}(n_i, n_j),$$
because $\langle \pi_i(\tau) \rangle = \pi_i(H)$ and any power of the product $\pi_i(\tau)\pi_j(\tau)$ is trivial if and only if the same power of both its factors is (since $G$ is the direct product of the $T_i$'s). Now for any common divisor $t$ of $r_i, r_j$, we have
$$\frac{m}{s_{ij}} = \operatorname{lcm}(n_i, n_j) = \operatorname{lcm}\Big(\frac{m}{r_i}, \frac{m}{r_j}\Big) \ \Big|\ \frac{m}{t},$$
which implies $t \mid s_{ij}$. Hence $s_{ij} = \gcd(r_i, r_j)$.

Similarly, we can compute
$$m = |\pi_i\pi_j\pi_l(H)| = |\langle \pi_i\pi_j\pi_l(\tau) \rangle| = |\langle \pi_i(\tau)\pi_j(\tau)\pi_l(\tau) \rangle| = \operatorname{lcm}(n_i, n_j, n_l).$$
In addition, if $t$ is any positive common divisor of $r_i, r_j, r_l$, we have
$$m = \operatorname{lcm}(n_i, n_j, n_l) = \operatorname{lcm}\Big(\frac{m}{r_i}, \frac{m}{r_j}, \frac{m}{r_l}\Big) \ \Big|\ \frac{m}{t},$$
which implies $t = 1$, hence $\gcd(r_i, r_j, r_l) = 1$.

Finally, using the first result, we have
$$s_{ij}\frac{m}{r_ir_j} = \frac{m}{r_ir_j/s_{ij}} = \frac{m}{\operatorname{lcm}(r_i, r_j)},$$
which clearly divides both $\frac{m}{r_i} = n_i$ and $\frac{m}{r_j} = n_j$. Moreover, if $t$ is any common divisor of $n_i = \frac{m}{r_i}$ and $n_j = \frac{m}{r_j}$, then both $r_it$ and $r_jt$ divide $m$, hence
$$t \cdot \operatorname{lcm}(r_i, r_j) = \operatorname{lcm}(r_it, r_jt) \mid m.$$
Thus $t \mid \dfrac{m}{\operatorname{lcm}(r_i, r_j)}$ and we are done. □

Remark 3.7. If $k$ is fixed, we have shown in Proposition 3.3, Lemma 3.6 and Remark 3.4 that
$$r_i \mid m, \qquad \gcd(r_i, r_j, r_l) = 1, \qquad a_in_i \neq 1.$$
Conversely, using the theory of Dirichlet characters, it can be shown that for any choice of positive integers $m, a_1, a_2, a_3, a_4, r_1, r_2, r_3, r_4$ satisfying
$$r_i \mid m, \qquad \gcd(r_i, r_j, r_l) = 1, \qquad a_in_i \neq 1,$$
there exist infinitely many real abelian fields $k$ ramified at exactly four primes satisfying the assumptions on page 223 (in particular, the family of fields we are studying is nonempty). The proof of this is analogous to the proof of a similar statement in Chapter 6 of [5] and we omit it.

Proposition 3.8. We have

$$\mathrm{Gal}(k/\mathbb{Q}) \cong \Big\{ \sigma_1^{x_1}\sigma_2^{x_2}\sigma_3^{x_3}\sigma_4^{x_4}|_k \ ;\ 0 \le x_1 < a_1\frac{m}{r_1},\ 0 \le x_2 < a_2\frac{m}{r_2s_{34}},\ 0 \le x_3 < a_3\frac{m}{r_3r_4}s_{34},\ 0 \le x_4 < a_4 \Big\},$$
where each automorphism of $k$ determines the quadruple $(x_1, x_2, x_3, x_4)$ uniquely.

Proof. First note that by Lemma 3.6, we have
$$a_3\frac{m}{r_3r_4}s_{34} = a_3\gcd(n_3, n_4) \in \mathbb{Z} \qquad\text{and}\qquad a_2\frac{m}{r_2s_{34}} \in \mathbb{Z}$$
(this follows from $r_2 \mid m$, $s_{34} \mid m$ and $\gcd(r_2, s_{34}) = \gcd(r_2, r_3, r_4) = 1$). By Corollary 3.5, the set on the right hand side has at most $|\mathrm{Gal}(k/\mathbb{Q})|$ elements. Now let $\rho$ be any automorphism of $k$. If we can show that $\rho$ can be written as $\rho = \sigma_1^{x_1}\sigma_2^{x_2}\sigma_3^{x_3}\sigma_4^{x_4}|_k$ for a quadruple $(x_1, x_2, x_3, x_4)$ satisfying
$$0 \le x_1 < a_1\frac{m}{r_1}, \qquad 0 \le x_2 < a_2\frac{m}{r_2s_{34}}, \qquad 0 \le x_3 < a_3\frac{m}{r_3r_4}s_{34}, \qquad 0 \le x_4 < a_4,$$
it will follow that the cardinalities agree and we will be done.

Since $\mathrm{Gal}(k \cap K_4/\mathbb{Q})$ is a cyclic group of order $a_4$ (by Proposition 3.3) generated by $\sigma_4|_{k \cap K_4}$ (as a quotient of $\mathrm{Gal}(K_4/\mathbb{Q}) = \langle \sigma_4|_{K_4} \rangle$), there must exist a unique $x_4 \in \mathbb{Z}$, $0 \le x_4 < a_4$ such that $\rho$ and $\sigma_4^{x_4}$ have the same restrictions to $k \cap K_4$. Therefore $\rho\sigma_4^{-x_4}|_k \in \mathrm{Gal}(k/k \cap K_4)$.

Next, $\mathrm{Gal}(k \cap K_3K_4/k \cap K_4)$ is a cyclic group of order $\dfrac{[k \cap K_3K_4 : \mathbb{Q}]}{[k \cap K_4 : \mathbb{Q}]} = a_3\dfrac{m}{r_3r_4}s_{34}$ (by Corollary 3.5) generated by $\sigma_3|_{k \cap K_3K_4}$ (as it is isomorphic by restriction to
$$\mathrm{Gal}\big((k \cap K_3K_4)K_4/K_4\big),$$
which is a quotient of $\mathrm{Gal}(K_3K_4/K_4) = \langle \sigma_3|_{K_3K_4} \rangle$), so there must exist a unique $x_3 \in \mathbb{Z}$ with $0 \le x_3 < a_3\frac{m}{r_3r_4}s_{34}$ such that $\rho\sigma_4^{-x_4}|_k$ and $\sigma_3^{x_3}$ have the same restriction to $k \cap K_3K_4$. Therefore $\rho\sigma_3^{-x_3}\sigma_4^{-x_4}|_k \in \mathrm{Gal}(k/k \cap K_3K_4)$.

Following the pattern, $\mathrm{Gal}(k \cap K_2K_3K_4/k \cap K_3K_4)$ is a cyclic group of order
$$\frac{[k \cap K_2K_3K_4 : \mathbb{Q}]}{[k \cap K_3K_4 : \mathbb{Q}]} = a_2\frac{m}{r_2s_{34}}$$
(by Corollary 3.5) generated by $\sigma_2|_{k \cap K_2K_3K_4}$ (as it is isomorphic by restriction to
$$\mathrm{Gal}\big((k \cap K_2K_3K_4)K_3K_4/K_3K_4\big),$$
which is a quotient of $\mathrm{Gal}(K_2K_3K_4/K_3K_4) = \langle \sigma_2|_{K_2K_3K_4} \rangle$), so there must exist a unique $x_2 \in \mathbb{Z}$, $0 \le x_2 < a_2\frac{m}{r_2s_{34}}$ such that $\rho\sigma_3^{-x_3}\sigma_4^{-x_4}|_k$ and $\sigma_2^{x_2}$ have the same restriction to $k \cap K_2K_3K_4$. Therefore
$$\rho\sigma_2^{-x_2}\sigma_3^{-x_3}\sigma_4^{-x_4}|_k \in \mathrm{Gal}(k/k \cap K_2K_3K_4).$$

Finally, we have
$$\mathrm{Gal}(k/k \cap K_2K_3K_4) \cong \mathrm{Gal}(kK_2K_3K_4/K_2K_3K_4) = \mathrm{Gal}(K/K_2K_3K_4) = \langle \sigma_1 \rangle,$$
where the isomorphism is given by restriction. Since the order of $\sigma_1$ is $a_1\frac{m}{r_1}$, it follows that there must exist a unique $x_1 \in \mathbb{Z}$, $0 \le x_1 < a_1\frac{m}{r_1}$ such that $\rho\sigma_2^{-x_2}\sigma_3^{-x_3}\sigma_4^{-x_4}|_k$ and $\sigma_1^{x_1}$ have the same restriction to $k$. Thus $\rho = \sigma_1^{x_1}\sigma_2^{x_2}\sigma_3^{x_3}\sigma_4^{x_4}|_k$ and the proof is finished. □

[Figure: the tower $\mathbb{Q} \subseteq k \cap K_4 \subseteq k \cap K_3K_4 \subseteq k \cap K_2K_3K_4 \subseteq k$ beside the tower $\mathbb{Q} \subseteq K_4 \subseteq K_3K_4 \subseteq K_2K_3K_4 \subseteq K_1K_2K_3K_4 = K$, with the degrees $a_4$, $a_3\frac{m}{r_3r_4}s_{34}$, $a_2\frac{m}{r_2s_{34}}$, $a_1\frac{m}{r_1}$ of the successive steps and their generators $\langle \sigma_4|_{K_4} \rangle$, $\langle \sigma_3|_{K_3K_4} \rangle$, $\langle \sigma_2|_{K_2K_3K_4} \rangle$, $\langle \sigma_1|_k \rangle$, as in the proof of Proposition 3.8.]



4. General strategy for the construction of bases of circular numbers and circular units

Our goal will be to find explicit $\mathbb{Z}$-bases of $D^+$ and $C^+$. To achieve this, we will build upon the results in [2]. The generators of $D^+$ are subject to norm relations that correspond to the sum of all elements of the respective inertia groups $T_i$. Namely, let
$$R_i = \sum_{u=0}^{a_i-1} \sigma_i^u, \qquad N_i = \sum_{u=0}^{n_i-1} \sigma_i^{ua_i}.$$
Then the norm operator from $K$ to $K_jK_lK_h$ can be given as $R_iN_i$, because both are equal to the sum of all elements from $T_i$. Moreover, we have
$$\mathrm{Gal}(k/k \cap K_jK_lK_h) \cong \mathrm{Gal}(K/K_jK_lK_h) = T_i,$$
where the first isomorphism is given by restriction, hence $R_iN_i$ also acts as the norm operator from $k$ to $k \cap K_jK_lK_h$. If we denote the congruence corresponding to the canonical projection $\mathbb{Z}[G] \to \mathbb{Z}[G/H]$ by $\equiv$, then we have (using Lemma 3.2)
$$N_4 \equiv \sum_{u=0}^{n_4-1} \sigma_1^{ua_1}\sigma_2^{ua_2}\sigma_3^{ua_3}.$$
Note that any subgroup of $k^\times$ is naturally a $\mathbb{Z}[G/H]$-module, since the action of $H$ on $k$ is trivial.

Moreover, we will denote the congruence corresponding to the composition of canonical projections
$$\mathbb{Z}[G] \to \mathbb{Z}[G/H] \to \mathbb{Z}[G/H]/(R_1N_1, R_2N_2, R_3N_3, R_4N_4)$$
by $\sim$, where $(R_1N_1, R_2N_2, R_3N_3, R_4N_4)$ is the ideal generated in $\mathbb{Z}[G/H]$ by the images of the elements $R_iN_i$. Lemma 2.3 shows that $\eta \in C^+$, therefore by Lemma 2.6, we have $\eta^{\rho R_iN_i} \in C^+(k \cap K_jK_lK_h)$ for any $\rho \in G$. We will make use of this extensively, because explicit $\mathbb{Z}$-bases of $D^+(k \cap K_iK_jK_l)$ and $C^+(k \cap K_iK_jK_l)$ have already been constructed in [1] if exactly two of the primes $p_i, p_j, p_l$ ramify in $k \cap K_iK_jK_l$, or in [2] if all three primes ramify in this field, as the following lemma shows. (If at most one prime ramifies in $k \cap K_iK_jK_l$, it is quite trivial to describe explicit $\mathbb{Z}$-bases of $D^+(k \cap K_iK_jK_l)$ and $C^+(k \cap K_iK_jK_l)$ as well.)

Lemma 4.1. If the field $k \cap K_iK_jK_l$ is ramified at all three primes $p_i, p_j, p_l$ then this field satisfies the assumptions of [2]. In other words, if $K'$ is the genus field in the narrow sense of $k \cap K_iK_jK_l$, then $\mathrm{Gal}(K'/k \cap K_iK_jK_l)$ is cyclic and the inertia subgroups of $\mathrm{Gal}(K'/\mathbb{Q})$ are all cyclic.

Proof. It's clear that $k \cap K_iK_jK_l$ is real, abelian (its absolute Galois group is a quotient of $G$) and at most three primes ramify in it. By the symmetry between the ramified primes, we can take $\{i, j, l\} = \{1, 2, 3\}$ in the rest of the proof and we will denote $k' := k \cap K_1K_2K_3$ to improve readability.

Now let $K'$ be the genus field in the narrow sense of $k'$, and for any $u \in \{1, 2, 3\}$, let $K'_u$ be the maximal subfield of $K'$ ramified only at $p_u$ and $T'_u$ be the inertia subgroup of $\mathrm{Gal}(K'/\mathbb{Q})$ corresponding to $p_u$. Then by ramification theory, we have $K'_u \subseteq K_u$, hence $T'_u \cong \mathrm{Gal}(K'_u/\mathbb{Q})$ is isomorphic to a quotient of the cyclic group $\mathrm{Gal}(K_u/\mathbb{Q}) \cong T_u$, so it must also be cyclic.

Finally note that we have $K' = K'_1K'_2K'_3 \subseteq K_1K_2K_3$ and $kK_1K_2K_3 = K$, hence $\mathrm{Gal}(K'/k') = \mathrm{Gal}(K'_1K'_2K'_3/k \cap K_1K_2K_3)$ is a quotient of
$$\mathrm{Gal}(K_1K_2K_3/k \cap K_1K_2K_3) \cong \mathrm{Gal}(K/k),$$
which is cyclic. This concludes the proof.

[Figure: lattice of the fields $\mathbb{Q} \subseteq k' = k \cap K_1K_2K_3 \subseteq K' = K'_1K'_2K'_3 \subseteq K_1K_2K_3$ and $k \subseteq K = kK_1K_2K_3$, as used in the proof of Lemma 4.1.]

□

Using the results in [1] and [2], we can thus take the $\mathbb{Z}$-bases of
$$D^+(k \cap K_1K_2K_3),\ D^+(k \cap K_1K_2K_4),\ D^+(k \cap K_1K_3K_4),\ D^+(k \cap K_2K_3K_4)$$
and we will denote their union by $B_D$. Analogously, we can take the $\mathbb{Z}$-bases of
$$C^+(k \cap K_1K_2K_3),\ C^+(k \cap K_1K_2K_4),\ C^+(k \cap K_1K_3K_4),\ C^+(k \cap K_2K_3K_4)$$
and denote their union by $B_C$. Note that $B_D$ and $B_C$ contain the same conjugates of $\eta_I$ for each $I \subsetneq \{p_1, p_2, p_3, p_4\}$, $|I| \ge 2$.

To construct a $\mathbb{Z}$-basis of $D^+$ (or $C^+$), we will take the union of $B_D$ (or $B_C$, respectively) with a set $B$ of suitably chosen conjugates of the highest generator $\eta$. In order to have a chance to obtain a $\mathbb{Z}$-basis of $D^+$, this set should have cardinality
$$N := [k : \mathbb{Q}] + 4 - 1 - |B_D| = [k : \mathbb{Q}] + 3 - \sum_{i,j,l}\big([k \cap K_iK_jK_l : \mathbb{Q}] + 2\big) + \sum_{i,j}\big([k \cap K_iK_j : \mathbb{Q}] + 1\big) - \sum_i [k \cap K_i : \mathbb{Q}]$$
$$(4.1)\qquad = a_1a_2a_3a_4\frac{m^3}{r_1r_2r_3r_4} - \sum_{i,j,l} a_ia_ja_l\frac{m^2}{r_ir_jr_l} + \sum_{i,j} a_ia_js_{ij}\frac{m}{r_ir_j} - \sum_i a_i + 1$$
by Proposition 2.5 and Corollary 3.5, using the principle of inclusion and exclusion (due to the fact that these bases were constructed "inductively"). Note that all conjugates of $\eta$ are units by Lemma 2.3, so this number $N$ will remain the same in the case of constructing a $\mathbb{Z}$-basis of $C^+$. Thus we do not have to distinguish between the cases of $D^+$ and $C^+$ anymore and we can take the set $B$ to be the same for both of them.

We cannot guarantee at the moment that the set $B_D \cup B$ (or $B_C \cup B$, respectively) is not linearly dependent, but if we will show how to obtain all the missing conjugates of $\eta$ using the relations
$$R_1N_1 \sim 0, \qquad R_2N_2 \sim 0, \qquad R_3N_3 \sim 0, \qquad R_4\sum_{u=0}^{n_4-1}\sigma_1^{ua_1}\sigma_2^{ua_2}\sigma_3^{ua_3} \sim 0$$
and their $\mathbb{Z}[G]$-linear combinations, it will follow that we really have a $\mathbb{Z}$-basis thanks to the discussion just above Lemma 4.1. A typical way to do that will be the following: if $R \sim 0$ for some $R \in \mathbb{Z}[G]$ and $\eta^R$ is a product of conjugates of $\eta$ such that we can already generate all of them except for precisely one, then we can generate the last one as well, because $\eta^R$ can also be expressed as a $\mathbb{Z}$-linear combination of elements in $B_C$. We will always refer to the conjugates of $\eta$ by their coordinates $x_1, x_2, x_3, x_4$ according to Proposition 3.8. This allows us to visualise $\mathrm{Gal}(k/\mathbb{Q})$ geometrically as a discrete (at most) four-dimensional cuboid.

5. The special case $a_1 = a_2 = a_3 = r_4 = 1$, $r_1 \neq 1$, $r_2 \neq 1$, $r_3 \neq 1$, $s_{12} = s_{13} = s_{23} = 1$, $\gcd(n_1, n_2, n_3) = 1$

In this case, we have
$$\mathrm{Gal}(k/\mathbb{Q}) \cong \big\{ \sigma_1^{x_1}\sigma_2^{x_2}\sigma_3^{x_3}\sigma_4^{x_4}|_k \ ;\ 0 \le x_1 < n_1,\ 0 \le x_2 < n_2,\ 0 \le x_3 < n_3,\ 0 \le x_4 < a_4 \big\},$$
$$s_{12} = s_{13} = s_{14} = s_{23} = s_{24} = s_{34} = 1$$
and
$$N_1 \sim 0, \qquad N_2 \sim 0, \qquad N_3 \sim 0, \qquad R_4\sum_{u=0}^{m-1}\sigma_1^u\sigma_2^u\sigma_3^u \sim 0.$$
The condition $r_1 \neq 1$, $r_2 \neq 1$, $r_3 \neq 1$ is actually not restrictive, since we will discuss the cases where it is not satisfied in Section 6.

Lemma 5.1. If $s_{12} = s_{13} = s_{23} = 1$, the following are equivalent:

(1) $\gcd(n_1, n_2, n_3) = 1$,

(2) $\operatorname{lcm}(r_1, r_2, r_3) = m$,

(3) $r_1r_2r_3 = m$,

(4) $n_1 = r_2r_3$, $n_2 = r_1r_3$, $n_3 = r_1r_2$,

(5) $\dfrac{n_1n_2n_3}{m} = m$,

(6) $\gcd(n_1, n_2) = r_3$, $\gcd(n_1, n_3) = r_2$, $\gcd(n_2, n_3) = r_1$.

Proof. This is just elementary number theory (recall that by Lemma 3.6, we have $s_{ij} = \gcd(r_i, r_j)$). □

Thus $\frac{n_1n_2n_3}{m} = m = r_2n_2 = \gcd(n_1, n_3)n_2$ by Lemma 5.1 and using Lemma 3.6, we get
$$N = a_4n_1n_2n_3 - \frac{n_1n_2n_3}{m} - a_4(n_1n_2 + n_1n_3 + n_2n_3) - a_4 - 2 + a_4(n_1 + n_2 + n_3) + \gcd(n_1, n_2) + \gcd(n_1, n_3) + \gcd(n_2, n_3)$$
$$= (a_4 - 1)(n_1 - 1)(n_2 - 1)(n_3 - 1) + (n_1 - 1)(n_2 - 1)(n_3 - 2) + n_1n_2 - (\gcd(n_1, n_3) + 1)n_2 - (n_1 - \gcd(n_1, n_3) - 1) + \gcd(n_2, n_3) + \gcd(n_1, n_2) - 2$$
$$= (a_4 - 1)(n_1 - 1)(n_2 - 1)(n_3 - 1) + (n_1 - 1)(n_2 - 1)(n_3 - 2) + (n_2 - 1)(n_1 - r_2 - 1) + r_1 + r_3 - 2.$$

We will define $B_5$ as the set of the following $N$ conjugates $\eta^{\sigma_1^{x_1}\sigma_2^{x_2}\sigma_3^{x_3}\sigma_4^{x_4}}$:

• $0 \le x_1 < n_1 - 1$, $0 \le x_2 < n_2 - 1$, $0 \le x_3 < n_3 - 1$, $0 < x_4 \le a_4 - 1$,
• $0 \le x_1 < n_1 - 1$, $0 \le x_2 < n_2 - 1$, $1 < x_3 \le n_3 - 1$, $x_4 = 0$,
• $0 \le x_1 < n_1 - r_2 - 1$, $0 \le x_2 < n_2 - 1$, $x_3 = 0$, $x_4 = 0$,
• $x_1 = n_1 - r_2 - 1$, $0 \le x_2 < r_1 + r_3 - 2$, $x_3 = 0$, $x_4 = 0$.

(Note that $n_3 = r_1r_2 \ge 4$, $n_1 - r_2 - 1 = r_2(r_3 - 1) - 1 > 0$ and $n_2 - 1 > r_1 + r_3 - 2 > 0$, since $r_1, r_2, r_3 > 1$ and $n_2 = r_1r_3$.)

First we will recover the cases $0 < x_4 < a_4$, $x_1 = n_1 - 1$ or $x_2 = n_2 - 1$ or $x_3 = n_3 - 1$ using the relations $N_1 \sim 0$, $N_2 \sim 0$, $N_3 \sim 0$. From now on, we only need to deal with the cases where $x_4 = 0$. Next, we will recover the cases $1 < x_3 \le n_3 - 1$, $x_1 = n_1 - 1$ or $x_2 = n_2 - 1$ (and always $x_4 = 0$) using the relations $N_1 \sim 0$, $N_2 \sim 0$ and the cases $x_3 = x_4 = 0$, $0 \le x_1 < n_1 - r_2 - 1$, $x_2 = n_2 - 1$ using the relation $N_2 \sim 0$.

At this moment, we are only missing all the cases with $x_3 = 1$, $x_4 = 0$ and some of those with $x_3 = x_4 = 0$. From now on, we will only focus on recovering those with $x_3 = x_4 = 0$, because once we have those, we can recover those with $x_3 = 1$, $x_4 = 0$ just by using the relation $N_3 \sim 0$.

From now on, we will write $\bar z := z \pmod{r_3}$ for any $z \in \mathbb{Z}$, hence we will always have $\bar z \in \{0, 1, \ldots, r_3 - 1\}$. We will also define $h$ to be the unique integer satisfying
$$r_1 \cdot h \equiv r_2 \pmod{r_3} \qquad\text{and}\qquad h \in \{0, 1, \ldots, r_3 - 1\}$$
and similarly $h'$ to be the unique integer satisfying
$$r_2 \cdot h' \equiv r_1 \pmod{r_3} \qquad\text{and}\qquad h' \in \{0, 1, \ldots, r_3 - 1\}$$
(both are well defined, since $\gcd(r_1, r_3) = \gcd(r_2, r_3) = 1$). Clearly $h \cdot h' \equiv 1 \pmod{r_3}$.

Let $Q'$ be the quotient $\mathbb{Z}[G]$-module
$$D^+\big/\big\langle \eta_I \ ;\ \emptyset \subsetneq I \subsetneq P \big\rangle_{\mathbb{Z}[G]}$$
and let $Q$ be the quotient $\mathbb{Z}$-module of $Q'$ by the classes of conjugates we have already recovered, i.e.,
$$Q := Q'\big/\big\langle \eta^{\sigma_1^{x_1}\sigma_2^{x_2}\sigma_3^{x_3}\sigma_4^{x_4}} \ ;\ 0 \le x_1 < n_1,\ 0 \le x_2 < n_2,\ 0 \le x_3 < n_3,\ 0 < x_4 < a_4,$$
$$\text{or } 0 \le x_1 < n_1,\ 0 \le x_2 < n_2,\ 1 < x_3 < n_3,\ x_4 = 0,$$
$$\text{or } 0 \le x_1 < n_1 - r_2 - 1,\ 0 \le x_2 < n_2,\ x_3 = x_4 = 0,$$
$$\text{or } x_1 = n_1 - r_2 - 1,\ 0 \le x_2 < r_1 + r_3 - 2,\ x_3 = x_4 = 0 \big\rangle_{\mathbb{Z}}$$
(where we denote $\eta^\rho \in D^+$ and its class in $Q'$ in the same way for any $\rho \in G$). We will write $Q$ additively, denoting the class of $\eta$ in $Q$ by $\mu$, hence denoting the class of $\eta^\rho$ in $Q$ by $\rho \cdot \mu$ for any $\rho \in \mathrm{Gal}(k/\mathbb{Q})$ or $\rho \in G$. Showing that we have indeed chosen a basis now amounts to showing that $Q$ is trivial. Since
$$0 = \sigma_1^{x_1}\sigma_2^{x_2}N_3 \cdot \mu = \sigma_1^{x_1}\sigma_2^{x_2} \cdot \mu + \sigma_1^{x_1}\sigma_2^{x_2}\sigma_3 \cdot \mu$$
for any $x_1, x_2 \in \mathbb{Z}$, this is equivalent with showing that $\sigma_1^{x_1}\sigma_2^{x_2} \cdot \mu = 0$ for each $0 \le x_1 < n_1$, $0 \le x_2 < n_2$.

The conjugates with $x_3 = 0$ and $x_4 = 0$ (i.e., those of the form $\eta^{\sigma_1^{x_1}\sigma_2^{x_2}}$) can be visualized as a discrete rectangle with $n_1$ rows and $n_2$ columns. Since for each $x_4$, there are $n_3$ layers of such rectangles in total, the sum $\eta^{R_4\sum_{u=0}^{m-1}\sigma_1^u\sigma_2^u\sigma_3^u}$ must contain $\frac{m}{n_3} = r_3$ conjugates in each of these rectangles. We will now describe the sum of these. Let
$$T := \sum_{u=0}^{r_3-1}\sigma_1^{un_3}\sigma_2^{un_3}.$$
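The cardinality $N$ of $B_5$ above can be checked mechanically. The following Python script is an added example and not part of the paper: for sample parameters $(r_1, r_2, r_3, a_4)$ (constructed; pairwise coprime $r_i > 1$, as the section assumes) it evaluates $N$ from the simplified form of (4.1), from the final closed form, and by enumerating the four families of exponent quadruples $(x_1, x_2, x_3, x_4)$ that define $B_5$, so that the three numbers can be compared. The function names are the example's own.

```python
"""Added example (not from the paper): cardinality check for the set B_5 of Section 5.

Assumed parameters: pairwise coprime r1, r2, r3 > 1 and a4 >= 1. In the special case
a1 = a2 = a3 = r4 = 1, s12 = s13 = s23 = 1 Lemma 5.1 gives n1 = r2*r3, n2 = r1*r3,
n3 = r1*r2 and m = r1*r2*r3. The three functions below compute N in three ways:
from (4.1) as it simplifies here, from the final closed form, and by enumerating
the exponent quadruples of B_5.
"""
from itertools import product
from math import gcd


def invariants(r1, r2, r3):
    """Return (n1, n2, n3, m) for the special case of Section 5 (Lemma 5.1)."""
    if min(r1, r2, r3) < 2:
        raise ValueError("Section 5 assumes r1, r2, r3 != 1")
    if gcd(r1, r2) != 1 or gcd(r1, r3) != 1 or gcd(r2, r3) != 1:
        raise ValueError("s12 = s13 = s23 = 1 means r1, r2, r3 are pairwise coprime")
    return r2 * r3, r1 * r3, r1 * r2, r1 * r2 * r3


def n_from_inclusion_exclusion(r1, r2, r3, a4):
    """N as obtained from (4.1) with a1 = a2 = a3 = r4 = 1 and all s_ij = 1."""
    n1, n2, n3, m = invariants(r1, r2, r3)
    return (a4 * n1 * n2 * n3
            - n1 * n2 * n3 // m
            - a4 * (n1 * n2 + n1 * n3 + n2 * n3)
            - a4 - 2
            + a4 * (n1 + n2 + n3)
            + gcd(n1, n2) + gcd(n1, n3) + gcd(n2, n3))


def n_closed_form(r1, r2, r3, a4):
    """The final simplified expression for N given just before the definition of B_5."""
    n1, n2, n3, _ = invariants(r1, r2, r3)
    return ((a4 - 1) * (n1 - 1) * (n2 - 1) * (n3 - 1)
            + (n1 - 1) * (n2 - 1) * (n3 - 2)
            + (n2 - 1) * (n1 - r2 - 1)
            + r1 + r3 - 2)


def enumerate_b5(r1, r2, r3, a4):
    """Exponent quadruples (x1, x2, x3, x4) of the conjugates of eta that make up B_5."""
    n1, n2, n3, _ = invariants(r1, r2, r3)
    quads = set()
    # 0 <= x1 < n1-1, 0 <= x2 < n2-1, 0 <= x3 < n3-1, 0 < x4 <= a4-1
    quads.update(product(range(n1 - 1), range(n2 - 1), range(n3 - 1), range(1, a4)))
    # 0 <= x1 < n1-1, 0 <= x2 < n2-1, 1 < x3 <= n3-1, x4 = 0
    quads.update(product(range(n1 - 1), range(n2 - 1), range(2, n3), [0]))
    # 0 <= x1 < n1-r2-1, 0 <= x2 < n2-1, x3 = x4 = 0
    quads.update(product(range(n1 - r2 - 1), range(n2 - 1), [0], [0]))
    # x1 = n1-r2-1, 0 <= x2 < r1+r3-2, x3 = x4 = 0
    quads.update(product([n1 - r2 - 1], range(r1 + r3 - 2), [0], [0]))
    return quads


def check(r1, r2, r3, a4):
    """Return the three counts; they agree exactly when the algebra above is right."""
    return (n_from_inclusion_exclusion(r1, r2, r3, a4),
            n_closed_form(r1, r2, r3, a4),
            len(enumerate_b5(r1, r2, r3, a4)))


if __name__ == "__main__":
    # constructed sample parameters: r1 = 2, r2 = 3, r3 = 5, a4 = 2
    print(check(2, 3, 5, 2))
```

For the constructed parameters $(r_1, r_2, r_3, a_4) = (2, 3, 5, 2)$ one has $n_1 = 15$, $n_2 = 10$, $n_3 = 6$, $m = 30$ and all three counts equal $1238$; with $a_4 = 1$ the first family of $B_5$ is empty and the counts still agree, e.g. $608$ for $(3, 2, 5, 1)$.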

Lemma 5.2. In $Q$, we have
$$\sigma_1^{x_1}\sigma_2^{x_2}(1 - \sigma_1\sigma_2)T \cdot \mu = 0$$
for any $x_1, x_2 \in \mathbb{Z}$.

Proof. Using the fact that every $0 \le w < m$ can be uniquely written as $un_3 + v$, where $0 \le u < r_3$, $0 \le v < n_3$, together with the fact that the order of $\sigma_3$ is $n_3$, we get
$$R_4T\sum_{v=0}^{n_3-1}\sigma_1^v\sigma_2^v\sigma_3^v = R_4\sum_{u=0}^{r_3-1}\sigma_1^{un_3}\sigma_2^{un_3}\sigma_3^{un_3} \cdot \sum_{v=0}^{n_3-1}\sigma_1^v\sigma_2^v\sigma_3^v = R_4\sum_{w=0}^{m-1}\sigma_1^w\sigma_2^w\sigma_3^w \sim 0.$$
Together with $N_3 \sim 0$, this means that
$$0 \sim \sigma_1^{x_1}\sigma_2^{x_2}\Big(R_4T\sum_{v=0}^{n_3-1}\sigma_1^v\sigma_2^v\sigma_3^v - \sigma_1\sigma_2N_3R_4T\Big)$$
$$= \sigma_1^{x_1}\sigma_2^{x_2}R_4T\sum_{v=0}^{n_3-1}(\sigma_1^v\sigma_2^v - \sigma_1\sigma_2)\sigma_3^v$$
$$= \sigma_1^{x_1}\sigma_2^{x_2}(1 - \sigma_1\sigma_2)R_4T + \sigma_1^{x_1}\sigma_2^{x_2}R_4T\sum_{v=2}^{n_3-1}(\sigma_1^v\sigma_2^v - \sigma_1\sigma_2)\sigma_3^v$$
$$= \sigma_1^{x_1}\sigma_2^{x_2}(1 - \sigma_1\sigma_2)T + \sigma_1^{x_1}\sigma_2^{x_2}(1 - \sigma_1\sigma_2)T\sum_{u=1}^{a_4-1}\sigma_4^u + \sigma_1^{x_1}\sigma_2^{x_2}R_4T\sum_{v=2}^{n_3-1}(\sigma_1^v\sigma_2^v - \sigma_1\sigma_2)\sigma_3^v.$$
Since all the summands in the expression
$$\sigma_1^{x_1}\sigma_2^{x_2}(1 - \sigma_1\sigma_2)T\sum_{u=1}^{a_4-1}\sigma_4^u + \sigma_1^{x_1}\sigma_2^{x_2}R_4T\sum_{v=2}^{n_3-1}(\sigma_1^v\sigma_2^v - \sigma_1\sigma_2)\sigma_3^v$$
have either $x_4 > 0$ or $x_3 > 1$ (where $x_3$ and $x_4$ denote the respective exponents of $\sigma_3$ and $\sigma_4$ in each term), the result of their action on $\mu$ becomes trivial in $Q$, which yields the result. □

The rest of this section will again be stated purely algebraically, but perhaps it is helpful (although not strictly required) to see some of its parts geometrically. We will decompose our rectangle (of conjugates of $\eta$ having $x_3 = x_4 = 0$) into $r_3 \times r_3$ rectangular blocks of height $r_2$ and width $r_1$ in the natural way. In the following, by a big row (resp. a big column) we will understand a row of blocks (resp. columns), that is $r_3$ consecutive blocks next to (resp. above) each other. Since $r_2 \mid n_3$, $r_1 \mid n_3$ and the conjugates contained in $\eta^T$ are given by $\eta^{\sigma_1^{qn_3}\sigma_2^{qn_3}}$ for $0 \le q \le r_3 - 1$, the Chinese remainder theorem implies that $\eta^{\sigma_1^{x_1}\sigma_2^{x_2}T}$ contains exactly one conjugate in every big row (resp. every big column) for any $0 \le x_1 < n_1$, $0 \le x_2 < n_2$, and these have the same relative position in each of the respective blocks (determined only by $r_1, r_2, x_1, x_2$). We can be even more precise: the horizontal distance between $\eta^{\sigma_1^{qn_3+x_1}\sigma_2^{qn_3+x_2}}$ and $\eta^{\sigma_1^{(q+1)n_3+x_1}\sigma_2^{(q+1)n_3+x_2}}$ for $0 \le q \le r_3 - 1$ and $0 \le x_1 < n_1$, $0 \le x_2 < n_2$ is exactly $r_2 \cdot r_1$, i.e., $r_2$ blocks, and the vertical distance between them is exactly $r_1 \cdot r_2$, i.e., $r_1$ blocks (again this follows easily from the Chinese remainder theorem). It follows that the horizontal distance between any two conjugates in $\eta^T$ with a vertical distance of one block is $h$ blocks.

For all $0 \le u \le n_2$, we will denote $X_u := \sigma_1^{n_1-2}\sigma_2^u \cdot \mu$ and $Y_u := \sigma_1^{r_2(r_3-1)-1}\sigma_2^u \cdot \mu$. By definition, $X_u$ and $Y_u$ are elements of $Q$. It will be convenient to allow any integers in the indices of the $X$'s and $Y$'s and regard them only modulo $n_2$ (to be more precise, as in the set $\{0, 1, \ldots, n_2 - 1\}$). Moreover note that by definition, $Y_u = 0$ for $0 \le u < r_1 + r_3 - 2$.

Lemma 5.3. We have $X_q = X_{q'}$ for any $q \equiv q' \pmod{r_3}$. Moreover, for any $0 \le x_1 < n_1$, $0 \le x_2 < n_2$, we have
$$\sigma_1^{x_1}\sigma_2^{x_2} \cdot \mu = \begin{cases} 0 & \text{if } 0 \le x_1 < r_2(r_3 - 1) - 1, \\ Y_{x_2} & \text{if } x_1 = r_2(r_3 - 1) - 1, \\ X_{x_2 - x_1 - 2} & \text{if } r_2(r_3 - 1) \le x_1 < n_1 - 1, \\ X_{x_2 - x_1 - 2} - Y_{x_2 - h \cdot r_1} & \text{if } x_1 = n_1 - 1. \end{cases}$$

Proof. The first part will be proven in a moment, we will now focus on the second. The first case ($x_1 < r_2(r_3 - 1) - 1$) follows directly from the definition of $Q$ and the second case ($x_1 = r_2(r_3 - 1) - 1$) directly from the definition of $Y_{x_2}$.

Now for every $0 \le u < n_2$, we will prove that
$$(5.1)\qquad \sigma_1^{n_1-2-v}\sigma_2^{u-v} \cdot \mu = X_u$$
by induction with respect to $v = 0, 1, \ldots, r_2 - 2$. The base step $v = 0$ is just the definition of $X_u$. Now suppose that $0 < v \le r_2 - 2$ and the statement holds for $v - 1$. Then in the equality
$$(5.2)\qquad \sigma_1^{n_1-2-v}\sigma_2^{u-v}(1 - \sigma_1\sigma_2)\Big(\sum_{w=0}^{r_3-1}\sigma_1^{wn_3}\sigma_2^{wn_3}\Big) \cdot \mu = 0,$$
which follows from Lemma 5.2, we claim that all the terms with $w > 0$ do not contribute anything to the sum. Indeed, all the exponents of $\sigma_1$ are pairwise congruent modulo $r_2$ (since $r_2 \mid n_3$), and since $n_1 - r_2 \le n_1 - 2 - v < n_1 - 2$ and $n_1 - r_2 + 1 \le n_1 - 1 - v < n_1 - 1$, we have
$$\sigma_1^{n_1-2-v}\sigma_2^{u-v}(1 - \sigma_1\sigma_2)\sigma_1^{wn_3}\sigma_2^{wn_3} \cdot \mu = 0$$
for any $w > 0$, because $r_3$ does not divide $wn_3$ in this case. Hence (5.2) implies that
$$0 = \sigma_1^{n_1-2-v}\sigma_2^{u-v}(1 - \sigma_1\sigma_2) \cdot \mu = \sigma_1^{n_1-2-v}\sigma_2^{u-v} \cdot \mu - \underbrace{\sigma_1^{n_1-2-(v-1)}\sigma_2^{u-(v-1)} \cdot \mu}_{=X_u},$$
therefore $\sigma_1^{n_1-2-v}\sigma_2^{u-v} \cdot \mu = X_u$ by the induction hypothesis. This completes the induction, so (5.1) holds.

Now for any $0 \le u < n_2$, we will take $v = r_2 - 1$ in (5.2). Again, since all the exponents of $\sigma_1$ are pairwise congruent modulo $r_2$ (since $r_2 \mid n_3$) in this sum, the only terms which could be nonzero are those arising from $w = 0$ and from $w$ satisfying
$$wn_3 + n_1 - 2 - (r_2 - 1) \equiv n_1 - 1 \pmod{n_1},$$
which is equivalent to $wn_3 \equiv r_2 \pmod{n_1}$, which implies $wn_3 \equiv r_2 \pmod{r_3}$. Together with $wn_3 \equiv 0 \pmod{r_1}$ and the fact that $\gcd(r_1, r_3) = 1$, this means that the only solution to the above congruence is $wn_3 \equiv h \cdot r_1 \pmod{n_2}$. Thus we have
$$0 = \Big(\sigma_1^{n_1-r_2-1}\sigma_2^{u-r_2+1}(1 - \sigma_1\sigma_2) + \sigma_1^{n_1-1}\sigma_2^{u-r_2+1+h \cdot r_1}(1 - \sigma_1\sigma_2)\Big) \cdot \mu$$
$$= \underbrace{\sigma_1^{n_1-r_2-1}\sigma_2^{u-r_2+1} \cdot \mu}_{=Y_{u-r_2+1}} - \underbrace{\sigma_1^{n_1-r_2}\sigma_2^{u-r_2+2} \cdot \mu}_{=X_u \text{ due to (5.1)}} + \sigma_1^{n_1-1}\sigma_2^{u-r_2+1+h \cdot r_1} \cdot \mu - \underbrace{\sigma_1^{n_1}\sigma_2^{u-r_2+1+h \cdot r_1+1} \cdot \mu}_{=0}.$$
Therefore
$$(5.3)\qquad \sigma_1^{n_1-1}\sigma_2^{u-r_2+1+h \cdot r_1} \cdot \mu = X_u - Y_{u-r_2+1}.$$

Finally, for any $0 \le u < n_2$, we will take $v = r_2$ in (5.2). Again, since all the exponents of $\sigma_1$ are pairwise congruent modulo $r_2$ in this sum, we only get nonzero terms for $w = 0$ and for $w$ satisfying
$$wn_3 + n_1 - 2 - r_2 \equiv n_1 - 2 \pmod{n_1},$$
which implies (because we have got the same congruence as above) $wn_3 \equiv h \cdot r_1 \pmod{n_2}$. Thus we have
$$0 = \underbrace{\sigma_1^{n_1-r_2-2}\sigma_2^{u-r_2} \cdot \mu}_{=0} - \underbrace{\sigma_1^{n_1-r_2-1}\sigma_2^{u-r_2+1} \cdot \mu}_{=Y_{u-r_2+1}} + \underbrace{\sigma_1^{n_1-2}\sigma_2^{u-r_2+h \cdot r_1} \cdot \mu}_{=X_{u-r_2+h \cdot r_1}} - \underbrace{\sigma_1^{n_1-1}\sigma_2^{u-r_2+1+h \cdot r_1} \cdot \mu}_{=X_u - Y_{u-r_2+1} \text{ due to (5.3)}}.$$
Therefore $X_{u-r_2+h \cdot r_1} = X_u$. Note that
$$h \cdot r_1 - r_2 \equiv 0 \pmod{r_3}$$
and
$$h \cdot r_1 - r_2 \equiv -r_2 \pmod{r_1}.$$
Since $\gcd(-r_2, r_1) = 1$ and $n_2 = r_1r_3$, this means that for all $q, q' \in \mathbb{Z}$ satisfying
$$q \equiv q' \pmod{r_3},$$
there is some $w \in \mathbb{Z}$ such that
$$q' \equiv w(h \cdot r_1 - r_2) + q \pmod{n_2}.$$

Without loss of generality, we can assume that $w \ge 0$ (otherwise we can just swap $q$ and $q'$). But then
$$X_q = X_{q+(h \cdot r_1 - r_2)} = X_{q+2(h \cdot r_1 - r_2)} = \cdots = X_{q+w(h \cdot r_1 - r_2)} = X_{q'}.$$

Now for any $x_1, x_2$ satisfying $r_2(r_3 - 1) \le x_1 < n_1 - 1$ and $0 \le x_2 < n_2$, denoting
$$v = n_1 - 2 - x_1, \qquad u = v + x_2,$$
we get $0 \le v \le r_2 - 2$ and the equality (5.1) implies
$$\sigma_1^{x_1}\sigma_2^{x_2} \cdot \mu = X_{n_1-2-x_1+x_2} = X_{x_2-x_1-2},$$
because $r_3 \mid n_1$.

Similarly, for $x_1 = n_1 - 1$ and any $0 \le x_2 < n_2$, denoting $u = x_2 + r_2 - 1 - h \cdot r_1$, the equality (5.3) implies that
$$\sigma_1^{x_1}\sigma_2^{x_2} \cdot \mu = X_u - Y_{u-r_2+1} = X_{x_2-x_1-2} - Y_{x_2-h \cdot r_1},$$
since
$$u = x_2 - 1 + r_2 - h \cdot r_1 \equiv x_2 - 1 \equiv x_2 - 2 + 1 - n_1 = x_2 - x_1 - 2 \pmod{r_3}$$
by definition of $h$ and the fact that $r_3 \mid n_1$. This concludes the proof. □

Thanks to Lemma 5.3, from now on we will regard the indices of the $X$'s only modulo $r_3$. The lemma also implies the equality

$$(5.4)\qquad \sigma_1^{n_1-1}\sigma_2^{x_2} \cdot \mu + \sigma_1^{n_1-r_2-1}\sigma_2^{x_2-h \cdot r_1} \cdot \mu = X_{x_2-1} - Y_{x_2-h \cdot r_1} + Y_{x_2-h \cdot r_1} = X_{x_2-1}$$
for any $x_2 \in \mathbb{Z}$, which we will use several times. Another simple observation that will come in handy in the proofs of the following lemmas is that the unary operation of adding a fixed integer induces an automorphism of $\mathbb{Z}/r_3$, which we will not mention explicitly anymore.

To show that $Q$ is trivial, it now suffices to show that $X_u = 0$ for all $0 \le u < r_3$ and $Y_v = 0$ for all $r_1 + r_3 - 2 \le v < n_2$ (knowing already that $Y_v = 0$ for all $0 \le v < r_1 + r_3 - 2$). To achieve this, we will use linear algebra.

Let
$$\alpha := Y_{r_1+r_3-2} + Y_{r_1+r_3-1} + \cdots + Y_{n_2-1} \in Q$$
and
$$(5.5)\qquad \beta := X_0 + X_1 + \cdots + X_{r_3-1} \in Q.$$

Lemma 5.4. We have $\alpha = \beta = 0$.

Proof. Using the relation $N_2 \sim 0$, we have
$$0 = \sigma_1^{r_2(r_3-1)-1}N_2 \cdot \mu = \sum_{x_2=0}^{n_2-1}\sigma_1^{r_2(r_3-1)-1}\sigma_2^{x_2} \cdot \mu = \sum_{x_2=0}^{n_2-1}Y_{x_2} = \alpha$$
and
$$0 = \sigma_1^{r_2(r_3-1)}N_2 \cdot \mu = \sum_{x_2=0}^{n_2-1}\sigma_1^{r_2(r_3-1)}\sigma_2^{x_2} \cdot \mu = \sum_{x_2=0}^{n_2-1}X_{x_2-r_2(r_3-1)-2}$$
$$= \sum_{x_2=0}^{r_1r_3-1}X_{x_2+r_2-2} = \sum_{u=0}^{r_1-1}\sum_{v=0}^{r_3-1}X_{ur_3+v+r_2-2} = r_1 \cdot \sum_{v=0}^{r_3-1}X_{v+r_2-2} = r_1 \cdot \beta,$$
since each $x_2 \in \{0, 1, \ldots, r_1r_3 - 1\}$ can be uniquely written as $ur_3 + v$, where $0 \le u < r_1$, $0 \le v < r_3$.

Similarly, using Lemma 5.3 together with the relation $N_1 \sim 0$ and the equality (5.4), we get
$$0 = \sum_{q=0}^{r_3-1}\sigma_2^{qr_1}N_1 \cdot \mu = \sum_{q=0}^{r_3-1}\big(\sigma_1^{n_1-1} + \sigma_1^{r_2(r_3-1)-1}\big)\sigma_2^{qr_1} \cdot \mu + \sum_{x_1=r_2(r_3-1)}^{n_1-2}\sum_{q=0}^{r_3-1}\sigma_1^{x_1}\sigma_2^{qr_1} \cdot \mu$$
$$= \sum_{q=0}^{r_3-1}\big(\sigma_1^{n_1-1}\sigma_2^{qr_1} + \sigma_1^{r_2(r_3-1)-1}\sigma_2^{(q-h) \cdot r_1}\big) \cdot \mu + \sum_{x_1=r_2(r_3-1)}^{n_1-2}\sum_{q=0}^{r_3-1}\sigma_1^{x_1}\sigma_2^{qr_1} \cdot \mu$$
$$= \sum_{q=0}^{r_3-1}X_{qr_1-1} + \sum_{x_1=r_2(r_3-1)}^{n_1-2}\sum_{q=0}^{r_3-1}X_{qr_1-x_1-2} = \sum_{x_1=r_2(r_3-1)}^{n_1-1}\sum_{q=0}^{r_3-1}X_{qr_1-x_1-2} = r_2 \cdot \beta,$$
since for any $x_1$, all possible remainders modulo $r_3$ occur exactly once as the indices in the sum $\sum_{q=0}^{r_3-1}X_{qr_1-x_1-2}$ (due to the fact that the order of the class of $r_1$ in $\mathbb{Z}/r_3$ is $r_3$, due to their coprimality). Since $\gcd(r_1, r_2) = 1$, this implies $\beta = 0$ by Bézout's identity. □

Next, for $0 \le q \le r_3 - 3$, we will define

$$(5.6)\qquad \Gamma_q := \sum_{u=0}^{r_3-h'-1}\sum_{v=0}^{\bar r_2-1}X_{q+v-ur_2-1} \in Q.$$

Lemma 5.5. For any $0 \le q \le r_3 - 3$, we have $\Gamma_q = 0$.

Proof. Using Lemma 5.3, the relation $N_1 \sim 0$ and the equality (5.4), we get
$$0 = \sum_{u=0}^{r_3-h'-1}\sigma_2^{q-uhr_1}N_1 \cdot \mu$$
$$= \sum_{u=0}^{r_3-h'-2}\underbrace{\big(\sigma_1^{n_1-1}\sigma_2^{q-uhr_1} + \sigma_1^{r_2(r_3-1)-1}\sigma_2^{q-(u+1)hr_1}\big) \cdot \mu}_{=X_{q-uhr_1-1} \text{ due to (5.4)}} + \underbrace{\sigma_1^{r_2(r_3-1)-1}\sigma_2^{q} \cdot \mu}_{=Y_q} + \underbrace{\sigma_1^{n_1-1}\sigma_2^{q-(r_3-h'-1)hr_1} \cdot \mu}_{=X_{q-(r_3-h'-1)hr_1-1} - Y_{q+r_1}}$$
$$+ \sum_{x_1=r_2(r_3-1)}^{n_1-2}\sum_{u=0}^{r_3-h'-1}\sigma_1^{x_1}\sigma_2^{q-uhr_1} \cdot \mu.$$
Now we will use the fact that $q \le r_3 - 3 \le r_1 + r_3 - 3$ (implying $Y_q = 0$) and
$$q - (r_3 - h' - 1)hr_1 - hr_1 = q - r_1r_3h + r_1hh' \equiv q + r_1 \pmod{n_2},$$
since the congruence holds modulo both $r_1$ and $r_3$ (and $\gcd(r_1, r_3) = 1$). Also note that $Y_{q+r_1} = 0$, since
$$r_1 \le q + r_1 \le r_1 + r_3 - 3,$$
which precisely justifies the bounds on $q$ that we used in the definition of $\Gamma_q$ and also explains why the upper bound in the first sum was chosen to be $r_3 - h' - 1$. Continuing with the previous equality and using Lemma 5.3 together with the congruence $hr_1 \equiv r_2 \pmod{r_3}$, we thus have
$$0 = \sum_{u=0}^{r_3-h'-2}X_{q-uhr_1-1} + X_{q-(r_3-h'-1)hr_1-1} + \sum_{x_1=r_2(r_3-1)}^{n_1-2}\sum_{u=0}^{r_3-h'-1}X_{q-uhr_1-x_1-2}$$
$$= \sum_{u=0}^{r_3-h'-1}X_{q-ur_2-1} + \sum_{x_1=r_2(r_3-1)}^{n_1-2}\sum_{u=0}^{r_3-h'-1}X_{q-ur_2-x_1-2} = \sum_{x_1=r_2(r_3-1)}^{n_1-1}\sum_{u=0}^{r_3-h'-1}X_{q-ur_2-x_1-2}.$$
After using the substitution $v = n_1 - 1 - x_1$, this becomes
$$0 = \sum_{u=0}^{r_3-h'-1}\sum_{v=0}^{r_2-1}X_{q+v-ur_2-1} = \sum_{u=0}^{r_3-h'-1}\Big(\sum_{v=0}^{\bar r_2-1}X_{q+v-ur_2-1} + \sum_{v=\bar r_2}^{r_2-1}X_{q+v-ur_2-1}\Big)$$
$$= \sum_{u=0}^{r_3-h'-1}\sum_{v=0}^{\bar r_2-1}X_{q+v-ur_2-1} + \frac{r_2 - \bar r_2}{r_3}\sum_{u=0}^{r_3-h'-1}\sum_{v=\bar r_2}^{\bar r_2+r_3-1}X_{q+v-ur_2-1} = \Gamma_q + \sum_{u=0}^{r_3-h'-1}\frac{r_2 - \bar r_2}{r_3} \cdot \beta,$$
which equals $\Gamma_q$ since $\beta = 0$ by Lemma 5.4. □

Finally, let
$$(5.7)\qquad \Delta := \sum_{u=0}^{r_3-1}\sum_{v=0}^{\bar r_2-1}\sum_{w=0}^{\bar r_1-1}u \cdot X_{v+w-ur_2-1} \in Q.$$

Lemma 5.6. We have $\Delta = 0$.

Proof. Using Lemma 5.3, the relation $N_1 \sim 0$ and the equality (5.4), we get
$$0 = \sum_{u=0}^{r_3-1}\sum_{x_2=0}^{r_1-1}u \cdot \sigma_2^{x_2-uhr_1}N_1 \cdot \mu$$
$$= \sum_{u=0}^{r_3-1}\sum_{x_2=0}^{r_1-1}u \cdot \big(\sigma_1^{n_1-1}\sigma_2^{x_2-uhr_1} + \sigma_1^{r_2(r_3-1)-1}\sigma_2^{x_2-uhr_1}\big) \cdot \mu + \sum_{u=0}^{r_3-1}\sum_{x_1=r_2(r_3-1)}^{n_1-2}\sum_{x_2=0}^{r_1-1}u \cdot \sigma_1^{x_1}\sigma_2^{x_2-uhr_1} \cdot \mu$$
$$= \sum_{u=0}^{r_3-2}\sum_{x_2=0}^{r_1-1}\Big(u \cdot \underbrace{\sigma_1^{n_1-1}\sigma_2^{x_2-uhr_1} \cdot \mu}_{=X_{x_2-uhr_1-1} - Y_{x_2-(u+1)hr_1}} + (u + 1) \cdot \underbrace{\sigma_1^{r_2(r_3-1)-1}\sigma_2^{x_2-(u+1)hr_1} \cdot \mu}_{=Y_{x_2-(u+1)hr_1}}\Big)$$
$$+ (r_3 - 1) \cdot \sum_{x_2=0}^{r_1-1}\underbrace{\sigma_1^{n_1-1}\sigma_2^{x_2-(r_3-1)hr_1} \cdot \mu}_{=X_{x_2-(r_3-1)hr_1-1} - Y_{x_2-hr_1r_3}} + \sum_{u=0}^{r_3-1}\sum_{x_1=r_2(r_3-1)}^{n_1-2}\sum_{x_2=0}^{r_1-1}u \cdot \sigma_1^{x_1}\sigma_2^{x_2-uhr_1} \cdot \mu.$$
Since
$$x_2 - hr_1r_3 \equiv x_2 \pmod{n_2}$$
and $0 \le x_2 < r_1$, we have $Y_{x_2-hr_1r_3} = 0$. Also note that for any $r_1 \le q < n_2$, there exist unique
$$u \in \{0, 1, \ldots, r_3 - 2\}, \qquad x_2 \in \{0, 1, \ldots, r_1 - 1\}$$
such that
$$q \equiv x_2 - (u + 1)hr_1 \pmod{n_2}$$
by the Chinese remainder theorem, since $\gcd(h, r_3) = 1$ and for $u = r_3 - 1$, we would get $q \equiv x_2 \pmod{n_2}$ and $0 \le x_2 < r_1$. Thus we get a bijection
$$\{0, 1, \ldots, r_3 - 2\} \times \{0, 1, \ldots, r_1 - 1\} \to \{r_1, r_1 + 1, \ldots, n_2 - 1\},$$
which we will use in a moment to transform a double sum into a simple one.

Continuing with the above equality and using the congruence $hr_1 \equiv r_2 \pmod{r_3}$, we thus have
$$0 = \sum_{u=0}^{r_3-2}\sum_{x_2=0}^{r_1-1}u \cdot X_{x_2-ur_2-1} + \sum_{u=0}^{r_3-2}\sum_{x_2=0}^{r_1-1}Y_{x_2-(u+1)hr_1} + \underbrace{\sum_{q=0}^{r_1-1}Y_q}_{=0}$$
$$+ (r_3 - 1) \cdot \sum_{x_2=0}^{r_1-1}X_{x_2-(r_3-1)r_2-1} + \sum_{u=0}^{r_3-1}\sum_{x_1=r_2(r_3-1)}^{n_1-2}\sum_{x_2=0}^{r_1-1}u \cdot X_{x_2-ur_2-x_1-2}$$
$$= \sum_{u=0}^{r_3-1}\sum_{x_2=0}^{r_1-1}u \cdot X_{x_2-ur_2-1} + \underbrace{\sum_{q=r_1}^{n_2-1}Y_q + \sum_{q=0}^{r_1-1}Y_q}_{=\alpha} + \sum_{u=0}^{r_3-1}\sum_{x_1=r_2(r_3-1)}^{n_1-2}\sum_{x_2=0}^{r_1-1}u \cdot X_{x_2-ur_2-x_1-2}$$
$$= \alpha + \sum_{u=0}^{r_3-1}\sum_{x_1=r_2(r_3-1)}^{n_1-1}\sum_{x_2=0}^{r_1-1}u \cdot X_{x_2-ur_2-x_1-2}.$$
After using the equality $\alpha = 0$ by Lemma 5.4 and the substitutions $v = n_1 - 1 - x_1$, $w = x_2$, this becomes
$$0 = \sum_{u=0}^{r_3-1}\sum_{v=0}^{r_2-1}\sum_{w=0}^{r_1-1}u \cdot X_{v+w-ur_2-1} = \sum_{u=0}^{r_3-1}\sum_{v=0}^{r_2-1}\Big(\sum_{w=0}^{\bar r_1-1}u \cdot X_{v+w-ur_2-1} + \sum_{w=\bar r_1}^{r_1-1}u \cdot X_{v+w-ur_2-1}\Big)$$
$$= \sum_{u=0}^{r_3-1}\sum_{w=0}^{\bar r_1-1}\sum_{v=0}^{r_2-1}u \cdot X_{v+w-ur_2-1} + \sum_{u=0}^{r_3-1}\sum_{v=0}^{r_2-1}u \cdot \frac{r_1 - \bar r_1}{r_3} \cdot \beta.$$
Using the fact that $\beta = 0$ by Lemma 5.4, this equals
$$\sum_{u=0}^{r_3-1}\sum_{w=0}^{\bar r_1-1}\sum_{v=0}^{r_2-1}u \cdot X_{v+w-ur_2-1} = \sum_{u=0}^{r_3-1}\sum_{w=0}^{\bar r_1-1}\Big(\sum_{v=0}^{\bar r_2-1}u \cdot X_{v+w-ur_2-1} + \sum_{v=\bar r_2}^{r_2-1}u \cdot X_{v+w-ur_2-1}\Big)$$
$$= \Delta + \sum_{u=0}^{r_3-1}\sum_{w=0}^{\bar r_1-1}u \cdot \frac{r_2 - \bar r_2}{r_3} \cdot \beta,$$
which equals $\Delta$ again by $\beta = 0$. □

Now let $\mathcal{X}$ be the free $\mathbb{Z}$-module with generators $\hat X_0, \hat X_1, \ldots, \hat X_{r_3-1}$. Analogously to the definitions (5.5), (5.6), (5.7) (with the indices of the $\hat X$'s again read modulo $r_3$), we will define
$$\hat\beta := \hat X_0 + \hat X_1 + \cdots + \hat X_{r_3-1} \in \mathcal{X},$$
$$\hat\Gamma_q := \sum_{u=0}^{r_3-h'-1}\sum_{v=0}^{\bar r_2-1}\hat X_{q+v-ur_2-1} \in \mathcal{X},$$
$$\hat\Delta := \sum_{u=0}^{r_3-1}\sum_{v=0}^{\bar r_2-1}\sum_{w=0}^{\bar r_1-1}u \cdot \hat X_{v+w-ur_2-1} \in \mathcal{X}$$
for all $0 \le q \le r_3 - 3$. Also let $\psi : \mathcal{X} \to Q$ be the $\mathbb{Z}$-module homomorphism satisfying $\psi(\hat X_u) = X_u$ for all $0 \le u < r_3$ (since $\mathcal{X}$ is free, this is well defined and determines $\psi$ uniquely). Then for all $0 \le q \le r_3 - 3$, it's clear by Lemmas 5.4, 5.5 and 5.6 that
$$\psi(\hat\beta) = \beta = 0, \qquad \psi(\hat\Gamma_q) = \Gamma_q = 0, \qquad \psi(\hat\Delta) = \Delta = 0,$$
hence
$$(5.8)\qquad \hat\beta, \hat\Gamma_q, \hat\Delta \in \ker \psi.$$

Since $\mathcal{X}$ is free, each of its elements can be expressed as $\sum_{u=0}^{r_3-1}c_u\hat X_u$ for a unique $r_3$-tuple of integer coefficients $(c_0, c_1, \ldots, c_{r_3-1})$. Using this correspondence, we will now construct a matrix $M$ with integer entries of size $r_3 \times r_3$ (indexing its dimensions from $0$ to $r_3 - 1$) as follows:

• The $0$-th row will correspond to the coefficients of $\hat\beta$ (i.e., it will consist of all $1$'s).
• The $q$-th row for $1 \le q \le r_3 - 2$ will correspond to the coefficients of $\hat\Gamma_{q-1}$.
• The $(r_3 - 1)$-th row will correspond to the coefficients of $\hat\Delta$.

By the definition of $M$, we have
$$(5.9)\qquad M \cdot \begin{pmatrix} \hat X_0 \\ \hat X_1 \\ \hat X_2 \\ \hat X_3 \\ \vdots \\ \hat X_{r_3-2} \\ \hat X_{r_3-1} \end{pmatrix} = \begin{pmatrix} \hat\beta \\ \hat\Gamma_0 \\ \hat\Gamma_1 \\ \hat\Gamma_2 \\ \vdots \\ \hat\Gamma_{r_3-3} \\ \hat\Delta \end{pmatrix}.$$
We need to show that $M$ is unimodular, i.e., invertible over $\mathbb{Z}$, from which it will follow that $\ker \psi = \mathcal{X}$, and consequently $X_u = 0$ for all $0 \le u < r_3$. To achieve that, we will study the effect of multiplying $M$ by a character matrix (i.e., basically performing the discrete Fourier transform). But first we will need two technical lemmas, which will prove useful in a while.
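The matrix $M$ of (5.9) can be built directly from the definitions (5.5), (5.6), (5.7) and its determinant computed, which makes the unimodularity claim checkable for concrete parameters. The following Python script is an added example, not code from the paper: it assumes the special case of Section 5 (pairwise coprime $r_1, r_2, r_3 > 1$), computes $h$ and $h'$ as defined there, reads all indices of the $\hat X_u$ modulo $r_3$, and returns the exact integer determinant of $M$. Names such as `build_matrix` are the example's own, and the sample parameters are constructed.

```python
"""Added example (not from the paper): build the integer matrix M of (5.9) and test
whether it is unimodular.

Assumed parameters: pairwise coprime r1, r2, r3 > 1 (the special case of Section 5).
h and h' are the residues with r1*h = r2 and r2*h' = r1 (mod r3); the rows of M are
the coefficient vectors of beta-hat, Gamma-hat_0, ..., Gamma-hat_{r3-3} and Delta-hat
from (5.5), (5.6), (5.7), with every index of the X-hat's reduced modulo r3.
"""
from fractions import Fraction
from math import gcd


def modular_inverse_pair(r1, r2, r3):
    """Return (h, h') with r1*h = r2 and r2*h' = r1 (mod r3), both in {0, ..., r3-1}."""
    h = next(x for x in range(r3) if (r1 * x - r2) % r3 == 0)
    h_prime = next(x for x in range(r3) if (r2 * x - r1) % r3 == 0)
    return h, h_prime


def build_matrix(r1, r2, r3):
    """Rows: beta-hat, Gamma-hat_0 .. Gamma-hat_{r3-3}, Delta-hat (coefficients of X-hat_u)."""
    if min(r1, r2, r3) < 2 or gcd(r1, r2) != 1 or gcd(r1, r3) != 1 or gcd(r2, r3) != 1:
        raise ValueError("need pairwise coprime r1, r2, r3 > 1")
    _, h_prime = modular_inverse_pair(r1, r2, r3)
    r1_bar, r2_bar = r1 % r3, r2 % r3
    rows = [[1] * r3]  # beta-hat = X_0 + ... + X_{r3-1}
    for q in range(r3 - 2):  # Gamma-hat_q for 0 <= q <= r3-3, definition (5.6)
        row = [0] * r3
        for u in range(r3 - h_prime):
            for v in range(r2_bar):
                row[(q + v - u * r2 - 1) % r3] += 1
        rows.append(row)
    row = [0] * r3  # Delta-hat, definition (5.7)
    for u in range(r3):
        for v in range(r2_bar):
            for w in range(r1_bar):
                row[(v + w - u * r2 - 1) % r3] += u
    rows.append(row)
    return rows


def determinant(matrix):
    """Exact determinant of an integer matrix (Gaussian elimination over Fractions)."""
    a = [[Fraction(x) for x in row] for row in matrix]
    n = len(a)
    det = Fraction(1)
    for col in range(n):
        pivot = next((r for r in range(col, n) if a[r][col] != 0), None)
        if pivot is None:
            return 0
        if pivot != col:
            a[col], a[pivot] = a[pivot], a[col]
            det = -det
        det *= a[col][col]
        for r in range(col + 1, n):
            factor = a[r][col] / a[col][col]
            for c in range(col, n):
                a[r][c] -= factor * a[col][c]
    return int(det)


def is_unimodular(r1, r2, r3):
    """True iff det M = +-1, i.e. M is invertible over Z, which is what the argument needs."""
    return abs(determinant(build_matrix(r1, r2, r3))) == 1


if __name__ == "__main__":
    # constructed sample parameters r1 = 2, r2 = 3, r3 = 5
    m = build_matrix(2, 3, 5)
    print(m, determinant(m), is_unimodular(2, 3, 5))
```

For the constructed parameters $(r_1, r_2, r_3) = (2, 3, 5)$ one gets $h = h' = 4$, the rows $\hat\beta = (1,1,1,1,1)$, $\hat\Gamma_0 = (1,1,0,0,1)$, $\hat\Gamma_1 = (1,1,1,0,0)$, $\hat\Gamma_2 = (0,1,1,1,0)$, $\hat\Delta = (11, 9, 12, 15, 13)$, and $\det M = -1$; swapping to $(3, 2, 5)$ also gives $\det M = -1$. A determinant of $\pm 1$ for a given triple is exactly the unimodularity the text requires, checked numerically rather than through the character-matrix argument that follows.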

Let
$$R(x) := \sum_{q=0}^{r_3-1} x^q \in \mathbb Z[x],\qquad D(x) := \sum_{q=0}^{r_3-1} q\cdot x^q \in \mathbb Z[x],\qquad P(x) := -x^{r_2-1}\cdot\sum_{q=0}^{r_1-1} x^q \in \mathbb Z[x].$$
Lemma 5.7. Let $\zeta \ne 1$ be any $r_3$-th root of unity. Then we have $R(\zeta) = 0$ and $D(\zeta)\cdot(\zeta-1) = r_3$.
Proof. The first assertion is immediate since $R(\zeta)\cdot(\zeta-1) = \zeta^{r_3}-1 = 0$, but $\zeta \ne 1$. The second follows from the computation
$$D(\zeta)\cdot(\zeta-1) = \sum_{q=1}^{r_3-1} q\cdot\zeta^{q+1} - \sum_{q=1}^{r_3-1} q\cdot\zeta^q = \sum_{q=2}^{r_3}(q-1)\cdot\zeta^q - \sum_{q=1}^{r_3-1} q\cdot\zeta^q$$
$$= (r_3-1)\zeta^{r_3} + \sum_{q=1}^{r_3-1}(q-1)\cdot\zeta^q - \sum_{q=1}^{r_3-1} q\cdot\zeta^q = r_3 - 1 - \sum_{q=1}^{r_3-1}\zeta^q = r_3 - R(\zeta) = r_3. \qquad\square$$
Lemma 5.8. For any positive integer $b$ and $y \in \mathbb C$, we have the equality
$$(y-1)\cdot\sum_{u=1}^{b} u\cdot y^u = (b+1)y^{b+1} - \sum_{u=0}^{b} y^{u+1}.$$
Proof. We have
$$(y-1)\cdot\sum_{u=1}^{b} u\cdot y^u = \sum_{u=1}^{b} u\cdot y^{u+1} - \sum_{u=1}^{b} u\cdot y^u = \sum_{u=0}^{b} u\cdot y^{u+1} - \sum_{u=0}^{b-1}(u+1)\cdot y^{u+1}$$
$$= b\cdot y^{b+1} + \sum_{u=0}^{b-1}\big(u-(u+1)\big)\cdot y^{u+1} = (b+1)y^{b+1} - \sum_{u=0}^{b} y^{u+1}. \qquad\square$$

Now let $\zeta$ be any $r_3$-th root of unity and consider the $\mathbb Z$-module homomorphism from $\hat{\mathcal X}$ to the cyclotomic field $\mathbb Q(\zeta)$ given by
$$\sum_{u=0}^{r_3-1} c_u \hat X_u \mapsto \sum_{u=0}^{r_3-1} c_u \zeta^u$$
(since $\hat{\mathcal X}$ is free, this is well defined and determines the homomorphism uniquely). We can apply this homomorphism to $\hat\beta, \hat\Gamma_q, \hat\Delta$ for any $0 \le q \le r_3-3$, and we will denote its respective values on these elements by $\beta(\zeta), \Gamma_q(\zeta), \Delta(\zeta) \in \mathbb Q(\zeta)$. Note that since $\zeta^{r_3} = 1$, we have $\zeta^u = \zeta^{\bar u}$ for any $u \in \mathbb Z$.
Lemma 5.9. Let $\zeta \ne 1$ be any $r_3$-th root of unity. Then for all $0 \le q < r_3-3$, we have
$$\beta(\zeta) = 0,\qquad \Gamma_q(\zeta) = \zeta^q\cdot P(\zeta)\qquad\text{and}\qquad \Delta(\zeta) = D(\zeta)\cdot P(\zeta).$$
Proof. Note that $\zeta^{-r_2} \ne 1$, since $\gcd(r_3, r_2) = 1$ and $\zeta \ne 1$. From the definitions and Lemma 5.7, we directly get $\beta(\zeta) = R(\zeta) = 0$. For the second assertion, we have

$$\Gamma_q(\zeta) = \sum_{u=0}^{r_3-h_0-1}\sum_{v=0}^{r_2-1}\zeta^{q+v-ur_2-1} = \zeta^{q-1}\cdot\sum_{v=0}^{r_2-1}\zeta^v\sum_{u=0}^{r_3-h_0-1}\zeta^{-ur_2} = \zeta^{q-1}\cdot\frac{\zeta^{r_2}-1}{\zeta-1}\cdot\frac{\zeta^{-(r_3-h_0)r_2}-1}{\zeta^{-r_2}-1}$$
$$= \zeta^{q-1}\cdot\frac{\zeta^{r_2}-1}{\zeta^{-r_2}-1}\cdot\frac{\zeta^{r_1}-1}{\zeta-1} = \zeta^q\cdot P(\zeta).$$
Similarly, using Lemma 5.8 with $y = \zeta^{-r_2}$ and $b = r_3-1$, we can see that
$$\Delta(\zeta) = \sum_{u=0}^{r_3-1}\sum_{v=0}^{r_2-1}\sum_{w=0}^{r_1-1} u\cdot\zeta^{v+w-ur_2-1} = \zeta^{-1}\cdot\sum_{v=0}^{r_2-1}\zeta^v\cdot\sum_{w=0}^{r_1-1}\zeta^w\cdot\sum_{u=0}^{r_3-1} u\cdot\zeta^{-ur_2}$$
$$= \zeta^{-1}\cdot\frac{\zeta^{r_2}-1}{\zeta-1}\cdot\frac{\zeta^{r_1}-1}{\zeta-1}\cdot\frac{r_3\zeta^{-r_2r_3} - \sum_{u=0}^{r_3-1}\zeta^{-r_2(u+1)}}{\zeta^{-r_2}-1}$$

$$= \zeta^{-1}\cdot\frac{\zeta^{r_2}-1}{\zeta-1}\cdot\frac{\zeta^{r_1}-1}{\zeta-1}\cdot\frac{r_3 - \zeta^{-r_2}R(\zeta^{-r_2})}{\zeta^{-r_2}-1} = \zeta^{-1}\cdot\frac{\zeta^{r_2}-1}{\zeta-1}\cdot\frac{\zeta^{r_1}-1}{\zeta-1}\cdot\frac{r_3}{\zeta^{-r_2}-1}$$
$$= \zeta^{-1}\cdot\frac{r_3}{\zeta-1}\cdot\frac{\zeta^{r_2}-1}{\zeta^{-r_2}-1}\cdot\frac{\zeta^{r_1}-1}{\zeta-1} = D(\zeta)\cdot P(\zeta)$$
by Lemma 5.7. $\square$
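A worked check of the identities behind the last steps of the proof above, added here and not part of the original paper: the simplification that turns the geometric-sum factors into $P(\zeta)$, and Lemmas 5.7 and 5.8 in the smallest instance $r_3 = 3$, $b = 2$.
$$\zeta^{-1}\cdot\frac{\zeta^{r_2}-1}{\zeta^{-r_2}-1} = \zeta^{-1}\cdot\frac{\zeta^{r_2}-1}{\zeta^{-r_2}(1-\zeta^{r_2})} = -\zeta^{r_2-1},\qquad\text{hence}\qquad \zeta^{q-1}\cdot\frac{\zeta^{r_2}-1}{\zeta^{-r_2}-1}\cdot\frac{\zeta^{r_1}-1}{\zeta-1} = \zeta^q\cdot\Big(-\zeta^{r_2-1}\sum_{j=0}^{r_1-1}\zeta^j\Big) = \zeta^q\cdot P(\zeta).$$
For $r_3 = 3$ and $\zeta = e^{2\pi i/3}$ (so $\zeta^3 = 1$ and $1+\zeta+\zeta^2 = 0$):
$$R(x) = 1+x+x^2,\quad D(x) = x+2x^2,\qquad R(\zeta) = 0,\qquad D(\zeta)\cdot(\zeta-1) = \zeta^2-\zeta+2\zeta^3-2\zeta^2 = 2-\zeta-\zeta^2 = 3 = r_3,$$
so $D(\zeta) = r_3/(\zeta-1)$, which is exactly the factor used in the computation of $\Delta(\zeta)$. Lemma 5.8 with $b = 2$:
$$(y-1)\cdot(y+2y^2) = 2y^3 - y^2 - y = 3y^3 - (y+y^2+y^3) = (b+1)y^{b+1} - \sum_{u=0}^{2} y^{u+1}.$$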

Proposition 5.10. M is unimodular.

Proof. Let $\zeta_{r_3}$ be a primitive $r_3$-th root of unity and let $C$ be the corresponding character matrix, i.e., $C = (\zeta_{r_3}^{\,r\cdot c})_{0 \le r, c < r_3}$

$\zeta_{r_3}$ by a row of $M$ from the left corresponds to evaluating the polynomial obtained from this row at $\zeta_{r_3}$. Hence we have $M\cdot C = C'$, where $C'_{0,0} = R(1) = r_3$ and the $c$-th column of $C'$ is

$$\begin{pmatrix} R(\zeta_{r_3}^c) \\ P(\zeta_{r_3}^c) \\ \zeta_{r_3}^c\cdot P(\zeta_{r_3}^c) \\ (\zeta_{r_3}^c)^2\cdot P(\zeta_{r_3}^c) \\ \vdots \\ (\zeta_{r_3}^c)^{r_3-3}\cdot P(\zeta_{r_3}^c) \\ D(\zeta_{r_3}^c)\cdot P(\zeta_{r_3}^c)\end{pmatrix} = \begin{pmatrix} 0 \\ P(\zeta_{r_3}^c) \\ \zeta_{r_3}^{c}\cdot P(\zeta_{r_3}^c) \\ \zeta_{r_3}^{2c}\cdot P(\zeta_{r_3}^c) \\ \vdots \\ \zeta_{r_3}^{(r_3-3)c}\cdot P(\zeta_{r_3}^c) \\ D(\zeta_{r_3}^c)\cdot P(\zeta_{r_3}^c)\end{pmatrix}$$
for any $0 < c < r_3$ (we don't need to specify the rest of the $0$-th column, since it doesn't influence the determinant of $C'$). Thus by taking out $P(\zeta_{r_3}^c)$ from each of these columns, we get (using that multiplication by $r_1$ is an automorphism of $\mathbb Z/r_3$, since $\gcd(r_1, r_3) = 1$)

$$|\det C'| = |\det C''|\cdot\Big|\prod_{0<c<r_3} P(\zeta_{r_3}^c)\Big|$$

$$\begin{pmatrix}\hat X_0 \\ \hat X_1 \\ \hat X_2 \\ \hat X_3 \\ \vdots \\ \hat X_{r_3-2} \\ \hat X_{r_3-1}\end{pmatrix} = M^{-1}\cdot\begin{pmatrix}\hat\beta \\ \hat\Gamma_0 \\ \hat\Gamma_1 \\ \hat\Gamma_2 \\ \vdots \\ \hat\Gamma_{r_3-3} \\ \hat\Delta\end{pmatrix},$$
which implies that $\hat\beta, \hat\Gamma_0, \hat\Gamma_1, \ldots, \hat\Gamma_{r_3-3}, \hat\Delta$ generate $\hat{\mathcal X}$. But all of these elements lie in $\ker\psi$ by (5.8), hence $\ker\psi = \hat{\mathcal X}$ and $\psi$ is the zero homomorphism. On the other hand, we know that the image of $\psi$ is generated by $X_0, X_1, \ldots, X_{r_3-1}$ by the definition of $\psi$, so all of these must be zero as well. $\square$
Corollary 5.12. We have $Y_u = 0$ for all $r_1 + r_3 - 2 \le u < n_2$.
Proof. By the Chinese remainder theorem, it suffices to show by induction with respect to $u = 0, 1, \ldots, r_3-1$ that for any $0 \le v < r_1$, we have $Y_{v-uhr_1} = 0$. The base case $u = 0$ follows directly from the definition of $Y_u$. Now suppose the statement is true for a given $0 \le u < r_3-1$. Then using $N_1 \sim 0$ and Lemma 5.3, we get

$$0 = \sigma_2^{\,v-uhr_1}\cdot N_1\mu = \sum_{x_1=r_2(r_3-1)}^{n_1-1}\sigma_1^{x_1}\sigma_2^{\,v-uhr_1}\cdot\mu = \underbrace{Y_{v-uhr_1}}_{=0} - Y_{v-uhr_1-hr_1} + \underbrace{\sum_{x_1=r_2(r_3-1)}^{n_1-1} X_{v-uhr_1-x_1}}_{=0} = -Y_{v-(u+1)hr_1}$$
by the induction hypothesis and by Corollary 5.11. This completes the induction. $\square$
By Lemma 5.3, it now follows that $Q$ is trivial, so we have proven the following theorem for the set $B_5$ defined on page 232:
Theorem 5.13. Under Assumption 3.1, if
$$a_1 = a_2 = a_3 = r_4 = 1,\quad r_1 \ne 1,\quad r_2 \ne 1,\quad r_3 \ne 1,\quad s_{12} = s_{13} = s_{23} = 1,\quad \gcd(n_1, n_2, n_3) = 1,$$
then the set $B_5 \cup B_D$ forms a basis of $D^+$ and the set $B_5 \cup B_C$ forms a basis of $C^+$.

6. Four more special cases In a similar, although less technical way, a Z-basis of D+ and C+ can be constructed in another four cases, as given below. The details can be found in [6].

Theorem 6.1. Under Assumption 3.1, if $r_1 = r_2 = r_3 = r_4 = 1$, then the set $B_1 \cup B_D$ forms a basis of $D^+$ and the set $B_1 \cup B_C$ forms a basis of $C^+$, where $B_1$ is the set of the following conjugates $\eta^{\sigma_1^{x_1}\sigma_2^{x_2}\sigma_3^{x_3}\sigma_4^{x_4}}$:
• $0 \le x_1 < a_1m-1$, $0 \le x_2 < a_2m-1$, $0 \le x_3 < a_3m-1$, $1 \le x_4 < a_4$,
• $0 \le x_1 < a_1m-1$, $0 \le x_2 < a_2(m-1)-1$, $0 \le x_3 < a_3m-1$, $x_4 = 0$,
• $0 \le x_1 < a_1-1$, $x_2 = a_2(m-1)-1$, $0 \le x_3 < a_3m-1$, $x_4 = 0$,
• $x_1 = a_1-1$, $x_2 = a_2(m-1)-1$, $0 \le x_3 < a_3(m-1)$, $x_4 = 0$.

Theorem 6.2. Under Assumption 3.1, if $r_1 = r_2 = a_3 = r_4 = 1$, then the set $B_2 \cup B_D$ forms a basis of $D^+$ and the set $B_2 \cup B_C$ forms a basis of $C^+$, where $B_2$ is the set of the following conjugates $\eta^{\sigma_1^{x_1}\sigma_2^{x_2}\sigma_3^{x_3}\sigma_4^{x_4}}$:
• $0 \le x_1 < a_1m-1$, $0 \le x_2 < a_2m-1$, $0 \le x_3 < n_3-1$, $1 \le x_4 < a_4$,
• $0 \le x_1 < a_1m-1$, $0 \le x_2 < a_2(m-1)-1$, $1 \le x_3 < n_3$, $x_4 = 0$,
• $0 \le x_1 < a_1$, $x_2 = a_2(m-1)-1$, $1 \le x_3 < n_3$, $x_4 = 0$.

Theorem 6.3. Under Assumption 3.1, if $a_1 = a_2 = r_3 = r_4 = 1$, then the set $B_3 \cup B_D$ forms a basis of $D^+$ and the set $B_3 \cup B_C$ forms a basis of $C^+$, where $B_3$ is the set of the following conjugates $\eta^{\sigma_1^{x_1}\sigma_2^{x_2}\sigma_3^{x_3}\sigma_4^{x_4}}$:
• $0 \le x_1 < n_1-1$, $0 \le x_2 < n_2-1$, $0 \le x_3 < a_3m-1$, $0 < x_4 \le a_4-1$,
• $0 \le x_1 < n_1-1$, $0 \le x_2 < n_2-1$, $a_3 < x_3 < a_3m$, $x_4 = 0$,
• $1 \le x_1 < \gcd(n_1, n_2)$, $x_2 = 0$, $x_3 = 0$, $x_4 = 0$.

Theorem 6.4. Under Assumption 3.1, if
$$a_1 = a_2 = a_3 = r_4 = 1,\qquad \gcd(n_1, n_2, n_3) = \gcd(n_1, n_2),$$
then the set $B_4 \cup B_D$ forms a basis of $D^+$ and the set $B_4 \cup B_C$ forms a basis of $C^+$, where $B_4$ is the set of the following $N$ conjugates $\eta^{\sigma_1^{x_1}\sigma_2^{x_2}\sigma_3^{x_3}\sigma_4^{x_4}}$:
• $0 \le x_1 < n_1-1$, $0 \le x_2 < n_2-1$, $0 \le x_3 < n_3-1$, $0 < x_4 \le a_4-1$,
• $0 \le x_1 < n_1-1$, $0 \le x_2 < n_2-1$, $1 < x_3 \le n_3-1$, $x_4 = 0$,
• $1 \le x_1 < n_1$, $\gcd(n_2, n_3) \le x_2 < n_2$, $x_3 = 0$, $x_4 = 0$,
• $\gcd(n_1, n_3) \le x_1 < n_1$, $1 \le x_2 < \gcd(n_2, n_3)$, $x_3 = 0$, $x_4 = 0$,
• $1 \le x_1 < \gcd(n_1, n_2)$, $x_2 = 0$, $x_3 = 0$, $x_4 = 0$.

7. The module of relations

In this section, we will study the relations between the generators of the group of circular numbers more abstractly, following the approach in [2]. Sometimes we will only state the results and just outline the proofs or even omit them altogether. Consider the (additively written) $\mathbb Z[G]$-module

$$\mathcal X := \bigoplus_{\emptyset \subsetneq I \subseteq \{1,2,3,4\}} \mathbb Z\Big[\mathrm{Gal}\Big(\big(k \cap \textstyle\prod_{i\in I} K_i\big)/\mathbb Q\Big)\Big] = \mathbb Z[\mathrm{Gal}(k/\mathbb Q)] \oplus \bigoplus_{i,j,l}\mathbb Z[\mathrm{Gal}((k\cap K_iK_jK_l)/\mathbb Q)] \oplus \bigoplus_{i,j}\mathbb Z[\mathrm{Gal}((k\cap K_iK_j)/\mathbb Q)] \oplus \bigoplus_{i}\mathbb Z[\mathrm{Gal}((k\cap K_i)/\mathbb Q)],$$
where $G$ acts on each summand via restriction. For any $\emptyset \subsetneq I \subseteq \{1,2,3,4\}$, we will denote by $x_I$ the element of $\mathcal X$ having all coordinates zero except for $1$ at the position corresponding to $I$. To simplify the notation, we will sometimes write simply

$$x := x_{\{1,2,3,4\}},\qquad x_{ijl} := x_{\{i,j,l\}},\qquad x_{ij} := x_{\{i,j\}},\qquad x_i := x_{\{i\}}$$
and similarly

$$\eta_{ijl} := \eta_{\{p_i,p_j,p_l\}},\qquad \eta_{ij} := \eta_{\{p_i,p_j\}},\qquad \eta_i := \eta_{\{p_i\}}.$$
Therefore we have
$$\mathcal X = \langle x, x_{123}, x_{124}, x_{134}, x_{234}, x_{12}, x_{13}, x_{14}, x_{23}, x_{24}, x_{34}, x_1, x_2, x_3, x_4\rangle_{\mathbb Z[G]}$$
and

$$D^+ = \langle \eta, \eta_{123}, \eta_{124}, \eta_{134}, \eta_{234}, \eta_{12}, \eta_{13}, \eta_{14}, \eta_{23}, \eta_{24}, \eta_{34}, \eta_1, \eta_2, \eta_3, \eta_4\rangle_{\mathbb Z[G]}.$$
Since $\eta \in k$, $\eta_{ijl} \in k \cap K_iK_jK_l$, $\eta_{ij} \in k \cap K_iK_j$ and $\eta_i \in k \cap K_i$, this gives us a surjective homomorphism of $\mathbb Z[G]$-modules $\varphi\colon \mathcal X \to D^+$ defined by
$$\varphi(x) = \eta,\qquad \varphi(x_{ijl}) = \eta_{ijl},\qquad \varphi(x_{ij}) = \eta_{ij},\qquad \varphi(x_i) = \eta_i.$$
Then $\ker\varphi$ is a $\mathbb Z[G]$-submodule of $\mathcal X$, and we will call it the module of relations of $k$, because we can regard its elements as the relations between the generators of the group of circular numbers of $k$. Lemmas 2.3 and 2.6 imply that for any $I \subseteq \{1,2,3,4\}$, $|I| \ge 2$ and $i \in I$, we have

$$N_{k\cap\prod_{u\in I}K_u\,/\,k\cap\prod_{u\in I\setminus\{i\}}K_u}\,\varphi(x_I) \in C^+\Big(k \cap \prod_{u\in I\setminus\{i\}}K_u\Big),$$
hence there exists some

$$\rho_{i,I} \in \big\langle\{x_J \mid \emptyset \subsetneq J \subseteq I\setminus\{i\}\}\big\rangle_{\mathbb Z[G]}$$
such that
$$N_{i,I} := N_{k\cap\prod_{u\in I}K_u\,/\,k\cap\prod_{u\in I\setminus\{i\}}K_u}\,x_I - \rho_{i,I} \in \ker\varphi.$$
We will call $N_{i,I}$ a norm relation. Note that for $I = \{1,2,3,4\}$, we have
$$N_{k\cap\prod_{u\in I}K_u\,/\,k\cap\prod_{u\in I\setminus\{i\}}K_u}\,x = R_iN_ix.$$
Remark 7.1. In fact, the relation $N_{i,I}$ can be described much more explicitly using the Frobenius automorphisms, but we won't go into the details here.

Now let $M$ be the $\mathbb Z[G]$-submodule of $\ker\varphi$ generated by the norm relations $N_{i,I}$ for all possible $I \subseteq \{1,2,3,4\}$, $|I| \ge 2$ and $i \in I$. Our goal will be to describe the quotient $\mathbb Z[G]$-module $\ker\varphi/M$, which we will call the module of Ennola relations of $k$. (However, to follow the terminology in [2], by an Ennola relation we will mean an element of $\ker\varphi \setminus M$ rather than of $\ker\varphi/M$.) Let $E_{ijl}$ be the Ennola relation described by Theorem 10 in [2] applied to the field $k \cap K_iK_jK_l$. By Theorem 19 there, $E_{ijl}$ generates all the Ennola relations (modulo the norm relations) for this field.

Proposition 7.2. In all the cases described in Sections 5 and 6, the $\mathbb Z[G]$-module $\ker\varphi/M$ is generated by the classes of $E_{123}, E_{124}, E_{134}, E_{234}$. In addition, the action of $G$ on $\ker\varphi/M$ is trivial.

Proof. For any case described in Sections 5 and 6, let $B$ be a $\mathbb Z$-basis of $D^+$. For any element of $B$, we will fix its preimage with respect to $\varphi$; let $Y$ be the set of these fixed preimages. Then the elements of $Y$ are $\mathbb Z$-linearly independent and we have $\mathcal X = \ker\varphi \oplus \langle Y\rangle_{\mathbb Z}$. Recall that in order to construct $B$, we always used only ($\mathbb Z[G]$-linear combinations of) norm relations together with the four implicit Ennola relations $E_{123}, E_{124}, E_{134}, E_{234}$ from [2]. This shows that $\ker\varphi$ is generated by $M \cup \{E_{123}, E_{124}, E_{134}, E_{234}\}$, which proves the first part of the proposition. The second part follows from the observation that the action of $G$ on $E_{ijl}$ is the same as the action of $\mathrm{Gal}((k \cap K_iK_jK_l)/\mathbb Q)$ on $E_{ijl}$, which is trivial by Theorem 19 in [2]. $\square$

In certain cases, we can say something stronger. For the rest of this paragraph and for the next lemma, we will only use Assumption 3.1 (so we're not focusing on the five cases in Sections 5 and 6 yet). As in the proof of Lemma 4.1, let $K'$ be the genus field in the narrow sense of $k' = k \cap K_1K_2K_3$, and for any $u \in \{1,2,3\}$, let $K'_u$ be the maximal subfield of $K'$ ramified only at $p_u$, $T'_u$ be the inertia subgroup of $\mathrm{Gal}(K'/\mathbb Q)$ corresponding to $p_u$ and $r'_u := [K' : k'K'_u]$. The order of $E_{123}$ in the module $\ker\varphi/M$ of Ennola relations of $k$ is a divisor of the order of $E_{123}$ in the module of Ennola relations of $k'$, which is equal to $\frac{[K':k']}{r'_1r'_2r'_3}$ by Theorem 19 of [2].

Lemma 7.3. Let $s_{ij} = 1$ for all $i, j \in \{1,2,3\}$. Then we have $T'_u = T_u$, $K_u = K'_u$ and $r'_u = r_u$ for all $u \in \{1,2,3\}$, and moreover $[K' : k'] = m$.
Proof. Using Proposition 3.3, the ramification index of $p_1$ in $k'/\mathbb Q$ is
$$|T'_1| = [k' : k' \cap K_2K_3] = \frac{[K_1K_2K_3 : k \cap K_2K_3]}{[K_1K_2K_3 : k \cap K_1K_2K_3]} = \frac{|T_1|\cdot\frac{m}{s_{23}}}{m} = \frac{|T_1|}{s_{23}}.$$
Since $s_{23} = 1$, we have $|T'_1| = |T_1|$ and $K'_1 = K_1$. Similarly, $|T'_2| = |T_2|$, $|T'_3| = |T_3|$ and $K'_2 = K_2$, $K'_3 = K_3$. Hence

$$[K' : k'] = [K_1K_2K_3 : k \cap K_1K_2K_3] = m$$
and

$$r'_1 = [K' : K'_1k'] = \frac{[K':k']}{[K_1k':k']} = \frac{m}{[K_1 : K_1 \cap k']} = \frac{m}{[K_1 : k \cap K_1]} = \frac{m}{m/r_1} = r_1$$
by Proposition 3.3 again (and similarly $r'_2 = r_2$, $r'_3 = r_3$). $\square$
Obvious analogies of Lemma 7.3 could also be stated for the fields $k \cap K_1K_2K_4$, $k \cap K_1K_3K_4$ and $k \cap K_2K_3K_4$, but we would get a collision in notation because of our asymmetric definition of $k'$. The proofs would be exactly the same though, because the only asymmetry present is purely notational.
Corollary 7.4. In the following three cases, more can be said about $\ker\varphi/M$:
(i) If $r_1 = r_2 = r_3 = r_4 = 1$, then $\ker\varphi/M$ is a quotient of $(\mathbb Z/m)^4$.
(ii) If $r_1 = r_2 = a_3 = r_4 = 1$, then $\ker\varphi/M$ is a quotient of $(\mathbb Z/n_3)^3 \times \mathbb Z/m$.
(iii) If $a_1 = a_2 = a_3 = r_4 = 1$, $r_1 \ne 1$, $r_2 \ne 1$, $r_3 \ne 1$, $s_{12} = s_{13} = s_{23} = 1$, $\gcd(n_1, n_2, n_3) = 1$,

then $\ker\varphi/M$ is a quotient of $\mathbb Z/r_1 \times \mathbb Z/r_2 \times \mathbb Z/r_3$, so it is in particular cyclic.
Proof. This follows immediately from Proposition 7.2 and the mentioned analogies of Lemma 7.3 (in the third part we also use the pairwise coprimality of $r_1, r_2, r_3$ by Lemma 3.6). $\square$

Remark 7.5. In the case

$$a_1 = a_2 = a_3 = a_4 = r_1 = r_2 = r_3 = r_4 = 1$$
(which is a special case of the first case in Section 6), it can be shown that $\ker\varphi/M \cong (\mathbb Z/m)^4$, which is a stronger result than in Corollary 7.4. The proof is too technical to be included here, but essentially it consists of constructing a $\mathbb Z$-module (not $\mathbb Z[G]$-module!) homomorphism from $\mathcal X$ to $\mathbb Z/m$ and showing that all the norm relations together with three of the four Ennola relations lie in its kernel, while the fourth Ennola relation maps to the class of $1$ modulo $m$. It is possible that a similar approach could be used in other cases to improve the bounds in Corollary 7.4.
Remark 7.6. A crucial part of the proof of Proposition 7.2 was the fact that in all of the cases studied in Sections 5 and 6, we never encountered any new Ennola relation, i.e., an element of $\ker\varphi \setminus M$ having a nonzero coefficient at $x$. This will not always be the case though, because we have already found a new Ennola relation $E$ in the special case

$$m = a_3 = r_3 = 2,\qquad a_1 = a_2 = a_4 = r_1 = r_2 = r_4 = 1.$$
It's not very hard to show that $E \notin M$ (and $2E \in M$), but the proof that $E \in \ker\varphi$ is again too technical to be described here. Note that in this case, we have $N = 0$ (recall that $N$ was defined by the equation (4.1)), but it is still possible to recover all the conjugates of $\eta$ using this new Ennola relation $E$. In fact, it appears quite plausible that a new Ennola relation could arise whenever we have $a_i > 1$ and $r_i > 1$ at the same time. It is not a coincidence that this didn't happen in any of the cases studied in Sections 5 and 6, because it seems that this assumption will drastically increase the difficulty of the construction of $\mathbb Z$-bases of $D^+$ and $C^+$.

References

[1] Dohmae, K., A note on Sinnott's index formula, Acta Arith. 82 (1997), 57–67.
[2] Kučera, R., Salami, A., Circular units of an abelian field ramified at three primes, J. Number Theory 163 (2016), 296–315. DOI: https://doi.org/10.1016/j.jnt.2015.11.023
[3] Lettl, G., A note on Thaine's circular units, J. Number Theory 35 (1990), 224–226. DOI: http://dx.doi.org/10.1016/0022-314X(90)90115-8
[4] Rubin, K., Global units and ideal class groups, Invent. Math. 89 (1987), 511–526.
[5] Salami, A., Bases of the group of cyclotomic units of some real abelian extension, Ph.D. thesis, Université Laval Québec, 2014.
[6] Sedláček, V., Circular units of abelian fields, Master's thesis, Masaryk University, Faculty of Science, Brno, 2017, [online], [cit. 2017-07-17].
[7] Sinnott, W., On the Stickelberger ideal and the circular units of an abelian field, Invent. Math. 62 (1980/81), 181–234.
[8] Thaine, F., On the ideal class groups of real abelian number fields, Ann. of Math. (2) 128 (1988), 1–18.

Department of Mathematics, Faculty of Science, Masaryk University, 611 37 Brno, Czech Republic E-mail: [email protected]