Advances in Mathematics of Communications
doi:10.3934/amc.2010.4.281
Volume 4, No. 2, 2010, 281–305

RELATIONS BETWEEN ARITHMETIC GEOMETRY AND PUBLIC KEY CRYPTOGRAPHY

Gerhard Frey
Institute for Experimental Mathematics
University of Duisburg-Essen
Ellernstrasse 29, 45326 Essen, Germany

(Communicated by Ian Blake)

Abstract. In this article we shall try to give an overview of the interplay between the design of public key cryptosystems and algorithmic arithmetic geometry. We begin in Section 2 with a very abstract setting and try to avoid all structures which are not necessary for protocols like Diffie-Hellman key exchange, ElGamal signature and pairing based cryptography (e.g. short signatures). As an unavoidable consequence of the generality the result is difficult to read and clumsy. But nevertheless it may be worthwhile, because there are suggestions for systems which do not use the full strength of group structures (see Subsection 2.2.1) and it may motivate the search for alternatives to known group-based systems. But, of course, the main part of the article deals with the usual realization by discrete logarithms in groups, and the main source for cryptographically useful groups are divisor class groups. We describe advances concerning arithmetic in such groups attached to curves over finite fields, including addition and point counting, which have an immediate application to the construction of cryptosystems. For the security of these systems one has to make sure that the computation of the discrete logarithm is hard. We shall see how methods from arithmetic geometry narrow the range of candidates usable for cryptography considerably and leave only carefully chosen curves of genus 1 and 2 without flaw. A last section gives a short report on background and realization of bilinear structures on divisor class groups induced by duality theory of class field theory; the key concept here is the Lichtenbaum-Tate pairing.

2000 Mathematics Subject Classification: 11R65, 11R37, 11G20.
Key words and phrases: Discrete logarithms, bilinear structures, divisor class groups, public key systems.
This paper is based on a lecture presented at “CHiLE, Curvas Hiperelipticas, Logaritmos discretos, Encriptacion, etc.”, 16-20 March 2009 in Frutillar, Chile. I would like to thank the organizers for the opportunity to participate in this very interesting and inspiring conference and to enjoy the warm and generous hospitality.
© 2010 AIMS-SDU

1. Arithmetic geometry

Arithmetic geometry is one of the most powerful ingredients in mathematics. It combines classical algebraic number theory with algebraic geometry. It uses the theory of functions over C, and so analytic geometry, and it transfers this theory to its p-adic counterpart, p-adic rigid geometry. By construction these theories (as well as a great part of classical algebraic geometry) use algebraically closed ground fields. To come down to arithmetically interesting fields K like number fields, p-adic fields, finite fields or, more generally, fields which are finitely generated over their prime fields, one uses the action of the absolute Galois group G_K = Aut(K_s/K), where K_s is the separable closure of K. This point of view leads in a natural way to the study of absolute Galois groups. As a rule G_K will be very big. But it carries a natural topology as a profinite group and is compact. Hence the appropriate tools for studying G_K are continuous representations in linear groups over arithmetically interesting rings (very often endowed with the discrete topology). This approach was used with great success during the last 50 years.
It led to proofs of famous diophantine results like Deligne’s proof of the Weil conjectures, Faltings’ proof of Mordell’s conjecture, Wiles’ proof of Fermat’s Last Theorem and, during the last years, to a proof of Serre’s conjecture by Khare, Wintenberger, Kisin and others, which classifies the odd two-dimensional representations of G_Q over finite fields. The last example is particularly interesting. It is a kind of generalization of Taniyama’s conjecture, and it states that two-dimensional representations of G_Q are closely related to modular forms. Behind this there is the celebrated Langlands philosophy, which is a major motive in present-day research in arithmetic.

1.1. Algorithmic arithmetic geometry.

Classically, algorithmic aspects of number theory mostly deal with lattices and derived objects. A fundamental result is Minkowski’s theorem on points with small norms in lattices and related results, for instance about reduction of quadratic forms following Lagrange and Gauß. The enormous growth of computational power made it possible to construct interesting examples in a wide range, and very often one meets the LLL algorithm as a major tool. The theoretical results mentioned above are yielding very exciting and rapidly proceeding algorithmic aspects of arithmetic geometry, generalizing considerably both the range and the techniques of classical computational number theory. Prominent examples are the computation of tables of modular forms including congruences, the algorithmic study of modular curves (see for instance the Cremona tables listing elliptic curves) and related Galois representations. Having translated arithmetical problems into the geometric language has the immediate consequence that one can apply the methods to the geometric case, too. And so we now have a very advanced theoretical and algorithmic toolkit to deal with the explicit theory of varieties over finite fields as counterpart to the explicit theory of algebraic number fields.

1.2. Public key cryptosystems.
The question is: Has this anything to do with practical aspects of data security? In particular, as announced in the title, is it relevant to public key cryptography? As we shall see soon, the most effective ways to construct public key cryptosystems are based on computational arithmetic geometry. The power of the methods used opens immediately a wide range of possible candidates for systems. But, on the other side, it allows one to develop very efficient attacks. So most of the suggested candidates for public key systems did not fulfil the expectations. Nevertheless it was necessary to investigate them, and in many cases we can understand partial weaknesses of systems based on elliptic curves by making more general objects accessible to computation. The continuous study of the consequences of advances in algorithmic arithmetic geometry for the security of the cryptosystems in use, and of the failures of attacks, gives mathematicians a better conscience and users more trust. Even people only interested in designing systems without being interested in the theoretical background can choose (very special) instances, e.g. one elliptic curve over a given field with given addition formulas, given in a list of standardized curves. But it is not only the status quo which is supported. New points of view from the theoretical side allow advances in the design of hardware as well as in protocols. One of the striking examples is the development of pairing based cryptography. From its background, namely duality theory in arithmetic geometry, there goes a direct path to very efficient implementations of pairings which allow, for instance, new ways to sign. Finally, though a good part of the necessary work is done, there are still problems for public key cryptography for which arithmetic geometry has to deliver solutions.
In the following I shall mention some ideas in this direction, but there may be more surprises in future.

We do not want to miss another aspect. The demands of engineering and of computer science stimulated progress in pure mathematics in a considerable way. By now classical examples come from coding theory. In the same way the extreme requirements resulting from data security, concerning both constructive aspects (like point counting) and destructive aspects (like factoring), need the most effective algorithms, and nothing is more effective than a good theory. So there was an interplay between theoretical and algorithmic aspects of discrete mathematics and data security which was very fruitful for both sides, and there is no doubt that this will be so in future, too.

1.3. Cryptographic primitives.

We want to
• exchange keys,
• sign messages,
• authenticate entities, and
• encrypt and decrypt (not too large) messages
with simple protocols and clear, easy to follow implementation rules based on cryptographic primitives. Apart from the difficult task of developing protocols without security flaws, our systems rely on the computational hardness of a mathematical task. Here we already have a problem: which mathematical task under which side conditions has to be solved?

Example 1.

1. The RSA system is based on the RSA Assumption: Given a randomly generated RSA modulus N, an exponent e and a random x ∈ {1, ..., N − 1}, it is hard to find an m ∈ {1, ..., N − 1} with m^e = x. At present it is not clear whether an algorithm solving the RSA problem would yield an algorithm of the same complexity for factoring random numbers. It can be suspected (see [4]) that this may not be true if we restrict e to very small numbers (e.g. e = 3 or e = 17). Caution: We have to distinguish the RSA assumption from the problem of finding the private key d (i.e. the number d with d · e ≡ 1 mod ϕ(N)), which is as hard as factoring.

2. The NTRU system looks like a problem of factoring polynomials (in non-UFD domains (!)), but in fact there is a lattice behind the system (work of Coppersmith and Shamir), and the attack on NTRU is the search for short vectors in this lattice.

3. Akiyama and Goto have proposed a cryptosystem using algebraic surfaces over a finite field. The construction seemed to imply that the mathematical task was to find rational points on curves over function fields (stated in the equivalent form of sections of fibrations on surfaces).
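The "Caution" in item 1 of Example 1 states that finding the private exponent d is as hard as factoring N. The direction that matters for anyone operating an RSA key is the converse: whoever learns d can recover p and q, so a leaked d is a total compromise of the key and not merely a decryption capability, and d must be protected exactly as strongly as the factorization itself. The following Python script is added here as an illustration; it is not part of Frey's paper. It implements the standard reduction from d to the factorization (k = e·d − 1 is a multiple of ϕ(N), and repeated squaring of g^(k/2^t) exposes a nontrivial square root of 1 mod N) on constructed toy primes. The function names, the demo primes (the 10,000th and 100,000th primes, far too small for real use) and the fixed random seed are my own choices; `pow(e, -1, phi)` assumes Python 3.8 or later.

```python
import math
import random


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA key generation from two given primes.

    Returns (N, e, d) with d * e ≡ 1 (mod phi(N)). No padding and no prime
    generation: the primes are supplied by the caller (constructed demo values).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(N)")
    d = pow(e, -1, phi)  # modular inverse of e, Python 3.8+
    return n, e, d


def factor_from_private_exponent(n: int, e: int, d: int, seed: int = 0, max_tries: int = 200):
    """Recover the primes (p, q) of n from a known private exponent d.

    k = e*d - 1 is a multiple of phi(n), so g^k ≡ 1 (mod n) for every g coprime to n.
    Write k = 2^t * r with r odd. Starting from x = g^r and squaring repeatedly we must
    reach 1; if we reach 1 from some x not in {1, n-1}, then x is a nontrivial square
    root of 1 and gcd(x - 1, n) is a proper factor. A random g works with probability
    at least 1/2, so a handful of tries suffices.
    """
    k = e * d - 1
    if k <= 0 or pow(2, k, n) != 1:
        raise ValueError("(e, d) is not a valid RSA key pair for n")
    t, r = 0, k
    while r % 2 == 0:
        r //= 2
        t += 1
    rng = random.Random(seed)  # seeded only so the demo is reproducible
    for _ in range(max_tries):
        g = rng.randrange(2, n - 1)
        c = math.gcd(g, n)
        if c != 1:  # negligible chance for a real modulus, but it is a factor
            return tuple(sorted((c, n // c)))
        x = pow(g, r, n)
        if x in (1, n - 1):
            continue  # this g only produces trivial square roots of 1
        for _ in range(t):
            y = pow(x, 2, n)
            if y == 1:
                p = math.gcd(x - 1, n)  # x^2 ≡ 1, x ≢ ±1: nontrivial root found
                return tuple(sorted((p, n // p)))
            if y == n - 1:
                break  # the next square is 1 trivially; pick another g
            x = y
    raise RuntimeError("no factor found; increase max_tries")


if __name__ == "__main__":
    # Constructed demo values: the 10,000th and 100,000th primes (toy size only).
    n, e, d = rsa_keygen(104729, 1299709)
    m = 424242
    assert pow(pow(m, e, n), d, n) == m  # textbook RSA round trip
    print("N =", n)
    print("factors recovered from d:", factor_from_private_exponent(n, e, d))
```

Running the script prints the modulus and the pair (104729, 1299709) recovered purely from (N, e, d). The same reduction is why RSA private keys stored in software, HSMs or TPMs are treated as the factorization itself: any partial exposure of d (a backup, a swap file, a debug log) should be handled as if p and q had been disclosed, and the key pair retired.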