
The Arithmetic Behind Cryptography

Gerhard Frey

The security of very efficient and widely used public key crypto systems is based on the hardness of mathematical problems. Typically such problems come from arithmetic. Here are three important examples: find shortest or closest vectors in lattices, factor large numbers, and compute logarithms in finite groups.

In this article we shall concentrate on the last example and so cover crypto systems for which the crypto primitive behind them is the discrete logarithm (DL) in cyclic groups of prime order (see the subsection on Diffie-Hellman Problems). The first proposal for such systems was given by Diffie and Hellman in their groundbreaking article [DH]. As groups they suggested taking roots of unity in the multiplicative group of finite fields.

The generality of the methods provided by algorithmic arithmetic geometry opens immediately a wide range of possibilities. One can replace torsion points in the multiplicative group by torsion points of Jacobian varieties of curves over finite fields. But, on the other side, the strength of the methods allows us to develop very efficient attacks. So most of the suggested candidates for public key systems did not fulfill the expectations, and only DL-systems based on carefully chosen elliptic curves and curves of genus 2 survived without any blame.

This does not mean that the study of curves of arbitrary genus is not important for applications in data security. In many cases we understand partial weaknesses of elliptic curves by making more general objects accessible to computation. The continuous study of consequences of advances in algorithmic arithmetic geometry for the security of used crypto systems and failures of attacks gives mathematicians a better conscience and users more trust. So even people only involved in designing systems without being interested in the theoretical background can choose (very special) cases, for example, one elliptic curve over a fixed field with explicit addition formulas given in a list of standardized curves, for instance listed in [NIST] or in [BRAIN]. But apart from applications to elliptic curves the higher genus curves have various applications in cryptography which we cannot describe in this short survey.

But it is not only the status quo which is supported. New points of view from the theoretical side lead to advances in the design of hardware as well as in protocols. One of the striking examples is the development of pairing-based cryptography. From its background, namely duality theory in arithmetic geometry, there goes a direct path to very efficient implementations of pairings which allow, for instance, new ways to sign, and here curves of higher genus may play an important role.

Acknowledgment. The author would like to thank the referees for careful reading of the manuscript and for their helpful comments.

Gerhard Frey is professor of mathematics at the University of Duisburg-Essen. His email address is gerhard.frey@gmail.com.

Some Aspects of Arithmetic Geometry

In the section "Construction of DL-Systems" we shall formulate tasks for mathematicians motivated by needs of data security. It turns out that it is surprisingly difficult to find families of groups which are candidates for DL-systems, and that the search for bilinear structures is even more involved.

The only known examples are constructed with the help of advanced methods of arithmetic geometry mostly developed during the last sixty years. We emphasize the remarkable fact that they both enable us to solve old problems like FLT (see the subsection "Digression: FLT") and lead to efficient and secure families of public key crypto systems.

What Is Arithmetic Geometry?

Arithmetic geometry is one of the most powerful ingredients in mathematics. It combines classical algebraic number theory with algebraic geometry. It uses the theory of functions over $\mathbb{C}$, and so analytic geometry, and it transfers this theory to its $p$-adic counterpart, the $p$-adic rigid geometry.

366 Notices of the AMS Volume 57, Number 3

The important feature is that objects from number theory, like the ring of integers, and objects from algebraic geometry, like varieties over finite fields, can be treated in a unified way (as schemes consisting of the set of points with topology and sheaves of functions). For instance, the arithmetic of rings of integers in number fields is very similar to the arithmetic of rings of holomorphic functions on affine curves over finite fields. The analogy is neither only formal nor in all aspects obtained by using a dictionary, and the interplay between the arithmetic world and the geometric world is extremely fruitful for both sides.

The situation becomes very interesting and extremely difficult if both points of view are mixed together, for instance, if we look at the arithmetic of curves $C$ defined over number fields or $p$-adic fields $K$. Geometrically these are varieties of dimension 1, but since we can look at them as being defined over the ring of integers $O_K$ of $K$, they carry a 2-dimensional structure: from $C$ we get an arithmetical surface $\mathcal{C}$. This surface $\mathcal{C}$ contains for each prime ideal $\mathfrak{p}$ of $O_K$ a closed fiber $\mathcal{C}_{\mathfrak{p}}$ (special fiber at $\mathfrak{p}$) which is the reduction of $\mathcal{C}$ modulo $\mathfrak{p}$, that is, roughly speaking, the curve obtained by looking at the equations defining $C$ (in a suitable normalization with respect to $\mathfrak{p}$) modulo $\mathfrak{p}$. The arithmetical surface $\mathcal{C}$ contains much more information than its generic fiber $C$. It is not uniquely determined by $C$. There is an optimal model, the so-called minimal model, and using this model one can try to get the arithmetical data of $C$ from studying the analogous data of the special fibers.

In the case that $K$ is a number field one tries to exploit the local information one gets over the completions at all places of $K$ simultaneously in order to get global information, for example, about rational points on $C$. (If $K = \mathbb{Q}$ these completions are the reals $\mathbb{R}$ and, for all prime numbers $p$, the $p$-adic numbers $\mathbb{Q}_p$.) If this strategy is successful then one has established a local-global principle.

One famous example of such a principle is the theorem of Hasse-Minkowski which states that one quadratic polynomial in arbitrarily many variables with coefficients in a number field $K$ has a $K$-rational solution if and only if it has solutions in all fields obtained as completions with respect to valuations of $K$.

We cannot expect to get such a principle for general varieties. In fact we already find counterexamples if we look at the set of solutions of two quadratic equations or of polynomials in two variables of degree 3. But there is a Galois theoretical variant which relates local with global information: the density theorem of Čebotarev (Theorem 2.5).

Algorithmic Arithmetic Geometry

Classically algorithmic aspects of number theory mostly deal with lattices and derived objects. A fundamental tool is Minkowski's theorem on points with small norms in lattices and related results, for instance reduction of quadratic forms following Lagrange and Gauss. The enormous growth of computational power made it possible to construct interesting examples in a wide range, and very often one meets the LLL algorithm as a major tool.

The theoretical insights obtained by the approach described in the preceding subsection made rapid and exciting progress possible in the area of algorithmic arithmetic geometry, generalizing considerably both range and techniques of computational number theory. Prominent examples are computation of tables of modular forms including congruences, algorithmic study of modular curves (see, for instance, the Cremona tables [C] listing elliptic curves) and related Galois representations.

Translating arithmetical problems into the geometric language has the immediate consequence that one can apply the methods from arithmetic to the geometric case, too. And so we have now a very advanced theoretical and algorithmic toolkit to deal with the explicit theory of varieties over finite fields as a counterpart to the explicit theory of algebraic number fields. We devote the subsection "Arithmetic in Divisor Classes" to an important example.

Complexity Hierarchy. A crucial part of every algorithmic theory is the determination of the complexity of the available algorithms. Here we can only scratch the surface of this fascinating mathematical subject. We introduce Landau's notation: For $f, g : \mathbb{N} \to \mathbb{R}$ with $g$ positive define
$$f = O(g)$$
if there exists $d \in \mathbb{R}_{>0}$ with
$$|f(N)| \le d \cdot g(N)$$
for all $N$.

Take $\alpha \in [0, 1]$, $c \in \mathbb{R}_{>0}$. Define
$$L_N(\alpha, c) := \exp\bigl(c \cdot \log(N)^{\alpha} \cdot \log(\log(N))^{1-\alpha}\bigr).$$

For (almost all) $N \in \mathbb{N}$, let $f_N : A_N \to B_N$ be maps from sets $A_N$ to sets $B_N$. Assume that there is an algorithm which evaluates $f_N$ with (probabilistic) complexity (e.g., number of bit operations needed) $F(N)$. Then the (probabilistic) asymptotic complexity of the family $f_N$ (in $\log(N)$) is called

• polynomial if $F = O(L_N(0, c))$ ("fast algorithm"),
• exponential if $F = O(L_N(1, c))$ ("hard algorithm"), and
• subexponential if there is $0 < \alpha < 1$ with $F = O(L_N(\alpha, c))$.

Subexponential complexity is a very interesting case between the two extremes.

Caution: This notion of complexity is an asymptotic estimate of a specific algorithm for the evaluation of $f_N$.

March 2010 Notices of the AMS 367

Inside of $I(O_C)$ we have the subgroup $\mathrm{Princ}(O_C)$ of principal ideals $f \cdot O_C$, $f \in F_C^{*}$. The quotient group
$$\mathrm{Pic}(O_C) := I(O_C)/\mathrm{Princ}(O_C)$$
is the ideal class group of $O_C$. It is in a natural way isomorphic to $\mathrm{Pic}^0(C)$, the divisor class group of degree 0 of $C$, and a fundamental theorem of the theory of curves states that $\mathrm{Pic}^0(C)$ is in a functorial way isomorphic to the group of $K$-