Category: featured

Weil descent

Published January 9, 2008 by lievenlb

A classic Andre Weil-tale is his narrow escape from being shot as a Russian spy

The war was a disaster for Weil who was a conscientious objector and so wished to avoid military service. He fled to Finland, to visit Rolf Nevanlinna, as soon as war was declared. This was an attempt to avoid being forced into the army, but it was not a simple matter to escape from the war in Europe at this time. Weil was arrested in Finland and when letters in Russian were found in his room (they were actually from Pontryagin describing mathematical research) things looked pretty black. One day Nevanlinna was told that they were about to execute Weil as a spy, and he was able to persuade the authorities to deport Weil instead.

However, Weil’s wikipedia entry calls this a story too good to be true, and continues

In 1992, the Finnish mathematician Osmo Pekonen went to the archives to check the facts. Based on the documents, he established that Weil was not really going to be shot, even if he was under arrest, and that Nevanlinna probably didn’t do – and didn’t need to do – anything to save him. Pekonen published a paper on this with an afterword by Andre Weil himself. Nevanlinna’s motivation for concocting such a story of himself as the rescuer of a famous Jewish mathematician probably was the fact that he had been a Nazi sympathizer during the war. The story also appears in Nevanlinna’s autobiography, published in Finnish, but the dates don’t match with real events at all. It is true, however, that Nevanlinna housed Weil in the summer of 1939 at his summer residence Korkee at Lohja in Finland – and offered Hitler’s Mein Kampf as bedside reading.

This old spy-story gets a recent twist now that it turns out that Weil’s descent theory of tori has applications to cryptography. So far, I haven’t really defined what tori are, so let us start with some basics.

The simplest (and archetypical) example of an algebraic torus is the multiplicative group(scheme) $\mathbb{G}_m $ over a finite field $\mathbb{F}_q $ which is the affine variety

$\mathbb{V}(xy-1) \subset \mathbb{A}^2_{\mathbb{F}_q} $. that is, the $\mathbb{F}_q $ points of $\mathbb{G}_m $ are precisely the couples ${ (x,\frac{1}{x})~:~x \in \mathbb{F}_q^* } $ and so are in one-to-one correspondence with the non-zero elements of $\mathbb{F}_q $. The coordinate ring of this variety is the ring of Laurant polynomials $\mathbb{F}_q[x,x^{-1}] $ and the fact that multiplication induces a group-structure on the points of the variety can be rephrased by saying that this coordinate ring is a Hopf algebra which is just the Hopf structure on the group-algebra $\mathbb{F}_q[\mathbb{Z}] = \mathbb{F}_q[x,x^{-1}] $. This is the first indication of a connection between tori defined over $\mathbb{F}_q $ and lattices (that is free $\mathbb{Z} $-modules with an action of the Galois group $Gal(\overline{F}_q/F_q) $. In this correspondence, the multiplicative group scheme $\mathbb{G}_m $ corresponds to $\mathbb{Z} $ with the trivial action.

Now take a field extension $\mathbb{F}_q \subset \mathbb{F}_{q^n} $, is there an affine variety, defined over $\mathbb{F}_q $ whose $\mathbb{F}_q $-points are precisely the invertible elements $\mathbb{F}_{q^n}^* $? Sure! Just take the multiplicative group over $\mathbb{F}_{q^n} $ and write the elements x and y as $x = x_1 + x_2 a_2 + \ldots + x_n a_n $ (and a similar expression for y with ${ 1,a_2,\ldots,a_n }$ being a basis of $\mathbb{F}_{q^n}/\mathbb{F}_q $ and write the defning equation $xy-1 $ out, also with respect to this basis and this will then give you the equations of the desired variety, which is usually denoted by $R^1_{\mathbb{F}_{q^n}/\mathbb{F}_q} \mathbb{G}_m $ and called the Weil restriction of scalars torus.

A concrete example? Take $\mathbb{F}_9 = \mathbb{F}_3(\sqrt{-1}) $ and write $x=x_1+x_2 \sqrt{-1} $ and $y=y_1+y_2 \sqrt{-1} $, then the defining equation $xy-1 $ becomes

$~(x_1y_1-x_2y_2) + (x_1y_2-x_2y_1) \sqrt{-1} = 1 $

whence $R^1_{\mathbb{F}_9/\mathbb{F}_3} = \mathbb{V}(x_1y_1-x_2y_2-1,x_1y_2-x_2y_1) \subset \mathbb{A}^4_{\mathbb{F}_3} $, the intersection of two quadratic hypersurfaces in 4-dimensional space.

Why do we call $R^1 \mathbb{G}_m $ a _torus_? Well, as with any variety defined over $\mathbb{F}_q $ we can also look at its points over a field-extension, for example over the algebraic closure $\overline{\mathbb{F}}_q $ and then it is easy to see that

$R^1_{\mathbb{F}_{q^n}/\mathbb{F}_q} \mathbb{G}_m (\overline{\mathbb{F}}_q) = \overline{\mathbb{F}}_q^* \times \ldots \times \overline{\mathbb{F}}_q^* $ (n copies)

and such algebraic groups are called tori. (To understand terminology, the compact group corresponding to $\mathbb{C}^* \times \mathbb{C}^* $ is $U_1 \times U_1 = S^1 \times S^1 $, so a torus).

In fact, it is already the case that the $\mathbb{F}_{q^n} $ points of the restriction of scalar torus are $\mathbb{F}_{q^n}^* \times \ldots \times \mathbb{F}_{q^n}^* $ and therefore we call this field a splitting field of the torus.

This is the general definition of an algebraic torus : a torus T over $\mathbb{F}_q $ is an affine group scheme over $\mathbb{F}_q $ such that, if we extend scalars to the algebraic closure (and then it already holds for a finite extension) we get an isomorphism of affine group schemes

$T \times_{\mathbb{F}_q} \overline{\mathbb{F}}_q = \overline{\mathbb{F}}_q^* \times \ldots \times \overline{\mathbb{F}}_q^* = (\overline{\mathbb{F}}_q^*)^{n} $

in which case we call T a torus of dimension n. Clearly, the Galois group $Gal(\overline{\mathbb{F}}_q^*/\mathbb{F}_q) $ acts on the left hand side in such a way that we recover $T $ as the orbit space for this action.

Hence, anther way to phrase this is to say that an algebraic torus is the Weil descent of an action of the Galois group on the algebraic group $\overline{\mathbb{F}}_q^* \times \ldots \times \overline{\mathbb{F}}_q^* $.

Of course we can also rephrase this is more algebraic terms by looking at the coordinate rings. The coordinate ring of the algebraic group $~(\overline{\mathbb{F}}_q^*)^n $ is the group-algebra of the rank n lattice $\mathbb{Z}^n = \mathbb{Z} \oplus \ldots \oplus \mathbb{Z} $ (the free Abelian group of rank n), that is,
$\overline{\mathbb{F}}_q [ \mathbb{Z}^n ] $. Now the Galois group acts both on the field $\overline{\mathbb{F}}_q $ as on the lattice $\mathbb{Z}^n $ coming from the action of the Galois group on the extended torus $T \times_{\mathbb{F}_q} \overline{\mathbb{F}}_q $. In fact, it is best to denote this specific action on $\mathbb{Z}^n $ by $T^* $ and call $T^* $ the character group of $T $. Now, we recover the coordinate ring of the $\mathbb{F}_q $-torus $T $ as the ring of invariants

$\mathbb{F}_q[T] = \overline{\mathbb{F}}_q [T^*]^{Gal(\overline{\mathbb{F}}_q/\mathbb{F}_q)} $

Hence, the restriction of scalars torus $R^1_{\mathbb{F}_{q^n}/\mathbb{F}_q} \mathbb{G}_m $ is an n-dimensional torus over $\mathbb{F}_q $ and its corresponding character group is the free Abelian group of rank n which can be written as $\mathbb{Z}[x]/(x^n-1) = \mathbb{Z}1 \oplus \mathbb{Z}x \oplus \ldots \oplus \mathbb{Z}x^{n-1} $ and where the action of the cyclic Galois group $Gal(\mathbb{F}_{q^n}/\mathbb{F}_q) = C_n = \langle \sigma \rangle $ s such that the generator $\sigma $ as as multiplication by $x $. That is, in this case the character group is a permutation lattice meaning that the $\mathbb{Z} $-module has a basis which is permuted under the action of the Galois group. Next time we will encounter more difficult tori sich as the crypto-torus $T_n $.

One Comment

A cat called CEILIDH

Published January 7, 2008 by lievenlb

We will see later that the cyclic subgroup $T_6 \subset \mathbb{F}_{p^6}^* $ is a 2-dimensional torus.

Take a finite set of polynomials $f_i(x_1,\ldots,x_k) \in \mathbb{F}_p[x_1,\ldots,x_k] $ and consider for every fieldextension $\mathbb{F}_p \subset \mathbb{F}_q $ the set of all k-tuples satisfying all these polynomials and call this set

$X(\mathbb{F}_q) = { (a_1,\ldots,a_k) \in \mathbb{F}_q^k~:~f_i(a_1,\ldots,a_k) = 0~\forall i } $

Then, $T_6 $ being a 2-dimensional torus roughly means that we can find a system of polynomials such that
$T_6 = X(\mathbb{F}_p) $ and over the algebraic closure $\overline{\mathbb{F}}_p $ we have $X(\overline{\mathbb{F}}_p) = \overline{\mathbb{F}}_p^* \times \overline{\mathbb{F}}_p^* $ and $T_6 $ is a subgroup of this product group.

It is known that all 2-dimensional tori are rational. In particular, this means that we can write down maps defined by rational functions (fractions of polynomials) $f~:~T_6 \rightarrow \mathbb{F}_p \times \mathbb{F}_p $ and $j~:~\mathbb{F}_p \times \mathbb{F}_p \rightarrow T_6 $ which define a bijection between the points where f and j are defined (that is, possibly excluding zeroes of polynomials appearing in denumerators in the definition of the maps f or j). But then, we can use to map f to represent ‘most’ elements of $T_6 $ by just 2 pits, exactly as in the XTR-system.

Making the rational maps f and j explicit and checking where they are ill-defined is precisely what Karl Rubin and Alice Silverberg did in their CEILIDH-system. The acronym CEILIDH (which they like us to pronounce as ‘cayley’) stands for Compact Efficient Improves on LUC, Improves on Diffie-Hellman…

A Cailidh is a Scots Gaelic word meaning ‘visit’ and stands for a ‘traditional Scottish gathering’.

Between 1997 and 2001 the Scottish ceilidh grew in popularity again amongst youths. Since then a subculture in some Scottish cities has evolved where some people attend ceilidhs on a regular basis and at the ceilidh they find out from the other dancers when and where the next ceilidh will be.
Privately organised ceilidhs are now extremely common, where bands are hired, usually for evening entertainment for a wedding, birthday party or other celebratory event. These bands vary in size, although are commonly made up of between 2 and 6 players. The appeal of the Scottish ceilidh is by no means limited to the younger generation, and dances vary in speed and complexity in order to accommodate most age groups and levels of ability.

Anyway, let us give the details of the Rubin-Silverberg approach. Take a large prime number p congruent to 2,6,7 or 11 modulo 13 and such that $\Phi_6(p)=p^2-p+1 $ is again a prime number. Then, if $\zeta $ is a 13-th root of unity we have that $\mathbb{F}_{p^{12}} = \mathbb{F}_p(\zeta) $. Consider the elements

$\begin{cases} z = \zeta + \zeta^{-1} \\ y = \zeta+\zeta^{-1}+\zeta^5+\zeta^{-5} \end{cases} $

Then, for every $~(u,v) \in \mathbb{F}_p \times \mathbb{F}_p $ define the map $j $ to $T_6 $ by

$j(u,v) = \frac{r-s \sqrt{13}}{r+s \sqrt{13}} \in T_6 $

and one can verify that this is indeed an element of $T_6 $ provided we take

$\begin{cases} r = (3(u^2+v^2)+7uv+34u+18v+40)y^2+26uy-(21u(3+v)+9(u^2+v^2)+28v+42) \\
s = 3(u^2+v^2)+7uv+21u+18v+14 \end{cases} $

Conversely, for $t \in T_6 $ write $t=a + b \sqrt{13} $ using the basis $\mathbb{F}_{p^6} = \mathbb{F}_{p^3}1 \oplus \mathbb{F}_{p^3} \sqrt{13} $, so $a,b \in \mathbb{F}_{p^3} $ and consequently write

$\frac{1+a}{b} = w y^2 + u (y + \frac{y^2}{2}) + v $

with $u,v,w \in \mathbb{F}_p $ using the basis ${ y^2.y+\frac{y^2}{2},1 } $ of $\mathbb{F}_{p^3}/\mathbb{F}_p $. Okay, then the invers of $j $ iis the map $f~:~T_6 \rightarrow \mathbb{F}_p \times \mathbb{F}_p $ given by

$f(t) = (\frac{u}{w+1},\frac{v-3}{w+1}) $

and it takes some effort to show that f and j are indeed each other inverses, that j is defined on all points of $\mathbb{F}_p \times \mathbb{F}_p $ and that f is defined everywhere except at the two points
${ 1,-2z^5+6z^3-4z-1 } \subset T_6 $. Therefore, as long as we avoid these two points in our Diffie-Hellman key exchange, we can perform it using just $2=\phi(6) $ pits : I will send you $f(g^a) $ allowing you to compute our shared key $f(g^{ab}) $ or $g^{ab} $ from my data and your secret number b.

But, where’s the cat in all of this? Unfortunately, the cat is dead…

One Comment

ECSTR aka XTR

Published January 5, 2008 by lievenlb

The one thing that makes it hard for an outsider to get through a crypto-paper is their shared passion for using nonsensical abbreviations. ECSTR stands for “Efficient Compact Subgroup Trace Representation” and we are fortunate that Arjen Lenstra and Eric Verheul shortened it in their paper The XTR public key system to just XTR. As both of them speak Dutch, they will know why Ive chosen a magpie-picture on the left… Btw. there is a nice MSRI-talk by Lenstra, starting off with a couple of jokes on what ECSTR is NOT meant to abbreviate (one of them being ‘Elliptic Curve Systems Too Risky’… (( I may even start to share their passion… )) ).

The XTR-system uses safety of $\mathbb{F}_{p^6} $ in the Diffie-Hellman key exchange while transmitting only $2=\phi(6) $ pits. The first question one asks is : why the jump from $N=2 $ from last time to $N=6 $? Well, remember that (conjecturally) we want to use safety of $\mathbb{F}_q $ for $q=p^N $ while using only $\phi(N) $ pits. That is, we want to have $N log(p) $ large (for safety) while at the same time $\phi(N) log(p) $ small (for efficiency). Thus, the most useful N’s to consider are those in the sequence

$N=1,~2,~6=2.3,~30=2.3.5,~210=2,3,5,7,~\ldots $

that is, the products of the first so many prime numbers. The number of elements of the cyclic group $\mathbb{F}_q^* $ is equal to

$p^6-1 = (p-1)(p+1)(p^2+p+1)(p^2-p+1) $

and that the subgroup of order $p-1 $ can be embedded in $\mathbb{F}_p^* $, that of order $p+1 $ can be embedded in $\mathbb{F}_{p^2}^* $, that of order $p^2+p+1 $ can be embedded in $\mathbb{F}_{p^3}^* $, BUT that the subgroup of order $\Phi_6(p)=p^2-p+1 $ CANNOT be embedded in any $\mathbb{F}_{p^i}^* $ for $i = 1,2,3 $, or in other words, the $p^2-p+1 $ subgroup is as hard as $\mathbb{F}_{p^6}^* $. So, let us take a generator $g $ of the subgroup $T_6 $ of order $p^2-p+1 $ and do the Diffie-Hellman trick with it in a modified manner.

Galois groups of finite fields are cyclic and generated by the Frobenius $x \mapsto x^p $. In particular, the Galois group $Gal(\mathbb{F}_{p^6}/\mathbb{F}_{p^2}) = C_3 $ is cyclic of order three and consists of the auromorphisms ${ 1=id, \sigma = (x \mapsto x^{p^2}), \sigma^2 = (x \mapsto x^{p^4}) } $, so the corresponding trace map is given by

$Tr~:~\mathbb{F}_{p^6} \rightarrow \mathbb{F}_{p^2} \qquad Tr(x) = x + x^{p^2} + x^{p^4} $

So, how do we perform our key-exchange using my secret number $a $ and yours $b $? Well, I’ll send you $Tr(g^a) $ and as this is an element of the quadratic extension $\mathbb{F}_{p^2} $ I’ll need just 2 pits instead of 6 and you will send me likewise $Tr(g^b) $. I claim that the common key we (and only we) can compute is $Tr(g^{ab}) $. How does this work?

Given any element $x \in T_6 \subset \mathbb{F}_{p^6}^* $ we can compute the 3-element set $C_x = { x,\sigma(x),\sigma(x^2) } $ and hence the characteristic polynomial
$~(t-x)(t-\sigma(x))(t-\sigma^2(x)) $

$ = t^3 – (x+\sigma(x)+\sigma^2(x))t^2 + (x \sigma(x)+ x\sigma^2(x)+\sigma(x)\sigma^2(x))t – x \sigma(x)\sigma^2(x) $

The first coefficient $x+\sigma(x)+\sigma^2(x) $ is the trace $Tr(x) $ and the second and third coefficients are respectively $Tr(x \sigma(x)) $ and the norm $N(x) $. Now, if $x \in T_6 $ one can show that

$Tr(x \sigma(x)) = Tr(x)^p $ and $N(x)=1 $

That is, from knowing only $Tr(x) $ we can compute the characteristic polynomial and hence recover the 3-element set ${ h,\sigma(h),\sigma^2(h) } $!

If I give you $Tr(g^a) $ you can compute from it the 3-set ${ g^a,\sigma(g^a),\sigma^2(g^a) } $ and raise them all the the b-th power (b being your secret number) to obtain

${ g^{ab},\sigma(g^a)^b,\sigma^2(g^a)^b } = { g^{ab},\sigma(g^{ab}),\sigma^2(g^{ab}) } $

but then you also know our shared key $Tr(g^{ab}) = g^{ab}+\sigma(g^{ab})+\sigma^2(g^{ab}) $… Done!

One Comment