Cryptography | neverendingbooks

Posts Tagged ‘cryptography’

return of the cat ceilidh

Thursday, January 24th, 2008

numb3rs

return of the cat ceilidh
another numb3rs screenshot

I couldn’t believe my eyes. I was watching an episode of numb3rs, ‘undercurrents’ to be precise, and there it was, circled in the middle of the blackboard, CEILIDH, together with some of the key-exchange maps around it…

Only, the plot doesn’t involve any tori-crypto… okay, there is an I-Ching-coded-tattoo which turns out to be a telephone number, but that’s all. Still, this couldn’t just be a coincidence. Googling for ‘ ceilidh+numbers‘ gives as top hit the pdf-file of an article Alice in NUMB3Rland written by … Alice Silverberg (of the Rubin-Silverberg paper starting tori-cryptography). Alice turns out to be one of the unpaid consultants to the series. The 2-page article gives some insight into how ’some math’ gets into the script

Typically, Andy emails a draft of the script to the consultants. The FBI plot is already in place, and the writers want mathematics to go with it. The placeholder “math” in the draft is often nonsense or jargon; the sort of things people with no mathematical background might find by Googling, and think was real math. Since there’s often no mathematics that makes sense in those parts of the script, the best the consultants can do is replace jargon that makes us cringe a lot with jargon that makes us cringe a little.
From then on, it’s the Telephone Game. The consultants email Andy our suggestions (”replace ‘our discrete universes’ with ‘our disjoint universes’”; “replace the nonsensical ‘we’ve tried everything -a full frequency analysis, a Vignere deconstruction- we even checked for a Lucas sequence’ with the slightly less nonsensical ‘It’s much too short to try any cryptanalysis on. If it were longer we could try frequency analyses, or try to guess what kind of cryptosystem it is and use a specialized technique. For example, if it were a long enough Vigenere cipher we could try a Kasiski test or an index-of-coincidence analysis’). Andy chooses about a quarter of my sugges- tions and forwards his interpretation of them to the writers and producers. The script gets changed, and then the actors ad lib something completely dif- ferent (’disjointed universes’: cute, but loses the mathematical allusion; ‘Kasiski exam’ : I didn’t mean that kind of ‘test’).

She ends her article with :

I have mixed feelings about NUMB3RS. I still have concerns about the violence, the depiction of women, and the pretense that the math is accurate. However, if NUMB3RS could interest people in the power of mathematics enough for society to greater value and support mathematics teaching, learning, and research, and motivate more students to learnthat would be a positive step.

Further, there is a whole blog dedicated to some of the maths featuring in NUMB3RS, the numb3rs blog. And it was the first time I had to take a screenshot of a DVD, something usually off limits to the grab.app, but there is a simple hack to do it…

Next in series

Tags: Artin, ceilidh, cryptography, google, numb3rs, silverberg, teaching
Posted in general | 5 Comments »

now what?

Monday, January 14th, 2008

You may not have noticed, but the really hard work was done behind the scenes, resurrecting about 300 old posts (some of them hidden by giving them ‘private’-status). Ive only deleted about 10 posts with little or no content and am sorry I’ve self-destructed about 20-30 hectic posts over the years by pressing the ‘delete post’ button. I would have liked to reread them after all the angry mails Ive received. But, as Ive defended myself at the time, and as I continue to do today, a blog only records feelings at a specific moment. Often, the issue is closed for me once Ive put my frustrations in a post, and then Ill forget all about it. Sadly, the gossip-circuit in noncommutative circles is a lot, a lot, slower than my mood swings, so by the time people complain it’s no longer an issue for me and I tend to delete the post altogether. A blog really is a sort of diary. For example, it only struck me now, rereading the posts of the end of 2006, beginning of 2007, how depressed I must have been at the time. Fortunately, life has improved, somewhat… Still, after all these reminiscences, the real issue is : what comes next?

Some of you may have noticed that I’ve closed the open series on tori-cryptography and on superpotentials in a rather abrupt manner. It took me that long to realize that none of you is waiting for this kind of posts. You’re thinking : if he really wants to show off, let him do his damned thing on the arXiv, a couple of days a year, at worst, and then we can then safely ignore it, like we do with most papers. Isnt’t that true? Of course it is…

So, what are you waiting for? Here’s what I believe to be a sensible thing to try out. Over the last 4 years I must have posted well over 50 times what I believe noncommutative geometry is all about, so if you still don’t know, please consult the archive, I fear I can only repeat myself. Probably, it is more worthwhile to reach out to other approaches to noncommutative geometry, trying to figure out what, if anything, they are after, without becoming a new-age convert (’connes-vert’, I’d say). The top-left picture may give you an inkling of what I’m after… Besides, Im supposed to run a ‘capita selecta’ course for third year Bachelors and Ive chosen to read with them the book The music of the primes and to expand on the mathematics hinted only at in the book. So, I’ll totally immerse myself in Connes’ project to solve the Riemann-hypothesis in the upcoming months.

Again, rereading old posts, it strikes me how much effort I’ve put into trying to check whether technology can genuinely help mathematicians to do what they want to do more efficiently (all post categorized as iMath). I plan some series of posts re-exploring these ideas. The first series will be about the overhyped Web-2 thing of social-bookmarking. So, in the next weeks I’ll go undercover and check out which socialsites are best for mathematicians (in particular, noncommutative geometers) to embrace…

Apart from these, admittedly vague, plans I am as always open for suggestions you might have. So, please drop a comment..

Tags: arxiv, Calabi-Yau, Connes, cryptography, geometry, noncommutative, Riemann, superpotential
Posted in rants | 2 Comments »

the crypto lattice

Saturday, January 12th, 2008

rationality & cryptography

Last time we have seen that tori are dual (via their group of characters) to lattices with a Galois action. In particular, the Weil descent torus $R_n=R^1_{\mathbb{F}_{p^n}/\mathbb{F}_p} \mathbb{G}_m$ corresponds to the permutation lattices $R_n^* = \mathbb{Z}[x]/(x^n-1)$ . The action of the generator $\sigma$ (the Frobenius) of the Galois group $Gal(\mathbb{F}_{p^n}/\mathbb{F}_p)$ acts on the lattice by multiplication with .

An old result of Masuda (1955), using an even older lemma by Speiser (1919), asserts than whenever the character-lattice T^* of a torus is a permutation-lattice, the torus is rational, that is, the function-field of the torus $\mathbb{F}_p(T)$ is purely trancendental

$\mathbb{F}_p(y_1,\hdots,y_d) = \mathbb{F}_p(T) = (\mathbb{F}_{q^n}(T^*))^{Gal}$

(recall from last time that the field on the right-hand side is the field of fractions of the Gal -invariants of the group-algebra of the free Abelian group $T^* = \mathbb{Z} \oplus \hdots \oplus \mathbb{Z}$ where the rank is equal to the dimension of the torus).

The basic observation made by Rubin and Silverberg was that the known results on crypto-compression could be reformulated in the language of algebraic tori as : the tori (LUC-system) and (CEILIDH-system) are rational! So, what about the next cryptographic challenges? Are the tori $T_{30}$ , $T_{210}$ etc. also rational varieties?

Recall that as a group, the $\mathbb{F}_p$ -points of the torus T_n , is the subgroup of $\mathbb{F}_{p^n}^*$ corresponding to the most crypto-challenging cyclic subgroup of order $\Phi_n(p)$ where $\Phi_n(x)$ is the n-th cyclotomic polynomial. The character-lattice of this crypto-torus T_n we call the crypto-lattice and it is

$T_n^* = \mathbb{Z}[x]/(\Phi_n(x))$

(again the action of the Frobenius is given by multiplication with ) and hence has rank $\phi(n)$ , explaining that the torus T_n has dimension $\phi(n)$ and hence that we can at best expect a compression from -pits to $\phi(n)$ -pits. Note that the lattice T_n^* is no longer a permutation lattice, so we cannot use the Masuda-Speiser result to prove rationality of T_n .

What have mathematicians proved on T_n before it became a hot topic? Well, there is an old conjecture by V. E. Voskresenskii asserting that all T_n should be rational! Unfortunately, he could prove this only when is a prime power. Further, he proved that for all , the lattice T_n is at least stably-rational meaning that it is rational upto adding free parameters, that is

$\mathbb{F}_p(T_n)(z_1,\hdots,z_l) = \mathbb{F}_p(y_1,\hdots,y_{d+l})$

which, sadly, is only of cryptographic-use if is small (see below). A true rationality result on T_n was proved by A.A. Klyashko : T_n is rational whenever n=p^a.q^b a product of two prime powers.But then, $30=2 \times 3 \times 5$ the first unknown case…

At Crypto 2004, Marten van Dijk and David Woodruff were able to use an explicit form of Voskresenskii stable rationality result to get an asymptotic optimal crypto-compression rate of $n/\phi(n)$ , but their method was of little practical use in the $T_{30}$ , for what their method gave was a rational map

$T_{30} \times \mathbb{A}^{32}_{\mathbb{F}_p} \rightarrow \mathbb{A}^{40}_{\mathbb{F}_p}$

and the number of added parameters (32) is way too big to be of use.

But then, one can use century-old results on cyclotomic polynomials to get a much better bound, as was shown in the paper Practical cryptography in high dimensional tori by the collective group of all people working (openly) on tori-cryptography. The idea is that whenever q is a prime and a is an integer not divisible by q, then on the level of cyclotomic polynomials we have the identity

$\Phi_{aq}(x) \Phi_a(x) = \Phi_a(x^q)$

On the level of tori this equality implies (via the character-lattices) an ismorphism (with same assumptions)

$T_{aq}(\mathbb{F}_p) \times T_a(\mathbb{F}_p) \simeq (R^1_{\mathbb{F}_{p^q}/\mathbb{F}_p} T_a)(\mathbb{F}_p) = T_a(\mathbb{F}_{p^q})$

whenever aq is not divisible by p. Apply this to the special case when q=5,a=6 then we get

$T_{30}(\mathbb{F}_p) \times T_6(\mathbb{F}_p) \simeq R^1_{\mathbb{F}_{p^5}/\mathbb{F}_p} T_6(\mathbb{F}_p)$

and because we know that T_6 is a 2-dimensional rational torus we get, using Weil descent, a rational map

$T_{30} \times \mathbb{A}^2_{\mathbb{F}_p} \rightarrow \mathbb{A}^{10}_{\mathbb{F}_p}$

which can be used to get better crypto-compression than the CEILIDH-system!

This concludes what I know of the OPEN state of affairs in tori-cryptography. I’m sure ‘people in hiding’ know a lot more at the moment and, if not, I have a couple of ideas I’d love to check out. So, when I seem to have disappeared, you know what happened…

Previous in series

Tags: cryptography, Galois, lattices, rationality, tori
Posted in geometry | No Comments »

Weil descent

Wednesday, January 9th, 2008

rationality & cryptography

A classic Andre Weil-tale is his narrow escape from being shot as a Russian spy

The war was a disaster for Weil who was a conscientious objector and so wished to avoid military service. He fled to Finland, to visit Rolf Nevanlinna, as soon as war was declared. This was an attempt to avoid being forced into the army, but it was not a simple matter to escape from the war in Europe at this time. Weil was arrested in Finland and when letters in Russian were found in his room (they were actually from Pontryagin describing mathematical research) things looked pretty black. One day Nevanlinna was told that they were about to execute Weil as a spy, and he was able to persuade the authorities to deport Weil instead.

However, Weil’s wikipedia entry calls this a story too good to be true, and continues

In 1992, the Finnish mathematician Osmo Pekonen went to the archives to check the facts. Based on the documents, he established that Weil was not really going to be shot, even if he was under arrest, and that Nevanlinna probably didn’t do - and didn’t need to do - anything to save him. Pekonen published a paper on this with an afterword by Andre Weil himself. Nevanlinna’s motivation for concocting such a story of himself as the rescuer of a famous Jewish mathematician probably was the fact that he had been a Nazi sympathizer during the war. The story also appears in Nevanlinna’s autobiography, published in Finnish, but the dates don’t match with real events at all. It is true, however, that Nevanlinna housed Weil in the summer of 1939 at his summer residence Korkee at Lohja in Finland - and offered Hitler’s Mein Kampf as bedside reading.

This old spy-story gets a recent twist now that it turns out that Weil’s descent theory of tori has applications to cryptography. So far, I haven’t really defined what tori are, so let us start with some basics.

The simplest (and archetypical) example of an algebraic torus is the multiplicative group(scheme) $\mathbb{G}_m$ over a finite field $\mathbb{F}_q$ which is the affine variety

$\mathbb{V}(xy-1) \subset \mathbb{A}^2_{\mathbb{F}_q}$ . that is, the $\mathbb{F}_q$ points of $\mathbb{G}_m$ are precisely the couples $\{ (x,\frac{1}{x})~:~x \in \mathbb{F}_q^* \}$ and so are in one-to-one correspondence with the non-zero elements of $\mathbb{F}_q$ . The coordinate ring of this variety is the ring of Laurant polynomials $\mathbb{F}_q[x,x^{-1}]$ and the fact that multiplication induces a group-structure on the points of the variety can be rephrased by saying that this coordinate ring is a Hopf algebra which is just the Hopf structure on the group-algebra $\mathbb{F}_q[\mathbb{Z}] = \mathbb{F}_q[x,x^{-1}]$ . This is the first indication of a connection between tori defined over $\mathbb{F}_q$ and lattices (that is free $\mathbb{Z}$ -modules with an action of the Galois group $Gal(\overline{F}_q/F_q)$ . In this correspondence, the multiplicative group scheme $\mathbb{G}_m$ corresponds to $\mathbb{Z}$ with the trivial action.

Now take a field extension $\mathbb{F}_q \subset \mathbb{F}_{q^n}$ , is there an affine variety, defined over $\mathbb{F}_q$ whose $\mathbb{F}_q$ -points are precisely the invertible elements $\mathbb{F}_{q^n}^*$ ? Sure! Just take the multiplicative group over $\mathbb{F}_{q^n}$ and write the elements x and y as $x = x_1 + x_2 a_2 + \hdots + x_n a_n$ (and a similar expression for y with $\{ 1,a_2,\hdots,a_n \}[tex] being a basis of [tex]\mathbb{F}_{q^n}/\mathbb{F}_q$ and write the defning equation xy-1 out, also with respect to this basis and this will then give you the equations of the desired variety, which is usually denoted by $R^1_{\mathbb{F}_{q^n}/\mathbb{F}_q} \mathbb{G}_m$ and called the Weil restriction of scalars torus.

A concrete example? Take $\mathbb{F}_9 = \mathbb{F}_3(\sqrt{-1})$ and write $x=x_1+x_2 \sqrt{-1}$ and $y=y_1+y_2 \sqrt{-1}$ , then the defining equation xy-1 becomes

$~(x_1y_1-x_2y_2) + (x_1y_2-x_2y_1) \sqrt{-1} = 1$

whence $R^1_{\mathbb{F}_9/\mathbb{F}_3} = \mathbb{V}(x_1y_1-x_2y_2-1,x_1y_2-x_2y_1) \subset \mathbb{A}^4_{\mathbb{F}_3}$ , the intersection of two quadratic hypersurfaces in 4-dimensional space.

Why do we call $R^1 \mathbb{G}_m$ a _torus? Well, as with any variety defined over $\mathbb{F}_q$ we can also look at its points over a field-extension, for example over the algebraic closure $\overline{\mathbb{F}}_q$ and then it is easy to see that

$R^1_{\mathbb{F}_{q^n}/\mathbb{F}_q} \mathbb{G}_m (\overline{\mathbb{F}}_q) = \overline{\mathbb{F}}_q^* \times \hdots \times \overline{\mathbb{F}}_q^*$ (n copies)

and such algebraic groups are called tori. (To understand terminology, the compact group corresponding to $\mathbb{C}^* \times \mathbb{C}^*$ is $U_1 \times U_1 = S^1 \times S^1$ , so a torus).

In fact, it is already the case that the $\mathbb{F}_{q^n}$ points of the restriction of scalar torus are $\mathbb{F}_{q^n}^* \times \hdots \times \mathbb{F}_{q^n}^*$ and therefore we call this field a splitting field of the torus.

This is the general definition of an algebraic torus : a torus T over $\mathbb{F}_q$ is an affine group scheme over $\mathbb{F}_q$ such that, if we extend scalars to the algebraic closure (and then it already holds for a finite extension) we get an isomorphism of affine group schemes

$T \times_{\mathbb{F}_q} \overline{\mathbb{F}}_q = \overline{\mathbb{F}}_q^* \times \hdots \times \overline{\mathbb{F}}_q^* = (\overline{\mathbb{F}}_q^*)^{n}$

in which case we call T a torus of dimension n. Clearly, the Galois group $Gal(\overline{\mathbb{F}}_q^*/\mathbb{F}_q)$ acts on the left hand side in such a way that we recover as the orbit space for this action.

Hence, anther way to phrase this is to say that an algebraic torus is the Weil descent of an action of the Galois group on the algebraic group $\overline{\mathbb{F}}_q^* \times \hdots \times \overline{\mathbb{F}}_q^*$ .

Of course we can also rephrase this is more algebraic terms by looking at the coordinate rings. The coordinate ring of the algebraic group $~(\overline{\mathbb{F}}_q^*)^n$ is the group-algebra of the rank n lattice $\mathbb{Z}^n = \mathbb{Z} \oplus \hdots \oplus \mathbb{Z}$ (the free Abelian group of rank n), that is, $\overline{\mathbb{F}}_q [ \mathbb{Z}^n ]$ . Now the Galois group acts both on the field $\overline{\mathbb{F}}_q$ as on the lattice $\mathbb{Z}^n$ coming from the action of the Galois group on the extended torus $T \times_{\mathbb{F}_q} \overline{\mathbb{F}}_q$ . In fact, it is best to denote this specific action on $\mathbb{Z}^n$ by T^_ and call T^_ the character group of . Now, we recover the coordinate ring of the $\mathbb{F}_q$ -torus as the ring of invariants

$\mathbb{F}_q[T] = \overline{\mathbb{F}}_q [T^*]^{Gal(\overline{\mathbb{F}}_q/\mathbb{F}_q)}$

Hence, the restriction of scalars torus $R^1_{\mathbb{F}_{q^n}/\mathbb{F}_q} \mathbb{G}_m$ is an n-dimensional torus over $\mathbb{F}_q$ and its corresponding character group is the free Abelian group of rank n which can be written as $\mathbb{Z}[x]/(x^n-1) = \mathbb{Z}1 \oplus \mathbb{Z}x \oplus \hdots \oplus \mathbb{Z}x^{n-1}$ and where the action of the cyclic Galois group $Gal(\mathbb{F}_{q^n}/\mathbb{F}_q) = C_n = \langle \sigma \rangle$ s such that the generator $\sigma$ as as multiplication by . That is, in this case the character group is a permutation lattice meaning that the $\mathbb{Z}$ -module has a basis which is permuted under the action of the Galois group. Next time we will encounter more difficult tori sich as the crypto-torus T_n .

Previous in series Next in series

Tags: cryptography, descent, Galois, groups, lattices, simples, tori, Weil
Posted in geometry | 1 Comment »

A cat called CEILIDH

Monday, January 7th, 2008

rationality & cryptography

We will see later that the cyclic subgroup $T_6 \subset \mathbb{F}_{p^6}^*$ is a 2-dimensional torus.

Take a finite set of polynomials $f_i(x_1,\hdots,x_k) \in \mathbb{F}_p[x_1,\hdots,x_k]$ and consider for every fieldextension $\mathbb{F}_p \subset \mathbb{F}_q$ the set of all k-tuples satisfying all these polynomials and call this set

$X(\mathbb{F}_q) = \{ (a_1,\hdots,a_k) \in \mathbb{F}_q^k~:~f_i(a_1,\hdots,a_k) = 0~\forall i \}$

Then, T_6 being a 2-dimensional torus roughly means that we can find a system of polynomials such that $T_6 = X(\mathbb{F}_p)$ and over the algebraic closure $\overline{\mathbb{F}}_p$ we have $X(\overline{\mathbb{F}}_p) = \overline{\mathbb{F}}_p^* \times \overline{\mathbb{F}}_p^*$ and T_6 is a subgroup of this product group.

It is known that all 2-dimensional tori are rational. In particular, this means that we can write down maps defined by rational functions (fractions of polynomials) $f~:~T_6 \rightarrow \mathbb{F}_p \times \mathbb{F}_p$ and $j~:~\mathbb{F}_p \times \mathbb{F}_p \rightarrow T_6$ which define a bijection between the points where f and j are defined (that is, possibly excluding zeroes of polynomials appearing in denumerators in the definition of the maps f or j). But then, we can use to map f to represent ‘most’ elements of T_6 by just 2 pits, exactly as in the XTR-system.

Making the rational maps f and j explicit and checking where they are ill-defined is precisely what Karl Rubin and Alice Silverberg did in their CEILIDH-system. The acronym CEILIDH (which they like us to pronounce as ‘cayley’) stands for Compact Efficient Improves on LUC, Improves on Diffie-Hellman…

A Cailidh is a Scots Gaelic word meaning ‘visit’ and stands for a ‘traditional Scottish gathering’.

Between 1997 and 2001 the Scottish ceilidh grew in popularity again amongst youths. Since then a subculture in some Scottish cities has evolved where some people attend ceilidhs on a regular basis and at the ceilidh they find out from the other dancers when and where the next ceilidh will be.
Privately organised ceilidhs are now extremely common, where bands are hired, usually for evening entertainment for a wedding, birthday party or other celebratory event. These bands vary in size, although are commonly made up of between 2 and 6 players. The appeal of the Scottish ceilidh is by no means limited to the younger generation, and dances vary in speed and complexity in order to accommodate most age groups and levels of ability.

Anyway, let us give the details of the Rubin-Silverberg approach. Take a large prime number p congruent to 2,6,7 or 11 modulo 13 and such that $\Phi_6(p)=p^2-p+1$ is again a prime number. Then, if $\zeta$ is a 13-th root of unity we have that $\mathbb{F}_{p^{12}} = \mathbb{F}_p(\zeta)$ . Consider the elements

$\begin{cases} z = \zeta + \zeta^{-1} \\ y = \zeta+\zeta^{-1}+\zeta^5+\zeta^{-5} \end{cases}$

Then, for every $~(u,v) \in \mathbb{F}_p \times \mathbb{F}_p$ define the map to T_6 by

$j(u,v) = \frac{r-s \sqrt{13}}{r+s \sqrt{13}} \in T_6$

and one can verify that this is indeed an element of T_6 provided we take

$\begin{cases} r = (3(u^2+v^2)+7uv+34u+18v+40)y^2+26uy-(21u(3+v)+9(u^2+v^2)+28v+42) \\ s = 3(u^2+v^2)+7uv+21u+18v+14 \end{cases}$

Conversely, for $t \in T_6$ write $t=a + b \sqrt{13}$ using the basis $\mathbb{F}_{p^6} = \mathbb{F}_{p^3}1 \oplus \mathbb{F}_{p^3} \sqrt{13}$ , so $a,b \in \mathbb{F}_{p^3}$ and consequently write

$\frac{1+a}{b} = w y^2 + u (y + \frac{y^2}{2}) + v$

with $u,v,w \in \mathbb{F}_p$ using the basis $\{ y^2.y+\frac{y^2}{2},1 \}$ of $\mathbb{F}_{p^3}/\mathbb{F}_p$ . Okay, then the invers of iis the map $f~:~T_6 \rightarrow \mathbb{F}_p \times \mathbb{F}_p$ given by

$f(t) = (\frac{u}{w+1},\frac{v-3}{w+1})$

and it takes some effort to show that f and j are indeed each other inverses, that j is defined on all points of $\mathbb{F}_p \times \mathbb{F}_p$ and that f is defined everywhere except at the two points $\{ 1,-2z^5+6z^3-4z-1 \} \subset T_6$ . Therefore, as long as we avoid these two points in our Diffie-Hellman key exchange, we can perform it using just $2=\phi(6)$ pits : I will send you f(g^a) allowing you to compute our shared key $f(g^{ab})$ or $g^{ab}$ from my data and your secret number b.