Abelian Varieties and Cryptography

V. Kumar Murty

Department of Mathematics, University of Toronto, 40 St. George Street, Toronto, ON M5S 3G3, Canada


Abstract. Let A be an Abelian variety over a finite field F. The possibility of using the group A(F) of points on A in F as the basis of a public-key cryptography scheme is still at an early stage of exploration. In this article, we will discuss some of the issues and their current status. In particular, we will discuss arithmetic on Abelian varieties, methods for point counting, and attacks on the Discrete Logarithm Problem, especially those that are peculiar to higher-dimensional varieties.

1 Introduction

Let A be an Abelian variety over a finite field F. Thus A is a smooth projective algebraic variety defined over F on which there is an algebraic group operation, also defined over F. In particular, the identity element O of the group is an F-rational point. Abelian varieties of dimension one are called elliptic curves.

The possibility of using the group A(F) of points on A in F as the basis of a public-key cryptography scheme is still at an early stage of exploration. In this article, we will discuss some of the issues and their current status. In particular, we will discuss the problem of explicit and efficient arithmetic, algorithms for efficient point counting, and criteria by which to eliminate cryptographically weak Abelian varieties.

In order to keep our discussion to a moderate length, we shall merely outline or draw attention to the many developments in this subject. We shall try to emphasize those aspects in which we believe more work is needed.

Denote by $\bar{F}$ an algebraic closure of F and let

$$G = \mathrm{Gal}(\bar{F}/F)$$

be the Galois group. It is a procyclic group, being the inverse limit of cyclic groups:

$$G \simeq \hat{\mathbb{Z}} = \varprojlim \mathbb{Z}/N\mathbb{Z}.$$

Let Frob = $\mathrm{Frob}_F$ be the map

$$x \mapsto x^q$$

where q is the number of elements in F. Sometimes, we may also write $\mathrm{Frob}_q$. It is a topological generator of G.

S. Maitra et al. (Eds.): INDOCRYPT 2005, LNCS 3797, pp. 1–12, 2005. © Springer-Verlag Berlin Heidelberg 2005


There is an action of G on $A(\bar{F})$. In particular, the function

$$n \mapsto \deg(\mathrm{Frob} - n)$$

is well defined. There is a polynomial $P_A(T)$ with the property that for every n (sufficiently large),

$$P_A(n) = \deg(\mathrm{Frob} - n).$$

This is called the characteristic polynomial of the Frobenius automorphism. It has many wonderful properties. In particular,

$$|A(F)| = P_A(1).$$

Moreover, if d is the dimension of A,

$$P_A(T) = \prod_{i=1}^{2d} (1 - \omega_i T)$$

where

$$|\omega_i| = q^{1/2}$$

and for $1 \le i \le d$,

$$\omega_i \omega_{d+i} = q.$$

We see from this that

$$|A(F)| = q^d + O(q^{d - 1/2}).$$

Since Abelian varieties of higher dimension have more points (roughly $q^d$ where d is the dimension), a generic attack should take about

$$q^{d/2}$$

steps. This means that it may be possible to use them as the basis of a secure cryptographic scheme with a smaller value of q. Thus, for example, from this point of view, a two-dimensional Abelian variety over a field of approximate size $2^{82}$ would be as secure as an elliptic curve over a field of approximate size $2^{164}$.

To realize this in practice, we have to solve several problems:

– Explicit and efficient arithmetic
– Efficient point counting
– Understanding of other attacks that are peculiar to this setting.

2 Explicit and Efficient Arithmetic

For explicit and efficient arithmetic, most effort has been directed at elliptic curves. The state of the art in efficient implementations of arithmetic of elliptic curves over finite fields is given in the book [12]. It should be noted that some of this work is, in fact, about improving the efficiency of arithmetic in finite fields. These results can of course be applied directly in the higher dimensional case as well.


In the higher dimensional case, we have already pointed out that the larger group order ostensibly allows us to work securely in a finite field of smaller size. However, there are two difficulties. Firstly, the theory of Abelian varieties in higher dimensions has not, for the most part, been developed from the point of view of explicit equations or explicit arithmetic. Much work remains to be done in this regard. Secondly, even where one is able to explicitly give equations, the number of variables tends to be large and this adds complexity to the algorithm. In general, this added complexity seems to offset any gain that might be had by working over a field of smaller size.

One class of Abelian varieties for which these problems have been studied extensively is that of Jacobians of hyperelliptic curves. In this case, there has been significant progress in developing efficient arithmetic. The general algorithm of Cantor gives formulae for the addition of points on such Jacobians [4]. A considerable amount of work by many authors (including Chao, Gonda, Guajardo, Guyot, Harley, Kaveh, Kuroki, Lange, Matsuo, Nagao, Paar, Patankar, Pelzl, Tsujii, Wollinger and others) has been done on refining this algorithm to improve the complexity. The standard by which such work is compared is the speed relative to the known implementations for comparable elliptic curve arithmetic.

For Abelian varieties that are Jacobians of hyperelliptic curves of genus 3, the work of Guyot, Kaveh and Patankar [11] shows that in some cases, the arithmetic is faster than comparable elliptic curve arithmetic. Their work builds on the explicit formula method of Tanja Lange and others. It should be noted that in making this comparison, the authors took into account the index calculus attack of Theriault [22] on Jacobians of genus three hyperelliptic curves.

There has also been progress on the arithmetic of Abelian varieties that arise as the Jacobian of more general curves. There is a general treatment due to Arita, Miura and Sekiguchi [2].

3 Point Counting

For the problem of point counting, there are fast algorithms in the case of hyperelliptic Jacobians over fields of small characteristic (work of Satoh [20], Fouquet, Gaudry and Harley [8], Kedlaya [14], Denef and Vercauteren [7], and others).

For the case of a general Abelian variety, there is only a baby step-giant step approach to point counting. Gaudry and Harley [10] observed that if one knew the number of points modulo an integer m, this can be sped up by a factor of $\sqrt{m}$. An interesting result of Chao, Matsuo and Tsujii [5] was that this could be improved if we knew the entire characteristic polynomial of Frobenius $P_A(T)$ modulo m. This work was refined by Izadi and the author [13].

As an illustration of this, consider the case d = 3 (where d is the dimension of A). The Gaudry-Harley algorithm costs

$$O(q^{5/4}/m^{1/2})$$

steps. The algorithm of Chao-Matsuo-Tsujii costs

$$O(q^{3/2}/m)$$

steps. The refined algorithm in [13] gives a cost of

$$O(q^{5/4}/m)$$

steps.

Much further work is needed to develop practical techniques of point counting for general Abelian varieties.

4 Primality of the Group Order

The next question that arises is how likely it is that $\#A(F_q)$ is prime or nearly prime. It will be interesting to estimate this as we vary over all Abelian varieties of a fixed dimension over a fixed finite field. A related problem is to consider a fixed Abelian variety over a number field and its reductions modulo various primes. Let us briefly discuss the latter problem. It is a difficult one even in the case of elliptic curves.

More precisely, consider an elliptic curve E over the rational numbers Q. There is the following result of Ali Miri and the author [1]. Let E be an elliptic curve over Q. Assuming the Generalized Riemann Hypothesis (GRH) (for all Dedekind zeta functions), we have that

$$|E(F_p)|$$

has log log p prime divisors for a set of primes of density 1. Since log log p grows very slowly with p, this is bounded in cryptographic ranges.

The Generalized Riemann Hypothesis is the assertion that the non-trivial zeros of the zeta function $\zeta_F(s)$ of a number field F are on the critical line $\mathrm{Re}(s) = \frac{1}{2}$. This hypothesis is often introduced because it helps us to control the error terms when counting prime ideals that satisfy certain splitting conditions. In turn, certain natural Galois representations allow us to relate group orders of Abelian varieties to the number of prime ideals with prescribed splitting conditions.

In some cases, it is possible to dispense with the GRH by using sieve methods. For example, in the case that E has complex multiplication, the above result has been proved unconditionally by Cojocaru [6].

Note that there is a conjecture of Koblitz that asserts that $\#E(F_p)$ should be prime for

$$\sim c_E \frac{x}{(\log x)^2}$$

of the primes p ≤ x where $c_E > 0$ is a constant depending on E. He made this conjecture in analogy with the conjectures of Hardy and Littlewood about primes of the form 2p + 1. Koblitz's conjecture is still open. The first progress towards the conjecture of Koblitz was the result of Ali Miri and the author [13]. There it was shown that assuming the GRH, there are

$$\gg \frac{x}{(\log x)^2}$$

primes p ≤ x such that $\#E(F_p)$ has at most 13 prime divisors.

This used the lower bound Selberg sieve method. The result has been improved by Steuding and Weng [21] who showed (using the weighted sieve) that 13 can be replaced by 8. In the case that E has complex multiplication, these results have been proved unconditionally and refined by Cojocaru [6]. In particular, she shows that 13 can be replaced by 6 in the CM case.

For elliptic curves without complex multiplication, we can assert the existence of large prime power divisors for a positive proportion of the primes. More precisely, we have the following result due to Ram Murty and the author.

Theorem 1. (Murty-Murty). Let E be an elliptic curve defined over the rationals which does not have complex multiplication. Assume the Generalized Riemann Hypothesis (GRH) for Dedekind zeta functions. Then, for a positive proportion of the primes p,

$$|E(F_p)|$$

has a prime power divisor $> p^{1/5-\epsilon}$.

Note that $|E(F_p)|$ is roughly of size p.

Outline of Proof. Let us set

$$N_p = \#E(F_p).$$

Then by the Weil bound,

$$N_p = p + O(p^{1/2}).$$

Thus, by the prime number theorem,

$$\sum_{p \le x} \log N_p \sim x.$$

On the other hand, the sum on the left is also equal to

$$\sum_{d \le x} \Lambda(d)\,\pi(x, d)$$

where $\Lambda(d)$ is the usual von Mangoldt function and

$$\pi(x, d) = \#\{p \le x : N_p \equiv 0 \bmod d\}.$$

Assuming the GRH and using the Chebotarev density theorem, we have

$$\pi(x, d) = \frac{1}{d}\pi(x) + O(d^{3/2} x^{1/2} \log dNx)$$

where N is the conductor of E. This means that

$$\sum_{d \le x^{1/5-\epsilon}} \Lambda(d)\,\pi(x, d) = \pi(x)\left(\frac{1}{5} - \epsilon\right)\log x + O(x^{1-\epsilon}).$$

Hence

$$\sum_{x^{1/5-\epsilon} \le d \le x} \Lambda(d)\,\pi(x, d) \sim \left(\frac{4}{5} + \epsilon\right)x.$$

Since the left hand side is

$$\sum_{\substack{p \le x \\ x^{1/5-\epsilon} \le d \le x \\ d \mid N_p}} \Lambda(d) \;\le\; (\log x) \sum_{\substack{p \le x \\ x^{1/5-\epsilon} \le d \le x \\ d \mid N_p \\ d \text{ prime power}}} 1,$$

we deduce that for a set of primes p of density at least $\frac{4}{5}$, $N_p$ has a prime power divisor $> p^{1/5-\epsilon}$.

5 Splitting of Abelian Varieties

A phenomenon that is peculiar to the higher dimensional case is that of “splitting modulo all primes”. It is possible to have a simple (or absolutely simple) Abelian variety defined over a number field which has the property that with only finitely many exceptions, when it is reduced modulo a prime (ideal), it factors into Abelian varieties of smaller dimension. In particular, the group order will not be prime. By the usual attacks, this makes such an Abelian variety not optimal for cryptographic purposes.

This phenomenon of course cannot occur for elliptic curves. But it already occurs in the two dimensional case, that is for Abelian surfaces. In particular, let A be an Abelian surface that has endomorphisms by an indefinite quaternion division algebra over Q. At all but finitely many primes p, the reduction $A_p$ modulo p is of the form

$$A_p \sim E_p \times E_p$$

where $E_p$ is an elliptic curve over the residue field. Thus, even though A is simple globally, it splits everywhere locally.

This is the geometric analogue of a phenomenon that has been known for a long time in the context of polynomials. For example, the polynomial $T^4 + 1$ is irreducible over Q but factors modulo p for every prime p.

This failure of the “local-global principle” was studied in [17] and in the thesis of Patankar [19]. Much further investigation is needed here to identify which Abelian varieties have this property.


6 The Weil and Tate Pairings

Let $\hat{A}$ denote the dual Abelian variety. The first pairing to consider is one that comes from the cup product:

$$\langle \cdot, \cdot \rangle : A[m] \times \hat{A}[m] \longrightarrow \mu_m.$$

This is the Weil pairing and it is a non-degenerate pairing. In particular, if P is a point in A[m] rational over F, then there is a point $R \in \hat{A}[m]$ rational over $\bar{F}$ such that

$$\langle P, R \rangle \neq 1.$$

Now, if Q is a point in A[m] with Q = rP, then

$$\langle Q, R \rangle = \langle rP, R \rangle = \langle P, R \rangle^r.$$

Thus, if the pairing $\langle \cdot, \cdot \rangle$ can be computed efficiently, and if R can be found efficiently, then the Discrete Logarithm problem on A(F) can be transferred to one in $\mu_m$. For the latter, there are subexponential algorithms available.

This is the basis of the Menezes-Okamoto-Vanstone [15] attack. They considered the case of elliptic curves. In this case, $\hat{E} = E$ and we have a self-pairing

$$E[m] \times E[m] \longrightarrow \mu_m$$

that is alternating and non-degenerate. Using the isomorphism

$$E[m] \simeq (\mathbb{Z}/m)^2,$$

the above pairing is the exterior square map. Indeed, fix a basis P, Q say of E[m]. For $T_1, T_2 \in E[m]$, write

$$T_i = a_i P + b_i Q.$$

Then

$$\langle T_1, T_2 \rangle = \det \begin{pmatrix} a_1 & a_2 \\ b_1 & b_2 \end{pmatrix}.$$

In this case there is an efficient algorithm for computing the Weil pairing due to Miller [16]. We shall return to this later.

Frey and Ruck [9] have indicated that a different pairing can be used in a similar way. Suppose that m is prime to the characteristic of F and suppose that the m-th roots of unity are in F. They define a pairing

$$A(F)/mA(F) \times A(F)[m] \longrightarrow F^{\times}/F^{\times m} \simeq \mu_m.$$

Frey and Ruck call this the Lichtenbaum-Tate pairing (or just the Tate pairing for short). The method of Miller allows for the computation of this pairing as well in the case of elliptic curves.


7 Computation of Pairings

Let $E/F_q$ be an elliptic curve (where q is a power of the prime p). Let gcd(m, p) = 1. Denote by $\mathrm{Div}^0(E)$ the abelian group of divisors of degree zero on E. Two such divisors, $D_1$ and $D_2$ say, are said to be linearly equivalent (written $D_1 \sim D_2$) if their difference is the divisor of a rational function on E. There is an isomorphism

$$E \simeq \mathrm{Div}^0(E)/\sim$$

given by

$$P \mapsto \text{the class of } (P) - (O).$$

For $P, Q \in E[m]$, take $D_P, D_Q \in \mathrm{Div}^0(E)$ with $D_P \sim (P) - (O)$ and $D_Q \sim (Q) - (O)$. Let $f_P, f_Q$ be rational functions such that $\mathrm{div}(f_P) = mD_P$, $\mathrm{div}(f_Q) = mD_Q$. Suppose that $D_P$ and $D_Q$ have disjoint supports. Then the Weil pairing is given by

$$\langle P, Q \rangle = \frac{f_P(D_Q)}{f_Q(D_P)}.$$

The Tate pairing can also be described using $f_P(D_Q)$. We must assume that F contains the m-th roots of unity. The pairing

$$T : E(F)[m] \times E(F)/mE(F) \longrightarrow F^{\times}/F^{\times m}$$

is given by

$$T(P, Q) = f_P(D_Q) \bmod mE(F).$$

Miller's algorithm provides an efficient method to compute $f_P(D_Q)$. According to this algorithm, one begins by randomly picking R, and forming

$$D_P = (P + R) - (R).$$

If

$$\mathrm{div}(f_k) = k(P + R) - k(R) - (kP) + (O)$$

then $f_m = f_P$.

We can compute $f_m$ inductively as follows. For $R, S \in E$, let us denote by $h_{R,S} = 0$ the straight line through R, S. Let us also denote by $h_S = 0$ the vertical line through S. Then

$$\mathrm{div}(h_{k_1P,k_2P}) = (k_1P) + (k_2P) + (-(k_1 + k_2)P) - 3(O)$$

and

$$\mathrm{div}(h_{(k_1+k_2)P}) = ((k_1 + k_2)P) + (-(k_1 + k_2)P) - 2(O)$$

and so

$$f_{k_1+k_2} = \frac{f_{k_1} f_{k_2} h_{k_1P,k_2P}}{h_{(k_1+k_2)P}}.$$

The initial conditions are $f_0 = 1$ and

$$f_1 = \frac{h_{P+R}}{h_{P,R}}.$$


Thus, the algorithm is as follows:

    INPUTS: m = Σ_{i=0}^{t} b_i 2^i, S ∈ E
    OUTPUT: f = f_m(S)

    f ← f_1; Z ← P;
    For j ← t − 1, t − 2, . . . , 1, 0 do
        f ← f^2 · h_{Z,Z}(S) / h_{2Z}(S); Z ← 2Z;
        If b_j = 1 then
            f ← f_1 · f · h_{Z,P}(S) / h_{Z+P}(S); Z ← Z + P;
        Endif
    Endfor
    Return f
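
Added example, not code from the paper: the recursion above in Python on a constructed toy curve, taking D_P = (P) − (O) so that f_1 = 1 and evaluating on the shifted divisor D_Q = (Q + S) − (S), which makes the identity ⟨rP, R⟩ = ⟨P, R⟩^r of Section 6 checkable. The curve, the points P, Q, S and all function names are illustrative assumptions, and p = 631 is far too small for cryptographic use.

```python
# Constructed toy parameters, far too small for real use:
# E: y^2 = x^3 + 30x + 34 over F_631; P, Q span E[5]; S is an auxiliary point outside E[5].
p, a = 631, 30
P, Q, S, M = (36, 60), (121, 387), (0, 36), 5
O = None  # point at infinity

def inv(x):
    return pow(x % p, -1, p)  # raises ValueError on 0, i.e. on a degenerate evaluation

def neg(A):
    return O if A is O else (A[0], -A[1] % p)

def slope(A, B):
    """Slope of the line h_{A,B} (tangent if A == B); None when that line is vertical."""
    if A[0] == B[0] and (A[1] + B[1]) % p == 0:
        return None
    if A == B:
        return (3 * A[0] * A[0] + a) * inv(2 * A[1]) % p
    return (B[1] - A[1]) * inv(B[0] - A[0]) % p

def add(A, B):
    if A is O:
        return B
    if B is O:
        return A
    lam = slope(A, B)
    if lam is None:
        return O
    x3 = (lam * lam - A[0] - B[0]) % p
    return (x3, (lam * (A[0] - x3) - A[1]) % p)

def mul(k, A):
    R = O
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, A)
    return R

def line_ratio(Z, W, X):
    """h_{Z,W}(X) / h_{Z+W}(X), the factor used in each step of the recursion."""
    lam = slope(Z, W)
    if lam is None:  # Z + W = O: h_{Z,W} is the vertical through Z and h_O is constant
        return (X[0] - Z[0]) % p
    num = X[1] - Z[1] - lam * (X[0] - Z[0])
    den = X[0] - (lam * lam - Z[0] - W[0])
    return num * inv(den) % p

def miller(A, m, X):
    """f_m(X) with div(f_m) = m(A) - m(O): the loop above with f_1 = 1."""
    if A is O or mul(m, A) is not O:
        raise ValueError("A must be a nonzero m-torsion point")
    f, Z = 1, A
    for bit in bin(m)[3:]:  # bits b_{t-1}, ..., b_0 below the leading one
        f = f * f * line_ratio(Z, Z, X) % p
        Z = add(Z, Z)
        if bit == "1":
            f = f * line_ratio(Z, A, X) % p
            Z = add(Z, A)
    return f

def weil(A, B, m, S):
    """<A, B> = f_A(D_B) / f_B(D_A) with D_A = (A) - (O) and D_B = (B + S) - (S)."""
    f_a = miller(A, m, add(B, S)) * inv(miller(A, m, S))
    # Translating f_B by S gives a function with divisor m*D_B, evaluated here on D_A.
    f_b = miller(B, m, add(A, neg(S))) * inv(miller(B, m, neg(S)))
    return f_a * inv(f_b) % p

def tate(A, B, m, S):
    """Tate pairing f_A(D_B), sent to a unique representative in mu_m by the power (p-1)/m."""
    return pow(miller(A, m, add(B, S)) * inv(miller(A, m, S)), (p - 1) // m, p)
```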

There have been refinements and improvements of this basic algorithm in various settings due to many authors including Barreto, Eisentrager, Galbraith, Harrison, Kim, Lauter, Lynn, Montgomery, Scott and Soldera. In recent joint work with Ian Blake and Greg Xu [3], we have discovered some refinements of Miller's algorithm that apply in general. Our approach works for arbitrary finite fields and saves $\log_2 m$ field multiplications. A variant for finite fields of characteristic three saves $\log_3 m$ field multiplications. (In this case, $\log_3 m$ point triplings are performed, which can be done very efficiently.) We expect that similar calculations should work whenever one has an effective Riemann-Roch theorem.

8 Attacks on the Abelian Variety Discrete Logarithm Problem Using Pairings

Let us return to the Tate pairing. Work of Lichtenbaum and Tate shows that this is a non-degenerate pairing. To use it for the Discrete Logarithm problem, one tries to find a point R ∈ A(F) such that the map

$$A[m] \longrightarrow \mu_m$$

given by

$$P \mapsto \langle R, P \rangle$$

is an isomorphism. One then uses this map as with the Weil pairing to solve the Discrete Logarithm problem. For the Discrete Logarithm problem, the essential point is that there is an embedding of a large cyclic subgroup of A(F) into $\mu_m$ (or more precisely, into the multiplicative group $F^{\times}$) where one can use index calculus methods to mount a subexponential attack.

This approach is very successful for supersingular Abelian varieties. The reason is that in this case, the eigenvalues of Frobenius are of the form

$$q^{1/2} \zeta$$


where ζ is a root of unity. Since the eigenvalues lie in an extension field of Q of degree ≤ 2d, this bounds the order of ζ. For example, for an elliptic curve, we see that $\zeta^2$ lies in a quadratic field. So if ζ is an m-th root of unity, then

$$\phi(m/(2, m)) \le 2.$$

This means that m ≤ 6. Thus, all the eigenvalues are (after normalization) roots of a cyclotomic polynomial. In particular, $|A(F_q)|$ (or at least its exponent) divides $q^k - 1$ for some k that depends only on dim A. Thus if m divides this order, then m divides $q^k - 1$ and one applies the Tate pairing over the field $F_{q^k}$.

If one tries to apply this attack in general, the problem is that there is no good bound for k. However, one might consider Abelian varieties that are “almost supersingular” in the following sense. Let L be the splitting field of the characteristic polynomial $P_A(T)$ of Frobenius. Choose a prime $\mathfrak{p}$ of L above p. Consider the set of slopes

$$\mathrm{Slopes}(A) = \{\mathrm{ord}_{\mathfrak{p}}\,\alpha : P_A(\alpha) = 0\}.$$

This set is independent of the choice of prime $\mathfrak{p}$ because L is Galois over Q. Define also the length of each slope: for c ∈ Slopes(A), set

$$\mathrm{length}(c) = \#\{\alpha : \mathrm{ord}_{\mathfrak{p}}\,\alpha = c\}$$

where α ranges over zeros of $P_A(T)$. A supersingular Abelian variety A can be characterized by

$$\mathrm{Slopes}(A) = \{\tfrac{1}{2}\}$$

and

$$\mathrm{length}(\tfrac{1}{2}) = 2d.$$

An almost supersingular Abelian variety A (or what Zarhin [23] calls Abelian varieties of K3-type) can be defined as one for which

$$\mathrm{Slopes}(A) = \{0, 1, \tfrac{1}{2}\}$$

with

$$\mathrm{length}(0) = \mathrm{length}(1) = 1$$

and

$$\mathrm{length}(\tfrac{1}{2}) = 2d - 2.$$

For example, consider

$$A = E_1 \times E_2$$

where $E_1$ is an ordinary elliptic curve and $E_2$ is a supersingular elliptic curve. The Discrete Logarithm Problem here can be solved in

$$O(q^{1/2+\epsilon})$$


steps. This is not subexponential but is much better than the generic square root attack which in this case would take

$$O(q)$$

steps. Can one use pairings on almost supersingular Abelian varieties to get an attack on DLP that is better than the square root attack?
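
Added example, not from the paper: a Python screen that reads the slope set and lengths defined above off the Newton polygon of P_A(T) and reports, for each prime ℓ dividing |A(F_q)| = P_A(1), the least k with ℓ | q^k − 1, which is the extension degree over which the pairing attack runs. It assumes q = p is prime, takes P_A as the monic polynomial whose roots are the Frobenius eigenvalues with coefficients listed from the constant term up, and uses constructed Frobenius polynomials; all function names are hypothetical.

```python
from fractions import Fraction

# Constructed inputs over F_p, p = 1019, coefficients listed from the constant term up:
P_SS = [1019, 0, 1]    # T^2 + p: trace 0, e.g. y^2 = x^3 + x (p = 3 mod 4), supersingular
P_ORD = [1019, -3, 1]  # T^2 - 3T + p: a constructed trace 3, prime to p, hence ordinary

def poly_mul(f, g):
    """Characteristic polynomial of a product variety is the product of the factors'."""
    out = [0] * (len(f) + len(g) - 1)
    for i, x in enumerate(f):
        for j, y in enumerate(g):
            out[i + j] += x * y
    return out

def valuation(n, p):
    v = 0
    while n % p == 0:
        n, v = n // p, v + 1
    return v

def slopes(coeffs, p):
    """{slope c: length(c)} read off the Newton polygon of P_A at p (q = p assumed)."""
    pts = [(i, valuation(c, p)) for i, c in enumerate(coeffs) if c]
    out, cur = {}, pts[0]
    while cur != pts[-1]:
        # Next vertex of the lower convex hull: least slope, farthest point on ties.
        nxt = min((t for t in pts if t[0] > cur[0]),
                  key=lambda t: (Fraction(t[1] - cur[1], t[0] - cur[0]), -t[0]))
        c = Fraction(cur[1] - nxt[1], nxt[0] - cur[0])  # ord_p of the roots on this edge
        out[c] = out.get(c, 0) + nxt[0] - cur[0]
        cur = nxt
    return out

def classify(coeffs, p):
    d, s, half = (len(coeffs) - 1) // 2, slopes(coeffs, p), Fraction(1, 2)
    if s == {half: 2 * d}:
        return "supersingular"
    if d >= 2 and s == {0: 1, 1: 1, half: 2 * d - 2}:
        return "almost supersingular"
    return "ordinary" if s == {0: d, 1: d} else "other"

def prime_factors(n):
    out, f = [], 2
    while f * f <= n:
        if n % f == 0:
            out.append(f)
            while n % f == 0:
                n //= f
        f += 1
    return out + ([n] if n > 1 else [])

def embedding_degree(q, ell):
    """Smallest k with ell | q**k - 1, i.e. the order of q modulo the prime ell."""
    k, x = 1, q % ell
    while x != 1:
        x, k = x * q % ell, k + 1
    return k

def screen(coeffs, q):
    """Group order P_A(1), slope type, and embedding degree of each prime-order subgroup."""
    order = sum(coeffs)
    degs = {l: embedding_degree(q, l) for l in prime_factors(order) if q % l}
    return {"order": order, "type": classify(coeffs, q), "k": degs}
```

For the constructed product E_1 × E_2, the subgroup of order 17 coming from the supersingular factor has k = 2, while the subgroup of order 113 coming from the ordinary factor has k = 28.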

References

1. S. A. Miri and V. Kumar Murty, An application of sieve methods to elliptic curves, in: INDOCRYPT 2001, pp. 91-98, Lecture Notes in Computer Science 2247, Springer, Berlin, 2001.

2. S. Arita, S. Miura, T. Sekiguchi, An addition algorithm on the Jacobian varieties of curves, J. Ramanujan Math. Soc., 19(2004), 235-251.

3. I. Blake, V. Kumar Murty and G. Xu, Refinements of Miller's algorithm for computing the Weil/Tate pairing, J. Algorithms, to appear.

4. D. Cantor, Computing in the Jacobian of a hyperelliptic curve, Math. Comp., 48(1987), 95-101.

5. J. Chao, K. Matsuo, S. Tsujii, Baby step giant step algorithms in point counting of hyperelliptic curves, IEICE Trans. Fundamentals, E86-A, 4(2003).

6. A. Cojocaru, Bounded number of prime factors for the orders of the reductions of a CM elliptic curve, preprint, 2004.

7. J. Denef and F. Vercauteren, An extension of Kedlaya's algorithm to Artin-Schreier curves in characteristic 2, in: ANTS-V, pp. 308-323, eds. C. Fieker and D. Kohel, Lecture Notes in Computer Science 2369, Springer-Verlag, 2002.

8. M. Fouquet, P. Gaudry and R. Harley, An extension of Satoh's algorithm and its implementation, J. Ramanujan Math. Soc., 15(2000), 281-318.

9. G. Frey and H. Ruck, A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves, Math. Comp., 62(1994), 865-874.

10. P. Gaudry and R. Harley, Counting points on hyperelliptic curves over finite fields, in: ANTS-IV, pp. 297-312, ed. W. Bosma, Lecture Notes in Computer Science 1838, Springer-Verlag, 2000.

11. C. Guyot, K. Kaveh and V. Patankar, Explicit algorithm for the arithmetic on the hyperelliptic Jacobians of genus 3, J. Ramanujan Math. Soc., 19(2004), 75-115.

12. D. Hankerson, A. Menezes and S. Vanstone, Guide to Elliptic Curve Cryptography, Springer-Verlag, New York, 2004.

13. F. Izadi and V. Kumar Murty, Counting points on an Abelian variety over a finite field, in: INDOCRYPT 2003, pp. 323-333, eds. T. Johansson and S. Maitra, Lecture Notes in Computer Science 2904, Springer, 2004.

14. K. Kedlaya, Counting points on hyperelliptic curves using Monsky-Washnitzer cohomology, J. Ramanujan Math. Soc., 16(2001), 323-338. See also Errata, 18(2003), 417-418.

15. A. Menezes, T. Okamoto and S. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field, IEEE Trans. Inform. Theory, 39(5)(1993), 1639-1646.

16. V. Miller, The Weil pairing and its efficient calculation, J. Cryptology, 17(2004), 235-261.

17. V. Kumar Murty, Splitting of Abelian varieties: a new local-global problem, in: Algebra and Number Theory, ed. R. Tandon, Hindustan Book Agency, Delhi, 2005.

18. D. Mumford, Abelian Varieties, Oxford.

19. V. Patankar, Splitting of Abelian varieties, Ph.D Thesis, University of Toronto, 2005.

20. T. Satoh, The canonical lift of an ordinary elliptic curve over a finite field and its point counting, J. Ramanujan Math. Soc., 15(2000), 247-270.

21. J. Steuding and A. Weng, On the number of prime divisors of the order of elliptic curves modulo p, Acta Arith., 117(2005), 341-352.

22. N. Theriault, Index calculus attack for hyperelliptic curves of small genus, in: ASIACRYPT 2003, pp. 75-92, Lecture Notes in Computer Science 2894, Springer-Verlag, New York, 2003.

23. Y. Zarhin, Abelian varieties of K3-type and ℓ-adic representations, in: Algebraic Geometry and Analytic Geometry, pp. 231-255, Springer-Verlag, Tokyo, 1991.