So it's my pleasure to introduce
the first speaker for AGNES.
Kristin Lauter is a number
theorist and cryptographer
at Microsoft Research.
In fact, she's a
research manager
of her group at
Microsoft Research.
I've known Kristin
for quite a long time,
and we've worked together
on many projects.
One thing I would
like to mention
is that Kristin is currently
the president of the Association
for Women in Mathematics.
And so she's been active in
a number of areas that are
important to mathematicians.
If you haven't had a chance to
take a look at the AWM website
and see all the
things that are going
on in terms of research,
conferences, and symposia,
please do.
Anyway, it's my pleasure to
introduce Kristin and welcome
her today.
Thank you.
With that kind
introduction, I feel
that I have to return the favor.
Oh.
I tried to turn it on.
Is it on now?
It's got a green light.
Yep, it's on.
So Jill was my first-year
professor as an undergrad
at the University of Chicago.
So largely responsible for
me going into mathematics.
And she was also president
of the AWM several years ago.
So I want to start by thanking
the organizers for inviting me.
It's a great opportunity
to be here to talk to you.
So I prepared a
talk which I hope
will be of general interest to a
fairly broad audience of mostly
algebraic geometers.
But I was told in
particular that there
would be a lot of graduate
students in algebraic geometry,
so I thought I would take
this opportunity to talk
about a lot of open problems.
And that brought me up to
my first problem-- my title.
So I came up with this
title, "Cryptography Problems
in Algebraic Geometry."
But then I was like, or is it
"Algebraic Geometry Problems
in Cryptography"?
And then actually
I started to think,
what's the difference
between these two things?
And the interesting
thing is that I
think there is probably
a subtle difference
in the following sense.
So cryptographic problems--
problems in cryptography--
are often kind of very
algorithmic in nature.
And I'll talk about that in
a little bit more detail.
Whereas often in
algebraic geometry,
I think in mathematics, people
often think that doing math
means just kind of
proving a theorem.
So the interesting
thing is, and the point
I'd like to make through
a lot of examples today,
is that when you're
doing research
in this area, this kind of a
distinct research area, which
is a combination of cryptography
and algebraic geometry,
I think you really
end up doing both.
There are algorithmic
problems that
need to be solved, but
then a lot of times
to solve algorithmic problems
you have theoretical problems
and theorems that need
to be proved as well.
So I think both titles
are appropriate.
So basically I
don't know how much
I'm going to get
through in an hour.
But I decided to
list a bunch of kind
of nine open problems, areas.
These are all problems I
listed because I really
feel like there's still
some significant kind
of open component to it.
There's some partial solutions
that I'm going to talk about.
But there are some very
interesting challenges,
some of which would have a very,
very big impact on cryptography
and the way that
it's practiced today.
As you can probably tell
from the length of the list,
I'm not going to be able to go
through all of these problems.
And roughly speaking,
the amount of detail
is going to decrease as we
go from problem to problem.
And I'm probably
going to end somewhere
around just telling you
what problem number five is.
So most of these I really
won't have time to talk about.
I can say a few words about
them at the end if there's time.
But so besides the kind of a
little bit of a cryptography
preamble that I'm
going to do, there's
going to be kind of
four main sections.
So if you're not as
interested in one problem,
or you don't follow one problem,
you can wait until the next,
and you might find
it more interesting,
because some of them are
of quite a different nature.
So kind of my comment, my view
on this area as a research
field is that like I said,
so cryptography problems
are mostly algorithmic.
That is, you're usually
thinking about, OK, well,
if I post this problem
and I say it's hard,
how long is it going to take an
attacker to solve this problem?
Another thing that's
extremely important
is, oh if I want to go tell
my management that we should
implement some new
crypto system, what's
the overhead going to be?
How many seconds or milliseconds
or microseconds delay
is a user going to experience
when I all of a sudden layer
security on top of
whatever protocol
they were trying to do?
So how much space is my
code going to take up?
If it's going to run on
some constrained device,
is there enough memory on this
device for this code to run?
Things like that.
How expensive is it going
to be for an attacker
to mount an attack?
How much hardware
and space are they
going to need for
this algorithm?
That kind of thing.
So a lot of these
are results where,
if you have a
solution, an algorithm,
it's usually measured not just
by the fact that it exists,
but how good is it in the sense
of what is its running time,
and also what are its
space requirements?
So that's the kind of framework
for research in this area.
And a very key kind of set
of terminology-- and you'll
probably hear me mention this
throughout the talk-- we talk
about polynomial-time
algorithms
versus exponential algorithms,
and then, kind of in between,
sub-exponential algorithms.
So what we mean by
polynomial-time algorithms
is that their running time-- or
it could be applied to space as
well-- but their running time is
a polynomial in the input size.
So the input size is the
number of bits it takes
you to write down the input.
So if it's a group
of size-- we usually
talk about the order of g-- then
a polynomial-time algorithm
would be something that
runs in time polynomial
in the log of the size of
g, the group order of g.
So one thing that you'll hear
me mention quite a few times
is square root algorithms.
Square root algorithms
are algorithms
that run in the square
root of the group size.
So those are
exponential algorithms.
They are not a polynomial in
the log of the group size.
And in between
exponential and polynomial
is sub-exponential,
which are essentially
you can think of them as
they're exponential in some kind
of like fractional
power of the log.
So that's kind of an
important framework
for considering these.
So the other thing that's kind
of interesting about this area,
it's a really awesome
area to do research in.
But it does require this
kind of strange combination
of background.
So algebraic geometry and number
theory figure heavily into it.
You'll see that in a
lot of different aspects
of the problems I'm
going to mention today.
But you also really need to
have a good sense of algorithms,
because cryptographic
sizes are very, very large.
They're much larger
than what you're
used to thinking about when
you think about math problems.
And so you really have to think
about algorithms in this sense
that I talked about above that
considers their running time,
and their space requirements.
And also another aspect of
this research area-- and I
think this may be becoming more
and more true in lots of areas
of math-- but
definitely programming
ability is very, very helpful.
And being comfortable,
and really
having fun with programming
is kind of a requirement,
because you really need
to be able to compute
things, experiment, see how
long things take to run,
things like that.
So just one last point, I think.
I thought this was just kind
of a fun thing to mention.
It's also an area
that to a large extent
you can actually teach to
computer science students
with very little
math background.
So I taught a graduate CS course
on elliptic curve cryptography
to CS students who
knew very little more
than what a finite field was.
That was pretty
much all they knew.
And I'm not sure, but I
think they enjoyed the class.
I picked up a couple of
interns from that class,
so at least some
of them enjoyed it.
So I guess I'm going to start
with a couple of minutes
of just a little bit of
an overview of cryptography.
I know that some people probably
know quite a bit about it.
But just to kind
of set the stage,
cryptography, people say, oh,
the art of keeping secrets.
But that's actually
only a part of it.
So cryptography has
several key components.
This isn't totally
exhaustive, but this gives you
a very good idea of the flavor.
Cryptography encompasses
key exchange,
which is two parties
trying to agree
on a secret, exchanging
only information exchanged
in public.
Signature schemes help
assure kind of authenticity.
So signature schemes
allow parties
to authenticate themselves.
And encryption actually
preserves secrets-- kind
of preserves
confidentiality of data.
And some examples of public key
crypto systems that many of you
will be familiar with are RSA
which was proposed around 1975.
So that's based on the hardness
of factoring large integers.
And just so you know, so there
are sub-exponential algorithms
which are known
for breaking RSA,
and that means that the key
sizes that we have to use
are much larger
than before there
were sub-exponential
algorithms that were known.
So the main
sub-exponential algorithm
that's used for
breaking RSA moduli
is called the
number field sieve.
And it uses a lot of interesting
number theory and number fields
algorithms.
So Diffie-Hellman,
I'm going to tell you
a little bit more detail
about what Diffie-Hellman is.
Diffie-Hellman is a
protocol for key exchange.
And then there are
elliptic curve versions
of these things-- elliptic
curve Diffie-Hellman.
DSA is a government standardized
signature algorithm.
And then there's an
elliptic curve version
of that algorithm.
So just very briefly in
your day-to-day life,
you will be using
and experiencing
these crypto systems at
least in the following ways.
So key exchange is used to
establish secure browser
sessions.
So whenever you go
to an HTTPS site--
which is more and more often.
Lots of sites are HTTPS.
So signed, encrypted
email is not something
that actually most of us use.
Most of us use Gmail
or Hotmail or something
like that, which is not
signed and not encrypted.
It's like sending
a postcard, which
is kind of unauthenticated.
But for some kind of, let's
say, internal corporate mail,
or things like that,
people could implement
signed and encrypted email.
And that's governed by
the standard S/MIME.
So virtual private networking
is what's used to connect,
like when I want to
connect to the Microsoft
corporate network.
And that's governed
by the standard IPsec.
And then, authentication
is very important,
but it's kind of
hidden from all of us:
sometimes you
go to a website and it says,
oh, the certificate for this
website is not recognized.
Are you sure you
want to go there?
And then usually you say, yes,
I want to go there anyway.
So the point is that
what's happening
there is that most of
us, like in the US,
there's a chain of
trust, and we'll
kind of chain up to well-known
or recognized certificates.
And so either if
you're traveling,
or somebody's kind of
established their website
independently, or
something like that,
and not maybe in a mainstream
commercial setting,
they might not be chaining
up to the same root of trust
that we recognize.
So underneath all of our
e-commerce and our trust
there's a very interesting
kind of public policy question
there, which is kind of who
should be trusted to issue
certificates on public keys.
And so right now we're just all
kind of taking this for granted
that this works,
and that there's
a public key
infrastructure that's
actually deployed by companies.
So Verisign, for
example, deploys these.
So although many people
may be well aware of
and familiar with
key exchange, I'd
just like to say what
it is, in the kind
of the mathematical sense.
So two parties, Alice and Bob,
want to agree on a secret key.
And they're going to
exchange information.
And we can assume that
there's an eavesdropper, Eve,
who might see this information.
So that's why we say it's
kind of publicly exchanged.
And Alice is going to
pick a random element a
that she will keep secret.
So the red is secret.
Bob picks b.
But what is known
is some group;
some group is publicly known.
Think of it like a phone book,
or some protocol
that's been published,
so everybody knows what group
you're going to work in.
And particularly-- sorry.
The PowerPoint just
capitalized my group generator.
It was supposed
to be a little g.
Little g generates this group.
So in general for
this we're going
to work in an abelian group.
And it wouldn't
have to be cyclic,
but if not we would work
in some cyclic subgroup.
And it might introduce some
extra checks and issues
that would be problematic.
So we're going to
just assume that it's
a cyclic group generated
by little g for now.
And then Alice is going to
send g to the a over to Bob.
And Bob is going to send
g to the b over to Alice.
And then the secret is going to
be established as g to the ab.
So I'm writing this.
It's a little bit
odd, because I'm
going to spend most of the talk
talking about elliptic curve
cryptography, where the
group law is additive-- it's
an addition law.
But ironically in
computer science,
the computer scientists always
write groups multiplicatively,
because they were used to
Diffie-Hellman in like Z mod pZ
star, or F_p star.
And so everybody thinks
of all the protocols
as being a multiplicative
group laws.
They're all written like
this, even if we're going to
in the end, we're going
to work in a group
where we would prefer to write
the group law additively.
So the point about this
secret is that g to the ab
is something that
both parties can
compute given the publicly
exchanged information
in their own secret, because
each one can take what they
receive and raise it
to their own power--
whereas anyone in the middle,
all they know is g to the a
and g to the b.
And we should all know
that putting those two
together will give us g to the a
plus b, not g to the a times b.
So that's where the
secret comes from.
And there's actually a problem,
which I have written down
on the slide, which is called the
Diffie-Hellman problem, that explicitly
states the hardness of
breaking this protocol.
The Diffie-Hellman problem
is: given g to the a
and g to the b-- this public
information-- can you compute g
to the ab?
And that's called
computational Diffie-Hellman.
And then there's
a decision version
of that problem which is DDH--
decision Diffie-Hellman-- which
is given three group elements--
which is basically g to the a,
g to the b, and then g to the y,
just decide whether g to the y
is equal to g to the ab or not.
So there are some groups in
which this decision problem
is still unknown to be solved.
But there are groups in
which the decision problem
is actually easy, whereas
the computational problem is
still hard or still unknown.
So one of the practical
issues, like I said,
the computer
scientists were used
to working in Z mod
pZ star as a group.
That's a nice cyclic group.
So I mentioned in the
beginning that there
are sub-exponential
algorithms known for RSA.
At some point there were
sub-exponential algorithms
that were discovered for working
on the discrete logarithm
problem in Z mod pZ star.
And those are called
index calculus algorithms.
And very, very
beautiful set of ideas.
And those sub-exponential
algorithms
caused the group
size-- the size of p,
to have to be
increased dramatically.
So today, like a minimum
government standard size
for a p, if you
want to work in Z
mod pZ star would be like
somewhere around 2000 bits.
So 2048-bit Diffie-Hellman is
usually like the minimum size.
And so then when you think
about doing computer arithmetic,
if you have computers with
word size 32 bits or 64 bits,
and you have to do
multiplication mod p, where
p is 2048 bits, the
computational cost
of these things can
be pretty significant.
And also just even the size.
These keys get to be
kind of long-- 2048 bits.
So that introduces issues
of power, bandwidth, time
all of these things.
So at some point an alternative
to working in Z mod
pZ star was introduced.
And that was based on the group
of points on an elliptic curve.
So this has given rise to
kind of a whole field called
elliptic curve cryptography.
So like I said, RSA was
introduced around 1975.
Elliptic curve crypto
was introduced around 1985,
independently by Koblitz
and Victor Miller.
And for those of you that
were not around at that time--
my understanding
is that there were
a lot of really great number
theory algorithms kind
of being proposed
and investigated
around that time in the mid-80s.
So that includes things like the
first polynomial time algorithm
for point counting
on elliptic curves
by René Schoof, the proposal
for the elliptic curve
factoring method
from Hendrik Lenstra.
And so apparently
there were just
a lot of really great algorithms
based on elliptic curves that
were kind of being proposed
and investigated at that time.
And so it was kind of
nice and possibly natural
that it actually came
from two different people
in that community, this proposal
of having elliptic curve
cryptography.
So the security
of elliptic curve
cryptography is based on this
hard problem which is related
to the Diffie-Hellman problem.
I'll say a little bit more
about that in a minute.
But just to say
a couple of words
about this kind of
research community.
So the 25th anniversary
of ECC was actually
held at Microsoft
Research in 2010.
And we sponsored that.
And just to give
you an idea, there
were about 125 researchers
there worldwide,
and that includes people
from academia, government,
and industry.
So it's a very
multidisciplinary community.
And it's larger than
you might think.
I mean there's quite a few
very, very active researchers,
and lots and lots and lots of
papers published every year.
And actually just
this week in Bordeaux
is the 30th anniversary of ECC.
And they hosted ECC there.
And I was told that there were
about 150 researchers there.
And this community
also includes a lot
of people that work on what's
not just elliptic curve
cryptography, but some
of the generalizations
that I'll talk about
today to Jacobians
on higher genus
curves, and also things
like pairing-based
cryptography, which
are also based on pairings
in the algebraic geometry.
So pairing-based
cryptography allows
us to do a lot more kind of
new and interesting protocols
than what we could do without
the pairings that we got,
like the Weil pairing
and the Tate pairing
from algebraic geometry.
So this is the first
problem on my list.
So I'm not doing so well,
because I took up 20 minutes,
and I haven't even started
on my first problem yet.
So the first problem is kind
of the biggest, in a sense.
It's the elliptic curve discrete
logarithm problem-- ECDLP.
And this is very, very important
because-- well so, let's see.
I've been at Microsoft
for more than 16 years.
And when I first
went there, I started
working on getting them to ship
elliptic curve cryptography.
And after about five years
of working on things,
so we finally started shipping
elliptic curve cryptography
around 2005.
And Vista was our first product.
And now pretty much
all of our products
have elliptic curve
cryptography in them.
And it's a worldwide
industry standard.
So if you break ECDLP, that's
going to be a big deal.
So this is definitely the
number one problem on my list.
This is a big problem.
So what do we mean by break?
Again we have generic algorithms
for a lot of crypto problems
which run in the square
root of the group size.
And so typically when people
say you break something,
it means you've come up
with an algorithm that
runs in less than the square
root of the group size.
And sometimes that doesn't
have a big impact in practice
if it's only slightly less.
But certainly it has an impact
over time in choosing key sizes
and trying to see
the future of how you should
set parameters for crypto.
So in general, if you can find
a sub-exponential algorithm,
that's what really
kind of breaks things.
It makes it very kind of unwise
and impractical to implement
something once you
know that there's
sub-exponential attacks.
So I said I'm
lying a little bit here.
It's not that the
best-known algorithms
are running in the square
root of the group size.
In general for these kind
of like the Diffie-Hellman
problems, and some
other problems,
they're actually running in
the square root of the largest
prime factor of the group size.
This is kind of an
important point.
Because if you have a group
which has smooth order,
you have this kind of
Pohlig-Hellman approach, which
allows you to break up
a discrete logarithm
problem into pieces,
and basically
use kind of like a Chinese
remainder theorem approach
to solve the problem
in the whole group.
So sorry.
I said the discrete
logarithm problem,
but I didn't state the problem.
The problem I stated, I stated
the Diffie-Hellman problem.
Now the discrete
logarithm problem is,
let's say you're given
a generator for a group.
So call this generator little g.
And you're given g, you
know g, that's public.
And then you see another
public value-- g to the b.
Can you find b?
That's this discrete
logarithm problem.
And clearly if you can solve
the discrete logarithm problem,
you can solve the
Diffie-Hellman problem.
But interestingly the reverse
is not obviously true.
And there is a reduction
in the reverse direction
that interestingly involves
elliptic curves that
works for black box
groups, but which is not
known in general to be true.
So a couple of extra points.
I'm just going to say
a couple more words
about the history of
the discrete logarithm
problem for elliptic curves.
So like I said, this was
kind of introduced in 1985.
And so, part of the
reason that it's an industry
standard now: except for special
cases like supersingular
elliptic curves, we don't know
any sub-exponential attacks.
So what is this business?
What happens for supersingular
elliptic curves?
This is pretty interesting.
So supersingular
elliptic curves
were proposed early on
to be used because they
could get some efficiency
improvements for implementing
the system.
And then the
Menezes-Okamoto-Vanstone attack
came along, and
basically used pairings
on elliptic curves--
like the Weil
pairing on an elliptic curve--
to show that you could attack
supersingular elliptic curves.
And that made those particular
curves completely unacceptable
for implementation of
elliptic curve cryptography.
But with the exception of
supersingular elliptic curves,
we really don't have any generic
attacks on elliptic curve
cryptography, which is
why I stated it as kind
of my first open problem.
But what is the
public information
in the case of an
elliptic curve?
So for an elliptic curve, I
kind of took these slides out.
But so the public information
would be the actual curve.
So if we ignore
characteristic 2 and 3,
you can put an elliptic
curve in a short Weierstrass
form like this.
So the public information
would be the field
that this curve is going
to be defined over.
So some prime p.
And then these two elements
here-- a and b; a is often
taken to be minus 3 just
for efficiency reasons.
And so it's essentially
this element here.
So let's suppose the group
order over this prime field F_p,
let's suppose the
group order is prime.
Let's say it has
order Q. Then you also
need a point on the
curve to be specified.
That's your generator
for your group.
And if the curve
has prime order,
then you can basically
take any point.
But in particular,
everybody needs
to agree on the same point.
So if you look up the NIST
standards for elliptic curves,
you will find a list
of elliptic curves,
each one specified
like that, with a point
which is its generator.
And it'll have different types
of curves at each security
level.
So right now, that's
why I put this at 256.
You'll have curves
which are called
P-256 curves,
which means they're
over prime fields of 256 bits.
And there are both prime
fields, and there are
what are called Koblitz
curves and binary curves.
So there's also curves
in characteristic 2.
I'm not going to talk about
the characteristic 2 case that
much.
But then there is currently
in the NIST standard,
there's curves going
up to security level,
256-bit security level,
which means 512-bit field.
So actually I could
talk lots and lots
about standards for
elliptic curves.
But in the interest
of moving on,
I'm not going to
say more about that.
But if anyone wants to
know more about that,
you'll be welcome
to talk to me later.
So how does elliptic
curve cryptography work?
There has to be a group law.
What is the group?
The group is a group of points
on an elliptic curve, which
many of you with an
algebraic geometry background
will not only be familiar
with, but probably
know lots more fancy definitions
of elliptic curves than this.
But for our purposes,
it just means the group
of points on this affine
model for the curve,
along with the
point at infinity.
And there's a group law
which is always kind of shown
with this picture where if you
have two points-- Q1 and Q2,
that you want to add together,
you pass a line through them.
You look for the third point
of intersection with the curve.
This is supposed to be a
cubic, even though my graph is
a little bit pathetic.
It might not actually
be a very good cubic.
And then so in a cubic, you
would expect a third point
of intersection with this line.
And then you pass a
vertical line through there.
And the sum of Q1
and Q2 is minus R1.
So an important
point in this picture
is that from an algebraic
geometry point of view, what's
happening is that
there's a group here,
which is basically
degree 0 divisors
modulo principal divisors.
And principal divisors are
the divisors of functions
on curves or varieties.
And so here's a function.
It's a line.
And so the divisor of this
function on this curve
is just these three points.
So what it's saying
is these three points
added together in this
group-- think of it
as a formal sum-- is 0.
So that's why Q1 plus
Q2 is actually minus R1,
because the sum of
these three things is 0.
And we'll see why
in a few minutes
why that's kind of interesting
in a larger context.
So just to summarize,
this was kind
of all I was going to say
about the elliptic curve
discrete logarithm
problem, is kind
of the foundation of
the talk, because it's
the fundamental problem.
And a lot of these other things
that I'm going to talk about
are very related
to this, the kind
of the practice of elliptic
curve cryptography, which
is based on the hardness
of this problem.
So here's an interesting.
So let's see.
I changed the color
scheme so that you
could see that this is
the next section of the talk.
And also because maybe
because everybody's
not as in love with
purple as I am.
So we went to white for now.
So here's another group that
you could use in cryptography.
And in a few minutes
I'll tell you
why you might want to use
this in cryptography, instead
of elliptic curves.
So this was introduced
by Neal Koblitz
a few years after ECC.
It was around 1989.
He introduced the idea
of using the Jacobian
of a hyperelliptic curve
for crypto systems,
instead of just using
elliptic curves.
And a hyperelliptic curve
in particular in genus 2,
we're going to think of as
being given by an affine model
y squared equals f of x,
where f has degree 5 or 6.
And the elements of
the Jacobian will
be represented by pairs
of points on the curve.
So if you're an
algebraic geometer,
you might know this from
thinking of the Jacobian
as being like a symmetric
product of the curve
with itself g times.
But you'll also
be able to see it
kind of from our
description of the group law
that I'm going to give
it in a few minutes
why this works out nicely.
And there's also a couple
of important things
I'll come back to-- the Mumford
representation and the group
law for Jacobians of
hyperelliptic curves.
So here's some kind of
rough pictures again.
On the left-hand side,
an elliptic curve.
Right-hand side,
a genus 2 curve.
Again, we're drawing
these curves kind of like
over the real numbers,
whereas in cryptography we're
actually going to be
implementing these things
over a finite field.
But the algebraic
rules that we give
for implementing these group
laws will also work over F_p.
So you might say, OK,
well, why would you
want to move from this
curve to this curve?
So if you use the
Hasse-Weil theorem,
you'll see that over F_p, the
number of points on both curves
is going to be in this region--
p plus 1 plus or minus 2g
times square root of p.
So you're thinking,
ah, they both have
roughly p points-- p plus or
minus some multiple square
root of p.
So why would you want to
move from one to the other?
Well, and also because if you
look at your nice group law
on elliptic curves,
which has this.
They call it a chord and tangent
method, where you kind of chord
through these points.
Or if it's a doubling
operation, you take a tangent.
And so if you look over
on the genus 2 curve,
well this doesn't
work very well.
You take a line, you
pass it through there,
and you don't get one other
point of intersection.
So that's not working
very well either.
But the nice thing
is that if you
look at the number of
points in the group
that you're going
to be interested in,
the number of points
on an elliptic curve,
will be around p, whereas
the number of points
on the Jacobian will
be around p squared.
So what this means is
for the same group size,
you can cut the
field size in half.
And so there's actually this
interesting tension which
is still we're kind
of right on the cusp
of being able to
make use of this
really in practice,
which is that if you
think about computers,
they were 32-bit words.
Now we're 64-bit words.
Are we going to be 128-bit
words mainstream any time soon?
Well once you can
fit a field element
inside a single word
on the computer,
you get massive
efficiency improvements.
So if you think about cutting
the group size in half--
or sorry, the field
size in half--
you are definitely getting a
major efficiency improvement
for your operations.
And potentially, like this
kind of idea of getting,
if you make the
genus high enough,
that you get every field element
in one word in the finite field
is very tantalizing.
So there's this motivation, oh,
OK, well if we go from genus 1
to genus 2, we can decrease
the size of our field.
That's very good.
We get efficiency improvement.
So but then what happens
to our group law?
Our group law gets kind
of more complicated.
So the simple idea of passing
a line doesn't work anymore.
But this other idea does work.
So I'm just warning you here.
This is my favorite
picture in the whole world.
I used to have this
on my office door.
I usually every talk
try to find some excuse
to show this picture.
So this is a picture of
the group law in genus 2.
And the interesting
thing is that so I
introduced this picture
in a paper in around 2001.
And I basically got it from
the Cassels-Flynn book.
I don't know how many of
you know the Cassels-Flynn
book on genus 2 curves.
At the end there's a description
of the group law.
And they basically tell
you this is the group law.
What do you do? In genus 2,
divisors, or in the group,
group elements of the
Jacobian, are pairs of points.
So if you have P1, P2,
that's a group element.
And if you want to write it
as a degree zero divisor,
you need to write like P1
plus P2 minus 2 P infinity
so that it actually
has degree 0.
But usually we just kind
of forget about that,
and think about it
as being represented.
This is like the
Mumford representation--
represents these two points as
a quadratic polynomial actually.
So we have these two
divisors represented
by these two pairs of red dots.
So now how do we
add them together?
Well again, this same philosophy
of what the group law is, you
want to have a
principal divisor.
In other words, the
divisor of some function.
So you want a function that
passes through these four
points.
So you take these four
points, you figure out
a cubic function, and then you
pass through those four points.
And then generically, over an
algebraically closed field,
you expect it to intersect this.
So this can be written
as a quintic or a sextic.
Oftentimes we think of like
we use a rational point
to make it into a quintic.
But you can just
think as a sextic.
And so generically you
expect two other points
of intersection with this curve.
And so just like in the
elliptic curve case,
this divisor is
supposed to be 0.
So this plus this plus
this is supposed to be 0.
So this should be-- minus this
should be equal to these guys.
So you take these four,
and you kind of formally
add them together.
But now you want to reduce it.
So this is this very
nice reduction algorithm
that we have for
hyperelliptic curves.
But it's actually not known in
general for algebraic curves.
That's another
thing I could have
put on my list is
unique reductions
for other types of curves.
So these two points,
this is minus these guys.
So you need to kind of
flip these over the x-axis.
So r 1 plus r 2 are
the sum of these guys.
So this is my view of the
group law of a genus 2 curve.
So but I come along and I
start working for Microsoft.
And I find out that
people in cryptography
do not think this is the
group law on a Jacobian.
What do they think
is the group law?
They think Cantor's
algorithm is the group law.
So interestingly
Cantor-- I heard
he was very influenced by
Hendrik Lenstra and René
Schoof in developing
this algorithm.
He thinks of a genus
2 curve as basically
thinking of it as its
function field representation.
So think of a
hyperelliptic curve
as being a degree 2
extension of a degree
2 cover of the projective line.
So think of that as being the
analog of a quadratic extension
in number fields.
So here's the
number field world,
and here's the
function field world.
And over here in
number fields we
have this really nice
group law for quadratic fields
that we've known for
a long time, which
is Gauss composition.
So basically if you
take Gauss composition
for a quadratic
for an ideal class
group of quadratic
number fields,
and kind of push it
over to function fields,
you get Cantor's algorithm.
So Cantor's algorithm
takes kind of divisors,
and represented in terms
of like Mumford's notation,
and does this
reduction, and basically
does composition and
reduction on all of this.
But since that wasn't what
I thought the genus 2 group
law was, so I
wrote a small paper
showing that these two
things are equivalent.
And ever since then, I've
been showing this picture
to everyone.
So everybody can kind
of see the group law,
instead of just compute
it using Cantor.
Why are there only six
points of intersection?
Shouldn't there be 15?
Well, so this is using
the affine. [INAUDIBLE].
So think of it as
y squared equals
f of x, where f has
generically has degree 6.
And then this cubic that I've
drawn, this is basically y
equals the h of x where
h has degree three.
So I'm going to
plug in h in for y.
And I'm going to square it.
And so we've got something
in x, which is degree 6.
So over in algebraic closure,
we're getting six solutions.
So you were thinking of trying
to use Bézout or something.
So now that I'm going
to try to convince you
that genus 2 curves are
interesting for cryptography,
I'm going to tell you about
the second problem, which
is very interesting and quite
important, and that is so how
do you actually generate
safe curves for crypto?
So somebody earlier
asked, well, what's
the public information for
one of these crypto systems?
So the NIST curves.
Well, the NIST curves are a
selection of prime-order curves
that in this nice
Weierstrass form.
And they've been selected.
We don't actually exactly
know how they were selected.
But one approach that you
could have-- remember,
I told you the
important thing was
is that the group order needed
to be prime-- or quasi-prime
means some very small cofactor
times the group order.
And there's a lot of
controversy in the community
right now about whether small
cofactor is good or bad.
So a small cofactor can
introduce complications
in terms of security
and extra checks that
need to be introduced.
But they can also
introduce efficiency
in terms of what model
of a curve you can use,
and some group law
implementations
are faster than others,
and things like that.
So there's actually quite
a bit of public debate
about that right now.
But so going back to the
basic problem, like I said,
we need a prime of around
256 bits-- so of size of 2
to the 256.
And that's because the square
root would be then roughly 2
to the 128.
So we say this has
128-bit security level.
And that's the minimum
security level required
for government standards.
And so we're going to need
to generate an elliptic curve
with very large prime order.
And just use a basically kind
of the Hasse-Weil theory,
you'll know that if
you have a curve,
we said the number of points
is supposed to be p plus 1
plus or minus 2
square root of p,
or something in the
interval plus or minus
2 square root of p.
And in particular,
it's p plus 1 minus t,
where this t is the
trace of Frobenius, which
is an endomorphism that
acts over an elliptic curve
over a finite field.
And this t, it will determine
that's the trace of Frobenius.
Let's call Frobenius, the
endomorphism, call it pi.
So then pi will
actually end up lying
in this quadratic
imaginary field,
because it satisfies
a quadratic equation
with this discriminant
t squared minus 4 p.
So what ends up happening
is that we end up
wanting to generate
elliptic curves that
have p plus or minus T points,
where the curve that we'll
generate will have
a Frobenius that
lies in this particular field.
This is an imaginary
quadratic field.
This is negative
because of [INAUDIBLE].
So now we can kind of forget
about cryptography, and OK.
So let me finish
with my sentence.
One second.
We can forget
about cryptography,
and we can switch over
to using CM theory
to generate these curves.
So go ahead.
I'm just wondering what
will be the p for the RSA
with a comparable security?
So again, it will
be around 2048 bits.
So 2,048 bits.
So there's some small
amount of dispute
also on how that
should be calculated.
But it's basically
calculated by taking
the best known algorithms.
Which means basically taking
number fields on the RSA side
and taking basically the
square root of this side.
So here's the problem.
And this is why I state
this as an open problem.
So actually, one of
the last two times
I was talking with
Dick Gross, he
stated this problem
a little bit more
generally, and was
very excited about it.
And I still think it's
very interesting problem.
Let's say that you
have a finite field,
and you want a curve with
a certain number of points.
Can you give me an algorithm
for generating a curve
with that number of points?
Well so that's the problem for
cryptography that I've stated.
And now I'll tell you what
we actually do in practice.
So we have a solution,
which works pretty well,
and can handle
most of the things
that we want to do--
especially for elliptic curves.
But it's actually a very
roundabout solution.
And it seems kind of silly
that we would have to do this.
So what we are
actually going to do
is we're going to actually
construct a curve over a number
field, which actually could
potentially be a very, very
large number field.
And then we're going
to-- at least in theory,
we're constructing it
over a number field.
And then we're going
to reduce it mod p.
And we're going to take a p that
splits in this number field,
so that we're going
to end up getting
a curve over a finite field.
So it seems like kind
of a roundabout way
to get to the solution.
And there's a problem
with our approach.
And like I said, I told you it
works fairly well in practice,
but there's some
problems with it.
And that is that in
order to compute,
we're actually not going
to compute the curves
over a big number field.
We're actually going to
compute a minimal polynomial
for the invariant of the curve--
the j invariant in particular.
And then we're going to reduce
that minimal polynomial modulo p.
And so we're doing kind of
a roundabout way of getting
the curve, because once
we've reduced it mod p,
we have a polynomial mod
p, which we can factor,
take a root.
And that's the j
invariant of a curve mod p
that has the right
number of points.
So what is the problem
with this solution?
The Hilbert class polynomial
is the minimal polynomial
of the j invariant, and
its size is roughly d bits.
So you can see that
in the following way.
So it's going to be
the Hilbert class
polynomial is the minimal
polynomial of the j
invariant, which generates
the Hilbert class
field of this field K--
Q adjoin square root of d.
And it's known that
kind of asymptotically
roughly the degree of that
polynomial is square root of d.
So we've got a polynomial
of degree square root of d.
And then just from analyzing
CM value of the j function,
you can see that each
one of the coefficients
has roughly square
root of d bits.
In other words, the
coefficients are of size like e
to the power of square root
of d times some power of log.
So just to write
down that polynomial
would take you d bits.
But d is around the
size of p which is 256.
So we're saying
this is a polynomial
of size 2 to the power
of 2 to the power of 256.
I mean, it's insane.
And it takes you in particular
d bits just write it down.
So we get around this
problem in several ways.
So one thing is by
taking, if there
were a large square
factor of this--
so say this was like q
squared times d prime,
then we would do this
job just for d prime,
where d prime is
much smaller than d.
So that's one thing we can do.
But in general, it's
still, you would say,
it's not a perfect
solution to this problem.
It's kind of interesting that we
have all this beautiful number
theory.
It provides us a great way to
do this kind of in some cases
and in practice.
But it's kind of
unsatisfactory in the sense
of solving the problem.
So the next thing that
I want to talk about.
So most people will
know-- I'll just
talk about this for
five more minutes.
So most people that have
heard me talk before
will know that this
is my favorite topic.
So I could talk
about this forever.
But so this is the
question of generating
genus 2 curves for
cryptography, which
is more difficult than
generating elliptic curves
for cryptography,
because basically you
have to do all that CM
theory kind of in this higher
dimensional case, and there are
a lot of more difficult things
that come into
play in particular.
So I'm not going to run
through all the details of it,
but it's the same
idea, as you say, oh, I
want a genus 2 curve with
this number of points.
That's going to make it so
that the zeta function has
to be such and such.
And that means that I know
kind of the [INAUDIBLE] type
of this Jacobian.
And so now what I really need is
to compute an abelian variety,
an abelian surface that has CM
by a certain quartic CM field.
This quartic CM field is defined
by some polynomial like this.
And so now what I
really need to do
is to compute the analog of
the Hilbert class polynomial
for this quartic CM field.
And part of the problem is that
the Hilbert class polynomial
was nice in the sense that
it had integer coefficients.
But these other
polynomials don't.
They have rational coefficients.
It makes it much
harder to compute.
And so you'll end up
with things like this,
where you take a relatively
small field-- a quartic CM
field with pretty
small discriminant--
and then you're trying to
compute some polynomial.
So this is it-- like
a degree 8 polynomial.
I've only written down a
few of the coefficients.
And in red down
here at the bottom
I've written the denominator.
And so when I first started
doing these computations long,
long ago, and I didn't
know what to expect,
the real problem,
what you face is
that you're taking
modular functions,
you're evaluating them at
what are called CM points,
and you're evaluating
them to very, very, very
high precision-- thousands
of digits of precision.
And you're multiplying
the factors together,
and you're trying to
recognize the coefficients.
But you're trying to recognize
rational numbers whose
denominators are of this size.
And that kind of stinks,
because usually what happens
is that you don't
recognize anything.
It just looks like garbage.
And then you don't
know what to do
other than increase your
precision and do it over again.
So it was funny because
more than 10 years ago when
I was first doing
these computations,
and computer power
wasn't quite as good,
it would actually take weeks
to compute these polynomials.
And then you find out
that you have garbage.
And then so you'd
recompute them.
And so it was kind of a
disappointing process.
So the nice thing was
when I first started
getting a few examples where
I could recognize them,
and got polynomials like
this, imagine my surprise
when-- I don't know
for what reason-- I
factored the denominator.
And this is what I got
for the factorization
of the denominator.
So you notice a couple
of things about that.
Very high powers.
The high powers are
because of the high power
of the modular form that
appears from the denominator.
And very small primes compared
to the size of the whole thing.
So this pretty interesting.
And the thing that was most
interesting and kind of most
gratifying about this whole
area and this whole field
is that it turned out
to be very connected
to some other very interesting
results in number theory.
So the first thing I
thought when I saw this,
for some reason or
other it reminded
me very much of
Gross-Zagier's theorem, where
you have these kind of
beautiful factorizations
into small primes.
And so I had this
kind of conjecture
about that this
should be related
to Gross-Zagier's theorem.
But I didn't exactly know
how, and it didn't really
make sense.
The connection was
very, very unclear.
And so eventually,
after many years
of working on this
problem, there
are a couple of
different approaches
that were developed-- one
approach developed jointly
with Eyal Goren to give
a bound on these primes.
And another approach
developed by Bruinier and Yang
using basically kind of our
[INAUDIBLE] theory, which
predicted actually a
factorization formula which
Yang then proved in
some special cases,
and which I proved
in the general case
with Bianca Viray for
general CM fields.
And our proof
actually also led us
to finally kind of a
generalization of Gross
and Zagier's theorem.
So it was a very
nice connection.
So I like to tell
the story to give
the example of a
cryptographic problem
which is computing genus
2 curves for cryptography.
And then the kind of
very practical issue
of needing to compute these
class polynomials, which
is a huge pain, and the fact
that now the algorithms are
much, much better
now that we have
an understanding of
the denominators.
And the theorems which prove
what the denominators are
are purely kind of arithmetic
intersection theory theorems,
kind of in algebraic
geometry number theory
area, which are maybe you could
say of independent interest
as well, especially in the
sense of providing, for example,
a generalization of the
Gross-Zagier theorem.
So that's one
example that I like
to give of the connection
between cryptography and number
theory bringing up new,
interesting problems.
So just to wrap up kind of
that comparison between genus 1
and genus 2, what
this kind of solution
allows us to do, now that we
can fairly efficiently compute
genus 2, these genus 2
curves using these kind
of class polynomials, it allows
us to construct genus 2 curves
for cryptography which
have a number of points
which make them attractive,
make them kind of safe curves.
And in particular, we can
construct them over the fields
that we want.
So we can take fields where we
can do very fast arithmetic.
We can construct safe
curves over those fields.
And then we can do
implementations of the group
law, and try to show what the
efficiency of the system is.
So I like to show this.
So this was a result
from 2013, which
was joint with some
of my co-authors Bos,
Costello, and Hisil, who are
expert implementers in terms
of taking various
platforms and doing really
a fast, underlying
field arithmetic,
and fast group arithmetic.
And through a combination
of a lot of techniques,
we are able to show that
genus 2 can actually
be more efficient than genus 1.
So this was kind of
an interesting result,
because when you look
at the two group laws,
you think, ah, well
in genus 2, that
would be a lot more
complicated to compute.
And so this was done through
a combination of things.
One was, like I said,
being able to generate
these curves over
fields where we
could do very fast arithmetic.
So the NIST curve,
here are the genus 1.
This is the kind of the
standard implementation
of the NIST curve, which
was the kind of baseline.
And we were able to do
a generic genus 2 curve
in much, much,
much fewer cycles.
So this is a group operation.
This is how many
cycles it costs.
And then this is a kind
of a special family.
These are families of curves
that have extra endomorphisms.
And there you can see that
all the records for genus 1
are these assumptions, which
is this category is not
as safe in some sense
as this category,
because these are assuming extra
endomorphisms, which can also
be used to attack curves.
But in that case, the elliptic
curve was still faster.
But then in the third
case, we have this kind
of alternate representation
of a genus 2 Jacobian, which
is a [INAUDIBLE] surface.
And you can see we could get
very, very fast cryptography
or group law over
that for that curve.
But we can't do all protocols
with that implementation.
So this gives you
kind of a picture.
And this is a snapshot.
So since then there
have been improvements
in the elliptic curve
group law to make
it even faster than that in
those kind of special cases.
So my third problem that
I wanted to talk about,
and I think this is
pretty important.
And maybe I'll say as an
aside, if you're a graduate
student, or even a practicing
researcher that kind of wants
to get into cryptography,
a lot of people
ask me how to do that.
And there's a lot of great books
by people like Joe Silverman.
And actually there's Hoffstein,
Pipher, and Silverman.
There's books by Neal Koblitz.
There's all kinds of
great, great books.
But the other thing
that I thought,
oh, I should advertise this.
Do you know, around the world
at all the crypto conferences
that we have every year, so
many of the crypto conferences
are running summer schools
just two or three days
before their conference?
So if you ever really want
to go do intensive crypto
preparation, where you take your
algebraic geometry knowledge,
and all of a sudden learn
all about elliptic curve
crypto, and pairing-based
crypto, and all these things,
you can literally, these
are supported actually
through the IACR.
There was a million dollar gift
from Paul Kocher to the IACR
to pay for students to
go to these conferences
around the world.
So there was one last
week preceding ECC,
and Damien Robert who's
here was speaking there.
And in LATINCRYPT in August,
we had one before LATINCRYPT
in Mexico, and Sorina
Ionica was speaking there.
So it's a really good way
to get into these things.
And pairing-based cryptography
is almost always covered
in these courses, because
it's very important
because there's a
lot of applications
of pairing-based crypto.
So what is pairing-based crypto?
So we have already
mentioned that pairings
were used to attack
the supersingular case
of elliptic curves.
But then in 2001, several
positive applications
of pairings were introduced.
Boneh and Franklin
and Diffie-- or sorry,
Joux-- introduced a
tripartite Diffie-Hellman.
So there are many
other applications now.
I've only listed a couple.
But there are
literally thousands
of papers on the applications
of pairings in cryptography
which are very, very
important, including
attribute-based encryption,
public key encryption
with keyword search,
predicate encryption, even
homomorphic encryption
in limited [INAUDIBLE].
So what do we mean by
pairings in cryptography?
Well strictly speaking it
just means a bilinear pairing.
So you have two groups
which made the same,
or they may be like
two different subgroups
of the same group, as is
the case in elliptic curve
cryptography.
And a pairing just
means a bilinear map
between the cross
product of these two,
and some other group.
And how is it used?
And so what the
requirements for crypto
are that the pairings
should be obviously
needs to be easy to compute, but
it needs to be hard to invert.
So that's why I write pairing
inversion as the third problem.
So I'm going to give you
one application of kind
of pairing-based cryptography,
so you see how it's used
and why it needs to
be hard to invert.
Or maybe I say before I
tell you the application
of pairing-based cryptography,
the main thing that you should
be thinking about
here is the group
of points on an elliptic curve.
So think of, let's say, the m
torsion of the elliptic curve.
And so two pieces of
the m torsion, and then
the multiplicative
group of a finite field.
So this application
is a signature scheme,
which I think maybe in
the interest of time maybe
I won't go into a lot of detail.
But a signature
scheme, basically you
take a secret S. You're going
to have some public point P,
and you're going to create
your public key pair S times P.
And this PQ will be
your public key pair.
And then a signature
will be some message.
You hash it by taking S times
the hash of the message.
And the verification,
give it so this
can be verified by anyone
given your public key.
They can just check whether the
bilinear pairing of this point
Q, your public key
with H of M, was
the same as the pairing
of P with the signature.
And that's because
in a bilinear pairing
you should be able to
move this S from this side
over to this side and
get the same thing.
So that's an application of
pairings in cryptography.
This is kind of the
shortest known signature
scheme that we
have, which is used
in practice in many places.
And the main thing that I have
kind of highlighted in red
up here is that the only
known pairings for use
in cryptography are these
algebraic geometry pairings.
So based on the Weil and Tate
pairings on elliptic curves,
and generalizations to Jacobians
of hyperelliptic curves.
So unfortunately I
have taken up way
too much time with my
first three problems,
and do not have time to
talk about my fourth one
or the other ones.
But I'd be very happy
to take questions
about any of these other
problems in the break.
And I guess the
main point that I
wanted to get across
to you is that this
is a very vibrant
research area, kind
of not within
algebraic geometry,
but kind of a crossover
between the algebraic geometry
and algorithmic number
theory and cryptography,
which has lots and lots of
open problems to work on.
So those of you who are
looking for problems,
you can find a lot
of problems here.
So thank you very much.
[APPLAUSE]
Are there some more questions?
So I want to go back to the
issue of the genus 2 curves,
where you were using the
CM the abelian surface,
finding that and then finding.
So I just want to
understand practically,
are you-- how to say it?
Here you're looking
for a Jacobian
with a certain number of points.
And then your N 1 and N 2.
And that imposes on
you a certain CM.
I guess there's lots of
different N 1s and N 2s
that could give
you the same end.
Is there any way to
sort of find a Jacobian
with the right number
of points without sort
of finding the N 1 N 2?
So in practice you're right.
Choosing N 1 and N 2 is
specified in the whole zeta
function.
And you have for a
given number of points
for your Jacobian
lots of choices,
a certain finite
number of choices.
And so it's true you can
kind of vary your choice,
and maybe make your field
better for computation.
But unfortunately, we
actually published a paper
showing that the best
that this approach can be
is still really
bad, unfortunately.
Meaning that you cannot come up
with a nice kind of polynomial
time way for an arbitrary
group order getting a field--
quartic field K with
a discriminant--
small enough to make
it good, unfortunately.
And it's just really
a counting argument.
It kind of counts
the number of fields
that can have the
right property,
and basically says as you go to
infinity you're going to lose.
That's the bad news.
And that's one of the
flaws with this approach,
that this is still this
approach of constructing
the genus 2 curve over a
number field, in a sense,
as opposed to saying, hey,
I have a finite field.
Now I want a genus 2
curve with this number
of points, which is the
problem that we don't really
have a direct solution to.
Does that answer the question?
So if there's an economy
of scale between genus 1
and genus 2, why
stop at genus 2?
Oh, great question.
Thank you for asking that.
So maybe 15 or more
years ago [INAUDIBLE]
proved this very
interesting result,
which is sub-exponential
algorithms
for the discrete
logarithm problems on very
high-genus curves.
So if you have the
genus is roughly
like log Q, which you
can think of-- you
can see we had
fairly large fields.
I mean, 2 to the whatever power.
The log would be fairly large.
If the genus has to
be bigger than a log,
for very large genus they have
sub-exponential algorithms,
meaning like basically L 1/2,
and kind of conjecturally L 1/3
algorithms.
And so everybody had this
kind of idea, oh well,
if the genus gets
too big, the problem,
it becomes sub-exponential
running time to attack it.
So we should not really
think about high genus.
So then the question
is, what do you do
between genus 2 and high genus?
So there are some known
algorithms for genus 3
and genus 4, which are
better than the square root
algorithms, but they're
still exponential algorithms.
So for genus 3, which is
something which is on my list--
there are a bunch of open,
interesting problems at genus 3
that some people even in
this audience are working on.
The best known algorithms
are like Q to the 4/3,
or Q [INAUDIBLE]
total of Q algorithms.
So already with genus 3,
we're right on the border
of whether it's worthwhile
to go up to genus 3,
because the attacks
that are known
are better than the
square root attacks.
OK.
Well, let's thank
Kristin for this.
[APPLAUSE]
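The group law that the talk describes twice, once as the "pass a cubic through four points and flip the remaining two" picture and once as Cantor's composition-then-reduction on Mumford pairs, written out as runnable Python. This is an added example and is not code from the talk, from the speaker or from Microsoft. It assumes a constructed toy curve y^2 = x^5 + x + 1 over F_10007 (an imaginary model with h = 0, chosen so that the curve is nonsingular exactly when f is squarefree) and a prime that is 3 mod 4 so square roots are one exponentiation; every function name below is this example's own. The field is far too small and the group order is not checked to be prime, so this demonstrates the arithmetic only, not a "safe curve" in the sense of the talk; it does include the two checks a practitioner would run on any implementation, that the curve is nonsingular and that every output is a reduced divisor actually lying on the curve.

```python
"""Cantor's algorithm on the Jacobian of y^2 = f(x), genus 2, over F_P (added example,
not code from the talk). Assumes the imaginary model (h = 0, f monic of degree 5) and
P % 4 == 3. Polynomials are coefficient lists, lowest degree first; [] is zero."""
P = 10007                # constructed prime, P % 4 == 3
F = [1, 1, 0, 0, 0, 1]   # constructed curve f(x) = x^5 + x + 1 (squarefree mod P)
GENUS = 2
IDENTITY = ([1], [])     # Mumford pair (u, v) = (1, 0): the zero divisor

def trim(a):
    """Reduce coefficients mod P and drop leading zeros."""
    a = [c % P for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a, b):
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) for i in range(n)])

def sub(a, b):
    return add(a, [-c for c in b])

def mul(a, b):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] += x * y
    return trim(r)

def divmod_(a, b):
    """Long division: returns (q, r) with a = q*b + r and deg r < deg b."""
    a, b = trim(a), trim(b)
    assert b, "division by the zero polynomial"
    q, inv = [0] * max(len(a) - len(b) + 1, 1), pow(b[-1], P - 2, P)
    while len(a) >= len(b):
        c, k = a[-1] * inv % P, len(a) - len(b)
        q[k] = c
        a = trim([a[i] - (c * b[i - k] if i >= k else 0) for i in range(len(a))])
    return trim(q), a

def monic(a):
    a = trim(a)
    return trim([c * pow(a[-1], P - 2, P) for c in a]) if a else a

def xgcd(a, b):
    """Extended Euclid: returns (d, s, t) with d monic and d = s*a + t*b."""
    r0, r1, s0, s1, t0, t1 = trim(a), trim(b), [1], [], [], [1]
    while r1:
        q, r = divmod_(r0, r1)
        r0, r1, s0, s1, t0, t1 = r1, r, s1, sub(s0, mul(q, s1)), t1, sub(t0, mul(q, t1))
    inv = pow(r0[-1], P - 2, P) if r0 else 0
    return monic(r0), trim([c * inv for c in s0]), trim([c * inv for c in t0])

def cantor_add(D1, D2):
    """Cantor's algorithm: composition (the Gauss-composition analogue), then reduction."""
    (u1, v1), (u2, v2) = D1, D2
    d1, e1, e2 = xgcd(u1, u2)                  # d1 = e1*u1 + e2*u2
    d, c1, c2 = xgcd(d1, add(v1, v2))          # d  = c1*d1 + c2*(v1 + v2)
    s1, s2, s3 = mul(c1, e1), mul(c1, e2), c2
    u = divmod_(mul(u1, u2), mul(d, d))[0]     # composed u = u1*u2 / d^2
    num = add(add(mul(mul(s1, u1), v2), mul(mul(s2, u2), v1)), mul(s3, add(mul(v1, v2), F)))
    v = divmod_(divmod_(num, d)[0], u)[1]      # composed v, reduced mod u
    while len(u) - 1 > GENUS:                  # reduction, as in the picture:
        u = divmod_(sub(F, mul(v, v)), u)[0]   # the other intersection points ...
        v = divmod_(sub([], v), u)[1]          # ... flipped over the x-axis
    return monic(u), v

def negate(D):
    u, v = D
    return u, divmod_(sub([], v), u)[1]

def scalar_mul(D, n):
    """Double-and-add: the operation a Diffie-Hellman style protocol repeats."""
    R, Q = IDENTITY, D
    while n:
        if n & 1:
            R = cantor_add(R, Q)
        Q, n = cantor_add(Q, Q), n >> 1
    return R

def is_reduced_on_curve(D):
    """Mumford conditions: u monic, deg v < deg u <= genus, and u divides f - v^2."""
    u, v = D
    return u[-1] == 1 and len(v) < len(u) <= GENUS + 1 and divmod_(sub(F, mul(v, v)), u)[1] == []

def point_divisors(n):
    """First n affine points (x0, y0) on the curve, as degree-1 divisors (x - x0, y0)."""
    pts, x0 = [], 0
    while len(pts) < n:
        fx = sum(c * pow(x0, i, P) for i, c in enumerate(F)) % P
        if fx == 0 or pow(fx, (P - 1) // 2, P) == 1:   # Euler criterion: fx is a square
            pts.append(([-x0 % P, 1], trim([pow(fx, (P + 1) // 4, P)])))
        x0 += 1
    return pts

def curve_is_nonsingular():
    """y^2 = f(x) is nonsingular iff f is squarefree, i.e. gcd(f, f') = 1."""
    return xgcd(F, trim([i * c for i, c in enumerate(F)][1:]))[0] == [1]
```

Calling point_divisors(3) returns three degree-1 divisors with distinct x-coordinates; adding two of them composes to u = u1*u2 of degree 2, which is already at most the genus, so the reduction loop does nothing. Adding a third point composes to degree 3, and the loop then performs exactly the step in the picture: divide f - v^2 by u to get the remaining intersection points, negate v to flip them over the x-axis. The Mumford representation is the quadratic u whose roots are the x-coordinates of the two points, with v the line through them; the only finite-field-specific parts are the square root in point_divisors, which relies on P % 4 == 3, and the Fermat inverses.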
