TRILINEAR MAPS FOR CRYPTOGRAPHY
(arXiv, cs.CR, May)
MING-DEH A. HUANG (USC, [email protected])
Abstract.
We construct cryptographic trilinear maps that involve simple, non-ordinary abelian varieties over finite fields. In addition to the discrete logarithm problems on the abelian varieties, the cryptographic strength of the trilinear maps is based on a discrete logarithm problem on the quotient of certain modules defined through the Néron-Severi groups. The discrete logarithm problem is reducible to constructing an explicit description of the algebra generated by two non-commuting endomorphisms, where the explicit description consists of a linear basis with the two endomorphisms expressed in the basis, and the multiplication table on the basis. It is also reducible to constructing an effective $\mathbb{Z}$-basis for the endomorphism ring of a simple non-ordinary abelian variety. Both problems appear to be challenging in general and require further investigation.

1. Introduction
Cryptographic applications of multilinear maps were first proposed in the work of Boneh and Silverberg [1]. However the existence of cryptographically interesting $n$-linear maps for $n >$

$$H^1(A, \mu_\ell) \times H^1(A, \mu_\ell) \times H^2(A, \mu_\ell) \to H^4(A, \mu_\ell^{\otimes 3}) \cong \mu_\ell,$$

where $A$ is an abelian surface over a finite field $F$ and the prime $\ell \neq \operatorname{char}(F)$. This trilinear map is the starting point of our construction.

Suppose $A$ is a principally polarized abelian variety over a finite field $F$. Let $\hat{A}$ denote the dual abelian variety. Consider $A$ as a variety over $\bar{F}$, the algebraic closure of $F$. We have $H^1(A, \mu_\ell) \cong \hat{A}[\ell] \cong A[\ell]$. We have $\operatorname{Pic}^0 A/\ell\operatorname{Pic}^0 A = 0$, so $\operatorname{NS}(A)/\ell\operatorname{NS}(A) \cong \operatorname{Pic}(A)/\ell\operatorname{Pic}(A)$, where $\operatorname{NS}(A) = \operatorname{Pic}(A)/\operatorname{Pic}^0(A)$ is the Néron-Severi group. From

$$0 \to \mu_\ell \to \mathbb{G}_m \xrightarrow{\ \ell\ } \mathbb{G}_m \to 0 \quad\text{and}\quad H^1(A, \mathbb{G}_m) = \operatorname{Pic} A$$

we get

$$0 \to \operatorname{Pic}(A)/\ell\operatorname{Pic}(A) \to H^2(A, \mu_\ell) \to H^2(A, \mathbb{G}_m)[\ell] \to 0,$$

thus we can consider $\operatorname{NS}(A)/\ell\operatorname{NS}(A)$ as a subgroup of $H^2(A, \mu_\ell)$ and we are led to a trilinear map

$$A[\ell] \times A[\ell] \times \operatorname{NS}(A)/\ell\operatorname{NS}(A) \to \mu_\ell.$$

For an invertible sheaf $\mathcal{L}$, let $\varphi_{\mathcal{L}}$ be the map $A \to \hat{A} = \operatorname{Pic}^0(A)$ so that $\varphi_{\mathcal{L}}(a) = t_a^*\mathcal{L} \otimes \mathcal{L}^{-1} \in \operatorname{Pic}^0(A)$ for $a \in A(\bar{F})$, where $t_a$ is the translation map defined by $a$ ([5] §). Let $e_\ell$ be the pairing between $A[\ell]$ and $\hat{A}[\ell]$ ([5] §). The trilinear map is then $(\alpha, \beta, \mathcal{L}) \mapsto e_\ell(\alpha, \varphi_{\mathcal{L}}(\beta))$, where $\alpha, \beta \in A[\ell]$ and $\mathcal{L}$ is an invertible sheaf. Note that in the map just described we no longer need to assume that $A$ is of dimension 2.

To construct a cryptographically interesting map, we need to work with the Néron-Severi group more carefully. We assume that $A$ is a simple, non-ordinary and principally polarized abelian variety. Suppose $\mathcal{L}$ is an invertible sheaf associated to a Cartier divisor $D$. Let $\varphi_D$ also denote $\varphi_{\mathcal{L}}$. Fix a divisor $\Theta$ such that $\varphi_\Theta$ is a principal polarization. Then $\mathcal{L} \mapsto \lambda_D = \varphi_\Theta^{-1}\varphi_D$ determines an injection from $\operatorname{NS}(A)$ to $\operatorname{End}(A)$, the endomorphism ring of $A$. For $\alpha, \beta \in A[\ell]$, let $e^D_\ell(\alpha, \beta) = e_\ell(\alpha, \varphi_D(\beta))$. Note that $e^D_\ell$ is skew-symmetric ([5] Lemma 16.2 (e)). For any divisor $D'$ such that $\lambda_D = \lambda_{D'}$, we have $\varphi_D = \varphi_{D'}$, hence $e^D_\ell = e^{D'}_\ell$.

We choose a (random) divisor $D$ and find $\beta \in A[\ell]$ such that $\varphi_D(\beta) = 0$. For this we can choose a random $D$ such that the characteristic polynomial $f(x)$ of $\lambda_D = \varphi_\Theta^{-1}\varphi_D$ has a non-zero root $a \bmod \ell$, therefore $f(x) = (x - a)f_1(x) \bmod \ell$ for some polynomial $f_1(x) \in \mathbb{F}_\ell[x]$. Let $\lambda = \lambda_D$. Replacing $f$ by a factor of $f$ if necessary, we assume that $f(\lambda) = 0 \bmod \ell$ but $f_1(\lambda) \neq 0 \bmod \ell$. Choose a random $\gamma \in A[\ell]$ so that $(f_1(\lambda))(\gamma) \neq 0$, and let $\beta = (f_1(\lambda))(\gamma) \in A[\ell]$. Then

$$(\lambda - a)(\beta) = ((\lambda - a)f_1(\lambda))(\gamma) = (f(\lambda))(\gamma) = 0.$$

Observe that $\lambda - a = \varphi_\Theta^{-1}\varphi_{D - a\Theta}$. So let $D_1 = D - a\Theta$. Then $\varphi_{D_1}(\beta) = 0$ as desired, and we have $e^{D_1}_\ell(\alpha, \beta) = 1$ for all $\alpha \in A[\ell]$.

With $\beta$ and $D_1$ chosen, we choose another random divisor $D_2$. Let $\lambda_{D_2}(\beta) = \alpha$. We have

$$e^{D_2}_\ell(\alpha, \beta) = e_\ell(\alpha, \varphi_{D_2}(\beta)) = e_\ell(\alpha, \varphi_\Theta(\alpha)) = e^\Theta_\ell(\alpha, \alpha) = 1.$$

In choosing $D_2$ we also make sure that $\lambda_{D_1}(\alpha) \neq 0$. This implies $\lambda_{D_1}\lambda_{D_2} \neq \lambda_{D_2}\lambda_{D_1}$, since $\lambda_{D_2}\lambda_{D_1}(\beta) = 0$ and $\lambda_{D_1}\lambda_{D_2}(\beta) = \lambda_{D_1}(\alpha) \neq 0$. It also follows that $U/\ell U$ is of dimension 2.

Let $E$ be the submodule of $\operatorname{End} A$ containing all $\lambda_D$ where $D$ is a divisor. Let $U$ be the $\mathbb{Z}$-submodule of $\operatorname{End}(A)$ generated by $\lambda_{D_1}$, $\lambda_{D_2}$, and the elements of $\ell E$. Let $U_1$ be the $\mathbb{Z}$-submodule of $\operatorname{End}(A)$ generated by 1 and the elements of $U$.

If $D'$ is a divisor such that $\lambda_{D'} \in U$, then $\lambda_{D'} = \lambda_D$ for some divisor $D = xD_1 + yD_2 + \ell D_3$ with $x, y \in \mathbb{Z}$ and $D_3$ a divisor. Since $e^{D_1}_\ell(\alpha, \beta) = e^{D_2}_\ell(\alpha, \beta) = e^{\ell D_3}_\ell(\alpha, \beta) = 1$, we have $e^D_\ell(\alpha, \beta) = 1$. Since $e^D_\ell = e^{D'}_\ell$, we have $e^\Theta_\ell(\alpha, \lambda_{D'}(\beta)) = e^{D'}_\ell(\alpha, \beta) = 1$. So for $\lambda \in U_1$, $\lambda$ encodes 0 if and only if $\lambda \in U$ if and only if $e^\Theta_\ell(\alpha, \lambda(\beta)) = 1$.

If $D'$ is a divisor such that $\lambda_{D'} \in a + U \subset U_1$ for some integer $a$, then $\lambda_{D'} = \lambda_D$ for some divisor $D = a\Theta + D_0$ with $\lambda_{D_0} \in U$. Since $e^{D_0}_\ell(\alpha, \beta) = 1$, we have $e^D_\ell(\alpha, \beta) = e^{a\Theta}_\ell(\alpha, \beta) = \zeta^a$ where $\zeta = e^\Theta_\ell(\alpha, \beta)$. Since $e^D_\ell = e^{D'}_\ell$, we have $e^{D'}_\ell(\alpha, \beta) = \zeta^a$.

Let $G_1$ and $G_2$ be respectively the cyclic groups generated by $\alpha$ and $\beta$, and let $G_3 = U_1/U$ with $1 + U$ as the generator; we consider the trilinear map $G_1 \times G_2 \times G_3 \to \mu_\ell$ sending $(x\alpha, y\beta, z + U)$ to $\zeta^{xyz}$.

Following the cryptographic literature, we write $[a]_i$ for an encoding of $a \in \mathbb{Z}/\ell\mathbb{Z}$ in $G_i$ for $i = 1, 2, 3$. For $a \in \mathbb{Z}/\ell\mathbb{Z}$, $[a]_1$ is the point $a\alpha$ and $[a]_2$ is the point $a\beta$. In particular the encoding of $a \in \mathbb{Z}/\ell\mathbb{Z}$ in $G_i$ is deterministic for $i = 1, 2$. In contrast the encoding in $G_3$ is probabilistic: for $a \in \mathbb{Z}/\ell\mathbb{Z}$, $[a]_3$ is $\lambda_D$, given in the form of a program $P_D$, where $D$ is a divisor such that $\lambda_D \in a + U$. The length of the description of $P_D$ is polynomially bounded in the length of the description of $D$, and $D$ is constructed to be linearly equivalent to $a\Theta + xD_1 + yD_2 + \ell D_3$ for some randomly chosen $x, y, D_3$, where $x, y \in \{0, \ldots, \ell - 1\}$ and $D_3$ is a divisor (see §). Given $[x]_1 = x\alpha$, $[y]_2 = y\beta$ and $[z]_3 = \lambda$ such that $\lambda \in z + U$, the trilinear map can be computed as $e^\Theta_\ell(x\alpha, \lambda(y\beta)) = \zeta^{xyz}$ where $\zeta = e^\Theta_\ell(\alpha, \beta)$.

Suppose the Riemann-Roch space defined by a divisor is efficiently constructible, and the pairing $e^\Theta_\ell$ is efficiently computable. We will show in § $G_3 = U_1/U$. In the discrete logarithm problem for $G_3 = U_1/U$, given $\lambda \in U_1$ we are to determine $a$ such that $\lambda \in a + U$. In the cryptographic setting we assume that polynomially many instantiations of $[1]_3$ are known. From these encodings of 1, polynomially many elements $\lambda \in U$ can be obtained. Note that for $i = 1, 2, 3$ and $a, b \in \mathbb{Z}/\ell\mathbb{Z}$, $a[b]_i$ is an encoding of $ab$ in $G_i$.

To investigate the hardness of the discrete logarithm problem on $G_3 = U_1/U$, it will be useful to consider the following more general formulation of a discrete logarithm problem concerning the Néron-Severi group $\operatorname{NS}(A)$. Fix a principal polarization $\varphi_\Theta$ determined by an ample divisor $\Theta$ with $\chi(\Theta) = 1$. Let $\iota: \operatorname{NS}(A) \to \operatorname{End}(A)$ be the injective map determined by $\varphi_\Theta$ under which the class of an invertible sheaf $\mathcal{L}(D)$ associated to a Cartier divisor $D$ is mapped to $\lambda_D = \varphi_\Theta^{-1}\varphi_D$. Let $E = \iota(\operatorname{NS}(A))$.

We use $\|\cdot\|$ to denote the bit-length in specifying a number or an object, whereas $|\cdot|$ denotes the absolute value of a real number or the cardinality of a set. Thus $\|A\|$ is the bit-length of the description of $A$, including the addition morphism $m_A$.
We assume that $m_A$ is effectively specified in the sense that, given points $a, b \in A(\bar{F})$, $m_A(a, b)$ can be computed from the description of $m_A$ in time polynomially bounded in $\|a\|$ and $\|b\|$. We assume that $\|A\|$ and $\|\Theta\|$ are polynomially bounded in $\log|F|$ when $g = \dim A$ is fixed.

Suppose $M$ is a submodule of $E$ such that $1 \notin M$. Let $M_1$ be the submodule generated by 1 and the elements of $M$. An element $\lambda \in M_1$ is presented as a program that on input a point $\alpha$ of $A$ computes $\lambda(\alpha)$ in time polynomially bounded in $\|\lambda\|$ and $\|\alpha\|$. We assume that polynomially many $\lambda \in M$ can be randomly sampled, where $\|\lambda\|$ is polynomially bounded in $\|A\|$ (hence in $\log|F|$ when $g$ is fixed).

The discrete logarithm problem on $(M_1/M) \otimes \mathbb{Z}/\ell\mathbb{Z}$ is: given $\lambda \in M_1$, to determine $a \in \mathbb{Z}$ such that $\lambda - a = 0$ in $(M_1/M) \otimes \mathbb{Z}/\ell\mathbb{Z}$.

In § we show that if $M_1 = \mathbb{Z} \oplus M$, then the discrete logarithm problem can be effectively solved. This is why in our construction the module $U$ contains $\ell E$, so that at primes $\ell' \neq \ell$, $U/\ell'U = U_1/\ell'U_1 = E/\ell'E$; consequently $U_1 \neq \mathbb{Z} \oplus U$.

We show that, if $M/\ell M$ is generated by mutually commuting elements, then the discrete logarithm problem can be effectively solved. This is why we construct $\lambda_{D_1}$ and $\lambda_{D_2}$ in $U$ such that $\lambda_{D_1}$ and $\lambda_{D_2}$ do not commute, and $U/\ell U$ is of dimension 2.

We show that the discrete logarithm problem can be effectively solved if $M$ is contained in the center of the endomorphism algebra $\operatorname{End}^0(A) = \operatorname{End}(A) \otimes \mathbb{Q}$. The center of $\operatorname{End}^0 A$ is isomorphic to a CM field $\mathbb{Q}(\pi)$, where $\pi$ is a Weil number associated with the Frobenius endomorphism. We show that the injective map of $E$ into $\mathbb{Q}(\pi)$ is efficiently computable, and with the injective map the discrete logarithm problem is reduced to straightforward linear algebra.

The running times of these attacks are polynomial under reasonable heuristic assumptions, most notably that the bit-length of the characteristic polynomial of an endomorphism $\lambda$ is likely polynomially bounded in $\|\lambda\|$. Our analysis shows that when $M/\ell M$ can be generated by commuting elements, or when $M$ is contained in the center of $\operatorname{End}^0 A$, the discrete logarithm problem is tractable because we can work with a commutative subalgebra which can be explicitly described. Therefore we choose $A$ to be non-ordinary, so that $\operatorname{End}^0(A)$ is a non-commutative division algebra. Moreover $E$, the image of $\operatorname{NS}(A)$ in $\operatorname{End} A$, should not be contained in the center of $\operatorname{End}^0(A)$.

In summary there are two important features of the group $G_3 = U_1/U$.

(1) Non-compatibility at $\ell' \neq \ell$: $U_1/\ell'U_1 = U/\ell'U = E/\ell'E$, whereas $U_1/\ell U_1 = \mathbb{Z}/\ell\mathbb{Z} \oplus U/\ell U$.

(2) Non-commutativity of the algebra structure: $U$ is not contained in the center of $\operatorname{End} A$, and $U/\ell U$ can be generated by two elements of $\operatorname{End} A$ that do not commute.

Our construction leads to two interesting problems. If either problem can be solved efficiently for a simple non-ordinary abelian variety $A$, then trilinear maps constructed from $A$ are not secure.

The first problem is, given $\lambda, \mu \in E$ such that $\lambda\mu \neq \mu\lambda$, to construct an explicit description of the algebra $\mathbb{Q}[\lambda, \mu]$, by which we mean a basis for $\mathbb{Q}[\lambda, \mu]$ as a vector space over $\mathbb{Q}$ with $\lambda$ and $\mu$ expressed in the basis, and the multiplication table on the basis.

We say that an endomorphism $\lambda \in \operatorname{End} A$ is effectively specified if for $\alpha \in A(\bar{F})$, $\lambda(\alpha)$ can be computed in time polynomial in $\|\alpha\|$ from the description of $\lambda$. A basis $\mu_1, \ldots, \mu_m$ for a submodule $M$ of $\operatorname{End} A$ is effective if $\mu_i$ is effectively specified for $i = 1, \ldots, m$, and moreover for every $\lambda = \sum_i a_i\mu_i \in M$ with $a_i \in \mathbb{Z}$, $|a_i|$ is polynomially bounded in $\deg\lambda$ for all $i$.

The second problem is to construct an effective $\mathbb{Z}$-basis for any submodule $M'$ of $\operatorname{End} A$ containing $M$; in particular $M'$ can be $E$ or $\operatorname{End} A$. It is an interesting question whether an effective basis for $E$ or $\operatorname{End} A$ exists and can be efficiently constructed. These two problems have not been investigated in depth from an algorithmic perspective and appear to be quite challenging in general.

Fix as before a principal polarization $\varphi_\Theta$ and a corresponding injection $\iota$ from $\operatorname{NS}(A)$ to $\operatorname{End} A$. The map $\iota$ naturally extends to an injection $\operatorname{NS}^0(A) \to \operatorname{End}^0 A$ where $\operatorname{NS}^0(A) = \operatorname{NS}(A) \otimes \mathbb{Q}$ and $\operatorname{End}^0 A = \operatorname{End} A \otimes \mathbb{Q}$. Through this map $\operatorname{NS}^0(A)$ is identified with the subspace $S$ of $\operatorname{End}^0 A$ whose elements are fixed by the Rosati involution defined by $\varphi_\Theta$. As before let $\lambda_D = \varphi_\Theta^{-1}\varphi_D$ for divisors $D$.

Let $\mathcal{D} = \operatorname{End}^0 A$, a division algebra. Let $K$ be the center of $\mathcal{D}$, and let $K_0$ be the subfield of $K$ consisting of elements fixed by the Rosati involution. Let $d^2 = [\mathcal{D} : K]$, $e = [K : \mathbb{Q}]$, $e_0 = [K_0 : \mathbb{Q}]$ and $\eta = \dim_{\mathbb{Q}} S / \dim_{\mathbb{Q}} \mathcal{D}$. Abelian varieties can be classified into four types according to these numerical invariants ([7] p. 202). Non-ordinary abelian varieties are of Type II, III or IV, where $d \geq 2$. When $A$ is not Type III, then $\eta \geq 1/2$, and $\dim_{\mathbb{Q}} S = \eta d^2 e \geq 2e \geq e$. In this case the image of a random element of $\operatorname{NS}(A)$ in $S$ is most likely not in the center $K$. Consequently when choosing $D_1$ and $D_2$ to form $U$, it is very likely that $\lambda_{D_1}$ and $\lambda_{D_2}$ are not in $K$. When $A$ is Type III, $\eta = 1/4$, $d = 2$, and $e = e_0$. In this case $\dim_{\mathbb{Q}} S = e = e_0$, so $S \subset K$. Therefore Type III abelian varieties are not adequate for our construction.

2. What can be efficiently computed
As before, divisor will mean Cartier divisor, and since we are dealing with abelian varieties, we also think of them as Weil divisors. For a divisor $D$, let $\mathcal{L}(D)$ denote the invertible sheaf associated to $D$. Let $k(V)$ denote the function field of a variety $V$. Then $H^0(A, \mathcal{L}(D)) = \{f \in k(A) \mid (f) + D \geq 0\} \cup \{0\}$, which we also denote as $L(D)$.

As a Weil divisor, a divisor $D$ can be presented as a finite sum of prime divisors $\sum_{i=1}^n a_i v_i$ where $a_i \in \mathbb{Z}$ and $v_i$ is a prime of codimension 1. The length of $D$, written $\|D\|$, is $\sum_{i=1}^n (\|a_i\| + \|v_i\|)$, where $\|a\|$ denotes the bit length of $a$ for $a \in \mathbb{Z}$, and $\|v_i\|$ is the length of the polynomials that define $v_i$. For $\alpha \in A(\bar{F})$, the bit length of $\alpha$, denoted $\|\alpha\|$, is proportional to $n\log|F'|$ where $F'$ is the finite extension of $F$ over which $\alpha$ is defined and $n$ is the dimension of the ambient space in which the point is described. We can consider $n$ a constant if the dimension of $A$ is fixed. We assume that a basis of $L(D)$ can be computed in time polynomial in $\|D\|$ and the dimension of $L(D)$. This is a reasonable assumption when the dimension of $A$ is fixed.

2.1. Computing $\lambda_D$.

We discuss how the map $\lambda_D = \varphi_\Theta^{-1}\varphi_D$ can be efficiently computed. Assuming that the pairing $e^\Theta_\ell$ can be efficiently computed (which is the case for example when $A$ is the Jacobian of a curve), it will follow that the trilinear map described in the previous section can be computed efficiently.

Lemma 2.1.
Suppose $D$ is an effective divisor such that $\varphi_D$ is an isomorphism. Then the only effective divisor linearly equivalent to $D$ is $D$ itself.

Proof.
Since $D$ is effective, $H^0(A, \mathcal{L}(D)) = L(D) \neq 0$, and since $\varphi_D$ is an isomorphism, it follows from Proposition 9.1 of [5] that $D$ is ample. Since $\varphi_D$ is an isomorphism, $\deg\varphi_D = 1$, and it follows from Theorem 13.3 of [5] that $1 = \chi(\mathcal{L}(D)) = \dim H^0(A, \mathcal{L}(D))$. Since $D$ is effective, this implies that $L(D)$ contains only constant functions. Therefore the only effective divisor linearly equivalent to $D$ is $D$ itself. □

Lemma 2.2.
Given a divisor $D$ and a point $a \in A(\bar{F})$, $\lambda_D(a)$ can be computed in expected time polynomial in $\|D\|$, $\|\Theta\|$ and $\|a\|$.

Proof.
For divisors $D$ and $D'$, $\varphi_{D+D'} = \varphi_D + \varphi_{D'}$. Therefore $\lambda_{D+D'} = \lambda_D + \lambda_{D'}$. Hence if $D = \sum_i a_i v_i$ where each $v_i$ is a prime divisor, then $\lambda_D = \sum_i a_i\lambda_{v_i}$. Therefore we may assume $D$ is a prime divisor.

Observe that $\lambda_D(a) = b$ if and only if $\varphi_\Theta(b) = \varphi_D(a)$, if and only if $D_a - D \sim \Theta_b - \Theta$, if and only if $D_a - D + \Theta \sim \Theta_b$. Compute some $f \in L(D_a - D + \Theta)$, and let $D' = (f) + D_a - D + \Theta \geq 0$. Then $D' \sim \Theta_b$, and from Lemma 2.1 we conclude that $D' = \Theta_b$. The running time for computing $f$ is polynomial in $\|D\|$, $\|\Theta\|$ and $\|a\|$. Note also that $D_a$, $D'$ and $b$ are defined over $F'$ if $a \in A(F')$.

From $\Theta_b$ we can determine $b$ as follows. Sample a random finite set $S \subset \Theta$. Then $b + \beta \in \Theta_b$ for all $\beta \in S$. Solve for $x \in A$ such that $x + \beta \in \Theta_b$ for all $\beta \in S$. This amounts to solving a polynomial system. Note that $x + \beta \in \Theta_b$ implies $x \in \Theta_b - \beta$. Hence $x \in \bigcap_{\beta \in S}(\Theta_b - \beta)$. When $S$ is large enough the intersection is likely of dimension zero, hence the polynomial system describing $x$ is likely of dimension zero, and it can be solved efficiently when the number of variables is bounded. One of the solutions for $x$ is $b$, and the correct $x$ can be tested by randomly choosing $\alpha \in \Theta$ and checking whether $\alpha + x \in \Theta_b$. □

We remark that when $A$ is the Jacobian variety of a curve $C$, the problem can be solved even more efficiently, by reducing to constructing functions in the Riemann-Roch space of some divisor on $C$.

We assume that $\Theta$ has polynomially bounded length. A divisor $D$ that is constructed in polynomial time also has length of description $\|D\|$ polynomially bounded. It follows from Lemma 2.2 that $\lambda_D$ is effectively specified. Assuming $e^\Theta_\ell$ is efficiently computable, the trilinear map $e^\Theta_\ell(u, \lambda_D(v))$ can be computed in expected time polynomially bounded in $\|u\|$, $\|v\|$ and $\|D\|$.

2.2. Computing the characteristic polynomial of an endomorphism.
Suppose $\lambda \in \operatorname{End}(A)$ is presented as a program that on input a point $\alpha$ of $A$ computes $\lambda(\alpha)$ in time polynomially bounded in $\|\lambda\|$ and $\|\alpha\|$. Let $f \in \mathbb{Z}[x]$ be the characteristic polynomial of $\lambda$. Then $f$ is of degree $2g$, where $g = \dim A$. To determine $f$ it is sufficient, by the Chinese Remainder Theorem, to determine $f \bmod \ell'$ for sufficiently many small primes $\ell'$ with product greater than the maximum absolute value of the coefficients of $f$. So after obtaining $f \bmod \ell'$ for many $\ell'$, we have a candidate polynomial $f$ for the characteristic polynomial of $\lambda$. We can check whether $f(\lambda) = 0$ by applying $f(\lambda)$ to a randomly chosen point and seeing whether we get the zero point.

To determine $f \bmod \ell'$ we first determine $\lambda \bmod \ell'$ as a map on the $2g$-dimensional linear $\mathbb{F}_{\ell'}$-space $A[\ell']$, by constructing a basis $e_1, \ldots, e_{2g}$ for $A[\ell']$ and explicitly determining $\lambda(e_i)$ in terms of the basis. This takes expected time polynomial in $(\ell')^g$ and $\|\lambda\|$. Then the characteristic polynomial of $\lambda \bmod \ell'$ can be computed, hence $f \bmod \ell'$. Therefore we have the following.

Lemma 2.3. (1) For a prime $\ell'$ not equal to the characteristic of $F$, the map $\lambda \bmod \ell'$ can be explicitly described in terms of a basis of $A[\ell']$ in expected time polynomial in $(\ell')^g$ and $\|\lambda\|$. (2) The characteristic polynomial $f$ of $\lambda$ can be constructed in expected time polynomial in $\|\lambda\|$ and $\|f\|$.

Recall that in forming $D_1$ we need to compute the characteristic polynomial of $\lambda_D$ for a randomly chosen divisor $D$. By Lemma 2.2, $\lambda_D$ is effectively specified. We make the heuristic assumption that for random $D$ it is likely that the characteristic polynomial $f_D$ has length polynomially bounded in $\|D\|$, in which case $f_D$ can be constructed in expected time polynomial in $\|D\|$.

2.3. Constructing a random representative of a divisor class.
Suppose $D$ is an effective divisor. Since $A$ is simple, if $D$ is not ample then $\varphi_D = 0$, so $\lambda_D = 0$. This can be tested by choosing a random $a \in A(F)$ and checking whether $\lambda_D(a) = 0$.

Now suppose $D$ is an effective ample divisor and $m \in \mathbb{Z}_{>0}$; we discuss how we can construct a random looking $D' \sim mD$ such that $\|D'\|$ is polynomial in $\|mD\| = O(\log|m| \cdot \|D\|)$. Since $D$ is effective, $L(D) \neq \{0\}$. Since $D$ is ample, by Theorem 13.3 of [5] it follows that $\chi(\mathcal{L}(D)) = \dim L(D) \geq 1$, and $\dim L(sD) = \chi(\mathcal{L}(sD)) = s^g\chi(\mathcal{L}(D)) \geq s^g$. So the space of divisors linearly equivalent to $sD$ has dimension $s^g - 1 > 1$ when $s > 1$. Choose $s, t$ greater than 1 so that $m = sm_1 + t$ for some $m_1 \in \mathbb{Z}_{\geq 0}$. Choose a random $f_1 \in L(sD)$ and a random $f_2 \in L(tD)$. Let $E_1 = (f_1) + sD$ and $E_2 = (f_2) + tD$. Then $mD \sim m_1E_1 + E_2$, and $\|m_1E_1 + E_2\|$ is polynomially bounded in $\|mD\|$.

In our construction, if a divisor $D$ is chosen in the form $D = a\Theta + bD_1 + cD_2 + \ell D'$, we construct a random looking divisor $D''$ linearly equivalent to $D$ to encode the class of $\lambda_D + U = a + U$. We can apply the above procedure to $a\Theta$, $bD_1$, $cD_2$ and $\ell D'$ respectively to construct $D'_1 \sim a\Theta$, $D'_2 \sim bD_1$, $D'_3 \sim cD_2$ and $D'_4 \sim \ell D'$. Then $D'' = D'_1 + D'_2 + D'_3 + D'_4$ is linearly equivalent to $D$, so $\lambda_{D''} = \lambda_D$.

If $D$ is given in the form $D = \sum_i a_i v_i$ where each $v_i$ is a prime divisor, we may apply the above procedure to each $v_i$ that is ample to construct some $D'_i \sim a_i v_i$. Then $\sum_i D'_i$ is linearly equivalent to $D$. The same process can be applied to the $D'_i$ again, and by repeating this process sufficiently many times we can construct a divisor $D'' = \sum_i b_i v_i \bmod \ell$ where the sum involves many, though polynomially bounded in number, prime divisors $v_i$. We have $\lambda_D = \lambda_{D''} = \sum_i b_i\lambda_{v_i} \bmod \ell$. Each $\lambda_{v_i}$ has a program $p_i$ of length polynomially bounded in $\|v_i\|$ by Lemma 2.2. The program for $\lambda_{D''}$ can be specified in length $\sum_i (\|b_i\| + \|p_i\|)$, which is polynomially bounded in $\|D''\|$, hence in $\|D\|$.

We have seen by virtue of Lemma 2.2 that the map $\operatorname{NS}(A)/\ell\operatorname{NS}(A) \to E/\ell E$ is efficiently computable. An interesting question is whether the inverse is efficient to compute as well. That is, given $\mu \in E$, can we efficiently construct a divisor $D$ such that $\lambda_D = \mu \bmod \ell$? In light of the discussion in the next subsection, an affirmative answer would reduce the discrete logarithm problem that concerns us to intersection products. The answer is in the affirmative when $\operatorname{End} A$ is commutative, and this will follow from Lemma 3.1. However the situation in the non-commutative case is far from clear.

2.4. Linear algebra on $\operatorname{NS}(A)$ reduces to intersection product.
The reason why the discrete logarithm problem involving $\operatorname{NS}(A)$ is specified in terms of elements of $E$ is that linear algebra in $\operatorname{NS}(A)$ and $\operatorname{NS}(A)/\ell\operatorname{NS}(A)$ can be reduced to intersection products of divisors. More specifically, to determine a linear relation in $\operatorname{NS}(A)/\ell\operatorname{NS}(A)$ between a divisor $D$ and a finite set of divisors $D_1, \ldots, D_n$, we want to solve for $x_i$ such that $D$ is algebraically equivalent to $\sum_i x_i D_i$ modulo $\ell$. Let $g = \dim A$. Observe that for a divisor $H$, the algebraic equivalence implies $D \cdot H^{g-1} = \sum_i x_i D_i \cdot H^{g-1} \bmod \ell$. Therefore by computing the $(n+1)$ intersection products $a = D \cdot H^{g-1}$ and $b_i = D_i \cdot H^{g-1}$, for $i = 1, \ldots, n$, we get a linear relation $a = \sum_i b_i x_i \bmod \ell$. With sufficiently many linear relations we can determine the $x_i$. Therefore if the discrete logarithm problem is specified in terms of divisors, then the problem can be reduced to computing intersection products. If $g = \dim A$ is fixed, then intersection products on $A$ can in principle be reduced to counting solutions of polynomial systems in a bounded number of variables.

3. The discrete logarithm problem involving $\operatorname{NS}(A)$

We discuss various attacks on the underlying discrete logarithm problem concerning the Néron-Severi group. Let us recall the general set-up of this problem.

Let $A$ be a principally polarized abelian variety defined over a finite field $\mathbb{F}_q$. Fix a principal polarization $\varphi_\Theta$ determined by an ample divisor $\Theta$ with $\chi(\Theta) = 1$, and consider the injection $\iota$ of $\operatorname{NS}(A)$ into $\operatorname{End}(A)$ determined by $\varphi_\Theta$, such that the class of an invertible sheaf $\mathcal{L}(D)$, where $D$ is a divisor, is mapped to $\lambda_D = \varphi_\Theta^{-1}\varphi_D$.

Suppose $M$ is a submodule of $E$ such that $1 \notin M$. Let $M_1$ be the submodule generated by 1 and the elements of $M$. We do not assume that $M$ is explicitly given; however, polynomially many elements of $M$ can be randomly sampled. The discrete logarithm problem on $(M_1/M) \otimes \mathbb{Z}/\ell\mathbb{Z}$ is: given $\lambda \in M_1$, to determine $a \in \mathbb{Z}$ such that $\lambda - a = 0$ in $(M_1/M) \otimes \mathbb{Z}/\ell\mathbb{Z}$.

3.1. The case $M_1 = \mathbb{Z} \oplus M$.

Given $\lambda \in M_1$, we want to determine $a \bmod \ell$ such that $\lambda = a + \mu$ with $a \in \mathbb{Z}$ and $\mu \in M$. To determine $a$ it is sufficient to determine $a \bmod \ell'$ for sufficiently many small primes $\ell'$. We may assume that we have sampled enough elements of $M$ that they generate $M/\ell'M$ as a vector space over $\mathbb{F}_{\ell'}$. By Lemma 2.3 we can determine for each sampled element $\mu$ the action of $\mu$ on a basis of $A[\ell']$ in time polynomial in $\ell'^g$. Therefore we can construct an $\mathbb{F}_{\ell'}$-basis $\mu_1, \ldots, \mu_k$ of $M/\ell'M$ in time polynomial in $\ell'^g$. For all $a_0, \ldots, a_k \in \mathbb{F}_{\ell'}$, we can check whether $\lambda = a_0 + a_1\mu_1 + \cdots + a_k\mu_k \bmod \ell'$ by acting on $A[\ell']$ or a basis of $A[\ell']$. Once the equality is verified we know that $a = a_0 \bmod \ell'$. The amount of time required is polynomial in $\ell'^g$.

In constructing our trilinear map we make sure that for $\ell' \neq \ell$, $U/\ell'U = U_1/\ell'U_1$; in other words, $U$ and $U_1$ are indistinguishable mod $\ell'$. This is accomplished by including $\ell E$ in $U$.

3.2. The case $M/\ell M$ is of dimension no greater than one.
Since $\deg$ is a (homogeneous) polynomial function of degree $2g$ on $\operatorname{End} A$ ([5] Proposition 12.4), it follows that $\deg(a\lambda) = a^{2g}\deg\lambda$ for $\lambda \in \operatorname{End} A$; moreover if $\lambda, \mu \in \operatorname{End} A$ and $\lambda = \mu \bmod \ell$, then $\deg\lambda = \deg\mu \bmod \ell$. Hence the discrete-log problem in the case $M = \ell E$ is reduced to degree computation. In particular if $\lambda = a \bmod \ell$ then $\deg\lambda = a^{2g} \bmod \ell$. Determine the characteristic polynomial of $\lambda$. From the constant term of the polynomial we get $\deg\lambda$. Then $a$ can be determined.

3.2.1. $M/\ell M$ is of dimension 1.

In the discrete logarithm problem we have polynomially many samples of elements of $M$. Pick one $\lambda$ such that $\lambda \neq 0 \bmod \ell$, which can be checked by choosing a random $\alpha \in A[\ell]$ and verifying that $\lambda(\alpha) \neq 0$. Given $\mu \in M_1$ we want to find $a$ such that $\mu = a + b\lambda \bmod \ell$ where $b \in \mathbb{Z}$. Since $a + b\lambda \in \mathbb{Q}[\lambda] \subset \operatorname{End}^0 A$ and $\mathbb{Q}[\lambda]$ is a commutative field, every root of the characteristic polynomial of $a + b\lambda$ is of the form $a + b\gamma$ where $\gamma$ is a root of the characteristic polynomial of $\lambda$. The characteristic polynomial of $a + b\lambda$ is $f((x - a)/b)$, where $f$ is the characteristic polynomial of $\lambda$. Compute the characteristic polynomial $g$ of $\mu$. Then $g(x) = f(b^{-1}(x - a)) \bmod \ell$, where $g$ and $f$ are known and $a, b$ are unknown. Comparison of each coefficient gives rise to a polynomial equation in $a$ and $b$ over $\mathbb{F}_\ell$. Solving the system of polynomial equations we can determine $a$ and $b$ up to a finite number of choices. Then determine the correct one by acting on a random point of $A[\ell]$.

3.3. The case $M/\ell M$ is generated by at least two elements.

The line of attack described below can be easily generalized; however, for simplicity, we illustrate the ideas with the case where $M/\ell M$ is generated by two elements. So from the random samples of elements of $M$ pick two, $\lambda$ and $\mu$; then it is likely that they generate $M/\ell M$. Therefore the discrete logarithm problem can be described as follows: given $\omega \in M_1$, to find $a$ such that $\omega = a + b\lambda + c\mu \bmod \ell$ where $b, c \in \mathbb{Z}$.

By an explicit description of the algebra $K = \mathbb{Q}[\lambda, \mu]$ we mean a basis over $\mathbb{Q}$ as a vector space with $\lambda$ and $\mu$ expressed in terms of the basis, and the multiplication table on the basis elements.

If $\lambda$ and $\mu$ commute, then $K = \mathbb{Q}[\lambda, \mu]$ is a commutative field of extension degree dividing $2g$. Let $f(x)$ and $g(x)$ be respectively the irreducible polynomials of $\lambda$ and $\mu$. An explicit description of the algebra $K$ can be obtained from $f(x)$ and $g(x)$ as follows. Factor $g(x)$ over $\mathbb{Q}[\lambda]$. Find the irreducible factor $h(x) \in \mathbb{Q}[\lambda][x]$ of $g(x)$ such that $h(\mu) = 0$, by choosing random points $w$ on the variety $A$ and checking whether $h(\mu)(w) = 0$. The field $\mathbb{Q}[\lambda, \mu]$ is of extension degree $\deg f \cdot \deg h$ over $\mathbb{Q}$, with $\lambda^i\mu^j$, $0 \leq i \leq \deg f - 1$, $0 \leq j \leq \deg h - 1$, forming a basis of $\mathbb{Q}[\lambda, \mu]$ over $\mathbb{Q}$. The multiplication table on this basis can be written using $f$ and $h$.

Then we can express the action of $a + b\lambda + c\mu$ on the basis with the help of the multiplication table, and from that determine the characteristic polynomial of $a + b\lambda + c\mu$ acting on $K$, with coefficients being polynomials in $a, b, c$. This polynomial, if its degree is $2g$, or a suitable power of this polynomial, is the characteristic polynomial of $a + b\lambda + c\mu$ as an element of $\operatorname{End}^0 A$. Then from $\omega = a + b\lambda + c\mu \bmod \ell$, by comparing the coefficients of the characteristic polynomials of $a + b\lambda + c\mu$ and $\omega$, we obtain a system of polynomials in $a, b, c$, from which we can determine $a$ as before.

However, if $\mu\lambda \neq \lambda\mu$, we run into difficulty if we try to mount the same line of attack. In this case $\mathbb{Q}[\lambda, \mu]$ as a subalgebra of $\operatorname{End}^0 A$ is not commutative, and it is not clear whether one can efficiently determine the structure of $\mathbb{Q}[\lambda, \mu]$ explicitly. This is why in our trilinear map the $\mathbb{F}_\ell$-space $U/\ell U$ is generated by two elements that do not commute.

Below we give a reduction from the discrete logarithm problem to further clarify how the security of our trilinear map depends on the hardness of constructing an explicit description of the subalgebra generated by two non-commuting elements.
From the random samples of elements of $M$ pick two, $\lambda$ and $\mu$; then it is likely that they generate $M/\ell M$. Therefore the discrete logarithm problem can be described as follows: given $\omega \in M_1$, to find $a$ such that $\omega = a + b\lambda + c\mu \bmod \ell$ where $b, c \in \mathbb{Z}$.

Suppose we are given a $\mathbb{Q}$-basis of $\mathbb{Q}[\lambda, \mu]$ with $\lambda$ and $\mu$ expressed in the basis, as well as the multiplication table on the basis. We want to determine $a, b, c$ such that $\omega = a + b\lambda + c\mu \bmod \ell$. As before we can express the action of $a + b\lambda + c\mu$ on the basis with the help of the multiplication table, and from that determine the characteristic polynomial $F$ of $a + b\lambda + c\mu$ acting on $K$, with coefficients being polynomials in $a, b, c$. Let $\rho$ denote the irreducible polynomial of $a + b\lambda + c\mu$. Let $f$ denote the characteristic polynomial of $a + b\lambda + c\mu$ as an element of $\operatorname{End}^0 A$.

Let $d_h$ denote the degree of a polynomial $h$. Then $d_f = 2g$, $d_\rho \mid 2g$ and $d_F \leq [\operatorname{End}^0 A : \mathbb{Q}] \leq (2g)^2$. We have $F = \rho H$ and $f = \rho h$ for some polynomials $H$ and $h$. For each choice of $d_\rho \mid 2g$, we set up a polynomial system as follows. Treat $\rho$, $h$ and $H$ as unknown polynomials. We have $d_F - d_\rho + 2g + 3$ unknowns, including $a, b, c$ and the unknown coefficients of $\rho$, $h$ and $H$. Let $F_\omega$ be the characteristic polynomial of $\omega$, which is of degree $2g$. From $F_\omega = f = \rho h \bmod \ell$ and $F = \rho H$, by comparing coefficients, we derive $2g + d_F$ polynomial equations. If $d_\rho \geq 3$, then $2g + d_F \geq d_F - d_\rho + 2g + 3$: there are at least as many polynomial equations as unknown variables, so we expect on heuristic grounds to have finitely many solutions. For each solution we check whether $\omega = a + b\lambda + c\mu \bmod \ell$ by acting on a random point of $A[\ell]$.

3.4. The case $M$ is contained in the center of $\operatorname{End}^0 A$.

Let $C(A)$ denote the center of $\operatorname{End}^0 A$. Then there is an isomorphism $\iota: C(A) \to \mathbb{Q}(\pi)$ where $\mathbb{Q}(\pi)$ is a CM field and $\pi$ is the image of the Frobenius endomorphism $\pi_A$ under $\iota$.

Lemma 3.1. The restriction of the map $\iota$ to $E \cap C(A)$ is efficiently computable; that is, given $\lambda \in C(A)$, $\iota(\lambda)$ can be computed in time polynomial in $\|\lambda\|$, $\|f\|$ and $\|\pi\|$, where $f$ is the characteristic polynomial of $\lambda$.

Proof.
Suppose λ ∈ C ( A ). Then ι ( λ ) is a root of the characteristic polynomial f of λ . ByLemma 2.3 f can be constructed in time polynomial in || λ || and || f || . By factoring f over Q ( π ),we can express each root of f in Q ( π ) in the form m − P i a i π i where m and a i are integers.This takes time polynomial in || f || and || π || . We want to check if λ = m − P i a i π iA . If theequality does not hold then mλ = P i a i π iA mod ℓ ′ with high probability for random prime ℓ ′ not dividing m deg λ . Therefore choose a small random ℓ ′ not dividing deg λ and m , and checkthat the equality holds mod ℓ ′ by acting on A [ ℓ ′ ], as in Lemma 2.3. Then the correct root of thecharacteristic polynomial of λ can be determined as the image under ι . (cid:3) Given polynomially many elements λ in M , we can by Lemma 3.1 efficiently compute theirimages under ι and determine ι ( M ) as a subspace of Q ( π ).Given λ ∈ M , we want to determine a ∈ Z such that λ − a mod ℓ ∈ M/ℓM . This reduces tofinding a such that ι ( λ ) − a mod ℓ ∈ ι ( M ), which can be solved efficiently since linear algebrain Q ( π ) is easy once elements are expressed in terms of the basis π i , i = 0, ..., e − e = [ Q ( π ) : Q ].If A is simple and ordinary then C ( A ) = End (A). This is why we do not consider ordinaryabelian varieties.3.5. The case when M C ( A ) . In this case the discrete logarithm appears to be difficultgenerally speaking. However suppose we are given a submodule M ′ of End A containing M together with an effective basis µ , ..., µ n of M ′ as a Z -module. Then the discrete logarithmproblem on M /M ⊗ Z /ℓ Z can be solved efficiently, as we show below. Since the basis for M ′ is effective, for each µ i in the basis and prime ℓ ′ , the action of µ i on A [ ℓ ′ ] can be explicitly determined in time ( ℓ ′ ) O ( g ) . Moreover for every λ = P i a i λ i ∈ M ′ with a i ∈ Z , | a i | is polynomially bounded in deg λ for all i .Let λ ∈ M . 
We can find $a_i \in \mathbb{Z}$ such that $\lambda = \sum_{i=1}^n a_i \mu_i$ as follows. For a small prime $\ell'$, find $b_i < \ell'$ such that $\lambda$ and $\sum_i b_i \mu_i$ act the same on $A[\ell']$. By Lemma 2.2 and the assumption on $M'$ we know that this can be done in $(\ell')^{O(g)}$ time. Then $a_i = b_i \bmod \ell'$ for all $i$. By the assumption on the basis of $M'$, we only need to consider all primes $\ell'$ up to a bound polynomial in $\log(\deg\lambda)$ in order to determine $a_i$ for all $i$ by Chinese remaindering.

We have polynomially many $\lambda_i \in M$ and a $\lambda \in M$, and we would like to find $a \in \mathbb{Z}$ such that $\lambda - a \bmod \ell \in$ M /M ⊗ Z/ℓZ. We can determine the decomposition of all the $\lambda_i$, of $\lambda$, and of $1$ (as an endomorphism) in terms of the basis for $M'$ as above; suppose $u_i$, $v$ and $v_0$ are respectively the coefficient vectors in their decompositions. Suppose the $u_i \bmod \ell$ generate $M/\ell M$ as a vector space over $\mathbb{F}_\ell$, which is most likely the case. Then $v = x_0 v_0 + \sum_{i=1}^n x_i u_i \bmod \ell$ for some $x_i \in \mathbb{Z}/\ell\mathbb{Z}$, $i = 0, \dots, n$. Solve the linear system over $\mathbb{F}_\ell$ to obtain a solution $x_i$, $i = 0, \dots, n$; then $x_0$ is what we want, that is, $a = x_0 \bmod \ell$.

3.6. Summary.
In constructing the trilinear map we choose $A$ to be a simple but non-ordinary abelian variety with principal polarization. As discussed above, the construction gives rise to a discrete logarithm problem on some U /U ⊗ Z/ℓZ, where $U/\ell U$ has a basis of two elements that do not commute, and U /ℓ′U = U/ℓ′U for primes $\ell' \neq \ell$.

The discrete logarithm problem is reducible to constructing an explicit description of the algebra generated by two non-commuting endomorphisms: a basis over $\mathbb{Q}$, the multiplication table for the basis, and the two elements expressed in the basis. It is also reducible to constructing an effective $\mathbb{Z}$-basis for the endomorphism ring of a simple non-ordinary abelian variety. Both problems appear to be hard.

For a simple abelian variety $A$ the center of the division algebra $\mathrm{End}\,A$ is a CM field $\mathbb{Q}(\pi)$, where $\pi$ is a Weil number (unique up to conjugacy) associated with the Frobenius endomorphism of $A$. Our analysis shows that an endomorphism $\lambda_D$ determined by a divisor can be effectively expressed as an element of $\mathbb{Q}(\pi)$ if $\lambda_D$ is in the center of $\mathrm{End}\,A$. This is an important reason why the discrete logarithm problem can be attacked when $U$ is contained in the center of $\mathrm{End}\,A$.

A consequence of Tate's theorem ([8], also see Chapter 2 of [10]) is that the local invariants of $\mathrm{End}\,A$ as a division algebra with center $\mathbb{Q}(\pi)$ are completely determined by $\pi$. The question is, apart from the center, how to explicitly and efficiently determine the structure of $\mathrm{End}\,A$, or on a smaller scale, the subalgebra generated by two non-commuting elements. This is an interesting and important problem for further investigation.
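The procedure of Section 3.5 (coefficients of $\lambda$ in the basis of $M'$ by Chinese remaindering over small primes $\ell'$, then one linear system over $\mathbb{F}_\ell$ for $x_0$), worked through as an added example that is not part of the paper: the abelian variety is replaced by a constructed toy model in which endomorphisms are $2\times 2$ integer matrices, so that acting on $A[\ell']$ is simply reduction of the matrix mod $\ell'$. `BASIS`, `GENS`, the small primes, the target endomorphism and the coefficient bound are all constructed sample data and assumptions, not values from the paper.

```python
def solve_mod_p(A, b, p):
    """One solution x of A x = b over F_p (free variables set to 0), or None."""
    m, n = len(A), len(A[0])
    M = [[a % p for a in row] + [bi % p] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, m) if M[i][c]), None)
        if piv is None: continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [(v * inv) % p for v in M[r]]
        for i in range(m):
            if i != r and M[i][c]:
                M[i] = [(vi - M[i][c] * vr) % p for vi, vr in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    if any(M[i][n] for i in range(r, m)): return None  # inconsistent system
    x = [0] * n
    for i, c in enumerate(pivots):
        x[c] = M[i][n]
    return x

def crt_lift(residues, moduli, bound):
    """Chinese remaindering to the unique integer a with |a| <= bound."""
    a, m = 0, 1
    for r, q in zip(residues, moduli):
        a, m = a + m * (((r - a) * pow(m, -1, q)) % q), m * q
    assert m > 2 * bound, "need more small primes for this coefficient bound"
    return a if a <= m // 2 else a - m

def coefficients(lam, basis, primes, bound):
    """a_i with lam = sum_i a_i mu_i (3.5): b_i mod each small l', then CRT-lift."""
    idx = [(r, c) for r in range(len(lam)) for c in range(len(lam))]
    rows = [[mu[r][c] for mu in basis] for r, c in idx]  # action on A[l'] = matrix mod l'
    sols = [solve_mod_p(rows, [lam[r][c] for r, c in idx], q) for q in primes]
    return [crt_lift([s[i] for s in sols], primes, bound) for i in range(len(basis))]

def dlog_mod_l(lam, gens, basis, primes, bound, l):
    """a mod l with lam - a in M/lM, M spanned by gens (generic case of 3.5)."""
    ident = [[int(r == c) for c in range(len(lam))] for r in range(len(lam))]
    v, v0 = (coefficients(t, basis, primes, bound) for t in (lam, ident))
    us = [coefficients(g, basis, primes, bound) for g in gens]
    rows = [[v0[j]] + [u[j] for u in us] for j in range(len(basis))]
    x = solve_mod_p(rows, v, l)  # v = x_0 v_0 + sum_i x_i u_i over F_l
    return None if x is None else x[0]

# Constructed toy model (not the paper's code): endomorphisms are 2x2 integer
# matrices; M' = M_2(Z) with basis E11,E12,E21,E22 and M = Z*l1 + Z*l2.
BASIS = [[[1, 0], [0, 0]], [[0, 1], [0, 0]], [[0, 0], [1, 0]], [[0, 0], [0, 1]]]
GENS = [[[1, 1], [0, 0]], [[0, 0], [1, 2]]]
```

With the target $\lambda = 5\cdot 1 + 3\lambda_1 - 2\lambda_2 = \begin{pmatrix}8&3\\-2&1\end{pmatrix}$, `dlog_mod_l` over the small primes 11 and 13 with $\ell = 7$ returns $a = 5$.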
Acknowledgements
I would like to thank the participants of the AIM workshop on cryptographic multilinear maps for stimulating discussions. I would also like to thank Dan Boneh and Amit Sahai for helpful discussions during the initial phase of this investigation after the AIM workshop.
References

[1] D. Boneh and A. Silverberg, Applications of Multilinear Forms to Cryptography, Contemporary Mathematics, Vol. 324, American Mathematical Society, pp. 71-90, 2003.
[2] H. Lin and S. Tessaro, Indistinguishability Obfuscation from Trilinear Maps and Block-Wise Local PRGs, in CRYPTO 2017.
[3] V. Miller, Short programs for functions on curves, unpublished manuscript, 1986.
[4] V. Miller, The Weil pairing, and its efficient calculation, J. Cryptology 17 (2004), 235-261.
[5] J.S. Milne, Abelian varieties, in Arithmetic Geometry, G. Cornell and J. Silverman (editors), Springer-Verlag, 1986.
[6] J.S. Milne, Jacobian varieties, in Arithmetic Geometry, G. Cornell and J. Silverman (editors), Springer-Verlag, 1986.
[7] Mumford, Abelian varieties.
[8] J. Tate, Endomorphisms of Abelian Varieties over Finite Fields, Inventiones math. 2 (1966), 134-144.
[9] J. Tate, Classes d'isogénie des variétés abéliennes sur un corps fini (d'après T. Honda), Séminaire Bourbaki, Exposé 352, Lecture Notes in Math. 179, Springer-Verlag, 1968/69, 95-110.
[10] W.C. Waterhouse, Abelian varieties over finite fields, Annales scientifiques de l'École Normale Supérieure (1969), Volume 2, Issue 4, pages 521-560.
Computer Science Department, University of Southern California, U.S.A.