## Case Study V: Ubiquity of finite fields December 21, 2007

Posted by Alexandre Borovik in Uncategorized.
Zadaje pytania wymijajace, by przeciac droge wymijajacym odpowiedziom.
Stanislaw Jerzy Lec

Whenever you discuss the realities of mathematical life, words of wisdom from Vladimir Arnold, an outspoken critic of the status quo of modern mathematics, often help to clarify the issues:

All mathematics is divided in three parts: cryptography (paid for by the CIA, the KGB and the like), hydrodynamics (supported by manufacturers of atomic submarines) and celestial mechanics (financed by the military and by other institutions dealing with missiles, such as NASA).

Cryptography has generated number theory, algebraic geometry over finite fields, algebra, combinatorics and computers.

Let us pause here and, ignoring the irony of Arnold’s words, take them at face value. Indeed, why there is so much fuss around finite fields? Why is modern, computer-implemented cryptography based on finite fields?

This question is relevant to our discussion since computers can be viewed as very crude models of a mathematical brain. One of the major problems of human mathematics — and the battleground of platonists and formalists — is why mathematics chooses to operate within a surprisingly limited range of basic structures. Why does it reuse, again and again, the same objects? It is this aspect of mathematical practice that turns many mathematicians into instinctive (although not very committed) platonists.

But why not ask the same question about computers? Let us make it more specific: why is the range of structures usable in computer-based cryptography so narrow? Unlike the philosophical questions of mathematics, this last question has the extra bonus of having very obvious practical implications.

Imagine that the proverbial little green men from Mars stole a satellite from its orbit around Earth and attempted to analyze the dedicated microchip responsible, say, for the Diffie-Hellman key exchange. Would they be surprised to discover that humans were using finite fields and elliptic curves?

For further discussion, we need some details of the Diffie-Hellman key exchange. I repeat its basic setup in a slightly more abstract way than is usually done.

Alice and Bob want to make a shared secret key for the encryption of their communications. Until they have done so, they can use only an open line communication, with Clare eavesdropping on their every word. How could they exchange the key in open communication so that Clare would not also get it?

The famous Diffie-Hellman key exchange protocol is a procedure which resolves this problem. Historically, it is one of the starting points of modern cryptography. In an abstract setting, it looks like this:

• Alice and Bob choose a big finite abelian group $G$ (for our convenience, we assume that the operation in $G$ is written multiplicatively). They also specify an element $g \in G$. (As the result of her eavesdropping, Clare also knows $G$ and $g$.)
• Alice selects her secret integer $a$, computes $g^a$ and sends the value to Bob. (Clare knows $g^a$, too.)
• Similarly, Bob selects his secret integer $b$ and sends to Alice $g^b$. (Needless to say, Clare duly intercepts $g^b$ as well.)
• In the privacy of her computer (a major and delicate assumption) Alice raises the element $g^b$ received from Bob to her secret exponent $a$ and computes $(g^b)^a$. (Clare does not know the result unless she has managed to determine Alice’s secret exponent $a$ from the intercepted values of $g$ and $g^a$.)
• Similarly, Bob computes $(g^a)^b$.
• Since $(g^b)^a = g^{ab} = (g^a)^b$, the element $g^{ab}$ is the secret shared element known only to Alice and Bob, but not to Clare. The string of symbols representing $g^{ab}$ can be used by Alice and Bob as their shared secret key for encryption of all subsequent exchanges.

So, what do we need for the realization of this protocol? I will outline the technical specifications only in a very crude form; they can be refined in many ways, but there is no need to do that here, a crude model will suffice.

Since we can always replace $G$ by the subgroup generated by $g$, we can assume that $G$ is cyclic. We will also assume that $G$ has prime order $p$.

Therefore, to implement the Diffie-Hellman key exchange, we need:

• A cyclic group $G$ of very large prime order $p$ such that its elements can be presented by short (that is, of length $O(\log p)$) strings of 0s and 1s.
• The group operation has to be quick, in any case, better than in $O(\log^2 p)$ basic operations of the computer.
• The discrete logarithm problem of finding the secret exponent $a$ from $g$ and $g^a$ has to be very difficult for all elements $g \neq 1$ in $G$; in any case, it should not allow a solution by a polynomial time algorithm. (Even if a polynomial time algorithm is practically unfeasible, its very existence will undermine the commercial confidence in the cryptographic product since it potentially opens up a venue for possible improvements which will eventually destroy the cryptosystem. Commercial and military users of cryptographic products are not willing to take such risks.)
• This should preferably (but not necessarily) be done for an arbitrary prime $p$, or for sufficiently many primes; to make the problem easier, let “sufficiently many” mean “infinitely many”.
• The implementation of the particular instances of the algorithm, compilation of the actual executable file for the computer (or realization of the algorithm at the hardware level in a microchip, say, in a mobile phone) should be easy and done in polynomial time of small degree in $\log p$.

There are two classical ways of making cyclic groups $C_p$ of prime order $p$: one of them is the additive group of the field of residues modulo $p$, $\mathbb{Z}/p\mathbb{Z}$. In another, we select a prime $q$ such that $p$ divides $q-1$ and generate $G$ by an element $g$ of the multiplicative order $p$ in the multiplicative group $(\mathbb{Z}/q\mathbb{Z})^*$. In the additive group $\mathbb{Z}/p\mathbb{Z}$, the exponentiation $g \mapsto g^n$ is just multiplication by $n$, $g \mapsto n\cdot g$, and the Euclidean algorithm instantly solves the discrete logarithm problem. In the multiplicative group $(\mathbb{Z}/q\mathbb{Z})^*$, the discrete logarithm problem is apparently hard. It is also conjectured to be hard in the group of points of an elliptic curve over a finite field, thus giving rise to elliptic curve cryptography. Notice that, in all cases, the group, as an abstract algebraic object, is exactly the same, the cyclic group of order $p$; it is the underlying computational structure that matters.

How can we compare different computational structures for $C_p$? Look again at the examples

$C_p \simeq \mathbb{Z}/p\mathbb{Z}$

and

$C_p \hookrightarrow (\mathbb{Z}/q\mathbb{Z})^*$.

Elements of $\mathbb{Z}/p\mathbb{Z}$ can be naturally represented as integers $0,1,2,\dots, p-1$. Given an element $g \in(\mathbb{Z}/q\mathbb{Z})^*$ of multiplicative order $p$, we can use square-and-multiply to raise $g$ to the power of $n$ in $O(\log n)$ time. Hence the map

$\mathbb{Z}/p\mathbb{Z} \rightarrow (\mathbb{Z}/q\mathbb{Z})^*$

given by $n \rightarrow g^n$ is an isomorphism of the two computational implementations of $C_p$, (an isomorphism which can be computed in time linear in $\log p$).

An impressive body of mathematics has been developed over the last half century for efficient implementation of exponentiation, with the likes of Paul Erdos and Donald Knuth involved.

We shall say that the implementation of $C_p$ as $\mathbb{Z}/p\mathbb{Z}$ is reducible to its implementation as $C_p \hookrightarrow (\mathbb{Z}/q\mathbb{Z})^*$. To compute the inverse isomorphism means to solve the discrete logarithm problem, which, it is universally believed, cannot be done in time which is polynomial in $\log p$. Therefore morphisms of computational structures for $C_p$ are homomorphisms computable in polynomial time.

As Blake, Seroussi and Smart comment in the introduction to their book on elliptic curve cryptography, the three types of groups we just mentioned represent the three principal classes of commutative algebraic groups over finite fields: unipotent — $\mathbb{Z}/p\mathbb{Z}$, tori — $(\mathbb{Z}/q\mathbb{Z})^*$, and abelian varieties — elliptic
curves. They can all be built from finite fields, by simple constructions with fast computer implementations. So far I am aware of only one another class of computational structures for finite abelian groups proposed for use in cryptography, “ideal class groups” in number fields (but it is not clear to me whether they allow a cheap mass set-up).

My million dollar question is

Are there polynomial time computational structures for cyclic groups of prime order (which therefore have a chance to meet memory and speed requirements of computer-based cryptography) and which cannot be reduced, within polynomial space/time constraints, to one of the known types?

Notice that non-reducibility to $\mathbb{Z}/p\mathbb{Z}$ would mean that the discrete logarithm problem cannot be solved in polynomial time, giving such structures a chance to meet security requirements as well.

I accept that this question is likely to be out of reach of modern mathematics. The answer will definitely involve some serious advances in complexity theory. If the answer is “yes”, especially if you can invent something which is quicker than elliptic curve systems, you can patent yourinvention and make your million dollars. If the answer is “no” — and this is what I expect — it will provide some hint as to how similar questions can be asked about mathematical algorithms and structures acceptable for the human brain and about algorithms implemented in the brain at the innate, phylogenic level.

Meanwhile, mathematics already has a number of deep results which show the very special role of finite fields in the universe of all finite structures; we shall discuss one such theorem later.

[Cannibalised from my book; you can find references, etc. there.]

1. James - December 23, 2007

Have you considered abelian varieties of dimension 2? (Elliptic curves are abelian varieties of dimension 1.)

2. Alexandre Borovik - December 25, 2007

Yes, of course. There is quite a body of literature of cryptological assessment of abelian varieties.

3. David Corfield - January 4, 2008

More cryptology here.

4. dcorfield - January 7, 2008

For more blogging on cryptography see here.