1. Introduction
Cryptographic applications of multilinear maps were first proposed in the work of Boneh and Silverberg [1]. However the existence of cryptographically interesting linear maps for remains an open problem. The problem has attracted much attention more recently as multilinear maps and their variations have become a useful tool for indistinguishability obfuscation. Very recently Lin and Tessaro [2] showed that trilinear maps are sufficient for the purpose of achieving indistinguishability obfuscation (see [2] for references to related works along several lines of investigation).
In this paper we study cryptographic trilinear maps involving abelian varieties over finite fields. At the AIM workshop on cryptographic multilinear maps (2017) Chinburg suggested that the following map from étale cohomology may serve as the basis of constructing a cryptographically interesting trilinear map:
where is an abelian surface over a finite field and the prime . This trilinear map is the starting point of our construction.
Suppose is a principally polarized abelian variety over a finite field . Let denote the dual abelian variety. Consider as a variety over , the algebraic closure of . We have . We have , so , where is the NéronSeveri group . From
and we get
thus we can consider as a subgroup of and we are led to a trilinear map
For an invertible sheaf , let be the map so that
for where is the translation map defined by by ([5] § 1 and § 6). Let be the pairing between and ([5] § 16). Then in the trilinear map, , where , and is an invertible sheaf.
Note that in the map just described we no longer need to assume that is of dimension 2.
To construct a cryptographically interesting map, we need to work with the NéronSeveri group more carefully. We assume that is a simple, nonordinary and principally polarized abelian variety.
Suppose is an invertible sheaf associated to a Cartier divisor . Let also denote . Fix a divisor such that is a principal polarization. Then determines an injection from to , the endomorphism ring of . For , let . Note that
is skewsymmetric (
[5] Lemma 16.2 (e)). For any divisor such that , we have , hence .We choose a (random) divisor and find such that . For this we can choose a random such that the characteristic polynomial of has a nonzero root mod , therefore , for some polynomial . Let . Replacing by a factor of if necessary we assume that but . Choose a random so that , and let . Then
Observe that . So let . Then as desired, and we have for all .
With and chosen, we choose another random . Let . We have
In choosing we also make sure that . This implies since and . It also follows that is of dimension 2.
Let be the submodule of containing all where is a divisor. Let be the submodule of generated by , , and the elements of . Let be the submodule of generated by 1 and the elements of .
If is a divisor such that , then for some divisor with and a divisor. Since , we have . Since , we have . So for , encodes 0 if and only if if and only if .
If is a divisor such that for some integer , then for some divisor with . Since , we have where . Since , we have .
Let and be respectively the cyclic groups generated by and , and with as the generator, we consider the trilinear map sending to .
Following the cryptographic literature, we write for an encoding of in for . For , is the point and is the point . In particular the encoding of in is deterministic for . In contrast the encoding in is probabilistic: for , is , given in the form of a program , where is a divisor such that . The length of description of is polynomially bounded in the length of the description of , and is constructed to be linearly equivalent to for some randomly chosen where and is a divisor (see § 2.3 for details).
Given , and such that , the trilinear map can be computed as where .
Suppose the RiemannRoch space defined by a divisor is efficiently constructible, and the pairing is efficiently computable. We will show in § 2 that under these assumptions the trilinear map is efficiently computable.
The cryptographic strength of the trilinear map is linked to the hardness of the discrete logarithm problem in the groups involved. The one group that needs special attention is . In the discrete logarithm problem for , given we are to determine such that .
In the cryptographic setting we assume that polynomially many instantiations of are known. From these encodings of 1 polynomially many divisors can be obtained. Note that for and , is an encoding of in .
To investigate the hardness of the discrete logarithm problem on , it will be useful to consider the following more general formulation of a discrete logarithm problem concerning the NéronSeveri group .
Fix a principal polarization determined by an ample divisor with . Let be the injective map determined by under which the class of an invertible sheaf associated to a Cartier divisor is mapped to . Let .
We use to denote the bitlength in specifying a number or an object, whereas denote the absolute value of a real number or the cardinality of a set. Thus is the bitlength of the description of , including the addition morphism . We assume that is effectively specified in the sense that given a point , can be computed from the description of in time polynomially bounded in and . We assume that and are polynomially bounded in when is fixed.
Suppose is a submodule of such that . Let be the submodule generated by 1 and the elements of . An element is presented as a program that on input a point of computes in time polynomially bounded in and . We assume that polynomially many can be randomly sampled where is polynomially bounded in (hence in when is fixed).
The discrete logarithm problem on is: given , to determine such that in .
In § 3 we consider various attacks on the discrete logarithm problem.
We show that if , then the discrete logarithm problem can be effectively solved. This is why in our construction the module contains , so at prime , , consequently .
We show that, if is generated by mutually commuting elements, then the discrete logarithm problem can be effectively solved. This is why we construct and in where and do not commute, and is of dimension 2.
We show that the discrete logarithm problem can be effectively solved if is contained in the center of the endomorphism algebra . The center of is isomorphic to a CM field , where is a Weil number associated the Frobenius endomorphism. We show that the injective map of into is efficiently computable, and with the injective map the discrete logarithm problem is reduced to straightforward linear algebra.
The running times of these attacks are polynomial under reasonable heuristic assumptions, most notably that the bitlength of the characteristic polynomial for an endomorphism
is likely polynomially bounded in .Our analysis shows that when can be generated by commuting elements or when is contained in the center of , the discrete logarithm problem is tractable because we can work with a commutative subalgebra which can be explicitly described. Therefore we choose to be nonordinary, so that is a noncommutative division algebra. Moreover , the image of in , should not be contained in the center of .
In summary there are two important features about the group .

Noncompatibility at : that whereas .

Noncommutativity of algebra structure: is not contained in the center of and can be generated by two elements in that do not commute.
Our construction leads to two interesting problems. If either problem can be solved efficiently for a simple nonordinary abelian variety then trilinear maps constructed from are not secure.
The first problem is, given such that , to construct an explicit description of the algebra , by which we mean a basis for
as a vector space over
with and expressed in the basis, and the multiplication table on the basis.We say that an endomorphism is effectively specified if for , can be computed in time polynomial in from the description of .
A basis , …, for a submodule of is effective if is effectively specified for , moreover for every with , is polynomially bounded in for all .
The second problem is to construct an effective basis for any submodule of containing , in particular can be or . It is an interesting question whether an effective basis for or exists and can be efficiently constructed.
These two problems have not been investigated in depth from an algorithmic perspective and appear to be quite challenging in general.
Fix as before a principal polarization and a corresponding injection from to . The map naturally extends to an injection where and . Through this map is identified with the subspace of whose elements are fixed by the Rosati involution defined by . As before let for divisors .
Let , a division algebra. Let be the center of , and let be the subfield of consisting of elements fixed by the Rosati involution. Let , , and
. Abelian varieties can be classified into four types according to these numerical invariants (
[7] p.202). Nonordinary abelian varieties are of Type II, III for IV, where .If is not Type III, then , and . In this case the image of a random element of in is most likely not in the center . Consequently when choosing and to form , it is very likely and are not in .
When is Type III, , , and . In this case , so . Therefore Type III abelian varieties are not adequate for our construction.
2. What can be efficiently computed
As before divisor will mean Cartier divisor, and since we are dealing with abelian varieties, we also think of them as Weil divisors.
For a divisor , let denote the invertible sheaf associated to . Let denote the function field of a variety . Then
, which we also denote as .
As a Weil divisor, a divisor can be presented as a finite sum of prime divisors where and is a prime of codimension 1. The length of , written , is where denotes the bit length of for , and is the length of the polynomials that define .
For , the bit length of , denoted , is proportional to where is the finite extension of over which is defined and the dimension of the ambient space in which the point is described. We can consider a constant if the dimension of is fixed.
We assume that a basis of can be computed in time polynomial in and the dimension of . This is a reasonable assumption when dimension of is fixed.
2.1. Computing
We discuss how the map can be efficiently computed. Assuming that the pairing can be efficiently computed (which is the case for example when is the Jacobian of a curve), then it will follow that the trilinear map described in the previous section can be computed efficiently.
Lemma 2.1.
Suppose is an effective divisor such that is an isomorphism. Then the only effective divisor linearly equivalent to is itself.
Proof Since is effective, , and since is an isomorphism, it follows from Proposition 9.1 of [5] that is ample. Since is an isomorphism, , and it follows from Theorem 13.3 [5] that . Since is effective, this implies contains only constant functions. Therefore the only effective divisor linearly equivalent to is itself.
Lemma 2.2.
Given a divisor and a point , can be computed in expected time polynomial in , and .
Proof For divisors and , . Therefore . Hence if where is a prime divisor, then .
Therefore we may assume is a prime divisor. Observe that if and only if if and only if if and only if .
Compute some , and let . Then , from Lemma 2.1 we conclude that . The running time for computing is polynomial in , and . Note also that , and are defined over if .
From we can determine as follows. Sample a random finite set . Then for all . Solve for such that for all . This amounts to solving a polynomial system. Note that implies . Hence . When is large enough the intersection is likely of dimension zero, hence the polynomial system describing is likely of dimension zero, and can be solved efficiently when the number of variables is bounded. One of the solutions for is , and the correct can be tested by randomly choosing and check if .
We remark that when is the Jacobian variety of a curve , the problem can be solved even more efficiently, by reducing to constructing functions in the RiemannRoch space of some divisor on .
We assume that has length polynomially bounded. A divisor that is constructed in polynomial time also has length of description polynomially bounded. It follows from Lemma 2.2 that is effectively specified. Assuming is efficiently computable, then the trilinear map can be computed in expected time polynomially bounded in , and .
2.2. Computing the characteristic polynomial of an endomorphism
Suppose is presented as a program that on input a point of computes in time polynomially bounded in and . Let be the characteristic polynomial of . Then is of degree , where . To determine it is sufficient by Chinese Remainder Theorem to determine for sufficiently many small primes with product greater than the maximum absolute value of the coefficients of . So after obtaining for many , we have a candidate polynomial for the characteristic polynomial of . We can check if by applying at a randomly chosen point and see if we get the zero point.
To determine we first determine as a map on the dimensional linear space , by constructing a basis for and explicitly determining in terms of the basis. This takes expected time polynomial in and . Then the characteristic polynomial of can be computed, hence .
Therefore we have the following
Lemma 2.3.

For prime not equal to the characteristic of , the map can be explicitly described in terms of a basis of in expected time polynomial in and .

The characteristic polynomial of can be constructed in expected time polynomial in and .
Recall that in forming we need to compute the characteristic polynomial of for randomly chosen divisor . By Lemma 2.2 is effectively specified. We make the heuristic assumption that for random it is likely that the characteristic polynomial has length polynomially bounded in , in which case can be constructed in expected time polynomial in .
2.3. Constructing a random representative of a divisor class
Suppose is an effective divisor. Since is simple, if is not ample then , so . This can be tested by choosing a random and check if .
Now suppose is an effective ample divisor, and , we discuss how we can construct a random looking such that is polynomial in .
Since is effective, . Since is ample, by Theorem 13.3 [5] it follows that , and . So the space of divisors linearly equivalent to has dimension , when .
Choose small constant greater than 1, so that for . Choose a random and a random . Let and . Then and is polynomially bounded in .
In our construction if a divisor is chosen in the form , we construct a random looking divisor linearly equivalent to to encode the class of .
we can apply the above procedure to , , and respectively to construct , , and . Then is linearly equivalent to , so .
If is given in the form where is a prime divisor, we may apply the above procedure to each that is ample to construct some . Then is linear equivalent to . The same process can be applied to again, and by repeating this process sufficiently many times, we can construct a divisor where the sum involves many, though polynomially bounded in number, prime divisors . We have . Each has a program of length polynomially bounded in by Lemma 2.2. The program for can be specified in length , which is polynomially bounded in , hence in .
We have seen by virtue of Lemma 2.2 that the map is efficiently computable. An interesting question is whether the inverse is efficient to compute as well. That is, given , can we construct efficiently a divisor such that ? In light of the discussion in the next subsection, an affirmative answer would reduce the discrete logarithm problem that concerns us to intersection product. The answer is in the affirmative when is commutative, and this will follow from Lemma 3.1. However the situation in the noncommutative case is far from being clear.
2.4. Linear algebra on reduces to intersection product
The reason why the discrete logarithm problem involving is specified in terms of elements in is because linear algebra in and can be reduced to intersection product of divisors. More specifically to determine a linear relation in between a divisor and a finite set of divisors , …, , we want to solve for such that is algebraically equivalent to modulo . Let . Observe that for a divisor , the algebraic equivalence implies . Therefore by computing the intersection products and , for , we get a linear relation . With sufficiently many linear relations we can determine . Therefore if the discrete logarithm problem is specified in terms of divisors then the problem can be reduced to computing intersection products. If is fixed, then intersection products on can in principle be reduced to counting solutions of polynomial systems in bounded number of variables.
3. The discrete logarithm problem involving
We discuss various attacks on the underlying discrete logarithm problem concerning the NéronSeveri group. Let us recall the general setup of this problem.
Let be a principally polarized abelian variety defined over a finite field . Fix a principal polarization determined by an ample divisor with , and consider the injection of to determined by , such that the class of an invertible sheaf , where is a divisor, is mapped to .
Suppose is a submodule of such that . Let be the submodule generated by 1 and the elements of . We do not assume that is explicitly given, however polynomially many elements of can be randomly sampled.
The discrete logarithm problem on is: given , to determine such that in .
3.1. The case
Given , we want to determine such that with and . To determine it is sufficient to determine for sufficiently many small primes .
We may assume that we have sampled enough elements of that they generate as a vector space over . By Lemma 2.3 we can determine for each sampled element the action of on a basis of in time polynomial in . Therefore we can construct a basis , …, of in time polynomial in .
For all ,…, , we can check if by acting on or a basis of . Once the equality is verified we know that . The amount of time required is polynomial in .
In constructing our trilinear map we make sure that for , , in other words, and are indistinguishable mod . This is accomplished by including in .
3.2. The case is of dimension no greater than one
Since is a (homogeneous) polynomial function of degree on ([5] Proposition 12.4), it follows that for , moreover if and , then . Hence the discretelog problem in the case is reduced to degree computation. In particular if then . Determine the characteristic polynomials of . From the constant terms of the polynomials we get . Then can be determined.
3.2.1. is of dimension 1
In the discrete logarithm problem we have polynomially many samples of elements in . Pick one such that , which can be checked by choosing a random and verify that .
Given we want to find such that where .
Since and is a commutative field, every root of the characteristic polynomial of is of the form where is a root of the characteristic polynomial of . The characteristic polynomial of is where is the characteristic polynomial of .
Compute the characteristic polynomial of . Then , where and are known and are unknown. Comparison of each coefficient gives rise to a polynomial equation in and over . Solving the system of polynomial equations we can determine and up to a finite number of choices. Then determine the correct one by acting on a random point of .
3.3. The case is generated by at least two elements
The line of attack described below can be easily generalized, however for simplicity, we illustrate the ideas with the case where is generated by two elements. So from the random samples of elements of pick two, and , then it is likely that they generate . Therefore the discrete logarithm problem can be described as follows: given , to find such that where .
By an explicit description of the algebra we mean a basis over as vector space with and expressed in terms of the basis, and the multiplication table on the basis elements.
If and commute, then is a commutative field of extension degree dividing . Let and be respectively the irreducible polynomials of and . An explicit description of the algebra can be obtained from and as follows. Factor over . Find the irreducible factor of such that , by choosing random points on the variety and checking if . The field is of extension degree over , with , , as a basis of over . The multiplication table on this basis can be written using and .
Then we can express the action of on the basis with the help of the multiplication table and from that determine the characteristic polynomial of acting on , with coefficients being polynomials in . This polynomial, if the degree is , or a suitable power of this polynomial, is the characteristic polynomial of as an element of . Then from and by comparing the coefficients of the characteristic polynomials of and , we obtain a system of polynomials in , from that we can determine as before.
However, if , we run into difficulty if we try to mount the same line of attack. In this case as a subalgebra of is not commutative and it is not clear whether one can efficiently determine the structure of explicitly. This is why in our trilinear map the dimension of is generated by two elements that do not commute.
Below we give a reduction from the discrete logarithm problem to further clarify how the security of our trilinear map depends on the hardness of constructing an explicit description of the subalgebra generated by two noncommuting elements.
From the random samples of elements in pick two, and , then it is likely that they generate . Therefore the discrete logarithm problem can be described as follows: given , to find such that where .
Suppose we are given a basis of with and expressed in the basis, as well as the multiplication table on the basis. We want to determine such that . As before we can express the action of on the basis with the help of the multiplication table and from that determine the characteristic polynomial of acting on , with coefficients being polynomials in . Let denote the irreducible polynomial of . Let denote the characteristic polynomial of as an element of .
Let denote the degree of a polynomial . Then , and . We have , for some polynomials and . For each choice of , we set up a polynomial system as follows. Treat , and as unknown polynomials. We have unknown including and the unknown coefficients of , and .
Let be the characteristic polynomial of , which is of degree . From and , by comparing coefficients, we derive many polynomial equations. If then . There are at least as many polynomial equations as the number of unknown variables, so we expect on heuristic ground to have finitely many solutions. For each solution we check if by acting on a random point in .
3.4. The case is contained in the center of
Let denote the center of . Then there is an isomorphism
Comments
There are no comments yet.