key: cord-0529586-5m98lu3i
authors: Voloch, Jose Felipe
title: Commitment Schemes and Diophantine Equations
date: 2020-06-07
journal: nan
DOI: nan
sha: 2ef589c45fe5be7a23eb98eb7f1850073f8ee527
doc_id: 529586
cord_uid: 5m98lu3i

Motivated by questions in cryptography, we look for diophantine equations that are hard to solve but for which determining the number of solutions is easy.

Solving a diophantine equation is typically hard but, given a point, it is typically easy to find a variety containing that point. This is an example of a "one-way function" with potential applications to cryptography. Our current (lack of) knowledge suggests that such a function is possibly quantum resistant and, therefore, cryptosystems based on these could be used for post-quantum cryptography [BL17] .

An encryption system based on this principle was proposed by Akiyama and Goto [AG06, AG08] , then broken by Ivanov and the author [IV09] . It was then fixed, broken again, fixed again,... Current status unclear.

The purpose of a commitment scheme is for a user to commit to a message without revealing it (e.g. vote, auction bid) by making public a value obtained from the message in such a way that one can check, after the message is revealed, that the public value confirms the message.

Using such diophantine one-way functions for commitment schemes was proposed by Boneh and Corrigan-Gibbs [BCG14] . They also suggested to work modulo an RSA modulus N. This could conceivably weaken the system. It will definitely no longer be quantum resistant. Some partial attacks on this particular system are presented in [ZW17] .

Here is the general format of a diophantine commitment scheme. Encode a message as point P over some field F . Make public a variety V /F with P ∈ V , with V taken from some fixed family of varieties. To check the commitment, one verifies that P satisfies the equations of V . We need the following conditions to be satisfied for this to work:

• Given P , it is easy to construct V .

• Given V , it is hard to find V (F ) (hence P ).

• Given V (and perhaps P ), it is easy to verify that #V (F ) = 1. The last condition is important to prevent cheating. It proves that P was indeed the committed message. In general, a commitment scheme consists of two algorithms Commit(m,r), Reveal(m,r,c). The first takes as input a message m and a random string r to produce an output c, which is then made public. The second takes as input m,r,c as before and outputs yes or no, depending on whether c is the correct output of Commit(m,r). The randomness is needed, e.g., if the list of possible messages is small enough that it can be brute force searched. See [BCG14, Section 4.1] for a more precise definition of a commitment scheme and some discussion.

These commitment schemes are similar in spirit to the class of multivariate polynomial cryptosystems. In analogy to what is done there, it is conceivable to have encryption by selecting a subset of varieties V /F such that V (F ) can be easily found but that V can be disguised as a general member of the collection of varieties. We do not address the interesting problem of doing this for schemes we consider.

Answering a question of Friedman, Poonen [Poo10] proved:

Boneh and Corrigan-Gibbs [BCG14] then use the following construction from such a function. For P = (a, b), take V : f (x, y) = f (a, b) to get a commitment scheme fitting the general setting of section 1. Unfortunately, Poonen's proof, besides being conditional on a conjecture, is also non-constructive! Zagier suggested f (x, y) = x 7 + 3y 7 as a polynomial defining an injective function. But we don't have a proof. With exponent 13 instead of 7, the abcd conjecture implies that this function essentially injective.

Question 2.2. Is solving x 7 + 3y 7 = k over Q hard?

Pasten [Pas20] proved that there exists an affine surface S of the form U × U with S(Q) Zariski-dense in S and a morphism S → A 1 inducing an injection S(Q) → Q. But, S(Q) is too sparse to be cryptographically useful.

Cornelissen [Cor99] , using that the abcd conjecture is true for function fields of characteristic 0, noted that x m + ty m is injective in k(t), chark = 0 for m large. My guess is that the answer is no. He also noted that x p + ty p is injective in k(t), chark = p. But solving x p + ty p = k is easy.

The following was noted in [SV20] , with the proof being an extension of [Vol85] (see also [Wan99] for a related result without a hypothesis on the degree of the morphism):

Theorem 2.4. Let K be a function field of a curve C of genus g with field of constants F of characteristic p > 0 and let S be a finite set of places of K. If u 1 , . . . , u t are S-units of K, linearly independent over F , such that the degree of the morphism (u 1 : · · · : u t ) : C → P t−1 is less than p and satisfy u 1 + · · · + u t = 1 then

The above result implies the injectivity of x 13 + ty 13 in the set of pairs of elements of k(t) − k of degree at most p/13 if 13 ∤ p(p − 1). This is enough for the application to commitment schemes by taking a sufficiently large finite field k and considering the function x 13 + ty 13 restricted to the above set where the function is injective.

But the function is not injective in the whole of k(t). Indeed, if x 13 + ty 13 = k, q = p 12 , then (x q /k (q−1)/13 ) 13 + t(t (q−1)/13 y q /k (q−1)/13 ) 13 = k

The cryptosystem of Akiyama and Goto [AG06, AG08] actually uses curves on surfaces over finite fields. We now consider the use of rational curves on surfaces in P 3 over a finite field for commitment schemes.

We start with a rational curve P parametrized by (f 0 : f 1 : f 2 : f 3 ) in P 3 over a finite field F q , where the f i 's are polynomials of degree at most m (i.e a point in P 3 over F q (t)). Such a curve will include the message and randomness and our commitment will be a smooth surface S/F q of degree d containing P . This is a bit different from previous schemes as the surface is constant (i.e. independent of t). If S is given by an homogeneous equation F = 0, the condition that P ⊂ S is simply F (f 0 , f 1 , f 2 , f 3 ) = 0 which can be viewed as a system of linear equation on the coefficients of F , once the f i are given. There are d+3 3 coefficients and dm + 1 equations. One has solutions to the system as soon as there are more coefficients than equations but these are not guaranteed to be smooth. Poonen [Poo08] has proved that, for d large, a positive proportion of those solutions do indeed give smooth surfaces. One expects in practice that, as long as the finite field is big enough, there will be plenty of smooth surfaces.

To guarantee uniqueness of the curve P inside S, we prove the following result. 

. This vanishes precisely when δ = −(2 + (d − 4)m), 2m 2 /d + (2 + (d − 4)m). The first value is negative so cannot be D 1 D 2 and the second value is bigger than m 2 by our hypothesis but D 1 D 2 ≤ m 2 by Bézout's theorem so cannot be D 1 D 2 either.

To apply the theorem, we need to know that the Picard number of S is at most two. For a given surface, this can be done using the algorithm of [Cos15] , for example. This algorithm computes the L-function of S and the Picard number of S is the multiplicity of q as a root of the L-function, conditional on the Tate conjecture. However, the surfaces we construct will have Picard number at least two and a theorem of Tate shows that the multiplicity of q as a root of the L-function is an upper bound for the Picard number. So, if this multiplicity is two, it is verified that the Picard number is two. There is a parity condition coming from the functional equation for L-functions which implies that this will not work if d is odd. It is reasonable to expect that a sizable proportion of such surfaces have Picard number two if d is even, but this is not currently known and is worthy of further investigation.

In sum, our commitment scheme is as follows, with a finite field F q and integers m, d selected a priori.

(1) Encode a message as well as some randomness within

(3) Check whether the surface defined by F = 0 is smooth and has Picard number two.

If so, publish F as the commitment. If not, pick a different F in step (2). For an explicit example, consider m = 3, d = 6. For a sextic surface to contain a given twisted cubic, one needs to satisfy a system of 19 equations in 84 variables and, hopefully, many of those will give rise to smooth surfaces with Picard number two. The space of available messages depends on 16 variables.

One can also use m = 3, d = 4. The inequality in the theorem is not satisfied but the second value for δ is 13/2, which is not an integer so cannot be D 1 D 2 and the result holds. In this case, we have a system of 13 equations in 35 variables for the coefficients of the surface and again, the space of available messages depends on 16 variables.

The expansion from 16 variables to 84 (or 35) from the message to the commitment is potentially wasteful and it is worth investigating whether a priori setting many of these variables to zero will still allow enough variability so that step (3) above succeeds. Another issue worth studying is the choice of q. In some ways, small q is better for computations. But if a very small value of q, such as q = 2 is chosen, then m = 3 is too small, as it allows brute force searching for the rational curve.

Given a surface, to find a rational curve inside it, one can either do a brute force search on the coefficients of the parametrization, or set up a system of equations for these coefficients and try to solve it, e.g, using Gröbner bases. Neither option seem particularly efficient.

Neither option also appears to be much improved by the use of quantum computers. There are general algorithms in the literature (e.g. [PTvL15] ) that compute the Néron-Severi group of a variety but these make no claim of practicality.

A Public-key Cryptosystem using Algebraic Surfaces

An improvement of the algebraic surface public-key cryptosystem

Post-quantum cryptography

Bivariate Polynomials Modulo Composites and Their Applications

Stockage diophantien et hypothèse abc généralisée

Effective computations of Hasse-Weil zeta functions

Breaking the Akiyama-Goto cryptosystem, Arithmetic, geometry, cryptography and coding theory

Bivariate polynomial injections and elliptic curves

Smooth hypersurface sections containing a given subscheme over a finite field

Multivariable polynomial injections on rational numbers

Computing Néron-Severi groups and cycle class groups

Value sets of sparse polynomials

Diagonal equations over function fields

A note on Wronskians and the ABC theorem in function fields of prime characteristic

Partial Bits Exposure Attacks on a New Commitment Scheme Based on the Zagier Polynomial, Information Security and Cryptology

New Zealand E-mail address: felipe.voloch@canterbury.ac

This work was supported by MBIE. I would also like to thank Steven Galbraith for suggesting that I look into commitment schemes and for helpful comments as well as Edgar Costa and Bjorn Poonen for suggestions.