Trusted Setup with Isogeny-based Cryptography

Trusted parties are fundamental in seting up secure communication among parties. For instance, a trusted setup is needed when establishing a trusted relationship between users and certain public information in a public-key infrastructure (PKI) for public-key encryption and signature schemes.

The risk with placing trust on a third party can be seen when they misbehave, causing the security of the scheme to be compromised. For example, if the trusted certificate authority of a PKI is corrupted and issues certificates for users without verifying their identities, there is no longer a guarantee on the privacy and authenticity of the communication.

For the full blogpost, click here.

-M x

Post Quantum Cryptography – The Basics

Post-quantum cryptography aims to find schemes that can withstand an attack from a quantum computer. This is becoming an increasingly important field of research as the development of quantum computers intensifies and current cryptography schemes relying on the difficulty of factorisation can be broken in polynomial time by these quantum computers. So, researchers have tried to find other ‘hard’ problems in mathematics (take exponential time to solve) that can be exploited to create classical crypto schemes that withstand attack of quantum computers (at least for now).

In general post-quantum schemes require more resources compared to traditional cryptography, in particular Elliptic Curve cryptography; security against quantum computer attacks come at a cost. There are four different families of post-quantum schemes that are considered to be the best candidates, and in this blog post I will briefly discuss each of them.

Code-Based Cryptography

Traditionally, error-correction codes are used to detect and correct bit errors when messages are transmitted over an unreliable channel. The code can be chosen to fulfil the requirements of the channel; in particular the number t of correctable bit errors can be determined.

Decoding arbitrary codes is computationally hard and can be infeasible depending on the code parameters. However, there are specific codes for which efficient decoding algorithms are known. So in practice only such codes are used that have efficient decoding algorithms.

The main security assumption of code-based cryptography is the difficulty of decoding a random linear code. Even with quantum computers, only exponential-time algorithms are known.

The first code-based public key crypto system was proposed by McEliece in 1978 and has not been fundamentally broken since, however the main problem with this is the size of the keys: it requires key sizes of about 4MB in order to achieve post-quantum security. Niederreiter introduced a scheme that gave some improvements to the encryption and decryption cost and required smaller keys.

There have been many attempts to reduce key sizes by using different codes that have some redundant structure in the public key. But this structure has led to efficient classical attacks on the crypto-systems. 

There are also signature schemes, hash functions and random number generators based on code-based cryptography. 

Lattice-Based Cryptography

The underlying ‘hard’ problem is the shortest vector problem (SVP): a basis of a vector space V and a norm N are given for a lattice L and one must find the shortest non-zero vector in V, as measured by N, in L. It is believed that the SVP is computationally hard even for quantum computers.

NTRUEncrypt is a commercial public key encryption scheme based on lattices. Public key sizes of about 1.5kB to 2kB are required in order to achieve the desired security. Note that these are the requirements based on the algorithms that have (up to today) been developed to solve the SVP. These restrictions are called ‘parameters’.

Closely related is the signature scheme NTRUSign. However, the security of this is not yet well understood and so there are no recommendations for these signature schemes for post-quantum security.

There are also key exchange protocols that are built on lattice-based cryptography, such as NewHope that has been experimentally adopted by Google. NewHope is not symmetric and needs two rounds of agreement (unlike the Diffie-Hellman Key Exchange). Also, it does not include authentication, so this needs to be achieved by other means.

By switching to post-quantum key exchange now, an attacker in the future does not learn encryption kets even if he breaks long-term authentication keys. Therefore, combining a post-quantum key exchange with a classical authentication scheme provides a cost effective long-term secure authenticated key exchange for the interim period until all cryptographic primitives have been transitioned to post-quantum secure schemes.

Hash-based Cryptography

Hash functions are one-way functions tha tmap bit strings of an arbitrary length to relatively short, fixed length bit strings called hash values. There are three required properties:

  • Pre-image resistance: must be hard to compute a pre-image of a hash value i.e. a bit string that once hashed results in a given hash value.
  • Second pre-image resistance: given a bit string, it must be hard to find a different bit string that has the same hash value.
  • Collision resistance: it must be hard to find two arbitrary bit strings that have the same hash value.

Since by definition it is not computationally feasible to compute the inverse of a hash function it is not known how to construct public-key encryption schemes using hash functions. However, it is possible to construct signature schemes, where in general the required signature size increases if more signatures for the same public key are needed.

Hash-based signature schemes have been around for a long time and so the estimates of the required parameters to achieve post-quantum security are very reliable.

Multivariate Cryptography

This is based on the difficulty of the MQ-problem: solving multivariate quadratic systems of equations over finite fields is NP hard (no efficient algorithm for solving random multivariate polynomial systems). The difficulty depends on the size of the underlying field, the number of variables and the degree of the system. If the number of equations and variables is sufficiently large then even quadratic equations over a the field with two elements are hard to solve.

For constructing an asymmetric public-key scheme, the public-key itself is a set of multivariate quadratic polynomial and the private key often is the knowledge of a trapdoor that allows to efficiently solve the multivariate system. The construction of the scheme allows the use of systems with more variables than equations, so there may be more that one solution. Any of these solutions is a valid signature.

The confidence in multivariate systems is quite high however a relatively large public key is required. Attempts to reduce key sizes by using few variables over larger fields, but the security of such systems is not well understood. The second approach is to use sparse systems in order to compress the public key, but this often leads to a loss in security. 

For public key encryption, we need the resulting equation system to only have one solution and so we must have an over-defined system i.e. the public key must have more polynomials than variables. Currently there are not many multivariate public-key encryption schemes that are considered secure. 

Multivariate cryptography can also be used for pseudo random-number generators, cryptographic hash functions and symmetric encryption, e.g. the symmetric block gopher QUAD.

What about Elliptic-Curve Cryptography?

I have talked about elliptic curve cryptography in previous blog posts, so why isn’t this mentioned?

Due to the novelty of these cryptographic schemes there is not great confidence in them yet. So they are not currently consensually considered as candidates for post-quantum public-key encryption. 


This is the first installation in my series about post-quantum cryptography. Anything you want me to talk about in particular? M x

Elliptic Curves: The Basics

Working over the rationals (or more precisely any field with characteristic 0) an elliptic curve is a curve given the equation

such that the discriminant, which is 4A3 + 27B2, is non-zero. Equivalently, the polynomial on the right hand side has distinct roots, ensuring that the curve is non-singular. Though we restrict our attention to these non-singular curves we note that if the right hand side is a cubic polynomial, there are only two types of singular curves, corresponding to whether there is a double root (node) or triple root (cusp).

Source: Wolfram Mathworld

Point at Infinity

The point at infinity is an important point that always lies on an elliptic curve. For those who have studied algebraic geometry this is a familiar concept and comes from defining a projective closure of the equation defining the elliptic curve. However, informally it can be described as an idealised limiting point at the ‘end’ of each line.

If you imagine a vertical straight line, which intersects the elliptic curve at most two times.

The point at infinity is the point at which the two ends of this vertical line ‘meet’.

The reason that elliptic curves are amazing objects is because we can use geometry to make the points on the curve a group. Therefore we can use tools from algebraic number theory to study them.

Making Points on an Elliptic Curve into a Group

This is done using the chord and tangent process:

We denote the point at infinity on an elliptic curve E over Q as OE. E meets each line in 3 points, counted with multiplicity. Given two points on E, say P and Q, let R be the third point of intersection of PQ and E. Then P ⊕ Q is the third point of intersection of OER (vertical line through R) and E.

Source: jeremykun.com

If P = Q we take the tangent at P instead of the line PQ.

Then E with the group law on points defined above, denoted by (E, ⊕), is an abelian group:

  • The fact that is abelian is clear by construction
  • Identity: OE – this is why the point at infinity is such an important point and exists on all elliptic curves.
  • Inverses: Given a point P, let S be the point of intersection of the tangent at OE and E. Then let Q be the intersection of PS and E. Then the inverse of P is defined to be Q. Note that if OE is a point of inflection (point of multiplicity 3) then S = OE in the above.
  • Associativity: This is much harder to prove. It can be done by identifying (E, ⊕) with a subgroup of the Picard Group, which related to something called divisors.

Divisors are a tool for keeping track of poles and zeroes. For example, suppose a function g has a zero at a point P of order 3, and a pole at another point Q of order 2, and a pole at O of order 1 (note the number of zeroes and poles are equal, as they must be for a function). Then using divisors, we can say all this concisely as follows:

div g=3P−2Q−O

More precisely, we can define a divisor D to be a ‘formal sum’ of points on E (meaning that we write a sum of points using a + symbol but no actual operation is defined), say

Then the degree of a divisor is the sum of the coefficients.

This set of divisors forms a group, Div(E), generated by the points on E. Immediately we can identify a subgroup of Div(E), namely the divisors of degree zero denoted Div0(E).

We can also define an equivalence relation ~ on divisors: D1, D2 ∈ Div(E) are linearly equivalent, written D1 ~ D2, if exists an f such that div(f) = D1 – D2.

We can now introduce the Picard Group. It is a subgroup of Div(E), defined by quotienting out by this equivalence relation

A subgroup of the Picard group is given by

We’re now ready to go back to talking about elliptic curves. The point of this discussion is that we know (Pic0(E), +) is a group which has the associative property. Furthermore, we can show that we have a bijection between (E, ⊕) and (Pic0(E), +) that preserves the group structure i.e. we have an isomorphism of groups. So, using this isomorphism we can identify the two groups and deduce that (E, ⊕) is also associative.

Consequence

Say we started looking at points defined over Q (denoted by E(Q)). A natural question is to ask how we know that the addition or inverses of these points remains in Q?

We defined the group law by looking at the intersections of lines and curves. So, working through the algebra, we can get explicit equations for the addition of points and inverses. For example if we have an elliptic curve E over Q and a point P = (x,y) in E(Q), then -P = (x, -y).

These explicit equations are useful because they tell us that the points do indeed remain defined over Q. More precisely, we find that (E(Q), ⊕) is a subgroup of (E, ⊕):

  • The identity OE is in E(Q) by definition
  • (E(Q), ⊕) is closed under addition and has inverses by the explicit formulae
  • Associativity and commutativity is inherited from (E, ⊕).

Note: This in fact holds for any field K, not just Q, but we must be a bit more careful, as the elliptic curve may not be expressible in the nice form y2 = x3 + Ax + B so the formulae are a bit messier. The reason why this is important is that we often want to consider elliptic curves over finite fields, something I will explore in future posts.

M x

4: An Example

In this blog post I will show you how you can use the tools developed in parts 1, 2 and 3 to solve a problem in number theory.

Determine all the integer solutions of the equations x2 − 3y2 = m for m = −1 and 13.

Noting that x2 − 3y2 = (x – √3y)(x + √3), first we find the fundamental unit, e = a + b√3, of the number field Q(√3):

For b = 1, 3b2 + 1 = 4 = 2and so a = 2. Hence the fundamental unit is e = 2 +√3.

First we note that the norm of an element in Q(√d) is:

N(a + b√d) = a2 − db2

We will use the following three facts:

  1. N(x + √3y) = x2 − 3y2 = m.
  2. If we have a unit u, then N(a) = N(ua) for some a in Q(√d), as N(u) = 1 and N(ua) = N(u)N(a) (i.e. norm is multiplicative).
  3. In the last post, we saw how the units in the ring of algebraic integers of L is of the form:

Screenshot 2019-10-13 at 10.01.15 PM.png

Thus, multiplying x + √3y by a unit is equal to multiplying x + √3y by a power of the fundamental unit e.

So how do we solve this equation? First, by fact 1 we have to do find the element of Q(√3) that has norm +m or -m (there will be one such element for each, up to multiplication by a unit). Using fact 1 and 2, we deduce all the solutions to the equation are given by (x, y) such that:

  • N(e) = – 1, N(x + √3y) = -m: en(x + √3y) for n a natural number.
  • N(e) = – 1, N(x + √3y) = m: e2n(x + √3y) for n a natural number.
  • N(e) = 1, N(x + √3y) = m: en(x + √3y) for n a natural number.

m = -1

Noting that for any element a,|N(a)| = 1 if and only if a is a unit. Hence as the solutions are given by (x, y) where N(x + √3y) = -1, we must have that x + √3y is a unit. But,

Screenshot 2019-10-13 at 10.01.15 PM.pngso all units have norm 1, and thus there are NO integer solutions to this equation.

 m = 13

We need to find (x, y) such that N(x + √3y) = x2 − 3y2 = 13 (because N(e) = 1).

  • When y = 1, x2 = 14, so x is not an integer.
  • When y = 2, x2 = 25, so x = 5.

Hence we get that all solutions are of the form:

en(5 + 2√3), for n a natural number and e = 2 +√3, fundamental unit


This is the last post of this series! Next I’ll be delving into Galois Theory. M x

 

3: Dirichlet’s Unit Theorem

Last time, I discussed Dedekind’s Criterion. In this post I aim to introduce Dirichlet’s Unit Theorem.

Let L be a number field (finite extension of the field of rational numbers).

We will define a complex embedding of L as being a field homomorphism:

Screenshot 2019-10-12 at 6.49.21 PM.png

Then a real embedding of L  is similarly defined as being a field homomorphism:

Screenshot 2019-10-12 at 6.49.57 PM.png

We note that the complex embeddings can be given in pairs:

Screenshot 2019-10-12 at 6.51.38 PM.png

where we obtain one embedding by taking the complex conjugate of the other embedding in the pair.

Hence, given a number field L, we can label its real embeddings as

Screenshot 2019-10-12 at 6.57.45 PM.png

and its complex embeddings as

Screenshot 2019-10-12 at 6.58.36 PM.png

Noting that the degree, n, of the field extension L/Q (where Q is the field of rational numbers) is equal to the total number of embeddings and hence we deduce that n = 2s + r. The fact that there is this equivalence is non-trivial, so don’t worry if you don’t immediately see why this is! In order to prove this we must use tools from Galois Theory, such as something called the ‘Tower Law’, and therefore I will emit the proof from this blog post.


Let me know if you’re interested in seeing Galois Theory related posts in the future!


Letting Screenshot 2019-10-12 at 7.01.18 PM.png be the units in the ring of algebraic integers of L we are now ready to state Dirichlet’s Unit Theorem.

Dirichlet’s Unit Theorem

Screenshot 2019-10-12 at 7.04.57 PM.png

The proof of this is rather complicated and involves defining a map, whose kernel is this finite cyclic group, which takes Screenshot 2019-10-12 at 7.01.18 PM.png into a lattice. Considering lattices are involved in the proof, you can start to see where the isomorphism with the integers comes from.

Why is this useful?

Take the case where r = 0 and s = 1, i.e. L is an imaginary quadratic number field:

Screenshot 2019-10-12 at 7.11.23 PM.png

As r + s – 1 = 0, we get that Screenshot 2019-10-12 at 7.01.18 PM.png is a finite group. By explicitly defining the isomorphism we can deduce that the finite cyclic group is simply {+/- 1}, and Screenshot 2019-10-12 at 7.01.18 PM.png is generated by one element – the fundamental unit, i.e.

Screenshot 2019-10-12 at 7.17.07 PM.png

I’ve purposefully skipped a lot of the details as what is important is the result. The proof requires a bit of magic and is not terribly enlightening. However, the result is extremely important – using this, for the case of imaginary quadratic fields, we can completely specify Screenshot 2019-10-12 at 7.01.18 PM.png, provided we find the fundamental unit.

Finding the Fundamental Unit

It turns out that finding the fundamental unit in this case is extremely straightforwards. There are various different cases.

  • If d = 2, 3 (mod 4) we characterise the fundamental unit u in the following way: let b be the least positive integer such that db2 + 1 or db2 – 1 is of the form a2 for some natural number a. Then:

Screenshot 2019-10-12 at 7.25.39 PM.png

  • If d = 1 (mod 4) and d is not equal to 5: let b be the least positive integer such that db2 + 4 or db2 – 4 is of the form a2 for some natural number a. Then:

Screenshot 2019-10-12 at 7.27.40 PM.png

  • If d = 5: 

Screenshot 2019-10-12 at 7.28.33 PM.png

(If you would like the proof as to WHY this is true, leave me a comment below and I’ll be happy to make a post!)

Example: d = 2

Then 𝑏 = 1 works since 2 − 1 = 1so 1 + √2 is a fundamental unit.


In order to get a lot of the symbols I had to LaTex some of the sections so sorry if the formatting is a little off! Next time we will start solving some equations using algebra!

M x

1: Unique Factorisation of Ideals

The next few posts will be me detailing some interesting results in the area of Maths that I hope to specialise in: Algebraic Number Theory. The first result will be the unique prime factorisation of ideals. But first, what is an ideal?

Ideals

If you’re not familiar with the definition of a ring click here, as we’ll need this for the following discussion.

An ideal, I, is a subset of a ring R if :

  • It is closed under addition and has additive inverses (i.e. it is an additive subgroup of (R, +. 0);
  • If aI and bR, then a · bI.

I is a proper ideal if does not equal R.

Ring of Integers

In order to prove the result, I need to introduce the concept of number fields and the ring of integers. A number field is a finite field extension over the rationals.

Field Extension: a field extension F of a field E  (written F/E) is such that the operations of E are those of restricted to E, i.e. is a subfield of F.

Given such a field extension, F is a vector space over E, and the dimension of this vector space is called the degree of the extension. If this degree is finite, we have a finite field extension.

So if is a number field, E would be the rationals.

Suppose is a number field. An algebraic integer is simply a fancy name for an element of F such that there exists a polynomial f with integer coefficients, which is monic (the coefficient of the largest power of x is 1), such that f(a) = 0.

The algebraic integers in a number field F form a ring, called the ring of integers, which we denote as OF. It turns out that the ring of integers is very important in the study of number fields.

Prime Ideals

If P is a prime ideal in a ring R, then for all x, y in R, if xyP, then x ∈ P or y ∈ P. As OF is a ring we can consider prime ideals in OF.

Division = Containment

We want to try and deal with ideals in the same way we deal with numbers, as ideals are easier to deal with (ideals are a sort of abstraction of the concept of numbers). After formalising what it means to be an ideal and proving certain properties of ideals, we can prove that given two ideals I and J, I dividing (written I|J) is equivalent to J containing I.

Three Key Results

Now, there are three results that we will need in order to prove the prime factorisation of ideals that I will simply state:

  1. All prime ideals P in Oare maximal (in other words, there are no other ideals contained between P and R). Furthermore, the converse also holds: all maximal ideals in OF are prime.
  2. Analogously to numbers (elements of a number field F), if I, J are ideals in Owith J|I, there exists an ideal contained in I, such that I = JK.
  3. For prime ideal P, and ideals I,J of  OF , PIJ implies PI or PJ.

Main Theorem

Theorem: Let I be a non-zero ideal in OF . Then I can be written uniquely as a product of prime ideals.

Proof:  There are two things we have to prove: the existence of such a factorisation and then its uniqueness.

Existence: If is prime then we are done, so suppose it isn’t. Then it is not maximal (by 1) so there is some ideal J, properly contained in I. So J|I, so (by 2) there is an ideal K, contained in I, such that I = JK. We can continue factoring this way and this must stop eventually (for the curious, I make the technical note that this must stop as we have an infinite chain of strictly ascending ideals, and OF is Noetherian).

Uniqueness: If P1 · · · Pr = Q1 · · · Qs, with Pi , Qj prime, then we know P1 | Q1 · · · Qs, which implies P1 | Qi for some i (by 3), and without loss of generality i = 1. So Q1 is contained in P1. But Q1 is prime and hence maximal (by 1). So P1 = Q1. Simplifying we get P2 · · · Pr = Q2 · · · Qs. Repeating this we get r = s and Pi = Qi for all i (after renumbering if necessary).

Why is this important?

For numbers, we only get unique prime factorisation in what is called a unique factorisation domain (UFD). Examples of UFDs are the complex numbers and the rationals. However, the integers mod 10 no longer form a UFD because, for example, 2*2 = 4 = 7*2 (mod 10).

However, we have the unique prime factorisation of ideals in the ring of algebraic integers of any number field. This means that we can prove many cool results by using this unique prime factorisation, which we can then translate into results about numbers in that number field. I will detail some of these in future blog posts.

M x

Towers of Hanoi

The Problem

The Tower of Hanoi is a famous problem first posed in 1883 by E. Lucas. There are 3 rods and n disks resting on one rod, sorted in size like a pyramid with the smallest disk on top. Given that you can only move the disks one at a time and that you can never place a bigger disk on a smaller disk, the aim is to move all the disks from the left hand post to the right hand post in the smallest number of moves possible.

Towers Of Hanoi
Source: http://www.codenuclear.com

Obtaining a Recurrence

Consider n = 0, the simplest case with no discs. As there are no discs to move, we cannot make any moves, so the number of steps required is 0. Letting Sn be the number of moves required for n disks, we get S= 0.

Now, we must consider how the problem scales. With n = 1, a single step will solve the problem. With n = 2, the answer is 3 steps: one to move the top (small) disk to another rod, one step to move the big disk to the destination rod, and lastly one step to move the small disk on top of the big disk.

We now consider n discs. We need Sn-1 steps to move all disks except the biggest one, then move the biggest disks then move the sub-tower on top of that disc with Sn-1 steps again. So we have the following upper bound:

Screenshot 2019-07-03 at 5.29.06 PM.pngWhat about a lower bound? At some point we must move the biggest disk to the destination rod. To get to the biggest disk, we must have moved all disks on top of it to another rod (the sub-tower), and after having moved the biggest disk, we must move this sub-tower back on top of that rod back onto the biggest disk. Due to these constraints due to the rules of the problem, we know that for n > 0 we must take at least 2*(Sn-1) + 1 steps.

Hence, this recurrence relation gives us the exact number moves needed.

Simplifying the Recurrence

Claim: Sn = 2n – 1 for all natural n.

Proof (by Induction):

Clearly true for n = 0.

Then Sk+1 = 2*(Sk + 1 = 2*(2k – 1) + 1, by the induction hypothesis.
So Sk+1 = 2*2k – 2 + 1 = 2k+1 – 1, as required.

So the claim holds by induction.

So we have found an easy formula for the number of steps needed to solve the Tower of Hanoi problem for any n!

M x

 

The woman who could help put men on Mars

Kathleen Howell is an American scientist and aerospace engineer. Her contributions to the theory of dynamical systems have been applied to spacecraft trajectory design, which led to the use of near-rectilinear halo orbit (NRHO) in various NASA space missions.

Unlike an ordinary flat orbit, an NRHO can be slightly warped. Further, it stands on end, almost perpendicular to an ordinary orbit – hence “near rectilinear”.

NASA have decided that an NRHO would be an ideal place to put the Lunar Orbital Platform-Gateway, which is a planned way station for future human flights to the Moon and eventually Mars. The plan is for the Gateway’s circuit to pass tight over the Moon’s north pole at high speed and more slowly below the south pole, because of the greater distance from the moon.

Imagine moving your hand in circles, as if washing a window, while you walk forward. Except you’re making hand circles around the moon while walking around Earth.” – Bloomberg

Although this orbit seems to be an ordinary circuit of the moon, it’s actually part of a family of orbits, centred on an empty point, called L2 (or Lagrange Point 2). Here, around 45,000 miles beyond the far side of the Moon, the gravitational forces of the Earth and the moon are in balance with the centrifugal forces on the spacecraft.

Although we are taught in school that orbits must be around something, it is quite possible to orbit around nothing, so long as that ‘nothing’ is a Lagrange point.

“It is elegant and very rich. All the forces come together to produce an unexpected path through space” – Howell

Howell’s work build on an 18th century discovery, by Euler, who theorised that for any pair of orbiting bodies, there are 3 points in space where gravitational and centrifugal forces balance precisely. In 1772, Lagrange found two more such spots. All five are now known as Lagrange points.

Image result for ;lagrange points
Source: Wikipedia

In 2017 Kathleen Howell was elected to National Academy of Engineering “for contributions in dynamical systems theory and invariant manifolds culminating in optimal interplanetary trajectories and the Interplanetary Superhighway“.

M x

NEWS: Fields Medal Winners 2018

The four winners of the Fields Medal for 2018 have been announced. The Fields Medal is awarded every 4 years at an international gathering of mathematicians and is considered the Nobel Prize for Mathematics. However, there is one key difference: recipients must be 40 years old or younger.

This years recipients were announced on Wednesday 1st August at the International Congress of Mathematicians in Rio de Janeiro. They are:

  • Caucher Birker, 40, of the University of Cambridge in England: “for his proof of the boundedness of Fano varieties and for contributions to the minimal model program.”
  • Click here for more information.
  • Allesio Figalli, 34, of the Swiss Federal Institute of Technology in Zurich: “for his contributions to the theory of optimal transport, and its application to partial differential equations, metric geometry, and probability.”
  • Click here for more information.
  • Akshay Venkatesh, 36, of the Institute for Advanced Study in Princeton and Stanford University in California: “for his synthesis of analytic number theory, homogeneous dynamics, topology, and representation theory, which has resolved long-standing problems in areas such as the equidistribution of arithmetic objects.” Click here for more information.
  • Peter Scholze, 30 (one of the youngest recipients), of the University of Bonn in Germany: “for transforming arithmetic algebraic geometry over p-adic fields through his introduction of perfectoid spaces, with application to galois representations and for the development of new cohomology theories.” Click here for more information.

1630.jpg
Source: The Guardian

M x