Guide to Pairing-Based Cryptography. Nadia El Mrabet and Marc Joye, Eds.
Size: px
Start display at page:

Download "Guide to Pairing-Based Cryptography. Nadia El Mrabet and Marc Joye, Eds."

Transcription

1 Guide to Paiing-Based Cyptogaphy by Nadia El Mabet and Mac Joye, Eds.

2 3 Paiings Soina Ionica Univesité de Picadie Jules Vene Damien Robet INRIA Bodeaux Sud-Ouest, Univesité de Bodeaux 3.1 Functions, Divisos and Mille s algoithm Functions and divisos on cuves Mille s algoithm 3.2 Paiings on elliptic cuves The Weil paiing The Tate paiing Using the Weil and the Tate paiing in cyptogaphy Ate and optimal Ate paiings Using twists to speed up paiing computations The optimal Ate and twisted optimal Ate in pactice 3.3 Fomulae fo paiing computation Cuves with twists of degee 2 Cuves with equation y 2 = x 3 + ax Cuves with equation y 2 = x 3 + b 3.4 Appendix: the geneal fom of the Weil and Tate paiing Evaluating functions on a diviso Mille s algoithm fo paiing computation The geneal definition of the Weil paiing The geneal definition of the Tate paiing The optimal Ate and twisted optimal Ate paiing Refeences We ecall fom Section 1.2 that a paiing is a map e : G 1 G 2 G T between finite abelian goups G 1, G 2 and G T, that satisfies the following conditions: e is bilinea, which means that e(p + Q, R) = e(p, R) e(q, R) and e(p, Q + R) = e(p, Q) e(p, R); e is non-degeneate, which means that fo any P G 1 thee is a Q G 2 such that e(p, Q) 1, and fo any Q G 2 thee is a P G 1 such that e(p, Q) 1. A paiing e is suitable fo use in cyptogaphy when futhemoe it is easy to compute, but difficult to invet. Inveting a paiing e means given z G T to find P G 1 and Q G 2 such that e(p, Q) = z. The most efficient cyptogaphic paiings cuently known come fom elliptic cuves (o highe dimensional algebaic vaieties). Stating fom an elliptic cuve E defined ove a finite field F q, we conside the Weil paiing and the Tate paiing associated to it. This allowed cyptogaphes to constuct a map such that: G 1 and G 2 ae subgoups of the ational points of E defined ove an extension F q k of F q ; G T is the goup (F q k, ) whee the goup law is given by the field multiplication on F q k (o moe pecisely G T = µ F q k is the subgoup of -oots of unity); 3-1

3 3-2 Guide to Paiing-Based Cyptogaphy The paiing e can be efficiently computed using Mille s algoithm (see Algoithm 3.2); Cuently the most efficient way to invet e is to solve the Diffie-Helman poblem on G 1, G 2 o G T. In this chapte we intoduce paiings associated to an elliptic cuve E ove a finite field F q and explain how to compute them efficiently, via an algoithm which evaluates functions on points of the cuve. We fist explain in Section 3.1 how to epesent functions efficiently by looking at thei associated divisos, and then give Mille s algoithm which allows to evaluate them. In Section 3.2 we pesent the geneal theoy of the Weil and Tate paiing and we eview main ecent optimizations fo thei computation: the Ate, twisted Ate and optimal paiings, which ae pefeed in implementations nowadays. Finally, we give concete fomulae to compute them in pactice in Section 3.3. Since the goup G T is a subgoup of the multiplicative goup of F q k, secuity equiements involve choosing a base field F q with lage chaacteistic (see [2] o Chapte 9). Fo simplicity, in Section 3.1 and 3.2 points on the elliptic cuve ae epesented in affine coodinates. Using this epesentation, fomulae fo paiing computation ae easy to wite down. Howeve, note that affine coodinates involve divisions and ae not efficient fo a pactical implementation. We study moe efficient epesentations of points in Section 3.3. Fo the cyptogaphic usage of paiings, only a specific vesion of Mille s algoithm and the Weil and Tate paiing need to be pesented. This is the vesion we give in Section 3.1 and 3.2, whee we omit most poofs. Fo the sake of completness, we give the geneal vesion of the paiings along with complete poofs in Section 3.4. Notation. We ecall that an elliptic cuve defined ove a field with chaacteistic geate than 5 can always be given in shot Weiestass fom, as explained in Chapte 2. In the emainde of this chapte, all elliptic cuves ae defined ove a field K with chaacteistic geate than 5 and will be given by a shot Weiestass equation. We denote this equation by y 2 = H(x), with H(x) = x 3 + ax + b and a, b K. 3.1 Functions, Divisos and Mille s algoithm Functions and divisos on cuves Paiing computations will ely cucially on evaluating functions on points of elliptic cuves. A convenient way to epesent functions is by thei diviso. We fist give a gentle intoduction to the theoy of divisos by looking at examples of functions on the line befoe consideing elliptic cuves. Let A 1 be the affine line ove an algebaically closed field K. Adding the point at infinity means that we wok on the pojective line P 1 = A 1 { }. Rational functions K(P 1 ) on A 1 ae simply the ational functions K(t). Let f = P/Q = (t x i) n i (t y i) m i K(t) be such a ational function, whee the numeato P and the denominato Q ae assumed to be pime with each othe. Then the points x i ae zeoes of f with multiplicity m i and the points y i ae poles of f with multiplicity n i. This allows us to define a multiplicity od x (f) fo evey point x P 1 (K) n if x is a zeo of f with multiplicity n, od x (f) = n if x is a pole of f of multiplicity n, 0 if x is neithe a zeo o a pole. Fo example, f has no pole in A 1 if and only if it is a polynomial P (t).

4 Paiings 3-3 Given a ational function f = P/Q as above, we can also define the evaluation of f on the point at infinity. Hee is how to compute the evaluation of f at : the change of vaiables u = 1/t sends to 0. Define g by g(u) = f(1/u). This gives the elation f(t) = g(u) when t = 1/u. We can then define the ode of f at as the ode of g at 0, and when the ode is 0 we can define the value of f at as the value of g at 0. One can then easily check that od (f) = deg f = deg Q deg P. We associate a fomal sum to a function f: div(f) = od x (f)[x], x P 1 (K) whee we use the notation [x] to epesent the point x P 1 (K) in the fomal sum. This fomal sum is called the diviso of f. Since thee is only a finite numbe of poles o zeoes, it is in fact finite. Moeove f is chaacteized by div(f) up to the multiplication by a constant: if f 1 and f 2 ae two ational functions such that div(f 1 ) = div(f 2 ), then f 1 and f 2 have the same poles and zeoes so they diffe by a multiplicative constant. Moe geneally, a diviso D is defined to be a fomal sum of a finite numbe of points: D = n i [x i ]. x P 1 (K) To a diviso D one can associate its degee deg(d) = n i. By the emak above concening the multiplicity of f at, we get that deg div(f) = 0. Convesely, given a diviso D of degee 0 it is easy to constuct a ational function f such that div f = D. The whole theoy extends when we eplace the line P 1 by a (geometically connected smooth) cuve C. If P C(K) is a point of C, then thee is always a unifomise t P, that is a ational function on C with a simple zeo at P. Thus if f K(C) is a ational function on C, then we can always wite f = t m P g whee g is a function having no poles no zeoes at P. We then define the multiplicity od P (f) of f at P to be m. If the multiplicity od P (f) is zeo, that is if P is neithe a pole no a zeo of f, then one can define the value of f at P to be f(p ). In the case of the pojective line P 1, a unifomise at x is t x and a unifomise at is u = 1 t. Hence this new notion of multiplicity coincides with the one intoduced above. Fo an elliptic cuve E we have the following unifomises t P = x x P, except when H(x P ) = 0; t P = y y P, except when H (x P ) = 0; t 0E = x/y. We denote by Disc P the disciminant of a polynomial P, we ecall that the disciminant is non zeo if and only if P does not admit a double oot. Since E is an elliptic cuve, Disc H 0 and we cannot have H(x P ) = 0 and H (x P ) = 0 at the same time. Hence thee is indeed a unifomise fo evey point P E(K). One can also define a diviso on E as a fomal finite sum of geometic points D = n i [P i ] of E, and associate to a ational function f K(E) a diviso div(f) = P E(K) od P (f)[p ]. One can check that od P (f) = 0 fo all but a finite numbe of P so we get a well defined diviso. The degee deg D of a diviso D = n i [P i ] is n i. A diviso D is said to be pincipal when thee exists a function f such that D = div(f). Two divisos D 1 and D 2 ae said to be linealy equivalent when thee exists a function f such that D 1 = D 2 + div(f). It is easy to check that a diviso D is pincipal if and only if it is equivalent to the zeo diviso, and that two divisos D 1 and D 2 ae linealy equivalent if and only if D 1 D 2 is linealy equivalent to the zeo diviso. PROPOSITION 3.1 Let E be an elliptic cuve ove an algebaically closed field K.

5 3-4 Guide to Paiing-Based Cyptogaphy 1. Given f, g K(E) two ational functions, then div(f) = div(g) if and only g diffes fom f by a multiplicative constant; 2. If f K(E) is a ational function, then div(f) is a diviso of degee 0; 3. Convesely if D = n i [P i ] is a diviso on E of degee 0, then D is the diviso of a function f K(E) (ie D is a pincipal diviso) if and only if n i P i = 0 E E(K) (whee the last sum is not fomal but comes fom the addition on the elliptic cuve). Poof. See [22, Poposition 3.4]. In fact, fo the last item, given a diviso D = n i [P i ] of degee 0, we give in Section an explicit algoithm which constucts a ational function f such that D = [P ] [0 E ] + div(f) and P = n i P i E(K). If P = 0 E then D = div(f) is a pincipal diviso. It emains to show that if P 0 E then the diviso [P ] [0 E ] is not pincipal. But if we had a function f such that div(f) = [P ] [0 E ], then the mophism E P 1 : x (1 : f(x)) K associated to f would be biational. (Indeed since f has one simple zeo and one simple pole, one could get evey degee zeo divisos as the diviso of a suitable ational function of f. So the function field of k(e) would be k(f).) But this is absud: E is an elliptic cuve so it has genus 1, it cannot have genus 0. An elliptic cuve E defined ove F q can also be seen as an elliptic cuve E Fq ove the algebaic closue F q. We say that a diviso D = n i [P i ] of E Fq is ational when it is invaiant unde the action of the Fobenius automophism π. If f F q (E) is a ational function defined ove F q, then div(f) is ational. Convesely if f F q (E) has a ational diviso div(f), then thee exists a nonzeo constant λ such that λf F q (E) [22, Chapte II 2] Mille s algoithm Let F be a pincipal diviso. Then by definition thee is a ational function f on E such that F = div f. Then f is uniquely detemined up to a constant. If 0 E is neithe a pole o a zeo of f, then one can uniquely define f by equiing that f(0 E ) = 1. Moe geneally, we can define the nomalized function associated to a pincipal diviso as follow: ( since od 0E )(x/y) = 1, (x/y) od0 E (f) has the same ode at 0 E as f. In paticula the function is defined f (x/y) od 0 E (F ) at 0 E, and we can nomalize f uniquely by equiing that the above function has value 1 at 0 E. This gives the following definition. DEFINITION 3.1 Let( F be a pincipal ) diviso. We define f F to be the unique function such that F = div f F and (0 E ) = 1. Such a function is called nomalized at 0 E f F (x/y) od 0 E (F ) (o simply nomalized). If F is ational, then f F is ational too. If P and Q ae points in E, then [P ] + [Q] [P + Q] [0 E ] is pincipal. Indeed it has degee 0 and P + Q 20 E (P + Q) + 0 E = 0 E so by Poposition 3.1 thee exists a function µ P,Q such that div(µ P,Q ) = [P ] + [Q] [P + Q] [0 E ]. DEFINITION 3.2 We denote by µ P,Q the nomalized function with pincipal diviso [P ] + [Q] [P + Q] [0 E ]. If E is given by a shot Weiestass equation, we can constuct µ P,Q explicitly: if P = Q then P + Q = 0 E and we can choose µ P,Q = x x P. (3.1)

6 Paiings 3-5 Othewise let l P,Q be the line going though P and Q (if P = Q then we take l P,Q to be the tangent to the elliptic cuve at P ). Then by definition of the addition law on E, we have that div(l P,Q ) = [P ] + [Q] + [ P Q] 3[0 E ]. Now let v P,Q = x x P +Q be the vetical line going though P + Q and P Q. Then div(v P,Q ) = [P + Q] + [ P Q] 2[0 E ], so that div( lp,q v P,Q ) = [P ] + [Q] [P + Q] [0 E ] and one can take µ P,Q = lp,q To compute x P +Q, we know that P Q is the thid intesection point between the line l P,Q : y = αx+β and the elliptic cuve E : y 2 = x 3 +ax+b. So x P Q, x P, x Q ae all oots of the degee thee equation x 3 +ax+b (αx+β) 2 = 0, and we get that x P +Q = x P Q = α 2 x P x Q. Putting eveything togethe we finally obtain v P,Q. µ P,Q = y α(x x P ) y P x + (x P + x Q ) α 2 (3.2) yp yq with α = x P x Q when P Q and α = H (x P ) 2y P when P = Q. One can check that the functions µ P,Q defined above ae nomalized (see Section 3.4). Let R E. The following lemma explains how to evaluate µ P,Q on R (in the usual cases encounteed in cyptogaphic applications, we efe to Lemma 3.4 fo the emaining cases). LEMMA 3.1 (Evaluating µ P,Q ) points on E. Let P = (x P, y P ), Q = (x Q, y Q ), and R = (x R, y R ) be Suppose that P, Q and P + Q all diffeent fom 0 E. Then µ P,Q = lp,q v P,Q whee l P,Q = yp yq y αx β with α = x P x Q when P Q and α = H (x P ) 2y P when P = Q, β = y P αx P = y Q αx Q and v P,Q = x x P +Q with x P +Q = α 2 x P x Q. Assume that R is not equal to P, Q, P + Q, P Q o 0 E then we have µ P,Q (R) = y R αx R β x R x P +Q. (3.3) (If R = P Q and P Q P, Q, P + Q, 0 E then µ P,Q is well defined on R, but computing the exact value equies moe wok, see Lemma 3.4 fo the fomula.) If P = Q (but P 0 E ) so that P + Q = 0 E, then µ P,Q = x x P. Assume that R is diffeent fom 0 E, then µ P,Q (R) = x R x P. If P = 0 E o Q = 0 E then µ P,Q = 1. Let P 0 E a point of -tosion on E. Then [P ] [0 E ] is a pincipal diviso (by cite[coollay III.3.5]Silveman09). As a consequence, we have the following definition. DEFINITION 3.3 [0 E ]. We denote by f,p the nomalized function with pincipal diviso [P ] All paiing computations will involve the following key computation: given P 0 E a point of -tosion on E, and Q P, 0 E a point of the elliptic cuve, evaluate f,p (Q). To explain how to compute f,p we need fist to extend its definition. DEFINITION 3.4 Let λ N and P E(K); we define f λ,p K(E) to be the function nomalized at 0 E such that div(f λ,p ) = λ[p ] [λp ] (λ 1)[0 E ].

7 3-6 Guide to Paiing-Based Cyptogaphy Note that if N and P E[], then f,p [P ] [0 E ]. is indeed the nomalized function with diviso PROPOSITION 3.2 Let P be as above, and λ, ν N. We have f λ+ν,p = f λ,p f ν,p f λ,ν,p, whee f λ,ν,p = µ λp,νp is the function associated to the diviso [(λ + ν)p ] [λp ] [νp ] + [0 E ] and nomalized at 0 E. Poof. We have seen in Lemma 3.1 that the function µ λx,νx defined in Equations (3.1) and (3.2) is nomalized and has fo associated diviso [(λ + ν)x] [(λ)x] [(ν)x] + [0 E ]. By definition of f λ,x, we have that div f λ+ν,x = (λ + ν)[x] [(λ + ν)x] (λ + ν 1)[0 E ] = λ[x] [λx] (λ 1)[0 E ] + ν[x] [νx] (ν 1)[0 E ] + [(λ + ν)x] [(λ)x] [(ν)x] + [0 E ] = div f λ,x f ν,x f λ,ν,x. So f λ+ν,x = f λ,x f ν,x f λ,ν,x since they have the same associated diviso and ae both nomalized at 0 E. Poposition 3.2 is the main ingedient that we need to compute f,p, using a double-and-add algoithm, whose pseudocode is descibed in Algoithm 3.2. Hee is how this algoithms woks: given P E[], we compute P as we would with a standad double-and-add algoithm. If the cuent point is T = λp, then at each step in the loop we pefom a doubling T 2T, and wheneve the cuent bit of is a 1, we also do an exta addition T T +P. The only diffeence between Mille s algoithm and scala multiplication is that, at each step in the Mille loop, we also keep tack of the function f λ,p (coesponding to the pincipal diviso λ[p ] [T ] (λ 1)[0 E ]). Duing the doubling and addition step we incement this function using Poposition 3.2, until in the end we obtain f,p, which we can evaluate on Q. Note that in pactice we do the evaluations diectly at each step because epesenting the full function f,p would be too expensive. ALGORITHM 3.1 Mille s algoithm (geneal vesion). Input: N, I = [log ], P = (x P, y P ) E[](K), Q = (x Q, y Q ) E(K). Output: f,p (Q). 1. Compute the binay decomposition: := I i=0 b i2 i. Let T = P, f = Fo i in [I 1..0] compute Retun f. (a) f = f 2 µ T,T (Q); (b) T = 2T ; (c) If b i = 1, then compute i. f = fµ T,P (Q); ii. T = T + P. Remak 3.1 One should be caeful that at the last step, the sum (whethe it is a doubling o an addition) gives 0 E, so the coesponding Mille function is simply x x T.

8 Paiings 3-7 Thee is one dawback in evaluating diectly the intemediate Mille functions µ λp,νp diectly on Q: if Q / {0 E, P }, then f,p (Q) is well defined. But if Q is a zeo o pole of µ λp,νp, then Algoithm 3.1 fails to give the coect esult. A solution to compute f,p (Q) anyway is to change the addition chain used to ty to get othe Mille functions µ λp,νp that do not have a pole o zeo on Q. Anothe solution is given in Section 3.4. We note that this situation can happen only when Q is a multiple of P. Using Lemma 3.1 we get an explicit vesion of Algoithm 3.1, fo an elliptic cuve y 2 = x 3 + ax + b. Fo efficiency easons, we only do one division at the end. ALGORITHM 3.2 Mille s algoithm fo affine shot Weiestass coodinates Input: N, I = [log ], P = (x P, y P ) E[](K), Q = (x Q, y Q ) E(K). Output: f,p (Q). 1. Compute the binay decomposition: := I i=0 b i2 i. Let T = P, f 1 = 1, f 2 = Fo i in [I 1..0] compute (except at the last step) (a) α = 3x2 T +a 2y T, the slope of the tangent of E at T ; (b) x 2T = α 2 2x T, y 2T = y T α(x 2T x T ); (c) f 1 = f 2 1 (y Q y T α(x Q x T )), f 2 = f 2 2 (x Q + 2x T α 2 ); (d) T = 2T. (e) If b i = 1, then compute yt yp i. α = x T x P, the slope of the line going though P and T ; ii. x T +P = α 2 x T x P, y T +P = y T α(x T +P x T ); iii. f 1 = f 1 (y Q y T α(x Q x T )), f 2 = f 2 (x Q + (x P + x T ) α 2 ); iv. T = T + P. 3. At the last step: f 1 = f 1 (x Q x T ). Retun f 1 f Paiings on elliptic cuves The Weil paiing The fist paiing on elliptic cuves has been defined by Weil. Although it is usually not used in pactice fo cyptogaphy (athe the Tate paiing, o vaiants of the Tate paiing is), it is impotant fo histoical easons, and also because the oiginal constuction of the Tate paiing uses the Weil paiing. THEOREM 3.1 Let E be an elliptic cuve defined ove a finite field K, 2 an intege

9 3-8 Guide to Paiing-Based Cyptogaphy pime to the chaacteistic of K and P and Q two points of -tosion on E. Then e W, = ( 1) f,p (Q) f,q (P ) (3.4) is well defined when P Q and P, Q 0 E. One can extend the application to the domain E[] E[] by equiing that e W, (P, 0 E ) = e W, (0 E, P ) = e W, (P, P ) = 1. Futhemoe, the application e W, : E[] E[] µ obtained in this way is a paiing, called the Weil paiing. The paiing e W, is altenate, which means that e W, (P, Q) = e W, (Q, P ) 1. Poof. See [22, Section III.8] o Section Note that the Weil paiing is defined ove any field K of chaacteistic pime to, and takes its values in µ K. Fo cyptogaphic applications, we conside K = F q, with q a pime numbe, and we define the embedding degee k to be such that F q k is the smallest field containing µ. In othe wods, F q k = F q (µ ) o altenatively, k is the smallest intege such that q k 1. Computing the Weil paiing To compute the Weil paiing in pactice we use Algoithm 3.2 twice to compute f,p (Q) and f,q (P ). Note that in this case, by Remak 3.1, wheneve Mille s algoithm fails because we have an intemediate zeo o pole, then Q is a multiple of P so e W, (P, Q) = 1. Indeed, if Q = λp then e W, (P, Q) = e W, (P, P ) λ = 1 because e W, (P, P ) = 1 (e W, is altenate) The Tate paiing The Tate paiing was defined by Tate fo numbe fields in [24, 18] and used by Fey and Rück in the case of finite fields [7]. Fo simplicity, we assume that K = F q, with q pime, and that k is the embedding degee coesponding to (although the constuction is valid fo any finite field). THEOREM 3.2 Let E be an elliptic cuve, a pime numbe dividing #E(F q ), P E[](F q k) a point of -tosion defined ove F q k and Q E(F q k) a point of the elliptic cuve defined ove F q k. Let R be any point in E(F q k) such that {R, Q + R} {P, 0 E } =. Then ( ) f,p (Q + R) qk 1 e T, (P, Q) = (3.5) f,p (R) is well defined and does not depend on R. Futhemoe, the application is a paiing, called the Tate paiing. E[](F q k) E(F q k)/e(f q k) µ (P, Q) e T, (P, Q) Poof. See [7]. We give an elementay poof in Section when all the -tosion is ational ove F q k. When E(F q k) does not contain a point of 2 -tosion (which is always the case in the cyptogaphic setting because is a lage pime), then the Tate paiing esticted to the -tosion is also non-degeneate.

10 Paiings 3-9 PROPOSITION 3.3 Assume that E[] E(F q k) and that thee ae no points of 2 -tosion in E(F q k). Then the inclusion E[](F q k) E(F q k) induces an isomophism E[] E(F q k)/e(f q k) so the Tate paiing e T, is a non-degeneate paiing E[] E[] µ. Poof. Suppose that P E[](F q k) is equivalent to 0 in E(F q k)/e(f q k). Then by definition thee exists a point P 0 E(F q k) such that P = P 0. This means that P 0 is a point of 2 -tosion. By hypothesis thee ae no non-tivial points of 2 -tosion in E(F q k), hence we deduce that E[] E(F q k)/e(f q k) is injective. Since both goups have cadinality 2 (this is shown in the poof of Theoem 3.11), the injection is an isomophism. Computing the Tate paiing In pactice to compute the Tate paiing, when Q is not a multiple of P (fo instance when P G 1 and Q G 2 ) one can take R = 0 E so that e T, (P, Q) = f,p (Q) qk 1. (3.6) (We can t apply Theoem 3.2 diectly with R = 0 E, but Theoem 3.11 will show that fomula (3.6) is coect). We use Algoithm 3.2 to compute f,p (Q) and then we do the final exponentiation by a fast exponentiation algoithm. By Remak 3.1 thee ae no poblems duing the execution of Mille s algoithm. Unlike fo the Weil paiing, e T, (P, P ) may not be tivial, so if we want to compute e T, (P, P ), o e T, (P, Q) with Q a multiple of P, then we need to use Equation 3.18 with R a andom point in E(F q k). If we ae unlucky and get an intemediate zeo o pole, we estat the computation with anothe andom R. An altenative method is to use the geneal Mille s algoithm descibed in Section to compute the Tate paiing Using the Weil and the Tate paiing in cyptogaphy Fo the applications of the Weil and Tate paiing to cyptogaphy, we will always conside an elliptic cuve E defined ove F q and a lage pime numbe such that #E(F q ). When the embedding degee k is geate than one, then E[] is defined ove F q k, and we can define two subgoups G 1 and G 2 of inteest fo paiing computations. LEMMA 3.2 (The cental setting fo cyptogaphy) Let E be an elliptic cuve defined ove F q, a lage pime numbe such that #E(F q ), and π q the Fobenius endomophism. Let k be the embedding degee elative to, and assume that k > 1. Then E[] = G 1 G 2 E(F q k) whee G 1 = E[](F q ) = {P E[] π q P = P } (3.7) G 2 = {P E[] π q P = [q]p }. (3.8) G 1 is called the ational subgoup of E[], while G 2 is called the tace zeo subgoup. Poof. The chaacteistic polynomial of the Fobenius modulo is the degee two polynomial X 2 tx + q modulo whee t is the tace. Let λ 1 and λ 2 be the two eigenvalues. Since #E(F q ), thee is a ational point of -tosion in E(F q ) so that λ 1 = 1. This implies that λ 2 = q. Futhemoe since k > 1, then q 1 (mod ). The two eigenvalues ae then distinct, so the action of π q on E[] is diagonalisable, and we have E[] = Ke(π q Id) Ke(π q q Id) = G 1 G 2.

11 3-10 Guide to Paiing-Based Cyptogaphy Futhemoe, let φ be the endomophism given by the tace of the Fobenius (i.e. φ = 1 + π q + + πq k 1 ). Then φ acts on G 1 by multiplication by k (which in the cyptogaphic setting will be pime to ), and on G 2 the tace acts by multiplication by qk 1 Since the embedding degee k is geate than 1 by hypothesis, then q k 1 and q 1. Hence qk 1 q 1. We conclude that the tace esticted to E[] has G 2 as kenel and G 1 as image [3, 4]. This explains the name tace zeo subgoup fo G 2. In pactice, when using paiing fiendly elliptic cuves to compute paiings fo cyptogaphic applications, we will always be in the situation of Lemma 3.2. It will be convenient to estict the Tate paiing to the subgoups G 1 and G 2 athe than to deal with the full -tosion. Unde some additional hypotheses (which always hold in the cyptogaphic setting), the Tate paiing esticted to G 1 G 2 o to G 2 G 1 is non-degeneate. q 1. PROPOSITION 3.4 Assume that we ae in the situation of Lemma 3.2. Then the estiction of e W, to G 1 G 2 o to G 2 G 1 is non-degeneate. If futhemoe thee ae no points of 2 - tosion in E(F q k), then the estiction of e T, to G 1 G 2 o to G 2 G 1 is also non-degeneate. Moe geneally, if G 3 is any cyclic subgoup of E[] diffeent fom G 1 and G 2, then the Weil and Tate paiing esticted to G 1 G 3, G 3 G 1, G 2 G 3 and G 3 G 2 is non-degeneate. Poof. Note that the Weil paiing is non-degeneate on E[], but is tivial on G 1 G 1 and G 2 G 2 (because these goups ae cyclic and the Weil paiing is altenate). Then since E[] = G 1 G 2, the Weil paiing has to be non degeneate on G 1 G 2 and G 2 G 1. Given P G 1 thee exists Q G 2 such that e W, (P, Q) 1. Thee exists T G 1 such that Q + T G 3, and e W, (P, Q + T ) = e W, (P, Q) 1. Hence the Weil paiing on G 1 G 3 is non degeneate. The same easoning holds fo the othe goups. We efe to Section fo the poof fo the Tate paiing. In the emainde of this chapte, we will always assume that we ae in the setting of Poposition 3.4. Moeove, we focus on the optimization of the computation of the Tate paiing, since it is now pefeed to the Weil paiing in cyptogaphic settings. This choice is explained by the fact that the Mille loop only needs to compute the evaluation of a single f,p function. Denominato elimination The final exponentiation of the Tate paiing kills any element γ which lives in a stict subfield of F q k. In paticula we see that eplacing f,p by γf,p in Equation (3.5) does not change the esult. In the execution of Algoithm 3.2, we can then modify the Mille functions f λ,ν,p by a facto γ in a stict subfield of F q k without affecting the final esult. Suppose that P and Q ae in G 1 o G 2 and the embedding degee k is even. Remembe that by Lemma 3.1, the Mille function f λ,ν,p = µ λp,νp = l λp,νp v λp,νp. Then by Lemma 3.3 below, v λp,νp (Q) = x Q x (λ+ν)p lives in a stict subfield of F q k so this facto will be killed by the final exponentiation. Hence in this situation we don t need to compute the division by v λp,νp (Q) in Mille s algoithm fo the Tate paiing, this is called denominato elimination. LEMMA 3.3 Let E be an elliptic cuve defined ove F q, be such that E[] E(F q k) with k even. Let Q G 1 o Q G 2. Then x Q F q k/2. Poof. If Q G 1 then Q E(F q ) so both x Q and y Q ae in F q F q k/2. Now if Q G 2, then by definition of G 2 we know that πq k/2 (Q) = q k/2 Q. By definition of the embedding degee k, q k = 1 mod, so q k/2 = ±1 mod. But since k is the smallest intege such that q k = 1 mod, we

12 Paiings 3-11 then have q k/2 = 1 mod. So πq k/2 (Q) = Q, and in paticula πq k/2 (x Q ) = x Q = x Q. So x Q is fixed by πq k/2, which means that x Q F q k/2. To sum up, denominato elimination yields Algoithm 3.3 to compute the Tate paiing ove G 1 G 2 o G 2 G 1. ALGORITHM 3.3 Tate s paiing ove G 1 G 2 o G 2 G 1. Input: N an odd pime dividing #E(F q ) s.t. k > 1 is the coesponding embedding degee, k is even and thee ae no points of 2 -tosion in E(F q k), P G 1, Q G 2 (o P G 2, Q G 1 ). Output: The educed Tate paiing e T, (P, Q) = f,p (Q) qk Compute the binay decomposition: := I i=0 b i2 i. Let T = P, f = Fo i in [I 1..0] compute (except at the last step) (a) α = 3x2 T +a 2y T, the slope of the tangent of E at T. (b) x 2T = α 2 2x T, y 2T = y T α(x 2T x T ); (c) f = f 2 l T,T (Q) = f 2 (y Q y T α(x Q x T )), (d) T = 2T, (e) If b i = 1, then compute yt yp i. α = x T x P, the slope of the line going though P and T ; ii. x T +P = α 2 x T x P, y T +P = y T α(x T +P x T ); iii. f = fl T,P (Q) = f(y Q y T α(x Q x T )) iv. T = T + P, 3. At the last step: f = f(x Q x T ). Retun f qk 1. Finding a non tivial paiing Fo all cyptogaphic applications of paiings, one needs to find two points P and Q on the elliptic cuve such that e(p, Q) 1. Fo instance the oiginal use of the Weil paiing was used in [19] as an attack method by educing the DLP fom elliptic cuves to finite fields: the MOV attack (see Chapte 9). Fo the eduction to wok, given P E[](F q ) one need to find a point Q such that e W, (P, Q) 1. Then the DLP between (P, np ) ove E(F q ) educes to a DLP between (e W, (P, Q), e W, (P, Q) n ) ove a finite field. When the embedding degee k is geate than 1 as in Lemma 3.2, then taking any Q G 2 \ 0 E gives a non degeneate paiing e W, (P, Q). The same is tue fo the Tate paiing by Poposition 3.4. Howeve when the embedding degee k is 1, and E[](F q ) =< P > is cyclic, then e W, (P, P ) = 1. To get a non-degeneate Weil paiing one need to find a Q E[]\E[](F q ), and such a point lives ove an extension of degee. But if we eplace the Weil paiing by the Tate paiing, then in this case e T, (P, P ) 1 by Section This popety was the oiginal eason fo the use of the Tate paiing in the aticle [7].

13 3-12 Guide to Paiing-Based Cyptogaphy Paiings of type I,II,III We conclude the discussion in this section by explaining how to instantiate paiings used in cyptogaphic potocols, following the classification into thee types intoduced in Section Type III: The Tate paiing esticted to G 1 G 2 (indeed it is non degeneate by Poposition 3.4). Type II: Let P E[] be a point neithe in G 1 no in G 2 and define G 3 =< P > to be the cyclic subgoup geneated by P. Then by Poposition 3.4 the Tate paiing esticted to G 1 G 3 is non-degeneate. Futhemoe, since the tace of the Fobenius has image G 1 and kenel G 2, the estiction of the tace to G 3 is an isomophism between G 3 and G 1, so the the Tate paiing on G 1 G 3 is of Type II. Type I: An instantiation of Type I paiings is given by the Tate paiing on G G, whee G = E[](F q ), when the embedding degee k = 1 and E[](F q ) is cyclic as discussed in the paagaph above and in Section Anothe example is given by supesingula elliptic cuves, in the situation of Lemma 3.2. Indeed fo a supesingula elliptic cuve E thee exists a distosion map ψ : G 1 = E[](F q ) E[](F q k) such that ψ(g 1 ) G 1. In paticula e W, (P, ψ(p )) 1 and e T, (P, ψ(p )) 1, so composing the Weil o Tate paiing with the distosion map gives a paiing on G 1 G 1. We efe to [26, 8] fo moe details on the constuction of ψ Ate and optimal Ate paiings Mille s basic algoithm descibed in the pevious section is an extension of the double-andadd method fo finding a point multiple. With the inception of paiing-based potocols in the ealy 2000s, the cyptogaphic community put in a lot of effot in simplifying and optimizing this algoithm. The complexity of Mille s algoithm heavily depends on the length of the Mille loop. Majo pogess in paiing computation was made in 2006, with the intoduction of the loop shotening technique. This constuction, called the eta paiing, was fist poposed by Baeto et al. on supesingula cuves and futhe simplified and extended to odinay cuves by Hess et al. In this section, we detail this constuction (the ate paiing) and give explicit fomulae fo its implementation. By definition when Q G 2, π q (Q) = qq. So one can use the Fobenius endomophism π q to speed up the scala multiplication Q Q. Since Mille s algoithm is an extended vesion of the scala multiplication, one can ty to use this popety of the Fobenius to speed up the computation of the Mille function f,q. The fist idea was to eplace by q k 1 (which is a multiple of ), and use the Fobenius to speed up the computation of f qk,q. This leads to the following esult given by Hess et al. [10]. THEOREM 3.3 Let E be an elliptic cuve defined ove F q and a lage pime with #E(F q ). Let k > 1 be the embedding degee and let G 1 = E[] Ke(π q Id) and G 2 = E[] Ke(π q q Id). Let λ q (mod ) and m = (λ k 1)/. Fo Q G 2 and P G 1 we have (i) (Q, P ) (f λ,q (P )) (qk 1)/ defines a bilinea map on G 2 G 1. (ii) Then e T, (Q, P ) m = f λ,q (P ) c(qk 1)/ whee c = k 1 i=0 λk 1 i q i kq k 1 (mod ), so this map is non degeneate if m. In paticula, let t be the tace of the Fobenius, T = t 1 and L = (T k 1)/. Then T q (mod ) so a T : G 2 G 1 µ (Q, P ) (f T,Q (P )) (qk 1)/

14 Paiings 3-13 defines a paiing on G 2 G 1 when L, which we call the Ate paiing. By Hasse s theoem 2.9, the tace of the Fobenius t is such that t 2 q. If t is suitably small with espect to, then the Ate paiing can be computed using a Mille loop of shote size and ae thus faste than the Tate paiing. The exact same algoithm as Algoithm 3.3 allows to compute the Ate paiing by eplacing with T (since denominato elimination holds too). Othe paiings may be obtained fom Theoem 3.3, by setting λ q i (mod ) [27]. Pushing the idea futhe, one may look at a multiple of c of so that we can wite c = c i q i with c i small coefficients. When Q G 2, computing the scala multiplication by c equies computing the points c i Q, using the Fobenius to compute the c i q i Q and then summing eveything. The same idea applied to paiings shows that one can then use a suitable combination of Mille functions f ci,q to constuct a bilinea paiing which is a powe m of the Tate paiing. Once again when m we get a new paiing. THEOREM 3.4 Let λ = φ(k) 1 i=0 c i q i such that λ = m, fo some intege m. Then a [c0,...,c l ] : G 2 G 1 µ defined as (Q, P ) φ(k) 1 i=0 φ(k) 1 f qi c (P ) i,q i=0 l si+1q,c iq i Q(P ) v siq(p ) (q k 1)/, (3.9) with s i = φ(k) 1 j=i c j q j defines a bilinea map. This paiing is non-degeneate if and only if mkq k 1 ((q k 1)/) φ(k) 1 i=0 ic i q i 1 (mod ) and we call it the optimal Ate paiing. Poof. The optimal Ate paiing was poposed by Vecauteen [25]. See Section whee we follow the lines of his poof Using twists to speed up paiing computations The goup G 1 is defined ove the base field F q so it admits an efficient epesentation. In paticula when computing the Tate paiing ove G 1 G 2, the Mille functions ae defined ove F q, so most of the opeations duing the computation ae pefomed in F q. We explain hee why G 2 also admits an efficient epesentation: it is isomophic to a subgoup of ode on a twist defined ove a subfield of F q k. We pove this esult hee and we will show in the next section that this allows to do pat of the paiing computations in a subfield F q e, with e k, athe than in F q k. THEOREM 3.5 Let E be an odinay elliptic cuve ove F q admitting a twist of degee d. Assume that is an intege such that #E(F q ) and let k > 2 be the embedding degee. Then thee is a unique twist E such that #E (F q e), whee e = k/ gcd(k, d). Futhemoe, if we denote by G 2 the unique subgoup of ode of E (F q ) and by Ψ : E E the twisting isomophism, the subgoup G 2 is given by G 2 = φ(g 2 ) and veifies the equation G 2 = E[] Ke([ξ d ]π q e Id), whee [ξ d ] is an automophism of ode dividing d. Poof. Replacing d by gcd(k, d) we can assume that d k and that e = k/d. Take Q G 2. By the definition of G 2 we know that π e (Q) = q e Q. But since k is the smallest intege such that q k = 1 (mod ), we have that q e = ξ d (mod ), whee ξ d is d-th pimitive oot of unity in F q k.

15 3-14 Guide to Paiing-Based Cyptogaphy Note that we have an isomophism [] : µ d Aut(E) ( [22, Coollay III.10.2]). Points in G 2 ae eigenvectos fo any endomophism on the cuve and we denote by [ξ d ] the automophism such that [ξ d ]Q = ξ 1 d Q (mod ). Let E be a twist of degee d of E, defined ove F q e, such that Ψ (Ψ 1 ) σ (with σ the action of the Fobenius on the coefficients of the automophism) is the automophism [ξ d ] on E. If we denote by π q e the Fobenius mophism on E, we obseve that Ψ π q e Ψ 1 = Ψ (Ψ 1 ) σ π q e. Theefoe we have G 2 = Ke([ξ d ]π q e Id). Let G 2 = Ψ 1 (G 2 ). Then Ψ π q e Ψ 1 (G 2 ) = G 2. It follows that G 2 is invaiant unde π q e, hence it is defined ove F q e. Using the esult one can compute the Mille loop fo the Ate (o optimal Ate) paiing a T (Q, P ) by woking ove G 2 to compute the multiples of Ψ 1 (Q), and going back to G 2 only to evaluate the Mille functions on P. Altenatively one can do the full computation on the twist E, as shown in [6]. THEOREM 3.6 Let E be an elliptic cuve defined ove F q Assume that is an intege such that #E(F q ) and let k > 2 be the embedding degee. Let E be the twist of degee d and Ψ : E E the associated twist isomophism, as in Theoem 3.5. Conside Q G 2, P G 1, and let Q = Ψ 1 (Q) and P = Ψ 1 (P ). Let a T (Q, P ) be the Ate paiing of Q and P. Then a T (Q, P ) gcd(d,6) = a T (Q, P ) gcd(d,6) whee a T (Q, P ) = f T,Q (P ) (qk 1)/ uses the same paamete loop. This shows that the paiing on G 2 G 1 may be seen as a G 1 G 2 paiing on a twist defined ove F q e. Indeed since G 2 = E[] Ke([ξ d ]π q e Id) by Theoem 3.5, G 1 = E[] Ke([ξ d ]π q e q e Id), so Ψ 1 (G 2 ) = G 1 (E ) and Ψ 1 (G 1 ) = G 2 (E ), with G 1 (E ) and G 2 (E ) ae the subgoups giving the eigenvectos of the Fobenius on E The twist impoves the Ate paiing on G 2 G 1 by giving an efficient epesentation of G 2. Altenatively, it can be used to give a shote Mille loop fo paiings on G 1 G 2 [13]. THEOREM 3.7 Let λ q (mod ) and m = (λ k 1)/. Assume that E has a twist of degee d and set and set n = gcd(k, d), e = k/n. (i) (P, Q) (f λ e,p (Q)) (qk 1)/ defines a bilinea map on G 1 G 2. (ii) e T, (P, Q) L = f λ e,p (Q) c(qk 1)/N whee c = n 1 i=0 λe(n 1 i) q ei nq e(n 1) (mod ), so this map is non-degeneate if m. In paticula, if t is the tace of the Fobenius, T = t 1, and L = (T k 1)/, then (P, Q) (f T e,p (Q)) (qk 1)/ defines a paiing if L, which we call the twisted Ate paiing. One can also define a twisted optimal Ate paiing on G 1 G 2. This was given by Hess [12], using a geneal fomula fo the paiing function. We pesent it hee in a simplified way, bette suited fo implementations.

16 Paiings 3-15 THEOREM 3.8 Assume that E has a twist of degee d and set n = gcd(k, d), e = k/n. Let λ = φ(k)/e 1 i=0 c i q ie such that λ = m, fo some intege m. Then a [c0,...,c l ] : G 1 G 2 µ (3.10) (q k 1)/ φ(k)/e 1 φ(k)/e 1 (P, Q) f qie c (Q) l si+1p,c iq ie P (Q) i,p, v sip (Q) i=0 whee s i = φ(k)/e 1 j=i c j q je, defines a bilinea map on G 1 G 2. This paiing is non-degeneate if and only if mkq k 1 ((q k 1)/) φ(k)/e 1 i=0 ic i q e(i 1) (mod ). Poof. See Section i= The optimal Ate and twisted optimal Ate in pactice In ode fo the optimal Ate and twisted optimal Ate paiings to give a shot Mille loop, we would like the coefficients c i to be as small as possible. The idea is to seach fo the coefficients c i in Equations 3.9 and 3.10 by computing shot vectos in the following lattice q q q l , (3.11) whee l is eithe φ(k) 1 in the optimal Ate paiing case, and φ(k)/e 1, in the twisted Ate case. The volume of this lattice is, hence by Minkowski s theoem thee is a shot vecto v in the lattice such that v 1/l+1. Stating fom this bound and Theoem 3.4, Vecauteen discusses the existence of paiings that may be computed with a Mille loop of size (log )/φ(k). Note that Theoem 3.4 does not guaantee that the paiing defined in Equation 3.9 can be computed in (log )/φ(k) opeations. If the pocedue descibed above poduces a shot vecto with seveal c i coefficients diffeent fom zeo, then computing each f ci,q(p ) sepaately costs O((log )/φ(k)) opeations. Possible optimizations would be to use multi-exponentiation techniques o a paallel vesion of Mille s algoithm to compute all the f ci,q(p ) functions at once. Howeve, in the case of paametic families intoduced in Chapte 4, the entie computation can be caied with a single basic Mille loop and the paiing given in Theoem 3.4 is indeed optimal, thanks to the special fom of the shot vectos we obtain. To explain this idea, we give explicit fomulae fo this computation in the case of seveal Bezing-Weng type constuctions of paiing-fiendly cuves. Since k is small, these fomulae can be obtained by computing shot vectos fo the lattice given by the matix 3.11, by using an available implementation of the LLL algoithm. We ecommend using fo instance the functions LLL() o BKZ() in Sage [23]. Example 3.1 [25, Vecauteen] We conside the Baeto-Naehig family of cuves, that was intoduced in??. We biefly emind hee that these families have embedding degee 12 ae given by the following paametizations: (x) = 36x x x 2 + 6x + 1, t(x) = 6x 2 + 1, q(x) = 36x x x 2 + 6x + 1.

17 3-16 Guide to Paiing-Based Cyptogaphy By Theoem 3.3, the length of Mille s loop fo the Ate paiing is log 2 2. We will show that the complexity of the computation of the optimal Ate paiing fo this family is O( log 2 4 ). Indeed, in ode to apply Theoem 3.4, we compute the following shot vecto: [6x + 2, 1, 1, 1]. Note that in this case, 3 out of the 4 coefficients in the shot vecto ae tivial. We conclude that the optimal twisted Ate paiing fo this family of cuves is given by the simple fomula: (f 6x+2,Q (P ) l Q3, Q 2 (P )l Q2+Q 3,Q 1 (P )l Q1 Q 2+Q 3,[6x+2]Q(P )) q12 1, whee Q i = Q qi, fo i = 1, 2, 3. Note that the evaluation at Q of the vetical line v (x3 x 2 +1)tP can actually be ignoed because of the final exponentiation. The only costly computation is that of f 6x+2,Q (P ) and costs O(log /2) opeations. While the twisted Ate has loop length log, a seach fo a shot vecto giving the optimal twisted Ate paiing gives [6x 2 + 2x, 2x + 1]. Hence we need to compute f x,p (Q), f x 2,P (Q) and the complexity of computation is O(log /2). Example 3.2 We conside hee the family of cuves with k = 18 poposed by Kachisa et al., whose constuction is given in Chapte 4. We biefly ecall that this family is paametized by the following polynomials (x) = x x , t(x) = 1 7 (x4 + 16x + 7), q(x) = 1 21 (x8 + 5x 7 + 7x x x x x x ). A simila seach fo the optimal paiing on cuves with embedding degee 18 gives, fo example, the shot vecto [1, x ]. Hence the complexity of Mille s algoithm is log 2 2. The optimal Ate paiing computation fo cuves with k = 18 has complexity O( log 6 ). Building on these esults, Vecauteen [25] intoduces the concept of optimal paiing, i.e. a paiing that is computed in log /φ(k) Mille iteations. He puts fowad the following conjectue: Optimality conjectue: Any non-degeneate paiing on an elliptic cuve without any efficiently computable endomophisms diffeent fom the powes of the Fobenius equies at least O(log /φ(k)) basic Mille iteations. Hess [12] poved the optimality conjectue fo all known paiing functions. The paiings given by the fomulae in Theoem 3.4 ae the fastest known paiings at the time of this witing. On cuves endowed with efficiently computable endomophisms othe than the Fobenius (such as automophisms), it is cuently not known how to use the action of these endomophisms to impove on paiing computation.

18 Paiings 3-17 Choosing the ight paiing Assume that we ae in the situation of Poposition 3.4, and let P G 1 and Q G 2. Then one may choose among the Tate paiing e,w (P, Q), the Ate (o Optimal Ate) paiing a,t (P, Q), the twisted Ate paiing... Futhemoe, when k is even, we can apply denominato elimination fo the Tate paiing thanks to the final exponentiation. On the downside, one should emembe that the final exponentiation may be expensive too. Indeed, the loop length of the final exponentiation is aound k log q compaed to log q fo the Mille step. So the implementation of the final exponentiation step should not be neglected and we will give in Chapte 7 efficient algoithms fo its computation. We conclude that the choice of paametes fo applications is a complex matte, with multiple aspects to take into account. Theefoe, we devote the whole Chapte 10 to discussing this poblem. In the emainde of this chapte, we give optimized fomulae fo computing one step of a Mille loop. 3.3 Fomulae fo paiing computation One of the most efficient ways of computing paiings on an elliptic cuve given by a Weiestass equation is to use Jacobian coodinates [17] [9]. A point [X, Y, Z] in Jacobian coodinates epesents the affine point (X/Z 2, Y/Z 3 ) on the elliptic cuve. A point in pojective coodinates [X, Y, Z] epesents the point (X/Z, Y/Z) on the elliptic cuve. In this section we denote by s and m the costs of squaing and multiplication in F q and by S and M the costs of these opeations in the extension field F q k, if k > 1. We denote by d a the cost of the multiplication by a constant a. Sometimes, if q is a spase pime (such as a genealized Mesenne pime), we may assume that s/m = 0.8. Howeve, when constucting paiing fiendly cuves, it is difficult to obtain such pimes. Hence, we geneally have s/m Cuves with twists of degee 2 In the emainde of this section, we suppose that the embedding degee is even and that E has a twist of ode 2 defined ove F q k/2. Fom Theoem 3.5 and by using the equations of twists given in Subsection 2.3.6, we deive an efficient epesentation of points in G 2. It follows that the subgoup G 2 = Q E(F q k) can be chosen such that the x-coodinates of all its points lie in F q k/2 and the y-coodinates ae poducts of elements of F q k/2 with β, whee β is not a squae in F q k/2 and β is a fixed squae oot in F q k. Fo cuves with twists of degee 2, the fastest known fomulae fo Mille s algoithm doubling [14] and addition steps [1] ae in Jacobian coodinates. Theefoe we epesent the point T as T = [X 1, Y 1, Z 1, W 1 ], whee [X 1, Y 1, Z 1 ] ae the Jacobian coodinates of the point T on the Weiestass cuve and W 1 = Z 2 1. The doubling step We will look at the doubling step in the Mille loop. We epesent the point T as T = (X 1, Y 1, Z 1, W 1 ), whee (X 1, Y 1, Z 1 ) ae the Jacobian coodinates of the point T on the Weiestass cuve and W 1 = Z 2 1. We compute 2T = (X 3, Y 3, Z 3, W 3 ) as: X 3 = (3X1 2 + aw1 2 ) 2 8X 1 Y1 2, Y 3 = (3X1 2 + aw1 2 )(4X 1 Y1 2 X 3 ) 8Y1 4, Z 3 = 2Y 1 Z 1 W 3 = Z 2 3.

19 3-18 Guide to Paiing-Based Cyptogaphy We wite the nomalized function l T,T that appeas in Algoithm (3.3) as : l T,T (x Q, y Q ) = (Z 3 W 1 y 2Y 2 1 (3X aw 2 1 )(W 1 x X 1 ))/(Z 3 W 1 ) Thanks to elimination in the final exponentiation, the tem Z 3 W 1 can be ignoed. Fo k = 2, we have that x F q and we can compute the function l T,T as l T,T (x, y) = Z 3 W 1 y 2Y 2 1 (3X aw 2 1 )(W 1 x X 1 ). Fo k > 2, we have that x is in F q k/2 and the computation is slightly diffeent l T,T (x, y) = Z 3 W 1 y 2Y 2 1 W 1 (3X aw 2 1 )x + X 1 (3X aw 2 1 ). The computations ae done in the following ode: A = W1 2, B = X1 2, C = Y1 2, D = C 2, E = (X 1 + C) 2 B D, F = 3B + aa, G = F 2, X 3 = 4E + G, Y 3 = 8D + F (2E X 3 ), Z 3 = (Y 1 + Z 1 ) 2 C W 1, W 3 = Z 2 3, H = (Z 3 + W 1 ) 2 W 3 A, I = H y, J = (F + W 1 ) 2 G A, K = J x, L = (F + X 1 ) 2 G B l T,T = I 4C K + L, f = f 2 l T,T. The opeation count gives 10s+3m+1a+1S+1M fo k = 2 and 11s+(k+1)m+1d a +1S+1M if k > 2. The mixed addition step In implementations, it is often possible to choose the point P such that its Z-coodinate is 1, in ode to save some opeations. The addition of two points T = [X 1, Y 1, Z 1 ] and P = [X 2, Y 2, 1] is called mixed addition. The esult of the addition of T = [X 1, Y 1, Z 1, W 1 ] and P = [X 2, Y 2, 1] is T +P = [X 3, Y 3, Z 3, W 3 ] with X 3 = (X 1 + X 2 Z 2 1)(X 1 X 2 Z 2 1) 2 + (Y 2 Z 3 1 Y 1 ) 2, Y 3 = (Y 2 Z 3 1 Y 1 )(X 1 (X 1 X 2 Z 2 1) 2 X 3 ) + Y 1 (X 1 X 2 Z 2 1) 2, Z 3 = Z 1 (X 2 Z 2 1 X 1 ), W 3 = Z 2 3, T 3 = W 3 x Q X 3. The line l T,P is given by the equation: l T,P = Z 3 y Q Y 2 Z 3 (2Y 2 Z 3 1 2Y 1 )(x Q X 2 ). The computations ae done in the following ode: A = Y2 2, B = X 2 W 1, D = ((Y 2 + Z 1 ) 2 A W 1 ) W 1, H = B X 1, I = H 2 E = 4I, J = H E, L 1 = D 2Y 1, V = X 1 E, X 3 = L 2 1 J 2V, Y 3 = (D Y 1 ) (V X 3 ) 2Y 1 I Z 3 = (Z 1 + H) 2 W 1 I, W 3 = Z 2 3, l T,P = 2Z 3 y Q (Y 2 + Z 3 ) 2 + A + W 3 2L 1 (x Q X 2 ) The opeation count gives 6s + 6m + km + 1M [1].

20 Paiings Cuves with equation y 2 = x 3 + ax These cuves have twists of degee 4. Theefoe, by using the equations fo twists given in Section and Theoem 3.5, we deive that a point Q G 2 may be witten as (x Q, y Q ) = (x Qν 1/2, y Qν 3/4 ) whee x Q, y Q, ν F q k/4 and X 4 ν is an ieducible polynomial. Moeove, thanks to the simple fom of the Weiestass equation, the doubling and addition fomulae fo these cuves ae simple and faste than in the case of cuves allowing only twists of degee 2. The fastest fomulae fo paiing computation on these cuves [6] use Jacobian coodinates. In the doubling step, we compute 2T as X 3 = (X 2 1 az 2 1) 2 Y 3 = 2Y 1 (X 2 1 az 2 1)((X az 2 1) 2 + 4aZ 2 1X 2 1 ) Z 3 = 4Y 2 1. The line function is l T,T = 2(3X 2 1 Z 1 + az 3 1)x Q + (4Y 1 Z 1 )y Q + 2(X 3 1 az 2 1X 1 ) The computation is done using the following sequence of opeations: A = X1 2, B = Y1 2, C = Z1, 2 D = ac, X 3 = (A D) 2, E = 2(A + D) 2 X 3, F = ((A D + Y 1 ) 2 B X 3 ), Y 3 = E F, Z 3 = 4B G = 2Z 1 (3 A + D), H = 2((Y 1 + Z 1 ) 2 B C), II = (X 1 + A D) 2 X 3 A, l T,T = G x Q + H y Q + II. The total cost is (2k/d + 2)m + 8s + 1d a. In the mixed addition step of T = (X 1, Y 1, Z 1 ) and P = (X 2, Y 2, 1) is T + P = (X 3, Y 3, Z 3 ) with X 3 = (Y 1 Y 2 Z 2 1) 2 (X 1 + X 2 Z 1 )S, Y 3 = ((Y 1 Y 2 Z 2 1)(X 1 S X 3 ) Y 1 SU)UZ 1, Z 3 = (UZ 1 ) 2, whee S = (X 1 X 2 Z 1 ) 2 Z 1 and U = X 1 X 2 Z 1. This is computed with the following opeations A = Z 2 1, E = X 2 Z 1, G = Y 2 A, H = D E, I = 2(Y 1 G), II = I 2, J = 2Z 1 H K = 4J H, X 3 = 2II (X 1 + E) K, Z 3 = J 2 Y 3 = ((J + I) 2 Z 3 II) (X 1 K X 3 ) Y 1 K 2, Z 3 = 2Z 3 l T,P = I X 2 I x Q + J y Q J Y 2 The total cost of the computation is ((2k/d) + 9)m + 5s Cuves with equation y 2 = x 3 + b These cuves have twists of degee 6. Theefoe, by using the equations fo twists given in Section and Theoem 2.12, we deive that a point Q G 2 may be witten as (x Q, y Q ) = (x Qν 1/3, y Qν 1/2 ),

21 3-20 Guide to Paiing-Based Cyptogaphy TABLE 3.1 Cost of one step in Mille s algoithm fo even embedding degee Doubling Mixed addition k = 2 k 4 J [14],[1] 3m + 10s + 1a + 1M + 1S (1+k)m+11s+1a+1M+1S (6+k)m+6s+1M J,y 2 = x 3 + b e = 2, 6 [6] (2k/e+2)m+7s+1a+1M+1S (2k/e+2)m+7s+1a+1M+1S (2k/e+9)m+2s+1M J, y 2 = x 3 + ax e = 2, 4 [6] (2k/e+2)m+8s+1a+ 1M+1S (2k/e+2)m+8s+1a+ 1M+1S (2k/e+12)m+4s+1M whee x Q, y Q, ν F q k/6 and X 6 ν is an ieducible polynomial. The fastest existing fomulae on these cuves use pojective coodinates. Following [6], we compute 2T as: X 3 = 2X 1 Y 1 (Y1 2 9bZ1) 2 Y 3 = Y bY1 2 Z1 2 27b 2 Z1 4 Z 3 = 8Y1 3 Z 1 The line equation is l T,T = 3X 2 1 x Q 2Y 1 Z 1 y Q + 3bZ 2 1 Y 2 1. The computation is pefomed in the following ode: A = X1 2, B = Y1 2, C = Z1, 2 D = 3bC, E = (X 1 + Y 1 ) 2 A B, F = (Y 1 + Z 1 ) 2 B C, G = 3D, X 3 = E (B G), Y 3 = (B + G) 2 12D 2, Z 3 = 4B F, H = 3A, I = F, J = D B. l T,T = H x Q + I y Q + J. The total count fo the above sequence of opeations is (2k/d)m + 5s + 1d b. In the mixed addition step of T = (X 1, Y 1, Z 1 ) and P = (X 2, Y 2, 1) is T + P = (X 3, Y 3, Z 3 ) with X 3 = (X 1 Z 1 X 2 )(Z 1 (Y 1 Z 1 Y 2 ) 2 c(x 1 + Z 1 X 2 )(X Z 1 X 2 ) 2 ), Y 3 = (Y 1 Z 1 Y 2 )(c(2x 1 + Z 1 X 2 )(X 1 Z 2 Z 1 X 2 ) 2 Z 1 (Y 1 Z 1 Y 2 ) 2 ) cy 1 (X 1 Z 2 Z 1 X 2 ) 3, Z 3 = cz 1 (X 1 Z 1 X 2 ) 3, whee c = 1/b. The line fomula is given by l T,P = (Y 1 Z 1 Y 2 ) (X 2 x Q ) (X 1 Z 1 X 2 ) Y 2 + (X 1 Z 1 X 2 ) Z 2 y Q The computation is pefomed using the following sequence of opeations : t 1 = Z 1 X 2, t 1 = X 1 t 1, t 2 = Z 1 Y 2, t 2 = Y 2 t 2, g = c 1 t 2 t 1 Y 2 + t 1 y Q t 3 = t 2 1, t 3 = c t 3, X 3 = t 3 X 1, t 3 = t 1 t 3, t 4 = t 2 2 t 4 = t 4 Z 1, t 4 = t 3 + t 4, t 4 = t 4 X 3, X 3 = X 3 t 4, t 2 = t 2 X 3, Y 3 = t 3 Y 1 Y 3 = t 2 Y 3, X 3 = t 1 t 4, Z 3 = Z 1 t 3, whee c 1 = X 2 x Q. The total cost is (2k/d + 9)m + 2s. In Table 3.1 we summaize all these esults.

Similar documents

Fixed Argument Pairing Inversion on Elliptic Curves

Fixed Argument Pairing Inversion on Elliptic Curves Fixed Agument Paiing Invesion on Elliptic Cuves Sungwook Kim and Jung Hee Cheon ISaC & Dept. of Mathematical Sciences Seoul National Univesity Seoul, Koea {avell7,jhcheon}@snu.ac.k Abstact. Let E be an

More information

When two numbers are written as the product of their prime factors, they are in factored form.

When two numbers are written as the product of their prime factors, they are in factored form. 10 1 Study Guide Pages 420 425 Factos Because 3 4 12, we say that 3 and 4 ae factos of 12. In othe wods, factos ae the numbes you multiply to get a poduct. Since 2 6 12, 2 and 6 ae also factos of 12. The

More information

9.1 The multiplicative group of a finite field. Theorem 9.1. The multiplicative group F of a finite field is cyclic.

9.1 The multiplicative group of a finite field. Theorem 9.1. The multiplicative group F of a finite field is cyclic. Chapte 9 Pimitive Roots 9.1 The multiplicative goup of a finite fld Theoem 9.1. The multiplicative goup F of a finite fld is cyclic. Remak: In paticula, if p is a pime then (Z/p) is cyclic. In fact, this

More information

Chapter 3: Theory of Modular Arithmetic 38

Chapter 3: Theory of Modular Arithmetic 38 Chapte 3: Theoy of Modula Aithmetic 38 Section D Chinese Remainde Theoem By the end of this section you will be able to pove the Chinese Remainde Theoem apply this theoem to solve simultaneous linea conguences

More information

On the Computation of the Optimal Ate Pairing at the 192-bit Security Level

On the Computation of the Optimal Ate Pairing at the 192-bit Security Level On the Computation of the Optimal Ate Paiing at the 192-bit Secuity Level Loubna Ghammam 1 and Emmanuel Fouotsa 2 (1) IRMAR, UMR CNRS 6625, Univesité Rennes 1, Campus de Beaulieu 35042 Rennes cedex, Fance.

More information

Stanford University CS259Q: Quantum Computing Handout 8 Luca Trevisan October 18, 2012

Stanford University CS259Q: Quantum Computing Handout 8 Luca Trevisan October 18, 2012 Stanfod Univesity CS59Q: Quantum Computing Handout 8 Luca Tevisan Octobe 8, 0 Lectue 8 In which we use the quantum Fouie tansfom to solve the peiod-finding poblem. The Peiod Finding Poblem Let f : {0,...,

More information

New problems in universal algebraic geometry illustrated by boolean equations

New problems in universal algebraic geometry illustrated by boolean equations New poblems in univesal algebaic geomety illustated by boolean equations axiv:1611.00152v2 [math.ra] 25 Nov 2016 Atem N. Shevlyakov Novembe 28, 2016 Abstact We discuss new poblems in univesal algebaic

More information

Probablistically Checkable Proofs

Probablistically Checkable Proofs Lectue 12 Pobablistically Checkable Poofs May 13, 2004 Lectue: Paul Beame Notes: Chis Re 12.1 Pobablisitically Checkable Poofs Oveview We know that IP = PSPACE. This means thee is an inteactive potocol

More information

arxiv: v1 [math.co] 1 Apr 2011

arxiv: v1 [math.co] 1 Apr 2011 Weight enumeation of codes fom finite spaces Relinde Juius Octobe 23, 2018 axiv:1104.0172v1 [math.co] 1 Ap 2011 Abstact We study the genealized and extended weight enumeato of the - ay Simplex code and

More information

arxiv: v1 [math.co] 4 May 2017

arxiv: v1 [math.co] 4 May 2017 On The Numbe Of Unlabeled Bipatite Gaphs Abdullah Atmaca and A Yavuz Ouç axiv:7050800v [mathco] 4 May 207 Abstact This pape solves a poblem that was stated by M A Haison in 973 [] This poblem, that has

More information

Solution to HW 3, Ma 1a Fall 2016

Solution to HW 3, Ma 1a Fall 2016 Solution to HW 3, Ma a Fall 206 Section 2. Execise 2: Let C be a subset of the eal numbes consisting of those eal numbes x having the popety that evey digit in the decimal expansion of x is, 3, 5, o 7.

More information

Enumerating permutation polynomials

Enumerating permutation polynomials Enumeating pemutation polynomials Theodoulos Gaefalakis a,1, Giogos Kapetanakis a,, a Depatment of Mathematics and Applied Mathematics, Univesity of Cete, 70013 Heaklion, Geece Abstact We conside thoblem

More information

C/CS/Phys C191 Shor s order (period) finding algorithm and factoring 11/12/14 Fall 2014 Lecture 22

C/CS/Phys C191 Shor s order (period) finding algorithm and factoring 11/12/14 Fall 2014 Lecture 22 C/CS/Phys C9 Sho s ode (peiod) finding algoithm and factoing /2/4 Fall 204 Lectue 22 With a fast algoithm fo the uantum Fouie Tansfom in hand, it is clea that many useful applications should be possible.

More information

SPECTRAL SEQUENCES. im(er

SPECTRAL SEQUENCES. im(er SPECTRAL SEQUENCES MATTHEW GREENBERG. Intoduction Definition. Let a. An a-th stage spectal (cohomological) sequence consists of the following data: bigaded objects E = p,q Z Ep,q, a diffeentials d : E

More information

Secret Exponent Attacks on RSA-type Schemes with Moduli N = p r q

Secret Exponent Attacks on RSA-type Schemes with Moduli N = p r q Secet Exponent Attacks on RSA-type Schemes with Moduli N = p q Alexande May Faculty of Compute Science, Electical Engineeing and Mathematics Univesity of Padebon 33102 Padebon, Gemany alexx@uni-padebon.de

More information

ON INDEPENDENT SETS IN PURELY ATOMIC PROBABILITY SPACES WITH GEOMETRIC DISTRIBUTION. 1. Introduction. 1 r r. r k for every set E A, E \ {0},

ON INDEPENDENT SETS IN PURELY ATOMIC PROBABILITY SPACES WITH GEOMETRIC DISTRIBUTION. 1. Introduction. 1 r r. r k for every set E A, E \ {0}, ON INDEPENDENT SETS IN PURELY ATOMIC PROBABILITY SPACES WITH GEOMETRIC DISTRIBUTION E. J. IONASCU and A. A. STANCU Abstact. We ae inteested in constucting concete independent events in puely atomic pobability

More information

Berkeley Math Circle AIME Preparation March 5, 2013

Berkeley Math Circle AIME Preparation March 5, 2013 Algeba Toolkit Rules of Thumb. Make sue that you can pove all fomulas you use. This is even bette than memoizing the fomulas. Although it is best to memoize, as well. Stive fo elegant, economical methods.

More information

A Bijective Approach to the Permutational Power of a Priority Queue

A Bijective Approach to the Permutational Power of a Priority Queue A Bijective Appoach to the Pemutational Powe of a Pioity Queue Ia M. Gessel Kuang-Yeh Wang Depatment of Mathematics Bandeis Univesity Waltham, MA 02254-9110 Abstact A pioity queue tansfoms an input pemutation

More information

The Substring Search Problem

The Substring Search Problem The Substing Seach Poblem One algoithm which is used in a vaiety of applications is the family of substing seach algoithms. These algoithms allow a use to detemine if, given two chaacte stings, one is

More information

CALCULUS II Vectors. Paul Dawkins

CALCULUS II Vectors. Paul Dawkins CALCULUS II Vectos Paul Dawkins Table of Contents Peface... ii Vectos... 3 Intoduction... 3 Vectos The Basics... 4 Vecto Aithmetic... 8 Dot Poduct... 13 Coss Poduct... 21 2007 Paul Dawkins i http://tutoial.math.lama.edu/tems.aspx

More information

PROBLEM SET #1 SOLUTIONS by Robert A. DiStasio Jr.

PROBLEM SET #1 SOLUTIONS by Robert A. DiStasio Jr. POBLM S # SOLUIONS by obet A. DiStasio J. Q. he Bon-Oppenheime appoximation is the standad way of appoximating the gound state of a molecula system. Wite down the conditions that detemine the tonic and

More information

3.1 Random variables

3.1 Random variables 3 Chapte III Random Vaiables 3 Random vaiables A sample space S may be difficult to descibe if the elements of S ae not numbes discuss how we can use a ule by which an element s of S may be associated

More information

Chapter 5 Linear Equations: Basic Theory and Practice

Chapter 5 Linear Equations: Basic Theory and Practice Chapte 5 inea Equations: Basic Theoy and actice In this chapte and the next, we ae inteested in the linea algebaic equation AX = b, (5-1) whee A is an m n matix, X is an n 1 vecto to be solved fo, and

More information

MATH 220: SECOND ORDER CONSTANT COEFFICIENT PDE. We consider second order constant coefficient scalar linear PDEs on R n. These have the form

MATH 220: SECOND ORDER CONSTANT COEFFICIENT PDE. We consider second order constant coefficient scalar linear PDEs on R n. These have the form MATH 220: SECOND ORDER CONSTANT COEFFICIENT PDE ANDRAS VASY We conside second ode constant coefficient scala linea PDEs on R n. These have the fom Lu = f L = a ij xi xj + b i xi + c i whee a ij b i and

More information

Construction and Analysis of Boolean Functions of 2t + 1 Variables with Maximum Algebraic Immunity

Construction and Analysis of Boolean Functions of 2t + 1 Variables with Maximum Algebraic Immunity Constuction and Analysis of Boolean Functions of 2t + 1 Vaiables with Maximum Algebaic Immunity Na Li and Wen-Feng Qi Depatment of Applied Mathematics, Zhengzhou Infomation Engineeing Univesity, Zhengzhou,

More information

A Crash Course in (2 2) Matrices

A Crash Course in (2 2) Matrices A Cash Couse in ( ) Matices Seveal weeks woth of matix algeba in an hou (Relax, we will only stuy the simplest case, that of matices) Review topics: What is a matix (pl matices)? A matix is a ectangula

More information

Galois points on quartic surfaces

Galois points on quartic surfaces J. Math. Soc. Japan Vol. 53, No. 3, 2001 Galois points on quatic sufaces By Hisao Yoshihaa (Received Nov. 29, 1999) (Revised Ma. 30, 2000) Abstact. Let S be a smooth hypesuface in the pojective thee space

More information

ONE-POINT CODES USING PLACES OF HIGHER DEGREE

ONE-POINT CODES USING PLACES OF HIGHER DEGREE ONE-POINT CODES USING PLACES OF HIGHER DEGREE GRETCHEN L. MATTHEWS AND TODD W. MICHEL DEPARTMENT OF MATHEMATICAL SCIENCES CLEMSON UNIVERSITY CLEMSON, SC 29634-0975 U.S.A. E-MAIL: GMATTHE@CLEMSON.EDU, TMICHEL@CLEMSON.EDU

More information

10/04/18. P [P(x)] 1 negl(n).

10/04/18. P [P(x)] 1 negl(n). Mastemath, Sping 208 Into to Lattice lgs & Cypto Lectue 0 0/04/8 Lectues: D. Dadush, L. Ducas Scibe: K. de Boe Intoduction In this lectue, we will teat two main pats. Duing the fist pat we continue the

More information

QUANTUM ALGORITHMS IN ALGEBRAIC NUMBER THEORY

QUANTUM ALGORITHMS IN ALGEBRAIC NUMBER THEORY QUANTU ALGORITHS IN ALGEBRAIC NUBER THEORY SION RUBINSTEIN-SALZEDO Abstact. In this aticle, we discuss some quantum algoithms fo detemining the goup of units and the ideal class goup of a numbe field.

More information

Vanishing lines in generalized Adams spectral sequences are generic

Vanishing lines in generalized Adams spectral sequences are generic ISSN 364-0380 (on line) 465-3060 (pinted) 55 Geomety & Topology Volume 3 (999) 55 65 Published: 2 July 999 G G G G T T T G T T T G T G T GG TT G G G G GG T T T TT Vanishing lines in genealized Adams spectal

More information

THE CONE THEOREM JOEL A. TROPP. Abstract. We prove a fixed point theorem for functions which are positive with respect to a cone in a Banach space.

THE CONE THEOREM JOEL A. TROPP. Abstract. We prove a fixed point theorem for functions which are positive with respect to a cone in a Banach space. THE ONE THEOEM JOEL A. TOPP Abstact. We pove a fixed point theoem fo functions which ae positive with espect to a cone in a Banach space. 1. Definitions Definition 1. Let X be a eal Banach space. A subset

More information

6 PROBABILITY GENERATING FUNCTIONS

6 PROBABILITY GENERATING FUNCTIONS 6 PROBABILITY GENERATING FUNCTIONS Cetain deivations pesented in this couse have been somewhat heavy on algeba. Fo example, detemining the expectation of the Binomial distibution (page 5.1 tuned out to

More information

Lecture 18: Graph Isomorphisms

Lecture 18: Graph Isomorphisms INFR11102: Computational Complexity 22/11/2018 Lectue: Heng Guo Lectue 18: Gaph Isomophisms 1 An Athu-Melin potocol fo GNI Last time we gave a simple inteactive potocol fo GNI with pivate coins. We will

More information

Math 301: The Erdős-Stone-Simonovitz Theorem and Extremal Numbers for Bipartite Graphs

Math 301: The Erdős-Stone-Simonovitz Theorem and Extremal Numbers for Bipartite Graphs Math 30: The Edős-Stone-Simonovitz Theoem and Extemal Numbes fo Bipatite Gaphs May Radcliffe The Edős-Stone-Simonovitz Theoem Recall, in class we poved Tuán s Gaph Theoem, namely Theoem Tuán s Theoem Let

More information

AQI: Advanced Quantum Information Lecture 2 (Module 4): Order finding and factoring algorithms February 20, 2013

AQI: Advanced Quantum Information Lecture 2 (Module 4): Order finding and factoring algorithms February 20, 2013 AQI: Advanced Quantum Infomation Lectue 2 (Module 4): Ode finding and factoing algoithms Febuay 20, 203 Lectue: D. Mak Tame (email: m.tame@impeial.ac.uk) Intoduction In the last lectue we looked at the

More information

(n 1)n(n + 1)(n + 2) + 1 = (n 1)(n + 2)n(n + 1) + 1 = ( (n 2 + n 1) 1 )( (n 2 + n 1) + 1 ) + 1 = (n 2 + n 1) 2.

(n 1)n(n + 1)(n + 2) + 1 = (n 1)(n + 2)n(n + 1) + 1 = ( (n 2 + n 1) 1 )( (n 2 + n 1) + 1 ) + 1 = (n 2 + n 1) 2. Paabola Volume 5, Issue (017) Solutions 151 1540 Q151 Take any fou consecutive whole numbes, multiply them togethe and add 1. Make a conjectue and pove it! The esulting numbe can, fo instance, be expessed

More information

MAC Module 12 Eigenvalues and Eigenvectors

MAC Module 12 Eigenvalues and Eigenvectors MAC 23 Module 2 Eigenvalues and Eigenvectos Leaning Objectives Upon completing this module, you should be able to:. Solve the eigenvalue poblem by finding the eigenvalues and the coesponding eigenvectos

More information

Compactly Supported Radial Basis Functions

Compactly Supported Radial Basis Functions Chapte 4 Compactly Suppoted Radial Basis Functions As we saw ealie, compactly suppoted functions Φ that ae tuly stictly conditionally positive definite of ode m > do not exist The compact suppot automatically

More information

Quantum Fourier Transform

Quantum Fourier Transform Chapte 5 Quantum Fouie Tansfom Many poblems in physics and mathematics ae solved by tansfoming a poblem into some othe poblem with a known solution. Some notable examples ae Laplace tansfom, Legende tansfom,

More information

Fractional Zero Forcing via Three-color Forcing Games

Fractional Zero Forcing via Three-color Forcing Games Factional Zeo Focing via Thee-colo Focing Games Leslie Hogben Kevin F. Palmowski David E. Robeson Michael Young May 13, 2015 Abstact An -fold analogue of the positive semidefinite zeo focing pocess that

More information

2 S. Gao and M. A. Shokollahi opeations in Fq, and usually we will use the \Soft O" notation to ignoe logaithmic factos: g = O(n) ~ means that g = O(n

2 S. Gao and M. A. Shokollahi opeations in Fq, and usually we will use the \Soft O notation to ignoe logaithmic factos: g = O(n) ~ means that g = O(n Computing Roots of Polynomials ove Function Fields of Cuves Shuhong Gao 1 and M. Amin Shokollahi 2 1 Depatment of Mathematical Sciences, Clemson Univesity, Clemson, SC 29634 USA 2 Bell Labs, Rm. 2C-353,

More information

Auchmuty High School Mathematics Department Advanced Higher Notes Teacher Version

Auchmuty High School Mathematics Department Advanced Higher Notes Teacher Version The Binomial Theoem Factoials Auchmuty High School Mathematics Depatment The calculations,, 6 etc. often appea in mathematics. They ae called factoials and have been given the notation n!. e.g. 6! 6!!!!!

More information

Method for Approximating Irrational Numbers

Method for Approximating Irrational Numbers Method fo Appoximating Iational Numbes Eic Reichwein Depatment of Physics Univesity of Califonia, Santa Cuz June 6, 0 Abstact I will put foth an algoithm fo poducing inceasingly accuate ational appoximations

More information

EM Boundary Value Problems

EM Boundary Value Problems EM Bounday Value Poblems 10/ 9 11/ By Ilekta chistidi & Lee, Seung-Hyun A. Geneal Desciption : Maxwell Equations & Loentz Foce We want to find the equations of motion of chaged paticles. The way to do

More information

On decompositions of complete multipartite graphs into the union of two even cycles

On decompositions of complete multipartite graphs into the union of two even cycles On decompositions of complete multipatite gaphs into the union of two even cycles A. Su, J. Buchanan, R. C. Bunge, S. I. El-Zanati, E. Pelttai, G. Rasmuson, E. Spaks, S. Tagais Depatment of Mathematics

More information

Temporal-Difference Learning

Temporal-Difference Learning .997 Decision-Making in Lage-Scale Systems Mach 17 MIT, Sping 004 Handout #17 Lectue Note 13 1 Tempoal-Diffeence Leaning We now conside the poblem of computing an appopiate paamete, so that, given an appoximation

More information

ON SPARSELY SCHEMMEL TOTIENT NUMBERS. Colin Defant 1 Department of Mathematics, University of Florida, Gainesville, Florida

ON SPARSELY SCHEMMEL TOTIENT NUMBERS. Colin Defant 1 Department of Mathematics, University of Florida, Gainesville, Florida #A8 INTEGERS 5 (205) ON SPARSEL SCHEMMEL TOTIENT NUMBERS Colin Defant Depatment of Mathematics, Univesity of Floida, Gainesville, Floida cdefant@ufl.edu Received: 7/30/4, Revised: 2/23/4, Accepted: 4/26/5,

More information

Journal of Inequalities in Pure and Applied Mathematics

Journal of Inequalities in Pure and Applied Mathematics Jounal of Inequalities in Pue and Applied Mathematics COEFFICIENT INEQUALITY FOR A FUNCTION WHOSE DERIVATIVE HAS A POSITIVE REAL PART S. ABRAMOVICH, M. KLARIČIĆ BAKULA AND S. BANIĆ Depatment of Mathematics

More information

ANA BERRIZBEITIA, LUIS A. MEDINA, ALEXANDER C. MOLL, VICTOR H. MOLL, AND LAINE NOBLE

ANA BERRIZBEITIA, LUIS A. MEDINA, ALEXANDER C. MOLL, VICTOR H. MOLL, AND LAINE NOBLE THE p-adic VALUATION OF STIRLING NUMBERS ANA BERRIZBEITIA, LUIS A. MEDINA, ALEXANDER C. MOLL, VICTOR H. MOLL, AND LAINE NOBLE Abstact. Let p > 2 be a pime. The p-adic valuation of Stiling numbes of the

More information

arxiv: v2 [math.ag] 4 Jul 2012

arxiv: v2 [math.ag] 4 Jul 2012 SOME EXAMPLES OF VECTOR BUNDLES IN THE BASE LOCUS OF THE GENERALIZED THETA DIVISOR axiv:0707.2326v2 [math.ag] 4 Jul 2012 SEBASTIAN CASALAINA-MARTIN, TAWANDA GWENA, AND MONTSERRAT TEIXIDOR I BIGAS Abstact.

More information

working pages for Paul Richards class notes; do not copy or circulate without permission from PGR 2004/11/3 10:50

working pages for Paul Richards class notes; do not copy or circulate without permission from PGR 2004/11/3 10:50 woking pages fo Paul Richads class notes; do not copy o ciculate without pemission fom PGR 2004/11/3 10:50 CHAPTER7 Solid angle, 3D integals, Gauss s Theoem, and a Delta Function We define the solid angle,

More information

Appendix A. Appendices. A.1 ɛ ijk and cross products. Vector Operations: δ ij and ɛ ijk

Appendix A. Appendices. A.1 ɛ ijk and cross products. Vector Operations: δ ij and ɛ ijk Appendix A Appendices A1 ɛ and coss poducts A11 Vecto Opeations: δ ij and ɛ These ae some notes on the use of the antisymmetic symbol ɛ fo expessing coss poducts This is an extemely poweful tool fo manipulating

More information

Introduction Common Divisors. Discrete Mathematics Andrei Bulatov

Introduction Common Divisors. Discrete Mathematics Andrei Bulatov Intoduction Common Divisos Discete Mathematics Andei Bulatov Discete Mathematics Common Divisos 3- Pevious Lectue Integes Division, popeties of divisibility The division algoithm Repesentation of numbes

More information

arxiv: v1 [math.nt] 12 May 2017

arxiv: v1 [math.nt] 12 May 2017 SEQUENCES OF CONSECUTIVE HAPPY NUMBERS IN NEGATIVE BASES HELEN G. GRUNDMAN AND PAMELA E. HARRIS axiv:1705.04648v1 [math.nt] 12 May 2017 ABSTRACT. Fo b 2 and e 2, let S e,b : Z Z 0 be the function taking

More information

ME 210 Applied Mathematics for Mechanical Engineers

ME 210 Applied Mathematics for Mechanical Engineers Tangent and Ac Length of a Cuve The tangent to a cuve C at a point A on it is defined as the limiting position of the staight line L though A and B, as B appoaches A along the cuve as illustated in the

More information

Matrix Colorings of P 4 -sparse Graphs

Matrix Colorings of P 4 -sparse Graphs Diplomabeit Matix Coloings of P 4 -spase Gaphs Chistoph Hannnebaue Januay 23, 2010 Beteue: Pof. D. Winfied Hochstättle FenUnivesität in Hagen Fakultät fü Mathematik und Infomatik Contents Intoduction iii

More information

2-Monoid of Observables on String G

2-Monoid of Observables on String G 2-Monoid of Obsevables on Sting G Scheibe Novembe 28, 2006 Abstact Given any 2-goupoid, we can associate to it a monoidal categoy which can be thought of as the 2-monoid of obsevables of the 2-paticle

More information

Pairing Inversion via Non-degenerate Auxiliary Pairings

Pairing Inversion via Non-degenerate Auxiliary Pairings Paiing Invesion via Non-degeneate Auxiliay Paiings Seunghwan Chang 1, Hoon Hong 2, Eunjeong Lee 1, and Hyang-Sook Lee 3 1 Institute of Mathematical Sciences, Ewha Womans Univesity, Seoul, S. Koea schang@ewha.ac.k,

More information

Lecture 28: Convergence of Random Variables and Related Theorems

Lecture 28: Convergence of Random Variables and Related Theorems EE50: Pobability Foundations fo Electical Enginees July-Novembe 205 Lectue 28: Convegence of Random Vaiables and Related Theoems Lectue:. Kishna Jagannathan Scibe: Gopal, Sudhasan, Ajay, Swamy, Kolla An

More information

Classical Worm algorithms (WA)

Classical Worm algorithms (WA) Classical Wom algoithms (WA) WA was oiginally intoduced fo quantum statistical models by Pokof ev, Svistunov and Tupitsyn (997), and late genealized to classical models by Pokof ev and Svistunov (200).

More information

OLYMON. Produced by the Canadian Mathematical Society and the Department of Mathematics of the University of Toronto. Issue 9:2.

OLYMON. Produced by the Canadian Mathematical Society and the Department of Mathematics of the University of Toronto. Issue 9:2. OLYMON Poduced by the Canadian Mathematical Society and the Depatment of Mathematics of the Univesity of Toonto Please send you solution to Pofesso EJ Babeau Depatment of Mathematics Univesity of Toonto

More information

Lecture 25: Pairing Based Cryptography

Lecture 25: Pairing Based Cryptography 6.897 Special Topics in Cyptogaphy Instucto: Ran Canetti May 5, 2004 Lectue 25: Paiing Based Cyptogaphy Scibe: Ben Adida 1 Intoduction The field of Paiing Based Cyptogaphy has exploded ove the past 3 yeas

More information

Lecture 8 - Gauss s Law

Lecture 8 - Gauss s Law Lectue 8 - Gauss s Law A Puzzle... Example Calculate the potential enegy, pe ion, fo an infinite 1D ionic cystal with sepaation a; that is, a ow of equally spaced chages of magnitude e and altenating sign.

More information

Journal of Algebra 323 (2010) Contents lists available at ScienceDirect. Journal of Algebra.

Journal of Algebra 323 (2010) Contents lists available at ScienceDirect. Journal of Algebra. Jounal of Algeba 33 (00) 966 98 Contents lists available at ScienceDiect Jounal of Algeba www.elsevie.com/locate/jalgeba Paametes fo which the Lawence Kamme epesentation is educible Claie Levaillant, David

More information

of the contestants play as Falco, and 1 6

of the contestants play as Falco, and 1 6 JHMT 05 Algeba Test Solutions 4 Febuay 05. In a Supe Smash Bothes tounament, of the contestants play as Fox, 3 of the contestants play as Falco, and 6 of the contestants play as Peach. Given that thee

More information

( ) [ ] [ ] [ ] δf φ = F φ+δφ F. xdx.

( ) [ ] [ ] [ ] δf φ = F φ+δφ F. xdx. 9. LAGRANGIAN OF THE ELECTROMAGNETIC FIELD In the pevious section the Lagangian and Hamiltonian of an ensemble of point paticles was developed. This appoach is based on a qt. This discete fomulation can

More information

Math 2263 Solutions for Spring 2003 Final Exam

Math 2263 Solutions for Spring 2003 Final Exam Math 6 Solutions fo Sping Final Exam ) A staightfowad appoach to finding the tangent plane to a suface at a point ( x, y, z ) would be to expess the cuve as an explicit function z = f ( x, y ), calculate

More information

As is natural, our Aerospace Structures will be described in a Euclidean three-dimensional space R 3.

As is natural, our Aerospace Structures will be described in a Euclidean three-dimensional space R 3. Appendix A Vecto Algeba As is natual, ou Aeospace Stuctues will be descibed in a Euclidean thee-dimensional space R 3. A.1 Vectos A vecto is used to epesent quantities that have both magnitude and diection.

More information

On a generalization of Eulerian numbers

On a generalization of Eulerian numbers Notes on Numbe Theoy and Discete Mathematics Pint ISSN 1310 513, Online ISSN 367 875 Vol, 018, No 1, 16 DOI: 10756/nntdm018116- On a genealization of Euleian numbes Claudio Pita-Ruiz Facultad de Ingenieía,

More information

6 Matrix Concentration Bounds

6 Matrix Concentration Bounds 6 Matix Concentation Bounds Concentation bounds ae inequalities that bound pobabilities of deviations by a andom vaiable fom some value, often its mean. Infomally, they show the pobability that a andom

More information

On a quantity that is analogous to potential and a theorem that relates to it

On a quantity that is analogous to potential and a theorem that relates to it Su une quantité analogue au potential et su un théoème y elatif C R Acad Sci 7 (87) 34-39 On a quantity that is analogous to potential and a theoem that elates to it By R CLAUSIUS Tanslated by D H Delphenich

More information

ASTR415: Problem Set #6

ASTR415: Problem Set #6 ASTR45: Poblem Set #6 Cuan D. Muhlbege Univesity of Mayland (Dated: May 7, 27) Using existing implementations of the leapfog and Runge-Kutta methods fo solving coupled odinay diffeential equations, seveal

More information

SPECTRAL SEQUENCES: FRIEND OR FOE?

SPECTRAL SEQUENCES: FRIEND OR FOE? SPECTRAL SEQUENCES: FRIEND OR FOE? RAVI VAKIL Spectal sequences ae a poweful book-keeping tool fo poving things involving complicated commutative diagams. They wee intoduced by Leay in the 94 s at the

More information

Exceptional regular singular points of second-order ODEs. 1. Solving second-order ODEs

Exceptional regular singular points of second-order ODEs. 1. Solving second-order ODEs (May 14, 2011 Exceptional egula singula points of second-ode ODEs Paul Gaett gaett@math.umn.edu http://www.math.umn.edu/ gaett/ 1. Solving second-ode ODEs 2. Examples 3. Convegence Fobenius method fo solving

More information

MULTILAYER PERCEPTRONS

MULTILAYER PERCEPTRONS Last updated: Nov 26, 2012 MULTILAYER PERCEPTRONS Outline 2 Combining Linea Classifies Leaning Paametes Outline 3 Combining Linea Classifies Leaning Paametes Implementing Logical Relations 4 AND and OR

More information

On the Quasi-inverse of a Non-square Matrix: An Infinite Solution

On the Quasi-inverse of a Non-square Matrix: An Infinite Solution Applied Mathematical Sciences, Vol 11, 2017, no 27, 1337-1351 HIKARI Ltd, wwwm-hikaicom https://doiog/1012988/ams20177273 On the Quasi-invese of a Non-squae Matix: An Infinite Solution Ruben D Codeo J

More information

Syntactical content of nite approximations of partial algebras 1 Wiktor Bartol Inst. Matematyki, Uniw. Warszawski, Warszawa (Poland)

Syntactical content of nite approximations of partial algebras 1 Wiktor Bartol Inst. Matematyki, Uniw. Warszawski, Warszawa (Poland) Syntactical content of nite appoximations of patial algebas 1 Wikto Batol Inst. Matematyki, Uniw. Waszawski, 02-097 Waszawa (Poland) batol@mimuw.edu.pl Xavie Caicedo Dep. Matematicas, Univ. de los Andes,

More information

Chapter 2: Introduction to Implicit Equations

Chapter 2: Introduction to Implicit Equations Habeman MTH 11 Section V: Paametic and Implicit Equations Chapte : Intoduction to Implicit Equations When we descibe cuves on the coodinate plane with algebaic equations, we can define the elationship

More information

Vector d is a linear vector function of vector d when the following relationships hold:

Vector d is a linear vector function of vector d when the following relationships hold: Appendix 4 Dyadic Analysis DEFINITION ecto d is a linea vecto function of vecto d when the following elationships hold: d x = a xxd x + a xy d y + a xz d z d y = a yxd x + a yy d y + a yz d z d z = a zxd

More information

Goodness-of-fit for composite hypotheses.

Goodness-of-fit for composite hypotheses. Section 11 Goodness-of-fit fo composite hypotheses. Example. Let us conside a Matlab example. Let us geneate 50 obsevations fom N(1, 2): X=nomnd(1,2,50,1); Then, unning a chi-squaed goodness-of-fit test

More information

QIP Course 10: Quantum Factorization Algorithm (Part 3)

QIP Course 10: Quantum Factorization Algorithm (Part 3) QIP Couse 10: Quantum Factoization Algoithm (Pat 3 Ryutaoh Matsumoto Nagoya Univesity, Japan Send you comments to yutaoh.matsumoto@nagoya-u.jp Septembe 2018 @ Tokyo Tech. Matsumoto (Nagoya U. QIP Couse

More information

Math 124B February 02, 2012

Math 124B February 02, 2012 Math 24B Febuay 02, 202 Vikto Gigoyan 8 Laplace s equation: popeties We have aleady encounteed Laplace s equation in the context of stationay heat conduction and wave phenomena. Recall that in two spatial

More information

THE JEU DE TAQUIN ON THE SHIFTED RIM HOOK TABLEAUX. Jaejin Lee

THE JEU DE TAQUIN ON THE SHIFTED RIM HOOK TABLEAUX. Jaejin Lee Koean J. Math. 23 (2015), No. 3, pp. 427 438 http://dx.doi.og/10.11568/kjm.2015.23.3.427 THE JEU DE TAQUIN ON THE SHIFTED RIM HOOK TABLEAUX Jaejin Lee Abstact. The Schensted algoithm fist descibed by Robinson

More information

Do Managers Do Good With Other People s Money? Online Appendix

Do Managers Do Good With Other People s Money? Online Appendix Do Manages Do Good With Othe People s Money? Online Appendix Ing-Haw Cheng Haison Hong Kelly Shue Abstact This is the Online Appendix fo Cheng, Hong and Shue 2013) containing details of the model. Datmouth

More information

Relating Branching Program Size and. Formula Size over the Full Binary Basis. FB Informatik, LS II, Univ. Dortmund, Dortmund, Germany

Relating Branching Program Size and. Formula Size over the Full Binary Basis. FB Informatik, LS II, Univ. Dortmund, Dortmund, Germany Relating Banching Pogam Size and omula Size ove the ull Binay Basis Matin Saueho y Ingo Wegene y Ralph Wechne z y B Infomatik, LS II, Univ. Dotmund, 44 Dotmund, Gemany z ankfut, Gemany sauehof/wegene@ls.cs.uni-dotmund.de

More information

A STUDY OF HAMMING CODES AS ERROR CORRECTING CODES

A STUDY OF HAMMING CODES AS ERROR CORRECTING CODES AGU Intenational Jounal of Science and Technology A STUDY OF HAMMING CODES AS ERROR CORRECTING CODES Ritu Ahuja Depatment of Mathematics Khalsa College fo Women, Civil Lines, Ludhiana-141001, Punjab, (India)

More information

Geometry of the homogeneous and isotropic spaces

Geometry of the homogeneous and isotropic spaces Geomety of the homogeneous and isotopic spaces H. Sonoda Septembe 2000; last evised Octobe 2009 Abstact We summaize the aspects of the geomety of the homogeneous and isotopic spaces which ae most elevant

More information

A Relativistic Electron in a Coulomb Potential

A Relativistic Electron in a Coulomb Potential A Relativistic Electon in a Coulomb Potential Alfed Whitehead Physics 518, Fall 009 The Poblem Solve the Diac Equation fo an electon in a Coulomb potential. Identify the conseved quantum numbes. Specify

More information

3D-Central Force Problems I

3D-Central Force Problems I 5.73 Lectue #1 1-1 Roadmap 1. define adial momentum 3D-Cental Foce Poblems I Read: C-TDL, pages 643-660 fo next lectue. All -Body, 3-D poblems can be educed to * a -D angula pat that is exactly and univesally

More information

Supplementary information Efficient Enumeration of Monocyclic Chemical Graphs with Given Path Frequencies

Supplementary information Efficient Enumeration of Monocyclic Chemical Graphs with Given Path Frequencies Supplementay infomation Efficient Enumeation of Monocyclic Chemical Gaphs with Given Path Fequencies Masaki Suzuki, Hioshi Nagamochi Gaduate School of Infomatics, Kyoto Univesity {m suzuki,nag}@amp.i.kyoto-u.ac.jp

More information

Information Retrieval Advanced IR models. Luca Bondi

Information Retrieval Advanced IR models. Luca Bondi Advanced IR models Luca Bondi Advanced IR models 2 (LSI) Pobabilistic Latent Semantic Analysis (plsa) Vecto Space Model 3 Stating point: Vecto Space Model Documents and queies epesented as vectos in the

More information

Quasi-Randomness and the Distribution of Copies of a Fixed Graph

Quasi-Randomness and the Distribution of Copies of a Fixed Graph Quasi-Randomness and the Distibution of Copies of a Fixed Gaph Asaf Shapia Abstact We show that if a gaph G has the popety that all subsets of vetices of size n/4 contain the coect numbe of tiangles one

More information

7.2. Coulomb s Law. The Electric Force

7.2. Coulomb s Law. The Electric Force Coulomb s aw Recall that chaged objects attact some objects and epel othes at a distance, without making any contact with those objects Electic foce,, o the foce acting between two chaged objects, is somewhat

More information

MASSACHUSETTS INSTITUTE OF TECHNOLOGY Physics Department Physics 8.07: Electromagnetism II September 15, 2012 Prof. Alan Guth PROBLEM SET 2

MASSACHUSETTS INSTITUTE OF TECHNOLOGY Physics Department Physics 8.07: Electromagnetism II September 15, 2012 Prof. Alan Guth PROBLEM SET 2 MASSACHUSETTS INSTITUTE OF TECHNOLOGY Physics Depatment Physics 8.07: Electomagnetism II Septembe 5, 202 Pof. Alan Guth PROBLEM SET 2 DUE DATE: Monday, Septembe 24, 202. Eithe hand it in at the lectue,

More information

We give improved upper bounds for the number of primitive solutions of the Thue inequality

We give improved upper bounds for the number of primitive solutions of the Thue inequality NUMBER OF SOLUTIONS OF CUBIC THUE INEQUALITIES WITH POSITIVE DISCRIMINANT N SARADHA AND DIVYUM SHARMA Abstact Let F(X, Y) be an ieducible binay cubic fom with intege coefficients and positive disciminant

More information

Surveillance Points in High Dimensional Spaces

Surveillance Points in High Dimensional Spaces Société de Calcul Mathématique SA Tools fo decision help since 995 Suveillance Points in High Dimensional Spaces by Benad Beauzamy Januay 06 Abstact Let us conside any compute softwae, elying upon a lage

More information

Mathematics 7800 Quantum Kitchen Sink Spring 2002

Mathematics 7800 Quantum Kitchen Sink Spring 2002 Mathematics 7800 Quantum Kitchen Sink Sping 2002 5. Vecto Bundles on a Smooth Cuve. We will constuct pojective moduli spaces fo semistable vecto bundles on a smooth pojective cuve C by applying GIT to

More information

Section 8.2 Polar Coordinates

Section 8.2 Polar Coordinates Section 8. Pola Coodinates 467 Section 8. Pola Coodinates The coodinate system we ae most familia with is called the Catesian coodinate system, a ectangula plane divided into fou quadants by the hoizontal

More information

Upper Bounds for Tura n Numbers. Alexander Sidorenko

Upper Bounds for Tura n Numbers. Alexander Sidorenko jounal of combinatoial theoy, Seies A 77, 134147 (1997) aticle no. TA962739 Uppe Bounds fo Tua n Numbes Alexande Sidoenko Couant Institute of Mathematical Sciences, New Yok Univesity, 251 Mece Steet, New

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback