Application of Explicit Hilbert s Pairing to Constructive Class Field Theory and Cryptography

Size: px

Start display at page:

Download "Application of Explicit Hilbert s Pairing to Constructive Class Field Theory and Cryptography"

Kristian Wilkerson
6 years ago
Views:

1 Applied Mathematical Sciences, Vol. 10, 2016, no. 45, HIKARI Ltd, Application of Explicit Hilbert s Pairing to Constructive Class Field Theory and Cryptography S.V. Vostokov, O.Yu. Podkopaeva and K.V. Ratko St. Petersburg State University Universitetskaya nab., 7-9, St. Petersburg, Russia Copyright c 2016 S.V. Vostokov, O.Yu. Podkopaeva and K.V. Ratko. This article is distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Abstract In the present paper, we apply the explicit formula for Hilbert s pairing suggested by S.V. Vostokov in the late 1970s to class field theory and cryptography. We give an explicit construction of the norm group of a radical extension of a local field F. We also suggest a new public key cryptographic protocol based on the explicit Hilbert pairing. Mathematics Subject Classification: 12J10 Keywords: Hilbert pairing, local field, class group, public key protocol 1 Introduction In the 1985 N. Koblitz and V. Miller independently (see [2] and bibliography therein) inspired by Lenstra s factoring algorithm based on elliptic curves constructed a completely new Diffie-Hellman type protocols using the group of points of an elliptic curve defined over a finite field rather than the multiplicative group of a finite field. Since seminal works of N. Koblitz and V. Miller, more and more pairing-based cryptosystems have been invented. Some time earlier, I.R. Shafarevich, S.V. Vostokov, and H.Brückner initiated the study of explicit constructions in the classical class field theory, which led, above other things, to explicit formulas for Hilbert s pairing [3]. This research direction was further developed by S.V. Vostokov in the 1980s. In section 1 of the present

2 2206 S.V. Vostokov, O.Yu. Podkopaeva and K.V. Ratko paper, we give an explicit formula for Hilbert s pairing and list its basic properties needed in the sequel. In section 2, we apply the explicit Hilbert pairing to class field theory. In section 3, we give an explicit construction of the norm group of a radical extension of a local field F for a given set of generators of an open subgroup of finite index in the multiplicative group of a one-dimensional local field F with finite residue field of characteristic p > 0. In Sec. 4, we apply the explicit Hilbert s pairing to public key cryptography. We suggest an identity-based encryption protocol based on the explicit Hilbert pairing. 2 Hilbert symbol in a one-dimensional local field 2.1 Notation Let F be a local field (a finite extension of Q p ), π a prime element in F, a maximal ideal of the ring of integers in F, R the system of multiplicative representatives in F, U F the group of units in F, U 1 the subgroup of principal units in U F, T the inertia subfield in F, O := O T the ring of integers in T, tr the trace operator in the extension T/Q p, ζ := ζ p n a primitive p n th root of unity in F, e the ramification index of F, e e m =, 1 m n, p m 1 (p 1) U = 1 + XZ p [[X]], Eis(X) = ((1+X)p 1), X p the Frobenius operator on the ring O((X)), f = m a m X m m a σ mx pm, where σ is the Frobenius automorphism in O, R = O T [[X]] o the ideal of series with zero constant term (additive Z p - module), µ m the group of mth roots of unity.

3 Application of explicit Hilbert s pairing The definition and basic properties of the Hilbert symbol Let F contain µ m. For each α F, we denote by σ α the corresponding automorphism of the maximal Abelian extension of F, given by local class field theory. The Hilbert symbol is the pairing defined by the formula (, ) m : F F µ m (α, β) = m β σα 1, (see [1]). We list the basic properties of the Hilbert symbol. 1. Bilinearity (α 1 α 2, β) = (α 1, β)(α 2, β), (α, β 1 β 2 ) = (α, β 1 )(α, β 2 ) 2. Skew-symmetry (α, β) = (β, α) 1 3. Norm property { α is a norm in F ( m β)/f (α, β) = 1 β is a norm in F ( m α)/f. (1) 4. Independence in each argument. Namely, let Eis(X) be an irreducible Eisenstein s polynomial of degree p 1, Eis(X) = ((1 + X)p 1) X p, and let r(x) be the remainder upon dividing f(x) 1 by the polynomial u(x). Then < f(x), g(x) >=< r(x), g(x) >. (2) 2.3 Explicit form of the Hilbert symbol For all f R and g 1 + R, we define the Artin Hasse function and the Vostokov function (see [4, Sec.1]), ( E(f) = exp 1 + ) p + 2 p +... (f), l(g) = 1 2 p log gp. It can be proved (see [3, Proposition 1]) that the functions l and E are inverse isomorphisms between Z p -module R and multiplicative Z p -module 1 + R, i.e., l(e(f)) = f and E(l(g)) = g.

4 2208 S.V. Vostokov, O.Yu. Podkopaeva and K.V. Ratko For an element α F, we denote by α(x) an element of O((X)) such that α(π) = α. Let s(x) = ζ pn 1. It is easy to prove the following two statements. Proposition 1. Let f(x) XO[[X]] and f(x) = a m X m Then l(1 + f(x)) a m X m (mod deg(m + 1)). Proposition 2. Let ζ n = 1 + cπ en + c 1 π en , where c, c i O. Then 1/s(X) satisfies the congruence 1/s(X) c 1 X pe 1 (mod po{{x}}), (3) where O{{X}} = { a ix i i, a i 0}. Now, we define a bilinear pairing γ α,β : F F Z p. Let α = π a θε and β = π b θ η be elements of F, where θ, θ R, and ε, η U 1. We choose α(x) in the form X a θε(x), where ε(x) X=π = ε. In the same way, we define β(x) and η(x) for β. Let p 2. We put where γ α,β = res X Φ α,β (X)/s(X), (4) Φ(α, β) = l(ε) d l(η) d l(ε)β 1 dx dx β + d l(η)α 1 dx α. It can be proved (see [3, Secs. 2 and 3]) that the pairing γ α,β is bilinear, skewsymmetric (mod p n ), and does not dependent (mod p n ) on the choice of a prime element π. Moreover, < α, β > n = tr γ α,β (5) does not depend (mod p n ) on the choice of expansions of the elements α, β, and ζ in power series in π and has the following norm property: < α, β > m = 1 { α is a norm in F ( m β)/f β is a norm in F ( m α)/f In addition, for the Hilbert symbol we have an explicit formula (α, β) n = ζ trγ α,β = ζ <α,β>n.

5 Application of explicit Hilbert s pairing The class group of a cyclic p n -extension of a one-dimensional local field 3.1 Generators of cyclic p n -extensions In this section, we study generators of a cyclic extension F ( pn α), where F is a local field and α F. Lemma 1. Let L = F ( pn α) be a cyclic extension of degree p n. Let β F be such that β is a generator of the cyclic group F /Nm L/F L. Let α 1, α 2, and β 1 be elements of F such that α = α 1 α p 2 and (α 1, β 1 ) = ζ. Then β 1 is also a generator of F /Nm L/F L. Proof. We have (α, β 1 ) = (α 1, β 1 )(α p 2, β 1 ) = ζ 1+pk for some k. Therefore, (α, β 1 ) = (α, β 1+pk ) since (α, β) = ζ. Consequently, (α, β 1+pk β 1 1 ) = 1, and, by the norm property of the Hilbert symbol, we have β 1 β (1+pk) = Nm L/F γ, γ F, which implies that β 1 = β 1+pk Nm L/F γ, i.e., the elements β 1 and β 1+pk of F /Nm L/F L coincide. Therefore, β 1 also generates the factor group. Corollary 1. To find a generator of the group F /Nm L/F L, where L = F ( pn α), it is sufficient to consider the element α modulo F p. An element ω F is called p n -primary if the extension F ( pn ω)/f is unramified. In [4, Sec.4] it is proved that p n -primary elements have the form and ω(a) = E(as(X)) X=π, a O, Moreover, the following congruence is valid: (π, ω(a)) = ζ tr a (6) ω(a) 1 + cπ pe 1 (mod π pe 1+1 ). (7) Lemma 2. a) If α π a ε (mod F p ), (a, p) = 1, and ε is a principal unit, then there is a prime element τ in F such that F ( pn α) = F ( p n τ). b) If α 1 + aπ pe 1 (mod π pe 1+1 ), a O, then α ω(ac 1 ) (mod F p ), where the element c is from (7). c) If α ε (mod F p ) and ε = 1 + aπ u +..., where (p, au) = 1, 1 u < pe 1, then there is a prime element τ in F such that α 1 + aτ u (mod F p ).

6 2210 S.V. Vostokov, O.Yu. Podkopaeva and K.V. Ratko Proof. a) For any integer b prime to p, we have F ( pn α) = F ( p n αb ). Since (a, p) = 1, there is a b such that ab 1 (mod p n ). Consequently, where τ = πε b. b) Follows from (3) and (7). c) By assumption, we have F ( pn α) = F ( p n αb ) = F ( pn πεb ) = F ( pn τ), ε = 1 + aπ u +... = 1 + aπ u (1 + c 1 c 1 π +...) = 1 + aηπ u, where η = 1 + c 1 c 1 π +... U 1. Since the group of principal units U 1 is the m divisible for all m prime to p, there exists an η 1 U 1 such that η u 1 = η. It follows that ε = 1 + c(πη 1 ) u = 1 + cτ u (mod F p ), where τ = πη Generators of the class group of a cyclic p n -extension of a one-dimensional local field In this section, we prove the main result of the paper. Namely, we find an explicit form of a generator of the class group of a radical p n -extension. Theorem 1. Let L = F ( pn α), where α F, be a cyclic extension of degree p n. a) If α τ (mod F p ), then p n -primary element ω(a) with tr a 0 (mod p) is a generator of F /Nm L/F L. b) If α ω(a) (mod F p ), then any prime element π of F is a generator of F /Nm L/F L. c) If α 1 + aπ u (mod F p ), where (p, au) = 1 and 1 u < pe 1, then the element β = 1 + bπ v, where u + v = pe 1 and tr ab 1 (mod p) is a generator of F /Nm L/F L. Proof. a) and b) follow from (6) and Lemma 2. To prove c), we use formula (4) for the Hilbert symbol. We obtain Φ(α, β) = l(1 + bx v )d log(1 + ax u ) l(1 + ax u )d p log(1 + bxv ). By Proposition 1, we have Φ(α, β) ab X u+v 1 = ab X pe 1 1 (mod deg(pe 1 + 1)). (8)

7 Application of explicit Hilbert s pairing 2211 Since u + v = pe 1, congruences (3) and (8) imply Φ(α, β)/s(x) abc 1 X 1 (mod po{{x}}). Consequently, res X Φ(α, β)/s(x) abc 1 (mod p) and < α, β >= tr res Φ(α, β)/s = tr (ab/c) 1 (mod p). As a result, we see that < α, β > n 1 (mod p) and (α, β) = ζ 1+pk is a primitive p n th root of unity. From the norm property of the Hilbert symbol (1), it follow that β is a generator of the class group of F ( pn α) if and only if (α, β) = ζ, where ζ is a primitive p n th root of unity. This proves the theorem. 4 Protocol authentication without disclosure In this section, we use the explicit reciprocity law to describe a variant of a cryptographic protocol. The proof of security of the protocol under consideration is based on the non-polynomial complexity of the discrete logarithm problem in the ring of polynomials with integer coefficients. 4.1 Protocol of parameters and participants The participants of the protocol are Alice A and a verifier V. Both participants know a number s, a polynomial Eis(X), and a polynomial F (X) from the group U(x). Alice knows a secret polynomial a(x) U(X) such that < F (x), a(x) > 0. According to the classical problem of a protocol authentication without disclosure, Alice should be able to prove to the verifier that she knows the secret polynomial a(x) without disclosing it. To verify that Alice knows the secret polynomial a(x), the verifier uses the polynomial A(X) : A(X) = a(x) s mod Eis(X). 4.2 The protocol choreography 1. Alice chooses a random polynomial r(x) :< r(x), F (x) > 0 and calculates the polynomial R(X) = r(x) s mod Eis(X). 2. Alice transmits the value R(x) to the verifier. 3. V verifies < R(x), F (x) > 0 and can ask A one of the following questions:

8 2212 S.V. Vostokov, O.Yu. Podkopaeva and K.V. Ratko A must tell V the polynomial z(x) : s < z(x), F (X) > + < F (X), R(X) >= 0, A must tell V the polynomial y(x) : s < y(x), F (X) > + < F (X), R(X)A(X) >= To answer the first question, A uses the knowledge of the random polynomial r(x) and forms the polynomial z(x) = r(x); to answer the second question, A uses the knowledge of the secret polynomial a(x) and calculates the polynomial y(x) = r(x)a(x) mod Eis(X). 5. V makes sure that the answer of A is correct: for the answer to the first question, s < z(x), F (X) > + < F (X), R(X) > = s < r(x), F (X) > +s < F (X), r(x) >= 0 for the answer to the second question, s < y(x), F (X) > + < F (X), R(X)A(X) > = s < r(x)a(x), F (X) > +s < F (X), r(x)a(x) >= 0. The steps listed above are performed until the verifier makes sure that Alice knows the secret polynomial a(x). All properties of the protocol correspond completely to the classical protocol of authentication without disclosure. Acknowledgements. The work has been supported by the Russian Foundation for Basic Research (grant no ) and by the Russian Federation Government (grant no.14.z ) References [1] I.B. Fesenko and S.V. Vostokov, Local Fields and Their Extensions, The 2nd Edition, American Math Society, Translations of Math Monographs Vol. 121, [2] A.H. Koblitz, N. Koblitz and A. Menezes, Elliptic curve cryptography: the serpentine course of a paradigm shift, Journal of Number Theory, 131 (2011), [3] S.V. Vostokov, Explicit form of the reciprocity law, Izvestiya Acad. of Science USSR, Math., 42 (1978), no. 6,

9 Application of explicit Hilbert s pairing 2213 [4] S.V. Vostokov, Hilbert symbol in a discrete valuated field, Journal of Soviet Mathematics, 19 (1982), no. 1, Received: April 29, 2016; Published: July 6, 2016

Explicit Formulas for Hilbert Pairings on Formal Groups

CHAPTER 8 Explicit Formulas for Hilbert Pairings on Formal Groups The method of the previous chapter possesses a valuable property: it can be relatively easily applied to derive explicit formulas for various