Weil pairing. Algant: Regensburg and Leiden Elliptic curves and Weil conjectures seminar, Regensburg. Wednesday 22 nd June, 2016.

Transcription

1 Weil pairing Jana Sotáková Algant: Regensburg and Leiden Elliptic curves and Weil conjectures seminar, Regensburg Wednesday 22 nd June, 2016 Abstract In this talk we are mainly invested in constructing the Weil pairing on N-torsion of elliptic curves and show that it extends to an l-adic Weil pairing on the l-adic Tate module. We start with defining the Weil pairing following Silverman and deducing some of its fundamental properties. After we extend this pairing to the l-adic Tate module and discuss some applications to cryptography. 1 Motivation Let E be an elliptic curve over K and let E[m] denote the m-torsion of E. In the following we will construct a bilinear map e m : E[m] E[m] µ m and show that this map is a non-degenerate alternating Galois-invariant (self)-pairing on the m-torsion with values in m-th roots of unity (as elements in K). The Weil pairing is a powerful tool in studying elliptic curves and so we note some of its seminal properties: the compatibility of the pairing if we change the torsion level, the surjectivity of the pairing in the following sense: there exist two points P, Q E[m] with e m (P, Q) ζ m a m-th root of unity. Moreover, we show that taking the Weil pairing works well with isogenies as well: the dual isogeny is the adjoint for the Weil pairing. By letting m vary over all powers l n of some fixed prime number l, we can construct the l-adic Weil pairing on the Tate module T l (E) retaining the important properties of the Weil pairing. 2 Elliptic curves and divisors Let K be a field and let E/K be an elliptic curve defined over K, that is, a non-singular genus 1 projective curve with a given K-point O E : O. Note that a projective curve is a one-dimensional projective variety, in our case contained in P 2 (K). Without loss of too much of generality we can think of curves as of triples of elements satisfying a given homogeneous equation with only (0, 0, 0) a possible singular point. An elliptic curve is then given by a cubic homogeneous equation and after a suitable projective change of coordinates, the selected point can be taken to be the point at infinity, that is, the point O (0 : 1 : 0) (in projective coordinates). We briefly recall what we (need to) know about an elliptic curve E defined over a field K: the set of L-points for any field extension L/K is denoted by E(L), set of functions on E, denoted by K(E) for rational functions defined over K and K(E) for rational functions defined over K, the divisor group Div(E) P E Z[P ] the free group on the points of E(K), 1

2 divisors of functions, that is, a map assigning to any non-zero function f K(E) its divisor div f Div 0 (E) is a degree zero divisor on E, the point representatives appearing with positive coefficients are the zeroes of f, the point representatives appearing with negative coefficients are the poles of f, from the degree zero divisor group we can form the Picard group Pic 0 (E) Div 0 (E)/ for the equivalence given by D D D D div f for some f K(E) elliptic curves carry a group law that is commutative with neutral element O, this structure depends on the selected point O, the group law is noncanonically isomorphic to that of the Picard group via P E(K) [P ] [O] Pic 0 (E) maps between curves, that is, rational morphisms of projective varieties φ : E E, but we are mainly interested in maps fixing the special point O: these maps are the so-called isogenies, surjective (unless trivial) and preserve the group law, with a map of curves φ : E E, we can pullback functions on E to functions on E by simply precomposing with the map: that is, f K(E ) φ (f) f φ K(E), with a map φ : E E, we can pullback the divisors on E : this is defined as the linear extension of the map [Q] Div(E ) e φ (P ) [P ] Div(E) P φ 1 (Q) for the ramification index e φ (P ) of φ at P, for most maps we will consider (such as the isogeny [m], which is the multiplication by m on E) this index is 1 for all points P, it is easy to check that for all f K(E ) we have φ (div f) div(φ (f)) div(f φ) kernel of an isogeny is always a finite subgroup of E, for any isogeny φ : E E there exists the dual isogeny ˆφ : E E given by the following composition ˆφ : E Pic 0 (E φ ) Pic 0 (E) E elliptic curves have genus 1 and the theorem of Riemann-Roch now tells us that any non-constant function has at least two poles. The main theorem on the group law The fundamental theorem on the relation of the group law on the elliptic curve and the group law of its divisors, is the following: Theorem (Group law). Let D P n p[p ] be a divisor on E of degree 0, that is, P n P 0. Then D 0, that is, D is a principal divisors, if and only if np P O on E Proof. For proof, see Corollary III.3.5 of [1]. Moment of Zen. We call this theorem the group law as the tangent-chord law gives the sum of two points as follows: take a line passing through the two points P, Q and take R the third point of intersection with E and reflect along the x-axis. From the theorem we can easily deduce that if we take a projective line, which intersects our cubic in three points by Bezout, so we get three points summing to zero: P +Q+R O. To obtain the geometric sum of the two, we only need the horizontal line passing through R and the point at infinity that passes through the third point S and compute S R P + Q. 2

3 3 Weil pairing Now we discuss the classical version of the Weil pairing, following Silverman. Remember that we want to construct a pairing e m : E[m] E[m] µ m (S, T ) e m (S, T ) Let m N with gcd(m, char K) 1 if char K > 0 and let T E[m] be any m-torsion point. As mt mo O on E, we have that the divisor m[t ] m[o] is principal and thus there exists a function f K(E) with div f m[t ] m[o]. As addition of points is given by rational formulae, it is easy to see that for any point P on E there exists some point P E(K) such that mp P This can also be seen invoking that the multiplication by m map [m] : E E is a nonconstant isogeny and thus is surjective. So let T be any preimage of T under the isogeny [m], that is, [m]t T. Then if we look at the divisor [m] [T ] [m] [O], remembering that [m] is unramified under our hypotheses, we get that [m] ([T ] [O]) e [m] (P )[P ] e [m] (P )[P ] [T + R] [R] P [m] 1 (T ) P [m] 1 (0) If we evaluate the points of the right hand side divisor we get the following (T + R) (R) T m 2 T mt O (as #E[m] m 2 ), so there is a function g K(E) with div g [m] ([T ] [O]). But because the pullback of divisors is linear we immediately get that div f [m] m div g and thus we can normalise f so that f [m] g m Weil pairing So making use of the function g K(E) that we constructed just now, we can define the Weil pairing as follows: for any S E[m] we take X E an arbitrary point such that Supp div g {[X + S], [X]}. Then we have (S is m-torsion) And thus we set to be the Weil pairing of the points S, T. g(x + S) m f([m]x + [m]s) f([m]x) g(x) m e m (S, T ) g(x + S)/g(X) µ m K Now we prove some important properties of the Weil pairing. 3

4 ℵ) Weil pairing is... well-defined We need to check that the Weil pairing does not change if we use a different function g or a different point X to define it. But the function g is uniquely determined by its divisor, so any other such g differs from g by multiplication by a constant; this cleary does not affect the quotient e m (S, T ) g(x + S)/g(X). To argue that the pairing is independent of the choice of an (admissible) X, we argue as follows: certainly g(x + S) m g(x) m on a Zariski open subset of E(K), so we have the equality as rational functions, thus we can take the m-th roots and have the pairing defined uniquely by properties of rational maps. a) Weil pairing is... bilinear That is, e m (S 1 + S 2, T ) e m (S 1, T )e m (S 2, T ) and e m (S, T 1 + T 2 ) e m (S, T 1 )e m (S, T 2 ) for any S 1, S 2, T 1, T 2 E[m]. Indeed, for the first variable the bilinearity is easy: e m (S 1 + S 2, T ) g(x + S 1 + S 2 ) g(x) g(x + S 1 + S 2 ) g(x + S 1 ) e m (S 1, T )e m (S 2, T ) g(x + S 1 ) g(x) For the second variable, we need to check the corresponding equality for the defining functions. Let f, g be the functions corresponding to T 1 + T 2 and f i, g i the functions corresponding to T i for i 1, 2. For divisors, we have that div g [m] ([T 1 + T 2 ] [O]) and also div g i [m] ([T i ] [O]) and that div f m[t 1 + T 2 ] m[o] and div f i m[t i ] m[o]. Now, compute div f f 1 f 2 div f div f 1 div f 2 m([t 1 + T 2 ] [O]) m([t 1 ] m[o]) m([t 2 ] m[o]) m([t 1 + T 2 ] [T 1 ] [T 2 ] + [O]) As [T 1 + T 2 ] [T 1 ] [T 2 ] + [O] is a degree 0 divisor and (T 1 + T 2 ) (T 1 ) (T 2 ) + (O) O on E, there exists a function h with div h [T 1 + T 2 ] [T 1 ] [T 2 ] + [O] and by possibly multiplying by a suitable constant we may assume that f f 1 f 2 h m Precomposing with the isogeny [m], we obtain the following: ( ) f (h [m]) m h m f [m] [m] [m] f 1 f 2 f 1 [m] f 2 [m] gm g1 m gm 2 and by taking m-th roots we get that for some constant c K we have g cg 1 g 2 (h [m]) Now we are ready to compute the Weil pairing of the points S, T 1 + T 2 : for a suitable X, we have g(x + S) e m (S, T 1 + T 2 ) cg 1(X + S)g 2 (X + S)(h [m])(x + S) g(x) cg 1 (X)g 2 (X)(h [m])(x) g 1(X + S)g 2 (X + S)h(mX + ms) g 1 (X)g 2 (X)h(mX) e m (S, T 1 ) e m (S, T 2 ) g 1(X + S)g 2 (X + S) g 1 (X)g 2 (X) as S E[m]. So the Weil pairing is bilinear also in the second argument. 4

5 b) Weil pairing is... alternating That is, e m (T, T ) 1. Note that this implies that e m (S, T ) e m (T, S) 1 as 1 e m (S + T, S + T ) e m (S, S)e m (S, T )e m (T, S)e m (T, T ) e m (S, T )e m (T, S), invoking the usual alternating sign definition of alternating bilinear maps. To show that e m (T, T ) 1, we make use of the translation by P map τ P. Recall that div g [m] ([T ] [O]) [T + R] [R]. Therefore, div g τ [i]t [T + R + (i)t ] [R + (i)t ] And if we set G m 1 i0 g τ [i]t and compute its divisor m 1 div G i0 [R + (i + 1)T ] [R + (i)t ] [R + mt ] [R] i0 [R + T ] [R] 0 [R + (i + 1)T ] [R + (i)t ] m 1 [R + (i + 1)T ] [R + (i)t ] as T E[m], so we see that G is constant as the only function in K(E) with zero divisors are constants. So we only need to compare G(X) G(X T ) and thus get m 1 G(X) g(x [i]t ) i0 m 1 G(X T ) g(x T [i]t ) i0 m 1 i0 g(x [i + 1]T ) and by cancelling the corresponding terms in each of these products we get the equality that g(x) g(x [(m 1) + 1]T ) g(x mt ) g(x T ) for any admissible X. So, evaluating at X : X T, we get that the Weil pairing is alternating. e m (T, T ) g((x T ) + T )/g(x T ) g(x)/g(x T ) 1 c) Weil pairing is... non-degenerate That is, for any T E[m] there exists S E[m] such that e m (S, T ) 1. Suppose otherwise: then g(x) g(x + S) for any S E[m] ker[m]. Remember that for isogenies, we had this important theorem in Galois theory of function fields (see [1], III.4.10 (b)). 5

6 Theorem (Kernel of isogeny gives automorphism of function fields). Let φ : E E be an isogeny. Then there is a bijection between ker φ Aut(K(E )/φ (K(E))) given by T τ T the translation by T. Thus, as g is fixed by translations by all the elements of E[m] (and here we are tacitly using that it is fixed on Zariski dense subset of E as we can only evaluate g at points X such that both X and X + S do not lie in Supp div g), we have that g [m] K(E) and thus there exists a function h with g [m] (h) h [m] But then we also have that g m (h [m]) m f [m] and so looking at divisors we get div f m[t ] m[o] m div h But there is no such function: E is assumed to be an elliptic curve and thus has genus 1 and there is no function with only one pole on a genus 1 curve by Riemann Roch. So e m is non-degenerate. d) Weil pairing is... Galois-invariant For S, T E[m] and for σ Gal(K/K) we have e m (S σ, T σ ) e m (S, T ) σ It is clear that if g is the function with divisor div g [m] ([T ] [O]), then g σ has divisor div g σ [m] ([T σ ] [O]), so it can be used to compute the Weil pairing e m (, T σ ) and thus ( ) σ e m (S σ, T σ ) gσ (X + S σ ) g(x σ 1 + S) g σ (e m (S, T )) σ (X) g(x σ 1 ) e) Weil pairing is... compatible That is, if we have S E[mn] and T E[m], then clearly T E[mn] and the Weil pairing satisfies e mn (S, T ) e m ([n]s, T ) Now, if div f m([t ] [O]), then div f n mn([t ] [O]). Take g with div g [m] ([T ] [O]). Then we need to find a function h with h mn f n [mn] [mn] (f n ) [n] ([m] (f n )) [n] ((f [m]) n ) [n] (g m ) n [n] (g mn ) (g [n]) mn So it suffices to take h g [n] and compute the Weil pairings e mn (S, T ) h(x + S) h(x) (g [n])(x + S) (g [n])(x) g(nx + ns) g(nx) e m ([n]s, T ) f) Weil pairing is... surjective onto µ m That is, there exist two points S, T E[m] such that e m (S, T ) ζ m an m-th root of unity. Indeed, suppose it were not the case, suppose that the image of all e m (S, T ) generates a proper subgroup µ d µ m. Then we have for all S, T E[m] that 1 e m (S, T ) d e m (S, [d]t ). But nondegeneracy then implies that [d]t O for all T E[m]. But we do know what under our hypotheses (m coprime to the characteristic of K if the latter is positive) we have that, as abstract groups, E[m] Z/mZ Z/mZ, the latter is a group of exponent m. So d m. 6

7 g) Weil pairing is... defined over the same field as the m-torsion That is, if E[m] E(L), we have µ m L. Indeed, this follows directly from the Galois invariance property. Take S, T E[m] with e m (S, T ) ζ m. Then we know that know that ζ m e m (S, T ) K and that for any σ Gal(K/L) we have that ζ σ m e m (S, T ) σ e m (S σ, T σ ) e m (S, T ) ζ m as we suppose that S, T are L-points. So µ m L by Galois theory. Moment of Zen. A case of particular interest is if the elliptic curve is defined over a finite field F q. Then E[m] E(F q ) implies m q 1. Moreover, it is easy to see that if E is defined over F q and k is the smallest positive integer with m q k 1, then µ m F q k. h) Weil pairing... is easy if we know a basis for E[m] Suppose that P, Q E[m] are such that any element S E[m] can be written as S ap + bq for some 0 a, b < m. Write T cp + dq. Then we have e m (S, T ) e m (ap + bq, cp + dq) e m (P, Q) ad bc and so necessarily e m (P, Q) ζ m and the pairing is given simply by exponentiation to the determinant of the coordinate matrix obtained by writing the points S, T in basis P, Q. Moment of Zen. Note that all the defining properties determine the Weil pairing uniquely and it is immediate to show that the Weil pairing given by the exponentiation of the determinant ad bc does satisfy all the conditions. While finding the basis of m-torsion is rather difficult, computing the Weil pairing via functions determined by divisors is relatively easy and computationally efficient. i) Weil pairing is... an adjunction for isogenines That is, let φ : E E be an isogeny and let ˆφ be its dual isogeny. Denote e m, e m the Weil pairings at E[m] and E [m], respectively. Then we have for S E[m] and T E [m] the following adjunction relation: e m (S, ˆφ(T )) e m(φ(s), T ) It is easy to prove this once we remember that we have an explicit description of the dual isogeny using the isomorphisms of elliptic curves and their Picard groups: ˆφ : E Pic 0 (E ) φ Pic 0 (E) E with the middle isomorphism induced by the map [Q] P φ 1 (Q) e φ(p )[P ]. Now take function f, g defining the Weil pairing for T E [m], say e m(φ(s), T ) g(x + φ(s))/g(x) for a function g K(E ) with div g [m] ([T ] [O E ]). Now we need to convince ourselves that (φ) ([T ] [O E ]) [ ˆφ(T )] [O E ] + div h for some function h K(E): it is immediate from the definition of ˆφ that the points involved sum to O E on E and thus there exists such a function h by the central theorem. Claim. The Weil pairing functions ˆf, ĝ for ˆφ(T ) are ˆf f φ h m and ĝ g φ h [m]. 7

8 Proof of claim. We need to show that div ˆf m([ ˆφ(T )] [O]) and that ĝ m ˆf [m]. computation is easy: The first div ˆf div f φ div(φ) (f) m div h m((φ) ([T ] [O E ])) m div h h m m([ ˆφ(T )] [O E ] + div h)) m div h m([ ˆφ(T )] [O E ]) And for the second claim note that [m] commutes with the isogeny φ ( ) g φ m ĝ m gm φ h [m] (h [m]) m f [m] φ ( ) f φ h m [m] h m [m] ˆf [m] Therefore, we can compute the Weil pairing e m (S, ˆφ(T )) as follows: ( ) e m (S, ˆφ(T g φ )) ĝ(x + S)/ĝ(X) (X + S)/ h [m] g(φ(x) + φ(s)) h(mx + ms) /g(φ(x)) h(mx) g(φ(x) + φ(s)) g(φ(x)) e m(φ(s), T ) ( g φ h [m] ) (X) g(φ(x) + φ(s)) h(mx) h(mx + ms) g(φ(x)) as we wanted to show. So φ and ˆφ are adjoint with respect to the Weil pairing. Corollary. If φ : E E is an endomorphism of E, then e m (φ(s), φ(t )) e m (S, T ) deg φ Proof of the corollary. We simply use the adjunction: e m (φ(s), φ(t )) e m (S, ( ˆφ φ)(t )) e m (S, [deg φ](t )) e m (S, T ) deg φ 4 l-adic Weil pairing Pick l Z >0 prime and coprime to the characteristic of K if it is positive. Then we want to extend the Weil pairing e l n on the l n -torsion E[l n ] to the l-adic Tate module T l (E). As we have the usual projective system of maps l : E[l n+1 ] E[l] and ( ) l : µ l n+1 µ l n, we only need to check that also the system of Weil pairings {e l n} is projective, that is, that we have for any S, T E[l n+1 ] e l n+1(s, T ) l e l n([l]s, [l]t ) But this follows easily from the bilineary and the compatibility property of the Weil pairing: e l n+1(s, T ) l e l n+1(s, [l]t ) e l n([l]s, [l]t ) So the Weil pairing on l n -torsion gives us the l-adic Weil pairing e : T l (E) T l (E) lim µ l n 8

9 5 Applications In this section, we discuss some (mainly cryptographic) applications of the Weil pairing. The discrete logarithm problem For cryptography applications, the following problem is of singular importance. Let G be a group written multiplicatively. Then the discrete logarithm problem for G is the following question: Given P, Q G, find a Z such that Q P a or say such an a does not exist. Some groups, such as Z, (Z/NZ, +) have easy discrete logarithms. Generic groups (used only as a blackbox) have discrete logs in O( G ). For the multiplicative group of finite fields F q the discrete log is subexponential (faster than the generic case but nowhere near as fast as for (Z/NZ, +)). Claim (A wish). The ECDLP (elliptic curve discrete logarithm problem) over F q is as good as for generic groups. This claim is merely a wish as so far it is not known whether there exists a faster way how to compute discrete logarithms on elliptic curves than on generic groups (in which the mentioned complexity is provably sharp). Reduction to the Weil pairing Let E be an elliptic curve defined over F q. Suppose we are given two points P and Q ap in E[m] and we are asked to compute a, if it exists. The decision upon the existence is an easy lemma: Lemma. Let P, Q E[l] be two nonzero points of order l for l prime. Then e l (P, Q) 1 if and only if Q P the subgroup generated by P. Proof. If Q P then Q ap for some a {1,..., ord P 1} and we have e l (P, Q) e l (P, ap ) e l (P, P ) a 1 a 1. On the other hand, take P, R as the basis of E[l] and write Q ap + br. Then forcing b 0 and thus Q ap P. 1 e l (P, Q) e l (P, ap + br) e l (P, P ) a e l (P, R) b ζ b l, Now let us turn our attention to finding the discrete logarithm a, supposing it exists. If we take any R E[m] with e m (P, R) 1, then we can compute u e m (P, R) and v e m (Q, R). Note that v e m (Q, R) e m (ap, R) e m (P, R) a u a. So if we can solve the discrete logarithm for u, v µ m F q k, then we obtain our desired a and can solve the discrete logarithm in E[m]. This is called the MOV attack. MOV stands for Menezes, Okamoto and Vanstone. But this reduction raises the problem of solving the discrete logarithm in F q k for potentially large k (note that k is the smallest positive integer with m q k 1). And indeed, for a random elliptic curve, the k we will need to use will be prohibitively large. However, for some classes of curves, k will be relatively small. Definition (Embedding degree). Let k be the smallest integer such that E[m] E(F k q). Then k is called the embedding degree of E with respect to m. As we have noted before, if the embedding degree of E with respect to m is k, then the Weil pairings takes values in µ m F k q (as it has values in the same field over which the points of m-torsion are defined). 9

10 Proposition. Let E be an elliptic curve over F p and let l p be a prime. Assume that E(F p ) contains a point of order l. Then one of the following is true: the embedding degree of E with respect to l is 1 (this cannot happen if l > p + 1), if p 1 mod l then the embedding degree is l, if p 1 mod l then the embedding degree is the smallest k 2 such that p k 1 mod l, i.e. the order of p modulo l. However, random curves have embedding degree much larger than (log p) 2. The MOV attack on supersingular elliptic curves Recall that last time we established that the endomorphism ring of an elliptic curve has rank at most 4. It can be shown that for elliptic curves over finite fields, only ranks 2 and 4 are permissible. The case of rank 4 is called the supersingular case and is the non-typical case. Moreover, supersingular elliptic curves are characterised by #E(F p ) p + 1, which can be checked in polynomial time by counting points. Theorem. For supersingular elliptic curves, k 6. If there is at least one m-torsion point in E(F q ), then k 2. To appreciate this abstract result, we need the real-world cryptographic sizes. For cryptography using DLP in F q, one should use q 3072-bits to get some 128-bits of security, which is considered reasonable (though for instance, the case of small characteristic (including the very important case of characteristic 2) is broken by a heuristic quasipolynomial algorithm) and recent development has shown that medium characteristic is also susceptible to faster attacks than previously expected. For ECDLP, we use q 256-bits to get the same level of security. Corollary (MOV attack on supersingular elliptic curves). For supersingular elliptic curves, we can solve the DLP by using the reduction to the Weil pairing. This is a simple computation, , which only offers 96 bits of security. Moreover, , which only offers 56 bits of security (for the lack of a better word), which can be broken routinely. Moment of Zen. The elliptic curve y 2 x 3 + x/f p is supersingular for any prime p 3 mod 4 and has embedding degree 2 for l > p + 1, so makes a spectacularly poor choice for cryptography. References [1] J. Silverman. The Arithmetic of Elliptic Curves, GTM 106, Springer, [2] S. Galbraith. Mathematics of Public Key Cryptography, Cambridge University Press, [3] F. Hess. A Note on the Tate Pairing of Curves over Finite Fields, Arch. Math. 82: 28-32, [4] I.F. Blake, G. Seroussi, N.P. Smart Elliptic curves in cryptography, LMS 265, Cambridge University Press, [5] I.F. Blake, G. Seroussi, N.P. Smart Advances in Elliptic Curve Cryptography, LMS 317, Cambridge University Press, [6] P. Bruin. The Tate pairing for Abelian varieties over finite fields, Journal de Theorie des Nombres de Bordeaux, 10