Weil pairing
Jana Sotáková
Algant: Regensburg and Leiden
Elliptic curves and Weil conjectures seminar, Regensburg, Wednesday 22nd June, 2016

Abstract
In this talk we are mainly interested in constructing the Weil pairing on the $N$-torsion of an elliptic curve and in showing that it extends to an $\ell$-adic Weil pairing on the $\ell$-adic Tate module. We start by defining the Weil pairing following Silverman and deducing some of its fundamental properties. Afterwards we extend the pairing to the $\ell$-adic Tate module and discuss some applications to cryptography.

1 Motivation
Let $E$ be an elliptic curve over $K$ and let $E[m]$ denote the $m$-torsion of $E$. In the following we construct a bilinear map
$$e_m : E[m] \times E[m] \to \mu_m$$
and show that it is a non-degenerate, alternating, Galois-invariant pairing on the $m$-torsion with values in the $m$-th roots of unity (as elements of $\bar K$). The Weil pairing is a powerful tool in the study of elliptic curves, so we note some of its main properties: the compatibility of the pairings when the torsion level changes, and surjectivity in the following sense: there exist points $P, Q \in E[m]$ with $e_m(P, Q) = \zeta_m$ a primitive $m$-th root of unity. We also show that the Weil pairing interacts well with isogenies: the dual isogeny is the adjoint with respect to the Weil pairing. Letting $m$ run over the powers $\ell^n$ of a fixed prime $\ell$, we obtain the $\ell$-adic Weil pairing on the Tate module $T_\ell(E)$, which retains the important properties of the Weil pairing.

2 Elliptic curves and divisors
Let $K$ be a field and let $E/K$ be an elliptic curve defined over $K$, that is, a non-singular projective curve of genus $1$ together with a given $K$-point $O \in E$. A projective curve is a one-dimensional projective variety, in our case contained in $\mathbb{P}^2(\bar K)$. Without losing too much generality we can think of a curve as the set of triples satisfying a given homogeneous equation, non-singularity meaning that the affine cone over the curve has no singular point other than $(0, 0, 0)$.
An elliptic curve is then given by a homogeneous cubic equation, and after a suitable projective change of coordinates the selected point can be taken to be the point at infinity $O = (0 : 1 : 0)$ (in projective coordinates). We briefly recall what we (need to) know about an elliptic curve $E$ defined over a field $K$:

- the set of $L$-points for any field extension $L/K$ is denoted by $E(L)$,
- the functions on $E$: $K(E)$ denotes the rational functions defined over $K$ and $\bar K(E)$ the rational functions defined over $\bar K$,
- the divisor group $\mathrm{Div}(E) = \bigoplus_{P \in E} \mathbb{Z}[P]$, the free abelian group on the points of $E(\bar K)$,
- divisors of functions, that is, the map assigning to any non-zero function $f \in \bar K(E)$ its divisor $\operatorname{div} f \in \mathrm{Div}^0(E)$, a divisor of degree zero on $E$; the points appearing with a positive coefficient are the zeroes of $f$, those with a negative coefficient are the poles of $f$,
- from the degree zero divisors we form the Picard group $\mathrm{Pic}^0(E) = \mathrm{Div}^0(E)/\sim$, where $D \sim D'$ if and only if $D - D' = \operatorname{div} f$ for some $f \in \bar K(E)^*$,
- elliptic curves carry a commutative group law with neutral element $O$; this structure depends on the selected point $O$, and the group law is isomorphic to that of the Picard group via $E(\bar K) \to \mathrm{Pic}^0(E)$, $P \mapsto [P] - [O]$ (an isomorphism that depends on the choice of $O$),
- maps between curves, that is, rational morphisms of projective varieties $\phi: E \to E'$; we are mainly interested in maps fixing the special point $O$: these are the so-called isogenies, which are surjective (unless trivial) and preserve the group law,
- given a map of curves $\phi: E \to E'$ we can pull back functions on $E'$ to functions on $E$ simply by precomposing with the map: for $f \in \bar K(E')$, $\phi^*(f) = f \circ \phi \in \bar K(E)$,
- given a map $\phi: E \to E'$ we can also pull back divisors on $E'$; this is defined as the linear extension of
$$[Q] \in \mathrm{Div}(E') \;\longmapsto\; \phi^*[Q] = \sum_{P \in \phi^{-1}(Q)} e_\phi(P)\,[P] \in \mathrm{Div}(E),$$
where $e_\phi(P)$ is the ramification index of $\phi$ at $P$; for most maps we consider (such as the isogeny $[m]$, multiplication by $m$ on $E$, for $m$ prime to the characteristic) this index is $1$ at all points $P$,
- it is easy to check that for all $f \in \bar K(E')$ we have $\phi^*(\operatorname{div} f) = \operatorname{div}(\phi^* f) = \operatorname{div}(f \circ \phi)$,
- the kernel of an isogeny is always a finite subgroup of $E$,
- for any isogeny $\phi: E \to E'$ there exists the dual isogeny $\hat\phi: E' \to E$, given by the composition
$$\hat\phi: E' \xrightarrow{\ \sim\ } \mathrm{Pic}^0(E') \xrightarrow{\ \phi^*\ } \mathrm{Pic}^0(E) \xrightarrow{\ \sim\ } E,$$
- elliptic curves have genus $1$, and the theorem of Riemann–Roch tells us that any non-constant function has at least two poles (counted with multiplicity); in particular there is no function with divisor $[P] - [O]$ for $P \neq O$.

The main theorem on the group law
The fundamental theorem relating the group law on the elliptic curve to the group structure of its divisors is the following:

Theorem (Group law).
Let $D = \sum_P n_P [P]$ be a divisor on $E$ of degree $0$, that is, $\sum_P n_P = 0$. Then $D \sim 0$, that is, $D$ is a principal divisor, if and only if
$$\sum_P [n_P]\,P = O \quad \text{on } E.$$

Proof. See Corollary III.3.5 of [1].

Moment of Zen. We call this theorem the group law because the chord-and-tangent law gives the sum of two points as follows: take the line through the two points $P, Q$, let $R$ be the third point of intersection with $E$, and reflect $R$ in the $x$-axis. This is easily deduced from the theorem: a projective line $L$ meets our cubic in three points $P, Q, R$ by Bézout, and the function $L/Z$ ($Z$ the line at infinity, which meets $E$ only at $O$, with multiplicity $3$) has divisor $[P] + [Q] + [R] - 3[O]$, so $P + Q + R = O$. To obtain the geometric sum we take the vertical line through $R$ and the point at infinity $O$; it meets $E$ in a third point $S$, and $S = -R = P + Q$.
3 Weil pairing
We now discuss the classical version of the Weil pairing, following Silverman. Recall that we want to construct a pairing
$$e_m : E[m] \times E[m] \to \mu_m, \qquad (S, T) \mapsto e_m(S, T).$$
Let $m \in \mathbb{N}$ with $\gcd(m, \operatorname{char} K) = 1$ if $\operatorname{char} K > 0$, and let $T \in E[m]$ be any $m$-torsion point. As $[m]T = [m]O = O$ on $E$, the divisor $m[T] - m[O]$ is principal by the group law theorem, so there exists a function $f \in \bar K(E)$ with
$$\operatorname{div} f = m[T] - m[O].$$
As addition of points is given by rational formulae, it is easy to see that for any point $P \in E$ there is some point $P' \in E(\bar K)$ with $[m]P' = P$. This can also be seen by invoking that the multiplication-by-$m$ map $[m]: E \to E$ is a non-constant isogeny and thus surjective. So let $T'$ be any preimage of $T$ under $[m]$, that is, $[m]T' = T$. Remembering that $[m]$ is unramified under our hypotheses (all ramification indices $e_{[m]}(P)$ equal $1$), we get
$$[m]^*\bigl([T] - [O]\bigr) = \sum_{P \in [m]^{-1}(T)} [P] \;-\; \sum_{P \in [m]^{-1}(O)} [P] = \sum_{R \in E[m]} \bigl([T' + R] - [R]\bigr).$$
Summing the points of the right-hand divisor in the group $E$ gives
$$\sum_{R \in E[m]} (T' + R) \;-\; \sum_{R \in E[m]} R = [m^2]\,T' = [m]T = O$$
(as $\#E[m] = m^2$), so there is a function $g \in \bar K(E)$ with
$$\operatorname{div} g = [m]^*\bigl([T] - [O]\bigr) = \sum_{R \in E[m]} \bigl([T' + R] - [R]\bigr).$$
Because the pullback of divisors is linear we immediately get $\operatorname{div}(f \circ [m]) = [m]^*(\operatorname{div} f) = m\,[m]^*([T] - [O]) = m \operatorname{div} g$, so $f \circ [m]$ and $g^m$ have the same divisor and we can normalise $f$ so that
$$f \circ [m] = g^m.$$

Weil pairing. Using the function $g \in \bar K(E)$ just constructed, we define the Weil pairing as follows: for any $S \in E[m]$ take an arbitrary point $X \in E$ such that neither $X$ nor $X + S$ lies in $\operatorname{Supp}(\operatorname{div} g)$. Then, since $S$ is $m$-torsion,
$$g(X + S)^m = f([m]X + [m]S) = f([m]X) = g(X)^m,$$
and thus we set
$$e_m(S, T) = \frac{g(X + S)}{g(X)} \in \mu_m \subset \bar K$$
to be the Weil pairing of the points $S, T$.

Now we prove some important properties of the Weil pairing.
ℵ) Weil pairing is... well-defined
We need to check that the Weil pairing does not change if we use a different function $g$ or a different point $X$. The function $g$ is determined by its divisor up to a non-zero constant, so any other admissible $g$ differs from ours by a constant factor; this clearly does not affect the quotient $e_m(S, T) = g(X + S)/g(X)$. To see that the pairing is independent of the choice of an (admissible) $X$: the identity $g(X + S)^m = g(X)^m$ holds on a Zariski open subset of $E(\bar K)$, so $(g \circ \tau_S)^m = g^m$ as rational functions ($\tau_S$ denoting translation by $S$). Hence $g \circ \tau_S / g$ is a rational function whose $m$-th power is $1$, i.e. a constant $m$-th root of unity, and the quotient $g(X + S)/g(X)$ equals this constant for every admissible $X$.

a) Weil pairing is... bilinear
That is,
$$e_m(S_1 + S_2, T) = e_m(S_1, T)\,e_m(S_2, T) \qquad\text{and}\qquad e_m(S, T_1 + T_2) = e_m(S, T_1)\,e_m(S, T_2)$$
for any $S, S_1, S_2, T, T_1, T_2 \in E[m]$. In the first variable bilinearity is easy:
$$e_m(S_1 + S_2, T) = \frac{g(X + S_1 + S_2)}{g(X)} = \frac{g(X + S_1 + S_2)}{g(X + S_1)} \cdot \frac{g(X + S_1)}{g(X)} = e_m(S_2, T)\,e_m(S_1, T),$$
using $X + S_1$ as the auxiliary point for $e_m(S_2, T)$. For the second variable we need to compare the defining functions. Let $f, g$ be the functions corresponding to $T_1 + T_2$ and $f_i, g_i$ the functions corresponding to $T_i$ for $i = 1, 2$. For the divisors we have $\operatorname{div} g = [m]^*([T_1 + T_2] - [O])$ and $\operatorname{div} g_i = [m]^*([T_i] - [O])$, as well as $\operatorname{div} f = m[T_1 + T_2] - m[O]$ and $\operatorname{div} f_i = m[T_i] - m[O]$.
Now compute
$$\operatorname{div}\frac{f}{f_1 f_2} = \operatorname{div} f - \operatorname{div} f_1 - \operatorname{div} f_2 = m\bigl([T_1 + T_2] - [T_1] - [T_2] + [O]\bigr).$$
As $[T_1 + T_2] - [T_1] - [T_2] + [O]$ is a divisor of degree $0$ and $(T_1 + T_2) - T_1 - T_2 + O = O$ on $E$, there exists a function $h$ with $\operatorname{div} h = [T_1 + T_2] - [T_1] - [T_2] + [O]$, and after multiplying $h$ by a suitable constant we may assume
$$f = f_1 f_2 h^m.$$
Precomposing with the isogeny $[m]$ we obtain
$$g^m = f \circ [m] = (f_1 \circ [m])\,(f_2 \circ [m])\,(h \circ [m])^m = g_1^m\, g_2^m\, (h \circ [m])^m,$$
and taking $m$-th roots gives $g = c\, g_1 g_2\, (h \circ [m])$ for some constant $c \in \bar K^*$. Now we are ready to compute the Weil pairing of $S$ and $T_1 + T_2$: for a suitable $X$,
$$e_m(S, T_1 + T_2) = \frac{g(X + S)}{g(X)} = \frac{c\,g_1(X + S)\,g_2(X + S)\,h([m]X + [m]S)}{c\,g_1(X)\,g_2(X)\,h([m]X)} = \frac{g_1(X + S)}{g_1(X)} \cdot \frac{g_2(X + S)}{g_2(X)} = e_m(S, T_1)\,e_m(S, T_2),$$
as $[m]S = O$. So the Weil pairing is also bilinear in the second argument.
b) Weil pairing is... alternating
That is, $e_m(T, T) = 1$ for all $T \in E[m]$. Note that this implies $e_m(S, T)\,e_m(T, S) = 1$, since
$$1 = e_m(S + T, S + T) = e_m(S, S)\,e_m(S, T)\,e_m(T, S)\,e_m(T, T) = e_m(S, T)\,e_m(T, S),$$
which is the usual sign rule for alternating bilinear maps. To show $e_m(T, T) = 1$ we use the translation maps $\tau_P : X \mapsto X + P$. Recall that $\operatorname{div} g = [m]^*([T] - [O]) = \sum_{R \in E[m]} ([T' + R] - [R])$. Therefore the function $g \circ \tau_{-[i]T'} : X \mapsto g(X - [i]T')$ has divisor
$$\operatorname{div}\bigl(g \circ \tau_{-[i]T'}\bigr) = \sum_{R \in E[m]} \bigl([R + [i+1]T'] - [R + [i]T']\bigr).$$
Set $G = \prod_{i=0}^{m-1} g \circ \tau_{-[i]T'}$ and compute its divisor:
$$\operatorname{div} G = \sum_{i=0}^{m-1} \sum_{R \in E[m]} \bigl([R + [i+1]T'] - [R + [i]T']\bigr) = \sum_{R \in E[m]} \bigl([R + [m]T'] - [R]\bigr) = \sum_{R \in E[m]} \bigl([R + T] - [R]\bigr) = 0,$$
the sum telescoping in $i$, and the last equality holding because $R \mapsto R + T$ permutes $E[m]$ (as $T \in E[m]$). So $G$ is constant, since the only functions in $\bar K(E)$ with zero divisor are the constants. Hence $G(X) = G(X - T')$, that is,
$$\prod_{i=0}^{m-1} g(X - [i]T') = \prod_{i=0}^{m-1} g(X - T' - [i]T') = \prod_{i=1}^{m} g(X - [i]T'),$$
and cancelling the factors common to both sides we get
$$g(X) = g(X - [m]T') = g(X - T)$$
for any admissible $X$. So, evaluating at $X - T$ in place of $X$, we see that the Weil pairing is alternating:
$$e_m(T, T) = \frac{g((X - T) + T)}{g(X - T)} = \frac{g(X)}{g(X - T)} = 1.$$

c) Weil pairing is... non-degenerate
That is, for any $T \in E[m]$ with $T \neq O$ there exists $S \in E[m]$ such that $e_m(S, T) \neq 1$ (and symmetrically in the other variable, by the alternating property). Suppose otherwise, i.e. $e_m(S, T) = 1$ for all $S \in E[m]$: then $g(X) = g(X + S)$ for all $S \in E[m] = \ker [m]$. Recall the following important theorem from the Galois theory of function fields of isogenies (see [1], III.4.10 (b)).
Theorem (Kernel of an isogeny gives the automorphisms of the function field extension). Let $\phi: E \to E'$ be a (separable) isogeny. Then there is a bijection
$$\ker \phi \;\longrightarrow\; \operatorname{Aut}\bigl(\bar K(E)/\phi^*\bar K(E')\bigr), \qquad T \mapsto \tau_T^*,$$
where $\tau_T$ is translation by $T$.

Thus, as $g$ is fixed by the translations by all elements of $E[m]$ (here we tacitly use that it suffices to check this on a Zariski dense subset of $E$, since we can only evaluate $g$ at points $X$ with $X, X + S \notin \operatorname{Supp}(\operatorname{div} g)$) and the extension $\bar K(E)/[m]^*\bar K(E)$ is Galois, we have $g \in [m]^*\bar K(E)$, so there exists a function $h$ with
$$g = [m]^*(h) = h \circ [m].$$
But then $g^m = (h \circ [m])^m = h^m \circ [m]$ and also $g^m = f \circ [m]$; as $[m]^*$ is injective on function fields this gives $f = h^m$, and looking at divisors,
$$\operatorname{div} f = m[T] - m[O] = m \operatorname{div} h, \qquad\text{i.e.}\qquad \operatorname{div} h = [T] - [O].$$
But there is no such function for $T \neq O$: $E$ is an elliptic curve, thus of genus $1$, and by Riemann–Roch there is no function with a single simple pole on a genus $1$ curve. So $e_m$ is non-degenerate.

d) Weil pairing is... Galois-invariant
For $S, T \in E[m]$ and $\sigma \in \operatorname{Gal}(\bar K/K)$ we have
$$e_m(S^\sigma, T^\sigma) = e_m(S, T)^\sigma.$$
It is clear that if $g$ is the function with divisor $\operatorname{div} g = [m]^*([T] - [O])$, then $g^\sigma$ has divisor $\operatorname{div} g^\sigma = [m]^*([T^\sigma] - [O])$ (and $f^\sigma \circ [m] = (g^\sigma)^m$, as $[m]$ is defined over $K$), so it can be used to compute the Weil pairing $e_m(\,\cdot\,, T^\sigma)$. Using $g^\sigma(Y) = g(Y^{\sigma^{-1}})^\sigma$ we get, for an admissible $X$,
$$e_m(S^\sigma, T^\sigma) = \frac{g^\sigma(X + S^\sigma)}{g^\sigma(X)} = \left(\frac{g(X^{\sigma^{-1}} + S)}{g(X^{\sigma^{-1}})}\right)^{\sigma} = e_m(S, T)^\sigma.$$

e) Weil pairing is... compatible
That is, if $S \in E[mn]$ and $T \in E[m]$, then clearly $T \in E[mn]$, and the Weil pairings satisfy
$$e_{mn}(S, T) = e_m([n]S, T).$$
Now, if $\operatorname{div} f = m([T] - [O])$, then $\operatorname{div} f^n = mn([T] - [O])$, so $f^n$ is the function defining $e_{mn}(\,\cdot\,, T)$. Take $g$ with $\operatorname{div} g = [m]^*([T] - [O])$ and $g^m = f \circ [m]$. We need a function $h$ with $h^{mn} = f^n \circ [mn]$, and indeed
$$[mn]^*(f^n) = [n]^*\bigl([m]^*(f^n)\bigr) = [n]^*\bigl((f \circ [m])^n\bigr) = [n]^*(g^{mn}) = (g \circ [n])^{mn}.$$
So it suffices to take $h = g \circ [n]$, and then
$$e_{mn}(S, T) = \frac{h(X + S)}{h(X)} = \frac{(g \circ [n])(X + S)}{(g \circ [n])(X)} = \frac{g([n]X + [n]S)}{g([n]X)} = e_m([n]S, T).$$

f) Weil pairing is... surjective onto $\mu_m$
That is, there exist points $S, T \in E[m]$ such that $e_m(S, T) = \zeta_m$ is a primitive $m$-th root of unity. Indeed, suppose this were not the case, so that the values $e_m(S, T)$ generate a proper subgroup $\mu_d \subsetneq \mu_m$ (with $d \mid m$ and $d < m$).
Then for all $S, T \in E[m]$ we have $1 = e_m(S, T)^d = e_m(S, [d]T)$. Non-degeneracy then implies $[d]T = O$ for all $T \in E[m]$. But under our hypotheses ($m$ coprime to the characteristic of $K$ if the latter is positive) we know that, as abstract groups, $E[m] \cong \mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/m\mathbb{Z}$, a group of exponent $m$. So $m \mid d$, and $d = m$.
g) Weil pairing is... defined over the same field as the $m$-torsion
That is, if $E[m] \subseteq E(L)$, then $\mu_m \subseteq L$. Indeed, this follows directly from Galois invariance and surjectivity. Take $S, T \in E[m]$ with $e_m(S, T) = \zeta_m$ primitive. We know that $\zeta_m = e_m(S, T) \in \bar K$, and for any $\sigma \in \operatorname{Gal}(\bar K/L)$ we have
$$\zeta_m^\sigma = e_m(S, T)^\sigma = e_m(S^\sigma, T^\sigma) = e_m(S, T) = \zeta_m,$$
as $S, T$ are $L$-points. So $\zeta_m \in L$ by Galois theory, and hence $\mu_m \subseteq L$.

Moment of Zen. A case of particular interest is an elliptic curve defined over a finite field $\mathbb{F}_q$. Then $E[m] \subseteq E(\mathbb{F}_q)$ implies $\mu_m \subseteq \mathbb{F}_q$, i.e. $m \mid q - 1$. More generally, if $E$ is defined over $\mathbb{F}_q$ and $k$ is the smallest positive integer with $E[m] \subseteq E(\mathbb{F}_{q^k})$, then $\mu_m \subseteq \mathbb{F}_{q^k}$, i.e. $m \mid q^k - 1$.

h) Weil pairing... is easy if we know a basis of $E[m]$
Suppose $P, Q \in E[m]$ are such that every $S \in E[m]$ can be written as $S = [a]P + [b]Q$ for some $0 \le a, b < m$. Write $T = [c]P + [d]Q$. Then, by bilinearity and the alternating property,
$$e_m(S, T) = e_m([a]P + [b]Q,\, [c]P + [d]Q) = e_m(P, Q)^{ad}\, e_m(Q, P)^{bc} = e_m(P, Q)^{ad - bc},$$
so by non-degeneracy and surjectivity necessarily $e_m(P, Q) = \zeta_m$ is a primitive $m$-th root of unity, and the pairing is simply $\zeta_m$ raised to the determinant of the coordinate matrix obtained by writing $S, T$ in the basis $P, Q$.

Moment of Zen. Note that once the value $\zeta_m = e_m(P, Q)$ on a basis is fixed, the defining properties determine the Weil pairing uniquely, and it is immediate that the pairing given by raising $\zeta_m$ to the determinant $ad - bc$ satisfies all of them. While finding a basis of the $m$-torsion is rather difficult in general, computing the Weil pairing via functions determined by divisors (Miller's algorithm) is relatively easy and computationally efficient.

i) Weil pairing is... an adjunction for isogenies
That is, let $\phi: E \to E'$ be an isogeny and let $\hat\phi: E' \to E$ be its dual isogeny. Denote by $e_m$ and $e'_m$ the Weil pairings on $E[m]$ and $E'[m]$, respectively.
Then for $S \in E[m]$ and $T \in E'[m]$ we have the adjunction relation
$$e_m\bigl(S, \hat\phi(T)\bigr) = e'_m\bigl(\phi(S), T\bigr).$$
This is easy to prove once we recall the explicit description of the dual isogeny via the isomorphisms of the elliptic curves with their Picard groups,
$$\hat\phi: E' \xrightarrow{\ \sim\ } \mathrm{Pic}^0(E') \xrightarrow{\ \phi^*\ } \mathrm{Pic}^0(E) \xrightarrow{\ \sim\ } E,$$
with the middle map induced by $[Q] \mapsto \sum_{P \in \phi^{-1}(Q)} e_\phi(P)\,[P]$. Now take the functions $f, g$ defining the Weil pairing for $T \in E'[m]$, so that $e'_m(\phi(S), T) = g(X' + \phi(S))/g(X')$ for a function $g \in \bar K(E')$ with $\operatorname{div} g = [m]^*([T] - [O_{E'}])$ and $g^m = f \circ [m]$, where $\operatorname{div} f = m[T] - m[O_{E'}]$. Next we convince ourselves that
$$\phi^*\bigl([T] - [O_{E'}]\bigr) = [\hat\phi(T)] - [O_E] + \operatorname{div} h$$
for some function $h \in \bar K(E)$: it is immediate from the definition of $\hat\phi$ that the divisor $\phi^*([T] - [O_{E'}]) - [\hat\phi(T)] + [O_E]$ has degree $0$ and that its points sum to $O_E$ on $E$, so by the group law theorem it is the divisor of some function $h$.

Claim. The functions $\hat f, \hat g$ defining the Weil pairing for $\hat\phi(T) \in E[m]$ are
$$\hat f = \frac{f \circ \phi}{h^m} \qquad\text{and}\qquad \hat g = \frac{g \circ \phi}{h \circ [m]}.$$
Proof of claim. We need to show that $\operatorname{div} \hat f = m([\hat\phi(T)] - [O_E])$ and that $\hat g^m = \hat f \circ [m]$. The first computation is easy:
$$\operatorname{div} \hat f = \phi^*(\operatorname{div} f) - m \operatorname{div} h = m\,\phi^*\bigl([T] - [O_{E'}]\bigr) - m \operatorname{div} h = m\bigl([\hat\phi(T)] - [O_E] + \operatorname{div} h\bigr) - m \operatorname{div} h = m\bigl([\hat\phi(T)] - [O_E]\bigr).$$
For the second claim note that $[m]$ commutes with the isogeny $\phi$, so
$$\hat g^m = \frac{(g \circ \phi)^m}{(h \circ [m])^m} = \frac{g^m \circ \phi}{h^m \circ [m]} = \frac{f \circ [m] \circ \phi}{h^m \circ [m]} = \frac{f \circ \phi \circ [m]}{h^m \circ [m]} = \left(\frac{f \circ \phi}{h^m}\right) \circ [m] = \hat f \circ [m].$$
Therefore we can compute the Weil pairing $e_m(S, \hat\phi(T))$ as follows (for an admissible $X \in E$, chosen so that $X' = \phi(X)$ is admissible for $g$):
$$e_m\bigl(S, \hat\phi(T)\bigr) = \frac{\hat g(X + S)}{\hat g(X)} = \frac{g(\phi(X) + \phi(S))}{h([m]X + [m]S)} \cdot \frac{h([m]X)}{g(\phi(X))} = \frac{g(\phi(X) + \phi(S))}{g(\phi(X))} = e'_m\bigl(\phi(S), T\bigr),$$
as $[m]S = O$. So $\phi$ and $\hat\phi$ are adjoint with respect to the Weil pairing.

Corollary. If $\phi: E \to E$ is an endomorphism of $E$, then
$$e_m\bigl(\phi(S), \phi(T)\bigr) = e_m(S, T)^{\deg \phi}.$$

Proof of the corollary. We simply use the adjunction together with $\hat\phi \circ \phi = [\deg \phi]$:
$$e_m\bigl(\phi(S), \phi(T)\bigr) = e_m\bigl(S, (\hat\phi \circ \phi)(T)\bigr) = e_m\bigl(S, [\deg \phi]\,T\bigr) = e_m(S, T)^{\deg \phi}.$$

4 $\ell$-adic Weil pairing
Pick a prime $\ell$, coprime to the characteristic of $K$ if the latter is positive. We want to extend the Weil pairings $e_{\ell^n}$ on the $\ell^n$-torsion $E[\ell^n]$ to the $\ell$-adic Tate module $T_\ell(E) = \varprojlim_n E[\ell^n]$. As we have the usual projective systems of maps $[\ell]: E[\ell^{n+1}] \to E[\ell^n]$ and $(\,\cdot\,)^\ell: \mu_{\ell^{n+1}} \to \mu_{\ell^n}$, we only need to check that the system of Weil pairings $\{e_{\ell^n}\}$ is compatible with them, that is, that for any $S, T \in E[\ell^{n+1}]$
$$e_{\ell^{n+1}}(S, T)^\ell = e_{\ell^n}\bigl([\ell]S, [\ell]T\bigr).$$
But this follows easily from bilinearity and the compatibility property e) (applied with $m = \ell^n$, $n = \ell$ and the point $[\ell]T \in E[\ell^n]$):
$$e_{\ell^{n+1}}(S, T)^\ell = e_{\ell^{n+1}}\bigl(S, [\ell]T\bigr) = e_{\ell^n}\bigl([\ell]S, [\ell]T\bigr).$$
So the Weil pairings on the $\ell^n$-torsion give us the $\ell$-adic Weil pairing
$$e: T_\ell(E) \times T_\ell(E) \to \varprojlim_n \mu_{\ell^n},$$
which is again bilinear, alternating, non-degenerate and Galois-invariant, since each $e_{\ell^n}$ is.
5 Applications
In this section we discuss some (mainly cryptographic) applications of the Weil pairing.

The discrete logarithm problem. For cryptographic applications the following problem is of singular importance. Let $G$ be a group, written multiplicatively. The discrete logarithm problem (DLP) for $G$ is: given $P, Q \in G$, find $a \in \mathbb{Z}$ such that $Q = P^a$, or decide that no such $a$ exists. Some groups, such as $\mathbb{Z}$ or $(\mathbb{Z}/N\mathbb{Z}, +)$, have easy discrete logarithms (a division, by the extended Euclidean algorithm). Generic groups (used only as a black box) have discrete logarithms in $O(\sqrt{|G|})$ group operations, for instance by baby-step giant-step or Pollard's rho. For the multiplicative group $\mathbb{F}_q^*$ of a finite field the discrete logarithm is subexponential, via index calculus (faster than the generic case, but nowhere near as fast as for $(\mathbb{Z}/N\mathbb{Z}, +)$).

Claim (A wish). The ECDLP (elliptic curve discrete logarithm problem) over $\mathbb{F}_q$ is as hard as the DLP in a generic group.

This claim is merely a wish: so far no faster way of computing discrete logarithms on (general) elliptic curves than in generic groups is known, whereas for generic groups the $O(\sqrt{|G|})$ complexity is provably sharp.

Reduction to the Weil pairing. Let $E$ be an elliptic curve defined over $\mathbb{F}_q$. Suppose we are given two points $P$ and $Q = [a]P$ in $E[m]$ and are asked to compute $a$, if it exists. For prime order, deciding existence is an easy lemma:

Lemma. Let $P, Q \in E[\ell]$ be two non-zero points of order $\ell$, $\ell$ prime. Then $e_\ell(P, Q) = 1$ if and only if $Q \in \langle P \rangle$, the subgroup generated by $P$.

Proof. If $Q \in \langle P \rangle$ then $Q = [a]P$ for some $a \in \{1, \dots, \ell - 1\}$, and $e_\ell(P, Q) = e_\ell(P, [a]P) = e_\ell(P, P)^a = 1^a = 1$. Conversely, take $P, R$ as a basis of $E[\ell]$ and write $Q = [a]P + [b]R$. Then
$$1 = e_\ell(P, Q) = e_\ell(P, [a]P + [b]R) = e_\ell(P, P)^a\, e_\ell(P, R)^b = \zeta_\ell^{\,b}$$
with $\zeta_\ell = e_\ell(P, R)$ primitive, which forces $b = 0$ and thus $Q = [a]P \in \langle P \rangle$.

Now let us turn to finding the discrete logarithm $a$, supposing it exists. If we take any $R \in E[m]$ with $e_m(P, R) \neq 1$, we can compute $u = e_m(P, R)$ and $v = e_m(Q, R)$, and note that
$$v = e_m(Q, R) = e_m([a]P, R) = e_m(P, R)^a = u^a.$$
So if we can solve the discrete logarithm for $u, v \in \mu_m \subseteq \mathbb{F}_{q^k}^*$, we obtain the desired $a$ and thereby solve the discrete logarithm in $E[m]$. This is called the MOV attack, after Menezes, Okamoto and Vanstone. The reduction, however, raises the problem of solving a discrete logarithm in $\mathbb{F}_{q^k}^*$ for a potentially large $k$ (recall that $k$ is the smallest positive integer with $m \mid q^k - 1$), and indeed for a random elliptic curve the $k$ we would need is prohibitively large. For some classes of curves, however, $k$ is small.

Definition (Embedding degree). Let $k$ be the smallest positive integer such that $E[m] \subseteq E(\mathbb{F}_{q^k})$. Then $k$ is called the embedding degree of $E$ with respect to $m$.

As noted before, if the embedding degree of $E$ with respect to $m$ is $k$, then the Weil pairing takes values in $\mu_m \subseteq \mathbb{F}_{q^k}$ (as it takes values in the field over which the $m$-torsion points are defined). In the cryptographic literature the embedding degree is usually defined as the smallest $k$ with $m \mid q^k - 1$; for a prime $m = \ell$ with $\ell \mid \#E(\mathbb{F}_q)$ and $\ell \nmid q - 1$ the two definitions agree, by a result of Balasubramanian and Koblitz.
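Worked example. The following Python program is an added example and not part of the seminar notes. It implements the Weil pairing $e_\ell$ of section 3 through Miller's algorithm (the function $f$ with divisor $\ell[P] - \ell[O]$ is built as a product of line functions, and the pairing is evaluated as the ratio $f_P(Q+S)/f_P(S)$ divided by $f_Q(P-S)/f_Q(-S)$ for an auxiliary point $S$, the standard Miller-function form of the definition, which agrees with $e_\ell$ above up to the sign convention, some references defining the pairing as the inverse of this ratio), checks properties a), b), c), the basis formula of h) and the lemma of this section, and then runs the MOV reduction on the curve $y^2 = x^3 + x$ over $\mathbb{F}_{43}$ (here $43 \equiv 3 \pmod 4$, $\#E(\mathbb{F}_{43}) = 44$, and $\ell = 11$ has embedding degree $2$). Assumptions not taken from the notes: the toy prime $p = 43$; the second basis point of $E[\ell]$ is produced by the map $\psi(x, y) = (-x, iy)$, an endomorphism of this particular curve defined over $\mathbb{F}_{p^2}$ but not over $\mathbb{F}_p$; and the discrete logarithm in $\mu_\ell \subset \mathbb{F}_{p^2}^*$ is brute-forced, standing in for the index calculus a real attack would use. All names (`Fp2`, `miller`, `weil`, `distortion`, `mov_dlog`, ...) are the example's own.

```python
# Added example (not from the seminar notes): Weil pairing via Miller's algorithm,
# embedding degree and MOV on the toy curve y^2 = x^3 + x over F_43; E[l] lives in F_{p^2}.
from typing import Callable, Optional, Tuple

p, A, B, l = 43, 1, 0, 11   # y^2 = x^3 + A x + B over F_p (p = 3 mod 4), prime l | p + 1

class Fp2:
    """a + b*i in F_{p^2} = F_p[i]/(i^2 + 1); x^2 + 1 is irreducible since p = 3 mod 4."""
    __slots__ = ("a", "b")
    def __init__(self, a: int, b: int = 0): self.a, self.b = a % p, b % p
    def __eq__(self, o): return self.a == o.a and self.b == o.b
    def __add__(self, o): return Fp2(self.a + o.a, self.b + o.b)
    def __sub__(self, o): return Fp2(self.a - o.a, self.b - o.b)
    def __neg__(self): return Fp2(-self.a, -self.b)
    def __mul__(self, o): return Fp2(self.a*o.a - self.b*o.b, self.a*o.b + self.b*o.a)
    def __truediv__(self, o): return self * o.inv()
    def inv(self):
        n = (self.a*self.a + self.b*self.b) % p          # norm, an element of F_p
        if n == 0: raise ZeroDivisionError("division by zero in F_{p^2}")
        return Fp2(self.a, -self.b) * Fp2(pow(n, p - 2, p))
    def __pow__(self, e: int):
        r = Fp2(1)
        for bit in bin(e)[2:]: r = r*r*self if bit == "1" else r*r
        return r

ONE = Fp2(1)
Point = Optional[Tuple[Fp2, Fp2]]      # None stands for the point at infinity O

def add(P: Point, Q: Point) -> Point:             # chord-and-tangent addition (section 2)
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 != y2 or y1 == Fp2(0): return None      # Q = -P
        lam = (Fp2(3)*x1*x1 + Fp2(A)) / (Fp2(2)*y1)   # tangent slope
    else:
        lam = (y2 - y1) / (x2 - x1)
    x3 = lam*lam - x1 - x2
    return (x3, lam*(x1 - x3) - y1)

def mul(n: int, P: Point) -> Point:
    R = None
    for bit in bin(n)[2:]:
        R = add(R, R)
        if bit == "1": R = add(R, P)
    return R

def line(T: Point, P: Point, X: Point) -> Fp2:
    """g_{T,P}(X) = l_{T,P}(X) / v_{T+P}(X); div g_{T,P} = [T] + [P] - [T+P] - [O]."""
    (xt, yt), (xp, yp), (x, y) = T, P, X
    if xt == xp and (yt != yp or yt == Fp2(0)):      # vertical line: T + P = O
        return x - xt
    lam = (Fp2(3)*xt*xt + Fp2(A)) / (Fp2(2)*yt) if T == P else (yp - yt) / (xp - xt)
    return (y - yt - lam*(x - xt)) / (x + xt + xp - lam*lam)

def miller(m: int, P: Point, X: Point) -> Fp2:
    """Miller: f_{m,P}(X) with div f_{m,P} = m[P] - [mP] - (m-1)[O]; for [m]P = O this
    is (up to a constant) the function f with div f = m[P] - m[O] of section 3."""
    f, T = ONE, P
    for bit in bin(m)[3:]:                            # leading bit: f_1 = 1, T = P
        f, T = f*f*line(T, T, X), add(T, T)
        if bit == "1": f, T = f*line(T, P, X), add(T, P)
    return f

def first_point(pred: Callable[[Point], bool]) -> Point:
    """First affine point of E(F_p), scanning x = 1, 2, ..., that satisfies pred."""
    for x in range(1, p):
        t = (x**3 + A*x + B) % p
        y = pow(t, (p + 1)//4, p)                     # sqrt in F_p, valid as p = 3 mod 4
        if y*y % p == t and pred((Fp2(x), Fp2(y))): return (Fp2(x), Fp2(y))
    raise ValueError("no such point")

# Auxiliary S outside E[2l]: then Q+S, S, P-S, -S below never hit a zero or pole of
# the Miller functions of points in E[l], so the pairing can always be evaluated.
S_AUX = first_point(lambda T: mul(2*l, T) is not None)
# P of order l in E(F_p): clear the cofactor #E(F_p)/l = (p+1)/l from a curve point.
P = mul((p + 1)//l, first_point(lambda T: mul((p + 1)//l, T) is not None))

def weil(P: Point, Q: Point, S: Point = None) -> Fp2:
    """e_l(P, Q) via Miller functions: [f_P(Q+S)/f_P(S)] / [f_Q(P-S)/f_Q(-S)]."""
    S = S_AUX if S is None else S
    mS = (S[0], -S[1])                                # the point -S
    lhs = miller(l, P, add(Q, S)) / miller(l, P, S)
    return lhs / (miller(l, Q, add(P, mS)) / miller(l, Q, mS))

def distortion(T: Point) -> Point:
    """psi(x, y) = (-x, i*y): an endomorphism of y^2 = x^3 + x over F_{p^2} but not over
    F_p, so for P in E(F_p) of odd order psi(P) is in E[l] but not in <P>. (Assumed fact.)"""
    x, y = T
    return (-x, Fp2(0, 1)*y)
R = distortion(P)                                     # second basis point of E[l]

def embedding_degree(m: int, q: int = p, bound: int = 100) -> int:
    """Smallest k with m | q^k - 1, i.e. mu_m lies in F_{q^k}."""
    return next(k for k in range(1, bound + 1) if pow(q, k, m) == 1)

def mov_dlog(P: Point, Q: Point, R: Point) -> int:
    """MOV reduction: Q = [a]P gives v = u^a with u = e_l(P,R), v = e_l(Q,R) in mu_l.
    Check Q in <P> first (lemma: e_l(P,Q) == 1); the DLP in mu_l is brute-forced here."""
    u, v = weil(P, R), weil(Q, R)
    if u == ONE: raise ValueError("R lies in <P> (lemma above); choose another R")
    return next(a for a in range(l) if u**a == v)    # u generates mu_l as l is prime
```

With these parameters `embedding_degree(l)` returns `2` (as $43 \equiv -1 \pmod{11}$, matching the Proposition below), `weil(P, P)` returns `ONE`, `weil(P, R)` is a primitive $11$-th root of unity, and `mov_dlog(P, mul(7, P), R)` recovers the exponent `7`. The same attack runs on any curve of this family after changing `p` to another prime $p \equiv 3 \pmod 4$ and `l` to a prime dividing $p + 1$; the brute-force loop is the only step whose cost grows with $\ell$, which is exactly the step index calculus replaces at real sizes.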
Proposition. Let $E$ be an elliptic curve over $\mathbb{F}_p$ and let $\ell \neq p$ be a prime. Assume that $E(\mathbb{F}_p)$ contains a point of order $\ell$. Then one of the following holds:
- the embedding degree of $E$ with respect to $\ell$ is $1$ (this cannot happen if $\ell > \sqrt p + 1$, since $E[\ell] \subseteq E(\mathbb{F}_p)$ would force $\ell^2 \mid \#E(\mathbb{F}_p) \le (\sqrt p + 1)^2$ by the Hasse bound),
- $p \equiv 1 \pmod \ell$ and the embedding degree is $\ell$,
- $p \not\equiv 1 \pmod \ell$ and the embedding degree is the smallest $k \ge 2$ with $p^k \equiv 1 \pmod \ell$, i.e. the order of $p$ modulo $\ell$.

Random curves, however, have embedding degree much larger than $(\log p)^2$.

The MOV attack on supersingular elliptic curves. Recall that last time we established that the endomorphism ring of an elliptic curve has rank at most $4$ as a $\mathbb{Z}$-module. It can be shown that for elliptic curves over finite fields only the ranks $2$ and $4$ occur. The case of rank $4$ is called the supersingular case and is the atypical one. Moreover, over a prime field $\mathbb{F}_p$ with $p > 3$, supersingular elliptic curves are characterised by $\#E(\mathbb{F}_p) = p + 1$, which can be checked in polynomial time by point counting.

Theorem. For supersingular elliptic curves the embedding degree satisfies $k \le 6$. Over a prime field $\mathbb{F}_p$ with $p > 3$ we have $\#E(\mathbb{F}_p) = p + 1$, so if $E(\mathbb{F}_p)$ contains a point of order $m$, then $m \mid p + 1 \mid p^2 - 1$ and $k \le 2$.

To appreciate this abstract result we need real-world cryptographic sizes. For cryptography based on the DLP in $\mathbb{F}_q^*$ one should use $q$ of about $3072$ bits to get some $128$ bits of security, which is considered reasonable (though, for instance, the small characteristic case, including the very important case of characteristic $2$, is broken by a heuristic quasi-polynomial algorithm, and recent developments have shown that medium characteristic is also susceptible to faster attacks than previously expected). For the ECDLP we use $q$ of about $256$ bits to get the same level of security.

Corollary (MOV attack on supersingular elliptic curves). For supersingular elliptic curves we can solve the ECDLP by using the reduction to the Weil pairing and a subexponential DLP algorithm in $\mathbb{F}_{q^k}^*$. This is a simple computation: $6 \cdot 256 = 1536$ bits, which offers only about $96$ bits of security; and for $k = 2$, $2 \cdot 256 = 512$ bits, which offers only about $56$ bits of security (for lack of a better word) and can be broken routinely.

Moment of Zen.
The elliptic curve $y^2 = x^3 + x$ over $\mathbb{F}_p$ is supersingular for any prime $p \equiv 3 \pmod 4$ (so $\#E(\mathbb{F}_p) = p + 1$) and has embedding degree $2$ with respect to any prime $\ell \mid p + 1$ with $\ell > \sqrt p + 1$ (in fact with respect to every odd prime $\ell \mid p + 1$: such an $\ell$ does not divide $p - 1$, so by the Proposition the embedding degree is the order of $p \equiv -1$ modulo $\ell$, namely $2$). It therefore makes a spectacularly poor choice for cryptography.

References
[1] J. H. Silverman. The Arithmetic of Elliptic Curves. GTM 106, Springer, 1986.
[2] S. Galbraith. Mathematics of Public Key Cryptography. Cambridge University Press, 2012.
[3] F. Hess. A Note on the Tate Pairing of Curves over Finite Fields. Arch. Math. 82 (2004), 28–32. http://www.staff.uni-oldenburg.de/florian.hess/publications/weiltate.pdf
[4] I. F. Blake, G. Seroussi, N. P. Smart. Elliptic Curves in Cryptography. LMS Lecture Note Series 265, Cambridge University Press, 1999.
[5] I. F. Blake, G. Seroussi, N. P. Smart. Advances in Elliptic Curve Cryptography. LMS Lecture Note Series 317, Cambridge University Press, 2005.
[6] P. Bruin. The Tate pairing for Abelian varieties over finite fields. Journal de Théorie des Nombres de Bordeaux. http://www.math.leidenuniv.nl/~pbruin/tate-pairing.pdf