A Weil descent homomorphism over the base field Darlison Nyirenda - PowerPoint PPT Presentation

A Weil descent homomorphism over the base field Darlison Nyirenda and Ed Schaefer University of Witwatersrand and Santa Clara University October 11, 2013

A homomorphism from an abelian variety to a group with sub-exp’l DLP, that is defined over a relatively small finite field, can be useful. Examples 1 and 2: The Weil and Tate-Lichtenbaum pairings induce homomorphisms to the multiplicative group of an extension field, once a torsion point is specified. If the torsion point is defined over a relatively small extension then DLP translated to multiplicative group where DLP is subexponential in original data (Menezes, Okamoto & Vanstone and Frey & R¨ uck).

We describe a third (or fourth) such homomorphism, defined over a small finite field, from an abelian variety. Get your grad student to find us an application!

Background: Weil restriction attack on ECDLP (Frey). Have E / K where K is an extension of finite field k . Search for curves C / k (of low genus) lying on Weil restriction W of E with respect to extension K / k . Can translate ECDLP to Jac ( C )( k ) via a homomorphism on function fields over K , followed by trace map down to k . If C is a hyperelliptic curve of genus large wrt # k then Adleman, DeMarrais and Huang have subexponential algorithm to solve DLP in Jac ( C )( k ). Weil restriction attack first made practical (in certain cases) by Gaudry, Hess & Smart.

Quick tutorial on Weil restriction. Let F 25 = F 5 [ t ] / ( t 2 − 2). Define E : y 2 = x 3 + tx + (4 t + 2). Let x = x 1 t + x 0 , y = y 1 t + y 0 with x i , y i ∈ F 5 . Substitute and get (2 y 1 y 0 ) t +(2 y 2 1 + y 2 0 ) = (2 x 3 1 +3 x 1 x 2 0 + x 0 +4) t +( x 2 1 x 0 +2 x 1 + x 3 0 +2). W given by 2 y 1 y 0 = 2 x 3 1 + 3 x 1 x 2 0 + x 0 + 4 and 2 y 2 1 + y 2 0 = x 2 1 x 0 + 2 x 1 + x 3 0 + 2 (dim = 2 = [ F 25 : F 5 ]). ( x 1 , x 0 , y 1 , y 0 ) = (3 , 1 , 1 , 4) ∈ W ( F 5 ) gives P = (3 t + 1 , t + 4) ∈ E ( F 25 ). Addition on W induced by addition on E .

Recall we have E / K where K is an extension of small finite field k . We search for curves C / k lying on Weil restriction W of E with respect to extension K / k . Isomorphism from E ( K ) to W ( k ) is easy to evaluate. In this talk, we present a homomorphism from W ( k ) to Jac ( C )( k ) that is defined, instead over k . (Recall in GHS, map is defined over K .)

E / K , K extends small k , C / k lies on Weil Res’n W of E . Goal: Find homomorphism over k from W ( k ) to Jac ( C )( k ). The homomorphism: Theory Let [ K : k ] = n . So dim( W ) = n . Let η be an effective divisor on W over k (example: hyperplane intersection with W of dimension n − 1).

E / K , [ K : k ] = n , η/ k is effective divisor (dim = n − 1) on W , the Weil restriction. Let ⊕ denote addition on W . Let ˆ W be dual abelian variety to W . Think of ˆ W as degree 0 divisor classes on W . Define morphism denoted λ η : W → ˆ W by λ η ( T ) = [( T ⊕ η ) − ( η )].

Want homomorphism W ( k ) → Jac( C )( k ). Have morphism λ η : W → ˆ W by λ η ( T ) = [( T ⊕ η ) − ( η )]. Assume C ⊂ W with C / k , and C ( k ) � = ∅ . Have C ֒ → W . Factors through J =Jac( C ) (so ∃ J → W ) and induces dual morphism ˆ W → ˆ J . Can compose this with inverse of canonical principal polarization (so ∃ ˆ J → J ) to get morphism ˆ W → J .

Have morphism λ η : W → ˆ W by λ η ( T ) = [( T ⊕ η ) − ( η )]. Let [ D ] ∈ ˆ W where D is degree 0 divisor on W (dim( D ) = n − 1). Map ˆ W → J by [ D ] �→ [ D . C ] where D . C is intersection divisor. Define f η be composition W → ˆ W , ˆ W → J ; morphism defined over k . If T ∈ W then f η ( T ) = [(( T ⊕ η ) . C ) − ( η. C )]. Induces homomorphism from W ( k ) to J ( k ).

Isomorphism E ( K ) → W ( k ) easy to compute. Have homomorphism f η : W ( k ) → J ( k ) over k by f η ( T ) = [(( T ⊕ η ) . C ) − ( η. C )]. For crypto, E ( K ) chosen to have a subgroup of large prime order. If f η does not kill this subgroup, then it maps the DLP in W ( k ) to the DLP in J ( k ).

Homomorphism from W ( k ) to J ( k ) in practice Let E A / K be affine curve described by y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 where a i ∈ K and E / K be projective closure. For a variety V / K let W ( V ) denote Weil restriction with respect to K / k . Difficult to create a practical model of W = W ( E ). Instead, we and GHS use W ( E A ).

E / K , [ K : k ] = n , W is Weil rest’n. J =Jac( C ) where C ⊂ W . E A is affine piece of E . We and GHS use W ( E A ), not W = W ( E ). There’s a model of W ( E A ) in A 2 n . Take projective closure P ( W ( E A )) in P 2 n . Sadly P ( W ( E A )) �∼ = W = W ( P ( E A )). So above theory is just that . . . theory.

E A is affine model of E . We and GHS use W ( E A ), not W = W ( E ). Choose a basis { t 0 , t 1 , . . . , t n − 1 } for K / k . Replace x by � x i t i and y by � y i t i in y 2 + a 1 xy + . . . . Equate coefficients of t i and get n equations in 2 n variables x j and y j . This is model over k for W ( E A ) in A 2 n .

Have model for n -dimensional W ( E A ) in A 2 n with n equations in 2 n variables x j and y j . How to choose C ⊂ W : GHS intersect W ( E A ) with n − 1 hyperplanes to get a curve. They use an irreducible component of this intersection curve. This curve is birational to a hyperelliptic curve. Dumsani Sibanda, in his M.Sc. dissertation, intersected W ( E A ) with n − 1 hyperplanes that are all tangent to W ( E A ) at a single point. The intersection curve has a very singular point giving the curve a relatively low genus.

E / K , [ K : k ] = n , W is Weil rest’n. J =Jac( C ) where C ⊂ W . Want homomorphism W ( k ) → J ( k ) in practice. Model for W ( E A ) given by n equations in 2 n variables x j and y j . Let T ∈ W ( E A )( k ). Choose a hyperplane H ⊂ A 2 n given by � b i x i + � c i y j = d where b i , c i , d ∈ k . Let H = H ∩ W ( E A ) (our effective divisor, i.e. η ). Now f H ( T ) = [( T ⊕ H ) . C − H . C ]. Degrees of ( T ⊕ H ) . C and H . C should be same, but not.

Want homomorphism from W ( k ) to J ( k ) over k . Pick hyperplane H in A 2 n and let H = H ∩ W ( E A ). New: Pick P ∈ W ( E A )( k ). To find image of T ∈ W ( E A )( k ) = W ( k ) \ { 0 } compute f P ⊕H ( T ) = [( T ⊕ P ⊕ H ) . C − ( P ⊕ H ) . C ].

Found thousands of 5-tuples p , n , E / F p n , T 1 , T 2 with T 1 , T 2 ∈ E A ( F p n ). Let W ( E A ) be WR of E A with respect to F p n / F p . BAON let T 1 , T 2 be the images in W ( E A )( F p ). In all examples found f ( T 1 ) + f ( T 2 ) = f ( T 1 ⊕ T 2 ) in J ( F p ) and the orders of T i and f ( T i ) were always the same.

Part of the success of GHS is i) since model of curve is planar (hyperelliptic) easy to find genus. ii) since hyperelliptic they can use the index calculus generalization of Adleman, DeMarrais and Huang to solve the DLP in the Jacobian in subexponential time.

Directions for future work. 1. Create an algorithm to find the genus of non-planar curves over a finite field. 2. Create an algorithm to solve the DLP in the Jacobian of a general high genus curve over a small finite field (Diem started). 3. Find an application for our homomorphism.

Thanks to: Mzuzu University, International Centre for Theoretical Physics, Magma, Nils Bruin, Organizers of GeoCrypt 2013.