A Weil descent homomorphism over the base field - Darlison Nyirenda



SLIDE 1

A Weil descent homomorphism over the base field

Darlison Nyirenda and Ed Schaefer

University of Witwatersrand and Santa Clara University

October 11, 2013

SLIDE 2

A homomorphism from an abelian variety to a group with sub-exp'l DLP, that is defined over a relatively small finite field, can be useful. Examples 1 and 2: The Weil and Tate-Lichtenbaum pairings induce homomorphisms to the multiplicative group of an extension field, once a torsion point is specified. If the torsion point is defined over a relatively small extension, then the DLP is translated to a multiplicative group where the DLP is subexponential in the original data (Menezes, Okamoto & Vanstone and Frey & Rück).

SLIDE 3

We describe a third (or fourth) such homomorphism, defined over a small finite field, from an abelian variety. Get your grad student to find us an application!

SLIDE 4

Background: Weil restriction attack on ECDLP (Frey). Have E/K where K is an extension of finite field k. Search for curves C/k (of low genus) lying on Weil restriction W of E with respect to extension K/k.

Can translate ECDLP to Jac(C)(k) via a homomorphism on function fields over K, followed by trace map down to k. If C is a hyperelliptic curve of genus large wrt #k then Adleman, DeMarrais and Huang have subexponential algorithm to solve DLP in Jac(C)(k). Weil restriction attack first made practical (in certain cases) by Gaudry, Hess & Smart.

SLIDE 5

Quick tutorial on Weil restriction. Let $\mathbb{F}_{25} = \mathbb{F}_5[t]/(t^2 - 2)$. Define $E : y^2 = x^3 + tx + (4t + 2)$. Let $x = x_1 t + x_0$, $y = y_1 t + y_0$ with $x_i, y_i \in \mathbb{F}_5$. Substitute and get

$$(2y_1y_0)t + (2y_1^2 + y_0^2) = (2x_1^3 + 3x_1x_0^2 + x_0 + 4)t + (x_1^2x_0 + 2x_1 + x_0^3 + 2).$$

W given by $2y_1y_0 = 2x_1^3 + 3x_1x_0^2 + x_0 + 4$ and $2y_1^2 + y_0^2 = x_1^2x_0 + 2x_1 + x_0^3 + 2$ ($\dim = 2 = [\mathbb{F}_{25} : \mathbb{F}_5]$).

$(x_1, x_0, y_1, y_0) = (3, 1, 1, 4) \in W(\mathbb{F}_5)$ gives $P = (3t + 1, t + 4) \in E(\mathbb{F}_{25})$. Addition on W induced by addition on E.
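An added Python check of this tutorial (not part of the original slides): it confirms that the two equations for W cut out exactly the affine points of E(F25), and adds points of W through the chord-and-tangent law on E. The function names and the encoding of a1·t + a0 as the pair (a1, a0) are choices made for this example.

```python
from itertools import product

CHAR = 5  # base field k = F_5; K = F_25 = F_5[t]/(t^2 - 2)

# An element a1*t + a0 of F_25 is stored as the pair (a1, a0).
def add(a, b): return ((a[0] + b[0]) % CHAR, (a[1] + b[1]) % CHAR)
def sub(a, b): return ((a[0] - b[0]) % CHAR, (a[1] - b[1]) % CHAR)
def mul(a, b):  # reduces with t^2 = 2
    return ((a[0]*b[1] + a[1]*b[0]) % CHAR, (2*a[0]*b[0] + a[1]*b[1]) % CHAR)
def inv(a):     # a^24 = 1 for a != 0, so a^-1 = a^23
    r = (0, 1)
    for _ in range(23):
        r = mul(r, a)
    return r

A4, A6 = (1, 0), (4, 2)  # E: y^2 = x^3 + t*x + (4t + 2)

def on_E(x, y):
    return mul(y, y) == add(add(mul(mul(x, x), x), mul(A4, x)), A6)

def on_W(x1, x0, y1, y0):
    # Coefficient of t, then the constant term, as written on the slide.
    e1 = 2*y1*y0 - (2*x1**3 + 3*x1*x0**2 + x0 + 4)
    e0 = 2*y1**2 + y0**2 - (x1**2*x0 + 2*x1 + x0**3 + 2)
    return e1 % CHAR == 0 and e0 % CHAR == 0

def to_E(v):  # W(k) -> E(K): (x1, x0, y1, y0) -> (x1*t + x0, y1*t + y0)
    return ((v[0], v[1]), (v[2], v[3]))

def ec_add(p, q):  # group law on E; None stands for the point at infinity
    if p is None: return q
    if q is None: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and add(y1, y2) == (0, 0):
        return None
    if p == q:   # tangent slope (3*x1^2 + a4) / (2*y1)
        num, den = add(mul((0, 3), mul(x1, x1)), A4), mul((0, 2), y1)
    else:        # chord slope
        num, den = sub(y2, y1), sub(x2, x1)
    lam = mul(num, inv(den))
    x3 = sub(sub(mul(lam, lam), x1), x2)
    return (x3, sub(mul(lam, sub(x1, x3)), y1))

def w_add(u, v):  # addition on W induced by addition on E
    r = ec_add(to_E(u), to_E(v))
    return None if r is None else r[0] + r[1]

W_POINTS = [v for v in product(range(CHAR), repeat=4) if on_W(*v)]

if __name__ == "__main__":
    T = (3, 1, 1, 4)  # the slide's point, P = (3t + 1, t + 4)
    print(len(W_POINTS), "affine points; T on W:", on_W(*T), "; 2T =", w_add(T, T))
```
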

SLIDE 6

Recall we have E/K where K is an extension of small finite field k. We search for curves C/k lying on Weil restriction W of E with respect to extension K/k. Isomorphism from E(K) to W(k) is easy to evaluate. In this talk, we present a homomorphism from W(k) to Jac(C)(k) that is defined, instead, over k. (Recall in GHS, map is defined over K.)

SLIDE 7

E/K, K extends small k, C/k lies on Weil Res'n W of E. Goal: Find homomorphism over k from W(k) to Jac(C)(k).

The homomorphism: Theory

Let [K : k] = n. So dim(W) = n. Let η be an effective divisor on W over k (example: hyperplane intersection with W of dimension n − 1).

SLIDE 8

E/K, [K : k] = n, η/k is effective divisor (dim = n − 1) on W, the Weil restriction. Let ⊕ denote addition on W. Let $\hat{W}$ be dual abelian variety to W. Think of $\hat{W}$ as degree 0 divisor classes on W. Define morphism denoted $\lambda_\eta : W \to \hat{W}$ by $\lambda_\eta(T) = [(T \oplus \eta) - (\eta)]$.

SLIDE 9

Want homomorphism W(k) → Jac(C)(k). Have morphism $\lambda_\eta : W \to \hat{W}$ by $\lambda_\eta(T) = [(T \oplus \eta) - (\eta)]$. Assume C ⊂ W with C/k, and C(k) ≠ ∅. Have $C \hookrightarrow W$. Factors through J = Jac(C) (so ∃ J → W) and induces dual morphism $\hat{W} \to \hat{J}$. Can compose this with inverse of canonical principal polarization (so ∃ $\hat{J} \to J$) to get morphism $\hat{W} \to J$.

SLIDE 10

Have morphism $\lambda_\eta : W \to \hat{W}$ by $\lambda_\eta(T) = [(T \oplus \eta) - (\eta)]$. Let [D] ∈ $\hat{W}$ where D is degree 0 divisor on W (dim(D) = n − 1). Map $\hat{W} \to J$ by $[D] \mapsto [D.C]$ where D.C is intersection divisor. Define $f_\eta$ to be composition $W \to \hat{W}$, $\hat{W} \to J$; morphism defined over k. If T ∈ W then $f_\eta(T) = [((T \oplus \eta).C) - (\eta.C)]$. Induces homomorphism from W(k) to J(k).

SLIDE 11
SLIDE 12

Isomorphism E(K) → W(k) easy to compute. Have homomorphism $f_\eta : W(k) \to J(k)$ over k by $f_\eta(T) = [((T \oplus \eta).C) - (\eta.C)]$. For crypto, E(K) chosen to have a subgroup of large prime order. If $f_\eta$ does not kill this subgroup, then it maps the DLP in W(k) to the DLP in J(k).

SLIDE 13

Homomorphism from W(k) to J(k) in practice

Let $E_A/K$ be affine curve described by $y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$ where $a_i \in K$ and E/K be projective closure. For a variety V/K let W(V) denote Weil restriction with respect to K/k. Difficult to create a practical model of W = W(E). Instead, we and GHS use $W(E_A)$.

SLIDE 14

E/K, [K : k] = n, W is Weil rest'n. J = Jac(C) where C ⊂ W. $E_A$ is affine piece of E. We and GHS use $W(E_A)$, not W = W(E). There's a model of $W(E_A)$ in $\mathbb{A}^{2n}$. Take projective closure $P(W(E_A))$ in $\mathbb{P}^{2n}$. Sadly $P(W(E_A)) \not\cong W = W(P(E_A))$. So above theory is just that . . . theory.

SLIDE 15

$E_A$ is affine model of E. We and GHS use $W(E_A)$, not W = W(E). Choose a basis $\{t_0, t_1, \ldots, t_{n-1}\}$ for K/k. Replace x by $\sum x_i t_i$ and y by $\sum y_i t_i$ in $y^2 + a_1xy + \ldots$. Equate coefficients of $t_i$ and get n equations in 2n variables $x_j$ and $y_j$. This is model over k for $W(E_A)$ in $\mathbb{A}^{2n}$.
SLIDE 16

Have model for n-dimensional $W(E_A)$ in $\mathbb{A}^{2n}$ with n equations in 2n variables $x_j$ and $y_j$. How to choose C ⊂ W: GHS intersect $W(E_A)$ with n − 1 hyperplanes to get a curve. They use an irreducible component of this intersection curve. This curve is birational to a hyperelliptic curve. Dumsani Sibanda, in his M.Sc. dissertation, intersected $W(E_A)$ with n − 1 hyperplanes that are all tangent to $W(E_A)$ at a single point. The intersection curve has a very singular point giving the curve a relatively low genus.

SLIDE 17

E/K, [K : k] = n, W is Weil rest'n. J = Jac(C) where C ⊂ W. Want homomorphism W(k) → J(k) in practice. Model for $W(E_A)$ given by n equations in 2n variables $x_j$ and $y_j$. Let $T \in W(E_A)(k)$. Choose a hyperplane $\mathcal{H} \subset \mathbb{A}^{2n}$ given by $\sum b_i x_i + \sum c_i y_i = d$ where $b_i, c_i, d \in k$. Let $H = \mathcal{H} \cap W(E_A)$ (our effective divisor, i.e. η). Now $f_H(T) = [(T \oplus H).C - H.C]$. Degrees of $(T \oplus H).C$ and $H.C$ should be same, but not.

SLIDE 18

Want homomorphism from W(k) to J(k) over k. Pick hyperplane $\mathcal{H}$ in $\mathbb{A}^{2n}$ and let $H = \mathcal{H} \cap W(E_A)$. New: Pick $P \in W(E_A)(k)$. To find image of $T \in W(E_A)(k) = W(k) \setminus \{0\}$ compute $f_{P \oplus H}(T) = [(T \oplus P \oplus H).C - (P \oplus H).C]$.

SLIDE 19
SLIDE 20

Found thousands of 5-tuples $p, n, E/\mathbb{F}_{p^n}, T_1, T_2$ with $T_1, T_2 \in E_A(\mathbb{F}_{p^n})$. Let $W(E_A)$ be WR of $E_A$ with respect to $\mathbb{F}_{p^n}/\mathbb{F}_p$. BAON let $T_1, T_2$ be the images in $W(E_A)(\mathbb{F}_p)$. In all examples found $f(T_1) + f(T_2) = f(T_1 \oplus T_2)$ in $J(\mathbb{F}_p)$ and the orders of $T_i$ and $f(T_i)$ were always the same.

SLIDE 21

Part of the success of GHS is i) since model of curve is planar (hyperelliptic) easy to find genus. ii) since hyperelliptic they can use the index calculus generalization of Adleman, DeMarrais and Huang to solve the DLP in the Jacobian in subexponential time.

SLIDE 22

Directions for future work.

1. Create an algorithm to find the genus of non-planar curves over a finite field.
2. Create an algorithm to solve the DLP in the Jacobian of a general high genus curve over a small finite field (Diem started).
3. Find an application for our homomorphism.
SLIDE 23

Thanks to: Mzuzu University, International Centre for Theoretical Physics, Magma, Nils Bruin, Organizers of GeoCrypt 2013.