Abelian varieties, theta functions and cryptography, Part 2 (Damien Robert)

  1. Abelian varieties, theta functions and cryptography, Part 2. Damien Robert (LFANT team, INRIA Bordeaux Sud-Ouest). 08/12/2010 (Bordeaux).

  2. Outline: 1 Abelian varieties and cryptography; 2 Theta functions; 3 Arithmetic; 4 Pairings; 5 Isogenies; 6 Perspectives.
     Damien Robert (LFANT) Abelian varieties, theta functions and cryptography 08/12/2010 (Bordeaux) 2 / 31

  3. Abelian varieties and cryptography. Outline: 1 Abelian varieties and cryptography; 2 Theta functions; 3 Arithmetic; 4 Pairings; 5 Isogenies; 6 Perspectives.

  4. Abelian varieties and cryptography: Discrete logarithm in cryptography
     Discrete logarithm
     Definition (DLP): Let G = ⟨  ⟩ be a cyclic group of prime order. Let x ∈ N and h =  x . The discrete logarithm log  ( h ) is x.
     Exponentiation: O(log p). DLP: Õ(√p) (in a generic group).
     ⇒ Public key cryptography
     ⇒ Signature
     ⇒ Zero knowledge
     G = F_p^*: sub-exponential attacks.
     ⇒ Use G = A(F_q) where A/F_q is an abelian variety for the DLP.

  5. Abelian varieties and cryptography: Discrete logarithm in cryptography
     Pairing-based cryptography
     Definition: A pairing is a bilinear map e : G_1 × G_1 → G_2.
     - Identity-based cryptography [BF03].
     - Short signature [BLS04].
     - One way tripartite Diffie–Hellman [Jou04].
     - Self-blindable credential certificates [Ver01].
     - Attribute based cryptography [SW05].
     - Broadcast encryption [Goy+06].
     Example: The Weil and Tate pairings on abelian varieties are the only known examples of cryptographic pairings.

  6. Abelian varieties and cryptography: Discrete logarithm in cryptography
     Security of abelian varieties

     |            | # points | DLP |
     |------------|----------|-----|
     | 1          | O(q)     | Õ(q^(1/2)) |
     | 2          | O(q^2)   | Õ(q) |
     | 3          | O(q^3)   | Õ(q^(4/3)) (Jacobian of hyperelliptic curve); Õ(q) (Jacobian of non hyperelliptic curve) |
     |            | O(q^ )   | Õ(q^(2 − 2/ )) |
     |  > log(q)  | O(q^ )   | L_{1/2}(q^ ) = exp(O(1) log(x)^(1/2) loglog(x)^(1/2)) |

     Security of the DLP: weak curves (MOV attack, Weil descent, anomalous curves).
     ⇒ Public-key cryptography with the DLP: Elliptic curves, Jacobian of hyperelliptic curves of genus 2.
     ⇒ Pairing-based cryptography: Abelian varieties of dimension  ⩽ 4.

  8. Abelian varieties and cryptography: Isogenies
     Isogenies
     Definition: A (separable) isogeny is a finite surjective (separable) morphism between two Abelian varieties.
     Isogenies = Rational map + group morphism + finite kernel.
     Isogenies ⇔ Finite subgroups:
       (f : A → B) ↦ Ker f
       (A → A/H) ↤ H
     Example: Multiplication by ℓ (⇒ ℓ-torsion), Frobenius (non separable).

  9. Abelian varieties and cryptography: Isogenies
     Cryptographic usage of isogenies
     - Transfer the DLP from one Abelian variety to another.
     - Point counting algorithms (ℓ-adic or p-adic) ⇒ Verify a curve is secure.
     - Compute the class field polynomials (CM-method) ⇒ Construct a secure curve.
     - Compute the modular polynomials ⇒ Compute isogenies.
     - Determine End(A) ⇒ CRT method for class field polynomials.

  10. Theta functions. Outline: 1 Abelian varieties and cryptography; 2 Theta functions; 3 Arithmetic; 4 Pairings; 5 Isogenies; 6 Perspectives.

  11. Theta functions: Theta coordinates
      Complex abelian varieties and theta functions of level n
      (Z(n) := Z  / n Z  )
      (ϑ_i)_{i ∈ Z(n)}: basis of the theta functions of level n
        ⇔ A[n] = A_1[n] ⊕ A_2[n]: symplectic decomposition.
      (ϑ_i)_{i ∈ Z(n)} = coordinates system (n ⩾ 3); coordinates on the Kummer variety A/±1 (n = 2).
      Theta null point: ϑ_i(0)_{i ∈ Z(n)} = modular invariant.
      Example (k = C): Abelian variety over C: A = C  /( Z  + Ω Z  ); Ω ∈ H  ( C ) the Siegel upper half space (Ω symmetric, Im Ω positive definite).
      ϑ_i := Θ[0, i/n](z, Ω/n), where [0, i/n] is the characteristic.

  12. Theta functions: Constructing theta functions
      Jacobian of hyperelliptic curves
      C : y^2 = f(x), hyperelliptic curve of genus  . (deg f = 2  − 1)
      Divisor: formal sum D = ∑ n_i P_i, P_i ∈ C(k). deg D = ∑ n_i.
      Principal divisor: ∑_{P ∈ C(k)} v_P(f).P; f ∈ k(C).
      Jacobian of C = Divisors of degree 0 modulo principal divisors + Galois action = Abelian variety of dimension  .
      Divisor class D ⇒ unique representative (Riemann–Roch): D = ∑_{i=1}^{k} (P_i − P_∞), k ⩽  , symmetric P_i ≠ P_j.
      Mumford coordinates: D = (u, v) ⇒ u = ∏(x − x_i), v(x_i) = y_i.
      Cantor algorithm: addition law.
      Thomae formula: convert between Mumford and theta coordinates of level 2 or 4.

  13. Theta functions: Constructing theta functions
      The modular space of theta null points of level n (char k ∤ n)
      Theorem (Mumford): The modular space M_n of theta null points is:
      $$\Big(\sum_{t \in Z(2)} a_{x+t}\, a_{y+t}\Big)\Big(\sum_{t \in Z(2)} a_{u+t}\, a_{v+t}\Big) = \Big(\sum_{t \in Z(2)} a_{x'+t}\, a_{y'+t}\Big)\Big(\sum_{t \in Z(2)} a_{u'+t}\, a_{v'+t}\Big),$$
      with the relations of symmetry a_x = a_{−x}.
      Abelian varieties with an n-structure = open locus of M_n.
      If (a_u)_{u ∈ Z(n)} is a valid theta null point, the corresponding abelian variety is given by the following equations in P n  − 1 k :
      $$\Big(\sum_{t \in Z(2)} X_{x+t}\, X_{y+t}\Big)\Big(\sum_{t \in Z(2)} a_{u+t}\, a_{v+t}\Big) = \Big(\sum_{t \in Z(2)} X_{x'+t}\, X_{y'+t}\Big)\Big(\sum_{t \in Z(2)} a_{u'+t}\, a_{v'+t}\Big).$$

  14. Theta functions: Riemann relations
      The differential addition law (k = C)
      $$\Big(\sum_{t \in Z(2)} \chi(t)\, \vartheta_{i+t}(x+y)\, \vartheta_{j+t}(x-y)\Big) \cdot \Big(\sum_{t \in Z(2)} \chi(t)\, \vartheta_{k+t}(0)\, \vartheta_{l+t}(0)\Big) = \Big(\sum_{t \in Z(2)} \chi(t)\, \vartheta_{-i'+t}(y)\, \vartheta_{j'+t}(y)\Big) \cdot \Big(\sum_{t \in Z(2)} \chi(t)\, \vartheta_{k'+t}(x)\, \vartheta_{l'+t}(x)\Big),$$
      where $\chi \in \hat{Z}(2)$, $i, j, k, l \in Z(n)$, $(i', j', k', l') = A(i, j, k, l)$ and
      $$A = \frac{1}{2}\begin{pmatrix} 1 & 1 & 1 & 1 \\ 1 & 1 & -1 & -1 \\ 1 & -1 & 1 & -1 \\ 1 & -1 & -1 & 1 \end{pmatrix}.$$

  15. Arithmetic. Outline: 1 Abelian varieties and cryptography; 2 Theta functions; 3 Arithmetic; 4 Pairings; 5 Isogenies; 6 Perspectives.

  16. Arithmetic: Arithmetic with low level theta functions (char k ≠ 2)
      Multiplication cost in genus 2 (one step):
      - Mumford [Lan05]: Doubling 34M + 7S; Mixed Addition 37M + 6S
      - Level 2 [Gau07]: 7M + 12S + 9m_0
      - Level 4: 49M + 36S + 27m_0
      Multiplication cost in genus 1 (one step):
      - Montgomery: 5M + 4S + 1m_0
      - Level 2: 3M + 6S + 3m_0
      - Jacobians: Doubling 3M + 5S; Mixed Addition 7M + 6S + 1m_0
      - Level 4: 9M + 10S + 5m_0

  17. Arithmetic: Arithmetic with high level theta functions
      [LR10a] Algorithms for additions and differential additions in level 4.
      Computing P ± Q in level 2 (need one square root).
      [LR10b] Fast differential multiplication.
      Compressing coordinates O(1):
        Level 2n theta null point ⇒ 1 +  (  + 1 )/ 2 level 2 theta null points.
        Level 2n ⇒ 1 +  level 2 theta functions.
        Decompression: n  differential additions.

  18. Pairings. Outline: 1 Abelian varieties and cryptography; 2 Theta functions; 3 Arithmetic; 4 Pairings; 5 Isogenies; 6 Perspectives.
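
The asymmetry stated on the "Discrete logarithm" slide (exponentiation in O(log p) group operations, generic DLP in about √p), as an added example that is not part of the original slides. The toy group, the generator name `GEN` and all function names are assumptions chosen for illustration; the operation counter makes the two costs visible.

```python
from math import isqrt

# Constructed toy group (not from the slides): the prime-order subgroup of F_p^*.
P_MOD = 2039          # prime, P_MOD = 2 * ORDER + 1
ORDER = 1019          # prime order of the subgroup of squares
GEN = 4               # 4 = 2^2 is a square != 1, so it has order ORDER

def mul(a, b, p, ops):
    ops[0] += 1                          # count one group operation
    return a * b % p

def power(g, x, p, ops):
    """Square-and-multiply: at most 2 * bitlength(x) group operations."""
    r = 1
    for bit in bin(x)[2:]:
        r = mul(r, r, p, ops)
        if bit == "1":
            r = mul(r, g, p, ops)
    return r

def bsgs(g, h, p, n, ops):
    """Baby-step giant-step: x with g^x = h, in at most 2*ceil(sqrt(n)) operations."""
    m = isqrt(n - 1) + 1                 # ceil(sqrt(n))
    table, cur = {}, 1
    for j in range(m):                   # baby steps: store g^j
        table.setdefault(cur, j)
        cur = mul(cur, g, p, ops)
    step = pow(cur, -1, p)               # g^(-m); the single inversion is not counted
    cur = h
    for i in range(m):                   # giant steps: h * g^(-i*m)
        if cur in table:
            return (i * m + table[cur]) % n
        cur = mul(cur, step, p, ops)
    return None                          # h is not in the subgroup generated by g
```

Doubling the bit length of the group order adds a constant number of operations to `power` but squares the work of `bsgs`, which is why a prime-order group of about 2^256 elements is used for a 128-bit generic security level.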
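
The genus 1 "Montgomery" entry and the differential additions of the arithmetic slides, as an added example that is not part of the original slides: an x-only Montgomery ladder, which works on the Kummer line E/±1 and is checked against ordinary affine arithmetic. The toy curve, its parameters and all function names are assumptions chosen for illustration.

```python
P, A = 1019, 6    # constructed toy curve y^2 = x^3 + A*x^2 + x over F_P; P % 4 == 3
A24 = (A + 2) * pow(4, -1, P) % P    # (A + 2)/4, the constant used in doubling

def xdbl(X, Z):                      # x([2]R) from x(R) = X/Z
    s, d = (X + Z) ** 2 % P, (X - Z) ** 2 % P
    c = (s - d) % P                  # equals 4*X*Z
    return s * d % P, c * (d + A24 * c) % P

def xadd(X1, Z1, X2, Z2, X0, Z0):
    """x(R+S) from x(R), x(S) and the known difference x(R-S) = X0/Z0."""
    u = (X1 - Z1) * (X2 + Z2) % P
    v = (X1 + Z1) * (X2 - Z2) % P
    return Z0 * (u + v) ** 2 % P, X0 * (u - v) ** 2 % P

def ladder(k, x):
    """x([k]Q) from x = x(Q) != 0 only; None means the identity."""
    R0, R1 = (1, 0), (x, 1)          # invariant: R1 - R0 = Q
    for bit in bin(k)[2:]:
        if bit == "1":
            R0, R1 = xadd(*R0, *R1, x, 1), xdbl(*R1)
        else:
            R0, R1 = xdbl(*R0), xadd(*R0, *R1, x, 1)
    return None if R0[1] == 0 else R0[0] * pow(R0[1], -1, P) % P

def affine_add(a, b):
    """Reference group law on full (x, y) points; None is the identity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = (3 * x1 * x1 + 2 * A * x1 + 1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - A - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def affine_mul(k, pt):
    acc = None
    for bit in bin(k)[2:]:
        acc = affine_add(acc, acc)
        acc = affine_add(acc, pt) if bit == "1" else acc
    return acc

def sample_point():
    """First affine point with x != 0 and y != 0 (P % 4 == 3 gives the root)."""
    pts = ((x, pow(x**3 + A*x*x + x, (P + 1) // 4, P)) for x in range(1, P))
    return next((x, y) for x, y in pts if y and (y*y - x**3 - A*x*x - x) % P == 0)
```

Every ladder step performs one `xdbl` and one `xadd` whatever the key bit is, and the ladder returns the same value for Q and −Q, which is exactly the information kept by coordinates on A/±1.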
