Abelian varieties, theta functions and cryptography, Part 2



slide-1
SLIDE 1

Abelian varieties, theta functions and cryptography

Part 2

Damien Robert

LFANT team, INRIA Bordeaux Sud-Ouest

08/12/2010 (Bordeaux)

slide-2
SLIDE 2

Outline

1. Abelian varieties and cryptography
2. Theta functions
3. Arithmetic
4. Pairings
5. Isogenies
6. Perspectives

Damien Robert (LFANT) Abelian varieties, theta functions and cryptography 08/12/2010 (Bordeaux) 2 / 31

slide-3
SLIDE 3

Abelian varieties and cryptography


slide-4
SLIDE 4

Abelian varieties and cryptography Discrete logarithm in cryptography

Discrete logarithm

Definition (DLP)

Let G = ⟨⟩ be a cyclic group of prime order. Let x ∈ N and h = x. The discrete logarithm log(h) is x.

Exponentiation: O(log p).
DLP: Õ(√p) (in a generic group).
⇒ Public key cryptography
⇒ Signature
⇒ Zero knowledge

$G = \mathbb{F}_p^*$: sub-exponential attacks.
⇒ Use $G = A(\mathbb{F}_q)$ where $A/\mathbb{F}_q$ is an abelian variety for the DLP.


slide-5
SLIDE 5

Abelian varieties and cryptography Discrete logarithm in cryptography

Pairing-based cryptography

Definition

A pairing is a bilinear map $e: G_1 \times G_1 \to G_2$.

Identity-based cryptography [BF03].
Short signature [BLS04].
One way tripartite Diffie–Hellman [Jou04].
Self-blindable credential certificates [Ver01].
Attribute based cryptography [SW05].
Broadcast encryption [Goy+06].

Example

The Weil and Tate pairings on abelian varieties are the only known examples of cryptographic pairings.


slide-6
SLIDE 6

Abelian varieties and cryptography Discrete logarithm in cryptography

Security of abelian varieties

            # points    DLP
1           O(q)        Õ(q^{1/2})
2           O(q^2)      Õ(q)
3           O(q^3)      Õ(q^{4/3}) (Jacobian of hyperelliptic curve)
                        Õ(q) (Jacobian of non hyperelliptic curve)
            O(q)        Õ(q^{2−2/})
> log(q)                L_{1/2}(q) = exp(O(1) log(x)^{1/2} loglog(x)^{1/2})

Security of the DLP

Weak curves (MOV attack, Weil descent, anomalous curves).
⇒ Public-key cryptography with the DLP: Elliptic curves, Jacobian of hyperelliptic curves of genus 2.
⇒ Pairing-based cryptography: Abelian varieties of dimension ⩽ 4.


slide-8
SLIDE 8

Abelian varieties and cryptography Isogenies

Isogenies

Definition

A (separable) isogeny is a finite surjective (separable) morphism between two Abelian varieties.

Isogenies = Rational map + group morphism + finite kernel.
Isogenies ⇔ Finite subgroups.
    (f: A → B) ↦ Ker f
    (A → A/H) ↤ H
Example: Multiplication by ℓ (⇒ ℓ-torsion), Frobenius (non separable).


slide-9
SLIDE 9

Abelian varieties and cryptography Isogenies

Cryptographic usage of isogenies

Transfer the DLP from one Abelian variety to another.
Point counting algorithms (ℓ-adic or p-adic) ⇒ Verify a curve is secure.
Compute the class field polynomials (CM-method) ⇒ Construct a secure curve.
Compute the modular polynomials ⇒ Compute isogenies.
Determine End(A) ⇒ CRT method for class field polynomials.


slide-10
SLIDE 10

Theta functions


slide-11
SLIDE 11

Theta functions Theta coordinates

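Complex abelian varieties and theta functions of level n

$(\vartheta_i)_{i \in Z(n)}$: basis of the theta functions of level n. ($Z(n) := \mathbb{Z}/n\mathbb{Z}$)
⇔ $A[n] = A_1[n] \oplus A_2[n]$: symplectic decomposition.

$$(\vartheta_i)_{i \in Z(n)} = \begin{cases} \text{coordinates system} & n \geqslant 3 \\ \text{coordinates on the Kummer variety } A/\pm 1 & n = 2 \end{cases}$$

Theta null point: $\vartheta_i(0)_{i \in Z(n)}$ = modular invariant.

Example (k = C)

Abelian variety over C: $A = \mathbb{C}/(\mathbb{Z} + \Omega\mathbb{Z})$; $\Omega \in \mathcal{H}(\mathbb{C})$ the Siegel upper half space (Ω symmetric, Im Ω positive definite).

$$\vartheta_i := \Theta\begin{bmatrix} 0 \\ i/n \end{bmatrix}(z, \Omega/n).$$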


slide-12
SLIDE 12

Theta functions Constructing theta functions

Jacobian of hyperelliptic curves

$C: y^2 = f(x)$, hyperelliptic curve of genus . (deg f = 2 − 1)
Divisor: formal sum $D = \sum n_i P_i$, $\deg D = \sum n_i$. $P_i \in C(k)$.
Principal divisor: $\sum_{P \in C(k)} v_P(f).P$; $f \in k(C)$.
Jacobian of C = Divisors of degree 0 modulo principal divisors + Galois action = Abelian variety of dimension .
Divisor class D ⇒ unique representative (Riemann–Roch):

$$D = \sum_{i=1}^{k} (P_i - P_\infty)$$

k ⩽ , symmetric $P_i \neq P_j$

Mumford coordinates: $D = (u, v)$ ⇒ $u = \prod (x - x_i)$, $v(x_i) = y_i$.
Cantor algorithm: addition law.
Thomae formula: convert between Mumford and theta coordinates of level 2 or 4.


slide-13
SLIDE 13

Theta functions Constructing theta functions

The modular space of theta null points of level n (char k ∤ n)

Theorem (Mumford)

The modular space $M_n$ of theta null points is:

$$\Big(\sum_{t \in Z(2)} a_{x+t} a_{y+t}\Big)\Big(\sum_{t \in Z(2)} a_{u+t} a_{v+t}\Big) = \Big(\sum_{t \in Z(2)} a_{x'+t} a_{y'+t}\Big)\Big(\sum_{t \in Z(2)} a_{u'+t} a_{v'+t}\Big),$$

with the relations of symmetry $a_x = a_{-x}$.

Abelian varieties with an n-structure = open locus of $M_n$.

If $(a_u)_{u \in Z(n)}$ is a valid theta null point, the corresponding abelian variety is given by the following equations in $\mathbb{P}_k^{n - 1}$:

$$\Big(\sum_{t \in Z(2)} X_{x+t} X_{y+t}\Big)\Big(\sum_{t \in Z(2)} a_{u+t} a_{v+t}\Big) = \Big(\sum_{t \in Z(2)} X_{x'+t} X_{y'+t}\Big)\Big(\sum_{t \in Z(2)} a_{u'+t} a_{v'+t}\Big).$$


slide-14
SLIDE 14

Theta functions Riemann relations

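The differential addition law (k = C)

$$\Big(\sum_{t \in Z(2)} \chi(t)\vartheta_{i+t}(x + y)\vartheta_{j+t}(x - y)\Big) \cdot \Big(\sum_{t \in Z(2)} \chi(t)\vartheta_{k+t}(0)\vartheta_{l+t}(0)\Big) = \Big(\sum_{t \in Z(2)} \chi(t)\vartheta_{-i'+t}(y)\vartheta_{j'+t}(y)\Big) \cdot \Big(\sum_{t \in Z(2)} \chi(t)\vartheta_{k'+t}(x)\vartheta_{l'+t}(x)\Big)$$

where $\chi \in \hat{Z}(2)$, $i, j, k, l \in Z(n)$, $(i', j', k', l') = A(i, j, k, l)$ and

$$A = \frac{1}{2}\begin{pmatrix} 1 & 1 & 1 & 1 \\ 1 & 1 & -1 & -1 \\ 1 & -1 & 1 & -1 \\ 1 & -1 & -1 & 1 \end{pmatrix}$$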


slide-15
SLIDE 15

Arithmetic


slide-16
SLIDE 16

Arithmetic

Arithmetic with low level theta functions (char k ≠ 2)

Columns: Mumford [Lan05] | Level 2 [Gau07] | Level 4
Doubling: 34M + 7S | 7M + 12S + 9m0 | 49M + 36S + 27m0
Mixed Addition: 37M + 6S
Multiplication cost in genus 2 (one step).

Columns: Montgomery | Level 2 | Jacobians | Level 4
Doubling: 5M + 4S + 1m0 | 3M + 6S + 3m0 | 3M + 5S | 9M + 10S + 5m0
Mixed Addition: 7M + 6S + 1m0
Multiplication cost in genus 1 (one step).


slide-17
SLIDE 17

Arithmetic

Arithmetic with high level theta functions [LR10a]

Algorithms for

Additions and differential additions in level 4.
Computing P ± Q in level 2 (need one square root). [LR10b]
Fast differential multiplication.

Compressing coordinates O(1):

Level 2n theta null point ⇒ 1 + ( + 1)/2 level 2 theta null points.
Level 2n ⇒ 1 + level 2 theta functions.

Decompression: n differential additions.


slide-18
SLIDE 18

Pairings


slide-19
SLIDE 19

Pairings Miller algorithm

Pairings on abelian varieties

E/k: elliptic curve.
Weil pairing: $E[\ell] \times E[\ell] \to \mu_\ell$.
$P, Q \in E[\ell]$. $\exists f_{\ell,P} \in k(E)$, $(f_{\ell,P}) = \ell(P - 0_E)$.

$$e_{W,\ell}(P, Q) = \frac{f_{\ell,P}(Q - 0_E)}{f_{\ell,Q}(P - 0_E)}.$$

Tate pairing: $e_{T,\ell}(P, Q) = f_{\ell,P}(Q - 0_E)$.
Miller algorithm: pairing with Mumford coordinates.


slide-20
SLIDE 20

Pairings Pairings with theta coordinates

The Weil and Tate pairing with theta coordinates [LR10b]

P and Q points of ℓ-torsion.

$$\begin{array}{lllll}
0_A & P & 2P & \dots & \ell P = \lambda_P^0 0_A \\
Q & P \oplus Q & 2P + Q & \dots & \ell P + Q = \lambda_P^1 Q \\
2Q & P + 2Q & & & \\
\dots & \dots & & & \\
\ell Q = \lambda_Q^0 0_A & P + \ell Q = \lambda_Q^1 P & & &
\end{array}$$

$$e_{W,\ell}(P, Q) = \frac{\lambda_P^1 \lambda_Q^0}{\lambda_P^0 \lambda_Q^1}.$$

$$e_{T,\ell}(P, Q) = \frac{\lambda_P^1}{\lambda_P^0}.$$

slide-21
SLIDE 21

Pairings Pairings with theta coordinates

Comparison with Miller algorithm

= 1: 7M + 7S + 2m0
= 2: 17M + 13S + 6m0

Tate pairing with theta coordinates, $P, Q \in A[\ell](\mathbb{F}_{q^d})$ (one step)

Columns: Miller, Doubling | Miller, Addition | Theta coordinates, One step
= 1, d even: 1M + 1S + 1m | 1M + 1m | 1M + 2S + 2m
= 1, d odd: 2M + 2S + 1m | 2M + 1m
= 2, Q degenerate + denominator elimination: 1M + 1S + 3m | 1M + 3m | 3M + 4S + 4m
= 2, General case: 2M + 2S + 18m | 2M + 18m

$P \in A[\ell](\mathbb{F}_q)$, $Q \in A[\ell](\mathbb{F}_{q^d})$ (counting only operations in $\mathbb{F}_{q^d}$).


slide-22
SLIDE 22

Isogenies


slide-23
SLIDE 23

Isogenies

Explicit isogeny computation

Given an isotropic subgroup K ⊂ A(k) compute the isogeny A ↦ A/K. (Vélu’s formula.)
Given an abelian variety compute all the isogenous varieties. (Modular polynomials.)
Given two isogenous abelian varieties A and B find the isogeny A ↦ B. (Clever use of Vélu’s formula ⇒ SEA algorithm).


slide-27
SLIDE 27

Isogenies Computing isogenies in genus 1

Vélu’s formula

Theorem

Let $E: y^2 = f(x)$ be an elliptic curve and $G \subset E(k)$ a finite subgroup. Then E/G is given by $Y^2 = (X)$ where

$$X(P) = x(P) + \sum_{Q \in G \setminus \{0_E\}} \big(x(P + Q) - x(Q)\big)$$

$$Y(P) = y(P) + \sum_{Q \in G \setminus \{0_E\}} \big(y(P + Q) - y(Q)\big)$$

Uses the fact that x and y are characterised in k(E) by

$$v_{0_E}(x) = -2, \qquad v_P(x) \geqslant 0 \text{ if } P \neq 0_E$$

$$v_{0_E}(y) = -3, \qquad v_P(y) \geqslant 0 \text{ if } P \neq 0_E$$

$$y^2/x^3(0_E) = 1$$

No such characterisation in genus ⩾ 2.
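The two sums of the theorem, run on a toy curve, as an added example that is not part of the original slides. It evaluates X(P) and Y(P) on every rational point and checks that the result is a group morphism with kernel G onto the curve $Y^2 = X^3 + a'X + b'$ given by the standard Vélu coefficients $a' = a - 5t$, $b' = b - 7w$ for short Weierstrass form. Assumptions: the curve $y^2 = x^3 + x + 1$ over $\mathbb{F}_{19}$, the order-3 generator (2, 7) and all function names are constructed for illustration.

```python
# Added illustration, not from the slides. Constructed toy data: the curve
# E: y^2 = x^3 + x + 1 over F_19 and its order-3 point (2, 7).
P_MOD, A, B = 19, 1, 1
O = None  # point at infinity (0_E on the slide)

def add(P, Q, a=A, p=P_MOD):
    """Affine group law on y^2 = x^3 + a*x + b over F_p."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                      # Q = -P (also covers doubling a 2-torsion point)
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def points(a, b, p=P_MOD):
    """All rational points by brute force (only sensible for a toy field)."""
    return [O] + [(x, y) for x in range(p) for y in range(p)
                  if (y * y - x**3 - a * x - b) % p == 0]

def subgroup(gen):
    """Cyclic subgroup generated by gen, listed as [O, gen, 2*gen, ...]."""
    G, Q = [O], gen
    while Q is not O:
        G.append(Q)
        Q = add(Q, gen)
    return G

def velu_codomain(G, a=A, b=B, p=P_MOD):
    """(a', b') with E/G: Y^2 = X^3 + a'X + b', for a subgroup G of odd order."""
    t = sum(3 * x * x + a for x, _ in G[1:]) % p
    w = sum(5 * x**3 + 3 * a * x + 2 * b for x, _ in G[1:]) % p
    return (a - 5 * t) % p, (b - 7 * w) % p

def velu_map(P, G, p=P_MOD):
    """X(P) = x(P) + sum over Q in G, Q != O, of x(P+Q) - x(Q); same for Y."""
    if P in G:
        return O                      # on rational points the kernel is exactly G
    X, Y = P
    for Q in G[1:]:
        R = add(P, Q)                 # never O here, because P is not in G
        X += R[0] - Q[0]
        Y += R[1] - Q[1]
    return (X % p, Y % p)

def check(gen=(2, 7)):
    """Verify on every rational point that the map is a morphism E -> E/G."""
    G = subgroup(gen)
    a2, b2 = velu_codomain(G)
    E, E2 = points(A, B), points(a2, b2)
    on_codomain = all(velu_map(P, G) in E2 for P in E)
    is_morphism = all(
        velu_map(add(P, Q), G) == add(velu_map(P, G), velu_map(Q, G), a=a2)
        for P in E for Q in E)
    return {"kernel": G, "codomain": (a2, b2), "orders": (len(E), len(E2)),
            "on_codomain": on_codomain, "is_morphism": is_morphism}

if __name__ == "__main__":
    print(check())
```

Both curves have the same number of rational points, as isogenous curves over a finite field must, and the image of the rational points has index 3 in the codomain.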


slide-28
SLIDE 28

Isogenies Isogenies by going down in the level

The isogeny theorem

Theorem (Mumford)

Let ℓ ∧ n = 1, and $\phi: Z(n) \to Z(\ell n)$, $x \mapsto \ell.x$ be the canonical embedding. Let $K_0 = A[\ell]_2 \subset A[\ell n]_2$.

Let $(\vartheta_i^A)_{i \in Z(\ell n)}$ be the theta functions of level ℓn on $A = \mathbb{C}/(\mathbb{Z} + \Omega\mathbb{Z})$.

Let $(\vartheta_i^B)_{i \in Z(n)}$ be the theta functions of level n of $B = A/K_0 = \mathbb{C}/(\mathbb{Z} + \frac{\Omega}{\ell}\mathbb{Z})$.

We have:

$$(\vartheta_i^B(x))_{i \in Z(n)} = (\vartheta_{\phi(i)}^A(x))_{i \in Z(n)}$$

Example

$\pi: (x_0, x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8, x_9, x_{10}, x_{11}) \mapsto (x_0, x_3, x_6, x_9)$ is a 3-isogeny between elliptic curves.


slide-29
SLIDE 29

Isogenies Isogenies by going up in the level

The contragredient isogeny [LR10a]

[Diagram: x ∈ A, y ∈ B, z ∈ A, with arrows π, π̂ and [ℓ].]

Let $\pi: A \to B$ be the isogeny associated to $(a_i)_{i \in Z(\ell n)}$. Let y ∈ B and x ∈ A be one of the ℓ antecedents. Then

$$\hat{\pi}(y) = \ell.x$$


slide-36
SLIDE 36

Isogenies Isogenies in the same level

Changing level without taking isogenies

Theorem (Koizumi-Kempf)

Let L be the space of theta functions of level ℓn and L′ the space of theta functions of level n. Let F ∈r (Z) be such that ᵗFF = ℓ Id, and $f: A^r \to A^r$ the corresponding isogeny. We have $L = f^*L'$ and the isogeny f is given by

$$f^*(\vartheta_{i_1}^{L'} \star \dots \star \vartheta_{i_r}^{L'}) = \lambda \sum_{\substack{(j_1, \dots, j_r) \in K_1(L') \times \dots \times K_1(L') \\ f(j_1, \dots, j_r) = (i_1, \dots, i_r)}} \vartheta_{j_1}^{L} \star \dots \star \vartheta_{j_r}^{L}$$

$F = \begin{pmatrix} 1 & -1 \\ -1 & 1 \end{pmatrix}$ give the Riemann relations. (For general ℓ, use the quaternions.)

⇒ Go up and down in level without taking isogenies [Cosset+R].


slide-37
SLIDE 37

Isogenies Isogenies in the same level

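Changing level and isogenies

Corollary

Let $A = \mathbb{C}/(\mathbb{Z} + \Omega\mathbb{Z})$ and $B = \mathbb{C}/(\mathbb{Z} + \ell\Omega\mathbb{Z})$. We can express the isogeny $A \to B$, $z \mapsto \ell z$ of kernel $K = \frac{1}{\ell}\mathbb{Z}/\mathbb{Z}$ in terms of the theta functions of level n on A and B:

$$\vartheta\begin{bmatrix} 0 \\ i_1 \end{bmatrix}\Big(\ell z, \ell\frac{\Omega}{n}\Big)\, \vartheta\begin{bmatrix} 0 \\ i_2 \end{bmatrix}\Big(0, \ell\frac{\Omega}{n}\Big) \dots \vartheta\begin{bmatrix} 0 \\ i_r \end{bmatrix}\Big(0, \ell\frac{\Omega}{n}\Big) = \sum_{\substack{t_1, \dots, t_r \in K \\ F(t_1, \dots, t_r) = (0, \dots, 0)}} \vartheta\begin{bmatrix} 0 \\ j_1 \end{bmatrix}\Big(X_1 + t_1, \frac{\Omega}{n}\Big) \dots \vartheta\begin{bmatrix} 0 \\ j_r \end{bmatrix}\Big(X_r + t_r, \frac{\Omega}{n}\Big),$$

where $X = F^{-1}(\ell z, 0, \dots, 0)$.

Remark

We compute the coordinates $\vartheta\begin{bmatrix} 0 \\ j_i \end{bmatrix}(X_i + t_i, \frac{\Omega}{n})$ not in A but in C thanks to the differential additions.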


slide-38
SLIDE 38

Isogenies Isogenies in the same level

A complete generalisation of Vélu’s algorithm [Cosset+R]

Compute the isogeny B → A while staying in level n.
O(ℓ) differential additions + O(ℓ) or O(ℓ^2) for the changing level.
The formulas are rational if the kernel K is rational.
Blocking part: compute K ⇒ compute all the ℓ-torsion on B.
= 2: ℓ-torsion, Õ(ℓ^6) vs O(ℓ^2) or O(ℓ^4) for the isogeny.
⇒ Work in level 2.
⇒ Convert back and forth to Mumford coordinates:

[Diagram: B, A, Jac(C_1), Jac(C_2), with the arrow π̂.]


slide-39
SLIDE 39

Perspectives


slide-40
SLIDE 40

Perspectives

The AGM and canonical lifts

The elliptic curves $E_n: y^2 = x(x - a_n^2)(x - b_n^2)$ converge over $\mathbb{Q}_{2^\alpha}$ to the canonical lift of $(E_0)_{\mathbb{F}_{2^\alpha}}$ [Mes01], where $(a_n)_{n \in \mathbb{N}}$, $(b_n)_{n \in \mathbb{N}}$ satisfy the Arithmetic Geometric Mean:

$$a_{n+1} = \frac{a_n + b_n}{2}, \qquad b_{n+1} = \sqrt{a_n b_n}$$

Generalized in all genus by looking at theta null points [Mes02].
Generalized in arbitrary characteristic p by [CL08] by looking at modular relations of degree $p^2$ on theta null points.

⇒ Point counting.
⇒ Class polynomials.


slide-41
SLIDE 41

Perspectives

Some perspectives

Improve the pairing algorithm (Ate pairing, optimal ate).
Characteristic 2 [GL09].
A SEA-like algorithm in genus 2?


slide-42
SLIDE 42

References

Bibliography

[BF03] D. Boneh and M. Franklin. “Identity-based encryption from the Weil pairing”. In: SIAM Journal on Computing 32.3 (2003), pp. 586–615.

[BLS04] D. Boneh, B. Lynn, and H. Shacham. “Short signatures from the Weil pairing”. In: Journal of Cryptology 17.4 (2004), pp. 297–319.

[CL08] R. Carls and D. Lubicz. “A p-adic quasi-quadratic time and quadratic space point counting algorithm”. In: International Mathematics Research Notices (2008).

[Gau07] P. Gaudry. “Fast genus 2 arithmetic based on Theta functions”. In: Journal of Mathematical Cryptology 1.3 (2007), pp. 243–265.

[GL09] P. Gaudry and D. Lubicz. “The arithmetic of characteristic 2 Kummer surfaces and of elliptic Kummer lines”. In: Finite Fields and Their Applications 15.2 (2009), pp. 246–260.

[Goy+06] V. Goyal, O. Pandey, A. Sahai, and B. Waters. “Attribute-based encryption for fine-grained access control of encrypted data”. In: Proceedings of the 13th ACM conference on Computer and communications security. ACM. 2006, p. 98.

[Jou04] A. Joux. “A one round protocol for tripartite Diffie–Hellman”. In: Journal of Cryptology 17.4 (2004), pp. 263–276.

[Lan05] T. Lange. “Formulae for arithmetic on genus 2 hyperelliptic curves”. In: Applicable Algebra in Engineering, Communication and Computing 15.5 (2005), pp. 295–328.

[LR10a] D. Lubicz and D. Robert. Computing isogenies between abelian varieties. HAL http://hal.archives-ouvertes.fr/hal-00446062/. Jan. 2010. arXiv:1001.2016. url: http://www.normalesup.org/~robert/pro/publications/articles/isogenies.pdf.

[LR10b] D. Lubicz and D. Robert. “Efficient pairing computation with theta functions”. In: Lecture Notes in Comput. Sci. 6197 (Jan. 2010). Ed. by G. Hanrot, F. Morain, and E. Thomé. 9th International Symposium, Nancy, France, ANTS-IX, July 19-23, 2010, Proceedings. doi: 10.1007/978-3-642-14518-6_21. url: http://www.normalesup.org/~robert/pro/publications/articles/pairings.pdf. Slides http://www.normalesup.org/~robert/publications/slides/2010-07-ants.pdf.


slide-43
SLIDE 43

Perspectives Bibliography

[Mes01] J.-F. Mestre. Lettre à Gaudry et Harley. 2001. url: http://www.math.jussieu.fr/mestre.

[Mes02] J.-F. Mestre. Notes of a talk given at the Cryptography Seminar Rennes. 2002. url: http://www.math.univ-rennes1.fr/crypto/2001-02/mestre.ps.

[SW05] A. Sahai and B. Waters. “Fuzzy identity-based encryption”. In: Advances in Cryptology–EUROCRYPT 2005 (2005), pp. 457–473.

[Ver01] E. Verheul. “Self-blindable credential certificates from the Weil pairing”. In: Advances in Cryptology–ASIACRYPT 2001 (2001), pp. 533–551.
