Computing optimal pairings on abelian varieties with theta functions - PowerPoint PPT Presentation

Computing optimal pairings on abelian varieties with theta functions 10/02/2011 (Luminy) David Lubicz 1,2 , Damien Robert 3 1 CÉLAR 2 IRMAR, Université de Rennes 1 1 LFANT Team, IMB & Inria Bordeaux Sud-Ouest

Motivations Miller’s algorithm Abelian varieties Theta functions Optimal pairings Outline 1 Motivations 2 Miller’s algorithm 3 Abelian varieties 4 Theta functions 5 Optimal pairings

Motivations Miller’s algorithm Abelian varieties Theta functions Optimal pairings Discrete logarithm Definition (DLP) Let G = 〈 g 〉 be a cyclic group of prime order. Let x ∊ � and h = g x . The discrete logarithm log g ( h ) is x . O ( � p ) (in a generic group). Exponentiation: O ( log p ) . DLP: � The DLP is supposed to be difficult to solve in � ∗ q , E ( � q ) , J ( � q ) , A ( � q ) . ⇒ The DLP yields good candidates for one way functions.

Motivations Miller’s algorithm Abelian varieties Theta functions Optimal pairings Pairings Definition Let G 1 and G 2 be two cyclic groups of prime order. A pairing is a (non degenerate) bilinear application e : G 1 × G 1 → G 2 . If the pairing e can be computed easily, the difficulty of the DLP in G 1 reduces to the difficulty of the DLP in G 2 . ⇒ MOV attacks on elliptic curves.

Motivations One way tripartite Diffie–Hellman [Jou04]. Example (Identity-based cryptography) Broadcast encryption [GPSW06]. Miller’s algorithm Self-blindable credential certificates [Ver01]. Attribute based cryptography [SW05]. Short signature [BLS04]. Identity-based cryptography [BF03]. Cryptographic applications of pairings Optimal pairings Theta functions Abelian varieties Master key: ( P , sP ) , s . s ∊ � , P ∊ G 1 . Derived key: Q , sQ . Q ∊ G 1 . Encryption, m ∊ G 2 : m ′ = m ⊕ e ( Q , sP ) r , rP . r ∊ � . Decryption: m = m ′ ⊕ e ( sQ , rP ) .

Motivations associated to this principal divisor. Proof. Miller’s algorithm pairing: the Weil pairing. The Weil pairing on elliptic curves Optimal pairings Abelian varieties Theta functions Let E : y 2 = x 3 + ax + b be an elliptic curve over k ( car k ̸ = 2,3 ). Let P , Q ∊ E [ ℓ ] be points of ℓ -torsion. The divisor [ ℓ ] ∗ ( Q − 0 ) is trivial, let g Q ∊ k ( E ) be a function g Q ( x + P ) The function x �→ is constant and is equal to a ℓ -th root g Q ( x ) ∗ . of unity e W , ℓ ( P , Q ) in k If f Q is a function associated to the principal divisor ℓ Q − ℓ 0 , we have ( g ℓ Q ) = [ ℓ ]( g Q ) = [ ℓ ] ∗ [ ℓ ]( Q − 0 ) = [ ℓ ] ∗ ( f Q ) = ( f Q ◦ [ ℓ ]) so g Q ( x + P ) ℓ = f Q ( ℓ x + ℓ P ) = f Q ( ℓ x ) = g Q ( x ) ℓ and e W , ℓ ( P , Q ) ℓ = 1 . The application e W , ℓ : E [ ℓ ] × E [ ℓ ] → µ ℓ ( k ) is a non degenerate

Motivations Miller’s algorithm Abelian varieties Theta functions Optimal pairings Computing the Weil pairing By Weil reciprocity, we have: we define the Miller’s functions: Definition Let f P be a function associated to the principal divisor ℓ ( P − 0 ) , and f Q to ℓ ( Q − 0 ) . e W , ℓ ( P , Q ) = f Q ( P − 0 ) f P ( Q − 0 ) . We need to compute the functions f P and f Q . More generally, Let λ ∊ � and X ∊ E [ ℓ ] , we define f λ , X ∊ k ( E ) to be a function thus that: ( f λ , X ) = λ ( X ) − ([ λ ] X ) − ( λ − 1 )( 0 ) .

Motivations Miller’s algorithm Abelian varieties Theta functions Optimal pairings Miller’s algorithm The key idea in Miller’s algorithm is that f λ + µ , X = f λ , X f µ , X f λ , µ , X where f λ , µ , X is a function associated to the divisor ([ λ + µ ] X ) − ([ λ ] X ) − ([ µ ] X ) + ( 0 ) . We can compute f λ , µ , X using the addition law in E : if [ λ ] X = ( x 1 , y 1 ) and [ µ ] X = ( x 2 , y 2 ) and α = ( y 1 − y 2 ) / ( x 1 − x 2 ) , we have f λ , µ , X = y − α ( x − x 1 ) − y 1 x + ( x 1 + x 2 ) − α 2 .

Motivations The Tate pairing is a non degenerate bilinear application given This final exponentiation allows to save some computations. For We normalise the Tate pairing by going to the power of Miller’s algorithm by are killed by the final exponentiation. Definition Tate pairing Abelian varieties Theta functions Optimal pairings Let E / � q be an elliptic curve of cardinal divisible by ℓ . Let d be the smallest number thus that ℓ | q d − 1 : we call d the embedding degree. � q d is constructed from � q by adjoining all the ℓ -th root of unity. ℓ � ∗ q d / � ∗ e T : E ( � q d ) /ℓ E ( � q d ) × E [ ℓ ]( � q ) −→ . q d ( P , Q ) �−→ f Q (( P ) − ( 0 )) If ℓ 2 ∤ E ( � q d ) then E ( � q d ) /ℓ E ( � q d ) ≃ E [ ℓ ]( � q d ) . ( q d − 1 ) /ℓ . instance if d = 2 d ′ is even, we can suppose that P = ( x 2 , y 2 ) with x 2 ∊ E ( � q d ′ ) . Then the denominators of f λ , µ , Q are ℓ -th powers and

Motivations Return Abelian varieties Theta functions Optimal pairings Miller’s algorithm Computing Tate pairing Miller’s algorithm Input: ℓ ∊ � , Q = ( x 1 , y 1 ) ∊ E [ ℓ ]( � q ) , P = ( x 2 , y 2 ) ∊ E ( � q d ) . Output: e T ( P , Q ) . � I i = 0 b i 2 i . Let Compute the binary decomposition: ℓ : = T = Q , f 1 = 1, f 2 = 1 . For i in [ I ..0 ] compute α , the slope of the tangent of E at T . T = 2 T . T = ( x 3 , y 3 ) . f 1 = f 2 1 ( y 2 − α ( x 2 − x 3 ) − y 3 ) , f 2 = f 2 2 ( x 2 + ( x 1 + x 3 ) − α 2 ) . If b i = 1 , then compute α , the slope of the line going through Q and T . T = T + Q . T = ( x 3 , y 3 ) . f 1 = f 2 1 ( y 2 − α ( x 2 − x 3 ) − y 3 ) , f 2 = f 2 ( x 2 + ( x 1 + x 3 ) − α 2 ) . � f 1 � qd − 1 ℓ . f 2

Motivations Miller’s algorithm Abelian varieties Theta functions Optimal pairings Abelian varieties Definition An Abelian variety is a complete connected group variety over a base Abelian variety = points on a projective space (locus of homogeneous polynomials) + an abelian group law given by rational functions. Example field k . Elliptic curves= Abelian varieties of dimension 1 . If C is a (smooth) curve of genus g , its Jacobian is an abelian variety of dimension g .

Motivations Pairing on abelian varieties We can then define the Weil pairing: Miller’s algorithm Likewise, we can extend the Tate pairing to abelian varieties. Optimal pairings Theta functions Abelian varieties Let Q ∊ � A [ ℓ ] . By definition of the dual abelian variety, Q is a divisor of degree 0 on A such that ℓ Q is principal. Let f Q ∊ k ( A ) be a function associated to ℓ Q . Let P ∊ A [ ℓ ] . Since � � A ≃ A , we can see P as a divisor of degree 0 on A . ℓ ( P ) is then a principal divisor ( f P ) where f P ∊ k ( � � A ) . e W , ℓ : A [ ℓ ] × � A [ ℓ ] −→ µ ℓ ( k ) . f Q ( P ) ( P , Q ) �−→ f P ( Q )

Motivations Miller’s algorithm Abelian varieties Theta functions Optimal pairings Pairings and polarizations If Θ is an ample divisor, the polarisation ϕ Θ is a morphism A → � A , x �→ t ∗ x Θ − Θ . We can then compose the Weil and Tate pairings with ϕ Θ : e W , Θ , ℓ : A [ ℓ ] × A [ ℓ ] −→ µ ℓ ( k ) . ( P , Q ) �−→ e W , ℓ ( P , ϕ Θ ( Q )) More explicitly, if f P and f Q are the functions associated to the principal divisors ℓ t ∗ P Θ − ℓ Θ and ℓ t ∗ Q Θ − ℓ Θ we have e W , Θ , ℓ ( P , Q ) = f Q ( P − 0 ) f P ( Q − 0 ) .

Motivations Miller’s algorithm Abelian varieties Theta functions Optimal pairings Cryptographic usage of pairings on abelian varieties abelian varieties in function of the security parameters. Supersingular elliptic curves have a too small embedding degree. [RS09] says that for the current security parameters, optimal supersingular abelian varieties of small dimension are is richer. The moduli space of abelian varieties of dimension g is a space of dimension g ( g + 1 ) / 2 . We have more liberty to find optimal of dimension 4 . If A is an abelian variety of dimension g , A [ ℓ ] is a ( � /ℓ � ) -module of dimension 2 g ⇒ the structure of pairings on abelian varieties

Motivations easy to extend Miller’s algorithm to compute the Tate and Weil What about more general abelian varieties? We don’t have pairings on elliptic curves. Miller’s algorithm Mumford coordinates. Computing pairings on abelian varieties Optimal pairings Theta functions Abelian varieties If J is the Jacobian of an hyperelliptic curve H of genus g , it is pairing on J . For instance if g = 2 , the function f λ , µ , Q is of the form y − l ( x ) ( x − x 1 )( x − x 2 ) where l is of degree 3 . If P is a degenerate divisor ( P is a sum of only one point on the curve H ), the evaluation f Q ( P ) is faster than for a general divisor (which would be a sum of g points on the curve H ). ⇒ Pairings on Jacobians of genus 2 curves can be competitive with