Efficient pairing computation with theta functions. ANTS IX David - - PowerPoint PPT Presentation



SLIDE 1

Efficient pairing computation with theta functions.

ANTS IX

David Lubicz (1,2), Damien Robert (3)

(1) CÉLAR, (2) IRMAR, Université de Rennes 1, (3) Caramel Team, Nancy Université, CNRS, Inria Nancy Grand Est

21/07/2010

SLIDE 2

Pairings in cryptography

Definition

A pairing is a bilinear map $e : G_1 \times G_1 \to G_2$.

  • Identity-based cryptography [BF03].
  • Short signature [BLS04].
  • One way tripartite Diffie–Hellman [Jou04].
  • Anonymous credentials [Ver01].
  • Attribute based cryptography [SW05].
  • Broadcast encryption [Goy+06].

David Lubicz, Damien Robert (ANTS IX) Pairing with theta functions 2 / 15

SLIDE 3

Pairings on abelian varieties

  • $(A, L)$ a principally polarised abelian variety.
  • $\Theta$ the theta divisor associated to $L$.
  • $P \in A[\ell]$: $\exists f_P \in k(A)$ such that $(f_P) = \ell\,(t_P^*\Theta - \Theta)$.

Weil pairing: $e_W : A[\ell] \times A[\ell] \to \mu_\ell$,

$$e_W(P, Q) = \frac{f_P(Q - 0_A)}{f_Q(P - 0_A)}.$$

Tate pairing: $e_T : A[\ell] \times A(k)/\ell A(k) \to k^*/k^{*\ell}$,

$$e_T(P, Q) = f_P(Q - 0_A).$$

SLIDE 4

Miller algorithm

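$P \in A[\ell]$.

$$\exists f_{n,P} \in k(A) \mid (f_{n,P}) = n.t_P^*\Theta - t_{nP}^*\Theta - (n-1)\Theta.$$

$$\exists f_{n_1.P, n_2.P} \in k(A) \mid (f_{n_1.P, n_2.P}) = t_{n_1.P}^*\Theta + t_{n_2.P}^*\Theta - t_{(n_1+n_2).P}^*\Theta - \Theta.$$

$$f_{(n_1+n_2),P} = f_{n_1,P}\, f_{n_2,P}\, f_{n_1.P, n_2.P}$$

⇒ Evaluate $f_{\ell,P}(Q)$ via a Miller loop.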

Remark

Only used with Mumford coordinates ⇒ need to work on a Jacobian of a hyperelliptic curve.
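An added example (not from the slides): the Miller loop above specialised to genus 1, on an elliptic curve in Weierstrass form with the usual divisor convention $(f_{n,P}) = n(P) - (nP) - (n-1)(O)$, used to evaluate the Weil pairing. The curve over $\mathbb{F}_{631}$, the 5-torsion points P and Q, the auxiliary point S and all function names are sample choices assumed for this illustration.

```python
# Sample parameters (assumed for this example): E: y^2 = x^3 + 30x + 34 over F_631,
# P, Q independent points of order 5, S an auxiliary point. None is the point at infinity.
p, a = 631, 30
P, Q, S = (36, 60), (121, 387), (0, 36)

def inv(v):
    return pow(v, -1, p)

def slope(A, B):
    """Slope of the chord through A and B (tangent if A == B); None if the line is vertical."""
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if A == B:
        return (3 * x1 * x1 + a) * inv(2 * y1) % p
    return (y2 - y1) * inv(x2 - x1) % p

def add(A, B):
    if A is None or B is None:
        return B if A is None else A
    lam = slope(A, B)
    if lam is None:
        return None
    x3 = (lam * lam - A[0] - B[0]) % p
    return (x3, (lam * (A[0] - x3) - A[1]) % p)

def g(A, B, R):
    """Value at R of the function with divisor (A) + (B) - (A+B) - (O)."""
    lam = slope(A, B)
    if lam is None:
        return (R[0] - A[0]) % p
    num = R[1] - A[1] - lam * (R[0] - A[0])
    return num * inv(R[0] + A[0] + B[0] - lam * lam) % p

def miller(A, n, R):
    """f_{n,A}(R), assembled with f_{n1+n2} = f_{n1} * f_{n2} * f_{n1.A,n2.A}."""
    f, T = 1, A
    for bit in bin(n)[3:]:
        f, T = f * f * g(T, T, R) % p, add(T, T)   # n1 = n2: doubling step
        if bit == "1":
            f, T = f * g(T, A, R) % p, add(T, A)   # n2 = 1: addition step
    return f

def weil(A, B, n):
    """Weil pairing e_n(A, B); S keeps the evaluations away from zeros and poles."""
    mS = (S[0], -S[1] % p)
    fa = miller(A, n, add(B, S)) * inv(miller(A, n, S)) % p
    fb = miller(B, n, add(A, mS)) * inv(miller(B, n, mS)) % p
    return fa * inv(fb) % p
```

With these sample values `weil(P, Q, 5)` is a primitive 5th root of unity in $\mathbb{F}_{631}$.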

SLIDE 5

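Theta functions

Abelian variety over $\mathbb{C}$: $A = \mathbb{C}/(\mathbb{Z} + \Omega\mathbb{Z})$; $\Omega \in \mathcal{H}(\mathbb{C})$ the Siegel upper half space ($\Omega$ symmetric, $\operatorname{Im}\Omega$ positive definite).

Theta functions with characteristics:

$$\vartheta(z, \Omega) = \sum_{n \in \mathbb{Z}} e^{\pi i\, {}^t n \Omega n + 2\pi i\, {}^t n z},$$

$$\vartheta\left[\begin{smallmatrix} a \\ b \end{smallmatrix}\right](z, \Omega) = e^{\pi i\, {}^t a \Omega a + 2\pi i\, {}^t a (z + b)}\, \vartheta(z + \Omega a + b, \Omega), \qquad a, b \in \mathbb{Q}.$$

Theta functions of level 4: $\left(\vartheta\left[\begin{smallmatrix} i/2 \\ j/2 \end{smallmatrix}\right](2z, \Omega)\right)_{i, j \in Z(2)}$, coordinates on $A$.

Theta functions of level 2: $\left(\vartheta\left[\begin{smallmatrix} 0 \\ i/2 \end{smallmatrix}\right](z, \Omega/2)\right)_{i \in Z(2)}$, coordinates on the Kummer variety $A/\pm 1$.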

SLIDE 6

Duplication formula

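$$\vartheta\left[\begin{smallmatrix} 0 \\ i/2 \end{smallmatrix}\right](z_1 + z_2, \Omega)\, \vartheta\left[\begin{smallmatrix} 0 \\ j/2 \end{smallmatrix}\right](z_1 - z_2, \Omega) = \sum_{t \in \frac{1}{2}\mathbb{Z}/\mathbb{Z}} \vartheta\left[\begin{smallmatrix} t/2 \\ (i+j)/4 \end{smallmatrix}\right](2z_1, 2\Omega)\, \vartheta\left[\begin{smallmatrix} t/2 \\ (i-j)/4 \end{smallmatrix}\right](2z_2, 2\Omega)$$

$$\vartheta\left[\begin{smallmatrix} \chi/2 \\ i/(4) \end{smallmatrix}\right](2z_i, 2\Omega)\, \vartheta\left[\begin{smallmatrix} \chi/2 \\ j/(4) \end{smallmatrix}\right](0, 2\Omega) = \frac{1}{2} \sum_{t \in \frac{1}{2}\mathbb{Z}/\mathbb{Z}} e^{-2i\pi\, {}^t\chi \cdot t}\, \vartheta\left[\begin{smallmatrix} 0 \\ (i+j)/4 + t \end{smallmatrix}\right](z_i, \Omega)\, \vartheta\left[\begin{smallmatrix} 0 \\ (i-j)/4 + t \end{smallmatrix}\right](z_i, \Omega).$$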

SLIDE 7

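The differential addition law

$$\Big(\sum_{t \in Z(2)} \chi(t)\, \vartheta_{i+t}(z_1 + z_2)\, \vartheta_{j+t}(z_1 - z_2)\Big) \cdot \Big(\sum_{t \in Z(2)} \chi(t)\, \vartheta_{k+t}(0)\, \vartheta_{l+t}(0)\Big) = \Big(\sum_{t \in Z(2)} \chi(t)\, \vartheta_{-i'+t}(z_2)\, \vartheta_{j'+t}(z_2)\Big) \cdot \Big(\sum_{t \in Z(2)} \chi(t)\, \vartheta_{k'+t}(z_1)\, \vartheta_{l'+t}(z_1)\Big),$$

where $\chi \in \hat{Z}(2)$, $i, j, k, l \in Z(n)$, $(i', j', k', l') = A(i, j, k, l)$ and

$$A = \frac{1}{2} \begin{pmatrix} 1 & 1 & 1 & 1 \\ 1 & 1 & -1 & -1 \\ 1 & -1 & 1 & -1 \\ 1 & -1 & -1 & 1 \end{pmatrix}.$$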

SLIDE 8

Arithmetic with level two theta functions (char k ≠ 2)

Multiplication cost in genus 2 (one step):

  • Columns: Mumford [Lan05], Level 2 [Gau07], Level 4.
  • Doubling: 34M + 7S, 7M + 12S + 9m0, 49M + 36S + 27m0.
  • Mixed Addition: 37M + 6S.

Multiplication cost in genus 1 (one step):

  • Columns: Montgomery, Level 2, Jacobian coordinates.
  • Doubling: 5M + 4S + 1m0, 3M + 6S + 3m0, 3M + 5S.
  • Mixed Addition: 7M + 6S + 1m0.

SLIDE 9

Miller functions with theta coordinates

Proposition

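$$f_{n,P} = \frac{\vartheta\left[\begin{smallmatrix} 0 \\ 0 \end{smallmatrix}\right](z)}{\vartheta\left[\begin{smallmatrix} 0 \\ 0 \end{smallmatrix}\right](z + n z_P)} \left(\frac{\vartheta\left[\begin{smallmatrix} 0 \\ 0 \end{smallmatrix}\right](z + z_P)}{\vartheta\left[\begin{smallmatrix} 0 \\ 0 \end{smallmatrix}\right](z)}\right)^{n}.$$

$$f_{n_1.P, n_2.P} = \frac{\vartheta(z + n_1.z_P)\, \vartheta(z + n_2.z_P)}{\vartheta(z)\, \vartheta(z + (n_1 + n_2).z_P)}.$$

Corollary

$$e_W(P, Q) = \frac{\vartheta(\ell z_P + z_Q)\, \vartheta(0)}{\vartheta(z_Q)\, \vartheta(\ell z_P)} \cdot \frac{\vartheta(z_P)\, \vartheta(\ell z_Q)}{\vartheta(z_P + \ell z_Q)\, \vartheta(0)} = \exp\big(2\pi i \ell\, (z_{P,1} z_{Q,2} - z_{P,2} z_{Q,1})\big)$$

with $z_P = z_{P,1}\Omega + z_{P,2}$ and $z_Q = z_{Q,1}\Omega + z_{Q,2}$.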

SLIDE 10

Fast pairing computation with theta functions of level 2

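$P$ and $Q$ points of $\ell$-torsion.

$$\begin{array}{lllll}
0_A & P & 2P & \dots & \ell P = \lambda_P^0\, 0_A \\
Q & P \oplus Q & 2P + Q & \dots & \ell P + Q = \lambda_P^1\, Q \\
2Q & P + 2Q & & & \\
\dots & \dots & & & \\
\ell Q = \lambda_Q^0\, 0_A & P + \ell Q = \lambda_Q^1\, P & & &
\end{array}$$

$$e_W(P, Q)^2 = \frac{\lambda_P^1\, \lambda_Q^0}{\lambda_P^0\, \lambda_Q^1}.$$

$$e_T(P, Q)^2 = \frac{\lambda_P^1}{\lambda_P^0}.$$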

SLIDE 11

Comparison with Miller algorithm

  • g = 1: 7M + 7S + 2m0
  • g = 2: 17M + 13S + 6m0

Tate pairing with theta coordinates, $P, Q \in A[\ell](\mathbb{F}_{q^d})$ (one step)

| | | Miller: Doubling | Miller: Addition | Theta coordinates: One step |
|---|---|---|---|---|
| g = 1 | d even | 1M + 1S + 1m | 1M + 1m | 1M + 2S + 2m |
| | d odd | 2M + 2S + 1m | 2M + 1m | |
| g = 2 | Q degenerate + denominator elimination | 1M + 1S + 3m | 1M + 3m | 3M + 4S + 4m |
| | General case | 2M + 2S + 18m | 2M + 18m | |

$P \in A[\ell](\mathbb{F}_q)$, $Q \in A[\ell](\mathbb{F}_{q^d})$ (counting only operations in $\mathbb{F}_{q^d}$).

SLIDE 12

How to compute P + Q?

  • Work in level 4, and go back to level 2 once we know $P + Q$. ⇒ Impose the 4-torsion on $A$ to be rational (in level 2: only impose the 2-torsion to be rational).
  • Stay in level 2 and compute the symmetric pairing: $e_{T,s} = e_T(P, Q) + e_T(P, -Q)$.

$\mathbb{Z}$-action on $k^{*,\pm 1}$:

$$x^{n_1+n_2} + \frac{1}{x^{n_1+n_2}} = \left(x^{n_1} + \frac{1}{x^{n_1}}\right) \cdot \left(x^{n_2} + \frac{1}{x^{n_2}}\right) - \left(x^{n_1-n_2} + \frac{1}{x^{n_1-n_2}}\right).$$
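An added example (not from the slides) of the $\mathbb{Z}$-action above: given only $t = x + 1/x$, a ladder built from the displayed recurrence returns $x^n + 1/x^n$ without ever knowing $x$, which is how a symmetric pairing value can be raised to a power. The field $\mathbb{F}_{631}$ and the element $x = 242$ are constructed sample values, and the function names are this example's own.

```python
def sym_pow(t, n, p):
    """Return x^n + 1/x^n in F_p from t = x + 1/x alone (n >= 0).

    Uses V_{n1+n2} = V_{n1} * V_{n2} - V_{n1-n2} with V_k = x^k + 1/x^k,
    keeping the pair (V_k, V_{k+1}) so that n1 - n2 is always 0 or 1.
    """
    if n == 0:
        return 2 % p                      # V_0 = x^0 + 1/x^0
    lo, hi = t % p, (t * t - 2) % p       # (V_1, V_2)
    for bit in bin(n)[3:]:                # bits of n below the leading one
        if bit == "1":                    # (V_k, V_{k+1}) -> (V_{2k+1}, V_{2k+2})
            lo, hi = (lo * hi - t) % p, (hi * hi - 2) % p
        else:                             # (V_k, V_{k+1}) -> (V_{2k}, V_{2k+1})
            lo, hi = (lo * lo - 2) % p, (lo * hi - t) % p
    return lo

def symmetric(x, p):
    """Image of x in k^{*,+-1}: the value x + 1/x, shared by x and 1/x."""
    return (x + pow(x, -1, p)) % p

# Constructed sample values: p = 631 and x = 242, an element of order 5 in F_631^*.
SAMPLE_P, SAMPLE_X = 631, 242
SAMPLE_T = symmetric(SAMPLE_X, SAMPLE_P)
```

Because `symmetric(x, p)` is the same for `x` and `1/x`, the ladder never needs to decide between $P + Q$ and $P - Q$.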

SLIDE 13

Computing P ± Q

  • The even theta null points are nonzero ⇔ the Kummer variety is projectively normal. Generically the case (but not for Jacobians of hyperelliptic curves of genus $g \geqslant 3$).
  • We can then compute $\vartheta_i(P + Q)\vartheta_j(P - Q) + \vartheta_j(P + Q)\vartheta_i(P - Q)$.

⇒ Recover $P \pm Q$ with a square root.

⇒ Alternatively, compute $\ell P + Q$ in the algebra of degree 2

$$k[X]/\big((X - \vartheta_0(P + Q))(X - \vartheta_0(P - Q))\big).$$

SLIDE 14

Perspectives

  • Degenerate divisors: should be even faster!
  • Ate pairing, optimal ate?
  • Miller algorithm directly on the theta coordinates.

SLIDE 15

Personal announcement

I will defend my PhD Thesis “Theta functions and applications in cryptography”, Wednesday 21 at 17h00, in C005 (Loria). Talk will be in French, but slides in English.

SLIDE 16

Bibliography

[BF03] D. Boneh and M. Franklin. “Identity-based encryption from the Weil pairing”. In: SIAM Journal on Computing 32.3 (2003), pp. 586–615. (Cit. on p. 2).

[BLS04] D. Boneh, B. Lynn, and H. Shacham. “Short signatures from the Weil pairing”. In: Journal of Cryptology 17.4 (2004), pp. 297–319. (Cit. on p. 2).

[Gau07] P. Gaudry. “Fast genus 2 arithmetic based on Theta functions”. In: Journal of Mathematical Cryptology 1.3 (2007), pp. 243–265. (Cit. on p. 8).

[Goy+06] V. Goyal et al. “Attribute-based encryption for fine-grained access control of encrypted data”. In: Proceedings of the 13th ACM conference on Computer and communications security. ACM. 2006, p. 98. (Cit. on p. 2).

[Jou04] A. Joux. “A one round protocol for tripartite Diffie–Hellman”. In: Journal of Cryptology 17.4 (2004), pp. 263–276. (Cit. on p. 2).

[Lan05] T. Lange. “Formulae for arithmetic on genus 2 hyperelliptic curves”. In: Applicable Algebra in Engineering, Communication and Computing 15.5 (2005), pp. 295–328. (Cit. on p. 8).

[SW05] A. Sahai and B. Waters. “Fuzzy identity-based encryption”. In: Advances in Cryptology–EUROCRYPT 2005 (2005), pp. 457–473. (Cit. on p. 2).

[Ver01] E. Verheul. “Self-blindable credential certificates from the Weil pairing”. In: Advances in Cryptology–ASIACRYPT 2001 (2001), pp. 533–551. (Cit. on p. 2).
