Effjcient pairing computation with theta functions. ANTS IX David - PowerPoint PPT Presentation

Effjcient pairing computation with theta functions. ANTS IX David Lubicz 1,2 , Damien Robert 3 1 CÉLAR 2 IRMAR, Université de Rennes 1 3 Caramel Team, Nancy Université, CNRS, Inria Nancy Grand Est 21/07/2010

Pairings in cryptography Defjnition A pairing is a bilinear application e ∶ G 1 × G 1 → G 2 . Identity-based cryptography [BF03]. Short signature [BLS04]. One way tripartite Diffje–Hellman [Jou04]. Anonymous credentials [Ver01]. Attribute based cryptography [SW05]. Broadcast encryption [Goy+06]. David Lubicz, Damien Robert (ANTS IX) Pairing with theta functions 2 / 15

Pairings on abelian varieties ( A , L) a principally polarised abelian variety. Θ the theta divisor associated to L . P ∈ A ∥ ℓ ∥ . ∃ f P ∈ k ( A ) ∣ ( f P ) = ℓ ( t ∗ P Θ − Θ ) . Weil pairing e W ∶ A ∥ ℓ ∥ × A ∥ ℓ ∥ → µ ℓ e W ( P , Q ) = f P ( Q − 0 A ) f Q ( P − 0 A ) . Tate pairing: e T ∶ A ∥ ℓ ∥ × A ( k )/ ℓA ( k ) → k ∗ / k ∗ ℓ e T ( P , Q ) = f P ( Q − 0 A ) . David Lubicz, Damien Robert (ANTS IX) Pairing with theta functions 3 / 15

Miller algorithm P ∈ A ∥ ℓ ∥ . ∃ f n , P ∈ k ( A ) ∣ ( f n , P ) ≙ n . t ∗ nP Θ − ( n − 1 ) Θ. P Θ − t ∗ ∃ f n 1 . P , n 2 . P ∈ k ( A ) ∣ ( f n 1 . P , n 2 . P ) ≙ t ∗ n 1 . P Θ + t ∗ n 2 . P Θ − t ∗ ( n 1 + n 2 ) . P Θ − Θ. f ( n 1 + n 2 ) , P ≙ f n 1 , P f n 2 , P f n 1 . P , n 2 . P ⇒ Evaluate f ℓ , P ( Q ) via a Miller loop. Remark Only used with Mumford coordinates ⇒ need to work on a Jacobian of an hyperelliptic curve. David Lubicz, Damien Robert (ANTS IX) Pairing with theta functions 4 / 15

Tieta functions Abelian variety over C : A ≙ C  /( Z  + Ω Z  ) ; Ω ∈ H  ( C ) the Siegel upper half space (Ω symmetric, Im Ω positive defjnite). Tieta functions with characteristics: ϑ ( z , Ω ) ≙ ∑ n ∈ Z  e π i t n Ω n + 2 π i t nz , ϑ ∥ a b ∥( z , Ω ) ≙ e π i t a Ω a + 2 π i t a ( z + b ) ϑ ( z + Ω a + b , Ω ) a , b ∈ Q  . Tieta functions of level 4: ( ϑ [ i / 2 j / 2 ]( 2 z , Ω )) i , j ∈ Z ( 2 ) , coordinates on A . Tieta functions of level 2: ( ϑ [ 0 i / 2 ]( z , Ω / 2 )) i ∈ Z ( 2 ) , coordinates on the Kummer variety A / ± 1. David Lubicz, Damien Robert (ANTS IX) Pairing with theta functions 5 / 15

D uplication formula ϑ [ 0 2 ]( z 1 + z 2 , Ω ) ϑ [ 2 ]( z 1 − z 2 , Ω ) ≙ ∑ ϑ [ 4 ]( 2 z 1 , 2Ω ) ϑ [ t 4 ]( 2 z 2 , 2Ω ) t 0 2 2 j i i + j i − j t ∈ 1 2 Z  / Z  i /( 4 ) ]( 2 z i , 2Ω ) ϑ [ j /( 4 ) ]( 0, 2Ω ) ≙ ϑ [ χ / 2 0 1 e − 2 iπ t χ ⋅ t ϑ [ 4 + t ]( z i , Ω ) ϑ [ 4 + t ]( z i , Ω ) . ∑ 2 χ 0 i − j i + j 2  t ∈ 1 2 Z  / Z  David Lubicz, Damien Robert (ANTS IX) Pairing with theta functions 6 / 15

Ti e difgerential addition law ( ∑ χ ( t ) ϑ i + t ( z 1 + z 2 ) ϑ j + t ( z 1 − z 2 )) . ( ∑ χ ( t ) ϑ k + t ( 0 ) ϑ l + t ( 0 )) ≙ t ∈ Z ( 2 ) t ∈ Z ( 2 ) ( ∑ χ ( t ) ϑ − i ′ + t ( z 2 ) ϑ j ′ + t ( z 2 )) . ( ∑ χ ( t ) ϑ k ′ + t ( z 1 ) ϑ l ′ + t ( z 1 )) . t ∈ Z ( 2 ) t ∈ Z ( 2 ) χ ∈ ˆ Z ( 2 ) , i , j , k , l ∈ Z ( n ) where ( i ′ , j ′ , k ′ , l ′ ) ≙ A ( i , j , k , l ) ⎛ ⎞ 1 1 1 1 − 1 − 1 ⎜ ⎟ A ≙ 1 1 1 ⎜ ⎟ ⎜ ⎟ − 1 − 1 1 1 2 ⎝ ⎠ − 1 − 1 1 1 David Lubicz, Damien Robert (ANTS IX) Pairing with theta functions 7 / 15

A rithmetic with level two theta functions ( car k ≠ 2 ) Mumford Level 2 Level 4 [Lan05] [Gau07] Doubling 34 M + 7 S 7 M + 12 S + 9 m 0 49 M + 36 S + 27 m 0 Mixed Addition 37 M + 6 S Multiplication cost in genus 2 (one step). Montgomery Level 2 Jacobians coordinates Doubling 3 M + 5 S 5 M + 4 S + 1 m 0 3 M + 6 S + 3 m 0 Mixed Addition 7 M + 6 S + 1 m 0 Multiplication cost in genus 1 (one step). David Lubicz, Damien Robert (ANTS IX) Pairing with theta functions 8 / 15

M iller functions with theta coordinates Proposition ϑ ∥ 0 0 ∥( z + nz P ) ( ϑ ∥ 0 0 ∥( z ) 0 ∥( z + z P ) n ) f n , P ≙ ϑ ∥ 0 ϑ ∥ 0 0 ∥( z ) . f n 1 . P , n 2 . P ≙ ϑ ( z + n 1 . z P ) ϑ ( z + n 2 . z P ) ϑ ( z ) ϑ ( z + ( n 1 + n 2 ) . z P ) . Corollary e W ( P , Q ) ≙ ϑ ( ℓz P + z Q ) ϑ ( 0 ) ϑ ( z P ) ϑ ( ℓz Q ) ϑ ( z Q ) ϑ ( ℓz P ) ϑ ( z P + ℓz Q ) ϑ ( 0 ) ⋅ ≙ exp ( 2 πiℓ ( z P ,1 z Q ,2 − z P ,2 z Q ,1 )) with z P ≙ z P ,1 Ω + z P ,2 and z Q ≙ z Q ,1 Ω + z Q ,2 . David Lubicz, Damien Robert (ANTS IX) Pairing with theta functions 9 / 15

F ast pairing computation with theta functions of level 2 P and Q points of ℓ -torsion. ℓP ≙ λ 0 0 A 2 P . . . P 0 A P P ⊕ Q 2 P + Q ℓP + Q ≙ λ 1 . . . Q P Q P + 2 Q 2 Q . . . . . . ℓQ ≙ λ 0 P + ℓQ ≙ λ 1 Q 0 A Q P e W ( P , Q ) 2 ≙ λ 1 P λ 0 Q . Q λ 0 P λ 1 e T ( P , Q ) 2 ≙ λ 1 P . P λ 0 David Lubicz, Damien Robert (ANTS IX) Pairing with theta functions 10 / 15

C omparison with M iller algorithm  ≙ 1 7 M + 7 S + 2 m 0  ≙ 2 17 M + 13 S + 6 m 0 Tate pairing with theta coordinates, P , Q ∈ A ∥ ℓ ∥( F q d ) (one step) Miller Tieta coordinates Doubling Addition One step 1 M + 1 S + 1 m 1 M + 1 m d even  ≙ 1 1 M + 2 S + 2 m 2 M + 2 S + 1 m 2 M + 1 m d odd 1 M + 1 S + 3 m 1 M + 3 m Q degenerate +  ≙ 2 3 M + 4 S + 4 m denominator elimination 2 M + 2 S + 18 m 2 M + 18 m General case P ∈ A ∥ ℓ ∥( F q ) , Q ∈ A ∥ ℓ ∥( F q d ) (counting only operations in F q d ). David Lubicz, Damien Robert (ANTS IX) Pairing with theta functions 11 / 15

H ow to compute P + Q? Work in level 4, and go back to level 2 once we know P + Q . ⇒ Impose the 4-torsion on A to be rational (In level 2: only impose the 2-torsion to be rational). Stay in level 2 and compute the symmetric pairing: e T , s ≙ e T ( P , Q ) + e T ( P , − Q ) . Z -action on k ∗ , ± 1 : x n 1 + n 2 + x n 1 + n 2 ≙ ( x n 1 + 1 1 1 1 x n 1 ) ⋅ ( x n 2 + x n 2 ) − ( x n 1 − n 2 + x n 1 − n 2 ) . David Lubicz, Damien Robert (ANTS IX) Pairing with theta functions 12 / 15

C omputing P ± Q Tie even theta null point are non zero ⇔ the Kummer variety is projectively normal. Generically the case (but not for Jacobians of hyperelliptic curves of genus  ⩾ 3). We can then compute ϑ i ( P + Q ) ϑ j ( P − Q ) + ϑ j ( P + Q ) ϑ i ( P − Q ) . ⇒ Recover P ± Q with a square root. ⇒ Alternatively, compute ℓP + Q in the algebra of degree 2 k ∥ X ∥/(( X − ϑ 0 ( P + Q ))( X − ϑ 0 ( P − Q ))) . David Lubicz, Damien Robert (ANTS IX) Pairing with theta functions 13 / 15

P erspectives Degenerate divisors: should be even faster! Ate pairing, optimal ate? Miller algorithm directly on the theta coordinates. David Lubicz, Damien Robert (ANTS IX) Pairing with theta functions 14 / 15

P ersonal announcement I will defend my PhD Tiesis ‘‘Tieta functions and applications in cryptography’’, Wednesday 21 at 17h00, in C005 (Loria). Talk will be in French, but slides in English. David Lubicz, Damien Robert (ANTS IX) Pairing with theta functions 15 / 15

B ibliography [BF03] D. Boneh and M. Franklin. “Identity-based encryption from the Weil pairing”. In: SIAM Journal on Computing 32.3 (2003), pp. 586–615. (Cit. on p. 2). [BLS04] D. Boneh, B. Lynn, and H. Shacham. “Short signatures from the Weil pairing”. In: Journal of Cryptology 17.4 (2004), pp. 297–319. (Cit. on p. 2). [Gau07] P. Gaudry. “Fast genus 2 arithmetic based on Theta functions”. In: Journal of Mathematical Cryptology 1.3 (2007), pp. 243–265. (Cit. on p. 8). [Goy+06] V. Goyal et al. “Attribute-based encryption for fine-grained access control of encrypted data”. In: Proceedings of the 13th ACM conference on Computer and communications security . ACM. 2006, p. 98. (Cit. on p. 2). [Jou04] A. Joux. “A one round protocol for tripartite Diffie–Hellman”. In: Journal of Cryptology 17.4 (2004), pp. 263–276. (Cit. on p. 2). [Lan05] T. Lange. “Formulae for arithmetic on genus 2 hyperelliptic curves”. In: Applicable Algebra in Engineering, Communication and Computing 15.5 (2005), pp. 295–328. (Cit. on p. 8). [SW05] A. Sahai and B. Waters. “Fuzzy identity-based encryption”. In: Advances in Cryptology–EUROCRYPT 2005 (2005), pp. 457–473. (Cit. on p. 2). [Ver01] E. Verheul. “Self-blindable credential certificates from the Weil pairing”. In: Advances in Cryptology—ASIACRYPT 2001 (2001), pp. 533–551. (Cit. on p. 2). David Lubicz, Damien Robert (ANTS IX) Pairing with theta functions 15 / 15