Computing optimal pairings on abelian varieties with theta functions 06/06/2013 — AGCT David Lubicz, Damien Robert June 6, 2013
Pairings on curves Abelian varieties Theta functions Pairings with theta functions Performance Outline 1 Pairings on curves 2 Abelian varieties 3 Theta functions 4 Pairings with theta functions 5 Performance
Pairings on curves Weil pairing. Theta functions Pairings with theta functions Performance The Weil pairing on elliptic curves Abelian varieties Definition (Embedding degree) Let E : y 2 = x 3 + ax + b be an elliptic curve over k ( char k ̸ = 2,3 ). Let P , Q ∊ E [ ℓ ] be points of ℓ -torsion. Let f P be a function associated to the principal divisor ℓ ( P ) − ℓ ( 0 ) , and f Q to ℓ ( Q ) − ℓ ( 0 ) . We define: e W , ℓ ( P , Q ) = f P (( Q ) − ( 0 )) f Q (( P ) − ( 0 )) . The application e W , ℓ : E [ ℓ ] × E [ ℓ ] → µ ℓ ( k ) is a non degenerate pairing: the The embedding degree d is the smallest number thus that ℓ | q d − 1 ; � q d is then the smallest extension containing µ ℓ ( k ) .
Pairings on curves Theta functions Pairings with theta functions Performance Definition The Tate pairing is a non degenerate (on the right) bilinear application given by Abelian varieties where The Tate pairing on elliptic curves over � q ℓ � ∗ q d / � ∗ e T : E 0 [ ℓ ] × E ( � q ) /ℓ E ( � q ) −→ . q d ( P , Q ) �−→ f P (( Q ) − ( 0 )) E 0 [ ℓ ] = { P ∊ E [ ℓ ]( � q d ) | π ( P ) = [ q ] P } . On � q d , the Tate pairing is a non degenerate pairing ℓ ≃ µ ℓ ; e T : E [ ℓ ]( � q d ) × E ( � q d ) /ℓ E ( � q d ) → � ∗ q d / � ∗ q d We normalise the Tate pairing by going to the power of ( q d − 1 ) /ℓ .
Pairings on curves Abelian varieties Theta functions Pairings with theta functions Performance Miller’s functions the Miller’s functions: Definition We need to compute the functions f P and f Q . More generally, we define Let λ ∊ � and X ∊ E [ ℓ ] , we define f λ , X ∊ k ( E ) to be a function thus that: ( f λ , X ) = λ ( X ) − ([ λ ] X ) − ( λ − 1 )( 0 ) . We want to compute (for instance) f ℓ , P (( Q ) − ( 0 )) .
Pairings on curves Abelian varieties Theta functions Pairings with theta functions Performance Miller’s algorithm The key idea in Miller’s algorithm is that f λ + µ , X = f λ , X f µ , X f λ , µ , X where f λ , µ , X is a function associated to the divisor ([ λ + µ ] X ) − ([ λ ] X ) − ([ µ ] X ) + ( 0 ) . We can compute f λ , µ , X using the addition law in E : if [ λ ] X = ( x 1 , y 1 ) and [ µ ] X = ( x 2 , y 2 ) and α = ( y 1 − y 2 ) / ( x 1 − x 2 ) , we have f λ , µ , X = y − α ( x − x 1 ) − y 1 x + ( x 1 + x 2 ) − α 2 .
Pairings on curves Abelian varieties Theta functions Pairings with theta functions Performance Pairings on Jacobians The same formulas as for elliptic curve define the Weil and Tate pairings: Let C be a curve of genus g ; Let P ∊ Jac ( C )[ ℓ ] and D P a divisor of degree 0 on C representing P ; By definition of Jac ( C ) , ℓ D P corresponds to a principal divisor ( f P ) on C ; e W ( P , Q ) = f P ( D Q ) / f Q ( D P ) e T ( P , Q ) = f P ( D Q ) .
Pairings on curves Theorem (Weil) Theta functions Pairings with theta functions Performance Pairings on Jacobians Abelian varieties The same formulas as for elliptic curve define the Weil and Tate pairings: Let C be a curve of genus g ; Let P ∊ Jac ( C )[ ℓ ] and D P a divisor of degree 0 on C representing P ; By definition of Jac ( C ) , ℓ D P corresponds to a principal divisor ( f P ) on C ; e W ( P , Q ) = f P ( D Q ) / f Q ( D P ) e T ( P , Q ) = f P ( D Q ) . A key ingredient for evaluating f P ( D Q ) comes from Weil reciprocity theorem. Let D 1 and D 2 be two divisors with disjoint support linearly equivalent to ( 0 ) on a smooth curve C . Then f D 1 ( D 2 ) = f D 2 ( D 1 ) .
Pairings on curves The extension of Miller’s algorithm to Jacobians is “straightforward”; Theta functions Pairings with theta functions Performance Pairings on Jacobians Abelian varieties The same formulas as for elliptic curve define the Weil and Tate pairings: Let C be a curve of genus g ; Let P ∊ Jac ( C )[ ℓ ] and D P a divisor of degree 0 on C representing P ; By definition of Jac ( C ) , ℓ D P corresponds to a principal divisor ( f P ) on C ; e W ( P , Q ) = f P ( D Q ) / f Q ( D P ) e T ( P , Q ) = f P ( D Q ) . For instance if g = 2 , the function f λ , µ , P is of the form y − l ( x ) ( x − x 1 )( x − x 2 ) where l is of degree 3 .
Pairings on curves Abelian varieties Theta functions Pairings with theta functions Performance Abelian varieties Definition Example An Abelian variety is a complete connected group variety over a base field k . Elliptic curves= Abelian varieties of dimension 1 ; If C is a (projective smooth absolutely irreducible) curve of genus g , its Jacobian is an abelian variety of dimension g ; In dimension g � 4 , not every abelian variety is a Jacobian.
Pairings on curves 1 3 domain). Abelian varieties 2 Isogenies and pairings Theta functions Performance Pairings with theta functions Let f : A → B be a separable isogeny with kernel K between two abelian varieties defined over k : f 0 K A B 0 ˆ f ˆ ˆ ˆ 0 A B K 0 ˆ K is the Cartier dual of K , and we have a non degenerate pairing ∗ : e f : K × ˆ K → k If Q ∊ ˆ K ( k ) , Q defines a divisor D Q on B ; ˆ f ( Q ) = 0 means that f ∗ D Q is equal to a principal divisor ( g Q ) on A ; e f ( P , Q ) = g Q ( x ) / g Q ( x + P ) . (This last function being constant in its definition The Weil pairing e W , ℓ is the pairing associated to the isogeny [ ℓ ] : A → A .
Pairings on curves Abelian varieties Theta functions Pairings with theta functions Performance Polarisations Definition the pairing If � is an ample line bundle, the polarisation ϕ � is a morphism A → � A , x �→ t ∗ x � ⊗ � − 1 . Let � be a principal polarization on A . The (polarized) Weil pairing e W , � , ℓ is e W , � , ℓ : A [ ℓ ] × A [ ℓ ] −→ µ ℓ ( k ) . ( P , Q ) �−→ e W , ℓ ( P , ϕ � ( Q )) associated to the polarization � ℓ : [ ℓ ] � ˆ A A A
Pairings on curves and Hilbert 90; where the last isomorphism comes from the Kummer sequence Abelian varieties Composing with the Weil pairing, we get a bilinear application we get from Galois cohomology a connecting morphism From the exact sequence The Tate pairings on abelian varieties over finite fields Performance Pairings with theta functions Theta functions given by 0 → A [ ℓ ]( � q d ) → A ( � q d ) → [ ℓ ] A ( � q d ) → 0 δ : A ( � q d ) /ℓ A ( � q d ) → H 1 ( Gal ( � q d / � q d ) , A [ ℓ ]) ; ℓ ≃ µ ℓ A [ ℓ ]( � q d ) × A ( � q d ) /ℓ A ( � q d ) → H 1 ( Gal ( � q d / � q d ) , µ ℓ ) ≃ � ∗ q d / � ∗ q d ∗ ∗ 1 → µ ℓ → � q d → � q d → 1 Explicitely, if P ∊ A [ ℓ ]( � q d ) and Q ∊ A ( � q d ) then the (reduced) Tate pairing is e T ( P , Q ) = e W ( P , π ( Q 0 ) − Q 0 ) where Q 0 is any point such that Q = [ ℓ ] Q 0 and π is the Frobenius of � q d .
Pairings on curves are in this situation.) Theta functions Pairings with theta functions Performance Cycles and Lang reciprocity The cycle Theorem ([Lan58]) Abelian varieties Let ( A , � ) be a principally polarized abelian variety; � ( P i ) on A , we can associate the line bundle ⊗ t ∗ To a degree 0 cycle P i � on A ; � � ( P i ) corresponds to a trivial line bundle iff P i = 0 in A ; � If f is a function on A and D = ( P i ) a cycle whose support does not contain a zero or pole of f , we let � f ( D ) = f ( P i ) . (In the following, when we write f ( D ) we will always assume that we Let D 1 and D 2 be two cycles equivalent to 0 , and f D 1 and f D 2 be the corresponding functions on A . Then f D 1 ( D 2 ) = f D 2 ( D 1 )
Pairings on curves Abelian varieties Theta functions Pairings with theta functions Performance The Weil and Tate pairings on abelian varieties Theorem The Weil pairing is given by Theorem Let P , Q ∊ A [ ℓ ] . Let D P and D Q be two cycles equivalent to ( P ) − ( 0 ) and ( Q ) − ( 0 ) . e W ( P , Q ) = f ℓ D P ( D Q ) f ℓ D Q ( D P ) . Let P ∊ A [ ℓ ]( � q d ) and Q ∊ A ( � q d ) , and let D P and D Q be two cycles equivalent to ( P ) − ( 0 ) and ( Q ) − ( 0 ) . The (non reduced) Tate pairing is given by e T ( P , Q ) = f ℓ D P ( D Q ) .
Pairings on curves Abelian varieties Theta functions Pairings with theta functions Performance Cryptographic usage of pairings on abelian varieties varieties in function of the security parameters. Supersingular abelian varieties can have larger embedding degree than supersingular elliptic curves. Over a Jacobian, we can use twists even if they are not coming from twists of the underlying curve. The moduli space of abelian varieties of dimension g is a space of dimension g ( g + 1 ) / 2 . We have more liberty to find optimal abelian If A is an abelian variety of dimension g , A [ ℓ ] is a ( � /ℓ � ) -module of dimension 2 g ⇒ the structure of pairings on abelian varieties is richer.
Recommend
More recommend