Optimal pairings on abelian varieties 2014/10/10 ECC 2014, Chennai - PowerPoint PPT Presentation

Optimal pairings on abelian varieties 2014/10/10 — ECC 2014, Chennai David Lubicz, Damien Robert Inria Bordeaux Sud-Ouest

Miller’s algorithm Pairings on abelian varieties Theta functions Pairings with theta functions Performance Outline 1 Miller’s algorithm 2 Pairings on abelian varieties 3 Theta functions 4 Pairings with theta functions 5 Performance

Miller’s algorithm Weil pairing. Theta functions Pairings with theta functions Performance The Weil pairing on elliptic curves Pairings on abelian varieties q d Definition (Embedding degree) Let E : y 2 = x 3 + ax + b be an elliptic curve over a field k (char k � = 2 , 3, 4 a 3 + 27 b 2 � = 0 . ) Let P , Q ∊ E [ ℓ ] be points of ℓ -torsion. Let f P be a function associated to the principal divisor ℓ ( P ) − ℓ ( 0 ) , and f Q to ℓ ( Q ) − ℓ ( 0 ) . We define: e W , ℓ ( P , Q ) = f P (( Q ) − ( 0 )) f Q (( P ) − ( 0 )) . The application e W , ℓ : E [ ℓ ] × E [ ℓ ] → µ ℓ ( k ) is a non degenerate pairing: the If E is defined over a finite field � q , the Weil pairing has image in µ ℓ ( � q ) ⊂ � ∗ where d is the embedding degree, the smallest number such that ℓ | q d − 1.

Miller’s algorithm Pairings on abelian varieties Theta functions Pairings with theta functions Performance Definition The Tate pairing is a non degenerate bilinear application given by q d where q d The Tate pairing on elliptic curves over � q � ∗ q d / � ∗ ℓ e T : E 0 [ ℓ ] × E ( � q ) /ℓ E ( � q ) −→ . ( P , Q ) �−→ f P (( Q ) − ( 0 )) E 0 [ ℓ ] = { P ∊ E [ ℓ ]( � q d ) | π ( P ) = [ q ] P } . On � q d , the Tate pairing is a non degenerate pairing ℓ ≃ µ ℓ ; e T : E [ ℓ ]( � q d ) × E ( � q d ) /ℓ E ( � q d ) → � ∗ q d / � ∗ If ℓ 2 ∤ E ( � q d ) then E ( � q d ) /ℓ E ( � q d ) ≃ E [ ℓ ]( � q d ) ; We normalise the Tate pairing by going to the power of ( q d − 1 ) /ℓ .

Miller’s algorithm Pairings on abelian varieties Theta functions Pairings with theta functions Performance Miller’s functions define the Miller’s functions: Definition We need to compute the functions f ℓ , P and f ℓ , Q . More generally, we Let λ ∊ � and X ∊ E [ ℓ ] , we define f λ , X ∊ k ( E ) to be a function thus that: ( f λ , X ) = λ ( X ) − ([ λ ] X ) − ( λ − 1 )( 0 ) . We want to compute (for instance) f ℓ , P (( Q ) − ( 0 )) .

Miller’s algorithm Pairings on abelian varieties Theta functions Pairings with theta functions Performance Miller’s algorithm The key idea in Miller’s algorithm is that f λ + µ , X = f λ , X f µ , X f λ , µ , X where f λ , µ , X is a function associated to the divisor ([ λ ] X )+([ µ ] X ) − ([ λ + µ ] X ) − ( 0 ) . We can compute f λ , µ , X using the addition law in E : if [ λ ] X = ( x 1 , y 1 ) and [ µ ] X = ( x 2 , y 2 ) and α = ( y 1 − y 2 ) / ( x 1 − x 2 ) , we have f λ , µ , X = y − α ( x − x 1 ) − y 1 x +( x 1 + x 2 ) − α 2 .

Miller’s algorithm Theta functions Pairings with theta functions Performance Miller’s algorithm for elliptic curves Pairings on abelian varieties [ λ ] X = ( x 1 , y 1 ) [ µ ] X = ( x 2 , y 2 ) 2 -( λ + μ )X 1 μ X λ X 0 -1.5 -1 -0.5 0 0.5 1 1.5 2 -1 ( λ + μ )X -2 f λ , µ , X = y − α ( x − x 1 ) − y 1 x +( x 1 + x 2 ) − α 2 .

Miller’s algorithm 2 f 2 Return 3 2 1 4 Pairings on abelian varieties 2 1 3 Algorithm (Computing the Tate pairing) Theta functions Pairings with theta functions 1 Performance Miller’s algorithm for the Tate pairing on elliptic curves Input: ℓ ∊ � , P = ( x 1 , y 1 ) ∊ E [ ℓ ]( � q ) , Q = ( x 2 , y 2 ) ∊ E ( � q d ) . Output: e T ( P , Q ) . � I Compute the binary decomposition: ℓ := i = 0 b i 2 i . Let T = P , f 1 = 1 , f 2 = 1 . For i in [ I .. 0 ] compute α , the slope of the tangent of E at T. T = 2 T. T = ( x 3 , y 3 ) . f 1 = f 2 1 ( y 2 − α ( x 2 − x 3 ) − y 3 ) , f 2 = f 2 2 ( x 2 +( x 1 + x 3 ) − α 2 ) . If b i = 1 , then compute α , the slope of the line going through P and T. T = T + Q. T = ( x 3 , y 3 ) . f 1 = f 2 1 ( y 2 − α ( x 2 − x 3 ) − y 3 ) , f 2 = f 2 ( x 2 +( x 1 + x 3 ) − α 2 ) . � f 1 � qd − 1 ℓ .

Miller’s algorithm The same formulas as for elliptic curve define the Weil and a smooth curve C. Then Theorem (Weil) theorem. Pairings on abelian varieties Tate-Lichtenbaum pairings: Performance Miller’s algorithm on Jacobians Pairings with theta functions Theta functions Let P ∊ Jac ( C )[ ℓ ] and D P a divisor on C representing P ; By definition of Jac ( C ) , ℓ D P corresponds to a principal divisor ( f ℓ , P ) on C ; e W ( P , Q ) = f ℓ , P ( D Q ) / f ℓ , Q ( D P ) e T ( P , Q ) = f ℓ , P ( D Q ) . A key ingredient for evaluating f P ( D Q ) comes from Weil’s reciprocity Let D 1 and D 2 be two divisors with disjoint support linearly equivalent to ( 0 ) on f D 1 ( D 2 ) = f D 2 ( D 1 ) .

Miller’s algorithm where l is of degree 3. deg f f x , tion law on the Jacobian of an hyperelliptic curve of genus 2: y 2 Addi- b Pairings on abelian varieties b b 5. The extension of Miller’s algorithm to Jacobians is “straightforward”; Theta functions Pairings with theta functions Performance Miller’s algorithm on Jacobians of genus 2 curves For instance if g = 2, the function f λ , µ , P is of the form y − l ( x ) ( x − x 1 )( x − x 2 ) D = P 1 + P 2 − 2 ∞ D ′ = Q 1 + Q 2 − 2 ∞ D + D ′ = R 1 + R 2 − 2 ∞ b Q 2 Q 1 b R 1 b R ′ 2 b P 2 R ′ b R 2 1 P 1

Miller’s algorithm Pairings on abelian varieties Theta functions Pairings with theta functions Performance Abelian varieties Definition An Abelian variety is a complete connected group variety over a base field k . Abelian variety = points on a projective space (locus of homogeneous Example Elliptic curves= Abelian varieties of dimension 1; If C is a (smooth) curve of genus g , its Jacobian is an abelian variety of dimension g ; polynomials) + an abelian group law given by rational functions. In dimension g � 4, not every abelian variety is a Jacobian.

Miller’s algorithm 0 definition domain). 3 1 as follows: Unravelling the identification, we can compute the Weil-Cartier pairing K is the Cartier dual of K we have a non degenerate pairing f f 0 Pairings on abelian varieties B A K 0 f fit into the diagram Performance The Weil-Cartier pairing varieties defined over k ; Pairings with theta functions Theta functions 0 K A B Let f : A → B be a separable isogeny with kernel K between two abelian The isogeny f and its dual ˆ ˆ ˆ ˆ ˆ Since ˆ e f : K × ˆ K → � m ; If Q ∊ ˆ K ( k ) , Q defines a divisor D Q on B ; 2 ˆ f ( Q ) = 0 means that f ∗ D Q is equal to a principal divisor ( g Q ) on A ; e f ( P , Q ) = g Q ( x ) / g Q ( x + P ) . (This last function being constant in its The Weil pairing e W , ℓ is the pairing associated to the isogeny [ ℓ ] : A → A e W , ℓ : A [ ℓ ] × ˆ A [ ℓ ] → µ ℓ .

Miller’s algorithm Pairings on abelian varieties Theta functions Pairings with theta functions Performance Reformulation action of K : ψ Q f ∗ D Q � A ψ P e f ( P , Q ) τ ∗ P ψ Q τ ∗ P f ∗ D Q τ ∗ P � A ( ψ P is normalized via A ( P ) ≃ A ( 0 ) .) Since f ∗ D Q is trivial, by descent theory D Q is the quotient of A × � 1 by an g x . ( t , λ ) = ( t + x , χ Q ( x ) λ ) where χ Q is a character on K ; e f ( P , Q ) = χ Q ( P ) .

Miller’s algorithm A Theta functions Pairings with theta functions Performance Polarizations Definition (Weil pairing) the pairing Pairings on abelian varieties A A If � is an ample line bundle, the polarization ϕ � is a morphism A → � A , x �→ t ∗ x � ⊗ � − 1 . Let � be a principal polarization on A . The (polarized) Weil pairing e W , � , ℓ is e W , � , ℓ : A [ ℓ ] × A [ ℓ ] −→ µ ℓ . ( P , Q ) �−→ e W , ℓ ( P , ϕ � ( Q )) associated to the polarization ϕ � ℓ : [ ℓ ] � ˆ

Miller’s algorithm The following diagram is commutative up to a multiplication by Theta functions Pairings with theta functions Performance The commutator pairing isogeny 0 A A 0 and thus a pairing Pairings on abelian varieties In general for an ample line bundle � , the polarization ϕ � gives an ˆ K ( � ) e � : K ( � ) × K ( � ) → � m . e � ( P , Q ) : ψ P τ ∗ � P � τ ∗ ψ Q P ψ Q τ ∗ Q ψ P τ ∗ Q � τ ∗ P + Q �

Miller’s algorithm 0 Theta functions Pairings with theta functions Performance The commutator pairing an isomorphism Pairings on abelian varieties 0 The Theta group G ( � ) is the group { ( x , ψ x ) } where x ∊ K ( � ) and ψ x is ψ x : � → τ ∗ x � The composition is given by ( y , ψ y ) . ( x , ψ x ) = ( y + x , τ ∗ x ψ y ◦ ψ x ) . G ( � ) is an Heisenberg group: k ∗ G ( � ) K ( � ) Let g P = ( P , ψ P ) ∊ G ( � ) and g Q = ( Q , ψ Q ) ∊ G ( � ) , e � ( P , Q ) = g P g Q g − 1 P g − 1 Q ; If ψ : K ( � ) × K ( � ) → k ∗ is the 2-cocycle associated to G ( � ) , we also have e � ( P , Q ) = ψ ( P , Q ) ψ ( Q , P ) .