Elliptic Curve Cryptography

by

Kai Laemmle

(Under the direction of Matthew Baker)

Abstract

We will introduce the reader to elliptic curves, and explain how they can be used for cryptography and why they are more difficult to attack in comparison to systems based on finite fields, such as the famous RSA algorithm. This expository paper will discuss different algorithms to attack cryptographic systems, such as the index calculus method, Shanks’ algorithm, Pollard’s rho method and the pairing attack. Finally, we will construct the Weil pairing, prove some of its important properties and present an algorithm to compute it. The study of attacks on cryptographic systems can help to reveal that a certain cryptographic protocol is weak and therefore that it should not be used. The reader should have background in algebra, basic number theory and some cryptography, such as the RSA algorithm. No background in elliptic curves or in algebraic geometry is required, but may be helpful.

Index words: Elliptic curve cryptography, Discrete logarithm problem, Shanks’ Baby-Step Giant-Step algorithm, Pollard’s rho method, Index calculus method, Pairing attack, MOV/Frey-Rück attack, Weil pairing, Computing the Weil pairing

Elliptic Curve Cryptography

by

Kai Laemmle

Vordiplom (equiv. B.A.), University of Hannover, Germany, 2001

A Thesis Submitted to the Graduate Faculty of The University of Georgia in Partial Fulfillment of the Requirements for the Degree

Master of Arts

Athens, Georgia

2003

© 2003 Kai Laemmle
All Rights Reserved

Elliptic Curve Cryptography

by

Kai Laemmle

Approved:

Major Professor: Matthew Baker

Committee: Robert Rumely, Robert Varley

Electronic Version Approved:

Maureen Grasso
Dean of the Graduate School
The University of Georgia
December 2003

Acknowledgments

I address special thanks to Christina Geisler, Kyunglim Nam, Jeff Thompson, Markus Hunziker, Kareem Shabana, Charles James and Allison Barfield for your support and your friendship. Thank you to Michael Guy who encouraged and supported me in common classes, to Janice Winner and to International Student Life of the University of Georgia who helped me very much when I arrived in the United States, and to Nicole Schulze who was right when she suggested studying abroad for a while. I also thank Matt Baker and the other committee members for your academic advice and cooperation. Thanks to all friends I did not mention above and for all good things that happened to me during my stay in Athens.

Table of Contents

Acknowledgments ...... iv

Chapter

1 Introduction ...... 1
  1.1 Idea of Cryptography ...... 1
  1.2 Overview ...... 2
  1.3 Why Elliptic Curve Cryptosystems? ...... 3

2 Applications of Elliptic Curves in Cryptography ...... 4
  2.1 Elliptic Curves And Cryptography ...... 5
  2.2 Analog of Diffie-Hellman Key-Exchange Protocol ...... 8
  2.3 Analog of Massey-Omura ...... 9
  2.4 Analog of ElGamal ...... 10

3 Encoding ...... 12
  3.1 An Encoding Algorithm ...... 13
  3.2 Square Test ...... 16
  3.3 Computing Square Roots In Fp ...... 21

4 The Discrete Logarithm Problem ...... 27
  4.1 The DLP and the Security of Cryptosystems ...... 27
  4.2 Comparing Algorithms on the DLP ...... 29
  4.3 Shanks’ Baby-Step Giant-Step Algorithm ...... 30
  4.4 Pollard’s Rho Method ...... 32
  4.5 The Index Calculus Method ...... 33

5 The Weil Pairing ...... 36
  5.1 The Pairing Attack In General ...... 36
  5.2 Preparation for the Weil Pairing ...... 39
  5.3 Definition and Properties of the Weil Pairing ...... 43
  5.4 Computing the Weil Pairing ...... 48
  5.5 Proving Properties of the Weil Pairing ...... 55

Bibliography ...... 62

Chapter 1

Introduction

1.1 Idea of Cryptography

Alice wants to send a message to Bob using a public channel. What does Alice do if only Bob should be able to read the message? She uses methods of cryptography, for instance a public key cryptosystem: Bob creates a so-called public key and a corresponding private key. The public key is known to every user and is used to encrypt a message. The private key is only known to Bob and is used to decrypt the message. Alice uses the public key of Bob to encrypt her message and sends the encrypted message to Bob. Bob, having his secret information (his secret or private key), can now decrypt the message. Without Bob’s secret key, it should be very hard to decrypt the message.

The main idea of cryptography is that decryption is easy when one has certain secret information, but without that information, it is very difficult (or even impossible in a reasonable amount of time) to decrypt the message.

In general, when somebody makes up a new cryptosystem, its security will usually be either disproved (for instance, by an algorithm cracking it) or else its security will be believed after a large number of unsuccessful attempts at breaking the cryptosystem. So, we might rephrase one of the above paragraphs: The main idea of cryptography is that decryption is easy when one has certain secret information, but without that information, it is believed to be very hard (or even impossible in a reasonable amount of time) to decrypt the message.

1.2 Overview

We will explain how to use elliptic curves for encryption and decryption in chapter 2. There, we will discuss the Diffie-Hellman Key-Exchange protocol and the Diffie-Hellman problem, and we will look at two cryptosystems adapted to elliptic curves, namely the Massey-Omura protocol and the ElGamal protocol.

While chapter 2 deals with points on elliptic curves, we actually want to encrypt and decrypt messages. Filling this gap, i.e. embedding messages as points on a given elliptic curve, is called encoding. We will talk about how we can encode messages as points on an elliptic curve in chapter 3. The encoding algorithm needs a square test modulo p, and it involves computing square roots modulo p.

The strength of cryptosystems based on discrete exponentiation relies on the fact that the inverse operation, the discrete logarithm problem (DLP), is considered very hard to solve. In chapter 4, we will discuss the DLP and introduce some attacks on it, such as the index calculus method, Shanks’ Baby-Step Giant-Step algorithm and Pollard’s rho method. Knowing under which conditions these attacks are efficient helps to avoid weak cryptosystems when one is choosing or designing a cryptosystem.

In Chapter 5, we focus on one particular class of attacks on the DLP on an elliptic curve, namely pairing attacks, and we will discuss one particular example, the Weil pairing attack, in detail. The goal of pairing attacks is to reduce the DLP for elliptic curves to the DLP for multiplicative groups of finite fields.

1.3 Why Elliptic Curve Cryptosystems?

The RSA cryptosystem is difficult to crack, because it is believed to be very hard to decompose large composite numbers into their prime factors in a reasonable amount of time. A cryptosystem based on discrete exponentiation, such as the Diffie-Hellman protocol, is difficult to attack because the discrete logarithm problem is believed to be hard to solve. It is a good idea to use a combination of cryptosystems, involving both the discrete logarithm problem and the difficulty of factoring large numbers. Besides adding versatility, cryptosystems based on discrete exponentiation need smaller parameters than comparable RSA-type cryptosystems.

This explains why we would like to use discrete logarithms. But why do we not just base our algorithms on multiplicative groups of finite fields rather than elliptic curves, since arithmetic on finite fields is much easier? There is no known “efficient” algorithm to crack a general elliptic curve cryptosystem, if we choose our elliptic curve cryptosystem to satisfy certain conditions. The index calculus method, which is based on factor bases, does solve the DLP for multiplicative groups of finite fields “efficiently”, but this attack does not seem to work for elliptic curve cryptosystems, since there is no known analogue of factor bases on elliptic curves.

An “efficient” algorithm means a so-called subexponential algorithm, which is better than exponential running time, but worse than polynomial running time. Let p be the input size. Then $5\log^3 p + 3\log p$ is polynomial in $\log p$ (we just say “polynomial”), and $p^5 + \log p$ is exponential (in $\log p$). The expected running time of the index calculus method is $O\!\left(e^{\sqrt{2\log p\,\log\log p}}\right)$, which is subexponential.

Chapter 2

Applications of Elliptic Curves in Cryptography

In this chapter we will discuss some examples of how elliptic curves can be used for cryptographic purposes. We will present the Diffie-Hellman Key-Exchange protocol, the Massey-Omura protocol and the ElGamal protocol adapted to elliptic curves. These protocols can also be implemented over finite multiplicative groups (see [6]).

Elliptic curve cryptosystems can be used to create a common secret with communication over a public channel, which is achieved, for instance, by the Diffie-Hellman Key-Exchange protocol. This common secret can serve as a private key to encrypt and decrypt a message, as in the ElGamal protocol outlined at the end of this chapter. While the ElGamal protocol requires a base point B of the elliptic curve, where B should have a high order, preferably close to the number of points on the elliptic curve, the Massey-Omura protocol needs the number of points of an elliptic curve over a fixed field, which can be computed using Schoof’s algorithm (see [11]). Another disadvantage of Massey-Omura is that it requires more back-and-forth communication, which in practice is often a major drawback, and which also makes more information accessible to the public and therefore might make the protocol more vulnerable. At the end of the section on the Diffie-Hellman protocol, we will mention the Diffie-Hellman problem, which is related to the security of this cryptosystem.


2.1 Elliptic Curves And Cryptography

As in the RSA algorithm, we represent a message as an integer. Since elliptic curves consist of points instead of integers, we have to embed the set of all possible messages into the points on our elliptic curves. This step is called encoding and is described in chapter 3. Here, we will focus on how an encoded message, i.e. a point on a given elliptic curve, can be encrypted and decrypted. First, we will address the questions “What is an elliptic curve?” and “How can we do arithmetic on an elliptic curve?”.

Definition 2.1.1 Let K be a field of characteristic ≠ 2, 3, and let $x^3 + ax + b$ (where a, b ∈ K) be a cubic polynomial with no multiple roots.

1. An elliptic curve over K is the set of all points (x, y) with x, y ∈ K which satisfy the equation

$$y^2 = x^3 + ax + b \qquad \text{(Weierstrass normal form)}$$

together with a single element denoted 0 and called the “point at infinity”.

2. We use the notation $E(K) := \{(x, y) \in K^2 \mid y^2 = x^3 + ax + b\} \cup \{0\}$. If it is clear from the context what our base field is, then we write E instead of E(K).

Remark The definition can be generalized to a field of any characteristic. There is also a more geometric definition based on some concepts in algebraic geometry. We refer the reader to [12].

The Group Structure. The set of all points on an elliptic curve forms an abelian group. How do we add two points? If we are given two points $P, Q \in E(K)$ with $P, Q \neq 0$, then the chord through the points P, Q intersects the curve in a third point R (if the chord is vertical, then the third point is the point at infinity, and if P = Q then we take the line tangent to the curve E at the point P). We reflect R across the x-axis to obtain P + Q. If one of P or Q is the point at infinity, say Q, then the chord through P and Q is a vertical line intersecting the curve in P, 0, and a third point R which is the reflection of P across the x-axis. As above, reflect this point across the x-axis to get P + 0, which leads us back to P. In other words, P + 0 = P. And similarly, we have 0 + Q = Q. For more details on the group structure, and a nice picture, see [6], pp. 168–169.

Do we really know that this operation together with E forms a group? Besides showing that 0 is the identity, that every element has an inverse, and that the operation is commutative (all of which follow directly from the definition), one has to show that the operation is associative, which is not obvious (for a proof, see [14], section “The Group Law”).

Example 2.1.2 Given the elliptic curve $E: y^2 = x^3 + 17$ over the field ℚ. Let P := (−1, 4) and Q := (2, 5). The line going through these two points is given by $y = \frac{1}{3}x + \frac{13}{3}$. This line intersects E in three points, namely P, Q and a third point R := (−8/9, 109/27). If we reflect this point across the x-axis, we get P + Q = (−8/9, −109/27).

Lemma 2.1.3

Let $P := (x_1, y_1)$, $Q := (x_2, y_2)$, and $P + Q := (x_3, y_3)$. If P ≠ Q then

$$x_3 = \left(\frac{y_2 - y_1}{x_2 - x_1}\right)^2 - x_1 - x_2, \qquad y_3 = -y_1 + \left(\frac{y_2 - y_1}{x_2 - x_1}\right)(x_1 - x_3).$$

If P = Q then P + Q = 2P has the following coordinates:

$$x_3 = \left(\frac{3x_1^2 + a}{2y_1}\right)^2 - 2x_1, \qquad y_3 = -y_1 + \left(\frac{3x_1^2 + a}{2y_1}\right)(x_1 - x_3).$$

These formulas hold in any characteristic (except for characteristic 2). If our base field is $\mathbb{F}_q$, where q is a power of a prime number, then $x_3$ and $y_3$ can be computed in at most 20 operations in $\mathbb{F}_q$. Since one operation in $\mathbb{F}_q$ takes $O(\log^3 q)$, we can compute P + Q in $O(\log^3 q)$ (see [6], p. 178).

While the RSA algorithm is based on arithmetic over the integers, elliptic curve cryptosystems take advantage of the group structure of elliptic curves. Suppose we are given a message encoded as a point P on an elliptic curve, and we want to encrypt this point. A possibility is to use a positive integer e to encrypt P in the following way:

$$eP = \underbrace{P + P + \cdots + P}_{e \text{ times}}$$

Here, the encrypted message is the point eP, and the encryption key is an integer. In elliptic curve cryptography, encryption and decryption keys are either integers, as in the example above, or certain points on the elliptic curve. The operation above, multiplying the point P by e to get eP, corresponds in elliptic curve cryptosystems to taking a group element g of a finite multiplicative group and raising it to the power e to obtain $g^e$. How quickly can we compute eP? The idea is to use the repeated doubling method:

Example 2.1.4 (taken from [6]) To find 100P we write 100P = 2(2(P + 2(2(2(P + 2P ))))), and end up performing 6 doublings and 2 additions of points on the curve.

This idea results in $\log e$ group operations in $E(\mathbb{F}_q)$ to calculate eP from P. Since one group operation in $E(\mathbb{F}_q)$ takes $O(\log^3 q)$, it takes $O(\log e \log^3 q)$ to compute eP.

Let us have a look at three examples illustrating how we can use elliptic curves for cryptographic purposes. These three examples are protocols originally based on $(\mathbb{Z}/n\mathbb{Z})^*$, and in the following sections, the protocols are adapted to elliptic curves.

2.2 Analog of Diffie-Hellman Key-Exchange Protocol

Originally, the protocol was applied to $(\mathbb{Z}/n\mathbb{Z})^*$ (see [6], p. 98) and was later adapted to elliptic curves. In this section, we will only discuss the version of this protocol for elliptic curves. Aïda and Bernardo want to share a common secret key. This secret key can be used to encrypt and decrypt messages. They can only communicate via a public channel. How is it possible that they agree on a common secret while their communication is accessible to the public? The idea is that this protocol takes advantage of the difficulty of solving the so-called Diffie-Hellman problem (see end of this section).

First, Aïda and Bernardo agree on a finite field $\mathbb{F}_q$, on an elliptic curve E and on a base point B. It is desirable that the order of B has the same magnitude as the number of points of $E(\mathbb{F}_q)$. These parameters are publicly known, i.e. it is okay to use the public channel to appoint them:

1. Public: finite field $\mathbb{F}_q$, elliptic curve E, base point B

2. Secret: Aïda a, Bernardo b. Then Aïda and Bernardo each choose an arbitrary integer individually, and they keep them secret, i.e. Aïda does not know b, and Bernardo does not know a.

3. Public: aB, bB. Afterwards, they calculate and publish aB, respectively bB.

4. Secret: abB. Aïda gets bB, knows a and calculates a(bB) = abB. Similarly, Bernardo computes b(aB) = abB.

Now, they share the information abB. Is it really a secret? Eve observing the communication channel of Aïda and Bernardo would get aB and bB (of course, she would know B together with $\mathbb{F}_q$ and E). Is it possible to determine abB from aB, bB, B? This is actually a hard problem, and it is called the Diffie-Hellman problem. If one is able to solve this problem, then (s)he would be able to crack the Diffie-Hellman protocol. A related problem is the so-called Discrete Logarithm problem (DLP), which will be discussed later.

2.3 Analog of Massey-Omura

The Massey-Omura protocol for $(\mathbb{Z}/n\mathbb{Z})^*$ is discussed in [6], p. 100. In this section, we will describe the protocol adapted to elliptic curves. Alice intends to send a secret message to Bob. As discussed in the introduction of this chapter, the Massey-Omura protocol has some disadvantages, namely that more back-and-forth communication is required and that the number of points of the elliptic curve must be known.

Setup

1. Public: $\mathbb{F}_q$: finite field, E: elliptic curve, N: number of points on E

2. Secret: encryption key of Alice $e_A$, encryption key of Bob $e_B$. Alice and Bob individually choose an arbitrary secret integer between 1 and N, such that this integer and N are coprime.

3. Secret: decryption key of Alice $d_A$, decryption key of Bob $d_B$. Both compute their corresponding decryption keys $d_A \equiv e_A^{-1} \bmod N$ and $d_B \equiv e_B^{-1} \bmod N$ using Euclid’s algorithm.

Alice sends a secret message m to Bob.

1. Secret: Alice: m: message represented as an integer, M ∈ E: encoded message.

2. Public: $e_A M$. Alice encrypts the encoded message M in order to send it to Bob.

3. Public: $e_B(e_A M) = e_A e_B M$. Bob multiplies the point $e_A M$ by his encryption key.

4. Public: $d_A(e_A e_B M) = e_B M$. Alice multiplies the point by her decryption key.

5. Secret: $d_B(e_B M) = M$. Bob multiplies the point by his decryption key and receives the encoded message.

Eve observing the communication channel of Alice and Bob perceives $e_A M$, $e_A e_B M$, $e_B M$. If Eve is able to determine $e_A$ from these three points, then she can compute the decryption key $d_A \equiv e_A^{-1} \bmod N$, like Alice did, breaking the Massey-Omura protocol by computing $M = d_A(e_A M)$.

2.4 Analog of ElGamal

We will discuss the ElGamal protocol adapted to elliptic curves. The version for $(\mathbb{Z}/n\mathbb{Z})^*$ of this protocol is described in [6], pp. 100–101. Anuita would like to send a secret message, represented by the point M, to Björn. Instead of the number of points of the elliptic curve E, we need a base point B of high order (desirably of the same magnitude as #E).

1. Public: $\mathbb{F}_q$: finite field, E: elliptic curve, B: base point in E

2. Secret: Anuita $a_A$, Björn $a_B$: secret key of Anuita/Björn. Both choose an arbitrary integer individually.

3. Public: $a_B B$. Björn computes and publishes this point.

4. Public: $a_A B$, $M + a_A(a_B B)$. Anuita computes and publishes these two points.

5. Secret: $M + a_A(a_B B) - a_B(a_A B) = M$. Björn receives the encoded message M.

Open to the public are the points B, $a_B B$, $a_A B$, $M + a_A a_B B$. Is it possible to determine M from these points?

Notice that this algorithm uses the Diffie-Hellman protocol: The point $a_A a_B B$ masks the message M. Consider $a_A a_B B$ as a common secret of Anuita and Björn. Determining M from the four points mentioned above is equivalent to computing the mask point $a_A a_B B$.
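The point arithmetic of Lemma 2.1.3 with the repeated doubling of Example 2.1.4, and the three protocols of Sections 2.2–2.4 built on it, as an added example; this code is not part of the thesis. The curve class receives its field as two callables, so the same addition formula reproduces Example 2.1.2 over ℚ and runs the protocols over $\mathbb{F}_p$. The toy parameters (p = 11, the curve $y^2 = x^3 + x + 6$, the points and the secret integers) are constructed for the example, and #E is counted by brute force in place of Schoof’s algorithm, which is only feasible at this size.

```python
from fractions import Fraction

O = None  # the point at infinity, written 0 in Definition 2.1.1


class Curve:
    """y^2 = x^3 + a x + b over a field described by two callables:
    red(z) brings a field element into canonical form (Fraction over Q,
    z % p over F_p) and inv(z) inverts a nonzero element."""

    def __init__(self, a, b, red, inv):
        if red(4 * a**3 + 27 * b**2) == 0:
            raise ValueError("x^3 + ax + b has a multiple root")
        self.a, self.b, self.red, self.inv = red(a), red(b), red, inv

    def contains(self, P):
        if P is O:
            return True
        x, y = P
        return self.red(y * y - (x**3 + self.a * x + self.b)) == 0

    def neg(self, P):
        return O if P is O else (P[0], self.red(-P[1]))

    def add(self, P, Q):
        """Chord-and-tangent addition, i.e. the formulas of Lemma 2.1.3."""
        if P is O:
            return Q
        if Q is O:
            return P
        (x1, y1), (x2, y2) = P, Q
        if self.red(x1 - x2) == 0:
            if self.red(y1 + y2) == 0:        # Q = -P: the chord is vertical
                return O
            lam = (3 * x1 * x1 + self.a) * self.inv(self.red(2 * y1))  # tangent
        else:
            lam = (y2 - y1) * self.inv(self.red(x2 - x1))              # chord
        x3 = self.red(lam * lam - x1 - x2)
        return (x3, self.red(-y1 + lam * (x1 - x3)))

    def mul(self, e, P):
        """Repeated doubling (Example 2.1.4): O(log e) group operations."""
        R = O
        while e > 0:
            if e & 1:
                R = self.add(R, P)
            P, e = self.add(P, P), e >> 1
        return R


def over_Q(a, b):
    return Curve(a, b, Fraction, lambda z: 1 / Fraction(z))


def over_Fp(a, b, p):
    return Curve(a, b, lambda z: z % p, lambda z: pow(z, -1, p))


def count_points(a, b, p):
    """#E(F_p) by brute force (toy sizes only; Schoof's algorithm in practice).
    Each x contributes 2 points if f(x) is a nonzero square, 1 if f(x) = 0."""
    n = 1                                    # the point at infinity
    for x in range(p):
        fx = (x**3 + a * x + b) % p
        n += 1 if fx == 0 else 2 if pow(fx, (p - 1) // 2, p) == 1 else 0
    return n


def diffie_hellman(E, B, a, b):
    """Section 2.2: aB and bB go over the public channel; both sides get abB."""
    aB, bB = E.mul(a, B), E.mul(b, B)
    return E.mul(a, bB), E.mul(b, aB)        # Aida's and Bernardo's copies of abB


def massey_omura(E, N, M, eA, eB):
    """Section 2.3: three public points; needs gcd(eA, N) = gcd(eB, N) = 1
    and N = #E, so that N M = O for every point M."""
    dA, dB = pow(eA, -1,  N), pow(eB, -1, N)  # decryption keys via Euclid
    t1 = E.mul(eA, M)                        # Alice -> Bob:   eA M
    t2 = E.mul(eB, t1)                       # Bob -> Alice:   eA eB M
    t3 = E.mul(dA, t2)                       # Alice -> Bob:   eB M
    return E.mul(dB, t3)                     # Bob recovers M


def elgamal(E, B, M, aA, aB):
    """Section 2.4: Bjorn publishes aB B; Anuita sends (aA B, M + aA aB B)."""
    pub = E.mul(aB, B)
    c1, c2 = E.mul(aA, B), E.add(M, E.mul(aA, pub))
    return E.add(c2, E.neg(E.mul(aB, c1)))   # subtracting the mask aA aB B gives M
```

Each protocol function returns what the receiving party computes, so the identities stated in the text (a(bB) = b(aB), $d_B(e_B M) = M$, $M + a_A a_B B - a_B a_A B = M$) can be checked directly against the input point; for Massey-Omura the check only passes when N is the exact group order, which is why the thesis needs Schoof’s algorithm there.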

Since M can be anything, the point $M + a_A a_B B$ does not help to compute $a_A a_B B$ from B, $a_B B$, $a_A B$. Indeed, cracking this cryptosystem is equivalent to cracking the Diffie-Hellman protocol.

Chapter 3

Encoding

This chapter answers the question “How can we use an elliptic curve E for encryption and decryption?”, or more precisely “How can we connect messages we want to encrypt and decrypt to points on an elliptic curve?”. Making this connection is called encoding. First, we will present an encoding algorithm, which requires a square test and involves computing the square root modulo p.

As in the RSA algorithm, we represent a message as an integer m in a certain interval, e.g. 0 ≤ m < M, where M ∈ ℤ. So, we consider M different possible messages.¹ If we want to do arithmetic on an elliptic curve, we have to somehow embed all possible messages into the elliptic curve, or more precisely into its points over a chosen and fixed finite field. In other words, we will represent every possible message as a point on our elliptic curve. Then, we will use the arithmetic of our elliptic curve, i.e. its group structure, to encrypt and decrypt the message.

Note that we have to distinguish two steps. The first step is representing the message as a point on the elliptic curve (encoding), and the second step is the actual encryption. After Bob receives the encrypted message from Alice, he decrypts it to get the point on the elliptic curve representing the actual message. We want it to be easy to recover (“decode”) the message from the point representing it.

¹ In practice, the length of a message can vary a lot, so it makes sense to divide a message into parts and to treat every part separately.


We require two properties for encoding:

• That it is injective, so that the inverse process (“decoding”) can be performed without loss of information.

• That “decoding”, i.e. recovering the message m from the encoded point, is easy to compute (e.g. we might get the message back from the x-coordinate of the point).

Usually, the encoding and decoding algorithm are publicly known, and so are the encryption and decryption algorithms. The only things which are kept secret are the secret keys.

3.1 An Encoding Algorithm

Now, let us look at an algorithm which represents each possible message as a point on a given elliptic curve. Unfortunately this algorithm is probabilistic, but we can make the probability that the encoding fails as small as we want. For simplicity, let us assume that our given finite field has characteristic p ≠ 2, 3, so that our elliptic curve E can be represented in Weierstrass normal form $y^2 = x^3 + ax + b$, where a, b live in our given field. Furthermore, let us suppose that our field is $\mathbb{F}_p$, i.e. a finite field of order p.

We have to make sure that we have enough points on our elliptic curve, one for each possible message. This means that our given field has to be large enough. Let m be the message we want to represent as a point on our elliptic curve. We take x := m mod p to be the x-coordinate of our anticipated point. A problem is that $f(x) := x^3 + ax + b$ has to be a square modulo p in order that x corresponds to a point on the curve. The probability that f(x) is a square modulo p is roughly 1/2, i.e. in half of the cases, the chosen x-coordinate does not belong to a point on the elliptic curve.

Once we have fixed an x-coordinate, we calculate f(x). Using a square test, we can check whether there is a point on the elliptic curve with this x-coordinate. If there is such a point, i.e. if f(x) is a square modulo p, then we compute a square root of f(x) modulo p to obtain the y-coordinate, and then take (x, y) as the point on E representing the message; in other words, the encoded message is (x, y).² But, in half of the cases, the square test will tell us that f(x) for the chosen x-coordinate is not a square modulo p. So, we have a failure probability of 50%, which is very high. What do we do if we want to increase the probability that the encoding does not fail, i.e. that the chosen x-coordinate yields a point on E?

Let us assume that we are satisfied with a failure probability of $1/2^\kappa$, where κ is big enough.³ So far, one message, represented as an integer, corresponds to one x-coordinate. Now, suppose that one message is allowed to correspond to κ different x-coordinates. Then we can try each of the κ x-coordinates corresponding to the message, and check whether they belong to a point on E. This certainly decreases the failure probability. The idea is to space out the possible messages. Instead of taking the possible messages 0, 1, 2, 3, ..., M − 1 to encode, we take 0, κ, 2κ, 3κ, ..., (M − 1)κ. Between mκ and (m + 1)κ, we have κ different numbers, from mκ + 1 to (m + 1)κ, representing the message m. We try to encode mκ + 1. If this fails, we continue with mκ + 2, then mκ + 3. We repeat this until we successfully encode or until we fail to encode mκ + κ. There are at most κ encoding attempts for the message m. Assuming probabilistic independence, we get a failure probability of $1/2^\kappa$. Note that we do not try to find a square root of mκ + 1, mκ + 2, ... modulo p, but of f(mκ + 1), f(mκ + 2), ...

² Note that we have to decide which square root of f(x) we choose for y.
³ In practice, κ = 30 or κ = 50 is enough.

Algorithm 3.1.1 Encoding

Fixed:
  prime number p ≠ 2, 3
  elliptic curve E in Weierstrass normal form y² = x³ + ax + b
  error tolerance 2^(−κ)

Input: message m with 0 ≤ m < M, and M ∈ ℤ
Output: encoded point P

  for j = 1 to κ do
      x := mκ + j mod p, with 0 ≤ x < p
      calculate f(x) := x³ + ax + b ∈ F_p
      if f(x) is a square mod p then          // need square test modulo p
          y := square root of f(x) mod p       // need to calculate square root mod p
          return P := (x, y)                   // finish algorithm and return encoded message as point
      end if
  end for
  return “algorithm failed”                    // found no point on E

Why do we first test whether f(x) is a square, and only then calculate a square root? Is it not quicker to calculate a square root (which would fail if we did not have a square) without a prior square test? No, it is not. In the following sections, we will discuss a square test with running time $O(\log^2 p)$ and an algorithm to compute the square root, which has running time $O(\log^4 p)$. Here, $\log^2 p$ means $(\log p)^2$, not $\log\log p$. With the prior square test, we have a running time of $O(\kappa\log^2 p + \log^4 p)$. If we leave out the square test, we get a running time of $O(\kappa\log^4 p)$. Though both variants yield a running time of $O(\log^4 p)$, we should prefer the prior square test, since $\kappa\log^2 p + \log^4 p$ is better than $\kappa\log^4 p$.
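Algorithm 3.1.1 in executable form, as an added example that is not part of the thesis. Two substitutions are made and labelled here: the square test is Euler’s criterion $f(x)^{(p-1)/2} \equiv 1 \pmod p$ rather than the Kronecker-symbol test of Section 3.2, and the square root uses the shortcut $y = f(x)^{(p+1)/4}$, which is valid only for primes $p \equiv 3 \pmod 4$ (the general Tonelli–Shanks method is the subject of Section 3.3). The smaller of the two roots is fixed as y, which is the choice footnote 2 asks for. The primes, curve coefficients and message space below are constructed for the example; the last function measures the single-attempt failure rate the text estimates as 1/2.

```python
def is_square(n, p):
    """Euler's criterion: for an odd prime p, a nonzero n is a square mod p
    iff n^((p-1)/2) == 1 (mod p).  n == 0 counts as a square (y = 0)."""
    n %= p
    return n == 0 or pow(n, (p - 1) // 2, p) == 1


def sqrt_mod_3mod4(n, p):
    """Square root of a square n modulo a prime p = 3 (mod 4):
    (n^((p+1)/4))^2 = n^((p+1)/2) = n * n^((p-1)/2) = n.  Assumption of this
    example; the thesis uses Tonelli-Shanks for general p (Section 3.3)."""
    if p % 4 != 3:
        raise ValueError("shortcut needs p = 3 (mod 4); use Tonelli-Shanks otherwise")
    return pow(n, (p + 1) // 4, p)


def encode(m, p, a, b, kappa, M):
    """Algorithm 3.1.1: messages 0 <= m < M; try x = m*kappa + j for j = 1..kappa."""
    if not 0 <= m < M:
        raise ValueError("message out of range")
    if M * kappa >= p:                     # otherwise m*kappa + j could wrap mod p
        raise ValueError("field too small for M messages with this kappa")
    for j in range(1, kappa + 1):
        x = (m * kappa + j) % p
        fx = (x**3 + a * x + b) % p
        if is_square(fx, p):               # square test first, square root second
            y = sqrt_mod_3mod4(fx, p)
            return (x, min(y, (p - y) % p))    # deterministic choice of the root
    return None                            # fails with probability about 2^-kappa


def decode(P, kappa):
    """Recover m from the x-coordinate: x = m*kappa + j with 1 <= j <= kappa."""
    return (P[0] - 1) // kappa


def nonsquare_fraction(p, a, b):
    """Fraction of x in F_p for which f(x) is not a square, i.e. the failure
    probability of a single encoding attempt; close to 1/2 by Hasse's bound."""
    misses = sum(1 for x in range(p) if not is_square(x**3 + a * x + b, p))
    return misses / p
```

The check M·κ < p keeps the candidates mκ + j from wrapping around modulo p, which would make two messages share x-coordinates and break injectivity; with κ = 30 the failure rate per message is about $2^{-30}$, so encoding every message in a space of a few hundred succeeds in practice.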

3.2 Square Test

Given an integer a and a prime number p ≠ 2, 3, we want to know whether a is a square modulo p, i.e. whether there is an x ∈ ℤ such that $x^2 \equiv a \pmod p$. We remind the reader of the Legendre symbol:

$$\left(\frac{a}{p}\right) = \begin{cases} 1 & \text{if } a \text{ is a square modulo } p \text{, and } a \not\equiv 0 \pmod p \\ 0 & \text{if } a \equiv 0 \pmod p \\ -1 & \text{otherwise} \end{cases}$$

We only have to compute the Legendre symbol in order to test whether we have a square. The quadratic reciprocity law is very useful for computing the Legendre symbol, but it requires that the top is a prime number:

$$\left(\frac{p}{q}\right) = (-1)^{\frac{p-1}{2}\cdot\frac{q-1}{2}} \left(\frac{q}{p}\right) \quad \text{for } p \text{ and } q \text{ odd primes.}$$

Do we therefore need to factor the number a into its prime factors? Since this is in general very hard to compute, we hope that there is a way to avoid factorization. The Kronecker symbol⁴, which is a generalization of the Legendre symbol, helps to compute $\left(\frac{a}{p}\right)$ without knowing the prime factorization of a. While the Legendre symbol expects an odd prime number at the bottom, the Kronecker symbol $\left(\frac{a}{b}\right)$ allows any integer for a and b.

Definition 3.2.1 The Kronecker symbol $\left(\frac{a}{b}\right)$ for all a, b ∈ ℤ is defined as follows:

1. If b = 0 then
$$\left(\frac{a}{0}\right) = \begin{cases} 1 & \text{if } a = \pm 1 \\ 0 & \text{else} \end{cases}$$

2. If b ≠ 0 then
$$\left(\frac{a}{b}\right) = \prod_{p} \left(\frac{a}{p}\right),$$
where $b = \prod p$ with p running through a finite and not necessarily distinct set of primes (including p = 2), or p = −1 to take care of the sign. $\left(\frac{a}{p}\right)$ is the Legendre symbol for p > 2.

(a) For p = 2, we define
$$\left(\frac{a}{2}\right) = \begin{cases} 0 & \text{if } a \text{ is even} \\ (-1)^{(a^2-1)/8} & \text{if } a \text{ is odd} \end{cases}$$

(b) For p = −1, we define
$$\left(\frac{a}{-1}\right) = \begin{cases} 1 & \text{if } a \geq 0 \\ -1 & \text{if } a < 0 \end{cases}$$

⁴ Also called the Kronecker–Jacobi symbol.

Note that if $\left(\frac{a}{b}\right) = 1$ then this does not necessarily imply that a is a square modulo b, as the following example shows:

Example 3.2.2 We calculate
$$\left(\frac{3}{35}\right) = (-1)^{\frac{3-1}{2}\cdot\frac{35-1}{2}} \left(\frac{35}{3}\right) = (-1)^{17} \cdot \left(\frac{2}{3}\right) = (-1)\cdot(-1) = 1.$$
Since 3 is neither a square modulo 5 nor a square modulo 7, 3 is not a square modulo 35. The following calculation
$$\left(\frac{3}{5}\right) = -1, \quad \left(\frac{3}{7}\right) = -1, \quad \left(\frac{3}{35}\right) = \left(\frac{3}{5}\right)\left(\frac{3}{7}\right) = (-1)(-1) = 1$$
shows that this does not contradict the definition of the Legendre symbol.

The key to avoiding factorization of a into its prime factors is part 3b of the theorem below: The quadratic reciprocity law for the Kronecker symbol allows odd and positive integers, instead of only prime numbers. Hence we do not need to factor a. We only have to make sure that we have positive and odd numbers to use the reciprocity law. If we want to calculate $\left(\frac{a}{b}\right)$, then the idea is to collect 2’s appearing in the prime factorization of a or b, and to extract possible −1’s, in the case that a and/or b are negative.

Theorem 3.2.3

1. $\left(\frac{a}{b}\right) = 0$ if and only if a and b are not relatively prime.

2. The Kronecker symbol is multiplicative at the top and at the bottom: For all a, b, c ∈ ℤ, we have
$$\left(\frac{ab}{c}\right) = \left(\frac{a}{c}\right)\left(\frac{b}{c}\right) \quad \text{and} \quad \left(\frac{a}{bc}\right) = \left(\frac{a}{b}\right)\left(\frac{a}{c}\right) \text{ if } bc \neq 0.$$

3. The following formulas, which hold for the Legendre symbol, are also true for the Kronecker symbol:

(a) Let b be a positive odd integer (not necessarily prime), then we have
$$\left(\frac{-1}{b}\right) = (-1)^{(b-1)/2} \quad \text{and} \quad \left(\frac{2}{b}\right) = (-1)^{(b^2-1)/8}.$$

(b) We have the reciprocity law: For a and b positive odd and coprime integers, not necessarily prime, it holds that
$$\left(\frac{a}{b}\right) = (-1)^{\frac{a-1}{2}\cdot\frac{b-1}{2}} \left(\frac{b}{a}\right).$$

Collecting twos. How do we collect 2’s appearing in the prime factorization of a or b? If both a and b are even, then by part 1 of the theorem above, the Kronecker symbol is 0. Now, let us assume that one of a and b is odd.

Case a is odd. Then the bottom number b is even. We take advantage of $\left(\frac{a}{2}\right) = (-1)^{(a^2-1)/8}$: We write $b = 2^v c$, where c is odd, i.e. v counts how often b is divisible by 2, and we reduce b until we obtain an odd number c. We have

$$\left(\frac{a}{b}\right) = \left(\frac{a}{2^v c}\right) = \left(\frac{a}{2}\right)^v \left(\frac{a}{c}\right).$$

If v is even, then we know that $\left(\frac{a}{2}\right)^v = 1$, hence $\left(\frac{a}{b}\right) = \left(\frac{a}{c}\right)$, so we reduce to the case where the bottom number in the Kronecker symbol is odd. If v is odd, we get $\left(\frac{a}{b}\right) = \left(\frac{a}{2}\right)\left(\frac{a}{c}\right)$. We calculate $\left(\frac{a}{2}\right) = (-1)^{(a^2-1)/8}$ by table lookup, i.e. we save in a table of size 8, let us call the table tab2, the values {0, 1, 0, −1, 0, −1, 0, 1}, and we get $(-1)^{(a^2-1)/8}$ as tab2[a mod 8].⁵

Case a is even. Then b is odd, and we use $\left(\frac{2}{b}\right) = (-1)^{(b^2-1)/8}$ in the same manner as we used $\left(\frac{a}{2}\right) = (-1)^{(a^2-1)/8}$ in the case above.

Dealing with negative numbers. If we have a negative b, we calculate $\left(\frac{a}{b}\right) = \left(\frac{a}{-1}\right)\left(\frac{a}{|b|}\right)$, where $\left(\frac{a}{-1}\right)$ can be easily calculated by using the definition of the Kronecker symbol, and $\left(\frac{a}{|b|}\right)$ involves a positive number in the bottom. What do we do with a negative a? The following lemma tells us that we do not need to take care of a negative a:

Lemma 3.2.4 Let a and b be odd integers with b > 0 (but not necessarily a > 0). Then we have

$$\left(\frac{a}{b}\right) = (-1)^{\frac{a-1}{2}\cdot\frac{b-1}{2}} \left(\frac{b}{|a|}\right).$$

Proof: If a is positive then we have the quadratic reciprocity law from Theorem 3.2.3. Now, let us assume that a is negative⁶, i.e. a = −|a|.

$$\left(\frac{a}{b}\right) = \left(\frac{-1}{b}\right)\left(\frac{|a|}{b}\right) = (-1)^{(b-1)/2}\,(-1)^{\frac{|a|-1}{2}\cdot\frac{b-1}{2}} \left(\frac{b}{|a|}\right).$$

Hence, it is enough to show that

$$(-1)^{\frac{b-1}{2}}\,(-1)^{\frac{|a|-1}{2}\cdot\frac{b-1}{2}} = (-1)^{\frac{b-1}{2}\left(1 + \frac{|a|-1}{2}\right)} \overset{!}{=} (-1)^{\frac{a-1}{2}\cdot\frac{b-1}{2}}.$$

In other words, we want that

$$(*)\qquad \frac{b-1}{2}\cdot\frac{|a|+1}{2} \equiv \frac{b-1}{2}\cdot\frac{a-1}{2} \pmod 2.$$

Since a is odd, we have $2\cdot\frac{a-1}{2} = a - 1 \equiv 0 \pmod 2$, from which we can deduce that $\frac{a-1}{2} \equiv \frac{-a+1}{2} \pmod 2$. If we rewrite this (using a = −|a|), we get $\frac{|a|+1}{2} \equiv \frac{a-1}{2} \pmod 2$. Multiplying both sides by $\frac{b-1}{2}$, we get (∗). □

⁵ a mod 8 is easily computed by looking at the lowest three binary digits of a.
⁶ a is not 0, since it is odd.

In the following algorithm, the variable k collects all the factors $\left(\frac{a}{2}\right)$, $\left(\frac{a}{-1}\right)$, $\left(\frac{2}{b}\right)$ and a possible −1 when applying the quadratic reciprocity law.

Algorithm 3.2.5 Square Test (Kronecker)

Input: arbitrary integers a, b
Output: the Kronecker symbol (a/b), hence the Legendre symbol if b is an odd prime

  // consider the case b equals 0
  if b = 0 then
      return 1 if a = ±1, else 0
  else
      // remove 2’s from b
      if a and b are both even then return 0
      v ← number of 2’s in b                  // step-by-step divide b by 2, count how often
      b ← b / 2^v                             // make b odd
      if v is even then k ← 1 else k ← (−1)^((a²−1)/8)     // by table lookup
      if b < 0 then
          b ← −b
          if a < 0 then k ← −k
      do                                      // b is odd and positive
          if a = 0 then return k if b = 1, 0 if b > 1
          // remove 2’s from a
          v ← number of 2’s in a              // step-by-step divide a by 2, count how often
          a ← a / 2^v                         // make a odd
          if v is odd then k ← (−1)^((b²−1)/8) · k         // by table lookup
          // apply reciprocity
          k ← (−1)^((a−1)/2 · (b−1)/2) · k    // using if-statements (test the 2nd lowest bit of a and b)
          r ← |a|, a ← b mod r, b ← r
      end do

From the number b, we have to clean powers of 2 and extract a possible −1 only at the beginning. When we apply the reciprocity law, we have already made b positive and odd. The quadratic reciprocity law basically switches a and b, hence we get that our new b is positive and odd. The new number a at the top might become even or negative through the assignments a ← b mod r and "if a > b/2 then a ← a − b", so we have to clean a in each loop-cycle. The algorithm can be slightly improved (the running time improves by a constant factor) by adding the line "if a > b/2 then a ← a − b" at the end of the do-loop.

Why does the algorithm terminate? At the end of each loop-cycle, we have 0 ≤ a < b (with the improvement mentioned above, we have −b/2 < a ≤ b/2). In each loop-cycle, the bigger of the numbers a and b is reduced modulo the smaller one, which gives a strictly decreasing sequence of nonnegative integers. After a finite number of steps, we get a = 0, and the algorithm terminates. If this algorithm is carefully programmed, then the running time is $O(\log^2 N)$, where N is an upper bound for the numbers a and b.

In the encoding algorithm, we wanted to know whether f(x) is a square modulo p, hence we wanted to calculate $\left(\frac{f(x)}{p}\right)$, which can be done in $O(\log^2 p)$.
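Algorithm 3.2.5 written out in Python, added here as an illustration (it is not code from the thesis). Python's % always returns a nonnegative remainder, which is exactly what the table lookups on a mod 8 and a mod 4 need when a is negative.

```python
def kronecker(a: int, b: int) -> int:
    """Kronecker symbol (a/b) for arbitrary integers a, b, following Algorithm 3.2.5.

    For an odd prime b this is the Legendre symbol, so kronecker(a, p) == 1
    exactly when a is a nonzero square modulo p.  The variable k accumulates
    the factors (a/2), (a/-1), (2/b) and the sign from quadratic reciprocity.
    """
    if b == 0:
        return 1 if abs(a) == 1 else 0      # (a/0) = 1 iff a = +-1
    if a % 2 == 0 and b % 2 == 0:
        return 0                            # a and b share the factor 2
    # Remove the 2's from b.  (a/2) = (2/a) = (-1)^((a^2-1)/8) for odd a, which is
    # -1 exactly when a = +-3 (mod 8): a table lookup on the low three bits of a.
    v = 0
    while b % 2 == 0:
        b //= 2
        v += 1
    k = 1
    if v % 2 == 1 and a % 8 in (3, 5):
        k = -1
    if b < 0:                               # (a/-1) is the sign of a
        b = -b
        if a < 0:
            k = -k
    # From here on b is odd and positive (loop invariant).
    while True:
        if b == 1:
            return k
        if a == 0:
            return 0
        # Remove the 2's from a; each contributes (2/b) = (-1)^((b^2-1)/8).
        v = 0
        while a % 2 == 0:
            a //= 2
            v += 1
        if v % 2 == 1 and b % 8 in (3, 5):
            k = -k
        # Quadratic reciprocity (Lemma 3.2.4 covers negative a): the sign
        # (-1)^((a-1)/2 * (b-1)/2) is -1 iff both a and b are 3 (mod 4).
        if a % 4 == 3 and b % 4 == 3:
            k = -k
        # Swap roles: (a/b) -> (b/|a|), then reduce the new top modulo the new bottom.
        r = abs(a)
        a, b = b % r, r
```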

3.3 Computing Square Roots In $\mathbb{F}_p$

In this section, we will give an algorithm which computes the square root modulo p in an expected running time of $O(\log^4 p)$.

Given $a \in \mathbb{F}_p$, how do we compute a square root of a mod p, i.e. how do we find an $x \in \mathbb{F}_p$ with $x^2 \equiv a \pmod p$?

A brute force algorithm would be to go through all elements of $\mathbb{F}_p$ and check, one by one, whether their squares are equal to a mod p. This would give an algorithm with a running time of O(p), which is very bad. Tonelli and Shanks offer a better algorithm, which has an expected running time of $O(\log^4 p)$. Before we discuss the algorithm in detail, we need a lemma from group theory:

Lemma 3.3.1 Let H be a cyclic multiplicative finite group of order n, where n is even. For all h ∈ H, we have:

h is a square in H, i.e. there is an x ∈ H such that $x^2 = h$, iff $h^{n/2} = 1$.

Proof: Let $x \in H$ with $x^2 = h$. By Fermat's little theorem, we have $x^n = 1$. We get that $1 = x^n = (x^2)^{n/2} = h^{n/2}$. Conversely, assume $h^{n/2} = 1$. Let $H =: \langle z \rangle$ and $z^k = h$. Because of $1 = h^{n/2} = z^{k \cdot n/2}$, we can deduce that $n = \operatorname{ord} z \mid k \cdot n/2$, and thus $k/2 \in \mathbb{Z}$. Define $x := z^{k/2}$. If we square x, we get $x^2 = z^k = h$, i.e. x is a square root of h in H. □

Write $p - 1 = 2^e q$ with q odd. We will see later that $x := a^{(q+1)/2} z^{k/2}$ is a square root of a mod p for a certain even $k \in \mathbb{Z}$ and for some element $z \in \mathbb{F}_p$ of order $2^e$.

It is enough to find z and k in order to compute x.

The only probabilistic part of the algorithm is finding z, which is simple to solve in practice, while computing k is harder. We will first discuss how we find z, and then present how to compute k.

Claim: For $n \in \mathbb{Z}$, $n^q \bmod p$ has order $2^e$ in $(\mathbb{Z}/p\mathbb{Z})^*$ iff n is a quadratic non-residue modulo p.

Assuming the claim, the idea is to choose random integers for n and to hope that we find $\left(\frac{n}{p}\right) = -1$ (use the square test algorithm on p. 16) after a certain number of trials; then we take $z := n^q \bmod p$. Since there are exactly $(p-1)/2$ non-squares modulo p, the probability that a random n is not a square is exactly $(p-1)/(2p)$, which is roughly 1/2. For instance, after 20 trials we have a probability of less than $10^{-6}$ that we do not find a quadratic non-residue.

Proof of the Claim: If $p \mid n$, then $n^q \equiv 0 \pmod p$, which does not have order $2^e$. Since 0 is a square modulo p, the claim is true for integers which are divisible by p. Now, let us assume that p does not divide n, i.e. that $n \not\equiv 0 \pmod p$. We have

$$\operatorname{ord} z = 2^e \iff z^{2^{e-1}} \equiv -1 \pmod p \iff z^{2^{e-1}} \equiv n^{q \cdot 2^{e-1}} \equiv n^{(p-1)/2} \equiv -1 \pmod p.$$

And from the lemma above, we get $n^{(p-1)/2} \equiv -1 \pmod p$ iff $\left(\frac{n}{p}\right) = -1$. Thus, we have that $z = n^q$ has order $2^e$ if and only if n is a quadratic non-residue modulo p, showing the claim. □

Existence of k. Let a be a square modulo p. We know that there is an element $z \in (\mathbb{Z}/p\mathbb{Z})^*$ of order $2^e$, but why is there an integer k such that $x := a^{(q+1)/2} z^{k/2}$ is a square root of a?

Let $G := \{t \in (\mathbb{Z}/p\mathbb{Z})^* \mid \text{the order of } t \text{ divides } 2^e\}$. We claim that $G = \langle z \rangle$. We have $\operatorname{ord} z = 2^e$, so $z \in G$, and hence $\langle z \rangle \subseteq G$. As a subgroup of $(\mathbb{Z}/p\mathbb{Z})^*$ (a finite cyclic group), G is itself cyclic. A generator of G has order dividing $2^e$, thus G is of order at most $2^e$. Together with $\langle z \rangle \subseteq G$, we get that $G = \langle z \rangle$.

Since a is a square in $(\mathbb{Z}/p\mathbb{Z})^*$, using the lemma above we get $a^{(p-1)/2} \equiv 1 \pmod p$. We have $1 \equiv a^{(p-1)/2} \equiv (a^q)^{2^{e-1}} \pmod p$. So, $a^q$ has order dividing $2^{e-1}$, and in particular $a^q \in G$. Due to the lemma, we have that $a^q$ is a square in G, i.e. $a^q \in \langle z^2 \rangle$. Hence, the inverse of $a^q$ lies in $\langle z^2 \rangle$ as well. This means that there is an even $k \in \{0, \ldots, 2^e - 1\}$ such that $a^q z^k \equiv 1 \pmod p$. Now, it turns out, like magic, that

$$x^2 \equiv \left(a^{(q+1)/2} z^{k/2}\right)^2 \equiv a^{q+1} z^k \equiv a \pmod p,$$

so $x^2 \equiv a \pmod p$, i.e. x is a square root of a mod p. Computing k is a little bit more difficult than finding an element z. But here is the good news: We do not need an explicit k. We only need to know $a^{(q+1)/2} z^{k/2}$. The algorithm below determines that.

Algorithm 3.3.2 Square Root Modulo p
Input: odd prime p; integer a (compute the square root of a mod p)
Output: a square root x of a, i.e. x² ≡ a mod p, or an error message saying that a is not a square modulo p

Write p − 1 = 2^e · q, with q odd.
// Find generator z.
Choose numbers n at random until (n/p) = −1, or give up after a certain number of trials.
z ← n^q mod p
// Initialize.
y ← z, r ← e, x ← a^((q−1)/2) mod p, b ← a x² mod p, x ← a x mod p
do
    // Find exponent.
    if b ≡ 1 mod p then return x
    else
        // Find m.
        Find the smallest m ≥ 1 such that b^(2^m) ≡ 1 mod p.
        if m = r then return "a is not a quadratic residue modulo p"
    end if
    // Reduce exponent.
    t ← y^(2^(r−m−1)), y ← t², r ← m, x ← x t, b ← b y    (all operations modulo p)
end do
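Algorithm 3.3.2 in Python, added here as an illustration and not the thesis's own code. It uses Euler's criterion as the square test when searching for a non-residue, and a seeded random generator so that the probabilistic part is reproducible.

```python
import random


def sqrt_mod_p(a: int, p: int, seed: int = 0, trials: int = 20):
    """Square root of a modulo an odd prime p (Tonelli-Shanks, Algorithm 3.3.2).

    Returns x with x*x = a (mod p), or None if a is not a quadratic residue.
    The only probabilistic part is the search for a non-residue n; here the
    square test is Euler's criterion n^((p-1)/2) = -1 (mod p).
    """
    a %= p
    if a == 0:
        return 0
    if p == 2:
        return a
    # Write p - 1 = 2^e * q with q odd.
    e, q = 0, p - 1
    while q % 2 == 0:
        q //= 2
        e += 1
    # Find generator z of the 2-part: random n until n is a non-residue, z = n^q.
    rng = random.Random(seed)
    for _ in range(trials):
        n = rng.randrange(2, p)
        if pow(n, (p - 1) // 2, p) == p - 1:
            break
    else:
        raise RuntimeError("no quadratic non-residue found in %d trials" % trials)
    z = pow(n, q, p)
    # Initialize.  Loop invariants (Section 3.3), valid when a is a square:
    #   a*b = x^2,   y^(2^(r-1)) = -1,   b^(2^(r-1)) = 1   (all mod p)
    y, r = z, e
    x = pow(a, (q - 1) // 2, p)
    b = a * x * x % p          # b = a^q
    x = a * x % p              # x = a^((q+1)/2)
    while True:
        # Find exponent.
        if b == 1:
            return x
        # Find m: the smallest m >= 1 with b^(2^m) = 1.  Since b^(2^r) = 1 always
        # holds, m <= r, and m = r happens exactly when a is not a square.
        m, c = 1, b * b % p
        while c != 1 and m < r:
            c = c * c % p
            m += 1
        if m == r:
            return None        # "a is not a quadratic residue modulo p"
        # Reduce exponent: the new y = y^(2^(r-m)) generates G_m, b is multiplied
        # by y^(2^(r-m)) and x by y^(2^(r-m-1)), which keeps a*b = x^2.
        t = pow(y, 1 << (r - m - 1), p)
        y = t * t % p
        r = m
        x = x * t % p
        b = b * y % p
```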

The idea. At the beginning of each do-loop cycle, we claim that we always have the following three congruences (assuming that a is a square modulo p):

$$ab \equiv x^2 \pmod p, \qquad y^{2^{r-1}} \equiv -1 \pmod p, \qquad b^{2^{r-1}} \equiv 1 \pmod p.$$

The congruence $ab \equiv x^2 \pmod p$ is very close to what we want: $a \equiv x^2 \pmod p$. We want to get rid of the b, i.e. b should be 1 so that we can return x as a square root. Let $G_r$ be the subgroup of G containing all elements of order dividing $2^r$ (then $G_e = G$). The second congruence means that y is a generator of $G_r$, and the third congruence means that b is a square in $G_r$. In particular, we have $b \in G_{r-1}$.

The idea is to reduce the exponent r to 1 (so that eventually $b \in G_1 = \{1\}$) in such a way that the three congruences remain true.

Congruences are true after initializing. After initializing, we have the following equalities: $y = z$, $r = e$, $b \equiv a^q \pmod p$, $x \equiv a^{(q+1)/2} \pmod p$. You can check the first congruence $ab \equiv x^2 \pmod p$ directly by substitution. The second congruence is true, since z is a generator of G, i.e. $z^{2^{r-1}} \equiv -1 \pmod p$. Finally, we have $b^{2^{r-1}} = a^{q \cdot 2^{e-1}} = a^{(p-1)/2}$. This is congruent to 1 mod p iff a is a square modulo p.

Reduce exponent. The assignments performed in "Reduce exponent" are

$$\tilde{y} \leftarrow y^{2^{r-m}}, \qquad \tilde{r} \leftarrow m, \qquad \tilde{x} \leftarrow x\,y^{2^{r-m-1}}, \qquad \tilde{b} \leftarrow b\,y^{2^{r-m}},$$

where the variables with a tilde represent the values at the end of the do-loop, and where the variables on the right hand side represent the values before the assignments in the part "Reduce exponent".

Find m. In the first loop-cycle, we have $b^{2^r} \equiv b^{2^e} \equiv a^{q \cdot 2^e} \equiv a^{p-1} \equiv 1 \pmod p$. In the following loop-cycles, $m \le r$ can be deduced from $\tilde{b}^{2^{\tilde{r}}} \equiv 1 \pmod p$, which can be directly calculated. Therefore, m is always at most r. If a is a square modulo p, then m < r, due to the third congruence. In the case that a is not a square modulo p, m and r are equal, and we can return "a is not a quadratic residue modulo p".

Congruences remain true. Assuming that a is a square modulo p, we can reduce our exponent r to m. To assure the second congruence, namely that $\tilde{y}$, the new y, has order $2^{\tilde{r}}$, we raise y to the power of $2^{r-m}$ to get $\tilde{y}$:

$$\tilde{y}^{2^{\tilde{r}-1}} \equiv \left(y^{2^{r-m}}\right)^{2^{m-1}} \equiv y^{2^{r-1}} \equiv -1 \pmod p.$$

We also want the third congruence to remain true, i.e. $\tilde{b}^{2^{m-1}} \equiv 1 \pmod p$. We achieve this by multiplying b by $y^{2^{r-m}}$ to obtain $\tilde{b}$:

$$\tilde{b}^{2^{\tilde{r}-1}} \equiv \left(b\,y^{2^{r-m}}\right)^{2^{m-1}} \equiv b^{2^{m-1}} \cdot y^{2^{r-1}} \equiv (-1)\cdot(-1) \equiv 1 \pmod p,$$

where $b^{2^{m-1}} \equiv -1 \pmod p$ due to the choice of m. Let us have a look at the first congruence $ab \equiv x^2 \pmod p$. We multiplied b by $y^{2^{r-m}}$. Hence, we get on the left hand side an additional factor $y^{2^{r-m}}$. In order to balance the right hand side, i.e. in order to have $ab \cdot y^{2^{r-m}} \equiv x^2 \cdot y^{2^{r-m}} \pmod p$, we multiply x by $y^{2^{r-m-1}}$, which is the assignment $\tilde{x} \leftarrow x\,y^{2^{r-m-1}}$ (recall that r > m).

Running time analysis. In each loop-cycle, the exponent r decreases by at least 1. As soon as r = 1, we get b = 1, hence the algorithm terminates after at most e cycles. According to [4], it is easy to show that each loop-cycle requires on average $e^2/4$, and at most $e^2$, multiplications modulo p. So, during the whole loop, at most $e^3$ multiplications modulo p are performed. Since e is of magnitude log p, and a multiplication modulo p has a running time of $O(\log^2 p)$, the whole loop has a running time of $O(\log^4 p)$.

In the part "Find generator", the square test $\left(\frac{n}{p}\right)$ has a running time of order $O(\log^2 p)$ (see "Square Test" on page 16). There are at most 20 square tests performed (if you choose to pick at most 20 random integers for n), so a generator can be found in a time of $O(\log^2 p)$ (be reminded that this is exactly the probabilistic part of the algorithm). The rest of the first part and the part "Initialize" have $O(\log p)$ multiplications modulo p, which yields a running time of $O(\log^3 p)$. Comparing the part before the loop, which was $O(\log^3 p)$, with the loop itself, which was $O(\log^4 p)$, we conclude that the algorithm has a total running time of $O(\log^4 p)$.

Chapter 4

The Discrete Logarithm Problem

In this chapter, you will find answers on “what is the discrete logarithm problem (DLP)?” and “how is it related to the security of certain cryptosystems?”. Then we will discuss methods to solve the DLP. We will mention the Pohlig-Hellman attack, present Shanks’ Baby-Step Giant-Step method, Pollard’s rho method, and the index calculus method. In chapter 5, we will study a certain attack on DLP, namely the Weil pairing attack.

4.1 The DLP and the Security of Cryptosystems

On page 9, we introduced the Diffie-Hellman protocol, whose strength is based on the difficulty of determining the secret point abB from the observed points aB, bB and B. The arbitrary integers a and b are kept secret. Knowing aB does not mean that one knows a. If you are able to determine a from aB, then you have cracked Diffie-Hellman: Having a, you can compute a(bB) = abB, obtaining the secret point. Figuring out a from aB is called the discrete logarithm problem for elliptic curves. First, we will define the DLP for elliptic curves and give an example. Then we will define the DLP for general abelian groups.

Definition 4.1.1 (DLP for elliptic curves) Let P and B be two points on E, and $P \in \langle B \rangle$, i.e. P lies in the subgroup generated by B. Hence, there is an $a \in \mathbb{Z}$ with aB = P.


1. An integer a with aB = P is called discrete logarithm of P (with respect to B or to the base B).

2. Determining a discrete logarithm of P is called the discrete logarithm problem (DLP).

Example 4.1.2 Let our base field be $\mathbb{F}_p$ where

p = 1037409259811952655310068034003 is a large prime number. Let our elliptic curve be $E : y^2 = x^3 + 17$, and let our base point be $B := (-1, 4) \in E(\mathbb{F}_p)$ (see example 2.1.2). Choose

P := (814018908907412054098443886689, 633158865773655115262132178282).

It is not obvious whether $P \in \langle B \rangle$. If we assume this (it is actually true), then it is not obvious what the discrete logarithm of P to the base B is either.

Given the field Fp, the elliptic curve E, and the base point B, then it is easy to compute 57B (using the formulas in 2.1.3), and we will get 57B = P .

Definition 4.1.3 (DLP for general abelian groups) Let G be a finite abelian group, and let $g, h \in G$ with $h \in \langle g \rangle$.

1. An integer a with $g^a = h$ is called discrete logarithm of h (with respect to g or to the base g).

2. Determining a discrete logarithm of h is called the discrete logarithm problem (DLP).

With the help of the discrete logarithm for elliptic curves, we are also able to crack the Massey-Omura cryptosystem discussed on page 9: From the communication between Alice and Bob, we observe the points

$$X := e_A M, \qquad Y := e_A e_B M \qquad \text{and} \qquad Z := e_B M.$$

We know that $e_B X = Y$, so we compute the discrete logarithm of Y with respect to X and receive $e_B$. Having $e_B$, we calculate $d_B \equiv e_B^{-1} \pmod N$. We receive the secret point with $d_B Z = M$. Note that we do not say that if you can crack the Diffie-Hellman protocol, then you can solve the DLP. The same is true for the Massey-Omura cryptosystem. The DLP may be harder than cracking one of these cryptosystems, or maybe it is not.

4.2 Comparing Algorithms on the DLP

Shanks and Pollard. While Shanks' Baby-Step Giant-Step method is deterministic, Pollard's rho method is a probabilistic algorithm. Let the desired discrete logarithm lie in an interval of length at most n. Then the big advantage of Pollard's method is that it only requires space for a constant number of group elements, while Shanks' method requires space for $O(\sqrt{n})$ group elements. According to [7], both Shanks' and Pollard's methods require around $n^{1/2}$ steps. Assume we use Shanks' or Pollard's algorithm to solve the DLP for a given elliptic curve over the field $\mathbb{F}_q$, where q is a power of a prime number. Due to Hasse-Weil, we have

$$|\#E(\mathbb{F}_q) - (q + 1)| \le 2\sqrt{q}.$$

Thus, a discrete logarithm can be found in the interval $[0, q + 1 + 2\sqrt{q}]$. Hence, the number of steps for Shanks or Pollard is $\sqrt{q + 1 + 2\sqrt{q}}$, which is $O(\sqrt{q})$. A group operation, adding two points, in $E(\mathbb{F}_q)$ takes $O(\log^3 q)$. We get a running time of $O(\sqrt{q}\,\log^3 q)$, which is exponential in log q, for Shanks' and Pollard's algorithms.

Pohlig-Hellman and Index Calculus. The Pohlig-Hellman attack has a running time of $O(p_{\max} \log^4 p)$, where $p_{\max}$ is the largest prime factor dividing p − 1. If $p_{\max} = 2$, i.e. p − 1 is a power of 2, then this algorithm can crack a cryptosystem based on the finite field $\mathbb{F}_p$ in polynomial time, polynomial in log p. If $p_{\max} = (p-1)/2$, then the running time becomes $O(p \log^4 p)$, which is exponential in log p.

The index calculus method to solve the DLP over $\mathbb{F}_q$, where q is a power of a prime number, has a running time of $O(e^{c\sqrt{\log q \log\log q}})$ for a positive constant c. This is subexponential.

Conclusion. The DLP seems to be very hard to solve. Though there are several algorithms solving the DLP for elliptic curves, they are either very slow (exponential), such as Shanks' Baby-Step Giant-Step algorithm and Pollard's rho method, or work fast only under a certain condition: The Weil pairing attack is effective if we have a so-called supersingular curve, and the method of Pohlig-Hellman (see [15], pp. 166–170) beats the DLP if the number of points N on the elliptic curve is a product of small prime numbers. In this case, we call N smooth. Though the index calculus method has an expected subexponential running time, it does not help to solve the DLP for elliptic curves, since the method does not work directly for elliptic curves (see page 33). In order to attack cryptosystems based on discrete exponentiation in a finite field, we would prefer the index calculus method rather than Shanks' or Pollard's methods. While designing a secure cryptosystem and choosing an elliptic curve, one should avoid supersingular curves as well as curves where the number of points is smooth or where the range of the discrete logarithm is too limited.

4.3 Shanks’ Baby-Step Giant-Step Algorithm

Let us say we want to solve the discrete logarithm problem in the abelian group G. We assume that we have a generator g of G (in this case, we assume that G is cyclic), or an element g ∈ G of order of magnitude #G. For a given $h \in \langle g \rangle$, we want to find the smallest positive $k \in \mathbb{Z}$ such that $g^k = h$.

Shanks' algorithm needs to know an upper bound of the order of g. Let us call this upper bound n. We can take n := ord g, if we know the order of g. Shanks' algorithm can be used to compute the discrete logarithm of h in $O(n^{1/2} \log(n^{1/2}))$ operations. If we want to compute the order of g, we can use the algorithm with h as the identity, since the smallest positive integer k with $g^k = 1$ is exactly the order of g. Again, we need an upper bound for the order of g. We assume for our group that we have an efficient method to produce a unique canonical representation for a given element. This ensures that we can compare elements in our group easily, since we need to sort elements later. In the elliptic curve case, we can sort points by their x-coordinate.

First, we set $m := \lceil \sqrt{n} \rceil$. The yet unknown k can be written as k = i + jm with 0 ≤ i, j < m. So, it is enough to find i and j. We have $h = g^k = g^{i+jm} = g^i \cdot g^{jm}$, which is equivalent to $h g^{-i} = g^{jm}$. We compute two lists:

$$S := \{h, hg^{-1}, hg^{-2}, \ldots, hg^{-(m-1)}\} \qquad \text{and} \qquad L := \{1, g^m, g^{2m}, \ldots, g^{(m-1)m}\}.$$

Then we compare the two lists and look for equal elements $hg^{-i} \in S$ and $g^{jm} \in L$. We have to be careful while comparing. A naive way is to compare each element of S with each element of L. Then we would have $m^2$, i.e. roughly n, group comparisons, which would result in a running time of at least O(n). We can avoid this by sorting one list, say S, in $O(m \log m)$ group comparisons (using a heap sort algorithm), and then for each element $a \in L$, we search for a in S in $O(\log m)$ group comparisons (using binary search). The running time of Shanks' algorithm is dominated by computing the two lists S and L, and by sorting one list. O(m) group operations are necessary to compute the two lists, and $O(m \log m)$ group comparisons are necessary to search for a common element. The running time needed to perform a group operation or group comparison can slow down the algorithm.

If we want to solve the DLP for an elliptic curve, then we have $G = E(\mathbb{F}_q)$. In this additive group, computing $g^m$ corresponds to computing mB for some fixed base point $B \in E(\mathbb{F}_q)$. As discussed already in section 4.2, the running time of Shanks' algorithm is $O(\sqrt{q}\,\log^3 q)$, i.e. it is exponential in log q.
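An added implementation of Shanks' algorithm (not from the thesis) over an abstract group given by its multiplication, inversion and identity, so that the same function serves $\mathbb{F}_p^*$ and $E(\mathbb{F}_p)$. A hash table stands in for the sorted list with binary search, and the order computation via h = identity is realised as the smallest k with $g^k = g^{-1}$. The elliptic-curve instance reuses the curve $y^2 = x^3 + 17$ and base point (−1, 4) of Example 4.1.2, but over a small prime chosen here; the hasse_bound helper is also an addition.

```python
from math import isqrt


def gpow(g, e, mul, one):
    """g^e by square-and-multiply in a group given by its product mul and identity one."""
    result = one
    while e > 0:
        if e & 1:
            result = mul(result, g)
        g = mul(g, g)
        e >>= 1
    return result


def bsgs(g, h, n, mul, inv, one):
    """Shanks' Baby-Step Giant-Step: the smallest k >= 0 with g^k = h, given an
    upper bound n on the order of g; None if there is no such k < n.  Elements
    must have a canonical representation usable as a dict key (the hash table
    replaces the sorted list plus binary search of Section 4.3)."""
    m = isqrt(n)
    if m * m < n:
        m += 1                                   # m = ceil(sqrt(n)), so m*m >= n
    # Baby steps: S = {h g^-i : 0 <= i < m}, keeping the smallest i per element.
    ginv = inv(g)
    baby, x = {}, h
    for i in range(m):
        baby.setdefault(x, i)
        x = mul(x, ginv)
    # Giant steps: walk L = {g^(jm) : 0 <= j < m} and look for h g^-i = g^(jm).
    gm = gpow(g, m, mul, one)
    y = one
    for j in range(m):
        if y in baby:
            return j * m + baby[y]               # k = i + j m
        y = mul(y, gm)
    return None


def group_order(g, n, mul, inv, one):
    """ord(g) with the same machinery: the smallest k >= 0 with g^k = g^-1 is ord(g) - 1."""
    k = bsgs(g, inv(g), n, mul, inv, one)
    return None if k is None else k + 1


def ec_add(P, Q, a, p):
    """Chord-and-tangent addition on y^2 = x^3 + a x + b over F_p (b is not needed
    by the formulas).  Points are (x, y) tuples; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                              # Q = -P
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def fp_group(p):
    """(mul, inv, one) for the multiplicative group F_p^*."""
    return (lambda u, v: u * v % p, lambda u: pow(u, -1, p), 1)


def ec_group(a, p):
    """(mul, inv, one) for E(F_p), y^2 = x^3 + a x + b, additive in the text but
    fed to bsgs through the same interface."""
    return (lambda P, Q: ec_add(P, Q, a, p),
            lambda P: None if P is None else (P[0], -P[1] % p),
            None)


def hasse_bound(p):
    """Integer upper bound for q + 1 + 2 sqrt(q) (Section 4.2), valid for ord(B)."""
    return p + 3 + 2 * isqrt(p)


if __name__ == "__main__":
    mul, inv, one = fp_group(1019)               # 2 generates F_1019^*
    print(bsgs(2, 777, 1019, mul, inv, one), group_order(2, 1019, mul, inv, one))
    # Constructed instance: y^2 = x^3 + 17 with B = (-1, 4), over the prime 101.
    p = 101
    mul, inv, one = ec_group(0, p)
    B = (p - 1, 4)
    print(group_order(B, hasse_bound(p), mul, inv, one),
          bsgs(B, gpow(B, 23, mul, one), hasse_bound(p), mul, inv, one))
```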

4.4 Pollard’s Rho Method

As in Shanks' Baby-Step Giant-Step algorithm, we have the same setup: We want to solve the DLP in the abelian group G, i.e. for given $g, h \in G$, we want to find $k \in \mathbb{Z}$ such that $g^k = h$ (assuming that such a k exists). The idea is to generate a sequence of elements in G which is sufficiently chaotic, but can be represented easily enough that calculating the discrete logarithm is easy. Choose a random partition S, T, U of G, where these three sets have roughly equal size. Start with $x_0 := 1$ and

$$x_{i+1} := \begin{cases} x_i h & \text{if } x_i \in S \\ x_i^2 & \text{if } x_i \in T \\ x_i g & \text{if } x_i \in U \end{cases}$$

Then, we can represent the $x_i$'s as powers of h and g, in other words $x_i =: h^{a_i} g^{b_i}$, where $a_i, b_i \in \mathbb{Z}_{\ge 0}$.

We keep computing the sequence until we get $x_i = x_{2i}$ for some i ≥ 1. Then we have $h^{a_i} g^{b_i} = h^{a_{2i}} g^{b_{2i}}$, which leads to a linear equation by taking the discrete logarithm on each side: $a_i \log_g h + b_i \equiv a_{2i} \log_g h + b_{2i} \pmod{\operatorname{ord}(g)}$.

With the above k, we get $k(a_{2i} - a_i) \equiv b_i - b_{2i} \pmod{\operatorname{ord}(g)}$. If $a_{2i} - a_i$ and ord(g) are relatively prime, then we calculate with Euclid's algorithm:

$$k \equiv (a_{2i} - a_i)^{-1} \cdot (b_i - b_{2i}) \pmod{\operatorname{ord}(g)}.$$

If we consider that we compare $x_i$ with $x_{2i}$ in each step, we might think that we need to store all the elements between these two. This would require $O(m^{1/2})$ space.

Instead, we store $x_i, a_i, b_i$ and $x_{2i}, a_{2i}, b_{2i}$ in each step. Hence, we only need space of constant size. The expected running time of Pollard's rho method is $O(\sqrt{q}\,\log^3 q)$, which is exponential in log q, as derived in section 4.2.
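Pollard's rho method in $\mathbb{F}_p^*$ as an added example (not the thesis's code). The partition by x mod 3 and the random starting point $h^{a_0} g^{b_0}$ are choices made here; the latter replaces $x_0 := 1$ because, in this partition, 1 lies in the squaring class T and would never leave it.

```python
import math
import random


def pollard_rho(g, h, p, n, seed=0, max_tries=50):
    """Pollard's rho method in F_p^* (Section 4.4): k with g^k = h (mod p), where
    n = ord(g).  Returns k mod n, or None if every restart ended in a collision
    with gcd(a_2i - a_i, n) > 1.  Only the two triples (x_i, a_i, b_i) and
    (x_2i, a_2i, b_2i) are kept, so the space is constant."""
    rng = random.Random(seed)

    def step(x, a, b):
        # Invariant: x = h^a g^b; the exponents are tracked modulo n = ord(g).
        c = x % 3                                      # constructed partition S, T, U
        if c == 0:
            return x * h % p, (a + 1) % n, b           # x in S: multiply by h
        if c == 1:
            return x * x % p, 2 * a % n, 2 * b % n     # x in T: square
        return x * g % p, a, (b + 1) % n               # x in U: multiply by g

    for _ in range(max_tries):
        a0, b0 = rng.randrange(n), rng.randrange(n)
        x0 = pow(h, a0, p) * pow(g, b0, p) % p
        x1, a1, b1 = step(x0, a0, b0)                  # x_i   (tortoise)
        x2, a2, b2 = step(x1, a1, b1)                  # x_2i  (hare)
        while x1 != x2:                                # Floyd cycle finding
            x1, a1, b1 = step(x1, a1, b1)
            x2, a2, b2 = step(*step(x2, a2, b2))
        # h^a1 g^b1 = h^a2 g^b2  =>  k (a2 - a1) = b1 - b2  (mod n)
        d = (a2 - a1) % n
        if math.gcd(d, n) != 1:
            continue                                   # not invertible: restart the walk
        k = (b1 - b2) * pow(d, -1, n) % n
        if pow(g, k, p) == h % p:
            return k
    return None
```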

4.5 The Index Calculus Method

While the previous sections deal with the DLP for elliptic curves, this section presents a method to solve the DLP for multiplicative groups of finite fields of the form $\mathbb{F}_p$, where p is a prime number. This method has a subexponential running time in log p. We refer the reader interested in a subexponential algorithm to solve the DLP for any finite field to [1]. Cryptosystems based on discrete exponentiation in multiplicative groups of any finite field can be efficiently attacked by the index calculus method. The next chapter will show that we can reduce the DLP for elliptic curves to the DLP for multiplicative groups of finite fields. Using this reduction together with the index calculus method yields an effective attack, if our elliptic curve is supersingular.

The goal. Given $\alpha, \beta \in (\mathbb{Z}/p\mathbb{Z})^* \cong \mathbb{F}_p^*$, and assume that $\beta \in \langle \alpha \rangle = \{1, \alpha, \alpha^2, \alpha^3, \ldots\}$. The index calculus method tries to find a positive $\lambda \in \mathbb{Z}$ such that $\alpha^\lambda = \beta$.

The idea. Let B = {p1, p2, . . . , pB} be a set of “small” prime numbers. We call B factor base. First, we compute the discrete logarithms of all prime numbers in B. Based on this information, we will compute the discrete logarithm of β.

Precomputation step. Choose random values x ∈ Z/(pZ), compute z := αx modulo p, and then test whether all prime factors of z lie in B (e.g. by using trial division). In this case, we call z smooth (or B-smooth).

Let us assume that we found smooth numbers $\alpha^{x_j}$ for j = 1, ..., C, where C ≥ B, i.e. we have

$$\alpha^{x_j} \equiv p_1^{a_{1j}} p_2^{a_{2j}} \cdots p_B^{a_{Bj}} \pmod p \qquad \text{for } j = 1, \ldots, C.$$

Taking the discrete logarithm to the base α, we get

$$x_j \equiv a_{1j} \log_\alpha p_1 + \cdots + a_{Bj} \log_\alpha p_B \pmod{p-1} \qquad \text{for } j = 1, \ldots, C.$$

We have a system of C linear congruences in the B unknowns $\log_\alpha p_1, \ldots, \log_\alpha p_B$. We hope that this system has a unique solution modulo p − 1. In this case, we can solve for $\log_\alpha p_1, \ldots, \log_\alpha p_B$.

Computing an individual discrete logarithm. Choose random integers s with 1 ≤ s ≤ p − 2 until $\gamma = \beta\alpha^s \bmod p$ is smooth, or until we give up after a certain number of unsuccessful tries to find a smooth γ. If we found a smooth number γ, then we can write

$$\gamma \equiv \beta\alpha^s \equiv p_1^{c_1} p_2^{c_2} \cdots p_B^{c_B} \pmod p.$$

Taking the discrete logarithm on both sides we get

$$\log_\alpha \beta + s \equiv c_1 \log_\alpha p_1 + c_2 \log_\alpha p_2 + \cdots + c_B \log_\alpha p_B \pmod{p-1}.$$

In the last congruence, we know everything except for $\lambda \equiv \log_\alpha \beta \pmod p$, which we can easily compute.

Running time and examples. The expected running time of the index calculus method over $\mathbb{F}_p$ is $O(e^{\sqrt{2 \log p \log\log p}})$, and over $\mathbb{F}_{p^r}$ is $O(e^{c\sqrt{\log p^r \log\log p^r}})$ for a positive constant c. These running times are subexponential. We refer the reader to [16], pp. 134–136 and to [15], pp. 171–172 for examples showing how the index calculus method works.

Factor bases. There is no known analogue of factor bases on elliptic curves. So, we can not use this method directly to attack the DLP for elliptic curves. $\mathbb{F}_{p^r}$ can not be embedded into the integers like $\mathbb{F}_q$, since $\mathbb{Z}/(p^r\mathbb{Z})$ is not an integral domain ($p \cdot p^{r-1} \equiv 0 \pmod{p^r}$) and is therefore not a field.
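The index calculus method of this section over $\mathbb{F}_p$, added here as an example (not the thesis's code). It collects relations by trial division over the factor base, solves the system modulo each prime factor of p − 1 and recombines with the Chinese remainder theorem; this assumes p − 1 squarefree and α a generator of $\mathbb{F}_p^*$. The prime 1019, the factor base and the inputs are constructed for the demo.

```python
import random


def factor_over_base(z, base):
    """Exponent vector of z over the factor base, or None if z is not smooth."""
    exps = []
    for q in base:
        e = 0
        while z % q == 0:
            z //= q
            e += 1
        exps.append(e)
    return exps if z == 1 else None


def distinct_prime_factors(n):
    """Prime factors of n by trial division; this demo requires n squarefree."""
    fs, d = [], 2
    while d * d <= n:
        if n % d == 0:
            fs.append(d)
            n //= d
            assert n % d != 0, "p - 1 must be squarefree for the CRT step used here"
        else:
            d += 1
    if n > 1:
        fs.append(n)
    return fs


def solve_mod_prime(rows, l):
    """Gauss-Jordan elimination over F_l on augmented rows [a_1 .. a_B | rhs].
    Returns the unique solution, or None if the system is not of full rank."""
    m = [[v % l for v in row] for row in rows]
    ncols = len(m[0]) - 1
    rank = 0
    for col in range(ncols):
        piv = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if piv is None:
            return None                          # free variable: no unique solution
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][col], -1, l)
        m[rank] = [v * inv % l for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(u - f * v) % l for u, v in zip(m[i], m[rank])]
        rank += 1
    return [m[i][-1] for i in range(ncols)]


def crt(residues, moduli):
    """Combine x = r_i (mod l_i) for pairwise coprime moduli into x mod prod(l_i)."""
    x, big = 0, 1
    for r, l in zip(residues, moduli):
        x += big * (((r - x) * pow(big, -1, l)) % l)
        big *= l
    return x % big


def index_calculus(alpha, beta, p, base, seed=1, max_tries=2000):
    """log_alpha(beta) mod p-1 in F_p^* by the index calculus method of Section 4.5.
    alpha must generate F_p^*; the relation system is solved modulo each prime
    factor of p-1 and recombined by CRT, hence the squarefree assumption."""
    n = p - 1
    moduli = distinct_prime_factors(n)
    rng = random.Random(seed)
    # Precomputation: relations alpha^x = prod p_i^a_i, i.e. x = sum a_i log p_i (mod n).
    rows, logs = [], None
    for _ in range(max_tries):
        x = rng.randrange(1, n)
        exps = factor_over_base(pow(alpha, x, p), base)
        if exps is None:
            continue
        rows.append(exps + [x])
        if len(rows) >= len(base):
            sols = [solve_mod_prime(rows, l) for l in moduli]
            if all(s is not None for s in sols):
                logs = [crt([s[i] for s in sols], moduli) for i in range(len(base))]
                break
    if logs is None:
        raise RuntimeError("could not solve for the factor-base logarithms")
    # Individual logarithm: s with beta * alpha^s smooth gives
    # log beta = sum c_i log p_i - s  (mod n).
    for _ in range(max_tries):
        s = rng.randrange(1, n)                   # 1 <= s <= p - 2
        c = factor_over_base(beta * pow(alpha, s, p) % p, base)
        if c is not None:
            return (sum(ci * li for ci, li in zip(c, logs)) - s) % n
    raise RuntimeError("no smooth beta * alpha^s found")
```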

Therefore, we do not represent elements of $\mathbb{F}_{p^r}$ as integers. One possibility is to work with number fields and the ideals in their rings of integers. Then a factor base is a finite set of prime ideals instead of prime numbers. Another possibility is to represent elements of $\mathbb{F}_{p^r}$ by polynomials in $(\mathbb{Z}/p\mathbb{Z})[X]/(f(X))$, where $f(X) \in (\mathbb{Z}/p\mathbb{Z})[X]$ is irreducible and of degree r. In this case, a factor base is a finite set of polynomials of small degree (see [1]).

Chapter 5

The Weil Pairing

This chapter explains how we can reduce the DLP of elliptic curves to the DLP for finite fields, and why we are interested in this reduction. The reduction step utilizes a so-called pairing, and is therefore called pairing attack. Then, we will discuss why the pairing attack is effective when we have a so-called supersingular elliptic curve. Supersingular curves are therefore considered weak for cryptographic purposes and should be avoided when choosing a cryptosystem. While the first section deals with the pairing attack in general, the sections afterward are dedicated to a particular pairing, namely the Weil pairing. We will study the Weil pairing in detail, investigate its properties, and present an algorithm to compute the Weil pairing.

5.1 The Pairing Attack In General

In this section, we define the notion of a pairing, outline the idea of the reduction, also called the MOV/Frey-Rück attack or pairing attack, in more detail, and mention the connection between supersingularity and the security of the DLP on an elliptic curve. The key property for reducing the DLP on an elliptic curve to the DLP on a finite field is the bilinearity of a pairing.


Why do we want to make this reduction? The index calculus method can be applied to the DLP for $\mathbb{F}_q^*$. It uses factor bases (a set of small prime numbers) and gives us a subexponential algorithm. Since factor bases do not have an equivalent in the elliptic curve case, the index calculus method will not directly work for elliptic curves. So far, there is no known subexponential algorithm to solve the discrete logarithm for a general elliptic curve. So, it looks like a reasonable idea to try to reduce the DLP of elliptic curves to the DLP for multiplicative groups of finite fields. But the reduction does not result in an effective algorithm in general. As mentioned at the beginning of this chapter, the pairing attack is effective for all supersingular elliptic curves. [1] Designers of cryptosystems should therefore avoid using such curves.

Let E be an elliptic curve over the field $\mathbb{F}_q$, where q is a power of the prime number p. Fix an integer m ≥ 2 such that $p \nmid m$.

Definition 5.1.1 A pairing is a function $e\colon E[m] \times E[m] \longrightarrow \bar{\mathbb{F}}_q^*$ with

$$e(nP, Q) = e(P, nQ) = e(P,Q)^n \qquad \text{for all } n \in \mathbb{Z} \text{ and all } P, Q \in E[m],$$

where $E[m] := \{P \in E(\bar{\mathbb{F}}_q) \mid mP = 0\}$ (set of m-torsion points).

Note that a pairing maps into the m-th roots of unity, i.e.

$$e\colon E[m] \times E[m] \longrightarrow \mu_m \subseteq \bar{\mathbb{F}}_q^*.$$

From algebra, we know that the smallest field containing $\mathbb{F}_q$ and the m-th roots of unity is $\mathbb{F}_{q^k}$, where k is the smallest integer with $q^k \equiv 1 \pmod m$. It is also desirable that a pairing e has the following two properties:

• For all P ∈ E[m], we have: If e(P,Q) = 1 for all Q ∈ E[m], then P = 0 (non-degenerate).

• e(P,Q) is computable, i.e. there is an algorithm which computes e(P,Q) for all m-torsion points P, Q in a reasonable amount of time.

[1] This does not mean that an elliptic curve E is safe from the pairing attack if E is not supersingular.

Algorithm 5.1.2 MOV [2]/Frey-Rück Attack

Input: base point $P \in E(\mathbb{F}_q)$, m := ord P; $Q \in \langle P \rangle$, i.e. there is a $\lambda \in \mathbb{Z}$ with Q = λP
Output: the discrete logarithm λ mod m of Q to the base P

1. Get $\mathbb{F}_{q^k}$ from $\mathbb{F}_q$ by adjoining the m-th roots of unity.

2. Find an auxiliary point S ∈ E[m] s.t. e(P,S) ≠ 1 holds. [3]

3. Compute $\zeta_1 := e(P,S)$ and $\zeta_2 := e(Q,S)$. Then

$$\zeta_2 = e(Q,S) = e(\lambda P, S) = e(P,S)^\lambda = \zeta_1^\lambda,$$

hence $\zeta_2 = \zeta_1^\lambda$ in $\mathbb{F}_{q^k}^*$.

4. Solve the DLP $\zeta_2 = \zeta_1^\lambda$ in $\mathbb{F}_{q^k}^*$ to obtain λ mod ord($\zeta_1$).

5. Return λ mod m.

Closer look at the last two lines. With the help of the DLP in a finite field, we get λ modulo ord($\zeta_1$). We want to get the discrete logarithm λ modulo the order of P, i.e. modulo m. So, it is desirable that the order of $\zeta_1$ is the same as the order of P, or at least as big as possible. We will see that with the Weil pairing, it is possible to pick a point S such that $\zeta_1$ is a primitive m-th root of unity (see 5.5.2). In this case, $\zeta_1$ and P have the same order. But how we find such an auxiliary point S is a problem which we do not address in this paper.

[2] Menezes, Okamoto, Vanstone
[3] Here, we need that the pairing is non-degenerate.

Running time. A discussion of the running time of step 3, if q is a prime number instead of a power of a prime number, and if we use the Weil pairing, can be found on page 55.

Note that as k grows, the number of elements in $\mathbb{F}_{q^k}^*$ grows exponentially. If we use the index calculus method described in [1] for step 4 in the MOV attack, then we have an expected running time of $O(e^{c\sqrt{\log q^k \log\log q^k}})$ for a positive constant c. If k = log q, then we get a running time exponential in log q. Therefore, this method is only effective if k is not too big. We will discuss a certain class of elliptic curves which always result in a small k. Curves in this class are called supersingular elliptic curves, and they always yield cryptosystems which can be effectively cracked with the algorithm above.

Definition 5.1.3 (supersingular)

Let $\#E(\mathbb{F}_q) = q + 1 - t$ denote the order of an elliptic curve. If q is a power of p, then E is called supersingular iff p divides t.

Theorem 5.1.4 (MOV) Supersingular curves have k ≤ 6, which is considered weak for cryptography.

Proof: See [9].

5.2 Preparation for the Weil Pairing

As an example of a pairing, we will take a closer look at the Weil pairing. While the MOV attack uses the Weil pairing, the Frey-Rück attack utilizes the Tate pairing. In this section, we will define the projective plane, divisors, degree and support of a divisor, divisors of rational functions, and principal divisors, and we will prove some properties of divisors.

Definition 5.2.1

Let K be any field.

1. For $x, y, u, v \in \bar{K}$, we define $(x, y) \sim (u, v)$ iff there is a $\lambda \in \bar{K}^*$ such that $(\lambda x, \lambda y) = (u, v)$, e.g. (1, 5) ∼ (2, 10).

2. $\mathbb{P}^1(\bar{K}) = \{(x, y) \mid x, y \in \bar{K},\ x \ne 0 \text{ or } y \ne 0\}/\!\sim$. Elements of the 1-dimensional projective plane are written in homogeneous notation (x : y), e.g. (1 : 5) = (2 : 10) = (−1/5 : −1).

Definition 5.2.2

Let E be an elliptic curve over a fixed field K of any characteristic.

1. Div(E) denotes the free abelian group generated by the points of $E(\bar{K})$.

2. A divisor D ∈ Div(E) is a formal sum $D = \sum_{P \in E} n_P (P)$, where $n_P \in \mathbb{Z}$, and only finitely many of the $n_P$ are nonzero (i.e. we have a finite sum).

3. The degree of a divisor $D = \sum_{P \in E} n_P (P)$ is defined as $\deg(D) := \sum_{P \in E} n_P$.

4. The support of a divisor $D = \sum_{P \in E} n_P (P)$ is the set $\operatorname{supp}(D) := \{P \in E \mid n_P \ne 0\}$.

5. $\operatorname{Div}^0(E) := \{D \in \operatorname{Div}(E) ; \deg(D) = 0\}$.

Example 5.2.3 Given the elliptic curve $E : y^2 = x^3 - x$ over $\bar{\mathbb{Q}}$. Let $A := (0, 0)$, $B := (2, \sqrt{10})$, $C := (i, 0) \in E(\bar{\mathbb{Q}})$.

Then we define

$D_1 := 5(A) - 3(B) - 2(C)$

$D_2 := 5(A) - 3(B) - (2C)$

Note that $D_1, D_2 \in \operatorname{Div}(E)$ are different. We have

$\deg D_1 = 5 - 3 - 2 = 0$, $\qquad \deg D_2 = 5 - 3 - 1 = 1$,

i.e. $D_1 \in \operatorname{Div}^0(E)$ and $D_2 \notin \operatorname{Div}^0(E)$. The support of $D_1$ is {A, B, C}, and the support of $D_2$ is {A, B, 2C}.

Definition 5.2.4 (divisors of rational functions) For a nonzero rational function $f\colon E(\bar{K}) \longrightarrow \mathbb{P}^1(\bar{K})$, we define the divisor of f as the formal sum $\operatorname{div}(f) := \sum_{P \in E(\bar{K})} \operatorname{ord}_f(P)\,(P)$, where $\operatorname{ord}_f(P)$ is the order of vanishing of f at P.

See [14], p. 22, Proposition 1.2 for references that $\sum_{P \in E(\bar{K})} \operatorname{ord}_f(P)\,(P)$ is indeed finite and for a rigorous definition of $\operatorname{ord}_f(P)$.

Example 5.2.5 Let $E : y^2 = x^3 + x$, and let $f(x, y) := \frac{x^3 + 3x^2 y}{y^3}$, $f\colon E(\bar{\mathbb{Q}}) \longrightarrow \bar{\mathbb{Q}} \cup \{\infty\}$, be a rational function. Write f as f = a/b, i.e. $a(x, y) = x^3 + 3x^2 y$ and $b(x, y) = y^3$. Then b(x, y) has zeros of order 3 at every point of $\bar{\mathbb{Q}}(1, 0) = \{\lambda \cdot (1, 0) ; \lambda \in \bar{\mathbb{Q}}\}$, and a(x, y) has double zeros at $\bar{\mathbb{Q}}(0, 1)$ and single zeros at $\bar{\mathbb{Q}}(-3, 1)$. These are the only zeros of a(x, y) and b(x, y). Though a(x, y) and b(x, y) have infinitely many zeros, they do not necessarily lie on the elliptic curve. Let $\alpha := \frac{1}{18}(1 + \sqrt{323}\,i)$. Among the zeros mentioned above, only (0, 0) (pole of order 2), (i, 0), (−i, 0) (poles of order 3), (0, 1), (0, −1) (double zeros), $(\alpha, -\alpha/3)$ and $(\bar{\alpha}, -\bar{\alpha}/3)$ (single zeros) lie on the elliptic curve.

Hence,

$$\operatorname{div}(f) = (\alpha, -\alpha/3) + (\bar{\alpha}, -\bar{\alpha}/3) + 2(0, 1) + 2(0, -1) - 2(0, 0) - 3(i, 0) - 3(-i, 0).$$

Definition 5.2.6 (principal divisors) $\operatorname{PDiv}^0(E) := \{D \in \operatorname{Div}(E) ; \ \exists\, f\colon E(\bar{K}) \longrightarrow \mathbb{P}^1(\bar{K}) \text{ rational, such that } \operatorname{div}(f) = D\}$

Theorem 5.2.7

1. Let $\rho\left(\sum_{P \in E(\bar{K})} n_P (P)\right) := \sum_{P \in E(\bar{K})} n_P P$. The latter sum indicates addition in $E(\bar{K})$. Then D is principal iff $\rho(D) = 0 \in E(\bar{K})$ and D has degree 0.

2. $\operatorname{PDiv}^0(E)$ is a subgroup of $\operatorname{Div}^0(E)$.

3. The map $\varphi\colon E(\bar{K}) \longrightarrow \operatorname{Div}^0(E)/\operatorname{PDiv}^0(E)$ with $P \longmapsto [(P) - (0)]$ is a group isomorphism, where [D] denotes the equivalence class of D modulo $\operatorname{PDiv}^0(E)$.

4. Let $f, g\colon E(\bar{K}) \longrightarrow \mathbb{P}^1(\bar{K})$ be rational. Then f, g have the same divisor iff $f = \lambda \cdot g$ for some constant $\lambda \in \bar{K}^*$. In particular: div(f) = 0 iff f is constant and nonzero.

Proof: 1. See [14] for a proof.

2. Let $D \in \mathrm{PDiv}^0(E)$ be principal. Note that we do not know yet that $\deg(D) = 0$. Let $f: E(\bar K) \to \mathbb{P}^1(\bar K)$ be rational with $\mathrm{div}(f) = D$. $\deg(D)$ is the number of zeros, counting multiplicity, minus the number of poles, counting multiplicity. These two numbers are the same, so we get $\deg(D) = 0$ (see [14], p. 32 to find references for a proof). Hence, $D \in \mathrm{Div}^0(E)$. Now, let $A, B \in \mathrm{PDiv}^0(E)$. It is enough to show that $A - B$ is principal to obtain that $\mathrm{PDiv}^0(E)$ is a subgroup. Let $f, g: E(\bar K) \to \bar K \cup \{\infty\}$ be rational with $\mathrm{div}(f) = A$ and $\mathrm{div}(g) = B$. Then $f/g$ has divisor $A - B$, hence $A - B$ is principal.

3. $\varphi$ is well-defined: $\psi(P) := (P) - (0)$ maps into $\mathrm{Div}^0(E)$, since $\deg((P) - (0)) = 1 - 1 = 0$. Therefore, the image of $\varphi$ lies in $\mathrm{Div}^0(E)/\mathrm{PDiv}^0(E)$.

$\varphi$ is a group homomorphism. Let $P, Q \in E$ be points on the elliptic curve. We want to show that $[\psi(P + Q)] = [\psi(P)] + [\psi(Q)]$. Since $[\psi(P)] + [\psi(Q)] = [\psi(P) + \psi(Q)]$, it suffices to show that

$$D := \psi(P + Q) - \psi(P) - \psi(Q) \text{ is principal.}$$

The divisor $D = (P + Q) - (0) - (P) + (0) - (Q) + (0) = (P + Q) - (P) - (Q) + (0)$ has degree 0 and $\rho(D) = 0$. According to 1, $D$ is principal. Thus, $\varphi$ is a group homomorphism.

$\varphi$ is surjective: Let $D = \sum n_P\,(P)$ be any divisor in $\mathrm{Div}^0(E)$, in particular $D$ has degree 0.

Claim: For $Q := \sum_{P \in E(\bar K)} n_P P$ we have $(Q) - (0) \sim D$, i.e. $\varphi(Q) = [D]$.

The divisor $(Q) - (0) - D = \big(\sum_{P \in E(\bar K)} n_P P\big) - (0) - \sum_{P \in E(\bar K)} n_P\,(P)$ is principal, since it has degree $1 - 1 - \sum_{P \in E(\bar K)} n_P = 0$, and $\rho((Q) - (0) - D) = 0 \in E(\bar K)$. This proves surjectivity.

$\varphi$ is injective: Let $\varphi(P) = [0]$, i.e. $(P) - (0)$ is principal. Due to part 1, $P - 0 = 0$, i.e. $P = 0$. Thus, $\varphi$ is injective.

4. $f/g$ has divisor 0, which means it has neither zeros nor poles. Hence, $f/g$ is an entire function and therefore constant. □

5.3 Definition and Properties of the Weil Pairing

Before we define the Weil pairing, we will state some of its important properties in the theorem below. We will prove this theorem in a later section at the end of this chapter, i.e. we will not assume any of the results of theorem 5.3.1. After giving the definition, we will prove that the Weil pairing is well-defined.

In this section, let $E$ be an elliptic curve over the field $K$, and fix $m \ge 2$ such that $\operatorname{char} K \nmid m$.

We define $E[m] := \{P \in E(\bar K) \mid mP = 0\}$, the set of $m$-torsion points of the elliptic curve $E$ over $K$.

Theorem 5.3.1

The Weil pairing $e_m: E[m] \times E[m] \to \mu_m(\bar K) \subseteq \bar K^*$, where $\mu_m(\bar K)$ is the set of the $m$-th roots of unity lying in $\bar K$, has the following properties:

1. bilinear, i.e. $e_m(S + U, T) = e_m(S, T) \cdot e_m(U, T)$ and $e_m(S, T_1 + T_2) = e_m(S, T_1) \cdot e_m(S, T_2)$.

2. alternating, i.e. $e_m(S, T) = e_m(T, S)^{-1}$.

3. non-degenerate, i.e. if $e_m(S, T) = 1$ for all $S \in E[m]$ then $T = 0$.

4. Galois invariant, i.e. $\sigma(e_m(S, T)) = e_m(\sigma(S), \sigma(T))$ for all $\sigma \in \mathrm{Gal}(\bar K/K)$ and $S, T \in E[m]$.⁴

5. compatible, i.e. if $S \in E[mm']$, $T \in E[m]$ then $e_{mm'}(S, T) = e_m([m']S, T)$.

Note that property 1 shows that our definition of a pairing is consistent with the name “Weil pairing”. Besides being non-degenerate (property 3), we wanted a pairing to be computable. We will show in section 5.4 that the Weil pairing is computable.

Definition 5.3.2 (Weil pairing)

We want to define $e_m: E[m] \times E[m] \to \bar K^*$. Let $S, T \in E[m]$. Choose $T' \in E(\bar K)$ such that $mT' = T$.

The divisor $D := \sum_{R \in E[m]} (T' + R) - (R)$ has degree 0, and

$$\rho(D) = \sum_{R \in E[m]} (T' + R - R) = m^2 T' = mT = 0,$$

where $\rho$ is defined in theorem 5.2.7.

⁴ We apply $\sigma$ to a point $S$ on our elliptic curve by applying $\sigma$ to its coordinates separately, i.e. $\sigma((a, b)) := (\sigma(a), \sigma(b))$.

Thus $D$ is principal, and therefore there is a rational $g: E(\bar K) \to \mathbb{P}^1(\bar K)$ with

$$\mathrm{div}(g) = \sum_{R \in E[m]} (T' + R) - (R).$$

Now, we can define the Weil pairing:

$$e_m: E[m] \times E[m] \to \mu_m, \qquad (S, T) \mapsto g(X + S)/g(X),$$

where $X \in E(\bar K)$ is arbitrary as long as $g(X)$ and $g(X + S)$ are finite and nonzero.

Note that such an $X$ exists, since $g$ has finitely many poles and zeros, but $E(\bar K)$ has infinitely many points. The following lemma shows that the Weil pairing is well-defined. Part 2 is useful when proving the properties of $e_m$.

Lemma 5.3.3

1. The Weil pairing $e_m$ does not depend on the particular choice of $g$ and $X$.

2. There is a rational $f: E(\bar K) \to \mathbb{P}^1(\bar K)$ with

$$f \circ [m] = g^m \quad \text{and} \quad \mathrm{div}(f) = m(T) - m(0),$$

where $[m](P) = mP$ (multiplication by $m$), and where $g$ is the map which appears in the construction of the Weil pairing (recall that $g$ depends on $T$).

3. Given a point $T \in E[m]$, the rational functions $f, g: E(\bar K) \to \mathbb{P}^1(\bar K)$ are uniquely determined up to a scalar by

$$\mathrm{div}(f) = m(T) - m(0) \quad \text{and} \quad f \circ [m] = g^m.$$

4. The Weil pairing $e_m$ maps into the $m$-th roots of unity.

Proof:

1. $e_m$ is independent of the choice of $g$. According to lemma 5.2.7, $g$ is determined by its divisor up to a scalar $\lambda \in \bar K^*$. This scalar cancels in $g(X + S)/g(X)$. So, $e_m$ is independent of the choice of $g$.

$e_m$ is independent of the choice of $X$. We recall that the divisor of $g$ is $\mathrm{div}(g) = \sum_{R \in E[m]} (T' + R) - (R)$. From

$P$ is a zero/pole of $g(X)$ iff $P - S$ is a zero/pole of $g(X + S)$,

we get

$$\mathrm{div}(g(X + S)) = \sum_{R \in E[m]} (T' + R - S) - (R - S) = \sum_{R \in E[m]} (T' + R) - (R),$$

using that the map $R \mapsto R - S$ is a bijection of $E[m]$ onto itself. Hence, $g(X)$ and $g(X + S)$ have the same divisor, so their quotient has divisor 0, and is therefore constant. In other words, the map $g(X)/g(X + S)$ is constant (varying $X$ and fixing $S$), so the Weil pairing does not depend on the particular choice of $X$.

2. With the map from lemma 5.2.7, we have $\varphi(T) = [(T) - (0)]$. We get

$$[m(T) - m(0)] = m \cdot [(T) - (0)] = m\varphi(T) = \varphi(mT) = \varphi(0) = [0].$$

Hence, $m(T) - m(0)$ is principal. Let $f: E(\bar K) \to \mathbb{P}^1(\bar K)$ be rational with $\mathrm{div}(f) = m(T) - m(0)$.

$X \in E(\bar K)$ is a zero or pole of $f \circ [m]$ iff $mX$ is a zero or pole of $f$. Since $T$ is the only zero and $0$ the only pole of $f$, $X$ is a zero (respectively pole) of $f \circ [m]$ iff $mX = T$ (respectively $mX = 0$). Therefore, we have

zeros of $f \circ [m]$: $\{\, T' + R \mid R \in E[m] \,\}$

poles of $f \circ [m]$: $E[m]$

These are the only zeros and poles of $f \circ [m]$. Since $[m]$ does not change the order of the zeros or poles, all zeros and poles of $f \circ [m]$ have order $m$, hence

$$\mathrm{div}(f \circ [m]) = \sum_{R \in E[m]} m(T' + R) - \sum_{R \in E[m]} m(R) = m \cdot \mathrm{div}(g) = \mathrm{div}(g^m).$$

According to lemma 5.2.7, $f \circ [m]$ and $g^m$ differ by a constant. Without loss of generality, we can assume that $f \circ [m] = g^m$ (multiplying $f$ by $\lambda$ does not change the divisor of $f$).

3. Let $f, g: E(\bar K) \to \bar K \cup \{\infty\}$ be the two rational functions appearing in part 2 and in the construction of the Weil pairing, respectively. Let furthermore $\bar f, \bar g: E(\bar K) \to \bar K \cup \{\infty\}$ be any two rational functions satisfying

$$\mathrm{div}(\bar f) = m(T) - m(0) \quad \text{and} \quad \bar f \circ [m] = \bar g^m.$$

Since $f$ and $\bar f$ have the same divisor, they differ by a constant $\lambda \in \bar K^*$: $\bar f = \lambda f$. We get $\bar g^m = \bar f \circ [m] = \lambda f \circ [m] = \lambda (f \circ [m]) = \lambda (g^m)$.

Because $\bar g^m$ and $g^m$ differ by a constant, they have the same divisor. Due to the relation $\mathrm{div}(h^n) = n \cdot \mathrm{div}(h)$, $g$ and $\bar g$ have the same divisor, so they differ by a constant.

4. Note that the image of $e_m$ lies in $\bar K^*$, since $g$ maps into $\mathbb{P}^1(\bar K) \cong \bar K \cup \{\infty\}$, and because $X$ is chosen such that $g(X)$ and $g(X + S)$ are finite and nonzero, i.e. their quotient lies in $\bar K^*$. For all $X \in E(\bar K)$, we have

$$g(X + S)^m = (f \circ [m])(X + S) = f(mX + mS) = f(mX) = (f \circ [m])(X) = g(X)^m.$$

Hence, $(g(X + S)/g(X))^m = 1$, and therefore $e_m(S, T) = g(X + S)/g(X)$ is an $m$-th root of unity. □

Convention:

1. Though we do not have absolute uniqueness of $f$ and $g$, we refer to any two rational functions $f, g: E(\bar K) \to \bar K \cup \{\infty\}$ satisfying the two conditions in part 3 as “the functions associated with the point $T \in E[m]$” or the “functions corresponding to the point $T \in E[m]$”.

2. If we only need the function $g$ (or $f$) in some context, we refer to it as “the function associated to $T \in E[m]$” or the “function corresponding to the point $T \in E[m]$”.

5.4 Computing the Weil Pairing

The goal of this section is to present an algorithm, taken from [2], which computes the Weil pairing based on a different, but equivalent definition. First, we will give an alternative definition of the Weil pairing and show that the two definitions coincide. Eventually, we will present the algorithm and discuss its running time.

An Alternative Definition

We will introduce some notation, state the second definition of the Weil pairing and show that this definition is well-defined.

Let p > 3 and let E be a supersingular elliptic curve defined over the field Fp. For simplicity, we do not consider elliptic curves over a more general finite field (of order pr). According to [2], the algorithm described later easily generalizes to any finite field.

Let $m$ be an integer with $\operatorname{char} \mathbb{F}_p = p \nmid m$. We want to define

$$e_m: E[m] \times E[m] \to \bar{\mathbb{F}}_p^*.$$

Let $P$ and $Q \in E[m]$ be arbitrary $m$-torsion points. Let $A_P$ and $A_Q$ be divisors with $A_P \sim (P) - (0)$ and $A_Q \sim (Q) - (0)$. Then $mA_P$ and $mA_Q$ are principal divisors, hence there exist rational functions $f_P, f_Q: E(\bar{\mathbb{F}}_p) \to \bar{\mathbb{F}}_p \cup \{\infty\}$ such that

$$\mathrm{div}(f_P) = mA_P \quad \text{and} \quad \mathrm{div}(f_Q) = mA_Q.$$

If $A = \sum_P a_P\,(P)$ is a divisor, then we define for a rational function $f$

$$f(A) := \prod_P f(P)^{a_P}.$$

Since this product should be nonzero and finite ($\ne \infty$), we require that $\mathrm{div}(f)$ and $A$ have disjoint support.

Definition 5.4.1 (Weil pairing, second definition)

Using the notation from above, we define $e_m: E[m] \times E[m] \to \bar K^*$,

$$e_m(P, Q) := \frac{f_P(A_Q)}{f_Q(A_P)} \quad \text{for } P, Q \in E[m].$$

We will show that the definition above depends neither on the particular choice of the functions $f$ and $g$ (lemma 5.4.2) nor on the particular choice of the divisors $A_P$ and $A_Q$ (lemma 5.4.3).

Lemma 5.4.2 If $f, g: E(\bar{\mathbb{F}}_q) \to \bar{\mathbb{F}}_q \cup \{\infty\}$ are two rational functions with the same divisor, and $A$ is a divisor of degree 0, and $q = p^r$ where $p$ is a prime number, then $f(A) = g(A)$.

Proof: Let $A := \sum_P n_P\,(P)$. Because $A$ has degree 0, we have $\sum_P n_P = 0$. Since $f$ and $g$ have the same divisor, they differ by a constant, say $f = \lambda g$, where $\lambda \in \mathbb{F}_q$.

$$f(A) = (\lambda g)(A) = \prod_P [(\lambda g)(P)]^{n_P} = \prod_P \lambda^{n_P} g(P)^{n_P} = \lambda^{\sum_P n_P} \prod_P g(P)^{n_P} = \lambda^{\sum_P n_P} g(A) = \lambda^0 g(A) = g(A). \qquad \square$$

The following lemma uses the so-called Weil reciprocity law, which will be stated and proved in the subsection “Equivalence of the Weil pairings”.

Lemma 5.4.3

Definition 5.4.1 is independent of the particular choice of the divisors $A_P$ and $A_Q$, as long as $A_P \sim (P) - (0)$ and $A_Q \sim (Q) - (0)$.

Proof: In order to prove the lemma, it is enough to prove that we get the same value for $e_m(P, Q)$ if we replace $A_P$ by $\hat A_P$, where $\hat A_P \sim (P) - (0)$. Then, we will use the same argument for $A_Q$. Let $A_P, \hat A_P \sim (P) - (0)$, and $\mathrm{div}(f_P) = mA_P$, $\mathrm{div}(\hat f_P) = m\hat A_P$. Thus, $A_P \sim \hat A_P$, i.e. $\hat A_P - A_P$ is principal. Let $g$ be a rational function with $\mathrm{div}(g) = \hat A_P - A_P$. Then $\mathrm{div}(g^m) = m \cdot \mathrm{div}(g) = m\hat A_P - mA_P = \mathrm{div}(\hat f_P) - \mathrm{div}(f_P) = \mathrm{div}(\hat f_P / f_P)$. So, we can assume that $g^m = \hat f_P / f_P$, i.e. $\hat f_P = f_P \cdot g^m$. Note that $\hat A_P = A_P + \mathrm{div}(g)$. We finally get

$$e_m(P, Q) = \frac{\hat f_P(A_Q)}{f_Q(\hat A_P)} = \frac{f_P(A_Q)\, g(A_Q)^m}{f_Q(A_P)\, f_Q(\mathrm{div}(g))} = \frac{f_P(A_Q)}{f_Q(A_P)} \cdot \frac{g(mA_Q)}{f_Q(\mathrm{div}(g))} = \frac{f_P(A_Q)}{f_Q(A_P)} \cdot \frac{g(\mathrm{div}(f_Q))}{f_Q(\mathrm{div}(g))} = \frac{f_P(A_Q)}{f_Q(A_P)}.$$

In the last step, we used the Weil reciprocity law (see corollary 5.4.5). □

Equivalence of the Weil pairings

Assuming the so-called Generalized Weil reciprocity law (see theorem 5.4.4), we will prove that the two definitions of the Weil pairing are equivalent. The Generalized Weil reciprocity law is not only useful to prove that the two definitions of the Weil pairing almost coincide, but also to prove the Weil reciprocity law. The following three results are taken from [3].

Theorem 5.4.4 (Generalized Weil reciprocity law) For $f, g: E(\bar K) \to \mathbb{P}^1(\bar K)$, we have

$$\prod_{P \in E(\bar K)} (f, g)_P = 1,$$

where

$$(f, g)_P := (-1)^{\mathrm{ord}_P(f) \cdot \mathrm{ord}_P(g)} \left( \frac{f^{\mathrm{ord}_P(g)}}{g^{\mathrm{ord}_P(f)}} \right)(P).$$

Proof: See [3], p. 26. □

Corollary 5.4.5 (Weil reciprocity law) Let $f, g: E(\bar K) \to \mathbb{P}^1(\bar K)$ have divisors with disjoint support, i.e. they have zeros and poles at different points of $E$. Then

$$f(\mathrm{div}\, g) = g(\mathrm{div}\, f).$$

Proof: If a point $P$ does not appear in the support of $f$ and $g$, then $\mathrm{ord}_P(f) = \mathrm{ord}_P(g) = 0$, and hence $(f, g)_P = 1$. We set $F := \mathrm{supp}(\mathrm{div}\, f)$ and $G := \mathrm{supp}(\mathrm{div}\, g)$. From the theorem above, we have

$$1 = \prod_{P \in E(\bar K)} (f, g)_P = \prod_{P \in F} (f, g)_P \cdot \prod_{P \in G} (f, g)_P = \prod_{P \in F} (-1)^0\, g^{-\mathrm{ord}_P(f)}(P) \cdot \prod_{P \in G} (-1)^0\, f^{\mathrm{ord}_P(g)}(P) = g(\mathrm{div}\, f)^{-1} \cdot f(\mathrm{div}\, g).$$

Hence, we get $f(\mathrm{div}\, g) = g(\mathrm{div}\, f)$. □

The following theorem shows the relation between the two definitions of the Weil pairing more precisely:

Theorem 5.4.6 Let $e_m, \hat e_m: E[m] \times E[m] \to \bar K^*$, where $e_m$ is the Weil pairing from definition 5.3.2, and $\hat e_m$ is the Weil pairing from definition 5.4.1. Then we have

$$e_m(P, Q) = \hat e_m(P, Q) \quad \text{for all } P, Q \in E[m].$$

The proof of this theorem is an exercise in [14] on page 108.

The Actual Computing Algorithm

The algorithm (taken from the appendix of [2]) uses the repeated doubling method as well as an auxiliary algorithm. We will go through some definitions, explain the repeated doubling method and state the algorithm to compute the Weil pairing. Finally, we will discuss the auxiliary algorithm, and at the end, we will discuss the running time to compute the Weil pairing.

Preparation. Given two points $P, Q \in E[m]$, let us assume that $P \ne Q$ (else $e_m(P, P) = 1$, as one sees easily from either definition). We want to calculate $e_m(P, Q)$.

Pick two arbitrary points $R_1, R_2 \in E[m]$ and define

$$A_P := (P + R_1) - (R_1) \sim (P) - (0), \qquad A_Q := (Q + R_2) - (R_2) \sim (Q) - (0).$$

The probability that $e_m(P, Q) = \dfrac{f_P(A_Q)}{f_Q(A_P)}$ is not defined or 0 (out of all choices of $R_1$ and $R_2$) is at most $O\big(\frac{\log p}{p}\big)$. If this happens, we have to choose $R_1$ and $R_2$ again, until we find a pair of points $R_1$ and $R_2$ such that $e_m(P, Q)$ is defined and nonzero.

It is enough to show how to evaluate fP at AQ. Then fQ(AP ) can be computed analogously.

For nonnegative $b \in \mathbb{Z}$, we define $A_b := b(P + R_1) - b(R_1) - (bP) + (0)$, which is principal. Thus, there is a rational function $f_b$ such that $\mathrm{div}(f_b) = A_b$. Here, any $f_b$ is allowed which has the given divisor, i.e. $f_b$ is determined up to a constant factor.

This will be useful to remember when we compute $f_1$ later.

$$\mathrm{div}(f_m) = A_m = m(P + R_1) - m(R_1) - \underbrace{(mP)}_{= (0)} + (0) = m(P + R_1) - m(R_1) = mA_P = \mathrm{div}(f_P).$$

Thus, $f_m(A_Q) = f_P(A_Q)$ (due to lemma 5.4.2). So, it is enough to compute $f_m(A_Q)$.

We will present an algorithm (taken from [2]) which computes $f_m(A_Q)$ using the repeated doubling method. This algorithm uses an auxiliary algorithm, which computes $f_{b+c}(A_Q)$ based on $f_b(A_Q), f_c(A_Q), bP, cP, (b + c)P$ in a small constant number of arithmetic operations.

The repeated doubling method. The algorithm below is used to compute both $f_P(A_Q)$ and $f_Q(A_P)$. Taking the quotient of these gives us the Weil pairing $e_m(P, Q)$.

Starting with $f_1(A_Q)$ (we will explain later how to compute $f_1(A_Q)$), the algorithm computes $f_i(A_Q)$, where $i$ strictly increases and is at least doubled in each step using the auxiliary algorithm, until we reach $f_m(A_Q) = f_P(A_Q)$. Denote the output of the auxiliary algorithm by

$$D(f_b(A_Q), f_c(A_Q), bP, cP, (b + c)P) = f_{b+c}(A_Q).$$

Algorithm 5.4.7 Computing the Weil pairing

Input: elliptic curve $E$, field $\mathbb{F}_p$, $m$-torsion points $P, Q$

Output: $f_P(A_Q)$

    // Initialize
    Z ← 0, k ← 0, V ← 1                      // V ← 1, since f_0(A_Q) = 1
    for i = n, n−1, ..., 1, 0 do
        if b_i = 1 then                      // compute f_{k+1} based on f_k and f_1
            V ← f_1(A_Q)                        if k = 0
            V ← D(V, f_1(A_Q), Z, P, Z + P)     if k > 0
            Z ← Z + P, k ← k + 1
        if i > 0 then                        // compute f_{2k} based on f_k
            V ← D(V, V, Z, Z, 2Z)
            Z ← 2Z, k ← 2k
    end for

Let $m = b_n b_{n-1} \ldots b_1 b_0$ be the binary representation of $m$, i.e. $m = \sum_{i=0}^{n} b_i 2^i$. The algorithm starts with the highest bit and works through the binary representation of $m$ to the lowest bit. At the end of each iteration, we have

$$k = \sum_{j=i}^{n} b_j 2^{j-i}, \qquad Z = kP, \qquad V = f_k(A_Q),$$

i.e. the binary representation of $k$ is $k = b_n b_{n-1} \ldots b_i$.

How can we compute $f_1(A_Q)$? The divisor of $f_1$ is $(P + R_1) - (R_1) - (P) + (0)$.

1. Let $a_1 x + b_1 y + c_1 = 0$ be the line passing through the points $P$ and $R_1$. Define $g_1(x, y) := a_1 x + b_1 y + c_1$. Then, $\mathrm{div}(g_1) = (P) + (R_1) + (-(P + R_1)) - 3(0)$.

2. Let $x + c_2 = 0$ be the vertical line passing through the point $P + R_1$. Define $g_2(x, y) := x + c_2$. Then, $\mathrm{div}(g_2) = (P + R_1) + (-(P + R_1)) - 2(0)$.

3. The quotient $g_2/g_1$ has the same divisor as $f_1$. Hence, we can choose $f_1$ such that $f_1(x, y) = g_2(x, y)/g_1(x, y)$. In the definition of $f_i$, we allowed any rational function with the respective divisor.

Algorithm 5.4.8 Auxiliary Algorithm (to Compute the Weil pairing)

Input: $f_b(A_Q), f_c(A_Q), bP, cP, (b + c)P$, where $b, c > 0$

Output: $f_{b+c}(A_Q)$

1. Let $a_1 x + b_1 y + c_1 = 0$ be the line passing through the points $bP$ and $cP$ (if $b \ne c$) or the line tangent to $E$ at the point $bP$ (if $b = c$). Define $g_1(x, y) := a_1 x + b_1 y + c_1$.

2. Let $x + c_2 = 0$ be the vertical line passing through the point $(b + c)P$. Define $g_2(x, y) := x + c_2$.

The divisors of these functions are:

$$\mathrm{div}(g_1) = (bP) + (cP) + (-(b + c)P) - 3(0)$$

$$\mathrm{div}(g_2) = ((b + c)P) + (-(b + c)P) - 2(0)$$

By definition we have that:

$$A_b = b(P + R_1) - b(R_1) - (bP) + (0)$$

$$A_c = c(P + R_1) - c(R_1) - (cP) + (0)$$

$$A_{b+c} = (b + c)(P + R_1) - (b + c)(R_1) - ((b + c)P) + (0)$$

It now follows that $A_{b+c} - A_b - A_c = (bP) + (cP) - ((b + c)P) - (0) = \mathrm{div}(g_1) - \mathrm{div}(g_2)$. Hence:

$$f_{b+c}(A_Q) = f_b(A_Q) \cdot f_c(A_Q) \cdot \frac{g_1(A_Q)}{g_2(A_Q)}.$$

Running time. Given $f_b(A_Q), f_c(A_Q)$ and $bP, cP, (b + c)P$, the auxiliary algorithm computes $g_1(A_Q), g_2(A_Q)$, and therefore $f_{b+c}(A_Q)$, in a finite number of arithmetic operations. The for-loop in algorithm 5.4.7 has $O(\log m)$ cycles. The for-loop contains a constant number of operations in $\mathbb{F}_p$, i.e. one loop-cycle has a running time of $O(\log^3 p)$. Hence, the running time of the algorithm to compute the Weil pairing is $O(\log m \cdot \log^3 p)$.

5.5 Proving Properties of the Weil Pairing

The goal of this section is to prove theorem 5.3.1 on page 44. Furthermore, we will show that the Weil pairing $E[m] \times E[m] \to \mu_m(\bar K)$ is surjective.

Theorem 5.5.1

The Weil pairing $e_m: E[m] \times E[m] \to \mu_m(\bar K) \subseteq \bar K^*$, where $\mu_m(\bar K)$ is the set of the $m$-th roots of unity lying in $\bar K$, has the following properties:

1. bilinear, i.e. $e_m(S + U, T) = e_m(S, T) \cdot e_m(U, T)$ and $e_m(S, T_1 + T_2) = e_m(S, T_1) \cdot e_m(S, T_2)$.

2. alternating, i.e. $e_m(S, T) = e_m(T, S)^{-1}$.

3. non-degenerate, i.e. if $e_m(S, T) = 1$ for all $S \in E[m]$ then $T = 0$.

4. Galois invariant, i.e. $\sigma(e_m(S, T)) = e_m(\sigma(S), \sigma(T))$ for all $\sigma \in \mathrm{Gal}(\bar K/K)$ and $S, T \in E[m]$.⁵

5. compatible, i.e. if $S \in E[mm']$, $T \in E[m]$ then $e_{mm'}(S, T) = e_m([m']S, T)$.

Proof:

1. Bilinear. $e_m$ is bilinear in the first argument.

$$e_m(S + U, T) = \frac{g(X + S + U)}{g(X)} = \frac{g(X + S + U)}{g(X + S)} \cdot \frac{g(X + S)}{g(X)} = e_m(U, T) \cdot e_m(S, T).$$

Note that we have to choose $X$ such that $g(X), g(X + S), g(X + S + U)$ are all finite and nonzero. This is possible, since $E(\bar K)$ contains infinitely many elements. For all $Y \in E(\bar K)$ for which $g(Y + U)$ and $g(Y)$ are finite and nonzero, we have

$$e_m(U, T) = g(Y + U)/g(Y).$$

Above, we chose $Y = X + S$.

$e_m$ is bilinear in the second argument. Let $f_1, g_1$ be the functions corresponding to $T_1$, and $f_2, g_2$ to $T_2$, and $f_3, g_3$ to $T_3 := T_1 + T_2$, in other words:

$$\mathrm{div}(f_i) = m(T_i) - m(0) \quad \text{and} \quad f_i \circ [m] = g_i^m \quad \text{for all } i = 1, 2, 3.$$

Due to $\varphi(T_1 + T_2 - T_1 - T_2 + 0) = \varphi(0) = [(0) - (0)] = [0]$, there is a rational function $h: E(\bar K) \to \bar K \cup \{\infty\}$ with

$$\mathrm{div}(h) = (T_1 + T_2) - (T_1) - (T_2) + (0).$$

⁵ We apply $\sigma$ to a point $S$ on our elliptic curve by applying $\sigma$ to its coordinates separately, i.e. $\sigma((a, b)) := (\sigma(a), \sigma(b))$.

Then $\mathrm{div}\big(\frac{f_3}{f_1 f_2}\big) = m(T_1 + T_2) - m(0) - m(T_1) + m(0) - m(T_2) + m(0) = m \cdot \mathrm{div}(h) = \mathrm{div}(h^m)$. Hence, there is a constant $c \in \bar K^*$ with $f_3 = c f_1 f_2 h^m$. It follows that

$$g_3^m = f_3 \circ [m] = c \cdot (f_1 \circ [m])(f_2 \circ [m])(h^m \circ [m]) = c \cdot g_1^m g_2^m (h \circ [m])^m = c \cdot \big(g_1 g_2 (h \circ [m])\big)^m.$$

Let $c' \in \bar K$ be an $m$-th root of $c$. Then we have $g_3^m = \big(c' \cdot g_1 g_2 (h \circ [m])\big)^m =: \tilde h^m$. Since $m\,\mathrm{div}(g_3) = \mathrm{div}(g_3^m) = \mathrm{div}(\tilde h^m) = m\,\mathrm{div}(\tilde h)$, the functions $g_3$ and $\tilde h$ have the same divisor, i.e. $g_3 = \lambda \cdot \tilde h$ for some $\lambda \in \bar K^*$. It follows that

$$g_3 = \lambda c' \cdot g_1 g_2 (h \circ [m]).$$

Finally, we get

$$e_m(S, T_1 + T_2) = \frac{g_3(X + S)}{g_3(X)} = \frac{g_1(X + S)}{g_1(X)} \cdot \frac{g_2(X + S)}{g_2(X)} \cdot \frac{h([m]X + [m]S)}{h([m]X)} = e_m(S, T_1) \cdot e_m(S, T_2).$$

2. Alternating. From 1, we know $e_m(S + T, S + T) = e_m(S, S) \cdot e_m(S, T) \cdot e_m(T, S) \cdot e_m(T, T)$ for all $S, T \in E[m]$. So, it is enough to show that

$$e_m(T, T) = 1 \quad \text{for all } T \in E[m].$$

From that, it would follow: $e_m(S, T) \cdot e_m(T, S) = 1$ for all $S, T \in E[m]$.

So, let $T \in E[m]$. Let $f: E(\bar K) \to \bar K^* \cup \{\infty\}$ be rational with $\mathrm{div}(f) = m(T) - m(0)$, and $\tau_P: E(\bar K) \to E(\bar K)$, $\tau_P(X) := X + P$ (translation by $P$).

For all $j = 0, \ldots, m - 1$, $f$ has a zero/pole at $X$ iff $f \circ \tau_{jT}$ has a zero/pole at $X - jT$. Since a translation preserves the order of a zero/pole, we get that

$$\mathrm{div}(f \circ \tau_{jT}) = m(T - jT) - m(-jT).$$

It follows that

$$\mathrm{div}\Big(\prod_{j=0}^{m-1} f \circ \tau_{jT}\Big) = \sum_{j=0}^{m-1} \big( m((1 - j)T) - m(-jT) \big) = m(T) - m((-m + 1)T) = m(T) - m(T) = 0,$$

hence the product on the left hand side is a constant function. Choose $T' \in E(\bar K)$ with $mT' = T$, and define $\phi := \prod_{j=0}^{m-1} g \circ \tau_{jT'}$, where $g: E(\bar K) \to \bar K \cup \{\infty\}$ is rational with $g^m = f \circ [m]$. Since

$$([m] \circ \tau_{jT'})(X) = [m](X + jT') = mX + jT = \tau_{jT}(mX) = (\tau_{jT} \circ [m])(X),$$

we see that

$$\phi^m = \prod_{j=0}^{m-1} (g \circ \tau_{jT'})^m = \prod_{j=0}^{m-1} (f \circ [m] \circ \tau_{jT'}) = \prod_{j=0}^{m-1} (f \circ \tau_{jT} \circ [m]) = \Big( \prod_{j=0}^{m-1} f \circ \tau_{jT} \Big) \circ [m]$$

is constant, hence (according to lemma 5.2.7) $\phi^m$ has divisor 0. From $m\,\mathrm{div}(\phi) = \mathrm{div}(\phi^m) = 0$, we obtain that $\phi$ has divisor 0, and therefore $\phi$ is constant as well.

Evaluating $\phi$ at $X$ and at $X + T'$ yields (choosing $X$ such that all of the factors below are nonzero):

$$\prod_{j=0}^{m-1} g(X + jT') = \phi(X) = \phi(X + T') = \prod_{j=0}^{m-1} g(X + T' + jT') = \prod_{j=1}^{m} g(X + jT').$$

The telescoping effect results in $g(X) = g(X + 0T') = g(X + mT') = g(X + T)$.

Finally, we get $e_m(T, T) = g(X + T)/g(X) = 1$, which is what we wanted to prove.

3. Non-degenerate. Let $T \in E[m]$ and $e_m(S, T) = 1$ for all $S \in E[m]$. We get

$$1 = e_m(S, T) = g(X + S)/g(X) \implies g(X) = g(X + S) \quad \text{for all } S \in E[m].$$

From lemma 4.10b (see [14], p. 76), we see that $g = h \circ [m]$ for some rational $h: E(\bar K) \to \bar K \cup \{\infty\}$. Since

$$f \circ [m] = g^m = (h \circ [m])^m = h^m \circ [m],$$

we get $f = h^m$. Considering divisors, we get $m\,\mathrm{div}(h) = \mathrm{div}(f) = m(T) - m(0)$, which leads to $\mathrm{div}(h) = (T) - (0)$. Due to lemma 5.2.7, part 1, we get $T = 0$.

4. Galois invariant. Now, let $\sigma \in \mathrm{Gal}(\bar K/K)$ and let $S, T \in E[m]$. Let $f, g: E(\bar K) \to \bar K \cup \{\infty\}$ correspond to $T \in E[m]$.

Recall that $f$ (and $g$) can be written locally as $f(P) = a(P)/b(P)$, where $a, b$ are polynomials in $X$ and $Y$ with coefficients in $\bar K$, and where $X$ and $Y$ are substituted by the coordinates of $P$. $\sigma(f)$ means that we apply $\sigma$ to the coefficients of $f$ to obtain a new rational function $\sigma(f): E(\bar K) \to \bar K \cup \{\infty\}$.

Since $\sigma$ is an automorphism, we get $\sigma(f(P)) = \sigma(f)(\sigma(P))$. Therefore, $P$ is a zero/pole of $f$ iff $\sigma(P)$ is a zero/pole of $\sigma(f)$ (of the same order). We can deduce the divisor of $\sigma(f)$:

$$\mathrm{div}(\sigma(f)) = m(\sigma(T)) - m(\sigma(0)) = m(\sigma(T)) - m(0).$$

Hence, $\sigma(f)$ corresponds to $\sigma(T)$.

The function $[m]$ can be written as $[m](P) = (c(P), d(P))$, where $c, d: E(\bar K) \to \bar K \cup \{\infty\}$ are rational functions with coefficients in $K$ ($c$ represents the $x$-coordinate of $mP$, and $d$ its $y$-coordinate). Therefore, and because $\sigma$ fixes $K$, we have

$$\sigma(f) \circ [m] = \sigma(f \circ [m]) = \sigma(g^m) = \sigma(g)^m.$$

Hence, $\sigma(g)$ corresponds to $\sigma(T)$. It follows that

$$\sigma(e_m(S, T)) = \sigma\Big(\frac{g(X + S)}{g(X)}\Big) = \frac{\sigma(g)(\sigma(X) + \sigma(S))}{\sigma(g)(\sigma(X))} = e_m(\sigma(S), \sigma(T)),$$

showing Galois invariance.

5. Compatible. Let $S \in E[mm']$, $T \in E[m]$. Let $f, g$ correspond to $T \in E[m]$, i.e.

$$f, g: E(\bar K) \to \bar K \cup \{\infty\}, \qquad \mathrm{div}(f) = m(T) - m(0), \quad \text{and} \quad f \circ [m] = g^m.$$

Then $f^{m'}$ corresponds to $T \in E[mm']$, since $\mathrm{div}(f^{m'}) = m' \cdot \mathrm{div}(f) = m'm(T) - m'm(0)$. Now, let us find the other function corresponding to $T \in E[mm']$:

$$f^{m'} \circ [mm'] = (f \circ [m] \circ [m'])^{m'} = (g^m \circ [m'])^{m'} = (g \circ [m'])^{mm'}.$$

We can deduce that $f^{m'}$ and $g \circ [m']$ correspond to $T \in E[mm']$. Now, we get

$$e_{mm'}(S, T) = \frac{(g \circ [m'])(X + S)}{(g \circ [m'])(X)} = \frac{g(m'X + m'S)}{g(m'X)} = \frac{g(Y + m'S)}{g(Y)} = e_m(m'S, T)$$

with $Y := m'X$, which shows the compatibility of the Weil pairing. □

Lemma 5.5.2

Let $E$ be an elliptic curve over the field $K$, and let $m \ge 2$ with $\operatorname{char} K \nmid m$.

1. There is a point $P \in E[m]$ of order $m$.

2. For all $P \in E[m]$ with $\operatorname{ord} P = m$ the map

$$e_m(P, \cdot): E[m] \to \mu_m, \qquad S \mapsto e_m(P, S)$$

is surjective.

3. The Weil pairing $e_m: E[m] \times E[m] \to \mu_m$ is surjective.

Proof: 1. This follows from the fact that $E[m] \cong (\mathbb{Z}/m\mathbb{Z}) \times (\mathbb{Z}/m\mathbb{Z})$, and therefore $E[m]$ always contains a point $P$ of order $m$ (see [14], p. 89, Corollary 6.4).⁶

2. Let $P$ be an $m$-torsion point of order $m$. Then the image of $e_m(P, \cdot)$ is a subgroup of $\mu_m$, say $\mu_d$. For all $S \in E[m]$, we have

$$1 = e_m(P, S)^d = e_m(dP, S).$$

Due to the non-degeneracy of $e_m$, it follows that $dP = 0$. Since the order of $P$ is $m$, we have that $d = m$. Hence, $e_m(P, \cdot)$ is surjective.

3. This follows directly from parts 1 and 2. □

Connection with the MOV attack. We remind the reader of the DLP for elliptic curves and the MOV attack. We are given an elliptic curve $E$ over the field $\mathbb{F}_q$ and two points $P, Q \in E(\mathbb{F}_q)$ such that $Q \in \langle P \rangle$. To find the discrete logarithm of $Q$ to the base $P$, we use the Weil pairing $e_m: E[m] \times E[m] \to \mu_m$ where $m := \operatorname{ord} P$.

We choose an auxiliary point $S \in E[m]$. We want the order of $\zeta_1 := e_m(P, S)$ to be the same as the order of $P$, which is $m$, i.e. $\zeta_1 \in \mu_m$ should be a primitive $m$-th root of unity. The lemma above, part 2, shows that for a given $P \in E(\mathbb{F}_q)$ there is an $S \in E[m]$ such that $e_m(P, S)$ is an $m$-th root of unity.
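Algorithms 5.4.7 and 5.4.8 together with the transfer of the discrete logarithm just recalled, in working form, as an added example that is not code from the thesis or from [2]: it computes $e_m(P, Q) = f_P(A_Q)/f_Q(A_P)$ on the supersingular curve $y^2 = x^3 + x$ over $\mathbb{F}_{p^2}$ with $p = 19$, $m = 5$, re-picks $R_1, R_2$ whenever an evaluation is undefined or zero, and then recovers $k$ from $Q = kP$ as a discrete logarithm in $\mu_m \subset \mathbb{F}_{p^2}^*$. The field $\mathbb{F}_{p^2} = \mathbb{F}_p[i]$, the distortion map $(x, y) \mapsto (-x, iy)$ used to obtain $S \in E[m]$ outside $\langle P \rangle$, and the rule $g_2 := 1$ in the loop step where $(b + c)P = 0$ are assumptions of this example, not statements of the thesis.

```python
# Added example (not the thesis's code): Algorithms 5.4.7/5.4.8 on the supersingular
# curve y^2 = x^3 + x over F_{p^2} = F_p[i], i^2 = -1, p ≡ 3 (mod 4). Assumed here: the
# distortion map (x, y) -> (-x, i*y) giving a point of E[m] outside <P>, and g2 := 1 when (b+c)P = 0.
from itertools import product

p, m = 19, 5                  # #E(F_p) = p + 1 = 20, so E(F_p) has points of order m = 5

class Fp2:
    """a + b*i in F_{p^2}, i^2 = -1 (a field because p ≡ 3 mod 4)."""
    def __init__(s, a, b=0): s.a, s.b = a % p, b % p
    def __add__(s, o): return Fp2(s.a + o.a, s.b + o.b)
    def __sub__(s, o): return Fp2(s.a - o.a, s.b - o.b)
    def __mul__(s, o): return Fp2(s.a*o.a - s.b*o.b, s.a*o.b + s.b*o.a)
    def __eq__(s, o): return (s.a, s.b) == (o.a, o.b)
    def __truediv__(s, o):    # 1/(a+bi) = (a-bi)/(a^2+b^2); the norm a^2+b^2 lies in F_p
        n = pow(o.a*o.a + o.b*o.b, p - 2, p)
        return s * Fp2(o.a*n, -o.b*n)
    def __pow__(s, e):
        r = ONE
        for bit in bin(e)[2:]: r = r*r*s if bit == '1' else r*r
        return r
ZERO, ONE = Fp2(0), Fp2(1)

def slope(A, B):              # slope of the line through A and B (tangent at A if A == B)
    if A == B: return (Fp2(3)*A[0]*A[0] + ONE) / (Fp2(2)*A[1])
    return (B[1] - A[1]) / (B[0] - A[0])

def add(A, B):
    """Chord-and-tangent addition on y^2 = x^3 + x; None is the point 0."""
    if A is None or B is None: return A or B
    if A[0] == B[0] and A[1] + B[1] == ZERO: return None       # B = -A
    lam = slope(A, B)
    x3 = lam*lam - A[0] - B[0]
    return (x3, lam*(A[0] - x3) - A[1])

def mul(k, A):
    R = None
    for bit in bin(k)[2:]: R = add(add(R, R), A if bit == '1' else None)
    return R

class Degenerate(Exception):
    """An evaluation hit a zero or a pole: the caller re-picks R1, R2."""
def g1_over_g2(A, B, X):
    """(g1/g2)(X) of Algorithm 5.4.8: g1 = line through A, B (tangent if A == B), g2 = vertical line through A + B."""
    if X is None: raise Degenerate                  # both lines have a pole at 0
    C = add(A, B)
    if C is None: val = X[0] - A[0]                 # A + B = 0: g1 is vertical, g2 := 1
    else:
        if X[0] == C[0]: raise Degenerate           # g2(X) = 0
        val = (X[1] - A[1] - slope(A, B)*(X[0] - A[0])) / (X[0] - C[0])
    if val == ZERO: raise Degenerate                # g1(X) = 0
    return val

def at_divisor(A, B, D):      # (g1/g2)(D) for the degree-0 divisor D = (D[0]) - (D[1])
    return g1_over_g2(A, B, D[0]) / g1_over_g2(A, B, D[1])

def miller(P, R1, D):
    """Algorithm 5.4.7: f_m(D) = f_P(D); f_1 = g2/g1 for the lines through P, R1 and f_{b+c} = f_b f_c g1/g2."""
    f1 = ONE / at_divisor(P, R1, D)
    V, Z, k = ONE, None, 0                          # V = f_k(D), Z = kP
    bits = bin(m)[2:]
    for i, bit in enumerate(bits):                  # highest bit of m first
        if bit == '1':                              # f_{k+1} from f_k and f_1
            V = f1 if k == 0 else V * f1 * at_divisor(Z, P, D)
            Z, k = add(Z, P), k + 1
        if i < len(bits) - 1:                       # f_{2k} from f_k (skipped for the last bit)
            V = V * V * at_divisor(Z, Z, D)
            Z, k = add(Z, Z), 2*k
    return V                                        # here k = m and Z = mP = 0

def weil_pairing(P, Q, aux):
    """Definition 5.4.1: e_m(P,Q) = f_P(A_Q)/f_Q(A_P) with A_P = (P+R1)-(R1), A_Q = (Q+R2)-(R2)."""
    for R1, R2 in product(aux, repeat=2):           # retry until every value is defined and nonzero
        try:
            AP, AQ = (add(P, R1), R1), (add(Q, R2), R2)
            return miller(P, R1, AQ) / miller(Q, R2, AP)
        except Degenerate:
            continue
    raise ValueError("no admissible auxiliary points")

P = (Fp2(5), Fp2(4))                  # a point of order 5 on E(F_19), checked by hand
S = (ZERO - P[0], Fp2(0, 1)*P[1])     # distortion map: S = (-x, i*y) lies in E[5] but not in <P>
AUX = [add(mul(a, P), mul(b, S)) for a in range(m) for b in range(m) if a or b]  # E[m] \ {0}

def mov_log(Q):
    """MOV transfer: Q = kP gives e_m(Q,S) = e_m(P,S)^k; k is found by trying all m exponents."""
    z1, z2 = weil_pairing(P, S, AUX), weil_pairing(Q, S, AUX)
    return next(k for k in range(m) if z1**k == z2)

e = weil_pairing(P, S, AUX)
print("e_5(P,S) =", (e.a, e.b), "| e^5 == 1:", e**m == ONE, "| k for Q = 3P:", mov_log(mul(3, P)))
```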

⁶ Here, we need that $\operatorname{char} K \nmid m$.

Bibliography

[1] L. M. Adleman and J. DeMarrais, A Subexponential Algorithm for Discrete Logarithms over all Finite Fields, Advances in Cryptology—CRYPTO ’93 (Santa Barbara, CA, 1993), Lecture Notes in Comp. Sci., vol. 773, pp. 147–158, Springer-Verlag, Berlin 1994

[2] D. Boneh and M. Franklin, “Identity-Based Encryption from the Weil Pairing”, 16 Oct. 2003, <http://crypto.stanford.edu/~dabo/papers/ibe.pdf>

[3] L. S. Charlap and R. Coley, “An Elementary Introduction to Elliptic Curves II—Center for Communications Research Expository Report 34”, 16 Oct. 2003, <http://www.idaccr.org/reports/er34.ps>

[4] H. Cohen, A Course in Computational Algebraic Number Theory, Springer-Verlag, 1996

[5] S. Galbraith, “Elliptic Curve Cryptography according to Steven Galbraith”, 16 Oct. 2003, <http://www.isg.rhul.ac.uk/~sdg/gs.ps>

[6] N. Koblitz, A Course in Number Theory and Cryptography, Second Edition, Springer-Verlag, 1995

[7] N. Koblitz (ed.), Towards a quarter-century of public key cryptography, Des. Codes Cryptogr., vol. 19, no. 2–3, pp. 129–145, 2000

[8] R. Kumanduri and C. Romero, Number Theory with Computer Applications, Prentice Hall, 1997

[9] A. J. Menezes, T. Okamoto and S. A. Vanstone, Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field, IEEE Trans. Inform. Theory, vol. 39, no. 5, pp. 1639–1646, 1993

[10] J. M. Pollard, Monte Carlo Methods for Index Computation (mod p), Math. Comp., vol. 32, number 143, pp.918–924, 1978

[11] R. Schoof, Elliptic Curves over Finite Fields and the Computation of Square Roots Mod p, Math. Comp., vol. 44, pp. 483–494, 1985.

[12] I. R. Shafarevich, Basic Algebraic Geometry I—Varieties in Projective Space, Second Edition, Springer-Verlag, 1988

[13] J. H. Silverman and J. Tate, Rational Points on Elliptic Curves, Springer-Verlag, 1992

[14] J. H. Silverman, The Arithmetic of Elliptic Curves, Springer-Verlag, 1986

[15] D. R. Stinson, Cryptography—Theory and Practice, CRC Press, Inc., 1995

[16] L. C. Washington, Elliptic Curves—Number Theory and Cryptography, Chapman & Hall/CRC, 2003