DOCSLIB.ORG

Pairing-Based Cryptography by Martijn Maas

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Pairing-Based Cryptography by Martijn Maas TECHNISCHE UNIVERSITEIT EINDHOVEN Department of Mathematics and Computing Science MASTER’S THESIS Pairing-Based Cryptography by Martijn Maas Eindhoven, January 2004 Supervisor: Prof. dr. ir. H.C.A. van Tilborg Advisors: Dr. B.M.M. de Weger Drs. G. Schmitz Dr. ir. P.A.H. Bours Acknowledgements I would like to take this opportunity to express my gratitude to some people who were involved in this project. First of all, I owe thanks to Henk van Tilborg for being my overall supervisor and arranging current and previous projects. I would like to thank Benne de Weger, who was closely involved in the writing of this report, for the fruitful discussions and useful advises. Thanks is due to Hans Cuijpers for being on my committee. Patrick Bours and Gido Schmitz deserve thanks for supervising the project and editing this report. Special thanks goes out to Gido, who put a great deal of effort in teaching me all about elliptic curves and making this project into a valuable and enjoyable experience. On a more personal note, I would like to mention some people who mean a lot to me. First of all Vincent, who provided me with a bed to sleep in and, more importantly, a place to call home in The Hague. Thanks goes out to Ard Jan and Maarten who were always there for me – especially whenever I needed a drink after a train ride across country. Last but by no means least, I would like to thank Ciska and Hans for their unconditional support. Contents Acknowledgements 3 1 Introduction 7 1.1 Project Background . 7 1.2 Project Description . 8 1.3 Report Outline . 8 2 Preliminaries 11 2.1 Elliptic Curves . 11 2.2 Functions on an Elliptic Curve . 13 2.3 Multiplicity of Zeros and Poles . 14 2.4 Divisor Theory . 14 2.5 Computing the Function of a Principal Divisor . 16 2.5.1 Example . 17 3 Weil Pairing 19 3.1 Definition . 19 3.2 Properties . 21 3.3 Alternative Definition . 23 3.4 Miller’s Algorithm for the Weil Pairing . 26 3.4.1 Example . 27 3.4.2 Implementation in Mathematica ........................ 28 4 Tate Pairing 30 4.1 Definition . 30 4.2 Properties . 31 4.3 Miller’s Algorithm for the Tate Pairing . 33 4.3.1 Example . 35 4.3.2 Implementation in Mathematica ........................ 36 4.4 Comparison with the Weil Pairing . 36 4.4.1 Algebraic Relation . 36 4.4.2 Efficiency of the Pairings . 38 4.5 Efficient Implementation of the Tate Pairing . 38 4.5.1 Adaptation of the Algorithm . 38 4.5.2 Choice of Parameters . 39 5 Embedding Degree 41 5.1 A Lower Bound . 41 5.2 Additional Conditions . 42 5.2.1 Example . 43 5.3 Curves with Small Embedding Degree . 44 5.3.1 Supersingular Curves . 44 CONTENTS 5 5.3.2 MNT-Curves . 46 6 Distortion Maps 48 6.1 Definition . 48 6.1.1 Non-Supersingular Curves . 48 6.1.2 Supersingular Curves . 49 6.2 Modified Pairings . 50 6.3 Cryptographic Use . 50 6.3.1 Asymmetric Pairings . 51 6.3.2 Symmetric Pairings . 51 7 Elliptic Curve Cryptography 52 7.1 Introduction to the Discrete Logarithm Problem . 52 7.1.1 Discrete Logarithm and Related Problems . 52 7.1.2 Attacks on the Discrete Logarithm Problem . 53 7.1.3 Some Standard Protocols . 54 7.2 Discrete Logarithm on Elliptic Curves . 55 7.2.1 Use of Elliptic Curves . 55 7.2.2 Reductions to Other Groups . 55 7.2.3 Security Issues . 57 7.3 Gap Diffie-Hellman Groups . 58 7.3.1 Definition . 58 7.3.2 Realization with Pairings . 59 7.3.3 Bilinear Diffie-Hellman Problem . 60 7.3.4 Security Issues . 61 8 Identity-Based Cryptography 63 8.1 Definition . 63 8.1.1 Public-Key Cryptography . 63 8.1.2 Identity-Based Cryptography . 64 8.1.3 Security of Identity-Based Cryptosystems . 65 8.2 Comparison to PKI . 67 8.3 Realization with Pairings . 71 8.3.1 The BasicIdent IBE Scheme . 71 8.3.2 The FullIdent IBE Scheme . 73 8.3.3 Observations on IBE . 74 8.3.4 Identity-Based Signature Scheme . 75 8.3.5 Other Identity-Based Applications . 76 9 Other Applications of Pairings 78 9.1 Joux’s Tripartite Diffie-Hellman Key Exchange . 78 9.2 Short Signatures . 79 10 Concluding Remarks 81 10.1 Theory of the Pairings . 81 10.1.1 The Weil versus the Tate Pairing . 81 10.1.2 Suitable Curves . 82 10.1.3 Further Research . 82 10.2 Pairing-Based Cryptography . 83 10.2.1 Identity-Based Cryptography . 83 10.2.2 Security of Pairing-Based Cryptography . 84 10.2.3 Further Research . 84 Bibliography 85 6 CONTENTS Index 90 A Mathematica Code 92 Chapter 1 Introduction This report is the result of my graduation project in completion of the Master program Industrial and Applied Mathematics at the Eindhoven University of Technology (TU/e). It has been written in order to obtain the degree of Master of Science. The project has been carried out at the Netherlands National Communications Security Agency (NLNCSA), which is part of the General Intelligence and Security Service (GISS) in Leidschendam. 1.1 Project Background Elliptic curves have been a subject of research for a long time already. They naturally occur in the study of congruent numbers and Diophantine equations. Initially, researchers were mainly interested in finding points on elliptic curves over infinite fields such as the field of rational or real numbers. The study of curves over finite fields, which at first sight seem to form rather boring abelian groups, aided in finding such points. In 1985, however, elliptic curves over finite fields found an application of their own in cryptography. Koblitz and Miller independently realized that discrete logarithm-based cryptosystems might provide better security when defined on the group of points on an elliptic curve rather than the conventional multiplicative group of a finite field. Or alternatively, they figured, elliptic curves could enable shorter keys, while providing a similar level of security. Since then, a lot of research effort has been put in elliptic curve cryptography and numerous cryptosystems have been proposed. Some of them, however, proved less secure than initially assumed, as the structure of the proposed elliptic curves provides tools to attack the system. This is where pairings first come into play. A pairing in this context is a function that takes as input two points on an elliptic curve and outputs an element of some multiplicative abelian group. Furthermore, a pairing satisfies some special properties, the most important of which is bilinearity. Due to these special properties, pairings are hard to construct. The two pairings that are known at present are the Weil pairing and the Tate pairing. In 1993, Menezes et al. discovered that the Weil pairing can be used to attack discrete logarithm-based systems on a certain class of elliptic curves; the so-called MOV-reduction. One year later, Frey and R¨uck used the Tate pairing to describe a similar attack, called the FR-reduction. This cryptanalytic use was the only known application of pairings for a long time. In 2000, however, Joux discovered that pairings can be used as cryptographic building blocks as well. The bilinearity of the pairings enables many cryptosystems with interesting properties. Joux’s discovery spurred an extensive research into new applications based on pairings. The large number of articles on pairing-based cryptography that have appeared since 2000 indicates the tremendous amount of research effort put into this subject. An excellent reference is Barreto’s ’Pairing-Based Crypto Lounge’ [4]. Undoubtedly the most striking application of pairings is the realization of identity-based cryp- tography. In this variant of public-key cryptography, already proposed by Shamir in 1984, users’ 8 Introduction public keys are derived from their identity and the corresponding secret keys are generated by some trusted party. The fact that public keys are linked to the users’ identity guarantees the authenticity and therefore takes away the need for certificates as in conventional public-key cryp- tosystems. Some satisfactory identity-based signature schemes were proposed soon after Shamir described the concept of identity-based crypto. The implementation of an identity-based encryp- tion scheme, however, remained an open problem until Joux’s discovery of the constructive use of pairings. In 2001, Boneh and Franklin were able to design an efficient identity-based encryption scheme through pairings. (Simultaneously, Cocks came up with a non pairing-based solution; we do not deal with this scheme.) Soon identity-based signature schemes appeared that are com- patible with the encryption scheme by Boneh and Franklin, thus yielding a complete and fully functional solution to the open problem put by Shamir. Besides identity-based systems, numerous other pairing-based schemes with interesting properties have appeared, such as an efficient key agreement protocol and a signature scheme with short signatures. 1.2 Project Description It is of great importance for the NLNCSA to keep abreast of the recent developments in cryptogra- phy. Therefore, the aim of this project is to gain knowledge of the current status of pairing-based crypto in general and identity-based crypto in particular. This includes the mathematics involved on one hand and the potential applications on the other. The fact that in this subject challenging mathematics lies close to real-life applications (in contrast to most interesting mathematics, where usually a.
Load more

Recommended publications
  • Easy Decision Diffie-Hellman Groups
    EASY DECISION-DIFFIE-HELLMAN GROUPS STEVEN D. GALBRAITH AND VICTOR ROTGER Abstract. The decision-Di±e-Hellman problem (DDH) is a central compu- tational problem in cryptography. It is already known that the Weil and Tate pairings can be used to solve many DDH problems on elliptic curves. A natural question is whether all DDH problems are easy on supersingular curves. To answer this question it is necessary to have suitable distortion maps. Verheul states that such maps exist, and this paper gives an algorithm to construct them. The paper therefore shows that all DDH problems on the supersingular elliptic curves used in practice are easy. We also discuss the issue of which DDH problems on ordinary curves are easy. 1. Introduction It is well-known that the Weil and Tate pairings make many decision-Di±e- Hellman (DDH) problems on elliptic curves easy. This observation is behind ex- citing new developments in pairing-based cryptography. This paper studies the question of which DDH problems are easy and which are not necessarily easy. First we recall some de¯nitions. Decision Di±e-Hellman problem (DDH): Let G be a cyclic group of prime order r written additively. The DDH problem is to distinguish the two distributions in G4 D1 = f(P; aP; bP; abP ): P 2 G; 0 · a; b < rg and D2 = f(P; aP; bP; cP ): P 2 G; 0 · a; b; c < rg: 4 Here D1 is the set of valid Di±e-Hellman-tuples and D2 = G . By `distinguish' we mean there is an algorithm which takes as input an element of G4 and outputs \valid" or \invalid", such that if the input is chosen with probability 1/2 from each of D1 and D2 ¡ D1 then the output is correct with probability signi¯cantly more than 1/2.
    [Show full text]
  • The Tate Pairing for Abelian Varieties Over Finite Fields
    Journal de Th´eoriedes Nombres de Bordeaux 00 (XXXX), 000{000 The Tate pairing for Abelian varieties over finite fields par Peter BRUIN Resum´ e.´ Nous d´ecrivons un accouplement arithm´etiqueassoci´e `aune isogenie entre vari´et´esab´eliennessur un corps fini. Nous montrons qu'il g´en´eralisel'accouplement de Frey et R¨uck, ainsi donnant une d´emonstrationbr`eve de la perfection de ce dernier. Abstract. In this expository note, we describe an arithmetic pairing associated to an isogeny between Abelian varieties over a finite field. We show that it generalises the Frey{R¨uck pairing, thereby giving a short proof of the perfectness of the latter. 1. Introduction Throughout this note, k denotes a finite field of q elements, and k¯ denotes an algebraic closure of k. If n is a positive integer, then µn denotes the group of n-th roots of unity in k¯×. Let C be a complete, smooth, geometrically connected curve over k, let J be the Jacobian variety of C, and let n be a divisor of q − 1. In [1], Frey and R¨uck defined a perfect pairing f ; gn : J[n](k) × J(k)=nJ(k) −! µn(k) as follows: if D and E are divisors on C with disjoint supports and f is a non-zero rational function with divisor nD, then (q−1)=n f[D]; [E] mod nJ(k)gn = f(E) ; where Y nx X f(E) = f(x) if E = nxx: x2C(k¯) x2C(k¯) Remark. We have composed the map as defined in [1] with the isomor- × × n phism k =(k ) ! µn(k) that raises elements to the power (q − 1)=n.
    [Show full text]
  • The Generalized Weil Pairing and the Discrete Logarithm Problem on Elliptic Curves
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Elsevier - Publisher Connector Theoretical Computer Science 321 (2004) 59–72 www.elsevier.com/locate/tcs The generalized Weil pairing and the discrete logarithm problem on elliptic curves Theodoulos Garefalakis Department of Mathematics, University of Toronto, Ont., Canada M5S 3G3 Received 5 August 2002; received in revised form 2 May 2003; accepted 1 June 2003 Abstract We review the construction of a generalization of the Weil pairing, which is non-degenerate and bilinear, and use it to construct a reduction from the discrete logarithm problem on elliptic curves to the discrete logarithm problem in ÿnite ÿelds. We show that the new pairing can be computed e2ciently for curves with trace of Frobenius congruent to 2 modulo the order of the base point. This leads to an e2cient reduction for this class of curves. The reduction is as simple to construct as that of Menezes et al. (IEEE Trans. Inform. Theory, 39, 1993), and is provably equivalent to that of Frey and Ruck7 (Math. Comput. 62 (206) (1994) 865). c 2003 Elsevier B.V. All rights reserved. Keywords: Elliptic curves; Cryptography; Discrete Logarithm Problem 1. Introduction Since the seminal paper of Di2e and Hellman [11], the discrete logarithm prob- lem (DLP) has become a central problem in algorithmic number theory, with direct implications in cryptography. For arbitrary ÿnite groups the problem is deÿned as fol- lows: Given a ÿnite group G, a base point g ∈ G and a point y ∈g ÿnd the smallest non-negative integer ‘ such that y = g‘.
    [Show full text]
  • On the Implementation of Pairing-Based Cryptosystems a Dissertation Submitted to the Department of Computer Science and the Comm
    ON THE IMPLEMENTATION OF PAIRING-BASED CRYPTOSYSTEMS A DISSERTATION SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE AND THE COMMITTEE ON GRADUATE STUDIES OF STANFORD UNIVERSITY IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY Ben Lynn June 2007 c Copyright by Ben Lynn 2007 All Rights Reserved ii I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. Dan Boneh Principal Advisor I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. John Mitchell I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. Xavier Boyen Approved for the University Committee on Graduate Studies. iii Abstract Pairing-based cryptography has become a highly active research area. We define bilinear maps, or pairings, and show how they give rise to cryptosystems with new functionality. There is only one known mathematical setting where desirable pairings exist: hyperellip- tic curves. We focus on elliptic curves, which are the simplest case, and also the only curves used in practice. All existing implementations of pairing-based cryptosystems are built with elliptic curves. Accordingly, we provide a brief overview of elliptic curves, and functions known as the Tate and Weil pairings from which cryptographic pairings are derived. We describe several methods for obtaining curves that yield Tate and Weil pairings that are efficiently computable yet are still cryptographically secure.
    [Show full text]
  • An Introduction to Pairing-Based Cryptography
    An Introduction to Pairing-Based Cryptography Alfred Menezes Abstract. Bilinear pairings have been used to design ingenious protocols for such tasks as one-round three-party key agreement, identity-based encryption, and aggregate signatures. Suitable bilinear pairings can be constructed from the Tate pairing for specially chosen elliptic curves. This article gives an introduction to the protocols, Tate pairing computation, and curve selection. 1. Introduction The discrete logarithm problem (DLP) has been extensively studied since the discovery of public-key cryptography in 1975. Recall that the DLP in an additively- written group G = P of order n is the problem, given P and Q, of finding the integer x [0,n 1]h suchi that Q = xP . The DLP is believed to be intractable for certain∈ (carefully− chosen) groups including the multiplicative group of a finite field, and the group of points on an elliptic curve defined over a finite field. The closely related Diffie-Hellman problem (DHP) is the problem, given P , aP and bP , of finding abP . It is easy to see that the DHP reduces in polynomial time to the DLP. It is generally assumed, and has been proven in some cases (e.g., see [10, 38]), that the DLP reduces in polynomial time to the DHP. The assumed intractability of the DHP is the basis for the security of the Diffie- Hellman key agreement protocol [20] illustrated in Figure 1. The objective of this protocol is to allow Alice and Bob to establish a shared secret by communicating over a channel that is being monitored by an eavesdropper Eve.
    [Show full text]
  • Clean Rings & Clean Group Rings
    CLEAN RINGS & CLEAN GROUP RINGS Nicholas A. Immormino A Dissertation Submitted to the Graduate College of Bowling Green State University in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY August 2013 Committee: Warren Wm. McGovern, Advisor Rieuwert J. Blok, Advisor Sheila J. Roberts, Graduate Faculty Representative Mihai D. Staic ii ABSTRACT Warren Wm. McGovern, Advisor Rieuwert J. Blok, Advisor A ring is said to be clean if each element in the ring can be written as the sum of a unit and an idempotent of the ring. More generally, an element in a ring is said to be clean if it can be written as the sum of a unit and an idempotent of the ring. The notion of a clean ring was introduced by Nicholson in his 1977 study of lifting idempotents and exchange rings, and these rings have since been studied by many different authors. In our study of clean rings, we classify the rings that consist entirely of units, idempotents, and quasiregular elements. It is well known that the units, idempotents, and quasiregular elements of any ring are clean. Therefore any ring that consists entirely of these types of elements is clean. We prove that a ring consists entirely of units, idempotents, and quasiregular elements if and only if it is a boolean ring, a local ring, isomorphic to the direct product of two division rings, isomorphic to the full matrix ring M2(D) for some division ring D, or isomorphic to the ring of a Morita context with zero pairings where both of the underlying rings are division rings.
    [Show full text]
  • Frobenius Algebra Structure in Hopf Algebras and Cohomology Ring with Poincaré Duality
    FROBENIUS ALGEBRA STRUCTURE IN HOPF ALGEBRAS AND COHOMOLOGY RING WITH POINCARÉ DUALITY SIQI CLOVER ZHENG Abstract. This paper aims to present the Frobenius algebra structures in finite-dimensional Hopf algebras and cohomology rings with Poincaré duality. We first introduce Frobenius algebras and their two equivalent definitions. Then, we give a concise construction of FA structure within an arbitrary finite- dimensional Hopf algebra using non-zero integrals. Finally, we show that a cohomology ring with Poincaré duality is a Frobenius algebra with a non- degenerate bilinear pairing induced by cap product. Contents 1. Introduction1 2. Preliminaries1 3. Frobenius Algebras3 4. Frobenius Algebra Structure in Hopf Algebras5 4.1. Existence of Non-zero Integrals6 4.2. The Converse direction 10 5. Frobenius Algebra Structure in Cohomology Ring 11 Acknowledgement 12 References 12 1. Introduction A Frobenius algebra (FA) is a vector space that is both an algebra and coal- gebra in a compatible way. Structurally similar to Hopf algebras, it is shown that every finite-dimensional Hopf algebra admits a FA structure [8]. In this paper, we will present a concise version of this proof, focusing on the construction of non- degenerate bilinear pairings. Another structure that is closely related to Frobenius algebras is cohomology ring with Poincaré duality. Using cap product, we will show there exists a natural FA structure in cohomology rings where Poincaré duality holds. To understand these structural similarities, we need to define Frobenius algebras and some compatibility conditions. 2. Preliminaries Definition 2.1. An algebra is a vector space A over a field k, equipped with a linear multiplication map µ : A ⊗ A ! A and unit map η : k ! A such that Date: October 17, 2020.
    [Show full text]
  • 24 Divisors and the Weil Pairing
    18.783 Elliptic Curves Spring 2015 Lecture #24 05/07/2015 24 Divisors and the Weil pairing In this lecture we address a new topic, the Weil Pairing, which has many practical and theoretical applications. In order to define the Weil pairing we first need to expand our discussion of the function field of a curve from Lecture 5. This requires a few basic results from commutative algebra and algebraic geometry that we will not take the time to prove (most of what we need it is summarized in the first two chapters of [5]). 24.1 Valuations on the function field of a curve Let C=k be a smooth projective curve defined by a homogeneous polynomial f(x; y; z) = 0 that (as always) we assume is irreducible over k¯.1 In order to simplify the presentation, we are going to assume in this section that k = k¯ is algebraically closed, but we will note in remarks along the way how to handle non-algebraically closed (but still perfect) fields. In Lecture 5 we defined the function field k(C) as the field of rational functions g=h, where g; h 2 k[x; y; z] are homogeneous polynomials of the same degree with h 62 (f), modulo the equivalence relation g1 g2 ∼ () g1h2 − g2h1 2 (f): h1 h2 1 Alternatively, we can view the function g=h as a rational map (g : h) from C to P . The fact that C is a smooth curve implies that this rational map is actually a morphism, meaning that it is defined at every point P 2 C(k¯); this was stated in Theorem 5.10 which we will prove below.
    [Show full text]
  • Constructing Pairing-Friendly Hyperelliptic Curves Using Weil Restriction
    CONSTRUCTING PAIRING-FRIENDLY HYPERELLIPTIC CURVES USING WEIL RESTRICTION DAVID MANDELL FREEMAN1 AND TAKAKAZU SATOH2 Abstract. A pairing-friendly curve is a curve over a finite field whose Ja- cobian has small embedding degree with respect to a large prime-order sub- group. In this paper we construct pairing-friendly genus 2 curves over finite fields Fq whose Jacobians are ordinary and simple, but not absolutely simple. We show that constructing such curves is equivalent to constructing elliptic curves over Fq that become pairing-friendly over a finite extension of Fq. Our main proof technique is Weil restriction of elliptic curves. We describe adap- tations of the Cocks-Pinch and Brezing-Weng methods that produce genus 2 curves with the desired properties. Our examples include a parametric fam- ily of genus 2 curves whose Jacobians have the smallest recorded ρ-value for simple, non-supersingular abelian surfaces. 1. Introduction Let q be a prime power and Fq be a finite field of q elements. In this paper we study two types of abelian varieties: • Elliptic curves E, defined over Fqd , with j(E) 2 Fq. • Genus 2 curves C, defined over Fq, whose Jacobians are isogenous over Fqd to a product of two isomorphic elliptic curves defined over Fq. Both types of abelian varieties have recently been proposed for use in cryptography. In the first case, Galbraith, Lin, and Scott [17] showed that arithmetic operations on certain elliptic curves E as above can be up to 30% faster than arithmetic on generic elliptic curves over prime fields. In the second case, Satoh [32] showed that point counting on Jacobians of certain genus 2 curves C as above can be performed much faster than point counting on Jacobians of generic genus 2 curves.
    [Show full text]
  • Polarizations and the Weil Pairing
    Chapter XI. Polarizations and Weil pairings. In the study of higher dimensional varieties and their moduli, one often considers polarized varieties. Here a polarization is usually defined as the class of an ample line bundle modulo a suitable equivalence relation, such as algebraic or homological equivalence. If X is an abelian variety then, as we have seen in (7.24), the class of an ample bundle L modulo algebraic equiv- alence carries the same information as the associated homomorphism λ = ϕ : X Xt.And L → it is in fact this homomorphism that we shall put in the foreground. One reason for this is that λ usually has somewhat better arithmetic properties; for instance, it may be defined over a smaller field than any line bundle representing it. The positivity of an ample bundle shall later be translated into the positivity of the Rosati involution associated to λ; this is an important result that shall be given in the next chapter. The first Chern class of L only depends on L modulo algebraic equivalence, and we therefore expect that it can be expressed directly in terms of the associated homomorphism λ = ϕL.This is indeed the case. As we have seen before (cf. ??), the #-adic cohomology of X can be described in more elementary terms via the Tate-#-module. The class c1(L) then takes the form of an alternating pairing Eλ: T X T X Z (1), usually referred to as the Riemann form of L (or " " × " → " of λ). It is obtained, by a limit procedure, from pairings eλ: X[n] X[n] µ , called the Weil n × → n pairing.
    [Show full text]
  • Dieudonné Modules and P-Divisible Groups Associated with Morava K
    DIEUDONNE´ MODULES AND p-DIVISIBLE GROUPS ASSOCIATED WITH MORAVA K-THEORY OF EILENBERG-MAC LANE SPACES VICTOR BUCHSTABER AND ANDREY LAZAREV Abstract. We study the structure of the formal groups associated to the Morava K-theories of integral Eilenberg-Mac Lane spaces. The main result is that every formal group in the collection ∗ {K(n) K(Z, q), q = 2, 3,...} for a fixed n enters in it together with its Serre dual, an analogue of a principal polarization on an abelian variety. We also identify the isogeny class of each of these formal groups over an algebraically closed field. These results are obtained with the help of the Dieudonn´ecorrespondence between bicommutative Hopf algebras and Dieudonn´e modules. We extend P. Goerss’s results on the bilinear products of such Hopf algebras and corresponding Dieudonn´emodules. 1. Introduction The theory of formal groups gave rise to a powerful method for solving various problems of algebraic topology thanks to fundamental works by Novikov [9] and Quillen [12]. Formal groups in topology arise when one applies a complex oriented cohomology theory to the infinite complex projective space CP ∞. However the formal groups obtained in this way are all one-dimensional and so far the rich and intricate theory of higher dimensional formal groups remained outside of the realm of algebraic topology. One could hope to get nontrivial examples in higher dimensions by applying a generalized cohomology to an H-space. For most known cohomology theories and H-spaces this hope does not come true, however there is one notable exception. Quite surprisingly, the Morava K-theories applied to integral Eilenberg-Mac Lane spaces give rise to formal groups in higher dimensions.
    [Show full text]
  • Open Problems in Pairings
    Open Problems in Pairings Tanja Lange Department of Mathematics and Computer Science Eindhoven University of Technology [email protected] TanjaLange OpenProblemsinPairings–p.1 Protocols TanjaLange OpenProblemsinPairings–p.2 Security Assumptions – DL systems All systems assume that the Discrete Logarithm Problem (DLP) is hard to solve, i.e. given P and PA = [sA]P it is hard to find sA. The Computational Diffie-Hellman Problem (CDHP) is the problem given P , PA = [sA]P , and PB = [sB]P compute [sAsB]P . The Decisional Diffie-Hellman Problem (DDHP) is the problem given P , PA = [sA]P , PB = [sB]P and R = [r]P decide whether R = [sAsB]P . TanjaLange OpenProblemsinPairings–p.3 Pairings Let (G1, ), (G2, ) and (GT , ) be cyclic groups of prime order ℓ and⊕ let ⊕ · e : G G G 1 × 2 → T be a an efficiently computable map satisfying e(P Q, R′) = e(P, R′)e(Q, R′) ⊕ e(P, R′ S′) = e(P, R′)e(P,S′) ⊕ The map is non-degenerate in the first argument, i.e. if e(P, R′)=1 for all R′ G for some P then P is the ∈ 2 identity in G1 Then e is called a bilinear map or pairing.This implies ′ ′ ′ e([a]P, R ) = e(P, [a]R ) = e(P, R )a. In protocol papers often G1 = G2 (keyword “distortion map”). TanjaLange OpenProblemsinPairings–p.4 Consequences I Pairings allow to transfer the DLP in G1 to a DLP in GT . ′ ′ Let P G2 be such that e(P, P ) =1, ∈ 6 Given DLP P, PA = [sA]P compute ′ ′ ′ ′ sA sA g = e(P, P ) and h = e(PA, P ) = e([sA]P, P ) = e(P, P ) = g .
    [Show full text]