DOCSLIB.ORG

Dual Pairing Vector Space

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Dual Pairing Vector Space Change Background colours in the layout tab in the panel above^ Dual Pairing Vector Space Shiwei Zhang School of Computer Science and Software Engineering Faculty of Engineering and Information Sciences University of Wollongong, Australia Student Number: 3792444 Email: [email protected] October 3, 2014 VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW Literature [1] Okamoto, T.: Dual pairing vector spaces and their applications to functional encryption (July 2014), lecture in University of Wollongong [2] Okamoto, T., Takashima, K.: Homomorphic encryption and signatures from vector decomposition. In: Galbraith, S., Paterson, K. (eds.) Pairing-Based Cryptography { Pairing 2008, Lecture Notes in Computer Science, vol. 5209, pp. 57{74. Springer Berlin Heidelberg (2008) [3] Okamoto, T., Takashima, K.: Some key techniques on pairing vector spaces. In: Nitaj, A., Pointcheval, D. (eds.) Progress in Cryptology { AFRICACRYPT 2011, Lecture Notes in Computer Science, vol. 6737, pp. 380{382. Springer Berlin Heidelberg (2011) VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 1 Outline 1 Preliminaries 2 Dual Pairing Vector Space 3 Intractable Problems Vector Decomposition Problem Decisional Subspace Problem Hierarchical Trapdoors 4 Conclusion VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW Outline 1 Preliminaries 2 Dual Pairing Vector Space 3 Intractable Problems Vector Decomposition Problem Decisional Subspace Problem Hierarchical Trapdoors 4 Conclusion VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW Pairing Groups Let G1 and G2 be additive groups of prime order q with generator P and Q respectively, and G3 be multiplicative group of the same prime order q. jG1j = jG2j = jGT j = q P 2 G1;Q 2 G2 (P; Q =6 1) Scalar multiplication is defined for G1 and G2 as follows: 8 2 Z ··· a q; aP = |P + P + P +{z + P + P} a The conventional notation ga, where g is a generator, is not used for more nature DPVS representation. VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 2 Bilinear Pairing The e: G1 × G2 ! GT is a bilinear pairing which has following properties: Bilinearity: xy 8P 2 G1;Q 2 G2; x; y 2 Zq; e(xP; yQ) = e(P; Q) Non-degeneracy: 9P 2 G1;Q 2 G2 : e(P; Q) =6 1 Computability: 8P 2 G1;Q 2 G2; 9A which is an efficient algorithm to compute e(P; Q) VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 3 Outline 1 Preliminaries 2 Dual Pairing Vector Space 3 Intractable Problems Vector Decomposition Problem Decisional Subspace Problem Hierarchical Trapdoors 4 Conclusion VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW Objective Mathematically rich structures should be useful in implementing various cryptographic primitives and protocols [2]. F∗ Traditional cryptography (genus 0). e.g. finite field ( p) Pairing-based cryptography (genus 1). e.g. elliptic curve groups (E=Fp) New property: Bilinearity A nature way to construct a richer structure from pairing groups is Direct Product of Pairing Groups −! Dual Pairing Vector Space VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 4 Definition Vectors x 2 V and y 2 V∗ are defined as following: 2 GN V x := (P1;:::;PN ) 1 = 2 GN V∗ y := (Q1;:::;QN ) 2 = Vector Addition 8 2 GN V z := (R1;:::;RN ) 1 = x + z := (P1 + R1;:::;PN + RN ) Scalar multiplication 8a 2 Fq; ax := (aP1; : : : ; aPN ) VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 5 Canonical Basis I The canonical bases are defined as following: A := (a1; : : : ; aN ) a1 := (P; 0;:::; 0); a2 := (0; P; 0;:::; 0); aN := (0;:::; 0;P ) A∗ ∗ ∗ ∗ ∗ ∗ := (a1; : : : ; aN ) a1 := (Q; 0;:::; 0); a2 := (0; Q; 0;:::; 0); aN := (0;:::; 0;Q) Visually, they can be represented as following: 0 1 0 1 P 0 ··· 0 Q 0 ··· 0 B ··· C B ··· C B 0 P 0 C ∗ B 0 Q 0 C A := B . C A := B . C @ . .. A @ . .. A 0 0 ··· P 0 0 ··· Q VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 6 Canonical Basis II Elements x 2 V, y 2 V∗ can be expressed on canonical basis: x := (x1P; : : : ; xN P ) y := (y1Q; : : : ; yN Q) ··· ∗ ··· ∗ = x1a1 + + xN aN = y1a1 + + yN aN = (x1; : : : ; xN )A = (y1; : : : ; yN )A∗ = (~x)A = (~y)A∗ 2 FN Note that ~x;~y q . VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 7 Canonical Basis III As ~x is a N-dimensional vector and A is a N × N matrix and by observing the definition of the calculation of x, it can also be computed naturally using matrix. 2 3 a1;1 a1;2 ··· a1;N 6 7 [ ] 6 a2;1 a2;2 ··· a2;N 7 ··· x = ~xA = x1 x2 xN 6 . 7 4 . .. 5 a a ··· a " N;1 N;2 # N;N XN XN XN = xiai;1 xiai;2 ··· xiai;N = (~x)A i=1 i=1 i=1 Similarly, y = ~yA∗. VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 8 Duality Inner-Products between V and V∗ are defined as following: ∗ 8x := (~x)A 2 V; y := (~y)A∗ 2 V ; XN x · y := xiyi = ~x · ~y 2 Fq i=1 ∗ ∗ Since 8y 2 V , there is a linear map y : V ! Fq (i.e. y : x 7! x · y), V is the dual space of V. Hence, bilinear pairing between V and V∗ is defined as YN P N ~x;~y x·y i=1 xiyi 2 G e(x; y) := e(xiP; yiQ) = e(P; Q) = gT = gT T i=1 VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 9 Orthonormality Since V is finite-dimensional (i.e. N-dimensional), V∗ has the same dimension as V and ( ∗ 1 if i = j ∗ δi;j ai · a = δi;j := =) e(ai; a ) = g j 0 if i =6 j j T (A; A∗) are dual orthonormal bases of V and V∗. VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 10 Base Change I To change the base (A; A∗) to a new base (B; B∗), a N × N invertible matrix X is uniformly chosen from the general linear group of degree N over Fq. U T −1 X := (χi;j ) − GL(N; Fq)(θi;j) := (X ) VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 11 Base Change II The base change operation is processed as following using linear transformation: T −1 A −!X B A∗ −−−−−!(X ) B∗ B B∗ ∗ ∗ := (b1; : : : ; bN ) := (b1; : : : ; bN ) XN XN ∗ ∗ bi = χi;jaj for i = 1;:::;N bi = θi;jaj for i = 1;:::;N j=1 j=1 := (χi;1P; : : : ; χi;N P ) := (θi;1Q; : : : ; θi;N Q) A ~ = ( ~χi) = (θi)A∗ VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 12 Base Change III As an extension of x = ~xA, the previous base change can be simplified. 2 3 XN XN XN 6 χ a χ a ··· χ a 7 6 1;i i;1 1;i i;2 1;i i;N 7 2 3 2 3 6 i=1 i=1 i=1 7 ··· ··· 6 7 χ1;1 χ1;2 χ1;N a1;1 a1;2 a1;N 6 XN XN XN 7 6 ··· 7 6 ··· 7 6 ··· 7 6 χ2;1 χ2;2 χ2;N 7 6 a2;1 a2;2 a2;N 7 6 χ2;iai;1 χ2;iai;2 χ2;iai;N 7 B = XA = 6 . 7 6 . 7 = 6 7 4 . .. 5 4 . .. 5 6 i=1 i=1 i=1 7 . 6 . 7 ··· ··· 6 . .. 7 χN;1 χN;2 χN;N aN;1 aN;2 aN;N 6 7 4XN XN XN 5 χN;iai;1 χN;iai;2 ··· χN;iai;N i=1 i=1 i=1 Similarly, B∗ = (XT )−1A∗. VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 13 Base Change IV Note that B is a basis of V and B∗ is a basis of V∗. Since ∗ ∗ δi;j · · ~ ∗ · ~ ) bi bj = ( ~χi)A (θj)A = ~χi θj = δi;j = e(bi; bj ) = gT (B; B∗) are dual orthonormal bases of V and V∗. The pairing operation of vectors of the changed base by X is shown below: x := x1b1 + ··· + xN bN = (x1; ··· ; xN )B = (~x)B 2 V ∗ ∗ ∗ ··· ··· ∗ ∗ 2 V y := y1b1 + + yN bN = (y1; ; yN )B = (~y)B YN P ∗ N ∗ i=1 xiyi e(x; y) = e(xibi; yibi ) = e(P; Q) (since e(bi; bi ) = gT ) i=1 ~x·~y = gT VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 14 Trapdoor It is hard to compute B∗ from (B; A; A∗) but is easy with X. −−−−−−!hard6 B A A∗ B∗ ( ; ; ) −−−−−−!easy X VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 15 Special Case: Self-Duality With symmetric pairing group (G1 = G2) = G, the bilinear pairing and the vector space ∗ N become e: G × G ! GT and V = V := G . Other properties are changed as following: Base change U X −GL(N;F ) A −−−−−−−−−−!q (B; B∗) Note that (A; B; B∗) are (self-dual) orthonormal bases of V. Trapdoor 6−−−−−! ∗ (B; A) −−−−−! B X VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 16 Outline 1 Preliminaries 2 Dual Pairing Vector Space 3 Intractable Problems Vector Decomposition Problem Decisional Subspace Problem Hierarchical Trapdoors 4 Conclusion VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW Intractable Problems There are two intractable problems in DPVS suitable for cryptographic applications: Vector Decomposition Problem (VDP) Decisional Subspace Problem (DSP) VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 17 Vector Decomposition Problem I VDP definition is originally named as Computational Vector Decomposition Problem [2]. Definition (VDP(N1;N2): (N1;N2)-Vector Decomposition Problem) Let G be an N1-dimensional Fq-vector space generator, taking a security parameter k, and N1 > N2. Let A be a probabilistic polynomial-time machine. The advantage of A is defined as following: 2 3 R k U N1 VDP u = (v1; : : : ; vN ; 0;:::; 0)B j V −G(1 ); B − V ; (N1;N2) 4 2 5 AdvA (k) = P r U − FN1 A k V B ~v = (v1; : : : ; vN1 ) q ; v = (~v)B; u (1 ; ; ; v) The VDP(N1;N2) assumption is satisfied if there is no probabilistic polynomial-time VDP(N1;N2) adversary A has non-negligible advantage AdvA (k). VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 18 Vector Decomposition Problem II ! v = v1; v2; : : : ; vN2−1; vN2 ; vN2+1; : : : ; vN1−1; vN1 ? B ? ? 6y Hard ! u = v1; v2; : : : ; vN2−1; vN2 ; 0;:::; 0 B Remark that there is a special case of VDP.
Load more

Recommended publications
  • Clean Rings & Clean Group Rings
    CLEAN RINGS & CLEAN GROUP RINGS Nicholas A. Immormino A Dissertation Submitted to the Graduate College of Bowling Green State University in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY August 2013 Committee: Warren Wm. McGovern, Advisor Rieuwert J. Blok, Advisor Sheila J. Roberts, Graduate Faculty Representative Mihai D. Staic ii ABSTRACT Warren Wm. McGovern, Advisor Rieuwert J. Blok, Advisor A ring is said to be clean if each element in the ring can be written as the sum of a unit and an idempotent of the ring. More generally, an element in a ring is said to be clean if it can be written as the sum of a unit and an idempotent of the ring. The notion of a clean ring was introduced by Nicholson in his 1977 study of lifting idempotents and exchange rings, and these rings have since been studied by many different authors. In our study of clean rings, we classify the rings that consist entirely of units, idempotents, and quasiregular elements. It is well known that the units, idempotents, and quasiregular elements of any ring are clean. Therefore any ring that consists entirely of these types of elements is clean. We prove that a ring consists entirely of units, idempotents, and quasiregular elements if and only if it is a boolean ring, a local ring, isomorphic to the direct product of two division rings, isomorphic to the full matrix ring M2(D) for some division ring D, or isomorphic to the ring of a Morita context with zero pairings where both of the underlying rings are division rings.
    [Show full text]
  • Frobenius Algebra Structure in Hopf Algebras and Cohomology Ring with Poincaré Duality
    FROBENIUS ALGEBRA STRUCTURE IN HOPF ALGEBRAS AND COHOMOLOGY RING WITH POINCARÉ DUALITY SIQI CLOVER ZHENG Abstract. This paper aims to present the Frobenius algebra structures in finite-dimensional Hopf algebras and cohomology rings with Poincaré duality. We first introduce Frobenius algebras and their two equivalent definitions. Then, we give a concise construction of FA structure within an arbitrary finite- dimensional Hopf algebra using non-zero integrals. Finally, we show that a cohomology ring with Poincaré duality is a Frobenius algebra with a non- degenerate bilinear pairing induced by cap product. Contents 1. Introduction1 2. Preliminaries1 3. Frobenius Algebras3 4. Frobenius Algebra Structure in Hopf Algebras5 4.1. Existence of Non-zero Integrals6 4.2. The Converse direction 10 5. Frobenius Algebra Structure in Cohomology Ring 11 Acknowledgement 12 References 12 1. Introduction A Frobenius algebra (FA) is a vector space that is both an algebra and coal- gebra in a compatible way. Structurally similar to Hopf algebras, it is shown that every finite-dimensional Hopf algebra admits a FA structure [8]. In this paper, we will present a concise version of this proof, focusing on the construction of non- degenerate bilinear pairings. Another structure that is closely related to Frobenius algebras is cohomology ring with Poincaré duality. Using cap product, we will show there exists a natural FA structure in cohomology rings where Poincaré duality holds. To understand these structural similarities, we need to define Frobenius algebras and some compatibility conditions. 2. Preliminaries Definition 2.1. An algebra is a vector space A over a field k, equipped with a linear multiplication map µ : A ⊗ A ! A and unit map η : k ! A such that Date: October 17, 2020.
    [Show full text]
  • Dieudonné Modules and P-Divisible Groups Associated with Morava K
    DIEUDONNE´ MODULES AND p-DIVISIBLE GROUPS ASSOCIATED WITH MORAVA K-THEORY OF EILENBERG-MAC LANE SPACES VICTOR BUCHSTABER AND ANDREY LAZAREV Abstract. We study the structure of the formal groups associated to the Morava K-theories of integral Eilenberg-Mac Lane spaces. The main result is that every formal group in the collection ∗ {K(n) K(Z, q), q = 2, 3,...} for a fixed n enters in it together with its Serre dual, an analogue of a principal polarization on an abelian variety. We also identify the isogeny class of each of these formal groups over an algebraically closed field. These results are obtained with the help of the Dieudonn´ecorrespondence between bicommutative Hopf algebras and Dieudonn´e modules. We extend P. Goerss’s results on the bilinear products of such Hopf algebras and corresponding Dieudonn´emodules. 1. Introduction The theory of formal groups gave rise to a powerful method for solving various problems of algebraic topology thanks to fundamental works by Novikov [9] and Quillen [12]. Formal groups in topology arise when one applies a complex oriented cohomology theory to the infinite complex projective space CP ∞. However the formal groups obtained in this way are all one-dimensional and so far the rich and intricate theory of higher dimensional formal groups remained outside of the realm of algebraic topology. One could hope to get nontrivial examples in higher dimensions by applying a generalized cohomology to an H-space. For most known cohomology theories and H-spaces this hope does not come true, however there is one notable exception. Quite surprisingly, the Morava K-theories applied to integral Eilenberg-Mac Lane spaces give rise to formal groups in higher dimensions.
    [Show full text]
  • Pairing-Based Cryptography in Theory and Practice
    Pairing-Based Cryptography in Theory and Practice Hannes Salin Ume˚aUniversity Department of Mathematics and Mathematical Statistics Bachelor's Thesis, 15 credits Spring 2021 Abstract In this thesis we review bilinear maps and their usage in modern cryptography, i.e. the theo- retical framework of pairing-based cryptography including the underlying mathematical hardness assumptions. The theory is based on algebraic structures, elliptic curves and divisor theory from which explicit constructions of pairings can be defined. We take a closer look at the more com- monly known Weil pairing as an example. We also elaborate on pairings in practice and give numerical examples of how pairing-friendly curves are defined and how different type of crypto- graphical schemes works. Acknowledgements I would first like to thank my supervisor Klas Markstr¨omand examiner Per-H˚akan Lundow for all insightful feedback and valuable help throughout this work. It has been very helpful in a time where work, study and life constantly requires prioritization. I would also like to thankLukasz Krzywiecki by all my heart for mentoring me the past year, and to have directed me deeper into the wonderful world of cryptography. In addition, I show greatest gratitude towards Julia and our daughters for supporting me and being there despite moments of neglection. Finally, an infinitely thank you to my parents for putting me to this world and giving me all opportunities to be where I am right now. Contents 1 Introduction 4 2 Preliminaries 4 2.1 Algebraic Structures . 4 2.2 Elliptic Curves . 7 2.2.1 Elliptic Curves as Groups .
    [Show full text]
  • P-Adic Hodge Theory (Math 679)
    MATH 679: INTRODUCTION TO p-ADIC HODGE THEORY LECTURES BY SERIN HONG; NOTES BY ALEKSANDER HORAWA These are notes from Math 679 taught by Serin Hong in Winter 2020, LATEX'ed by Aleksander Horawa (who is the only person responsible for any mistakes that may be found in them). Official notes for the class are available here: http: //www-personal.umich.edu/~serinh/Notes%20on%20p-adic%20Hodge%20theory.pdf They contain many more details than these lecture notes. This version is from July 28, 2020. Check for the latest version of these notes at http://www-personal.umich.edu/~ahorawa/index.html If you find any typos or mistakes, please let me know at [email protected]. The class will consist of 4 chapters: (1) Introduction, Section1, (2) Finite group schemes and p-divisible groups, Section2, (3) Fontaine's formalism, (4) The Fargues{Fontaine curve. Contents 1. Introduction2 1.1. A first glimpse of p-adic Hodge theory2 1.2. A first glimpse of the Fargues{Fontaine curve8 1.3. Geometrization of p-adic representations 10 2. Foundations of p-adic Hodge theory 11 2.1. Finite flat group schemes 11 2.2. Finite ´etalegroup schemes 18 2.3. The connected ´etalesequence 20 2.4. The Frobenius morphism 22 2.5. p-divisible groups 25 Date: July 28, 2020. 1 2 SERIN HONG 2.6. Serre{Tate equivalence for connected p-divisible groups 29 2.7. Dieudonn´e{Maninclassification 37 2.8. Hodge{Tate decomposition 40 2.9. Generic fibers of p-divisible groups 57 3. Period rings and functors 60 3.1.
    [Show full text]
  • Arxiv:1905.04626V2 [Math.AG] 4 Mar 2020 H Iosfudto Gat#175,Respectively
    STANDARD CONJECTURE D FOR MATRIX FACTORIZATIONS MICHAEL K. BROWN AND MARK E. WALKER Abstract. We prove the non-commutative analogue of Grothendieck’s Standard Conjecture D for the dg-category of matrix factorizations of an isolated hypersurface singularity in characteristic 0. Along the way, we show the Euler pairing for such dg-categories of matrix factorizations is positive semi-definite. Contents 1. Introduction 1 1.1. Grothendieck’s Standard Conjecture D 2 1.2. Noncommutative analogue 2 1.3. Main theorem 3 1.4. Application to a conjecture in commutative algebra 5 2. Background 5 2.1. The Grothendieck group of a dg-category 5 2.2. Matrix factorizations 6 3. Reduction to the case of a polynomial over C 7 4. The Milnor fibration 9 4.1. The Milnor fiber and its monodromy operator 9 4.2. The Gauß-Manin connection 10 4.3. The Brieskorn lattice 11 4.4. Steenbrink’s polarized mixed Hodge structure 12 5. The map chX∞ and its properties 13 6. Positive semi-definiteness of the Euler pairing 18 7. Proof of the main theorem 20 8. Hochster’s theta pairing 21 8.1. Background on intersection theory 21 8.2. Proof of Theorem 1.10 22 Appendix A. Polarized mixed Hodge structures 23 References 25 arXiv:1905.04626v2 [math.AG] 4 Mar 2020 1. Introduction Let k be a field. Grothendieck’s Standard Conjecture D predicts that numerical equivalence and homological equivalence coincide for cycles on a smooth, projective variety X over k. Marcolli and Tabuada ([MT16], [Tab17]) have formulated a non-commutative generalization of this conjecture, referred to as Conjecture Dnc, which predicts that numerical equivalence and homological equivalence coincide for a smooth and proper dg-category C over a field k.
    [Show full text]
  • Diapos / Slides
    The generic group model in pairing- based cryptography Hovav Shacham, UC San Diego I. Background Pairings • Multiplicative groups G1, G2, GT • Maps between G1 and G2 (more later) • A “pairing” e: G1 × G2 → GT that is • bilinear: e(ua,vb) = e(u,v)ab • nondegenerate: e(g1,g2) ≠ 1 • efficiently computable [M86] • Such groups arise in algebraic geometry Pairings — birds & bees • Consider elliptic curve E/Fp; prime r|#E(Fp) • G1 = E(Fq)[r] × • G2 ≤ E(Fpk)[r] k: order of p in (Z/rZ) × • GT = µr < (Fpk) • e is the Weil pairing, Tate pairing, etc. Elliptic curve parameters x • Discrete logarithm: given g1 , recover x • For 80-bit dlog security on E, need: • r > 2160 for generic-group attacks; 1024 • | Fpk | > 2 for index-calculus attacks • Barreto and Naehrig generate prime- order curves with k=12. For example: E: y2 = x3 + 13 k = 12 p = 1040463591175731554588039391555929992995375960613 (160 bits) r = #E = 1040463591175731554588038371524758323102235285837 Maps between G1 & G2 • tr gives ψ: G2 → G1 for E[r] G not trace-0 2 trace-0 • In supersingular curves, also have φ: G1 →G2 G 2 φ • can identify G1=G2=G ψ If need hash onto G2, • E(Fp)[r] = G1 take G2 = E(Fpk)[r] Assumptions in paring-based crypto • Classic, e.g., • DBDH: given g, ga, gb, gc, distinguish abc e(g,g) from random in GT • Baroque, e.g., k-BDHI, k-SDH (see later) • Decadent, e.g., Gaining confidence in assumptions 1. Show that they hold unconditionally (assuming, say, P≠NP) 2. Try to break them, consider observed hardness (e.g., factoring, discrete log) 3.
    [Show full text]
  • 24 Divisors and the Weil Pairing
    18.783 Elliptic Curves Spring 2017 Lecture #24 05/10/2017 24 Divisors and the Weil pairing In this lecture we address a completely new topic, the Weil Pairing, which has many practical and theoretical applications. In order to define the Weil pairing we first need to expand our discussion of the function field of a curve from Lecture 5. This requires a few basic results from commutative algebra and algebraic geometry that we will not take the time to prove; almost everything we need it is summarized in the first two chapters of Silverman’s book [6], which I recommend reviewing if you have not seen this material before. 24.1 Valuations on the function field of a curve Let C=k be a smooth projective curve defined by a homogeneous polynomial fC (x; y; z) = 0 that (as always) we assume is irreducible over k¯.1 In order to simplify the presentation, we are going to assume in this section that k = k¯ is algebraically closed, but we will note in remarks along the way how to handle non-algebraically closed (but still perfect) fields. In Lecture 5 we defined the function field k(C) as the field of rational functions g=h, where g; h 2 k[x; y; z] are homogeneous polynomials of the same degree with h 62 (fC ), modulo the equivalence relation g1 g2 ∼ () g1h2 − g2h1 2 (fC ): h1 h2 1 Alternatively, we can view the function g=h as a rational map (g : h) from C to P . Our assumption that C is smooth implies that this rational map is actually a morphism, meaning that it is defined at every point P 2 C(k¯); this was stated as Theorem 5.10 and we will 1 prove it below.
    [Show full text]
  • Elementary Group-Theoretic Approach to Pairings∗
    Elementary group-theoretic approach to pairings∗ Nadia EL Mrabet1 and Laurent Poinsot2,3 1 SAS-CMP, École des Mines, 13120 Gardanne, France [email protected] 2 LIPN, CNRS (UMR 7030), University Paris 13, Sorbonne Paris Cité, 93140 Villetaneuse, France 3 Secondary adress: CReA, French Air Force Academy, Base aérienne 701, 13361 Salon de Provence, France [email protected] Abstract Pairing-based cryptography offers an interesting option for the development of new protocols. In practice the pairings are defined over elliptic curves. This contribution is an analysis of these objects in a more general setting. A pair of finite abelian groups is called “pairing admissible” if there exists a non-degenerate bilinear map, called a “pairing”, from the product of these groups to a third one. Using some elementary group-theory, as a main result is proved that two abelian groups are pairing admissible if, and only if, the canonical bilinear map to their tensor product is itself a pairing, if and only if, they share the same exponent. One also observes that being pairing admissible is an equivalence relation among the class of all finite abelian groups, and one proves that the corresponding quotient set admits a structure of a semilattice isomorphic to that of positive integers under divisibility. Mathematics Subject Classification (2010) 20K01, 15A69, 11E39 1998 ACM Subject Classification G.2 Discrete Mathematics, E.3 Data Encryption Keywords and phrases Pairing, finite abelian group, tensor product, primary decomposition. Digital Object Identifier 10.4230/LIPIcs... 1 Introduction A pairing f : A × B → C, where A, B, C, are finite abelian groups, is a non-degenerate bilinear map (see Section 2).
    [Show full text]
  • NONCOMMUTATIVE RINGS Michael Artin
    NONCOMMUTATIVE RINGS Michael Artin class notes, Math 251, Berkeley, fall 1999 I began writing notes some time after the semester began, so the beginning of the course (diamond lemma, Peirce decomposition, density and Wedderburn theory) is not here. Also, the first chapter is sketchy and unreadable. The remaining chapters, though not in good shape, are a fair record of the course except for the last two lectures, which were on graded algebras of GK dimension two and on open problems. I. Morita equivalence 1. Hom 3 2. Bimodules 3 3. Projective modules 4 4. Tensor products 5 5. Functors 5 6. Direct limits 6 7. Adjoint functors 7 8. Morita equivalence 10 II. Localization and Goldie's theorem 1. Terminology 13 2. Ore sets 13 3. Construction of the ring of fractions 15 4. Modules of fractions 18 5. Essential submodules and Goldie rank 18 6. Goldie's theorem 20 III. Central simple algebras and the Brauer group 1. Tensor product algebras 23 2. Central simple algebras 25 3. Skolem-Noether theorem 27 4. Commutative subfields of central simple algebras 28 5. Faithful flatness 29 6. Amitsur complex 29 7. Interlude: analogy with bundles 32 8. Characteristic polynomial for central simple algebras 33 9. Separable splitting fields 35 10. Structure constants 36 11. Smooth maps and idempotents 37 12. Azumaya algebras 40 13. Dimension of a variety 42 14. Background on algebraic curves 42 15. Tsen's theorem 44 1 2 IV. Maximal orders 1. Lattices and orders 46 2. Trace pairing on Azumaya algebras 47 3. Separable algebras 49 4.
    [Show full text]
  • Random Maximal Isotropic Subspaces and Selmer Groups
    RANDOM MAXIMAL ISOTROPIC SUBSPACES AND SELMER GROUPS BJORN POONEN AND ERIC RAINS Abstract. We rst develop a notion of quadratic form on a locally compact abelian group. Under suitable hypotheses, we construct a probability measure on the set of closed maximal isotropic subspaces of a locally compact quadratic space over . A random subspace Fp chosen with respect to this measure is discrete with probability 1, and the dimension of its intersection with a xed compact open maximal isotropic subspace is a certain nonnegative- integer-valued random variable. We then prove that the p-Selmer group of an elliptic curve is naturally the intersection of a discrete maximal isotropic subspace with a compact open maximal isotropic subspace in a locally compact quadratic space over . By modeling the rst subspace as being random, Fp we can explain the known phenomena regarding distribution of Selmer ranks, such as the theorems of Heath-Brown and Swinnerton-Dyer for 2-Selmer groups in certain families of quadratic twists, and the average size of 2- and 3-Selmer groups as computed by Bhargava and Shankar. The only distribution on Mordell-Weil ranks compatible with both our random model and Delaunay's heuristics for p-torsion in Shafarevich-Tate groups is the distribution in which 50% of elliptic curves have rank 0, and 50% have rank 1. We generalize many of our results to abelian varieties over global elds. Along the way, we give a general formula relating self cup products in cohomology to connecting maps in nonabelian cohomology, and apply it to obtain a formula for the self cup product associated to the Weil pairing.
    [Show full text]
  • Report on Pairing-Based Cryptography
    Volume 120 (2015) http://dx.doi.org/10.6028/jres.120.002 Journal of Research of the National Institute of Standards and Technology Report on Pairing-based Cryptography Dustin Moody, Rene Peralta, Ray Perlner, Andrew Regenscheid, Allen Roginsky, and Lily Chen National Institute of Standards and Technology, Gaithersburg, MD 20899 [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] This report summarizes study results on pairing-based cryptography. The main purpose of the study is to form NIST’s position on standardizing and recommending pairing-based cryptography schemes currently published in research literature and standardized in other standard bodies. The report reviews the mathematical background of pairings. This includes topics such as pairing-friendly elliptic curves and how to compute various pairings. It includes a brief introduction to existing identity-based encryption (IBE) schemes and other cryptographic schemes using pairing technology. The report provides a complete study of the current status of standard activities on pairing-based cryptographic schemes. It explores different application scenarios for pairing-based cryptography schemes. As an important aspect of adopting pairing-based schemes, the report also considers the challenges inherent in validation testing of cryptographic algorithms and modules. Based on the study, the report suggests an approach for including pairing-based cryptography schemes in the NIST cryptographic toolkit. The report also outlines several questions that will require further study if this approach is followed. Key words: IBE; identity-based encryption; pairing-based cryptography; pairings. Accepted: January 21, 2015 Published: February 3, 2015 http://dx.doi.org/10.6028/jres.120.002 1.
    [Show full text]