Cryptographic Applications of the Weil Pairing Travis Scholl January 11, 2019 Abstract In this talk we will introduce the Weil pairing on an elliptic curve and give several cryptographic applications. We will review the argument of Boneh and Silverberg which suggests that this kind of pairing does not exist naturally on higher dimensional varieties. We will also look at some constructions of pairing-friendly elliptic curves. Contents 1 Introduction 1 2 Background 2 2.1 Divisors . .2 2.2 Elliptic Curves . .2 2.3 Torsion Points . .3 3 Weil Pairing 3 4 Computing the Weil Pairing 4 5 Obstructions To Generalizations 6 5.1 Tensor Products . .6 5.2 Galois Equivariance . .6 6 Pairing Friendly Curves 7 1 Introduction Last time we introduced the notion of a cryptographic multilinear map. This is a k-linear map of the form e : G1 × · · · × G1 ! G2; where G1 and G2 are cyclic groups of prime order `. We require that: 1. Products and inverses in Gi are easy to compute. 1 2. The map e is easy to compute. 3. The DLP in G1 is hard to compute. Remark 1. If the DLP in G1 is hard, then the DLP is G2 must also be hard. This is because, using e, we can transfer any instance of the DLP from G1 to a a an instance of the DLP for G2 as e(g; ··· ; g ) = e(g; : : : ; g) . Last time we also showed that multilinear maps have many applications: multiparty key exchange, short signatures, and broadcast encryption. The main open problem about cryptographic multilinear maps is to find one with k ≥ 3. The only known example of a cryptographic multilinear map is the Weil pairing on an elliptic curve, which has k = 2. The main goal of this talk is to introduce the Weil pairing and argue that it does not generalize. We will also give examples of constructing \pairing-friendly" elliptic curves. 2 Background 2.1 Divisors Let C be a smooth curve over a field F . Recall that div(C) is the free abelian P group on the set of points C(F ). So D 2 div(C) looks like D = nP [P ] where P the sum is over all points P 2 C(F ). The degree of D is deg D = nP . The set of degree 0 divisors is div0(E). For a function f 2 F (C), we let div f = P P OrdP (f)[P ]. A divisor D is principle if D = div f for some f. Example 2. Let C : y = 0. Then f = x is a function on C. Note that div f = [(0; 0)]−[1], where 1 is the point at infinity, or in projective coordinates it is (1 : 0 : 0). Example 3. Let E : y2 = x3 − x. Then f = x is a function on E. One can show1 that div f = 2[(0; 0)] − 2[0], where 0 is the point at infinity, i.e. the zero element on the elliptic curve E. In projective coordinates, 0 corresponds to (0 : 1 : 0). This is the same for any short Weirstrass equation. The Picard group Pic0(C) is defined by the exact (this needs to be proved) sequence: × 1 ! F ! F (C)× ! div0(C) ! Pic0(C) ! 0: This is similar to the ideal class group for number fields K=Q, × × 1 !OK ! K ! ffraction idealsg ! fclassgroupg ! 0: 2.2 Elliptic Curves Let E be an elliptic curve over a field F . 1See the exercises in chapter 6 of [HPS14]. 2 Theorem 4 ([Sil09, Prop. III.3.4]). The map sending P 2 E(F ) to the divisor [P ] − [0] 2 div0(E) induces an isomorphism E(F ) =∼ Pic0(E). Corollary 5. A divisor D 2 div(E) is principle if and only if deg D = 0 and P nP P = 0 where the sum is taken in the group E(F ). P P Definition 6. The sum of a divisor D = nP [P ] is Sum(D) = nP P . 2.3 Torsion Points Let m 2 Z be coprime to the characteristic of F . Recall that E[m] =∼ Z=mZ × Z=mZ, where E[m] = P 2 E(F ): mP = 0 . Our goal is to come up with a bilinear pairing on E[m]. Since E[m] has rank 2, there is a \natural" pairing coming from the determinate. Fix a basis fR; Sg of E[m] and define det : E[m] × E[m] ! Z=mZ by a b det(P; Q) = det(aR + bS; cR + dS) = = ad − bc: c d This has two issues: 1. It is not independent of the basis. 2. It may not be Galois invariant, i.e. det(σ(P ); σ(Q)) may not be σ(det(P; Q)) (where σ acts on Z=mZ trivially). Both of these issues suggest that this value may not admit a nice formula. In fact, the only way we now how to find a; b; c; d is by computing discrete logs. To fix these issues, we will modify the pairing to be a map from E[m] × ad−bc E[m] ! µm(F ). Essentially, we choose em(P; Q) = ζ for some ζ 2 µm(F ). 3 Weil Pairing P 0 Let D = nP [P ] 2 div (E) and f 2 F (E). If the supports of D and div f are disjoint, then we define f(D) = Q f(P )nP . Lemma 7. f(D) depends only on div f. × Proof. If div g = div f, then g = af for some a 2 F . Note that Q anP = adeg D = 1 because D 2 div0(E). 0 Let P 2 E[m] and DP 2 div (E) such that Sum(DP ) = P . Because mP = 0, it follows that mDP is principal. Choose fP such that div fP = mDP . Now let Q 2 E[m] and choose DQ and fQ similarly. We may assume that DP is disjoint from DQ. For example, we can choose X; Y 2 E(F ) at random and use DP = [P + X] − [X]; and DQ = [Q + Y ] − [Y ]: These divisors are likely to be disjoint. 3 Definition 8. The Weil pairing is fP (DQ) em(P; Q) = : fQ(DP ) To show that em is well defined, we have to show that it is independent of the choice of fP , fQ, DP , and DQ. The former two follows from the fact that the value of f(D) depends only on div f. 0 0 0 Suppose DP (and fP ) is an alternate choice for DP (and fP ). Then DP −DP 0 is principle, say DP = DP + div g. Since we have already shown em(P; Q) is 0 m 0 independent of the choice of fP , we may assume fP = fP g because div fP = 0 m m mDP = mDP +m div g = div fP +div g = div fP g . Now by Weil reciprocity, m fQ(div g) = g(div fQ) = g (DQ). So m 0 fP (DQ) fP (DQ) g (DQ) fP (DQ) · 1 = · = 0 : fQ(DP ) fQ(DP ) fQ(div g) fQ(DP ) Theorem 9 ([Sil09, Prop. III.8.1]). The Weil pairing satisfies the following properties. m 1. It is in µm(F ),(em(P; Q) = 1). 2. It is bilinear, (em(P1 + P2;Q) = em(P1;Q)em(P2;Q)). −1 3. It is alternating, (em(P; Q) = em(Q; P ) ). 4. It is non-degenerate, (if em(P; Q) = 1 for all Q, then P = 0). 5. It is Galois invariant, (em(σ(P ); σ(Q)) = σ(em(P; Q))). 0 0 6. It is compatible, (emm0 (P; Q) = em(m P; Q) for P 2 E[mm ], Q 2 E[m]). Remark 10. Because em is alternating, em(P; P ) = 1. For cryptographic bilinear maps e : G1 × G1 ! G2, if g is a generator for G1, then e(g; g) should be a generator for G2. The Weil pairing does not satisfy this. However, we can fix this by using a twist. That is, we definee ~m(P; Q) = em(P; φ(Q)) for a certain endomorphism φ called a distortion map. As long as fP; φ(P )g is linearly independent,e ~m will have the desired properties. 4 Computing the Weil Pairing Our goal is to compute em(P; Q) given P and Q. Let fP ; fQ be functions with div fP = m[P ]−m[0] and div fQ = m[Q]−m[0]. Then for almost any choice of X; Y 2 E, we have fP (Q − Y )fQ(−X) em(P; Q) = : fP (−Y )fQ(P − X) To see why, note that divfR 7! fP (R − Y )g = m[P + Y ] − m[Y ], which is m times a divisor [P + Y ] − [Y ] that sums to P . 4 Remark 11. Formally what is happening is that we are using fp ◦ τ−Y where τ−Y is the translation by −Y function. This is useful because τ−Y is easy to compute. So to calculate em(P; Q) we need to solve the following problems: 1. Given P 2 E[m], find fP such that div fP = m[P ] − m[0]. 2. Evaluate fP on several points. Remark 12. Note that computing fP completely is too expensive because it in- volves polynomials of degree ≈ m. Instead, we will only compute the evaluations fP (S) for whichever points S 2 E we need. Theorem 13 ( [Sil09, Thm XI.8.1]). Let E be an elliptic curve given by a 2 3 Weirstrass equation y = x + Ax + B. Let S = (xS; yS) and T = (xT ; yT ) be point on E. Let λ denote the slope2 of the line from S to T .