Search Results

You are looking at 1 - 10 of 17 items :

  • "Tate pairing" x
  • Numerical and Computational Mathematics x
Clear All

Abstract

This paper proposes the computation of the Tate pairing, Ate pairing and its variations on the special Jacobi quartic elliptic curve Y2=dX4+Z4. We improve the doubling and addition steps in Miller's algorithm to compute the Tate pairing. We use the birational equivalence between Jacobi quartic curves and Weierstrass curves, together with a specific point representation to obtain the best result to date among curves with quartic twists. For the doubling and addition steps in Miller's algorithm for the computation of the Tate pairing, we obtain a theoretical gain up to 27% and 39%, depending on the embedding degree and the extension field arithmetic, with respect to Weierstrass curves and previous results on Jacobi quartic curves. Furthermore and for the first time, we compute and implement Ate, twisted Ate and optimal pairings on the Jacobi quartic curves. Our results are up to 27% more efficient compared to the case of Weierstrass curves with quartic twists.

this pairing in cryptographic applications. Keywords. Tate pairing, Weil pairing, self-pairing, pairing based cryptography. 2010 Mathematics Subject Classification. 14G50, 11T71, 11G20, 14Q05. 1 Introduction A pairing is a non-degenerate bilinear map e W G1 G2 7! GT where G1;G2;GT are cyclic groups of prime order r (the first two are usually written additively, and the third multiplicatively). Such groups are found from elliptic or hyperelliptic curves and the pairing is usually the Tate–Lichtenbaum pairing or one of its variants. Pairings have found many

-adic representation, 9 Perrin-Riou's "logarithme elargi", 165 pseudo-isomorphism of lwasawa mod- ules, 40 pseudo-null lwasawa module, 40 representation, p-adic, 9 rigidity, 176 Selmer group, 21 Selmer group of an abelian variety, 27 Selmer sequence, 132 semilocal Galois cohomology, 93, 202 singular cohomology classes, 14 Stickelberger element, 56 symmetric square of an elliptic curve, 73, 170 Tate pairing, 18 Teichmiiller character, 54 Thaine, Francisco, 3 twist (by arbitrary characters), 123 twist (by characters of finite order), 44 twisting homomorphism, 119

cohomology groups. In §1.4 we state without proof the results we need concerning the Tate pair- ing on local cohomology groups, and we study how our special subgroups behave with respect to this pairing. In §1.5 and §1.6 we define Selmer groups and give the basic examples of ideal class groups and Selmer groups of elliptic curves and abelian varieties. Then in §1.7, using Poitou-Tate global duality and the local orthogonality results from §1.4, we derive our main tool (Theorem 1.7.3) for bounding the size of Selmer groups. 1.1. p-adic Representations Definition 1

commutative diagram in which all the maps are isomorphisms where AE is the formal group logarithm, and the bottom right isomorphism is defined in [T3] Theorem 4.2. Using these identifications we will also view AE as a homomorphism from E(Qn,p) to Qn,p· Since V !::! V*, the local Tate pairing gives the second isomorphism in Hom(E(Qn,p), Qp) !::! Hom(H}(Qn,p, V), Qp) !::! H!(Qn,p, V). Thus there is a dual exponential map (see [Kal] §11.1.2) expE; : H!(Qn,p, V) ~ Cotan(E;Qn,p) = Qn,pWE. Write exp~E : Hi (Qn,p, V) ~ Qn,p for the composition wE; o expE;. Since Hi

conse- quence, pairings became very popular in asymmetric cryptography and computing RNS in Fpk and pairings 65 them as fast as possible is very important. Let us first briefly recall the state of the art in this field and then explain how an RNS arithmetic can be helpful. 4.2 The Tate pairing The most popular pairing used in cryptography is the Tate pairing. We present it here in a simplified and reduced form because it is the one usually used in cryp- tographic applications. More details and generalities can be found in [16, 23]. In this paper we assume that E is an

group of points of order r defined over the ground field Fq. Hence, we consider a non-degenerate bilinear pairing of the form e : E(Fq)[r]× E(Fq)[r]→ µr ⊆ F∗qk . We may obtain such a pairing from the Weil pairing [20] or Tate pairing [9] twisted by an endomorphism ψ called a distortion map [21, 22]. For example, if the Tate pairing is used then we define e(P,Q) = fr,P (ψ(Q))(q k−1)/r where fr,P is a function on E with divisor (fr,P ) = r(P ) − r(0) (see [4] or [6] for more details about pairings). The value fr,P (ψ(Q)) may be computed using Miller’s algorithm [16]. 2

for each n > 0. Let r be a prime dividing #Jac(C)(Fq) and coprime to p. We define the embedding degree to be the smallest positive integer k such that r divides qk − 1; note that Fqk is the field generated over Fq by adjoining the group µr of rth roots of unity in Fq. Throughout, er : Jac(C)[r]× Jac(C)[r]→ µr ⊂ F∗qk denotes a non-degenerate, bilinear, and Galois-invariant pairing on Jac(C)[r], such as the Weil pairing or the reduced Tate pairing; we refer the reader to [1, 2, 8, 7, 16, 17] for details on pairings and pairing-based cryptography. An elliptic curve E

–Rück attack and MOV attack use the Tate pairing and Weil pairing, respectively, to map the discrete logarithm problem on the curve’s Jaco- bian defined over Fq to the discrete logarithm in the multiplicative group of the exten- 20 Laura Hitt sion field Fqk , for some integer k, where there are more efficient methods for solving the DLP. This extension degree k is known as the embedding degree. We will say a curve C has embedding degree k with respect to an integer N if and only if a subgroup of order N of its Jacobian JC does. So for pairing-based cryptosystems, it is impor

http://arxiv.org/abs/1409.0846 [11] E. Fouvry and H. Iwaniec, Gaussian primes, Acta Arith. 79 (1997), no. 3, 249–287. 10.4064/aa-79-3-249-287 Fouvry E. Iwaniec H. Gaussian primes Acta Arith. 79 1997 3 249 287 [12] G. Frey, M. Müller and H.-G. Rück, The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems, IEEE Trans. Inform. Theory 45 (1999), no. 5, 1717–1719. 10.1109/18.771254 Frey G. Müller M. Rück H.-G. The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems IEEE Trans. Inform. Theory 45 1999 5 1717