The Weil Pairing Presented by J.liu
Outline Primitive Definition Theorems Computation of the pairings
Primitive (1) E is an elliptic curve over K and n is an integer not divisible by char(K) E[n] is a torsion subgroup of E(K), that is E[n] = {P E( )| nP = } E(K). Where we make a assumption that n = {x |x n = 1, x } K. Let T E[n], then there exist a function f such that div(f) = n[T]-n[ ] Note that f has zero at T with order n and has pole at with order -n.
Primitive (2) ∞ T E[n] T” T” is a coset of E[n 2 ] classify by E[n] nn E[n 2 ] E[n] with order n 4 with order n 2 Every coset has order n 2 and there are n 2 cosets If nT”=nT’= T then T”+E[n] = T’+E[n]
Primitive (3) Choose T’ E[n 2 ] such that nT’ = T then there exists a function g such that div(g) = ([T’+R]-[R]) for all R E[n]. Note that g is independent on the T”. div(g) = [T”]- [R], where nT” = T and R E[n] We have div(f 。 n) = n ([T’+R])-n [R] = div(g n ) Note that f 。 n has zeros at T” with order n and has poles at R with order –n, for all nT” = T and for all R E[n].
Primitive (4) From div(f 。 n) = div(g n ), we have f 。 n = c(g n ). Let S E[n] and P E[κ], then g(P+S) n = f(n(P+S)) = f(nP) = g(P) n. Therefore, g(P+S)/g(P) n. In fact, g(P+S)/g(P) is independent of P. (by Zariski topology?)
Definition Define the Weil pairing by e n (S, T) = g(P+S)/g(P) This definition is independent of the choose of g, and independent of the auxiliary points P. Note: e n (S, T) 計算過程為 : 先針對 T 計算 f 函數, 次而由 f 決定 g ,在此決定過程中 g 將有許多不同 的選擇,但是這些選擇並不會影響到 e n (S, T) 的 結果,因此與 g 無關。另外輔助點 P 也不影響計 算結果,這些將在後續的定理與計算中看到。 另外在此省略 Weil pairing 的性質證明。 (bilinear,…)
Theorem When n is large, the computation of Weil pairing is very difficult by the definition. Let S, T E[n] and define D s, D t as following: deg(D s ) = deg(D t ) = 0 and sum(D s ) = S, sum(D t ) = T and such that D s and D t have no points in common. div(f s ) = nD s and div(f T ) = nD T. Then e n (S, T) = f T (D S )/ f S (D T ) Where f(Σa i [P i ]) = Π i f(P i ) a i.
Compute the Weil pairing A nature choice of divisors is D S = [S]-[∞], D T = [T+R]-[R] Then we can compute
Example Let be the elliptic curve over F 7 define by y 2 = x Then E(F 7 )[3] Z 3 ⊕ Z 3 In fact, that is all of E(F 7 ). Let’s compute e 3 ((0, 3), (5, 1)) 1.Let D (0, 3) = [(0, 3)]-[∞], D (5, 1) = [(3, 6)]-[(6, 1)] Where (3, 6) = (5, 1) + (6,1) 2.We need two functions f (0, 3) and f (5, 1), such that div(f (0, 3) ) = 3D (0, 3) and div(f (5, 1) ) = 3D (5, 1)
Example 3.All the tangent lines of the points P on E(F 7 ) have divisors 3[P]-3[∞]. 4.Then div(y-3) = 3[(0, 3)]-3[∞] = 3D (0, 3), div(4x- y+1) = 3[(3, 6)]-3[∞] and div(5x-y-1) = 3[(6, 1)]-3[∞]. Then div((4x-y+1)/(5x-y-1)) = 3[(3, 6)]-3[∞]- (3[(6, 1)]-3[∞]) = 3[(3, 6)]-3[(6, 1)] = 3D (5, 1)
Example
Miller’s algorithm As we seen above, both of the computing of Weil pairing and Tate pairing can reduce to finding a function a function f with div(f) = n[P+R]-n[R] for points P E[n] and R E and evaluating f(Q 1 )/f(Q 2 ) Note that, we omit Tate pairing here because the Galois cohomology theorem is too hard.
Basic idea Define D j = j[P+R]-j[R]-[jP]+[∞]. –Note that, we can’t define D j = j[P+R]-j[R]. We can find a function f j such that div(f j ) = D j. Miller’s Algo. can compute f j+k (Q 1 )/f j+k (Q 2 ) by f j (Q 1 )/f j (Q 2 ) and f k (Q 1 )/f k (Q 2 ) as following: –Let ax+by+c = 0 be the line through jP and kP. –Let x+d = 0 be the vertical line through (j+k)P.
Miller’s algorithm (1) Define v j = f j (Q 1 )/f j (Q 2 ) then we have v j+k = v j ×v k ×(L 1 /L 2 (Q 1 ))/(L 1 /L 2 (Q 2 )) where, L 1 is the line through jP and kP L 2 is the vertical line through (j+k)P and -(j+K)P Used the successive doubling to get v n. Start with i=n, j=0, k=1, v 0 =1, v 1 =f 1 (Q 1 )/f 1 (Q 2 ), where div(f 1 ) = [P+R]-[P]- [R]+[∞].
Miller’s algorithm (2) 1.If i is even then compute v 2k =v j 2 ×(G(Q 1,Q 2 )) i = i/2, k = 2k, j = j save (v j, v k ). 2.If i is odd then compute v j+k =v j ×v k ×… i = i-1, k = k, j = j+k save (v j, v k ). 3.If i≠0 then go to 1. else output v j
Example: compute v 13 1.i = 13, j = 0, k = 1, (v 0, v 1 ).[1101] 2.i = 12, j = 1, k = 1, (v 1, v 1 ).[1100] 3.i = 6, j = 1, k = 2, (v 1, v 2 ).[110] 4.i = 3, j = 1, k = 4, (v 1, v 4 ).[11] 5.i = 2, j = 5, k = 4, (v 5, v 4 ).[10] 6.i = 1, j = 5, k = 8, (v 5, v 8 ).[1] 7.i = 0, j = 13, k = 8, (v 13, v 8 ).[0] Note: there are 5 point adding operations, that is ((numbers of 1)-1)×2+numbers of 0+(0 or 1){0 for right-most bit is 1}
Example E: y 2 =x 3 -x+1 over F 11, n = 5, P = (3,6) with order 5. Let’s compute 5. D P =[(3, 6)]-[∞], D Q =[(1,1)]-[0,1]=[Q 1 ]-[Q 2 ], where R = (0,1) then P+R = (1,1). We use the algorithm to compute f P (D Q ), where div(f P ) = 5D P. We have T = ∞, then D 0 = D 1 = 0. Therefore, f 0 =f 1 =1.