|
|
\documentclass{article}\usepackage[utf8]{inputenc}\usepackage{amsfonts}\usepackage{amsthm}\usepackage{amsmath}\usepackage{amssymb}\usepackage{mathtools}\usepackage{enumerate}\usepackage{hyperref}\hypersetup{ colorlinks, citecolor=black, filecolor=black, linkcolor=black, urlcolor=blue}% \usepackage{xcolor}
% prevent warnings of underfull \hbox:
% \usepackage{etoolbox}
% \apptocmd{\sloppy}{\hbadness 4000\relax}{}{}
\theoremstyle{definition}\newtheorem{definition}{Def}[section]\newtheorem{theorem}[definition]{Thm}\newtheorem{innersolution}{}\newenvironment{solution}[1]{\renewcommand\theinnersolution{#1}\innersolution}{\endinnersolution}
\title{Weil Pairing - study}\author{arnaucube}\date{August 2022}
\begin{document}\maketitle
\begin{abstract} Notes taken from \href{https://sites.google.com/site/matanprasma/artifact}{Matan Prasma} math seminars and also while reading about Bilinear Pairings. Usually while reading papers and books I take handwritten notes, this document contains some of them re-written to $LaTeX$.
The notes are not complete, don't include all the steps neither all the proofs. I use these notes to revisit the concepts after some time of reading the topic.\end{abstract}
\tableofcontents
\section{Rational functions}
Let $E/\Bbbk$ be an elliptic curve defined by: $y^2 = x^3 + Ax + B$.
\paragraph{set of polynomials over $E$:}$\Bbbk[E] := \Bbbk[x,y] / (y^2 - x^3 - Ax - B =0)$
we can replace $y^2$ in the polynomial $f \in \Bbbk[E]$ with $x^3 + Ax + B$
\paragraph{canonical form:} $f(x,y) = v(x)+y w(x)$ for $v, w \in \Bbbk[x]$\paragraph{conjugate:} $\overline{f} = v(x) - y w(x)$\paragraph{norm:} $N_f = f \cdot \overline{f} = v(x)^2 - y^2 w(x)^2 = v(x)^2 - (x^3 + Ax + B) w(x)^2 \in \Bbbk[x] \subset \Bbbk[E]$
we can see that $N_{fg} = N_f \cdot N_g$
\paragraph{set of rational functions over $E$:}$\Bbbk(E) := \Bbbk[E] \times \Bbbk[E]/ \thicksim$
For $r\in \Bbbk(E)$ and a finite point $P \in E(\Bbbk)$, $r$ is \emph{finite} at $P$ iff$$\exists~ r=\frac{f}{g} ~\text{with}~ f,g \in \Bbbk[E],~ s.t.~ g(P) \neq 0$$We define $r(P)=\frac{f(P)}{g(P)}$. Otherwise, $r(P)=\infty$.
Remark: $r=\frac{f}{g} \in \Bbbk(E)$, $r=\frac{f}{g}=\frac{f \cdot \overline{g}}{g \cdot \overline{g}} = \frac{f \overline{g}}{N_g}$, thus$$r(x,y)=\frac{ (f \overline{g})(x,y)}{N_g(x,y)} = \underbrace{ \frac{v(x)}{N_g(x)} + y \frac{w(x)}{N_g(x)} }_\text{canonical form of $r(x,y)$}$$
\paragraph{degree of $f$:} Let $f\in \Bbbk[E]$, in canonical form: $f(x,y) = v(x) + y w(x)$,$$deg(f) := max\{ 2 \cdot deg_x(v), 3+2 \cdot deg_x(w) \}$$
For $f,g \in \Bbbk[E]$:\begin{enumerate}[i.] \item $deg(f) = deg_x(N_f)$ \item $deg(f \cdot g) = deg(f) + deg(g)$\end{enumerate}
\begin{definition} Let $r=\frac{f}{g} \in \Bbbk(E)$ \begin{enumerate}[i.] \item if $deg(f) < deg(g):~ r(0)=0$ \item if $deg(f) > deg(g):~ r ~\text{is not finite at}~ 0$ \item if $deg(f) = deg(g)$ with $deg(f)$ even:\\ $f$'s canonical form leading terms $ax^d$\\ $g$'s canonical form leading terms $bx^d$\\ $a,b \in \Bbbk^\times,~ d=\frac{deg(f)}{2}$, set $r(0)=\frac{a}{b}$ \item if $deg(f) = deg(g)$ with $deg(f)$ odd\\ $f$'s canonical form leading terms $ax^d$\\ $g$'s canonical form leading terms $bx^d$\\ $a,b \in \Bbbk^\times,~ deg(f)=deg(g)=3+2d$, set $r(0)=\frac{a}{b}$ \end{enumerate}\end{definition}
\subsection{Zeros, poles, uniformizers and multiplicities}
$r \in \Bbbk(E)$ has a \emph{zero} in $P\in E$ if $r(P)=0$\\$r \in \Bbbk(E)$ has a \emph{pole} in $P\in E$ if $r(P)$ is not finite.
\paragraph{uniformizer:} Let $P\in E$,uniformizer: rational function $u \in \Bbbk(E)$ with $u(P)=0$ if$\forall r\in \Bbbk(E) \setminus \{0\},~ \exists d \in \mathbb{Z},~ s\in \Bbbk(E)$ finite at $P$ with $s(P) \neq 0$ s.t.$$r=u^d \cdot s$$
\paragraph{order:} Let $P \in E(\Bbbk)$, let $u \in \Bbbk(E)$ be a uniformizer at $P$.For $r \in \Bbbk(E) \setminus \{0\}$ being a rational function with $r=u^d \cdot s$ with $s(P)\neq 0, \infty$, we say that $r$ has \emph{order} $d$ at $P$ ($ord_P(r)=d$).
\paragraph{multiplicity:} \emph{multiplicity of a zero} of $r$ is the order of $r$ at that point, \emph{multiplicity of a pole} of $r$ is the order of $r$ at that point.
if $P \in E(\Bbbk)$ is neither a zero or pole of $r$, then $ord_P(r)=0$ ($=d,~ r=u^0s$).
\vspace{0.5cm}\begin{minipage}{4.3 in} \paragraph{Multiplicities, from the book "Elliptic Tales"} (p.69), to provide intuition
Factorization into \emph{linear factors}: $p(x)=c\cdot (x-a_1) \cdots (x-a_d)$\\ $d$: degree of $p(x)$, $a_i \in \Bbbk$\\ Solutions to $p(x)=0$ are $x=a_1, \ldots, a_d$ (some $a_i$ can be repeated)\\ eg.: $p(x)=(x-1)(x-1)(x-3)$, solutions to $p(x)=0:~ 1, 1, 3$\\ $x=1$ is a solution to $p(x)=0$ of \emph{multiplicity} 2.
The total number of solutions (counted with multiplicity) is $d$, the degree of the polynomial whose roots we are finding.\end{minipage}
\section{Divisors}
\begin{definition}{Divisor} $$D= \sum_{P \in E(\Bbbk)} n_p \cdot [P]$$\end{definition}
\begin{definition}{Degree \& Sum} $$deg(D)= \sum_{P \in E(\Bbbk)} n_p$$ $$sum(D)= \sum_{P \in E(\Bbbk)} n_p \cdot P$$\end{definition}
The set of all divisors on $E$ forms a group: for $D = \sum_{P\in E(\Bbbk)} n_P[P]$ and $D' = \sum_{P\in E(\Bbbk)} m_P[P]$,$$D+D' = \sum_{P\in E(\Bbbk)} (n_P + m_P)[P]$$
\begin{definition}{Associated divisor} $$div(r) = \sum_{P \in E(\Bbbk)} ord_P(r)[P]$$\end{definition}
Observe that\begin{enumerate} \item[] $div(rs) = div(r)+div(s)$ \item[] $div(\frac{r}{s}) = div(r)-div(s)$\end{enumerate}
Observe that$$\sum_{P \in E(\Bbbk)} ord_P(r) \cdot P = 0$$
\begin{definition}{Support of a divisor} $$\sum_P n_P[P], ~\forall P \in E(\Bbbk) ~\text{s.t.}~ n_P \neq 0$$\end{definition}
\begin{definition}{Principal divisor} iff $$deg(D)=0$$ $$sum(D)=0$$\end{definition}$D \sim D'$ iff $D - D'$ is principal.
\begin{definition}{Evaluation of a rational function} (function $r$ evaluated at $D$) $$r(D)= \prod r(P)^{n_p}$$\end{definition}
\section{Weil reciprocity}\begin{theorem}{(Weil reciprocity)} Let $E/ \Bbbk$ be an e.c. over an algebraically closed field. If $r,~s \in \Bbbk\setminus \{0\}$ are rational functions whose divisors have disjoint support, then$$r(div(s)) = s(div(r))$$\end{theorem}Proof. (todo)
\paragraph{Example}\begin{align*} p(x)=x^2 - 1,&~ q(x)=\frac{x}{x-2}\\ div(p)&= 1 \cdot [1] + 1 \cdot [-1] - 2 \cdot [\infty]\\ div(q)&= 1 \cdot [0] - 1 \cdot [2]\\ &\text{(they have disjoint support)}\\ p(div(q)) &= p(0)^1 \cdot p(2)^{-1}= (0^2 - 1)^1 \cdot (2^2 - 1)^{-1} = \frac{-1}{3}\\ q(div(p)) &= q(1)^1 \cdot q(-1)^1 - q(\infty)^2\\ &= (\frac{1}{1-2})^1 \cdot (\frac{-1}{-1-2})^1 \cdot (\frac{\infty}{\infty - 2})^2 = \frac{-1}{3}\end{align*}
so, $p(div(q))=q(div(p))$.
\section{Generic Weil Pairing}Let $E(\Bbbk)$, with $\Bbbk$ of char $p$, $n$ s.t. $p \nmid n$.
$\Bbbk$ large enough: $E(\Bbbk)[n] = E(\overline{\Bbbk}) = \mathbb{Z}_n \oplus \mathbb{Z}_n$ (with $n^2$ elements).
For $P, Q \in E[n]$,\begin{align*} D_P &\sim [P] - [0]\\ D_Q &\sim [Q] - [0]\end{align*}
We need them to have disjoint support:\begin{align*} D_P &\sim [P] - [0]\\ D_Q' &\sim [Q+T] - [T]\end{align*}
$$\Delta D = D_Q - D_Q' = [Q] - [0] - [Q+T] + [T]$$
Note that $n D_P$ and $n D_Q$ are principal. Proof:\begin{align*} n D_P &= n [P] - n [O]\\ deg(n D_P) &= n - n = 0\\ sum(n D_P) &= nP - nO = 0\end{align*}($nP = 0$ bcs. $P$ is n-torsion)
Since $n D_P,~ n D_Q$ are principal, we know that $f_P,~ f_Q$ exist.
Take\begin{align*} f_P &: div(f_P) = n D_P\\ f_Q &: div(f_Q) = n D_Q\end{align*}
We define$$
e_n(P, Q) = \frac{f_P(D_Q)}{f_Q(D_P)}$$
Remind: evaluation of a rational function over a divisor $D$:\begin{align*} D &= \sum n_P [P]\\ r(D) &= \prod r(P)^{n_P}\end{align*}
If $D_P = [P+S] - [S],~~ D_Q=[Q-T]-[T]$ what is $e_n(P, Q)$?
\begin{align*} f_P(D_Q) &= f_P(Q+T)^1 \cdot f_P(T)^{-1}\\ f_Q(D_P) &= f_Q(P+S)^1 \cdot f_Q(S)^{-1}\end{align*}
$$
e_n(P, Q) = \frac{f_P(Q+T)}{f_P(T)} / \frac{f_Q(P+S)}{f_Q(S)}$$
with $S \neq \{O, P, -Q, P-Q \}$.
\section{Properties}\begin{enumerate}[i.] \item $e_n(P, Q)^n = 1 ~\forall P,Q \in E[n]$\\ ($\Rightarrow~ e_n(P,Q)$ is a $n^{th}$ root of unity) \item Bilinearity $$e_n(P_1+P_2, Q) = e_n(P_1, Q) \cdot e_n(P_2, Q)$$ $$e_n(P, Q_1+Q_2) = e_n(P, Q_1) \cdot e_n(P, Q_2)$$ \emph{proof:} recall that $e_n(P,Q)=\frac{g(S+P)}{g(S)}$, then, \begin{align*} e_n(P_1, Q) &\cdot e_n(P_2, Q) = \frac{g(P_1 + S)}{g(S)} \cdot \frac{g(P_2 + P_1 + S)}{g(P_1 + S)}\\ &\text{(replace $S$ by $S+P_1$)}\\ &= \frac{g(P_2 + P_1 + S)}{g(S)} = e_n(P_1+P_2, Q) \end{align*} \item Alternating $$e_n(P, P)=1 ~\forall P\in E[n]$$ \item Nondegenerate $$\text{if}~ e_n(P,Q)=1 ~\forall Q\in E[n],~ \text{then}~ P=0$$\end{enumerate}
\section{Exercises}\emph{An Introduction to Mathematical Cryptography, 2nd Edition} - Section 6.8. Bilinear pairings on elliptic curves
\begin{solution}{6.29} $div(R(x) \cdot S(x)) = div( R(x)) + div( S(x))$, where $R(x), S(x)$ are rational functions. \\proof:\\ \emph{Norm} of $f$: $N_f = f \cdot \overline{f}$, and we know that $N_{fg} = N_f \cdot N_g~\forall~\Bbbk[E]$,\\ then $$deg(f) = deg_x(N_f)$$\\ and $$deg(f \cdot g) = deg(f) + deg(g)$$
Proof: $$deg(f \cdot g) = deg_x(N_{fg}) = deg_x(N_f \cdot N_g)$$ $$= deg_x(N_f) + deg_x(N_g) = deg(f) + deg(g)$$
So, $\forall P \in E(\Bbbk),~ ord_P(rs) = ord_P(r) + ord_P(s)$.\\ As $div(r) = \sum_{P\in E(\Bbbk)} ord_P(r)[P]$, $div(s) = \sum ord_P(s)[P]$.
So, $$div(rs) = \sum ord_P(rs)[P]$$ $$= \sum ord_P(r)[P] + \sum ord_P(s)[P] = div(r) + div(s)$$\end{solution}
\vspace{0.5cm}
\begin{solution}{6.31} $$e_m(P, Q) = e_m(Q, P)^{-1} \forall P, Q \in E[m]$$ Proof: We know that $e_m(P, P) = 1$, so: $$1 = e_m(P+Q, P+Q) = e_m(P, P) \cdot e_m(P, Q) \cdot e_m(Q, P) \cdot e_m(Q, Q)$$
and we know that $e_m(P, P) = 1$, then we have: $$1 = e_m(P, Q) \cdot e_m(Q, P)$$ $$\Longrightarrow e_m(P, Q) = e_m(Q, P)^{-1}$$\end{solution}
\end{document}
|
