|
|
\documentclass{article}\usepackage[utf8]{inputenc}\usepackage{amsfonts}\usepackage{amsthm}\usepackage{amsmath}\usepackage{amssymb}\usepackage{mathtools}\usepackage{enumerate}\usepackage{hyperref}\hypersetup{ colorlinks, citecolor=black, filecolor=black, linkcolor=black, urlcolor=blue}% \usepackage{xcolor}
% prevent warnings of underfull \hbox:
% \usepackage{etoolbox}
% \apptocmd{\sloppy}{\hbadness 4000\relax}{}{}
\theoremstyle{definition}\newtheorem{definition}{Def}[section]\newtheorem{theorem}[definition]{Thm}\newtheorem{innersolution}{}\newenvironment{solution}[1]{\renewcommand\theinnersolution{#1}\innersolution}{\endinnersolution}
\title{Weil Pairing - study}\author{arnaucube}\date{August 2022}
\begin{document}
\maketitle
\begin{abstract} Notes taken from \href{https://sites.google.com/site/matanprasma/artifact}{Matan Prsma} math seminars and also while reading about Bilinear Pairings. Usually while reading papers and books I take handwritten notes, this document contains some of them re-written to $LaTeX$.
The notes are not complete, don't include all the steps neither all the proofs. I use these notes to revisit the concepts after some time of reading the topic.\end{abstract}
\tableofcontents
\section{Divisors and rational functions}
\begin{definition}{Divisor} $$D= \sum_{P \in E(\mathbb{K})} n_p \cdot [P]$$\end{definition}
\begin{definition}{Degree \& Sum} $$deg(D)= \sum_{P \in E(\mathbb{K})} n_p$$ $$sum(D)= \sum_{P \in E(\mathbb{K})} n_p \cdot P$$\end{definition}
\begin{definition}{Principal divisor} iff $deg(D)=0$ and $sum(D)=0$\end{definition}$D \sim D'$ iff $D - D'$ is principal.
\begin{definition}{Evaluation of a rational function} $$r(D)= \prod r(P)^{n_p}$$\end{definition}
\section{Weil reciprocity}\begin{theorem}{(Weil reciprocity)} Let $E/ \mathbb{K}$ be an e.c. over an alg. closed field. If $r,~s \in \mathbb{K}\setminus \{0\}$ are rational functions whose divisors have disjoint support, then$$r(div(s)) = s(div(r))$$\end{theorem}Proof. (todo)
\section{Generic Weil Pairing}Let $E(\mathbb{K})$, with $\mathbb{K}$ of char $p$, $n$ s.t. $p \nmid n$.
$\mathbb{K}$ large enough: $E(\mathbb{K})[n] = E(\mathbb{\overline{K}}) = \mathbb{Z}_n \oplus \mathbb{Z}_n$ (with $n^2$ elements).
For $P, Q \in E[n]$,\begin{align*} D_P &\sim [P] - [0]\\ D_Q &\sim [Q] - [0]\end{align*}
We need them to have disjoint support:\begin{align*} D_P &\sim [P] - [0]\\ D_Q' &\sim [Q+T] - [T]\end{align*}
$$\Delta D = D_Q - D_Q' = [Q] - [0] - [Q+T] + [T]$$
Note that $n D_P$ and $n D_Q$ are principal. Proof:\begin{align*} n D_P &= n [P] - n [O]\\ deg(n D_P) &= n - n = 0\\ sum(n D_P) &= nP - nO = 0\end{align*}($nP = 0$ bcs. $P$ is n-torsion)
Since $n D_P,~ n D_Q$ are principal, we know that $f_P,~ f_Q$ exist.
Take\begin{align*} f_P &: div(f_P) = n D_P\\ f_Q &: div(f_Q) = n D_Q\end{align*}
We define$$
e_n(P, Q) = \frac{f_P(D_Q)}{f_Q(D_P)}$$
Remind: evaluation of a rational function over a divisor $D$:\begin{align*} D &= \sum n_P [P]\\ r(D) &= \prod r(P)^{n_P}\end{align*}
If $D_P = [P+S] - [S],~~ D_Q=[Q-T]-[T]$ what is $e_n(P, Q)$?
\begin{align*} f_P(D_Q) &= f_P(Q+T)^1 \cdot f_P(T)^{-1}\\ f_Q(D_P) &= f_Q(P+S)^1 \cdot f_Q(S)^{-1}\end{align*}
$$
e_n(P, Q) = \frac{f_P(Q+T)}{f_P(T)} / \frac{f_Q(P+S)}{f_Q(S)}$$
with $S \neq \{O, P, -Q, P-Q \}$.
\section{Properties}
\section{Exercises}\emph{An Introduction to Mathematical Cryptography, 2nd Edition} - Section 6.8. Bilinear pairings on elliptic curves
\begin{solution}{6.29} $div(R(x) \cdot S(x)) = div( R(x)) + div( S(x))$, where $R(x), S(x)$ are rational functions. \\proof:\\ \emph{Norm} of $f$: $N_f = f \cdot \overline{f}$, and we know that $N_{fg} = N_f \cdot N_g~\forall~\mathbb{K}[E]$,\\ then $$deg(f) = deg_x(N_f)$$\\ and $$deg(f \cdot g) = deg(f) + deg(g)$$
Proof: $$deg(f \cdot g) = deg_x(N_{fg}) = deg_x(N_f \cdot N_g)$$ $$= deg_x(N_f) + deg_x(N_g) = deg(f) + deg(g)$$
So, $\forall P \in E(\mathbb{K}),~ ord_P(rs) = ord_P(r) + ord_P(s)$.\\ As $div(r) = \sum_{P\in E(\mathbb{K})} ord_P(r)[P]$, $div(s) = \sum ord_P(s)[P]$.
So, $$div(rs) = \sum ord_P(rs)[P]$$ $$= \sum ord_P(r)[P] + \sum ord_P(s)[P] = div(r) + div(s)$$\end{solution}
\vspace{0.5cm}
\begin{solution}{6.31} $$e_m(P, Q) = e_m(Q, P)^{-1} \forall P, Q \in E[m]$$ Proof: We know that $e_m(P, P) = 1$, so: $$1 = e_m(P+Q, P+Q) = e_m(P, P) \cdot e_m(P, Q) \cdot e_m(Q, P) \cdot e_m(Q, Q)$$
and we know that $e_m(P, P) = 1$, then we have: $$1 = e_m(P, Q) \cdot e_m(Q, P)$$ $$\Longrightarrow e_m(P, Q) = e_m(Q, P)^{-1}$$\end{solution}
\end{document}
|
