\documentclass{article} \usepackage[utf8]{inputenc} \usepackage{amsfonts} \usepackage{amsthm} \usepackage{amsmath} \usepackage{amssymb} \usepackage{mathtools} \usepackage{enumerate} \usepackage{hyperref} \hypersetup{ colorlinks, citecolor=black, filecolor=black, linkcolor=black, urlcolor=blue } % \usepackage{xcolor} % prevent warnings of underfull \hbox: % \usepackage{etoolbox} % \apptocmd{\sloppy}{\hbadness 4000\relax}{}{} \theoremstyle{definition} \newtheorem{definition}{Def}[section] \newtheorem{theorem}[definition]{Thm} \newtheorem{innersolution}{} \newenvironment{solution}[1] {\renewcommand\theinnersolution{#1}\innersolution} {\endinnersolution} \title{Weil Pairing - study} \author{arnaucube} \date{August 2022} \begin{document} \maketitle \begin{abstract} Notes taken from \href{https://sites.google.com/site/matanprasma/artifact}{Matan Prasma} math seminars and also while reading about Bilinear Pairings. Usually while reading papers and books I take handwritten notes, this document contains some of them re-written to $LaTeX$. The notes are not complete, don't include all the steps neither all the proofs. I use these notes to revisit the concepts after some time of reading the topic. \end{abstract} \tableofcontents \section{Rational functions} Let $E/\Bbbk$ be an elliptic curve defined by: $y^2 = x^3 + Ax + B$. \paragraph{set of polynomials over $E$:} $\Bbbk[E] := \Bbbk[x,y] / (y^2 - x^3 - Ax - B =0)$ we can replace $y^2$ in the polynomial $f \in \Bbbk[E]$ with $x^3 + Ax + B$ \paragraph{canonical form:} $f(x,y) = v(x)+y w(x)$ for $v, w \in \Bbbk[x]$ \paragraph{conjugate:} $\overline{f} = v(x) - y w(x)$ \paragraph{norm:} $N_f = f \cdot \overline{f} = v(x)^2 - y^2 w(x)^2 = v(x)^2 - (x^3 + Ax + B) w(x)^2 \in \Bbbk[x] \subset \Bbbk[E]$ we can see that $N_{fg} = N_f \cdot N_g$ \paragraph{set of rational functions over $E$:} $\Bbbk(E) := \Bbbk[E] \times \Bbbk[E]/ \thicksim$ For $r\in \Bbbk(E)$ and a finite point $P \in E(\Bbbk)$, $r$ is \emph{finite} at $P$ iff $$\exists~ r=\frac{f}{g} ~\text{with}~ f,g \in \Bbbk[E],~ s.t.~ g(P) \neq 0$$ We define $r(P)=\frac{f(P)}{g(P)}$. Otherwise, $r(P)=\infty$. Remark: $r=\frac{f}{g} \in \Bbbk(E)$, $r=\frac{f}{g}=\frac{f \cdot \overline{g}}{g \cdot \overline{g}} = \frac{f \overline{g}}{N_g}$, thus $$r(x,y)=\frac{ (f \overline{g})(x,y)}{N_g(x,y)} = \underbrace{ \frac{v(x)}{N_g(x)} + y \frac{w(x)}{N_g(x)} }_\text{canonical form of $r(x,y)$}$$ \paragraph{degree of $f$:} Let $f\in \Bbbk[E]$, in canonical form: $f(x,y) = v(x) + y w(x)$, $$deg(f) := max\{ 2 \cdot deg_x(v), 3+2 \cdot deg_x(w) \}$$ For $f,g \in \Bbbk[E]$: \begin{enumerate}[i.] \item $deg(f) = deg_x(N_f)$ \item $deg(f \cdot g) = deg(f) + deg(g)$ \end{enumerate} \begin{definition} Let $r=\frac{f}{g} \in \Bbbk(E)$ \begin{enumerate}[i.] \item if $deg(f) < deg(g):~ r(0)=0$ \item if $deg(f) > deg(g):~ r ~\text{is not finite at}~ 0$ \item if $deg(f) = deg(g)$ with $deg(f)$ even:\\ $f$'s canonical form leading terms $ax^d$\\ $g$'s canonical form leading terms $bx^d$\\ $a,b \in \Bbbk^\times,~ d=\frac{deg(f)}{2}$, set $r(0)=\frac{a}{b}$ \item if $deg(f) = deg(g)$ with $deg(f)$ odd\\ $f$'s canonical form leading terms $ax^d$\\ $g$'s canonical form leading terms $bx^d$\\ $a,b \in \Bbbk^\times,~ deg(f)=deg(g)=3+2d$, set $r(0)=\frac{a}{b}$ \end{enumerate} \end{definition} \subsection{Zeros, poles, uniformizers and multiplicities} $r \in \Bbbk(E)$ has a \emph{zero} in $P\in E$ if $r(P)=0$\\ $r \in \Bbbk(E)$ has a \emph{pole} in $P\in E$ if $r(P)$ is not finite. \paragraph{uniformizer:} Let $P\in E$, uniformizer: rational function $u \in \Bbbk(E)$ with $u(P)=0$ if $\forall r\in \Bbbk(E) \setminus \{0\},~ \exists d \in \mathbb{Z},~ s\in \Bbbk(E)$ finite at $P$ with $s(P) \neq 0$ s.t. $$r=u^d \cdot s$$ \paragraph{order:} Let $P \in E(\Bbbk)$, let $u \in \Bbbk(E)$ be a uniformizer at $P$. For $r \in \Bbbk(E) \setminus \{0\}$ being a rational function with $r=u^d \cdot s$ with $s(P)\neq 0, \infty$, we say that $r$ has \emph{order} $d$ at $P$ ($ord_P(r)=d$). \paragraph{multiplicity:} \emph{multiplicity of a zero} of $r$ is the order of $r$ at that point, \emph{multiplicity of a pole} of $r$ is the order of $r$ at that point. if $P \in E(\Bbbk)$ is neither a zero or pole of $r$, then $ord_P(r)=0$ ($=d,~ r=u^0s$). \vspace{0.5cm} \begin{minipage}{4.3 in} \paragraph{Multiplicities, from the book "Elliptic Tales"} (p.69), to provide intuition Factorization into \emph{linear factors}: $p(x)=c\cdot (x-a_1) \cdots (x-a_d)$\\ $d$: degree of $p(x)$, $a_i \in \Bbbk$\\ Solutions to $p(x)=0$ are $x=a_1, \ldots, a_d$ (some $a_i$ can be repeated)\\ eg.: $p(x)=(x-1)(x-1)(x-3)$, solutions to $p(x)=0:~ 1, 1, 3$\\ $x=1$ is a solution to $p(x)=0$ of \emph{multiplicity} 2. The total number of solutions (counted with multiplicity) is $d$, the degree of the polynomial whose roots we are finding. \end{minipage} \section{Divisors} \begin{definition}{Divisor} $$D= \sum_{P \in E(\Bbbk)} n_p \cdot [P]$$ \end{definition} \begin{definition}{Degree \& Sum} $$deg(D)= \sum_{P \in E(\Bbbk)} n_p$$ $$sum(D)= \sum_{P \in E(\Bbbk)} n_p \cdot P$$ \end{definition} The set of all divisors on $E$ forms a group: for $D = \sum_{P\in E(\Bbbk)} n_P[P]$ and $D' = \sum_{P\in E(\Bbbk)} m_P[P]$, $$D+D' = \sum_{P\in E(\Bbbk)} (n_P + m_P)[P]$$ \begin{definition}{Associated divisor} $$div(r) = \sum_{P \in E(\Bbbk)} ord_P(r)[P]$$ \end{definition} Observe that \begin{enumerate} \item[] $div(rs) = div(r)+div(s)$ \item[] $div(\frac{r}{s}) = div(r)-div(s)$ \end{enumerate} Observe that $$\sum_{P \in E(\Bbbk)} ord_P(r) \cdot P = 0$$ \begin{definition}{Support of a divisor} $$\sum_P n_P[P], ~\forall P \in E(\Bbbk) ~\text{s.t.}~ n_P \neq 0$$ \end{definition} \begin{definition}{Principal divisor} iff $$deg(D)=0$$ $$sum(D)=0$$ \end{definition} $D \sim D'$ iff $D - D'$ is principal. \begin{definition}{Evaluation of a rational function} (function $r$ evaluated at $D$) $$r(D)= \prod r(P)^{n_p}$$ \end{definition} \section{Weil reciprocity} \begin{theorem}{(Weil reciprocity)} Let $E/ \Bbbk$ be an e.c. over an algebraically closed field. If $r,~s \in \Bbbk\setminus \{0\}$ are rational functions whose divisors have disjoint support, then $$r(div(s)) = s(div(r))$$ \end{theorem} Proof. (todo) \paragraph{Example} \begin{align*} p(x)=x^2 - 1,&~ q(x)=\frac{x}{x-2}\\ div(p)&= 1 \cdot [1] + 1 \cdot [-1] - 2 \cdot [\infty]\\ div(q)&= 1 \cdot [0] - 1 \cdot [2]\\ &\text{(they have disjoint support)}\\ p(div(q)) &= p(0)^1 \cdot p(2)^{-1}= (0^2 - 1)^1 \cdot (2^2 - 1)^{-1} = \frac{-1}{3}\\ q(div(p)) &= q(1)^1 \cdot q(-1)^1 - q(\infty)^2\\ &= (\frac{1}{1-2})^1 \cdot (\frac{-1}{-1-2})^1 \cdot (\frac{\infty}{\infty - 2})^2 = \frac{-1}{3} \end{align*} so, $p(div(q))=q(div(p))$. \section{Generic Weil Pairing} Let $E(\Bbbk)$, with $\Bbbk$ of char $p$, $n$ s.t. $p \nmid n$. $\Bbbk$ large enough: $E(\Bbbk)[n] = E(\overline{\Bbbk}) = \mathbb{Z}_n \oplus \mathbb{Z}_n$ (with $n^2$ elements). For $P, Q \in E[n]$, \begin{align*} D_P &\sim [P] - [0]\\ D_Q &\sim [Q] - [0] \end{align*} We need them to have disjoint support: \begin{align*} D_P &\sim [P] - [0]\\ D_Q' &\sim [Q+T] - [T] \end{align*} $$\Delta D = D_Q - D_Q' = [Q] - [0] - [Q+T] + [T]$$ Note that $n D_P$ and $n D_Q$ are principal. Proof: \begin{align*} n D_P &= n [P] - n [O]\\ deg(n D_P) &= n - n = 0\\ sum(n D_P) &= nP - nO = 0 \end{align*} ($nP = 0$ bcs. $P$ is n-torsion) Since $n D_P,~ n D_Q$ are principal, we know that $f_P,~ f_Q$ exist. Take \begin{align*} f_P &: div(f_P) = n D_P\\ f_Q &: div(f_Q) = n D_Q \end{align*} We define $$ e_n(P, Q) = \frac{f_P(D_Q)}{f_Q(D_P)} $$ Remind: evaluation of a rational function over a divisor $D$: \begin{align*} D &= \sum n_P [P]\\ r(D) &= \prod r(P)^{n_P} \end{align*} If $D_P = [P+S] - [S],~~ D_Q=[Q-T]-[T]$ what is $e_n(P, Q)$? \begin{align*} f_P(D_Q) &= f_P(Q+T)^1 \cdot f_P(T)^{-1}\\ f_Q(D_P) &= f_Q(P+S)^1 \cdot f_Q(S)^{-1} \end{align*} $$ e_n(P, Q) = \frac{f_P(Q+T)}{f_P(T)} / \frac{f_Q(P+S)}{f_Q(S)} $$ with $S \neq \{O, P, -Q, P-Q \}$. \section{Properties} \begin{enumerate}[i.] \item $e_n(P, Q)^n = 1 ~\forall P,Q \in E[n]$\\ ($\Rightarrow~ e_n(P,Q)$ is a $n^{th}$ root of unity) \item Bilinearity $$e_n(P_1+P_2, Q) = e_n(P_1, Q) \cdot e_n(P_2, Q)$$ $$e_n(P, Q_1+Q_2) = e_n(P, Q_1) \cdot e_n(P, Q_2)$$ \emph{proof:} recall that $e_n(P,Q)=\frac{g(S+P)}{g(S)}$, then, \begin{align*} e_n(P_1, Q) &\cdot e_n(P_2, Q) = \frac{g(P_1 + S)}{g(S)} \cdot \frac{g(P_2 + P_1 + S)}{g(P_1 + S)}\\ &\text{(replace $S$ by $S+P_1$)}\\ &= \frac{g(P_2 + P_1 + S)}{g(S)} = e_n(P_1+P_2, Q) \end{align*} \item Alternating $$e_n(P, P)=1 ~\forall P\in E[n]$$ \item Nondegenerate $$\text{if}~ e_n(P,Q)=1 ~\forall Q\in E[n],~ \text{then}~ P=0$$ \end{enumerate} \section{Exercises} \emph{An Introduction to Mathematical Cryptography, 2nd Edition} - Section 6.8. Bilinear pairings on elliptic curves \begin{solution}{6.29} $div(R(x) \cdot S(x)) = div( R(x)) + div( S(x))$, where $R(x), S(x)$ are rational functions. \\proof:\\ \emph{Norm} of $f$: $N_f = f \cdot \overline{f}$, and we know that $N_{fg} = N_f \cdot N_g~\forall~\Bbbk[E]$,\\ then $$deg(f) = deg_x(N_f)$$\\ and $$deg(f \cdot g) = deg(f) + deg(g)$$ Proof: $$deg(f \cdot g) = deg_x(N_{fg}) = deg_x(N_f \cdot N_g)$$ $$= deg_x(N_f) + deg_x(N_g) = deg(f) + deg(g)$$ So, $\forall P \in E(\Bbbk),~ ord_P(rs) = ord_P(r) + ord_P(s)$.\\ As $div(r) = \sum_{P\in E(\Bbbk)} ord_P(r)[P]$, $div(s) = \sum ord_P(s)[P]$. So, $$div(rs) = \sum ord_P(rs)[P]$$ $$= \sum ord_P(r)[P] + \sum ord_P(s)[P] = div(r) + div(s)$$ \end{solution} \vspace{0.5cm} \begin{solution}{6.31} $$e_m(P, Q) = e_m(Q, P)^{-1} \forall P, Q \in E[m]$$ Proof: We know that $e_m(P, P) = 1$, so: $$1 = e_m(P+Q, P+Q) = e_m(P, P) \cdot e_m(P, Q) \cdot e_m(Q, P) \cdot e_m(Q, Q)$$ and we know that $e_m(P, P) = 1$, then we have: $$1 = e_m(P, Q) \cdot e_m(Q, P)$$ $$\Longrightarrow e_m(P, Q) = e_m(Q, P)^{-1}$$ \end{solution} \end{document}