Efficiently Computable Distortion Maps for Supersingular Curves

ANTS 2008, 2008/5/20

Katsuyuki Takashima, Mitsubishi Electric

Our results

Galbraith-Pujolas-Ritzenthaler-Smith [GPRS] gave unsolved problems on distortion maps for special supersingular curves. We solve them based on explicit construction of a basis

- vector space of consisting of eigenvectors of the Frobenius endomorphism ( -eigenvector basis ) a

-basis

of

- vector space

We explicitly determine the discrete logarithms of the Weil pairing where to one base

We obtain an efficiently constructible (semi-)symplectic -eigenvector basis.

Agenda

- Target supersingular curves
- Distortion maps
- Computational problems on distortion maps
- Results and unsolved problem given in [GPRS]
- Our approach
- Our results on
- Our results on
- Conclusions

Target supersingular curves

: proj., nonsingular, geom. irred. curve.

Def.

Def.

:supersingular :supersingular isogenous to a product of supersingular elliptic curves

prime,

prime s.t.

-power Frobenius endomorphism action of a primitive -th root of unity induced by on

on

-power Frobenius endomorphism Action of an extra-special 2-group of order 32 [vdGvdV].

Distortion maps

: prime s.t.

s.t.

: nondegenerate bilinear pairing from

to

Definition [GPRS] For a pair is called a distortion map.

Theorem 1 [GPRS] Let

be a target supersingular curve.

endo. of

endo. defined over - vector space

In particular, for every pair there exists a distortion map

Computational problems on distortion maps

Theorem 1 doesn’t assure the existence of an efficiently computable distortion map.

Computational problem 1: For every pair can we efficiently compute a distortion map? Cf. [GR] for the case of supersingular elliptic curves.

Computational problem 2: Is there a basis of s.t. are efficiently computable?

Basis in problem 2 an answer (efficient algorithm) to problem 1.

Results and unsolved problem given in [GPRS]

[GPRS] gave bases of

-vector space for target curves.

For is a

-basis.

For and are

-bases.

Unsolved problem given in [GPRS]

Are the above

and

-bases of

?

We show that it holds for the 1st curve when and the 2nd curve when by using a direct approach different from theirs.

Positive answer to problem 2 (and 1) for target curves.

Our approach

We construct a -eigenvector basis with a nonzero

of

and explicit generating operators s.t. for

For example, are given by Gauss sums for the 1st curve.

We show that are invertible and are also efficiently computable.

A key fact:

: projection to where

Since

are eigenvalues of where

: matrix units w.r.t. we know that

(and

) are

-bases of

Our results on

. where

We show that when

is a

-basis of for

-eigenvector basis

)

(it holds if

of

1. Generate a nonzero
2.

for : Gauss sum operator multiplicative character of

of order

additive character of

Our results on

.

where is a

where

-eigenvector basis of

and

is a Jacobi sum. is a basis of

From we see that

and

for is a basis of

Fundamental properties of the Weil pairing

where

.

and : the dual of e.g. [Mil, p.132]

In particular, we use the following two cases.

For example, we calculate

Weil pairing on

. we obtain

Using the fundamental properties of

where and

for

when (Corollary 2)

for any nonzero If we normalize

to

for

we obtain an efficiently constructible (semi-)symplectic basis w.r.t. the Weil pairing.

. (full) embedding degree

for

is 12, i.e., order of is 12.

Action of an extra-special 2-group of order 32.

For any where is a root of the quadratic eq. The dihedral subgroup

of order 8.

Our results on

.

where We show that

and

are

-bases of when

We consider the following

1. Generate a nonzero
2. and where

Our results on

. (Lemma 5)

when A basis

consisting of eigenvectors of

of

for when

for is a

-eigenvector basis of

Our results on

.

and are -bases of since

is the dihedral group. By the fundamental properties of

: (semi-)symplectic basis w.r.t. the Weil pairing

Conclusions

We proved several facts on distortion maps given in [GPRS]. Our explicit results seem useful to use

- dim. vector space

in cryptography.

Can we obtain a similar or general result for a broader class of curves? Cf. [GR]

Is there another application of our results?
