Pairings on ECC
Debdeep Mukhopadhyay
Associate Professor
Dept of Computer Sc and Engg,
IIT Kharagpur
Global Definitions
• For a field K, $n \in \mathbb{N}$, $k \in K$, we define:
  $n \cdot k = k + k + \dots + k$ ($n$ times)
• The characteristic of a field K is defined as:
  $\operatorname{char}(K) = 0$ if $C_K = \emptyset$, and $\operatorname{char}(K) = \min(C_K)$ otherwise,
  with $C_K = \{p \in \mathbb{N}_{>0} \mid p \cdot 1 = 0\}$, where $1$ is the multiplicative and $0$ the additive neutral element of K.
• Proposition 1.1: char(K) is either 0 or prime.
Algebraically Closed Fields
• K is an algebraically closed field with $\operatorname{char}(K) \notin \{2, 3\}$.
• The letters X and Y are variables.
• K[X] and K[X,Y] are the polynomial rings in one and two variables respectively.
• K(X) and K(X,Y) are the fields of rational functions in one and two variables respectively.
Elliptic Curves
• Vanishing set: for $f \in K[X,Y]$ we define
  $V(f) = \{(a,b) \in K^2 \mid f(a,b) = 0\}$
• Elliptic curves:
  $E = E_{A,B} = V(Y^2 - X^3 - AX - B) \cup \{O\}$
  is called an elliptic curve over K if $s(x) = s_{A,B}(x) = x^3 + Ax + B$ has
  three distinct roots. The element $O \in E$ is called the identity or
  point at infinity, and the elements of $E \setminus \{O\}$ are called finite.
• Negative of a point $P = (a,b)$: the point $(a,-b)$, also written $-P$.
• Discriminant: $\Delta(E_{A,B}) = -4A^3 - 27B^2$
Non-singular Elliptic Curves
• The set EA,B is called an elliptic curve.
• The elliptic curve is non-singular iff sA,B has 3
distinct roots.
• Otherwise it is called singular.
• We will deal with only non-singular curves.
• They are also called smooth curves.
Singular and non-singular curves
[Figure: $y^2 = x^3$ (cusp), a singular cubic curve]
[Figure: examples of non-singular elliptic curves]
Note: The curves in the figures are not over finite fields. They are over R, which is not
algebraically closed.
Points of Order 2
• Let $E_{A,B}$ be an elliptic curve and $w_1, w_2, w_3$ the three
  distinct roots of $s_{A,B}(x)$.
• The three points $\Omega_i = (w_i, 0) \in E_{A,B}$ are called points of
  order two.
• Since K is algebraically closed,
  $s_{A,B}(x) = (x-w_1)(x-w_2)(x-w_3) = x^3 + Ax + B$
• The set $E_{A,B}$ is an elliptic curve iff $\Delta(E_{A,B}) \neq 0$.
k-rational points
• For a subfield $k \subseteq K$ and $A, B \in k$,
  $E(k) = \{(a,b) \in E_{A,B} \mid a, b \in k\} \cup \{O\}$
  is the set of k-rational points.
• More general definition:
• A plane affine curve C over K is defined by a non-zero
  polynomial $f$ as $C: f(X,Y) = 0$.
• A K-rational point on a curve $C: f(X,Y) = 0$ is a point
  $P = (h,k) \in K^2$ such that $f(P) = f(h,k) = 0$.
Polynomials on Elliptic Curves
• For two polynomials $G(X,Y), H(X,Y) \in K[X,Y]$ with $f \mid (G - H)$
  we have $G(P) = H(P)$ for every rational point P on the curve C.
• Thus G and H represent the same K-valued function on C.
• Thus we can define a congruence:
  $G(X,Y) \equiv H(X,Y) \pmod{f(X,Y)}$ iff $f \mid (G - H)$
• We define the coordinate ring of C:
  $K[C] = K[X,Y] / \langle f(X,Y) \rangle$
• We write $G(x,y)$ for the equivalence class of a polynomial
  $G(X,Y) \in K[X,Y]$.
• The set of fractions of elements of K[C] with non-zero
  denominators is a field, denoted
  $K(C) = \{ G(x,y)/H(x,y) \mid H(x,y) \neq 0 \}$
• K(C) is called the function field of C.
Application to an EC
• Consider an elliptic curve $E_{A,B}: Y^2 = X^3 + AX + B = s(X)$.
• Let the small letters x and y be the coordinate functions, $x(a,b) = a$
  and $y(a,b) = b$, on E.
• Thus E satisfies $y^2 = s(x)$.
• With this notation we can say $K[E] = K[x,y]$.
• How can we thus obtain the congruences?
• Replace every $Y^2$ in a polynomial $f \in K[X,Y]$ by the term
  $X^3 + AX + B$.
• This does not change the equivalence class of f.
• So any f can be written as $f(x,y) = v(x) + y\,w(x)$ with $v, w \in K[X]$.
• We denote the set of polynomials on E by:
  $K[E] = K[X,Y] / (Y^2 - X^3 - AX - B)$
Example
• $F(x,y) = y^4 + x^2 y + x + 1$
  $= (y^2)^2 + x^2 y + x + 1$
  $= (x^3 + Ax + B)^2 + x^2 y + x + 1$
  $= \underbrace{[(x^3 + Ax + B)^2 + x + 1]}_{v(x)} + y\,\underbrace{[x^2]}_{w(x)}$
Canonical Forms
• A polynomial $f \in K[X,Y]$ is said to be written in
  canonical form when we write $f(x,y) = v(x) + y\,w(x)$.
• The canonical form is unique!
• Let $f(x,y) = v_1(x) + y\,w_1(x) = v_2(x) + y\,w_2(x)$ be two canonical
  forms.
• Thus, $(v_1(x) - v_2(x)) + y\,(w_1(x) - w_2(x)) = 0$.
• Setting $v(x) = v_1(x) - v_2(x)$, $w(x) = w_1(x) - w_2(x)$, we have
  $v(x) + y\,w(x) = 0$.
• Thus, $0 = (v(x) + y\,w(x))(v(x) - y\,w(x)) = v^2(x) - y^2 w^2(x)$
  $= v^2(x) - s(x)\,w^2(x)$.
• Note that $\deg_x(v^2(x))$ and $\deg_x(w^2(x))$ are even, but $\deg_x(s(x)) = 3$ is
  odd, so $\deg_x(s(x)\,w^2(x))$ is odd. Two terms of different degree cannot cancel unless both are zero. Thus the polynomial w(x) is 0, hence v(x) is also 0.
Conjugate and Norm
• Write $f \in K[X,Y]$ in canonical form $v(x) + y\,w(x)$.
• The conjugate of f is $\bar{f}(x,y) = v(x) - y\,w(x)$.
• The norm of f is defined as $N_f = f(x,y) \cdot \bar{f}(x,y)$.
• Check: $N_f = v^2(x) - s(x)\,w^2(x)$.
• Thus $N_f \in K[X]$, i.e. it is a polynomial in x only.
• It is easy to note $\overline{fg} = \bar{f}\,\bar{g} \Rightarrow N_{fg} = N_f\,N_g$.
Rational Functions on EC
• For an elliptic curve E we denote the set of rational
  functions on E by $K(E) = K[E]^2 / \sim$ with the following
  equivalence relation: for $(f,g), (h,k) \in K[E]^2$ with $g, k \neq 0$:
  $(f,g) \sim (h,k) \iff f \cdot k = g \cdot h$
• We denote the equivalence class of $(f,g)$ in $K(E)$ by $\frac{f}{g}$.
• For $r \in K(E)$ and a finite point $P \in E$ we say that r is finite at
  P iff there exists a representation $r = \frac{f}{g}$ with $f, g \in K[E]$ and
  $g(P) \neq 0$. We then set $r(P) = \frac{f(P)}{g(P)}$.
• If r is not finite at a point P we write $r(P) = \infty$.
Canonical form for Rational Functions
• One can calculate for $r = \frac{f}{g} \in K(E)$:
  $\frac{f}{g} = \frac{f\,\bar{g}}{g\,\bar{g}} = \frac{f\,\bar{g}}{N_g}$
• We can write $f\,\bar{g} = v(x) + y\,w(x)$ in canonical form.
• Thus, $\frac{f}{g} = \frac{v(x) + y\,w(x)}{N_g} = \frac{v(x)}{N_g} + y\,\frac{w(x)}{N_g}$.
• Hence, every rational function can be written in canonical form
  also.
Rational Functions at O
• With one-variable rational functions we normally
  compare the degrees of numerator and
  denominator to obtain values at ∞.
• Here we have two variables: (x,y).
• Note $y^2 = x^3 + Ax + B \Rightarrow y = (x^3 + Ax + B)^{1/2}$.
• Thus $\deg(y) = 3/2$.
• Thus $\deg(y\,w(x)) = 3/2 + \deg_x(w)$.
• Thus, $\deg(f) = \max(\deg_x(v),\ 3/2 + \deg_x(w))$.
• To avoid fractional degrees we say:
  $\deg(f) = \max(2\deg_x(v),\ 3 + 2\deg_x(w))$
• Note: $\deg_x(0) = -\infty$, $\deg_x(c) = 0$ for all $c \in K \setminus \{0\}$.
Connection of degree to Classical degree
• For $f \in K[E]$, $\deg(f) = \deg_x(N_f)$.
• Write f in canonical form: $f(x,y) = v(x) + y\,w(x)$.
• Then $N_f = v^2(x) - s(x)\,w^2(x)$.
• Thus, $\deg_x(N_f) = \deg_x(v^2(x) - s(x)\,w^2(x))$
  $= \max\{\deg_x(v^2),\ \deg_x(s) + \deg_x(w^2)\}$ (no cancellation: one degree is even, the other odd)
  $= \max\{2\deg_x(v),\ 3 + 2\deg_x(w)\}$
  $= \deg(f)$
Property of Degree of Polynomials
• For $f, g \in K[E]$, $\deg(f \cdot g) = \deg(f) + \deg(g)$.
• From the previous result,
  $\deg(f \cdot g) = \deg_x(N_{fg})$
  $= \deg_x(N_f N_g)$
  $= \deg_x(N_f) + \deg_x(N_g)$
  $= \deg(f) + \deg(g)$
Evaluating a rational function at O
• Let $r = \frac{f}{g} \in K(E)$ and distinguish the following cases:
• $\deg(f) < \deg(g)$: $r(O) = 0$.
• $\deg(f) > \deg(g)$: r is not finite at O.
• $\deg(f) = \deg(g)$ and $\deg(f)$ is even: write both f and g in
  canonical form; then both have leading terms $a x^d$ and
  $b x^d$ for some $a, b \in K$ and $d = \deg(f)/2$; set $r(O) = a/b$.
• $\deg(f) = \deg(g)$ and $\deg(f)$ is odd: write both f and g in
  canonical form; then both have leading terms $a y x^d$ and
  $b y x^d$ for some $a, b \in K$ and $d = (\deg(f) - 3)/2$; set $r(O) = a/b$.
An Example
• $r(x,y) = \dfrac{x^3 + 2x + y + 2x^4 y}{x + x^2 + 5xy^3}$
• What is r(O)?
• "Canonising" the numerator and denominator (using $y^3 = y \cdot y^2 = y\,(x^3 + Ax + B)$) we have
  $r(x,y) = \dfrac{(x^3 + 2x) + y(1 + 2x^4)}{x + x^2 + 5xy(x^3 + Ax + B)} = \dfrac{(x^3 + 2x) + y(1 + 2x^4)}{(x + x^2) + y(5x^4 + 5Ax^2 + 5Bx)}$
• Thus, $\deg(\text{Numerator}) = \max(2 \cdot 3,\ 3 + 2 \cdot 4) = 11$.
• Likewise, $\deg(\text{Denominator}) = \max(2 \cdot 2,\ 3 + 2 \cdot 4) = 11$.
• Both are odd.
• Leading terms are $2yx^4$ and $5yx^4$; note $4 = (11 - 3)/2$.
• Thus $r(O) = 2/5$.
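The canonical-form reduction, the degree $\deg(f) = \max(2\deg_x v,\ 3 + 2\deg_x w)$, the norm $N_f$ and the case split for $r(O)$ above, carried out in code. This is an added example, not code from the slides: polynomials in $K[X,Y]$ are dicts $\{(i,j): c\}$ for $\sum c\,x^i y^j$, the field is $\mathbb{Q}$ with $A = 1$, $B = 5$ (this example's choice; the result $r(O) = 2/5$ does not depend on A and B), and the function names are this example's own.

```python
# Added example (not from the slides): canonical forms v(x) + y w(x) in K[E], the degree
# deg f = max(2 deg v, 3 + 2 deg w), the norm N_f, and r(O) for a quotient of polynomials.
# Polynomials are dicts {(i, j): c} meaning sum c x^i y^j; A, B are this example's choice.
from collections import defaultdict
from fractions import Fraction

A, B = Fraction(1), Fraction(5)          # E: y^2 = s(x) = x^3 + A x + B over Q (assumption)
S_POLY = {3: Fraction(1), 1: A, 0: B}    # s(x) as a univariate dict {i: coefficient of x^i}
NEG_INF = float("-inf")                  # deg_x(0) = -infinity, as on the slides

def canonize(poly):
    """Reduce mod y^2 - s(x): replace every y^2 by x^3 + A x + B until only y^0 and y^1 remain.
    Returns (v, w) as univariate dicts with poly = v(x) + y w(x) in K[E]."""
    v, w, work = defaultdict(Fraction), defaultdict(Fraction), dict(poly)
    while work:
        (i, j), c = work.popitem()
        if c == 0:
            continue
        if j < 2:
            (v if j == 0 else w)[i] += c
        else:                                # c x^i y^j = c x^i y^(j-2) (x^3 + A x + B)
            for di, sc in S_POLY.items():
                key = (i + di, j - 2)
                work[key] = work.get(key, Fraction(0)) + c * sc
    return {i: c for i, c in v.items() if c}, {i: c for i, c in w.items() if c}

def degx(p):
    """Degree of a univariate dict polynomial; -infinity for the zero polynomial."""
    return max(p) if p else NEG_INF

def degree(poly):
    """deg f = max(2 deg_x v, 3 + 2 deg_x w): x has degree 2 and y degree 3."""
    v, w = canonize(poly)
    return max(2 * degx(v), 3 + 2 * degx(w))

def leading_coeff(poly):
    """Coefficient of the leading term: of x^d (d = deg/2) when deg is even,
    of y x^d (d = (deg - 3)/2) when deg is odd."""
    v, w = canonize(poly)
    d = degree(poly)
    return v[d // 2] if d % 2 == 0 else w[(d - 3) // 2]

def pmul(p, q):
    """Product of two univariate dict polynomials."""
    r = defaultdict(Fraction)
    for i, a in p.items():
        for j, b in q.items():
            r[i + j] += a * b
    return {i: c for i, c in r.items() if c}

def norm(poly):
    """N_f = f * conj(f) = v^2 - s(x) w^2, a polynomial in x alone; deg_x N_f = deg f."""
    v, w = canonize(poly)
    n = defaultdict(Fraction, pmul(v, v))
    for i, c in pmul(S_POLY, pmul(w, w)).items():
        n[i] -= c
    return {i: c for i, c in n.items() if c}

def value_at_O(num, den):
    """r(O) for r = num/den by the case split on the slides; None means r has a pole at O."""
    dn, dd = degree(num), degree(den)
    if dn < dd:
        return Fraction(0)
    if dn > dd:
        return None
    return leading_coeff(num) / leading_coeff(den)

# The slides' example: r = (x^3 + 2x + y + 2x^4 y) / (x + x^2 + 5 x y^3)
NUM = {(3, 0): Fraction(1), (1, 0): Fraction(2), (0, 1): Fraction(1), (4, 1): Fraction(2)}
DEN = {(1, 0): Fraction(1), (2, 0): Fraction(1), (1, 3): Fraction(5)}

if __name__ == "__main__":
    print("canonical forms:", canonize(NUM), canonize(DEN))
    print("deg num =", degree(NUM), " deg den =", degree(DEN), " r(O) =", value_at_O(NUM, DEN))
```

Running the block prints the two canonical forms, both degrees (11) and $r(O) = 2/5$; `value_at_O` returns `None` for a pole, e.g. for $y/x$, and 0 for $x/y$, matching the degree comparison $\deg y = 3 > 2 = \deg x$.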
Some more propositions
• For r,sϵK(E) st. r(O) and s(O) are finite then it holds
that:
(r.s)(O)=r(O)s(O)
(r+s)(O)=r(O)+s(O)
Zeros, Poles, and Uniformizers
• Let $r \in K(E)$.
• Zero: We say that r has a zero at $P \in E$ if $r(P) = 0$.
• Pole: We say that r has a pole at P if $r(P)$ is not finite.
• Determining poles and zeros can be tricky.
• Consider the unit circle $C: X^2 + Y^2 - 1 = 0$.
• Consider $R(x,y) = (1 - x)/y \in K(C)$.
• Take $P = (1, 0)$.
• Plugging in, $R(x,y)$ takes the form $0/0$ and it appears that R is
  not defined at P.
• But take a second look!
Zeros, Poles, and Uniformizers
• Consider the unit circle $C: X^2 + Y^2 - 1 = 0$.
• On C we have $(1 - x)(1 + x) = 1 - x^2 = y^2$, so $R(x,y) = (1 - x)/y = y/(1 + x)$.
• Thus $R(1, 0) = 0$.
• Hence R is indeed defined at P.
• Thus P is a zero of $R(x,y)$.
• If R is not defined at P, $R(P) = \infty$.
• Uniformizers provide a nice algebraic technique for
  making this formal.
Uniformizers
• For an elliptic curve E, let $P \in E$ be a point. A function
  $u \in K(E)$ with $u(P) = 0$ is called a uniformizer at P if it
  has the following property:
• $\forall r \in K(E) \setminus \{0\}:\ \exists d \in \mathbb{Z},\ s \in K(E)$ finite at P with
  $s(P) \neq 0$, such that
  $r = u^d s$
Uniformizer in general case
• Let E be an elliptic curve and $P \in E$ be finite and not
  of order 2. Then for $P = (a,b)$, the function $u(x,y) = x - a$ is a uniformizer at P.
• Proof: First note $u(a,b) = 0$. Now let $r \in K(E) \setminus \{0\}$ be
  arbitrary. If r has neither a pole nor a zero at P, take
  $d = 0$ and $s = r$. We are done.
• Hence, let $r(P) = 0$. We can write $r = f/g$ with $f(P) = 0$
  and $g(P) \neq 0$. If we can decompose $f = u^d s$ we can
  write:
  $r = \dfrac{u^d s}{g} = u^d\,\dfrac{s}{g} = u^d s'$, with $s' = s/g$ finite and non-zero at P.
Decomposing $f = u^d s$
• Put $s_0(x,y) = f(x,y)$, $i = 0$, and repeat the following process.
• While $s_i(P) = 0$, canonize $s_i(x,y) = v_i(x) + y\,w_i(x)$ and distinguish two cases.
• Case 1: $\bar{s}_i(P) = 0$.
  Thus we have:
  $v_i(a) + b\,w_i(a) = 0$
  $v_i(a) - b\,w_i(a) = 0$
  Assuming char(K) ≠ 2 and using $b \neq 0$ (P is not of order 2), $v_i(a) = w_i(a) = 0$. Thus $x = a$ is a root of both $v_i$ and $w_i$.
  Thus $s_i(x,y) = v_i(x) + y\,w_i(x) = (x-a)\,v_{i+1}(x) + y\,(x-a)\,w_{i+1}(x) = (x-a)\,s_{i+1}(x,y)$,
  where $s_{i+1}(x,y) = v_{i+1}(x) + y\,w_{i+1}(x)$ with $v_{i+1}(x), w_{i+1}(x) \in K[X]$.
Decomposing $f = u^d s$ (contd.)
• Case 2: $\bar{s}_i(P) \neq 0$.
  Note: $s_i(x,y) = \dfrac{N_{s_i}(x)}{\bar{s}_i(x,y)}$.
  Since $s_i(P) = 0$ and $\bar{s}_i(P) \neq 0$, we have $N_{s_i}(a) = 0$. Thus
  $x = a$ is a root of $N_{s_i}(x)$, i.e. $N_{s_i}(x) = (x-a)\,n_{i+1}(x)$.
  Thus $s_i(x,y) = \dfrac{(x-a)\,n_{i+1}(x)}{\bar{s}_i(x,y)} = (x-a)\,s_{i+1}(x,y)$, where
  $s_{i+1}(x,y) = \dfrac{n_{i+1}(x)}{\bar{s}_i(x,y)}$.
• If this process terminates at step i, $s = s_i(x,y)$ is finite and non-zero at P. Then $u(x,y) = x - a$ is the uniformizer, and $d = i$ gives $f = u^d s$.
• But how do we guarantee that the process terminates?
• But how do we guarantee that the process terminates?
Termination Proof
• $N_f(x) = N_{u^i s_i}(x) = \big((x-a)^i v_i(x)\big)^2 - s(x)\big((x-a)^i w_i(x)\big)^2 = (x-a)^{2i}\,N_{s_i}(x)$.
• Thus $\deg_x(N_f) = 2i + \deg_x(N_{s_i})$.
• Since $\deg_x(N_{s_i}) \geq 0$, $2i \leq \deg_x(N_f)$, so i is bounded by a
  finite number.
• Thus, if r has a zero at P we are done.
• If r has a pole at P, $1/r$ has a zero at P, and we can
  take the same u with a negative d and are done
  too!
Uniformizer at points with order two
• Let E be an EC and $P = \Omega_i = (w_i, 0) \in E$ be of order 2. Then $u(x,y) = y$ is a
  uniformizer at $\Omega_i$.
• Wlog let $i = 1$.
• Note $u(P) = 0$ and let $r \in K(E) \setminus \{0\}$ be arbitrary with $r(P) = 0$.
• We can express r as $f/g$ and canonize $f(x,y) = v(x) + y\,w(x)$. Note $f(P) = 0$.
• Thus $0 = f(w_1, 0) = v(w_1) \Rightarrow v(x) = (x - w_1)\,v_1(x)$.
• Thus, using $y^2 = (x-w_1)(x-w_2)(x-w_3)$,
  $f(x,y) = (x - w_1)\,v_1(x) + y\,w(x)$
  $= \dfrac{(x-w_1)(x-w_2)(x-w_3)\,v_1(x) + y\,(x-w_2)(x-w_3)\,w(x)}{(x-w_2)(x-w_3)}$
  $= \dfrac{y^2 v_1(x) + y\,(x-w_2)(x-w_3)\,w(x)}{(x-w_2)(x-w_3)}$
  $= y\,\dfrac{y\,v_1(x) + (x-w_2)(x-w_3)\,w(x)}{(x-w_2)(x-w_3)} = u(x,y)\,W(x,y)$.
• If $W(P) \neq 0$, we are done; else we repeat the process with W.
• Again the repetition is finite, since v can have only finitely many factors.
Uniformizer at O
• Let E be an EC. Then the function $u(x,y) = x/y$ is a
  uniformizer at $O \in E$.
• Since $\deg(y) = 3 > 2 = \deg(x)$ it follows that $u(O) = 0$.
• Let $r = f/g \in K(E) \setminus \{0\}$ be arbitrary with $r(O) = 0$ or r not
  finite at O.
• Thus $d = \deg(g) - \deg(f) \neq 0$.
• Thus, $r(x,y) = (x/y)^d \cdot \big((y/x)^d\,r(x,y)\big)$.
• Observe that the degree of $s(x,y) = (y/x)^d\,r(x,y) = \dfrac{y^d f(x,y)}{x^d g(x,y)}$ is
  $\deg(y^d f) - \deg(x^d g) = 3d + \deg(f) - 2d - \deg(g) = d - d = 0$, so s is indeed
  finite and non-zero at O.
Uniformizer Theorem
• Every point on an EC has a uniformizer, and the number
  d does not depend on its choice.
• The existence is already shown.
• We are to show that d does not depend on the choice.
• Let u and u' be uniformizers at P.
• Thus $u = u'^a q$ and $u' = u^b p$, for $a, b \in \mathbb{Z}$ and $q, p \in K(E)$ both finite
  and non-zero at P.
• Thus $u = u'^a q = (u^b p)^a q = u^{ab}(p^a q)$.
• Assume $ab \neq 1$; then $u^{1-ab} = p^a q$. Evaluated at P, the right-hand side is finite and non-zero, while the left-hand side is 0 (if $1 - ab > 0$) or not finite (if $1 - ab < 0$), a contradiction.
• Hence $ab = 1$, i.e. $a = b = \pm 1$.
• If $a = b = -1$, $u = u'^{-1} q \Rightarrow u u' = q$. Evaluated at P this leads to a contradiction,
  since $0 = u(P)u'(P) = q(P) \neq 0$.
• Thus $a = b = 1$.
Proof Contd.
• Let $r \in K(E) \setminus \{0\}$ be arbitrary. Since u and u' are
  uniformizers, there exist $d, d' \in \mathbb{Z}$ and $s, t \in K(E)$ finite and non-zero at P such that $r = u^d s$ and $r = u'^{d'} t$.
• $u^d s = u'^{d'} t = (up)^{d'} t = u^{d'}(p^{d'} t) \Rightarrow u^{d-d'} = p^{d'} t / s$.
• On the right-hand side we have a rational function which
  is finite and non-zero at P.
• But on the left-hand side we have a zero (if $d > d'$) or a pole (if $d < d'$) at P whenever $d - d' \neq 0$.
• Thus $d = d'$.
• Because of the independence of d from u we can
  define the order of a rational function.
Order of a Rational Function
• For an elliptic curve E, let $P \in E$ be a point and u a
  uniformizer at P. For $r \in K(E) \setminus \{0\}$ with $r = u^d s$, we call d
  the order of r at P, and write $\operatorname{ord}_P(r) = d$.
• The multiplicity of a zero is the order of r at that
  zero.
• The multiplicity of a pole is the negative of the
  order of r at that point.
Order of a Zero
• If the zero does not correspond to a point of order
  two:
• Let $f \in K[X]$ with $f(x) = g(x)(x-a)^k$ for $g \in K[X]$
  with $g(a) \neq 0$, $k \in \mathbb{N}_{>0}$ and $a \in K$.
• Now see f as a polynomial $f \in K[E]$ and pick a uniformizer
  at $P = (a, \pm s(a)^{1/2})$ (a zero of f):
  $u = x - a$,
  $s(x,y) = g(x)$.
• Then $d = k = \operatorname{ord}_P(f)$.
Zero is a point of order two
• When $a = w_i$ (wlog $i = 1$), $P = (a, 0)$ is a zero.
• Uniformizer: $u(x,y) = y$ at P. Note $u(P) = 0$.
• $s(x,y) = g(x) / \big((x-w_2)^k (x-w_3)^k\big)$
• We write $f(x,y) = u^d s(x,y) = y^d g(x) / \big((x-w_2)^k (x-w_3)^k\big)$
  $= y^d\,\big[(x-a)^k g(x) / \big((x-w_1)^k (x-w_2)^k (x-w_3)^k\big)\big]$
  $= y^d\,\big[(x-a)^k g(x) / y^{2k}\big] \Rightarrow d = 2k$.
Order of a finite non-root
• Let $r \in K(E)$ and $P \in E$ such that $r(P) \neq 0$ and r is finite at P. Then
  $\operatorname{ord}_P(r) = 0$.
• Set $d = 0$ and $s = r$.
Order of Polynomials at O
• For $f \in K[E] \setminus \{0\}$, $\operatorname{ord}_O(f) = -\deg(f)$.
• Let $u = x/y$ be the uniformizer at O.
• Let $k = \deg(f)$; we take $s(x,y) = (x^k / y^k)\,f(x,y)$.
• $\deg(x^k f(x,y)) = 2k + \deg(f) = 3k$
• $\deg(y^k) = 3k$
• Thus s is finite and non-zero at O.
• Thus from $f(x,y) = (x/y)^{-k}\,(x^k/y^k)\,f(x,y) = u^{-k} s$ we get $d = -k$.
Property of Order of Rational Functions
• For $r_1, r_2 \in K(E)$ and $P \in E$,
  $\operatorname{ord}_P(r_1 r_2) = \operatorname{ord}_P(r_1) + \operatorname{ord}_P(r_2)$.
• Let $P \in E$ and pick a uniformizer u at P.
• Thus we have $r_1 r_2 = u^d s$, $r_1 = u^{d_1} s_1$, $r_2 = u^{d_2} s_2$.
• Thus $u^d s = r_1 r_2 = (u^{d_1} s_1)(u^{d_2} s_2) = u^{d_1 + d_2}(s_1 s_2)$.
• Since s, $s_1$, $s_2$ are finite and non-zero at P, the uniqueness of d gives $d = d_1 + d_2$.
• This proves the result.
Examples
• We now want to calculate the orders of $r(x,y) = x - a$,
  where $s(a) \neq 0$, at all points $Q \in E$ where r(Q) is not finite
  or zero.
• I.e. at all other points $\operatorname{ord}_Q(r) = 0$.
• Zeros: Clearly, when $x = a$, $r(Q) = 0$. Thus the zeros are at
  $(a, \pm b)$ where $b \neq 0$ (since $s(a) \neq 0$).
• For $Q = P = (a, b)$ or $Q = P' = (a, -b)$, neither of order 2, take r itself as the uniformizer,
  i.e. $r = r^1 \cdot 1$, and $\operatorname{ord}_Q(r) = d = 1$.
• Poles: At $Q = O$ take $u = x/y$ as the uniformizer. $r = x - a$, $\deg(r) = 2$.
  Thus $(x - a) = (x/y)^{-2}\,[(x/y)^2 (x - a)]$, and $\operatorname{ord}_O(r) = -2$.
• Summing up: two zeros of order 1, and one pole of
  order -2.
Example
• Note that when $s(a) = 0$, there is only one zero, namely
  $(w_1, 0)$, where $a = w_1$.
• What is the order of this zero?
• With uniformizer $u = y$: $(x - a) = y^d \cdot \dfrac{1}{(x-w_2)(x-w_3)} = y^d\,\dfrac{x - a}{(x-w_1)(x-w_2)(x-w_3)}$
  $= y^{d-2}(x - a)$.
• Hence $d = 2$.
• Thus we have a zero of order 2 and a pole (at O) of
  order -2.
Examples
• Let $r(x,y) = y$.
• Zeros: The zeros are at $y = 0$, which are the points of order
  two.
• Thus $u(x,y) = y$ is the uniformizer at the three zeros $Q_i = (w_i, 0)$,
  $i = 1, 2, 3$. We have $\operatorname{ord}_{Q_i}(r) = 1$.
• At every other finite point the order is 0.
• Pole: Now consider the pole at the point O. Note $\deg(r) = 3$.
  Hence $d = -3$, $u(x,y) = x/y$, and $s(x,y) = (x/y)^3 y = x^3 y / y^3$.
• Note $\deg(s) = 2 \cdot 3 + 3 - 3 \cdot 3 = 0$, hence s is finite and non-zero at O.
• Thus we have 3 zeros of order 1, and one pole of
  order -3.
Example
• Consider $r = x/y$.
• Zeros:
• The point O:
  $\deg(x) - \deg(y) = 2 - 3 = -1 < 0$, i.e. $r(O) = 0$.
  $u(x,y) = x/y$
  $(x/y) = (x/y)^1 \cdot 1 \Rightarrow \operatorname{ord}_O(r) = 1$.
• $x = 0$: $P_\pm = (0, \pm B^{1/2})$ are zeros of r, where $B \neq 0$.
  $u(x,y) = x$
  $(x/y) = x^d\,(1/y)$ with $d = 1$; note $s(x,y) = 1/y$ is finite and non-zero at $P_\pm$.
  Thus $\operatorname{ord}_{P_\pm}(r) = 1$.
• Poles: r is not finite when $y = 0$.
• Points of order two, $Q_i = (w_i, 0)$:
  $u(x,y) = y$
  $(x/y) = y^{-1}\,x$; note $s(x,y) = x$ is finite and non-zero at $Q_i$, as $B \neq 0$ and $w_1 w_2 w_3 = -B$, hence
  all $w_i \neq 0$.
• Thus we have three zeros of order 1 and three poles of order -1.
Example (Case B = 0)
• Note the simple zero at O remains.
• For the others we recalculate:
• $y^2 = x^3 + Ax = x\,(x - (-A)^{1/2})\,(x + (-A)^{1/2})$
• Thus $w_1 = 0$, $w_2 = (-A)^{1/2}$, $w_3 = -(-A)^{1/2}$ give the three points of order two.
• Note $(w_2, 0)$ and $(w_3, 0)$ are poles as before, but $(w_1, 0)$ is not.
• At $w_2$ and $w_3$ we have $(x/y) = y^d x$, again with $d = -1$.
• At $w_1 = 0$, i.e. at $(0, 0)$, we observe
  $(x/y) = xy/y^2 = xy / \big(x (x - (-A)^{1/2})(x + (-A)^{1/2})\big) = y / \big((x - (-A)^{1/2})(x + (-A)^{1/2})\big)$, which vanishes at $(0, 0)$.
• Thus we have a zero at $(w_1, 0)$.
• Order?
• Take $u = y$, $s = 1 / \big((x - (-A)^{1/2})(x + (-A)^{1/2})\big)$; note s is finite and non-zero at $(0, 0)$.
• Thus $y / \big((x - (-A)^{1/2})(x + (-A)^{1/2})\big) = y^d\,s$ with $d = 1$.
• We have two zeros of order one and two poles of
  order -1.
Baby Riemann-Roch Theorem
• The sum of the multiplicities of the roots equals the degree.
• For $f \in K[E]$, $\deg(f) = \sum_{P \in E,\ f(P) = 0} \operatorname{ord}_P(f)$.
• Define $n = \deg(f)$. We know $n = \deg_x(N_f)$.
• $f\bar{f}(x) = N_f(x) = c \prod_{i=1}^{n} (x - a_i)$ for some constant c, since K is algebraically closed.
• The $a_i$ are not necessarily distinct.
• The points on the curve over a root $a_i$ are $(a_i, \pm (s_{A,B}(a_i))^{1/2})$.
• Depending on whether $s_{A,B}(a_i) = 0$ or not, the point is of order
  two or not.
• If the order is two, there is one root, but its multiplicity is two (it
  is a double root).
• Else there are two roots, each of multiplicity one.
• Hence, counting multiplicities, $f\bar{f}$ has exactly 2n roots.
• Since f and $\bar{f}$ have the same number of roots (the map $(a,b) \mapsto (a,-b)$ exchanges them), f has n roots
  counting multiplicities (the right-hand side of the statement).
Sum of Orders is Zero
• For $r \in K(E)$, $\sum_{P \in E} \operatorname{ord}_P(r) = 0$.
• Since for $r = h/g \in K(E)$ it holds that
  $\sum_{P \in E} \operatorname{ord}_P(r) = \sum_{P \in E} \operatorname{ord}_P(h) - \sum_{P \in E} \operatorname{ord}_P(g)$
  (by the multiplicativity of the order at every $P \in E$), it suffices to show the result for a polynomial
  $f \in K[E]$.
• One can calculate
  $\sum_{P \in E \setminus \{O\}} \operatorname{ord}_P(f) = \sum_{P \in E,\ f(P) = 0} \operatorname{ord}_P(f)$
  (since otherwise the order is 0), and
  $\sum_{P \in E,\ f(P) = 0} \operatorname{ord}_P(f) = \deg(f)$.
• On the other hand the order of f at O is $-\deg(f)$.
• Hence the result.
Rational Maps and Endomorphisms
• Let E be an EC defined over a field K.
• Let $\bar{K}$ denote the algebraic closure of K.
• Let us concentrate on finite fields $K = \mathbb{F}_q$, where
  $\operatorname{char}(K) = p$.
• We remove the restriction that K is algebraically closed.
• For any field extension L of K, we denote by $E_L$ the
  group of L-rational points of the curve E (which is
  defined over L as well).
• When $L = \bar{K}$, we abbreviate $E_{\bar{K}}$ as E.
• A rational function R is defined over L if R has a
  representation of the form $R(x,y) = G(x,y)/H(x,y)$, where
  $G(x,y), H(x,y) \in L[E]$.
Rational Map
• A rational map $E \to E$ is a function. A rational map α
  is specified by two rational functions $\alpha_1, \alpha_2 \in \bar{K}(E)$
  such that for any $P \in E$ the point
  $\alpha(P) = (\alpha_1(P), \alpha_2(P))$ lies again on E.
• Since $\alpha(P)$ is a point on E, the functions $\alpha_1, \alpha_2$
  satisfy the equation of E, i.e. $(\alpha_1, \alpha_2)$ is a point on the
  elliptic curve $E_{\bar{K}(E)}$ (E with coordinates taken in the function field).
• Denote the point at infinity on this curve by O'.
Examples of Maps
• Zero map $O': E \to E$ taking $P \mapsto O$. This is the group
  identity of $E_{\bar{K}(E)}$.
• Constant map $\alpha_{h,k}: E \to E$ taking any point P to a fixed
  point $(h,k)$. This map corresponds to the two constant
  rational functions h and k.
• Identity map: $E \to E$, $P \mapsto P$.
• Translation map: $E \to E$ taking $P \mapsto P + Q$, for a fixed $Q \in E$.
• Multiplication-by-m map $[m]: E \to E$ takes a point P on E
  to its m-th multiple mP.
• Frobenius map $\varphi_q: E \to E$ taking $(h,k) \mapsto (h^q, k^q)$.
Isomorphisms
• A rational map $\alpha: E \to E$ is called an endomorphism
  (an isogeny from E to itself) if α is a group homomorphism, i.e.
  $\alpha(P + Q) = \alpha(P) + \alpha(Q)$ for all $P, Q \in E$.
• A bijective endomorphism is called an isomorphism.
Torsion Points
• Denote $[m]$ (i.e. multiplication by m) by a pair $(g_m, h_m)$ of
  rational functions.
• These functions are inductively defined by the chord-and-tangent rule.
• Let $E: Y^2 + a_1 XY + a_3 Y = X^3 + a_2 X^2 + a_4 X + a_6$, with $a_1, a_2, a_3, a_4, a_6 \in K$.
• $g_1 = x$, $h_1 = y$.
• $g_2 = -2x + \lambda^2 + a_1\lambda - a_2$, $h_2 = -\lambda(g_2 - x) - a_1 g_2 - a_3 - y$,
  where $\lambda = (3x^2 + 2a_2 x + a_4 - a_1 y)/(2y + a_1 x + a_3)$. Finally, for $m \geq 3$, we have:
  $g_m = -g_{m-1} - x + \lambda^2 + a_1\lambda - a_2$, $h_m = -\lambda(g_m - x) - a_1 g_m - a_3 - y$, where $\lambda = (h_{m-1} - y)/(g_{m-1} - x)$.
• The kernel of this map is $E[m] = \{P \in E = E_{\bar{K}} \mid mP = O\}$.
• Elements of $E[m]$ are called m-torsion points of E. For every $m \in \mathbb{Z}$,
  $E[m]$ is a subgroup of E.
Formal Sum
• Let $a_i$, $i \in I$, be symbols indexed by I.
• A finite formal sum of the $a_i$, $i \in I$, is an expression of the
  form $\sum_{i \in I} m_i a_i$ with $m_i \in \mathbb{Z}$ such that $m_i = 0$ except
  for finitely many $i \in I$.
• The sum $\sum_{i \in I} m_i a_i$ is formal in the sense that the $a_i$ are not
  evaluated. They act as placeholders.
• Define $\sum_{i \in I} m_i a_i + \sum_{i \in I} n_i a_i = \sum_{i \in I} (m_i + n_i) a_i$ and
  $-\sum_{i \in I} m_i a_i = \sum_{i \in I} (-m_i) a_i$.
  Under these definitions, the set of these finite formal
  sums becomes an Abelian group called the free Abelian
  group generated by the symbols $a_i$, $i \in I$.
Divisor
• A divisor on an elliptic curve E defined over a field K is a
  finite formal sum of the points of $E = E_{\bar{K}}$.
• Notation: $D = \sum_{P \in E} m_P [P]$
• The sum is formal, i.e. the points P enclosed in
  square brackets are not to be evaluated (added on the curve).
• The support of a divisor $D = \sum_{P \in E} m_P [P]$, denoted
  $\operatorname{Supp}(D)$, is the set of points P for which $m_P \neq 0$.
• The degree of D is the sum $\sum_{P \in E} m_P$.
• All divisors on E form a group denoted by $\operatorname{Div}(E)$.
• The divisors of degree zero form a subgroup denoted
  by $\operatorname{Div}^0(E)$.
Divisors of a Rational Function
• The divisor of a non-zero rational function $R \in \bar{K}(E)$ is
  $\operatorname{Div}(R) = \sum_{P \in E} \operatorname{ord}_P(R)\,[P]$.
• Since every non-zero rational function has only
  finitely many zeros and poles, $\operatorname{Div}(R)$ is defined (i.e. is a
  finite formal sum) for any $R \neq 0$.
• A principal divisor is the divisor of some rational
  function.
• Every principal divisor belongs to $\operatorname{Div}^0(E)$, since the sum of the orders of a rational function is zero.
• The set of all principal divisors is a subgroup of $\operatorname{Div}(E)$,
  denoted $\operatorname{Prin}(E)$.
• Principal divisors satisfy:
  $\operatorname{Div}(R) + \operatorname{Div}(S) = \operatorname{Div}(RS)$
  $\operatorname{Div}(R) - \operatorname{Div}(S) = \operatorname{Div}(R/S)$
Picard Group
• Two divisors D and D' are called equivalent if they
  differ by a principal divisor,
  i.e. $D \sim D'$ iff $D = D' + \operatorname{Div}(R)$ for some $R(x,y) \in \bar{K}(E)$.
• Thus the equivalence of divisors partitions $\operatorname{Div}(E)$ and
  also $\operatorname{Div}^0(E)$.
• The quotient group $\operatorname{Div}(E)/\operatorname{Prin}(E)$ is called the
  divisor class group or Picard group.
• The quotient group $\operatorname{Div}^0(E)/\operatorname{Prin}(E)$ is called the
  Jacobian of E, or $J(E)$.
Example: Zeros and Poles of Straight Lines
[Figure: three lines on E, as read off the divisors below: a chord L through P, Q and a third point R; a tangent T at P meeting E again at Q; a vertical line V through P and Q = -P]
• $\operatorname{Div}(L) = [P] + [Q] + [R] - 3[O]$
• $\operatorname{Div}(T) = 2[P] + [Q] - 3[O]$
• $\operatorname{Div}(V) = [P] + [Q] - 2[O]$
Principal Divisor
• A divisor $D = \sum_P m_P [P] \in \operatorname{Div}_K(E)$ is principal iff:
  1. $\sum_P m_P = 0$ (integer sum), and
  2. $\sum_P m_P P = O$ (sum of the points under the chord-and-tangent rule).
Divisors of a line and a vertical line
• $\operatorname{Div}(L_{P,Q}) = [P] + [Q] + [R] - 3[O]$, where R is the third intersection point, so $P + Q = -R$.
• $\operatorname{Div}(L_{R,-R}) = [R] + [-R] - 2[O]$
• $\operatorname{Div}(L_{P,Q} / L_{R,-R}) = [P] + [Q] - [-R] - [O] = [P] + [Q] - [P+Q] - [O]$
• This implies that:
  $[P] - [O] \sim [P+Q] - [Q]$
  $([P] - [O]) + ([Q] - [O]) \sim [P+Q] - [O]$
Example
• $E: Y^2 = X^3 + X + 5$ defined over $\mathbb{F}_{37}$.
• Take $P = (1, 9)$, $Q = (10, 4)$.
• Equation of $L_{P,Q}$: $y = \frac{4 - 9}{10 - 1}x + c = 20x + c$ (as $9^{-1} \equiv 33$ and $-5 \cdot 33 \equiv 20 \pmod{37}$), where
  $c = 9 - 20 \equiv 26$, so $L_{P,Q}: y + 17x + 11 = 0$.
• The line meets the curve a third time at $R = (19, 36)$ (since $x_R = 20^2 - 1 - 10 \equiv 19$), and $P + Q = -R = (19, -36) = (19, 1)$.
• Vertical line $L_{R,-R}: x - 19 = 0$, i.e. $x + 18 = 0$.
• $\operatorname{Div}\!\left(\frac{y + 17x + 11}{x + 18}\right) = [P] + [Q] - [P+Q] - [O] = ([P] - [O]) - ([P+Q] - [Q])$
Evaluating a rational function at a Divisor
• Let $D = \sum_P n_P [P]$ be a divisor on E. Let $f \in \bar{K}(E)$
  be a non-zero rational function such that the
  supports of D and $\operatorname{Div}(f)$ are disjoint.
• Define the value of f at D as:
  $f(D) = \prod_{P \in E} f(P)^{n_P} = \prod_{P \in \operatorname{Supp}(D)} f(P)^{n_P}$
  [Note that the support of $\operatorname{Div}(f)$ consists of the points at which f has non-zero order, i.e. its poles
  and zeros. If f had a pole or a zero at a point of $\operatorname{Supp}(D)$, the product
  would become zero or undefined. We avoid such situations with the
  restriction of disjoint supports.]
f(D) is invariant up to multiplication by constants (for divisors of degree 0)
• Let c be a constant in $\bar{K}^*$, $f = cg$, and $\deg(D) = \sum_P n_P = 0$.
• Then
  $f(D) = g(D) \prod_P c^{n_P} = g(D)\,c^{\sum_P n_P} = g(D)\,c^0 = g(D)$.
Weil’s Reciprocity Theorem
• If f and g are two non-zero rational functions on E
and Div(f) and Div(g) have disjoint supports,
f(Div(g))=g(Div(f)).
• I will not prove this result but shall give an example.
Example
• $E: Y^2 = X^3 + X + 5$ defined over $\mathbb{F}_{37}$.
• $f(x,y) = y + 17x + 11$
• $\operatorname{Div}(f) = [P_1] + [P_2] + [P_3] - 3[O]$, where $P_1 = (1, 9)$, $P_2 = (10, 4)$,
  $P_3 = (19, 36)$.
• $g(x,y) = (x + 16)/(x + 4)$:
• Zero: $P_4 = (-16, 0) = (21, 0)$, of order 2 (since $s(21) \equiv 0$, $(21, 0)$ is a point of order two).
• Poles: $P_5 = (-4, 14) = (33, 14)$ and $P_6 = (-4, -14) = (33, 23)$, each of order 1.
• $\operatorname{Div}(g) = 2[P_4] - [P_5] - [P_6]$ (note that at O the function has value 1, as numerator and denominator have equal degree and equal leading coefficient, so O is not
  in the support of $\operatorname{Div}(g)$).
• $\operatorname{Div}(f)$ and $\operatorname{Div}(g)$ thus have disjoint supports.
• $f(\operatorname{Div}(g)) = f(P_4)^2\,f(P_5)^{-1}\,f(P_6)^{-1} = 35^2 \cdot 31^{-1} \cdot 3^{-1} \equiv 8 \pmod{37}$
• $g(\operatorname{Div}(f)) = g(P_1)\,g(P_2)\,g(P_3)\,g(O)^{-3} = 33 \cdot 23 \cdot 16 \cdot 1^{-3} \equiv 8 \pmod{37}$
Pairings on EC
• Maps which accept a pair of EC points as input and
  output an element of a finite field.
• Let $K = \mathbb{F}_q$, with $p = \operatorname{char}(K)$. Take a positive integer m which
  is coprime to p.
• The set of all m-th roots of unity in $\bar{K}$ is denoted by $\mu_m$.
  There are m such roots, as $\gcd(p, m) = 1$.
• The smallest extension $L = \mathbb{F}_{q^k}$ of $K = \mathbb{F}_q$ which contains the set
  $\mu_m$ has extension degree $k = \operatorname{ord}_m(q)$ (the multiplicative
  order of q mod m), i.e. the smallest $k \geq 1$ with $m \mid q^k - 1$.
• We call this k the embedding degree (w.r.t. q and m).
• Cases where the embedding degree is small are of particular
  interest.
Weil Pairing
• Let $P_1, P_2 \in E[m]$.
• Let $D_1$ be a divisor equivalent to $[P_1] - [O]$.
• Since $mP_1 = O$, there exists a rational function $f_1$ such
  that $\operatorname{Div}(f_1) = mD_1 \sim m[P_1] - m[O]$.
• Similarly, let $D_2$ be a divisor equivalent to $[P_2] - [O]$.
• There exists a rational function $f_2$ such that
  $\operatorname{Div}(f_2) = mD_2 \sim m[P_2] - m[O]$.
• $D_1$ and $D_2$ are chosen to have disjoint supports.
• The Weil pairing is thus defined as:
  $e_m(P_1, P_2) = \dfrac{f_1(D_2)}{f_2(D_1)}$
Weil Pairing is independent of $D_1$ and $D_2$
• Take a divisor $D_1' = D_1 + \operatorname{Div}(g)$, $g \in \bar{K}(E)$, with support disjoint
  from $D_2$.
• The rational function corresponding to $mD_1'$ is $f_1'$.
• Note $mD_1' = mD_1 + m\operatorname{Div}(g) = \operatorname{Div}(f_1) + \operatorname{Div}(g^m) = \operatorname{Div}(f_1 g^m)$.
• Thus $f_1' = f_1 g^m$ (up to a constant, which does not change values at degree-zero divisors).
• Let us compute, using Weil reciprocity in the form $g(\operatorname{Div}(f_2)) = f_2(\operatorname{Div}(g))$:
  $\dfrac{f_1'(D_2)}{f_2(D_1')} = \dfrac{(f_1 g^m)(D_2)}{f_2(D_1 + \operatorname{Div}(g))} = \dfrac{f_1(D_2)\,g^m(D_2)}{f_2(D_1)\,f_2(\operatorname{Div}(g))} = \dfrac{f_1(D_2)\,g(mD_2)}{f_2(D_1)\,f_2(\operatorname{Div}(g))} = \dfrac{f_1(D_2)\,g(\operatorname{Div}(f_2))}{f_2(D_1)\,f_2(\operatorname{Div}(g))} = \dfrac{f_1(D_2)}{f_2(D_1)}$.
• Analogously, changing $D_2$ to an equivalent divisor does not
  affect the value.
$e_m(P_1, P_2)$ is an m-th root of unity
• $e_m(P_1, P_2)^m = \left(\dfrac{f_1(D_2)}{f_2(D_1)}\right)^m$; writing $D_2 = [P_2] - [O]$ and $D_1 = [P_1] - [O]$ this is
  $\left(\dfrac{f_1(P_2)\,f_1(O)^{-1}}{f_2(P_1)\,f_2(O)^{-1}}\right)^m = \dfrac{f_1^m(P_2)\,f_1^m(O)^{-1}}{f_2^m(P_1)\,f_2^m(O)^{-1}} = \dfrac{f_1(m[P_2] - m[O])}{f_2(m[P_1] - m[O])} = \dfrac{f_1(mD_2)}{f_2(mD_1)} = \dfrac{f_1(\operatorname{Div}(f_2))}{f_2(\operatorname{Div}(f_1))} = 1$
  by Weil reciprocity.
An Alternative Form
• The divisors $[P_1] - [O]$ and $[P_2] - [O]$ do not have
  disjoint supports (and they meet the supports of $\operatorname{Div}(f_1)$ and $\operatorname{Div}(f_2)$).
• It is customary to keep $f_1, f_2$ with $\operatorname{Div}(f_i) = m[P_i] - m[O]$ and to shift the divisors at which they are evaluated:
  $D_1 = [P_1 + T] - [T]$ for a point $T \in E$ (note that T need not be in
  $E[m]$), and likewise $D_2 = [P_2 + S] - [S]$.
• One may choose T randomly, but to ensure disjoint
  supports, T cannot be $P_1, P_2, -P_1, -P_2$, or O.
• With $S = -T$ the Weil pairing is then given by:
  $e_m(P_1, P_2) = \dfrac{f_1(P_2 + S)}{f_1(S)} \Big/ \dfrac{f_2(P_1 - S)}{f_2(-S)}$
Weil Pairing
• For $P, Q \in E[m]$, let $f_P, f_Q$ be rational functions on E
  such that:
  $\operatorname{div}(f_P) = m[P] - m[O]$
  $\operatorname{div}(f_Q) = m[Q] - m[O]$
  Then $e_m(P, Q) = \dfrac{f_P(Q + S)}{f_P(S)} \Big/ \dfrac{f_Q(P - S)}{f_Q(-S)}$.
• Note that formally, with $D_2 = [Q] - [O]$ and $D_1 = [P] - [O]$,
  $\dfrac{f_P(D_2)}{f_Q(D_1)} = \dfrac{f_P([Q] - [O])}{f_Q([P] - [O])} = \dfrac{f_P(Q)\,(f_P(O))^{-1}}{f_Q(P)\,(f_Q(O))^{-1}}$,
  which would require evaluating $f_P$ and $f_Q$ at their pole O; the auxiliary point S avoids this.
Properties of Weil Pairing
• $e_m(P, Q)$ is independent of the choice of the functions
  and of the point S.
• The value of $e_m(P, Q)$ is an m-th root of unity.
• The Weil pairing is bilinear in a multiplicative manner:
  $e_m(P_1 + P_2, Q) = e_m(P_1, Q)\,e_m(P_2, Q)$
  $e_m(Q, P_1 + P_2) = e_m(Q, P_1)\,e_m(Q, P_2)$
• Alternating: $e_m(P, P) = 1$.
• Skew-symmetric: $e_m(P, Q) = e_m(Q, P)^{-1}$.
• Non-degenerate: If $e_m(P, Q) = 1$ for all $Q \in E[m]$, then $P = O$.
Proof of Bilinearity
• Writing the pairing in the simplified form $e_m(P, Q) = f_P(Q)/f_Q(P)$ (the auxiliary point S suppressed),
  $e_m(P_1 + P_2, Q) = \dfrac{f_{P_1 + P_2}(Q)}{f_Q(P_1 + P_2)}$.
• Likewise, $e_m(P_1, Q)\,e_m(P_2, Q) = \dfrac{f_{P_1}(Q)}{f_Q(P_1)} \cdot \dfrac{f_{P_2}(Q)}{f_Q(P_2)}$.
• RTP (required to prove):
  $\dfrac{f_{P_1 + P_2}(Q)}{f_Q(P_1 + P_2)} = \dfrac{f_{P_1}(Q)}{f_Q(P_1)} \cdot \dfrac{f_{P_2}(Q)}{f_Q(P_2)}$
• Rearranging,
  $\dfrac{f_{P_1 + P_2}(Q)}{f_{P_1}(Q)\,f_{P_2}(Q)} = \dfrac{f_Q(P_1 + P_2)}{f_Q(P_1)\,f_Q(P_2)}$.
Proof of Bilinearity
• Define $F_{P_1,P_2}(X) = \dfrac{f_{P_1 + P_2}(X)}{f_{P_1}(X)\,f_{P_2}(X)}$.
• $\operatorname{div}(F_{P_1,P_2}) = (m[P_1 + P_2] - m[O]) - (m[P_1] - m[O]) - (m[P_2] - m[O]) = m\big([P_1 + P_2] - [P_1] - [P_2] + [O]\big)$.
• The divisor $[P_1 + P_2] - [P_1] - [P_2] + [O]$ has degree 0 and its points sum to O, so it is principal: it equals $\operatorname{div}(G_{P_1,P_2})$ for some rational function $G_{P_1,P_2}$, and hence (up to a constant) $F_{P_1,P_2} = G_{P_1,P_2}^m$.
Proof of Bilinearity
RTP:
  $\dfrac{f_{P_1 + P_2}(Q)}{f_Q(P_1 + P_2)} = \dfrac{f_{P_1}(Q)}{f_Q(P_1)} \cdot \dfrac{f_{P_2}(Q)}{f_Q(P_2)}$
LHS of the rearranged identity $= F_{P_1,P_2}(Q) = (G_{P_1,P_2}(Q))^m$.
Note this is of the form $G_{P_1,P_2}$ evaluated at the divisor
$[Q] - [O]$.
Thus
LHS $= \big(G_{P_1,P_2}(Q) \cdot (G_{P_1,P_2}(O))^{-1}\big)^m = G_{P_1,P_2}(m[Q] - m[O])$
$= G_{P_1,P_2}(\operatorname{div}(f_Q)) = f_Q(\operatorname{div}(G_{P_1,P_2}))$ (Weil reciprocity)
$= f_Q([P_1 + P_2] - [P_1] - [P_2] + [O])$
$= f_Q\big(([P_1 + P_2] - [O]) - ([P_1] - [O]) - ([P_2] - [O])\big)$
$= \dfrac{f_Q(P_1 + P_2)}{f_Q(P_1)\,f_Q(P_2)}$ = RHS.
Miller's Theorem
• Let λ be the slope of the line through P and Q
  (λ = ∞ if the line is vertical, and λ the slope of the
  tangent line at P if P = Q).
• Define the function $h_{P,Q}$ on E as:
  $h_{P,Q} = \begin{cases} \dfrac{Y - y_P - \lambda(X - x_P)}{X + x_P + x_Q - \lambda^2}, & \lambda \neq \infty \\[1ex] X - x_P, & \lambda = \infty \end{cases}$
• Then $\operatorname{div}(Y - y_P - \lambda(X - x_P)) = [P] + [Q] + [-P-Q] - 3[O]$.
  This is the divisor of the numerator.
Proof
• By the addition algorithm: $x_{P+Q} = \lambda^2 - x_P - x_Q$.
• Denominator of $h_{P,Q}$: $X + x_P + x_Q - \lambda^2 = X - x_{P+Q}$.
• $\operatorname{Div}(X - x_{P+Q}) = [P+Q] + [-P-Q] - 2[O]$
• $\operatorname{Div}(h_{P,Q}) = [P] + [Q] + [-P-Q] - 3[O] - [P+Q] - [-P-Q] + 2[O] = [P] + [Q] - [P+Q] - [O]$.
• Finally, if $\lambda = \infty$, then the line is vertical, and thus
  $Q = -P$ (so $P + Q = O$).
• Thus $\operatorname{Div}(h_{P,Q}) = [P] + [-P] - 2[O] = [P] + [Q] - [P+Q] - [O]$, the same formula.
Geometry of $h_{P,Q}$
[Figure: the chord through P and Q and the vertical line through P+Q]
Miller's Algorithm
• To compute $e_m(P, Q)$:
• Let $m = m_0 + 2m_1 + \dots + 2^{n-1} m_{n-1}$ (binary expansion).
• The following algorithm (processing the bits of m from the most significant one, starting from $f = 1$, $T = P$, with a doubling step $f \leftarrow f^2\,h_{T,T}$, $T \leftarrow 2T$ for every bit and an addition step $f \leftarrow f\,h_{T,P}$, $T \leftarrow T + P$ for every bit equal to 1)
  computes a function $f_P$
  such that $\operatorname{Div}(f_P) = m[P] - [mP] - (m-1)[O]$.
• Thus, if $P \in E[m]$,
  $\operatorname{Div}(f_P) = m[P] - m[O]$.
Proof Idea
• Let $m = 2 = (10)_2$, $n = 2$.
• $f = h_{P,P}$
• Note: $\operatorname{Div}(h_{P,P}) = 2[P] - [2P] - [O]$
  (which is the desired result).
Proof Idea
• Let $m = 3 = (11)_2$.
• After the doubling step for the lowest bit, the addition step is also
  executed.
• Thus $f = h_{P,P}\,h_{2P,P}$.
• $\operatorname{Div}(f) = \operatorname{Div}(h_{P,P}) + \operatorname{Div}(h_{2P,P})$
  $= 2[P] - [2P] - [O] + [2P] + [P] - [3P] - [O] = 3[P] - [3P] - 2[O]$
Proof Idea
• Let $m = 4 = (100)_2$.
• Two doubling steps are executed.
• Thus $f = (h_{P,P})^2\,h_{2P,2P}$.
• $\operatorname{Div}(f) = 2\operatorname{Div}(h_{P,P}) + \operatorname{Div}(h_{2P,2P})$
  $= 2(2[P] - [2P] - [O]) + ([2P] + [2P] - [4P] - [O]) = 4[P] - [4P] - 3[O]$
The Final Step!
• $e_m(P_1, P_2) = \dfrac{f_{m,P_2}(T)\,f_{m,P_1}(P_2 - T)}{f_{m,P_1}(-T)\,f_{m,P_2}(P_1 + T)}$
• Note that if the numerators and denominators of Miller's
  algorithm are handled separately, no field division is
  required inside the loop.
• Also, if $P_1 \neq P_2$,
  $e_m(P_1, P_2) = (-1)^m\,\dfrac{f_{m,P_1}(P_2)}{f_{m,P_2}(P_1)}$.
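Miller's algorithm with the line functions $h_{T,Q}$ above, the Weil pairing in the alternative form $e_m(P_1,P_2) = \frac{f_1(P_2+S)}{f_1(S)} \big/ \frac{f_2(P_1-S)}{f_2(-S)}$, and the two $\mathbb{F}_{37}$ computations from the divisor slides (the chord through $P = (1,9)$, $Q = (10,4)$ and the Weil reciprocity check with $f = y + 17x + 11$, $g = (x+16)/(x+4)$), all on the slides' curve $E: y^2 = x^3 + x + 5$ over $\mathbb{F}_{37}$. This is an added example, not code from the slides. Its assumptions: $\#E(\mathbb{F}_{37}) = 38 = 2 \cdot 19$ (the block recounts it), so $m = 19$ has embedding degree $k = 2$ because $37 \equiv -1 \pmod{19}$; $\mathbb{F}_{37^2}$ is built as $\mathbb{F}_{37}[i]/(i^2 - 5)$ with the non-residue 5; the 19-torsion points are $P_1 = 2 \cdot (1, 9)$ and $P_2 = 2 \cdot (0, i)$, the latter on E because $i^2 = 5 = s(0)$ and outside $E(\mathbb{F}_{37})$; the auxiliary point S is searched over $E(\mathbb{F}_{37})$ and any S that hits a zero or pole of an intermediate Miller factor is skipped. All function and class names are this example's own.

```python
# Added example, not from the slides: Miller's algorithm and the Weil pairing on the slides' curve
# E: y^2 = x^3 + x + 5 over F_37.  #E(F_37) = 38 = 2*19 and 19 | 37^2 - 1, so for m = 19 the
# embedding degree is 2: E[19] lies in F_{37^2}, built here as F_37[i]/(i^2 - 5) (5 is a non-residue).
P_MOD, NR, A, B = 37, 5, 1, 5

class F2:
    """a + b*i in F_{37^2} with i^2 = NR; this representation is the example's choice."""
    def __init__(self, a, b=0): self.a, self.b = a % P_MOD, b % P_MOD
    def __add__(s, o): o = lift(o); return F2(s.a + o.a, s.b + o.b)
    def __sub__(s, o): o = lift(o); return F2(s.a - o.a, s.b - o.b)
    def __mul__(s, o): o = lift(o); return F2(s.a * o.a + NR * s.b * o.b, s.a * o.b + s.b * o.a)
    def __neg__(s): return F2(-s.a, -s.b)
    def __rsub__(s, o): return lift(o) - s
    def __eq__(s, o): o = lift(o); return (s.a, s.b) == (o.a, o.b)
    def __truediv__(s, o): return s * lift(o).inv()
    def __repr__(s): return f"({s.a}+{s.b}i)" if s.b else str(s.a)
    __radd__ = __add__; __rmul__ = __mul__
    def inv(s):
        n = (s.a * s.a - NR * s.b * s.b) % P_MOD          # norm down to F_37; zero only for 0
        if n == 0: raise ZeroDivisionError
        k = pow(n, -1, P_MOD); return F2(s.a * k, -s.b * k)
    def __pow__(s, e):
        r = F2(1)
        for _ in range(e): r = r * s
        return r

def lift(o): return o if isinstance(o, F2) else F2(o)
def pt(x, y): return (F2(x), F2(y))                      # affine point; None stands for O

def slope(P, Q):
    """lambda of the line through P and Q (tangent if P == Q); None if the line is vertical."""
    (x1, y1), (x2, y2) = P, Q
    if x1 != x2: return (y2 - y1) / (x2 - x1)
    return (3 * x1 * x1 + A) / (2 * y1) if (y1 == y2 and y1 != 0) else None

def add(P, Q):
    """Chord-and-tangent addition on E."""
    if P is None or Q is None: return Q if P is None else P
    lam = slope(P, Q)
    if lam is None: return None                           # P + (-P) = O
    x3 = lam * lam - P[0] - Q[0]
    return (x3, lam * (P[0] - x3) - P[1])

def neg(P): return None if P is None else (P[0], -P[1])

def mul(k, P):
    R = None
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1": R = add(R, P)
    return R

def h(T, Q, X):
    """Miller's h_{T,Q} of the slides at X: (y - y_T - lam(x - x_T)) / (x - x_{T+Q}), or x - x_T
    when the line is vertical; div h_{T,Q} = [T] + [Q] - [T+Q] - [O]."""
    x, y = X
    lam = slope(T, Q)
    if lam is None: return x - T[0]
    return (y - T[1] - lam * (x - T[0])) / (x + T[0] + Q[0] - lam * lam)

def miller(m, P, X):
    """f_{m,P}(X) with div f_{m,P} = m[P] - [mP] - (m-1)[O]; the loop is the slides' algorithm."""
    f, T = F2(1), P
    for bit in bin(m)[3:]:                                # leading bit gives f = 1, T = P
        f, T = f * f * h(T, T, X), add(T, T)
        if bit == "1": f, T = f * h(T, P, X), add(T, P)
    return f

def rational_points():
    """E(F_37) without O, by exhaustive search over 37^2 candidates (37 points expected)."""
    return [pt(x, y) for x in range(P_MOD) for y in range(P_MOD)
            if (y * y - x ** 3 - A * x - B) % P_MOD == 0]

def weil_pairing(m, P1, P2):
    """e_m(P1,P2) = [f_{m,P1}(P2+S)/f_{m,P1}(S)] / [f_{m,P2}(P1-S)/f_{m,P2}(-S)], the alternative
    form on the slides; S runs through E(F_37) until no intermediate Miller factor has a zero or pole."""
    for S in rational_points():
        X = [add(P2, S), S, add(P1, neg(S)), neg(S)]
        if any(p is None for p in X): continue
        try:
            v = [miller(m, P1, X[0]), miller(m, P1, X[1]), miller(m, P2, X[2]), miller(m, P2, X[3])]
            if any(t == 0 for t in v): continue           # hit a zero: try the next S
            return v[0] * v[3] / (v[1] * v[2])
        except ZeroDivisionError:                         # hit a pole: try the next S
            continue
    raise ValueError("no admissible auxiliary point S")

def reciprocity_check():
    """Weil reciprocity on the slides' example f = y + 17x + 11, g = (x+16)/(x+4): returns
    (f(Div g), g(Div f)) for Div g = 2[(21,0)] - [(33,14)] - [(33,23)], Div f = [P]+[Q]+[R] - 3[O]."""
    f = lambda X: X[1] + 17 * X[0] + 11
    g = lambda X: (X[0] + 16) / (X[0] + 4)
    f_of_div_g = f(pt(21, 0)) ** 2 / (f(pt(33, 14)) * f(pt(33, 23)))
    g_of_div_f = g(pt(1, 9)) * g(pt(10, 4)) * g(pt(19, 36)) / F2(1) ** 3   # g(O) = 1: equal degrees
    return f_of_div_g, g_of_div_f

# 19-torsion points: P1 from E(F_37), P2 = 2*(0, i), which lies on E because i^2 = 5 = s(0).
P1, P2 = mul(2, pt(1, 9)), mul(2, (F2(0), F2(0, 1)))

if __name__ == "__main__":
    e = weil_pairing(19, P1, P2)
    print("#E(F_37) =", len(rational_points()) + 1, " P+Q =", add(pt(1, 9), pt(10, 4)))
    print("reciprocity:", reciprocity_check(), " e_19(P1,P2) =", e, " e^19 =", e ** 19)
```

The pairing value lands in $\mathbb{F}_{37^2} \setminus \mathbb{F}_{37}$ (a primitive 19th root of unity cannot lie in $\mathbb{F}_{37}^*$, whose order 36 is not divisible by 19), which is the embedding degree $k = 2$ made visible; the same code checks bilinearity, $e_{19}(P_1, P_1) = 1$ and $e_{19}(P_2, P_1) = e_{19}(P_1, P_2)^{-1}$ directly.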