
As mentioned before, we want to restrict ourselves to the case of imaginary quadratic hyperelliptic curves $C/k$ of genus $g$ given by (V.4). In this section we want to give an algorithm that realises the group law in the Jacobian of $C$. From the previous sections, we already know that it is enough to do the arithmetic in the ideal class group $\mathrm{Cl}(\mathcal{O})$ with the usual notation. The idea of the algorithm we will describe is the same as Gauß used for number fields in [Gau01]. If $D_1$ and $D_2$ are two reduced divisors, we want to compute a reduced representative of the ideal class of $D_1 + D_2$. To this end, we compose $D_1$ and $D_2$, which yields a semireduced representative of the ideal class of $D_1 + D_2$ by theorem V.2.28. This semireduced divisor can be reduced to a reduced divisor lying in the same ideal class. This algorithm, consisting of the composition and a reduction step, was first described in [Can87] and is known as Cantor's algorithm.

Composition Step

Let $D_1 = \operatorname{div}(a_1, b_1)$ and $D_2 = \operatorname{div}(a_2, b_2)$ be two reduced divisors. We summarize the steps we have done in the proof of theorem V.2.28 that multiplied the two ideals corresponding to $D_1$ and $D_2$ and yielded the representation $(d)(a, y - b)$ of this ideal multiplication. This newly found ideal obviously lies in the same ideal class as $D_1 + D_2$.

V.3. AN ALGORITHM FOR THE GROUP LAW 107

Algorithm 3 Composition Step

INPUT: Two reduced divisors $D_1 = \operatorname{div}(a_1, b_1)$ and $D_2 = \operatorname{div}(a_2, b_2)$.

OUTPUT: A semireduced representative $\operatorname{div}(a, b)$ of the ideal class of $D_1 + D_2$.

1: $(\tilde{u}, \tilde{v}, \tilde{d}) \leftarrow \mathrm{EEA}(a_1, a_2)$ {EEA = Extended Euclidean Algorithm}

2: $(u, v, d) \leftarrow \mathrm{EEA}(\tilde{d}, b_1 + b_2 + h)$

3: $u_1 \leftarrow u\tilde{u}$ and $u_3 \leftarrow v$ {cf. remark V.2.29}

4: $a \leftarrow (a_1 a_2)/d^2$

5: $b \leftarrow b_1 + \bigl(u_1 a_1 (b_2 - b_1) - u_3 (b_1^2 + b_1 h - f)\bigr)/d \pmod{a}$

6: return $\operatorname{div}(a, b)$

Proof of algorithm 3. See proof of theorem V.2.28, in particular the left side of equation (V.8).

Reduction Step

Our next task is to reduce the semireduced divisor found in the previous algorithm.

The reduction method we will provide has been suggested by Paulus and Stein in [PS98] and is based on an idea by Lagrange in [Lag73].

Algorithm 4 Lagrange Reduction

INPUT: A semireduced divisor $D = \operatorname{div}(a_0, b_0)$.

OUTPUT: A reduced representative $\operatorname{div}(a, b)$ of the ideal class of $D$.

1: $k \leftarrow 0$ {some index variable}

2: if $\deg(a_k) > g$ then

3: $k \leftarrow 1$

4: $a_1 \leftarrow (b_0^2 + b_0 h - f)/a_0$

5: $b_1 \leftarrow -b_0 - h \pmod{a_1}$ and $q_1 \leftarrow (-b_0 - h - b_1)/a_1$ {ED}

6: while $\deg(a_k) > g$ do

7: $a_k \leftarrow a_{k-2} + q_{k-1}(b_{k-2} - b_{k-1})$

8: $b_k \leftarrow -b_{k-1} - h \pmod{a_k}$ and $q_k \leftarrow (-b_{k-1} - h - b_k)/a_k$ {ED}

9: $k \leftarrow k + 1$

10: $a \leftarrow a_k$ and $b \leftarrow b_k$

11: return $\operatorname{div}(a, b)$
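As an added illustration that is not part of the thesis, the following Python code carries out the reduction step of algorithm 4 for a curve $y^2 + h(x)y = f(x)$ over a prime field, using the recursion of equation (V.9) for $k \ge 2$ and normalising the output $a$ to be monic. The polynomial helpers, the prime $101$, the curve $y^2 = x^5 + 51$ and the starting divisor are all constructed for this example and are not the author's own code or data.

```python
P = 101  # constructed example: the prime field GF(101)

def trim(a):  # drop leading zeros; coefficient lists are lowest degree first
    while a and a[-1] % P == 0:
        a.pop()
    return a
def deg(a): return len(trim(list(a))) - 1     # deg(0) = -1
def neg(a): return [(-c) % P for c in a]

def add(a, b):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % P for i in range(n)])

def mul(a, b):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % P
    return trim(r)

def euclid_div(a, b):  # ED: a = q*b + r with deg r < deg b, for nonzero b
    a, b = trim(list(a)), trim(list(b))
    inv, q = pow(b[-1], P - 2, P), [0] * max(len(a) - len(b) + 1, 1)
    while deg(a) >= deg(b):
        k, c = len(a) - len(b), a[-1] * inv % P
        q[k] = c
        a = add(a, neg(mul([0] * k + [c], b)))
    return trim(q), a

def lagrange_reduce(a0, b0, f, h, g):
    """Algorithm 4: reduce the semireduced div(a0, b0) on y^2 + h y = f of genus g."""
    if deg(a0) <= g:
        return a0, b0
    # steps 4-5: a_1 = (b_0^2 + b_0 h - f)/a_0 (exact), b_1 = -b_0 - h mod a_1, q_1 the quotient
    a1, rem = euclid_div(add(mul(b0, b0), add(mul(b0, h), neg(f))), a0)
    assert rem == [], "div(a0, b0) is not semireduced"
    q1, b1 = euclid_div(neg(add(b0, h)), a1)
    (a_k2, b_k2), (a_k1, b_k1), q_k1 = (a0, b0), (a1, b1), q1
    # steps 6-9 via (V.9): a_k = a_{k-2} + q_{k-1}(b_{k-2} - b_{k-1}), b_k = -b_{k-1} - h mod a_k
    while deg(a_k1) > g:
        a_k = add(a_k2, mul(q_k1, add(b_k2, neg(b_k1))))
        q_k, b_k = euclid_div(neg(add(b_k1, h)), a_k)
        (a_k2, b_k2), (a_k1, b_k1), q_k1 = (a_k1, b_k1), (a_k, b_k), q_k
    inv = pow(a_k1[-1], P - 2, P)               # normalise a to be monic
    return [c * inv % P for c in a_k1], b_k1

# Constructed input: y^2 = x^5 + 51 over GF(101), genus 2, h = 0; b0 = x^3 + x, a0 = (b0^2 - f)/(x - 3)
F, H, G = [51, 0, 0, 0, 0, 1], [], 2
A0, B0 = [17, 73, 24, 8, 2, 1], [0, 1, 0, 1]
A, B = lagrange_reduce(A0, B0, F, H, G)       # gives ([98, 1], [71]), i.e. div(x - 3, 71)
```

Since $a_0$ is $(b_0^2 - f)/(x - 3)$ by construction, a single reduction step already yields the reduced divisor $\operatorname{div}(x - 3, -b_0(3))$; the while-loop is only entered for inputs of higher degree.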

Proof of algorithm 4. Firstly, we prove by induction on $k$ that
$$a_k = \frac{b_{k-1}^2 + b_{k-1} h - f}{a_{k-1}} \quad \text{for } k \ge 1. \tag{V.9}$$

This statement is clear by definition of $a_k$ if $k = 1$. Now, assume that the statement is true for $k - 1$ with $k \ge 2$. By inserting the definition of $a_k$, we have
$$a_k a_{k-1} = a_{k-2} a_{k-1} + q_{k-1} a_{k-1} (b_{k-2} - b_{k-1}),$$
which equals
$$b_{k-2}^2 + b_{k-2} h - f - (b_{k-2} + b_{k-1} + h)(b_{k-2} - b_{k-1}) = b_{k-1}^2 + b_{k-1} h - f$$
by using the induction hypothesis and the construction of $q_{k-1}$. This proves the statement.

For this form of $a_k$, it is easy to show that the while-loop terminates for some index $k$: We see that $\deg(a_k) \ge g + 1$ in the while-loop of the algorithm, which implies that
$$\deg(b_{k-1}^2 + b_{k-1} h - f) \le \max\{2\deg(b_{k-1}),\ \deg(b_{k-1}) + g,\ 2g + 1\} \le \max\{2\deg(a_{k-1}) - 2,\ 2g + 1\} = 2\deg(a_{k-1}) - 2$$
by assumption. By (V.9), this means that $\deg(a_k) \le \deg(a_{k-1}) - 2 < \deg(a_{k-1})$. So if $\deg(a_{k-1}) = g + 1$, we have $\deg(a_k) \le g$ and the while-loop terminates.

Secondly, we show that $\operatorname{div}(a_k, b_k)$ is in the same ideal class as $\operatorname{div}(a_{k-1}, b_{k-1})$ for all $k \ge 1$. For simplicity, we let $a = a_{k-1}$ and $b = b_{k-1}$. By an easy induction on $k$, we immediately see that $\operatorname{div}(a_k, b_k)$ is a semireduced divisor for all $k$. This means in particular that $a \mid b^2 + bh - f$, i.e. there exists $c \in k[x]$ such that $ac = (y - b)(\omega(y) - b)$, and $\operatorname{div}(ac, b)$ and $\operatorname{div}(c, b)$ are obviously semireduced divisors. Now, by proposition V.2.27(3), we know that
$$\gcd\bigl(\operatorname{div}((b^2 + bh - f)\mathcal{O}),\ \operatorname{div}((y - b)\mathcal{O})\bigr) = \sum_{p} v_p \,(P),$$
where $b^2 + bh - f = \prod_p p^{v_p}$ with $p \in k[x]$ irreducible, $v_p \ge 0$ and $P$ is the place of $k(x)/k$ with uniformizer $p$. On the other hand, proposition V.2.27(2) says that

$$\sum_{p} v_p \,(P) = \operatorname{div}((y - b)\mathcal{O}),$$
so we have
$$\operatorname{div}((y - b)\mathcal{O}) = \gcd\bigl(\operatorname{div}(ac\,\mathcal{O}),\ \operatorname{div}((y - b)\mathcal{O})\bigr)$$

by inserting $ac$ into the equation. This in turn is the same as $\operatorname{div}(ac, b)$ by proposition V.2.26. Using proposition V.2.27(3) twice, we also have
$$\operatorname{div}(ac, b) = \sum_{p} v_p(ac)\,(P) = \operatorname{div}(a, b) + \operatorname{div}(c, b)$$

with the usual notation. In total, we have shown

$$\operatorname{div}((y - b)\mathcal{O}) = \operatorname{div}(a, b) + \operatorname{div}(c, b).$$

By corollary V.2.35 and the definition of $a_k$ and $b_k$, we know
$$\omega(\operatorname{div}(c, b)) = \operatorname{div}(c, -b - h \bmod c) = \operatorname{div}(a_k, b_k)$$
and that $\omega(\operatorname{div}(c, b))$ lies in the opposite ideal class of $\operatorname{div}(c, b)$, i.e.
$$\omega(\operatorname{div}(c, b)) = \operatorname{div}(a, b) + \operatorname{div}((d(y - b)^{-1})\mathcal{O}) \quad \text{for some } d \in k[x].$$
This shows that $\operatorname{div}(a_k, b_k)$ lies in the same ideal class as $\operatorname{div}(a, b)$.

Chapter VI

Pairings

In the two previous chapters, we have met elliptic curves and their generalizations, called hyperelliptic curves. Starting with a point $P$ on an elliptic curve $E/k$ over some finite field $k$, we want to construct a mapping
$$\pi : \langle P \rangle \times \langle P \rangle \to l,$$
where $l$ is a certain finite field extension of $k$. By restricting the image of this mapping, we can prove that $\pi$ is a non-degenerate pairing, i.e. a non-degenerate bilinear map.

Such pairings can then be generalized to the case of hyperelliptic curves. Since we will consider cryptographic applications in chapter VII, we need an algorithm to compute these pairings efficiently.

We begin in section VI.1 with the basic notions of pairings on Abelian groups with given exponent. Very quickly, we come to the Weil pairing for elliptic curves, which we define in section VI.2.1 and prove its properties. For computational purposes, we give an alternative definition of this pairing in section VI.2.2. Since the existence of the Weil pairing has far-reaching consequences, we prove some of them in section VI.2.3.

Interestingly, the Weil pairing can be described in terms of another pairing, called the Tate-Lichtenbaum pairing. As promised, we define this pairing and prove its properties in the more general case of arbitrary nonsingular curves in section VI.3. Certainly, the definition of the Tate-Lichtenbaum pairing for elliptic curves is just a special case of this, but we should state it and its consequences that occur in this special situation clearly in section VI.4. Then, we are finally in a position to explain an algorithm to compute these pairings, starting with the elliptic curve case in section VI.5.1, and generalize this to the hyperelliptic curve case in section VI.5.2. Section VI.6, the last section of this chapter, has mostly cryptographic purposes. We want to define so-called distortion maps on supersingular elliptic curves, which can then be used to modify pairings, so that they are more useful in cryptographic applications.

There are many interesting and important ideas in this chapter, and we would like the reader to take special notice of the following highlights/author's own contributions:

• New proofs of all properties of the $\phi$-Weil pairing. In fact, the content of the whole section VI.2.1 is the author's own work. It is a generalization of the Weil pairing as it is presented in [Sil86], and the enlightening paper [Gar04] by Theodoulos Garefalakis inspired the author with this idea.

• A proof of the equivalence of the two definitions of the Weil pairing in section VI.2.2, which is based on [Was03], but uses some more advanced methods.

• Complete proofs of the properties of the Tate-Lichtenbaum pairing in section VI.3, which are all the author’s own work. Only the proof of the non-degeneracy is an elaboration of [Hes04], but uses a slightly different approach. Also, we fill all the gaps in [Hes04].

• Proofs of results on when the Tate pairing is non-trivial (see propositions VI.4.6 and VI.4.7).

• Elaboration of [Mil04], and generalization (based on [ACD+06]) to hyperelliptic curves in section VI.5.

• Elaboration of [Ver04] concerning distortion maps in section VI.6.1. We also present ways to modify pairings by using distortion maps in section VI.6.2.

VI.1 Pairings on Abelian Groups

We want to give a short introduction to the notion of pairings on Abelian groups. To this end, let $m \in \mathbb{Z}_{>0}$ and let $A$ and $B$ be additively written Abelian groups with identity element $0$, both having exponent $m$. Suppose that $C$ is a multiplicatively written cyclic group of order $m$ with identity element $1$.

Definition VI.1.1. Let $\pi : A \times B \to C$ be a map.

1. $\pi$ is called a pairing (or bilinear) if we have for all $P, P' \in A$ and all $Q, Q' \in B$:
$$\pi(P + P', Q) = \pi(P, Q)\,\pi(P', Q) \quad \text{and} \quad \pi(P, Q + Q') = \pi(P, Q)\,\pi(P, Q').$$

2. $\pi$ is called non-degenerate if the associated homomorphisms $A \to \operatorname{Hom}(B, C)$ defined by $P \mapsto [Q \mapsto \pi(P, Q)]$ and $B \to \operatorname{Hom}(A, C)$ defined by $Q \mapsto [P \mapsto \pi(P, Q)]$ are both injective.

The following properties of a pairing can be easily verified by using the bilinearity:

Lemma VI.1.2. Let $\pi : A \times B \to C$ be a pairing. If $P \in A$ and $Q \in B$, then:

1. $\pi(P, 0) = \pi(0, Q) = 1$.

2. $\pi(-P, Q) = \pi(P, Q)^{-1} = \pi(P, -Q)$.

3. $\pi(nP, Q) = \pi(P, Q)^n = \pi(P, nQ)$ for all $n \in \mathbb{Z}$.

VI.2. THE WEIL PAIRING 113