>> Kristin Lauter: Okay. So today we are very happy to welcome Damien Robert here to speak
to us. Damien is visiting from University of Bordeaux where he is an INRIA researcher. He was
previously a postdoc in our group at Microsoft Research, and he is a world renowned expert on
isogenies of abelian varieties and theta functions. Thank you.
>> Damien Robert: Thank you Kristen. It's always a pleasure to be back there. So, as the title
says, I will speak today about pairings between abelian varieties with theta function. But that's
not my main subject of interest here is abelian varieties where we see that it has applications
for elliptic curves already. So, first the plan. I'll be a brief background on cross-pairing
cartography. It will be brief because I'm most of you know most of it. Then I will spend a bit
more time on abelian varieties and theta functions, and I will explain the main part of the talk
which is pairing with the theta function, and the end of the talk a bit about the [inaudible]
amounts we achieve.
So first, cross-pairing on cartography. So pairing, as most of you all know, is simply a nondegenerate bilinear application between one group and another which [inaudible] in this talk
will be finite. So the first applications where [inaudible] application like it allows two transfers
or differential guide program from one group to the other, then people realize that there is a
lot of application for cartography and a lot of protocols. I like to see pairings as a way to
homeomorphic encryption when you get two additions but only one multiplication. So it's not
as peripheral but it’s much faster that, if we do homeomorphic encryption that we can do
today.
So how do we get pairings? Well, the prime examples come from elliptical. So, as you know,
elliptical is simply curve of this form where square to X, Q plus X plus B over [inaudible].
[inaudible] if I want to find pairings. I take P and Q, two points of l-torsion, then the divisor, I
times P minus L times U is a principle divisor. So I can find a function up towards, well defined
up to a constant associated to this divisor which I call F, P. It's the same. I have a function F, Q,
S associated to this divisor here. And I define the Weil pairing by this formula. So because I
relate on Q minus 0 is does not to depend on the constant of F, P here. So a little [inaudible] is
that you look at my definition F, P has a pull at zero and I'm everything has zeros. It doesn't
make any sounds, but actually if you normalize things correctly, this formula actually makes
sense. And it is what we call that Weil pairing. We can show that this is abelian and nondegenerate. It is indeed a pairing.
So we’ll define some embedding degree, simply the smallest field extension of F, Q where the
points, so all sorts of unity leaves and I will call it D, some embedding degree. So this is the Weil
pairing, and in practice and crypto we use something that is called a Tate pairing that is very
close but this time P still, so Q is any point in the [inaudible] point in the elliptic curve. P is a
point of l-torsion that such that, so [inaudible] of P is equal to Q times P. And then the Weil
pairing is only defined by this formula which is well-defined up to L [inaudible]. So it falls in this
group here. So just one mark is here if I work about this one here we don't have the full ltorsion to get a pairing, but of course, you have work of F, Q, D about some embedding degree.
The Tate pairing goes from J, l-torsion times a point here is to [inaudible] infinity if I normalize.
And the Tate pairing is used a lot in cryptography because, as you can see, it's only half the Weil
pairing, but since we also do an exponentiation to normalize the pairing, it can allow us to gain,
to serve some computation which is called denominator [inaudible].
So how do we compute these pairings? Well, we need to compute this function F, P and F, Q
and the [inaudible] on Q and P. More generally, what we did find is what you call the mirror
functions [inaudible] lambda and a different F lambda X to be a function necessitated to this
divisor here while we can check the [inaudible] principal divisor. And we want to do is compute
F, P simply with this new definition F, L, P. So the [inaudible] behind mirrors [inaudible], which
I'll use, which is still used to compute pairings, is to do it by sort of double on [inaudible]. So
mine is, my idea is that the function of F lambda plus mu is equal to F lambda times M mu times
something that I call I've got it lambda mu, and if you look at the definition of F in time of
divisor, we see that F lambda and I’ve got it lambda and mu is simply the function necessitated
to this divisor here. But if you want [inaudible] addition low works for elliptical, it's geometric,
meaning that if you know what to do the addition, even though it’s in a geometric way, you
know how to work over this function because this is some piece of sum of these two points
here.
So maybe it will be clear with an example. So I have the point lambda X here, mu X here, and
as you know, the addition on that plus mu X, it takes the line and puts it here, and if you look at
this function, so this line it has zeros, at this point and we are [inaudible] not infinity.
[inaudible]. So was this gives a flowing, double and hard [inaudible] to compute the [inaudible]
edge pairing. So each time we do a double and then we are [inaudible] mirror functions and
throw them away and sometimes we do in addition, so we are to compute this slope here and
we get again the mirror functions in the flowing way.
So [inaudible] algorithm; it’s pretty fast. Okay. So we know how to compute pairings on
ellipticals. And now the question is can we compute pairings on geometric object, but not
complicated like, let’s say, greater dimensions and ellipticals. So one prime example of things
that look like ellipticals but are greater dimension is what we call Jacobian of curves meaning
that you should take the curve of genus G, you don't have to addition go on it, except if G
equaled one if the curve is elliptic, but you can construct the geometric object called the
Jacobian where you do have an addition low.
So formally, the Jacobian consists of the [inaudible] divisor [inaudible] here, and if you look at
rational points, we have an additional low so it's what we call an abelian variety. And generally,
a point in the Jacobian would be represented by a sum of, some formal sum of two points on
the curve. So, for instance, I know that you already have seen genus 2 curves. So here is a
genus 2 curve. So I have two points on the Jacobian D, which is the sum of two points on the
curve, P, 1 and P, 2, [inaudible] 1 is the sum of two points in the curve Q, 1 and Q, 2. I want to
compute the addition, so the way I do is to find the functions that goes through all these points,
so first on this cubic and so, by definition of the Jacobian, we know that this former sum of this
point is zero.
So D plus D prime is minus one prime, minus 2 prime, and that I just need to take this vertical
line to find the D plus D prime is one plus 2 here. Okay. So we can go farther. So if this is genus
curve of curves of genus we, which is [inaudible] Jacobians of the [inaudible]. So we have
hyperelliptical of genus [inaudible], but we also have another sort of family which are quartic
curves here. So do we still have pairing on them? Well, of course. So if I take P and Q, so let's
take P, a point of l-torsion, the Jacobian, so it is represented by divisor on C. By definition, since
P is a point of l-torsion, L times D, P correspond to principal divisor on the curve. This gives me
the, my function F, P which I had already in the elliptic curve case. So then I can use exactly the
same definition for the Weil pairing and the Tate pairing here and they give me pairings as in
the elliptical case.
And one [inaudible] for evaluating the Weil or Tate pairing comes from what you call we'll Weil
reciprocity theorem that says that if I have two divisors, D, 1 and D, 2 with [inaudible] part and
principle, then F, D, 1 of F, D, 2 is a quarter of D, 2 of D, 1. So these things here tell me that I
can change D, P and D, Q by any equivalent divisor and still have the same function. So it helps
a lot to compute pairings. And in practice, so what we need to do to [inaudible] them is
compute this Miller function I’ve got at lambda and P, N, find some genus twist very similar in
elliptical curves. So it's something [inaudible]. It could be [inaudible] those were my points.
And here it's the two verticals that I add in the preceding figures. So it's pretty [inaudible] to
compute pairings, Jacobians of curves too.
But now, my main question that I frame to us would be what about abelian varieties. What
about abelian varieties that don't come from curve? In this case, I don't have a geometric
interpretation of the addition low. So how can I work over pairings here? So first let's look at
abelian varieties. So let's forget about this definition here and just [inaudible] abelian varieties
simply, abelian varieties, so you have some equations plus a rational group low between the
points in this projective space.
So, for instance, ellipticals are exactly abelian varieties of dimension one. And, as I said, if you
take a curve of genus G, the Jacobian is an abelian variety of dimension G. But starting from
dimension for not having abelian varieties are Jacobian. But do we still have pairings, we see
that we still have the Weil pairing [inaudible] from any isogeny, which I won’t explain what it is,
but from any isogeny we can take a Weil pairing. Let's say, so I take an isogeny between
abelian variety and B, K is a canal and I can form what we call the [inaudible] isogeny where K
dual is a canal of the [inaudible] isogeny and one can show you that K dual here is a Cartier dual
of meaning that you have a natural pairing between K and K dual.
How is this pairing different? Well, it's pretty straightforward. So take a point Q and this canal
here, so by definition, F tilde of Q is zero, but Q transformed to a divisor on B because B tilde is
a dual of B. Since F tilde of Q is a zero, it just means if pull back of this divisor is principle on A.
So I have a function G, Q and one can show that this function G, Q of X of our G, Q of X plus P is
constant and it’s actually a [inaudible] infinity which define my pairing here. If I take for
isogenies, so multiplication by L, I work over the Weil pairing from before. Well, almost a Weil
pairing from before except that this time it goes from the l-torsion on A times l-torsion on the J,
L of A to L [inaudible] infinity. So this is not really satisfying. I would like to have a pairing on
the full l-torsion on A. So what we do is we use what we call a polarisation, so if you don't know
about it, don't, it's not too bad. Don't worry about it. But if I get principle polarisation I can
compose the polarisation with the Weil pairing and get your pairing on the l-torsion of A times
l-torsion on A to L sort of infinity. So I can generalize a Weil pairing to any abelian varieties.
What about the Tate pairing? Well, we can do that also. So I will only need, if I need
[inaudible] embedding degree of [inaudible] embedding degree field. So I can look at the
limitation by L on F, Q to the D and is a canal is of course l-torsion and when I look at [inaudible]
going from Galois cohomology I get a connecting morphism here. If I compose the connecting
morphisms here, we have the Weil pairing, I get the abelian map from points of l-torsion here,
two points here, this set here, which we can so [inaudible] but it's actually just [inaudible] of
unity. Isomorphic joint sort of unity. [inaudible] is a Tate pairing defined why at [inaudible]
point of l-torsion Q any point in F, Q to D, then if Q zero is a point in which Q is equal to L times
Q zero and the pairing between P and this point here, which is as you see, is a point of l-torsion
give me the Tate pairing. What I defined to be the Tate pairing. So as you can see, I have a
Weil pairing and the Tate pairing but our definition look very different from the ones I had for
elliptical or for Jacobians.
So are they the same? And actually, the answer is yes. To prove that, I need an equal amount
of [inaudible] worked on divisor on curves. But he had no type curves. So what I will look at is
what I call cycles. So it's a former sum of points on [inaudible] abelian variety and one can
show that cycles can, as I said, the divisor here and the cycle here goes 1 to 12 divisor,
[inaudible] if the sum of the points [inaudible]. Exactly like for elliptic curves, if you know about
it. And then if I have a function, I can define the value of the function on the cycle by this
formula. So this looks a lot like the elliptical curve. One can show that on an abelian variety if
D, 1 and D, 2 are two cycles that cycle round to zero then F, D 1 of F, D 2 is equal to F, D, 2 of D,
1. This was shown by Lang. I'm using this tool; I am exactly like people who use [inaudible]
reciprocity, so I am elliptic curves we get that, if we define, so I take P and Q points of l-torsion,
D, P and D, Q be any cycles and come around to these two cycles and I can define the Weil
pairing to be F, L, D, P of D, Q over F, L, D, Q of D, P. So I find [inaudible] an easier definition of
Weil pairing for elliptic curves. And we have exactly the same formula for the Tate pairing.
So just a little point here is that it looks, it’s the same formula as for elliptic curves, but it's not
the same formula as for Jacobians. The formula in Jacobians, we would work a point in terms of
divisor on the curves and we needed always go back on the curve. Whereas here we did only
[inaudible] point on abelian variety. Like for elliptic curves we did [inaudible] points, so we can
use addition directly. We don't need to go back to the curve and talk about divisors. So that
means that [inaudible] community there was some ways to prove ellipticals and you wait six
months or one year to have the same ways to promote Jacobian for elliptic curves. Like for
Weil pairings when your letters was [inaudible] pairing because drawing this [inaudible] to
curves was not entirely straightforward. But with these definitions, it’s for abelian varieties
likely simpler. You just have to prove this test, so prove the ellipticals on the same thing will
work for abelian varieties. So how you hear that reasoning with directly abelian varieties was
on Jacobian of curve is simpler to prove things.
>>: What you mean by non-reduced, the non-reduced Tate pairing on the bottom one?
>> Damien Robert: Just because it does not take the [inaudible] here. So it's up to [inaudible]
here. Okay. So one the point in cryptography to look at abelian varieties is [inaudible] point of
view. Well, there are several reasons. First, there are more elliptic curves for [inaudible]
elliptic curves is for dimension one meaning that you can represent an elliptic curve on one in
the variant called the chain variant. So you don’t have much latitude to choose, like you
formed an [inaudible] that saying some condition that’s [inaudible] nice feel, nice on the
[inaudible] it can get pretty hard to find one. But for abelian varieties of dimension G,
[inaudible] dimension G times G plus 1 over 2. So we have much more latitude to find a good
abelian varieties.
Secondly, if you look at supersingular elliptic curves the embedding degree is quite small, so
that's annoying, but over abelian varieties you're embedding that we can be a lot bigger. So it
could allow to [inaudible] abelian varieties for pairing application. Also, so this work is for
Jacobians. But some things, if we look at pairing on Jacobians, what one common trick to use
to do is we use to feel is we use twist. But we can only if we work, if we need to go back to the
curve we cannot reuse twist coming from the curve. But if you work the [inaudible] abelian
variety you can use twist cross-running to abelian variety. So, for instance, if you look at the
quartic curve in genus three, you don't have quadratic twist. In elliptic curve you have
quadratic twist but not have quartic curve. But around the edge, an abelian variety always have
a quadratic twist. So you're not twist on abelian varieties.
Lastly, probably what is in my mind is, more important is that the abelian varieties, so the
pairing on the point of l-torsion and the structure of the l-torsion is [inaudible]. It's a model of
dimension to G where there's only two. So maybe it can be used to have more peripheral
cartographic protocols.
Okay. So now we know why it is important to work abelian varieties. But how do we work on
abelian varieties when we don't have a curve to go back from and compute the addition?
Right? We need a way to represent points in abelian varieties and a way to compute additions.
And actually, it's something more than that if, remember, the mirror function comes from the
geometric interpretation of the addition. So what I need to find a nice amounts of geometric
interpret representation of the addition to complete pairing this in abelian varieties. And all
this will be given by the theory of theta functions.
So I will only explain theta function[inaudible] can be defined over any field [inaudible] so I’ll
stick on this case. So [inaudible] the complex number abelian variety, simply what we call
[inaudible] that is a vector space of dimension G represented by lattices. That is why we have
polarisations. [inaudible] here. If I look at the Chern class of this line bundle it gives rise to
simplistic form and V that is integral on the torus. So [inaudible] if I take the exponential of this
form I get a pairing on the abelian variety if I tell you is a Weil pairing; it’s another way to see
the Weil pairing. And if I normalize my lattice here by a symplectic basis I can write the lattice
as omega Z to the G plus Z to the G. One controls that if I am abelian variety, omega needs to
live in the [inaudible] space to keep it out of the parallel F plane for elliptic curves. And then
the associated Riemann form is simply defined by [inaudible] symplectic pairing here and it
actually is a Weil pairing.
So this is my abelian variety and I need to represent points by functions and this is given by the
theory of theta functions meaning that if I take theta function defined by it this big exponential
sum, then they give projective coordinates meaning that, so theta function is defined for point
in Z to the G, but if my abelian varieties Z to the G over all the lattice. But one can show that if I
change Z by Z plus lambda where lambda is a point in this lattice, this change of theta functions
but always by the same factor. So if we look at the coordinates as projective coordinates gives
this the same point in projective coordinate. So let’s just give a projective embedding of my
abelian varieties. If I use what we call theta function of [inaudible] N I get a projective on
embedding except when N is equal to 2 where I don't get a projective embedding of the abelian
variety but of what we call the Kummer variety, meaning that I can't distinguish a point from its
[inaudible]. But I won’t tell you that where I [inaudible] theta functions, so introduce the
[inaudible].
So that's all I represent of points of my abelian variety by a projective vector of theta functions.
Now I need to explain how to do the addition. It's given by what we call Riemann relations
here. So as you can see, if I have theta coordinates of a point X, the theta coordinates of the
point Y and the theta coordinate of the little point which is zero, of course, then I can work over
the coordinate of X plus Y and X minus Y. So I can't work over on the existing coordinates. But
what I can do is look [inaudible] the coordinates theta Y affects plus Y times theta zero affects
minus Y, but this means that in terms of projective coordinates I have the theta coordinates of
the projective point X plus Y here. That's why I do the addition using theta coordinates.
Okay. But actually, I could do something more here because of course, my abelian variety Z to
the G of our lattice and there’s addition law [inaudible] lattice. But I also have an addition law
of our Z to the G which is simply a [inaudible] additional law which I will call the differential
addition law. If I look at the points on Z to the G, not [inaudible] lattice, so this time I look at
the point, not theta X, not up to a projective vector, but really the affine point given by theta
coordinates where X is not anymore [inaudible] varieties. Then what this shows is that is if I
have X and Y and Z to the G, and if I am given X minus Y, the theta affine, theta coordinates of X
minus Y, I can work over exactly the theta coordinate of X plus Y. It not up to a projective
vector anymore but the Weil affine theta coordinates.
So I have some extra information here. This X, Y information I will, we see that this is exactly
what will allow us to compute pairings.
>>: So what was the [inaudible]? [inaudible] affine?
>> Damien Robert: Yes. So if you look at affine X, if you look at X in abelian varieties defined
only up to a [inaudible] amount of the lattices meaning that theta coordinating are different
only up to a projective vector. But if I take a lift to Z to the G I can always pick about affine
coordinate here. And what I say on Z to the G I have an addition law [inaudible], addition law
which is [inaudible] by H vector and I can work over this addition law in terms of theta
coordinates if I have the point X minus Y. And this is what I will call differential additions.
>>: Can you remind, what was the definition of the [ki] of T?
>> Damien Robert: [ki] of T is just [inaudible].
>>: But is there any particular form to these characters that to make this, to be true or>> Damien Robert: No. Any character works. So then we can [inaudible] a character to find
this product here. Okay. So this is what differential addition looked like on elliptic curve
[inaudible]. So [inaudible] you’ve looked at [inaudible] genus two should look very familiar.
And, as you can see, it's actually really fast. You do some square, some multiplication, and you
have an addition law. So you [inaudible] to compare this is, of course, an addition law in level 2
for elliptic curves; and this is, of course, of addition law in the Weil, two for genus 2 curves. So,
as you can see, using theta of level 2 is way faster than we using [inaudible] presentation like in
term of Jacobian of hyperelliptic curves. But it does explain why I will want to use the function
of level two rather than level four because level four are quite [inaudible]. So I want to, of
course, on level two hear.
So, as you can see, I've been doing this for a while. Why is addition law so fast? Maybe if we
can use a pairing we have a fast way to compute pairing at this in genus two. So the question
was when you compute pairings is theta coordinates. Okay. So this is the part of this talk. So
what you can prove is that, so as I said, I take P, so some notation. If P is a point of abelian
variety, so points [inaudible] law varieties, I will not Z, P the point in Z to the G. Then if I look at
the coordinates I will call P a projective point because theta coordinates only need to affine up
to projective vector. But Z, P is an affine coordinate, theta coordinate of Z, P, L well defined
here. And then we can show, so F lambda P is a mirror function from before, we can show that
if lambda P over Z is given on Z to the G by this function here. So the mirror function, I’ve got it
from the mu P, is given by this function here. So you can see the addition law. Here you have Z
plus lambda Z, P, Z plus mu Z, P and the F, [inaudible] Z plus lambda plus mu Z, P. So you can
understand what’s divisor here, of this function here. [inaudible] for a while.
But as you can see here is that, why it's important to take a lift is because this will not make any
sense if you are dealing about projective points because projecting points are only defined up
to a vector. So this would be defined up to a vector but this is a [inaudible] so it will not make
any sense. But since I'm taking it lift to Z to the G, this does make sense. But now I need to
explain how to compute this function here, not on the abelian variety anymore, but on the lift Z
to the G using some differential additions.
So one way to do this is to use this proposition here, meaning that if I have chosen a lift of a
point P, Q, R, so three points, and I also have lift, given lift of P plus Q, P plus R and Q plus R,
then I put on, I can find exactly the lift cross-running to P plus Q plus R. So it was a correct lift.
And this is a variant of different additions and this use a variant of Riemann relations here. So
it should look pretty close to what we had before. And using that, I can compute the mirror
function here. How do I do that? I'd just first to show that it's not that complicated in practice.
This is [inaudible] addition. So the formula is a bit complicated than differential addition, but
that's not [inaudible] function. Okay. So I had to compute the mirror function here. So I have
the point of the abelian variety, lambda P, mu P and Q. And I want to compute this. So first I
compute lambda plus mu P. Q plus lambda P and Q plus mu P. So to compute these points, the
problem is that I need to use addition so I can't work [inaudible] here. It's okay. So I need to
[inaudible]. Then I take any lift, so I have projective point, I take any F in lift, then I can
compute this using the three addition because I have all the points here on the two by two
sums. So I can compute this exactly. Then I used the definition of F lambda mu P from before
to compute at this function here.
>>: So, like what is the [inaudible] requirement for these affine lifts? So are you free to choose
the affine lifts of these three like in anyone and then>> Damien Robert: Yeah. So I choose these three in anyway. Yeah. So two means, it would
seem to be something that does not have any meaning. But [inaudible] that what I do
afterwards is this: I compute it exactly from this affine lift I present here. And if you look at, if I
add, chosen some affine lift, I will have some projective vector here. Alpha, beta, and gamma.
But this will change this point, so I compute it exactly, exactly by alpha times beta times
gamma. And if I look at the final formula, each vector cancels out. This means that this, while
this depends on the lift I’ve chosen, this also, this formula does not depend on the lift
[inaudible]. And so this is well defined. Because of this I compute exactly from the choices
here. So [inaudible] does not depend on the choices of the lift here.
>>: Okay. So like really, you choose the affine lift for any, for all>> Damien Robert: Yeah>>: Like a global>> Damien Robert: Yeah. Any lift I want. So I have a projective vector. I use the same the
vector as an affine vector. The example to apply is since I’m doing the computation here
exactly, the choice I made here outcomes a lot. And so I have a way to compute the mirror
function. And since all pairing, Weil pairing take pairing, ate pairing, optimal pairing, all use this
mirror function and I have no way to compute all pairings using theta functions.
Okay. So what does this give me at the end if I use a double and hard algorithm? This is
something like that. So I have P point first pairing. So P is a point of l-torsion, creates a point in
the abelian variety, so I choose any lift of P, Q and P plus Q. And then I will do, so I suppose
that during my computation I computed a lift from that P and a lift from the P plus Q and I will
repeat a doubling while I can doubled this using differential additions, so it's okay. And for
addition, while I compute two times lambda plus 1, P on take again will lift. Now we try lift
here. And then I can use a [inaudible] addition to compute this point here. So I repeat and
repeat and tell at the end I got to lambda equal L, so I have a lift Z, L, P and Z, L, P plus Q. Okay?
But L, P on the abelian variety is equal. So Z, L, P is equal to zero up to projective vector. The
same for Z, L, P plus Q is equal to Z, Q up to projective vector. And if you look, if you know very
well the computation down here, what we can see at the end that the Tate pairing is a
[inaudible] quotient of these two projective vectors here which does not to depend, because I
take a quotient, is not depend on the choices of lift I have made in all these types.
So the nice thing about this description is that we can actually this to a level [inaudible] two,
which is nice. But, as you can see, we use a lot of additions, simple addition that are very slow,
whereas differential additions are a lot faster. So the question is, yeah.
>>: So if you have an abstract abelian variety, how do you get lambda plus one times P?
>> Damien Robert: When? Sorry, when?
>>: Like if you have like an abstract abelian variety. How do you compute>> Damien Robert: Okay. So I don't have, I have [inaudible] abelian variety but suppose I have
theta function on it. And [inaudible] when the function, I can use [inaudible] relations to
compute the addition. Like, it's the formula from here. Meaning that if only if X and Y, I can't
recall exactly if I have X plus Y, but I can work on that to projective vector. So this is fine if I'm
working on the abelian variety and not on lift.
Okay. So we know to compute pairings, in practice [inaudible] things that pairings fall back to
that. So they fall back to finding projective vectors between two different affine [inaudible]
that I've defined in two different ways. The question is: can I do that in a somewhat faster way
than by using the [inaudible] Miller algorithm? And the answer is yes. So let's go back to the
definition of the Weil and Tate pairing and if I look at the definition [inaudible] theta function
find some ate pairing is given by this. You can see, it’s why I explained before, we compute an
affine lift of Z, Q plus L, Z, P. This is equal to Z, Q in the abelian variety because P is the point of
l-torsion. This means that this theta function is equal to this one up to a projective vector. And
as you can see, the quotient of these two projective vectors give me exactly this Tate pairing.
So the question is: how can I compute this projective vector? Well, I can compute them using
the function additions. Right? So I take P and Q and a lift as before. I take also any lift of P plus
Q. That's why I use these differential additions when I take any lift. But once I've chosen this
lift here, I can compute, for instance, two times Z, P plus Z, Q exactly using differential addition.
And so on and so on and I can compute L, Z, P plus Z, Q exactly using differential addition. And
as I said, this is equal to Z,Q, L, P plus Q is equal to Q in the abelian variety, meaning that the
winner affine lift, this is equal to this up to a projective vector that I call on that one P. And I
argue that the Tate pairing is exactly on the one P over lambda is zero P here, which is pretty
clear from the definition here. And the same for the Weil pairing one I also use. It's just two
Tate pairing, right?
So the next thing I need to check is that this computation does not depend on the choices of lift
I made here [inaudible] for one. If I modify the lift by vector alpha, beta, and gamma here I can
keep track of all this vector because afterwards I need do differential additions, we can do that
the end the new Tate pairing is equal to the old one up to L [inaudible], so this is the same Tate
pairing. It does not depend on the choices I made. So that's how I compute Weil and Tate
pairings in differential additions.
Now the question is: can these [inaudible] be generalized to ate pairing on the general ate
pairing? The answer is yes. For instance, let's forget about the Weil two case, so for instance,
let's look at the ate pairing. So this time Q is a rational point and P is upon that [inaudible] P is
equal to two times P. So that means that when we look at projective coordinate, if we look at
the [inaudible] P plus Q it's equal to lambda it the D, P plus Q where lambda is [inaudible] Q
[inaudible] L.
Okay? But of course, if I look in term of affine coordinates, the [inaudible] lift P plus Q is not
equal to something here, we use something here computed using differential additions. But
these are the same projective point. So they differ by projective vector, right? And I argue that
this projective vector is actually the ate pairing. So let me sum up. I have P and Q. I take any
lift Z, P and Z, Q and I can compute Z, Q plus lambda Z, P in two different ways. One way using
the difference additions, like I used for the Tate pairing, and those are ways to apply directly
the [inaudible]. And if I compare, so this gives me the same projective points but two different
affine points, they will differ by two projective vectors, and the quotient of these two projective
vectors exactly ate pairing. So it’s pretty amazing, I think. It's, if we look directly at what
happened here, it’s simply that we go back to the definition of pairing as something like an
[inaudible] pairing and cycle and things like that. That's exactly what happened here. We
compared two projective vectors and they give us pairings.
So what about the optimal ate pairing? Well, as you know, optimal ate pairing is a combination
of things that looked like ate pairing. There is some vector here that [inaudible] the pairings
and it really works the same. So in theta coordinates, what I do, so once again I choose lift of P
and Q. So I have Z, P and Z, Q. I can compute Z, I times Z, P and Z, Q plus Z, I times Z, P using
differential additions. So now I apply some [inaudible] to compute this down here. Then I need
to do some gluing. So this is a part while I do some gluing we do some Miller functions here,
but if you go back and compute Miller function using [inaudible] additions. And using static and
compute so this I can't compute it using a differential addition because I don't have the
difference. So I need to do a normal addition so I can only compute this up to a constant. Once
I choose any lift here, I can do a [inaudible] addition to compute this down here, which will be
defined up to the same constant as a choice here. So in the end it will cancel out. So in the end
what we get is we have computed lambda times Z, P which is equal to Z, P up to projective
vector and Z, Q plus lambda times Z, P which is equal to Z, Q up to projective vector and the
quotient of both projective vector gives us optimal pairing. This takes a quotient; this does not
depend on the choices I made here.
Okay. So once again, I need to [inaudible] the case N is equal to two, which is really interesting,
but I won't have time I think. Okay. Let's, during the last five minutes I will talk about the
performance amounts of this algorithm. So here is what one step of the Miller loop look like.
So I have the point N, P, so one step, so I have N, P plus one N, P plus one N, P plus Q and I will
untwist two N, P, two N plus one P and two N plus one P plus Q. So as you can see, since I'm
working on the Weil two here, I always do an addition on the doubling. Always with the same
operation. This is given by this which is just some square on multiplications once again. So it's
not, it's really nice.
So what does it give me? Well, let's look first not on cryptographic application, but suppose
you want to compute Weil pairings because you want to find the symplectic basis for abelian
variety on something like that so you need to compute Weil pairings between points that live in
[inaudible] F, Q to the D. Then this goes six multiplication on X, 8 square on the [inaudible] one
in the 14 multiplication on 16 square in genus two. So small M and big M you can see that as
multiplication.
So just in term of compare reason, if I look at elliptic curve on [inaudible] like one type of Miller
loop we said with coordinate it will cost nine multiplication on seven square. You can see we
are [inaudible] here. And it's even more impressive in genus two if I'm not even speaking about
computing a Miller loop but just dumping a point using [inaudible] coordinates is more
expensive than computing or pairing using theta coordinates. And so that's quite impressive.
But, [inaudible] if we look at it symplectically, so Weil pairing is faster than Tate pairing because
symplectically the maximization is more expensive. But actually, in the [inaudible] while
looking for maximization is not more expensive, so the Tate pairing is faster for users of
cartography and when we look at the Tate pairing for cryptography we don't take both points in
the big field. We can take one of the points in the small field.
So what happens in this case is [inaudible] cost in terms of theta coordinates, so this is not
really readable so it's better to look at this table where I forget any operations that does not
have all something in F, Q to the D. So, in terms of theta coordinates in genus one, each step is
always the same. We always do one multiplication, two square and two mixed multiplication.
If we look at the [inaudible] Miller algorithm, each step will always do a doubling and
sometimes we do an addition. And then it depends if [inaudible] odds, meaning if you can do it
in [inaudible] or not. And we can see that if you can do the [inaudible] elimination actually is
the [inaudible] Miller algorithm is faster than theta coordinates. And it’s also the case in genus
two if we suppose that we also use [inaudible].
So what we can guess from that is that overall, for pairings computation theta function are
pretty fast. But if you look at optimized ration of pairings where we can choose points,
[inaudible] results and [inaudible] is actually pretty close but not as fast, unfortunately. But
that was because a lot of operation is done in the big field. But if you look at ate pairing, all
operation needs to be done in the big field. And this over a while we two less operations, we
will expect to gain for the right pairing. This isn't the case here is a cost of the ate paring, so we
do the function genus two, we do a 11 multiplication and 16 square in the big field and we
should look and find some as [inaudible] ate pairing using [inaudible] coordinate.
As you can see even the doubling is much more expensive than affine coordinates. So for
genus two [inaudible] for the ate pairing to the coordinates looks pretty interesting. And since
it already gives the best [inaudible], it looks pretty interesting to look at what you can do in the
genus to case for pairing computation compare it with the best we can do for elliptic curves.
But of course, a big problem is we don't have nice pairing from the genus two curve yet. But if
we had, it will be a very interesting to look at this formula to compute pairings. Okay. Thanks.
>>: Questions?
>>: So for the optimum pairings, the elliptic curve is the standard way [inaudible]. I haven’t
seen that you’re I probably missed it where you just see that they are more efficient from the
others?
>> Damien Robert: Well, it's exactly the same as you like. So you find the multiple of L here.
So J and Z, I are small, and if you look what computation you do, this is the most expensive
when you need to do differential addition to compute that. So it's in log of the Z, I. So if the Z,
I’s are small, you would use a loop [inaudible]. This is trivial, just for beginners. This is a bit
more complicated. You need to do gluing and so on and so forth through the addition which
we don't need to do a lot of them, right? So in terms it don't matter. So what matter is this
step, so if the Z, I is more you don't need to do a lot of differential addition. So we use loop
[inaudible] yes, in that case.
>>: How do the coordinates of a degenerative [inaudible]?
>> Damien Robert: Sorry?
>>: So, in the pairing you want to use a degenerative [inaudible]?
>> Damien Robert: Yes. So that's an interesting question is that, so [inaudible].
>>: What do the points on the [inaudible] look like?
>> Damien Robert: So I'm guessing what makes this fast is to use degenerative divisor when we
use [inaudible] coordinates because like if you [inaudible] and so on. So in terms of theta
coordinates, [inaudible] by the fact that one of the theta coordinate is zero. One of the
[inaudible]. But I did not manage to find a way to use that to speed up the computation.
Actually, the way we do the addition it will slow it down because if you want [inaudible]
differential addition and we quotient out by [inaudible] coordinates. So we need to use a
different formula to be able to compute the differential addition we saw>>: [inaudible]?
>> Damien Robert: I won't explain to you. It’s a bit complicated. It's a lot of [inaudible] theta
function that I didn't [inaudible] after a while. So I’ll tell you we need, when [inaudible] a
differential divisor, we need to use some formula to use the differential addition and the one’s
that I’ve found are slower. But you would expect that this, you have the coordinates, which
equal to zero, so there should be a way to expect it to actually have faster formulas. And
hopefully, the [inaudible] coordinates in this case that would be nice. But I did not manage to
find them. But it would be very nice. I'm sure there should be a way to expect, to find the
coordinate is zero to speed up the computations.
>>: Any more questions?
>>: What was the case N equals two that you skipped? What was the N?
>> Damien Robert: Okay. Just briefly, so let's look back at the optimal pairing.
>>: But first tell me what was N? Because>> Damien Robert: N is of L of theta function that I use. N equal two is interesting because
that's only four theta function [inaudible] 16 the addition law is much faster. But we can't
distinguish a point from its opposite so we can't do normal addition. We can only do
differential additions. We can only go so fast right? So we can only do normal addition. And
the question is: how you can compute pairings in this case? Right? So if we look at optimal
pairings, this is differential addition. You could do in level two. This needs a normal addition.
You can do at in level 2. This is a [inaudible] addition. You can do it in level 2, but how do you
compute this? And if that's pretty clever is that if you want to compute this, well you can't
compute using a normal addition because we don't know the sign. So what we can do is
compute this plus or minus. So we have two possibilities, right? And [inaudible] 2 plus square
root somewhere. This is very costly. Moreover, and we can't distinguish between this here and
this here when we do the computation. But if we do the wrong choice, we need to do make
the same choice all the time otherwise the gluing is not any sense. We cannot glue it together
if sometime we choose a plus here and minus here.
So how can you solve that? Well, I put down that in level two, if you have some way, there’s
three points X, Y, and Z, plus or minus of course, and you are given X plus Z and Y plus Z, then
you can work over X plus Y. Result a square root. [inaudible] exactly. Normally what happens
is that if you have this, you fix the sign of Z corresponding to the sign of X. You linked the two
signs. If you are given this point, you have linked the sign of Z with the sign of Y. But then you
have also linked the sign of X with the sign of the Y, so you should be able to compute this
directly. And you use that with the point here. So this point we have, this point we have, and
this point we have also. And we also have computed the sum. So we can use compatible
additions in this type here, actually. So that's exactly. And that's what I call compatible
addition, and it looks like this. So it's a bit complicated, but it's only for the gluing task which
you don't, you do it o of one times. It's not important. That's a trick about level two here.
>>: So, like if you have higher than level two you get the embedding of the entire abelian
variety?
>> Damien Robert: Yeah. Of the abelian variety.
>>: And using these [inaudible] addition formulas you can actually compute the sum of like
anything. This is not like a differential addition kind of thing.
>> Damien Robert: You can compute to sum of anything.
>>: Can you show me the formula?
>> Damien Robert: Yes. So if you look at that, so what you get at sum of character, of T, T, I
plus T to I, J plus T is equal to something here or something here. And we can show that this is
not you. So you can work over all this is sum here. But if the sum is also correct there, what
you work over is also projective to I of X plus Y times theta J of X minus Y. So here are two
cases. You want to do differential additions. So you know theta J of X minus Y. So go back to
the I of X plus Y exactly. Or in that case, you don't know the difference here, so you don't know
coordinate, but you know [inaudible] theta I to theta J. So you can fix J is equal to zero and also
take the I of X plus Y theta zero of X minus Y, but in term of projective coordinates this is the
projective coordinates of X plus Y.
>>: Oh, I see. So that's how you can actually compute>> Damien Robert: Compute it to the same vector here.
>>: Right. Okay. That makes sense. Thanks.
>> Damien Robert: But the nice thing is we prefer differential addition, in level four we could
do normal addition it's because actually differential addition are faster which makes sense
because you have more data. You know X, Y and X minus Y. So it makes sense that using more
data means that you can compute X plus Y faster than if you [inaudible] of X minus Y.
>>: Okay. So let's thanks Damien.