Curves

Everything in ronkathon (and much of modern day cryptography) works with elliptic curves $E$ as primitives. Simply put, an elliptic curve is a curve defined by the equation $y^{2} = x^{3} + a x + b$ where $a$ and $b$ are constants that define the curve. When working over a finite field so that $x, y a, b \in F_{q}$ , we put $E (F_{q})$ to denote the set of points on the curve over the field $F_{q}$ . It turns out that the set of points $E (F_{q})$ forms a group under a certain operation called point addition. This group, in at least certain cases, is discrete logarithm hard, which is the basis for much of modern day cryptography.

Curve Group and Pluto Curve

For the sake of ronkathon, we use a specific curve which we affectionately call the "Pluto Curve." Our equation is: $y^{2} = x^{3} + 3$ and we work with the field $F_{p}$ and $F_{p^{2}}$ where $p = 101$ . Predominantly, we use the extension $F_{p^{2}}$ since we need this for the Tate pairing operation. We refer to $F_{101}$ as the PlutoBaseField and $F_{10 1^{2}}$ as the PlutoBaseFieldExtension within ronkathon. From which, we also use the terminology of PlutoCurve to refer to $E (F_{101})$ and PlutoExtendedCurve to refer to $E (F_{10 1^{2}})$ .

We also define a CurveGroup, an extension of FiniteGroup trait representing the group law of the curve.

Type B curve and type 1 pairing

Investigating our curve and choice of field, we find that the curve is Type B since:

It is of the form $y^{2} = x^{3} + b$ ;
$p = 101 \equiv 2 mod 3$ ; It follows that $E (F_{101})$ is supersingular which implies that the PlutoCurve has order (number of points) $n = 101 + 1 = 102$ and PlutoExtendedCurve has order $n^{2} = 10 2^{2} = 10404$ . Finally, the embedding degree of the curve is $k = 2$ .
This curve has a 17-torsion subgroup calculated as largest prime factor of order of curve 102 = 17.2.3.

Since, the curve is supersingular, this allows us to define the type-1 Tate pairing $e : G_{1} \times G_{2} \to F_{p^{2}}^{*}$ in a convenient manner, where both $G_{1}, G_{2} \in G_{1}$ , i.e. the base field subgroup of r-torsion subgroup.

In particular, we can pick $G_{1}$ to be the $r$ -torsion subgroup of PlutoCurve where $r = 17$ is the scalar field of the curve. Note that $r = 17$ is valid since $17 ∤ 101 - 1$ and $17 ∣ 10 1^{2} - 1$ (Balasubramanian-Koblitz theorem).

In this case, we pick $G = Z_{17}$ and define our pairing as: $e (P, Q) = f (P, Ψ (Q))^{(p^{2} - 1) / r}$ where $f$ is the Tate pairing and $Ψ$ is the map $Ψ (x, y) = (ζ x, y)$ where $ζ$ is a primitive cube root of unity. This is due to the fact that $Ψ$ is the distortion map that maps a factor of $E (F_{10 1^{2}}) [17] ≅ Z_{17} \times Z_{17}$ (which is the $17$ -torsion group) to the other.

Pairing and Miller's algorithm

Let's dive a little bit deeper into divisors, and miller's algorithm.

Divisors essentially are just a way to represent zeroes and poles of a rational function. We are interested in divisors of functions evaluated on Elliptic curves, i.e. $div f = \sum_{P \in E} n_{P} (P)$ .

For example: let's take a function $f = x^{3} - 8$ with $x \in C$ , it's divisor is written as $(f)$ and it has a zero of order 3 at $x = 2$ and a pole of order 3 at $x = \infty$ , thus, $(f) = 3 (2) - 3 (\infty)$ .

For an elliptic curve, a line usually intersects the curve at 3 points $P, Q, R = (P + Q)$ , then the divisor is written as $(l) = (P) + (Q) + (R) - 3 (O)$ . Note all of these divisors are degree-zero divisors as sum of their multiplicities is 0. There's another concept called support of divisor = $supp (D) = {P \in E : n_{P} \neq = 0}$ .

Now, we have most of the things we need to represent tate pairing:

$e (P, Q) = f_{P} (D_{Q})$

where $f_{P}$ is a rational function with $(f_{P}) = r (P) - r (O)$ and $D_{Q}$ is the divisor equivalent to $(D_{Q}) \sim (Q) - (O)$ .

Miller's algorithm

$f_{r, P}$ can be calculated as $f_{r - 1, P} \cdot \frac{l _{[r - 1] P, P}}{v _{r P}}$ where $l_{[m] P, P}$ is the line from $[m] P$ and $P$ , and $v [m] P$ is the vertical line going from $m [P], - [m] P$ . Both of these lines are used in chord-and-tangent rule in Elliptic curve group addition law.

Usual naive way is impractical on where $r \sim 2^{160}$ , and thus, for practical pairings, Miller's algorithm is used that has $O (lo g r)$ time complexity, and uses an algorithm similar to double-and-add algorithm.

Helpful Definitions

Here are a few related definitions that might be helpful to understand the curve and the pairing.

roots of unity

the $r t h$ root of unity in $F_{p}$ is some number $h$ such that $h^{r} \equiv 1$ , For example in our field scaler field $F_{101}$ the $4 t h$ roots of unity are ${1, 10, 91, 100}$ .

$r$ -torsion

$r$ -torsion points are points $P \in E (K) ∣ r P = O$ for some point $P$ so that $P$ has order $r$ or is a factor of $r$ . The set of r-torsion points in $E (K)$ is denoted $E (K) [r]$ . If $\overset{ˉ}{K}$ is the algebraic closure of $K$ then the number of r-torsion points in $E (K)$ is the number of points in $E (\overset{ˉ}{K}) [r] = r^{2}$ .

Security note: If $r$ and $q$ are not co-prime then the discrete log is solvable in linear time with something called an anomaly attack.

Frobenius endomorphism

Curve endomorphisms are maps that take points in one a curve subgroup and map them to themselves. An example is point addition and point doubling. The Frobenius endomorphism denoted $Φ$ takes points in $P \in E (F_{q})$ and maps them $Φ (P) = (X^{q}, Y^{q})$ .

For higher powers of the map you write $Φ^{k}$ .

Trace Map

This then allows us to define the trace map which takes points in $E (F_{q^{k}})$ and maps them to $E (F_{q})$

$t r (P) = P + Φ (P) + ... + Φ^{k - 1} (P)$

Since $k = 2$ in our parameters we get $t r (P) = P + Φ (P)$ .

Trace Zero Subgroup: The set of points of trace zero $G = {P ∣ t r P = O}$ is a cyclic group of order $r$ , and every $P \in G$ satisﬁes $Φ (P) = qP$ .

Quadratic Non Residue

A Quadratic Non-residue is a number that, cannot be expressed as a square of any other number. In other words, for a given modulus $n$ , a number $b$ is a quadratic non-residue if there is no number a satisfying the congruence $a^{2} \equiv b$ (mod n).

An example of quadratic non-residues would be the number 2 in modulo 3, 4, or 5. In these cases, there is no integer that we can square and then divide by the given modulus to get a remainder of 2.

References

Note that most of these are gross over-simplification of actual concepts and we advise you to refer to these references for further clarifications.

Ronkathon: Cryptography Educational Foundations