# Prerequisites

- Elliptic curves
- Elliptic curves 2
- Group theory
- Morphisms

# Theory

## Torsion points

https://crypto.stanford.edu/pbc/notes/elliptic/torsion.html

Let $E$ be an elliptic curve defined over a field $K$. Let $m$ be a positive integer. We are interested in the group
$$E[m]= \{P\in E \ |\ mP=\mathcal{O}\}$$
- A point satisfying $mP = \mathcal{O}$ is called a point of order $m$ (more precisely, its order divides $m$)
- If we want the coordinates of $P$ to lie in a particular field $K$ we write $P \in E(K)[m]$

**Theorem**

Let $E$ be an elliptic curve over a field $K$ and let $m$ be a positive integer. If the characteristic of $K$ **does not divide** $m$, or is $0$, then (taking points over the algebraic closure $\bar K$)
- $E[m] \simeq \mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/m\mathbb{Z}$

If the characteristic of $K$ is $p>0$ and $p|m$, write $m=p^r m'$ with $p$ not dividing $m'$. Then
- $E[m] \simeq \mathbb{Z}/m'\mathbb{Z} \times \mathbb{Z}/m'\mathbb{Z}$ or $\mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/m'\mathbb{Z}$

**Remark**:
- An elliptic curve $E$ in characteristic $p$ is called **ordinary** if $E[p] \simeq \mathbb{Z}/p\mathbb{Z}$
- If $E[p] \simeq \{\mathcal{O}\}$ the elliptic curve is called **supersingular**
- If $E[p] \neq \{\mathcal{O}\}$ then $E[p^k]\simeq \mathbb{Z}/p^k\mathbb{Z} \ \forall k>0$.
- If $m$ is coprime to the characteristic (so to $q$ when $E$ is defined over $\mathbb{F}_q$) then $|E[m]|=m^2$

**Mordell-Weil theorem**
> Let $K$ be a number field. Then $E(K)$ is finitely generated

## Bilinear pairings

You have probably seen examples of bilinear pairings in a linear algebra class.

*For example*: 
1. The dot product $\beta(v,w)=v\cdot w=v_1w_1+v_2w_2+\dots+v_nw_n$ is a bilinear pairing on the vector space $\mathbb{R}^n$:
    - It is a *pairing* in the sense that it takes a pair of vectors and returns a number
    - It is bilinear in the sense that it is a *linear transformation* in each of its variables.
    
    In other words, for any vectors $v_1,v_2,w_1,w_2$ and any real numbers $a_1,a_2,b_1,b_2$:
    $$\beta(a_1v_1+a_2v_2,\ w)=a_1 \beta(v_1,w)+a_2 \beta(v_2,w)$$
    $$\beta(v\ ,b_1w_1+b_2w_2)=b_1 \beta(v,w_1)+b_2 \beta(v,w_2)$$

2. The determinant map on $\mathbb{R}^2$.  Let $v=(v_1,v_2) $ and $w=(w_1,w_2)$, then 
    $$\delta(v,w)=\det \begin{bmatrix} v_1 & v_2 \\ w_1 &w_2 \end{bmatrix} =v_1w_2−v_2w_1$$
    - The determinant map has the further property that it is alternating, which means that if we switch the vectors, the value changes sign: $\delta(v,w)=-\delta(w,v) \Rightarrow \delta(v,v) = 0 \ \forall v$
    
**Note**
- We continue with bilinear pairings on elliptic curves -> they take as input two points on an elliptic curve and give as output a number
- However, the bilinearity condition is slightly different, because the output value is a nonzero element of a **finite field**, so the sum on the right-hand side of the two formulas above is replaced by a product.

- [Dan Boneh's talk](https://www.youtube.com/watch?v=8WDOpzxpnTE&t)

Let $m$ be a positive integer not divisible by the characteristic of $K$. We can choose a basis $\{P_1,P_2\}$ for $E(K)[m] \simeq \mathbb{Z}/m \mathbb Z \times \mathbb{Z}/m \mathbb Z$.
=> every point $P\in E(K)[m]$ can be written as a **linear combination**:
- $P=aP_1+bP_2$ with $a, b$ uniquely determined mod $m$

Let $\alpha:E(K)\to E(K)$ be a homomorphism. Then $\alpha$ maps $E[m]$ into $E[m]$. Therefore, there are $a, b, c, d \in \mathbb Z/m\mathbb Z$ such that $\alpha(P_1)=aP_1+cP_2$ and $\alpha(P_2)=bP_1+dP_2$.

Therefore each homomorphism $\alpha:E(K)\to E(K)$ is represented by a $2\times2$ matrix $\alpha_m=\begin{pmatrix} a & b \\ c & d \end{pmatrix}$.

Composition of homomorphisms corresponds to multiplication of the corresponding matrices.

## Divisors

Divisors are a device for keeping track of poles and zeros. For example, suppose a function $g$ has a zero of order $3$ at a point $P$, a pole of order $2$ at another point $Q$, and a pole of order $1$ at $\mathcal{O}$. (Counted with multiplicity, the numbers of zeros and poles are equal, as they must be.) Then using divisors, we can say all this concisely as follows:
$$\text{div}\, g=\langle g\rangle=3\langle P\rangle-2\langle Q\rangle-\langle \mathcal{O}\rangle$$

If $E$ is an elliptic curve, $E:Y^2=X^3+AX+B$ , and if $f(X,Y)$  is a nonzero rational function of two variables, we may view $f$ as defining a function on $E$ by writing points as $P=(x, y)$ and setting $f(P)=f(x, y)$. Then just as for rational functions of one variable, there are points of $E$ where the numerator of $f$ vanishes and there are points of $E$ where the denominator of $f$ vanishes, so $f$ has zeros and poles on $E$ => We can define a divisor
$$\text{div} f =\sum_{P\in E} n_P[P] = D$$

The coordinates of the zeros and poles of $f$ may require moving to a larger field => If $E$ is defined over $\mathbb{F}_p$, then the poles and zeros of $f$ have coordinates in $\mathbb{F}_{p^k}$ for some $k$ , but the value of $k$ will, in general, depend on the function $f$.

The **degree** of a divisor is the sum of its coefficients => $\deg(D) = \sum_{P\in E}n_P$

## Weil pairing

https://en.wikipedia.org/wiki/Weil_pairing

The Weil pairing, which is denoted by $e_m$, takes as input a pair of points $P,Q \in E[m]$ and gives as output an $m$-th root of unity $e_m(P,Q)$

Let $\mu_m=\{x \in K \ |\ x^m=1\}$ = the group of $m$th roots of unity. Since the characteristic of $K$ does not divide $m$, the equation $x^m= 1$ has no multiple roots => it has $m$ distinct roots in $\bar K \Rightarrow \mu_m$ is a cyclic group of order $m$

**Theorem**
Let $E$ be an elliptic curve defined over a field $K$ and let $m$ be a positive integer. Assume that the characteristic of $K$ does not divide $m$. Then there is a pairing
- $e_m:E[m]\times E[m]\to \mu_m$ => **the Weil pairing**

Properties
1. Bilinearity:
    - $e_m(P_1+P_2,Q)=e_m(P_1,Q) \cdot e_m(P_2,Q)$
    - $e_m(P,Q_1+Q_2)=e_m(P,Q_1)\cdot e_m(P,Q_2)$
2. Nondegenerate in each variable:
    - if $e_m(P,Q)=1$ for all $Q\in E[m]$, then $P=\mathcal{O}$.
3. Alternating, so
    - $e_m(P,P)=1 \ \forall P\in E[m]$
    - $e_m(P,Q)=e_m(Q, P)^{-1} \ \forall P,Q\in E[m]$

## Tate pairing

https://en.wikipedia.org/wiki/Tate_pairing

The Weil pairing is a nondegenerate bilinear form on elliptic curves defined over **any** field. For elliptic curves over finite fields there is another pairing, called the **Tate pairing** (or sometimes the Tate–Lichtenbaum pairing), that is often used in cryptography because it is computationally somewhat more efficient than the Weil pairing.

Let
- $E$ be an elliptic curve over $\mathbb{F}_q$.
- $m$ be an integer such that $m|q-1$.
- Denote by $E(\mathbb{F}_q)[m]$ the elements of $E(\mathbb{F}_q)$ of order dividing $m$
- Let $\mu_m=\{x\in \mathbb{F}_q \ |\ x^m=1\}$.
- Let $P\in E(\mathbb{F}_q)[m]$ and $Q\in E(\mathbb{F}_q)$ and choose $R\in E(\overline{\mathbb{F}}_q)$ satisfying $mR=Q$.
- Denote by $e_m$ the $m$th Weil pairing
- Denote by $\phi=\phi_q$ the $q$th power Frobenius endomorphism.

Define
$$\tau_m(P, Q)=e_m(P, \ R-\phi(R))$$

Then
$$\tau_m:E(\mathbb{F}_q)[m]\times E(\mathbb{F}_q)/m E(\mathbb{F}_q) \to \mu_m$$
is a **well-defined nondegenerate bilinear pairing**

## Embedding degree

https://crypto.stackexchange.com/questions/37302/elliptic-curve-and-embedding-degree

Let $E$ be an elliptic curve over $\mathbb{F}_p$ and let $m \geq 1$ be an integer with $p$ not dividing $m$. The **embedding degree** of $E$ with respect to $m$ is the **smallest** value of $k$ such that
- $E(\mathbb{F}_{p^k})[m] \simeq \mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/m\mathbb{Z}$.

The significance of the embedding degree $k$ is that the Weil pairing embeds the ECDLP on the elliptic curve $E(\mathbb{F}_p)$ into the DLP in the field $\mathbb{F}_{p^k}$
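As an added example (my own code, not from these notes or from Sage), here is the embedding-degree computation in plain Python. For a prime $m \ne p$ with $m \nmid p-1$, the smallest $k$ with $m \mid p^k-1$ is the embedding degree defined above (Balasubramanian–Koblitz), and it is simply the multiplicative order of $p$ modulo $m$, which is what the Sage call `GF(m)(p).multiplicative_order()` in the Tate section computes. The block computes it two ways (order via the prime factors of $m-1$, and a bounded direct search that also works for composite $m$) and then runs the bounded search as the usual "MOV condition" sanity check on secp256k1's published parameters (SEC 2 values; the bound of 100 follows SEC 1 and is my assumption here). A small embedding degree means the pairing transports the curve's DLP into $\mathbb{F}_{p^k}$, where index-calculus attacks apply, so a curve meant for plain ECDLP hardness should fail this search.

```python
# Embedding degree of E/F_p with respect to a prime m, plus the bounded
# MOV check used when vetting curve parameters. Added example, not the notes' code.

def prime_factors(n):
    """Distinct prime factors of n by trial division (adequate for the small m used here)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors

def multiplicative_order(a, m):
    """Order of a in (Z/mZ)^* for prime m; mirrors GF(m)(a).multiplicative_order() in Sage.
    Start from |(Z/mZ)^*| = m - 1 and strip each prime factor while a^(order/q) stays 1."""
    if m < 2 or a % m == 0:
        raise ValueError("m must be prime and a must be a unit mod m")
    order = m - 1
    for q in prime_factors(m - 1):
        while order % q == 0 and pow(a, order // q, m) == 1:
            order //= q
    return order

def embedding_degree(p, m):
    """Smallest k with m | p^k - 1, i.e. mu_m is contained in F_{p^k} (m prime, m != p)."""
    return multiplicative_order(p, m)

def embedding_degree_bounded(p, m, bound):
    """Direct search k = 1..bound (works for composite m as well); None if no k is found.
    pow(p, k, m) == 1 is the same test as (p^k - 1) % m == 0 without forming p^k."""
    for k in range(1, bound + 1):
        if pow(p, k, m) == 1:
            return k
    return None

# secp256k1 field size and group order, as published in SEC 2 (not a constructed value).
SECP256K1_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

if __name__ == "__main__":
    # The Tate example below the notes uses p = 101, m = 17 and finds k = 2.
    print(embedding_degree(101, 17), embedding_degree_bounded(101, 17, 10))
    # The Weil example uses p = 631, m = 5; 5 | 630, so k = 1 and E(F_631)[5] is already full.
    print(embedding_degree(631, 5))
    # Factoring n - 1 for a 256-bit n is out of reach for trial division, so only the
    # bounded search is practical here; None means no k < 100 exists (MOV check passes).
    print(embedding_degree_bounded(SECP256K1_P, SECP256K1_N, 100))
```

The bounded search is the one to use on real parameters: it costs one modular exponentiation per candidate $k$ and never needs the factorization of $m-1$.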

# Code

## Weil pairing

```sage
p = 631
F = GF(p)
E = EllipticCurve(F, [30, 34])     # E: y^2 = x^3 + 30x + 34 over F_631
print(E.order())                   # 650

P = E(36, 60)
Q = E(121, 387)
m = P.order()
print(P.order(), Q.order())        # (5, 5)

# check that the value is indeed an m-th root of unity
print(P.weil_pairing(Q, m), P.weil_pairing(Q, m)^m)   # (242, 1)

# Alternating
print(P.weil_pairing(P, m))        # 1

# Bilinearity
P1 = E(36, 60)
Q1 = E(121, 387)
P2 = E(617, 5)
Q2 = E(121, 244)                   # note 244 = 631 - 387, so Q2 = -Q1
print(P2.order(), Q2.order())      # (5, 5)

print((P1 + P2).weil_pairing(Q1, m) == P1.weil_pairing(Q1, m) * P2.weil_pairing(Q1, m))   # True
# since Q1 + Q2 = O, this second check reduces to e_m(P1, O) = 1
print(P1.weil_pairing(Q1 + Q2, m) == P1.weil_pairing(Q1, m) * P1.weil_pairing(Q2, m))     # True
```
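To make the Sage calls above less of a black box, here is the same pairing computed from scratch in plain Python with Miller's algorithm, following the formula in Hoffstein–Pipher–Silverman (Theorem 5.38): $e_m(P,Q) = \dfrac{f_P(Q+S)/f_P(S)}{f_Q(P-S)/f_Q(-S)}$ for an auxiliary point $S \notin \{\mathcal{O}, P, -Q, P-Q\}$, where $f_P$ is the function with divisor $m[P]-m[\mathcal{O}]$ built from the line functions $g_{T,P}$. This is an added example written for these notes, not Sage's implementation; the curve, points and $m=5$ are the ones used above, everything else (point representation, the retry-on-bad-$S$ strategy, the brute-force torsion count) is my own choice. It also checks the remark from the torsion section that the full $m$-torsion has $m^2$ points.

```python
# Weil pairing over F_p by Miller's algorithm, on the notes' curve y^2 = x^3 + 30x + 34.
# Added example, not Sage's code. Points are (x, y) tuples; None is the point at infinity O.

p = 631
A, B = 30, 34

def inv(a):
    return pow(a % p, -1, p)          # raises ValueError when a == 0 mod p

def is_on_curve(P):
    return P is None or (P[1]**2 - (P[0]**3 + A*P[0] + B)) % p == 0

def neg(P):
    return None if P is None else (P[0], (-P[1]) % p)

def add(P, Q):
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                   # Q == -P
    lam = (3*x1*x1 + A) * inv(2*y1) if P == Q else (y2 - y1) * inv(x2 - x1)
    x3 = (lam*lam - x1 - x2) % p
    return (x3, (lam*(x1 - x3) - y1) % p)

def mul(k, P):
    R = None
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def line(T, P, R):
    """g_{T,P} evaluated at R: the function with divisor [T] + [P] - [T+P] - [O]
    (line through T and P divided by the vertical line through T+P)."""
    (xT, yT), (xP, yP), (x, y) = T, P, R
    if xT == xP and (yT + yP) % p == 0:
        return (x - xT) % p           # T + P = O: just the vertical line through T
    lam = (3*xT*xT + A) * inv(2*yT) if T == P else (yP - yT) * inv(xP - xT)
    return (y - yT - lam*(x - xT)) * inv(x + xT + xP - lam*lam) % p

def miller(P, m, R):
    """f_P(R) for the function f_P with divisor m[P] - m[O] (needs mP = O), double-and-add."""
    T, f = P, 1
    for bit in bin(m)[3:]:            # bits of m below the leading 1
        f = f*f * line(T, T, R) % p
        T = add(T, T)
        if bit == '1':
            f = f * line(T, P, R) % p
            T = add(T, P)
    return f

def curve_points():
    """All affine points of E(F_p) in a fixed order (p = 3 mod 4, so sqrt(c) = c^((p+1)/4))."""
    for x in range(p):
        c = (x**3 + A*x + B) % p
        y = pow(c, (p + 1)//4, p)
        if y*y % p == c:
            yield (x, y)
            if y: yield (x, p - y)

def weil_pairing(P, Q, m):
    """e_m(P,Q) = [f_P(Q+S)/f_P(S)] / [f_Q(P-S)/f_Q(-S)] with S outside {O, P, -Q, P-Q}.
    If an intermediate line function hits a zero or a pole at one of the four
    evaluation points, that S is discarded and the next candidate is tried."""
    if P is None or Q is None:
        return 1
    for S in curve_points():
        if S in (P, neg(Q), add(P, neg(Q))):
            continue
        try:
            vals = [miller(P, m, add(Q, S)), miller(P, m, S),
                    miller(Q, m, add(P, neg(S))), miller(Q, m, neg(S))]
        except ValueError:
            continue
        if 0 in vals:
            continue
        a, b, c, d = vals
        return a * inv(b) * d * inv(c) % p
    raise RuntimeError("no usable auxiliary point S")

def torsion_points(m):
    """E(F_p)[m] by brute force; the torsion remark predicts m^2 points when E[m] is full."""
    return [None] + [R for R in curve_points() if mul(m, R) is None]

if __name__ == "__main__":
    P, Q, m = (36, 60), (121, 387), 5
    e = weil_pairing(P, Q, m)
    print(e, pow(e, m, p))            # e is a 5th root of unity, e != 1 since P, Q are independent
    print(weil_pairing(P, P, m))      # 1: alternating
    print(len(torsion_points(m)))     # 25 = m^2
```

Because $e_m(P,Q) \ne 1$ here, $Q$ cannot be a multiple of $P$ (otherwise $e_m(P,aP)=e_m(P,P)^a=1$), so the two points really span the whole $5$-torsion, which is why the brute-force count comes out to $m^2 = 25$; the same reasoning is the standard test for linear independence of torsion points.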


## Tate pairing

```sage
p = 101
F = GF(p)
E = EllipticCurve(F, [0, 1])       # E: y^2 = x^3 + 1 over F_101
E_order = E.order()
print(E_order)                     # 102
print(factor(E_order))             # 2 * 3 * 17

# clear the cofactor 6 to land in the subgroup of prime order 17
# (an_element() happens to have order divisible by 17 here; in general take a random
# point, multiply by the cofactor and check the order is what you expect)
P = 6 * E.an_element()
m = P.order()
print(m)                           # 17

# embedding degree: smallest k with m | p^k - 1, i.e. the multiplicative order of p mod m
k = GF(m)(p).multiplicative_order()
print(k)                           # 2

# or search for it directly (the search must start at k = 1, since m | p - 1 is possible)
k = 1
while (p^k - 1) % m != 0:
    k += 1
print(k)                           # 2

print(P.tate_pairing(P, m, k))     # 1

Q = 17 * E.an_element()
print(Q.order())                   # 6
print(P.tate_pairing(Q, m, k))     # 1
```

Both Tate values are 1, and that is expected rather than a bug: with `P`, `Q` both in $E(\mathbb{F}_{101})$ and $k=2$, the reduced Tate pairing lands in $\mu_{17}\cap\mathbb{F}_{101}$, which is trivial because $17 \nmid 100$. A nontrivial value needs a second argument from $E(\mathbb{F}_{101^2})$ outside the base-field points (for instance via a distortion map on this supersingular curve).

# Resources

- An Introduction to Mathematical Cryptography - Hoffstein, Pipher, Silverman -> p. 336
- The Arithmetic of Elliptic Curves - Silverman -> p. 92
- Elliptic Curves: Number Theory and Cryptography, 2nd edition - Washington -> Chapter 3, Torsion points
- https://www.youtube.com/watch?v=8WDOpzxpnTE&t
- https://en.wikipedia.org/wiki/Pairing-based_cryptography
- https://en.wikipedia.org/wiki/Weil_pairing