Re: Reduced Tate pairing in supersingular elliptic curves

Aleksandr Lenin on Wed, 18 Apr 2018 10:13:42 +0200

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: Reduced Tate pairing in supersingular elliptic curves

To: pari-users@pari.math.u-bordeaux.fr
Subject: Re: Reduced Tate pairing in supersingular elliptic curves
From: Aleksandr Lenin <aleksandr.lenin@cyber.ee>
Date: Wed, 18 Apr 2018 11:13:34 +0300
Autocrypt: addr=aleksandr.lenin@cyber.ee; prefer-encrypt=mutual; keydata= xsFNBFg+zhcBEADDEV0vMCFAkMGPnaEqsa4JnTUIGPrQvVkp5hCyVwTgHOzDTw4x3FljwbJ9 BoVI9V3d9j9OdxM6WSKlinjf7ZDFajzRo+O1aevXuJNAdXyWsCfdgKP9zsxcdf2pcgkTSh4j I2fFkjndylGYPrSbKFLdZz+SngY+wXAEQ1CcKSAmwm2Gd5qqXgjErIFtvRtcRnH+0z4/Hbw0 5BPASCpdmrfu/ALvM6YWi4Bskqz6TAtsFdqJV1MpWBwU56CdLgt3q8SOoBOzJBIF329OPW/O BIXdByfeA4Z7HVLLjQM/D5CPRvjBRJw5tfTd5dAH30uJDF3C88DE4mpZrR8dRrSuFhBEacSO MU6UoBm8q3V6yeRv9zQENDBXa+StTTOYKR2DI+7pLFzfYBRMu18IdgPoG7Vyzo9T+SSvRkb/ csGS7uwpwzNXLQ7GM4xAguBmlWUBWuJRH+t5+zPJ9a2k9bYpwos72PkPGdss4/xDu/d9p04Z xkXLj3RbPWac8B6wxkt6spuDni8W1N2KIDV8Gbe5wDzEns/ebVaH/oSC0UZaDQVW2ye4jCpL hnn7K23FBGe6xwiD8RzIEHkrTv/M2XoLvt0vkNouquliZSRmLfJA11M+50kOhdd+GntLhob0 zZjYhxv7pJjGW10XpqDE4tP205zrjU/oyn5XQY7IMDrbjCJT3wARAQABzSpBbGVrc2FuZHIg TGVuaW4gPGFsZWtzYW5kci5sZW5pbkBjeWJlci5lZT7CwX0EEwEIACcFAlg+zhcCGyMFCQlm AYAFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQ4HByBsz4rF0OURAAjs3Ehe+8EAjhgv0O rKy6SALX2qVPiviwqg4i67HE8E2pJcZNivma8s/6V2VJClzvTpDzW/u5hPVJVJrMBkE+SdQp Z+3GrFUTIElocJWIboqRyTx/h8mHKTjIM9dcJxvnsxxP2l9UoNMr2Dcl3r0v6YMgB1XxiRg5 PROVWlR0do+b6cQb89fLTvngqd9NhpRBgxNqf0HrjAYFuDRXNu5AOlAlKajPc1K0A5B8K0za 4G8jUMipX2/y6iqpjIm73rKvFZVgRlXYlcz+rS6Uhi5ee4/zi8Z3roN9GZ+NzbUV8culwBu0 VhoSXqCfWqdhzCluTw/BWuWbkZ9MENPEhmXmoAK+wmMNXQHVXo602Cjn8xJeYXjoY8cAb7MX SBOYBF4yviTuFHvXiYROxjNsE53i/R4qJEb1Br2So/6oM1jQZ8vWFeE8UlDYsw9UnLgu0tQF iN+O14Az7Ohn367u4kxHnmAyJpxOkJwkzvGejbavyjCg0PkivZfu0Fnfg9JsCdcxMWYTActu GY87rnxx7EGk9VBjmfmtUO0d+MrwL32GyT18KyIGN6H6evJJBp/5hNsh8pDfXwzvHebEADOo BEeQspzAfmc1A92PZLqbXMC62PWz0ULWRzTI20s0AijLwoQFTNgM4n2am4ma+QyyS9gtsvZD lS9BlHOEYkcHOJetdUvOwU0EWD7OFwEQALnjVZAmxrQixWfoQH7DgUNvHD31VDKIU1RZVrgm 43PxrxTVWwAjVm+ZwKqHgUbZeeiQy+mIZN9yL7LNvEtxT3LV2SlUSG0Q7NemQry5+kMbYgyF CVIBp+/5Abay6wBtTk3y/Gk7ZcoDBxxuaMy2bzqFBq1JPmQYWMMWCU7U/mBnJGd8NUaxE016 9QNkJnQsuxHX5IS13qSD3VOAvnqEMcJQxF1HqXTtOG7j3bmkNAgd+uKR/l6tyhr9BqYlguvX JAKipUGBxySHkXdvUledNw3qVqYCzy7+UT/Rjza/mlIDEkFEgevEIGB/u74lr60TnB0FDHQG 7B8p8gT5phNJZQvYxEz/htoUOmuKEAYezY/CFRGS4v1Xzqt5AlXBoorV8YkbMhv1f6H2Y17m RFgIboBYxU66JMKx3AiZMhAg0RpTQgQMsjxKVFEPFTFBsu7rQ76NEFdImjsIG/T0iJSbJYTV QLE/ceRK5mWn8m8PPdSWsERkQIFeUGziMeGZ8MfjeUg33fmt1sf8HW5nPSbsaguMguLYYHiW lSVjUXYCfcXqUdGIm1BrxTI/kThzvD+FFtt5QhLHi7/NxU0IF5AmqKlNO5p7hNgVTQayHzJb 8bR8PdFYXCUuNejO3zeiuWH4Pg1pIc0I/wDnTmkQAhH4O67mmy6RylzhmwAeNeCe/izvABEB AAHCwWUEGAEIAA8FAlg+zhcCGwwFCQlmAYAACgkQ4HByBsz4rF32TRAAl2l5BXnp8Rvnm5Vv 2ZqFRTpVMzVQiH3FsDh7WdA9yzz4xOYxDLmnyOA1Ag4hK2RrotdhLCyNV7VAcXixHwufpXa1 hnXQRGTxRQ/83RHDdhTDYmXgseuJ4A/IUg12Ub10HmdnxHVaF2QT7tbB9Fa9o5DA2DHM4cWQ BhMRjsagVa7PtzadyvrtdXYHunSRh3O2hOMP0w/goU/INL4bqhl7le8qpHIV0K8WQMQHWkuu 5cB6nmsTegFXy3fi0//GN/dtzz9HyCOm2N20rijcuMbNrTSclCOxCUV9mwyTiGQEwOhOhMgH RgbeNUp0nA9P6Q/lANJt0I2qNKZVWV4FtUzzPPMSSz25v39hbiNgT4p3DNYiw8E1rgFj/h0F K0KK16nSao2y62f/p/+pBajYAIPT/z4p80FRK3r7Pauy7LXQya8h+mGiyuY46ZPFQb3xjeZg /1hu5akwrnp8ME54zvzSk86L4zH4XZ20vdU1j7wY8oFbFVdjIDuUfb1XorWRe1aI54Nb+JZm xzBfZwpxmg1i1IMjCRWthVqQdg6oPcabXDrGM4GzJu9UnMLJIGpeUXnhV1VaMCcBBcvc4bwD 6BdW5CFGkncegvQTRnzN8J422a8awuedG0dZtH4OmHn61OZEfrZQWis8UFX2j4gL1HnqdEav ekgdeiobwetd5TJhNf8=
Delivery-date: Wed, 18 Apr 2018 10:13:42 +0200
In-reply-to: <20180417211040.GD25420@yellowpig>
Openpgp: preference=signencrypt
References: <1f4d9137-c75d-3e6c-3120-bf536887e010@cyber.ee> <20180417193911.GJ9805@yellowpig> <20180417211040.GD25420@yellowpig>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0

Hello Bill,

thanks for your answer.

On 04/18/2018 12:10 AM, Bill Allombert wrote:
> However E(F_q) is isomorphic to (Z/lZ)^2 with r^6 dividing l,
> and p2 is of order r, so p2 can be written as [r].q for some point q,
> so the Tate pairing (p1,p2) is trivial.

I do not completely understand the last inference about the triviality
of the Tate pairing.

In my current understanding of elliptic curve math, p1 and p2 may have
the same order r, or, in other words, belong to the r-torsion. In this
case, the reduced Tate pairing is trivial iff both points belong to the
same torsion subgroup (i.e., the base-field subgroup), and in all the
rest of possible cases, the pairing should be non-trivial.

In my example, point p1 coefficients are defined over the prime field
F_l, so in an elliptic curve defined over F_q, where q = l^2, p1 is
defined over the base-field subgroup of the r-torsion. Point p2 has both
coefficients being F_q elements (a*x,b), and thus belongs to the
r-torsion indeed, but it does not belong to the base-field subgroup as
p1 does, it belongs to some other subgroup (depending on the distortion
map used to generate p2).

If p1 and p2 belong to different subgroups of the r-torsion, shouldn't
it be the sufficient condition for non-triviality of the the reduced
Tate pairing?

-- 
Aleksandr

Follow-Ups:
- Re: Reduced Tate pairing in supersingular elliptic curves
  - From: Bill Allombert <Bill.Allombert@math.u-bordeaux.fr>

References:
- Reduced Tate pairing in supersingular elliptic curves
  - From: Aleksandr Lenin <aleksandr.lenin@cyber.ee>
- Re: Reduced Tate pairing in supersingular elliptic curves
  - From: Bill Allombert <Bill.Allombert@math.u-bordeaux.fr>
- Re: Reduced Tate pairing in supersingular elliptic curves
  - From: Bill Allombert <Bill.Allombert@math.u-bordeaux.fr>

Prev by Date: Re: Reduced Tate pairing in supersingular elliptic curves
Next by Date: Re: Reduced Tate pairing in supersingular elliptic curves
Previous by thread: Re: Reduced Tate pairing in supersingular elliptic curves
Next by thread: Re: Reduced Tate pairing in supersingular elliptic curves
Index(es):
- Date
- Thread