
I am working through the BGN Cryptosystem (Section 2 here) and am after a bit of help understanding the key generation section:

Choose two large primes $q$ and $r$ and set $n=qr$

Find a small integer $l$ such that $4ln-1 = p$ is prime

Then $E$ is the supersingular elliptic curve $y^2 = x^3 + x$ over $\mathbb{F}_p$ with $\#E\left(\mathbb{F}_p\right)=p+1=4ln$

Compute a point $P\in E\left(\mathbb{F}_p\right)$ of order $n$ by choosing a random $P'\in E\left(\mathbb{F}_p\right)$ and setting $P=\left[4l\right]P'$

Let $\mathbb{G}=\left$

Choose $Q'\overset{R}{\leftarrow}\mathbb{G}\backslash \{\infty\}$ and set $Q=\left[r\right]Q'$ (which has order $q$)

Then let $\hat{e}:\mathbb{G}\times\mathbb{G}\rightarrow \mu_n\subset\mathbb{F}_{p^2}$ be the modified Weil Pairing (constructed from the Weil Pairing using a distortion map)

The last sentence is the part I don't understand. Can someone explain in basic terms what a 'modified Weil Pairing' is, and how I would go about computing one in a real-world scenario?

I'm a computer scientist, so assume limited knowledge of any complex maths/theorems.

  • 1
    Since the Weil pairing is alternating, we have $e(P,P)=1$ (by definition of "alternating"), so by bilinearity we get $e(A,B)=1$ for any $A,B \in \mathbb G$. You see that having a trivial Weil pairing (on $\mathbb G \times \mathbb G$) is not interesting at all. Therefore the idea is to use a modified Weil pairing so that it is no longer trivial: $\hat e(a,b) = e(a,\phi(b))$ where $\phi : E \to E$ is a non-scalar isogeny, that is, a group homomorphism given by polynomial equations, which is not of the form $A \mapsto nA$ for some $n$. 2017-02-14
  • 0
    The last sentence gives a very declarative statement of the groups which the Weil pairing involves -- the Weil pairing itself is given in e.g. the Wikipedia article [here](https://en.wikipedia.org/wiki/Weil_pairing). 2017-05-22
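
An added example, not part of the original question or comments: toy-sized Python for the key generation steps listed in the question, plus the distortion map $\phi(x,y)=(-x,\,iy)$ with $i^2=-1$, which is the usual choice for $y^2=x^3+x$ when $p\equiv 3 \pmod 4$ and is an assumption here because the page does not name the map. The seeded RNG, the small primes used to run it and all function names are constructed for illustration, and the pairing itself is not computed.

```python
import random

def is_prime(m):  # trial division: adequate only for toy sizes
    return m > 1 and all(m % d for d in range(2, int(m**0.5) + 1))

def add(A, B, p):
    # Affine addition on y^2 = x^3 + x over F_p; None is the point at infinity
    if A is None or B is None: return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0: return None
    if A == B:
        lam = (3 * x1 * x1 + 1) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A, p):  # double-and-add scalar multiplication [k]A
    R = None
    while k:
        if k & 1: R = add(R, A, p)
        A, k = add(A, A, p), k >> 1
    return R

def random_point(p, rng):
    # p = 4ln - 1 is 3 mod 4, so a square root of a residue s is s^((p+1)/4)
    while True:
        x = rng.randrange(p)
        s = (x**3 + x) % p
        y = pow(s, (p + 1) // 4, p)
        if y * y % p == s: return (x, y)

def keygen(q, r, seed=1):
    rng = random.Random(seed)  # constructed, non-cryptographic RNG for a repeatable demo
    n = q * r
    l = next(l for l in range(1, 10**6) if is_prime(4 * l * n - 1))
    p = 4 * l * n - 1
    P = None
    while not (P and mul(q, P, p) and mul(r, P, p)):  # retry until order is exactly n
        P = mul(4 * l, random_point(p, rng), p)
    Q = None
    while Q is None:  # [r]Q' is infinity when q divides the scalar, so retry
        Q = mul(r, mul(rng.randrange(1, n), P, p), p)
    return n, l, p, P, Q

def distort(A, p):
    # phi(x, y) = (-x, i*y); returned as (x, b) where the y-coordinate is b*i in F_{p^2}
    return ((-A[0]) % p, A[1])
```

Because $\phi(P)$ has a y-coordinate outside $\mathbb{F}_p$, it is not a multiple of $P$, which is what lets $e(P,\phi(P))$ be non-trivial as the first comment describes.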
