1 / 40

Implementing Cryptographic Pairings

Implementing Cryptographic Pairings. Mike Scott. TexPoint fonts used in EMF: A A A A A A A A A A A A A A A A. Bilinear pairings. e(aP,bQ) = e(P,Q) ab – bilinearity! The Tate pairing seems best choice. Possible on ordinary elliptic curves of prime characteristic and on supersingular curves.

harken
Download Presentation

Implementing Cryptographic Pairings

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Implementing Cryptographic Pairings Mike Scott TexPoint fonts used in EMF: AAAAAAAAAAAAAAAA

  2. Bilinear pairings • e(aP,bQ) = e(P,Q)ab – bilinearity! • The Tate pairing seems best choice. • Possible on ordinary elliptic curves of prime characteristic and on supersingular curves. • P (of prime order r), and Q are points on E(Fqk). • Embedding degree smallestk such that r |(qk-1) • Pairing evaluates as element in Fqk • Here we concentrate on q=p, and non-supersingular.

  3. Miller’s algorithm

  4. Elliptic Curves (point doubling case) Line of slope λj λj = (3xj2+A)/2yj xj+1 = λj2-2xj yj+1 = λj(xj-xj+1)-yj xj,yj xj+1,yj+1

  5. The Pairing Algorithm Q(xq,yq) Line of slope λj l(Q) = (yq-yj) – λj(xq-xj) yq-yj xj,yj xq-xj v(Q) =xq-xj+1 xj+1,yj+1

  6. Miller’s algorithm • As described, it may fail (the line may pass through Q!) • Traditionally solved by introducing a random R, which doesn’t change value of the pairing. If algorithm fails, choose another R. • Will not be needed later, so omitted here

  7. First optimizations • Choose low Hamming weight r (if possible) • If not possible (MNT curves?) windowing algorithms, also idea of Eisentrager et al. • Choose P from E(Fp) (Solinas’s Miller Light), now use projective coordinates. • NOT choose p of low Hamming weight! (Schirokauer) • Restriction – k=2d is always even. • Final exponentiation considered in 2 parts.

  8. First optimizations

  9. Extension field arithmetic • Considered before for crypto use ( XTR, OEFs). • k=2 case is the simplest • Irreducible polynomial x2+1 for p=3 mod 4 • Element in Fp2 is (a+xb), where a and b are in Fp . • Consider x=i as root of irreducible polynomial, so i=√-1 • Just like complex arithmetic!

  10. Extension field arithmetic • Multiplication (Karatsuba) • (a+ib)(c+id) = ac-bd +i[(a+b)(c+d)-ac-bd] • 3 modmuls? But better to use lazy reduction, e.g. calculate (ac-bd) mod p (2 muls and one reduction) • Cost ~ 2.5 modmuls • Squaring • (a+ib)(a+ib) = (a+b)(a-b)+i.2ab • Cost ~ 2 Modmuls

  11. Cubic Extension? • Irreducible polynomial x3+n • Karatsuba or Toom-Cook for multiplication (6 or 5 Modmuls resp.). Toom-Cook has tricky divisions by constants… • Final exponent has factor of p-1.. So divisions can be replaced by multiplications – thank you Fermat! • Lazy reduction applies again. • Squaring – 4 Modsqrs and 1 Modmul (Chung & Hasan) – recent result!

  12. Square roots • For quadratic extension, irreducible x2+n • Can you find simple solution for cubic extension?

  13. A Tower of Extensions • For a sextic extension field x6+n, could use a cubic extension on top of a quadratic extension – squaring requires only 11 modmuls using Chung-Hasan • Always use pairing-friendly irreducible polynomials. For example for k=12, maybe use X6+(1+√-2) and a sextic extension on top of a quadratic, which uses x2+2 as the irreducible.

  14. Frobenius • The Frobenius is very useful for extension field arithmetic • (a+ib)p = (ap+ipbp) = (a-ib) • When raising an extension field element to a power, you never have to use an exponent greater than p.

  15. Types of pairing-friendly curves • #E=p+1-t • |t| ≤ 2√p • r|#E • ρ = lg(p)/lg(r) • ω = lg(r)/lg(t) • In generalsmall ρ is good (ρ = 1 is “ideal”) • Large ωis also good.

  16. Example - BN Curves • k=12 • p(x) = 36x4+36x3+24x2+6x+1 • #E(x) = 36x4+36x3+18x2+6x+1 • t(x) = 6x2+1 • ρ = 1 (ideal!) • ω = 2 (not bad – but ω = 4 possible for k=12) • In general the smallerρ the harder to find a low hamming weight r. • For Cocks-Pinch curves ρ = 2, free choice for r.

  17. Where were we? • k=2d so assume that Fpkis built as a quadratic extension on top of Fpd. So now consider an element of Fpk as (a+ib). • So (a+ib)pd = (a-ib) • → (1/(a+ib))pd-1 = (a-ib)pd-1 • Which means that following exponentiation to the power of pd-1, inversions cannot be distinguished from conjugates.

  18. Further optimizations

  19. What about Q? • Choose Q to best advantage. • Q is point (xQ,yQ), where xQ = (a+ib), yQ = (c+id) • Now restrict to the case where b=c=0 • The vertical line functions are now in Fpdand so get wiped out - denominator elimination. • If Q(a,id) is a point on E(Fpk), then Q(-a,d) is a point on the quadratic twist E’(Fpd).

  20. Denominator elimination

  21. Yet more optimization • The group order will always be odd, but the effect of the last line addition which takes T to the point-at-infinity will be wiped out by the final exponentiation. • Final exponentiation can be further divided into 3 parts, • pd-1 • (pd+1)/Φk(p) • Φk(p)/r

  22. Yet more optimization • For example for k=6, Φ6(p)=p2-p+1 • p6-1 = (p3-1)(p+1)(p2-p+1) • r|p2-p+1, from definition of the embedding degree. • Exponentiation by p3-1 and p+1 will be easy using Frobenius and one extension field inversion • Exponentiation by (p2-p+1)/r is the “hard part”

  23. Yet more optimization

  24. Hard part of final exponentiation • Express hard exponent to base p • xe = xe0+e1.p+e2.p2… = xe0.(xp)e1.(xp2)e2 …. • Now use Frobenius and multi-exponentiation. • Exploit fact that inverses can be treated as conjugates for fast NAF-based exponentiation.

  25. Compression • Alternatively for k≤8, use Lucas or XTR exponentiation, which uses the full sized exponent, but over smaller fields Fpk/2and Fpk/3 respectively. • Also compresses pairing to one half or one-third size • Probably useful to compress the pairing anyway, even after multi-exponentiation.

  26. Precomputation • In many cases the first parameter P may be fixed – it may be an IBE private key. • In which case it makes sense to precompute the values of T which are multiples of P • In this case use Affine coordinates • Big speed-up for smaller k. For larger k extension field arithmetic dwarf’s elliptic curve point addition/doubling.

  27. Trick #1 • Often in a pairing-based protocol there is a requirement to further raise the value of the pairing to a power v<r • If using multi-exponentiation, the value of r can be “folded into” the exponent at no extra cost. • Powering for free!

  28. Curve dependent Optimizations • There are families of curves for which ω >1. For the MNT curves ω=2. • In these cases a “truncated loop” variant of the pairing is possible – the Ate pairing. • Here P is chosen from E’(Fpd) and Q from E(Fp) • Now we get a bilinear pairing with a much shorter loop!

  29. Ate pairing

  30. Low CM Discriminant curves • For non-supersingular curves, must use Complex Multiplication (CM) method to find curve parameters. • Many pairing-friendly curves have a CM discriminant of -1 or -3. • In these cases quartic and sextic twists also exist. • For BN curves, D=-3, k=12, and so curve over sextic twist E(Fpk/6) can be used.

  31. Low CM Discriminant curves • So Q 2 E(Fpk/c) for c=4 or 6 is possible for Tate pairing…. • Or P 2 E(Fpk/c) for Ate pairing • Works particularly well with Ate pairing • For a k=6 D=-3 curves both P and Q can be on curves over Fp ! • (Unfortunately no such curves are known with ρ <2 ).

  32. Trick #2 • Consider MNT k=6 curve, r = #E a prime. • Hard part of final exponentiation is to the power of (p2-p+1)/r = (p2-p+1)/(p+1-t) = p+ε, where ε ~ t • So hard part of exponentiation is fp.fε • Which is one Frobenius and one half-length exponentiation (not a multi-exponentiation).

  33. The Wider Context • Pairings are not calculated in isolation • They are part of a wider context. • The protocol may also require variable point multiplications – faster if P and Q are over smaller fields. • Or it may only also require fixed-point multiplications (B&F IBE), in which case the pairing will be the dominant computation.

  34. The Wider Context • Compare (a) k=2, p=512 bits with (b) k=6, p=160 bits • Similar security levels. • But pairing for (a) is much faster (especially with precomputation) • Variable point multiplication (over E(Fp)) much faster on (b). • Short signature scheme must use (b). • I could go on…

  35. Scaling security • ..much debated… • Code for higher extensions is much “fussier”. Spends more time hopping in and out of functions, function overhead an issue. • Small instruction cache – more cache misses with fussier code.

  36. Scaling security

  37. Products of Pairings • For example e(P,Q).e(R,S) • Implicit multiplication of P and R take place in “lock-step”. Use affine coordinates and Montgomery’s trick. • Share the Miller variable f between both pairings, and only square it once • .. And of course share the final exponentiation.

  38. Some timings • All code in C and assembly, P4 3GHz • Compare with 1024-bit RSA decryption on the same platform. • Group size of 160-bits, Field size of 1024-bit equivalent. Precomputation allowed. • Three pairings – timings in milliseconds • ηTpairingE(F2379), k= 4 • Tate pairing E(Fp), 512 bit p, k=2 • Ate pairing E(Fp), 256 bit p, k=4, ω=2

  39. Timings

  40. Questions ?? Full paper – ftp.computing.dcu.ie/pub/crypto/pairings.pdf Thank you! mike@computing.dcu.ie

More Related