Another Approach to Pairing Computation in Edwards Coordinates - - PowerPoint PPT Presentation



SLIDE 1

Another Approach to Pairing Computation in Edwards Coordinates

Sorina Ionica

PRISM, Université de Versailles

joint work with Antoine Joux

Sorina Ionica Pairing Computation in Edwards Coordinates

SLIDE 2

What is a pairing?

A pairing is a map $e : G_1 \times G_1' \to G_2$ where $G_1, G_1'$ are groups of order $r$ written additively and $G_2$ is a group of order $r$ written multiplicatively, such that the following hold:

bilinear: $e(aP, Q) = e(P, aQ) = e(P, Q)^a$

nondegenerate: for every $P \in G_1$ different from $0$ there is $Q \in G_1'$ such that $e(P, Q) \neq 1$.

SLIDE 3

Pairings in Elliptic Curve Cryptography

Pairings on elliptic curves: the Weil pairing, the Tate, Ate and Eta pairings. Applications:

  • one-round protocol for tripartite Diffie-Hellman
  • identity-based encryption
  • short signatures
  • etc.

SLIDE 4

The Tate pairing. Notations.

Let $E$ be an elliptic curve over a finite field $\mathbb{F}_q$ with $q \geq 5$, i.e. $E : y^2 = x^3 + ax + b$. Let $r \mid \#E(\mathbb{F}_q)$ and $E[r]$ the $r$-torsion subgroup, i.e. the subgroup of points of order $r$ in $E(\mathbb{F}_q)$. If $r \mid \#E(\mathbb{F}_q)$ then $E(\mathbb{F}_q)[r]$ gives at least one component.

Embedding degree: $k$ minimal with $r \mid (q^k - 1)$. Note that the $r$-th roots of unity satisfy $\mu_r \subset \mathbb{F}_{q^k}^{\times}$.

SLIDE 5

The Tate pairing

If $k > 1$ then $E(\mathbb{F}_{q^k})[r] = E[r]$. Choose $P, Q \in E[r]$ and $G_1 = \langle P \rangle$, $G_1' = \langle Q \rangle$.

Take $f_{r,P}$ such that $\mathrm{div}(f_{r,P}) = r(P) - r(O)$ and $D = (Q + T) - (T)$, with $T$ such that the support of $D$ is disjoint from the support of $\mathrm{div}(f_{r,P})$. For crypto use:

$T_r(\cdot, \cdot) : G_1 \times G_1' \to \mu_r,$

$T_r(P, Q) = f_{r,P}(D)^{(q^k - 1)/r}.$

SLIDE 6

Miller's algorithm

Introduce for $i \geq 1$ functions $f_{i,P}$ such that $\mathrm{div}(f_{i,P}) = i(P) - (iP) - (i - 1)(O)$. Note $\mathrm{div}(f_{r,P}) = r(P) - r(O)$.

Establish the Miller equation

$f_{i+j,P} = f_{i,P}\, f_{j,P}\, \dfrac{l_{iP,jP}}{v_{(i+j)P}}$

where $l_{iP,jP}$ and $v_{(i+j)P}$ are such that

$\mathrm{div}(l_{iP,jP}) = (iP) + (jP) + (-(i + j)P) - 3(O)$

$\mathrm{div}(v_{(i+j)P}) = (-(i + j)P) + ((i + j)P) - 2(O)$

SLIDE 7

Miller's algorithm

$f_{1,P}(D) = 1$

$f_{2,P}(D) = f_{1,P}^2(D)\, \dfrac{l_{P,P}(D)}{v_{2P}(D)}$

$f_{3,P}(D) = f_{1,P}(D)\, f_{2,P}(D)\, \dfrac{l_{P,2P}(D)}{v_{3P}(D)}$

...

$f_{r,P}(D) = f_{r-1,P}(D)\, f_{1,P}(D)\, l_{(r-1)P,P}(D)$

Use the double-and-add method to compute $f_{r,P}(D)$ (the Tate pairing!) in $O(\log_2 r)$ steps!

SLIDE 8

Miller's algorithm or double-and-add

Choose a random point $T \in E(\mathbb{F}_{q^k})$ and compute $Q' = Q + T \in E(\mathbb{F}_{q^k})$.

Let $n \leftarrow [\log_2(r)]$, $K \leftarrow P$, $f \leftarrow 1$.

while $n \geq 1$
    Compute the equations of $l$ and $v$ arising in the doubling of $K$.
    $K \leftarrow 2K$ and $f \leftarrow f^2 \cdot \big(l(Q')\, v(T)\big) / \big(v(Q')\, l(T)\big)$.
    if the $n$-th bit of $r$ is 1
        Compute the equations of $l$ and $v$ arising in the addition of $K$ and $P$.
        $K \leftarrow P + K$ and $f \leftarrow f \cdot \big(l(Q')\, v(T)\big) / \big(l(T)\, v(Q')\big)$.
    Let $n \leftarrow n - 1$.
end while
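The loop on slide 8, as an added example that is not part of the original slides: a plain Python implementation of Miller's algorithm and the reduced Tate pairing of slide 5 on a constructed toy curve ($y^2 = x^3 + x$ over $\mathbb{F}_{11}$, $r = 3$, $k = 2$, $\mathbb{F}_{121} = \mathbb{F}_{11}[i]$). The bit scan starts one position below the most significant bit of $r$; the points $P$, $Q$ (a distortion-map image) and $T$, and the field representation, are my assumptions, not the slides'.

```python
# Constructed toy instance (not from the slides): E : y^2 = x^3 + x over F_11, r = 3,
# k = 2, F_121 = F_11[i]/(i^2 + 1). Field elements are pairs (a, b) meaning a + b*i;
# points are affine pairs (x, y) of field elements, and O is None.
q, A, r = 11, 1, 3
def add(u, v): return ((u[0] + v[0]) % q, (u[1] + v[1]) % q)
def sub(u, v): return ((u[0] - v[0]) % q, (u[1] - v[1]) % q)
def mul(u, v): return ((u[0]*v[0] - u[1]*v[1]) % q, (u[0]*v[1] + u[1]*v[0]) % q)
def inv(u):  # (a + bi)^-1 = (a - bi)/(a^2 + b^2); raises ValueError for u == 0
    n = pow(u[0]*u[0] + u[1]*u[1], -1, q)
    return (u[0]*n % q, -u[1]*n % q)
def fpow(u, e):
    res, base = (1, 0), u
    while e:
        if e & 1: res = mul(res, base)
        base, e = mul(base, base), e >> 1
    return res

def ec_step(K, P):
    """Return (K + P, l, v) for affine K, P != O: l is the line through K and P
    (the tangent when K == P) and v the vertical through K + P, as on slide 6."""
    (x1, y1), (x2, y2) = K, P
    if x1 == x2 and y1 != y2:              # K + P = O: l is vertical, v = 1
        return None, (lambda x, y: sub(x, x1)), (lambda x, y: (1, 0))
    if K == P:
        lam = mul(add(mul((3, 0), mul(x1, x1)), (A, 0)), inv(mul((2, 0), y1)))
    else:
        lam = mul(sub(y2, y1), inv(sub(x2, x1)))
    x3 = sub(sub(mul(lam, lam), x1), x2)
    y3 = sub(mul(lam, sub(x1, x3)), y1)
    l = lambda x, y: sub(sub(y, y1), mul(lam, sub(x, x1)))
    return (x3, y3), l, (lambda x, y: sub(x, x3))

def miller(P, Qp, T):
    """f_{r,P}(D) for D = (Q + T) - (T), Qp = Q + T, as on slide 8: for each bit of r
    below the top one, double; then add P when the bit is 1."""
    K, f = P, (1, 0)
    for n in range(r.bit_length() - 2, -1, -1):
        K, l, v = ec_step(K, K)
        f = mul(mul(f, f), mul(mul(l(*Qp), v(*T)), inv(mul(v(*Qp), l(*T)))))
        if (r >> n) & 1:
            K, l, v = ec_step(K, P)
            f = mul(f, mul(mul(l(*Qp), v(*T)), inv(mul(v(*Qp), l(*T)))))
    return f

def tate(P, Q, T):
    """Reduced Tate pairing f_{r,P}(D)^((q^k - 1)/r) of slide 5; a T whose D meets the support of f_{r,P} makes inv raise."""
    return fpow(miller(P, ec_step(Q, T)[0], T), (q * q - 1) // r)

# P has order 3 in E(F_11); Q = (-x, i*y) is its distortion-map image, hence in
# E(F_121)[3] but not in <P>; T is an auxiliary point of E(F_11). All constructed.
P, Q, T = ((5, 0), (3, 0)), ((6, 0), (0, 3)), ((8, 0), (5, 0))
```

The result is a primitive cube root of unity in $\mathbb{F}_{121}$, and doubling either argument squares it, which is the bilinearity of slide 2.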

SLIDE 9

Implementing Miller's algorithm

The doubling part of the double-and-add method is the most important.

  • Use faster exponentiation techniques (sliding window method, NAF)
  • Choose $r$ with low Hamming weight
  • Choose $P \in E(\mathbb{F}_q)[r]$ and $Q \in E(\mathbb{F}_{q^k})[r]$. Take $k$ even and get major speed-ups by using twists and working in subfields
  • Up to now best performance in Jacobian coordinates: $(X, Y, Z)$ such that $(X/Z^2, Y/Z^3)$ is a point on the elliptic curve $E$.

SLIDE 10

Edwards curves

Let $E$ be an elliptic curve over $\mathbb{F}_q$ such that $E(\mathbb{F}_q)$ has an element of order 4. There is a nonsquare $d \in \mathbb{F}_q$ such that $E$ is birationally equivalent over $\mathbb{F}_q$ to the Edwards curve

$x^2 + y^2 = 1 + d(xy)^2.$

On the Edwards curve the addition law is

$(x_1, y_1), (x_2, y_2) \mapsto \left( \dfrac{x_1 y_2 + y_1 x_2}{1 + d x_1 x_2 y_1 y_2},\ \dfrac{y_1 y_2 - x_1 x_2}{1 - d x_1 x_2 y_1 y_2} \right)$

SLIDE 11

Edwards versus Jacobian

Actually use homogeneous Edwards coordinates to avoid inversions: $(X, Y, Z)$ corresponding to $(X/Z, Y/Z)$ on the Edwards curve.

                  Edwards coordinates   Jacobian coordinates
addition          10m+1m                11m+5s
doubling          3m+4s                 1m+8s (or 3m+5s for a = −3)
mixed addition    9m+1s                 7m+4s (Z_2 = 1)

s, m are the costs of operations in $\mathbb{F}_q$ (s = 0.8m).

SLIDE 12

Edwards curves

Note a 4-torsion subgroup defined over $\mathbb{F}_q$:

$\{\, O = (0, 1),\ T_4 = (1, 0),\ T_2 = (0, -1),\ -T_4 = (-1, 0) \,\}$

Take a look at the action of this subgroup on a fixed point $P = (x, y)$:

$P \mapsto \{\, P,\ P + T_4 = (y, -x),\ P + T_2 = (-x, -y),\ P - T_4 = (-y, x) \,\}$

SLIDE 13

Edwards curves

If $xy \neq 0$ note $p = (xy)^2$ and $s = x/y - y/x$ to characterize the point $P$ up to the action of the 4-torsion subgroup. Take

$E_{s,p} : s^2 p = (1 + dp)^2 - 4p$

and define $\varphi : E \to E_{s,p}$, $\varphi(x, y) = \left( (xy)^2,\ \dfrac{x}{y} - \dfrac{y}{x} \right)$. $\varphi$ is separable of degree 4.
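As an added example, not from the slides: the Edwards addition law of slide 10, the 4-torsion translates of slide 12 and the map $\varphi$ of slide 13, on a constructed toy curve over $\mathbb{F}_{11}$ with $d = -1$. It checks that all four translates of a point have the same image under $\varphi$ and that the image lies on $E_{s,p}$; the prime, the curve and the sample point are my assumptions.

```python
# Constructed toy instance (not from the slides): the Edwards curve
# x^2 + y^2 = 1 + d (xy)^2 over F_11 with d = -1, a nonsquare since 11 = 3 (mod 4).
q, d = 11, -1 % 11

def ed_add(P1, P2):
    """Edwards addition law of slide 10 in affine coordinates (one inversion per
    coordinate; the homogeneous coordinates of slide 11 avoid them)."""
    (x1, y1), (x2, y2) = P1, P2
    t = d * x1 * x2 * y1 * y2 % q
    x3 = (x1 * y2 + y1 * x2) * pow(1 + t, -1, q) % q
    y3 = (y1 * y2 - x1 * x2) * pow(1 - t, -1, q) % q
    return (x3, y3)

def ed_mul(n, P):
    """[n]P by left-to-right double-and-add, starting from the neutral element (0, 1)."""
    R = (0, 1)
    for bit in bin(n)[2:]:
        R = ed_add(R, R)
        if bit == "1":
            R = ed_add(R, P)
    return R

def on_edwards(P):
    x, y = P
    return (x * x + y * y - 1 - d * x * x * y * y) % q == 0

def torsion_orbit(P):
    """{P, P + T4, P + T2, P - T4} for the rational 4-torsion subgroup of slide 12."""
    O, T4, T2 = (0, 1), (1, 0), (0, -1 % q)
    return [ed_add(P, R) for R in (O, T4, T2, ed_add(T2, T4))]

def phi(P):
    """The degree-4 map of slide 13, (x, y) -> (p, s) = ((xy)^2, x/y - y/x); needs xy != 0."""
    x, y = P
    return ((x * y) ** 2 % q, (x * pow(y, -1, q) - y * pow(x, -1, q)) % q)

def on_Esp(ps):
    """Membership in E_{s,p}: s^2 p = (1 + d p)^2 - 4p (slide 13)."""
    p, s = ps
    return (s * s * p - (1 + d * p) ** 2 + 4 * p) % q == 0
```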

SLIDE 14

And back to an elliptic curve...

$E_{s,p}$ is elliptic as:

$s^2 p = (1 + dp)^2 - 4p$

$\downarrow$ $(P, S, Z)$

$S^2 P = (Z + dP)^2 Z - 4 P Z^2$

$\downarrow$ $(P = 1)$

$s^2 = z^3 + (2d - 4) z^2 + d z$

Consider the standard addition law: $O_{s,p} = (0, 1, 0)$ neutral element and $T_{2,s,p} = (1, 0, 0)$ point of order 2.

SLIDE 15

Arithmetic of $E_{s,p}$

Take $l_{s,p}$ the line passing through $P_1$ and $P_2$. Take $R$ its third point of intersection with the curve $E_{s,p}$. Take $v_{s,p}$ the vertical line through $R$. $P_1 + P_2$ is the second point of intersection of $v_{s,p}$ with $E_{s,p}$.

$\mathrm{div}(l_{s,p}) = (P_1) + (P_2) + (-(P_1 + P_2)) - 2(T_{2,s,p}) - (O_{s,p})$

and

$\mathrm{div}(v_{s,p}) = (P_1 + P_2) + (-(P_1 + P_2)) - 2(T_{2,s,p}).$

SLIDE 16

Miller's algorithm on Edwards curves

Consider slightly modified functions $f^{(4)}_{i,P}$:

$\mathrm{div}(f^{(4)}_{i,P}) = i\big((P) + (P + T_4) + (P + T_2) + (P - T_4)\big) - \big((iP) + (iP + T_4) + (iP + T_2) + (iP - T_4)\big) - (i - 1)\big((O) + (T_4) + (T_2) + (-T_4)\big).$

Then

$\mathrm{div}(f^{(4)}_{r,P}) = r\big((P) + (P + T_4) + (P + T_2) + (P - T_4)\big) - r\big((O) + (T_4) + (T_2) + (-T_4)\big).$

Compute the 4-th power of the Tate pairing:

$T_r(P, Q)^4 = f^{(4)}_{r,P}(D)^{\frac{q^k - 1}{r}}.$

SLIDE 17

Miller's algorithm on the Edwards curve

Establish the Miller equation:

$f^{(4)}_{i+j,P} = f^{(4)}_{i,P}\, f^{(4)}_{j,P}\, \dfrac{l}{v},$

where $l/v$ is the function of divisor

$\mathrm{div}\!\left(\dfrac{l}{v}\right) = \big((iP) + (iP + T_4) + (iP + T_2) + (iP - T_4)\big) + \big((jP) + (jP + T_4) + (jP + T_2) + (jP - T_4)\big) - \big(((i + j)P) + ((i + j)P + T_4) + ((i + j)P + T_2) + ((i + j)P - T_4)\big) - \big((O) + (T_4) + (T_2) + (-T_4)\big).$

SLIDE 18

Miller's algorithm on the Edwards curve

Let $P' = \varphi(P)$ and $l_{s,p}$ and $v_{s,p}$ such that

$\mathrm{div}(l_{s,p}) = (iP') + (jP') + (-(i + j)P') - 2(T_{2,s,p}) - (O_{s,p})$

and

$\mathrm{div}(v_{s,p}) = ((i + j)P') + (-(i + j)P') - 2(T_{2,s,p}).$

$f_{i+j,P'} = f_{i,P'}\, f_{j,P'}\, \dfrac{l_{s,p}}{v_{s,p}}$

$\downarrow \varphi^*$

$f^{(4)}_{i+j,P} = f^{(4)}_{i,P}\, f^{(4)}_{j,P}\, \dfrac{l}{v}$

Compute $l/v = \varphi^*(l_{s,p}/v_{s,p})$.

SLIDE 19

Computing $l$ and $v$

For the doubling step:

$l(x, y) = \dfrac{(X_1^2 + Y_1^2 - Z_1^2)(X_1^2 - Y_1^2)\big(2X_1Y_1(x/y - y/x) - 2(X_1^2 - Y_1^2)\big) + Z_3\big(dZ_1^2(xy)^2 - (X_1^2 + Y_1^2 - Z_1^2)\big)}{2X_1Y_1(X_1^2 + Y_1^2 - Z_1^2)(X_1^2 - Y_1^2)},$

$v(x, y) = \dfrac{dZ_3^2(xy)^2 - (X_3^2 + Y_3^2 - Z_3^2)}{X_3^2 + Y_3^2 - Z_3^2}.$

For the mixed addition step:

$l(x, y) = \dfrac{\big(X_1^2 + Y_1^2 - Z_1^2 - dZ_1^2(X_0Y_0)^2\big)\big(X_1Y_1(x/y - y/x) - (X_1^2 - Y_1^2)\big) - \big(X_1^2 - Y_1^2 - X_1Y_1(X_0/Y_0 - Y_0/X_0)\big)\big(dZ_1^2(xy)^2 - (X_1^2 + Y_1^2 - Z_1^2)\big)}{X_1Y_1\big(X_1^2 + Y_1^2 - Z_1^2 - dZ_1^2(X_0Y_0)^2\big)};$

$v(x, y) = \dfrac{dZ_3^2(xy)^2 - (X_3^2 + Y_3^2 - Z_3^2)}{X_3^2 + Y_3^2 - Z_3^2}.$

SLIDE 20

Comparison of costs for the doubling step of Miller's algorithm

                                                  k = 2              k ≥ 4
Jacobian coordinates                              10s + 3m + S + M   11s + (k + 1)m + S + M
Jacobian coordinates for a = −3                   4s + 8m + S + M    4s + (k + 7)m + S + M
Das/Sarkar Edwards coordinates (supersingular)    6s + 9m + S + M
Edwards coordinates                               4s + 9m + S + M    4s + (k + 8)m + S + M

s, m are costs of operations in $\mathbb{F}_q$; S, M are costs of operations in $\mathbb{F}_{q^k}$.

SLIDE 21

Comparison of costs for the mixed addition step of the Miller operation in the case of k even

                                                  k = 2              k ≥ 4
Jacobian coordinates                              3s + 11m + M       3s + (k + 9)m + 1M
Das/Sarkar Edwards coordinates (supersingular)    1s + 17m + M
Edwards coordinates                               4s + 15m + M       4s + (k + 14)m + 1M

SLIDE 22

A useful scenario

Take $E : y^2 = x^3 + x$. Take $q = 2^{520} + 2^{363} - 2^{360} - 1$ ($q \equiv 3 \bmod 4$). Then $r = 2^{160} + 2^3 - 1$ and the embedding degree is $k = 2$. The Edwards form is $x^2 + y^2 = 1 - (xy)^2$, so $d = -1$.

SLIDE 23

A useful scenario

Suppose you want to implement a protocol in Edwards coordinates.

  • protection from side channel attacks

You need to compute the pairing of two points $e(P, Q)$, where $Q$ is a fixed point. You have $P = (X_0, Y_0, 1)$ in Edwards coordinates. Switch to Jacobian coordinates (via $\psi(X_0, Y_0) = \left( \dfrac{1 + Y_0}{1 - Y_0},\ \dfrac{1 + Y_0}{X_0(1 - Y_0)} \right)$) and compute the pairing on the Weierstrass form.

  • faster, but you need one inversion with Montgomery's trick!

SLIDE 24

An inversion free algorithm

Stick to Edwards coordinates and use our method to implement the pairing. We need $\varphi(X_0, Y_0) = \left( (X_0 Y_0)^2,\ \dfrac{X_0}{Y_0} - \dfrac{Y_0}{X_0} \right)$ to compute the $l$-functions of the mixed addition step. Replace $l \leftarrow (X_0 Y_0)\, l$ in the mixed addition step. The mixed addition will be more expensive (+1m) but NO INVERSIONS!

SLIDE 25

Questions...?