avoiding full extension field arithmetic in pairing
play

Avoiding Full Extension Field Arithmetic in Pairing Computations - PowerPoint PPT Presentation

Dec 28, 2022 •294 likes •556 views

Introduction Motivation Miller 2 n -tupling Results Related Work Avoiding Full Extension Field Arithmetic in Pairing Computations Craig Costello craig.costello@qut.edu.au Queensland University of Technology AfricaCrypt 2010 Joint work with

  1. Introduction Motivation Miller 2 n -tupling Results Related Work Avoiding Full Extension Field Arithmetic in Pairing Computations Craig Costello craig.costello@qut.edu.au Queensland University of Technology AfricaCrypt 2010 Joint work with Colin Boyd, Juanma Gonzalez-Nieto, Kenneth Koon-Ho Wong Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  2. Introduction Motivation Miller 2 n -tupling Results Related Work Motivation Faster pairings mean more efficient... ID-based encryption (IBE) ID-based key agreement short signatures group signatures ring signatures certificateless encryption hierarchical encryption attribute-based encryption ... Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  3. Introduction Motivation Miller 2 n -tupling Results Related Work Table of contents 1 Introduction Pairings and Miller’s algorithm The evolution of Miller’s algorithm: state-of-the-art pairings 2 Motivation 3 Miller 2 n -tupling 4 Results 5 Related Work Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  4. Introduction Motivation Pairings and Miller’s algorithm Miller 2 n -tupling The evolution of Miller’s algorithm: state-of-the-art pairings Results Related Work Pairings on ordinary elliptic curves over large prime fields Need two linearly independent points R and S of large prime order r on E ( F p ), i.e. need two subgroups of E [ r ] E ( F p k ) is the smallest extension that contains two such subgroups (all r + 1 subgroups in fact) k is the embedding degree, first value such that r | p k − 1 Need a function f R with divisor div ( f R ) = r ( R ) − r ( O ) Weil pairing methodology e ( R , S ) = f R ( S ) / f S ( R ) ∈ F p k Tate pairing methodology e ( R , S ) = f R ( S ) p k − 1 ∈ F p k Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  5. Introduction Motivation Pairings and Miller’s algorithm Miller 2 n -tupling The evolution of Miller’s algorithm: state-of-the-art pairings Results Related Work The pairing evaluation functions What do the functions f R ( S ) and f S ( R ) look like? div ( f R ) = r ( R ) − r ( O ), i.e. a zero of order r at R , and a pole of order r at infinity ( O ). Indeterminate f R , f S are of degree r (at least in affine form) If R ∈ E ( F p ) and S ∈ E ( F p k ), then f R ( S ) will have coefficients in F p , evaluated at elements in F p k f S ( R ) will have coefficients in F p k , evaluated at elements in F p Too much to store f R explicitly before evaluating at S Therefore, evaluate at S as you build the function and vice versa. Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  6. Introduction Motivation Pairings and Miller’s algorithm Miller 2 n -tupling The evolution of Miller’s algorithm: state-of-the-art pairings Results Related Work Miller’s algorithm Input: R , S and r = ( r ⌊ log ( r ) ⌋ , ..., r 0 ) 2 Output: f R ( S ) f ← 1, T ← R for i from ⌊ log ( r ) ⌋ − 1 to 0 do Compute g = l / v in the chord-and-tangent doubling of T 1 T ← [2] T 2 f ← f 2 · g ( S ) 3 if r i = 1 then 4 i. Compute g = l / v in the chord-and-tangent addition of T + R ii. T ← T + R iii. f ← f · g ( S ) end if end for : return f Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  7. Introduction Motivation Pairings and Miller’s algorithm Miller 2 n -tupling The evolution of Miller’s algorithm: state-of-the-art pairings Results Related Work Miller’s algorithm for the Weil pairing methodology Initially: run twice to compute e ( R , S ) = f R ( S ) / f S ( R ) Input: R , S and r = ( r ⌊ log ( r ) ⌋ , ..., r 0 ) 2 Output: f R ( S ) (first time) and f S ( R ) (second time) f ← 1, T ← R for i from ⌊ log ( r ) ⌋ − 1 to 0 do Compute g = l / v in the chord-and-tangent doubling of T 1 T ← [2] T 2 f ← f 2 · g ( S ) 3 if r i = 1 then 4 i. Compute g = l / v in the chord-and-tangent addition of T + R ii. T ← T + R iii. f ← f · g ( S ) end if end for : return f Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  8. Introduction Motivation Pairings and Miller’s algorithm Miller 2 n -tupling The evolution of Miller’s algorithm: state-of-the-art pairings Results Related Work Miller’s algorithm for the Tate pairing methodology Idea: run once and exponentiate e ( R , S ) = f R ( S ) p k − 1 Input: R , S and r = ( r ⌊ log ( r ) ⌋ , ..., r 0 ) 2 Output: f R ( S ) f ← 1, T ← R for i from ⌊ log ( r ) ⌋ − 1 to 0 do Compute g = l / v in the chord-and-tangent doubling of T 1 T ← [2] T 2 f ← f 2 · g ( S ) 3 if r i = 1 then 4 i. Compute g = l / v in the chord-and-tangent addition of T + R ii. T ← T + R iii. f ← f · g ( S ) end if return f ← f ( p k − 1) end for : Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  9. Introduction Motivation Pairings and Miller’s algorithm Miller 2 n -tupling The evolution of Miller’s algorithm: state-of-the-art pairings Results Related Work Miller’s algorithm with no inversions Ideas: v ’s are in subfields so discard + projective coords Input: R , S and r = ( r ⌊ log ( r ) ⌋ , ..., r 0 ) 2 Output: f R ( S ) f ← 1, T ← R for i from ⌊ log ( r ) ⌋ − 1 to 0 do Compute g = l / v in the chord-and-tangent doubling of T 1 T ← [2] T 2 f ← f 2 · g ( S ) 3 if r i = 1 then 4 i. Compute g = l / v in the chord-and-tangent addition of T + R ii. T ← T + R iii. f ← f · g ( S ) end if return f ← f ( p k − 1) end for : Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  10. Introduction Motivation Pairings and Miller’s algorithm Miller 2 n -tupling The evolution of Miller’s algorithm: state-of-the-art pairings Results Related Work Miller’s algorithm with optimal loop length Idea: Minimize loop length + low Hamming-weight Input: R , S and m opt = ( m ⌊ log ( m opt ) ⌋ , ..., m 0 ) 2 Output: f R ( S ) f ← 1, T ← R for i from ⌊ log ( m opt ) ⌋ − 1 to 0 do Compute g = l in the chord-and-tangent doubling of T 1 T ← [2] T 2 f ← f 2 · g ( S ) 3 if r i = 1 then 4 i. Compute g = l in the chord-and-tangent addition of T + R ii. T ← T + R iii. f ← f · g ( S ) end if return f ← f ( p k − 1) end for : Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  11. Introduction Motivation Pairings and Miller’s algorithm Miller 2 n -tupling The evolution of Miller’s algorithm: state-of-the-art pairings Results Related Work The state-of-the-art Input: R , S and m opt = ( m ⌊ log ( m opt ) ⌋ , ..., m 0 ) 2 Output: f R ( S ) f ← 1, T ← R for i from ⌊ log ( m opt ) ⌋ − 1 to 0 do Compute g = l in the chord-and-tangent doubling of T 1 T ← [2] T 2 f ← f 2 · g ( S ) 3 return f ← f ( p k − 1) end for : Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  12. Introduction Motivation Pairings and Miller’s algorithm Miller 2 n -tupling The evolution of Miller’s algorithm: state-of-the-art pairings Results Related Work Tate vs. ate groups G 1 = E [ r ] ∩ ker ( π p − [1]) and G 2 = E [ r ] ∩ ker ( π p − [ p ]), i.e. G 1 ∈ E ( F p ) (base field) and G 2 ∈ E ( F p k ) (full ext. field) Use twisted curve E ′ ∼ 2 ∼ = E to define G ′ = G 2 but G ′ 2 ∈ E ( F p k / d ) (twisted subfield) Tate-like pairings 2nd argument S ∈ G ′ 1st argument: R ∈ G 1 2 Ate-like pairings 1st argument: R ∈ G ′ 2nd argument S ∈ G 1 2 Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  13. Introduction Motivation Miller 2 n -tupling Results Related Work What else can we do? Red stuff : Optimized or exhausted or given enough attention Input: R , S and m opt = ( m ⌊ log ( m opt ) ⌋ , ..., m 0 ) 2 Output: f R ( S ) f ← 1, T ← R for i from ⌊ log ( m opt ) ⌋ − 1 to 0 do Compute g = l in the chord-and-tangent doubling of T 1 T ← [2] T 2 f ← f 2 · g ( S ) 3 end for return f ← f ( p k − 1) Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  14. Introduction Motivation Miller 2 n -tupling Results Related Work A closer look at the Miller update step Complexity of operations i. f ← f 2 s k ii. Evaluate g at S 2 k / d · m 1 iii. f ← f · g m k ? i. f is a general element of F p k (can’t do much here) ii. Indeterminate g takes form g ( x , y ) = g x · x + g y · y + g 0 , and is evaluated as g ( S x , S y ) ate: g x , g y , g 0 ∈ F p k / d and S x , S y ∈ F p Tate: g x , g y , g 0 ∈ F p and S x , S y ∈ F p k / d iii. KEY: If degree of twist d = 4 or d = 6, then g ( S ) is not a general element of F p k / d (i.e. f · g is not a full extension field multiplication!) Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography

Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography

Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography and Information Security Graduate School of Systems and Information Engineering University of Tsukuba 1-1-1 Tennodai, Tsukuba Ibaraki, 305-8573,

896 views • 58 slides
Pairing Pairing is the process by which we condition ourselves, the teaching materials, and

Pairing Pairing is the process by which we condition ourselves, the teaching materials, and

Pairing & Manding Vincent J. Carbone Ed.D., BCBA-D NYS Licensed Behavior Analyst Carbone Clinic New York Boston Dubai www.CarboneClinic.com www.TheCarboneclinic.ae IESCUM Parma, Italy December 1,2 & 3, 2016 1 Pairing

622 views • 35 slides
Arithmetic for Computers October 31, 2008 Arithmetic for Computers ALU Arithmetic Logic Unit

Arithmetic for Computers October 31, 2008 Arithmetic for Computers ALU Arithmetic Logic Unit

Arithmetic for Computers October 31, 2008 Arithmetic for Computers ALU Arithmetic Logic Unit Performs most processor operations Control signal predicates addition subtraction logic operations shifting (w / or w / o sign extension) Figure:

205 views • 8 slides
Empiricism, Probability, and Knowledge of Arithmetic Sean Walsh Department of Logic and

Empiricism, Probability, and Knowledge of Arithmetic Sean Walsh Department of Logic and

I. Intro II. Avoiding Counting Assignments III. Avoiding Alignment IV. Summary + Questions Empiricism, Probability, and Knowledge of Arithmetic Sean Walsh Department of Logic and Philosophy of Science University of California, Irvine

396 views • 27 slides
Secure Device Pairing What is device pairing? What is

Secure Device Pairing What is device pairing? What is

Secure Device Pairing What is device pairing? What is device pairing? What is the problem? The wireless communica8on channel is rela8vely easy to

298 views • 9 slides
Part I: RELIC Diego F. Aranha Efficient Binary Field Arithmetic Numbers RELIC is an Efficient

Part I: RELIC Diego F. Aranha Efficient Binary Field Arithmetic Numbers RELIC is an Efficient

Efficient Binary Field Arithmetic and Applications to Curve-based Cryptography Diego F. Aranha Department of Computer Science University of Bras lia CHES 2012 Tutorial Diego F. Aranha Efficient Binary Field Arithmetic Part I: RELIC

738 views • 48 slides
Context This talk is about software for finite field arithmetic ( + . . . ; most

Context This talk is about software for finite field arithmetic ( + . . . ; most

The mp F q library and implementing curve-based key exchanges (yet another finite field library) Emmanuel Thom e, Pierrick Gaudry p. 1/21 Context This talk is about software for finite field arithmetic ( + . . . ; most

539 views • 25 slides
Algorithms for finite field arithmetic ric Schost (joint with Luca De Feo & Javad

Algorithms for finite field arithmetic ric Schost (joint with Luca De Feo & Javad

Algorithms for finite field arithmetic ric Schost (joint with Luca De Feo & Javad Doliskani) Western University University of Waterloo July 9, 2015 Basics 2 / 30 Finite fields Definition A finite field is a field (a set with

750 views • 45 slides
Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e

Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e

Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e Montpellier 2 Summer School ECC 2011 Nancy, September 12-16, 2011 Part 1 Modular and finite field arithmetic 1/40 2/40 Finite fields The

883 views • 49 slides
Finite field multiplication combining AMNS and DFT approach for Pairing Based Cryptography Nadia

Finite field multiplication combining AMNS and DFT approach for Pairing Based Cryptography Nadia

Finite field multiplication combining AMNS and DFT approach for Pairing Based Cryptography Nadia El Mrabet (1) and Christophe Negre (2) (1) Team Arith/LIRMM, Universit e Montpellier 2 (2) Team DALI/ELIAUS, Universit e de Perpignan

753 views • 49 slides
Maximal arithmetic hyperbolic lattices with fixed invariant trace field Jiming Ma Fudan

Maximal arithmetic hyperbolic lattices with fixed invariant trace field Jiming Ma Fudan

Distribution of primes Quaternion algebra Arithmetic hyperbolic 3-manifolds Maximal arithmetic hyperbolic 3-manifolds Maximal arithmetic hyperbolic lattices with fixed invariant trace field Jiming Ma Fudan University The Second China-Russia

961 views • 93 slides
Arithmetic of Extension Fields of Small Characteristics Recent Developments Abhijit Das

Arithmetic of Extension Fields of Small Characteristics Recent Developments Abhijit Das

Arithmetic of Extension Fields of Small Characteristics Recent Developments Abhijit Das Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Indo-US Workshop Indian Statistical Institute, Calcutta January

182 views • 17 slides
Full reduction at full throttle Extension to the Calculus of Inductive Constructions Gerco van

Full reduction at full throttle Extension to the Calculus of Inductive Constructions Gerco van

Full reduction at full throttle Extension to the Calculus of Inductive Constructions Gerco van Heerdt December 19, 2014 1 / 18 Symbolic CIC Term t , T , P ::= x | t 1 t 2 | v | C i ( t ) | case P t of ( C i ( x i ) t i )

225 views • 18 slides
Heavy-Duty Slides for Industrial applications: KA 3300 Full extension ball bearing slides Full

Heavy-Duty Slides for Industrial applications: KA 3300 Full extension ball bearing slides Full

Heavy-Duty Slides for Industrial applications: KA 3300 Full extension ball bearing slides Full extension ball bearing slide KA 3320 / Load capacity up to 500 lbs. (227 kg) 3/4" (19 mm) installation width Precision ball

433 views • 16 slides
T2Pair: Secure and Usable Pairing for Heterogeneous IoT Devices Xiaopeng Li, Qiang Zeng , Lannan

T2Pair: Secure and Usable Pairing for Heterogeneous IoT Devices Xiaopeng Li, Qiang Zeng , Lannan

T2Pair: Secure and Usable Pairing for Heterogeneous IoT Devices Xiaopeng Li, Qiang Zeng , Lannan Luo, Tongbo Luo CCS 2020 IoT Pairing Pairing is supposed to establish a secure communication channel IoT pairing is important for adding

345 views • 21 slides
GDR Terascale Avoiding the Goldstone Boson Catastrophe in general renormalisable field theories

GDR Terascale Avoiding the Goldstone Boson Catastrophe in general renormalisable field theories

GDR Terascale Avoiding the Goldstone Boson Catastrophe in general renormalisable field theories at two loops Johannes Braathen in collaboration with Dr. Mark Goodsell arXiv:1609.06977, to appear in JHEP Laboratoire de Physique Thorique et

792 views • 32 slides
Fields and model-theoretic classification, 2 Artem Chernikov UCLA Model Theory conference

Fields and model-theoretic classification, 2 Artem Chernikov UCLA Model Theory conference

Fields and model-theoretic classification, 2 Artem Chernikov UCLA Model Theory conference Stellenbosch, South Africa, Jan 11 2017 NIP Definition Let T be a complete first-order theory in a language L . 1. A (partitioned) formula ( x , y )

562 views • 25 slides
Normal Field Extensions Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech University,

Normal Field Extensions Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech University,

Characterizing Splitting Fields Normal Extensions Size of the Galois Group Normal Field Extensions Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech University, College of Engineering and Science Normal Field Extensions

1.69k views • 131 slides
Lecture One: Classical Galois Theory and Some Generalizations Lecture Two: Grothendieck

Lecture One: Classical Galois Theory and Some Generalizations Lecture Two: Grothendieck

Lecture One: Classical Galois Theory and Some Generalizations Lecture Two: Grothendieck Galois theory Lecture Three: Infinitary Galois theory Three Lectures on Galois Theory Jean-Jacques Szczeciniarz Jean-Jacques Szczeciniarz Three

802 views • 64 slides
New Directions for Web Applications Dave Raggett, Canon, TV Raman, IBM 1/11 Web Applications

New Directions for Web Applications Dave Raggett, Canon, TV Raman, IBM 1/11 Web Applications

Canon New Directions for Web Applications Dave Raggett, Canon, TV Raman, IBM 1/11 Web Applications Workshop, San Jose, June 2004 Canon Goals Break Web applications out of the browser! Freedom to build wider variety of applications

612 views • 18 slides
Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D.

Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D.

Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D. J. Bernstein Real-world cost measures: Pentium cycles, Athlon cycles, Thanks to: etc. for generating keys, signing, University of Illinois at

541 views • 35 slides
tr trssrs

tr trssrs

tr trssrs rs rst s r t

699 views • 21 slides
Construction of the Lindstr om valuation of an algebraic matroid Dustin Cartwright University

Construction of the Lindstr om valuation of an algebraic matroid Dustin Cartwright University

Construction of the Lindstr om valuation of an algebraic matroid Dustin Cartwright University of Tennessee, Knoxville August 3, 2017 Dustin Cartwright Construction of Lindstr om valuation Algebraic matroids Given K L = K ( x 1 , . .

468 views • 11 slides
Hardy Fields, Transseries, and Surreal Numbers Lou van den Dries University of Illinois at

Hardy Fields, Transseries, and Surreal Numbers Lou van den Dries University of Illinois at

Hardy Fields, Transseries, and Surreal Numbers Lou van den Dries University of Illinois at Urbana-Champaign PAULO RIBENBOIM DAY at IHP, March 20, 2018 PAULO RIBENBOIM DAY at IHP, March 20, 2018 1 Lou van den Dries Hardy Fields, Transseries,

517 views • 30 slides

More recommend