pairings implementation in the pari computer algebra
play

Pairings implementation in the PARI computer algebra system - PowerPoint PPT Presentation

Dec 31, 2022 •227 likes •739 views

Pairings implementation in the PARI computer algebra system (explained by a mere programmer) jerome.milan (at) lix.polytechnique.fr Outline 1 Motivations and context 2 Pairings over elliptic curves 3 Pairing computation 4 Implementation in PARI

  1. Pairings implementation in the PARI computer algebra system (explained by a mere programmer) jerome.milan (at) lix.polytechnique.fr

  2. Outline 1 Motivations and context 2 Pairings over elliptic curves 3 Pairing computation 4 Implementation in PARI 2 / 51

  3. Outline 1 Motivations and context 2 Pairings over elliptic curves 3 Pairing computation 4 Implementation in PARI 3 / 51

  4. Pairings at a glance Let G 1 and G 2 be two groups written additively Let G 3 be a group written multiplicatively A pairing e is a application from G 1 ˆ G 2 to G 3 1. e is bilinear, i.e. 1.1 @ A , X P G 1 , @ Y P G 2 , e p A ` X , Y q “ e p A , Y q ¨ e p X , Y q 1.2 @ X P G 1 , @ B , Y P G 2 , e p X , B ` Y q “ e p X , B q ¨ e p X , Y q 2. e is non-degenerated, i.e. 2.1 @ X P G 1 , D Y P G 2 | e p X , Y q ‰ 1 2.2 @ Y P G 1 , D X P G 1 | e p X , Y q ‰ 1 Only interesting pairings in cryptography are defined over groups on Jacobians of abelian varieties 4 / 51

  5. Pairings at a glance This presentation Ñ pairings on “standard” elliptic curves only Consider E p F q q and r | # E The embedding degree of E with respect to r ” smallest k such that r | q k ´ 1 Often, we will have G 1 Ď E p F q qr r s G 2 Ă E p F q k q G 3 Ă F ˚ q k 5 / 51

  6. A destructive application – the MOV reduction The mandatory historical example! Solve Elliptic Curve Discrete Log Problem Given P P E p F q q of order r and R P x P y , find a such that R “ r a s P Overview 1. k such that E r r s Ď E p F q k q (1 ď k ď 6 for supersingular curves) 2. Pick Q P E r r s 3. Compute e W p P , Q q and e W p R , Q q 4. Since e W p R , Q q “ e W p P , Q q a P F ˚ q k Ñ solve DLP in F ˚ q k A. Menezes, S. Vanstone, and T. Okamoto. Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theory, IT-39(5):1639-1646, 1993. 6 / 51

  7. A plethora of constructive applications Identity-based cryptosystems Certificate-less public-key infrastructures Key agreement protocols Short signatures . . . . . . Electronic cash! . . . . . . And about a new application each week... 7 / 51

  8. Outline 1 Motivations and context 2 Pairings over elliptic curves 3 Pairing computation 4 Implementation in PARI 8 / 51

  9. The Weil pairing Let f n , P be a function in F q k p E q with divisor x f n , P y “ n x P y ´ xr n s P y ´ p n ´ 1 qx O y In practice, f n , P computed iteratively in O p log p n qq steps Definition – The Weil pairing e W : E r r s ˆ E r r s Ñ µ r p´ 1 q r f r , P p Q q p P , Q q ÞÑ f r , Q p P q 9 / 51

  10. The Tate pairing Definition – The unreduced Tate pairing F ˚ q k {p F ˚ q k q r e T : E r r s ˆ E p F q k q{ rE p F q k q Ñ ˆ p P , Q q ÞÑ f r , P p Q q Defined up to a coset in p F ˚ q k q r . To obtain unique representative, raise to the p q k ´ 1 q{ r power. Definition – The reduced Tate pairing e T : E r r s ˆ E p F q k q{ rE p F q k q Ñ µ r qk ´ 1 p P , Q q ÞÑ f r , P p Q q r 10 / 51

  11. The ate pairing Let t be the trace of the Frobenius, # E p F q q “ q ` 1 ´ t Write T “ t ´ 1 Definition – The reduced ate pairing e a : E p F q qr r s ˆ E p F q k q{ rE p F q k q X Ker p π q ´ r q sq Ñ µ r qk ´ 1 p P , Q q ÞÑ f T , Q p P q r 11 / 51

  12. The twisted ate pairing Suppose E admits a twist of order d Write e “ k { gcd p k , d q Definition – The reduced twisted ate pairing e tw : E p F q qr r s ˆ E p F q k q{ rE p F q k q X Ker p π q ´ r q sq Ñ µ r qk ´ 1 p P , Q q ÞÑ f T e , P p Q q r 12 / 51

  13. Optimal pairings Optimal pairing Pairing computable with only log 2 p r q{ ϕ p k q iterations The idea i “ 0 λ i q i where the λ i are small Compute f mr , Q p P q with mr “ ř l and use Frobenius maps f x , r q i s Q “ f q i x , Q F. Vercauteren. Optimal Pairings. IEEE Transactions on Information Theory, 56:455461, january 2010. Florian Hess. Pairing Lattices. In Proceedings of the 2nd International Conference on Pairing-Based Cryptography, Pairing 08, pages 1838, 2008. 13 / 51

  14. Optimal ate pairings i “ 0 λ i q i with r ffl m Let mr “ ř l ˜ l ¸ p q k ´ 1 q{ r l ´ 1 l r s i ` 1 s Q , r λ i q i s Q p P q f q i ź ź p P , Q q ÞÑ λ i , Q p P q v r s i s Q p P q i “ 0 i “ 0 with s i “ ř l i “ i λ i q i defines a pairing Optimal only if needs „ log 2 p r q{ ϕ p k q iterations 14 / 51

  15. Optimal ate pairings Since Φ k p p q ” 0 (mod r ) consider only q i with i ă ϕ p k q ¨ r 0 0 ¨ ¨ ¨ 0 ˛ ´ q 1 0 ¨ ¨ ¨ 0 ˚ ‹ ˚ ‹ ´ q 2 0 1 ¨ ¨ ¨ 0 ˚ ‹ L ate “ ˚ ‹ . . . ... ˚ ‹ . . . ˚ . . . 0 ‹ ˝ ‚ ´ q ϕ p k q´ 1 ¨ ¨ ¨ 0 0 1 Find short vector Λ “ r λ 0 , λ 1 , ¨ ¨ ¨ , λ l s using LLL Example – Barreto-Naehrig curve, k=12 36 x 4 ` 36 x 3 ` 24 x 2 ` 6 x ` 1 p p x q “ 36 x 4 ` 36 x 3 ` 18 x 2 ` 6 x ` 1 r p x q “ 6 x 2 ` 1 t p x q “ Λ “ r 6 x ` 2 , 1 , ´ 1 , 1 s gives the optimal pairing f 6 x ` 2 , Q ¨ l r p 3 s Q , r´ p 2 s Q ¨ l r p 3 ´ p 2 s Q , r p s Q ¨ l r p ´ p 2 ` p 3 s Q , r 6 x ` 2 s Q 15 / 51

  16. Optimal twisted ate pairings Same as optimal ate but consider mr “ ř l i “ 0 λ i T ei Since Φ k p q q ” 0 mod r and T ” q mod r then Φ k { e p T e q ” 0 mod r Consider only q i with i ă ϕ p d q . ˜ ¸ r 0 L tw “ ´ T e 1 Compute short vector r a , b s from LLL such that a ` bT e ” 0 (mod r ) Obtain the (unreduced) pairing f a , P p Q q ¨ f p e b , P p Q q ¨ v r a s P p Q q Example – Barreto-Naehrig curves, k=12 r a , b s “ r 2 x ` 1 , 6 x 2 ` 2 x s Yields the following unreduced pairing f 2 x ` 1 , P p Q q ¨ f p 2 6 x 2 ` 2 x , P p Q q 16 / 51

  17. Outline 1 Motivations and context 2 Pairings over elliptic curves 3 Pairing computation 4 Implementation in PARI 17 / 51

  18. Computing a pairing Most pairings require two steps 1. Computing f x , P p Q q or f x , Q p P q – The Miller part 2. Raising result to p q k ´ 1 q{ r – The final exponentiation Exception: the Weil pairing 1. Computing f x , P p Q q (Miller light) 2. Computing f x , Q p P q (Full Miller) 18 / 51

  19. Computing f x , P p Q q or f x , Q p P q – The Miller algorithm Based on following relations: f n ` 1 , P “ f n , P ¨ l P , r n s P { v r n ` 1 s P f m ` n , P “ f m , P ¨ f n , P ¨ l r n s P , r m s P { v r m ` n s P f ´ n , P “ 1 { f n , P ¨ v r n s P l A , B ≡ Y − λ ( X − x A ) − y A B A v A + B ≡ X − x A With f 1 , P “ 1 and v O “ 1 19 / 51

  20. Standard Miller algorithm with NAF Data : P ‰ O , Q , two suitable points on an elliptic curve E over a field, i “ 0 x i 2 i with x i P t´ 1 , 0 , 1 u and x n ‰ 0 x “ ř n Result : f x , P p Q q R Ð P , f Ð 1, g Ð 1 for i Ð n ´ 1 downto 0 do f Ð f 2 ¨ l R , R p Q q R Ð R ` R g Ð g 2 ¨ v R p Q q if x i “ 1 then f Ð f ¨ l R , P p Q q R Ð R ` P g Ð g ¨ v R p Q q if x i “ ´ 1 then f Ð f ¨ l R , ´ P p Q q R Ð R ´ P g Ð g ¨ v R p Q q ¨ v P p Q q return f { g 20 / 51

  21. Standard Miller algorithm with NAF Data : P ‰ O , Q , two suitable points on an elliptic curve E over a field, i “ 0 x i 2 i with x i P t´ 1 , 0 , 1 u and x n ‰ 0 x “ ř n Result : f x , P p Q q R Ð P , f Ð 1, g Ð 1 for i Ð n ´ 1 downto 0 do f Ð f 2 ¨ l R , R p Q q R Ð R ` R g Ð g 2 ¨ v R p Q q if x i “ 1 then f Ð f ¨ l R , P p Q q R Ð R ` P g Ð g ¨ v R p Q q if x i “ ´ 1 then f Ð f ¨ l R , ´ P p Q q R Ð R ´ P g Ð g ¨ v R p Q q ¨ v P p Q q Denominator elimination if k even return f /g 21 / 51

  22. Boxall et al.’s Miller variant A variant based on the relation 1 f m ` n , P “ f ´ m , P ¨ f ´ n , P ¨ l r´ m s P , r´ n s P instead of the usual f m ` n , P “ f m , P ¨ f n , P ¨ l r n s P , r m s P { v r m ` n s P Ñ 3 terms involved instead of 4 Leads to a more complex algorithm 30 to 40% faster for odd k , not interesting for even k J. Boxall, N. El Mrabet, F. Laguillaumie, and D-P. Le. A Variant of Miller’s Formula and Algorithm. LNCS volume 6487, 2010 22 / 51

  23. Boxall et al.’s Miller variant 1 f 7 “ f ´ 6 ¨ f ´ 1 ¨ l ´ 1 , ´ 6 1 f ´ 6 “ f 3 ¨ f 3 ¨ l 3 , 3 1 f 3 “ f ´ 2 ¨ f ´ 1 ¨ l ´ 1 , ´ 2 1 f ´ 2 “ f 1 ¨ f 1 ¨ l 1 , 1 And since f 1 “ 1 l 3 , 3 ¨ l 2 1 , 1 f 7 “ f 2 ´ 1 ¨ l 2 ´ 1 , ´ 2 ¨ l ´ 1 , ´ 6 No verticals explicitly evaluated (except f ´ 1 ) 23 / 51

  24. Boxall et al.’s Miller variant – Algorithm Data : P ‰ O , Q , two suitable points on an elliptic curve E over a field, i “ 0 x i 2 i with x i P t 0 , 1 u and x n “ 1 x “ ř n Result : f x , P p Q q R Ð P , f Ð 1, g Ð 1, δ Ð 0 if n ` h is even then δ Ð 1; g Ð f ´ 1 , P p Q q for i Ð n ´ 1 downto 0 do if δ “ 0 then f Ð f 2 ¨ l R , R p Q q ; g Ð g 2 R Ð R ` R ; δ Ð 1 if x i “ 1 then g Ð g ¨ l ´ R , ´ P ¨ f ´ 1 R Ð R ` P , δ Ð 0 else g Ð g 2 ¨ l ´ R , ´ R p Q q ; f Ð f 2 R Ð R ` R ; δ Ð 0 if x i “ 1 then f Ð f ¨ l R , P , R Ð R ` P , δ Ð 1 return f { g 24 / 51

  25. Final exponentiation Let i be the smallest integer greater than 1 dividing p p k ´ 1 p k ´ 1 p p k { i ´ 1 q . Φ k p p q ¨ Φ k p p q p p k { i ´ 1 q ¨ “ r r “ easy 1 ¨ easy 2 ¨ hard k easy 1 easy 2 Degree Φ k 11 p ´ 1 1 10 p 6 ´ 1 p 2 ` 1 12 4 p 5 ´ 1 p 2 ` p ` 1 15 8 17 p ´ 1 1 16 p 9 ´ 1 p 3 ` 1 18 6 19 p ´ 1 1 18 p 12 ´ 1 p 4 ` 1 24 8 p 5 ´ 1 25 1 20 p 13 ´ 1 26 p ` 1 12 p 9 ´ 1 27 1 18 25 / 51

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Software implementation of pairings Diego de Freitas Aranha September 21, 2011 Department of

Software implementation of pairings Diego de Freitas Aranha September 21, 2011 Department of

Software implementation of pairings Diego de Freitas Aranha September 21, 2011 Department of Computer Science University of Bras lia Joint work with K. Karabina, P. Longa, C. Gebotys, J. L opez, D. Hankerson, A. Menezes, E. Knapp, F.

759 views • 41 slides
CIRM - Luminy, 2 - 6 March 2020 Francophone Computer Algebra Days On the generators of 2 -class

CIRM - Luminy, 2 - 6 March 2020 Francophone Computer Algebra Days On the generators of 2 -class

CIRM - Luminy, 2 - 6 March 2020 Francophone Computer Algebra Days On the generators of 2 -class group of some number fields illustrated by PARI/GP Mohammed TAOUS Moulay Ismal university of Meknes Faculty of Sciences and Technology Errachidia.

959 views • 61 slides
Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First

Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First

Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things Efficient algorithms Suitable elliptic curves We have got both! (Maybe not quite

509 views • 47 slides
Faster Implementation of Pairings Francisco Rodr guez-Henr quez CINVESTAV, IPN, Mexico

Faster Implementation of Pairings Francisco Rodr guez-Henr quez CINVESTAV, IPN, Mexico

ECC 2010 Redmond, USA Faster Implementation of Pairings Francisco Rodr guez-Henr quez CINVESTAV, IPN, Mexico City, Mexico Joint work with: Jean-Luc Beuchat LCIS, University of Tsukuba, Japan enaire, LIP, Nicolas Brisebarre

1.6k views • 145 slides
A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview

A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview

Bordeaux November 22, 2016 A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview pairings 0 / 37 Plan of the lecture Pairings Pairing-friendly curves Progress of NFS attacks

744 views • 72 slides
In Pari Delicto Doctrine in Bankruptcy In Pari Delicto Doctrine in Bankruptcy Litigation:

In Pari Delicto Doctrine in Bankruptcy In Pari Delicto Doctrine in Bankruptcy Litigation:

Presenting a live 90 minute webinar with interactive Q&A In Pari Delicto Doctrine in Bankruptcy In Pari Delicto Doctrine in Bankruptcy Litigation: Anticipating or Raising the Defense Strategies for Trustee and Creditors' Committee Lawsuits

748 views • 21 slides
Haskell Computer Algebra System Rob Tougher December 15, 2007 Rob Tougher Haskell Computer

Haskell Computer Algebra System Rob Tougher December 15, 2007 Rob Tougher Haskell Computer

Haskell Computer Algebra System Rob Tougher December 15, 2007 Rob Tougher Haskell Computer Algebra System Outline Tutorial Implementation Looking Back Rob Tougher Haskell Computer Algebra System Tutorial: Language Summary HCAS

591 views • 35 slides
. 1 / 151 Computer Algebra Basic Information Working defjnition of Computer Algebra:

. 1 / 151 Computer Algebra Basic Information Working defjnition of Computer Algebra:

. 1 / 151 Computer Algebra Basic Information Working defjnition of Computer Algebra: Algorithms, techniques and tools to assist with mathematical work (not just numerical). Syllabus lecture log for details). 2. Basic Structures and

1.65k views • 151 slides
Formally Specified Computer Algebra Software - DK10 Muhammad Taimoor Khan Supervisor: Prof.

Formally Specified Computer Algebra Software - DK10 Muhammad Taimoor Khan Supervisor: Prof.

Project Goals Initial Activities A Computer Algebra Type System Implementation of the Type Checker Current and Future Activities Formally Specified Computer Algebra Software - DK10 Muhammad Taimoor Khan Supervisor: Prof. Wolfgang Schreiner

662 views • 28 slides
Representation theory of the two-boundary Temperley-Lieb algebra Zajj Daugherty (Joint work in

Representation theory of the two-boundary Temperley-Lieb algebra Zajj Daugherty (Joint work in

Representation theory of the two-boundary Temperley-Lieb algebra Zajj Daugherty (Joint work in progress with Arun Ram) September 10, 2014 Temperley-Lieb algebras The Temperley-Lieb algebra TL k ( q ) is the algebra of non-crossing pairings on 2

1.12k views • 78 slides
Relational Algebra Lecture 7 1 Outline Relational Algebra (Section 6.1) 2 Relational

Relational Algebra Lecture 7 1 Outline Relational Algebra (Section 6.1) 2 Relational

Relational Algebra Lecture 7 1 Outline Relational Algebra (Section 6.1) 2 Relational Algebra Formalism for creating new relations from existing ones Its place in the big picture: Declarative query Algebra Implementation

332 views • 16 slides
Relational Algebra Lecture 7 1 Outline Relational Algebra (Section 6.1) 2 1 Relational

Relational Algebra Lecture 7 1 Outline Relational Algebra (Section 6.1) 2 1 Relational

Relational Algebra Lecture 7 1 Outline Relational Algebra (Section 6.1) 2 1 Relational Algebra Formalism for creating new relations from existing ones Its place in the big picture: Declarative query Algebra Implementation

327 views • 14 slides
Implement all the pairings in software! CARAMBA Seminar Diego F. Aranha Department of

Implement all the pairings in software! CARAMBA Seminar Diego F. Aranha Department of

Implement all the pairings in software! CARAMBA Seminar Diego F. Aranha Department of Engineering Aarhus University Bilinear pairings 1 Bilinear pairings e ( P + R , Q ) = e ( P , Q ) e ( R , Q ) and e ( P , Q + S ) = e ( P , Q ) e (

1.52k views • 55 slides
Pairings are not dead, just resting ECC 2017 Diego F. Aranha December 8, 2018 Institute of

Pairings are not dead, just resting ECC 2017 Diego F. Aranha December 8, 2018 Institute of

Pairings are not dead, just resting ECC 2017 Diego F. Aranha December 8, 2018 Institute of Computing University of Campinas Bilinear pairings 1 Bilinear pairings e ( P + R , Q ) = e ( P , Q ) e ( R , Q ) and e ( P , Q + S ) = e ( P , Q

1.02k views • 58 slides
Overview of Computer Algebra http://cocoa.dima.unige.it/ J. Abbott Universitt Kassel J.

Overview of Computer Algebra http://cocoa.dima.unige.it/ J. Abbott Universitt Kassel J.

Overview of Computer Algebra http://cocoa.dima.unige.it/ J. Abbott Universitt Kassel J. Abbott Computer Algebra Basics Manchester, July 2018 1 / 12 Intro Characteristics of Computer Algebra or Symbolic Computation exact arithmetic

170 views • 12 slides
Computer algebra algorithms for solving polynomial systems, sofware and applications Thibaut

Computer algebra algorithms for solving polynomial systems, sofware and applications Thibaut

Computer algebra algorithms for solving polynomial systems, sofware and applications Thibaut Verron Johannes Kepler University, Institute for Algebra, Linz, Austria 1 Non-linear modelization and computer algebra Applications Robotics

822 views • 38 slides
Wordnet Ontology as a Wordnet Ontology as a Geographical Information Geographical Information

Wordnet Ontology as a Wordnet Ontology as a Geographical Information Geographical Information

Wordnet Ontology as a Wordnet Ontology as a Geographical Information Geographical Information Resource Resource Davide Buscaldi, Davide Buscaldi, Dpto. Sistemas Informticos y Dpto. Sistemas Informticos y (DSIC) Computacin (DSIC)

311 views • 18 slides
Constantine believed that the Roman Empire had The

Constantine believed that the Roman Empire had The

World Religions and the History of Christianity: Eastern Orthodox Constantine believed that the Roman Empire had The Byzantine Empire (the Eastern Roman Empire) become

463 views • 10 slides
Analytical data bases Database lectures for mathematics students Zbigniew Jurkiewicz, Institute

Analytical data bases Database lectures for mathematics students Zbigniew Jurkiewicz, Institute

Analytical data bases Database lectures for mathematics students Zbigniew Jurkiewicz, Institute of Informatics UW May 14, 2017 Analytical data bases Database lectures for mathematics Zbigniew Jurkiewicz, Institute of Informatics UW Decision

749 views • 56 slides
Simulation of Computer Networks Holger Fler Lehrstuhl fr Praktische Informatik IV,

Simulation of Computer Networks Holger Fler Lehrstuhl fr Praktische Informatik IV,

Simulation of Computer Networks Holger Fler Lehrstuhl fr Praktische Informatik IV, University of Mannheim Holger Fler Simulation of Computer Networks Universitt Mannheim, WS 2005/2005 Vorbemerkungen Lehrstuhl fr Praktische

691 views • 35 slides
The Greatest Life Ever Lived December 25, 2012 The Greatest Life Ever Lived Nearly two

The Greatest Life Ever Lived December 25, 2012 The Greatest Life Ever Lived Nearly two

The Greatest Life Ever Lived December 25, 2012 The Greatest Life Ever Lived Nearly two thousand years ago in an obscure village, a child was born of a peasant woman. He grew up in another village (called Nazareth) where He worked as a

319 views • 31 slides
Revelation 13 The Beast and the Number 666 Becoming Closer The Beast from the Sea (Rev 13:1-2

Revelation 13 The Beast and the Number 666 Becoming Closer The Beast from the Sea (Rev 13:1-2

Revelation 13 The Beast and the Number 666 Becoming Closer The Beast from the Sea (Rev 13:1-2 NIV) And the dragon stood on the shore of the sea. And I saw a beast coming out of the sea. He had ten horns and seven heads, with ten crowns on

259 views • 15 slides
Adapting the Dynamic Model to historical linguistics Case studies on the Middle English and

Adapting the Dynamic Model to historical linguistics Case studies on the Middle English and

Adapting the Dynamic Model to historical linguistics Case studies on the Middle English and Anglo-Norman contact situation Michael Percillier 1 ICEHL XX, Edinburgh, 30 August 2018 1 Introduction NB: Handout available at

1.06k views • 34 slides
Bertrand Russells Theory of Descriptions FREGES BASIC LAW 5 For any concepts, F and G , the

Bertrand Russells Theory of Descriptions FREGES BASIC LAW 5 For any concepts, F and G , the

Bertrand Russells Theory of Descriptions FREGES BASIC LAW 5 For any concepts, F and G , the extension of F is identical to the extension of G if and only if for every object a , Fa if and only if Ga . A CONSEQUENCE/PRESUPPOSITION Every

517 views • 26 slides

More recommend