Pairings on Elliptic Curves II - Fré Vercauteren, ESAT/COSIC - K.U. Leuven - PowerPoint PPT Presentation



SLIDE 1

Choosing G1 and G2 Ate Pairing Optimal Pairing

Pairings on Elliptic Curves II

Fré Vercauteren, ESAT/COSIC - K.U. Leuven - Belgium, ECC Summer School - 2011

Fré Vercauteren ESAT/COSIC - K.U. Leuven - Belgium Pairings on Elliptic Curves II

SLIDE 2

Outline

◮ Choosing G1 and G2
◮ Ate Pairing
◮ Optimal Pairing

SLIDE 3

Elliptic curves

◮ Base field $\mathbb{F}_q$ with $q = p^m$.
◮ $E$ elliptic curve defined over $\mathbb{F}_q$ (short Weierstrass).
◮ Point sets $E(\mathbb{F}_{q^n})$ are abelian groups.
◮ $E(\mathbb{F}_{q^n})[r]$ subgroup of points of order $r$.
◮ Point at infinity $\infty \in E(\mathbb{F}_q)$ is the neutral element.
◮ Assume
  ◮ there exists a subgroup $E(\mathbb{F}_q)[r]$ of large prime order $r \neq q$.
  ◮ the embedding degree is $k$, that is $r \mid (q^k - 1)$ and $k$ minimal.
◮ If $k > 1$, then $E(\mathbb{F}_{q^k})[r] \cong \mathbb{Z}/r\mathbb{Z} \times \mathbb{Z}/r\mathbb{Z}$ and $\mu_r \subseteq \mathbb{F}_{q^k}^\times$.

SLIDE 4

r-torsion and Frobenius

◮ Denote by $\pi_q$ the Frobenius endomorphism $(x, y) \mapsto (x^q, y^q)$.
◮ $[m]$ the multiplication-by-$m$ endomorphism.
◮ $\mathbb{Z}[\pi_q] \subseteq \mathrm{End}(E)$, $\pi_q^2 - [t]\pi_q + q = 0$, $|t| \leq 2\sqrt{q}$.
◮ Since $r \mid \#E(\mathbb{F}_q)$, $\pi_q$ has eigenvalues $1$ and $q$ on $E[r]$.
◮ Embedding degree $k$ is precisely such that the $q$-eigenspace of $\pi_q$ is $\mathbb{F}_{q^k}$-rational.

  $G_1 = E[r] \cap \mathrm{Ker}(\pi_q - [1])$,   $G_2 = E[r] \cap \mathrm{Ker}(\pi_q - [q])$

◮ If $k > 1$, then $q \not\equiv 1 \bmod r$ and thus $E[r] = E(\mathbb{F}_{q^k})[r]$.
◮ For $k = 1$, either $E[r]$ is $\mathbb{F}_q$-rational or $\mathbb{F}_{q^r}$-rational.

SLIDE 5

Representing G2: ordinary curves

◮ Let $E$ and $E'$ be ordinary elliptic curves defined over $\mathbb{F}_q$.
◮ We call $E'$ a twist of $E$ of degree $d$ if there is an isomorphism $\psi : E' \to E$ defined over $\mathbb{F}_{q^d}$, and $d$ is minimal.
◮ A twisting isomorphism $\psi$ defines
  ◮ a vector space isomorphism $E'(\mathbb{F}_{q^d})[r] \to E(\mathbb{F}_{q^d})[r]$.
  ◮ an automorphism of $E$: $\psi^\sigma \circ \psi^{-1}$, where $\psi^\sigma$ is $\psi$ with coefficients raised to the $q$-th power.
◮ So for $p \geq 5$, only $d = 2, 3, 4, 6$ are possible (for $p \geq 5$ the automorphism group of $E$ has order 2, 4 or 6).

SLIDE 6

Representing G2: ordinary curves

◮ For $p \geq 5$, the set of twists of $E$ is isomorphic with $\mathbb{F}_q^* / (\mathbb{F}_q^*)^d$ with $d = 2$ if $j(E) \neq 0, 1728$, $d = 4$ if $j(E) = 1728$ and $d = 6$ if $j(E) = 0$.
◮ Let $D \in \mathbb{F}_q^*$, then the twists corresponding to $D \bmod (\mathbb{F}_q^*)^d$ are given by

  $d = 2$:     $y^2 = x^3 + (a/D^2)\,x + b/D^3$,     $(x, y) \mapsto (Dx,\ D^{3/2} y)$
  $d = 4$:     $y^2 = x^3 + (a/D)\,x$,     $(x, y) \mapsto (D^{1/2} x,\ D^{3/4} y)$
  $d = 3, 6$:  $y^2 = x^3 + b/D$,     $(x, y) \mapsto (D^{1/3} x,\ D^{1/2} y)$

SLIDE 7

Representing G2: ordinary curves

◮ Let $E$ have a twist of degree $d$ and assume $d \mid k$.
◮ Let $e = k/d$, then a degree $d$ twist $E'$ over $\mathbb{F}_{q^e}$ exists with $r \mid \#E'(\mathbb{F}_{q^e})$.
◮ Let $G_2'$ be the unique subgroup of order $r$ of $E'(\mathbb{F}_{q^e})$ and denote by $\phi_d : E' \to E$ the twisting isomorphism, then $G_2 = \phi_d(G_2')$.
◮ Conclusion: obtain a pairing on $G_1 \times G_2'$.

SLIDE 8

Representing G2: use of twists

◮ Denominator elimination:
  ◮ For $k > 1$ even, have a quadratic twist of $E$ over $\mathbb{F}_{q^{k/2}}$.
  ◮ Note that for $k$ even, if the twisting isomorphism maps the $x$-coordinate into $\mathbb{F}_{q^{k/2}}$ then denominator elimination applies.
◮ Faster pairing on $G_2 \times G_1$
  ◮ Miller's algorithm corresponds to computing $rQ$ with $Q \in G_2$.
  ◮ Can instead compute $rQ'$ with $Q' \in G_2'$ and then use the twisting isomorphism.

SLIDE 9

Outline

◮ Choosing G1 and G2
◮ Ate Pairing
◮ Optimal Pairing

SLIDE 10

Ate pairing on G2 × G1

◮ Let $T \equiv q \bmod r$, $Q \in G_2$ and $P \in G_1$.
◮ ate pairing: $f_{T,Q}(P)$ defines a bilinear pairing on $G_2 \times G_1$.
◮ Let $N = \gcd(T^k - 1, q^k - 1)$ and $T^k - 1 = LN$, with $k$ the embedding degree, then
  $t_r(Q, P)^L = f_{T,Q}(P)^{c\,(q^k - 1)/N}$ where $c = \sum_{i=0}^{k-1} T^{k-1-i} q^i \equiv k q^{k-1} \bmod r$.
◮ For $r \nmid L$, the ate pairing is non-degenerate.

SLIDE 11

Ate pairing: proof sketch

◮ Step 1: prove that $t_r(Q, P)^L = f_{T^k,Q}(P)^{(q^k - 1)/N}$ by considering
  $t_r(Q, P)^L = f_{N,Q}(P)^{L (q^k - 1)/N} = f_{LN,Q}(P)^{(q^k - 1)/N} = f_{T^k - 1,Q}(P)^{(q^k - 1)/N}$
◮ Step 2: prove that (exercise)
  $f_{T^k,Q} = f_{T,Q}^{T^{k-1}} \cdot f_{T,[T]Q}^{T^{k-2}} \cdots f_{T,[T^{k-1}]Q}$

SLIDE 12

Ate pairing: proof sketch

◮ By definition of $G_1$ and $G_2$ we have
  $\forall P \in G_1 : \pi_q(P) = P$ and $\forall Q \in G_2 : \pi_q(Q) = [q]Q$
◮ So for $Q \in G_2$ we have $[T]Q = \pi_q(Q)$, since $q \equiv T \bmod r$.
◮ Replacing $[T^i]Q$ by $\pi_q^i(Q)$ and using that the curve and $P$ are defined over $\mathbb{F}_q$, we get
  $f_{T,[T^i]Q}(P) = f_{T,\pi_q^i(Q)}(P) = f_{T,Q}(P)^{q^i}$
◮ Substituting in the expression for $f_{T^k,Q}(P)$ finishes the proof.

SLIDE 13

Ate pairing on G2 × G1

◮ Advantage: $T$ can be smaller than $r$, so a shorter loop.
◮ Disadvantage: first input point defined over the big field $\mathbb{F}_{q^k}$, but can use twists.
◮ Same proof holds for all $T \equiv q^i \bmod r$.
◮ Recall that $r \mid \Phi_k(q)$, so $r \mid \Phi_k(T)$.
◮ So the smallest $T$ is roughly of size $r^{1/\varphi(k)}$.
◮ Bound is attained for some families of pairing-friendly curves, but not in general.

SLIDE 14

Extreme ate

◮ Curves with $t = -1$ give the shortest loop in Miller's algorithm (since $q \equiv t - 1 \bmod r$, the ate loop parameter is $T = -2$).
◮ Let $E : y^2 = x^3 + 4$ over $\mathbb{F}_p$ with $p = 41761713112311845269$, then $t = -1$, $r = 715827883$, $k = 31$ and $D = -3$.
◮ Let $y - \lambda(Q) x - \nu(Q)$ with $\lambda = 3x_Q^2 / (2y_Q)$ and $\nu = (-x_Q^3 + 8)/(2y_Q)$ be the tangent at $Q$.
◮ The function
  $(Q, P) \mapsto \left( y_P - \lambda(Q)\, x_P - \nu(Q) \right)^{(q^k - 1)/r}$
  defines a non-degenerate pairing on $G_2 \times G_1$.
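An added check (not code from the slides) of the extreme-ate parameters quoted above and of the $r^{1/\varphi(k)}$ loop bound from the previous slide: it verifies $r \mid \#E(\mathbb{F}_p) = p + 1 - t$, recovers $k = 31$, picks the non-degenerate $T \equiv q^i \bmod r$ with the shortest Miller loop, and compares loop lengths. Only the values on slide 14 are assumed; the pairing itself (which needs $\mathbb{F}_{p^{31}}$ arithmetic) is not computed, and all function names are mine.

```python
from math import gcd

# Constructed check, not the slides' code: parameters of the extreme-ate curve
# E: y^2 = x^3 + 4 over F_p quoted on slide 14 (trace t = -1, so #E(F_p) = p + 2).
P_EXTREME, R_EXTREME, TRACE_EXTREME = 41761713112311845269, 715827883, -1

def embedding_degree(q, r):
    """Smallest k >= 1 with r | q^k - 1, i.e. the order of q in (Z/rZ)^*."""
    k, acc = 1, q % r
    while acc != 1:
        acc, k = acc * q % r, k + 1
    return k

def totient(n):
    """Euler phi(n) by trial division (n is tiny here)."""
    result, m, f = n, n, 2
    while f * f <= m:
        if m % f == 0:
            result -= result // f
            while m % f == 0:
                m //= f
        f += 1
    return result - result // m if m > 1 else result

def centered(a, r):
    """Representative of a mod r in (-r/2, r/2]."""
    a %= r
    return a - r if a > r // 2 else a

def ate_is_nondegenerate(T, q, r, k):
    """Slide 10: N = gcd(T^k - 1, q^k - 1), T^k - 1 = L*N; non-degenerate iff r does not
    divide L. Rejects T = -1 (k even, i = k/2), where T^k - 1 = 0 and the pairing is trivial."""
    tk1 = T**k - 1
    L = tk1 // gcd(tk1, q**k - 1)
    return L % r != 0

def ate_loop_parameter(q, r, k):
    """Slide 13: every T = q^i mod r (i = 1..k-1) yields an ate pairing, so take
    the non-degenerate one with the shortest Miller loop; returns (T, i)."""
    cands = [(centered(pow(q, i, r), r), i) for i in range(1, k)]
    good = [c for c in cands if ate_is_nondegenerate(c[0], q, r, k)]
    return min(good, key=lambda c: abs(c[0]))

def extreme_ate_summary(p=P_EXTREME, r=R_EXTREME, t=TRACE_EXTREME):
    """Check r | #E(F_p) = p + 1 - t, then compare the Tate loop (over r) with the
    ate loop (over T) and the r^(1/phi(k)) bound of slide 13."""
    assert (p + 1 - t) % r == 0, "r must divide the group order"
    k = embedding_degree(p, r)
    T, i = ate_loop_parameter(p, r, k)
    return {"k": k, "T": T, "i": i, "tate_bits": r.bit_length(),
            "ate_bits": abs(T).bit_length(), "bound": r ** (1 / totient(k))}
```

For these parameters the Tate loop runs over the 30-bit $r$ while the ate loop runs over $T = -2$, and $r^{1/30} \approx 1.97$, so the bound of slide 13 is essentially attained.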

SLIDE 15

Outline

◮ Choosing G1 and G2
◮ Ate Pairing
◮ Optimal Pairing

SLIDE 16

Creating “new” pairings

◮ Given cyclic groups $G_1, G_2, G_T$, a pairing $e$ is completely determined by $(P, Q, z)$ with $e(P, Q) = z$ and $G_1 = \langle P \rangle$, $G_2 = \langle Q \rangle$.
◮ Any other non-degenerate bilinear pairing is a fixed power of one given pairing.
◮ Conclusion: on given prime order groups, all pairings can be obtained as powers of Tate.
◮ However: they could be more efficient to compute than Tate.

SLIDE 17

Creating “new” pairings

◮ Let $E$ be an elliptic curve over $\mathbb{F}_q$ and let $r \mid \#E(\mathbb{F}_q)$, with $\gcd(r, q) = 1$ and embedding degree $k$.
◮ Let $\lambda = Cr$ be a multiple of $r$, then the following map
  $a_\lambda : E(\mathbb{F}_{q^k})[r] \times E(\mathbb{F}_{q^k}) / rE(\mathbb{F}_{q^k}) \to \mu_r \subset \mathbb{F}_{q^k}^*$ :
  $(P, Q) \mapsto a_\lambda(P, Q) = f_{\lambda,P}(Q)^{(q^k - 1)/r}$,
  with $f_{\lambda,P}$ normalized, defines a bilinear pairing which is non-degenerate if and only if $\gcd(r, C) = 1$.

SLIDE 18

Creating “new” pairings

◮ Taking divisors of both sides, one can verify the formula
  $f_{ab,P} = f_{a,P}^{\,b} \cdot f_{b,[a]P}$
◮ Can take $f_{\lambda,P}$ as $f_{\lambda,P} = f_{Cr,P} = f_{r,P}^{\,C} \cdot f_{C,[r]P}$.
◮ Since $[r]P = \infty$, we have $f_{C,[r]P} = 1$.
◮ Take the $C$-th power of the reduced Tate pairing:
  $t_r(P, Q)^C = f_{r,P}(Q)^{C (q^k - 1)/r} = a_\lambda(P, Q)$
◮ Furthermore, since $t_r$ has order $r$ and is non-degenerate, we conclude that $a_\lambda$ is non-degenerate if and only if $\gcd(r, C) = 1$.

SLIDE 19

Ate pairing on ordinary elliptic curves

◮ Optimal pairing: if the pairing can be computed using $\log_2 r / \varphi(k)$ Miller iterations.
◮ Does not imply that the pairing has to be of the form $f_{S,Q}(P)$.
◮ For some families of elliptic curves, ate is already optimal.
◮ Main idea: products and fractions of pairings are also pairings.

SLIDE 20

Ate pairing on ordinary elliptic curves

◮ Consider $\lambda = Cr = \sum_{i=0}^{l} c_i q^i$, then $f_{\lambda,Q}^{(q^k - 1)/r}$ defines a bilinear pairing.
◮ Expand $f_{\lambda,Q}$ and divide out the ate pairings $a_{q^i}$:
  $a_{[c_0, \ldots, c_l]} : G_2 \times G_1 \to \mu_r : (Q, P) \mapsto \left( \prod_{i=0}^{l} f_{c_i,Q}(P)^{q^i} \cdot \prod_{i=0}^{l-1} \frac{l_{[s_{i+1}]Q,\,[c_i q^i]Q}(P)}{v_{[s_i]Q}(P)} \right)^{(q^k - 1)/r}$
  with $s_i = \sum_{j=i}^{l} c_j q^j$ defines a bilinear pairing.
◮ If
  $C k q^{k-1} \not\equiv \left( (q^k - 1)/r \right) \cdot \sum_{i=0}^{l} i\, c_i q^{i-1} \bmod r$
  then the pairing is non-degenerate.

SLIDE 21

If it looks too good to be true, . . .

◮ $r \mid \Phi_k(q)$, so one could try $\lambda = \Phi_k(q)$; then the $c_i$ are tiny and the pairing $a_{[c_0, \ldots, c_l]}$ extremely efficient.
◮ But: the pairing will be degenerate! (With $q^k - 1 = \Psi(q)\Phi_k(q)$, differentiating gives $k q^{k-1} \equiv \Psi(q)\Phi_k'(q) \bmod \Phi_k(q)$, so the non-degeneracy condition of the previous slide fails identically.)
◮ Could only consider $\lambda$ of the form
  $\lambda = Cr = \sum_{j=1}^{\varphi(k)-1} c_j q^j$

SLIDE 22

Automagical construction

◮ To find the best multiples of $r$, find short vectors in the lattice (spanned by the rows)
  $L := \begin{pmatrix} r & 0 & 0 & \cdots & 0 \\ -q & 1 & 0 & \cdots & 0 \\ -q^2 & 0 & 1 & \cdots & 0 \\ \vdots & \vdots & & \ddots & \vdots \\ -q^{\varphi(k)-1} & 0 & \cdots & 0 & 1 \end{pmatrix}$.
◮ The volume of $L$ is easily seen to be $r$, so by Minkowski there is $V \in L$ with $\|V\|_\infty \leq r^{1/\varphi(k)}$, where $\|V\|_\infty = \max_i |v_i|$.
◮ The shortest vector $V$ in $L$ satisfies $\|V\|_\infty \geq r^{1/\varphi(k)} / \varphi(k)$.

SLIDE 23

An example

◮ The family of BN-curves has $k = 12$ and is given by
  $p(x) = 36x^4 + 36x^3 + 24x^2 + 6x + 1$,   $r(x) = 36x^4 + 36x^3 + 18x^2 + 6x + 1$
◮ The shortest vectors in the lattice $L$:
  $V_1(x) = [x + 1, x, x, -2x]$,   $V_2(x) = [2x, x + 1, -x, x]$.
◮ Short vectors with the minimal number of coefficients of size $x$:
  $W(x) = [6x + 2, 1, -1, 1]$
◮ The pairing $a_{[c_0, \ldots, c_l]}$ can be computed as
  $\left( f_{6x+2,Q}(P) \cdot l_{Q_3,\,-Q_2}(P) \cdot l_{-Q_2 + Q_3,\,Q_1}(P) \cdot l_{Q_1 - Q_2 + Q_3,\,[6x+2]Q}(P) \right)^{(q^k - 1)/r}$
  where $Q_i = Q^{q^i}$ (i.e. $\pi_q^i(Q)$) for $i = 1, 2, 3$.
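An added example, not code from the slides, that ties together the non-degeneracy criterion of slide 20, the lattice $L$ of slide 22 and the BN family above. For the toy parameter $x = 1$ it checks that $V_1, V_2, W$ are lattice points, that the brute-force shortest vectors of $L$ have $\infty$-norm 2 (between the Minkowski bound $97^{1/4} \approx 3.1$ and the lower bound $97^{1/4}/4$), that $W$ gives a non-degenerate pairing and that the $\Phi_{12}$ coefficient vector $[1, 0, -1, 0, 1]$ gives a degenerate one. All function names and the brute-force search (sufficient only for toy sizes; real parameters need LLL) are my own.

```python
from itertools import product

# Constructed example, not from the slides: the BN family of slide 23 with x = 1,
# the lattice L of slide 22 and the non-degeneracy test of slide 20.
def bn_params(x):
    """p(x) and r(x) of the BN family (embedding degree k = 12)."""
    p = 36 * x**4 + 36 * x**3 + 24 * x**2 + 6 * x + 1
    r = 36 * x**4 + 36 * x**3 + 18 * x**2 + 6 * x + 1
    return p, r

def embedding_degree(q, r):
    """Smallest k >= 1 with r | q^k - 1."""
    k, acc = 1, q % r
    while acc != 1:
        acc, k = acc * q % r, k + 1
    return k

def lam(coeffs, q):
    """lambda = sum_i c_i q^i for the coefficient vector [c_0, ..., c_l]."""
    return sum(c * q**i for i, c in enumerate(coeffs))

def is_nondegenerate(coeffs, q, r, k):
    """Slide 20: with lambda = C*r, a_[c] is non-degenerate iff
    C*k*q^(k-1) is NOT congruent to ((q^k-1)/r) * sum_i i*c_i*q^(i-1) mod r."""
    C, rem = divmod(lam(coeffs, q), r)
    assert rem == 0, "coefficient vector must be a lattice point"
    lhs = C * k * pow(q, k - 1, r) % r
    rhs = (q**k - 1) // r * sum(i * c * q**(i - 1) for i, c in enumerate(coeffs) if i) % r
    return lhs != rhs

def shortest_vectors(q, r, dim, bound):
    """Brute-force L = {c : sum c_i q^i = 0 mod r} inside the box ||c||_inf <= bound
    (fine for toy r; real parameters need LLL). Returns (min norm, vectors)."""
    best, found = None, []
    for c in product(range(-bound, bound + 1), repeat=dim):
        if any(c) and lam(c, q) % r == 0:
            n = max(abs(v) for v in c)
            if best is None or n < best:
                best, found = n, [c]
            elif n == best:
                found.append(c)
    return best, found

def bn_vectors(x):
    """The page's V1(x), V2(x), W(x) and the (degenerate) Phi_12 vector [1,0,-1,0,1]."""
    return {"V1": [x + 1, x, x, -2 * x], "V2": [2 * x, x + 1, -x, x],
            "W": [6 * x + 2, 1, -1, 1], "Phi12": [1, 0, -1, 0, 1]}
```

With $x = 1$ one gets $p = 103$, $r = 97$ (both prime) and $103$ has order 12 modulo 97, so the toy instance really has $k = 12$.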

SLIDE 24

Questions?

End of Part II . . . there is no part III
