The Realm of the Pairings Paulo S. L. M. Barreto
Prolegomena Thanks to the organizers of SAC 2013 for the invitation! Accompanying paper: joint work with D. Aranha, P. Longa and J. Ricardini. “I know I’m speaking in a marvelous accent without the slightest English” – Viktor Frankl, 1972. Hard task ahead: very first talk, to a very heterogeneous audience!
Cold start Tax payment authentication. Government of São Paulo, Brazil. > 40 × 10 6 inhabitants, 1/3 of GDP. Old system (before 2001): Mechanical, non-cryptographic authentication system (authenticating printer). Manual verification, requiring a trusted user. Frauds! Government admitted to 5% [sic] of tax payment evasion out of a $ 500 × 10 6 gross monthly tax revenue (for just one type of tax, namely, car licensing). New system needed! 3
Requirements Automatic process, without manual intervention. Open specification, unencumbered by patents. Public-key scheme with security level roughly equivalent to RSA-1024. Authentication tag must be printable on two alphanumerical lines (320 bits). Half of the available space is occupied by context information (user id, bank id, amount paid, date, etc). About 2 − 4 × 10 6 authentications a month must be handled on a single Pentium II 450 MHz PC. Not for the faint of heart 4
Assessment 160-bit signatures: ECDSA would just not do. Available options at the time: CFS Quartz OP/BLS (preprint) Would any of these be acceptable? 5
Assessment CFS Very slow to generate (no more than ~4 × 10 4 sigs/month on target platform). Quartz Unknown security (now broken). Covered by patents. OP/BLS No patents. Formal proof of security (under the gap Diffie- Hellman assumption). Reported efficiency at the time scaled to ~4 × 10 5 sigs/month on target platform. 6
Solution and results The pairing-based OP/BLS scheme was the only plausible choice, though performance needed a boost. 7
Solution and results All reqs satisfied: CPU >80% idle after improvement by B., Kim, Lynn and Scott. Room for business rule improvements. Government reported that frauds fell from 5% to 0% [sic], increasing tax revenue from $ 500 × 10 6 to... $ 1.5 × 10 9 [sic]. Still in use today – no further modification was ever needed. 8
Bilinear maps Seminal use: cryptanalysis (MOV & FR attacks). Amazingly flexible tool for constructing cryptosystems with novel and useful features (Antoine Joux is one of the key researchers to blame ). Identity-based schemes: Signatures (plain, blind, proxy, ring, undeniable, batch, …) Encryption (plain, broadcast, keyword- search capable, …) Signcryption Key agreement (plain, authenticated, group, …) Hierarchical cryptosystems Threshold cryptosystems (secret sharing, signatures, …) Chameleon hash and signatures ... 9
Bilinear maps “Conventional” systems Access control, identification and traitor tracing Credentials (anonymous, hidden, self-blindable , …) Key agreement and non-interactive key distribution Encryption (strongly insulated, intrusion- resilient, …) Signatures (short, group, aggregate, ring, verifiably encrypted, blind, partially blind, proxy, undeniable, limited- verifier, …) Signcryption Threshold cryptosystems (secret sharing, signatures) Hierarchical and role-based cryptosystems Chameleon hash and signatures Certificateless and self-certified PKC ... 10
Criticism “Pairings are too slow for practical consideration.” To what extent is this (in)correct? But first, some theory (caveat: sloppy math ahead! ) 11
Bilinear maps: definition Let 1 , 2 , and 𝑈 be groups of the same order 𝑜 , the first two usually written additively and the third one written multiplicatively. A bilinear map (or pairing ) is a function 𝑓 ∶ 1 × 2 → 𝑈 satisfying the conditions: Bilinearity : ∀𝑄 ∈ 1 , 𝑅 ∈ 2 , 𝑏 ∈ ℤ/𝑜ℤ ∶ 𝑓 𝑏𝑄, 𝑅 = 𝑓 𝑄, 𝑏𝑅 = 𝑓 𝑄, 𝑅 𝑏 . Non-degeneracy : ∀𝑄 ∈ 1 , ∃𝑅 ∈ 2 ∶ 𝑓 𝑄, 𝑅 ≠ 1 . Efficiently computable . 12
OP/BLS signatures Setup: 𝑓 ∶ 1 × 2 → 𝑈 , 𝐼 ∶ 0,1 ∗ → 1 . $ ℤ/𝑜ℤ, 𝑊 ← 𝑡𝑅 ∈ 2 ) . Key pair: (𝑡 Signature: Σ ← 𝑡𝐼 𝑛 ∈ 1 . Verification: accept 𝑛, Σ ⇔ 𝑓 Σ, 𝑅 = 𝑓(𝐼 𝑛 , 𝑊) . Explanation: 𝑓 Σ, 𝑅 = 𝑓 𝑡𝐼 𝑛 , 𝑅 = 𝑓 𝐼 𝑛 , 𝑅 𝑡 = 𝑓 𝐼 𝑛 , 𝑡𝑅 = 𝑓(𝐼 𝑛 , 𝑊) . 13
Elliptic curves and pairings Pairings of interest are certain rational functions on elliptic curves. An elliptic curve is a smooth projective algebraic curve of genus 1 with at least one marked point ( ∞ ). Projective equation: points [𝑌 ∶ 𝑍 ∶ 𝑎] with 𝑍 2 𝑎 + 𝑏 1 𝑌𝑍𝑎 + 𝑏 3 𝑍𝑎 2 = 𝑌 3 + 𝑏 2 𝑌 2 𝑎 + 𝑏 4 𝑌𝑎 2 + 𝑏 6 𝑎 3 (*) Affine part equation: points (𝑦, 𝑧) with 𝑧 2 + 𝑏 1 𝑦𝑧 + 𝑏 3 𝑧 = 𝑦 3 + 𝑏 2 𝑦 2 + 𝑏 4 𝑦 + 𝑏 6 , together with an extra point at infinity, which corresponds to 𝑎 = 0 in the projective form. Group law defined for the points of a curve (chord-and-tangent method). (*) actually other kinds of projective coordinates are usually adopted 14
Projective and affine coordinates 𝐹 ∶ 𝑍 2 𝑎 = 𝑌 3 + 𝑏𝑌𝑎 2 + 𝑐𝑎 3 𝐹 ∶ 𝑧 2 = 𝑦 3 + 𝑏𝑦 + 𝑐 𝑄 ∶ 𝑎 𝑄 ] 𝑄 = (𝑦 𝑄 , 𝑧 𝑄 ) 𝑄 = [𝑌 𝑄 ∶ 𝑍 𝑅 ∶ 𝑎 𝑅 ] 𝑅 = (𝑦 𝑅 , 𝑧 𝑅 ) 𝑅 = [𝑌 𝑅 ∶ 𝑍 𝑆 ∶ 𝑎 𝑆 ] 𝑆 = 𝑄 + 𝑅 = (𝑦 𝑆 , 𝑧 𝑆 ) 𝑆 = 𝑄 + 𝑅 = [𝑌 𝑆 ∶ 𝑍 −1 𝜈 ← 𝑌 𝑅 𝑎 𝑄 − 𝑌 𝑄 𝑎 𝑅 𝜇 ← 𝑧 𝑅 − 𝑧 𝑄 𝑦 𝑅 − 𝑦 𝑄 𝜇 ← 𝑍 𝑅 𝑎 𝑄 − 𝑍 𝑄 𝑎 𝑅 𝑦 𝑆 ← 𝜇 2 − 𝑦 𝑄 + 𝑦 𝑅 𝑌 𝑆 ← 𝜇 2 𝜈𝑎 𝑄 𝑎 𝑅 − 𝑌 𝑄 𝑎 𝑅 + 𝑌 𝑅 𝑎 𝑄 𝜈 3 𝑧 𝑆 ← −𝜇 3 + 𝜇𝑦 𝑅 − 𝑧 𝑄 𝑆 ← −𝜇 3 𝑎 𝑄 𝑎 𝑅 + 𝜇𝜈 2 𝑌 𝑅 𝑎 𝑄 − 𝜈 3 𝑍 𝑄 𝑎 𝑅 𝑍 𝑎 𝑆 ← 𝑎 𝑄 𝑎 𝑅 𝜈 3 Look more complicated, but involve no inversion, and have lots of common factors
Multiplication by scalar Input : 𝑄 ∈ 𝐹; 𝑠 = 𝑠 𝑢 = 1 𝑢 , 𝑠 𝑢−1 , … , 𝑠 0 2 ∶ 𝑠 Output : 𝑠𝑄 𝐵 ← 𝑄 1. for 𝑘 ← 𝑢 − 1 downto 0 do 2. 𝐵 ← 2𝐵 3. if 𝑠 𝑘 = 1 then 4. called double-and-add method, 𝐵 ← 𝐵 + 𝑄 5. for obvious reasons end if 6. end for 7. return 𝐵 8. 16
Rational maps A rational map 𝑔 over 𝕃 is a function of form 𝑔 𝑨 = 𝑑(𝑨)/ℎ(𝑨) , where and ℎ are monic polynomials over 𝕃 and 𝑑 ∈ 𝕃 is a constant. : Both (𝑨) and ℎ(𝑨) split over 𝕃 𝑡 𝑢 𝑛 𝑘 ℎ 𝑨 = 𝑨 − 𝑐 𝑙 𝑜 𝑙 𝑨 = 𝑨 − 𝑏 𝑘 , 𝑘=1 𝑙=1 17
Rational maps Assume that gcd (, ℎ) = 1 , i.e. 𝑏 𝑘 ≠ 𝑐 𝑙 . The zeroes of 𝑔 are the 𝑏 𝑘 with multiplicities 𝑛 𝑘 , and the poles of 𝑔 are the 𝑐 𝑙 with multiplicities −𝑜 𝑙 . The multiplicity of 𝑔 at ∞ is deg ℎ − deg = − 𝑛 𝑘 . − 𝑜 𝑙 𝑘 𝑙 All one needs to know to define 𝑔 up to the constant 𝑑 are its zeroes and poles with their respective multiplicities. 18
Divisors The divisor of a rational map 𝑔 is a tabular device to represent it: 𝑔 = 𝑛 1 ( 𝑏 1 ) + … + 𝑛𝑡( 𝑏𝑡 ) Hey apple! − 𝑜 1 ( 𝑐 1 ) − … − 𝑜 𝑢 ( 𝑐 𝑢 ) − (Σ 𝑘 𝑛 𝑘 − Σ 𝑙 𝑜 𝑙 )(∞). The degree of a divisor is the sum of all multiplicities. Therefore deg ((𝑔)) = 0 . Properties: (𝑑) = 0 , ( 𝑔) = (𝑔) + () , (𝑔/) = (𝑔) – () . 19
Divisors Divisors of functions defined on the points of an elliptic curve over 𝔾 𝑟 are rational functions of the point coordinates over the algebraic closure 𝔾 𝑟 . General divisors are unrestricted tabular associations: 𝔈 = 𝑛 𝑄 (𝑄) . 𝑄 Not all possible divisors correspond to function. In particular, if deg (𝔈) ≠ 0 then 𝔈 does not correspond to a function. 20
Divisors Divisors constitute an Abelian group under pointwise coefficient addition: 𝑛 𝑄 𝑄 + 𝑄 𝑜 𝑄 (𝑄 ) = (𝑛 𝑄 + 𝑜 𝑄 )(𝑄) . 𝑄 𝑄 A divisor may be huge – there are infinite choices of zeroes and poles. It is thus advantageous to define equivalence classes so as to keep the representation small. 21
Divisors Two divisors 𝔈 1 and 𝔈 2 are equivalent iff their difference is the divisor of a function, i.e. 𝔈 1 ~ 𝔈 2 𝔈 1 – 𝔈 2 = (𝑔) for some 𝑔 . The Cantor-Koblitz algorithm reduces any divisor to a uniquely defined equivalent divisor of the form 𝑛 𝑄 (𝑄) − 𝑛 𝑄 (∞) where 𝑛 𝑄 ≤ where is the 𝑄 𝑄 𝑄 curve genus. Reduced divisors over elliptic curves are of the form 𝑄 − (∞) for some 𝑄 . 22
Recommend
More recommend
