The Realm of the Pairings, Paulo S. L. M. Barreto (PowerPoint presentation)

SLIDE 1

The Realm of the Pairings

Paulo S. L. M. Barreto

SLIDE 2

Prolegomena

• Thanks to the organizers of SAC 2013 for the invitation!
• Accompanying paper: joint work with
  • D. Aranha, P. Longa and J. Ricardini.
• “I know I’m speaking in a marvelous accent without the slightest English” – Viktor Frankl, 1972.
• Hard task ahead: very first talk, to a very heterogeneous audience!

SLIDE 3

Cold start

• Tax payment authentication.
• Government of São Paulo, Brazil.
  • > 40 × 10^6 inhabitants, 1/3 of GDP.
• Old system (before 2001):
  • Mechanical, non-cryptographic authentication system (authenticating printer).
  • Manual verification, requiring a trusted user.
  • Frauds!
  • Government admitted to 5% [sic] of tax payment evasion out of a $500 × 10^6 gross monthly tax revenue (for just one type of tax, namely, car licensing).
• New system needed!

SLIDE 4

Requirements

• Automatic process, without manual intervention.
• Open specification, unencumbered by patents.
• Public-key scheme with security level roughly equivalent to RSA-1024.
• Authentication tag must be printable on two alphanumerical lines (320 bits).
  • Half of the available space is occupied by context information (user id, bank id, amount paid, date, etc).
• About 2 to 4 × 10^6 authentications a month must be handled on a single Pentium II 450 MHz PC.
• Not for the faint of heart.

SLIDE 5

Assessment

• 160-bit signatures: ECDSA would just not do.
• Available options at the time:
  • CFS
  • Quartz
  • OP/BLS (preprint)
• Would any of these be acceptable?

SLIDE 6

Assessment

• CFS
  • Very slow to generate (no more than ~4 × 10^4 sigs/month on target platform).
• Quartz
  • Unknown security (now broken).
  • Covered by patents.
• OP/BLS
  • No patents.
  • Formal proof of security (under the gap Diffie-Hellman assumption).
  • Reported efficiency at the time scaled to ~4 × 10^5 sigs/month on target platform.

SLIDE 7

Solution and results

• The pairing-based OP/BLS scheme was the only plausible choice, though performance needed a boost.

SLIDE 8

Solution and results

• All reqs satisfied:
  • CPU >80% idle after improvement by B., Kim, Lynn and Scott.
  • Room for business rule improvements.
• Government reported that frauds fell from 5% to 0% [sic], increasing tax revenue from $500 × 10^6 to... $1.5 × 10^9 [sic].
• Still in use today – no further modification was ever needed.

SLIDE 9

Bilinear maps

• Seminal use: cryptanalysis (MOV & FR attacks).
• Amazingly flexible tool for constructing cryptosystems with novel and useful features (Antoine Joux is one of the key researchers to blame).
• Identity-based schemes:
  • Signatures (plain, blind, proxy, ring, undeniable, batch, …)
  • Encryption (plain, broadcast, keyword-search capable, …)
  • Signcryption
  • Key agreement (plain, authenticated, group, …)
  • Hierarchical cryptosystems
  • Threshold cryptosystems (secret sharing, signatures, …)
  • Chameleon hash and signatures
  • ...

SLIDE 10

Bilinear maps

• “Conventional” systems
  • Access control, identification and traitor tracing
  • Credentials (anonymous, hidden, self-blindable, …)
  • Key agreement and non-interactive key distribution
  • Encryption (strongly insulated, intrusion-resilient, …)
  • Signatures (short, group, aggregate, ring, verifiably encrypted, blind, partially blind, proxy, undeniable, limited-verifier, …)
  • Signcryption
  • Threshold cryptosystems (secret sharing, signatures)
  • Hierarchical and role-based cryptosystems
  • Chameleon hash and signatures
  • Certificateless and self-certified PKC
  • ...

SLIDE 11

Criticism

• “Pairings are too slow for practical consideration.”
• To what extent is this (in)correct?
• But first, some theory (caveat: sloppy math ahead!)

SLIDE 12

Bilinear maps: definition

• Let $\mathbb{G}_1$, $\mathbb{G}_2$, and $\mathbb{G}_T$ be groups of the same order $n$, the first two usually written additively and the third one written multiplicatively.
• A bilinear map (or pairing) is a function $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ satisfying the conditions:
  • Bilinearity: $\forall P \in \mathbb{G}_1,\ Q \in \mathbb{G}_2,\ a \in \mathbb{Z}/n\mathbb{Z} : e(aP, Q) = e(P, aQ) = e(P, Q)^a$.
  • Non-degeneracy: $\forall P \in \mathbb{G}_1,\ \exists Q \in \mathbb{G}_2 : e(P, Q) \neq 1$.
  • Efficiently computable.

SLIDE 13

OP/BLS signatures

• Setup: $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$, $H : \{0,1\}^* \to \mathbb{G}_1$.
• Key pair: $(s \xleftarrow{\$} \mathbb{Z}/n\mathbb{Z},\ V \leftarrow sQ \in \mathbb{G}_2)$.
• Signature: $\sigma \leftarrow sH(m) \in \mathbb{G}_1$.
• Verification: accept $(m, \sigma) \Leftrightarrow e(\sigma, Q) = e(H(m), V)$.
• Explanation: $e(\sigma, Q) = e(sH(m), Q) = e(H(m), Q)^s = e(H(m), sQ) = e(H(m), V)$.

SLIDE 14

Elliptic curves and pairings

• Pairings of interest are certain rational functions on elliptic curves.
• An elliptic curve is a smooth projective algebraic curve of genus 1 with at least one marked point ($\infty$).
• Projective equation: points $[X : Y : Z]$ with $Y^2 Z + a_1 XYZ + a_3 YZ^2 = X^3 + a_2 X^2 Z + a_4 XZ^2 + a_6 Z^3$ (*)
• Affine part equation: points $(x, y)$ with $y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$, together with an extra point at infinity, which corresponds to $Z = 0$ in the projective form.
• Group law defined for the points of a curve (chord-and-tangent method).

(*) actually other kinds of projective coordinates are usually adopted

SLIDE 15

Projective and affine coordinates

Projective (left column):
  • $E : Y^2 Z = X^3 + aXZ^2 + bZ^3$
  • $P = [X_P : Y_P : Z_P]$
  • $Q = [X_Q : Y_Q : Z_Q]$
  • $R = P + Q = [X_R : Y_R : Z_R]$
  • $\mu \leftarrow X_Q Z_P - X_P Z_Q$
  • $\lambda \leftarrow Y_Q Z_P - Y_P Z_Q$
  • $X_R \leftarrow \lambda^2 \mu Z_P Z_Q - (X_P Z_Q + X_Q Z_P)\mu^3$
  • $Y_R \leftarrow -\lambda^3 Z_P Z_Q + \lambda \mu^2 (2 X_P Z_Q + X_Q Z_P) - \mu^3 Y_P Z_Q$
  • $Z_R \leftarrow Z_P Z_Q \mu^3$

Look more complicated, but involve no inversion, and have lots of common factors.

Affine (right column):
  • $E : y^2 = x^3 + ax + b$
  • $P = (x_P, y_P)$
  • $Q = (x_Q, y_Q)$
  • $R = P + Q = (x_R, y_R)$
  • $\lambda \leftarrow (y_Q - y_P)(x_Q - x_P)^{-1}$
  • $x_R \leftarrow \lambda^2 - (x_P + x_Q)$
  • $y_R \leftarrow -\lambda^3 + \lambda(2x_P + x_Q) - y_P$
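The projective addition formulas above, as an added example (not code from the talk or its accompanying paper) over a constructed toy curve $y^2 = x^3 + 2x + 5$ over $\mathbb{F}_{11}$; the curve, the points and the expected sums are assumptions chosen so that the result can be checked by hand against the affine column. The only field inversion happens once, when the result is converted back to affine coordinates:

```python
# Constructed toy parameters (assumption): E: Y^2 Z = X^3 + a X Z^2 + b Z^3 over F_11
# with a = 2, b = 5. The points and expected sums used below were checked by hand.
P_MOD = 11
A, B = 2, 5


def proj_add(p, q):
    """P + Q for distinct, non-opposite points (the case on the slide), with no inversion."""
    xp, yp, zp = p
    xq, yq, zq = q
    mu = (xq * zp - xp * zq) % P_MOD          # mu     = X_Q Z_P - X_P Z_Q
    lam = (yq * zp - yp * zq) % P_MOD         # lambda = Y_Q Z_P - Y_P Z_Q
    if mu == 0:
        raise ValueError("P == Q (use doubling) or P == -Q (sum is infinity)")
    zpzq = zp * zq % P_MOD                    # common factor Z_P Z_Q, computed once
    mu2 = mu * mu % P_MOD
    mu3 = mu2 * mu % P_MOD
    xr = (lam * lam * mu * zpzq - (xp * zq + xq * zp) * mu3) % P_MOD
    yr = (-lam ** 3 * zpzq + lam * mu2 * (2 * xp * zq + xq * zp) - mu3 * yp * zq) % P_MOD
    zr = zpzq * mu3 % P_MOD
    return xr, yr, zr


def to_affine(p):
    """Normalise [X : Y : Z] to (X/Z, Y/Z): the single field inversion, deferred to the end."""
    x, y, z = p
    zi = pow(z, P_MOD - 2, P_MOD)
    return x * zi % P_MOD, y * zi % P_MOD


def on_curve(p):
    """Projective curve equation Y^2 Z = X^3 + a X Z^2 + b Z^3."""
    x, y, z = p
    return (y * y * z - (x ** 3 + A * x * z * z + B * z ** 3)) % P_MOD == 0
```

With $P = [9 : 2 : 1]$ and $Q = [0 : 4 : 1]$ the affine formulas give $\lambda = 1$ and $R = (3, 4)$; `proj_add` returns $[2 : 10 : 8]$, which normalises to the same point, and feeding the scaled representative $[5 : 6 : 3]$ of $P$ gives a different triple for the same affine result, which is exactly why projective coordinates postpone the inversion.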

SLIDE 16

Multiplication by scalar

• Input: $P \in E$; $r = (r_t, r_{t-1}, \dots, r_0)_2$ with $r_t = 1$.
• Output: $rP$.

1. $A \leftarrow P$
2. for $j \leftarrow t - 1$ downto 0 do
3.   $A \leftarrow 2A$
4.   if $r_j = 1$ then
5.     $A \leftarrow A + P$
6.   end if
7. end for
8. return $A$

• called double-and-add method, for obvious reasons

SLIDE 17

Rational maps

• A rational map $f$ over $\mathbb{K}$ is a function of form $f(x) = c\, g(x)/h(x)$, where $g$ and $h$ are monic polynomials over $\mathbb{K}$ and $c \in \mathbb{K}$ is a constant.
• Both $g(x)$ and $h(x)$ split over $\overline{\mathbb{K}}$: $g(x) = \prod_{j=1}^{s} (x - a_j)^{m_j}$, $h(x) = \prod_{k=1}^{t} (x - b_k)^{n_k}$.

SLIDE 18

Rational maps

• Assume that $\gcd(g, h) = 1$, i.e. $a_j \neq b_k$. The zeroes of $f$ are the $a_j$ with multiplicities $m_j$, and the poles of $f$ are the $b_k$ with multiplicities $-n_k$. The multiplicity of $f$ at $\infty$ is $\deg h - \deg g = -\left(\sum_j m_j - \sum_k n_k\right)$.
• All one needs to know to define $f$ up to the constant $c$ are its zeroes and poles with their respective multiplicities.

SLIDE 19

Divisors

• The divisor of a rational map $f$ is a tabular device to represent it: $(f) = m_1(a_1) + \dots + m_s(a_s) - n_1(b_1) - \dots - n_t(b_t) - \left(\sum_j m_j - \sum_k n_k\right)(\infty)$.
• The degree of a divisor is the sum of all multiplicities. Therefore $\deg((f)) = 0$.
• Properties: $(c) = 0$, $(fg) = (f) + (g)$, $(f/g) = (f) - (g)$.

SLIDE 20

Divisors

• Divisors of functions defined on the points of an elliptic curve over $\mathbb{F}_q$: such functions are rational functions of the point coordinates over the algebraic closure $\overline{\mathbb{F}_q}$.
• General divisors are unrestricted tabular associations: $\mathcal{D} = \sum_P m_P (P)$.
• Not all possible divisors correspond to a function. In particular, if $\deg(\mathcal{D}) \neq 0$ then $\mathcal{D}$ does not correspond to a function.

SLIDE 21

Divisors

• Divisors constitute an Abelian group under pointwise coefficient addition: $\sum_P m_P (P) + \sum_P n_P (P) = \sum_P (m_P + n_P)(P)$.
• A divisor may be huge – there are infinite choices of zeroes and poles. It is thus advantageous to define equivalence classes so as to keep the representation small.

SLIDE 22

Divisors

• Two divisors $\mathcal{D}_1$ and $\mathcal{D}_2$ are equivalent iff their difference is the divisor of a function, i.e. $\mathcal{D}_1 \sim \mathcal{D}_2 \Leftrightarrow \mathcal{D}_1 - \mathcal{D}_2 = (f)$ for some $f$.
• The Cantor-Koblitz algorithm reduces any divisor to a uniquely defined equivalent divisor of the form $\sum_P m_P (P) - \left(\sum_P m_P\right)(\infty)$ where $\sum_P m_P \leq g$, $g$ being the curve genus.
• Reduced divisors over elliptic curves are of the form $(P) - (\infty)$ for some $P$.

SLIDE 23

Miller functions

• A Miller function is any function $f_{i,P}$ such that $(f_{i,P}) = i(P) - (iP) - (i-1)(\infty)$.
• Notice that $(f_{n,P}) = n(P) - n(\infty)$.
• Also, $(f_{0,P}) = (f_{1,P}) = 0$, i.e. $f_{0,P}$ and $f_{1,P}$ are constant.
• The line $\ell_{U,V}$ through points $U$ and $V$ has divisor $(\ell_{U,V}) = (U) + (V) + (-U-V) - 3(\infty)$.
• The vertical line $v_P$ through a point $P$ has divisor $(v_P) = (P) + (-P) - 2(\infty)$.
• Miller functions satisfy a recursive relation $f_{i+j,P} = c\, f_{i,P}\, f_{j,P}\, \ell_{iP,jP} / v_{(i+j)P}$.

SLIDE 24

Miller functions

$(f_{i+j,P}) = (i+j)(P) - ((i+j)P) - (i+j-1)(\infty)$

$= [\,i(P) - (iP) - (i-1)(\infty)\,] + [\,j(P) - (jP) - (j-1)(\infty)\,] + [\,(iP) + (jP) + (-(i+j)P) - 3(\infty)\,] - [\,((i+j)P) + (-(i+j)P) - 2(\infty)\,]$

$= (f_{i,P}) + (f_{j,P}) + (\ell_{iP,jP}) - (v_{(i+j)P})$

$= \left(f_{i,P}\, f_{j,P}\, \ell_{iP,jP} / v_{(i+j)P}\right)$.

$\therefore f_{i+j,P} = c\, f_{i,P}\, f_{j,P}\, \ell_{iP,jP} / v_{(i+j)P}$ for some $c$.

SLIDE 25

Miller’s algorithm

• Miller’s algorithm computes $f_{n,P}(Q)$ up to $c$ concomitantly with the double-and-add scalar multiplication $nP$.
• The trick:
  • $f_{i+1,P} = f_{i,P}\, f_{1,P}\, \ell_{iP,P} / v_{(i+1)P}$ ($= f_{i,P}\, \ell_{iP,P} / v_{(i+1)P}$).
  • $f_{2i,P} = f_{i,P}^2\, \ell_{iP,iP} / v_{2iP}$.
• Functions $\ell_{iP,P}$, $\ell_{iP,iP}$, $v_{(i+1)P}$, and $v_{2iP}$ appear naturally during the computation of $nP$.
• Denominators might be evaluated on a point where they vanish: use $n(P+S) - n(S) \sim n(P) - n(\infty)$ for random $S$.

SLIDE 26

Miller’s algorithm

• Input: $P \in \mathbb{G}_1$, $Q \in \mathbb{G}_2$, $n = (n_t, n_{t-1}, \dots, n_0)_2$ with $n_t = 1$.
• Output: $f_{n,P}(Q)$ up to a constant.

1. $f \leftarrow 1$, $S \xleftarrow{\$} E$, $A \leftarrow P$
2. for $j \leftarrow t - 1$ downto 0 do
3.   $f \leftarrow f^2 \cdot \ell_{A,A}(Q+S)\, v_{2A}(S) \,/\, \big(\ell_{A,A}(S)\, v_{2A}(Q+S)\big)$, $A \leftarrow 2A$
4.   if $n_j = 1$ then
5.     $f \leftarrow f \cdot \ell_{A,P}(Q+S)\, v_{A+P}(S) \,/\, \big(\ell_{A,P}(S)\, v_{A+P}(Q+S)\big)$, $A \leftarrow A + P$
6.   end if
7. end for
8. return $f$

SLIDE 27

The Weil pairing

• The Weil pairing of order $n$ at points $P$ and $Q$ is $w(P, Q) := f_{n,P}(Q) / f_{n,Q}(P)$. Note that the constant factor $c$ of $f$ is irrelevant – it does not affect the pairing value.
• Miller’s algorithm computes $f_{n,P}(Q)$ (and of course $f_{n,Q}(P)$ as well), and hence the Weil pairing.
• Exercise: show that this function is indeed a bilinear map.

SLIDE 28

The Tate pairing

• The Tate pairing at points $P$ and $Q$ is defined as $\tau(P, Q) := f_{n,P}(Q)^{x}$ where $x := (q^k - 1)/n$.
• The $(q^k - 1)/n$ exponent contains all factors $q^i - 1$ where $i \mid k$. This eliminates $c$ by Fermat’s Little Theorem.
• One invocation of Miller’s algorithm is traded for one exponentiation (usually faster).
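As an added example that is not code from the talk or its accompanying paper, the following ties slides 13, 15, 16 and 23-28 together: affine chord-and-tangent arithmetic, double-and-add, Miller's algorithm with the auxiliary point $S$, the reduced Tate pairing, and OP/BLS signing and verification on top of it. Everything in it is a constructed toy and an assumption of this example: the curve $y^2 = x^3 + 2x + 5$ over $\mathbb{F}_{11}$ (10 points, subgroup order $n = 5$, embedding degree $k = 1$, so $\mathbb{G}_T$ is the group of 5th roots of unity in $\mathbb{F}_{11}$), a symmetric setting with $\mathbb{G}_1 = \mathbb{G}_2$, and a byte-sum stand-in for the hash-to-curve map $H$.

```python
# Constructed toy parameters (assumption): E: y^2 = x^3 + 2x + 5 over F_11 has 10 points;
# n = 5 divides #E and 11 - 1, so k = 1 and G_T is the group of 5th roots of unity in F_11.
P_MOD = 11                  # field size q
A, B = 2, 5                 # curve coefficients
ORDER = 5                   # prime subgroup order n
INF = None                  # point at infinity
G1 = G2 = (9, 2)            # generator of the order-5 subgroup (symmetric toy: G1 = G2)

def inv(x):
    return pow(x % P_MOD, P_MOD - 2, P_MOD)

def on_curve(pt):
    return pt is INF or (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P_MOD == 0

def slope(t, u):
    """Slope of the chord through T and U, or of the tangent at T when T == U."""
    if t == u:
        return (3 * t[0] * t[0] + A) * inv(2 * t[1]) % P_MOD
    return (u[1] - t[1]) * inv(u[0] - t[0]) % P_MOD

def add(p, q):
    """Affine chord-and-tangent addition (slide 15, right-hand column)."""
    if p is INF:
        return q
    if q is INF:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P_MOD == 0:
        return INF                                   # q == -p
    lam = slope(p, q)
    x = (lam * lam - p[0] - q[0]) % P_MOD
    return x, (lam * (p[0] - x) - p[1]) % P_MOD

def mul(k, pt):
    """Left-to-right double-and-add (slide 16), scanning the bits of k from the top."""
    acc = INF
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc

def line(t, u, pt):
    """Evaluate at pt the line l_{T,U}: tangent when T == U, vertical x - x_T when U == -T."""
    if t[0] == u[0] and (t[1] + u[1]) % P_MOD == 0:
        return (pt[0] - t[0]) % P_MOD
    return (pt[1] - t[1] - slope(t, u) * (pt[0] - t[0])) % P_MOD

def vertical(t, pt):
    """Evaluate at pt the vertical line v_T; v_infinity is the constant 1."""
    return 1 if t is INF else (pt[0] - t[0]) % P_MOD

class Vanishes(Exception):
    """A line is zero at S or Q+S (slide 25's caveat): the caller retries with another S."""

def step(f, t, u, s, qs):
    """Multiply f by l_{T,U} / v_{T+U}, each evaluated on the divisor (Q+S) - (S)."""
    tu = add(t, u)
    num = line(t, u, qs) * vertical(tu, s) % P_MOD
    den = line(t, u, s) * vertical(tu, qs) % P_MOD
    if num == 0 or den == 0:
        raise Vanishes
    return f * num * inv(den) % P_MOD, tu

def miller(p, q, s):
    """f_{n,P} evaluated on (Q+S) - (S), following the loop of slide 26."""
    qs = add(q, s)
    f, t = 1, p
    for bit in bin(ORDER)[3:]:                       # the leading 1 is absorbed by T <- P
        f, t = step(f * f % P_MOD, t, t, s, qs)      # f <- f^2 l_{T,T} / v_{2T},  T <- 2T
        if bit == "1":
            f, t = step(f, t, p, s, qs)              # f <- f l_{T,P} / v_{T+P},  T <- T+P
    return f

CURVE_POINTS = [(x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y))]

def tate(p, q):
    """Reduced Tate pairing (slide 28) for k = 1: f_{n,P}((Q+S)-(S))^((q-1)/n).
    The final exponentiation removes both the constant c and any dependence on S."""
    for s in CURVE_POINTS:
        if s == p or add(q, s) in (p, INF):          # supports must avoid P and infinity
            continue
        try:
            return pow(miller(p, q, s), (P_MOD - 1) // ORDER, P_MOD)
        except Vanishes:
            continue
    raise RuntimeError("no usable auxiliary point S")

def hash_to_g1(msg):
    """Toy stand-in for H: {0,1}* -> G1 (assumption: a byte sum, not a real hash-to-curve)."""
    return mul(sum(msg) % (ORDER - 1) + 1, G1)

def keygen(s):
    return s, mul(s, G2)                             # (s, V = sQ)

def sign(s, msg):
    return mul(s, hash_to_g1(msg))                   # sigma = s H(m)

def verify(v, msg, sigma):
    # Reject anything outside G1 before it reaches the pairing (invalid-curve or
    # small-subgroup inputs), then check e(sigma, Q) == e(H(m), V) as on slide 13.
    if sigma is INF or not on_curve(sigma) or mul(ORDER, sigma) is not INF:
        return False
    return tate(sigma, G2) == tate(hash_to_g1(msg), v)
```

Tracing `tate(G1, G1)` by hand with $S = (0, 4)$: the doubling step at $P$ contributes $3/36 = 1$, the doubling step at $2P$ contributes $10/5 = 2$, and the final addition $4P + P = \infty$ uses the vertical line $x - 9$ with $v_\infty = 1$ and contributes $5/2$, so $f = 5$ and $\tau(P, P) = 5^2 = 3$ in $\mathbb{F}_{11}$. Bilinearity then fixes $\tau(2P, P) = \tau(P, 2P) = 9$ and $\tau(2P, 3P) = 3^6 = 3$, and the signature checks follow: with $s = 3$ the message `b"tax 100"` hashes to $3P$, the signature is $9P = 4P$, and changing the message, the key or the signature breaks the equality.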

SLIDE 29

Improvements

• NSA’s Jerry Solinas claimed (verbally) to have been the first person to actually implement Miller’s algorithm.
  • ~15 minutes on a PC (around 1990, so possibly an Intel 80386 or similar).
• Boneh et al. reported ~2.9 s on a 1 GHz Pentium III for the (then estimated as) 2^80 security level.
• Long way to go...

SLIDE 30

Improvements

• Anecdote: more than one researcher claims to have reviewed more than one paper on speeding up the Weil pairing during the 1990’s.
• All rejected!
  • “What’s the point? You only get a few bits in the MOV attack, and it only applies to a few curves nobody really uses.”
SLIDE 31

Improvements

• Tate-like pairings: any factor or denominator in a subfield vanishes due to the final exponentiation.
• Swap the arguments: computing $f_{n,Q}(P)$ instead of $f_{n,P}(Q)$ may lead to shorter loop length.
• Optimal pairings: shortest possible loop length $\ell$, with $\lg \ell \approx (\lg n)/\varphi(k)$ for embedding degree $k$.
• Final exponentiation may become the bottleneck!
• [R.I.P.] $\eta_T$ pairing: was the fastest known pairing, but is now defunct (Antoine Joux has more to say about this).

SLIDE 32

Pairings galore

• Weil pairing: $w(P, Q) := f_{n,P}(Q) / f_{n,Q}(P)$.
• Tate pairing: $\tau(P, Q) := f_{n,P}(Q)^{x}$ where $x := (q^k - 1)/n$.
• Eta pairing (or twisted Ate pairing when defined over an ordinary curve): $\eta(P, Q) := f_{\lambda,P}(Q)^{x}$ where $\lambda^d \equiv 1 \pmod n$.
• Ate pairing: $a(P, Q) := f_{t-1,Q}(P)^{x}$, where $t$ is the trace of the Frobenius endomorphism.
• Optimized Ate and twisted Ate pairings: $a_c(P, Q) := f_{(t-1)^c \bmod n,\,Q}(P)^{x}$, $\eta_c(P, Q) := f_{\lambda^c \bmod n,\,P}(Q)^{x}$, for some $0 < c < k$.
• Optimal Ate pairing: $a_{\mathrm{opt}}(P, Q) := f_{\ell,Q}(P)^{x}$ for a certain $\ell$ such that $\lg \ell \approx (\lg n)/\varphi(k)$.
• Eil pairing: $w_s(P, Q) := -\omega\, f_{s,P}(Q) / f_{s,Q}(P)$ where $s := q \bmod n$ and $\omega^k \equiv 1$.
• ...

SLIDE 33

Pairing-friendly curves

• Not all elliptic curves are suitable for pairing applications.
• On the one hand, the embedding degree $k$ must be small enough to make $\mathbb{F}_{q^k}$ arithmetic tractable (but it is usually enormous).
• On the other hand, $k$ must not be proportionally too small: the value of $k \lg q$ must ensure that the discrete logarithm problem in $\mathbb{F}_{q^k}^*$, where subexponential algorithms exist, remains intractable.

SLIDE 34

Pairing-friendly curves

• Supersingular curves allow for the limited range $k \in \{2, 3, 4, 6\}$ (more recently, only $k = 2$). Hyperelliptic supersingular curves do not effectively improve. MNT curves are ordinary but restrict $k \in \{3, 4, 6\}$.
• Several methods to construct curves containing a subgroup with arbitrary $k$ are known, but the resulting group size is relatively small: $\rho := \lg q / \lg n \sim 2$.

SLIDE 35

Pairing-friendly curves

• Algebraic constructions allow for a better relation between $n$ and $q$ for certain values of $k$:
  • BN curves attain $\rho = 1$ for $k = 12$; ideal around security level 2^128.
  • KSS and BLS12 curves provide the best tradeoff for security level 2^192.
  • BLS24 curves are the most suitable family known when addressing the 2^256 security level.
• Holistic trend: choose pairing-friendly curves that improve all operations needed by cryptosystems (not just pairing computation).

SLIDE 36

BN curves in a nutshell

• $E/\mathbb{F}_p : y^2 = x^3 + b$ (a Bachet curve)
• $\#E = n = p + 1 - t$ where, for some $u \in \mathbb{Z}$:
  • $p = p(u) = 36u^4 + 36u^3 + 24u^2 + 6u + 1$
  • $n = n(u) = 36u^4 + 36u^3 + 18u^2 + 6u + 1$
  • $t = t(u) = 6u^2 + 1$
• Abundant and easy to find.
• Embedding degree 12 (ideal at security level 2^128 but good between legacy 2^80 and long-term 2^192).
• Very friendly holistic subfamilies.
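An added example, not code from the talk or its accompanying paper, that generates BN parameters from the polynomials on this slide and runs the checks one would apply before trusting a parameter set: $n = p + 1 - t$, primality of $p$ and $n$, the Hasse bound $|t| \le 2\sqrt{p}$, the embedding degree (expected to be exactly 12) and $\rho = \lg p / \lg n$. The Miller-Rabin routine and the search strategy in `find_bn_u` are this example's own choices; $u = 1$ and $u = -1$ give the tiny sets $(p, n, t) = (103, 97, 7)$ and $(19, 13, 7)$, which can be checked by hand.

```python
# BN parameter generation and sanity checks (added example; the search strategy and the
# primality test are this example's own choices, not the paper's code).
import math

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def bn_params(u):
    """Return (p, n, t) of the BN family for the integer parameter u (slide 36)."""
    p = 36 * u**4 + 36 * u**3 + 24 * u**2 + 6 * u + 1
    n = 36 * u**4 + 36 * u**3 + 18 * u**2 + 6 * u + 1
    t = 6 * u**2 + 1
    return p, n, t


def is_prime(m):
    """Miller-Rabin with the first twelve primes as bases: deterministic below about 3.3e24,
    a strong probable-prime test above that (assumption: adequate for this example)."""
    if m < 2:
        return False
    for sp in SMALL_PRIMES:
        if m % sp == 0:
            return m == sp
    d, r = m - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(r - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False
    return True


def embedding_degree(p, n, limit=64):
    """Smallest k with n | p^k - 1, i.e. the extension degree of the field holding G_T."""
    for k in range(1, limit + 1):
        if pow(p, k, n) == 1:
            return k
    return None


def check_bn(u):
    """Verdicts a practitioner wants before using bn_params(u)."""
    p, n, t = bn_params(u)
    return {
        "p_prime": is_prime(p),
        "n_prime": is_prime(n),
        "order_ok": n == p + 1 - t,                     # #E = p + 1 - t with #E = n
        "hasse_ok": abs(t) <= 2 * math.isqrt(p),         # |t| <= 2 sqrt(p)
        "k": embedding_degree(p, n),                     # must be exactly 12
        "rho": math.log2(p) / math.log2(n),              # ~ 1 for BN curves
        "loop_bits": abs(6 * u + 2).bit_length(),        # optimal-ate loop length, slide 37
    }


def find_bn_u(bits):
    """Smallest |u| (trying u, then -u) giving prime p and n with p of at least `bits` bits."""
    u = math.isqrt(math.isqrt((1 << (bits - 1)) // 36)) + 1    # p ~ 36 u^4
    while True:
        for cand in (u, -u):
            p, n, _ = bn_params(cand)
            if p.bit_length() >= bits and is_prime(p) and is_prime(n):
                return cand
        u += 1
```

`check_bn(find_bn_u(40))` returns a 40-bit toy set whose embedding degree is 12 and whose $\rho$ is within a percent of 1; the same function applied to a production-size $u$ (around $2^{62}$ for the 2^128 level) runs the identical checks, only the Miller-Rabin bases then give a probable-prime rather than a proven answer.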

SLIDE 37

Optimal Ate pairing on general BN curves

• Input: $P \in \mathbb{G}_1$, $Q \in \mathbb{G}_2$, $\ell = 6u + 2 = \sum_{i=0}^{\lg \ell} \ell_i 2^i$
• Output: $a_{\mathrm{opt}}(Q, P)$

1. $d \leftarrow g_{Q,Q}(P)$, $T \leftarrow 2Q$, $e \leftarrow 1$
2. if $\ell_{\lg \ell - 1} = 1$ then $e \leftarrow g_{T,Q}(P)$, $T \leftarrow T + Q$
3. $f \leftarrow d \cdot e$
4. for $i = \lg \ell - 2$ downto 0 do
5.   $f \leftarrow f^2 \cdot g_{T,T}(P)$, $T \leftarrow 2T$
6.   if $\ell_i = 1$ then $f \leftarrow f \cdot g_{T,Q}(P)$, $T \leftarrow T + Q$
7. end for
8. $Q_1 \leftarrow \phi_p(Q)$, $Q_2 \leftarrow \phi_p^2(Q)$
9. if $u < 0$ then $T \leftarrow -T$, $f \leftarrow f^{p^6}$
10. $d \leftarrow g_{T,Q_1}(P)$, $T \leftarrow T + Q_1$, $e \leftarrow g_{T,-Q_2}(P)$, $T \leftarrow T - Q_2$, $f \leftarrow f \cdot (d \cdot e)$
11. $f \leftarrow f^{(p^6-1)(p^2+1)(p^4-p^2+1)/n}$
12. return $f$

Complicated but efficient! Still doing elliptic arithmetic...
SLIDE 38

Affine pairings

• Projective coordinates avoid field inversions, trading them for multiplications and additions.
• Affine coordinates need inversions, hence they are bad for both elliptic operations and pairing computations.
• … or are they?

SLIDE 39

Benchmarks

Who                              Mcyc   Processor      Coord
Hankerson, Scott, Menezes        10.0   Core 2         projective
Naehrig, Niederhagen, Schwabe     4.40  Core 2         projective
Beuchat et al. 2010               2.95  Core 2         projective
Beuchat et al. 2010               2.90  Nehalem        projective
Aranha et al. 2011                2.20  Core 2         projective
Aranha et al. 2011                2.00  Nehalem        projective
Aranha et al. 2011                1.56  Phenom II      projective
Zavattoni et al. 2013             1.51  Sandy Bridge   projective
Mitsunari 2013                    1.33  Haswell        projective
Mitsunari 2013                    1.17  Haswell+mulx   projective
[new]                             1.42  Sandy Bridge   projective
[new]                             1.21  Haswell        projective
[new]                             1.18  Haswell+mulx   projective
Acar, Lauter, Naehrig, Shumow    15.6   Core 2         affine
[new]                             2.43  Nehalem        affine

SLIDE 40

Benchmarks

• “Pairings are too slow for practical consideration.”
• Sandy Bridge, Wei Dai’s Crypto++ 5.6.2 for RSA and RELIC for pairings:

Operation                 Timings (Mcyc)
RSA 3072 signing          25.56
Affine pairing             1.94
Projective pairing         1.43
RSA 3072 verification      0.29

SLIDE 41

Benchmarks

• “Wait! How about storage, how about embedded processors?”
• On a MICAz, the RELIC library computes a pairing at the 2^80 security level in ~8 s.
• State-of-the-art RSA 1024 takes ~10 s.
• … both quickly taking all available 4 KiB RAM, hence long way to go...

SLIDE 42

Future directions and challenges

• At ECC 2004 I pointed out a number of challenges in pairing-based crypto.
• Many of those have been solved (e.g. BN curves!).
• It seems only fit to make some new ones now!

SLIDE 43

Future directions

• What is the speed limit for pairings?
  • Clearly, this depends on the platform.
  • Perhaps the real question is: what platforms are closest to ideal?
• Higher security
  • Better parameters than BLS curves?
• Very constrained platforms (e.g. SIM cards).
• Internet of Things, including embedded processors and WSNs.

SLIDE 44

Challenges

• Implement projective (and affine) pairings taking (substantially) less than 10^6 cycles.
• Find a family of pairing-friendly curves of prime order à la BN, but $k/g \sim 30$ (or prove that none exists).
• Implement pairings convincingly on a very constrained platform (not a coprocessor).

SLIDE 45

QUESTIONS?