Outline: Abelian Varieties and Pairing-Based Cryptography; Constructing Pairing-Friendly Abelian Varieties; Analyzing the Algorithm

A Generalized Brezing-Weng Algorithm for Constructing Pairing-Friendly Ordinary Abelian Varieties

David Freeman, Stanford University, USA
Pairing 2008, 1 September 2008

David Freeman, A Generalized Brezing-Weng Algorithm
Pairings for crypt­ography

- Groups used in pairing-based crypto consist of points of prime order $r$ on abelian varieties $A/\mathbb{F}_q$. Elliptic curves are 1-dimensional abelian varieties.
- Pairings are (variants of) the Weil pairing
  $$e_{\mathrm{weil},r}\colon A[r] \times A[r] \to \mu_r \subset \mathbb{F}_{q^k}^{\times}$$
  or the Tate pairing (more complicated).
- $k$ is the embedding degree of $A$ with respect to $r$: the smallest integer such that $\mu_r \subset \mathbb{F}_{q^k}^{\times}$ (equivalently, $q^k \equiv 1 \pmod r$).
- If $r$ and $q^k$ are both large, the discrete log problem (DLP) is infeasible in $A[r]$ and in $\mathbb{F}_{q^k}^{\times}$.
- If $k$ is small, pairings can be computed efficiently (Miller's algorithm).
Pairing-friendly abelian varieties: first attempts

Random abelian varieties
- The embedding degree of a random $A/\mathbb{F}_q$ with an order-$r$ subgroup will be $\approx r$.
- Typical $r \approx 2^{160}$, so the pairing on a random $A$ can't even be computed.

Supersingular abelian varieties
- The embedding degree in dimension $g \le 6$ is $k \le 7.5g$ (Rubin-Silverberg).
- These $k$ are only acceptable for the lowest security levels.

Conclusion: need to develop specific constructions of non-supersingular (usually ordinary) abelian varieties.
The Problem

Find primes $q$ and ordinary abelian varieties $A/\mathbb{F}_q$ having
1. a subgroup of large prime order $r$, and
2. prescribed (small) embedding degree $k$ with respect to $r$.

- In practice, want $r > 2^{160}$ and $k \le 50$. We call such varieties "pairing-friendly."
- Want to be able to control the number of bits of $r$ to construct varieties at varying security levels.
- Want $\rho = \log(q^g)/\log r$ close to 1 to maximize efficiency in implementations. Since $\#A(\mathbb{F}_q) \approx q^g$ must contain the order-$r$ subgroup, $\rho \approx 1$ is the best one can hope for.
Our contribution

We give a method for constructing primes $q$ and ordinary $A/\mathbb{F}_q$ that have prescribed embedding degree $k$.

                       arbitrary k, large rho     many k, smaller rho
  elliptic curves      Cocks-Pinch                Brezing-Weng
  higher dimensions    F.-Stevenhagen-Streng      This work

- Kawazoe-Takahashi (next talk) give another approach to filling in the lower-right corner (dimension 2 only).
- This work uses the techniques of F.-Stevenhagen-Streng to generalize the Brezing-Weng method to arbitrary dimension.
Generalizing the Brezing-Weng method: algorithm for constructing pairing-friendly abelian varieties

Inputs: embedding degree $k$, CM field $K$.

- FSS idea: construct a $\pi \in \mathcal{O}_K$ with certain properties modulo $r$.
- Brezing-Weng idea: parametrize the subgroup order $r$ as a polynomial $r(x) \in \mathbb{Z}[x]$.
- Combine the ideas: obtain $\pi(x) \in K[x]$ with the FSS properties modulo $r(x)$.
- For certain $x_0 \in \mathbb{Z}$, $\pi(x_0)$ corresponds (in the sense of Honda-Tate theory) to the Frobenius endomorphism of an $A/\mathbb{F}_q$ that has embedding degree $k$ with respect to $r(x_0)$.
- $A$ can be constructed explicitly using CM methods.
Complex multiplication: the basics

- For an ordinary, simple, $g$-dimensional $A/\mathbb{F}_q$, $\mathrm{End}(A) \otimes \mathbb{Q}$ is a CM field $K$ of degree $2g$.
- $K$ = totally imaginary quadratic extension of a totally real field.
- The Frobenius endomorphism $\pi$ is a $q$-Weil number in $\mathcal{O}_K$: under every embedding $K \hookrightarrow \mathbb{C}$ one has $\pi\bar{\pi} = q$.
Properties of Frobenius make $A/\mathbb{F}_q$ pairing-friendly

- Number of points: $\#A(\mathbb{F}_q) = N_{K/\mathbb{Q}}(\pi - 1)$.
- The embedding degree $k$ is the order of $q = \pi\bar{\pi}$ in $(\mathbb{Z}/r\mathbb{Z})^{\times}$.
- $A$ has embedding degree $k$ with respect to $r$ iff
  $$N_{K/\mathbb{Q}}(\pi - 1) \equiv 0 \pmod r \tag{1}$$
  $$\Phi_k(\pi\bar{\pi}) \equiv 0 \pmod r \tag{2}$$
  ($\Phi_k$ = $k$-th cyclotomic polynomial). For prime $r \nmid k$, (2) says exactly that $q$ has order $k$ modulo $r$, not merely that $q^k \equiv 1$.
- Goal: construct a $\pi \in \mathcal{O}_K$ with properties (1) and (2).
The Brezing-Weng Algorithm

Construct pairing-friendly elliptic curves via the following algorithm:
1. Choose embedding degree $k$ and CM field $K = \mathbb{Q}(\sqrt{-D})$.
2. Choose irreducible $r(x) \in \mathbb{Z}[x]$ such that $L = \mathbb{Q}[x]/(r(x))$ contains $K$ and $\zeta_k$.
3. Compute $t(x)$ mapping to $\zeta_k + 1$ in $L$.
4. Compute $y(x)$ mapping to $(\zeta_k - 1)/\sqrt{-D}$ in $L$.
5. Set $q(x) \leftarrow \tfrac{1}{4}\left(t(x)^2 + D\,y(x)^2\right)$.

Theorem: If $q(x_0)$ is a prime integer for some $x_0$, there is an elliptic curve over $\mathbb{F}_{q(x_0)}$ with an order-$r(x_0)$ subgroup and embedding degree $k$. Its trace of Frobenius is $t(x_0)$, so it has $q(x_0) + 1 - t(x_0)$ points; note that $q(x)$ has rational coefficients in general, so $x_0$ must also be chosen to make $q(x_0)$ integral.
Rethinking the Brezing-Weng algorithm

- BW: $t(x) \equiv \zeta_k + 1$ and $y(x) \equiv (\zeta_k - 1)/\sqrt{-D} \pmod{r(x)}$.
- Let $\tilde r(x)$ be a factor of $r(x)$ in $K[x]$.
- Let $\pi(x) = \tfrac{1}{2}\left(t(x) + y(x)\sqrt{-D}\right)$. Then
  1. $\pi(x) \equiv \zeta_k \pmod{\tilde r(x)}$,
  2. $\bar\pi(x) \equiv 1 \pmod{\tilde r(x)}$.
- This implies that
  $$N_{K[x]/\mathbb{Q}[x]}(\pi(x) - 1) \equiv 0 \pmod{r(x)} \tag{3}$$
  $$\Phi_k(\pi(x)\bar\pi(x)) \equiv 0 \pmod{r(x)} \tag{4}$$
  so when we plug in any integer $x$, the pairing-friendly conditions (1) and (2) hold.
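The five Brezing-Weng steps, the pairing-friendliness conditions (1) and (2), and the residue view $\pi(x)\bar\pi(x) = q(x) \equiv \zeta_k$ above, carried out in code for $g = 1$. This is an added example, not code from the talk or from Freeman's paper. It assumes $r(x) = \Phi_k(x)$, so that $L = \mathbb{Q}(\zeta_k)$, and it handles only $D \in \{1, 3\}$, because then $\sqrt{-D}$ is a known element of $\mathbb{Q}(\zeta_k)$ and no root finding in $L$ is needed; it also lets $\zeta_k$ be represented by $x^i$ for any $i$ coprime to $k$, a choice the slide leaves implicit. The function names, the search range and the small instances it finds are the example's own.

```python
"""Brezing-Weng (slide steps 1-5) run end to end for g = 1.  Added example, not the talk's code.
Assumptions not in the slides: r(x) = Phi_k(x), so L = Q[x]/(r(x)) = Q(zeta_k) and zeta_k is the class
of x^i for any i coprime to k; and D in {1, 3}, using sqrt(-1) = zeta_k^(k/4) when 4 | k and
sqrt(-3) = 2*zeta_k^(k/3) + 1 when 3 | k.  Polynomials over Q are lists of Fractions, low degree first."""
from fractions import Fraction

def trim(p):
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p
def add(p, q):
    return trim([(p[i] if i < len(p) else 0) + (q[i] if i < len(q) else 0) for i in range(max(len(p), len(q)))])
def scale(p, c):
    return trim([Fraction(c) * a for a in p])
def x_pow(e):
    return [Fraction(0)] * e + [Fraction(1)]
def eval_poly(p, x0):
    return sum(c * Fraction(x0) ** e for e, c in enumerate(p))

def mul(p, q):
    out = [Fraction(0)] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] += a * b
    return trim(out)

def divmod_poly(p, m):
    """Quotient and remainder of p by m in Q[x] (m nonzero)."""
    p, quo = [Fraction(a) for a in p], [Fraction(0)] * max(1, len(p) - len(m) + 1)
    while len(p) >= len(m) and any(p):
        shift, c = len(p) - len(m), p[-1] / m[-1]
        quo[shift] = c
        for i, a in enumerate(m):
            p[i + shift] -= c * a
        trim(p)
    return trim(quo), trim(p)
def mod(p, m):
    return divmod_poly(p, m)[1]

def inverse_mod(p, m):
    """Inverse of p in L = Q[x]/(m) by the extended Euclidean algorithm (m irreducible)."""
    r0, r1, s0, s1 = [Fraction(a) for a in m], [Fraction(a) for a in p], [Fraction(0)], [Fraction(1)]
    while any(r1):
        quo, rem = divmod_poly(r0, r1)
        r0, r1, s0, s1 = r1, rem, s1, add(s0, scale(mul(quo, s1), -1))
    return mod(scale(s0, 1 / r0[0]), m)              # s0 * p = r0 (a constant) mod m

def cyclotomic(k):
    """Phi_k(x) = (x^k - 1) / prod_{d | k, d < k} Phi_d(x)."""
    p = [Fraction(-1)] + [Fraction(0)] * (k - 1) + [Fraction(1)]
    for d in (d for d in range(1, k) if k % d == 0):
        p = divmod_poly(p, cyclotomic(d))[0]
    return p

def brezing_weng(k, D, i=1):
    """Steps 1-5 with r = Phi_k and zeta_k := x^i.  Returns (r, t, y, q), all in Q[x]."""
    r = cyclotomic(k)                                                    # steps 1-2
    zeta = mod(x_pow(i), r)
    if D == 1 and k % 4 == 0:
        sqrt_mD = x_pow(k // 4)                                          # zeta_4 = sqrt(-1)
    elif D == 3 and k % 3 == 0:
        sqrt_mD = add(scale(x_pow(k // 3), 2), [Fraction(1)])            # 2*zeta_3 + 1 = sqrt(-3)
    else:
        raise ValueError("example covers only D = 1 with 4 | k and D = 3 with 3 | k")
    assert mod(mul(sqrt_mD, sqrt_mD), r) == [Fraction(-D)]               # sanity: sqrt(-D)^2 = -D in L
    t = add(zeta, [Fraction(1)])                                         # step 3: t = zeta_k + 1
    y = mod(mul(add(zeta, [Fraction(-1)]), inverse_mod(sqrt_mD, r)), r)  # step 4: (zeta_k - 1)/sqrt(-D)
    q = scale(add(mul(t, t), scale(mul(y, y), D)), Fraction(1, 4))       # step 5: (t^2 + D y^2)/4
    return r, t, y, q

def family_conditions(k, r, t, q, i=1):
    """(1) r | q + 1 - t = N(pi - 1), (2) r | Phi_k(q), and pi*pibar = q = zeta_k mod r; three booleans."""
    n = add(add(q, [Fraction(1)]), scale(t, -1))
    phi_q = [Fraction(0)]
    for c in reversed(cyclotomic(k)):                                    # Horner: Phi_k(q(x))
        phi_q = add(mul(phi_q, q), [c])
    return not any(mod(n, r)), not any(mod(phi_q, r)), mod(q, r) == mod(x_pow(i), r)

def is_prime(n):
    """Deterministic Miller-Rabin: bases 2..37 are exact for n < 3.3e24."""
    if n < 41:
        return n in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    s = ((n - 1) & (1 - n)).bit_length() - 1                            # n - 1 = 2^s * d, d odd
    d = (n - 1) >> s
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(s - 1)):
            return False                                                 # no squaring reached -1
    return True

def find_curve_parameters(k, D, i, x_lo, x_hi):
    """First x0 in [x_lo, x_hi) with q(x0) integral and q(x0), r(x0) prime, as (x0, q, r, t); else None.
    By the theorem E/F_q then has an order-r subgroup, embedding degree k and #E(F_q) = q + 1 - t."""
    r, t, y, q = brezing_weng(k, D, i)
    assert all(family_conditions(k, r, t, q, i))
    for x0 in range(x_lo, x_hi):
        q0, r0 = eval_poly(q, x0), eval_poly(r, x0)
        if q0.denominator == 1 and is_prime(int(q0)) and is_prime(int(r0)):
            return x0, int(q0), int(r0), int(eval_poly(t, x0))
    return None
```

For $k = 12$, $D = 3$ both $i = 1$ and $i = 5$ give families with $\deg q = 6$, $\deg r = 4$ (so $\rho = 1.5$), and `find_curve_parameters(12, 3, i, 2, 100)` returns `(4, 727, 241, 5)` and `(4, 1747, 241, 61)` respectively; one checks by hand that $727 + 1 - 5 = 3 \cdot 241$ and that $727 \equiv 4$ has order exactly 12 modulo 241, as (1) and (2) promise. For $k = 8$, $D = 1$ the same procedure produces a family that passes the polynomial-level checks, yet the search returns `None` on any range: $q(x_0) = (x_0^6 - 2x_0^5 + x_0^4 + x_0^2 + 2x_0 + 1)/4$ is an integer only for odd $x_0$, and then $r(x_0) = x_0^4 + 1$ is even. That is the check to run before trusting a family: the congruences hold for every integer $x$, but a usable $x_0$ needs $q(x_0)$ integral and prime and $r(x_0)$ prime (or with a small cofactor), which this choice of $r(x)$ never delivers.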
Main idea: a modular approach

- Easiest case: $K$ Galois cyclic of degree $2g$, $\mathrm{Gal}(K/\mathbb{Q}) = \langle\sigma\rangle$.
- If $L = \mathbb{Q}[x]/(r(x))$ is Galois and contains $K$, then $r(x)$ factors into $2g$ irreducibles in $K[x]$.
- Pick a factor $\tilde r(x)$ of $r(x)$ in $K[x]$, and write (up to a constant factor)
  $$r(x) = \tilde r(x)\cdot \tilde r(x)^{\sigma}\cdots \tilde r(x)^{\sigma^{g-1}} \cdot \overline{\tilde r}(x)\cdot \overline{\tilde r}(x)^{\sigma}\cdots \overline{\tilde r}(x)^{\sigma^{g-1}}.$$
- $\sigma$ acts on a polynomial by acting on its coefficients; $\sigma^g$ = complex conjugation.
Constructing a $\pi(x)$ with prescribed residues

$$r(x) = \tilde r(x)\cdot \tilde r(x)^{\sigma}\cdots \tilde r(x)^{\sigma^{g-1}} \cdot \overline{\tilde r}(x)\cdot \overline{\tilde r}(x)^{\sigma}\cdots \overline{\tilde r}(x)^{\sigma^{g-1}}$$

- Given $\xi(x) \in K[x]$, write the residues of $\xi$ modulo the factors of $r(x)$ in $K[x]$, in the order above, as
  $$(\alpha_1, \alpha_2, \ldots, \alpha_g, \beta_1, \ldots, \beta_g) \in L^{2g}.$$
- Then the residues of $\xi(x)^{\sigma^{-1}}$ are the cyclic shift
  $$(\alpha_2, \alpha_3, \ldots, \beta_1, \beta_2, \ldots, \alpha_1) \in L^{2g},$$
  and so on for each $\xi(x)^{\sigma^{-i}}$, until the residues of $\xi(x)^{\sigma^{-(g-1)}}$ are
  $$(\alpha_g, \beta_1, \ldots, \beta_{g-1}, \beta_g, \ldots, \alpha_{g-1}) \in L^{2g}.$$
- Define $\pi(x) = \prod_{i=0}^{g-1} \xi(x)^{\sigma^{-i}}$. Then
  $$\pi(x) \bmod \tilde r(x) = \prod_{i=1}^{g} \alpha_i, \qquad \bar\pi(x) \bmod \tilde r(x) = \prod_{i=1}^{g} \beta_i \in L.$$