Another Approach to Pairing Computation in Edwards Coordinates
Sorina Ionica, PRISM, Université de Versailles
Joint work with Antoine Joux
Sorina Ionica Pairing Computation in Edwards Coordinates
What is a pairing?
A pairing is a map $e : G_1 \times G_1' \to G_2$, where $G_1, G_1'$ are groups of order $r$ written additively and $G_2$ is a group of order $r$ written multiplicatively, such that:
bilinear: $e(aP, Q) = e(P, aQ) = e(P, Q)^a$;
nondegenerate: for every $P \in G_1$ with $P \neq 0$ there is $Q \in G_1'$ such that $e(P, Q) \neq 1$.
Pairings in Elliptic Curve Cryptography
Pairings on elliptic curves: the Weil pairing, the Tate, Ate and Eta pairings.
Applications: one-round tripartite Diffie-Hellman, identity-based encryption, short signatures, etc.
The Tate pairing. Notations.
Let $E$ be an elliptic curve over a finite field $\mathbb{F}_q$ of characteristic at least 5, i.e. $E : y^2 = x^3 + ax + b$. Let $r \mid \#E(\mathbb{F}_q)$ and let $E[r]$ be the $r$-torsion subgroup, i.e. the subgroup of points of order dividing $r$ (over the algebraic closure; for $r$ prime to $q$ it is isomorphic to $\mathbb{Z}/r \times \mathbb{Z}/r$). Since $r \mid \#E(\mathbb{F}_q)$, the rational points $E(\mathbb{F}_q)[r]$ supply at least one of the two components.
Embedding degree: $k$ minimal with $r \mid (q^k - 1)$. Write $\mu_r \subset \mathbb{F}_{q^k}^\times$ for the group of $r$-th roots of unity.
The Tate pairing
If $k > 1$ then $E(\mathbb{F}_{q^k})[r] = E[r]$. Choose $P, Q \in E[r]$ and set $G_1 = \langle P \rangle$, $G_1' = \langle Q \rangle$. Take $f_{r,P}$ with $\mathrm{div}(f_{r,P}) = r(P) - r(O)$ and $D = (Q + T) - (T)$, with $T$ chosen so that the support of $D$ is disjoint from the support of $\mathrm{div}(f_{r,P})$. For cryptographic use (the reduced Tate pairing):
$T_r(\cdot, \cdot) : G_1 \times G_1' \to \mu_r$, $\quad T_r(P, Q) = f_{r,P}(D)^{(q^k - 1)/r}$.
Miller's algorithm
Introduce, for $i \geq 1$, functions $f_{i,P}$ with $\mathrm{div}(f_{i,P}) = i(P) - (iP) - (i-1)(O)$. Note that $\mathrm{div}(f_{r,P}) = r(P) - r(O)$, since $rP = O$. Establish the Miller equation
$f_{i+j,P} = f_{i,P}\, f_{j,P}\, \dfrac{l_{iP,jP}}{v_{(i+j)P}}$,
where $l_{iP,jP}$ (the line through $iP$ and $jP$) and $v_{(i+j)P}$ (the vertical line through $(i+j)P$) are such that
$\mathrm{div}(l_{iP,jP}) = (iP) + (jP) + (-(i+j)P) - 3(O)$,
$\mathrm{div}(v_{(i+j)P}) = (-(i+j)P) + ((i+j)P) - 2(O)$.
Miller's algorithm
$f_{1,P}(D) = 1$
$f_{2,P}(D) = f_{1,P}(D)^2\, \dfrac{l_{P,P}(D)}{v_{2P}(D)}$
$f_{3,P}(D) = f_{2,P}(D)\, f_{1,P}(D)\, \dfrac{l_{P,2P}(D)}{v_{3P}(D)}$
$\vdots$
$f_{r,P}(D) = f_{r-1,P}(D)\, f_{1,P}(D)\, l_{(r-1)P,P}(D)$ (the vertical line through $rP = O$ is the constant 1).
Use the double-and-add method to compute $f_{r,P}(D)$, and hence the Tate pairing, in $O(\log_2 r)$ steps.
Miller's algorithm, or double-and-add
Choose a random point $T \in E(\mathbb{F}_{q^k})$ and compute $Q' = Q + T \in E(\mathbb{F}_{q^k})$.
Number the bits of $r$ from the least significant one, $b_1, \dots, b_{n+1}$, with $n = \lfloor \log_2 r \rfloor$; the leading bit $b_{n+1} = 1$ is accounted for by the initialisation. Let $K \leftarrow P$, $f \leftarrow 1$.
while $n \geq 1$
    Compute the equations of $l$ and $v$ arising in the doubling of $K$.
    $K \leftarrow 2K$ and $f \leftarrow f^2 \cdot l(Q')\, v(T) / (v(Q')\, l(T))$.
    if the bit $b_n$ of $r$ is 1
        Compute the equations of $l$ and $v$ arising in the addition of $K$ and $P$.
        $K \leftarrow K + P$ and $f \leftarrow f \cdot l(Q')\, v(T) / (v(Q')\, l(T))$.
    Let $n \leftarrow n - 1$.
end while
At the end $K = rP = O$ and $f = f_{r,P}(D)$; the pairing is $f^{(q^k-1)/r}$.
Implementing Miller's algorithm
The doubling step of the double-and-add method matters most.
Use faster exponentiation techniques (sliding window method, NAF).
Choose $r$ with low Hamming weight.
Choose $P \in E(\mathbb{F}_q)[r]$ and $Q \in E(\mathbb{F}_{q^k})[r]$.
Take $k$ even and get major speed-ups by using twists and working in subfields (the vertical-line denominators then lie in a proper subfield of $\mathbb{F}_{q^k}$ and are killed by the final exponentiation).
Up to now the best performance is obtained in Jacobian coordinates: $(X, Y, Z)$ such that $(X/Z^2, Y/Z^3)$ is a point on the elliptic curve $E$.
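The double-and-add loop of the previous slides, run end to end, as an added example that is not the authors' code: the reduced Tate pairing on the supersingular curve $y^2 = x^3 + x$ over $\mathbb{F}_p$ with $p \equiv 3 \pmod 4$, which has embedding degree $k = 2$ and $\mathbb{F}_{p^2} = \mathbb{F}_p[i]/(i^2+1)$. Everything numeric is a constructed assumption: $p = 1019$, $r = 17$, the scan for a point of order $r$, the distortion map $\psi(x,y) = (-x, iy)$ used to obtain $Q \in E(\mathbb{F}_{p^2})[r]$ outside $E(\mathbb{F}_p)$, and the auxiliary point $T = \psi(G) + G$ (chosen off $E(\mathbb{F}_p)$ so that the support of $D$ misses every multiple of $P$, instead of a random $T$).

```python
# Added example (not from the slides): Miller's double-and-add loop of the slide above, run for the
# reduced Tate pairing on the supersingular curve y^2 = x^3 + x over F_p, p = 3 mod 4, which has
# embedding degree k = 2 (F_{p^2} = F_p[i]/(i^2 + 1)). p, r and all sample points are constructed.
p, k, r = 1019, 2, 17          # #E(F_p) = p + 1 = 1020 = 60 * 17; 17 does not divide p - 1, so k = 2

# F_{p^2} elements are pairs (a, b) standing for a + b*i
def fadd(u, v): return ((u[0] + v[0]) % p, (u[1] + v[1]) % p)
def fsub(u, v): return ((u[0] - v[0]) % p, (u[1] - v[1]) % p)
def fmul(u, v): return ((u[0]*v[0] - u[1]*v[1]) % p, (u[0]*v[1] + u[1]*v[0]) % p)
def finv(u):                   # conj(u) / (u * conj(u)); the norm a^2 + b^2 is nonzero as -1 is a non-square
    n = pow((u[0]*u[0] + u[1]*u[1]) % p, p - 2, p)
    return (u[0]*n % p, -u[1]*n % p)
def fpow(u, e):
    acc, base = (1, 0), u
    while e:
        if e & 1: acc = fmul(acc, base)
        base = fmul(base, base); e >>= 1
    return acc
ZERO, ONE = (0, 0), (1, 0)
A = ONE                        # the curve is y^2 = x^3 + A x with A = 1

def ec_add(P, Q):              # affine chord-and-tangent law over F_{p^2}; None is the point O
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if fadd(y1, y2) == ZERO: return None
        lam = fmul(fadd(fmul((3, 0), fmul(x1, x1)), A), finv(fmul((2, 0), y1)))
    else:
        lam = fmul(fsub(y2, y1), finv(fsub(x2, x1)))
    x3 = fsub(fsub(fmul(lam, lam), x1), x2)
    return (x3, fsub(fmul(lam, fsub(x1, x3)), y1))

def ec_mul(n, P):
    R = None
    while n:
        if n & 1: R = ec_add(R, P)
        P = ec_add(P, P); n >>= 1
    return R

def line_and_vertical(K, P, X):
    """(l(X), v(X)) for the step K -> K + P: l is the line through K and P (the tangent when K == P),
    div(l) = (K) + (P) + (-(K+P)) - 3(O); v is the vertical through K + P, and v = 1 when K + P = O."""
    (xk, yk), (xp, yp) = K, P
    if xk == xp and fadd(yk, yp) == ZERO:
        return fsub(X[0], xk), ONE                        # K + P = O: l is x - x_K
    if K == P:
        lam = fmul(fadd(fmul((3, 0), fmul(xk, xk)), A), finv(fmul((2, 0), yk)))
    else:
        lam = fmul(fsub(yp, yk), finv(fsub(xp, xk)))
    x3 = fsub(fsub(fmul(lam, lam), xk), xp)               # x-coordinate of K + P
    l = fsub(fsub(X[1], yk), fmul(lam, fsub(X[0], xk)))   # y - y_K - lam (x - x_K)
    return l, fsub(X[0], x3)                              # x - x_{K+P}

def miller_update(f, K, P, Qp, T):
    """f <- f * l(Q') v(T) / (v(Q') l(T)), i.e. multiply f by (l/v)(D) for D = (Q') - (T)."""
    lq, vq = line_and_vertical(K, P, Qp)
    lt, vt = line_and_vertical(K, P, T)
    return fmul(f, fmul(fmul(lq, vt), finv(fmul(vq, lt))))

def tate_pairing(P, Q, T):
    """T_r(P, Q) = f_{r,P}(D)^((p^k - 1)/r) with D = (Q + T) - (T), by Miller's double-and-add."""
    Qp, K, f = ec_add(Q, T), P, ONE
    for bit in bin(r)[3:]:                                # bits of r below the leading one, high to low
        f, K = miller_update(fmul(f, f), K, K, Qp, T), ec_add(K, K)   # doubling: f <- f^2 l/v
        if bit == '1':
            f, K = miller_update(f, K, P, Qp, T), ec_add(K, P)        # addition: f <- f l/v
    assert K is None                                      # rP = O
    return fpow(f, (p**k - 1)//r)

def point_of_order_r():
    """Scan x = 1, 2, ... for a point G of E(F_p) and return (G, P) with P = [(p+1)/r] G of order r."""
    for x in range(1, p):
        rhs = (x**3 + x) % p
        y = pow(rhs, (p + 1)//4, p)                       # square root mod p (p = 3 mod 4), if one exists
        if y*y % p != rhs: continue
        G = ((x, 0), (y, 0))
        P = ec_mul((p + 1)//r, G)
        if P is not None: return G, P

def psi(P):
    """Distortion map (x, y) -> (-x, i*y) on y^2 = x^3 + x; it moves E(F_p)[r] outside E(F_p)."""
    (x, y) = P
    return ((-x[0] % p, 0), (0, y[0]))

def pairing_checks():
    """Nondegeneracy, bilinearity in both arguments, and independence of the auxiliary point T."""
    G, P = point_of_order_r()
    Q, T = psi(P), ec_add(psi(G), G)    # T is outside E(F_p), so supp(D) misses every multiple of P
    e = tate_pairing(P, Q, T)
    return (e != ONE and fpow(e, r) == ONE
            and tate_pairing(ec_mul(3, P), Q, T) == fpow(e, 3)
            and tate_pairing(P, ec_mul(3, Q), T) == fpow(e, 3)
            and tate_pairing(P, Q, ec_add(T, P)) == e)
```

The auxiliary point is the one place where a careless implementation silently breaks: if $T$ or $Q + T$ is a multiple of $P$, some $l(T)$ or $v(Q')$ in the loop is zero and the value is meaningless. Taking $T$ outside $E(\mathbb{F}_p)$ rules that out for every $i$ at once, and the last check confirms that the reduced pairing does not depend on which such $T$ was used.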
Edwards curves
Let $E$ be an elliptic curve over $\mathbb{F}_q$ such that $E(\mathbb{F}_q)$ has an element of order 4. There is a non-square $d \in \mathbb{F}_q$ such that $E$ is birationally equivalent over $\mathbb{F}_q$ to the Edwards curve $x^2 + y^2 = 1 + d\,x^2 y^2$. On the Edwards curve the addition law is
$(x_1, y_1), (x_2, y_2) \mapsto \left( \dfrac{x_1 y_2 + y_1 x_2}{1 + d x_1 x_2 y_1 y_2},\ \dfrac{y_1 y_2 - x_1 x_2}{1 - d x_1 x_2 y_1 y_2} \right)$.
Because $d$ is a non-square the denominators never vanish, so the law is complete: the same formula covers doubling, the neutral element $(0, 1)$ and inverses $-(x, y) = (-x, y)$.
Edwards versus Jacobian
In practice use homogeneous Edwards coordinates to avoid inversions: $(X, Y, Z)$ corresponding to $(X/Z, Y/Z)$ on the Edwards curve.

                      Edwards coordinates    Jacobian coordinates
addition              10m + 1s               11m + 5s
doubling              3m + 4s                1m + 8s, or 3m + 5s for a = -3
mixed addition        9m + 1s                7m + 4s (Z_2 = 1)

s, m are the costs of a squaring and a multiplication in $\mathbb{F}_q$ (s ≈ 0.8 m).
Edwards curves
Note the 4-torsion subgroup defined over $\mathbb{F}_q$: $\{\, O = (0, 1),\ T_4 = (1, 0),\ T_2 = (0, -1),\ -T_4 = (-1, 0) \,\}$.
Take a look at the action of this subgroup on a fixed point $P = (x, y)$:
$P \mapsto \{\, P,\ P + T_4 = (y, -x),\ P + T_2 = (-x, -y),\ P - T_4 = (-y, x) \,\}$.
Edwards curves
If $xy \neq 0$, set $p = (xy)^2$ and $s = x/y - y/x$; these characterise the point $P$ up to the action of the 4-torsion subgroup. Take
$E_{s,p} : s^2 p = (1 + dp)^2 - 4p$
and define $\varphi : E \to E_{s,p}$, $\varphi(x, y) = \left( (xy)^2,\ \dfrac{x}{y} - \dfrac{y}{x} \right)$.
$\varphi$ is separable of degree 4 (its kernel is the 4-torsion subgroup above).
And back to an elliptic curve...
$E_{s,p}$ is elliptic: homogenise $s^2 p = (1 + dp)^2 - 4p$ in $(P, S, Z)$,
$S^2 P = (Z + dP)^2 Z - 4PZ^2$,
then dehomogenise by $P$ (set $P = 1$, i.e. $z = Z/P = 1/p$ and $s = S/P$):
$s^2 = z^3 + (2d - 4) z^2 + d^2 z$.
Consider the standard addition law with $O_{s,p} = (0, 1, 0)$ as neutral element and $T_{2,s,p} = (1, 0, 0)$ the point of order 2.
Arithmetic of $E_{s,p}$
Take $l_{s,p}$ the line passing through $P_1$ and $P_2$, and $R$ its third point of intersection with the curve $E_{s,p}$. Take $v_{s,p}$ the vertical line through $R$; $P_1 + P_2$ is the second point of intersection of $v_{s,p}$ with $E_{s,p}$.
$\mathrm{div}(l_{s,p}) = (P_1) + (P_2) + (-(P_1 + P_2)) - 2(T_{2,s,p}) - (O_{s,p})$
and
$\mathrm{div}(v_{s,p}) = (P_1 + P_2) + (-(P_1 + P_2)) - 2(T_{2,s,p})$.
Miller's algorithm on Edwards curves
Consider the slightly modified functions $f^{(4)}_{i,P}$:
$\mathrm{div}(f^{(4)}_{i,P}) = i\big((P) + (P + T_4) + (P + T_2) + (P - T_4)\big) - \big((iP) + (iP + T_4) + (iP + T_2) + (iP - T_4)\big) - (i - 1)\big((O) + (T_4) + (T_2) + (-T_4)\big)$.
Then $\mathrm{div}(f^{(4)}_{r,P}) = r\big((P) + (P + T_4) + (P + T_2) + (P - T_4)\big) - r\big((O) + (T_4) + (T_2) + (-T_4)\big)$.
Compute the 4-th power of the Tate pairing:
$T_r(P, Q)^4 = f^{(4)}_{r,P}(D)^{(q^k - 1)/r}$.
Miller's algorithm on the Edwards curve
Establish the Miller equation:
$f^{(4)}_{i+j,P} = f^{(4)}_{i,P}\, f^{(4)}_{j,P}\, \dfrac{l}{v}$,
where $l/v$ is the function with divisor
$\mathrm{div}\!\left(\dfrac{l}{v}\right) = \big((iP) + (iP + T_4) + (iP + T_2) + (iP - T_4)\big) + \big((jP) + (jP + T_4) + (jP + T_2) + (jP - T_4)\big) - \big(((i+j)P) + ((i+j)P + T_4) + ((i+j)P + T_2) + ((i+j)P - T_4)\big) - \big((O) + (T_4) + (T_2) + (-T_4)\big)$.
Miller's algorithm on the Edwards curve
Let $P' = \varphi(P)$ and take $l_{s,p}$ and $v_{s,p}$ such that
$\mathrm{div}(l_{s,p}) = (iP') + (jP') + (-(i+j)P') - 2(T_{2,s,p}) - (O_{s,p})$
and
$\mathrm{div}(v_{s,p}) = ((i+j)P') + (-(i+j)P') - 2(T_{2,s,p})$.
Then
$f_{i+j,P'} = f_{i,P'}\, f_{j,P'}\, \dfrac{l_{s,p}}{v_{s,p}}$
and, pulling back by $\varphi^*$,
$f^{(4)}_{i+j,P} = f^{(4)}_{i,P}\, f^{(4)}_{j,P}\, \dfrac{l}{v}$.
Compute $l/v = \varphi^*(l_{s,p}/v_{s,p})$.
Computing $l$ and $v$
Both functions are the pullbacks $\varphi^*(l_{s,p})$, $\varphi^*(v_{s,p})$ written in the coordinates $s = x/y - y/x$ and $p = (xy)^2$ of the point $(x, y)$ at which they are evaluated. On the curve $X_1^2 + Y_1^2 - Z_1^2 = dZ_1^2 (x_1 y_1)^2$, so $dZ_1^2 (xy)^2 - (X_1^2 + Y_1^2 - Z_1^2) = dZ_1^2 (p - p_1)$, while $2X_1Y_1(x/y - y/x) - 2(X_1^2 - Y_1^2) = 2X_1Y_1 (s - s_1)$.
For the doubling step, with $P_1 = (X_1 : Y_1 : Z_1)$ and $2P_1 = (X_3 : Y_3 : Z_3)$, where $Z_3 = (X_1^2 + Y_1^2)(2Z_1^2 - X_1^2 - Y_1^2)$ is the $Z$-coordinate produced by the projective doubling formulas:
$l(x, y) = \dfrac{(X_1^2 + Y_1^2 - Z_1^2)(X_1^2 - Y_1^2)\big(2X_1Y_1(x/y - y/x) - 2(X_1^2 - Y_1^2)\big) + Z_3\big(dZ_1^2 (xy)^2 - (X_1^2 + Y_1^2 - Z_1^2)\big)}{2X_1Y_1 (X_1^2 + Y_1^2 - Z_1^2)(X_1^2 - Y_1^2)}$,
$v(x, y) = \dfrac{dZ_3^2 (xy)^2 - (X_3^2 + Y_3^2 - Z_3^2)}{X_3^2 + Y_3^2 - Z_3^2}$.
For the mixed addition step, with $P_1 = (X_1 : Y_1 : Z_1)$, $P_0 = (X_0, Y_0)$ affine and $P_1 + P_0 = (X_3 : Y_3 : Z_3)$:
$l(x, y) = \dfrac{\big(X_1^2 + Y_1^2 - Z_1^2 - dZ_1^2 (X_0Y_0)^2\big)\big(X_1Y_1(x/y - y/x) - (X_1^2 - Y_1^2)\big) + \big(X_1Y_1(X_0/Y_0 - Y_0/X_0) - (X_1^2 - Y_1^2)\big)\big(dZ_1^2 (xy)^2 - (X_1^2 + Y_1^2 - Z_1^2)\big)}{X_1Y_1\big(X_1^2 + Y_1^2 - Z_1^2 - dZ_1^2 (X_0Y_0)^2\big)}$,
$v(x, y) = \dfrac{dZ_3^2 (xy)^2 - (X_3^2 + Y_3^2 - Z_3^2)}{X_3^2 + Y_3^2 - Z_3^2}$.
Check: $l$ vanishes at $\varphi(P_1)$ and $\varphi(P_0)$ (both factors of each term are zero at $P_1$, and at $P_0$ the two terms cancel), and $v$ is $(p - p_3)/p_3$, the vertical line through $\pm\varphi(P_1 + P_0)$.
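An executable companion to the Edwards slides, added here and not part of the original talk: the addition law, the action of the rational 4-torsion subgroup, the map $\varphi$ onto $E_{s,p}$, and the Miller functions $l$ and $v$ of the doubling and mixed-addition steps in the form given above, with $Z_3$ taken from the projective doubling $2(X_1:Y_1:Z_1) = (2X_1Y_1(2Z_1^2 - X_1^2 - Y_1^2) : (X_1^2+Y_1^2)(Y_1^2 - X_1^2) : (X_1^2+Y_1^2)(2Z_1^2 - X_1^2 - Y_1^2))$. The field $q = 1019$, the non-square $d = 2$, the scan for sample points and the scaling factor $c$ are assumptions of this example. The check exploits that negation on $E_{s,p}$ is $s \mapsto -s$ and $\varphi(y, x) = (p, -s)$: the third intersection of a chord or tangent is reached by swapping the coordinates of the Edwards sum.

```python
# Added example (not from the slides): Edwards arithmetic over F_q, the rational 4-torsion action,
# the map phi to E_{s,p}, and the Miller functions l, v of the doubling and mixed-addition steps in
# Edwards coordinates. q, d and the sample points are constructed for this example.
q, d = 1019, 2                  # q = 3 mod 8, so d = 2 is a non-square and the addition law is complete
O, T4, T2 = (0, 1), (1, 0), (0, q - 1)
inv = lambda a: pow(a % q, q - 2, q)

def on_edwards(P):
    x, y = P
    return (x*x + y*y - 1 - d*x*x*y*y) % q == 0

def ed_add(P1, P2):
    """((x1 y2 + y1 x2)/(1 + d x1 x2 y1 y2), (y1 y2 - x1 x2)/(1 - d x1 x2 y1 y2))"""
    x1, y1 = P1; x2, y2 = P2
    t = d * x1 * x2 * y1 * y2
    return ((x1*y2 + y1*x2) * inv(1 + t) % q, (y1*y2 - x1*x2) * inv(1 - t) % q)

def ed_neg(P): return ((-P[0]) % q, P[1])

def orbit(P):
    """P, P + T4, P + T2, P - T4: the four points identified by phi."""
    return [P, ed_add(P, T4), ed_add(P, T2), ed_add(P, ed_neg(T4))]

def s_of(x, y): return (x*inv(y) - y*inv(x)) % q        # s = x/y - y/x

def phi(P):
    """phi(x, y) = (p, s) = ((xy)^2, x/y - y/x); defined off the 4-torsion (xy != 0)."""
    x, y = P
    assert x * y % q != 0
    return ((x*y)**2 % q, s_of(x, y))

def on_Esp(pt):
    pp, s = pt
    return (s*s*pp - (1 + d*pp)**2 + 4*pp) % q == 0

def affine_points(n):
    """First n points with xy != 0, scanning x = 2, 3, ... (y^2 = (1 - x^2)/(1 - d x^2), q = 3 mod 4)."""
    pts = []
    for x in range(2, q):
        rhs = (1 - x*x) * inv(1 - d*x*x) % q
        y = pow(rhs, (q + 1)//4, q)
        if y*y % q == rhs and y != 0:
            pts.append((x, y))
            if len(pts) == n: return pts

def double_proj(P1):
    """2(X1:Y1:Z1) = (2X1Y1(2Z1^2-X1^2-Y1^2) : (X1^2+Y1^2)(Y1^2-X1^2) : (X1^2+Y1^2)(2Z1^2-X1^2-Y1^2))."""
    X1, Y1, Z1 = P1
    E, J = X1*X1 + Y1*Y1, 2*Z1*Z1 - X1*X1 - Y1*Y1
    return (2*X1*Y1*J % q, E*(Y1*Y1 - X1*X1) % q, E*J % q)

def l_double(P1, xy):           # the slide's doubling line, P1 projective, evaluated at affine (x, y)
    X1, Y1, Z1 = P1; x, y = xy
    A, B, Z3 = X1*X1 + Y1*Y1 - Z1*Z1, X1*X1 - Y1*Y1, double_proj(P1)[2]
    num = A*B*(2*X1*Y1*s_of(x, y) - 2*B) + Z3*(d*Z1*Z1*(x*y)**2 - A)
    return num * inv(2*X1*Y1*A*B) % q

def l_madd(P1, P0, xy):         # the slide's mixed-addition line, P1 projective, P0 = (X0, Y0) affine
    X1, Y1, Z1 = P1; X0, Y0 = P0; x, y = xy
    A, B = X1*X1 + Y1*Y1 - Z1*Z1, X1*X1 - Y1*Y1
    F = A - d*Z1*Z1*(X0*Y0)**2
    num = F*(X1*Y1*s_of(x, y) - B) + (X1*Y1*s_of(X0, Y0) - B)*(d*Z1*Z1*(x*y)**2 - A)
    return num * inv(X1*Y1*F) % q

def v_line(P3, xy):             # the slide's vertical line through P3 = (X3:Y3:Z3)
    X3, Y3, Z3 = P3; x, y = xy
    A = X3*X3 + Y3*Y3 - Z3*Z3
    return (d*Z3*Z3*(x*y)**2 - A) * inv(A) % q

def generic(P): return P[0]*P[1] % q != 0 and (P[0]*P[0] - P[1]*P[1]) % q != 0   # xy != 0 and s != 0

def check_lines(c=7):
    """Zeros of l and v for the first pair of sample points in general position: l_double vanishes at
    phi(P1) and at -phi(2P1); l_madd at phi(P1), phi(P0) and -phi(P1 + P0); v at +-phi(P3). Since
    -phi(x, y) = phi(y, x), the negated points are evaluated through the swapped Edwards point.
    c scales P1 to a non-trivial projective representative (X1:Y1:Z1) = (c x1 : c y1 : c)."""
    pts = affine_points(6)
    for P1 in pts:
        for P0 in pts:
            D, S = ed_add(P1, P1), ed_add(P1, P0)
            if P0 == P1 or not all(generic(R) for R in (P1, P0, D, S)): continue
            if phi(P0)[0] == phi(P1)[0]: continue        # equal p: the chord would be vertical
            Pj = (P1[0]*c % q, P1[1]*c % q, c)
            Dj = double_proj(Pj)
            if (Dj[0]*inv(Dj[2]) % q, Dj[1]*inv(Dj[2]) % q) != D: return False   # projective vs affine doubling
            zeros = [l_double(Pj, P1), l_double(Pj, (D[1], D[0])),
                     l_madd(Pj, P0, P1), l_madd(Pj, P0, P0), l_madd(Pj, P0, (S[1], S[0])),
                     v_line(Dj, D), v_line(Dj, (D[1], D[0])), v_line((S[0], S[1], 1), S)]
            return all(z == 0 for z in zeros)
    return False
```

Two of the eight zeros are the ones worth watching: `l_double` at $-\varphi(2P_1)$ and `l_madd` at $-\varphi(P_1 + P_0)$ only vanish if the relative sign between the $s$-term and the $p$-term of the line is right (a line through one point with the wrong slope still vanishes at that point); a sign slip there produces a function with the wrong divisor and a pairing that is no longer bilinear, without any arithmetic error to notice.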
Comparison of costs for the doubling step of Miller's algorithm

                                            k = 2                  k ≥ 4
Jacobian coordinates                        10s + 3m + S + M       11s + (k+1)m + S + M
Jacobian coordinates for a = -3             4s + 8m + S + M        4s + (k+7)m + S + M
Das/Sarkar Edwards coordinates              6s + 9m + S + M        -
(supersingular curves)
Edwards coordinates                         4s + 9m + S + M        4s + (k+8)m + S + M

s, m are the costs of a squaring and a multiplication in $\mathbb{F}_q$; S, M the costs of a squaring and a multiplication in $\mathbb{F}_{q^k}$.
Comparison of costs for the mixed addition step of the Miller operation, k even

                                            k = 2                  k ≥ 4
Jacobian coordinates                        3s + 11m + M           3s + (k+9)m + M
Das/Sarkar Edwards coordinates              1s + 17m + M           -
(supersingular curves)
Edwards coordinates                         4s + 15m + M           4s + (k+14)m + M