avoiding full extension field arithmetic in pairing
play

Avoiding Full Extension Field Arithmetic in Pairing Computations - PowerPoint PPT Presentation

Dec 28, 2022 •294 likes •556 views

Introduction Motivation Miller 2 n -tupling Results Related Work Avoiding Full Extension Field Arithmetic in Pairing Computations Craig Costello craig.costello@qut.edu.au Queensland University of Technology AfricaCrypt 2010 Joint work with

  1. Introduction Motivation Miller 2 n -tupling Results Related Work Avoiding Full Extension Field Arithmetic in Pairing Computations Craig Costello craig.costello@qut.edu.au Queensland University of Technology AfricaCrypt 2010 Joint work with Colin Boyd, Juanma Gonzalez-Nieto, Kenneth Koon-Ho Wong Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  2. Introduction Motivation Miller 2 n -tupling Results Related Work Motivation Faster pairings mean more efficient... ID-based encryption (IBE) ID-based key agreement short signatures group signatures ring signatures certificateless encryption hierarchical encryption attribute-based encryption ... Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  3. Introduction Motivation Miller 2 n -tupling Results Related Work Table of contents 1 Introduction Pairings and Miller’s algorithm The evolution of Miller’s algorithm: state-of-the-art pairings 2 Motivation 3 Miller 2 n -tupling 4 Results 5 Related Work Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  4. Introduction Motivation Pairings and Miller’s algorithm Miller 2 n -tupling The evolution of Miller’s algorithm: state-of-the-art pairings Results Related Work Pairings on ordinary elliptic curves over large prime fields Need two linearly independent points R and S of large prime order r on E ( F p ), i.e. need two subgroups of E [ r ] E ( F p k ) is the smallest extension that contains two such subgroups (all r + 1 subgroups in fact) k is the embedding degree, first value such that r | p k − 1 Need a function f R with divisor div ( f R ) = r ( R ) − r ( O ) Weil pairing methodology e ( R , S ) = f R ( S ) / f S ( R ) ∈ F p k Tate pairing methodology e ( R , S ) = f R ( S ) p k − 1 ∈ F p k Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  5. Introduction Motivation Pairings and Miller’s algorithm Miller 2 n -tupling The evolution of Miller’s algorithm: state-of-the-art pairings Results Related Work The pairing evaluation functions What do the functions f R ( S ) and f S ( R ) look like? div ( f R ) = r ( R ) − r ( O ), i.e. a zero of order r at R , and a pole of order r at infinity ( O ). Indeterminate f R , f S are of degree r (at least in affine form) If R ∈ E ( F p ) and S ∈ E ( F p k ), then f R ( S ) will have coefficients in F p , evaluated at elements in F p k f S ( R ) will have coefficients in F p k , evaluated at elements in F p Too much to store f R explicitly before evaluating at S Therefore, evaluate at S as you build the function and vice versa. Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  6. Introduction Motivation Pairings and Miller’s algorithm Miller 2 n -tupling The evolution of Miller’s algorithm: state-of-the-art pairings Results Related Work Miller’s algorithm Input: R , S and r = ( r ⌊ log ( r ) ⌋ , ..., r 0 ) 2 Output: f R ( S ) f ← 1, T ← R for i from ⌊ log ( r ) ⌋ − 1 to 0 do Compute g = l / v in the chord-and-tangent doubling of T 1 T ← [2] T 2 f ← f 2 · g ( S ) 3 if r i = 1 then 4 i. Compute g = l / v in the chord-and-tangent addition of T + R ii. T ← T + R iii. f ← f · g ( S ) end if end for : return f Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  7. Introduction Motivation Pairings and Miller’s algorithm Miller 2 n -tupling The evolution of Miller’s algorithm: state-of-the-art pairings Results Related Work Miller’s algorithm for the Weil pairing methodology Initially: run twice to compute e ( R , S ) = f R ( S ) / f S ( R ) Input: R , S and r = ( r ⌊ log ( r ) ⌋ , ..., r 0 ) 2 Output: f R ( S ) (first time) and f S ( R ) (second time) f ← 1, T ← R for i from ⌊ log ( r ) ⌋ − 1 to 0 do Compute g = l / v in the chord-and-tangent doubling of T 1 T ← [2] T 2 f ← f 2 · g ( S ) 3 if r i = 1 then 4 i. Compute g = l / v in the chord-and-tangent addition of T + R ii. T ← T + R iii. f ← f · g ( S ) end if end for : return f Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  8. Introduction Motivation Pairings and Miller’s algorithm Miller 2 n -tupling The evolution of Miller’s algorithm: state-of-the-art pairings Results Related Work Miller’s algorithm for the Tate pairing methodology Idea: run once and exponentiate e ( R , S ) = f R ( S ) p k − 1 Input: R , S and r = ( r ⌊ log ( r ) ⌋ , ..., r 0 ) 2 Output: f R ( S ) f ← 1, T ← R for i from ⌊ log ( r ) ⌋ − 1 to 0 do Compute g = l / v in the chord-and-tangent doubling of T 1 T ← [2] T 2 f ← f 2 · g ( S ) 3 if r i = 1 then 4 i. Compute g = l / v in the chord-and-tangent addition of T + R ii. T ← T + R iii. f ← f · g ( S ) end if return f ← f ( p k − 1) end for : Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  9. Introduction Motivation Pairings and Miller’s algorithm Miller 2 n -tupling The evolution of Miller’s algorithm: state-of-the-art pairings Results Related Work Miller’s algorithm with no inversions Ideas: v ’s are in subfields so discard + projective coords Input: R , S and r = ( r ⌊ log ( r ) ⌋ , ..., r 0 ) 2 Output: f R ( S ) f ← 1, T ← R for i from ⌊ log ( r ) ⌋ − 1 to 0 do Compute g = l / v in the chord-and-tangent doubling of T 1 T ← [2] T 2 f ← f 2 · g ( S ) 3 if r i = 1 then 4 i. Compute g = l / v in the chord-and-tangent addition of T + R ii. T ← T + R iii. f ← f · g ( S ) end if return f ← f ( p k − 1) end for : Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  10. Introduction Motivation Pairings and Miller’s algorithm Miller 2 n -tupling The evolution of Miller’s algorithm: state-of-the-art pairings Results Related Work Miller’s algorithm with optimal loop length Idea: Minimize loop length + low Hamming-weight Input: R , S and m opt = ( m ⌊ log ( m opt ) ⌋ , ..., m 0 ) 2 Output: f R ( S ) f ← 1, T ← R for i from ⌊ log ( m opt ) ⌋ − 1 to 0 do Compute g = l in the chord-and-tangent doubling of T 1 T ← [2] T 2 f ← f 2 · g ( S ) 3 if r i = 1 then 4 i. Compute g = l in the chord-and-tangent addition of T + R ii. T ← T + R iii. f ← f · g ( S ) end if return f ← f ( p k − 1) end for : Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  11. Introduction Motivation Pairings and Miller’s algorithm Miller 2 n -tupling The evolution of Miller’s algorithm: state-of-the-art pairings Results Related Work The state-of-the-art Input: R , S and m opt = ( m ⌊ log ( m opt ) ⌋ , ..., m 0 ) 2 Output: f R ( S ) f ← 1, T ← R for i from ⌊ log ( m opt ) ⌋ − 1 to 0 do Compute g = l in the chord-and-tangent doubling of T 1 T ← [2] T 2 f ← f 2 · g ( S ) 3 return f ← f ( p k − 1) end for : Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  12. Introduction Motivation Pairings and Miller’s algorithm Miller 2 n -tupling The evolution of Miller’s algorithm: state-of-the-art pairings Results Related Work Tate vs. ate groups G 1 = E [ r ] ∩ ker ( π p − [1]) and G 2 = E [ r ] ∩ ker ( π p − [ p ]), i.e. G 1 ∈ E ( F p ) (base field) and G 2 ∈ E ( F p k ) (full ext. field) Use twisted curve E ′ ∼ 2 ∼ = E to define G ′ = G 2 but G ′ 2 ∈ E ( F p k / d ) (twisted subfield) Tate-like pairings 2nd argument S ∈ G ′ 1st argument: R ∈ G 1 2 Ate-like pairings 1st argument: R ∈ G ′ 2nd argument S ∈ G 1 2 Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  13. Introduction Motivation Miller 2 n -tupling Results Related Work What else can we do? Red stuff : Optimized or exhausted or given enough attention Input: R , S and m opt = ( m ⌊ log ( m opt ) ⌋ , ..., m 0 ) 2 Output: f R ( S ) f ← 1, T ← R for i from ⌊ log ( m opt ) ⌋ − 1 to 0 do Compute g = l in the chord-and-tangent doubling of T 1 T ← [2] T 2 f ← f 2 · g ( S ) 3 end for return f ← f ( p k − 1) Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

  14. Introduction Motivation Miller 2 n -tupling Results Related Work A closer look at the Miller update step Complexity of operations i. f ← f 2 s k ii. Evaluate g at S 2 k / d · m 1 iii. f ← f · g m k ? i. f is a general element of F p k (can’t do much here) ii. Indeterminate g takes form g ( x , y ) = g x · x + g y · y + g 0 , and is evaluated as g ( S x , S y ) ate: g x , g y , g 0 ∈ F p k / d and S x , S y ∈ F p Tate: g x , g y , g 0 ∈ F p and S x , S y ∈ F p k / d iii. KEY: If degree of twist d = 4 or d = 6, then g ( S ) is not a general element of F p k / d (i.e. f · g is not a full extension field multiplication!) Craig Costello Avoiding Full Extension Field Arithmetic in Pairing Computations

Recommend

Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography

Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography

Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography and Information Security Graduate School of Systems and Information Engineering University of Tsukuba 1-1-1 Tennodai, Tsukuba Ibaraki, 305-8573,

896 views • 58 slides
Pairing Pairing is the process by which we condition ourselves, the teaching materials, and

Pairing Pairing is the process by which we condition ourselves, the teaching materials, and

Pairing & Manding Vincent J. Carbone Ed.D., BCBA-D NYS Licensed Behavior Analyst Carbone Clinic New York Boston Dubai www.CarboneClinic.com www.TheCarboneclinic.ae IESCUM Parma, Italy December 1,2 & 3, 2016 1 Pairing

622 views • 35 slides
Arithmetic for Computers October 31, 2008 Arithmetic for Computers ALU Arithmetic Logic Unit

Arithmetic for Computers October 31, 2008 Arithmetic for Computers ALU Arithmetic Logic Unit

Arithmetic for Computers October 31, 2008 Arithmetic for Computers ALU Arithmetic Logic Unit Performs most processor operations Control signal predicates addition subtraction logic operations shifting (w / or w / o sign extension) Figure:

205 views • 8 slides
Empiricism, Probability, and Knowledge of Arithmetic Sean Walsh Department of Logic and

Empiricism, Probability, and Knowledge of Arithmetic Sean Walsh Department of Logic and

I. Intro II. Avoiding Counting Assignments III. Avoiding Alignment IV. Summary + Questions Empiricism, Probability, and Knowledge of Arithmetic Sean Walsh Department of Logic and Philosophy of Science University of California, Irvine

396 views • 27 slides
Secure Device Pairing What is device pairing? What is

Secure Device Pairing What is device pairing? What is

Secure Device Pairing What is device pairing? What is device pairing? What is the problem? The wireless communica8on channel is rela8vely easy to

298 views • 9 slides
Part I: RELIC Diego F. Aranha Efficient Binary Field Arithmetic Numbers RELIC is an Efficient

Part I: RELIC Diego F. Aranha Efficient Binary Field Arithmetic Numbers RELIC is an Efficient

Efficient Binary Field Arithmetic and Applications to Curve-based Cryptography Diego F. Aranha Department of Computer Science University of Bras lia CHES 2012 Tutorial Diego F. Aranha Efficient Binary Field Arithmetic Part I: RELIC

738 views • 48 slides
Context This talk is about software for finite field arithmetic ( + . . . ; most

Context This talk is about software for finite field arithmetic ( + . . . ; most

The mp F q library and implementing curve-based key exchanges (yet another finite field library) Emmanuel Thom e, Pierrick Gaudry p. 1/21 Context This talk is about software for finite field arithmetic ( + . . . ; most

539 views • 25 slides
Algorithms for finite field arithmetic ric Schost (joint with Luca De Feo & Javad

Algorithms for finite field arithmetic ric Schost (joint with Luca De Feo & Javad

Algorithms for finite field arithmetic ric Schost (joint with Luca De Feo & Javad Doliskani) Western University University of Waterloo July 9, 2015 Basics 2 / 30 Finite fields Definition A finite field is a field (a set with

750 views • 45 slides
Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e

Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e

Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e Montpellier 2 Summer School ECC 2011 Nancy, September 12-16, 2011 Part 1 Modular and finite field arithmetic 1/40 2/40 Finite fields The

883 views • 49 slides
Finite field multiplication combining AMNS and DFT approach for Pairing Based Cryptography Nadia

Finite field multiplication combining AMNS and DFT approach for Pairing Based Cryptography Nadia

Finite field multiplication combining AMNS and DFT approach for Pairing Based Cryptography Nadia El Mrabet (1) and Christophe Negre (2) (1) Team Arith/LIRMM, Universit e Montpellier 2 (2) Team DALI/ELIAUS, Universit e de Perpignan

753 views • 49 slides
Maximal arithmetic hyperbolic lattices with fixed invariant trace field Jiming Ma Fudan

Maximal arithmetic hyperbolic lattices with fixed invariant trace field Jiming Ma Fudan

Distribution of primes Quaternion algebra Arithmetic hyperbolic 3-manifolds Maximal arithmetic hyperbolic 3-manifolds Maximal arithmetic hyperbolic lattices with fixed invariant trace field Jiming Ma Fudan University The Second China-Russia

961 views • 93 slides
Arithmetic of Extension Fields of Small Characteristics Recent Developments Abhijit Das

Arithmetic of Extension Fields of Small Characteristics Recent Developments Abhijit Das

Arithmetic of Extension Fields of Small Characteristics Recent Developments Abhijit Das Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Indo-US Workshop Indian Statistical Institute, Calcutta January

182 views • 17 slides
Full reduction at full throttle Extension to the Calculus of Inductive Constructions Gerco van

Full reduction at full throttle Extension to the Calculus of Inductive Constructions Gerco van

Full reduction at full throttle Extension to the Calculus of Inductive Constructions Gerco van Heerdt December 19, 2014 1 / 18 Symbolic CIC Term t , T , P ::= x | t 1 t 2 | v | C i ( t ) | case P t of ( C i ( x i ) t i )

225 views • 18 slides
Heavy-Duty Slides for Industrial applications: KA 3300 Full extension ball bearing slides Full

Heavy-Duty Slides for Industrial applications: KA 3300 Full extension ball bearing slides Full

Heavy-Duty Slides for Industrial applications: KA 3300 Full extension ball bearing slides Full extension ball bearing slide KA 3320 / Load capacity up to 500 lbs. (227 kg) 3/4" (19 mm) installation width Precision ball

433 views • 16 slides
T2Pair: Secure and Usable Pairing for Heterogeneous IoT Devices Xiaopeng Li, Qiang Zeng , Lannan

T2Pair: Secure and Usable Pairing for Heterogeneous IoT Devices Xiaopeng Li, Qiang Zeng , Lannan

T2Pair: Secure and Usable Pairing for Heterogeneous IoT Devices Xiaopeng Li, Qiang Zeng , Lannan Luo, Tongbo Luo CCS 2020 IoT Pairing Pairing is supposed to establish a secure communication channel IoT pairing is important for adding

345 views • 21 slides
GDR Terascale Avoiding the Goldstone Boson Catastrophe in general renormalisable field theories

GDR Terascale Avoiding the Goldstone Boson Catastrophe in general renormalisable field theories

GDR Terascale Avoiding the Goldstone Boson Catastrophe in general renormalisable field theories at two loops Johannes Braathen in collaboration with Dr. Mark Goodsell arXiv:1609.06977, to appear in JHEP Laboratoire de Physique Thorique et

792 views • 32 slides
Pairing-Based Cryptography & Generic Groups Lecture 22 Bilinear Pairing Bilinear Pairing

Pairing-Based Cryptography & Generic Groups Lecture 22 Bilinear Pairing Bilinear Pairing

Pairing-Based Cryptography & Generic Groups Lecture 22 Bilinear Pairing Bilinear Pairing Two (or three) groups with an efficient pairing operation, e: G x G G T that is bilinear Bilinear Pairing Two (or three) groups with an

1.44k views • 105 slides
Pairing-Based Cryptography & Generic Groups Lecture 21 Bilinear Pairing Bilinear Pairing

Pairing-Based Cryptography & Generic Groups Lecture 21 Bilinear Pairing Bilinear Pairing

Pairing-Based Cryptography & Generic Groups Lecture 21 Bilinear Pairing Bilinear Pairing Two (or three) groups with an efficient pairing operation, e: G x G G T that is bilinear Bilinear Pairing Two (or three) groups with an

1.67k views • 118 slides
Pairing time-reversal states J = 0 + (a) +m -m k F k F K k F + L.N.

Pairing time-reversal states J = 0 + (a) +m -m k F k F K k F + L.N.

Nuclear pairing from microscopic forces (with applications) Paolo Finelli Dept. of Physics and Astronomy, University of Bologna paolo. fj nelli@bo.infn.it Based on Phys. Rev. C 90, 044003 Published 21 October 2014 Pairing time-reversal

674 views • 22 slides
Arithmtique des corps et gomtrie diophantienne Field Arithmetic and Diophantine Geometry

Arithmtique des corps et gomtrie diophantienne Field Arithmetic and Diophantine Geometry

Arithmtique des corps et gomtrie diophantienne Field Arithmetic and Diophantine Geometry 11-13 Dcembre 2013 Laboratoire Paul Painlev, Universit Lille 1 Lecture room : salle de runions (btiment M2) Contact: Pierre Dbes

494 views • 6 slides
Strategies for Avoiding Consumer Protection and CRA Pitfalls Carol J. Saccomonto Field Review

Strategies for Avoiding Consumer Protection and CRA Pitfalls Carol J. Saccomonto Field Review

Strategies for Avoiding Consumer Protection and CRA Pitfalls Carol J. Saccomonto Field Review Examiner Jeffrey D. Weiner Senior Compliance Examiner FDIC San Francisco Region Banker Teleconference August 5, 2009 1 Overview: Recent

514 views • 38 slides
Proof complexity and arithmetic circuits Pavel Hrube Institute of Mathematics, Prague F a fixed

Proof complexity and arithmetic circuits Pavel Hrube Institute of Mathematics, Prague F a fixed

Proof complexity and arithmetic circuits Pavel Hrube Institute of Mathematics, Prague F a fixed underlying field. Arithmetic circuit: computes a polynomial f F [ x 1 , . . . , x n ] . It starts from variables and field elements and computes

685 views • 49 slides
Avoiding Component Failures Increasing field reliability Agenda A few words about Kluber

Avoiding Component Failures Increasing field reliability Agenda A few words about Kluber

Avoiding Component Failures Increasing field reliability Agenda A few words about Kluber Lubrication Lubrication Fundamentals Tribology Oils and Greases Lubricant Selection for Bearings and Gears Bearing Failure Modes and

832 views • 79 slides
Interstate Land Sales Full Disclosure Act: Ensuring ILSA Compliance, Avoiding Contract

Interstate Land Sales Full Disclosure Act: Ensuring ILSA Compliance, Avoiding Contract

Presenting a live 90-minute webinar with interactive Q&A Interstate Land Sales Full Disclosure Act: Ensuring ILSA Compliance, Avoiding Contract Rescission, Fines and Penalties Latest Developments in CFPB Enforcement, Private Litigation and

1.23k views • 91 slides

More recommend