Finite field multiplication combining AMNS and DFT approach for - - PowerPoint PPT Presentation

Finite field multiplication combining AMNS and DFT approach for Pairing Based Cryptography

Nadia El Mrabet(1) and Christophe Negre(2)

(1) Team Arith/LIRMM, Universit´ e Montpellier 2 (2) Team DALI/ELIAUS, Universit´ e de Perpignan

Queensland University of Technology, July 2009

1 / 27

Outline

1

Pairing over Elliptic Curves Definition and Properties Implementation aspect

2

Arithmetical aspect of Pairing Based cryptography Fields used in Pairing Based Cryptography Multiplication in Fpk with Karatsuba Pairing Friendly Fields

3

Multiplication combining AMNS and DFT (Our contribution) Arithmetic modulo p in an AMNS Multiplication in Fpk with DFT

4

Complexity and conclusion

2 / 27

Outline

1

Pairing over Elliptic Curves Definition and Properties Implementation aspect

2

Arithmetical aspect of Pairing Based cryptography Fields used in Pairing Based Cryptography Multiplication in Fpk with Karatsuba Pairing Friendly Fields

3

Multiplication combining AMNS and DFT (Our contribution) Arithmetic modulo p in an AMNS Multiplication in Fpk with DFT

4

Complexity and conclusion

3 / 27

What is a pairing ?

Properties

Let G1, G2 and G3 be three groups with the same order r. A pairing is a map : e : G1 × G2 → G3 which verifies the following properties : Non degenerate ; Bilinearity ;

4 / 27

What is a pairing ?

Properties

Let G1, G2 and G3 be three groups with the same order r. A pairing is a map : e : G1 × G2 → G3 which verifies the following properties : Non degenerate ; Bilinearity ;

Consequences

∀j ∈ N, e([j]P, Q) = e(P, Q)j = e(P, [j]Q)

4 / 27

Elliptic Curve Cryptography and pairings

Cryptanalysis

Pairings was used to transporte the discrete logarithme problem from an elliptic curve sub group to a finite field.

Cryptography

Pairings allow the construction of novel protocols and simplification of existing protocols. The tri partite Diffie Hellman key exchange protocol (Joux 2001) The Identity Based Encryption (Boneh and Franklin 2001) Short signature scheme (Boneh, Lynn, Schackamm 2001) Group signatures schemes (Boneh, Schackamm, 2004)

5 / 27

Pairings used

In cryptography, four pairings are principally used : the Weil pairing, the Tate pairing, the η pairing, the Ate pairing. All of them involved computation over a finite field Fp and over Fpk an extension of this finite field.

6 / 27

Pairings over elliptic curves : Implementation aspect

The Ate pairing is computed trought the Miller’s algorithm. The complexity of one step during the Miller’s algorithm is : 2kMp + 6Spk + 7Mpk for the Ate pairing. To improve the efficiency of the pairing we can

◮ reduce the number of multiplication and addition in Fpk. ◮ improve multiplication and addition in Fpk. 7 / 27

Pairings over elliptic curves : Implementation aspect

The Ate pairing is computed trought the Miller’s algorithm. The complexity of one step during the Miller’s algorithm is : 2kMp + 6Spk + 7Mpk for the Ate pairing. To improve the efficiency of the pairing we can

◮ reduce the number of multiplication and addition in Fpk. ◮ improve multiplication and addition in Fpk. 7 / 27

Outline

1

Pairing over Elliptic Curves Definition and Properties Implementation aspect

2

Arithmetical aspect of Pairing Based cryptography Fields used in Pairing Based Cryptography Multiplication in Fpk with Karatsuba Pairing Friendly Fields

3

Multiplication combining AMNS and DFT (Our contribution) Arithmetic modulo p in an AMNS Multiplication in Fpk with DFT

4

Complexity and conclusion

8 / 27

Finite fields used in pairings evaluation

The field Fp

◮ is the set of integer modulo a prime p ≥ 2160 . ◮ The curve with fixed embedding degree k are constructed with the

Complex Multiplication method.

◮ Consequence, the prime p cannot be chosen freely and do not have

peculiar property.

◮ The multiplication modulo p is done with generic algorithm

(Montgomery, Barett).

The field Fpk

◮ It is the set of polynomials Fp[X] modulo an irreducible polynomial P

• f degree k.

◮ k is in the interval [6, 32] such that pk ≥ 21024. ◮ P = X k − µ where µ is small and as much as possible a power of 2. 9 / 27

Multiplication in Fpk with Karatsuba

We want to compute U(X) × V (X) mod (X k − µ) where k = 2s

10 / 27

Multiplication in Fpk with Karatsuba

We want to compute U(X) × V (X) mod (X k − µ) where k = 2s

• Multiplication. We first compute W = U × V .

1 We split U and V into two parts

U = U0 + X k/2U1, V = V0 + X k/2V1

2 We compute recursivelly

W0 = U0V0, W2 = U1V1, W1 = (U0 + U1)(V0 + V1) − W0 − W2.

3 We deduce W = W0 + X k/2W1 + X kW2 which is equal to U × V . 10 / 27

Multiplication in Fpk with Karatsuba

• Reduction. The reduction modulo X k − µ of W is done as follows

k−1

• i=0

wiX i

• + µ

2k−2

• i=k

wiX i−k

• .

Toom-Cook-3 approach works like Karatsuba but with decomposition in 3 parts.

11 / 27

Pairing-Friendly Fields

Definition Fqk is a pairing friendly field if p ≡ 1 mod(12) & k = 2i.3j. Theorem Fpk a pairing friendly field, β neither a square or a cube in Fp. Then X k − β irreducible over Fp. Consequences Fpk can be constructed as a tower of quadratic and cubic extensions. ⇒ a perceptible reduction of the cost of a multiplication in Fpk. The cost of one multiplication is equal to 3i5j multiplications in Fp.

12 / 27

Outline

1

Pairing over Elliptic Curves Definition and Properties Implementation aspect

2

Arithmetical aspect of Pairing Based cryptography Fields used in Pairing Based Cryptography Multiplication in Fpk with Karatsuba Pairing Friendly Fields

3

Multiplication combining AMNS and DFT (Our contribution) Arithmetic modulo p in an AMNS Multiplication in Fpk with DFT

4

Complexity and conclusion

13 / 27

Adapted Modular Number System

Classical representation a =

n−1

• i=0

aiβi with ai ∈ {0, . . . , β − 1}. Example :for β = 8 we have a = 1315 = [2, 4, 4, 3]8 ,i.e., a = 2 × 83 + 4 × 82 + 4 × 8 + 3.

14 / 27

Adapted Modular Number System

Classical representation a =

n−1

• i=0

aiβi with ai ∈ {0, . . . , β − 1}. Example :for β = 8 we have a = 1315 = [2, 4, 4, 3]8 ,i.e., a = 2 × 83 + 4 × 82 + 4 × 8 + 3. Representation in AMNS : let 0 < γ < p and n > 0 a =

n−1

• i=0

aiγi mod p with ai < p1/n. and γ satisfies γn = λ mod p with λ small. We will note a(t) =

n−1

• i=0

aiti in polynomial form the AMNS representation of a.

14 / 27

AMNS example

Let p = 17 and n = 3 and γ = 7. γ0 = 1 mod p, γ1 = 7 mod p, γ2 = 15 mod p. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

15 / 27

AMNS example

Let p = 17 and n = 3 and γ = 7. γ0 = 1 mod p, γ1 = 7 mod p, γ2 = 15 mod p. 1 2 3 4 5 1 6 7 8 9 10 11 12 13 14 15 16 − 1

15 / 27

AMNS example

Let p = 17 and n = 3 and γ = 7. γ0 = 1 mod p, γ1 = 7 mod p, γ2 = 15 mod p. 1 2 3 4 5 1 6 7 8 9 10 11 − 1 + γ γ 1 + γ 12 13 14 15 16 − 1

15 / 27

AMNS example

Let p = 17 and n = 3 and γ = 7. γ0 = 1 mod p, γ1 = 7 mod p, γ2 = 15 mod p. 1 2 3 4 5 1 6 7 8 9 10 11 − 1 + γ γ 1 + γ 12 13 14 15 16 − 1 + γ2 γ2 − 1

15 / 27

AMNS example

Let p = 17 and n = 3 and γ = 7. γ0 = 1 mod p, γ1 = 7 mod p, γ2 = 15 mod p. 1 2 3 4 5 1 − γ2 1 − γ2 6 7 8 9 10 11 − 1 + γ γ 1 + γ − γ − 1 − γ − γ + 1 12 13 14 15 16 − 1 + γ2 γ2 − 1

15 / 27

AMNS example

Let p = 17 and n = 3 and γ = 7. γ0 = 1 mod p, γ1 = 7 mod p, γ2 = 15 mod p. 1 2 3 4 5 1 − γ2 1 − γ2 − 1 + γ + γ2 γ + γ2 6 7 8 9 10 11 − 1 + γ γ 1 + γ − γ − 1 − γ − γ + 1 12 13 14 15 16 − γ − γ2 1 − γ − γ2 − 1 + γ2 γ2 − 1

15 / 27

Lattice related to an AMNS

The set L = {a(t) ∈ Z[t] t.q. deg a(t) < n et a(γ) = 0 mod p} is a lattice of rank n. The row of the following matrix form a basis of a lattice B =          p . . . −γ 1 . . . −γ2 1 . . . . . . ... . . . −γn−2 . . . 1 −γn−1 . . . 1          ← p ← t − γ ← t2 − γ2 . . . ← tn−2 − γn−2 ← tn−1 − γn−1 . There exists a polynomial m(t) such that m(γ) = 0 and m∞ ≤ p1/n.

16 / 27

Lattice related to an AMNS

p1/n p1/n p2/n p2/n

17 / 27

Lattice related to an AMNS

ρ ρ 2ρ2|λ| 2ρ2|λ| m

There exist m ∈ L such that m∞ ≤ p1/n

17 / 27

Lattice related to an AMNS

ρ p1/n ρ2/n p2/n a b

17 / 27

Lattice related to an AMNS

ρ ρ λρ2 λρ2 a b ˜ c

17 / 27

Lattice related to an AMNS

p1/n p1/n p2/n p2/n c

c = a × b mod tn − λ satisfies c∞ ≤ np2/n

17 / 27

Lattice related to an AMNS

p1/n p1/n p2/n p2/n c

17 / 27

Lattice related to an AMNS

ρ ρ ρ2 ρ2 c ˜ c

r satisfait r∞ ≤ np1/n and represents r = a × b mod p

17 / 27

Coefficients reduction with a Montgomery approach (Plantard-Negre 07)

Idea : using a short polynomial m(t) of the lattice to kill the lower part of the coefficients. Let ℓ such that 2ℓ ∼ = p1/n

1 q ← a × b × m−1 mod (tn − λ, 2ℓ) 2 r ← ((a × b − q × m mod tn − λ)/2ℓ 18 / 27

Coefficients reduction with a Montgomery approach (Plantard-Negre 07)

Idea : using a short polynomial m(t) of the lattice to kill the lower part of the coefficients. Let ℓ such that 2ℓ ∼ = p1/n

1 q ← a × b × m−1 mod (tn − λ, 2ℓ) 2 r ← ((a × b − q × m mod tn − λ)/2ℓ

We have an algorithm similar to classical Montgomery algorithm, and with similar efficiency. The arithmetic over Fp using an AMNS representation is efficient.

18 / 27

Multiplication dans Fpk

Let U(X), V (X) ∈ Fp[X] with degree k − 1, on compute the product of U and V as follows

1 Polynomial multiplication W (X) = U(X) × V (X), using

multi-evaluation/interpolation approach.

2 The reduction modulo X n − µ is easily done. 19 / 27

Polynomial multiplication with multi-evaluation

We fix n ≥ 2k − 1 distinct elements α0, . . . , αn−1 in Fp.

20 / 27

Polynomial multiplication with multi-evaluation

We fix n ≥ 2k − 1 distinct elements α0, . . . , αn−1 in Fp.

1 Multi-evaluations. Let U(X) and V (X) with degree k − 1. We

compute ˆ U = (U(α0), . . . , U(αn−1)) ˆ V = (V (α0), . . . , V (αn−1)) which is done through a matrix-vector product ˆ U =      1 α1 · · · αk−1

1

1 α2 · · · αk−1

2

. . . . . . 1 αn · · · αk−1

n

     ·      u0 u1 . . . uk−1      .

20 / 27

Polynomial multiplication with multi-evaluation

We fix n ≥ 2k − 1 distinct elements α0, . . . , αn−1 in Fp.

1 Multi-evaluations. Let U(X) and V (X) with degree k − 1. We

compute ˆ U = (U(α0), . . . , U(αn−1)) ˆ V = (V (α0), . . . , V (αn−1)) which is done through a matrix-vector product ˆ U =      1 α1 · · · αk−1

1

1 α2 · · · αk−1

2

. . . . . . 1 αn · · · αk−1

n

     ·      u0 u1 . . . uk−1      .

2 Term by term Multiplications.

ˆ W = (ˆ u0 × ˆ v0, ˆ u1 × ˆ v1, . . . , ˆ un−1 × ˆ vn−1).

20 / 27

Polynomial multiplication with multi-evaluation

We fix n ≥ 2k − 1 distinct elements α0, . . . , αn−1 in Fp.

1 Multi-evaluations. Let U(X) and V (X) with degree k − 1. We

compute ˆ U = (U(α0), . . . , U(αn−1)) ˆ V = (V (α0), . . . , V (αn−1)) which is done through a matrix-vector product ˆ U =      1 α1 · · · αk−1

1

1 α2 · · · αk−1

2

. . . . . . 1 αn · · · αk−1

n

     ·      u0 u1 . . . uk−1      .

2 Term by term Multiplications.

ˆ W = (ˆ u0 × ˆ v0, ˆ u1 × ˆ v1, . . . , ˆ un−1 × ˆ vn−1).

3 Interpolation. We get back to the polynomial form of W with

interpolation in αi.

20 / 27

Using DFT

We choose α a primitive n-th root of unity and αi = αi.

21 / 27

Using DFT

We choose α a primitive n-th root of unity and αi = αi. The multi-evaluation uses the matrix Ω =        1 1 1 · · · 1 1 α α2 · · · αn−1 1 α2 α4 · · · α(n−1)2 . . . . . . 1 αn−1 α2(n−1) · · · α(n−1)(n−1)        (1)

21 / 27

Using DFT

We choose α a primitive n-th root of unity and αi = αi. The multi-evaluation uses the matrix Ω =        1 1 1 · · · 1 1 α α2 · · · αn−1 1 α2 α4 · · · α(n−1)2 . . . . . . 1 αn−1 α2(n−1) · · · α(n−1)(n−1)        (1) The interpolation if α′ = αn−1, uses the matrix Ω−1 = 1 n        1 1 1 · · · 1 1 α′ α′2 · · · α′n−1 1 α′2 α′4 · · · α′(n−1)2 . . . . . . 1 α′n−1 α′2(n−1) · · · α′(n−1)(n−1)        (2)

21 / 27

Using DFT

We choose α a primitive n-th root of unity and αi = αi. The multi-evaluation uses the matrix Ω =        1 1 1 · · · 1 1 α α2 · · · αn−1 1 α2 α4 · · · α(n−1)2 . . . . . . 1 αn−1 α2(n−1) · · · α(n−1)(n−1)        (1) The interpolation if α′ = αn−1, uses the matrix Ω−1 = 1 n        1 1 1 · · · 1 1 α′ α′2 · · · α′n−1 1 α′2 α′4 · · · α′(n−1)2 . . . . . . 1 α′n−1 α′2(n−1) · · · α′(n−1)(n−1)        (2) In other words, there are only multiplications by αi.

21 / 27

Combination of AMNS and DFT

For the AMNS we choose n = k, γ such that γn = −1, α = γ a primitive 2k-th root of unity in Fp. Consequences The multiplication by γi is a simple cyclic shift aγj = (n−1

i=0 aiti)tj

mod tn + 1 = (j−1

i=0 −an−j+iti) + (n−1 i=j ai−jti).

The multiplication by Ω and Ω−1 requires only additions in Fp.

22 / 27

Outline

1

Pairing over Elliptic Curves Definition and Properties Implementation aspect

2

Arithmetical aspect of Pairing Based cryptography Fields used in Pairing Based Cryptography Multiplication in Fpk with Karatsuba Pairing Friendly Fields

3

Multiplication combining AMNS and DFT (Our contribution) Arithmetic modulo p in an AMNS Multiplication in Fpk with DFT

4

Complexity and conclusion

23 / 27

Complexity

Cost of the approach of Karatsuba-Toom-Cook : for k = 2i3j this requires 3i5j multiplications. Cost of the approach AMNS-DFT : it requires 2k multiplications.

24 / 27

Table: Complexity comparison for practical extension degree k Method k Cost of MultFpk # Add. in Fp # Mult. in Fp Karatsuba/Toom-Cook (Friendly Field) 6 60 15 Karatsuba/Toom-Cook (Friendly Field) 8 72 27 Our approach with FFT and E = t8 + 1 8 192 16 Karatsuba/Toom-Cook (Friendly Field) 9 160 25 Our approach with FFT and E = t8 + 1 9 208 18 Our approach with FFT and E = t8 + 1 10 240 23 Our approach with E = 10

i=0(−t)i

11 902 22 Karatsuba/Toom-Cook (Friendly Field) 12 180 45 Our approach with E = 10

i=0(−t)i

12 1408 24 Our approach with E = 10

i=0(−t)i

13 1430 28 Karatsuba/Toom-Cook (Friendly Field) 16 248 81 Our approach with FFT and E = t16 + 1 16 480 32 Our approach with FFT and E = t16 + 1 17 512 34 Our approach with FFT and E = t16 + 1 18 576 39 Karatsuba/Toom-Cook (Friendly Field) 18 480 75

25 / 27

Conclusion

We have presented a method combining AMNS and DFT for multiplication in Fpk. The theoretical results show that our approach seems interisting. Implementation (work in progress), will take in account the small

• vercost due to AMNS and additions, it will show if it is interesting in

practice.

26 / 27

Thank you for your attention. Any question ?

27 / 27