The Realm of the Pairings Paulo S. L. M. Barreto Prolegomena - PowerPoint PPT Presentation



  1. The Realm of the Pairings Paulo S. L. M. Barreto

  2. Prolegomena
  - Thanks to the organizers of SAC 2013 for the invitation!
  - Accompanying paper: joint work with D. Aranha, P. Longa and J. Ricardini.
  - "I know I'm speaking in a marvelous accent without the slightest English" – Viktor Frankl, 1972.
  - Hard task ahead: very first talk, to a very heterogeneous audience!

  3. Cold start
  - Tax payment authentication.
  - Government of São Paulo, Brazil.
  - > 40 × 10^6 inhabitants, 1/3 of GDP.
  - Old system (before 2001):
    - Mechanical, non-cryptographic authentication system (authenticating printer).
    - Manual verification, requiring a trusted user.
    - Frauds!
  - Government admitted to 5% [sic] of tax payment evasion out of a $500 × 10^6 gross monthly tax revenue (for just one type of tax, namely, car licensing).
  - New system needed!

  4. Requirements
  - Automatic process, without manual intervention.
  - Open specification, unencumbered by patents.
  - Public-key scheme with security level roughly equivalent to RSA-1024.
  - Authentication tag must be printable on two alphanumerical lines (320 bits).
    - Half of the available space is occupied by context information (user id, bank id, amount paid, date, etc.).
  - About 2 to 4 × 10^6 authentications a month must be handled on a single Pentium II 450 MHz PC.
  - Not for the faint of heart.

  5. Assessment
  - 160-bit signatures: ECDSA would just not do.
  - Available options at the time: CFS, Quartz, OP/BLS (preprint).
  - Would any of these be acceptable?

  6. Assessment
  - CFS:
    - Very slow to generate (no more than ~4 × 10^4 sigs/month on target platform).
  - Quartz:
    - Unknown security (now broken).
    - Covered by patents.
  - OP/BLS:
    - No patents.
    - Formal proof of security (under the gap Diffie-Hellman assumption).
    - Reported efficiency at the time scaled to ~4 × 10^5 sigs/month on target platform.

  7. Solution and results
  - The pairing-based OP/BLS scheme was the only plausible choice, though performance needed a boost.

  8. Solution and results
  - All reqs satisfied:
    - CPU >80% idle after improvement by B., Kim, Lynn and Scott.
    - Room for business rule improvements.
  - Government reported that frauds fell from 5% to 0% [sic], increasing tax revenue from $500 × 10^6 to... $1.5 × 10^9 [sic].
  - Still in use today – no further modification was ever needed.

  9. Bilinear maps
  - Seminal use: cryptanalysis (MOV & FR attacks).
  - Amazingly flexible tool for constructing cryptosystems with novel and useful features (Antoine Joux is one of the key researchers to blame).
  - Identity-based schemes:
    - Signatures (plain, blind, proxy, ring, undeniable, batch, ...)
    - Encryption (plain, broadcast, keyword-search capable, ...)
    - Signcryption
    - Key agreement (plain, authenticated, group, ...)
    - Hierarchical cryptosystems
    - Threshold cryptosystems (secret sharing, signatures, ...)
    - Chameleon hash and signatures
    - ...

  10. Bilinear maps
  - "Conventional" systems:
    - Access control, identification and traitor tracing
    - Credentials (anonymous, hidden, self-blindable, ...)
    - Key agreement and non-interactive key distribution
    - Encryption (strongly insulated, intrusion-resilient, ...)
    - Signatures (short, group, aggregate, ring, verifiably encrypted, blind, partially blind, proxy, undeniable, limited-verifier, ...)
    - Signcryption
    - Threshold cryptosystems (secret sharing, signatures)
    - Hierarchical and role-based cryptosystems
    - Chameleon hash and signatures
    - Certificateless and self-certified PKC
    - ...

  11. Criticism
  - "Pairings are too slow for practical consideration."
  - To what extent is this (in)correct?
  - But first, some theory (caveat: sloppy math ahead!)

  12. Bilinear maps: definition
  - Let $\mathbb{G}_1$, $\mathbb{G}_2$, and $\mathbb{G}_T$ be groups of the same order $n$, the first two usually written additively and the third one written multiplicatively.
  - A bilinear map (or pairing) is a function $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ satisfying the conditions:
    - Bilinearity: $\forall P \in \mathbb{G}_1,\ Q \in \mathbb{G}_2,\ a \in \mathbb{Z}/n\mathbb{Z} :\ e(aP, Q) = e(P, aQ) = e(P, Q)^a$.
    - Non-degeneracy: $\forall P \in \mathbb{G}_1,\ \exists Q \in \mathbb{G}_2 :\ e(P, Q) \neq 1$.
    - Efficiently computable.

  13. OP/BLS signatures
  - Setup: $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$, $H : \{0,1\}^* \to \mathbb{G}_1$, and a fixed public $Q \in \mathbb{G}_2$.
  - Key pair: $(s \xleftarrow{\$} \mathbb{Z}/n\mathbb{Z},\ V \leftarrow sQ \in \mathbb{G}_2)$.
  - Signature: $\Sigma \leftarrow sH(m) \in \mathbb{G}_1$.
  - Verification: accept $(m, \Sigma) \Leftrightarrow e(\Sigma, Q) = e(H(m), V)$.
  - Explanation: $e(\Sigma, Q) = e(sH(m), Q) = e(H(m), Q)^s = e(H(m), sQ) = e(H(m), V)$.

  14. Elliptic curves and pairings
  - Pairings of interest are certain rational functions on elliptic curves.
  - An elliptic curve is a smooth projective algebraic curve of genus 1 with at least one marked point ($\infty$).
  - Projective equation: points $[X : Y : Z]$ with $Y^2 Z + a_1 XYZ + a_3 YZ^2 = X^3 + a_2 X^2 Z + a_4 XZ^2 + a_6 Z^3$ (*)
  - Affine part equation: points $(x, y)$ with $y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$, together with an extra point at infinity, which corresponds to $Z = 0$ in the projective form.
  - Group law defined for the points of a curve (chord-and-tangent method).
  (*) actually other kinds of projective coordinates are usually adopted

  15. Projective and affine coordinates
  - Affine: $E : y^2 = x^3 + ax + b$. Projective: $E : Y^2 Z = X^3 + aXZ^2 + bZ^3$.
  - Points: $P = (x_P, y_P)$, $Q = (x_Q, y_Q)$, $R = P + Q = (x_R, y_R)$; projectively $P = [X_P : Y_P : Z_P]$, $Q = [X_Q : Y_Q : Z_Q]$, $R = P + Q = [X_R : Y_R : Z_R]$.
  - Affine addition ($P \neq \pm Q$):
    $\lambda \leftarrow (y_Q - y_P)(x_Q - x_P)^{-1}$
    $x_R \leftarrow \lambda^2 - (x_P + x_Q)$
    $y_R \leftarrow -\lambda^3 + \lambda(2x_P + x_Q) - y_P$
  - Projective addition:
    $\mu \leftarrow X_Q Z_P - X_P Z_Q$
    $\lambda \leftarrow Y_Q Z_P - Y_P Z_Q$
    $X_R \leftarrow \lambda^2 \mu Z_P Z_Q - (X_P Z_Q + X_Q Z_P)\mu^3$
    $Y_R \leftarrow -\lambda^3 Z_P Z_Q + \lambda \mu^2 (2X_P Z_Q + X_Q Z_P) - \mu^3 Y_P Z_Q$
    $Z_R \leftarrow Z_P Z_Q \mu^3$
  - The projective formulas look more complicated, but involve no inversion, and have lots of common factors.

  16. Multiplication by scalar
  - Input: $P \in E$; $r = (r_t, r_{t-1}, \ldots, r_0)_2$ with $r_t = 1$.
  - Output: $rP$.
    $A \leftarrow P$
    for $j \leftarrow t - 1$ downto $0$ do
      $A \leftarrow 2A$
      if $r_j = 1$ then
        $A \leftarrow A + P$
      end if
    end for
    return $A$
  - Called the double-and-add method, for obvious reasons.
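An added worked example (not code from the slides or their author): the affine and projective addition formulas of slide 15 and the double-and-add method of slide 16, run over a constructed toy curve $y^2 = x^3 + 2x + 3$ over $\mathbb{F}_{97}$ with base point $(3, 6)$; the inversion-free projective path is checked against the affine one by converting back to affine coordinates.

```python
# Constructed toy curve E: y^2 = x^3 + A x + B over F_p (not a cryptographic curve).
P_MOD, A, B = 97, 2, 3
INF = None  # the point at infinity

def inv(v):  # field inversion via Fermat's little theorem
    return pow(v % P_MOD, P_MOD - 2, P_MOD)

def on_curve(pt):
    return pt is INF or (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P_MOD == 0

def add(P, Q):  # affine chord-and-tangent addition: one field inversion per operation
    if P is INF or Q is INF:
        return Q if P is INF else P
    (xp, yp), (xq, yq) = P, Q
    if xp == xq:
        if (yp + yq) % P_MOD == 0:
            return INF  # Q == -P
        lam = (3 * xp * xp + A) * inv(2 * yp) % P_MOD  # tangent slope (doubling)
    else:
        lam = (yq - yp) * inv(xq - xp) % P_MOD  # chord slope, as on slide 15
    xr = (lam * lam - xp - xq) % P_MOD
    yr = (lam * (xp - xr) - yp) % P_MOD  # same as -lam^3 + lam(2xp + xq) - yp
    return (xr, yr)

def proj_add(P, Q):  # inversion-free homogeneous addition [X:Y:Z], distinct finite points
    (XP, YP, ZP), (XQ, YQ, ZQ) = P, Q
    mu = (XQ * ZP - XP * ZQ) % P_MOD  # numerator of x_Q - x_P
    lam = (YQ * ZP - YP * ZQ) % P_MOD  # numerator of y_Q - y_P
    if mu == 0 and lam == 0:
        raise ValueError("P == Q: use a doubling formula")
    XR = mu * (lam * lam * ZP * ZQ - mu * mu * (XP * ZQ + XQ * ZP)) % P_MOD
    YR = (-lam ** 3 * ZP * ZQ + lam * mu * mu * (2 * XP * ZQ + XQ * ZP)
          - mu ** 3 * YP * ZQ) % P_MOD
    ZR = mu ** 3 * ZP * ZQ % P_MOD
    return (XR, YR, ZR)

def to_affine(pt):
    X, Y, Z = pt
    return INF if Z == 0 else (X * inv(Z) % P_MOD, Y * inv(Z) % P_MOD)

def mul(r, P):  # left-to-right double-and-add over the bits of r, most significant first
    acc = INF
    for bit in bin(r)[2:]:
        acc = add(acc, acc)  # A <- 2A
        if bit == "1":
            acc = add(acc, P)  # A <- A + P
    return acc
```

Scaling a projective representative, e.g. $[15 : 30 : 5]$ for $(3, 6)$, must give the same affine sum, which is the check a practitioner runs when porting formulas between coordinate systems.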

  17. Rational maps
  - A rational map $f$ over $K$ is a function of the form $f(z) = c\,g(z)/h(z)$, where $g$ and $h$ are monic polynomials over $K$ and $c \in K$ is a constant.
  - Both $g(z)$ and $h(z)$ split over $K$:
    $g(z) = \prod_{j=1}^{s} (z - a_j)^{m_j}$, $h(z) = \prod_{k=1}^{t} (z - b_k)^{n_k}$.

  18. Rational maps
  - Assume that $\gcd(g, h) = 1$, i.e. $a_j \neq b_k$. The zeroes of $f$ are the $a_j$ with multiplicities $m_j$, and the poles of $f$ are the $b_k$ with multiplicities $-n_k$. The multiplicity of $f$ at $\infty$ is $\deg h - \deg g = \sum_k n_k - \sum_j m_j$.
  - All one needs to know to define $f$ up to the constant $c$ are its zeroes and poles with their respective multiplicities.

  19. Divisors
  - The divisor of a rational map $f$ is a tabular device to represent it: $(f) = m_1(a_1) + \ldots + m_s(a_s) - n_1(b_1) - \ldots - n_t(b_t) - (\sum_j m_j - \sum_k n_k)(\infty)$.
  - The degree of a divisor is the sum of all multiplicities. Therefore $\deg((f)) = 0$.
  - Properties: $(c) = 0$, $(fg) = (f) + (g)$, $(f/g) = (f) - (g)$.
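A worked example added here (not on the slides) applying the divisor definition to a concrete rational map over $\mathbb{Q}$, with $c = 5$, $g(z) = (z-1)^2(z-2)$, $h(z) = (z-3)^3$:

$f(z) = 5\,\dfrac{(z-1)^2 (z-2)}{(z-3)^3}$

Zeroes: $a_1 = 1$ with $m_1 = 2$, $a_2 = 2$ with $m_2 = 1$. Pole: $b_1 = 3$ with $n_1 = 3$. At $\infty$: $\deg h - \deg g = 3 - 3 = 0$. Hence

$(f) = 2(1) + (2) - 3(3) + 0(\infty), \qquad \deg((f)) = 2 + 1 - 3 + 0 = 0.$

Checking the product rule with $f_2(z) = (z-3)/(z-1)$, whose divisor is $(f_2) = (3) - (1)$ (again multiplicity $0$ at $\infty$ since $\deg h = \deg g$):

$f f_2 = 5\,\dfrac{(z-1)(z-2)}{(z-3)^2} \;\Rightarrow\; (f f_2) = (1) + (2) - 2(3),$

$(f) + (f_2) = 2(1) + (2) - 3(3) + (3) - (1) = (1) + (2) - 2(3) = (f f_2).$

The constant $5$ contributes nothing, as $(c) = 0$ says, which is why the divisor determines $f$ only up to $c$.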

  20. Divisors
  - Divisors of functions defined on the points of an elliptic curve over $\mathbb{F}_q$: such functions are rational functions of the point coordinates over the algebraic closure $\overline{\mathbb{F}}_q$.
  - General divisors are unrestricted tabular associations: $D = \sum_P m_P (P)$.
  - Not all possible divisors correspond to a function. In particular, if $\deg(D) \neq 0$ then $D$ does not correspond to a function.

  21. Divisors
  - Divisors constitute an Abelian group under pointwise coefficient addition: $\sum_P m_P (P) + \sum_P n_P (P) = \sum_P (m_P + n_P)(P)$.
  - A divisor may be huge – there are infinitely many choices of zeroes and poles. It is thus advantageous to define equivalence classes so as to keep the representation small.

  22. Divisors
  - Two divisors $D_1$ and $D_2$ are equivalent iff their difference is the divisor of a function, i.e. $D_1 \sim D_2 \Leftrightarrow D_1 - D_2 = (f)$ for some $f$.
  - The Cantor-Koblitz algorithm reduces any divisor to a uniquely defined equivalent divisor of the form $\sum_P m_P (P) - \left(\sum_P m_P\right)(\infty)$ where $\sum_P m_P \leq g$, $g$ being the curve genus.
  - Reduced divisors over elliptic curves are of the form $(P) - (\infty)$ for some $P$.
