
Implementing Cryptographic Pairings


Presentation Transcript


  1. Implementing Cryptographic Pairings Parshuram Budhathoki FAU October 25, 2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

  2. Outline • Motivation: Diffie-Hellman key exchange • What is a pairing? • Divisors • Tate pairings • Miller’s algorithm for the Tate pairing • Optimization

  3. Diffie-Hellman Key Exchange: Alice, Bob and Charlie want to communicate. How can they share a key? [Diagram: Alice, Bob, Charlie.]

  4. Diffie-Hellman two-party key exchange. [Diagram: Alice and Bob, with exponents $y$ and $x$, in the group $G = \langle g \rangle$.]

  5. Diffie-Hellman two-party key exchange. [Diagram: Alice and Bob (exponents $y$, $x$) exchange $g^y$ and $g^x$ and compute $g^{yx}$ and $g^{xy}$.] Common key $= g^{yx}$. Needs a single round.

  6. Diffie-Hellman three-party key exchange. [Diagram: Alice, Bob and Charlie, with exponents $y$, $x$ and $z$, each holding $g$.]

  7. Diffie-Hellman three-party key exchange. [Diagram, first round: $g^y$, $g^x$ and $g^z$ are passed between Alice, Bob and Charlie (exponents $y$, $x$, $z$).]

  8. Diffie-Hellman three-party key exchange. [Diagram: $g^{xz}$, $g^{yz}$ and $g^{xy}$ shown with Alice, Bob and Charlie (exponents $y$, $x$, $z$).]

  9. Diffie-Hellman three-party key exchange. [Diagram, second round: $g^{xy}$, $g^{xz}$ and $g^{yz}$ are passed between Alice, Bob and Charlie (exponents $y$, $x$, $z$).]

  10. Diffie-Hellman three-party key exchange. [Diagram: Alice, Bob and Charlie (exponents $y$, $x$, $z$) hold $g^{xzy}$, $g^{yzx}$ and $g^{xyz}$.] Common key $= g^{zyx} = g^{xzy} = g^{zxy}$.

  11. Does a one-round protocol for three-party key exchange exist? To answer this question we need a special function.

  12. Pairings: Let $(G,+)$ and $(V,\cdot)$ denote cyclic groups of prime order $\ell$, let $P \in G$ be a generator of $G$, and let $e: G \times G \to V$ be a pairing which satisfies the following additional properties:
      1) Bilinearity: $\forall P, Q, R \in G$ we have $e(P+R, Q) = e(P,Q)\, e(R,Q)$ and $e(P, R+Q) = e(P,R)\, e(P,Q)$.
      2) Non-degeneracy: there exist $P, Q \in G$ such that $e(P,Q) \neq 1$.
      3) $e$ is efficiently computable.

  13. One-round three-party key exchange (Joux, 2000). Let $G = \langle P \rangle$ be an additive group. [Diagram: Alice, Bob and Charlie hold $a$, $b$ and $c$; the values $aP$, $bP$ and $cP$ are exchanged; the labels $e(bP, cP)^a$, $e(aP, cP)^b$ and $e(bP, aP)^c$ appear.]

  14. Torsion Points:
      • Let $E : y^2 - (x^3 + Ax + B) = 0$ be an elliptic curve over the finite field $\mathbb{F}_q$.
      • $E(\mathbb{F}_q) = \{ (x,y) \mid x,y \in \mathbb{F}_q \} \cup \{ \infty \}$
      • Here $\infty$ is the point at infinity; these points form an additive group with $\infty$ being the group identity.
      • Let $\ell$ be a prime satisfying:
        • $\ell \mid \#E(\mathbb{F}_q)$
        • $\ell$ doesn’t divide $q-1$
        • $\ell$ and $q$ are co-prime

  15. Torsion Points: Then for some integer $k$, $E(\mathbb{F}_{q^k})$ contains $\ell^2$ points of order $\ell$ if and only if $\ell \mid q^k - 1$.
      Let $E[\ell]$ denote the set of these $\ell^2$ order-$\ell$ points, which are called torsion points.*
      $E[\ell] = \{ P \in E(\mathbb{F}_{q^k}) : \ell P = \infty \}$
      * Beyond scope of presentation

  16. Function on Elliptic Curve: Let $E$ be an elliptic curve over a field $K$.
      A non-zero rational function $f \in \bar{K}(E)^*$ is defined at a point $P \in E(\bar{K}) \setminus \{\infty\}$ if
      => $f = g / h$, for $g$ and $h \in K(E)$
      => $h(P) \neq 0$
      $f$ is said to have:
      => a zero at point $P$ if $f(P) = 0$
      => a pole at point $P$ if $f(P) = \infty$ (or $1/f(P) = 0$)

  17. Function on Elliptic Curve:
      • There is a function $u_P$, called a uniformizer at $P$, such that $u_P(P) = 0$.
      • Every function $f(x, y)$ can be written in the form $f = u_P^r\, g$, with $r \in \mathbb{Z}$ and $g(P) \neq 0, \infty$.
      • Order of $f$ at $P$ $= r$: $\operatorname{ord}_P(f) = r$.
      • If $l$ is any line through $P$ that is not tangent to $E$, then $l$ is a uniformizing parameter for $P$.

  18. Divisors: Up to a constant multiple, a rational function is uniquely determined by its zeros and poles. A divisor is a tool to record these special points of a function. For each $P \in E$, define a formal symbol $(P)$. Here $E = E(\bar{K})$.

  19. Divisors: A divisor $D$ is a “formal” sum of points:
      $D = \sum_{P \in E} n_P\,(P)$
      where $n_P \in \mathbb{Z}$ and $n_P = 0$ for all but finitely many $P \in E$.
      $\operatorname{Div}(E)$ denotes the group of divisors of $E$, which is the free abelian group generated by the points of $E$, where addition is given by
      $\sum_{P \in E} n_P\,(P) + \sum_{P \in E} m_P\,(P) = \sum_{P \in E} (n_P + m_P)(P)$

  20. Divisors:
      The support of a divisor $D$ is $\operatorname{supp}(D) = \{ P \in E \mid n_P \neq 0 \}$.
      The degree of a divisor $D$ is $\deg(D) = \sum_{P \in E} n_P$.
      $\operatorname{Div}^0(E)$ is the subgroup, of divisors of degree 0, of $\operatorname{Div}(E)$.
      The sum of a divisor $D$ is $\operatorname{sum}(D) = \sum_{P \in E} n_P\, P$.
      A divisor $D$ with $\deg(D) = 0$ is called a principal divisor.

  21. Divisor of function:
      • The number of zeros and poles of a rational function $f$ is finite.
      • We can define the divisor of a function $f$ as
      • $\operatorname{div}(f) = \sum \operatorname{ord}_P(f)\,[P]$
      • $\operatorname{div}(f) = 0$ iff $f$ is constant
      • A principal divisor is a divisor which is equal to $\operatorname{div}(f)$ for some function $f$.
      $\operatorname{div}(f)$ records the zeros and poles of $f$ and their multiplicities.

  22. Divisor of function: Let $D$ be a divisor:
      $D = \sum_{P \in E} n_P\,(P)$
      Then the evaluation of $f$ in $D$ is defined by:
      $f(D) = \prod_{P \in \operatorname{supp}(D)} f(P)^{n_P}$

  23. Tate Pairing: Let $P \in E(\mathbb{F}_{q^k})[\ell]$; then $\ell(P) - \ell(\infty)$ is a principal divisor.
      There is a rational function $f_{\ell,P} \in \mathbb{F}_{q^k}(E)$ with $\operatorname{div}(f_{\ell,P}) = \ell(P) - \ell(\infty)$.
      Let $Q$ be a point representing a coset in $E(\mathbb{F}_{q^k}) / \ell E(\mathbb{F}_{q^k})$.
      We construct $D_Q \in \operatorname{Div}(E)$ such that:
      => $D_Q \sim (Q) - (\infty)$
      => $\operatorname{supp}(D_Q) \cap \operatorname{supp}(\operatorname{div}(f_{\ell,P})) = \emptyset$

  24. Tate Pairing: The Tate pairing
      $e : E(\mathbb{F}_{q^k})[\ell] \times E(\mathbb{F}_{q^k}) / \ell E(\mathbb{F}_{q^k}) \to \mathbb{F}_{q^k}^* / (\mathbb{F}_{q^k}^*)^{\ell}$
      is given by: $e(P, Q) = f_{\ell,P}(D_Q)$

  25. Tate Pairing • $e$ doesn’t depend on the choice of $f_{\ell,P}$ • $e$ doesn’t depend on the choice of $D_Q$ • $e$ is well defined • $e$ satisfies non-degeneracy • $e$ satisfies bilinearity

  26. Miller’s algorithm for the Tate pairing: [Diagram: the points $[a]P$, $[b]P$, $-[a+b]P$ and $[a+b]P$ on the curve.]

  27. Miller’s algorithm for the Tate pairing: [Diagram: the points $[a]P$, $[b]P$, $-[a+b]P$ and $[a+b]P$ with the lines $g_{[a]P,[b]P}$ and $v_{[a+b]P}$.] Let $g_{[a]P,[b]P}$ be the line passing through $[a]P$ and $[b]P$, and $v_{[a+b]P}$ be the vertical line passing through $[a+b]P$.

  28. Miller’s algorithm for the Tate pairing: [Diagram: the points $[a]P$, $[b]P$, $-[a+b]P$ and $[a+b]P$.] Then
      $\operatorname{div}(g_{[a]P,[b]P}) = [a]P + [b]P + [-(a+b)]P - 3[\infty]$
      $\operatorname{div}(v_{[a+b]P}) = [a+b]P + [-(a+b)]P - 2[\infty]$

  29. Miller’s algorithm for the Tate pairing:
      $\operatorname{div}(f / g) = \operatorname{div}(f) - \operatorname{div}(g)$
      $\operatorname{div}(f g) = \operatorname{div}(f) + \operatorname{div}(g)$

  30. Miller’s algorithm for the Tate pairing:
      Input: $P \in E(\mathbb{F}_{q^k})$, $Q \in E(\mathbb{F}_{q^k})$, where $P$ has order $\ell$
      Output: $e(P, Q)$
      1. $T = P$, $f = 1$
      2. for $i = \lfloor \log_2(\ell) \rfloor - 1$ to $0$:
           $f = f^2 \cdot g_{T,T}(Q) / v_{2T}(Q)$, $T = 2T$
           if $\ell_i = 1$ then $f = f \cdot g_{T,P}(Q) / v_{T+P}(Q)$, $T = T + P$
      3. $f = f^{(q^k - 1)/\ell}$
      4. return $f$

  31. Miller’s algorithm for the Tate pairing: Example:
      Let $E(\mathbb{F}_{11}) : y^2 = x^3 + 3x$, with $\#E(\mathbb{F}_{11}) = 12$. Choose $\ell = 6$, then $k = 2$.
      If $P = (1,9)$ and $Q = (8+7i, 10+6i)$, find $e(P,Q)$.
      $\ell = 6 \Rightarrow (\ell_2, \ell_1, \ell_0) = (1, 1, 0)_2$
      $T = (1,9)$
      for $i = 1$: $g_{T,T} = y + 7x + 6$ and $g_{2T} = x + 8$
      $g_{T,T}(Q) = 6$ and $g_{2T}(Q) = 5 + 7i$

  32. Miller’s algorithm for the Tate pairing: Example:
      $f = 1^2 \cdot \frac{6}{5+7i} = 1 + 3i$
      $T = [2](1, 9) = (3, 5)$
      Since $\ell_1 = 1$: $g_{T,P} = y + 2x$ and $g_{T+P} = x$
      $g_{T,P}(Q) = 4 + 9i$ and $g_{T+P}(Q) = 8 + 7i$
      And $T = (3,5) + (1,9) = (0,0)$
      Thus $f = (1+3i) \cdot \frac{4+9i}{8+7i} = 8 + 10i$

  33. Miller’s algorithm for the Tate pairing: Example:
      for $i = 0$: $g_{T,T} = x$ and $g_{2T} = 1$
      Then $g_{T,T}(Q) = 8 + 7i$ and $g_{2T}(Q) = 1$, and $T = 2(0,0) = \infty$
      Thus $f = (8+10i)^2 \cdot \frac{8+7i}{1} = 5i$
      $f = f^{(121-1)/6} = 1 \bmod 11$

  34. Optimization of Miller’s loop for Tate pairing. Miller’s algorithm fails if the line functions $g_{T,T}$ and $v_{2T}$ pass through $Q$; therefore choose $P$ and $Q$ from particular disjoint groups. For further optimization: choose $\ell$ to have low Hamming weight; choose $P$ from $E(\mathbb{F}_p)$.

  35. Optimization of Miller’s loop for Tate pairing. From here:
      => $k$ is even, i.e. $k = 2d$, where $d$ is a positive integer
      => $q = p$, some prime
      => $p \equiv 3 \bmod 4$
      => $\ell$ divides $(p^d + 1)$
      Therefore the final exponentiation can now be written as $f^{(p^d - 1)(p^d + 1)/\ell}$.

  36. Optimization of Miller’s loop for Tate pairing.
      Input: $P \in E(\mathbb{F}_{q^k})$, $Q \in E(\mathbb{F}_{q^k})$, where $P$ has order $\ell$
      Output: $e(P, Q)$
      1. $T = P$, $f = 1$
      2. for $i = \lfloor \log_2(\ell) \rfloor - 1$ to $0$:
           $f = f^2 \cdot g_{T,T}(Q) / v_{2T}(Q)$, $T = 2T$
           if $\ell_i = 1$ then $f = f \cdot g_{T,P}(Q) / v_{T+P}(Q)$, $T = T + P$
      3. $f = f^{(p^d - 1)}$
      4. $f = f^{(p^d + 1)/\ell}$
      5. return $f$

  37. Optimization of Miller’s loop for Tate pairing.
      $k$ is even => $\mathbb{F}_{p^k}$ is a quadratic extension of $\mathbb{F}_{p^d}$.
      Since $p \equiv 3 \bmod 4$ => $x^2 + 1$ is an irreducible polynomial.
      $w \in \mathbb{F}_{p^k}$ can be represented as $w = a + ib$, where $a, b \in \mathbb{F}_{p^d}$.
      $\bar{w}$ = conjugate of $w$ = $a - ib$
      Using Frobenius:
      => $(a + ib)^{p^d} = (a - ib)$
      => $(1/(a + ib))^{p^d - 1} = (a - ib)^{p^d - 1}$

  38. Optimization of Miller’s loop for Tate pairing.
      Input: $P \in E(\mathbb{F}_{q^k})$, $Q \in E(\mathbb{F}_{q^k})$, where $P$ has order $\ell$
      Output: $e(P, Q)$
      1. $T = P$, $f = 1$
      2. for $i = \lfloor \log_2(\ell) \rfloor - 1$ to $0$:
           $f = f^2 \cdot g_{T,T}(Q) \cdot \bar{v}_{2T}(Q)$, $T = 2T$
           if $\ell_i = 1$ then $f = f \cdot g_{T,P}(Q) \cdot \bar{v}_{T+P}(Q)$, $T = T + P$
      3. $f = f^{(p^d - 1)}$
      4. $f = f^{(p^d + 1)/\ell}$
      5. return $f$

  39. Optimization of Miller’s loop for Tate pairing. Choice of $Q$: We have $Q = (x, y)$ where $x = a + ib$ and $y = c + id$ and $a, b, c, d \in \mathbb{F}_{p^d}$. Choose $b = c = 0$. Now $\bar{v}_{2T}$ and $\bar{v}_{T+P}$ are elements of $\mathbb{F}_{p^d}$, which means they will be wiped out by the final exponentiation. This is called the denominator-elimination optimization.

  40. Optimization of Miller’s loop for Tate pairing.
      Input: $P \in E(\mathbb{F}_{q^k})$, $Q \in E(\mathbb{F}_{q^k})$, where $P$ has order $\ell$
      Output: $e(P, Q)$
      1. $T = P$, $f = 1$
      2. for $i = \lfloor \log_2(\ell) \rfloor - 1$ to $0$:
           $f = f^2 \cdot g_{T,T}(Q) \cdot \bar{v}_{2T}(Q)$, $T = 2T$
           if $\ell_i = 1$ then $f = f \cdot g_{T,P}(Q) \cdot \bar{v}_{T+P}(Q)$, $T = T + P$
      3. $f = f^{(p^d - 1)}$
      4. $f = f^{(p^d + 1)/\ell}$
      5. return $f$

  41. Optimization of Miller’s loop for Tate pairing.
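
The loop of slide 30 and the denominator elimination of slides 37-39, run on the curve of slide 31, as an added Python example that is not part of the original presentation. The helper names, the pair encoding of a + bi and the point `Q_ELIM` (constructed here so that b = c = 0) are assumptions of this example.

```python
# Added example, not from the slides. F_{p^2} = F_p(i) with i^2 = -1;
# the element a + b*i is stored as the pair (a, b).
p, A = 11, 3                      # slide 31 curve: y^2 = x^3 + 3x over F_11

def mul(u, v):
    return ((u[0]*v[0] - u[1]*v[1]) % p, (u[0]*v[1] + u[1]*v[0]) % p)

def inv(u):                       # 1/u = conj(u) / (a^2 + b^2)
    n = pow(u[0]*u[0] + u[1]*u[1], -1, p)
    return (u[0]*n % p, -u[1]*n % p)

def fpow(u, e):                   # square-and-multiply in F_{p^2}
    r = (1, 0)
    while e:
        if e & 1:
            r = mul(r, u)
        u, e = mul(u, u), e >> 1
    return r

def step(T, R, Q):
    """Return (T + R, g_{T,R}(Q), v_{T+R}(Q)); T, R in E(F_p), None = infinity."""
    (x1, y1), (x2, y2), (xq, yq) = T, R, Q
    if x1 == x2 and (y1 + y2) % p == 0:       # vertical line: T + R = infinity
        return None, ((xq[0] - x1) % p, xq[1]), (1, 0)
    lam = ((3*x1*x1 + A) * pow(2*y1, -1, p) if T == R
           else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (lam*lam - x1 - x2) % p
    y3 = (lam*(x1 - x3) - y1) % p
    g = ((yq[0] - y1 - lam*(xq[0] - x1)) % p, (yq[1] - lam*xq[1]) % p)
    return (x3, y3), g, ((xq[0] - x3) % p, xq[1])

def tate(P, Q, ell, denominators=True):
    """Slide 30 loop; denominators=False drops every division by v (slide 39)."""
    T, f = P, (1, 0)
    for bit in bin(ell)[3:]:                  # bits of ell below the leading 1
        T, g, v = step(T, T, Q)               # doubling step
        f = mul(mul(f, f), mul(g, inv(v)) if denominators else g)
        if bit == "1":
            T, g, v = step(T, P, Q)           # addition step
            f = mul(f, mul(g, inv(v)) if denominators else g)
    return fpow(f, (p*p - 1) // ell)          # final exponentiation, k = 2

P = (1, 9)                                    # slide 31
Q_SLIDE = ((8, 7), (10, 6))                   # slide 31: (8+7i, 10+6i)
Q_ELIM = ((10, 0), (0, 9))                    # constructed: x in F_11, y in i*F_11

if __name__ == "__main__":
    print(tate(P, Q_SLIDE, 6), tate(P, Q_ELIM, 6), tate(P, Q_ELIM, 6, False))
```

Run on slide 31's inputs, the loop reproduces 2T = (3, 5), f = 1 + 3i and T + P = (0, 0) from slides 31-32; its addition step then evaluates to 6 + 7i where slide 32 lists 8 + 10i (in F_121, (4 + 9i)/(8 + 7i) = 6), so `tate(P, Q_SLIDE, 6)` returns 5 + 3i. For `Q_ELIM` the result is the same with and without the divisions, while for `Q_SLIDE`, whose x-coordinate is not in F_11, dropping them changes the result to 1.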
