Another Approach to Pairing Computation in Edwards Coordinates
Sorina Ionica
PRISM, Université de Versailles
joint work with Antoine Joux
Sorina Ionica Pairing Computation in Edwards Coordinates
What is a pairing?
A pairing is a map $e : G_1 \times G_1' \to G_2$ where $G_1, G_1'$ are groups of order $r$ denoted additively and $G_2$ is a group of order $r$ denoted multiplicatively, such that the following hold:
bilinear: $e(aP, Q) = e(P, aQ) = e(P, Q)^a$
nondegenerate: for every $P \in G_1$ different from $0$ there is $Q \in G_1'$ such that $e(P, Q) \ne 1$.
Pairings in Elliptic Curve Cryptography
Pairings on elliptic curves: the Weil pairing, the Tate, Ate and Eta pairings.
Applications:
one round protocol for tripartite Diffie-Hellman
identity-based encryption
short signatures
etc.
The Tate pairing. Notations.
Let $E$ be an elliptic curve over a finite field $\mathbb{F}_q$ with $q \ge 5$, i.e. $E : y^2 = x^3 + ax + b$.
Let $r \mid \#E(\mathbb{F}_q)$ and $E[r]$ the $r$-torsion subgroup, i.e. the subgroup of points of order $r$ in $E(\mathbb{F}_q)$.
If $r \mid \#E(\mathbb{F}_q)$ then $E(\mathbb{F}_q)[r]$ gives at least one component.
Embedding degree: $k$ minimal with $r \mid (q^k - 1)$.
Denote by $\mu_r \subset \mathbb{F}_{q^k}^{\times}$ the group of $r$-th roots of unity.
The Tate pairing
If $k > 1$ then $E(\mathbb{F}_{q^k})[r] = E[r]$.
Choose $P, Q \in E[r]$ and $G_1 = \langle P \rangle$, $G_1' = \langle Q \rangle$.
Take $f_{r,P}$ such that $\operatorname{div}(f_{r,P}) = r(P) - r(O)$ and $D = (Q + T) - (T)$, with $T$ such that the support of $D$ is disjoint from the support of $f_{r,P}$.
For crypto use:
$$T_r(\cdot, \cdot) : G_1 \times G_1' \to \mu_r, \qquad T_r(P, Q) = f_{r,P}(D)^{(q^k - 1)/r}.$$
Miller’s algorithm
Introduce for $i \ge 1$ functions $f_{i,P}$ such that $\operatorname{div}(f_{i,P}) = i(P) - (iP) - (i - 1)(O)$.
Note $\operatorname{div}(f_{r,P}) = r(P) - r(O)$.
Establish the Miller equation
$$f_{i+j,P} = f_{i,P}\, f_{j,P}\, \frac{l_{iP,jP}}{v_{(i+j)P}}$$
where $l_{iP,jP}$ and $v_{(i+j)P}$ are such that
$$\operatorname{div}(l_{iP,jP}) = (iP) + (jP) + (-(i+j)P) - 3(O),$$
$$\operatorname{div}(v_{(i+j)P}) = (-(i+j)P) + ((i+j)P) - 2(O).$$
Miller’s algorithm
$$f_{1,P}(D) = 1$$
$$f_{2,P}(D) = f_{1,P}(D)^2\, \frac{l_{P,P}(D)}{v_{2P}(D)}$$
$$f_{3,P}(D) = f_{1,P}(D)\, f_{2,P}(D)\, \frac{l_{P,2P}(D)}{v_{3P}(D)}$$
$$\vdots$$
$$f_{r,P}(D) = f_{r-1,P}(D)\, f_{1,P}(D)\, l_{(r-1)P,P}(D)$$
Use the double-and-add method to compute $f_{r,P}(D)$ (the Tate pairing!) in $O(\log_2 r)$ steps!
Miller’s algorithm or double-and-add
Choose a random point $T \in E(\mathbb{F}_{q^k})$ and compute $Q' = Q + T \in E(\mathbb{F}_{q^k})$.
Let $n \leftarrow \lfloor \log_2(r) \rfloor$, $K \leftarrow P$, $f \leftarrow 1$.
while $n \ge 1$
    Compute the equations of $l$ and $v$ arising in the doubling of $K$. $K \leftarrow 2K$ and $f \leftarrow f^2\, \big(l(Q')\, v(T)\big) / \big(v(Q')\, l(T)\big)$.
    if the $n$-th bit of $r$ is 1
        Compute the equations of $l$ and $v$ arising in the addition of $K$ and $P$. $K \leftarrow P + K$ and $f \leftarrow f\, \big(l(Q')\, v(T)\big) / \big(l(T)\, v(Q')\big)$.
    Let $n \leftarrow n - 1$.
end while
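As an added worked example (not from the slides), the loop above written out in Python for the curve $y^2 = x^3 + x$ of the "useful scenario" slide, but over a toy field chosen so every value can be checked by hand; the prime $q = 11$, $r = 3$, the points $P$, $Q$ and the auxiliary point $T$ are constructed assumptions, and $Q$ is obtained from $P$ with the distortion map $(x, y) \mapsto (-x, iy)$ rather than being a random point of $E[r]$:

```python
# Added example (not from the slides): slide 8's double-and-add Miller loop for the Tate
# pairing on E: y^2 = x^3 + x (slide 22) over a tiny constructed prime, so it runs by hand.
q, r, k = 11, 3, 2      # #E(F_11) = q + 1 = 12, r = 3 divides it, embedding degree k = 2
# F_{q^2} = F_q[i] with i^2 = -1 (q = 3 mod 4); a pair (a, b) stands for a + b*i.
def fadd(u, v): return ((u[0] + v[0]) % q, (u[1] + v[1]) % q)
def fsub(u, v): return ((u[0] - v[0]) % q, (u[1] - v[1]) % q)
def fmul(u, v): return ((u[0]*v[0] - u[1]*v[1]) % q, (u[0]*v[1] + u[1]*v[0]) % q)
def finv(u):            # 1/(a + bi) = (a - bi)/(a^2 + b^2), the norm inverted in F_q
    n = pow((u[0]*u[0] + u[1]*u[1]) % q, q - 2, q)
    return ((u[0]*n) % q, (-u[1]*n) % q)
def fpow(u, e):
    acc = (1, 0)
    while e:
        if e & 1: acc = fmul(acc, u)
        u, e = fmul(u, u), e >> 1
    return acc

def chord(A, B):
    """Chord-and-tangent addition of affine points A, B != O; returns (A + B, slope or None)."""
    if A[0] == B[0] and (A[1] != B[1] or A[1] == (0, 0)):
        return None, None                                  # vertical line, A + B = O
    if A == B:                                             # tangent slope (3x^2 + 1) / (2y)
        lam = fmul(fadd(fmul((3, 0), fmul(A[0], A[0])), (1, 0)), finv(fmul((2, 0), A[1])))
    else:
        lam = fmul(fsub(B[1], A[1]), finv(fsub(B[0], A[0])))
    x3 = fsub(fsub(fmul(lam, lam), A[0]), B[0])
    return (x3, fsub(fmul(lam, fsub(A[0], x3)), A[1])), lam

def g_eval(A, R, lam, S):   # (l/v)(S): l = chord line through A, v = vertical through R = A + B
    if R is None:
        return fsub(S[0], A[0])                            # l is the vertical x - x_A, v = 1
    l = fsub(fsub(S[1], A[1]), fmul(lam, fsub(S[0], A[0])))
    return fmul(l, finv(fsub(S[0], R[0])))

def tate(P, Q, T):
    """Reduced Tate pairing f_{r,P}(D)^((q^k - 1)/r) with D = (Q + T) - (T) (slides 5 and 8)."""
    Qp = chord(Q, T)[0]                                    # Q' = Q + T
    def step(K, L, f):                                     # K <- K + L, f <- f l(Q')v(T)/(v(Q')l(T))
        R, lam = chord(K, L)
        return R, fmul(f, fmul(g_eval(K, R, lam, Qp), finv(g_eval(K, R, lam, T))))
    K, f = P, (1, 0)
    for bit in bin(r)[3:]:             # bits of r below the leading one, most significant first
        K, f = step(K, K, fmul(f, f))                      # doubling step
        if bit == "1":
            K, f = step(K, P, f)                           # addition step
    return fpow(f, (q**k - 1) // r)

# Constructed points: P of order 3 in E(F_11); Q = (-x, i*y) is its image under the distortion
# map, so Q is in E(F_{q^2})[r] but not in <P>; T is the auxiliary point of slide 8.
P, Q, T = ((5, 0), (3, 0)), ((6, 0), (0, 3)), ((9, 0), (1, 0))
e = tate(P, Q, T)       # (5, 3), i.e. 5 + 3i: a primitive cube root of unity in F_121
```

Bilinearity can be checked directly: `tate(chord(P, P)[0], Q, T)` and `tate(P, chord(Q, Q)[0], T)` both equal `fmul(e, e)`, and `fpow(e, r)` is the identity `(1, 0)`.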
Implementing Miller’s algorithm
The doubling part of the double-and-add method is the most important.
Use faster exponentiation techniques (sliding window method, NAF). Choose $r$ with low Hamming weight.
Choose $P \in E(\mathbb{F}_q)[r]$ and $Q \in E(\mathbb{F}_{q^k})[r]$.
Take $k$ even and get major speed-ups by using twists and working in subfields.
Up to now the best performance is in Jacobian coordinates: $(X, Y, Z)$ such that $(X/Z^2, Y/Z^3)$ is a point on the elliptic curve $E$.
Edwards curves
Let $E$ be an elliptic curve over $\mathbb{F}_q$ such that $E(\mathbb{F}_q)$ has an element of order 4.
There is a nonsquare $d \in \mathbb{F}_q$ such that $E$ is birationally equivalent over $\mathbb{F}_q$ to the Edwards curve
$$x^2 + y^2 = 1 + d(xy)^2.$$
On the Edwards curve the addition law is
$$(x_1, y_1), (x_2, y_2) \mapsto \left( \frac{x_1 y_2 + y_1 x_2}{1 + d x_1 x_2 y_1 y_2},\ \frac{y_1 y_2 - x_1 x_2}{1 - d x_1 x_2 y_1 y_2} \right).$$
Edwards versus Jacobian
Actually use homogeneous Edwards coordinates to avoid inversions: $(X, Y, Z)$ corresponding to $(X/Z, Y/Z)$ on the Edwards curve.

| | Edwards coordinates | Jacobian coordinates |
|---|---|---|
| addition | 10m+1s | 11m+5s |
| doubling | 3m+4s | 1m+8s, or 3m+5s for $a = -3$ |
| mixed addition ($Z_2 = 1$) | 9m+1s | 7m+4s |

s, m are the costs of a squaring and a multiplication in $\mathbb{F}_q$ (s = 0.8m).
Edwards curves
Note a 4-torsion subgroup defined over $\mathbb{F}_q$:
$$\{O = (0, 1),\ T_4 = (1, 0),\ T_2 = (0, -1),\ -T_4 = (-1, 0)\}$$
Take a look at the action of this subgroup on a fixed point $P = (x, y)$:
$$P \mapsto \{P,\ P + T_4 = (y, -x),\ P + T_2 = (-x, -y),\ P - T_4 = (-y, x)\}$$
Edwards curves
If $xy \ne 0$, note $p = (xy)^2$ and $s = x/y - y/x$ to characterize the point $P$ up to the action of the 4-torsion subgroup.
Take $E_{s,p} : s^2 p = (1 + dp)^2 - 4p$ and define
$$\varphi : E \to E_{s,p}, \qquad \varphi(x, y) = \left( (xy)^2,\ \frac{x}{y} - \frac{y}{x} \right).$$
$\varphi$ is separable of degree 4.
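As an added check in Python (not from the slides) of the addition law, the 4-torsion action and the map $\varphi$ above: it verifies, over a toy field, that the four points of an orbit are exactly $(x,y), (y,-x), (-x,-y), (-y,x)$, that $\varphi$ takes one value on the whole orbit, and that this value lies on $E_{s,p}$. The prime $q = 11$, the choice $d = -1$ (a nonsquare mod 11, giving the curve of the "useful scenario" slide) and the point $P = (4, 5)$ are constructed assumptions:

```python
# Added example (not from the slides): the Edwards addition law of slide 10, the 4-torsion
# action of slide 12 and the degree-4 map phi of slide 13, checked over a tiny constructed
# field. q = 11 and d = -1 (a nonsquare mod 11) give the curve x^2 + y^2 = 1 - (xy)^2 of slide 22.
q, d = 11, -1 % 11

def inv(a): return pow(a % q, q - 2, q)              # inverse in F_q (q prime)

def on_edwards(P):
    x, y = P
    return (x*x + y*y - 1 - d*x*x*y*y) % q == 0

def ed_add(P1, P2):
    """(x1,y1) + (x2,y2) on x^2 + y^2 = 1 + d(xy)^2; d nonsquare makes the law complete."""
    (x1, y1), (x2, y2) = P1, P2
    t = d * x1 * x2 * y1 * y2
    return ((x1*y2 + y1*x2) * inv(1 + t) % q, (y1*y2 - x1*x2) * inv(1 - t) % q)

O, T4, T2, mT4 = (0, 1), (1, 0), (0, q - 1), (q - 1, 0)   # the 4-torsion subgroup of slide 12

def orbit(P):
    """[P, P + T4, P + T2, P - T4]: slide 12 says these are (x,y), (y,-x), (-x,-y), (-y,x)."""
    return [ed_add(P, T) for T in (O, T4, T2, mT4)]

def phi(P):
    """phi(x, y) = ((xy)^2, x/y - y/x), defined for xy != 0 (slide 13)."""
    x, y = P
    return ((x*y)**2 % q, (x*inv(y) - y*inv(x)) % q)

def on_Esp(Q):                                        # E_{s,p}: s^2 p = (1 + dp)^2 - 4p
    p, s = Q
    return (s*s*p - (1 + d*p)**2 + 4*p) % q == 0

def check(P):
    """phi maps P onto E_{s,p} and takes the same value on the whole 4-torsion orbit of P."""
    x, y = P
    assert on_edwards(P) and x*y % q != 0
    images = {phi(R) for R in orbit(P)}
    return len(images) == 1 and on_Esp(phi(P))

P = (4, 5)                                            # constructed point with xy != 0 on the curve
```

`check(P)` returns `True`, and `orbit(P)` is `[(4, 5), (5, 7), (7, 6), (6, 4)]`, the orbit pattern of the 4-torsion slide with $-4 \equiv 7$ and $-5 \equiv 6$ modulo 11.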
And back to an elliptic curve...
$E_{s,p}$ is elliptic as:
$$s^2 p = (1 + dp)^2 - 4p$$
$\downarrow$ homogenize with $(P, S, Z)$
$$S^2 P = (Z + dP)^2 Z - 4PZ^2$$
$\downarrow$ set $P = 1$
$$s^2 = z^3 + (2d - 4) z^2 + d^2 z$$
Consider the standard addition law: $O_{s,p} = (0, 1, 0)$ is the neutral element and $T_{2,s,p} = (1, 0, 0)$ a point of order 2.
Arithmetic of $E_{s,p}$
Take $l_{s,p}$ the line passing through $P_1$ and $P_2$. Take $R$ its third point of intersection with the curve $E_{s,p}$.
Take $v_{s,p}$ the vertical line through $R$.
$P_1 + P_2$ is the second point of intersection of $v_{s,p}$ with $E_{s,p}$.
$$\operatorname{div}(l_{s,p}) = (P_1) + (P_2) + (-(P_1 + P_2)) - 2(T_{2,s,p}) - (O_{s,p})$$
and
$$\operatorname{div}(v_{s,p}) = (P_1 + P_2) + (-(P_1 + P_2)) - 2(T_{2,s,p}).$$
Miller’s algorithm on Edwards curves
Consider slightly modified functions $f^{(4)}_{i,P}$:
$$\operatorname{div}\big(f^{(4)}_{i,P}\big) = i\big((P) + (P + T_4) + (P + T_2) + (P - T_4)\big) - \big((iP) + (iP + T_4) + (iP + T_2) + (iP - T_4)\big) - (i - 1)\big((O) + (T_4) + (T_2) + (-T_4)\big).$$
Then
$$\operatorname{div}\big(f^{(4)}_{r,P}\big) = r\big((P) + (P + T_4) + (P + T_2) + (P - T_4)\big) - r\big((O) + (T_4) + (T_2) + (-T_4)\big).$$
Compute the 4-th power of the Tate pairing:
$$T_r(P, Q)^4 = f^{(4)}_{r,P}(D)^{\frac{q^k - 1}{r}}.$$
Miller’s algorithm on the Edwards curve
Establish the Miller equation:
$$f^{(4)}_{i+j,P} = f^{(4)}_{i,P}\, f^{(4)}_{j,P}\, \frac{l}{v},$$
where $l/v$ is the function of divisor
$$\operatorname{div}\left(\frac{l}{v}\right) = \big((iP) + (iP + T_4) + (iP + T_2) + (iP - T_4)\big) + \big((jP) + (jP + T_4) + (jP + T_2) + (jP - T_4)\big) - \big(((i+j)P) + ((i+j)P + T_4) + ((i+j)P + T_2) + ((i+j)P - T_4)\big) - \big((O) + (T_4) + (T_2) + (-T_4)\big).$$
Miller’s algorithm on the Edwards curve
Let $P' = \varphi(P)$ and $l_{s,p}$ and $v_{s,p}$ such that
$$\operatorname{div}(l_{s,p}) = (iP') + (jP') + (-(i+j)P') - 2(T_{2,s,p}) - (O_{s,p})$$
and
$$\operatorname{div}(v_{s,p}) = ((i+j)P') + (-(i+j)P') - 2(T_{2,s,p}).$$
$$f_{i+j,P'} = f_{i,P'}\, f_{j,P'}\, \frac{l_{s,p}}{v_{s,p}}$$
$\downarrow \varphi^*$
$$f^{(4)}_{i+j,P} = f^{(4)}_{i,P}\, f^{(4)}_{j,P}\, \frac{l}{v}$$
Compute $l/v = \varphi^*(l_{s,p}/v_{s,p})$.
Computing $l$ and $v$
(Here $(X_1 : Y_1 : Z_1)$ is the current point in homogeneous Edwards coordinates, $(X_3 : Y_3 : Z_3)$ the result of the step, $(X_0, Y_0)$ the affine point added in the mixed addition, and $(x, y)$ the point at which $l$ and $v$ are evaluated.)
For the doubling step:
$$l(x, y) = \frac{(X_1^2 + Y_1^2 - Z_1^2)(X_1^2 - Y_1^2)\Big(2X_1Y_1\big(\tfrac{x}{y} - \tfrac{y}{x}\big) - 2(X_1^2 - Y_1^2)\Big) + Z_3\Big(dZ_1^2 (xy)^2 - (X_1^2 + Y_1^2 - Z_1^2)\Big)}{2X_1Y_1 (X_1^2 + Y_1^2 - Z_1^2)(X_1^2 - Y_1^2)},$$
$$v(x, y) = \frac{dZ_3^2 (xy)^2 - (X_3^2 + Y_3^2 - Z_3^2)}{X_3^2 + Y_3^2 - Z_3^2}.$$
For the mixed addition step:
$$l(x, y) = \frac{\Big(X_1^2 + Y_1^2 - Z_1^2 - dZ_1^2 (X_0Y_0)^2\Big)\Big(X_1Y_1\big(\tfrac{x}{y} - \tfrac{y}{x}\big) - (X_1^2 - Y_1^2)\Big) - \Big(X_1^2 - Y_1^2 - X_1Y_1\big(\tfrac{X_0}{Y_0} - \tfrac{Y_0}{X_0}\big)\Big)\Big(dZ_1^2 (xy)^2 - (X_1^2 + Y_1^2 - Z_1^2)\Big)}{X_1Y_1\Big(X_1^2 + Y_1^2 - Z_1^2 - dZ_1^2 (X_0Y_0)^2\Big)};$$
$$v(x, y) = \frac{dZ_3^2 (xy)^2 - (X_3^2 + Y_3^2 - Z_3^2)}{X_3^2 + Y_3^2 - Z_3^2}.$$
Comparison of costs for the doubling step of Miller’s algorithm

| | $k = 2$ | $k \ge 4$ |
|---|---|---|
| Jacobian coordinates | 10s + 3m + S + M | 11s + (k + 1)m + S + M |
| Jacobian coordinates for $a = -3$ | 4s + 8m + S + M | 4s + (k + 7)m + S + M |
| Das/Sarkar Edwards coordinates (supersingular curves) | 6s + 9m + S + M | - |
| Edwards coordinates | 4s + 9m + S + M | 4s + (k + 8)m + S + M |

s, m are costs of operations in $\mathbb{F}_q$; S, M are costs of operations in $\mathbb{F}_{q^k}$.
Comparison of costs for the mixed addition step of the Miller operation in the case of $k$ even

| | $k = 2$ | $k \ge 4$ |
|---|---|---|
| Jacobian coordinates | 3s + 11m + M | 3s + (k + 9)m + M |
| Das/Sarkar Edwards coordinates (supersingular curves) | 1s + 17m + M | - |
| Edwards coordinates | 4s + 15m + M | 4s + (k + 14)m + M |
A useful scenario
Take $E : y^2 = x^3 + x$.
Take $q = 2^{520} + 2^{363} - 2^{360} - 1$ ($q \equiv 3 \bmod 4$).
Then $r = 2^{160} + 2^3 - 1$ and the embedding degree is $k = 2$.
The Edwards form is $x^2 + y^2 = 1 - (xy)^2$, so $d = -1$.
A useful scenario
Suppose you want to implement a protocol in Edwards coordinates (protection from side channel attacks).
You need to compute the pairing of two points $e(P, Q)$, where $Q$ is a fixed point.
You have $P = (X_0, Y_0, 1)$ in Edwards coordinates.
Switch to Jacobian coordinates (via $\psi(X_0, Y_0) = \big((1 + Y_0)/(1 - Y_0),\ (1 + Y_0)/(X_0(1 - Y_0))\big)$) and compute the pairing on the Weierstrass form.
Faster, but you need one inversion (with Montgomery’s trick)!
An inversion-free algorithm
Stick to Edwards coordinates and use our method to implement the pairing.
We need $\varphi(X_0, Y_0) = \big((X_0Y_0)^2,\ X_0/Y_0 - Y_0/X_0\big)$ to compute the $l$-functions of the mixed addition step.
Replace $l \leftarrow (X_0Y_0)\, l$ in the mixed addition step.
The mixed addition will be more expensive (+1m) but NO INVERSIONS!
Questions...?