20 December 2013 1/44
Pairing arithmetic on algebraic curves for cryptography
PhD thesis defense, specialty: computer science
Aurore Guillevic
2/44 Contributions
- Asiacrypt 2013: Four dimensional GLV via the Weil restriction, with S. Ionica, LNCS 8269
- ACNS 2013: Comparing the pairing efficiency over composite-order and prime-order elliptic curves, LNCS 7954
- Patents: On pairing computation delegation, with R. Dubois and D. Vergnaud, 2012
- Pairing 2012: Genus 2 hyperelliptic curve families with explicit Jacobian order evaluation and pairing-friendly constructions, with D. Vergnaud, LNCS 7708
- Pairing 2012: Improved broadcast encryption scheme with constant-size ciphertext, with R. Dubois and M. Sengelin Le Breton, LNCS 7708
- Africacrypt 2011: Efficient multiplication in finite field extensions of degree 5, with N. El Mrabet and S. Ionica, LNCS 6737
3/44 Outline
1 Introduction: public-key encryption, identity-based encryption
2 Elliptic curves and pairings: elliptic curves, pairing computation, pairing implementation
3 Pairings on composite-order groups
4 Fast scalar multiplication with 4-dim GLV: elliptic and hyperelliptic curves and endomorphisms, isogenies, 4-dim GLV on elliptic curves, 4-dim GLV on genus 2 curves
5 Conclusion
5/44 Constructions
- Asymmetric cryptography was born in 1976 with the Diffie-Hellman key exchange; its security rests on the Diffie-Hellman problem (DHP) and the discrete logarithm problem (DLP)
- Public-key encryption: Rivest-Shamir-Adleman, 1978; its security rests on integer factorization
6/44 Discrete log problem, Diffie-Hellman problem
- Given a cyclic group G, a generator g and a ∈ G, compute x ∈ {0, 1, ..., #G − 1} such that g^x = a
- (g, x) ↦ g^x is efficient
- x is the discrete logarithm of a = g^x in base g
- Computing x from g and a is intractable in well-chosen, large enough groups
- Diffie-Hellman problem: given G, g, α = g^a, β = g^b, compute g^{ab}
- 1976: F_q^*; 1985: E defined over F_q
7/44 ElGamal encryption
Public parameters (known to Alice and Bob): (G, ·), g, m = #G
Alice: secret key sk_A = a ← Z_m^*, public key PK_A = g^a

Encryption (Bob):
1. gets Alice's public key PK_A
2. M ∈ G
3. r ← Z_m^* at random
4. γ = g^r
5. Enc_PK_A(M) = M · PK_A^r = δ
6. sends C = (γ, δ) to Alice

Decryption (Alice):
7. gets C = (γ, δ) from Bob
8. Dec_sk_A(C) = γ^{−a} · δ = M, since γ^{−a} = g^{−ar} = PK_A^{−r}
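The exchange above as an added example, not code from the thesis or from the LibCryptoLCH. It runs the eight steps in the subgroup G of prime order q of F_p^* for a toy safe prime p = 2q + 1 (p = 2039, q = 1019 and g = 4 are assumptions chosen for readability, not parameters from the slide), adds the membership test x^q = 1 that a deployment needs on every received element, and exercises the multiplicative homomorphism that makes textbook ElGamal malleable.

```python
import secrets

# Toy public parameters (an assumption for this example, not from the slides):
# p = 2q + 1 is a safe prime and g = 4 = 2^2 generates the subgroup G of prime
# order q, so G is the set of quadratic residues and has no small subgroups.
P_MOD, Q_ORD, G_GEN = 2039, 1019, 4


def in_group(x):
    """True iff x is in G = <g>, i.e. x^q = 1 in F_p^*.  Checking every received
    element is what blocks invalid-element and small-subgroup tricks in practice."""
    return 0 < x < P_MOD and pow(x, Q_ORD, P_MOD) == 1


def keygen():
    """Alice: secret key a in Z_q^*, public key PK_A = g^a."""
    a = 1 + secrets.randbelow(Q_ORD - 1)
    return a, pow(G_GEN, a, P_MOD)


def encrypt(pk, msg):
    """Bob, steps 1-6: gamma = g^r and delta = M * PK_A^r, with M an element of G."""
    if not (in_group(pk) and in_group(msg)):
        raise ValueError("public key and message must be elements of G")
    r = 1 + secrets.randbelow(Q_ORD - 1)
    return pow(G_GEN, r, P_MOD), msg * pow(pk, r, P_MOD) % P_MOD


def decrypt(sk, ct):
    """Alice, steps 7-8: M = gamma^(-a) * delta.  gamma has order q, so gamma^(-a) = gamma^(q - a)."""
    gamma, delta = ct
    if not (in_group(gamma) and in_group(delta)):
        raise ValueError("ciphertext components must be elements of G")
    return pow(gamma, Q_ORD - sk, P_MOD) * delta % P_MOD


def multiply(ct1, ct2):
    """Component-wise product of two ciphertexts: it decrypts to M1 * M2.  Handy for
    homomorphic protocols, and the reason textbook ElGamal is malleable."""
    return ct1[0] * ct2[0] % P_MOD, ct1[1] * ct2[1] % P_MOD


if __name__ == "__main__":
    sk, pk = keygen()
    m1, m2 = pow(G_GEN, 7, P_MOD), pow(G_GEN, 11, P_MOD)   # two messages encoded in G
    c1, c2 = encrypt(pk, m1), encrypt(pk, m2)
    print("round trip:", decrypt(sk, c1) == m1)
    print("homomorphic:", decrypt(sk, multiply(c1, c2)) == m1 * m2 % P_MOD)
```

Messages are group elements here (powers of g). Deployed variants use the scheme as a key encapsulation: δ is replaced by a symmetric encryption under a hash of PK_A^r, which also removes the malleability that multiply exhibits.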
8/44 Pairings: black-box properties
(𝔾1, +), (𝔾2, +), (𝔾T, ·) three cyclic groups of order m. A pairing is a map e : 𝔾1 × 𝔾2 → 𝔾T that is
1. bilinear: e(P1 + P2, Q) = e(P1, Q) · e(P2, Q) and e(P, Q1 + Q2) = e(P, Q1) · e(P, Q2)
2. non-degenerate: e(G1, G2) ≠ 1 for generators G1 of 𝔾1 and G2 of 𝔾2
3. efficiently computable.
In practice we mostly use
e([a]P, [b]Q) = e([b]P, [a]Q) = e(P, Q)^{ab}.
Many applications in asymmetric cryptography.
9/44 Identity-based encryption
- 1984: the idea of identity-based encryption is formalized by Shamir
- 1999: first practical identity-based cryptosystem, Sakai-Ohgishi-Kasahara
- 2000: constructive use of pairings, Joux's tripartite key exchange
- 2001: IBE of Boneh-Franklin
These rely on
- the DLP and DHP
- the bilinear DLP and DHP
- the pairing inversion problem
10/44 IBE: [Boneh Franklin 01], setup, extract
Service provider (private-key generator), setup:
- 𝔾1 = ⟨G1⟩, 𝔾2 = ⟨G2⟩, 𝔾T of prime order m, pairing e : 𝔾1 × 𝔾2 → 𝔾T
- master secret key MSK = s ← Z_m^*, public key PK = [s]G2 ∈ 𝔾2
- public parameters PP = {𝔾1, 𝔾2, 𝔾T, m, e, PK}
Extract: Alice sends ID_Alice and Bob sends ID_Bob to the service provider, which
- hashes the identities into 𝔾1: ID_Alice ↦ ID_A ∈ 𝔾1, ID_Bob ↦ ID_B ∈ 𝔾1
- computes the private keys sk_A = [s]ID_A, sk_B = [s]ID_B
- returns (PP, sk_A) to Alice and (PP, sk_B) to Bob
The service provider knows every user's private key (key escrow); it must authenticate each user and deliver sk over a confidential channel.
11/44 IBE: [Boneh Franklin 01], encrypt, decrypt
Both hold PP = {𝔾1, 𝔾2, 𝔾T, m, e, PK}; Alice holds sk_A, Bob holds sk_B.
Encrypt (Bob, to Alice):
1. ID_Alice ↦ ID_A ∈ 𝔾1
2. r ← Z_m^*, γ_A = e(ID_A, PK) ∈ 𝔾T
3. C = ([r]G2, M · γ_A^r) ∈ 𝔾2 × 𝔾T, sent to Alice
Decrypt (Alice):
4. gets C = (U, V) from Bob
5. computes Dec_sk_A(C) = V / e(sk_A, U) = M
→ correctness, by bilinearity: e(sk_A, U) = e([s]ID_A, [r]G2) = e(ID_A, [s]G2)^r = e(ID_A, PK)^r = γ_A^r; neither Alice nor Bob needs s.
This is the BasicIdent variant (here with M multiplied into 𝔾T rather than masked by a hash of γ_A^r): it is only secure against chosen-plaintext attacks. Boneh and Franklin's FullIdent adds the Fujisaki-Okamoto transform to reach chosen-ciphertext security.
13/44 Elliptic curves
E : y² = x³ + ax + b, a, b ∈ F_q
- proposed for cryptography in 1985 by Koblitz and Miller
- E(F_q) has an efficient group law (chord-and-tangent rule) → G
- efficient group order computation (point counting)
- #E(F_q) = q + 1 − t, with trace t satisfying |t| ≤ 2√q (Hasse bound)
- only generic attacks against the DLP on well-chosen curves
- optimal parameter sizes
14/44 Elliptic curves
[Figure: the chord-and-tangent group law. Addition: the line through P1 and P2 meets E in a third point, whose reflection is P3 = P1 ⊕ P2. Doubling: the tangent at P1 meets E in one more point, whose reflection is P3 = 2P1.]
15/44 Pairings
- 𝔾1 ⊂ E(F_q)[m] = {P ∈ E(F_q), [m]P = O}
- embedding degree k: the smallest integer such that m | q^k − 1
- 𝔾2 ⊂ E(F_{q^k})[m]
- 𝔾1 ∩ 𝔾2 = {O} by construction, for our practical applications
- 𝔾T = μ_m = {u ∈ F_{q^k}^*, u^m = 1} ⊂ F_{q^k}^*
When k is small, i.e. 1 ≤ k ≤ 24, the curve is pairing-friendly. This is very rare: for a random curve, log k ∼ log m.
Let P ∈ E(F_q)[m], Q ∈ E(F_{q^k})[m], and f_{m,P} the function such that div(f_{m,P}) = m(P) − m(O). Then
e_Tate(P, Q) = f_{m,P}(Q), made unique by the final exponentiation to the power (q^k − 1)/m (reduced Tate pairing).
16/44 Miller's algorithm, reduced Tate pairing [BKLS02]
Input: E, a, b, P ∈ E(F_q)[m], Q ∈ E(F_{q^k})[m], m, k even
if P = O or Q = O then return 1
else
  T ← P; f ← 1
  for j ← ⌊log2(m)⌋ − 1, ..., 0 do                              (Miller loop)
    ℓ ← tangent at T;  v ← vertical line at 2T
    f ← f² · ℓ(Q) / v(Q);  T ← 2T
    if m_j = 1 then
      ℓ ← line through T and P;  v ← vertical line at T + P
      f ← f · ℓ(Q) / v(Q);  T ← T + P
  f ← f^{(q^k − 1)/m}                                            (final exponentiation)
  return f
(m_j is the j-th bit of m. The loop is the double-and-add chain computing [m]P; the line functions ℓ and v are evaluated at Q as the chain is built, and the last addition step gives T + P = O with a vertical ℓ.)

Denominator elimination: when k is even and Q is chosen with an x-coordinate in the subfield F_{q^{k/2}} (as with a distortion map or a twist), every v(Q) lies in a proper subfield of F_{q^k} and is mapped to 1 by the final exponentiation, so the vertical lines are dropped: f ← f² · ℓ(Q) and f ← f · ℓ(Q).

Ate pairing: exchange the roles of P and Q, i.e. run the chain on T ← Q ∈ E(F_{q^k})[m], evaluate the lines at P ∈ E(F_q), and loop over the bits of t − 1 (t the trace) instead of m: for j ← ⌊log2(t − 1)⌋ − 1, ..., 0. The loop is shorter since |t − 1| ≈ √q ≪ m, at the price of curve arithmetic over F_{q^k} (in practice carried out on a twist).
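The algorithm above as an added example, not code from the thesis or from the LibCryptoLCH: a direct transcription of Miller's loop for the reduced Tate pairing on the supersingular curve y² = x³ − x of the next slide, over a toy prime p ≡ 3 mod 4 (p = 103 and m = 13 are assumptions chosen for readability; #E(F_p) = p + 1 = 104 and k = 2). The distortion map ψ(x, y) = (−x, iy) supplies Q ∈ E(F_{p²}) from P ∈ E(F_p), the vertical lines are dropped because their values lie in F_p and vanish under the final exponentiation, and the last function checks the identity e(sk_A, U) = e(ID_A, PK)^r on which Boneh-Franklin decryption (slide 11) relies. Toy sizes and no constant-time care: illustration only.

```python
def inv(a, p):
    return pow(a % p, p - 2, p)

def slope(T1, T2, p):
    """Slope of the tangent at T1 (when T1 == T2) or of the chord through T1 and T2, on y^2 = x^3 - x."""
    (x1, y1), (x2, y2) = T1, T2
    if T1 == T2:
        return (3 * x1 * x1 - 1) * inv(2 * y1, p) % p
    return (y2 - y1) * inv(x2 - x1, p) % p

def ec_add(P1, P2, p):
    """Chord-and-tangent law on E : y^2 = x^3 - x over F_p; None stands for the point O."""
    if P1 is None or P2 is None:
        return P2 if P1 is None else P1
    if P1[0] == P2[0] and (P1[1] + P2[1]) % p == 0:
        return None
    lam = slope(P1, P2, p)
    x3 = (lam * lam - P1[0] - P2[0]) % p
    return x3, (lam * (P1[0] - x3) - P1[1]) % p

def ec_mul(k, P, p):
    """Left-to-right double-and-add."""
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(R, R, p)
        if bit == "1":
            R = ec_add(R, P, p)
    return R

def point_of_order(m, p):
    """Point of prime order m on E(F_p); #E(F_p) = p + 1 since E is supersingular (p = 3 mod 4).
    Take affine points and multiply by the cofactor until the result is not O."""
    for x in range(2, p):
        r = (x * x * x - x) % p
        if pow(r, (p - 1) // 2, p) == 1:                        # r is a non-zero square
            P = ec_mul((p + 1) // m, (x, pow(r, (p + 1) // 4, p)), p)
            if P is not None:
                return P

def f2_mul(a, b, p):
    """F_{p^2} = F_p[i]/(i^2 + 1) as pairs (re, im); x^2 + 1 is irreducible because p = 3 mod 4."""
    return (a[0] * b[0] - a[1] * b[1]) % p, (a[0] * b[1] + a[1] * b[0]) % p

def f2_pow(a, e, p):
    r = (1, 0)
    while e:
        if e & 1:
            r = f2_mul(r, a, p)
        a, e = f2_mul(a, a, p), e >> 1
    return r

def distortion(P, p):
    """psi(x, y) = (-x, i*y): maps E(F_p) to points of E(F_{p^2}) outside E(F_p), as F_{p^2} pairs."""
    return ((-P[0]) % p, 0), (0, P[1])

def line(T1, T2, Q, p):
    """l_{T1,T2}(Q) for Q in E(F_{p^2}).  A vertical line (T1 = -T2, which includes the final
    addition step where T + P = O) is replaced by 1: x_Q lies in F_p, so the value would lie in
    F_p, and the exponent (p^2 - 1)/m, a multiple of p - 1, maps it to 1 (denominator elimination)."""
    if T1[0] == T2[0] and (T1[1] + T2[1]) % p == 0:
        return 1, 0
    lam = slope(T1, T2, p)
    (xq, yq), (x1, y1) = Q, T1
    return (yq[0] - y1 - lam * (xq[0] - x1)) % p, (yq[1] - lam * xq[1]) % p

def tate(P, Q, m, p):
    """Reduced Tate pairing e(P, Q) = f_{m,P}(Q)^((p^2 - 1)/m): Miller's loop over the bits of m."""
    T, f = P, (1, 0)
    for bit in bin(m)[3:]:                                      # the leading bit is the start T = P
        f = f2_mul(f2_mul(f, f, p), line(T, T, Q, p), p)        # f <- f^2 * (tangent at T)(Q)
        T = ec_add(T, T, p)
        if bit == "1":
            f = f2_mul(f, line(T, P, Q, p), p)                  # f <- f * (chord through T and P)(Q)
            T = ec_add(T, P, p)
    return f2_pow(f, (p * p - 1) // m, p)

def bf_decrypts(P, m, p, s, h, r):
    """Boneh-Franklin with G1 = <P>, G2 = <psi(P)>: ID_A = [h]P, PK = [s]G2, sk_A = [s]ID_A and
    U = [r]G2.  Decryption recovers M exactly when e(sk_A, U) == e(ID_A, PK)^r."""
    lhs = tate(ec_mul(s * h % m, P, p), distortion(ec_mul(r, P, p), p), m, p)
    rhs = f2_pow(tate(ec_mul(h, P, p), distortion(ec_mul(s, P, p), p), m, p), r, p)
    return lhs == rhs

if __name__ == "__main__":
    p, m = 103, 13                                              # #E(F_103) = 104 = 8 * 13, k = 2
    P = point_of_order(m, p)
    e = tate(P, distortion(P, p), m, p)
    print("e(P, psi(P)) =", e, " e^m == 1:", f2_pow(e, m, p) == (1, 0))
    print("e([5]P, psi([7]P)) == e^35:",
          tate(ec_mul(5, P, p), distortion(ec_mul(7, P, p), p), m, p) == f2_pow(e, 35, p))
    print("Boneh-Franklin identity holds:", bf_decrypts(P, m, p, s=4, h=9, r=11))
```

The output of tate lies in μ_m ⊂ F_{p²}^*, so e^m = 1 and bilinearity e([a]P, ψ([b]P)) = e(P, ψ(P))^{ab} is what the self-checks verify; the BKLS trick of skipping the verticals is only valid because k is even and x_Q ∈ F_p, which is exactly what the distortion map guarantees.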
17/44 Pairing implementation in the LibCryptoLCH
- don't be too specific, but still efficient enough
- use the Modular package for F_p and modular arithmetic
- F_{q²}, F_{q³} with q ≡ 1 mod 3
- supersingular curves E : y² = x³ − x over F_q, q prime, k = 2; they can be of composite order
- Barreto-Naehrig (BN) curves E : y² = x³ + b over F_q, q prime (k = 12)
- Tate pairing over these two curves
- ate and optimal ate pairings over BN curves (4 times faster)
- dedicated final exponentiation for BN curves
18/44 Benchmarks
Security level (AES equivalent) | AES-128 | AES-192 | AES-256
log p, k·log p (bits) | 256, 3072 | 640, 7680 | 1280, 15360
Miller loop | 2.35 ms | 18.4 ms | 109.2 ms
Final exponentiation | 2.70 ms | 15.8 ms | 75.5 ms
Optimal ate pairing (1) | 5.05 ms | 34.2 ms | 184.7 ms
Microsoft Lib (2) | 6.09 ms | 55.7 ms | –
Specific implementations:
[NNS12] (3) | 1.54 ms | – | –
[Beuchat et al. 10] (4) | 0.83 ms | – | –
(1) x86-64, Intel Celeron E3400 @ 2.6 GHz, 2013
(2) x86-64 dual-core Intel Core2 E6600 @ 2.4 GHz, 2012
(3) Intel Core 2 Quad Q9550 @ 2.83 GHz, 2012, BN parameter seed v = 0x1c81013, E : y² = x³ + 3
(4) Intel Core i7 @ 2.8 GHz, BN parameter seed v = t = 2^62 − 2^54 + 2^44, E : y² = x³ + 5
20/44 Composite-order groups: constructions
- [Boneh, Goh and Nissim, TCC 2005]: first public-key homomorphic encryption scheme using composite-order groups and pairings
- based on the Subgroup Decision Assumption
- for the last seven years, many protocols with interesting properties based on this assumption
- [Freeman, Eurocrypt 2010]: specific conversions to prime-order groups
- [Lewko, Eurocrypt 2012]: generic conversions to prime-order groups and better security proofs
→ Which ones are more efficient?
21/44 HIBE: main ideas
- 𝔾1, 𝔾2, 𝔾T of composite order N = p1 p2 p3
- orthogonality: 𝔾1 = 𝔾(p1) ⊕ 𝔾(p2) ⊕ 𝔾(p3), and for any g_i ∈ 𝔾(p_i), g_j ∈ 𝔾(p_j) with i ≠ j, e(g_i, g_j) = 1
- it is hard to distinguish a random u ∈ 𝔾(p1 p2) from a random v ∈ 𝔾(p1), unless an element w ∈ 𝔾(p2) is given (in that case e(u, w) = 1 iff u ∈ 𝔾(p1))
22/44 HIBE over prime-order groups
- 𝔾1, 𝔾2, 𝔾T are groups of prime order m (of e.g. 256 bits); let g_i be a generator of 𝔾i
- let e : 𝔾1 × 𝔾2 → 𝔾T be a bilinear 1-dimensional pairing
- let 𝒢1 = 𝔾1^6 and 𝒢2 = 𝔾2^6, seen as 6-dimensional vector spaces in the exponents, and 𝒢T = 𝔾T
- an element g ∈ 𝒢1 is g = g1^v = [g1^{v1}, ..., g1^{v6}] for a vector v = (v1, ..., v6)
- pairing: e6(g1^v, g2^w) = ∏_{i=1}^{6} e(g1^{vi}, g2^{wi}) = e(g1, g2)^{v·w} ∈ 𝔾T ⊂ F_{p^k}^*
23/44 Implementation results
[Figure: time in ms on a logarithmic scale (10^0 to 10^4) against the number of primes i in N = p1 p2 ··· pi, for i = 1, ..., 9. Curves plotted: Tate pairing; scalar multiplication [m]P ∈ E(F_p); exponentiation g^m ∈ μ_N ⊂ F_{p²}; optimal ate pairing on a BN curve; [m]P on a BN curve.]
24/44 Conclusion
- the subgroup decision assumption enables very nice properties and is practical, but quite slow on a PC (a few seconds for one pairing)
- conversions to the prime-order setting provide much faster timings
→ for performance, better to use prime-order groups
- however, composite-order elliptic curves have additional properties that ordinary curves do not have yet
26/44 Elliptic and hyperelliptic curves
Elliptic curve E: #E(F_q) = q + 1 − t. Genus 2 curve C with Jacobian J_C: #J_C(F_q) = q² + 1 − (q + 1)a_q + b_q.
In both cases the ingredients are the same: group law, point counting, endomorphisms, isogenies.
27/44 Endomorphisms: application in crypto
Scalar multiplication: given 𝔾 of prime order m, a ∈ Z_m, P ∈ 𝔾, compute (P, a) ↦ [a]P
- assume there is an efficient (almost free) endomorphism φ : 𝔾 → 𝔾, φ(P) = [λ]P
- Gallant-Lambert-Vanstone 2001: a method to speed up [a]P on E by up to 50 %
  - if λ is large, decompose a ≡ a0 + λ a1 mod m (extended Euclidean algorithm), with log a0 ∼ log a1 ∼ (log a)/2
  - compute [a]P = [a0]P + [a1]φ(P) with a multi-multiplication method "à la" [b]P + [c]Q (one shared double-and-add chain)
- saves half of the doublings and about n/8 additions for an n-bit a → speed-up of ∼ 50 % in theory, but the decomposition has a cost → a bit less in practice
28/44 Endomorphisms: an example
E_α : y² = x³ + αx, j(E_α) = 1728 (i.e. CM by √−1, D = 4)
- E_α defined over F_q with q ≡ 1 mod 4, i ∈ F_q such that i² = −1 ∈ F_q
- φ : (x, y) ↦ (−x, iy) is an endomorphism
- φ ∘ φ (x, y) = (x, −y) = −(x, y) → φ² + Id = 0 on E
- eigenvalue: λ ≡ √−1 mod m, i.e. λ² ≡ −1 mod m
- this means that for P ∈ E(F_q) of prime order m | #E(F_q), φ(P) = [λ mod m]P
→ a shortcut to compute [λ]P
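The decomposition of slide 27 and the eigenvalue of slide 28 as an added example, not code from the thesis: the extended-Euclidean lattice basis of GLV 2001, Babai rounding to obtain a ≡ a0 + a1·λ mod m with half-size a0, a1, and a group-agnostic Straus-Shamir multi-scalar multiplication that takes the group law as callables, so the same routine computes [a0]P + [a1]φ(P) on a curve or, as used here for the self-check, a0·1 + a1·λ in the additive group Z/m. The modulus m = 2^255 − 19 (a prime ≡ 1 mod 4 with 2 a non-residue, so λ = 2^((m−1)/4) is a square root of −1) is an assumption for illustration, not a curve order from the slides. An operation counter shows the saving over plain double-and-add.

```python
from fractions import Fraction

# Stand-in for the prime order m of <P> (an assumption for this example, not a curve order
# from the slides): 2^255 - 19 is prime, m = 1 mod 4 and 2 is a non-residue mod m, so
# LAMBDA = 2^((m-1)/4) satisfies LAMBDA^2 = 2^((m-1)/2) = -1 mod m, like the eigenvalue of phi.
M = 2**255 - 19
LAMBDA = pow(2, (M - 1) // 4, M)


def glv_basis(m, lam):
    """Short basis of L = {(x, y) : x + y*lam = 0 mod m} (GLV 2001).  The extended Euclidean
    algorithm on (m, lam) produces rows (r_i, t_i) with s_i*m + t_i*lam = r_i, so (r_i, -t_i)
    lies in L; take the rows around the point where r_i drops below sqrt(m)."""
    rows = [(m, 0), (lam, 1)]
    while rows[-1][0] != 0:
        (r0, t0), (r1, t1) = rows[-2], rows[-1]
        q = r0 // r1
        rows.append((r0 - q * r1, t0 - q * t1))
    l = max(i for i, (r, _) in enumerate(rows) if r * r >= m)
    vecs = [(rows[j][0], -rows[j][1]) for j in (l + 1, l, l + 2) if j < len(rows)]
    return vecs[0], min(vecs[1:], key=lambda v: v[0] ** 2 + v[1] ** 2)


def glv_decompose(a, m, lam):
    """(a0, a1) with a = a0 + a1*lam mod m and |a0|, |a1| of about sqrt(m): express (a, 0) in
    the basis (v1, v2), round the coordinates (Babai) and subtract that lattice point."""
    v1, v2 = glv_basis(m, lam)
    det = v1[0] * v2[1] - v1[1] * v2[0]
    b1 = round(Fraction(a * v2[1], det))
    b2 = round(Fraction(-a * v1[1], det))
    return a - b1 * v1[0] - b2 * v2[0], -b1 * v1[1] - b2 * v2[1]


def shamir(a0, P0, a1, P1, add, dbl, neg, zero):
    """[a0]P0 + [a1]P1 with one shared doubling chain (Straus-Shamir).  add/dbl/neg implement
    the group law and zero is its identity, so this serves curve points as well as Z/m below.
    Returns the result and the number of (doublings, additions) performed."""
    if a0 < 0:
        a0, P0 = -a0, neg(P0)
    if a1 < 0:
        a1, P1 = -a1, neg(P1)
    table = {(1, 0): P0, (0, 1): P1, (1, 1): add(P0, P1)}
    R, nd, na = zero, 0, 0
    for j in range(max(a0.bit_length(), a1.bit_length()) - 1, -1, -1):
        R, nd = dbl(R), nd + 1
        bits = ((a0 >> j) & 1, (a1 >> j) & 1)
        if bits != (0, 0):
            R, na = add(R, table[bits]), na + 1
    return R, (nd, na)


def double_and_add(a, P, add, dbl, zero):
    """Plain left-to-right scalar multiplication, kept for the operation-count comparison."""
    R, nd, na = zero, 0, 0
    for bit in bin(a)[2:]:
        R, nd = dbl(R), nd + 1
        if bit == "1":
            R, na = add(R, P), na + 1
    return R, (nd, na)


# Self-check group: Z/m under addition with P = 1 and phi(P) = LAMBDA.  There [a0]P + [a1]phi(P)
# is just a0 + a1*LAMBDA mod m, so a correct GLV multiplication must return a mod m.
def z_add(u, v):
    return (u + v) % M


def z_dbl(u):
    return 2 * u % M


def z_neg(u):
    return (-u) % M


def glv_mul_zm(a):
    """GLV multiplication of P = 1 in Z/m by the scalar a: returns (result, (doublings, additions))."""
    a0, a1 = glv_decompose(a % M, M, LAMBDA)
    return shamir(a0, 1, a1, LAMBDA, z_add, z_dbl, z_neg, 0)


if __name__ == "__main__":
    a = 0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
    a0, a1 = glv_decompose(a % M, M, LAMBDA)
    print("bits of a, a0, a1:", a.bit_length(), abs(a0).bit_length(), abs(a1).bit_length())
    print("GLV + Shamir (doublings, additions):", glv_mul_zm(a)[1], "correct:", glv_mul_zm(a)[0] == a % M)
    print("plain double-and-add               :", double_and_add(a % M, 1, z_add, z_dbl, 0)[1])
```

On a real curve the three callables are the point addition, doubling and negation, and P1 is φ(P), which for the curve of slide 28 costs one field negation and one multiplication by i; the decomposition itself is cheap integer arithmetic, which is the "cost of decomposition" the slide refers to.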
29/44 4-GLV, ..., 2^i-GLV: time-memory trade-off
- we would like a 4-dimensional decomposition a ≡ a0 + a1 λ + a2 μ + a3 λμ mod m with log a_i ∼ (log a)/4 when computing [a]P
- 2 endomorphisms φ, ψ with eigenvalues λ, μ
- decomposition: lattice reduction algorithm (e.g. BKZ, Block Korkine-Zolotarev)
- we need ψ such that μ ≡ α + βλ mod m with α, β > m^{1/4} to have a good reduction
30/44 GLV-friendly curve zoo
Genus 1:
- GLV 2001: complex multiplication by √−1, √−2, (1 + √−7)/2, √−3, (1 + √−11)/2
- Galbraith-Lin-Scott 2009: curves over F_{q²} with j ∈ F_q
- Longa-Sica 2012: 4-dimensional GLV + GLS
- Smith 2013: 2-dimensional GLV on twist-secure curves with chosen q
- This work: 4-dimensional GLV on two families of curves over F_{q²}, but with j ∈ F_{q²}
Genus 2:
- Mestre, Kohel-Smith, Takashima: explicit real multiplication by √2, √5
- 4-dimensional: Buhler-Koblitz, Furukawa-Takahashi curves
- This work: 4-dimensional GLV on Satoh / Satoh-Freeman curves (2009)
31/44 Our tool: isogenies
An isogeny is a surjective morphism of finite kernel between two Jacobians (more generally, two abelian varieties).
Isogenies: I : J_{C1} → J_{C2}. Endomorphisms: ψ : J_{C1} → J_{C1}.
- any endomorphism is also an isogeny
- a map of given kernel between two different elliptic curves is computed with Vélu's formulas
- certain classes of isogenies on genus 2 Jacobians are explicit (Richelot, Robert-Lubicz, Cosset-Robert, Smith)
32/44 Two families of genus-2 curves
- C1(F_q) : y² = x⁵ + ax³ + bx, a, b ≠ 0 ∈ F_q, studied by Leprévost-Morain (1997), Satoh (2009), Freeman-Satoh (2011)
- C2(F_q) : y² = x⁶ + ax³ + b, a, b ≠ 0 ∈ F_q, studied by Gaudry-Schost (2001), Freeman-Satoh (2011)
- efficient point counting, possible pairing-friendly constructions
→ improvements in point counting and more pairing-friendly constructions (1)
The Jacobians of C1 and C2 are isogenous to the product of two elliptic curves over an extension field.
(1) work with D. Vergnaud: Genus 2 Hyperelliptic Curve Families with Explicit Jacobian Order Evaluation and Pairing-Friendly Constructions, Pairing 2012
33/44 4-dim GLV on elliptic curves
C1 : y² = x⁵ + ax³ + bx (Satoh's curves), with E_c : y² = x³ + 27(3c − 10)x + 108(14 − 9c), c = a/√b ∈ F_{q²}; J_{C1} is the Weil restriction of E_c.
[Diagram: J_{C1}(F_q) → J_{C1}(F_{q⁸}), which the isogeny I maps to E_c × E_c(F_{q⁸}); E_c × E_c(F_{q²}) sits below, with Φ_{−1} acting on the Jacobian side and φ_2 on the curve side. The open question (?) is an endomorphism of E_c(F_{q²}) obtained through I.]
34/44 4-dim GLV on elliptic curves
D = 2D′. We computed with Vélu's formulas the 2-isogeny with kernel ⟨(12, 0)⟩:
I2 : E_c → E_{−c}
(x, y) ↦ ( −(1/2)·(x + (162 + 81c)/(x − 12)),  −(y/(2√−2))·(1 − (162 + 81c)/(x − 12)²) )
- E_c : y² = x³ + 27(3c − 10)x + 108(14 − 9c)
- E_{−c} : y² = x³ + 27(−3c − 10)x + 108(14 + 9c)
- in F_{q²}, π_q(c) = −c (the q-th power Frobenius conjugates c)
- so we go back from E_{−c} to E_c with the Frobenius map: π_q ∘ I2 = φ_2 is an endomorphism of E_c, with φ_2 ≡ [√±2]
- the same construction with a D′-isogeny I_{D′} : E_c → E_{−c} gives a second endomorphism
- φ_2 is different from the CM
- we can construct a second endomorphism from CM.
35/44 Example with D = 40
q = (2n² + D′m²)/4, D = 2D′ (here D′ = 20)
[Diagram: E_c(F_{q²}) ⇄ E_{−c}(F_{q²}) through I2 and I5, back with π_q: π_q ∘ I2 = φ_2 ≡ [√−2], π_q ∘ I5 = φ_5 ≡ [√5].]
- the second isogeny I5 is computed with Vélu's formulas
- φ_5 ∘ φ_5 = [5], I5 ∘ I5 = [5] on E_c(F_{q²})
- eigenvalues: λ_{φ2} = (2n − m√−D)/2 ≡ √−2, λ_{φ5} = (D′m + n√−D)/2 ≡ √5 mod #E_c(F_{q²})
- D = 40, CM from D by √−10: this is exactly φ_2 ∘ φ_5 on E_c(F_{q²})
36/44 Satoh's genus-2 curves
[Diagram: J_{C1}(F_q) → J_{C1}(F_{q⁸}) ⇄ E_c × E_c(F_{q⁸}) through the isogeny I, above E_c × E_c(F_{q²}); Φ_{−1} acts on J_{C1}, φ_2 and φ_{D′} on E_c, and Φ_{D′} (??) is the endomorphism of J_{C1} we are looking for.]
- the isogeny I gives efficient point counting on J_{C1} from efficient point counting on E_c × E_c
- we already have Φ_{−1} on J_{C1}, in Mumford representation D : (u1, u0, v1, v0) ↦ (−u1, u0, −i v1, i v0)
- construct an endomorphism from the CM on E_c
- bring it back to J_{C1} with the isogeny
37/44 Example with D = 40 for E_c
[Diagram: J_{C1}(F_q) → J_{C1}(F_{q⁸}) ⇄ E_c × E_c(F_{q⁸}) through I, above E_c × E_c(F_{q²}); φ_2 ≡ [√−2] and φ_5 ≡ [√5] act on E_c, Φ_{−1} ≡ [√−1] on J_{C1}, and I ∘ (φ_5, φ_5) ∘ I = Φ_{−10} ≡ [D′m + n√−10].]
- Φ_{−1} satisfies Φ_{−1}² = −Id on J_{C1}
- we bring the endomorphism φ_5 of E_c back to C1: Φ_{−10}
- 2 endomorphisms on J_{C1}: Φ_{−1}, Φ_{−10}
38/44 Operation count at the 128-bit security level
Curve | Method | Operation count | Global estimate
E_c | 4-GLV, 16 points | 2748m + 1668s | 4416m
D = 4 [LongaSica12] | 4-GLV, 16 points | 1992m + 2412s | 4404m
J_{C1} | 4-GLV, 16 points | 4500m + 816s | 5316m
FKT [Bos et al. 13] | 4-GLV, 16 points | 4500m + 816s | 5316m
Kummer [Bos et al. 13] | – | 3328m + 2048s | 5376m
(m: multiplication, s: squaring in the base field; the global estimate counts one s as one m)
39/44 Conclusion
- two families of genus 2 curves C1, C2 which can be defined over a prime field
- two families of elliptic curves defined over a quadratic extension
- with two independent endomorphisms, one always available and the second one from CM, with an explicit construction
- with fast scalar multiplication thanks to a 4-dimensional GLV method
42/44 Summary of contributions
- efficient C modules in the LibCryptoLCH for extension-field arithmetic and pairings
- design as generic as possible
- comparison of protocols in the composite-order and prime-order settings, with a clear conclusion: prefer prime-order groups for efficiency
- two new constructions of endomorphisms, on elliptic curves defined over F_{q²} and on genus 2 curves defined over F_q, for fast scalar multiplication
- ANR project: demonstrator for a pairing-based broadcast encryption system (BGW05, PPSS12)
43/44 Conclusions and perspectives
- pairings can be used in commercial products
- don't use pairings in small characteristic (the 2013 quasi-polynomial discrete-logarithm algorithms for F_{2^n} and F_{3^n} break the target group)
- a module for genus 2 curves in the LibCryptoLCH
- more collaboration with protocol designers
- pairings in Teopad, Galileo?
- more research needed on genus 2 curves
- 8-dimensional GLV?
- pairings with GLV?
44/44 Thanks!
Questions.