Efficient and Generalized Pairing Computation on Abelian Varieties

Transcription

1 ECC 2008 Efficient and Generalized Pairing Computation on Abelian Varieties Hyang-Sook Lee Ewha Womans University Korea Joint Work with Eunjeong Lee (North Carolina State University) Cheol-Min Park (EWHA)

2 Contents Background of pairings Efficient pairing computations - review Motivation for efficient pairing computation Eta and Eta T pairings on supersingular curves Ate and Ate i pairings on ordinary curves R-ate pairing Optimal pairing

3 Background of Pairings

4 Pairings (G 1,+), (G 2,+) and (G 3,*) : cyclic groups of a prime order r e be a map e : G 1 X G 2 G 3 satisfying Non-degeneracy : If e(p, Q) = 1 for all Q G 2, then P G 1 is the identity (vice versa) Bilinearity : e(ap, bp) = e(p, P) ab for a, b Z e is computable in polynomial time e : bilinear map or pairing (ex) Weil and Tate pairings on supersingular curves using distortion map.

5 Tate pairing/ate pairing F q : finite field with q elements C : nonsingular curve of genus g over F q J C : a group of degree zero divisor classes of C g = 1 J C elliptic curve r : a positive divisor of J C (F q ) with gcd(r, q) = 1 k is the smallest integer s.t. if r q k -1, r ł q s -1, 0< s < k k: embedding degree J C [r] : divisor classes of order dividing r

6 Tate pairing Define the Tate pairing <, > : J C [r] X J C (F q k)/rj C (F q k) F q k * / (F q k * ) r by <D, E> = f r,d (E ) where div(f r,d ) = rd, E E with supp(e ) supp(div(f r,d )) = Φ. For the uniqueness in F q k, define the reduced Tate pairing e(d, E) = f r,d (E ) (qk 1)/r

7 Ate pairing Let φ be the q-power Frobenius endomorphism on J C. G 1 = J c [r] ker(φ 1), G 2 = J c [r] ker(φ [q]). For D G 1, E G 2, Ate pairing (g=1)[hsv] : a(e, D) = f t-1,e (D) (qk 1)/r Ate pairing (g 2)[GHOTV] : a(e, D) = f q,e (D) (qk 1)/r Ate i pairing (g=1)[zzh] : a i (E, D) = f q i mod r,e (D) (qk 1)/r, 0<i< k

8 Miller s Algorithm Input : r= n-1 i=0 r i2 i Z, D J C [r], E J C (F q k)/rj C (F q k) Output : e(d,e) Number of iterations Def. Miller length n = log 2 r V=D, f=1 For i=n-1 down to 0 f f 2 g V,V (E)/g 2V (E) V 2V If r i =1 then f f 2 g V,D (E)/g V+D (E) V V+D Return f (qk -1)/r

9 Miller s Algorithm div(f n ) = n(p) - n(o) div(f 2 ) = 2(P) - (2P) - (O) div(f 4 ) = 4(P) - (4P) - 3(O) (f 4 =f 2 2 *g 2P,2P /g 4P,-4P ) (f 8 =f 4 2 *g 4P,4P /g 8P,-8P ) div(f 8 ) = 8(P) - (8P) - 7(O) div(f 9 ) = 9(P) - (9P) - 8(O) : : : div(f n ) = n(p)-n(o) (f 9 =f 8 *g 8P,P /g 9P,-9P ) Log 2 n - step

10 Supersingular curves An elliptic curve E/ F q is called supersingular if it has E[p s ](F q ) = {O} or p t, where p=char F q. - distortion map Eta pairing approach - small embedding degree p=2 k 4 p=3 k 6, over prime fields F p with p 5 k 2. - small number of curves 10

11 Ordinary curves Otherwise, is called ordinary curve, and E[p s ](F q ) = Z/p s Z - no distortion map Ate pairing approach - can be used over prime fields p for large prime - more and larger embedding degree - more choice of curves

12 Hyperelliptic cuves A hyperelliptic curve is called supersingular if its Jacobian is isogenous to the product of supersingular elliptic curves A hyperelliptic curve is called superspecial if its Jacobian is isomorphic to the product of supersingular elliptic curves Ate pairing applicable (GHOTV07) e.g. DL-curves

13 Efficient Pairing Computation

14 Pairing application in crypto Pairings in cryptanalysis ECDLP DLP / F q - MOV reduction, using Weil pairing (Menezes, Okamoto, Vanston 1993) - FR reduction, using Tate pairing (Frey RÜ ck 1994)

15 Motivation for efficient pairing computation Cryptosystem using pairings - one round tree party key agreement (A. Joux, 2000) - ID based encryption (Boneh & Franklin, 2001) - Short signatures/id based signatures - ID based key agreement protocols - Certificateless PKC... Signcryption, Broadcast encryption, Traitor tracing

16 Recent progress in pairing computation BKLS/GHS algorithm (2002) Duursma-Lee technique (2003) Eta T pairing on supersingular curves (BGES 2004) Ate pairing on ordinary curves (HSV 2006/GHOTV 2007) optimized Ate pairing (MKHO 2007) Ate i pairing (ZZH 2007) R-Ate pairing (LLP 2008) Optimal pairing (V 2008) Pairing Lattice (H 2008) goal of this process is simplifying Miller s algorithm and reducing the loop length of Miller s algorithm.

17 Improvements on Tate pairing BKLS/GHS algorithm, 2002 on y 2 = x 3 - x + d, d= 1 1. Evaluate at divisor evaluate at point 2. Removing the denominator in Miller algorithm after final exponentiation. 3. Using multiplication by 3 rather than 2 : multiplication V 3V is particularly simple, V = (a,b), 3V = ((a 3 ) 3 -d,-(b 3 ) 3 ). Duursma-Lee Algorithm, generalized to a hypereliptic curve, 2. providing the loop shortening idea eta pairing approach

18 Eta, Eta T, Ate pairing #E(F q ) = q +1-t = q - T = N ( t 2 q) #J(F q ) = q 2 +a q+b = N (f A,P ) = A(P) ([A]P) (A-1)(O) f N,P : Tate pairing f q,p : Eta pairing (Ate pairing) Supersingular curve with y 2 =x p -x+b, (b=±1, p 3 mod 4) (DL 03) Hyperelliptic curve (Ate pairing) (GHOTV 07) f T,P : Eta T pairing (Ate pairing) Supersingular elliptic/ Hyperelliptic curve (BGES 04) Ordinary elliptic curve (Ate pairing) (HSV 06)

19 Optimized Ate and Ate i pairing #E(F q ) = q+1-t = q-t = N t r 1/φ(k) ( r N ) S q mod r, f S,D (Optimized Ate) (MKHO 07) T i q i mod r, f T i,d (Ate i ) (ZZH 07)

20 Pairings on Elliptic curve #E(F q ) = q+1-t = q-t = N ( t 2 q), r N, r~q(size) Supersingular Ordinary Miller length Tate pairing f r,p (Q) f r,p (Q) log 2 r r:prime Eta pairing f q,p (ψ(q)) log 2 q ψ:distortion map Eta T pairing f T,P (ψ(q)) log 2 q 1/2 Ate pairing f T,P (Q) f T,Q (P) log 2 q 1/2 P G 1 Q G 2 Op Ate, Atei f T (Q) i,p f T (P) i,q log 2 r 1/ (k) T j =q j mod r

21 Example BN curve k=12, (k)=4 p=36z 4 +36z 3 +24z 2 +6z+1 r= 36z 4 +36z 3 +18z 2 +6z+1 T := min{t i =p i mod r, 1 i k} = T 1 = 6z 2 Miller length for Ate i pairing: log 2 r 1/2 There are many elliptic curves which cannot reach the low bound, log 2 r 1/ (k)

22 Pairings on Hyperelliptic curve with genus 2 #J(F q ) = q 2 +aq+b = N, r N, r~q 2 Supersingular Ordinary Miller length Tate pairing f r,p (Q) f r,p (Q) log 2 r Eta pairing f q,p (ψ(q)) log 2 q ψ:distortion map DL-curve EtaT pairing f T,P (ψ(q)) log 2 q 3/2 y 2 +y=x 5 +x 3 +d /F 2 m Ate pairing f q,p (Q) * f q,q (P) log 2 q P G 1 Q G 2 * Superspecial

23 [Pairing 2007, Galbraith, Hess, Vercauteren] Can further loop shortening be performed for the hyperelliptic Ate pairing such that Miller length log 2 q a with a < 1?

24 R-ate pairing [08, Lee, Lee & Park] Recall the Ate pairing and the Tate pairing #E(Fq) = q-t=n f q,q (P) = f N+T,Q (P) = f N,Q (P)f T,Q (P)G NQ, TQ (P) Use two parameters q and N for a new pairing Use other parameters for a new pairing Improve the efficiency of the pairing computation for some pairing friendly curves for supersingular hyperelliptic curves with genus 2 Generalize previous pairings

25 Definition: R-ate pairing Let ω = aτ + b for ω, a, τ, b Z f ω,d = f aτ +b,d = (f τ,d ) a f a,τd f b,d G aτd,bd (G aτ D,bD = l aτ D, bd /v (aτ +b)d ) If f ω,d, (f τ,d ) a are bilinear, then Ratio of two pairings f a,τ D f b,d G aτ D, bd is bilinear. R ω,τ (D,E) = f a,τ D (E) f b,d (E) G aτ D,bD (E) R R-ate pairing

26 Theorem Let N = #J(F q ) ω = aτ + b f ω,d, and f τ,d provides non-degenerate pairings with e(d,e) L 1 = f ω,d (E) M 1, e(d,e) L 2 = f τ,d (E) M 2 Let M=lcm(M 1,M 2 ), L=M(L 1 /M 1 -al 2 /M 2 ) If r L, R ω,τ (D, E) is a non-degenerate bilinear pairing with the relation, e(d,e) L = R ω,τ (D, E) M

27 Corollary (ω, τ ) = (q, r) : R-ate pairing = Ate pairing q = ar+t f q,d = f ar+t,d = f ar,d f T,D R-ate pairing = f T,D (ω, τ ) = (q i, r) : R-ate pairing = Ate i pairing q i = ar+t i f q i,d = f ar +T = f i,d ar,d f T i,d R-ate pairing = f Ti,D

28 Corollary (ω, τ ) = (T i, T j ) or (r, T j ) T i = at j +b or r = at j +b f T i,d (or f r,d ) = f at j+b,d = (f T j,d) a f ad,t j f b,d G at jd,bd = (f T j,d) a (f a,d ) qj f b,d G at jd,bd R-ate pairing = (f a,d ) qj f b,d G at jd,bd

29 R-ate pairings 1 i, j k, ω=aτ+b, T i = q i mod r (ω, τ ) R-ate pairing (q,r) f T,D Ate (q i,r) f Ti,D Ate i (T i,t j ) (f a,d ) qj f b,d G atd j,bd (r, T j ) (f a,d ) qj f b,d G atd j,bd New type

30 How can we compute the R-ate pairing with better efficiency than Ate or Ate i even if it looks complicated? goal : Miller length > r 1/φ(k)

31 Algorithm Input: D,E, (T i, T j ) Output: R(D,E)=(f a,d ) qj f b,d G at jd,bd with T i =at j +b Let a=cb+d 1. (f b,d, bd) Miller alg.(d,e,b) 2. (f c,bd,cbd) Miller alg.(bd,e,c) 3. (f d,d,dq) Miller alg.(d,e,d) 4. f 1 f b,dc f c,bd f d,d 5. f a,d f 1 G cbd,dd 6. ad cbd+dd 7. f 2 f a,d qj f b,d 8. f 3 f 2 G j(ad),bd Return f 3

32 A Criterion for efficient R-ate Assumption pairing on elliptic curves k : even embedding degree t MO : time for computing one loop in Note Miller s algorithm t(miller)~miller length t MO t(g c in F q k) 2(log 2 c) t MO /17

33 Then t(ate i )= log 2 T t MO, T=min 1 i k (T i ) t(r ω, τ ) t MO ω=aτ +b, max{a,b} = c min{a,b} + d =log 2 (min{a,b})+19log 2 c/17+log 2 d+2 (ω,τ ) := / log 2 T Thus (ω,τ ) such that (ω,τ ) < 1 efficient R-ate pairing

34 Supersingular elliptic curves with char 2,3 E : y 2 =x 3 -x+b / F q (b=±1, q=3 m, (m,6)=1) #E(F q )=3 m +1±b3 (m+1)/2 =3 m -T 3 m =±b3 (m-1)/2 (T+1) f 3 m = f 3 (m-1)/2 (T+1) = (f T+1 ) 3(m-1)/2 f 3 (m-1)/2,t+1 = (f T ) 3(m-1)/2 f 3 (m-1)/2, (T+1) (G T,1 ) 3(m-1)/2 R-ate pairing = f 3 (m-1)/2, (T+1) (G T,1 ) 3(m-1)/2 Eta T pairing = f 3 (m+1)/2 G 3 (m+1)/2,1

35 Ordinary elliptic curves(1) E1 curve (MF05) : k=7 T 2 : 54bits (Ate i pairing = f ) T 2 r = T 1 + b (b: 27bits, r: 160 bits) R-ate pairing = f b,d G T 1D,bD E2 curve (MF05) : k=10 T 6 : 60bits (Ate i pairing = f T 6 ) T 9 = at 2 + a 2 (a: 20bits, r: 160 bits) R-ate pairing = (f a,d ) q2 f a 2,D G at2 D, a 2 D (T 9, T 2 ) = 2/3

36 Ordinary elliptic curves(2) E3 curve (FST06) : k=8 r = 9z 4 +12z 3 +8z 2 +4z+1 T 1 = -9z 3-3z 2-2z-1 (Ate i pairing = f T 1 ) T 3 = T 2 + b (b=3z+1) R-ate pairing = f b,d G T 1D,bD (T 3, T 2 ) = 1/3 E4 curve (F06) : k=10 T 2 = 5z 2 (Ate i pairing = f T 2 ) T 9 = (a+2)t 2 + a (a=5z+1) R-ate pairing = (f a+2,d ) q2 f a,d G (a+2)t2 D,aD (T 9, T 2 ) = 1/2

37 Ordinary elliptic curves(3) E5 curve (BN05) k=12, (k)=4 r= 36z 4 +36z 3 +18z 2 +6z+1 T =T 1 = 6z 2 (Ate i pairing = f ) T 1 T 10 = (a+1)t 1 + a (a=6z+2) R-ate pairing = (f a+1 ) q f a G (a+1)t1, a (T 10, T 1 ) = 1/2

38 curve Parameters Ate i R-ate E1 k=7, (k)=6, log 2 r=160 T 2 = r =T N/A [MF05] p= (54bits) (27bits) r= E2 [MF05] k=10, (k)=4, log 2 r=160 p= T 6 = (60bits) T 9 = T (40bits) 2/3 r= E3 k=8, (k)=4 T 1 = T 3 = T 2 + 3z + 1 1/3 [FST06] p=(81z 6 +54z 5 +45z z 3-3z 2-2z-1 12z 3 +13z 2 +6z+1)/4 r=9z 4 +12z 3 +8z 2 +4z+1 E4 [F06] k=10, (k)=4 p=25z 4 +25z 3 +25z 2 +10z+3 r=25z 4 +25z 3 +15z 2 +5z+1 T 2 = 5z 2 T 9 = (5z+3)T 2 + (5z+1) 1/2 E5 k=12, (k)=4 T 1 = 6z 2 T 10 = 1/2 [BN05] p=36z 4 +36z 3 +24z 2 +6z+1 (6z+3)T 1 + 6z + 2 r=36z 4 +36z 3 +18z 2 +6z+1

39 Supersingular hyperelliptic curve with genus 2 q = p n, n odd H : supersingular hyperelliptic curve of genus 2 defined over F q #J(F q ) = q 2 +aq+b, r : large prime factor of #J(F q ) G 1 = J c [r] ker(φ 1), G 2 = J c [r] ker(φ [q]) as before

40 Supersingular hyperelliptic curve with genus 2 [Theorem] #J(F q ) = q 2 +aq+b (1) a 4 q + 10, b 4 q +1, a-b 9 (2) R-ate pairing : (f a,q (P)) q f b,q (P) G at1,b if supersingular (f a,p (Q)) q f b,p (Q) G at1,b if superspecial

41 Remark on Miller length R T 2,T1(Q,P)=(f a,qq f b,q G qaq,bq )(P) a = b + d However, d 9 not quite half in log 2 min{a,b} ~ (log 2 q) / 2 practical. t(r-ate) t MO (log 2 min{a,b}+log 2 9) + t MA + 3M k + t G,A The next t MA + 3M k + t G,A 2 t MO case is : time for addition, an mult in F q k, and computing G qaq,bq example. t(r-ate) t MO (log 2 min{a,b}+5) Miller length ~ half of log 2 q

42 Supersingular hyperelliptic curve with genus 2 H 2 : y 2 =x 5 -x+b / F q (b=0,1, q=5 m ) #J(F q ) = 5 2m + (a+2)5 m +a ( a = ±5 (m+1)/2 +1 ) T 2 = (a+2)t 1 + a R-ate pairing = (f a+2 ) q f a G (a+2)t1, a Ate pairing = f 5 m

43 Comparison of the Miller length Curve E1 E2 E3 E4 E5* H5 Miller length for Ate i Miller length for R-ate <80 bit security level, *128 bit>

44 Optimal pairing[08, Vercateran] Using q-expansion of a multiple λ = m r Using LLL-Alg, find small coeff of q-expansion Let e: G 1 X G 2 G T be a non-degenerate, bilinear with order r, called optimal pairing if e can be computed in log 2 r/φ(k) + ε(k) basic Miller iterations, with ε(k) log 2 k

45 λ = m r = Σ c i q i t(q,p) m = f r,q (P) m = f mr,q (P) = f λ,q (P) = f Σ ci q i,q(p) Tate pairing = f ci q i,q(p) G i,q (P) = ( f ci q i,q(p) f q i, ci Q(P)) G i,q (P) = ( f ci q i,q(p) G i,q (P)) f q i, ci Q(P) Candidate of Optimal pairing Product of Eta pairing

46 L : = r q q q φ(k) short vector V L with V r 1/φ(k) Using LLL-Algorithm, we can find V.

47 m ⅹ c 1 ⅹ c 2 ⅹ c l ⅹ r q q q φ(k) = ( c 0, c 1,, c l ) V = (c 0,c 1, c l ) with V r 1/φ(k)

48 mr = c 0 + c 1 q + + c l q l a [c0,c 1,, c l ](Q,P) = ( f ci qi,q(p) G i,q (P)) : Pairing with c i r 1/φ(k) for 0 i l = φ(k)-1 For optimal pairing, we need to choose a short vector V with a minimal number of coordinates of size r 1/φ(k)

49 Conclusion &... R-ate pairing: give pairings with low bound of Miller length when Ate i pairings can t reach. give more optimization for pairing computation in supersingular hyperelliptic curve with genus 2. Higher genus curve or non-supersingular hyperelliptic curve? also applicable but is it efficient?

50 Thank you!