Efficient Algorithms for Pairing-Based Cryptosystems

Transcription

1 CS548 Advanced Information Security Efficient Agorithms for Pairing-Based Cryptosystems Pauo S. L. M. Barreto, HaeY. Kim, Ben Lynn, and Michae Scott Proceedings of Crypto, Kanghoon Lee, AIPR Lab., KAIST 1

2 Contents Introduction Mathematica Preiminaries Scaar Mutipication in Characteristic 3 Suare Root Extraction Computing the Tate Pairing Experiment Resuts 2

3 Introduction Probems of Pairing-Based Cryptosystems Expensive biinear pairing computations (e.g. Wei or Tate pairing) Goas To make entirey practica systems Theoretica guarantees Severa efficient agorithms for the arithmetic operations Contributions of this paper Definition of point triping Faster scaar mutipication in characteristic 3 F p Improved suare root computation over m Important for the point compression A variant of Mier s agorithm Efficient computation of Tate pairing 3 2 (In characteristics 2 and 3, compexity reduction of Tate pairing is from O ( m ) to O( m ) ) 3

4 Mathematica Preiminaries (1) Finite Fied, : the fied with p m m eements p (prime number) : characteristicof m (positive integer) : extension degree * F {0} (simpy write F with =p m ) F Eiptic Curve F p E( F ) F The set of soutions (x, y)over to an euation of form E : y + a1xy+ a3y= x + a2x + a4x+ a6 with additiona point at infinity, O There exists an abeiangroup aw on E, P = P + F p m 3 1 P2 The number of points of E( F ), n = E( F), caed orderof the curve over the fied # The order of point P: the east nonzero integer r such that rp=o E[r] : the set of a points of order rin E E( K)[ r] : the set of a points of order r to the particuar subgroup E(K) F 4

5 Mathematica Preiminaries (2) Security mutipier k If r k -1and r does not divide s -1for any 0 < s < k Some cryptographicay interesting supersinguar eiptic curves Divisor: a forma sum of points on the curve F p m The degree of a divisor A = P a ( P) is the sum P A= a P P 5

6 Mathematica Preiminaries (3) Tate Pairing Let be a natura number coprimeto The Tate pairing of order is the map as Tate pairing satisfies the foowing properties * ] )[ ( ] )[ ( : k k F F E F E e Q P k A f Q P e 1)/ ( ) ( ), ( = 6

7 Scaar Mutipication in Characteristic 3 (1) Arithmetic on the curve E 3,b Let P 1 = (x 1, y 1 ), P 2 = (x 2, y 2 ), P 3 = (x 3, y 3 ) By definition, -O = O, -P 1 = (x 1, -y 1 ), O + P 1 = P 1 + O = P 1 Furthermore, Doube-and-add method : V = kp, k Z, k = (k t k 1 k 0 ) 2 where {0,1} k i 7

8 Scaar Mutipication in Characteristic 3 (2) Point Triping for E 3,b P = (x, y) 3P = (x 3, y 3 ) with the foumas, Tripe-and-add method : V = kp, k Z, k = (k t k 1 k 0 ) 3 where { 1,0,1} k i 8

9 Suare Root Extraction 2 Eiptic curve euation E : y = f( x) over F In a finite fied F m where p 3(mod4) and odd m, p the best agorithm to compute a suare root O( m 3 ) A soution of x =a, is given by If m = 2k+1 for some k, x= a 2 ( p +1)/ 4 m a k 1 i u i= 0 u= p where 2 can be verified by induction O( m 2 ogm) Fp operations 9

10 Computing the Tate Pairing Tate Pairing, e : E( F)[ ] E( F k)[ ] F k Let P E( F, )[ ] Q E( F k)[ ] k ( 1)/ e( P, Q) = f ( A ) P Q * To find the function f P and then evauate its vaue at A Q Mier s Formua [1, Theorem 2] where 10

11 Mier s Agorithm Exampe Computation of the Tate Pairing [2, Appendix B] p = 43, k = 2, = 11 Supersinguar eiptic curve E : y 2 = x 3 + x, order = 44 Distortion map φ( x, y) = ( x, iy) P = (23,8), Q=(20,8t) Using the Mier s agorithm, t([2]p, Q) (p^2+1)/ = (40t+28) 168 = 23t + 26, t(p, Q) (p^2+1)/ = (13t+38) 168 = 3t + 11 We know that t([2]p, Q) = t(p, Q) 2 11

12 Improvement of Mier s Agorithm (1) Irreevant denominators e n ( P, φ( Q)) φ When computing and is a distortion map, the g 2V and g V+P denominators in Mier s agorithm can be discarded Distorsion maps Evauation of f n with more efficient tripe-and-addmethod in characteristic 3 f ) = ( f ) + ( g ) + ( g ) ( g ) ( g ) ( 3a a ap, ap 2aP, ap 2aP 3aP With discarding the irreevant denominators 3 f3b( Q) = fb( Q) gap, ap( Q) g2ap, ap( Q) 12

13 Improvement of Mier s Agorithm (2) Speeding up the Fina Powering Evauation of the Tate pairing ( P, Q) incudes a fina raising to the power of Exponent part simiar way to the suare root agorithm e n ( p km 1) / n Fixed-base Pairing Precomputation ( P, Q) e n When computing, P is either fixed (e.g. base point on the curve) or used repeatedy (e.g. pubic key) Precompute e ( P, Q ) e n 13

14 Experimenta Resuts Timings for Boneh-Lynn-Shacham(BLS) verification and Boneh-Frankin identitybased encryption (IBE) (ms) Future works Appy to more genera agebraic curves, e.g., a fast n-th root agorithm 14

15 References [1] Pauo S. L. M. Barreto, HaeY. Kim, Ben Lynn, and Michae Scott, Efficient Agorithms for Pairing-Based Cryptosystems, Proceedings of Crypto, 2002 [2] Marcus Stogbauer, Efficient Agorithms for Pairing-Based Cryptosystems, Dipoma Thesis, Darmastay University of Technoogy,