An Algorithm for the η T Pairing Calculation in Characteristic Three and its Hardware Implementation

Size: px

Start display at page:

Download "An Algorithm for the η T Pairing Calculation in Characteristic Three and its Hardware Implementation"

Justina Andrews
6 years ago
Views:

1 An Algorithm for the η T Pairing Calculation in Characteristic Three and its Hardware Implementation Jean-Luc Beuchat 1 Masaaki Shirase 2 Tsuyoshi Takagi 2 Eiji Okamoto 1 1 Graduate School of Systems and Information Engineering University of Tsukuba, Japan 2 Future University-Hakodate, Japan Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith 18 1 / 25

2 Outline of the Talk 1 Example: Three-Party Key Agreement 2 Computation of the η T Pairing 3 Hardware Architecture 4 Conclusion Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith 18 2 / 25

3 Example: Three-Party Key Agreement Key agreement How can Alice, Bob, and Chris agree upon a shared secret key? Alice Bob? Chris Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith 18 3 / 25

4 Example: Three-Party Key Agreement Discrete logarithm problem (DLP) G = P : additively-written group of order n DLP: given P, Q, find the integer x {0,..., n 1} such that Q = xp Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith 18 4 / 25

5 Example: Three-Party Key Agreement Discrete logarithm problem (DLP) G = P : additively-written group of order n DLP: given P, Q, find the integer x {0,..., n 1} such that Q = xp Diffie-Hellman problem (DHP) Given P, ap, and bp, find abp. Alice a Bob b ap bp Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith 18 4 / 25

6 Example: Three-Party Key Agreement Discrete logarithm problem (DLP) G = P : additively-written group of order n DLP: given P, Q, find the integer x {0,..., n 1} such that Q = xp Diffie-Hellman problem (DHP) Given P, ap, and bp, find abp. Alice a ap Bob b ap bp bp Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith 18 4 / 25

7 Example: Three-Party Key Agreement Discrete logarithm problem (DLP) G = P : additively-written group of order n DLP: given P, Q, find the integer x {0,..., n 1} such that Q = xp Diffie-Hellman problem (DHP) Given P, ap, and bp, find abp. Alice a Bob b abp abp Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith 18 4 / 25

8 Example: Three-Party Key Agreement Alice ap a Bob bp b Chris cp c Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith 18 5 / 25

9 Example: Three-Party Key Agreement Alice a ap bp Bob bp b ap First round cp Chris cp c Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith 18 5 / 25

10 Example: Three-Party Key Agreement Alice abp a Bob bcp b Chris acp c Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith 18 5 / 25

11 Example: Three-Party Key Agreement Alice a abp bcp Bob bcp b abp Second round acp Chris acp c Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith 18 5 / 25

12 Example: Three-Party Key Agreement Alice abcp a Bob abcp b Chris abcp c Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith 18 5 / 25

13 Example: Three-Party Key Agreement Three-party two-round key agreement protocol Does a three-party one-round key agreement protocol exist? Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith 18 6 / 25

14 Example: Three-Party Key Agreement Bilinear pairing G 1 = P : additively-written group G 2 : multiplicatively-written group with identity 1 A bilinear pairing on (G 1, G 2 ) is a map ê : G 1 G 1 G 2 that satisfies the following conditions: 1 Bilinearity. For all Q, R, S G 1, ê(q + R, S) = ê(q, S)ê(R, S) and ê(q, R + S) = ê(q, R)ê(Q, S). 2 Non-degeneracy. ê(p, P) 1. 3 Computability. ê can be efficiently computed. Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith 18 7 / 25

15 Example: Three-Party Key Agreement Bilinear Diffie-Hellman problem (BDHP) Given P, ap, bp, and cp, compute ê(p, P) abc Assumption: the BDHP is difficult Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith 18 8 / 25

16 Example: Three-Party Key Agreement Alice ap a Bob bp b Chris cp c Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith 18 9 / 25

17 Example: Three-Party Key Agreement Alice ap a bp Bob bp b ap ap cp bp cp Chris cp c Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith 18 9 / 25

18 Example: Three-Party Key Agreement Alice ê(bp, cp) a a Bob ê(ap, cp) b b ê(bp, cp) a = ê(ap, cp) b = ê(ap, bp) c = ê(p, P) abc Chris ê(ap, bp) c c Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith 18 9 / 25

19 Example: Three-Party Key Agreement Examples of cryptographic bilinear maps Weil pairing Tate pairing η T pairing (Barreto et al.) Ate pairing (Hess et al.) Applications Identity based encryption Short signature Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

20 Computation of the η T Pairing Elliptic curve over F 3 m Q = (x q, y q ) P = (x p, y p ) P Q η T pairing calculation η T (P, Q) (F 3 6m) Exponentiation η T (P, Q) W F 3 6m Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

21 Computation of the η T Pairing Tower Field 1 ρ ρ 2 F 3 6m = F 3 2m[ρ]/(ρ 3 ρ 1) 1 σ F 3 2m = F 3 m[σ]/(σ 2 + 1) 1 x x 2 x m 3 x m 2 x m 1 F 3 m = F 3 [x]/(f (x)) F 3 = Z/3Z = {0, 1, 2} Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

22 Computation of the η T Pairing Tower Field F 3 2m F 3 2m F 32m 1 σ ρ σρ ρ 2 σρ 2 F 3 6m 12m bits 1 x x 2 x m 3 x m 2 x m 1 F 3 m 2m bits F 3 2 bits Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

23 Computation of the η T Pairing η T (P, Q) Addition Multiplication Cubing Cube root Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

24 Computation of the η T Pairing η T (P, Q) Addition Multiplication Cubing Cube root η T (P, Q) 3 m+1 2 Addition Multiplication Cubing Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

25 Computation of the η T Pairing η T (P, Q) Addition Multiplication Cubing Cube root η T (P, Q) 3 m+1 2 Addition Multiplication Cubing Bilinearity of η T (P, Q) W ( ([ η T (P, Q) W = 3m η T 3 m 1 2 ] P, Q ) m+1 ) W 3 2 Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

26 Computation of the η T Pairing Multiplication over F 3 6m Exponentiation Only one multiplication Operands: A and B F 3 6m Cost: 18 multiplications and 58 additions over F 3 m Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

27 Computation of the η T Pairing Multiplication over F 3 6m Only one multiplication Operands: A and B F 3 6m Exponentiation Cost: 18 multiplications and 58 additions over F 3 m Multiplication over F 3 6m η T (P, Q) m+1 2 multiplications Operands: A and B F 3 6m 1 with σ ρ σρ ρ 2 σρ 2 A = a 0 a 1 a a 0, a 1, and a 2 F 3 m Cost: 13 multiplications and 46 additions over F 3 m Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

28 Hardware Architecture P = (x p, y p ) Q = (x q, y q ) η T pairing calculation η T (P, Q) Exponentiation η T (P, Q) W Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

29 Hardware Architecture P = (x p, y p ) Q = (x q, y q ) η T pairing calculation η T (P, Q) Exponentiation η T (P, Q) W Multiplication over F 3 6m New algorithm 15 multiplications and 29 additions over F 3 m Allows one to share operands between multipliers (less registers) Architecture 9 multipliers Most significant coefficient first (Horner s rule) Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

30 Hardware Architecture Prototype Field: F 3 97 = F 3 [x]/(x 97 + x ) FPGA: Cyclone II EP2C35 (Altera) η T (P, Q) Arithmetic over F multipliers 2 adders 1 cubing unit Area: LEs Frequency: 149 MHz Computation time: 33 µs Exponentiation (Waifi 2007) Unified operator Area: 2787 LEs Frequency: 159 MHz Computation time: 26 µs Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

31 Hardware Architecture Comparisons Architecture Area Calculation time FPGA Our solution LEs 33 µs Cyclone II Grabher and Page (CHES 2005) 4481 slices 432 µs Virtex-II Pro Kerins et al. (CHES 2005) slices 850 µs Virtex-II Pro Ronan et al. (ITNG 2007) slices 178 µs Virtex-II Pro Beuchat et al. (CHES 2007) 1888 slices 222 µs Virtex-II Pro (1 slice 2 LEs) Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

32 Conclusion Future work Automatic generation of the control unit Application (e.g. short signature) Genus 2 Side-channel Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

33 Appendix Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

34 Multiplication over F 3 6m η T (P, Q) A ( r y p y q σ r 0 ρ ρ 2 ) = c 0 + c 1 σ + c 2 ρ + c 3 σρ + c 4 ρ 2 + c 5 σρ 2 c 0 c 1 σ c 2 ρ c 3 σρ c 4 ρ 2 c 5 σρ 2 a 4 r 0 a 5 r 0 a 0 r 0 a 1 r 0 a 2 r 0 a 3 r 0 a 2 a 3 a 4 a 5 a 0 a 1 a 2 a 3 a 4 a 5 a 4 r 0 a 5 r 0 a 0 r0 2 a 0 y p y q a 2 r0 2 a 2 y p y q a 4 r0 2 a 4 y p y q a 1 y p y q a 1 r0 2 a 3 y p y q a 3 r0 2 a 5 y p y q a 5 r0 2 Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

35 Multiplication over F 3 6m η T (P, Q) A ( r y p y q σ r 0 ρ ρ 2 ) = c 0 + c 1 σ + c 2 ρ + c 3 σρ + c 4 ρ 2 + c 5 σρ 2 c 0 c 1 σ c 2 ρ c 3 σρ c 4 ρ 2 c 5 σρ 2 a 4 r 0 a 5 r 0 a 0 r 0 a 1 r 0 a 2 r 0 a 3 r 0 a 2 a 3 a 4 a 5 a 0 a 1 a 2 a 3 a 4 a 5 a 4 r 0 a 5 r 0 a 0 r0 2 a 0 y p y q a 2 r0 2 a 2 y p y q a 4 r0 2 a 4 y p y q a 1 y p y q a 1 r0 2 a 3 y p y q a 3 r0 2 a 5 y p y q a 5 r0 2 1 Compute in parallel r 2 0, y py q, a 0 r 0, a 1 r 0, a 2 r 0, a 3 r 0, a 4 r 0, and a 5 r 0 (8 multiplications) Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

36 Multiplication over F 3 6m η T (P, Q) A ( r y p y q σ r 0 ρ ρ 2 ) = c 0 + c 1 σ + c 2 ρ + c 3 σρ + c 4 ρ 2 + c 5 σρ 2 c 0 c 1 σ c 2 ρ c 3 σρ c 4 ρ 2 c 5 σρ 2 a 4 r 0 a 5 r 0 a 0 r 0 a 1 r 0 a 2 r 0 a 3 r 0 a 2 a 3 a 4 a 5 a 0 a 1 a 2 a 3 a 4 a 5 a 4 r 0 a 5 r 0 a 0 r0 2 a 0 y p y q a 2 r0 2 a 2 y p y q a 4 r0 2 a 4 y p y q a 1 y p y q a 1 r0 2 a 3 y p y q a 3 r0 2 a 5 y p y q a 5 r0 2 1 Compute in parallel r 2 0, y py q, a 0 r 0, a 1 r 0, a 2 r 0, a 3 r 0, a 4 r 0, and a 5 r 0 (8 multiplications) 2 Apply Karatsuba s algorithm to compute the remaining products by means of 9 multipliers Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

37 Multiplication over F 3 6m η T (P, Q) A ( r y p y q σ r 0 ρ ρ 2 ) = c 0 + c 1 σ + c 2 ρ + c 3 σρ + c 4 ρ 2 + c 5 σρ 2 a 0 r0 2 a 0 y p y q a 2 r0 2 a 2 y p y q a 4 r0 2 a 4 y p y q a 1 y p y q a 1 r0 2 a 3 y p y q a 3 r0 2 a 5 y p y q a 5 r0 2 Karatsuba s algorithm (9 multiplications performed in parallel): a 0 y p y q a 1 r 2 0 = (a 0 + a 1 ) (y p y q r 2 0 ) + a 0 r 2 0 a 1 y p y q a 2 y p y q a 3 r 2 0 = (a 2 + a 3 ) (y p y q r 2 0 ) + a 2 r 2 0 a 3 y p y q a 4 y p y q a 5 r 2 0 = (a 4 + a 5 ) (y p y q r 2 0 ) + a 4 r 2 0 a 5 y p y q Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

38 Multiplication over F 3 6m η T (P, Q) Shift Load Load Load Load c4 D0 c3 c0 c1 c2 D1 M 0 M 1 M 2 a 0 r 0 a 2 r 0 a 4 r 0 a 0 r0 2 a 2 r0 2 a 4 r0 2 c5 Load Three multipliers c7 Clear Common operand: r 0 or r Synchronous reset c10 c6 c9 Select Load c8 Clear P Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

39 Multiplication over F 3 6m η T (P, Q) Shift Load Load Load Load c4 D0 c3 c0 c1 c2 D1 M 3 M 4 M 5 a 1 r 0 a 3 r 0 a 5 r 0 a 1 y p y q a 3 y p y q a 5 y p y q c5 Load Three multipliers c7 Clear Common operand: r 0 or y p y q Synchronous reset c10 c6 c9 Select Load c8 Clear P Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

40 Multiplication over F 3 6m η T (P, Q) Load Load Load D0 c0 c1 c2 D1 Load c10 Select c3 c5 Shift M 6 M 7 M 8 r0 2 y py q (a 0 + a 1) (a 2 + a 3) (a 4 + a 5) (y py q r0 2 ) (y py q r0 2 ) (y py q r0 2 ) c4 c6 c8 Load Load Clear c12 c11 Select Synchronous reset c7 c9 Load Clear P Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

41 A Coprocessor for the η T Pairing Computation d0 Mux0 1 0 d1 D0 Ctrl D1 pe_mult_block_t1_generic Q D0 Ctrl D1 pe_mult_block_t1_generic Q D0 Ctrl D1 pe_mult_block_t2_generic Q D0 Ctrl D1 pe_add S D2 Ctrl 0 1 Mux1 Qa D Ctrl pe_cubing C Mux2 0 1 RAM Qb Jean-Luc Beuchat (University of Tsukuba) η T Pairing in Characteristic Three Arith / 25

Arithmetic Operators for Pairing-Based Cryptography

Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography and Information Security Graduate School of Systems and Information Engineering University of Tsukuba 1-1-1