Reducing the Key Size of Rainbow using Non-Commutative Rings

Transcription

1 Reducing the Key Size of Rainbow using Non-Commutative Rings Takanori Yasuda (Institute of systems, Information Technologies and Nanotechnologies (ISIT)), Kouichi Sakurai (ISIT, Kyushu university) and Tsuyoshi Takagi (Kyushu university). 1

2 MQ problem and key size MQ equations Public key = set of coefficients of polynomials m n j i n i m i m i j i m ij n m n j i n i i i j i ij n n j i n i i i j i ij n d c x b x x a x x f d c x b x x a x x f d c x b x x a x x f, 1 1 ) ( ) ( ) ( 1 2, 1 1 (2) (2) (2) 1 2 1, 1 1 (1) (1) (1) 1 1 ),..., ( ),..., ( ),..., ( 2 2) 1)( ( n n m coefficients of number the large key size 2

3 Rainbow Signature of a multilayer variant of UOV Secret key size is also large We reduced by 75%? Rainbow Secret key size Public key size Key size of RSA Ratio (secret key) R(17,13,13) 19.1kB 25.7kB 1369bits 116.6times R(21,16,17) 36.5kB 50.8kB 1937bits 150.7times R(27,19,19) 60.5kB 84.0kB 2560bits 189.0times Reference: A.Petzoldt et al. Selecting Parameters for the Rainbow Signature Scheme, PQCrypto'10, Springer LNCS vol (2010) Reduction by 62% Problem: reduction of key size - reduction of public key CyclicRainbow (INDOCRIPT 10, SCC 10, PKC 11) - reduction of secret key TTS, TRMS 3

4 Proposed scheme Rainbow using non-commutative rings NC - Rainbow( R; v ~, o~, ~,..., ~ 1 o2 o 1 s ) 4

5 Non-commutative rings R : non-commutative ring R : finite dimensional algebra over a finite field K (dimension=r) Fix a K linear isomorphism : K r ~ R Example (quaternion algebra (q : order of K)) Q q ( set) Q q K 1 K i K j K ij, (r = 4), ( product) i 2 j 2 1, ij ji. There is a natural isomorphism : K 4 Q ~ q 5

6 NC - Rainbow( R; v ~, o~, o~,..., o~ s ) (1/2) n : positive number For i = 1,, s ~ Si o~ Central map i ~ G v~ v~ v~ v~ s s 1 {1,..., v~ i }, v~ v~. i 1 i ~ O i { v ~ i 1,..., v~ i 1 ( ~ ~ n~ m~ g,..., ) :, ( ~ ~ ~ ~ 1 g R R m n v ) v 1 g x x x x x x ( k) ( k) k ( 1,..., n) ( i ij j j ij i ) i O, j S h i, j S h n h 1 }, n~ x x ( x x ) h ( k ) ( k,1) ( k,2) i ij j i i i i i S ( k v 1,..., n,,.. R). ( k) ( k) 1 ij 6 1

7 NC - Rainbow( R; v ~, o~, o~,..., o~ s ) (2/2) Key Generation Secret key (n = nr, m = mr) G, two affine transformations Public key ~ F A m~ Signature Generation m M K 1 ~ n~ G : K For message, calculate m~ 1 ~ (1) a ( A1 ( M )), (2) b G in this order. c is a signature. Verification ~ F( c) M If, the signature is accepted. If R=K, then this becomes A 7 2 n A 1 m m : K K, A2 1 K m. ( a), (3) c : K n~ n ( A 1 2 K ( b)) Original Rainbow Rainbow( K; v ~, o~, ~,..., ~ 1 o2 o 1 s n ).

8 Correspondence between NC-Rainbow and Rainbow Theorem There exists a correspondence which holds public key. NC - Rainbow( R; v ~ ~ ~,..., ~ 1, o1, o2 os ) Rainbow( K; rv~, ro~, ro~ 1 1 2,..., ro~ s ) Secret key size of NC-Rainbow m( m 1) n( n 1) s h 1 ro~ (2 v ~ o ~ v~ 2 v ~ Secret key size of corresponding Rainbow m( m 1) n( n 1) s h 1 ~ roh r 2 h v~ o~ h h h h 2 h rv~ ( ~ h rvh 2 h 1 1) rv~ 1) field elements h 1 1 field elements 8

9 Comparison of Secret key size K = GF(256), R = Q 256 (r = 4). Comparison of NC - Rainbow( Q ; ~, ~, ~ ) Rainbow( (256);4 ~,4 ~,4 ~ 256 v1 o1 o2 and GF v1 o1 o2) (v 1, o 1, o 2 ) NC-size Corr. Rainbow R-size ratio (4,3,3) 4.2kB (16,12,12) 15.9kB 26.7% (5,4,4) 8.0kB (20,16,16) 33.6kB 23.9% (7,5,5) 15.1kB (28,20,20) 70.7kB 21.5% (9,6,6) 25.5kB (36,24,24) 128.2kB 19.9% NC-size : Secret key size of NC-Rainbow R-size : Secret key size of corresponding Rainbow ratio = NC-size/R-size 9

10 Reason of reduction of key size Property of regular action R is expressed by a subring of matrix algebra of size r. Q q M ( K 4 entries 16 entries 4, ) M ( d, Qq ) M (4d, K) NC - Rainbow( Q ; ~ ~ ~,..., ~ q v1, o1, o2 os ) Rainbow( K;4 v ~,4 o ~,4 o ~ (Map in Theorem) 4d 2 entries 16d 2 entries ,...,4 o ~ s )

11 Attacks against Rainbow (1/2) Need to analyze attacks against Rainbow to know whether or not they work efficiently against NC-Rainbow. Known attacks against Rainbow Direct attacks Using XL and Grobner basis algorithm etc. UOV attack determine a simultaneous isotropic subspace (which coincides with Oil space in the last layer with high probability) compute invariant spaces of certain matrices UOV-Reconciliation(UOV-R) attack determine a simultaneous isotropic subspace (which coincides with Oil space in the last layer with high probability) Solve a system of equations w.r.t. coefficients of right affine transformation 11

12 Attacks against Rainbow (2/2) Known attacks against Rainbow (continued) MinRank attack determine a matrix with minimal rank among linear combinations of quadratic part of components of public key HighRank attack determine a matrix with the second highest rank among linear combinations of quadratic part of components of public key Rainbow-Band-Separation(RBS) attack transform public key to a form of central map of Rainbow Solve a system of equations w.r.t. coefficients of both affine transformations 12

13 Security for NC-Rainbow l -bit security (K =GF(2 a )) 1. UOV attack 2. MinRank attack 3. HighRank attack 4. UOV-R attack v~ o ~ 1 1 n 2ro~ l / a 1 5. Direct attacks, RBS attack s r o~ v~ ) l / ( 1 1 ro ~ s l / a a same security level against direct attacks A.Petzoldt et al. Selecting Parameters for the Rainbow Signature Scheme, PQCrypto'10, Springer LNCS vol (2010) 13

14 Table of security and secret key size NC - Rainbow( Q ; ~, ~, ~ ) Rainbow( (256);4 ~,4 ~,4 ~ 256 v1 o1 o2 and GF v1 o1 o2) NC-Rainbow (5, 4, 4) (7, 5, 5) (9, 6, 6) Security level 83bits 96bits 107bits Secret key size 8.0kB 15.1kB 25.5kB Corr. Rainbow (20,16,16) (28,20,20) (36,24,24) Secret key size 33.6kB 70.7kB 128.2kB Ratio 23.9% 21.5% 19.9% ratio=secret key size of NCRainbow/Secret key size of corr. Rainbow 14

15 Conclusion Conclusion We proposed a scheme using non-commutative rings, which is regarded as another construction of Rainbow. This scheme can reduce the secret key size in comparison with original Rainbow. In paticular, the secret key size of the proposed NC-Rainbow is reduced by about 75% in the security level of 80 bits. Future works Finding a non-commutative ring with efficient arithmetic operation. Speed up the signature generation 15

16 Dual Exponentiation Schemes Colin D. Walter Information Security Group Royal Holloway University of London 29 Feb 2012

17 The Problem Motivation: New algorithms are always useful as there are always so many different optimisations and conflicting pressures on resource-constrained platforms. Aim: Setting: Better exponentiation on space-limited chip. (Fast memory is expensive.) Mixed base representation for the exponent. Solution: Define a dual for the associated addition chain. Benefits: Derive new algorithms from existing ones; Better understanding of exponentiation. 2 / 30 Dual Exponentiation Colin D. Walter

18 Outline 1 Background 2 The Transposition Method 3 Space Duality 4 Extra Requirements 5 New Algorithms 6 Conclusion 3 / 30 Dual Exponentiation Colin D. Walter

19 Background 1 Background 2 The Transposition Method 3 Space Duality 4 Extra Requirements 5 New Algorithms 6 Conclusion 4 / 30 Dual Exponentiation Colin D. Walter

20 r-ary Exponentiation L2R (Brauer, 1939) Inputs: g G, D = ((d n 1 r+d n 2 )r+... +d 1 )r+d 0 N where 0 d i <r. Output: g D G Initialise table: T [d] g d for all d, 0<d<r. P 1 G for i n 1 downto 0 do { if i n 1 then P P r if d i 0 then P P T [d i ] } return P 5 / 30 Dual Exponentiation Colin D. Walter

21 r-ary Exponentiation R2L (Yao, 1976) Inputs: g G, D = d n 1 r n 1 +d n 2 r n d 1 r 1 +d 0 where 0 d i <r. Output: g D G Initialise table: T [d] 1 G for all d, 0<d<r. P g for i 0 to n 1 do { if d i 0 then T [d i ] T [d i ] P if i n 1 then P P r } return d:0<d<r T [d]d 6 / 30 Dual Exponentiation Colin D. Walter

22 Sliding Window L2R Inputs: g G, D = ((d n 1 r n 2 +d n 2 )r n d 1 )r 0 +d 0 N, where d i {0, ±1, ±3,..., ± 1 2 (r 1)}, r i {2, 2 w } and d i =0 if r i =2. Output: g D G Initialise table: T [d] g d for all d 0. P 1 G for i n 1 downto 0 do { if i n 1 then P P r i if d i 0 then P P T [d i ] } return P 7 / 30 Dual Exponentiation Colin D. Walter

23 Sliding Window R2L Inputs: g G, D = ((d n 1 r n 2 +d n 2 )r n d 1 )r 0 +d 0 N, where d i {0, ±1, ±3,..., ± 1 2 (r 1)}, r i {2, 2 w } and d i =0 if r i =2. Output: g D G Initialise table: T [d] 1 G for all d 0. P g for i 0 to n 1 do { if d i 0 then T [d i ] T [d i ] P if i n 1 then P P r i } return d 0 T [d]d 8 / 30 Dual Exponentiation Colin D. Walter

24 Mixed Base Exponentiation L2R Inputs: g G, D = ((d n 1 r n 2 +d n 2 )r n d 1 )r 0 +d 0 N, where (r i, d i ) R D. Output: g D G Initialise table: T [d] g d for all d D \ {0}. P 1 G for i n 1 downto 0 do { if i n 1 then P P r i if d i 0 then P P T [d i ] } return P 9 / 30 Dual Exponentiation Colin D. Walter

25 Mixed Base Exponentiation R2L Inputs: g G, D = ((d n 1 r n 2 +d n 2 )r n d 1 )r 0 +d 0 N, where (r i, d i ) R D. Output: g D G Initialise table: T [d] 1 G for all d D \ {0}. P g for i 0 to n 1 do { if d i 0 then T [d i ] T [d i ] P if i n 1 then P P r i } return d D\{0} T [d]d 10 / 30 Dual Exponentiation Colin D. Walter

26 A Compact Right-to-Left Algorithm (Arith13, 1997) Inputs: g G, D = ((d n 1 r n 2 +d n 2 )r n d 1 )r 0 +d 0 N, where (r i, d i ) R D. Output: g D G T 1 G P g for i 0 to n 1 do { if d i 0 then T T P d i if i n 1 then P P r i } return T The loop body involves computing P d i en route to P r i. 11 / 30 Dual Exponentiation Colin D. Walter

27 The Transposition Method 1 Background 2 The Transposition Method 3 Space Duality 4 Extra Requirements 5 New Algorithms 6 Conclusion 12 / 30 Dual Exponentiation Colin D. Walter

28 The Computational Di-Graph An addition chain for D yields a computational, acyclic di-graph: n 3 n 5 Here is that for 1+1=2; 1+2=3; 2+3=5. n 1 n 2 For convenience, nodes are numbered so n d represents g d. Addition i+j = k gives directed edges n i n k and n j n k. It is acyclic, with a single root n 1 and a single leaf n 5. All nodes except root n 1 have input degree 2 as all op s are binary. #Ops = #Nodes 1 = 1 2 #Edges. By induction, D = #paths from n 1 to n D. 13 / 30 Dual Exponentiation Colin D. Walter

29 Di-Graph for the Transpose Method n 3 n 5 n 1 n 2 Reverse the edges for the transposition method. Node inputs are again multiplied together. Path count is D, as before. So it again computes g D. Nodes may need merging or expanding to restore in-degree 2. The #binary operations is not changed: 1 2 #edges. This reverses the addition chain in some sense. It doesn t preserve space requirements and without care, sq g & mult n counts may change. 14 / 30 Dual Exponentiation Colin D. Walter

30 Space Duality 1 Background 2 The Transposition Method 3 Space Duality 4 Extra Requirements 5 New Algorithms 6 Conclusion 15 / 30 Dual Exponentiation Colin D. Walter

31 Space-Aware Addition Chains Definition. For a given set of registers, take five classes of atomic op s : Copying one register to another; Copying one register to another & initialising source register to 1 G ; In-place squaring of the contents of one register; Multiplying two different registers into one of the input registers; Multiplying two different registers into one of the input registers, & initialising the other input to 1 G. A space-aware addition chain is a sequence of such operations in which the registers are named. Every addition chain can be written as a space-aware addition chain. 16 / 30 Dual Exponentiation Colin D. Walter

32 Matrix Representation Space For a device with two locations, matrix examples of each class are: [ ] [ ] [ ] [ ] [ ,,,, and They act on a column vector containing the values in each register. By omitting more general op ns, this set is closed under transposition. Copy (without initialise) becomes multiplication with initialise, and vice versa. (The red matrices.) Other operations stay in their class under transposition. Definition. The dual of a space-aware chain is its transpose. (The transposed operations are applied in reverse order.) The dual uses the same space but may not have the same mult n count. ]. 17 / 30 Dual Exponentiation Colin D. Walter

33 Matrix Representation Space For a device with two locations, matrix examples of each class are: [ ] [ ] [ ] [ ] [ ,,,, and They act on a column vector containing the values in each register. By omitting more general op ns, this set is closed under transposition. Copy (without initialise) becomes multiplication with initialise, and vice versa. (The red matrices.) Other operations stay in their class under transposition. Definition. The dual of a space-aware chain is its transpose. (The transposed operations are applied in reverse order.) The dual uses the same space but may not have the same mult n count. ]. 17 / 30 Dual Exponentiation Colin D. Walter

34 Matrix Representation Space For a device with two locations, matrix examples of each class are: [ ] [ ] [ ] [ ] [ ,,,, and They act on a column vector containing the values in each register. By omitting more general op ns, this set is closed under transposition. Copy (without initialise) becomes multiplication with initialise, and vice versa. (The red matrices.) Other operations stay in their class under transposition. Definition. The dual of a space-aware chain is its transpose. (The transposed operations are applied in reverse order.) The dual uses the same space but may not have the same mult n count. ]. 17 / 30 Dual Exponentiation Colin D. Walter

35 The Dual Chain An Example R3 R2; R3 R2+R3; R1 I R2; R2 I R3; R2 I R1+R2 In matrices acting on a col mn vector: = The dual (the transpose) is: = i.e. R1 R2; R3 I R2; R2 I R1; R2 R2+R3; R2 I R2+R3 Both have two multiplications and no squarings. Both compute g 3 from g G with R 2 for I/O. 18 / 30 Dual Exponentiation Colin D. Walter

36 Extra Requirements 1 Background 2 The Transposition Method 3 Space Duality 4 Extra Requirements 5 New Algorithms 6 Conclusion 19 / 30 Dual Exponentiation Colin D. Walter

37 The Main Problems 1 #Mults may not be preserved in the dual as copying becomes mult n with initialisation. 2 The dual chain may not compute the same value unless the matrix product is symmetric. To overcome the first of these, extra conditions are required: Select the initialising op n when possible. Eliminate 1 G as an operand. Remove operations whose output is not used. Fix a subset of registers for I/O. (An I/O register must read input and write non-trivial output.) Definition. A space-aware chain is normalised if the above hold. 20 / 30 Dual Exponentiation Colin D. Walter

38 The Main Problems 1 #Mults may not be preserved in the dual as copying becomes mult n with initialisation. 2 The dual chain may not compute the same value unless the matrix product is symmetric. To overcome the first of these, extra conditions are required: Select the initialising op n when possible. Eliminate 1 G as an operand. Remove operations whose output is not used. Fix a subset of registers for I/O. (An I/O register must read input and write non-trivial output.) Definition. A space-aware chain is normalised if the above hold. 20 / 30 Dual Exponentiation Colin D. Walter

39 The Main Problems 1 #Mults may not be preserved in the dual as copying becomes mult n with initialisation. 2 The dual chain may not compute the same value unless the matrix product is symmetric. To overcome the first of these, extra conditions are required: Select the initialising op n when possible. Eliminate 1 G as an operand. Remove operations whose output is not used. Fix a subset of registers for I/O. (An I/O register must read input and write non-trivial output.) Definition. A space-aware chain is normalised if the above hold. 20 / 30 Dual Exponentiation Colin D. Walter

40 Counting Ones Instances of 1 G or arise from: a) Initial value of a non-input register. b) Initialised by copy or mult n op n. Instances of 1 G or finish their lives as: c) Final value in a non-output register. d) Overwritten by a copy op n. Since #a = #c, we conclude #b = #d. Subtracting the #{copies with init n } from #b and #d, we have #Mult ns with init n = #Copies without init n These op n types are swapped in the dual & others stay as they are. So: Theorem. For a normalised space-aware chain, #Mult ns & #Sq res are the same for the dual. 21 / 30 Dual Exponentiation Colin D. Walter

41 Counting Ones Instances of 1 G or arise from: a) Initial value of a non-input register. b) Initialised by copy or mult n op n. Instances of 1 G or finish their lives as: c) Final value in a non-output register. d) Overwritten by a copy op n. Since #a = #c, we conclude #b = #d. Subtracting the #{copies with init n } from #b and #d, we have #Mult ns with init n = #Copies without init n These op n types are swapped in the dual & others stay as they are. So: Theorem. For a normalised space-aware chain, #Mult ns & #Sq res are the same for the dual. 21 / 30 Dual Exponentiation Colin D. Walter

42 Counting Ones Instances of 1 G or arise from: a) Initial value of a non-input register. b) Initialised by copy or mult n op n. Instances of 1 G or finish their lives as: c) Final value in a non-output register. d) Overwritten by a copy op n. Since #a = #c, we conclude #b = #d. Subtracting the #{copies with init n } from #b and #d, we have #Mult ns with init n = #Copies without init n These op n types are swapped in the dual & others stay as they are. So: Theorem. For a normalised space-aware chain, #Mult ns & #Sq res are the same for the dual. 21 / 30 Dual Exponentiation Colin D. Walter

43 Counting Ones Instances of 1 G or arise from: a) Initial value of a non-input register. b) Initialised by copy or mult n op n. Instances of 1 G or finish their lives as: c) Final value in a non-output register. d) Overwritten by a copy op n. Since #a = #c, we conclude #b = #d. Subtracting the #{copies with init n } from #b and #d, we have #Mult ns with init n = #Copies without init n These op n types are swapped in the dual & others stay as they are. So: Theorem. For a normalised space-aware chain, #Mult ns & #Sq res are the same for the dual. 21 / 30 Dual Exponentiation Colin D. Walter

44 Symmetric Cases If the action of a (multi-) exponentiation function f on registers is described by matrix M then a dual f is described by the transpose M T. Theorem a) f computes the same values as f iff its matrix is symmetric. b) In particular, it uses the same registers for output as input. In the normalised case, unused registers give columns of zeros. Used, non-output registers are over-written with 1 G : more zeros. Used, non-input registers are initialised to 1 G : more zeros. So only the sub-matrix M IO on I/O registers need be symmetric. Theorem A normalised space-aware chain for a single exponentiation and its dual compute the same values. (Duals become unique only when written in atomic operations.) 22 / 30 Dual Exponentiation Colin D. Walter

45 Symmetric Cases If the action of a (multi-) exponentiation function f on registers is described by matrix M then a dual f is described by the transpose M T. Theorem a) f computes the same values as f iff its matrix is symmetric. b) In particular, it uses the same registers for output as input. In the normalised case, unused registers give columns of zeros. Used, non-output registers are over-written with 1 G : more zeros. Used, non-input registers are initialised to 1 G : more zeros. So only the sub-matrix M IO on I/O registers need be symmetric. Theorem A normalised space-aware chain for a single exponentiation and its dual compute the same values. (Duals become unique only when written in atomic operations.) 22 / 30 Dual Exponentiation Colin D. Walter

46 Symmetric Cases If the action of a (multi-) exponentiation function f on registers is described by matrix M then a dual f is described by the transpose M T. Theorem a) f computes the same values as f iff its matrix is symmetric. b) In particular, it uses the same registers for output as input. In the normalised case, unused registers give columns of zeros. Used, non-output registers are over-written with 1 G : more zeros. Used, non-input registers are initialised to 1 G : more zeros. So only the sub-matrix M IO on I/O registers need be symmetric. Theorem A normalised space-aware chain for a single exponentiation and its dual compute the same values. (Duals become unique only when written in atomic operations.) 22 / 30 Dual Exponentiation Colin D. Walter

47 New Algorithms 1 Background 2 The Transposition Method 3 Space Duality 4 Extra Requirements 5 New Algorithms 6 Conclusion 23 / 30 Dual Exponentiation Colin D. Walter

48 High Level Algorithms Question: When is an algorithm dualisable if its steps are more complex than the atomic operations? We want to be able to decompose steps independently into atomic op ns yet obtain the normalised property when all steps are concatenated. Solution: For each step the values initially in its non-input registers must not be used and its used non-output registers must be reset to 1 G. The output registers for one step must be the input registers for the next. (Include unused registers in the I/O set for convenience here.) These are only requirements on how steps are realised as space-aware chains. So not a restriction on algorithm formulation. Definition The dual of a high level exponentiation algorithm is that given by transposing its steps and reversing their order. 24 / 30 Dual Exponentiation Colin D. Walter

49 High Level Algorithms Question: When is an algorithm dualisable if its steps are more complex than the atomic operations? We want to be able to decompose steps independently into atomic op ns yet obtain the normalised property when all steps are concatenated. Solution: For each step the values initially in its non-input registers must not be used and its used non-output registers must be reset to 1 G. The output registers for one step must be the input registers for the next. (Include unused registers in the I/O set for convenience here.) These are only requirements on how steps are realised as space-aware chains. So not a restriction on algorithm formulation. Definition The dual of a high level exponentiation algorithm is that given by transposing its steps and reversing their order. 24 / 30 Dual Exponentiation Colin D. Walter

50 High Level Algorithms Question: When is an algorithm dualisable if its steps are more complex than the atomic operations? We want to be able to decompose steps independently into atomic op ns yet obtain the normalised property when all steps are concatenated. Solution: For each step the values initially in its non-input registers must not be used and its used non-output registers must be reset to 1 G. The output registers for one step must be the input registers for the next. (Include unused registers in the I/O set for convenience here.) These are only requirements on how steps are realised as space-aware chains. So not a restriction on algorithm formulation. Definition The dual of a high level exponentiation algorithm is that given by transposing its steps and reversing their order. 24 / 30 Dual Exponentiation Colin D. Walter

51 An Old Algorithm (Arith13, 1997) Inputs: g G, D = ((d n 1 r n 2 +d n 2 )r n d 1 )r 0 +d 0 N Output: g D G T 1 G P g for i 0 to n 1 do { if d i 0 then T T P d i if i n 1 then P P r i } return T The loop body involves computing P d i en route to P r i. 25 / 30 Dual Exponentiation Colin D. Walter

52 One Iteration Base/digit pairs (r, d) are chosen for compact, fast performance. Specifically at most one register in addition to P and T. e.g. r = 2 i ±1, d = 2 j will involve i squarings & 2 mult s. It avoids a table entry for each d. There is now a dual algorithm using the same space only three registers. The step T TP d, P P r is achieved by [ r 0 d 1 So the transpose performs the dual op n P P r T d. The sequence of op s is easily determined via the dual. ] = [ r d 0 1 ] T. 26 / 30 Dual Exponentiation Colin D. Walter

53 One Iteration Base/digit pairs (r, d) are chosen for compact, fast performance. Specifically at most one register in addition to P and T. e.g. r = 2 i ±1, d = 2 j will involve i squarings & 2 mult s. It avoids a table entry for each d. There is now a dual algorithm using the same space only three registers. The step T TP d, P P r is achieved by [ r 0 d 1 So the transpose performs the dual op n P P r T d. The sequence of op s is easily determined via the dual. ] = [ r d 0 1 ] T. 26 / 30 Dual Exponentiation Colin D. Walter

54 A New Compact Left-to-Right Algorithm Inputs: g G, D = ((d n 1 r n 2 +d n 2 )r n d 1 )r 0 +d 0 N Output: g D G T g P 1 G for i n 1 downto 0 do P P r i T d i return P Loop iterations are computed as described on last slide. It is the dual of the previous R2L algorithm, as just derived. 27 / 30 Dual Exponentiation Colin D. Walter

55 The Value of the Algorithm Table-less exponentiation useful in constrained environments. If space for only three registers and division has the same cost as mult n, the compact algorithms are faster. A left-to-right version allows better use of composite op s, e.g. double-and-add, triple-and-add, quintuple-and-add. Recoding is done on-the-fly for R2L exp n ; in advance for L2R exp n. The recoding typically needs up to 3 times the storage space of D. 28 / 30 Dual Exponentiation Colin D. Walter

56 Conclusion 1 Background 2 The Transposition Method 3 Space Duality 4 Extra Requirements 5 New Algorithms 6 Conclusion 29 / 30 Dual Exponentiation Colin D. Walter

57 Summary & Final Remarks A general setting enabling most exp n algorithms to be described naturally, namely a mixed base recoding. A new space- and time-preserving duality between left-to-right and right-to-left exp n algorithms. A new tableless exp n algorithm. It enables new speed records to be set in certain environments. New understanding of exp n is possible, e.g. a comparison of R2L initialisation with L2R finalisation steps / 30 Dual Exponentiation Colin D. Walter

58 Summary & Final Remarks A general setting enabling most exp n algorithms to be described naturally, namely a mixed base recoding. A new space- and time-preserving duality between left-to-right and right-to-left exp n algorithms. A new tableless exp n algorithm. It enables new speed records to be set in certain environments. New understanding of exp n is possible, e.g. a comparison of R2L initialisation with L2R finalisation steps / 30 Dual Exponentiation Colin D. Walter

59 Summary & Final Remarks A general setting enabling most exp n algorithms to be described naturally, namely a mixed base recoding. A new space- and time-preserving duality between left-to-right and right-to-left exp n algorithms. A new tableless exp n algorithm. It enables new speed records to be set in certain environments. New understanding of exp n is possible, e.g. a comparison of R2L initialisation with L2R finalisation steps / 30 Dual Exponentiation Colin D. Walter

60 Summary & Final Remarks A general setting enabling most exp n algorithms to be described naturally, namely a mixed base recoding. A new space- and time-preserving duality between left-to-right and right-to-left exp n algorithms. A new tableless exp n algorithm. It enables new speed records to be set in certain environments. New understanding of exp n is possible, e.g. a comparison of R2L initialisation with L2R finalisation steps / 30 Dual Exponentiation Colin D. Walter

61 Summary & Final Remarks A general setting enabling most exp n algorithms to be described naturally, namely a mixed base recoding. A new space- and time-preserving duality between left-to-right and right-to-left exp n algorithms. A new tableless exp n algorithm. It enables new speed records to be set in certain environments. New understanding of exp n is possible, e.g. a comparison of R2L initialisation with L2R finalisation steps / 30 Dual Exponentiation Colin D. Walter

62 CT-RSA 2012 February 29th, 2012 Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves Joint work with: Nicolas Estibals CARAMEL project-team, LORIA, Université de Lorraine / CNRS / INRIA, France Nicolas.Estibals@loria.fr Diego F. Aranha Jean-Luc Beuchat Jérémie Detrey Institute of Computing, University of Campinas, Brazil Graduate School of Systems and Information Engineering, University of Tsukuba, Japan CARAMEL project-team, LORIA, INRIA / Université de Lorraine / CNRS, France /* EPI CARAMEL */ C,A, /* Cryptologie, Arithmétique : */ R,a, /* Matériel et Logiciel */ M,E, L,i= 5,e, d[5],q[999 ]={0};main(N ){for (;i--;e=scanf("%" "d",d+i));for(a =*d; ++i<a ;++Q[ i*i% A],R= i[q]? R:i); for(;i --;) for(m =A;M --;N +=!M*Q [E%A ],e+= Q[(A +E*E- R*L* L%A) %A]) for( E=i,L=M,a=4;a;C= i*e+r*m*l,l=(m*e +i*l) %A,E=C%A+a --[d]);printf ("%d" "\n", (e+n* N)/2 /* cc caramel.c; echo f3 f2 f1 f0 p./a.out */ -A);}

63 Pairings and cryptology used as a primitive in many protocols and devices Boneh Lynn Shacham short signature Boneh Franklin identity-based encryption... N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 1 / 14

64 Pairings and cryptology used as a primitive in many protocols and devices Boneh Lynn Shacham short signature Boneh Franklin identity-based encryption... implementations needed for various targets online server high-speed software smart card low-resource hardware reach 128 bits of security (equivalent to AES) N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 1 / 14

65 What s a cryptographic pairing e : G 1 G 2 G T where (G 1, +), (G 2, +) and (G T, ) are cyclic groups of order l The discrete logarithm problem should be hard on these groups N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 2 / 14

66 What s a cryptographic pairing e : G 1 G 2 G T where (G 1, +), (G 2, +) and (G T, ) are cyclic groups of order l The discrete logarithm problem should be hard on these groups Bilinear map: e(ap, bq) = e(p, Q) ab N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 2 / 14

67 What s a cryptographic pairing e : G 1 G 2 G T where (G 1, +), (G 2, +) and (G T, ) are cyclic groups of order l The discrete logarithm problem should be hard on these groups Bilinear map: e(ap, bq) = e(p, Q) ab Symmetric pairing (Type-1): G 1 = G 2, exploited by some protocols N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 2 / 14

68 What s a cryptographic pairing e : G 1 G 2 G T where (G 1, +), (G 2, +) and (G T, ) are cyclic groups of order l The discrete logarithm problem should be hard on these groups Bilinear map: e(ap, bq) = e(p, Q) ab Symmetric pairing (Type-1): G 1 = G 2, exploited by some protocols Choice of the groups: G 1, G 2 : related to an algebraic curve G T : related to the field of definition of the curve N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 2 / 14

69 Classical choice of curves Barreto Naehrig curves + Lots of literature + Huge optimization efforts + Suited for 128 bits of security Arithmetic modulo p 256 bits No symmetric pairing N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 3 / 14

70 Classical choice of curves Barreto Naehrig curves + Lots of literature + Huge optimization efforts + Suited for 128 bits of security Arithmetic modulo p 256 bits No symmetric pairing Supersingular elliptic curves + Symmetric pairing Thanks to a distortion map ψ : G 1 G 2 + Small characteristic arithmetic No carry propagation Not suited to 128-bit security level Larger base field: F , F N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 3 / 14

71 Classical choice of curves Barreto Naehrig curves + Lots of literature + Huge optimization efforts + Suited for 128 bits of security Arithmetic modulo p 256 bits No symmetric pairing Supersingular elliptic curves + Symmetric pairing Thanks to a distortion map ψ : G 1 G 2 + Small characteristic arithmetic No carry propagation Not suited to 128-bit security level Larger base field: F , F N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 3 / 14

72 Classical choice of curves Barreto Naehrig curves + Lots of literature + Huge optimization efforts + Suited for 128 bits of security Arithmetic modulo p 256 bits No symmetric pairing Supersingular elliptic curves + Symmetric pairing Thanks to a distortion map ψ : G 1 G 2 + Small characteristic arithmetic No carry propagation Not suited to 128-bit security level Larger base field: F , F Solutions to the large base field needed by supersingular curves (Pairing 2010) Use fields of composite extension degree: benefit from faster field arithmetic but requires careful security analysis N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 3 / 14

73 Classical choice of curves Barreto Naehrig curves + Lots of literature + Huge optimization efforts + Suited for 128 bits of security Arithmetic modulo p 256 bits No symmetric pairing Supersingular elliptic curves + Symmetric pairing Thanks to a distortion map ψ : G 1 G 2 + Small characteristic arithmetic No carry propagation Not suited to 128-bit security level Larger base field: F , F Solutions to the large base field needed by supersingular curves (Pairing 2010) Use fields of composite extension degree: benefit from faster field arithmetic but requires careful security analysis (This work) Use genus-2 hyperelliptic curves: base field will be F N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 3 / 14

74 Elliptic curves E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14

75 Elliptic curves E(K) is a group E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 O Q P N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14

76 Elliptic curves E(K) is a group E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 O L P,Q Q P N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14

77 Elliptic curves E(K) is a group E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 O Q R L P,Q P N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14

78 Elliptic curves E(K) is a group E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 O V R Q R L P,Q P N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14

79 Elliptic curves E(K) is a group E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 O V R Q R L P,Q P R = P + Q N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14

80 Elliptic curves E(K) is a group E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 In practice: K is a finite field F q E(F q ) is a finite group O V R Q R L P,Q P R = P + Q N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14

81 Elliptic curves E(K) is a group E/K : y 2 + h(x) y = f (x) with deg h 1 and deg f = 3 In practice: K is a finite field F q O V R E(F q ) is a finite group l: a large prime dividing #E(F q ) Use the cyclic subgroup Q R L P,Q E(F q )[l] = {P [l]p = O} P R = P + Q N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 4 / 14

82 Genus-2 hyperelliptic curves C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14

83 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14

84 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 But pairs of points {P 1, P 2 } O Q 2 P 2 P 1 Q 1 N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14

85 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 But pairs of points {P 1, P 2 } O Q 2 P 2 P 1 Q 1 N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14

86 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 But pairs of points {P 1, P 2 } O Q 2 P 2 R 1 P 1 R 2 Q 1 N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14

87 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 But pairs of points {P 1, P 2 } O Q 2 P 2 R 1 R 2 P 1 R 1 R 2 Q 1 {P 1, P 2 } + {Q 1, Q 2 } = {R 1, R 2 } N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14

88 Genus-2 hyperelliptic curves C(K) not a group! But pairs of points {P 1, P 2 } C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 O Q 2 More formally use the Jacobian Jac C (K) P 2 R 1 R 2 P 1 R 1 R 2 Q 1 {P 1, P 2 } + {Q 1, Q 2 } = {R 1, R 2 } N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14

89 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 But pairs of points {P 1, P 2 } O Q 2 More formally use the Jacobian Jac C (K) D P P 2 R 1 R 2 D R D Q P 1 R 1 R 2 Q 1 D P + D Q = D R N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14

90 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 But pairs of points {P 1, P 2 } O Q 2 More formally use the Jacobian Jac C (K) D P P 2 R 1 R 2 D R D Q general form of the elements (called divisor) P 1 R 1 R 2 Q 1 D P = (P 1 )+(P 2 ) 2(O) D P + D Q = D R N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14

91 Genus-2 hyperelliptic curves C(K) not a group! C/K : y 2 + h(x) y = f (x) with deg h 2 and deg f = 5 But pairs of points {P 1, P 2 } O Q 2 More formally use the Jacobian Jac C (K) D P P 2 R 1 R 2 D R D Q general form of the elements (called divisor) P 1 R 1 R 2 Q 1 D P = (P 1 )+(P 2 ) 2(O) degenerate form (P) (O) D P + D Q = D R N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 5 / 14

92 Computing the pairing: Miller s algorithm (elliptic case) e : G 1 G 2 G T Reduced Tate pairing O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14

93 Computing the pairing: Miller s algorithm (elliptic case) P, Reduced Tate pairing e : E(F q )[l] G 2 G T O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14

94 Computing the pairing: Miller s algorithm (elliptic case) Reduced Tate pairing e : E(F q )[l] E(F q k)[l] G T P, Q k: embedding degree (curve parameter) O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14

95 Computing the pairing: Miller s algorithm (elliptic case) Reduced Tate pairing e : E(F q )[l] E(F q k)[l] µ l F q k P, Q f l,p (Q) qk 1 l k: embedding degree (curve parameter) O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14

96 Computing the pairing: Miller s algorithm (elliptic case) Reduced Tate pairing e : E(F q )[l] E(F q k)[l] µ l F q k P, Q f l,p (Q) qk 1 l k: embedding degree (curve parameter) O Miller functions: f n,p N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14

97 Computing the pairing: Miller s algorithm (elliptic case) e : E(F q )[l] E(F q k)[l] µ l F q k Reduced Tate pairing P, Q f l,p (Q) qk 1 l k: embedding degree (curve parameter) O Miller functions: f n,p an inductive identity f 1,P = 1 f n+n,p = f n,p f n,p g [n]p,[n ]P N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14

98 Computing the pairing: Miller s algorithm (elliptic case) e : E(F q )[l] E(F q k)[l] µ l F q k Reduced Tate pairing P, Q f l,p (Q) qk 1 l k: embedding degree (curve parameter) Miller functions: f n,p an inductive identity f 1,P = 1 f n+n,p = f n,p f n,p g [n]p,[n ]P g [n]p,[n ]P derived from the addition of [n]p and [n ]P g [n]p,[n ]P = L [n]p,[n ]P V [n+n ]P [n]p O [n ]P V [n+n ]P L [n]p,[n ]P [n + n ]P N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14

99 Computing the pairing: Miller s algorithm (elliptic case) e : E(F q )[l] E(F q k)[l] µ l F q k Reduced Tate pairing P, Q f l,p (Q) qk 1 l k: embedding degree (curve parameter) Miller functions: f n,p an inductive identity f 1,P = 1 f n+n,p = f n,p f n,p g [n]p,[n ]P g [n]p,[n ]P derived from the addition of [n]p and [n ]P compute f l,p thanks to an addition chain in practice: double-and-add log 2 l iterations g [n]p,[n ]P = L [n]p,[n ]P V [n+n ]P [n]p O [n ]P V [n+n ]P L [n]p,[n ]P [n + n ]P N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 6 / 14

100 Miller s algorithm (hyperelliptic case) e : G 1 G 2 G T O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 7 / 14

101 Miller s algorithm (hyperelliptic case) e : Jac C (F q )[l] Jac C (F q k)[l] µ l F q k O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 7 / 14

102 Miller s algorithm (hyperelliptic case) e : Jac C (F q )[l] Jac C (F q k)[l] µ l F q k D 1, D 2 f l,d1 (D 2 ) qk 1 l Hyperelliptic Miller functions: f n,d same inductive identity f 1,D = 1 f n+n,d = f n,d f n,d g [n]d,[n ]D O N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 7 / 14

103 Miller s algorithm (hyperelliptic case) e : Jac C (F q )[l] Jac C (F q k)[l] µ l F q k D 1, D 2 f l,d1 (D 2 ) qk 1 l Hyperelliptic Miller functions: f n,d same inductive identity f 1,D = 1 f n+n,d = f n,d f n,d g [n]d,[n ]D g [n]d,[n ]D = L [n]d,[n ]D V [n+n ]D O g [n]d,[n ]D derived from the addition of [n]d and [n ]D use Cantor s addition algorithm [n]d [n + n ]D [n ]D L [n]d,[n ]D V [n+n ]D N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 7 / 14

104 Miller s algorithm (hyperelliptic case) e : Jac C (F q )[l] Jac C (F q k)[l] µ l F q k D 1, D 2 f l,d1 (D 2 ) qk 1 l Hyperelliptic Miller functions: f n,d same inductive identity f 1,D = 1 f n+n,d = f n,d f n,d g [n]d,[n ]D g [n]d,[n ]D = L [n]d,[n ]D V [n+n ]D O g [n]d,[n ]D derived from the addition of [n]d and [n ]D use Cantor s addition algorithm double-and-add algorithm log 2 l iterations [n]d L [n]d,[n ]D [n + n ]D V [n+n ]D [n ]D iterations are more complex N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 7 / 14

105 Genus-2 binary supersingular curve: our choice C d /F 2 m : y 2 + y = x 5 + x 3 + d with d F 2 A distortion map exists: symmetric pairing # Jac Cd (F 2 m) = 2 2m ± 2 (3m+1)/2 + 2 m ± 2 (m+1)/2 + 1 Embedding degree of the curve: k = 12 For 128 bits of security: F 2 m = F and d = 0 N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 8 / 14

106 Genus-2 binary supersingular curve: our choice C d /F 2 m : y 2 + y = x 5 + x 3 + d with d F 2 A distortion map exists: symmetric pairing # Jac Cd (F 2 m) = 2 2m ± 2 (3m+1)/2 + 2 m ± 2 (m+1)/2 + 1 Embedding degree of the curve: k = 12 For 128 bits of security: F 2 m = F and d = 0 Key property of the curve: [2] ((P) (O)) = (P) + (P) 2(O) N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 8 / 14

107 Genus-2 binary supersingular curve: our choice C d /F 2 m : y 2 + y = x 5 + x 3 + d with d F 2 A distortion map exists: symmetric pairing # Jac Cd (F 2 m) = 2 2m ± 2 (3m+1)/2 + 2 m ± 2 (m+1)/2 + 1 Embedding degree of the curve: k = 12 For 128 bits of security: F 2 m = F and d = 0 Key property of the curve: [2] ((P) (O)) = (P) + (P) 2(O) [4] ((P) (O)) = (P 4 ) + (P 4 ) 2(O) N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 8 / 14

108 Genus-2 binary supersingular curve: our choice C d /F 2 m : y 2 + y = x 5 + x 3 + d with d F 2 A distortion map exists: symmetric pairing # Jac Cd (F 2 m) = 2 2m ± 2 (3m+1)/2 + 2 m ± 2 (m+1)/2 + 1 Embedding degree of the curve: k = 12 For 128 bits of security: F 2 m = F and d = 0 Key property of the curve: [2] ((P) (O)) = (P) + (P) 2(O) [4] ((P) (O)) = (P 4 ) + (P 4 ) 2(O) [8] ((P) (O)) = (P 8 ) (O) N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 8 / 14

109 Genus-2 binary supersingular curve: our choice C d /F 2 m : y 2 + y = x 5 + x 3 + d with d F 2 A distortion map exists: symmetric pairing # Jac Cd (F 2 m) = 2 2m ± 2 (3m+1)/2 + 2 m ± 2 (m+1)/2 + 1 Embedding degree of the curve: k = 12 For 128 bits of security: F 2 m = F and d = 0 Key property of the curve: [2] ((P) (O)) = (P) + (P) 2(O) [4] ((P) (O)) = (P 4 ) + (P 4 ) 2(O) [8] ((P) (O)) = ([8]P) (O) octupling acts on the curve N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 8 / 14

110 Genus-2 binary supersingular curve: our choice C d /F 2 m : y 2 + y = x 5 + x 3 + d with d F 2 A distortion map exists: symmetric pairing # Jac Cd (F 2 m) = 2 2m ± 2 (3m+1)/2 + 2 m ± 2 (m+1)/2 + 1 Embedding degree of the curve: k = 12 For 128 bits of security: F 2 m = F and d = 0 Key property of the curve: [2] ((P) (O)) = (P) + (P) 2(O) [4] ((P) (O)) = (P 4 ) + (P 4 ) 2(O) [8] ((P) (O)) = ([8]P) (O) octupling acts on the curve f 8,D has a much simpler expression than f 2,D N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 8 / 14

111 Constructing the Optimal Eta pairing Algorithm Tate double & add #iterations 2m Vanilla Tate pairing: log 2 l log 2 # Jac C (F 2 m) 2m doublings N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 9 / 14

112 Constructing the Optimal Eta pairing Algorithm #iterations Tate double & add 2m Tate octuple & add 2m 3 Vanilla Tate pairing: log 2 l log 2 # Jac C (F 2 m) 2m doublings Use of octupling: simpler iteration also! N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 9 / 14

113 Constructing the Optimal Eta pairing Algorithm #iterations Tate Tate Barreto et al. double & add octuple & add η T pairing 2m 2m 3 m 2 Vanilla Tate pairing: log 2 l log 2 # Jac C (F 2 m) 2m doublings Use of octupling: simpler iteration also! η T pairing: Miller function is f ±2 (3m+1)/2 1,D 1 N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 9 / 14

114 Constructing the Optimal Eta pairing Algorithm Tate Tate Barreto et al. double & add octuple & add η T pairing Optimal Ate pairing #iterations 2m 2m 3 m 2 m 6 Vanilla Tate pairing: log 2 l log 2 # Jac C (F 2 m) 2m doublings Use of octupling: simpler iteration also! η T pairing: Miller function is f ±2 (3m+1)/2 1,D 1 Optimal Ate pairing distortion map ψ is much more complex iterations would be roughly twice as expensive optimal Ate pairing not considered here N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 9 / 14

115 Constructing the Optimal Eta pairing Algorithm #iterations Tate Tate Barreto et al. This paper double & add octuple & add η T pairing Optimal Eta pairing 2m 2m 3 m 2 m 6 Vanilla Tate pairing: log 2 l log 2 # Jac C (F 2 m) 2m doublings Use of octupling: simpler iteration also! η T pairing: Miller function is f ±2 (3m+1)/2 1,D 1 Optimal Ate pairing distortion map ψ is much more complex iterations would be roughly twice as expensive optimal Ate pairing not considered here Optimal Eta pairing N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 9 / 14

116 Constructing the Optimal Eta pairing Algorithm #iterations Tate Tate Barreto et al. This paper double & add octuple & add η T pairing Optimal Eta pairing 2m 2m 3 m 2 m 6 Vanilla Tate pairing: log 2 l log 2 # Jac C (F 2 m) 2m doublings Use of octupling: simpler iteration also! η T pairing: Miller function is f ±2 (3m+1)/2 1,D 1 Optimal Ate pairing distortion map ψ is much more complex iterations would be roughly twice as expensive optimal Ate pairing not considered here Optimal Eta pairing cannot use 2 m -th power Verschiebung: does not act on the curve N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 9 / 14

117 Constructing the Optimal Eta pairing Algorithm #iterations Tate Tate Barreto et al. This paper double & add octuple & add η T pairing Optimal Eta pairing 2m 2m 3 m 2 m 3 Vanilla Tate pairing: log 2 l log 2 # Jac C (F 2 m) 2m doublings Use of octupling: simpler iteration also! η T pairing: Miller function is f ±2 (3m+1)/2 1,D 1 Optimal Ate pairing distortion map ψ is much more complex iterations would be roughly twice as expensive optimal Ate pairing not considered here Optimal Eta pairing cannot use 2 m -th power Verschiebung: does not act on the curve but can use 2 3m -th power Verschiebung 33% improvement compared to Barreto et al. s work N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 9 / 14

118 Considering degenerate divisors Some protocols allow to choose the form of one or two input divisors Consider degenerate divisors of the form (P) (O) only 2 coordinates in F 2 m to represent such a divisor (instead of 4 coordinates for a general one) since octupling acts on the curve: we can work with a point! [8]((P) (O)) = ([8]P) (O) N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 10 / 14

119 Considering degenerate divisors Some protocols allow to choose the form of one or two input divisors Consider degenerate divisors of the form (P) (O) only 2 coordinates in F 2 m to represent such a divisor (instead of 4 coordinates for a general one) since octupling acts on the curve: we can work with a point! [8]((P) (O)) = ([8]P) (O) We may compute the pairing of two general divisors (GG) one degenerate and one general divisor (DG) halves the amount of computation lot of protocols allow this two degenerate divisors (DD) halves again the amount of computation some protocols still compatible N. Estibals Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves 10 / 14