An Analysis of Affine Coordinates for Pairing Computation

Transcription

1 An Analysis of Affine Coordinates for Pairing Computation Michael Naehrig Microsoft Research joint work with Kristin Lauter and Peter Montgomery Microsoft Research Pairing 2010, Yamanaka Hot Spring, Ishikawa, Japan 13 December 2010

2 Optimal ate pairings To efficiently implement pairing-based protocols (at reasonably high security), one could choose a pairing e : G 2 G 1 G 3, (Q,P) g Q (P) qk 1 r G 1 = E(F q )[r], G 2 = E (F q e)[r], G 3 = µ r F, q k E/F q : elliptic curve, r prime, r #E(F q ), char(f q ) > 3, with small (even) embedding degree k, r q k 1, r q i 1 for i < k, E /F q e: twist of E of degree d k, e = k/d, r #E (F q e), µ r : group of r-th roots of unity in F, q k g Q : function depending on Q with coefficients in F. q k

3 Possible choices for pairing-friendly curves E : y 2 = x 3 + ax + b over F q, q prime Freeman, Scott, Teske: A taxonomy of pairing-friendly elliptic curves security construction curve k d e BN (Ex. 6.8) a = Ex b = Freeman (5.3) a, b Constr a,b BN (Ex. 6.8) a = KSS (Ex. 6.12) a = KSS (Ex. 6.11) b = Constr a,b Constr. 6.6 a = Constr. 6.4 b = Constr a, b

4 Components of the pairing algorithm Pairings are computed with Miller s algorithm. Miller loop builds functions for g Q (P) from DBL/ADD steps. R l R,Q Q R + Q v R +Q DBL ADD computation l R,R (P) l R,Q (P) coefficients in F q e, eval. at P E(F q ) R [2]R R R + Q curve arith. E(F q e) f f 2 l R,R (P) f f l R,Q (P) general squaring, special mult. in F q k Final exponentiation to the power (q k 1)/r needs arithmetic in the special subgroup µ r of F q k.

5 Choosing coordinates for pairings affine coordinates: (F q e = F q (α)) R + Q and l R,Q (P) Q v R +Q λ = (y R y Q )/(x R x Q ), x R +Q = λ 2 x R x Q, y R +Q = λ (x R x R +Q ) y R, l R,Q (P) = y P αλ x P + α 3 (λ x Q y Q ). R l R,Q R + Q DBL/ADD steps in affine coords need one inversion in F q e, projective coordinates avoid the inversion by doing more of the other operations, finite field inversion in prime field F q very expensive, for plain ECC over F q : projective always better, current speed records for pairings at 128-bit security level: projective formulas.

6 Affine vs. projective ab 0, d = 2, e = k/2 Cost for computing [2]R, l R,R (P) and R + Q, l R,Q (P) resp. DBL ADD coord. M q I q e M q e S q e add q e affine k/ proj affine k/ proj Cost to avoid the inversion (assuming S q e 0.8M q e): DBL: 9S q e + 13add q e (k/2)m q > 6M q e ADD: 5M q e + 5S q e + 15add q e (k/2)m q > 8M q e

7 Affine vs. projective a = 0, d = 6 k Cost for computing [2]R, l R,R (P) and R + Q, l R,Q (P) resp. DBL ADD coord. M q I q e M q e S q e add q e affine k/ proj. k/ affine k/ proj. k/ Cost to avoid the inversion (assuming S q e 0.8M q e): DBL: (k/6)m q + 5S q e + 12add q e 1M q e > 3M q e ADD: (k/6)m q + 8M q e + 1S q e + 1add q e > 8M q e

8 Affine vs. projective If extra cost to avoid inversions < cost to compute inversions = projective coordinates are the better choice. It all depends on the cost I q e, or rather on the ratio For q prime, I q >> M q. R q e = I q e/m q e. How large is R q e? How small can it be made in pairing implementations? Note: Pairings based on the ate pairing usually have e > 1, at least for higher security levels. Often, multiple pairings or products of pairings need to be computed.

9 Extension field inversions Quadratic extension: F q 2 = F q (α) with α 2 = ω F q, 1 b 0 + b 1 α = b 0 b 1 α b 2 0 b2 1 ω = b 0 b 2 0 b2 1 ω b 1 b 2 0 b2 1 ωα, b 2 0 b2 1 ω = N(b 0 + b 1 α) F q, compute inversion in F q 2 by inversion in F q and some other operations I q 2 I q + 2M q + 2S q + M (ω) + sub q + neg q. Assume M q 2 3M q and I q 2 I q + 6M q to get R q 2 = I q 2/M q 2 (I q /3M q ) + 2 = R q /3 + 2.

10 Extension field inversions Degree-l extension: generalization of Itoh-Tsujii inversion, standard way for inversion in optimal extension fields, assume F q l = F q (α) with α l = ω F q, with v = (q l 1)/(q 1) = q l q + 1, compute for β F q l, β v = N(β) F q. β 1 = β v 1 β v, R q l R q /M(l) + C(l) l /M(l) 1/3 1/6 1/9 1/13 1/17 1/22 C(l)

11 Simultaneous inversions Montgomery s n-th trick... Idea: To invert a 1 and a 2, compute a 1 a 2, then (a 1 a 2 ) 1 and a 1 1 = a 2 (a 1 a 2 ) 1, a 1 2 = a 1 (a 1 a 2 ) 1, replace 2I by 1I + 3M. In general for s inversions at once: compute c i = a 1 a i for 2 i s, then c 1 s and a 1 s = c 1 s c s 1, c 1 s 1 = c 1 s a s, a 1 s 1 = c 1 s 1 c s 2, replace si by 1I + 3(s 1)M. Average I/M is c 1 s 2 = c 1 s 1 a s 1,... (si)/(sm) = I/(sM) + 3(s 1)/s R/s + 3.

12 Affine coordinates for pairings Affine coordinates can be better than projective if the used implementation has small R q = I q /M q, for ate pairings whenever e is large, at high security levels (when k is large), when high-degree twists are not being used (d = 2), for computing several pairings (or products of several pairings) at once on different point pairs.

13 Pairings based on Microsoft Research s bignum optimal ate pairing on BN curves Pairing implementation uses MSR bignum for base field arithmetic (F p ) with Montgomery multiplication, extension fields based on MSR bignum field extensions, field inversions use norm trick as described before. MSR bignum + pairings is a C implementation (with a little bit of assembly for mod mul in case of 256-bit prime fields), is not restricted to specific security level, curves, or processors, works under 32-bit and 64-bit Windows.

14 Pairings based on Microsoft Research s bignum field arithmetic performance Fields over 256-bit BN prime field with p 3 (mod 4), i.e. F p 2 = F p (i), i 2 = 1. Timings on a 3.16 GHz Intel Core 2 Duo E8500, 64-bit Windows 7 M S I I/M cyc µs cyc µs cyc µs F p F p F p F p

15 Pairings based on Microsoft Research s bignum pairings on a 256-bit BN curve Timings on a 3.16 GHz Intel Core 2 Duo E8500, 64-bit Windows 7 operation CPU cycles time Miller loop 7,572, ms optimal ate pairing 14,838, ms 20 opt. ate at once (per pairing) 14,443, ms product of 20 opt. ate (per pairing) 4,833, ms EC scalar mult in G 1 2,071, ms EC scalar mult in G 2 8,761, ms