Aspects of Pairing Inversion

Transcription

1 Applications of Aspects of ECC Dublin Aspects of

2 Applications of Applications of Aspects of

3 Applications of Pairings Let G 1, G 2, G T be groups of prime order r. A pairing is a non-degenerate bilinear map e : G 1 G 2 G T. Bilinearity: e(p1 + P 2, Q) = e(p 1, Q)e(P 2, Q), e(p, Q1 + Q 2 ) = e(p, Q)e(P, Q 2 ). Non-degenerate: for all P 0: x G2 such that e(p, x) 1 for all Q 0: x G1 such that e(x, Q) 1 Examples: Scalar product on euclidean space, : R n R n R. Weil- and Tate pairings on elliptic curves and abelian varieties. Aspects of

4 Applications of Isomorphisms via pairings Since G 1, G 2, G T have prime order r, they re isomorphic. Pairing with first argument fixed, gives isomorphism between G 2 and G T : φ 2 : G 2 G T : Q φ 2 (Q) = e(p, Q) Pairing with second argument fixed, gives isomorphism between G 1 and G T : φ 1 : G 1 G T : P φ 1 (P) = e(p, Q) Generates all isomorphisms between G i and G T, without need to compute DLOGs. Aspects of

5 Applications of DLP, CDH & DDH Let G, + be a group of prime order r. DLP: Given a tuple (P, ap) compute a. CDH: Given a triple (P, ap, bp) compute abp. DDH: Given a quadruple (P, ap, bp, cp) decide if abp = cp. Aspects of

6 Applications of Pairings in cryptography Exploit bilinearity! MOV: DLP reduction from G 1 to G T : DLP ing 1 : (P, xp) DLP in G T : (φ 1 (P), φ 1 (xp)) = (e(p, Q), e(xp, Q)) Decision DH in G 1 : DDH : (P, ap, bp, cp) test if e(cp, Q) = e(ap, bq) but how get bq? Possible if computable isomorphism ψ 1 : G 1 G 2 with ψ 1 (P) = Q. Identity based crypto, short signatures,... Aspects of

7 Applications of Pairing inversion problems Fixed Argument 1 (FAPI-1) problem: Given P G 1 and z G T, compute Q G 2 such that e(p, Q) = z. Fixed Argument 2 (FAPI-2) problem: Given Q G 2 and z G T, compute P G 1 such that e(p, Q) = z. Generalised (GPI): Given z G T, find P G 1 and Q G 2 with e(p, Q) = z. Aspects of

8 Applications of FAPI s and CDH Generalisation of Verheul s result: e : G 1 G 2 G T is non-degenerate bilinear pairing on cyclic groups of prime order r. Suppose one can solve FAPI-1 and FAPI-2 in polynomial time. Then one can solve CDH in G 1, G 2 and G T in polynomial time. Aspects of

9 Applications of FAPI s and CDH Proof for G 1 : O i is FAPI-i oracle. Let (P, ap, bp) be a CDH input in G 1. Choose random Q G 2 and compute z = e(ap, Q). Call O 1 (P, z) to get aq. Now compute z = e(bp, aq) and call O 2 (Q, z ) to get abp. Aspects of

10 Applications of FAPI s and isomorphisms If one can solve FAPI-1 in polynomial time then one can compute all group isomorphisms ψ 1 : G 1 G 2 in polynomial time. Let P G 1 and Q G 2 be generators, then can compute ψ 1 such that ψ 1 (P) = Q. Similar result holds for FAPI-2. Aspects of

11 Applications of FAPI s and DDH If one can solve FAPI-1 in polynomial time then one can solve DDH in G 1 in polynomial time. Proof: Let (P, ap, bp, cp) be DDH quadruple. Want to test if e(cp, Q) = e(bp, aq)? How to get aq? Choose Q G 2 and let ψ 1 : G 1 G 2 be such that ψ 1 (P) = Q. Compute aq = ψ 1 (ap). Aspects of

12 Applications of Pairing inversion and BDH Bilinear-Diffie-Hellman problem (BDH-1) is: given P, ap, bp G 1 and Q G 2 to compute e(p, Q) ab. If one can solve FAPI-1 in polynomial time then one can solve BDH-1 in polynomial time. Proof: Let (P, ap, bp, Q) be BDH-1 quadruple. Let ψ 1 : G 1 G 2 be such that ψ 1 (P) = Q. Compute aq = ψ 1 (ap) and obtain z = e(bp, aq) = e(p, Q) ab. No implications for finite field crypto? Aspects of

13 Applications of Notation Let E be an elliptic curve over a finite field F q, i.e. E : y 2 = x 3 + ax + b for p > 5 Point sets E(F q k ) define an abelian group for all k 1. Hasse-Weil: number of points in E(F q ) is q + 1 t with t 2 q t is called trace of Frobenius. Aspects of

14 Applications of Torsion subgroups E[r] subgroup of points of order dividing r, i.e. E[r] = {P E(F q ) rp = } Structure of E[r] for gcd(r, q) = 1 is Z/rZ Z/rZ. Let r #E(F q ), then E(F q )[r] gives at least one component. Embedding degree: k minimal with r (q k 1). Note r-roots of unity µ r F. q k If k > 1 then E(F q k )[r] = E[r]. Aspects of

15 Applications of Trace and embedding degree Recall r #E(F q ) and #E(F q ) = q + 1 t So q t 1 mod r. Since x k 1 = d k Φ d(x), have r Φ k (q). Conclusion: r Φ k (t 1), so Φ k (t 1) r. t can be as small as r 1/ϕ(k), but not smaller. Aspects of

16 Applications of Frobenius endomorphism Frobenius: ϕ : E E : (x, y) (x q, y q ) Characteristic polynomial: ϕ 2 [t] ϕ + [q] = 0 Eigenvalues on E[r]: 1 and q since r #E(F q ) For k > 1 have q 1 mod r, thus decomposition of E[r] into Frobenius eigenspaces: E[r] = E(F q k )[r] = P Q with ϕ(p) = P and ϕ(q) = qq Notation used before: G 1 = P and G 2 = Q Aspects of

17 Applications of Miller functions Let P E(F q ) and n N. A Miller function f n,p is any function in F q (E) with divisor (f n,p ) = n(p) ([n]p) (n 1)( ) f n,p is determined up to a constant c F q. f n,p has a zero at P of order n. f n,p has a pole at [n]p of order 1. f n,p has a pole at of order (n 1). For every point Q P, [n]p,, we have f n,p (Q) F q. Aspects of

18 Applications of Miller s algorithm Use double-add algorithm to compute f n,p for any n N. Exploit relation: f m+n,p = f m,p f n,p l[n]p,[m]p v [n+m]p l [n]p,[m]p : the line through [n]p and [m]p v [n+m]p : the vertical line through [n + m]p Evaluate at Q in every step Aspects of

19 Applications of Tate pairing Let P E(F q k )[r] and f r,p F q k (E) with (f r,p ) = r(p) r( ) Note: f r,p has zero of order r at P and pole of order r at. Tate pairing is defined as (assuming normalisation) P, Q r = f r,p (Q) Domain and image are:, r : E(F q k )[r] E(F q k )/re(f q k ) F q k /(F q k ) r Reduced Tate pairing: e(p, Q) = P, Q (qk 1)/r r Aspects of

20 Applications of Ate pairing Non-degenerate pairing defined on G 2 G 1 only. Let S be integer with S q mod r and N = gcd(s k 1, q k 1) Let c S = k 1 i=0 Sk 1 i q i mod N. Then a S : G 2 G 1 µ r, (Q, P) f norm S,Q (P)c S(q k 1)/N defines a bilinear pairing, Typical choices for S are: S = t 1 with t trace of Frobenius. S = q, then no final exponentiation necessary. In general t 1 q, but could be as small as r 1/ϕ(k). Aspects of

21 Applications of Pairing Zoo Pairing Domain Where Who s Red Tate E[r] E/rE All HECs Miller r No eta G 1 G 2 SuSi BGOS t 1 No ate EC G 2 G 1 All ECs HSV t 1 No ate EC G 1 G 2 SuSi HSV t 1 No ate HEC G 2 G 1 All HECs GHOTV q Yes ate HEC G 1 G 2 SuSp GHOTV q Yes Aspects of

22 Applications of Extreme elliptic ate Curves with t = 1 give shortest loop in Miller s algorithm. Let E : y 2 = x over F p with p = , then t = 1, r = , k = 31 and D = 3. Let y λ(q)x ν(q) with λ = 3x 2 Q /(2y Q) and ν = ( x 3 Q + 8)/(2y Q) be the tangent at Q. The function (Q, P) ( y P λ(q)x P ν(q) ) (q k 1)/(3r) defines a non-degenerate pairing on G 2 G 1. Aspects of

23 Applications of Extreme elliptic ate: corollary Since (Q, P) ( y P λ(q)x P ν(q) ) (q k 1)/(3r) defines a non-degenerate pairing on G 2 G 1 we have corollary that for all P G 1 and Q G 2 the expressions (y P λ(q)x P ν(q)) 2 (y [2]P λ(q)x [2]P ν(q)) are 3r-th powers. and (y P λ(q)x P ν(q)) 2 (y P λ([2]q)x P ν([2]q)) Aspects of

24 Applications of Miller inversion Most pairings can be expressed as e(p, Q) := f s,p (Q) d for integers s and d and f s,p a Miller function. Possible approach: find correct d-th root first and then solve for Q in f s,p (Q) Miller inversion: Let P be fixed, let S be a set of points and take z F q k. Compute a point Q S such that z = f s,p (Q) or if no such point exists then output no solution. Aspects of

25 Applications of Miller inversion in polytime Setting: Ate pairing on G 2 G 1. Let S 2 and Q have order > 2. Then f s,q (x, y) can be written as f s,q (x, y) = f 1(x) + yf 2 (x) (x x [s]q ) with deg f 1 (x) (S + 1)/2 and deg f 2 (x) S/2 1. Miller inversion is equivalent with finding root of P(x) := (f 1 (x) z(x x [s]q )) 2 f 2 (x) 2 (x 3 + ax + b) of degree at most S + 1. Note: polynomial defined over F q k, but root over F q. Aspects of

26 Applications of Miller inversion in polytime Finding root of P(x) F q k [x] in F q is computing gcd(x q x, P(x)). Takes O( t 2 log q) operations in F q k or O( t 2 k 2 (log q) 3 ) bit-operations. If t and k grow as a polynomial function of log r, one can solve MI in polynomial time. Lemma: There exist families of parameters of pairing friendly curves for which the Miller inversion problem can be solved in polynomial time. Aspects of

27 Applications of FAPI-1 for ate pairing on small trace curves Recall extreme elliptic ate pairing a 2 (Q, P) ( y P λ(q)x P ν(q) ) (q k 1)/(3r) Problem: given Q = (x Q, y Q ) and a target z µ r F, q k need to solve (y λ(q)x ν(q)) (qk 1)/(3r) = z for some (x, y) E(F q ). Aspects of

28 Applications of FAPI-1 for ate pairing on small trace curves But: there are d = (q k 1)/(3r) possible roots of z. Only one of them of form y λx ν for some (x, y) E(F q ). Easy to compute random d-th roots of z, but hard to select the correct root. Can generate many more equations by a 2 (uq, P) = z u. Simpler problem: given many pairs (a, z) F 2 q k, with z = (a + x) d for some x F q, find x. Easy when d (q k 1), but how hard for d (q k 1)? Aspects of

29 Applications of FAPI-1 P MI Is solving MI sufficient to solve FAPI-1? Most people: no, since given z 0 = f s,p (Q) d, still need to try out all d possible roots. Idea: what if you take a random d-th root? Tate-Lichtenbaum pairing: t(, ) : E(F q )[r] E(F q k )/re(f q k ) F q k /(F q k ) r Reduced TL pairing into µ r : e(, ) = t(, ) (qk 1)/r Aspects of

30 Applications of FAPI-1 P MI For P E(F q )[r] let S 2 (P) denote set {Q E(F q k )} with e(p, Q) = 1 Suppose e(p, Q 1 ) = e(p, Q 2 ), then clearly Q 3 := Q 1 Q 2 S 2 (P) If #S 2 (P) is big enough, then likely that there exists Q E(F q k ) with Q := Q + R with R S 2 (P) and for a random root z of z 0. f s,p (Q ) = z Aspects of

31 Applications of FAPI-1 P MI TL pairing: already have re(f q k ) S 2 (P), but this only gives q k /r 2 points. For k > 1, also have E(F q e) S 2 (P) for all e k. At least have that E(F q )[r] S 2 (P). Since r E(F q ), E(F q )[r] re(f q k ) = {O} and thus S 2 (P) E(F q )[r] re(f q k ) rq k /r 2 d. Suggests that for the TL pairing with k > 1, FAPI-1 P MI. Above fails for ate pairing since only defined on G 2 G 1. Aspects of

32 Applications of A degree bound Ate pairing gave isomorphism of G 1 with µ r of the form f s,q ( ) d with f s,q function of low degree. However: total degree of f s,q ( ) d still very high. Lemma: Let E be an elliptic curve and f F q k (E). Assume that Q f (Q) d defines a non-constant homomorphism G 2 µ r for some positive exponent d. Then d deg(f ) (1/6)#G 2. Aspects of

33 Applications of Conclusions FAPI s and implications for crypto. MI can be easy. Extreme elliptic ate leads to new supposedly hard problem? For TL pairing have FAPI-1 P MI. No homomorphisms of low degree into µ r. Inverting pairings still hard... Aspects of