Analysis of Optimum Pairing Products at High Security Levels

Size: px

Start display at page:

Download "Analysis of Optimum Pairing Products at High Security Levels"

Spencer Clarke
5 years ago
Views:

1 Analysis of Optimum Pairing Products at High Security Levels Xusheng Zhang and Dongdai Lin Institute of Software, Chinese Academy of Sciences Institute of Information Engineering, Chinese Academy of Sciences INDOCRYPT 2012 Indian Statistical Institute, Kolkata Dec 12, 2012

2 Outline 1 Motivation 2 New Miller Formulas with Cubic Twist 3 Fast Pairing Computation on BLS27 Curve 4 Fast Pairing Computation on KSS16 Curve 5 Summary

3 Bilinear pairing on elliptic curve Bilinear Pairing is very important in encryption, signature... Elliptic Curve Pairing is a very simple model. Weil: e(p, Q) = f r,dp (D Q )/f r,dq (D P ) Tate: t(p, Q) = f r,dp (D Q ) (qk 1)/r Many pairings in Tate family could be chosen. Symmetric: eta pairing Asymmetric: ate, optimal ate pairing Special elliptic (pairing-friendly) curves are preferred. Supersingular curve Parameterized ordinary curve: BN, BLS, KSS curves...

4 Fast pairing on elliptic curve For an order-r pairing on elliptic curve e : E(F q )[r] E[r] ker(π q q) µ r F q k Choosing good parameters. Prime r insures ECC security. F q k insures MOV security. ρ = log q/ log r is close to 1. Miller s algorithm is widely used. Doubling or addition formulas: even embedding degree k, highdegree twist... Miller loop length: log r/ϕ(k) (optimal) Choosing Weil family or Tate family? Weil s optimal loop length could be larger than Tate s. Weil s Miller formulas could be more expansive than Tate s. But Weil s final exponentiation is much easier than Tate s. (Fortunately cyclotomic squaring could be used for Tate s.)

5 Fast pairing on elliptic curve For an order-r pairing on elliptic curve e : E(F q )[r] E[r] ker(π q q) µ r F q k Choosing good parameters. Prime r insures ECC security. F q k insures MOV security. ρ = log q/ log r is close to 1. Miller s algorithm is widely used. Doubling or addition formulas: even embedding degree k, highdegree twist... Miller loop length: log r/ϕ(k) (optimal) Choosing Weil family or Tate family? Weil s optimal loop length could be larger than Tate s. Weil s Miller formulas could be more expansive than Tate s. But Weil s final exponentiation is much easier than Tate s. (Fortunately cyclotomic squaring could be used for Tate s.)

6 Fast pairing on elliptic curve For an order-r pairing on elliptic curve e : E(F q )[r] E[r] ker(π q q) µ r F q k Choosing good parameters. Prime r insures ECC security. F q k insures MOV security. ρ = log q/ log r is close to 1. Miller s algorithm is widely used. Doubling or addition formulas: even embedding degree k, highdegree twist... Miller loop length: log r/ϕ(k) (optimal) Choosing Weil family or Tate family? Weil s optimal loop length could be larger than Tate s. Weil s Miller formulas could be more expansive than Tate s. But Weil s final exponentiation is much easier than Tate s. (Fortunately cyclotomic squaring could be used for Tate s.)

7 Optimum choices So the optimum choice is optimal ate pairing with sextic twist! When computing pairing product, what s the optimum choice? Notice Miller iteration is more important. So need to balance the loop length and the twist degree. 128-bit security: recommended kρ = 12 Single: BN (k = 12, ρ = 1) optimal pairing Product: BN optimal pairing 192-bit security: recommended kρ = Single: BLS12 (k = 12, ρ = 1.5) ate pairing Product:? 256-bit security: recommended kρ = 30 Single: BLS24 (k = 24, ρ = 1.25) ate pairing Product:?

8 Optimum choices So the optimum choice is optimal ate pairing with sextic twist! When computing pairing product, what s the optimum choice? Notice Miller iteration is more important. So need to balance the loop length and the twist degree. 128-bit security: recommended kρ = 12 Single: BN (k = 12, ρ = 1) optimal pairing Product: BN optimal pairing 192-bit security: recommended kρ = Single: BLS12 (k = 12, ρ = 1.5) ate pairing Product:? 256-bit security: recommended kρ = 30 Single: BLS24 (k = 24, ρ = 1.25) ate pairing Product:?

9 Optimum choices So the optimum choice is optimal ate pairing with sextic twist! When computing pairing product, what s the optimum choice? Notice Miller iteration is more important. So need to balance the loop length and the twist degree. 128-bit security: recommended kρ = 12 Single: BN (k = 12, ρ = 1) optimal pairing Product: BN optimal pairing 192-bit security: recommended kρ = Single: BLS12 (k = 12, ρ = 1.5) ate pairing Product: KSS16 (k = 16, ρ = 1.5) optimal pairing 256-bit security: recommended kρ = 30 Single: BLS24 (k = 24, ρ = 1.25) ate pairing Product: BLS27 (k = 27, ρ = 1.111) ate pairing

10 Outline 1 Motivation 2 New Miller Formulas with Cubic Twist 3 Fast Pairing Computation on BLS27 Curve 4 Fast Pairing Computation on KSS16 Curve 5 Summary

11 Review Miller s algorithm Input: r = L j=0 s j2 j, s j {0, 1} Output: f r,p (Q) (qk 1)/r 1: R P; f 1 2: for j = L 1..0 do 3: f f 2 l R,R (Q)/v 2R (Q) 4: R 2R 5: if s j = 1 then 6: f f l R,P (Q)/v R+P (Q) 7: R R + P 8: return f (qk 1)/r. Expand in 2-adic Denominator elimination method Expand in 2-NAF

12 Review Miller s algorithm Input: r = L j=0 s j2 j, s j {0, 1} Output: f r,p (Q) (qk 1)/r 1: R P; f 1 2: for j = L 1..0 do 3: f f 2 l R,R (Q) 4: R 2R 5: if s j = 1 then 6: f f l R,P (Q) 7: R R + P 8: return f (qk 1)/r. Expand in 2-adic Denominator elimination method Expand in 2-NAF

13 Review Miller s algorithm Input: r = L j=0 s j2 j, s j { 1, 0, 1} Output: f r,p (Q) (qk 1)/r 1: R P; f 1 2: for j = L 1..0 do 3: f f 2 l R,R (Q) 4: R 2R 5: if s j = 1 then 6: f f l R,P (Q) 7: R R + P 8: if s j = 1 then 9: f f l R,P (Q) 10: R R P 11: return f (qk 1)/r. Expand in 2-adic Denominator elimination method Expand in 2-NAF

14 Curves only with cubic twist Some curves only with cubic twist might have faster Miller iteration (due to larger ϕ(k)/k, e.g. k = 9, 27). Denominator elimination method Classic method is invalid v R (S) = x S x R / F p k (k k) A substituted method by Lin et al. New method f R1,R 2 (S) = l R 1,R 2 v R3 (S) l R1,R 2 (S)(x 2 S + x R 3 x S + x 2 R 3 ) f R1,R 2 (S) = l R 1,R 2 v R3 (S) x 2 S + x R 3 x S + x 2 R 3 λ(y S y R3 )

15 Curves only with cubic twist Some curves only with cubic twist might have faster Miller iteration (due to larger ϕ(k)/k, e.g. k = 9, 27). Denominator elimination method Classic method is invalid v R (S) = x S x R / F p k (k k) A substituted method by Lin et al. New method f R1,R 2 (S) = l R 1,R 2 v R3 (S) l R1,R 2 (S)(x 2 S + x R 3 x S + x 2 R 3 ) f R1,R 2 (S) = l R 1,R 2 v R3 (S) x 2 S + x R 3 x S + x 2 R 3 λ(y S y R3 )

16 Ate-like Miller iteration function Use the cubic twist Affine Miller iteration function f DBL(R1 )(P ) = x x 2 1 2y 1 (y 3 y P ) + x 3 x P ω 2 + x 2 P ω4 f ADD(R1,Q )(P ) = x y 2 y 1 x 2 x 1 (y 3 y P ) + x 3 x P ω 2 + x 2 P ω4 Projective Miller iteration function F DBL(R1 )(P ) = X X 2 1 Y 2 1 (Y 3 Z 3 y P ) + 2X 3 Z 3 ( x P 2 ω2 ) + Z 2 3 (x 2 P ω4 ) F ADD(R1,Q )(P ) = X 2 3 Z 1 Z 2 (Z 1 X 2 X 1 Z 2 ) 2 (Z 1 Y 2 Y 1 Z 2 )(Y 3 Z 3 y P ) +2X 3 Z 3 ( x P 2 ω2 ) + Z 2 3 (x 2 P ω4 )

17 Operations for ate-like Miller formulas with cubic twist Affine ADD A = (x 2 x 1 ) 1, B = A (y 2 y 1 ), x 3 = B 2 x 1 x 2, y 3 = B (x 2 x 3 ) y 2, t 3 = x 2 3, C = B (y 3 y P ), D = t 3 + C, E = x 3 x P. Affine DBL A = 3t 1, B = 2y 1, C = B 1, D = A C, x 3 = D 2 2x 1, y 3 = D (x 1 x 3 ) y 1, t 3 = x 2 3, E = D (y 3 y P ), F = t 3 + E, G = x 3 x P. Projective madd A = X 1 Z 2, B = Y 1 Z 2, C = Z 1 Z 2, D = A Z 1 X 2, E = B Z 1 Y 2, F = D 2, G = E 2, H = D F, I = F A, J = H + C G 2I, K = C F E, X 3 = D J, Y 3 = E (I J) H B, Z 3 = C H, T 3 = X 2 3, U 3 = Z 2 3, L = (X 3 + Z 3 ) 2 T 3 U 3, M = Z 3 y P, L 0 = T 3 K (Y 3 M), L 1 = L (x P /2), L 2 = U 3 (x 2 P ). Projective DBL A = Y 2 1, B = 3b U 1, C = (X 1 + Y 1 ) 2 T 1 A, D = (Y 1 + Z 1 ) 2 A U 1, E = 3B, X 3 = C (A E), Y 3 = (A + E) 2 3(2B) 2, Z 3 = 4A D, T 3 = X 2 3, U 3 = Z 2 3, F = (X 3 + Z 3 ) 2 T 3 U 3, G = 3C 2, H = Z 3 y P, L 0 = G (Y 3 H) + T 3, L 1 = F (x P /2), L 2 = U 3 (x 2 P ).

18 Costs for ate-like Miller formulas with cubic twist 3 k coord. M 1 I k/3 M k/3 S k/3 M ( ) DBL P Costello et al. k 6 7 1M (b) DBL P k 3 9 1M (3b) DBL A k/ madd P Costello et al. k 13 3 madd P k 12 5 ADD A k/ BDL+mADD P Costello et al. 2k M (b) BDL+mADD P 2k M (3b) Projective formulas are a little faster than the previous ones. Affine formulas might be much faster than these projective ones.

19 Affine vs. Projective Lauter et al. showed at high security levels, affine ate-like Miller formulas could be faster than projective ones. (Idea: the inversion-to-multiplication ratio in larger extension field could be lower.) In our case of ate-like pairing computation, the inversion-tomultiplication ratio R k/3 = I k/3 M is still low. k/3 k I k/3 M k/3 R k/3 9 I M 1 6M 1 R (Karatsuba, M 1 0.8S 1 ) (Karatsuba) (R 1 100) 27 I M 1 36M 1 R (Karatsuba, M 1 0.8S 1 ) (Karatsuba) (R 1 100) From the previous cost comparison, our new affine formulas are better than the projective ones when R k/3 5.6.

20 Outline 1 Motivation 2 New Miller Formulas with Cubic Twist 3 Fast Pairing Computation on BLS27 Curve 4 Fast Pairing Computation on KSS16 Curve 5 Summary

21 Barreto-Lynn-Scott 27 curve BLS27: E(r(z), t(z), p(z)), y 2 = x 3 + b r(z) = 1 3 (z18 + z 9 + 1), t(z) = z + 1, p(z) = 1 3 (z 1)2 (z 18 + z 9 + 1) + z. Extension field can be constructed easily. F p 27 = F p [t]/ t 27 2, if (z 1)/3 is odd F p 27 = F p [t]/ t 27 3, two-thirds of even (z 1)/3 Ate pairing is optimal. f z,q (P ) (p27 1)/r Final Exp. can be computed without using addition chains. 8 (p 27 1)/r = (p 9 1)((z 1) 2 (p 9 + z 9 + 1)( z i p 8 i ) + 3) i=0

22 Barreto-Lynn-Scott 27 curve BLS27: E(r(z), t(z), p(z)), y 2 = x 3 + b r(z) = 1 3 (z18 + z 9 + 1), t(z) = z + 1, p(z) = 1 3 (z 1)2 (z 18 + z 9 + 1) + z. Extension field can be constructed easily. F p 27 = F p [t]/ t 27 2, if (z 1)/3 is odd F p 27 = F p [t]/ t 27 3, two-thirds of even (z 1)/3 Ate pairing is optimal. f z,q (P ) (p27 1)/r Final Exp. but lacks cyclotomic squarings! (p 27 1)/r = (p 9 1)((z 1) 2 (p 9 + z 9 + 1)( 8 z i p 8 i ) + 3) i=0

23 Comparison at 256-bit security level Suggested curve choices: E : y 2 = x 3 2, where z = , r(z) has a 516-bit prime factor. and p(z) is a 573-bit prime. Estimated Cost (m m 576, m m 512, m s 576 ) Pairing ML+FS FE Total ( coord.) Full Sq. others n BLS m m m i m 573 ate +33i 573 +i i m 573 (A) i m 573 BLS m m m i m 576 ate +67i i i m 576 (A) i m 576

24 Outline 1 Motivation 2 New Miller Formulas with Cubic Twist 3 Fast Pairing Computation on BLS27 Curve 4 Fast Pairing Computation on KSS16 Curve 5 Summary

25 Kachisa-Schaefer-Scott 16 curve KSS16: E(r(z), t(z), p(z)), y 2 = x 3 + ax Lemma r(z) = z z , t(z) = 1 35 (2z5 + 41z + 35), p(z) = (z10 + 2z 9 + 5z z z z z z ) Optimal ate pairing can be constructed by using Vercauteren s method. Let E(t(z), r(z), p(z)) be a complete family of P-F curves with embedding degree k > 1. Then, there exist m(z) Q[z] and c i (z) Z[z], so that m(z)r(z) = ϕ(k) 1 i=0 c i (z)p(z) i, where deg c 0 (z) = 1 and deg c i (z) = 0. Final exponentiation seems complicated. Analysis of Optimum Pairing Products at High 16Security Levels 8 7 i

26 Kachisa-Schaefer-Scott 16 curve KSS16: E(r(z), t(z), p(z)), y 2 = x 3 + ax r(z) = z z , t(z) = 1 35 (2z5 + 41z + 35), p(z) = (z10 + 2z 9 + 5z z z z z z ) Optimal ate pairing can be constructed by using Vercauteren s method. a opt (Q, P) = ( (fz,q (P) l [z]q,[p]q (P) ) p 3 l Q,Q (P) Final exponentiation seems complicated (p 16 1)/r = (p 8 1) 7 c i (z)p i i=0 ) (p 16 1)/r

27 Kachisa-Schaefer-Scott 16 curve KSS16: E(r(z), t(z), p(z)), y 2 = x 3 + ax r(z) = z z , t(z) = 1 35 (2z5 + 41z + 35), p(z) = (z10 + 2z 9 + 5z z z z z z ) Optimal ate pairing can be constructed by using Vercauteren s method. a opt (Q, P) = ( (fz,q (P) l [z]q,[p]q (P) ) p 3 l Q,Q (P) Final exponentiation seems complicated (p 16 1)/r = (p 8 1) 7 c i (z)p i i=0 ) (p 16 1)/r

28 Kachisa-Schaefer-Scott 16 curve Decomposed the final exp. by using special addition chains. c 0 = 11(z 4 A + 27z 3 B + 28) + 19A, c 1 = 5(3z 3 A + 44z 2 B), c 2 = 25(z 2 A + 38zB), c 3 = 125(zA + 24B), c 4 = (2z 4 A + 55z 3 B) + 84A, c 5 = 5(4z 3 A + 117z 2 B), c 6 = 25(2z 2 A + 41zB), c 7 = 125 7B where A = z 3 B + 56 and B = (z + 1)

29 Comparison at 192-bit Security Level Suggested curve choices: E : y 2 = x 3 3x, where z = , r(z) has a 377-bit prime factor, and p(z) is a 481-bit prime. Estimated Cost (m m 512, m m 384 ) Pairing ML+FS FE Total (coord.) Full Sq. others n KSS m m m i m 481 opt-ate +i i m 481 (P) 7 i m 481 BLS m m m i m 512 ate +6i i m 512 (P) 7 6i m 512 KSS m m m i m 508 opt-ate +8i i m 508 (P) 7 8i m 508

30 Outline 1 Motivation 2 New Miller Formulas with Cubic Twist 3 Fast Pairing Computation on BLS27 Curve 4 Fast Pairing Computation on KSS16 Curve 5 Summary

31 Summary New fast Miller formulas only with cubic twist. Affine formulas (more efficient at high security levels). Projective formulas. Improvements of pairing computations on KSS16 and BLS27. Specially, when computing pairing product KSS16 optimal ate pairing is preferred at 192-bit security level. BLS27 ate pairing might be better at 256-bit security level. Further work... Accelerate the final exp. computation for BLS27 ate pairing? (cyclotomic squaring or cubing) Fast pairing on other curves only with cubic twist? e.g. Supersingular curve E/F p 2m with k = 3 (We have done)

32 Summary New fast Miller formulas only with cubic twist. Affine formulas (more efficient at high security levels). Projective formulas. Improvements of pairing computations on KSS16 and BLS27. Specially, when computing pairing product KSS16 optimal ate pairing is preferred at 192-bit security level. BLS27 ate pairing might be better at 256-bit security level. Further work... Accelerate the final exp. computation for BLS27 ate pairing? (cyclotomic squaring or cubing) Fast pairing on other curves only with cubic twist? e.g. Supersingular curve E/F p 2m with k = 3 (We have done)

33 Thank you for your attention! Any questions, please to

Faster Pairings on Special Weierstrass Curves

Faster Pairings on Special Weierstrass Curves craig.costello@qut.edu.au Queensland University of Technology Pairing 2009 Joint work with Huseyin Hisil, Colin Boyd, Juanma Gonzalez-Nieto, Kenneth Koon-Ho Wong Table of contents 1 Introduction The evolution