Parshuram Budhathoki FAU October 25, Ph.D. Preliminary Exam, Department of Mathematics, FAU

Transcription

1 Parshuram Budhathoki FAU October 25, 2012

2 Motivation Diffie-Hellman Key exchange What is pairing? Divisors Tate pairings Miller s algorithm for Tate pairing Optimization

3 Alice, Bob and Charlie want to communicate how can they share key? Alice Bob Charlie

4 Diffie-Hellman Two party key Exchange g x g y Alice Bob G = <g>

5 Diffie-Hellman Two party key Exchange g yx Alice x g x g y g xy Bob y Common Key = g yx Need single round

6 Diffie-Hellman Three party key Exchange g x g y Alice Bob g z Charlie

7 Diffie-Hellman Three party key Exchange x g x y Alice Bob z g First round g y z Charlie

8 Diffie-Hellman Three party key Exchange xz g x g xy y Alice Bob yz g Charlie z

9 Diffie-Hellman Three party key Exchange Alice x xz g Second round Bob y g yz z g xy Charlie

10 Diffie-Hellman Three party key Exchange g yzx x g xzy y Alice Bob g xyz Charlie z Common key = g xzy = g zxy = g zyx

11 Does one round protocol for three party key exchange exist? To answer this question we need special function.

12 Let (G,+) and (V,.) denote cyclic groups of prime order, P G, a generator of G and let e: G x G V be a pairing which satisfies the following additional properties: 1) Bilinearity : P, Q, R G we have and e(p+r, Q)= e(p,q) e(r,q) e(p, R+Q)= e(p,r) e(p,q) 2) Non-degeneracy : There exists P, Q G such that e(p,q) 1. 3) e can be efficiently computable.

13 P a ap P b Alice a e(bp, cp) bp Bob e(ap, cp) b ap cp cp P c bp Charlie e(bp, ap) c G = <P> be additive group.

14 Torsion Points: Let E : y 2 -(x 3 + Ax + B )=0 field q be an elliptic curve over finite E( ) = { (x,y) x,y } { } q q Here is the point at infinity ; these points form additive group with being the group identity. Let be a prime satisfying # E( q ) doesn t divide q-1 and q are co-prime

15 Torsion Points : Then for some integer k, E( q k order if and only if -1 q 2 k ) contains points of Let E[ ] denote the set of these order- points, which is called Torsion points.* E[ ] = { P E( ) : P = } qk 2 * Beyond Scope of Presentation

16 Function on Elliptic Curve : Let E be elliptic curve over a field K A non zero rational function f K( E *) defined at point P E(K) \{ } if => f= g / h, for g and h K ( E ) => h ( P ) 0 f is said to have : => Zero at point P if f ( P ) = 0 => Pole at point P if f ( P ) = or (1/ f ( P ) = 0)

17 Function on Elliptic Curve : There is a function u, called a uniformizer at P, such that u ( P ) = 0 P Every function f ( x, y ) can be written in the form r f = u g, P with r and g ( P ) 0, Order of f at P = r ord (f ) =r P If l is any line through P that is not tangent to E, then l is uniformizer parameter for P.

18 Divisors Up to constant multiple, a rational function is uniquely determined by its zeros and poles A divisor is tool to record these special points of function. For each P E, define formal symbol ( P ) Here E = E ( K )

19 Divisors: A divisor D is a formal sum of points : D = P (P) P E Where P and P = 0 for all but finitely many P E Div( E) denotes group of divisors of E which is free abelian group generated by the points of E, where addition is given by P (P) + (P) = ( + )(P) P E P E p P E P p

20 Divisors : Support of divisor D is supp(d)= { P E P 0} degree of divisor D is deg(d)= P P E sum of divisor D is sum ( D ) = P E P 0 Div (E) is subgroup, of divisors of degree 0, of Div(E) A divisor D with deg(d) = 0 is called a principal divisor.

21 Divisor of function : Number of zeros and poles of rational function f is finite. We can defined divisor of function f as div( f ) = ord ( f ) [ P ] P div( f ) = 0 iff f is constant A principal divisor is divisor which is equal to div ( f ) for some function f div ( f ) records zeros and poles of f and their multiplicities

22 Divisor of function : Let D be divisor : D = P (P) P E Then evaluation of f in D is defined by : f ( D ) = f ( P ) P P supp ( D )

23 Tate Pairing Let P E( k q ) [ ] then ( P ) - ( ) is principal divisor There is rational function with div ( ) = ( P ) - ( ) f ( E ), P q k f, P Let Q be a point representing coset in E ( ) / q k E ( q k) We construct D Div ( E ) such that : = > D ~ ( Q ) ( ) Q Q => supp ( D ) supp ( div ( f ) ) =, P

24 Tate Pairing The Tate pairing e : E( K )[ ] E ( ) / K K / q is given by : e(p, Q ) = f ( D ), P Q q K E ( ) q * ( * k ) q q

25 Tate Pairing e doesn t depend on choice of f, P e doesn t depend on choice of D Q e is well defined e satisfy Non- degeneracy e satisfy bilinearity

26 Miller s algorithm for the Tate pairing : [a]p [b]p -[a+ b] P [a+ b] P

27 Miller s algorithm for the Tate pairing : [a]p [b]p g [a]p,[b]p -[a+ b] P v [a+b]p [a+ b] P Let g be line passing through [a]p and [b]p and v be vertical [a]p,[b]p line passing trough [a+b]p [a+b]p

28 Miller s algorithm for the Tate pairing : [a]p [b]p -[a+ b ]P [a+b]p Then div( g ) = [ a]p + [ b ]P + [-(a+ b )]P 3 [ ] [a]p,[b] P div ( V ) = [ a + b ] P + [-( a+ b ) ] P 2 [ ] [a + b]p

29 Miller s algorithm for the Tate pairing : div ( f / g ) = div ( f ) div ( g ) div ( f g ) = div ( f ) + div ( g )

30 Miller s algorithm for the Tate pairing : Input : P E ( ), Q E ( ), where P has order Output : e ( P, Q ) 1. T = P, f = 1 2. for i = log ( ) -1 to 0 : T = 2T 3. f = f 4. return f k q k 2 f = f. g ( Q ) / v ( Q ) T,T (q - 1 ) / 2T q k if = 1 then i f = f. g ( Q ) / v (Q ) T,P T = T + P T+P

31 Miller s algorithm for the Tate pairing : Example: 2 3 Let E ( 1 1) : y = x + 3x # E ( ) = Choose = 6 then k = 2 If P = (1,9) and Q = (8+7i, 10+6i) find e(p,q) =6 => (,, ) = (1, 1, 0 ) T = (1,9) for i = 1: g = y + 7x + 6 and g = x+8 T,T 2T g T,T ( Q ) = 6 and g ( Q ) = 5 + 7i 2T

32 Miller s algorithm for the Tate pairing : Example: 6 2 f = 1. =1+3i 5+7i T = [2] (1, 9 ) = (3, 5 ) Since = 1 1 g = y + 2x and g =x T,P T + P g T,P ( Q ) = 4+9i and g ( Q ) = 8 + 7i T+P 4+9i Thus f = (1+3i) = 8+ 10i 8 + 7i And T = (3,5) + (1,9) = (0,0)

33 Miller s algorithm for the Tate pairing : Example: for i = 0 g = x and g =1 T,T 2T Then g ( Q ) = 8+7i and g (Q) =1 2T T,T 2 8+7i Thus f = (8+10i) =5i 1 and T = 2 (0,0) = 121-1/6 f = f = 1 mod 11

34 Optimization of Miller s loop for Tate pairing. Miller s algorithm fails if line function g and v pass through Q therefore T,T 2T Choose P and Q from particular disjoint groups For further optimization : Choose to have low hamming weight Choose P from E ( ) p

35 Optimization of Miller s loop for Tate pairing. From here : => k is even i.e. k =2d, where d is +ve integer => q = p, some prime => p = 3 mod 4 Therefore final exponentiation can now be written as f d d (p -1 )(p +1) / d => divides (p +1)

36 Optimization of Miller s loop for Tate pairing. Input : P E ( ), Q E ( ), where P has order Output : e ( P, Q ) 1. T = P, f = 1 2. for i = log ( ) -1 to 0 : T = 2T q k 2 f = f. g ( Q ) / v ( Q ) T,T 3.f = f (p d - 1 ) 4.f = f 5. return f 2T q k if = 1 then i f = f. g ( Q ) / v (Q ) T,P T = T+ P d (p +1 ) / T+P

37 Optimization of Miller s loop for Tate pairing. K is even => p k is quadratic extension of p d 2 Since p = 3 mod 4 => x + 1 is irreducible polynomial. w can be represented as w = a+ib, where a,b p k p d w = conjugate of w = a- i b Using Frobenius = > ( a + ib ) = ( a ib ) p d d p -1 = >(1/ ( a + ib ) ) = ( a ib ) d p -1

38 Optimization of Miller s loop for Tate pairing. Input : P E ( ), Q E ( ), where P has order q k Output : e ( P, Q ) 1. T = P, f = 1 2. for i = log ( ) -1 to 0 : q k 2 f = f. g ( Q ) T,T T = 2T if = 1 then i f = f. g ( Q ) T,P T = T+ P v ( Q ) 2T v ( Q ) T+P 3.f = f (p d - 1 ) 4.f = f 5. return f d (p +1 ) /

39 Optimization of Miller s loop for Tate pairing. Choice of Q : We have, Q = ( x, y ) where x = a+ib and y = c+id and a,b,c,d d p Choose b=c=0 Now v T+P and v 2T are elements of which means they will be wiped out by final exponentiation p d This called denominator-elimination optimization

40 Optimization of Miller s loop for Tate pairing. Input : P E ( ), Q E ( ), where P has order q k Output : e ( P, Q ) 1. T = P, f = 1 2. for i = log ( ) -1 to 0 : q k 2 f = f. g ( Q ) T,T T = 2T if = 1 then i f = f. g ( Q ) T,P T = T+ P v ( Q ) 2T v ( Q ) T+P 3.f = f (p d - 1 ) 4.f = f 5. return f d (p +1 ) /

41 Optimization of Miller s loop for Tate pairing.