Faster pairing computation in Edwards coordinates

Transcription

1 Faster pairing computation in Edwards coordinates PRISM, Université de Versailles (joint work with Antoine Joux) Journées de Codage et Cryptographie 2008

2 Edwards coordinates Á Thm: (Bernstein and Lange, 2007) Let E be an elliptic curve on F q. If E F q µ has a unique element of order 2 then there is a nonsquare d ¾ F q such that E is birationally equivalent over F q to the Edwards curve x 2 y 2 1 dx 2 y 2 Á On the Edwards curve the addition law is x 1 y 1 µ x 2 y 2 µ x1y 2 y 1 x 2 y 1 y 2 x 1 x 2 µ 1 dx 1 x 2 y 1 y 2 1 dx 1 x 2 y 1 y 2

3 Homogeneous Edwards coordinates Á In cryptographic applications one should use homogeneous Edwards coordinates, i.e. X Y Z µ corresponding to X Z Y Z µ on the Edwards curve. Á Addition becomes: X 3 Z 1 Z 2 X 0 Y 1 Y 0 X 1 µ Z 2 1 Z 2 2 dx 0X 1 Y 0 Y 1 µ Y 3 Z 1 Z 2 Y 0 Y 1 X 0 X 1 µ Z 2 1 Z 2 2 dx 0X 1 Y 0 Y 1 µ Z 3 Z 2 1 Z 2 2 dx 0X 1 Y 0 Y 1 µ Z 2 1 Z 2 2 dx 0X 1 Y 0 Y 1 µ

4 Edwards versus Jacobian Let E be an elliptic curve over F q, i.e. E y 2 x 3 ax b Á Jacobian coordinates : X Y Z µ such that X Z 2 Y Z 3 µ is a point on the elliptic curve E. Á Computations in Edwards coordinates are significantly faster than in Jacobian coordinates!

5 Edwards versus Jacobian Table: Performance evaluation: Edwards versus Jacobian Edwards coordinates Jacobian coordinates addition 10M+1S 11M+5S (plus S-M tradeoff) doubling 3M+4S 1M+8S or 4M+4S for a 3 mixed addition 9M+1S 8M+3S (Z 2 1) (plus 2 M-S tradeoffs)

6 What is a pairing? A pairing is a map e G 1 G ¼ 1 G 2 where G 1 G ¼ 1 G 2 are groups of order r such that the following hold: Á bilinear: e ap Qµ e P aqµ e P Qµ a Á non-degenerate: for every P ¾ G 1 different from 0 there is Q ¾ G ¼ 1 such that e P Qµ 1.

7 The Tate pairing. Notations. Let E be an elliptic curve over F q, i.e. E y 2 x 3 ax b Á Let r E F q µ and E r the subgroup of points of order r, i.e. E r P ¾ E F q µ rp O Á Embedding degree: k minimal with r q k 1µ. Á Note r-roots of unity r ¾ F q k. Á If k 1 then E F q k µ r E r.

8 The Tate pairing Á Choose P ¾ E r and Q ¾ E F q k µ Á Take f r P r Pµ r Oµ and D Q T µ T µ, with T such as the support of D is different from the support of f r P. Á The Tate pairing is given by T r P Qµ f r P Dµ qk 1µ r Á Domain and image are T r µ E r E F q k µ re F q k µ r

9 Miller s algorithm Á Introduce for i 1 functions f i P such as div f i P µ i Pµ ipµ i 1µ Oµ Á Note div f r P r Pµ r Oµ. Á Establish the Miller equation where l and v are such that f i j P f i P f j P l v div lµ ipµ jpµ i jµpµ 3 Oµ and div vµ i jµpµ i jµpµ 2 Oµ

10 Miller s algorithm Á Use the double and add method to compute f r P Dµ. Á Exploit the Miller equation Á l: the line through ip and jp f i j P f i P f j P l v Á v: the vertical line through i jµp. Á Evaluate at D ¼ at every step.

11 Miller s algorithm Á Count number of operations in the doubling step in the double and add method to evaluate performance of the algorithm independently from Á any faster exponentiation techniques Á the Hamming weight of r. Á Up to now best performance in Jacobian coordinates.

12 Back to Edwards curves Á Note a 4-torsion subgroup defined over F q : O 0 1µ T 4 1 0µ T 2 0 1µ T 4 1 0µ Á Take at look at the action of this subgroup on a fixed point P x yµ: P P P T 4 y xµ P T 2 x yµ P T 4 y xµ

13 Back to Edwards curves Á If xy 0 note p xyµ 2 and s x y y x to characterize the point P up to the action of the 4-torsion subgroup. Á Take E s p s 2 p 1 dpµ 2 4p and define E E s p x yµ xyµ 2 x y y x µ Á is separable of degree 4.

14 And back to an elliptic curve... Á E s p is elliptic as : s 2 p 1 dpµ 2 4p P S Z µ S 2 P Z dpµ 2 Z 4PZ 2 P 1µ s 2 z 3 2d 4µz 2 dz Á Consider the standard addition law: O s p 0 1 0µ neutral element and T 2 s p 1 0 0µ point of order 2.

15 Arithmetic of E s p Á Take P 1 and P 2 two points on E s p Á Take l s p the line passing through P 1 and P 2. Take R its third point of intersection with the curve E s p. Á Take v s p the vertical line through R. Á Define P 1 P 2 as the second point of intersection of v s p with E s p. Á Note that div l s p µ P 1 µ P 2 µ P 1 P 2 µµ 2 T 2 s p µ O s p µ and div v s p µ P 1 P 2 µ P 1 P 2 µµ 2 T 2 s p µ

16 Miller s algorithm on Edwards curves Á Consider slightly modified functions f 4µ i P : f 4µ i P i Pµ P T 4 µ P T 2 µ P T 4 µµ ipµ ip T 4 µ ip T 2 µ ip T 4 µµ i 1µ Oµ T 4 µ T 2 µ T 4 µµ Á Then f 4µ r P r Pµ P T 4µ P T 2 µ P T 4 µµ r Oµ T 4 µ T 2 µ T 4 µµ. Á Compute the 4-th power of the Tate pairing: T r P Qµ 4 f 4µ r P Dµ q k r 1

17 Miller s algorithm on the Edwards curve Establish the Miller equation: f 4µ i j P f 4µ i P f 4µ j P where l v is the function of divisor l div v µ ipµ ip T 4µ ip T 2 µ ip T 4 µµ jpµ jp T 4 µ jp T 2 µ jp T 4 µµ l v i jµpµ i jµp T 4 µ i jµp T 2 µ i jµp 0µ T 4 µ T 2 µ T 4 µµ

18 Miller s algorithm on the Edwards curve Á Let P ¼ Pµ and l s p and v s p such as div l s p µ ip ¼ µ jp ¼ µ i jµp ¼ µ 2 T 2 s p µ O s p µ and div v s p µ i jµp ¼ µ i jµp ¼ µ 2 T 2 s p µ Á Get l v l s p v s p µ.

19 Computations Á doubling for K X 1 Y 1 Z 1 µ: X 3 2X 1 Y 1 2Z1 2 X 1 2 Y 1 2 µµ Y 3 X1 2 Y 1 2 µ Y 1 2 X 1 2 µ Z 3 X1 2 Y 1 2 µ 2Z 1 2 X 1 2 Y 1 2 µµ Á computing l and v: l x yµ l 1 x yµ l 2 X1 2 Y 1 2 Z 1 2 µ X 1 2 Y 1 2 µ 2X 1 Y 1 x y y xµ 2 X1 2 Y 1 2 µµ Z 3 dz1 2 xyµ2 X1 2 Y 1 2 Z 1 2 µµµ Z 1 6 v x yµ v 1 x yµ v 2 dz3 2 xyµ2 X3 2 Y 3 2 Z 3 2 µµ Z 3 2

20 Operation count and conclusions Table: Comparison of costs Jacobian coordinates Edwards coordinates k 1 8s 12m 6s 12m Á similar analysis for k odd (although such curves are less used in practice)

21 Even embedding degree k Á Choose P such that P E F q µ Á Choose Q such as elements of Q have one coordinate defined over F q k 2 Á Compute T r P Qµ f r P Qµ qk 1µ r.

22 Operation count and conclusions Table: Comparison of costs in the case of k 2 Jacobian coordinates Jacobian coordinates for a 3 Edwards coordinates k 2 6s 7m S M 4s 8m S M 3s 10m S M Á s m costs of operations in F q and S M costs of operations in F q k

23 Operation count and conclusions Table: Comparison of costs in the case of k 4 even Jacobian coordinates Jacobian coordinates for a 3 Edwards coordinates k 4 even 6s k 6µm S M 4s k 7µm S M 3s k 9µm S M Á s m costs of operations in F q and S M costs of operations in F q k

24 Questions...?