Cyclic Groups in Cryptography

Size: px

Start display at page:

Download "Cyclic Groups in Cryptography"

Gerard Watts
6 years ago
Views:

1 Cyclic Groups in Cryptography p. 1/6 Cyclic Groups in Cryptography Palash Sarkar Indian Statistical Institute

2 Cyclic Groups in Cryptography p. 2/6 Structure of Presentation Exponentiation in General Cyclic Groups. Cyclic Groups from Finite Fields. Cyclic Groups from Elliptic Curves. Bilinear Pairings in Cryptography.

3 Exponentiation in General Cyclic Groups Cyclic Groups in Cryptography p. 3/6

4 Cyclic Groups in Cryptography p. 4/6 Exponentiation Let G = g be a cyclic group of order G = q. Basic Problem: Input: a Z q. Task: Compute h = g a. Let a = a n 1...a 0, n = log 2 q ; each a i is a bit. Two simple methods. Right-to-left. Left-to-right.

5 Cyclic Groups in Cryptography p. 5/6 Right-to-Left n = 1: h = g a 0. n = 2: h = g 2a 1+a 0 = (g 2 ) a 1 ga 0. t = g; r = g a 0 ; t = t 2 ; r = t a 1 r; h = r. n = 3: h = g 22 a 2 +2a 1 +a 0 = (g 22 ) a 2 (g2 ) a 1 ga 0. t = g; r = g a 0 ; t = t 2 ; r = t a 1 r; t = t 2 ; r = t a 2 r; h = r. At ith step: square t; multiply t to r if a i = 1.

6 Cyclic Groups in Cryptography p. 6/6 Left-to-Right n = 1: h = g a 0. n = 2: h = g 2a 1+a 0 = (g a 1 )2 g a 0. r = g a 1 ; r = r 2 g a 0 ; h = r. n = 3: h = g 22 a 2 +2a 1 +a 0 = ((g a 2 )2 g a 1 )2 g a 0. r = g a 2 ; r = r 2 g a 1 ; r = r 2 g a 0 ; h = r. At ith step: square r; multiply r by g if a n i = 1. Important: always multiply by g. Also called square-and-multiply algorithm.

7 Cyclic Groups in Cryptography p. 7/6 Addition Chains An addition chain of length l is a sequence of l + 1 integers such that the first integer is 1; each subsequent integer is a sum of two previous integers. Example: 1,2,3,5,7,14,28,56,63. Addition chains can be used to compute powers. Consider the set of (n 1,...,n p,l) such that there is an addition chain of length l containing n 1,...,n p. Downey, Leong and Sethi (1981) proved this set to be NP-complete.

8 Cyclic Groups in Cryptography p. 8/6 Exponentiation Algorithms A survey by Bernstein with the title Pippenger s Exponentiation Algorithm Brauer (1939): the left-to-right 2 k -ary method. Straus (1964): computes a product of p powers with possibly different bases. Yao (1976): computes a sequence of p powers of a single base. Pippenger (1976): improves on both Straus s and Yao s algorithm.

9 Cyclic Groups from Finite Fields Cyclic Groups in Cryptography p. 9/6

10 Cyclic Groups in Cryptography p. 10/6 Structure of Finite Fields Let (IF, +, ) be a finite field with q = IF. q = p m, where p is a prime and m 1; p is called the characteristic of the field. (IF, +) is a commutative group. (IF = IF \ {0}, ) is a cyclic group. Basic Operations: addition and subtraction; multiplication; inversion (and division).

11 Cyclic Groups in Cryptography p. 11/6 Useful Fields We are interested in large fields: p m Commonly used fields. Large characteristics: m = 1 and p is large. Characteristics 2: p = 2. Characteristics 3: p = 3, relevant for pairing based cryptography. Other composite fields: Optimal extension fields. Criteria for choosing a field: security/efficiency trade-off.

12 Cyclic Groups in Cryptography p. 12/6 Large Characteristics Use of multi-precision arithmetic; p is stored as several 32-bit words; each field element is stored as several 32-bit words; all computations done modulo p; combination of Karatsuba-Ofman and table look-up used for multiplication; Inversion using Itoh-Tsuji algorithm; [I] 30 to 50 [M].

13 Cyclic Groups in Cryptography p. 13/6 Characteristics Two Polynomial Basis Representation. Let τ(x) be an irreducible polynomial of degree n over GF(2). IF consists of all polynomials of degree at most n 1 over GF(2). Addition and multiplication done modulo τ(x). Multiplication: Karatsuba-Ofman, table look-up. Inversion: extended Euclidean algorithm. [I] 8 to 10 [M] (or lesser). Normal Basis Representation: but multiplication is costlier. squaring is free

14 Cyclic Groups in Cryptography p. 14/6 Choice of Cyclic Group The whole of IF is not used. Let r be a prime dividing q 1 = p m 1. Then IF q has a subgroup G of order r. Being of prime order, this subgroup is cyclic, i.e., G = g. Cryptography is done over G. Necessary Criteria: The discrete log problem should be hard over G.

15 Cyclic Groups in Cryptography p. 15/6 Discrete Log Algorithms Generic algorithms: O( G ). Pollard s rho algorithm. Pohlig-Hellman algorithm. Index calculus algorithm: O Works over Z p. Number field sieve: O sub-exponential algorithm. ( e (1+o(1)) lnplnlnp ). ( ) e (1.92+o(1))(lnq)1/3 (lnlnq) 2/3 ) ;

16 Cyclic Groups in Cryptography p. 16/6 Security Versus Efficiency Size of G and IF has to be chosen so that all known discrete log algorithms have a minimum run time. Size of IF determines the efficiency of multiplication and inversion. For 80-bit security: G is at least ; IF is at least ; Existence of sub-exponential algorithms necessitates larger size fields. Detailed study of feasible parameters by Lenstra and Verheul.

17 Cyclic Groups from Elliptic Curves Cyclic Groups in Cryptography p. 17/6

18 Cyclic Groups in Cryptography p. 18/6 Weierstraß Form Weierstraß equation: elliptic curve over a field K. E/K : y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6, a i K; there are no singular points. L-rational points on E: (L K), E(L) = {(x,y) L L : C(x,y) = 0} {O}. C(x,y) = y 2 + a 1 xy + a 3 y (x 3 + a 2 x 2 + a 4 x + a 6 ). If L K, then E(L) E(K). K: algebraic closure of K; denote E(K) by E.

19 Cyclic Groups in Cryptography p. 19/6 Simplifying Weierstraß Form y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 replacing y by 1 2 (y a 1x a 3 ) gives where y 2 = 4x 3 + b 2 x 2 + 2b 4 x + b 6 b 2 = a a 2,b 4 = 2a 4 + a 1 a 3,b 6 = a a 6. If characteristics 2, 3, then replacing (x,y) by ((x 3b 2 )/36,y/108) gives y 2 = x 3 27c 4 x 54c 6.

20 Relations: 4b 8 = b 2 b 6 b 2 4, 1728 = c3 4 c2 6. Cyclic Groups in Cryptography p. 20/6 Simplifying Weierstraß Form Define b 8 = a 2 1a 6 + 4a 2 a 6 a 1 a 3 a 4 + a 2 a 2 3 a 2 4 c 4 = b b 4 c 6 = b b 2 b 4 216b 6 = b 2 2b 8 8b b b 2 b 4 b 6 (discriminant) j = c 3 4 / (j-invariant) ω = dx/(2y + a 1 x + a 3 ) = dy/(3x 2 + 2a 2 x + a 4 a 1 y) (invariant differential)

21 Cyclic Groups in Cryptography p. 21/6 Simplified Weierstraß Form char(k) 2, 3: the equation simplifies to y 2 = x 3 + ax + b a,b K and 4a b 2 0. ensures x 3 + ax + b does not have repeated roots; x 3 + ax + b has repeated roots iff x 3 + ax + b and d dx (x3 + ax + b) = 3x 2 + a have a common root; eliminating x from these two relations gives the condition 4a b 2 = 0; this corresponds to = 0.

22 Cyclic Groups in Cryptography p. 22/6 Simplified Weierstraß Form char(k) = 2: the equation simplifies to y 2 + xy = x 3 + ax 2 + b, a, b K, b 0, non-supersingular, or y 2 + cy = x 3 + ax + b, a,b,c K, c 0, supersingular.

23 Cyclic Groups in Cryptography p. 23/6 Finding a Point Basic idea: choose a random x; compute z = x 3 + ax + b and find a square root of y of z (if one exists). Square roots modulo a prime p: compute Legendre symbol to check if z has a square root. Square roots modulo a prime power p e : compute square root modulo p and use Hensel lifting to obtain square root modulo p e. ( z p )

24 Prime p: Known Cases p 3 mod 4: (Lagrange) Since z (p 1)/2 = (±z (p+1)/4 ) 2 ( ) z p = 1. = z (p+1)/2 = z z (p 1)/2 = z. p 5 mod 8: (Legendre) p 1 mod 8: no known deterministic algorithms. Tonelli (in 1891) and Cipolla. Require finding a quadratic nonresidue (mod p). Easily done in a randomised manner. (half the numbers modulo p are quadratic nonresidues). Cyclic Groups in Cryptography p. 24/6

25 Cyclic Groups in Cryptography p. 25/6 Group Law E(L): L-rational points on E is an abelian group; addition is done using the chord-and-tangent law ; O acts as the identity element. Consider E/K : y 2 = x 3 + ax + b. Addition formulae are as follows: P + O = O + P = P, for all P E(L). O = O. If P = (x,y) E(L), then P = (x, y). If Q = P, then P + Q = O.

26 Cyclic Groups in Cryptography p. 26/6 Group Law (contd.) If P = (x 1,y 1 ), Q = (x 2,y 2 ), with P Q, then P + Q = (x 3,y 3 ), where and x 3 = λ 2 x 1 x 2, y 3 = λ(x 1 x 3 ) y 1, λ = y 2 y 1 x 2 x 1 if P Q; = 3x2 1+a 2y 1 if P = Q.

27 Cyclic Groups in Cryptography p. 27/6 Deriving Addition Law Let P = (x 1,y 1 ),Q = (x 2,y 2 ) and P Q. If P Q, then the line l(x,y) : y = λx + ν through P and Q intersects the curve E(x,y) at a third point R; the reflection of R on the x-axis is defined to be the point P + Q given by (x 3,y 3 ); If P = Q, then the tangent l(x,y) : y = λx + ν intersects the curve at a point R; the reflection of R on the x-axis is defined to be the point 2P given by (x 3,y 3 );

28 Cyclic Groups in Cryptography p. 28/6 Deriving Addition Law Let P = (x 1,y 1 ),Q = (x 2,y 2 ) and P Q, Q. So λ = (y 2 y 1 )/(x 2 x 1 ),ν = y 1 λx 1 = y 2 λx 2. Putting l(x, y) into E(x, y) we get (λx + ν) 2 = x 3 + ax + b which is the same as x 3 λ 2 x 2 + (a 2νλ)x + b ν 2 = 0. This equation has three roots and x 1,x 2 are two of the roots. So the third root is x 3 = λ 2 x 1 x 2. Also, y 3 = λx 3 + ν and y 1 = λx 1 + ν gives y 3 = λ(x 1 x 3 ) y 1. (Note: the line through (x 1,y 1 ) and (x 2,y 2 ) passes through (x 3, y 3 ).)

29 Cyclic Groups in Cryptography p. 29/6 Deriving Addition Law Let P = (x 1,y 1 ),Q = (x 2,y 2 ) and P = Q. E : y 2 = x 3 + ax + b and so 2y dy dx = 3x2 + a. Slope λ at (x 1,y 1 ) is 3x2 1+a 2y 1. Rest of the analysis same as the previous case. Obtained formula for (x 3,y 3 ) same except for the changed value of λ.

30 Cyclic Groups in Cryptography p. 30/6 Elliptic Curve Group O is the additive identity; for any point P, P + ( P) = O; for any points P,Q and R, P + (Q + R) = (P + Q) + R. associative property; this is difficult to verify directly; follows easily from the notion of divisors.

31 Cyclic Groups in Cryptography p. 31/6 Frobenius Map τ p : E(IF p ) E(IF p ), τ p (x,y) = (x p,y p ). τ p is a group homomorphism. Trace of Frobenius: t p = p + 1 #E(IF p ). Theorem (Hasse): #E(IF p ) = p + 1 t p, where t p 2 p. Consequently, #E(IF p ) p. Theorem (Birch): #{E/F p : α t p β} 1 π β α 4p x2 dx.

32 Cyclic Groups in Cryptography p. 32/6 Number of Points Let K = IF q and K = m 1 IF q m. Schoof s Algorithm. Compute t modulo small primes and then use CRT. Improvement by Elkies and Atkin. #E(IF p ) can be computed in time O((log p) 6 ) by SEA algorithm. Subsequent work for computing points on EC on different fields. Weil s Theorem: Let t = q + 1 #E(IF q ). Let α,β be complex roots of T 2 tt + q. Then #E(IF q ) = q k + 1 α k β k for all k 1.

33 Cyclic Groups in Cryptography p. 33/6 Koblitz Curves Characteristics 2, q = 2 k. E : y 2 + xy = x 3 + ax 2 + 1, a {0, 1}. Chosen for reasons of efficiency. For security reasons k is taken to be a prime. ( ) k ( ) k #E(IF q ) = 2 k

34 Cyclic Groups in Cryptography p. 34/6 Structure Theorem Let E be an elliptic curve defined over IF q. E(IF q ) = Z n1 Z n2, where n 2 n 1 and n 2 (q 1). E(IF q ) is cyclic if and only if n 2 = 1. P E is an n-torsion point if np = O; E[n] is the set of all n-torsion points. Theorem : If gcd(n,q) = 1, then E[n] = Z n Z n.

35 Cyclic Groups in Cryptography p. 35/6 Supersingular Elliptic Curves An elliptic curve E/IF q is supersingular if p t where t = q + 1 #E(IF q ). Theorem (Waterhouse): E/IF q is supersingular if and only if t 2 = 0,q, 2q, 3q or 4q.

36 Cyclic Groups in Cryptography p. 36/6 Supersingular Elliptic Curves Theorem (Schoof): Let E/IF q be supersingular with t = q + 1 #E(IF q ). Then If t 2 = q, 2q or 3q, then E(IF q ) is cyclic. If t 2 = 4q and t = 2 q, then E(IF q ) = Z q 1 Z q 1. If t 2 = 4q and t = 2 q, then E(IF q ) = Z q+1 Z q+1. If t = 0 and q 3 mod 4, then E(IF q ) is cyclic. If t = 0 and q 3 mod 4, then E(IF q ) is cyclic or E(IF q ) = Z q+1 Z 2. 2

37 Cyclic Groups in Cryptography p. 37/6 Choosing the Group Let r be a prime such that r #E(L) where L IF q. Then there is a cyclic subgroup G = P of E(L). Choosing P : let r 1 = (#E(L))/r; choose a random point R of E(L); with high probability P = r 1 R is a point of order r; r being prime, P is a generator of G. It is possible to do cryptography over G.

38 Cyclic Groups in Cryptography p. 38/6 A Summary Elliptic curves over finite fields provide rich examples of abelian groups. Advantage: no sub-exponential algorithm for solving discrete log is known for G. (We will qualify this statement later.) Consequently, one can work over comparatively small fields. Gains: The finite field arithmetic is more efficient. Storage requirement is smaller. Important for implementation on resource constrained devices.

39 Cyclic Groups in Cryptography p. 39/6 Jacobian Coordinates Affine coordinates: P = (x 1,y 1 ) and Q = (x 2,y 2 ). Slope computation: λ = y 2 y 1 x 2 x 1 or 3x2 1+a 2y 1. One inversion required. Jacobian coordinates: (X, Y, Z) represents (X/Z 2,Y/Z 3 ). Addition using Jacobian coordinates avoids inversions.

40 Cyclic Groups in Cryptography p. 40/6 Doubling in Jacobian Curve: y 2 = x 3 + ax + b. (X 1,Y 1,Z 1 ) is doubled to obtain (X 3,Y 3,Z 3 ). x 3 = (3X2 1 + az4 1 )2 8X 1 Y1 2 4Y 2 1 Z2 1 ( X1 y 3 = 3X2 1 + az1 4 2Y 1 Z 1 Z1 2 X 3 X 3 = (3X1 2 + az1) 4 2 8X 1 Y1 2 ) Y 1 Z 3 1 Y 3 = (3X1 2 + az1)(4x 4 1 Y1 2 X 3 ) 8Y1 4 Z 3 = 2Y 1 Z 1.

41 Cyclic Groups in Cryptography p. 41/6 Mixed Addition Curve: y 2 = x 3 + ax + b. (X 1,Y 1,Z 1 ) and P = (X,Y, 1) are added to obtain (X 3,Y 3,Z 3 ) as follows. x 3 = y 3 = ( Y Y 1 ) 2 Z1 3 X X X 1 1 Z 2 X Z1 2 1 ( ) ( Y Z 3 1 Y 1 X1 (XZ 2 1 X 1)Z 1 Z 2 1 X 3 ) Y 1 Z 3 1

42 Cyclic Groups in Cryptography p. 42/6 Mixed Addition (contd.) X 3 = x 3 Z 3 = (Y Z 3 1 Y 1 ) 2 X 1 (XZ 2 1 X 1 ) 2 X(XZ1 2 X 1) 2 Z1 2 = (Y Z1 3 Y 1) 2 (XZ1 2 X 1) 2 (X 1 + XZ1 2 ) Y 3 = y 3 Z 3 = (Y Z1 3 Y 1)((XZ1 2 X 1) 2 X 1 X 3 ) Y 1 (XZ 2 1 X 1 ) 3 Z 3 = (XZ 2 1 X 1 )Z 1

43 Cyclic Groups in Cryptography p. 43/6 Scalar Multiplication Let G = P be a subgroup of E(L) of prime order r. Instance: P and a Z r. Task: Compute ap. a is usually a secret. Basic algorithm: left-to-right double and add algorithm; addition is always by P ; underlines the importance of mixed addition.

44 Side Channel Information Let a = a n 1 a n 2...a 0. At the ith step: a doubling takes place; if a n i = 1, then an addition takes place. Suppose it is possible to measure the time required for the ith step. Then a n i can be uniquely determined. Instead of time, it may be possible to measure the power consumption at each step. The attack actually works and has been demonstrated. Countermeasures: several are known; ongoing research. Cyclic Groups in Cryptography p. 44/6

45 Cyclic Groups in Cryptography p. 45/6 Scalar Multiplication Issues Representation of scalars. Expansion using {0, ±1} instead of {0, 1}; negation of a point is free ; not good for finite fields. Non-adjacent form: no two non-zero adjacent digits ; example: ; known results on length of representation and density of non-zero digits; left-to-right online algorithm to obtain NAF.

46 Cyclic Groups in Cryptography p. 46/6 Scalar Multiplication Issues Window method. Base-φ representation of the scalar; φ is the Frobenius map. Double base chain expansion; use bases {2, 3} or {2, 3, 5} instead of base 2; optimal length and density of non-zero digits not yet known. Parallelism, memory requirement.

47 Cyclic Groups in Cryptography p. 47/6 Other Curve Forms Montgomery form: x-coordinate only scalar multiplication. ay 2 = x 3 + bx + x, a 0; (Twisted) Edwards form: complete (and hence unified) formulae for addition and doubling. ax 2 + y 2 = 1 + dx 2 y 2 ; a,d 0, a d. Jacobi-Quartic form.

48 Bilinear Pairings in Cryptography. Cyclic Groups in Cryptography p. 48/6

49 Cyclic Groups in Cryptography p. 49/6 Divisors Let E/IF q be given by C(x,y) = 0. The group of divisors of E(IF q n) is the free abelian group generated by the points of E(IF q n). Thus any divisor D is of the form D = n P P. n P Z, P E(IF q n) n P = 0 except for finitely many P s. Zero divisors: n P = 0.

50 Cyclic Groups in Cryptography p. 50/6 Rational Functions A rational function f on E is an element of the field of fractions of the ring IF q n[x,y]/(c(x,y)). The divisor of a rational function f is defined by div(f) = ord P (f) P P E(IF q n) where ord P (f) is the order of the zero/pole that f has at P. A divisor D is said to be principal if D = div(f), for a rational function f.

51 Cyclic Groups in Cryptography p. 51/6 Rational Functions (contd.) Theorem: A divisor D = P E(IF q n) n P P is principal if and only if n P = 0 and n P P = O. Definition. Two divisors D 1 and D 2 are said to be equivalent (D 1 D 2 ) if D 1 D 2 is principal.

52 Cyclic Groups in Cryptography p. 52/6 Rational Functions (contd.) Theorem : Any zero divisor D = n P P is equivalent to a (unique) divisor of the form Q O for some Q E(IF q n). If P = (x,y), then by f(p) we mean f(x,y). Definition. Given a rational function f and a zero divisor D = n P P, define f(d) = f(p) n P. P E(IF q n)

53 Cyclic Groups in Cryptography p. 53/6 Tate Pairing (Preliminaries) Embedding Degree: Let r be co-prime to q and r #E(IF q ). The least positive integer k such that r (q k 1) is called the embedding degree. n-torsion Points: Let E/IF q be an elliptic curve. Then E(IF q k)[n] = {P E(IF q k) : np = O}. µ r (IF q k): cyclic subgroup of IF q k of order r. Here r is prime and r (q k 1).

54 Cyclic Groups in Cryptography p. 54/6 Tate Pairing (Preliminaries) E(IF q k)/re(if q k): collection of all cosets of re(if q k). f s,p : an IF q k-rational function f s,p with divisor f s,p = s P [s]p (s 1) O.

55 Cyclic Groups in Cryptography p. 55/6 Tate Pairing Definition Tate pairing e(, ): (modified: reduced and normalised) E(IF q )[r] E(IF q k)/re(if q k) µ r (IF q k) is given by e(p,q) = f r,p (Q) (qk 1)/r. P is an r-torsion point from E(IF q k); Q is any point in a coset of re(if q k); the result is an element of IF q k of order r.

56 Cyclic Groups in Cryptography p. 56/6 Computing Tate Pairing Note: P is from E(IF q ) while Q is from E(IF q k). f r,p = r P [r]p (r 1) O = r P r O. The computation of f s,p is using a double-and-add algorithm similar to that of scalar multiplication.

57 Cyclic Groups in Cryptography p. 57/6 Some Simple Facts Assume that E is given in Weierstraß form. Let P and R be points on E. l P,R, R P : line passing through P, R and (P + R). l R,R : line passing through R and 2R. l R, R : line passing through R and R. l P,R = P + R + (P + R) 3 O l R,R = 2 R + 2R 3 O l R, R = R + R 2 O

58 Cyclic Groups in Cryptography p. 58/6 Some Simple Facts h P,R, R P : h P,R = l P,R /l T, T ; T = P + R. h R,R : h R,R = l R,R /l T, T ; T = 2R. h P,R = l P,R l T, T h P,R = l R,R l T, T f 1,P = P P = 0: So, f 1,P = 1.

59 Cyclic Groups in Cryptography p. 59/6 Recurrence for f s,p f 2m,P = 2m P 2mP (2m 1) O = 2(m P mp (m 1) O ) +2 mp 2mP O = 2 f m,p + 2 mp + 2mP 3 O ( 2mP + 2mP 2 O ) = 2 f m,p + l mp,mp l 2mP, 2mP = 2 f m,p + h mp,mp.

60 Recurrence for f s,p f 2m+1,P = (2m + 1) P (2m + 1)P 2m O = 2m P 2mP (2m 1) O + P + 2mP (2m + 1)P O = f 2m,P + P + 2mP + (2m + 1)P 3 O ( (2m + 1)P + (2m + 1)P 2 O ) = f 2m,P + l 2mP,P l (2m+1)P, (2m+1)P = f 2m,P + h P,2mP. Cyclic Groups in Cryptography p. 60/6

61 Cyclic Groups in Cryptography p. 61/6 Recurrence for f s,p So, So, f 2m,P = 2 f m,p + h mp,mp. f 2m,P = fm,p 2 h mp,mp. f 2m+1,P = 2 f m,p + h P,2mP. f 2m+1,P = f 2m,P h P,2mP.

62 Cyclic Groups in Cryptography p. 62/6 Miller s Algorithm Given P E(IF q ) and Q E(IF q k) to compute f r,p (Q). Let r t 1 r t 2...r 0 be the binary expansion of r. Set f 1. Compute rp from left-to-right using double and add. Let R be the input before the ith iteration. f f 2 h R,R (Q); R 2R; if r n i = 1 f f h R,P (Q); R R + P.

63 Cyclic Groups in Cryptography p. 63/6 Effect of Bilinear Map Recall e : E(IF q )[r] E(IF q k)/re(if q k) µ r (IF q k) e(ap,q) = e(p,q) a reduces discrete log over E(IF q ) to that over µ r (IF q k); security depends on k; for supersingular curves k 6; for general elliptic curves k is large.

64 Cyclic Groups in Cryptography p. 64/6 Effect of Bilinear Map Symmetric bilinear map: The second argument Q of e(p,q) is an element E(IF q k). Using a distortion map, one can consider Q to be an element of E(IF q ). Solution to DDH: given (P,aP,bP,Q) determine if Q = abp ; verify e(ap,bp) = e(p,q). Gap DH-groups: groups where CDH is hard but DDH is easy.

65 Cyclic Groups in Cryptography p. 65/6 Joux s Key Agreement Protocol 3-party, single-round. Three users U 1,U 2 and U 3 ; U i chooses a uniform random r i and broadcasts X i = r i P ; U i computes K = e(x j,x k ) r i, where {j,k} = {1, 2, 3} \ {i}; K = e(p,p) r 1r 2 r 3.

66 Cyclic Groups in Cryptography p. 66/6 Efficiency Improvements Irrelevant denominators: the denominator of h P,R need not be evaluated. Point tripling: the line through P and 2P passes through 3P ; instead of doubling, use tripling; applicable for characteristics three curves. Variants: Ate and Eta pairings; the aim is to reduce the number of Miller iterations. Pairings on other forms of elliptic curves. Other implementation issues.

67 Cyclic Groups in Cryptography p. 67/6 Pairing Friendly Curves Supersingular curves have embedding degree at most 6. Obtain non-supersingular curves with low embedding degree k; typically k 12; involves a lot of computation with computer algebra packages; only a few examples are known. Embedding degree and group size determines the security level of the target protocol.

68 Thank you for your kind attention! Cyclic Groups in Cryptography p. 68/6

Parshuram Budhathoki FAU October 25, Ph.D. Preliminary Exam, Department of Mathematics, FAU

Parshuram Budhathoki FAU October 25, 2012 Motivation Diffie-Hellman Key exchange What is pairing? Divisors Tate pairings Miller s algorithm for Tate pairing Optimization Alice, Bob and Charlie want to