Faster Pairings on Special Weierstrass Curves

Similar documents
Analysis of Optimum Pairing Products at High Security Levels

Fast hashing to G2 on pairing friendly curves

Efficient Implementation of Cryptographic pairings. Mike Scott Dublin City University

Efficient Implementation of Cryptographic pairings. Mike Scott Dublin City University

Fast Formulas for Computing Cryptographic Pairings

Pairings for Cryptography

Optimal TNFS-secure pairings on elliptic curves with even embedding degree

An Analysis of Affine Coordinates for Pairing Computation

Pairing-Friendly Elliptic Curves of Prime Order

Constructing Pairing-Friendly Elliptic Curves for Cryptography

Fixed Argument Pairings

Faster Computation of the Tate Pairing

Pairing Computation on Elliptic Curves of Jacobi Quartic Form

An Analysis of Affine Coordinates for Pairing Computation

Constructing Abelian Varieties for Pairing-Based Cryptography

A TAXONOMY OF PAIRING-FRIENDLY ELLIPTIC CURVES

Représentation RNS des nombres et calcul de couplages

A TAXONOMY OF PAIRING-FRIENDLY ELLIPTIC CURVES

A New Family of Pairing-Friendly elliptic curves

Speeding up Ate Pairing Computation in Affine Coordinates

Ordinary Pairing Friendly Curve of Embedding Degree 3 Whose Order Has Two Large Prime Factors

Optimised versions of the Ate and Twisted Ate Pairings

Non-generic attacks on elliptic curve DLPs

Pairing computation on Edwards curves with high-degree twists

Individual Discrete Logarithm in GF(p k ) (last step of the Number Field Sieve algorithm)

Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves

SM9 identity-based cryptographic algorithms Part 1: General

Ate Pairing on Hyperelliptic Curves

A brief overwiev of pairings

Four-Dimensional GLV Scalar Multiplication

Optimal Pairings. F. Vercauteren

Constructing Tower Extensions of Finite Fields for Implementation of Pairing-Based Cryptography

Implementing Pairing-Based Cryptosystems

On compressible pairings and their computation

Cyclic Groups in Cryptography

Generating more Kawazoe-Takahashi Genus 2 Pairing-friendly Hyperelliptic Curves

Constructing Families of Pairing-Friendly Elliptic Curves

Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves

Tampering attacks in pairing-based cryptography. Johannes Blömer University of Paderborn September 22, 2014

Efficient hash maps to G 2 on BLS curves

Pairings at High Security Levels

Some Efficient Algorithms for the Final Exponentiation of η T Pairing

Efficient Pairings Computation on Jacobi Quartic Elliptic Curves

Background of Pairings

Edwards coordinates for elliptic curves, part 1

FINDING COMPOSITE ORDER ORDINARY ELLIPTIC CURVES USING THE COCKS-PINCH METHOD

On near prime-order elliptic curves with small embedding degrees (Full version)

A Variant of Miller s Formula and Algorithm

Faster Squaring in the Cyclotomic Subgroup of Sixth Degree Extensions

A Generalized Brezing-Weng Algorithm for Constructing Pairing-Friendly Ordinary Abelian Varieties

On hybrid SIDH schemes using Edwards and Montgomery curve arithmetic

On Near Prime-Order Elliptic Curves with Small Embedding Degrees

A Relation between Group Order of Elliptic Curve and Extension Degree of Definition Field

Hyperelliptic pairings

Asymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp)

Faster Group Operations on Elliptic Curves

Aspects of Pairing Inversion

Efficient Pairing Computation on Supersingular Abelian Varieties

Optimal Pairings. Frederik Vercauteren

Katherine Stange. ECC 2007, Dublin, Ireland

PARAMETRIZATIONS FOR FAMILIES OF ECM-FRIENDLY CURVES

Katherine Stange. Pairing, Tokyo, Japan, 2007

Efficient Arithmetic on Elliptic and Hyperelliptic Curves

Mappings of elliptic curves

Efficient Computation of Tate Pairing in Projective Coordinate Over General Characteristic Fields

Hidden pairings and trapdoor DDH groups. Alexander W. Dent Joint work with Steven D. Galbraith

Comparison of Elliptic Curve and Edwards Curve

High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition

Constructing genus 2 curves over finite fields

Efficient computation of pairings on Jacobi quartic elliptic curves

arxiv: v3 [cs.cr] 5 Aug 2014

Constructing Abelian Varieties for Pairing-Based Cryptography. David Stephen Freeman. A.B. (Harvard University) 2002

The Eta Pairing Revisited

Distinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago

Edwards Curves and the ECM Factorisation Method

Fast, twist-secure elliptic curve cryptography from Q-curves

Genus 2 Hyperelliptic Curve Families with Explicit Jacobian Order Evaluation and Pairing-Friendly Constructions

Attractive Subfamilies of BLS Curves for Implementing High-Security Pairings

Pairing-Friendly Twisted Hessian Curves

Parameterization of Edwards curves on the rational field Q with given torsion subgroups. Linh Tung Vo

Side-channel attacks and countermeasures for curve based cryptography

Faster pairing computation in Edwards coordinates

Computing the endomorphism ring of an ordinary elliptic curve

Co-Z Addition Formulæ and Binary Ladders on Elliptic Curves. Raveen Goundar Marc Joye Atsuko Miyaji

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

14 Ordinary and supersingular elliptic curves

Isogenies in a quantum world

Section 8.3 Partial Fraction Decomposition

Subgroup security in pairing-based cryptography

Heuristics. pairing-friendly abelian varieties

LECTURE 7, WEDNESDAY

PAIRINGS ON HYPERELLIPTIC CURVES. 1. Introduction

A note on López-Dahab coordinates

The Eta Pairing Revisited

Inverted Edwards coordinates

Generating more MNT elliptic curves

Genus 2 Curves of p-rank 1 via CM method

Twisted Jacobi Intersections Curves

Introduction to Elliptic Curves

Twisted Hessian curves

Transcription:

craig.costello@qut.edu.au Queensland University of Technology Pairing 2009 Joint work with Huseyin Hisil, Colin Boyd, Juanma Gonzalez-Nieto, Kenneth Koon-Ho Wong

Table of contents 1 Introduction The evolution of faster pairings: 3 bags of tricks This work 2 What are we looking for? Alternative doublings 3 The Miller lines Results 4 5

The evolution of faster pairings: 3 bags of tricks This work The evolution of faster pairings: 3 bags of tricks 1. Tricks inside the Miller iterations Goal 1 optimal group choices avoiding irrelevant operations - denominator elimination avoiding costly inversions - homogenization minimize additions - low Hamming weight loop parameter operations over smaller fields - employ twisted curve Minimize the number (cost) of field operations throughout each Miller iteration

The evolution of faster pairings: 3 bags of tricks This work The evolution of faster pairings: 3 bags of tricks 2. Pairing-friendly curves An array of constructions (FST - taxonomy) For a small k, we want group size r, field size q, trace t, (n = #E = q + 1 t) Not-in-family, individual curve constructions (Cocks-Pinch, DEM, supersingular curves, etc) Families of curves (MNT, GMV, Freeman, cyclotomic families, Scott-Barreto families, KSS curves, BN curves, etc) Pairing-friendly fields Goal 2 ρ = log q/ log r close to 1

The evolution of faster pairings: 3 bags of tricks This work The evolution of faster pairings: 3 bags of tricks 3. Loop shortening techniques Exploiting efficiently computable endomorphisms on CM (complex multiplication) curves e.g. Scott s NSS curves η T -pairing ate pairing ate pairing variants (optimized ate pairing, ate i pairings, R-ate pairing) Goal 3 Minimize the loop length (Vercauteren s conjecture log 2 (r)/ϕ(k))

Where does this work fit in? The evolution of faster pairings: 3 bags of tricks This work We work on a special j-invariant zero (CM discriminant D = 3) curve 1: Minimize the number of field operations throughout each Miller iteration This curve allows new faster formulas in the Miller loop that reduce the operation count throughout each iteration 2: Low embedding degree k and ρ = log q/ log r close to 1 For the majority of embedding degrees k 50, this curve can be constructed with the best (currently known) ρ-value 3: Minimize the loop length ( log 2 (r)/ϕ(k))... more on this later

Computations in a Miller iteration What are we looking for? Alternative doublings Doubling stage i. Double: R [2]R ii. Compute lines l and v for doubling R = (x R, y R ) iii. f f 2 l(q)/v(q) Addition stage (if necessary) i. Add: R R + P ii. Compute lines l and v for adding R = (x R, y R ) and P = (x P, y P ) iii. f f l(q)/v(q)

What are we looking for? Alternative doublings Attractive doublings: a good place to start Standard doubling of [2](x 1, y 1 ) = (x 3, y 3 ) on y 2 = x 3 + ax + b x 3 = λ 2 2x 1, y 3 = λ(x 1 x 3 ) y 1 with λ = (3x 2 1 + a)/(2y 1). Let a function f = g/h. Define deg TOTAL (f ) = deg(g) + deg(h). Key observation: curve constant b is a square in F q, (b = c 2, c F q ), we can write x 3 = x 1 (µ µ 2 ) + a σ, y 3 = (y 1 c)µ 3 + a δ c with µ = (y 1 + 3c)/(2y 1 ), σ = (a 3x 2 1 )/(2y 1) 2 δ = (3x 1 (y 1 3c)(y 1 + 3c) a(9x 2 1 + a))/(2y 1) 3 At first glance latter formulas look worse... but total degrees less (Monaghan/Pearce simplification algorithm)

The special j-invariant zero curve What are we looking for? Alternative doublings Doubling of [2](x 1, y 1 ) = (x 3, y 3 ) on y 2 = x 3 + c 2 simplifies to µ = (y 1 + 3c )/(2y 1 ) x 3 = x 1 (µ µ 2 ) y 3 = (y 1 c)µ 3 c The curve v 2 = u 3 + c 2 is isomorphic over F q to y 2 = cx 3 + 1 with the isomorphism σ : (x, y) (u, v) = (cx, cy) and σ(o) O. Affine doubling on y 2 = cx 3 + 1 µ = (y 1 + 3 )/(2y 1 ) x 3 = x 1 (µ µ 2 ) y 3 = (y 1 1)µ 3 1 Affine (almost schoolbook) addition on y 2 = cx 3 + 1 µ = (y 1 y 2 )/(x 1 x 2 ) x 3 = c 1 λ 2 x 1 x 2 y 3 = λ(x 1 x 3 ) y 1

The affine Miller lines The Miller lines Results Tate pairing e(p, Q): P E(F q ), x Q F q d (proper subfield) Only factors we need to carry through contain y Q F q k Addition line becomes Doubling line g add = l add (Q) v add (Q) = c λ(x 2 x Q ) y 2 + y Q c(x 1 + x 2 + x Q ) λ 2 g add = (y 1 y 2 )(x 2 x Q ) (x 1 x 2 )(y 2 y Q ) becomes g dbl = l dbl (Q) v dbl (Q) = 2cy 1 (x 1 x Q )2 x 2 1 (3cx Q) y 2 1 + 3 + 2y 1y Q g dbl = x 2 1 (3cx Q) y 2 1 + 3 2y 1y Q

The Miller lines Results Homogeneous projective coordinates Represent (x, y) on the curve y 2 = cx 3 + 1 as (X : Y : Z) on Y 2 Z = cx 3 + Z 3 where (x, y) = (X /Z, Y /Z). Doubling [2](X 1 : Y 1 : Z 1 ) = (X 3 : Y 3 : Z 3 ) gives X 3 = 2X 1 Y 1 (Y1 2 9Z 1 2 ) Y 3 = (Y 1 Z 1 )(Y 1 + 3Z 1 ) 3 8Y1 3 Z 1 Z 3 = 8Y1 3 Z 1 with line equation g dbl = X 2 1 (3cx Q) Y 2 1 + 3Z 2 1 2Y 1Z 1 y Q Point doubling here costs 4m+3s Line computation only costs an extra km+1s (x Q F q k/2, y Q F q k ) Total doubling stage cost = (k+3)m+5s

Results Introduction The Miller lines Results Comparison of doubling and addition stages in the Miller loop against best previous j-invariant zero (CM discriminant D = 3) formulas Tate pairing DBL madd ADD Arène et al. 3m + 8s 6m + 6s 9m + 6s This work 3m + 5s 10m + 2s + 1c 13m + 2s + 1c km (common for all) removed from above table These formulas offer a saving of 3s at each doubling stage Addition stages slower by approximately 4 m/s trade-offs The formulas in this work only apply to special j-invariant zero curves of the form y 2 = cx 3 + 1

y 2 = cx 3 + 1 Construction 6.6 in FST - A taxonomy of pairing-friendly elliptic curves will always generate families of j-invariant zero curves for arbitrary embedding degrees k 18. Most embedding degrees give optimal ρ-value construction on a j-invariant zero (D=3) curves (all k 50, except k = 6, 16, 22, 28, 40, 46) We want to generate y 2 = cx 3 + 1 which always has the point (x, y) = (0, 1) of order 3 If construction 6.6 (or any j-invariant construction) gives a curve with order divisible by 3, faster formulas apply. Most of the embedding degrees facilitate this...

Example curves k= 12, ρ 3/2, c = 1 q = 5889490407496391077863993523923693237754321026389/ 51098413116844771387913 (239 bits) r = 1461501669025015507443564621194276547766154173393 (161 bits) t = 1099511633738 (41 bits) ρ-value is much worse than what is achieved with BN curves (ρ = 1). k=24, ρ 5/4, c = 3 q = 5489399840838040611293290643917562610638922954990/ 22387041217 (199 bits) r = 1490450500267642163962910277522470312138493750001 (161 bits) t = 1051151 (21 bits) ρ-value is current record for families of this embedding degree k = 8, no curve (at least not with construction 6.6)

Tying up a couple of loose ends 1 Scalar multiplication in Jacobian coordinates The EFD reports 2m+5s for point doubling in Jacobian coordinates for j-invariant zero curves. Protocols should only switch to homogeneous projective coordinates for the pairing. Mapping (X : Y : Z) J to (XZ : Y : cz 3 ) P costs 2m+1s+1c. 2 Supersingular scenario Can t just use the distorsion map φ to define ê(p, Q) = e(p, φ(q)) Define ẽ(p, Q) = e(p, θ(q)) where θ(q) = φ(q) π p (φ(q)) so that θ(q) is in the trace-zero subgroup 3 Many methods of curve construction KSS curves, Brezing and Weng curves, etc

Summary (so far) So long as a j-invariant zero curve has a point of order 3, the formulas presented are applicable will give a solidly faster Tate pairing 3: Minimize the loop length ( log 2 (r)/ϕ(k))... more on this later NOW! Can we apply this work to the Ate pairing?

The ate pairing on y 2 = cx 3 + 1... or not? Raw ate pairing a T (Q, P) on curves not facilitating twists will always work When quadratic and sextic twists are applied to compute a T (Q, P), the original curve E : v 2 = u 3 + B and the twisted curve E : v 2 = u 3 + βb (β z 2 ) can t both be written in the form y 2 = cx 3 + 1 The formulas in this paper won t work since they assume that both points are on a curve of the form y 2 = cx 3 + 1 For degree three twists, the formulas will work e.g. The (quadratic, sextic) twist of a BN curve (k=12) has order divisible by 3, but we can only twist Q onto this curve

Current/near future work Faster formulas that work for all j-invariant zero curves Ate-like pairing (quadratic and sextic twists) with both points on the curve y 2 = cx 3 + 1 Speeding up ate pairings on BN curves, KSS curves, etc

Conclusion Tate pairing on j-invariant zero curves can save approximately 3s in each Miller iteration if the curve has order divisible by 3 In the Tate pairing, the relative speed-up becomes less at larger embedding degrees Ate pairing will soon enjoy similar savings on these curves...

Thanks to Professor Tanja Lange and the anonymous referees for their valuable guidance

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback