Implementing Cryptographic Pairings

Ph.D. Preliminary Exam, Department of Mathematics, FAU

Implementing Cryptographic Pairings

Parshuram BudhathokiFAU

October 25, 2012

11/25/2012


Motivation Diffie-Hellman Key exchange What is pairing ? Divisors Tate pairings Miller’s algorithm for Tate pairing Optimization

Out line

11/25/2012


Alice, Bob and Charlie want to communicate how can they share key ?

Diffie-Hellman Key Exchange:

Alice Bob

Charlie

11/25/2012


Diffie-Hellman Two party key Exchange

g

Alice

g

Bob

x y

G = <g>

11/25/2012


Diffie-Hellman Two party key Exchange

Alice Bobg

yx

gy

x y

Need single round

gx g

xy

Common Key = g yx

11/25/2012


Diffie-Hellman Three party key Exchange

g

Bob

g

Alice

x y

g

Charlie

z

11/25/2012



BobAlice

x y

Charlie

z

gx

gz g

yFirst round

11/25/2012



Alice

xgxz

Charlie

zg

yz

Bob

ygxy

11/25/2012



Alice

x

gxy

Charlie

z

gxz

Bob

y

gyz

Second round

11/25/2012



Alice

xgyzx

Charlie

zg

xyz

Bob

ygxzy

Common key = = =gxzy

gzxy

gzyx

11/25/2012


Does one round protocol for three party key exchange exist ?

To answer this question we need special function.

11/25/2012


Pairings

1) Bilinearity : P, Q , R G we have e(P+R, Q)= e(P,Q) e(R,Q)and e(P, R+Q)= e(P,R) e(P,Q)

2) Non-degeneracy : There exists P, Q G such that e(P,Q) ≠1.3) e can be efficiently computable.

Let (G,+) and (V,.) denote cyclic groups of prime order , P G, a generator of G and let

e: G x G V be a pairing which satisfies the following additional properties:

11/25/2012


One round three party key exchange ( joux , 2000)

aP

bPcP

P

Alice

a P

Bobb

P

Charlie

c

bP

cPaP

ae(bP , cP)

e(aP, cP)b

e(bP , aP)

c

G = <P> be additive group.

11/25/2012


y -(x + Ax + B )=02 3Let E : be an elliptic curve over finite

field

E( ) = { (x,y) | x,y } { }

Here is the point at infinity ; these points form additive group with being the group identity.

Let be a prime satisfying l| # E( ) l doesn’t divide q-1 and q are co-prime

qq q

q

Torsion Points:

11/25/2012


Torsion Points :

Then for some integer k , E( ) contains points of order if and only if | -1

kq2

qk

Let E[] denote the set of these order- points, which is called Torsion points.*

E[] = { P E( ) : P = }

2

qk

* Beyond Scope of Presentation

11/25/2012


Function on Elliptic Curve :

Let E be elliptic curve over a field K A non zero rational function f K( E ) defined at point P E(K) \{}

if => f= g / h , for g and h K ( E )=> h ( P ) ≠ 0

¯ * ¯

f is said to have :

=> Zero at point P if f ( P ) = 0

=> Pole at point P if f ( P ) = or (1/ f ( P ) = 0)

11/25/2012


There is a function u , called a uniformizer at P , such that u ( P ) = 0

Every function f ( x, y ) can be written in the form f = u g , with r and g ( P ) ≠ 0 ,

Order of f at P = r ord (f ) =r

If l is any line through P that is not tangent to E, then l is uniformizer parameter for P.

Function on Elliptic Curve :

P

Pr

P

11/25/2012


Divisors

Up to constant multiple , a rational function is uniquely determined by its zeros and poles

A divisor is tool to record these special points of function.

For each P E, define formal symbol ( P )

Here E = E ( K ) ¯

11/25/2012


Divisors:

D = (P) P E P

A divisor D is a “formal” sum of points :

Where and = 0 for all but finitely many P P P E

Div( E) denotes group of divisors of E which is free abelian group generated by the points of E, where addition is given by

(P) + P E P (P) = P E p ( + )

(P) P E P p

11/25/2012


Divisors : Support of divisor D is

supp(D)= { P E | ≠ 0}P

degree of divisor D is

deg(D)= PP E

Div (E) is subgroup, of divisors of degree 0, of Div(E)0

A divisor D with deg(D) = 0 is called a principal divisor.

sum of divisor D is sum ( D ) =

PP E

11/25/2012


Divisor of function :

Þ Number of zeros and poles of rational function f is finite.Þ We can defined divisor of function f as div( f ) = ord ( f ) [ P ] P

Þdiv( f ) = 0 iff f is constant

Þ A principal divisor is divisor which is equal to div ( f ) for some function f

div ( f ) records zeros and poles of f and their multiplicities

11/25/2012


D = (P) P E P

Divisor of function : Let D be divisor :

Then evaluation of f in D is defined by :

f ( D ) = f ( P ) P supp ( D )

P

11/25/2012


Tate Pairing

Let P E( ) [ ] then ( P ) - ( ) is principal divisor kq

There is rational function with div ( ) = ( P ) - ( )

f ( E ) , P qk f , P

Let Q be a point representing coset in E ( ) / qk E ( )

q k

We construct D Div ( E ) such that :

= > D ~ ( Q ) – ( )

=> supp ( D ) supp ( div ( f ) ) =

Q

Q

, P

11/25/2012


Tate Pairing

The Tate pairing

e : E( )[ ] E ( ) / /

is given by :

e(P, Q ) = f ( D )

E ( ) qKK

qKKq q* ( )q

*k

, P

Q

11/25/2012


e doesn’t depend on choice of f

e doesn’t depend on choice of D

e is well defined

e satisfy Non- degeneracy

e satisfy bilinearity

Tate Pairing

, P

Q

11/25/2012


Miller’ s algorithm for the Tate pairing :

[a]P [b]P

-[a+ b] P

[a+ b] P

11/25/2012



[a]P [b]P

-[a+ b] P

[a+ b] P

Let g be line passing through [a]P and [b]P and v be vertical

line passing trough [a+b]P

[a]P,[b]P [a+b]P

g[a]P,[b]P

v [a+b]P

11/25/2012



[a]P [b]P -[a+ b ]P

[a+b]P

Then div( g ) = [ a]P + [ b ]P + [-(a+ b )]P – 3 [ ][a]P,[b] P

div ( V ) = [ a + b ] P + [-( a+ b ) ] P – 2 [ ]

[a + b]P

11/25/2012



div ( f / g ) = div ( f ) – div ( g ) div ( f g ) = div ( f ) + div ( g )

11/25/2012


1. T = P , f = 12. for i = log ( ) -1 to 0 :

T = 2T

Input : P E ( ) , Q E ( ) , where P has order Output : e ( P , Q )

qk qk

3. f = f 4. return f

(q - 1 ) / k

f = f . g ( Q ) / v ( Q )T,T 2T2

if = 1 then f = f . g ( Q ) / v (Q ) T = T + P

iT,P T+P


11/25/2012



Example: Let E ( ) : y = x + 3x 1 1

2 3

# E ( ) = 121 1

Choose = 6 then k = 2If P = (1,9) and Q = (8+7i, 10+6i) find e(P,Q)

=6 => ( , , ) = (1, 1, 0 ) 2 01 2

T = (1,9)for i = 1: g = y + 7x + 6 and g = x+8

T,T 2T

g ( Q ) = 6 and g ( Q ) = 5 + 7iT,T 2T

11/25/2012



Example:

T = [2] (1, 9 ) = (3, 5 )

g ( Q ) = 4+9i and g ( Q ) = 8 + 7iT,P T+P

f = 1. =1+3i5+7i6¯

2

Since = 1

g = y + 2x and g =x 1

T,P T + P

Thus f = (1+3i) = 8+ 10i¯4+9i

8 + 7iAnd T = (3,5) + (1,9) = (0,0)

11/25/2012



Example:

g = x and g =1T,T 2T

for i = 0

Then g ( Q ) = 8+7i and g (Q) =1T,T 2T

Thus f = (8+10i) =5i ¯

8+7i

12 and T = 2 (0,0) =

f = f = 1 mod 11 121-1/6

11/25/2012


T,T 2TMiller’s algorithm fails if line function g and v pass

through Q therefore

Choose to have low hamming weight

Choose P and Q from particular disjoint groups

Choose P from E ( ) p

Optimization of Miller’s loop for Tate pairing.

For further optimization :

11/25/2012



From here :

=> k is even i.e. k =2d , where d is +ve integer => q = p , some prime

Therefore final exponentiation can now be written as f (p -1 ) d (p +1) / d

=> divides (p +1) d

=> p = 3 mod 4

11/25/2012


1. T = P , f = 12. for i = log ( ) -1 to 0 :

T = 2T


qk qk

3.f = f (p - 1 ) d

f = f . g ( Q ) / v ( Q )T,T 2T2

if = 1 then f = f . g ( Q ) / v (Q ) T = T+ P

iT,P T+P

4.f = f 5. return f

(p +1 ) / d


11/25/2012



K is even => is quadratic extension of pk pd

Since p = 3 mod 4 => x + 1 is irreducible polynomial.

2

w can be represented as w = a+ib , where a,b pkpd

w = conjugate of w = a- i b ¯ Using Frobenius = > ( a + ib ) = ( a – ib )

dp

= >(1/ ( a + ib ) ) = ( a – ib ) p -1

d p -1

d

11/25/2012


1. T = P , f = 12. for i = log ( ) -1 to 0 :

T = 2T


qk qk

3.f = f (p - 1 ) d

4.f = f 5. return f

(p +1 ) / d


if = 1 then f = f . g ( Q ) T = T+ P

iT,P

f = f . g ( Q )T,T2 ¯

2Tv ( Q )

¯T+P

v ( Q )

11/25/2012



Choice of Q :

We have , Q = ( x , y ) where x = a+ib and y = c+id and a,b,c,d pd

Choose b=c=0

Now and are elements of which means they will be wiped out by final exponentiation

T+P ¯ v 2T ¯ v p d

This called denominator-elimination optimization

11/25/2012


1. T = P , f = 12. for i = log ( ) -1 to 0 :

T = 2T


qk qk

3.f = f (p - 1 ) d

4.f = f 5. return f

(p +1 ) / d


if = 1 then f = f . g ( Q ) T = T+ P

iT,P

f = f . g ( Q )T,T2 ¯

2Tv ( Q )

¯T+P

v ( Q )

11/25/2012



11/25/2012

Date post:	23-Feb-2016
Category:	Documents
Upload:	brenna
View:	50 times
Download:	0 times

Implementing Cryptographic Pairings

Documents