Pairing in cryptography :
an arithmetic point of view
J.C. Bajard and N. El Mrabet
ARITH-LIRMM, CNRS,
Université Montpellier II, France
SPIE
August 2007
Pairings: Definition
Data
• n ∈ N* (generally a prime number).
• G1 and G2 two additive abelian groups of order n.
• G3 a cyclic group of order n, written multiplicatively.
Definition: A pairing is a map
e : G1 × G2 → G3
which satisfies the following properties:
Pairings: Properties of the definition
• Bilinear: ∀ P, P′ ∈ G1, ∀ Q, Q′ ∈ G2
e(P + P′, Q) = e(P, Q) · e(P′, Q)
e(P, Q + Q′) = e(P, Q) · e(P, Q′)
e(iP, Q) = e(P, Q)^i and e(P, iQ) = e(P, Q)^i
• Non-degenerate:
∀ P ∈ G1 − {0}, ∃ Q ∈ G2 such that e(P, Q) ≠ 1
∀ Q ∈ G2 − {0}, ∃ P ∈ G1 such that e(P, Q) ≠ 1
Pairings: Cryptographic use
Destructive:
• MOV attack: Menezes, Okamoto and Vanstone (1993), which transports a discrete logarithm on the curve into the finite field F_{p^k}^*, where index-calculus methods apply.
Constructive (since 2000):
• One-round tripartite Diffie-Hellman key exchange (A. Joux, 2000).
• Short signatures (D. Boneh, B. Lynn, H. Shacham, 2001).
• Identity-based encryption (D. Boneh and M. Franklin, 2001; journal version 2003).
Tripartite Diffie-Hellman
[Figure: three animated slides showing Joux's one-round tripartite Diffie-Hellman exchange; the diagram itself is not recoverable from the slide text.]
Elliptic curve cryptography: Notations
• E an elliptic curve over a finite field F_p,
• P ∈ E(F_p), n the (prime) order of ⟨P⟩,
• G1 = ⟨P⟩,
• k the smallest integer such that n | (p^k − 1), the embedding degree (even in general),
• Q ∈ E(F_{p^k}),
• G2 = ⟨Q⟩,
• G3 the subgroup of order n of F_{p^k}^*.
Weil versus Tate: Definitions of the Weil and Tate pairings
Let P ∈ E(F_p) and Q ∈ E(F_{p^k}); F_P denotes the function of divisor n(P) − n(O) (resp. F_Q for Q), computed by the Miller algorithm below.
Weil pairing:
$$e_W(P,Q) = \frac{F_P(Q)}{F_Q(P)} \in \mathbb{F}_{p^k}^*$$
Tate pairing (reduced form):
$$e_T(P,Q) = F_P(Q)^{\frac{p^k-1}{n}} \in \mathbb{F}_{p^k}^*$$
The Weil pairing needs two Miller loops (one of them over F_{p^k}) and a division; the Tate pairing needs one Miller loop and a final exponentiation.
Weil versus Tate: Two contradictory conclusions
Two ways to compute a pairing: which one is the best?
• N. Koblitz, A. J. Menezes: Pairing-based cryptography at high security levels, 2005.
⇒ Weil more efficient than Tate at high security levels.
• R. Granger, D. Page, N. Smart: High security pairing-based cryptography revisited, 2006.
⇒ Tate always more efficient than Weil.
Miller algorithm: Calculate F_P(Q)
• Initialisation: T ← P, f1 ← 1 and f2 ← 1 (F_P(Q) is accumulated as the fraction f1/f2).
For each bit n_i of n, from the most significant one down:
1. Doubling step:
- T ← [2]T (computation in F_p)
- $\dfrac{f_1}{f_2} \leftarrow \dfrac{f_1^2}{f_2^2} \times \dfrac{h_1(Q)}{h_2(Q)}$ (computation in F_{p^k})
2. If n_i = 1, addition step:
- T ← T ⊕ P (computation in F_p)
- $\dfrac{f_1}{f_2} \leftarrow \dfrac{f_1}{f_2} \times \dfrac{h_1(Q)}{h_2(Q)}$ (computation in F_{p^k})
Here h1 is the line through the two points being added (the tangent at T in the doubling step) and h2 the vertical line through their sum, both evaluated at Q. At the end T = [n]P = O and F_P(Q) = f1/f2.
Miller algorithm: How to improve it?
Each Miller step needs computation in the field extension F_{p^k} and an inversion (the division by h2(Q)), and the Tate pairing ends with an exponentiation in F_{p^k}.
There are several solutions:
• a twisted curve, so that the evaluation takes place in F_{p^{k/2}},
• elimination of the denominator evaluation,
• pairing-friendly fields and the cyclotomic subgroup,
• some improvements of the exponentiation.
Twisted curve
Definition: Let E be an elliptic curve over a field K. A curve E′ over K is a twist of E if there exists an isomorphism ψ : E′ → E defined over some extension of K (not necessarily over K itself).
Example (E. Brier and M. Joye, 2003)
Let E : y^2 = x^3 − 3x + b over the field F_{p^k}, and ν ∈ F_{p^{k/2}} a non-square in F_{p^{k/2}}, so that √ν ∈ F_{p^k}.
Then E′ : νy^2 = x^3 − 3x + b over F_{p^{k/2}} is a (quadratic) twist of E, with ψ defined by:
Q′ = (x, y) ↦ Q = (x, √ν · y)
(indeed (√ν y)^2 = νy^2 = x^3 − 3x + b, so Q lies on E.)
Elimination of the denominator evaluation
When k is even, a better way to represent Q (the image of a point of the twist):
• Q ∈ E(F_{p^k}) is written (x, y√ν) where x, y, ν ∈ F_{p^{k/2}} and √ν ∈ F_{p^k},
• Consequence: h2(Q) = x − x_{T} ∈ F_{p^{k/2}}, so $h_2(Q)^{p^{k/2}-1} = 1$,
• For Tate: the exponent (p^k − 1)/n is a multiple of p^{k/2} − 1 (since n is prime and n | p^{k/2} + 1), so the denominators vanish in the final exponentiation and need not be computed at all,
• For Weil: raising a pairing to the power p^{k/2} − 1 still gives a (bilinear, non-degenerate) pairing, since gcd(n, p^{k/2} − 1) = 1, so the same denominator-free Miller loop can be used.
Pairing-Friendly Fields
Definition: F_{p^k} is a pairing-friendly field if p ≡ 1 (mod 12) and k = 2^i · 3^j.
Theorem: Let F_{p^k} be a pairing-friendly field and β ∈ F_p neither a square nor a cube in F_p. Then X^k − β is irreducible over F_p.
Consequences
F_{p^k} = F_p[X]/(X^k − β) can be constructed as a tower of quadratic and cubic extensions (adjoining successive square and cube roots of β).
⇒ a perceptible reduction of the cost of a multiplication in F_{p^k}.
Pairing-Friendly Fields: Frobenius operation
Theorem: Let ξ be a root of X^k − β. Then
$$\xi^{p} = \Theta\,\xi \quad\text{and}\quad \xi^{p^{i}} = \Theta^{i}\,\xi,$$
where Θ = ξ^{p−1} is a constant; when k | p − 1 (for instance k | 12) it lies in F_p, namely Θ = β^{(p−1)/k}.
Consequence
For $\omega \in \mathbb{F}_{p^k}^*$ written $\omega = \sum_{i=0}^{k-1} a_i \xi^i$ with $a_i \in \mathbb{F}_p$,
$$\omega^{p} = \sum_{i=0}^{k-1} a_i\,\Theta^{i}\,\xi^{i} \quad\text{and}\quad \omega^{p^{j}} = \sum_{i=0}^{k-1} a_i\,\Theta^{ij}\,\xi^{i},$$
so a Frobenius power costs only k multiplications by precomputed constants instead of an exponentiation.
Pairing-Friendly Fields: Tate exponentiation
To improve the computation of $\omega^{(p^k-1)/n}$:
• As n divides Φ_k(p) (the k-th cyclotomic polynomial evaluated at p, because k is the embedding degree of n):
$$\omega^{\frac{p^k-1}{n}} = \left(\omega^{\frac{p^k-1}{\Phi_k(p)}}\right)^{\frac{\Phi_k(p)}{n}}$$
• The exponentiation to the power (p^k − 1)/Φ_k(p) is made of Frobenius operations (plus a few multiplications and one inversion), so it does not cost a lot.
• The more expensive operation is raising the result to the power Φ_k(p)/n (Lucas sequence or sliding signed window).
Cyclotomic subgroup: Improving the arithmetic (for Tate & Weil)
Definition: the cyclotomic subgroup is the subgroup of F_{p^k}^* of order Φ_k(p). It contains G3 (since n | Φ_k(p)), and the result of the cheap part of the Tate exponentiation already lies in it.
Lemma: for k = 6 and p ≡ 2 or 5 (mod 9), F_{p^6} is defined by g(X) = X^6 + X^3 + 1.
Consequences
⇒ more efficient squaring in the cyclotomic subgroup.
Comparison between Weil and Tate
(Lite = Miller loop for F_P(Q), with P ∈ E(F_p); Full = Miller loop for F_Q(P), with Q ∈ E(F_{p^k}).)
                         Weil                                            Tate
Before the improvements: Lite + Full + Inv_{F_{p^k}} + Mul_{F_{p^k}}     Lite + expo((p^k − 1)/n)
After the improvements:  Lite + Full + Mul_{F_{p^k}}                     Lite + expo(Φ_k(p)/n)
Remark: Inv_{F_{p^k}} uses the Frobenius property, so its cost can be neglected.
Characteristic p
k    coordinates   Tate exponentiation       Tate ≤ Weil up to security level (bits)
2    Jacobian      Lucas sequence            ≤ 128
6    Jacobian      sliding window method     ≤ 384
12   Jacobian      sliding window method     ≤ 512
24   affine        sliding window method     512 ...
Thank you for your attention.
Characteristic 2
The equations are simpler.
• Only one inversion.
• Affine coordinates are more efficient than Jacobian ones.
• Several improvements of the Tate pairing, none for Weil.
So, in characteristic 2, Tate is more efficient than Weil.
Further work:
• Trying to improve Weil.
• Finding from which security level Weil becomes more efficient than Tate.
Remark about inversion in F_{p^k}
Theorem: Let α ∈ F_{p^k}^* be an element of order n (i.e. α ∈ G3; more generally any element whose order divides p^{k/2} + 1). Then its inverse is
$$\alpha^{-1} = \alpha^{p^{k/2}}.$$
Proof: n is a prime number and n divides p^{k/2} + 1, so p^{k/2} + 1 = n × d and α^{p^{k/2}} · α = α^{nd} = 1.
Consequence
For such α, the inversion in F_{p^k} is just a Frobenius operation (k/2 Frobenius steps, i.e. a conjugation). This does not hold for an arbitrary element of F_{p^k}^*.
Cyclotomic subgroup: Improving the square
For $\alpha \in G_{\Phi_k(p)}$ (the subgroup of order Φ_k(p)) with 6 | k, we have $\Phi_k(p) = p^{k/3} - p^{k/6} + 1$, hence $\alpha^{p^{k/3}} \cdot \alpha = \alpha^{p^{k/6}}$, that is
$$\alpha \cdot \alpha^{p^{k/3}} - \alpha^{p^{k/6}} = 0.$$
Writing $\alpha = \sum_{i=0}^{k-1} \alpha_i \xi^i$, we can symbolically compute
$$\alpha \cdot \alpha^{p^{k/3}} - \alpha^{p^{k/6}} = \sum_{i=0}^{k-1} v_i\,\xi^i,$$
where each v_i is a quadratic expression in the α_i (the Frobenius powers are linear in them, by the previous slides), and the relation above gives v_i = 0 for all i. Writing then (here for k = 6)
$$\alpha^2 = \alpha^2 + \Gamma \cdot {}^t[v_0\ v_1\ v_2\ v_3\ v_4\ v_5],$$
a well-chosen matrix Γ cancels part of the products in the coefficients of α^2, and the cost of the squaring is improved. For example, for k = 6, a square costs 6 multiplications.
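As an added worked example (our own code, not the authors'), the following Python puts the Pairing-Friendly Fields slides, the Frobenius-by-constants slide, the two-stage Tate exponentiation, and the two cyclotomic-subgroup facts (inversion by Frobenius, the relation α · α^{p^{k/3}} = α^{p^{k/6}} behind the cheap squaring) on a toy field. The parameters p = 37, k = 6, β = 2, n = 31 and the function names (fk_mul, frobenius, easy_part, tate_exponentiation, cyclotomic_checks) are our choices for illustration; the code works for any k = 6 · 2^a · 3^b with k | p − 1 and β neither a square nor a cube.

```python
# Added example (ours, not from the slides): F_{p^k} = F_p[X]/(X^k - beta) as a pairing-friendly field,
# Frobenius by constants, the Tate final exponentiation split into an easy and a hard part, and the
# cyclotomic-subgroup identities. Assumed toy parameters: p = 37 (p = 1 mod 12), k = 6, beta = 2
# (neither a square nor a cube mod 37), n = 31, a prime divisor of Phi_6(p) = p^2 - p + 1 = 1333 = 31 * 43.
p, k, beta, n = 37, 6, 2, 31
assert p % 12 == 1 and k % 6 == 0 and (p - 1) % k == 0
assert pow(beta, (p - 1) // 2, p) != 1 and pow(beta, (p - 1) // 3, p) != 1   # beta: not a square, not a cube

# An element of F_{p^k} is the coefficient list [a_0, ..., a_{k-1}] of sum a_i xi^i, with xi^k = beta.
def fk_mul(u, v):
    r = [0] * (2 * k - 1)
    for i, a in enumerate(u):
        for j, b in enumerate(v):
            r[i + j] += a * b
    for i in range(2 * k - 2, k - 1, -1):       # fold xi^i (i >= k) back with xi^k = beta
        r[i - k] += beta * r[i]
    return [c % p for c in r[:k]]

def fk_pow(u, e):
    r = [1] + [0] * (k - 1)
    for bit in bin(e)[2:]:
        r = fk_mul(r, r)
        if bit == '1':
            r = fk_mul(r, u)
    return r

def fk_inv(u):                                   # generic inversion (Fermat); needed once, in the easy part
    return fk_pow(u, p**k - 2)

# Frobenius: xi^p = xi^(p-1) * xi = beta^((p-1)/k) * xi = Theta * xi with Theta in F_p (k | p-1),
# hence omega^(p^j) = sum a_i Theta^(ij) xi^i: k multiplications by constants, no exponentiation.
THETA = pow(beta, (p - 1) // k, p)
def frobenius(u, j=1):
    return [a * pow(THETA, i * j, p) % p for i, a in enumerate(u)]

def phi_k(x):                                    # Phi_k(x) = Phi_6(x^(k/6)) for k = 6 * 2^a * 3^b
    return x**(k // 3) - x**(k // 6) + 1

def easy_part(w):
    """w^((p^k-1)/Phi_k(p)) = w^((p^(k/2)-1)(p^(k/6)+1)): two Frobenius maps, one inversion, two products."""
    t = fk_mul(frobenius(w, k // 2), fk_inv(w))         # t = w^(p^(k/2) - 1)
    return fk_mul(frobenius(t, k // 6), t)              # t^(p^(k/6) + 1)

def tate_exponentiation(w):
    """w^((p^k-1)/n) computed as (w^((p^k-1)/Phi_k(p)))^(Phi_k(p)/n); the second power is the expensive one."""
    assert phi_k(p) % n == 0 and (p**k - 1) % phi_k(p) == 0
    return fk_pow(easy_part(w), phi_k(p) // n)

def cyclotomic_checks(w):
    """For alpha of order dividing Phi_k(p): alpha^-1 = alpha^(p^(k/2)) and alpha * alpha^(p^(k/3)) = alpha^(p^(k/6))."""
    alpha = easy_part(w)                                # lies in the cyclotomic subgroup by construction
    return (fk_inv(alpha) == frobenius(alpha, k // 2),
            fk_mul(alpha, frobenius(alpha, k // 3)) == frobenius(alpha, k // 6))
```

The hard part Φ_k(p)/n is left as a plain square-and-multiply here; the Lucas-sequence and sliding-window variants of the slides only change how that last exponentiation is scheduled, not its exponent.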
Distortion map
Definition: a distortion map is a non-rational endomorphism ψ of E, i.e. one defined over F_{q^k} but not over F_q, sending E(F_q) into E(F_{q^k}). If P is a point of order n of E(F_q), then ψ(P) is a point of order n of E(F_{q^k}), in general outside E(F_q).
Theorem: Let P ∈ E(F_q) be of prime order r, with k > 1, and suppose E(F_{q^k}) has no point of order r^2.
Let ψ be a distortion map; then e(P, ψ(P)) ≠ 1.
So a distortion map lets one take G2 = ⟨ψ(P)⟩ and use a single group G1 on the curve side, as in the tripartite key exchange.
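As an added worked example (our own code, not the authors'), here is the whole chain on a toy instance: the Miller algorithm of the earlier slide (with the denominator elimination as an option), the reduced Tate pairing, the distortion map ψ(x, y) = (−x, i·y) of this slide on the supersingular curve y^2 = x^3 + x with p ≡ 3 (mod 4), and Joux's one-round tripartite Diffie-Hellman from the cryptographic-use slide. The prime p = 10^6 + 3, the subgroup order n = 89 and all function names are our assumptions; the sizes are far too small for any security and were chosen only so that the bilinearity and non-degeneracy checks run instantly.

```python
# Added example (ours, not the authors'): Tate pairing by Miller's algorithm on the supersingular
# curve E : y^2 = x^3 + x over F_p, p = 3 mod 4 (embedding degree k = 2), the distortion map
# psi(x, y) = (-x, i*y), and Joux's one-round tripartite Diffie-Hellman on top of it.
# Assumed toy parameters: p = 10^6 + 3 (prime), n = 89 (a prime factor of #E(F_p) = p + 1).
p, n = 1000003, 89                      # far too small for real security
h = (p + 1) // n                        # cofactor
assert p % 4 == 3 and (p + 1) % n == 0

# F_{p^2} = F_p[i]/(i^2 + 1): -1 is a non-square mod p, and an element is the pair (a, b) = a + b*i.
def f2_sub(u, v): return ((u[0] - v[0]) % p, (u[1] - v[1]) % p)
def f2_mul(u, v): return ((u[0]*v[0] - u[1]*v[1]) % p, (u[0]*v[1] + u[1]*v[0]) % p)
def f2_inv(u):                          # (a + bi)^-1 = (a - bi) / (a^2 + b^2)
    d = pow(u[0]*u[0] + u[1]*u[1], -1, p)
    return (u[0]*d % p, -u[1]*d % p)
def f2_pow(u, e):
    r = (1, 0)
    for bit in bin(e)[2:]:
        r = f2_mul(r, r)
        if bit == '1': r = f2_mul(r, u)
    return r

def slope(T, R):                        # chord through T and R, or tangent at T when T = R (curve coefficient a = 1)
    if T == R: return (3*T[0]*T[0] + 1) * pow(2*T[1], -1, p) % p
    return (R[1] - T[1]) * pow(R[0] - T[0], -1, p) % p

def ec_add(T, R):                       # affine addition on E(F_p); None is the point at infinity O
    if T is None: return R
    if R is None: return T
    if T[0] == R[0] and (T[1] + R[1]) % p == 0: return None      # R = -T
    lam = slope(T, R)
    x = (lam*lam - T[0] - R[0]) % p
    return (x, (lam*(T[0] - x) - T[1]) % p)

def ec_mul(m, P):
    R = None
    for bit in bin(m)[2:]:
        R = ec_add(R, R)
        if bit == '1': R = ec_add(R, P)
    return R

def psi(P):                             # distortion map E(F_p) -> E(F_{p^2}): x stays in F_p, y becomes y*sqrt(-1)
    return (((-P[0]) % p, 0), (0, P[1]))

def miller_line(T, R, Q):
    """h1(Q), h2(Q) of the Miller step: the line through T and R (tangent if T = R) and the vertical line through T+R, at Q."""
    if T[0] == R[0] and (T[1] + R[1]) % p == 0:                  # T = -R: vertical line, T + R = O
        return f2_sub(Q[0], (T[0], 0)), (1, 0)
    lam = slope(T, R)
    x3 = (lam*lam - T[0] - R[0]) % p
    h1 = f2_sub(f2_sub(Q[1], (T[1], 0)), f2_mul((lam, 0), f2_sub(Q[0], (T[0], 0))))
    return h1, f2_sub(Q[0], (x3, 0))

def miller(P, Q, skip_den=False):
    """F_P(Q) by the double-and-add loop of the slides over the bits of n (most significant first)."""
    T, f = P, (1, 0)
    for bit in bin(n)[3:]:                                        # the leading 1 is absorbed by T = P
        h1, h2 = miller_line(T, T, Q)
        f = f2_mul(f2_mul(f, f), h1 if skip_den else f2_mul(h1, f2_inv(h2)))
        T = ec_add(T, T)
        if bit == '1':
            h1, h2 = miller_line(T, P, Q)
            f = f2_mul(f, h1 if skip_den else f2_mul(h1, f2_inv(h2)))
            T = ec_add(T, P)
    assert T is None                                              # [n]P = O
    return f

def tate(P, Q, skip_den=False):
    """Reduced Tate pairing e_T(P, Q) = F_P(Q)^((p^2-1)/n). With skip_den the denominators h2(Q), which lie
    in F_p because x_Q is in F_p, are dropped: (p^2-1)/n is a multiple of p-1 (n | p+1), so they vanish anyway."""
    return f2_pow(miller(P, Q, skip_den), (p*p - 1) // n)

def base_point():
    """A point of prime order n: first curve point with x = 1, 2, ..., cofactor cleared (p = 3 mod 4: sqrt(v) = v^((p+1)/4))."""
    for x in range(1, p):
        v = (x**3 + x) % p
        y = pow(v, (p + 1) // 4, p)
        if y*y % p == v:
            P = ec_mul(h, (x, y))
            if P is not None: return P

def tripartite_keys(a, b, c):
    """Joux: A, B, C publish aP, bP, cP; each derives e(P, psi(P))^(abc) with a single pairing."""
    P = base_point()
    A, B, C = ec_mul(a, P), ec_mul(b, P), ec_mul(c, P)
    return (f2_pow(tate(B, psi(C)), a), f2_pow(tate(A, psi(C)), b), f2_pow(tate(A, psi(B)), c))
```

A passive adversary sees only aP, bP and cP; recovering the key from them is the bilinear Diffie-Hellman problem. Note that the loop never divides by zero here: every line of the Miller loop is defined over F_p and vanishes only at points of E(F_p), while ψ(P) has a y-coordinate outside F_p.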