Efficient Algorithms for Pairing-Based

Cryptosystems

CS548 Advanced Information Security

2010. 04. 22.

Kanghoon Lee, AIPR Lab., KAIST

Paulo S. L. M. Barreto, Hae Y. Kim, Ben Lynn, and Michael Scott

Proceedings of Crypto, 2002

1

Contents

Scalar Multiplication in Characteristic 3

Mathematical Preliminaries

Introduction

Computing the Tate Pairing

Square Root Extraction

Scalar Multiplication in Characteristic 3

Experiment Results

2

Introduction

� Problems of Pairing-Based Cryptosystems

• Expensive bilinear pairing computations (e.g. Weil or Tate pairing)

� Goals

• To make entirely practical systems

• Theoretical guarantees

• Several efficient algorithms for the arithmetic operations

� Contributions of this paper

• Definition of point tripling � Faster scalar multiplication in characteristic 3

• Improved square root computation over � Important for the point compression

• A variant of Miller’s algorithm � Efficient computation of Tate pairing

(In characteristics 2 and 3, complexity reduction of Tate pairing is from to )

mpF

)( 3mO )(2mO

3

Mathematical Preliminaries (1)

� Finite Field, : the field with pm elements

• p (prime number) : characteristic of

• m (positive integer) : extension degree

• (simply write with q=pm )

� Elliptic Curve

• The set of solutions (x, y) over to an equation of form

with additional point at infinity, O

mpF

mpF

}0{* −≡ qq FF qF

)( qFE

qF232: axaxaxyaxyayE +++=++ with additional point at infinity, O

• There exists an abelian group law on E,

� The number of points of , , called order of the curve over the field

� The order of point P : the least nonzero integer r such that rP=O

� : the set of all points of order r in E

• : the set of all points of order r to the particular subgroup E(K)

64

2

2

3

31

2: axaxaxyaxyayE +++=++

213 PPP +=

)( qFE qF)(# qFEn =

][rE

])[( rKE

4

Mathematical Preliminaries (2)

� Security multiplier k

• If r | qk-1 and r does not divide qs-1 for any 0 < s < k

� Some cryptographically interesting supersingular elliptic curves

� Divisor : a formal sum of points on the curve

� The degree of a divisor is the sum

mpF

∑= P P PaA )( ∑= P PaA

5

Mathematical Preliminaries (3)

� Tate Pairing

• Let l be a natural number coprime to q

• The Tate pairing of order l is the map

as

� Tate pairing satisfies the following properties

*])[(])[(: kk qqql FlFElFEe →×lq

QPl

k

AfQPe /)1()(),( −=

6

Scalar Multiplication in Characteristic 3 (1)

� Arithmetic on the curve E3,b• Let P1 = (x1, y1), P2 = (x2, y2), P3 = (x3, y3)

• By definition, -O = O, -P1 = (x1, -y1), O + P1 = P1 + O = P1

• Furthermore,

� Double-and-add method : , k = (kt … k1 k0)2 where ZkkPV ∈= , }1,0{∈ik

7

Scalar Multiplication in Characteristic 3 (2)

� Point Tripling for E3,b• P = (x, y)

• 3P = (x3, y3) with the folumas,

� Triple-and-add method : , k = (kt … k1 k0)3 where ZkkPV ∈= , }1,0,1{−∈ik

8

Square Root Extraction

� Elliptic curve equation over

� In a finite field where and odd m,

the best algorithm to compute a square root �

� A solution of , is given by

• If m = 2k+1 for some k ,

mpF )4(mod3≡p

)(: 2 xfyE = qF

)( 3mO

ax =24/)1( +=

mpax

• If m = 2k+1 for some k ,

� can be verified by induction

� operations

2where1

0 puak

i

iu=∑

−

=

)log( 2 mmOpF

9

Computing the Tate Pairing

� Tate Pairing,

• Let ,

•

� To find the function fP and then evaluate its value at AQ

� Miller’s Formula [1, Theorem 2]

*])[(])[(: kk qqql FlFElFEe →×

lq

QPl

k

AfQPe /)1()(),( −=

])[( lFEP q∈ ])[( lFEQ kq∈

where

10

Miller’s Algorithm

�

� Example Computation of the Tate Pairing [2, Appendix B]

• p = 43, k = 2, l = 11

• Supersingular elliptic curve , order = 44

• Distortion map

• P = (23,8), Q=(20,8t)

• Using the Miller’s algorithm,

t([2]P, Q)(p^2+1)/l = (40t+28)168 = 23t + 26 , t(P, Q)(p^2+1)/l = (13t+38)168 = 3t + 11

• We know that t([2]P, Q) = t(P, Q)2

xxyE += 32:

),(),( iyxyx −=φ

11

Improvement of Miller’s Algorithm (1)

� Irrelevant denominators

• When computing and is a distortion map,

the g2V and gV+P denominators in Miller’s algorithm can be discarded

• Distorsion maps

))(,( QPen φ φ

� Evaluation of fn with more efficient triple-and-add method in characteristic 3

•

• With discarding the irrelevant denominators

)()()()()()( 32,2,3 aPaPaPaPaPaPaa ggggff −−++=

)()()()( ,2,3

3 QgQgQfQf aPaPaPaPbb ⋅⋅=

12

Improvement of Miller’s Algorithm (2)

� Speeding up the Final Powering

• Evaluation of the Tate pairing includes a final raising to the power of

• Exponent part � similar way to the square root algorithm

� Fixed-base Pairing Precomputation

• When computing , P is either fixed (e.g. base point on the curve) or used

repeatedly (e.g. public key)

• Precompute

),( QPen npkm /)1( −

),( QPen

),( QPe• Precompute ),( QPen

13

Experimental Results

� Timings for Boneh-Lynn-Shacham (BLS) verification and Boneh-Franklin identity-

based encryption (IBE) (ms)

� Future works

• Apply to more general algebraic curves, e.g., a fast n-th root algorithm

14

References

[1] Paulo S. L. M. Barreto, Hae Y. Kim, Ben Lynn, and Michael Scott, Efficient

Algorithms for Pairing-Based Cryptosystems, Proceedings of Crypto, 2002

[2] Marcus Stogbauer, Efficient Algorithms for Pairing-Based Cryptosystems, Diploma

Thesis, Darmastay University of Technology, 2004

15