introduction to pairings - ecc ``summer'' school
TRANSCRIPT
Introduction to Pairings
ECC “Summer” School
Diego F. Aranha
November 12, 2017
Institute of Computing – University of Campinas
What is a pairing?
1
Why a bilinear pairing?
e(P + R,Q) = e(P,Q) · e(R,Q) and e(P,Q + S) = e(P,Q) · e(P,S)
.
2
Introduction
Elliptic Curve Cryptography (ECC):
• Underlying problem harder than integer factoring (RSA)
• Same security level with smaller parameters
• Efficiency in storage (short keys) and execution time
Pairing-Based Cryptography (PBC):
• Initially destructive
• Allows for innovative protocols
• Makes curve-based cryptography more flexible
3
Introduction
Pairing-Based Cryptography (PBC) enables many elegant solutions to
cryptographic problems:
• Implicit certification schemes (IBC, CLPKC, etc.)
• Short signatures (in group elements, BLS, BBS)
• More efficient key agreements (Joux’s 3DH, NIKDS)
• Low-depth homomorphic encryption (BGN and variants)
• Isogeny-based cryptography (although not postquantum)
Pairing computation is the most expensive operation in PBC.
Net week: State-of-the art techniques to make it faster!
4
Elliptic curves
An elliptic curve is the set of solutions (x , y) ∈ Fqm × Fqm that satisfy
the Weierstrass equation
E : y2 = x3 + ax + b
where a, b ∈ Fqm with ∆ 6= 0, and a point at infinity ∞.
A degree d twist E ′ of E is a curve isomorphic to E over the algebraic
closure of Fqm . The only possible degrees for elliptic curves are
d ∈ {2, 3, 4, 6}.
Important: Very convenient mathematical setting where pairings can be
constructed and evaluated efficiently.
5
Elliptic curves
Definitions
The order n of the curve is the number of points that satisfy the curve
equation.
The Hasse condition states that n = qm + 1− t, |t| ≤ 2√qm.
The curve is supersingular when q divides t.
More definitions
The order of point P is the smallest integer r such that rP =∞. We
always have r |n.
The r-torsion subgroup (E (Fqm)[r ]) is the set of points P in which
their order divides r .
6
Bilinear pairings
Let G1 = 〈P〉 and G2 = 〈Q〉 be additive groups and GT be a
multiplicative group such that |G1| = |G2| = |GT | = prime r .
Definition
An efficiently-computable map e : G1 ×G2 → GT is an admissible
bilinear map if the following properties are satisfied:
1. Bilinearity: given (V , W ) ∈ G1 ×G2 and (a, b) ∈ Z∗r :
e(aV , bW ) = e(V ,W )ab = e(abV ,W ) = e(V , abW ) = e(bV , aW ).
2. Non-degeneracy: e(P,Q) 6= 1GT, where 1GT
in GT .
7
Bilinear pairings
A general pairing
e : G1 ×G2 → GT
• G1 is typically a subgroup of E (Fq).
• G2 is typically a subgroup of E (Fqk ).
• GT is a multiplicative subgroup of F∗qk .
Hence pairing-based cryptography involves arithmetic in Fqk .
Problem: In practice, we want small k for computable pairing!
8
Pairing-friendly curves
Definitions
The embedding degree of the curve is the smallest integer k such that
r |(qk − 1).
In other words, it is the smallest extension of Fq in which we can embed
the r -torsion group. For efficiency, we want the largest d such that d |k.
Random curves have k ≈ q, but supersingular curves have k ≤ 6 and
there are families of ordinary curves with k < 50.
9
Pairing operations
A general pairing
e : G1 ×G2 → GT
Cryptographic schemes require multiple operations in pairing groups:
1. Scalar multiplication, membership, compression in G1 and G2.
2. Exponentiation, membership, compression in GT .
3. Hashing strings into groups G1, G2, GT .
4. Efficient maps between G1 and G2.
5. Efficient pairing computation.
Problem: No concrete instantiation supports last three simultaneously!
10
Pairing types
If G1 = G2, the pairing is symmetric (or Type-1) and defined over a
supersingular curve equipped with a distortion map
ψ : E (Fq)[r ]→ E (Fqk )[r ].
If G1 6= G2, the pairing is asymmetric (or Type-3) and G2 is chosen as
the group of points in the twist that is isomorphic to a subgroup of
E (Fqk )[r ]. There is no efficient map ψ : G2 → G1.
Important: Supersingular curves over small characteristic (q = 2, 3) are
broken by quasi-polynomial algorithm by [Barbulescu et al. 2014]!
11
Security of pairings
A general pairing
e : G1 ×G2 → GT
Classical problems:
• DLP: Recover a from 〈g , g a〉• CDHP: Compute g ab from 〈g , g a, gb〉
Underlying problems:
• ECDLP: Recover a from 〈P, aP〉• BCDHP: Compute e(P,Q)abc from 〈P, aP, bP, cP,Q, aQ, bQ, cQ〉
12
Security of pairings
There are multiple security requirements to satisfy:
• The (EC)DLP problem must be hard in G1,G2 and GT .
• Parameters in G1,G2 should be large enough.
• Good balance can be found by choosing the right k.
The value ρ = log qlog r describes how good the balance is (ρ = 1 is optimal)
for a certain set of parameters.
Important: Plenty research into suitable curves for good values of k.
13
Applications
The first cryptographic application of pairings was attacking ECDLP!
The Menezes-Okamoto-Vanstone (MOV) attack
Given P and Q = aP on curve E , find a:
1. Find point S of order n such that e(P,Q) 6= 1GT.
2. Compute e(P,S) = g .
3. Compute e(Q,S) = e(aP,S) = e(P,S)a = g a.
4. Solve the DLP on 〈g , g a〉 in GT .
Best general known algorithms for ECDLP run in O(√n), but there are
subexponential methods such as index calculus for DLP in GT .
Note: this attacked killed the faster supersingular curves in the 90s.
14
Applications
Conventional paradigm (PKI):
• Three-party key agreement [Joux 2000]
• Short signatures [Boneh et al. 2001]
Alternate paradigms:
• Non-interactive identity-based AKE [Sakai et al. 2001]
• Identity-based encryption [Boneh et al., Sakai et al. 2001]
15
Applications
Joux’s one-round Tripartite Diffie-Hellman [Joux 2000]:
• Key generation:
1. Parties A,B,C generate short-lived secrets a, b, c ∈ Z∗r respectively
2. Parties A,B,C broadcast aG , bG , cG to the other parties
• Key sharing:
1. A computes KA = e(bG , cG)a
2. B computes KB = e(aG , cG)b
3. C computes KC = e(aG , bG)c
Correctness: Shared key is K = KA = KB = KC = e(G ,G )abc .
16
Applications
Boneh-Lynn-Schacham (BLS) short signatures in the conventional PKI
paradigm [Boneh et al. 2001]:
• Key generation:
1. Select a private key x ∈ Z∗r
2. Compute the public key V ← xP
• Signature:
1. Compute H ← h(M) ∈ G1
2. Sign S ← xH
• Verification:
1. Compute H ← h(M)
2. Verify if e(P, S) = e(V ,H)
Correctness: Works because e(P,S) = e(P, xH) = e(xP,H) = e(V ,H).
17
Applications
Identity-based encryption facilitates certification of public keys. If Alice
wants to encrypt a message to Bob, she must be sure that an adversary
did not replace his public key.
Conventional: Employ a Certificate Authority (CA) to compute a
signature linking Bob and his public key. Alice can check the signature
and learns Bob’s public key.
However, certificates are expensive to manage (procedures, audits,
revocation), thus Alice could use some trivially authentic information
about Bob (e-mail address?).
Solution: Introduce authority to generate and distribute private keys.
18
Applications
Non-interactive identity-based AKE [Sakai et al. 2001]:
• Initialization:
1. Central authority generates master key s ∈ Z∗r .
• Key generation:
1. User with identity IDi computes Pi = H(IDi )
2. Central authority generates private key Si = sPi
• Key derivation:
1. Users A e B compute shared key e(SA,PB) = e(SB ,PA)
Correctness: e(SA,PB) = e(sPA,PB) = e(PA, sPB) = e(SB ,PA).
19
Applications
Identity-based encryption [Boneh and Franklin 2001]:
• Initialization:
1. Authority (PKG) generates master key s ∈ Z∗r and computes its
public key Ppub = sP
2. Fix hash functions H1 : {0, 1}∗ → G1 and H2 : GT → {0, 1}m.
• Key generation:
1. User with identity IDi computes public key Pi = H1(IDi )
2. Central authority generates private key Si = sPi
• Encryption:
1. To encrypt m, Bob selects random ` and computes R = `P and
c = m ⊕ H2(e(PA,Ppub)`).
2. Bob sends (R, c) to Alice.
• Decryption:
1. Alice uses her private key to compute
c ⊕H2(e(SA,R)) = c ⊕H2(e(sPA, `P)) = c ⊕H2(e(PA,Ppub)`) = m.
20
Pairing computation
A general pairing
e : G1 ×G2 → GT
Many moving parts (parameters):
• What choice of curve?
• What is an appropriate embedding degree k?
• How to balance hardness of DLP among different groups?
Note: Hardness of GT is given by k · |q|.
Problem: How to build and compute map e?
21
Pairing computation
Definitions
A divisor is a formal sum of points and integer coefficients:
D =∑P∈E
dP(P)
The degree of a divisor is the sum of integer coefficients:
deg(D) =∑P∈E
dP
The support of a divisor is the set of points P with dP 6= 0.
22
Pairing computation
The set of divisors forms an abelian group:
∑P∈E
aP(P) +∑P∈E
bP(P) =∑P∈E
(aP + bP)(P)
Repeated addition of a divisor to itself is given by:
nD =∑P∈E
(ndP)(P)
23
Pairing computation
Divisors are a mathematical device convenient to store poles and zeroes
of rational functions and their multiplicities.
The divisor of a non-zero rational function f : E (Fqk )→ Fqk is called
principal divisor and defined as div(f ) =∑
P∈E ordP(P), where ordP is
the multiplicity of P.
If D is a principal divisor, then deg(D) = 0 and∑P∈E
dPP =∞.
Two divisors C and D are equivalent (C ∼ D) is their difference (C − D)
is a principal divisor.
24
Pairing computation
When div(f ) and D have disjoint support:
f (D) =∏P∈E
f (P)dP
Let P ∈ E (Fqk )[r ] and D a divisor equivalent to (P)− (∞).
Since rP =∞ and deg(D) = 0, the divisor rD is principal and there is a
function fr ,P such that div(fr ,P) = rD = r(P)− r(∞).
Pairings are defined by the evaluation of fr ,P on divisors.
Problem: How to construct and compute fr ,P?
25
Pairing computation
Let P,Q be r -torsion points. The pairing e(P,Q) is defined by the
evaluation of fr ,P at a divisor related to Q.
[Miller 1986] constructed fr ,P in stages combining Miller functions
evaluated at divisors.
[Barreto et al. 2002] showed how to evaluate fr ,P at Q using the final
exponentiation employed by the Tate pairing.
26
Pairing computation
Let gU,V be the line equation through points U,V ∈ E (Fqk ) and gU the
shorthand for gU,−U .
For any integers a and b, we have:
1. fa+b,P(D) = fa,P(D) · fb,P(D) · gaP,bP(D)
g(a+b)P(D)
2. f2a,P(D) = fa,P(D)2 · gaP,aP (D)g2aP (D)
3. fa+1,P(D) = fa,P(D) · g(a)P,P (D)
g(a+1)P (D)
27
Miller’s algorithm
Algorithm 1 Miller’s Algorithm [Miller 1986, Barreto et al. 2002].
Input: r =∑log2 r
i=0 ri2i ,P,Q.
Output: er (P,Q).
1: T ← P
2: f ← 1
3: for i = blog2(r)c − 1 downto 0 do
4: T ← 2T
5: f ← f 2 · gT,T (D)g2T (D)
6: if ri = 1 then
7: T ← T + P
8: f ← f · gT,P (D)gT+P (D)
9: end if
10: end for
11: return f
28
Miller’s algorithm
Let l be the line equation that passes through T and P in the addition
T + P.
Let v be the vertical line that passes through T and −T .
Recall that:
f (D) =∏P∈E
f (P)dP
We can replace:
1. gT ,P(D) = lT ,P((Q + R)− (R)) =lT,P (Q+R)lT,P (R) ;
2. gT (D) = vT ((Q + R)− (R)) = vT (Q+R)vT (R) .
29
Miller’s algorithm
Algorithm 2 Miller’s Algorithm [Miller, 1986].
Input: r =∑log2 r
i=0 ri2i ,P,Q.
Output: er (P,Q).
1: T ← P
2: f ← 1
3: for i = blog2(r)c − 1 downto 0 do
4: T ← 2T
5: f ← f 2 · lT,T (Q+R)v2T (R)v2T (Q+R)lT,T (R)
6: if ri = 1 then
7: T ← T + P
8: f ← f · lT,P (Q+R)vT+P (R)vT+P (Q+R)lT,P (R)
9: end if
10: end for
11: return f
30
Weil pairing
Let P,Q divisors equivalent to (P)− (∞), (Q)− (∞), respectively. The
Weil pairing is the map:
wr : E (Fq)[r ]× E (Fqk )[r ]→ F∗qk
wr (P,Q) = (−1)r · fr ,P(Q)
fr ,Q(P).
It turns out that we can evaluate the functions over points instead of
divisors [Miller 1986].
31
Tate pairing
The reduced Tate pairing is the map:
er : E (Fq)[r ]× E (Fqk )[r ]→ F∗qk
er (P,Q) = fr ,P(D)(qk−1)/r .
The final exponentiation by (qk − 1)/r allows [Barreto et al. 2002]:
• Choosing R with coordinates in a subfield to eliminate l(R), v(R)
• Choosing R as ∞ and evaluate f on Q instead of D• Using a distortion map to eliminate v(Q)
• Choosing k even and construct a quadratic extension such that the
coordinates of Q are in a subfield to eliminate v(Q)
32
Miller’s algorithm
Algorithm 3 Miller’s Algorithm [Miller, 1986].
Input: r =∑log2 r
i=0 ri2i ,P,Q.
Output: er (P,Q).
1: T ← P
2: f ← 1
3: for i = blog2(r)c − 1 downto 0 do
4: T ← 2T
5: f ← f 2 · lT,T (Q+R)v2T (R)v2T (Q+R)lT,T (R)
6: if ri = 1 then
7: T ← T + P
8: f ← f · lT,P (Q+R)vT+P (R)vT+P (Q+R)lT,P (R)
9: end if
10: end for
11: return f
33
Tate pairing
Algorithm 4 Tate pairing [Barreto et al. 2002].
Input: r =∑log2 r
i=0 ri2i ,P,Q.
Output: er (P,Q).
1: T ← P
2: f ← 1
3: s ← r − 1
4: for i = blog2(s)c − 1 downto 0 do
5: T ← 2T
6: f ← f 2 · lT ,T (Q)
7: if ri = 1, i 6= 0 then
8: T ← T + P
9: f ← f · lT ,P(Q)
10: end if
11: end for
12: return f (qk−1/r)
34
Pairing computation
Important: How can we optimize it?
The main optimization is to reduce the length of the loop keeping the
Hamming weight of r small. There are several ways of doing this: Ate,
Ate i, R-ate, χ− ate.
The optimal pairing construction reduces the loop iterations by a factor
of φ(k).
We can observe that Miller’s Algorithm employs:
• Extension field arithmetic
• Elliptic curve arithmetic
• Base field arithmetic.
35
Tate pairing
Algorithm 5 Tate pairing [Barreto et al. 2002].
Input: r =∑log2 r
i=0 ri2i ,P,Q.
Output: er (P,Q).
1: T ← P
2: f ← 1
3: s ← r − 1
4: for i = blog2(s)c − 1 downto 0 do
5: T ← 2T
6: f ← f 2 · lT ,T (Q)
7: if si = 1 then
8: T ← T + P
9: f ← f · lT ,P(Q)
10: end if
11: end for
12: return f (qk−1/r)
36
Arithmetic levels
Protocols
Low-level backend
37
Curve families
BN curves: k = 12, ρ ≈ 1
p(x) = 36x4 + 36x3 + 24x2 + 6x + 1
r(x) = 36x4 + 36x3 + 18x2 + 6x + 1, t(x) = 6z2 + 1
BLS12 curves: k = 12, ρ ≈ 1.5
p(x) = (x − 1)2(x4 − x2 + 1)/3 + x ,
r(x) = x4 − x2 + 1, t(x) = x + 1
KSS18 curves: k = 18, ρ ≈ 4/3
p(x) = (x8 + 5x7 + 7x6 + 37x5 + 188x4 + 259x3 + 343x2 + 1763x + 2401)/21
r(x) = (x6 + 37x3 + 343)/343, t(x) = (x4 + 16z + 7)/7
BLS24 curves: k = 24, ρ ≈ 1.25
p(x) = (x − 1)2(x8 − x4 + 1)/3 + x ,
r(x) = x8 − x4 + 1, t(x) = x + 1
38
Barreto-Naehrig curves
Let x be an integer such that p(x) and r(x) below are prime:
• p(x) = 36x4 + 36x3 + 24x2 + 6x + 1
• r(x) = 36x4 + 36x3 + 18x2 + 6x + 1
Then y2 = x3 + b, b ∈ Fp is a curve of order r and embedding degree
k = 12 [Barreto and Naehrig 2012].
Important: BN curves used to be optimal at the 128-bit security level.
39
Optimal ate pairing
aopt : G2 ×G1 → GT
(Q,P) → (fr ,Q(P) · lrQ,πp(Q)(P) · lrQ+πp(Q),−π2p(Q)(P))(p
12−1)/n
with r = 6x + 2,G1 = E (Fp),G2 = E (Fp2)[n].
Fix x = −(262 + 255 + 1) and b = 2. Since p ≡ 3 (mod 4), the towering
can be:
• Fp2 = Fp[i ]/(i2 − β), where β = −1
• Fp4 = Fp2 [s]/(s2 − ε), where ξ = 1 + i
• Fp6 = Fp2 [v ]/(v3 − ξ), where ξ = 1 + i
• Fp12 = Fp4 [v ]/(t3 − s) or Fp6 [w ]/(w2 − v)
Important: Choice of representation changes formulas (and costs)!
40
Software libraries
There are many different software implementations of pairings:
1. RELIC: UNICAMP, flexible and state-of-the-art.
2. Ate-pairing: CINVESTAV, used to be state-of-the-art.
3. mcl: new library at “new” 128-bit level by Shigeo Mitsunari.
4. MIRACL: special support for constrained platforms.
5. Panda: not as efficient, but constant-time.
6. PBC: on top of GMP, horribly outdated.
41
Questions?
Code, documentation and tests at the pairings branch of my private
OpenSSL fork:
https://github.com/dfaranha/openssl
Recommended further reading: Pairings for Beginners, by Craig Costello,
and the early papers by Mike Scott for the optimization techniques.
42
References
[1] Victor S. Miller: The Weil Pairing, and Its Efficient Calculation.
J. Cryptology 17(4): 235-261 (2004)
[2] Dan Boneh, Matthew K. Franklin: Identity-Based Encryption
from the Weil Pairing. SIAM J. Comput. 32(3): 586-615 (2003)
[3] Paulo S. L. M. Barreto, Hae Yong Kim, Ben Lynn, Michael Scott:
Efficient Algorithms for Pairing-Based Cryptosystems. CRYPTO
2002: 354-368
[4] Ryuichi Sakai, Masao Kasahara: ID based Cryptosystems with
Pairing on Elliptic Curve. IACR Cryptology ePrint Archive 2003: 54
(2003)
43
References
[5] Antoine Joux: A One Round Protocol for Tripartite
Diffie-Hellman. J. Cryptology 17(4): 263-276 (2004)
[6] Paulo S. L. M. Barreto, Michael Naehrig: Pairing-Friendly Elliptic
Curves of Prime Order. Selected Areas in Cryptography 2005:
319-331
[7] Diego F. Aranha, Koray Karabina, Patrick Longa, Catherine H.
Gebotys, Julio Lopez: Faster Explicit Formulas for Computing
Pairings over Ordinary Curves. EUROCRYPT 2011: 48-68
[8]Razvan Barbulescu, Pierrick Gaudry, Antoine Joux, Emmanuel
Thom?: A Heuristic Quasi-Polynomial Algorithm for Discrete
Logarithm in Finite Fields of Small Characteristic. EUROCRYPT
2014: 1-16
44