Post on 23-Feb-2016
Ph.D. Preliminary Exam, Department of Mathematics, FAU
Implementing Cryptographic Pairings
Parshuram Budhathoki, FAU
October 25, 2012
11/25/2012
Outline

Motivation
Diffie-Hellman key exchange
What is a pairing?
Divisors
Tate pairing
Miller's algorithm for the Tate pairing
Optimization
Diffie-Hellman Key Exchange:

Alice, Bob and Charlie want to communicate. How can they share a key?

[Figure: Alice, Bob and Charlie]
Diffie-Hellman Two-Party Key Exchange

Let $G = \langle g \rangle$. Alice chooses a secret exponent $x$ and Bob chooses a secret exponent $y$.

[Figure: Alice holds $g$ and $x$; Bob holds $g$ and $y$]
Diffie-Hellman Two-Party Key Exchange

Alice sends $g^x$ to Bob and Bob sends $g^y$ to Alice; only a single round is needed.

Common key $= g^{xy} = g^{yx}$
Diffie-Hellman Three-Party Key Exchange

Alice, Bob and Charlie share the generator $g$. Alice chooses $x$, Bob chooses $y$ and Charlie chooses $z$.

[Figure: Alice holds $g$ and $x$; Bob holds $g$ and $y$; Charlie holds $g$ and $z$]
Diffie-Hellman Three-Party Key Exchange

First round: Alice sends $g^x$ to Bob, Bob sends $g^y$ to Charlie and Charlie sends $g^z$ to Alice.
Diffie-Hellman Three-Party Key Exchange

Each party raises the value it received to its own secret: Alice computes $g^{xz}$, Bob computes $g^{xy}$ and Charlie computes $g^{yz}$.
Diffie-Hellman Three-Party Key Exchange

Second round: Alice sends $g^{xz}$ to Bob, Bob sends $g^{xy}$ to Charlie and Charlie sends $g^{yz}$ to Alice.
Diffie-Hellman Three-Party Key Exchange

Alice computes $(g^{yz})^x$, Bob computes $(g^{xz})^y$ and Charlie computes $(g^{xy})^z$.

Common key $= g^{xzy} = g^{zxy} = g^{zyx}$
Does a one-round protocol for three-party key exchange exist?

To answer this question we need a special function.
Pairings

Let $(G,+)$ and $(V,\cdot)$ denote cyclic groups of prime order $\ell$, let $P \in G$ be a generator of $G$, and let $e : G \times G \to V$ be a pairing which satisfies the following additional properties:

1) Bilinearity: for all $P, Q, R \in G$ we have $e(P+R, Q) = e(P,Q)\,e(R,Q)$ and $e(P, R+Q) = e(P,R)\,e(P,Q)$.
2) Non-degeneracy: there exist $P, Q \in G$ such that $e(P,Q) \neq 1$.
3) $e$ can be efficiently computed.
One-Round Three-Party Key Exchange (Joux, 2000)

Let $G = \langle P \rangle$ be an additive group. Alice, Bob and Charlie choose secrets $a$, $b$ and $c$ and broadcast $aP$, $bP$ and $cP$ in a single round.

Alice computes $e(bP, cP)^a$, Bob computes $e(aP, cP)^b$ and Charlie computes $e(bP, aP)^c$.

By bilinearity all three values equal $e(P,P)^{abc}$, which is the common key.
Torsion Points:

Let $E : y^2 - (x^3 + Ax + B) = 0$ be an elliptic curve over the finite field $\mathbb{F}_q$:

$E(\mathbb{F}_q) = \{ (x,y) \mid x, y \in \mathbb{F}_q,\ y^2 = x^3 + Ax + B \} \cup \{ \infty \}$

Here $\infty$ is the point at infinity; these points form an additive group with $\infty$ as the group identity.

Let $\ell$ be a prime satisfying $\ell \mid \#E(\mathbb{F}_q)$, $\ell$ does not divide $q - 1$, and $\ell$ and $q$ are co-prime.
Torsion Points:

Then for some integer $k$, $E(\mathbb{F}_{q^k})$ contains points of order $\ell$ if and only if $\ell \mid q^k - 1$.

Let $E[\ell]$ denote the set of these order-$\ell$ points, which are called torsion points.*

$E[\ell] = \{ P \in E(\mathbb{F}_{q^k}) : \ell P = \infty \}$

* Beyond the scope of this presentation.
Functions on an Elliptic Curve:

Let $E$ be an elliptic curve over a field $K$. A non-zero rational function $f \in \bar{K}(E)^*$ is defined at a point $P \in E(\bar{K}) \setminus \{\infty\}$ if $f = g/h$ for some $g, h \in \bar{K}(E)$ with $h(P) \neq 0$.

$f$ is said to have:
=> a zero at the point $P$ if $f(P) = 0$
=> a pole at the point $P$ if $f(P) = \infty$ (or $1/f(P) = 0$)
Functions on an Elliptic Curve:

There is a function $u_P$, called a uniformizer at $P$, such that $u_P(P) = 0$.

Every function $f(x,y)$ can be written in the form $f = u_P^{\,r} g$ with an integer $r$ and $g(P) \neq 0$.

The order of $f$ at $P$ is $r$: $\mathrm{ord}_P(f) = r$.

If $l$ is any line through $P$ that is not tangent to $E$, then $l$ is a uniformizing parameter for $P$.
Divisors

Up to a constant multiple, a rational function is uniquely determined by its zeros and poles.

A divisor is a tool to record these special points of a function.

For each $P \in E$, define a formal symbol $(P)$. Here $E = E(\bar{K})$.
Divisors:

A divisor $D$ is a "formal" sum of points:

$D = \sum_{P \in E} n_P\,(P)$,

where the $n_P$ are integers and $n_P = 0$ for all but finitely many $P \in E$.

$\mathrm{Div}(E)$ denotes the group of divisors of $E$, which is the free abelian group generated by the points of $E$, where addition is given by

$\sum_{P \in E} n_P\,(P) + \sum_{P \in E} m_P\,(P) = \sum_{P \in E} (n_P + m_P)\,(P)$.
Divisors:

The support of a divisor $D$ is $\mathrm{supp}(D) = \{ P \in E \mid n_P \neq 0 \}$.

The degree of a divisor $D$ is $\deg(D) = \sum_{P \in E} n_P$.

$\mathrm{Div}^0(E)$ is the subgroup of $\mathrm{Div}(E)$ consisting of the divisors of degree 0.

A divisor $D$ with $\deg(D) = 0$ is called a principal divisor.

The sum of a divisor $D$ is $\mathrm{sum}(D) = \sum_{P \in E} n_P P$.
Divisor of a Function:

=> The number of zeros and poles of a rational function $f$ is finite.
=> We can define the divisor of a function $f$ as $\mathrm{div}(f) = \sum_{P} \mathrm{ord}_P(f)\,[P]$.
=> $\mathrm{div}(f) = 0$ iff $f$ is constant.
=> A principal divisor is a divisor which is equal to $\mathrm{div}(f)$ for some function $f$.

$\mathrm{div}(f)$ records the zeros and poles of $f$ and their multiplicities.
Divisor of a Function:

Let $D$ be a divisor $D = \sum_{P \in E} n_P\,(P)$. Then the evaluation of $f$ in $D$ is defined by

$f(D) = \prod_{P \in \mathrm{supp}(D)} f(P)^{n_P}$.
Tate Pairing

Let $P \in E(\mathbb{F}_{q^k})[\ell]$. Then $\ell(P) - \ell(\infty)$ is a principal divisor.

There is a rational function $f_{\ell,P} \in \mathbb{F}_{q^k}(E)$ with $\mathrm{div}(f_{\ell,P}) = \ell(P) - \ell(\infty)$.

Let $Q$ be a point representing a coset in $E(\mathbb{F}_{q^k}) / \ell E(\mathbb{F}_{q^k})$.

We construct $D_Q \in \mathrm{Div}(E)$ such that:
=> $D_Q \sim (Q) - (\infty)$
=> $\mathrm{supp}(D_Q) \cap \mathrm{supp}(\mathrm{div}(f_{\ell,P})) = \emptyset$
Tate Pairing

The Tate pairing

$e : E(\mathbb{F}_{q^k})[\ell] \times E(\mathbb{F}_{q^k}) / \ell E(\mathbb{F}_{q^k}) \to \mathbb{F}_{q^k}^* / (\mathbb{F}_{q^k}^*)^{\ell}$

is given by

$e(P, Q) = f_{\ell,P}(D_Q)$.
Tate Pairing

=> $e$ does not depend on the choice of $f_{\ell,P}$
=> $e$ does not depend on the choice of $D_Q$
=> $e$ is well defined
=> $e$ satisfies non-degeneracy
=> $e$ satisfies bilinearity
Miller's algorithm for the Tate pairing:

[Figure: the points $[a]P$, $[b]P$, $-[a+b]P$ and $[a+b]P$ on $E$]

Let $g_{[a]P,[b]P}$ be the line passing through $[a]P$ and $[b]P$, and let $v_{[a+b]P}$ be the vertical line passing through $[a+b]P$.
Miller's algorithm for the Tate pairing:

Then

$\mathrm{div}(g_{[a]P,[b]P}) = [a]P + [b]P + [-(a+b)]P - 3[\infty]$

$\mathrm{div}(v_{[a+b]P}) = [a+b]P + [-(a+b)]P - 2[\infty]$
Miller's algorithm for the Tate pairing:

$\mathrm{div}(f/g) = \mathrm{div}(f) - \mathrm{div}(g)$ and $\mathrm{div}(fg) = \mathrm{div}(f) + \mathrm{div}(g)$.
Miller's algorithm for the Tate pairing:

Input: $P \in E(\mathbb{F}_{q^k})$, $Q \in E(\mathbb{F}_{q^k})$, where $P$ has order $\ell$ ($\ell_i$ denotes the $i$-th binary digit of $\ell$).
Output: $e(P, Q)$.

1. $T = P$, $f = 1$
2. for $i = \lfloor \log_2 \ell \rfloor - 1$ down to $0$:
     $f = f^2 \cdot g_{T,T}(Q) / v_{2T}(Q)$
     $T = 2T$
     if $\ell_i = 1$ then
         $f = f \cdot g_{T,P}(Q) / v_{T+P}(Q)$
         $T = T + P$
3. $f = f^{(q^k - 1)/\ell}$
4. return $f$
Miller's algorithm for the Tate pairing:

Example: Let $E(\mathbb{F}_{11}) : y^2 = x^3 + 3x$, so $\#E(\mathbb{F}_{11}) = 12$.

Choose $\ell = 6$; then $k = 2$. If $P = (1, 9)$ and $Q = (8 + 7i, 10 + 6i)$, find $e(P, Q)$.

$\ell = 6 \Rightarrow (\ell_2, \ell_1, \ell_0) = (1, 1, 0)$

$T = (1, 9)$. For $i = 1$: $g_{T,T} = y + 7x + 6$ and $v_{2T} = x + 8$,

$g_{T,T}(Q) = 6$ and $v_{2T}(Q) = 5 + 7i$.
Miller's algorithm for the Tate pairing:

Example:

$T = [2](1, 9) = (3, 5)$

$f = 1^2 \cdot \dfrac{6}{5 + 7i} = 1 + 3i$

Since $\ell_1 = 1$:

$g_{T,P} = y + 2x$ and $v_{T+P} = x$

$g_{T,P}(Q) = 4 + 9i$ and $v_{T+P}(Q) = 8 + 7i$

Thus $f = (1 + 3i) \cdot \dfrac{4 + 9i}{8 + 7i} = 8 + 10i$ and $T = (3, 5) + (1, 9) = (0, 0)$.
Miller's algorithm for the Tate pairing:

Example:

For $i = 0$: $g_{T,T} = x$ and $v_{2T} = 1$.

Then $g_{T,T}(Q) = 8 + 7i$ and $v_{2T}(Q) = 1$.

Thus $f = (8 + 10i)^2 \cdot \dfrac{8 + 7i}{1} = 5i$ and $T = 2(0, 0) = \infty$.

$f = f^{(121 - 1)/6} = 1 \bmod 11$
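The Miller loop and worked example above, as an added example (my own code, not the presentation's): it implements $\mathbb{F}_{121} = \mathbb{F}_{11}(i)$ arithmetic, chord-and-tangent addition, the line functions $g_{T,U}$ and $v_T$ and the final exponentiation, so every intermediate value of $f$ in the hand calculation can be recomputed and checked. The curve $y^2 = x^3 + 3x$, $P = (1,9)$, $Q = (8+7i, 10+6i)$ and $\ell = 6$ are the slides' values; the pair representation of field elements and all function names are my own.

```python
# Added example (not code from the slides): Miller's algorithm for the Tate pairing on the
# slides' toy curve E: y^2 = x^3 + 3x over F_11, with k = 2 and F_121 = F_11(i), i^2 = -1.
p, A = 11, 3                      # field characteristic and curve coefficient in y^2 = x^3 + A x
# Elements of F_121 are pairs (a, b) meaning a + b*i; p = 3 mod 4 makes x^2 + 1 irreducible.
fadd = lambda u, v: ((u[0] + v[0]) % p, (u[1] + v[1]) % p)
fsub = lambda u, v: ((u[0] - v[0]) % p, (u[1] - v[1]) % p)
fmul = lambda u, v: ((u[0]*v[0] - u[1]*v[1]) % p, (u[0]*v[1] + u[1]*v[0]) % p)

def finv(u):                      # 1/(a+bi) = (a-bi)/(a^2+b^2)
    n = pow(u[0]*u[0] + u[1]*u[1], -1, p)
    return ((u[0]*n) % p, (-u[1]*n) % p)

def fpow(u, e):                   # square-and-multiply in F_121
    r = (1, 0)
    while e:
        if e & 1: r = fmul(r, u)
        u, e = fmul(u, u), e >> 1
    return r

def slope(T, U):                  # slope of the line through T and U (tangent if T == U); None if vertical
    if T[0] == U[0] and (T != U or T[1] == (0, 0)):
        return None
    if T == U:                    # tangent slope (3x^2 + A) / (2y)
        return fmul(fadd(fmul((3, 0), fmul(T[0], T[0])), (A, 0)), finv(fmul((2, 0), T[1])))
    return fmul(fsub(U[1], T[1]), finv(fsub(U[0], T[0])))

def ec_add(T, U):                 # chord-and-tangent addition; None is the point at infinity
    if T is None or U is None: return U if T is None else T
    lam = slope(T, U)
    if lam is None: return None
    x = fsub(fsub(fmul(lam, lam), T[0]), U[0])
    return (x, fsub(fmul(lam, fsub(T[0], x)), T[1]))

def g_at(T, U, Q):                # line g_{T,U} evaluated at Q (x - x_T when the line is vertical)
    lam = slope(T, U)
    return fsub(Q[0], T[0]) if lam is None else fsub(fsub(Q[1], T[1]), fmul(lam, fsub(Q[0], T[0])))

def v_at(T, Q):                   # vertical line v_T evaluated at Q; v_infinity = 1
    return (1, 0) if T is None else fsub(Q[0], T[0])

def tate(P, Q, l, k=2):
    """Miller's loop exactly as on the slides, then the final exponentiation (q^k - 1)/l."""
    T, f = P, (1, 0)
    for bit in bin(l)[3:]:        # bits l_{log2(l)-1} ... l_0; the leading bit is T = P, f = 1
        f = fmul(fmul(f, f), fmul(g_at(T, T, Q), finv(v_at(ec_add(T, T), Q))))
        T = ec_add(T, T)
        if bit == '1':
            f = fmul(f, fmul(g_at(T, P, Q), finv(v_at(ec_add(T, P), Q))))
            T = ec_add(T, P)
    return fpow(f, (p**k - 1) // l)
```

Calling `tate(((1, 0), (9, 0)), ((8, 7), (10, 6)), 6)` returns the pairing value as a pair $(a, b)$ meaning $a + bi$; `ec_add`, `g_at` and `v_at` can be called step by step to compare each intermediate value with the hand calculation.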
Optimization of Miller's loop for the Tate pairing.

Miller's algorithm fails if the line functions $g_{T,T}$ and $v_{2T}$ pass through $Q$; therefore choose $P$ and $Q$ from particular disjoint groups.

For further optimization:
=> Choose $\ell$ to have low Hamming weight
=> Choose $P$ from $E(\mathbb{F}_p)$
Optimization of Miller's loop for the Tate pairing.

From here:
=> $k$ is even, i.e. $k = 2d$, where $d$ is a positive integer
=> $q = p$, some prime
=> $\ell$ divides $p^d + 1$
=> $p \equiv 3 \bmod 4$

Therefore the final exponentiation can now be written as $f^{(p^d - 1)(p^d + 1)/\ell}$.
Optimization of Miller's loop for the Tate pairing.

Input: $P \in E(\mathbb{F}_{q^k})$, $Q \in E(\mathbb{F}_{q^k})$, where $P$ has order $\ell$.
Output: $e(P, Q)$.

1. $T = P$, $f = 1$
2. for $i = \lfloor \log_2 \ell \rfloor - 1$ down to $0$:
     $f = f^2 \cdot g_{T,T}(Q) / v_{2T}(Q)$
     $T = 2T$
     if $\ell_i = 1$ then
         $f = f \cdot g_{T,P}(Q) / v_{T+P}(Q)$
         $T = T + P$
3. $f = f^{p^d - 1}$
4. $f = f^{(p^d + 1)/\ell}$
5. return $f$
Optimization of Miller's loop for the Tate pairing.

$k$ is even $\Rightarrow$ $\mathbb{F}_{p^k}$ is a quadratic extension of $\mathbb{F}_{p^d}$.

Since $p \equiv 3 \bmod 4$, $x^2 + 1$ is an irreducible polynomial.

$w \in \mathbb{F}_{p^k}$ can be represented as $w = a + ib$, where $a, b \in \mathbb{F}_{p^d}$.

$\bar{w}$ = conjugate of $w$ = $a - ib$. Using Frobenius: $(a + ib)^{p^d} = (a - ib)$

$\Rightarrow \bigl(1/(a + ib)\bigr)^{p^d - 1} = (a - ib)^{p^d - 1}$
Optimization of Miller's loop for the Tate pairing.

After the exponentiation by $p^d - 1$, each division by $v(Q)$ can be replaced by a multiplication with its conjugate $\overline{v(Q)}$:

Input: $P \in E(\mathbb{F}_{q^k})$, $Q \in E(\mathbb{F}_{q^k})$, where $P$ has order $\ell$.
Output: $e(P, Q)$.

1. $T = P$, $f = 1$
2. for $i = \lfloor \log_2 \ell \rfloor - 1$ down to $0$:
     $f = f^2 \cdot g_{T,T}(Q) \cdot \overline{v_{2T}(Q)}$
     $T = 2T$
     if $\ell_i = 1$ then
         $f = f \cdot g_{T,P}(Q) \cdot \overline{v_{T+P}(Q)}$
         $T = T + P$
3. $f = f^{p^d - 1}$
4. $f = f^{(p^d + 1)/\ell}$
5. return $f$
Optimization of Miller's loop for the Tate pairing.

Choice of $Q$:

We have $Q = (x, y)$ where $x = a + ib$ and $y = c + id$ and $a, b, c, d \in \mathbb{F}_{p^d}$.

Choose $b = c = 0$.

Now $\overline{v_{2T}}$ and $\overline{v_{T+P}}$ are elements of $\mathbb{F}_{p^d}$, which means they will be wiped out by the final exponentiation.

This is called the denominator-elimination optimization.
Optimization of Miller's loop for the Tate pairing.

With $Q$ chosen as above, the factors $\overline{v_{2T}(Q)}$ and $\overline{v_{T+P}(Q)}$ lie in $\mathbb{F}_{p^d}$ and are dropped from the loop:

Input: $P \in E(\mathbb{F}_{q^k})$, $Q \in E(\mathbb{F}_{q^k})$, where $P$ has order $\ell$.
Output: $e(P, Q)$.

1. $T = P$, $f = 1$
2. for $i = \lfloor \log_2 \ell \rfloor - 1$ down to $0$:
     $f = f^2 \cdot g_{T,T}(Q)$
     $T = 2T$
     if $\ell_i = 1$ then
         $f = f \cdot g_{T,P}(Q)$
         $T = T + P$
3. $f = f^{p^d - 1}$
4. $f = f^{(p^d + 1)/\ell}$
5. return $f$