Efficient Scalar Multiplication for Ate Based Pairing over KSS Curve of Embedding Degree 18
Introduction Preparation Proposal Conclusion
Md. Al-Amin Khandaker (Okayama University, Japan) Yasuyuki Nogami (Okayama University, Japan)
Hwajeong Seo (Institute for Infocomm Research (I2R) - A Star) Sylvain Duquesne (Université Rennes I, France)

Background
[Figure: layered diagram of the following components]
• Finite field arithmetic: multiplication, addition, subtraction, inversion, …
• Group operation: point Add/Double
• Scalar Multiplication
• Elliptic Curve Cryptography, Pairing
• Pairing based cryptography
  • Identity (ID)-based cryptography (Sakai et al. 2000)
  • Group signature (Boneh et al. 2003)
Figure labels: Expensive Operation, Higher Complexity
Therefore we focus on Scalar Multiplication
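
Background
• Elliptic Curve over Finite Field
Prime field: $\mathbb{F}_p : \{0, 1, \cdots, p-1\}, +, \times$
Extension field: $\mathbb{F}_{p^k} : \{(a_1, \cdots, a_k) \mid a_i \in \mathbb{F}_p\}, +, \times$ ($k$: embedding degree)
• Elliptic curve over $\mathbb{F}_p$
$E(x, y) : y^2 = x^3 + ax + b, \quad a, b \in \mathbb{F}_p$
Group of rational points on the curve: $E(\mathbb{F}_p)$
Order of $E(\mathbb{F}_p)$: $r$
$E(\mathbb{F}_p) : \{P, 2P, \cdots, [a]P, \cdots, [r]P\}, +$
With the order written as $\#E(\mathbb{F}_p)$: $\{P, 2P, \cdots, [\#E(\mathbb{F}_p)]P\}, +$
[Figure: point addition on the curve with $x \in \mathbb{F}_p$, $y \in \mathbb{F}_p$: rational points $P_1$ and $P_2$, the line $l_{P_1 P_2}$, the line $v_{P_1 + P_2}$, and $P_3 = P_1 + P_2$]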

Background
Pairing
Let $r \mid \#E(\mathbb{F}_p)$.
• $G_1$, $G_2$: additive groups of order $r$, with $P \in G_1 \subset E(\mathbb{F}_p)$ and $Q \in G_2 \subset E(\mathbb{F}_{p^{18}})$
• $G_3$: multiplicative group of order $r$
• Pairing: $G_1 \times G_2 \to G_3$, $(P, Q) \mapsto e(P, Q)$
• Scalar multiplication: $[a]P = \sum_{i=0}^{a-1} P$, $[b]Q = \sum_{i=0}^{b-1} Q$
• Bilinearity: $e([a]P, [b]Q) = e(P, Q)^{ab}$

Background
• Kachisa-Schaefer-Scott (KSS) Curve
Pairing-friendly elliptic curve of $k = 18$
$E : y^2 = x^3 + b, \quad (b \in \mathbb{F}_p,\ b \neq 0 \text{ and } x, y \in \mathbb{F}_{p^{18}})$
• Characteristic $p$, Frobenius trace $t$ and order $r$ are given systematically by the integer $z$:
$p(z) = (z^8 + 5z^7 + 7z^6 + 37z^5 + 188z^4 + 259z^3 + 343z^2 + 1763z + 2401)/21$
$r(z) = (z^6 + 37z^3 + 343)/343$
$t(z) = (z^4 + 16z + 7)/7$
Degree in $z$ of $p : r : t$ = 8 : 6 : 4

Motivation
◆ Scalar Multiplication of EC defined over $\mathbb{F}_{p^{18}}$
$[s]Q = \underbrace{Q + Q + \cdots + Q}_{s-1 \text{ times additions}}$
here $s$ is a natural number and $Q \in \mathbb{F}_{p^{18}}$
• The binary algorithm also requires $(n-1)$ ECD (elliptic curve doublings), where $n$ is the bit length of $s$.
• NAF and sliding window reduce the number of ECA (elliptic curve additions).
• But they also need $n-1$ ECD.
• In practice $s$ is $n$ bits long, with $n$ about 377.
• It means almost 376 ECD is required in $\mathbb{F}_{p^{18}}$.
That is why we tried to make it efficient in KSS curve

Preparation
• Construct extension field arithmetic operations by towering.
• Find good parameters in KSS curve.
• Finally we need to find certain rational point in $G_2$.
$G_1 \times G_2 \to G_3$, where $G_1$, $G_2$ are rational point groups and $G_3$ is a multiplicative group over $\mathbb{F}_{p^{18}}$.

Getting Rational Point in G2
$P \in G_1 \subset E(\mathbb{F}_p)$, $Q \in G_2 \subset E(\mathbb{F}_{p^{18}})$
[Figure labels: groups $r + 1$, order $r$]
• Randomly obtained rational point $R \in E(\mathbb{F}_{p^{18}})$
• If $[\#E(\mathbb{F}_{p^{18}})/r^2]R \neq \mathcal{O}$
• Then $T$ (this multiple of $R$) is the rational point whose order becomes $r$: $[r]T = \mathcal{O}$
• Using $T$ we can get certain rational point in $G_2$
• Frobenius mapping of $T$: $(\pi_p - 1)T = Q$
• Check if $\pi_p(Q) = [p]Q$, that is, $(\pi_p - [p])Q = \mathcal{O}$
• Then $Q$ belongs to $G_2$

Proposed Scalar Multiplication
• Let $s$ be a scalar and $[s]Q$ the scalar multiplication.
• Here $0 < s < r$.
• From the KSS curve, $r \mid \#E(\mathbb{F}_p)$ and $\#E(\mathbb{F}_p) = p + 1 - t$.
• Taking mod $r$: $\#E(\mathbb{F}_p) = p + 1 - t \equiv 0 \bmod r$, so $p \equiv t - 1 \bmod r$.
• $(t-1)$-adic representation of $s$: $s = S_H(t-1) + S_L$, where $S_H$ holds the higher bits and $S_L$ the lower bits.
• $S_L$ will be nearly equal to the size of $(t-1)$.
• $S_H$ will be half the size of $(t-1)$.
Degree in $z$ of $p : r : t$ = 8 : 6 : 4

Proposed Scalar Multiplication
• Let's consider the $z$-adic representation of $S_L$ and $S_H$:
$s = S_H(t-1) + S_L = (s_5 z + s_4)(t-1) + (s_3 z^3 + s_2 z^2 + s_1 z + s_0)$
• $z$ is the mother parameter of the KSS curve properties.
• The size of $z$ is about 1/4 of that of $(t-1)$.
[Figure: the six coefficients $s_5\ s_4\ s_3\ s_2\ s_1\ s_0$ of $s$, grouped under $S_H$ and $S_L$ relative to $(t-1)$, with weights $z, 1$ and $z^3, z^2, z, 1$]

Proposed Scalar Multiplication
• Final representation of $s$ with 6 coefficients:
$s = (s_0 + s_1 z) + (s_2 + s_3 z)z^2 + (s_4 + s_5 z)(t-1)$
• Consider multiplication of $s$ with $Q$:
$[s]Q = (s_0 + s_1 z)Q + (s_2 + s_3 z)z^2 Q + (s_4 + s_5 z)(t-1)Q$
• Let $Q_1 = z^2 Q$ and $Q_2 = (t-1)Q$:
$[s]Q = (s_0 + s_1 z)Q + (s_2 + s_3 z)Q_1 + (s_4 + s_5 z)Q_2$
$[s]Q = (s_0 Q + s_2 Q_1 + s_4 Q_2) + (s_1 z(Q) + s_3 z(Q_1) + s_5 z(Q_2))$
• Using $[s]Q = (s_0 Q + s_2 Q_1 + s_4 Q_2) + (s_1 z(Q) + s_3 z(Q_1) + s_5 z(Q_2))$: 13 Precomputed Points

Example of Previous Scalar Multiplication
• Let $S$ be a scalar and $[S]Q$ the scalar multiplication.
• Let $S$ be 42 bits:
Bit position: 1 2 3 4 5 6 7 … 42
S:            1 0 1 1 0 1 1 … 1
• Intermediate results, bit by bit from the left: $(Q)$, $2(Q)$, $2(2(Q)) + Q$, $2(2(2(Q)) + Q) + Q$, …
• 41 times ECD, which is about the size of $S$

Example of Efficient Scalar Multiplication
The six coefficients of $s_1 z + s_0$, $s_3 z + s_2$ and $s_5 z + s_4$, written as bit rows:
$s_1$ = 1 0 1 1 0 0 1
$s_3$ = 0 1 1 1 0 1 0
$s_5$ = 1 1 0 1 0 0 0
$s_0$ = 1 1 0 1 1 0 1
$s_2$ = 1 0 0 0 0 0 0
$s_4$ = 1 0 1 1 0 0 0
The bit columns are processed from the left; each column selects the points to add:
• Column 1: $(s_1, s_3, s_5) = (1, 0, 1)$ gives $\langle z(Q) + z(Q_2) \rangle$; $(s_0, s_2, s_4) = (1, 1, 1)$ gives $\langle Q + Q_1 + Q_2 \rangle$
• Column 2: $(s_1, s_3, s_5) = (0, 1, 1)$ gives $\langle z(Q_1) + z(Q_2) \rangle$; $(s_0, s_2, s_4) = (1, 0, 0)$ gives $\langle Q \rangle$
• Column 3: $(s_1, s_3, s_5) = (1, 1, 0)$ gives $\langle z(Q) + z(Q_1) \rangle$; $(s_0, s_2, s_4) = (0, 0, 1)$ gives $\langle Q_2 \rangle$
• Column 4: $(s_1, s_3, s_5) = (1, 1, 1)$ gives $\langle z(Q) + z(Q_1) + z(Q_2) \rangle$; $(s_0, s_2, s_4) = (1, 0, 1)$ gives $\langle Q + Q_2 \rangle$
[Symbol in figure] represents the ECD. 6 ECD is required.
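
The decomposition and joint multiplication described on the slides above, as an added example in Python (not the authors' implementation). It assumes a stand-in curve (secp256k1, $y^2 = x^3 + 7$ over a prime field, instead of the KSS curve over $\mathbb{F}_{p^{18}}$), a constructed value `Z` for the mother parameter, and $Q_2 = [t-1]Q$ computed by ordinary multiplication; all function names are hypothetical.

```python
FP = 2**256 - 2**32 - 977    # stand-in prime field (secp256k1), not a KSS prime
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Z = 42 * 2**59 + 14          # constructed 65-bit stand-in for the mother parameter z
T, R = (Z**4 + 16*Z + 7) // 7, (Z**6 + 37*Z**3 + 343) // 343  # t(z), r(z) from the slides
S = R - 0xC0FFEE             # constructed scalar with 0 < S < R

def add(A, B):  # affine add/double on y^2 = x^3 + b; None is the point at infinity
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if A == B else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return (x3, (lam * (x1 - x3) - y1) % FP)

def subset_sums(pts):  # sums of all subsets of pts, indexed by bitmask
    out = [None]
    for pt in pts:
        out += [add(x, pt) for x in out]
    return out

def decompose(s, z=Z, t=T):
    """Digits [s0..s5] of s = (s0 + s1 z) + (s2 + s3 z) z^2 + (s4 + s5 z)(t - 1)."""
    sh, sl = divmod(s, t - 1)                 # (t-1)-adic split into S_H, S_L
    return [sl // z**i % z for i in range(3)] + [sl // z**3, sh % z, sh // z]

def joint_mul(groups):
    """groups: [(digits, points)]. One ECD per bit column; returns (point, ECD count)."""
    tables = [subset_sums(pts) for _, pts in groups]
    nbits = max(d.bit_length() for ds, _ in groups for d in ds)
    acc, ecd = None, 0
    for j in reversed(range(nbits)):
        if acc is not None:
            acc, ecd = add(acc, acc), ecd + 1
        for (ds, _), tab in zip(groups, tables):
            acc = add(acc, tab[sum((d >> j & 1) << i for i, d in enumerate(ds))])
    return acc, ecd

def binary_mul(k, Q):  # plain left-to-right binary method: ([k]Q, number of ECD)
    return joint_mul([([k], [Q])])

def kss_mul(s, Q, z=Z, t=T):  # proposed method: ([s]Q, number of ECD)
    d = decompose(s, z, t)
    base = [Q, binary_mul(z * z, Q)[0], binary_mul(t - 1, Q)[0]]   # Q, Q1, Q2
    zbase = [binary_mul(z, X)[0] for X in base]                    # z(Q), z(Q1), z(Q2)
    return joint_mul([(d[0::2], base), (d[1::2], zbase)])
```

On these constructed inputs `binary_mul(S, G)` and `kss_mul(S, G)` return the same point, and the second needs roughly one sixth of the doublings, not counting the precomputation of the base points.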

Result Evaluation
Experiment Parameters
• KSS curve
• Mother parameter
• Prime number
• Order
• Trace
• $s$: 500 random scalars (about 377 bits)

Result Evaluation
Experiment environment settings
• PC: CPU* 2.7 GHz Intel Core i5; Memory 16 GB; OS Mac OS X 10.11.4; Compiler gcc 4.2.1; Programming Language C; Library GMP 6.1.1
• iPhone 6s: CPU* Apple A9 Dual-core 1.84 GHz; Memory 2 GB; OS iOS 9.3.1; Compiler gcc 4.2.1; Programming Language Objective-C, C; Library GMP 6.1.1
*Single core is utilized

Result Evaluation
Operation Count and Execution time comparison
• The number of ECD is about 6 times less than the total bit size of the scalar.

Conclusion
• Our proposed approach reduces the number of ECD by 6 times compared with existing approaches on the KSS curve.
Future work
• Reduce the execution time and operation complexity by Skew Frobenius mapping in sextic twisted isomorphic curve.
• Test and evaluate the performance in Pairing based protocol implementation.
Thank you