Parshuram Budhathoki FAU October 25, /25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

 Motivation Diffie-Hellman Key exchange  What is pairing ?  Divisors  Tate pairings  Miller’s algorithm for Tate pairing  Optimization 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Alice, Bob and Charlie want to communicate how can they share key ? AliceBob Charlie 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Diffie-Hellman Two party key Exchange g Alice g Bob x y G = 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Diffie-Hellman Two party key Exchange AliceBob g yx g y x y Need single round g x g xy Common Key =g yx 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Diffie-Hellman Three party key Exchange g Bob g Alice x y g Charlie z 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Diffie-Hellman Three party key Exchange Bob Alice x y Charlie z g x g z g y First round 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Diffie-Hellman Three party key Exchange Alice x g xz Charlie z g yz Bob y g xy 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Diffie-Hellman Three party key Exchange Alice x g xy Charlie z g xz Bob y g yz Second round 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Diffie-Hellman Three party key Exchange Alice x g yzx Charlie z g xyz Bob y g xzy Common key = = = g xzy g zxy g zyx 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Does one round protocol for three party key exchange exist ? To answer this question we need special function. 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

1)Bilinearity :  P, Q, R  G we have e(P+R, Q)= e(P,Q) e(R,Q) and e(P, R+Q)= e(P,R) e(P,Q) 2) Non-degeneracy : There exists P, Q  G such that e(P,Q) ≠1. 3)e can be efficiently computable. Let (G,+) and (V,.) denote cyclic groups of prime order, P  G, a generator of G and let e: G x G  V be a pairing which satisfies the following additional properties: 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

aPaP bP cPcP P Alice a P Bob b P Charlie c bP cPcP aPaP a e(bP, cP) e(aP, cP) b e(bP, aP) c G = be additive group. 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

y -(x + Ax + B )=0 23 Let E : be an elliptic curve over finite field E( ) = { (x,y) | x,y  }  {  } Here  is the point at infinity ; these points form additive group with  being the group identity. Let be a prime satisfying l| # E( ) l doesn’t divide q-1 and q are co-prime  q  q  q  q Torsion Points: 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Torsion Points : Then for some integer k, E( ) contains points of order if and only if | - 1 k  q 2 q k Let E[ ] denote the set of these order- points, which is called Torsion points.* E[ ] = { P  E( ) : P =  } 2  q k * Beyond Scope of Presentation 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Function on Elliptic Curve : Let E be elliptic curve over a field K A non zero rational function f  K( E ) defined at point P  E(K) \{  } if => f= g / h, for g and h  K ( E ) => h ( P ) ≠ 0 ¯ * ¯ f is said to have : => Zero at point P if f ( P ) = 0 => Pole at point P if f ( P ) =  or (1/ f ( P ) = 0) 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

 There is a function u, called a uniformizer at P, such that u ( P ) = 0  Every function f ( x, y ) can be written in the form f = u g, with r   and g ( P ) ≠ 0,   Order of f at P = r ord (f ) =r  If l is any line through P that is not tangent to E, then l is uniformizer parameter for P. Function on Elliptic Curve : P P r P 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Divisors Up to constant multiple, a rational function is uniquely determined by its zeros and poles A divisor is tool to record these special points of function. For each P  E, define formal symbol ( P ) Here E = E ( K ) ¯ 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Divisors: D =  ( P ) P  E P A divisor D is a “formal” sum of points : Where   and = 0 for all but finitely many P P P  E Div( E) denotes group of divisors of E which is free abelian group generated by the points of E, where addition is given by  ( P ) + P  E P  ( P ) = P  E p  ( + )( P ) P  E Pp 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Divisors : Support of divisor D is supp(D)= { P  E | ≠ 0} P degree of divisor D is deg(D)=  P P  E Div (E) is subgroup, of divisors of degree 0, of Div(E) 0 A divisor D with deg(D) = 0 is called a principal divisor. sum of divisor D is sum ( D ) =  P P  E 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Divisor of function :  Number of zeros and poles of rational function f is finite.  We can defined divisor of function f as div( f ) =  ord ( f ) [ P ] P  div( f ) = 0 iff f is constant  A principal divisor is divisor which is equal to div ( f ) for some function f div ( f ) records zeros and poles of f and their multiplicities 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

D =  ( P ) P  E P Divisor of function : Let D be divisor : Then evaluation of f in D is defined by : f ( D ) =  f ( P ) P  supp ( D ) P 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Tate Pairing Let P  E( ) [ ] then ( P ) - (  ) is principal divisor  k q There is rational function with div ( ) = ( P ) - (  ) f   ( E ), P q k f Let Q be a point representing coset inE (  ) / q k E (  ) q k We construct D  Div ( E ) such that : = > D ~ ( Q ) – (  ) => supp ( D )  supp ( div ( f ) ) =  Q Q, P 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Tate Pairing The Tate pairing e : E(  )[ ]  E (  ) / / is given by : e(P, Q ) = f ( D ) E (  ) q KK q K K q  q *(  ) q * k, P Q 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

 e doesn’t depend on choice of f  e doesn’t depend on choice of D  e is well defined  e satisfy Non- degeneracy  e satisfy bilinearity Tate Pairing, P Q 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Miller’ s algorithm for the Tate pairing : [a]P [b]P -[a+ b] P [a+ b] P 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Miller’ s algorithm for the Tate pairing : [a]P [b]P -[a+ b] P [a+ b] P Let g be line passing through [a]P and [b]P and v be vertical line passing trough [a+b]P [a]P,[b]P [a+b]P g [a]P,[b]P v [a+b]P 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Miller’ s algorithm for the Tate pairing : [a]P [b]P -[a+ b ]P [a+b]P Then div( g ) = [ a]P + [ b ]P + [-(a+ b )]P – 3 [  ] [a]P,[b] P div ( V ) = [ a + b ] P + [-( a+ b ) ] P – 2 [  ] [a + b]P 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Miller’ s algorithm for the Tate pairing : div ( f / g ) = div ( f ) – div ( g ) div ( f g ) = div ( f ) + div ( g ) 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

1. T = P, f = 1 2. for i =  log ( )  -1 to 0 : T = 2T Input : P  E (  ), Q  E (  ), where P has order Output : e ( P, Q ) q k q k 3.f = f 4.return f (q - 1 ) / k f = f. g ( Q ) / v ( Q ) T,T2T 2 if = 1 then f = f. g ( Q ) / v (Q ) T = T + P i T,PT+P Miller’ s algorithm for the Tate pairing : 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Miller’ s algorithm for the Tate pairing : Example: Let E (  ) : y = x + 3x 1 23 # E (  ) = 12 1 Choose = 6 then k = 2 If P = (1,9) and Q = (8+7i, 10+6i) find e(P,Q) =6 => (,, ) = (1, 1, 0 ) 2012 T = (1,9) for i = 1: g = y + 7x + 6 and g = x+8 T,T 2T g ( Q ) = 6 and g ( Q ) = 5 + 7i T,T2T 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Miller’ s algorithm for the Tate pairing : Example: T = [2] (1, 9 ) = (3, 5 ) g ( Q ) = 4+9i and g ( Q ) = 8 + 7i T,PT+P f = 1. =1+3i 5+7i 6 ¯ 2 Since = 1 g = y + 2x and g =x 1 T,PT + P Thus f = (1+3i) = 8+ 10i ¯ 4+9i 8 + 7i And T = (3,5) + (1,9) = (0,0) 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Miller’ s algorithm for the Tate pairing : Example: g = x and g =1 T,T2T for i = 0 Then g ( Q ) = 8+7i and g (Q) =1 T,T 2T Thus f = (8+10i) =5i ¯ 8+7i 1 2 and T = 2 (0,0) =  f = f = 1 mod /6 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

T,T2T Miller’s algorithm fails if line function g and v pass through Q therefore Choose to have low hamming weight Choose P and Q from particular disjoint groups Choose P from E (  ) p Optimization of Miller’s loop for Tate pairing. For further optimization : 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Optimization of Miller’s loop for Tate pairing. From here : => k is even i.e. k =2d, where d is +ve integer => q = p, some prime Therefore final exponentiation can now be written as f (p -1 ) d (p +1) / d => divides (p +1) d => p = 3 mod 4 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

1. T = P, f = 1 2. for i =  log ( )  -1 to 0 : T = 2T Input : P  E (  ), Q  E (  ), where P has order Output : e ( P, Q ) q k q k 3.f = f (p - 1 ) d f = f. g ( Q ) / v ( Q ) T,T2T 2 if = 1 then f = f. g ( Q ) / v (Q ) T = T+ P i T,PT+P 4.f = f 5. return f (p +1 ) / d Optimization of Miller’s loop for Tate pairing. 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Optimization of Miller’s loop for Tate pairing. K is even =>  is quadratic extension of  p k p d Since p = 3 mod 4 => x + 1 is irreducible polynomial. 2 w   can be represented as w = a+ib, where a,b   p k p d w = conjugate of w = a- i b ¯ Using Frobenius = > ( a + ib ) = ( a – ib ) d p = >(1/ ( a + ib ) ) = ( a – ib ) p -1 d d 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

1. T = P, f = 1 2. for i =  log ( )  -1 to 0 : T = 2T Input : P  E (  ), Q  E (  ), where P has order Output : e ( P, Q ) q k q k 3.f = f (p - 1 ) d 4.f = f 5. return f (p +1 ) / d Optimization of Miller’s loop for Tate pairing. if = 1 then f = f. g ( Q ) T = T+ P i T,P f = f. g ( Q ) T,T 2 ¯ 2T v ( Q ) ¯ T+P v ( Q ) 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Optimization of Miller’s loop for Tate pairing. Choice of Q : We have, Q = ( x, y ) where x = a+ib and y = c+id and a,b,c,d   p d Choose b=c=0 Now and are elements of  which means they will be wiped out by final exponentiation T+P ¯ v 2T ¯ v p d This called denominator-elimination optimization 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

1. T = P, f = 1 2. for i =  log ( )  -1 to 0 : T = 2T Input : P  E (  ), Q  E (  ), where P has order Output : e ( P, Q ) q k q k 3.f = f (p - 1 ) d 4.f = f 5. return f (p +1 ) / d Optimization of Miller’s loop for Tate pairing. if = 1 then f = f. g ( Q ) T = T+ P i T,P f = f. g ( Q ) T,T 2 ¯ 2T v ( Q ) ¯ T+P v ( Q ) 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Optimization of Miller’s loop for Tate pairing. 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU