Implementing Cryptographic Pairings, Mike Scott


Bilinear pairings
$e(aP, bQ) = e(P, Q)^{ab}$ – bilinearity!
The Tate pairing seems the best choice.
Possible on ordinary elliptic curves of prime characteristic and on supersingular curves.
$P$ (of prime order $r$) and $Q$ are points on $E(\mathbb{F}_{q^k})$.
Embedding degree: the smallest $k$ such that $r \mid (q^k - 1)$.
The pairing evaluates to an element of $\mathbb{F}_{q^k}$.
Here we concentrate on $q = p$ and non-supersingular curves.

Miller’s algorithm

Elliptic Curves (point doubling case)
Start from the point $(x_j, y_j)$; the tangent line there has slope $\lambda_j$ and the doubled point is $(x_{j+1}, y_{j+1})$:
$\lambda_j = (3x_j^2 + A) / (2y_j)$
$x_{j+1} = \lambda_j^2 - 2x_j$
$y_{j+1} = \lambda_j (x_j - x_{j+1}) - y_j$

The Pairing Algorithm
Evaluate the line of slope $\lambda_j$ through $(x_j, y_j)$, and the vertical line through $(x_{j+1}, y_{j+1})$, at the point $Q = (x_q, y_q)$:
$l(Q) = (y_q - y_j) - \lambda_j (x_q - x_j)$
$v(Q) = x_q - x_{j+1}$

Miller’s algorithm
As described, it may fail (the line may pass through $Q$!).
Traditionally solved by introducing a random point $R$, which doesn’t change the value of the pairing. If the algorithm fails, choose another $R$.
Will not be needed later, so omitted here.

First optimizations
Choose a low Hamming weight $r$ (if possible).
If not possible (MNT curves?), use windowing algorithms, also the idea of Eisentrager et al.
Choose $P$ from $E(\mathbb{F}_p)$ (Solinas’s “Miller Light”), now use projective coordinates.
Do NOT choose $p$ of low Hamming weight! (Schirokauer)
Restriction: $k = 2d$ is always even.
Final exponentiation considered in 2 parts.

First optimizations

Extension field arithmetic
Considered before for crypto use (XTR, OEFs).
The $k = 2$ case is the simplest.
Irreducible polynomial $x^2 + 1$ for $p \equiv 3 \pmod 4$.
An element of $\mathbb{F}_{p^2}$ is $(a + xb)$, where $a$ and $b$ are in $\mathbb{F}_p$.
Consider $x = i$ as the root of the irreducible polynomial, so $i = \sqrt{-1}$.
Just like complex arithmetic!

Extension field arithmetic
Multiplication (Karatsuba): $(a + ib)(c + id) = (ac - bd) + i[(a + b)(c + d) - ac - bd]$
3 modmuls? But better to use lazy reduction, e.g. calculate $(ac - bd) \bmod p$ with 2 muls and one reduction.
Cost ~2.5 modmuls.
Squaring: $(a + ib)(a + ib) = (a + b)(a - b) + i \cdot 2ab$
Cost ~2 modmuls.

Cubic extension?
Irreducible polynomial $x^3 + n$.
Karatsuba or Toom-Cook for multiplication (6 or 5 modmuls respectively). Toom-Cook has tricky divisions by constants…
The final exponent has a factor of $p - 1$, so divisions can be replaced by multiplications – thank you Fermat!
Lazy reduction applies again.
Squaring: 4 modsqrs and 1 modmul (Chung & Hasan) – a recent result!

Square roots
For a quadratic extension, irreducible $x^2 + n$.
Can you find a simple solution for the cubic extension?

A Tower of Extensions
For a sextic extension field $x^6 + n$, could use a cubic extension on top of a quadratic extension – squaring requires only 11 modmuls using Chung-Hasan.
Always use pairing-friendly irreducible polynomials. For example, for $k = 12$, maybe use $X^6 + (1 + \sqrt{-2})$ and a sextic extension on top of a quadratic, which uses $x^2 + 2$ as the irreducible.

Frobenius
The Frobenius is very useful for extension field arithmetic: $(a + ib)^p = a^p + i^p b^p = a - ib$.
When raising an extension field element to a power, you never have to use an exponent greater than $p$.

Types of pairing-friendly curves
$\#E = p + 1 - t$, with $|t| \le 2\sqrt{p}$ and $r \mid \#E$
$\rho = \lg(p)/\lg(r)$
$\omega = \lg(r)/\lg(t)$
In general small $\rho$ is good ($\rho = 1$ is “ideal”). Large $\omega$ is also good.

Example – BN curves
$k = 12$
$p(x) = 36x^4 + 36x^3 + 24x^2 + 6x + 1$
$\#E(x) = 36x^4 + 36x^3 + 18x^2 + 6x + 1$
$t(x) = 6x^2 + 1$
$\rho = 1$ (ideal!)
$\omega = 2$ (not bad – but $\omega = 4$ is possible for $k = 12$)
In general the smaller $\rho$, the harder it is to find a low Hamming weight $r$. For Cocks-Pinch curves $\rho = 2$, with free choice of $r$.

Where were we?
$k = 2d$, so assume that $\mathbb{F}_{p^k}$ is built as a quadratic extension on top of $\mathbb{F}_{p^d}$. So now consider an element of $\mathbb{F}_{p^k}$ as $(a + ib)$.
So $(a + ib)^{p^d} = (a - ib)$, hence $(1/(a + ib))^{p^d - 1} = (a - ib)^{p^d - 1}$.
Which means that following exponentiation to the power of $p^d - 1$, inversions cannot be distinguished from conjugates.

Further optimizations

What about Q?
Choose $Q$ to best advantage. $Q$ is the point $(x_Q, y_Q)$, where $x_Q = (a + ib)$ and $y_Q = (c + id)$.
Now restrict to the case where $b = c = 0$.
The vertical line functions are now in $\mathbb{F}_{p^d}$ and so get wiped out – denominator elimination.
If $Q = (a, id)$ is a point on $E(\mathbb{F}_{p^k})$, then $(-a, d)$ is a point on the quadratic twist $E'(\mathbb{F}_{p^d})$.

Denominator elimination
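The pieces described so far (F_p^2 as complex arithmetic with Karatsuba multiplication, the Frobenius as conjugation, Miller's algorithm with the line function l(Q), dropping the vertical lines v(Q) because they lie in F_p, and the observation that after raising to p^d - 1 an inverse is a conjugate) fit together into a complete toy reduced Tate pairing with k = 2. The following Python is an added example, not code from the talk or from MIRACL. All parameters are constructed toy values: the prime p = 103, the supersingular curve y^2 = x^3 + x (chosen because its distortion map psi(x, y) = (-x, iy) produces a Q of exactly the b = c = 0 shape the slides restrict to, without having to build a twist), and the subgroup order r = 13. The names Fp2, ec_add, line_eval and tate_pairing are the example's own.

```python
P_MOD = 103     # constructed toy prime, 103 = 3 mod 4 so x^2 + 1 is irreducible over F_p
A_COEF = 1      # E: y^2 = x^3 + A*x, supersingular for p = 3 mod 4, so #E(F_p) = p + 1
R_ORDER = 13    # prime r | #E = 104 with r | p + 1, hence embedding degree k = 2
COFACTOR = (P_MOD + 1) // R_ORDER   # 8; multiply by it to land in the order-r subgroup


def fp_inv(a):
    """Inverse in F_p via Fermat."""
    return pow(a % P_MOD, P_MOD - 2, P_MOD)


class Fp2:
    """a + i*b in F_{p^2} = F_p[i]/(i^2 + 1): the slides' 'complex' arithmetic."""
    def __init__(self, a, b=0):
        self.a, self.b = a % P_MOD, b % P_MOD

    def __eq__(self, o):
        return (self.a, self.b) == (o.a, o.b)

    def __sub__(self, o):
        return Fp2(self.a - o.a, self.b - o.b)

    def __mul__(self, o):  # Karatsuba: 3 F_p multiplications, one reduction per coefficient
        ac, bd = self.a * o.a, self.b * o.b
        return Fp2(ac - bd, (self.a + self.b) * (o.a + o.b) - ac - bd)

    def square(self):      # (a+b)(a-b) + i*2ab: 2 F_p multiplications
        return Fp2((self.a + self.b) * (self.a - self.b), 2 * self.a * self.b)

    def conj(self):        # Frobenius: (a+ib)^p = a - ib, since i^p = -i when p = 3 mod 4
        return Fp2(self.a, -self.b)

    def inverse(self):     # (a+ib)^-1 = (a-ib)/(a^2+b^2): one F_p inversion
        n = fp_inv(self.a * self.a + self.b * self.b)
        return Fp2(self.a * n, -self.b * n)

    def __pow__(self, e):  # naive square-and-multiply (no Frobenius tricks here)
        result, base = Fp2(1), self
        while e:
            if e & 1:
                result = result * base
            base, e = base.square(), e >> 1
        return result


def ec_add(p1, p2):
    """Affine addition on E(F_p); None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                            # p1 = -p2
    if x1 == x2:
        lam = (3 * x1 * x1 + A_COEF) * fp_inv(2 * y1) % P_MOD  # tangent (doubling)
    else:
        lam = (y2 - y1) * fp_inv(x2 - x1) % P_MOD              # chord
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(n, pt):
    acc = None
    for bit in bin(n)[2:]:                 # left-to-right double-and-add
        acc = ec_add(acc, acc)
        if bit == "1":
            acc = ec_add(acc, pt)
    return acc


def find_point_of_order_r():
    """Constructed search: lift the first x with x^3 + A*x a square, then clear the cofactor."""
    for x in range(1, P_MOD):
        rhs = (x ** 3 + A_COEF * x) % P_MOD
        if pow(rhs, (P_MOD - 1) // 2, P_MOD) == 1:             # nonzero square?
            pt = ec_mul(COFACTOR, (x, pow(rhs, (P_MOD + 1) // 4, P_MOD)))
            if pt is not None:
                return pt
    raise ValueError("no point of order r")


def line_eval(t, s, qx, qy):
    """l(Q) = (y_Q - y_T) - lambda*(x_Q - x_T) for the line through T and S (tangent if T == S)."""
    (xt, yt), (xs, ys) = t, s
    lam = (3 * xt * xt + A_COEF) * fp_inv(2 * yt) if t == s else (ys - yt) * fp_inv(xs - xt)
    return (qy - Fp2(yt)) - (qx - Fp2(xt)) * Fp2(lam)


def tate_pairing(p_pt, q_pt):
    """Reduced Tate pairing e(P, psi(Q)) = f_{r,P}(psi(Q))^((p^2-1)/r), P and Q in E(F_p)[r].
    psi(x, y) = (-x, i*y) is a distortion map; its image has x in F_p and y in i*F_p,
    the slides' b = c = 0 shape, so every vertical v(Q) = x_Q - x_T lies in F_p and is dropped."""
    qx, qy = Fp2(-q_pt[0]), Fp2(0, q_pt[1])
    f, t = Fp2(1), p_pt
    for bit in bin(R_ORDER)[3:]:                   # Miller loop over the bits of r below the top one
        f = f.square() * line_eval(t, t, qx, qy)  # doubling step, v_{2T}(Q) omitted
        t = ec_add(t, t)
        if bit == "1":
            if ec_add(t, p_pt) is None:
                t = None   # final addition T + P = O: only a vertical line in F_p, wiped out anyway
            else:
                f = f * line_eval(t, p_pt, qx, qy)  # addition step, v_{T+P}(Q) omitted
                t = ec_add(t, p_pt)
    if t is not None:
        raise RuntimeError("Miller loop must end at the point at infinity")
    return f ** ((P_MOD * P_MOD - 1) // R_ORDER)   # final exponentiation, exponent divisible by p - 1


def unitary_after_easy_part(x):
    """After raising to p^d - 1 (here d = 1) conjugation equals inversion: g^p = g^-1."""
    g = x ** (P_MOD - 1)
    return g.conj() == g.inverse()
```

The check worth running is bilinearity: e(2P, 3Q) must equal e(P, Q)^6 and e(P, Q) must have order exactly r, which only holds if the line functions, the dropped verticals and the final exponent are all consistent. Because the final exponent (p^2 - 1)/r is a multiple of p - 1, any factor lying in F_p, including the vertical lines and the last addition step, is raised to a multiple of p - 1 and vanishes, which is the whole content of denominator elimination.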

Yet more optimization
The group order will always be odd, but the effect of the last line addition, which takes $T$ to the point at infinity, will be wiped out by the final exponentiation.
Final exponentiation can be further divided into 3 parts:
– $p^d - 1$
– $(p^d + 1)/\Phi_k(p)$
– $\Phi_k(p)/r$

Yet more optimization
For example, for $k = 6$: $\Phi_6(p) = p^2 - p + 1$ and $p^6 - 1 = (p^3 - 1)(p + 1)(p^2 - p + 1)$.
$r \mid p^2 - p + 1$, from the definition of the embedding degree.
Exponentiation by $p^3 - 1$ and $p + 1$ will be easy using Frobenius and one extension field inversion.
Exponentiation by $(p^2 - p + 1)/r$ is the “hard part”.

Yet more optimization

Hard part of final exponentiation
Express the hard exponent to base $p$: $x^e = x^{e_0 + e_1 p + e_2 p^2 + \cdots} = x^{e_0} \cdot (x^p)^{e_1} \cdot (x^{p^2})^{e_2} \cdots$
Now use Frobenius and multi-exponentiation.
Exploit the fact that inverses can be treated as conjugates for fast NAF-based exponentiation.
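The BN-curve slide and the two final-exponentiation slides above can be worked through numerically. The Python below is an added example, not code from the talk: it evaluates the BN polynomials p(x), #E(x) and t(x), searches for the first x at which both p and #E are prime, confirms the embedding degree by computing the order of p modulo r, reports rho and omega, splits the exponent (p^12 - 1)/r into the three parts p^6 - 1, (p^6 + 1)/Phi_12(p) and Phi_12(p)/r (with Phi_12(p) = p^4 - p^2 + 1, the k = 12 analogue of the k = 6 factorisation on the slide), and writes the hard part to base p as the multi-exponentiation slide describes. The toy curve it finds is far too small for any real use; the function names and the Miller-Rabin primality test are the example's own.

```python
from math import log2


def bn_parameters(x):
    """The BN polynomials from the slides: p(x), #E(x) and t(x), with #E = p + 1 - t."""
    p = 36 * x**4 + 36 * x**3 + 24 * x**2 + 6 * x + 1
    n = 36 * x**4 + 36 * x**3 + 18 * x**2 + 6 * x + 1
    t = 6 * x**2 + 1
    assert n == p + 1 - t
    return p, n, t


def is_prime(n):
    """Deterministic Miller-Rabin (bases 2..37, correct for n < 3.3e24), enough for a toy search."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n in bases:
        return True
    if any(n % q == 0 for q in bases):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        y = pow(a, d, n)
        if y in (1, n - 1):
            continue
        for _ in range(s - 1):
            y = y * y % n
            if y == n - 1:
                break
        else:
            return False
    return True


def find_bn_curve(start=1):
    """Walk x upward until both p(x) and #E(x) are prime, so r = #E and rho = 1."""
    x = start
    while True:
        p, n, t = bn_parameters(x)
        if is_prime(p) and is_prime(n):
            return x, p, n, t
        x += 1


def embedding_degree(p, r, max_k=64):
    """Smallest k with r | p^k - 1, i.e. the multiplicative order of p modulo r."""
    for k in range(1, max_k + 1):
        if pow(p, k, r) == 1:
            return k
    raise ValueError("embedding degree exceeds max_k")


def rho_omega(p, r, t):
    """rho = lg(p)/lg(r) and omega = lg(r)/lg(t) as defined on the slides."""
    return log2(p) / log2(r), log2(r) / log2(abs(t))


def final_exponent_parts(p, r):
    """(p^12 - 1)/r split as p^6 - 1, (p^6 + 1)/Phi_12(p), Phi_12(p)/r.
    The first two are the easy parts (Frobenius plus one inversion); the last is the hard part."""
    phi12 = p**4 - p**2 + 1
    if phi12 % r or (p**6 + 1) % phi12:
        raise ValueError("r must divide Phi_12(p) for k = 12")
    easy1, easy2, hard = p**6 - 1, (p**6 + 1) // phi12, phi12 // r
    assert easy1 * easy2 * hard == (p**12 - 1) // r
    return easy1, easy2, hard


def base_p_digits(e, p):
    """Little-endian digits e_0, e_1, ... with e = e_0 + e_1 p + e_2 p^2 + ...,
    so x^e = x^e0 * (x^p)^e1 * (x^(p^2))^e2 * ... with each x^(p^i) a Frobenius."""
    digits = []
    while e:
        e, d = divmod(e, p)
        digits.append(d)
    return digits
```

Running find_bn_curve() from x = 1 already succeeds at x = 1, giving p = 103 and r = 97 with embedding degree 12; the hard exponent Phi_12(103)/97 has four base-p digits, so the multi-exponentiation needs only small exponents e_i together with three Frobenius maps, which is the point of the slide.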

Compression
Alternatively, for $k \le 8$, use Lucas or XTR exponentiation, which uses the full-sized exponent but over the smaller fields $\mathbb{F}_{p^{k/2}}$ and $\mathbb{F}_{p^{k/3}}$ respectively.
This also compresses the pairing to one-half or one-third size.
Probably useful to compress the pairing anyway, even after multi-exponentiation.

Precomputation
In many cases the first parameter $P$ may be fixed – it may be an IBE private key. In which case it makes sense to precompute the values of $T$ which are multiples of $P$.
In this case use affine coordinates.
Big speed-up for smaller $k$. For larger $k$, extension field arithmetic dwarfs elliptic curve point addition/doubling.

Trick #1
Often in a pairing-based protocol there is a requirement to further raise the value of the pairing to a power $v < r$.
If using multi-exponentiation, the value of $r$ can be “folded into” the exponent at no extra cost. Powering for free!

Curve dependent optimizations
There are families of curves for which $\omega > 1$. For the MNT curves $\omega = 2$.
In these cases a “truncated loop” variant of the pairing is possible – the Ate pairing.
Here $P$ is chosen from $E'(\mathbb{F}_{p^d})$ and $Q$ from $E(\mathbb{F}_p)$.
Now we get a bilinear pairing with a much shorter loop!

Ate pairing

Low CM discriminant curves
For non-supersingular curves, the Complex Multiplication (CM) method must be used to find curve parameters.
Many pairing-friendly curves have a CM discriminant of $-1$ or $-3$. In these cases quartic and sextic twists also exist.
For BN curves, $D = -3$ and $k = 12$, and so the curve over the sextic twist $E(\mathbb{F}_{p^{k/6}})$ can be used.

Low CM discriminant curves
So $Q \in E(\mathbb{F}_{p^{k/c}})$ for $c = 4$ or $6$ is possible for the Tate pairing… or $P \in E(\mathbb{F}_{p^{k/c}})$ for the Ate pairing.
Works particularly well with the Ate pairing.
For a $k = 6$, $D = -3$ curve both $P$ and $Q$ can be on curves over $\mathbb{F}_p$! (Unfortunately no such curves are known with $\rho < 2$.)

Trick #2
Consider an MNT $k = 6$ curve with $r = \#E$ a prime.
The hard part of the final exponentiation is to the power of $(p^2 - p + 1)/r = (p^2 - p + 1)/(p + 1 - t) = p + \varepsilon$, where $\varepsilon \sim t$.
So the hard part of the exponentiation is $f^p \cdot f^{\varepsilon}$, which is one Frobenius and one half-length exponentiation (not a multi-exponentiation).

The Wider Context
Pairings are not calculated in isolation; they are part of a wider context.
The protocol may also require variable point multiplications – faster if $P$ and $Q$ are over smaller fields.
Or it may only require fixed-point multiplications (B&F IBE), in which case the pairing will be the dominant computation.

The Wider Context
Compare (a) $k = 2$, $p = 512$ bits with (b) $k = 6$, $p = 160$ bits. Similar security levels.
But the pairing for (a) is much faster (especially with precomputation).
Variable point multiplication (over $E(\mathbb{F}_p)$) is much faster on (b).
A short signature scheme must use (b).
I could go on…

Scaling security
…much debated…
Code for higher extensions is much “fussier”. It spends more time hopping in and out of functions; function overhead is an issue.
Small instruction cache – more cache misses with fussier code.

Scaling security

Products of Pairings
For example $e(P, Q) \cdot e(R, S)$.
Implicit multiplication of $P$ and $R$ takes place in “lock-step”.
Use affine coordinates and Montgomery’s trick.
Share the Miller variable $f$ between both pairings, and only square it once. And of course share the final exponentiation.
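Affine coordinates pay off in a product of pairings because of Montgomery's trick: when the Miller loops for e(P,Q) and e(R,S) advance in lock-step, the slope denominators of both curve operations are available at the same time and can be inverted together with a single field inversion. The Python below is an added example, not code from the talk or from MIRACL; the prime 103, the sample points and the function names batch_inverse and affine_slopes are the example's own, and the inversion counter is instrumentation added to make the saving visible.

```python
INVERSIONS = {"count": 0}   # instrumentation: how many F_p inversions are actually performed


def fp_inv(a, p):
    INVERSIONS["count"] += 1
    return pow(a % p, p - 2, p)


def batch_inverse(values, p):
    """Montgomery's trick: invert n nonzero elements of F_p with 1 inversion and ~3(n-1) multiplications."""
    n = len(values)
    if n == 0:
        return []
    prefix, acc = [0] * n, 1
    for i, v in enumerate(values):             # prefix[i] = v_0 * v_1 * ... * v_i
        if v % p == 0:
            raise ZeroDivisionError("cannot invert 0")
        acc = acc * v % p
        prefix[i] = acc
    inv_acc = fp_inv(acc, p)                   # the single inversion
    out = [0] * n
    for i in range(n - 1, 0, -1):              # peel one factor off per step
        out[i] = inv_acc * prefix[i - 1] % p   # (v_0...v_i)^-1 * (v_0...v_{i-1}) = v_i^-1
        inv_acc = inv_acc * values[i] % p      # now (v_0...v_{i-1})^-1
    out[0] = inv_acc
    return out


def affine_slopes(pairs, a_coef, p):
    """Slopes for several (T, S) affine point operations on y^2 = x^3 + a_coef*x + b at once,
    as when the Miller loops of e(P,Q) and e(R,S) run in lock-step: every denominator
    (2*y_T for a doubling, x_S - x_T for an addition) goes through one batch inversion."""
    numerators, denominators = [], []
    for (xt, yt), (xs, ys) in pairs:
        if (xt, yt) == (xs, ys):
            numerators.append(3 * xt * xt + a_coef)   # tangent slope numerator
            denominators.append(2 * yt)
        else:
            numerators.append(ys - yt)                # chord slope numerator
            denominators.append(xs - xt)
    invs = batch_inverse(denominators, p)
    return [num * inv % p for num, inv in zip(numerators, invs)]
```

With two pairings in lock-step each doubling or addition step costs one shared inversion instead of two, and the same batching extends to any number of pairings computed together; the three extra multiplications per element are far cheaper than the inversion they replace.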

Some timings
All code in C and assembly, P4 3GHz. Compare with 1024-bit RSA decryption on the same platform.
Group size of 160 bits, field size of bit equivalent. Precomputation allowed.
Three pairings – timings in milliseconds:
– $\eta_T$ pairing, $E(\mathbb{F})$, $k = 4$
– Tate pairing, $E(\mathbb{F}_p)$, 512-bit $p$, $k = 2$
– Ate pairing, $E(\mathbb{F}_p)$, 256-bit $p$, $k = 4$, $\omega = 2$

Timings

Questions??
Full paper: ftp.computing.dcu.ie/pub/crypto/pairings.pdf
Thank you!