Another Approach to Pairing Computation in Edwards Coordinates
Sorina Ionica
PRISM, Université de Versailles
joint work with Antoine Joux
Sorina Ionica Pairing Computation in Edwards Coordinates
What is a pairing?
A pairing is a map $e : G_1 \times G_1' \to G_2$,
where $G_1, G_1'$ are groups of order $r$ written additively and $G_2$ is a group of order $r$ written multiplicatively, such that the following hold:
bilinear: $e(aP, Q) = e(P, aQ) = e(P, Q)^a$
nondegenerate: for every $P \in G_1$ different from $0$ there is $Q \in G_1'$ such that $e(P, Q) \neq 1$.
Pairings in Elliptic Curve Cryptography
Pairings on elliptic curves: the Weil pairing, the Tate, Ate and Eta pairings.
Applications:
one round protocol for tripartite Diffie-Hellman
identity-based encryption
short signatures
etc.
The Tate pairing. Notations.
Let $E$ be an elliptic curve over a finite field $\mathbb{F}_q$ with $q \geq 5$, i.e.
$E : y^2 = x^3 + ax + b$.
Let $r \mid \#E(\mathbb{F}_q)$ and $E[r]$ the $r$-torsion subgroup, i.e. the subgroup of points of order $r$ in $E(\mathbb{F}_q)$.
If $r \mid \#E(\mathbb{F}_q)$ then $E(\mathbb{F}_q)[r]$ gives at least one component.
Embedding degree: $k$ minimal with $r \mid (q^k - 1)$.
Denote the $r$-th roots of unity by $\mu_r \subset \mathbb{F}_{q^k}^{\times}$.
The Tate pairing
If $k > 1$ then $E(\mathbb{F}_{q^k})[r] = E[r]$.
Choose $P, Q \in E[r]$ and $G_1 = \langle P \rangle$, $G_1' = \langle Q \rangle$.
Take $f_{r,P}$ such that $\mathrm{div}(f_{r,P}) = r(P) - r(O)$ and $D = (Q + T) - (T)$, with $T$ such that the support of $D$ is different from the support of $f_{r,P}$.
For crypto use:
$T_r(\cdot, \cdot) : G_1 \times G_1' \to \mu_r$
$T_r(P, Q) = f_{r,P}(D)^{(q^k - 1)/r}$
Miller’s algorithm
Introduce for $i \geq 1$ functions $f_{i,P}$ such that $\mathrm{div}(f_{i,P}) = i(P) - (iP) - (i - 1)(O)$.
Note $\mathrm{div}(f_{r,P}) = r(P) - r(O)$.
Establish the Miller equation
$f_{i+j,P} = f_{i,P}\, f_{j,P}\, \frac{l_{iP,jP}}{v_{(i+j)P}}$
where $l_{iP,jP}$ and $v_{(i+j)P}$ are such that
$\mathrm{div}(l_{iP,jP}) = (iP) + (jP) + (-(i + j)P) - 3(O)$
$\mathrm{div}(v_{(i+j)P}) = (-(i + j)P) + ((i + j)P) - 2(O)$
Miller’s algorithm
$f_{1,P}(D) = 1$
$f_{2,P}(D) = f_{1,P}^2(D)\, \frac{l_{P,P}(D)}{v_{2P}(D)}$
$f_{3,P}(D) = f_{1,P}(D)\, f_{2,P}(D)\, \frac{l_{P,2P}(D)}{v_{3P}(D)}$
$\vdots$
$f_{r,P}(D) = f_{r-1,P}(D)\, f_{1,P}(D)\, l_{(r-1)P,P}(D)$
Use the double-and-add method to compute $f_{r,P}(D)$ (the Tate pairing!) in $O(\log_2 r)$!
Miller’s algorithm or double-and-add
Choose a random point $T \in E(\mathbb{F}_{q^k})$ and compute $Q' = Q + T \in E(\mathbb{F}_{q^k})$.
Let $n \leftarrow [\log_2(r)]$, $K \leftarrow P$, $f \leftarrow 1$.
while $n \geq 1$
    Compute equations of $l$ and $v$ arising in the doubling of $K$.
    $K \leftarrow 2K$ and $f \leftarrow f^2\, (l(Q')\, v(T)) / (v(Q')\, l(T))$.
    if the $n$-th bit of $r$ is 1
        Compute equations of $l$ and $v$ arising in the addition of $K$ and $P$.
        $K \leftarrow P + K$ and $f \leftarrow f\, (l(Q')\, v(T)) / (l(T)\, v(Q'))$.
    Let $n \leftarrow n - 1$.
end while
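The double-and-add loop above as runnable code, added here as an illustration and not taken from the slides: it computes the reduced Tate pairing on the toy curve $y^2 = x^3 + x$ over $\mathbb{F}_{523}$ with $r = 131$ and $k = 2$ (constructed parameters, hypothetical function names). Assumptions beyond the slides: $f_{r,P}$ is evaluated directly at $Q$ instead of at the divisor $D = (Q + T) - (T)$, which yields the same reduced pairing when $P \in E(\mathbb{F}_q)$ and $k > 1$, and $Q$ is taken as $(-x_S, i\,y_S)$ for a point $S \in E(\mathbb{F}_p)[r]$ so that it lies outside $E(\mathbb{F}_p)$.

```python
# Added example; toy parameters are constructed, not from the slides: E: y^2 = x^3 + x over F_p,
# p = 3 mod 4, #E(F_p) = p + 1 = 4r, embedding degree k = 2. f is evaluated at Q, not at D.
P_MOD, R = 523, 131

def fmul(a, b):                       # product in F_{p^2} = F_p(i), i^2 = -1
    return ((a[0]*b[0] - a[1]*b[1]) % P_MOD, (a[0]*b[1] + a[1]*b[0]) % P_MOD)

def fpow(a, e):                       # left-to-right square-and-multiply in F_{p^2}
    out = (1, 0)
    for bit in bin(e)[2:]:
        out = fmul(fmul(out, out), a if bit == '1' else (1, 0))
    return out

def add(K, S):                        # affine K + S on E(F_p); returns (point, slope)
    (x1, y1), (x2, y2) = K, S
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None, None             # vertical line: K + S = O
    num, den = (3*x1*x1 + 1, 2*y1) if K == S else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, P_MOD) % P_MOD
    x3 = (lam*lam - x1 - x2) % P_MOD
    return (x3, (lam*(x1 - x3) - y1) % P_MOD), lam

def miller_step(K, S, xq, yq):        # (K + S, l(Q)/v(Q)) at Q = (xq, i*yq)
    K3, lam = add(K, S)
    if K3 is None:                    # final addition: l is vertical and v = 1
        return None, ((xq - K[0]) % P_MOD, 0)
    v_inv = pow(xq - K3[0], -1, P_MOD)           # v(Q) = xq - x(K+S), an F_p element
    l_re = (-K[1] - lam*(xq - K[0])) % P_MOD     # l(Q) = i*yq - yK - lam*(xq - xK)
    return K3, (l_re*v_inv % P_MOD, yq*v_inv % P_MOD)

def pairing(P, S):                    # T_r(P, Q) with Q = (-x_S, i*y_S); P, S in E(F_p)[r]
    xq, yq = -S[0] % P_MOD, S[1]
    f, K = (1, 0), P
    for bit in bin(R)[3:]:            # bits of r below the leading one
        K, g = miller_step(K, K, xq, yq)
        f = fmul(fmul(f, f), g)       # doubling: f <- f^2 * l/v
        if bit == '1':
            K, g = miller_step(K, P, xq, yq)
            f = fmul(f, g)            # addition: f <- f * l/v
    return fpow(f, (P_MOD*P_MOD - 1) // R)

def base_point():                     # point of order r: clear cofactor 4 by two doublings
    for x in range(1, P_MOD):
        rhs = (x**3 + x) % P_MOD
        y = pow(rhs, (P_MOD + 1)//4, P_MOD)      # square root candidate, p = 3 mod 4
        if y*y % P_MOD == rhs:
            D = add((x, y), (x, y))[0]
            P = add(D, D)[0]
            if P is not None:
                return P
```

Requires Python 3.8 or later for `pow(x, -1, p)`. With `P = base_point()`, the value `pairing(P, P)` is a nontrivial $r$-th root of unity and `pairing(2P, P)` equals its square.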
Implementing Miller’s algorithm
The doubling part of the double-and-add method is most important
Use faster exponentiation techniques (sliding window method, NAF)
Choose $r$ with low Hamming weight
Choose $P \in E(\mathbb{F}_q)[r]$ and $Q \in E(\mathbb{F}_{q^k})[r]$.
Take $k$ even and get major speed-ups by using twists and working in subfields
Up to now best performance in Jacobian coordinates: $(X, Y, Z)$ such that $(X/Z^2, Y/Z^3)$ is a point on the elliptic curve $E$.
Edwards curves
Let $E$ be an elliptic curve on $\mathbb{F}_q$ such that $E(\mathbb{F}_q)$ has an element of order 4.
There is a nonsquare $d \in \mathbb{F}_q$ such that $E$ is birationally equivalent over $\mathbb{F}_q$ to the Edwards curve
$x^2 + y^2 = 1 + d(xy)^2$.
On the Edwards curve the addition law is
$(x_1, y_1), (x_2, y_2) \to \left( \frac{x_1 y_2 + y_1 x_2}{1 + d x_1 x_2 y_1 y_2},\ \frac{y_1 y_2 - x_1 x_2}{1 - d x_1 x_2 y_1 y_2} \right)$
Edwards versus Jacobian
Actually use homogeneous Edwards coordinates to avoid inversions: $(X, Y, Z)$ corresponding to $(X/Z, Y/Z)$ on the Edwards curve.

| Operation | Edwards coordinates | Jacobian coordinates |
|---|---|---|
| addition | 10m+1m | 11m+5s |
| doubling | 3m+4s | 1m+8s, or 3m+5s for $a = -3$ |
| mixed addition ($Z_2 = 1$) | 9m+1s | 7m+4s |

s, m are the costs of operations in $\mathbb{F}_q$ (s = 0.8m).
Edwards curves
Note a 4-torsion subgroup defined over $\mathbb{F}_q$:
$\{O = (0, 1),\ T_4 = (1, 0),\ T_2 = (0, -1),\ -T_4 = (-1, 0)\}$
Take a look at the action of this subgroup on a fixed point $P = (x, y)$:
$P \to \{P,\ P + T_4 = (y, -x),\ P + T_2 = (-x, -y),\ P - T_4 = (-y, x)\}$
Edwards curves
If $xy \neq 0$ denote $p = (xy)^2$ and $s = x/y - y/x$ to characterize the point $P$ up to the action of the 4-torsion subgroup.
Take $E_{s,p} : s^2 p = (1 + dp)^2 - 4p$ and define
$\phi : E \to E_{s,p}$
$\phi(x, y) = \left( (xy)^2,\ \frac{x}{y} - \frac{y}{x} \right)$.
$\phi$ is separable of degree 4.
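The 4-torsion action and the map $\phi$ from the two slides above, checked exhaustively over a small field. This is an added example, not from the slides; the prime $p = 103$, the choice of $d$ as the smallest nonsquare, and all function names are assumptions made for illustration.

```python
# Added example with constructed toy parameters (not from the slides).
P_MOD = 103
# Smallest nonsquare d mod p, found with Euler's criterion.
D = next(d for d in range(2, P_MOD) if pow(d, (P_MOD - 1)//2, P_MOD) == P_MOD - 1)
T4, T2 = (1, 0), (0, P_MOD - 1)

def inv(a):
    return pow(a, -1, P_MOD)

def on_edwards(P):                    # x^2 + y^2 = 1 + d (xy)^2
    x, y = P
    return (x*x + y*y - 1 - D*x*x*y*y) % P_MOD == 0

def ed_add(P1, P2):                   # addition law from the slide; no exceptions for nonsquare d
    (x1, y1), (x2, y2) = P1, P2
    t = D*x1*x2*y1*y2 % P_MOD
    return ((x1*y2 + y1*x2) * inv(1 + t) % P_MOD, (y1*y2 - x1*x2) * inv(1 - t) % P_MOD)

def phi(P):                           # phi(x, y) = ((xy)^2, x/y - y/x), defined for xy != 0
    x, y = P
    return (x*y*x*y % P_MOD, (x*inv(y) - y*inv(x)) % P_MOD)

def on_Esp(pt):                       # s^2 p = (1 + d p)^2 - 4 p
    p, s = pt
    return (s*s*p - (1 + D*p)**2 + 4*p) % P_MOD == 0

def check_phi():
    """Return (#points with xy != 0, set of fibre sizes of phi, all checks passed)."""
    pts = [(x, y) for x in range(1, P_MOD) for y in range(1, P_MOD) if on_edwards((x, y))]
    ok, fibres = True, {}
    for P in pts:
        x, y = P
        # P + T4, P + T2, P - T4 computed with the addition law
        orbit = [ed_add(P, T4), ed_add(P, T2), ed_add(ed_add(P, T2), T4)]
        ok &= orbit == [(y, -x % P_MOD), (-x % P_MOD, -y % P_MOD), (-y % P_MOD, x)]
        # phi lands on E_{s,p} and is constant on the orbit of the 4-torsion subgroup
        ok &= on_Esp(phi(P)) and all(phi(R) == phi(P) for R in orbit)
        fibres.setdefault(phi(P), set()).add(P)
    return len(pts), {len(f) for f in fibres.values()}, ok
```

Every fibre of $\phi$ over a rational image point has exactly four elements, which is the degree-4 statement made on the slide.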
And back to an elliptic curve...
$E_{s,p}$ is elliptic as:
$s^2 p = (1 + dp)^2 - 4p$
$\downarrow (P, S, Z)$
$S^2 P = (Z + dP)^2 Z - 4PZ^2$
$\downarrow (P = 1)$
$s^2 = z^3 + (2d - 4)z^2 + d^2 z$
Consider the standard addition law: $O_{s,p} = (0, 1, 0)$ neutral element and $T_{2,s,p} = (1, 0, 0)$ point of order 2.
Arithmetic of Es,p
Take $l_{s,p}$ the line passing through $P_1$ and $P_2$. Take $R$ its third point of intersection with the curve $E_{s,p}$.
Take $v_{s,p}$ the vertical line through $R$.
$P_1 + P_2$ is the second point of intersection of $v_{s,p}$ with $E_{s,p}$.
$\mathrm{div}(l_{s,p}) = (P_1) + (P_2) + (-(P_1 + P_2)) - 2(T_{2,s,p}) - (O_{s,p})$ and
$\mathrm{div}(v_{s,p}) = (P_1 + P_2) + (-(P_1 + P_2)) - 2(T_{2,s,p})$.
Miller’s algorithm on Edwards curves
Consider slightly modified functions $f^{(4)}_{i,P}$:
$\mathrm{div}(f^{(4)}_{i,P}) = i((P) + (P + T_4) + (P + T_2) + (P - T_4)) - ((iP) + (iP + T_4) + (iP + T_2) + (iP - T_4)) - (i - 1)((O) + (T_4) + (T_2) + (-T_4))$.
Then $\mathrm{div}(f^{(4)}_{r,P}) = r((P) + (P + T_4) + (P + T_2) + (P - T_4)) - r((O) + (T_4) + (T_2) + (-T_4))$.
Compute the 4-th power of the Tate pairing:
$T_r(P, Q)^4 = f^{(4)}_{r,P}(D)^{(q^k - 1)/r}$.
Miller’s algorithm on the Edwards curve
Establish the Miller equation:
$f^{(4)}_{i+j,P} = f^{(4)}_{i,P}\, f^{(4)}_{j,P}\, \frac{l}{v}$,
where $l/v$ is the function of divisor
$\mathrm{div}\left(\frac{l}{v}\right) = ((iP) + (iP + T_4) + (iP + T_2) + (iP - T_4)) + ((jP) + (jP + T_4) + (jP + T_2) + (jP - T_4)) - (((i + j)P) + ((i + j)P + T_4) + ((i + j)P + T_2) + ((i + j)P - T_4)) - ((O) + (T_4) + (T_2) + (-T_4))$.
Miller’s algorithm on the Edwards curve
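Let $P' = \phi(P)$ and $l_{s,p}$ and $v_{s,p}$ such that
$\mathrm{div}(l_{s,p}) = (iP') + (jP') + (-(i + j)P') - 2(T_{2,s,p}) - (O_{s,p})$
and $\mathrm{div}(v_{s,p}) = ((i + j)P') + (-(i + j)P') - 2(T_{2,s,p})$.
$f_{i+j,P'} = f_{i,P'}\, f_{j,P'}\, \frac{l_{s,p}}{v_{s,p}}$
$\downarrow \phi^*$
$f^{(4)}_{i+j,P} = f^{(4)}_{i,P}\, f^{(4)}_{j,P}\, \frac{l}{v}$
Compute $l/v = \phi^*(l_{s,p}/v_{s,p})$.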
Computing l and v
For the doubling step:
$l(x, y) = \big( (X_1^2 + Y_1^2 - Z_1^2)(X_1^2 - Y_1^2)(2X_1Y_1(x/y - y/x) - 2(X_1^2 - Y_1^2)) + Z_3(dZ_1^2(xy)^2 - (X_1^2 + Y_1^2 - Z_1^2)) \big) / \big( 2X_1Y_1(X_1^2 + Y_1^2 - Z_1^2)(X_1^2 - Y_1^2) \big)$,
$v(x, y) = (dZ_3^2(xy)^2 - (X_3^2 + Y_3^2 - Z_3^2)) / (X_3^2 + Y_3^2 - Z_3^2)$.
For the mixed addition step:
$l(x, y) = \big( (X_1^2 + Y_1^2 - Z_1^2 - dZ_1^2(X_0Y_0)^2)(X_1Y_1(\tfrac{x}{y} - \tfrac{y}{x}) - (X_1^2 - Y_1^2)) - (X_1^2 - Y_1^2 - X_1Y_1(\tfrac{X_0}{Y_0} - \tfrac{Y_0}{X_0})) \cdot (dZ_1^2(xy)^2 - (X_1^2 + Y_1^2 - Z_1^2)) \big) / \big( X_1Y_1(X_1^2 + Y_1^2 - Z_1^2 - dZ_1^2(X_0Y_0)^2) \big)$;
$v(x, y) = (dZ_3^2(xy)^2 - (X_3^2 + Y_3^2 - Z_3^2)) / (X_3^2 + Y_3^2 - Z_3^2)$.
Comparison of costs for the doubling step of Miller's algorithm

| Coordinates | $k = 2$ | $k \geq 4$ |
|---|---|---|
| Jacobian coordinates | 10s + 3m + S + M | 11s + (k + 1)m + S + M |
| Jacobian coordinates for $a = -3$ | 4s + 8m + S + M | 4s + (k + 7)m + S + M |
| Das/Sarkar Edwards coordinates (supersingular curves) | 6s + 9m + S + M | - |
| Edwards coordinates | 4s + 9m + S + M | 4s + (k + 8)m + S + M |

s, m are costs of operations in $\mathbb{F}_q$; S, M are costs of operations in $\mathbb{F}_{q^k}$.
Comparison of costs for the mixed addition step of the Miller operation in the case of $k$ even

| Coordinates | $k = 2$ | $k \geq 4$ |
|---|---|---|
| Jacobian coordinates | 3s + 11m + M | 3s + (k + 9)m + 1M |
| Das/Sarkar Edwards coordinates (supersingular curves) | 1s + 17m + M | - |
| Edwards coordinates | 4s + 15m + M | 4s + (k + 14)m + 1M |
A useful scenario
Take $E : y^2 = x^3 + x$
Take $q = 2^{520} + 2^{363} - 2^{360} - 1$ ($q \equiv 3 \bmod 4$)
Then $r = 2^{160} + 2^3 - 1$ and the embedding degree $k = 2$
The Edwards form is $x^2 + y^2 = 1 - (xy)^2$, so $d = -1$.
A useful scenario
Suppose you want to implement a protocol in Edwards coordinates.
protection from side channel attacks
You need to compute the pairing of two points $e(P, Q)$, where $Q$ is a fixed point.
You have $P = (X_0, Y_0, 1)$ in Edwards coordinates
Switch to Jacobian coordinates (via $\psi(X_0, Y_0) = ((1 + Y_0)/(1 - Y_0),\ (1 + Y_0)/(X_0(1 - Y_0)))$) and compute the pairing on the Weierstrass form.
faster, but you need one inversion with Montgomery's trick!
An inversion free algorithm
Stick to Edwards coordinates and use our method to implement the pairing
We need $\phi(X_0, Y_0) = \left( (X_0Y_0)^2,\ \frac{X_0}{Y_0} - \frac{Y_0}{X_0} \right)$ to compute the $l$-functions of the mixed addition step.
Replace $l \leftarrow (X_0Y_0)\, l$ in the mixed addition step.
The mixed addition will be more expensive (+1m) but NO INVERSIONS!
Questions. . . ?