Graduate School of Natural Science and Technology Okayama University

Yumi Sakemi, Hidehiro Kato, Shoichi Takeuchi,Yasuyuki Nogami and Yoshitaka Morikawa

Two Improvements of Twisted Ate Pairing with Barreto–Naehrig Curveby Dividing Miller’s Algorithm

Elliptic curve cryptography

Finite field theory

Background

Pairing based cryptography

Identity(ID)-based cryptography (Sakai et al. 2000) Group signature (Boneh et al. 2003)

An efficient algorithm for pairing calculation is required.

2

･･･

expensive operation!!

Pairing

Pairing based cryptography

Elliptic Curve over Finite Field

○ Finite fields

○ Elliptic curve over pF

pFx

pFy

1R2R 3R

213 RRR

21 ,RRl21 RRv

)( pFE

pFbybaxxyxE 0),( 23

●： rational point

,},1,,1,0{: pFp

,},|),,{(: 1 pikkpFaaaF

Prime field

Extension FieldpF

pF k

order of ：

3

)( pFEGroup of rational points on the curve ：　

r

},][,,][,,2,{ RrRaRR ：)( pFE

)( pFE

embedding degree

　　

),( QRe

Pairing

)( pFE

)( kpFE

kpF

4

R

Q

Group1

Group2

Group3order= r

order = r

order = r

e

additive multiplicative

),( QRe

Pairing

)( pFE

)( kpFE

kpF

5

1

0

a

i

RR

Q

Group1

Group2

Group3order = r

order = r

order = r

][a

a

),( QRe

Pairing

)( pFE

)( kpFE

kpF

6

RGroup1

Group2

Group3order = r

order = r

order = r

][b

b

1

0

b

i

QQ

),( QRe

Pairing

)( pFE

)( kpFE

kpF

7

R

Q

Group1

Group2

Group3order = r

order = r

order = r

][a

][b

ab

Bilinearity

Innovative cryptographic applications are based on bilinearity of pairing.

),( QRe

Pairing

)( pFE

)( kpFE

kpF

8

R

Q

Group1

Group2

Group3

order = r

order = r

order = r

Final exponentiation

Miller’salgorithm

)(, Qf Rs

Weil Tate AteTwisted Ate

slow fast

Miller’salgorithm

Several improvements for pairing

(1946) (2006)(1994) (2006)

Barreto-Naehrig(BN) Curve

Elliptic curve of k =12

Parameters p, r and t of BN curve are given by integer variable as

pFbbxy ,32

16243636)( 234 p

16)( 2 t

16183636)( 234 r

9

Miller’s Algorithm

0),(, QQTT yxlTTT RTT

0),(, QQRT yxl

RTfsi s ,1,)(log2

1i1 ii

),(,2

QQTTss yxlff ),(, QQRTss yxlff

)(),(,)(),( 12pQQpRR FEyxQFEyxR

)(, Qf RsOutput :

i-th bit of the binary

representation of s from the lower

Hw(s) : Hamming Weight of s

Hw(s) is large → computationally expensive

10

1][ is

yesno

yes

no

additional operation

main loop

Input :

Twisted Ate Pairing with BN Curve

161836)( 23 s

It is not easy to control the Hw(s) small !!

11

: integer

We can select of small hamming weight.

Improvement 1

conventional method

Miller’s

algorithm ( s )

12

161836 s 3 2

sfOut put

Improvement 1 is based on divisor theorem

proposed method

Miller’salgorithm ( )

Miller’salgorithm ( )

Miller’salgorithm ( )

Combining

f

2f

3f

sfOutput

32 and, fff

Improvement 2

Miller’salgorithm ( a )

Miller’s algorithm ( ab )

Output fab

Miller’salgorithm ( b )

combining

fa

fb

fab = fab ･ fb

An exponentiation is additionally required !!

fap = fap ･ fp

Frobenius mapping

12

Improvement 2

conventional method

Miller’s

algorithm ( s )

sfOut put 13

proposed method

Miller’salgorithm ( )

Miller’salgorithm ( p )

combining and some calculations

f

pf

sfOutput

rp mod6 2s = ( 6 － 3 ) p + ( 6 － 1)s = 363 － 182 ＋ 6 － 1

fs is given by f and fp.

Computational environment

Experimental results

[ms]

-14.8%

14

conventional Improvement 1 Improvement 2

Miller’s algorithm 15.7 12.9 12.8

Final exponentiation 4.70

total 20.4 17.6 17.5

Conclusion

○ We proposed two improvements for twisted Ate pairing.

○ It was shown that they have almost the same efficiency.

16