Download presentation

Presentation is loading. Please wait.

Published byDiana Black Modified over 2 years ago

1
Parshuram Budhathoki FAU October 25, 2012 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

2
Motivation Diffie-Hellman Key exchange What is pairing ? Divisors Tate pairings Miller’s algorithm for Tate pairing Optimization 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

3
Alice, Bob and Charlie want to communicate how can they share key ? AliceBob Charlie 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

4
Diffie-Hellman Two party key Exchange g Alice g Bob x y G = 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

5
Diffie-Hellman Two party key Exchange AliceBob g yx g y x y Need single round g x g xy Common Key =g yx 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

6
Diffie-Hellman Three party key Exchange g Bob g Alice x y g Charlie z 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

7
Diffie-Hellman Three party key Exchange Bob Alice x y Charlie z g x g z g y First round 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

8
Diffie-Hellman Three party key Exchange Alice x g xz Charlie z g yz Bob y g xy 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

9
Diffie-Hellman Three party key Exchange Alice x g xy Charlie z g xz Bob y g yz Second round 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

10
Diffie-Hellman Three party key Exchange Alice x g yzx Charlie z g xyz Bob y g xzy Common key = = = g xzy g zxy g zyx 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

11
Does one round protocol for three party key exchange exist ? To answer this question we need special function. 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

12
1)Bilinearity : P, Q, R G we have e(P+R, Q)= e(P,Q) e(R,Q) and e(P, R+Q)= e(P,R) e(P,Q) 2) Non-degeneracy : There exists P, Q G such that e(P,Q) ≠1. 3)e can be efficiently computable. Let (G,+) and (V,.) denote cyclic groups of prime order, P G, a generator of G and let e: G x G V be a pairing which satisfies the following additional properties: 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

13
aPaP bP cPcP P Alice a P Bob b P Charlie c bP cPcP aPaP a e(bP, cP) e(aP, cP) b e(bP, aP) c G = be additive group. 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

14
y -(x + Ax + B )=0 23 Let E : be an elliptic curve over finite field E( ) = { (x,y) | x,y } { } Here is the point at infinity ; these points form additive group with being the group identity. Let be a prime satisfying l| # E( ) l doesn’t divide q-1 and q are co-prime q q q q Torsion Points: 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

15
Torsion Points : Then for some integer k, E( ) contains points of order if and only if | - 1 k q 2 q k Let E[ ] denote the set of these order- points, which is called Torsion points.* E[ ] = { P E( ) : P = } 2 q k * Beyond Scope of Presentation 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

16
Function on Elliptic Curve : Let E be elliptic curve over a field K A non zero rational function f K( E ) defined at point P E(K) \{ } if => f= g / h, for g and h K ( E ) => h ( P ) ≠ 0 ¯ * ¯ f is said to have : => Zero at point P if f ( P ) = 0 => Pole at point P if f ( P ) = or (1/ f ( P ) = 0) 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

17
There is a function u, called a uniformizer at P, such that u ( P ) = 0 Every function f ( x, y ) can be written in the form f = u g, with r and g ( P ) ≠ 0, Order of f at P = r ord (f ) =r If l is any line through P that is not tangent to E, then l is uniformizer parameter for P. Function on Elliptic Curve : P P r P 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

18
Divisors Up to constant multiple, a rational function is uniquely determined by its zeros and poles A divisor is tool to record these special points of function. For each P E, define formal symbol ( P ) Here E = E ( K ) ¯ 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

19
Divisors: D = ( P ) P E P A divisor D is a “formal” sum of points : Where and = 0 for all but finitely many P P P E Div( E) denotes group of divisors of E which is free abelian group generated by the points of E, where addition is given by ( P ) + P E P ( P ) = P E p ( + )( P ) P E Pp 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

20
Divisors : Support of divisor D is supp(D)= { P E | ≠ 0} P degree of divisor D is deg(D)= P P E Div (E) is subgroup, of divisors of degree 0, of Div(E) 0 A divisor D with deg(D) = 0 is called a principal divisor. sum of divisor D is sum ( D ) = P P E 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

21
Divisor of function : Number of zeros and poles of rational function f is finite. We can defined divisor of function f as div( f ) = ord ( f ) [ P ] P div( f ) = 0 iff f is constant A principal divisor is divisor which is equal to div ( f ) for some function f div ( f ) records zeros and poles of f and their multiplicities 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

22
D = ( P ) P E P Divisor of function : Let D be divisor : Then evaluation of f in D is defined by : f ( D ) = f ( P ) P supp ( D ) P 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

23
Tate Pairing Let P E( ) [ ] then ( P ) - ( ) is principal divisor k q There is rational function with div ( ) = ( P ) - ( ) f ( E ), P q k f Let Q be a point representing coset inE ( ) / q k E ( ) q k We construct D Div ( E ) such that : = > D ~ ( Q ) – ( ) => supp ( D ) supp ( div ( f ) ) = Q Q, P 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

24
Tate Pairing The Tate pairing e : E( )[ ] E ( ) / / is given by : e(P, Q ) = f ( D ) E ( ) q KK q K K q q *( ) q * k, P Q 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

25
e doesn’t depend on choice of f e doesn’t depend on choice of D e is well defined e satisfy Non- degeneracy e satisfy bilinearity Tate Pairing, P Q 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

26
Miller’ s algorithm for the Tate pairing : [a]P [b]P -[a+ b] P [a+ b] P 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

27
Miller’ s algorithm for the Tate pairing : [a]P [b]P -[a+ b] P [a+ b] P Let g be line passing through [a]P and [b]P and v be vertical line passing trough [a+b]P [a]P,[b]P [a+b]P g [a]P,[b]P v [a+b]P 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

28
Miller’ s algorithm for the Tate pairing : [a]P [b]P -[a+ b ]P [a+b]P Then div( g ) = [ a]P + [ b ]P + [-(a+ b )]P – 3 [ ] [a]P,[b] P div ( V ) = [ a + b ] P + [-( a+ b ) ] P – 2 [ ] [a + b]P 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

29
Miller’ s algorithm for the Tate pairing : div ( f / g ) = div ( f ) – div ( g ) div ( f g ) = div ( f ) + div ( g ) 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

30
1. T = P, f = 1 2. for i = log ( ) -1 to 0 : T = 2T Input : P E ( ), Q E ( ), where P has order Output : e ( P, Q ) q k q k 3.f = f 4.return f (q - 1 ) / k f = f. g ( Q ) / v ( Q ) T,T2T 2 if = 1 then f = f. g ( Q ) / v (Q ) T = T + P i T,PT+P Miller’ s algorithm for the Tate pairing : 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

31
Miller’ s algorithm for the Tate pairing : Example: Let E ( ) : y = x + 3x 1 23 # E ( ) = 12 1 Choose = 6 then k = 2 If P = (1,9) and Q = (8+7i, 10+6i) find e(P,Q) =6 => (,, ) = (1, 1, 0 ) 2012 T = (1,9) for i = 1: g = y + 7x + 6 and g = x+8 T,T 2T g ( Q ) = 6 and g ( Q ) = 5 + 7i T,T2T 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

32
Miller’ s algorithm for the Tate pairing : Example: T = [2] (1, 9 ) = (3, 5 ) g ( Q ) = 4+9i and g ( Q ) = 8 + 7i T,PT+P f = 1. =1+3i 5+7i 6 ¯ 2 Since = 1 g = y + 2x and g =x 1 T,PT + P Thus f = (1+3i) = 8+ 10i ¯ 4+9i 8 + 7i And T = (3,5) + (1,9) = (0,0) 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

33
Miller’ s algorithm for the Tate pairing : Example: g = x and g =1 T,T2T for i = 0 Then g ( Q ) = 8+7i and g (Q) =1 T,T 2T Thus f = (8+10i) =5i ¯ 8+7i 1 2 and T = 2 (0,0) = f = f = 1 mod 11 121-1/6 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

34
T,T2T Miller’s algorithm fails if line function g and v pass through Q therefore Choose to have low hamming weight Choose P and Q from particular disjoint groups Choose P from E ( ) p Optimization of Miller’s loop for Tate pairing. For further optimization : 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

35
Optimization of Miller’s loop for Tate pairing. From here : => k is even i.e. k =2d, where d is +ve integer => q = p, some prime Therefore final exponentiation can now be written as f (p -1 ) d (p +1) / d => divides (p +1) d => p = 3 mod 4 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

36
1. T = P, f = 1 2. for i = log ( ) -1 to 0 : T = 2T Input : P E ( ), Q E ( ), where P has order Output : e ( P, Q ) q k q k 3.f = f (p - 1 ) d f = f. g ( Q ) / v ( Q ) T,T2T 2 if = 1 then f = f. g ( Q ) / v (Q ) T = T+ P i T,PT+P 4.f = f 5. return f (p +1 ) / d Optimization of Miller’s loop for Tate pairing. 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

37
Optimization of Miller’s loop for Tate pairing. K is even => is quadratic extension of p k p d Since p = 3 mod 4 => x + 1 is irreducible polynomial. 2 w can be represented as w = a+ib, where a,b p k p d w = conjugate of w = a- i b ¯ Using Frobenius = > ( a + ib ) = ( a – ib ) d p = >(1/ ( a + ib ) ) = ( a – ib ) p -1 d d 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

38
1. T = P, f = 1 2. for i = log ( ) -1 to 0 : T = 2T Input : P E ( ), Q E ( ), where P has order Output : e ( P, Q ) q k q k 3.f = f (p - 1 ) d 4.f = f 5. return f (p +1 ) / d Optimization of Miller’s loop for Tate pairing. if = 1 then f = f. g ( Q ) T = T+ P i T,P f = f. g ( Q ) T,T 2 ¯ 2T v ( Q ) ¯ T+P v ( Q ) 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

39
Optimization of Miller’s loop for Tate pairing. Choice of Q : We have, Q = ( x, y ) where x = a+ib and y = c+id and a,b,c,d p d Choose b=c=0 Now and are elements of which means they will be wiped out by final exponentiation T+P ¯ v 2T ¯ v p d This called denominator-elimination optimization 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

40
1. T = P, f = 1 2. for i = log ( ) -1 to 0 : T = 2T Input : P E ( ), Q E ( ), where P has order Output : e ( P, Q ) q k q k 3.f = f (p - 1 ) d 4.f = f 5. return f (p +1 ) / d Optimization of Miller’s loop for Tate pairing. if = 1 then f = f. g ( Q ) T = T+ P i T,P f = f. g ( Q ) T,T 2 ¯ 2T v ( Q ) ¯ T+P v ( Q ) 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

41
Optimization of Miller’s loop for Tate pairing. 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

Similar presentations

Presentation is loading. Please wait....

OK

FINITE FIELDS 7/30 陳柏誠.

FINITE FIELDS 7/30 陳柏誠.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google