Published by Diana Black. Modified over 3 years ago.

1
Parshuram Budhathoki FAU October 25, 2012 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU

2
Motivation
Diffie-Hellman key exchange
What is a pairing?
Divisors
Tate pairings
Miller’s algorithm for Tate pairing
Optimization

3
Alice, Bob and Charlie want to communicate. How can they share a key?

4
Diffie-Hellman Two party key Exchange
[Diagram: Alice with $g$ and $x$; Bob with $g$ and $y$.]
G =

5
Diffie-Hellman Two party key Exchange
[Diagram: Alice ($x$) and Bob ($y$) exchange $g^{x}$ and $g^{y}$ and obtain $g^{yx}$ and $g^{xy}$.]
Need single round
Common Key = $g^{yx}$

6
Diffie-Hellman Three party key Exchange
[Diagram: Alice ($x$), Bob ($y$) and Charlie ($z$), each with $g$.]

7
Diffie-Hellman Three party key Exchange
First round
[Diagram: Alice ($x$), Bob ($y$) and Charlie ($z$) send $g^{x}$, $g^{y}$ and $g^{z}$.]

8
Diffie-Hellman Three party key Exchange
[Diagram: Alice ($x$): $g^{xz}$; Charlie ($z$): $g^{yz}$; Bob ($y$): $g^{xy}$.]

9
Diffie-Hellman Three party key Exchange
Second round
[Diagram: Alice ($x$): $g^{xy}$; Charlie ($z$): $g^{xz}$; Bob ($y$): $g^{yz}$.]

10
Diffie-Hellman Three party key Exchange
[Diagram: Alice ($x$): $g^{yzx}$; Charlie ($z$): $g^{xyz}$; Bob ($y$): $g^{xzy}$.]
Common key = $g^{xzy} = g^{zxy} = g^{zyx}$

11
Does a one-round protocol for three-party key exchange exist?
To answer this question we need a special function.

12
Let $(G,+)$ and $(V,\cdot)$ denote cyclic groups of prime order, $P \in G$ a generator of $G$, and let $e: G \times G \to V$ be a pairing which satisfies the following additional properties:
1) Bilinearity: for all $P, Q, R \in G$ we have $e(P+R, Q) = e(P,Q)\, e(R,Q)$ and $e(P, R+Q) = e(P,R)\, e(P,Q)$
2) Non-degeneracy: there exist $P, Q \in G$ such that $e(P,Q) \neq 1$.
3) $e$ can be efficiently computed.

13
[Diagram: Alice ($a$), Bob ($b$) and Charlie ($c$) each know $P$ and exchange $aP$, $bP$ and $cP$. Alice computes $e(bP, cP)^{a}$, Bob computes $e(aP, cP)^{b}$, Charlie computes $e(bP, aP)^{c}$.]
G = be additive group.

14
Torsion Points:
Let E : $y^{2} - (x^{3} + Ax + B) = 0$ be an elliptic curve over a finite field $\mathbb{F}_q$.
$E(\mathbb{F}_q)$ = { (x,y) | x,y ∈ $\mathbb{F}_q$ } ∪ { }
Here is the point at infinity; these points form an additive group with being the group identity.
Let $\ell$ be a prime satisfying:
$\ell \mid \#E(\mathbb{F}_q)$
$\ell$ doesn’t divide q-1
$\ell$ and q are co-prime

15
Torsion Points:
Then for some integer k, $E(\mathbb{F}_{q^k})$ contains $\ell^{2}$ points of order $\ell$ if and only if $\ell \mid q^{k} - 1$
Let E[$\ell$] denote the set of these order-$\ell$ points, which are called torsion points.*
E[$\ell$] = { P ∈ $E(\mathbb{F}_{q^k})$ : $\ell$P = }
* Beyond Scope of Presentation

16
Function on Elliptic Curve:
Let E be an elliptic curve over a field K.
A non-zero rational function f ∈ $\bar{K}(E)^{*}$ is defined at a point P ∈ E($\bar{K}$) \ { } if
=> f = g / h, for g and h ∈ K(E)
=> h(P) ≠ 0
f is said to have:
=> a zero at point P if f(P) = 0
=> a pole at point P if f ( P ) = or (1 / f(P) = 0)

17
Function on Elliptic Curve:
There is a function $u_P$, called a uniformizer at P, such that $u_P(P) = 0$
Every function f(x, y) can be written in the form $f = u_P^{r}\, g$, with r and g(P) ≠ 0
Order of f at P = r
$\mathrm{ord}_P(f) = r$
If l is any line through P that is not tangent to E, then l is a uniformizing parameter for P.

18
Divisors
Up to a constant multiple, a rational function is uniquely determined by its zeros and poles.
A divisor is a tool to record these special points of a function.
For each P ∈ E, define a formal symbol (P)
Here E = E($\bar{K}$)

19
Divisors:
A divisor D is a “formal” sum of points :
D = ( P ) P E P
Where and = 0 for all but finitely many P ∈ E
Div(E) denotes the group of divisors of E, which is the free abelian group generated by the points of E, where addition is given by
( P ) + P E P ( P ) = P E p ( + )( P ) P E Pp

20
Divisors:
Support of divisor D is supp(D) = { P ∈ E | ≠ 0 } P
degree of divisor D is deg(D) = P P E
$\mathrm{Div}^{0}(E)$ is the subgroup of Div(E) of divisors of degree 0
A divisor D with deg(D) = 0 is called a principal divisor.
sum of divisor D is sum ( D ) = P P E

21
Divisor of function:
The number of zeros and poles of a rational function f is finite.
We can define the divisor of a function f as $\mathrm{div}(f) = \sum_{P \in E} \mathrm{ord}_P(f)\,[P]$
div(f) = 0 iff f is constant
A principal divisor is a divisor which is equal to div(f) for some function f
div(f) records the zeros and poles of f and their multiplicities

22
Divisor of function:
Let D be a divisor : D = ( P ) P E P
Then the evaluation of f in D is defined by : f ( D ) = f ( P ) P supp ( D ) P

23
Tate Pairing
Let P ∈ $E(\mathbb{F}_{q^k})[\ell]$; then $\ell$(P) - $\ell$( ) is a principal divisor
There is a rational function $f_{\ell,P} \in \mathbb{F}_{q^k}(E)$ with div($f_{\ell,P}$) = $\ell$(P) - $\ell$( )
Let Q be a point representing a coset in $E(\mathbb{F}_{q^k}) / \ell E(\mathbb{F}_{q^k})$
We construct $D_Q$ ∈ $\mathrm{Div}^{0}(E)$ such that :
=> $D_Q$ ~ (Q) – ( )
=> supp($D_Q$) ∩ supp(div($f_{\ell,P}$)) = ∅

24
Tate Pairing
The Tate pairing
$e : E(\mathbb{F}_{q^k})[\ell] \times E(\mathbb{F}_{q^k}) / \ell E(\mathbb{F}_{q^k}) \to \mathbb{F}_{q^k}^{*} / (\mathbb{F}_{q^k}^{*})^{\ell}$
is given by : $e(P, Q) = f_{\ell,P}(D_Q)$

25
Tate Pairing
e doesn’t depend on the choice of $f_{\ell,P}$
e doesn’t depend on the choice of $D_Q$
e is well defined
e satisfies non-degeneracy
e satisfies bilinearity

26
Miller’s algorithm for the Tate pairing:
[Figure: the points [a]P, [b]P, -[a+b]P and [a+b]P on the curve.]

27
Miller’s algorithm for the Tate pairing:
Let $g_{[a]P,[b]P}$ be the line passing through [a]P and [b]P and $v_{[a+b]P}$ be the vertical line passing through [a+b]P
[Figure: the points [a]P, [b]P, -[a+b]P and [a+b]P with the lines $g_{[a]P,[b]P}$ and $v_{[a+b]P}$.]

28
Miller’s algorithm for the Tate pairing:
[Figure: the points [a]P, [b]P, -[a+b]P and [a+b]P.]
Then
div($g_{[a]P,[b]P}$) = [a]P + [b]P + [-(a+b)]P – 3 [ ]
div($v_{[a+b]P}$) = [a+b]P + [-(a+b)]P – 2 [ ]

29
Miller’s algorithm for the Tate pairing:
div(f / g) = div(f) – div(g)
div(f g) = div(f) + div(g)

30
Miller’s algorithm for the Tate pairing:
Input : P ∈ $E(\mathbb{F}_{q^k})$, Q ∈ $E(\mathbb{F}_{q^k})$, where P has order $\ell$
Output : e(P, Q)
1. T = P, f = 1
2. for i = $\log(\ell) - 1$ to 0 :
       $f = f^{2} \cdot g_{T,T}(Q) / v_{2T}(Q)$
       T = 2T
       if $\ell_i = 1$ then
           $f = f \cdot g_{T,P}(Q) / v_{T+P}(Q)$
           T = T + P
3. $f = f^{(q^{k} - 1)/\ell}$
4. return f

31
Miller’s algorithm for the Tate pairing:
Example:
Let $E(\mathbb{F}_{11})$ : $y^{2} = x^{3} + 3x$
$\#E(\mathbb{F}_{11}) = 12$
Choose $\ell = 6$ then k = 2
If P = (1,9) and Q = (8+7i, 10+6i) find e(P,Q)
$\ell = 6$ => $(\ell_2, \ell_1, \ell_0) = (1, 1, 0)_2$
T = (1,9)
for i = 1:
$g_{T,T} = y + 7x + 6$ and $g_{2T} = x + 8$
$g_{T,T}(Q) = 6$ and $g_{2T}(Q) = 5 + 7i$

32
Miller’s algorithm for the Tate pairing:
Example:
$f = 1^{2} \cdot \frac{6}{5+7i} = 1 + 3i$
T = [2](1, 9) = (3, 5)
Since $\ell_1 = 1$:
$g_{T,P} = y + 2x$ and $g_{T+P} = x$
$g_{T,P}(Q) = 4 + 9i$ and $g_{T+P}(Q) = 8 + 7i$
Thus $f = (1+3i) \cdot \frac{4+9i}{8+7i} = 8 + 10i$
And T = (3,5) + (1,9) = (0,0)

33
Miller’s algorithm for the Tate pairing:
Example:
for i = 0:
$g_{T,T} = x$ and $g_{2T} = 1$
Then $g_{T,T}(Q) = 8 + 7i$ and $g_{2T}(Q) = 1$
Thus $f = (8+10i)^{2} \cdot \frac{8+7i}{1} = 5i$
and T = 2 (0,0) =
$f = f^{(121-1)/6} = 1 \bmod 11$

34
Optimization of Miller’s loop for Tate pairing.
Miller’s algorithm fails if the line functions $g_{T,T}$ and $v_{2T}$ pass through Q, therefore:
Choose $\ell$ to have low Hamming weight
Choose P and Q from particular disjoint groups
Choose P from $E(\mathbb{F}_p)$
For further optimization :

35
Optimization of Miller’s loop for Tate pairing.
From here :
=> k is even, i.e. k = 2d, where d is a positive integer
=> q = p, some prime
Therefore the final exponentiation can now be written as $f^{(p^{d} - 1)(p^{d} + 1)/\ell}$
=> $\ell$ divides $(p^{d} + 1)$
=> p = 3 mod 4

36
Optimization of Miller’s loop for Tate pairing.
Input : P ∈ $E(\mathbb{F}_{q^k})$, Q ∈ $E(\mathbb{F}_{q^k})$, where P has order $\ell$
Output : e(P, Q)
1. T = P, f = 1
2. for i = $\log(\ell) - 1$ to 0 :
       $f = f^{2} \cdot g_{T,T}(Q) / v_{2T}(Q)$
       T = 2T
       if $\ell_i = 1$ then
           $f = f \cdot g_{T,P}(Q) / v_{T+P}(Q)$
           T = T + P
3. $f = f^{(p^{d} - 1)}$
4. $f = f^{(p^{d} + 1)/\ell}$
5. return f

37
Optimization of Miller’s loop for Tate pairing.
k is even => $\mathbb{F}_{p^k}$ is a quadratic extension of $\mathbb{F}_{p^d}$
Since p = 3 mod 4 => $x^{2} + 1$ is an irreducible polynomial.
w ∈ $\mathbb{F}_{p^k}$ can be represented as w = a + ib, where a, b ∈ $\mathbb{F}_{p^d}$
$\bar{w}$ = conjugate of w = a - ib
Using Frobenius
=> $(a + ib)^{p^{d}} = (a - ib)$
=> $(1/(a + ib))^{p^{d} - 1} = (a - ib)^{p^{d} - 1}$

38
Optimization of Miller’s loop for Tate pairing.
Input : P ∈ $E(\mathbb{F}_{q^k})$, Q ∈ $E(\mathbb{F}_{q^k})$, where P has order $\ell$
Output : e(P, Q)
1. T = P, f = 1
2. for i = $\log(\ell) - 1$ to 0 :
       $f = f^{2} \cdot g_{T,T}(Q) \cdot \bar{v}_{2T}(Q)$
       T = 2T
       if $\ell_i = 1$ then
           $f = f \cdot g_{T,P}(Q) \cdot \bar{v}_{T+P}(Q)$
           T = T + P
3. $f = f^{(p^{d} - 1)}$
4. $f = f^{(p^{d} + 1)/\ell}$
5. return f

39
Optimization of Miller’s loop for Tate pairing.
Choice of Q :
We have Q = (x, y) where x = a + ib and y = c + id and a, b, c, d ∈ $\mathbb{F}_{p^d}$
Choose b = c = 0
Now $\bar{v}_{2T}$ and $\bar{v}_{T+P}$ are elements of $\mathbb{F}_{p^d}$, which means they will be wiped out by the final exponentiation
This is called the denominator-elimination optimization

40
Optimization of Miller’s loop for Tate pairing.
Input : P ∈ $E(\mathbb{F}_{q^k})$, Q ∈ $E(\mathbb{F}_{q^k})$, where P has order $\ell$
Output : e(P, Q)
1. T = P, f = 1
2. for i = $\log(\ell) - 1$ to 0 :
       $f = f^{2} \cdot g_{T,T}(Q) \cdot \bar{v}_{2T}(Q)$
       T = 2T
       if $\ell_i = 1$ then
           $f = f \cdot g_{T,P}(Q) \cdot \bar{v}_{T+P}(Q)$
           T = T + P
3. $f = f^{(p^{d} - 1)}$
4. $f = f^{(p^{d} + 1)/\ell}$
5. return f

41
Optimization of Miller’s loop for Tate pairing.
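
Added example (not part of the original slides): the one-round three-party exchange of slide 13, run on the example curve $y^{2} = x^{3} + 3x$ over $\mathbb{F}_{11}$ with a Miller loop that uses the denominator elimination of slides 39 and 40. Assumptions not on the slides: the prime order 3 with P = [2](1,9) = (3,5), the distortion map (x, y) -> (-x, iy) used to obtain a pairing on G x G, and every function name; the order-3 group is a toy size.

```python
# Added example, not from the slides. Toy parameters: never use for real keys.
p, A = 11, 3   # slide's curve E: y^2 = x^3 + 3x over F_11 (p = 3 mod 4)
ELL = 3        # assumed prime subgroup order (the slide's worked example uses 6)
P = (3, 5)     # [2](1,9) from the slide's example; this point has order 3

def fmul(u, v):  # (a+bi)(c+di) in F_{p^2} with i^2 = -1
    return ((u[0]*v[0] - u[1]*v[1]) % p, (u[0]*v[1] + u[1]*v[0]) % p)

def ladder(op, acc, x, n):  # double-and-add (points) or square-and-multiply (field)
    for bit in bin(n)[2:]:
        acc = op(acc, acc)
        if bit == '1':
            acc = op(acc, x)
    return acc

def slope(S, T):  # slope of the chord or tangent through S and T; None if vertical
    (x1, y1), (x2, y2) = S, T
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if x1 == x2:
        return (3*x1*x1 + A) * pow(2*y1 % p, -1, p) % p
    return (y2 - y1) * pow((x2 - x1) % p, -1, p) % p

def add(S, T):  # group law on E(F_p); None is the point at infinity
    if S is None or T is None:
        return T if S is None else S
    lam = slope(S, T)
    if lam is None:
        return None
    x3 = (lam*lam - S[0] - T[0]) % p
    return (x3, (lam*(S[0] - x3) - S[1]) % p)

def line(S, T, x, y):  # g_{S,T} at (x, y*i); vertical lines give F_p values, dropped
    lam = slope(S, T)
    return (1, 0) if lam is None else ((-S[1] - lam*(x - S[0])) % p, y % p)

def pairing(S, Q):  # e(S, phi(Q)) with phi(x, y) = (-x, i*y); no v denominators
    f, T = (1, 0), S
    for bit in bin(ELL)[3:]:
        f, T = fmul(fmul(f, f), line(T, T, -Q[0], Q[1])), add(T, T)
        if bit == '1':
            f, T = fmul(f, line(T, S, -Q[0], Q[1])), add(T, S)
    return ladder(fmul, (1, 0), f, (p*p - 1) // ELL)

def joux_keys(a, b, c):  # each party broadcasts once, then pairs the other two values
    aP, bP, cP = (ladder(add, None, P, s) for s in (a, b, c))
    return tuple(ladder(fmul, (1, 0), pairing(X, Y), s)
                 for X, Y, s in ((bP, cP, a), (aP, cP, b), (bP, aP, c)))
```

Field elements are pairs (a, b) standing for a + bi, and the secrets a, b, c must be 1 or 2 because the group has order 3.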
