Efficient Scalar Multiplication for Ate Based Pairing over KSS Curve of Embedding Degree 18
Md. Al-Amin Khandaker (Okayama University, Japan) Yasuyuki Nogami (Okayama University, Japan)
Hwajeong Seo (Institute for Infocomm Research (I2R) - A Star) Sylvain Duquesne (Université Rennes I, France)
Background
[Figure: layered diagram, ordered by higher complexity: Finite field arithmetic (multiplication, addition, subtraction, inversion, …); Group operation (point Add/Double); Scalar Multiplication; Pairing; Pairing based cryptography. Labels: Elliptic Curve Cryptography; Expensive Operation.]
• Pairing based cryptography
  • Identity(ID)-based cryptography (Sakai et al. 2000)
  • Group signature (Boneh et al. 2003)
Therefore we focus on Scalar Multiplication
• Elliptic Curve over Finite Field
Prime field: $\mathbb{F}_p : \{0, 1, \cdots, p-1\}, +$
Extension field: $\mathbb{F}_{p^k} : \{(a_1, \cdots, a_k) \mid a_i \in \mathbb{F}_p\}, +$ ($k$: embedding degree)
• Elliptic curve over $\mathbb{F}_p$
$E(x, y) : y^2 = x^3 + ax + b,\ a, b \in \mathbb{F}_p$
Group of rational points on the curve: $E(\mathbb{F}_p)$
Order of $E(\mathbb{F}_p)$: $r$
$E(\mathbb{F}_p) : \{P, 2P, \cdots, [a]P, \cdots, [r]P\}, +$
[Figure: point addition on the curve, axes $x \in \mathbb{F}_p$ and $y \in \mathbb{F}_p$: rational points $P_1$ and $P_2$, the lines $l_{P_1P_2}$ and $v_{P_1+P_2}$, and the rational point $P_3 = P_1 + P_2$.]
Pairing
Let $r \mid \#E(\mathbb{F}_p)$
$P \in G_1 \subset E(\mathbb{F}_p)$
$Q \in G_2 \subset E(\mathbb{F}_{p^{18}})$
[Figure: $P \in G_1$ and $Q \in G_2$ (additive, order = $r$) are mapped to $e(P, Q) \in G_3$ (multiplicative, order = $r$).]
$[a]P = \sum_{i=0}^{a-1} P$, $[b]Q = \sum_{i=0}^{b-1} Q$
Bilinearity: $e([a]P, [b]Q) = e(P, Q)^{ab}$
• Kachisa-Schaefer-Scott (KSS) Curve
Pairing friendly elliptic curve of $k = 18$
$E : y^2 = x^3 + b,\ (b \in \mathbb{F}_p,\ b \neq 0 \text{ and } x, y \in \mathbb{F}_{p^{18}})$
• Characteristic $p$, Frobenius trace $t$ and order $r$ are given systematically by integer $z$
$r(z) = (z^6 + 37z^3 + 343)/343$
$p(z) = (z^8 + 5z^7 + 7z^6 + 37z^5 + 188z^4 + 259z^3 + 343z^2 + 1763z + 2401)/21$
$t(z) = (z^4 + 16z + 7)/7$
Degrees in $z$ of $p$ : $r$ : $t$ = 8 : 6 : 4
Motivation
◆ Scalar Multiplication of EC defined over $\mathbb{F}_{p^{18}}$
$[s]Q = \underbrace{Q + Q + \cdots + Q}_{s-1 \text{ times additions}}$
here $s$ is a natural number and $Q \in \mathbb{F}_{p^{18}}$
• Binary algorithm also requires (n-1) ECD (elliptic curve doublings), where n = bit length of s.
• NAF and Sliding window reduce the number of ECA (elliptic curve additions).
• But they also need n-1 ECD.
• In practice $n \approx 377$ bit long
• It means almost 376 ECD is required in $\mathbb{F}_{p^{18}}$
That is why we tried to make it efficient in KSS curve
Preparation
Construct extension field arithmetic operations by towering.
Find good parameters in KSS curve.
Finally we need to find certain rational point in G2
$G_1 \times G_2 \to G_3$
$G_1$, $G_2$: Rational point groups; $G_3$: Multiplicative group over $\mathbb{F}_{p^{18}}$
Getting Rational Point in G2
$P \in G_1 \subset E(\mathbb{F}_p)$, $Q \in G_2 \subset E(\mathbb{F}_{p^{18}})$
• Randomly obtained rational point $R \in E(\mathbb{F}_{p^{18}})$
• If $[\#E(\mathbb{F}_{p^{18}})/r^2]R \neq O$
• Then $T$ is the rational point whose order becomes $r$: $[r]T = O$
• Using $T$ we can get certain rational point in $G_2$
• Frobenius mapping of $T$, $(\pi_p - 1)T = Q$.
• Check if $\pi_p(Q) = [p]Q$, $(\pi_p - [p])Q = O$
• Then $Q$ belongs to $G_2$
[Figure labels: groups, order, $r + 1$, $r$]
Proposed Scalar Multiplication
• Let $s$ be a scalar and $[s]Q$ be the Scalar Multiplication
• Here $0 < s < r$
• From KSS curve, $\#E(\mathbb{F}_p) = p + 1 - t$ and $r \mid \#E(\mathbb{F}_p)$
• Taking mod $r$, $\#E(\mathbb{F}_p) = p + 1 - t \equiv 0 \bmod r$, so $p \equiv t - 1 \bmod r$
• $(t-1)$-adic representation of $s$: $s = S_H(t-1) + S_L$ ($S_H$: higher bits, $S_L$: lower bits)
[Figure: $s$ divided into $S_H$ and $S_L$ at the size of $(t-1)$; 8 : 6 : 4]
• $S_L$ will be nearly equal to the size of $(t-1)$
• $S_H$ will be half size of $(t-1)$
• Let's consider z-adic representation of $S_L$ and $S_H$
$s = S_H(t-1) + S_L = (s_5 z + s_4)(t-1) + (s_3 z^3 + s_2 z^2 + s_1 z + s_0)$
[Figure: $S_H$ holds $s_5\ s_4$ (digits of $z$, 1) and $S_L$ holds $s_3\ s_2\ s_1\ s_0$ (digits of $z^3$, $z^2$, $z$, 1).]
• $z$ is the mother parameter of KSS curve properties
• The size of $z$ is about 1/4 of that of $(t-1)$
• Final representation of $s$ with 6 coefficients
$s = (s_0 + s_1 z) + (s_2 + s_3 z)z^2 + (s_4 + s_5 z)(t-1)$
• Consider multiplication of $s$ with $Q$
$[s]Q = (s_0 + s_1 z)Q + (s_2 + s_3 z)z^2 Q + (s_4 + s_5 z)(t-1)Q$
• Let $z^2 Q = Q_1$ and $(t-1)Q = Q_2$
$[s]Q = (s_0 + s_1 z)Q + (s_2 + s_3 z)Q_1 + (s_4 + s_5 z)Q_2$
$[s]Q = (s_0 Q + s_2 Q_1 + s_4 Q_2) + (s_1 z(Q) + s_3 z(Q_1) + s_5 z(Q_2))$
• Using the last expression for $[s]Q$: 13 Precomputed Points
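An added example (not from the slides) of the six-coefficient decomposition and the joint scan over the two point groups described above. It assumes a toy additive group in which a "point" is an integer mod r, and a constructed Z chosen only so that t(z) and r(z) are integers, not a real KSS-18 parameter; the names decompose, subset_sums and scalar_mul are illustrative.

```python
# Added example. A "point" is an integer mod R (toy additive group standing in
# for G2); Z is a constructed value, not a real KSS-18 mother parameter.
Z = 7 * (2**61 + 3)                    # 7 | Z keeps t(z) and r(z) integral
T1 = (Z**4 + 16 * Z + 7) // 7 - 1      # t(z) - 1
R = (Z**6 + 37 * Z**3 + 343) // 343    # r(z), roughly 6x the bit length of Z

def decompose(s):
    """Return [s0..s5] with s = (s0+s1 z) + (s2+s3 z) z^2 + (s4+s5 z)(t-1)."""
    s_high, s_low = divmod(s, T1)      # (t-1)-adic split: S_H, S_L
    coeffs = []
    for _ in range(4):                 # z-adic digits s0..s3 of S_L
        s_low, digit = divmod(s_low, Z)
        coeffs.append(digit)
    s5, s4 = divmod(s_high, Z)         # z-adic digits of S_H
    assert s_low == 0 and s5 < Z, "coefficient out of range"
    return coeffs + [s4, s5]

def subset_sums(points):
    """table[m] = sum of points[j] over the set bits j of m, m = 0..7."""
    table = [0] * 8
    for m in range(1, 8):
        low = m & -m
        table[m] = (table[m ^ low] + points[low.bit_length() - 1]) % R
    return table

def scalar_mul(s, Q):
    """Return ([s]Q, number of doublings) using the six-row joint scan."""
    c = decompose(s)
    base = [Q % R, Z * Z * Q % R, T1 * Q % R]        # Q, Q1, Q2
    plain = subset_sums(base)                         # rows s0, s2, s4
    by_z = subset_sums([Z * P % R for P in base])     # rows s1, s3, s5
    acc, doublings = 0, 0
    n = max(x.bit_length() for x in c)
    for i in reversed(range(n)):
        if i != n - 1:                                # no ECD before first column
            acc, doublings = 2 * acc % R, doublings + 1
        lo = sum(((c[2 * j] >> i) & 1) << j for j in range(3))
        hi = sum(((c[2 * j + 1] >> i) & 1) << j for j in range(3))
        acc = (acc + plain[lo] + by_z[hi]) % R        # at most two ECA
    return acc, doublings

if __name__ == "__main__":
    point, ecd = scalar_mul(R - 1, 1)
    print(point == R - 1, ecd, "ECD versus", (R - 1).bit_length() - 1)
```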
Example of Previous Scalar Multiplication
• Let $S$ be a scalar and $[S]Q$ be the Scalar Multiplication
• Let $S$ be 42 bit

| Bit position | 1 | 2 | 3 | 4 | 5 | 6 | 7 | … | 42 |
| $S$ | 1 | 0 | 1 | 1 | 0 | 1 | 1 | … | 1 |

Running value after bits 1 to 4: $(Q)$, $2(Q)$, $2(2(Q))+Q$, $2(2(2(Q))+Q)+Q$
• 41 times ECD, which is about the size of $S$
Example of Efficient Scalar Multiplication
The scalar is written as $s_1 z + s_0$, $s_3 z + s_2$, $s_5 z + s_4$, and the bits of the six coefficients are scanned column by column:

| Coefficient | Bits |
| $s_1$ | 1 0 1 1 0 0 1 |
| $s_3$ | 0 1 1 1 0 1 0 |
| $s_5$ | 1 1 0 1 0 0 0 |
| $s_0$ | 1 1 0 1 1 0 1 |
| $s_2$ | 1 0 0 0 0 0 0 |
| $s_4$ | 1 0 1 1 0 0 0 |

| Column | Bits of $s_1 s_3 s_5$ | Bits of $s_0 s_2 s_4$ | Points added |
| 1 | 1 0 1 | 1 1 1 | $\langle z(Q) + z(Q_2) \rangle$, $\langle Q + Q_1 + Q_2 \rangle$ |
| 2 | 0 1 1 | 1 0 0 | $\langle z(Q_1) + z(Q_2) \rangle$, $\langle Q \rangle$ |
| 3 | 1 1 0 | 0 0 1 | $\langle z(Q) + z(Q_1) \rangle$, $\langle Q_2 \rangle$ |
| 4 | 1 1 1 | 1 0 1 | $\langle z(Q) + z(Q_1) + z(Q_2) \rangle$, $\langle Q + Q_2 \rangle$ |

6 ECD is required for the 7 bit columns.
Result Evaluation
Experiment Parameters
• KSS curve: Mother parameter, Prime number, Order, trace
• $s$: 500 random scalar (about 377 bit)

Experiment environment settings

| | CPU* | Memory | OS | Compiler | Programming Language | Library |
| PC | 2.7 GHz Intel Core i5 | 16 GB | Mac OS X 10.11.4 | gcc 4.2.1 | C | GMP 6.1.1 |
| iPhone 6s | Apple A9 Dual-core 1.84 GHz | 2 GB | iOS 9.3.1 | gcc 4.2.1 | Objective-C, C | GMP 6.1.1 |

*Single core is utilized

Operation Count and Execution time comparison
• The number of ECD is about 6 times less than the total bit size of the scalar
Conclusion
Our proposed approach reduces the number of ECD by 6 times compared with existing approaches in KSS curve
Future work
• Reduce the execution time and operation complexity by Skew Frobenius mapping in sextic twisted isomorphic curve.
• Test and evaluate the performance in Pairing based protocol implementation.
Thank you