Another Approach to Pairing Computation in Edwards Coordinates · 1 ×G ′ 1 →G 2 where G 1,G ′ 1 are groups of order r noted additively and G 2 is a group of order r noted multiplicatively

Another Approach to Pairing Computation in

Edwards Coordinates

Sorina Ionica

PRISM, Universite de Versailles

joint work with Antoine Joux

Sorina Ionica Pairing Computation in Edwards Coordinates

What is a pairing?

A pairing is a mape : G1 × G

′

1 → G2

where G1,G′

1 are groups of order r noted additively and G2 is agroup of order r noted multiplicatively such that the followinghold:

bilinear: e(aP,Q) = e(P, aQ) = e(P,Q)a

nondegenerate: for every P ∈ G1 different from 0 there isQ ∈ G

′

1 such that e(P,Q) 6= 1.


Pairings in Elliptic Curve Cryptograhy

Pairings on elliptic curves: the Weil pairing, the Tate, Ate andEta pairings.

Applications:

one round protocol for tripartite Diffie-Hellmanidentity-based encryptionshort signaturesetc.


The Tate pairing. Notations.

Let E be an elliptic curve over finite field Fq with q ≥ 5, i.e.

E : y2 = x3 + ax + b.

Let r |♯E (Fq) and E [r ] the r -torsion subgroup, i.e. thesubgroup of points of order r in E (Fq).

If r |♯E (Fq) then E (Fq)[r ] gives at least one component.

Embedding degree: k minimal with r |(qk − 1).

Note r -roots of unity µr ∈ F×

qk .


The Tate pairing

If k > 1 then E (Fqk )[r ] = E [r ].

Choose P,Q ∈ E [r ] and G1 =< P >, G′

1 =< Q >.

Take fr ,P such that div(fr ,P) = r(P)− r(O) andD = (Q + T )− (T ), with T such as the support of D isdifferent from the support of fr ,P .

For crypto use:

Tr (·, ·) : G1 × G′

1 → µr

Tr (P,Q) = fr ,P(D)(qk−1)/r


Miller’s algorithm

Introduce for i ≥ 1 functions fi ,P such asdiv (fi ,P) = i(P)− (iP)− (i − 1)(O)

Notediv (fr ,P) = r(P)− r(O).

Establish the Millerequation

fi+j ,P = fi ,P fj ,PliP,jP

v(i+j)P

where liP,jP and v(i+j)P are such that

div (liP,jP) = (iP) + (jP) + (−(i + j)P)− 3(O)

div (v(i+j)P) = (−(i + j)P) + ((i + j)P)− 2(O)


Miller’s algorithm

f1,P(D) = 1

f2,P(D) = f 21,P(D)

lP,P(D)

v2P(D)

f3,P(D) = f1,P(D)f2,P(D)lP,2P(D)

v3P(D)..

..

fr ,P(D) = fr−1,P(D)f1,P(D)l(r−1)P,P(D)

Use the double-and-add method to compute fr ,P(D) (the Tatepairing!) in O(log2r)!


Miller’s algorithm or double-and-add

Choose a random point T ∈ E (Fqk ) and compute

Q′

= Q + T ∈ E (Fqk ).

Let n← [log2(r)], K ← P, f ← 1.

while n ≥ 1

Compute equations of l and v arising in the doubling of K .K ← 2K and f ← f 2(l(Q

′

)v(T ))/(v(Q′

)l(T )).the n-th bit of r is 1

Compute equations of l and v arising in the addition of K andP.K ← P + K and f ← f (l(Q

′

)v(T ))/((l(T )v(Q′

)).

Let n← n − 1.

end while


Implementing Miller’s algorithm

The doubling part of the double-and-add method is mostimportant

Use faster exponentiation techniques (sliding window method,NAF)Choose r with low Hamming weight

Choose P ∈ E (Fq)[r ] and Q ∈ E (Fqk )[r ].

Take k even and get major speed-ups by using twists andworking in subfields

Up to now best performance in Jacobian coordinates:(X ,Y ,Z ) such that ( X

Z2 ,YZ3 ) is a point on the elliptic curve E .


Edwards curves

Let E be an elliptic curve on Fq such that E (Fq) has an element oforder 4.

There is a nonsquare d ∈ Fq such that E is birationally equivalentover Fq to the Edwards curve

x2 + y2 = 1 + d(xy)2.

On the Edwards curve the addition law is

(x1, y1), (x2, y2)→ (x1y2 + y1x2

1 + dx1x2y1y2,

y1y2 − x1x2

1− dx1x2y1y2)


Edwards versus Jacobian

Actually use homogenous Edwards coordinates to avoid inversions:(X ,Y ,Z ) corresponding to (X/Z ,Y /Z ) on the Edwards curve.

Edwards coordinates Jacobian coordinates

addition 10m+1m 11m+5s

doubling 3m+4s1m+8s

or 3m+5s for a = −3

mixed addition9m+1s 7m+4s

(Z2 = 1)

s,m are the costs of operations in Fq (s = 0.8m).


Edwards curves

Note a 4-torsion subgroup defined over Fq:

{O = (0, 1),T4 = (1, 0),T2 = (0,−1),−T4 = (−1, 0)}

Take at look at the action of this subgroup on a fixed pointP = (x , y):

P → {P,P+T4 = (y ,−x),P+T2 = (−x ,−y),P−T4 = (−y , x)}


Edwards curves

If xy 6= 0 note p = (xy)2 and s = x/y − y/x to characterizethe point P up to the action of the 4-torsion subgroup.

Take Es,p : s2p = (1 + dp)2 − 4p and define

φ : E → Es,p

φ(x , y) = ((xy)2,x

y−

y

x).

φ is separable of degree 4.


And back to an elliptic curve...

Es,p is elliptic as :

s2p = (1 + dp)

2− 4p

↓ (P,S,Z)

S2P = (Z + dP)

2Z − 4PZ

2

↓ (P=1)

s2

= z3

+ (2d − 4)z2

+ dz

Consider the standard addition law: Os,p = (0, 1, 0) neutralelement and T2,s,p = (1, 0, 0) point of order 2.


Arithmetic of Es,p

Take ls,p the linepassing through P1

and P2. Take R itsthird point ofintersection with thecurve Es,p.

Take vs,p the verticalline through R.

P1 + P2 is the secondpoint of intersection ofvs,p with Es,p.

div (ls,p) = (P1) + (P2) + (−(P1 + P2))− 2(T2,s,p)− (Os,p) anddiv (vs,p) = (P1 + P2) + (−(P1 + P2))− 2(T2,s,p).


Miller’s algorithm on Edwards curves

Consider slightly modified functions f(4)i ,P :

div (f(4)i ,P ) = i((P) + (P + T4) + (P + T2) + (P − T4))

− ((iP) + (iP + T4) + (iP + T2) + (iP − T4))

− (i − 1)((O) + (T4) + (T2) + (−T4)).

Then div (f(4)r ,P ) = r((P) + (P + T4) + (P + T2) + (P −

T4))− r((O) + (T4) + (T2) + (−T4)).

Compute the 4-th power of the Tate pairing:

Tr (P,Q)4 = f(4)r ,P (D)

qk−1r .


Miller’s algorithm on the Edwards curve

Establish the Miller equation:

f(4)i+j ,P = f

(4)i ,P f

(4)j ,P

l

v,

where l/v is the function of divisor

div(l

v) = ((iP) + (iP + T4) + (iP + T2) + (iP − T4))

+ ((jP) + (jP + T4) + (jP + T2) + (jP − T4))

− (((i + j)P) + ((i + j)P + T4) + ((i + j)P + T2)

+ ((i + j)P − T4))− ((0) + (T4) + (T2) + (−T4)).


Miller’s algorithm on the Edwards curve

Let P′

= φ(P) and ls,p and vs,p such as

div (ls,p) = (iP′

) + (jP′

) + ((i + j)P′

)− 2(T2,s,p)− (Os,p)

and div (vs,p) = ((i + j)P′

) + (−(i + j)P′

)− 2(T2,s,p).

fi+j,P′ = fi,P′ fj,P′

ls,p

vs,p

↓ φ∗

f(4)i+j,P = f

(4)i,P f

(4)j,P

l

v

Compute l/v = φ∗(ls,p/vs,p).


Computing l and v

For the doubling step:

l(x , y) = ((X 21 + Y 2

1 − Z 21 )(X 2

1 − Y 21 )(2X1Y1(x/y − y/x)

−2(X 21 − Y 2

1 )) + Z3(dZ 21 (xy)2 − (X 2

1 + Y 21 − Z 2

1 )))/

(2X1Y1(X21 + Y 2

1 − Z 21 )(X 2

1 − Y 21 )),

v(x , y) = (dZ 23 (xy)2 − (X 2

3 + Y 23 − Z 2

3 ))/(X 23 + Y 2

3 − Z 23 ).

For the mixed addition step:

l(x , y) = ((X 21 + Y 2

1 − Z 21 − dZ 2

1 (X0Y0)2)(X1Y1(

x

y−

y

x)−

(X 21 − Y 2

1 ))− (X 21 − Y 2

1 − X1Y1(X0

Y0−

Y0

X0))

·(dZ 21 (xy)2 − (X 2

1 + Y 21 − Z 2

1 )))

/(X1Y1(X21 + Y 2

1 − Z 21 − dZ 2

1 (X0Y0)2));

v(x , y) = (dZ 23 (xy)2 − (X 2

3 + Y 23 − Z 2

3 ))/(X 23 + Y 2

3 − Z 23 ).


Comparison of costs for the doubling step of Miller’s

algorithm

k = 2 k ≥ 4

Jacobian coordinates 10s + 3m + S + M 11s + (k + 1)m + S + M

Jacobian coordinates for a = −3 4s + 8m + S + M 4s + (k + 7)m + S + M

Das/Sarkar Edwards coordinates6s + 9m + S + M -

(supersingular curves)

Edwards coordinates 4s + 9m + S + M 4s + (k + 8)m + S + M

s,m are costs of operations in Fq, S,M are costs ofoperations in Fqk .


Comparison of costs for the mixed addition step of the

Miller operation in the case of k even

k = 2 k ≥ 4

Jacobian coordinates 3s + 11m + M 3s + (k + 9)m + 1M

Das/Sarkar Edwards1s + 17m + M -

coordinates (supersingular curves)

Edwards coordinates 4s + 15m + M 4s + (k + 14)m + 1M


A useful scenario

Take E : y2 = x3 + x

Take q = 2520 + 2363 − 2360 − 1 (q ≡ 3 mod 4)

Then r = 2160 + 23 − 1 and the embedding degree k = 2

The Edwards form is x2 + y2 = 1− (xy)2, so d = −1.


A useful scenario

Suppose you want to implement a protocol in Edwardscoordinates.

protection from side channel attacks

You need to compute the pairing of two points e(P,Q), whereQ is a fixed point.

You have P = (X0,Y0, 1) in Edwards coordinates

Switch to Jacobian coordinates (viaψ(X0,Y0) = ((1 + Y0)/(1− Y0), (1 + Y0)/(X0(1− Y0)))) andcompute the pairing on the Weierstrass form.

faster, but you need one inversion with Montgomery’s trick!


An inversion free algorithm

Stick to Edwards coordinates and use our method toimplement the pairing

We need φ(X0,Y0) = ((X0Y0)2, X0

Y0− Y0

X0) to compute the

l-functions of the mixed addition step.

Replace l ← (X0Y0)l in the mixed addition step.

The mixed addition will be more expensive (+1m) but NOINVERSIONS!


Questions. . . ?


Another Approach to Pairing Computation in Edwards Coordinates · 1 ×G ′ 1 →G 2 where G 1,G ′ 1 are groups of order r noted additively and G 2 is a group of order r noted multiplicatively

Documents