
5.1.3 Pairing algorithms

There is only one known setting for cryptographically useful bilinear maps, namely elliptic curves with an efficiently computable Weil or Tate pairing. It has been shown that the Tate pairing is simpler and more efficient than the Weil pairing [48]. Therefore this chapter focuses only on implementing the Tate pairing on embedded devices.

The Tate pairing, denoted $e(P, Q)$, where the points $P$ and $Q$ are linearly independent points on an elliptic curve $E(\mathbb{F}_{q^k})$, evaluates as an element of an extension field $\mathbb{F}_{q^k}$. If $P$ is of prime order $r$, then the pairing evaluates as an element of order $r$. The Tate pairing can be calculated using different algorithms. The most basic one is Miller's algorithm [89] (see Algorithm 7).

Algorithm 7 Computation of $e(P, Q)$ with Miller's algorithm

INPUT: $Q \in E(\mathbb{F}_{q^k})$, $P \in E(\mathbb{F}_{q^k})$, where $P$ has order $r$ with $r = (r_t, \ldots, r_0)_2$ and $t = \lfloor \log_2 r \rfloor - 1$
OUTPUT: $e(P, Q)$
1: $T \leftarrow P$, $f \leftarrow 1$
2: for $i \leftarrow t$ downto $0$ do
3: $f \leftarrow f^2 \cdot l_{T,T}(Q) / v_{2T}(Q)$
4: $T \leftarrow 2T$
5: if $r_i = 1$ then
6: $f \leftarrow f \cdot l_{T,P}(Q) / v_{T+P}(Q)$
7: $T \leftarrow T + P$
8: end if
9: end for
10: $f \leftarrow f^{(q^k - 1)/r}$
11: return $f$

During the main loop, point $P$ is multiplied by its group order $r$ using a classic double-and-add line-and-tangent algorithm. The $l$ function denotes a line through point $T$ or points $T$ and $P$. The $v$ function marks a vertical line through point $2T$ or point $T + P$. The values of the line and vertical functions $l_{T,P}(Q)$ and $v_{T+P}(Q)$ respectively, are distances calculated between the fixed point $Q$ and the lines that arise when adding $P$ to $T$ on the elliptic curve in the standard way. If the point $T$ has coordinates $(x_j, y_j)$, the point $T + P$ has coordinates $(x_{j+1}, y_{j+1})$, the point $Q$ has the coordinates $(x_Q, y_Q)$, and the line through $T$ and $P$ has a slope of $\lambda_j$, hence:

$$l_{T,P}(Q) = (y_Q - y_j) - \lambda_j (x_Q - x_j) \qquad (5.4)$$

$$v_{T+P}(Q) = x_Q - x_{j+1} \qquad (5.5)$$

Equations 5.4 and 5.5 use affine coordinates, although in most cases projective coordinates achieve better performance. Algorithm 7 may fail if one of the intermediate lines $l$ passes directly through $Q$ or a vertical function $v$ evaluates as zero. Therefore $P$ and $Q$ should not be chosen at random. However, this is not a concern in most pairing-based protocols, because $P$ and $Q$ are usually chosen as $P \in E(\mathbb{F}_q)$ and $Q \in E(\mathbb{F}_{q^k})$.
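As an added worked example (not code from the thesis), the following Python runs Algorithm 7 with the line and vertical functions of equations 5.4 and 5.5 on a constructed toy curve: $y^2 = x^3 + x$ over $\mathbb{F}_{43}$, which is supersingular with $\#E(\mathbb{F}_{43}) = 44 = 4 \cdot 11$, so $r = 11$ and $k = 2$; $Q$ is derived from $P$ with the distortion map $\Psi(x, y) = (-x, iy)$ so that $P$ and $Q$ are linearly independent. The last addition of the loop, where $T = -P$ and the "line" is vertical with $v_O = 1$, is the degenerate case the text warns about and is handled explicitly; all parameters, point $G = (2, 15)$ and function names are assumptions of this example.

```python
# Added toy example, not from the thesis: Algorithm 7 on y^2 = x^3 + x over F_p, p = 43 = 3 (mod 4)
# (supersingular, #E(F_43) = 44 = 4 * 11, so r = 11, k = 2). F_{p^2} = F_p[i], i^2 = -1, a + b*i <-> (a, b).
P_MOD, R_ORD, ONE = 43, 11, (1, 0)
def f2_add(x, y): return ((x[0] + y[0]) % P_MOD, (x[1] + y[1]) % P_MOD)
def f2_sub(x, y): return ((x[0] - y[0]) % P_MOD, (x[1] - y[1]) % P_MOD)
def f2_mul(x, y): return ((x[0]*y[0] - x[1]*y[1]) % P_MOD, (x[0]*y[1] + x[1]*y[0]) % P_MOD)
def f2_inv(x):  # 1/(a+bi) = (a-bi)/(a^2+b^2); the norm is nonzero since -1 is a non-residue mod 43
    n = pow((x[0]*x[0] + x[1]*x[1]) % P_MOD, -1, P_MOD)
    return (x[0]*n % P_MOD, -x[1]*n % P_MOD)
def f2_pow(x, e):  # square-and-multiply in F_{p^2}
    acc = ONE
    while e:
        if e & 1: acc = f2_mul(acc, x)
        x, e = f2_mul(x, x), e >> 1
    return acc
def ec_add(T, P, Q=None):  # T + P on E(F_{p^2}); None denotes the point at infinity O.
    # With Q given, also returns the Miller update l_{T,P}(Q) / v_{T+P}(Q) (Alg. 7, lines 3 and 6).
    if T[0] == P[0] and T[1] != P[1]:       # T = -P: l is the vertical line through T, v_O = 1
        return None, (None if Q is None else f2_sub(Q[0], T[0]))
    if T == P:                               # tangent slope (3x^2 + 1) / 2y
        lam = f2_mul(f2_add(f2_mul((3, 0), f2_mul(T[0], T[0])), ONE), f2_inv(f2_add(T[1], T[1])))
    else:                                    # chord slope (y_P - y_T) / (x_P - x_T)
        lam = f2_mul(f2_sub(P[1], T[1]), f2_inv(f2_sub(P[0], T[0])))
    x3 = f2_sub(f2_sub(f2_mul(lam, lam), T[0]), P[0])
    y3 = f2_sub(f2_mul(lam, f2_sub(T[0], x3)), T[1])
    if Q is None: return (x3, y3), None
    line = f2_sub(f2_sub(Q[1], T[1]), f2_mul(lam, f2_sub(Q[0], T[0])))   # eq. 5.4
    return (x3, y3), f2_mul(line, f2_inv(f2_sub(Q[0], x3)))             # divided by eq. 5.5
def scalar_mul(k, P):  # plain double-and-add (line values ignored); k must not exceed the order of P
    acc = P
    for bit in bin(k)[3:]:
        acc = ec_add(acc, acc)[0]
        if bit == "1": acc = ec_add(acc, P)[0]
    return acc
def tate_pairing(P, Q):  # Algorithm 7: Miller loop over the bits of r, then the final exponentiation
    T, f = P, ONE
    for bit in bin(R_ORD)[3:]:               # the leading 1 is already consumed by T = P
        T, upd = ec_add(T, T, Q)             # lines 3-4: f <- f^2 * l_{T,T}(Q)/v_{2T}(Q), T <- 2T
        f = f2_mul(f2_mul(f, f), upd)
        if bit == "1":                       # lines 6-7: f <- f * l_{T,P}(Q)/v_{T+P}(Q), T <- T + P
            T, upd = ec_add(T, P, Q)
            f = f2_mul(f, upd)
    return f2_pow(f, (P_MOD**2 - 1) // R_ORD)   # line 10: f^((q^k - 1)/r) with k = 2
def distortion(P):  # Psi(x, y) = (-x, i*y) sends P in E(F_p) to a point of E(F_{p^2}) outside E(F_p)
    return (f2_sub((0, 0), P[0]), (0, P[1][0]))
def demo():  # constructed check: G = (2, 15) lies on the curve, P = 4G has order r, Q = Psi(P)
    P = scalar_mul(4, ((2, 0), (15, 0)))
    Q = distortion(P); e = tate_pairing(P, Q)
    ok = scalar_mul(R_ORD, P) is None and e != ONE and f2_pow(e, R_ORD) == ONE
    return e, ok and tate_pairing(scalar_mul(2, P), Q) == f2_mul(e, e) == tate_pairing(P, scalar_mul(2, Q))
```

`demo()` returns the pairing value together with a flag confirming that it has order $r$ and is bilinear in both arguments ($e(2P, Q) = e(P, 2Q) = e(P, Q)^2$).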

Miller's algorithm has $O(\log r)$ iterations, each requiring a constant number of arithmetic operations in $\mathbb{F}_{q^k}$. In order to implement it efficiently on embedded devices, several optimizations need to be applied.

One of the basic optimizations to Algorithm 7 is to choose $r$ to have a low Hamming weight. In this way the execution of operations in lines 6 and 7 will be limited. In some cases (e.g. for the MNT curves) the choice of a low Hamming weight order may not be practical, in which case the optimal strategy might be to represent $r$ in NAF format and use a standard windowed NAF method (similar to Algorithm 5). Further optimizations can be applied in the case of particular pairing types.

5.1.3.1 Type 3 pairing optimizations

In the case of non-supersingular elliptic curves of prime characteristic ($q = p$), the embedding degree $k$ is always chosen to be even. For even values of $k$, the extension field $\mathbb{F}_{p^k}$ is built as a quadratic extension on top of an implementation of $\mathbb{F}_{p^d}$ where $k = 2d$.

In this case the exponent in the final exponentiation can be written as $(p^k - 1)/r = (p^d - 1)[(p^d + 1)/r]$. Elements in $\mathbb{F}_{p^k}$ can be represented as $w = a + ib$ where $a, b \in \mathbb{F}_{p^d}$. The conjugate of $w$ is equal to $\bar{w} = a - ib$. From the Frobenius endomorphism one can derive:

$$(a + ib)^{p^d} = (a - ib) \quad \text{and} \quad \left(\frac{1}{a + ib}\right)^{p^d - 1} = (a - ib)^{p^d - 1} \qquad (5.6)$$

The above property can be used to eliminate the extension field divisions in the main loop of Algorithm 7 (lines 3 and 6). The output of the main loop in Type 3 pairings has to be raised to the power of $p^d - 1$. However, based on equation 5.6, after raising to the power of $p^d - 1$, the inverse and the conjugate give the same result. Hence it is possible to replace the expensive divisions by $v_{2T}(Q)$ and $v_{T+P}(Q)$ with cheaper multiplications by the conjugates $\bar{v}_{2T}(Q)$ and $\bar{v}_{T+P}(Q)$.

Algorithm 7 can be further optimized by appropriate selection of point $Q$. Point $Q = (x_Q, y_Q)$ is defined on $E(\mathbb{F}_{p^k})$, where $x_Q = a + ib$ and $y_Q = c + id$ with $a, b, c, d \in \mathbb{F}_{p^d}$. By selecting $b = c = 0$ the functions $\bar{v}_{2T}(Q)$, $\bar{v}_{T+P}(Q)$ evaluate as elements in the field $\mathbb{F}_{p^d}$. These functions are eliminated by the final exponentiation, which always includes $p^d - 1$ as a factor of the exponent. This optimization is known as the denominator elimination technique [8].

Another optimization can be applied because of the group order $r$, which is always odd. In this case the last iteration of the main loop in Algorithm 7 always has $r_0 = 1$. However, the last point addition results in a line value which is always eliminated by the final exponentiation. Hence this last step can be omitted. The final exponentiation itself can also be simplified. In many cases the exponent $p^d + 1$ can be further factored. For example $p^3 + 1 = (p + 1)(p^2 - p + 1)$, where $p^2 - p + 1$ is the sixth cyclotomic polynomial $\Phi_6(p)$. Based on the above factoring, the final exponentiation can be broken down into three parts: easy exponentiations to the power of $p^d - 1$ and $(p^d + 1)/\Phi_k(p)$, and a more expensive exponentiation to the power of $\Phi_k(p)/r$. All the above modifications lead to Algorithm 8 (based on [107]).

Algorithm 8 Optimized algorithm for computation of $e(P, Q)$

INPUT: $Q \in E'(\mathbb{F}_{p^d})$, $P \in E(\mathbb{F}_p)$, where $P$ has order $r$
OUTPUT: $e(P, Q)$
1: $T \leftarrow P$, $f \leftarrow 1$
2: $s \leftarrow \lfloor \log_2 (r - 1) \rfloor$
3: for $i \leftarrow s - 1$ downto $0$ do
4: $f \leftarrow f^2 \cdot l_{T,T}(Q)$
5: $T \leftarrow 2T$
6: if $s_i = 1$ then
7: $f \leftarrow f \cdot l_{T,P}(Q)$
8: $T \leftarrow T + P$
9: end if
10: end for
11: $f \leftarrow f^{(p^d - 1)}$
12: $f \leftarrow f^{(p^d + 1)/\Phi_k(p)}$
13: $f \leftarrow f^{\Phi_k(p)/r}$
14: return $f$

In some Pairing-Based Cryptography protocols the first parameter to the pairing, point $P$, may be a fixed public value or a fixed private key. If $P$ is fixed, then all of the $T$ values (which are multiples of $P$) can be precomputed and stored in memory to accelerate the calculation of $e(P, Q)$. In this situation, it is preferable to use affine coordinates for all the points. This approach, however, requires a lot of space for precomputed values and should be applied only on embedded devices with a large amount of available memory.

Additional useful optimizations of Type 3 pairings can be applied when particular pairing-friendly curves are chosen. For example, when using BN [9] or MNT [90] curves, the parameter $w$ is always greater than one. In these cases it is possible to use a truncated loop variant of the Tate pairing, which is called the Ate pairing [61]. This method is very similar to Algorithm 8, but this time points $P$ and $Q$ change sides. Now $P$ is on the twisted curve ($P \in E'(\mathbb{F}_{p^d})$) and $Q$ is on the curve over the base field ($Q \in E(\mathbb{F}_p)$). In this setting the main loop of Algorithm 8 can be truncated by a factor of $w$ and a viable pairing can still be calculated. For example, for the BN curves, the loop has half the number of iterations of Algorithm 8. The fact that $P$ is over the extension field introduces extra computation when evaluating subsequent values of $T$. This, however, can be offset if the point $P$ is fixed, by using the precomputation technique described earlier.

5.1.3.2 Type 1 pairing optimizations

Type 1 pairings can be evaluated only on supersingular elliptic curves. It has been shown that supersingular curves lead to some of the most efficient pairing implementations in terms of processing speed and bandwidth requirements [7], [8]. These features make this type of pairing especially attractive for low power environments like wireless sensor networks, where available resources are very constrained. One drawback of supersingular curves is the limited choice of embedding degree $k$, which limits the range of security levels that can be efficiently achieved.

For the supersingular curves of low characteristic, the basic Miller algorithm can be drastically simplified by integrating the distortion map ($\Psi$), the point multiplication, and the Frobenius endomorphism directly into the main loop. The fastest known method to compute pairings on supersingular curves is called the $\eta_T$ pairing [7]. This pairing can be evaluated very efficiently, especially in fields of characteristic 2. For the $\eta_T$ pairing, the main loop is truncated to half the length of the related $\eta$ pairing (which is in turn closely related to the Tate pairing), and the final exponentiation cost is small.

If $q = 2^m$, then on a supersingular elliptic curve $E(\mathbb{F}_q)$ the Tate pairing $e(P, Q)$ evaluates as an element in $\mathbb{F}_{q^k}$, where in this case $k$ is equal to 4. The parameters $P$ and $Q$ are points of order $r$ on the curve, where for the supersingular curve $r$ is a large prime divisor of $2^m \pm 2^{(m+1)/2} + 1$. This simple group order can be used to optimize the final exponentiation operation. On a supersingular curve $y^2 + y = x^3 + x + B$ over $\mathbb{F}_{2^m}$ where $B \in \{0, 1\}$ and $m \equiv 3 \pmod 8$, the $\eta_T$ pairing can be calculated using Algorithm 9.

Algorithm 9 (based on [7]) presents an optimized scheme for the calculation of the $\eta_T$ pairing. Pairs $(x_P, y_P)$ and $(x_Q, y_Q)$ are the coordinates of points $P$ and $Q$ represented as binary polynomials in $\mathbb{F}_{2^m}$. Values $f$ and $g$ are elements evaluated over the extension field $\mathbb{F}_{2^{4m}}$ and they can be efficiently represented as polynomials with four coefficients in $\mathbb{F}_{2^m}$. Elements $s, t \in \mathbb{F}_{2^{4m}}$ can be derived from the distortion map ($\Psi$) which is defined as:

$$\Psi(x, y) = (x + s^2, y + sx + t) \qquad (5.7)$$

The above distortion map maps a point from $E(\mathbb{F}_{2^m})$ to $E(\mathbb{F}_{2^{4m}})$.

Algorithm 9 Computation of $\eta_T(P, Q)$ on a $y^2 + y = x^3 + x + B$ curve over $\mathbb{F}_{2^m}$

INPUT: $P, Q$
OUTPUT: $\eta_T(P, Q)$
1: let $P = (x_P, y_P)$, $Q = (x_Q, y_Q)$
2: $u \leftarrow x_P + 1$
3: $f \leftarrow u \cdot (x_P + x_Q + 1) + y_P + y_Q + 1 + (u + x_Q)s + t$
4: for $i \leftarrow 1$ to $(m + 1)/2$ do
5: $u \leftarrow x_P$, $x_P \leftarrow \sqrt{x_P}$, $y_P \leftarrow \sqrt{y_P}$
6: $g \leftarrow u \cdot (x_P + x_Q) + y_P + y_Q + x_P + (u + x_Q)s + t$
7: $f \leftarrow f \cdot g$
8: $x_Q \leftarrow x_Q^2$, $y_Q \leftarrow y_Q^2$
9: end for
10: return $f^{(2^{2m} - 1)(2^m - 2^{(m+1)/2} + 1)}$