Efficient Scalar Multiplication for Ate Based Pairing over KSS Curve of Embedding Degree 18
0 likes261 views
The document presents a proposal for efficient scalar multiplication techniques for ate-based pairing over the Kachisa-Schaefer-Scott (KSS) curve of embedding degree 18. The proposed method aims to significantly reduce the number of elliptic curve doubling (ECD) operations required, achieving a reduction by a factor of six compared to existing methods. Future work includes improving execution time and evaluating performance in pairing-based protocol implementations.
![Background
Introduction Preparation Proposal Conclusion
3
• Elliptic Curve over Finite Field
Fp : {0, 1, · · · , p 1}, +,
Fpk : {(a1, · · · , ak)|ai 2 Fp}, +,
Prime field
Extension Field
Fp
Fpk
• Elliptic curve over Fp
Group of rational points on the curve:
E(x, y) : y2
= x3
+ ax + b, a, b 2 Fp
E(Fp)
E(Fp) : rOrder of
{P, 2P, · · · , [a]P, · · · , [r]P}, +,E(Fp):
P1
P2
lP1P2
P3 = P1 + P2
y 2 Fp
x2 Fp
vP1+P2
rational point
P3
embedding degree
#E(Fp)
[#E(Fp)]P}, +](https://image.slidesharecdn.com/efficientscmwisa2016mod-160915102456/85/Efficient-Scalar-Multiplication-for-Ate-Based-Pairing-over-KSS-Curve-of-Embedding-Degree-18-3-320.jpg)
![Background
Introduction Preparation Proposal Conclusion
5
Pairing
G1
G2
order = r
P
Q
G3
order = r
E(Fp18 )
order = r
P 2 G1 ⇢ E(Fp)
Q 2 G2 ⇢ E(Fp18 )
r|#E(Fp)Let
[a]P =
a 1X
i=0
P
[b]Q =
b 1X
i=0
Q
Bilinearity
e(P, Q)ab](https://image.slidesharecdn.com/efficientscmwisa2016mod-160915102456/85/Efficient-Scalar-Multiplication-for-Ate-Based-Pairing-over-KSS-Curve-of-Embedding-Degree-18-5-320.jpg)
![Motivation
Introduction Preparation Proposal Conclusion
◆ Scalar Multiplication of EC defined over
here s is a natural number and
• Binary algorithm also required (n-1) ECD. n = bit
length of s.
• NAF, Sliding window reduces number of ECA.
• But they also need n-1 ECD.
7
[s]Q = Q + Q + · · · + Q
| {z }
s 1 times additions
Q 2 Fp18
Fp18](https://image.slidesharecdn.com/efficientscmwisa2016mod-160915102456/85/Efficient-Scalar-Multiplication-for-Ate-Based-Pairing-over-KSS-Curve-of-Embedding-Degree-18-7-320.jpg)
![Motivation
Introduction Preparation Proposal Conclusion
◆ Scalar Multiplication of EC defined over
here s is a natural number and
• In practice bit long
• It means almost 376 ECD is required in
That is why we tried to make it efficient in KSS curve
8
[s]Q = Q + Q + · · · + Q
| {z }
s 1 times additions
Q 2 Fp18
Fp18
Fp18
n 377](https://image.slidesharecdn.com/efficientscmwisa2016mod-160915102456/85/Efficient-Scalar-Multiplication-for-Ate-Based-Pairing-over-KSS-Curve-of-Embedding-Degree-18-8-320.jpg)
![Getting Rational Point in G2
Proposal Conclusion
r + 1
r
[r]T = O
• Randomly obtained rational
point R
• If
• Then is the rational
point whose order
becomes r
T
• Using we can get certain rational
point in
T
G2
10
groups
order
[
#E(Fp18 )
r2
]R 6= O
P 2 G1 ⇢ E(Fp)
Q 2 E(Fp18 ) ⇢ G2
2 E(Fp18 )](https://image.slidesharecdn.com/efficientscmwisa2016mod-160915102456/85/Efficient-Scalar-Multiplication-for-Ate-Based-Pairing-over-KSS-Curve-of-Embedding-Degree-18-10-320.jpg)
![• Check if
• Then belongs to
Getting Rational Point in G2
Proposal Conclusion
⇡p(Q) = [p]Q.
(⇡p [p])Q = O
• Frobenius mapping of , (⇡p 1)T = Q.
Q G2
T
11](https://image.slidesharecdn.com/efficientscmwisa2016mod-160915102456/85/Efficient-Scalar-Multiplication-for-Ate-Based-Pairing-over-KSS-Curve-of-Embedding-Degree-18-11-320.jpg)
![Proposed Scalar Multiplication
Proposal Conclusion
• Let, is a scalar and is the Scalar Multiplication[s]Q
• Here 0 < s < r
• Taking mod ,
p ⌘ t 1 mod r
• From KSS- curve,
• -adic representation(t 1)
12
#E(Fp) = p + 1 t
S = SH(t 1) + SL
Higher bits Lower bits
s
r|#E(Fp)
#E(Fp) = p + 1 t ⌘ 0 mod rr
s](https://image.slidesharecdn.com/efficientscmwisa2016mod-160915102456/85/Efficient-Scalar-Multiplication-for-Ate-Based-Pairing-over-KSS-Curve-of-Embedding-Degree-18-12-320.jpg)
![Proposed Scalar Multiplication
Proposal Conclusion
15
• Final representation of s with 6 coefficients
Consider multiplication of s with Q
[s]Q = (s0 + s1z)Q + (s2 + s3z)z2
Q + (s4 + s5z)(t 1)Q
s = (s0 + s1z) + (s2 + s3z)z2
+ (s4 + s5z)(t 1)](https://image.slidesharecdn.com/efficientscmwisa2016mod-160915102456/85/Efficient-Scalar-Multiplication-for-Ate-Based-Pairing-over-KSS-Curve-of-Embedding-Degree-18-15-320.jpg)
![Proposed Scalar Multiplication
Proposal Conclusion
16
Let = and =
[s]Q = (s0Q + s2Q1 + s4Q2)
+(s1z(Q) + s3z(Q1) + s5z(Q2))
[s]Q = (s0 + s1z)Q + (s2 + s3z)z2
Q + (s4 + s5z)(t 1)Q
[s]Q = (s0 + s1z)Q + (s2 + s3z)Q1 + (s4 + s5z)Q2](https://image.slidesharecdn.com/efficientscmwisa2016mod-160915102456/85/Efficient-Scalar-Multiplication-for-Ate-Based-Pairing-over-KSS-Curve-of-Embedding-Degree-18-16-320.jpg)
![Proposed Scalar Multiplication
Proposal Conclusion
17
13 Precomputed Points
• Using
[s]Q = (s0Q + s2Q1 + s4Q2)
+(s1z(Q) + s3z(Q1) + s5z(Q2))](https://image.slidesharecdn.com/efficientscmwisa2016mod-160915102456/85/Efficient-Scalar-Multiplication-for-Ate-Based-Pairing-over-KSS-Curve-of-Embedding-Degree-18-17-320.jpg)
![Example of Previous Scalar Multiplication
Proposal Conclusion
1 2 3 4 5 6 7 42
S 1 0 1 1 0 1 1 … 1
(Q) 2(2(2(Q))+Q)+Q
18
• Let, is a scalar and is the Scalar MultiplicationS [S]Q
Let S is 42 bit
2(2(Q))+Q2(Q)](https://image.slidesharecdn.com/efficientscmwisa2016mod-160915102456/85/Efficient-Scalar-Multiplication-for-Ate-Based-Pairing-over-KSS-Curve-of-Embedding-Degree-18-18-320.jpg)
![Example of Previous Scalar Multiplication
Proposal Conclusion
1 2 3 4 5 6 7 42
S 1 0 1 1 0 1 1 … 1
2(2(2(Q))+Q)+Q
19
• Let, is a scalar and is the Scalar MultiplicationS [S]Q
Let S is 42 bit
41 times ECD, which is about the size of S](https://image.slidesharecdn.com/efficientscmwisa2016mod-160915102456/85/Efficient-Scalar-Multiplication-for-Ate-Based-Pairing-over-KSS-Curve-of-Embedding-Degree-18-19-320.jpg)
Efficient Scalar Multiplication for Ate Based Pairing over KSS Curve of Embedding Degree 18
- 1. Introduction Preparation Proposal Conclusion Efficient Scalar Multiplication for Ate Based Pairing over KSS Curve of Embedding Degree 18 Md. Al-Amin Khandaker (Okayama University, Japan) Yasuyuki Nogami (Okayama University, Japan) Hwajeong Seo (Institute for Infocomm Research (I2R) - A Star) Sylvain Duquesne (Université Rennes I, France)
- 2. Background Introduction Preparation Proposal Conclusion 2 E Finite field arithmetic: multiplication, addition, subtraction, inversion,… Group operation: point Add/ Double Scalar Multiplication Elliptic Curve Cryptography Pairing Pairing based cryptography • Pairing based cryptography • Identity(ID)-based cryptography (Sakai et al. 2000) • Group signature (Boneh et al. 2003) Expensive Operation Therefore we focus on Scalar Multiplication Higher Complexity
- 3. Background Introduction Preparation Proposal Conclusion 3 • Elliptic Curve over Finite Field Fp : {0, 1, · · · , p 1}, +, Fpk : {(a1, · · · , ak)|ai 2 Fp}, +, Prime field Extension Field Fp Fpk • Elliptic curve over Fp Group of rational points on the curve: E(x, y) : y2 = x3 + ax + b, a, b 2 Fp E(Fp) E(Fp) : rOrder of {P, 2P, · · · , [a]P, · · · , [r]P}, +,E(Fp): P1 P2 lP1P2 P3 = P1 + P2 y 2 Fp x2 Fp vP1+P2 rational point P3 embedding degree #E(Fp) [#E(Fp)]P}, +
- 4. Background Introduction Preparation Proposal Conclusion 4 Pairing G1 G2 order = r P Q G3 order = r E(Fp18 ) additive multiplicative e(P, Q) order = r P 2 G1 ⇢ E(Fp) Q 2 G2 ⇢ E(Fp18 ) r|#E(Fp)Let
- 5. Background Introduction Preparation Proposal Conclusion 5 Pairing G1 G2 order = r P Q G3 order = r E(Fp18 ) order = r P 2 G1 ⇢ E(Fp) Q 2 G2 ⇢ E(Fp18 ) r|#E(Fp)Let [a]P = a 1X i=0 P [b]Q = b 1X i=0 Q Bilinearity e(P, Q)ab
- 6. Background • Kachisa-Schaefer-Scott (KSS) Curve Paring friendly elliptic curve of k = 18 Introduction Preparation Proposal Conclusion 6 • Characteristics p, Frobenius trace t and order r is given systematically by integer z E : y2 = x3 + b, (b 2 Fp, b 6= 0 and x, y 2 Fp18 ) r(z) = (z6 + 37z3 + 343)/343 p(z) = (z8 + 5z7 + 7z6 + 37z5 + 188z4 +259z3 + 343z2 + 1763z + 2401)/21 t(z) = (z4 + 16z + 7)/7 8 : 6 : 4
- 7. Motivation Introduction Preparation Proposal Conclusion ◆ Scalar Multiplication of EC defined over here s is a natural number and • Binary algorithm also required (n-1) ECD. n = bit length of s. • NAF, Sliding window reduces number of ECA. • But they also need n-1 ECD. 7 [s]Q = Q + Q + · · · + Q | {z } s 1 times additions Q 2 Fp18 Fp18
- 8. Motivation Introduction Preparation Proposal Conclusion ◆ Scalar Multiplication of EC defined over here s is a natural number and • In practice bit long • It means almost 376 ECD is required in That is why we tried to make it efficient in KSS curve 8 [s]Q = Q + Q + · · · + Q | {z } s 1 times additions Q 2 Fp18 Fp18 Fp18 n 377
- 9. Preparation Preparation Proposal Conclusion 9 Construct extension field arithmetic operations by towering. Find good parameters in KSS curve. Finally we need to find certain rational point in G2 G1 ⇥ G2 ! G3 Rational point groups Multiplicative group over Fp18 Fp18
- 10. Getting Rational Point in G2 Proposal Conclusion r + 1 r [r]T = O • Randomly obtained rational point R • If • Then is the rational point whose order becomes r T • Using we can get certain rational point in T G2 10 groups order [ #E(Fp18 ) r2 ]R 6= O P 2 G1 ⇢ E(Fp) Q 2 E(Fp18 ) ⇢ G2 2 E(Fp18 )
- 11. • Check if • Then belongs to Getting Rational Point in G2 Proposal Conclusion ⇡p(Q) = [p]Q. (⇡p [p])Q = O • Frobenius mapping of , (⇡p 1)T = Q. Q G2 T 11
- 12. Proposed Scalar Multiplication Proposal Conclusion • Let, is a scalar and is the Scalar Multiplication[s]Q • Here 0 < s < r • Taking mod , p ⌘ t 1 mod r • From KSS- curve, • -adic representation(t 1) 12 #E(Fp) = p + 1 t S = SH(t 1) + SL Higher bits Lower bits s r|#E(Fp) #E(Fp) = p + 1 t ⌘ 0 mod rr s
- 13. Proposed Scalar Multiplication Proposal Conclusion 13 (t 1) | {z } | {z } SH SL s = SH(t 1) + SL • -adic representation(t 1) S = SH(t 1) + SL • will be nearly equal to the size of (t − 1)SL • will be half size of (t − 1)SH s 8 : 6 : 4
- 14. Proposed Scalar Multiplication Proposal Conclusion 14 s5 s4 s3 s2 s1 s0 z3 z2 zz (t 1) | {z } | {z } SH SL 1 1 • Let’s consider z-adic representation of andSL SH s = SH(t 1) + SL = (s5z + s4)(t 1) + (s3z3 + s2z2 + s1z + s0) • z is the mother parameters of KSS curve properties • z is about 1/4 of that of (t−1)
- 15. Proposed Scalar Multiplication Proposal Conclusion 15 • Final representation of s with 6 coefficients Consider multiplication of s with Q [s]Q = (s0 + s1z)Q + (s2 + s3z)z2 Q + (s4 + s5z)(t 1)Q s = (s0 + s1z) + (s2 + s3z)z2 + (s4 + s5z)(t 1)
- 16. Proposed Scalar Multiplication Proposal Conclusion 16 Let = and = [s]Q = (s0Q + s2Q1 + s4Q2) +(s1z(Q) + s3z(Q1) + s5z(Q2)) [s]Q = (s0 + s1z)Q + (s2 + s3z)z2 Q + (s4 + s5z)(t 1)Q [s]Q = (s0 + s1z)Q + (s2 + s3z)Q1 + (s4 + s5z)Q2
- 17. Proposed Scalar Multiplication Proposal Conclusion 17 13 Precomputed Points • Using [s]Q = (s0Q + s2Q1 + s4Q2) +(s1z(Q) + s3z(Q1) + s5z(Q2))
- 18. Example of Previous Scalar Multiplication Proposal Conclusion 1 2 3 4 5 6 7 42 S 1 0 1 1 0 1 1 … 1 (Q) 2(2(2(Q))+Q)+Q 18 • Let, is a scalar and is the Scalar MultiplicationS [S]Q Let S is 42 bit 2(2(Q))+Q2(Q)
- 19. Example of Previous Scalar Multiplication Proposal Conclusion 1 2 3 4 5 6 7 42 S 1 0 1 1 0 1 1 … 1 2(2(2(Q))+Q)+Q 19 • Let, is a scalar and is the Scalar MultiplicationS [S]Q Let S is 42 bit 41 times ECD, which is about the size of S
- 20. Example of Efficient Scalar Multiplication Proposal Conclusion 20 s1z + s0 s3z + s2 s5z + s4 1 0 1 < z(Q) + z(Q2) > < Q + Q1 + Q2 > 1 1 1 s1 s3 s5 s0 s2 s4 = 1 0 1 1 0 0 1 = 0 1 1 1 0 1 0 = 1 1 0 1 0 0 0 = 1 1 0 1 1 0 1 = 1 0 0 0 0 0 0 = 1 0 1 1 0 0 0
- 21. Example of Efficient Scalar Multiplication Proposal Conclusion 21 s1z + s0 s3z + s2 s5z + s4 0 1 1 1 0 0 s1 s3 s5 s0 s2 s4 = 1 0 1 1 0 0 1 = 0 1 1 1 0 1 0 = 1 1 0 1 0 0 0 = 1 1 0 1 1 0 1 = 1 0 0 0 0 0 0 = 1 0 1 1 0 0 0 < z(Q1) + z(Q2) > < Q >
- 22. Example of Efficient Scalar Multiplication Proposal Conclusion 22 s1z + s0 s3z + s2 s5z + s4 1 1 0 0 0 1 s1 s3 s5 s0 s2 s4 = 1 0 1 1 0 0 1 = 0 1 1 1 0 1 0 = 1 1 0 1 0 0 0 = 1 1 0 1 1 0 1 = 1 0 0 0 0 0 0 = 1 0 1 1 0 0 0 < z(Q) + z(Q1) > < Q2 >
- 23. Example of Efficient Scalar Multiplication Proposal Conclusion 23 s1z + s0 s3z + s2 s5z + s4 1 1 1 1 0 1 s1 s3 s5 s0 s2 s4 = 1 0 1 1 0 0 1 = 0 1 1 1 0 1 0 = 1 1 0 1 0 0 0 = 1 1 0 1 1 0 1 = 1 0 0 0 0 0 0 = 1 0 1 1 0 0 0 < z(Q) + z(Q1) + z(Q2) > < Q + Q2 >
- 24. Example of Efficient Scalar Multiplication Proposal Conclusion 24 s1z + s0 s3z + s2 s5z + s4 1 1 1 1 0 1 s1 s3 s5 s0 s2 s4 = 1 0 1 1 0 0 1 = 0 1 1 1 0 1 0 = 1 1 0 1 0 0 0 = 1 1 0 1 1 0 1 = 1 0 0 0 0 0 0 = 1 0 1 1 0 0 0 < z(Q) + z(Q1) + z(Q2) > < Q + Q2 > represent the ECD 6 ECD is required
- 25. Result Evaluation Proposal Conclusion 25 Experiment Parameters KSS curve s Mother parameter Prime number Order trace 500 random scalar (about 377bit )
- 26. Result Evaluation Proposal Conclusion CPU* Memory OS Compiler Programm ing Language Library PC 2.7Ghz Intel Core i5 16 GB Mac OS X 10.11.4 gcc 4.2.1 C GMP 6.1.1 iPhone 6s Apple A9 Dual-core 1.84 GHz 2 GB iOS 9.3.1 gcc 4.2.1 Objective- C, C GMP 6.1.1 26 Experiment environment settings *Single core is utilized
- 27. Result Evaluation Proposal Conclusion 27 ECD is about 6 times less of total bit size of scalar Operation Count and Execution time comparison
- 28. Conclusion Conclusion Our proposed approach reduces the number of ECD by 6 times of existing approaches in KSS curve Future work • Reduce the execution time and operation complexity by Skew Frobenius mapping in sextic twisted isomorphic curve. • Test and evaluate the performance in Paring based protocol implementation. 28
- 29. Thank you