Efficient Computation of the Weil Pairing in ID-based Cryptosystems

全文

(1)Int. Computer Symposium, Dec. 15-17, 2004, Taipei, Taiwan.. Efficient Computation of the Weil Pairing in ID-based Cryptosystems Jing-Shyang Hwu Department of Computer Science & Information Engineering National Chiao Tung University [email protected]. Rong-Jaye Chen Department of Computer Science & Information Engineering National Chiao Tung University [email protected]. Huei-Shyong Lue Department of Computer Science & Information Engineering Yuanpei Institute of Science and Technology [email protected]. Jer-Shyong Lin Department of Information Management Yuanpei Institute of Science and Technology [email protected]. cryptography, the pairing computing has significant overhead. Barreto, Kim, Lynn, and Scott [1] and Galbraith, Harrison and Soldera [6] focus on another bilinear pairing, called the Tate pairing, and they propose methods for speeding up the computation. In this paper, we extend the idea of the point halving, which was proposed by Knudsen [8], to speed up the computation of the Weil pairing. This paper is organized as follows. Section 2 provides the background about divisors and Weil pairing on elliptic curves. The Miller’s algorithm for computing Weil pairing is also described. Section 3 presents a detailed version of our algorithm for computation of Weil pairing using the point halving skill. The performance analysis compared with original Miller’s algorithm is provided in section 4, and section 5 concludes the paper.. Abstract- Although identity-based (ID-based) cryptography has a number of advantages over conventional public key methods; the computational cost is significantly greater. The dominant part of this cost is the Weil pairing. In this paper, we propose an efficient algorithm for computing the Weil pairing using point halving. Keywords: Weil pairing, ID-based cryptosystem, Elliptic curve.. 1. Introduction In 1984, Shamir [9] first invented the concept of identity-based (ID-based) cryptography, which addresses the authenticity problem of public keys in a different way. His central idea is that the public key of a user is simply their identity and hence implicitly known to all other users. More precisely, the public key of a user can be derived from public information that uniquely identifies the user. [email protected], for instance, could be treated as Alice’s identity (ID) and used as her public key. The advantage of an ID-based cryptosystem is that no certificate is needed to bind user names and their public keys. Some practical ID-based signature schemes (IBS) have been devised since 1984, but a fully satisfying ID-based encryption scheme (IBE) was first proposed by Boneh and Franklin [4] in 2001. They use a bilinear map (the Weil pairing) over supersingular elliptic curve to construct the encryption/decryption scheme. After that, the bilinear pairings have been used to design numerous identity based schemes, such as key exchange [7], short signature [5], and many others. Compared with other arithmetic in public key 1. 2. Background 2.1. Divisors Given an elliptic curve E over finite field K, a divisor D is a formal sum of points on E(K) D=. ∑n. p. ( P). P∈E. The group of divisors of E, denoted Div(E), is the free abelian group generated by the points of E, where addition is given by. ∑n. P∈E. P. ( P ) + ∑ mP ( P ) = P∈E. ∑ (n. P. + mP )( P ) .. P∈E. The support of a divisor D =. ∑n. P∈E. p. ( P ) ∈ Div ( E ) is. given by the set of points. 1. This work was supported by the National Science Council, R.O.C. , under contract no. NSC 93-2213-E-009-010-.. 1297. supp( D ) = {P ∈ E | n P ≠ 0} ..

(2) Int. Computer Symposium, Dec. 15-17, 2004, Taipei, Taiwan.. where f3 = l/v. .. Further, its degree deg(D) is defined by deg( D) =. ∑n. P∈E. 2.2. Weil Pairing. p. It is easily verified that the divisors of degree 0, denoted Div0(E), form a subgroup of Div(E). Since the number of zeros and poles of a non-zero rational function f ∈ K (E ) * is finite, we can define the. Let m be an integer which is prime to p = char(K). The Weil pairing is a function:. em : E[m ] × E[m ] → µm ,. divisor of a function f, denoted div(f), as div( f ) =. where E [m] = {P ∈ E ( K ) : mP = O} called the mtorsion group, µm is the group of mth roots of unity in K.. ∑ ord P ( f )( P). P∈ E. A divisor D∈Div(E) is called principal if D=div(f) for some ration function f. Further, two divisors D1, D2 ∈Div(E) are said to be equivalent, denoted D1 ~ D2, if D1 - D2 is principal. A characterization of principal divisors is: D=. ∑n. P∈E. iff. ∑n. P∈E. p. Given P, Q∈E[m], there exist DP, DQ∈Div0(E) such that DP ~ (P) – (O) and DQ ~ (Q) – (O) As divisors mDP and mDQ are principal, there exist rational functions fP , fQ such that div(fP) = mDP , div(fQ) = mDQ. Suppose that DP and DQ have disjoint supports, and then the Weil pairing of P and Q can be computed by:. 0 is principal p ( P ) ∈ Div ( E ). P = O where O is the point at infinity.. We next describe how to evaluate a rational function f ∈ K(E) in a divisor D = ∑ n p ( P ) that. em ( P , Q ) =. f P ( DQ ) f Q ( DP ). P∈E. satisfies supp(div(f)) ∩ supp(D) = φ. The evaluation of f in D is given by f ( D ) = ∏ f ( P ) n P. Algorithm 1 Weil pairing. P∈sup( D ). (Miller’s probabilistic algorithm). Recall that for any degree zero divisor D∈Div0(E), there is a unique point P ∈ E such that D ~ (P) – (O). In other words, D can be written in what we call canonical form:. INPUT: P, Q∈E[m], m is prime to char(K) OUTPUT: em(P, Q). D = (P) – (O) + div(f), where f is a rational function. Now we give a formula for adding two divisors in canonical form, such that the result is in canonical form as well. The formula provides a method of finding a rational function f such that div(f) = D for a given divisor D.. 1. Pick random point T, U∈E(K) such that P + T, T, Q+U, U are distinct. 2.. Compute fP, fQ such that div(fP) = m(P+T) – m(T), div(fQ) = m(Q+U) – m(U). 3.. Let D1, D2 ∈ Div0(E) be given by. Evaluate f P (Q + U ) f Q (T ) f Q ( P + T ) f P (U ). D1 = (P1) – (O) + div(f1), D2 = (P2) – (O) + div(f2).. An important part of computing the Weil pairing is the evaluation of fP(R) for each point R in the support of DQ. Recall that DP = (P + T) – (T). Then for each integer k, there is a rational function fk such that. Let P1 + P2 = P3, and let l : l1 y + l2 x + l3 = 0 be the equation of the line through P1 and P2, v : x + v1 = 0 be the vertical line through P3. If P1 = P2 then l is the line tangent to P1, and if P3 = O then take v = 1. Then. div( f k ) = k ( P + T ) − k (T ) − ( kP ) + (O ) . Let k = m,. div(l) = (P1) + (P2) + (-P3) – 3(O),. div( f m ). div(v) = (P3) + (-P3) – 2(O). = m( P + T ) − m(T ) − ( mP ) + (O ) , = m( P + T ) − m(T ). Now we can write the sum of divisors D1 + D2 as: D1 + D2 = (P1) + (P2) – 2(O) + div(f1 f2) = (P3) – (O) + div(l) – div(v) + div(f1 f2) = (P3) – (O) + div(f1 f2 f3). 1298.

(3) Int. Computer Symposium, Dec. 15-17, 2004, Taipei, Taiwan.. λ = x + y/x u = λ2 + λ + a v = x 2 + u(λ + 1). we have fP = fm. For any points R, S, let hR,S and hR be linear functions, where hR,S = 0 is the line passing through R, S, and hR = 0 is the vertical line passing through R. Then we have div ( f k1 +k2 ) = ( k1 + k 2 )( P + T ) − ( k1 + k 2 )(T ) − (( k1 + k 2 ) P ) + (O ) = k1 ( P + T ) − k1 (T ) − ( k1 P ) + (O ) + k 2 ( P + T ) − k 2 (T ) − ( k 2 P ) + (O ) + ( k1 P ) + ( k 2 P ) + ( −( k1 + k 2 ) P ) − 3(O ) − [(( k1 + k 2 ) P ) + ( −( k1 + k 2 ) P ) − 2(O )] = div ( f k1 ) + div ( f k2 ) + div ( hk1P ,k2 P ) − div ( h( k1 + k2 ) P ). f k1 f k 2 hk1 P , k 2 P . , and hence f k1 + k 2 = h( k1 + k 2 ) P. This is a recursive equation with initial conditions f0 = 1 and f = hP +T 1 hP ,T. Point halving was first proposed by Knudsen [8] with the following operation: given Q = (u, v), compute P = (x, y) such that Q = 2P. It provides a fast method for scalar multiplication on elliptic curve. The basic idea for halving is to solve (2) for λ, (3) for x, and finally (1) for y. When G is a subgroup of odd order m in E, point doubling and point halving are automorphisms in G (see [8]). Therefore, given a point Q∈G, there is a unique point P∈G such that Q = 2P. To uniquely find P, the trace function plays a central role in the algorithm for point halving. n −1. Tr ( c ) = c + c 2 + c 2 + ... + c 2 . Given Q = (u, v), point halving seeks the unique point P = (x, y) such that Q = 2P. The first step is to find λˆ by solving the equation 2. t. INPUT: m = ∑ bi 2i with bi∈{0,1}. λ2 + λ = u + a. i =0. (4). It is easily verified that λ∈{ λˆ , λˆ +1} and λ= λˆ if and only if Tr(v + u λˆ ) = 0. Hence λ can be identified, and then (3) is solved for the unique root x. Finally, if needed, y = x(x+λ) can be recovered with one field multiplication.. and bt = 1 , and a point S OUTPUT: fm(S) = fP(S) f ← f1(S); Z ← P; For j ← t-1, t-2, …, 0 do. Let the λ-representation of a point Q = (u, v) be (u, λQ), where λQ = u + v/u. Given the λrepresentation of Q as the input to point halving, we may compute t = v + u λˆ = u(u + λQ + λˆ ) without converting to affine coordinate. So in the point multiplication, repeated halving can be performed directly on the λ-representation of a point. Only when a point addition is required, a conversion to affine coordinate is needed.. hZ , Z ( S ) ; Z ← 2Z; h2 Z ( S ). If bj = 1 then f ← f1 f. (2) (3). The trace function Tr : F n → F n is defined by 2 2. Algorithm 2 Evaluation of fP on a point S [3]. f ← f2. (1). hZ , P ( S ) ; Z ← Z + P; hZ + P ( S ). Endif Endfor Return f. Algorithm 3 Point halving. INPUT: λ-representation (u, λQ) of Q∈G. This is a conventional double-and-add method for evaluation of rational function fP on a given point S. In the next section, we will propose a halve-andadd method to speed up the evaluation and hence have an efficient computation of the Weil pairing.. OUTPUT: λ-representation (x, λP) of P = (x, y) ∈G, where Q = 2P. 3. The Algorithm. 1. Find a solution λˆ of λ2 + λ = u + a .. 2. Compute t = u(u + λQ + λˆ ).. 3. If Tr(t) = 0, then λP ← λˆ , x ← else λP ← λˆ +1, x ← t. 4. Return (x, λP).. We restrict our attention to elliptic curves E over Galois field F n defined by the equation: 2. y 2 + xy = x 3 + ax 2 + b , where a, b ∈ F2 n , b ≠ 0 . Let. P = (x, y) be a point on E with P ≠ −P. The coordinate of Q = 2P = (u, v) can be computed as follows:. 1299. t+u.

(4) Int. Computer Symposium, Dec. 15-17, 2004, Taipei, Taiwan.. The point halving algorithm requires a field multiplication and three main steps: 1. Solving the quadratic equation λ2 + λ = u + a. Algorithm 4 Evaluation of fP on a point S using halving. 2. Computing the trace of t. INPUT: m = ∑ bi 2i with bi∈{0,1} and bt = 1 ,. 3. Computing a square root. and a point S = (XS, YS), λ-representation of P = (x, λP). t. i =0. In a normal basis, a field element on F n is 2 represented in terms of a basis of the form n −1 }. Given a field element { β , β 2 ,..., β 2 c = ∑ ci β. 2i. OUTPUT: fm(S) = fP(S) t Translate m-1 to be the form ∑ bˆi 1 2i i =0. = ( cn −1 ,..., c0 ) , the squaring is a left. rotation, i.e. c 2 = ( cn − 2 ,..., c0 , cn −1 ) .. Therefore the. f ← f1(S); Z ← P ;. quadratic equation x + x = c can be solved bitwise. The square root computation is a right rotation, i.e. c = ( c0 , cn −1..., c1 ) . These operations are expected to be inexpensive relative to field multiplication. A detailed comparison will be given in the next section. 2. For j ← t-1, t-2, …, 0 do f ←. f ← f1 f. hZ , P ( S ) ; Z ← Z + P; hZ + P ( S ). Endif Endfor h ( S ) ; Z ← Z + P; f ← f1 f Z , P hZ + P ( S ) Return f. 2. DP + DP = (2P) – (O) + div( g l ). v Assume Q = 2P with λ-representation (u, λQ) corresponding to a divisor DQ with canonical form (Q) – (O) + div(f); then l = Y + λP X + x 2 ,. 4. Performance Comparison. v = X +u,. In this section we estimate the saved operations in our algorithm compared with the original Miller’s algorithm. When we consider the arithmetic operations in normal basis, the time saved by using halving instead of doubling is significant. In affine coordinates, both elliptic doubling and addition require 1 inversion, 2 multiplications and 1 squaring. While representing with λ-representation, we can save 1 inversion and 1 multiplication in point halving. But one additional multiplication is needed to recover the y-coordinate while performing addition. If the order of the Weil pairing m is represented by a bit string of length n with k nonzero entries, the operations needed for the scalar multiplication are:. Y + λP X + x 2 , g 2l = g2 f = X +u v. and we have f. X S + xZ ; Z ← 1 Z; 2 2 YS + λZ X S + x Z / 2. If bˆ j = 1 then. Let the λ-representation of a point P = (x, y) be (x, λP), and the canonical form of a divisor DP be (P) – (O) + div(g), where g is a rational function. We have. g=. f. X +u Y + λP X + x 2. Apply the halving operation to the evaluation of f on a point S; we have an efficient algorithm for Weil pairing computation.. Operation. Inversions Multiplications Squarings Solving λ2 + λ = u + a Square roots Trace computing. 1300. Double-andAdd n+k 2n + 2k n+k 0. Halve-andAdd k n + 3k n+k n. 0 0. n n.

(5) Int. Computer Symposium, Dec. 15-17, 2004, Taipei, Taiwan.. and the operations needed for the evaluation of rational functions in the given point are: Operation. Inversions Multiplications Squarings Square roots. Double-andAdd 2n + 2k 4n + 5k n 0. halving instead of doubling. The time saving is an important merit in the implementation of many new and interesting ID-based protocols that have been developed using the Weil pairing.. Halve-andAdd n+k 3n + 4k 2n n. References [1] P. S. L. M. Barreto, H. Y. Kim, B. Lynn and M. Scott, “Efficient Algorithms for Pairing-based Cryptosystems”, Advances in Cryptology-CRYPTO ’02, pp. 354–368. [2] I. F. Blake, G. Seroussi and N. P. Smart, Elliptic Curves in Cryptography, Cambridge University Press, Cambridge, (1999). [3] I. Blake, K. Murty and G. Xu, “Refinements of Miller’s Algorithm for Computing Weil/Tate Pairing”, ePrint 2004. [4] D. Boneh and M. Franklin, “Identity-based Encryption from the Weil Pairing”, Advances in CryptologyCRYPTO’01, pp. 213–239. [5] D. Boneh, B. Lynn and H. Shacham, “Short signatures from the Weil pairing”, Advances in CryptologyASIACRYPTO’01, pp. 514–532. [6] S. Galbraith, K. Harrison and D. Soldera, “Implementing the Tate Pairing”, Algorithm Number Theory Symposium, vol. 2369, Springer-Verlag Heidelberg, 2002, pp. 324–337. [7] A. Joux, “A One Round Protocol for Tripartite DiffieHelman”, Algorithm Number Theory Symposium, vol. 1838, Springer-Verlag Heidelberg, 2000, pp. 385–393. [8] E. Knudsen, “Elliptic Scalar Multiplication Using Point Halving”, Advances in Cryptology-ASIACRYPTO’99, pp. 135-149. [9] A. Shamir, “Identity-based Cryptosystems and Signature Schemes”, Advances in Cryptology– CRYPTO’84, pp. 47-53. [10] J. H. Silverman, The Arithmetic of Elliptic Curves, Graduate Texts in Mathematics, 106, Springer-Verlag, 1986.. Thus, by using point halving, we can save 2n+k inversions, 2n multiplications with additional cost in solving n quadratic equation, n squaring, 2n square roots and n trace computing. However, in a normal basis, the time needed to calculate the quadratic equation, squaring, square root, and the trace is negligible compared to the time needed to compute a multiplication or an inversion. As indicated in [2], we have the following assumptions on equivalence of timing: 1 inversion ~ 3 multiplications 1 multiplication ~ 10 squarings Our method reduces a number of inversions and multiplications which are expensive in computing the Weil pairing and thus provide a significant improvement.. 5. Conclusion We have proposed an efficient method for computing the Weil pairing. With the λrepresentation in a normal basis, a significant improvement is presented while running point. 1301.

(6)