Hardware and Software Normal Basis
Arithmetic for Pairing Based Cryptography in
?
Characteristic Three
R. Granger, D. Page and M. Stam
Department of Computer Science,
University of Bristol,
MerchantVenturers Building,
Wo o dland Road,
Bristol, BS8 1UB,
United Kingdom.
fgranger, page, [email protected]
Abstract. Although identity based cryptography o ers a number of
functional advantages over conventional public key metho ds, the compu-
tational costs are signi cantly greater. The dominant part of this cost is
the Tate pairing which, in characteristic three, is b est computed using the
algorithm of Duursma and Lee. However, in hardware and constrained
environments this algorithm is unattractive since it requires online com-
putation of cub e ro ots or enough storage space to pre-compute required
results. We examine the use of normal basis arithmetic in characteristic
three in an attempt to get the b est of b oth worlds: an ecient metho d
for computing the Tate pairing that requires no pre-computation and
that may also be implemented in hardware to accelerate devices such
as smart-cards. Since normal basis arithmetic in characteristic three has
not received much attention b efore, we also discuss the construction of
suitable bases and asso ciated curve parameterisations.
1 Intro duction
Since it was rst suggested in 1984 by Shamir [29], the concept of identity based
cryptography has b een an attractive target for researchers b ecause of the p oten-
tial for simplifying conventional approaches to public key based systems. The
central idea is that the public key for a user is simply their identity and is hence
implicitly known to all other users. Identity is a exible concept but an often used
concrete example is that of an email address. Within this context, an identity
for Alice might b e the string
?
This work has b een submitted to the IEEE for p ossible publication. Copyrightmay
b e transferred without notice, after which this version may no longer b e accessible.
If Bob wants to send Alice secure email, he implicitly knows her email address
and hence her identity and public key. Therefore he can encrypt the email to
her without the same level of involvement from, for example, certi cate and
trust authorities. Recent advances have pro duced many workable instances of
identity based cryptography whichwere driven mainly by the seminal work of
Sakai, Ohgishi and Kasahara [27] and then by Boneh and Franklin [4] who b oth
prop osed concrete cryptographic schemes based on pairings on elliptic curves.
For suchschemes to b e feasible, one needs an eciently computable pairing,
or bilinear map. Generally the Tate pairing is selected for this task and is com-
puted using one of several algorithms, such as that of Barreto, Kim, Lynn and
Scott [2] or Duursma and Lee [6]. In characteristic three, which is often selected
due to the bandwidth advantages of the parameterisation, the Duursma-Lee al-
gorithm is certainly faster and recentwork shows that it is probably the current
b est choice [10, 28]. However, unlike the BKLS algorithm, it requires the compu-
tation of cub e ro ot op erations which are relatively slow when using a p olynomial
basis representation. Although these cub e ro ots can b e pre-computed online us-
ing cubings, the space requirement is so signi cant, in constrained or hardware
environments the metho d is unattractive as a result. As such, this feature means
identity based cryptography is currently to o exp ensive to run on naturally iden-
tityaware devices.
Normal bases [9] o er a convenient solution to this problem since cub e and
cub e ro ot op erations are simply cyclic shifts of the co ecients of an element.
Indeed, this seems to b e the metho d Duursma and Lee envisaged using in their
original pap er, yet without investigating how [6]. Therein lies the catch: normal
bases have a drawback in that multiplication is a more complex, and to a cer-
tain extent less studied op eration compared to p olynomial bases. To construct a
high p erformance implementation of Duursma-Lee that takes advantage of the
prop erties of normal bases, ecientmultiplication metho ds are required. In char-
acteristic three, we are not aware of anywork that addresses this problem and
we attempt to ll the gap in the literature with this pap er. We present metho ds
for constructing an appropriate basis, as well as software and hardware algo-
rithms for arithmetic in it. Our p erformance and cost results indicate that using
normal bases in software is unattractive due to the cost of multiplication, but
that this cost can b e avoided by parallel architectures in hardware. The use of
hardware acceleration for normal bases thus makes identity based cryptography
on constrained devices such as smart-cards a far more feasible prop osition. Note
that it is imp ortant to lo ok at the cost of software and hardware metho ds: in a
standard implementation it is unattractiveto convert b etween representations
where, for example, a smart-card might use hardware acceleration and a desktop
computer, which might utilise software comp onents only.
The pap er is organised as follows. Firstly,we use Section 2 to overview the
mathematics that underpin pairing based cryptography, paying particular at-
tention to the Duursma-Lee algorithm that motivates the use of normal basis
arithmetic. We then discuss how to construct such normal bases for characteristic
three elds in Section 3 and suitable curve parameterisations in Section 4. Arith-
metic with and representation of elds elements is presented in Section 5 b efore
software and hardware implementation results are intro duced in Sections 6 and 7
resp ectively. Finally we present some concluding remarks in Section 8.
2 Pairing Based Cryptography
The existence of eciently computable, non-degenerate bilinear maps, or pair-
ings, has allowed cryptographers to explore avenues of research which had previ-
ously b een uninstantiable [29]. Originally used as a metho d of attack on elliptic
curve cryptosystems [7, 21], the constructive p otential of pairings based on ellip-
tic curves is nowwell-studied, with many proto cols and applications [4, 5, 13, 16].
To supp ort these applications much research activity has fo cused on devel-
oping ecient and easily implementable algorithms for their deployment [2, 6, 8].
Currently the most ecient metho d for pairing computation is the Duursma-Lee
algorithm [6, 10], which applies to sup ersingular elliptic curves in characteristic
three with MOVemb edding degree six [21]. As well as pairing evaluation b eing
approximately two and a half times faster than with the BKLS algorithm [2],
the emb edding degree of six, while not optimal in terms of the relative security
requirements for discrete logarithm algorithms in characteristic three nite elds
and elliptic curves, still o ers a go o d security/eciency trade-o for contemp o-
rary key-size recommendations.
In this section we give a brief summary of the mathematics underlying the
reduced Tate pairing, as develop ed in [2, 8], and give details of its Duursma-Lee
variant, whichwe refer to as the mo di ed Tate pairing.
2.1 The reduced Tate pairing
We rst intro duce some notation. Let E b e an elliptic curveover a nite eld F ,
q
and let O denote the identity element of the asso ciated group of rational p oints
E
on E F . For a p ositiveinteger l coprime to q , let F k b e the smallest extension
q
q
F . Also, let E F [l ] denote eld of F which contains the l -th ro ots of unityin
q q q
the subgroup of E F of all p oints of order dividing l , and similarly for the
q
degree k extension of F .From an eciency p ersp ective, k is usually chosen to
q
be even [2]. For a thorough treatment of the following, we refer the reader to [2]
and also [8], and to [30] for an intro duction to divisors. The reduced Tate pairing
of order l is the map
l
e : E F [l ] E F k [l ] ! F =F ;
k k
l q
q
q q
given by e P; Q=f D . Here f is a function on E whose divisor is equiva-
l P;l P;l
lenttol P l O , D is a divisor equivalenttoQ O , whose supp ort is dis-
E E
Q P
a
i
joint from the supp ort of f , and f D = f P , where D = a P .
P;l P;l P;l i i i
i i
It satis es the following prop erties:
{ For each P 6= O there exists Q 2 E F k [l ] such that e P; Q 6= 1 2
E l
q
l
F =F non-degeneracy.
k k
q q
Field Field Polynomial Curve Order MOV security
79 26 2 3 79 40
79
F t + t +2 Y = X X 1 3 +3 +1 750
3
97 12 2 3 97 49
97
F t + t +2 Y = X X +1 3 +3 +1=7 906
3
163 80 2 3 163 82
16 3
F t + t +2 Y = X X 1 3 +3 +1 1548
3
193 12 2 3 193 97
19 3
F t + t +2 Y = X X 1 3 3 +1 1830
3
239 24 2 3 239 120
23 9
F t + t +2 Y = X X 1 3 3 +1 2268
3
353 142 2 3 353 177
35 3
F t + t +2 Y = X X 1 3 +3 +1 3354
3
Table 1. A table of eld de nitions and curve equations.
n
{ For anyinteger n, e [n]P; Q=e P; [n]Q=e P; Q for all P 2 E F [l ]
l l l q
and Q 2 E F k [l ] bilinearity.
q
k k
q 1=l q 1=L
{ Let L = hl . Then e P; Q = e P; Q .
l L
{ It is eciently computable.
The non-degeneracy condition requires that Q is not a multiple of P , i.e. that Q
is in some order l subgroup of E F disjoint from E F [l ]. When one computes
k
q
q
l
, and not =F f D , the value obtained b elongs to the quotient group F
k k P;l
q q
F . In this quotient, for a and b in F , a b if and only if there exists c 2 F
k k k
q q q
l
such that a = bc . Clearly, this is equivalentto
k k
q 1=l q 1=l
a b if and only if a = b ;
and hence one ordinarily uses this value as the canonical representative of each
l
coset. The isomorphism b etween F =F and the elements of order l in F
k k k
q q q
given by this exp onentiation makes it p ossible to compute f Q rather than
P;l
f D [2]. It also removes the need to compute the costly denominators in
P;l
Miller's algorithm. We note that there are other more ecient metho ds to obtain
a unique representative of the output coset [10]. However in this article we are
concerned primarily with the computation of the mo di ed Tate pairing.
2.2 The mo di ed Tate pairing
Duursma and Lee intro duced their algorithm in the context of pairings on a
family of hyp erelliptic curves. Restricting to the elliptic curve case, it applies
to a family of sup ersingular curves in characteristic three, including those in
Table 1.
The rst column gives the eld over which each curve is de ned, and the sec-
ond lists the corresp onding irreducible p olynomials de ning the eld extensions.
The third lists the curve equations and the fourth gives the order of the subgroup
used. The nal column gives the bit-length of the smallest nite eld into which
the pairing value emb eds, whichisalways a degree six extension in these cases.
These parameter values were generated simply by testing which prime extension
degrees suitable for ecient normal bases yielded orders for sup ersingular curves that are prime, or almost prime, i.e. those p ossessing a small cofactor.
Algorithm 2: The Duursma-Lee algorithms for calculating the Tate pairing
in characteristic three.
Input : p oint P =x ;y , p oint Q =x ;y
1 1 2 2
Output : f Q 2 F =F
6 3
P
q q
f 1
for i =1 to m do
3 3
x x ;y y
1 1
1 1
2
x + x + b; y y
1 2 1 2
2
g ;f f g
1=3 1=3
x x ;y y
2 2
2 2
return f
The mo di ed Tate pairing improves on the reduced variant in three ways.
Firstly, using the third prop erty listed ab ove, instead of computing the Tate
3
pairing of order l , one uses the pairing of order q + 1, which eliminates the need
for any p oint additions in Miller's algorithm. Secondly, while this apparently
increases the trit-length of the exp onentby a factor of three, Duursma and Lee
show that the divisor computed when pro cessing three trits at a time has a very
simple form, and hence no losses are incurred. Lastly, they provide a closed form
expression for the pairing, thus simplifying implementations.
m 2 3
Let q =3 and E F :Y = X X + b, with b = 1, and let P =x ;y
q 1 1
3
3
and Q =x ;y be p oints of order l . Let F = F []= b, with b =
2 2 q
q
2
6 3
1 dep ending on the curve equation, and let F = F [ ]= + 1. Then the
q q
6
mo di ed Tate pairing on E is the mapping f Q where : E F ! E F
P q
q
is the distortion map x ;y = x ;y . The metho d for computing this
2 2 2 2
is shown in Figure 2. Note that in each lo op, one must compute two cubings and
two cub e ro ots, in contrast to the BKLS algorithm where one must compute
four cubings.
Alternatively, if memory size is not an issue, one can pre-compute the cub e
ro ots in reverse order as successive cubings [10]. With this strategy, Algorithm
2is considerably more ecient than BKLS in characteristic three, and indeed
than the BKLS algorithm for even and large characteristic curves of comparable
order. To maintain this eciency when the pre-computation of cub e ro ots is not
viable, such as in constrained or hardware environments, it is vital that one can
p erform both cubings and cub e ro ots eciently. This is precisely why normal
bases are well suited to pairing based applications, since b oth a cubing and a
cub e ro ot are simply cyclic shifts of the vector of F elements representing an
3
element in the extension eld.
3 Notation and Construction of Bases
m
The nite eld F is isomorphic to F [X ]=f and F where f is an irre-
3 3 3
ducible p olynomial of degree m in F [X ] and isarootof f .We will identify 3
these three elds, but our notation will b e tailored towards F . In a p olyno-
3
mial basis F is regarded as an m-dimensional vector space over F with basis
3 3
0 1 m 1
; ;:::; . For an element a 2 F we will simply write the elements
3
in a p olynomial, or standard basis as
m 1
X
i
a = a^ :
i
i=0
Arithmetic in a p olynomial basis is fairly straightforward when based on con-
ventional p olynomial arithmetic. When discussing implementation of such arith-
metic, it is often useful to denote elements as a vector of co ecients suchas
a^ =^a ; a^ ; a^ ;::: ;a^ ;
0 1 2 m 1
so that physical op erations such as shifting and rotation of co ecients is more
i
naturally expressed. We use the notationa ^ to denote the left rotation of the
co ecients in sucha vector by distance i. That is, we write
i
a^ =^a ; a^ ; a^ ;::: ;a^ :
i+0 i+1 i+2 i+m 1
where in all cases, co ecient indices are reduced mo dulo m. Using this notation,
i
i
a^ represents the j -th co ecient of the rotated element^a .
j
In a normal basis, things are slightly more involved. Given an irreducible
p olynomial f of degree m and with ro ot , the full set of ro ots of f in F is
3
2 m 1
3 3 3
B = ; ; ;::: ; :
If the elements of B are linearly indep endent then the set of ro ots form a basis
of F over F and this basis, f and are all called normal. For an element
3 3
a 2 F we write
3
m 1
X
i
3
a a =
i
i=0
but again, for brevity,we often denote a normal basis eld element a using the
co ecientvectora and rotated co ecientvectors as describ ed ab ove.
The main advantage of a normal basis is that it allows fast application of
the Frob enius map and its inverse, i.e. cubing and taking cub e ro ots. Indeed, let
i
3
m
a 2 F b e represented bya, then for any i 2 Z the element a is represented
3
i
bya , i.e., applying Frob enius only takes a rotation.
Normal basis multiplication is more complicated, but a common technique is
m
based on a so-called multiplication matrix. Let a; b 2 F and let c = a b. Let 3
P
l k
m 1
1+3 3
= d , then
lk
k =0
m 1 m 1 m 1
X X X
j k i
3 3 3
b c = a
j k i
i=0 j =0
k =0
m 1 m 1
X X
i j j
1+3 3
= a b
i j
i=0 j =0
m 1 m 1 m 1
X X X
k j
3 3
= a b d
i j i j;k
i=0 j =0
k =0
m 1 m 1 m 1
X X X
k +j
3
= a b d
i j i j;k
i=0 j =0
k =0
m 1 m 1 m 1
X X X
k
3
= a b d
i+k j +k i j; j
i=0 j =0
k =0
m 1
X
k
k k T 3
= a M b ;
k =0
0 0 0 0
where for the p enultimate equality the transformation i = i + k ;j = j + k ;k =
0