On the Implementation of Pairing-Based Cryptosystems a Dissertation Submitted to the Department of Computer Science and the Comm
Total Page:16
File Type:pdf, Size:1020Kb
ON THE IMPLEMENTATION OF PAIRING-BASED CRYPTOSYSTEMS A DISSERTATION SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE AND THE COMMITTEE ON GRADUATE STUDIES OF STANFORD UNIVERSITY IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY Ben Lynn June 2007 c Copyright by Ben Lynn 2007 All Rights Reserved ii I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. Dan Boneh Principal Advisor I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. John Mitchell I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. Xavier Boyen Approved for the University Committee on Graduate Studies. iii Abstract Pairing-based cryptography has become a highly active research area. We define bilinear maps, or pairings, and show how they give rise to cryptosystems with new functionality. There is only one known mathematical setting where desirable pairings exist: hyperellip- tic curves. We focus on elliptic curves, which are the simplest case, and also the only curves used in practice. All existing implementations of pairing-based cryptosystems are built with elliptic curves. Accordingly, we provide a brief overview of elliptic curves, and functions known as the Tate and Weil pairings from which cryptographic pairings are derived. We describe several methods for obtaining curves that yield Tate and Weil pairings that are efficiently computable yet are still cryptographically secure. We discuss many optimizations that greatly reduce the running time of a naive imple- mentation of any pairing-based cryptosystem. These techniques were used to reduce the cost of a pairing from several minutes to several milliseconds on a modern consumer-level machine. Applications of pairings are largely beyond our scope, but we do show how pairings allow the construction of a digital signature scheme with the shortest known signature lengths at typical security levels. iv ON THE IMPLEMENTATION OF PAIRING-BASED CRYPTOSYSTEMS A DISSERTATION SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE AND THE COMMITTEE ON GRADUATE STUDIES OF STANFORD UNIVERSITY IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY Ben Lynn June 2007 c Copyright by Ben Lynn 2007 All Rights Reserved ii I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. Dan Boneh Principal Advisor I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. John Mitchell I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. Xavier Boyen Approved for the University Committee on Graduate Studies. iii Preface Pairing-based cryptography is a relatively young area of cryptography that revolves around a particular function with interesting propreties. It allows the construction of novel cryp- tosystems that are otherwise difficult or impossible to assemble using standard primitives. We first define a cryptographic pairing abstractly and show how it can be used to build a signature scheme that is simple yet has many desirable properties. Next we examine how a pairing can be implemented in practice. The only known mathematical setting where suitable pairings exist are groups on certain families of curves. We focus on the simplest and most well-understood case: elliptic curves. We discuss methods for finding curves that yield cryptographic pairings, and outline various optimizations that can be applied. We shall see that pairing-based cryptosystems are quite practical and compare well against traditional cryptosystems. It is hoped that this work will be a useful guide to implementing pairing-based cryptog- raphy to a programmer who has experience with conventional cryptosystems. While not comprehensive, the information contained herein should be enough to allow one to build practical pairing-based applications from scratch. Notably absent are in-depth discussion of the characteristic 3 case, pairings where the subgroup size is necessarily significantly smaller than the field size, and hyperelliptic curves, This text is intended to be self-contained. Aside from arithmetic at the lowest level, algorithms not likely to be found in a basic course in number theory or cryptography are quoted here, enabling the reader to implement pairings without referring to any other sources. Some background is required by the reader as we do not review basic abstract algebra. On the other hand, we introduce enough elliptic curve theory for cryptographic purposes. The following publications form the foundation of this thesis: iv D.Boneh, B. Lynn, and H. Shacham. Short signatures from the Weil pairing. Journal • of Cryptology, 17(1):297–319, 2004. P. S. L. M. Barreto, H. Y. Kim, B. Lynn and M. Scott. Efficient algorithms for • pairing-based cryptosystems. In CRYPTO 2002, pages 354–368. P. S. L. M. Barreto, B. Lynn and M. Scott. Constructing elliptic curves with pre- • scribed embedding degree. In Third Conference on Security in Communication Net- works 2002. P. S. L. M. Barreto, B. Lynn and M. Scott. On the selection of pairing-friendly groups. • In Selected Areas of Cryptography 2003. More polished versions of the above works can be found in the Journal of Cryptology [18, 7]. Most of the described algorithms and optimizations feature in the PBC (Pairing-Based Cryptography) library, maintained by the author, and available under the GNU Public License at http://crypto.stanford.edu/pbc/. v Contents Abstract iv Preface iv 1 Bilinear Maps 1 1.1 CyclicGroups................................... 2 1.2 FormalSecurityDefinitions . ... 2 1.3 ConcreteCyclicGroups . .. .. .. .. .. .. .. .. 4 1.4 TheSymmetricPairing ............................. 5 1.5 TheBLSSignatureScheme . .. .. .. .. .. .. .. 6 1.6 NewHardnessAssumptions . 6 1.7 LooseningthePairingDefinition . .... 7 1.7.1 AProblemWithHashing ........................ 8 1.8 TheGeneralBilinearPairing . ... 8 1.9 Exponentiation as a Bilinear Pairing . ...... 10 1.10 ChoosingaDefinition . .. .. .. .. .. .. .. .. 10 1.11 ConcreteBilinearMaps . 11 2 Elliptic Curves 14 2.1 InformalOverviewofEllipticCurves . ...... 14 2.2 PointsonEllipticCurves . 15 2.3 FindingPoints .................................. 17 2.3.1 Tonelli-Shanks Algorithm . 18 2.3.2 HashingtoPoints ............................ 19 2.4 PointCompressionandReduction . 19 vi 2.5 The Chord-Tangent Law of Composition . 19 2.6 ExplicitFormulas................................ 20 2.7 EllipticCurveCryptography . 21 2.8 SingularEllipticCurves . 23 2.9 Security ...................................... 24 2.10 ShortSignatures ................................ 25 3 The Weil and Tate Pairings 26 3.1 TorsionPoints .................................. 26 3.2 RationalFunctions ............................... 27 3.3 CurveEndomorphisms.............................. 27 3.4 ZeroesandPoles ................................. 29 3.5 Divisors ...................................... 30 3.6 TheWeilPairing ................................. 31 3.6.1 WeilReciprocity ............................. 32 3.7 TheTatePairing ................................. 33 3.8 MergingTheorywithPractice. 34 3.9 Miller’sAlgorithm ............................... 35 3.9.1 TheWeilPairing ............................. 35 3.9.2 TheTatePairing............................. 36 3.9.3 Intermediate Poles and Zeroes . 38 3.10WorkedExamples ................................ 38 3.10.1 TheWeilPairing ............................. 39 3.10.2 TheTatePairing............................. 40 3.10.3 Remarks.................................. 42 3.11 RestrictingInputs .............................. 42 3.12 TheShipsey-StangeAlgorithm . 43 3.12.1 Example.................................. 45 3.12.2 Remarks.................................. 45 4 Curve Selection 47 4.1 TheEmbeddingDegree ............................. 48 4.2 Weil and Tate Pairing Comparison . 49 4.2.1 CompositeGroupOrders . 50 vii 4.3 PairingSecurity................................. 50 4.4 Lower Bounds on Field and Group Sizes . 51 4.5 ApproachestoFindingCurves . 52 4.6 SupersingularCurves. 53 4.7 TypeACurves .................................. 54 4.8 TypeBCurves .................................. 55 4.9 OtherEmbeddingDegree2Curves . 55 4.10TypeCCurves .................................. 56 4.11 Complex Multiplication . 57 4.12TypeDCurves .................................. 58 4.13TypeECurves .................................. 60 4.14TypeFCurves .................................. 61 4.15TypeGCurves .................................. 62 4.16 ComparingPairings .............................. 63 4.17PellEquations .................................. 64 4.18 Generalized Pell Equations . 65 4.19 HilbertPolynomials . .. .. .. .. .. .. .. .. 66 4.20 ArbitraryEmbeddingDegree . 68 5 Optimizing Cryptosystems 71 5.1 Multiprecision Arithmetic . 72 5.2 AllorNothing .................................. 73 5.3 MontgomeryReduction ............................. 73 5.4 CubeRoots.................................... 75 5.5 RandomPoints .................................. 75 5.6 DedicatedSquaring..............................