Pairings for Cryptographers
Craig Costello ([email protected])
Talk based on disjoint work (not mine) by Steven Galbraith, Kenny Paterson and Nigel Smart.
August 15, 2012

Pairing groups
A pairing is a bilinear map e : G1 × G2 → GT, (P, Q) ↦ e(P, Q).
P and Q must come from linearly independent groups G1 and G2 of the same (prime) order r.

Hashing: map-to-point and cofactor multiplication
E : y^2 = x^3 + ax + b. Assume r is the biggest prime factor of #E and write #E(F_q) = h · r, where h is called the cofactor.
map-to-point: modify H : {0, 1}* → F_q by incrementing its output (u ← u + 1 ∈ F_q) until u^3 + au + b = v^2 for some v ∈ F_q. Choose between ±v somehow.
cofactor multiplication: [h](u, v) is now of order r.

Hashing: example
Consider E : y^2 = x^3 + 4 over F_11, with #E(F_11) = 12. We want to use the biggest prime subgroup order possible (r = 3), so three points are killed by 3 in E(F_q).
E(F_11) = {O, (1, 4), (1, 7), (2, 1), (2, 10), (0, 2), (0, 9), (6, 0), (10, 5), (10, 6), (3, 3), (3, 8)}.
A generator is P = (2, 10). To get a point of order r = 3, take [4]P = (0, 9).
A hashing example: suppose H : {0, 1}* → F_q gives H(str) = 7. Then Ĥ : {0, 1}* → E(F_q) gives Ĥ(str) = [4](10, 5) = (0, 2).
Question: can we now compute a pairing?

What happens when we extend F_q to F_{q^2} with i^2 = −1?
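The map-to-point and cofactor-multiplication steps on the slide's toy curve y^2 = x^3 + 4 over F_11, worked in code (an added example, not code from the talk; the tie-break "take the smaller of ±v" and the brute-force square root are conventions chosen here for this toy size):

```python
# Added example (not from the talk): map-to-point plus cofactor multiplication on E : y^2 = x^3 + 4 over F_11.
p, a, b = 11, 0, 4
O = None  # the point at infinity

def add(P, Q):  # affine addition on y^2 = x^3 + a x + b over F_p
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O  # P + (-P)
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P):  # double-and-add scalar multiplication [k]P
    R = O
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def order(P):  # order of P by repeated addition (fine for a 12-point group)
    n, Q = 1, P
    while Q is not O:
        Q, n = add(Q, P), n + 1
    return n

def curve_points():  # all of E(F_p) by exhaustive search (toy size only)
    return [O] + [(x, y) for x in range(p) for y in range(p)
                  if (y * y - (x**3 + a * x + b)) % p == 0]

def map_to_point(u):
    # Increment u until u^3 + a u + b is a square in F_p; the slide leaves the
    # choice between +-v open, so this takes the smaller residue (my convention).
    while True:
        rhs = (u**3 + a * u + b) % p
        roots = [v for v in range(p) if v * v % p == rhs]
        if roots:
            return (u, min(roots))
        u = (u + 1) % p

def hash_to_subgroup(u, h):
    # Cofactor multiplication: [h](u, v) has order r (or is O if (u, v) already lay in E[h]).
    return mul(h, map_to_point(u))
```

With H(str) = 7 the increment loop passes 7, 8 and 9 (no square root) and stops at u = 10, giving (10, 5); multiplying by the cofactor h = 4 then lands on (0, 2) exactly as on the slide.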
(The slide lists every point of E(F_{11^2}); the full list is omitted here.) There are now 9 points that are killed by 3.

Torsion points
(Figure: the 3-torsion drawn as four petals sharing O.) The four cyclic subgroups of order 3 are {O, (0, 2), (0, 9)}, {O, (8, i), (8, 10i)}, {O, (2i + 7, i), (2i + 7, 10i)} and {O, (9i + 7, i), (9i + 7, 10i)}.
3 points in E(F_q)[3]; 9 points in E(F_{q^2})[3] (4 cyclic subgroups of order 3).
Question: how many points in E(F_{q^3})[3], E(F_{q^4})[3], ...?

In general...
No matter how far we extend F_q, there are precisely r^2 points that are killed by r. They form r + 1 cyclic subgroups of order r (they all share O). In the previous example, all points killed by 3 were contained in F_{q^2}.
Thm (Balasubramanian-Koblitz): let k be the minimal k ∈ Z such that r | q^k − 1; then all r^2 points killed by r lie in E(F_{q^k}).
There are r points in E(F_q) killed by r, but once we find one more in E(F_{q^k}), we find them all!

Another example
Consider E : y^2 = x^3 + 7x + 2 over F_11, with #E(F_11) = r = 7.
E(F_11) = {O, (7, 3), (7, 8), (8, 3), (8, 8), (10, 4), (10, 7)}.
q = 11, r = 7; the minimum k such that r | q^k − 1 is k = 3. F_{q^3} = F_q[u]/(u^3 + u + 4) and #E(F_{11^3}) = 2^2 · 7^3.
7 points killed by 7 in E(F_q); 7 points killed by 7 in E(F_{q^2}); 49 points killed by 7 in E(F_{q^3}); 49 points killed by 7 in E(F_{q^4}); ...; 49 points killed by 7 in E(F̄_q).

Another example: the 7-torsion
(Figure: the 49 points of the 7-torsion of E : y^2 = x^3 + 7x + 2 over F_{11^3}, drawn as eight petals, with coordinates written as powers of u; the coordinates are omitted here.)

What do cryptographers want in a pairing?
Of the (r + 1) cyclic subgroups of order r in E(F_{q^k}), we need to define two linearly independent subgroups G1 and G2.
The main three properties cryptographers might want:
1. to be able to hash onto G1 and G2 (randomly sample);
2. an isomorphism ψ : G2 → G1 for the security proof to work;
3. the pairing to be as efficient as possible.
Crux of talk: all three are not possible simultaneously...
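The Balasubramanian-Koblitz slide and the two toy curves above, checked numerically (an added example, not from the talk): it computes k from q and r, derives #E(F_{q^j}) from #E(F_q) via the Frobenius trace recurrence, and predicts how many points of each extension-field group are killed by r. The q = 103 curve from the twist slide is used only for its embedding degree.

```python
# Added example (not from the talk): check the slides' toy curves against the
# Balasubramanian-Koblitz statement using only q, r and #E(F_q).

def embedding_degree(q, r):
    """Smallest k >= 1 with r | q^k - 1, i.e. the order of q modulo r."""
    k, qk = 1, q % r
    while qk != 1:
        k, qk = k + 1, qk * q % r
    return k

def curve_orders(q, n1, jmax):
    """#E(F_{q^j}) for j = 1..jmax, derived from #E(F_q) = n1 via the Frobenius
    trace recurrence t_0 = 2, t_1 = q + 1 - n1, t_{j+1} = t_1 t_j - q t_{j-1}."""
    t1 = q + 1 - n1
    t_prev, t, orders = 2, t1, []
    for j in range(1, jmax + 1):
        orders.append(q**j + 1 - t)
        t_prev, t = t, t1 * t - q * t_prev
    return orders

def r_torsion_size(q, r, j):
    """Points killed by r in E(F_{q^j}) as the theorem predicts (assuming r | #E(F_q),
    r prime and r does not divide q - 1): the full r^2 once F_{q^k} is a subfield of
    F_{q^j}, i.e. k | j, and only the r base-field ones otherwise."""
    return r * r if j % embedding_degree(q, r) == 0 else r

def check_curve(q, r, n1):
    """Sanity check that the group orders agree with the torsion prediction: r divides
    every #E(F_{q^j}) for j <= k and r^2 divides #E(F_{q^k}). Returns (k, orders, ok)."""
    k = embedding_degree(q, r)
    orders = curve_orders(q, n1, k)
    ok = all(n % r == 0 for n in orders) and orders[-1] % (r * r) == 0
    return k, orders, ok
```

For the second curve the recurrence gives #E(F_{11^3}) = 1372 = 2^2 · 7^3, matching the slide, and the first curve's 3-torsion becomes full already over F_{11^2} because 11^2 ≡ 1 (mod 3).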
Maps on the general torsion (ordinary curves)
(Figure: the r + 1 cyclic subgroups of E[r] drawn as petals. G1 = E[r] ∩ Ker(π_q − [1]) is the base-field subgroup and G2 = E[r] ∩ Ker(π_q − [q]) is the trace-zero subgroup; the trace map Tr sends E[r] onto G1, with ψ = Tr on one arrow and "Type 2 amendments..." on the other, and representative points P1 ∈ G1, P2 ∈ G2.)

The twisted curve
(Figure: the original curve (left): q = 103, E/F_q : y^2 = x^3 + 72, #E(F_q) = 84, r = 7, k = 6, F_{q^k} = F_q[u]/(u^6 + 2). The twisted curve (right): q = 103, E/F_q : y^2 = x^3 − 41, #E(F_q) = 91, r = 7, k = 6. The base-field order-7 points (101, 95), (101, 8), (11, 95), (11, 8), (94, 95), (94, 8) on the left and (33, 19), (33, 84), (76, 19), (76, 84), (97, 19), (97, 84) on the right are drawn, with Ψ and Ψ^{-1} mapping between the two curves; the F_{q^6} coordinates of the remaining points are omitted.)

Type 2 pairing
(Figure: G1 is the base-field subgroup, G2 is one of the other petals, and ψ = Tr maps G2 to G1.)
Drawback: can't hash onto G2 without knowing the ECDLP w.r.t. the generator.

Type 3 pairing
(Figure: G1 is the base-field subgroup and G2 is the trace-zero subgroup.)
Drawback: can't compute ψ : G2 → G1.

Type 4 pairing (Shacham's thesis)
(Figure: G2 is the whole r-torsion, i.e. all r + 1 petals.)
Drawback: elements of G2 linearly independent.

Type 1: Supersingular curves have distortion maps φ
E : y^2 = x^3 + x over F_{59^2} = F_59[i]/(i^2 + 1), with the map φ : (x, y) ↦ (−x, iy): φ can map out of G1.
(Figure: points of G1 such as (25, 30), (25, 29), (35, 28), (35, 31) and their images under φ in G2, (34, 30i), (34, 29i), (24, 28i), (24, 31i), drawn alongside the other petals.)

Type 1 pairing
(Figure: G1 = G2 is the base-field subgroup, P1 = P2 = P, and φ(P1) lies in another petal.)
Drawback: the curve must be supersingular, meaning k ≤ 6 for elliptic curves: either much less secure or much less efficient.

Motivation for "Pairings for Dummies Cryptographers" ("Dummies" struck out on the slide)
Authors commonly write G × G → GT, and/or assume all properties (isomorphism, hashing, symmetry, etc.).
On the one hand, fair enough: pairings as a black box.
On the other hand, it's a cop-out (especially if you have huge products of pairings etc. and want to claim the scheme is "efficient", or dare to claim/cite timings).
Recommended reading for those who think they need ψ:
1. Chatterjee-Menezes: "... - The Role of ψ Revisited": Type 2 pairings offer no benefit over Type 3 pairings.
2. Also see Smart-Vercauteren: "On computable isomorphisms in efficient pairing-based systems".
If you don't need ψ, Type 3 pairings are the best.

Match your protocol to the best type (modulo caveats)
Figure: Type 1 pairings (if you don't need efficiency/security).
Figure: Type 2 pairings (if you don't need to randomly sample from G2).
Figure: Type 3 pairings (if your proof doesn't need/want a computable ψ : G2 → G1); see next slide.
Figure: Type 4 pairings (if elements of G2 can be linearly independent).

Questions...
In the question time of this talk, it was pointed out to me that I'd missed an important point: namely, that some schemes that are based on the external Diffie-Hellman assumption (XDH) or its variants actually rely on the non-existence of an efficiently computable ψ : G2 → G1, i.e. where Type 3 pairings are a must-have. This is because such schemes require the decisional Diffie-Hellman problem to also be hard in G2, which is not the case if ψ is efficiently computable.