
Constructive and Computational Aspects of Cryptographic Pairings

Michael Naehrig

Constructive and Computational Aspects of Cryptographic Pairings

DISSERTATION

to obtain the degree of doctor at the Technische Universiteit Eindhoven, by the authority of the Rector Magnificus, prof.dr.ir. C.J. van Duijn, to be defended in public before a committee appointed by the Doctorate Board

on Thursday 7 May 2009 at 16.00 hours

by

Michael Naehrig

born in Stolberg (Rhld.), Germany

This dissertation has been approved by the promotor:

prof.dr. T. Lange

CIP-DATA LIBRARY TECHNISCHE UNIVERSITEIT EINDHOVEN

Naehrig, Michael

Constructive and Computational Aspects of Cryptographic Pairings / by Michael Naehrig. – Eindhoven: Technische Universiteit Eindhoven, 2009
Dissertation. – ISBN 978-90-386-1731-2
NUR 919
Subject heading: Cryptology
2000 Mathematics Subject Classification: 94A60, 11G20, 14H45, 14H52, 14Q05

Printed by Printservice Technische Universiteit Eindhoven
Cover design by Verspaget & Bruinink, Nuenen

© Copyright 2009 by Michael Naehrig

For Lukas and Julius

Promotor:

prof.dr. T. Lange

Committee:

prof.dr.dr.h.c. G. Frey (Universität Duisburg-Essen)
prof.dr. M. Scott (Dublin City University)
prof.dr.ir. H.C.A. van Tilborg
prof.dr. A. Blokhuis
prof.dr. D.J. Bernstein (University of Illinois at Chicago)
prof.dr. P.S.L.M. Barreto (Universidade de São Paulo)

All one has to do is hit the right key at the right time.

Johann Sebastian Bach

    Thanks

This dissertation would not exist without the help, encouragement, motivation, and company of many people. I owe much to my supervisor, Tanja Lange. I thank her for her support; for all the efforts she made, even in those years when I was not her PhD student; for taking care of so many things; and for being a really good supervisor. Another important person who deserves my sincere thanks is Paulo S.L.M. Barreto. Paulo was the one who initiated my interest in pairings. His encouragement and never-ending curiosity are a great source of motivation. It was a pleasure for me to work with him. My short visit to São Paulo was a pleasant and important experience. I highly appreciate Paulo's friendship. I am also indebted to Gerhard Frey, who was always open to answer questions and comment on problems. I thank him for his patience, friendliness, help, and hospitality. I express my gratitude to Gerhard Frey, Michael Scott, Henk van Tilborg, Aart Blokhuis, Dan Bernstein, and Paulo Barreto for agreeing to join my PhD committee, and for reading the manuscript and giving valuable comments. Furthermore, I thank Laura Hitt O'Connor for scientific and general discussions. I have also profited from encouraging conversations with Steven Galbraith. I thank Paulo Barreto, Peter Schwabe, Laura Hitt O'Connor, Gary McGuire, Marco Streng, Christophe Arène, Tanja Lange, and Christophe Ritzenthaler for their fruitful collaboration.

Many thanks go to the people in the coding and cryptology group at TU/e, especially to Henk and Anita for providing a nice working atmosphere, and to the PhD students with whom I had the pleasure to share a really big office: Christiane, Jing, José, Peter, Peter, Peter, Reza, and Sebastiaan. I also appreciate the company of the PhD students from the fridge: Antonino, Bruno, Gaëtan, Daniel, Mayla, and Relinde. I thank Peter Schwabe and Peter Birkner for proofreading and pointing out mistakes and inconsistencies in earlier versions of this dissertation. Peter Schwabe is always a great help in choosing the right band for our weekly motto. Let me also mention Matilde Getz, Detlef, Gernot, Tobias, Daniel, Georg, Alex, Wolfgang, and Melli, some of my former colleagues in Aachen. I am grateful for their company in the last years. I am very happy to have shared many great musical experiences with all the nice people from the choir of the Aachener Bachverein. I also apologize to many friends for not being very communicative in the last months and thank them for understanding my full schedule. Many thanks to Simone and Andi for very welcome tea breaks, which could briefly distract me from work. Special thanks go to my family: my parents, my parents-in-law, grandparents, and my brother for their support and their confidence. I need to thank Lukas and Julius for reminding me so many times of the important values in life. Finally, I deeply thank my wife Natalie. There are no words to express my gratitude for her enormous support and her love.

Contents

Introduction . . . 1

1 Preliminaries . . . 5
1.1 Curves . . . 5
1.1.1 Affine and projective curves . . . 5
1.1.2 Singular points and tangent lines . . . 9
1.1.3 Intersection numbers and Bézout's Theorem . . . 11
1.1.4 Functions, morphisms, and twists . . . 13
1.1.5 Divisors, the Picard group and the genus . . . 16
1.1.6 Elliptic curves . . . 17
1.1.7 Edwards curves and twisted Edwards curves . . . 26
1.1.8 Hyperelliptic curves . . . 28
1.2 Pairings . . . 31
1.2.1 The Tate-Lichtenbaum pairing . . . 32
1.2.2 The Weil pairing . . . 35
1.2.3 Pairing computation on elliptic curves . . . 35
1.3 Constructing pairing-friendly curves . . . 41
1.3.1 The CM method for elliptic curves . . . 43
1.3.2 Elliptic curves with small embedding degree . . . 45

2 BN curves . . . 47
2.1 Construction . . . 47
2.1.1 Distribution of BN prime pairs . . . 49
2.1.2 Choosing a generator point . . . 50
2.2 Properties . . . 52
2.2.1 Automorphisms . . . 53
2.2.2 Twists and point representation . . . 54
2.2.3 Field extensions . . . 55
2.2.4 Efficient endomorphisms . . . 56
2.2.5 Point compression . . . 59
2.3 Pairing computation . . . 61
2.3.1 Tate and twisted ate pairings . . . 63
2.3.2 ate and optimal pairings . . . 64
2.3.3 Pairing compression . . . 65
2.4 Construction revisited . . . 66
2.4.1 Prime pairs and primitive roots . . . 67
2.4.2 Curve, twist, and automorphisms . . . 68
2.4.3 Finite fields and twist isomorphism . . . 68
2.5 Examples . . . 69

3 Compressed pairing computation . . . 71
3.1 Preliminaries on tori . . . 72
3.2 Even embedding degree . . . 73
3.3 Curves with a sextic twist . . . 76
3.4 Implementation . . . 83

4 Pairings on Edwards curves . . . 85
4.1 Lines and conics . . . 86
4.2 Geometric interpretation of the group law . . . 90
4.3 Explicit formulas for Miller functions . . . 98
4.3.1 Addition . . . 99
4.3.2 Doubling . . . 100
4.3.3 Miller loop . . . 101
4.3.4 Comparison . . . 101

5 Constructing curves of genus 2 with p-rank 1 . . . 103
5.1 Abelian varieties with complex multiplication . . . 103
5.2 A CM construction for genus-2 curves with p-rank 1 . . . 107
5.2.1 Genus-2 curves with p-rank 1 . . . 107
5.2.2 The CM method for genus 2 . . . 109
5.2.3 Algorithms . . . 112
5.2.4 Examples . . . 114
5.3 Prescribed embedding degree in genus 2 . . . 115
5.4 Prescribed embedding degree for p-rank 1 . . . 116

A Compressed torus arithmetic . . . 119
A.1 Verification of formulas . . . 119
A.2 Pseudo code . . . 122

Bibliography . . . 125

Index . . . 135

Summary . . . 139

Curriculum vitae . . . 141

Introduction

In 1976, Diffie and Hellman published their groundbreaking paper New Directions in Cryptography [DH76], in which they introduced the concept of public-key cryptography. By then, t