Sage days 10, Nancy, France
Implementing the Weil, Tate and Ate pairings using Sage software
Nadia EL MRABET
LIRMM, I3M,
Université Montpellier 2
Saturday 11th October 2008
Outline of the presentation
1. Definition of a pairing
2. Construction of a pairing
3. Implementation of a pairing
What is a pairing ?
Properties
Let $G_1$, $G_2$ and $G_3$ be three groups with the same order $r$. A pairing
is a map :
$e : G_1 \times G_2 \to G_3$
which verifies the following properties :
• Non degenerate :
$\forall P \in G_1 \setminus \{0\},\ \exists Q \in G_2 : e(P, Q) \neq 1$
$\forall Q \in G_2 \setminus \{0\},\ \exists P \in G_1 : e(P, Q) \neq 1$
• Bilinearity : $\forall P, P' \in G_1,\ \forall Q, Q' \in G_2$
$e(P + P', Q) = e(P, Q) \cdot e(P', Q)$
$e(P, Q + Q') = e(P, Q) \cdot e(P, Q')$
Consequence
$\forall j \in \mathbb{N},\ e([j]P, Q) = e(P, Q)^j = e(P, [j]Q)$
Elliptic Curve Cryptography and pairings
Part 1 - Cryptanalysis
The MOV/Frey-Rück attack against the DLP on elliptic curves in
1993, 1994 :
using pairings, the DLP on elliptic curves becomes a DLP on a finite
field.
• Given $P$ and $Q = \alpha P \in E(\mathbb{F}_q)$,
the DLP on $E(\mathbb{F}_q)$ consists in finding $\alpha$.
• Let $S \in E(\mathbb{F}_q)$ be a point such that $e(P, S) \neq 1$,
let $e(P, S) = g$ and $e(Q, S) = h \in \mathbb{F}_{q^k}^*$, then
• the DLP becomes finding $\alpha$ such that $h = g^{\alpha}$ in a finite field.
Elliptic Curve Cryptography and pairings
Part 2 - Cryptography
Pairings allow the construction of novel protocols and simplification
of existing protocols.
• The tripartite Diffie-Hellman key exchange protocol (Joux
2001)
• The Identity Based Encryption (Boneh and Franklin 2001)
• Short signature scheme (Boneh, Lynn, Shacham 2001)
• Group signature schemes (Boneh, Shacham, 2004)
Elliptic Curve Cryptography and pairings
Pairings used
Four pairings are principally used in cryptography :
• the Weil pairing,
• the Tate pairing,
• the ηT pairing,
• the Ate pairing.
I focused only on the pairings constructed in the same way. The
Miller algorithm constructing the function $f_{r,P}$ is a central step for
the Weil, Tate and Ate pairings.
Construction of the pairings
Data
To compute a pairing, we need the following elements :
• $E$ an elliptic curve over $\mathbb{F}_q$ :
$E : y^2 = x^3 + ax + b$, where $a, b \in \mathbb{F}_q$.
• $r$ a prime dividing $\mathrm{card}(E(\mathbb{F}_q))$,
consider $E[r]$ : $E[r] = \{P \in E(\overline{\mathbb{F}_q}),\ [r]P = P_\infty\}$.
• The embedding degree $k$ : minimal integer such that
$r \mid (q^k - 1)$ :
If $\gcd(r, q) = 1$, then $E[r] \cong \mathbb{Z}/r\mathbb{Z} \times \mathbb{Z}/r\mathbb{Z}$,
If $k > 1$ then $E[r] = E(\mathbb{F}_{q^k})[r]$.
• A function $f_{r,P}$ described later.
Construction of the pairings
The Weil pairing
Let $P \in E[r]$ and $Q \in E[r]$
The Weil pairing is the bilinear map :
$e_W : E[r] \times E[r] \to \mathbb{F}_{q^k}^*$
$(P, Q) \mapsto \dfrac{f_{r,P}(Q)}{f_{r,Q}(P)}$
Construction of the pairings
The Tate pairing
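Let $P \in E(\mathbb{F}_q)[r]$, $Q \in E(\mathbb{F}_{q^k})/rE(\mathbb{F}_{q^k})$ and $k$ be the embedding
degree of the elliptic curve.
The Tate pairing is the bilinear map :
$e_T : E(\mathbb{F}_q)[r] \times E(\mathbb{F}_{q^k})/rE(\mathbb{F}_{q^k}) \to \mathbb{F}_{q^k}^*$
$(P, Q) \mapsto f_{r,P}(Q)^{\frac{q^k - 1}{r}}$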
Construction of the pairings
The Ate pairing
The Ate pairing is the latest optimisation of the Tate pairing. It is
constructed in the same way.
The Ate pairing eats the T in Tate, and uses it in order to be
computed with fewer iterations.
Let $\pi_q$ be the Frobenius map over the elliptic curve :
$\pi_q([x, y]) = [x^q, y^q]$
$t$ denotes the trace of the Frobenius over $E(\mathbb{F}_q)$ and $T = t - 1$.
Let $P \in E[r] \cap \mathrm{Ker}(\pi_q - [1])$ and $Q \in E[r] \cap \mathrm{Ker}(\pi_q - [q])$, i.e. $Q$
verifying $\pi_q(Q) = [q]Q$.
The Ate pairing is the bilinear map :
$e_A : E[r] \cap \mathrm{Ker}(\pi_q - [1]) \times E[r] \cap \mathrm{Ker}(\pi_q - [q]) \to \mathbb{F}_{q^k}^*$
$(P, Q) \mapsto f_{T,P}(Q)^{\frac{q^k - 1}{r}}$
Miller algorithm
The function fr ,P
In order to compute the pairings, we need to compute the function
$f_{r,P}$. The principal property of this function is that :
$\mathrm{Div}(f_{r,P}) = r\,\mathrm{Div}(P) - r\,\mathrm{Div}(P_\infty)$
Victor Miller established the Miller equation :
$f_{i+j,P} = f_{i,P} \times f_{j,P} \times \dfrac{l_{[i]P,[j]P}}{v_{[i+j]P}}$
where $l_{[i]P,[j]P}$ is the line joining the points $[i]P$ and $[j]P$,
and $v_{[i+j]P}$ is the vertical line passing through point $[i+j]P$.
Miller algorithm
Example
We want to compute $f_{7,P}$ :
• $7 = 6 + 1$
• $f_{7,P} = f_{6,P} \times f_{1,P} \times \dfrac{l_{[6]P,P}}{v_{[7]P}}$
$f_{1,P} = 1$
$f_{7,P} = f_{6,P} \times \dfrac{l_{[6]P,P}}{v_{[7]P}}$
• $f_{6,P} = f_{3,P} \times f_{3,P} \times \dfrac{l_{[3]P,[3]P}}{v_{[6]P}}$
when $i = j$, the line $l$ is the tangent at point $[i]P$
• $f_{6,P} = f_{3,P}^2 \times \dfrac{l_{[3]P,[3]P}}{v_{[6]P}}$
$f_{7,P} = f_{3,P}^2 \times \dfrac{l_{[3]P,[3]P}}{v_{[6]P}} \times \dfrac{l_{[6]P,P}}{v_{[7]P}}$
• $f_{3,P} = f_{2,P} \times f_{1,P} \times \dfrac{l_{[2]P,P}}{v_{[3]P}}$
$f_{3,P} = f_{2,P} \times \dfrac{l_{[2]P,P}}{v_{[3]P}}$
• $f_{2,P} = f_{1,P} \times f_{1,P} \times \dfrac{l_{P,P}}{v_{[2]P}}$
• $f_{7,P} = \left(\dfrac{l_{P,P}}{v_{[2]P}} \times \dfrac{l_{[2]P,P}}{v_{[3]P}}\right)^2 \times \dfrac{l_{[3]P,[3]P}}{v_{[6]P}} \times \dfrac{l_{[6]P,P}}{v_{[7]P}}$
Computing pairings
Miller algorithm : return $f_{r,P}(Q)$
Data : $r = (r_n \ldots r_0)_2$, $P \in E(\mathbb{F}_q)$ and $Q \in E(\mathbb{F}_{q^k})$ ;
Result : $f_{r,P}(Q) \in \mathbb{F}_{q^k}^*$ ;
1 : $T \leftarrow P$, $f_1 \leftarrow 1$, $f_2 \leftarrow 1$ ;
for $i = n - 1$ to $0$ do
    2 : $T \leftarrow [2]T$ ;
    3 : $f_1 \leftarrow f_1^2 \times l_d(Q)$ ;
    4 : $f_2 \leftarrow f_2^2 \times v_d(Q)$ ;
    if $r_i = 1$ then
        5 : $T \leftarrow T + P$ ;
        6 : $f_1 \leftarrow f_1 \times l_a(Q)$ ;
        7 : $f_2 \leftarrow f_2 \times v_a(Q)$ ;
    end
end
return $f_1 / f_2$
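The Miller loop above and the reduced Tate pairing built on it, as an added example in plain Python (not Sage, and not the author's implementation). The toy curve, the points P and Q and all function names are constructed for illustration; the `l` and `v` values returned by `step` play the roles of the slide's l_d, v_d (doubling) and l_a, v_a (addition).

```python
# Constructed toy parameters (not from the slides): E: y^2 = x^3 + x over F_59, r = 5, k = 2.
p, a, r = 59, 1, 5

# F_{p^2} = F_p[i]/(i^2 + 1); the pair (c0, c1) stands for c0 + c1*i.
def mul(u, v):
    return ((u[0]*v[0] - u[1]*v[1]) % p, (u[0]*v[1] + u[1]*v[0]) % p)

def inv(u):
    n = pow(u[0]*u[0] + u[1]*u[1], -1, p)          # 1 / norm(u)
    return (u[0]*n % p, -u[1]*n % p)

def fpow(u, e):
    out = (1, 0)
    while e:                                       # square-and-multiply
        if e & 1:
            out = mul(out, u)
        u, e = mul(u, u), e >> 1
    return out

def step(T, S, Q):
    """Return (T+S, l_{T,S}(Q), v_{T+S}(Q)) for T, S in E(F_p), Q in E(F_{p^2})."""
    (x1, y1), (x2, y2), ((qx0, qx1), (qy0, qy1)) = T, S, Q
    if x1 == x2 and (y1 + y2) % p == 0:            # T+S = P_inf: l is vertical, v = 1
        return None, ((qx0 - x1) % p, qx1), (1, 0)
    if T == S:
        lam = (3*x1*x1 + a) * pow(2*y1, -1, p) % p     # tangent at T
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p      # chord through T and S
    x3 = (lam*lam - x1 - x2) % p
    y3 = (lam*(x1 - x3) - y1) % p
    l = ((qy0 - y1 - lam*(qx0 - x1)) % p, (qy1 - lam*qx1) % p)
    return (x3, y3), l, ((qx0 - x3) % p, qx1)

def miller(n, P, Q):
    """f_{n,P}(Q) = f1/f2 as in the slide's loop; assumes P has order n."""
    T, f1, f2 = P, (1, 0), (1, 0)
    for bit in bin(n)[3:]:                         # bits of n below the leading one
        T, l, v = step(T, T, Q)
        f1, f2 = mul(mul(f1, f1), l), mul(mul(f2, f2), v)
        if bit == "1":
            T, l, v = step(T, P, Q)
            f1, f2 = mul(f1, l), mul(f2, v)
    return mul(f1, inv(f2))

def tate(P, Q):
    return fpow(miller(r, P, Q), (p*p - 1) // r)   # exponent (q^k - 1)/r

# P has order 5 in E(F_59); Q = (-x_P, i*y_P) has order 5 and lies outside E(F_59).
P, Q = (25, 30), ((34, 0), (0, 30))
print(tate(P, Q), tate((35, 31), Q))               # (35, 31) = [2]P
```

The second printed value is the square of the first, which is the bilinearity consequence e([j]P, Q) = e(P, Q)^j for j = 2.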
Implementation using Sage
Good points of Sage
• operations on the elliptic curve are easy to write : P + Q and 2 * P
for adding and multiplying points
• the trace of the Frobenius is implemented
• random points on the elliptic curve are available
• the worksheet is very nice to use
• Python is quite easy to learn
Conclusion
To compute pairings, we have :
• arithmetic of finite fields
• operations on elliptic curves
It is very easy to implement with Sage.
A "naive" implementation gives good results compared to Magma.
I have to improve my implementation, in order to have better
performance.