
Computing the Tate Pairing

2005, Lecture Notes in Computer Science

Michael Scott
School of Computing, Dublin City University, Ballymun, Dublin 9, Ireland
mike@computing.dcu.ie

Research supported by Enterprise Ireland grant IF/2002/0312/N.
A.J. Menezes (Ed.): CT-RSA 2005, LNCS 3376, pp. 293–304, 2005. © Springer-Verlag Berlin Heidelberg 2005

Abstract. We describe, in detail sufficient for easy implementation, a fast method for calculation of the Tate pairing, as required for pairing-based cryptographic protocols. We point out various optimisations and tricks, and compare timings of a pairing-based Identity Based Encryption scheme with an optimised RSA implementation.

Keywords: Elliptic curves, pairing-based cryptosystems.

1 Introduction

In the fast growing world of pairing-based cryptography (for background see [1]) there are many protocols, many pairings (Tate, Weil, modified Weil etc.) and many choices for the embedding degree k, as well as a choice of super- or non-supersingular curves over fields of large or small characteristic. The range of protocols is impressive, many with novel properties [6, 7, 28]. For a recent review see [11]. However so far there are not many reported implementations of the fast algorithms for pairings that have been developed in [2, 4, 13]. Here for the sake of being concrete we will focus exclusively on the Tate pairing on non-supersingular curves over a field of large prime characteristic. We will also focus on the case k = 2 for the following reasons:

– It simplifies the description.
– Choosing k = 2 makes it easy to pick a group order of the lowest possible Hamming weight, which is very efficient.
– Choosing k = 2 allows us to implement the Tate pairing based protocols using only E(F_p) elliptic curves, as supported by many cryptographic libraries.
– k = 2 permits the important denominator elimination optimisation [2].
– It allows for easy times-2 compression of the Tate pairing value [25].
– In protocols elliptic curve point multiplication can often be replaced with faster exponentiation using the identity e_r(wP, Q) = e_r(P, Q)^w.
– Elliptic curves suitable for pairing based cryptosystems are, by design, in flagrant breach of the MOV condition, as required for “ordinary” elliptic curves [20]. The ECC community recently got a scare when Semaev [27] suggested that a new index calculus type attack on normal elliptic curves may be possible. In the context considered here an index calculus attack is already possible [20], and therefore we need not be too concerned. Nevertheless a choice of a small value of k reduces the impact of any such new attack.
– For a given level of security it is our experience that k = 2 is fastest.
– In many protocols it is required to do a point multiplication prior to application of the Tate pairing. Using k = 2 this implies a point multiplication only on an E(F_p) curve, rather than a point multiplication on a curve defined over a higher extension field, which would be computationally more expensive.
– F_{p^2} arithmetic is particularly easy to implement. This is sometimes called the quadratic extension field. If it is assumed in this paper that the prime modulus p is 3 mod 4, then an element in F_{p^2} can be considered as a “complex number”, a + bi, a, b ∈ F_p, where i is √−1. Note that −1 is always a quadratic non-residue for a 3 mod 4 prime. There are exactly (p − 1)(p + 1) elements in the field F_{p^2}. Note that (a + ib)^p = (a − ib), where a − bi is the conjugate of a + ib. Also an element ∈ F_{p^2} can be squared (or multiplied) using just two (or three) F_p modular multiplications, using the identity (a + bi)^2 = (a + b)(a − b) + 2abi and Karatsuba’s method respectively. Sometimes we use the notation [a, b] to denote the F_{p^2} number a + bi. Using k = 2 the time-critical function is 512-bit modular multiplication. This is the same operation as required for 1024-bit RSA decryption using the Chinese Remainder Theorem, and therefore it is likely to be supported by hardware accelerators and co-processors. Highly optimized code for this common operation may be already supported by cryptographic software libraries.

We do concede that k = 2 may not be optimal in some settings such as a short signature scheme, like for example the BLS scheme [7].

In this paper we draw heavily from the theoretical results described by Barreto et al. [4] and [2]. Our results improve a little on those described there using ideas from [25].

2 The Curve

There are many ways proposed to find non-supersingular curves of low embedding degree suitable for pairing-based protocols. See for example [3, 5, 8, 10, 21] and [26]. Using these methods the existence of a suitable elliptic curve is first determined, and then the actual parameters of the curve are found using the method of Complex Multiplication as described in [14] and implemented in [23]. The particular curve we will use (found using the “folklore” method described by Galbraith in Chapter 9 of [5]) is described in the Weierstrass form E : y^2 = x^3 − 3x + B with B ∈ F_p. If x, y ∈ F_p, the curve has #E(F_p) points on it, where #E(F_p) = p + 1 − t and t is the trace of the Frobenius [20]. If x, y ∈ F_{p^2}, it has #E(F_{p^2}) = (p + 1 − t)(p + 1 + t) points. A related twisted curve E′(F_p) is E′ : y^2 = x^3 − 3x − B
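The F_{p^2} arithmetic that the introduction relies on (elements as "complex numbers" a + bi for p ≡ 3 mod 4, squaring with two F_p multiplications, Karatsuba products with three, and conjugation as the p-th power Frobenius), written out as an added Python example; this is not code from the paper or from the author's library, and the modulus P is a constructed small prime chosen for illustration, not one of the paper's parameters.

```python
import random
# Constructed modulus for the example: a prime p ≡ 3 (mod 4), so -1 is a
# quadratic non-residue and F_{p^2} = F_p[i] with i^2 = -1, as in the paper.
# An element a + bi is the tuple (a, b) (the paper's [a, b]), reduced mod p.
P = 1_000_000_007

def fp2_mul(x, y, p=P):
    """Karatsuba, three F_p multiplications: (ac - bd) + ((a+b)(c+d) - ac - bd) i."""
    a, b = x
    c, d = y
    ac, bd = a * c % p, b * d % p
    cross = (a + b) * (c + d) % p
    return ((ac - bd) % p, (cross - ac - bd) % p)

def fp2_sqr(x, p=P):
    """Squaring with two F_p multiplications: (a+bi)^2 = (a+b)(a-b) + 2ab i."""
    a, b = x
    return ((a + b) * (a - b) % p, 2 * a * b % p)

def fp2_conj(x, p=P):
    """The conjugate of a + bi is a - bi."""
    return (x[0], (-x[1]) % p)

def fp2_pow(x, e, p=P):
    """Left-to-right square-and-multiply using the cheaper squaring routine."""
    r = (1, 0)
    for bit in bin(e)[2:]:
        r = fp2_sqr(r, p)
        if bit == "1":
            r = fp2_mul(r, x, p)
    return r

def frobenius_is_conjugation(x, p=P):
    """The paper's identity (a + ib)^p = a - ib, checked for one element."""
    return fp2_pow(x, p, p) == fp2_conj(x, p)

def multiplicative_order_divides(x, p=P):
    """Nonzero x satisfies x^((p-1)(p+1)) = 1: the multiplicative group has order p^2 - 1."""
    return fp2_pow(x, (p - 1) * (p + 1), p) == (1, 0)

def karatsuba_matches_schoolbook(trials=50, seed=1, p=P):
    """Cross-check fp2_mul/fp2_sqr against the four-multiplication schoolbook product."""
    rng = random.Random(seed)
    for _ in range(trials):
        a, b, c, d = (rng.randrange(p) for _ in range(4))
        school = ((a * c - b * d) % p, (a * d + b * c) % p)
        if fp2_mul((a, b), (c, d), p) != school or fp2_sqr((a, b), p) != fp2_mul((a, b), (a, b), p):
            return False
    return True
```

The same routines carry over unchanged to a 512-bit p ≡ 3 mod 4, where each F_p multiplication becomes the 512-bit modular multiplication the paper identifies as the time-critical operation.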