3.1 Finite Fields, Elliptic Curves and Tate Pairing
3.1.4 Tate Pairing
into $G_2$ in the case of Type 3 pairing. However, no method is known to securely hash into $G_2$ when we are in the Type 2 setting (see [88] for a more detailed discussion).
Note that the approach outlined above is probabilistic in nature, though the probability of failure is extremely small. On the other hand, Icart [107] has recently suggested a method to deterministically hash into an elliptic curve.
To summarise, elliptic curves defined over finite fields provide rich examples of abelian groups. The main advantage is that no (generic) sub-exponential algorithm is known for solving the discrete log problem (we will qualify this statement later).
Consequently, one can work over comparatively smaller fields. The gains from doing this are two-fold: the finite field arithmetic is more efficient, and the storage requirement is smaller, which is important for implementation on resource constrained devices.
$n$-torsion points of $E$ over $K$ is defined to be the set $E(L)[n] = \{P \in E(L) : nP = O\}$.
Define $E(L)/rE(L)$ to be the collection of all cosets of $E(L)$ modulo $rE(L)$, and $f_{s,P}$ to be an $L$-rational function with divisor
$$\mathrm{div}(f_{s,P}) = s(P) - ([s]P) - (s-1)(O).$$
Let $E$ be an elliptic curve defined over $\mathbb{F}_q$ and let $r$ be coprime to $q$ with $r \mid \#E(\mathbb{F}_q)$.
The embedding degree of $E$ with respect to $r$ is defined to be (under certain technical conditions) the smallest positive integer $k$ such that $r \mid (q^k - 1)$. Then $k$ is also the least positive integer such that the field $\mathbb{F}_{q^k}$ contains all the $r$th roots of unity.
Let $k$ be the embedding degree of $E/\mathbb{F}_q$ with respect to $r$. The (reduced and normalised) Tate pairing is defined as follows.
$e : E(\mathbb{F}_q)[r] \times E(\mathbb{F}_{q^k})/rE(\mathbb{F}_{q^k}) \to \mu_r(\mathbb{F}_{q^k})$ is given by
$$e(P,Q) = f_{r,P}(Q)^{(q^k-1)/r},$$ where
• $P$ is an $r$-torsion point from $E(\mathbb{F}_{q^k})$;
• $Q$ is any point in a coset in $E(\mathbb{F}_{q^k})/rE(\mathbb{F}_{q^k})$, and it can be shown that the pairing value is independent of the coset representative;
• the result is an element of $\mathbb{F}_{q^k}$ of order $r$.
Note that $P$ is from $E(K)$ while $Q$ is from $E(L)$, where $K$ is a finite field and $L$ is a degree $k$ extension of $K$. Since $P$ is an $r$-torsion point, it follows that $rP = O$ and so
$$\mathrm{div}(f_{r,P}) = r(P) - ([r]P) - (r-1)(O) = r(P) - r(O).$$
The computation of $f_{s,P}$ uses a double-and-add algorithm similar to that of scalar multiplication. Assume that $E$ is given in Weierstraß form. Let $P$ and $R$ be points on $E$. We define the following rational functions and their divisors.
1. $\ell_{P,R}$ ($R \neq P$) is the line passing through $P$, $R$ and $-(P+R)$.
$\mathrm{div}(\ell_{P,R}) = (P) + (R) + (-(P+R)) - 3(O)$.
2. $\ell_{R,R}$ is the line passing through $R$ and $-2R$.
$\mathrm{div}(\ell_{R,R}) = 2(R) + (-2R) - 3(O)$.
3. $\ell_{R,-R}$ is the line passing through $R$ and $-R$.
$\mathrm{div}(\ell_{R,-R}) = (R) + (-R) - 2(O)$.
4. $h_{P,R}$ for $R \neq P$ is defined to be $h_{P,R} = \ell_{P,R}/\ell_{T,-T}$ where $T = R + P$.
$\mathrm{div}(h_{P,R}) = \mathrm{div}(\ell_{P,R}) - \mathrm{div}(\ell_{T,-T})$.
5. $h_{R,R}$ is defined to be $h_{R,R} = \ell_{R,R}/\ell_{T,-T}$ where $T = 2R$.
$\mathrm{div}(h_{R,R}) = \mathrm{div}(\ell_{R,R}) - \mathrm{div}(\ell_{T,-T})$.
Note that $\mathrm{div}(f_{1,P}) = (P) - (P) = 0$ and so $f_{1,P} = 1$. A recurrence for $f_{s,P}$ can be obtained as follows.
$$
\begin{aligned}
\mathrm{div}(f_{2m,P}) &= 2m(P) - (2mP) - (2m-1)(O) \\
&= 2\big(m(P) - (mP) - (m-1)(O)\big) + 2(mP) - (2mP) - (O) \\
&= 2\,\mathrm{div}(f_{m,P}) + 2(mP) + (-2mP) - 3(O) - \big((2mP) + (-2mP) - 2(O)\big) \\
&= 2\,\mathrm{div}(f_{m,P}) + \mathrm{div}(\ell_{mP,mP}) - \mathrm{div}(\ell_{2mP,-2mP}) \\
&= 2\,\mathrm{div}(f_{m,P}) + \mathrm{div}(h_{mP,mP}).
\end{aligned}
$$
$$
\begin{aligned}
\mathrm{div}(f_{2m+1,P}) &= (2m+1)(P) - ((2m+1)P) - 2m(O) \\
&= 2m(P) - (2mP) - (2m-1)(O) + (P) + (2mP) - ((2m+1)P) - (O) \\
&= \mathrm{div}(f_{2m,P}) + (P) + (2mP) + (-(2m+1)P) - 3(O) - \big(((2m+1)P) + (-(2m+1)P) - 2(O)\big) \\
&= \mathrm{div}(f_{2m,P}) + \mathrm{div}(\ell_{2mP,P}) - \mathrm{div}(\ell_{(2m+1)P,-(2m+1)P}) \\
&= \mathrm{div}(f_{2m,P}) + \mathrm{div}(h_{P,2mP}).
\end{aligned}
$$
So, we have $\mathrm{div}(f_{2m,P}) = 2\,\mathrm{div}(f_{m,P}) + \mathrm{div}(h_{mP,mP})$, from which we get $f_{2m,P} = f_{m,P}^2 \times h_{mP,mP}$.
Similarly, $\mathrm{div}(f_{2m+1,P}) = \mathrm{div}(f_{2m,P}) + \mathrm{div}(h_{P,2mP})$ shows $f_{2m+1,P} = f_{2m,P} \times h_{P,2mP}$.
Computing the Tate pairing reduces to the following task: given $P \in E(K)$ and $Q \in E(L)$, compute $f_{r,P}(Q)$. This is done using Miller's algorithm [135, 136] in the following manner. Let $r_{t-1} r_{t-2} \ldots r_0$ be the binary expansion of $r$.
• Set $f \leftarrow 1$.
• Compute $rP$ from left-to-right using "double and add".
• Let $R$ be the input before the $i$th iteration.
– $f \leftarrow f^2 \times h_{R,R}(Q)$; $R \leftarrow 2R$;
– if $r_{n-i} = 1$: $f \leftarrow f \times h_{R,P}(Q)$; $R \leftarrow R + P$.
The above computation is the so-called Miller operation. The final $f$ obtained after the full iteration of the loop is raised to the power $(q^k-1)/r$ to get a unique element in $\mu_r(L)$. This is the final exponentiation part in the (reduced) Tate pairing.
The first paper [133] to introduce bilinear maps to cryptology considered a different map called the Weil pairing. Tate pairing was later introduced in [133, 84].
Several variants of Tate pairing, such as the ate and R-ate pairings, are the currently known bilinear maps suitable for implementing pairing based cryptographic protocols (including IBE schemes). As a consequence, efficient implementation of pairing has become an active research area and there are important advances in different aspects. These include construction of elliptic curves suitable for pairing implementation [18, 1, 19], efficient algorithms for pairing [104, 128, 167] and especially efficient implementation of pairing, even on resource constrained devices such as sensor networks (see [143, 12, 58, 138, 30] for some recent results).
A related and equally important problem is the construction of elliptic curves over which pairings can be computed very fast. Such curves are called pairing friendly curves. Interested readers are referred to [83] which provides a taxonomy of pairing friendly curves.
Use of pairings in cryptanalysis. We will be interested in the use of pairings to construct IBE and other cryptographic schemes. But the first application of pairings in cryptology was essentially to cryptanalysis. Bilinear maps were suggested in [133, 84] to reduce the discrete log problem over elliptic curves to that over finite fields.
As before, suppose that $E$ is an elliptic curve over a finite field $K$, $r$ is a prime divisor of $\#E(K)$, and $k$ is the embedding degree of $E$ with respect to $r$.
Further, let $L$ be the degree $k$ extension of $K$. Then the bilinear map is of the form $e : E(K)[r] \times E(L)/rE(L) \to \mu_r(L)$. Write $G_1 = E(K)[r]$ and $G_2 = E(L)/rE(L)$, where $G_1$ and $G_2$ are seen as cyclic groups with generators $P$ and $Q$ respectively. Then $e(P,Q)$ is a generator of $\mu_r(L)$.
The discrete log problem in $G_1 = \langle P \rangle$ is: given $R$, find $a$ such that $R = aP$. But $e(aP,Q) = e(P,Q)^a$, and so the problem reduces to finding the discrete log of $h = e(R,Q)$ with respect to the base $g = e(P,Q)$. It was previously mentioned that there are no known sub-exponential algorithms for finding discrete logs in an elliptic curve group, whereas such algorithms are known for finite fields.
But, bilinear maps provide a method to convert the discrete log problem over elliptic curves to the discrete log problem over finite fields. This is the so-called MOV reduction named after Menezes, Okamoto and Vanstone who first observed such a relationship [133].
The question that now arises is how good this method is for finding discrete logs.
If the embedding degree $k$ is very large, then the size of $L$ is also very large and the above method will not be effective. So the security of the discrete log problem over elliptic curves depends on the value of the embedding degree. For supersingular curves $k \leq 6$, and so the discrete log problem over such curves is not much more difficult than over finite fields. On the other hand, for a randomly chosen ordinary elliptic curve the value of $k$ is expected to be very large and so the above method is not useful [16].
The second argument $Q$ of $e(P,Q)$ is an element of $E(L)$. For certain types of curves (which include the supersingular curves), it is possible to use a so-called distortion map and consider $Q$ to be an element of $E(K)$. In this case, we have $G_1 = G_2$, giving rise to a symmetric bilinear map, i.e., $e(P,Q) = e(Q,P)$. This setting allows for an easy solution to the DDH problem in $G_1$. An instance of the DDH problem in $G_1$ is a tuple $(P, aP, bP, cP)$, and the requirement is to decide whether $c = ab$ or whether $c$ is a uniform random element of $\mathbb{Z}_p$ independent of $a$ and $b$. This is easily done by checking whether $e(P,cP) = e(P,P)^c$ equals $e(aP,bP) = e(P,P)^{ab}$.
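As an added example, not the book's own code, the Python below implements the Miller operation with the functions $h_{R,S}$ defined earlier in this section and the DDH check just described. The curve, parameters and sample points are assumptions of this example: the supersingular curve $y^2 = x^3 + x$ over $\mathbb{F}_{43}$ with $r = 11$, embedding degree $k = 2$, and the distortion map $\psi(x,y) = (-x, iy)$.

```python
# Added example (not the book's code): Tate pairing via Miller's algorithm on y^2 = x^3 + x over F_p, p = 3 mod 4, k = 2.
p, r, A = 43, 11, 1      # constructed toy parameters: #E(F_43) = 44 = 4 * 11 and 11 | 43^2 - 1
# F_{p^2} = F_p[i]/(i^2 + 1); an element is a pair (a, b) standing for a + b*i.
def fadd(u, v): return ((u[0] + v[0]) % p, (u[1] + v[1]) % p)
def fsub(u, v): return ((u[0] - v[0]) % p, (u[1] - v[1]) % p)
def fmul(u, v): return ((u[0]*v[0] - u[1]*v[1]) % p, (u[0]*v[1] + u[1]*v[0]) % p)
def finv(u):             # 1/(a + b*i) = (a - b*i)/(a^2 + b^2); the norm a^2 + b^2 lies in F_p
    n = pow((u[0]*u[0] + u[1]*u[1]) % p, -1, p)
    return (u[0]*n % p, -u[1]*n % p)
def fpow(u, e):
    acc = (1, 0)
    while e:
        if e & 1: acc = fmul(acc, u)
        u, e = fmul(u, u), e >> 1
    return acc
# Points are (x, y) pairs of F_{p^2} elements; None stands for the point at infinity O.
def slope(R, S):         # slope of the line l_{R,S} (the tangent at R when R = S)
    if R == S:
        return fmul(fadd(fmul((3, 0), fmul(R[0], R[0])), (A, 0)), finv(fmul((2, 0), R[1])))
    return fmul(fsub(S[1], R[1]), finv(fsub(S[0], R[0])))
def ec_add(R, S):
    if R is None: return S
    if S is None: return R
    if R[0] == S[0] and fadd(R[1], S[1]) == (0, 0): return None   # S = -R, so R + S = O
    lam = slope(R, S)
    x3 = fsub(fsub(fmul(lam, lam), R[0]), S[0])
    return (x3, fsub(fmul(lam, fsub(R[0], x3)), R[1]))
def ec_mul(n, P):        # left-to-right double and add
    R = None
    for bit in bin(n)[2:]: R = ec_add(ec_add(R, R), P if bit == '1' else None)
    return R
def h(R, S, Q):          # h_{R,S}(Q) = l_{R,S}(Q) / l_{T,-T}(Q) with T = R + S, as defined in the text
    T = ec_add(R, S)
    if T is None:        # S = -R: l_{R,S} is the vertical line x - x_R and the denominator is 1
        return fsub(Q[0], R[0])
    num = fsub(fsub(Q[1], R[1]), fmul(slope(R, S), fsub(Q[0], R[0])))
    return fmul(num, finv(fsub(Q[0], T[0])))
def tate(P, Q):          # e(P, Q) = f_{r,P}(Q)^((p^2 - 1)/r): Miller operation, then final exponentiation
    f, R = (1, 0), P     # R = P accounts for the leading bit r_{t-1} = 1
    for bit in bin(r)[3:]:                                   # bits r_{t-2} ... r_0, left to right
        f, R = fmul(fmul(f, f), h(R, R, Q)), ec_add(R, R)    # f <- f^2 * h_{R,R}(Q); R <- 2R
        if bit == '1':
            f, R = fmul(f, h(R, P, Q)), ec_add(R, P)         # f <- f * h_{R,P}(Q); R <- R + P
    return fpow(f, (p*p - 1) // r)
def distort(P):          # distortion map psi(x, y) = (-x, i*y): E(F_p) -> E(F_{p^2}) \ E(F_p)
    return (fsub((0, 0), P[0]), fmul((0, 1), P[1]))
def ddh(P, aP, bP, cP):  # DDH test from the text: accept iff e(P, cP) == e(aP, bP), both via psi
    return tate(P, distort(cP)) == tate(aP, distort(bP))
P = ec_mul(4, ((2, 0), (15, 0)))   # cofactor-clear the constructed point (2, 15): P has order r = 11
```

With these parameters $e(P,\psi(P))$ has exact order $r$, $e(aP,\psi(bP)) = e(P,\psi(P))^{ab}$, and `ddh` accepts $c = ab \bmod r$ while rejecting any other $c$.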