1. A Study of Efficient Pairing Computation Algorithm Using KSS Curves
Md. Al-Amin Khandaker
Ph.D. Supervisor: Professor Yasuyuki Nogami
Co-supervisors: Professor Nobuo Funabiki
Professor Satoshi Denno
Ph.D. Dissertation Defense
Graduate School of Natural Science and Technology
Okayama University, Japan
2. Publications
■ Peer Reviewed Journal: 2
■ International Conference: 8
■ Md. Al-Amin Khandaker and Yasuyuki Nogami. “An Improvement of Scalar Multiplication by Skew Frobenius Map with Multi-Scalar Multiplication for KSS Curve”. In: IEICE Transactions 100-A.9 (2017), pp. 1838-1845.
■ Md. Al-Amin Khandaker, Taehwan Park, Yasuyuki Nogami, and Howon Kim. “A Comparative Study of Twist Property in KSS Curves of Embedding Degree 16 and 18 from the Implementation Perspective”. In: J. Inform. and Commun. Convergence Engineering 15.2 (2017), pp. 97-103.
3. Contribution Overview
■ This dissertation provides the theoretical and experimental basis for several improvements to pairing-based cryptography (PBC).
■ We improved Miller’s algorithm for Ate-based pairing and scalar multiplication over KSS curves.
■ Many high-level cryptographic protocols based on pairing can make use of these improvements.
4. Outline
■ Background and Motivation
■ Fundamentals and Challenges of Pairing-Based Cryptography
■ Improvement of Pairing Algorithm
■ Improvement of Scalar Multiplication
■ Conclusion and Future Works
6. Background
■ About 40 years ago, two important innovations happened side by side.
◻ Internet Protocol Suite (TCP/IP) (January 1, 1983)
◻ Public Key Cryptography
■ Diffie–Hellman key exchange (DH) (1976)
■ RSA cryptosystem (1977)
■ ECC cryptosystem (1985)
8. Internet Protocol Suite
Figure: Network Topology (routers interconnected over Ethernet, fiber, satellite, etc.)
Security is powered by Cryptography
9. Internet Protocol Suite
Figure: TCP/IP data flow (Application, Transport, Internet and Link layers on each end host; Internet and Link layers on the intermediate nodes; links over Ethernet, satellite, etc.; labels: process-to-process, host-to-host)
17. 3 Party Diffie-Hellman Key-Exchange
A better solution, i.e. a single round of communication with greater security, can be achieved by using Pairing-Based Cryptography (PBC).
18. Pairing-Based Crypto Application
■ Many elegant cryptographic applications are enabled by PBC
◻ ID-Based encryption (an ID becomes a public key)
◻ Joux’s 3DH (more efficient key-agreement)
◻ zk-SNARK (used in the Zcash cryptocurrency blockchain)
◻ And many more
24. Pairing and Protocols
Figure: difficulty level comparison in terms of computation costs, covering pairing; elliptic curve cryptography over a prime field; elliptic curve cryptography over an extension field; exponentiation over an extension field; and elliptic curve cryptography and pairing over an extension field.
25. Thesis Chapters and Covered Topics
Chapter 3. CANDAR 2016; extended version in JICCE Journal 2017.
Chapter 4. ICISC 2016, LNCS 10157.
Chapter 5. WISA 2016, LNCS 10144; extended version in IEICE Trans. 2017.
Chapter 6. INDOCRYPT 2017, LNCS 10698.
Chapter 7. Extension of Chapter 6.
Chapter 8. CANDAR 2018.
Figure: the chapters are grouped under pairing at 192-bit security, pairing at 128-bit security, and state-of-the-art pairing.
27. Arithmetic Level of Pairing
Figure: arithmetic layers, from higher to lower complexity: Protocols, Pairing, Elliptic curve, Extension field, Prime field.
30. Elliptic Curve Cryptography (ECC)
◻ Based on the Elliptic Curve Discrete Logarithm Problem (ECDLP)
◻ ECDLP is harder to break than the integer factoring used for RSA.
■ Benefits
◻ Similar security level with smaller parameters.
◻ Memory efficient [shorter keys and faster execution time].
Important: Provides the mathematical setting to calculate pairing efficiently.
40. Challenges in Pairing Computation
Figure: taxonomy of pairing-friendly curves
◻ Families of curves
■ Sparse families: MNT, Freeman
■ Complete families: BLS, KSS, BN
◻ Curves not in a family: Supersingular, Cocks–Pinch
41. Challenges in Pairing Computation
(Same figure.) Which one is the best curve for pairing?
42. Challenges in Pairing Computation
(Same figure.) No specific answer; research with different settings is needed.
43. Challenges in Pairing Computation
(Same figure.) Until 2016: best candidate for 128-bit security. 2016 extNFS attack on DLP: security drops.
44. Challenges in Pairing Computation
(Same figure.) Recently: competitive candidate for 128/192-bit security.
45. Challenges in Pairing Computation
(Same figure.) Our focus: KSS curves.
47. Challenges in Pairing Computation
Figure: challenges grouped by component
◻ Curve: pairing-friendly, small embedding degree, good parameters
◻ Security: ECDLP, DLP
◻ Pairing: Miller's algorithm, final exponentiation
Some of them are interconnected.
60. Experiment & Result
■ Experiment Environment and Parameters
CPU: Intel Core i5-6600 (3.3 GHz)
OS: Ubuntu 16.04 LTS
GCC: ver. 5.3.1
Memory: 8.00 GB
61. Experiment & Result
Miller’s Algo. calculation time (192-bit security level), average of 10000 runs.
Vector Mult.: 12.2% reduction
Both the 11-Sparse and pseudo 12-Sparse are new works in the literature.
76. Experiment & Result
Experiment Environment
Parameters: 128-bit Security Level
CPU: Intel Core i5 5257U 2.7 GHz
Memory: 16 GB
Compiler: gcc 4.2.1
OS: OS X 10.14
Language: C
Library: GMP
78. ELiPS Library
■ ELiPS (Efficient Library for Pairing-Based Systems)
◻ Installable shared library for C/C++ in Unix environments.
■ Implementations are available on GitHub
■ https://github.com/ISecOkayamaUniv [Lab Profile]
■ https://github.com/ISecOkayamaUni/ELiPS_KSS16 [Library Source]
80. Conclusion and Future Work
■ We improved two major operations of pairing-based cryptography.
◻ Miller’s Algorithm
◻ Scalar Multiplication
■ Similar techniques can be applied to other curves.
■ As future work, improve the existing implementation techniques.
■ Apply our improvements to applications.