My Ph.D. defense presentation slides.

1. A Study of Efficient Pairing
Computation Algorithm Using
KSS Curves
Md. Al-Amin Khandaker
Ph.D. Supervisor: Professor Yasuyuki Nogami
Co-supervisors: Professor Nobuo Funabiki
Professor Satoshi Denno
Ph.D. Dissertation Defense
Graduate School of Natural Science and Technology
Okayama University, Japan

2. Publications
■ Peer Reviewed Journal: 2
■ International Conference: 8
2
■ Md. Al-Amin Khandaker and Yasuyuki Nogami. “An Improvement of
Scalar Multiplication by Skew Frobenius Map with Multi-Scalar
Multiplication for KSS Curve”. In: IEICE Transactions 100-A.9 (2017), pp.
1838-1845.
■ Md. Al-Amin Khandaker, Taehwan Park,Yasuyuki Nogami, and Howon
Kim. “A Comparative Study of Twist Property in KSS Curves of Embedding
Degree 16 and 18 from the Implementation Perspective”. In:
J. Inform. and Commun. Convergence Engineering 15.2 (2017), pp. 97-103.

3. Contribution Overview
■ This dissertation provides theoretical and
experimental basis of several improvements of
pairing-based cryptography (PBC).
■ We improved Miller’s algorithm of Ate-based pairing
and Scalar multiplication over KSS curves.
■ Many high-level crypto-protocols based on pairing
can utilize our improvements.
3

4. Outline
■ Background and Motivation
■ Fundamentals and Challenges of Pairing-Based
Cryptography
■ Improvement of Pairing Algorithm
■ Improvement of Scalar Multiplication
■ Conclusion and Future Works
4

5. Outline
■ Background and Motivation
■ Fundamentals and Challenges of Pairing-Based
Cryptography
■ Improvement of Pairing Algorithm
■ Improvement of Scalar Multiplication
■ Conclusion and Future Works
5

6. Background
■ About 40 years ago two important innovation
happened side-by-side.
◻ Internet Protocol Suite
■ (TCP/IP) (January 1, 1983)
◻ Public Key Cryptography
■ Diffie–Hellman key exchange (DH) (1976)
■ RSA cryptosystem (1977)
■ ECC cryptosystem (1985)
6

7. Internet Protocol Suite
Router Router
Figure: Network Topology
Ethernet/
Fiber Optic/
etc.
7

8. Internet Protocol Suite
Router Router
Security is powered by Cryptography
Figure: Network Topology
Ethernet/
Fiber/ Satellite/
etc.
8

9. Internet Protocol Suite
Figure: TPC/IP Data flow
Application
Transport
Internet
Link
Application
Transport
Internet
Link
Internet
Link
Internet
Link
Ethernet Satellite/etc
.
Ethernet
process-to-process
host-to-host
9

10. Internet Protocol Suite
Application
Transport
Internet
Link
Application
Transport
Internet
Link
Internet
Link
Internet
Link
Ethernet Satellite/etc
.
Ethernet
process-to-process
host-to-host
Most cryptography protocols (e.g.
TLS) are used in Application layer. *
* TLS runs on top of TCP which imply that it is above the Transport layer. It serves encryption to higher layers, which is normally the function
of the Application layer.
10

11. Before Public Key Cryptography
How can I send a secret message to Bob?
Alice Bob
How can I send a secret message to Alice?
11

12. Before Public Key Cryptography
Share the secret key by physically meeting or some other way
12
Symmetric(Private) key Cryptography

13. Before Public Key Cryptography
Encryption
Communication
Media
Decryption
13

14. After Public Key Cryptography
14
Diffie-Hellman Key-Exchange (DHKE)

15. Idea Behind the
DHKE
15

16. 3 Party Diffie-Hellman
Key-Exchange
16

17. 3 Party Diffie-Hellman
Key-Exchange
The better solution i.e. in one round of communication with
greater security can be done by using Pairing-Based Cryptography
(PBC).
17

18. Pairing-Based Crypto Application
■ Many elegant cryptographic applications are enabled
by PBC
◻ ID-Based encryption (an ID becomes a public key)
◻ Joux’s 3DH (more efficient key-agreement)
◻ zk-SNARK (used in cryptocurrency z.cash blockchain).
◻ And many more
18

19. What is Pairing?
19
Input
Pairing process flow
Pairing calculation Output

20. What is Pairing?
■
20

21. Arithmetic Level of Pairing
Protocols
Pairing
Elliptic curve
Extension Field
Prime Field
Higher Complexity
Lower Complexity
21

22. 22
Pairing and Protocols
Pairing
Miller’s
Algorithm
Line evaluation
Final
exponentiation
Easy part
Hard part
Exponentiation (Exp.)
Scalar Multiplication (SCM)

23. 23
Pairing and Protocols
Protocols
SCM in
SCM in
Exp. inPairing
Maps
Difficulty level comparison in terms of computation
costs.
Pairing

24. 24
Pairing and Protocols
Difficulty level comparison in
terms of computation costs.
Pairing
Elliptic curve cryptography
over Prime Field
Elliptic curve cryptography
over Extension Field
Exponentiation over
Extension Field
Elliptic Curve Cryptography and
Pairing over Extension Field

25. 25
Thesis Chapters and Covered Topics
Chapter 4. ICISC 2016, LNCS 10157.
Chapter 3. CANDAR 2016.
ext. ver. JICCE Journal 2017.
Chapter 5. WISA 2016, LNCS 10144.
ext. ver. IEICE Trans. 2017.
Chapter 6. INDOCRYPT 2017. LNCS 10698
Chapter 7. ext. of Chapter 6.
Chapter 8. in CANDAR 2018.
Pairing at
192-bit security
Pairing at 128-bit
security
State-of-the-art
Pairing
Chapter 4. ICISC 2016, LNCS 10157.
Chapter 8. in CANDAR 2018.
Pairing at
192-bit security
Pairing at 128-bit
security
State-of-the-art
Pairing

26. Outline
■ Background and Motivation
■ Fundamentals and Challenges of Pairing-Based
Cryptography
■ Improvement of Pairing Algorithm
■ Improvement of Scalar Multiplication
■ Conclusion and Future Works
26

27. Arithmetic Level of Pairing
Protocols
Pairing
Elliptic curve
Extension Field
Prime Field
Higher Complexity
Lower Complexity
27
Extension Field
Prime Field

28. Prime Field and Extension Field
Towering
used in pairing
28

29. Arithmetic Level of Pairing
Protocols
Pairing
Elliptic curve
Extension Field
Prime Field
Higher Complexity
Lower Complexity
29
Elliptic curve

30. Elliptic Curve Cryptography (ECC)
◻ Based on Elliptic Curve Discrete Logarithm Problem
(ECDLP)
◻ ECDLP is harder to break than Integer factoring used
for RSA.
Important: Provides mathematical setting to calculate
Pairing efficiently.
30
■ Benefits
◻ Similar security level with smaller parameter.
◻ Memory efficient [shorter keys and faster execution
time].

31. Elliptic Curves
31

32. Elliptic Curves
■
32

33. Elliptic Curves
■ Elliptic curve has two basic operations
Elliptic curve addition (ECA) Elliptic curve doubling (ECD)
33

34. Elliptic Curve Scalar Multiplication
34

35. Arithmetic Level of Pairing
Protocols
Pairing
Elliptic curve
Extension Field
Prime Field
Higher Complexity
Lower Complexity
35
Pairing

36. Pairing
■
Final Exponentiation
Miller’s Algorithm
36

37. 37
Challenges in Pairing
Computation
Difficulty level comparison in
terms of computation costs.
Pairing

38. Challenges in Pairing Computation
■
38
Twisting the curve
E
Curve definition Field is
reduced

39. Challenges in Pairing Computation
■
39

40. Challenges in Pairing Computation
40
Pairing-friendly
Curve
Families of
Curve
Sparse
families
MNT
Freeman
Complete
family
BLS
KSS
BN
Curves not
in family
Supersingular
Cock-Pinch

41. Challenges in Pairing Computation
41
Pairing-friendly
Curve
Families of
Curve
Sparse
families
MNT
Freeman
Complete
family
BLS
KSS
BN
Curves not
in family
Supersingular
Cock-Pinch
Which one is the best
curve for Pairing?

42. Challenges in Pairing Computation
42
Pairing-friendly
Curve
Families of
Curve
Sparse
families
MNT
Freeman
Complete
family
BLS
KSS
BN
Curves not
in family
Supersingular
Cock-Pinch
No specific answer.
Need research with
different settings.

43. Challenges in Pairing Computation
43
Pairing-friendly
Curve
Families of
Curve
Sparse
families
MNT
Freeman
Complete
family
BLS
KSS
BN
Curves not
in family
Supersingular
Cock-Pinch
Until 2016:
Best candidate for
128-bit security
2016 extNFS
attack on DLP
Security drops

44. Challenges in Pairing Computation
44
Pairing-friendly
Curve
Families of
Curve
Sparse
families
MNT
Freeman
Complete
family
BLS
KSS
BN
Curves not
in family
Supersingular
Cock-Pinch
Recently:
Competitive
candidate for
128/192-bit
security

45. Challenges in Pairing Computation
45
Pairing-friendly
Curve
Families of
Curve
Sparse
families
MNT
Freeman
Complete
family
BLS
KSS
BN
Curves not
in family
Supersingular
Cock-Pinch
Our focus

46. 46
Challenges in Pairing
Computation
Security of Pairing:
Pairing
ECDLP
DLP
Pairing Inversion

47. Challenges in Pairing Computation
47
Challenges
Curve
Pairing-friendly
Small embedding degree
Good parameter
Security
ECDLP DLP
Pairing
Miller's
Algorithm
Final
exponentiation
Some of them are interconnected.

48. Outline
■ Background and Motivation
■ Fundamentals and Challenges of Pairing-Based
Cryptography
■ Improvement of Pairing Algorithm
■ Improvement of Scalar Multiplication
■ Conclusion and Future Works
48

49. KSS-Curves
49
Kachisa-Schaefer-Scott (KSS)
2008

50. Improvement of Miller’s
Algorithm in KSS-18 Curve
■
50
The idea is published at ICISC 2016.
Chapter 4 contains the details.

51. Miller’s Algorithm
■
Improvement target
51

52. ■
z : quadratic and cubic
non residue
Isomorphic mapping
Degree 6 Twist for KSS-18 curve
52

53.
53
0
0 0

54. 11-Sparse Multiplication
11-Sparse
11 zeros
54
non-zero
zero
■
Improvement target

55. Sparse Multiplication
General
multiplication
11-sparse
multiplication
Pseudo 12-sparse
multiplication
more
efficient
A little
more
efficient
55

56. Pseudo 12-Sparse Multiplication
cancel by final exp.
Pseudo
12-Sparse
11 zeros and 1 one
56

57. Pseudo 12-Sparse Multiplication
■
57

58. Sparse Multiplication
11-sparse multiplication
Pseudo 12-sparse multiplication
58

59. Sparse Multiplication
Normal
Multiplication
324mul
11-Sparse 78mul
Pseudo 12-Sparse 60mul
Pseudo 12-sparse can reduce 18 multiplications
11-sparse
multiplication
Pseudo 12-sparse
multiplication
59

60. Experiment & Result
■ Experiment Environment
■ Parameters
CPU Intel Core i5-6600 (3.3GHz)
OS Ubuntu 16.04 LTS
GCC ver. 5.3.1
memory 8.00GB
60

61. Experiment & Result
74
Miller’s Algo.
Miller’s Algo. Calculation time (192-bit security level)
* 10000 times average
Vector Mult. 12.2% reduction
61
Both the 11-Sparse and pseudo 12-Sparse are new
works in literature.

62. Outline
■ Background and Motivation
■ Fundamentals and Challenges of Pairing-Based
Cryptography
■ Improvement of Pairing Algorithm
■ Improvement of Scalar Multiplication
■ Conclusion and Future Works
62

63. Elliptic Curve Scalar Multiplication
63

64.
64
0
0 0

65.
■
65

66.
■
66

67.
■
Reverse map
67

68.
■
4-split method
typical method
68

69.
■
4-split method
typical method
69

70. 4-Split Scalar Multiplication
Precomputed tableMSB LSB
1. Binarize
3. Operation
2. Precomputed table
70

71. 4-Split Scalar Multiplication
Precomputed table
MSB LSB
71

72. 4-Split Scalar Multiplication
Precomputed table
MSB LSB
72
computed

73. 4-Split Scalar Multiplication
Precomputed table
MSB LSB
73
computed

74. 4-Split Scalar Multiplication
Precomputed table
MSB LSB
74
ECD
computed

75. 4-Split Scalar Multiplication
Precomputed table
MSB LSB
75
computed

76. Experiment & Result
Experiment Environment
Parameters 128-bit Security Level
CPU Memory Compiler OS Language Library
Intel Core
i5 5257U
2.7GHz
16GB gcc 4.2.1 OS X 10.14 C GMP
76

77. Experiment & Result
Pre-computation Algorithm
computation
Time
[ms]
%
increment
ECA ECD ECA ECD
Binary SCM 0 0 120 262 42.81 124
4-Split 24 20 64 68 19.09 -
2-Split 5 6 98 138 28.48 49
8-Split 52 47 67 34 21.85 14
77

78. ELiPS Library
■ ELiPS (Efficient Library for Pairing-Based
Systems)
◻ Installable Shared Library for C/C++ in Unix
environments.
78
■ Implementations are available in GitHub
■ https://github.com/ISecOkayamaUniv [Lab Profile]
■ https://github.com/ISecOkayamaUni/ELiPS_KSS16
[Library Source]

79. Outline
■ Background and Motivation
■ Fundamentals and Challenges of Pairing-Based
Cryptography
■ Improvement of Pairing Algorithm
■ Improvement of Scalar Multiplication
■ Conclusion and Future Works
79

80. Conclusion and Future Work
■ We improved two major operations of
pairing-based cryptography.
◻ Miller’s Algorithm
◻ Scalar Multiplication
■ Similar techniques can be applied to other
curves.
■ As future work, improve the existing
implementations technique.
■ Apply our improvements to application.
80

81. Thank you for listening
81

82. Appendix
128 256 1.25 320 5120 1280
Values are in bits. Parameters recommended for KSS-16.
82