Elliptic Curves, Bilinear Pairings

&
Multi-linear Maps

Ratna Dutta
Department of Mathematics
Indian Institute of Technology, Kharagpur
Autumn 2019
 Outline
• Brief review of
– Elliptic curves
– Cryptographic bilinear pairings
– Cryptographic multilinear Maps

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 1

 Why Elliptic Curve Cryptosystems?
• The points on an elliptic curve E over a finite field K
form an abelian group.
• The addition operation of this abelian group involves a
few arithmetic operations in the underlying field K, and
is easy to implement, both in hardware and in software.
• The DLP in this group is believed to be very difficult, in
particular, harder than the DLP in finite fields of the
same size as K.

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 2

 • The main motivation in studying Elliptic Curve
Cryptosystems (ECC) is there is no known
sub-exponential algorithm (like Index Calculus Method)
to solve the DLP on a general elliptic curve.
– The standard cryptographic protocols all have
analogues in the elliptic curve case
– potentially providing equivalent security, but with
smaller key sizes and hence smaller memory and
processor requirements.
– This makes them ideal for use in smart cards and other
environments where resources such as storage, time, or
power are at a premium.
Cryptography and Network Security, IIT Kharagpur, Autumn 2019 3
 • Another potential advantage of using elliptic curves
is the great diversity of elliptic curves available to provide
the groups.
– Each user may select a different curve E, even though
all users use the same underlying field K.
– Consequently, all users require the same hardware for
performing the field arithmetic, and the curve E can
be changed periodically for extra security.

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 4

 • Finally, Pairing Based Cryptography (PBC)
– A new idea which facilitates novel and attractive
cryptographic constructions
– And good solutions to some old problems!
• Two things are needed to do PBC:
– Efficient algorithms for pairing implementations
– Suitable elliptic curves
• Both are available and the technology is viable.

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 5

 Elliptic Curves
• K be a field and K its algebraic closure. ( If K = Fq ,
then K = Sm≥1 Fqm . )
• Weierstrass equation :
E/K : y 2 + a1xy + a3y = x3 + a2x2 + a4x + a6,
where a1, a2, a3, a4, a6 ∈ K with no singular point.
• The set of K–rational points
E(K) = {(x, y) ∈ K × K} {O}
[

where O is called the identity (also point at infinity).

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 6

 • Simplified Weierstrass equation :
1. char(K) 6= 2, 3:
y 2 = x3 + ax + b, a, b ∈ K, 4a3 + 27b2 6= 0.
2. char(K) = 2:
y 2 + xy = x3 + ax2 + b, a, b ∈ K, b 6= 0
(non-supersingular)
or y 2 + cy = x3 + ax + b, a, b, c ∈ K, c 6= 0
(supersingular)
3. char(K) = 3:
y 2 = x3 + ax2 + bx + c, a, b, c ∈ K (cubic on the
right has no multiple roots)

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 7

 Group Law
• E = E(K) given by Weierstrass equation.
• For all P, Q ∈ E
(i) O + P = P + O = P ( so O serves as the identity)
(ii) −O = O
(iii) if P = (x1, y1) 6= O, then
−P = (x1, −y1 − a1x1 − a3)
(P and −P are the only points on E with
x-co-ordinates equal to x1)
(iv) if Q = −P , then P + Q = O
Cryptography and Network Security, IIT Kharagpur, Autumn 2019 8
 (v) if P 6= O, Q 6= O, Q 6= −P , then P + Q = −R,
where R is the third point of intersection of the line
P Q (tangent P Q if P = Q) with the curve E.
• O is called point at infinity (if Q = −P , then
P + Q = O).

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 9

 Q

R
P

−R = P+Q

Adding two points P, Q on an elliptic curve

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 10

 R
P

[2]P

Doubling a point P on an elliptic curve

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 11

 • Theorem :
– (E, +) is an abelian group with identity element O.
– If E is defined over K, then E(K) is a subgroup of
E.

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 12

 Addition Formulae
• E/K : Weierstrass equation
– if P = (x1, y1) 6= O, then −P = (x1, −y1 − a1x1 − a3).
– if P = (x1, y1) 6= O, Q = (x2, y2) 6= O, P 6= −Q, then
P + Q = (x3, y3) with
x3 = λ2 + a1λ − a2 − x1 − x2
y3 = −(λ + a1)x3 − β − a3
where 
y2 −y1




x2−x1 if P 6= Q
λ = 

3x21+2a2 x1+a4 −a1 y1


2y1 +a1 x1 +a3 if P = Q
and β = y1 − λx1.
Cryptography and Network Security, IIT Kharagpur, Autumn 2019 13
 • E/K : y 2 = x3 + ax + b
– if P = (x1, y1) 6= O, then −P = (x1, −y1)
– if P = (x1, y1) 6= O, Q = (x2, y2) 6= O, P 6= −Q, then
P + Q = (x3, y3) with
x3 = λ2 − x1 − x2,
y3 = λ(x1 − x3) − y1
where 
y2 −y1




x2−x1 if P 6= Q
λ = 

3x21+a


2y1 if P = Q

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 14

 • E/K : y 2 + xy = x3 + ax2 + b (non-supersingular)
– if P = (x1, y1) 6= O, then −P = (x1, y1 + x1)
– if P = (x1, y1) 6= O, Q = (x2, y2) 6= O, P 6= −Q, then
P + Q = (x3, y3) with
2

( xy11+y2 ) + y1 +y2 + x + x + a if P =
6 Q


1 2

x1+x2
x3 =  2 +x2 b



 x1 + 2 if P = Q
x

1

and
( xy11+y

 2 )(x + x ) + x + y if P =6 Q
1 3 3 1

+x2

y3 =  2

y1
 x1 + (x1 +
x1 )x3 + x3 if P = Q

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 15

 • E/K : y 2 + cy = x3 + ax + b (supersingular)
– if P = (x1, y1) 6= O, then −P = (x1, y1 + c)
– if P = (x1, y1) 6= O, Q = (x2, y2) 6= O, P 6= −Q, then
P + Q = (x3, y3) with
2


( xy11+x
+y2
) + x1 + x2 if P 6= Q




x3 = 

2
x41+a2


c2
if P = Q
and
( xy11+x
+y2



 )(x1 + x3) + y1 + a3 if P 6= Q
y3 =  2


x21+a
 ( c )(x1 + x3) + y1 + c if P = Q

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 16

 Example: Point counting
• E/Z11 : y 2 = x3 + x + 6
• Quadratic residue modulo p: Let p be an odd prime
and x be an integer, 1 ≤ x ≤ p − 1. x is defined to be a
quadratic residue or square modulo p if the congruence
y 2 ≡ x (mod p)
has a solution y ∈ Zp.
• Example: QR11 = {1, 3, 4, 5, 9}.

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 17

 x x3 + x + 6 mod 11 quadratic residue? y
0 6 no -
1 6 no -
2 6 yes 4, 7
3 6 yes 5, 6
4 6 no -
5 6 yes 2, 9
6 6 no -
7 6 yes 2, 9
8 6 yes 3, 8
9 6 no -
10 6 yes 2, 9
Cryptography and Network Security, IIT Kharagpur, Autumn 2019 18
 • E/Z11 has 13 points on it including O
• We take a point α = (2, 7) and compute the power of α
(which we will write as multiples of , since the group
operation is additive).
• To compute 2α = (2, 7) + (2, 7), we use the point
doubling (Tangent law) and get 2α = (5, 2).
• To compute 3α = 2α + α = (5, 2) + (2, 7), we use the
point addition (Chord law) and get 3α = (8, 3).

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 19

 α = (2, 7) 2α = (5, 2) 3α = (8, 3)
4α = (10, 2) 5α = (3, 6) 6α = (7, 9)
7α = (7, 2) 8α = (3, 5) 9α = (10, 9)
10α = (8, 8) 11α = (5, 9) 12α = (2, 4)
• α = (2, 7) is a primitive element.
• We can implement ElGamal encryption scheme using
elliptic curve group G = hαi with operation +

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 20

 Group Structure
• E/Fq , q = pm, p is prime, char(Fq ).
• #E(Fq ) : number of points on E(Fq ).
• t = q + 1 − #E(Fq )
• Theorem (Hasse, conjectured by E. Artin):
(i) φ ◦ φ − [t] ◦ φ + [q] = O and
√
(ii) |t| ≤ 2 q
where [m] : P → mP and φ : E → E is the
Frobenius endomorphism on E defined by
φ(a, b) = (aq , bq ), t is the trace of the Frobenius
endomorphism.
Cryptography and Network Security, IIT Kharagpur, Autumn 2019 21
 • Theorem (Schoof’s Algorithm):
#E(Fq ) can be computed in polynomial time.
• Theorem (Weil, proved by Hasse):
Let t = q + 1 − #E(Fq ). Then
#E(Fqk ) = q k + 1 − αk − β k , where α, β are complex
numbers determined from the factorization of
1 − tT + qT 2 = (1 − αT )(1 − βT ).

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 22

 • Theorem (Fundamental theorem of abelian groups):
E(Fq ) ∼
= Zn ⊕ Zn , where n2|n1 and n2|q − 1.
1 2
Moreover, E(Fq ) is cyclic if and only if n2 = 1.
• Theorem:
If gcd(n, q) = 1, then E[n] ∼
= Zn ⊕ Zn where
E[n] = {P ∈ E|nP = O}, set of all n-torsion
points.

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 23

 Supersingular Elliptic Curve
• E/Fq is supersingular if p|t where
t = q + 1 − #E(Fq ), q = pm, p is the char(Fq ), prime.
• Theorem (Waterhouse):
E/Fq is supersingular if and only if t2 = 0, q, 2q, 3q
or 4q.
• Untill constructive applications of pairings were found,
from 2000, supersingular curves were considered bad for
cryptography (MOV attack)

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 24

 • Theorem (Schoof):
Let E/Fq be a supersingular elliptic curve with
t = q + 1 − #E(Fq ). Then
1. if t2 = q, 2q or 3q, then E(Fq ) is cyclic.
√
2. if t2 = 4q and t = 2 q, then
E(Fq ) ∼
= Z√q−1 ⊕ Z√q−1
√
3. if t2 = 4q and t = −2 q, then
E(Fq ) ∼
= Z√q+1 ⊕ Z√q+1
4. if t = 0 and q 6= 3 mod 4, then E(Fq ) is cyclic
5. if t = 0 and q = 3 mod 4, then E(Fq ) ∼ = Z q+1 ⊕ Z2.
2

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 25

 What’s a Pairing?
• Pairings are functions which map a pair of elliptic curve
points to an element of a multiplicative group of an
underlying finite field.
ê(P, Q) where P and Q are points on an elliptic curve.
• It has the property of bilinieaity.
ê(aP, bQ) = ê(bP, aQ) = ê(P, Q)ab
• Examples: Weil pairing, Tate pairing, Ate
pairing, Eta pairing etc.

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 26

 Cryptographic Bilinear Pairing
• G1, G2 two groups of same prime order n
• G1 = hP i, G1 is additive group, identity O
• G2 is a multiplicative group with identity 1
• DLP is hard in both G1, G2

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 27

 • Cryptographic bilinear pairing ê : G1 × G1 → G2
1. Bilinearity : for all R, S, T ∈ G1
ê(S + R, T ) = ê(S, T ) · ê(R, T )
ê(S, T + R) = ê(S, T ) · ê(S, R)
In other words, ê(aS, bT ) = ê(S, T )ab for all a, b ∈ Zn∗
2. Non-degeneracy : ê(P, P ) 6= 1
3. Computability : ê can be efficiently computed.
4. Symmetry : ê(S, T ) = ê(T, S).
• can be constructed from Weil, Tate pairing
Cryptography and Network Security, IIT Kharagpur, Autumn 2019 28
 Some Important Consequences
• Decision Diffie-Hellman (DDH) Problem in G1 = hP i :–
– Given P, aP, bP, cP ∈ G1 for some a, b, c ∈ Zn∗ , decide
whether c = ab mod n.
Theorem : DDH Problem is easy in G1.
proof:
– Pairings help us to solve DDH problem in G1
– Easy to check if ê(aP, bP ) = ê(P, cP )
ê(aP, bP ) = ê(P, P )ab and ê(P, cP ) = ê(P, P )c
ê(P, P )ab = ê(P, P )c iff c = ab mod n
Cryptography and Network Security, IIT Kharagpur, Autumn 2019 29
 • Computational Diffie-Hellman (CDH) Problem in
G1 = hP i :–
– Given P, aP, bP ∈ G1 for some a, b ∈ Zn∗ , compute the
value abP .
• Pairings do not help us to solve CDH problem (except by
perhaps making the discrete log problem a bit simpler!)
• Bilinear Diffie-Helllman (BDH) Problem in hG1, G2, êi :–
– Given P, aP, bP, cP ∈ G1 for some a, b, c ∈ Zn∗ ,
compute the value ê(P, P )abc.

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 30

 • Theorem : If CDH problem in G1 is easy, then BDH
problem in hG1, G2, êi is easy.
• Theorem : If CDH problem in G2 is easy, then BDH
problem in hG1, G2, êi is easy.

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 31

 Pairing computation
• Let P be a point of prime order r on a (supersingular)
elliptic curve E(Fq )
• Let k be the smallest positive integer such that r divides
q k − 1 (k is called the embedding degree)
• Then the pairing ê(P, Q) can be calculated, and evaluates
as an element in Fqk (via Miller’s algorithm or Elliptic
Nets)

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 32

 Extension Fields
• An element in Fqk can be represented as a polynomial
with coefficients in Fq , modulo an irreducible polynomial
of degree k.
• Simple example, q = p, k = 2
• Assume p = 3 mod 4
• Then x2 + 1 is a suitable irreducible polynomial
• An element in Fqk can be written as a + xb, where x is a
root of the irreducible polynomial.
√ √
• In fact x = −1 mod p, so a + b. − 1 written as (a, b)
– just like complex numbers!
Cryptography and Network Security, IIT Kharagpur, Autumn 2019 33
 Pairings for Cryptanalysis
• MOV Reduction :–
(Menezes, Okamoto, Vanstone, 1993)

Theorem : DLP in G1 is no harder that DLP in G2.

proof:
– Consider the DLP on G1 (an elliptic curve group):
Given P and Q, where Q = xP , find x.
– ê(P, Q) = ê(P, P )x by bilinearity.
– Solve this DLP over finite field Fqk using index calculus.
– Relatively easy (if k is small)

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 34

 Making it Secure
• If r is 160 bits, then Pohlig-Hellman attacks will take
∼ 280 steps
• If k log(q) ∼ 1024 bits, Discrete Log attacks will also take
∼ 280 steps
• So we can achieve appropriate levels of cryptographic
security
• We have to deal with “RSA-sizes” values in the extension
field Fqk

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 35

 Why is pairing useful?
• Earlier bilinear pairings, namely Weil pairing and Tate
pairing of algebraic curves were used in cryptography to
reduce the DLP on some elliptic or hyperelliptic curves to
the DLP in a finite field (MOV reduction).
• In recent years, bilinear pairings have found positive
application in cryptography to construct new
cryptographic primitives.

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 36

 • The first introduction of pairings in the constructive sense
were:
– Joux’s Key Agreement, 2000
– Boneh-Franklin’s Identity-Based Encryption (IBE),
2001
– Boneh-Lynn-Shacham’s Short Signature, 2001
• A multitude of pairing based protocols have been
suggested.
• A handful of efficient pairing implementations have been
developed.
Cryptography and Network Security, IIT Kharagpur, Autumn 2019 37
 Three-Party Key Agreement
(Joux, ANST IV 2000, LNCS, Springer)
abc
key = e(P, P)

aP bP cP

A B C
a b c

• G1 = hP i additive, G2 multiplicative group of a large

prime order q, ê : G1 × G1 → G2 the bilinear map
Cryptography and Network Security, IIT Kharagpur, Autumn 2019 38
 • security: hardness of BDH problem.
• BDH (Bilinear Diffie-Hellman) Problem in hG1, G2, ei:
given hP, aP, bP, cP i for some a, b, c ∈ Zq∗ , compute
e(P, P )abc.

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 39

 (n + 1)-party Key Agreement
(Boneh and Silverberg, 2003, Contemporary Mathematics, AMS)

a a a ... a n+1
key =e(P, P, P, ..., P) 1 2 3

a1P a2P a3P an+1P

U1 U2 U3 Un+1
a1 a2 a3 an+1

• G1 = hP i additive, G2 multiplicative group of a large

prime order q, ê : Gn1 → G2 the n-linear map

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 40

 Multilinear Map
• extending bilinear elliptic curve pairings to multilinear
maps is a long-standing open problem.
• amazingly powerful tool – so useful that a body of work
examined their applications even before any candidate
constructions is known to realize them

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 41

 • two recent breakthrough constructions
– GGH: (Garg, Gentry and Halevi, EUROCRYPT 2013,
LNCS) - based on ideal lattices
– CLT: (Coron, Lepoint and Tibouchi, CRYPTO 2013,
LNCS) - over the integers
• Reliance on cryptographic tools built from multilinear
maps may be perilous as existing multilinear maps are
still heavy tools to use and suffering from many
non-trivial attacks.

Cryptography and Network Security, IIT Kharagpur, Autumn 2019 42