Pairing-based-cryptography

Note: This is an experimental implementation of optimal Ate pairing in Java. It has never been used in production. Use it at your risk.

Introduction

Introduction to Parings

An admissible bilinear pairing is a function $e: \mathbb{G}_1 \times \mathbb{G}_2 \rightarrow \mathbb{G}_T$ , where $\mathbb{G}_1$ and $\mathbb{G}_2$ are cyclic subgroups of elliptic curve groups, $\mathbb{G}_T$ is a cyclic subgroup of the multiplicative group of a finite field, $\mathbb{G}_1$ , $\mathbb{G}_2$ and $\mathbb{G}_T$ have order r, and the following conditions hold:

• Bilinearity: for $P, Q \in \mathbb{G}_1$ and $R, S \in \mathbb{G}_2$ , $e(P + Q, R) = e(P, R).e(Q, R)$ and $e(P,R + S) = e(P,R).e(P,S)$

• Non-degeneracy: $e(P, R) \neq 1$ for some $P \in \mathbb{G}_1$ and $R \in \mathbb{G}_2$. Or, equivalently, $e(P, R) = 1$ for all $R \in \mathbb{G}_2$ if and only if $P = \mathcal{O}$; and $e(P, R) = 1$ for all $P \in \mathbb{G}_1$ if and only if $R = \mathcal{O}$.\

Also, it immediately follows that $e(aP, bR)=e(P, R)^{ab}=e(bP, aR)$ for any two integers a and b.

Barreto - Naehrig curves

A BN curve is an elliptic curve over a finite prime field $\mathbb{F}_p$ , with prime order n and embedding degree k = 12.

The equation of the curve is

$E_{u}: y^2 = x^3 + b \quad with \quad b \neq 0$

The curve order and the characteristic of $\mathbb{F}_p$ are parameterised as:

$p(u) = 36u^4 + 36u^3 + 24u^2 + 6u + 1$

$n(u) = 36u^4 + 36u^3 + 18u^2 + 6u + 1$

Hence the trace (of Frobenius) of the curve

$t(u) = 6u^2 + 1$

with $u \in \mathbb{Z}$

Finding b is actually very simple: take the smallest b ≠ 0 such that b + 1 is a quadratic residue modp and the point $G = (1,\sqrt[2]{b + 1}$ \quad mod \quad $p)$ , which is clearly on the curve. [3]

pairing-based-cryptography

An experimental Pairing-based cryptography in Java

Pairing-based-cryptography

Introduction

Introduction to Parings

Barreto - Naehrig curves