Batch point compression in the context of advanced pairing-based protocols

Abstract

This paper continues previous ones about compression of points on elliptic curves \(E_b\!: y^2 = x^3 + b\) (with j-invariant 0) over a finite field \(\mathbb {F}_{\!q}\) of characteristic \(p > 3\). It is shown in detail how any two (resp., three) points from \(E_b(\mathbb {F}_{\!q})\) can be quickly compressed to two (resp., three) elements of \(\mathbb {F}_{\!q}\) (apart from a few auxiliary bits) in such a way that the corresponding decompression stage requires to extract only one cubic (resp., sextic) root in \(\mathbb {F}_{\!q}\). As a result, for many fields \(\mathbb {F}_{\!q}\) occurring in practice, the new compression-decompression methods are more efficient than the classical one with the two (resp., three) x or y coordinates of the points, which extracts two (resp., three) roots in \(\mathbb {F}_{\!q}\). As a by-product, it is also explained how to sample uniformly at random two (resp., three) “independent” \(\mathbb {F}_{\!q}\)-points on \(E_b\) essentially at the cost of only one cubic (resp., sextic) root in \(\mathbb {F}_{\!q}\). Finally, the cases of four and more points from \(E_b(\mathbb {F}_{\!q})\) are commented on as well.

Appendices

Appendix A. Compressing \(E_{b}(\mathbb {F}_{\!q^2}) \!\times \!E_{b_2}(\mathbb {F}_{\!q})\)

Throughout the current supplementary section, we will assume that \(q \equiv 1 \ (\textrm{mod} \ 3)\) or, equivalently, \(\omega \in \mathbb {F}_{\!q}\). Unlike the main part of the paper, here the opposite situation would be drastically different as it becomes clear below. Given \(\gamma \in \mathbb {F}_{\!q}^* {\setminus } (\mathbb {F}_{\!q}^*)^2\), let \(b = b_0 + b_1\sqrt{\gamma }\) and \(b_0, b_1, b_2 \in \mathbb {F}_{\!q}\) such that \(bb_2 \ne 0\). Our goal is to simultaneously compress points \((x, y) = (x_0 + x_1\sqrt{\gamma }, y_0 + y_1\sqrt{\gamma })\) and \((x_2, y_2)\) from the sets \(E_{b}(\mathbb {F}_{\!q^2})\), \(E_{b_2}(\mathbb {F}_{\!q})\), respectively (here \(x_j, y_j \in \mathbb {F}_{\!q}\)). This problem is relevant for pairing delegation [1] and type 4 pairings [9, Section 3] whenever the embedding degree of the curve \(E_{b_2}\) is equal to 12. In this popular case, \(E_b\) is a sextic twist of \(E_{b_2}\) over the field \(\mathbb {F}_{\!q^2}\). See [11, Section 3.2.5] to understand the significance of twists in pairing-based cryptography.

For compressing \(E_{b}(\mathbb {F}_{\!q^2})\), it is suggested to apply the method from [30]. The given method extracts a cubic root in \(\mathbb {F}_{\!q}\) in the decompression stage. Therefore, the concatenation of its result \(z_0\), \(z_1\) with \(x_2\) gives rise to the compression method for \(E_{b}(\mathbb {F}_{\!q^2}) \!\times \!E_{b_2}(\mathbb {F}_{\!q})\) with the cost of a sextic root in \(\mathbb {F}_{\!q}\), by analogy with compressing three \(\mathbb {F}_{\!q}\)-points in Sect. 4.

Table 4 exhibits a complexity comparison (all the operations are carried out in \(\mathbb {F}_{\!q}\)) of the compression-decompression methods for points in the projective or Jacobian coordinates. As is customary, the addition, subtraction, and multiplication operations in \(\mathbb {F}_{\!q}\) are omitted, because they are much cheaper. We use the fact (e.g., from [11, Section 5.2.1]) that an inverse element (resp., square root) in \(\mathbb {F}_{\!q^2}\) can be expressed via an inverse element (resp., two square roots) in \(\mathbb {F}_{\!q}\). However, to the author’s knowledge, a cubic root in \(\mathbb {F}_{\!q^2}\) is not computed through a few radicals in \(\mathbb {F}_{\!q}\). As a result, in comparison with Table 2, the new table does not contain the very slow methods with the coordinates \(y_0\), \(y_1\), \(x_2\) or \(y_0\), \(y_1\), \(y_2\).

Table 4 Worst-case complexity for compressing \(\overline{E_{b}}(\mathbb {F}_{\!q^2}) \!\times \!\overline{E_{b_2}}(\mathbb {F}_{\!q})\) (with respect to the projective or Jacobian coordinates).

The method of [30] is similar to the one of Sects. 2, 3. It is based on \(\mathbb {F}_{\!q}\)-rationality of the surface

$$\begin{aligned} GK_b:= \alpha (t)(y_0^2 + \gamma y_1^2 - b_0) - \beta (t)(2y_0y_1 - b_1) \quad \subset \quad \mathbb {A}^{\!3}_{(t,y_0,y_1)}, \end{aligned}$$

where \(\alpha (t):= 3t^2 + \gamma \) and \(\beta (t):= t(t^2 + 3\gamma )\). The latter is nothing but the generalized Kummer surface \(R_b/[\omega ]_2\) (up to a birational \(\mathbb {F}_{\!q}\)-isomorphism). Here,

$$\begin{aligned} R_b = {\left\{ \begin{array}{ll} y_0^2 + \gamma y_1^2 = \rho _0:= x_0^3 + 3\gamma x_0x_1^2 + b_0,\\ 2y_0y_1 = \rho _1:= \gamma x_1^3 + 3x_0^2x_1 + b_1 \end{array}\right. } \subset \quad \mathbb {A}^{\!4}_{(x_0,x_1,y_0,y_1)} \end{aligned}$$

is the Weil restriction (see, e.g., [37, Section 4]) of \(E_b\), equipped with the \(\mathbb {F}_{\!q}\)-automorphism

of order 3. Notice that

$$\begin{aligned} t = \dfrac{x_0}{x_1}, \qquad x_1 = \root 3 \of { \dfrac{2y_0y_1 - b_1}{\alpha (t)} } = \root 3 \of { \dfrac{y_0^2 + \gamma y_1^2 - b_0}{\beta (t)} }. \end{aligned}$$

Although [30] does not deal with the case \(q \equiv 1 \ (\textrm{mod} \ 4)\) (including the BLS12-377 curve), it is not difficult to generalize the results to the given case if desired. We are not going to do this, because our purpose is opposite, namely to specify the \(\mathbb {F}_{\!q}\)-parametrization of \(GK_b\) as clearly as possible on the example of the BLS12-381 curve (\(b_0 = b_1 = 4\) and \(\gamma = -1\)). That makes sense, since the description in [30, Section 3.1] is not sufficiently explicit.

First, \(\sqrt{6} = \sqrt{-1} \!\cdot \! \sqrt{2} \!\cdot \! \sqrt{-3} \in \mathbb {F}_{\!q}\), because \(\sqrt{-3} = 2\omega + 1 \in \mathbb {F}_{\!q}\), but \(\sqrt{2} \not \in \mathbb {F}_{\!q}\). Indeed, \(4^2 \!\cdot \! 2\) is the norm of \(b = 4(1 + \sqrt{-1})\) with respect to the extension \(\mathbb {F}_{\!q^2}/\mathbb {F}_{\!q}\) and \(\sqrt{b} \not \in \mathbb {F}_{\!q^2}\) by virtue of [30, Remark 2]. Second, there is the birational \(\mathbb {F}_{\!q}\)-isomorphism

where

$$\begin{aligned}{} & {} \textrm{num}_{z_0}:= f_0(t)y_0 + f_1(t)y_1, \qquad \textrm{num}_{z_1}:= -\sqrt{6}\!\cdot \! \alpha (t)(t^2 - 4t + 1),\\{} & {} \textrm{den}_z:= g_0(t)y_0 + g_1(t)y_1, \end{aligned}$$

and

$$\begin{aligned} \begin{array}{l} f_0(t) \,= \ 6\big ( \ (7\sqrt{6} - 13)t^3 - 13t^2 + (3\sqrt{6} - 1)t - 1 \ \big ), \\ f_1(t) \,= \ 3\sqrt{6}\!\cdot \! \alpha (t)\big ( \ (\sqrt{6} - 3)t^2 + \sqrt{6}\!\cdot \! t - 1 \ \big ), \\ g_0(t) \,= \ 3\big ( \ (\sqrt{6} + 2)t^4 + 2t^3 - 2(4\sqrt{6} - 5)t^2 + 10t - \sqrt{6} \ \big ), \\ g_1(t) \,= \ 6\alpha (t)\big ( \ (\sqrt{6} - 1)t - 1 \ \big ). \end{array} \end{aligned}$$

It turns out that

where

$$\begin{aligned}{} & {} \textrm{num}_t:= z_0^2 + 12z_1^2 - 1, \qquad \textrm{den}_t:= -2(z_0 + 6z_1^2), \qquad \textrm{den}_y:= -\sqrt{6}\cdot \alpha (t)(t^2 + 1),\\{} & {} \textrm{num}_{y_0}:= \alpha (t) \big ( F_0(t)Z_0 + F_1(t)Z_1 \big ), \qquad \textrm{num}_{y_1}:= G_0(t)Z_0 + G_1(t)Z_1,\\{} & {} Z_0:= \dfrac{z_0 \!\cdot \! \textrm{den}_t + \textrm{num}_t}{z_1 \!\cdot \! \textrm{den}_t}, \qquad Z_1:= \dfrac{1}{z_1} \end{aligned}$$

and

$$\begin{aligned} \begin{array}{l} F_0(t) \,= \ 2\big ( \ (\sqrt{6} - 1)t - 1 \ \big ), \qquad F_1(t) \,= \ (\sqrt{6} - 4)t^2 - 4t + \sqrt{6}, \\ G_0(t) \,= \ -(\sqrt{6} + 2)t^4 - 2t^3 + 2(4\sqrt{6} - 5)t^2 - 10t + \sqrt{6}, \\ G_1(t) \,= \ (\sqrt{6} + 2)t^5 + 2t^4 + 2(3\sqrt{6} - 8)t^3 - 16t^2 + (5\sqrt{6} - 2)t - 2. \end{array} \end{aligned}$$

All the written formulas are checked in Magma, namely in [27]. As usual, to compress any points from \(E_{b}(\mathbb {F}_{\!q^2})\) it remains to process the degenerate cases when the denominators equal zero. In order not to complicate the text this is left as an elementary exercise.

Appendix B. Compressing \(E_b(\mathbb {F}_{\!q^2})\) sub-optimally in such a way that decompressing is for free

Let’s stick to the notation of the previous section. This one contains formulas obtained in the same way as in [24, Section 3.1] for compressing \(E_b^2(\mathbb {F}_{\!q})\) to \(\approx 3\lceil \log _2(q)\rceil \) bits. The new formulas are very simple and important, but the author did not find them anywhere else. So, the appendix is a good place to write out them. Probably, the similar approach from [24, Section 3.2] in the 3-dimensional case may be also adapted for compressing \(E_{b}(\mathbb {F}_{\!q^2}) \!\times \!E_{b_2}(\mathbb {F}_{\!q})\) to \(\approx 4\lceil \log _2(q)\rceil \) bits.

Given a non-zero point \(P = (x,y) \in E_b(\mathbb {F}_{\!q^2})\), consider the \(\mathbb {F}_{\!q}\)-elements

$$\begin{aligned} Y:= y_0 + y_1, \qquad Y_1:= \dfrac{2(\rho _0 - Y^2) + (\gamma + 1)\rho _1}{2(\gamma - 1)Y}. \end{aligned}$$

Obviously, \(\gamma \ne 1\). By looking at the defining equations of \(R_b\), it is readily checked (see also [27]) that \(y_1 = Y_1\) whenever \(Y \ne 0\). Therefore, we get the compression map

$$\begin{aligned}{} & {} \textrm{com}\!: E_b(\mathbb {F}_{\!q^2}) \setminus \{\mathcal {O}\} \ \hookrightarrow \ \mathbb {F}_{\!q}^3 \!\times \! \{0,1\}\\{} & {} \textrm{com}(P):= \left\{ \! \begin{array}{ll} ( x_0, x_1, y_1, 0 ) &{} \quad \textrm{if} \quad Y = 0, \\ ( x_0, x_1, Y, 1 ) &{} \quad \textrm{otherwise}. \end{array}\right. \end{aligned}$$

The corresponding decompression map has the form

Table 5 exhibits a complexity comparison (all the operations are carried out in \(\mathbb {F}_{\!q}\)) of the compression-decompression methods for \(\mathbb {F}_{\!q^2}\)-points on \(E_{b}\). It is worth noting that all the remarks given for Table 4 still hold for the new one.

Table 5 Worst-case complexity for compressing \(\overline{E_{b}}(\mathbb {F}_{\!q^2})\) (with respect to the projective or Jacobian coordinates)