Computing Optimal 2-3 Chains for Pairings

  • Conference paper
Progress in Cryptology -- LATINCRYPT 2015 (LATINCRYPT 2015)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 9230)

Abstract

Using double-base chains to represent integers, in particular chains with bases 2 and 3, can be beneficial to the efficiency of scalar multiplication and the computation of bilinear pairings via (a variation of) Miller’s algorithm. For one-time scalar multiplication, finding an optimal 2-3 chain could easily be more expensive than the scalar multiplication itself, and the associated risk of side-channel attacks based on the difference between doubling and tripling operations can produce serious complications to the use of 2-3 chains.

The situation changes when the scalar is fixed and public, as in the case of pairing computations. In such a situation, performing some extra work to obtain a chain that minimizes the cost associated to the scalar multiplication can be justified as the result may be re-used a large number of times. Even though this computation can be considered “attenuated” over several hundreds or thousands of scalar multiplications, it should still remain within the realm of “practical computations”, and ideally be as efficient as possible.

An exhaustive search is clearly out of the question as its complexity grows exponentially in the size of the scalar. Up to now, the best practical approaches consisted in obtaining an approximation of the optimal chain via a greedy algorithm, or using the tree-based approach of Doche and Habsieger, but these offer no guarantee on how good the approximation will be. In this paper, we show how to find the optimal 2-3 chain in polynomial time, which leads to faster pairing computations. We also introduce the notion of “negative” 2-3 chains, where all the terms (except the leading one) are negative, which can provide near-optimal performance but reduces the types of operations used (reducing code size for the pairing implementation).

This research was supported by FONDECYT grant 1151326 (Chile).
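
To make the abstract's comparison concrete, the following added example (not code from the paper, and not its Algorithm 2) finds a cheapest 2-3 chain by memoized search over the Horner form of the scalar and compares it with a simplified one-branch tree heuristic. The cost weights D, T, A and all function names are assumptions chosen for illustration.

```python
from functools import lru_cache

# Assumed relative costs of one doubling, tripling and addition step
# (constructed weights for illustration, not taken from the paper).
D, T, A = 10, 16, 12

def value(terms):
    """Evaluate a chain given as (sign, a, b) terms, i.e. sign * 2**a * 3**b."""
    return sum(s * 2**a * 3**b for s, a, b in terms)

@lru_cache(maxsize=None)
def optimal(n):
    """Cheapest 2-3 chain for n >= 1 as (cost, terms), lowest term first."""
    if n == 1:
        return 0, ((1, 0, 0),)
    best = None
    for s in (0, 1, -1):                  # s = 0: no term at this level
        m = n - s                         # s = +-1: emit the term s, pay A
        for p, step, da, db in ((2, D, 1, 0), (3, T, 0, 1)):
            if m % p:
                continue                  # the rest must be a multiple of 2 or 3
            c, sub = optimal(m // p)
            head = ((s, 0, 0),) if s else ()
            tail = tuple((t, a + da, b + db) for t, a, b in sub)
            cand = (c + step + (A if s else 0), head + tail)
            if best is None or cand[0] < best[0]:
                best = cand
    return best

def strip(m):
    """Remove every factor 2 and 3 from m."""
    for p in (2, 3):
        while m % p == 0:
            m //= p
    return m

def heuristic(n):
    """One-branch tree search: at each cofactor coprime to 6, pick the locally better of n-1, n+1."""
    cost, terms, a, b = 0, [], 0, 0
    while True:
        while n % 2 == 0:
            n, a, cost = n // 2, a + 1, cost + D
        while n % 3 == 0:
            n, b, cost = n // 3, b + 1, cost + T
        if n == 1:
            return cost, tuple(terms + [(1, a, b)])
        s = min((1, -1), key=lambda sign: strip(n - sign))
        terms.append((s, a, b))
        n, cost = n - s, cost + A
```

Both functions return chains whose exponents of 2 and 3 never decrease from the lowest term to the leading one, so `value(terms)` always reproduces the scalar; the heuristic's cost is an upper bound on the cost returned by `optimal` under the same weights.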

References

  1. Aranha, D.F., Karabina, K., Longa, P., Gebotys, C.H., López, J.: Faster explicit formulas for computing pairings over ordinary curves. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 48–68. Springer, Heidelberg (2011)

  2. Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M.: Efficient algorithms for pairing-based cryptosystems. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 354–369. Springer, Heidelberg (2002)

  3. Blake, I.F., Murty, V.K., Xu, G.: Refinements of Miller’s algorithm for computing the Weil/Tate pairing. J. Algorithms 58, 134–149 (2006)

  4. Blake, I.F., Seroussi, G., Smart, N.P.: Advances in Elliptic Curve Cryptography. London Mathematical Society Lecture Note Series, vol. 317. Cambridge University Press, Cambridge (2005)

  5. Bernstein, D.J., Birkner, P., Lange, T., Peters, C.: Optimizing double-base elliptic-curve single-scalar multiplication. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 167–182. Springer, Heidelberg (2007)

  6. Capuñay, A.: Multibase Scalar Multiplications in Cryptographic Pairings. Preprint (2015)

  7. Ciet, M., Joye, M., Lauter, K., Montgomery, P.L.: Trading inversions for multiplications in elliptic curve cryptography. Des. Codes Crypt. 39(2), 189–206 (2006)

  8. Dimitrov, V.S., Imbert, L., Mishra, P.K.: Efficient and secure elliptic curve point multiplication using double-base chains. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 59–78. Springer, Heidelberg (2005)

  9. Dimitrov, V.S., Jullien, G.A., Miller, W.C.: An algorithm for modular exponentiation. Inform. Process. Lett. 66(3), 155–159 (1998)

  10. Doche, C., Habsieger, L.: A tree-based approach for computing double-base chains. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 433–446. Springer, Heidelberg (2008)

  11. Eisenträger, K., Lauter, K., Montgomery, P.L.: Fast elliptic curve arithmetic and improved Weil pairing evaluation. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 343–354. Springer, Heidelberg (2003)

  12. Miller, V.S.: The Weil pairing, and its efficient calculation. J. Crypt. 17(4), 235–261 (2004)

Acknowledgements

The authors would like to thank the anonymous referees for their useful comments and suggestions.

Author information

Correspondence to Nicolas Thériault.

Appendices

A Proofs of Lemmas and Theorems

Proof

(Corollary 1). Since the tables process the updates from the values of \(n_{i,j}\), \(n_{i-1,j}\) and \(n_{i,j-1}\), and not \(\overline{n}_{i,j}\), \(\overline{n}_{i-1,j}\) and \(\overline{n}_{i,j-1}\), we must use Eq. 4, hence the distinctions between the cases \(n_{i-1,j}=0\) vs. \(n_{i-1,j}>0\) and \(n_{i,j-1}=0\) vs. \(n_{i,j-1}>0\).

Applying Lemma 3 to the cases \(n_{i-1,j}=0\) and \(n_{i,j-1}=0\) (with Eqs. 5 and 6) is straightforward.

To complete Table 1 we deal with two cases: If \(n_{i,j}=n_{i-1,j}\), then \(n_{i,j}=\overline{n}_{i-1,j}+2^{i-1}3^j\) and \(\overline{n}_{i,j}=n_{i-1,j}-2 \cdot 2^{i-1}3^j=\overline{n}_{i-1,j}-2^{i-1}3^j\). If \(n_{i,j}=n_{i-1,j}+2^{i-1}3^j\), then \(n_{i,j}=\overline{n}_{i-1,j}+2 \cdot 2^{i-1}3^j\) and \(\overline{n}_{i,j}=n_{i-1,j}-2^{i-1}3^j=\overline{n}_{i-1,j}\). We can then apply Lemma 3 to each case.

To complete Table 2 we deal with three cases: If \(n_{i,j}=n_{i,j-1}\), then \(n_{i,j}=\overline{n}_{i,j-1}+2^i3^{j-1}\) and \(\overline{n}_{i,j}=n_{i,j-1}-3 \cdot 2^{i-1}3^j=\overline{n}_{i-1,j}-2 \cdot 2^{i-1}3^j\). If \(n_{i,j}=n_{i,j-1}+2^i3^{j-1}\), then \(n_{i,j}=\overline{n}_{i,j-1}+2 \cdot 2^i3^{j-1}\) and \(\overline{n}_{i,j}=n_{i,j-1}-2 \cdot 2^{i-1}3^j=\overline{n}_{i-1,j}-2^{i-1}3^j\). If \(n_{i,j}=n_{i,j-1}+2 \cdot 2^i3^{j-1}\), then \(n_{i,j}=\overline{n}_{i,j-1}+3 \cdot 2^i3^{j-1}\) and \(\overline{n}_{i,j}=n_{i,j-1}-2^{i-1}3^j=\overline{n}_{i-1,j}\). We can then apply Lemma 3 to each case.   \(\square \)

Proof

(Lemma 4). We observe that \(\mathscr {C}_{0,0}=0=\overline{\mathscr {C}}_{0,0}\) (since \(n_{0,0}=0=\overline{n}_{0,0}\)), so at the “starting point” of the algorithm both chains exist. The result is then easily obtained by (double) induction. Table 1 ensures that at least one of the two chains exists when going from position \((i-1,j)\) to position \((i,j)\), and Table 2 ensures that at least one of the two chains exists when going from position \((i,j-1)\) to position \((i,j)\).    \(\square \)

Proof

(Theorem 1). From Definitions 4, 5, and 6, neither \(C_{i,j}\) nor \(2^i3^j+\overline{C}_{i,j}\) can be a chain for n if \(i < i_j\). We now show that chains \(C_{i,j}\) and \(2^i3^j+\overline{C}_{i,j}\) need not be considered for \(i > i_j\).

Let C be a chain with largest term \(2^i3^j\) with \(i>i_j\), and let \(\pm 2^a 3^b\) be its first term with \(a>a_b\) (using the same definition as \(i_j\)). We define two subchains: \(C_{low}=C_{a,b}\) or \(\overline{C}_{a,b}\) (depending on the sign of its largest term), and \(C_{high}\), which consists of all the terms which are multiples of \(2^a 3^b\). Due to the growth in a 2-3 chain (by factors of 2 and 3), any chain with terms bounded above by \(2^r3^s\) represents a number between \(-(2^r3^s-1)\) and \(2^r3^s-1\). Since none of the terms in \(C_{high}\) can affect the remainder modulo \(2^a3^b\), \(C_{low}\) must then represent either n or \(n-2^a3^b\). If \(C_{low}\) represents n, then it is a better chain than C. If \(C_{low}\) represents \(n-2^a3^b\), then \(2^a3^b+C_{low}\) is a better chain than C unless they are equal.

We can therefore restrict the search of a minimal chain for n to chains of the form \(C_{i,j}\) and \(2^i3^j+\overline{C}_{i,j}\) where \(i=i_j\). From Lemma 2, all subchains of a minimal chain must also be minimal, so we can restrict ourselves to the chains \(C_j\) and \(\overline{C}_j\) produced by Algorithm 2.    \(\square \)

Proof

(Theorem 2). Since \(0 \le i \le \lceil \log _2(n+1) \rceil \) and \(0 \le j \le m \le \lceil \log _3(n+1) \rceil \), there are clearly \(O((\log n)^2)\) steps in Algorithm 2. The operations performed at each step are easily bounded by \(O((\log n)^2)\) bit operations. The algorithm produces \(2(\lceil \log _3(n+1) \rceil +1)\) chains (\(C_j\) and \(\overline{C}_j\)), each consisting of a sum of at most \(\lceil \log _2(n+1) \rceil +1\) terms of size bounded by 2n, from which the result follows directly.    \(\square \)

B Update Tables for Optimal Chains

Table 3. Possible sources of \({C_{i,j}}^{(k)}\) when multiplying by 2 (\({C_{i,j}}^{(3)}\) not possible)
Table 4. Possible sources of \({\overline{C}_{i,j}}^{(k)}\) when multiplying by 2 (\({\overline{C}_{i,j}}^{(3)}\) not possible)
Table 5. Possible sources of \({C_{i,j}}^{(k)}\) when multiplying by 3 (\({C_{i,j}}^{(2)}\) not possible)
Table 6. Possible sources of \({\overline{C}_{i,j}}^{(k)}\) when multiplying by 3 (\({\overline{C}_{i,j}}^{(2)}\) not possible)
Table 7. Cost updates for \({C_{i,j}}^{(k)}\) and \({\overline{C}_{i,j}}^{(k)}\)

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Capuñay, A., Thériault, N. (2015). Computing Optimal 2-3 Chains for Pairings. In: Lauter, K., Rodríguez-Henríquez, F. (eds) Progress in Cryptology -- LATINCRYPT 2015. LATINCRYPT 2015. Lecture Notes in Computer Science, vol 9230. Springer, Cham. https://doi.org/10.1007/978-3-319-22174-8_13

  • DOI: https://doi.org/10.1007/978-3-319-22174-8_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-22173-1

  • Online ISBN: 978-3-319-22174-8

  • eBook Packages: Computer Science (R0)
