Okay, thank you. Just a few words of introduction. This talk was to be given by my colleague, Rob Granger. Unfortunately, he was subject to one of those random events. He was attacked and he was knocked unconscious. And he's okay now, he's well, but he couldn't make it to the conference, right? So I'm here to give the talk in his place. He feels perfectly well. He says he looks like a bus hit him, which doesn't sound too good, but he'll be okay. So one issue we have here is that it's me talking and it's Rob's slides. So you'll forgive me if occasionally we get out of synchronism with one another. Well, I'll do my best to do justice to Rob's slides. Okay, the talk is in three parts: motivation and results, then the method we use, and finally some applications of our results. Okay, here's the starting point. Consider basically an extension field, right? And the properties thereof, right? Now, of course, when we do cryptography, we're interested in fields. We're interested in prime order groups within fields. And in that setting, we can do a lot of crypto. Of course, we're particularly interested in doing the crypto efficiently. So in the multiplicative field setting, we're interested in fast exponentiation. And in the additive field, in the nomenclature of elliptic curves, we're interested in fast doubling and adding. And I guess we're particularly interested, or might be curious, about places where squaring is particularly fast, because in the classic square-and-multiply algorithm or double-and-add algorithm, the time-critical, the bottleneck operation there is the doubling or the squaring, right? Because for the adding and multiplication, we can use windowing methods and reduce their overall significance. So we're particularly interested in groups where doubling is fast or where squaring is fast, right? An example would be supersingular elliptic curves over characteristic two, right? Where doubling is almost free, right?
Of course, with supersingular elliptic curves over characteristic two, there's a problem with them. They fail the famous MOV condition. So cryptographers got rid of them and said, don't use them, right? Then of course, pairings were discovered and the cryptographers said, ah, these are actually ideal. Come back and use them again. And the fast doubling behavior in these kinds of groups is particularly useful. It means that we can implement things particularly efficiently. For example, we have the eta-T pairing, which is based on earlier work by Duursma and Lee, which very much exploits the fact that point doubling is very, very efficient compared to point addition, right? But anyway, coming back to the multiplicative setting and the field we're considering here, we might also be particularly interested in settings where squaring is particularly fast, right? Because then a square-and-multiply algorithm would be particularly efficient, right? So let's look at a generator, and let's look at the problem under consideration, the problem of squaring that element, right? Well, let's first of all assume that our element alpha belongs to a proper subgroup of the full field, right? And of course, the number of elements in the extension field, for q to the n, is q to the n minus one, and q to the n minus one, of course, has a well-known factorization into cyclotomic polynomials, right? So we use the notation phi subscript d to indicate the d-th cyclotomic polynomial. And of course, the cyclotomic polynomial divides q to the power of d minus one, where d is any divisor of n, right? So we've got this subgroup embedded into the full field. Right, so this is our important definition, cyclotomic subgroups, that's what we're talking about. That's the context, that's the setting, right? So we use the notation G subscript phi n of q to indicate the cyclotomic subgroup embedded in the extension field, right? And phi n of q is the order of the generator alpha.
So alpha to the power of phi n of q is equal to one, right? And phi n of q, of course, phi n is irreducible so it can be a prime number, right? So we've got prime order groups. We're in a setting where we can do crypto. We can do ElGamal, we can do all those nice algorithms, right? So that's the setting. Why don't we do crypto in there, right? One question that arises is, can one square elements in this cyclotomic subgroup faster than one can square general elements, right? And that's the question that we're going to answer, and we're going to answer it positively. Now, what's motivating all this? Why are we looking into this? Well, the motivation is, as my earlier remarks might have indicated, our interest in pairing-based cryptography, right? Pairing-based cryptography requires an efficiently computable, non-degenerate bilinear pairing, and you've all seen this notation, I'm sure, before. The pairing itself is protected by a bodyguard of hard problems, right? And it's important that all those bodyguards be up to the job, right? So we've got to have hard discrete logarithm problems in terms of G1, G2, and the target group GT, right? And of course, we also need to be able to calculate the pairing efficiently, right? That's very important. I notice every time that it's quite common for other cryptographers, when they mention the word pairing, to put the adjective costly in front of it, right? Which is, I suppose, what a lot of us are putting a lot of work into, certainly, not exactly removing that adjective but at least kind of playing it down a little bit, because pairings are expensive, all right? I mean, they're always going to be more expensive than a point multiplication on the elliptic curve. But really, a lot of workers have been working hard, and the cost of the pairing has been incrementally driven down by the work of lots of people, right? But anyway, we need it to be efficient. So what pairing? As you know, there's lots of pairings.
This is where things could potentially get out of hand in terms of getting confusing. There's the Weil pairing, there's the Tate pairing, there's the ate pairing, there's the R-ate pairing. Here's one, perhaps the most common type of pairing, out of which the fastest pairings are all derived, and this is the Tate pairing, right? So we see the Tate pairing takes its parameters, the elements, from G1 and G2 to produce an r-th root of unity as the output. Now, what about the security level? Well, we've got to make sure the security level balances up at all levels. So the security levels we're traditionally interested in are the equivalent to AES: 80-bit, 128-bit, 192-bit, and 256-bit, right? To achieve that, our group size has got to be basically twice that to protect us from square root attacks. So it's got to be 162, 256, 384, 512, right? However, the pairing evaluates as an element in the extension field, and here we're vulnerable to index calculus attacks. So here we need to ramp up the size of p to the power of k appropriately, right? To maintain the appropriate level of security. And as we know, at 80-bit, 1,024 bits is regarded as approximately the right level, and those numbers increase quite rapidly because of the efficiency of index calculus methods as we go to higher levels of security. So what does this imply for the pairing? Well, it has immediate implications for the appropriate optimum choice of the embedding degree k, right? So the k value should basically be like 1,024 divided by 160, which is approximately six, right? 3,072 divided by 256 is 12, right? So this suggests the kind of embedding degree that we should be using. The water's muddied a little by this rho parameter, which depends on the particular pairing-friendly curve that we're using. We would like rho to be equal to one. Sometimes we actually get that, for example with BN curves with k equals 12. Other times, though, we come reasonably close to rho being equal to one. So that's not a huge issue.
So the kind of embedding degrees we were looking at would be k equals 6, 12, 18, 24, 30, 36. These seem to be good values to give us the full spread across all levels of security. Now you may notice there's a particular choice of values of k there. They're all divisible by six, right? So let me kind of maybe justify that a little bit. If the embedding degree is divisible by two, we can use the quadratic twist to represent points, elements, in G2. Now we've got these groups G1, G2, and GT. It's important that we try and keep those group sizes as small as possible. Now we can keep G1 small by doing that over the base field, right? To keep G2 small with type three pairings is a little bit more problematic, right? And what can help us here is if we use curves with the maximum available twist, right? So if k is equal to two, we can always use the quadratic twist, right? That means G2 is half the size it would otherwise have to be. But there are other situations where we can do even better. It turns out that pairing-friendly curves often have a very small CM discriminant, right? Typically one or three. And under these circumstances, if k is divisible by four or divisible by six, we can use either the quartic twist for G2 or the sextic twist for G2, right? Now just to give you an indication as to what the advantage of that is, G2 could be, sorry, the extension field, k could be equal to 36, right? So that's a 36th-degree extension that we need to do some arithmetic in. We'd rather not be handling G2 over that full extension. And we don't have to. By putting it on the sextic twist, 36 divided by six is six. G2 can be represented over just a sextic extension, which is a much smaller value to be moving around, to be doing arithmetic with. So the advantages are fairly obvious. Other advantages of these particular values of k? Well, compression. We can compress the output size of the pairing, right? And for two divides k, we can compress by a factor of two.
For four divides k, we can again compress by a factor of two. But if six divides k, we can do a little bit better, and we can compress by a factor of three, which is good. And finally, what about calculations in GT? Well, if two divides k, we've got a fast squaring method that I'll describe in a minute. If four divides k, we've also got a fast method. But this is where we're going to concentrate, down here. This optimal case, really, where six divides k, and here we're going to give some very fast formulae for doing squarings in the group GT. So that contextualizes what we're trying to do. Okay, let's move to our main result. Well, let's first of all restrict q equals one mod six. And this, typically we're working over a prime characteristic field. And if this is going to be a pairing-friendly curve, in fact, q must be one mod six. So this is the setting that arises in the context of pairings, right? So here we've got the cyclotomic subgroup that we're interested in. And we're going to present a method to do the squaring twice as fast as that for squaring a general element over the full field, right? And as we'll see, we get some nice results. And why is the result significant? Well, it applies in particular to one of the important parts of the calculation in the pairing. The pairing, as you may be aware, has the Miller loop and the final exponentiation. This optimization that we're going to show you applies directly to the final power, right? The final exponentiation. And it gives us a nice speed-up in that setting. It also applies to post-pairing arithmetic, when you're doing further arithmetic on the value of the pairing. It also applies to torus-based crypto. And it also arises in the context of some draft standards that are coming out. Now, Koblitz and Menezes simplified things for us all by introducing the concept of a pairing-friendly field, a particularly simple field in which to operate.
And in this pairing-friendly field, the restriction is that p should be congruent to one mod 12, which is a little over-restrictive. In our paper, we go on at some length about this, in the full paper. And we're going to restrict ourselves to k having only factors of two or three, right? So k is restricted to two to the a times three to the b, for a greater than or equal to one and b greater than or equal to zero, right? Then that's what Koblitz and Menezes refer to as a pairing-friendly field, a PFF, right? And in this setting, well, we get a nice, simple binomial irreducible polynomial to work over. And we also have this nice simple way of writing down the cyclotomic polynomial, right? This identity is clearly true, right? And after a little bit of staring at this for long enough, you see this nice condition at the bottom here. Can I wiggle around and point at it? See this nice relationship down here, which shows us that we only really need to deal with the sixth extension, because that covers all cases for all values of k, right? So that's a simplifier. Now, let's look first of all at the quadratic extension field, the simplest case possible, the quadratic extension field. In fact, all the main results are in already, and the work's already been done by others in this regard. So we're just kind of warming you up with this description, right? If you've got an element in this quadratic extension field, let's consider squaring a general element, right? And the element we'll write as a plus bx. And for those of you who, well, it's basically complex arithmetic, which is perhaps the way to think about it, right? This relationship is well known even to people in secondary schools, right? So we want to calculate alpha squared. Well, we just square it in the normal way. And of course, x squared is equal to i, right? So we can do a substitution over there. And we end up with this equation for the product, right?
And when we calculate its cost, we see its cost is two multiplications, right? One multiplication here, and one multiplication, oops, of a times b, right? And you'll notice if i is minus one, that term actually disappears, the term I'm currently pointing at. So we get a nice simple relationship. Overall cost, two multiplications, 2M, right? Right, now let's assume that alpha isn't just a general element. It's an element of the second cyclotomic subgroup, right? In which case, we know that alpha to the power of q plus one equals one, because q plus one is the second cyclotomic polynomial, right? Which we can rewrite as alpha to the q times alpha equals one. And with a little bit of elementary manipulation here, we can see that alpha to the q, using the Frobenius, is basically the conjugate of alpha, right? So alpha to the q is the conjugate of alpha, right? So therefore, exploiting that, we get alpha times its conjugate is equal to one, and multiplying that out, we see that a squared minus i b squared equals one. So interestingly, in this cyclotomic subgroup, a and b are not independent of one another. They're tied to one another. We've got this extra constraint, which basically ties a to b, as in this relationship, a squared minus i b squared equals one. Now, we can exploit that immediately, plug it back into our squaring formula, and as pointed out by Stam and Lenstra in their paper, 2002 or 2003, I'm not sure, we get this identity here. And now you can see the cost has been reduced to two squarings, one squaring there, and one squaring there. So we've gone from two multiplications to two squarings, right, and this is, as I say, the observation first of all of Stam and Lenstra, right? Now, that's an improvement, right? Two multiplications to two squarings.
Now, if we're just working over the quadratic extension, you might say, nah, the improvement isn't great, because the difference between a multiplication and a squaring over the base field, often the factor is quoted as 0.85 or something like that. However, this improvement has much greater implications when it's at the top of a deep tower of extensions, right? So for example, if you're doing a multiplication, sorry, a squaring on the 36th-degree extension field, right? You can actually do that with just two squarings on the 18th-degree extension, 36 divided by two is 18, right? And that optimization then ripples right down through the tower, and the improvement becomes actually quite significant. So this is important in pairing-based crypto, where we use large extension degrees, right? Again, we can simplify if i is equal to one. Okay, so that's Stam and Lenstra from 2003. And of course, you can also use their method, since a sixth extension is two times three. It can be used in that context as well. And Stam and Lenstra also, they were working very much in the context, they were very interested at the time in the XTR cryptosystem, right? So they were very interested in the sixth extension, right, specifically, right? And they obtained a further, a very nice result, where they could do a squaring very quickly over the cyclotomic field, right? But unfortunately, perhaps because they were working in the context of XTR, they had this restriction to q equal to two or five mod nine. And in the pairing-friendly context, that doesn't cover our case, which is q equal to one mod three, right? So also, another group had a go at this problem, Granger, Page, and Smart. And they obtained some formulae, but it turns out they're not quite as good as ours, right? So this is where we come in, right? Prior methods used equations in the subfields F_q and F_q-cubed, but not in F_q-squared. And this is where we got lucky, and we got in there and got a nice result.
Okay, now let's look at the representation of the sixth extension, right? And there's one way of representing it, fairly obviously. And there's a couple of ways of looking at that. You can look at it as a cubic extension of a quadratic, or a quadratic extension of a cubic. You can have a three-over-two tower or a two-over-three tower, right? So we actually are going to look at it in terms of a three-over-two tower, in which case we can represent elements like this, right? So let's go ahead and just do a squaring on that. And if we do a squaring, we end up with this, which ends up with this, right? So there's the effect of squaring a plus bx plus c x squared, for small a, b, and c. And here's the squared value, capital A, capital B, capital C. And the total amount of work, you can add it up. One squaring, two squarings, three squarings, one multiplication, two multiplications, three multiplications: three multiplications and three squarings, right? Not bad, but no prize, really. It turns out that Chung and Hasan came and looked at this again, and they came up with a better way of doing it, which just requires four squarings and one multiplication. But we're gonna do even better still, right? Basically, we're gonna make use of the extra condition that applies to elements in the cyclotomic subfield, and there you can see it at the top. We've got this extra condition, right? And this is what we're going to exploit, right? So we exploit this, whoops, in a fairly elementary way. From here, the development was actually quite fun, it was quite enjoyable, all quite elementary stuff, right? We do an expansion, we do a comparison of both sides. So we end up with this nice condition here. This is how this constraint eventually works its way out. And you can see now b times c must be equal to a squared minus a bar. So I can represent this product in terms of this square, which I've calculated already, right?
So you can see where this is going, and you can see how this is gonna work. So doing a simple solution, simple manipulation, we end up with values for bc, ab, and ac. Substituting them back into our original squaring formula, then we end up with our result, right? And here you can see it here. These rather beautiful equations, I think you may or may not agree, right? They have a nice elementary shape to them, and three squarings, right? Three squarings, right? So that's pretty good. This is in a cubic extension over a quadratic, right? So we're multiplying, we're squaring rather, in a cubic extension, and we get away with just three, three squarings, that's almost linear, which is probably the best that you can do. Most often when you do a multiplication, things get quadratic, but here it's virtually linear. And you can see these are very practical formulae, in that there's very little extra work above and beyond the squarings, right? Okay, we've gotta multiply by two, that's an addition. Multiply by three, that's two additions. We've got a subtraction, right? But the other overhead, with some settings, in some other contexts, better formulae, asymptotically, might turn out to be not as good in practice. These are actually good practical equations that give us a good practical speed-up, right? So there, well, that's just another way of looking at it. So let's come down to operation counts. This is Stam and Lenstra. We're only using their quadratic extension idea. If you do that, let's look at an embedding degree of k equals 24, it comes in at 72M. We come in at a cost of 54M, which is rather better. And over here, using the Granger, Page and Smart solution, it's even more expensive, right? So not surprisingly, with these simple, elegant, rather nice formulae, we do rather better. Okay, let's talk about BN curves, right? Which are probably the most popular type of pairing-friendly curve. Well, there are the equations that parameterize them.
So we can obviously use our construction because the embedding degree is 12. So that's the sextic extension over the quadratic F_p squared, right? And that's clearly a good way of going about it. And if we do it and implement it and use this formula, we notice that the cost of the final exponentiation goes down from nearly 6,000 M to approximately 48,000 M, an improvement of more than 20%. So there, the final exponentiation is about half the overall calculation time of the pairing. So overall, pairings have suddenly got 10% faster, right? And we were delighted to see that Naehrig and his coworkers recently set a record for the calculation of the pairing on BN curves, and that they used our new formula as part of their optimizations, right? So I think that justifies what we've done. This is torus-based cryptography, which I know is a type of cryptography very close to Rob Granger's heart. Actually, when I saw this slide, I thought TBC meant to be continued. So that shows how much I know about torus-based cryptography, right? Actually very little, but Rob assures me that these equations have application here as well. Okay. We looked at various extensions of the idea. Can we take these nice formulae to higher powerings? Well, we had a look, but nothing nice came out, basically. So there, anyway, to summarize, basically our method provides the fastest available squaring in the cyclotomic subgroup for pairing-based cryptography, right? It's conceptually simple, and from its generalization, right? It's highly applicable, so it's immediately useful. It's ideal for torus-based cryptography, and it looks like it'll slot nicely into the developing standards for pairing-based cryptography. I guess that's the end. That is the end.
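The squaring described in the talk, worked through on a toy field as an added example that is not code from the paper or the speakers. It builds a Koblitz-Menezes style tower F_{q^2} = F_q[y]/(y^2 - beta) and F_{q^6} = F_{q^2}[z]/(z^3 - y) (the three-over-two tower of the talk) over the constructed prime q = 43, which is 1 mod 6; it projects random elements into the cyclotomic subgroup G_{Phi_6(q)} and checks the three-squaring formulae of the Granger-Scott paper, A = 3a^2 - 2a-bar, B = 3ic^2 + 2b-bar, C = 3b^2 - 2c-bar (re-derived here from the constraint i*bc = a^2 - a-bar that the talk mentions and its two companions), against schoolbook squaring, and does the same for the Stam-Lenstra two-squaring formula in G_{Phi_2(q)}. All function names, the prime, and the choice of beta are this example's own assumptions.

```python
"""Cyclotomic-subgroup squaring on a toy pairing-friendly tower (constructed example)."""
import random

Q = 43  # constructed toy prime with Q = 1 (mod 6); real pairing fields are hundreds of bits


def find_beta(q):
    """Smallest beta in F_q that is neither a square nor a cube, so x^6 - beta is irreducible."""
    for beta in range(2, q):
        if pow(beta, (q - 1) // 2, q) != 1 and pow(beta, (q - 1) // 3, q) != 1:
            return beta
    raise ValueError("no non-square non-cube found")


BETA = find_beta(Q)
BETA_INV = pow(BETA, Q - 2, Q)

# ---- F_{q^2}: pairs (a0, a1) standing for a0 + a1*y with y^2 = BETA ----
def f2_add(u, v): return ((u[0] + v[0]) % Q, (u[1] + v[1]) % Q)
def f2_sub(u, v): return ((u[0] - v[0]) % Q, (u[1] - v[1]) % Q)
def f2_scale(k, u): return (k * u[0] % Q, k * u[1] % Q)
def f2_mul(u, v): return ((u[0] * v[0] + BETA * u[1] * v[1]) % Q, (u[0] * v[1] + u[1] * v[0]) % Q)
def f2_sqr(u): return f2_mul(u, u)
def f2_conj(u): return (u[0], (-u[1]) % Q)  # u^q: y^q = -y because BETA is a non-square


def f2_pow(u, e):
    r, base = (1, 0), u
    while e:
        if e & 1: r = f2_mul(r, base)
        base = f2_sqr(base); e >>= 1
    return r


def f2_sqr_cyclotomic(u):
    """Stam-Lenstra squaring in G_{Phi_2(q)}: exploits a^2 - BETA*b^2 = 1, two base-field squarings."""
    a, b = u
    a2 = a * a % Q
    b2 = (a2 - 1) * BETA_INV % Q              # b^2 recovered from the constraint, no squaring needed
    return ((2 * a2 - 1) % Q, ((a + b) ** 2 - a2 - b2) % Q)


# ---- F_{q^6}: triples (a, b, c) over F_{q^2} standing for a + b*z + c*z^2 with z^3 = I = y ----
I = (0, 1)
F6_ONE = ((1, 0), (0, 0), (0, 0))
PHI6 = Q * Q - Q + 1


def f6_mul(u, v):
    a, b, c = u; d, e, f = v
    A = f2_add(f2_mul(a, d), f2_mul(I, f2_add(f2_mul(b, f), f2_mul(c, e))))  # z^3 = I
    B = f2_add(f2_add(f2_mul(a, e), f2_mul(b, d)), f2_mul(I, f2_mul(c, f)))  # z^4 = I*z
    C = f2_add(f2_add(f2_mul(a, f), f2_mul(b, e)), f2_mul(c, d))
    return (A, B, C)


def f6_sqr_generic(u):
    """Schoolbook squaring of an arbitrary element: 3 multiplications + 3 squarings in F_{q^2}."""
    a, b, c = u
    A = f2_add(f2_sqr(a), f2_scale(2, f2_mul(I, f2_mul(b, c))))
    B = f2_add(f2_scale(2, f2_mul(a, b)), f2_mul(I, f2_sqr(c)))
    C = f2_add(f2_sqr(b), f2_scale(2, f2_mul(a, c)))
    return (A, B, C)


def f6_sqr_cyclotomic(u):
    """Granger-Scott squaring, valid only for u in G_{Phi_6(q)}: 3 squarings in F_{q^2} plus
    conjugations and small constants (multiplying by I is a coefficient swap and one scaling)."""
    a, b, c = u
    A = f2_sub(f2_scale(3, f2_sqr(a)), f2_scale(2, f2_conj(a)))
    B = f2_add(f2_scale(3, f2_mul(I, f2_sqr(c))), f2_scale(2, f2_conj(b)))
    C = f2_sub(f2_scale(3, f2_sqr(b)), f2_scale(2, f2_conj(c)))
    return (A, B, C)


def f6_pow(u, e):
    r, base = F6_ONE, u
    while e:
        if e & 1: r = f6_mul(r, base)
        base = f6_sqr_generic(base); e >>= 1
    return r


def to_cyclotomic(u):
    """Project u != 0 into G_{Phi_6(q)}: the cofactor (q^6 - 1)/Phi_6(q) equals (q^3 - 1)(q + 1)."""
    return f6_pow(u, (Q ** 3 - 1) * (Q + 1))


def fast_square_agrees(u):
    """True when the subgroup-only formula matches schoolbook squaring for this element."""
    return f6_sqr_cyclotomic(u) == f6_sqr_generic(u)


def check(trials=50, seed=1):
    """Random test: fast formulae agree with schoolbook squaring on G_{Phi_6(q)} and G_{Phi_2(q)}."""
    rng = random.Random(seed)
    for _ in range(trials):
        u = tuple((rng.randrange(Q), rng.randrange(Q)) for _ in range(3))
        if u == ((0, 0),) * 3: continue
        alpha = to_cyclotomic(u)
        if f6_pow(alpha, PHI6) != F6_ONE or not fast_square_agrees(alpha):
            return False
        w = (rng.randrange(Q), rng.randrange(Q))
        if w == (0, 0): continue
        beta2 = f2_pow(w, Q - 1)                 # order divides Phi_2(q) = q + 1
        if f2_conj(w) != f2_pow(w, Q) or f2_sqr_cyclotomic(beta2) != f2_sqr(beta2):
            return False
    return True


if __name__ == "__main__":
    print("q =", Q, "beta =", BETA, "fast squaring agrees on the subgroup:", check())
```

Run it directly to see the random check pass. The point a practitioner should take from `fast_square_agrees` is that the three-squaring formula is only an identity on the cyclotomic subgroup: applied to an element outside it (try `((2, 0), (0, 0), (0, 0))`, i.e. the base-field element 2) it silently returns a wrong value rather than failing, so an implementation must only switch to it once the element is known to be in G_{Phi_6(q)}, for instance after the easy part of the final exponentiation has projected the Miller loop output into that subgroup.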