Results 1 - 10
of
98
Efficient Pairing Computation on Supersingular Abelian Varieties
- Designs, Codes and Cryptography
, 2004
"... We present a general technique for the efficient computation of pairings on supersingular Abelian varieties. As particular cases, we describe efficient pairing algorithms for elliptic and hyperelliptic curves in characteristic 2. The latter is faster than all previously known pairing algorithms, and ..."
Abstract
-
Cited by 179 (25 self)
- Add to MetaCart
(Show Context)
We present a general technique for the efficient computation of pairings on supersingular Abelian varieties. As particular cases, we describe efficient pairing algorithms for elliptic and hyperelliptic curves in characteristic 2. The latter is faster than all previously known pairing algorithms, and as a bonus also gives rise to faster conventional Jacobian arithmetic.
Efficient and generalized pairing computation on Abelian varieties
, 2008
"... In this paper, we propose a new method for constructing a bilinear pairing over (hyper)elliptic curves, which we call the R-ate pairing. This pairing is a generalization of the Ate and Atei pairing, and also improves efficiency of the pairing computation. Using the R-ate pairing, the loop length in ..."
Abstract
-
Cited by 54 (3 self)
- Add to MetaCart
In this paper, we propose a new method for constructing a bilinear pairing over (hyper)elliptic curves, which we call the R-ate pairing. This pairing is a generalization of the Ate and Atei pairing, and also improves efficiency of the pairing computation. Using the R-ate pairing, the loop length in Miller’s algorithm can be as small as log(r 1/φ(k) ) for some pairing-friendly elliptic curves which have not reached this lower bound. Therefore we obtain from 29 % to 69 % savings in overall costs compared to the Atei pairing. On supersingular hyperelliptic curves of genus 2, we show that this approach makes the loop length in Miller’s algorithm shorter than that of the Ate pairing.
Optimal Pairings
"... Abstract. In this paper we introduce the concept of an optimal pairing, which by definition can be computed using only log 2 r/ϕ(k) basic Miller iterations, with r the order of the groups involved and k the embedding degree. We describe an algorithm to construct optimal ate pairings on all parametri ..."
Abstract
-
Cited by 51 (0 self)
- Add to MetaCart
(Show Context)
Abstract. In this paper we introduce the concept of an optimal pairing, which by definition can be computed using only log 2 r/ϕ(k) basic Miller iterations, with r the order of the groups involved and k the embedding degree. We describe an algorithm to construct optimal ate pairings on all parametrized families of pairing friendly elliptic curves. Finally, we conjecture that any non-degenerate pairing on an elliptic curve without efficiently computable endomorphisms different from powers of Frobenius requires at least log 2 r/ϕ(k) basic Miller iterations.
Aggregated path authentication for efficient BGP security
- IN ACM CONFERERNCE ON COMPUTER AND COMMUNICATION SECURITY (CCS
, 2005
"... The Border Gateway Protocol (BGP) controls inter-domain routing in the Internet. BGP is vulnerable to many attacks, since routers rely on hearsay information from neighbors. Secure BGP (S-BGP) uses DSA to provide route authentication and mitigate many of these risks. However, many performance and de ..."
Abstract
-
Cited by 42 (1 self)
- Add to MetaCart
The Border Gateway Protocol (BGP) controls inter-domain routing in the Internet. BGP is vulnerable to many attacks, since routers rely on hearsay information from neighbors. Secure BGP (S-BGP) uses DSA to provide route authentication and mitigate many of these risks. However, many performance and deployment issues prevent S-BGP’s real-world deployment. Previous work has explored improving S-BGP processing latencies, but space problems, such as increased message size and memory cost, remain the major obstacles. In this paper, we design aggregated path authentication schemes by combining two efficient cryptographic techniques— signature amortization and aggregate signatures. We propose six constructions for aggregated path authentication that substantially improve efficiency of S-BGP’s path authentication on both speed and space criteria. Our performance evaluation shows that the new schemes achieve such an efficiency that they may overcome the space obstacles and provide a real-world practical solution for BGP security.
Ordinary abelian varieties having small embedding degree
- IN PROC. WORKSHOP ON MATHEMATICAL PROBLEMS AND TECHNIQUES IN CRYPTOLOGY
, 2004
"... Miyaji, Nakabayashi and Takano (MNT) gave families of group orders of ordinary elliptic curves with embedding degree suitable for pairing applications. In this paper we generalise their results by giving families corresponding to non-prime group orders. We also consider the case of ordinary abelia ..."
Abstract
-
Cited by 38 (1 self)
- Add to MetaCart
(Show Context)
Miyaji, Nakabayashi and Takano (MNT) gave families of group orders of ordinary elliptic curves with embedding degree suitable for pairing applications. In this paper we generalise their results by giving families corresponding to non-prime group orders. We also consider the case of ordinary abelian varieties of dimension 2. We give families of group orders with embedding degrees 5, 10 and 12.
TinyPBC: Pairings for authenticated identity-based non-interactive key distribution in sensor networks
- In Networked Sensing Systems, 2008. INSS 2008. 5th International Conference on
, 2008
"... Abstract — Key distribution in Wireless Sensor Networks (WSNs) is challenging. Symmetric cryptosystems can perform it efficiently, but they often do not provide a perfect trade-off between resilience and storage. Further, even though conventional public key and elliptic curve cryptosystems are compu ..."
Abstract
-
Cited by 38 (6 self)
- Add to MetaCart
(Show Context)
Abstract — Key distribution in Wireless Sensor Networks (WSNs) is challenging. Symmetric cryptosystems can perform it efficiently, but they often do not provide a perfect trade-off between resilience and storage. Further, even though conventional public key and elliptic curve cryptosystems are computationally feasible on sensor nodes, protocols based on them are not. They require exchange and storage of large keys and certificates, which is expensive. Using Pairing-based Cryptography (PBC) protocols, conversely, parties can agree on keys without any interaction. In this work, we (i) show how security in WSNs can be bootstrapped using an authenticated identitybased non-interactive protocol and (ii) present TinyPBC, to our knowledge, the most efficient implementation of PBC primitives for an 8-bit processor. TinyPBC is able to compute pairings in about 5.5s on an ATmega128L clocked at 7.3828-MHz (the MICA2 and MICAZ node microcontroller). I.
On Small Characteristic Algebraic Tori in Pairing-Based Cryptography
, 2004
"... The output of the Tate pairing on an elliptic curve over a nite eld is an element in the multiplicative group of an extension eld modulo a particular subgroup. One ordinarily powers this element to obtain a unique representative for the output coset, and performs any further necessary arithmet ..."
Abstract
-
Cited by 36 (5 self)
- Add to MetaCart
The output of the Tate pairing on an elliptic curve over a nite eld is an element in the multiplicative group of an extension eld modulo a particular subgroup. One ordinarily powers this element to obtain a unique representative for the output coset, and performs any further necessary arithmetic in the extension eld. Rather than an obstruction, we show to the contrary that one can exploit this quotient group to eliminate the nal powering, to speed up exponentiations and to obtain a simple compression of pairing values which is useful during interactive identity-based cryptographic protocols. Speci cally we demonstrate that methods available for fast point multiplication on elliptic curves such as mixed addition, signed digit representations and Frobenius expansions, all transfer easily to the quotient group, and provide a signi cant improvement over the arithmetic of the extension eld.
Efficient hardware for the tate pairing calculation in characteristic three
- in Proceedings of the 7th International Workshop on Cryptographic Hardware and Embedded Systems (CHES), Josyula R. Rao and Berk Sunar
"... Abstract. In this paper the benefits of implementation of the Tate pairing computation on dedicated hardware are discussed. The main observation lies in the fact that arithmetic architectures in the extension field GF (3 6m) are good candidates for parallelization, leading to a similar calculation t ..."
Abstract
-
Cited by 28 (1 self)
- Add to MetaCart
(Show Context)
Abstract. In this paper the benefits of implementation of the Tate pairing computation on dedicated hardware are discussed. The main observation lies in the fact that arithmetic architectures in the extension field GF (3 6m) are good candidates for parallelization, leading to a similar calculation time in hardware as for operations over the base field GF (3 m). Using this approach, an architecture for the hardware implementation of the Tate pairing calculation based on a modified Duursma-Lee algorithm is proposed.
High-speed software implementation of the optimal ate pairing over Barreto–Naehrig curves
- PAIRING-BASED CRYPTOGRAPHY–PAIRING 2010. LECTURE NOTES IN COMPUTER SCIENCE
, 2010
"... This paper describes the design of a fast software library for the computation of the optimal ate pairing on a Barreto–Naehrig elliptic curve. Our library is able to compute the optimal ate pairing over a 254-bit prime field Fp, injust2.33 million of clock cycles on a single core of an Intel Core ..."
Abstract
-
Cited by 25 (3 self)
- Add to MetaCart
(Show Context)
This paper describes the design of a fast software library for the computation of the optimal ate pairing on a Barreto–Naehrig elliptic curve. Our library is able to compute the optimal ate pairing over a 254-bit prime field Fp, injust2.33 million of clock cycles on a single core of an Intel Core i7 2.8GHz processor, which implies that the pairing computation takes 0.832msec. We are able to achieve this performance by a careful implementation of the base field arithmetic through the usage of the customary Montgomery multiplier for prime fields. The prime field is constructed via the Barreto–Naehrig polynomial parametrization of the prime p given as, p =36t 4 +36t 3 +24t 2 +6t +1, with t =2 62 − 2 54 +2 44. This selection of t allows us to obtain important savings for both the Miller loop as well as the final exponentiation steps of the optimal ate pairing.
