Results 1  10
of
25
Faster explicit formulas for computing pairings over ordinary curves
, 2010
"... We describe e cient formulas for computing pairings on ordinary elliptic curves over prime fields. First, we generalize lazy reduction techniques, previously considered only for arithmetic in quadratic extensions, to the whole pairing computation, including towering and curve arithmetic. Second, we ..."
Abstract

Cited by 38 (8 self)
 Add to MetaCart
We describe e cient formulas for computing pairings on ordinary elliptic curves over prime fields. First, we generalize lazy reduction techniques, previously considered only for arithmetic in quadratic extensions, to the whole pairing computation, including towering and curve arithmetic. Second, we introduce a new compressed squaring formula for cyclotomic subgroups and a new technique to avoid performing an inversion in the final exponentiation when the curve is parameterized by a negative integer. The techniques are illustrated in the context of pairing computation over BarretoNaehrig curves, where they have a particularly efficient realization, and also combined with other important developments in the recent literature. The resulting formulas reduce the number of required operations and, consequently, execution time, improving on the stateoftheart performance of cryptographic pairings by 27%33% on several popular 64bit computing platforms. In particular, our techniques allow to compute a pairing under 2 million cycles for the first time on such architectures.
Verifying computations with state
"... When outsourcing computations to the cloud or other thirdparties, a key issue for clients is the ability to verify the results. Recent work in proofbased verifiable computation, building on deep results in complexity theory and cryptography, has made significant progress on this problem. However, ..."
Abstract

Cited by 20 (2 self)
 Add to MetaCart
(Show Context)
When outsourcing computations to the cloud or other thirdparties, a key issue for clients is the ability to verify the results. Recent work in proofbased verifiable computation, building on deep results in complexity theory and cryptography, has made significant progress on this problem. However, all existing systems require computational models that do not incorporate state. This limits these systems to simplistic programming idioms and rules out computations where the client cannot materialize all of the input (e.g., very large MapReduce instances or database queries). This paper describes Pantry, the first built system that incorporates state. Pantry composes the machinery of proofbased verifiable computation with ideas from untrusted storage: the client expresses its computation in terms of digests that attests to state, and verifiably outsources that computation. Besides the boon to expressiveness, the client can gain from outsourcing even when the computation is sublinear in the input size. We describe a verifiable MapReduce application and a queriable database, among other simple applications. Although the resulting applications result in server overhead that is higher than we would like, Pantry is the first system to provide verifiability for realistic applications in a realistic programming model. 1
A Family of ImplementationFriendly BN Elliptic Curves
"... Abstract. For the last decade, elliptic curve cryptography has gained increasing interest in industry and in the academic community. This is especially due to the high level of security it provides with relatively small keys and to its ability to create very efficient and multifunctional cryptograph ..."
Abstract

Cited by 10 (2 self)
 Add to MetaCart
(Show Context)
Abstract. For the last decade, elliptic curve cryptography has gained increasing interest in industry and in the academic community. This is especially due to the high level of security it provides with relatively small keys and to its ability to create very efficient and multifunctional cryptographic schemes by means of bilinear pairings. Pairings require pairingfriendly elliptic curves and among the possible choices, BarretoNaehrig (BN) curves arguably constitute one of the most versatile families. In this paper, we further expand the potential of the BN curve family. We describe BN curves that are not only computationally very simple to generate, but also specially suitable for efficient implementation on a very broad range of scenarios. We also present implementation results of the optimal ate pairing using such a curve defined over a 254bit prime field. 1
Optimal eta pairing on supersingular genus2 binary hyperelliptic curves
 In Proceedings of CTRSA 2012
, 2012
"... Abstract. This article presents a novel optimal pairing over supersingular genus2 binary hyperelliptic curves. Starting from Vercauteren's work on optimal pairings, we describe how to exploit the action of the 2 3m th power Verschiebung in order to further reduce the loop length of Miller&ap ..."
Abstract

Cited by 8 (1 self)
 Add to MetaCart
(Show Context)
Abstract. This article presents a novel optimal pairing over supersingular genus2 binary hyperelliptic curves. Starting from Vercauteren's work on optimal pairings, we describe how to exploit the action of the 2 3m th power Verschiebung in order to further reduce the loop length of Miller's algorithm compared to the genus2 ηT approach. As a proof of concept, we detail an optimized software implementation and an FPGA accelerator for computing the proposed optimal Eta pairing on a genus2 hyperelliptic curve over F 2 367 , which satisfies the recommended security level of 128 bits. These designs achieve favourable performance in comparison with the best known implementations of 128bitsecurity Type1 pairings from the literature.
On the efficient implementation of pairingbased protocols
 IN CRYPTOGRAPHY AND CODING 2011
, 2011
"... The advent of Pairingbased protocols has had a major impact on the applicability of cryptography to the solution of more complex realworld problems. However there has always been a question mark over the performance of such protocols. In response much work has been done to optimize pairing implem ..."
Abstract

Cited by 8 (2 self)
 Add to MetaCart
The advent of Pairingbased protocols has had a major impact on the applicability of cryptography to the solution of more complex realworld problems. However there has always been a question mark over the performance of such protocols. In response much work has been done to optimize pairing implementation, and now it is generally accepted that being pairingbased does not preclude a protocol from consideration as a practical proposition. However although a lot of effort has gone into the optimization of the standalone pairing, in many protocols the pairing calculation appears in a particular context within which further optimizations may be possible. It is the purpose of this paper to bridge the gap between theory and practise, and to show that even complex protocols may have a surprisingly efficient implementation. We also point out that in some cases the usually recommended pairing friendly curves may not in fact be optimal. We claim a new record with our implementation of a pairing at the AES256 bit level.
An analysis of affine coordinates for pairing computation
 In Proceedings of the 4th International Conference on Pairingbased Cryptography, Pairing ’10
, 2010
"... Abstract. In this paper we analyze the use of affine coordinates for pairing computation. We observe that in many practical settings, e. g. when implementing optimal ate pairings in high security levels, affine coordinates are faster than using the best currently known formulas for projective coord ..."
Abstract

Cited by 7 (2 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper we analyze the use of affine coordinates for pairing computation. We observe that in many practical settings, e. g. when implementing optimal ate pairings in high security levels, affine coordinates are faster than using the best currently known formulas for projective coordinates. This observation relies on two known techniques for speeding up field inversions which we analyze in the context of pairing computation. We give detailed performance numbers for a pairing implementation based on these ideas, including timings for base field and extension field arithmetic with relative ratios for inversiontomultiplication costs, timings for pairings in both affine and projective coordinates, and average timings for multiple pairings and products of pairings.
Software implementation of binary elliptic curves: impact of the carryless multiplier on scalar multiplication
 CRYPTOGRAPHIC HARDWARE AND EMBEDDED SYSTEMS – CHES 2011
, 2011
"... Abstract. The availability of a new carryless multiplication instruction in the latest Intel desktop processors significantly accelerates multiplication in binary fields and hence presents the opportunity for reevaluating algorithms for binary field arithmetic and scalar multiplication over ellipti ..."
Abstract

Cited by 6 (1 self)
 Add to MetaCart
(Show Context)
Abstract. The availability of a new carryless multiplication instruction in the latest Intel desktop processors significantly accelerates multiplication in binary fields and hence presents the opportunity for reevaluating algorithms for binary field arithmetic and scalar multiplication over elliptic curves. We describe how to best employ this instruction in field multiplication and the effect on performance of doubling and halving operations. Alternate strategies for implementing inversion and halftrace are examined that restore most of their competitiveness relative to the new multiplier. These improvements in field arithmetic are complemented by a study on serial and parallel approaches for Koblitz and random curves, where parallelization strategies are implemented and compared. The contributions are illustrated with experimental results improving the stateoftheart performance of halving and doublingbased scalar multiplication on NIST curves at the 112 and 192bit security levels, and a new speed record for sidechannel resistant scalar multiplication in a random curve at the 128bit security level. Key words: Elliptic curve cryptography, finite field arithmetic, parallel algorithm.
TrueSet: Faster Verifiable Set Computations∗
"... Verifiable computation (VC) enables thin clients to efficiently verify the computational results produced by a powerful server. Although VC was initially considered to be mainly of theoretical interest, over the last two years, impressive progress has been made on implementing VC. Specifically, we ..."
Abstract

Cited by 6 (2 self)
 Add to MetaCart
(Show Context)
Verifiable computation (VC) enables thin clients to efficiently verify the computational results produced by a powerful server. Although VC was initially considered to be mainly of theoretical interest, over the last two years, impressive progress has been made on implementing VC. Specifically, we now have opensource implementations of VC systems that can handle all classes of computations expressed either as circuits or in the RAM model. However, despite this very encouraging progress, new enhancements in the design and implementation of VC protocols are required in order to achieve truly practical VC for realworld applications. In this work, we show that for functionalities that can be expressed efficiently in terms of set operations (e.g., a subset of SQL queries) VC can be enhanced to become drastically more practical: We present the design and prototype implementation of a novel VC scheme that achieves orders of magnitude speedup in comparison with the state of the art. Specifically, we build and evaluate TrueSet, a system that can verifiably compute any polynomialtime function expressed as a circuit consisting of “set gates ” such as union, intersection, difference and set cardinality. Moreover, TrueSet supports hybrid circuits consisting of both set gates and traditional arithmetic gates. Therefore, it does not lose any of the expressiveness of the previous schemes—this also allows the user to choose the most efficient way to represent different parts of a computation. By expressing set computations as polynomial operations and introducing a novel Quadratic Polynomial Program technique, TrueSet achieves prover performance speedup ranging from 30x to 150x and yields up to 97 % evaluation key size reduction. 1
Affine Pairings on ARM
"... Abstract. We report on relative performance numbers for affine and projective pairings on a dualcore Cortex A9 ARM processor. Using a fast inversion in the base field and doing inversion in extension fields by using the norm map to reduce to inversions in smaller fields, we find a very low ratio of ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
(Show Context)
Abstract. We report on relative performance numbers for affine and projective pairings on a dualcore Cortex A9 ARM processor. Using a fast inversion in the base field and doing inversion in extension fields by using the norm map to reduce to inversions in smaller fields, we find a very low ratio of inversiontomultiplication costs. In our implementation, this favors using affine coordinates, even for the current 128bit minimum security level specified by NIST. We use BarretoNaehrig (BN) curves and report on the performance of an optimal ate pairing for curves covering security levels between 128 and 192 bits. We compare with other reported performance numbers for pairing computation on ARM CPUs.
Comparing the Pairing Efficiency over CompositeOrder and PrimeOrder Elliptic Curves
"... Abstract. We provide software implementation timings for pairings over compositeorder and primeorder elliptic curves. Composite orders must be large enough to be infeasible to factor. They are modulus of 2 up to 5 large prime numbers in the literature. There exists size recommendations for twopri ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
(Show Context)
Abstract. We provide software implementation timings for pairings over compositeorder and primeorder elliptic curves. Composite orders must be large enough to be infeasible to factor. They are modulus of 2 up to 5 large prime numbers in the literature. There exists size recommendations for twoprime RSA modulus and we extend the results of Lenstra concerning the RSA modulus sizes to multiprime modulus, for various security levels. We then implement a Tate pairing over a composite order supersingular curve and an optimal ate pairing over a primeorder BarretoNaehrig curve, both at the 128bit security level. We use our implementation timings to deduce the total cost of the homomorphic encryption scheme of Boneh, Goh and Nissim and its translation by Freeman in the primeorder setting. We also compare the efficiency of the unbounded Hierarchical Identity Based Encryption protocol of Lewko and Waters and its translation by Lewko in the prime order setting. Our results strengthen the previously observed inefficiency of compositeorder bilinear groups and advocate the use of primeorder group whenever possible in protocol design.