Results 1 - 10 of 51
Faster explicit formulas for computing pairings over ordinary curves
, 2010
Cited by 38 (8 self)
We describe efficient formulas for computing pairings on ordinary elliptic curves over prime fields. First, we generalize lazy reduction techniques, previously considered only for arithmetic in quadratic extensions, to the whole pairing computation, including towering and curve arithmetic. Second, we introduce a new compressed squaring formula for cyclotomic subgroups and a new technique to avoid performing an inversion in the final exponentiation when the curve is parameterized by a negative integer. The techniques are illustrated in the context of pairing computation over Barreto-Naehrig curves, where they have a particularly efficient realization, and also combined with other important developments in the recent literature. The resulting formulas reduce the number of required operations and, consequently, execution time, improving on the state-of-the-art performance of cryptographic pairings by 27%-33% on several popular 64-bit computing platforms. In particular, our techniques allow to compute a pairing under 2 million cycles for the first time on such architectures.
ON CRYPTOGRAPHIC PROTOCOLS EMPLOYING ASYMMETRIC PAIRINGS – THE ROLE OF Ψ REVISITED
Cited by 27 (3 self)
Abstract. Asymmetric pairings e: G1 × G2 → GT for which an efficiently-computable isomorphism ψ: G2 → G1 is known are called Type 2 pairings; if such an isomorphism ψ is not known then e is called a Type 3 pairing. Many cryptographic protocols in the asymmetric setting rely on the existence of ψ for their security reduction while some use it in the protocol itself. For these reasons, it is believed that some of these protocols cannot be implemented with Type 3 pairings, while for some the security reductions either cannot be transformed to the Type 3 setting or else require a stronger complexity assumption. Contrary to these widely held beliefs, we argue that Type 2 pairings are merely inefficient implementations of Type 3 pairings, and appear to offer no benefit for protocols based on asymmetric pairings from the point of view of functionality, security, and performance.
High-speed software implementation of the optimal ate pairing over Barreto–Naehrig curves
PAIRING-BASED CRYPTOGRAPHY – PAIRING 2010. LECTURE NOTES IN COMPUTER SCIENCE
, 2010
Cited by 25 (3 self)
This paper describes the design of a fast software library for the computation of the optimal ate pairing on a Barreto–Naehrig elliptic curve. Our library is able to compute the optimal ate pairing over a 254-bit prime field Fp, in just 2.33 million of clock cycles on a single core of an Intel Core i7 2.8GHz processor, which implies that the pairing computation takes 0.832 msec. We are able to achieve this performance by a careful implementation of the base field arithmetic through the usage of the customary Montgomery multiplier for prime fields. The prime field is constructed via the Barreto–Naehrig polynomial parametrization of the prime p given as, p = 36t^4 + 36t^3 + 24t^2 + 6t + 1, with t = 2^62 − 2^54 + 2^44. This selection of t allows us to obtain important savings for both the Miller loop as well as the final exponentiation steps of the optimal ate pairing.
Succinct non-interactive zero-knowledge for a von Neumann architecture
, 2014
Cited by 13 (0 self)
We build a system that provides succinct non-interactive zero-knowledge proofs (zk-SNARKs) for program executions on a von Neumann RISC architecture. The system has two components: a cryptographic proof system for verifying satisfiability of arithmetic circuits, and a circuit generator to translate program executions to such circuits. Our design of both components improves in functionality and efficiency over prior work, as follows. Our circuit generator is the first to be universal: it does not need to know the program, but only a bound on its running time. Moreover, the size of the output circuit depends additively (rather than multiplicatively) on program size, allowing verification of larger programs. The cryptographic proof system improves proving and verification times, by leveraging new algorithms and a pairing library tailored to the protocol. We evaluated our system for programs with up to 10,000 instructions, running for up to 32,000 machine steps, each of which can arbitrarily access random-access memory; and also demonstrated it executing programs that use just-in-time compilation. Our proofs are 230 bytes long at 80 bits of security, or 288 bytes long at 128 bits of security. Typical verification time is 5 milliseconds, regardless of the original program’s running time.
Optimal eta pairing on supersingular genus-2 binary hyperelliptic curves
In Proceedings of CT-RSA 2012
, 2012
Cited by 8 (1 self)
Abstract. This article presents a novel optimal pairing over supersingular genus-2 binary hyperelliptic curves. Starting from Vercauteren's work on optimal pairings, we describe how to exploit the action of the 2^{3m}-th power Verschiebung in order to further reduce the loop length of Miller's algorithm compared to the genus-2 ηT approach. As a proof of concept, we detail an optimized software implementation and an FPGA accelerator for computing the proposed optimal Eta pairing on a genus-2 hyperelliptic curve over F_{2^367}, which satisfies the recommended security level of 128 bits. These designs achieve favourable performance in comparison with the best known implementations of 128-bit-security Type-1 pairings from the literature.
Faster Hashing to G2
Cited by 7 (1 self)
Abstract. An asymmetric pairing e: G2 × G1 → GT is considered such
An analysis of affine coordinates for pairing computation
In Proceedings of the 4th International Conference on Pairing-based Cryptography, Pairing ’10
, 2010
Cited by 7 (2 self)
Abstract. In this paper we analyze the use of affine coordinates for pairing computation. We observe that in many practical settings, e.g. when implementing optimal ate pairings in high security levels, affine coordinates are faster than using the best currently known formulas for projective coordinates. This observation relies on two known techniques for speeding up field inversions which we analyze in the context of pairing computation. We give detailed performance numbers for a pairing implementation based on these ideas, including timings for base field and extension field arithmetic with relative ratios for inversion-to-multiplication costs, timings for pairings in both affine and projective coordinates, and average timings for multiple pairings and products of pairings.
A generalisation of Miller’s algorithm and applications to pairing computations on abelian varieties
, 2013
Efficient implementation of bilinear pairings on arm processors. IACR Cryptology ePrint Archive
Cited by 6 (0 self)
Abstract. As hardware capabilities increase, low-power devices such as smartphones represent a natural environment for the efficient implementation of cryptographic pairings. Few works in the literature have considered such platforms despite their growing importance in a post-PC world. In this paper, we investigate the efficient computation of the Optimal-Ate pairing over Barreto-Naehrig curves in software at different security levels on ARM processors. We exploit state-of-the-art techniques and propose new optimizations to speed up the computation in the tower field and curve arithmetic. In particular, we extend the concept of lazy reduction to inversion in extension fields, analyze an efficient alternative for the sparse multiplication used inside the Miller’s algorithm and reduce further the cost of point/line evaluation formulas in affine and projective homogeneous coordinates. In addition, we study the efficiency of using M-type sextic twists in the pairing computation and carry out a detailed comparison between affine and projective coordinate systems. Our implementations on various mass-market smartphones and tablets significantly improve the state-of-the-art of pairing computation on ARM-powered devices, outperforming by at least a factor of 3.7 the best previous results in the literature.