Results 1-10 of 54
Optimal Pairings
Cited by 51 (0 self)
Abstract. In this paper we introduce the concept of an optimal pairing, which by definition can be computed using only $\log_2 r/\varphi(k)$ basic Miller iterations, with $r$ the order of the groups involved and $k$ the embedding degree. We describe an algorithm to construct optimal ate pairings on all parametrized families of pairing friendly elliptic curves. Finally, we conjecture that any non-degenerate pairing on an elliptic curve without efficiently computable endomorphisms different from powers of Frobenius requires at least $\log_2 r/\varphi(k)$ basic Miller iterations.
Faster explicit formulas for computing pairings over ordinary curves
2010
Cited by 38 (8 self)
We describe efficient formulas for computing pairings on ordinary elliptic curves over prime fields. First, we generalize lazy reduction techniques, previously considered only for arithmetic in quadratic extensions, to the whole pairing computation, including towering and curve arithmetic. Second, we introduce a new compressed squaring formula for cyclotomic subgroups and a new technique to avoid performing an inversion in the final exponentiation when the curve is parameterized by a negative integer. The techniques are illustrated in the context of pairing computation over Barreto-Naehrig curves, where they have a particularly efficient realization, and also combined with other important developments in the recent literature. The resulting formulas reduce the number of required operations and, consequently, execution time, improving on the state-of-the-art performance of cryptographic pairings by 27%-33% on several popular 64-bit computing platforms. In particular, our techniques allow to compute a pairing under 2 million cycles for the first time on such architectures.
ON CRYPTOGRAPHIC PROTOCOLS EMPLOYING ASYMMETRIC PAIRINGS – THE ROLE OF Ψ REVISITED
Cited by 27 (3 self)
Abstract. Asymmetric pairings $e: G_1 \times G_2 \to G_T$ for which an efficiently-computable isomorphism $\psi: G_2 \to G_1$ is known are called Type 2 pairings; if such an isomorphism $\psi$ is not known then $e$ is called a Type 3 pairing. Many cryptographic protocols in the asymmetric setting rely on the existence of $\psi$ for their security reduction while some use it in the protocol itself. For these reasons, it is believed that some of these protocols cannot be implemented with Type 3 pairings, while for some the security reductions either cannot be transformed to the Type 3 setting or else require a stronger complexity assumption. Contrary to these widely held beliefs, we argue that Type 2 pairings are merely inefficient implementations of Type 3 pairings, and appear to offer no benefit for protocols based on asymmetric pairings from the point of view of functionality, security, and performance.
Pairing Lattices
In Pairing 2009, volume 5209 of Lecture
Cited by 25 (1 self)
Abstract. We provide a convenient mathematical framework that essentially encompasses all known pairing functions based on the Tate pairing and also applies to the Weil pairing. We prove non-degeneracy and bounds on the lowest possible degree of these pairing functions and show how endomorphisms can be used to achieve a further degree reduction.
High-speed software implementation of the optimal ate pairing over Barreto–Naehrig curves
Pairing-Based Cryptography – Pairing 2010. Lecture Notes in Computer Science
2010
Cited by 25 (3 self)
This paper describes the design of a fast software library for the computation of the optimal ate pairing on a Barreto–Naehrig elliptic curve. Our library is able to compute the optimal ate pairing over a 254-bit prime field $\mathbb{F}_p$, in just 2.33 million of clock cycles on a single core of an Intel Core i7 2.8 GHz processor, which implies that the pairing computation takes 0.832 msec. We are able to achieve this performance by a careful implementation of the base field arithmetic through the usage of the customary Montgomery multiplier for prime fields. The prime field is constructed via the Barreto–Naehrig polynomial parametrization of the prime $p$ given as $p = 36t^4 + 36t^3 + 24t^2 + 6t + 1$, with $t = 2^{62} - 2^{54} + 2^{44}$. This selection of $t$ allows us to obtain important savings for both the Miller loop as well as the final exponentiation steps of the optimal ate pairing.
Faster squaring in the cyclotomic subgroup of sixth degree extensions
2009
Cited by 16 (0 self)
This paper describes an extremely efficient squaring operation in the so-called ‘cyclotomic subgroup’ of $\mathbb{F}_{q^6}^{\times}$, for $q \equiv 1 \bmod 6$. This result arises from considering the Weil restriction of scalars of this group from $\mathbb{F}_{q^6}$ to $\mathbb{F}_{q^2}$, and provides efficiency improvements for both pairing-based and torus-based cryptographic protocols.
Comparing two pairing-based aggregate signature schemes
2009
Cited by 13 (4 self)
In 2003, Boneh, Gentry, Lynn and Shacham (BGLS) devised the first provably-secure aggregate signature scheme. Their scheme uses bilinear pairings and their security proof is in the random oracle model. The first pairing-based aggregate signature scheme which has a security proof that does not make the random oracle assumption was proposed in 2006 by Lu, Ostrovsky, Sahai, Shacham and Waters (LOSSW). In this paper, we compare the security and efficiency of the BGLS and LOSSW schemes when asymmetric pairings derived from Barreto-Naehrig (BN) elliptic curves are employed.
Faster $\mathbb{F}_p$-arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves
Cited by 12 (3 self)
This paper describes a new method to speed up $\mathbb{F}_p$-arithmetic for Barreto-Naehrig (BN) curves. We explore the characteristics of the modulus defined by BN curves and choose curve parameters such that $\mathbb{F}_p$ multiplication becomes more efficient. The proposed algorithm uses Montgomery reduction in a polynomial ring combined with a coefficient reduction phase using a pseudo-Mersenne number. With this algorithm, the performance of pairings on BN curves can be significantly improved, resulting in a factor 5.4 speedup compared with the state-of-the-art hardware implementations. Using this algorithm, we implemented a pairing processor in hardware, which runs at 204 MHz and finishes one ate and R-ate pairing computation over a 256-bit BN curve in 4.22 ms and 2.91 ms, respectively.
Designing an ASIP for Cryptographic Pairings over Barreto-Naehrig Curves
2009
Cited by 11 (0 self)
This paper presents a design-space exploration of an application-specific instruction-set processor (ASIP) for the computation of various cryptographic pairings over Barreto-Naehrig curves (BN curves). Cryptographic pairings are based on elliptic curves over finite fields—in the case of BN curves a field $\mathbb{F}_p$ of large prime order $p$. Efficient arithmetic in these fields is crucial for fast computation of pairings. Moreover, computation of cryptographic pairings is much more complex than elliptic-curve cryptography (ECC) in general. Therefore, we facilitate programming of the proposed ASIP by providing a C compiler. In order to speed up $\mathbb{F}_p$ arithmetic, a RISC core is extended with additional scalable functional units. Because the resulting speedup can be limited by the memory throughput, utilization of multiple data-memory banks is proposed. The presented design needs 15.8 ms for the computation of the Optimal-Ate pairing over a 256-bit BN curve at 338 MHz implemented with a 130 nm standard cell library. The processor core consumes 97 kGates making it suitable for the use in embedded systems.