Efficient Computation of Miller\u27s Algorithm in Pairing-Based Cryptography

Pairing-based cryptography (PBC) provides novel security services, such as identity-based encryption, attribute-based encryption and anonymous authentication. The Miller\u27s Algorithm is considered one of the most important algorithms in PBC and carries the most computation in PBC. In this thesis, two modified Miller\u27s algorithms are proposed. The first proposed algorithm introduces a right-to-left version algorithm compared to the fact that the original Miller\u27s algorithm works only in the fashion of left-to-right. Furthermore, this new algorithm introduces parallelable computation within each loop and thus it can achieve a much higher speed. The second proposal has the advantage over the original Miller\u27s algorithm not only in parallelable computation but also in resistance to certain side channel attacks based on the new feature of the equilibrium of computational complexities. An elaborate comparison among the existing works and the proposed works is demonstrated. It is expected that the first proposed algorithm can replace the original Miller\u27s if a right-to-left input style is required and/or high speed is of importance. The second proposed algorithm should be chosen over the original Miller\u27s if side channel attack is a concern

Optimal Ate Pairing on Elliptic Curves with Embedding Degree 9,159,15 and 2727

Much attention has been given to the efficient computation of pairings on elliptic curves with even embedding degree since the advent of pairing-based cryptography. The few existing works in the case of odd embedding degrees require some improvements. This paper considers the computation of optimal ate pairings on elliptic curves of embedding degrees $k=9$, $15$, $27$ which have twists of order three. Our main goal is to provide a detailed arithmetic and cost estimation of operations in the tower extensions field of the corresponding extension fields. A good selection of parameters enables us to improve the theoretical cost for the Miller step and the final exponentiation using the lattice-based method as compared to the previous few works that exist in these cases. In particular, for $k=15$, $k=27$, we obtain an improvement, in terms of operations in the base field, of up to 25% and 29% respectively in the computation of the final exponentiation. We also find that elliptic curves with embedding degree $k=15$ present faster results than BN12 curves at the 128-bit security level. We provide a MAGMA implementation in each case to ensure the correctness of the formulas used in this work.Comment: 25 page

analysis of optimum pairing products at high security levels

In modern pairing implementations, considerable researches target at the optimum pairings at different security levels. However, in many cryptographic protocols, computing products or quotients of pairings is needed instead of computing single pairings. In this paper, we mainly analyze the computations of fast pairings on Kachisa-Schaefer-Scott curves with embedding degree 16 (KSS16) for the 192-bit security and Barreto-Lynn-Scott curves with embedding degree 27 (BLS27) for the 256-bit security, and then compare the cost estimations for implementing products and quotients of pairings at the 192 and 256-bit security levels. Being different from implementing single pairings, our results show that KSS16 curves could be most efficient for computing products or quotients of pairings for the 192-bit security; and for the 256-bit security, BLS27 curves might be more efficient for computing products of no less than 25 pairings, otherwise BLS24 curves are much more efficient. In addition, for the fast pairing computation on BLS27 curves, we propose faster Miller formulas in both affine and projective coordinates on curves with only cubic twist and embedding degree divisible by 3. © Springer-Verlag 2012.Defence Research and Developement Organization (D.R.D.O.); Google Inc.; Microsoft Research; National Board of Higher Mathematics (N.B.H.M.); Reserve Bank of India (R.B.I.); Tata Consultancy Services (T.C.S.)In modern pairing implementations, considerable researches target at the optimum pairings at different security levels. However, in many cryptographic protocols, computing products or quotients of pairings is needed instead of computing single pairings. In this paper, we mainly analyze the computations of fast pairings on Kachisa-Schaefer-Scott curves with embedding degree 16 (KSS16) for the 192-bit security and Barreto-Lynn-Scott curves with embedding degree 27 (BLS27) for the 256-bit security, and then compare the cost estimations for implementing products and quotients of pairings at the 192 and 256-bit security levels. Being different from implementing single pairings, our results show that KSS16 curves could be most efficient for computing products or quotients of pairings for the 192-bit security; and for the 256-bit security, BLS27 curves might be more efficient for computing products of no less than 25 pairings, otherwise BLS24 curves are much more efficient. In addition, for the fast pairing computation on BLS27 curves, we propose faster Miller formulas in both affine and projective coordinates on curves with only cubic twist and embedding degree divisible by 3. © Springer-Verlag 2012