3 research outputs found
Efficient Computation of Miller\u27s Algorithm in Pairing-Based Cryptography
Pairing-based cryptography (PBC) provides novel security services, such as identity-based encryption, attribute-based encryption and anonymous authentication. The Miller\u27s Algorithm is considered one of the most important algorithms in PBC and carries the most computation in PBC. In this thesis, two modified Miller\u27s algorithms are proposed. The first proposed algorithm introduces a right-to-left version algorithm compared to the fact that the original Miller\u27s algorithm works only in the fashion of left-to-right. Furthermore, this new algorithm introduces parallelable computation within each loop and thus it can achieve a much higher speed. The second proposal has the advantage over the original Miller\u27s algorithm not only in parallelable computation but also in resistance to certain side channel attacks based on the new feature of the equilibrium of computational complexities. An elaborate comparison among the existing works and the proposed works is demonstrated. It is expected that the first proposed algorithm can replace the original Miller\u27s if a right-to-left input style is required and/or high speed is of importance. The second proposed algorithm should be chosen over the original Miller\u27s if side channel attack is a concern
Optimal Ate Pairing on Elliptic Curves with Embedding Degree and
Much attention has been given to the efficient computation of pairings on
elliptic curves with even embedding degree since the advent of pairing-based
cryptography. The few existing works in the case of odd embedding degrees
require some improvements. This paper considers the computation of optimal ate
pairings on elliptic curves of embedding degrees , , which have
twists of order three. Our main goal is to provide a detailed arithmetic and
cost estimation of operations in the tower extensions field of the
corresponding extension fields. A good selection of parameters enables us to
improve the theoretical cost for the Miller step and the final exponentiation
using the lattice-based method as compared to the previous few works that exist
in these cases. In particular, for , , we obtain an improvement, in
terms of operations in the base field, of up to 25% and 29% respectively in the
computation of the final exponentiation. We also find that elliptic curves with
embedding degree present faster results than BN12 curves at the 128-bit
security level. We provide a MAGMA implementation in each case to ensure the
correctness of the formulas used in this work.Comment: 25 page
analysis of optimum pairing products at high security levels
In modern pairing implementations, considerable researches target at the optimum pairings at different security levels. However, in many cryptographic protocols, computing products or quotients of pairings is needed instead of computing single pairings. In this paper, we mainly analyze the computations of fast pairings on Kachisa-Schaefer-Scott curves with embedding degree 16 (KSS16) for the 192-bit security and Barreto-Lynn-Scott curves with embedding degree 27 (BLS27) for the 256-bit security, and then compare the cost estimations for implementing products and quotients of pairings at the 192 and 256-bit security levels. Being different from implementing single pairings, our results show that KSS16 curves could be most efficient for computing products or quotients of pairings for the 192-bit security; and for the 256-bit security, BLS27 curves might be more efficient for computing products of no less than 25 pairings, otherwise BLS24 curves are much more efficient. In addition, for the fast pairing computation on BLS27 curves, we propose faster Miller formulas in both affine and projective coordinates on curves with only cubic twist and embedding degree divisible by 3. © Springer-Verlag 2012.Defence Research and Developement Organization (D.R.D.O.); Google Inc.; Microsoft Research; National Board of Higher Mathematics (N.B.H.M.); Reserve Bank of India (R.B.I.); Tata Consultancy Services (T.C.S.)In modern pairing implementations, considerable researches target at the optimum pairings at different security levels. However, in many cryptographic protocols, computing products or quotients of pairings is needed instead of computing single pairings. In this paper, we mainly analyze the computations of fast pairings on Kachisa-Schaefer-Scott curves with embedding degree 16 (KSS16) for the 192-bit security and Barreto-Lynn-Scott curves with embedding degree 27 (BLS27) for the 256-bit security, and then compare the cost estimations for implementing products and quotients of pairings at the 192 and 256-bit security levels. Being different from implementing single pairings, our results show that KSS16 curves could be most efficient for computing products or quotients of pairings for the 192-bit security; and for the 256-bit security, BLS27 curves might be more efficient for computing products of no less than 25 pairings, otherwise BLS24 curves are much more efficient. In addition, for the fast pairing computation on BLS27 curves, we propose faster Miller formulas in both affine and projective coordinates on curves with only cubic twist and embedding degree divisible by 3. © Springer-Verlag 2012