Refinements of Miller's Algorithm over Weierstrass Curves Revisited
In 1986 Victor Miller described an algorithm for computing the Weil pairing in his unpublished manuscript. This algorithm has since become the core of all pairing-based cryptosystems. Many improvements of the algorithm have been presented. Most of them involve a choice of elliptic curves of \emph{special} forms to exploit a possible twist during Tate pairing computation. Other improvements involve a reduction of the number of iterations in Miller's algorithm. For the generic case, Blake, Murty and Xu proposed three refinements to Miller's algorithm over Weierstrass curves. Although their refinements, which only reduce the total number of vertical lines in Miller's algorithm, do not give as efficient a computation as other optimizations, they can be applied to compute \emph{both} the Weil and Tate pairings on \emph{all} pairing-friendly elliptic curves. In this paper we extend the Blake-Murty-Xu method and show how to eliminate all vertical lines in Miller's algorithm during Weil/Tate pairing computation on \emph{general} elliptic curves. Experimental results show that our algorithm is about 25% faster than the original Miller's algorithm.
Comment: 17 page
Faster computation of the Tate pairing
This paper proposes new explicit formulas for the doubling and addition step in Miller's algorithm to compute the Tate pairing. For Edwards curves the formulas come from a new way of seeing the arithmetic. We state the first geometric interpretation of the group law on Edwards curves by presenting the functions which arise in the addition and doubling. Computing the coefficients of the functions and the sum or double of the points is faster than with all previously proposed formulas for pairings on Edwards curves. They are even competitive with all published formulas for pairing computation on Weierstrass curves. We also speed up pairing computation on Weierstrass curves in Jacobian coordinates. Finally, we present several examples of pairing-friendly Edwards curves.
Comment: 15 pages, 2 figures. Final version accepted for publication in Journal of Number Theor
Constructing suitable ordinary pairing-friendly curves: A case of elliptic curves and genus two hyperelliptic curves
One of the challenges in designing pairing-based cryptographic protocols is to construct suitable pairing-friendly curves: curves which provide an efficient implementation without compromising the security of the protocols. These curves have a small embedding degree and a large prime-order subgroup. Random curves are likely to have a large embedding degree and hence are not practical for the implementation of pairing-based protocols.
In this thesis we review some mathematical background on elliptic and hyperelliptic curves in relation to the construction of pairing-friendly hyperelliptic curves. We also present the notion of pairing-friendly curves. Furthermore, we construct new pairing-friendly elliptic curves and Jacobians of genus two hyperelliptic curves which facilitate an efficient implementation in pairing-based protocols. We aim for curves that have smaller values than ever before reported for different embedding degrees. We also discuss the optimisation of computing the Tate pairing and its variants. Here we show how to efficiently multiply a point in a subgroup defined on a twist curve by a large cofactor. Our approach uses the theory of addition chains. We also show a new method for implementing the computation of the hard part of the final exponentiation in the calculation of the Tate pairing and its varian
Enhancing an embedded processor core for efficient and isolated execution of cryptographic algorithms
We propose enhancing a reconfigurable and extensible embedded RISC processor core with a protected zone for the isolated execution of cryptographic algorithms. The protected zone is a collection of processor subsystems such as functional units optimized for high-speed execution of integer operations, a small amount of local memory for storing sensitive data during cryptographic computations, and special-purpose and cryptographic registers to execute instructions securely. We outline the principles for secure software implementations of cryptographic algorithms in a processor equipped with the proposed protected zone. We demonstrate the efficiency and effectiveness of the proposed zone by implementing the most commonly used cryptographic algorithms in the protected zone, namely RSA, elliptic curve cryptography, pairing-based cryptography, the AES block cipher, and the SHA-1 and SHA-256 cryptographic hash functions. In terms of time efficiency, our software implementations of cryptographic algorithms running on the enhanced core compare favorably with equivalent software implementations on similar processors reported in the literature. The protected zone is designed in such a modular fashion that it can easily be integrated into any RISC processor. The proposed enhancements for the protected zone are realized on an FPGA device. The implementation results on the FPGA confirm that its area overhead is relatively moderate, in the sense that it can be used in many embedded processors. Finally, the protected zone is useful against cold-boot and micro-architectural side-channel attacks such as cache-based and branch prediction attacks
Optimal Ate Pairing on Elliptic Curves with Embedding Degree and
Much attention has been given to the efficient computation of pairings on
elliptic curves with even embedding degree since the advent of pairing-based
cryptography. The few existing works in the case of odd embedding degrees
require some improvements. This paper considers the computation of optimal ate
pairings on elliptic curves of embedding degrees , , which have
twists of order three. Our main goal is to provide a detailed arithmetic and
cost estimation of operations in the tower extensions field of the
corresponding extension fields. A good selection of parameters enables us to
improve the theoretical cost for the Miller step and the final exponentiation
using the lattice-based method as compared to the previous few works that exist
in these cases. In particular, for , , we obtain an improvement, in
terms of operations in the base field, of up to 25% and 29% respectively in the
computation of the final exponentiation. We also find that elliptic curves with
embedding degree present faster results than BN12 curves at the 128-bit
security level. We provide a MAGMA implementation in each case to ensure the
correctness of the formulas used in this work.
Comment: 25 page
Computing Optimal Ate Pairings on Elliptic Curves with Embedding Degree and
Much attention has been given to efficient computation of pairings on elliptic curves with even embedding degree since the advent of pairing-based cryptography. The existing few works in the case of odd embedding degrees require some improvements.
This paper considers the computation of optimal ate pairings on elliptic curves of embedding degrees k = 9, 15 and 27 which have twists of order three. Mainly, we provide a detailed arithmetic and cost estimation of operations in the tower extension fields of the corresponding extension fields. A good selection of parameters enables us to improve the theoretical cost for the Miller step and the final exponentiation using the lattice-based method compared to the previous few works that exist in these cases. In particular for and we obtained an improvement, in terms of operations in the base field, of up to and respectively in the computation of the final exponentiation.
Also, we obtained that elliptic curves with embedding degree present faster results than BN curves at the -bit security levels.
We provided a MAGMA implementation in each case to ensure the correctness of the formulas used in this work
Memory-saving computation of the pairing final exponentiation on BN curves
In this paper, we describe and improve efficient methods for computing the hard part of the final exponentiation of pairings on Barreto-Naehrig curves.
Thanks to the variants of pairings which decrease the length of the Miller loop, the final exponentiation has become a significant component of the overall calculation. Here we exploit the structure of BN curves to improve this computation.
We first present the best-known methods in the literature for computing the hard part of the final exponentiation. We are particularly interested in the memory resources necessary for the implementation of these methods, since this is an important constraint in restricted environments.
More precisely, we study the method of Devegili et al., the addition chain method of Scott et al. and the method of Fuentes et al. After recalling these methods and their complexities, we determine the number of registers required to compute the final result, because this is not always given in the literature. Then we present new versions of these methods which require less memory (up to 37%). Moreover, some of these variants also yield algorithms which are more efficient than the original ones
Area-Efficient Hardware Implementation of the Optimal Ate Pairing over BN curves.
To obtain an efficient asymmetric-key encryption scheme based on elliptic curves, hyperelliptic curves, pairings, etc., we have to go through an arithmetic optimization and then a hardware one. Taking into consideration the compromises of restricted environments, we should strike a balance between efficiency and memory resources. For this reason, we studied the mathematical aspect of pairing computation and gave new developments of the methods that compute the hard part of the final exponentiation in [2]. These show that the new methods save a significant number of temporary variables, and they are certainly faster than the existing ones. In this paper, we also present a new way of computing the Miller loop, more precisely in the doubling algorithm. We use this result together with the arithmetic optimization presented in [2]. Then we apply hardware optimization to find a satisfactory design which gives the best compromise between area occupation and execution time. Our hardware implementation on a Virtex-6 FPGA (XC6VHX250T) uses only 5976 slices and 30 DSPs, which is fewer resources than state-of-the-art hardware implementations, so we can say that our approach copes with the limited resources of restricted environmen
Subgroup security in pairing-based cryptography
Pairings are typically implemented using ordinary pairing-friendly elliptic curves. The two input groups of the pairing function are groups of elliptic curve points, while the target group lies in the multiplicative group of a large finite field. At moderate levels of security, at least two of the three pairing groups are necessarily proper subgroups of a much larger composite-order group, which makes pairing implementations potentially susceptible to small-subgroup attacks.
To minimize the chances of such attacks, or the effort required to thwart them, we put forward a property for ordinary pairing-friendly curves called subgroup security. We point out that existing curves in the literature and in publicly available pairing libraries fail to achieve this notion, and propose a list of replacement curves that do offer subgroup security. These curves were chosen to drop into existing libraries with minimal code change, and to sustain state-of-the-art performance numbers. In fact, there are scenarios in which the replacement curves could facilitate faster implementations of protocols because they can remove the need for expensive group exponentiations that test subgroup membership