30 research outputs found

    Efficient Implementation of Bilinear Pairings on ARM Processors

    Abstract. As hardware capabilities increase, low-power devices such as smartphones represent a natural environment for the efficient implementation of cryptographic pairings. Few works in the literature have considered such platforms despite their growing importance in a post-PC world. In this paper, we investigate the efficient computation of the Optimal-Ate pairing over Barreto-Naehrig curves in software at different security levels on ARM processors. We exploit state-of-the-art techniques and propose new optimizations to speed up the computation in the tower field and curve arithmetic. In particular, we extend the concept of lazy reduction to inversion in extension fields, analyze an efficient alternative for the sparse multiplication used inside Miller's algorithm and further reduce the cost of point/line evaluation formulas in affine and projective homogeneous coordinates. In addition, we study the efficiency of using M-type sextic twists in the pairing computation and carry out a detailed comparison between affine and projective coordinate systems. Our implementations on various mass-market smartphones and tablets significantly improve the state-of-the-art of pairing computation on ARM-powered devices, outperforming by at least a factor of 3.7 the best previous results in the literature.

    MoTE-ECC: Energy-Scalable Elliptic Curve Cryptography for Wireless Sensor Networks

    Wireless Sensor Networks (WSNs) are susceptible to a wide range of malicious attacks, which has stimulated a body of research on "light-weight" security protocols and cryptographic primitives that are suitable for resource-restricted sensor nodes. In this paper we introduce MoTE-ECC, a highly optimized yet scalable ECC library for Memsic's MICAz motes and other sensor nodes equipped with an 8-bit AVR processor. MoTE-ECC supports scalar multiplication on Montgomery and twisted Edwards curves over Optimal Prime Fields (OPFs) of variable size, e.g. 160, 192, 224, and 256 bits, which allows for various trade-offs between security and execution time (resp. energy consumption). OPFs are a special family of "low-weight" prime fields that, in contrast to the NIST-specified fields, facilitate a parameterized implementation of the modular arithmetic so that one and the same software function can be used for operands of different length. To demonstrate the performance of MoTE-ECC, we take (ephemeral) ECDH key exchange between two nodes as example, which requires each node to execute two scalar multiplications. The first scalar multiplication is performed on a fixed base point (to generate a key pair), whereas the second scalar multiplication gets an arbitrary point as input. Our implementation uses a fixed-base comb method on a twisted Edwards curve for the former and a simple ladder approach on a birationally-equivalent Montgomery curve for the latter. Both scalar multiplications require about 9*10^6 clock cycles in total and occupy only 380 bytes in RAM when the underlying OPF has a length of 160 bits. We also describe our efforts to harden MoTE-ECC against side-channel attacks (e.g. simple power analysis) and introduce a highly regular implementation of the comb method.

    Elliptic and Hyperelliptic Curves: A Practical Security Analysis

    Motivated by the advantages of using elliptic curves for discrete logarithm-based public-key cryptography, there is an active research area investigating the potential of using hyperelliptic curves of genus 2. For both types of curves, the best known algorithms to solve the discrete logarithm problem are generic attacks such as Pollard rho, for which it is well-known that the algorithm can be sped up when the target curve comes equipped with an efficiently computable automorphism. In this paper we incorporate all of the known optimizations (including those relating to the automorphism group) in order to perform a systematic security assessment of two elliptic curves and two hyperelliptic curves of genus 2. We use our software framework to give concrete estimates on the number of core years required to solve the discrete logarithm problem on four curves that target the 128-bit security level: on the standardized NIST CurveP-256, on a popular curve from the Barreto-Naehrig family, and on their respective analogues in genus 2. © 2014 Springer-Verlag Berlin Heidelberg

    Breaking ‘128-bit Secure’ Supersingular Binary Curves

    In late 2012 and early 2013 the discrete logarithm problem (DLP) in finite fields of small characteristic underwent a dramatic series of breakthroughs, culminating in a heuristic quasi-polynomial time algorithm, due to Barbulescu, Gaudry, Joux and Thomé. Using these developments, Adj, Menezes, Oliveira and Rodríguez-Henríquez analysed the concrete security of the DLP, as it arises from pairings on (the Jacobians of) various genus one and two supersingular curves in the literature, which were originally thought to be 128-bit secure. In particular, they suggested that the new algorithms have no impact on the security of a genus one curve over F_{2^{1223}}, and reduce the security of a genus two curve over F_{2^{367}} to 94.6 bits. In this paper we propose a new field representation and efficient general descent principles which together make the new techniques far more practical. Indeed, at the '128-bit security level' our analysis shows that the aforementioned genus one curve has approximately 59 bits of security, and we report a total break of the genus two curve.

    Risk profiles and one-year outcomes of patients with newly diagnosed atrial fibrillation in India: Insights from the GARFIELD-AF Registry.

    BACKGROUND: The Global Anticoagulant Registry in the FIELD-Atrial Fibrillation (GARFIELD-AF) is an ongoing prospective noninterventional registry, which is providing important information on the baseline characteristics, treatment patterns, and 1-year outcomes in patients with newly diagnosed non-valvular atrial fibrillation (NVAF). This report describes data from Indian patients recruited in this registry. METHODS AND RESULTS: A total of 52,014 patients with newly diagnosed AF were enrolled globally; of these, 1388 patients were recruited from 26 sites within India (2012-2016). In India, the mean age was 65.8 years at diagnosis of NVAF. Hypertension was the most prevalent risk factor for AF, present in 68.5% of patients from India and in 76.3% of patients globally (P < 0.001). Diabetes and coronary artery disease (CAD) were prevalent in 36.2% and 28.1% of patients as compared with global prevalence of 22.2% and 21.6%, respectively (P < 0.001 for both). Antiplatelet therapy was the most common antithrombotic treatment in India. With increasing stroke risk, however, patients were more likely to receive oral anticoagulant therapy [mainly vitamin K antagonist (VKA)], but average international normalized ratio (INR) was lower among Indian patients [median INR value 1.6 (interquartile range {IQR}: 1.3-2.3) versus 2.3 (IQR 1.8-2.8) (P < 0.001)]. Compared with other countries, patients from India had markedly higher rates of all-cause mortality [7.68 per 100 person-years (95% confidence interval 6.32-9.35) vs 4.34 (4.16-4.53), P < 0.0001], while rates of stroke/systemic embolism and major bleeding were lower after 1 year of follow-up. CONCLUSION: Compared to previously published registries from India, the GARFIELD-AF registry describes clinical profiles and outcomes in Indian patients with AF of a different etiology. The registry data show that compared to the rest of the world, Indian AF patients are younger in age and have more diabetes and CAD. Patients with a higher stroke risk are more likely to receive anticoagulation therapy with VKA but are underdosed compared with the global average in the GARFIELD-AF. CLINICAL TRIAL REGISTRATION-URL: http://www.clinicaltrials.gov. Unique identifier: NCT01090362

    Software implementation


    Attractive subfamilies of BLS curves for implementing high-security pairings

    Barreto-Lynn-Scott (BLS) curves are a stand-out candidate for implementing high-security pairings. This paper shows that particular choices of the pairing-friendly search parameter give rise to four subfamilies of BLS curves, all of which offer highly efficient and implementation-friendly pairing instantiations. Curves from these particular subfamilies are defined over prime fields that support very efficient towering options for the full extension field. The coefficients for a specific curve and its correct twist are automatically determined without any computational effort. The choice of an extremely sparse search parameter is immediately reflected by a highly efficient optimal ate Miller loop and final exponentiation. As a resource for implementors, we give a list with examples of implementation-friendly BLS curves through several high-security levels.

    Full-Size High-Security ECC Implementation on MSP430 Microcontrollers


    Tinytate: Computing The Tate Pairing In Resource-constrained Sensor Nodes

    After a few years of intense research, Wireless Sensor Networks (WSNs) still demand new secure and cryptographic schemes. On the other hand, the advent of cryptography from pairings has enabled a wide range of novel cryptosystems. In this work we present TinyTate, the first known implementation of pairings for sensor nodes based on the 8-bit/7.3828-MHz ATmega128L microcontroller (e.g., MICA2 and MICAz motes). We then conclude that cryptography from pairings is indeed viable in resource-constrained nodes. © 2007 IEEE.