Get 20M+ Full-Text Papers For Less Than $1.50/day. Start a 14-Day Trial for You or Your Team.

Learn More →

Memory-saving computation of the pairing final exponentiation on BN curves

Memory-saving computation of the pairing final exponentiation on BN curves Abstract Tate pairing computation is made of two steps. The first one, the Miller loop, is an exponentiation in the group of points of an elliptic curve. The second one, the final exponentiation, is an exponentiation in the multiplicative group of a large finite field extension. In this paper, we describe and improve efficient methods for computing the hardest part of this second step for the most popular curves in pairing-based cryptography, namely Barreto–Naehrig curves. We present the methods given in the literature and their complexities. However, the necessary memory resources are not always given whereas it is an important constraint in restricted environments for practical implementations. Therefore, we determine the memory resources required by these known methods and we present new variants which require less memory resources (up to 37 %). Moreover, some of these new variants are providing algorithms which are also more efficient than the original ones. http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png Groups Complexity Cryptology de Gruyter

Memory-saving computation of the pairing final exponentiation on BN curves

Download PDF

Memory-saving computation of the pairing final exponentiation on BN curves


Tate pairing computation is made of two steps. The first one, the Miller loop, is an exponentiation in the group of points of an elliptic curve. The second one, the final exponentiation, is an exponentiation in the multiplicative group of a large finite field extension. In this paper, we describe and improve efficient s for computing the hardest part of this second step for the most popular curves in pairing-based cryptography, namely Barreto­Naehrig curves. We present the s given in the literature and their complexities. However, the necessary memory resources are not always given whereas it is an important constraint in restricted environments for practical implementations. Therefore, we determine the memory resources required by these known s and we present new variants which require less memory resources (up to 37 %). Moreover, some of these new variants are providing algorithms which are also more efficient than the original ones. Keywords: BN curves, Tate pairing, final exponentiation, memory resources, addition chain MSC: 11G07, 14G50, 14Q20, 94A60 1 Introduction The most significant complexity parameter of a pairing-friendly elliptic curve is its embedding degree k. It is defined as the smallest integer such that r | p k - , where r is the prime order of a large group of points of an elliptic curve E and p is the base field characteristic. The embedding degree changes from one curve to another and it is usually chosen in pairing based cryptography in the form k = i j with i , j (see [10]). In this paper we are interested in pairings on Barreto­Naehrig curves defined over p for which k = . Tate pairing and its derivatives have two steps. After computing the Miller loop, we must carry out an extra step to ensure a unique result for the pairing. This second step is called the final exponentiation, where k the Miller loop result f must be raised to the power p r- . Thanks to the variants of pairings which decrease the length of the Miller loop, the...
Loading next page...
 
/lp/de-gruyter/memory-saving-computation-of-the-pairing-final-exponentiation-on-bn-hAitAtU0s8
Publisher
de Gruyter
Copyright
Copyright © 2016 by the
ISSN
1867-1144
eISSN
1869-6104
DOI
10.1515/gcc-2016-0006
Publisher site
See Article on Publisher Site

Abstract

Abstract Tate pairing computation is made of two steps. The first one, the Miller loop, is an exponentiation in the group of points of an elliptic curve. The second one, the final exponentiation, is an exponentiation in the multiplicative group of a large finite field extension. In this paper, we describe and improve efficient methods for computing the hardest part of this second step for the most popular curves in pairing-based cryptography, namely Barreto–Naehrig curves. We present the methods given in the literature and their complexities. However, the necessary memory resources are not always given whereas it is an important constraint in restricted environments for practical implementations. Therefore, we determine the memory resources required by these known methods and we present new variants which require less memory resources (up to 37 %). Moreover, some of these new variants are providing algorithms which are also more efficient than the original ones.

Journal

Groups Complexity Cryptologyde Gruyter

Published: May 1, 2016

References

  • Pairing - friendly elliptic curves of prime order Selected Areas in Lecture Notes in Pairing - friendly elliptic curves of prime orderSelected Areas in CryptographySAC Lecture Notes in
    Barreto
  • On the final exponentiation for calculating pairings on ordinary elliptic curves Pairing - Based Lecture Notes in On the final exponentiation for calculating pairings on ordinary elliptic curvesPairing - Based CryptographyPairing Lecture Notes in
    Scott
  • Integer variable chi - based Ate pairing Pairing - Based Lecture Notes in Integer variable chi - based Ate pairingPairing - Based CryptographyPairing Lecture Notes in
    Nogami
  • Faster hashing to 𝔾 Selected Areas in Lecture Notes in Faster hashing to 𝔾 Selected Areas in CryptographySAC Lecture Notes in
    Fuentes
  • Handbook of Elliptic and Hyperelliptic Curve Cryptography Discrete Boca Raton Handbook of Elliptic and Hyperelliptic Curve CryptographyDiscrete CRCBoca Raton
    Cohen
  • Faster explicit formulas for computing pairings over ordinary curves Advances in Lecture Notes in Faster explicit formulas for computing pairings over ordinary curvesAdvances in CryptologyEUROCRYPT Lecture Notes in
    Aranha
  • Speeding the Pollard and elliptic curve methods of factorization Speeding the Pollard and elliptic curve methods of factorizationMath
    Montgomery
  • Efficient computation of full Lucas sequences Efficient computation of full Lucas sequencesElectron
    Joye
  • Implementing cryptographic pairings over Barreto Naehrig curves Pairing - Based Lecture Notes in Implementing cryptographic pairings over Barreto Naehrig curvesPairing - Based CryptographyPairing Lecture Notes in
    Devegili
  • Implementation of cryptosystems based on Tate pairing Implementation of cryptosystems based on Tate pairingJ
    Hu
  • The montgomery powering ladder Cryptographic Hardware and Embedded Lecture Notes in The montgomery powering ladderCryptographic Hardware and Embedded SystemsCHES Lecture Notes in
    Joye
  • High security pairing - based cryptography revisited Algorithmic Number Theory ANTS - VII ) Lecture Notes in High security pairing - based cryptography revisitedAlgorithmic Number Theory SymposiumANTS - VIILecture Notes in
    Granger
  • Efficient pairings and ECC for embedded systems Cryptographic Hardware and Embedded Lecture Notes in Efficient pairings and ECC for embedded systemsCryptographic Hardware and Embedded SystemsCHES Lecture Notes in
    Unterluggauer
  • The realm of the pairings Selected Areas in Lecture Notes in The realm of the pairingsSelected Areas in CryptographySAC Lecture Notes in
    Aranha
  • Faster squaring in the cyclotomic subgroup of sixth degree extensions Public Key Lecture Notes in Faster squaring in the cyclotomic subgroup of sixth degree extensionsPublic Key CryptographyPKC Lecture Notes in
    Granger
  • Compressed pairings Advances in Lecture Notes in Compressed pairingsAdvances in cryptologyCRYPTO Lecture Notes in
    Scott