Memory-saving computation of the pairing final exponentiation on BN curves

Sylvain Duquesne (1) and Loubna Ghammam (2)
  • (1) IRMAR, UMR CNRS 6625, University of Rennes 1, France
  • (2) IRMAR, UMR CNRS 6625, University of Rennes 1, France; and Laboratory of electronic and microelectronic, FSM, University of Monastir, Tunisia

Abstract

Tate pairing computation is made of two steps. The first one, the Miller loop, is an exponentiation in the group of points of an elliptic curve. The second one, the final exponentiation, is an exponentiation in the multiplicative group of a large finite field extension. In this paper, we describe and improve efficient methods for computing the hardest part of this second step for the most popular curves in pairing-based cryptography, namely Barreto–Naehrig curves. We present the methods given in the literature and their complexities. However, the memory these methods require is not always given, even though memory is an important constraint for practical implementations in restricted environments. Therefore, we determine the memory resources required by these known methods and we present new variants which require less memory (up to 37 %). Moreover, some of these new variants also yield algorithms that are more efficient than the original ones.
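As an added illustration (not code from the paper), the following Python shows the structure the abstract refers to: how the BN final exponent (p^12 - 1)/r splits into an easy part and the hard part (p^4 - p^2 + 1)/r, and how the hard part decomposes in base p into small polynomials in the curve parameter x so that only x-powers and Frobenius maps are needed. It assumes the standard BN polynomials for p and r, the base-p decomposition of the hard part due to Scott et al. (Pairing 2009), and the commonly used 254-bit parameter x = -(2^62 + 2^55 + 1) as a sample input.

```python
# Added example, not from the paper: integer-level structure of the BN final
# exponentiation. Pure integer arithmetic; no finite-field code is needed.

def bn_params(x):
    """Return (p, r, t) for the BN parameter x (standard BN polynomials)."""
    p = 36 * x**4 + 36 * x**3 + 24 * x**2 + 6 * x + 1   # field characteristic
    r = 36 * x**4 + 36 * x**3 + 18 * x**2 + 6 * x + 1   # prime group order
    t = 6 * x**2 + 1                                     # trace: r = p + 1 - t
    return p, r, t

def final_exponent(p, r):
    """Split the Tate final exponent (p^12 - 1)/r into (easy, hard):

    (p^12 - 1)/r = (p^6 - 1)(p^2 + 1) * (p^4 - p^2 + 1)/r.
    The first factor costs a few Frobenius maps and one inversion; the second
    factor is the 'hard part' that dominates the cost.
    """
    easy = (p**6 - 1) * (p**2 + 1)
    hard, rem = divmod(p**4 - p**2 + 1, r)
    assert rem == 0, "r must divide the 12th cyclotomic polynomial at p"
    return easy, hard

def hard_part_base_p(x):
    """Base-p digits [l0, l1, l2, l3] of the hard part as polynomials in x
    (decomposition of Scott et al., Pairing 2009). Negative digits are fine:
    in the cyclotomic subgroup f^(-e) is a conjugation, so the hard part
    needs only f^x, f^(x^2), f^(x^3) and Frobenius maps."""
    return [-36 * x**3 - 30 * x**2 - 18 * x - 2,
            -36 * x**3 - 18 * x**2 - 12 * x + 1,
            6 * x**2 + 1,
            1]

def check_decomposition(x):
    """True iff sum(l_i * p^i) equals (p^4 - p^2 + 1)/r for this x."""
    p, r, _ = bn_params(x)
    _, hard = final_exponent(p, r)
    digits = hard_part_base_p(x)
    return sum(l * p**i for i, l in enumerate(digits)) == hard

# Constructed sample input: the widely used 254-bit BN parameter.
BN254_X = -(2**62 + 2**55 + 1)

if __name__ == "__main__":
    p, r, _ = bn_params(BN254_X)
    print("p bits:", p.bit_length(), "decomposition ok:", check_decomposition(BN254_X))
```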

