Search Results


Abstract

This paper proposes the computation of the Tate pairing, Ate pairing and its variations on the special Jacobi quartic elliptic curve $Y^2 = dX^4 + Z^4$. We improve the doubling and addition steps in Miller's algorithm to compute the Tate pairing. We use the birational equivalence between Jacobi quartic curves and Weierstrass curves, together with a specific point representation, to obtain the best result to date among curves with quartic twists. For the doubling and addition steps in Miller's algorithm for the computation of the Tate pairing, we obtain a theoretical gain of up to 27% and 39%, depending on the embedding degree and the extension field arithmetic, with respect to Weierstrass curves and previous results on Jacobi quartic curves. Furthermore, for the first time, we compute and implement Ate, twisted Ate and optimal pairings on the Jacobi quartic curves. Our results are up to 27% more efficient compared to the case of Weierstrass curves with quartic twists.

this pairing in cryptographic applications. Keywords. Tate pairing, Weil pairing, self-pairing, pairing based cryptography. 2010 Mathematics Subject Classification. 14G50, 11T71, 11G20, 14Q05. 1 Introduction. A pairing is a non-degenerate bilinear map $e : G_1 \times G_2 \to G_T$ where $G_1, G_2, G_T$ are cyclic groups of prime order $r$ (the first two are usually written additively, and the third multiplicatively). Such groups are found from elliptic or hyperelliptic curves and the pairing is usually the Tate–Lichtenbaum pairing or one of its variants. Pairings have found many

consequence, pairings became very popular in asymmetric cryptography and computing them as fast as possible is very important. Let us first briefly recall the state of the art in this field and then explain how an RNS arithmetic can be helpful. 4.2 The Tate pairing. The most popular pairing used in cryptography is the Tate pairing. We present it here in a simplified and reduced form because it is the one usually used in cryptographic applications. More details and generalities can be found in [16, 23]. In this paper we assume that E is an

group of points of order $r$ defined over the ground field $\mathbb{F}_q$. Hence, we consider a non-degenerate bilinear pairing of the form $e : E(\mathbb{F}_q)[r] \times E(\mathbb{F}_q)[r] \to \mu_r \subseteq \mathbb{F}_{q^k}^*$. We may obtain such a pairing from the Weil pairing [20] or Tate pairing [9] twisted by an endomorphism $\psi$ called a distortion map [21, 22]. For example, if the Tate pairing is used then we define $e(P,Q) = f_{r,P}(\psi(Q))^{(q^k-1)/r}$, where $f_{r,P}$ is a function on $E$ with divisor $(f_{r,P}) = r(P) - r(0)$ (see [4] or [6] for more details about pairings). The value $f_{r,P}(\psi(Q))$ may be computed using Miller's algorithm [16].

for optimal tate pairing check on the elliptic curve alt_bn128, 2017. https://eips.ethereum.org/EIPS/eip-197. [20] J. Camenisch and M. Stadler. Proof systems for general statements about discrete logarithms. Technical report, Dept. of Computer Science, ETH Zurich, 1997. [21] Jan Camenisch, Rafik Chaabouni, and abhi shelat. Efficient protocols for set membership and range proofs. In Josef Pieprzyk, editor, Advances in Cryptology - ASIACRYPT 2008, pages 234–252. Springer, 2008. [22] Sébastien Canard, Iwen Coisel, Amandine Jambert, and Jacques Traoré. New results

for each $n > 0$. Let $r$ be a prime dividing $\#\mathrm{Jac}(C)(\mathbb{F}_q)$ and coprime to $p$. We define the embedding degree to be the smallest positive integer $k$ such that $r$ divides $q^k - 1$; note that $\mathbb{F}_{q^k}$ is the field generated over $\mathbb{F}_q$ by adjoining the group $\mu_r$ of $r$th roots of unity in $\overline{\mathbb{F}}_q$. Throughout, $e_r : \mathrm{Jac}(C)[r] \times \mathrm{Jac}(C)[r] \to \mu_r \subset \mathbb{F}_{q^k}^*$ denotes a non-degenerate, bilinear, and Galois-invariant pairing on $\mathrm{Jac}(C)[r]$, such as the Weil pairing or the reduced Tate pairing; we refer the reader to [1, 2, 8, 7, 16, 17] for details on pairings and pairing-based cryptography. An elliptic curve E

Frey–Rück attack and MOV attack use the Tate pairing and Weil pairing, respectively, to map the discrete logarithm problem on the curve's Jacobian defined over $\mathbb{F}_q$ to the discrete logarithm in the multiplicative group of the extension field $\mathbb{F}_{q^k}$, for some integer $k$, where there are more efficient methods for solving the DLP. This extension degree $k$ is known as the embedding degree. We will say a curve $C$ has embedding degree $k$ with respect to an integer $N$ if and only if a subgroup of order $N$ of its Jacobian $J_C$ does. So for pairing-based cryptosystems, it is impor

http://arxiv.org/abs/1409.0846 [11] E. Fouvry and H. Iwaniec, Gaussian primes, Acta Arith. 79 (1997), no. 3, 249–287. doi:10.4064/aa-79-3-249-287 [12] G. Frey, M. Müller and H.-G. Rück, The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems, IEEE Trans. Inform. Theory 45 (1999), no. 5, 1717–1719. doi:10.1109/18.771254

curves as proposed by Brezing and Weng [6]. We use the notation $\mathbb{N}, \mathbb{Z}, \mathbb{Q}$ for the set of positive integers, rational integers and rational numbers, respectively. We denote by $\mathbb{F}_q$ a finite field with order $q$. The order of an elliptic curve $E$ over $\mathbb{F}_q$ is given by $\#E(\mathbb{F}_q) = q + 1 - t$, where $t \in \mathbb{Z}$ is the trace of the Frobenius map. Pairing-based cryptographic systems require a non-degenerate pairing which can be efficiently computed. For example, the most common pairings used in applications are Weil and Tate pairings. We define the embedding degree with respect to

pairing a very costly object to compute [18, 22]. Freeman provides sample parameter sizes of bilinear groups for various security levels [18, Section 4] and mentions that for the 80-bit security level a composite order Tate pairing on a 1024-bit supersingular curve would be approximately 50 times slower than a prime order Tate pairing on a 170-bit MNT curve. In [22] it was reported that a composite order pairing for the 128-bit security level was approximately 254 times slower than its prime order counterpart for the same security level. This efficiency bottleneck