Hai-bin SHEN,Hua-feng CHEN,Xiao-lang YAN

DOI: https://doi.org/10.3785/j.issn.1008-973X.2006.09.004

2006-01-01

Abstract:To accelerate point multiplication operation of elliptic curve cryptography (ECC), a fast reduction algorithm for modular operation was introduced. The algorithm applied the characteristic of the small second item's degree of irreducible polynomial in characteristic 2 finite field. Based on the algorithm and projective Montgomery point multiplication algorithm, a configurable ECC accelerator using very large scale integrated circuit technology was proposed. Scalable field design and unique pipeline technique was adapted in the accelerator. Simulation results show that the accelerator designed by the algorithm can rapidly complete ECC point multiplication operation. When 162 bits key and 192 bits key are selected, the point multiplication operation takes 0.22 ms and 0.43 ms respectively. The accelerator has simple interface and good flexibility, and provides a method for hardware implementation of public key cryptography algorithm.

Yi Wu,GuoQiang Bai,XingJun Wu

DOI: https://doi.org/10.1109/edssc.2019.8754380

2019-01-01

Abstract:Elliptic curve cryptosystem costs smaller calculation complexity compared with RSA. Identity Based Cryptography is a state-of-art scheme in all the elliptic curve cryptosystems. Bilinear pairing calculation over elliptic curves is the most time-consuming part which is also the pivotal to build IBC schemes. We dedicated this paper to the study of accelerating pairing computation. The proposed design uses Karatsuba algorithm based multiplier and exploits parallelism at different layer of extension field. On the other hand, some algorithm-level techniques are used for square for F-q12. Finally, the design is implemented on Xilinx Virtex-6 platform with the verification the R-ate pairing computation used in Identity-Based Algorithms SM9 issued by China, takes only 5.83ms. The results also outperform the performance using OpenCL.

Shiping Cai,Zhi Hu,Zheng-An Yao,Chang-An Zhao

DOI: https://doi.org/10.48550/arXiv.2109.07050

2021-09-15

Abstract:Pairings have been widely used since their introduction to cryptography. They can be applied to identity-based encryption, tripartite Diffie-Hellman key agreement, blockchain and other cryptographic schemes. The Acceleration of pairing computations is crucial for these cryptographic schemes or protocols. In this paper, we will focus on the Elliptic Net algorithm which can compute pairings in polynomial time, but it requires more storage than Miller's algorithm. We use several methods to speed up the Elliptic Net algorithm. Firstly, we eliminate the inverse operation in the improved Elliptic Net algorithm. In some circumstance, this finding can achieve further improvements. Secondly, we apply lazy reduction technique to the Elliptic Net algorithm, which helps us achieve a faster implementation. Finally, we propose a new derivation of the formulas for the computation of the Optimal Ate pairing on the twisted curve. Results show that the Elliptic Net algorithm can be significantly accelerated especially on the twisted curve. The algorithm can be $80\%$ faster than the previous ones on the twisted 381-bit BLS12 curve and $71.5\%$ faster on the twisted 676-bit KSS18 curve respectively.

Cryptography and Security,Algebraic Geometry,Number Theory

Xusheng Zhang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-642-25516-8_19

2011-01-01

Abstract:In pairing-based cryptography, most researches are focused on elliptic curves of embedding degrees greater than six, but less on curves of small embedding degrees, although they are important for pairing-based cryptography over composite-order groups. This paper analyzes efficient pairings on ordinary elliptic curves of embedding degree 1 and 2 from the point of shortening Miller's loop. We first show that pairing lattices presented by Hess can be redefined on composite-order groups. Then we give a simpler variant of the Weil pairing lattice which can also be regarded as an Omega pairing lattice, and extend it to ordinary curves of embedding degree 1. In our analysis, the optimal Omega pairing, as the super-optimal pairing on elliptic curves of embedding degree 1 and 2, could be more efficient than Weil and Tate pairings. On the other hand, elliptic curves of embedding degree 2 are also very useful for pairings on elliptic curves over RSA rings proposed by Galbraith and McKee. So we analyze the construction of such curves over RSA rings, and redefine pairing lattices over RSA rings. Specially, modified Omega pairing lattices over RSA rings can be computed without knowing the RSA trapdoor. Furthermore, for keeping the trapdoor secret, we develop an original idea of evaluating pairings without leaking the group order.

Shiping Cai,Kaizhan Lin,Chang-An Zhao

DOI: https://doi.org/10.1049/2024/9631360

2024-10-04

IET Information Security

Abstract:In isogeny‐based cryptography, bilinear pairings are regarded as a powerful tool in various applications, including key compression, public key validation, and torsion basis generation. However, in most isogeny‐based protocols, the performance of pairing computations is unsatisfactory due to the high computational cost of the Miller function. Reducing the computational expense of the Miller function is crucial for enhancing the overall performance of pairing computations in isogeny‐based cryptography. This paper addresses this efficiency bottleneck. To achieve this, we propose several techniques for a better implementation of pairings in isogeny‐based cryptosystems. We use (modified) Jacobian coordinates and present new algorithms for Miller function computations to compute pairings of order 2∙ and 3∙. For pairings of arbitrary order, which are crucial for key compression in some SIDH‐based schemes (such as M‐SIDH and binSIDH), we combine Miller doublings with Miller additions/subtractions, leading to a considerable speedup. Moreover, the optimizations for pairing applications in CSIDH‐based protocols are also considered in this paper. In particular, our approach for supersingularity verification in CSIDH is 15.3% faster than Doliskani's test, which is the state‐of‐the‐art.

computer science, information systems, theory & methods

Shan Chen,Kunpeng Wang,Dongdai Lin

2013-01-01

Abstract:When implementing an efficient pairing calculation over KSS curves with embedding degree 18 and order r, the lower bound of the number of loop iterations of Miller's algorithm is 1/6[log2 r]. But the twisted Ate pairing requires 1/2 [log2 r] loop iterations, and thus is slower than the optimal Ate pairing which achieves the lower bound. This paper proposes an improved twisted Ate pairing and uses multi-pairing techniques to compute it. Therefore, the number of loop iterations in Miller's algorithm for the new pairing achieves the lower bound and it becomes faster than the original twisted Ate pairing by 30%. © Springer-Verlag Berlin Heidelberg 2013.

Xusheng Zhang,Kunpeng Wang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-642-36334-4_1

2012-01-01

Abstract:In implementation of elliptic curve cryptography, three kinds of finite fields have been widely studied, i.e. prime field, binary field and optimal extension field. In pairing-based cryptography, however, pairing-friendly curves are usually chosen among ordinary curves over prime fields and supersingular curves over extension fields with small characteristics. In this paper, we study pairings on elliptic curves over extension fields from the point of view of accelerating the Miller's algorithm to present further advantage of pairing-friendly curves over extension fields, not relying on the much faster field arithmetic. We propose new pairings on elliptic curves over extension fields can make better use of the multi-pairing technique for the efficient implementation. By using some implementation skills, our new pairings could be implemented much more efficiently than the optimal ate pairing and the optimal twisted ate pairing on elliptic curves over extension fields. At last, we use the similar method to give more efficient pairings on Estibals's supersingular curves over composite extension fields in parallel implementation.

Andreas Enge,Jérôme Milan

DOI: https://doi.org/10.48550/arXiv.1407.5953

2014-07-23

Abstract:This study reports on an implementation of cryptographic pairings in a general purpose computer algebra system. For security levels equivalent to the different AES flavours, we exhibit suitable curves in parametric families and show that optimal ate and twisted ate pairings exist and can be efficiently evaluated. We provide a correct description of Miller's algorithm for signed binary expansions such as the NAF and extend a recent variant due to Boxall et al. to addition-subtraction chains. We analyse and compare several algorithms proposed in the literature for the final exponentiation. Finally, we ive recommendations on which curve and pairing to choose at each security level.

Number Theory,Cryptography and Security,Mathematical Software

Weizhen Wang,Jun Han,Jielin Wang,Xiaoyang Zeng

DOI: https://doi.org/10.1109/asicon.2015.7516999

2015-01-01

Abstract:Finite field arithmetic is the base of cryptography algorithms like Elliptic Curves Cryptography (ECC) and RSA. In this paper, We have designed an arithmetic unit to implement the operation (A ± αB)mod N, where α is a small number compared with N. In our design, the coefficient α is smaller than 128. The basic motivation of designing this multiply-accumulate (MAC) unit is to support some high security ECC algorithms such as Optimal Ate Pairings. The well-known Optimal Ate Pairing based on Barreto-Naehrig elliptic curve is famous for it's efficient implementation. In those cryptography algorithms, the calculation of αB mod N is required, where α is a small number. It is unefficient to use modular multiplication to calculate it. This is the basic motivation of implementing the operation (A ± αB)mod N with α <;<; N. Considering that the Barreto-Naehrig elliptic curve for pairing are defined in F P12 , we implement the arithmetic unit to be a Single Instruction Multiple Data (SIMD) unit with pipelined structure. Thus, the design is suitable for arithmetic in extensions of finte fields. We have modified the Barrett reduction algorithm to make it suitable for the design. The design is synthesized with SMIC 65nm CMOS process. Compared with using modular multiplication to calculate (A ± αB)mod N, Our work shows better performance with small latency and high throughput.

wang,hong,kunpeng,zhang,lijun,li,bao

IF: 1.019

2011-01-01

Chinese Journal of Electronics

Abstract:This paper proposes explicit formulae for the addition step and doubling step in Miller's algorithm to compute Tate pairing on Jacobi quartic curves. We present a geometric interpretation of the group law on Jacobi quartic curves, which leads to formulae for Miller's algorithm. The doubling step formula is competitive with that for Weierstrass curves and Edwards curves. Moreover, by carefully choosing the coefficients, there exist quartic twists of Jacobi quartic curves from which pairing computation can benefit a lot. Finally, we provide some examples of supersingular and ordinary pairing friendly Jacobi quartic curves.

Zhe-li LIU,JIAChun-fu,Tao SUN,Jing-wei LI,Hong-shun JI

DOI: https://doi.org/10.3969/j.issn.0493-2137.2011.12.003

2011-01-01

Abstract:In this paper, the research done in recent years on construction methods in identity-based cryptography(IBC) based on pairing was described. Each construction method was compared and analyzed in terms of pairing compatibility, security model, and time and space efficiency. The result shows that the commutative-blinding has been a new construction direction with rapid development for its good adaptability due to its algebraic stucture, independence of random oracle, and ability to generate more efficient constructions.

Yang Li,Jun Han,Shuai Wang,Dabin Fang,Xiaoyang Zeng

DOI: https://doi.org/10.1109/IPEC.2012.6522664

2012-01-01

Abstract:Pairings are attractive and competitive cryptographic primitives for establishing various novel and powerful information security schemes. An efficient implementation of pairings is usually critical for realizing a cryptographic scheme practically. This paper presents a high-performance pairing processor with a new combined Montgomery multiplier which implements the fundamental operations of Fp2 multiplication efficiently. The processor is fabricated in TSMC 65nm CMOS process. The chip achieves 800MHz (1.2V) with 266.5mW power consumption and a core area of 2.51mm2, and computes an optimal Ate pairing (254-bit curve) in 0.64ms.

Xiaokang Xiong,Duncan S. Wong,Xiaotie Deng

DOI: https://doi.org/10.1109/NCA.2009.30

2009-01-01

Abstract:Since the introduction of bilinear pairing to public key cryptography in 2001, pairing has been considered as one of the most expensive public key operations in terms of both computational complexity and memory requirement. Recently some work has been done on improving the computation time of pairing on resource-constrained wireless sensors. However, little has been focused on reducing the memory consumption. In this paper, we propose three new algorithms for speeding up the computation and reducing the memory footprint of cubing, modular reduction and polynomial multiplication in ΗT pairing over finite fields of characteristic three. We further propose new programming techniques for making the implementation even more lightweight. Our experimental results show that one ΗT pairing, with security level comparable to 1024-bit RSA, can be done on a MICAz sensor node in just 5.3 seconds, using only 154 bytes of RAM and 8,576 bytes of ROM. To the best of our knowledge, this is the most efficient nesC implementation to date. Also, when compared with the best known result found in the literature, our implementation reduces the RAM usage by 75% and the ROM usage by 51%. The resulting size of our implementation corresponds to only 3.7% and 6.5% of the RAM and ROM capacities of MICAz, respectively.

Jun Han,Yang Li,Zhiyi Yu,Xiaoyang Zeng

DOI: https://doi.org/10.1109/tvlsi.2014.2316514

2015-04-01

IEEE Transactions on Very Large Scale Integration (VLSI) Systems

Abstract:Pairings are attractive and competitive cryptographic primitives for establishing various novel and powerful information security schemes. This paper presents a flexible and high-performance processor for cryptographic pairings over pairing-friendly curves at high security levels. In this design, hardware for Fp2 arithmetic is optimized to accelerate the pairing computation, and especially a combined modular multiplier, which implements (AB + CD) based on Montgomery method, is proposed. This combined multiplier has the data path delay close to that of a single multiplier implementing (AB) but saves 20% area cost compared with two single multipliers. The Design I of the proposed processor is the first fabricated chip for pairing cryptography. An improved version, Design II, is implemented using TSMC 65-nm CMOS technology and achieves the working frequency of 633 MHz after placing and routing. As demonstrated, the optimal ate pairings of 126- and 128-bit security can be computed by Design II in 0.521 and 0.554 ms, respectively. These results outperform the hardware implementations reported by previous works.

engineering, electrical & electronic,computer science, hardware & architecture

Xusheng Zhang,Shan Chen,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-642-34704-7_16

2011-01-01

Abstract:Recently there are lots of studies on the Tate pairing computation with different coordinate systems, such as twisted Edwards curves and Hessian curves coordinate systems. However, Jacobi intersections curves coordinate system, as another useful one, is overlooked in pairing-based cryptosystems. This paper proposes the explicit formulae for the doubling and addition steps in Miller's algorithm to compute the Tate pairing on twisted Jacobi intersections curves, as a larger class containing Jacobi intersections curves. Although these curves are not plane elliptic curves, our formulae are still very efficient and competitive with others. When the embedding degree is even, our doubling formulae are the fastest except for the formulae on Hessian/Selmer curves, and the parallel execution of our formulae are even more competitive with the Selmer curves case in the parallel manner. Besides, we give the detailed analysis of the fast variants of our formulae with other embedding degrees, such as the embedding degree 1, and the embedding degree dividing 4 and 6. At last, we analyze the relation between the Tate pairings on two isogenous elliptic curves, and show that the Tate pairing on twisted Jacobi intersections curves can be substituted for the Tate pairing on twisted Edwards curves completely.

Michael Scott,Naomi Benger,Manuel Charlemagne,Luis J. Dominguez Perez,Ezekiel J. Kachisa

DOI: https://doi.org/10.1007/978-3-642-03298-1_6

2009-01-01

Abstract:When performing a Tate pairing (or a derivative thereof) on an ordinary pairing-friendly elliptic curve, the computation can be looked at as having two stages, the Miller loop and the so-called final exponentiation. As a result of good progress being made to reduce the Miller loop component of the algorithm (particularly with the discovery of "truncated loop" pairings like the R-ate pairing [18]), the final exponentiation has become a more significant component of the overall calculation. Here we exploit the structure of pairing-friendly elliptic curves to reduce to a minimum the computation required for the final exponentiation.

Oussama Azzouzi,Mohamed Anane,Mouloud Koudil,Mohamed Issad,Yassine Himeur

DOI: https://doi.org/10.1007/s11227-023-05578-5

2023-08-25

Abstract:While FPGA is a suitable platform for implementing cryptographic algorithms, there are several challenges associated with implementing Optimal Ate pairing on FPGA, such as security, limited computing resources, and high power consumption. To overcome these issues, this study introduces three approaches that can execute the optimal Ate pairing on Barreto-Naehrig curves using Jacobean coordinates with the goal of reaching 128-bit security on the Genesys board. The first approach is a pure software implementation utilizing the MicroBlaze processor. The second involves a combination of software and hardware, with key operations in $F_{p}$ and $F_{p^{2}}$ being transformed into IP cores for the MicroBlaze. The third approach builds on the second by incorporating parallelism to improve the pairing process. The utilization of multiple MicroBlaze processors within a single system offers both versatility and parallelism to speed up pairing calculations. A variety of methods and parameters are used to optimize the pairing computation, including Montgomery modular multiplication, the Karatsuba method, Jacobean coordinates, the Complex squaring method, sparse multiplication, squaring in $G_{\phi 6}F_{p^{12}}$, and the addition chain method. The proposed systems are designed to efficiently utilize limited resources in restricted environments, while still completing tasks in a timely manner.

Cryptography and Security

Wang Bei,Ouyang Yi,Hu Honggang

DOI: https://doi.org/10.1049/cje.2018.05.004

IF: 1.019

2018-01-01

Chinese Journal of Electronics

Abstract:In this paper, we construct the twists of twisted Edwards curves in Weierstrass form. Then we define a new twisted Ate pairing on twisted Weierstrass curves named the Tx-Ate pairing. Following Miller’s algorithm, we give a computation of the Tx-Ate pairing on high degree twisted Weierstrass curves, where the point operations are over Edwards form, and the computation of Miller function is over Weierstrass form. Although, in one doubling loop, our method to compute the Tx-Ate pairing is a litter slower than the previously fastest method.By twists, the Tx-Ate pairing can be calculated on more twisted Weierstrass curves with short loop length. The TxAte pairing is even competitive with optimal Ate pairing when they have the same short loop length.

Ye Zhang,Chun Jason Xue,Duncan S. Wong,Nikos Mamoulis,Siu Ming Yiu

DOI: https://doi.org/10.1007/978-3-642-34129-8_31

2012-01-01

Abstract:Recently, composite-order bilinear pairing has been shown to be useful in many cryptographic constructions. However, it is time-costly to evaluate. This is because the composite order should be at least 1024bit and, hence, the elliptic curve group order n and base field become too large, rendering the bilinear pairing algorithm itself too slow to be practical (e.g., the Miller loop is Ω(n)). Thus, composite-order computation easily becomes the bottleneck of a cryptographic construction, especially, in the case where many pairings need to be evaluated at the same time. The existing solution to this problem that converts composite-order pairings to prime-order ones is only valid for certain constructions. In this paper, we leverage the huge number of threads available on Graphics Processing Units (GPUs) to speed up composite-order pairing computation. We investigate suitable SIMD algorithms for base/extension field, elliptic curve and bilinear pairing computation as well as mapping these algorithms into GPUs with careful considerations. Experimental results show that our method achieves a record of 8.7ms per pairing on a 80bit security level, which is a 20-fold speedup compared to the state-of-the-art CPU implementation. This result also opens the road to adopting higher security levels and using rich-resource parallel platforms, which for example are available in cloud computing. For example, we can achieve a record of 7 ×10− 6 USD per pairing on the Amazon cloud computing environment.

LI Zi-chen,MIAO Peng-feng,WU Yan

DOI: https://doi.org/10.3969/j.issn.1673-9787.2006.03.003

2006-01-01

Abstract:Certificate managing is always the bottleneck of PKI,which is the main way to resolve information security problem,but ID-based crypto system constructed by bilinear pairing can solve well.Based on the study of some based-pairing cryptosystem,we can find them must resolve the following questions:(1)Decide whether Bilinear Diffie-Hellman Problem is realy a hard question or not;(2)Find more efficient arithmitric to compute bilinear pairing;(3)Propose more secure,efficient and special signature schemes,such as threshold signature and proxy signature etc.