Adequate Elliptic Curves for Computing the Product of n Pairings

Abstract: International audienc

“…However, squaring is more optimized by using Devegili et al's [11] complex squaring technique which cost 2M p + 4A p + 2m α for one squaring operation in F p 2 . In total it costs 54M p for one squaring in F p 16 . Table 1 shows the operation estimation for F p 16 .…”

“…In total it costs 54M p for one squaring in F p 16 . Table 1 shows the operation estimation for F p 16 . Table 2 shows the operation estimation for F p 12 according to the towering shown in Eq.…”

“…As said before, this work is focused on Miller's algorithm. However, the authors made a "not state-of-art" implementation of some final exponentiation algorithms [16,14,17]. Table 11 shows the total final exponentiation time in [ms].…”

“…Zhang et al [31] have shown the computational estimation of the Miller's loop and proposed efficient final exponentiation for 192-bit security level in the context of OptimalAte pairing over KSS-16 curve. A few years later Ghammam et al [16] have shown that KSS-16 is the best suited for multi-pairing (i.e., the product and/or the quotient) when the number of pairing is more than two. Ghammam et al [16] also corrected the flaws of proposed final exponentiation algorithm by Zhang et al [31] and proposed a new one and showed the vulnerability of Zhang's parameter settings against small subgroup attack.…”

“…A few years later Ghammam et al [16] have shown that KSS-16 is the best suited for multi-pairing (i.e., the product and/or the quotient) when the number of pairing is more than two. Ghammam et al [16] also corrected the flaws of proposed final exponentiation algorithm by Zhang et al [31] and proposed a new one and showed the vulnerability of Zhang's parameter settings against small subgroup attack. The recent development of NFS by Kim and Barbulescu [21] requires updating the parameter selection for all the existing pairings over the well known pairing-friendly curve families such as BN [5], BLS [13] and KSS [19].…”

Efficient Optimal Ate Pairing at 128-Bit Security Level

“…However, squaring is more optimized by using Devegili et al's [11] complex squaring technique which cost 2M p + 4A p + 2m α for one squaring operation in F p 2 . In total it costs 54M p for one squaring in F p 16 . Table 1 shows the operation estimation for F p 16 .…”

“…In total it costs 54M p for one squaring in F p 16 . Table 1 shows the operation estimation for F p 16 . Table 2 shows the operation estimation for F p 12 according to the towering shown in Eq.…”

“…As said before, this work is focused on Miller's algorithm. However, the authors made a "not state-of-art" implementation of some final exponentiation algorithms [16,14,17]. Table 11 shows the total final exponentiation time in [ms].…”

“…Zhang et al [31] have shown the computational estimation of the Miller's loop and proposed efficient final exponentiation for 192-bit security level in the context of OptimalAte pairing over KSS-16 curve. A few years later Ghammam et al [16] have shown that KSS-16 is the best suited for multi-pairing (i.e., the product and/or the quotient) when the number of pairing is more than two. Ghammam et al [16] also corrected the flaws of proposed final exponentiation algorithm by Zhang et al [31] and proposed a new one and showed the vulnerability of Zhang's parameter settings against small subgroup attack.…”

“…A few years later Ghammam et al [16] have shown that KSS-16 is the best suited for multi-pairing (i.e., the product and/or the quotient) when the number of pairing is more than two. Ghammam et al [16] also corrected the flaws of proposed final exponentiation algorithm by Zhang et al [31] and proposed a new one and showed the vulnerability of Zhang's parameter settings against small subgroup attack. The recent development of NFS by Kim and Barbulescu [21] requires updating the parameter selection for all the existing pairings over the well known pairing-friendly curve families such as BN [5], BLS [13] and KSS [19].…”

Efficient Optimal Ate Pairing at 128-Bit Security Level

Secure and Efficient Pairing at 256-Bit Security Level

Updating Key Size Estimations for Pairings