Abstract: We describe efficient formulas for computing pairings on ordinary elliptic curves over prime fields. First, we generalize lazy reduction techniques, previously considered only for arithmetic in quadratic extensions, to the whole pairing computation, including towering and curve arithmetic. Second, we introduce a new compressed squaring formula for cyclotomic subgroups and a new technique to avoid performing an inversion in the final exponentiation when the curve is parameterized by a negative integer. The …
“…Our results are more than 2 times faster than Bernstein et al.'s implementation using a Montgomery curve over F_p [5] on the targeted x64 processors. In comparison with curve-based implementations on genus 2 curves or binary curves, we observe that our results are between 24%-26% faster than the genus 2 implementation by Bos et al. [8], and between 19%-24% faster than the implementation by Oliveira et al. [35] based on a binary GLS curve using the 2-GLV method. Only the recent implementation by Bernstein et al. [4], which uses the same genus 2 Kummer surface employed by Bos et al. [8], is able to achieve a performance that is comparable to this work, with a result that is slightly slower on the Intel Ivy Bridge processor.…”
Section: Results
confidence: 47%
“…6) if lazy reduction could be exploited in the curve arithmetic. This has been proven to be useful for formulas for the Weierstrass form [1], but unfortunately the technique cannot be advantageously exploited in the most efficient formulas for twisted Edwards (in this case, one should set rdcn = TRUE). Squaring over F_{p^2} is computed using the complex method.…”
Section: Quadratic Extension Field Arithmetic
confidence: 99%
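The lazy reduction the abstract generalizes and the citing paper discusses for its F_{p^2} layer is easiest to see on the quadratic extension itself. The following worked example is added here and is not code from either paper: it multiplies and squares in F_{p^2} = F_p[i]/(i^2 + 1), once reducing every product (eager) and once accumulating the products unreduced and reducing each output coefficient only once (lazy, Karatsuba form), alongside the complex-method squaring the snippet names. The prime p = 2^61 - 1 (p ≡ 3 mod 4, so the extension is a field) and the 64-bit word size used in the bound check are assumptions for illustration; only double-size products and full reductions are counted, single-precision modular additions are treated as free.

```python
"""Lazy reduction in F_{p^2} = F_p[i]/(i^2 + 1), with operation counting.

Constructed example. p = 2^61 - 1 is a toy prime with p = 3 (mod 4), so -1 is
a non-residue and the quadratic extension is a field; it is not the prime of
either paper.  Only double-size products and their reductions are counted:
single-precision modular additions are ignored as cheap.
"""
from dataclasses import dataclass
import random

P = 2**61 - 1
assert P % 4 == 3


@dataclass
class OpCount:
    """Number of double-size multiplications and of full reductions performed."""
    mul: int = 0
    red: int = 0


def mulp(x, y, c):
    """Integer product of two values in [0, 2p): double-size, NOT reduced."""
    c.mul += 1
    return x * y


def red(t, c):
    """Full reduction of a double-size value (what a Montgomery/Barrett REDC does)."""
    c.red += 1
    return t % P


def mul_eager(a, b, c):
    """(a0 + a1 i)(b0 + b1 i), reducing every product: 4 mul + 4 red."""
    a0, a1 = a
    b0, b1 = b
    t0 = red(mulp(a0, b0, c), c)
    t1 = red(mulp(a1, b1, c), c)
    t2 = red(mulp(a0, b1, c), c)
    t3 = red(mulp(a1, b0, c), c)
    return ((t0 - t1) % P, (t2 + t3) % P)


def mul_lazy(a, b, c):
    """Karatsuba with lazy reduction: 3 mul + 2 red.

    The three products are accumulated unreduced; each output coefficient is
    reduced once.  v0 - v1 is shifted by p^2 so it stays non-negative, as an
    unsigned multiprecision implementation would have to do.
    """
    a0, a1 = a
    b0, b1 = b
    v0 = mulp(a0, b0, c)                  # < p^2
    v1 = mulp(a1, b1, c)                  # < p^2
    v2 = mulp(a0 + a1, b0 + b1, c)        # operands < 2p, product < 4p^2
    c0 = red(v0 - v1 + P * P, c)          # a0 b0 - a1 b1, in [0, 2p^2)
    c1 = red(v2 - v0 - v1, c)             # a0 b1 + a1 b0, in [0, 2p^2)
    return (c0, c1)


def sqr_complex(a, c):
    """Complex-method squaring: (a0 + a1 i)^2 = (a0+a1)(a0-a1) + 2 a0 a1 i, 2 mul + 2 red."""
    a0, a1 = a
    c0 = red(mulp(a0 + a1, (a0 - a1) % P, c), c)   # modular subtraction is cheap, not counted
    c1 = red(mulp(a0, a1, c) << 1, c)              # doubling the unreduced product, < 2p^2
    return (c0, c1)


def lazy_bound_ok(word_bits):
    """Lazy reduction is sound only while every unreduced value stays below R*p,
    R = 2^word_bits, the input range of a Montgomery reduction on that many bits.
    Here every value handed to red() is < 2p^2, so the condition is 2p < R."""
    return 2 * P < 2**word_bits


def selfcheck(trials=200, seed=1):
    """Lazy and eager agree on random inputs and the op counts are as advertised."""
    rng = random.Random(seed)
    for _ in range(trials):
        a = (rng.randrange(P), rng.randrange(P))
        b = (rng.randrange(P), rng.randrange(P))
        ce, cl, cs = OpCount(), OpCount(), OpCount()
        if mul_eager(a, b, ce) != mul_lazy(a, b, cl):
            return False
        if sqr_complex(a, cs) != mul_lazy(a, a, OpCount()):
            return False
        if (ce.mul, ce.red, cl.mul, cl.red, cs.mul, cs.red) != (4, 4, 3, 2, 2, 2):
            return False
    return True


if __name__ == "__main__":
    print("lazy == eager, counts ok:", selfcheck(), "| 64-bit words fine:", lazy_bound_ok(64))
```

The saving is two reductions per multiplication and the 2-versus-3 multiplication count for squaring; the price is the bound check in lazy_bound_ok, which is the reason the technique needs the prime to sit a few bits below the word boundary and why the snippet reports it paying off for Weierstrass but not for the best twisted Edwards formulas.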
“…In this work, we take these optimizations further and propose a technique that interleaves ARM- and NEON-based multiprecision operations, such as multiplication, squaring and modular reduction, in extension field operations in order to maximize the inherent parallelism and hide the execution latency. The technique is especially relevant for implementing the quadratic extension field layer in GLS curves [16] and pairing computations [1]. For instance, it injects a significant speedup in the range 17%-34% in the scalar multiplication execution on a GLV-GLS curve (see §5 and §6).…”
We propose efficient algorithms and formulas that improve the performance of side-channel protected elliptic curve computations, with special focus on scalar multiplication exploiting the Gallant-Lambert-Vanstone (CRYPTO 2001) and Galbraith-Lin-Scott (EUROCRYPT 2009) methods. Firstly, by adapting Feng et al.'s recoding to the GLV setting, we derive new regular algorithms for variable-base scalar multiplication that offer protection against simple side-channel and timing attacks. Secondly, we propose an efficient, side-channel protected algorithm for fixed-base scalar multiplication which combines Feng et al.'s recoding with Lim-Lee's comb method. Thirdly, we propose an efficient technique that interleaves ARM- and NEON-based multiprecision operations over an extension field to improve the performance of GLS curves on modern ARM processors. Finally, we showcase the efficiency of the proposed techniques by implementing a state-of-the-art GLV-GLS curve in twisted Edwards form defined over F_{p^2}, which supports a four-dimensional decomposition of the scalar and is fully protected against timing attacks. Analysis and performance results are reported for modern x64 and ARM processors. For instance, we compute a variable-base scalar multiplication in 89,000 and 244,000 cycles on an Intel Ivy Bridge and an ARM Cortex-A15 processor, respectively; using a precomputed table of 6KB, we compute a fixed-base scalar multiplication in 49,000 and 116,000 cycles, respectively; and using a precomputed table of 3KB, we compute a double scalar multiplication in 115,000 and 285,000 cycles, respectively. The proposed techniques represent an important improvement of the state-of-the-art performance of elliptic curve computations, and allow us to set new speed records on several modern processors. The techniques also reduce the cost of adding protection against timing attacks in the computation of GLV-based variable-base scalar multiplication to below 10%.
This work is the extended version of a publication that appeared at CT-RSA 2014 [12].
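The abstract's "regular algorithms" protect against simple side-channel and timing attacks by making the sequence of curve operations independent of the scalar, which a signed recoding with no zero digits makes possible. The following example is added here and is not the paper's code: it uses the standard odd-scalar {+1, -1} recoding (the kind of regular recoding the abstract refers to, not the paper's GLV-adapted algorithm), a textbook toy curve y^2 = x^3 + x + 1 over F_23 with affine formulas (not the paper's GLV-GLS twisted Edwards curve over F_{p^2}), and then checks that every odd scalar produces the identical double-then-add trace and the correct multiple. Curve, base point and the odd-scalar restriction are assumptions for illustration.

```python
"""Regular (fixed-pattern) scalar multiplication from a {+1, -1} recoding.

Constructed example.  The curve y^2 = x^3 + x + 1 over F_23 with affine
formulas is a textbook toy, not the paper's GLV-GLS twisted Edwards curve over
F_{p^2}; the recoding is the standard odd-scalar signed-binary recoding in
which every digit is non-zero, the kind of regular recoding the abstract
refers to, not the paper's GLV-adapted algorithm.  The point is the operation
sequence: one doubling and one addition per digit, independent of k.
"""
P = 23
A = 1          # y^2 = x^3 + A x + B
B = 1
G = (0, 1)     # 0^3 + 0 + 1 = 1 = 1^2, so G is on the curve
INF = None     # point at infinity


def inv(x):
    return pow(x, P - 2, P)


def neg(Q):
    return INF if Q is INF else (Q[0], (-Q[1]) % P)


def add(Q, R):
    """Complete affine addition: handles INF, Q == R (doubling) and Q == -R."""
    if Q is INF:
        return R
    if R is INF:
        return Q
    x1, y1 = Q
    x2, y2 = R
    if x1 == x2:
        if (y1 + y2) % P == 0:           # R == -Q (includes doubling a 2-torsion point)
            return INF
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def naive_mul(k, Q):
    """Reference: k repeated additions (slow and irregular, for checking only)."""
    R = INF
    for _ in range(k):
        R = add(R, Q)
    return R


def point_order(Q):
    R, n = Q, 1
    while R is not INF:
        R, n = add(R, Q), n + 1
    return n


def recode_odd(k, n):
    """Digits d[0..n-1] in {+1, -1} with k = sum d[i] 2^i, for odd 0 < k < 2^n.

    d[i] = 2*bit(k, i+1) - 1 for i < n-1 and d[n-1] = 1; the sum telescopes to
    (k - bit0) + 1 = k.  No digit is zero, so no iteration can skip work.
    """
    if k <= 0 or k % 2 == 0 or k >= 1 << n:
        raise ValueError("k must be odd, positive and fit in n bits")
    digits = [2 * ((k >> (i + 1)) & 1) - 1 for i in range(n - 1)]
    digits.append(1)
    return digits


def regular_mul(k, Q, n, trace=None):
    """k*Q with a fixed double-then-add pattern over n digits.

    Only the table lookup depends on k; a real implementation would make that
    lookup constant-time as well (masked select between Q and -Q)."""
    d = recode_odd(k, n)
    table = {1: Q, -1: neg(Q)}
    R = table[d[n - 1]]
    for i in range(n - 2, -1, -1):
        R = add(R, R)
        R = add(R, table[d[i]])
        if trace is not None:
            trace.append("DA")
    return R


def selfcheck():
    """regular_mul agrees with naive_mul for every odd scalar below the order of G,
    and every scalar produces the identical operation trace."""
    order = point_order(G)
    n = order.bit_length()
    traces = set()
    for k in range(1, order, 2):
        if sum(d << i for i, d in enumerate(recode_odd(k, n))) != k:
            return False
        t = []
        if regular_mul(k, G, n, t) != naive_mul(k, G):
            return False
        traces.add("".join(t))
    return len(traces) == 1


if __name__ == "__main__":
    print("order of G:", point_order(G), "| regular == naive, single trace:", selfcheck())
```

Even scalars are left out here on purpose; a deployment has to fix parity without branching on it (for example by recoding k + 1 or k + order and correcting with a fixed extra operation), and the paper's contribution is doing this, and the digit-table selection, for the several mini-scalars of a GLV decomposition at once.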
“…Therefore, researchers started to implement optimized pairing operations for desktop computers [1,6], for smart phones [20,31], and as dedicated hardware modules [16,24]. Cost-sensitive embedded applications, however, simply do not have the budget for such powerful application processors or 130-180 kGE of dedicated hardware.…”
Section: Introduction
confidence: 99%
“…These limitations motivated us to be the first to implement constant-runtime, side-channel protected optimal-Ate pairings using Barreto-Naehrig (BN) curves [4] on an ARM Cortex-M0+ [2,3] microprocessor. The respective pairing runtime of 993 ms seems very promising as it is several times faster than related work, but might be insufficient for interactive protocols as well.…”
Abstract. The research on pairing-based cryptography brought forth a wide range of protocols interesting for future embedded applications. One significant obstacle for the widespread deployment of pairing-based cryptography is its tremendous hardware and software requirements. In this paper we present three side-channel protected hardware/software designs for pairing-based cryptography that are small yet practically fast: our plain ARM Cortex-M0+-based design computes a pairing in less than one second. The use of a multiply-accumulate instruction-set extension or of a light-weight drop-in hardware accelerator placed between CPU and data memory improves runtime by up to six times. With a 10.1 kGE drop-in module and a 49 kGE platform, our design is one of the smallest pairing designs available. Its very practical runtime of 162 ms for one pairing on a 254-bit BN curve and its reusability for other elliptic-curve-based cryptosystems make it a good fit for microprocessor-based embedded applications.
Among the existing identity-based authenticated key agreement (ID-AKA) protocols, only a few can resist leakage of ephemeral secret keys, that is, protect the session key after the ephemeral secret keys of the users have been compromised. However, all of these ID-AKA protocols with resistance to ephemeral secret key leakage require expensive bilinear pairing operations. In this paper, we present a pairing-free ID-AKA protocol with ephemeral secret leakage resistance. We also provide a full proof of its security in the extended Canetti-Krawczyk model, which captures not only resistance to leakage of ephemeral secret keys but also other basic security properties such as master key forward security and key compromise impersonation resistance. Compared with the existing ID-AKA protocols, our scheme is a good trade-off between security and efficiency.