Faster Explicit Formulas for Computing Pairings over Ordinary Curves

Aranha, Diego F.; Karabina, Koray; Longa, Patrick; Gebotys, Catherine H.; López, Julio

doi:10.1007/978-3-642-20465-4_5

Cited by 131 publications

(191 citation statements)

References 30 publications

Supporting

Mentioning

188

Contrasting

Unclassified

Order By: Relevance

“…Our results are more than 2 times faster than Bernstein et al's implementation using a Montgomery curve over F p [5] on the targeted x64 processors. In comparison with curvebased implementations on genus 2 curves or binary curves, we observe that our results are between 24%-26% faster than the genus 2 implementation by Bos et al [8], and between 19%-24% faster than the implementation by Oliveira et al [35] based on a binary GLS curve using the 2-GLV method 1 . Only the recent implementation by Bernstein et al [4], which uses the same genus 2 Kummer surface employed by Bos et al [8], is able to achieve a performance that is comparable to this work, with a result that is slightly slower on the Intel Ivy Bridge processor.…”

Section: Resultsmentioning

confidence: 47%

“…6) if lazy reduction could be exploited in the curve arithmetic. This has been proven to be useful to formulas for the Weierstrass form [1], but unfortunately the technique cannot be advantageously exploited in the most efficient formulas for twisted Edwards (in this case, one should set rdcn = TRUE ). Squaring over F p 2 is computed using the complex method.…”

Section: Quadratic Extension Field Arithmeticmentioning

confidence: 99%

“…In this work, we take these optimizations further and propose a technique that interleaves ARM-and NEON-based multiprecision operations, such as multiplication, squaring and modular reduction, in extension field operations in order to maximize the inherent parallelism and hide the execution latency. The technique is especially relevant for implementing the quadratic extension field layer in GLS curves [16] and pairing computations [1]. For instance, it injects a significant speedup in the range 17%-34% in the scalar multiplication execution on a GLV-GLS curve (see §5 and §6).…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Faz-Hernández

Longa

Sánchez

2014

Topics in Cryptology – CT-RSA 2014

Self Cite

View full text Add to dashboard Cite

We propose efficient algorithms and formulas that improve the performance of side channel protected elliptic curve computations with special focus on scalar multiplication exploiting the Gallant-Lambert-Vanstone (CRYPTO 2001) and Galbraith-Lin-Scott (EUROCRYPT 2009) methods. Firstly, by adapting Feng et al.'s recoding to the GLV setting, we derive new regular algorithms for variable-base scalar multiplication that offer protection against simple side-channel and timing attacks. Secondly, we propose an efficient, sidechannel protected algorithm for fixed-base scalar multiplication which combines Feng et al.'s recoding with Lim-Lee's comb method. Thirdly, we propose an efficient technique that interleaves ARM and NEON-based multiprecision operations over an extension field to improve performance of GLS curves on modern ARM processors. Finally, we showcase the efficiency of the proposed techniques by implementing a state-of-the-art GLV-GLS curve in twisted Edwards form defined over F p 2 , which supports a four dimensional decomposition of the scalar and is fully protected against timing attacks. Analysis and performance results are reported for modern x64 and ARM processors. For instance, we compute a variable-base scalar multiplication in 89,000 and 244,000 cycles on an Intel Ivy Bridge and an ARM Cortex-A15 processor (respect.); using a precomputed table of 6KB, we compute a fixed-base scalar multiplication in 49,000 and 116,000 cycles (respect.); and using a precomputed table of 3KB, we compute a double scalar multiplication in 115,000 and 285,000 cycles (respect.). The proposed techniques represent an important improvement of the state-ofthe-art performance of elliptic curve computations, and allow us to set new speed records in several modern processors. The techniques also reduce the cost of adding protection against timing attacks in the computation of GLV-based variable-base scalar multiplication to below 10%. This work is the extended version of a publication that appeared at CT-RSA 2014 [12].

show abstract

Section: Resultsmentioning

confidence: 47%

Section: Quadratic Extension Field Arithmeticmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Faz-Hernández

Longa

Sánchez

2014

Topics in Cryptology – CT-RSA 2014

Self Cite

View full text Add to dashboard Cite

show abstract

“…Therefore, researchers started to implement optimized pairing operations for desktop computers [1,6], for smart phones [20,31], and as dedicated hardware modules [16,24]. Cost-sensitive embedded applications however simply do not have the budget for such powerful application processors or 130-180 kGE of dedicated hardware.…”

Section: Introductionmentioning

confidence: 99%

“…These limitations motivated us to be the first to implement constant-runtime, side-channel protected optimal-Ate pairings using Barreto-Naehrig (BN) curves [4] on an ARM Cortex-M0+ [2,3] microprocessor 1 . The respective pairing runtime of 993 ms seems very promising as it is several times faster than related work 2 , but might be insufficient for interactive protocols as well.…”

Section: Introductionmentioning

confidence: 99%

Efficient Pairings and ECC for Embedded Systems

Unterluggauer

Wenger

2014

Advanced Information Systems Engineering

View full text Add to dashboard Cite

Abstract. The research on pairing-based cryptography brought forth a wide range of protocols interesting for future embedded applications. One significant obstacle for the widespread deployment of pairing-based cryptography are its tremendous hardware and software requirements. In this paper we present three side-channel protected hardware/software designs for pairing-based cryptography yet small and practically fast: our plain ARM Cortex-M0+-based design computes a pairing in less than one second. The utilization of a multiply-accumulate instructionset extension or a light-weight drop-in hardware accelerator that is placed between CPU and data memory improves runtime up to six times. With a 10.1 kGE large drop-in module and a 49 kGE large platform, our design is one of the smallest pairing designs available. Its very practical runtime of 162 ms for one pairing on a 254-bit BN curve and its reusability for other elliptic-curve based crypto systems offer a great solution for every microprocessor-based embedded application.

show abstract

A strongly secure identity-based authenticated key agreement protocol without pairings under the GDH assumption

Sun

Wen

Zhang

et al. 2015

Security Comm. Networks

View full text Add to dashboard Cite

Among the existing identity-based authenticated key agreement (ID-AKA) protocols, there are only a few of them that can resist to leakage of ephemeral secret keys, which is about the protection of the session secret key after the ephemeral secret keys of users are compromised. However, all these ID-AKA protocols with leakage of ephemeral secret keys resistance require expensive bilinear pairing operations. In this paper, we present a pairing-free ID-AKA protocol with ephemeral secrets leakage resistance. We also provide a full proof of its security in the extended Canetti-Krawczyk model, which not only can capture resistance to leakage of ephemeral secret keys but also can capture other basic security properties such as master key forward security and key compromise impersonation resistance. Compared with the existing ID-AKA protocols, our scheme is a good trade-off between security and efficiency.

show abstract

Faster Explicit Formulas for Computing Pairings over Ordinary Curves

Cited by 131 publications

References 30 publications

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Efficient Pairings and ECC for Embedded Systems

A strongly secure identity-based authenticated key agreement protocol without pairings under the GDH assumption

Contact Info

Product

Resources

About