Computing the Ate Pairing on Elliptic Curves
نویسندگان
چکیده
For AES 128 security level there are several natural choices for pairing-friendly elliptic curves. In particular, as we will explain, one might choose curves with k = 9 or curves with k = 12. The case k = 9 has not been studied in the literature, and so it is not clear how efficiently pairings can be computed in that case. In this paper, we present efficient methods for the k = 9 case, including generation of elliptic curves with the shorter Miller loop, the denominator elimination and speed up of the final exponentiation. Then we compare the performance of these choices. From the analysis, we conclude that for pairing-based cryptography at the AES 128 security level, the Barreto-Naehrig curves are the most efficient choice, and the performance of the case k = 9 is comparable to the Barreto-Naehrig curves.
منابع مشابه
On a Relation between the Ate Pairing and the Weil Pairing for Supersingular Elliptic Curves
The hyperelliptic curve Ate pairing provides an efficient way to compute a bilinear pairing on the Jacobian variety of a hyperelliptic curve. We prove that, for supersingular elliptic curves with embedding degree two, square of the Ate pairing is nothing but the Weil pairing. Using the formula, we develop an X -coordinate only pairing inversion method. However, the algorithm is still infeasible...
متن کاملOn Efficient Pairings on Elliptic Curves over Extension Fields
In implementation of elliptic curve cryptography, three kinds of finite fields have been widely studied, i.e. prime field, binary field and optimal extension field. In pairing-based cryptography, however, pairingfriendly curves are usually chosen among ordinary curves over prime fields and supersingular curves over extension fields with small characteristics. In this paper, we study pairings on...
متن کاملSpeeding Up Ate Pairing Computation in Affine Coordinates
At Pairing 2010, Lauter et al’s analysis showed that Ate pairing computation in affine coordinates may be much faster than projective coordinates at high security levels. In this paper, we further investigate techniques to speed up Ate pairing computation in affine coordinates. On the one hand, we improve Ate pairing computation over elliptic curves admitting an even twist by describing an 4-ar...
متن کاملAte Pairing on Hyperelliptic Curves
In this paper we show that the Ate pairing, originally defined for elliptic curves, generalises to hyperelliptic curves and in fact to arbitrary algebraic curves. It has the following surprising properties: The loop length in Miller’s algorithm can be up to g times shorter than for the Tate pairing, with g the genus of the curve, and the pairing is also automatically reduced, that is no final e...
متن کاملAte Pairing on Hyperelliptic Curves
In this paper we show that the Ate pairing, originally defined for elliptic curves, generalises to hyperelliptic curves and in fact to arbitrary algebraic curves. It has the following surprising properties: The loop length in Miller’s algorithm can be up to g times shorter than for the Tate pairing, with g the genus of the curve, and the pairing is automatically reduced, i.e. no final exponenti...
متن کاملAdequate Elliptic Curves for Computing the Product of n Pairings
Many pairing-based protocols require the computation of the product and/or of a quotient of n pairings where n > 1 is a natural integer. Zhang et al.[1] recently showed that the Kachisa-Schafer and Scott family of elliptic curves with embedding degree 16 denoted KSS16 at the 192-bit security level is suitable for such protocols comparatively to the BarettoLynn and Scott family of elliptic curve...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
دوره شماره
صفحات -
تاریخ انتشار 2007