Memory-saving computation of the pairing final exponentiation on BN curves

Abstract

Tate pairing computation is made of two steps. The first one, the Miller loop, is an exponentiation in the group of points of an elliptic curve. The second one, the final exponentiation, is an exponentiation in the multiplicative group of a large finite field extension. In this paper, we describe and improve efficient methods for computing the hardest part of this second step for the most popular curves in pairing-based cryptography, namely Barreto–Naehrig curves. We present the methods given in the literature and their complexities. However, the necessary memory resources are not always given whereas it is an important constraint in restricted environments for practical implementations. Therefore, we determine the memory resources required by these known methods and we present new variants which require less memory resources (up to 37 %). Moreover, some of these new variants are providing algorithms which are also more efficient than the original ones.


Keywords: BN curves, Tate pairing, final exponentiation, memory resources, addition chain

MSC: 11G07, 14G50, 14Q20, 94A60

1 Introduction

The most significant complexity parameter of a pairing-friendly elliptic curve is its embedding degree k. It is defined as the smallest integer such that r | p k - , where r is the prime order of a large group of points of an elliptic curve E and p is the base field characteristic. The embedding degree changes from one curve to another and it is usually chosen in pairing based cryptography in the form k = i j with i , j (see [10]). In this paper we are interested in pairings on Barreto–Naehrig curves defined over p for which k = .

Tate pairing and its derivatives have two steps. After computing the Miller loop, we must carry out an extra step to ensure a unique result for the pairing. This second step is called the final exponentiation, where k the Miller loop result f must be raised to the power p r- . Thanks to the variants of pairings which decrease the length of the Miller loop, the...
Publisher: de Gruyter
Copyright: Copyright © 2016 by the
ISSN: 1867-1144
eISSN: 1869-6104
DOI: 10.1515/gcc-2016-0006


Journal: Groups Complexity Cryptology (de Gruyter)

Published: May 1, 2016
