Improving the computation of the optimal ate pairing for a high security level

Barreto, Lynn and Scott elliptic curves of embedding degree 12, denoted BLS12, have been shown to give the fastest pairing implementations at high security levels (Barbulescu and Duquesne in Updating key size estimations for pairings, 2017. http://eprint.iacr.org/2017/334). In particular, BLS12 curves may presently be preferable to the well-known BN curves for the 128-bit security level (Duquesne and Ghammam in Groups Complex Cryptol 8(1):75–90, 2016). The computation of a pairing generally involves executing the Miller algorithm followed by the final exponentiation. In this paper, we propose new parameters that allow us to reduce the number of operations in the Miller loop and in the final exponentiation for BLS12, and we extend the study to BLS24 curves. This improvement is up to 8% of multiplications in the finite field $\mathbb{F}_p$. Furthermore, as pairings can be implemented on memory-constrained devices such as SIM or smart cards (Duquesne and Ghammam in Groups Complex Cryptol 8(1):75–90, 2016), we describe an algorithm for the computation of the final exponentiation which is more efficient and less memory intensive, with an improvement of up to 25% in memory. Our new algorithm can be useful for implementations in a restricted environment.

[1] Patrick Longa et al. Faster Explicit Formulas for Computing Pairings over Ordinary Curves, 2011, EUROCRYPT.

[2] Michael Scott et al. On the Final Exponentiation for Calculating Pairings on Ordinary Elliptic Curves, 2009, Pairing.

[3] Craig Costello et al. Attractive Subfamilies of BLS Curves for Implementing High-Security Pairings, 2011, INDOCRYPT.

[4] Paulo S. L. M. Barreto et al. Constructing Elliptic Curves with Prescribed Embedding Degrees, 2002, SCN.

[5] Paulo S. L. M. Barreto et al. Pairing-Friendly Elliptic Curves of Prime Order, 2005, Selected Areas in Cryptography.

[6] Razvan Barbulescu et al. Updating Key Size Estimations for Pairings, 2018, Journal of Cryptology.

[7] Jinhyuck Jeong et al. Extended Tower Number Field Sieve with Application to Finite Fields of Arbitrary Composite Extension Degree, 2016, Public Key Cryptography.

[8] Paulo S. L. M. Barreto et al. A family of implementation-friendly BN elliptic curves, 2011, J. Syst. Softw.

[9] Michael Scott et al. Constructing Brezing-Weng Pairing-Friendly Elliptic Curves Using Elements in the Cyclotomic Field, 2008, Pairing.

[10] Frederik Vercauteren et al. Optimal Pairings, 2010, IEEE Transactions on Information Theory.

[11] Francisco Rodríguez-Henríquez et al. Implementing Pairings at the 192-bit Security Level, 2012, IACR Cryptol. ePrint Arch.

[12] Koray Karabina. Squaring in cyclotomic subgroups, 2013, Math. Comput.

[13] Sylvain Duquesne et al. Memory-saving computation of the pairing final exponentiation on BN curves, 2015, Groups Complex. Cryptol.

[14] Arjen K. Lenstra et al. Efficient Subgroup Exponentiation in Quadratic and Sixth Degree Extensions, 2002, CHES.

[15] Victor S. Miller et al. The Weil Pairing, and Its Efficient Calculation, 2004, Journal of Cryptology.

[16] Razvan Barbulescu et al. Extended Tower Number Field Sieve: A New Complexity for the Medium Prime Case, 2016, CRYPTO.

[17] Alfred Menezes et al. Challenges with Assessing the Impact of NFS Advances on the Security of Pairing-Based Cryptography, 2016, Mycrypt.