Computing the Ate Pairing on Elliptic Curves with Embedding Degree k = 9

For AES 128 security level there are several natural choices for pairing-friendly elliptic curves. In particular, as we will explain, one might choose curves with k = 9 or curves with k = 12. The case k = 9 has not been studied in the literature, and so it is not clear how efficiently pairings can be computed in that case. In this paper, we present efficient methods for the k = 9 case, including generation of elliptic curves with the shorter Miller loop, the denominator elimination and speed up of the final exponentiation. Then we compare the performance of these choices. From the analysis, we conclude that for pairing-based cryptography at the AES 128 security level, the Barreto-Naehrig curves are the most efficient choice, and the performance of the case k = 9 is comparable to the Barreto-Naehrig curves.

[1]  Paulo S. L. M. Barreto,et al.  Efficient pairing computation on supersingular Abelian varieties , 2007, IACR Cryptol. ePrint Arch..

[2]  Eiji Okamoto,et al.  Optimised Versions of the Ate and Twisted Ate Pairings , 2007, IMACC.

[3]  Shi Cui,et al.  Special polynomial families for generating more suitable pairing-friendly elliptic curves , 2006 .

[4]  Iwan M. Duursma,et al.  Tate Pairing Implementation for Hyperelliptic Curves y2 = xp-x + d , 2003, ASIACRYPT.

[5]  A. Atkin,et al.  ELLIPTIC CURVES AND PRIMALITY PROVING , 1993 .

[6]  Michael Scott,et al.  A Taxonomy of Pairing-Friendly Elliptic Curves , 2010, Journal of Cryptology.

[7]  David Mandell Freeman,et al.  Constructing Pairing-Friendly Elliptic Curves with Embedding Degree 10 , 2006, ANTS.

[8]  Arjen K. Lenstra,et al.  Unbelievable Security. Matching AES Security Using Public Key Systems , 2001, ASIACRYPT.

[9]  Annegret Weng,et al.  Elliptic Curves Suitable for Pairing Based Cryptography , 2005, Des. Codes Cryptogr..

[10]  Paulo S. L. M. Barreto,et al.  On the Selection of Pairing-Friendly Groups , 2003, Selected Areas in Cryptography.

[11]  Alfred Menezes,et al.  Pairing-Based Cryptography at High Security Levels , 2005, IMACC.

[12]  Shi Cui,et al.  Special Polynomial Families for Generating More Suitable Elliptic Curves for Pairing-Based Cryptosystems , 2005, IACR Cryptol. ePrint Arch..

[13]  K. Conrad,et al.  Finite Fields , 2018, Series and Products in the Development of Mathematics.

[14]  Paulo S. L. M. Barreto,et al.  Efficient Algorithms for Pairing-Based Cryptosystems , 2002, CRYPTO.

[15]  Alfred Menezes,et al.  Guide to Elliptic Curve Cryptography , 2004, Springer Professional Computing.

[16]  Paulo S. L. M. Barreto,et al.  Constructing Elliptic Curves with Prescribed Embedding Degrees , 2002, SCN.

[17]  Frederik Vercauteren,et al.  The Eta Pairing Revisited , 2006, IEEE Transactions on Information Theory.

[18]  A. Miyaji,et al.  New Explicit Conditions of Elliptic Curve Traces for FR-Reduction , 2001 .

[19]  Nigel P. Smart,et al.  High Security Pairing-Based Cryptography Revisited , 2006, ANTS.

[20]  Paulo S. L. M. Barreto,et al.  Pairing-Friendly Elliptic Curves of Prime Order , 2005, Selected Areas in Cryptography.

[21]  Rudolf Lide,et al.  Finite fields , 1983 .