High-Speed Software Implementation of the Optimal Ate Pairing over Barreto–Naehrig Curves

  • Jean-Luc Beuchat
  • Jorge E. González-Díaz
  • Shigeo Mitsunari
  • Eiji Okamoto
  • Francisco Rodríguez-Henríquez
  • Tadanori Teruya
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6487)


This paper describes the design of a fast software library for the computation of the optimal ate pairing on a Barreto–Naehrig elliptic curve. Our library is able to compute the optimal ate pairing over a 254-bit prime field \(\mathbb{F}_{p}\) in just 2.33 million clock cycles on a single core of an Intel Core i7 2.8 GHz processor, which implies that the pairing computation takes 0.832 msec. We achieve this performance through a careful implementation of the base field arithmetic using the customary Montgomery multiplier for prime fields. The prime field is constructed via the Barreto–Naehrig polynomial parametrization of the prime p, given as \(p = 36t^{4} + 36t^{3} + 24t^{2} + 6t + 1\), with \(t = 2^{62} - 2^{54} + 2^{44}\). This selection of t yields important savings in both the Miller loop and the final exponentiation steps of the optimal ate pairing.
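The following added example (not code from the paper or its library) derives the curve parameters from the t in the abstract and checks the properties an implementer would verify before trusting them: size and primality of p and the group order r, the embedding degree, and the sparsity of the Miller loop parameter. The group-order polynomial r(t) and the loop parameter 6t + 2 are standard facts about Barreto–Naehrig curves and the optimal ate pairing that the abstract does not state; all function names are illustrative.

```python
# Added example (not from the paper): check the BN parameters in the abstract.
T = 2**62 - 2**54 + 2**44  # t as given in the abstract

def bn_params(t):
    """Field prime p (formula from the abstract) and group order r (standard BN polynomial)."""
    p = 36*t**4 + 36*t**3 + 24*t**2 + 6*t + 1
    r = 36*t**4 + 36*t**3 + 18*t**2 + 6*t + 1  # equals p + 1 - (6t^2 + 1)
    return p, r

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin over fixed bases: a strong probabilistic check, not a proof."""
    if n < 2:
        return False
    for q in bases:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True

def naf(n):
    """Non-adjacent form of n > 0: digits in {-1, 0, 1}, least significant first."""
    digits = []
    while n:
        d = 2 - (n % 4) if n & 1 else 0  # +1 if n = 1 mod 4, -1 if n = 3 mod 4
        digits.append(d)
        n = (n - d) >> 1
    return digits

def embedding_degree(p, r, limit=24):
    """Smallest k <= limit with r | p^k - 1, else None."""
    return next((k for k in range(1, limit + 1) if pow(p, k, r) == 1), None)

def hamming_weights(n):
    """(binary weight, NAF weight): additions needed by a plain vs signed-digit loop."""
    return bin(n).count("1"), sum(1 for d in naf(n) if d)

if __name__ == "__main__":
    p, r = bn_params(T)
    print("bits:", p.bit_length(), r.bit_length(), "k =", embedding_degree(p, r))
    print("6t+2 weights (binary, NAF):", hamming_weights(6*T + 2))
```

The low signed-digit weight of 6t + 2 means few addition steps in the Miller loop, and the embedding degree fixes the size of the extension field in which the discrete logarithm must remain hard.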


Keywords: Tate pairing, optimal pairing, Barreto–Naehrig curve, ordinary curve, finite field arithmetic, bilinear pairing, software implementation





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Jean-Luc Beuchat (1)
  • Jorge E. González-Díaz (2)
  • Shigeo Mitsunari (3)
  • Eiji Okamoto (1)
  • Francisco Rodríguez-Henríquez (2)
  • Tadanori Teruya (1)
  1. Graduate School of Systems and Information Engineering, University of Tsukuba, Tsukuba, Japan
  2. Computer Science Department, Centro de Investigación y de Estudios Avanzados del IPN, México City, México
  3. Akasaka Twin Tower East 15F, Cybozu Labs, Inc., Minato-ku
