Abstract
Tate pairing computation consists of two steps. The first, the Miller loop, is an exponentiation in the group of points of an elliptic curve. The second, the final exponentiation, is an exponentiation in the multiplicative group of a large finite field extension. In this paper, we describe and improve efficient methods for computing the hardest part of this second step for the most popular curves in pairing-based cryptography, namely Barreto–Naehrig curves. We present the methods given in the literature together with their complexities. However, the memory resources they require are not always given, although memory is an important constraint for practical implementations in restricted environments. We therefore determine the memory resources required by these known methods and present new variants which require less memory (up to 37 %). Moreover, some of these new variants also yield algorithms that are more efficient than the original ones.
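The abstract refers to the "hardest part" of the final exponentiation without spelling out what that exponent is. The following Python script is an added illustration, not code from the paper or its authors: it builds the Barreto–Naehrig parameters p(x), r(x), t(x) from a seed x, splits the Tate final exponent (p^12 − 1)/r into its easy part (p^6 − 1)(p^2 + 1) and hard part (p^4 − p^2 + 1)/r, and checks the base-p decomposition of the hard part into small polynomials in x given by Scott, Benger, Charlemagne, Perez and Kachisa (Pairing 2009). The seeds used (1, 2 and the 254-bit seed −(2^62 + 2^55 + 1) used by several BN implementations) are sample inputs chosen here; only integer arithmetic on exponents is shown, not the F_{p^12} arithmetic itself.

```python
# Added example (not from the paper): the exponent structure behind the
# "hard part" of the BN final exponentiation, using plain Python integers.
# BN curves are parameterised by a seed x (Barreto-Naehrig, SAC 2005):
#   p(x) = 36x^4 + 36x^3 + 24x^2 + 6x + 1   (field characteristic)
#   r(x) = 36x^4 + 36x^3 + 18x^2 + 6x + 1   (prime group order)
#   t(x) = 6x^2 + 1                          (Frobenius trace)

def bn_params(x: int) -> tuple:
    """Return (p, r, t) for seed x. Primality of p and r is NOT checked here;
    a real implementation must pick x so that both are prime."""
    p = 36 * x**4 + 36 * x**3 + 24 * x**2 + 6 * x + 1
    r = 36 * x**4 + 36 * x**3 + 18 * x**2 + 6 * x + 1
    t = 6 * x**2 + 1
    assert r == p + 1 - t  # #E(F_p) = p + 1 - t = r (prime order curve)
    return p, r, t


def final_exponent_parts(x: int) -> tuple:
    """Split (p^12 - 1)/r into the easy part (p^6 - 1)(p^2 + 1), which costs
    only Frobenius maps, one inversion and a few multiplications, and the
    hard part (p^4 - p^2 + 1)/r, the expensive exponentiation that the
    paper's memory-saving variants target."""
    p, r, _ = bn_params(x)
    easy = (p**6 - 1) * (p**2 + 1)
    cyclotomic = p**4 - p**2 + 1          # 12th cyclotomic polynomial at p
    assert cyclotomic % r == 0            # r always divides it for BN curves
    hard = cyclotomic // r
    assert easy * hard == (p**12 - 1) // r
    return easy, hard


def hard_part_base_p_digits(x: int) -> list:
    """Coefficients lambda_0..lambda_3 with
        hard = lambda_3*p^3 + lambda_2*p^2 + lambda_1*p + lambda_0,
    as in Scott et al. (Pairing 2009). Each lambda_i is a small polynomial
    in x, so an implementation raises to the power x only a few times and
    then applies (cheap) Frobenius maps instead of one ~3*log2(p)-bit power."""
    lam0 = -36 * x**3 - 30 * x**2 - 18 * x - 2
    lam1 = -36 * x**3 - 18 * x**2 - 12 * x + 1
    lam2 = 6 * x**2 + 1
    lam3 = 1
    return [lam0, lam1, lam2, lam3]


def check_decomposition(x: int) -> bool:
    """True if the base-p digits really reassemble the hard exponent."""
    p, _, _ = bn_params(x)
    _, hard = final_exponent_parts(x)
    digits = hard_part_base_p_digits(x)
    return sum(d * p**i for i, d in enumerate(digits)) == hard


def exponent_sizes(x: int) -> tuple:
    """Bit length of the raw hard exponent versus the total bit length of
    the lambda_i digits: the gap is the work the decomposition removes."""
    _, hard = final_exponent_parts(x)
    digits = hard_part_base_p_digits(x)
    return hard.bit_length(), sum(abs(d).bit_length() for d in digits)


if __name__ == "__main__":
    # Sample seeds (constructed here): two tiny ones and a 254-bit BN seed.
    for seed in (1, 2, -(2**62) - 2**55 - 1):
        p, r, t = bn_params(seed)
        raw_bits, digit_bits = exponent_sizes(seed)
        print(f"x={seed}: p is {p.bit_length()} bits, r is {r.bit_length()} bits, "
              f"hard exponent {raw_bits} bits vs {digit_bits} bits of lambda digits, "
              f"decomposition ok: {check_decomposition(seed)}")
```

For the tiny seed x = 1 the script gives p = 103, r = 97 and a hard exponent of 1160209, which equals p^3 + 7p^2 − 65p − 86 as the decomposition predicts; for the 254-bit seed the raw hard exponent is roughly three times the size of p while the four λ_i together are only a few hundred bits, which is the saving that every algorithm in this line of work builds on. The memory question the paper studies is how many F_{p^12} temporaries an addition-chain evaluation of these λ_i needs, which this integer-only script does not model.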
Funding source: Association Nationale de la Recherche et de la Technologie
Award Identifier / Grant number: ANR-12-BS01-0010-01 “PEACE”
Funding source: Association Nationale de la Recherche et de la Technologie
Award Identifier / Grant number: ANR-12-INSE-0014 “SIMPATIC”
Funding source: Association Nationale de la Recherche et de la Technologie
Award Identifier / Grant number: ANR-11-LABX-0020-01 “Centre Henri Lebesgue”
Funding statement: This work was supported in part by French projects ANR-12-BS01-0010-01 “PEACE”, ANR-12-INSE-0014 “SIMPATIC”, ANR-11-LABX-0020-01 “Centre Henri Lebesgue” and by the LIRIMA MACISA project.
The authors thank John Boxall for helpful discussions and comments on this paper.
© 2016 by De Gruyter
Articles in the same Issue
- Frontmatter
- A class of hash functions based on the algebraic eraser™
- Generic case complexity of the Graph Isomorphism Problem
- Thompson's group F is 1-counter graph automatic
- The automorphism group of a finitely generated virtually abelian group
- Factoring multi-power RSA moduli with primes sharing least or most significant bits
- Faster Ate pairing computation on Selmer's model of elliptic curves
- A PTIME solution to the restricted conjugacy problem in generalized Heisenberg groups
- Memory-saving computation of the pairing final exponentiation on BN curves