Results 1-10 of 14
Faster explicit formulas for computing pairings over ordinary curves. 2010. Available at http://eprint.iacr.org/2010/526
Cited by 23 (6 self)
Abstract. We describe efficient formulas for computing pairings on ordinary elliptic curves over prime fields. First, we generalize lazy reduction techniques, previously considered only for arithmetic in quadratic extensions, to the whole pairing computation, including towering and curve arithmetic. Second, we introduce a new compressed squaring formula for cyclotomic subgroups and a new technique to avoid performing an inversion in the final exponentiation when the curve is parameterized by a negative integer. The techniques are illustrated in the context of pairing computation over Barreto-Naehrig curves, where they have a particularly efficient realization, and also combined with other important developments in the recent literature. The resulting formulas reduce the number of required operations and, consequently, execution time, improving on the state-of-the-art performance of cryptographic pairings by 27%-33% on several popular 64-bit computing platforms. In particular, our techniques allow a pairing to be computed in under 2 million cycles for the first time on such architectures. Key words: Efficient software implementation, explicit formulas, bilinear pairings.
High-speed software implementation of the optimal ate pairing over Barreto–Naehrig curves
In Pairing-Based Cryptography – Pairing 2010. Lecture Notes in Computer Science, 2010
Cited by 15 (2 self)
Abstract. This paper describes the design of a fast software library for the computation of the optimal ate pairing on a Barreto–Naehrig elliptic curve. Our library is able to compute the optimal ate pairing over a 254-bit prime field Fp in just 2.33 million clock cycles on a single core of an Intel Core i7 2.8GHz processor, which implies that the pairing computation takes 0.832 msec. We are able to achieve this performance by a careful implementation of the base field arithmetic through the usage of the customary Montgomery multiplier for prime fields. The prime field is constructed via the Barreto–Naehrig polynomial parametrization of the prime p given as $p = 36t^4 + 36t^3 + 24t^2 + 6t + 1$, with $t = 2^{62} - 2^{54} + 2^{44}$. This selection of t allows us to obtain important savings for both the Miller loop as well as the final exponentiation steps of the optimal ate pairing. Keywords: Tate pairing, optimal pairing, Barreto–Naehrig curve, ordinary curve, finite field arithmetic, bilinear pairing software implementation.
Pinocchio: Nearly practical verifiable computation
In Proceedings of the IEEE Symposium on Security and Privacy, 2013
Cited by 15 (2 self)
To instill greater confidence in computations outsourced to the cloud, clients should be able to verify the correctness of the results returned. To this end, we introduce Pinocchio, a built system for efficiently verifying general computations while relying only on cryptographic assumptions. With Pinocchio, the client creates a public evaluation key to describe her computation; this setup is proportional to evaluating the computation once. The worker then evaluates the computation on a particular input and uses the evaluation key to produce a proof of correctness. The proof is only 288 bytes, regardless of the computation performed or the size of the inputs and outputs. Anyone can use a public verification key to check the proof. Crucially, our evaluation on seven applications demonstrates that Pinocchio is efficient in practice too. Pinocchio's verification time is typically 10 ms: 5-7 orders of magnitude less than previous work; indeed Pinocchio is the first general-purpose system to demonstrate verification cheaper than native execution (for some apps). Pinocchio also reduces the worker's proof effort by an additional 19-60×. As an additional feature, Pinocchio generalizes to zero-knowledge proofs at a negligible cost over the base protocol. Finally, to aid development, Pinocchio provides an end-to-end toolchain that compiles a subset of C into programs that implement the verifiable computation protocol.
High-speed high-security signatures
Cited by 10 (4 self)
Abstract. This paper shows that a $390 mass-market quad-core 2.4GHz Intel Westmere (Xeon E5620) CPU can create 109000 signatures per second and verify 71000 signatures per second on an elliptic curve at a 2^128 security level. Public keys are 32 bytes, and signatures are 64 bytes. These performance figures include strong defenses against software side-channel attacks: there is no data flow from secret keys to array indices, and there is no data flow from secret keys to branch conditions.
An Analysis of Affine Coordinates for Pairing Computation
Cited by 5 (2 self)
Abstract. In this paper we analyze the use of affine coordinates for pairing computation. We observe that in many practical settings, for example when implementing optimal ate pairings in high security levels, affine coordinates are faster than using the best currently known formulas for projective coordinates. This observation relies on two known techniques for speeding up field inversions which we analyze in the context of pairing computation. We give detailed performance numbers for a pairing implementation based on these ideas, including timings for base field and extension field arithmetic with relative ratios for inversion-to-multiplication costs, timings for pairings in both affine and projective coordinates, and average timings for multiple pairings and products of pairings. Keywords: Pairing computation, Miller's algorithm, affine coordinates, optimal ate pairing, finite field inversions, pairing cost, multiple pairings, pairing products.
Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves, 2010
Cited by 5 (1 self)
Abstract. This article presents a novel optimal pairing over supersingular genus-2 binary hyperelliptic curves. Starting from Vercauteren's work on optimal pairings, we describe how to exploit the action of the $2^{3m}$-th power Verschiebung in order to further reduce the loop length of Miller's algorithm compared to the genus-2 $\eta_T$ approach. As a proof of concept, we detail an optimized software implementation and an FPGA accelerator for computing the proposed optimal Eta pairing on a genus-2 hyperelliptic curve over $\mathbb{F}_{2^{367}}$, which satisfies the recommended security level of 128 bits.
Affine Pairings on ARM
Cited by 2 (0 self)
Abstract. We report on relative performance numbers for affine and projective pairings on a dual-core Cortex-A9 ARM processor. Using a fast inversion in the base field and doing inversion in extension fields by using the norm map to reduce to inversions in smaller fields, we find a very low ratio of inversion-to-multiplication costs. In our implementation, this favors using affine coordinates, even for the current 128-bit minimum security level specified by NIST. We use Barreto-Naehrig (BN) curves and report on the performance of an optimal ate pairing for curves covering security levels between 128 and 192 bits. We compare with other reported performance numbers for pairing computation on ARM CPUs.
A FPGA pairing implementation using the Residue Number System
Cited by 1 (0 self)
Abstract. Recently, a lot of progress has been made in software implementations of pairings at the 128-bit security level in large characteristic. In this work, we obtain analogous progress for hardware implementations. For this, we use the RNS representation of numbers, which is especially well suited for pairing computation in a hardware context. An FPGA implementation is proposed, based on an adaptation of Guillermin's architecture, which computes a pairing in 1.07 ms. It is 2 times faster than all previous hardware implementations (including ASIC and small characteristic implementations) and almost as fast as the best software implementations.
Efficient Verification of Web-Content Searching Through Authenticated Web Crawlers
We consider the problem of verifying the correctness and completeness of the result of a keyword search. We introduce the concept of an authenticated web crawler and present its design and prototype implementation. An authenticated web crawler is a trusted program that computes a specially-crafted signature over the web contents it visits. This signature enables (i) the verification of common Internet queries
Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves
Abstract. We provide software implementation timings for pairings over composite-order and prime-order elliptic curves. Composite orders must be large enough to be infeasible to factor. In the literature they are moduli of 2 up to 5 large prime numbers. There exist size recommendations for two-prime RSA moduli, and we extend the results of Lenstra concerning RSA modulus sizes to multi-prime moduli, for various security levels. We then implement a Tate pairing over a composite-order supersingular curve and an optimal ate pairing over a prime-order Barreto-Naehrig curve, both at the 128-bit security level. We use our implementation timings to deduce the total cost of the homomorphic encryption scheme of Boneh, Goh and Nissim and its translation by Freeman in the prime-order setting. We also compare the efficiency of the unbounded Hierarchical Identity Based Encryption protocol of Lewko and Waters and its translation by Lewko in the prime-order setting. Our results strengthen the previously observed inefficiency of composite-order bilinear groups and advocate the use of prime-order groups whenever possible in protocol design.