Efficient algorithm for tate pairing of composite order

Yutaro Kiyomura, Tsuyoshi Takagi

Research output: Contribution to journalArticle

Abstract

Boneh et al. proposed the new idea of pairing-based cryptography by using the composite order group instead of prime order group. Recently, many cryptographic schemes using pairings of composite order group were proposed. Miller's algorithm is used to compute pairings, and the time of computing the pairings depends on the cost of calculating the Miller loop. As a method of speeding up calculations of the pairings of prime order, the number of iterations of the Miller loop can be reduced by choosing a prime order of low Hamming weight. However, it is difficult to choose a particular composite order that can speed up the pairings of composite order. Kobayashi et al. proposed an efficient algorithm for computing Miller's algorithm by using a window method, called Window Miller's algorithm. We can compute scalar multiplication of points on elliptic curves by using a window hybrid binary-ternary form (w-HBTF). In this paper, we propose a Miller's algorithm that uses w-HBTF to compute Tate pairing efficiently. This algorithm needs a precomputation both of the points on an elliptic curve and rational functions. The proposed algorithm was implemented in Java on a PC and compared with Window Miller's Algorithm in terms of the time and memory needed to make their precomputed tables. We used the supersingular elliptic curve y2 = x3 + x with embedding degree 2 and a composite order of size of 2048-bit. We denote w as window width. The proposed algorithm with w = 6 = 2 · 3 was about 12.9% faster than Window Miller's Algorithm with w = 2 although the memory size of these algorithms is the same. Moreover, the proposed algorithm with w = 162 = 2 · 34 was about 12.2% faster than Window Miller's algorithm with w = 7.

Original languageEnglish
Pages (from-to)2055-2063
Number of pages9
JournalIEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
VolumeE97A
Issue number10
DOIs
Publication statusPublished - Oct 1 2014

Fingerprint

Tate Pairing
Efficient Algorithms
Composite
Composite materials
Pairing
Elliptic Curves
Ternary
Pairing-based Cryptography
Binary
Hamming Weight
Scalar multiplication
Data storage equipment
Computing
Rational functions
Rational function
Java
Tables

All Science Journal Classification (ASJC) codes

  • Signal Processing
  • Computer Graphics and Computer-Aided Design
  • Applied Mathematics
  • Electrical and Electronic Engineering

Cite this

Efficient algorithm for tate pairing of composite order. / Kiyomura, Yutaro; Takagi, Tsuyoshi.

In: IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol. E97A, No. 10, 01.10.2014, p. 2055-2063.

Research output: Contribution to journalArticle

@article{03851c4aa802463dae25a07272f6b46d,
title = "Efficient algorithm for tate pairing of composite order",
abstract = "Boneh et al. proposed the new idea of pairing-based cryptography by using the composite order group instead of prime order group. Recently, many cryptographic schemes using pairings of composite order group were proposed. Miller's algorithm is used to compute pairings, and the time of computing the pairings depends on the cost of calculating the Miller loop. As a method of speeding up calculations of the pairings of prime order, the number of iterations of the Miller loop can be reduced by choosing a prime order of low Hamming weight. However, it is difficult to choose a particular composite order that can speed up the pairings of composite order. Kobayashi et al. proposed an efficient algorithm for computing Miller's algorithm by using a window method, called Window Miller's algorithm. We can compute scalar multiplication of points on elliptic curves by using a window hybrid binary-ternary form (w-HBTF). In this paper, we propose a Miller's algorithm that uses w-HBTF to compute Tate pairing efficiently. This algorithm needs a precomputation both of the points on an elliptic curve and rational functions. The proposed algorithm was implemented in Java on a PC and compared with Window Miller's Algorithm in terms of the time and memory needed to make their precomputed tables. We used the supersingular elliptic curve y2 = x3 + x with embedding degree 2 and a composite order of size of 2048-bit. We denote w as window width. The proposed algorithm with w = 6 = 2 · 3 was about 12.9{\%} faster than Window Miller's Algorithm with w = 2 although the memory size of these algorithms is the same. Moreover, the proposed algorithm with w = 162 = 2 · 34 was about 12.2{\%} faster than Window Miller's algorithm with w = 7.",
author = "Yutaro Kiyomura and Tsuyoshi Takagi",
year = "2014",
month = "10",
day = "1",
doi = "10.1587/transfun.E97.A.2055",
language = "English",
volume = "E97A",
pages = "2055--2063",
journal = "IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences",
issn = "0916-8508",
publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",
number = "10",

}

TY - JOUR

T1 - Efficient algorithm for tate pairing of composite order

AU - Kiyomura, Yutaro

AU - Takagi, Tsuyoshi

PY - 2014/10/1

Y1 - 2014/10/1

N2 - Boneh et al. proposed the new idea of pairing-based cryptography by using the composite order group instead of prime order group. Recently, many cryptographic schemes using pairings of composite order group were proposed. Miller's algorithm is used to compute pairings, and the time of computing the pairings depends on the cost of calculating the Miller loop. As a method of speeding up calculations of the pairings of prime order, the number of iterations of the Miller loop can be reduced by choosing a prime order of low Hamming weight. However, it is difficult to choose a particular composite order that can speed up the pairings of composite order. Kobayashi et al. proposed an efficient algorithm for computing Miller's algorithm by using a window method, called Window Miller's algorithm. We can compute scalar multiplication of points on elliptic curves by using a window hybrid binary-ternary form (w-HBTF). In this paper, we propose a Miller's algorithm that uses w-HBTF to compute Tate pairing efficiently. This algorithm needs a precomputation both of the points on an elliptic curve and rational functions. The proposed algorithm was implemented in Java on a PC and compared with Window Miller's Algorithm in terms of the time and memory needed to make their precomputed tables. We used the supersingular elliptic curve y2 = x3 + x with embedding degree 2 and a composite order of size of 2048-bit. We denote w as window width. The proposed algorithm with w = 6 = 2 · 3 was about 12.9% faster than Window Miller's Algorithm with w = 2 although the memory size of these algorithms is the same. Moreover, the proposed algorithm with w = 162 = 2 · 34 was about 12.2% faster than Window Miller's algorithm with w = 7.

AB - Boneh et al. proposed the new idea of pairing-based cryptography by using the composite order group instead of prime order group. Recently, many cryptographic schemes using pairings of composite order group were proposed. Miller's algorithm is used to compute pairings, and the time of computing the pairings depends on the cost of calculating the Miller loop. As a method of speeding up calculations of the pairings of prime order, the number of iterations of the Miller loop can be reduced by choosing a prime order of low Hamming weight. However, it is difficult to choose a particular composite order that can speed up the pairings of composite order. Kobayashi et al. proposed an efficient algorithm for computing Miller's algorithm by using a window method, called Window Miller's algorithm. We can compute scalar multiplication of points on elliptic curves by using a window hybrid binary-ternary form (w-HBTF). In this paper, we propose a Miller's algorithm that uses w-HBTF to compute Tate pairing efficiently. This algorithm needs a precomputation both of the points on an elliptic curve and rational functions. The proposed algorithm was implemented in Java on a PC and compared with Window Miller's Algorithm in terms of the time and memory needed to make their precomputed tables. We used the supersingular elliptic curve y2 = x3 + x with embedding degree 2 and a composite order of size of 2048-bit. We denote w as window width. The proposed algorithm with w = 6 = 2 · 3 was about 12.9% faster than Window Miller's Algorithm with w = 2 although the memory size of these algorithms is the same. Moreover, the proposed algorithm with w = 162 = 2 · 34 was about 12.2% faster than Window Miller's algorithm with w = 7.

UR - http://www.scopus.com/inward/record.url?scp=84924291057&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84924291057&partnerID=8YFLogxK

U2 - 10.1587/transfun.E97.A.2055

DO - 10.1587/transfun.E97.A.2055

M3 - Article

AN - SCOPUS:84924291057

VL - E97A

SP - 2055

EP - 2063

JO - IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences

JF - IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences

SN - 0916-8508

IS - 10

ER -