TY - GEN

T1 - Efficient algorithm for Tate pairing of composite order

AU - Kiyomura, Yutaro

AU - Takagi, Tsuyoshi

PY - 2013

Y1 - 2013

N2 - A lot of important cryptographic schemes such as fully secure leakage-resilient encryption and keyword searchable encryption are based on pairings of composite order. Miller's algorithm is used to compute pairings, and the time taken to compute the pairings depends on the cost of calculating the Miller loop. As a way of speeding up calculations of the pairings of prime order, the number of iterations of the Miller loop can be reduced by choosing a prime order of low Hamming weight. However, it is difficult to choose a particular composite order that can speed up the pairings of composite order. Kobayashi et al. proposed an efficient algorithm for computing Miller's algorithm by using a window method, called Window Miller's algorithm. We can compute scalar multiplication of points on elliptic curves by using a window hybrid binary-ternary form (w-HBTF). In this paper, we propose a Miller's algorithm that uses w-HBTF to compute Tate pairing efficiently. This algorithm needs a precomputation of the points on an elliptic curve and rational functions. The proposed algorithm was implemented in Java on a PC and compared with Window Miller's Algorithm in terms of the time and memory needed to make their precomputed tables. We used the supersingular elliptic curve y^2 = x^3 + x of embedding degree 2 and a composite order of size of 2048 bits. The proposed algorithm with w = 6 = 2·3 was about 12% faster than Window Miller's Algorithm with w = 2 given smallest precomputed tables of the same memory size. Moreover, the proposed algorithm with w = 162 = 2·3^4 was about 8.5% faster than Window Miller's algorithm with w = 7 on each fastest algorithm.

AB - A lot of important cryptographic schemes such as fully secure leakage-resilient encryption and keyword searchable encryption are based on pairings of composite order. Miller's algorithm is used to compute pairings, and the time taken to compute the pairings depends on the cost of calculating the Miller loop. As a way of speeding up calculations of the pairings of prime order, the number of iterations of the Miller loop can be reduced by choosing a prime order of low Hamming weight. However, it is difficult to choose a particular composite order that can speed up the pairings of composite order. Kobayashi et al. proposed an efficient algorithm for computing Miller's algorithm by using a window method, called Window Miller's algorithm. We can compute scalar multiplication of points on elliptic curves by using a window hybrid binary-ternary form (w-HBTF). In this paper, we propose a Miller's algorithm that uses w-HBTF to compute Tate pairing efficiently. This algorithm needs a precomputation of the points on an elliptic curve and rational functions. The proposed algorithm was implemented in Java on a PC and compared with Window Miller's Algorithm in terms of the time and memory needed to make their precomputed tables. We used the supersingular elliptic curve y^2 = x^3 + x of embedding degree 2 and a composite order of size of 2048 bits. The proposed algorithm with w = 6 = 2·3 was about 12% faster than Window Miller's Algorithm with w = 2 given smallest precomputed tables of the same memory size. Moreover, the proposed algorithm with w = 162 = 2·3^4 was about 8.5% faster than Window Miller's algorithm with w = 7 on each fastest algorithm.

UR - http://www.scopus.com/inward/record.url?scp=84891917179&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84891917179&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-41383-4_13

DO - 10.1007/978-3-642-41383-4_13

M3 - Conference contribution

AN - SCOPUS:84891917179

SN - 9783642413827

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 201

EP - 216

BT - Advances in Information and Computer Security - 8th International Workshop on Security, IWSEC 2013, Proceedings

T2 - 8th International Workshop on Security, IWSEC 2013

Y2 - 18 November 2013 through 20 November 2013

ER -