Computing bilinear pairings on elliptic curves with automorphisms

Designs Codes and Cryptography (Impact Factor: 0.96). 01/2011; 58(1):35-44. DOI: 10.1007/s10623-010-9383-y
Source: DBLP


In this paper, we present a novel method for constructing a super-optimal pairing with great efficiency, which we call the
omega pairing. The computation of the omega pairing requires the simple final exponentiation and short loop length in Miller’s
algorithm which leads to a significant improvement over the previously known techniques on certain pairing-friendly curves.
Experimental results show that the omega pairing is about 22% faster and 19% faster than the super-optimal pairing proposed
by Scott at security level of AES 80 bits on certain pairing-friendly curves in affine coordinate systems and projective coordinate
systems, respectively.

KeywordsElliptic curves–Automorphism–Pairing based cryptography–Weil pairing

Download full-text


Available from: Fangguo Zhang, Apr 01, 2014
  • Source
    • "Note that we need 2 log r ⎢ ⎥ ⎣ ⎦ basic Miller iterations to compute f r, P (Q). Recall the pairings by q-expansion from [10], [12], [13], [16]. Let π q be the Frobenius endomorphism: "
    [Show abstract] [Hide abstract]
    ABSTRACT: The preexisting pairings ate, , R-ate, and optimal-ate use q-expansion, where q is the size of the defining field for the elliptic curves. Elliptic curves with small embedding degrees only allow a few of these pairings. In such cases, efficiently computable endomorphisms can be used, as in [11] and [12]. They used the endomorphisms that have characteristic polynomials with very small coefficients, which led to some restrictions in finding various pairing-friendly curves. To construct more pairing-friendly curves, we consider -expansion using the Gallant-Lambert-Vanstone (GLV) decomposition method, where is an arbitrary integer. We illustrate some pairing-friendly curves that provide more efficient pairing from the -expansion than from the ate pairing. The proposed method can achieve timing results at least 20% faster than the ate pairing.
    Etri Journal 10/2013; 35(5). DOI:10.4218/etrij.13.0112.0756 · 0.77 Impact Factor
  • Source
    • "For the implementation of our signature scheme we also need a point P with order n and an efficiently computable pairing e n such that e n (P, P ) is a primitive n-th root of 1. The Weil pairing does not fulfill this requirement and also, in many instances, the Tate pairing; the same happens for the eta, ate or omega pairings [1] [10] [22]. Let ǫ n be one of the previous pairings on E[n]. "
    [Show abstract] [Hide abstract]
    ABSTRACT: In this paper we propose a signature scheme based on two intractable problems, namely the integer factorization problem and the discrete logarithm problem for elliptic curves. It is suitable for applications requiring long-term security and provides a more efficient solution than the existing ones.
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: 2 DGA sorina.ionica, Abstract. Scott uses an eciently computable isomorphism in order to optimize pairing computation on a particular class of curves with embed- ding degree 2. He points out that pairing implementation becomes thus faster on these curves than on their supersingular equivalent, originally recommended by Boneh and Franklin for Identity Based Encryption. We extend Scott's method to other classes of curves with small embedding degree and eciently computable endomorphism.
Show more