[Resource Topic] 2024/1195: Efficient Implementation of Super-optimal Pairings on Curves with Small Prime Fields at the 192-bit Security Level

Welcome to the resource topic for 2024/1195

Title:
Efficient Implementation of Super-optimal Pairings on Curves with Small Prime Fields at the 192-bit Security Level

Authors: Jianming Lin, Chang-An Zhao, Yuhao Zheng

Abstract:

For many pairing-based cryptographic protocols such as Direct Anonymous Attestation (DAA) schemes, the arithmetic on the first pairing subgroup $\mathbb{G}_1$ is more fundamental. Such operations heavily depend on the sizes of prime fields. At the 192-bit security level, Gasnier and Guillevic presented a curve named GG22D7-457 with CM-discriminant $D = 7$ and embedding degree $k = 22$. Compared to other well-known pairing-friendly curves at the same security level, the curve GG22D7-457 has smaller prime field size and $\rho$-value, which benefits from the fast operations on $\mathbb{G}_1$. However, the pairing computation on GG22D7-457 is not efficient.
In this paper, we investigate how to derive higher performance for the pairing computation on GG22D7-457. We first propose novel formulas of the super-optimal pairing on this curve by utilizing a 2-isogeny as GLV-endomorphism. Besides, this tool can be generalized to more generic families of pairing-friendly curves with $n$-isogenies as endomorphisms. In our paper, we provide the explicit formulas for the super-optimal pairings exploiting 2, 3-isogenies. Finally, we make a concrete computational cost analysis and implement the pairing computations on curve GG22D7-457 using our approaches. In terms of Miller function evaluation, employing the techniques in this paper obtains a saving of 24.44% in $\mathbb{F}_p$-multiplications compared to the optimal ate pairing. As for the running time, the experimental results illustrate that the Miller loop on GG22D7-457 by utilizing our methods is 26.0% faster than the state-of-the-art. Additionally, the performance of the super-optimal pairing on GG22D7-457 is competitive compared to the well-known pairing-friendly curves at the 192-bit security level. These results show that GG22D7-457 becomes an attractive candidate for the pairing-based protocols. Furthermore, our techniques have the potential to enhance the applications of super-optimal pairings on more pairing-friendly curves.

ePrint: https://eprint.iacr.org/2024/1195

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.