Efficient optimal ate pairing at 128-bit security level

Md Al Amin Khandaker; Yuki Nanjo; Loubna Ghammam; Sylvain Duquesne; Yasuyuki Nogami; Yuta Kodera

doi:10.1007/978-3-319-71667-1_10

Efficient optimal ate pairing at 128-bit security level

Md Al Amin Khandaker, Yuki Nanjo, Loubna Ghammam, Sylvain Duquesne, Yasuyuki Nogami, Yuta Kodera

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

10 Citations (Scopus)

Abstract

Following the emergence of Kim and Barbulescu’s new number field sieve (exTNFS) algorithm at CRYPTO’16 [21] for solving discrete logarithm problem (DLP) over the finite field; pairing-based cryptography researchers are intrigued to find new parameters that confirm standard security levels against exTNFS. Recently, Barbulescu and Duquesne have suggested new parameters [3] for well-studied pairing-friendly curves i.e., Barreto-Naehrig (BN) [5], Barreto-Lynn-Scott (BLS-12) [4] and Kachisa-Schaefer-Scott (KSS-16) [19] curves at 128-bit security level (twist and sub-group attack secure). They have also concluded that in the context of Optimal-Ate pairing with their suggested parameters, BLS-12 and KSS-16 curves are more efficient choices than BN curves. Therefore, this paper selects the atypical and less studied pairing-friendly curve in literature, i.e., KSS-16 which offers quartic twist, while BN and BLS-12 curves have sextic twist. In this paper, the authors optimize Miller’s algorithm of Optimal-Ate pairing for the KSS-16 curve by deriving efficient sparse multiplication and implement them. Furthermore, this paper concentrates on the Miller’s algorithm to experimentally verify Barbulescu et al.’s estimation. The result shows that Miller’s algorithm time with the derived pseudo 8-sparse multiplication is most efficient for KSS-16 than other two curves. Therefore, this paper defends Barbulescu and Duquesne’s conclusion for 128-bit security.

Original language	English
Title of host publication	Progress in Cryptology – INDOCRYPT 2017 - 18th International Conference on Cryptology in India, Proceedings
Editors	Arpita Patra, Nigel P. Smart
Publisher	Springer Verlag
Pages	186-205
Number of pages	20
ISBN (Print)	9783319716664
DOIs	https://doi.org/10.1007/978-3-319-71667-1_10
Publication status	Published - 2017
Event	18th International Conference on Cryptology in India, INDOCRYPT 2017 - Chennai, India Duration: Dec 10 2017 → Dec 13 2017

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	10698 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	18th International Conference on Cryptology in India, INDOCRYPT 2017
Country/Territory	India
City	Chennai
Period	12/10/17 → 12/13/17

Keywords

KSS-16 curve
Optimal-Ate pairing
Sparse multiplication

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-319-71667-1_10

Cite this

Khandaker, M. A. A., Nanjo, Y., Ghammam, L., Duquesne, S., Nogami, Y., & Kodera, Y. (2017). Efficient optimal ate pairing at 128-bit security level. In A. Patra, & N. P. Smart (Eds.), Progress in Cryptology – INDOCRYPT 2017 - 18th International Conference on Cryptology in India, Proceedings (pp. 186-205). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10698 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-71667-1_10

Efficient optimal ate pairing at 128-bit security level. / Khandaker, Md Al Amin; Nanjo, Yuki; Ghammam, Loubna; Duquesne, Sylvain; Nogami, Yasuyuki ; Kodera, Yuta.

Progress in Cryptology – INDOCRYPT 2017 - 18th International Conference on Cryptology in India, Proceedings. ed. / Arpita Patra; Nigel P. Smart. Springer Verlag, 2017. p. 186-205 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10698 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Khandaker, MAA, Nanjo, Y, Ghammam, L, Duquesne, S, Nogami, Y & Kodera, Y 2017, Efficient optimal ate pairing at 128-bit security level. in A Patra & NP Smart (eds), Progress in Cryptology – INDOCRYPT 2017 - 18th International Conference on Cryptology in India, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10698 LNCS, Springer Verlag, pp. 186-205, 18th International Conference on Cryptology in India, INDOCRYPT 2017, Chennai, India, 12/10/17. https://doi.org/10.1007/978-3-319-71667-1_10

Khandaker MAA, Nanjo Y, Ghammam L, Duquesne S, Nogami Y , Kodera Y. Efficient optimal ate pairing at 128-bit security level. In Patra A, Smart NP, editors, Progress in Cryptology – INDOCRYPT 2017 - 18th International Conference on Cryptology in India, Proceedings. Springer Verlag. 2017. p. 186-205. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-319-71667-1_10

Khandaker, Md Al Amin ; Nanjo, Yuki ; Ghammam, Loubna ; Duquesne, Sylvain ; Nogami, Yasuyuki ; Kodera, Yuta. / Efficient optimal ate pairing at 128-bit security level. Progress in Cryptology – INDOCRYPT 2017 - 18th International Conference on Cryptology in India, Proceedings. editor / Arpita Patra ; Nigel P. Smart. Springer Verlag, 2017. pp. 186-205 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{9e4b6720f04a46fda37dad959f7c5491,

title = "Efficient optimal ate pairing at 128-bit security level",

abstract = "Following the emergence of Kim and Barbulescu{\textquoteright}s new number field sieve (exTNFS) algorithm at CRYPTO{\textquoteright}16 [21] for solving discrete logarithm problem (DLP) over the finite field; pairing-based cryptography researchers are intrigued to find new parameters that confirm standard security levels against exTNFS. Recently, Barbulescu and Duquesne have suggested new parameters [3] for well-studied pairing-friendly curves i.e., Barreto-Naehrig (BN) [5], Barreto-Lynn-Scott (BLS-12) [4] and Kachisa-Schaefer-Scott (KSS-16) [19] curves at 128-bit security level (twist and sub-group attack secure). They have also concluded that in the context of Optimal-Ate pairing with their suggested parameters, BLS-12 and KSS-16 curves are more efficient choices than BN curves. Therefore, this paper selects the atypical and less studied pairing-friendly curve in literature, i.e., KSS-16 which offers quartic twist, while BN and BLS-12 curves have sextic twist. In this paper, the authors optimize Miller{\textquoteright}s algorithm of Optimal-Ate pairing for the KSS-16 curve by deriving efficient sparse multiplication and implement them. Furthermore, this paper concentrates on the Miller{\textquoteright}s algorithm to experimentally verify Barbulescu et al.{\textquoteright}s estimation. The result shows that Miller{\textquoteright}s algorithm time with the derived pseudo 8-sparse multiplication is most efficient for KSS-16 than other two curves. Therefore, this paper defends Barbulescu and Duquesne{\textquoteright}s conclusion for 128-bit security.",

keywords = "KSS-16 curve, Optimal-Ate pairing, Sparse multiplication",

author = "Khandaker, {Md Al Amin} and Yuki Nanjo and Loubna Ghammam and Sylvain Duquesne and Yasuyuki Nogami and Yuta Kodera",

note = "Funding Information: Acknowledgments. This work was partially supported by the Strategic Information and Communications R&D Promotion Programme (SCOPE) of Ministry of Internal Affairs and Communications, Japan and The French projects ANR-16-CE39-0012 “SafeTLS” and ANR-11-LABX-0020-01 “Centre Henri Lebesgue”. Publisher Copyright: {\textcopyright} Springer International Publishing AG 2017.; 18th International Conference on Cryptology in India, INDOCRYPT 2017 ; Conference date: 10-12-2017 Through 13-12-2017",

year = "2017",

doi = "10.1007/978-3-319-71667-1_10",

language = "English",

isbn = "9783319716664",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "186--205",

editor = "Arpita Patra and Smart, {Nigel P.}",

booktitle = "Progress in Cryptology – INDOCRYPT 2017 - 18th International Conference on Cryptology in India, Proceedings",

}

TY - GEN

T1 - Efficient optimal ate pairing at 128-bit security level

AU - Khandaker, Md Al Amin

AU - Nanjo, Yuki

AU - Ghammam, Loubna

AU - Duquesne, Sylvain

AU - Nogami, Yasuyuki

AU - Kodera, Yuta

N1 - Funding Information: Acknowledgments. This work was partially supported by the Strategic Information and Communications R&D Promotion Programme (SCOPE) of Ministry of Internal Affairs and Communications, Japan and The French projects ANR-16-CE39-0012 “SafeTLS” and ANR-11-LABX-0020-01 “Centre Henri Lebesgue”. Publisher Copyright: © Springer International Publishing AG 2017.

PY - 2017

Y1 - 2017

N2 - Following the emergence of Kim and Barbulescu’s new number field sieve (exTNFS) algorithm at CRYPTO’16 [21] for solving discrete logarithm problem (DLP) over the finite field; pairing-based cryptography researchers are intrigued to find new parameters that confirm standard security levels against exTNFS. Recently, Barbulescu and Duquesne have suggested new parameters [3] for well-studied pairing-friendly curves i.e., Barreto-Naehrig (BN) [5], Barreto-Lynn-Scott (BLS-12) [4] and Kachisa-Schaefer-Scott (KSS-16) [19] curves at 128-bit security level (twist and sub-group attack secure). They have also concluded that in the context of Optimal-Ate pairing with their suggested parameters, BLS-12 and KSS-16 curves are more efficient choices than BN curves. Therefore, this paper selects the atypical and less studied pairing-friendly curve in literature, i.e., KSS-16 which offers quartic twist, while BN and BLS-12 curves have sextic twist. In this paper, the authors optimize Miller’s algorithm of Optimal-Ate pairing for the KSS-16 curve by deriving efficient sparse multiplication and implement them. Furthermore, this paper concentrates on the Miller’s algorithm to experimentally verify Barbulescu et al.’s estimation. The result shows that Miller’s algorithm time with the derived pseudo 8-sparse multiplication is most efficient for KSS-16 than other two curves. Therefore, this paper defends Barbulescu and Duquesne’s conclusion for 128-bit security.

AB - Following the emergence of Kim and Barbulescu’s new number field sieve (exTNFS) algorithm at CRYPTO’16 [21] for solving discrete logarithm problem (DLP) over the finite field; pairing-based cryptography researchers are intrigued to find new parameters that confirm standard security levels against exTNFS. Recently, Barbulescu and Duquesne have suggested new parameters [3] for well-studied pairing-friendly curves i.e., Barreto-Naehrig (BN) [5], Barreto-Lynn-Scott (BLS-12) [4] and Kachisa-Schaefer-Scott (KSS-16) [19] curves at 128-bit security level (twist and sub-group attack secure). They have also concluded that in the context of Optimal-Ate pairing with their suggested parameters, BLS-12 and KSS-16 curves are more efficient choices than BN curves. Therefore, this paper selects the atypical and less studied pairing-friendly curve in literature, i.e., KSS-16 which offers quartic twist, while BN and BLS-12 curves have sextic twist. In this paper, the authors optimize Miller’s algorithm of Optimal-Ate pairing for the KSS-16 curve by deriving efficient sparse multiplication and implement them. Furthermore, this paper concentrates on the Miller’s algorithm to experimentally verify Barbulescu et al.’s estimation. The result shows that Miller’s algorithm time with the derived pseudo 8-sparse multiplication is most efficient for KSS-16 than other two curves. Therefore, this paper defends Barbulescu and Duquesne’s conclusion for 128-bit security.

KW - KSS-16 curve

KW - Optimal-Ate pairing

KW - Sparse multiplication

UR - http://www.scopus.com/inward/record.url?scp=85037848576&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85037848576&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-71667-1_10

DO - 10.1007/978-3-319-71667-1_10

M3 - Conference contribution

AN - SCOPUS:85037848576

SN - 9783319716664

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 186

EP - 205

BT - Progress in Cryptology – INDOCRYPT 2017 - 18th International Conference on Cryptology in India, Proceedings

A2 - Patra, Arpita

A2 - Smart, Nigel P.

PB - Springer Verlag

T2 - 18th International Conference on Cryptology in India, INDOCRYPT 2017

Y2 - 10 December 2017 through 13 December 2017

ER -

Efficient optimal ate pairing at 128-bit security level

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this