Paper 2005/252

Faster Pairings using an Elliptic Curve with an Efficient Endomorphism

Michael Scott

Abstract

The most significant pairing-based cryptographic protocol to be proposed so far is undoubtedly the Identity-Based Encryption (IBE) protocol of Boneh and Franklin. In their paper \cite{boneh-franklin} they give details of how their scheme might be implemented in practice on certain supersingular elliptic curves of prime characteristic. They also point out that the scheme could as easily be implemented on certain special non-supersingular curves for the same level of security. An obvious question to be answered is -- which is most efficient? Motivated by the work of Gallant, Lambert and Vanstone \cite{gallant-lambert-vanstone} we demonstrate that, perhaps counter to intuition, certain ordinary curves closely related to the supersingular curves originally recommended by Boneh and Franklin provide better performance. We illustrate our technique by implementing the fastest pairing algorithm to date (on elliptic curves of prime characteristic) for contemporary levels of security. We also point out that many of the non-supersingular families of curves recently discovered and proposed for use in pairing-based cryptography can also benefit (to an extent) from the same technique.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Published elsewhere. Unknown where it was published
Keywords
Tate pairing implementation, pairing-based cryptosystems
Contact author(s)
mike @ computing dcu ie
History
2005-08-02: received
Short URL
https://ia.cr/2005/252
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2005/252,
      author = {Michael Scott},
      title = {Faster Pairings using an Elliptic Curve with an Efficient Endomorphism},
      howpublished = {Cryptology ePrint Archive, Paper 2005/252},
      year = {2005},
      note = {\url{https://eprint.iacr.org/2005/252}},
      url = {https://eprint.iacr.org/2005/252}
}