Paper 2024/1195

Efficient Implementation of Super-optimal Pairings on Curves with Small Prime Fields at the 192-bit Security Level

Jianming Lin, Sun Yat-sen University
Chang-An Zhao, Sun Yat-sen University
Yuhao Zheng, Sun Yat-sen University
Abstract

For many pairing-based cryptographic protocols such as Direct Anonymous Attestation (DAA) schemes, the arithmetic on the first pairing subgroup $\mathbb{G}_1$ is more fundamental. Such operations heavily depend on the sizes of prime fields. At the 192-bit security level, Gasnier and Guillevic presented a curve named GG22D7-457 with CM-discriminant $D = 7$ and embedding degree $k = 22$. Compared to other well-known pairing-friendly curves at the same security level, the curve GG22D7-457 has a smaller prime field size and $\rho$-value, and therefore benefits from fast operations on $\mathbb{G}_1$. However, the pairing computation on GG22D7-457 is not efficient. In this paper, we investigate how to achieve higher performance for the pairing computation on GG22D7-457. We first propose novel formulas for the super-optimal pairing on this curve by utilizing a $2$-isogeny as a GLV-endomorphism. Moreover, this tool can be generalized to more generic families of pairing-friendly curves with $n$-isogenies as endomorphisms. In our paper, we provide explicit formulas for the super-optimal pairings exploiting $2$- and $3$-isogenies. Finally, we make a concrete computational cost analysis and implement the pairing computations on curve GG22D7-457 using our approaches. In terms of Miller function evaluation, employing the techniques in this paper obtains a saving of $24.44\%$ in $\mathbb{F}_p$-multiplications compared to the optimal ate pairing. As for the running time, the experimental results illustrate that the Miller loop on GG22D7-457 using our methods is $26.0\%$ faster than the state-of-the-art. Additionally, the performance of the super-optimal pairing on GG22D7-457 is competitive compared to the well-known pairing-friendly curves at the 192-bit security level. These results show that GG22D7-457 becomes an attractive candidate for pairing-based protocols.
Furthermore, our techniques have the potential to enhance the applications of super-optimal pairings on more pairing-friendly curves.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Preprint.
Keywords
Pairing-friendly curves, optimal pairing, super-optimal pairing, isogeny, DAA schemes
Contact author(s)
linjm28 @ mail2 sysu edu cn
zhaochan3 @ mail sysu edu cn
zhengyh57 @ mail2 sysu edu cn
History
2024-07-25: approved
2024-07-24: received
Short URL
https://ia.cr/2024/1195
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1195,
      author = {Jianming Lin and Chang-An Zhao and Yuhao Zheng},
      title = {Efficient Implementation of Super-optimal Pairings on Curves with Small Prime Fields at the 192-bit Security Level},
      howpublished = {Cryptology ePrint Archive, Paper 2024/1195},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/1195}},
      url = {https://eprint.iacr.org/2024/1195}
}