Fangguo Zhang
Sun Yat-sen University
Publication
Featured research published by Fangguo Zhang.
International Journal of Information Security | 2008
Changan Zhao; Fangguo Zhang; Jiwu Huang
The Ate pairing has been suggested since it can be computed efficiently on ordinary elliptic curves with small values of the traces of Frobenius t. However, not all pairing-friendly elliptic curves have this property. In this paper, we generalize the Ate pairing and find a series of the variations of the Ate pairing. We show that the shortest Miller loop of the variations of the Ate pairing can possibly be as small as r^(1/φ(k)) on some special pairing-friendly curves with large values of Frobenius trace, and hence speed up the pairing computation significantly.
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences | 2008
Xibin Lin; Changan Zhao; Fangguo Zhang; Yanming Wang
For AES 128 security level there are several natural choices for pairing-friendly elliptic curves. In particular, as we will explain, one might choose curves with k = 9 or curves with k = 12. The case k = 9 has not been studied in the literature, and so it is not clear how efficiently pairings can be computed in that case. In this paper, we present efficient methods for the k = 9 case, including generation of elliptic curves with the shorter Miller loop, the denominator elimination and speed up of the final exponentiation. Then we compare the performance of these choices. From the analysis, we conclude that for pairing-based cryptography at the AES 128 security level, the Barreto-Naehrig curves are the most efficient choice, and the performance of the case k = 9 is comparable to the Barreto-Naehrig curves.
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences | 2008
Changan Zhao; Fangguo Zhang; Jiwu Huang
In this paper, we suggest that all pairings are in a group from an abstract angle. Based on the results, some new pairings with the short Miller loop are constructed for great efficiency. It is possible that our observation can be applied to other aspects of pairing-based cryptosystems.
Science in China Series F: Information Sciences | 2008
Chang’an Zhao; Fangguo Zhang; Jiwu Huang
Pairing-based cryptosystems have developed very fast in the last few years. The efficiencies of these cryptosystems depend on the computation of the bilinear pairings. In this paper, a new efficient algorithm based on double-base chains for computing the Tate pairing is proposed for odd characteristic p > 3. The inherent sparseness of double-base number system reduces the computational cost for computing the Tate pairing evidently. The new algorithm is 9% faster than the previous fastest method for the embedding degree k = 6.
Science in China Series F: Information Sciences | 2010
Fangguo Zhang
In this paper we show that the twisted Ate pairing on elliptic curves can be generalized to hyperelliptic curves, and give a series of variations of the hyperelliptic Ate and twisted Ate pairings. Using the hyperelliptic Ate pairing and twisted Ate pairing, we propose a new approach to speeding up the Weil pairing computation. For some hyperelliptic curves with high degree twist, computing Weil pairing by our approach may be faster than Tate pairing, Ate pairing, and all other known pairings.
Science in China Series F: Information Sciences | 2014
Bo Zhang; Fangguo Zhang
In this paper, we study the system of linear equation problems in the two-party computation setting. Consider that P1 holds an m × m matrix M1 and an m-dimensional column vector B1. Similarly, P2 holds M2 and B2. Via executing a secure linear system computation, P1 gets the output x (or ⊥) conditioned on (M1 + M2)x = (B1 + B2), and the rank of matrix M1 + M2, while P2 gets nothing. This also can be used to settle other cooperative linear system problems. We first design an efficient protocol to solve this problem in the presence of malicious adversaries, then propose a simple way to modify our protocol for having a precise functionality, in which the rank of matrix M1 + M2 is not necessary. We note that our protocol is more practical than these existing malicious secure protocols. We also give comparisons with other protocols and extensions to similar functions.
IACR Cryptology ePrint Archive | 2007
Changan Zhao; Fangguo Zhang; Jiwu Huang
IACR Cryptology ePrint Archive | 2006
Changan Zhao; Fangguo Zhang; Jiwu Huang
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences | 2012
Yusong Du; Fangguo Zhang
IACR Cryptology ePrint Archive | 2008
Changan Zhao; Fangguo Zhang; Jiwu Huang