Yuto Kawahara

Efficient Implementation of Tate Pairing on a Mobile Phone using Java

Pairing-based cryptosystems (PBC) have been attracted by researchers in cryptography. Some implementations show that PBC are relatively slower than the standard public key crypto systems. We present an efficient implementation for computing Tate pairing on a mobile phone using Java. We implemented the nT pairing (a recent efficient variation of Duursma-Lee algorithm) over some finite fields of characteristic 3 with extension degree m = {97,167,193, 239}. Our optimized implementation for m = 97 achieved about 0.5 seconds for computing Tate pairing over FOMA SH90US, NTT DoCoMo. Then our implementation of Tate pairing is compared in the same platform with other Java program of the standard cryptosystems, i.e., RSA cryptosystem and elliptic curve cryptosystem (ECC). The computation speed of Tate pairing is comparable to that of RSA or ECC on the same mobile device

Faster Implementation of η T Pairing over GF(3m) Using Minimum Number of Logical Instructions for GF(3)-Addition

The ηTpairing in characteristic threeis implemented by arithmetic in GF(3)={0,1,2}. Harrison et al.reported an efficient implementation of the GF(3)-addition by usingseven logical instructions (consisting of AND, OR, and XOR) withthe two-bit encoding { (0,0) →0, (0,1) →1, (1,0) → 2}. It has not yet been proven whether seven is the minimum numberof logical instructions for the GF(3)-addition. In this paper, weshow many implementations of the GF(3)-addition using only sixlogical instructions with different encodings such as { (1,1)→0, (0,1) →1, (1,0) →2 } or { (0,0) →0, (0,1)→1, (1,1) →2 }. We then prove that there is noimplementation of the GF(3)-addition using five logicalinstructions with any encoding of GF(3) by two bits. Moreover, weapply the new GF(3)-additions to an efficient softwareimplementation of the ηTpairing.The running time of the ηTpairing over GF(3509), that is considered to be realizedas 128-bit security, using the new GF(3)-addition with the encoding{ (0,0) →0, (0,1) →1, (1,1) →2 } is 16.3milliseconds on an AMD Opteron 2.2-GHz processor. This isapproximately 7% faster than the implementation using the previousGF(3)-addition with seven logical instructions.

Constructing Symmetric Pairings over Supersingular Elliptic Curves with Embedding Degree Three

In the present paper, we propose constructing symmetric pairings by applying the Ate pairing to supersingular elliptic curves over finite fields that have large characteristics with embedding degree three. We also propose an efficient algorithm of the Ate pairing on these curves. To construct the algorithm, we apply the denominator elimination technique and the signed-binary approach to the Millers algorithm, and improve the final exponentiation. We then show the efficiency of the proposed method through an experimental implementation.

Universal ηT pairing algorithm over arbitrary extension degree

The ηT pairing on supersingular is one of the most efficient algorithms for computing the bilinear pairing [3]. The ηT pairing defined over finite field F3n has embedding degree 6, so that it is particularly efficient for higher security with large extension degree n. Note that the explicit algorithm over F3n in [3] is designed just for n = 1 (mod 12), and it is relatively complicated to construct an explicit algorithm for n ≢ 1 (mod 12). It is better that we can select many ns to implement the ηT pairing, since n corresponds to security level of the ηT pairing. In this paper we construct an explicit algorithm for computing the ηT pairing with arbitrary extension degree n. However, the algorithm should contain many branch conditions depending on n and the curve parameters, that is undesirable for implementers of the ηT pairing. This paper then proposes the universal ηT pairing (ηT pairing), which satisfies the bilinearity of pairing (compatible with Tate pairing) without any branches in the program, and is as efficient as the original one. Therefore the proposed universal ηT pairing is suitable for the implementation of various extension degrees n with higher security.

Multi-cast Key Distribution: Scalable, Dynamic and Provably Secure Construction

In this paper, we propose a two-round dynamic multi-cast key distribution DMKD protocol under the star topology with a central authentication server. Users can share a common session key without revealing any information of the session key to the server, and can join/leave to/from the group at any time even after establishing the session key. Our protocol is scalable because communication and computation costs of each user are independent from the number of users. Also, our protocol is still secure if either private key or session-specific randomness of a user is exposed. Furthermore, time-based backward secrecy is guaranteed by renewing the session key for every time period even if the session key is exposed. We introduce the first formal security definition for DMKD under the star topology in order to capture such strong exposure resilience and time-based backward secrecy. We prove that our protocol is secure in our security model in the standard model.

Multi-cast key distribution: scalable, dynamic and provably secure construction

In this paper, we propose a two-round dynamic multi-cast key distribution (DMKD) protocol under the star topology with a central authentication server. Users can share a common session key without revealing any information of the session key to the server and can join/leave to/from the group at any time even after establishing the session key. Our protocol is scalable because communication and computation costs of each user are independent from the number of users. Also, our protocol is still secure if either private key or session-specific randomness of a user is exposed. Furthermore, time-based backward secrecy is guaranteed by renewing the session key for every time period even if the session key is exposed. We introduce the first formal security definition for DMKD under the star topology in order to capture such strong exposure resilience and time-based backward secrecy. We prove that our protocol is secure in our security model in the standard model.

Secure and Efficient Pairing at 256-Bit Security Level

At CRYPTO 2016, Kim and Barbulescu proposed an efficient number field sieve (NFS) algorithm for the discrete logarithm problem (DLP) in a finite field. The security of pairing-based cryptography (PBC) is based on the difficulty in solving the DLP. Hence, it has become necessary to revise the bitlength that the DLP is computationally infeasible against the efficient NFS algorithms. The timing of the main operations of PBC (i.e. pairing, scalar multiplication on the elliptic curves, and exponentiation on the finite field) generally becomes slower as the bitlength becomes longer, so it has become increasingly important to compute the main operations of PBC more efficiently. To choose a suitable pairing-friendly curve from among various pairing-friendly curves is one of the factors that affect the efficiency of computing the main operations of PBC. We should implement the main operations of PBC and compare the timing among some pairing-friendly curves in order to choose the suitable pairing-friendly curve precisely. In this paper, we focus on the five candidate pairing-friendly curves from the Barreto-Lynn-Scott (BLS) and Kachisa-Schaefer-Scott (KSS) families as the 256-bit secure pairing-friendly curves and show the following two results; (1) the revised bitlength that the DLP is computationally infeasible against the efficient NFS algorithms for each candidate pairing-friendly curve, (2) the suitable pairing-friendly curve by comparing the timing of the main operations of PBC among the candidate pairing-friendly curves using the revised bitlength.