Twisted Ate Research Articles

Improving side-channel attacks against pairing-based cryptography

Although the vulnerability of pairing-based algorithms to side-channel attacks has been demonstrated—pairing implementations were targeted on three different devices in a recent paper [41]—it nevertheless remains difficult to choose an adapted leakage model and detect points of interest. Our proposed approach evaluates the parameters of the attack and validates the data processing workflow. We describe weaknesses in the implementation of cryptographic pairings, and we show how information leakage can be fully exploited. Different leakage models, point-of-interest detection methods, and parameter dependencies are compared. In addition, practical results were obtained with a software implementation of twisted Ate pairing on Barreto–Naehrig curves with an ARM Cortex-M3 processor running at 50 MHz. We discuss countermeasures aimed at reducing side-channel leakage and review the available literature.

Efficient Pairing Computation on Twisted Weierstrass Curves

In this paper, we construct the twists of twisted Edwards curves in Weierstrass form. Then we define a new twisted Ate pairing on twisted Weierstrass curves named the Tx-Ate pairing. Following Miller's algorithm, we give a computation of the Tx-Ate pairing on high degree twisted Weierstrass curves, where the point operations are over Edwards form, and the computation of Miller function is over Weierstrass form. Although, in one doubling loop, our method to compute the Tx-Ate pairing is a litter slower than the previously fastest method. By twists, the Tx-Ate pairing can be calculated on more twisted Weierstrass curves with short loop length. The TxAte pairing is even competitive with optimal Ate pairing when they have the same short loop length.

An Improvement of Twisted Ate Pairing Efficient for Multi-Pairing and Thread Computing

In the case of Barreto-Naehrig pairing-friendly curves of embedding degree 12 of order r, recent efficient Ate pairings such as R-ate, optimal, and Xate pairings achieve Miller loop lengths of (1/4)⌊log2r⌋. On the other hand, the twisted Ate pairing requires (3/4)⌊log2r⌋ loop iterations, and thus is usually slower than the recent efficient Ate pairings. This paper proposes an improved twisted Ate pairing using Frobenius maps and a small scalar multiplication. The proposed idea splits the Miller's algorithm calculation into several independent parts, for which multi-pairing techniques apply efficiently. The maximum number of loop iterations in Miller's algorithm for the proposed twisted Ate pairing is equal to the (1/4)⌊log2r⌋ attained by the most efficient Ate pairings.

Two Improvements of Twisted Ate Pairing with Barreto-Naehrig Curve by Dividing Miller's Algorithm

This paper shows two improvements of twisted-Ate pairing with Barreto-Naehrig curve so as to be efficiently carried out by dividing the calculation loops of Miller's algorithm based on divisor theorem. Then, this paper shows some experimental results from which it is shown that each improvements accelerate twisted-Ate pairing.

Twisted Ate pairing on hyperelliptic curves and applications

In this paper we show that the twisted Ate pairing on elliptic curves can be generalized to hyperelliptic curves, and give a series of variations of the hyperelliptic Ate and twisted Ate pairings. Using the hyperelliptic Ate pairing and twisted Ate pairing, we propose a new approach to speeding up the Weil pairing computation. For some hyperelliptic curves with high degree twist, computing Weil pairing by our approach may be faster than Tate pairing, Ate pairing, and all other known pairings.

Optimised Versions of the Ate and Twisted Ate Pairings

We observe a natural generalisation of the ate and twisted ate pairings, which allow for performance improvements in non standard applications of pairings to cryptography like composite group orders. We also give a performance comparison of our pairings and the Tate, ate and twisted ate pairings for certain polynomial families based on operation count estimations and on an implementation, showing that our pairings can achieve a speedup of a factor of up to two over the other pairings.

Integer Variable .CHI.-Based Cross Twisted Ate Pairing and Its Optimization for Barreto-Naehrig Curve

It is said that the lower bound of the number of iterations of Miller's algorithm for pairing calculation is log2 r/φ(k), where φ(·) is the Euler's function, r is the group order, and k is the embedding degree. Ate pairing reduced the number of the loops of Miller's algorithm of Tate pairing from ⌊log2 r⌋ to ⌊ log2(t-1)⌋, where t is the Frobenius trace. Recently, it is known to systematically prepare a pairing-friendly elliptic curve whose parameters are given by a polynomial of integer variable “χ.” For such a curve, this paper gives integer variable χ-based Ate (Xate) pairing that achieves the lower bound. In the case of the well-known Barreto-Naehrig pairing-friendly curve, it reduces the number of loops to ⌊log2χ⌋. Then, this paper optimizes Xate pairing for Barreto-Naehrig curve and shows its efficiency based on some simulation results.