Fast Software Implementations of Bilinear Pairings

Advancement in pairing-based protocols has had a major impact on the applicability of cryptography to the solution of more complex real-world problems. However, the computation of pairings in software still needs to be optimized for different platforms including emerging embedded systems and high-performance PCs. Few works in the literature have considered implementations of pairings on the former applications despite their growing importance in a post-PC world. In this paper, we investigate the efficient computation of the Optimal-Ate pairing over special class of pairing friendly Barreto-Naehrig curves in software at different security levels. We target both applications and perform our implementations on ARM-powered processors (with and without NEON instructions) and PC processors. We exploit state-of-the-art techniques and propose new optimizations to speed up the computation in the different levels including tower field and curve arithmetic. In particular, we extend the concept of lazy reduction to inversion in extension fields, analyze an efficient alternative for the sparse multiplication used inside the Miller's algorithm and reduce further the cost of point/line evaluation formulas in affine and projective homogeneous coordinates. In addition, we study the efficiency of using M-type and D-type sextic twists in the pairing computation and carry out a detailed comparison between affine, Jacobian, and homogeneous coordinate systems. Our implementations on various mass-market emerging embedded devices significantly improve the state-of-the-art of pairing computation on ARM-powered devices and x86-64 PC platforms. For ARM implementations we achieved considerably faster computations in comparison to the counterparts.