Even faster calculation of pairings on ARM processors

There's an interesting paper ("Efficient Implementation of Bilinear Pairings on ARM Procesors") on the IACR's eprint preprint server that talks about a new record for calculating pairings. Here's the paper's abstract:

As hardware capabilities increase, low-power devices such as smartphones represent a natural environment for the efficient implementation of cryptographic pairings. Few works in the literature have considered such platforms despite their growing importance in a post-PC world. In this paper, we investigate the efficient computation of the Optimal-Ate pairing over Barreto-Naehrig curves in software at different security levels on ARM processors. We exploit state-of-the-art techniques and propose new optimizations to speed up the computation in the tower field and curve arithmetic. In particular, we extend the concept of lazy reduction to inversion in extension fields, analyze an efficient alternative for the sparse multiplication used inside the Miller's algorithm and reduce further the cost of point/line evaluation formulas in affine and projective homogeneous coordinates. In addition, we study the efficiency of using M-type sextic twists in the pairing computation and carry out a detailed comparison between affine and projective coordinate systems. Our implementations on various mass-market smartphones and tablets significantly improve the state-of-the-art of pairing computation on ARM-powered devices, outperforming by at least a factor of 3.7 the best previous results in the literature.

That certainly sounds interesting, but I'd find it even more interesting is this paper had performance results at the security levels that are commonly used in the real world. Instead, it only talks about fields with sizes from 254 to 638 bits, while 2,048 bits are really what's required by essentially all relevent regulatory environments today. Many academics seem fairly out of touch with that particular aspect of the commercial cryptography market, but it's one that they should probably embrace if they want to make their work sound more relevant. 

  • Conrado

    These are the sizes of the base fields. With embedding degree 12, they correspond to 128-256 bits of security…


  • Diego F. Aranha

    As Conrado already pointed out, the paper targets standardized security levels used in practice (128 and 192 bits). I cannot see how this can be “out of touch” with the market.


  • David Jao

    Luther, I am one of the paper authors. You’re confusing symmetric and asymmetric key sizes. 2048-bit RSA is comparable to 256-bit ECC and 128-bit AES in security. Patrick Longa (another author) is currently employed at Microsoft, and this work is largely funded by Research In Motion. We are by no means out of touch with the commercial sector.


Leave a Reply

Your email address will not be published. Required fields are marked *