## DCLXVI: Pairing computation on AMD64 processors

In the paper New software speed records for cryptographic pairings we describe
an implementation of cryptographic pairings over a Barreto-Naehrig curve that sets new speed records for cryptographic
pairings on many amd64 processors. We put the software into the public domain.

To download and build the latest version of the software do the following:

tar xjvf dclxvi-20130329.tar.bz2

cd dclxvi-20130329/

make

This will produce 10 binaries: bilintest-check, bilintest-c, bilintest-as, speedtest-check, speedtest-c, and speedtest-as,
test_curvepoint_multiscalar-as, test_curvepoint_multiscalar-check, test_twistpoint_multiscalar-as, test_twistpoint_multiscalar-check.

The binaries ending on -check perform all arithmetic with included overflow check as described in the paper. The files ending on
-c are non-optimized implementations in C and the implementations ending on -as have all speed-critical functions implemented in
qhasm.

The bilintest binaries perform NTESTS bilinearity (and non-degeneracy) tests, the value NTESTS is defined in the Makefile.
The speedtest binaries measure the cycles counts of the most speed-critical functions.

Since version 20130329, DCLXVI also has faster (but not timing-attack protected!) functions for scalar multiplication
and multi-scalar multiplication on the curve and the twist. The test_curvepoint_multiscalar and test_twistpoint_multiscalar
binaries perform simple tests of this multi-scalar multiplication on curve and twist, respectively.

**Caution:** The software as described in the printed version of the paper
has a bug: The parameter *u=1966080* used to construct the curve we
use for the pairing does not generate a Barreto-Naehrig curve; the
order of the group *E(F _{p})* is not prime.
We thank Francisco Rodríguez- Henríquez and Jean-Luc Beuchat
for pointing out this bug.

The software from version 20100618 now uses a different curve generated with

*u=1868033*, the speed of this updated software is similar, actually even slightly faster.

For verification of the performance numbers the old version of the software is still available as dclxvi-notsecure.tar.bz2; do

**not**use this software for cryptographic purposes.

**Update:**
An even faster pairing implementation
has been presented by Jean-Luc Beuchat, Jorge Enrique González Díaz, Shigeo Mitsunari, Eiji Okamoto,
Francisco Rodríquez-Henríquez and Tadanori Teruya.

But our software is a bit (read: one bit) more secure.