Acceleration of Inner-Pairing Product Operation for Secure Biometric Verification ^†

Abstract

With the recent advances in mobile technologies, biometric verification is being adopted in many smart devices as a means for authenticating their owners. As biometric data leakage may cause stringent privacy issues, many proposals have been offered to guarantee the security of stored biometric data, i.e., biometric template. One of the most promising solutions is the use of a remote server that stores the template in an encrypted form and performs a biometric comparison on the ciphertext domain, using recently proposed functional encryption (FE) techniques. However, the drawback of this approach is that considerable computation is required for the inner-pairing product operation used for the decryption procedure of the underlying FE, which is performed in the authentication phase. In this paper, we propose an enhanced method to accelerate the inner-pairing product computation and apply it to expedite the decryption operation of FE and for faster remote biometric verification. The following two important observations are the basis for our improvement—one of the two arguments for the decryption operation does not frequently change over authentication sessions, and we only need to evaluate the product of multiple pairings, rather than individual pairings. From the results of our experiments, the proposed method reduces the time required to compute an inner-pairing product by 30.7%, compared to the previous best method. With this improvement, the time required for biometric verification is expected to decrease by up to 10.0%, compared to a naive method.

1. Introduction

Biometric recognition is the automated recognition of individuals based on their biological and behavioral characteristics. Biometric recognition has two types [1]: biometric identification and biometric verification. Biometric identification is a process that searches against a biometric enrolment database to find and return the biometric reference identifier(s) attributable to a single user. Conversely, biometric verification is a process that confirms a biometric claim through biometric comparison. In a biometric verification system, a user can make a biometric claim to a biometric characteristic examiner. When a user claims that he or she is the source of a specified biometric reference, the examiner may verify this claim by performing a biometric comparison. With the recent advances in mobile technologies, biometric verification is being adopted in many smart devices as a tool for authenticating their owners. This technique is used not only to unlock devices but also permit users to run security-critical applications, such as financial services [2].

For biometric verification, the biometric data of a user should be stored first during biometric enrolment. The stored biometric data are referred to as a biometric reference, and they are stored using a data structure called a biometric template [1]. However, biometric characteristics are unique and unchangeable; this implies that leakage of these characteristics may cause more critical privacy issues than the compromise of existing passwords and personal identification numbers (PINs). Furthermore, users’ biometric templates are often compromised, especially for mobile devices [3]. Therefore, a biometric verification method that ensures the security of the biometric template must be developed [4,5].

Several proposals are available in the literature to secure biometric templates without additional hardware support such as ARM Trust Zone [6] and Apple Secure Enclave [7]. First, there are methods to convert biometric data using noninvertible transforms, such as cancelable biometrics [8,9] and fuzzy commitment [10]. However, these methods have a problem of decreasing recognition accuracy owing to the conversion process. In addition, there are many cases where one-way transformations are analyzed and inverted successfully [11,12,13].

There are also biometric key generation techniques for biometric template protection [14,15,16]. Using these methods, a unique and high-entropy key can be generated from the user’s biometric input on the fly. These methods have a very desirable property that the user’s biometric template does not need to be stored in the device. However, to achieve both goals of providing a sufficient level of recognition rate and effectively generating biometric keys, these methods require additional tools. For example, the electrocardiogram-based biometric key generation method in [14] requires for helper data to be stored. According to [16], the use of helper data is not desirable. The electroencephalography (EEG)-based method in [15] requires high-bandwidth data with more than 60 channels. It was pointed out in [17] that in most commercially available EEG devices, less than 20 channels are provided. The fingerprint-based biometric key generation method in [16] requires an additional device such as a smart card. On the contrary, if a remote server is available, storing the biometric template on the remote server outside the device is another option for biometric verification without the need for additional tools or performance degradation [18,19,20,21]. In these methods, the server functions as a secure repository. This approach is also suitable when a user wants to be granted access to a particular remote service using an authentication server (e.g., online banking). However, this approach can raise another privacy issue because the remote server can learn the user’s biometric characteristics. In other words, an honest-but-curious server may try to recover the user’s biometric features using the user’s stored template. In addition, attackers who intrude into the server may obtain the biometric features of the legitimate user. These features may be used to impersonate the legitimate user in another system [19,20,21]. Therefore, an encryption scheme that encrypts biometric data and makes the server examine the similarity in encrypted data is necessary for a privacy-preserving biometric verification.

Meanwhile, functional encryption (FE) is an encryption scheme in which possessing a secret key allows one to obtain only the result of $f\left(x\right)$ from a ciphertext $E\left(x\right)$, but not learn any information about the data x, where the secret key is related to the function f and the ciphertext $E\left(x\right)$ is the encryption of data x. Hence, FE is considered a suitable scheme for constructing a privacy-preserving biometric verification system [22,23,24]. As FE requires considerable computation, extensive research has been conducted to make FE more practical, particularly when the evaluated function is an inner product of a plaintext vector x with a vector y encoded in the function f [25,26,27,28,29]. Kim et al. proposed a practical inner product FE scheme with a function-hiding property, which implies that not only x but also y remain hidden [22]. They also provided a reference code implemented in Python and evaluated the required durations for main operations, such as key generation, encryption, and decryption. According to their measurement, the dominant operations took up to several seconds on a desktop PC, and this indicates that FE may guarantee a practical level of performance. Kim et al.’s scheme is very suitable as a base scheme for a privacy-preserving biometric verification system, but its decryption operation requires an inner-pairing product operation [22], which is its most time-consuming part. An inner-pairing product is the product of multiple pairings, and its inputs are two vectors comprising points on a certain elliptic curve [30]. There are several optimization techniques for the inner-pairing product [31,32,33,34]. Scott suggested to share underlying operations for multiple pairings [31] and the validity of this approach was verified in [32,33]. Costello et al. proposed to apply precomputation to accelerate pairing operations [34].

In this paper, we propose an improved method for accelerating inner-pairing product computation by combining the shared computation techniques and precomputation. The experimental results indicate that the proposed method reduces the time required to compute an inner-pairing product by up to 30.7%. To cope with the situation where the memory is not sufficient to store all the precomputed data, we also propose an adaptive method that can adjust the number of elements to be precomputed and stored. According to our analysis, the performance of the proposed method can be fine-tuned adaptively according to the storage capacity. Furthermore, we demonstrate that the proposed method is suitable for application to a remote biometric verification system using FE, where one of the two inputs to the inner-pairing product operation is not frequently changed. Using the proposed method, we can assume that the performance of biometric verification will be enhanced by 9.0–10.0%.

1.1. Related Works

In 2005, Scott proposed three ideas to optimize the inner-pairing product computation for Tate pairing by sharing the common operations among the pairings [31]. In 2006, Granger et al. showed that Scott’s method can also be applied to the inner-pairing product for Ate pairing [32]. In 2015, Zavattoni et al. proposed an optimized method to compute the products of optimal Ate pairings on the BN curve [33]. Meanwhile, in 2010, Costello et al. proposed a precomputation method to accelerate pairing computation when one argument of the pairing is fixed [34]. The more times the pairing is called, the more gain is obtained in the execution time, at the small expense of memory to store the precomputed elements. Recently, the pairing operations are being adopted as a crucial operation for many applications, such as privacy-preserving applications [35,36] and non-interactive zero-knowledge proofs [37,38].

There have been various research results in the literature for secure remote biometric verification [39,40,41,42,43,44,45,46,47,48]. In 2016, Cheon et al. proposed a homomorphic encryption (HE)-based protocol to support encrypted Hamming distance computation required for iris recognition [40]. In the same year, Im et al. [41] proposed an HE-based protocol to support encrypted Euclidean distance computation for palm print authentication [49]. In 2018, Gunasinghe and Bertino proposed a secure face verification protocol based on zero-knowledge proof of knowledge (ZKPK). To perform their protocol, a trusted execution environment (TEE) should be equipped on the device. In the same year, Droandi et al. [48] proposed a multi-party computation-based biometric matching protocol using SPDZ protocol [50]. Although their protocol was very fast, it required a high communication cost for preprocessing. In 2020, Im et al. proposed a secure face verification system that guarantees a real-time authentication performance on a smartphone [2]. They evaluated the performance of their system with two experiments; (1) an experiment involving 30 users in a real-world environment and (2) an experiment using the public face datasets CFP [51] and ORL [52]. In this paper, we consider the data presented in [2] as the criteria to evaluate the performance of the proposed method, since the result in [2] is one of the most up-to-date practical works in the literature of privacy-preserving biometric authentication. A more extensive survey of FE-based privacy-preserving applications can be found in [35].

1.2. Contributions

In this paper, we propose a method for accelerating inner-pairing product computation by combining the shared computation techniques and precomputation. To be precise, our contributions are as follows:

• We propose a new algorithm that accelerates inner-pairing product computation when one of the two input vectors are fixed. For each element in this fixed vector, we apply the precomputation method that was originally proposed for a single pairing in [34]. In addition, we reduce the overall computational complexity by sharing overlapping operations for multiple pairings, as in [31].
• To handle the situation where the memory is not sufficient to store all the precomputed data for all vector elements, we also propose an adaptive method that can adjust the number of precomputed elements. Therefore, the performance of the proposed method can be fine-tuned adaptively by selectively storing the precomputed elements according to the storage capacity.
• We demonstrate that the proposed method can significantly accelerate the FE-based biometric verification process. In particular, we exploit the fact that the values related to a biometric template can be precomputed when registered as the template is stored once and repeatedly used without any change.

2. Preliminaries

2.1. Remote Biometric Verification System

In this study, we focus on biometric verification among the two types of biometric recognition. A biometric characteristic examiner can use a remote biometric verification system to authenticate users. Figure 1 shows the generic structure of the remote biometric verification system [1]. For better understanding, we will explain the structure with a facial verification system as an example. The system consists of a client for the user and a remote server for the biometric characteristic examiner. We can consider a smartphone as a typical example of the client. The following are the steps required to register a user’s biometric data.

• A user presents a biometric characteristic to a biosensor in a biometric capture subsystem, and the subsystem runs its biometric capture process to acquire a biometric sample. For facial verification, the user’s smartphone camera takes a picture of the user’s face. In addition to the biometric capture process, a biometric acquisition process is performed when required. The biometric acquisition process includes segmentation, quality control, and other preprocessing steps. For facial verification, various image processing techniques, such as face detection, alignment and frontalization, can be applied.
• A client passes the biometric sample to the feature extraction module. The module attempts to extract a biometric feature from the biometric sample. For face verification, deep neural networks are frequently used [53,54].
• The client performs biometric enrolment. To be precise, the client sends the extracted biometric feature to the server, and the server stores the biometric feature as a biometric reference to a biometric enrolment database. In the database, biometric references are managed using a data structure referred to as a biometric template.

In the authentication phase, the client performs the biometric capture and feature extraction processes, which are the same as the first and second steps of the above biometric registration phase. Then, the client sends the extracted biometric feature as the biometric claim to be used for verification. The server delivers the biometric feature from the client to its verifying module. This claimed feature is referred to as a biometric probe. The module loads the biometric reference (i.e., the stored biometric template) of the claimant for biometric comparison. Biometric comparison is the similarity estimation between the biometric reference and the biometric probe. For example, if the biometric feature is represented as a vector, the similarity can be estimated by computing either the Hamming or Euclidean distance between the two feature vectors. Based on the result of biometric comparison (i.e., the comparison score) and a decision policy including a threshold, whether the biometric probe and biometric reference have the same biometric source is determined. If this is affirmative, the server accepts the claimant as an authenticated user.

However, as explained in the introduction, the above approach can be a threat to user’s privacy, because the server may try to recover the user’s biometric features from the stored template. Section 2.4 will briefly explain the countermeasure against this threat using functional encryption.

2.2. Barreto—Naehrig Curve (BN Curve)

If a non-supersingular elliptic curve over ${\mathbb{F}}_p$ contains a subgroup whose embedding degree k is not substantially large, it is called a pairing-friendly curve. In other words, computations in the field ${\mathbb{F}}_{p^k}$ are feasible. Barreto and Naehrig presented a method to construct pairing-friendly elliptic curves of prime order and embedding degree $k=12$ [55], whose curve form is $E\left({\mathbb{F}}_p\right):y^2=x^3+b$, with $b\ne 0$. For non-zero t, they parameterized the order n of the elliptic curve group and the characteristic p as follows:

$$n=36t^4+36t^3+18t^2+6t+1$$

(1)

$$p=36t^4+36t^3+24t^2+6t+1$$

(2)

The order of a point $P\in E$ is the least non-zero integer r such that $\left[r\right]P=\infty$, where $\left[r\right]P$ is the sum of r terms equal to P [56]. Therefore, the fact that n is a prime implicitly indicates that r is equal to n, and r is also prime.

2.3. Pairing

2.3.1. Cryptographic Pairing

Pairing is defined as a map $e:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$ for additive groups ${\mathbb{G}}_1$, ${\mathbb{G}}_2$ and a multiplicative group ${\mathbb{G}}_T$ [57]. The orders of ${\mathbb{G}}_1$, ${\mathbb{G}}_2$, and ${\mathbb{G}}_T$ are the prime number r. The identity elements of these groups are denoted by $0_{{\mathbb{G}}_1}$, $0_{{\mathbb{G}}_2}$, and $1_{{\mathbb{G}}_T}$, respectively. Furthermore, the pairing should have the following two properties:

• Bilinearity For all $g_1\in {\mathbb{G}}_1$, $g_2\in {\mathbb{G}}_2$, and $a,b\in {\mathbb{Z}}_r$,

  $$e(\left[a\right]g_1,\left[b\right]g_2)=e{(g_1,g_2)}^{ab}.$$

  (3)
• Non-degeneracy For $g_1\ne 0_{{\mathbb{G}}_1}$, $g_2\ne 0_{{\mathbb{G}}_2}$

  $$e(g_1,g_2)\ne 1_{{\mathbb{G}}_T}.$$

  (4)

In addition to the above two mathematical properties, cryptographic pairing requires the following property [57]:

• Computability The map e can be efficiently computed.

The most efficient cryptographic pairings are constructed using an elliptic curve E, which is defined over a finite field ${\mathbb{F}}_q$. Specifically, ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ are subgroups of the rational points of an elliptic curve E defined over an extension ${\mathbb{F}}_{q^k}$ of ${\mathbb{F}}_q$. Furthermore, ${\mathbb{G}}_T$ is the group $({\mathbb{F}}_{q^k}^{*},\times )$, where the group law is given by the field multiplication on ${\mathbb{F}}_{q^k}$. We define the tuple $(r,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,g_1,g_2,e)$ as a bilinear environment of cryptographic pairing.

An inner-pairing product $e_{prod}$ is defined by the following equation for two vectors $\mathbf{P}$ = $(P_1,$ $P_2,$ $\dots ,$ $P_d)$ $\in {\mathbb{G}}_1^d$ and $\mathbf{Q}$ = $(Q_1,$ $Q_2,$ $\dots ,$ $Q_d)$ $\in {\mathbb{G}}_2^d$:

$$e_{prod}(\mathbf{P},\mathbf{Q})=\prod _{j=1}^{d}e(P_j,Q_j)$$

(5)

2.3.2. Miller’s Algorithm and Final Exponentiation

The Weil pairing was first introduced by André Weil in 1940 [58]. It plays an important role in the theoretical study of the arithmetic of elliptic curves and Abelian varieties [58]. Miller presented an algorithm in 2004 that efficiently computes Weil pairing, which is the first practical pairing computation method [59]. Since then, most pairings, including Weil Pairing, have been designed based on Miller’s algorithm for efficient operation. The basic Miller’s algorithm takes a pair of elements of the elliptic curve subgroups ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$, both of whose orders are the prime order r, and repeats a series of processes as much as the bit length m of r. This loop is referred to a Miller loop. For any point U, V on the elliptic curve and the element $X\in {\mathbb{G}}_1$, $Y\in {\mathbb{G}}_2$, line equation $L_{U,V}(X,Y)$ is defined as the equation of the line passing through U and V, whereas tangent equation $T_U(X,Y)$ is defined as the tangent to the point U. Miller’s algorithm includes multiplication and squaring operations on ${\mathbb{G}}_T$, addition and multiplication operations on ${\mathbb{G}}_1$ or ${\mathbb{G}}_2$, and evaluation of the line and tangent equations. Miller’s algorithm is used to compute not only Weil pairing but also many other cryptographic pairings, such as the Tate pairing or Tate variant pairings [60,61]. Thus, a special operation referred to as final exponentiation is performed to force the result of the Miller loop to be a unique value for the multiplicative group ${\mathbb{G}}_T$ [57]. In other words, final exponentiation must be performed after the Miller loop to obtain the correct operation result.

2.3.3. Optimal Ate Pairing on the BN Curve

The Ate pairing [62,63] and its variations [64,65,66] are simply optimized versions of the Tate pairing using Frobenius endomorphism [67]. In 2008, Vercauteren proposed optimal pairings and optimized the Miller loop of Ate pairing, which uses Frobenius endomorphism on a pairing-friendly elliptic curve [67]. In 2010, Beuchat et al. presented an implementation for the optimal Ate pairing of [67] on the BN curve [68]. They reported that the performance of Ate pairing is optimized by setting t of the BN curve as $2^{62}-2^{54}+2^{44}$. Algorithm 1 represents the algorithm for calculating the optimal Ate pairing [68], where $\pi \left(Q\right)$ is the Frobenius map of Q and ${\pi }^2\left(Q\right)=(\pi ·\pi )\left(Q\right)$.

Algorithm 1 Optimal Ate pairing on the BN curve.

Input:  $s=6t+2$, $m=$ the bit length of s, $P\in {\mathbb{G}}_1$, $Q\in {\mathbb{G}}_2$ Output:  $e(P,Q)$ 1: Write s in signed binary form, $s={\sum }_{i=0}^{m-1}s\left[i\right]2^i$ with $s\left[i\right]\in \{-1,0,1\}$ 2: $T\leftarrow Q,f\leftarrow 1$ 3: for$i\leftarrow m-2$down to 0 do 4:     $f\leftarrow f^2·L_{T,T}\left(P\right),T\leftarrow 2T$ 5:     if $s\left[i\right]=1$ then 6:         $f\leftarrow f·L_{T,Q}\left(P\right),T\leftarrow T+Q$ 7:     else if $s\left[i\right]=-1$ then 8:         $f\leftarrow f·L_{T,-Q}\left(P\right),T\leftarrow T-Q$ 9:     end if 10: end for 11: $R\leftarrow \pi \left(Q\right),f\leftarrow f·L_{T,R}\left(P\right),T\leftarrow T+R$ 12: $R\leftarrow {\pi }^2\left(Q\right),f\leftarrow f·L_{T,-R}\left(P\right),T\leftarrow T-R$ 13: $f\leftarrow f^{(p^{12}-1)/r}$ 14: returnf

2.4. Function-Hiding Inner Product Encryption

Inner product encryption (IPE) is an FE whose function f is the inner product of the input vector $\mathbf{x}$ with the vector $\mathbf{y}$ encoded in the function f. That is, IPE performs $f\left(\mathbf{x}\right)=\langle \mathbf{x},\mathbf{y}\rangle$, by using a secret key associated with vector $\mathbf{y}$ and the ciphertext associated with vector $\mathbf{x}$ as inputs.

Meanwhile, if the FE guarantees that the data associated with its function f remain hidden as well as $\mathbf{x}$, we confirm that an FE has a function-hiding property. For example, the associated data may be vector $\mathbf{y}$ for IPE, and a privacy-preserving biometric verification system using IPE should be equipped with the function-hiding property as the biometric data should be securely handled both in the registration and authentication phases [69].

Hereinafter, we use ${\prod }_{IPE}$, a function-hiding IPE with practical performance proposed by Kim et al. [22]. For $\lambda \in \mathbb{N}$, $d\in \mathbb{N}$, and the range of the inner product S, the function-hiding IPE is defined as ${\prod }_{IPE}$ = $(IPE.Setup$, $IPE.KeyGen$, $IPE.Encrypt$, $IPE.Decrypt)$, where each operation is defined as follows:

• $IPE.Setup(1^{\lambda },S)$
  • Select a bilinear environment $(r,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,g_1,g_2,e)$ according to the security parameter $\lambda$.
  • Choose a matrix $\mathbf{B}\leftarrow {\mathbb{GL}}_d\left({\mathbb{Z}}_r\right)$, where ${\mathbb{GL}}_d\left({\mathbb{Z}}_r\right)$ refers to a group of $d\times d$ square matrix, where each element belongs to the finite field ${\mathbb{Z}}_r$ and an inverse matrix exists.
  • Compute ${\mathbf{B}}^{\star }\leftarrow \mathsf{det}\left(\mathbf{B}\right)·{\left({\mathbf{B}}^{-1}\right)}^{\top }$.
  • Output the public parameter $pp=({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,r,e,S)$ and the master secret key $msk=(pp,g_1,g_2,\mathbf{B},{\mathbf{B}}^{\star })$.
• $IPE.KeyGen(msk,\mathbf{y})$
  • Choose a uniformly random element $\alpha \stackrel{R}{\leftarrow }{\mathbb{Z}}_r$.
  • Using the master key $msk$ and the vector $\mathbf{y}\in {\mathbb{Z}}_r^d$, output the secret key $sk=(K_1,K_2)=([\alpha ·\mathsf{det}\left(\mathbf{B}\right)]g_1,[\alpha ·\mathbf{y}·\mathbf{B}]g_1)$, s.t. $K_2\in {\mathbb{G}}_1^d$.
• $IPE.Encrypt(msk,\mathbf{x})$
  • Choose a uniformly random element $\beta \stackrel{R}{\leftarrow }{\mathbb{Z}}_r$
  • Using the master key $msk$ and the vector $\mathbf{x}\in {\mathbb{Z}}_r^d$, output the ciphertext $ct=(C_1,C_2)=(\left[\beta \right]g_2,[\beta ·\mathbf{x}·{\mathbf{B}}^{\star }]g_2)$, s.t. $C_2\in {\mathbb{G}}_2^d$.
• $IPE.Decrypt(pp,sk,ct)$
  • Using the public parameter $pp$, the secret $sk=(K_1,K_2)$, and the ciphertext $ct=(C_1,C_2)$, compute $D_1=e(K_1,C_1)$ and $D_2=e_{prod}(K_2,C_2)$.
  • Find a solution z for $D_1^z=D_2$ If this z exists, it satisfies $z=\langle \mathbf{x},\mathbf{y}\rangle$. Output z if it exists; otherwise, output ⊥, indicating that a solution does not exist.

In this study, we use ${\prod }_{IPE}$ to construct a privacy-preserving biometric verification system. The two vectors x and y are encoded to ensure that they represent the biometric probe and biometric reference, respectively. Furthermore, the authors of [22] suggested methods to encode a biometric feature vector to either x or y; thus, the Hamming and the Euclidean distance between two biometric feature vectors can be calculated using the inner product $\langle \mathbf{x},\mathbf{y}\rangle$. Using this method, we can encrypt all biometric data transmitted to the server as well as the stored biometric template. The biometric comparison is performed on the encrypted biometric data. However, the comparison score is output as a plain value to ensure that the verification module can decide regarding the authenticity of the claimant. In summary, a biometric verification system that keeps all biometric data from leaking the biometric characteristics even during the biometric comparison can be constructed using ${\prod }_{IPE}$.

3. Existing Optimization Techniques for Computing Pairing

The inner-pairing product can be performed in a naive manner to calculate $e(P_j,Q_j)$ for all j and multiply them all. We call this approach the Naive method. However, this native method can be improved based on two directions of research. We briefly review them in this section.

3.1. Optimal Ate Pairing Product on the BN Curve

In 2005, Scott proposed three ideas to optimize the Naive method for Tate pairing [31].

• In the case of a modular multiplicative inverse operation, a simultaneous inversion operation [70] can be applied.
• During the computation of Miller’s algorithm, the squaring operation on ${\mathbb{G}}_T$ (e.g., in line 4 of Algorithm 1) can be shared.
• The final exponentiation operation can be shared.

In 2006, Robert Granger et al. reported that the performance of inner-pairing product computation for Ate pairings can be improved by applying the second and third ideas [32]. In 2015, Eric Zavattoni et al. implemented an optimized method to compute the products of optimal Ate pairings on the BN curve, which we call the Product method in this paper [33].

Algorithm 2 demonstrates how the Product method is computed in the bilinear environment of Section 2.3.3.

3.2. Fixed Argument Pairings

In 2010, Costello et al. proposed a method to compute a pairing using precomputation when one argument of the pairing is fixed [34]. Algorithm 3 demonstrates the application of precomputation to Q for the optimal Ate pairing, adopting the method in [34] when $Q\in {\mathbb{G}}_2$ is fixed. Algorithm 4 presents the pairing computation procedure when P and $Q^{\prime }$ are given as inputs, where $Q^{\prime }$ is a precomputed tuple based on Q. The main idea of this precomputation-based method is that the line and the tangent equation in the Miller loop of the optimal Ate pairing can be precomputed with only Q without P to obtain the gradient $\lambda$ and constant c of the equations. $\pi$ can also be computed in advance with only Q. Thus, it is also included in precomputation.

During online computation of the pairing, the precomputed $Q^{\prime }$, rather than Q, is applied to the linear equation, tangent equation, and $\pi$. The Fixed-Q method refers to an inner-pairing product method that replaces the individual pairing of the Naive method to the online computation of Fixed-Q pairing.

Algorithm 2 Products of optimal Ate pairings on the BN curve (Product method).

Input: $s=6t+2$, $m=$ the bit length of s, $P_j\in {\mathbb{G}}_1$, $Q_j\in {\mathbb{G}}_2$, where j is $1,\dots ,d$ Output: $e_{prod}(\mathbf{P},\mathbf{Q})$ 1: Write s in signed binary form, $s={\sum }_{i=0}^{m-1}s\left[i\right]2^i$ with $s\left[i\right]\in \{-1,0,1\}$ 2: $f\leftarrow 1$ 3: for$j\leftarrow 1$tondo 4:     $T_j\leftarrow Q_j$ 5: end for 6: for$i\leftarrow m-2$down to 0 do 7:     $f\leftarrow f^2$ 8:     for $j\leftarrow 1$ to d do 9:         $f\leftarrow f·L_{T_j,T_j}\left(P_j\right),T_j\leftarrow \left[2\right]T_j$ 10:         if $s\left[i\right]=1$ then 11:            $f\leftarrow f·L_{T_j,Q_j}\left(P_j\right),T_j\leftarrow T_j+Q_j$ 12:         else if $s\left[i\right]=-1$ then 13:            $f\leftarrow f·L_{T_j,-Q_j}\left(P_j\right),T_j\leftarrow T_j-Q_j$ 14:         end if 15:     end for 16: end for 17: for$j\leftarrow 1$toddo 18:     $R\leftarrow \pi \left(Q_j\right),f\leftarrow f·L_{T_j,R}\left(P_j\right),T_j\leftarrow T_j+R$ 19:     $R\leftarrow {\pi }^2\left(Q_j\right),f\leftarrow f·L_{T_j,-R}\left(P_j\right),T_j\leftarrow T_j-R$ 20: end for 21: $f\leftarrow f^{(p^{12}-1)/r}$ 22: returnf

Algorithm 3 Fixed-Q precomputation.

Input: $s=6t+2$, $m=$ the bit length of s, $Q\in {\mathbb{G}}_2$ Output: $Q^{\prime }=(G_{DBL},G_{ADD},{\pi }_Q,{{\pi }^2}_Q)$ 1: Write s in signed binary form, $s={\sum }_{i=0}^{m-1}s\left[i\right]2^i$ with $s\left[i\right]\in \{-1,0,1\}$ 2: $T\leftarrow Q,G_{DBL}\leftarrow \{\varnothing \},G_{ADD}\leftarrow \{\varnothing \}$ 3: for$i\leftarrow m-2$down to 0 do 4:     Compute $\lambda \mathrm{and}c$, such that $y_Q+\lambda x_Q+c$ is the line tangent to T 5:     $T\leftarrow \left[2\right]T$ 6:     Append $(\lambda ,c)$ to $G_{DBL}$ 7:     if $s\left[i\right]=1$ then 8:          Compute $\lambda \mathrm{and}c$, such that $y_Q+\lambda x_Q+c$ is the line joining T and Q 9:          $T\leftarrow T+Q$ 10:         Append $(\lambda ,c)$ to $G_{ADD}$ 11:     else if $s\left[i\right]=-1$ then 12:         Compute $\lambda \mathrm{and}c$, such that $y_{-Q}+\lambda x_{-Q}+c$ is the line joining T and $-Q$ 13:         $T\leftarrow T-Q$ 14:         Append $(\lambda ,c)$ to $G_{ADD}$ 15:     end if 16: end for 17: $R\leftarrow \pi \left(Q\right)$ 18: Compute $\lambda \mathrm{and}c$, such that $y_R+\lambda x_R+c$ is the line joining T and R 19: ${\pi }_Q\leftarrow (\lambda ,c)$ 20: $R\leftarrow -{\pi }^2\left(Q\right)$ 21: Compute $\lambda \mathrm{and}c$, such that $y_R+\lambda x_R+c$ is the line joining T and R 22: ${{\pi }^2}_Q\leftarrow (\lambda ,c)$ 23: $Q^{\prime }\leftarrow (G_{DBL},G_{ADD},{\pi }_Q,{{\pi }^2}_Q)$ 24: return$Q^{\prime }$

Algorithm 4 Fixed-Q pairing.

Input: $s=6t+2$, $m=$ the bit length of $s,P\in {\mathbb{G}}_1$, $Q^{\prime }=(G_{DBL},G_{ADD},{\pi }_Q,{{\pi }^2}_Q)$ (the precomputation tuple for Q, where $Q\in {\mathbb{G}}_2$) Output: $e(P,Q)$ 1: Write s in signed binary form, $s={\sum }_{i=0}^{m-1}s\left[i\right]2^i$ with $s\left[i\right]\in \{-1,0,1\}$ 2: $f\leftarrow 1,cnt\leftarrow 1$ 3: for$i\leftarrow m-2$down to 0 do 4:     $\lambda ,c\leftarrow G_{DBL}\left[i\right]$ 5:     Compute $g\leftarrow (y_P+\lambda x_P+c)$ 6:     $f\leftarrow f^2·g$ 7:     if $s\left[i\right]\ne 0$ then 8:          $\lambda ,c\leftarrow G_{ADD}\left[cnt\right]$ 9:          Compute $g\leftarrow (y_P+\lambda x_P+c)$ 10:         $cnt\leftarrow cnt+1$ 11:         $f\leftarrow f·g$ 12:     end if 13: end for 14: $\lambda ,c\leftarrow {\pi }_Q$ 15: Compute $g\leftarrow (y_P+\lambda x_P+c)$ 16: $f\leftarrow f·g$ 17: $\lambda ,c\leftarrow {{\pi }^2}_Q$ 18: Compute $g\leftarrow (y_P+\lambda x_P+c)$ 19: $f\leftarrow f·g$ 20: $f\leftarrow f^{(p^{12}-1)/r}$ 21: returnf

4. Proposed Method

In this section, we present our proposed method to efficiently compute an inner-pairing product. The proposed method combines two previous approaches and adopts both precomputation and shared computation techniques. We call our method the Fixed-Q Product method. This method is a revised version of the method presented in the preliminary version of this paper [71] and the Master’s Thesis of the first author [72].

Algorithm 5 presents the detailed procedure of the Fixed-Q Product method. In the input of the Fixed-Q Product method, ${\mathbf{Q}}^{\prime }$ is used instead of $\mathbf{Q}$, unlike the Product method. In other words, all elements of $\mathbf{Q}$ in Algorithm 2 are now used to obtain ${\mathbf{Q}}^{\prime }$ using the Fixed-Q precomputation (Algorithm 3) in advance.

We initialize a few variables in lines 1–5 of Algorithm 5 prior to performing the Miller loop. The parameter s is expanded as a signed binary form. The variable f for accumulating the products of the pairings is set to 1, and all elements of the array $cnt$ for $G_{ADD}$ are initialized to 1.

After initialization, the Miller loop runs in lines 6–20 of Algorithm 5. Unlike in a single pairing, the Miller loop has the form of a nested loop as it computes multiple pairings. In the case of the Naive method, the inside loop should have been executed many times, depending on the number of inputs d. The nested loop structure of Algorithm 5 is the same as that of the Product method to share the squaring operation. In other words, the code of lines 7–19 is repeated by the length of s by using i. In each iteration of this outer loop, lines 9–18 are repeated based on the number of inputs d using j in the inside loop. Through application of this nested loop, the proposed method can improve the performance of the Fixed-Q method similar to how the Product method improves the Naive method. Furthermore, we can describe the effect of our method in the aspect of the amount of online computation. In other words, unlike the Product method, the proposed method performs the Fixed-Q pairing using $Q_j^{\prime }$ in the code of lines 9–18. To support this improvement, each array element $cnt\left[j\right]$ plays the role of the variable $cnt$ of Algorithm 4.

Algorithm 5 Fixed-Q Product method.

Input: $s=6t+2$, $m=$ the bit length of s, $\mathbf{P}=\{(P_1,\dots ,P_d)\mid P_j\in {\mathbb{G}}_1\}$, ${\mathbf{Q}}^{\prime }=\{(Q_1^{\prime },\dots ,Q_d^{\prime })\mid Q_j^{\prime }$ is the precomputation tuple for $Q_j\in {\mathbb{G}}_2\}$ Output: $e_{prod}(\mathbf{P},\mathbf{Q})$ 1: Write s in signed binary form, $s={\sum }_{i=0}^{m-1}s\left[i\right]2^i$ with $s\left[i\right]\in \{-1,0,1\}$ 2: $f\leftarrow 1$ 3: for$j\leftarrow 1$toddo 4:     $cnt\left[j\right]\leftarrow 1$ 5: end for 6: for$i\leftarrow m-2$down to 0 do 7:     $f\leftarrow f^2$ 8:     for $j\leftarrow 1$ to d do 9:         $G_{DBL},G_{ADD}\leftarrow Q_j^{\prime }$ 10:         $\lambda ,c\leftarrow G_{DBL}\left[i\right]$ 11:         Compute $g\leftarrow (y_P+\lambda x_P+c)$ 12:         $f\leftarrow f·g$ 13:         if $s\left[i\right]\ne 0$ then 14:            $\lambda ,c\leftarrow G_{ADD}\left[cnt\left[j\right]\right]$ 15:            Compute $g\leftarrow (y_P+\lambda x_P+c)$ 16:            $cnt\left[j\right]\leftarrow cnt\left[j\right]+1$ 17:            $f\leftarrow f·g$ 18:         end if 19:     end for 20: end for 21: for$j\leftarrow 1$toddo 22:     ${{\pi }^{\prime }}_Q,{\left({\pi }^{\prime }\right)}_Q^2\leftarrow Q_j^{\prime }$ 23:     $\lambda ,c\leftarrow {{\pi }^{\prime }}_Q$ 24:     Compute $g\leftarrow (y_P+\lambda x_P+c)$ 25:     $f\leftarrow f·g$ 26:     $\lambda ,c\leftarrow {{\left({\pi }^{\prime }\right)}^2}_Q$ 27:     Compute $g\leftarrow (y_P+\lambda x_P+c)$ 28:     $f\leftarrow f·g$ 29: end for 30: $f\leftarrow f^{(p^{12}-1)/r}$ 31: returnf

The Frobenius map and final exponentiation should be applied to the optimal Ate pairing after the Miller loop. As the operation of the Frobenius map is only related to Q, all the Frobenius maps of individual pairings can be included in the Fixed-Q precomputation. Therefore, we apply the precomputed Frobenius maps to the proposed method by using ${\pi }_Q^{\prime }$ and ${\left({\pi }^{\prime }\right)}_Q^2$ from $Q_j^{\prime }$ in lines 21–29. As mentioned in Section 3.1, the final exponentiation is a shareable operation. Thus, the final exponentiation can be performed only once after the Miller loop (in line 30).

It should be noted that the speedup of the proposed method is obtained at the expense of additional memory to store ${\mathbf{Q}}^{\prime }$. The exact amount of memory required to store the d tuples $Q_1^{\prime },\dots ,Q_d^{\prime }$ of ${\mathbf{Q}}^{\prime }$ will be analyzed in the next section. To handle the situation where the memory budget is very tight, we propose an adaptive method that adjusts the number of precomputed tuples according to the storage capacity. Algorithm 6 is this modified version for the situation where only the memory for $k(\le d)$ precomputed tuples is available. Without loss of generality, we assume that only the precomputed tuples $Q_1^{\prime },\dots ,Q_k^{\prime }$ are given. Therefore, Algorithm 6 takes as input these tuples as well as $Q_{k+1},\dots ,Q_d$, the field elements for the non-precomputed portion. Algorithm 6 can be viewed as the combination of Algorithm 5 and Algorithm 2. Its main loop is the same as that of Algorithm 5. However, it has lines 6–8, lines 23–30, and lines 41–44, i.e., the routines to handle the operations corresponding to non-precomputed elements. By adjusting the parameter k, the algorithm can be adapted to the current memory capacity. That is, Algorithm 6 has a time-memory trade-off. The relation between the number of precomputed tuples and the speed will be precisely analyzed in the next section.

Algorithm 6 Adaptive method.

Input: $s=6t+2$, $m=$ the bit length of s, $\mathbf{P}=\{(P_1,\dots ,P_d)\mid P_j\in {\mathbb{G}}_1\}$, ${\mathbf{Q}}^{″}=\{(Q_1^{\prime },\dots ,Q_k^{\prime },Q_{k+1},\dots ,Q_d)$$\mid Q_j^{\prime }$ is the precomputation tuple for $Q_j\in {\mathbb{G}}_2,1<k\le d\}$ Output: $e_{prod}(\mathbf{P},\mathbf{Q})$ 1: Write s in signed binary form, $s={\sum }_{i=0}^{m-1}s\left[i\right]2^i$ with $s\left[i\right]\in \{-1,0,1\}$ 2: $f\leftarrow 1$ 3: for$j\leftarrow 1$tokdo 4:     $cnt\left[j\right]\leftarrow 1$ 5: end for 6: for$j\leftarrow k+1$toddo 7:     $T_j\leftarrow Q_j$ 8: end for 9: for$i\leftarrow m-2$down to 0 do 10:     $f\leftarrow f^2$ 11:     for $j\leftarrow 1$ to k do 12:         $G_{DBL},G_{ADD}\leftarrow Q_j^{\prime }$ 13:         $\lambda ,c\leftarrow G_{DBL}\left[i\right]$ 14:         Compute $g\leftarrow (y_P+\lambda x_P+c)$ 15:         $f\leftarrow f·g$ 16:         if $s\left[i\right]\ne 0$ then 17:            $\lambda ,c\leftarrow G_{ADD}\left[cnt\left[j\right]\right]$ 18:            Compute $g\leftarrow (y_P+\lambda x_P+c)$ 19:            $cnt\left[j\right]\leftarrow cnt\left[j\right]+1$ 20:            $f\leftarrow f·g$ 21:         end if 22:     end for 23:     for $j\leftarrow k+1$ to d do 24:         $f\leftarrow f·L_{T_j,T_j}\left(P_j\right),T_j\leftarrow \left[2\right]T_j$ 25:         if $s\left[i\right]=1$ then 26:            $f\leftarrow f·L_{T_j,Q_j}\left(P_j\right),T_j\leftarrow T_j+Q_j$ 27:         else if $s\left[i\right]=-1$ then 28:            $f\leftarrow f·L_{T_j,-Q_j}\left(P_j\right),T_j\leftarrow T_j-Q_j$ 29:         end if 30:     end for 31: end for 32: for$j\leftarrow 1$tokdo 33:     ${{\pi }^{\prime }}_Q,{\left({\pi }^{\prime }\right)}_Q^2\leftarrow Q_j^{\prime }$ 34:     $\lambda ,c\leftarrow {{\pi }^{\prime }}_Q$ 35:     Compute $g\leftarrow (y_P+\lambda x_P+c)$ 36:     $f\leftarrow f·g$ 37:     $\lambda ,c\leftarrow {{\left({\pi }^{\prime }\right)}^2}_Q$ 38:     Compute $g\leftarrow (y_P+\lambda x_P+c)$ 39:     $f\leftarrow f·g$ 40: end for 41: for$j\leftarrow k+1$toddo 42:     $R\leftarrow \pi \left(Q_j\right),f\leftarrow f·L_{T_j,R}\left(P_j\right),T_j\leftarrow T_j+R$ 43:     $R\leftarrow {\pi }^2\left(Q_j\right),f\leftarrow f·L_{T_j,-R}\left(P_j\right),T_j\leftarrow T_j-R$ 44: end for 45: $f\leftarrow f^{(p^{12}-1)/r}$ 46: returnf

5. Performance Analysis

5.1. Theoretical Analysis

In this subsection, we analyze the expected amount of computation and storage required for the Naive, Product, Fixed-Q, and the proposed Fixed-Q Product methods. First, we denote the total amount of computation required for the basic optimal Ate pairing algorithm (Algorithm 1) and the Fixed-Q pairing algorithm (Algorithm 4) as $C_{basic}$ and $C_{fixed}$, respectively. As explained in Section 3.2, $C_{fixed}$ is significantly smaller than $C_{basic}$. We also denote the amount of computation required for a squaring operation on ${\mathbb{G}}_T$ and the final exponentiation as $C_{sqr}$ and $C_{fin}$, respectively. Subsequently, the amount of computation required to compute an inner-pairing product (5) of two d-dimensional vectors can be expressed as follows:

• Naive method

  $$C_{basic}\times d$$

  (6)
• Product method

  $$(C_{basic}-C_{sqr}-C_{fin})\times d+C_{sqr}+C_{fin}$$

  (7)
• Fixed-Q method

  $$C_{fixed}\times d$$

  (8)
• Fixed-Q Product method (proposed)

  $$(C_{fixed}-C_{sqr}-C_{fin})\times d+C_{sqr}+C_{fin}$$

  (9)

Noticeably, the computational costs of all methods are represented as linear functions in d. However, comparing (6) and (7), we can observe that the term $C_{sqr}+C_{fin}$ was moved from the slope to the constant intercept part, thus, significantly reducing the slope. The same relation holds between (8) and (9). In particular, the cost reduction of the proposed method over the Fixed-Q method (and that of the Product method over the Naive method) is $(d-1)(C_{sqr}+C_{fin})$. Consequently, the proposed method is expected to be the fastest among the four methods when $d\ge 2$.

The amount of computation for the Fixed-Q method and the proposed method is reduced at the expense of memory to store the precomputed elements. In other words, a time-memory trade-off occurs. To estimate the additional memory required for storing the precomputed elements, we expressed the bit length of the data structure $Q^{\prime }$ that represents the precomputation table. $Q^{\prime }$ is a tuple composed of $(G_{DBL},G_{ADD},{\pi }_Q,{{\pi }^2}_Q)$. According to Algorithm 3, $G_{DBL}$ and $G_{ADD}$ are the arrays with their elements in ${\mathbb{F}}_p\times {\mathbb{F}}_p$. Whenever the code of line 6 in Algorithm 3 is run, the number of elements in the $G_{DBL}$ array is, thus, increased by one, and this line is repeated by $m-1$ times. Thereafter, $G_{DBL}$ will contain $m-1$ elements in ${\mathbb{F}}_p\times {\mathbb{F}}_p$. The codes of line 10 and 14 also increase the length of $G_{ADD}$ by one. However, these lines are executed only when the corresponding element $s\left[i\right]$ in the signed binary representation of s is non-zero. For given $t=2^{62}-2^{52}+2^{44}$, the number of non-zero terms in the signed binary representation of s is exactly seven. Therefore, $G_{ADD}$ will finally contain seven elements in ${\mathbb{F}}_p\times {\mathbb{F}}_p$. Finally, the codes of lines 19 and 22 are executed once for ${\pi }_Q$ and ${{\pi }^2}_Q$. Therefore, ${\pi }_Q,{{\pi }^2}_Q\in {\mathbb{F}}_p\times {\mathbb{F}}_p$. As m, the bit length of $s=6t+2$, is 65, we can observe that $Q^{\prime }\in {({\mathbb{F}}_p\times {\mathbb{F}}_p)}^{(m-1)+7+2}={({\mathbb{F}}_p\times {\mathbb{F}}_p)}^{73}$, and the bit length of $Q^{\prime }$ can be expressed as $73\times 2\times l=146l$, where l denotes the bit length of prime p. In other words, $146l$ bits are additionally required to store the precomputed data $Q^{\prime }$ in Algorithm 3 and use it in Algorithm 4. For Algorithm 5, we need d tables $Q_1^{\prime },\dots ,Q_d^{\prime }$, requiring $146dl$ bits of the precomputation storage.

5.2. Experimental Results

To verify the performance improvement, we implemented the proposed method as well as the three previous methods, and then we compared their performance in terms of execution time and memory usage. This experiment was conducted on a desktop PC with an Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz, 16GB memory, and Ubuntu Desktop 16.04 LTS. The program was written in C++. In particular, GMP 6.1.2 [73], MCL 1.05 [74], and NTL 11.3.2 [75] libraries were applied for algebraic operations.

According to the theoretical analysis in Section 5.1, the amount of computation for each method can be expressed as a linear equation in the number d of the input pairs. The slope of the linear equation and the value of the y-intercept can be estimated by measuring the execution times of the component operations. Therefore, we measured the durations required for a squaring operation and final exponentiation and as those for pairing operations.

Table 1. Execution times of the operations constituting an inner-pairing product.

Operation Name	Execution Time (Mclk)
Squaring on ${\mathbb{G}}_T$	0.008
Final exponentiation	0.629
Basic optimal Ate pairing (Algorithm 1)	1.595
Fixed-Q pairing (Algorithm 4)	1.411

presents the result of this measurement. The figures in Table 1 are the average of the execution times in 10,000 executions with a random input for each operation, and the unit of execution time is ${10}^6$ CPU clocks (Mclk).

Using the measured data, we estimated the slopes and y-intercepts in the linear Equations (6)–(9) in the previous subsection. The cost of the squaring operation $C_{sqr}$ can be estimated as $m\times$(the execution time for a single squaring operation), where m (i.e., the bit length of $s=6t+2$) is calculated as 65 given that $t=2^{62}-2^{54}+2^{44}$ for the optimal Ate pairing. Consequently, we obtained the following expressions for the execution times of the four inner-pairing product methods, which are also summarized in

Table 2. Execution times of the inner-pairing product computation for various methods.

Methods	Expected Cost	Measured Cost
Naive	$C_{basic}\times d$	$1.595d$
Product	$(C_{basic}-C_{sqr}-C_{fin})\times d+C_{sqr}+C_{fin}$	$0.464d+1.131$
Fixed-Q	$C_{fixed}\times d$	$1.411d$
Proposed	$(C_{fixed}-C_{sqr}-C_{fin})\times d+C_{sqr}+C_{fin}$	$0.280d+1.131$

:

• Naive method:

  $$C_{Naive}=1.595d$$

  (10)
• Product method:

  $$C_{Prod}=(1.595-0.008\times 65-0.629)d+0.008\times 65+0.629=0.464d+1.131$$

  (11)
• Fixed-Q method:

  $$C_{FixedQ}=1.411d$$

  (12)
• Fixed-Q Product method (proposed):

  $$C_{FixedQProd}=(1.411-0.008\times 65-0.629)d+0.008\times 65+0.629=0.280d+1.131$$

  (13)

We also verified the validity of the expressions given above by directly measuring the execution times of the inner-pairing product computation. Furthermore, we measured these execution times, increasing d from 10 to 1000 by 10. For each combination, we measured the execution time of each method 1000 times. Figure 2 presents the average execution times of the four inner product methods. Certainly, the execution times of the four methods increase almost linearly with d. Figure 3 presents the relative ratio of the execution time of each method to that of the Naive method. We can observe that the ratio remains as a constant for each method, except the region for small d, where the influences of constant terms in (7) and (9) are non-negligible. Please note that the amounts of computation in the Naive and Fixed-Q methods (Equations (6) and (8)) are proportional to d, but those in the Product and Fixed-Q Product methods are not exactly proportional to d. However, when d gets sufficiently large, the constant terms in (7) and (9) almost do not affect the overall performance, and (7) and (9) become almost proportional to d. For this region with sufficiently large d, the relative ratio of the execution time is essentially the ratio of the slopes. For example, the ratio of the Fixed-Q Product method over the Naive method is approximately $(C_{fixed}-C_{sqr}-C_{fin})/\left(C_{basic}\right)$ for large d, whereas it is originally $((C_{fixed}-C_{sqr}-C_{fin})d+(C_{sqr}+C_{fin}))/\left(C_{basic}d\right)$. This explains the slightly bent portions in the curves for the Product and Fixed-Q Product methods in Figure 3.

In other words, four horizontal lines are almost parallel to the d-axis. The constant ratios are 0.881, 0.381, and 0.264 for the Fixed-Q, Product, and proposed methods, respectively. This implies that the proposed method improves the performance of the Naive, Fixed-Q, and Product methods by 3.8, 3.3, and 1.4 times, respectively. If we compare the proposed method with the best previous method, Product, we see that the proposed method reduces the execution time of the Product method by $1-0.264/0.381\approx 30.7\%$.

The amount of storage space required for each method was also measured and analyzed. The software module used in this study uses a 256-bit data type to express an element in ${\mathbb{F}}_p$. Each element in ${\mathbb{G}}_1$ is a point on an elliptic curve defined over ${\mathbb{F}}_p$. Therefore, it is composed of two elements in ${\mathbb{F}}_p$ to represent x and y coordinates. Each element in ${\mathbb{G}}_2$ is a point on an elliptic curve defined over an extension field. Therefore, it is composed of four elements in ${\mathbb{F}}_p$. Subsequently, the sizes of the data structures to handle the elements in ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ are $512(=2\times 256)$ and $1024(=4\times 256)$ bits, respectively. The data structure for a precomputation table $Q^{\prime }$ consumes $146\times 256=37,376$ bits. When an inner-pairing product is computed with two d-dimensional vectors using the proposed method, $37,376d$ bits are required for the precomputation table. For example, considering that $d=130$, which is a typical value for our biometric verification application, this amount corresponds to only 0.6 MB. As explained in Section 4, only a subset of precomputed elements may be computed if the storage is not sufficient. Figure 4 demonstrates the time-memory trade-off of Algorithm 6 for various values of k when $d=130$. The x-axis represents the amount of available memory. k varies from 0 to 130. When $k=130$, approximately 0.6 MB is required. As the graph shows, the execution time of Algorithm 6 linearly decreases according to the increase in the amount of memory.

Finally, we verify whether the Fixed-Q and Fixed-Q Product methods consume additional communication bandwidth for the transmission of the precomputation tables. When the inner-pairing product operation is applied to privacy-preserving remote biometric verification, this operation is performed by the receiver (i.e., by the remote authentication server) to conduct $IPE.Decrypt$ with two input vectors $\mathbf{P}$ = $(P_1,$$P_2,$$\dots ,$$P_d)$$\in {\mathbb{G}}_1^d$ and $\mathbf{Q}$ = $(Q_1,$$Q_2,$$\dots ,$$Q_d)$$\in {\mathbb{G}}_2^d$. The second vector, $\mathbf{Q}$, is related to the stored biometric template. Therefore, it is transmitted in the registration phase, and the required precomputation can be conducted on the server side. In other words, Algorithm 3 is performed for each element in $\mathbf{Q}$ by the server. Therefore, additional communication bandwidth is not required.

6. Application

As explained in Section 2.4, if FE is applied to a remote biometric verification system, the client may encrypt and securely transmit the user’s biometric data, the server may store the encrypted biometric template, and the biometric comparison may be performed while all biometric data remain encrypted. In this section, we construct a simple facial verification system using ${\prod }_{IPE}$ and describe how the FE can be applied to a remote biometric verification system, following the idea presented in [22]. We also demonstrate that the proposed method significantly improves the facial verification performance. For biometric comparison, the server uses Euclidean distance as the metric for the similarity between two feature vectors, which is the most widely used approach in biometric authentication. Furthermore, a vector encoding method proposed by Kim [22] is adopted to perform this comparison in the ciphertext domain. When two d-dimensional feature vectors $\mathbf{x}$ and $\mathbf{y}$ are given as a biometric reference and biometric probe, respectively, the similarity score is defined as ${\parallel \mathbf{x}-\mathbf{y}\parallel }^2$ (i.e., the square of the Euclidean distance between $\mathbf{x}$ and $\mathbf{y}$). To compute ${\parallel \mathbf{x}-\mathbf{y}\parallel }^2$ using ${\prod }_{IPE}$, the following three operations are defined:

• $EncodeX(msk,\mathbf{x})$
  • Construct a $(d+2)$-dimensional vector ${\mathbf{x}}^{\prime }={(\parallel \mathbf{x}\parallel }^2,-2x_1,-2x_2,\dots ,-2x_d,1)$ from $\mathbf{x}=(x_1,\dots ,x_d)$.
  • Output $ct=IPE.Encrypt(msk,{\mathbf{x}}^{\prime })$.
• $EncodeY(msk,\mathbf{y})$
  • Construct a $(d+2)$-dimensional vector ${\mathbf{y}}^{\prime }=(1,y_1,y_2,\dots ,y_d{,\parallel \mathbf{y}\parallel }^2)$ from $\mathbf{y}=(y_1,\dots ,y_d)$.
  • Output $sk=IPE.KeyGen(msk,{\mathbf{y}}^{\prime })$.
• $Euclid(pp,sk,ct)$
  • Calculate $z=IPE.Decrypt(pp,sk,ct)$.
  • Output z. (z satisfies $z=\langle {\mathbf{x}}^{\prime },{\mathbf{y}}^{\prime }\rangle ={(\parallel \mathbf{x}\parallel }^2-2x_1{y}_1-2x_2{y}_2-\dots -2x_d{y}_d+{\parallel \mathbf{y}\parallel }^2{)=(\parallel \mathbf{x}\parallel }^2-2\langle \mathbf{x},\mathbf{y}\rangle +{\parallel \mathbf{y}\parallel }^2{)=\parallel \mathbf{x}-\mathbf{y}\parallel }^2).$

In our biometric verification system, $IPE.Encrypt$ (i.e., $EncodeX$) will be used to protect the biometric template in the registration phase. Meanwhile, $IPE.KeyGen$ (i.e., $EncodeY$) will be used to protect the biometric probe of the claimant in the authentication phase. We might have used the IPE functions in other ways (i.e., $IPE.KeyGen$ for registration and $IPE.Encrypt$ for authentication). However, we made the above choice owing to the following reason: the stored biometric template does not change frequently after registration, whereas the biometric probe for authentication changes every session. Thus, applying precomputation to the stored template is suitable. According to Algorithm 5, the precomputation is only applicable to the second argument of $e_{prod}(\mathbf{P},\mathbf{Q})$, that is, $\mathbf{Q}$, whose elements are from ${\mathbb{G}}_2$. According to the description of ${\prod }_{IPE}$ in Section 2.4, this $\mathbf{Q}$ should be $C_2$, which is computed by $IPE.Encrypt$.

Figure 5 shows the simple facial verification system that uses the above three operations. $EncodeX$ and $EncodeY$ are performed by the client. Meanwhile, $Euclid$ is performed by the server and includes an inner-pairing product for $IPE.Decrypt$. In other words, if the inner-pairing product can be accelerated, we can also improve the performance of $Euclid$.

As shown in Figure 5, the client transmits a user’s encrypted feature vector as a biometric reference to the server, and then the server stores the encrypted vector as a biometric template in the registration phase. Using the proposed method, the server can perform the Fixed-Q precomputation on all the elements of the biometric template and use the precomputed data to accelerate the inner-pairing product computation in $Euclid$.

To estimate the effect of the proposed method in the performance of a remote biometric verification system, we emulated a remote facial verification system where the client comprises an image processing module that processes the face image and produces a feature vector, and a cryptographic module for the $EncodeX$ and $EncodeY$ operations. The server performs the biometric comparison using a cryptographic module implementing the $Euclid$ operation. We did not actually implement the image processing module, but emulated the one provided in [2]. We brought a part of the experimental results for image processing time in [2], and actually measured the durations for ${\prod }_{IPE}$ operations. Combining both data, we estimated the overall time for biometric verification. To measure the times for ${\prod }_{IPE}$ operations, we used the same mobile device and PC as used in [2].

Table 3. Performance improvement in the facial verification system using the proposed method compared to the Naive method (times in ms).

Biometric Dataset	Face Image Processing [2]	EncodeY	Euclid			Total (Naive)	Total (Proposed)	Ratio
			Pairing (Naive)	Pairing (Proposed)	DLP
Auto	193.27	106.47	58.86	15.66	120.30	478.90	435.70	9.0 %
Guide	157.47					443.10	399.90	9.7%
CFP	150.15					435.78	392.58	9.9%
ORL	147.33					432.96	389.76	10.0%

presents our experimental results. The face image processing column covers the entire image processing procedure, i.e., from biometric capture and acquisition process and feature extraction. In [2], four datasets were provided—Auto, Guide, CFP, and ORL. Each dataset uses 128-dimensional feature vectors in common. Therefore, we measured the performance of $EncodeY$ with 128-dimensional feature vectors. However, we did not compare the performance of $EncodeX$ as it is called only once for registration. In particular, we measured the performance of $Euclid$ by dividing it into two parts, Pairing and DLP. Pairing is the part that consists of a single pairing operation for $D_1$ and $e_{prod}$ for $D_2$ in $IPE.Decrypt$. For comparison, we measured the performance of the inner-pairing product, $e_{prod}$, using the proposed and Naive methods. DLP is the part that finds a solution to the discrete logarithm problem $D_1^z=D_2$. The total execution time for authentication comprises face image processing, $EncodeY$, and $Euclid$, and presents the data when the Naive method and the proposed method are applied. The last column provides the ratio of reduced time over the Naive method (i.e., $(1-\frac{Total\left(proposed\right)}{Total\left(Naive\right)})\times 100$%). From Table 3, the proposed Fixed-Q Product method reduces the time for $Euclid$ operation by $\left(1-\frac{15.66+120.30}{58.86+120.30}\right)\times 100$% = 24.1% compared to the Naive method, and the overall authentication time is also expected to be reduced by 9.0–10.0%. Regarding the required memory, note that approximately 0.6 MB of precomputation memory should be available to fully exploit Algorithm 5 when a 128-dimensional feature vector is used, i.e., $d=130$. If multiple users are registered to the authentication server, the amount of required memory will be proportional to the number of registered users. For example, 600 MB is required to store the precomputation data for 1000 users. However, if we use Algorithm 6, we may permit more users, slightly degrading the authentication speed.

Security Analysis

To show that our FE-based facial verification system manages and processes the biometric information in a secure and privacy-compliant manner, we evaluate our system based on the requirements of biometric information protection, i.e., irreversibility, unlinkability, renewability, and performance [76,77].

• Irreversibility: the irreversibility of our system depends on the security of ${\prod }_{IPE}$. Please note that the template is not stored in the client device. Therefore, the only concern is the possibility of template recovery on the server side. However, the ${\prod }_{IPE}$ guarantees that the server cannot learn any information about the stored ciphertext, except its inner product with another ciphertext. Therefore, the encrypted biometric information is protected by ${\prod }_{IPE}$.
• Unlinkability: Our procedure for template encryption, i.e., $IPE.Encrypt$, involves a uniformly random component $\beta$. Consequently, it may produce completely different ciphertexts even when the same biometric information is encrypted. Therefore, it is not possible to link two or more biometric templates encrypted using ${\prod }_{IPE}$.
• Renewability: Every call to the template encryption procedure $IPE.Encrypt$ generates a completely different ciphertext even for the same user using a random parameter $\beta$. Therefore, it can create multiple, independently transformed biometric templates.
• Performance: According to the ISO/IEC 19795-1 standard [77], we consider the biometric accuracy as a criterion of performance. It is straightforward that the accuracy of the proposed system is exactly the same as that of the underlying biometric verification system, because the proposed system does not revise the feature extraction process. It only encrypts the extracted features. Therefore, the biometric similarity score computed from $ct=EncodeX(msk,\mathbf{x})$ and $sk=EncodeY(msk,\mathbf{y})$ is exactly the same as that computed from the original $\mathbf{x}$ and $\mathbf{y}$.

Finally, we remark that the biometric information is still protected even when the precomputation on the biometric template is applied to the system. According to Algorithm 3, precomputation is performed only using $s,m$, and Q, where s and m are publicly known parameters. Q ($Q_j$ in later algorithms) is an element in the encrypted biometric template vector. Therefore, when the server performs Algorithm 3 for precomputation, it does not obtain any additional information about the feature value encoded in the template. Consequently, whether the server performs the precomputation or not does not affect the security of the system. The same holds for the case where the server is compromised by an attacker.

7. Discussion

In this paper, we proposed a method to accelerate the inner-pairing product operation for secure biometric verification. The proposed Fixed-Q Product method is a method that optimizes inner-pairing product computation by applying precomputation. We also applied the new inner-pairing product method to design a secure biometric verification system. To verify the feasibility of the proposed method, we emulated a simple facial verification system comprising a client and a server. Our analysis results indicate that the new inner-pairing product method accelerates biometric authentication. However, the proposed method has a time-memory trade-off. The reduction in the amount of computation for the proposed method is obtained at the expense of memory to store the precomputed elements. Although the new method requires more memory than the previous methods, the amount of the additional memory is not considerable. Moreover, there are no changes in the bandwidth requirement for communication as the precomputation is performed on the server side. Furthermore, we also provide the adaptive method where the amount of precomputed elements is parameterized. Therefore, a server can choose to apply the proposed method by itself while a client is not aware of it. In other words, selectively tuning the performance of the system is possible.

We remark that noise may affect the security and performance of a biometric authentication system [78]. Therefore, we consider the effect of noise on the proposed method. First, note that the proposed system does not revise the feature extraction procedure, but it only encrypts the extracted features. Therefore, the noise-robustness of the underlying system is maintained even after applying our method, if only the integrity of a transmitted or stored ciphertext is guaranteed. On the contrary, if a ciphertext is modified, the server will be able to notice this change immediately, because the modification of even a single bit will make the data invalid. The probability that a modified element becomes a valid field element constituting a ciphertext is almost zero. In summary, the proposed method does not affect the noise-robustness of a biometric authentication system.

Finally, the proposed method is suitable not only for remote biometric verification systems but also for any FE-based privacy-preserving applications where the evaluated function is an inner product and one of the two inputs of the inner product is entered offline [35,36]. Furthermore, the proposed method can be applied not only to FE-based systems but also to the other systems involving inner-pairing products, such as non-interactive zero-knowledge proofs [37,38].