Refinements of Miller's Algorithm over Weierstrass Curves Revisited

In 1986, Victor Miller described an algorithm for computing the Weil pairing in his unpublished manuscript. This algorithm has since become the core of all pairing-based cryptosystems. Many improvements to the algorithm have been presented. Most of them involve choosing elliptic curves of a special form in order to exploit a possible twist during Tate pairing computation. Other improvements reduce the number of iterations in Miller's algorithm. For the generic case, Blake, Murty and Xu proposed three refinements to Miller's algorithm over Weierstrass curves. Although their refinements, which only reduce the total number of vertical lines in Miller's algorithm, do not yield as efficient a computation as other optimizations, they can be applied to computing both Weil and Tate pairings on all pairing-friendly elliptic curves. In this paper, we extend the Blake–Murty–Xu method and show how to eliminate all vertical lines in Miller's algorithm during the computation of Weil/Tate pairings on general elliptic curves. Experimental results show that our algorithm is faster by ~25% in comparison with the original Miller's algorithm.
