Faster Pairing Computations on Curves with High-Degree Twists

Research on efficient pairing implementation has focussed on reducing the loop length and on using high-degree twists. Existence of twists of degree larger than 2 is a very restrictive criterion, but luckily constructions for pairing-friendly elliptic curves with such twists exist. In fact, Freeman, Scott and Teske showed in their overview paper that often the best known methods of constructing pairing-friendly elliptic curves over fields of large prime characteristic produce curves that admit twists of degree 3, 4 or 6. A few papers have presented explicit formulas for the doubling and the addition step in Miller’s algorithm, but the optimizations were all done for the Tate pairing with degree-2 twists, so the main usage of the high-degree twists remained incompatible with more efficient formulas. In this paper we present efficient formulas for curves with twists of degree 2, 3, 4 or 6. These formulas are significantly faster than their predecessors. We show how these faster formulas can be applied to Tate and ate pairing variants, thereby speeding up all practical suggestions for efficient pairing implementations over fields of large characteristic.
