Faster Beta Weil Pairing on BLS Pairing Friendly Curves with Odd Embedding Degree

Abstract

Since the advent of pairing-based cryptography, various optimization methods that increase the speed of pairing computations have been exploited, as well as new types of pairings. This paper extends the work of (Kinoshita and Suzuki Advances in Information and Computer Security - 15th International Workshop on Security, IWSEC 2020, Fukui, Japan, September 2-4, 2020, Proceedings, Lecture Notes in Computer Science, Springer, 2020) who proposed a new formula for the \( \beta \)-Weil pairing on curves with even embedding degree by eliminating denominators and exponents during the computation of the Weil pairing. We provide novel formulas suitable for the parallel computation for the \(\beta \)-Weil pairing on curves with odd embedding degree which involve vertical line functions useful for sparse multiplications. For computations we used Miller’s algorithm combined with storage and multifunction methods. Applying our framework to BLS-27, BLS-15 and BLS-9 curves at respectively the 256 bit, the 192 bit and the 128 bit security level, we obtain faster \(\beta \)-Weil pairings than the previous state-of-the-art constructions. The correctness of all the formulas and bilinearity of pairings obtained in this work is verified by a SageMath code.

Appendices

Appendix A. Computation of the \(\beta \)-Weil Pairing Over BLS-15 and BLS-9

1.1 Evaluation of the New \(\beta \)-Weil Pairing Formula on BLS-15 Curve

Following the same process, we find the theoretical cost of the serial and the parallel computations of the \(\beta \)-Weil pairing on BLS-15 curve. The proposed \(\beta \)-Weil pairing formula for BLS-15 is given as

$$\begin{aligned} \beta _{15}(P,Q)=\left( \prod _{i=0}^{4}f_{x,Q_{i}}(P_{i})\cdot f_{-x,P_{i}}(Q_{i})\cdot \mathcal {V}_{P_{i+1}}(Q_{i})\right) ^{p^5-1} \end{aligned}$$

where \(x=-2^{77} -2^{76} -2^{68} -2^{50} .\)

Costs of arithmetic operations in the fields \( \mathbb {F}_{p^{5}}\) and \( \mathbb {F}_{p^{15}}\) can be found in [35] and [17]. Also, the special operations in the \(\beta \)-Weil pairing computations on BLS-15 curve can be obtained in [17] (sect. 5).

1.1.1 Serial Computation of the \(\beta \)-Weil Pairing Over BLS-15

Algorithm 3 computes and stores the line functions necessary to find \(f_{-x,P_{i}},\) \(i=0,1,2,3,4\) for a cost of \( 5(77 \cdot 13 M+3\cdot 16 M) +4(I+2 M)= \mathbf{5253} M+ 4 I .\) Also Algorithm 3 computes and stores the line functions for \(f_{x,Q},\) for a cost of \(77(95 M+ I)+3(95 M+ I)=\mathbf{7600} M + 80 I \). Whereas Algorithm 4 computes and stores the line functions for \(f_{x,Q_{i}},\) \(i=1,2,3,4\) for a cost of \( 4 \cdot 80 \cdot 10 M=\mathbf{3200} M , \) where the \(p^i-\)th Frobenius map for line function is 10M.

Before using Algorithm 5 to find the product of Miller’s functions, we first compute \(\pi _{p^{i}}(Q)\) for \(1\le i\le 4\) for the cost of \( 4 \cdot 10 M=\mathbf{40} M .\) See Table 5 for the other computations.

Table 5 computational cost of Algorithm 5 for \(\beta _{15}\) (see [35] and [17] for basic operations)

The total cost of the \(\beta \)-Weil pairing on BLS-15 is then \(90477 M+ 85 I.\)

1.1.2 Parallel Computation of the \(\beta \)-Weil Pairing Over BLS-15 Using 3 Processors

The parallel computation of \(\beta _{15}(P,Q)\) with 3 processors of the \(\beta \)-Weil pairing on BLS-15 curve is defined as

$$\begin{aligned} \beta _{15}(P,Q)=(X^{p^2}\cdot Y\cdot Z)^{p^{5}-1}. \end{aligned}$$

Where

$$\begin{aligned} X= & {} f_{x,\pi _{p^2}(Q)}(P)\cdot f_{-x,P}(\pi _{p^2}(Q))\cdot f_{x,\pi _{p}(Q)}(P_{1})\cdot f_{-x,P_{1}}(\pi _{p}(Q))\cdot \mathcal {V}_{P_{1}}(\pi _{p^2}(Q))\cdot \mathcal {V}_{P_{2}}(\pi _{p}(Q)),\\ Y= & {} f_{x,\pi _{p^2}(Q)}(P_{2})\cdot f_{-x,P_{2}}(\pi _{p^2}(Q))\cdot f_{x,\pi _{p}(Q)}(P_{3})\cdot f_{-x,P_{3}}(\pi _{p}(Q))\cdot \mathcal {V}_{P_{3}}(\pi _{p^2}(Q))\cdot \mathcal {V}_{P_{4}}(\pi _{p}(Q)) \\ Z= & {} f_{x,Q}(P_{4})\cdot f_{-x,P_{4}}(Q) \cdot \mathcal {V}_{P_{5}}(Q) \end{aligned}$$

Step 1.

1. 1.

   The \( 1^{st}\) processor computes \(CSL([p^i]P,-x)=h_{i}\) for \(0\le i\le 4\) for a cost of \( 5(77\cdot 13 M+3\cdot 16 M) +4(I+2 M)=\mathbf{5253} M+ 4 I \) and \(CSL(Q,x)=g_{0}\) for a cost of \(77(95 M+ I)+3(95 M+ I)= \mathbf{7600} M + 80 I \).

2. 2.

   The \(2^{nd}\) processor computes \(\pi _{p}(Q)\) and \(CSL(\pi _{p}(Q),x)=g_{1}\) for a cost of \( 10 M+ (7600 M + 80 I)= 7610 M + 80 I\).

3. 3.

   The \(3^{rd}\) processor computes \( \pi _{p^2}(Q)\) and \(CSL(\pi _{p^2}(Q),x)=g_{2}\) for a cost of \( 10 M+ (7600 M + 80 I)= 7610 M + 80 I\).

Step 2.

1. 1.

   The \(1^{st}\) processor computes \(X_{1}=EPM \big (\big [(g_{2},P_{0}), (g_{1},P_{1}),(h_{0},\pi _{p^2}(Q)),\)

   \((h_{1},\pi _{p}(Q)), \big ],x\big )\) as in the table 5, for a cost of \(2\cdot 18M+ 1\cdot 70 M+77\cdot 78 M+77[2(70 M+5 M+78 M+15 M )]+3[2(70 M+5 M+78 M+15 M )+70 M]= \mathbf{33202} M .\) Also this processor computes \(X=X_{1}\cdot \mathcal {V}_{P_{1}}(\pi _{p^2}(Q))\cdot \mathcal {V}_{P_{2}}(\pi _{p}(Q))\) for \(2\cdot 49 M=\mathbf{98} M .\)

2. 2.

   The \(2^{nd}\) processor computes \(Y_{1}=EPM \big (\big [(g_{2},P_{2}), (g_{1},P_{3}), (h_{2},\pi _{p^2}(Q)),\)

   \((h_{3},\pi _{p}(Q)) \big ],x\big )\) and \(Y=Y_{1}\cdot \mathcal {V}_{P_{3}}(\pi _{p^2}(Q))\cdot \mathcal {V}_{P_{4}}(\pi _{p}(Q))\) for the same cost as the first processor.

3. 3.

   The \(3^{rd}\) processor computes \(Z_{1}=EPM \big (\big [ (g_{0},P_{4}), (h_{4},Q) \big ],x\big )\) for a cost of \(18M+77\cdot 78 M+77[(70 M+5 M+78 M+15 M )]+3[(70 M+5 M+78 M+15 M )+70 M]=19674 M\) Also this processor computes \(Z=Z_{1}\cdot \mathcal {V}_{P_{5}}(Q)\) for 49M.

Step 3.

Since \(\beta _{15}(P,Q)=(X^{p^2}\cdot Y \cdot Z)^{p^{5}-1},\) in the final step one processor computes one \( p^2\) Frobenius map, three multiplications and one inversion in \(\mathbb {F}_{p^{15}}\) which yields \(14 M+3 M_{15} +I_{15}=\mathbf{513} M+I . \)

The total cost of the parallel computation of the \(\beta \)-Weil pairing using 3 processors is \(\mathbf{46666} M+ 85 I .\)

1.2 Evaluation of the New \(\beta \)-Weil Pairing Formula on BLS-9 Curve

Similarly, we find the serial and the parallel computations of the \(\beta \)-Weil pairing on BLS-9. The proposed \(\beta \)-Weil pairing formula for BLS-9 is given as

$$\begin{aligned} \beta _{9}(P,Q)=\left( \prod _{i=0}^{2}f_{x,Q_{i}}(P_{i})\cdot f_{-x,P_{i}}(Q_{i})\cdot \mathcal {V}_{P_{i+1}}(Q_{i})\right) ^{p^3-1} \end{aligned}$$

where \(x=-2^{74} -2^{72} -2^{46} -2^{31} .\)

1.2.1 Serial Computation of the \(\beta \)-Weil Pairing Computations on the BLS-9

Algorithm 3 computes and stores the line functions necessary to find \(f_{-x,P_{i}},\) \(i=0,1,2\) for a cost of \( 3(74\cdot 13 M+3\cdot 16 M) +2(I+2 M)= \mathbf{3034M}+ 2I .\) Also Algorithm 3 computes and stores the line functions for \(f_{x,Q},\) for a cost of \(74(39 M+ I)+3(39 M+ I)=\mathbf{3003} M+77 I .\) Whereas Algorithm 4 computes and stores the line functions for \(f_{x,Q_{i}},\) \(i=1,2\) for a cost of \( 2\cdot 77\cdot 8 M=\mathbf{1232} M \).

Before using Algorithm 5 to find the product of Miller’s functions, we first compute \(\pi _{p^{i}}(Q)\) for \(i=1,2\) for the cost of \( 2\cdot 4 M=\mathbf{8} M .\) See Table 6 for the other computations.

Table 6 computational cost of Algorithm 5 for \(\beta _{9}\) with the help of [17]

The total cost of the \(\beta \)-Weil pairing on the BLS-9 is then \(26984 M+ 80I. \)

1.2.2 Parallel Computation of \(\beta _{9}(P,Q)\) Using 3 Processors

The parallel computation with 3 processors of the \(\beta \)-Weil pairing on the BLS-9 curve is defined as

$$\begin{aligned} \beta _{9}(P,Q)=(X^{p}\cdot Y \cdot Z)^{p^{3}-1} \end{aligned}$$

Where

$$\begin{aligned} X= & {} f_{x,\pi _{p}(Q)}(P) \cdot f_{-x,P}(\pi _{p}(Q)) \cdot \mathcal {V}_{P_{1}}(\pi _{p}(Q)),\\ Y= & {} f_{x,\pi _{p}(Q)}(P_{1}) \cdot f_{-x,P_{1}}(\pi _{p}(Q))\cdot \mathcal {V}_{P_{2}}(\pi _{p}(Q)),\\ Z= & {} f_{x,Q}(P_{2})\cdot f_{-x,P_{2}}(Q) \cdot \mathcal {V}_{P_{3}}(Q). \end{aligned}$$

Step 1.

1. 1.

   The \( 1^{st}\) processor computes \(CSL([p^i]P,-x)=h_{i}\) for \(i=0,1,2\) for a cost of \( 3(74\cdot 13 M+3\cdot 16 M) +2(I+2 M)= 3034 M+ 2 I .\)

2. 2.

   The \(2^{nd}\) processor computes \(CSL(Q,x)=g_{0}\) for a cost of \(74(39 M+ I)+3(39 M+ I)= 3003 M + 77 I.\)

3. 3.

   The \(3^{rd}\) processor computes \(\pi _{p}(Q)\) and \(CSL(\pi _{p}(Q),x)=g_{1}\) for a cost of \( 4 M+ 3003 M + 77 I= \mathbf{3007} M + 77 I . \)

Step 2.

1. 1.

   The \(1^{st}\) processor computes \(X_{1}=EPM \big (\big [ (g_{1},P_{0}),(h_{0},\pi _{p}(Q)) \big ],x\big )\) as in Table 6, at a cost of \(8M+74\cdot 25 M+74[(33 M+3 M+36 M+9 M )]+3[(33 M+3 M+36 M+9 M )+33 M]= \mathbf{8194} M .\) Also this processor computes \(X=X_{1} \cdot \mathcal {V}_{P_{1}}(\pi _{p}(Q))\) for \( \mathbf{24} M .\)

2. 2.

   The \(2^{nd}\) processor computes \(Y_{1}=EPM \big (\big [(g_{1},P_{1}), (h_{1},\pi _{p}(Q))\big ],x\big )\) and \(Y=Y_{1}\cdot \mathcal {V}_{P_{2}}(Q_{1})\) for the same cost.

3. 3.

   The \(3^{rd}\) processor computes \(Z_{1}=EPM \big (\big [(g_{0},P_{2}), (h_{2},Q)\big ],x\big )\) and \(Z=Z_{1}\cdot \mathcal {V}_{P_{3}}(Q)\) for the same cost.

Step 3.

Since \(\beta _{9}(P,Q)=((X^p\cdot Y \cdot Z)^{p^{3}-1},\) in the final step one processor computes one \( p^3\) Frobenius map, three multiplications and one inversion in \(\mathbb {F}_{p^{9}}\) which yields \(6 M+3 M_{9} +I_{9}=\mathbf{189} M+I . \)

The total cost of the parallel computation of the \(\beta \)-Weil pairing on BLS-9 using 3 processors is \(\mathbf{11414} M+78 I .\)

Appendix B. Original \(\beta \)-Weil Pairing on BLS Curves with Embedding Degree 27, 15 and 9.

In this section, we find the theoretical cost of the original \(\beta \)-Weil pairing computation on BLS-27,  BLS-15,  and BLS-9 curves without storage technique and multifunction technique.

The original \(\beta \)-Weil pairing (see theorem 2.1) on BLS-27 for seed \(x=-2^{51}-2^{31}-2^{21}-2^{8}-2^4\) is given as:

$$\begin{aligned} \beta _{27}(P,Q)= & {} \prod _{i=0}^{8}\left( \dfrac{f_{x,Q}([p^i]P)}{ f_{x,[p^i]P}(Q)}\right) ^{(p^{8-i})(p^{9}-1)}\\= & {} \bigg [ \big ( f^{p^8}_{x,Q}(P)\cdot f^{p^7}_{x,Q}([p]P)\cdot f^{p^6}_{x,Q}([p^2]P)\cdot f^{p^5}_{x,Q}([p^3]P)\cdot f^{p^4}_{x,Q}([p^4]P)\\&\cdot \,f^{p^3}_{x,Q}([p^5]P)\cdot f^{p^2}_{x,Q}([p^6]P)\cdot f^{p}_{x,Q}([p^7]P)\cdot f_{x,Q}([p^8]P)\big )\\&\cdot \, \big ( f^{p^8}_{x,P}(Q)\cdot f^{p^7}_{x,[p]P}(Q)\cdot f^{p^6}_{x,[p^2]P}(Q)\cdot f^{p^5}_{x,[p^3]P}(Q)\cdot f^{p^4}_{x,[p^4]P}(Q)\\&\cdot \,f^{p^3}_{x,[p^5]P}(Q)\cdot f^{p^2}_{x,[p^6]P}(Q)\cdot f^{p}_{x,[p^7]P}(Q)\cdot f_{x,[p^8]P}(Q)\big )^{-1} \bigg ]^{p^9-1} \end{aligned}$$

1.1 Serial Computation

Original \(\beta \)-Weil pairing for serial computation are 9 Miller lite functions, 9 full Miller functions, 2 p, 2 \(p^2,\) 2 \(p^3,\) 2 \(p^4,\) 2 \(p^5,\) 2 \(p^6,\) 2 \(p^7,\) 2 \(p^8,\) and 1 \(p^9\) Frobenius maps, 18 multiplications, 2 inversions in \(\mathbb {F}_{p^{27}}.\) From Algorithm 2, the cost of Miller Lite is \(34M+51(125 M)+51(13 M +27 M +216 M)+4(16 M +27 M + 216M+216 M) = 21365 M.\) The cost of Full Miller is \(34M+51(125 M)+51(233 M +I+9M +189 M)+4(233M +I+9M +189 M+189M) = 30870 M +55 I.\) The total cost is \( 9\cdot 21365 M+9(30870 M +55 I)+2(3\cdot 18 M+6\cdot 26 M)+18 M+ 18\cdot 216 M +2(I+449 M +62 S)=475463 M+497 I.\)

Similarly, the computational cost of the original \(\beta \)-Weil pairing on BLS-15 given as \(\beta _{15}(P,Q)= \prod _{i=0}^{4}\left( \dfrac{f_{x,Q}([p^i]P)}{ f_{x,[p^i]P}(Q)}\right) ^{(p^{4-i})(p^{5}-1)}\) with \(x=-2^{77}-2^{76}-2^{68}-2^{50}\) is \( 5 Miller.Lite+5 Full.Miller+2(F_{1}+F_{2}+F_{3}+F_{4})+10 M_{15}+F_{5}+2 I_{15}=177657 M+401 I, \) where \(Miller.Lite= 14747 M\) and \(Full.Miller=20498 M+80 I.\)

Also, the computational cost of the original \(\beta \)-Weil pairing on BLS-9 given as \(\beta _{9}(P,Q)= \prod _{i=0}^{2}\left( \dfrac{f_{x,Q}([p^i]P)}{ f_{x,[p^i]P}(Q)}\right) ^{(p^{2-i})(p^{3}-1)}\) with \(x=-2^{74}-2^{72}-2^{46}-2^{31}\) is \( 3 Miller.Lite+3 Full.Miller+2(F_{1}+F_{2})+6 M_{9}+F_{3}+2 I_{9}=43874 M+232I, \) where \(Miller.Lite= 6441 M\) and \(Full.Miller=7972 M+77 I.\)

1.2 Parallel Computation of \(\beta \)-Weil Pairing on BLS-27 Using 3 Processors

\(1^{st}\) processor computes

\(\bigg (f^{p^8}_{x,Q}(P). f^{p^7}_{x,Q}([p]P)\cdot f^{p^6}_{x,Q}([p^2]P)\bigg )\cdot \bigg ( f^{p^8}_{x,P}(Q)\cdot f^{p^7}_{x,[p]P}(Q)\cdot f^{p^6}_{x,[p^2]P}(Q) \bigg )^{-1}\)

\(2^{nd}\) processor computes

\(\bigg (f^{p^5}_{x,Q}([p^3]P)\cdot f^{p^4}_{x,Q}([p^4]P)\cdot f^{p^3}_{x,Q}([p^5]P)\bigg )\cdot \bigg ( f^{p^5}_{x,[p^3]P}(Q)\cdot f^{p^4}_{x,[p^4]P}(Q)\cdot f^{p^3}_{x,[p^5]P}(Q) \bigg )^{-1}\)

\(3^{rd}\) processor computes

\(\bigg ( f^{p^2}_{x,Q}([p^6]P)\cdot f^{p}_{x,Q}([p^7]P)\cdot f_{x,Q}([p^8]P)\bigg )\cdot \bigg ( f^{p^2}_{x,[p^6]P}(Q)\cdot f^{p}_{x,[p^7]P}(Q)\cdot f_{x,[p^8]P}(Q) \bigg )^{-1}\)

We see that, \(3^{rd}\) processor’s cost is greater than \(1^{st}\) and \(2^{nd}\) processors’ cost because \(3^{rd}\) processor require the extra computation of \([p^i]P\) \((1\le i\le 6)\) which does not require in \(1^{st}\) and \(2^{nd}\) processors. Therefore, the computational cost of the \(3^{rd}\) processor is \( cost.of.([p^6]P)+3 Miller.Lite+3 Full.MIller+2(F_{1}+F_{2})+5 M_{27}+I_{27}= 6\cdot 727 M+3(21365 M)+3(30870 M +55 I)+2( 26 M+26 M) + 5\cdot 216 M+(449 M+I)=162700 M+166 I.\) In the last step, one processor multiplies the three results of each processor and computes the \(p^9-1\) power at a cost of \(3\cdot 216 M+18M+(I+449 M)=1115 M+I.\) Therefore, the total cost is \(163815 M+167 I.\)

Appendix C: Computation of the Optimal Ate Pairing on BLS\(-27\) Curve with a New Parameter

Remark 8.1

The method of [8] (section 3 page 6 ) for parallelizing the computation of the Miller function \(f_{x, Q}\) is the following. We first write \(x=2^{w}x_{1}+x_{0},\) where \(x_{0}< 2^w.\) We obtain

$$\begin{aligned} f_{x, Q}= f^{2^w}_{x_{1}, Q} \cdot f_{2^w, x_{1}Q} \cdot f_{x_{0}, Q} \cdot \frac{l_{2^wx_{1}Q,x_{0}Q}}{V_{xQ}} \end{aligned}$$

Thus the computation of \(f_{x, Q}\) can be parallelized by computing \(f^{2^w}_{x_{1}, Q}\) on one processor, \(f_{2^w, x_{1}Q}\) on a second processor and \(f_{x_{0}, Q} \cdot \frac{l_{2^wx_{1}Q,x_{0}Q}}{V_{xQ}}\) on a third processor. This is the case where the three processors are independent. The parameter w should be carefully selected in order to balance the time of the three function computations. And if it is done in the right way we can estimate the cost one processor (the more costly) to be about \(\frac{1}{3}\) of the initial Miller loop. Note that we can only parallelize the Miller function but not the final exponentiation.

The optimal Ate pairing on \(BLS-27\) curve in [13] is given by:

$$\begin{aligned} e_{0}(Q,P)=f_{x,Q}(P)^{(p^{27}-1)/r}. \end{aligned}$$

For \(x=-2^{51}-2^{31}-2^{21}-2^{8}-2^{4},\) the Miller loop executes 51 doubling steps, 4 addition steps, 51 squarings and 59 multiplications in \(\mathbb {F}_{p^{27}}\). As in [17], the Miller loop cost of \(M{27}=34M+51(233 M +I+9M )+4(233M +I+9M )+51(125 M)+59\cdot 189 M = 30870 M +55 I.\)

The final exponentiation is divided into two parts: the easy part \(A=f^{p^{9}-1}\) and the hard part \(A^{d}\), where \(d=(p^{18}+p^{9}+1)/r\).

the easy part is 1 \(p^{9}-\)Frobenius, 1 multiplications and 1 inversion in \(\mathbb {F}_{p^{27}}\). That is \(18 M+ 1 M_{27}+1 I_{27}=682M+I\). The element \(d=(p^{18}p+^{9}+1)/r\), is decomposed as

\((x-1)^2\cdot (p^9+x^9+1)\cdot (p^8+x.p^7+...+x^7.p+x^8)+3.\) The evaluation of the hard part is as follows:

\(A_{1}=A^{p^8}\cdot A^{xp^7}\cdot A^{x^2p^6}\cdot A^{x^3p^5}\cdot A^{x^4p^4}\cdot A^{x^5p^3}\cdot A^{x^6p^2}\cdot A^{x^7p}\cdot A^{x^8},\)

\(A_{2}=A_{1}^{(x-1)^2},\) \(A_{3}=A_{2}^{x^9}\cdot A_{2}^{p^9}\cdot A_{2},\) \(A_{4}=A^3\cdot A_{3}.\)

The computation of the hard part requires 17 powers of x,  2 powers of \(x-1,\) 11 multiplications in \(\mathbb {F}_{p^{27}}\) and p, \(p^2, p^3, p^4, p^5, p^6, p^7, p^8, p^9-\)Frobenius maps. The negative coefficient in the value of x requires 19 inversions in the cyclotomic subgroup when raising to the power of x during the final exponentiation. (Note that \(A^{-1} = A^{p^9}\cdot A^{p^{18}}\) and cost \(2\cdot 18M+ 1 M_{27}=252 M \) ). The hard part then cost

\( 17(51 S_{27} + 4 M_{27})+2(51 S_{27} + 5 M_{27}) + 11 M_{27}+2\cdot 18M+6\cdot 26M+19 I_{G_{\varphi _{3}(p^9)}}= 145329 M .\) The computational cost of the optimal Ate pairing over \(BLS-27-\)curve is then \((31365 M +55 I) +(682M+I)+145329 M=\mathbf{176881} M+56I .\)

Appendix D: Computation of the Optimal Ate Pairing on BLS-15 Curve with a New Parameter

Similarly, we evaluate \(e_{0}(Q,P)=f_{x,Q}(P)^{(p^{15}-1)/r}\) with \(x=-2^{77}-2^{76}-2^{68}-2^{50}\) on BLS-15 curve. The computational cost of Miller full is \(20498 M +80 I\) and best cost of the final exponentiation is \(9 E_{x}+2 E_{x-1}+12 M_{15}+S_{15}+I_{15}+3 I_{cyc}+3 F_{1}+F_{2}+F_{3}+F_{4}+2 F_{5}+F_{6}+F_{7}\) see [36]) for this we will add 11 cyclotomique inversion due to the negative parameter x. \(E_{x}=77 S_{15}+3 M_{15},\) \(E_{x-1}=77 S_{15}+4 M_{15}\) and \(I_{cyc}=54 M.\) Thus the final exponentiation cost \(70971 M+I\) and the computational cost of the optimal ate is then \(91469 M+81I.\)

Appendix E: Computation of the Optimal Ate Pairing on BLS-9 Curve with a New Parameter

We evaluate \(e_{0}(Q,P)=f_{x,Q}(P)^{(p^{9}-1)/r}\) with \(x=-2^{74}-2^{72}-2^{46}-2^{31}\) on BLS-9 curve. The computational cost of Miller full is \(7972 M +77I\) and the optimal cost of the final exponentiation is \(5 E_{x}+2 E_{x-1}+7 M_{9}+S_{9}+I_{9}+ F_{1}+F_{2}+2F_{3}\) see [36]) for this we will add 7 cyclotomique inversion due to the negative parameter x. \(E_{x}=74 S_{9}+3 M_{9},\) \(E_{x-1}=74 S_{9}+4 M_{9}\) and \(I_{cyc}=33 M.\) Thus the final exponentiation cost \(14393M+I\) and the computational cost of the optimal Ate is then \(22365 M+78 I.\)