The Realm of the Pairings
Abstract
Bilinear maps, or pairings, initially proposed in a cryptologic context for cryptanalytic purposes, proved afterward to be an amazingly flexible and useful tool for the construction of cryptosystems with unique features. Yet, they are notoriously hard to implement efficiently, so that their effective deployment requires a careful choice of parameters and algorithms. In this paper we review the evolution of pairing-based cryptosystems, the development of efficient algorithms and the state of the art in pairing computation, and the challenges yet to be addressed on the subject, while also presenting some new algorithmic and implementation refinements in affine and projective coordinates.
Keywords
Pairing-based cryptosystems, efficient algorithms
1 Introduction
Bilinear maps, or pairings, between the (divisors on the) groups of points of certain algebraic curves over a finite field, particularly the Weil pairing [94] and the Tate (or Tate-Lichtenbaum) pairing [45], were introduced in a cryptologic context for destructive, cryptanalytic purposes, namely, mapping the discrete logarithm problem on those groups to the discrete logarithm problem on the multiplicative group of a certain extension of the base field [46, 66]: while the best generic classical (non-quantum) algorithm for the discrete logarithm problem on the former groups is exponential, in the latter case subexponential algorithms are known, so that such a mapping may yield a problem that is asymptotically easier to solve.
It turned out, perhaps surprisingly, that these same tools have a much more relevant role in a constructive cryptographic context, as the basis for the definition of cryptosystems with unique properties. This has been shown in the seminal works on identity-based non-interactive authenticated key agreement by Sakai, Ohgishi and Kasahara [84], and on one-round tripartite key agreement by Joux [56], which then led to an explosion of protocols exploring the possibilities of identity-based cryptography and many other schemes, with ever more complex features.
All this flexibility comes at a price: pairings are notoriously expensive in implementation complexity and processing time (and/or storage occupation, in a trade-off between time and space requirements). This imposes a very careful choice of algorithms and curves to make them really practical. The pioneering approach by Miller [67, 68] showed that pairings could be computed in polynomial time, but there is a large gap from there to a truly efficient implementation approach.
Indeed, progress in this line of research has not only revealed theoretical bounds on how efficiently a pairing can be computed in the sense of its overall order of complexity [93]; the literature now also contains very detailed approaches to truly practical, extremely optimized implementations that cover all operations typically found in a pairing-based cryptosystem, rather than just the pairing itself [4, 80]. One can therefore reasonably ask how far this trend can be pushed, and how “notoriously expensive” pairings really are (or even whether they really are as expensive as the folklore pictures them).
Our Contribution. In this paper we review the evolution of pairing-based cryptosystems, the development of efficient algorithms for the computation of pairings and the state of the art in the area, and the challenges yet to be addressed on the subject.
Furthermore, we provide some new refinements to the pairing computation in affine and projective coordinates over ordinary curves, perform an up-to-date analysis of the best algorithms for the realization of pairings with special focus on the 128-bit security level, and present a very efficient implementation for x64 platforms.
Organization. The remainder of this paper is organized as follows. Section 2 introduces essential notions on elliptic curves and bilinear maps for cryptographic applications, including some of the main pairing-based cryptographic protocols and their underlying security assumptions. Section 3 reviews the main proposals for pairing-friendly curves and the fundamental algorithms for their construction and manipulation. In Sect. 4, we describe some optimizations to formulas in affine and projective coordinates, carry out a performance analysis of the best available algorithms and discuss benchmarking results of our high-speed implementation targeting the 128-bit security level on various x64 platforms. We conclude in Sect. 5.
2 Preliminary Concepts
Let \(q = p^m\). An elliptic curve \(E/\mathbb {F}_q\) is a smooth projective algebraic curve of genus one with at least one \(\mathbb {F}_q\)-rational point. The affine part satisfies an equation of the form \(E: y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6\) where \(a_i \in \mathbb {F}_q\). Points on \(E\) are affine points \((x, y) \in \mathbb {F}_q^2\) satisfying the curve equation, together with an additional point at infinity, denoted \(\infty \). The set of curve points whose coordinates lie in a particular extension field \(\mathbb {F}_{q^k}\) is denoted \(E(\mathbb {F}_{q^k})\) for \(k > 0\) (note that the \(a_i\) remain in \(\mathbb {F}_q\)). Let \(\#E(\mathbb {F}_q)=n\) and write \(n = q + 1 - t\); \(t\) is called the trace of the Frobenius endomorphism. By Hasse’s theorem, \(|t| \leqslant 2\sqrt{q}\).
An (additive) Abelian group structure is defined on \(E\) by the well known chord-and-tangent method [91]. The order of a point \(P \in E\) is the least positive integer \(r\) such that \([r]P = \infty \), where \([r]P\) is the sum of \(r\) terms equal to \(P\). The order \(r\) of a point divides the curve order \(n\). For a given integer \(r\), the set of all points \(P \in E\) such that \([r]P = \infty \) is denoted \(E[r]\). We say that \(E[r]\) has embedding degree \(k\) if \(r \mid q^k - 1\) and \(r \nmid q^s - 1\) for any \(0 < s < k\).
The complex multiplication (CM) method [37] constructs an elliptic curve with a given number of points \(n\) over a given finite field \(\mathbb {F}_q\) as long as \(n = q + 1 - t\) as required by the Hasse bound, and the norm equation \(DV^2 = 4q - t^2\) can be solved for “small” values of the discriminant \(D\), from which the \(j\)-invariant of the curve (which is a function of the coefficients of the curve equation) can be computed, and the curve equation is finally given by \(y^2 = x^3 + b\) (for certain values of \(b\)) when \(j = 0\), by \(y^2 = x^3 + ax\) (for certain values of \(a\)) when \(j = 1728\), and by \(y^2 = x^3 - 3cx + 2c\) with \(c := j/(j - 1728)\) when \(j \not \in \{0, 1728\}\).
A divisor is a finite formal sum \(\mathcal {A} = \sum _P{a_P(P)}\) of points on the curve \(E(\mathbb {F}_{q^k})\). An Abelian group structure is defined on the set of divisors by the addition of corresponding coefficients in their formal sums; in particular, \(n\mathcal {A} = \sum _P{(n \, a_P)(P)}\). The degree of a divisor \(\mathcal {A}\) is the sum \(\deg (\mathcal {A}) = \sum _P{a_P}\). Let \(f: E(\mathbb {F}_{q^k}) \rightarrow \mathbb {F}_{q^k}\) be a function on the curve. We define \(f(\mathcal {A}) \equiv \prod _P{f(P)^{a_P}}\). Let \({{\mathrm{ord}}}_P(f)\) denote the multiplicity of the zero or pole of \(f\) at \(P\) (if \(f\) has no zero or pole at \(P\), then \({{\mathrm{ord}}}_P(f) = 0\)). The divisor of \(f\) is \((f) := \sum _P{{{\mathrm{ord}}}_P(f)(P)}\). A divisor \(\mathcal {A}\) is called principal if \(\mathcal {A} = (f)\) for some function \(f\). A divisor \(\mathcal {A}\) is principal if and only if \(\deg (\mathcal {A}) = 0\) and \(\sum _P{a_P P} = \infty \) [65, theorem 2.25]. Two divisors \(\mathcal {A}\) and \(\mathcal {B}\) are equivalent, \(\mathcal {A} \sim \mathcal {B}\), if their difference \(\mathcal {A} - \mathcal {B}\) is a principal divisor. Let \(P \in E(\mathbb {F}_q)[r]\) where \(r\) is coprime to \(q\), and let \(\mathcal {A}_P\) be a divisor equivalent to \((P) - (\infty )\); under these circumstances the divisor \(r\mathcal {A}_P\) is principal, and hence there is a function \(f_P\) such that \((f_P) = r\mathcal {A}_P = r(P) - r(\infty )\).
Given three groups \(\mathbb {G}_1\), \(\mathbb {G}_2\), and \(\mathbb {G}_T\) of the same prime order \(n\), a pairing is a feasibly computable, non-degenerate bilinear map \(e: \mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T\). The groups \(\mathbb {G}_1\) and \(\mathbb {G}_2\) are commonly (in the so-called Type III pairing setting) determined by the eigenspaces of the Frobenius endomorphism \(\phi _q\) on some elliptic curve \(E/\mathbb {F}_q\) of embedding degree \(k>1\). More precisely, \(\mathbb {G}_1\) is taken to be the 1-eigenspace \(E[n] \cap \ker (\phi _q - [1]) = E(\mathbb {F}_q)[n]\). The group \(\mathbb {G}_2\) is usually taken to be the preimage \(E'(\mathbb {F}_{q^g})[n]\) of the \(q\)-eigenspace \(E[n] \cap \ker (\phi _q - [q]) \subseteq E(\mathbb {F}_{q^k})[n]\) under a twisting isomorphism \(\psi : E' \rightarrow E\), \((x, y) \mapsto (\mu ^2 x, \mu ^3 y)\) for some \(\mu \in \mathbb {F}_{q^k}^*\). In particular, \(g = k/d\) where the curve \(E'/\mathbb {F}_{q^g}\) is the unique twist of \(E\) with largest possible twist degree \(d \mid k\) for which \(n\) divides \(\#E'(\mathbb {F}_{q^g})\) (see [55] for details). This means that \(g\) is as small as possible.
A Miller function \(f_{i,P}\) is a function with divisor \((f_{i,P}) = i(P) - ([i]P) - (i-1)(\infty )\). Miller functions are at the root of most if not all pairings proposed for cryptographic purposes, which in turn induce efficient algorithms derived from Miller’s algorithm [67, 68]. A Miller function satisfies \(f_{a+b,P}(Q) = f_{a,P}(Q) \cdot f_{b,P}(Q) \cdot g_{[a]P,[b]P}(Q) / g_{[a+b]P}(Q)\) up to a constant nonzero factor in \(\mathbb {F}_q\), for all \(a, b \in \mathbb {Z}\), where the so-called line functions \(g_{[a]P,[b]P}\) and \(g_{[a+b]P}\) satisfy \((g_{[a]P,[b]P}) = ([a]P) + ([b]P) + (-[a+b]P) - 3(\infty )\), \((g_{[a+b]P}) = ([a+b]P) + (-[a+b]P) - 2(\infty )\). The advantage of Miller functions with respect to elliptic curve arithmetic is now clear, since with these relations the line functions, and hence the Miller functions themselves, can be efficiently computed as a side result during the computation of \([n]P\) by means of the usual chord-and-tangent method.
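As an added worked derivation (ours, not part of the original text), specializing the relation above to \(a = b = i\) and to \(a = i\), \(b = 1\) yields the two steps of Miller’s double-and-add loop. For the doubling step, the divisors match term by term:
\[
(f_{i,P}^2) + (g_{[i]P,[i]P}) - (g_{[2i]P})
= \bigl[2i(P) - 2([i]P) - (2i-2)(\infty )\bigr] + \bigl[2([i]P) + (-[2i]P) - 3(\infty )\bigr] - \bigl[([2i]P) + (-[2i]P) - 2(\infty )\bigr]
= 2i(P) - ([2i]P) - (2i-1)(\infty ) = (f_{2i,P}).
\]
Hence, up to the constant factor,
\[
f_{2i,P} = f_{i,P}^2 \cdot \frac{g_{[i]P,[i]P}}{g_{[2i]P}}, \qquad f_{i+1,P} = f_{i,P} \cdot \frac{g_{[i]P,P}}{g_{[i+1]P}},
\]
where \(f_{1,P}\), whose divisor \((P) - (P) - 0(\infty )\) is zero, is a constant and is taken to be 1. Writing \(\ell = \sum _{j=0}^{L} \ell _j 2^j\) with \(\ell _L = 1\), Miller’s algorithm therefore evaluates \(f_{\ell ,P}(Q)\) as
\[
\begin{array}{l}
T \leftarrow P,\; f \leftarrow 1 \\
\text{for } j = L-1 \text{ down to } 0: \\
\quad f \leftarrow f^2 \cdot g_{T,T}(Q) / g_{[2]T}(Q),\; T \leftarrow [2]T \\
\quad \text{if } \ell _j = 1: \; f \leftarrow f \cdot g_{T,P}(Q) / g_{T+P}(Q),\; T \leftarrow T + P \\
\text{return } f
\end{array}
\]
with the invariant that after each iteration \(T = [m]P\) and \(f = f_{m,P}(Q)\) for the integer \(m\) formed by the bits of \(\ell \) processed so far. Here \(g_{T,T}\) is the tangent at \(T\) and \(g_{T,P}\) the chord through \(T\) and \(P\), i.e. exactly the lines drawn by the chord-and-tangent step that computes \([2]T\) or \(T+P\), and \(g_{[2]T}\), \(g_{T+P}\) are the vertical lines through the resulting points; the function values therefore fall out of the scalar multiplication at the cost of a few extra field multiplications per step.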
2.1 Protocols and Assumptions
As an illustration of the enormous flexibility that pairings bring to the construction of cryptographic protocols, we present a (necessarily incomplete) list of known schemes according to their overall category.
Foremost among pairing-based schemes are the identity-based cryptosystems. These include plain encryption [17], digital signatures [24, 83], (authenticated) key agreement [25], chameleon hashing [27], and hierarchical extensions thereof with or without random oracles [22, 51].
Other pairing-based schemes are not identity-based but feature special functionalities like secret handshakes [5], short/aggregate/verifiably encrypted/group/ring/blind signatures [19, 20, 26, 97, 98] and signcryption [9, 21, 61].
The security of these schemes rests on a variety of assumptions, among which:
\(\mathsf {q}\)-Strong Diffie-Hellman (\(\mathsf {q}\)-SDH) [16] and many related assumptions (like the Inverse Computational Diffie-Hellman (InvCDH), the Square Computational Diffie-Hellman (SquCDH), the Bilinear Inverse Diffie-Hellman (BIDH), and the Bilinear Square Diffie-Hellman (BSDH) assumptions [98]): Given a \((\mathsf {q}+2)\)-tuple \((g_1,g_2, g_2^x, \dots , g_2^{x^\mathsf {q}}) \in \mathbb {G}_1 \times \mathbb {G}_2^{\mathsf {q}+1}\) as input, compute a pair \((c, g_1^{1/(x+c)}) \in \mathbb {Z}/n\mathbb {Z}\times \mathbb {G}_1\).
Decision Bilinear Diffie-Hellman (DBDH) [18] and related assumptions (like the \(k\)-BDH assumption [14]): Given generators \(g_1\) and \(g_2\) of \(\mathbb {G}_1\) and \(\mathbb {G}_2\) respectively, and given \(g_1^a\), \(g_1^b\), \(g_1^c\), \(g_2^a\), \(g_2^b\), \(g_2^c\), \(e(g_1,g_2)^z\), determine whether \(e(g_1,g_2)^{abc} = e(g_1,g_2)^z\).
Gap Diffie-Hellman (GDH) assumption [77]: Given \((g, g^a, g^b) \in \mathbb {G}^3\) for a group \(\mathbb {G}\) equipped with an oracle for deciding whether \(g^{ab} = g^c\) for any given \(g^c \in \mathbb {G}\), find \(g^{ab}\).
\((k + 1)\)-Exponent Function meta-assumption: Given a function \(f: \mathbb {Z}/n\mathbb {Z}\rightarrow \mathbb {Z}/n\mathbb {Z}\) and a sequence \((g, g^a, g^{f(h_1+a)}, \dots , g^{f(h_k+a)}) \in \mathbb {G}_1^{k+2}\) for some \(a\), \(h_1, \dots , h_k \in \mathbb {Z}/n\mathbb {Z}\), compute \(g^{f(h+a)}\) for some \(h \notin \{h_1, \dots , h_k\}\).
Not all of these assumptions are entirely satisfactory from the point of view of their relation to the computational complexity of the more fundamental discrete logarithm problem. In particular, the Cheon attack [28, 29] showed that, contrary to most discrete-logarithm-style assumptions, which usually claim a practical security level of \(2^\lambda \) for \(2\lambda \)-bit keys due to e.g. the Pollard-\(\rho \) attack [81], the \(\mathsf {q}\)-SDH assumption may need \(3\lambda \)-bit keys to attain that security level, depending on the choice of \(\mathsf {q}\).
3 Curves and Algorithms
3.1 Supersingular Curves
Early proposals to obtain efficient pairings invoked the adoption of supersingular curves [40, 49, 82], which led to the highly efficient concept of \(\eta \) pairings [7] over fields of small characteristic. This setting enables the so-called Type I pairings, which are defined with both arguments from the same group [50] and facilitate the description of many protocols and the construction of formal security proofs. Unfortunately, recent developments bring that approach into question, since discrete logarithms in the multiplicative groups of the associated extension fields have proven far easier to compute than anticipated [6].
Certain ordinary curves, on the other hand, are not known to be susceptible to that line of attack, and also yield very efficient algorithms, as we will see next.
3.2 Generic Constructions
The Cocks-Pinch construction [32] enables the construction of elliptic curves over \(\mathbb {F}_q\) containing a pairing-friendly group of order \(n\) for any prescribed embedding degree, but only with \(\lg (q)/\lg (n) \approx 2\).
The Dupont-Enge-Morain strategy [39] is similarly generic in the sense of its embedding degree flexibility, and proceeds by maximizing the trace of the Frobenius endomorphism. Like the Cocks-Pinch method, it only attains \(\lg (q)/\lg (n) \approx 2\).
3.3 Sparse Families of Curves
Certain families of curves may be obtained by parameterizing the norm equation \(4q - t^2 = 4hn - (t - 2)^2 = DV^2\) with polynomials \(q(u)\), \(t(u)\), \(h(u)\), \(n(u)\), then choosing \(t(u)\) and \(h(u)\) according to some criteria (for instance, setting \(h(u)\) to be some small constant polynomial yields near-prime order curves), and directly finding integer solutions (in \(u\) and \(V\)) to the result. In practice this involves a clever mapping of the norm equation into a Pell-like equation, whose solutions lead to actual curve equations via complex multiplication (CM).
Their main drawback is the relative rarity of suitable curves (the only embedding degrees known to yield solutions are \(k \in \{3, 4, 6, 10\}\), and the size of the integer solutions \(u\) grows exponentially), especially those of prime order. Historically, sparse families are divided into Miyaji-Nakabayashi-Takano (MNT) curves and Freeman curves.
MNT curves were the first publicly known construction of ordinary pairing-friendly curves [71]. Given their limited range of admissible embedding degrees (namely, \(k \in \{3, 4, 6\}\)), the apparent finiteness of MNT curves of prime order [58, 63, 92], and efficiency considerations (see e.g. [44]), MNT curves are less useful for higher security levels (say, from about \(2^{112}\) onward).
Freeman curves [43], with embedding degree \(k = 10\), are far rarer and suffer more acutely from the fact that the nonexistence of a twist of degree higher than quadratic forces the group \(\mathbb {G}_2\) to be defined over \(\mathbb {F}_{q^5}\). Besides, this quintic extension cannot be constructed using a binomial representation.
3.4 Complete Families of Curves
Instead of trying to solve the partially parameterized norm equation \(4h(u)n(u) - (t(u) - 2)^2 = DV^2\) for \(u\) and \(V\) directly as for the sparse families of curves, one can also parameterize \(V = V(u)\) as well. Solutions may exist if the parameters can be further constrained, which is usually done by considering the properties of the number field \(\mathbb {Q}[u]/n(u)\), specifically by requiring that it contains a \(k\)-th root of unity where \(k\) is the desired embedding degree. Choosing \(n(u)\) to be a cyclotomic polynomial \(\varPhi _\ell (u)\) with \(k \mid \ell \) yields the suitably named cyclotomic family of curves [10, 11, 23, 44], which enable a reasonably small ratio \(\rho := \lg (q)/\lg (n)\) (e.g. \(\rho = (k+1)/(k-1)\) for prime \(k \equiv 3 \pmod {4}\)).
Yet, there is one other family of curves that attains \(\rho \approx 1\), namely, the Barreto-Naehrig (BN) curves [12]. BN curves arguably constitute one of the most versatile classes of pairing-friendly elliptic curves. A BN curve is an elliptic curve \(E_u: y^2 = x^3 + b\) defined over a finite prime field¹ \(\mathbb {F}_p\) of (typically prime) order \(n\), where \(p\) and \(n\) are given by \(p = p(u) = 36u^4 + 36u^3 + 24u^2 + 6u + 1\) and \(n = n(u) = 36u^4 + 36u^3 + 18u^2 + 6u + 1\) (hence \(t = t(u) = 6u^2 + 1\)) for \(u \in \mathbb {Z}\). One can check by straightforward inspection that \(\varPhi _{12}(t(u) - 1) = n(u)\, n(-u)\), hence \(\varPhi _{12}(p(u)) \equiv \varPhi _{12}(t(u) - 1) \equiv 0 \pmod {n(u)}\), so the group of order \(n(u)\) has embedding degree \(k = 12\).
BN curves also have \(j\)invariant 0, so there is no need to resort explicitly to the CM curve construction method: all one has to do is choose an integer \(u\) of suitable size such that \(p\) and \(n\) as given by the above polynomials are prime. To find a corresponding curve, one chooses \(b \in \mathbb {F}_p\) among the six possible classes so that the curve \(E: y^2 = x^3 + b\) has order \(n\).
Furthermore, BN curves admit a sextic twist (\(d=6\)), so that one can set \(\mathbb {G}_2 = E'(\mathbb {F}_{p^2})[n]\). This twist \(E'/\mathbb {F}_{p^2}\) may be selected by finding a non-square and non-cube \(\xi \in \mathbb {F}_{p^2}\) and then checking via scalar multiplication whether the curve \(E': y^2 = x^3 + b'\) given by \(b' = b/\xi \) or by \(b' = b/\xi ^5\) has order divisible by \(n\). However, construction methods are known that dispense with such a procedure, yielding the correct curve and its twist directly [80]. For convenience, following [85] we call the twist \(E': y^2 = x^3 + b/\xi \) a \(D\)-type twist, and we call the twist \(E': y^2 = x^3 + b\xi \) an \(M\)-type twist.
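As an added example (ours, not code from the paper nor from the RELIC library [3] it cites), the following Python script carries out the Sect. 3.4 recipe end to end: it evaluates \(p(u)\), \(n(u)\), \(t(u)\), checks primality, the Hasse bound and \(n \mid \varPhi _{12}(p)\), searches \(b\) among the six classes with the scalar-multiplication test, and then picks the sextic twist by testing \(b/\xi \) (\(D\)-type) against \(b\xi \) (\(M\)-type). Assumptions, beyond what the page states: \(u\) is odd, so \(p \equiv 3 \pmod 4\) and \(\mathbb {F}_{p^2}\) can be represented as \(\mathbb {F}_p[i]/(i^2+1)\) (this is \(\beta = -1\) in the cost table of Sect. 4.4, where multiplication by \(\beta \) is one addition and by \(\xi = 1 + i\) two); \(\xi = 1 + i\) is only a candidate and is verified to be a non-square and non-cube; the cofactor \(2p - n\) of the correct twist, i.e. \(\#E'(\mathbb {F}_{p^2}) = n(2p - n)\), is a property of BN curves from [12] that this page does not state; the primality test is Miller-Rabin, adequate for a search but to be confirmed with a proven test before deployment; and the sample parameter \(u = -(2^{62} + 2^{55} + 1)\) is a widely used 254-bit BN parameter from the literature, not a value taken from this page.

```python
import random

def bn_params(u):  # p(u), n(u), t(u) of the BN family (Sect. 3.4)
    p = 36*u**4 + 36*u**3 + 24*u**2 + 6*u + 1
    n = 36*u**4 + 36*u**3 + 18*u**2 + 6*u + 1
    return p, n, 6*u**2 + 1

def is_probable_prime(m, rounds=40):  # Miller-Rabin: fine for a search, confirm with a proven test before use
    if m < 2 or any(m % q == 0 for q in (2, 3, 5, 7, 11, 13)):
        return m in (2, 3, 5, 7, 11, 13)
    d, s = m - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, m - 1), d, m)
        if x in (1, m - 1): continue
        for _ in range(s - 1):
            x = x * x % m
            if x == m - 1: break
        else:
            return False
    return True

class Fp2:  # F_{p^2} = F_p[i]/(i^2 + 1): beta = -1, valid because p = 3 (mod 4) for odd u (assumption)
    p = None                                          # set by bn_setup()
    def __init__(self, a, b=0): self.a, self.b = a % Fp2.p, b % Fp2.p
    def __eq__(self, o): return self.a == o.a and self.b == o.b
    def __add__(self, o): return Fp2(self.a + o.a, self.b + o.b)
    def __sub__(self, o): return Fp2(self.a - o.a, self.b - o.b)
    def __mul__(self, o):                             # Karatsuba: 3 unreduced products, 2 reductions (3m_u + 2r)
        v0, v1 = self.a * o.a, self.b * o.b
        return Fp2(v0 - v1, (self.a + self.b) * (o.a + o.b) - v0 - v1)
    def sq(self): return Fp2((self.a - self.b) * (self.a + self.b), 2 * self.a * self.b)  # complex squaring: 2m_u + 2r
    def conj(self): return Fp2(self.a, -self.b)       # p-power Frobenius
    def inv(self):                                    # 1/(a+bi) = (a-bi)/(a^2+b^2): one F_p inversion
        t = pow(self.a * self.a + self.b * self.b, -1, Fp2.p)
        return Fp2(self.a * t, -self.b * t)
    def __truediv__(self, o): return self * o.inv()
    def __pow__(self, e):
        r, base = Fp2(1), self
        while e:
            if e & 1: r = r * base
            base, e = base.sq(), e >> 1
        return r

def sqrt_fp2(a):  # square root in F_{p^2} for p = 3 (mod 4); None if a is a non-square
    p = Fp2.p
    a1 = a ** ((p - 3) // 4)
    x0, alpha = a1 * a, a1 * a1 * a                   # a^((p+1)/4), a^((p-1)/2)
    if alpha == Fp2(-1): return Fp2(0, 1) * x0       # (i*x0)^2 = -a*alpha = a
    if alpha.conj() * alpha == Fp2(-1): return None  # alpha^(p+1) = a^((p^2-1)/2) = -1
    return (Fp2(1) + alpha) ** ((p - 1) // 2) * x0   # (1+alpha)^(p-1) = 1/alpha, so the square is a

def ec_add(P, Q):  # affine chord-and-tangent on y^2 = x^3 + b over F_{p^2}; None is the point at infinity
    if P is None or Q is None: return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 != y2 or y1 == Fp2(0): return None      # Q = -P
        lam = (Fp2(3) * x1 * x1) / (Fp2(2) * y1)      # tangent
    else:
        lam = (y2 - y1) / (x2 - x1)                   # chord
    x3 = lam.sq() - x1 - x2
    return (x3, lam * (x1 - x3) - y1)

def ec_mul(k, P):
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == '1': R = ec_add(R, P)
    return R

def find_point(b, base_field):  # point on y^2 = x^3 + b with smallest x in F_p; base_field=True also forces y in F_p
    x = Fp2(0)
    while True:
        y = sqrt_fp2(x * x * x + b)
        if y is not None and not (base_field and y.b != 0): return (x, y)
        x = x + Fp2(1)

def bn_setup(u):  # primes, Hasse bound, n | Phi_12(p), then the b (among six classes) with #E(F_p) = n
    p, n, t = bn_params(u)
    assert u % 2 == 1 and is_probable_prime(p) and is_probable_prime(n)
    assert t * t <= 4 * p and (p**4 - p**2 + 1) % n == 0
    Fp2.p, b = p, 1
    # One point suffices: n is prime and divides the order of exactly one of the six twists over F_p,
    # so [n]P = O for some P != O identifies that curve (and an order-n curve has no 2-torsion to trip on).
    while ec_mul(n, find_point(Fp2(b), True)) is not None: b += 1
    return p, n, t, b

def find_twist(p, n, b):  # sextic twist E': y^2 = x^3 + b' over F_{p^2}: ('D', b/xi) or ('M', b*xi)
    xi, one = Fp2(1, 1), Fp2(1)                       # candidate xi = 1 + i (assumption, verified next)
    assert xi ** ((p*p - 1) // 2) != one and xi ** ((p*p - 1) // 3) != one  # non-square and non-cube
    for kind, bp in (("D", Fp2(b) / xi), ("M", Fp2(b) * xi)):
        # #E'(F_{p^2}) = n(2p - n) for the right twist (BN property from [12]): clear the cofactor, then
        # what remains must lie in the n-torsion; on the wrong twist n divides no point order at all.
        Q = ec_mul(2 * p - n, find_point(bp, False))
        if Q is not None and ec_mul(n, Q) is None: return kind, bp
    raise ValueError("neither b/xi nor b*xi has order divisible by n")

if __name__ == "__main__":
    p, n, t, b = bn_setup(-(2**62 + 2**55 + 1))      # widely used 254-bit BN parameter (literature value)
    kind, bp = find_twist(p, n, b)
    print(f"p: {p.bit_length()} bits, b = {b}, {kind}-type twist, b' = {bp.a} + {bp.b}*i")
```

The search order of \(b\) matters only for determinism; since \(n\) is prime and the six \(j = 0\) twists over \(\mathbb {F}_p\) have pairwise distinct orders, a single \([n]P\) test per class is conclusive. The same cofactor-then-torsion test is what distinguishes the \(D\)-type from the \(M\)-type twist, because \(b/\xi ^5\) and \(b\xi \) differ by the sixth power \(\xi ^6\) and hence define isomorphic curves.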
3.5 Holistic Families
Early works targeting specifically curves that have some efficiency advantage have focused on only one or a few implementation aspects, notably the pairing computation itself [13, 15, 38, 90].
More modern approaches tend to consider most if not all efficiency aspects that arise in pairingbased schemes [34, 36, 80]. This means that curves of those families tend to support not only fast pairing computation, but efficient finite field arithmetic for all fields involved, curve construction, generator construction for both \(\mathbb {G}_1\) and \(\mathbb {G}_2\), multiplication by a scalar in both \(\mathbb {G}_1\) and \(\mathbb {G}_2\), point sampling, hashing to the curve [42], and potentially other operations as well.
Curiously enough, there is not a great deal of diversity among the most promising such families, which comprise essentially only BN curves, BLS curves [10], and KSS curves [57].
3.6 Efficient Algorithms
Ordinary curves with small embedding degree also come equipped with efficient pairing algorithms, which tend to be variants of the Tate pairing [8, 48, 55, 60, 76] (although some fall back to the Weil pairing while remaining fairly efficient [94]). In particular, one now knows concrete practical limits to how efficient a pairing can be, in the form of the so-called optimal pairings [93]. Below, \(z := (q^k - 1)/n\) denotes the exponent of the final exponentiation, which maps the Miller function value into the subgroup of order \(n\) of \(\mathbb {F}_{q^k}^*\).
Weil pairing: \(w(P,Q) := (-1)^n f_{n,P}(Q)/f_{n,Q}(P)\).
Tate pairing: \(\tau (P,Q) := f_{n,P}(Q)^z\).
Eta pairing [7] (called the twisted Ate pairing when defined over an ordinary curve): \(\eta (P,Q) := f_{\lambda ,P}(Q)^z\) where \(\lambda ^d \equiv 1 \pmod {n}\).
Ate pairing [55]: \(a(P,Q) := f_{t - 1,Q}(P)^z\), where \(t\) is the trace of the Frobenius.
Optimized Ate and twisted Ate pairings [64]: \(a_c(P,Q) := f_{(t - 1)^c \bmod n,Q}(P)^z\), \(\eta _c(P,Q) := f_{\lambda ^c \bmod n,P}(Q)^z\), for some \(0 < c < k\).
Optimal Ate pairing [93]: \(a_{\mathrm {opt}}(P,Q) := f_{\ell ,Q}(P)^z\) for a certain \(\ell \) such that \(\lg \ell \approx (\lg n)/\varphi (k)\).
A clear trend in recent works has been to attain exceptional performance gains by limiting the allowed curves to a certain subset, sometimes to a single curve at a useful security level [4, 15, 75, 80]. In the next section, we discuss aspects pertaining to such implementations.
4 Implementation Aspects
The optimal Ate pairing on BN curves has been the focus of intense implementation research in the last few years. Most remarkably, beginning in 2008, a series of works improved, each one on top of the preceding one, the practical performance on Intel 64-bit platforms [15, 54, 75]. This effort reached its pinnacle in 2011, when Aranha et al. [4] reported an implementation running in about half a millisecond (see also [62]). Since then, the performance of efficient software implementations has mostly stabilized, but some aspects of pairing computation have continuously improved through the availability of new techniques [47], processor architecture revisions and instruction set refinements [79]. In this section, we revisit the problem of efficient pairing computation, working on top of the implementation presented in [4], to explore these latest advances and provide new performance figures. Our updated implementation achieves high performance on a variety of modern 64-bit computing platforms, including both relatively old processors and the latest microarchitectures.
4.1 Pairing Algorithm
4.2 Field Arithmetic
Prime fields involved in pairing computation in the asymmetric setting are commonly represented with dense moduli, resulting from the parameterized curve constructions. While the particular structure of the prime modulus has been successfully exploited for performance optimization in both software [75] and hardware [41], current software implementations rely on the standard Montgomery reduction [72] and state-of-the-art hardware implementations on the parallelization capabilities of the Residue Number System [30].
Arithmetic in the base field is usually implemented in carefully scheduled Assembly code, but the small number of words required to represent a 256-bit prime field element in a 64-bit processor encourages the use of Assembly directly in the quadratic extension field, to avoid penalties related to frequent function calls [15]. Multiplication and reduction in \(\mathbb {F}_p\) are implemented through a Comba strategy [33], but a Schoolbook approach is favored in recent Intel processors, due to the availability of the carry-preserving multiplication instruction mulx, allowing delayed handling of carries [79]. Future processors will allow similar speedups on the Comba-based multiplication and Montgomery reduction routines by carry-preserving addition instructions [78].
Divide-and-conquer approaches are used only for multiplication in \(\mathbb {F}_{p^{2}}\), \(\mathbb {F}_{p^{6}}\) and \(\mathbb {F}_{p^{12}}\), because Karatsuba is typically more efficient over extension fields, since additions are relatively inexpensive in comparison with multiplication. The full details of the formulas that we use in our implementation of extension field arithmetic can be found in [4], including the opportunities for reducing the number of Montgomery reductions via lazy reduction. The case of squaring is relatively more complex. We use the complex squaring in \(\mathbb {F}_{p^{2}}\) and, for \(\mathbb {F}_{p^{6}}\) and \(\mathbb {F}_{p^{12}}\), we employ the faster Chung-Hasan asymmetric SQR3 formula [31]. The sparseness of the line functions motivates the implementation of specialized multiplication routines for accumulating the line function into the Miller variable \(f\) (sparse multiplication) or for multiplying line functions together (sparser multiplication). For sparse multiplication over \(\mathbb {F}_{p^6}\) and \(\mathbb {F}_{p^{12}}\), we use the formulas proposed by Grewal et al. (see Algorithms 5 and 6 in [53]). Faster formulas for sparser multiplication can be trivially obtained by adapting the sparse multiplication formula to remove operations involving the missing subfield elements.
In the following, we closely follow the notation for operation costs from [4]. Let \(m,s,a,i\) denote the cost of multiplication, squaring, addition and inversion in \(\mathbb {F}_p\), respectively; \(\tilde{m}, \tilde{s}, \tilde{a}, \tilde{\imath }\) denote the cost of multiplication, squaring, addition and inversion in \(\mathbb {F}_{p^{2}}\), respectively; \(m_u,s_u,r\) denote the cost of unreduced multiplication and squaring producing double-precision results, and modular reduction of double-precision integers, respectively; \(\tilde{m}_u,\tilde{s}_u,\tilde{r}\) denote the cost of unreduced multiplication and squaring, and modular reduction of double-precision elements in \(\mathbb {F}_{p^{2}}\), respectively. To simplify the operation count, we consider the cost of field subtraction, negation and division by two equivalent to that of field addition. Also, one double-precision addition is considered equivalent to the cost of two single-precision additions.
4.3 Curve Arithmetic
Pairings can be computed over elliptic curves represented in any coordinate system, but popular choices have been homogeneous projective and affine coordinates, depending on the ratio between inversion and multiplication. Jacobian coordinates were initially explored in a few implementations [15, 75], but ended up superseded by homogeneous coordinates because of their superior efficiency [35]. Point doublings and their corresponding line evaluations usually dominate the cost of the Miller loop, since efficient parameters tend to minimize the Hamming weight of the Miller variable \(\ell \) and the resulting number of point additions. Below, we review and slightly refine the best formulas available for the curve arithmetic involved in pairing computation in affine and homogeneous projective coordinates.
4.4 Operation Count
Computational cost for arithmetic required by Miller’s algorithm.

\(E'(\mathbb {F}_{p^{2}})\) arithmetic | Operation count
Precomp. (Affine) | \(i + m + a\)
Precomp. (Proj.) | \(4a\)
Dbl./Eval. (Affine) | \(3\tilde{m} + 2\tilde{s} + 7\tilde{a} + \tilde{\imath } + 4m\)
Add./Eval. (Affine) | \(3\tilde{m} + \tilde{s} + 6\tilde{a} + \tilde{\imath } + 4m\)
Dbl./Eval. (Proj.) | \(3\tilde{m}_u + 6\tilde{s}_u + 8\tilde{r} + 19\tilde{a} + 4m\)
Add./Eval. (Proj.) | \(11\tilde{m}_u + 2\tilde{s}_u + 11\tilde{r} + 10\tilde{a} + 4m\)
\(p\)-power Frobenius | \(2\tilde{m} + 2a\)
\(p^2\)-power Frobenius | \(2m + \tilde{a}\)
Negation | \(\tilde{a}\)

\(\mathbb {F}_{p^{2}}\) arithmetic | Operation count
Add./Sub./Neg. | \(\tilde{a} = 2a\)
Conjugation | \(a\)
Multiplication | \(\tilde{m} = \tilde{m}_u + \tilde{r} = 3m_u + 2r + 8a\)
Squaring | \(\tilde{s} = \tilde{s}_u + \tilde{r} = 2m_u + 2r + 3a\)
Multiplication by \(\beta \) | \(a\)
Multiplication by \(\xi \) | \(2a\)
Inversion | \(\tilde{\imath } = i + 2s_u + 2m_u + 2r + 3a\)

\(\mathbb {F}_{p^{12}}\) arithmetic | Operation count
Add./Sub. | \(6\tilde{a}\)
Conjugation | \(3\tilde{a}\)
Multiplication | \(18\tilde{m}_u + 6\tilde{r} + 110\tilde{a}\)
Sparse Mult. (Affine) | \(10\tilde{m}_u + 6\tilde{r} + 31\tilde{a}\)
Sparser Mult. (Affine) | \(5\tilde{m}_u + 3\tilde{r} + 13\tilde{a}\)
Sparse Mult. (Proj.) | \(13\tilde{m}_u + 6\tilde{r} + 48\tilde{a}\)
Sparser Mult. (Proj.) | \(6\tilde{m}_u + 5\tilde{r} + 22\tilde{a}\)
Squaring | \(3\tilde{m}_u + 12\tilde{s}_u + 6\tilde{r} + 93\tilde{a}\)
Cyc. Squaring | \(9\tilde{s}_u + 6\tilde{r} + 46\tilde{a}\)
Comp. Squaring | \(6\tilde{s}_u + 4\tilde{r} + 31\tilde{a}\)
Simult. Decomp. | \(9\tilde{m} + 6\tilde{s} + 22\tilde{a} + \tilde{\imath }\)
\(p\)-power Frobenius | \(5\tilde{m} + 6a\)
\(p^2\)-power Frobenius | \(10m + 2\tilde{a}\)
\(p^3\)-power Frobenius | \(5\tilde{m} + 2\tilde{a} + 6a\)
Inversion | \(23\tilde{m}_u + 11\tilde{s}_u + 16\tilde{r} + 129\tilde{a} + \tilde{\imath }\)
4.5 Results and Discussion
Comparison between implementations based on affine and projective coordinates on 64-bit architectures. Timings are presented in \(10^3\) clock cycles and were collected as the average of \(10^4\) repetitions of the same operation. Target platforms are AMD Phenom II (P II) and Intel Nehalem (N), Sandy Bridge (SB), Ivy Bridge (IB) and Haswell (H), the latter with or without support for the mulx instruction.

Operation | N | P II | SB | IB | H | H+mulx
Affine Miller loop | 1,680 | 1,341 | 1,365 | 1,315 | 1,259 | 1,212
Projective Miller loop | 1,170 | 862 | 856 | 798 | 721 | 704
Final exponentiation | 745 | 557 | 572 | 537 | 492 | 473
Affine pairing | 2,425 | 1,898 | 1,937 | 1,852 | 1,751 | 1,685
Projective pairing | 1,915 | 1,419 | 1,428 | 1,335 | 1,213 | 1,177
We obtain several performance improvements in comparison with the current literature. Our implementation based on projective coordinates improves the results from [4] by 6 % and 9 % on the Nehalem and Phenom II machines, respectively. Compared to an updated version [95] of a previous record-setting implementation [15], our Sandy Bridge timings are faster by 82,000 cycles, or 5 %. When independently benchmarking their available software on the Ivy Bridge machine, we observe a latency of 1,403 K cycles, thus an improvement by our software of 5 %. Now considering the Haswell results from the same software available at [69], we obtain a speedup of 8 % without taking into account the mulx instruction and comparable performance when mulx is employed. It is also interesting to note that the use of mulx yields a relatively small speedup of 3 %. When exploiting such an instruction, the lack of carry-preserving addition instructions in the first generation of Haswell processors makes an efficient implementation of Comba-based multiplication and Montgomery reduction difficult, favoring the use of the typically slower Schoolbook versions. We anticipate better support for Comba variants with the upcoming addition instructions [78].
In the implementation based on affine coordinates, the state-of-the-art result at the 128-bit security level is the one described by Acar et al. [1]. Unfortunately, only the latency of 15.6 million cycles on a Core 2 Duo is provided for 64-bit Intel architectures. While this does not allow a direct comparison, the small performance improvement between the Core 2 Duo and Nehalem reported in [4] implies that our affine implementation should be around 6 times faster than [1] when executed on the same machine.
Despite being slower than our own projective version, our affine implementation is still considerably faster than some previous speed records in projective coordinates [15, 54, 75]. This hints at the possibility that affine pairings could be improved even further, contrary to the naive intuition that the affine representation is exceedingly worse than a projective approach.
5 Conclusion
Pairings are amazingly flexible tools that enable the design of innovative cryptographic protocols. Their complex implementation has been the focus of intense research since the beginning of the millennium, in what became a formidable race to make it efficient and practical.
We have reviewed the theory behind pairings and covered state-of-the-art algorithms, presented some further optimizations to the pairing computation in affine and projective coordinates, and analyzed the performance of the most efficient algorithmic options for pairing computation over ordinary curves at the 128-bit security level. In particular, our implementations of affine and projective pairings using Barreto-Naehrig curves show that the efficiency of these two approaches is not as contrasting as it might seem, and hint that further optimizations might be possible. Remarkably, the combination of advances in processor technology and carefully crafted algorithms brings the computation of pairings close to the one million cycle mark.
Footnotes
1. Although there is no theoretical reason not to choose \(p\) to be a higher prime power, in practice such parameters are exceedingly rare and anyway unnecessary, so usually \(p\) is taken to be simply a prime.
Acknowledgements
The authors would like to thank Tanja Lange for the many suggestions to improve the quality of this paper.
References
1. Acar, T., Lauter, K., Naehrig, M., Shumow, D.: Affine pairings on ARM. In: Abdalla, M., Lange, T. (eds.) Pairing 2012. LNCS, vol. 7708, pp. 203–209. Springer, Heidelberg (2013)
2. Aranha, D.F., Fuentes-Castañeda, L., Knapp, E., Menezes, A., Rodríguez-Henríquez, F.: Implementing pairings at the 192-bit security level. In: Abdalla, M., Lange, T. (eds.) Pairing 2012. LNCS, vol. 7708, pp. 177–195. Springer, Heidelberg (2013)
3. Aranha, D.F., Gouvêa, C.P.L.: RELIC is an Efficient LIbrary for Cryptography. http://code.google.com/p/relic-toolkit/
4. Aranha, D.F., Karabina, K., Longa, P., Gebotys, C.H., López, J.: Faster explicit formulas for computing pairings over ordinary curves. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 48–68. Springer, Heidelberg (2011)
5. Balfanz, D., Durfee, G., Shankar, N., Smetters, D.K., Staddon, J., Wong, H.C.: Secret handshakes from pairing-based key agreements. In: IEEE Symposium on Security and Privacy – S&P 2003, Berkeley, USA, pp. 180–196. IEEE Computer Society (2003)
6. Barbulescu, R., Gaudry, P., Joux, A., Thomé, E.: A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. Cryptology ePrint Archive, Report 2013/400 (2013). http://eprint.iacr.org/2013/400
7. Barreto, P.S.L.M., Galbraith, S.D., Ó hÉigeartaigh, C., Scott, M.: Efficient pairing computation on supersingular abelian varieties. Des. Codes Crypt. 42(3), 239–271 (2007)
8. Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M.: Efficient algorithms for pairing-based cryptosystems. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 354–369. Springer, Heidelberg (2002)
9. Barreto, P.S.L.M., Libert, B., McCullagh, N., Quisquater, J.J.: Efficient and provably-secure identity-based signatures and signcryption from bilinear maps. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 515–532. Springer, Heidelberg (2005)
10. Barreto, P.S.L.M., Lynn, B., Scott, M.: Constructing elliptic curves with prescribed embedding degrees. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 257–267. Springer, Heidelberg (2003)
11. Barreto, P.S.L.M., Lynn, B., Scott, M.: On the selection of pairing-friendly groups. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 17–25. Springer, Heidelberg (2004)
12. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)
13. Benger, N., Scott, M.: Constructing tower extensions of finite fields for implementation of pairing-based cryptography. In: Hasan, M.A., Helleseth, T. (eds.) WAIFI 2010. LNCS, vol. 6087, pp. 180–195. Springer, Heidelberg (2010)
14. Benson, K., Shacham, H., Waters, B.: The \(k\)-BDH assumption family: bilinear map cryptography from progressively weaker assumptions. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 310–325. Springer, Heidelberg (2013)
15. Beuchat, J.L., González-Díaz, J.E., Mitsunari, S., Okamoto, E., Rodríguez-Henríquez, F., Teruya, T.: High-speed software implementation of the optimal ate pairing over Barreto-Naehrig curves. In: Joye, M., Miyaji, A., Otsuka, A. (eds.) Pairing 2010. LNCS, vol. 6487, pp. 21–39. Springer, Heidelberg (2010)
16. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)
17. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)
18. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003)
19. Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003)
20. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001)
21. Boyen, X.: Multipurpose identity-based signcryption: a Swiss army knife for identity-based cryptography. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 383–399. Springer, Heidelberg (2003)
22. Boyen, X., Waters, B.: Anonymous hierarchical identity-based encryption (without random oracles). In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 290–307. Springer, Heidelberg (2006)
23. Brezing, F., Weng, A.: Elliptic curves suitable for pairing based cryptography. Des. Codes Crypt. 37(1), 133–141 (2005)
24. Cha, J.C., Cheon, J.H.: An identity-based signature from gap Diffie-Hellman groups. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 18–30. Springer, Heidelberg (2002)
25. Chen, L., Cheng, Z., Smart, N.P.: Identity-based key agreement protocols from pairings. Int. J. Inf. Secur. 6(4), 213–241 (2007)
26. Chen, X., Zhang, F., Kim, K.: New ID-based group signature from pairings. J. Electron. (China) 23(6), 892–900 (2006)
27. Chen, X., Zhang, F., Susilo, W., Tian, H., Li, J., Kim, K.: Identity-based chameleon hash scheme without key exposure. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 200–215. Springer, Heidelberg (2010)
28. Cheon, J.H.: Security analysis of the strong Diffie-Hellman problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 1–11. Springer, Heidelberg (2006)
29. Cheon, J.H.: Discrete logarithm problems with auxiliary inputs. J. Cryptology 23(3), 457–476 (2010)
30. Cheung, R.C.C., Duquesne, S., Fan, J., Guillermin, N., Verbauwhede, I., Yao, G.X.: FPGA implementation of pairings using residue number system and lazy reduction. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 421–441. Springer, Heidelberg (2011)
31. Chung, J., Hasan, M.: Asymmetric squaring formulae. In: 18th IEEE Symposium on Computer Arithmetic – ARITH-18 2007, pp. 113–122 (2007)
32. Cocks, C., Pinch, R.G.E.: Identity-based cryptosystems based on the Weil pairing (2001) (unpublished manuscript)
33. Comba, P.G.: Exponentiation cryptosystems on the IBM PC. IBM Syst. J. 29(4), 526–538 (1990)
34. Costello, C.: Particularly friendly members of family trees. Cryptology ePrint Archive, Report 2012/072 (2012). http://eprint.iacr.org/
35. Costello, C., Lange, T., Naehrig, M.: Faster pairing computations on curves with high-degree twists. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 224–242. Springer, Heidelberg (2010)
36. Costello, C., Lauter, K., Naehrig, M.: Attractive subfamilies of BLS curves for implementing high-security pairings. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 320–342. Springer, Heidelberg (2011)
37. Crandall, R., Pomerance, C.: Prime Numbers: A Computational Perspective. Springer, Berlin (2001)
38. Devegili, A.J., Scott, M., Dahab, R.: Implementing cryptographic pairings over Barreto-Naehrig curves. In: Takagi, T., Okamoto, E., Okamoto, T., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 197–207. Springer, Heidelberg (2007)
39. Dupont, R., Enge, A., Morain, F.: Building curves with arbitrary small MOV degree over finite prime fields. J. Cryptology 18(2), 79–89 (2005)
40. Duursma, I., Lee, H.S.: Tate pairing implementation for hyperelliptic curves \(y^{2}=x^{p}-x+d\). In: Laih, C.S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 111–123. Springer, Heidelberg (2003)
41. Fan, J., Vercauteren, F., Verbauwhede, I.: Efficient hardware implementation of \(\mathbb{F}_p\)-arithmetic for pairing-friendly curves. IEEE Trans. Comput. 61(5), 676–685 (2012)
42. Fouque, P.A., Tibouchi, M.: Indifferentiable hashing to Barreto-Naehrig curves. In: Hevia, A., Neven, G. (eds.) LatinCrypt 2012. LNCS, vol. 7533, pp. 1–17. Springer, Heidelberg (2012)
43. Freeman, D.: Constructing pairing-friendly elliptic curves with embedding degree 10. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 452–465. Springer, Heidelberg (2006)
44. Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. J. Cryptology 23(2), 224–280 (2010)
45. Frey, G., Müller, M., Rück, H.: The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems. IEEE Trans. Inf. Theory 45(5), 1717–1719 (1999)
46. Frey, G., Rück, H.G.: A remark concerning \(m\)-divisibility and the discrete logarithm problem in the divisor class group of curves. Math. Comput. 62, 865–874 (1994)
47. Fuentes-Castañeda, L., Knapp, E., Rodríguez-Henríquez, F.: Faster hashing to \({\mathbb{G}}_2\). In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 412–430. Springer, Heidelberg (2012)
48. Galbraith, S.D., Harrison, K., Soldera, D.: Implementing the Tate pairing. In: Fieker, C., Kohel, D.R. (eds.) ANTS 2002. LNCS, vol. 2369, pp. 324–337. Springer, Heidelberg (2002)
49. Galbraith, S.D.: Supersingular curves in cryptography. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 495–513. Springer, Heidelberg (2001)
50. Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discrete Appl. Math. 156(16), 3113–3121 (2008)
51. Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002)
52. Gouvêa, C.P.L., López, J.: Software implementation of pairing-based cryptography on sensor networks using the MSP430 microcontroller. In: Roy, B., Sendrier, N. (eds.) INDOCRYPT 2009. LNCS, vol. 5922, pp. 248–262. Springer, Heidelberg (2009)
53. Grewal, G., Azarderakhsh, R., Longa, P., Hu, S., Jao, D.: Efficient implementation of bilinear pairings on ARM processors. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 149–165. Springer, Heidelberg (2013)
54. Hankerson, D., Menezes, A., Scott, M.: Software implementation of pairings. In: Identity-Based Cryptography, ch. 12, pp. 188–206. IOS Press, Amsterdam (2008)
55. Hess, F., Smart, N., Vercauteren, F.: The eta pairing revisited. IEEE Trans. Inf. Theory 52, 4595–4602 (2006)
56. Joux, A.: A one-round protocol for tripartite Diffie-Hellman. In: Bosma, W. (ed.) ANTS 2000. LNCS, vol. 1838, pp. 385–394. Springer, Heidelberg (2000)
57. Kachisa, E.J., Schaefer, E.F., Scott, M.: Constructing Brezing-Weng pairing-friendly elliptic curves using elements in the cyclotomic field. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 126–135. Springer, Heidelberg (2008)
58. Karabina, K., Teske, E.: On prime-order elliptic curves with embedding degrees \(k\) = 3, 4, and 6. In: van der Poorten, A.J., Stein, A. (eds.) ANTS-VIII 2008. LNCS, vol. 5011, pp. 102–117. Springer, Heidelberg (2008)
59. Lauter, K., Montgomery, P.L., Naehrig, M.: An analysis of affine coordinates for pairing computation. In: Joye, M., Miyaji, A., Otsuka, A. (eds.) Pairing 2010. LNCS, vol. 6487, pp. 1–20. Springer, Heidelberg (2010)
60. Lee, E., Lee, H.S., Park, C.M.: Efficient and generalized pairing computation on abelian varieties. IEEE Trans. Inf. Theory 55(4), 1793–1803 (2009)
61. Libert, B., Quisquater, J.J.: New identity based signcryption schemes from pairings. In: Information Theory Workshop – ITW 2003, pp. 155–158. IEEE (2003)
62. Longa, P.: High-speed elliptic curve and pairing-based cryptography. Ph.D. thesis, University of Waterloo, April 2011
63. Luca, F., Shparlinski, I.E.: Elliptic curves with low embedding degree. J. Cryptology 19(4), 553–562 (2006)
64. Matsuda, S., Kanayama, N., Hess, F., Okamoto, E.: Optimised versions of the ate and twisted ate pairings. In: Galbraith, S.D. (ed.) Cryptography and Coding 2007. LNCS, vol. 4887, pp. 302–312. Springer, Heidelberg (2007)
65. Menezes, A.J.: Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, Boston (1993)
66. Menezes, A.J., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theory 39, 1639–1646 (1993)
67. Miller, V.S.: Short programs for functions on curves. IBM Thomas J. Watson Research Center Report (1986). http://crypto.stanford.edu/miller/miller.pdf
68. Miller, V.S.: The Weil pairing, and its efficient calculation. J. Cryptology 17(4), 235–261 (2004)
69. Mitsunari, S.: A fast implementation of the optimal ate pairing over BN curve on Intel Haswell processor. Cryptology ePrint Archive, Report 2013/362 (2013). http://eprint.iacr.org/
70. Mitsunari, S., Sakai, R., Kasahara, M.: A new traitor tracing. IEICE Trans. Fundam. E85–A(2), 481–484 (2002)
71. Miyaji, A., Nakabayashi, M., Takano, S.: New explicit conditions of elliptic curve traces for FR-reduction. IEICE Trans. Fundam. E84–A(5), 1234–1243 (2001)
72. Montgomery, P.L.: Modular multiplication without trial division. Math. Comput. 44(170), 519–521 (1985)
73. Mori, Y., Akagi, S., Nogami, Y., Shirase, M.: Pseudo 8-sparse multiplication for efficient ate-based pairing on Barreto-Naehrig curve. In: Cao, Z., Zhang, F. (eds.) Pairing 2013. LNCS, vol. 8365, pp. 186–198. Springer, Heidelberg (2014)
74. Naehrig, M., Barreto, P.S.L.M., Schwabe, P.: On compressible pairings and their computation. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 371–388. Springer, Heidelberg (2008)
75. Naehrig, M., Niederhagen, R., Schwabe, P.: New software speed records for cryptographic pairings. In: Abdalla, M., Barreto, P.S.L.M. (eds.) LATINCRYPT 2010. LNCS, vol. 6212, pp. 109–123. Springer, Heidelberg (2010)
76. Nogami, Y., Akane, M., Sakemi, Y., Kato, H., Morikawa, Y.: Integer variable \(\chi\)-based ate pairing. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 178–191. Springer, Heidelberg (2008)
77. Okamoto, T., Pointcheval, D.: The gap-problems: a new class of problems for the security of cryptographic schemes. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 104–118. Springer, Heidelberg (2001)
78. Ozturk, E., Guilford, J., Gopal, V.: Large integer squaring on Intel architecture processors. Intel white paper (2013)
79. Ozturk, E., Guilford, J., Gopal, V., Feghali, W.: New instructions supporting large integer arithmetic on Intel architecture processors. Intel white paper (2012)
80. Pereira, G.C.C.F., Simplício Jr, M.A., Naehrig, M., Barreto, P.S.L.M.: A family of implementation-friendly BN elliptic curves. J. Syst. Softw. 84(8), 1319–1326 (2011)
81. Pollard, J.M.: Monte Carlo methods for index computation (mod \(p\)). Math. Comput. 32, 918–924 (1978)
82. Rubin, K., Silverberg, A.: Supersingular abelian varieties in cryptology. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 336–353. Springer, Heidelberg (2002)
83. Sakai, R., Kasahara, M.: Cryptosystems based on pairing over elliptic curve. In: Symposium on Cryptography and Information Security – SCIS 2003, 8C-1, January 2003
84. Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing. In: Symposium on Cryptography and Information Security – SCIS 2000, Okinawa, Japan, January 2000
85. Scott, M.: A note on twists for pairing friendly curves (2009). ftp://ftp.computing.dcu.ie/pub/resources/crypto/twists.pdf
86. Scott, M.: On the efficient implementation of pairing-based protocols. In: Chen, L. (ed.) IMACC 2011. LNCS, vol. 7089, pp. 296–308. Springer, Heidelberg (2011)
87. Scott, M.: Unbalancing pairing-based key exchange protocols. Cryptology ePrint Archive, Report 2013/688 (2013). http://eprint.iacr.org/2013/688
88. Scott, M., Barreto, P.S.L.M.: Compressed pairings. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 140–156. Springer, Heidelberg (2004)
89. Scott, M., Benger, N., Charlemagne, M., Dominguez Perez, L.J., Kachisa, E.J.: On the final exponentiation for calculating pairings on ordinary elliptic curves. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 78–88. Springer, Heidelberg (2009)
90. Shirase, M.: Barreto-Naehrig curve with fixed coefficient. IACR ePrint Archive, Report 2010/134 (2010). http://eprint.iacr.org/2010/134
91. Silverman, J.H.: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, vol. 106. Springer, Berlin (1986)
92. Urroz, J.J., Luca, F., Shparlinski, I.: On the number of isogeny classes of pairing-friendly elliptic curves and statistics of MNT curves. Math. Comput. 81(278), 1093–1110 (2012)
93. Vercauteren, F.: Optimal pairings. IEEE Trans. Inf. Theory 56(1), 455–461 (2010)
94. Weil, A.: Sur les fonctions algébriques à corps de constantes fini. Comptes Rendus de l’Académie des Sciences 210, 592–594 (1940)
95. Zavattoni, E., Domínguez-Pérez, L.J., Mitsunari, S., Sánchez, A.H., Teruya, T., Rodríguez-Henríquez, F.: Software implementation of attribute-based encryption (2013). http://sandia.cs.cinvestav.mx/index.php?n=Site.CPABE
96. Zhang, F., Chen, X.: Yet another short signatures without random oracles from bilinear pairings. IACR Cryptology ePrint Archive, Report 2005/230 (2005)
97. Zhang, F., Kim, K.: ID-based blind signature and ring signature from pairings. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 533–547. Springer, Heidelberg (2002)
98. Zhang, F., Safavi-Naini, R., Susilo, W.: An efficient signature scheme from bilinear pairings and its applications. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 277–290. Springer, Heidelberg (2004)