Computing Optimal 2-3 Chains for Pairings
Using double-base chains to represent integers, in particular chains with bases 2 and 3, can be beneficial to the efficiency of scalar multiplication and the computation of bilinear pairings via (a variation of) Miller’s algorithm. For one-time scalar multiplication, finding an optimal 2-3 chain could easily be more expensive than the scalar multiplication itself, and the associated risk of side-channel attacks based on the difference between doubling and tripling operations can produce serious complications to the use of 2-3 chains.
The situation changes when the scalar is fixed and public, as in the case of pairing computations. In such a situation, performing some extra work to obtain a chain that minimizes the cost associated to the scalar multiplication can be justified as the result may be re-used a large number of times. Even though this computation can be considered “attenuated” over several hundreds or thousands of scalar multiplications, it should still remain within the realm of “practical computations”, and ideally be as efficient as possible.
An exhaustive search is clearly out of the question as its complexity grows exponentially in the size of the scalar. Up to now, the best practical approaches consisted in obtaining an approximation of the optimal chain via a greedy algorithm, or using the tree-based approach of Doche and Habsieger, but these offer no guarantee on how good the approximation will be. In this paper, we show how to find the optimal 2-3 chain in polynomial time, which leads to faster pairing computations. We also introduce the notion of “negative” 2-3 chains, where all the terms (except the leading one) are negative, which can provide near-optimal performance but reduces the types of operations used (reducing code size for the pairing implementation).
KeywordsInteger representations Double-base chains Tate pairings
The authors would like to thanks the anonymous referees for their useful comments and suggestions.
- 6.A. Capuñay. Multibase Scalar Multiplications in Cryptographic Pairings. preprint, 2015Google Scholar