Faster Pairing Computations on Curves with High-Degree Twists

  • Craig Costello
  • Tanja Lange
  • Michael Naehrig
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6056)

Abstract

Research on efficient pairing implementation has focussed on reducing the loop length and on using high-degree twists. Existence of twists of degree larger than 2 is a very restrictive criterion but luckily constructions for pairing-friendly elliptic curves with such twists exist. In fact, Freeman, Scott and Teske showed in their overview paper that often the best known methods of constructing pairing-friendly elliptic curves over fields of large prime characteristic produce curves that admit twists of degree 3, 4 or 6.

A few papers have presented explicit formulas for the doubling and the addition step in Miller’s algorithm, but the optimizations were all done for the Tate pairing with degree-2 twists, so the main usage of the high-degree twists remained incompatible with more efficient formulas.

In this paper we present efficient formulas for curves with twists of degree 2, 3, 4 or 6. These formulas are significantly faster than their predecessors. We show how these faster formulas can be applied to Tate and ate pairing variants, thereby speeding up all practical suggestions for efficient pairing implementations over fields of large characteristic.

Keywords

Pairings Miller functions explicit formulas Tate pairing ate pairing twists Weierstrass curves 

References

  1. 1.
    Akane, M., Nogami, Y., Morikawa, Y.: Fast ate pairing computation of embedding degree 12 using subfield-twisted elliptic curve. IEICE Transactions 92-A(2), 508–516 (2009)Google Scholar
  2. 2.
    Arene, C., Lange, T., Naehrig, M., Ritzenthaler, C.: Faster pairing computation. Cryptology ePrint Archive, Report 2009/155 (2009), http://eprint.iacr.org/
  3. 3.
    Barreto, P.S.L.M., Galbraith, S.D., O’hEigeartaigh, C., Scott, M.: Efficient pairing computation on supersingular abelian varieties. Des. Codes Cryptography 42(3), 239–271 (2007)MATHCrossRefMathSciNetGoogle Scholar
  4. 4.
    Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M.: Efficient algorithms for pairing-based cryptosystems. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 354–368. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  5. 5.
    Barreto, P.S.L.M., Lynn, B., Scott, M.: Constructing elliptic curves with prescribed embedding degrees. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 257–267. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  6. 6.
    Barreto, P.S.L.M., Lynn, B., Scott, M.: On the selection of pairing-friendly groups. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 17–25. Springer, Heidelberg (2004)Google Scholar
  7. 7.
    Barreto, P.S.L.M., Lynn, B., Scott, M.: Efficient implementation of pairing-based cryptosystems. J. Cryptology 17(4), 321–334 (2004)MATHCrossRefMathSciNetGoogle Scholar
  8. 8.
    Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  9. 9.
    Benits Jr., W.D., Galbraith, S.D.: Constructing pairing-friendly elliptic curves using Gröbner basis reduction. In: Galbraith [19], pp. 336–345Google Scholar
  10. 10.
    Bernstein, D.J., Lange, T.: Explicit-formulas database, http://www.hyperelliptic.org/EFD
  11. 11.
    Brezing, F., Weng, A.: Elliptic curves suitable for pairing based cryptography. Des. Codes Cryptography 37(1), 133–141 (2005)MATHCrossRefMathSciNetGoogle Scholar
  12. 12.
    Chatterjee, S., Sarkar, P., Barua, R.: Efficient computation of Tate pairing in projective coordinate over general characteristic fields. In: Park, C.-s., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 168–181. Springer, Heidelberg (2005)Google Scholar
  13. 13.
    Costello, C., Hisil, H., Boyd, C., Nieto, J.M.G., Wong, K.K.-H.: Faster pairings on special Weierstrass curves. In: Shacham, Waters [40], pp. 89–101Google Scholar
  14. 14.
    Das, M.P.L., Sarkar, P.: Pairing computation on twisted Edwards form elliptic curves. In: Galbraith, Paterson (eds.) [23], pp. 192–210Google Scholar
  15. 15.
    Eisenträger, K., Lauter, K., Montgomery, P.L.: Improved Weil and Tate pairings for elliptic and hyperelliptic curves. In: Buell, D.A. (ed.) ANTS 2004. LNCS, vol. 3076, pp. 169–183. Springer, Heidelberg (2004)Google Scholar
  16. 16.
    Freeman, D.: Constructing pairing-friendly elliptic curves with embedding degree 10. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 452–465. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  17. 17.
    Freeman, D.: A generalized Brezing-Weng algorithm for constructing pairing-friendly ordinary abelian varieties. In: Galbraith, Paterson [23], pp. 146–163Google Scholar
  18. 18.
    Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. J. Cryptology 23(2), 224–280 (2010)MATHCrossRefGoogle Scholar
  19. 19.
    Galbraith, S.D. (ed.): Cryptography and Coding 2007. LNCS, vol. 4887. Springer, Heidelberg (2007)MATHGoogle Scholar
  20. 20.
    Galbraith, S.D.: Twists of Edwards curves. unpublished manuscript (2009)Google Scholar
  21. 21.
    Galbraith, S.D., Lin, X.: Computing pairings using x-coordinates only. Des. Codes Cryptography 50(3), 305–324 (2009)CrossRefMathSciNetGoogle Scholar
  22. 22.
    Galbraith, S.D., McKee, J.F., Valença, P.C.: Ordinary abelian varieties having small embedding degree. Finite Fields and their Applications 13, 800–814 (2007)MATHCrossRefMathSciNetGoogle Scholar
  23. 23.
    Galbraith, S.D., Paterson, K.G. (eds.): Pairing 2008. LNCS, vol. 5209. Springer, Heidelberg (2008)MATHGoogle Scholar
  24. 24.
    Galbraith, S.D., Scott, M.: Exponentiation in pairing-friendly groups using homomorphisms. In: Galbraith, Paterson [23], pp. 211–224Google Scholar
  25. 25.
    Hess, F.: Pairing lattices. In: Galbraith, Paterson [23], pp. 18–38Google Scholar
  26. 26.
    Hess, F., Smart, N.P., Vercauteren, F.: The eta pairing revisited. IEEE Transactions on Information Theory 52(10), 4595–4602 (2006)CrossRefMathSciNetGoogle Scholar
  27. 27.
    Ionica, S., Joux, A.: Another approach to pairing computation in Edwards coordinates. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 400–413. Springer, Heidelberg (2008), http://eprint.iacr.org/2008/292 CrossRefGoogle Scholar
  28. 28.
    Kachisa, E.J., Schaefer, E.F., Scott, M.: Constructing Brezing-Weng pairing-friendly elliptic curves using elements in the cyclotomic field. In: Galbraith, Paterson [23], pp. 126–135Google Scholar
  29. 29.
    Koblitz, N., Menezes, A.: Pairing-based cryptography at high security levels. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 13–36. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  30. 30.
    Lee, E., Lee, H.-S., Park, C.-M.: Efficient and generalized pairing computation on abelian varieties. Cryptology ePrint Archive, Report 2008/040 (2008), http://eprint.iacr.org/2008/040
  31. 31.
    Lin, X., Zhao, C., Zhang, F., Wang, Y.: Computing the ate pairing on elliptic curves with embedding degree k = 9. IEICE Transactions 91-A(9), 2387–2393 (2008)Google Scholar
  32. 32.
    Matsuda, S., Kanayama, N., Hess, F., Okamoto, E.: Optimised versions of the ate and twisted ate pairings. In: Galbraith [19], pp. 302–312Google Scholar
  33. 33.
    Mrabet, N.E., Guillermin, N., Ionica, S.: A study of pairing computation for elliptic curves with embedding degree 15. Cryptology ePrint Archive, Report 2009/370 (2009), http://eprint.iacr.org/
  34. 34.
    Scott, M.: Computing the Tate pairing. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 293–304. Springer, Heidelberg (2005)Google Scholar
  35. 35.
    Scott, M.: Faster pairings using an elliptic curve with an efficient endomorphism. In: Maitra, S., Veni Madhavan, C.E., Venkatesan, R. (eds.) INDOCRYPT 2005. LNCS, vol. 3797, pp. 258–269. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  36. 36.
    Scott, M., Barreto, P.S.L.M.: Compressed pairings. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 140–156. Springer, Heidelberg (2004)Google Scholar
  37. 37.
    Scott, M., Barreto, P.S.L.M.: Generating more MNT elliptic curves. Des. Codes Cryptography 38(2), 209–217 (2006)MATHCrossRefMathSciNetGoogle Scholar
  38. 38.
    Scott, M., Benger, N., Charlemagne, M., Dominguez Perez, L.J., Kachisa, E.J.: Fast hashing to G 2 on pairing-friendly curves. In: Shacham, Waters [40], pp. 102–113Google Scholar
  39. 39.
    Scott, M., Benger, N., Charlemagne, M., Dominguez Perez, L.J., Kachisa, E.J.: On the final exponentiation for calculating pairings on ordinary elliptic curves. In: Shacham, Waters [40], pp. 78–88Google Scholar
  40. 40.
    Shacham, H., Waters, B. (eds.): Pairing 2009. LNCS, vol. 5671. Springer, Heidelberg (2009)Google Scholar
  41. 41.
    Tanaka, S., Nakamula, K.: Constructing pairing-friendly elliptic curves using factorization of cyclotomic polynomials. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 136–145. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  42. 42.
    Vercauteren, F.: Optimal pairings. IEEE Transactions on Information Theory 56(1), 455–461 (2010)CrossRefMathSciNetGoogle Scholar
  43. 43.
    Zhao, C.-A., Zhang, F., Huang, J.: A note on the ate pairing. International Journal of Information Security 7(6), 379–382 (2008)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Craig Costello
    • 1
  • Tanja Lange
    • 2
  • Michael Naehrig
    • 2
  1. 1.Information Security InstituteQueensland University of TechnologyBrisbaneAustralia
  2. 2.Department of Mathematics and Computer ScienceTechnische Universiteit EindhovenEindhovenNetherlands

Personalised recommendations