Efficient Algorithm for Tate Pairing of Composite Order

  • Yutaro Kiyomura
  • Tsuyoshi Takagi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8231)


A lot of important cryptographic schemes such as fully secure leakage-resilient encryption and keyword searchable encryption are based on pairings of composite order. Miller’s algorithm is used to compute pairings, and the time taken to compute the pairings depends on the cost of calculating the Miller loop. As a way of speeding up calculations of the parings of prime order, the number of iterations of the Miller loop can be reduced by choosing a prime order of low hamming weight. However, it is difficult to choose a particular composite order that can speed up the pairings of composite order. Kobayashi et al. proposed an efficient algorithm for computing Miller’s algorithm by using a window method, called Window Miller’s algorithm. We can compute scalar multiplication of points on elliptic curves by using a window hybrid binary-ternary form (w-HBTF). In this paper, we propose a Miller’s algorithm that uses w-HBTF to compute Tate pairing efficiently. This algorithm needs a precomputation of the points on an elliptic curve and rational functions. The proposed algorithm was implemented in Java on a PC and compared with Window Miller’s Algorithm in terms of the time and memory needed to make their precomputed tables. We used the supersingular elliptic curve y 2 = x 3 + x of embedding degree 2 and a composite order of size of 2048 bits. The proposed algorithm with w = 6 = 2·3 was about 12% faster than Window Miller’s Algorithm with w = 2 given smallest precomputed tables of the same memory size. Moreover, the proposed algorithm with w = 162 = 2·34 was about 8.5% faster than Window Miller’s algorithm with w = 7 on each fastest algorithm.


Composite order pairing Miller’s Algorithm NAF w-HBTF 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Adikari, J., Dimitrov, V.S., Imbert, L.: Hybrid Binary-Ternary Number System for Elliptic Curve Cryptosystems. IEEE Transactions on Computers 60(2), 254–265 (2011)MathSciNetCrossRefGoogle Scholar
  2. 2.
    Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M.: Efficient Algorithms for Pairing-Based Cryptosystems. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 354–369. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  3. 3.
    Barreto, P.S.L.M., Galbraith, S., ÓhÉigeartaigh, C., Scott, M.: Efficient Pairing Computation on Supersingular Abelian Varieties. Designs, Codes and Cryptography 42(3), 239–271 (2007)MathSciNetCrossRefzbMATHGoogle Scholar
  4. 4.
    Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-DNF Formulas on Ciphertexts. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 325–341. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  5. 5.
    Boneh, D., Franklin, M.: Identity-Based Encryption from the Weil Pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  6. 6.
    Boneh, D., Di Crescenzo, G., Ostrovsky, R., Persiano, G.: Public Key Encryption with Keyword Search. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 506–522. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  7. 7.
    Ciet, M., Joye, M., Lauter, K., Montgomery, P.L.: Trading Inversions for Multiplications in Elliptic Curve Cryptography. Designs, Codes and Cryptography 39(2), 189–206 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Devegili, A., Eigeartaigh, C., Scott, M., Dahab, R.: Multiplication and Squaring on Pairing-Friendly Fields. Cryptography ePrint Archive, Report 2006/471 (2006)Google Scholar
  9. 9.
    Dimitrov, V.S., Imbert, L., Mishra, P.K.: Efficient and Secure Elliptic Curve Point Multiplication Using Double-Base Chains. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 59–78. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  10. 10.
    Dimitrov, V.S., Imbert, L., Mishra, P.K.: The Double-Base Number System and Its Application to Elliptic Curve Cryptography. Mathmatics of Computation 77(262), 1075–1104 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Doche, C., Imbert, L.: Extended Double-Base Number System with Applications to Elliptic Curve Cryptography. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 335–348. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  12. 12.
    Eisenträger, K., Lauter, K., Montgomery, P.L.: Fast Elliptic Curve Arithmetic and Improved Weil Pairing Evaluation. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 343–354. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  13. 13.
    Guillevic, A.: Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves. Cryptography ePrint Archive, Report 2013/218 (2013)Google Scholar
  14. 14.
    Hankerson, D., Menezes, A., Vanstone, S.: Guide to Elliptic Curve Cryptography. Springer (2004)Google Scholar
  15. 15.
    Hess, F., Smart, N., Vercauteren, F.: The Eta Pairing Revisited. IEEE Transactions on Information Theory 52(10), 4595–4602 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
  16. 16.
    Joye, M.: RSA Moduli with a Predetermined Portion: Techniques and Applications. In: Chen, L., Mu, Y., Susilo, W. (eds.) ISPEC 2008. LNCS, vol. 4991, pp. 116–130. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  17. 17.
    Kobayashi, T., Aoki, K., Imai, H.: Efficient Algorithm for Tate Pairing. IEICE Transaction on Fundamentals of Electronics, Communications and Computer Sciences E89-A(1), 134–143 (2006)CrossRefGoogle Scholar
  18. 18.
    Koblitz, N., Menezes, A.: Pairing-Based Cryptography at High Security Levels. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 13–36. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  19. 19.
    Le, D., Tan, C.: Speeding Up Ate Pairing Computation in Affine Coordinates. Cryptography and Coding, Cryptography ePrint Archive, Report 2013/119 (2013)Google Scholar
  20. 20.
    Lee, E., Lee, H.S., Park, C.M.: Efficient and Generalized Pairing Computation on Abelian Varieties. IEEE Transactions on Information Theory 55(4), 1793–1803 (2009)CrossRefGoogle Scholar
  21. 21.
    Meiklejohn, S., Shacham, H., Freeman, D.M.: Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 519–538. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  22. 22.
    Miller, V.: Short Programs for Functions on Curves (1986) (unpublished manuscript)Google Scholar
  23. 23.
    Ostrovsky, R., Skeith III, W.E.: Private Searching on Streaming Data. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 223–240. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  24. 24.
    Shacham, H., Waters, B.: Efficient ring signatures without random oracles. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 166–180. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  25. 25.
    Takagi, T., Yen, S.-M., Wu, B.-C.: Radix-r non-adjacent form. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 99–110. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  26. 26.
    Vercauteren, F.: Optimal Pairings. IEEE Transactions on Information Theory 56(1), 455–461 (2010)MathSciNetCrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Yutaro Kiyomura
    • 1
  • Tsuyoshi Takagi
    • 2
  1. 1.Graduate School of MathematicsKyushu UniversityNishi-kuJapan
  2. 2.Institute of Mathematics for IndustryKyushu UniversityNishi-kuJapan

Personalised recommendations