The Realm of the Pairings

  • Diego F. Aranha
  • Paulo S. L. M. Barreto
  • Patrick Longa
  • Jefferson E. Ricardini
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8282)

Abstract

Bilinear maps, or pairings, initially proposed in a cryptologic context for cryptanalytic purposes, proved afterward to be an amazingly flexible and useful tool for the construction of cryptosystems with unique features. Yet, they are notoriously hard to implement efficiently, so that their effective deployment requires a careful choice of parameters and algorithms. In this paper we review the evolution of pairing-based cryptosystems, the development of efficient algorithms and the state of the art in pairing computation, and the challenges yet to be addressed on the subject, while also presenting some new algorithmic and implementation refinements in affine and projective coordinates.

Keywords

Pairing-based cryptosystems Efficient algorithms 

1 Introduction

Bilinear maps, or pairings, between the (divisors on the) groups of points of certain algebraic curves over a finite field, particularly the Weil pairing [94] and the Tate (or Tate-Lichtenbaum) pairing [45], have been introduced in a cryptological scope for destructive cryptanalytic purposes, namely, mapping the discrete logarithm problem on those groups to the discrete logarithm problem on the multiplicative group of a certain extension of the base field [46, 66]: while the best generic classical (non-quantum) algorithm for the discrete logarithm problem on the former groups may be exponential, in the latter case subexponential algorithms are known, so that such a mapping may yield a problem that is asymptotically easier to solve.

It turned out, perhaps surprisingly, that these same tools have a much more relevant role in a constructive cryptographic context, as the basis for the definition of cryptosystems with unique properties. This has been shown in the seminal works on identity-based non-interactive authenticated key agreement by Sakai, Ohgishi and Kasahara [84], and on one-round tripartite key agreement by Joux [56], which then led to an explosion of protocols exploring the possibilities of identity-based cryptography and many other schemes, with ever more complex features.

All this flexibility comes at a price: pairings are notoriously expensive in implementation complexity and processing time (and/or storage occupation, in a trade-off between time and space requirements). This imposes a very careful choice of algorithms and curves to make them really practical. The pioneering approach by Miller [67, 68] showed that pairings could be computed in polynomial time, but there is a large gap from there to a truly efficient implementation approach.

Indeed, progress in this line of research has not only revealed theoretical bounds on how efficiently a pairing can be computed in the sense of its overall order of complexity [93], but actually the literature has now very detailed approaches on how to attain truly practical, extremely optimized implementations that cover all operations typically found in a pairing-based cryptosystem, rather than just the pairing itself [4, 80]. One can therefore reasonably ask how far this trend can be pushed, and how “notoriously expensive” pairings really are (or even whether they really are as expensive as the folklore pictures them).

Our Contribution. In this paper we review the evolution of pairing-based cryptosystems, the development of efficient algorithms for the computation of pairings and the state of the art in the area, and the challenges yet to be addressed on the subject.

Furthermore, we provide some new refinements to the pairing computation in affine and projective coordinates over ordinary curves, perform an up-to-date analysis of the best algorithms for the realization of pairings with special focus on the 128-bit security level and present a very efficient implementation for x64 platforms.

Organization. The remainder of this paper is organized as follows. Section 2 introduces essential notions on elliptic curves and bilinear maps for cryptographic applications, including some of the main pairing-based cryptographic protocols and their underlying security assumptions. Section 3 reviews the main proposals for pairing-friendly curves and the fundamental algorithms for their construction and manipulation. In Sect. 4, we describe some optimizations to formulas in affine and projective coordinates, carry out a performance analysis of the best available algorithms and discuss benchmarking results of our high-speed implementation targeting the 128-bit security level on various x64 platforms. We conclude in Sect. 5.

2 Preliminary Concepts

Let \(q = p^m\). An elliptic curve\(E/\mathbb {F}_q\) is a smooth projective algebraic curve of genus one with at least one point. The affine part satisfies an equation of the form \(E: y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6\) where \(a_i \in \mathbb {F}_q\). Points on \(E\) are affine points \((x, y) \in \mathbb {F}_q^2\) satisfying the curve equation, together with an additional point at infinity, denoted \(\infty \). The set of curve points whose coordinates lie in a particular extension field \(\mathbb {F}_{q^k}\) is denoted \(E(\mathbb {F}_{q^k})\) for \(k > 0\) (note that the \(a_i\) remain in \(\mathbb {F}_q\)). Let \(\#E(\mathbb {F}_q)=n\) and write \(n\) as \(n=p+1-t\); \(t\) is called the trace of the Frobenius endomorphism. By Hasse’s theorem, \(|t| \leqslant 2\sqrt{q}\).

An (additive) Abelian group structure is defined on \(E\) by the well known chord-and-tangent method [91]. The order of a point \(P \in E\) is the least nonzero integer \(r\) such that \([r]P = \infty \), where \([r]P\) is the sum of \(r\) terms equal to \(P\). The order \(r\) of a point divides the curve order \(n\). For a given integer \(r\), the set of all points \(P \in E\) such that \([r]P = \infty \) is denoted \(E[r]\). We say that \(E[r]\) has embedding degree\(k\) if \(r \;|\; q^k - 1\) and \(r \not \mid q^s - 1\) for any \(0 < s < k\).

The complex multiplication (CM) method [37] constructs an elliptic curve with a given number of points \(n\) over a given finite field \(\mathbb {F}_q\) as long as \(n = q + 1 - t\) as required by the Hasse bound, and the norm equation \(DV^2 = 4q - t^2\) can be solved for “small” values of the discriminant \(D\), from which the \(j\)-invariant of the curve (which is a function of the coefficients of the curve equation) can be computed, and the curve equation is finally given by \(y^2 = x^3 + b\) (for certain values of \(b\)) when \(j = 0\), by \(y^2 = x^3 + ax\) (for certain values of \(a\)) when \(j = 1728\), and by \(y^2 = x^3 - 3cx + 2c\) with \(c := j/(j - 1728)\) when \(j \not \in \{0, 1728\}\).

A divisor is a finite formal sum \(\mathcal {A} = \sum _P{a_P(P)}\) of points on the curve \(E(\mathbb {F}_{q^k})\). An Abelian group structure is defined on the set of divisors by the addition of corresponding coefficients in their formal sums; in particular, \(n\mathcal {A} = \sum _P{(n \, a_P)(P)}\). The degree of a divisor \(\mathcal {A}\) is the sum \(\deg (\mathcal {A}) = \sum _P{a_P}\). Let \(f: E(\mathbb {F}_{q^k}) \rightarrow \mathbb {F}_{q^k}\) be a function on the curve. We define \(f(\mathcal {A}) \equiv \prod _P{f(P)^{a_P}}\). Let \({{\mathrm{ord}}}_P(f)\) denote the multiplicity of the zero or pole of \(f\) at \(P\) (if \(f\) has no zero or pole at \(P\), then \({{\mathrm{ord}}}_P(f) = 0\)). The divisor of \(f\) is \((f) := \sum _P{{{\mathrm{ord}}}_P(f)(P)}\). A divisor \(\mathcal {A}\) is called principal if \(\mathcal {A} = (f)\) for some function \((f)\). A divisor \(\mathcal {A}\) is principal if and only if \(\deg (\mathcal {A}) = 0\) and \(\sum _P{a_P P} = \infty \) [65, theorem 2.25]. Two divisors \(\mathcal {A}\) and \(\mathcal {B}\) are equivalent, \(\mathcal {A} \sim \mathcal {B}\), if their difference \(\mathcal {A} - \mathcal {B}\) is a principal divisor. Let \(P \in E(\mathbb {F}_q)[r]\) where \(r\) is coprime to \(q\), and let \(\mathcal {A}_P\) be a divisor equivalent to \((P) - (\infty )\); under these circumstances the divisor \(r\mathcal {A}_P\) is principal, and hence there is a function \(f_P\) such that \((f_P) = r\mathcal {A}_P = r(P) - r(\infty )\).

Given three groups \(\mathbb {G}_1\), \(\mathbb {G}_2\), and \(\mathbb {G}_T\) of the same prime order \(n\), a pairing is a feasibly computable, non-degenerate bilinear map \(e: \mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T\). The groups \(\mathbb {G}_1\) and \(\mathbb {G}_2\) are commonly (in the so-called Type III pairing setting) determined by the eigenspaces of the Frobenius endomorphism \(\phi _q\) on some elliptic curve \(E/\mathbb {F}_q\) of embedding degree \(k>1\). More precisely, \(\mathbb {G}_1\) is taken to be the 1-eigenspace \(E[n] \cap \ker (\phi _q - [1]) = E(\mathbb {F}_q)[n]\). The group \(\mathbb {G}_2\) is usually taken to be the preimage \(E'(\mathbb {F}_{q^g})[n]\) of the \(q\)-eigenspace \(E[n] \cap \ker (\phi _q - [q]) \subseteq E(\mathbb {F}_{q^k})[n]\) under a twisting isomorphism \(\psi : E' \rightarrow E\), \((x, y) \mapsto (\mu ^2 x, \mu ^3 y)\) for some \(\mu \in \mathbb {F}_{q^k}^*\). In particular, \(g = k/d\) where the curve \(E'/\mathbb {F}_{q^g}\) is the unique twist of \(E\) with largest possible twist degree \(d \mid k\) for which \(n\) divides \(\#E'(\mathbb {F}_{q^g})\) (see [55] for details). This means that \(g\) is as small as possible.

A Miller function \(f_{i,P}\) is a function with divisor \((f_{i,P}) = i(P) - ([i]P) - (i-1)(\infty )\). Miller functions are at the root of most if not all pairings proposed for cryptographic purposes, which in turn induce efficient algorithms derived from Miller’s algorithm [67, 68]. A Miller function satisfies \(f_{a+b,P}(Q) = f_{a,P}(Q) \cdot f_{b,P}(Q) \cdot g_{[a]P,[b]P}(Q) / g_{[a+b]P}(Q)\) up to a constant nonzero factor in \(\mathbb {F}_q\), for all \(a, b \in \mathbb {Z}\), where the so-called line functions \(g_{[a]P,[b]P}\) and \(g_{[a+b]P}\) satisfy \((g_{[a]P,[b]P}) = ([a]P) + ([b]P) + (-[a+b]P) - 3(\infty )\), \((g_{[a+b]P}) = ([a+b]P) + (-[a+b]P) - 2(\infty )\). The advantage of Miller functions with respect to elliptic curve arithmetic is now clear, since with these relations the line functions, and hence the Miller functions themselves, can be efficiently computed as a side result during the computation of \([n]P\) by means of the usual chord-and-tangent method.

2.1 Protocols and Assumptions

As an illustration of the enormous flexibility that pairings bring to the construction of cryptographic protocols, we present a (necessarily incomplete) list of known schemes according to their overall category.

Foremost among pairing-based schemes are the identity-based cryptosystems. These include plain encryption [17], digital signatures [24, 83], (authenticated) key agreement [25], chameleon hashing [27], and hierarchical extensions thereof with or without random oracles [22, 51].

Other pairing-based schemes are not identity-based but feature special functionalities like secret handshakes [5], short/aggregate/verifiably encrypted/ group/ring/blind signatures [19, 20, 26, 97, 98] and signcryption [9, 21, 61].

Together with the abundance of protocols came a matching abundance of security assumptions, often tailored to the nature of each particular protocol although some assumptions found a more general use and became classical. Some of the most popular and useful security assumptions occurring in security proofs of pairing-based protocols are the following, with groups \(\mathbb {G}_1\) and \(\mathbb {G}_2\) of order \(n\) in multiplicative notation (and \(\mathbb {G}\) denotes either group):
  • \(\mathsf {q}\)-Strong Diffie-Hellman (\(\mathsf {q}\)-SDH) [16] and many related assumptions (like the Inverse Computational Diffie-Hellman (Inv-CDH), the Square Computational Diffie-Hellman (Squ-CDH), the Bilinear Inverse Diffie-Hellman (BIDH), and the Bilinear Square Diffie-Hellman (BSDH) assumptions [98]): Given a\((\mathsf {q}+2)\)-tuple\((g_1,g_2, g_2^x, \dots , g_2^{x^\mathsf {q}}) \in \mathbb {G}_1 \times \mathbb {G}_2^{\mathsf {q}+1}\)as input, compute a pair\((c, g_1^{1/(x+c)}) \in \mathbb {Z}/n\mathbb {Z}\times \mathbb {G}_1\).

  • Decision Bilinear Diffie-Hellman (DBDH) [18] and related assumptions (like the \(k\)-BDH assumption [14]): Given generators\(g_1\) and \(g_2\) of \(\mathbb {G}_1\) and \(\mathbb {G}_2\)respectively, and given\(g_1^a\), \(g_1^b\), \(g_1^c\), \(g_2^a\), \(g_2^b\), \(g_2^c\), \(e(g_1,g_2)^z\)determine whether\(e(g_1,g_2)^{abc} = e(g_1,g_2)^z\).

  • Gap Diffie-Hellman (GDH) assumption [77]: Given\((g, g^a, g^b) \in \mathbb {G}^3\)for a group\(\mathbb {G}\)equipped with an oracle for deciding whether\(g^{ab} = g^c\) for any given \(g^c \in \mathbb {G}\), find \(g^{ab}\).

  • \((k + 1)\) Exponent Function meta-assumption: Given a function\(f: \mathbb {Z}/n\mathbb {Z}\rightarrow \mathbb {Z}/n\mathbb {Z}\)and a sequence\((g, g^a, g^{f(h_1+a)}, \dots , g^{f(h_k+a)}) \in \mathbb {G}_1^{k+2}\)for some\(a\), \(h_1, \dots , h_k \in \mathbb {Z}/n\mathbb {Z}\), compute\(g^{f(h+a)}\)for some\(h \notin \{h_1, \dots , h_k\}\).

The last of these is actually a meta-assumption, since it is parameterized by a function \(f\) on the exponents. This meta-assumption includes the Collusion attack with \(k\) traitors (\(k\)-CAA) assumption [70], where \(f(x) := 1/x\), and the \((k + 1)\) Square Roots (\((k+1)\)-SR) assumption [96], where \(f(x) := \sqrt{x}\), among others. Of course, not all choices of \(f\) may lead to a consistent security assumption (for instance, the constant function is certainly a bad choice), so the instantiation of this meta-assumption must be done in a case-by-case basis.

Also, not all of these assumptions are entirely satisfactory from the point of view of their relation to the computational complexity of the more fundamental discrete logarithm problem. In particular, the Cheon attack [28, 29] showed that, contrary to most discrete-logarithm style assumptions, which usually claim a practical security level of \(2^\lambda \) for \(2\lambda \)-bit keys due to e.g. the Pollard-\(\rho \) attack [81], the \(\mathsf {q}\)-SDH assumption may need \(3\lambda \)-bit keys to attain that security level, according to the choice of \(\mathsf {q}\).

3 Curves and Algorithms

3.1 Supersingular Curves

Early proposals to obtain efficient pairings invoked the adoption of supersingular curves [40, 49, 82], which led to the highly efficient concept of \(\eta \) pairings [7] over fields of small characteristic. This setting enables the so called Type I pairings, which are defined with both arguments from the same group [50] and facilitates the description of many protocols and the construction of formal security proofs. Unfortunately, recent developments bring that approach into question, since discrete logarithms in the multiplicative groups of the associated extension fields have proven far easier to compute than anticipated [6].

Certain ordinary curves, on the other hand, are not known to be susceptible to that line of attack, and also yield very efficient algorithms, as we will see next.

3.2 Generic Constructions

Generic construction methods enable choosing the embedding degree at will, limited only by efficiency requirements. Two such constructions are known:
  • The Cocks-Pinch construction [32] enables the construction of elliptic curves over \(\mathbb {F}_q\) containing a pairing-friendly group of order \(n\) with \(\lg (q)/\lg (n) \approx 2\).

  • The Dupont-Enge-Morain strategy [39] is similarly generic in the sense of its embedding degree flexibility by maximizing the trace of the Frobenius endomorphism. Like the Cocks-Pinch method, it only attains \(\lg (q)/\lg (n) \approx 2\).

Because the smallest attainable ratio \(\lg (q)/\lg (n)\) is relatively large, these methods do not yield curves of prime order, which are necessary for certain applications like short signatures, and also tend to improve the overall processing efficiency.

3.3 Sparse Families of Curves

Certain families of curves may be obtained by parameterizing the norm equation \(4q - t^2 = 4hn - (t - 2)^2 = DV^2\) with polynomials \(q(u)\), \(t(u)\), \(h(u)\), \(n(u)\), then choosing \(t(u)\) and \(h(u)\) according to some criteria (for instance, setting \(h(u)\) to be some small constant polynomial yields near-prime order curves), and directly finding integer solutions (in \(u\) and \(V\)) to the result. In practice this involves a clever mapping of the norm equation into a Pell-like equation, whose solutions lead to actual curve equations via complex multiplication (CM).

The only drawback they present is the relative rarity of suitable curves (the only embedding degrees that are known to yield solutions are \(k \in \{3, 4, 6, 10\}\), and the size of the integer solutions \(u\) grows exponentially), especially those with prime order. Historically, sparse families are divided into Miyaji-Nakabayashi-Takano (MNT) curves and Freeman curves.

MNT curves were the first publicly known construction of ordinary pairing-friendly curves [71]. Given their limited range of admissible embedding degrees (namely, \(k \in \{3, 4, 6\}\)), the apparent finiteness of MNT curves of prime order [58, 63, 92], and efficiency considerations (see e.g. [44]), MNT curves are less useful for higher security levels (say, from about \(2^{112}\) onward).

Freeman curves [43], with embedding degree \(k = 10\), are far rarer and suffer more acutely from the fact that the nonexistence of a twist of degree higher than quadratic forces its \(\mathbb {G}_2\) group to be defined over \(\mathbb {F}_{q^5}\). Besides, this quintic extension cannot be constructed using a binomial representation.

3.4 Complete Families of Curves

Instead of trying to solve the partially parameterized norm equation \(4h(u)n(u) - (t(u) - 2)^2 = DV^2\) for \(u\) and \(V\) directly as for the sparse families of curves, one can also parameterize \(V = V(u)\) as well. Solutions may exist if the parameters can be further constrained, which is usually done by considering the properties of the number field \(\mathbb {Q}[u]/n(u)\), specifically by requiring that it contains a \(k\)-th root of unity where \(k\) is the desired embedding degree. Choosing \(n(u)\) to be a cyclotomic polynomial \(\varPhi _\ell (u)\) with \(k \mid \ell \) yields the suitably named cyclotomic family of curves [10, 11, 23, 44], which enable a reasonably small ratio \(\rho := \lg (q)/\lg (n)\) (e.g. \(\rho = (k+1)/(k-1)\) for prime \(k \equiv 3 \pmod {4}\)).

Yet, there is one other family of curves that attain \(\rho \approx 1\), namely, the Barreto-Naehrig (BN) curves [12]. BN curves arguably constitute one of the most versatile classes of pairing-friendly elliptic curves. A BN curve is an elliptic curve \(E_u: y^2 = x^3 + b\) defined over a finite prime1 field \(\mathbb {F}_p\) of (typically prime) order \(n\), where \(p\) and \(n\) are given by \(p = p(u) = 36u^4 + 36u^3 + 24u^2 + 6u + 1\) and \(n = n(u) = 36u^4 + 36u^3 + 18u^2 + 6u + 1\) (hence \(t = t(u) = 6u^2 + 1\)) for \(u \in \mathbb {Z}\). One can check by straightforward inspection that \(\varPhi _{12}(t(u) - 1) = n(u) n(-u)\), hence \(\varPhi _{12}(p(u)) \equiv \varPhi _{12}(t(u) - 1) \equiv 0 \pmod {n(u)}\), so the group of order \(n(u)\) has embedding degree \(k = 12\).

BN curves also have \(j\)-invariant 0, so there is no need to resort explicitly to the CM curve construction method: all one has to do is choose an integer \(u\) of suitable size such that \(p\) and \(n\) as given by the above polynomials are prime. To find a corresponding curve, one chooses \(b \in \mathbb {F}_p\) among the six possible classes so that the curve \(E: y^2 = x^3 + b\) has order \(n\).

Furthermore, BN curves admit a sextic twist (\(d=6\)), so that one can set \(\mathbb {G}_2 = E'(\mathbb {F}_{p^2})[n]\). This twist \(E'/\mathbb {F}_{p^2}\) may be selected by finding a non-square and non-cube \(\xi \in \mathbb {F}_{p^2}\) and then checking via scalar multiplication whether the curve \(E': y^2 = x^3 + b'\) given by \(b' = b/\xi \) or by \(b' = b/\xi ^5\) has order divisible by \(n\). However, construction methods are known that dispense with such procedure, yielding the correct curve and its twist directly [80]. For convenience, following [85] we call the twist \(E': y^2 = x^3 + b/\xi \) a \(D\)-type twist, and we call the twist \(E': y^2 = x^3 + b\xi \) an \(M\)-type twist.

3.5 Holistic Families

Early works targeting specifically curves that have some efficiency advantage have focused on only one or a few implementation aspects, notably the pairing computation itself [13, 15, 38, 90].

More modern approaches tend to consider most if not all efficiency aspects that arise in pairing-based schemes [34, 36, 80]. This means that curves of those families tend to support not only fast pairing computation, but efficient finite field arithmetic for all fields involved, curve construction, generator construction for both \(\mathbb {G}_1\) and \(\mathbb {G}_2\), multiplication by a scalar in both \(\mathbb {G}_1\) and \(\mathbb {G}_2\), point sampling, hashing to the curve [42], and potentially other operations as well.

Curiously enough, there is not a great deal of diversity among the most promising such families, which comprise essentially only BN curves, BLS curves [10], and KSS curves [57].

3.6 Efficient Algorithms

Ordinary curves with small embedding degree also come equipped with efficient pairing algorithms, which tend to be variants of the Tate pairing [8, 48, 55, 60, 76] (although some fall back to the Weil pairing while remaining fairly efficient [94]). In particular, one now knows concrete practical limits to how efficient a pairing can be, in the form of the so-called optimal pairings [93].

As we pointed out, Miller functions are essential to the definition of most cryptographic pairings. Although all pairings can be defined individually in formal terms, it is perhaps more instructive to give the following constructive definitions, assuming an underlying curve \(E/\mathbb {F}_q\) containing a group \(E(\mathbb {F}_q)[n]\) of prime order \(n\) with embedding degree \(k\) and letting \(z := (q^k-1)/n\):
  • Weil pairing: \(w(P,Q) := (-1)^n f_{n,P}(Q)/f_{n,Q}(P)\).

  • Tate pairing: \(\tau (P,Q) := f_{n,P}(Q)^z\).

  • Eta pairing [7] (called the twisted Ate pairing when defined over an ordinary curve): \(\eta (P,Q) := f_{\lambda ,P}(Q)^z\) where \(\lambda ^d \equiv 1 \pmod {n}\).

  • Ate pairing [55]: \(a(P,Q) := f_{t - 1,Q}(P)^z\), where \(t\) is the trace of the Frobenius.

  • Optimized Ate and twisted Ate pairings [64]: \(a_c(P,Q) := f_{(t - 1)^c \mod n,Q}(P)^z\), \(\eta _c(P,Q) := f_{\lambda ^c \mod n,P}(Q)^z\), for some \(0 < c < k\).

  • Optimal Ate pairing [93]: \(a_{\mathrm {opt}}(P,Q) := f_{\ell ,Q}(P)^z\) for a certain \(\ell \) such that \(\lg \ell \approx (\lg n)/\varphi (k)\).

Optimal pairings achieve the shortest loop length among all of these pairings. To obtain unique values, most of these pairings (the Weil pairing is an exception) are reduced via the final exponentiation by \(z\). The very computation of \(z\) is the subject of research per se [89]. In particular, for a BN curve with parameter \(u\) there exists an optimal Ate pairing with loop length \(\ell = |6u + 2|\).

A clear trend in recent works has been to attain exceptional performance gains by limiting the allowed curves to a certain subset, sometimes to a single curve at a useful security level [4, 15, 75, 80]. In the next section, we discuss aspects pertaining such implementations.

4 Implementation Aspects

The optimal Ate pairing on BN curves has been the focus of intense implementation research in the last few years. Most remarkably, beginning in 2008, a series of works improved, each one on top of the preceding one, the practical performance on Intel 64-bit platforms [15, 54, 75]. This effort reached its pinnacle in 2011, when Aranha et al. [4] reported an implementation running in about half a millisecond (see also [62]). Since then, performance of efficient software implementations has mostly stabilized, but some aspects of pairing computation continously improved through the availability of new techniques [47], processor architecture revisions and instruction set refinements [79]. In this section, we revisit the problem of efficient pairing computation working on top of the implementation presented in [4], to explore these latest advances and provide new performance figures. Our updated implementation achieves high performance on a variety of modern 64-bit computing platforms, including both relatively old processors and latest microarchitectures.

4.1 Pairing Algorithm

The BN family of curves is ideal from an implementation point of view. Having embedding degree \(k=12\), it is perfectly suited to the 128-bit security level and a competitive candidate at the 192-bit security level for protocols involving a small number of pairing computations [2]. Additionally, the size of the family facilitates generation [80] and supports many different parameter choices, allowing for customization of software implementations to radically different computing architectures [4, 52, 53]. The optimal Ate pairing construction applied to general BN curves further provides a rather simple formulation among the potential candidates [60, 76]:
$$\begin{aligned} a_{\mathrm {opt}}: \mathbb {G}_2\times \mathbb {G}_1&\rightarrow \mathbb {G}_T\\ (Q,P)&\mapsto (f_{\ell ,Q}(P) \cdot g_{[\ell ]Q,\phi _p(Q)}(P) \cdot g_{[\ell ]Q + \phi _p(Q),-\phi _p^2(Q)}(P))^{\frac{p^{12} - 1}{n}}, \end{aligned}$$
with \(\ell = 6u + 2\), map \(\phi _p\) and groups \(\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T\) as previously defined; and an especially efficient modification of Miller’s Algorithm for accumulating all the required line evaluations in the Miller variable \(f\) (Algorithm 1).
The extension field arithmetic involving \(f\) is in fact the main building block of the pairing computation, including Miller’s algorithm and final exponentiation. Hence, its efficient implementation is crucial. To that end, it has been recommended to implement the extension field through a tower of extensions built with appropriate choices of irreducible polynomials [15, 38, 54, 80]:
$$\begin{aligned} \mathbb {F}_{p^{2}}&= \mathbb {F}_p[i]/(i^2 - \beta ), \mathrm{with }\; \beta \;{\text {a non-square}},\end{aligned}$$
(1)
$$\begin{aligned} \mathbb {F}_{p^{4}}&= \mathbb {F}_{p^{2}}[s]/(s^2 - \xi ), \mathrm{with }\; \xi \; {\text {a non-square}},\end{aligned}$$
(2)
$$\begin{aligned} \mathbb {F}_{p^{6}}&= \mathbb {F}_{p^{2}}[v]/(v^3 - \xi ), \mathrm{with }\; \xi \; {\text {a non-cube}},\end{aligned}$$
(3)
$$\begin{aligned} \mathbb {F}_{p^{12}}&= \mathbb {F}_{p^{4}}[t]/(t^3 - s)\end{aligned}$$
(4)
$$\begin{aligned}&\mathrm{or}\;\; \mathbb {F}_{p^{6}}[w]/(w^2 - v)\end{aligned}$$
(5)
$$\begin{aligned}&\mathrm{or}\;\; \mathbb {F}_{p^{2}}[w]/(w^6 - \xi ), \mathrm{with }\; \xi \; {\text {a non-square and non-cube}}. \end{aligned}$$
(6)
Note that \(\xi \) is the same non-residue used to define the twist equations in Sect. 3.4 and that converting from one towering scheme to another is possible by simply reordering coefficients. By allowing intermediate values to grow to double precision and choosing \(p\) to be a prime number slightly smaller than a multiple of the processor word, lazy reduction can be efficiently employed in all levels of the towering arithmetic [4]. A remarkably efficient set of parameters arising from the curve choice \(E(\mathbb {F}_p) : y^2 = x^3 + 2\), with \(p \equiv 3 \pmod {4}\), is \(\beta = -1\), \(\xi = (1+i)\) [80], simultaneously optimizing finite field and curve arithmetic.

4.2 Field Arithmetic

Prime fields involved in pairing computation in the asymmetric setting are commonly represented with dense moduli, resulting from the parameterized curve constructions. While the particular structure of the prime modulus has been successfully exploited for performance optimization in both software [75] and hardware [41], current software implementations rely on the standard Montgomery reduction [72] and state-of-the-art hardware implementations on the parallelization capabilities of the Residue Number System [30].

Arithmetic in the base field is usually implemented in carefully scheduled Assembly code, but the small number of words required to represent a 256-bit prime field element in a 64-bit processor encourages the use of Assembly directly in the quadratic extension field, to avoid penalties related to frequent function calls [15]. Multiplication and reduction in \(\mathbb {F}_p\) are implemented through a Comba strategy [33], but a Schoolbook approach is favored in recent Intel processors, due to the availability of the carry-preserving multiplication instruction mulx, allowing delayed handling of carries [79]. Future processors will allow similar speedups on the Comba-based multiplication and Montgomery reduction routines by carry-preserving addition instructions [78].

Divide-and-conquer approaches are used only for multiplication in \(\mathbb {F}_{p^{2}}\), \(\mathbb {F}_{p^{6}}\) and \(\mathbb {F}_{p^{12}}\), because Karatsuba is typically more efficient over extension fields, since additions are relatively inexpensive in comparison with multiplication. The full details of the formulas that we use in our implementation of extension field arithmetic can be found in [4], including the opportunities for reducing the number of Montgomery reductions via lazy reduction. The case of squaring is relatively more complex. We use the complex squaring in \(\mathbb {F}_{p^{2}}\) and, for \(\mathbb {F}_{p^{6}}\) and \(\mathbb {F}_{p^{12}}\), we employ the faster Chung-Hasan asymmetric SQR3 formula [31]. The sparseness of the line functions motivates the implementation of specialized multiplication routines for accumulating the line function into the Miller variable \(f\) (sparse multiplication) or for multiplying line functions together (sparser multiplication). For sparse multiplication over \(\mathbb {F}_{p^6}\) and \(\mathbb {F}_{p^{12}}\), we use the formulas proposed by Grewal et al. (see Algorithms 5 and 6 in [53]). Faster formulas for sparser multiplication can be trivially obtained by adapting the sparse multiplication formula to remove operations involving the missing subfield elements.

In the following, we closely follow notation for operation costs from [4]. Let \(m,s,a,i\) denote the cost of multiplication, squaring, addition and inversion in \(\mathbb {F}_p\), respectively; \(\tilde{m}, \tilde{s}, \tilde{a}, \tilde{\imath }\) denote the cost of multiplication, squaring, addition and inversion in \(\mathbb {F}_{p^{2}}\), respectively; \(m_u,s_u,r\) denote the cost of unreduced multiplication and squaring producing double-precision results, and modular reduction of double-precision integers, respectively; \(\tilde{m}_u,\tilde{s}_u,\tilde{r}\) denote the cost of unreduced multiplication and squaring, and modular reduction of double-precision elements in \(\mathbb {F}_{p^{2}}\), respectively. To simplify the operation count, we consider the cost of field subtraction, negation and division by two equivalent to that of field addition. Also, one double-precision addition is considered equivalent to the cost of two single-precision additions.

4.3 Curve Arithmetic

Pairings can be computed over elliptic curves represented in any coordinate system, but popular choices have been homogeneous projective and affine coordinates, depending on the ratio between inversion and multiplication. Jacobian coordinates were initially explored in a few implementations [15, 75], but ended superseded by homogeneous coordinates because of their superior efficiency [35]. Point doublings and their corresponding line evaluations usually dominate the cost of the Miller loop, since efficient parameters tend to minimize the Hamming weight of the Miller variable \(\ell \) and the resulting number of points additions. Below, we review and slightly refine the best formulas available for the curve arithmetic involved in pairing computation on affine and homogeneous projective coordinates.

Affine Coordinates. The choice of affine coordinates has proven more useful at higher security levels and embedding degrees, due to the action of the norm map on simplifying the computation of inverses at higher extensions [59, 86]. The main advantages of affine coordinates are the simplicity of implementation and format of the line functions, allowing faster accumulation inside the Miller loop if the additional sparsity is exploited. If \(T = (x_1,y_1)\) is a point in \(E'(\mathbb {F}_{p^{2}})\), one can compute the point \(2T := T + T\) with the following formula [53]:
$$\begin{aligned} \begin{array}{c} \lambda = \displaystyle \frac{3x_1^2}{2y_1},\,\,\, x_3 = \lambda ^2 - 2x_1,\,\,\, y_3 = (\lambda x_1 - y_1) - \lambda x_3. \end{array} \end{aligned}$$
(7)
When \(E'\) is a \(D\)-type twist given by the twisting isomorphism \(\psi \), the tangent line evaluated at \(P = (x_P,y_P)\) has the format \(g_{2\psi (T)}(P) = y_P - \lambda x_Pw + (\lambda x_1 - y_1)w^3\) according to the tower representation given by Eq. (6). This function can be evaluated at a cost of \(3\tilde{m} + 2\tilde{s} + 7\tilde{a} + \tilde{\imath } + 2m\) with the precomputation cost of \(1a\) to compute \(\overline{x}_P = -x_P\) [53]. By performing more precomputation as \(y'_P = 1/y_P\) and \(x'_P = \overline{x}_P/y_P\), we can simplify the tangent line further:
$$\begin{aligned} y'_P \cdot g_{2\psi (T)}(P) = 1 + \lambda x'_Pw + y'_P(\lambda x_1 - y_1)w^3. \end{aligned}$$
Since the final exponentiation eliminates any subfield element multiplying the pairing value, this modification does not change the pairing result. Computing the simpler line function now requires \(3\tilde{m} + 2\tilde{s} + 7\tilde{a} + \tilde{\imath } + 4m\) with an additional precomputation cost of \((i + m)\):
$$\begin{aligned} \begin{array}{c} A = \dfrac{1}{2y_1},\,\,\,B = 3x_1^2,\,\,\,C = AB,\,\,\,D = 2x_1,\,\,\,x_3 = C^2 - D,\\ \,\,\,E = Cx_1 - y_1,\,\,\,y_3 = E - Cx_3,\,\,\,F = Cx'_P,\,\,\,G = Ey'_P,\\ y'_P \cdot g_{2\psi (T)}(P) = 1 + Fw + Gw^3. \end{array} \end{aligned}$$
This clearly does not save any operations compared to Eq. (7) and increases the cost by \(2m\). However, the simpler format allows the faster accumulation \(f^2 \cdot g_{2\psi (T)}(P) = (f_0 + f_1w)(1 + g_1w)\), where \(f_0,f_1,g_1 \in \mathbb {F}_{p^{6}}\), by saving \(6m\) corresponding to the multiplication between \(y_P\) and each subfield element of \(f_0\). The performance trade-off compared to [53] is thus \(4m\) per Miller doubling step.
When different points \(T = (x_1,y_1)\) and \(Q = (x_2,y_2)\) are considered, the point \(T + Q\) can be computed with the following formula:
$$\begin{aligned} \begin{array}{c} \lambda = \dfrac{y_2 - y_1}{x_2 - x_1},\,\,\, x_3 = \lambda ^2 - x_2 - x_1,\,\,\, y_3 = \lambda (x_1 - x_3) - y_1. \end{array} \end{aligned}$$
(8)
Applying the same trick described above gives the same performance trade-off, with a cost of \(3\tilde{m} + \tilde{s} + 6\tilde{a} + \tilde{\imath } + 4m\) [53]:
$$\begin{aligned} \begin{array}{c} A = \dfrac{1}{x_2 - x_1},\,\,\,B = y_2 - y_1,\,\,\,C = AB,\,\,\,D = x_1 + x_2,\,\,\,x_3 = C^2 - D,\\ \,\,\,E = Cx_1 - y_1,\,\,\,y_3 = E - Cx_3,\,\,\,F = Cx'_P,\,\,\,G = Ey'_P,\\ y'_P \cdot g_{\psi (T),\psi (Q)}(P) = 1 + Fw + Gw^3. \end{array} \end{aligned}$$
The technique can be further employed in \(M\)-type twists, conserving their equivalent performance to \(D\)-type twists [53], with some slight changes in the formula format and accumulation multiplier. A generalization for other pairing-friendly curves with degree-\(d\) twists and even embedding degree \(k\) would provide a performance trade-off of \((k/2 - k/d)\) multiplications per step in Miller’s Algorithm. The same idea was independently proposed and slightly improved in [73].
Homogeneous Projective Coordinates. The choice of projective coordinates has proven especially advantageous at the 128-bit security level for single pairing computation, due to the typically large inversion/multiplication ratio in this setting. If \(T = (X_1,Y_1,Z_1) \in E'(\mathbb {F}_{p^{2}})\) is a point in homogeneous coordinates, one can compute the point \(2T = (X_3,Y_3,Z_3)\) with the following formula [4]:
$$\begin{aligned} \begin{array}{c} X_3 = \displaystyle \frac{X_1Y_1}{2}(Y_1^2-9b'Z_1^2), \\ Y_3 = \left[ \displaystyle \frac{1}{2}(Y_1^2+9b'Z_1^2)\right] ^2-27b'^2Z_1^4,\,\,\, Z_3 = 2Y_1^3Z_1. \end{array} \end{aligned}$$
(9)
The twisting point \(P\) can be represented by \((x_Pw, y_P)\). When \(E'\) is a \(D\)-type twist given by the twisting isomorphism \(\psi \), the tangent line evaluated at \(P = (x_P,y_P)\) can be computed with the following formula [53]:
$$\begin{aligned} g_{2\psi (T)}(P) = -2YZy_P + 3X^2x_Pw + (3b'Z^2-Y^2)w^3 \end{aligned}$$
(10)
Equation (10) is basically the same line evaluation formula presented in [35] plus an efficient selection of the positioning of terms (obtained by multiplying the line evaluation by \(w^3\)), which was suggested in [53] to obtain a fast sparse multiplication in the Miller loop (in particular, the use of terms \(1, w\) and \(w^3\) [53] induces a sparse multiplication that saves \(13\tilde{a}\) in comparison to the use of terms \(1, v^2\) and \(wv\) in [4]). The full doubling/line function formulae in [35] costs \(2\tilde{m} + 7\tilde{s} + 23\tilde{a} + 4m + m_{b'}\). Based on Eqs. (9) and (10), [53] reports a cost of \(2\tilde{m} + 7\tilde{s} + 21\tilde{a} + 4m + m_{b'}\). We observe that the same formulae can be evaluated at a cost of only \(2\tilde{m} + 7\tilde{s} + 19\tilde{a} + 4m + m_{b'}\) with the precomputation cost of \(3a\) to compute \(\overline{y}_P = -y_P\) and \(x'_P = 3x_P\). Note that all these costs consider the computation of \(X_1 \cdot Y_1\) using the equivalence \(2XY = (X+Y)^2 - X^2 - Y^2\). We remark that, as in Aranha et al. [4], on x64 platforms it is more efficient to compute such term with a direct multiplication since \(\tilde{m} - \tilde{s} < 3\tilde{a}\). Considering this scenario, the cost applying our precomputations is then given by \(3\tilde{m} + 6\tilde{s} + 15\tilde{a} + 4m + m_{b'}\). Finally, further improvements are possible if \(b\) is cleverly selected [80]. For instance, if \(b=2\) then \(b'=2/(1+i)=1-i\), which minimizes the number of additions and subtractions. Computing the simpler doubling/line function now requires \(3\tilde{m} + 6\tilde{s} + 16\tilde{a} + 4m\) with the precomputation cost of \(3a\) (in comparison to the computation proposed in [4, 35, 53], we save \(2\tilde{a}, 3\tilde{a}\) and \(5\tilde{a}\), respectively, when \(\tilde{m} - \tilde{s} < 3\tilde{a}\)):
$$\begin{aligned} \begin{array}{c} A = X_1 \cdot Y_1/2,\,\,\, B = Y_1^2,\,\,\, C = Z_1^2,\,\,\, D = 3C,\,\,\, E_0 = D_0+D_1, \\ E_1 = D_1-D_0,\,\,\, F = 3E,\,\,\, X_3 = A \cdot (B - F),\,\,\, G = (B + F)/2, \\ Y_3 = G^2 - 3E^2,\,\,\, H = \left( Y_1+Z_1 \right) ^2 - (B+C),\,\,\, Z_3 = B \cdot H, \\ g_{2\psi (T)}(P) = H\bar{y_P} + X_1^2x'_Pw + (E-B)w^3. \end{array} \end{aligned}$$
(11)
Similarly, if \(T = (X_1,Y_1,Z_1)\) and \(Q = (x_2,y_2) \in E'(\mathbb {F}_{p^{2}})\) are points in homogeneous and affine coordinates, respectively, one can compute the point \(T+Q = (X_3,Y_3,Z_3)\) with the following formula:
$$\begin{aligned} \begin{array}{c} X_3 = \lambda (\lambda ^3 + Z_1\theta ^2 - 2X_1\lambda ^2), \\ Y_3 = \theta (3X_1\lambda ^2 - \lambda ^3 - Z_1\theta ^2) - Y_1 \lambda ^3,\,\,\, Z_3 = Z_1\lambda ^3, \end{array} \end{aligned}$$
(12)
where \(\theta = Y_1 - y_2 Z_1\) and \(\lambda = X_1 - x_2 Z_1\). In the case of a \(D\)-type twist, the line evaluated at \(P = (x_P,y_P)\) can be computed with the following formula [53]:
$$\begin{aligned} g_{\psi (T+Q)}(P) = -\lambda y_P - \theta x_Pw + (\theta X_2 - \lambda Y_2)w^3. \end{aligned}$$
(13)
Similar to the case of doubling, Eq. (13) is basically the same line evaluation formula presented in [35] plus an efficient selection of the positioning of terms suggested in [53] to obtain a fast sparse multiplication inside the Miller loop. The full mixed addition/line function formulae can be evaluated at a cost of \(11\tilde{m} + 2\tilde{s} + 8\tilde{a} + 4m\) with the precomputation cost of \(2a\) to compute \(\overline{x}_P = -x_P\) and \(\overline{y}_P = -y_P\) [53]:
$$\begin{aligned} \begin{array}{c} A=Y_2Z_1,\,\,\, B=X_2Z_1,\,\,\, \theta = Y_1-A,\,\,\, \lambda =X_1-B,\,\,\, C=\theta ^2, \\ D=\lambda ^2,\,\,\, E=\lambda ^3,\,\,\, F=Z_1 C,\,\,\, G=X_1 D,\,\,\, H=E+F-2G, \\ X_3=\lambda H,\,\,\, I = Y_1 E,\,\,\, Y_3=\theta (G-H)-I,\,\,\, Z_3 = Z_1E,\,\,\, J = \theta X_2 - \lambda Y_2, \\ g_{2\psi (T)}(P) = \lambda \bar{y}_P + \theta \bar{x}_Pw + Jw^3. \end{array} \end{aligned}$$
In the case of an \(M\)-type twist, the line function evaluated at \(\psi (P)=(x_P w^2, y_Pw^3)\) can be computed with the same sequence of operations shown above.

4.4 Operation Count

Table 1 presents a detailed operation count for each operation relevant in the computation of a pairing over a BN curve, considering all the improvements described in the previous section. Using these partial numbers, we obtain an operation count for the full pairing computation on a fixed BN curve.
Table 1.

Computational cost for arithmetic required by Miller’s Algorithm.

\({E'(\mathbb {F}_{p^{2}})}\)-Arithmetic

Operation count

Precomp. (Affine)

\(i + m + a\)

Precomp. (Proj)

\(4a\)

Dbl./Eval. (Affine)

\(3\tilde{m} + 2\tilde{s} + 7\tilde{a} + \tilde{\imath } + 4m\)

Add./Eval. (Affine)

\(3\tilde{m} + \tilde{s} + 6\tilde{a} + \tilde{\imath } + 4m\)

Dbl./Eval. (Proj)

\(3\tilde{m}_u + 6\tilde{s}_u + 8\tilde{r} + 19\tilde{a} + 4m\)

Add./Eval. (Proj)

\(11\tilde{m}_u + 2\tilde{s}_u + 11\tilde{r} + 10\tilde{a} + 4m\)

\(p\)-power Frobenius

\(2\tilde{m} + 2a\)

\(p^2\)-power Frobenius

\(2m + \tilde{a}\)

Negation

\(\tilde{a}\)

\({\mathbb {F}_{p^{2}}}\)-Arithmetic

Operation count

Add./Sub./Neg.

\(\tilde{a} = 2a\)

Conjugation

\(a\)

Multiplication

\(\tilde{m} = \tilde{m}_u + \tilde{r} = 3m_u + 2r + 8a\)

Squaring

\(\tilde{s} = \tilde{s}_u + \tilde{r} =2m_u + 2r + 3a\)

Multiplication by \(\beta \)

\(a\)

Multiplication by \(\xi \)

\(2a\)

Inversion

\(\tilde{\imath } = i + 2s_u + 2m_u + 2r + 3a\)

\({\mathbb {F}_{p^{12}}}\)-Arithmetic

Operation count

Add./Sub.

\(6\tilde{a}\)

Conjugation

\(3\tilde{a}\)

Multiplication

\(18\tilde{m}_u + 6\tilde{r} + 110\tilde{a}\)

Sparse Mult. (Affine)

\(10\tilde{m}_u + 6\tilde{r} + 31\tilde{a}\)

Sparser Mult. (Affine)

\(5\tilde{m}_u + 3\tilde{r} + 13\tilde{a}\)

Sparse Mult. (Proj)

\(13\tilde{m}_u + 6\tilde{r} + 48\tilde{a}\)

Sparser Mult. (Proj)

\(6\tilde{m}_u + 5\tilde{r} + 22\tilde{a} \)

Squaring

\(3\tilde{m}_u + 12\tilde{s}_u + 6\tilde{r} + 93\tilde{a}\)

Cyc. Squaring

\(9\tilde{s}_u + 6\tilde{r} + 46\tilde{a}\)

Comp. Squaring

\(6\tilde{s}_u + 4\tilde{r} + 31\tilde{a}\)

Simult. Decomp.

\(9\tilde{m} + 6\tilde{s} + 22\tilde{a} + \tilde{\imath }\)

\(p\)-power Frobenius

\(5\tilde{m} + 6a\)

\(p^2\)-power Frobenius

\(10m + 2\tilde{a}\)

\(p^3\)-power Frobenius

\(5\tilde{m} + 2\tilde{a} + 6a\)

Inversion

\(23\tilde{m}_u + 11\tilde{s}_u + 16\tilde{r}+129\tilde{a} + \tilde{\imath }\)

Miller Loop. Sophisticated pairing-based protocols may impose additional restrictions on the parameter choice along with some performance penalty, for example requiring the cofactor of the \(\mathbb {G}_T\) group to be a large prime number [87]. For efficiency and a fair comparison with related works, we adopt the parameters \(\beta \), \(\xi \), \(b = 2\), \(u = -(2^{62} + 2^{55} + 1)\) from [80]. For this set of parameters, the Miller loop in Algorithm 1 and the final line evaluations execute some amount of precomputation for accelerating the curve arithmetic formulas, 64 points doublings with line evaluations and 6 point additions with line evaluations; a single \(p\)-power Frobenius, a single \(p^2\)-power Frobenius and 2 negations in \(E'(\mathbb {F}_{p^{2}})\); and 66 sparse accumulations in the Miller variable, 2 sparser multiplications, 1 multiplication, 1 conjugation and 63 squarings in \(\mathbb {F}_{p^{12}}\). The corresponding costs in affine and homogeneous projective coordinates are, respectively:
$$\begin{aligned} \mathrm{MLA }&= (i + m + a) + 64 \cdot (3\tilde{m} + 2\tilde{s} + 7\tilde{a} + \tilde{\imath } + 4m)\\&+ ~6 \cdot (3\tilde{m} + \tilde{s} + 6\tilde{a} + \tilde{\imath } + 4m) + 2\tilde{m} + 2a + 2m + 2\tilde{a}\\&+ ~66 \cdot (10\tilde{m}_u + 6\tilde{r} + 31\tilde{a}) + 2 \cdot (5\tilde{m}_u + 3\tilde{r} + 13\tilde{a})\\&+ ~3\tilde{a} + (18\tilde{m}_u + 6\tilde{r} + 110\tilde{a}) + 63 \cdot (3\tilde{m}_u + 12\tilde{s}_u + 6\tilde{r} + 93\tilde{a})\\&= 1089\tilde{m}_u + 890\tilde{s}_u + 1132\tilde{r} + 8530\tilde{a} + 70\tilde{\imath } + i + 283m + 3a. \end{aligned}$$
$$\begin{aligned} \mathrm{MLP }&= (4a) + 64 \cdot (3\tilde{m}_u + 6\tilde{s}_u + 8\tilde{r} + 19\tilde{a} + 4m)\\&+ ~6 \cdot (11\tilde{m}_u + 2\tilde{s}_u + 11\tilde{r} + 10\tilde{a} + 4m) + 2\tilde{m} + 2a + 2m + 2\tilde{a}\\&+ ~66 \cdot (13\tilde{m}_u + 6\tilde{r} + 48\tilde{a}) + 2 \cdot (6\tilde{m}_u + 5\tilde{r} + 22\tilde{a})\\&+ ~3\tilde{a} + (18\tilde{m}_u + 6\tilde{r} + 110\tilde{a}) + 63 \cdot (3\tilde{m}_u + 12\tilde{s}_u + 6\tilde{r} + 93\tilde{a})\\&= ~1337\tilde{m}_u + 1152\tilde{s}_u + 1388\tilde{r} + 10462\tilde{a} + 282m + 6a. \end{aligned}$$
Final Exponentiation. For computing the final exponentiation, we employ the state-of-the-art approach by [47] in the context of BN curves. As initially proposed by [89], power \(\frac{p^{12} - 1}{r}\) is factored into the easy exponent \((p^6 - 1)(p^2 + 1)\) and the hard exponent \(\frac{p^4 - p^2 + 1}{n}\). The easy power is computed by a short sequence of multiplications, conjugations, fast applications of the Frobenius map [15] and a single inversion in \(\mathbb {F}_{p^{12}}\). The hard power is computed in the cyclotomic subgroup, where additional algebraic structure allows elements to be compressed and squared consecutively in their compressed form, with decompression required only when performing multiplications [4, 74, 88].
Moreover, lattice reduction is able to obtain parameterized multiples of the hard exponent and significantly reduce the length of the addition chain involved in that exponentiation [47]. In total, the hard part of the final exponentiation requires 3 exponentiations by parameter \(u\), 3 squarings in the cyclotomic subgroup, 10 full extension field multiplications and 3 applications of the Frobenius maps with increasing \(p\)th-powers. We refer to [4] for the cost of an exponentiation by our choice of \(u\) and compute the exact operation count of the final exponentiation:
$$\begin{aligned} \mathrm{FE }&= (23\tilde{m}_u + 11\tilde{s}_u + 16\tilde{r} + 129\tilde{a} + \tilde{\imath }) + 3\tilde{a} + 12 \cdot (18\tilde{m}_u + 6\tilde{r} + 110\tilde{a})\\&+ ~3 \cdot (45\tilde{m}_u + 378\tilde{s}_u + 275\tilde{r} + 2164\tilde{a} + \tilde{\imath }) + 3 \cdot (9\tilde{s}_u + 6\tilde{r} + 46\tilde{a})\\&+ ~(5\tilde{m} + 6a) + 2 \cdot (10m + 2\tilde{a}) + (5\tilde{m} + 2\tilde{a} + 6a)\\&= ~384\tilde{m}_u + 1172\tilde{s}_u + 941\tilde{r} + 8085\tilde{a} + 4\tilde{\imath } + 20m + 12a. \end{aligned}$$

4.5 Results and Discussion

The combined cost for a pairing computation in homogeneous projective coordinates can then be expressed as:
$$\begin{aligned} \mathrm{MLP }+\mathrm{FE }&= 1721\tilde{m}_u + 2324\tilde{s}_u + 2329\tilde{r} + 18547\tilde{a} + 4\tilde{\imath } + i + 302m + 18a\\&= 9811m_u + 4658r + 57384a + 4\tilde{\imath } + i + 302m + 18a\\&= 10113m_u + 4960r + 57852a + 4\tilde{\imath } + i. \end{aligned}$$
A direct comparison with a previous record-setting implementation [4], considering only the number of multiplications in \(\mathbb {F}_p\) generated by arithmetic in \(\mathbb {F}_{p^{2}}\) as the performance metric, shows that our updated implementation in projective coordinates saves 3.4 % of the base field multiplications. This reflects the faster final exponentiation adopted from [47] and the more efficient formulas for inversion and squaring in \(\mathbb {F}_{p^{12}}\). These formulas were not the most efficient in [4] due to higher number of additions, but this additional cost is now offset by improved addition handling and faster division by 2. Now comparing the total number of multiplications with more recent implementations [69, 95], our updated implementation saves 1.9 %, or 198 multiplications.
The pairing code was implemented in the C programming language, with the performance-critical code implemented in Assembly. The compiler used was GCC version 4.7.0, with switches turned on for loop unrolling, inlining of small functions to reduce function call overhead and optimization level \(\mathtt {-O3}\). Performance experiments were executed in a broad set of 64-bit Intel-compatible platforms: older Nehalem Core i5 540M 2.53 GHz and AMD Phenom II 3.0 GHz processors, and modern Sandy Bridge Xeon E31270 3.4 GHz and Ivy Bridge Core i5 3570 3.4 GHz processors, including a recent Haswell Core i7 4750 HQ 2.0 GHz processor. All machines had automatic overclocking capabilities disabled to reduce randomness in the results. Table 2 presents the timings split in the Miller loop and final exponentiation. This is not only useful for more fine-grained comparisons, but also to allow more accurate estimates of the latency of multi-pairings or precomputed pairings. The complete implementation will be made available in the next release of the RELIC toolkit [3].
Table 2.

Comparison between implementations based on affine and projective coordinates on 64-bit architectures. Timings are presented in \(10^3\) clock cycles and were collected as the average of \(10^4\) repetitions of the same operation. Target platforms are AMD Phenom II (P II) and Intel Nehalem (N), Sandy Bridge (SB), Ivy Bridge (IB), Haswell (H) with or without support to the mulx instruction.

 

Platform

Operation

N

P II

SB

IB

H

H+mulx

Affine Miller loop

1,680

1,341

1,365

1,315

1,259

1,212

Projective Miller loop

1,170

862

856

798

721

704

Final exponentiation

745

557

572

537

492

473

Affine pairing

2,425

1,898

1,937

1,852

1,751

1,685

Projective pairing

1,915

1,419

1,428

1,335

1,213

1,177

We obtain several performance improvements in comparison with current literature. Our implementation based on projective coordinates improves results from [4] by 6 % and 9 % in the Nehalem and Phenom II machines, respectively. Comparing to an updated version [95] of a previous record setting implementation [15], our Sandy Bridge timings are faster by 82,000 cycles, or 5 %. When independently benchmarking their available software in the Ivy Bridge machine, we observe a latency of 1,403 K cycles, thus an improvement by our software of 5 %. Now considering the Haswell results from the same software available at [69], we obtain a speedup of 8 % without taking into account the mulx instruction and comparable performance when mulx is employed. It is also interesting to note that the use of mulx injects a relatively small speedup of 3 %. When exploiting such an instruction, the lack of carry-preserving addition instructions in the first generation of Haswell processors makes an efficient implementation of Comba-based multiplication and Montgomery reduction difficult, favoring the use of the typically slower Schoolbook versions. We anticipate a better support for Comba variants with the upcoming addition instructions [78].

In the implementation based on affine coordinates, the state-of-the-art results at the 128-bit security level is the one described by Acar et al. [1]. Unfortunately, only the latency of 15,6 million cycles on a Core 2 Duo is provided for 64-bit Intel architectures. While this does not allow a direct comparison, observing the small performance improvement between the Core 2 Duo and Nehalem reported in [4] implies that our affine implementation should be around 6 times faster than [1] when executed in the same machine.

Despite being slower than our own projective version, our affine implementation is still considerably faster than some previous speed records on projective coordinates [15, 54, 75]. This hints at the possibility that affine pairings could be improved even further, contrary to the naive intuition that the affine representation is exceedingly worse than a projective approach.

5 Conclusion

Pairings are amazingly flexible tools that enable the design of innovative cryptographic protocols. Their complex implementation has been the focus of intense research since the beginning of the millennium in what became a formidable race to make it efficient and practical.

We have reviewed the theory behind pairings and covered state-of-the-art algorithms, and also presented some further optimizations to the pairing computation in affine and projective coordinates, and analyzed the performance of the most efficient algorithmic options for pairing computation over ordinary curves at the 128-bit security level. In particular, our implementations of affine and projective pairings using Barreto-Naehrig curves shows that the efficiency of these two approaches are not as contrasting as it might seem, and hints that further optimizations might be possible. Remarkably, the combination of advances in processor technology and carefully crafted algorithms brings the computation of pairings close to the one million cycle mark.

Footnotes

  1. 1.

    Although there is no theoretical reason not to choose \(p\) to be a higher prime power, in practice such parameters are exceedingly rare and anyway unnecessary, so usually \(p\) is taken to be simply a prime.

Notes

Acknowledgements

The authors would like to thank Tanja Lange for the many suggestions to improve the quality of this paper.

References

  1. 1.
    Acar, T., Lauter, K., Naehrig, M., Shumow, D.: Affine pairings on ARM. In: Abdalla, M., Lange, T. (eds.) Pairing 2012. LNCS, vol. 7708, pp. 203–209. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  2. 2.
    Aranha, D.F., Fuentes-Castañeda, L., Knapp, E., Menezes, A., Rodríguez-Henríquez, F.: Implementing pairings at the 192-bit security level. In: Abdalla, M., Lange, T. (eds.) Pairing 2012. LNCS, vol. 7708, pp. 177–195. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  3. 3.
    Aranha, D.F., Gouvêa, C.P.L.: RELIC is an Efficient LIbrary for Cryptography. http://code.google.com/p/relic-toolkit/
  4. 4.
    Aranha, D.F., Karabina, K., Longa, P., Gebotys, C.H., López, J.: Faster explicit formulas for computing pairings over ordinary curves. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 48–68. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  5. 5.
    Balfanz, D., Durfee, G., Shankar, N., Smetters, D.K., Staddon, J., Wong, H.C.: Secret handshakes from pairing-based key agreements. In: IEEE Symposium on Security and Privacy - S&P 2003, Berkeley, USA, pp. 180–196. IEEE Computer Society (2003)Google Scholar
  6. 6.
    Barbulescu, R., Gaudry, P., Joux, A., Thomé, E.: A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. Cryptology ePrint Archive, Report 2013/400 (2013). http://eprint.iacr.org/2013/400
  7. 7.
    Barreto, P.S.L.M., Galbraith, S.D., ÓhÉigeartaigh, C., Scott, M.: Efficient pairing computation on supersingular abelian varieties. Des. Codes Crypt. 42(3), 239–271 (2007)CrossRefMATHGoogle Scholar
  8. 8.
    Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M.: Efficient algorithms for pairing-based cryptosystems. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 354–369. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  9. 9.
    Barreto, P.S.L.M., Libert, B., McCullagh, N., Quisquater, J.-J.: Efficient and provably-secure identity-based signatures and signcryption from bilinear maps. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 515–532. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  10. 10.
    Barreto, P.S.L.M., Lynn, B., Scott, M.: Constructing elliptic curves with prescribed embedding degrees. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 257–267. Springer, Heidelberg (2003) Google Scholar
  11. 11.
    Barreto, P.S.L.M., Lynn, B., Scott, M.: On the selection of pairing-friendly groups. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 17–25. Springer, Heidelberg (2004)Google Scholar
  12. 12.
    Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)Google Scholar
  13. 13.
    Benger, N., Scott, M.: Constructing tower extensions of finite fields for implementation of pairing-based cryptography. In: Hasan, M.A., Helleseth, T. (eds.) WAIFI 2010. LNCS, vol. 6087, pp. 180–195. Springer, Heidelberg (2010) Google Scholar
  14. 14.
    Benson, K., Shacham, H., Waters, B.: The \(k\)-BDH assumption family: bilinear map cryptography from progressively weaker assumptions. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 310–325. Springer, Heidelberg (2013) Google Scholar
  15. 15.
    Beuchat, J.-L., González-Díaz, J.E., Mitsunari, S., Okamoto, E., Rodríguez-Henríquez, F., Teruya, T.: High-speed software implementation of the optimal ate pairing over Barreto–Naehrig curves. In: Joye, M., Miyaji, A., Otsuka, A. (eds.) Pairing 2010. LNCS, vol. 6487, pp. 21–39. Springer, Heidelberg (2010) Google Scholar
  16. 16.
    Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  17. 17.
    Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  18. 18.
    Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003)CrossRefMATHMathSciNetGoogle Scholar
  19. 19.
    Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  20. 20.
    Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  21. 21.
    Boyen, X.: Multipurpose identity-based signcryption: A swiss army knife for identity-based cryptography. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 383–399. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  22. 22.
    Boyen, X., Waters, B.: Anonymous hierarchical identity-based encryption (without random oracles). In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 290–307. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  23. 23.
    Brezing, F., Weng, A.: Elliptic curves suitable for pairing based cryptography. Des. Codes Crypt. 37(1), 133–141 (2005)CrossRefMATHMathSciNetGoogle Scholar
  24. 24.
    Cha, J.C., Cheon, J.H.: An identity-based signature from gap Diffie-Hellman groups. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 18–30. Springer, Heidelberg (2002)Google Scholar
  25. 25.
    Chen, L., Cheng, Z., Smart, N.P.: Identity-based key agreement protocols from pairings. Int. J. Inf. Secur. 6(4), 213–241 (2007)CrossRefGoogle Scholar
  26. 26.
    Chen, X., Zhang, F., Kim, K.: New ID-based group signature from pairings. J. Electron. (China) 23(6), 892–900 (2006)CrossRefGoogle Scholar
  27. 27.
    Chen, X., Zhang, F., Susilo, W., Tian, H., Li, J., Kim, K.: Identity-based chameleon hash scheme without key exposure. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 200–215. Springer, Heidelberg (2010) Google Scholar
  28. 28.
    Cheon, J.H.: Security analysis of the strong Diffie-Hellman problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 1–11. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  29. 29.
    Cheon, J.H.: Discrete logarithm problems with auxiliary inputs. J. Cryptology 23(3), 457–476 (2010)CrossRefMATHMathSciNetGoogle Scholar
  30. 30.
    Cheung, R.C.C., Duquesne, S., Fan, J., Guillermin, N., Verbauwhede, I., Yao, G.X.: FPGA implementation of pairings using residue number system and lazy reduction. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 421–441. Springer, Heidelberg (2011) Google Scholar
  31. 31.
    Chung, J., Hasan, M.: Asymmetric squaring formulae. In: 18th IEEE Symposium on Computer Arithmetic - ARITH-18 2007, pp. 113–122 (2007)Google Scholar
  32. 32.
    Cocks, C., Pinch, R.G.E.: Identity-based cryptosystems based on the Weil pairing (2001) (unpublished manuscript)Google Scholar
  33. 33.
    Comba, P.G.: Exponentiation cryptosystems on the IBM PC. IBM Syst. J. 29(4), 526–538 (1990)CrossRefGoogle Scholar
  34. 34.
    Costello, C.: Particularly friendly members of family trees. Cryptology ePrint Archive, Report 2012/072 (2012). http://eprint.iacr.org/
  35. 35.
    Costello, C., Lange, T., Naehrig, M.: Faster pairing computations on curves with high-degree twists. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 224–242. Springer, Heidelberg (2010) Google Scholar
  36. 36.
    Costello, C., Lauter, K., Naehrig, M.: Attractive subfamilies of BLS curves for implementing high-security pairings. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 320–342. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  37. 37.
    Crandall, R., Pomerance, C.: Prime Numbers: A Computational Perspective. Springer, Berlin (2001)CrossRefGoogle Scholar
  38. 38.
    Devegili, A.J., Scott, M., Dahab, R.: Implementing cryptographic pairings over Barreto-Naehrig curves. In: Takagi, T., Okamoto, E., Okamoto, T., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 197–207. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  39. 39.
    Dupont, R., Enge, A., Morain, F.: Building curves with arbitrary small MOV degree over finite prime fields. J. Cryptology 18(2), 79–89 (2005)CrossRefMATHMathSciNetGoogle Scholar
  40. 40.
    Duursma, I., Lee, H.-S.: Tate pairing implementation for hyperelliptic curves \(y^{2}=x^{p}-x+d\). In: Laih, C.S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 111–123. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  41. 41.
    Fan, J., Vercauteren, F., Verbauwhede, I.: Efficient hardware implementation of \(\mathbb{F}_p\)-arithmetic for pairing-friendly curves. IEEE Trans. Comput. 61(5), 676–685 (2012)CrossRefMathSciNetGoogle Scholar
  42. 42.
    Fouque, P.-A., Tibouchi, M.: Indifferentiable hashing to Barreto-Naehrig curves. In: Hevia, A., Neven, G. (eds.) LatinCrypt 2012. LNCS, vol. 7533, pp. 1–17. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  43. 43.
    Freeman, D.: Constructing pairing-friendly elliptic curves with embedding degree 10. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 452–465. Springer, Heidelberg (2006) Google Scholar
  44. 44.
    Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. J. Cryptology 23(2), 224–280 (2010)CrossRefMATHMathSciNetGoogle Scholar
  45. 45.
    Frey, G., Müller, M., Rück, H.: The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems. IEEE Trans. Inf. Theory 45(5), 1717–1719 (1999)CrossRefMATHGoogle Scholar
  46. 46.
    Frey, G., Rück, H.G.: A remark concerning \(m\)-divisibility and the discrete logarithm problem in the divisor class group of curves. Math. Comput. 62, 865–874 (1994)MATHGoogle Scholar
  47. 47.
    Fuentes-Castañeda, L., Knapp, E., Rodríguez-Henríquez, F.: Faster hashing to \({\mathbb{G}}_2\). In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 412–430. Springer, Heidelberg (2012) Google Scholar
  48. 48.
    Galbraith, S.D., Harrison, K., Soldera, D.: Implementing the Tate pairing. In: Fieker, C., Kohel, D.R. (eds.) ANTS 2002. LNCS, vol. 2369, pp. 324–337. Springer, Heidelberg (2002) Google Scholar
  49. 49.
    Galbraith, S.D.: Supersingular curves in cryptography. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 495–513. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  50. 50.
    Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discrete Appl. Math. 156(16), 3113–3121 (2008)CrossRefMATHMathSciNetGoogle Scholar
  51. 51.
    Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  52. 52.
    Gouvêa, C.P.L., López, J.: Software implementation of pairing-based cryptography on sensor networks using the MSP430 microcontroller. In: Roy, B., Sendrier, N. (eds.) INDOCRYPT 2009. LNCS, vol. 5922, pp. 248–262. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  53. 53.
    Grewal, G., Azarderakhsh, R., Longa, P., Hu, S., Jao, D.: Efficient implementation of bilinear pairings on ARM processors. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 149–165. Springer, Heidelberg (2013) Google Scholar
  54. 54.
    Hankerson, D., Menezes, A., Scott, M.: Software implementation of pairings. In: Identity-Based Cryptography, ch. 12, pp. 188–206. IOS Press, Amsterdam (2008)Google Scholar
  55. 55.
    Hess, F., Smart, N., Vercauteren, F.: The eta pairing revisited. IEEE Trans. Inf. Theory 52, 4595–4602 (2006)CrossRefMATHMathSciNetGoogle Scholar
  56. 56.
    Joux, A.: A one-round protocol for tripartite Diffie-Hellman. In: Bosma, W. (ed.) ANTS 2000. LNCS, vol. 1838, pp. 385–394. Springer, Heidelberg (2000)Google Scholar
  57. 57.
    Kachisa, E.J., Schaefer, E.F., Scott, M.: Constructing Brezing-Weng pairing-friendly elliptic curves using elements in the cyclotomic field. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 126–135. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  58. 58.
    Karabina, K., Teske, E.: On prime-order elliptic curves with embedding degrees \(k\) = 3, 4, and 6. In: van der Poorten, A.J., Stein, A. (eds.) ANTS-VIII 2008. LNCS, vol. 5011, pp. 102–117. Springer, Heidelberg (2008) Google Scholar
  59. 59.
    Lauter, K., Montgomery, P.L., Naehrig, M.: An analysis of affine coordinates for pairing computation. In: Joye, M., Miyaji, A., Otsuka, A. (eds.) Pairing 2010. LNCS, vol. 6487, pp. 1–20. Springer, Heidelberg (2010) Google Scholar
  60. 60.
    Lee, E., Lee, H.-S., Park, C.-M.: Efficient and generalized pairing computation on abelian varieties. IEEE Trans. Inf. Theory 55(4), 1793–1803 (2009)CrossRefGoogle Scholar
  61. 61.
    Libert, B., Quisquater. J.-J.: New identity based signcryption schemes from pairings. In: Information Theory Workshop - ITW 2003, pp. 155–158. IEEE (2003)Google Scholar
  62. 62.
    Longa, P.: High-speed elliptic curve and pairing-based cryptography. Ph.D. thesis, University of Waterloo, April 2011Google Scholar
  63. 63.
    Luca, F., Shparlinski, I.E.: Elliptic curves with low embedding degree. J. Cryptology 19(4), 553–562 (2006)CrossRefMATHMathSciNetGoogle Scholar
  64. 64.
    Matsuda, S., Kanayama, N., Hess, F., Okamoto, E.: Optimised versions of the ate and twisted ate pairings. In: Galbraith, S.D. (ed.) Cryptography and Coding 2007. LNCS, vol. 4887, pp. 302–312. Springer, Heidelberg (2007) Google Scholar
  65. 65.
    Menezes, A.J.: Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, Boston (1993)CrossRefMATHGoogle Scholar
  66. 66.
    Menezes, A.J., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theory 39, 1639–1646 (1993)CrossRefMATHMathSciNetGoogle Scholar
  67. 67.
    Miller, V.S.: Short programs for functions on curves. IBM Thomas J. Watson Research Center Report (1986). http://crypto.stanford.edu/miller/miller.pdf
  68. 68.
    Miller, V.S.: The Weil pairing, and its efficient calculation. J. Cryptology 17(4), 235–261 (2004)CrossRefMATHMathSciNetGoogle Scholar
  69. 69.
    Mitsunari, S.: A fast implementation of the optimal ate pairing over BN curve on Intel Haswell processor. Cryptology ePrint Archive, Report 2013/362 (2013). http://eprint.iacr.org/
  70. 70.
    Mitsunari, S., Sakai, R., Kasahara, M.: A new traitor tracing. IEICE Trans. Fundam. E85–A(2), 481–484 (2002)Google Scholar
  71. 71.
    Miyaji, A., Nakabayashi, M., Takano, S.: New explicit conditions of elliptic curve traces for FR-reduction. IEICE Trans. Fundam. E84–A(5), 1234–1243 (2001)Google Scholar
  72. 72.
    Montgomery, P.L.: Modular multiplication without trial division. Math. Comput. 44(170), 519–521 (1985)CrossRefMATHGoogle Scholar
  73. 73.
    Mori, Y., Akagi, S., Nogami, Y., Shirase, M.: Pseudo 8-sparse multiplication for efficient ate-based pairing on Barreto-Naehrig curve. In: Cao, Z., Zhang, F. (eds.) Pairing 2013. LNCS, vol. 8365, pp. 186–198. Springer, Heidelberg (2014) Google Scholar
  74. 74.
    Naehrig, M., Barreto, P.S.L.M., Schwabe, P.: On compressible pairings and their computation. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 371–388. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  75. 75.
    Naehrig, M., Niederhagen, R., Schwabe, P.: New software speed records for cryptographic pairings. In: Abdalla, M., Barreto, P.S.L.M. (eds.) LATINCRYPT 2010. LNCS, vol. 6212, pp. 109–123. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  76. 76.
    Nogami, Y., Akane, M., Sakemi, Y., Kato, H., Morikawa, Y.: Integer variable \(\chi\)–based ate pairing. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 178–191. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  77. 77.
    Okamoto, T., Pointcheval, D.: The gap-problems: a new class of problems for the security of cryptographic schemes. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 104–118. Springer, Heidelberg (2001)Google Scholar
  78. 78.
    Ozturk, E., Guilford, J., Gopal, V.: Large integer squaring on intel architecture processors. Intel white paper (2013)Google Scholar
  79. 79.
    Ozturk, E., Guilford, J., Gopal, V., Feghali, W.: New instructions supporting large integer arithmetic on intel architecture processors. Intel white paper (2012)Google Scholar
  80. 80.
    Pereira, G.C.C.F., Simplício Jr, M.A., Naehrig, M., Barreto, P.S.L.M.: A family of implementation-friendly BN elliptic curves. J. Syst. Softw. 84(8), 1319–1326 (2011)CrossRefGoogle Scholar
  81. 81.
    Pollard, J.M.: Monte Carlo methods for index computation (mod \(p\)). Math. Comput. 32, 918–924 (1978)MATHMathSciNetGoogle Scholar
  82. 82.
    Rubin, K., Silverberg, A.: Supersingular abelian varieties in cryptology. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 336–353. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  83. 83.
    Sakai, R., Kasahara, M.: Cryptosystems based on pairing over elliptic curve. In: Symposium on Cryptography and Information Security - SCIS 2003, pp. 8C-1, January 2003Google Scholar
  84. 84.
    Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing. In: Symposium on Cryptography and Information Security - SCIS 2000, Okinawa, Japan, January 2000Google Scholar
  85. 85.
    Scott, M.: A note on twists for pairing friendly curves (2009). ftp://ftp.computing.dcu.ie/pub/resources/crypto/twists.pdf
  86. 86.
    Scott, M.: On the efficient implementation of pairing-based protocols. In: Chen, L. (ed.) IMACC 2011. LNCS, vol. 7089, pp. 296–308. Springer, Heidelberg (2011) Google Scholar
  87. 87.
    Scott, M.: Unbalancing pairing-based key exchange protocols. Cryptology ePrint Archive, Report 2013/688 (2013). http://eprint.iacr.org/2013/688
  88. 88.
    Scott, M., Barreto, P.S.L.M.: Compressed pairings. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 140–156. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  89. 89.
    Scott, M., Benger, N., Charlemagne, M., Dominguez Perez, L.J., Kachisa, E.J.: On the final exponentiation for calculating pairings on ordinary elliptic curves. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 78–88. Springer, Heidelberg (2009) Google Scholar
  90. 90.
    Shirase, M.: Barreto-Naehrig curve with fixed coefficient. IACR ePrint Archive, report 2010/134 (2010). http://eprint.iacr.org/2010/134
  91. 91.
    Silverman, J.H.: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, vol. 106. Springer, Berlin (1986)MATHGoogle Scholar
  92. 92.
    Urroz, J.J., Luca, F., Shparlinski, I.: On the number of isogeny classes of pairing-friendly elliptic curves and statistics of MNT curves. Math. Comput. 81(278), 1093–1110 (2012)CrossRefMATHGoogle Scholar
  93. 93.
    Vercauteren, F.: Optimal pairings. IEEE Trans. Inf. Theory 56(1), 455–461 (2010)CrossRefMathSciNetGoogle Scholar
  94. 94.
    Weil, A.: Sur les fonctions algébriques à corps de constantes fini. Comptes Rendus de l’Académie des Sciences 210, 592–594 (1940)MathSciNetGoogle Scholar
  95. 95.
    Zavattoni, E., Domínguez-Pérez, L.J., Mitsunari, S., Sánchez, A.H., Teruya, T., Rodríguez-Henríquez, F.: Software implementation of attribute-based encryption (2013). http://sandia.cs.cinvestav.mx/index.php?n=Site.CPABE
  96. 96.
    Zhang, F., Chen, X.: Yet another short signatures without random oracles from bilinear pairings. IACR Cryptology ePrint Archive, report 2005/230 (2005)Google Scholar
  97. 97.
    Zhang, F., Kim, K.: ID-based blind signature and ring signature from pairings. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 533–547. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  98. 98.
    Zhang, F., Safavi-Naini, R., Susilo, W.: An efficient signature scheme from bilinear pairings and its applications. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 277–290. Springer, Heidelberg (2004) Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Diego F. Aranha
    • 1
  • Paulo S. L. M. Barreto
    • 2
  • Patrick Longa
    • 3
  • Jefferson E. Ricardini
    • 2
  1. 1.Department of Computer ScienceUniversity of BrasíliaBrasíliaBrazil
  2. 2.Departamento de Engenharia de Computação e Sistemas DigitaisEscola Politécnica, University of São PauloSão PauloBrazil
  3. 3.Microsoft ResearchOne Microsoft WayRedmondUSA

Personalised recommendations