# The Realm of the Pairings

## Abstract

Bilinear maps, or pairings, initially proposed in a cryptologic context for cryptanalytic purposes, proved afterward to be an amazingly flexible and useful tool for the construction of cryptosystems with unique features. Yet, they are notoriously hard to implement efficiently, so that their effective deployment requires a careful choice of parameters and algorithms. In this paper we review the evolution of pairing-based cryptosystems, the development of efficient algorithms and the state of the art in pairing computation, and the challenges yet to be addressed on the subject, while also presenting some new algorithmic and implementation refinements in affine and projective coordinates.

### Keywords

Pairing-based cryptosystems, efficient algorithms

## 1 Introduction

Bilinear maps, or *pairings*, between the (divisors on the) groups of points of certain algebraic curves over a finite field, particularly the Weil pairing [94] and the Tate (or Tate-Lichtenbaum) pairing [45], have been introduced in a cryptological scope for destructive cryptanalytic purposes, namely, mapping the discrete logarithm problem on those groups to the discrete logarithm problem on the multiplicative group of a certain extension of the base field [46, 66]: while the best generic classical (non-quantum) algorithm for the discrete logarithm problem on the former groups may be exponential, in the latter case subexponential algorithms are known, so that such a mapping may yield a problem that is asymptotically easier to solve.

It turned out, perhaps surprisingly, that these same tools have a much more relevant role in a constructive cryptographic context, as the basis for the definition of cryptosystems with unique properties. This has been shown in the seminal works on identity-based non-interactive authenticated key agreement by Sakai, Ohgishi and Kasahara [84], and on one-round tripartite key agreement by Joux [56], which then led to an explosion of protocols exploring the possibilities of *identity-based cryptography* and many other schemes, with ever more complex features.

All this flexibility comes at a price: pairings are notoriously expensive in implementation complexity and processing time (and/or storage occupation, in a trade-off between time and space requirements). This imposes a very careful choice of algorithms and curves to make them really practical. The pioneering approach by Miller [67, 68] showed that pairings could be computed in polynomial time, but there is a large gap from there to a truly efficient implementation approach.

Indeed, progress in this line of research has not only revealed theoretical bounds on how efficiently a pairing can be computed in the sense of its overall order of complexity [93], but actually the literature has now very detailed approaches on how to attain truly practical, extremely optimized implementations that cover all operations typically found in a pairing-based cryptosystem, rather than just the pairing itself [4, 80]. One can therefore reasonably ask how far this trend can be pushed, and how “notoriously expensive” pairings really are (or even whether they really are as expensive as the folklore pictures them).

**Our Contribution.** In this paper we review the evolution of pairing-based cryptosystems, the development of efficient algorithms for the computation of pairings and the state of the art in the area, and the challenges yet to be addressed on the subject.

Furthermore, we provide some new refinements to the pairing computation in affine and projective coordinates over ordinary curves, perform an up-to-date analysis of the best algorithms for the realization of pairings with special focus on the 128-bit security level and present a very efficient implementation for x64 platforms.

**Organization.** The remainder of this paper is organized as follows. Section 2 introduces essential notions on elliptic curves and bilinear maps for cryptographic applications, including some of the main pairing-based cryptographic protocols and their underlying security assumptions. Section 3 reviews the main proposals for pairing-friendly curves and the fundamental algorithms for their construction and manipulation. In Sect. 4, we describe some optimizations to formulas in affine and projective coordinates, carry out a performance analysis of the best available algorithms and discuss benchmarking results of our high-speed implementation targeting the 128-bit security level on various x64 platforms. We conclude in Sect. 5.

## 2 Preliminary Concepts

Let \(q = p^m\). An *elliptic curve* \(E/\mathbb {F}_q\) is a smooth projective algebraic curve of genus one with at least one point. The affine part satisfies an equation of the form \(E: y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6\) where \(a_i \in \mathbb {F}_q\). Points on \(E\) are affine points \((x, y) \in \mathbb {F}_q^2\) satisfying the curve equation, together with an additional point at infinity, denoted \(\infty \). The set of curve points whose coordinates lie in a particular extension field \(\mathbb {F}_{q^k}\) is denoted \(E(\mathbb {F}_{q^k})\) for \(k > 0\) (note that the \(a_i\) remain in \(\mathbb {F}_q\)). Let \(\#E(\mathbb {F}_q)=n\) and write \(n\) as \(n=q+1-t\); \(t\) is called the trace of the Frobenius endomorphism. By Hasse’s theorem, \(|t| \leqslant 2\sqrt{q}\).

An (additive) Abelian group structure is defined on \(E\) by the well known chord-and-tangent method [91]. The order of a point \(P \in E\) is the least nonzero integer \(r\) such that \([r]P = \infty \), where \([r]P\) is the sum of \(r\) terms equal to \(P\). The order \(r\) of a point divides the curve order \(n\). For a given integer \(r\), the set of all points \(P \in E\) such that \([r]P = \infty \) is denoted \(E[r]\). We say that \(E[r]\) has *embedding degree* \(k\) if \(r \;|\; q^k - 1\) and \(r \not \mid q^s - 1\) for any \(0 < s < k\).

The *complex multiplication* (CM) method [37] constructs an elliptic curve with a given number of points \(n\) over a given finite field \(\mathbb {F}_q\) as long as \(n = q + 1 - t\) as required by the Hasse bound, and the norm equation \(DV^2 = 4q - t^2\) can be solved for “small” values of the discriminant \(D\), from which the \(j\)-invariant of the curve (which is a function of the coefficients of the curve equation) can be computed, and the curve equation is finally given by \(y^2 = x^3 + b\) (for certain values of \(b\)) when \(j = 0\), by \(y^2 = x^3 + ax\) (for certain values of \(a\)) when \(j = 1728\), and by \(y^2 = x^3 - 3cx + 2c\) with \(c := j/(j - 1728)\) when \(j \not \in \{0, 1728\}\).

A *divisor* is a finite formal sum \(\mathcal {A} = \sum _P{a_P(P)}\) of points on the curve \(E(\mathbb {F}_{q^k})\). An Abelian group structure is defined on the set of divisors by the addition of corresponding coefficients in their formal sums; in particular, \(n\mathcal {A} = \sum _P{(n \, a_P)(P)}\). The *degree* of a divisor \(\mathcal {A}\) is the sum \(\deg (\mathcal {A}) = \sum _P{a_P}\). Let \(f: E(\mathbb {F}_{q^k}) \rightarrow \mathbb {F}_{q^k}\) be a function on the curve. We define \(f(\mathcal {A}) \equiv \prod _P{f(P)^{a_P}}\). Let \({{\mathrm{ord}}}_P(f)\) denote the multiplicity of the zero or pole of \(f\) at \(P\) (if \(f\) has no zero or pole at \(P\), then \({{\mathrm{ord}}}_P(f) = 0\)). The divisor of \(f\) is \((f) := \sum _P{{{\mathrm{ord}}}_P(f)(P)}\). A divisor \(\mathcal {A}\) is called *principal* if \(\mathcal {A} = (f)\) for some function \(f\). A divisor \(\mathcal {A}\) is principal if and only if \(\deg (\mathcal {A}) = 0\) and \(\sum _P{a_P P} = \infty \) [65, theorem 2.25]. Two divisors \(\mathcal {A}\) and \(\mathcal {B}\) are *equivalent*, \(\mathcal {A} \sim \mathcal {B}\), if their difference \(\mathcal {A} - \mathcal {B}\) is a principal divisor. Let \(P \in E(\mathbb {F}_q)[r]\) where \(r\) is coprime to \(q\), and let \(\mathcal {A}_P\) be a divisor equivalent to \((P) - (\infty )\); under these circumstances the divisor \(r\mathcal {A}_P\) is principal, and hence there is a function \(f_P\) such that \((f_P) = r\mathcal {A}_P = r(P) - r(\infty )\).

Given three groups \(\mathbb {G}_1\), \(\mathbb {G}_2\), and \(\mathbb {G}_T\) of the same prime order \(n\), a *pairing* is a feasibly computable, non-degenerate bilinear map \(e: \mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T\). The groups \(\mathbb {G}_1\) and \(\mathbb {G}_2\) are commonly (in the so-called *Type III* pairing setting) determined by the eigenspaces of the Frobenius endomorphism \(\phi _q\) on some elliptic curve \(E/\mathbb {F}_q\) of embedding degree \(k>1\). More precisely, \(\mathbb {G}_1\) is taken to be the 1-eigenspace \(E[n] \cap \ker (\phi _q - [1]) = E(\mathbb {F}_q)[n]\). The group \(\mathbb {G}_2\) is usually taken to be the preimage \(E'(\mathbb {F}_{q^g})[n]\) of the \(q\)-eigenspace \(E[n] \cap \ker (\phi _q - [q]) \subseteq E(\mathbb {F}_{q^k})[n]\) under a twisting isomorphism \(\psi : E' \rightarrow E\), \((x, y) \mapsto (\mu ^2 x, \mu ^3 y)\) for some \(\mu \in \mathbb {F}_{q^k}^*\). In particular, \(g = k/d\) where the curve \(E'/\mathbb {F}_{q^g}\) is the unique twist of \(E\) with largest possible twist degree \(d \mid k\) for which \(n\) divides \(\#E'(\mathbb {F}_{q^g})\) (see [55] for details). This means that \(g\) is as small as possible.

A Miller function \(f_{i,P}\) is a function with divisor \((f_{i,P}) = i(P) - ([i]P) - (i-1)(\infty )\). Miller functions are at the root of most if not all pairings proposed for cryptographic purposes, which in turn induce efficient algorithms derived from Miller’s algorithm [67, 68]. A Miller function satisfies \(f_{a+b,P}(Q) = f_{a,P}(Q) \cdot f_{b,P}(Q) \cdot g_{[a]P,[b]P}(Q) / g_{[a+b]P}(Q)\) up to a constant nonzero factor in \(\mathbb {F}_q\), for all \(a, b \in \mathbb {Z}\), where the so-called line functions \(g_{[a]P,[b]P}\) and \(g_{[a+b]P}\) satisfy \((g_{[a]P,[b]P}) = ([a]P) + ([b]P) + (-[a+b]P) - 3(\infty )\), \((g_{[a+b]P}) = ([a+b]P) + (-[a+b]P) - 2(\infty )\). The advantage of Miller functions with respect to elliptic curve arithmetic is now clear, since with these relations the line functions, and hence the Miller functions themselves, can be efficiently computed as a side result during the computation of \([n]P\) by means of the usual chord-and-tangent method.

### 2.1 Protocols and Assumptions

As an illustration of the enormous flexibility that pairings bring to the construction of cryptographic protocols, we present a (necessarily incomplete) list of known schemes according to their overall category.

Foremost among pairing-based schemes are the identity-based cryptosystems. These include plain encryption [17], digital signatures [24, 83], (authenticated) key agreement [25], chameleon hashing [27], and hierarchical extensions thereof with or without random oracles [22, 51].

Other pairing-based schemes are not identity-based but feature special functionalities like secret handshakes [5], short/aggregate/verifiably encrypted/ group/ring/blind signatures [19, 20, 26, 97, 98] and signcryption [9, 21, 61].

Some of the assumptions underlying these schemes are the following.

- \(\mathsf {q}\)-Strong Diffie-Hellman (\(\mathsf {q}\)-SDH) [16] and many related assumptions (like the Inverse Computational Diffie-Hellman (Inv-CDH), the Square Computational Diffie-Hellman (Squ-CDH), the Bilinear Inverse Diffie-Hellman (BIDH), and the Bilinear Square Diffie-Hellman (BSDH) assumptions [98]): *Given a \((\mathsf {q}+2)\)-tuple \((g_1,g_2, g_2^x, \dots , g_2^{x^\mathsf {q}}) \in \mathbb {G}_1 \times \mathbb {G}_2^{\mathsf {q}+1}\) as input, compute a pair \((c, g_1^{1/(x+c)}) \in \mathbb {Z}/n\mathbb {Z}\times \mathbb {G}_1\).*
- Decision Bilinear Diffie-Hellman (DBDH) [18] and related assumptions (like the \(k\)-BDH assumption [14]): *Given generators \(g_1\) and \(g_2\) of \(\mathbb {G}_1\) and \(\mathbb {G}_2\) respectively, and given \(g_1^a\), \(g_1^b\), \(g_1^c\), \(g_2^a\), \(g_2^b\), \(g_2^c\), \(e(g_1,g_2)^z\), determine whether \(e(g_1,g_2)^{abc} = e(g_1,g_2)^z\).*
- Gap Diffie-Hellman (GDH) assumption [77]: *Given \((g, g^a, g^b) \in \mathbb {G}^3\) for a group \(\mathbb {G}\) equipped with an oracle for deciding whether \(g^{ab} = g^c\) for any given \(g^c \in \mathbb {G}\), find \(g^{ab}\).*
- \((k + 1)\) Exponent Function meta-assumption: *Given a function \(f: \mathbb {Z}/n\mathbb {Z}\rightarrow \mathbb {Z}/n\mathbb {Z}\) and a sequence \((g, g^a, g^{f(h_1+a)}, \dots , g^{f(h_k+a)}) \in \mathbb {G}_1^{k+2}\) for some \(a\), \(h_1, \dots , h_k \in \mathbb {Z}/n\mathbb {Z}\), compute \(g^{f(h+a)}\) for some \(h \notin \{h_1, \dots , h_k\}\).*

Also, not all of these assumptions are entirely satisfactory from the point of view of their relation to the computational complexity of the more fundamental discrete logarithm problem. In particular, the Cheon attack [28, 29] showed that, contrary to most discrete-logarithm style assumptions, which usually claim a practical security level of \(2^\lambda \) for \(2\lambda \)-bit keys due to e.g. the Pollard-\(\rho \) attack [81], the \(\mathsf {q}\)-SDH assumption may need \(3\lambda \)-bit keys to attain that security level, depending on the choice of \(\mathsf {q}\).

## 3 Curves and Algorithms

### 3.1 Supersingular Curves

Early proposals to obtain efficient pairings invoked the adoption of supersingular curves [40, 49, 82], which led to the highly efficient concept of \(\eta \) pairings [7] over fields of small characteristic. This setting enables the so-called Type I pairings, which are defined with both arguments from the same group [50] and facilitates the description of many protocols and the construction of formal security proofs. Unfortunately, recent developments bring that approach into question, since discrete logarithms in the multiplicative groups of the associated extension fields have proven far easier to compute than anticipated [6].

Certain ordinary curves, on the other hand, are not known to be susceptible to that line of attack, and also yield very efficient algorithms, as we will see next.

### 3.2 Generic Constructions

The Cocks-Pinch construction [32] enables the construction of elliptic curves over \(\mathbb {F}_q\) containing a pairing-friendly group of order \(n\) with \(\lg (q)/\lg (n) \approx 2\).

The Dupont-Enge-Morain strategy [39] is similarly generic in the sense of its embedding degree flexibility by maximizing the trace of the Frobenius endomorphism. Like the Cocks-Pinch method, it only attains \(\lg (q)/\lg (n) \approx 2\).

### 3.3 Sparse Families of Curves

Certain families of curves may be obtained by parameterizing the norm equation \(4q - t^2 = 4hn - (t - 2)^2 = DV^2\) with polynomials \(q(u)\), \(t(u)\), \(h(u)\), \(n(u)\), then choosing \(t(u)\) and \(h(u)\) according to some criteria (for instance, setting \(h(u)\) to be some small constant polynomial yields near-prime order curves), and directly finding integer solutions (in \(u\) and \(V\)) to the result. In practice this involves a clever mapping of the norm equation into a Pell-like equation, whose solutions lead to actual curve equations via complex multiplication (CM).

The only drawback they present is the relative rarity of suitable curves (the only embedding degrees that are known to yield solutions are \(k \in \{3, 4, 6, 10\}\), and the size of the integer solutions \(u\) grows exponentially), especially those with prime order. Historically, sparse families are divided into Miyaji-Nakabayashi-Takano (MNT) curves and Freeman curves.

MNT curves were the first publicly known construction of ordinary pairing-friendly curves [71]. Given their limited range of admissible embedding degrees (namely, \(k \in \{3, 4, 6\}\)), the apparent finiteness of MNT curves of prime order [58, 63, 92], and efficiency considerations (see e.g. [44]), MNT curves are less useful for higher security levels (say, from about \(2^{112}\) onward).

Freeman curves [43], with embedding degree \(k = 10\), are far rarer and suffer more acutely from the fact that the nonexistence of a twist of degree higher than quadratic forces its \(\mathbb {G}_2\) group to be defined over \(\mathbb {F}_{q^5}\). Besides, this quintic extension cannot be constructed using a binomial representation.

### 3.4 Complete Families of Curves

Instead of trying to solve the partially parameterized norm equation \(4h(u)n(u) - (t(u) - 2)^2 = DV^2\) for \(u\) and \(V\) directly as for the sparse families of curves, one can also parameterize \(V = V(u)\) as well. Solutions may exist if the parameters can be further constrained, which is usually done by considering the properties of the number field \(\mathbb {Q}[u]/n(u)\), specifically by requiring that it contains a \(k\)-th root of unity where \(k\) is the desired embedding degree. Choosing \(n(u)\) to be a cyclotomic polynomial \(\varPhi _\ell (u)\) with \(k \mid \ell \) yields the suitably named cyclotomic family of curves [10, 11, 23, 44], which enable a reasonably small ratio \(\rho := \lg (q)/\lg (n)\) (e.g. \(\rho = (k+1)/(k-1)\) for prime \(k \equiv 3 \pmod {4}\)).

Yet, there is one other family of curves that attain \(\rho \approx 1\), namely, the Barreto-Naehrig (BN) curves [12]. BN curves arguably constitute one of the most versatile classes of pairing-friendly elliptic curves. A BN curve is an elliptic curve \(E_u: y^2 = x^3 + b\) defined over a finite prime field \(\mathbb {F}_p\) of (typically prime) order \(n\), where \(p\) and \(n\) are given by \(p = p(u) = 36u^4 + 36u^3 + 24u^2 + 6u + 1\) and \(n = n(u) = 36u^4 + 36u^3 + 18u^2 + 6u + 1\) (hence \(t = t(u) = 6u^2 + 1\)) for \(u \in \mathbb {Z}\). One can check by straightforward inspection that \(\varPhi _{12}(t(u) - 1) = n(u) n(-u)\), hence \(\varPhi _{12}(p(u)) \equiv \varPhi _{12}(t(u) - 1) \equiv 0 \pmod {n(u)}\), so the group of order \(n(u)\) has embedding degree \(k = 12\).

BN curves also have \(j\)-invariant 0, so there is no need to resort explicitly to the CM curve construction method: all one has to do is choose an integer \(u\) of suitable size such that \(p\) and \(n\) as given by the above polynomials are prime. To find a corresponding curve, one chooses \(b \in \mathbb {F}_p\) among the six possible classes so that the curve \(E: y^2 = x^3 + b\) has order \(n\).

Furthermore, BN curves admit a sextic twist (\(d=6\)), so that one can set \(\mathbb {G}_2 = E'(\mathbb {F}_{p^2})[n]\). This twist \(E'/\mathbb {F}_{p^2}\) may be selected by finding a non-square and non-cube \(\xi \in \mathbb {F}_{p^2}\) and then checking via scalar multiplication whether the curve \(E': y^2 = x^3 + b'\) given by \(b' = b/\xi \) or by \(b' = b/\xi ^5\) has order divisible by \(n\). However, construction methods are known that dispense with such a procedure, yielding the correct curve and its twist directly [80]. For convenience, following [85] we call the twist \(E': y^2 = x^3 + b/\xi \) a \(D\)-type twist, and we call the twist \(E': y^2 = x^3 + b\xi \) an \(M\)-type twist.
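The BN construction of Section 3.4 reduces to picking one integer \(u\) and one coefficient \(b\); the following added example (not code from the paper or its authors) generates \(p(u)\), \(n(u)\), \(t(u)\) from \(u\), vets them (primality, Hasse bound, embedding degree exactly 12 via \(\varPhi_{12}\)) and confirms that \(y^2 = x^3 + b\) has order \(n\) by a single scalar multiplication. The primality test, the point search and the Hasse-interval argument are the example's own choices; the square root used to find a point assumes \(p \equiv 3 \pmod 4\), which holds for odd \(u\).

```python
# Added example (not the paper's code): generating and checking BN curve
# parameters from a single integer u, following Section 3.4.
import random

def bn_params(u):
    """(p, n, t) for the BN parameterisation p(u), n(u), t(u)."""
    p = 36 * u**4 + 36 * u**3 + 24 * u**2 + 6 * u + 1
    n = 36 * u**4 + 36 * u**3 + 18 * u**2 + 6 * u + 1
    t = 6 * u**2 + 1
    return p, n, t

def is_probable_prime(m, rounds=40):
    """Miller-Rabin with a fixed seed (reproducible; adequate for vetting parameters)."""
    if m < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if m % s == 0:
            return m == s
    d, r = m - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, m - 1), d, m)
        if x in (1, m - 1):
            continue
        for _ in range(r - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False
    return True

def embedding_degree(p, n, kmax=12):
    """Smallest s > 0 with n | p^s - 1, or None if no such s <= kmax exists."""
    for s in range(1, kmax + 1):
        if pow(p, s, n) == 1:
            return s
    return None

# Chord-and-tangent arithmetic on y^2 = x^3 + b over F_p (affine; None = infinity).
def ec_add(P, Q, p):
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p    # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P, p):
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(R, R, p)
        if bit == '1':
            R = ec_add(R, P, p)
    return R

def find_point(p, b, tries=1000):
    """First affine point on y^2 = x^3 + b with small x; assumes p = 3 (mod 4) for the root."""
    assert p % 4 == 3
    for x in range(1, tries):
        rhs = (x**3 + b) % p
        y = pow(rhs, (p + 1) // 4, p)
        if y * y % p == rhs:
            return (x, y)
    return None

def check_bn_curve(u, b):
    """Checks that (u, b) gives a prime-order BN curve E: y^2 = x^3 + b with k = 12."""
    p, n, t = bn_params(u)
    checks = {
        'p_prime': is_probable_prime(p),
        'n_prime': is_probable_prime(n),
        'hasse': n == p + 1 - t and t * t <= 4 * p,
        # Phi_12(x) = x^4 - x^2 + 1 vanishes at p modulo n, and no smaller s works
        'k_is_12': (p**4 - p**2 + 1) % n == 0 and embedding_degree(p, n) == 12,
    }
    # n is prime and larger than the width 4*sqrt(p) of the Hasse interval, so a
    # single affine point P with [n]P = infinity already forces #E(F_p) = n.
    P = find_point(p, b)
    checks['order_n'] = P is not None and ec_mul(n, P, p) is None
    return checks
```

With the parameters \(u = -(2^{62} + 2^{55} + 1)\), \(b = 2\) adopted in Section 4.4, every check passes; the toy values in the test show the embedding-degree routine on a small field.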

### 3.5 Holistic Families

Early works targeting specifically curves that have some efficiency advantage have focused on only one or a few implementation aspects, notably the pairing computation itself [13, 15, 38, 90].

More modern approaches tend to consider most if not all efficiency aspects that arise in pairing-based schemes [34, 36, 80]. This means that curves of those families tend to support not only fast pairing computation, but efficient finite field arithmetic for all fields involved, curve construction, generator construction for both \(\mathbb {G}_1\) and \(\mathbb {G}_2\), multiplication by a scalar in both \(\mathbb {G}_1\) and \(\mathbb {G}_2\), point sampling, hashing to the curve [42], and potentially other operations as well.

Curiously enough, there is not a great deal of diversity among the most promising such families, which comprise essentially only BN curves, BLS curves [10], and KSS curves [57].

### 3.6 Efficient Algorithms

Ordinary curves with small embedding degree also come equipped with efficient pairing algorithms, which tend to be variants of the Tate pairing [8, 48, 55, 60, 76] (although some fall back to the Weil pairing while remaining fairly efficient [94]). In particular, one now knows concrete practical limits to how efficient a pairing can be, in the form of the so-called optimal pairings [93].

Weil pairing: \(w(P,Q) := (-1)^n f_{n,P}(Q)/f_{n,Q}(P)\).

Tate pairing: \(\tau (P,Q) := f_{n,P}(Q)^z\).

Eta pairing [7] (called the twisted Ate pairing when defined over an ordinary curve): \(\eta (P,Q) := f_{\lambda ,P}(Q)^z\) where \(\lambda ^d \equiv 1 \pmod {n}\).

Ate pairing [55]: \(a(P,Q) := f_{t - 1,Q}(P)^z\), where \(t\) is the trace of the Frobenius.

Optimized Ate and twisted Ate pairings [64]: \(a_c(P,Q) := f_{(t - 1)^c \mod n,Q}(P)^z\), \(\eta _c(P,Q) := f_{\lambda ^c \mod n,P}(Q)^z\), for some \(0 < c < k\).

Optimal Ate pairing [93]: \(a_{\mathrm {opt}}(P,Q) := f_{\ell ,Q}(P)^z\) for a certain \(\ell \) such that \(\lg \ell \approx (\lg n)/\varphi (k)\).

*per se* [89]. In particular, for a BN curve with parameter \(u\) there exists an optimal Ate pairing with loop length \(\ell = |6u + 2|\).
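To make the Miller-function relation of Section 2 and the Tate pairing definition above concrete, here is an added example (not code from the paper) that runs Miller's loop with the line functions \(g_{T,T}\), \(g_{T,P}\) and \(g_{[a+b]P}\) on a constructed toy supersingular curve \(y^2 = x^3 + x\) over \(\mathbb{F}_{43}\) (subgroup order \(n = 11\), embedding degree \(k = 2\)) and applies the exponent \(z = (p^k - 1)/n\). The distortion map \(\psi(x,y) = (-x, iy)\) used to obtain the second argument, and the parameters themselves, are the example's own choices; the point is to see bilinearity and non-degeneracy come out of the formulas.

```python
# Added example (not the paper's code): Miller's algorithm and the reduced Tate
# pairing tau(P, Q) = f_{n,P}(Q)^z on a constructed toy curve small enough to check
# by hand: E: y^2 = x^3 + x over F_43, #E(F_43) = 44, subgroup order n = 11,
# embedding degree k = 2 (11 | 43^2 - 1 but 11 does not divide 43 - 1).
P_MOD, N_ORD, K_EMB = 43, 11, 2

# F_{p^2} = F_p[i]/(i^2 + 1), valid since 43 = 3 (mod 4); elements are (a, b) = a + b*i.
def f2(a):          return (a % P_MOD, 0)
def f2_add(x, y):   return ((x[0] + y[0]) % P_MOD, (x[1] + y[1]) % P_MOD)
def f2_sub(x, y):   return ((x[0] - y[0]) % P_MOD, (x[1] - y[1]) % P_MOD)
def f2_mul(x, y):
    (a, b), (c, d) = x, y
    return ((a * c - b * d) % P_MOD, (a * d + b * c) % P_MOD)
def f2_inv(x):
    a, b = x
    nrm = pow(a * a + b * b, -1, P_MOD)      # the norm lies in F_p and is nonzero for x != 0
    return (a * nrm % P_MOD, -b * nrm % P_MOD)
def f2_pow(x, e):
    r = (1, 0)
    for bit in bin(e)[2:]:
        r = f2_mul(r, r)
        if bit == '1':
            r = f2_mul(r, x)
    return r

# Chord-and-tangent arithmetic on E over F_{p^2}; None is the point at infinity.
def slope(T, U):
    """Slope of the line through T and U (the tangent when T == U); None if vertical."""
    (x1, y1), (x2, y2) = T, U
    if x1 == x2:
        if f2_add(y1, y2) == (0, 0):
            return None
        num = f2_add(f2_mul(f2(3), f2_mul(x1, x1)), f2(1))   # 3x^2 + a, a = 1
        return f2_mul(num, f2_inv(f2_mul(f2(2), y1)))
    return f2_mul(f2_sub(y2, y1), f2_inv(f2_sub(x2, x1)))

def ec_add(T, U):
    if T is None: return U
    if U is None: return T
    lam = slope(T, U)
    if lam is None: return None
    x3 = f2_sub(f2_sub(f2_mul(lam, lam), T[0]), U[0])
    return (x3, f2_sub(f2_mul(lam, f2_sub(T[0], x3)), T[1]))

def ec_mul(k, T):
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == '1':
            R = ec_add(R, T)
    return R

def line(T, U, Q):
    """g_{T,U}(Q): line through T and U at Q, divisor (T) + (U) + (-T-U) - 3(inf)."""
    lam = slope(T, U)
    if lam is None:                          # vertical line x - x_T
        return f2_sub(Q[0], T[0])
    return f2_sub(f2_sub(Q[1], T[1]), f2_mul(lam, f2_sub(Q[0], T[0])))

def vline(V, Q):
    """g_V(Q): vertical line through V at Q, divisor (V) + (-V) - 2(inf); 1 if V = inf."""
    return f2(1) if V is None else f2_sub(Q[0], V[0])

def miller(P, Q, n):
    """f_{n,P}(Q) by Miller's loop, using f_{a+b} = f_a f_b g_{[a]P,[b]P} / g_{[a+b]P}."""
    num, den, T = f2(1), f2(1), P
    for bit in bin(n)[3:]:                   # bits of n after the leading one
        num = f2_mul(f2_mul(num, num), line(T, T, Q))
        T = ec_add(T, T)
        den = f2_mul(f2_mul(den, den), vline(T, Q))
        if bit == '1':
            num = f2_mul(num, line(T, P, Q))
            T = ec_add(T, P)
            den = f2_mul(den, vline(T, Q))
    return f2_mul(num, f2_inv(den))

def tate(P, Q):
    """Reduced Tate pairing tau(P, Q) = f_{n,P}(Q)^z with z = (p^k - 1)/n, a value in mu_n."""
    return f2_pow(miller(P, Q, N_ORD), (P_MOD ** K_EMB - 1) // N_ORD)

def distortion(P):
    """psi(x, y) = (-x, i*y) maps E(F_p)[n] to n-torsion points outside E(F_p)."""
    return (f2_sub((0, 0), P[0]), f2_mul((0, 1), P[1]))

def order_n_point():
    """A point of order n = 11: [4]R for the first R in E(F_43) with [4]R != infinity."""
    for x in range(1, P_MOD):
        rhs = (x ** 3 + x) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)   # square root when p = 3 (mod 4)
        if y * y % P_MOD == rhs:
            R = ec_mul(4, (f2(x), f2(y)))
            if R is not None:
                return R
    return None
```

Evaluating \(f_{n,P}\) at a multiple of \(P\) itself hits a zero of an intermediate line, which is why the second argument is taken outside \(\langle P\rangle\) via the distortion map.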

A clear trend in recent works has been to attain exceptional performance gains by limiting the allowed curves to a certain subset, sometimes to a single curve at a useful security level [4, 15, 75, 80]. In the next section, we discuss aspects pertaining to such implementations.

## 4 Implementation Aspects

The optimal Ate pairing on BN curves has been the focus of intense implementation research in the last few years. Most remarkably, beginning in 2008, a series of works, each building on top of the preceding one, improved the practical performance on Intel 64-bit platforms [15, 54, 75]. This effort reached its pinnacle in 2011, when Aranha et al. [4] reported an implementation running in about half a millisecond (see also [62]). Since then, performance of efficient software implementations has mostly stabilized, but some aspects of pairing computation continuously improved through the availability of new techniques [47], processor architecture revisions and instruction set refinements [79]. In this section, we revisit the problem of efficient pairing computation working on top of the implementation presented in [4], to explore these latest advances and provide new performance figures. Our updated implementation achieves high performance on a variety of modern 64-bit computing platforms, including both relatively old processors and the latest microarchitectures.

### 4.1 Pairing Algorithm

### 4.2 Field Arithmetic

Prime fields involved in pairing computation in the asymmetric setting are commonly represented with dense moduli, resulting from the parameterized curve constructions. While the particular structure of the prime modulus has been successfully exploited for performance optimization in both software [75] and hardware [41], current software implementations rely on the standard Montgomery reduction [72] and state-of-the-art hardware implementations on the parallelization capabilities of the Residue Number System [30].

Arithmetic in the base field is usually implemented in carefully scheduled Assembly code, but the small number of words required to represent a 256-bit prime field element in a 64-bit processor encourages the use of Assembly directly in the quadratic extension field, to avoid penalties related to frequent function calls [15]. Multiplication and reduction in \(\mathbb {F}_p\) are implemented through a Comba strategy [33], but a Schoolbook approach is favored in recent Intel processors, due to the availability of the carry-preserving multiplication instruction mulx, allowing delayed handling of carries [79]. Future processors will allow similar speedups on the Comba-based multiplication and Montgomery reduction routines by carry-preserving addition instructions [78].

Divide-and-conquer approaches are used only for multiplication in \(\mathbb {F}_{p^{2}}\), \(\mathbb {F}_{p^{6}}\) and \(\mathbb {F}_{p^{12}}\), because Karatsuba is typically more efficient over extension fields, since additions are relatively inexpensive in comparison with multiplication. The full details of the formulas that we use in our implementation of extension field arithmetic can be found in [4], including the opportunities for reducing the number of Montgomery reductions via lazy reduction. The case of squaring is relatively more complex. We use the complex squaring in \(\mathbb {F}_{p^{2}}\) and, for \(\mathbb {F}_{p^{6}}\) and \(\mathbb {F}_{p^{12}}\), we employ the faster Chung-Hasan asymmetric SQR3 formula [31]. The sparseness of the line functions motivates the implementation of specialized multiplication routines for accumulating the line function into the Miller variable \(f\) (*sparse* multiplication) or for multiplying line functions together (*sparser* multiplication). For sparse multiplication over \(\mathbb {F}_{p^6}\) and \(\mathbb {F}_{p^{12}}\), we use the formulas proposed by Grewal et al. (see Algorithms 5 and 6 in [53]). Faster formulas for sparser multiplication can be trivially obtained by adapting the sparse multiplication formula to remove operations involving the missing subfield elements.

In the following, we closely follow notation for operation costs from [4]. Let \(m,s,a,i\) denote the cost of multiplication, squaring, addition and inversion in \(\mathbb {F}_p\), respectively; \(\tilde{m}, \tilde{s}, \tilde{a}, \tilde{\imath }\) denote the cost of multiplication, squaring, addition and inversion in \(\mathbb {F}_{p^{2}}\), respectively; \(m_u,s_u,r\) denote the cost of unreduced multiplication and squaring producing double-precision results, and modular reduction of double-precision integers, respectively; \(\tilde{m}_u,\tilde{s}_u,\tilde{r}\) denote the cost of unreduced multiplication and squaring, and modular reduction of double-precision elements in \(\mathbb {F}_{p^{2}}\), respectively. To simplify the operation count, we consider the cost of field subtraction, negation and division by two equivalent to that of field addition. Also, one double-precision addition is considered equivalent to the cost of two single-precision additions.

### 4.3 Curve Arithmetic

Pairings can be computed over elliptic curves represented in any coordinate system, but popular choices have been homogeneous projective and affine coordinates, depending on the ratio between inversion and multiplication. Jacobian coordinates were initially explored in a few implementations [15, 75], but ended up superseded by homogeneous coordinates because of their superior efficiency [35]. Point doublings and their corresponding line evaluations usually dominate the cost of the Miller loop, since efficient parameters tend to minimize the Hamming weight of the Miller variable \(\ell \) and the resulting number of point additions. Below, we review and slightly refine the best formulas available for the curve arithmetic involved in pairing computation on affine and homogeneous projective coordinates.

**Affine Coordinates.** The choice of affine coordinates has proven more useful at higher security levels and embedding degrees, due to the action of the norm map on simplifying the computation of inverses at higher extensions [59, 86]. The main advantages of affine coordinates are the simplicity of implementation and format of the line functions, allowing faster accumulation inside the Miller loop if the additional sparsity is exploited. If \(T = (x_1,y_1)\) is a point in \(E'(\mathbb {F}_{p^{2}})\), one can compute the point \(2T := T + T\) with the following formula [53]:

**Homogeneous Projective Coordinates.** The choice of projective coordinates has proven especially advantageous at the 128-bit security level for single pairing computation, due to the typically large inversion/multiplication ratio in this setting. If \(T = (X_1,Y_1,Z_1) \in E'(\mathbb {F}_{p^{2}})\) is a point in homogeneous coordinates, one can compute the point \(2T = (X_3,Y_3,Z_3)\) with the following formula [4]:

### 4.4 Operation Count

Computational cost for arithmetic required by Miller’s Algorithm.

| \(E'(\mathbb {F}_{p^{2}})\)-Arithmetic | Operation count |
|---|---|
| Precomp. (Affine) | \(i + m + a\) |
| Precomp. (Proj) | \(4a\) |
| Dbl./Eval. (Affine) | \(3\tilde{m} + 2\tilde{s} + 7\tilde{a} + \tilde{\imath } + 4m\) |
| Add./Eval. (Affine) | \(3\tilde{m} + \tilde{s} + 6\tilde{a} + \tilde{\imath } + 4m\) |
| Dbl./Eval. (Proj) | \(3\tilde{m}_u + 6\tilde{s}_u + 8\tilde{r} + 19\tilde{a} + 4m\) |
| Add./Eval. (Proj) | \(11\tilde{m}_u + 2\tilde{s}_u + 11\tilde{r} + 10\tilde{a} + 4m\) |
| \(p\)-power Frobenius | \(2\tilde{m} + 2a\) |
| \(p^2\)-power Frobenius | \(2m + \tilde{a}\) |
| Negation | \(\tilde{a}\) |

| \(\mathbb {F}_{p^{2}}\)-Arithmetic | Operation count |
|---|---|
| Add./Sub./Neg. | \(\tilde{a} = 2a\) |
| Conjugation | \(a\) |
| Multiplication | \(\tilde{m} = \tilde{m}_u + \tilde{r} = 3m_u + 2r + 8a\) |
| Squaring | \(\tilde{s} = \tilde{s}_u + \tilde{r} = 2m_u + 2r + 3a\) |
| Multiplication by \(\beta \) | \(a\) |
| Multiplication by \(\xi \) | \(2a\) |
| Inversion | \(\tilde{\imath } = i + 2s_u + 2m_u + 2r + 3a\) |

| \(\mathbb {F}_{p^{12}}\)-Arithmetic | Operation count |
|---|---|
| Add./Sub. | \(6\tilde{a}\) |
| Conjugation | \(3\tilde{a}\) |
| Multiplication | \(18\tilde{m}_u + 6\tilde{r} + 110\tilde{a}\) |
| Sparse Mult. (Affine) | \(10\tilde{m}_u + 6\tilde{r} + 31\tilde{a}\) |
| Sparser Mult. (Affine) | \(5\tilde{m}_u + 3\tilde{r} + 13\tilde{a}\) |
| Sparse Mult. (Proj) | \(13\tilde{m}_u + 6\tilde{r} + 48\tilde{a}\) |
| Sparser Mult. (Proj) | \(6\tilde{m}_u + 5\tilde{r} + 22\tilde{a}\) |
| Squaring | \(3\tilde{m}_u + 12\tilde{s}_u + 6\tilde{r} + 93\tilde{a}\) |
| Cyc. Squaring | \(9\tilde{s}_u + 6\tilde{r} + 46\tilde{a}\) |
| Comp. Squaring | \(6\tilde{s}_u + 4\tilde{r} + 31\tilde{a}\) |
| Simult. Decomp. | \(9\tilde{m} + 6\tilde{s} + 22\tilde{a} + \tilde{\imath }\) |
| \(p\)-power Frobenius | \(5\tilde{m} + 6a\) |
| \(p^2\)-power Frobenius | \(10m + 2\tilde{a}\) |
| \(p^3\)-power Frobenius | \(5\tilde{m} + 2\tilde{a} + 6a\) |
| Inversion | \(23\tilde{m}_u + 11\tilde{s}_u + 16\tilde{r} + 129\tilde{a} + \tilde{\imath }\) |

**Miller Loop.** Sophisticated pairing-based protocols may impose additional restrictions on the parameter choice along with some performance penalty, for example requiring the cofactor of the \(\mathbb {G}_T\) group to be a large prime number [87]. For efficiency and a fair comparison with related works, we adopt the parameters \(\beta \), \(\xi \), \(b = 2\), \(u = -(2^{62} + 2^{55} + 1)\) from [80]. For this set of parameters, the Miller loop in Algorithm 1 and the final line evaluations execute some amount of precomputation for accelerating the curve arithmetic formulas, 64 point doublings with line evaluations and 6 point additions with line evaluations; a single \(p\)-power Frobenius, a single \(p^2\)-power Frobenius and 2 negations in \(E'(\mathbb {F}_{p^{2}})\); and 66 sparse accumulations in the Miller variable, 2 sparser multiplications, 1 multiplication, 1 conjugation and 63 squarings in \(\mathbb {F}_{p^{12}}\). The corresponding costs in affine and homogeneous projective coordinates are, respectively:

**Final Exponentiation.** For computing the final exponentiation, we employ the state-of-the-art approach by [47] in the context of BN curves. As initially proposed by [89], the power \(\frac{p^{12} - 1}{n}\) is factored into the easy exponent \((p^6 - 1)(p^2 + 1)\) and the hard exponent \(\frac{p^4 - p^2 + 1}{n}\). The easy power is computed by a short sequence of multiplications, conjugations, fast applications of the Frobenius map [15] and a single inversion in \(\mathbb {F}_{p^{12}}\). The hard power is computed in the cyclotomic subgroup, where additional algebraic structure allows elements to be compressed and squared consecutively in their compressed form, with decompression required only when performing multiplications [4, 74, 88].

### 4.5 Results and Discussion

Comparison between implementations based on affine and projective coordinates on 64-bit architectures. Timings are presented in \(10^3\) clock cycles and were collected as the average of \(10^4\) repetitions of the same operation. Target platforms are AMD Phenom II (P II) and Intel Nehalem (N), Sandy Bridge (SB), Ivy Bridge (IB) and Haswell (H), the latter with or without support for the mulx instruction.

Operation \ Platform | N | P II | SB | IB | H | H+mulx |
---|---|---|---|---|---|---|
Affine Miller loop | 1,680 | 1,341 | 1,365 | 1,315 | 1,259 | 1,212 |
Projective Miller loop | 1,170 | 862 | 856 | 798 | 721 | 704 |
Final exponentiation | 745 | 557 | 572 | 537 | 492 | 473 |
Affine pairing | 2,425 | 1,898 | 1,937 | 1,852 | 1,751 | 1,685 |
Projective pairing | 1,915 | 1,419 | 1,428 | 1,335 | 1,213 | 1,177 |

We obtain several performance improvements over the current literature. Our implementation based on projective coordinates improves on the results from [4] by 6 % and 9 % on the Nehalem and Phenom II machines, respectively. Compared to an updated version [95] of a previous record-setting implementation [15], our Sandy Bridge timings are faster by 82,000 cycles, or 5 %. When independently benchmarking their available software on the Ivy Bridge machine, we observe a latency of 1,403 K cycles, so our software is faster by 5 %. Considering now the Haswell results from the same software available at [69], we obtain a speedup of 8 % without taking the mulx instruction into account, and comparable performance when mulx is employed. It is also interesting to note that the use of mulx yields a relatively small speedup of 3 %. When exploiting this instruction, the lack of carry-preserving addition instructions in the first generation of Haswell processors makes an efficient implementation of Comba-based multiplication and Montgomery reduction difficult, favoring the typically slower schoolbook versions. We anticipate better support for Comba variants with the upcoming addition instructions [78].

For implementations based on affine coordinates, the state-of-the-art result at the 128-bit security level is the one described by Acar *et al.* [1]. Unfortunately, only the latency of 15.6 million cycles on a Core 2 Duo is provided for 64-bit Intel architectures. While this does not allow a direct comparison, the small performance improvement between the Core 2 Duo and Nehalem reported in [4] suggests that our affine implementation should be around 6 times faster than [1] when executed on the same machine.

Despite being slower than our own projective version, our affine implementation is still considerably faster than some previous speed records obtained with projective coordinates [15, 54, 75]. This hints at the possibility that affine pairings could be improved even further, contrary to the naive intuition that the affine representation is far worse than a projective approach.

## 5 Conclusion

Pairings are amazingly flexible tools that enable the design of innovative cryptographic protocols. Their complex implementation has been the focus of intense research since the beginning of the millennium in what became a formidable race to make it efficient and practical.

We have reviewed the theory behind pairings and covered state-of-the-art algorithms, presented some further optimizations to the pairing computation in affine and projective coordinates, and analyzed the performance of the most efficient algorithmic options for pairing computation over ordinary curves at the 128-bit security level. In particular, our implementations of affine and projective pairings using Barreto-Naehrig curves show that the efficiency of these two approaches is not as contrasting as it might seem, and hint that further optimizations might be possible. Remarkably, the combination of advances in processor technology and carefully crafted algorithms brings the computation of pairings close to the one million cycle mark.

## Footnotes

1. Although there is no theoretical reason not to choose \(p\) to be a higher prime power, in practice such parameters are exceedingly rare and anyway unnecessary, so usually \(p\) is taken to be simply a prime.

## Acknowledgements

The authors would like to thank Tanja Lange for the many suggestions to improve the quality of this paper.

## References

1. Acar, T., Lauter, K., Naehrig, M., Shumow, D.: Affine pairings on ARM. In: Abdalla, M., Lange, T. (eds.) Pairing 2012. LNCS, vol. 7708, pp. 203–209. Springer, Heidelberg (2013)
2. Aranha, D.F., Fuentes-Castañeda, L., Knapp, E., Menezes, A., Rodríguez-Henríquez, F.: Implementing pairings at the 192-bit security level. In: Abdalla, M., Lange, T. (eds.) Pairing 2012. LNCS, vol. 7708, pp. 177–195. Springer, Heidelberg (2013)
3. Aranha, D.F., Gouvêa, C.P.L.: RELIC is an Efficient LIbrary for Cryptography. http://code.google.com/p/relic-toolkit/
4. Aranha, D.F., Karabina, K., Longa, P., Gebotys, C.H., López, J.: Faster explicit formulas for computing pairings over ordinary curves. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 48–68. Springer, Heidelberg (2011)
5. Balfanz, D., Durfee, G., Shankar, N., Smetters, D.K., Staddon, J., Wong, H.C.: Secret handshakes from pairing-based key agreements. In: IEEE Symposium on Security and Privacy - S&P 2003, Berkeley, USA, pp. 180–196. IEEE Computer Society (2003)
6. Barbulescu, R., Gaudry, P., Joux, A., Thomé, E.: A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. Cryptology ePrint Archive, Report 2013/400 (2013). http://eprint.iacr.org/2013/400
7. Barreto, P.S.L.M., Galbraith, S.D., ÓhÉigeartaigh, C., Scott, M.: Efficient pairing computation on supersingular abelian varieties. Des. Codes Crypt. 42(3), 239–271 (2007)
8. Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M.: Efficient algorithms for pairing-based cryptosystems. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 354–369. Springer, Heidelberg (2002)
9. Barreto, P.S.L.M., Libert, B., McCullagh, N., Quisquater, J.-J.: Efficient and provably-secure identity-based signatures and signcryption from bilinear maps. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 515–532. Springer, Heidelberg (2005)
10. Barreto, P.S.L.M., Lynn, B., Scott, M.: Constructing elliptic curves with prescribed embedding degrees. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 257–267. Springer, Heidelberg (2003)
11. Barreto, P.S.L.M., Lynn, B., Scott, M.: On the selection of pairing-friendly groups. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 17–25. Springer, Heidelberg (2004)
12. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)
13. Benger, N., Scott, M.: Constructing tower extensions of finite fields for implementation of pairing-based cryptography. In: Hasan, M.A., Helleseth, T. (eds.) WAIFI 2010. LNCS, vol. 6087, pp. 180–195. Springer, Heidelberg (2010)
14. Benson, K., Shacham, H., Waters, B.: The \(k\)-BDH assumption family: bilinear map cryptography from progressively weaker assumptions. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 310–325. Springer, Heidelberg (2013)
15. Beuchat, J.-L., González-Díaz, J.E., Mitsunari, S., Okamoto, E., Rodríguez-Henríquez, F., Teruya, T.: High-speed software implementation of the optimal ate pairing over Barreto–Naehrig curves. In: Joye, M., Miyaji, A., Otsuka, A. (eds.) Pairing 2010. LNCS, vol. 6487, pp. 21–39. Springer, Heidelberg (2010)
16. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)
17. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)
18. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003)
19. Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003)
20. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001)
21. Boyen, X.: Multipurpose identity-based signcryption: A swiss army knife for identity-based cryptography. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 383–399. Springer, Heidelberg (2003)
22. Boyen, X., Waters, B.: Anonymous hierarchical identity-based encryption (without random oracles). In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 290–307. Springer, Heidelberg (2006)
23. Brezing, F., Weng, A.: Elliptic curves suitable for pairing based cryptography. Des. Codes Crypt. 37(1), 133–141 (2005)
24. Cha, J.C., Cheon, J.H.: An identity-based signature from gap Diffie-Hellman groups. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 18–30. Springer, Heidelberg (2002)
25. Chen, L., Cheng, Z., Smart, N.P.: Identity-based key agreement protocols from pairings. Int. J. Inf. Secur. 6(4), 213–241 (2007)
26. Chen, X., Zhang, F., Kim, K.: New ID-based group signature from pairings. J. Electron. (China) 23(6), 892–900 (2006)
27. Chen, X., Zhang, F., Susilo, W., Tian, H., Li, J., Kim, K.: Identity-based chameleon hash scheme without key exposure. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 200–215. Springer, Heidelberg (2010)
28. Cheon, J.H.: Security analysis of the strong Diffie-Hellman problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 1–11. Springer, Heidelberg (2006)
29. Cheon, J.H.: Discrete logarithm problems with auxiliary inputs. J. Cryptology 23(3), 457–476 (2010)
30. Cheung, R.C.C., Duquesne, S., Fan, J., Guillermin, N., Verbauwhede, I., Yao, G.X.: FPGA implementation of pairings using residue number system and lazy reduction. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 421–441. Springer, Heidelberg (2011)
31. Chung, J., Hasan, M.: Asymmetric squaring formulae. In: 18th IEEE Symposium on Computer Arithmetic - ARITH-18 2007, pp. 113–122 (2007)
32. Cocks, C., Pinch, R.G.E.: Identity-based cryptosystems based on the Weil pairing (2001) (unpublished manuscript)
33. Comba, P.G.: Exponentiation cryptosystems on the IBM PC. IBM Syst. J. 29(4), 526–538 (1990)
34. Costello, C.: Particularly friendly members of family trees. Cryptology ePrint Archive, Report 2012/072 (2012). http://eprint.iacr.org/
35. Costello, C., Lange, T., Naehrig, M.: Faster pairing computations on curves with high-degree twists. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 224–242. Springer, Heidelberg (2010)
36. Costello, C., Lauter, K., Naehrig, M.: Attractive subfamilies of BLS curves for implementing high-security pairings. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 320–342. Springer, Heidelberg (2011)
37. Crandall, R., Pomerance, C.: Prime Numbers: A Computational Perspective. Springer, Berlin (2001)
38. Devegili, A.J., Scott, M., Dahab, R.: Implementing cryptographic pairings over Barreto-Naehrig curves. In: Takagi, T., Okamoto, E., Okamoto, T., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 197–207. Springer, Heidelberg (2007)
39. Dupont, R., Enge, A., Morain, F.: Building curves with arbitrary small MOV degree over finite prime fields. J. Cryptology 18(2), 79–89 (2005)
40. Duursma, I., Lee, H.-S.: Tate pairing implementation for hyperelliptic curves \(y^{2}=x^{p}-x+d\). In: Laih, C.S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 111–123. Springer, Heidelberg (2003)
41. Fan, J., Vercauteren, F., Verbauwhede, I.: Efficient hardware implementation of \(\mathbb{F}_p\)-arithmetic for pairing-friendly curves. IEEE Trans. Comput. 61(5), 676–685 (2012)
42. Fouque, P.-A., Tibouchi, M.: Indifferentiable hashing to Barreto-Naehrig curves. In: Hevia, A., Neven, G. (eds.) LatinCrypt 2012. LNCS, vol. 7533, pp. 1–17. Springer, Heidelberg (2012)
43. Freeman, D.: Constructing pairing-friendly elliptic curves with embedding degree 10. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 452–465. Springer, Heidelberg (2006)
44. Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. J. Cryptology 23(2), 224–280 (2010)
45. Frey, G., Müller, M., Rück, H.: The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems. IEEE Trans. Inf. Theory 45(5), 1717–1719 (1999)
46. Frey, G., Rück, H.G.: A remark concerning \(m\)-divisibility and the discrete logarithm problem in the divisor class group of curves. Math. Comput. 62, 865–874 (1994)
47. Fuentes-Castañeda, L., Knapp, E., Rodríguez-Henríquez, F.: Faster hashing to \({\mathbb{G}}_2\). In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 412–430. Springer, Heidelberg (2012)
48. Galbraith, S.D., Harrison, K., Soldera, D.: Implementing the Tate pairing. In: Fieker, C., Kohel, D.R. (eds.) ANTS 2002. LNCS, vol. 2369, pp. 324–337. Springer, Heidelberg (2002)
49. Galbraith, S.D.: Supersingular curves in cryptography. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 495–513. Springer, Heidelberg (2001)
50. Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discrete Appl. Math. 156(16), 3113–3121 (2008)
51. Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002)
52. Gouvêa, C.P.L., López, J.: Software implementation of pairing-based cryptography on sensor networks using the MSP430 microcontroller. In: Roy, B., Sendrier, N. (eds.) INDOCRYPT 2009. LNCS, vol. 5922, pp. 248–262. Springer, Heidelberg (2009)
53. Grewal, G., Azarderakhsh, R., Longa, P., Hu, S., Jao, D.: Efficient implementation of bilinear pairings on ARM processors. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 149–165. Springer, Heidelberg (2013)
54. Hankerson, D., Menezes, A., Scott, M.: Software implementation of pairings. In: Identity-Based Cryptography, ch. 12, pp. 188–206. IOS Press, Amsterdam (2008)
55. Hess, F., Smart, N., Vercauteren, F.: The eta pairing revisited. IEEE Trans. Inf. Theory 52, 4595–4602 (2006)
56. Joux, A.: A one-round protocol for tripartite Diffie-Hellman. In: Bosma, W. (ed.) ANTS 2000. LNCS, vol. 1838, pp. 385–394. Springer, Heidelberg (2000)
57. Kachisa, E.J., Schaefer, E.F., Scott, M.: Constructing Brezing-Weng pairing-friendly elliptic curves using elements in the cyclotomic field. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 126–135. Springer, Heidelberg (2008)
58. Karabina, K., Teske, E.: On prime-order elliptic curves with embedding degrees \(k\) = 3, 4, and 6. In: van der Poorten, A.J., Stein, A. (eds.) ANTS-VIII 2008. LNCS, vol. 5011, pp. 102–117. Springer, Heidelberg (2008)
59. Lauter, K., Montgomery, P.L., Naehrig, M.: An analysis of affine coordinates for pairing computation. In: Joye, M., Miyaji, A., Otsuka, A. (eds.) Pairing 2010. LNCS, vol. 6487, pp. 1–20. Springer, Heidelberg (2010)
60. Lee, E., Lee, H.-S., Park, C.-M.: Efficient and generalized pairing computation on abelian varieties. IEEE Trans. Inf. Theory 55(4), 1793–1803 (2009)
61. Libert, B., Quisquater, J.-J.: New identity based signcryption schemes from pairings. In: Information Theory Workshop - ITW 2003, pp. 155–158. IEEE (2003)
62. Longa, P.: High-speed elliptic curve and pairing-based cryptography. Ph.D. thesis, University of Waterloo, April 2011
63. Luca, F., Shparlinski, I.E.: Elliptic curves with low embedding degree. J. Cryptology 19(4), 553–562 (2006)
64. Matsuda, S., Kanayama, N., Hess, F., Okamoto, E.: Optimised versions of the ate and twisted ate pairings. In: Galbraith, S.D. (ed.) Cryptography and Coding 2007. LNCS, vol. 4887, pp. 302–312. Springer, Heidelberg (2007)
65. Menezes, A.J.: Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, Boston (1993)
66. Menezes, A.J., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theory 39, 1639–1646 (1993)
67. Miller, V.S.: Short programs for functions on curves. IBM Thomas J. Watson Research Center Report (1986). http://crypto.stanford.edu/miller/miller.pdf
68. Miller, V.S.: The Weil pairing, and its efficient calculation. J. Cryptology 17(4), 235–261 (2004)
69. Mitsunari, S.: A fast implementation of the optimal ate pairing over BN curve on Intel Haswell processor. Cryptology ePrint Archive, Report 2013/362 (2013). http://eprint.iacr.org/
70. Mitsunari, S., Sakai, R., Kasahara, M.: A new traitor tracing. IEICE Trans. Fundam. E85–A(2), 481–484 (2002)
71. Miyaji, A., Nakabayashi, M., Takano, S.: New explicit conditions of elliptic curve traces for FR-reduction. IEICE Trans. Fundam. E84–A(5), 1234–1243 (2001)
72. Montgomery, P.L.: Modular multiplication without trial division. Math. Comput. 44(170), 519–521 (1985)
73. Mori, Y., Akagi, S., Nogami, Y., Shirase, M.: Pseudo 8-sparse multiplication for efficient ate-based pairing on Barreto-Naehrig curve. In: Cao, Z., Zhang, F. (eds.) Pairing 2013. LNCS, vol. 8365, pp. 186–198. Springer, Heidelberg (2014)
74. Naehrig, M., Barreto, P.S.L.M., Schwabe, P.: On compressible pairings and their computation. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 371–388. Springer, Heidelberg (2008)
75. Naehrig, M., Niederhagen, R., Schwabe, P.: New software speed records for cryptographic pairings. In: Abdalla, M., Barreto, P.S.L.M. (eds.) LATINCRYPT 2010. LNCS, vol. 6212, pp. 109–123. Springer, Heidelberg (2010)
76. Nogami, Y., Akane, M., Sakemi, Y., Kato, H., Morikawa, Y.: Integer variable \(\chi\)-based ate pairing. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 178–191. Springer, Heidelberg (2008)
77. Okamoto, T., Pointcheval, D.: The gap-problems: a new class of problems for the security of cryptographic schemes. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 104–118. Springer, Heidelberg (2001)
78. Ozturk, E., Guilford, J., Gopal, V.: Large integer squaring on Intel architecture processors. Intel white paper (2013)
79. Ozturk, E., Guilford, J., Gopal, V., Feghali, W.: New instructions supporting large integer arithmetic on Intel architecture processors. Intel white paper (2012)
80. Pereira, G.C.C.F., Simplício Jr, M.A., Naehrig, M., Barreto, P.S.L.M.: A family of implementation-friendly BN elliptic curves. J. Syst. Softw. 84(8), 1319–1326 (2011)
81. Pollard, J.M.: Monte Carlo methods for index computation (mod \(p\)). Math. Comput. 32, 918–924 (1978)
82. Rubin, K., Silverberg, A.: Supersingular abelian varieties in cryptology. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 336–353. Springer, Heidelberg (2002)
83. Sakai, R., Kasahara, M.: Cryptosystems based on pairing over elliptic curve. In: Symposium on Cryptography and Information Security - SCIS 2003, pp. 8C-1, January 2003
84. Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing. In: Symposium on Cryptography and Information Security - SCIS 2000, Okinawa, Japan, January 2000
85. Scott, M.: A note on twists for pairing friendly curves (2009). ftp://ftp.computing.dcu.ie/pub/resources/crypto/twists.pdf
86. Scott, M.: On the efficient implementation of pairing-based protocols. In: Chen, L. (ed.) IMACC 2011. LNCS, vol. 7089, pp. 296–308. Springer, Heidelberg (2011)
87. Scott, M.: Unbalancing pairing-based key exchange protocols. Cryptology ePrint Archive, Report 2013/688 (2013). http://eprint.iacr.org/2013/688
88. Scott, M., Barreto, P.S.L.M.: Compressed pairings. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 140–156. Springer, Heidelberg (2004)
89. Scott, M., Benger, N., Charlemagne, M., Dominguez Perez, L.J., Kachisa, E.J.: On the final exponentiation for calculating pairings on ordinary elliptic curves. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 78–88. Springer, Heidelberg (2009)
90. Shirase, M.: Barreto-Naehrig curve with fixed coefficient. Cryptology ePrint Archive, Report 2010/134 (2010). http://eprint.iacr.org/2010/134
91. Silverman, J.H.: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, vol. 106. Springer, Berlin (1986)
92. Urroz, J.J., Luca, F., Shparlinski, I.: On the number of isogeny classes of pairing-friendly elliptic curves and statistics of MNT curves. Math. Comput. 81(278), 1093–1110 (2012)
93. Vercauteren, F.: Optimal pairings. IEEE Trans. Inf. Theory 56(1), 455–461 (2010)
94. Weil, A.: Sur les fonctions algébriques à corps de constantes fini. Comptes Rendus de l'Académie des Sciences 210, 592–594 (1940)
95. Zavattoni, E., Domínguez-Pérez, L.J., Mitsunari, S., Sánchez, A.H., Teruya, T., Rodríguez-Henríquez, F.: Software implementation of attribute-based encryption (2013). http://sandia.cs.cinvestav.mx/index.php?n=Site.CPABE
96. Zhang, F., Chen, X.: Yet another short signatures without random oracles from bilinear pairings. Cryptology ePrint Archive, Report 2005/230 (2005)
97. Zhang, F., Kim, K.: ID-based blind signature and ring signature from pairings. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 533–547. Springer, Heidelberg (2002)
98. Zhang, F., Safavi-Naini, R., Susilo, W.: An efficient signature scheme from bilinear pairings and its applications. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 277–290. Springer, Heidelberg (2004)