**Polynomials for Ate Pairing and $\mathbf{Ate}_{i}$ Pairing**

*Zhitu Su, Hui Li and JianFeng Ma*

**Abstract: **The irreducible factor $r(x)$ of $\mathrm{\Phi}_{k}(u(x))$ and $u(x)
$ are often used in constructing pairing-friendly curves. $u(x)$ and
$u_{c} \equiv u(x)^{c} \pmod{r(x)}$ are selected to be the Miller
loop control polynomial in Ate pairing and $\mathrm{Ate}_{i}$
pairing. In this paper we show that when $4|k$ or the minimal prime
which divides $k$ is larger than $2$, some $u(x)$ and $r(x)$ can not
be used as curve generation parameters if we want $\mathrm{Ate}_{i}$
pairing to be efficient. We also show that the Miller loop length
can not reach the bound $\frac{\mathrm{log_{2}r}}{\varphi(k)}$ when
we use the factorization of $\mathrm{\Phi}_{k}(u(x))$ to generate
elliptic curves.

**Category / Keywords: **public-key cryptography /

**Date: **received 8 May 2008

**Contact author: **ztsu at mail xidian edu cn

**Available format(s): **Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

**Version: **20080512:202858 (All versions of this report)

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]