In many parametrized pairing-friendly curves, the value $\kappa$ is about $\left(1-\frac{1}{\rho\varphi(k)}\right)\log q$ where $\rho=\log q/\log r$, while random curves will have $\kappa \approx \log q$. We analyze how this small $\kappa$ is obtained for parametrized elliptic curves, and show that $\left(1-\frac{1}{\rho\varphi(k)}\right)\log q$ is almost optimal in the sense that for all known construction methods of parametrized pairing-friendly curves it is the lower bound. This method is useful, but has a limitation that it can only be applied to only parametrized curves and excludes many of elliptic curves.
In the second part of our paper, we propose a method to obtain a modified Tate pairing with smaller $\kappa$ for {\em any elliptic curves}. More precisely, our method finds an integer $m$ such that $\kappa(m\lambda)=\left(1-\frac{1}{\rho\varphi(k)}\right)\log q$ efficiently using lattice reduction. Using this modified Tate pairing, we can reduce the number of squarings in the final exponentiation by about $\left(1-\frac{1}{\rho\varphi(k)}\right)$ times from the usual Tate pairing. We apply our method to several known pairing friendly curves to verify the expected speedup.
Category / Keywords: public-key cryptography / Tate pairing, bilinear maps, final exponentiation, optimal pairing, pairing-friendly curves, elliptic curves, Miller length Date: received 2 Mar 2012 Contact author: tckim1458 at gmail com Available format(s): PDF | BibTeX Citation Version: 20120304:082405 (All versions of this report) Short URL: ia.cr/2012/119 Discussion forum: Show discussion | Start new discussion