eprint.iacr.org will be offline for approximately an hour for routine maintenance at 11pm UTC on Tuesday, April 16. We lost some data between April 12 and April 14, and some authors have been notified that they need to resubmit their papers.
You are looking at a specific version 20120304:082405 of this paper. See the latest version.

Paper 2012/119

Accelerating the Final Exponentiation in the Computation of the Tate Pairings

Taechan Kim, Sungwook Kim, Jung Hee Cheon

Abstract

Tate pairing computation consists of two parts: Miller step and final exponentiation step. In this paper, we investigate how to accelerate the final exponentiation step. Consider an order $r$ subgroup of an elliptic curve defined over $\Fq$ with embedding degree $k$. The final exponentiation in the Tate pairing is an exponentiation of an element in $\Fqk$ by $(q^k-1)/r$. The hardest part of this computation is to raise to the power $\lam:=\varphi_k(q)/r$. Write it as $\lam=\lam_0+\lam_1q+\cdots+\lam_{d-1}q^{d-1}$ in the $q$-ary representation. When using multi-exponentiation techniques with precomputation, the final exponentiation cost mostly depends on $\kappa(\lambda)$, the size of the maximum of $|\lambda_i|$. In many parametrized pairing-friendly curves, the value $\kappa$ is about $\left(1-\frac{1}{\rho\varphi(k)}\right)\log q$ where $\rho=\log q/\log r$, while random curves will have $\kappa \approx \log q$. We analyze how this small $\kappa$ is obtained for parametrized elliptic curves, and show that $\left(1-\frac{1}{\rho\varphi(k)}\right)\log q$ is almost optimal in the sense that for all known construction methods of parametrized pairing-friendly curves it is the lower bound. This method is useful, but has a limitation that it can only be applied to only parametrized curves and excludes many of elliptic curves. In the second part of our paper, we propose a method to obtain a modified Tate pairing with smaller $\kappa$ for {\em any elliptic curves}. More precisely, our method finds an integer $m$ such that $\kappa(m\lambda)=\left(1-\frac{1}{\rho\varphi(k)}\right)\log q$ efficiently using lattice reduction. Using this modified Tate pairing, we can reduce the number of squarings in the final exponentiation by about $\left(1-\frac{1}{\rho\varphi(k)}\right)$ times from the usual Tate pairing. We apply our method to several known pairing friendly curves to verify the expected speedup.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
Tate pairingbilinear mapsfinal exponentiationoptimal pairingpairing-friendly curveselliptic curvesMiller length
Contact author(s)
tckim1458 @ gmail com
History
2012-03-04: received
Short URL
https://ia.cr/2012/119
License
Creative Commons Attribution
CC BY
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.