**Factor-4 and 6 (De)compression for Values of Pairings using Trace Maps**

*Tomoko Yonemura and Taichi Isogai and Hirofumi Muratani and Yoshikazu Hanatani*

**Abstract: **The security of pairing-based cryptosystems relies on the hardness of the discrete logarithm problems in elliptic curves and in finite fields related to the curves, namely, their embedding fields. Public keys and ciphertexts in the pairing-based cryptosystems are composed of points on the curves or values of pairings. Although the values of the pairings belong to the embedding fields, the representation of the field is inefficient in size because the size of the embedding fields is usually larger than the size of the elliptic curves. We show factor-4 and 6 compression and decompression for the values of the pairings with the supersingular elliptic curves of embedding degrees 4 and 6, respectively. For compression, we use the fact that the values of the pairings belong to algebraic tori
that are multiplicative subgroups of the embedding fields. The algebraic tori can be expressed by the affine representation or the trace representation. Although the affine representation allows decompression maps, decompression maps for the trace representation has not been known. In this paper, we propose a trace representation with decompression maps for the characteristics 2 and 3. We first construct efficient decompression maps for trace maps by adding extra information to the trace representation. Our decompressible trace representation with additional information is as efficient as the affine representation is in terms of the costs of compression, decompression and exponentiation, and the size.

**Category / Keywords: **public-key cryptography / discrete logarithm problem, algebraic tori, compression, decompression

**Publication Info: **Pairing 2012

**Date: **received 19 Oct 2012

**Contact author: **tomoko yonemura at toshiba co jp

**Available format(s): **PDF | BibTeX Citation

**Version: **20121025:123940 (All versions of this report)

**Short URL: **ia.cr/2012/593

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]