Paper 2022/716

x-Superoptimal Pairings on some Elliptic Curves with Odd Prime Embedding Degrees

Abstract

The choice of the elliptic curve for a given pairing based protocol is primordial. For many cryptosystems based on pairings such as group signatures and their variants (EPID, anonymous attestation, etc) or accumulators, operations in the first pairing group $\mathbb{G}$ of points of the elliptic curve is more predominant. At $128$-bit security level two curves $BW13-P310$ and $$ with odd embedding degrees $$ and $$ suitable for super optimal pairing have been recommended for such pairing based protocols . But a prime embedding degree ($$) eliminates some important optimisation for the pairing computation. However The Miller loop length of the superoptimal pairing is the half of that of the optimal ate pairing but involve more exponentiations that affect its efficiency. In this work, we successfully develop methods and construct algorithms to efficiently evaluate and avoid heavy exponentiations that affect the efficiency of the superoptimal pairing. This leads to the definition of new bilinear and non degenerate pairing on $$ and $$ called $$-superoptimal pairing wchich is about $$ and $$ faster than the optimal ate pairing previousely computed on $$ and $$ respectively.