Faster Pairing Computations on Curves with High-Degree Twists

Abstract: Abstract. Research on efficient pairing implementation has focussed on reducing the loop length and on using high-degree twists. Existence of twists of degree larger than 2 is a very restrictive criterion but luckily constructions for pairing-friendly elliptic curves with such twists exist. In fact, Freeman, Scott and Teske showed in their overview paper that often the best known methods of constructing pairing-friendly elliptic curves over fields of large prime characteristic produce curves that admit twists … Show more

“…Observe that the Basic Implementation in Table 3 consistently outperforms Beuchat et al due to our careful implementation of an optimal choice of parameters (E(F p ) : y 2 = x 3 + 2, p = 3 mod 4) [10] combined with optimized curve arithmetic in homogeneous coordinates [9]. When lazy reduction and faster cyclotomic formulas are enabled, pairing computation becomes faster than the best previous result by 27%-33%.…”

“…Instead of Jacobian coordinates, Costello et al [9,Section 5] proposed the use of projective coordinates to perform the curve arithmetic entirely on the twist. Their formula for computing a point doubling and line evaluation costs 2m + 7s + 23ã + 4m + 1m b .…”

“…Their formula for computing a point doubling and line evaluation costs 2m + 7s + 23ã + 4m + 1m b . The twisting of point P , given in our case by (x P /w 2 , y P /w 3 ) = ( x P ξ v 2 , y P ξ vw), is eliminated by multiplying the whole line evaluation by ξ and relying on the nal exponentiation to eliminate this extra factor [9]. Clearly, the main drawback of this formula is the high number of additions.…”

“…X 3 = λ(λ 3 + Z 1 θ 2 − 2X 1 λ 2 ), Y 3 = θ(3X 1 λ 2 − λ 3 − Z 1 θ 2 ) − Y 1 λ 3 , Z 3 = Z 1 λ 3 , l = λ y P − (θ x P )v 2 + ξ(θX 2 − λY 2 )vw, (9) that has a total cost of 11m u + 2s u + 11r + 12ã + 4m if computed as detailed in Algorithm 12.…”

“…The Optimal Ate pairing [8] computed entirely on twists [9] with simplied nal line evaluations [6] over a recently-introduced subclass [10] of the Barreto-Naehrig (BN) family of pairing-friendly elliptic curves [11].…”

Faster Explicit Formulas for Computing Pairings over Ordinary Curves

“…Observe that the Basic Implementation in Table 3 consistently outperforms Beuchat et al due to our careful implementation of an optimal choice of parameters (E(F p ) : y 2 = x 3 + 2, p = 3 mod 4) [10] combined with optimized curve arithmetic in homogeneous coordinates [9]. When lazy reduction and faster cyclotomic formulas are enabled, pairing computation becomes faster than the best previous result by 27%-33%.…”

“…Instead of Jacobian coordinates, Costello et al [9,Section 5] proposed the use of projective coordinates to perform the curve arithmetic entirely on the twist. Their formula for computing a point doubling and line evaluation costs 2m + 7s + 23ã + 4m + 1m b .…”

“…Their formula for computing a point doubling and line evaluation costs 2m + 7s + 23ã + 4m + 1m b . The twisting of point P , given in our case by (x P /w 2 , y P /w 3 ) = ( x P ξ v 2 , y P ξ vw), is eliminated by multiplying the whole line evaluation by ξ and relying on the nal exponentiation to eliminate this extra factor [9]. Clearly, the main drawback of this formula is the high number of additions.…”

“…X 3 = λ(λ 3 + Z 1 θ 2 − 2X 1 λ 2 ), Y 3 = θ(3X 1 λ 2 − λ 3 − Z 1 θ 2 ) − Y 1 λ 3 , Z 3 = Z 1 λ 3 , l = λ y P − (θ x P )v 2 + ξ(θX 2 − λY 2 )vw, (9) that has a total cost of 11m u + 2s u + 11r + 12ã + 4m if computed as detailed in Algorithm 12.…”

“…The Optimal Ate pairing [8] computed entirely on twists [9] with simplied nal line evaluations [6] over a recently-introduced subclass [10] of the Barreto-Naehrig (BN) family of pairing-friendly elliptic curves [11].…”

Faster Explicit Formulas for Computing Pairings over Ordinary Curves

A Short-List of Pairing-Friendly Curves Resistant to Special TNFS at the 128-Bit Security Level

Optimized and Secure Pairing-Friendly Elliptic Curves Suitable for One Layer Proof Composition