paper proposes the computation of the Tate pairing, Ate pairing and its variations on the special Jacobi quartic elliptic curve . We improve
the doubling and addition steps in Miller's algorithm to compute the Tate pairing. We use the birational equivalence between Jacobi quartic curves and Weierstrass curves, together with a specific point representation to obtain the best result to date among curves with quartic
twists. For the doubling and addition steps in Miller's algorithm for the computation of the Tate pairing,
we obtain a theoretical gain up to and , depending on the embedding degree and the extension
field arithmetic, with respect to Weierstrass curves and previous results on Jacobi quartic curves. Furthermore and for the first time, we compute and implement Ate, twisted Ate and optimal pairings on the Jacobi quartic curves. Our results are up to more efficient compared to the case of Weierstrass curves with
this pairing in cryptographic applications.
Keywords. Tatepairing, Weil pairing, self-pairing, pairing based cryptography.
2010 Mathematics Subject Classification. 14G50, 11T71, 11G20, 14Q05.
A pairing is a non-degenerate bilinear map
e W G1 G2 7! GT
where G1;G2;GT are cyclic groups of prime order r (the first two are usually
written additively, and the third multiplicatively). Such groups are found from
elliptic or hyperelliptic curves and the pairing is usually the Tate–Lichtenbaum
pairing or one of its variants. Pairings have found many
quence, pairings became very popular in asymmetric cryptography and computing
RNS in Fpk and pairings 65
them as fast as possible is very important. Let us first briefly recall the state of the
art in this field and then explain how an RNS arithmetic can be helpful.
4.2 The Tatepairing
The most popular pairing used in cryptography is the Tatepairing. We present it
here in a simplified and reduced form because it is the one usually used in cryp-
tographic applications. More details and generalities can be found in [16, 23]. In
this paper we assume that E is an
group of points of order r
defined over the ground field Fq. Hence, we consider a non-degenerate bilinear pairing
of the form
e : E(Fq)[r]× E(Fq)[r]→ µr ⊆ F∗qk .
We may obtain such a pairing from the Weil pairing  or Tatepairing  twisted by
an endomorphism ψ called a distortion map [21, 22].
For example, if the Tatepairing is used then we define
e(P,Q) = fr,P (ψ(Q))(q
where fr,P is a function on E with divisor (fr,P ) = r(P ) − r(0) (see  or  for
more details about pairings). The value fr,P (ψ(Q)) may be computed using Miller’s
for optimal tatepairing check on the elliptic curve alt_bn128, 2017. https://eips.ethereum.org/EIPS/eip-197 .  J. Camenisch and M. Stadler. Proof systems for general statements about discrete logarithms. Technical report, Dept. of Computer Science, ETH Zurich., 1997.  Jan Camenisch, Rafik Chaabouni, and abhi shelat. Efficient protocols for set membership and range proofs. In Josef Pieprzyk, editor, Advances in Cryptology - ASIACRYPT 2008 , pages 234–252. Springer, 2008.  Sébastien Canard, Iwen Coisel, Amandine Jambert, and Jacques Traoré. New results
for each n > 0. Let r be a prime dividing #Jac(C)(Fq) and
coprime to p. We define the embedding degree to be the smallest positive integer k
such that r divides qk − 1; note that Fqk is the field generated over Fq by adjoining the
group µr of rth roots of unity in Fq. Throughout,
er : Jac(C)[r]× Jac(C)[r]→ µr ⊂ F∗qk
denotes a non-degenerate, bilinear, and Galois-invariant pairing on Jac(C)[r], such as
the Weil pairing or the reduced Tatepairing; we refer the reader to [1, 2, 8, 7, 16, 17]
for details on pairings and pairing-based cryptography.
An elliptic curve E
–Rück attack and MOV attack use the Tatepairing and
Weil pairing, respectively, to map the discrete logarithm problem on the curve’s Jaco-
bian defined over Fq to the discrete logarithm in the multiplicative group of the exten-
20 Laura Hitt
sion field Fqk , for some integer k, where there are more efficient methods for solving
the DLP. This extension degree k is known as the embedding degree. We will say a
curve C has embedding degree k with respect to an integer N if and only if a subgroup
of order N of its Jacobian JC does. So for pairing-based cryptosystems, it is impor
E. Fouvry and H. Iwaniec,
Acta Arith. 79 (1997), no. 3, 249–287.
10.4064/aa-79-3-249-287 Fouvry E. Iwaniec H. Gaussian primes Acta Arith. 79 1997 3 249 287 
G. Frey, M. Müller and H.-G. Rück,
The Tatepairing and the discrete logarithm applied to elliptic curve cryptosystems,
IEEE Trans. Inform. Theory 45 (1999), no. 5, 1717–1719.
10.1109/18.771254 Frey G. Müller M. Rück H.-G. The Tatepairing and the discrete logarithm applied to elliptic curve cryptosystems IEEE Trans. Inform. Theory 45 1999 5 1717
curves as proposed by Brezing and Weng . We use the notation N, Z, Q
for the set of positive integers, rational integers and rational numbers, respectively.
We denote by Fq a finite field with order q. The order of an elliptic curve E over
Fq is given by
#E.Fq/ D q C 1 t;
where t 2 Z is the trace of the Frobenius map.
Pairing-based cryptographic systems require a non-degenerate pairing which
can be efficiently computed. For example, the most common pairings used in
252 K. Okano
applications are Weil and Tatepairings. We define the embedding degree with
pairing a very costly object to compute [ 18 , 22 ]. Freeman provides sample parameter sizes of bilinear groups for various security levels [ 18 , Section 4] and
mentions that for 80-bit security level a composite order Tatepairing on a 1024-bit supersingular curve would be approximately 50 times slower than a prime order Tatepairing on a 170-bit MNT curve.
In [ 22 ] it was reported that a composite order pairing for 128-bit security level was approximately 254 times slower than its prime order counterpart for the same security level. This efficiency bottleneck