arithmetic on Hessian curves Public Key Cryptography – PKC 2010 Paris 2010 Lecture Notes in Comput. Sci. 6056 Springer Berlin 2010 243 260 9 D. Freeman, M. Scott and E. Teske,
A taxonomy of pairing-friendly elliptic curves,
J. Cryptology 23 (2010), 2, 224–280.
Freeman D. Scott M. Teske E. A taxonomy of pairing-friendly elliptic curves J. Cryptology 23 2010 2 224 280 10 G. Frey, M. Müller and H. Rück,
The tatepairing and the discrete logarithm applied to elliptic curve cryptosystems,
IEEE Trans. Inform. Theory 45 (1999), 5, 1717–1719.
Frey G. Müller M. Rück H. The tate
paper proposes the computation of the Tate pairing, Ate pairing and its variations on the special Jacobi quartic elliptic curve . We improve
the doubling and addition steps in Miller's algorithm to compute the Tate pairing. We use the birational equivalence between Jacobi quartic curves and Weierstrass curves, together with a specific point representation to obtain the best result to date among curves with quartic
twists. For the doubling and addition steps in Miller's algorithm for the computation of the Tate pairing,
we obtain a theoretical gain up to and , depending on the embedding degree and the extension
field arithmetic, with respect to Weierstrass curves and previous results on Jacobi quartic curves. Furthermore and for the first time, we compute and implement Ate, twisted Ate and optimal pairings on the Jacobi quartic curves. Our results are up to more efficient compared to the case of Weierstrass curves with
this pairing in cryptographic applications.
Keywords. Tatepairing, Weil pairing, self-pairing, pairing based cryptography.
2010 Mathematics Subject Classification. 14G50, 11T71, 11G20, 14Q05.
A pairing is a non-degenerate bilinear map
e W G1 G2 7! GT
where G1;G2;GT are cyclic groups of prime order r (the first two are usually
written additively, and the third multiplicatively). Such groups are found from
elliptic or hyperelliptic curves and the pairing is usually the Tate–Lichtenbaum
pairing or one of its variants. Pairings have found many
. Scott M. Faster squaring in the cyclotomic subgroup of sixth degree extensions Public Key Cryptography PKC 2010 Lecture Notes in Comput. Sci. 6056 Springer Berlin 2010 209 223 11 L. Hu, J. Dong and D. Pei,
Implementation of cryptosystems based on Tatepairing,
J. Comput. Sci. Tech. 20 (2005), 2, 264–269.
Hu L. Dong J. Pei D. Implementation of cryptosystems based on Tatepairing J. Comput. Sci. Tech. 20 2005 2 264 269 12 M. Joye and J. J. Quisquater,
Efficient computation of full Lucas sequences,
Electron. Lett. 36 (1996), 6, 537–538.
Joye M. Quisquater J. J
Néron, see height, see theorem of Néron,
Nagell, see theorem of Nagell, Lutz, and
see theorem of Nagell, Lutz
non-split multiplicative reduction,
one-way function, 82
period, 33, 52, 54
period parallelogram, 33
plane algebraic curve, 2
Pohlig-Hellmann reduction of DLP, 83
point at infinity, 2, 3
primality test, Goldwasser, Kilian, 27
projective n-space, see n-space
public key, see cryptosystem
.37), respectively, are related by
OhD.P / D 3 Oh.P /.
A very important property of the canonical height is that, by means of it, a positive-
definite quadratic form is defined as follows: First, one defines the so-called Néron–
Tate (or Weil) pairing by
hP ,Qi D Oh.P CQ/ Oh.P / Oh.Q/.
The following important properties for the canonical height and the Néron–Tatepair-
ing hold (see [45, Theorem 9.3]):
The Néron–Tatepairing is bilinear.
For any P 2 E with PE 2 E.Q/ and anym 2 Z, Oh.mP / D m2 Oh.P /; in particular,
Oh.P / D Oh.P /.
Oh.P / 0 and Oh.P / D 0 if and only if PE
application to the arithmetic theta correspondence, which is
modeled on , we need Howe’s abstract formulation. The additional facts we need, some
of which are special to this particular dual pair, can be found in .
2This follows from invariance under HB(Af ) of the hermitian form on MW(MB) de-
termined by the Néron-Tatepairing.
CENTRAL DERIVATIVES OF L-FUNCTIONS 355
where δp(σp, ψ−p ) is the local dichotomy sign defined in (8.2.8). Note that
the occurrence here of the additive ψ−p , where ψ
p (x) = ψp(−x), is ex-
plained in Corollary 8.2.6. Since B is indefinite
〈P,Q〉 = ĥ(P +Q)− ĥ(P )− ĥ(Q)
is symmetric and bilinear. This pairing is called Néron–Tatepairing.
(Sometimes a factor 12 is placed in front of the right-hand side. This has the advantage
that then ĥ(P ) = 〈P, P 〉.)
Proof. a) As we have seen in Theorem 5.13, one has
2h(P )+ 2h(Q)− c1 ≤ h(P +Q)+ h(P −Q) ≤ 2h(P )+ 2h(Q)+ c2
for all P,Q ∈ E(K) with constants c1 and c2. Replacing P and Q by 2nP and 2nQ,
and dividing the equation by 22n, one gets the equation