paper proposes the computation of the Tate pairing, Ate pairing and its variations on the special Jacobi quartic elliptic curve . We improve
the doubling and addition steps in Miller's algorithm to compute the Tate pairing. We use the birational equivalence between Jacobi quartic curves and Weierstrass curves, together with a specific point representation to obtain the best result to date among curves with quartic
twists. For the doubling and addition steps in Miller's algorithm for the computation of the Tate pairing,
we obtain a theoretical gain up to and , depending on the embedding degree and the extension
field arithmetic, with respect to Weierstrass curves and previous results on Jacobi quartic curves. Furthermore and for the first time, we compute and implement Ate, twisted Ate and optimal pairings on the Jacobi quartic curves. Our results are up to more efficient compared to the case of Weierstrass curves with
this pairing in cryptographic applications.
Keywords. Tate pairing, Weil pairing, self-pairing, pairing based cryptography.
2010 Mathematics Subject Classification. 14G50, 11T71, 11G20, 14Q05.
A pairing is a non-degenerate bilinear map
$e : G_1 \times G_2 \to G_T$
where $G_1, G_2, G_T$ are cyclic groups of prime order $r$ (the first two are usually
written additively, and the third multiplicatively). Such groups are found from
elliptic or hyperelliptic curves and the pairing is usually the Tate–Lichtenbaum
pairing or one of its variants. Pairings have found many
cohomology groups. In
§1.4 we state without proof the results we need concerning the Tate pairing
on local cohomology groups, and we study how our special subgroups
behave with respect to this pairing.
In §1.5 and §1.6 we define Selmer groups and give the basic examples of
ideal class groups and Selmer groups of elliptic curves and abelian varieties.
Then in §1.7, using Poitou-Tate global duality and the local orthogonality
results from §1.4, we derive our main tool (Theorem 1.7.3) for bounding
the size of Selmer groups.
1.1. p-adic Representations
diagram in which all the maps are isomorphisms
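where $\lambda_E$ is the formal group logarithm, and the bottom right isomorphism
is defined in [T3] Theorem 4.2. Using these identifications we will also view
$\lambda_E$ as a homomorphism from $E(\mathbf{Q}_{n,p})$ to $\mathbf{Q}_{n,p}$.
Since $V \cong V^*$, the local Tate pairing gives the second isomorphism in
$\mathrm{Hom}(E(\mathbf{Q}_{n,p}), \mathbf{Q}_p) \cong \mathrm{Hom}(H^1_f(\mathbf{Q}_{n,p}, V), \mathbf{Q}_p) \cong H^1_s(\mathbf{Q}_{n,p}, V).$
Thus there is a dual exponential map (see [Kal] §11.1.2)
$\exp^*_E : H^1_s(\mathbf{Q}_{n,p}, V) \xrightarrow{\sim} \mathrm{Cotan}(E_{/\mathbf{Q}_{n,p}}) = \mathbf{Q}_{n,p}\,\omega_E.$
Write $\exp^*_{\omega_E} : H^1_s(\mathbf{Q}_{n,p}, V) \xrightarrow{\sim} \mathbf{Q}_{n,p}$ for the composition $\omega_E^* \circ \exp^*_E$. Since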
RNS in $\mathbb{F}_{p^k}$ and pairings 65
quence, pairings became very popular in asymmetric cryptography and computing
them as fast as possible is very important. Let us first briefly recall the state of the
art in this field and then explain how an RNS arithmetic can be helpful.
4.2 The Tate pairing
The most popular pairing used in cryptography is the Tate pairing. We present it
here in a simplified and reduced form because it is the one usually used in cryptographic
applications. More details and generalities can be found in [16, 23]. In
this paper we assume that E is an
group of points of order r
defined over the ground field Fq. Hence, we consider a non-degenerate bilinear pairing
of the form
$e : E(\mathbb{F}_q)[r] \times E(\mathbb{F}_q)[r] \to \mu_r \subseteq \mathbb{F}_{q^k}^*.$
We may obtain such a pairing from the Weil pairing or Tate pairing twisted by
an endomorphism ψ called a distortion map [21, 22].
For example, if the Tate pairing is used then we define
e(P,Q) = fr,P (ψ(Q))(q
where fr,P is a function on E with divisor (fr,P ) = r(P ) − r(0) (see  or  for
more details about pairings). The value fr,P (ψ(Q)) may be computed using Miller’s
for each n > 0. Let r be a prime dividing $\#\mathrm{Jac}(C)(\mathbb{F}_q)$ and
coprime to p. We define the embedding degree to be the smallest positive integer k
such that r divides $q^k - 1$; note that $\mathbb{F}_{q^k}$ is the field generated over $\mathbb{F}_q$ by adjoining the
group $\mu_r$ of rth roots of unity in $\mathbb{F}_q$. Throughout,
$e_r : \mathrm{Jac}(C)[r] \times \mathrm{Jac}(C)[r] \to \mu_r \subset \mathbb{F}_{q^k}^*$
denotes a non-degenerate, bilinear, and Galois-invariant pairing on Jac(C)[r], such as
the Weil pairing or the reduced Tate pairing; we refer the reader to [1, 2, 8, 7, 16, 17]
for details on pairings and pairing-based cryptography.
An elliptic curve E
20 Laura Hitt
–Rück attack and MOV attack use the Tate pairing and
Weil pairing, respectively, to map the discrete logarithm problem on the curve’s Jacobian
defined over $\mathbb{F}_q$ to the discrete logarithm in the multiplicative group of the extension
field $\mathbb{F}_{q^k}$, for some integer k, where there are more efficient methods for solving
the DLP. This extension degree k is known as the embedding degree. We will say a
curve C has embedding degree k with respect to an integer N if and only if a subgroup
of order N of its Jacobian $J_C$ does. So for pairing-based cryptosystems, it is impor
E. Fouvry and H. Iwaniec,
Gaussian primes,
Acta Arith. 79 (1997), no. 3, 249–287.
doi:10.4064/aa-79-3-249-287
G. Frey, M. Müller and H.-G. Rück,
The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems,
IEEE Trans. Inform. Theory 45 (1999), no. 5, 1717–1719.
doi:10.1109/18.771254