arithmetic on Hessian curves Public Key Cryptography – PKC 2010 Paris 2010 Lecture Notes in Comput. Sci. 6056 Springer Berlin 2010 243 260 9 D. Freeman, M. Scott and E. Teske,
A taxonomy of pairing-friendly elliptic curves,
J. Cryptology 23 (2010), 2, 224–280.
Freeman D. Scott M. Teske E. A taxonomy of pairing-friendly elliptic curves J. Cryptology 23 2010 2 224 280 10 G. Frey, M. Müller and H. Rück,
The tatepairing and the discrete logarithm applied to elliptic curve cryptosystems,
IEEE Trans. Inform. Theory 45 (1999), 5, 1717–1719.
Frey G. Müller M. Rück H. The tate
paper proposes the computation of the Tate pairing, Ate pairing and its variations on the special Jacobi quartic elliptic curve . We improve
the doubling and addition steps in Miller's algorithm to compute the Tate pairing. We use the birational equivalence between Jacobi quartic curves and Weierstrass curves, together with a specific point representation to obtain the best result to date among curves with quartic
twists. For the doubling and addition steps in Miller's algorithm for the computation of the Tate pairing,
we obtain a theoretical gain up to and , depending on the embedding degree and the extension
field arithmetic, with respect to Weierstrass curves and previous results on Jacobi quartic curves. Furthermore and for the first time, we compute and implement Ate, twisted Ate and optimal pairings on the Jacobi quartic curves. Our results are up to more efficient compared to the case of Weierstrass curves with
this pairing in cryptographic applications.
Keywords. Tatepairing, Weil pairing, self-pairing, pairing based cryptography.
2010 Mathematics Subject Classification. 14G50, 11T71, 11G20, 14Q05.
A pairing is a non-degenerate bilinear map
e W G1 G2 7! GT
where G1;G2;GT are cyclic groups of prime order r (the first two are usually
written additively, and the third multiplicatively). Such groups are found from
elliptic or hyperelliptic curves and the pairing is usually the Tate–Lichtenbaum
pairing or one of its variants. Pairings have found many
. Scott M. Faster squaring in the cyclotomic subgroup of sixth degree extensions Public Key Cryptography PKC 2010 Lecture Notes in Comput. Sci. 6056 Springer Berlin 2010 209 223 11 L. Hu, J. Dong and D. Pei,
Implementation of cryptosystems based on Tatepairing,
J. Comput. Sci. Tech. 20 (2005), 2, 264–269.
Hu L. Dong J. Pei D. Implementation of cryptosystems based on Tatepairing J. Comput. Sci. Tech. 20 2005 2 264 269 12 M. Joye and J. J. Quisquater,
Efficient computation of full Lucas sequences,
Electron. Lett. 36 (1996), 6, 537–538.
Joye M. Quisquater J. J
For which groups (of the same prime order p) used in cryp-
tographic protocols and which values i, 1 ≤ i ≤ p− 1, do efficient algorithms for
computing ei exist?
More generally, G can be E[m]; for the Tatepairing, efficient algorithms with
performance comparable to that of RSA have been found .
9.1.3 Cocyclic codes
Many good error-correcting block codes (see Chapter 3.2.1) are derived from v× v
matrices M with entries in a commutative ring R with unity, which have in addition
some internal structure.
The rows themselves may form the code. For example, the rows
letting the ®-
nite subgroup H 1f ;S K;T on T be the exact annihilator of H 1f ;S K ;T under the Tatepairing. This respects minimally rami®ed structures for p3 l; by , Proposition 3.8 it also
respects crystalline structures if T nZl Ql is deRham.
1.1.5. Archimedean structures. We brie¯y consider the archimedean case. Let K
denote either R or C and let T be an l-adic GK -module. The cohomology group H
1 K ;T is
trivial, so that there is only one choice for the ®nite/singular structure, unless K R and
l 2. We refer to , Remark 1.3.7 for the natural
that if the abelian variety AF has semistable ordinary reduction at all the primes of F above
p then the p-adic height pairing on AF defined using the unit-root splitting and the one of
Let us now describe the idea of the proof. p-adic height pairings are the Qp-valued
counterparts of the real-valued Néron-Tate height pairings on abelian varieties. As the
Néron-Tatepairings they can be decomposed into local contributions, one for each finite
place of the ground field F . At the places not dividing p, these local contributions are
the Cassels–Tatepairing equals that of the Artin–Verdier pairing ½a2; b 0,
where b 0 A H 1
U ;TZ=nZðM Þ
is a preimage of a 0. A diagram chasing now shows that a2
comes from ðcvÞ A
. It follows that ½a2; b 0 equals the sum of the local
pairings hcv; b 0viv for v A S, where b
v is the image of b
0 in H 1
Our assumption that ha; a 0i ¼ 0 for all a 0 A D1ðU ;M Þ½n thus implies that ðcvÞ
satisfies the assumptions of the lemma, and hence up to modifying it by an element
H0ðkv;MÞ (which does not change a), we may
field in one variable over a finite field, provided
that one ignores the p-primary torsion part of the groups under consideration, where
p ¼ char k. We leave the verification of this to the readers.
6. Comparison with the Cassels-Tatepairing
In this section, we give a definition of the pairing of Theorem 0.2 purely in terms
of Galois cohomology and show that in the case M ¼ ½0! A it reduces to the classical
Cassels-Tatepairing for abelian varieties.
The idea is to use the diminished cup-product construction discovered by Poonen and
Stoll (see , pp. 1117