arithmetic on Hessian curves Public Key Cryptography – PKC 2010 Paris 2010 Lecture Notes in Comput. Sci. 6056 Springer Berlin 2010 243 260 9 D. Freeman, M. Scott and E. Teske,
A taxonomy of pairing-friendly elliptic curves,
J. Cryptology 23 (2010), 2, 224–280.
Freeman D. Scott M. Teske E. A taxonomy of pairing-friendly elliptic curves J. Cryptology 23 2010 2 224 280 10 G. Frey, M. Müller and H. Rück,
The tatepairing and the discrete logarithm applied to elliptic curve cryptosystems,
IEEE Trans. Inform. Theory 45 (1999), 5, 1717–1719.
Frey G. Müller M. Rück H. The tate
paper proposes the computation of the Tate pairing, Ate pairing and its variations on the special Jacobi quartic elliptic curve . We improve
the doubling and addition steps in Miller's algorithm to compute the Tate pairing. We use the birational equivalence between Jacobi quartic curves and Weierstrass curves, together with a specific point representation to obtain the best result to date among curves with quartic
twists. For the doubling and addition steps in Miller's algorithm for the computation of the Tate pairing,
we obtain a theoretical gain up to and , depending on the embedding degree and the extension
field arithmetic, with respect to Weierstrass curves and previous results on Jacobi quartic curves. Furthermore and for the first time, we compute and implement Ate, twisted Ate and optimal pairings on the Jacobi quartic curves. Our results are up to more efficient compared to the case of Weierstrass curves with
this pairing in cryptographic applications.
Keywords. Tatepairing, Weil pairing, self-pairing, pairing based cryptography.
2010 Mathematics Subject Classification. 14G50, 11T71, 11G20, 14Q05.
A pairing is a non-degenerate bilinear map
e W G1 G2 7! GT
where G1;G2;GT are cyclic groups of prime order r (the first two are usually
written additively, and the third multiplicatively). Such groups are found from
elliptic or hyperelliptic curves and the pairing is usually the Tate–Lichtenbaum
pairing or one of its variants. Pairings have found many
. Scott M. Faster squaring in the cyclotomic subgroup of sixth degree extensions Public Key Cryptography PKC 2010 Lecture Notes in Comput. Sci. 6056 Springer Berlin 2010 209 223 11 L. Hu, J. Dong and D. Pei,
Implementation of cryptosystems based on Tatepairing,
J. Comput. Sci. Tech. 20 (2005), 2, 264–269.
Hu L. Dong J. Pei D. Implementation of cryptosystems based on Tatepairing J. Comput. Sci. Tech. 20 2005 2 264 269 12 M. Joye and J. J. Quisquater,
Efficient computation of full Lucas sequences,
Electron. Lett. 36 (1996), 6, 537–538.
Joye M. Quisquater J. J
quence, pairings became very popular in asymmetric cryptography and computing
RNS in Fpk and pairings 65
them as fast as possible is very important. Let us first briefly recall the state of the
art in this field and then explain how an RNS arithmetic can be helpful.
4.2 The Tatepairing
The most popular pairing used in cryptography is the Tatepairing. We present it
here in a simplified and reduced form because it is the one usually used in cryp-
tographic applications. More details and generalities can be found in [16, 23]. In
this paper we assume that E is an
group of points of order r
defined over the ground field Fq. Hence, we consider a non-degenerate bilinear pairing
of the form
e : E(Fq)[r]× E(Fq)[r]→ µr ⊆ F∗qk .
We may obtain such a pairing from the Weil pairing  or Tatepairing  twisted by
an endomorphism ψ called a distortion map [21, 22].
For example, if the Tatepairing is used then we define
e(P,Q) = fr,P (ψ(Q))(q
where fr,P is a function on E with divisor (fr,P ) = r(P ) − r(0) (see  or  for
more details about pairings). The value fr,P (ψ(Q)) may be computed using Miller’s
for optimal tatepairing check on the elliptic curve alt_bn128, 2017. https://eips.ethereum.org/EIPS/eip-197 .  J. Camenisch and M. Stadler. Proof systems for general statements about discrete logarithms. Technical report, Dept. of Computer Science, ETH Zurich., 1997.  Jan Camenisch, Rafik Chaabouni, and abhi shelat. Efficient protocols for set membership and range proofs. In Josef Pieprzyk, editor, Advances in Cryptology - ASIACRYPT 2008 , pages 234–252. Springer, 2008.  Sébastien Canard, Iwen Coisel, Amandine Jambert, and Jacques Traoré. New results
letting the ®-
nite subgroup H 1f ;S K;T on T be the exact annihilator of H 1f ;S K ;T under the Tatepairing. This respects minimally rami®ed structures for p3 l; by , Proposition 3.8 it also
respects crystalline structures if T nZl Ql is deRham.
1.1.5. Archimedean structures. We brie¯y consider the archimedean case. Let K
denote either R or C and let T be an l-adic GK -module. The cohomology group H
1 K ;T is
trivial, so that there is only one choice for the ®nite/singular structure, unless K R and
l 2. We refer to , Remark 1.3.7 for the natural