Faster computation of the Tate pairing (Q2430985)

From MaRDI portal
Revision as of 07:11, 5 March 2024 by Import240304020342 (talk | contribs) (Set profile property.)
scientific article
Language Label Description Also known as
English
Faster computation of the Tate pairing
scientific article

    Statements

    Faster computation of the Tate pairing (English)
    0 references
    0 references
    0 references
    0 references
    8 April 2011
    0 references
    The paper proposes some improvements in the computation of the Tate pairing on elliptic curves \(E\),\, both in Weierstrass form and in Edwards form, curves defined over a non-binary finite field \(F_q\)\, and with even embedding degree (for a prime \(n|\sharp(E)\)\, the embedding degree \(k\),\, with respect to \(n\),\, is the multiplicative degree of \(q\)\, modulo \(n\)). For \(E\)\, in Weierstrass form, Miller's algorithm computes efficiently the Tate pairing, using the chord-and-tangent method for the addition and doubling of points. Section 3 presents new formulas for the addition and doubling steps in Miller's algorithm. Those formulas use a representation of the points of \(E\)\, in Jacobian coordinates \((X:Y:Z:T)\), \(T^2=Z\), and the paper gives its cost in term of the costs \(m,s,M,S\) of multiplication and squaring in \(\mathbb F_q\) and \(\mathbb F_{q^k}\). A twisted Edwards curve, introduced by \textit{D. J. Bernstein} et al. [in: AFRICACRYPT 2008. Casablanca, Morocco, 2008. Lect. Notes Comput. Sci. 5023, 389--405 (2008; Zbl 1142.94332)], is a curve giving by an equation: \(E_{\text{ad}}: ax^2+y^2=1+dx^2y^2\), whose (affine) points have efficient addition formulas. Since the equation of \(E_{\text{ad}}\) has degree four the chord-and-tangent geometric interpretation of the addition is not more valid, but section 4 of the paper gives (theorem 2) a new geometric interpretation of the addition law for \(E_{\text{ad}}\), and with this tool section 5 shows how to compute Tate pairing on twisted Edwards curves. Section 6 gives the comparison of the proposed formulas with others in the literature, as the paper of \textit{S. Ionica} and \textit{A. Joux} [in: INDOCRYPT 2008. Kharagpur, India, 2008. Lect. Notes Comput. Sci. 5365, 400--413 (2008; Zbl 1203.94104)], concluding that `` ... our new formulas for Edwards curves solidly beat all previous formulas published for Tate computation on Edwards curves'' and `` Our new formulas for pairings on arbitrary Edwards curves are faster than all formulas previously known for Weierstrass curves except for the very special curves with \(a_4=0\).''. Finally, sections 7 and 8 present construction and numerical examples (with embedding degree \(k=6,8,10,22\)) of pairing-friendly Edwards curves, examples covering the most common security levels.
    0 references
    pairings
    0 references
    Miller functions
    0 references
    Weierstrass form
    0 references
    Edwards curves
    0 references
    doubling and addition formulas.
    0 references
    0 references
    0 references

    Identifiers

    0 references
    0 references
    0 references
    0 references
    0 references