Abstract
Recently, Edwards curves have received a lot of attention in the cryptographic community due to their fast scalar multiplication algorithms. Since then, many works on the application of these curves to pairing-based cryptography have been introduced. In this paper, we investigate refinements to Miller’s algorithm, which plays a central role in pairing computation. We first introduce a variant of the Miller function that leads to a more efficient variant of Miller’s algorithm on Edwards curves. Then, based on the new Miller function, we present a refinement to Miller’s algorithm that significantly improves the performance in comparison with the original Miller’s algorithm. Our analyses also show that the proposed refinement is approximately 25% faster than Xu–Lin’s refinements (CT-RSA, 2010). Last but not least, our approach is generic, hence the proposed algorithms make it possible to compute both Weil and Tate pairings on pairing-friendly Edwards curves of any embedding degree.
Notes
Let E be an elliptic curve defined over a prime finite field \(\mathbb {F}_p\), and let r be a prime dividing \(\#E(\mathbb {F}_p)\). The embedding degree of E with respect to r is the smallest positive integer k such that \(r | p^k - 1\). In other words, k is the smallest integer such that \(\mathbb {F}^*_{p^k}\) contains the r-th roots of unity.
Note that by definition optimal pairings only require about \(\log _2(r)/\varphi (k)\) iterations of the basic loop, where r is the group order, \(\varphi \) is Euler’s totient function, and k is the embedding degree. For example, when k is prime, then \(\varphi (k) = k - 1\). If we choose a curve having embedding degree \(k \pm 1\), then \(\varphi (k\pm 1)\le \frac{k+1}{2}\) which is roughly \(\frac{\varphi (k)}{2}=\frac{k-1}{2}\), so that at least twice as many iterations are necessary if curves with embedding degrees \(k \pm 1\) are used instead of curves of embedding degree k.
Lines 3, 4 in Algorithm 3 combine both a doubling and an addition step.
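The first two notes can be checked numerically. The following Python sketch is an added example, not code from the paper: it computes the embedding degree from the definition \(r | p^k - 1\) and the \(\log _2(r)/\varphi (k)\) loop-length estimate. The function names are hypothetical, the toy pair p = 103, r = 97 is constructed from the Barreto–Naehrig polynomials at u = 1 (an assumption made for illustration), and \(2^{256}\) is used only as a size stand-in for a 256-bit r.

```python
from math import log2

def embedding_degree(p, r, max_k=100):
    """Smallest k >= 1 with r | p^k - 1, or None if none exists up to max_k."""
    if p % r == 0:
        raise ValueError("r divides p, so p has no multiplicative order mod r")
    acc = 1
    for k in range(1, max_k + 1):
        acc = acc * p % r          # acc == p^k mod r
        if acc == 1:
            return k
    return None                    # not pairing-friendly within the bound

def euler_phi(k):
    """Euler's totient via trial-division factorisation (k is small here)."""
    result, n, q = k, k, 2
    while q * q <= n:
        if n % q == 0:
            while n % q == 0:
                n //= q
            result -= result // q
        q += 1
    if n > 1:
        result -= result // n
    return result

def optimal_loop_length(r, k):
    """Approximate basic-loop iterations of an optimal pairing: log2(r)/phi(k)."""
    return log2(r) / euler_phi(k)

def bn_toy(u):
    """Constructed toy parameters from the BN polynomials p(u), r(u)."""
    p = 36*u**4 + 36*u**3 + 24*u**2 + 6*u + 1
    r = 36*u**4 + 36*u**3 + 18*u**2 + 6*u + 1
    return p, r

if __name__ == "__main__":
    p, r = bn_toy(1)                       # (103, 97), both prime
    print("k =", embedding_degree(p, r))   # BN curves have k = 12
    r_size = 2**256                        # size stand-in only, not a prime
    for k in (10, 11, 12):                 # prime k = 11 versus k - 1 and k + 1
        print(k, euler_phi(k), optimal_loop_length(r_size, k))
```

For the prime k = 11 the estimate is 25.6 iterations, against 64 for k = 10 or k = 12, which is the "at least twice as many" gap described in the second note.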
References
Arène, C., Lange, T., Naehrig, M., Ritzenthaler, C.: Faster computation of the Tate pairing. J. Number Theory 131(5), 842–857 (2011)
Bernstein, D.J., Birkner, P., Joye, M., Lange, T., Peters, C.: Twisted Edwards curves. In: Proceedings of the Cryptology in Africa 1st International Conference on Progress in Cryptology. AFRICACRYPT’08, pp. 389–405. Springer, Berlin/Heidelberg (2008)
Boxall, J., El Mrabet, N., Laguillaumie, F., Le, D.-P.: A variant of Miller’s formula and algorithm. In: Proceedings of the 4th International Conference on Pairing-Based Cryptography, Pairing’10, Springer, Berlin, Heidelberg, pp. 417–434 (2010)
Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. In: CRYPTO ’01: Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, pp. 213–229. Springer, Heidelberg (2001)
Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M.: Efficient algorithms for pairing-based cryptosystems. In: CRYPTO ’02: Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology. Springer, London, UK, pp. 354–368 (2002)
Barreto, P.S., Galbraith, S.D., Héigeartaigh, C.Ó., Scott, M.: Efficient pairing computation on supersingular abelian varieties. Des. Codes Cryptogr. 42(3), 239–271 (2007)
Bernstein, D.J., Lange, T.: Faster addition and doubling on elliptic curves. In: Proceedings of the Advances in Cryptology 13th International Conference on Theory and Application of Cryptology and Information Security. ASIACRYPT’07, pp. 29–50. Springer, Berlin, Heidelberg (2007)
Bernstein, D.J., Lange, T.: Inverted Edwards coordinates. In: Proceedings of the 17th International Conference on Applied Algebra, Algebraic Algorithms and Error-Correcting Codes. AAECC’07, pp. 20–27. Springer, Berlin, Heidelberg (2007)
Bernstein, D.J., Lange, T.: A complete set of addition laws for incomplete Edwards curves. J. Number Theory 131(5), 858–872 (2011)
Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Proceedings of SAC 2005. Volume 3897 of LNCS, pp. 319–331. Springer, Heidelberg (2005)
Blake, I.F., Murty, V.K., Xu, G.: Refinements of Miller’s algorithm for computing the Weil/Tate pairing. J. Algorithms 58(2), 134–149 (2006)
Costello, C., Lange, T., Naehrig, M.: Faster pairing computations on curves with high-degree twists. In: Nguyen, P., Pointcheval, D. (eds.) Public Key Cryptography—PKC 2010 Volume 6056 of Lecture Notes in Computer Science, pp. 224–242. Springer, Berlin/Heidelberg (2010)
Das, M.P., Sarkar, P.: Pairing computation on twisted Edwards form elliptic curves. In: Proceedings of the 2nd International Conference on Pairing-Based Cryptography, pp. 192–210. Pairing ’08. Springer, Berlin, Heidelberg (2008)
Hess, F.: Pairing lattices. In: Proceedings of the 2nd International Conference on Pairing-Based Cryptography. Pairing ’08, pp. 18–38. Springer, Berlin, Heidelberg (2008)
Hess, F., Smart, N.P., Vercauteren, F.: The Eta pairing revisited. IEEE Trans. Inf. Theory 52, 4595–4602 (2006)
Hisil, H., Wong, K.K.-H., Carter, G., Dawson, E.: Twisted Edwards curves revisited. In: Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology. ASIACRYPT ’08, pp. 326–343. Springer, Berlin, Heidelberg (2008)
Ionica, S., Joux, A.: Another approach to pairing computation in Edwards coordinates. In: Progress in Cryptology—INDOCRYPT 2008. Lecture Notes in Computer Science, vol. 5365, pp. 400–413. Springer, Berlin/Heidelberg (2008)
Joux, A.: A one round protocol for tripartite Diffie-Hellman. In: ANTS-IV: Proceedings of the 4th International Symposium on Algorithmic Number Theory, pp. 385–394. Springer, Berlin (2000)
Le, D.-P., Liu, C.-L.: Refinements of Miller’s algorithm over Weierstrass curves revisited. Comput. J. 54(10), 1582–1591 (2011)
Le, D.-P., Tan, C.H.: Improved Miller’s algorithm for computing pairings on Edwards curves. IEEE Trans. Comput. 63(10), 2626–2632 (2014)
Miller, V.S.: Short programs for functions on curves. IBM Thomas J. Watson Research Center, New York (1986)
Miller, V.S.: The Weil pairing, and its efficient calculation. J. Cryptol. 17(4), 235–261 (2004)
Vercauteren, F.: Optimal pairings. IEEE Trans. Inf. Theory 56(1), 455–461 (2010)
Xu, L., Lin, D.: Refinement of Miller’s algorithm over Edwards curves. In: Pieprzyk, J. (ed.) CT-RSA. Lecture Notes in Computer Science, vol. 5985, pp. 106–118. Springer, Berlin (2010)
Cite this article
Le, DP., Tan, C.H. Further refinements of Miller’s algorithm on Edwards curves. AAECC 27, 205–217 (2016). https://doi.org/10.1007/s00200-015-0278-z