Multibase scalar multiplications in cryptographic pairings

Abstract

The efficient computation of the Tate pairing is crucial for various cryptographic applications. In the computation the Tate pairing, two types of costs should be considered: that of scalar multiplication and the evaluations of Miller’s line functions for elliptic curves. In this paper we optimize the calculation of \((f_{2j\pm 1}(Q),[2j\pm 1]P)\), \((f_{3j}(Q),[3]P)\), \((f_{3j\pm 1}(Q),[3j\pm 1]P)\) given the points P and Q in an elliptic curve, to improve the efficiency of the Tate pairing, when using the representation of the scalar n in NAF, in signed ternary base, and in double-base chain. Finally we compare their computational costs. In the case of a double-base chain, a general comparison is not simple, so we consider a few examples.

Appendix: Other representations of \(f_{2j\pm k}\), \(f_{3j}\) and \(f_{3j\pm k}\)

Using the technique of Eisenträger et al. [11] and Lemmas 1 and 2, we can present other representations for \(f_{2j\pm k}\), \(f_{3j}\) and \(f_{3j\pm k}\), from which the proof is straightforward. The computational cost of these functions is higher than the cost for the functions in Theorem 1 (see Table 7).

Lemma 3

Other representations of \(f_{2j\pm k}\):

$$\begin{aligned} f_{2j+k}= & {} f_{(j+j)+k}=f_j^2f_k\cdot \left( \dfrac{\ell _{jP,jP}\cdot \ell _{kP}}{\ell _{-2jP,-kP}}\right) . \end{aligned}$$

(7.1a)

$$\begin{aligned} f_{2j+k}= & {} f_{(j+k)+j}=f_j^2f_k\cdot \left( \dfrac{\ell _{jP,kP}\cdot \ell _{jP}}{\ell _{-jP,-(j+k)P}}\right) . \end{aligned}$$

(7.1b)

$$\begin{aligned} f_{2j-k}= & {} f_{(j-k)+j}=\dfrac{f_j^2}{f_k}\cdot \left( \dfrac{\mathscr {P}_{jP,-kP,(j-k)P}}{\ell _{kP}\cdot \ell _{(2j-k)P}}\right) . \end{aligned}$$

(7.1c)

$$\begin{aligned} f_{2j-k}= & {} f_{(j-k)+j}=\dfrac{f_j^2}{f_k}\cdot \left( \dfrac{\ell _{jP}}{\ell _{-jP,kP}}\cdot \dfrac{\ell _{(j-k)P,jP}}{\ell _{(2j-k)P}}\right) . \end{aligned}$$

(7.1d)

Lemma 4

Other representations of \(f_{3j}\), \(f_{3j\pm k}\):

$$\begin{aligned} f_{3j}= & {} f_{2j+j}=f_{2j}f_j\cdot \left( \dfrac{\ell _{2jP,jP}}{\ell _{3jP}}\right) =f_j^3\cdot \left( \dfrac{\ell _{jP,jP}\cdot \ell _{jP}}{\ell _{-2jP,-jP}}\right) . \end{aligned}$$

(7.2a)

$$\begin{aligned} f_{3j+k}= & {} f_{(3j)+k}=f_j^3f_k\cdot \left( \frac{\mathscr {P}_{jP,jP,2jP}\cdot \ell _{kP}}{\ell _{-kP,-3jP}}\right) . \end{aligned}$$

(7.2b)

$$\begin{aligned} f_{3j+k}= & {} f_{2j+(j+k)}=f_j^3f_k\cdot \left( \dfrac{\mathscr {P}_{jP,(j+k)P,(2j+k)P}\cdot \ell _{jP,kP}}{\ell _{(j+k)P}\cdot \ell _{(3j+k)P}}\right) . \end{aligned}$$

(7.2c)

$$\begin{aligned} f_{3j+k}= & {} f_{(j+k)+(2j)}=f_j^3f_k\cdot \left( \dfrac{\ell _{jP,kP}\cdot \ell _{jP,jP}}{\ell _{-(j+k)P,-2jP}}\right) . \end{aligned}$$

(7.2d)

$$\begin{aligned} f_{3j-k}= & {} f_{(2j-k)+j}=\dfrac{f_j^3}{f_k}\cdot \left( \dfrac{\ell _{jP,jP}\cdot \ell _{jP,(2j-k)P}}{\ell _{-2jP,kP}\cdot \ell _{(3j-k)P}}\right) . \end{aligned}$$

(7.2e)

$$\begin{aligned} f_{3j-k}= & {} f_{2j+(j-k)}=\dfrac{f_j^3}{f_k}\cdot \left( \dfrac{\mathscr {P}_{jP,(j-k)P,(2j-k)P}\cdot \ell _{jP}}{\ell _{-jP,kP}\cdot \ell _{(3j-k)P}}\right) . \end{aligned}$$

(7.2f)

$$\begin{aligned} f_{3j-k}= & {} f_{(j-k)+(2j)}=\dfrac{f_j^3}{f_k}\cdot \left( \dfrac{\ell _{jP,-kP}\cdot \ell _{jP,jP}}{\ell _{kP}\cdot \ell _{-(j-k)P,-2jP}}\right) . \end{aligned}$$

(7.2g)

Table 7 Computational cost using the functions of Lemmas 3 and 4 (\(jP=Z\) and \(k=1\))