Efficient Pairings on Twisted Elliptic Curve

This paper proposes an efficient implementation of Ate pairing on twisted elliptic curve. Suppose that a pairing-friendly elliptic curve E has a twisted elliptic curve E' of degree d, and let psi<sub>d</sub> be an isomorphic map from E'(F<sub>pc</sub>) to the corresponding subgroup of E(F<sub>pk</sub>). Then,consider G'<sub>1</sub>= psi<sub>d</sub> <sup>-1</sup>(G<sub>1</sub>) and G'<sub>2</sub> = psi<sub>d</sub> <sup>-1</sup>(G<sub>2</sub>) for G<sub>1</sub>,G<sub>2</sub> at Ate pairing alpha. Let P isin G<sub>1</sub>, Q isin ,G<sub>2</sub>, P' isin G'<sub>1</sub> and Q' isin G'<sub>2</sub>, the authors have shown alpha(Q, P) = f<sub>t-1,Q</sub>(P) <sup>(</sup>p<sup>K</sup> <sup>-1)/r</sup> = f<sub>t-1,Q'</sub>(P') <sup>(</sup>p<sup>K</sup> <sup>-1)/r</sup> .This paper shows that this new Ate pairing, namely cross twisted (Xt) Ate pairing, provides an quite efficient implementation.


Introduction
Recently, pairing-based cryptographic applications such as ID-based cryptography [1] and group signature authentication [2] have received much attentions.In order to make these applications practical, pairing calculation needs to be efficiently carried out.For this purpose, several efficient pairings such as Tate [3], Ate [4], twisted Ate [5], and subfield-twisted Ate [6], [8] have been proposed.Consider an elliptic curve E : y 2 = x 3 + ax + b, a, b, ∈ F p and let its order #E(F p ) be a prime number r for simplicity.Then, let the embedding degree be k, r divides p k − 1 but not divide p i − 1, 1 ≤ i < k.Moreover, r 2 divides #E(F p k ) and thus pairing is considered on r-torsion group of E(F p k ).
Tate, Ate, and twisted Ate pairings can be roughly classified by the inputs for Miller's algorithm [4].In general, as the inputs, Miller's algorithm needs two rational points and the number of calculation loops.Tate pairing τ (•, •) uses rational points P ∈ E(F p ) and Q ∈ E(F p k )/rE(F p k ), and the number of loops of Miller's algorithm is log 2 r .Tate pairing mainly uses P for elliptic curve additions and line calculations in the loops.Q is used only for assignment calculations.The output of Miller's algorithm is denoted by f r,P (Q).Ate pairing α(•, •) uses rational points P ∈ E(F p ) and Q ∈ E[r] ∩ Ker(φ − [p]), but the number of loops is log 2 (t − 1) , where φ is Frobenius map for rational point, E[r] is the subgroup of rational points of order r, and t is the Frobenius trace of E(F p ), that is #E(F p ) = r = p + 1 − t.
The number of loops is about half of that of Tate pairing; however, Ate pairing mainly uses Q elliptic curve additions and line calculations in the loops.The output of Miller's algorithm is denoted by f t−1,Q (P ) and thus plain Ate pairing is slower than Tate pairing.
In the case that the embedding degree k is equal to 2e, 3e, 4e, 6e, where e is a positive integer, it is known that an isomorphic map exists between a certain subgroup of E(F p k ) and subfield-twisted curve E (F p e ).Let E : y 2 = x 3 + b, b ∈ F p be Barreto-Naehrig curve whose embedding degree is 12, Devegili et al. [6] accelerated Ate pairing by using subfield-twisted BN curve E (F p 2 ) and OEF (optimal extension field) technique [7], where the twisted BN curve is given by E : y 2 = x 3 + bv −1 and v is a quadratic and cubic non residue in subfield F p 2 .Denoting the isomorphic map from E (F p 2 ) to the corresponding subgroup of E(F p 12 ) by ψ 6 , it calculates )) for which subfield-twisted curve E (F p 2 ) and Q are efficiently used.In this case, since the twist degree d = k/e is 6, it is called sextic twist.
In this paper, first let us suppose where E is a pairing-friendly curve of embedding degree k = 2e, 3e, 4e, 6e.Let E be degree d = k/e twisted curve over F p e .Then, one can consider an isomorphic map between namely cross twisted (Xt) Ate pairing.Compared to plain Ate pairing and the previous work [6], Xt-Ate pairing can substantially use arithmetic operations in subfield F p e , thus it leads to quite efficient implementation of Ate pairing.After that, this paper shows a simulation result by using BN curve and sextic twist.When order r is a 254-bit prime number, it is shown that Xt-Ate pairing with BN curve is carried out within 14.0 milli-seconds for which the authors uses Pentium4 (3.6GHz), C language, and GNU MP library [9].Compared to the previous subfield-twisted Ate pairing [6], Xt-Ate pairing made the algorithmic implementation and cost evaluation much clearer.
Throughout this paper, p and k denote characteristic and embedding degree, respectively.F p k denotes k-th extension field over F p and F * p k denotes the multiplicative group in F p k .X | Y and X Y mean that X divides and does not divide Y , respectively.

Fundamentals
In this section, let us briefly go over some fundamentals of elliptic curve, twist technique, Ate pairing, and Miller's algorithm.

Elliptic Curve
Let F p be prime field and E be an elliptic curve over F p defined as (3) where t is the Frobenius trace of E(F p ).

Twist Technique
When embedding degree k is equal to 2e, where e is a positive integer, from Eq.(3) the following quadratictwisted elliptic curve E is given.
where v is a quadratic non residue in F p e .Then, between E (F p e ) and E(F p 2e ), the following isomorphism is given.
In this case, E is called quadratic-twisted curve.
In the same, when embedding degree k satisfies the following conditions, we can respectively consider the twisted curves.
• k = 3e (cubic twist) where v is a cubic non residue in F p e and 3 | (p − 1).
• k = 4e (quatic twist) where v is a quadratic non residue in F p e and 4 | (p − 1).
• k = 6e (sextic twist) where v is a quadratic and cubic non residue in F p e and 3 | (p − 1).
When one uses Barreto-Naehrig curve that is a class of pairing-friendly curve, one can apply any quadratic, cubic, quatic, or sextic twist because its embedding degree is equal to 12.As described in the following sections, sextic twist is the most efficient for pairing calculation.
Eqs.( 6), (7c), (8c), and (9c) are summarized as Thus, when twist degree d is even, x-coordinate xv 2/d belongs to proper subfield In addition, when d = 2 or 4, the coefficient of x of the twisted curve E can be written as av −4/d .

Ate Pairing
Letting P ∈ G 1 and Q ∈ G 2 , Ate pairing α is defined as a bilinear map: where G 1 and G 2 are denoted by E[r] denotes a subgroup of order r in E(F p k ) and [i] denotes i times scalar multiplication for a rational point.φ denotes Frobenius endomorphism, ı.e., where x and y are x-coordinate and y-coordinate of a rational point, respectively.In general, A = f t−1,Q (P ) is calculated by Miller's algorithm [3] and then so-called final exponentiation A (p k −1)/r follows.

Miller's Algorithm
Several improvements for Miller's algorithm have been given.Barreto T ← T + T 6. if end if 10. end for 11. return f Table 1.notations in Algorithm 1 s i : i-th bit of s from the lowest bit.l T,T : the tangent line at T .l T,Q : the line passing through T and Q. l 2T,O : the vertical line passing through 2T .l T +Q,O : the vertical line passing through T + Q.
As shown in the algorithm, elliptic curve addition and doubling that use rational points in E(F p k ) needs arithmetic operations in F p k .If it has subfield-twisted curve such as Eq.( 5), it can be efficiently reduced to subfield arithmetic operations by isomorphic maps such as Eq.( 6).Thus, twist degree d is preferred to be large such as 6, that is sextic twist.When the d is even number, the denominator calculations in Algorithm 1 can be ignored.

Main Proposal
In this section, a new fast pairing, namely cross twisted (Xt-) Ate pairing, is proposed.

Xt-Ate Pairing
Supposing that the pairing-friendly curve E has a degree d = k/e twist and E be a d-th twisted curve such as Eq.( 5).From the discussion in Sec.2.3, Ate pairing α is given as On the ohter hand, Xt-Ate pairing is proposed as where P is a point of Here, it is most importatnt thisng that the next equation is hold, The main feature of Xt-Ate pairing is that the isomorphic map ψ −1 d is to P as P = ψ −1 d (P ).In other words, Thus, the authors named it cross twisted (Xt-) Ate pairing.Fig. 1 shows the key map of Xt-Ate pairing with G 1 and G 2 .In spite of the inputted points P and Q on the twisted curvce, the miller loop s is given by t − 1, where t is the trace of E(F p ).The following three lemmas lead to Eq.( 16).
, the slopes λ T,T and λ T,Q are written as Thus, regardless of whether or not T = Q, we have Then, we have Since v ∈ F p e , the following equation holds.
Therefore, according to Lemma 1, v 3/d of Eq.( 24) becomes 1 at final exponentiation of Xt-Ate pairing.Thus, this lemma is shown.
P roof.Since the following equation holds, noting v ∈ F p e , we have Therefore, according to Lemma 1, v 2/d of Eq.( 27) becomes 1 at final exponentiation of Xt-Ate pairing.Thus, this lemma is shown.
is calculated with l T,T (P ), l T,Q (P ), and l T,O (P ).Therefore, according to Lemma 2 and Lemma 3, Eq.( 16) is shown.

Calculation Procedure
Suppose the following d-th twisted curve E over F p e .E : Xt-Ate pairing is computed by Algorithm 2.
Algorithm 2 : Xt-Ate pairing Input : T ← T + T 6. if end if 10. end for 11.f ← f (p k −1)/r 12. return f In practice, the main routine (Step 4&5 in Algorithm 2) and the sub routine (Step 7&8 in Algorithm 2) are computed as follows.First, compute Regardless of whether or not T = Q , we have and the next line calculations are computed as Every calculation excluding the one multiplication shown in Eq.(32a) are carried out in subfield F p e .Thus, most of this algorithm is effciently carried out by subfield arithmetic opearations in F p e .Note that the Eq.(32a) needs the multiplication between elements in F p e and F p k/ gcd(d,2) .When the twist degree d is even number, it has a little advantage.Of course, when the d is even, as previously introduced, the calculation of Eq.(32b) can be ignored.
The main rutine and the sub routine of Xt-Ate pairing can be written as the following algorithms.

Cost Evaluation
We evaluate the calculation cost of Xt-Ate pairing.In order to simplify the cost evaluation, we only take the cal- culation costs for multiplication, squaring, and inversion in finite field into account.Notations in Table 2 are used.

Table 2. Notations for cost evaluation
M i , S i , I i : the calculation costs of a multiplication, squaring, and inversion in F p i , respectively.M i,j : the calculation cost of a multiplication between two elements in F p i and F p j ,where i divides j.Hw(s) : the Hamming weight of s.
Let the calculation costs of main routine and sub routine in Algorithm 2 be TMAIN and TSUB, respectively.When the number of the calculation loops of Miller's algorithm is log 2 s , Xt-Ate pairing excluding the final exponentiation needs the following cost.Following the cost evaluation manner of [5], [4], M 2 i 3 j e be 3 i 5 j M e , M i,j = (j/i)M i , and S i = M i for simplicity.
Then, we have Table 3.This section shows the efficiency of Xt-Ate pairing.

Comparison of Pairings
Table 5 shows the comparison of the input parameters of Miller's algorithm between various pairings.
Consider the inputs for Miller's algorithm calculating f s,A (B) with s, A, and B. In detail, the number of calculation loops of Miller's algorithm is given by log 2 s , the

Table 5. Input parameters of f s,A (B)
point A is used for a lot of calculations, and the point B has little effect on the efficiency.Therefore, plain Tate pairing uses A ∈ E(F p ). Twisted Ate pairing [5] uses (t − 1) k/d (mod r) as s.For cyclotomic families such as Barreto-Naehrig curve, (t − 1) e (mod r) is smaller than t − 1 in general.Thus, twisted Ate pairing is more efficient than plain Tate pairing.Ate pairing made the number of the calculation loops of Miller's algorithm, that is t − 1, smaller than that of Tate pairing but it uses A ∈ E(F p k ).Thus, plain Ate pairing is not superior to Tate pairing.However, Ate pairing generally uses Xt-Ate pairing is more efficient than the Ate pairing.It uses , where G 1 ⊆ E(F p ). Xt-Ate pairing does not calculates l T,Q (P ) by eq.( 37) and it calculates l T ,Q (P ) by eq.(32a) for Miller's algorithm since every calculation is carried out over twisted curve E .
It is noted that Xt-Ate pairing uses G 2 and G 1 ; however, for pairing-based cryptographic applications such that a lot of scalar multiplications are needed, G 1 ⊆ E(F p ) and G 2 should be used for them.Appropriately using isomorphic map ψ d and ψ −1 d , not only Xt-Ate pairing but also scalar multiplications will be efficiently carried out.
As the most recent works, Vercauteren [10], Lee et al. [11], and the authors [12] have proposed efficient Ate pairings, namely optimal pairing, R-Ate pairing, Xate pairing, respectively.They have reduced the number of the calculation loops of Miller's algorithm less than t − 1.For their works, cross-twist technique can be efficiently applied.

Xt-Ate pairing for BN curve
In order to show the efficiency of Xt-Ate pairing, this subsection considers Barreto-Naehrig (BN) curve [13] of 254-bit prime order with k = 12 and d = 6.Since sextic twist is efficiently applied, embedding degree 12 is one of the most competitive research targets.As a typical feature of BN curve, characteristic p, order r, and Frobenius trace t are given by using an integer variable χ as For BN curve, Devegili et al. [6] proposed an improved Ate pairing whose Miller's algorithm calculates elliptic curve operations of G 2 ∈ E (F p 2 ).Then, G 2 is isomorphic to G 2 with ψ 6 defined by Eq.(9c), for every loop of Miller's algorithm, it needs to calculate l T,Q (P ) as follows: (37) This calculation needs 3 times F p multiplications.On the other hand, Xt-Ate pairing needs 9 times F p mutiplications to calculate l T ,Q (P ).Thus, in this view point, Devegili et.al. work is more efficient than Xt-Ate pairing.
Though the Devegili et.al. work restricts the parameters of pairing friendly curve.As also introduced in [6], [14], [15], χ of small Hamming weight is efficient for not only Miller's algorithm but also final exponentiation.Table 6 shows all χ's of Hamming weight 3 that gives 254bit prime order BN curve.Note that, in this case, there are no χ's of Hamming weight 2 such that order r becomes 254-bit prime number.

Simulation
This section shows a simulation result of Xt-Ate pairing.

Parameters of pairing-friendly curve
In this simulation, the authors used the following χ and BN curve, then r = #E(F p ) becomes 254-bit prime number and the order of F p 12 becomes 3048-bit number.

Representation of extension field
This simulation First, the authors prepared F p 4 with type-1, 4 Gauss period normal basis (GNB) [3] and also F p 3 with type-2, 3 GNB.Then, the authors prepared F p 12 as tower field F (p 4 ) 3 by towering 2, 3 GNB over F p 4 [16].For multiplication with GNB, the authors implemented our previous work cyclic vector multiplication algorithm (CVMA) [17].For example, CVMA calculates a multiplication in F (p m ) n by For inversions in extension field and prime field, the authors implemented Itoh-Tsujii inversion algorithm [18] and binary extended Euclidean algorithm [19], respectively.Since GNB is normal basis, one can easily prepare arithmetic operations in subfields F p 2 , F p 4 , F (p 2 ) 3 .Table 7 shows the timing of each operation.

Final Exponentiation
Using several Frobenius mappings, the final exponentiation is carried out as Algorithm 3 [6], where we note that the exponent (p 12 − 1)/r is factorized as f p i 's shown in Algorithm 3 are given by Frobenius mappings.In the case of BN curve of embedding degree 12, referring to [6], final exponentiation is carried out by Algorithm 3. Note that Frobenius maps such as f p i in Algorithm 3 do not need any arithmetic operations because GNB is normal basis.Algorithm 3 : Final exponentiation Input : f given by f t−1,Q (P ), χ, p Output : From Algorithm 3, it is found that the exponentiations of χ and χ 2 needs hard exponentiations such as binary method (square and multiply method).The calculation cost of an exponentiation closely depends on the binary representation of the exponent.

Simulation Result
Table 8 shows the simulation result.Xt-Ate pairing of 254-bit and 3048-bit security levels is carried out within 14.0 milli-seconds.Thus, it is shown that cross twist technique is quite efficient for Ate pairing.The authors simulated Xt-Ate pairing using Eq.( 38) with the computational environment Table 9.

2
and P ∈ G 1 , this paper proposed a new Ate pairing that calculatesα(Q , P ) = f t−1,Q (P ) (p k −1)/r , (45)namely cross twisted (Xt) Ate pairing.Compared to plain Ate pairing and Devegili's work, Xt-Ate pairing could substantially use arithmetic operations in subfield F p e , thus it lead to quite efficient implementation of Ate pairing.Then, this paper showed a simulation result by using BN curve and sextic twist.When order r was a 254-bit prime number, it was shown that Xt-Ate pairing with BN curve was carried out within 14.0 milli-seconds for which the authors used Pentium4 (3.6GHz), C language, GNU MP library.
is a set of rational points on the curve, including the infinity point O, forms an additive Abelien group.Let #E(F p ) be its order, consider a large prime r that divides #E(F p ).The smallest positive integer k such that r divides p k − 1 is especially called embedding degree.One can consider pairings such as Tate and Ate pairings over E(F p k ).#E(F p ) is usually given as et al. proposed BKLS algorithm.Algorithm 1 shows the calculation flow of the BKLS algorithm for f s,Q (P ).It consists of functions shown in Table 1.In this algorithm, main computation part is Step 4, Step 5, Step 7 and Step 8.In this paper, let Step 4 and Step5 be main routine, and let Step 7 and Step 8 be sub routine.In the case of Ate pairing, P (x P , y P

Table 3 . Calculation costs of TMAIN and TSUB for Xt-Ate pairing
5e = 15M e , and roughly I i = 7M i , thus we have Table4.
e + I e 18M e + I e Supposing that Hw(s) ≈ log 2 s /2, M

Table 8 . Timings of operations with 254-bit prime order BN curve
† with 254-bit random scalars/exponents.‡ Projective coordinate is used.