A Construction of a Twisted Ate Pairing on a Family of
Kawazoe-Takahashi Curves at 192-bit Security Level and
Its Cost Estimate
Masahiro Ishii (1), Atsuo Inomata (2) and Kazutoshi Fujikawa (2)
(1) Nara Institute of Science and Technology, 8916-5 Takayama, Ikoma, NARA, 630-0192, Japan
(2) Information Initiative Center, Nara Institute of Science and Technology, 8916-5 Takayama, Ikoma, NARA, 630-0192, Japan
Keywords: Twisted Ate Pairings, Optimal Pairings, Hyperelliptic Curves, Final Exponentiation.
Abstract: Recently, there were major breakthroughs in computing DL in finite fields of small characteristic; as a result, the symmetric pairings which are defined by using such finite fields became unsuitable for cryptography. This research aims to reveal a more efficient construction of pairings on hyperelliptic curves of genus 2. To begin with, we focus on the ordinary genus 2 curves and the optimal pairing algorithms at the high (192-bit) security level on such curves. In this paper, we show the method to construct optimal pairings over the family of pairing-friendly curves of genus 2 by Kawazoe and Takahashi and offer a twisted version of the Ate pairing. We then provide cost estimates to compare with the results for pairings on elliptic curves at the same security level.
1 INTRODUCTION
Pairings on hyperelliptic curves (including elliptic curves) have been applied to many cryptographic schemes (functional encryption and its varieties), and various optimization methods that speed up the pairing algorithms and the underlying curve arithmetic have been exploited.
Recently, major theoretical and practical breakthroughs in computing discrete logarithms in finite fields of small characteristic, and also in other fields, have been made (Barbulescu et al., 2014; Barbulescu et al., 2015). As a result, the type 1 (symmetric) pairings have been almost dead, since these pairings are defined on supersingular curves of high embedding degree over finite fields of small characteristic in order to use their distortion maps. We should also raise the security level of pairings in view of the complexity of the discrete logarithm algorithms in other finite fields. Since type 1 pairings are still useful for constructing some cryptographic protocols, some authors offered type 1 pairings on curves not defined over finite fields of small characteristic, in the elliptic case (Teruya et al., 2014; Zhang and Wang, 2014) and in the genus 2 case (Galbraith et al., 2008). Their pairings, however, are not suitable for situations that require a high security level because of their small embedding degree.
Aranha et al. (Aranha et al., 2013) showed optimal asymmetric pairings on Kachisa-Schaefer-Scott (KSS), Barreto-Naehrig (BN), and Barreto-Lynn-Scott (BLS) elliptic curves at the 192-bit security level, together with their cost estimates and implementation results. They constructed the optimal (ate) pairings and the Weil type ones (Hess, 2008; Vercauteren, 2010) on each elliptic curve family. The BLS pairing is the most efficient, and the result of their serial implementation of BLS pairings is more than 3 times faster than the result of (Scott, 2011).
In this paper, we focus on the ordinary hyperelliptic curves of genus 2 at a high, i.e. 192-bit, security level. We show the method to construct the optimal pairing and its twisted version over the family of pairing-friendly curves of genus 2 by Kawazoe and Takahashi (Kawazoe and Takahashi, 2008). We show that a twisted Ate pairing is the most efficient and describe cost estimates in detail. In particular, we clarify the cost of the final exponentiation where the embedding degree is $k = 16$.
The aim of this research is to eventually reveal an efficient construction of pairings on hyperelliptic curves of genus 2. This research on more efficient pairings on genus 2 curves is in progress, and the pairing shown in this paper is not faster than the state-of-the-art elliptic pairing.
The remainder of this paper is organized as follows. We recall background on several pairings on hyperelliptic curves in section 2. Section 3 describes the method of constructing Kawazoe-Takahashi curves and the curve parameter we used to evaluate the pairing in practice. We show how to construct optimal pairings derived from Hess (Hess, 2008) and Vercauteren (Vercauteren, 2010) on the curve, and its twisted version, in section 4; after that the cost estimates and their comparison are described in section 5. Finally, we present conclusions and suggestions for future work in section 6.
Ishii, M., Inomata, A. and Fujikawa, K.
A Construction of a Twisted Ate Pairing on a Family of Kawazoe-Takahashi Curves at 192-bit Security Level and Its Cost Estimate.
DOI: 10.5220/0005742304320439
In Proceedings of the 2nd International Conference on Information Systems Security and Privacy (ICISSP 2016), pages 432-439
ISBN: 978-989-758-167-0
Copyright © 2016 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved
2 PRELIMINARY
In this section, we describe the pairings on hyperelliptic curves, especially the Hess-Vercauteren (HV) pairings (Balakrishnan et al., 2009) given by Hess (Hess, 2008) and Vercauteren (Vercauteren, 2010) as a general framework for pairings on Frobenius eigenspaces.
Let $C$ be a hyperelliptic curve defined over $\mathbb{F}_q$ and let $\mathrm{Jac}_C$ ($\simeq \mathrm{Pic}^0_C$) denote the Jacobian of $C$. Let $r$ be a positive integer and suppose that $\mathbb{F}_{q^k}$ is an extension field of $\mathbb{F}_q$ such that $r \mid (q^k - 1)$ and $\mathrm{Jac}_C(\mathbb{F}_{q^k})$ contains no elements of order $r^2$. The smallest integer $k$ for which the above condition holds is called the embedding degree of $\mathrm{Jac}_C$ with respect to $r$. For a divisor class $D \in \mathrm{Jac}_C(\mathbb{F}_{q^k})[r]$, $f_{r,D}$ denotes a rational function associated with the principal divisor $rD$. Let $E = \sum_P n_P P$ be a divisor class disjoint from $D$. Then we call $T_r$ the modified Tate-Lichtenbaum pairing, defined as follows:
$$T_r : \mathrm{Jac}_C(\mathbb{F}_{q^k})[r] \times \mathrm{Jac}_C(\mathbb{F}_{q^k})[r] \to \mu_r \subset \mathbb{F}_{q^k}^{*},$$
$$(D, E) \mapsto f_{r,D}(E) = \left( \prod_P f_{r,D}(P)^{n_P} \right)^{(q^k-1)/r}.$$
The map $T_r$ is bilinear and non-degenerate, and the value of $T_r$ is independent of the representation of the divisor classes.
By limiting the domains of pairings to eigenspaces of the Frobenius map, more efficient pairings with a shorter Miller loop were obtained, called Ate pairings (Granger et al., 2007) and twisted Ate pairings (Zhang, 2010). These pairings are special cases of HV pairings.
Let $\pi$ be the $q$-th Frobenius map. We take $G_1$ and $G_2$, which are subgroups of $\mathrm{Jac}_C(\mathbb{F}_{q^k})$, as follows:
$$G_1 := \mathrm{Jac}_C(\mathbb{F}_{q^k})[r] \cap \ker(\pi - [1]),$$
$$G_2 := \mathrm{Jac}_C(\mathbb{F}_{q^k})[r] \cap \ker(\pi - [q]).$$
We consider $h(x) = \sum_{i=0}^{n} h_i x^i \in \mathbb{Z}[x]$ such that $h(x) \equiv 0 \pmod{r}$ and the generalized Miller function $f_{s,h,D}$ ($D \in \mathrm{Jac}_C(\mathbb{F}_{q^k})[r]$), which is any function with divisor $\sum_{i=0}^{n} h_i \rho(s^i D)$, where $\rho(D)$ is the reduced divisor which is equivalent to $D$. Let $s \equiv q^j \pmod{r}$ for some $j \in \mathbb{Z}$. We then obtain the bilinear pairing (HV pairing) (Balakrishnan et al., 2009, Theorem 4.1)
$$a_{s,h} : G_2 \times G_1 \to \mu_r, \qquad (D_2, D_1) \mapsto f_{s,h,D_2}(D_1)^{(q^k-1)/r},$$
satisfying
$$a_{s,h}(D_2, D_1) = T_r(D_2, D_1)^{h(s)/r}.$$
$a_{s,h}$ is non-degenerate if and only if $h(s) \not\equiv 0 \pmod{r^2}$.
If $C$ has a twist $C^t$ of degree $d$, i.e., $d$ is the minimal integer such that there exists an isomorphism $\phi : C^t \to C$ over $\mathbb{F}_{q^d}$, a twisted version of the HV pairing exists (Balakrishnan et al., 2009, Remark 4.4). We suppose that $\gcd(k, \#\mathrm{Aut}(C)) \neq 1$; then
$$a^{\mathrm{twist}}_{s,h} : G_1 \times G_2 \to \mu_r$$
is also a bilinear and non-degenerate (under the same condition as for HV pairings) pairing (Hess, 2008, Theorem 1).
In the twisted case, we remark that the automorphism $[\xi]\pi^{k/m}$ plays an important role, where $m = \gcd(k, d)$ and $[\xi] \in \mathrm{Aut}(C)$ is defined by the twist (see (Zhang, 2010)). This map acts on $G_1$ as $[q^m]$ and acts on $G_2$ as $[1]$, therefore we can reverse the roles of $G_1$ and $G_2$ in HV pairings.
3 KAWAZOE-TAKAHASHI CURVES AND SECURITY LEVEL
Many researchers have exploited pairing-friendly curves of genus 2 (Kawazoe and Takahashi, 2008; Kachisa, 2010; Freeman and Satoh, 2011; Guillevic and Vergnaud, 2013). In this paper, we focus on the Kawazoe-Takahashi curve (Kawazoe and Takahashi, 2008) of embedding degree 16 for an efficient field size at the 192-bit security level. By using the method to construct the cyclotomic family of type I (Kawazoe and Takahashi, 2008, Section 6.1), we can obtain a family of curves
$$C : y^2 = x^5 + ax$$
defined over $\mathbb{F}_p$ such that the parameters $p$ and $r$ (a prime factor of the order of $\mathrm{Jac}_C(\mathbb{F}_p)$) are parametrized by $t \in \mathbb{Z}$ as follows:
$$r(t) = \Phi_{16}(t)/2 = (t^8 + 1)/2,$$
$$p(t) = (1 + 2t + t^2 + 2t^4 + 4t^5 + 2t^6 + t^8 + 2t^9 + t^{10} + 2t^{12} - 4t^{13} + 2t^{14})/8.$$
Therefore, the rho value is $\rho = g \log q / \log r \approx 3.5$ ($q$ is the size of the finite field over which the curve is defined, so now $q = p$) since $p \approx r^{14/8}$.
For the 192-bit security level, we should choose $r$ over $2^{384}$ and $p^k$ over $2^{7936}$ (BlueKrypt, 2012, NIST and ECRYPT II Recommendations). Note that we chose the embedding degree $k = 16$ and the family of curves in Table 1 of (Guillevic and Vergnaud, 2013) on condition that $k$ is of the form $2^i 3^j$ (pairing-friendly field) and the size of $r$ is as close as possible to the appropriate key length $2^{384}$.
To reduce the cost of the pairing we should take a $t$ of low Hamming weight. We can find the following curve by using (Kawazoe and Takahashi, 2008, Theorem 2):
$$C : y^2 = x^5 + 11x,$$
r = 5044072482384476573782993927890\
    7728964465436586245254453311630\
    1265371549743031290473008113404\
    9215268011143297044068561 (392 bits),
p = 8028045195460366401855608810858\
    1087520356536010516694719024006\
    5200170619103295404281314877038\
    0691756335410705811073413334511\
    1951668540846123577019763686758\
    1081351540637127776953763530546\
    24502257207565576569 (685 bits),
t = 562958543356163
  = $2^{49} + 2^{33} + 2^{8} + 2 + 1$ (50 bits),
where $\rho \approx 3.497$.
4 CONSTRUCTION OF THE PAIRING
Here we construct the optimal HV pairing and its twisted version on the Kawazoe-Takahashi curve of embedding degree 16 described in the previous section. First we consider optimal pairings over genus 2 curves, as offered in the elliptic case by (Aranha et al., 2013); then we focus on the twisted version of the pairing in order to reduce the cost of computing the pairing, since the cost of arithmetic on the Jacobian over the extension field becomes extremely high.
4.1 Optimal HV Pairing
According to the optimality conjecture by Vercauteren (Vercauteren, 2010), we can take the total loop length of the Miller function as $(\log_2 r)/\varphi(k)$, where $\varphi$ is Euler's totient function, and this length is optimal. In order to construct optimal HV pairings, we need to choose $h(x) = \sum_{i=0}^{n} h_i x^i \in \mathbb{Z}[x]$ so that the total loop length $\sum_{i=0}^{n} \log_2 h_i$ of $h(x)$ is optimal. Vercauteren showed several optimal HV pairings on elliptic curve families by finding the shortest vectors in a lattice (Vercauteren, 2010). Specifically, for a $\varphi(k)$-dimensional lattice (spanned by the rows)
$$L = \begin{pmatrix} r & 0 & 0 & \cdots & 0 \\ -s \pmod{r} & 1 & 0 & \cdots & 0 \\ -s^2 \pmod{r} & 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ -s^{\varphi(k)-1} \pmod{r} & 0 & 0 & \cdots & 1 \end{pmatrix},$$
he used the function ShortestVectors() or ShortVectors() in Magma (Bosma et al., 1997) for specific input integers, and he found parametrized shortest vectors by interpolating for parametrized $r$ and $s$.
We can obtain the shortest vectors for the HV pairing $a_{p,h}$ on the Kawazoe-Takahashi curve defined in the previous section in the same manner. The parameters $p, r$ should be represented as polynomials over the integer ring, so we substitute $t = 2x + 1$ into $p, r$ and obtain
$$r(x) = 128x^8 + 512x^7 + 896x^6 + 896x^5 + 560x^4 + 224x^3 + 56x^2 + 8x + 1,$$
$$p(x) = 4096x^{14} + 24576x^{13} + 67584x^{12} + 112640x^{11} + 126848x^{10} + 102144x^9 + 61184x^8 + 28544x^7 + 11184x^6 + 4064x^5 + 1432x^4 + 456x^3 + 115x^2 + 20x + 2.$$
Now we can calculate shortest vectors for the lattice $L$ ($s = p$) using Magma, and we obtain the vector
$$V(x) = [2x + 1, 0, 0, 0, 0, 1, 0, 0] = [t, 0, 0, 0, 0, 1, 0, 0],$$
therefore it holds that $2x + 1 + p(x)^5 \equiv 0 \pmod{r(x)}$. We then compute the Miller function, except for the final exponentiation, of the HV pairing $a_{p,h}$ as
$$f_{t+p^5, D_2} = f_{t,D_2} \cdot f_{p^5,D_2} \cdot \frac{c(x,y)}{d(x,y)}$$
where $\frac{c(x,y)}{d(x,y)}$ is a rational function with
$$\mathrm{div}\left(\frac{c(x,y)}{d(x,y)}\right) = [t]D_2 + [p^5]D_2 - [t + p^5]D_2.$$
Now we consider the Frobenius eigenspaces $G_1, G_2$ as the domain of the pairing; it holds that $f_{p^5,D_2} = f_{1,D_2}^{p^5}$ and $f_1$ is constant, therefore we can write
$$a_{p,h}(D_2, D_1) = \left( f_{t,D_2} \cdot \frac{c(x,y)}{d(x,y)} \right)(D_1)^{(q^k-1)/r}.$$
4.2 Twisted Optimal HV Pairing
As described at the beginning of this section, arithmetic on the Jacobian over the extension field ($\mathbb{F}_{p^{16}}$) is very costly, so we consider a twisted version of the HV pairings.
Since $p \equiv 1 \pmod{8}$, $C$ has a twist of degree $d = 8$. Here we consider the twist over $\mathbb{F}_{p^2}$ as follows:
$$C^t : y^2 = x^5 + 11\lambda x,$$
$$\phi : C^t \to C, \qquad (x, y) \mapsto (\lambda^{-1/4} x, \lambda^{-5/8} y)$$
where $\lambda \in \mathbb{F}_{p^2}$ is not an $l$-th power residue in $\mathbb{F}_{p^2}$ for $l \in \{1, 2, 4, 8\}$. So it holds that $C(\mathbb{F}_{p^{16}}) \simeq C^t(\mathbb{F}_{p^{16}})$.
In our case, since $m = \gcd(k, d) = 8$ and $e = k/m = 2$, we can represent $G_2$ as
$$G_2 = \mathrm{Jac}_C(\mathbb{F}_{q^k})[r] \cap \ker([\xi_m]\pi^2 - 1).$$
Therefore, we should search for short vectors for $h(x)$ in which the coefficients of $p^i$ ($i$ odd) are equal to 0, to reduce the Miller function in the same manner as for HV pairings. For a lattice
$$L = \begin{pmatrix} r & 0 & 0 & 0 \\ -p^2 \pmod{r} & 1 & 0 & 0 \\ -p^4 \pmod{r} & 0 & 1 & 0 \\ -p^6 \pmod{r} & 0 & 0 & 1 \end{pmatrix},$$
we can find the vector
$$W(x) = [(2x + 1)^2, 1, 0, 0] = [t^2, 1, 0, 0]$$
by using ShortVectors(), and it holds that $(2x + 1)^2 + p(x)^2 \equiv 0 \pmod{r(x)}$. In this case, the Miller loop length is twice that of the optimal pairing. We could not find essentially shorter vectors such that the coefficients of $p^i$ ($i$ odd) are 0. The twisted HV pairing can be computed as follows:
$$a^{\mathrm{twist}}_{p,h}(D_1, D_2) = \left( f_{t^2,D_1} \cdot \frac{c(x,y)}{d(x,y)} \right)(D_2)^{(q^k-1)/r},$$
where
$$\mathrm{div}\left(\frac{c(x,y)}{d(x,y)}\right) = [t^2]D_1 + [p^2]D_1 - [t^2 + p^2]D_1.$$
4.3 Twisted Ate Pairing
Zhang (Zhang, 2010) proposed the hyperelliptic twisted Ate pairing. Here we confirm that the previous twisted HV pairing corresponds to a twisted Ate pairing. Zhang showed that
$$f_{q^{ei} \bmod r,\, D_1}(D_2)^{(q^k-1)/r}$$
is a bilinear pairing (Zhang, 2010, Theorem 4), where $e$ is the same as above. We want to take the smallest $q^{ei} \pmod{r}$; now it holds that $p^{10} \pmod{r} = t^2$. Therefore, we can compute simply
$$a^{\mathrm{twist}}(D_1, D_2) = f_{t^2,D_1}(D_2)^{(q^k-1)/r},$$
and the most efficient pairing on this curve is the twisted Ate pairing, since it has none of the extra rational function that occurs in the twisted optimal HV pairing in 4.2.
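The relations that Sections 3 and 4 rely on can be checked from $t$ alone. The following Python code is an added example, not code from the paper: it rebuilds $r$ and $p$ from the family polynomials and tests the embedding degree, the twist condition $p \equiv 1 \pmod 8$, the two short-vector congruences, the twisted Ate loop parameter and the non-residue used for the field tower in Section 5. All function names are chosen here for illustration.

```python
# Added example (not from the paper): rebuild r and p from t and check the
# relations that Sections 3 and 4 depend on. Only T is taken from the page.
import math

T = 2**49 + 2**33 + 2**8 + 2 + 1   # t = 562958543356163 (Section 3)
K = 16                             # claimed embedding degree
GENUS = 2


def r_of(t):
    """r(t) = Phi_16(t)/2 = (t^8 + 1)/2; t must be odd."""
    num = t**8 + 1
    if num % 2:
        raise ValueError("t must be odd for r(t) to be an integer")
    return num // 2


def p_of(t):
    """p(t) of the cyclotomic family of type I, as given in Section 3."""
    num = (1 + 2*t + t**2 + 2*t**4 + 4*t**5 + 2*t**6 + t**8
           + 2*t**9 + t**10 + 2*t**12 - 4*t**13 + 2*t**14)
    if num % 8:
        raise ValueError("p(t) is not an integer for this t")
    return num // 8


def mult_order(a, n, bound):
    """Order of a in (Z/nZ)*, or None if it is larger than bound."""
    acc = a % n
    for e in range(1, bound + 1):
        if acc == 1:
            return e
        acc = acc * a % n
    return None


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0."""
    a %= n
    sign = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                sign = -sign
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            sign = -sign
        a %= n
    return sign if n == 1 else 0


def check_parameters(t=T):
    r, p = r_of(t), p_of(t)
    return {
        "r_bits": r.bit_length(),
        "p_bits": p.bit_length(),
        "rho": GENUS * math.log(p) / math.log(r),
        # smallest k with r | p^k - 1
        "embedding_degree": mult_order(p, r, 4 * K),
        # p = 1 (mod 8) is what gives the degree-8 twist in Section 4.2
        "p_mod_8": p % 8,
        # V = [t,0,0,0,0,1,0,0]:  t + p^5 = 0 (mod r)    (Section 4.1)
        "hv_vector": (t + pow(p, 5, r)) % r == 0,
        # W = [t^2,1,0,0]:        t^2 + p^2 = 0 (mod r)  (Section 4.2)
        "twisted_vector": (t * t + pow(p, 2, r)) % r == 0,
        # twisted Ate loop parameter: p^10 mod r = t^2   (Section 4.3)
        "ate_loop": pow(p, 10, r) == t * t,
        # smallest a with Jacobi symbol (a/p) = -1, hence a non-residue
        "first_nonresidue": next(a for a in range(2, 1000)
                                 if jacobi(a, p) == -1),
    }


if __name__ == "__main__":
    for name, value in check_parameters().items():
        print(f"{name:18} {value}")
```

The congruences hold for every odd $t$ in the family because $p(t) \equiv t^5 \pmod{r(t)}$; the bit lengths and the non-residue depend on the specific $t$.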
5 COST ESTIMATES
In this section we provide the cost estimate of the pairing on the Kawazoe-Takahashi curve of embedding degree 16. As described in the previous section, the twisted Ate pairing seems to be the fastest one, so we focus only on this pairing. We have not yet optimally implemented the pairing and the arithmetic on the fields $\mathbb{F}_p$ and $\mathbb{F}_{p^{16}}$, so we show here cost estimates by the number of multiplications in the definition field $\mathbb{F}_p$.
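The extension field $\mathbb{F}_{p^{16}}$ should be constructed as a tower of quadratic extension fields. In our case, we can take 11 as a quadratic nonresidue modulo $p$, and this is the smallest one. We then construct each extension field as follows:
$$\mathbb{F}_{p^2} \simeq \mathbb{F}_p[x]/(x^2 - 11),$$
$$\mathbb{F}_{p^4} \simeq \mathbb{F}_{p^2}[y]/(y^2 - \alpha), \quad (\alpha^2 - 11 = 0),$$
$$\mathbb{F}_{p^8} \simeq \mathbb{F}_{p^4}[z]/(z^2 - \beta), \quad (\beta^2 - \alpha = 0),$$
$$\mathbb{F}_{p^{16}} \simeq \mathbb{F}_{p^8}[s]/(s^2 - \gamma), \quad (\gamma^2 - \beta = 0).$$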
We denote a multiplication and a squaring in $\mathbb{F}_{p^i}$ by $M_i$ and $S_i$, respectively. We also suppose that the cost of a squaring is equal to that of a multiplication in $\mathbb{F}_p$, i.e. $M_1 = S_1$. We assume the Karatsuba method for multiplication in each field, so $M_{16} = 81M_1$. In the first quadratic extension field $\mathbb{F}_{p^2}$, we can perform a squaring
$$(a + bx)^2 = a^2 + 11b^2 + 2abx$$
by computing
$$ab, \qquad (a + b)(a + 11b) - ab - 11ab.$$
It costs 2 multiplications in $\mathbb{F}_p$ and additional additions for computing $11c$ ($c \in \mathbb{F}_p$) (5 additions) and accumulating. We can therefore consider $S_2$ as $2M_1$, and we assume that $S_4 = 6M_4$, $S_8 = 18M_8$ and $S_{16} = 54M_{16}$.
Fan, Gong, and Jao (Fan et al., 2008) proposed to use the twist of the curve and degenerate divisors (Frey and Lange, 2006) in order to apply the denominator elimination technique and reduce the cost of evaluating the rational functions at the second-argument divisors. Their method can be applied to the twisted Ate pairing in our case:
$$f_{t^2,D_1}(\phi(D_2'))^{(q^k-1)/r} \qquad (D_2' = [x - x_t, y_t] \in \mathrm{Jac}_{C^t}(\mathbb{F}_{q^2}))$$
where $\phi(D_2') = [x - \lambda^{-1/4} x_t, \lambda^{-5/8} y_t]$.
5.1 Miller Loop
For the parameter we described in section 3, the Miller loop computation of $f_{t^2,D_1}(D_2)$ requires 96 doublings and 53 additions on the Jacobian. In the general case, we can do arithmetic on the divisor group using affine coordinates by Lange (Lange, 2005), where the cost of a doubling is $I_1 + 5S_1 + 22M_1$ and that of an addition is $I_1 + 3S_1 + 22M_1$. Here we use the explicit formulae and the dedicated coordinate system of (Fan et al., 2009) for $C$. As noted by the authors (Fan et al., 2009, Section 4.6), since $f_2, f_3 = 0$ where $C : y^2 = f(x)$, $f(x) = x^5 + f_3x^3 + f_2x^3 + f_1x + f_0$, a doubling needs $35M_1 + 5S_1$. And we can perform a mixed addition with $36M_1 + 5S_1$.
In Cantor's algorithm and the Miller loop, we need to evaluate the auxiliary rational function by substituting the points associated with $D_2$. The rational function can be obtained as
$$\frac{y - v(x)}{u'(x)}$$
where the degree of $v(x)$ is at most 3. Since the $x$-coordinate of $\phi(D_2')$ is defined in $\mathbb{F}_{p^8}$, we can use denominator elimination, so we need not evaluate $u'(x)$. By using the new coordinate system from (Fan et al., 2009), we should evaluate
$$c_D(x, y) = (\tilde{r} z_{11})y - ((s_1' z_{11})x^3 + l_2x^2 + l_1x + l_0),$$
$$c_A(x, y) = (\tilde{r} z_{21})y - ((s_1' z_{21})x^3 + l_2x^2 + l_1x + l_0)$$
for a doubling and an addition, respectively, instead of $y - v(x)$. The parameters in the above functions are from (Fan et al., 2008, Table 4,5).
Let $f$ be the intermediate pairing value. When we take degenerate divisors $\phi(D_2')$ as second inputs for the pairing, in each doubling step we compute
$$f^2 c_D(\phi(D_2')) = f^2 c_D(\lambda^{-1/4} x_t, \lambda^{-5/8} y_t)$$
and
$$f c_A(\phi(D_2')) = f c_A(\lambda^{-1/4} x_t, \lambda^{-5/8} y_t)$$
in each addition step. After precomputing $(\lambda^{-1/4} x_t)^2, (\lambda^{-1/4} x_t)^3$ with $S_8 + M_8 = 45M_1$, we evaluate $c_D(\phi(D_2'))$ and $c_A(\phi(D_2'))$ with $16M_1 + 3 \cdot 8M_1 = 40M_1$. Therefore computing $f^2 c_D(\phi(D_2'))$ and $f c_A(\phi(D_2'))$ requires $40M_1 + S_{16} + M_{16} = 175M_1$ and $40M_1 + M_{16} = 121M_1$, respectively. Since
$$t^2 = 1 + 2^3 + 2^9 + 2^{10} + 2^{16} + 2^{34} + 2^{35} + 2^{42} + 2^{50} + 2^{51} + 2^{58} + 2^{66} + 2^{83} + 2^{98},$$
the Miller loop requires in total
$$\{45 + 98(40 + 175) + 13(41 + 121)\}M_1 = 23221M_1.$$
5.2 Final Exponentiation
For efficient computation of the final exponentiation, we should use the method by Scott et al. (Scott et al., 2009). In their method, we should estimate the cost of computing $\Phi_8(p)/r$ where
$$(p^{16} - 1)/r = (p - 1)(p + 1)(p^2 + 1)(p^4 + 1)(p^8 + 1)/r.$$
By using the parametrization of $p(x)$ and $r(x)$, we can compute the coefficients, as polynomials, of the following polynomial
$$(p(x)^8 + 1)/r(x) = \sum_{i=0}^{7} l_i(x) p(x)^i,$$
where
$$l_0(x) = 256x^9 + 896x^8 + 1344x^7 + 1120x^6 + 568x^5 + 196x^4 + 66x^3 + 27x^2 + 8x + 3$$
$$l_1(x) = -2048x^{12} - 10240x^{11} - 23040x^{10} - 30720x^9 - 26944x^8 - 16448x^7 - 7408x^6 - 2752x^5 - 980x^4 - 348x^3 - 111x^2 - 26x - 3$$
$$l_2(x) = -64x^7 - 160x^6 - 160x^5 - 80x^4 - 22x^3 - 7x^2 - 4x - 1$$
$$l_3(x) = 512x^{10} + 2048x^9 + 3584x^8 + 3584x^7 + 2256x^6 + 960x^5 + 328x^4 + 120x^3 + 43x^2 + 14x + 3$$
$$l_4(x) = -4096x^{13} - 22528x^{12} - 56320x^{11} - 84480x^{10} - 84608x^9 - 59840x^8 - 31264x^7 - 12912x^6 - 4712x^5 - 1676x^4 - 570x^3 - 163x^2 - 32x - 3$$
$$l_5(x) = -128x^8 - 384x^7 - 480x^6 - 320x^5 - 124x^4 - 36x^3 - 15x^2 - 6x - 1$$
$$l_6(x) = 1024x^{11} + 4608x^{10} + 9216x^9 + 10752x^8 + 8096x^7 + 4176x^6 + 1616x^5 + 568x^4 + 206x^3 + 71x^2 + 20x + 3$$
$$l_7(x) = 32x^6 + 64x^5 + 48x^4 + 16x^3 + 3x^2 + 2x + 1$$
First, for an element $f \in \mathbb{F}_{p^{16}}$, we need to compute $f := f^x$ 13 times ($f^{x^i}$, $1 \le i \le 13$), and this requires $13 \cdot (48S_{16} + 3M_{16}) = 36855M_1$ since $x = 2^{48} + 2^{32} + 2^7 + 1$.
Second, we compute $(f^{x^i})^{p^j}$ with $682M_1$ for the coefficients of $l_i(x)$ as described in (Scott et al., 2009, Section 5).
Finally, we should use a vectorial addition chain such as in (Scott et al., 2009, Section 5) to compute the multi-exponentiation. To do this we need to compute an addition chain from the set of coefficients of the $l_i(x)$, and we get
[1, 2, 3, 4, 6, 7, 8, 14, 15, 16, 20, 22, 26, 27, 32,
36, 43, 48, 64, 66, 68, 71, 80, 111, 112, 120, 124,
128, 160, 163, 196, 206, 256, 320, 328, 348, 384,
480, 512, 520, 568, 570, 896, 960, 980, 1024, 1120,
1344, 1348, 1360, 1616, 1676, 2048, 2256, 2272,
2752, 3072, 3584, 3592, 4096, 4608, 4656, 4712,
4716, 7408, 7528, 8096, 8352, 9216, 10240, 10752,
10864, 11776, 12912, 16448, 16704, 22528, 23040,
26944, 27968, 28352, 30720, 30752, 31264, 31872,
53760, 56320, 59840, 84480, 84608].
We then compute a vectorial addition chain from this chain and obtain a chain of length 230. This implies $230 - 71 = 159$ multiplications in $\mathbb{F}_{p^{16}}$, including 3 squarings, where 71 is the number of unit vectors. Consequently the final exponentiation requires $36855M_1 + 3S_{16} + 156M_{16} = 49653M_1$.
5.3 Comparison
In (Aranha et al., 2013), the authors showed that the pairing over the BLS curves of embedding degree 12 (BLS12) is the most efficient. Here we compare our cost estimates of the twisted Ate pairing over the Kawazoe-Takahashi curve with the result of the optimal pairing over the BLS12 in Table 1.
Table 1: Comparison of the computation cost of pairing over the pairing-friendly curve of genus 1 (BLS12) and genus 2 (Kawazoe-Takahashi).

| Curve | Phase | Mult. in $\mathbb{F}_p$ | scaled |
|---|---|---|---|
| BLS12 | Miller loop | $10865M_{640}$ | $10865M_{640}$ |
| | Final exp. | $8464M_{640}$ | $8464M_{640}$ |
| | Total | $19329M_{640}$ | $19329M_{640}$ |
| Kawazoe-Takahashi | Miller loop | $23221M_{704}$ | $28098M_{640}$ |
| | Final exp. | $49653M_{704}$ | $60081M_{640}$ |
| | Total | $72874M_{704}$ | $88178M_{640}$ |

As described in (Aranha et al., 2013, Section 8), they represent field elements $a \in \mathbb{F}_p$ as $n$-bit processor words ($n = \lceil 1/\ell \rceil$, $\ell = 1 + \lfloor \log_2 p \rfloor$) and estimate the cost of field arithmetic, so we should use $M_{704}$ for comparison. We simply normalize the cost of our pairing so that $M_{704} = 1.21M_{640}$, where $1.21 = (704/640)^2$, and the data in the "scaled" column are given by multiplying each element by 1.21.
In the Miller loop, the cost of the Kawazoe-Takahashi pairing is about three times that of the BLS12 pairing. The loop length of our pairing is twice the optimal one, so the Miller loop cost does not seem high and is more or less efficient, thanks to the use of degenerate divisors and other techniques like denominator elimination.
On the other hand, the final exponentiation cost of our pairing is much higher than that of BLS12, since the arithmetic cost in $\mathbb{F}_{p^{16}}$ is relatively high compared with that in $\mathbb{F}_{p^{12}}$ due to the construction of their fields. In addition, the strategy to compute the multi-exponentiation in the final exponentiation is more complicated than when $k = 12$.
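The totals in Section 5 and the scaled column of Table 1 can be reproduced from the binary expansions of $t^2$ and $x$ and the per-step costs stated above. The following Python code is an added example, not part of the paper; it works in units of $M_1$ and takes $S_4$, $S_8$, $S_{16}$ as 6, 18 and 54 multiplications in $\mathbb{F}_p$, which are the values the sums $45M_1$, $175M_1$ and $121M_1$ use. Function names are chosen here for illustration.

```python
# Added example (not from the paper): the Section 5 operation counts as a
# cost model. All costs are in multiplications in F_p (M_1), with S_1 = M_1.

T = 2**49 + 2**33 + 2**8 + 2 + 1       # t from Section 3
X = (T - 1) // 2                       # x with t = 2x + 1

# Quadratic tower up to F_p^16 with Karatsuba: M_2i = 3 * M_i.
M = {1: 1, 2: 3, 4: 9, 8: 27, 16: 81}
# S_2 = 2 M_1 from the squaring trick; 6, 18 and 54 are the values that the
# totals 45, 175 and 121 M_1 in Section 5.1 use for S_4, S_8 and S_16.
S = {1: 1, 2: 2, 4: 6, 8: 18, 16: 54}

DBL = 35 * M[1] + 5 * S[1]             # divisor doubling (Fan et al., 2009)
ADD = 36 * M[1] + 5 * S[1]             # mixed divisor addition
LINE = 16 * M[1] + 3 * 8 * M[1]        # evaluate c_D or c_A at phi(D2')


def double_and_add_counts(e):
    """(doublings, additions) of left-to-right binary exponentiation by e."""
    return e.bit_length() - 1, bin(e).count("1") - 1


def miller_loop_cost(loop=T * T):
    n_dbl, n_add = double_and_add_counts(loop)
    precompute = S[8] + M[8]                  # square and cube of x-coordinate
    dbl_step = DBL + LINE + S[16] + M[16]     # f <- f^2 * c_D
    add_step = ADD + LINE + M[16]             # f <- f * c_A
    return precompute + n_dbl * dbl_step + n_add * add_step


def final_exp_cost(x=X, max_deg=13, chain_len=230, unit_vectors=71,
                   chain_squarings=3):
    n_sqr, n_mul = double_and_add_counts(x)
    powers = max_deg * (n_sqr * S[16] + n_mul * M[16])   # f^(x^i), i = 1..13
    ops = chain_len - unit_vectors                       # operations in F_p^16
    multi_exp = (chain_squarings * S[16]
                 + (ops - chain_squarings) * M[16])
    # The 682 M_1 quoted for the Frobenius maps is not part of the
    # 49653 M_1 total in Section 5.2, so it is left out here as well.
    return powers + multi_exp


def scale_704_to_640(cost):
    """Multiply by (704/640)^2 = 1.21; rounding up reproduces Table 1."""
    return -(-cost * 121 // 100)


def table_rows():
    ml, fe = miller_loop_cost(), final_exp_cost()
    return [(name, c, scale_704_to_640(c))
            for name, c in (("Miller loop", ml), ("Final exp.", fe),
                            ("Total", ml + fe))]


if __name__ == "__main__":
    for name, cost, scaled in table_rows():
        print(f"{name:12} {cost:6d} M_704  {scaled:6d} M_640")
```

The doubling and addition counts 98 and 13 that appear in the Miller loop total are the bit length minus one and the Hamming weight minus one of $t^2$.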
6 CONCLUSION
Aranha et al. (Aranha et al., 2013) clarified appropriate pairing-friendly elliptic curves and optimal pairings over the curves at the high (192-bit) security level. In this paper, we considered several pairings over Kawazoe-Takahashi curves of embedding degree 16 and proposed the twisted Ate pairing as the most efficient one. We showed the method to construct the optimal pairings and its twisted version. Although the Miller loop becomes twice as long as the optimal one, we offered a twisted version of the Ate pairing, since the degree of the twist is 8, which is half of the embedding degree, to avoid performing arithmetic on divisor classes defined over the extension field. We described that some techniques to reduce the computation cost, as described in (Fan et al., 2008), can be applied to our twisted Ate pairing.
As shown in our cost estimates, the final exponentiation cost is much larger than that of the state-of-the-art elliptic pairing. We should consider other embedding degrees such as $k = 12$ to reduce the complicated multi-exponentiation, although we cannot take an appropriate $r$ as an order of the Jacobian whose size is close to 384 bits. As another alternative, we consider taking $k = 15$ or 27 so that the embedding degrees are coprime to the degree of the twist. In this case, we can construct twisted pairings whose Miller loop lengths are optimal, unlike the situation in 4.2. We will tackle the construction of curves which have the above embedding degrees, and of a twisted Ate pairing on each curve, as future work. In addition, other pairing-friendly ordinary curves of genus 2 like (Freeman and Satoh, 2011) should be explored to see whether these curves are appropriate for constructing pairings at a high security level.
Furthermore, we should explicitly construct the extension fields and optimize the arithmetic on these fields to obtain a detailed cost estimate. We will implement the pairing on a Haswell CPU using the SIMD instructions (AVX2) and show experimental results in practice.
REFERENCES
Aranha, D., Fuentes-Castañeda, L., Knapp, E., Menezes, A., and Rodríguez-Henríquez, F. (2013). Implementing pairings at the 192-bit security level. In Abdalla, M. and Lange, T., editors, Pairing-Based Cryptography - Pairing 2012, volume 7708 of Lecture Notes in Computer Science, pages 177–195. Springer Berlin Heidelberg.
Balakrishnan, J., Belding, J., Chisholm, S., Eisenträger, K., Stange, K. E., and Teske, E. (2009). Pairings on hyperelliptic curves. CoRR, abs/0908.3731. Available: http://arxiv.org/abs/0908.3731v2.
Barbulescu, R., Gaudry, P., Guillevic, A., and Morain, F. (2015). Improving NFS for the discrete logarithm problem in non-prime finite fields. In Oswald, E. and Fischlin, M., editors, Advances in Cryptology - EUROCRYPT 2015, volume 9056 of Lecture Notes in Computer Science, pages 129–155. Springer Berlin Heidelberg.
Barbulescu, R., Gaudry, P., Joux, A., and Thomé, E. (2014). A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In Nguyen, P. and Oswald, E., editors, Advances in Cryptology - EUROCRYPT 2014, volume 8441 of Lecture Notes in Computer Science, pages 1–16. Springer Berlin Heidelberg.
BlueKrypt (2012). Cryptographic key length recommendation. http://www.keylength.com.
Bosma, W., Cannon, J., and Playoust, C. (1997). The Magma algebra system. I. The user language. J. Symbolic Comput., 24(3-4):235–265. Computational algebra and number theory (London, 1993).
Fan, X., Gong, G., and Jao, D. (2008). Speeding up pairing computations on genus 2 hyperelliptic curves with efficiently computable automorphisms. In Galbraith, S. and Paterson, K., editors, Pairing-Based Cryptography - Pairing 2008, volume 5209 of Lecture Notes in Computer Science, pages 243–264. Springer Berlin Heidelberg.
Fan, X., Gong, G., and Jao, D. (2009). Efficient pairing computation on genus 2 curves in projective coordinates. In Avanzi, R., Keliher, L., and Sica, F., editors, Selected Areas in Cryptography, volume 5381 of Lecture Notes in Computer Science, pages 18–34. Springer Berlin Heidelberg.
Freeman, D. M. and Satoh, T. (2011). Constructing pairing-friendly hyperelliptic curves using Weil restriction. Journal of Number Theory, 131(5):959–983. Elliptic Curve Cryptography.
Frey, G. and Lange, T. (2006). Fast bilinear maps from the Tate-Lichtenbaum pairing on hyperelliptic curves. In Hess, F., Pauli, S., and Pohst, M., editors, Algorithmic Number Theory, volume 4076 of Lecture Notes in Computer Science, pages 466–479. Springer Berlin Heidelberg.
Galbraith, S. D., Lin, X., and Morales, D. J. M. (2008). Pairings on hyperelliptic curves with a real model. In Galbraith, S. and Paterson, K., editors, Pairing-Based Cryptography - Pairing 2008, volume 5209 of Lecture Notes in Computer Science, pages 265–281. Springer-Verlag.
Granger, R., Hess, F., Oyono, R., Thériault, N., Vercauteren, F., and Berlin, T. U. (2007). Ate pairing on hyperelliptic curves. In Advances in Cryptology - EUROCRYPT 2007, pages 419–436. Springer-Verlag.
Guillevic, A. and Vergnaud, D. (2013). Genus 2 hyperelliptic curve families with explicit Jacobian order evaluation and pairing-friendly constructions. In Abdalla, M. and Lange, T., editors, Pairing-Based Cryptography - Pairing 2012, volume 7708 of Lecture Notes in Computer Science, pages 234–253. Springer Berlin Heidelberg.
Hess, F. (2008). Pairing lattices. In Galbraith, S. and Paterson, K., editors, Pairing-Based Cryptography - Pairing 2008, volume 5209 of Lecture Notes in Computer Science, pages 18–38. Springer-Verlag.
Kachisa, E. (2010). Generating more Kawazoe-Takahashi genus 2 pairing-friendly hyperelliptic curves. In Joye, M., Miyaji, A., and Otsuka, A., editors, Pairing-Based Cryptography - Pairing 2010, volume 6487 of Lecture Notes in Computer Science, pages 312–326. Springer Berlin Heidelberg.
Kawazoe, M. and Takahashi, T. (2008). Pairing-friendly hyperelliptic curves with ordinary Jacobians of type $y^2 = x^5 + ax$. In Galbraith, S. and Paterson, K., editors, Pairing-Based Cryptography - Pairing 2008, volume 5209 of Lecture Notes in Computer Science, pages 164–177. Springer Berlin Heidelberg.
Lange, T. (2005). Formulae for arithmetic on genus 2 hyperelliptic curves. Applicable Algebra in Engineering, Communication and Computing, 15(5):295–328.
Scott, M. (2011). On the efficient implementation of pairing-based protocols. In Chen, L., editor, Cryptography and Coding, volume 7089 of Lecture Notes in Computer Science, pages 296–308. Springer Berlin Heidelberg.
Scott, M., Benger, N., Charlemagne, M., Dominguez Perez, L., and Kachisa, E. (2009). On the final exponentiation for calculating pairings on ordinary elliptic curves. In Shacham, H. and Waters, B., editors, Pairing-Based Cryptography - Pairing 2009, volume 5671 of Lecture Notes in Computer Science, pages 78–88. Springer Berlin Heidelberg.
Teruya, T., Saito, K., Kanayama, N., Kawahara, Y., Kobayashi, T., and Okamoto, E. (2014). Constructing symmetric pairings over supersingular elliptic curves with embedding degree three. In Cao, Z. and Zhang, F., editors, Pairing-Based Cryptography - Pairing 2013, volume 8365 of Lecture Notes in Computer Science, pages 97–112. Springer-Verlag.
Vercauteren, F. (2010). Optimal pairings. IEEE Transactions on Information Theory, 56(1):455–461.
Zhang, F. (2010). Twisted Ate pairing on hyperelliptic curves and applications. Science China Information Sciences, 53(8):1528–1538.
Zhang, X. and Wang, K. (2014). Fast symmetric pairing revisited. In Cao, Z. and Zhang, F., editors, Pairing-Based Cryptography - Pairing 2013, volume 8365 of Lecture Notes in Computer Science, pages 131–148. Springer-Verlag.