Further refinement of pairing computation based on Miller’s algorithm
Introduction
The Weil/Tate pairing is a nondegenerate bilinear map that sends a special pair of points on an elliptic curve to a certain multiplicative subgroup of a finite field. In 1993, Menezes et al. [11] found that the Weil pairing could be applied to reduce the elliptic curve discrete logarithm problem on a supersingular elliptic curve to a discrete logarithm problem in a multiplicative subgroup of a finite field. Their result shows that supersingular elliptic curves are unsuitable for many cryptographic schemes.
In recent years, the Weil/Tate pairings have been used as a constructive tool in cryptography. Indeed, many cryptographic applications based on pairings have been proposed, such as identity-based encryption [5], digital signatures [4], [6], [15], signcryption [10], [14], key agreement [9], [17], and so on. As a result, pairings play an important role in modern cryptography, and the computation of pairings becomes a critical issue for the applications built on them. The first efficient algorithm for computing pairings was proposed by Miller in 1986 [13]. The main idea of Miller's algorithm is to use lines to integrate the divisors that the algorithm has processed so far (see Section 2 for details). Much research has been directed at different aspects of improving its efficiency [1], [7], [8]. The work of Barreto et al. [1] and Galbraith et al. [8] focuses particularly on the Tate pairing over some special curves; they propose methods to eliminate all of the vertical lines that would otherwise be needed in the computation of the Tate pairing.
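As an added illustration (not code from the paper), the following Python implements Miller's double-and-add loop and the reduced Tate pairing on a constructed toy curve y^2 = x^3 + x over F_11, counting the chord/tangent lines and vertical lines each step evaluates; the drop_verticals switch shows the Barreto–Kim–Lynn–Scott elimination of vertical lines, which works here only because the distortion map keeps the x-coordinate of phi(Q) in F_p. The prime, curve, points and the 12-bit loop length are assumptions chosen for illustration.

```python
p, ONE = 11, (1, 0)   # constructed toy parameters: E: y^2 = x^3 + x over F_11, #E(F_11) = 12, k = 2

def f2_mul(u, v):                      # F_{p^2} = F_p[i]/(i^2 + 1), elements as (a, b) = a + b*i
    return ((u[0]*v[0] - u[1]*v[1]) % p, (u[0]*v[1] + u[1]*v[0]) % p)

def f2_inv(u):
    s = pow(u[0]*u[0] + u[1]*u[1], p - 2, p)          # 1 / norm(u)
    return (u[0]*s % p, -u[1]*s % p)

def f2_pow(u, e):
    r = ONE
    for bit in bin(e)[2:]:
        r = f2_mul(f2_mul(r, r), u) if bit == "1" else f2_mul(r, r)
    return r

def line_step(T, R, X, counts):
    """One Miller step on affine points of E(F_p): returns T + R, l(X), v(X), where l is the line
    through T and R (tangent if T == R) and v the vertical through T + R; X = (xa, ya) is in E(F_{p^2})."""
    (x1, y1), (x2, y2), (xa, ya) = T, R, X
    if x1 == x2 and (y1 + y2) % p == 0:              # T + R = O: the line is itself vertical, v is trivial
        counts["verticals"] += 1
        return None, ((xa[0] - x1) % p, xa[1]), ONE
    lam = (3*x1*x1 + 1) * pow(2*y1, p - 2, p) % p if T == R else (y2 - y1) * pow(x2 - x1, p - 2, p) % p
    x3 = (lam*lam - x1 - x2) % p
    counts["lines"] += 1; counts["verticals"] += 1
    l = ((ya[0] - lam*xa[0] - (y1 - lam*x1)) % p, (ya[1] - lam*xa[1]) % p)
    return (x3, (lam*(x1 - x3) - y1) % p), l, ((xa[0] - x3) % p, xa[1])

def ec_add(T, R):
    """Group law on E(F_p) via line_step (None is O); the dummy X is never divided by."""
    if T is None or R is None:
        return T or R
    return line_step(T, R, ((0, 0), (0, 0)), {"lines": 0, "verticals": 0})[0]

def miller(n, P, X, drop_verticals=False):
    """f_{n,P}(X) by double-and-add over the bits of n, plus the number of lines evaluated. drop_verticals
    is the BKLS trick: x(X) is in F_p, so every v(X) is in F_p and the final exponentiation maps it to 1."""
    counts, T, num, den = {"lines": 0, "verticals": 0}, P, ONE, ONE
    for bit in bin(n)[3:]:
        T, l, v = line_step(T, T, X, counts)
        num, den = f2_mul(f2_mul(num, num), l), f2_mul(f2_mul(den, den), v)
        if bit == "1":
            T, l, v = line_step(T, P, X, counts)
            num, den = f2_mul(num, l), f2_mul(den, v)
    return f2_mul(num, ONE if drop_verticals else f2_inv(den)), counts

def tate(P, Q, n=12, drop_verticals=False):
    """Reduced Tate pairing f_{n,P}(phi(Q))^((p^2-1)/n), n = ord(P), distortion map phi(x, y) = (-x, i*y)."""
    f, counts = miller(n, P, ((-Q[0] % p, 0), (0, Q[1])), drop_verticals)
    return f2_pow(f, (p*p - 1) // n), counts
```

With n = 12 the loop evaluates three chord/tangent lines and four vertical lines, the last of them the special line of the T + R = O case; on a general curve without a distortion map the vertical lines cannot simply be discarded, which is the situation the refinement in this paper targets.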
To speed up the computation of the Weil/Tate pairing on general curves, Blake et al. [2] proposed a new concept based on the conjugate of a line to reduce the total number of lines in Miller's algorithm. Although this concept does not dramatically decrease the cost of point addition and removes fewer lines than Barreto–Kim–Lynn–Scott's method, it is novel and can be applied to decrease the number of field multiplications in pairing computation over general elliptic curves. They proposed three different algorithms for three cases. The first case is where the binary representation of the integer n has relatively more zero bits (or the average case; see Section 2 for details). The second case is where it has relatively more one bits. The third case is where the characteristic of the field is three.
In this paper, we continue their work and suggest a generalized algorithm that can reduce more lines than the first two algorithms in the average case. Even in the extreme cases, our algorithm still performs as well as the better of their two algorithms. In our algorithm, we use the same technique as Blake, Murty and Xu, but we consider the bits globally. We divide the binary representation of the integer n, which is a constant in every pairing-based cryptosystem, into fragments, and in accordance with these fragments we design an algorithm that further reduces the number of lines. In practice, the properties of this fragmentation can also be used to select (or construct) a suitable integer n. A combination of some ideal (perfect) patterns (which we will introduce in Section 3) can remove all of the vertical lines in the pairing computation, even where the methods above might not be applicable.
The rest of the paper is organized as follows. We briefly describe the mathematical preliminaries, Miller's algorithm, and Blake, Murty and Xu's algorithms in Section 2. In Section 3, we describe our proposed algorithm. Its analysis is given in Section 4. In Section 5, we discuss the practical issue of choosing n for our refinement. Finally, some concluding remarks are given in Section 6.
Weil/Tate pairing and Miller’s algorithm
Let with a prime p and a positive integer m, then is a finite field with q elements and p is the characteristic of . An elliptic curve E defined over can be described as the set of points satisfying the Weierstrass equation , where . If is an extension of , the set of K-rational points of E together with an additional point at infinity is denoted as . There exists an abelian group law on E. Explicit formulas for computing the coordinates
Refinement of BMX algorithms
In this section, we propose a refinement to the BMX algorithms. We segment n into different bit sequences. For each sequence, we carefully design the algorithm to reduce more lines. From Lemma 2, there are two different kinds of bit sequences that can remove all of the vertical lines, and they are the best two cases presented in [2]. One is a sequence of an even number of zero bits, denoted by , and the other is a sequence of ones between two zeros, denoted . In the following, we give two
Analysis
We denote by the number of lines used by the algorithm Alg with input integer n. For example, is the number of lines used in our refinement. We will show in Section 4.1 and in Section 4.2. That is, our algorithm can reduce more lines than both of the BMX algorithms. To simplify the analysis, we count the number of lines based on the corresponding dot notation introduced in Section 3. Suppose n is a bits integer, that is
Comparison and discussion
In this section, we first estimate the number of the lines required for the algorithms such as Miller’s algorithm, BMX-1, BMX-2, Barreto–Kim–Lynn–Scott’s algorithm (BKLS for short) and our refinement. Then we discuss the issue of choosing suitable values of n for our refinement.
Let n be a ()-bit positive integer. Suppose , and . Here, we will omit a special line which belongs to the case , for all algorithms. We can estimate the line requirement functions
Concluding remarks
We have proposed a refinement to the BMX algorithms. As we have seen in Example 4, our refinement can remove more vertical lines than BMX-1 (BMX-2) by an amount of (, respectively) in the average case. Therefore, the saving in the number of multiplications of our algorithm is greater than that of the BMX algorithms. Moreover, if n is a Solinas number then our refinement performs better than the BMX algorithms. In practice, we can select a suitable integer n to remove all of the
References
- Blake et al., Refinement of Miller's algorithm for computing the Weil/Tate pairing, Journal of Algorithms (2006).
- P.S.L.M. Barreto, H.Y. Kim, B. Lynn, M. Scott, Efficient algorithms for pairing-based cryptosystems, CRYPTO 2002, LNCS...
- et al., Elliptic Curve in Cryptography (1999).
- D. Boneh, X. Boyen, H. Shacham, Short Group Signatures, CRYPTO 2004, LNCS 3152, Springer-Verlag, 2004, pp....
- D. Boneh, M. Franklin, Identity-based encryption from the Weil pairing, CRYPTO 2001, LNCS 2139, Springer-Verlag, 2001,...
- D. Boneh, B. Lynn, H. Shacham, Short signature from the Weil pairing, ASIACRYPT 2001, LNCS 2248, Springer-Verlag, 2001,...
- K. Eisenträger, K. Lauter, P.L. Montgomery, Fast elliptic curve arithmetic and improved Weil pairing evaluation, CT-RSA...
- S. Galbraith, K. Harrison, D. Soldera, Implementing the Tate pairing, Algorithm Number Theory Symposium 2002, LNCS...