Computing the Tate Pairing
Michael Scott
School of Computing,
Dublin City University,
Ballymun, Dublin 9, Ireland
mike@computing.dcu.ie
Abstract. We describe, in detail sufficient for easy implementation, a
fast method for calculation of the Tate pairing, as required for pairing-based cryptographic protocols. We point out various optimisations and
tricks, and compare timings of a pairing-based Identity Based Encryption
scheme with an optimised RSA implementation.
Keywords: Elliptic curves, pairing-based cryptosystems.
1 Introduction
In the fast growing world of pairing-based cryptography (for background see
[1]) there are many protocols, many pairings (Tate, Weil, modified Weil etc.)
and many choices for the embedding degree k, as well as a choice of super- or
non-supersingular curves over fields of large or small characteristic. The range of
protocols is impressive, many with novel properties [6, 7, 28]. For a recent review
see [11]. However so far there are not many reported implementations of the fast
algorithms for pairings that have been developed in [2, 4, 13].
Here for the sake of being concrete we will focus exclusively on the Tate
Pairing on non-supersingular curves over a field of large prime characteristic.
We will also focus on the case k = 2 for the following reasons:
– It simplifies the description
– Choosing k = 2 makes it easy to pick a group order of the lowest possible
Hamming weight which is very efficient.
– Choosing k = 2 allows us to implement the Tate pairing based protocols using only $E(\mathbb{F}_p)$ elliptic curves as supported by many cryptographic libraries.
– k = 2 permits the important denominator elimination optimisation [2].
– It allows for easy times-2 compression of the Tate pairing value [25].
– In protocols elliptic curve point multiplication can often be replaced with
faster exponentiation using the identity $e_r(wP, Q) = e_r(P, Q)^w$.
– Elliptic curves suitable for pairing based cryptosystems are, by design, in
flagrant breach of the MOV condition, as required for “ordinary” elliptic
curves [20]. The ECC community recently got a scare when Semaev [27]
suggested that a new index calculus type attack on normal elliptic curves may
be possible. In the context considered here an index calculus attack is already
possible [20], and therefore we need not be too concerned. Nevertheless a
choice of a small value of k reduces the impact of any such new attack.
– For a given level of security it is our experience that k = 2 is fastest.
– In many protocols it is required to do a point multiplication prior to application of the Tate pairing. Using k = 2 this implies a point multiplication only
on an $E(\mathbb{F}_p)$ curve, rather than a point multiplication on a curve defined over
a higher extension field, which would be computationally more expensive.
– $\mathbb{F}_{p^2}$ arithmetic is particularly easy to implement. This is sometimes called
the quadratic extension field. If it is assumed in this paper that the prime
modulus p is 3 mod 4, then an element in $\mathbb{F}_{p^2}$ can be considered as a “complex
number”, $a + bi$, $a, b \in \mathbb{F}_p$, where $i$ is $\sqrt{-1}$. Note that −1 is always a quadratic
non-residue for a 3 mod 4 prime. There are exactly (p − 1)(p + 1) elements
in the field $\mathbb{F}_{p^2}$. Note that $(a + ib)^p = (a - ib)$, where a − bi is the conjugate
of a + ib. Also an element $\in \mathbb{F}_{p^2}$ can be squared (or multiplied) using just
two (or three) $\mathbb{F}_p$ modular multiplications using the identity $(a + bi)^2 =
(a + b)(a - b) + 2abi$ and Karatsuba’s method respectively. Sometimes we use
the notation [a, b] to denote the $\mathbb{F}_{p^2}$ number a + bi.
– Using k = 2 the time-critical function is 512-bit modular multiplication.
This is the same operation as required for 1024-bit RSA decryption using
the Chinese Remainder theorem and therefore it is likely to be supported
by hardware accelerators and co-processors. Highly optimized code for this
common operation may be already supported by cryptographic software libraries.
Research supported by Enterprise Ireland grant IF/2002/0312/N.
A.J. Menezes (Ed.): CT-RSA 2005, LNCS 3376, pp. 293–304, 2005.
© Springer-Verlag Berlin Heidelberg 2005
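The quadratic extension field arithmetic from the list above, written out as an added Python example (it is not code from the paper). The prime 10007, the function names and the sample values are constructed for illustration; a real implementation would use a 512-bit p and a multiprecision library.

```python
# Added example: F_{p^2} = F_p[i]/(i^2 + 1) for a prime p = 3 (mod 4).
# A pair (a, b) stands for a + bi, i.e. the paper's [a, b] notation.
P = 10007  # constructed small prime with P % 4 == 3, not a parameter from the paper

def minus_one_is_nonresidue(p=P):
    """Euler's criterion: -1 is a non-residue iff (-1)^((p-1)/2) = -1 mod p."""
    return pow(p - 1, (p - 1) // 2, p) == p - 1

def fp2_mul_schoolbook(x, y, p=P):
    """Reference product using four F_p multiplications."""
    (a, b), (c, d) = x, y
    return ((a * c - b * d) % p, (a * d + b * c) % p)

def fp2_mul(x, y, p=P):
    """Karatsuba product using three F_p multiplications."""
    (a, b), (c, d) = x, y
    ac, bd = a * c % p, b * d % p
    cross = (a + b) * (c + d) % p          # ac + ad + bc + bd
    return ((ac - bd) % p, (cross - ac - bd) % p)

def fp2_sqr(x, p=P):
    """(a + bi)^2 = (a + b)(a - b) + 2abi: two F_p multiplications."""
    a, b = x
    ab = a * b % p
    return ((a + b) * (a - b) % p, (ab + ab) % p)

def fp2_conj(x, p=P):
    """Conjugate a - bi."""
    a, b = x
    return (a, -b % p)

def fp2_pow(x, e, p=P):
    """Left-to-right square-and-multiply built on fp2_sqr and fp2_mul."""
    result = (1, 0)
    for bit in bin(e)[2:]:
        result = fp2_sqr(result, p)
        if bit == "1":
            result = fp2_mul(result, x, p)
    return result

def check_identities(samples, p=P):
    """True if the fast routines match the reference and x^p is the conjugate."""
    return all(fp2_sqr(x, p) == fp2_mul_schoolbook(x, x, p)
               and fp2_mul(x, y, p) == fp2_mul_schoolbook(x, y, p)
               and fp2_pow(x, p, p) == fp2_conj(x, p)
               for x in samples for y in samples)

if __name__ == "__main__":
    samples = [(1234, 5678), (4321, 8765), (0, 1), (10006, 3)]  # constructed values
    print(minus_one_is_nonresidue(), check_identities(samples))
```

The Frobenius check `fp2_pow(x, p) == fp2_conj(x)` is the property that makes conjugation a free replacement for a p-th power in an implementation.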
We do concede that k = 2 may not be optimal in some settings such as a
short signature scheme, like for example the BLS scheme [7].
In this paper we draw heavily from the theoretical results described by Barreto et al. [4] and [2]. Our results improve a little on those described there using
ideas from [25].
2 The Curve
There are many ways proposed to find non-supersingular curves of low embedding degree suitable for pairing-based protocols. See for example [3, 5, 8, 10, 21]
and [26]. Using these methods the existence of a suitable elliptic curve is first
determined, and then the actual parameters of the curve are found using the
method of Complex Multiplication as described in [14] and implemented in [23].
The particular curve we will use (found using the “folklore” method described
by Galbraith in Chapter 9 of [5]), is described in the Weierstrass form
$$E : y^2 = x^3 - 3x + B$$
with $B \in \mathbb{F}_p$. If $x, y \in \mathbb{F}_p$, the curve has $\#E(\mathbb{F}_p)$ points on it, where $\#E(\mathbb{F}_p) =
p + 1 - t$ and t is the trace of the Frobenius [20]. If $x, y \in \mathbb{F}_{p^2}$, it has $\#E(\mathbb{F}_{p^2}) =
(p + 1 - t)(p + 1 + t)$ points. A related twisted curve $E'(\mathbb{F}_p)$ is
$$E' : y^2 = x^3 - 3x - B$$