Refinements of Miller's Algorithm for Computing Weil/Tate Pairing

Ian Blake, Kumar Murty and Guangwu Xu
University of Toronto
October, 2003

Abstract

In this paper we propose three refinements to Miller's algorithm for computing the Weil/Tate pairing. The first is an overall improvement and achieves its optimal behavior when the binary expansion of the integer involved contains more zeros. If more ones are present in the binary expansion, the second improvement is suggested. The third is especially efficient in the case of base three. We also give some performance analysis.

Keywords: algorithm, elliptic curve, cryptography, Weil/Tate pairing

1 Introduction

The Weil and Tate pairings are nondegenerate bilinear maps from certain pairs of points on elliptic curves to a multiplicative subgroup of an appropriate order in a certain finite field. The first notable application of pairings to cryptography was the work of Menezes et al. [10], who showed that the Weil pairing on supersingular elliptic curves (whose Frobenius trace is divisible by the characteristic of the field over which the curve is defined) can be used to embed the discrete logarithm problem on the elliptic curve into a discrete logarithm problem on a certain subgroup of a suitable extension of the finite field of definition. The discrete logarithm problem on the curve is often (for non-supersingular curves) assumed to have complexity on the order of the square root of the group order, while that in finite fields has subexponential complexity. The work showed that discrete logarithm problems on supersingular curves are unsuitable for many cryptographic applications, a dramatic lesson on the caution required in choosing such curves. Frey and Rück [5] also consider this situation using the Tate pairing, which has certain advantages. Recent work on pairings in cryptography has considered their use in the definition and implementation of certain new and potentially very useful protocols.
Boneh and Franklin [3] used pairings to develop an efficient identity-based encryption (IBE) system, the first such system since the notion of IBE was introduced by Shamir [14]. In such a system a user's public information, such as an identity or email address, can be used as the public key, with the secret key derived by a central authority possessing certain additional information on the curve. Since then pairings have been used to define numerous interesting protocols, including the identity-based key exchange and signature schemes of Sakai, Ohgishi and Kasahara [13], the one-round protocol for tripartite Diffie-Hellman key exchange of Joux [7], the short signature scheme of Boneh, Lynn and Shacham [4], and many others. Interestingly, these protocols invariably require the use of supersingular curves. The working of the protocol depends on the properties of the pairing, while the security of the protocol depends on the difficulty of the discrete logarithm problem in the multiplicative group of an extension of the finite field, which must therefore be chosen sufficiently large. Thus the computation of Weil and Tate pairings is an important issue for such protocols and has attracted attention.

The original algorithm for computing pairings is due to Miller [11], and most current algorithms are based in some manner on it. It is an efficient probabilistic polynomial-time algorithm for computing the pairings. What the algorithm does is evaluate a rational function associated with an $n$-torsion point of the elliptic curve. The work of Barreto, Kim, Lynn and Scott [1] and of Galbraith, Harrison and Soldera [6] focuses in particular on the Tate pairing, and they propose methods for its fast computation. They also consider the practically useful case of fields of characteristic three. In [8], Eisenträger, Lauter and Montgomery give an algorithm to speed up point multiplication on an elliptic curve. Using their method, $H(n)$ field multiplications and $H(n)$ field squarings are eliminated when computing the scalar multiple $nP$ of a point $P$, where $H(n)$ denotes the Hamming weight of $n$, i.e., the number of one bits in the binary expansion of $n$. This observation, combined with a parabola substitution, enables them to obtain an improvement to Miller's algorithm for general elliptic curves. In the framework of this paper, their improvement requires $H(n)$ fewer field multiplications in addition. All of these contributions use ideas very different from those used in this work.

In this paper we present three versions of improvement to Miller's algorithm. They apply to general elliptic curves. Version 1 is efficient in every case, and $\log_2 n$ field multiplications are saved. In particular, this improvement covers some practically interesting cases (for example, when $n$ is a Solinas number of the form $2^a \pm 2^b \pm 1$, see [1]) that our version 2 and the algorithm of [8] are not strong enough to deal with. Version 2 gains more in the case where $n$ has relatively high Hamming weight; to be more specific, $2H(n)$ field multiplications are removed. It is remarked that the technique of Eisenträger, Lauter and Montgomery does not apply here. However, a modification can still be made to improve Miller's algorithm so that $H(n)$ (instead of $2H(n)$) field multiplications are saved; with this modification we are able to use the method of Eisenträger, Lauter and Montgomery for the point multiplication and save a further $H(n)$ field multiplications and $H(n)$ field squarings. The third version is especially useful for fields of characteristic three, where it saves $\log_3 n$ field multiplications compared to the original algorithm in characteristic three. It is noted that in this case point tripling can be made very efficient.

The work is organized as follows.
After introducing the pairings and Miller's algorithm briefly in section 2, some basic facts and observations on elliptic curves are presented in section 3. In section 4, we use the results of section 3 to simplify some formulas used by Miller's algorithm and obtain three improved versions of the algorithm. In section 5, some detailed analysis of the three versions is given.

2 Weil Pairing, Tate Pairing and Miller's Algorithm

Let $E/K$ be an elliptic curve. Recall that a divisor is an element of the free abelian group (denoted by $\mathrm{Div}(E)$) generated by the set of points of $E(K)$. Given a divisor $D = \sum_{P \in E} n_P (P)$, the degree of $D$ is defined by $\deg(D) = \sum_{P \in E} n_P$. We are interested in the subgroup of divisors of degree $0$, namely $\mathrm{Div}^0(E) = \{D \in \mathrm{Div}(E) : \deg(D) = 0\}$. For a nonzero rational function $f$ over $E$, we define $\mathrm{div}(f) = \sum_{P \in E} \mathrm{ord}_P(f)\,(P)$. It turns out that $\mathrm{div}(f)$ is an element of $\mathrm{Div}^0(E)$; it is called a principal divisor. A characterization of principal divisors is: $D = \sum_{P \in E} n_P (P) \in \mathrm{Div}^0(E)$ is principal iff $\sum_{P \in E} n_P P = O$, where $O$ is the point at infinity. The relation $\sim$ on $\mathrm{Div}^0(E)$ is defined by $D_1 \sim D_2$ iff $D_1 - D_2$ is principal. The support of a divisor $D = \sum_{P \in E} n_P (P)$ is the set of points $P$ with $n_P \neq 0$. If $f$ is a nonzero rational function such that $\mathrm{div}(f)$ and $D$ have disjoint supports, we extend the evaluation of $f$ to $D$ by defining $f(D) = \prod_{P \in E} f(P)^{n_P}$.

Let $n$ be an integer prime to $p = \mathrm{char}(K)$ if $p > 0$, and let $E[n] = \{P \in E(K) : nP = O\}$. For $P, Q \in E[n]$ there exist $D_P, D_Q \in \mathrm{Div}^0(E)$ such that $D_P \sim (P) - (O)$ and $D_Q \sim (Q) - (O)$, and then there exist functions $f_P, f_Q$ such that $\mathrm{div}(f_P) = nD_P$ and $\mathrm{div}(f_Q) = nD_Q$. Suppose that $D_P$ and $D_Q$ have disjoint supports; then the following is meaningful:
$$e(P, Q) = \frac{f_P(D_Q)}{f_Q(D_P)},$$
and this is the Weil pairing.

The Tate pairing can also be defined based on $f_P(D_Q)$. By a suitable field extension if necessary, we may assume that the field $K$ contains the $n$th roots of unity. Let $P \in E(K)[n]$ and $Q \in E(K)$. As before, there exists a function $f_P$ such that $\mathrm{div}(f_P) = n(P) - n(O)$. Take a point $S \in E$ such that $D_Q = (Q + S) - (S)$ and $f_P$ have disjoint supports. Then we have a map
$$\phi_n : E(K)[n] \times \bigl(E(K)/nE(K)\bigr) \to K^*/(K^*)^n, \qquad \phi_n(P, \bar Q) = \overline{f_P(D_Q)},$$
where $\bar Q$ is the equivalence class in $E(K)/nE(K)$ containing $Q$, and $\overline{f_P(D_Q)}$ is the equivalence class in $K^*/(K^*)^n$ containing $f_P(D_Q)$. The function $\phi_n$ is called the Tate pairing.

An essential part of computing the Weil/Tate pairing is the evaluation of $f_P(R)$ for each point $R$ in the support of $D_Q$. In his unpublished manuscript, Miller gave an elegant and efficient algorithm for this calculation. The main idea of Miller's algorithm is as follows. Randomly pick a point $R$, and let $D_P = (P + R) - (R)$. For each integer $k$ there is a rational function $f_k$ such that
$$\mathrm{div}(f_k) = k(P + R) - k(R) - (kP) + (O).$$
In particular, $f_n = f_P$. For any points $S, T$, let $h_{S,T}$ and $h_S$ be linear functions such that $h_{S,T} = 0$ and $h_S = 0$ are the line passing through $S$ and $T$ and the vertical line passing through $S$, respectively. Notice that
$$\mathrm{div}(h_{k_1P, k_2P}) = (k_1P) + (k_2P) + (-(k_1 + k_2)P) - 3(O), \qquad \mathrm{div}(h_{(k_1 + k_2)P}) = ((k_1 + k_2)P) + (-(k_1 + k_2)P) - 2(O),$$
so we have $\mathrm{div}(f_{k_1 + k_2}) = \mathrm{div}(f_{k_1}) + \mathrm{div}(f_{k_2}) + \mathrm{div}(h_{k_1P, k_2P}) - \mathrm{div}(h_{(k_1 + k_2)P})$, and hence
$$f_{k_1 + k_2} = f_{k_1} f_{k_2} \frac{h_{k_1P, k_2P}}{h_{(k_1 + k_2)P}}. \qquad (2.1)$$
This is a recursive equation with initial conditions $f_0 = 1$ and $f_1 = h_{P,R}/h_{P+R}$; the latter holds because $\mathrm{div}(f_1) = (P + R) - (R) - (P) + (O)$.

Miller's algorithm is given more formally below; its similarity to the algorithms in [1, 3] is noted.

Algorithm 2.1 (Miller's algorithm)
INPUT: Integer $n = \sum_{i=0}^{t} b_i 2^i$ with $b_i \in \{0, 1\}$ and $b_t = 1$, and a point $S \in E$
OUTPUT: $f = f_n(S)$.
    f ← f_1; Z ← P;
    For j ← t−1, t−2, ..., 1, 0 do
        f ← f^2 · h_{Z,Z}(S) / h_{2Z}(S); Z ← 2Z;
        If b_j = 1 then
            f ← f_1 · f · h_{Z,P}(S) / h_{Z+P}(S); Z ← Z + P;
        Endif
    Endfor
    Return f

As indicated in [1], when we consider the Tate pairing the function $f_k$ can be chosen so that $\mathrm{div}(f_k) = k(P) - (kP) + (k - 1)(O)$. In this case Miller's algorithm above remains the same except that $f_1 = 1$.

For fields of characteristic three, the following version of Miller's algorithm is more efficient, taking advantage of the fast implementation of point tripling in that case (see [1, 6]):

Algorithm 2.2 (Miller's algorithm in characteristic three)
INPUT: Integer $n = \sum_{i=0}^{r} t_i 3^i$ with $t_i \in \{0, 1, 2\}$ and $t_r \neq 0$, and a point $S \in E$
OUTPUT: $f = f_n(S)$.
    If t_r = 1 then f ← f_1; Z ← P; Endif
    If t_r = 2 then f ← f_1^2 · h_{P,P}(S) / h_{2P}(S); Z ← 2P; Endif
    For j ← r−1, r−2, ..., 1, 0 do
        f ← f^3 · h_{Z,Z}(S) · h_{2Z,Z}(S) / (h_{2Z}(S) · h_{3Z}(S)); Z ← 3Z;
        If t_j = 1 then
            f ← f_1 · f · h_{Z,P}(S) / h_{Z+P}(S); Z ← Z + P;
        Endif
        If t_j = 2 then
            f ← f_1^2 · f · h_{Z,2P}(S) / h_{Z+2P}(S); Z ← Z + 2P;
        Endif
    Endfor
    Return f

3 Preliminary Observations and Facts

Some well-known facts and observations that can be used to simplify computations in Miller's algorithm are noted in this section. Consider the elliptic curve $E$ of the form
$$E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6.$$
For a linear function $h(x, y) = k(x - a) + b - y$ on $E$, where $a$, $b$ and $k$ are constants, define the conjugate $\bar h$ of $h$ by
$$\bar h(x, y) = k(x - a) + b + y + a_1 x + a_3.$$
Note that for a point $R \in E$, $\bar h(R) = h(-R)$. Also note that the product $h(x, y)\,\bar h(x, y)$ is exactly the norm $N_{K(x,y)/K(x)}(h)$.

The following fact will be useful. It is apparently well known, although no proof of it in the literature was found.

Lemma 3.1 If the line $h(x, y) = 0$ intersects $E$ at the points $P = (a, b)$, $Q = (c, d)$ and $-(P + Q)$, with $P + Q = (\alpha, \beta)$, then
$$N_{K(x,y)/K(x)}(h) = -(x - a)(x - c)(x - \alpha).$$

Proof: Notice that $N_{K(x,y)/K(x)}(h)$ can be reduced to a function of the form $-x^3 + t_2 x^2 + t_1 x + t_0$, where $t_0, t_1, t_2 \in K$.
Moreover, each of $(x - a)$, $(x - c)$ and $(x - \alpha)$ is a factor of $N_{K(x,y)/K(x)}(h)$, and so the desired factorization follows. □

For a point $Q \in E$ we write $Q = (x_Q, y_Q)$, i.e., $x_Q$ is the $x$-coordinate of $Q$ and $y_Q$ the $y$-coordinate of $Q$. The following observations will play a key role in the refinements of Miller's algorithm.

Lemma 3.2 Let $Q \in E[n]$ and $S \neq Q, 2Q, \dots, nQ$. Then

1. $\displaystyle \frac{h_{Q,Q}(S)}{h_Q^2(S)\, h_{2Q}(S)} = -\frac{1}{h_{Q,Q}(-S)}$.

2. For any integer $k$, $\displaystyle \frac{h_{(k+1)Q,kQ}(S)}{h_{(k+1)Q}(S)\, h_{(2k+1)Q}(S)} = -\frac{h_{kQ}(S)}{h_{(k+1)Q,kQ}(-S)}$.

3. $\displaystyle \frac{h_{Q,Q}(S)\, h_{2Q,Q}(S)}{h_{2Q}(S)\, h_{3Q}(S)} = -\frac{h_{Q,Q}(S)\, h_Q(S)}{h_{2Q,Q}(-S)}$.

Proof: By Lemma 3.1, we have

1. $$\frac{h_{Q,Q}(S)}{h_Q^2(S)\, h_{2Q}(S)} = \frac{h_{Q,Q}(S)\, h_{Q,Q}(-S)}{h_Q^2(S)\, h_{2Q}(S)\, h_{Q,Q}(-S)} = \frac{N_{K(x,y)/K(x)}(h_{Q,Q})(S)}{(x_S - x_Q)^2 (x_S - x_{2Q})\, h_{Q,Q}(-S)} = -\frac{1}{h_{Q,Q}(-S)}.$$

2. $$\frac{h_{(k+1)Q,kQ}(S)}{h_{(k+1)Q}(S)\, h_{(2k+1)Q}(S)} = \frac{h_{(k+1)Q,kQ}(S)\, h_{(k+1)Q,kQ}(-S)}{h_{(k+1)Q}(S)\, h_{(2k+1)Q}(S)\, h_{(k+1)Q,kQ}(-S)} = \frac{N_{K(x,y)/K(x)}(h_{(k+1)Q,kQ})(S)}{(x_S - x_{(k+1)Q})(x_S - x_{(2k+1)Q})\, h_{(k+1)Q,kQ}(-S)} = -\frac{h_{kQ}(S)}{h_{(k+1)Q,kQ}(-S)}.$$

3. $$\frac{h_{Q,Q}(S)\, h_{2Q,Q}(S)}{h_{2Q}(S)\, h_{3Q}(S)} = \frac{h_{Q,Q}(S)\, h_{2Q,Q}(S)\, h_{2Q,Q}(-S)}{h_{2Q}(S)\, h_{3Q}(S)\, h_{2Q,Q}(-S)} = \frac{h_{Q,Q}(S)\, N_{K(x,y)/K(x)}(h_{2Q,Q})(S)}{(x_S - x_{2Q})(x_S - x_{3Q})\, h_{2Q,Q}(-S)} = -\frac{h_{Q,Q}(S)(x_S - x_Q)}{h_{2Q,Q}(-S)} = -\frac{h_{Q,Q}(S)\, h_Q(S)}{h_{2Q,Q}(-S)}.$$ □

Remark 3.3

1. Since $\mathrm{div}(f) = \mathrm{div}(cf)$ for any nonzero constant $c \in K$, the sign does not affect the calculation of either pairing; therefore minus signs will be omitted when the above lemma is used.

2. In the rest of the discussion, the point $P \in E[n]$ will be fixed and $Q$ is taken to be some multiple of $P$. In order to satisfy the condition of the lemma, it is sufficient to let $S \neq P, 2P, \dots, nP$. This is also the requirement of the original Miller algorithm.

4 The Refinements

Notice that Miller's Algorithm 2.1 uses the double-and-add method, and we can display an explicit formula for the function $f_n$ as
$$f_n = f_1^n \prod_{i=t}^{1} \left( \frac{h_{\lfloor n/2^i \rfloor P,\, \lfloor n/2^i \rfloor P}\; h_{2\lfloor n/2^i \rfloor P,\, b_{i-1}P}}{h_{2\lfloor n/2^i \rfloor P}\; h_{\lfloor n/2^{i-1} \rfloor P}} \right)^{2^{i-1}}, \qquad (4.1)$$
where $t = \lfloor \log_2 n \rfloor$ and $b_{i-1} = \lfloor n/2^{i-1} \rfloor - 2\lfloor n/2^i \rfloor$. In this formula, if $b_{i-1} = 0$ then $h_{2\lfloor n/2^i \rfloor P,\, b_{i-1}P} = h_{2\lfloor n/2^i \rfloor P,\, O} = h_{\lfloor n/2^{i-1} \rfloor P}$. Without loss of generality, we also assume that $h_O = 1$. We arrange the product to start from term $t$ down to term $1$; this is the order in which the algorithm works.

Similarly, in the case of base three, $f_n$ can be expressed as
$$f_n = f_1^n \left( \frac{h_{(3 - \lfloor n/3^r \rfloor)P,\, (\lfloor n/3^r \rfloor - 1)P}}{h_{2P}} \right)^{3^r} \prod_{i=r}^{1} \left( \frac{h_{\lfloor n/3^i \rfloor P,\, \lfloor n/3^i \rfloor P}\; h_{2\lfloor n/3^i \rfloor P,\, \lfloor n/3^i \rfloor P}\; h_{3\lfloor n/3^i \rfloor P,\, t_{i-1}P}}{h_{2\lfloor n/3^i \rfloor P}\; h_{3\lfloor n/3^i \rfloor P}\; h_{\lfloor n/3^{i-1} \rfloor P}} \right)^{3^{i-1}}, \qquad (4.2)$$
where $r = \lfloor \log_3 n \rfloor$ and $t_{i-1} = \lfloor n/3^{i-1} \rfloor - 3\lfloor n/3^i \rfloor$.

4.1 Refinement 1

Consider the binary representation $n = \sum_{i=0}^{t} b_i 2^i$, and group every two consecutive terms of Formula 4.1 together. Applying Lemma 3.2 (part 1 with $Q = \lfloor n/2^{i-1} \rfloor P$, and the convention $h_{X,O} = h_X$) to the product of the terms for $i$ and $i-1$ gives the following relation:
$$\left( \frac{h_{\lfloor n/2^i \rfloor P,\, \lfloor n/2^i \rfloor P}\; h_{2\lfloor n/2^i \rfloor P,\, b_{i-1}P}}{h_{2\lfloor n/2^i \rfloor P}\; h_{\lfloor n/2^{i-1} \rfloor P}} \right)^{2^{i-1}} \left( \frac{h_{\lfloor n/2^{i-1} \rfloor P,\, \lfloor n/2^{i-1} \rfloor P}\; h_{2\lfloor n/2^{i-1} \rfloor P,\, b_{i-2}P}}{h_{2\lfloor n/2^{i-1} \rfloor P}\; h_{\lfloor n/2^{i-2} \rfloor P}} \right)^{2^{i-2}}$$
$$= \begin{cases}
\left( \dfrac{h^2_{\lfloor n/2^i \rfloor P,\, \lfloor n/2^i \rfloor P}\; h^2_{2\lfloor n/2^i \rfloor P,\, P}\; h_{2\lfloor n/2^{i-1} \rfloor P,\, P}}{h^2_{2\lfloor n/2^i \rfloor P}\; h_{\lfloor n/2^{i-1} \rfloor P,\, \lfloor n/2^{i-1} \rfloor P}(-S)\; h_{\lfloor n/2^{i-2} \rfloor P}} \right)^{2^{i-2}} & \text{if } b_{i-1} = b_{i-2} = 1, \\[3ex]
\left( \dfrac{h^2_{\lfloor n/2^i \rfloor P,\, \lfloor n/2^i \rfloor P}\; h^2_{2\lfloor n/2^i \rfloor P,\, P}}{h^2_{2\lfloor n/2^i \rfloor P}\; h_{\lfloor n/2^{i-1} \rfloor P,\, \lfloor n/2^{i-1} \rfloor P}(-S)} \right)^{2^{i-2}} & \text{if } b_{i-1} = 1,\ b_{i-2} = 0, \\[3ex]
\left( \dfrac{h^2_{\lfloor n/2^i \rfloor P,\, \lfloor n/2^i \rfloor P}\; h_{2\lfloor n/2^{i-1} \rfloor P,\, P}}{h_{\lfloor n/2^{i-1} \rfloor P,\, \lfloor n/2^{i-1} \rfloor P}(-S)\; h_{\lfloor n/2^{i-2} \rfloor P}} \right)^{2^{i-2}} & \text{if } b_{i-1} = 0,\ b_{i-2} = 1, \\[3ex]
\left( \dfrac{h^2_{\lfloor n/2^i \rfloor P,\, \lfloor n/2^i \rfloor P}}{h_{\lfloor n/2^{i-1} \rfloor P,\, \lfloor n/2^{i-1} \rfloor P}(-S)} \right)^{2^{i-2}} & \text{if } b_{i-1} = b_{i-2} = 0,
\end{cases}$$
where every line function not marked $(-S)$ is evaluated at $S$, and the minus signs of the lemma are omitted as explained in Remark 3.3.

This relation establishes the correctness of an improved Miller's algorithm which is efficient in general and achieves greater efficiency as the number of zero $b_i$'s increases. As the simplification is achieved by grouping two terms together, it is natural to expand $n$ in base $4$, which is done in the next algorithm.

Algorithm 4.1 (Improved Miller's algorithm (version 1))
INPUT: Integer $n = \sum_{i=0}^{r} q_i 4^i$ with $q_i \in \{0, 1, 2, 3\}$ and $q_r \neq 0$, and a point $S \in E$
OUTPUT: $f = f_n(S)$.
    f ← f_1; Z ← P;
    If q_r = 2 then
        f ← f^2 · h_{P,P}(S) / h_{2P}(S); Z ← 2P;
    Endif
    If q_r = 3 then
        f ← f^3 · h_{P,P}(S) · h_P(S) / h_{2P,P}(−S); Z ← 3P;
    Endif
    For j ← r−1, r−2, ..., 1, 0 do
        If q_j = 0 then
            f ← f^4 · h_{Z,Z}^2(S) / h_{2Z,2Z}(−S); Z ← 4Z;
        Endif
        If q_j = 1 then
            f ← f_1 · f^4 · h_{Z,Z}^2(S) · h_{4Z,P}(S) / (h_{4Z+P}(S) · h_{2Z,2Z}(−S)); Z ← 4Z + P;
        Endif
        If q_j = 2 then
            f ← f_1^2 · f^4 · h_{Z,Z}^2(S) · h_{2Z,P}^2(S) / (h_{2Z}^2(S) · h_{2Z+P,2Z+P}(−S)); Z ← 4Z + 2P;
        Endif
        If q_j = 3 then
            f ← f_1^3 · f^4 · h_{Z,Z}^2(S) · h_{2Z,P}^2(S) · h_{4Z+2P,P}(S) / (h_{2Z}^2(S) · h_{2Z+P,2Z+P}(−S) · h_{4Z+3P}(S)); Z ← 4Z + 3P;
        Endif
    Endfor
    Return f

4.2 Refinement 2

Suppose that most bits in the binary representation $n = \sum_{i=0}^{t} b_i 2^i$ are $1$. Then Miller's algorithm can be modified to save more field operations, based on the following observation. By rearranging Formula 4.1 (moving each factor $h_{\lfloor n/2^{i-1} \rfloor P}$ from the term with exponent $2^{i-1}$ into the next term, where it appears squared) and then applying part 1 of Lemma 3.2, the following is obtained:
$$f_n = f_1^n \left( \frac{h_{P,P}\; h_{2P,\, b_{t-1}P}}{h_{2P}} \right)^{2^{t-1}} \prod_{i=t-1}^{1} \left( \frac{h_{\lfloor n/2^i \rfloor P,\, \lfloor n/2^i \rfloor P}\; h_{2\lfloor n/2^i \rfloor P,\, b_{i-1}P}}{(h_{\lfloor n/2^i \rfloor P})^2\; h_{2\lfloor n/2^i \rfloor P}} \right)^{2^{i-1}}$$
$$= f_1^n \left( \frac{h_{P,P}\; h_{2P,\, b_{t-1}P}}{h_{2P}} \right)^{2^{t-1}} \prod_{i=t-1}^{1} \left( \frac{h_{2\lfloor n/2^i \rfloor P,\, b_{i-1}P}}{h_{\lfloor n/2^i \rfloor P,\, \lfloor n/2^i \rfloor P}(-S)} \right)^{2^{i-1}}.$$
The fact that $h_{nP} = 1$ has been used, and the last term inside the product symbol is $1/h_{\lfloor n/2 \rfloor P,\, \lfloor n/2 \rfloor P}(-S)$.

Algorithm 4.2 (Improved Miller's algorithm (version 2))
INPUT: Integer $n = \sum_{i=0}^{t} b_i 2^i$ with $b_i \in \{0, 1\}$ and $b_t = 1$, and a point $S \in E$
OUTPUT: $f = f_n(S)$.
    If b_{t−1} = 0 then
        f ← f_1^2 · h_{P,P}(S); Z ← 2P;
    Else
        f ← f_1^3 · h_{P,P}(S) · h_{2P,P}(S) / h_{2P}(S); Z ← 3P;
    Endif
    For j ← t−2, ..., 1, 0 do
        If b_j = 0 then
            f ← f^2 · h_{2Z}(S) / h_{Z,Z}(−S); Z ← 2Z;
        Else
            f ← f_1 · f^2 · h_{2Z,P}(S) / h_{Z,Z}(−S); Z ← 2Z + P;
        Endif
    Endfor
    Return f

In [8], Eisenträger, Lauter and Montgomery suggested a method that eliminates a field multiplication and a field squaring in the computation of $2Q + P$. They obtained an improvement of Miller's algorithm by using this observation and a parabola substitution. Their algorithm speeds up the computation in the case where most bits in the binary representation of $n$ are $1$. Although their method cannot be combined with the above algorithm, we may modify and simplify the function $f_n$ as follows (computing $2\lfloor n/2^i \rfloor P + b_{i-1}P$ as $(\lfloor n/2^i \rfloor P + b_{i-1}P) + \lfloor n/2^i \rfloor P$ and applying part 2 of Lemma 3.2) so that the method of Eisenträger, Lauter and Montgomery can be used:
$$f_n = f_1^n \prod_{i=t}^{1} \left( \frac{h_{\lfloor n/2^i \rfloor P,\, b_{i-1}P}\; h_{(\lfloor n/2^i \rfloor + b_{i-1})P,\, \lfloor n/2^i \rfloor P}}{h_{(\lfloor n/2^i \rfloor + b_{i-1})P}\; h_{(2\lfloor n/2^i \rfloor + b_{i-1})P}} \right)^{2^{i-1}} = f_1^n \prod_{i=t}^{1} \left( \frac{h_{\lfloor n/2^i \rfloor P,\, b_{i-1}P}\; h_{\lfloor n/2^i \rfloor P}}{h_{(\lfloor n/2^i \rfloor + b_{i-1})P,\, \lfloor n/2^i \rfloor P}(-S)} \right)^{2^{i-1}}.$$
An algorithm can be formed as before based on the above formula.

4.3 Refinement 3

As stated in [1, 6], point tripling is a relatively cheap operation in characteristic three, and the base-three version of Miller's algorithm (Algorithm 2.2) should be used in this case. Let $n = \sum_{i=0}^{r} t_i 3^i$ with $t_r \neq 0$. Applying part 3 of Lemma 3.2 to Formula 4.2, we see that
$$f_n = f_1^n \left( \frac{h_{(3 - \lfloor n/3^r \rfloor)P,\, (\lfloor n/3^r \rfloor - 1)P}}{h_{2P}} \right)^{3^r} \prod_{i=r}^{1} \left( \frac{h_{\lfloor n/3^i \rfloor P,\, \lfloor n/3^i \rfloor P}\; h_{2\lfloor n/3^i \rfloor P,\, \lfloor n/3^i \rfloor P}\; h_{3\lfloor n/3^i \rfloor P,\, t_{i-1}P}}{h_{2\lfloor n/3^i \rfloor P}\; h_{3\lfloor n/3^i \rfloor P}\; h_{\lfloor n/3^{i-1} \rfloor P}} \right)^{3^{i-1}}$$
$$= f_1^n \left( \frac{h_{(3 - \lfloor n/3^r \rfloor)P,\, (\lfloor n/3^r \rfloor - 1)P}}{h_{2P}} \right)^{3^r} \prod_{i=r}^{1} \left( \frac{h_{\lfloor n/3^i \rfloor P,\, \lfloor n/3^i \rfloor P}\; h_{\lfloor n/3^i \rfloor P}\; h_{3\lfloor n/3^i \rfloor P,\, t_{i-1}P}}{h_{2\lfloor n/3^i \rfloor P,\, \lfloor n/3^i \rfloor P}(-S)\; h_{\lfloor n/3^{i-1} \rfloor P}} \right)^{3^{i-1}}.$$
This formula is realised by Algorithm 4.3, which improves Algorithm 2.2.

Algorithm 4.3 (Improved Miller's algorithm (version 3))
INPUT: Integer $n = \sum_{i=0}^{r} t_i 3^i$ with $t_i \in \{0, 1, 2\}$ and $t_r \neq 0$, and a point $S \in E$
OUTPUT: $f = f_n(S)$.
    f_2 ← f_1^2 · h_{P,P}(S) / h_{2P}(S);
    f ← f_1; Z ← P;
    If t_r = 2 then f ← f_2; Z ← 2P; Endif
    For j ← r−1, r−2, ..., 1, 0 do
        f ← f^3 · h_{Z,Z}(S) · h_Z(S) / h_{2Z,Z}(−S); Z ← 3Z;
        If t_j = 1 then
            f ← f_1 · f · h_{Z,P}(S) / h_{Z+P}(S); Z ← Z + P;
        Endif
        If t_j = 2 then
            f ← f_2 · f · h_{Z,2P}(S) / h_{Z+2P}(S); Z ← Z + 2P;
        Endif
    Endfor
    Return f

5 Analysis

In this section some detailed analysis of the refinements is given and the number of operations that can be saved is discussed. As indicated in [1, 6, 8], in actual implementations of the algorithms the operations in the numerator and the denominator of each step are kept separate, and a single division is performed at the end of the procedure. Observe that the savings come from the elimination of terms like $h_{X,Y}(S)$ and $h_X(S)$. It is easy to see that $h_{X,Y}(S)$ and $h_{X,Y}(-S)$ each cost one field multiplication if the slope has been precalculated. Also note that both Algorithm 4.1 and Algorithm 4.2 use the same method for the point operations (doubling and addition) as Miller's original Algorithm 2.1, so we only count the field operations used to evaluate $h_{X,Y}$ and $h_X$ and to multiply (or square) terms like $h_{X,Y}(\pm S)$ and $h_X(S)$.

First, the savings made by our first improvement (Algorithm 4.1) are estimated. Consider a single round of the for loop of Algorithm 4.1. Two field multiplications are saved in each case. For example, if $q_j = 1$ the step is
$$f \leftarrow f_1 f^4 \frac{h^2_{Z,Z}(S)\; h_{4Z,P}(S)}{h_{2Z,2Z}(-S)\; h_{4Z+P}(S)}.$$
If we assume that $f_1$ and $f$ have already been written as quotients on the right-hand side, then it takes 2 squarings and 6 multiplications for the numerator, and 2 squarings and 4 multiplications for the denominator. This should be compared with 2 rounds of the for loop of the original Miller's Algorithm 2.1, with the following result:
$$f \leftarrow f_1 f^4 \frac{h^2_{Z,Z}(S)\; h_{2Z,2Z}(S)\; h_{4Z,P}(S)}{h^2_{2Z}(S)\; h_{4Z}(S)\; h_{4Z+P}(S)}.$$
It requires 2 squarings and 8 multiplications for the numerator, and 2 squarings and 4 multiplications for the denominator.
So the number of field multiplications saved in total is $2\log_4 n = \log_2 n$.

Next, the savings made by Algorithm 4.2 are considered. For each single round of the for loop with $b_j = 1$, our computation
$$f \leftarrow f_1 f^2 \frac{h_{2Z,P}(S)}{h_{Z,Z}(-S)}$$
needs 1 squaring and 3 multiplications for the numerator, and 1 squaring and 3 multiplications for the denominator. This is two field multiplications fewer than the computation
$$f \leftarrow f_1 f^2 \frac{h_{Z,Z}(S)\; h_{2Z,P}(S)}{h_{2Z}(S)\; h_{2Z+P}(S)}$$
of the original algorithm. Thus the overall saving is $2H(n)$, where again $H(n)$ is the weight of the binary expansion of $n$.

As indicated in section 4.2, we can rewrite the case $b_j = 1$ of the for loop in the original Miller's algorithm as
$$f \leftarrow f_1 f^2 \frac{h_{Z,P}(S)\; h_{Z+P,Z}(S)}{h_{Z+P}(S)\; h_{2Z+P}(S)}$$
and simplify it to
$$f \leftarrow f_1 f^2 \frac{h_{Z,P}(S)\; h_Z(S)}{h_{Z+P,Z}(-S)}.$$
One field multiplication is saved in the numerator, and hence a total of $H(n)$ field multiplications are saved. But since there is no need to reference (the $y$-coordinate of) $2Z$, the trick of Eisenträger, Lauter and Montgomery can be used, so another $H(n)$ field multiplications and $H(n)$ field squarings can be saved.

Similarly to the previous discussion, it can be checked that Algorithm 4.3 saves $\log_3 n$ field multiplications compared with its base-three counterpart. Note that in this case $\log_3 n$ point triplings are performed; since tripling can be made very efficient, Algorithm 4.3 is a good choice here.

Table 1 summarizes the performance of the new algorithms, where the numbers in the saving column indicate the number of field multiplications eliminated by the respective algorithms.

    Algorithm       Saving      Condition for improvement
    Algorithm 4.1   log_2 n     All values of n
    Algorithm 4.2   2H(n)       Higher Hamming weight
    Algorithm 4.3   log_3 n     Characteristic three

    Table 1: Performance of the improved algorithms

Finally, two examples are given.
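The following program is an added example and not code from the paper: it implements Algorithm 2.1 and the refined Algorithms 4.1 and 4.2 on a constructed toy curve and checks the point of Remark 3.3, namely that the refinements return the same $f_n(S)$ as Miller's original algorithm up to sign. All parameters are constructed for this example: the curve $E: y^2 = x^3 + x + 1$ over $\mathbb{F}_{23}$ (so $a_1 = a_3 = 0$ and $-S = (x_S, -y_S)$, which makes $\bar h(S) = h(-S)$ a sign flip of the $y$-coordinate), the point $P = (13, 16)$ of prime order $n = 7$, the point $S = (0, 1)$ outside the subgroup generated by $P$, and the Tate convention $f_1 = 1$ of [1]. The function names are this example's own; Algorithm 4.3 is not included because it needs a characteristic-three field.

```python
# Added example, not code from the paper: Miller's Algorithm 2.1 against the
# refined Algorithms 4.1 and 4.2 on a constructed toy curve, checking that the
# refinements return f_n(S) up to sign (Remark 3.3).  Constructed parameters:
# E: y^2 = x^3 + x + 1 over F_23 (a1 = a3 = 0, so -S = (x_S, -y_S)),
# P = (13, 16) of prime order n = 7, and the Tate convention f_1 = 1 of [1].
p, A = 23, 1          # field and curve coefficient a4; O is the point at infinity
O = None

def neg(R):
    return O if R is O else (R[0], (-R[1]) % p)

def slope(R, T):      # slope of the line through R and T (tangent if R = T)
    if R == T:
        return (3 * R[0] * R[0] + A) * pow(2 * R[1], -1, p) % p
    return (T[1] - R[1]) * pow(T[0] - R[0], -1, p) % p

def add(R, T):        # group law on E(F_p)
    if R is O: return T
    if T is O: return R
    if R[0] == T[0] and (R[1] + T[1]) % p == 0:
        return O      # T = -R
    lam = slope(R, T)
    x = (lam * lam - R[0] - T[0]) % p
    return (x, (lam * (R[0] - x) - R[1]) % p)

def h_vert(R, S):     # h_R(S) = x_S - x_R, vertical line through R; h_O = 1
    return 1 if R is O else (S[0] - R[0]) % p

def h_line(R, T, S):  # h_{R,T}(S); vertical when T = -R; h_{O,T} = h_T
    if R is O: return h_vert(T, S)
    if T is O: return h_vert(R, S)
    if R[0] == T[0] and (R[1] + T[1]) % p == 0:
        return h_vert(R, S)
    return (slope(R, T) * (S[0] - R[0]) + R[1] - S[1]) % p

def inv(v):
    return pow(v, -1, p)

def multiples(P):     # P, 2P, ..., (n-1)P where n is the order of P
    pts, Z = [], P
    while Z is not O:
        pts.append(Z); Z = add(Z, P)
    return pts

def miller_2_1(n, P, S, f1=1):
    """Algorithm 2.1: double-and-add over the bits b_{t-1} ... b_0 of n."""
    f, Z = f1, P
    for b in bin(n)[3:]:
        f = f * f * h_line(Z, Z, S) * inv(h_vert(add(Z, Z), S)) % p; Z = add(Z, Z)
        if b == '1':
            f = f1 * f * h_line(Z, P, S) * inv(h_vert(add(Z, P), S)) % p; Z = add(Z, P)
    return f

def miller_4_1(n, P, S, f1=1):
    """Algorithm 4.1: base-4 digits q_r ... q_0; the signs of Lemma 3.2 are dropped."""
    digits, m = [], n
    while m: digits.append(m % 4); m //= 4
    digits.reverse()
    negS, P2 = neg(S), add(P, P)
    f, Z = f1, P
    if digits[0] == 2:
        f = f * f * h_line(P, P, S) * inv(h_vert(P2, S)) % p; Z = P2
    elif digits[0] == 3:
        f = pow(f, 3, p) * h_line(P, P, S) * h_vert(P, S) * inv(h_line(P2, P, negS)) % p
        Z = add(P2, P)
    for q in digits[1:]:
        Z2 = add(Z, Z); Z4 = add(Z2, Z2); Z2P = add(Z2, P); Z4P2 = add(Z4, P2)
        f = pow(f, 4, p) * pow(h_line(Z, Z, S), 2, p) % p   # common factor f^4 h_{Z,Z}^2(S)
        if q == 0:
            f = f * inv(h_line(Z2, Z2, negS)) % p
        elif q == 1:
            f = f1 * f * h_line(Z4, P, S) * inv(h_vert(add(Z4, P), S) * h_line(Z2, Z2, negS)) % p
        elif q == 2:
            f = f1 * f1 * f * pow(h_line(Z2, P, S), 2, p) \
                * inv(pow(h_vert(Z2, S), 2, p) * h_line(Z2P, Z2P, negS)) % p
        else:
            f = pow(f1, 3, p) * f * pow(h_line(Z2, P, S), 2, p) * h_line(Z4P2, P, S) \
                * inv(pow(h_vert(Z2, S), 2, p) * h_line(Z2P, Z2P, negS) * h_vert(add(Z4P2, P), S)) % p
        Z = Z4
        for _ in range(q): Z = add(Z, P)
    return f

def miller_4_2(n, P, S, f1=1):
    """Algorithm 4.2: after the top two bits, each bit costs one line at S and one at -S."""
    bits, negS, P2 = bin(n)[2:], neg(S), add(P, P)
    if bits[1] == '0':
        f, Z = f1 * f1 * h_line(P, P, S) % p, P2
    else:
        f, Z = pow(f1, 3, p) * h_line(P, P, S) * h_line(P2, P, S) * inv(h_vert(P2, S)) % p, add(P2, P)
    for b in bits[2:]:
        Z2 = add(Z, Z)
        if b == '0':
            f, Z = f * f * h_vert(Z2, S) * inv(h_line(Z, Z, negS)) % p, Z2
        else:
            f, Z = f1 * f * f * h_line(Z2, P, S) * inv(h_line(Z, Z, negS)) % p, add(Z2, P)
    return f

def cross_check(P, S):
    """(n, f by 2.1, f by 4.1, f by 4.2, True if all three agree up to sign)."""
    pts = multiples(P)
    n = len(pts) + 1
    if S in pts:
        raise ValueError("S must not be a multiple of P (Remark 3.3)")
    r = (miller_2_1(n, P, S), miller_4_1(n, P, S), miller_4_2(n, P, S))
    return (n,) + r + (all(v == r[0] or (v + r[0]) % p == 0 for v in r),)

print(cross_check((13, 16), (0, 1)))   # constructed P of order 7 and S = (0, 1)
```

With these parameters Algorithm 2.1 returns $3$ while Algorithms 4.1 and 4.2 both return $20 = -3 \bmod 23$, the sign difference being exactly the one that Lemma 3.2 introduces and Remark 3.3 discards. The `multiples` check enforces the requirement $S \neq P, 2P, \dots, nP$; any other point outside the subgroup generated by $P$ gives the same agreement up to sign.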
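A second added example, again not from the paper, expands $f_n$ symbolically as the product of line functions that Algorithms 2.1, 4.1 and 4.2 accumulate, in the shorthand that Example 5.1 uses ($h_{k,m}$ for $h_{kP,mP}(S)$, $\bar h_{k,m}$ for $h_{kP,mP}(-S)$, $h_k$ for $h_{kP}(S)$), and counts how many distinct line evaluations each algorithm needs. It works for any $n$, not only for $191$ and $257$; the term keys, the `evaluations` count and the `render` format are this example's own, the Tate convention $f_1 = 1$ is assumed, and $h_{nP}$ (which equals $h_O = 1$) is kept as the symbol $h_n$ just as the paper's examples list it.

```python
# Added example (not from the paper): expand f_n symbolically into the product of
# line functions accumulated by Algorithms 2.1, 4.1 and 4.2, in the shorthand of
# Example 5.1.  Term keys (an assumption of this example): ('h', k, m) is
# h_{kP,mP}(S), ('hbar', k, m) is h_{kP,mP}(-S), ('v', k) is h_{kP}(S).  The
# multiple Z = kP is tracked as the integer k, f_1 = 1 is assumed, and h_{nP}
# (= h_O = 1) is kept as the symbol h_n, as the paper's examples do.
from collections import Counter

def _raise(acc, e):
    """f <- f^e: multiply every exponent by e."""
    for t in acc:
        acc[t] *= e

def expand_2_1(n):
    acc, Z = Counter(), 1
    for b in bin(n)[3:]:                                  # bits b_{t-1} ... b_0
        _raise(acc, 2)
        acc[('h', Z, Z)] += 1; acc[('v', 2 * Z)] -= 1; Z *= 2
        if b == '1':
            acc[('h', Z, 1)] += 1; acc[('v', Z + 1)] -= 1; Z += 1
    return acc

def expand_4_1(n):
    digits, m = [], n
    while m: digits.append(m % 4); m //= 4
    digits.reverse()                                      # q_r ... q_0
    acc, Z = Counter(), 1
    if digits[0] == 2:
        acc[('h', 1, 1)] += 1; acc[('v', 2)] -= 1; Z = 2
    elif digits[0] == 3:
        acc[('h', 1, 1)] += 1; acc[('v', 1)] += 1; acc[('hbar', 2, 1)] -= 1; Z = 3
    for q in digits[1:]:
        _raise(acc, 4)
        acc[('h', Z, Z)] += 2                             # h_{Z,Z}^2(S) in every case
        if q == 0:
            acc[('hbar', 2 * Z, 2 * Z)] -= 1
        elif q == 1:
            acc[('h', 4 * Z, 1)] += 1; acc[('v', 4 * Z + 1)] -= 1; acc[('hbar', 2 * Z, 2 * Z)] -= 1
        elif q == 2:
            acc[('h', 2 * Z, 1)] += 2; acc[('v', 2 * Z)] -= 2; acc[('hbar', 2 * Z + 1, 2 * Z + 1)] -= 1
        else:
            acc[('h', 2 * Z, 1)] += 2; acc[('h', 4 * Z + 2, 1)] += 1
            acc[('v', 2 * Z)] -= 2; acc[('hbar', 2 * Z + 1, 2 * Z + 1)] -= 1; acc[('v', 4 * Z + 3)] -= 1
        Z = 4 * Z + q
    return acc

def expand_4_2(n):
    bits = bin(n)[2:]
    acc = Counter()
    acc[('h', 1, 1)] += 1
    if bits[1] == '0':
        Z = 2
    else:
        acc[('h', 2, 1)] += 1; acc[('v', 2)] -= 1; Z = 3
    for b in bits[2:]:
        _raise(acc, 2)
        acc[('hbar', Z, Z)] -= 1                          # the one evaluation at -S
        if b == '0':
            acc[('v', 2 * Z)] += 1; Z *= 2
        else:
            acc[('h', 2 * Z, 1)] += 1; Z = 2 * Z + 1
    return acc

def evaluations(acc):
    """Number of distinct line functions evaluated, i.e. of factors in the product."""
    return sum(1 for e in acc.values() if e != 0)

def render(acc):
    """Numerator / denominator in the h_{k,m}, hbar_{k,m}, h_k shorthand."""
    def name(t):
        return f"h_{t[1]}" if t[0] == 'v' else f"{t[0]}_{{{t[1]},{t[2]}}}"
    items = sorted(acc.items(), key=lambda kv: (kv[0][1], kv[0][0]))
    num = " ".join(name(t) + (f"^{e}" if e > 1 else "") for t, e in items if e > 0)
    den = " ".join(name(t) + (f"^{-e}" if e < -1 else "") for t, e in items if e < 0)
    return f"({num}) / ({den})"

if __name__ == "__main__":
    for n in (191, 257):
        for label, fn in (("2.1", expand_2_1), ("4.1", expand_4_1), ("4.2", expand_4_2)):
            acc = fn(n)
            print(f"f_{n}, Algorithm {label}: {evaluations(acc)} factors\n  {render(acc)}")
```

For $n = 191$ the three expansions contain 26, 20 and 13 factors, and for $n = 257$ they contain 18, 10 and 15; the gap between Algorithm 2.1 and Algorithm 4.1 is two factors per base-4 loop round in both cases, which is the per-round saving counted in the analysis above.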
We list the calculation formulas for $f_{191}$ and $f_{257}$ using Miller's algorithm from [1, 3] (Algorithm 2.1), our improved version 1 (Algorithm 4.1) and our improved version 2 (Algorithm 4.2). Notice that the primes $191$ and $257$ represent two extreme situations: the first has only one zero in its binary expansion, and the second is of weight two, the minimal weight possible for a nontrivial prime. Here the symbols $h_{kP,mP}$ and $h_{kP}$ are shortened to $h_{k,m}$ and $h_k$ respectively, and $\bar h_{k,m}$ is used to denote $h_{kP,mP}(-S)$.

Example 5.1 Compute $f_{191}$: $191 = (10111111)_2 = (2333)_4$.

Algorithm 2.1:
$$f = f_1^{191}\, \frac{h_{1,1}^{64}\, h_{2,2}^{32}\, h_{4,1}^{32}\, h_{5,5}^{16}\, h_{10,1}^{16}\, h_{11,11}^{8}\, h_{22,1}^{8}\, h_{23,23}^{4}\, h_{46,1}^{4}\, h_{47,47}^{2}\, h_{94,1}^{2}\, h_{95,95}\, h_{190,1}}{h_{2}^{64}\, h_{4}^{32}\, h_{5}^{32}\, h_{10}^{16}\, h_{11}^{16}\, h_{22}^{8}\, h_{23}^{8}\, h_{46}^{4}\, h_{47}^{4}\, h_{94}^{2}\, h_{95}^{2}\, h_{190}\, h_{191}}$$

Algorithm 4.1:
$$f = f_1^{191}\, \frac{h_{1,1}^{64}\, h_{2,2}^{32}\, h_{4,1}^{32}\, h_{10,1}^{16}\, h_{11,11}^{8}\, h_{22,1}^{8}\, h_{46,1}^{4}\, h_{47,47}^{2}\, h_{94,1}^{2}\, h_{190,1}}{h_{2}^{64}\, h_{4}^{32}\, \bar h_{5,5}^{16}\, h_{11}^{16}\, h_{22}^{8}\, \bar h_{23,23}^{4}\, h_{47}^{4}\, h_{94}^{2}\, \bar h_{95,95}\, h_{191}}$$

Algorithm 4.2:
$$f = f_1^{191}\, \frac{h_{1,1}^{64}\, h_{4,1}^{32}\, h_{10,1}^{16}\, h_{22,1}^{8}\, h_{46,1}^{4}\, h_{94,1}^{2}\, h_{190,1}}{\bar h_{2,2}^{32}\, \bar h_{5,5}^{16}\, \bar h_{11,11}^{8}\, \bar h_{23,23}^{4}\, \bar h_{47,47}^{2}\, \bar h_{95,95}}$$

Compute $f_{257}$: $257 = (100000001)_2 = (10001)_4$.

Algorithm 2.1:
$$f = f_1^{257}\, \frac{h_{1,1}^{128}\, h_{2,2}^{64}\, h_{4,4}^{32}\, h_{8,8}^{16}\, h_{16,16}^{8}\, h_{32,32}^{4}\, h_{64,64}^{2}\, h_{128,128}\, h_{256,1}}{h_{2}^{128}\, h_{4}^{64}\, h_{8}^{32}\, h_{16}^{16}\, h_{32}^{8}\, h_{64}^{4}\, h_{128}^{2}\, h_{256}\, h_{257}}$$

Algorithm 4.1:
$$f = f_1^{257}\, \frac{h_{1,1}^{128}\, h_{4,4}^{32}\, h_{16,16}^{8}\, h_{64,64}^{2}\, h_{256,1}}{\bar h_{2,2}^{64}\, \bar h_{8,8}^{16}\, \bar h_{32,32}^{4}\, \bar h_{128,128}\, h_{257}}$$

Algorithm 4.2:
$$f = f_1^{257}\, \frac{h_{1,1}^{128}\, h_{4}^{64}\, h_{8}^{32}\, h_{16}^{16}\, h_{32}^{8}\, h_{64}^{4}\, h_{128}^{2}\, h_{256,1}}{\bar h_{2,2}^{64}\, \bar h_{4,4}^{32}\, \bar h_{8,8}^{16}\, \bar h_{16,16}^{8}\, \bar h_{32,32}^{4}\, \bar h_{64,64}^{2}\, \bar h_{128,128}}$$

Comments

Three refinements for the computation of the Tate/Weil pairing have been given and the corresponding performance analyzed. The savings in the number of multiplications noted could prove important for the performance of implementations of the many new and interesting protocols that have been, and will continue to be, developed using these pairings.

References

[1] P. S. L. M. Barreto, H. Y. Kim, B. Lynn and M. Scott, Efficient algorithms for pairing-based cryptosystems, Advances in Cryptology - CRYPTO '02 (Santa Barbara, CA, 2002) (M. Yung, ed.), Lecture Notes in Comput. Sci., vol. 2442, Springer-Verlag, Heidelberg, 2002, pp. 354–368.
[2] I. F. Blake, G. Seroussi and N. P. Smart, Elliptic Curves in Cryptography, Cambridge University Press, Cambridge, 1999.
[3] D. Boneh and M. Franklin, Identity-based encryption from the Weil pairing, Advances in Cryptology - CRYPTO '01 (J. Kilian, ed.), Lecture Notes in Comput. Sci., vol. 2139, Springer-Verlag, Heidelberg, 2001, pp. 213–239.
[4] D. Boneh, B. Lynn and H. Shacham, Short signatures from the Weil pairing, Advances in Cryptology - ASIACRYPT '01 (C. Boyd, ed.), Lecture Notes in Comput. Sci., vol. 2248, Springer-Verlag, Heidelberg, 2001, pp. 514–532.
[5] G. Frey and H. G. Rück, A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves, Mathematics of Computation, 62 (1994), 865–874.
[6] S. Galbraith, K. Harrison and D. Soldera, Implementing the Tate pairing, Algorithmic Number Theory Symposium, ANTS-V (C. Fieker and D. Kohel, eds.), Lecture Notes in Comput. Sci., vol. 2369, Springer-Verlag, Heidelberg, 2002, pp. 324–337.
[7] A. Joux, A one round protocol for tripartite Diffie-Hellman, Algorithmic Number Theory Symposium, ANTS-IV (W. Bosma, ed.), Lecture Notes in Comput. Sci., vol. 1838, Springer-Verlag, Heidelberg, 2000, pp. 385–393.
[8] K. Eisenträger, K. Lauter and P. L. Montgomery, Fast elliptic curve arithmetic and improved Weil pairing evaluation, Topics in Cryptology, CT-RSA '03, Lecture Notes in Comput. Sci., vol. 2612, Springer-Verlag, Heidelberg, 2003, pp. 343–354.
[9] N. Koblitz, Elliptic curve cryptosystems, Mathematics of Computation, 48 (1987), 203–209.
[10] A. J. Menezes, T. Okamoto and S. A. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field, IEEE Transactions on Information Theory, 39 (1993), 1639–1646.
[11] V. Miller, Short programs for functions on curves, unpublished manuscript, 1986.
[12] V. Miller, Uses of elliptic curves in cryptography, Advances in Cryptology - CRYPTO '85, Lecture Notes in Comput. Sci., vol. 218, Springer-Verlag, Heidelberg, 1986, pp. 417–462.
[13] R. Sakai, K. Ohgishi and M. Kasahara, Cryptosystems based on pairing, SCIS 2000, Okinawa, Japan, 2000.
[14] A. Shamir, Identity-based cryptosystems and signature schemes, Advances in Cryptology - CRYPTO '84, Lecture Notes in Comput. Sci., vol. 196, Springer-Verlag, Heidelberg, 1984, pp. 47–53.
[15] J. H. Silverman, The Arithmetic of Elliptic Curves, Graduate Texts in Mathematics, 106, Springer-Verlag, 1986.
[16] E. R. Verheul, Self-blindable credential certificates from the Weil pairing, Advances in Cryptology - ASIACRYPT '01 (C. Boyd, ed.), Lecture Notes in Comput. Sci., vol. 2248, Springer-Verlag, Heidelberg, 2001, pp. 533–551.