A Construction of a Twisted Ate Pairing on a Family of

Kawazoe-Takahashi Curves at 192-bit Security Level and

Its Cost Estimate

Masahiro Ishii

, Atsuo Inomata

and Kazutoshi Fujikawa

Nara Institute of Science and Technology, 8916-5 Takayama, Ikoma, NARA, 630-0192, Japan

Information Initiative Center, Nara Institute of Science and Technology, 8916-5 Takayama, Ikoma, NARA, 630-0192, Japan

Keywords:

Twisted Ate Pairings, Optimal Pairings, Hyperelliptic Curves, Final Exponentiation.

Abstract:

Recently, there were major breakthroughs in computing DL in ﬁnite ﬁelds of small characteristics, as a result

the symmetric pairings which is deﬁned by using such ﬁnite ﬁelds became unsuitable for cryptography. This

research aims to reveal a more efﬁcient construction of pairings on hyperelliptic curves of genus 2, in the

beginning, we focus on the ordinary genus 2 curves and the optimal pairing algorithms at high (192-bit)

security level on such curves. In this paper, we show the method to construct optimal pairings over the family

of pairing-friendly curves of genus 2 by Kawazoe and Takahashi and offered a twisted version of Ate pairing.

We then provide the cost estimates to compare with the result of the pairings on elliptic curve at same security

level.

1 INTRODUCTION

Pairings on hyperelliptic curves (including elliptic

curves) have been applied to many cryptographic

schemes (functional encryption and its varieties), and

the various optimization methods that increase the

speed of the algorithm of pairings and their arithmetic

of curves have been exploited.

Recently, major theoretical and practical break-

through in computing discrete logarithms in ﬁnite

ﬁelds of small characteristic and also other ﬁelds have

been made (Barbulescu et al., 2014; Barbulescu et al.,

2015). As a result, the type 1 (symmetric) pairings

have been almost dead since these pairings are deﬁned

on the supersingular curves of high embedding degree

over ﬁnite ﬁelds of small characteristic to use their

distortion maps. We should also improve the secu-

rity level of pairings for the complexity of the discrete

logarithm algorithm in other ﬁnite ﬁelds. Since type

1 pairings are still useful for constructing some cryp-

tographic protocols, some authors offered the type 1

pairing on the curves not deﬁned over ﬁnite ﬁelds

of small characteristic in elliptic case (Teruya et al.,

2014; Zhang and Wang, 2014) and in genus 2 case

(Galbraith et al., 2008). Their pairings, however, are

not suitable for the situation required high security

level because of their small embedding degree.

Aranha et al. (Aranha et al., 2013) showed

optimal asymmetric pairings on Kachisa-Schaefer-

Scott (KSS), Barreto-Naehrig (BN), and Barreto-

Lynn-Scott (BLS) elliptic curves at the 192-bit secu-

rity level and their cost estimates and implementation

result. They constructed the optimal (ate) pairings and

Weil type ones (Hess, 2008; Vercauteren, 2010) on

each elliptic curve family. The BLS pairings is the

most efﬁcient and the result of serial implementation

of BLS pairings is more than 3 times faster than the

result of (Scott, 2011).

In this paper, we focus on the ordinary hyperel-

liptic curves of genus 2 at high, i.e. 192-bit secu-

rity level. We show the method to construct the op-

timal pairing and its twisted version over the fam-

ily of pairing-friendly curves of genus 2 by Kawa-

zoe and Takahashi (Kawazoe and Takahashi, 2008)

We offered that a twisted Ate pairing is most efﬁcient

and described cost estimates in detail. Especially, we

clarify the cost of the ﬁnal exponentiation where em-

bedding degree k = 16.

The aim of this research is that eventually reveal

an efﬁcient construction of pairings on hyperelliptic

curves of genus 2. This research for exploiting more

efﬁcient pairings on genus 2 curves is in progress and

our pairing showed in this paper does not faster one

than the state-of-the-art elliptic pairing.

The remainder of this paper is organized as fol-

lows. We recall background on several pairings on hy-

432

Ishii, M., Inomata, A. and Fujikawa, K.

A Construction of a Twisted Ate Pairing on a Family of Kawazoe-Takahashi Curves at 192-bit Security Level and Its Cost Estimate.

DOI: 10.5220/0005742304320439

In Proceedings of the 2nd International Conference on Information Systems Security and Privacy (ICISSP 2016), pages 432-439

ISBN: 978-989-758-167-0

perelliptic curves in section 2. Section 3 describes the

method of constructing Kawazoe-Takahashi curves

and the curve parameter we used to evaluate the pair-

ing in practice. We show how to construct optimal

pairings derived from Hess (Hess, 2008) and Ver-

cauteren (Vercauteren, 2010) on the curve and its

twisted version in section 4, after that the cost esti-

mates and its comparison are described in section 5.

Finally, we present conclusions and suggestions for

future work in section 6.

2 PRELIMINARY

In this section, we describe the pairings on hyperel-

liptic curves, especially, Hess-Vercauteren (HV) pair-

ings (Balakrishnan et al., 2009) given by Hess (Hess,

2008) and Vercauteren (Vercauteren, 2010) as general

framework for pairings on Frobenius eigenspaces.

Let C be a hyperelliptic curve deﬁned over F

and

let Jac

(' Pic

) denote Jacobian of C. Let r be a

positive integer and suppose that F

is an extension

ﬁeld of F

such that r|(q

− 1) and Jac

) con-

tains no elements of order r

. The smallest integer k

which holds the avobe condition is called embedding

degree of Jac

with respect to r. For a divisor class

D ∈ Jac

)[r], f

r,D

denotes a rational function as-

sociated the principal divisor rD. Let E =

∑

P be

a divisor class disjoint from D. Then we call T

the

modiﬁed Tate-Lichtenbaum pairing as follows

: Jac

)[r] ×Jac

)[r] → µ

⊂ F

(D,E) 7→ f

r,D

(E) =

∏

r,D

(P)

−1)/r

The map T

is bilinear, non-degenerate and the

value of T

is independent of representation of the di-

visor classes.

By limiting the domains of pairings to eigenspaces

of the Frobenius map, more efﬁcient pairings which

have shorter Miller loop were exploited, called Ate

pairings (Granger et al., 2007) and twisted Ate pair-

ings (Zhang, 2010). These pairings are special case

of HV pairings.

Let π be the q-th Frobenius map, we take G

and

which are subgroups of Jac

) as follows,

:= Jac

)[r] ∩ker (π − [1])

:= Jac

)[r] ∩ker (π − [q]).

We consider h(x) =

∑

i=0

∈ Z[x] such that h(x) ≡

0 (mod r) and generalized Miller function f

s,h,D

(D ∈

Jac

)[r]) which is any function with

∑

i=0

ρ(s

D),

where ρ(D) is the reduced divisor which is equivalent

to D. Let s ≡ q

(mod r) for some j ∈ Z. We then

obtain the bilinear pairing (HV pairing) (Balakrishnan

et al., 2009, Theorem 4.1)

s,h

: G

× G

→ µ

) 7→ f

s,h,D

)

−1)/r

satisfying

s,h

) = T

)

h(s)/r

s,h

is non-degenerate if and only if h(s) 6≡ 0

(mod r

If C has the twist C

of degree d, i.e., d is the

minimal integer satisfying that there exists an isomor-

phism φ: C

→ C over F

, a twisted version of the

HV pairing exists (Balakrishnan et al., 2009, Remark

4.4). We suppose that gcd(k,]Aut(C)) 6= 1, then

twist

s,h

: G

× G

→ µ

is also a bilinear and non-degenerate (under same con-

dition of HV pairings) pairing (Hess, 2008, Theorem

1).

In twisted case, we remark that the automorphism

[ξ]π

k/m

plays an important role where m = gcd(k, d)

and [ξ] ∈ Aut(C) deﬁned by the twist (see (Zhang,

2010)). This map acts on G

as [q

] and acts on G

as [1], therefore we can reverse the roles of G

and G

in HV pairings.

3 KAWAZOE-TAKAHASHI

CURVES AND SECURITY

LEVEL

Many researcher has exploited the pairing-friendly

curves of genus 2 (Kawazoe and Takahashi, 2008;

Kachisa, 2010; Freeman and Satoh, 2011; Guillevic

and Vergnaud, 2013). In this paper, we focus on

Kawazoe-Takahashi curve (Kawazoe and Takahashi,

2008) of embedding degree 16 for efﬁcient ﬁeld size

at 192-bit security level. By using the method to con-

struct the cyclotomic family of type I (Kawazoe and

Takahashi, 2008, Section 6.1), we can obtain a family

of curves

C : y

= x

+ ax

A Construction of a Twisted Ate Pairing on a Family of Kawazoe-Takahashi Curves at 192-bit Security Level and Its Cost Estimate

433

deﬁned over F

such that the parameter p and r (prime

factor of the order of Jac

)) are parametrized by

t ∈ Z as follows:

r(t) = Φ

(t)/2 = (t

+ 1)/2,

p(t) = (1 + 2t +t

+ 2t

+ 4t

+ 2t

− 4t

+ 2t

)/8.

Therefore, rho value ρ = glog q/ log r ≈ 3.5 (q is

the size of ﬁnite ﬁeld which the curve is deﬁned, so

now q = p) since p ≈ r

14/8

For 192-bit security level, we should choose r over

384

and p

over 2

7936

(BlueKrypt, 2012, NIST and

ECRYPT II Recommendations). Note that we chose

the embedding degree k = 16 and the family of curves

in the Table 1 in (Guillevic and Vergnaud, 2013) on

condition that k is in the form 2

(pairing-friendly

ﬁeld) and the size of r is as close as possible to the

appropriate key length 2

384

To reduce the cost of the pairing we should take

a low hamming weight t. We can ﬁnd the following

curve by using (Kawazoe and Takahashi, 2008, The-

orem 2):

C : y

= x

+ 11x,

r = 5044072482384476573782993927890\

= 7728964465436586245254453311630\

= 1265371549743031290473008113404\

= 9215268011143297044068561 (392 bits),

p = 8028045195460366401855608810858\

= 1087520356536010516694719024006\

= 5200170619103295404281314877038\

= 0691756335410705811073413334511\

= 1951668540846123577019763686758\

= 1081351540637127776953763530546\

= 24502257207565576569 (685 bits),

t = 562958543356163

= 2

+ 2

+ 2 + 1 (50 bits),

where ρ ≈ 3.497.

4 CONSTRUCTION OF THE

PAIRING

Here we construct the optimal HV pairing and its

twisted version on the Kawazoe-Takahashi curve of

embedding degree 16 as described previous section.

First we consider optimal pairings over genus 2

curves as offered in elliptic case by (Aranha et al.,

2013), then we focus twisted version of the pairing in

order to reduce the cost of computing the pairing since

the cost of arithmetic on Jacobian over extension ﬁeld

become extremely high.

4.1 Optimal HV Pairing

According to the optimal conjecture by Vercauteren

(Vercauteren, 2010), we can take the total loop length

of the Miller function as (log

r)/ϕ(k) where ϕ is

the Euler’s totient function and this length is opti-

mal. In order to construct optimal HV pairings, we

need to choose h(x) =

∑

i=0

∈ Z[x] so that the total

loop length h(x) =

∑

i=0

log

is optimal. Vercauteren

showed the several optimal HV pairings on elliptic

curve families by ﬁnding the shortest vectors in a

lattice (Vercauteren, 2010). Speciﬁcally, for a ϕ(k)-

dimensional lattice (spanned by the rows)

L =







r 0 0 ··· 0

−s (mod r) 1 0 ··· 0

−s

(mod r) 0 1 ··· 0

−s

ϕ(k)−1

(mod r) 0 1 ·· · 0







he used the function ShortestVectors() or

ShortVectors() in Magma (Bosma et al., 1997) for

speciﬁc input integers, and he found parametrized the

shortest vectors by interpolating for parametrized r

and s.

We can obtain the shortest vectors for HV pair-

ing a

p,h

on the Kawazoe-Takahashi curve deﬁned in

previous section in the same manner. The prameters

p,r should be represented as polynomials over integer

ring, we substitute t = 2x + 1 to p, r and obtain

r(x) = 128x

+ 512x

+ 896x

+ 560x

+ 224x

+ 56x

+ 8x +1,

p(x) = 4096x

+ 24576x

+ 67584x

+ 112640x

+ 126848x

+ 102144x

+ 61184x

+ 28544x

+ 11184x

+ 4064x

+ 1432x

+ 456x

+ 115x

+ 20x +2.

Now we can calculate shortest vectors for the lat-

tice L (s = p) using Magma, we obtain the vector

V (x) = [2x + 1,0, 0,0,0, 1,0, 0]

= [t,0,0,0, 0,1, 0,0],

ICISSP 2016 - 2nd International Conference on Information Systems Security and Privacy

434

therefore it holds 2x+ 1 + p(x)

≡ 0 (mod r(x)). We

then compute the Miller function except for ﬁnal ex-

ponentiation of HV pairing a

p,h

t+p

= f

t,D

c(x,y)

d(x, y)

where

div



c(x,y)

d(x, y)



= [t]D

+ [p

− [t + p

is a rational function. Now we consider Frobenius

eigenspace G

as the domain of the pairing, it

holds f

= f

1,D

and f

is constant, therefore we

can write

p,h

) = f

t,D

c(x,y)

d(x, y)

)

−1)/r

4.2 Twisted Optimal HV Pairing

As described in the beginning of this section, arith-

metic on Jacobian over the extension ﬁeld (F

) costs

very high, we consider twisted version of the HV pair-

ings

Since p ≡ 1 (mod 8), C has a twist of degree d =

8. Here we consider the twist over F

as follows:

: y

= x

+ 11λx,

ϕ: C

→ C

(x,y) 7→ (λ

x,λ

where λ ∈ F

is not l-th power residue in F

for

l ∈ {1, 2,4,8}. So it holds C(F

) ' C

In our case, since m = gcd(k,d) = 8 and e =

k/m = 2 we can represent G

= Jac

)[r] ∩ker ([ξ

]π

− 1).

Therefore, we should search short vectors for h(x)

where the coefﬁcients of p

(i: odd) equal to 0 to re-

duce the Miller function in the same manner as HV

pairings. For a lattice

L =







r 0 0 0

−p

(mod r) 1 0 0

−p

(mod r) 0 1 0

−p

(mod r) 0 0 1







we can ﬁnd the vector

W (x) = [(2x +1)

,1,0, 0] = [t

,1,0, 0]

by using ShortVectors() and it holds (2x + 1)

p(x)

≡ 0 (mod r(x)). In this case, the Miller loop

length is twice the one of optimal pairing. We

couldn’t ﬁnd essentially shorter vectors such that the

coefﬁcients of p

(i: odd) is 0. The twisted HV pair-

ing can be computed as follows:

twist

p,h

) = f

c(x,y)

d(x, y)

)

−1)/r

where

div



c(x,y)

d(x, y)



= [t

+ [p

− [t

+ p

4.3 Twisted Ate Pairing

Zhang (Zhang, 2010) proposed the hyperelliptic

twisted Ate pairing. Here we conﬁrm that previous

twisted HV pairing corresponds to a twisted Ate pair-

ing. Zhang showed that

(mod r),D

)

−1)/r

is a bilinear pairing (Zhang, 2010, Theorem 4) where

e is same as the above. We want to take the smallest ei

(mod r), now it holds p

(mod r) = t

. Therefore,

we can compute simply

twist

) = f

)

−1)/r

and the most efﬁcient pairing on this curve is the

twisted Ate pairing since there is no extra rational

function occurred in the twisted optimal HV pairing

in 4.2.

5 COST ESTIMATES

In this section we provide the cost estimate of the pair-

ing on the Kawazoe-Takahashi curve of embedding

degree 16. As described previous section, the twisted

Ate pairing seems to be the fastest one, we only focus

on this pairing. We have not optimally implemented

the pairing and arithmetic on the ﬁeld F

and F

yet,

we show here cost estimates by number of multiplica-

tions in deﬁnition ﬁeld F

The extension ﬁeld F

should be constructed the

tower of quadratic extension ﬁelds. In our case, we

can take 11 as a quadratic nonresidue modulo p and

this is the smallest one. We then construct each ex-

tension ﬁelds as follows:

' F

[x]/(x

− 11),

' F

[y]/(y

− α), (α

− 11 = 0),

' F

[z]/(z

− β), (β

− α = 0),

' F

[s]/(s

− γ), (γ

− β = 0).

We denote a multiplication and a squaring in F

and S

, respectively. We also suppose that the cost

A Construction of a Twisted Ate Pairing on a Family of Kawazoe-Takahashi Curves at 192-bit Security Level and Its Cost Estimate

435

of a squaring equal to one of a multiplication in F

i.e. M

= S

. We assume to use Karatsuba method for

multiplication in each ﬁeld, so M

= 81M

. In the

ﬁrst quadratic extension ﬁeld F

, we can perform a

squaring

(a + bx )

= a

+ 11b

+ 2abx

with computing

ab,

(a + b)(a +11b) − ab − 11ab.

It costs 2 multiplications in F

and additional ad-

ditions for computing 11c, (c ∈ F

) (5 additions)

and accumulating. We can therefore consider S

, and we assume that S

= 6M

, S

= 18M

and

= 54M

Fan, Gong, and Jao (Fan et al., 2008) proposed

to use the twist of the curve and degenerate divisors

(Frey and Lange, 2006) to use denominator elimina-

tion technique and reduce the cost to evaluate the sec-

ond argument divisors by the rational functions. Their

method can be applied the twisted Ate pairing in our

case:

(ϕ(D

))

−1)/r

= [x − x

] ∈ Jac

))

where ϕ(D

) = [x − λ

,λ

5.1 Miller Loop

For the parameter we described in section 3, the

Miller loop computation of f

) requires 96

doublings and 53 addition on Jacobian. In general

case, we can do arithmetic on the divisor group us-

ing afﬁne coordinates by Lange (Lange, 2005) where

the cost of a doubling is I

+ 5S

+ 22M

and the one

of an addition is I

+ 3S

+ 22M

. Here we use the

explicit formula and the dedicated coordinate system

by (Fan et al., 2009) for C. As noted by the authors

(Fan et al., 2009, Section 4.6), since f

, f

= 0 where

C : y

= f (x), f (x) = x

+ f

x + f

, a

doubling need 35M

+ 5S

. And we can perform a

mixed addition with 36M

+ 5S

In the Cantor’s algorithm and Miller loop, we need

to evaluate the auxiliary rational function by substi-

tuting the points associated D

. The rational function

can be obtained as

y − v(x )

(x)

where degree of v(x) is at most 3. Since the x-

coordinate of ϕ(D

) is deﬁned in F

, we can use

denominator elimination so we need not to evaluate

(x). By using the new coordinate system from (Fan

et al., 2009), we should evaluate

(x,y) = (˜rz

)y − ((s

+ l

x + l

(x,y) = (˜rz

)y − ((s

+ l

x + l

)

for a doubling and an addition, respectively, instead

of y− v(x). The parameters in the above functions are

from (Fan et al., 2008, Table 4,5)

Let f be the intermediate pairing value, when we

take degenerate divisors ϕ(D

) as second inputs for

the pairing, in each doubling step we compute

(ϕ(D

)) = f

(λ

,λ

)

and

f c

(ϕ(D

)) = f c

(λ

,λ

)

in each addition step. After precomputing

(λ

)

,(λ

)

with S

+ M

= 45M

, we evaluate

(ϕ(D

)) and c

(ϕ(D

)) with 16M

+ 3 · 8M

40M

. Therefore computing f

(ϕ(D

)) and

f c

(ϕ(D

)) requires 40M

= 175M

and

40M

+ M

= 121M

, respectively. Since

= 1 + 2

+ 2

Miller loop requires totally

{45 + 98(40 + 175) + 13(41 +121)}M

= 23221M

5.2 Final Exponentiation

For efﬁcient computation of the ﬁnal exponentiation,

we should use the method by Scott et al. (Scott et al.,

2009). In their method, we should estimate the cost

of computing Φ

(p)/r where

− 1)/r = (p − 1)(p + 1)(p

+ 1)(p

+ 1)/r.

By using the parametrization of p(x) and r(x), we

can compute the coefﬁcients as polynomial of the fol-

lowing polynomial

(p(x)

+ 1)r(x) =

∑

i=0

(x)p(x)

where

(x) = 256x

+ 896x

+ 1344x

+ 1120x

+ 568x

+ 196x

+ 66x

+ 27x

+ 8x +3

(x) = −2048x

− 10240x

− 23040x

− 30720x

− 26944x

− 16448x

− 7408x

− 2752x

− 980x

− 348x

− 111x

− 26x −3

ICISSP 2016 - 2nd International Conference on Information Systems Security and Privacy

436

(x) = −64x

− 160x

− 80x

− 22x

− 7x

− 4x −1

(x) = 512x

+ 2048x

+ 3584x

+ 2256x

+ 960x

+ 328x

+ 120x

+ 43x

+ 14x +3

(x) = −4096x

− 22528x

− 56320x

− 84480x

− 84608x

− 59840x

− 31264x

− 12912x

− 4712x

− −1676x

− 570x

− 163x

− 32x −3

(x) = −128x

− 384x

− 480x

− 320x

− 124x

− 36x

− 15x

− 6x −1

(x) = 1024x

+ 4608x

+ 9216x

+ 10752x

+ 8096x

+ 4176x

+ 1616x

+ 568x

+ 206x

+ 71x

+ 20x +3

(x) = 32x

+ 64x

+ 48x

+ 16x

+ 3x

+ 2x +1

First, for an element f ∈ F

, we need to compute

f := f

at 13 times ( f

, 1 ≤ i ≤ 13) and this requires

13 · (48S

+3M

) = 36855M

since x = 2

+ 1.

Second, we compute ( f

)

with 682M

for the

coefﬁcients of l

(x) as described in (Scott et al., 2009,

Section 5).

Finally, we should a vectorial addition chain such

as (Scott et al., 2009, Section 5) to compute the multi-

exponentiation. To do this we need to compute an

addition chain from coefﬁcients set from l

(x), and we

get

[1, 2, 3, 4, 6, 7, 8, 14, 15, 16, 20, 22, 26, 27, 32,

36, 43, 48, 64, 66, 68, 71, 80, 111, 112, 120, 124,

128, 160, 163, 196, 206, 256, 320, 328, 348, 384,

480, 512, 520, 568, 570, 896, 960, 980, 1024, 1120,

1344, 1348, 1360, 1616, 1676, 2048, 2256, 2272,

2752, 3072, 3584, 3592, 4096, 4608, 4656, 4712,

4716, 7408, 7528, 8096, 8352, 9216, 10240, 10752,

10864, 11776, 12912, 16448, 16704, 22528, 23040,

26944, 27968, 28352, 30720, 30752, 31264, 31872,

53760, 56320, 59840, 84480, 84608].

We then compute a vectorial addition chain from this

chain and obtain a chain of length 230. This im-

plies 230 − 71 = 159 multiplications in F

includ-

ing 3 squarings where 71 is the number of unit vec-

tors. Consequently the ﬁnal exponentiation requires

36855M

+ 3S

+ 156M

= 49653M

5.3 Comparison

In (Aranha et al., 2013), the authors showed that the

pairing over the BLS curves of embedding degree

12 (BLS12) is the most efﬁcient. Here we compare

our cost estimates of the twisted Ate pairing over the

Kawazoe-Takahashi curve with the result of the opti-

mal pairing over the BLS12 in Table 1.

Table 1: Comparison of the computation cost of pairing

over the pairing-friendly curve of genus 1 (BLS12) and

genus2 (Kawazoe-Takahashi).

Curve Phase Mult. in F

scaled

BLS12 Miller loop 10865M

640

10865M

640

Final exp. 8464M

640

8464M

640

Total 19329M

640

19329M

640

Kawazoe Miller loop 23221M

704

28098M

640

-Takahashi Final exp. 49653M

704

60081M

640

Total 72874M

704

88178M

640

As described in (Aranha et al., 2013, Section 8),

they represent ﬁeld elements a ∈ F

as n-bit proces-

sor words (n = d1/`e, ` = 1 + blog

pc) and estimate

the cost of ﬁeld arithmetic so we should use M

704

for comparison. We simply normalize the cost of

our pairing so that M

704

= 1.21M

640

where 1.21 =

(704/640)

and the data in “scaled” column are given

by multiplying 1.21 to each element.

In Miller loop, the cost of Kawazoe-Takahashi

pairing is about three times than the one of BLS12

pairing. Now the loop length of our pairing is twice as

much as optimal one, so the Miller loop cost seemed

not to be high and be efﬁcient more of less thanks to

using degenerate divisor and other techniques like de-

nominator elimination.

On the other hand, the ﬁnal exponentiation cost of

our pairing is very high than the one of BLS12 since

the arithmetic cost in F

is relatively high than one

in F

due to construction of their ﬁelds.In addition,

strategy to compute multi-exponentiation in ﬁnal ex-

ponentiation is more complicated than when k = 12.

6 CONCLUSION

Aranha et al. (Aranha et al., 2013) clarify appropri-

ate pairing-friendly elliptic curves and optimal pair-

ings over the curves at high (192-bit) security level.

In this paper, we considered several pairings over

Kawazoe-Takahashi curves of embedding degree 16

and propose the twisted Ate pairing as most efﬁcient

one. We showed the method to construct the opti-

mal pairings and its twisted version. Although the

Miller loop becomes twice as much as optimal one,

we offered a twisted version of Ate pairing since the

A Construction of a Twisted Ate Pairing on a Family of Kawazoe-Takahashi Curves at 192-bit Security Level and Its Cost Estimate

437

degree of twist is 8 which is half of the embedding de-

gree to avoid performing arithmetic on divisor classes

deﬁned over the extension ﬁeld. We described that

some techniques to reduce the computation cost as de-

scribed in (Fan et al., 2008) can apply to our twisted

Ate pairing.

As shown in our cost estimates, the ﬁnal exponen-

tiation cost is much larger than the stat-of-the-art el-

liptic pairing. We should consider other embedding

degree such as k = 12 to reduce complicated multi-

exponentiation, although we cannot take appropriate

r as an order of Jacobian whose size is close to 384-

bit. The other alternative, we consider to take k = 15

or 27 so that the embedding degrees are coprime to

degree of the twist. In this case, we can construct

twisted pairings whose length of Miller loop are op-

timal unlike the situation in 4.2. We will tackle to

construct the curves which have the above embedding

degrees and a twisted Ate pairing on each curve as a

future work. In addition, other pairing-friendly or-

dinary curves of genus 2 like (Freeman and Satoh,

2011) should be explored whether these curves are

appropriate for constructing pairings at high security

level.

Furthermore, we should explicitly construct ex-

tension ﬁelds and optimize the arithmetic on these

ﬁeld to obtain detailed cost estimate. We will imple-

ment the pairing on Haswell CPU using the SIMD

instructions (AVX2) and show experimental result in

practice.

REFERENCES

Aranha, D., Fuentes-Castaeda, L., Knapp, E., Menezes, A.,

and Rodrguez-Henrquez, F. (2013). Implementing

pairings at the 192-bit security level. In Abdalla, M.

and Lange, T., editors, Pairing-Based Cryptography

Pairing 2012, volume 7708 of Lecture Notes in Com-

puter Science, pages 177–195. Springer Berlin Hei-

delberg.

Balakrishnan, J., Belding, J., Chisholm, S., Eisentr

ager, K.,

Stange, K. E., and Teske, E. (2009). Pairings on hy-

perelliptic curves. CoRR, abs/0908.3731, Available:

http://arxiv.org/abs/0908.3731v2.

Barbulescu, R., Gaudry, P., Guillevic, A., and Morain, F.

(2015). Improving NFS for the discrete logarithm

problem in non-prime ﬁnite ﬁelds. In Oswald, E.

and Fischlin, M., editors, Advances in Cryptology –

EUROCRYPT 2015, volume 9056 of Lecture Notes

in Computer Science, pages 129–155. Springer Berlin

Heidelberg.

Barbulescu, R., Gaudry, P., Joux, A., and Thom, E. (2014).

A heuristic quasi-polynomial algorithm for discrete

logarithm in ﬁnite ﬁelds of small characteristic. In

Nguyen, P. and Oswald, E., editors, Advances in Cryp-

tology EUROCRYPT 2014, volume 8441 of Lec-

ture Notes in Computer Science, pages 1–16. Springer

Berlin Heidelberg.

BlueKrypt (2012). - cryptographic key length recommen-

dation, http://www.keylength.com.

Bosma, W., Cannon, J., and Playoust, C. (1997). The

Magma algebra system. I. The user language. J. Sym-

bolic Comput., 24(3-4):235–265. Computational al-

gebra and number theory (London, 1993).

Fan, X., Gong, G., and Jao, D. (2008). Speeding up pair-

ing computations on genus 2 hyperelliptic curves with

efﬁciently computable automorphisms. In Galbraith,

S. and Paterson, K., editors, Pairing-Based Cryptog-

raphy Pairing 2008, volume 5209 of Lecture Notes

in Computer Science, pages 243–264. Springer Berlin

Heidelberg.

Fan, X., Gong, G., and Jao, D. (2009). Efﬁcient pairing

computation on genus 2 curves in projective coordi-

nates. In Avanzi, R., Keliher, L., and Sica, F., ed-

itors, Selected Areas in Cryptography, volume 5381

of Lecture Notes in Computer Science, pages 18–34.

Springer Berlin Heidelberg.

Freeman, D. M. and Satoh, T. (2011). Constructing pairing-

friendly hyperelliptic curves using weil restriction.

Journal of Number Theory, 131(5):959 – 983. Elliptic

Curve Cryptography.

Frey, G. and Lange, T. (2006). Fast bilinear maps from the

tate-lichtenbaum pairing on hyperelliptic curves. In

Hess, F., Pauli, S., and Pohst, M., editors, Algorith-

mic Number Theory, volume 4076 of Lecture Notes

in Computer Science, pages 466–479. Springer Berlin

Heidelberg.

Galbraith, S. D., Lin, X., and Morales, D. J. M. (2008).

Pairings on hyperelliptic curves with a real model. In

Galbraith, S. and Paterson, K., editors, Pairing-Based

Cryptography – Pairing 2008, volume 5209 of Lecture

Notes in Computer Science, pages 265–281. Springer-

Verlag.

Granger, R., Hess, F., Oyono, R., Thriault, N., Vercauteren,

F., and Berlin, T. U. (2007). Ate pairing on hyperel-

liptic curves. In In Advances in Cryptology EURO-

CRYPT 2007, pages 419–436. Springer-Verlag.

Guillevic, A. and Vergnaud, D. (2013). Genus 2 hyperellip-

tic curve families with explicit jacobian order evalua-

tion and pairing-friendly constructions. In Abdalla,

M. and Lange, T., editors, Pairing-Based Cryptog-

raphy Pairing 2012, volume 7708 of Lecture Notes

in Computer Science, pages 234–253. Springer Berlin

Heidelberg.

Hess, F. (2008). Pairing lattices. In Galbraith, S. and Pater-

son, K., editors, Pairing-Based Cryptography – Pair-

ing 2008, volume 5209 of Lecture Notes in Computer

Science, pages 18–38. Springer-Verlag.

Kachisa, E. (2010). Generating more kawazoe-takahashi

genus 2 pairing-friendly hyperelliptic curves. In Joye,

M., Miyaji, A., and Otsuka, A., editors, Pairing-Based

Cryptography - Pairing 2010, volume 6487 of Lecture

Notes in Computer Science, pages 312–326. Springer

Berlin Heidelberg.

Kawazoe, M. and Takahashi, T. (2008). Pairing-friendly

hyperelliptic curves with ordinary jacobians of type

ICISSP 2016 - 2nd International Conference on Information Systems Security and Privacy

438

= x

+ax. In Galbraith, S. and Paterson, K., editors,

Pairing-Based Cryptography Pairing 2008, volume

5209 of Lecture Notes in Computer Science, pages

164–177. Springer Berlin Heidelberg.

Lange, T. (2005). Formulae for arithmetic on genus 2 hy-

perelliptic curves. Applicable Algebra in Engineering,

Communication and Computing, 15(5):295–328.

Scott, M. (2011). On the efﬁcient implementation of

pairing-based protocols. In Chen, L., editor, Cryp-

tography and Coding, volume 7089 of Lecture Notes

in Computer Science, pages 296–308. Springer Berlin

Heidelberg.

Scott, M., Benger, N., Charlemagne, M., Dominguez Perez,

L., and Kachisa, E. (2009). On the ﬁnal exponen-

tiation for calculating pairings on ordinary elliptic

curves. In Shacham, H. and Waters, B., editors,

Pairing-Based Cryptography Pairing 2009, volume

5671 of Lecture Notes in Computer Science, pages

78–88. Springer Berlin Heidelberg.

Teruya, T., Saito, K., Kanayama, N., Kawahara, Y.,

Kobayashi, T., and Okamoto, E. (2014). Constructing

symmetric pairings over supersingular elliptic curves

with embedding degree three. In Cao, Z. and Zhang,

F., editors, Pairing-Based Cryptography – Pairing

2013, volume 8365 of Lecture Notes in Computer Sci-

ence, pages 97–112. Springer-Verlag.

Vercauteren, F. (2010). Optimal pairings. IEEE Transac-

tions on Information Theory, 56(1):455–461.

Zhang, F. (2010). Twisted ate pairing on hyperelliptic

curves and applications. Science China Information

Sciences, 53(8):1528–1538.

Zhang, X. and Wang, K. (2014). Fast symmetric pairing

revisited. In Cao, Z. and Zhang, F., editors, Pairing-

Based Cryptography – Pairing 2013, volume 8365 of

Lecture Notes in Computer Science, pages 131–148.

Springer-Verlag.

A Construction of a Twisted Ate Pairing on a Family of Kawazoe-Takahashi Curves at 192-bit Security Level and Its Cost Estimate

439