Mathematical Problems in Engineering

Volume 2013, Article ID 136767, 8 pages

http://dx.doi.org/10.1155/2013/136767

## The Pairing Computation on Edwards Curves

^{1}College of Sciences, North China University of Technology, Beijing 100144, China

^{2}School of Mathematical Sciences, Peking University, Beijing 100871, China

^{3}Beijing International Center for Mathematical Research, Beijing 100871, China

Received 4 May 2013; Accepted 22 September 2013

Academic Editor: Jun Jiang

Copyright © 2013 Hongfeng Wu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

We propose an elaborate geometry approach to explain the group law on twisted Edwards curves which are seen as the intersection of quadric surfaces in space. Using the geometric interpretation of the group law, we obtain the Miller function for Tate pairing computation on twisted Edwards curves. Then we present the explicit formulae for pairing computation on twisted Edwards curves. Our formulae for the doubling step are a little faster than those proposed by Arène et al. Finally, to improve the efficiency of pairing computation, we present twists of degrees 4 and 6 on twisted Edwards curves.

#### 1. Introduction

Pairing-based cryptography has been one of the most active areas in elliptic curve cryptography since 2000. Some details on this subject can be found in [1, 2]. How to compute pairings efficiently is a bottleneck for implementing pairing-based cryptography. The most efficient method of computing pairings is Miller’s algorithm [3]. Consequently, various improvements were presented in [4–8]. One way to improve the efficiency is to find other models of elliptic curves which can provide more efficient algorithms for pairing computation. Edwards curves are one of the popular models. The Edwards curve was discovered by Edwards [9] and was applied in cryptography by Bernstein and Lange [10]. Then twisted Edwards curves, which are the generalization of Edwards curves, were introduced by Bernstein et al. in [11]. Bernstein and Lange also pointed out several advantages of applying the Edwards curves to cryptography. Pairing computation over Edwards curves was first considered in [12, 13]. In 2009, Arène et al. [4] gave the geometric interpretation of the group law and presented explicit formulae for computing the Tate pairing on twisted Edwards curves. Their formulae are faster than all previously proposed formulae for pairing computation on twisted Edwards curves. Their formulae are even competitive with all published formulae for pairing computation on Weierstrass curves. In particular, if a pairing-friendly curve used in a pairing-based protocol is isomorphic or isogenous to an Edwards curve, all the scalar multiplications appearing in the protocol can be computed efficiently [14].

Any elliptic curve defined over a field with characteristic different from 2 is birationally equivalent to an Edwards curve over some extension of , that is, a curve given by with . In fact, the twisted Edwards curves can be seen as the intersection of two quadratic surfaces in space. That is to say, the twisted Edwards curves can be given by , . For general elliptic curves given by intersection of two quadratic surfaces, the geometric interpretation of the group law was discussed by Merriman et al. in [15]. In this paper, we propose a more detailed geometry approach to explain the group law for the case of twisted Edwards curves which are seen as the intersection of two quadratic surfaces. Using the geometric interpretation of the group law, we obtain the Miller function of Tate pairing computation on twisted Edwards curves. Then we present the explicit formulae for pairing computation on twisted Edwards curves. The doubling step of our formulae is a little faster than that in [4]. Finally, to reduce the cost of evaluating the Miller function on twisted Edwards curves, we employ quadratic, quartic, or sextic twists in the formulae of the Tate pairing computation. High-degree twists have been studied thoroughly by Costello et al. [16] on Weierstrass curves. By the result given in [17], an elliptic curve and its quartic/sextic twist cannot have a rational twisted Edwards model at the same time, so we turn to Weierstrass curves for the high-degree twists of twisted Edwards curves. These twists enable us to reduce the cost of substituting to a half and a third, respectively, in case and case.

The remainder of the paper is organized as follows. In Section 2, we provide some backgrounds and notations used in this paper. In Section 3, we give a geometry approach to explain the group law on twisted Edwards curves. In Section 4, we present pairing computation on twisted Edwards curves. In Section 5, we employ quartic and sextic twists to the formulae of the Tate pairing computation. In Section 6, we conclude our paper.

#### 2. Preliminaries

##### 2.1. Tate Pairing

Let be a prime, and let be a finite field with . is an elliptic curve defined over with neutral element denoted by . is a prime such that . Let denote the embedding degree with respect to ; that is, is the smallest positive integer such that . For any point , there exists a rational function defined over such that , which is unique up to a nonzero scalar multiple. The group of th roots of unity in is denoted by . The reduced Tate pairing is then defined as follows: The rational function can be computed in polynomial time by using Miller’s algorithm [3]. Let be the binary representation of , where . Let be the rational function satisfying , where denotes the sum of and on and additions of the form denote formal additions in the divisor group. Miller’s algorithm starts with , and is written as in Algorithm 1.

##### 2.2. Edwards Curves

For , a twisted Edwards curve defined over is given by where are distinct nonzero elements of . The projective closure of in is This curve consists of the points on the affine curve , embedded as usual into by , and extra points at infinity, that is, points when . There are exactly two such points, namely, and . These points are singular.

In fact, the twisted Edwards curve can be seen as the intersection of two quadric surfaces in space. That is, the twisted Edwards curve can be written as

More generally, every elliptic curve defined over a field with can be written in this normal form over an extension of . Set as the neutral element; the group law on (4) is given by where

The point has order 2. Note that the above formula is unified; that is, it can be applied to both adding two distinct points and doubling a point. The fast arithmetic on twisted Edwards curves given by (4) can be found in [18, 19].
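The quantities from Sections 2.1 and 2.2 on a toy curve, as an added example that is not part of the original paper: it uses the standard affine twisted Edwards addition law of [11] rather than the paper's quadric-intersection coordinates, and the parameters p = 59, a = 1, d = −1 and all function names are constructed for illustration.

```python
# Added illustration, not code from the paper. Constructed toy parameters:
# E: a*x^2 + y^2 = 1 + d*x^2*y^2 over F_p, p = 59, a = 1 (square), d = -1 (nonsquare).
P_MOD, A, D = 59, 1, 59 - 1
O = (0, 1)  # neutral element of the affine model

def inv(x):
    return pow(x, P_MOD - 2, P_MOD)  # Fermat inversion, x must be nonzero

def on_curve(P):
    x, y = P
    return (A * x * x + y * y - 1 - D * x * x * y * y) % P_MOD == 0

def ed_add(P, Q):
    """Unified affine addition: one formula for P != Q and for doubling.
    With a square and d nonsquare the denominators 1 +/- t never vanish."""
    (x1, y1), (x2, y2) = P, Q
    t = D * x1 * x2 * y1 * y2 % P_MOD
    x3 = (x1 * y2 + y1 * x2) * inv(1 + t) % P_MOD
    y3 = (y1 * y2 - A * x1 * x2) * inv(1 - t) % P_MOD
    return (x3, y3)

def ed_mul(n, P):
    """Left-to-right double-and-add, the same bit scan Miller's loop follows."""
    R = O
    for bit in bin(n)[2:]:
        R = ed_add(R, R)
        if bit == "1":
            R = ed_add(R, P)
    return R

def curve_points():
    return [(x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y))]

def largest_prime_factor(n):
    f, best = 2, 1
    while f * f <= n:
        while n % f == 0:
            best, n = f, n // f
        f += 1
    return n if n > 1 else best

def embedding_degree(q, r):
    """Smallest k >= 1 with r | q^k - 1 (order of q modulo r); needs gcd(q, r) = 1."""
    k, t = 1, q % r
    while t != 1:
        t, k = t * q % r, k + 1
    return k

def point_of_order_r(points, n, r):
    """Multiply by the cofactor n/r until the result is not the neutral element."""
    for P in points:
        R = ed_mul(n // r, P)
        if R != O:
            return R  # r is prime and r*R = O, so R has order exactly r
    return None

def pairing_parameters():
    pts = curve_points()
    n = len(pts)                      # group order (all points are affine here)
    r = largest_prime_factor(n)       # prime subgroup order used for the pairing
    k = embedding_degree(P_MOD, r)    # pairing values live in F_{p^k}
    return {"n": n, "r": r, "k": k,
            "final_exp": (P_MOD ** k - 1) // r,   # exponent of the reduced Tate pairing
            "P": point_of_order_r(pts, n, r)}

if __name__ == "__main__":
    print(pairing_parameters())
```

The even embedding degree found here matches the assumption made later for denominator elimination; at cryptographic sizes the same check is what tells you which extension field the discrete-log security of the pairing rests on.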

We use and to denote the costs of multiplication and squaring in the base field , while and denote the costs of multiplication and squaring in the extension .

#### 3. Geometric Interpretation of the Group Law on Twisted Edwards Curves

The aim of this section is to give the elaborate geometric interpretation of the group law on twisted Edwards curves which are seen as the intersection of two quadric surfaces in space. We consider projective planes which are given by homogeneous projective equations . In this paper, we still use the symbol to denote projective planes. In fact, any plane intersects at exactly four points. Although these planes are not functions on , their divisors can be well defined as where is the intersection multiplicity of and at . Then the quotient of two projective planes is a well-defined function which gives principal divisor. As we will see, this divisor leads to the geometric interpretation of the group law.

When saying plane passes through three points , and (not necessarily distinct), we mean that exactly satisfies . In fact, by the Riemann-Roch theorem or by explicit discussion on multiplicity, one can prove that there exists a unique plane which satisfies the above inequality. So we may denote this plane by from now on.

##### 3.1. Group Law over the Twisted Edwards Curves

The Abel-Jacobi theorem connects the group law with principal divisors, and we obtain the lemma below.

Lemma 1. *For twisted Edwards curve with neutral element , let . Then 4 points (not necessarily distinct) , , , and satisfy if and only if there is a plane with .*

*Proof.* Firstly, it is an easy calculation to get that .

Then the “if” part follows directly: if , the principal divisor is translated into equation by the Abel-Jacobi Theorem.

For the “only if” part, suppose that . Consider the plane ; we can assume that , so it derives from the “if” part. Then we get ; that is, .

By this lemma, we can easily construct planes to give the group law. The fourth intersection of and the curve is , that is, the negative point of . The fourth intersection of and the curve is , and its negative point gives . Actually, this geometric interpretation is parallel with the tangent and chord law for the cubic plane curves.

The neutral element we chose here is the same as that of [11], so we can claim that our explicit formulae for negative point, point addition, and point doubling are equivalent to those of [11].

#### 4. Miller Function over

##### 4.1. Construction of Miller Function

In this section we construct the Miller function over . Let and be two points on ; by Lemma 1, we can get Thus, So for addition steps, the Miller function over can be given by setting , : For doubling steps, we set , and the Miller function over is given as

Then the remaining work is to compute the equation of these planes. The planes we use are of the form , because they always pass through . Thus we only need to compute , , and . To get a unified description, we use , for both addition and doubling steps and consider and , respectively, when necessary. Assume that , , and .

##### 4.2. Equation of with

In the case that , , and are pairwise distinct points on , by solving linear equations, we get the coefficients of the plane as follows:

##### 4.3. Equation of with

Suppose that . The tangent line to at is the intersection of the tangent planes to and at . The tangent plane to at is . The tangent plane to at is . Then is of the form: Note that ; that is, . One can verify that , satisfy the equation. Hence, the equation of is

Then we can get the coefficients of as follows:

##### 4.4. Equation of

The plane can be regarded as a special case of . For , , we have Thus, we have .

#### 5. Pairing Computation

In this section, we analyze the steps in Miller’s algorithm explicitly. As shown in Algorithm 1, each addition or doubling step consists of three parts: computing the point or and the function or , evaluating or at , and then updating the variable by or by .

The updating part, as operation in , costs for addition step and for doubling step. It is usually the main cost but with little room for optimization in one step. For the evaluating part, some standard methods such as denominator elimination and subfield simplification can be used, as we introduce below.

We assume that embedding degree is even. Let be a generator of over with . Suppose that ; we can see that . If , , for evaluation of , we have where and . Note that and they are fixed during the whole computation, so they can be precomputed. The coefficients , , and are in ; thus the evaluation at given the coefficients of the plane can be computed in (multiplications by and need each).

The computation of the coordinates of points and the coefficients of planes, the part with the most variety, is discussed separately for addition and doubling steps as follows.

##### 5.1. Addition Steps

Let and be distinct points with . By variant of formulae of (6) and (12), the explicit formulas for computing and , , and are given as follows: With these formulas, and , , and can be computed in , where is constant multiplication by . For a mixed addition step, in which the base point is chosen to have , the costs reduce to .

Therefore, the total costs of an addition step are , while a mixed addition step costs .

##### 5.2. Doubling Steps

For , . By the formulae of (6) and (15), our explicit formulas for computing and , , are given as follows:

By the above formulae, and , , and can be computed in , where are constant multiplications by and .

So total costs of our formulae for a doubling step are , while the total costs of the formulae for the doubling step proposed in [4] are , where are both constant multiplication by .

#### 6. High-Degree Twists

Let , an elliptic curve over is called a twist of degree of if there is an isomorphism defined over , and this is the smallest extension of over which is defined. Depending on the -invariant of , there exist twists of degree at most , since . Pairing friendly curves with twists of degree higher than arise from constructions with -invariants and .

##### 6.1. Edwards Curves with

For twisted Edwards curve , the -invariant equals ; hence, there exist twists of degree . The case is the “classical” Edwards curve with complex multiplication [20].

Lemma 2. *Assume that , is a generator of over and , which implies . Then the Weierstrass curve*

*is a twist of degree 4 over of . The isomorphism can be given as*

*Proof.* Firstly, we prove that is well defined; that is, . Note that
We have
Then

Moreover, it can be easily checked that is invertible and satisfies ; that is, is an isomorphism. Besides, the minimal field that can be defined over is which has degree 4 over . Hence, the twist degree is 4.

For , we have . Then its corresponding point can be given as . One can check by substitution that For and , we have and with . Then for the evaluation of with , we get

So we can reduce to . Moreover we may precompute and since they are fixed during the whole computation. When , and are given, the evaluation at can be computed in , with each for multiplications by and .

The high twist not only reduces the cost of evaluating but also the cost of updating , which is the main multiplication in Miller’s algorithm as a multiplication in . Consider as an -vector space with basis , , , and . Then an arbitrary element can be denoted as with , . And the reduced value of obtained above can be denoted as , where and . When using the Schoolbook method, multiplying by costs for computing , and costs for and . The total cost equals , considering that a general multiplication in costs . Namely, the quartic twist may reduce the cost of the main multiplication in Miller’s algorithm to .

Therefore, the *addition step* costs , where is constant multiplication by . For a mixed addition step, the costs reduce to .

The *doubling step* costs , where are constant multiplications by and .

##### 6.2. Edwards Curves with

The twisted Edwards curve has -invariant ; hence, if and only if . Note that is a square in finite field if and only if . Now we assume that and , satisfy the relation . Then Edwards curve has -invariant equal to ; hence, there exist twists of degree . The case is the Edwards curve with complex multiplication [20].

We denote that and when given .

Lemma 3. *Assume that , is a generator of over with , which implies and . Then the Weierstrass elliptic curve*

*is a twist of degree 6 over of . The isomorphism can be given as*

*Proof.* Firstly, we check that is well defined; that is, . We denote that , then
Note that
Since , , and , we have
Thus

Moreover, it can be easily checked that is invertible and satisfies ; that is, is an isomorphism. Besides, the minimal field that can be defined over is which has degree 6 over . Hence, the twist degree is 6.

For , we have . Then its corresponding point can be given as . One can check by substitution that For and , we have with . Then for the evaluation of with , , we get

So we can reduce to the representative in the last line. Moreover we may precompute and since they are fixed during the whole computation. When , and , are given, the evaluation at can be computed in , with each for multiplications by and and a constant multiplication by .

Similarly to the case, consider as an -vector space with basis . Then an arbitrary element can be denoted as with , . And the reduced obtained above can be denoted as , where and . When using the Schoolbook method, multiplying by costs for computing , and costs for and . The total cost equals , considering that a general multiplication in costs . Namely, the sextic twist may reduce the cost of the main multiplication in Miller’s algorithm to .

Therefore, the *addition step* costs , where are multiplications by and . For a mixed addition step, the costs reduce to .

The *doubling step* costs , where are multiplications by , , and .

Table 1 shows the concrete comparison for doubling step (DBL), mixed addition step (mADD), and addition step (ADD).

#### 7. Conclusion

In this paper, we propose an elaborate geometry approach to explain the group law on Edwards curves which are seen as the intersection of two quadric surfaces in space. Using the geometric interpretation of the group law, we obtain the Miller function of Tate pairing computation on twisted Edwards curves. Then we present the explicit formulae for pairing computation on twisted Edwards curves. The doubling step of our formulae is a little faster than that in [4]. Finally, to improve the efficiency, we present quartic and sextic twists on twisted Edwards curves. By using high twists, the costs of substituting in case and case can be reduced to a half and a third, respectively. Above all, it is interesting to consider more efficient formulae for pairing computation on twisted Edwards curves.

#### Acknowledgments

This work was supported by National Natural Science Foundation of China (no. 11101002, no. 11271129, and no. 61370187) and Beijing Natural Science Foundation (no. 1132009).

#### References

1. R. Avanzi, H. Cohen, C. Doche et al., *Handbook of Elliptic and Hyperelliptic Curve Cryptography*, CRC Press, 2005.
2. I. F. Blake, G. Seroussi, and N. P. Smart, *Advances in Elliptic Curve Cryptography*, Cambridge University Press, Cambridge, UK, 2005.
3. V. S. Miller, “The Weil pairing, and its efficient calculation,” *Journal of Cryptology*, vol. 17, no. 4, pp. 235–261, 2004.
4. C. Arène, T. Lange, M. Naehrig, and C. Ritzenthaler, “Faster computation of the Tate pairing,” *Journal of Number Theory*, vol. 131, no. 5, pp. 842–857, 2011.
5. F. Hess, N. P. Smart, and F. Vercauteren, “The Eta pairing revisited,” *IEEE Transactions on Information Theory*, vol. 52, no. 10, pp. 4595–4602, 2006.
6. F. Hess, “Pairing lattices,” in *Pairing-Based Cryptography—Pairing 2008*, vol. 5209 of *Lecture Notes in Computer Science*, pp. 18–38, Springer, 2008.
7. N. Koblitz and A. Menezes, “Pairing-based cryptography at high security levels,” in *Cryptography and Coding*, vol. 3796 of *Lecture Notes in Computer Science*, pp. 13–36, Springer, 2005.
8. F. Vercauteren, “Optimal pairings,” *IEEE Transactions on Information Theory*, vol. 56, no. 1, pp. 455–461, 2010.
9. H. M. Edwards, “A normal form for elliptic curves,” *Bulletin of the American Mathematical Society*, vol. 44, no. 3, pp. 393–422, 2007.
10. D. J. Bernstein and T. Lange, “Faster addition and doubling on elliptic curves,” in *Advances in Cryptology—ASIACRYPT 2007*, K. Kurosawa, Ed., vol. 4833 of *Lecture Notes in Computer Science*, pp. 29–50, Springer, 2007.
11. D. J. Bernstein, P. Birkner, M. Joye, T. Lange, and C. Peters, “Twisted Edwards curves,” in *Progress in Cryptology—AFRICACRYPT 2008*, vol. 5023 of *Lecture Notes in Computer Science*, pp. 389–405, Springer, 2008.
12. M. P. L. Das and P. Sarkar, “Pairing computation on twisted Edwards form elliptic curves,” in *Pairing-Based Cryptography—Pairing 2008*, vol. 5209 of *Lecture Notes in Computer Science*, pp. 192–210, Springer, 2008.
13. S. Ionica and A. Joux, “Another approach to pairing computation in Edwards coordinates,” in *Progress in Cryptology—INDOCRYPT 2008*, vol. 5365 of *Lecture Notes in Computer Science*, pp. 400–413, Springer, 2008.
14. T. Yasuda, T. Takagi, and K. Sakurai, “Application of Scalar multiplication of Edwards curves to pairing-based cryptography,” in *Advances in Information and Computer Security*, vol. 7631 of *Lecture Notes in Computer Science*, pp. 19–36, Springer, 2012.
15. J. R. Merriman, S. Siksek, and N. P. Smart, “Explicit 4-descents on an elliptic curve,” *Acta Arithmetica*, vol. 77, no. 4, pp. 385–404, 1996.
16. C. Costello, T. Lange, and M. Naehrig, “Faster pairing computations on curves with high-degree twists,” in *Public Key Cryptography—PKC 2010*, vol. 6056 of *Lecture Notes in Computer Science*, pp. 224–242, Springer, 2010.
17. S. D. Galbraith, *Mathematics of Public Key Cryptography*, Cambridge University Press, 2012.
18. H. Hisil, K. K.-H. Wong, G. Carter, and E. Dawson, “Twisted Edwards curves revisited,” in *Advances in Cryptology—ASIACRYPT 2008*, vol. 5350 of *Lecture Notes in Computer Science*, pp. 326–343, Springer, 2008.
19. D. J. Bernstein and T. Lange, “A complete set of addition laws for incomplete Edwards curves,” *Journal of Number Theory*, vol. 131, no. 5, pp. 858–872, 2011.
20. S. D. Galbraith, X. Lin, and M. Scott, “Endomorphisms for faster elliptic curve cryptography on a large class of curves,” *Journal of Cryptology*, vol. 24, no. 3, pp. 446–469, 2011.