Omega Pairing on Hyperelliptic Curves

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8567)

Abstract

The omega pairing is proposed as a variant of the Weil pairing on special elliptic curves using automorphisms. In this paper, we generalize the omega pairing to general hyperelliptic curves and use the pairing lattice to construct the optimal omega pairing, which has a short Miller loop length and a simple final exponentiation. On some special hyperelliptic curves, the optimal omega pairing could be super-optimal.

References

  1. Miller, V.S.: The Weil Pairing and its efficient calculation. J. Cryptol. 17(4), 235–261 (2004)
  2. Vercauteren, F.: Optimal pairings. IEEE Trans. Inf. Theory 56(1), 455–461 (2010)
  3. Barreto, P.S.L.M., Galbraith, S., OhEigeartaigh, C., Scott, M.: Efficient pairing computation on supersingular abelian varieties. Des. Codes Crypt. 42(3), 239–271 (2007)
  4. Hess, F., Smart, N.P., Vercauteren, F.: The eta pairing revisited. IEEE Trans. Inf. Theory 52(10), 4595–4602 (2006)
  5. Zhao, C.A., Zhang, F., Huang, J.: A note on the Ate pairing. Int. J. Inf. Secur. Arch. 7(6), 379–382 (2008)
  6. Lee, E., Lee, H., Park, C.: Efficient and generalized pairing computation on Abelian varieties. IEEE Trans. Inf. Theory 55(4), 1793–1803 (2009)
  7. Zhao, C.A., Xie, D., Zhang, F., Zhang, J., Chen, B.L.: Computing bilinear pairings on elliptic curves with automorphisms. Des. Codes Crypt. 58(1), 35–44 (2011)
  8. Hess, F.: Pairing lattices. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 18–38. Springer, Heidelberg (2008)
  9. Granger, R., Hess, F., Oyono, R., Thériault, N., Vercauteren, F.: Ate pairing on hyperelliptic curves. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 430–447. Springer, Heidelberg (2007)
  10. Zhang, F.: Twisted Ate pairing on hyperelliptic curves and applications. Science China Inf. Sci. 53(8), 1528–1538 (2010)
  11. Fan, X., Gong, G., Jao, D.: Speeding up pairing computations on genus 2 hyperelliptic curves with efficiently computable automorphisms. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 243–264. Springer, Heidelberg (2008)
  12. Fan, X., Gong, G., Jao, D.: Efficient pairing computation on genus 2 curves in projective coordinates. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 18–34. Springer, Heidelberg (2009)
  13. Tang, C., Xu, M., Qi, Y.: Faster pairing computation on genus 2 hyperelliptic curves. Inf. Process. Lett. 111, 494–499 (2011)
  14. Balakrishnan, J., Belding, J., Chisholm, S., Eisenträger, K., Stange, K., Teske, E.: Pairings on hyperelliptic curves (2009). http://www.math.uwaterloo.ca/~eteske/teske/pairings.pdf
  15. Cantor, D.G.: Computing in the Jacobian of a hyperelliptic curve. Math. Comp 48(177), 95–101 (1987)
  16. Mumford, D.: Tata Lectures on Theta I, II. Birkhäuser, Boston (1983/84)
  17. Howe, E.W.: The Weil pairing and the Hilbert symbol. Math. Ann. 305, 387–392 (1996)
  18. Joux, A.: A one round protocol for tripartite Diffie-Hellman. J. Cryptol. 17, 263–276 (2004)
  19. Choie, Y., Lee, E.: Implementation of Tate pairing on hyperelliptic curves of genus 2. In: Lim, J.-I., Lee, D.-H. (eds.) ICISC 2003. LNCS, vol. 2971, pp. 97–111. Springer, Heidelberg (2004)
  20. Scott, M., Barreto, P.S.L.M.: Compressed pairings. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 140–156. Springer, Heidelberg (2004)
  21. Granger, R., Hess, F., Oyono, R., Thériault, N., Vercauteren, F.: Ate pairing on hyperelliptic curves. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 430–447. Springer, Heidelberg (2007)
  22. Granger, R., Page, D.L., Smart, N.P.: High security pairing-based cryptography revisited. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 480–494. Springer, Heidelberg (2006)
  23. Silverman, H.: The Arithmetic of Elliptic Curves. GTM, vol. 106, 2nd edn. Springer, New York (2009)
  24. Zhao, C.A., Zhang, F., Huang, J.: All pairings are in a group. IEICE Trans. Fundam. E91–A(10), 3084–3087 (2008)

Acknowledgments

We would like to thank the anonymous reviewers for their helpful comments. This work is supported by the National 973 Program of China (No. 2011CB302400), the Strategic Priority Research Program of Chinese Academy of Sciences (No. XDA06010701, No. XDA06010702), the National Natural Science Foundation of China (No. 61303257) and Institute of Information Engineering’s Research Project on Cryptography (No. Y3Z0023103, No. Y3Z0011102).


Corresponding author

Correspondence to Shan Chen.

A Explicit Proofs

Proof of Lemma 1: We denote \(D_l=\varepsilon (D_{l})-m_l(P_\infty )\) for \(l=1, 2\) and \([k] D_l=\varepsilon ([k]D_{l})-m_{lk}(P_\infty )\) for \(k=i, j\). Let \(u_\infty \) be an \(\mathbb {F}_{q}\)-rational uniformizer for \(P_\infty \) and assume \(supp(div(u_\infty ))\cap supp(\varepsilon (D_{1}))=\emptyset \). Thus

$$ supp(div(f_{i,D_1}))\cap supp((jm_2-m_{2j})(P_\infty )+div(\frac{1}{{u_\infty }^{(jm_2-m_{2j})}}))=\emptyset . $$

Since \(f_{i,D_1}\) is an \(\mathbb {F}_{q}\)-rational function,

$$ \left( f_{i,D_1}((jm_2-m_{2j})(P_\infty )+div(\frac{1}{{u_\infty }^{(jm_2-m_{2j})}}))\right) ^{q-1}=1 $$

by Fermat’s Little Theorem. According to Weil reciprocity [23], we have

$$ \begin{array}{ll} &{}\left( f_{i,D_{1}}(\varepsilon ([j]D_{2}))f_{i,D_{1}}^{-j}(\varepsilon (D_{2}))\right) ^{q-1}\\ &{}=\left( f_{i,D_{1}}(\varepsilon ([j]D_{2})-j\varepsilon (D_{2})+(jm_2-m_{2j})(P_\infty )+div(\frac{1}{{u_\infty }^{(jm_2-m_{2j})}}))\right) ^{q-1}\\ &{}= \left( f_{i,D_{1}}([j]D_{2}-jD_{2}+div(\frac{1}{{u_\infty }^{(jm_2-m_{2j})}}))\right) ^{q-1} \\ &{}= \left( f_{i,D_{1}}(div((f_{j,D_{2}}{u_\infty }^{(jm_2-m_{2j})})^{-1}))\right) ^{q-1}\\ &{}= \left( (f_{j,D_{2}}{u_\infty }^{(jm_2-m_{2j})})^{-1}(div(f_{i,D_{1}}))\right) ^{q-1}\\ &{}=\left( {f_{j,D_{2}}{u_\infty }^{(jm_2-m_{2j})}}([i]D_1-iD_1)\right) ^{q-1}\\ &{}=\left( f_{j,D_{2}}(\varepsilon ([i]D_{1})-i\varepsilon (D_{1}))\right) ^{q-1} \left( { u_\infty }^{(jm_2-m_{2j})}(\varepsilon ([i]D_{1})-i\varepsilon (D_{1}))\right) ^{q-1}\\ &{}\cdot \left( {f_{j,D_{2}}{u_\infty }^{(jm_2-m_{2j})}}((im_1-m_{1i})(P_\infty ))\right) ^{q-1}\\ &{}= \left( f_{j,D_{2}}(\varepsilon ([i]D_{1}))f_{j,D_{2}}^{-i}(\varepsilon (D_{1}))\right) ^{q-1}. \end{array} $$

In fact, \(u_\infty \) and the reduced divisor \(D_1\) are \(\mathbb {F}_{q}\)-rational, so

$$ \left( { u_\infty }^{(jm_2-m_{2j})}(\varepsilon ([i]D_{1})-i\varepsilon (D_{1}))\right) ^{q-1}=1. $$

On the other hand, \(ord_{P_\infty }({f_{j,D_{2}}{u_\infty }^{(jm_2-m_{2j})}})=0\) shows that this function is defined at \(P_\infty \). Since \({f_{j,D_{2}}{u_\infty }^{(jm_2-m_{2j})}} \) is normalised, it follows that

$$\begin{aligned} {f_{j,D_{2}}{u_\infty }^{(jm_2-m_{2j})}}(P_\infty )=lc_\infty ({f_{j,D_{2}}{u_\infty }^{(jm_2-m_{2j})}})=1. \end{aligned} \tag{2}$$

So the last identity holds, and it yields the equation

$$ \left( \frac{f_{i,D_{1}}(\varepsilon ([j]D_{2}))}{f_{j,D_{2}}(\varepsilon ([i]D_{1}))}\right) ^{q-1}= \left( \frac{f_{i,D_{1}}^j(\varepsilon (D_{2}))}{f_{j,D_{2}}^i(\varepsilon (D_{1}))}\right) ^{q-1} . $$

      \(\square \)
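
The Fermat's Little Theorem step used in the proof of Lemma 1, written out as an added derivation that is not part of the original paper. The symbols \(\pi \) (the \(q\)-power Frobenius), \(k\), \(E\) and \(n_P\) are notation introduced here, and \(div(u_\infty )=P_\infty +D_\infty \) is the decomposition assumed in the proof of Lemma 3.

Write \(k=jm_2-m_{2j}\) and

$$ E=k(P_\infty )+div(\frac{1}{{u_\infty }^{k}})=k(P_\infty )-k(P_\infty )-kD_\infty =-kD_\infty =\sum _P n_P(P). $$

The point \(P_\infty \) cancels, and \(E\) is \(\mathbb {F}_{q}\)-rational because \(u_\infty \) is, so \(n_{\pi (P)}=n_P\) for every point \(P\). Since \(f_{i,D_1}\) has coefficients in \(\mathbb {F}_{q}\), we have \(f_{i,D_1}(P)^q=f_{i,D_1}(\pi (P))\), and \(\pi \) permutes \(supp(E)\). Hence

$$ f_{i,D_1}(E)^q=\prod _P \left( f_{i,D_1}(P)^q\right) ^{n_P}=\prod _P f_{i,D_1}(\pi (P))^{n_{\pi (P)}}=f_{i,D_1}(E). $$

The supports of \(div(f_{i,D_1})\) and \(E\) are disjoint, so \(f_{i,D_1}(E)\) is neither \(0\) nor \(\infty \). Therefore \(f_{i,D_1}(E)\in \mathbb {F}_{q}^{*}\) and \(f_{i,D_1}(E)^{q-1}=1\).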

Proof of Lemma 2: Let \(\phi \) be the \(\mathbb {F}_{q}\)-rational automorphism defined in Theorem 1, then \([\lambda ]D_1=\phi (D_1)\). Since the automorphism is also an isogeny, we can denote its dual isogeny as \(\widehat{\phi }\), where \(\phi \circ \widehat{\phi }=[1]\) and \(\widehat{\phi }\) is also \(\mathbb {F}_{q}\)-rational. Thus \([\lambda ]D_2=\widehat{\phi }(D_1)\). According to Lemma \(3\) in [11], we have \(f_{\lambda ,[\lambda ]D_{1}}=\alpha f_{\lambda ,D_{1}}\circ \widehat{\phi }\) with \(\alpha \in \mathbb {F}_{q}\). By mathematical induction, the identity can be obtained. Following Lemma 1 with \(i=j=\lambda \), we have

$$ \left( \frac{f_{\lambda ,D_{1}}(\varepsilon ([\lambda ]D_{2}))}{f_{\lambda ,D_{2}} (\varepsilon ([\lambda ]D_{1}))}\right) ^{q-1}= \left( \frac{f_{\lambda ,D_{1}}(\varepsilon (D_{2}))}{f_{\lambda ,D_{2}}(\varepsilon (D_{1}))}\right) ^{\lambda (q-1)}. $$

Suppose the identity in Lemma 2 holds for \(i\); we can prove that it also holds for \(i+1\). In fact,

$$ \begin{array}{ll} \left( \frac{f_{\lambda ,D_{1}}(\varepsilon ([\lambda ^{i+1}]D_{2}))}{f_{\lambda ,D_{2}}(\varepsilon ([\lambda ^{i+1}]D_{1}))}\right) ^{q-1} &{}=\left( \frac{f_{\lambda ,D_{1}}(\varepsilon (\widehat{\phi }^i([\lambda ]D_{2})))}{f_{\lambda ,D_{2}}(\varepsilon ([\lambda ][\lambda ^{i}]D_{1}))}\right) ^{q-1}\\ &{}=\left( \frac{f_{\lambda ,D_{1}}(\widehat{\phi }^i(\varepsilon ([\lambda ]D_{2})))}{f_{\lambda ,D_{2}}(\varepsilon ([\lambda ][\lambda ^{i}]D_{1}))}\right) ^{q-1}\\ &{}=\left( \frac{f_{\lambda ,[\lambda ^i]D_{1}}(\varepsilon ([\lambda ]D_{2}))}{f_{\lambda ,D_{2}}(\varepsilon ([\lambda ][\lambda ^{i}]D_{1}))}\right) ^{q-1}\\ &{}=\left( \frac{f_{\lambda ,[\lambda ^i]D_{1}}(\varepsilon (D_{2}))}{f_{\lambda ,D_{2}}(\varepsilon ([\lambda ^{i}]D_{1}))}\right) ^{\lambda (q-1)}\\ &{}=\left( \frac{f_{\lambda ,D_{1}}(\varepsilon ([\lambda ^{i}]D_{2}))}{f_{\lambda ,D_{2}}(\varepsilon ([\lambda ^{i}]D_{1}))}\right) ^{\lambda (q-1)}\\ &{}=\left( \frac{f_{\lambda ,D_{1}}(\varepsilon (D_{2}))}{f_{\lambda ,D_{2}}(\varepsilon (D_{1}))}\right) ^{\lambda ^{i+1}(q-1)}. \end{array} $$

Mathematical induction gives the result of this lemma.       \(\square \)

Proof of Lemma 3: To prove the result, it suffices to show that \(\left( \left( \frac{f_{\lambda ,D_{1}}(\varepsilon (D_{2}))}{f_{\lambda ,D_{2}}(\varepsilon (D_{1}))}\right) ^{q-1}\right) ^r=1. \) As is stated in Lemma 1, \(u_\infty \) is an \(\mathbb {F}_{q}\)-rational uniformizer for \(P_\infty \). For reasons similar to those for Equation (2),

$$ {f_{\lambda ,D_{2}}{u_\infty }^{((\lambda -1)m_{2})}}(P_\infty )={f_{r,D_{2}}{u_\infty }^{rm_{2}}}(P_\infty )=1. $$

Assume \(div(u_\infty )=P_\infty +D_\infty \) and \(supp(D_\infty ) \cap supp(div(f_{r,D_1}))=\emptyset \). According to Weil reciprocity [23] and Fermat’s Little Theorem, we have

$$ \begin{array}{ll} \left( \frac{f_{\lambda ,D_{1}}(\varepsilon (D_{2}))}{f_{\lambda ,D_{2}}(\varepsilon (D_{1}))}\right) ^{(q-1)r}\\ =\left( \frac{f_{\lambda ,D_{1}}(\varepsilon (D_{2})-m_2(P_\infty )+div(u_\infty ^{m_2}))}{f_{\lambda ,D_{2}}{u_\infty }^{(\lambda -1)m_{2}} (\varepsilon (D_{1})-m_1(P_\infty ))}\right) ^{(q-1)r}\\ =\left( \frac{f_{\lambda ,D_{1}}(r D_{2}+div(u_\infty ^{rm_2}))}{f_{\lambda ,D_{2}}{u_\infty }^{(\lambda -1)m_{2}}(r D_{1})}\right) ^{(q-1)r}\\ =\left( \frac{{f_{r,D_{2}}{u_\infty }^{rm_{2}}}(\lambda D_1-[\lambda ]D_1)}{f_{r,D_{1}}(\lambda D_2-[\lambda ]D_2+div(u_\infty ^{(\lambda -1)m_2}))}\right) ^{q-1}\\ =\left( \frac{{f_{r,D_{2}}(\lambda \varepsilon (D_{1})-\varepsilon ([\lambda ]D_{1})){u_\infty }^{rm_{2}}}(\lambda \varepsilon (D_{1})-\varepsilon ([\lambda ]D_{1})){f_{r,D_{2}}{u_\infty }^{rm_{2}}}(-(\lambda -1)m_1(P_\infty ))}{f_{r,D_{1}}(\lambda \varepsilon (D_{1})-\varepsilon ([\lambda ]D_{1}))f_{r,D_{1}}(D_\infty )}\right) ^{q-1}\\ =\left( \frac{f_{r,D_{2}}(\lambda \varepsilon (D_{1}))}{f_{r,D_{1}}(\lambda \varepsilon (D_{2}))} \frac{f_{r,D_{1}}(\varepsilon ([\lambda ]D_{2}))}{f_{r,D_{2}}(\varepsilon ([\lambda ]D_{1}))}\right) ^{q-1}\\ =\left( \frac{f_{r,D_{2}}( \varepsilon (D_{1}))}{f_{r,D_{1}}( \varepsilon (D_{2}))}\right) ^\lambda \left( \frac{f_{r,[\lambda ]D_{1}}(\varepsilon (D_{2}))}{f_{r,D_{2}}(\varepsilon ([\lambda ]D_{1}))}\right) ^{q-1}\\ =\left( (-1)^{rm_1m_2}e_r(D_{1},D_{2})^\lambda (-1)^{rm_1m_2}e_r(D_{2},[\lambda ]D_{1})\right) ^{q-1}\\ =\left( e_r(D_{1},D_{2})^\lambda e_r(D_{2},D_{1})^\lambda \right) ^{q-1}\\ =1 \end{array} $$

This completes the proof of Lemma 3.

      \(\square \)

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Chen, S., Wang, K., Lin, D., Wang, T. (2014). Omega Pairing on Hyperelliptic Curves. In: Lin, D., Xu, S., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2013. Lecture Notes in Computer Science, vol 8567. Springer, Cham. https://doi.org/10.1007/978-3-319-12087-4_11

  • DOI: https://doi.org/10.1007/978-3-319-12087-4_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-12086-7

  • Online ISBN: 978-3-319-12087-4

  • eBook Packages: Computer Science, Computer Science (R0)
