Pairing Computation on Edwards Curves with High-Degree Twists

Abstract

Elliptic curve can be seen as the intersection of two quadratic surfaces in space. In this paper, we used the geometry approach to explain the group law for general elliptic curves given by intersection of two quadratic surfaces, then we construct the Miller function over the intersection of quadratic surfaces. As an example, we obtain the Miller function of Tate pairing computation on twisted Edwards curves. Then we present the explicit formulae for pairing computation on Edwards curves. Our formulae for the doubling step are a littler faster than that proposed by Arène et al.. Moreover, when \(j=1728\) and \(j=0\) we consider quartic and sextic twists to improve the efficiency respectively. Finally, we present the formulae of refinements technique on Edwards curves to obtain gain up when the embedding degree is odd.

A Examples of Pairing-Friendly Edwards Curves

We list some pairing friendly Edwards curves with various k=6,12,24. We use construction 6.6 in [10] to present it. \(h=\#S_{1,d}(\mathbb {F}_p)/r\), \(\rho =\log _2(p)/\log _2(r)\).

$$\begin{aligned} k=&6, \rho =1.99, \lceil \log _2(p)\rceil =511, \lceil \log _2(r)\rceil =257, \lceil \log _2(p^k)\rceil =3063,\\ p=&4469269309980865699858008332735282459011729442283504212242920046\\&5254107669101255894363776709837049695943172869161549919107677836\\&20776600027887471085196217,\\ r=&1157920892373161954235709850086879132491274769309617791781887340\\&53461721558841,\\ h=&2^6\cdot 3\cdot 11^4\cdot 31^2\cdot 15659837533^2\cdot 241375889423392081986527^2,\\ d=&3664251552441012307564539365366691396566209647164298880039621750\\&3855065157940074941206695810480629869345608774421066373731513792\\&25747580224215243612885716.\\ \end{aligned}$$

$$\begin{aligned} k=&12, \rho =1.48, \lceil \log _2(p)\rceil =239, \lceil \log _2(r)\rceil =161, \lceil \log _2(p^k)\rceil =2861,\\ p=&5889490310694441330739011548712381814951849552463124431529211730\\&78632117,\\ r=&1461501653010476419563824324075703470606892615001,\\ h=&2^4\cdot 3\cdot 13^2\cdot 19^2\cdot 331^2\cdot 1120711^2,\\ d=&3039686049194322977578848038674418249362581181730689600918590539\\&56432956.\\ \end{aligned}$$

$$\begin{aligned} k=&12, \rho =1.49, \lceil \log _2(p)\rceil =383, \lceil \log _2(r)\rceil =257, \lceil \log _2(p^k)\rceil =4589,\\ p=&1313400206546489077704631059395345592330370814691407061669418717\\&8169845236078372714249135715340284274851981554471437,\\ r=&1157920892373165737821551871767212460418194942614239462794724036\\&61265709211401,\\ h=&2^4\cdot 3^5\cdot 3245503^2\cdot 52627646891^2,\\ d=&2086750387520096896070418610187776681469852959441702575044395173\\&987802972703740715028995508138402551966362217924268.\\ \end{aligned}$$

$$\begin{aligned} k=&24, \rho =1.24, \lceil \log _2(p)\rceil =319, \lceil \log _2(r)\rceil =257, \lceil \log _2(p^k)\rceil =7642,\\ p=&7120003282946788688767832825047892963122039770343506948090350241\\&49143440464464180057177127640101,\\ r=&1157926942199022831048968574721142864333630419694136944823750216\\&16015000100401,\\ h=&2^4\cdot 3^3\cdot 5^4\cdot 17^2\cdot 280717^2,\\ d=&6563654562067688285838956119740898916476600058476145431602456870\\&2651596101614445130173618550273.\\ \end{aligned}$$