Faster Pairing Computation on Jacobi Quartic Curves with High-Degree Twists

Abstract

In this paper, we first propose a geometric approach to explain the group law on Jacobi quartic curves which are seen as the intersection of two quadratic surfaces in space. Using the geometry interpretation we construct Miller function. Then we present explicit formulae for the addition and doubling steps in Miller’s algorithm to compute the Tate pairing on Jacobi quartic curves. Our formulae on Jacobi quartic curves are better than previously proposed ones for the general case of even embedding degree. Finally, we present efficient formulas for Jacobi quartic curves with twists of degree 4 or 6. Our pairing computation on Jacobi quartic curves are faster than the pairing computation on Weierstrass curves when \(j=1728\). The addition steps of our formulae are fewer than the addition steps on Weierstrass curves when \(j=0\).

Appendices

A Examples with \(j=1728\)

Using the construction in [19] and [23] to present Jacobi quartic curves with \(j=1728\) over \(\mathbb {F}_q\) for embedding degree \(k=8,16\), we list some pairing friendly Jacobi quartic curves with 4|k. Let q be the prime for the finite field \(\mathbb {F}_q\), r be the large prime order of a subgroup in \(J(\mathbb {F}_p)\), \(\rho = \log (p)/\log (r)\) and hw be the Hamming weight of r (Tables 5, 6).

Table 5. An example of TN8 curve

Table 6. An example of KSS16 curve

B Examples with \(j=0\)

Using the construction in [13] to present Jacobi quartic curves \(J_{a,d}:y^2=dx^4+2ax^2+1\) with \(j=0\) over \(\mathbb {F}_q\) for embedding degree \(k=12, 24\). For each k, curves at two security levels are given. Let t be the Frobenius trace, q be the prime for the finite field \(\mathbb {F}_q\), r be the large prime order of a subgroup in \(J(\mathbb {F}_q)\), \(n=\sharp J(\mathbb {F}_q)\), and \(\rho = \log (q)/\log (r)\) (Table 7).

Table 7. \(J_{-27,-9}:y^2=-27x^4-18x^2+1\) over \(\mathbb {F}_q\) for embedding degree \(k=12, 24\)