Efficient Computation for Pairing Based Cryptography: A State of the Art

Cryptographic protocols are divided into two main classes: symmetric systems, where keys are secret, and asymmetric approaches with public keys. The security of this second category is based on algebraic problems known to be difficult to solve. Historically, in 1976, Diffie and Hellman described a protocol [26] which was one of the first cryptosystems based on the discrete logarithm problem. Later, the introduction of elliptic curves in cryptography was promoted by V. Miller [55] and N. Koblitz [47], and a large spectrum of cryptosystems appeared. Pairings are bilinear maps which allow transforming a problem on abelian varieties, such as elliptic curves, into a problem on finite fields. A first use of such maps concerns cryptanalysis and was proposed in 1993 by Menezes, Okamoto and Vanstone [53] and in 1994 by G. Frey and H.G. Rück [36], who linked pairings to the discrete logarithm problem on curves.


Introduction
In 2000, A. Joux [45] proposed a tripartite Diffie-Hellman key exchange using pairings. That was the beginning of a blossoming literature on the subject. In 2003, D. Boneh and M. Franklin solved a challenge posed by Shamir [65] in 1984 by creating an identity-based encryption scheme [19] based on pairings. The construction of pairings relies on the algorithm proposed in 1986 by Victor Miller [54,56]. A consequence of the rich literature on this subject [62] was the creation of a conference devoted to pairing based cryptography, Pairings [60].
With the birth of this new domain of investigation in cryptography, the problem of implementing these protocols arises. This point is crucial for the practical interest of pairings: the cost and performance of the implementation determine whether a cryptosystem is usable. Some good studies on pairing implementation are given by P. Barreto et al. [13,15]; we can also refer to some books [29,37]. We detail later what a pairing is, but at a high level: a pairing is a bilinear map from two groups $G_1$, $G_2$ into a third group $G_3$, all abelian groups of the same order.
The bilinearity is the property that $e(a \cdot A, b \cdot B) = e(A, B)^{a \cdot b}$.
For an efficient realization, $G_1$ and $G_2$ are subgroups of an elliptic curve and $G_3$ is a subgroup of a finite field. The size of the groups is fixed by security considerations and relies on the fact that the discrete logarithm problem is hard to solve over $G_1$, $G_2$ and $G_3$. Pairings are mainly computed with Miller's algorithm. As a pairing evaluation can be embedded in a smart card, the question of an efficient implementation is very important.
Several publications deal with the efficiency of pairing implementations. Each of them focuses on one aspect of the implementation. We want here to bring together every possible optimization. The outline of the chapter is the following. First, in Section 2 we present the necessary background for a pairing implementation. We present the first two pairings, the Weil and the Tate pairings, as well as their optimizations, the Eta pairing, the Ate pairing and the twisted Ate pairing, which lead to the notions of optimal pairing and pairing lattices. We also give a first analysis of the arithmetic of pairings. In Section 4, we present the mathematical optimizations of pairings: the use of twisted elliptic curves, which leads to denominator elimination, and the improvement of squaring using cyclotomic subgroups. In Section 5, we present the arithmetical optimizations of a pairing implementation. We describe the different options for an efficient multiplication in Sections 5.2, 5.3, 5.3.1 and 5.4. We also describe how an original representation of a finite field can improve a pairing computation in Section 5.5. In Section 5.6, we describe how the choice of the model of the elliptic curve and of its coordinates affects the implementation. Finally, we conclude in Section 6.

Background and notation
Let $E$ be an elliptic curve over a finite field $\mathbb{F}_p$, with $P_\infty$ denoting the identity element of the associated group of rational points $E(\mathbb{F}_p)$. For a positive integer $r \mid \#E(\mathbb{F}_p)$ coprime to $p$, let $\mathbb{F}_{p^k}$ be the smallest extension field of $\mathbb{F}_p$ which contains the $r$-th roots of unity of $\overline{\mathbb{F}}_p$; the extension degree $k$ is called the security multiplier or embedding degree. Let $E(\mathbb{F}_p)[r]$ (respectively $E(\mathbb{F}_{p^k})[r]$) denote the subgroup of $E(\mathbb{F}_p)$ (respectively $E(\mathbb{F}_{p^k})$) of all points of order dividing $r$. The two groups $G_1$ and $G_2$ will be subgroups of elliptic curve groups and $G_3$ is a subgroup of the multiplicative group of a finite field.

The Miller algorithm
The Miller algorithm is the most important step in the computation of the Weil, Tate and Ate pairings. It is constructed like a double-and-add scheme following the computation of $[r]P$. Miller's algorithm is based on the notion of divisors. We only give here the essential elements for the pairing computation.
The Miller algorithm constructs the rational function $f_{r,P}$ associated to the point $P$, where $P$ is a generator of $G_1 \subset E(\mathbb{F}_p)$; at the same time, it evaluates $f_{r,P}(Q)$ for a point $Q \in G_2 \subset E(\mathbb{F}_{p^k})$.
is the equation of the tangent at the point $T$.
Definition 2.2. The Tate pairing, denoted $e_{\mathrm{Tate}}$, is defined by:
Here, the function $f_{r,P}$ is normalized, i.e. $(u_0^r f_{r,P})(P_\infty) = 1$ for some $\mathbb{F}_p$-rational uniformizer $u_0$ at $P_\infty$. This pairing is only defined up to a representative of $(\mathbb{F}_{p^k}^*)^r$. In order to obtain a unique value we raise it to the power $(p^k - 1)/r$, obtaining an $r$-th root of unity that we call the reduced Tate pairing. Let $\pi_p$ be the Frobenius map over the elliptic curve: $\pi_p : E \to E : (x, y) \mapsto (x^p, y^p)$. We denote the Frobenius trace by $t$.
Theorem 2.3. For $P \in G_1$ and $Q \in G_2$ the following properties hold [43]:
$\bmod r$
⋄ for $r$ not dividing $L$, the Ate pairing is non-degenerate.
We therefore obtain the reduced Ate pairing $f_{T,Q}(P)^{(p^k - 1)/r}$, which is a power of the Tate pairing. As the trace $t$ is on average of size $\sqrt{p}$, for $r \sim p$ the loop length of Miller's algorithm when computing the Ate pairing is about half the loop length for the Tate pairing.

The Duursma-Lee pairing
Duursma and Lee use a family of hyperelliptic curves, including supersingular curves over finite fields of characteristic three, and adapt it to pairings.
For $\mathbb{F}_p$ with $p = 3^m$ and $k = 6$, suitable curves are defined by an equation of the form
and $G_3 = \mathbb{F}_{p^6}$; Algorithm 2 computes an admissible, symmetric pairing.

The η and $\eta_G$ pairings
Barreto et al. [12] introduce the η pairing by generalising the Duursma-Lee pairing to allow the use of supersingular curves over finite fields of any small characteristic; Kwon [49] independently used the same approach, and in both cases characteristic two is of specific interest. The η pairing already has a simple final powering, but work by Galbraith et al. [38] (see [59, Section 5.4]) demonstrates that it can be eliminated entirely; the crucial step is that the usual denominator elimination is not applied, which is made possible by the evaluation of additional line functions. Interestingly, the analysis of this approach shows no negative security implication in terms of pairing inversion and so on. We follow Whelan and Scott [71] in calling this approach the $\eta_G$ pairing.
For $\mathbb{F}_p$ with $p = 2^m$ and $k = 4$, suitable curves are defined by an equation of the form
Theory and Practice of Cryptography and Network Security Protocols and Technologies
Algorithm 3: The η pairing algorithm.
Note that $s = t^5$ and that $t$ satisfies $t^4 = t + 1$, so we can also represent $\mathbb{F}_{p^4}$ as $\mathbb{F}_p[t]/(t^4 + t + 1)$. Then, by setting $G_1 = G_2 = E(\mathbb{F}_p)$ and $G_3 = \mathbb{F}_{p^4}$, Algorithm 4 computes an admissible, symmetric pairing.
Historically, the Weil and Tate pairings were developed by mathematicians without any consideration for cryptography. As the efficient implementation of pairings became an interesting question for cryptographers, they sought to improve these two pairings. The Ate and twisted Ate pairings are improvements of the Tate pairing obtained through mathematical properties [43]. The notions of optimal pairing [70] and pairing lattices [42] are the latest developments. The number of iterations is reduced to the minimum in [70]. In [42], F. Hess proves that all pairings are related: the different pairings are in fact elements of a lattice in which each pairing is a power of another pairing. In the following sections we work with the Tate pairing, since any optimization of the Tate pairing can easily be adapted to the other pairings.

Analysis of the arithmetic
In order to present the different existing options for the optimization of a pairing computation, we focus on Miller's algorithm. Among the several algorithms which exist to compute a pairing, the most efficient implementations are obtained with Miller's algorithm.
Let $P = (X_P, Y_P)$ be a point in affine coordinates of $E(\mathbb{F}_p)[r]$ (or in Jacobian coordinates with $Z_P = 1$). We consider the point $Q$ of order $r$ in $E(\mathbb{F}_{p^k})$, also given in affine coordinates $(x_Q, y_Q)$. Let $G_1 = \langle P \rangle$ be the subgroup of order $r$ of $E(\mathbb{F}_p)$ generated by the point $P$ and $G_2 = \langle Q \rangle$ the subgroup of order $r$ of $E(\mathbb{F}_{p^k})$. We want to compute a pairing between $G_1$ and $G_2$, under the condition
The group $G_3$ is a subgroup of order $r$ of $\mathbb{F}_{p^k}^\star$.
Let $T = (X_T, Y_T, Z_T)$ be a point of $E(\mathbb{F}_{p^k})$ in Jacobian coordinates. The main advantage of Jacobian coordinates is that no inversion is needed in the arithmetic over the elliptic curve. Miller's algorithm is given in Algorithm 5.
Algorithm 5: Miller(P, Q, r)
The functions $l_1(Q)$, $l_2(Q)$, $v_1(Q)$ and $v_2(Q)$ occurring in Miller's algorithm take their values in $\mathbb{F}_{p^k}^\star$. The parameters $f_1$ and $f_2$ are elements of $\mathbb{F}_{p^k}^\star$. The order $r$ of the subgroups is chosen with a very sparse binary decomposition. In this case, the addition step of Miller's algorithm is rarely executed, whereas the doubling step is computed at every iteration. As a consequence, we consider that the complexity of Miller's algorithm is approximately given by the doubling step, so we only consider the computation of $l_1$ and $v_1$ in the complexity evaluation of Miller's algorithm.
In the general case, we consider that the equation of the elliptic curve is given in the Weierstrass form $E : Y^2 = X^3 + aXZ^4 + bZ^6$, with $a$ and $b$ elements of $\mathbb{F}_p$. In order to be very general, we consider $a$ and $b$ arbitrary. Indeed, it is possible to take $a = -3$ [20], and the value of $b$ is also a source of optimizations, but we do not take these options into consideration. We denote $P = (X_P, Y_P)$, $T = (X_T, Y_T, Z_T)$ the current point in Miller's algorithm and $2T = (X_{2T}, Y_{2T}, Z_{2T})$ the double of $T$.
The formulas for doubling in Jacobian coordinates are the following [25]:
In this case, the expressions of $l_1$ and $v_1$, for $Q = (x_Q, y_Q) \in E(\mathbb{F}_{p^k})$, are given by
We may remark that some intermediate results of the previous formulas can be reused, for instance
This precomputation reduces the cost of the doubling step, counted in number of operations over the finite field $\mathbb{F}_p$.
Let $A_{p^e}$ (respectively $Sub_{p^e}$, $Sq_{p^e}$ and $M_{p^e}$) denote an addition (respectively a subtraction, a squaring and a multiplication) in the finite field $\mathbb{F}_{p^e}$, for $e$ a natural integer. Let also $M_a$ be the cost of a multiplication by $a$. Table 1 gives the cost of each operation occurring in the computation of the doubling step. Each cost is given in number of operations over the finite fields. We optimize the computation as far as possible without any trick other than the following ones. We consider that a multiplication by 2 is nothing more than a shift in binary representation and may thus be neglected. As a consequence, a multiplication by 3 can be seen as a multiplication by 2 plus an addition, so a multiplication by 3 is equivalent to an addition. We present in Section 4 the optimizations related to mathematics and in Section 5 the optimizations related to the arithmetic of finite fields and to algorithmic improvements.

Pairing based cryptography
The first use of pairings in cryptography was destructive: in [53] the Weil pairing was used to shift the discrete logarithm problem from an elliptic curve to a finite field. As the discrete logarithm problem is more easily solved over a finite field than over an elliptic curve, the MOV attack consists in transferring a hard problem to a structure where the same problem is easier. The MOV attack is named after its authors Menezes, Okamoto and Vanstone. Later on, pairings were used to improve existing protocols, such as the tripartite Diffie-Hellman key exchange [45], and to construct original protocols like identity based encryption [19,21].
The aim of identity based encryption is that a person $\lambda$, even if $\lambda$ knows nothing about cryptography, is able to receive and, more importantly, to read an encrypted message with almost no help.
The public key of $\lambda$ is its identity; its private key is sent to $\lambda$ by a trusted authority $T$. This trusted authority holds all the private keys of the identity based protocol.
The general scheme of identity based encryption is the following.
The public data are an elliptic curve $E$ over a finite field $\mathbb{F}_p$, a pairing $\hat{e}$ and a hash function $H$ which associates a point of $E(\mathbb{F}_p)$ to an identity: $H : \{\text{Identity}\} \to E(\mathbb{F}_p)$. We consider that two persons, Alice and Bob, want to share a common secret to use as a key in a secure communication.
With the public data, Alice can compute $Q_B = H(\text{Bob})$, the public key of Bob, and Bob can compute $Q_A = H(\text{Alice})$, the public key of Alice. Alice and Bob request their secret keys from the trusted authority. The secret key is a point of $E(\mathbb{F}_p)$.
The trusted authority chooses $s$ as its secret key, then generates $P_A = [s]Q_A$, the secret key of Alice, and $P_B = [s]Q_B$, the secret key of Bob. Then, Alice (respectively Bob) can compute $\hat{e}(P_A, Q_B)$ (respectively $\hat{e}(Q_A, P_B)$); by bilinearity, Alice and Bob have computed the same key $\hat{e}(Q_A, Q_B)^{s}$. Indeed: $\hat{e}(P_A, Q_B) = \hat{e}([s]Q_A, Q_B) = \hat{e}(Q_A, Q_B)^{s} = \hat{e}(Q_A, [s]Q_B) = \hat{e}(Q_A, P_B)$.
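As an added worked example (Python written for this page, not code from the chapter), the following computes the reduced Tate pairing with Miller's double-and-add loop of Algorithm 5 (in affine rather than Jacobian coordinates) and then runs the key agreement above on it. It assumes the constructed toy curve $E : y^2 = x^3 + x$ over $\mathbb{F}_p$ with $p = 523$, $r = 131$ and $k = 2$, a distortion map in place of a separate group $G_2$, and a try-and-increment hash as $H$; the `keep_denominators` switch shows that the denominators $v$ can be dropped here because $x_Q \in \mathbb{F}_p$.

```python
import hashlib

# Constructed toy parameters: p = 3 mod 4 makes E: y^2 = x^3 + x supersingular with
# #E(F_p) = p + 1 = 4*r, r prime, and embedding degree k = 2 (r | p + 1, r does not divide p - 1).
p, r = 523, 131

# F_{p^2} = F_p[i]/(i^2 + 1); an element (a, b) stands for a + b*i.
def f2_mul(u, v):
    (a, b), (c, d) = u, v
    return ((a * c - b * d) % p, (a * d + b * c) % p)

def f2_inv(u):
    a, b = u
    n = pow(a * a + b * b, p - 2, p)              # inverse of the norm a^2 + b^2
    return (a * n % p, -b * n % p)

def f2_pow(u, e):
    acc, base = (1, 0), u
    while e:
        if e & 1:
            acc = f2_mul(acc, base)
        base, e = f2_mul(base, base), e >> 1
    return acc

# Affine points of E(F_p); None is the identity P_inf.
def ec_add(P, Q):
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + 1) * pow(2 * y1, p - 2, p) % p   # tangent slope, a = 1
    else:
        lam = (y2 - y1) * pow(x2 - x1, p - 2, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(n, P):
    R = None
    for bit in bin(n)[2:]:                         # double-and-add, msb first
        R = ec_add(R, R)
        if bit == "1":
            R = ec_add(R, P)
    return R

def miller_step(T, R, Q):
    """(l(Q), v(Q), T + R): l is the line through T and R (tangent if T == R),
    v the vertical through T + R, both evaluated at Q = (xq, yq) in F_{p^2}."""
    (xt, yt), (xr, yr), (xq, yq) = T, R, Q
    S = ec_add(T, R)
    if S is None:                                  # l is the vertical x - xt, v_{P_inf} = 1
        return ((xq[0] - xt) % p, xq[1]), (1, 0), None
    if T == R:
        lam = (3 * xt * xt + 1) * pow(2 * yt, p - 2, p) % p
    else:
        lam = (yr - yt) * pow(xr - xt, p - 2, p) % p
    l = ((yq[0] - yt - lam * (xq[0] - xt)) % p, (yq[1] - lam * xq[1]) % p)
    v = ((xq[0] - S[0]) % p, xq[1])
    return l, v, S

def miller(P, Q, keep_denominators=True):
    """Miller's loop for f_{r,P}(Q) over the bits of r (Algorithm 5, affine form)."""
    f, T = (1, 0), P
    for bit in bin(r)[3:]:                         # bits of r after the leading one
        l, v, T = miller_step(T, T, Q)             # doubling: f <- f^2 * l_1 / v_1
        f = f2_mul(f2_mul(f, f), l)
        if keep_denominators:
            f = f2_mul(f, f2_inv(v))
        if bit == "1":                             # addition: f <- f * l_2 / v_2
            l, v, T = miller_step(T, P, Q)
            f = f2_mul(f, l)
            if keep_denominators:
                f = f2_mul(f, f2_inv(v))
    assert T is None                               # [r]P = P_inf
    return f

def tate(P, Q, keep_denominators=True):
    """Reduced Tate pairing e(P, psi(Q)), psi(x, y) = (-x, i*y) the distortion map.
    x_{psi(Q)} lies in F_p, so every v lies in F_p and is killed by the exponent
    (p^2 - 1)/r = 4(p - 1): the denominators can be dropped."""
    xq, yq = Q
    psi_q = ((-xq % p, 0), (0, yq))
    return f2_pow(miller(P, psi_q, keep_denominators), (p * p - 1) // r)

def hash_to_curve(identity):
    """H: identity -> point of order r of E(F_p) (constructed try-and-increment)."""
    ctr = 0
    while True:
        h = hashlib.sha256(identity.encode() + ctr.to_bytes(4, "big")).digest()
        x = int.from_bytes(h, "big") % p
        rhs = (x * x * x + x) % p
        y = pow(rhs, (p + 1) // 4, p)              # square root if rhs is a square
        if y * y % p == rhs:
            R = ec_mul((p + 1) // r, (x, y))       # clear the cofactor 4
            if R is not None:
                return R
        ctr += 1

def ibe_key_agreement(s, alice, bob):
    """Authority secret s, issued keys P_A = [s]Q_A and P_B = [s]Q_B.
    Returns Alice's key e(P_A, Q_B), Bob's key e(Q_A, P_B) and e(Q_A, Q_B)^s."""
    Q_A, Q_B = hash_to_curve(alice), hash_to_curve(bob)
    P_A, P_B = ec_mul(s, Q_A), ec_mul(s, Q_B)
    return tate(P_A, Q_B), tate(Q_A, P_B), f2_pow(tate(Q_A, Q_B), s)
```

Because both identities hash into the same cyclic group of order $r$, the pairing with the distortion map is symmetric, which is what makes the two computations of the key agree.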

Mathematical optimizations
We recall here the mathematical optimizations of pairings. As a pairing is defined over an elliptic curve, which is an abelian variety, the first optimizations of a pairing computation come from the mathematical background of pairings. We first use the twist of an elliptic curve; pairing friendly elliptic curves follow. We then consider the cyclotomic subgroup of a finite field and how the final exponentiation of a pairing computation can be improved.

The twist of an elliptic curve
The twisted elliptic curve of $E$ is another elliptic curve isomorphic to $E$. Using twisted elliptic curves (when possible) in pairing based cryptography is a way to avoid the denominator evaluation in Miller's algorithm. The execution of Miller's algorithm involves computations over $E(\mathbb{F}_{p^k})$; considering a twist of degree $d$ of $E(\mathbb{F}_{p^k})$ allows some computations to be executed in $\mathbb{F}_{p^{k/d}}$.
Definition 4.1. Let $E$ and $E'$ be two elliptic curves; the elliptic curve $E'$ is a twisted elliptic curve of $E$ if there exists an isomorphism $\Phi$ defined over $\mathbb{F}_p$ mapping each point of $E'$ to a point of $E$.
There is a limited number of twisted elliptic curves of $E$. The number of twisted curves depends on the finite field on which the elliptic curve $E$ is defined. Theorem 4.2 from [64] gives the classification of the possible twists.
Theorem 4.2. Let $E$ be an elliptic curve of equation $y^2 = x^3 + ax + b$ defined over $\mathbb{F}_{p^k}$. Depending on the value of $k$, the possible degrees $d$ of twists are 2, 3, 4 and 6. Let $E'$ be a twist of $E$; the morphism between $E$ and $E'$ is one of the following.
• $d = 2$. The equation of $E'$ is
, where $D \in \mathbb{F}_{p^{k/2}}$ is not a quadratic residue, i.e. such that the polynomial $X^2 - D$ has no solution over $\mathbb{F}_{p^{k/2}}$. The morphism $\Phi_d$ is defined by
• $d = 4$. The elliptic curve $E$ has a twist of degree 4 if and only if $b = 0$. The equation of $E'$ is then
, where $D$ is not a residue of degree 4, i.e. the polynomial $X^4 - D$ has no root in $\mathbb{F}_{p^{k/4}}$. The morphism is then
• $d = 3$ (resp. 6). The curve $E$ has a twist of degree 3 or 6 if and only if $a = 0$. The equation of $E'$ is
, where $D$ is not a residue of degree 3 (resp. 6), i.e. the polynomial $X^3 - D$ (resp. $X^6 - D$) has no root. The morphism is then
Considering the definition above, an elliptic curve can admit a twist of degree 2, 3, 4 or 6. We only consider here twisted elliptic curves of even degree. In order to simplify the notation, we consider a twist of degree 2; the same method can be applied to twists of degree 4 and 6. The case of a twist of degree 3 is a little different, but can also be handled; we refer to [31] for more details. Using a twisted elliptic curve of $E(\mathbb{F}_{p^k})$ allows some computations of Miller's algorithm to be done in a subfield of $\mathbb{F}_{p^k}$ instead of $\mathbb{F}_{p^k}$, and thus simplifies the computation. Using a twisted elliptic curve is the solution to avoid the denominators in Miller's algorithm (i.e. the update of the function $f_2$). We denote $E'(\mathbb{F}_{p^{k/2}})$ the twisted curve of $E(\mathbb{F}_{p^k})$, for an even $k$. We may remark that the twisted elliptic curve of $E$ is an elliptic curve defined over an extension of degree half of the initial extension $\mathbb{F}_{p^k}$ [11].
The probability that the point $Q = (x, y\sqrt{\nu})$, image of $Q' = (x, y) \in E'$ by $\Psi_2$, belongs to the subgroup generated by $P \in E(\mathbb{F}_p)$ is negligible [11]. This assures us that the pairing is non-degenerate between
As a consequence, we can consider that the coordinates of the point $Q$ are elements of $\mathbb{F}_{p^{k/2}}$ up to a multiplication by $\sqrt{\nu}$.
We give the formulae for Miller's algorithm with the use of a twisted elliptic curve. Let $A$, $B$, $C$, $D$, $E$ and $F$ be the intermediate values in the doubling and addition of a point over $E$ (in Jacobian coordinates). These values depend only on the point $P = (X_P; Y_P; Z_P)$ and on multiples of $P$: $T = (X_T; Y_T; Z_T)$, $2T = (X_{2T}; Y_{2T}; Z_{2T})$ and $T + P = (X_3; Y_3; Z_3)$. The equations of the functions $l_1$, $l_2$, $v_1$ and $v_2$ are
The multiplications and additions in these formulae are done in $\mathbb{F}_p$. Considering carefully the equations of $v_1$ and $v_2$, we remark that their values lie in $\mathbb{F}_{p^{k/2}}$. Indeed, the $y$-coordinate of $Q$ does not appear in the denominators $v_1$ and $v_2$, and consequently $\sqrt{\nu}$ does not either. This simple remark allows the elimination of the denominators during the Tate pairing computation.
Property 4.3. During the evaluation of Miller's algorithm for the Tate pairing, the evaluation of $f_2$, and thus the computations of $v_1$ and $v_2$, can be omitted [11]. Indeed, when using a twist, the equation shows that
Proof. The demonstration is a straightforward consequence of the construction of $k$ as the smallest integer such that $r$ divides $p^k - 1$. For an even $k$, $p^k - 1 = (p^{k/2} - 1)(p^{k/2} + 1)$, and the prime $r$ divides $p^k - 1$. By Gauss's theorem, $r$ divides $(p^{k/2} - 1)$ or $(p^{k/2} + 1)$. If $r$ divided $(p^{k/2} - 1)$, the definition of $k$ would be contradicted, thus the only possibility is that $r$ divides $(p^{k/2} + 1)$.
For all $\xi \in \mathbb{F}_{p^{k/2}}$, we know that $\xi^{p^{k/2} - 1} = 1$ (by Fermat's little theorem). Consequently the final exponentiation of the Tate pairing kills every factor of the result belonging to a proper subfield of $\mathbb{F}_{p^k}$. Miller's computation can be simplified by dropping $v_1$ and $v_2$. By the same remark, we can also simplify the functions $l_1$ and $l_2$ into
This method can be applied to every pairing with a final exponentiation. In the case of the Weil pairing, we can also apply it by raising the result of the Weil pairing to the power $p^{k/2} - 1$. The cost of this exponentiation will be studied in Section 4.4.

Pairing friendly fields and elliptic curves
The computation of pairings implies computations over extension fields of the form $\mathbb{F}_{p^k}$. If the embedding degree $k$ is smooth, then the arithmetic in $\mathbb{F}_{p^k}$ can be computed step by step. A complete and extensive definition of smooth numbers is given in [50]; we recall here an intuitive, naive definition.
Definition 4.5. A smooth integer is an integer whose prime factors are all small primes.
Example 4.6. An integer of the form $2^i 3^j$ is smooth.
We illustrate how a smooth integer $k$ allows the construction of $\mathbb{F}_{p^k}$ as a tower of fields.
Example 4.7. Let $l$ be a prime number and $m$ an integer such that $k = lm$. The extension $\mathbb{F}_{p^k}$ of $\mathbb{F}_p$ can be constructed as an extension of degree $l$ of $\mathbb{F}_{p^m}$. We suppose that we have already constructed the extension $\mathbb{F}_{p^m}$. Let $P(X)$ be an irreducible polynomial of degree $l$ in $\mathbb{F}_{p^m}[X]$. Then $\mathbb{F}_{p^{lm}} = \mathbb{F}_{(p^m)^l}$ is constructed as the quotient $\mathbb{F}_{p^m}[X]/(P(X))$.
We use the tower field construction in order to optimize the multiplication over $\mathbb{F}_{p^k}$. We will see in Section 5 that for extensions of degree 2 and 3 we can use the Karatsuba and Toom-Cook multiplications. The tower field construction reduces the number of elementary operations over $\mathbb{F}_p$ needed to compute a multiplication in $\mathbb{F}_{p^k}$ [35].
A. Menezes and N. Koblitz [48] proposed the definition of pairing friendly elliptic curves, which are elliptic curves suitable for pairing computation. Pairing friendly fields are defined with $k$ smooth.
Definition 4.8. A pairing friendly field $\mathbb{F}_{p^k}$ is an extension of a finite field $\mathbb{F}_p$ with the following properties:
• the characteristic $p$ is such that $p \equiv 1 \bmod 12$,
• the embedding degree $k$ is such that $k = 2^i 3^j$.
Pairing friendly fields are such that the polynomial reduction over the extension $\mathbb{F}_{p^k}$ is very easy to compute [50, Theorem 3.75].
Theorem 4.9. Let $\beta \in \mathbb{F}_p$ be neither a square nor a cube in $\mathbb{F}_p$ and $\mathbb{F}_{p^k}$ a pairing friendly field with $k = 2^i 3^j$. Then the polynomial $X^k - \beta$ is irreducible over $\mathbb{F}_p$.
Using the definition and the above property, we construct the extension $\mathbb{F}_{p^k} = \mathbb{F}_p[X]/(X^k - \beta)$ through several extensions of degree 2 and 3. The construction proceeds step by step, taking square or cubic roots of $\beta$ and of the intermediate results.
The representations of the fields $L$, $M$ and $N$ are as follows
The arithmetic in $\mathbb{F}_{p^k}$ can be decomposed at each floor of the tower field construction. As $k$ is a product of powers of 2 and 3, the Karatsuba and Toom-Cook methods are the most suitable for improving the multiplication in $\mathbb{F}_{p^k}$. We consider that a multiplication in $\mathbb{F}_{p^k}$ with $k = 2^i 3^j$ involves $3^i 5^j$ multiplications in $\mathbb{F}_p$, which is denoted $M_{p^k} = 3^i 5^j M_p$.

Cyclotomic subgroup and squaring
A. Lenstra and M. Stam introduce in [52] an efficient method for squaring. They use the structure of a cyclotomic subgroup. They construct an extension of degree 6 with a polynomial different from
, where $\phi_k(p)$ is the $k$-th cyclotomic polynomial evaluated at $p$. The cyclotomic polynomials are constructed such that their roots are the primitive roots of unity.
The multiplication developed by Lenstra and Stam is interesting for computing squares in a degree 6 extension of $\mathbb{F}_p$ (or an extension of degree a multiple of 6). It could be interesting to generalize it to other extension degrees. They construct the degree 6 extension using the cyclotomic polynomial $\phi_k(X) = X^{k/3} - X^{k/6} + 1$. This method can be used for every extension degree that is a multiple of 6.

We are seeking the general expression of an element of $G_{\phi_k(p)}$. We consider that $\alpha$ is a polynomial in several variables over $\mathbb{F}_p$ (the $a_i$'s), with coefficients powers of $\gamma$ in $\mathbb{F}_{p^k}$.
As $\alpha$ belongs to the cyclotomic subgroup $G_{\phi_k(p)}$, the order of $\alpha$ divides the cardinality of $G_{\phi_k(p)}$, which is $\phi_k(p)$. So we have $\alpha^{p^{k/3} - p^{k/6} + 1} = 1$ in $G_{\phi_k(p)}$. This equality can be written $\alpha^{p^{k/3} + 1} = \alpha^{p^{k/6}}$. In order to find the decomposition of $\alpha \times \alpha^{p^{k/3}} - \alpha^{p^{k/6}}$, we can formally compute $\alpha^{p^{k/3}}$ and $\alpha^{p^{k/6}}$
where
As $\alpha \in G_{\phi_k(p)}$, we have that
With this equation, we construct a system in the $\alpha_i$; the resolution of this system gives us the general form of an element of $G_{\phi_k(p)}$.
The subgroup $G_{\phi_k(p)}$ is the set of elements $\alpha$ such that $\forall i$, $v_i = 0$, which gives $\alpha^2 = \alpha^2 + B \cdot \Gamma \cdot {}^t v$, with $B = (1, \gamma, \gamma^2, \ldots, \gamma^{k-1})$ and $\Gamma$ a chosen matrix. As $v$ is zero in $\mathbb{F}_p$, we can reduce the cost of a square with this method. Denoting
we can formally develop the right-hand expression and, for a well chosen matrix $\Gamma$, the formulae for a square in $\mathbb{F}_{p^k}$ are simplified. For instance, for $k = 6$ [52]:
Granger, Page and Smart apply this method to construct Table 3.

The final exponentiation
The Tate pairing (and also the Ate and optimal Ate pairings) is composed of two steps: first the execution of Miller's algorithm and then a final exponentiation. This exponentiation is a very expensive operation, as it takes place in $\mathbb{F}_{p^k}$ and the exponent $(p^k - 1)/r$ is a large integer. In order to simplify this exponentiation it is split into two parts [48] using the fact that:
where $\phi_k(p)$ is the evaluation at $p$ of the $k$-th cyclotomic polynomial.
The first part of the exponentiation uses the twisted elliptic curve and is equivalent to computing the Frobenius map of elements of $\mathbb{F}_{p^k}$. The second part is a reduced exponentiation in $\mathbb{F}_{p^k}$, performed with classical exponentiation methods.

First part of the exponentiation
We consider here the exponentiation to the power $(p^k - 1)/\phi_k(p)$. We first remark that if $k = 2^i 3^j$, then $\phi_k(p) = p^{k/3} - p^{k/6} + 1$ and $(p^k - 1)/\phi_k(p) = (p^{k/2} - 1)(p^{k/6} + 1)$. Using a twist, the result of Miller's algorithm is of the form $(X + Y\sqrt{\nu})$
The computation of $(X + Y\sqrt{\nu})^{p^{k/2} - 1}$ can be decomposed into
Raising an element of $\mathbb{F}_{p^k}$ to the power $p^{k/2}$ is a Frobenius operation, which mainly consists of shifts. The total cost of the exponentiation to the power $(p^{k/2} - 1)$ is a square in $\mathbb{F}_{p^k}$ and a Frobenius application.
We then have to compute $(X' + Y'\sqrt{\nu})^{p^{k/6} + 1}$, which is another application of the Frobenius.
Let $\gamma$ be a root of
The property of a finite field gives $a^p = \sum_{i=0}^{k-1} a_i \gamma^{ip}$ and recursively
For $i$ and $j$ two integers, let $q_{ij}$ and $r_{ij}$ be the quotient and the remainder of the Euclidean division of $ip^j$ by $k$; we know that $\gamma^{ip^j} = (\beta^{q_{ij}} \bmod p)\, \gamma^{r_{ij}}$.
The computation of $(X' + Y'\sqrt{\nu})^{p^{k/6} + 1}$ can be decomposed into
For example, if we describe what happens for the variable $X'$ raised to the power $p^{k/6}$, we obtain the following step
We have to compute the $k/2$ products $x_i (\beta^{q_{i(k/6)}} \bmod p)$, with $x_i$ and $\beta^{q_{i(k/6)}} \bmod p$ in $\mathbb{F}_p$. The total complexity of the first part of the exponentiation is $2kM_p + S_{p^k} + M_{p^k}$ plus shifts and multiplications by $\beta$.
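An added example, written for this page and not taken from the chapter: the Frobenius of $\mathbb{F}_{p^k} = \mathbb{F}_p[X]/(X^k - \beta)$ computed coefficient-wise with $\gamma^{ip^j} = \beta^{q_{ij}} \gamma^{r_{ij}}$, and the first part of the final exponentiation, $(p^{k/2} - 1)(p^{k/6} + 1)$ for $k = 6$, built from two such Frobenius maps. The parameters $p = 37$, $k = 6$ and the search for $\beta$ are constructed choices; `power` is a plain square-and-multiply used only as the reference.

```python
# Constructed parameters: p = 1 mod 12 and k = 2^i 3^j give a pairing friendly field
# (Definition 4.8); X^k - beta is then irreducible for beta neither a square nor a cube.
p, k = 37, 6

def find_beta():
    """Smallest beta in F_p that is neither a square nor a cube (Theorem 4.9)."""
    for b in range(2, p):
        if pow(b, (p - 1) // 2, p) != 1 and pow(b, (p - 1) // 3, p) != 1:
            return b

beta = find_beta()
ONE = [1] + [0] * (k - 1)          # the element 1 = 1*gamma^0

def mul(a, b):
    """Product in F_p[X]/(X^k - beta): schoolbook, then reduce with X^k = beta."""
    c = [0] * (2 * k - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] = (c[i + j] + ai * bj) % p
    for d in range(2 * k - 2, k - 1, -1):      # X^d = beta * X^(d-k) for d >= k
        c[d - k] = (c[d - k] + beta * c[d]) % p
    return c[:k]

def power(a, e):
    """Square-and-multiply exponentiation, used only as the reference."""
    acc = ONE
    while e:
        if e & 1:
            acc = mul(acc, a)
        a, e = mul(a, a), e >> 1
    return acc

def frobenius(a, j):
    """a^(p^j) for a = sum a_i gamma^i, a_i in F_p: a_i^(p^j) = a_i and
    gamma^(i p^j) = beta^q gamma^r with i p^j = q k + r, so the map costs
    k multiplications by powers of beta in F_p and no product in F_{p^k}."""
    out = [0] * k
    for i, ai in enumerate(a):
        q, rem = divmod(i * p ** j, k)
        out[rem] = (out[rem] + ai * pow(beta, q, p)) % p
    return out

def easy_part(a):
    """Exponent (p^k - 1)/phi_k(p) = (p^{k/2} - 1)(p^{k/6} + 1) for k = 6,
    computed with two Frobenius maps, one inversion and two multiplications."""
    b = mul(frobenius(a, k // 2), power(a, p ** k - 2))   # a^(p^{k/2} - 1), inverse via a^(p^k - 2)
    return mul(frobenius(b, k // 6), b)                   # b^(p^{k/6} + 1)

def cyclotomic_exponent():
    """phi_6(p) = p^2 - p + 1, with the identity p^k - 1 = phi_k(p)(p^{k/2} - 1)(p^{k/6} + 1)."""
    phi = p ** (k // 3) - p ** (k // 6) + 1
    assert p ** k - 1 == phi * (p ** (k // 2) - 1) * (p ** (k // 6) + 1)
    return phi
```

The result of `easy_part` lies in the cyclotomic subgroup of order $\phi_k(p)$, which is the input the second part of the exponentiation works on.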

Second part of the exponentiation
The second part of the exponentiation is the hard part. We use classical exponentiation methods like Lucas sequences [16] or sliding windows [40]. In [67], more elaborate methods are developed.
The Lucas sequence method costs a square and a multiplication in the intermediate field $\mathbb{F}_{p^{k/2}}$ for each bit of the exponent. The sliding window method has the advantage that the squares are computed in the cyclotomic subgroup, so we can use the method described in Section 4.3. The complexity of both methods is linear in the number of bits of the binary decomposition of the exponent; we recall here the complexity of the methods and refer for instance to the book [25] for more details. Let $b_r$ be the number of bits of $r$, the prime number dividing the cardinality of $E$, and $b_{p^k}$ the number of bits of $p^k$. The respective sizes of $b_r$, $b_{p^k}$, $r$ and $p^k$ are fixed by the security level we want to reach. We give them in Table 4. The number of positive integers smaller than $k$ and coprime to $k$ is $\varphi(k)$, the Euler totient function evaluated at $k$. The number $\varphi(k)$ is also the number of primitive $k$-th roots of unity; it is therefore the degree of the polynomial $\phi_k$. The exponent of the second part of the exponentiation is
The number of squares and multiplications involved in the computation of the exponentiation depends on
The number $\gamma$ is related to the security levels given in the
The complexity of the Lucas sequence method is [16]
The complexity of the sliding window method is [40] $C_{sw} = \log_2(e)$
where $e = \phi_k(p)/r$ and $n$ is the integer giving the size of the window in bits, generally $n = 4$.

Arithmetical optimisation
As the computation of pairings relies on arithmetic over finite fields, a way to improve the efficiency of pairing computation is to improve the arithmetic of finite fields and of their extensions.
The elliptic curves used in pairing based cryptography are constructed through the complex multiplication method. These construction methods do not allow one to fix the characteristic $p$ of the field $\mathbb{F}_p$; we can only choose the number of bits of $p$. As a consequence, the arithmetic of pairings is particular: we cannot choose $p$ with a special structure that would provide efficient arithmetic, such as a sparse decomposition or a Mersenne or pseudo-Mersenne prime.
A very nice overview of the construction of elliptic curves for pairing based cryptography is available in the work of Freeman, Scott and Teske [33].
We therefore begin this section with the presentation of efficient multiplications in finite fields and their extensions. We recall the different multiplication methods and provide a comparison of their efficiency in Sections 5.2, 5.3 and 5.4. In Section 5.5, we consider the representation of elements in a finite field. Indeed, in Section 5.1 we describe the classical representation of a finite field, which is used for the description of the multiplications. But it is possible to have original representations of finite fields, which can offer opportunities for improvement in pairing based cryptography. In Section 5.6 we consider how the choice of coordinates and of the equation of the elliptic curve can improve the efficiency of pairing computation.

Setting
We consider in this Section the cost of operations over F p k in number of operations over F p .We give the notations for the rest of the chapter.Let F p be a finite field field of prime characteristic p, with p of thousands digits.Let F p k be the extension of degree k of F p .The extension F p k is defined through an irreducible polynomial P(X ) of degree k.Let A and B be two elements of F p k .The elements of F p k are described in the basis B = (1, γ, γ 2 , . . . ,γ k−1 ), for γ a roots of P(X ) in F p k .An element of F p k is a polynomial in γ with coefficients in F p : A is represented by The product of A and B can be done in two steps.The first one is the the product of the polynomials, to obtain the polynomial C(X ) = A(X ) × B(X ) of degree (2k − 2).The second step is the polynomial reduction modulo P(X ).The cost of this reduction depends on the form of P(X ).The more P(X ) is sparse, the more the reduction is efficient.As a consequence, P(X ) should be as possible chosen of the form X k − β , with β ∈ F p [50].In this case, the polynomial reduction is reduced to multiplications by β and (k − 1) additions: with, C 0 (X ),C 1 (X ) of degree (k − 1).
The following theorem [50,Theorem 3.75] gives us a natural construction of the extension F p k using a sparse representation.
Theorem 5.1. Let k be an integer and F_{p^k} an extension of degree k of F_p, for p a prime number. There exists an element β of F_p which is not a k-th root in F_p and such that the polynomial X^k − β is irreducible over F_p.
Thus, we can consider that the complexity of a product in F_{p^k} depends mainly on the complexity of the product of two polynomials, neglecting the complexity of the modular reduction. We introduce below the possible multiplications of polynomials.

The school book method
As the name hints, the school book multiplication is the one we learned at school. The school book product of two polynomials is the following. This simple method is very expensive; indeed its complexity is quadratic in the degree of the polynomials. The cost of this method is k^2 multiplications in F_p plus k(2k − 1) additions, thus the complexity is k(2k − 1). The interpolation methods are an alternative to the school book method; they are efficient for k greater than a fixed value. This value depends on the method.

Interpolation method
Let A(X) and B(X) be the polynomials obtained by substitution (γ becomes X). The result C(X) of A(X) × B(X) is a polynomial of degree (2k − 1). It is known that a polynomial of degree m is determined by its images at (m + 1) distinct values.
Theorem 5.2. Let P(X) be a polynomial of degree m; then P(X) is determined by its images at (m + 1) distinct values.
The multiplications by the interpolation method rely on this theorem. The methodology is to find (2k − 1) images of the polynomial C(X) and then to reconstruct C(X) by interpolation. All multiplications by interpolation follow this scheme:
1. Find (2k − 1) distinct values in F_p, denoted α_0, α_1, ..., α_{2k−2}.
2. Compute the evaluations A(α_i) and B(α_i).
3. Compute the images C(α_i) = A(α_i) × B(α_i) in F_p.
4. Use these evaluations of C(X) to reconstruct by interpolation the polynomial C(X).
The complexity of a multiplication by interpolation depends
1. on the evaluation of the A(α_i), B(α_i),
2. on the multiplications in F_p of the A(α_i) by the B(α_i),
3. and on the reconstruction of the polynomial expression of C(X).
If we compare the interpolation method with the school book method, we substitute some multiplications in F_p by multiplications by constants in F_p. The constants are determined by the choice of the α_i values. The drawback is that the multiplication by interpolation needs more additions, but as an addition in F_p is less expensive than a multiplication, for some degrees k the interpolation methods are more efficient than the school book method.
Let M_a be the cost of a multiplication by the constant a in F_p. The evaluations at the α_i are executed using the Horner scheme. Two classical methods of interpolation exist, the Lagrange and the Newton interpolation methods.

Lagrange's interpolation method
We suppose that we have obtained the evaluations of the polynomials A(X) and B(X) at 2k − 1 points, denoted (α_0, α_1, ..., α_{2k−2}). We then have the images of C(X) = A(X) × B(X) at these 2k − 1 points. The reconstruction of the coefficients of C(X) using Lagrange's interpolation is done through the formula: The complexity of Lagrange's interpolation is

Newton's interpolation
As in Lagrange's interpolation, we have the C(α_i) and we want to find the coefficients of C(X). Newton's interpolation needs the construction of intermediate values c'_i.
The first step is the computation of these values c'_i.
The reconstruction of the coefficients of C(X) can then be done using Horner's scheme. The efficiency of the multiplication by interpolation depends on the choice of the α_i. Newton's interpolation involves divisions by the differences of the α_i; these elements can be precomputed once and for all, as the α_i are fixed. Furthermore, the divisions by (α_i − α_j) can be transformed into multiplications by the constants (α_i − α_j)^{−1}, as we work in a finite field.
The complexity of Newton's interpolation is the sum of the complexities of the computation of the C(α_i), of the c'_i and of the reconstruction of the coefficients of C(X). The complexity of Newton's interpolation is

Comparison between the two methods
The two methods involve the same number of multiplications in the base field F_p: (2k − 1), for polynomials of degree (k − 1). Lagrange's interpolation is very interesting when computations can be parallelised. Indeed, the (α_i − α_j) are independent. Newton's interpolation involves fewer additions and multiplications by constants than Lagrange's, but the computation cannot be parallelised: the c'_i must be computed one after another. Lagrange's interpolation should be preferred when computations can be parallelised, and Newton's when the size of the device is limited, typically for smart cards.
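The four-step scheme above, with Newton's interpolation for the reconstruction, as an added example that is not code from the chapter or from any of the cited works: the only genuine F_p multiplications are the 2k − 1 products C(α_i) = A(α_i)B(α_i), and the inverses (α_i − α_j)^{−1} are precomputed constants. The prime p = 101, the interpolation points α_i = 0, 1, ..., 2k − 2 and the coefficients are constructed toy values.

```python
# Added example (not from the chapter): product of two k-term polynomials over F_p
# by evaluation at 2k-1 points and Newton interpolation, counting the M_p used.
# p and the alpha_i are constructed choices; any 2k-1 distinct field elements work.

def horner_eval(coeffs, x, p):
    """Evaluate sum coeffs[i] * x^i at x in F_p (Horner scheme, low degree first)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc

def newton_mul(a, b, p, alphas=None):
    """Return (coefficients of a*b, number of M_p used) via Newton interpolation.
    a, b: coefficient lists of equal length k (degree k-1), coefficients in F_p."""
    k = len(a)
    n = 2 * k - 1                       # points needed for a degree-(2k-2) product
    if alphas is None:
        alphas = list(range(n))         # constructed choice of distinct points
    assert len(set(alphas)) == n and p > n
    # Steps 1-2: evaluations of A and B (additions and multiplications by constants only)
    ea = [horner_eval(a, x, p) for x in alphas]
    eb = [horner_eval(b, x, p) for x in alphas]
    # Step 3: the only genuine F_p multiplications: C(alpha_i) = A(alpha_i) * B(alpha_i)
    c_eval = [(x * y) % p for x, y in zip(ea, eb)]
    mults = n
    # Step 4a: Newton coefficients c'_i by divided differences.  The inverses of
    # (alpha_i - alpha_j) depend only on the fixed alphas, so they are constants.
    inv = {(i, j): pow((alphas[i] - alphas[j]) % p, p - 2, p)
           for i in range(n) for j in range(i)}
    table = list(c_eval)
    cprime = [table[0]]
    for level in range(1, n):
        for i in range(n - 1, level - 1, -1):
            table[i] = ((table[i] - table[i - 1]) * inv[(i, i - level)]) % p
        cprime.append(table[level])
    # Step 4b: Horner-style reconstruction of C(X) from the Newton form
    #   C(X) = c'_0 + (X - alpha_0)(c'_1 + (X - alpha_1)(c'_2 + ...))
    coeffs = [cprime[n - 1]]
    for i in range(n - 2, -1, -1):
        shifted = [0] + coeffs                                  # X * coeffs
        scaled = [(-alphas[i] * c) % p for c in coeffs] + [0]   # -alpha_i * coeffs
        coeffs = [(u + v) % p for u, v in zip(shifted, scaled)]
        coeffs[0] = (coeffs[0] + cprime[i]) % p
    return coeffs, mults

def schoolbook_mul(a, b, p):
    """Reference product: k^2 multiplications in F_p."""
    c = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            c[i + j] = (c[i + j] + x * y) % p
    return c
```

With k = 3 the function uses 5 multiplications, the count of a Toom Cook 3 product, and with k = 5 it uses the 9 multiplications of the 5-term method of [30].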

Karatsuba's method
The Karatsuba multiplication is a straightforward application of Newton's method to polynomials of degree 1. The result of the multiplication is a polynomial of degree 2, so we need 2 + 1 = 3 interpolation points. These values are {0, 1, ∞}. The Karatsuba multiplication provides the product of two polynomials of degree 1 in 3 multiplications in the base field, instead of 4 using the school book method. The multiplications by constants in the Newton interpolation are free, because of the choice of the interpolation values. Let A(X) = A_0 + A_1 X and B(X) = B_0 + B_1 X be two polynomials of degree 1 and C(X) = A(X) × B(X).
The evaluation of the polynomial C(X) at the 3 values involves 2A_p + 3M_p operations in the base field F_p.
Then, we use the formulas of the Newton interpolation to reconstruct the polynomial C(X).
We can summarise the computation of the polynomial C(X) using Karatsuba's multiplication by the following equation. For polynomials of degree 1, the complexity of Karatsuba's multiplication is 3M_p + 4A_p. Karatsuba's multiplication can be applied recursively to polynomials of degree greater than 1. Let A(X) = A_0 + A_1 X + ... + A_m X^m; we can split A(X) into two parts of degree at most m/2. Then we apply Karatsuba's multiplication to the two parts. Each of the three multiplications can also be done using Karatsuba's multiplication. The recursive application of Karatsuba's multiplication is the most efficient method for the product of polynomials whose degree is a power of 2. The asymptotic complexity of Karatsuba's multiplication is O(m^{log_2(3)}) multiplications and O(m) additions, with m being the degree of the polynomials we want to multiply.
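The recursive Karatsuba product, followed by the sparse reduction modulo X^k − β of the Setting section, as an added example that is not code from the chapter: it serves both the description of the reduction (multiplications by β plus (k − 1) additions) and the recursive Karatsuba scheme, and counts the base-field multiplications (3 for two terms, 9 for four terms). The prime p = 101, the constant β = 2 and the coefficients are constructed toy values.

```python
# Added example (not from the chapter): recursive Karatsuba product of two
# polynomials over F_p, counting base-field multiplications, followed by the
# sparse reduction modulo P(X) = X^k - beta that builds F_{p^k}.
# p, k and beta are constructed values, not parameters from the chapter.

def poly_add(a, b, p):
    n = max(len(a), len(b))
    a = a + [0] * (n - len(a)); b = b + [0] * (n - len(b))
    return [(x + y) % p for x, y in zip(a, b)]

def poly_sub(a, b, p):
    return poly_add(a, [(-x) % p for x in b], p)

def karatsuba(a, b, p, counter):
    """Product of equal-length coefficient lists (low degree first) over F_p.
    counter[0] accumulates the number of multiplications in F_p (M_p)."""
    n = len(a)
    if n == 1:                                   # base case: one M_p
        counter[0] += 1
        return [(a[0] * b[0]) % p]
    h = n // 2                                   # split A = A0 + X^h A1
    a0, a1, b0, b1 = a[:h], a[h:], b[:h], b[h:]
    # interpolation at {0, 1, infinity}: three half-size products instead of four
    c0 = karatsuba(a0, b0, p, counter)           # C(0)   = A0 B0
    c2 = karatsuba(a1, b1, p, counter)           # C(inf) = A1 B1
    c1 = karatsuba(poly_add(a0, a1, p), poly_add(b0, b1, p), p, counter)  # (A0+A1)(B0+B1)
    c1 = poly_sub(poly_sub(c1, c0, p), c2, p)    # middle block, additions only
    res = [0] * (2 * n - 1)
    for i, x in enumerate(c0): res[i] = (res[i] + x) % p
    for i, x in enumerate(c1): res[i + h] = (res[i + h] + x) % p
    for i, x in enumerate(c2): res[i + 2 * h] = (res[i + 2 * h] + x) % p
    return res

def reduce_sparse(c, k, beta, p):
    """Reduce C(X) of degree <= 2k-2 modulo X^k - beta: C = C0 + X^k C1 = C0 + beta*C1."""
    c0, c1 = c[:k], c[k:]
    out = c0 + [0] * (k - len(c0))
    for i, x in enumerate(c1):                   # (k-1) multiplications by the constant beta
        out[i] = (out[i] + beta * x) % p         # and (k-1) additions
    return out

def mul_fpk(a, b, k, beta, p):
    """Product in F_{p^k} = F_p[X]/(X^k - beta). Returns (coefficients, M_p count)."""
    counter = [0]
    return reduce_sparse(karatsuba(a, b, p, counter), k, beta, p), counter[0]
```

For p = 101, β = 2 is not a square, so X^2 − 2 and X^4 − 2 are irreducible and the two calls in the usage really are products in F_{101^2} and F_{101^4}.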
Which gives, for polynomials of degree 2, a complexity of Toom Cook 3 of 5M_p + 11CM_p + 11A_p. As for Karatsuba's method, the Toom Cook 3 method can be applied recursively. The asymptotic complexity of the Toom Cook 3 multiplication is O(m^{log_3(5)}) multiplications and O(m) additions, where m is the degree of the polynomials we want to multiply.

Extensions to other extensions
The Toom Cook 3 method can be extended to Toom Cook 5; this multiplication is suited to polynomials of degree 3. Few works deal with the multiplication of polynomials of degree greater than 3. For polynomials of degree 4, we can use Karatsuba's method. As a consequence, in pairing based cryptography, fields with an extension degree of the form 2^i 3^j are called pairing friendly, because we can use tower fields and, for each stage of the tower, the Karatsuba or Toom Cook 3 multiplication. However, in pairing based cryptography (and in cryptography in general) there are some cases where it is more interesting to use fields with extension degrees different from 2 and 3. We can cite the problem of compression (i.e. representing elements of a finite field subgroup with fewer bits than classical algorithms) for extension fields in terms of algebraic tori T_n(F_q) [63], or applications based on T_30(F_q), such as El Gamal encryption, El Gamal signatures and voting schemes in [69].
Let F_p be a finite field of characteristic greater than 5. For instance, for polynomials of degree 5, we can begin with Karatsuba's method and then use Karatsuba and Toom Cook 3 for each part. This construction gives an efficient multiplication for polynomials of degree 5, but not the most efficient one. For degree 5 extensions, Montgomery [58] has proposed a Karatsuba-like formula for 5-term polynomials performed using 13 base field multiplications. This work was improved by El Mrabet et al. in [30] using Newton's interpolation.
We recall here Montgomery's method for an extension of degree 5. The cost of these computations is 13M_q + 22A_q. Note that in order to recover the final expression of the polynomial of degree 8, we have to re-organize the 13 lines to find its coefficients. We denote the products on each of the 13 lines by u_i, 0 ≤ i ≤ 12 (i.e. u_12 = (a_0 + a )). By re-arranging the formula according to the degree of X, we obtain the following expression for C. Considering this expression, hidden additions must be taken into account. Once every simplification is done, the total complexity of Montgomery's method is 13M_p + 62A_p.
In [30], Newton's interpolation gives a better result for the multiplication of 5-term polynomials. The interpolation values are chosen so that, with these values, the evaluations of A and B are only composed of shifts and additions. Details are provided in [30]; the evaluations of A(X) and B(X) have a total complexity of 48A_p. The evaluation of C(X) at the α_i costs 9M_p. The computation of the c'_i is not straightforward. Indeed, a few divisions by 3, 5 and 7 appear in the formulas of Section 5.3.2. To avoid the computation of a division, which is an expensive operation over a finite field, they perform these divisions very efficiently using a trick on the binary decomposition of integers. The complexity for these divisions is smaller than 2A_p. The global complexity for the computation of the c'_i is then 64A_p. Finally, the reconstruction of the polynomial C(X) using Horner's scheme has a complexity of 28A_p. The total complexity of the multiplication of 5-term polynomials is 9M_q + 137A_q.
The comparison with Montgomery's result is not obvious, but the implementations in [30] show that the results are more efficient than Montgomery's.
In the two articles, the authors also give results for 6-term and 7-term polynomials.
The fact that we can compute the multiplication efficiently for extension degrees other than 2 and 3 gives the opportunity to consider pairing computation over elliptic curves with an embedding degree k different from 2^i 3^j, and can improve the implementation of pairings. But this work is still to be done.

Original representation of finite fields
In the previous section we considered efficient multiplications for a classical representation of finite fields and extensions of finite fields. But there are many ways to represent a finite field. In [22], the authors use an original representation of the finite field to provide a very efficient implementation of a pairing. This original representation is the Residue Number System (RNS) representation, and it was developed in [7,8]. The RNS representation relies on the Chinese remainder theorem. Let B = {m_1, ..., m_n} be a set of pairwise co-prime natural integers, M = ∏_{i=1}^{n} m_i and 0 ≤ X < M. There exists a unique representation X_B of X in the basis B, X_B = {X mod m_1, ..., X mod m_n} = {x_1, x_2, ..., x_n}. Given X_B, we can reconstruct X using the Chinese Remainder theorem. The RNS representation is obviously very interesting for parallel computations. An efficient multiplication in RNS representation is described in [7,8]. This multiplication is based on the Montgomery modular multiplication. In [22], the authors present two very efficient implementations of a pairing algorithm on an FPGA, in RNS representation. They implement the optimal Ate pairing at several security levels over Altera and Xilinx FPGAs. They compare their results with previous work and obtain very nice results.
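The RNS representation and its Chinese Remainder reconstruction, as an added example that is not code from the chapter or from [7,8,22]: each channel x_i = X mod m_i is handled independently, so an addition or a product of two RNS numbers is a set of small independent operations, and the result is read back with the CRT formula X = Σ x_i M_i (M_i^{−1} mod m_i) mod M, M_i = M/m_i. The base {7, 11, 13} and the operands are constructed toy values; the Montgomery-style RNS modular multiplication of [7,8] is not reproduced here.

```python
# Added example (not from the chapter): Residue Number System representation of
# integers on a constructed base B = {m_1, ..., m_n} of pairwise co-prime moduli,
# with channel-wise addition/multiplication and CRT reconstruction.
# The moduli used in the tests are constructed small values, not those of [7,8] or [22].
from math import gcd, prod

def check_base(base):
    """The representation is unique only if the moduli are pairwise co-prime."""
    return all(gcd(base[i], base[j]) == 1 for i in range(len(base)) for j in range(i))

def to_rns(x, base):
    """X_B = {X mod m_1, ..., X mod m_n}; requires 0 <= X < M = prod(base)."""
    assert 0 <= x < prod(base)
    return [x % m for m in base]

def from_rns(xs, base):
    """Chinese Remainder Theorem: X = sum x_i * M_i * (M_i^{-1} mod m_i) mod M, M_i = M/m_i."""
    M = prod(base)
    total = 0
    for x_i, m_i in zip(xs, base):
        M_i = M // m_i
        total += x_i * M_i * pow(M_i, -1, m_i)   # M_i^{-1} mod m_i exists since gcd(M_i, m_i) = 1
    return total % M

def rns_add(xs, ys, base):
    """Sum channel by channel: each channel is an independent small operation."""
    return [(x + y) % m for x, y, m in zip(xs, ys, base)]

def rns_mul(xs, ys, base):
    """Product channel by channel; the reconstructed value is X*Y mod M, which equals
    X*Y exactly only when X*Y < M.  The independence of the channels is what makes
    RNS attractive for parallel hardware such as FPGAs."""
    return [(x * y) % m for x, y, m in zip(xs, ys, base)]
```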

The arithmetic of Pairings
The complexity of the computation of a pairing depends on the finite field and the underlying arithmetic, but also on the model and the equation of the elliptic curve and on the choice of the coordinates. Usually, an elliptic curve is represented using the short Weierstrass equation, which is of the form E : y^2 = x^3 + ax + b, with a and b elements of the finite field F_p. In [20], Brier and Joye show that the value a can be chosen to be −3. This value contributes to improving the computation of pairings. But, even on a short Weierstrass equation, several cases exist: we can have b = 0, a = 0 with b a square or not, or simply any integer. For each option, the coordinates also have an influence on the efficiency of the computation of a pairing. The coordinates are usually chosen among affine, projective and Jacobian. Affine coordinates are often put aside. Indeed, the operations over the elliptic curve in affine coordinates involve inversions over finite fields. As inversion over a finite field is an expensive operation, one tries to avoid them as far as possible. To achieve this aim, projective or Jacobian coordinates are suitable. Several works study the efficiency of an implementation of pairings over some of these models of elliptic curves. Edwards elliptic curves were recently introduced in cryptography. In [32], Edwards demonstrates that every elliptic curve E defined over an algebraic number field is birationally equivalent over some extension of that field to a curve given by the equation: Edwards curves became interesting for elliptic curve cryptography when it was proven by Bernstein and Lange in [18] that they provide addition and doubling formulas faster than all addition formulas known at that time. The advantage of Edwards coordinates is that the addition law can be complete (i.e.
the formulas for adding or doubling two points are the same) and thus the exponentiation in Edwards coordinates is naturally protected against side channel attacks. Recently, Edwards elliptic curves were used to compute pairings [3,44]. In [46], the authors study the Huff model of an elliptic curve; they provide explicit formulae for fast doubling and addition and also for the Tate pairing computation.
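The point made above about coordinates, as an added example that is not code from the chapter: the same doubling on a short Weierstrass curve with a = −3, once in affine coordinates (one field inversion per doubling) and once in Jacobian coordinates, where no inversion is needed and a single inversion is paid only when converting back. The prime p = 101, the curve y^2 = x^3 − 3x + 6 and the point (1, 2) are constructed toy values; the Jacobian formulas are the standard a = −3 doubling formulas, not formulas taken from the chapter.

```python
# Added example (not from the chapter): doubling a point on y^2 = x^3 + a x + b over F_p
# with a = -3, in affine coordinates (one inversion per doubling) and in Jacobian
# coordinates (no inversion; one inversion only when converting back to affine).
# P, A, B and the base point are constructed toy values.

P = 101                  # constructed toy prime
A = (-3) % P             # a = -3, the choice of Brier and Joye [20]
B = 6                    # y^2 = x^3 - 3x + 6 over F_101; the point (1, 2) lies on it

def inv(x):
    """Field inversion by Fermat: the expensive operation we want to avoid."""
    return pow(x, P - 2, P)

def on_curve(pt):
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def affine_double(pt):
    """2P in affine coordinates: lambda = (3x^2 + a) / (2y) costs one inversion."""
    x, y = pt
    lam = (3 * x * x + A) * inv(2 * y) % P
    x3 = (lam * lam - 2 * x) % P
    y3 = (lam * (x - x3) - y) % P
    return x3, y3

def jacobian_double(X1, Y1, Z1):
    """2P in Jacobian coordinates (x = X/Z^2, y = Y/Z^3) for a = -3: no inversion."""
    delta = Z1 * Z1 % P
    gamma = Y1 * Y1 % P
    beta = X1 * gamma % P
    alpha = 3 * (X1 - delta) * (X1 + delta) % P        # 3X1^2 + a Z1^4 with a = -3
    X3 = (alpha * alpha - 8 * beta) % P
    Z3 = ((Y1 + Z1) ** 2 - gamma - delta) % P           # = 2 Y1 Z1, squaring instead of a product
    Y3 = (alpha * (4 * beta - X3) - 8 * gamma * gamma) % P
    return X3, Y3, Z3

def to_affine(X, Y, Z):
    """Back to affine coordinates: the single inversion of the whole computation."""
    zi = inv(Z)
    return X * zi * zi % P, Y * zi ** 3 % P

def double_both(pt):
    """Return (affine result, Jacobian result converted to affine); they must agree."""
    aff = affine_double(pt)
    jac = to_affine(*jacobian_double(pt[0], pt[1], 1))
    return aff, jac
```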
Another example is the work in [72], in which the authors consider the Selmer elliptic curves; they present formulae for doubling, addition and pairing computations. They compare their results to various elliptic curve models such as Weierstrass, Edwards and Hessian. There are many choices for the equation/model of the elliptic curve and for the coordinates; the website [17] regroups every new result on this subject. It is a very nice overview of this topic of research.

Conclusions
We presented the various pairings available for cryptographic use. As pairings are aimed to be implemented in smart cards, the efficiency of a pairing implementation is the subject of much research. We presented optimizations developed for the improvement of a pairing implementation. We introduced the twisted elliptic curve, which leads to the denominator elimination. We constructed the extension field F_{p^k} using tower fields and the method for an efficient multiplication over each step of the tower. We described efficient squaring methods combined with the cyclotomic subgroup. We also highlighted the fact that the choice of the model of the elliptic curve and the choice of the coordinates are important for an efficient implementation. We saw that representing the elements of the base field F_p with an original definition can lead to very efficient implementations. To conclude, the optimization of pairings is a very interesting point of research and many scientists work hard to find new optimizations. Further research can follow the presented optimizations and adapt them to the case of pairings over hyperelliptic curves, or find other points of optimization in the implementation.

Algorithm 1: Miller(P, Q, l).
By definition of the embedding degree k of the elliptic curve, (p^k − 1)/r is a multiple of p^{k/2} − 1 and f_2^{(p^k − 1)/r} = 1 by the following property.

Property 4.4. Let r be a prime divisor of #E(F_p) and E be an elliptic curve of embedding degree k relative to r. Then (p^k − 1)/r is a multiple of p^{k/2} − 1.

Example 4.10. Example of a possible tower field for k = 2^2 3^1.
(the equation of the line (PT))
Definition 2.1. The Weil pairing, denoted e_W, is defined by:

Table 1. Cost of the doubling step in Miller's algorithm: Sub_{p^k} + 8S_p + (12 + 4k)M_p + 2S_{p^k} + 2M_{p^k}.

Table 2. In order to illustrate the simplification of the computation with the use of a pairing, we compare two computations of the doubling step in Miller's algorithm. The Miller Lite execution is the computation of Miller's algorithm for the Tate pairing (Miller(P, Q)). The Miller Full execution is the computation of Miller(Q, P). Table 2 compares the cost of the doubling step in Miller Lite and Miller Full with and without the use of a twisted elliptic curve.
Cost of Miller Lite and Miller Full (doubling step), without and with a twisted elliptic curve:
Lite, without twist: Sub_{p^k} + 8S_p + (12 + 4k)M_p + 2S_{p^k} + 2M_{p^k}; with twist: 4S_p + (7 + k)M_p + S_{p^k} + M_{p^k}.
Full, without twist: 3kM_p + 10S_{p^k} + 14M_{p^k}; with twist: kM_p + 5S_{p^k} + 7M_{p^k}.

Table 3. Complexity of a square in F_{p^k} [41]. In the particular case where k = 6 and p ≡ 2 (mod 9), the cost of a square with the Lenstra and Stam method is less than 0.75 M_{p^k}, which is usually the ratio of a square compared to a multiplication.

Table 4. Security level.

Table 5. Complexity in number of operations over the base field.

Efficient Computation for Pairing Based Cryptography: A State of the Art. Theory and Practice of Cryptography and Network Security Protocols and Technologies, http://dx.doi.org/10.5772/56295