We describe here some algorithms which should not inuence the choice of the parameters but which are important for the eciency of pairing computation.
7.1 Frobenius computation
Let
be an arbitrary element ofFp12, wherebj∈Fp2, j= 0, . . . ,5 andγ6=ξ∈Fp2.
The Frobenius map, which consists in computing ap, can be easily written in
terms of a. In this section, we give a way to compute it eciently, as well as api fori= 1, . . . ,11.
7.1.1 Computation ofap
Since the Frobenius map is linear, we have
ap=bp0+bp1γp+bp2 γ2p+bp3 γ3p+bp4 γ4p+bp5 γ5p,
andbpj is just the conjugatebjofbj. Therefore, we only have to study the γj p
. For this, we dene the constant
δ=ξp−61 ∈Fp2,
so thatγp= (γ6)(p−1)/6γ=δγ and we have
ap=b0+b1δγ+b2δ2γ2+b3δ3γ3+b4δ4γ4+b5δ5γ5.
The constants δj are only depending on the way to build
Fp12, so they can
be precomputed. Finally, computingap requires 5M
2. If precomputing the δj
is a problem in terms of memory resources, they can of course all be recovered fromδusing only2S2+ 2M2. But in any case,δshould be precomputed since
it is very expensive to compute.
Let us nally note that some particular choices of µ and ξ allow to improve
this computation by using a precomputed constant in Fp instead of δ ∈ Fp2.
Some details for the most interesting cases are given in Section 7.1.4. 7.1.2 Computation ofap2 In this case ap2 =b0+b1γp 2 +b2 γ2 p2 +b3 γ3 p2 +b4 γ4 p2 +b5 γ5 p2 .
We need the new precomputed constant
ω=ξp
2−1
6 =N
Fp2/Fp(δ)∈Fp.
Then we haveγp2 = (γ6)(p2−1)/6γ=ωγ. Notice that ω is a primitive6th root of unity (becauseξis neither a square nor a cube inFp2). In particular, we have
ω2−ω+ 1 = 0. (4)
Then
ap2 =b0+b1ωγ+b2(ω−1)γ2−b3γ3−b4ωγ4−b5(ω−1)γ5,
and computingap2 requires one addition in
Fp to computeω−1(it can be pre-
computed but the interest is really limited) and 5 multiplications of an element ofFp2 by an element ofFp, thus the total cost is 10M1+A1.
7.1.3 Generalization to the computation of api
The results of the two previous sections can be generalized as follows : for
i= 1, . . . ,11, j = 0, . . . ,5, letci,j =ωjbi/2c. Notice that it is easy to deduce
from (4) thatci,j = 1 (resp. ω, ω−1, −1, −ω, −ω+ 1) ifjbi/2c= 0 mod 6
(resp. 1, 2,3,4,5). We nd that fori= 1, . . . ,11,
api =b0+b1ci,1δγ+b2ci,2δ2γ2+b3ci,3δ3γ3+b4ci,4δ4γ4+b5ci,5δ5γ5
ifiis odd, and
api=b0+b1ci,1γ+b2ci,2γ2+b3ci,3γ3+b4ci,4γ4+b5ci,5γ5
ifiis even.
As explained for i = 2, the ci,j can be easily deduced from ω, so that only
ω, δ and possibly the ci,jδj need to be precomputed. We also note that com-
putingap6 is for free, since it is nothing but the conjugation inFp12/Fp6.
7.1.4 Simplication of the constantδ for odd powers
For some particular choices of µ and ξ, the precomputed constants for odd
powers of the Frobenius map can be simplied.
The caseµ=−1 and ξ= 1 +i. We proved in Section 3.8 that in this case, u= 7 or11modulo 12, sopequals 7modulo12. Then
δ= (1 +i)p−61 = (1 +i)2 p−7 12 (1 +i) = (2i) p−7 12 (1 +i) =i p−7 12 (1 +i)2 p−7 12 ,
thus we only need to precomputed1= 2
p−7
12 ∈Fpinstead ofδ∈Fp2. Moreover,
in this case,δ=iδ so that ω=iδ2 and by (4), we getδ4= 1−iδ2.Finally, if
d2=−2d21 andd3=d1d2, it is easy to nd that
δ, δ2, δ3, δ4, δ5 = ξd1,id2, ξd3, d2+ 1, ξ(d1+d3) ifu= 11,19 mod 24, = −ξd1,id2,−ξd3, d2+ 1,−ξ(d1+d3) if u= 7,23 mod 24.
It is not necessary to precomputed2 andd3because their computation requires
onlyM1+S1+A01. Once they are computed, computingap requires 5 mul-
tiplications of an element ofFp by an element ofFp2, 2 additions (1 +d2 and
d1+d3) and 3 multiplications byξ or ξ. Finally, assuming that d1 is precom-
puted, computingap requires11M
1+S1+ 8A1+A01.
The case ξ = √µ. We assume that u is even (see Section 3.5.1), so p = 1 mod 12. We have
δ=√µp −1
6 =µp12−1 ∈Fp.
Therefore, multiplications by δ and its powers byFp2 elements cost 2M1 and
δ=δ so that ω =δ2 and by (4), δ4 =δ2−1 (and δ5 =δ3−δ). Finally, if δ
is precomputed, computingap requires11M
1+S1+ 2A1 (M1+S1+ 2A1 to
7.2 Cyclotomic squaring
As mentioned in Section 2.4, the nal exponentiation requires exponentiations in the subgroup GΦ6(p2) of F
∗
p12 of elements of order dividing Φ6(p2). Since
around3 log2usquarings are performed during the nal exponentiation, saving
few eld operations for each squaring leads to a signicant improvement. Given
a∈Fp12, the conditionaΦ6(p 2)
= 1combined with a description of the Frobenius action gives algebraic relations on the coordinates ofa(whereFp12 is seen as a
Fp2-vector space). Granger and Scott [26] proposed to exploit these relations to
simplify the expression ofa2.
Furthermore, these relations can be used to compress the representation ofain
such a way that the square ofacan be directly computed in its compressed form
(multiplications have to be performed on the non-compressed forms). In partic- ular, Karabina's method for compressed squaring [31, 2] costs3S2+10A2+m2,ξ
less than Granger and Scott's method (in most cases). On the other hand, the decompression step is relatively expensive and requires an inversion inFp2. The
number of decompressions required for an exponentiation is at most the Ham- ming weight of the exponent, which is assumed to be small in our situation (see Sections 2.4 and 4), and moreover, Montgomery's simultaneous inversion trick [41] can be used (we refer to [2] for more details). Therefore, ifFp2 inversions
are available (at a reasonable cost), Karabina's method should be used for nal exponentiation, otherwise, Granger and Scott's method should be chosen. 7.2.1 Karabina's method
This method is due to Karabina [31] and was slightly improved in [2]. Let
a = b0 +b1γ +b2γ2+b3γ3 +b4γ4 +b5γ5 ∈ GΦ6(p2)\ {1}, with bj ∈ Fp2.
The compressed representation of a is [b1, b2, b4, b5]. The full representation
(decompression) ofais obtained via the formulae b3= b25ξ+ 3b22−2b4 4b1 , b0= (2b23+b1b5−3b4b2)ξ+ 1, ifb16= 0, b3= 2b2b5 b4 , b0= (2b23−3b4b2)ξ+ 1, ifb1= 0,
for a cost ofI2+2M2+3S2+4A02+6A2+2m2,ξ+A1(orI2+2M2+S2+2A02+
2A2+m2,ξ+A1 ifb1= 0). The compressed representation [B1, B2, B4, B5]of
a2can be computed using the formulae
B1= 2b1+ 3(S2,5−S2−S5)ξ B4= 3(S2+S5ξ)−2b4
B2= 3(S1+S4ξ)−2b2 B5= 2b5+ 3(S1,4−S1−S4),
whereSi,j= (bi+bj)2 andSi=bi2, for a cost of6S2+ 4A02+ 16A2+ 3m2,ξ.
7.2.2 Granger and Scott's method
This method is due to Granger and Scott [26]. They worked with a tower2,2,3 but their results can be easily adapted to a tower 2,3,2, either by using the
same technique and the formulae from Section 7.1, or simply by expanding the formulae for a tower2,2,3.
Case 2,2,3. With the notations of Section 3.7, let a = c0+c1γ+c2γ2 ∈
Fp12 =Fp2[γ], where c0, c1, c2∈Fp4 and write
a2=C0+C1γ+C2γ2,
where C0, C1, C2 ∈ Fp4. Ifa ∈ GΦ6(p2), then we have the following formulae,
given in [26]
C0 = 3c20−2c0
C1 = 3βc22+ 2c1
C2 = 3c21−2c2,
whereu+vβ=u−vβ, foru, v∈Fp2. Therefore, the square ofa∈GΦ6(p2)can
be computed for a cost of3S4+ 3A04+ 6A4+m4,β (using that an expression
of the form3u+ 2v = 2(u+v) +ucan be computed with one doubling and2 additions).
Case 2,3,2. With the notations of Section 3.6, leta = (b0+b2β+b4β2) +
(b1+b3β+b5β2)γ∈Fp2[γ], wherebi∈Fp2,i= 0, . . . ,5, and write
a2= (B0+B2β+B4β2) + (B1+B3β+B5β2)γ
whereBi∈Fp2,i= 0, . . . ,5. Ifa∈GΦ6(p2), then we have
B0 = 3(b23ξ+b 2 0)−2b0 B2 = 3(b24ξ+b21)−2b2 B4 = 3(b25ξ+b 2 2)−2b4 B1 = 3ξ((b2+b5)2−b22−b 2 5)) + 2b1 B3 = 3((b0+b3)2−b20−b 2 3)) + 2b3 B5 = 3((b4+b1)2−b24−b 2 1)) + 2b5.
We nd that the square of a ∈ GΦ6(p2) can be computed for a cost of 9S2+
6A02+ 24A2+ 4m2,ξ.
Remark 11. According to Table 3,S4= 3S2+m2,ξ+ 4A2in the most common
case and then it is easy to verify that the cost of squaring in the case2,2,3 is exactly the same as in the case2,3,2