In this section, we give the formulas for adding and doubling points on BN curves (with the line computation) and their complexities in the ane and the projective cases (it is now well known that Jacobian coordinates are always less ecient than projective coordinates for pairing computations [18]). This allows to determine which system of coordinates should be chosen, depending on the context. Assuming the previous choices, the two operations involved in the Miller loop are
The doubling step. In this step, we have to - double a temporary pointT = xTγ2, yTγ3
∈E Fp12
withxT, yT ∈Fp2,
- compute the tangent line toE atT,
- evaluate it atP = (xP, yP)∈E(Fp).
The addition step In this step, we have to - addQ= xQγ2, yQγ3 and T = xTγ2, yTγ3 in E Fp12withxQ, yQ, xT, yT ∈ Fp2,
- compute the line passing throughT andQ,
- evaluate it atP = (xP, yP)∈E(Fp).
6.1 Ane coordinates
The slope of the line passing through T and Q (or the tangent line at T if T =Q) isλγ, with λ= yT −yQ xT −xQ or λ=3x 2 T 2yT .
ThenT+Q(or2T) can be written in the form xT+Qγ2, yT+Qγ3
with
xT+Q =λ2−xT−xQ and yT+Q=λ(xT−xT+Q)−yT.
The equation of the line involved in the operation isy=λγ x−xTγ2
−yTγ3,
thus theFp12 element involved in the update off in Algorithm 1 is
`=yP −λxPγ+ (λxT −yT)γ3.
Assuming that −xP is precomputed, the cost of the addition step (including
the line computation) is thenI2+ 3M2+S2+ 2M1+ 7A2 and the cost of the
doubling step isI2+ 3M2+ 2S2+ 2M1+ 5A2+ 2A02.
Remark 9. Since λ is used three times in Fp2 operations (λ2, λ(xT −xT+Q)
and λxT), 2A1 can be saved using our idea of precomputing its trace if the
Karatsuba/complex methods are used forFp2 arithmetic. In the same way,xT
is used twice in the doubling step so that an additionalA1 can be saved in this
case.
6.2 Projective coordinates
In order to avoid inversions inFp2, projective coordinates are used for the point
T, so that T = XTγ2, YTγ3, ZT with
point Q is kept in ane coordinates (mixed addition method). According to [18],2T = X2Tγ2, Y2Tγ3, Z2T with X2T = 2XTYT(YT2−9bZ 2 T) Y2T = YT2+ 9bZ 2 T 2 −12(3bZT2)2 Z2T = 8YT3ZT
and the equation of the tangent to the curve at T is (up to some subeld
multiple)
`= 2yPYTZT −3xPXT2γ+ YT2−3bZT2
γ3.
Assuming that−3xP is precomputed, the doubling step (including the line com-
putation) then requires 2M2+ 7S2+ 4M1+ 13A2+ 5A02+ 2m1,b. In order
to obtain this complexity, the double products like 2XTYT are computed by
(XT +YT)2−XT2 −YT2. This trick is not always interesting over Fp (e.g. if
M1 = S1) but it is always interesting over Fp2 because S2 is clearly cheaper
thanM2 according to Section 3.5.
In the same way, if
N = YT −yQZT,
D = XT−xQZT (so thatλ=ND),
X = N2ZT−XTD2−xQD2ZT,
we compute the addition step with
XT+Q = DX
YT+Q = N(xQD2ZT −X)−yQD3ZT
ZT+Q = D3ZT
` = yPD−N xPγ+ (N xQ−DyQ)γ3.
Assuming that−xP is precomputed, this requires12M2+ 2S2+ 4M1+ 7A2.
Remark 10. Again, manyFp2 operands are used several times during the com-
putation, so that precomputing the traces saves additions inFp. We do not give
details here because the addition step is rarely used in the Miller loop but it is not dicult to see that16A1 can be saved if Karatsuba/complex arithmetic is
used forFp2 arithmetic.
6.3 Consequences of formulas
Several remarks can be made looking at these formulas.
The rst one is that the inuence ofb is small since it is just involved in two
multiplications byFpelements. Hence a sparseuor a value ofuenabling a nice
available.
The second one is that, as mentioned in Sections 3.6 and 3.7, the line ` is
of the formb0+b1γ+b3γ3withbi∈Fp2, thus it is sparse inFp12 and a multi-
plication by`is faster than a full multiplication inFp12.
The third one is that, as already mentioned in [34, 1, 35, 27], it can be better to use ane coordinates than projective coordinates, depending on the context. Indeed, using the complexity formula forI2 given in Section 3.2.4 and the com-
plexities obtained for the doubling step in ane and projective coordinates, it is easy to verify that ane coordinates become interesting for this step (and then for the full Miller loop) as soon as
I1<5S2−M2−2S1+ 15A1+ 6A01+ 2m1,b−m1,µ.
For example, in the caseµ=−1,A1≤0.33M1, Tables 1 and 2 show that ane
coordinates are interesting as soon as
I1<7M1−2S1+ 20A1+ 11A01+ 2m1,b. (3)
Depending on the way to implementFp inversion, this inequality may hold in
practice, especially ifFp addition are not negligible. In Table 15, we give the
maximum cost ofI1 for which ane coordinates should be chosen, depending
on the context. To make the results more readable, we assumed that S1 =
M1,A1 = A01 and b = 2 (which is the least advantageous value for ane
coordinates). In any case, the non-simplied result is very similar to (3).
µ Use ane coordinates if
−1 I1<5M1+ 33A1
−2 I1<5M1+ 41A1
−5 I1<5M1+ 42A1
any I1<13M1+ 28A1
Table 15: Ane coordinates versus projective ones