On the Final Exponentiation in Tate Pairing Computations

Abstract

The Tate pairing computation consists of two parts: Miller step and final exponentiation step. In this paper, we investigate the structure of the final exponentiation step. Consider an order r subgroup of an elliptic curve defined over Fq with embedding degree k. The final exponentiation in the Tate pairing is an exponentiation of an element in Fqk by (qk-1)/r . The hardest part of this computation is to raise to the power λ:=Φk(q)/r, where Φk(·) denotes the kth cyclotomic polynomial. Write it as λ = λ0+λ1q+⋯+λφ(k)-1qφ(k)-1 in the q -ary representation. The final exponentiation cost mostly depends on κ(λ), the size of the maximum of |λi|. In many parameterized pairing-friendly curves, the value κ is about (1-1/ρφ(k))log2q where ρ = log2q/log2r, while random curves will have κ ≈ log2q. We investigate how this small κ is obtained for parameterized pairing-friendly elliptic curves, and show that (1-1/ρφ(k))log2q is the lower bound for all known construction methods of parameterized pairing-friendly curves. In the second part of our paper, we propose a method to obtain a modified Tate pairing with small κ for any pairing-friendly elliptic curves including those not belonging to parameterized families. More precisely, our method finds an integer m using the lattice basis reduction such that κ(mλ)=(1-1/ρφ(k))log2q. Using this modified Tate pairing, we can reduce the number of squarings in the final exponentiation by a factor of (1-1/ρφ(k)) from the usual Tate pairing. We apply our method to several known pairing-friendly curves to verify the expected speedup.