The Pairing Computation on Edwards Curves

We propose an elaborate geometry approach to explain the group law on twisted Edwards curves which are seen as the intersection of quadric surfaces in place. Using the geometric interpretation of the group law, we obtain the Miller function for Tate pairing computation on twisted Edwards curves.Thenwe present the explicit formulae for pairing computation on twisted Edwards curves. Our formulae for the doubling step are a little faster than that proposed by Arène et al. Finally, to improve the efficiency of pairing computation, we present twists of degrees 4 and 6 on twisted Edwards curves.


Introduction
Pairing-based cryptography has been one of the most active areas in elliptic curve cryptography since 2000.Some details on this subject can be found in [1,2].How to compute pairings efficiently is a bottleneck for implementing pairing-based cryptography.The most efficient method of computing pairings is Miller's algorithm [3].Consequently, various improvements were presented in [4][5][6][7][8].One way to improve the efficiency is to find other models of elliptic curves which can provide more efficient algorithms for pairing computation.Edwards curves were one of the popular models.Edwards curve was discovered by Edwards [9] and was applied in cryptography by Bernstein and Lange [10].Then twisted Edwards curves which are the generalization of Edwards curves were introduced by Bernstein et al. in [11].Bernstein and Lange also pointed out several advantages of applying the Edwards curves to cryptography.Pairing computation over Edwards curves was first considered in [12,13].In 2009, Arène et al. [4] gave the geometric interpretation of the group law and presented explicit formulae for computing the Tate pairing on twisted Edwards curves.Their formulae are faster than all previously proposed formulas for pairings computation on twisted Edwards curves.Their formulae are even competitive with all published formulae for pairing computation on Weierstrass curves.In particular, if a pairing-friendly curve used in a pairing-based protocol is isomorphic or isogenous to an Edwards curve, all the scalar multiplication appearing in the protocol can be computed efficiently [14].
Any elliptic curve defined over a field  with characteristic different from 2 is birationally equivalent to an Edwards curve over some extension of , that is, a curve given by  2 +  2 = 1 +  2  2 with  ∉ {0, 1}.In fact, the twisted Edwards curves can be seen as the intersection of two quadratic surfaces in space.That is to say, the twisted Edwards curves can be given by  , :  2 +  2 −  2 −  2 = 0, − = 0.For general elliptic curves given by intersection of two quadratic surfaces, the geometric interpretation of group law had been discussed by Merriman et al. in [15].In this paper, we proposed a more detailed geometry approach to explain the group law for the case of twisted Edwards curves which are seen as the intersection of two quadratic surfaces.Using the geometric interpretation of the group law, we obtain the Miller function of Tate pairing computation on twisted Edwards curves.Then we present the explicit formulae for pairing computation on twisted Edwards curves.The doubling step of our formulae is a little faster than that in [4].Finally, to reduce the cost of evaluating the Miller function on twisted Edwards curve, we employ quadratic, quartic, or sextic twists to the formulae of the Tate pairing computation.The high twists had been sufficiently studied by Costello et al. [16] on Weierstrass curves.As the result given by [17], one elliptic curve and its quartic/sextic twist can not have a rational twisted Edwards model at the same time, so we turn to Weierstrass curves for the high-degree twists of twisted Edwards curves.These twists enable us to reduce the cost of substituting to a half and a third, respectively, in  = 1728 case and  = 0 case.
The remainder of the paper is organized as follows.In Section 2, we provide some backgrounds and notations used in this paper.In Section 3, we give a geometry approach to explain the group law on twisted Edwards curves.In Section 4, we present pairing computation on twisted Edwards curves.In Section 5, we employ quartic and sextic twists to the formulae of the Tate pairing computation.In Section 6, we conclude our paper.

Preliminaries
2.1.Tate Pairing.Let  > 3 be a prime, and let F  be a finite field with  =   . is an elliptic curve defined over F  with neutral element denoted by . is a prime such that  | #(F  ).Let  > 1 denote the embedding degree with respect to ; that is,  is the smallest positive integer such that  |   − 1.For any point  ∈ (F  )[], there exists a rational function   defined over F  such that div(  ) = () − (), which is unique up to a nonzero scalar multiple.The group of th roots of unity in F   is denoted by   .The reduced Tate pairing is then defined as follows: The rational function   can be computed in polynomial time by using Miller's algorithm [3].Let  = ( −1 , . . ., where ,  are distinct nonzero elements of F  .The projective closure of  , in P 2 is This curve consists of the points (, ) on the affine curve  , , embedded as usual into P 2 by (, )  → ( :  : 1), and extra points at infinity, that is, points when  = 0.There are exactly two such points, namely, Ω 1 = (1 : 0 : 0) and Ω 2 = (0 : 1 : 0).These points are singular.
We use m and s to denote the costs of multiplication and squaring in the base field F  , while M and S denote the costs of multiplication and squaring in the extension F   .

Geometric Interpretation of the Group Law on Twisted Edwards Curves
The aim of this section is to give the elaborate geometric interpretation of the group law on twisted Edwards curves which are seen as the intersection of two quadric surfaces in space.We consider projective planes which are given by homogeneous projective equations Π = 0.In this paper, we still use the symbol Π to denote projective planes.In fact, any plane Π intersects  , at exactly four points.Although these planes are not functions on  , , their divisors can be well defined as where   is the intersection multiplicity of Π and  , at .Then the quotient of two projective planes is a well-defined function which gives principal divisor.As we will see, this divisor leads to the geometric interpretation of the group law.When saying plane Π passes three points  1 ,  2 , and  3 (not necessary distinct), we means that Π exactly satisfies div(Π) ≥ ( 1 ) + ( 2 ) + ( 3 ).In fact, by Riemann-Roch theorem or by explicit discussion on multiplicity, one can prove that there exists a unique plane which satisfies the above inequality.So we may denote this plane by Π  1 , 2 , 3 from now on.

Group Law over the Twisted Edwards Curves.
Abel-Jacobi theorem connects the group law with principal divisor.And we can get the lemma below.
By this lemma, we can easily construct planes to give the group law.The fourth intersection of Π  1 ,,  and the curve is − 1 , that is, the negative point of  1 .The fourth intersection of Π  1 , 2 ,  and the curve is − 1 −  2 , and its negative point gives  1 +  2 .Actually, this geometric interpretation is parallel with the tangent and chord law for the cubic plane curves.
The neutral element we chose here is the same with that of [11], so we can claim that our explicit formulae for negative point, point addition, and point doubling are equivalent with which of [11].

Pairing Computation
In this section, we analysis steps in Miller's algorithm explicitly.For an addition step or doubling step, as is shown in Algorithm 1, each addition or doubling step consists of three parts: computing the point  +  or 2 and the function  , or  , , evaluating  , or  , at , and then updating the variable  by  ←  ⋅  , () or by  ←  2 ⋅  , ().
The updating part, as operation in F   , costs 1M for addition step and 1M + 1S for doubling step.It is usually the main cost but with little room for optimization in one step.For the evaluating part, some standard methods such as denominator elimination and subfield simplification can be used, as we introduce below.
We assume that embedding degree  is even.Let  be a generator of F   over F  /2 with  2 ∈ F  /2 .Suppose that   = ( 0 :  0 :  0 :  0 ) ∈   −2 , −2 (F  /2 ); we can see that  = ( 0 :  0 :  0 :  0 ) ∈  , (F   ).If  3 =  1 +  2 ̸ = ,   , for evaluation of   1 , 2 (), we have where  =  0 /( 0 +  0 ) and  =  0 /( 0 +  0 ).Note that ,  ∈ F  /2 and they are fixed during the whole computation, so they can be precomputed.The coefficients   ,   , and   are in F  ; thus the evaluation at  given the coefficients of the plane can be computed in m (multiplications by  and  need (/2)m each).The computation of the coordinates of points and the coefficients of planes, as a part of much variety, is discussed, respectively, for addition and doubling step as follows.

Addition Steps.
Let  1 =  and  2 =  be distinct points with  1  2 ̸ = 0.By variant of formulae of ( 6) and ( 12), the explicit formulas for computing  3 =  +  and   ,   , and   are given as follows: With these formulas,  +  and   ,   , and   can be computed in 14m+1m c , where 1m c is constant multiplication by .For a mixed addition step, in which the base point  is chosen to have  2 = 1, the costs reduce to 12m + 1m c .Therefore, the total costs of an addition step are 1M+m+ 14m+1m c , while a mixed addition step costs 1M+m+12m+ 1m c .
So total costs of our formulae for a doubling step are 1M+ 1S + m + 4m + 7s + 2m c , while the total costs of the formulae for the doubling step proposed in [4] are 1M+1S+m+6m+ 5s + 2m c , where 2m c are both constant multiplication by .

High-Degree Twists
Let  | , an elliptic curve   over F  / is called a twist of degree  of /F  / if there is an isomorphism  :   →  defined over F   , and this is the smallest extension of F  / over which  is defined.Depending on the -invariant () of , there exist twists of degree at most 6, since char(F  ) > 3.
Pairing friendly curves with twists of degree higher than 2 arise from constructions with -invariants () = 0 and () = 1728.(21) Proof.Firstly, we prove that  is well defined; that is, (, V) ∈  ,− .Note that We have Then Moreover, it can be easily checked that  is invertible and satisfies () = ; that is,  is an isomorphism.Besides, the minimal field that  can be defined over is F   which has degree 4 over F  /4 .Hence, the twist degree is 4.
The high twist not only reduces the cost of evaluating () but also the cost of updating , which is the main multiplication in Miller's algorithm as a multiplication in F   .Consider F   as an F  /4 -vector space with bases 1, ,  2 , and  3 .Then an arbitrary element  ∈ F   can be denoted as And the reduced value of () we have gotten above can be denoted as  =  0 +  2  2 +  3  3 , where  3 ∈ F  and  0 ,  2 ∈ F  /4 .When using the Schoolbook method, multiplying  by  costs 4⋅(/4)m for computing   ⋅ 3 ,  = 0, 1, 2, 3 and costs 8(/4) 2 m for   ⋅  0 and   ⋅  2 .The total cost ( 2 /2 + )m equals to ((1/2) + (1/))M, considering that a general multiplication in F   costs M =  2 m.Namely, the quartic twist may reduce the cost of the main multiplication in Miller's algorithm to ((1/2) + (1/))M.
Table 1 shows the concrete comparison for doubling step (DBL), mixed addition step (mADD), and addition step (ADD).

Conclusion
In this paper, we propose an elaborate geometry approach to explain the group law on Edwards curves which are seen as the intersection of two quadric surfaces in space.Using the geometric interpretation of the group law, we obtain the Miller function of Tate pairing computation on twisted Edwards curves.Then we present the explicit formulae for pairing computation on twisted Edwards curves.The doubling step of our formulae is a little faster than that in [4].Finally, to improve the efficiency, we present quartic and sextic twists on twisted Edwards curves.By using high twists, the costs of substituting in  = 1728 case and  = 0 case can be reduced to a half and a third, respectively.Above all, it is interesting to consider more efficient formulae for pairing computation on twist Edwards curves.