Abstract
In this paper, we propose a new method for constructing a bilinear pairing over (hyper)elliptic curves, which we call the R-ate pairing. This pairing is a generalization of the Ate and Atei pairing, and can be computed more efficiently. Using the R-ate pairing, the loop length in Miller's algorithm can be as small as (r1/φ(κ)) for some pairing-friendly elliptic curves which have not reached this lower bound. Therefore, we obtain savings of between 29% and 69% in overall costs compared to the Ate pairing. On supersingular hyperelliptic curves of genus 2, we show that this approach makes the loop length in Miller's algorithm shorter than that of the Ate pairing.
| Original language | English |
|---|---|
| Pages (from-to) | 1793-1803 |
| Number of pages | 11 |
| Journal | IEEE Transactions on Information Theory |
| Volume | 55 |
| Issue number | 4 |
| DOIs | |
| State | Published - 2009 |
Bibliographical note
Funding Information:Manuscript received January 07, 2008; revised January 30, 2008. Current version published March 18, 2009. The work of E. Lee and H.-S. Lee was supported in part by KOSEF under Grant R01-2005-000-10713-0. The work of C.-M. Park was supported by BK 21. E. Lee is with the Department of Mathematics, North Carolina State University, Raleigh, NC 27695-8205 USA (e-mail: [email protected]). H.-S. Lee and C.-M. Park are with the Department of Mathematics, Ewha Womans University, 11-1 Daehyun-dong, Seodaemun-gu, Seoul 120-750, Korea (e-mail: [email protected]; [email protected]). Communicated by A. Canteaut, Associate Editor for Complexity and Cryptography. Digital Object Identifier 10.1109/TIT.2009.2013048
Keywords
- Ate pairing
- Elliptic curves
- Hyperelliptic curves
- Pairing based cryptography
- Tate pairing