This paper presents implementation techniques of fast Ate pairing of embedding degree 12. In this case, we have no trouble in finding a prime order pairing friendly curve E such as the Barreto-Naehrig curve y2=x3+a, a∈Fp. For the curve, an isomorphic substitution from G2 ⊂ E(Fp12 into G'2 in subfield-twisted elliptic curve E'(Fp2) speeds up scalar multiplications over G2 and wipes out denominator calculations in Miller's algorithm. This paper mainly provides about 30% improvement of the Miller's algorithm calculation using proper subfield arithmetic operations. Moreover, we also provide the efficient parameter settings of the BN curves. When p is a 254-bit prime, the embedding degree is 12, and the processor is Pentium4 (3.6 GHz), it is shown that the proposed algorithm computes Ate pairing in 13.3 milli-seconds including final exponentiation.

For ID-based cryptography, not only pairing but also scalar multiplication must be efficiently computable. In this paper, we propose a scalar multiplication method on the circumstances that we work at Ate pairing with Barreto-Naehrig (BN) curve. Note that the parameters of BN curve are given by a certain integer, namely mother parameter. Adhering the authors' previous policy that we execute scalar multiplication on subfield-twisted curve (Fp2) instead of doing on the original curve E(Fp12), we at first show sextic twisted subfield Frobenius mapping (ST-SFM) in (Fp2). On BN curves, note is identified with the scalar multiplication by p. However a scalar is always smaller than the order r of BN curve for Ate pairing, so ST-SFM does not directly applicable to the above circumstances. We then exploit the expressions of the curve order r and the characteristic p by the mother parameter to derive some radices such that they are expressed as a polynomial of p. Thus, a scalar multiplication [s] can be written by the series of ST-SFMs . In combination with the binary method or multi-exponentiation technique, this paper shows that the proposed method runs about twice or more faster than plain binary method.

It is said that the lower bound of the number of iterations of Miller's algorithm for pairing calculation is log 2r/(k), where () is the Euler's function, r is the group order, and k is the embedding degree. Ate pairing reduced the number of the loops of Miller's algorithm of Tate pairing from ⌊log 2r⌋ to ⌊ log 2(t-1)⌋, where t is the Frobenius trace. Recently, it is known to systematically prepare a pairing-friendly elliptic curve whose parameters are given by a polynomial of integer variable "χ." For such a curve, this paper gives integer variable χ-based Ate (Xate) pairing that achieves the lower bound. In the case of the well-known Barreto-Naehrig pairing-friendly curve, it reduces the number of loops to ⌊log 2χ⌋. Then, this paper optimizes Xate pairing for Barreto-Naehrig curve and shows its efficiency based on some simulation results.