Refinements of Miller's Algorithm over Weierstrass Curves Revisited

In 1986 Victor Miller described an algorithm for computing the Weil pairing in his unpublished manuscript. This algorithm has then become the core of all pairing-based cryptosystems. Many improvements of the algorithm have been presented. Most of them involve a choice of elliptic curves of a \emph{special} forms to exploit a possible twist during Tate pairing computation. Other improvements involve a reduction of the number of iterations in the Miller's algorithm. For the generic case, Blake, Murty and Xu proposed three refinements to Miller's algorithm over Weierstrass curves. Though their refinements which only reduce the total number of vertical lines in Miller's algorithm, did not give an efficient computation as other optimizations, but they can be applied for computing \emph{both} of Weil and Tate pairings on \emph{all} pairing-friendly elliptic curves. In this paper we extend the Blake-Murty-Xu's method and show how to perform an elimination of all vertical lines in Miller's algorithm during Weil/Tate pairings computation on \emph{general} elliptic curves. Experimental results show that our algorithm is faster about 25% in comparison with the original Miller's algorithm.Comment: 17 page

Faster computation of the Tate pairing

This paper proposes new explicit formulas for the doubling and addition step in Miller's algorithm to compute the Tate pairing. For Edwards curves the formulas come from a new way of seeing the arithmetic. We state the first geometric interpretation of the group law on Edwards curves by presenting the functions which arise in the addition and doubling. Computing the coefficients of the functions and the sum or double of the points is faster than with all previously proposed formulas for pairings on Edwards curves. They are even competitive with all published formulas for pairing computation on Weierstrass curves. We also speed up pairing computation on Weierstrass curves in Jacobian coordinates. Finally, we present several examples of pairing-friendly Edwards curves.Comment: 15 pages, 2 figures. Final version accepted for publication in Journal of Number Theor

Computing local p-adic height pairings on hyperelliptic curves

We describe an algorithm to compute the local component at p of the Coleman-Gross p-adic height pairing on divisors on hyperelliptic curves. As the height pairing is given in terms of a Coleman integral, we also provide new techniques to evaluate Coleman integrals of meromorphic differentials and present our algorithms as implemented in Sage

Coleman-Gross height pairings and the pp-adic sigma function

We give a direct proof that the Mazur-Tate and Coleman-Gross heights on elliptic curves coincide. The main ingredient is to extend the Coleman-Gross height to the case of divisors with non-disjoint support and, doing some $p$-adic analysis, show that, in particular, its component above $p$ gives, in the special case of an ordinary elliptic curve, the $p$-adic sigma function. We use this result to give a short proof of a theorem of Kim characterizing integral points on elliptic curves in some cases under weaker assumptions. As a further application, we give new formulas to compute double Coleman integrals from tangential basepoints.Comment: AMS-LaTeX 17 page

Computing p-adic heights on hyperelliptic curves

We describe an algorithm to compute the local Coleman-Gross p-adic height at p on a hyperelliptic curve. Previously, this was only possible using an algorithm due to Balakrishnan and Besser, which was limited to odd degree. While we follow their general strategy, our algorithm is significantly faster and simpler and works for both odd and even degree. We discuss a precision analysis and an implementation in SageMath. Our work has several applications, also discussed in this article. These include various versions of the quadratic Chabauty method, and numerical evidence for a p-adic version of the conjecture of Birch and Swinnerton-Dyer in cases where this was not previously possible

Optimal TNFS-secure pairings on elliptic curves with composite embedding degree

In this paper we present a comprehensive comparison between pairing-friendly elliptic curves, considering di erent curve forms and twists where possible. We de ne an additional measure of the e- ciency of a parametrized pairing-friendly family that takes into account the number eld sieve (NFS) attacks (unlike the -value). This measure includes an approximation of the security of the discrete logarithm problem in F pk , computed via the method of Barbulescu and Duquesne [4]. We compute the security of the families presented by Fotiadis and Konstantinou in [14], compute some new families, and compare the eciency of both of these with the (adjusted) BLS, KSS, and BN families, and with the new families of [20]. Finally, we recommend pairing-friendly elliptic curves for security levels 128 and 192

Computing p-adic heights on hyperelliptic curves

We describe an algorithm to compute the local Coleman-Gross p-adic height at p on a hyperelliptic curve. Previously, this was only possible using an algorithm due to Balakrishnan and Besser, which was limited to odd degree. While we follow their general strategy, our algorithm is significantly faster and simpler and works for both odd and even degree. We discuss a precision analysis and an implementation in SageMath. Our work has several applications, also discussed in this article. These include various versions of the quadratic Chabauty method, and numerical evidence for a p-adic version of the conjecture of Birch and Swinnerton-Dyer in cases where this was not previously possible.Comment: 24 page