Scalar Multiplication on Pairing Friendly Elliptic Curves

Efficient computation of elliptic curve scalar multiplication has been a significant problem since Koblitz [13] and Miller [14] independently proposed elliptic curve cryptography, and several efficient methods of scalar multiplication have been proposed (e.g., [8], [9], [12]). A standard approach for computing scalar multiplication is to use the Frobenius endomorphism. If we compute the s-multiplication on a point Q, denoted by [s]Q (see Sect. 2.1), on an elliptic curve E over a finite field Fq of characteristic p, we expand s in base q and apply [q]Q = −πq(Q)+ [t]πq(Q) (where t is the trace of the Frobenius endomorphism πq). This approach is very useful for small characteristic p (e.g., p = 2, 3). Kobayashi et al. [12] proposed an efficient method for the relatively large characteristic case. Since Boneh et al. [2] and Sakai et al. [17] independently proposed ID-based cryptosystems using pairings, pairing-based cryptography has been a subject of great interest in cryptography. The fundamental components of several pairing-based cryptosystems are pairing computation and elliptic curve scalar multiplication. The standard approach using the Frobenius endomorphism is useful for supersingular elliptic curves over small characteristic finite fields (e.g., F2m or F3m ). However, the Frobenius endomorphism is difficult to apply directly to elliptic curves over prime finite fields of large characteristic p because p is generally larger than the scalar s. Therefore, it is necessary to find a good “base” in which to expand s. In the present paper, we propose elliptic curve scalar multiplication methods using the concepts of Atei pairing [21] and optimal pairing [22]. We can reduce the number of group operations over an elliptic curve by using these pro-