On the Computation of the Optimal Ate Pairing at the 192-bit Security Level

Transcription

1 On the Computation of the Optimal Ate Paiing at the 192-bit Secuity Level Loubna Ghammam 1 and Emmanuel Fouotsa 2 (1) IRMAR, UMR CNRS 6625, Univesité Rennes 1, Campus de Beaulieu Rennes cedex, Fance. (1) Laboatoie d électonique et de micoé lectonique FSM Monasti Univesité de Monasti loubna.ghammam@yahoo.f (2) LMNO, UMR CNRS 5139 Univesité de Caen, Campus 2, Caen Cedex, Fance. (2) Highe Teache Taining College, Univesity of Bamenda, P.O.Box 39 Bambili, Cameoon emmanuel.fouotsa@yahoo.f Abstact. Baeto, Lynn and Scott elliptic cuves of embedding degee 12 denoted BLS12 have been poven to pesent fastest esults on the implementation of paiings at the 192-bit secuity level [1]. The computation of paiings in geneal involves the execution of the Mille algoithm and the final exponentiation. In this pape, we impove the complexity of these two steps up to 8% by seaching an appopiate paamete. We compute the optimal ate paiing on BLS cuves of embedding degee 12 and we also extend the same analysis to BLS cuves with embedding degee 24. Futhemoe, as many paiing based potocols ae implemented on memoy constained devices such as SIM o smat cads, we descibe an efficient algoithm fo the computation of the final exponentiation less memoy intensive with an impovement up to 25% with espect to the pevious wok. Keywods: BLS cuves, Optimal Ate paiing, final exponentiation, memoy esouces, Mille loop. 1 Intoduction The pefomance of paiing-based potocols depends on the efficiency of paiing computation. This computation consists of two main pats: the Mille step and the final exponentiation. Given an elliptic cuve E defined ove a finite field F p and two points R and S on E, the Mille step consists of computing the function f u,r with diviso Div(f u,r ) = u(r) ([u]r) (u 1)(O) whee u is an intege and O denotes the identity element of the goup of points of the elliptic cuve. The efficiency (the numbe of opeations) of the Mille step depends on the bit length

2 log 2 (u) of u and its Hamming weight since this step uses the doubleand-add Mille algoithm [2]. The final exponentiation consists of aising the esult f u,r (S) of the Mille step to the powe of pk 1 as follows f u,r (S) pk 1 = ( f u,r (S) p k 1 φ k (p) ) φ k (p), whee is a lage pime dividing the ode of the goup of ational points of E, k is called the embedding degee of E and is the smallest intege such that divides p k 1; and φ k (x) is the k-th cyclotomic polynomial. The computation of the fist pat of the final exponentiation i.e the computation of A = f u,r (S) p k 1 φ k (p) is geneally cheap as it consists of few multiplications, an invesion and taking p-th powe in F p k. The second pat which consists of the computation is moe difficult and is called the had pat. An efficient method to compute this tem is descibed by Scott et al. [3]. They suggested to wite d = φ k(p) in base p as d = d 0 + d 1 p d φ(k) 1 p φ(k) 1 and find a shot vectoial addition chain to compute A d much moe efficiently than the naive method. In this pape, we ae inteested in the impovement on the computation of the Mille step and the final exponentiation on BLS cuves [4] at the 192-bit secuity level. Indeed, the 192-bit secuity level is the highest secuity level fo public-key opeations in the National Secuity Agency s Suite B Cyptogaphy standad [5]. Also based on the esults concening implementation of paiings on elliptic cuves with embedding degee 12 at the 192-bit secuity level, BLS12 cuves have the fastest pefomances [1]. Specifically, we seach fo an adequate value of the paamete u to educe the numbe of addition steps in the Mille algoithm and the complexity of the final exponentiation. Futhemoe, as many paiing-based potocols ae implemented on memoy constained devices, we descibe an efficient algoithm fo the computation of the final exponentiation with less tempoay vaiables. The impovement in this wok is up to 25% in memoy esouces and about 8% in the complexity of the optimal ate paiing compaed to the pevious wok done in [1]. The est of the pape is oganised as follows: In Section 2 we pesent the Baeto-Lynn and Scott cuves (BLS) and a bief desciption of optimal paiings. The Section 3 is the state of the at on the computation of the had pat of the final exponentiation. In this section we follow the wok of Aanha et al.[1] and we study the numbe of tempoay vaiables used fo the computation of the final exponentiation using thei appoach in the development of the exponent. In Section 4 we pesent a new development of the exponent in A φ k (p)

3 the had pat of the final exponentiation fo BLS12 cuves which enable us to impove the cost of the computation and equies less memoy esouces compaatively to the esults in [1]. We popose also in section 5 a new paamete u of the BLS12 cuves which leads to the eduction of the Mille loop and an efficient final exponentiation. The Section 6 pesents a simila analysis fo BLS24 cuves. The esults obtained ae an impovement up to 8% than Aanha et al. esults. In Section 7 we compae the esults obtained in this wok with pevious fast esults on optimal ate paiings at the 192-bit secuity level. Section 8 concludes ou pape. Notations: In this pape we denote by: M k a multiplication in F p k. S k a squaing in F p k. F k a Fobenius map application in F p k. I k an invesion in F p k. A multiplication, a squaing and an invesion in F p ae denoted by M, S and I espectively. 2 Baeto-Lynn-Scott Cuves (BLS12) and Optimal Ate Paiings In 2002, Baeto, Lynn and Scott pesented in [4] a method to geneate paiing-fiendly elliptic cuves ove a pime field F p with embedding degee k = 12. BLS12 ae defined ove F p by the following equation: E : y 2 = x 3 + b and by a paamete u Z such that: p = (u 1) 2 (u 4 u 2 + 1)/3 + u = u 4 u t = u + 1 (1) whee t is the tace of the Fobenius map on the cuve. The paamete u is chosen such that p and ae pime and have the sizes coesponding to the desied secuity level following the ecommendations in [6]. At the 192-bit secuity level fo BLS12, p and ae of at least 640 and 384 bits in sizes espectively. The concept of optimal paiing is defined in [7]. Let π p : E ( ) F p

4 E ( ) F p, (x, y) (x p, y p ) be the Fobenius endomophism on the cuve whee F p is an algebaic closue of F p. Denote [n] : P [n]p the endomophism defined on E(F p ) which consists of adding P to itself n times. Let G 1 = E(F p )[] be the -tosion subgoup of E(F p ). Let G 2 = E (F p 2)[] Ke(π p [p]) whee E is the sextic twist of E and G 3 = µ is the subgoup of F p consisting of -th oots of unity. An 12 explicit fomula of the optimal ate paiing on BLS12 cuves is detailed in [1] and is given in Poposition 1. Poposition 1 [7] The optimal ate paiing ove the paametized BLS12 cuves is the bilinea and non degeneated map: e opt : G 1 G 2 G 3 (P, Q) f u,q (P ) p12 1 whee f u,r is the function with diviso Div(f u,r ) = u(r) ([u]r) (u 1)(O) Let u = u n 2 n u u 0 with u i { 1, 0, 1}. Let l R,Q be the line passing though the points R and Q of the elliptic cuves. The function f u,q (and in geneal the paiing f u,q (P ) p12 1 ) is efficiently computed thanks to the following algoithm known as the Mille s algoithm [2]. Mille algoithm and paiing computation: Input: u, n = log 2 (u), P,Q Output:f u,q(p ) p12 1 1: Set f 1 1 and R Q 2: Fo i = n 1 down to 0 do 3: f 1 f1 2 l R,R(P ), R 2R Doubling step 5: if u i = 1 then 6: f 1 f 1 l R,Q(P ) R R + Q, end if Addition step 7: if u i = 1 then 8: f 1 f 1 l R, Q(P ) R R Q, end fo Addition step 10: etun e = f p Final exponentiation l Remak 2 The loop length of the Mille algoithm is log 2 (u) and the addition steps ae done only if u i { 1, 1}. Theefoe any u with a smalle bit size (l u ) and low Hamming weight (w u ) will be a good solution fo the efficiency of the algoithm. Example 3 gives an illustation.

5 Example 3 Aanha et al. pesented in [1] a value u fo the BLS12 cuve which is a 107-bit intege length (l u = 108) of Hamming weight w u = 4: u = This paamete yields a 638-bit pime p and 427-bit pime. Fo this paamete u, in Mille loop, the numbe of doubling steps is 107 and the numbe of additions steps is 4. 3 Pevious Wok on the Computation of Final Exponentiation on BLS12 The computation of optimal ate paiing on BLS12 cuves is done in [1]. Howeve the authos do not take into consideation the numbe of tempoay vaiables involved especially in the computation of the final exponentiation. This may be a dawback when implementing paiings ove memoy constained devices. In this section we ty to ovecome this dawback by adding details to thei computation, especially fo the had pat of the final exponentiation given by: p 12 1 = ( p 6 1 ) ( p ) p 4 p To compute the fist pat f = f (p6 1)(p 2 +1) 1 we have to pefom just two easy Fobenius opeations, two multiplications and an invesion in F p 12. This invesion is a had opeation, howeve it has an impotant consequence fo the est of the computation. Indeed, poweing f 1 to the p 6 1 makes the esult unitay [8]. By this way, duing the had pat of the final exponentiation (the computation of f p4 p 2 +1 ) all the elements involved ae unitay. This simplifies the computations. Fo example any futue invesion can be implemented as a Fobenius opeato, moe pecisely f 1 = f p6 which is just a conjugation [8], [9]. Consequently, we assume in this section that invesions ae fee. The exponent p4 p 2 +1 of the had pat can be simply witten as a polynomial in p of degee 3: whee p 4 p = λ 0 + λ 1 p + λ 2 p 2 + λ 3 p 3 λ 0 = u 5 2u 4 + 2u 2 u + 3 λ 1 = u 4 2u 3 + 2u 1 λ 2 = u 3 2u 2 + u λ 3 = u 2 2u + 1 (2)

6 In [1], the computation of f λ 0+λ 1 p+λ 2 p 2 +λ 3 p 3 is done in 2 steps: Fist they compute f f 2 f u f 2u f u 2 f u2 2u f u3 2u 2 f u4 2u 3 f u4 2u 3 +2u f u5 2u 4 +2u 2 which equies 5 exponentiations by u, 2 multiplications in F p 12 and 2 cyclotomic squaings. The second step is applying Fobenius maps and multiplying tems togethe to have the following expession: f d ( = f u5 2u 4 +2u 2 f u 2 ) ( 1 f u4 2u 3 +2u f 1) p (f u3 2u 2 f u) p 2 ( ) p f u2 2u 3 f which equies 3 Fobenius maps and also othe 8 multiplications. Theefoe, the total cost of the had pat of the final exponentiation though Aanha et al. method is 5 exponentiations by u, 10 multiplications, 2 squaings and 3 Fobenius in F p 12. In thei pape, Aanha et al. do not specify the numbe of tempoay vaiables used to compute f d. This can be a equiement if we think about implementation of paiings in a esticted envionment. That s why, we have computed them and have found that we need to use at least 6 tempoay vaiables in F p 12 to compute the had pat of the final exponentiation as shown in Algoithm 1. A magma code to check the coectness of this algoithm is available hee. The oveall cost of computing f d is then (5l u 3)S 12 + (5w u + 5) + 3F 12. Consideing the value of u chosen in example 3, the total cost of this algoithm is 537S F 12. Remak 4 In fact, neithe Aanha et al [1] no the pesent authos compute the optimal ate paiing itself, but athe its cube. The advantage of that is that the coefficient λ i become integes. 4 New development of d with u poposed in [1] As we ealie said in the intoduction, ou aim in this pape is to educe the complexity and the numbe of tempoay vaiables used to compute the had pat of the final exponentiation f p4 p In this Section we popose anothe development of the exponent d which enable us to use less tempoay vaiables and theefoe decease the numbe of multiplications in F p. Recall that d = p4 p 2 +1 = λ 0 + λ 1 p + λ 2 p 2 + λ 3 p 3. To impove the cost of the computations we ewite λ i with 0 i 3 diffeently as

7 Algoithm 1: Aanha et al.[1] Computed Tems Cost development and comments Input: f, u Output: f p4 p 2 +1 Temp. va.: t 0, t 1, t 2, t 3, t 4 t 5 t 0 f 2 f 2 S 12 t 5 f u (l u 1)S 12 + (w u 1) t 1 t 2 5 f 2u S 12 t 3 t 0t 5 f u 2 t 0 t u 3 f u2 2u (l u 1)S 12 + (w u 1) t 2 t u 0 f u3 2u 2 (l u 1)S 12 + (w u 1) t 4 t u 2 f u4 2u 3 (l u 1)S 12 + (w u 1) t 4 t 1t 4 t 1 t u 4 f u5 2u 4 +2u 2 (l u 1)S 12 + (w u 1) t 3 t 1 3 t 1 t 3t 1 t 1 t 1f f λ 0 t 3 f 1 t 0 t 0f f λ 3 t 0 t p3 0 F 12 t 4 t 3t 4 f λ 1 t 4 t p 4 F 12 t 5 t 2t 5 f λ 2 t 5 t p2 5 F 12 t 5 t 5t 0 t 5 t 5t 4 t 5 t 5t 1 f p4 p 2 +1 etun t 5 Table 1. Tempoay vaiables used in the pevious wok [1] follows: λ 0 = λ 1 u + 3 λ 1 = λ 2 u λ 3 λ 2 = λ 3 u λ 3 = u 2 2u + 1 Fom these new elations satisfied by λ 0, λ 1, λ 2 and λ 3 we get algoithm 2 in Table 2 which allows us to compute f p4 p A magma code to check the coectness of this algoithm is available hee. To compute any exponentiation, we use the squae and multiply algoithm [10]. The cost of the fou exponentiations by u in this algoithm is 4(l u 1)S (w u 1) and the cost of the exponentiation by u/2 is (3)

8 Algoithm 2: new vaiant of Aanha et al.[1] Input: f, u Computed Tems Cost and comments Output: f p4 p 2 +1 Temp. va.: t 0, t 1, t 2, t 3, t 4 t 0 f 2 S 12 t 1 t u 0 (l u 1)S 12 + (w u 1) t 2 t u/2 1 f u2 (l u 2)S 12 + (w u 1) t 3 f 1 t 1 t 3t 1 f 2u 1 t 1 t 1 1 f 2u+1 t 1 t 1t 2 f λ 3 t 2 t u 1 f λ 2 (l u 1)S 12 + (w u 1) t 3 (t 2) u f λ 2u (l u 1)S 12 + (w u 1) t 1 t 1 1 f λ 3 t 3 t 1t 3 f λ 1 t 1 t 1 1 f λ 3 t 1 t p3 1 f λ 3p 3 F 12 t 2 t p2 2 f λ 2p 2 F 12 t 1 t 1t 2 f λ 3p 3 f λ 2p 2 t 2 t u 3 f λ 1u (l u 1)S 12 + (w u 1) t 2 t 2t 0 t 2 t 2f f λ 0 t 1 t 1t 2 f λ 3p 3 f λ 2p 2 f λ 0 t 2 t p 3 f λ 1p F 12 t 1 t 1t 2 f λ 3p 3 f λ 2p 2 f λ1p f λ 0 etun t 1 Table 2. Tempoay vaiables used with the new development of d (l u 2)S 12 +(w u 1). The oveall cost of computing f d with steps given in Algoithm 2 is then 4(l u 1)S 12 +(l u 2)S 12 +S 12 +(5w u +3) +3F 12. We summaise in Table 3 the two esults fom Table 1 and Table 2. Method Complexity Temp. va. S 12 F 12 Aanha et al.[1] 5lu 3 5w u (algoithm 1) This wok 5l u 5 5w u (algoithm 2) Table 3. Compaison between Aanha et al.[1] and ou new development

9 Though Table 3 we emak that ou appoach gives faste esults than the method given in [1] fo the computation of the had pat of the final exponentiation. We saved 2 squaings and 2 multiplications in F p 12 thanks to the fact that u is even. We have also deceased the used memoy esouces, we have used 4 tempoay vaiables instead of 6 in [1]. In ode to give a moe explicit compaison we conside Example 5. Example 5 Let E a BLS12 elliptic cuve defined ove a pime field F p by E : y 2 = x Based on the paamete u = poposed by Aanha et al. an exponentiation by u needs 3 multiplications and 107 squaings in F p 12. A detailed compaison is given in the following Table. Method Complexity Temp. va. S 12 F 12 Aanha et al.[1] (algoithm 1) This wok (algoithm 2) Table 4. Compaison between Aanha et al.[1] and ou new development Fo a full compaison, we give the complexity of each F p 12 opeation in F p. In ou case 1 is not a squae and (1 + α) is neithe a cube no a squae. The field F p 12 is built using the following extension towe. F p 2 = F p [α]/(α 2 + 1) F p 6 = F p 2[β]/ ( β 3 (α + 1)) ) F p 12 = F p 6[γ]/ ( γ 2 β ) The cost of aithmetic opeations in F p, F p 2, F p 6 and F p 12 ae detailed in [11], [12], [1]. 5 Development of d with a New Paamete u Ou aim is to educe the complexity of the computation of the paiing as much as possible fo both the computation of the had pat of the final exponentiation and also the Mille loop. We wote a Pai/GP code to find

10 a suitable u with low hamming weight and minimal numbe of bits fo the 192- bits secuity level. Poposition 6 The best value of u we wee able to find is u = which gives p a 641-bit pime numbe and a 428-bit pime numbe. The Hamming weight of u is w u = 3, this low Hamming weight has an advantage because any exponentiation by u needs only 2 multiplications instead of 3 needed if we use the paamete poposed by Aanha et al. Now we pesent the impoved cost of ou development of the had pat of the final exponentiation using the new value of the paamete u in the following Table 5. We can deduce that using the new paamete u in ou Method Aanha et al.[1] Complexity Numbe of Temp. va. S 12 F 12 must used This wok with u of Aanha et al.[1] This wok with new u Table 5. Compaison of the cost of the had pat of the final exponentiation development is a fast altenative fo computing the had pat of the final exponentiation. The oveall cost of the final exponentiation f (p6 1)(p 2 +1) p4 p 2 +1 is an invesion in F p 12, 10 multiplications, 4 Fobenius, one cyclotomic squaing, 5 exponentiations by u and 1 exponentiation by u/2, whee the easiest pat costs 2 multiplications, an invesion and a Fobenius. Any exponentiation by ou new paamete u equies 107 compessed squaings, simultaneous decompession of 4 field elements when Kaabina s exponentiation technique [13] is employed and 2 multiplications in F p 12. So we have to pefom 107(6S 2 ) + 4(3M 2 + 3S 2 ) + 3(3M 2 ) + I 2 + 2(18M 2 ) = (57M S 2 + I 2 ) to compute any exponentiation by u. The oveall cost of the final exponentiation is theefoe 4(57M S 2 + I 2 ) + (57M S 2 + I 2 ) + 4(15M) + 10(18M 2 ) + (23M S 2 + I 2 ) + 9S 2 =8116M+6I. As computed in [1], the cost of a multiplication in F p 12 is about 54M, a cyclotomic squaing costs 18M and a Fobenius in F p 12 is 15 multiplications in F p. Consequently, the cost of the final exponentiation using the

11 new paamete u and ou new development is less than the cost given in [1]. We saved about 408 multiplications in F p which is about 5% of the oveall cost of the final exponentiation. The advantage of ou paamete u is also that we educed the computational cost in the Mille loop. The numbe of doubling step in Mille algoithm is detemined by the length of u in base 2 which is log 2 (u) = l u. The Hamming weight of u detemines the numbe of addition steps in Mille s algoithm. That s why, using the new paamete u that we poposed in this pape we have to pefom just 2 addition steps instead of 3 done in [1]. Theefoe we save an addition step with line evaluation and also a multiplication in F p 12. This gain is about 80 multiplications in F p which epesents 1%. 6 Optimal Ate Paiings ove BLS24 Cuves Although BLS12 cuves pesent the fastest esults fo the implementation of paiings at the 192 bits secuity level [1], BLS cuves of embedding degee 24 ae also well suited fo implementing paiings at the high secuity level [14]. The objective of this section is to impove the cost of the computation of the optimal ate paiing ove BLS24 cuves. The analysis follows the same appoach we used in the case of BLS12 cuves. Mainly, a new paamete is obtained with low hamming weight. This enables us to impove the cost of the Mille loop and the computation of the final exponentiation. BLS24 cuves ae families of elliptic cuves paametized as follows: p = (u 1) 2 (u 8 u 4 + 1)/3 + u = u 8 u t = u + 1 The authos in [1] conside the implementation of optimal ate paiing on the BLS24 cuve defined by the equation y 2 = x and with the paamete u = (4) 6.1 Pevious esults on BLS24 cuves The final exponentiation fo BLS24 cuves is p 24 1 = ( p 12 1 ) ( p ) p 8 p 4 + 1

12 The exponent p8 p 4 +1 of the had pat of the final exponentiation is witten as whee p 8 p = φ(24) 1 i=0 λ i p i = λ 0 + λ 1 p + λ 2 p λ 7 p 7 λ 0 = u 9 2u 8 + u 7 u 5 + 2u 4 u λ 1 = u 8 2u 7 + u 6 u 4 + 2u 3 u 2 λ 2 = u 7 2u 6 + u 5 u 3 + 2u 2 u λ 3 = u 6 2u 5 + u 4 u 2 + 2u 1 λ 4 = u 5 2u 4 + u 3 λ 5 = u 4 2u 3 + u 2 λ 6 = u 3 2u 2 + u λ 7 = u 2 2u + 1 The had pat of the final exponentiation is computed as f d = f λ 0 f λ 1p f λ 2p 2 f λ 3p 3 f λ 4p 4 f λ 5p 5 f λ 6p 6 f λ 7p 7 Following [1], the computation of f d needs 9 exponentiations by u, 7 Fobenius opeations, 2 cyclotomic squaings and 12 multiplications in F p 24. Consideing the paamete u = , an exponentiation by u equies (l u 1) squaings and (w u 1) multiplications in F p 24. The cost of the had pat of the final exponentiation pesented in [1] is then (9(l u 1) + 2) S 24, (9(w u 1) + 12) M 24 and 7 Fobenius opeations. 6.2 Impovement of the cost of Optimal Ate paiing on BLS24 cuves To impove the computation of f d we obseved that the coefficients in the decomposition of d veify the following elations: λ 0 = λ 1 u + 3 λ 1 = λ 2 u λ 2 = λ 3 u λ 3 = λ 4 u λ 7 (6) λ 4 = λ 5 u λ 5 = λ 6 u λ 6 = λ 7 u λ 7 = u 2 2u + 1 Using these elations we can evaluate f d in Algoithm 3. (5)

13 Algoithm 3: BLS24 cuves. Input: f, u Computed Tems Cost and comments Output: f p8 p 4 +1 Temp. va.: t 0, t 1, t 2, t3, t4 t 7 f 2 S 24 t 1 t u 7 f 2u (l u 1)S 24 + (w u 1)M 24 t 2 t u/2 1 f u (l u 2)S 24 + (w u 1)M 24 t 3 t 1 2 t 2 t 1t 3 M 24 t 2 t 2f f λ 7 M 24 t 3 t u 2 f λ 6 (l u 1)S 24 + (w u 1)M 24 t 4 t u 3 f λ 5 (l u 1)S 24 + (w u 1)M 24 t 3 t p6 3 f λ 6p 6 F 24 t 4 t p5 4 f λ 5p 5 F 24 t 3 t 3t 4 M 24 t 5 t u 4 f λ 4 (l u 2)S 24 + (w u 1)M 24 t 6 t u 5 (l u 1)S 24 + (w u 1)M 24 t 0 t 1 2 t 6 t 6t 0 f λ 3 M 24 t 5 t p3 6 f λ 3p 3 F 24 t 3 t 3t 5 M 24 t 5 t u 6 f λ 2 (l u 1)S 24 + (w u 1)M 24 t 0 t p2 5 f λ 2p 2 F 24 t 3 t 3t 0 M 24 t 6 t u 5 f λ 1 (l u 1)S 24 + (w u 1)M 24 t 0 t p 6 f λ 1p F 24 t 3 t 3t 0 M 24 t 5 t u 6 f λ 0 (l u 1)S 24 + (w u 1)M 24 t 2 t p7 2 f λ 7p 7 F 24 t 5 t 5t 7 M 24 t 3 t 3t 2 M 24 t 3 t 3t 5 M 24 etun t 3 This algoithm equies (8(l u 1)) S 24, (l u 2) S 24, S 24, (9(w u 1) + 12) M 24 and 7 Fobenius opeations in F p 24. Thanks to the fact that u is even, we saved 2 squaings in F p 24. As in section 5, we also tied in this case to find a new paamete u which has a low Hamming weight. Ou Pai/GP code let us find the following paamete u = which gives p a 479-bit pime numbe and a 384-bit pime numbe. This new paamete u is a 48 bit intege as the u poposed in [1]. Howeve its

14 Hamming weight is 3 instead of 4 in the case of [1]. This is an advantage because we have in ou case less opeations to pefom. Fo the paametes p et, the extension field F p 24 is built using the following towe of extensions: F p 2 = F p [α]/(α 2 + 1) F p 6 = F p 2[β]/ ( β 3 (α + 2)) ) F p 12 = F p 6[γ]/ ( γ 2 β ) F p 24 = F p 12[θ]/ ( θ 2 γ ) The aithmetic fo this towe of extension is pesented in [1]. Using the new paamete u, any exponentiation by this paamete costs (l u 1) squaings and (w u 2) multiplications in F p 24. Because the Hamming weight of u is 3, this enables to save one multiplication in F p 24 in each exponentiation by u giving a total of 9 saved multiplications in F p 24. Theefoe the had pat of the final exponentiation equies (8(l u 1)) S 24, (l u 2) S 24, S 24, (9(w u 2) + 12) M 24 and 7 Fobenius opeations. Then the oveall cost of the computation of the final exponentiation is 8 (48(12M 2 ) + 89M 2 + 2S 2 + 2(54M 2 ) + I 2 )+8(45M)+14(54M 2 )+18M 2 + (47(12M 2 ) + 89M 2 + 2S 2 + 2(54M 2 ) + I 2 ) = 7802M S M + 10I. In tem of the computation of the had pat of the final exponentiation, ou method is faste than Aanha et al. method pesented in [1]. We saved 1548 multiplications in F p which is about 8%. The fastest cost of the Mille loop fo computing optimal ate paiing ove BLS24 cuves is epoted in [1]. The doubling step costs 21M 2 + 8M fo the point doubling and 36M 2 fo updating the Mille function in this step. The addition step costs 37M 2 +8M fo the point addition and 39M 2 fo updating the Mille function in this step. In this wok, we pesented a new paamete u which enable us to pefom only 3 point additions with line evaluations instead of 4 by using u. We win also one multiplication in F p 24 which epesents 353 multiplications in F p. Hence the gain is 2.5%. 7 Compaison In this pape we wee not only inteested in the complexity of the optimal ate paiing cuves but also on memoy usage on BLS12. We also studied the complexity of the computation of the optimal ate paiing on BLS24 cuves using a new development of the had pat of the final exponentiation and we pesented a new paamete u. A full compaison of the esults in this wok with pevious fast esults on optimal ate paiings at the 192-bit secuity level is given in the following table.

15 Complexity of Complexity of Cuves Method u Mille loop the final expo Aanha et al.[1] M+6I BLS12 Cuves This wok M+6I Aanha et al.[1] M+10I BLS24 Cuves This wok M+10I BN Cuves Aanha et al.[1] 16553M 7218M+4I KSS18 Cuves Aanha et al.[1] 13168M 23821M+8I Table 6. Compaison of pevious fast esults with this wok on paiing at the 192-bit secuity level Table 6 shows that ou new appoach is moe efficient than the method pesented by Aanha et al.[1] in the case of BLS12 cuves and also BLS24 cuves. 8 Conclusion Fo the 192-bit level secuity, it is ecommended to use BLS12 cuves because the computation of paiings ove this categoy of cuves is moe efficient than othes cuves such as BN cuves [15], KSS16 cuves [16]. In this pape we impoved the computation of the had pat of the final exponentiation and also the computation of Mille loop compaed to the costs pesented in [1] in BLS12 and BLS24 cuves. We implemented ou new algoithms in Magma to veify thei coectness [17]. As a conclusion, ou new methods fo computing the had pat of the final exponentiation ae moe efficient than pevious methods in the liteatue and they ae always less memoy intensive. Hence, thee ae an inteesting altenative fo paiing implementation in esticted envionments fo the 192-secuity level. Acknowledgements. The authos thank Sylvain Duquesne and John Boxall fo helpful discussions and comments on this pape. Refeences 1. Diego F. Aanha, Laua Fuentes-Castañeda, Edwad Knapp, Alfed Menezes, and Fancisco Rodíguez-Heníquez. Implementing paiings at the 192-bit secuity level. In Paiing-Based Cyptogaphy - Paiing th Intenational Confeence, Cologne, Gemany, May 16-18, 2012, Revised Selected Papes, pages , Victo S. Mille. The weil paiing, and its efficient calculation. J. Cyptology, 17(4): , Michael Scott, Naomi Benge, Manuel Chalemagne, Luis J. Dominguez Peez, and Ezekiel J. Kachisa. On the final exponentiation fo calculating paiings on odinay

16 elliptic cuves. In Paiing-Based Cyptogaphy - Paiing 2009, Thid Intenational Confeence, Palo Alto, CA, USA, August 12-14, 2009, Poceedings, pages 78 88, Paulo S. L. M. Baeto, Ben Lynn, and Michael Scott. Constucting elliptic cuves with pescibed embedding degees. In Secuity in Communication Netwoks, Thid Intenational Confeence, SCN 2002, Amalfi, Italy, Septembe 11-13, Revised Papes, pages , NSA Suite B Cyptogaphy. suitebcyptogaphy/index.shtml. 6. National Institute of Standads and Technology Fedeik Vecauteen. Optimal paiings. IEEE Tansactions on Infomation Theoy, 56(1): , Michael Scott and Paulo S. L. M. Baeto. Compessed paiings. In Advances in cyptology CRYPTO 2004, volume 3152 of Lectue Notes in Comput. Sci., pages Spinge, Belin, Matijn Stam and Ajen K. Lensta. Efficient subgoup exponentiation in quadatic and sixth degee extensions. In Cyptogaphic Hadwae and Embedded Systems - CHES 2002, 4th Intenational Wokshop, Redwood Shoes, CA, USA, August 13-15, 2002, Revised Papes, pages , Sylvain Duquesne and Loubna Ghammam. Memoy-saving computation of the paiing final exponentiation on BN cuves. IACR Cyptology epint Achive, 2015:192, C. C. F. Peeia Geovando, Macos A. Simplício J., Michael Naehig, and Paulo S. L. M. Baeto. A family of implementation-fiendly BN elliptic cuves. Jounal of Systems and Softwae, 84(8): , Diego F. Aanha, Koay Kaabina, Patick Longa, Catheine H. Gebotys, and Julio López. Faste explicit fomulas fo computing paiings ove odinay cuves. In Advances in Cyptology - EUROCRYPT th Annual Intenational Confeence on the Theoy and Applications of Cyptogaphic Techniques, Tallinn, Estonia, May 15-19, Poceedings, pages 48 68, Koay Kaabina. Squaing in cyclotomic subgoups. Math. Comput., 82(281), Caig Costello, Kistin E. Laute, and Michael Naehig. Attactive subfamilies of BLS cuves fo implementing high-secuity paiings. In Pogess in Cyptology - INDOCRYPT th Intenational Confeence on Cyptology in India, Chennai, India, Decembe 11-14, Poceedings, pages , Paulo S. L. M. Baeto and Michael Naehig. Paiing-fiendly elliptic cuves of pime ode. In Selected Aeas in Cyptogaphy, 12th Intenational Wokshop, SAC 2005, Kingston, ON, Canada, August 11-12, 2005, Revised Selected Papes, pages , Ezekiel J. Kachisa, Edwad F. Schaefe, and Michael Scott. Constucting bezingweng paiing fiendly elliptic cuves using elements in the cyclotomic field. IACR Cyptology epint Achive, 2007:452, L. Ghammam and E. Fouotsa.