Fixed Argument Pairing Inversion on Elliptic Curves


Sungwook Kim and Jung Hee Cheon
ISaC & Dept. of Mathematical Sciences, Seoul National University, Seoul, Korea
{avell7,jhcheon}@snu.ac.kr

Abstract. Let $E$ be an elliptic curve over a finite field $\mathbb{F}_q$ with $q$ a power of a prime $p$, $r$ a prime dividing $\#E(\mathbb{F}_q)$, and $k$ the smallest positive integer satisfying $r \mid \Phi_k(q)$, called the embedding degree. Then a bilinear map $t : E(\mathbb{F}_q)[r] \times E(\mathbb{F}_{q^k})/rE(\mathbb{F}_{q^k}) \to \mathbb{F}_{q^k}^*$ is defined, called the Tate pairing, and the Ate pairing and other variants are obtained by reducing the domain of each argument and raising the result to some power. In this paper we consider the Fixed Argument Pairing Inversion (FAPI) problem for the Tate pairing and its variants. In 2012, considering FAPI for the Ate$_i$ pairing, Kanayama and Okamoto formulated the Exponentiation Inversion (EI) problem. However, their definition gives a somewhat vague description of the hardness of EI. We point out that the EI problem as described can be solved easily, and we clarify the description so that the problem captures the actual hardness in connection with the prescribed domain of the given pairing. Next we show that inverting the Ate pairing (including other variants of the Tate pairing) defined on the smaller domain is neither easier nor harder than inverting the Tate pairing defined on the larger domain. This is interesting because it is commonly believed that the structure of the Ate pairing is so simple and nice (that is, the Miller length is short, and the solution domain is small and has an algebraic structure induced by the Frobenius map) that it may leak some information, so that attackers might find an approach to FAPI for the Ate pairing that does not apply to the Tate pairing.

Key words: Pairing Inversion, Fixed Argument Pairing Inversion, Exponentiation Inversion, Tate Pairing, Ate Pairing.

1 Introduction

Pairings have played an important role in recent public-key cryptography.
Many cryptographic systems and protocols have been proposed using pairings since the identity-based encryption scheme [2], the short signature scheme [3], and the one-round three-party key exchange protocol [10]. Let $\mathbb{F}_q$ be a finite field with $q = p^m$ elements, where $p$ is a prime, and let $E$ be an elliptic curve over $\mathbb{F}_q$. For a large prime $r$ dividing $\#E(\mathbb{F}_q)$, let $k$ be the embedding degree of $E(\mathbb{F}_q)$, which is the smallest positive integer such that $r$ divides $q^k - 1$. Let $G_1$ and $G_2$ be two subgroups of $E(\mathbb{F}_{q^k})$ and $\mu_r$ the set of $r$-th roots of unity in $\mathbb{F}_{q^k}^*$. Then a pairing is a bilinear map $e : G_1 \times G_2 \to \mu_r$. The most widely used pairing is the Tate pairing $t : E(\mathbb{F}_{q^k})[r] \times E(\mathbb{F}_{q^k})/rE(\mathbb{F}_{q^k}) \to \mu_r$. If $E(\mathbb{F}_{q^k})$ does not contain any point of order $r^2$, both $E(\mathbb{F}_{q^k})[r]$ and $E(\mathbb{F}_{q^k})/rE(\mathbb{F}_{q^k})$ are identified with the direct sum of the $1$- and $q$-eigenspaces $G_1$ and $G_2$ of the Frobenius endomorphism $\pi_q$. Simplifying the domain of the Tate pairing to $G_1 \times G_2$ or $G_2 \times G_1$ and raising it to a power, there have been numerous proposals of variants of the simplified Tate pairing [9, 17, 12, 16, 8].

The security of pairing-based cryptosystems relies on the hardness of the DLP on $\mu_r$, the ECDLP on $G_1$ and $G_2$, and the pairing inversion problem. Every pairing computation consists of the Miller step, which evaluates the Miller function $f$ at two rational points $P$ and $Q$ (or divisors) on the elliptic curve, and the final exponentiation step, which raises the result $f(P,Q)$ of the Miller step to some power $d$. Thus the natural strategy for solving the pairing inversion problem consists of two steps: 1) inverting the final exponentiation, which computes a $d$-th root $y \in \mathbb{F}_{q^k}^*$ of an element $z \in \mu_r$, and 2) finding points $P$ and $Q$ satisfying $f(P,Q) = y$. We call these the Exponentiation Inversion (EI) problem and the Miller Inversion (MI) problem, respectively. In this paper we focus on the Fixed Argument Pairing Inversion (FAPI) problem. It asks to find an unknown point when the first or the second argument of the pairing is fixed to some point, called FAPI-1 and FAPI-2, respectively. We first discuss EI. Recently, considering FAPI for the Ate$_i$ pairing [11], Kanayama and Okamoto formulated EI and mentioned that it is difficult in general. In Section 3 we point out that the EI described in [11] is somewhat vague as an explanation of the hardness of the problem. Indeed, it is generally hard to find a $d$-th root in a group if $d$ is a divisor of the group order. However, the situation in EI is different from the general case. For example, in the Tate pairing the final exponentiation step raises the evaluation of the Miller function to the power $(q^k-1)/r$. We show that one can find a $(q^k-1)/r$-th root in polynomial time, using the fact that $\gcd((q^k-1)/r,\, r) = 1$. We then point out that the crucial hardness lies in finding a root which also lies in the image of the Miller function on the prescribed domain of the given pairing, and we clarify the description of EI accordingly. In Section 4 we investigate the relationship between FAPI for the Tate pairing defined on the extended domain and FAPI for the Ate pairing and other variants.
If two pairings are defined on the same domain, i.e., $G_1 \times G_2$ or vice versa, the equivalence is trivial. However, as studied in [6], if we consider the Tate pairing with the extended domain $t : E(\mathbb{F}_{q^k})[r] \times E(\mathbb{F}_{q^k}) \to \mu_r$, the bottlenecks for inverting the two pairings are different. In the case of the Tate pairing with the large domain, taking a random $(q^k-1)/r$-th root is enough, so EI is easy, while inverting the Miller function is hard due to its high degree. The situation is reversed in the case of the Ate pairing. We show that FAPI for the Tate pairing with the extended domain is computationally equivalent to FAPI for the Ate pairing (including other variants). The result implies that even if the domain is changed, the total hardness of FAPI is invariant. This is interesting because it is commonly believed that the structure of the Ate pairing is so simple and nice (that is, the Miller length is short, and the solution domain is small and has an algebraic structure induced by the Frobenius map) that it may leak some information, so that attackers might find an approach to FAPI for the Ate pairing that does not apply to the Tate pairing.

Notation. Throughout the paper, for integers $a$, $b$ and $i$, we write $a^i \,\|\, b$ if $a^i \mid b$ but $a^{i+1} \nmid b$.

2 Preliminaries

2.1 The Tate Pairing

Let $\mathbb{F}_q$ be a finite field with $q = p^m$ elements, where $p$ is a prime, and let $E$ be an elliptic curve over $\mathbb{F}_q$. Consider a large prime $r$ dividing $\#E(\mathbb{F}_q)$. Throughout we assume $r^2 \nmid \#E(\mathbb{F}_q)$. Let $k$ be the embedding degree of $E(\mathbb{F}_q)$, i.e., $r \mid \Phi_k(q)$, where $\Phi_k(x) \in \mathbb{Z}[x]$ is the $k$-th cyclotomic polynomial. In this case $E[r]$ is contained in $E(\mathbb{F}_{q^k})$, where $E[r]$ is the set of $r$-torsion points, isomorphic to $\mathbb{Z}/r\mathbb{Z} \times \mathbb{Z}/r\mathbb{Z}$ if $\gcd(r, q) = 1$. We define $f_{s,Q}$ to be the normalized $\mathbb{F}_{q^k}$-rational function with divisor $(f_{s,Q}) = s(Q) - ([s]Q) - (s-1)(O)$. For $a, b \in \mathbb{Z}$, the normalized Miller functions have the following properties [13, 14], where $l_{R,S}$ denotes the equation of the line through $R$ and $S$, and $v_R$ the equation of the vertical line through $R$:

D1. $f_{a+b,Q} = f_{a,Q} \cdot f_{b,Q} \cdot l_{[a]Q,[b]Q} / v_{[a+b]Q}$
D2. $f_{ab,Q} = f_{b,Q}^{\,a} \cdot f_{a,[b]Q}$
D3. $f_{-a,Q} = 1 / (f_{a,Q} \cdot v_{[a]Q})$

The Tate pairing is defined as follows:
$$t : E(\mathbb{F}_{q^k})[r] \times E(\mathbb{F}_{q^k})/rE(\mathbb{F}_{q^k}) \to \mu_r \subset \mathbb{F}_{q^k}^*, \qquad t(P,Q) = f_{r,P}(Q)^{(q^k-1)/r},$$
where $\mu_r$ is the set of $r$-torsion elements of $\mathbb{F}_{q^k}^*$. The Miller length of the Tate pairing is $\log r$. If we do not consider the non-degeneracy of the pairing, the second argument of the Tate pairing can be extended to the larger set $E(\mathbb{F}_{q^k})$. Throughout we consider the Tate pairing on this extended domain, since it is more convenient for dealing with the pairing inversion problem.

2.2 Variants of the Tate Pairing

Denote by $\pi_q$ the Frobenius endomorphism $\pi_q : E \to E$, $(x,y) \mapsto (x^q, y^q)$, and define the two eigenspaces of $\pi_q$
$$G_1 = E[r] \cap \ker(\pi_q - [1]) = E(\mathbb{F}_q)[r], \qquad G_2 = E[r] \cap \ker(\pi_q - [q]).$$
More efficient pairings on $G_2 \times G_1$ have been studied extensively, such as the Ate pairing [9], the Ate$_i$ pairing [17], the R-ate pairing [12], optimal pairings [16, 8], and so on. One of the basic tools is the following lemma.

Lemma 1 ([9, Theorem 1]). Let $\lambda \equiv q \pmod r$ and $m = (\lambda^k - 1)/r$. Then the reduced Ate pairing
$$a_\lambda : G_2 \times G_1 \to \mu_r, \qquad (Q,P) \mapsto f_{\lambda,Q}(P)^{(q^k-1)/r}$$
defines a bilinear pairing which is non-degenerate for $r \nmid m$ (i.e., $r^2 \nmid \lambda^k - 1$). Further it satisfies $a_\lambda(Q,P) = t(Q,P)^{m(\lambda - q)/(\lambda^k - q^k)}$.
As in the case of the Ate pairing, all the variants of the Tate pairing can be obtained by raising the Tate pairing on $G_2 \times G_1$ (or vice versa) to an appropriate power. Further, Vercauteren introduced optimal pairings [16], whose Miller length is very short.

Lemma 2 ([16, Theorem 4]). Let $\lambda = mr$ and write $m = \sum_{i=0}^{l} c_i q^i$ and $s_i = \sum_{j=i}^{l} c_j q^j$. Then
$$a_{[c_0,\dots,c_l]} : G_2 \times G_1 \to \mu_r, \qquad (Q,P) \mapsto \Big( \prod_{i=0}^{l} f_{c_i,Q}^{\,q^i}(P) \cdot \prod_{i=0}^{l} \frac{l_{[s_{i+1}]Q,[c_i q^i]Q}(P)}{v_{[s_i]Q}(P)} \Big)^{(q^k-1)/r}$$
defines a bilinear pairing. Furthermore, it is non-degenerate if
$$m \cdot \frac{d}{dq}\big(q^k\big) \not\equiv \frac{q^k - 1}{r} \cdot \frac{d}{dq}\Big( \sum_{i=0}^{l} c_i q^i \Big) \pmod r.$$

In a parallel computing model, the Miller length of the above pairing is $\log \max_i |c_i|$. Vercauteren gives a method for obtaining small $c_i$ using a lattice basis reduction algorithm. In brief, consider the $\varphi(k)$-dimensional lattice $L$ spanned by the rows of
$$L := \begin{pmatrix} r & 0 & 0 & \cdots & 0 \\ -q & 1 & 0 & \cdots & 0 \\ -q^2 & 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ -q^{\varphi(k)-1} & 0 & 0 & \cdots & 1 \end{pmatrix}.$$
Then $(c_0, \dots, c_l)$ belongs to $L$, and by Minkowski's theorem there exists a short vector $V \in L$ with $\|V\|_\infty \le r^{1/\varphi(k)}$. Thus the Miller length can be reduced to $\log r^{1/\varphi(k)} = (\log r)/\varphi(k)$.

2.3 Pairing Inversion Problems

The problems of interest are formulated as follows.

Definition 1 ([6]). For subgroups $G_1$ and $G_2$ of $E(\mathbb{F}_{q^k})$, let $e : G_1 \times G_2 \to \mu_r \subset \mathbb{F}_{q^k}^*$ be a well-defined bilinear pairing.
The Fixed Argument Pairing Inversion 1 (FAPI-1) problem: given a pairing $e$, $P_1 \in G_1$, and $z \in \mu_r$, find $P_2 \in G_2$ such that $e(P_1, P_2) = z$.
The Fixed Argument Pairing Inversion 2 (FAPI-2) problem: given a pairing $e$, $P_2 \in G_2$, and $z \in \mu_r$, find $P_1 \in G_1$ such that $e(P_1, P_2) = z$.
The Generalized Pairing Inversion (GPI) problem: given a pairing $e$ and $z \in \mu_r$, find $P_1 \in G_1$ and $P_2 \in G_2$ such that $e(P_1, P_2) = z$.

A pairing is computed as $e(P_1, P_2) = f_{s,P_1}(P_2)^d$ for some integers $s$ and $d$, where $f_{s,P_1}$ is the normalized $\mathbb{F}_{q^k}$-rational function with divisor $(f_{s,P_1}) = s(P_1) - ([s]P_1) - (s-1)(O)$. Thus a natural way to solve FAPI for $e(P_1, P_2) = z$ proceeds in two steps: computing a $d$-th root $y$ of $z$, and then finding a point $P_2$ (or $P_1$) satisfying $f_{s,P_1}(\cdot) = y$ (or $f_{s,\cdot}(P_2) = y$) when $P_1$ (or $P_2$) is fixed. The first and second steps are called the Exponentiation Inversion (EI) problem and the Miller Inversion (MI) problem, respectively.

3 Exponentiation Inversion

In this section we consider EI.
Dealing with the pairing inversion problem for Ate$_i$, Kanayama and Okamoto presented a definition of this problem in [11] and mentioned that it is hard in general. In this section we explain that the EI problem as described there is not hard. We point out concretely where the hardness of inverting the final exponentiation step arises, and clarify the description of EI.

3.1 The $d$-th Root Extraction

In [11, Definition 3] Kanayama and Okamoto defined EI as follows.

Definition 2 ([11, Definition 3]). For an unknown element $y \in \mathbb{F}_{q^k}^*$, assume that an integer $d$ and the value $z := y^d \in \mathbb{F}_{q^k}^*$ are known. Then the EI, or $(d,z)$-EI, is the problem of finding $y$ from the instance $(d, z)$.

They mentioned that the above is generally hard. However, the description is insufficient to explain precisely the hardness of EI for the relevant pairings. In fact one can find a $d$-th root $y$ in polynomial time for most pairing-friendly curves. The following is well known, but we give a proof for the convenience of the reader.

Theorem 1. Let $d$ be an integer such that $d \mid (q^k - 1)$ and $\gcd(d, (q^k-1)/d) = 1$. Then, given $z \in (\mathbb{F}_{q^k}^*)^d$, there exists an algorithm that finds a root $y \in \mathbb{F}_{q^k}^*$ of the equation $y^d = z$ in $O(k^3 \log^3 q)$ bit operations.

Proof. Since $\gcd(d, (q^k-1)/d) = 1$, there exist integers $a$ and $b$ such that $a d - b (q^k-1)/d = 1$. Then from
$$(z^a)^d = z^{1 + b(q^k-1)/d} = z \cdot z^{b(q^k-1)/d} = z \cdot (y^d)^{b(q^k-1)/d} = z \cdot y^{b(q^k-1)} = z,$$
$z^a$ is a $d$-th root of $z$. We can compute $z^a$ by executing the extended Euclidean algorithm once and computing one $\mathbb{F}_{q^k}$-exponentiation. □

Most pairing-friendly curves satisfy $r^2 \nmid q^k - 1$. In this case the exponent $d := (q^k-1)/r$ is relatively prime to $(q^k-1)/d = r$. Thus one can find a $d$-th root of $z$ very efficiently. Let $\zeta$ be a generator of $\mathbb{F}_{q^k}^*$. For a solution $y_0$ of $y_0^d = z$, $y_0 \zeta^{i(q^k-1)/d}$ is another solution for each $0 \le i < d$, since $\zeta^{(q^k-1)/d}$ is a primitive $d$-th root of unity. A generator $\zeta$ of $\mathbb{F}_{q^k}^*$ can be found in $O(k^4 \log^4 q)$ bit operations when the factorization of $q^k - 1$ is known [5]. Thus once one gets a solution $y_0$ of $y_0^d = z$, one can compute every solution of $y^d = z$, i.e., $\{y_0 \zeta^{i(q^k-1)/d} : 0 \le i < d\}$. We remark that in the case $d^i \,\|\, q^k - 1$ for some $i > 1$, a $d$-th root can be computed by means of the Adleman-Manders-Miller algorithm [1] (see also [4, Section 7.3]), which uses a DLP solver as a subroutine.

3.2 The Hardness of EI

Let us consider the Tate pairing $t : E(\mathbb{F}_{q^k})[r] \times E(\mathbb{F}_{q^k}) \to \mu_r \subset \mathbb{F}_{q^k}^*$; $(Q,P) \mapsto f_{r,Q}(P)^{(q^k-1)/r}$. Recall that, given $Q$ and $z$, FAPI-1 for the Tate pairing $t(Q, \cdot) = z$ can be solved by finding 1) a $(q^k-1)/r$-th root $y$ of $z$ and then 2) a point $P \in E(\mathbb{F}_{q^k})$ satisfying $f_{r,Q}(P) = y$. Since there are $(q^k-1)/r$ candidate solutions of EI, it seems infeasible to find a proper root. However, Galbraith, Hess, and Vercauteren showed that it is enough to work with a random root $y$, i.e., with high probability there exists a point $P$ corresponding to a random root [6, Example 18]. Since computing a random $(q^k-1)/r$-th root is easy, as discussed above, FAPI-1 for the Tate pairing is polynomial-time reducible to MI. Note, however, that MI requires finding a root of a high-degree (approximately $r$) polynomial equation induced from the rational function equation $f_{r,Q}(\cdot) = y$.

For the Ate pairing or other variants of the Tate pairing defined on $G_2 \times G_1$, the situation is totally different. As briefly mentioned in [15], taking a random $(q^k-1)/r$-th root does not help to find a point of $G_1$ in MI. More precisely, this class of pairings can be described as
$$t' : G_2 \times G_1 \to \mathbb{F}_{q^k}^*/(\mathbb{F}_{q^k}^*)^r \cong \mu_r,$$
where the map from $G_2 \times G_1$ to $\mathbb{F}_{q^k}^*/(\mathbb{F}_{q^k}^*)^r$ is given by $f_{s,Q}(P)$ for an integer $s$, and the isomorphism is the $(q^k-1)/r$-th power map. Since for a fixed $Q \in G_2$ the average cardinality of the image set $\{f_{s,Q}(P) : P \in G_1\}$ is $r$, the image set forms a set of representatives of the equivalence classes in $\mathbb{F}_{q^k}^*/(\mathbb{F}_{q^k}^*)^r$. Suppose $P \in G_1$ is a solution of FAPI-1, $t'(Q, \cdot) = z$, for this class of pairings. Then a random $(q^k-1)/r$-th root of $z$ is of the form $f_{s,Q}(P)\,\alpha^r$ for some $\alpha \in \mathbb{F}_{q^k}^*$, and solving the equation $f_{s,Q}(\cdot) = f_{s,Q}(P)\,\alpha^r$ does not give a point in $G_1$ in general. Therefore it is required to clarify the definition of EI with regard to the prescribed domain, so that it reflects the crucial hardness.

Definition 3 (Reformulation of EI). Let $e : G_1 \times G_2 \to \mathbb{F}_{q^k}^*/(\mathbb{F}_{q^k}^*)^r \cong \mu_r$ be a pairing on an elliptic curve, where the map from $G_1 \times G_2$ to $\mathbb{F}_{q^k}^*/(\mathbb{F}_{q^k}^*)^r$ is given by $f_{s,P_1}(P_2)$ for an integer $s$ and the isomorphism is the $d$-th power map. Then, given $P_1 \in G_1$ and $z \in \mu_r$, the Exponentiation Inversion (EI) problem is to find an element of
$$\{\, y \in \mathbb{F}_{q^k}^* : y^d = z \,\} \cap \{\, f_{s,P_1}(P_2) \in \mathbb{F}_{q^k}^* : P_2 \in G_2 \,\}.$$
EI for a fixed second argument is defined analogously.

In the case of the Tate pairing on $E(\mathbb{F}_{q^k})[r] \times E(\mathbb{F}_{q^k})$, the cardinality of the set $\{y \in \mathbb{F}_{q^k}^* : y^d = z\} \cap \{f_{s,P_1}(P_2) : P_2 \in G_2\}$ is approximately $d$, whereas it is approximately $1$ in the case of the variants on $G_2 \times G_1$, which implies that EI for pairings on the small domain is hard. Once one solves EI for the variants of the Tate pairing, MI is easier than for the Tate pairing, since the value $s$ can be reduced to $r^{1/\varphi(k)}$ [16].
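The root extraction of Theorem 1 and the enumeration of all $d$ roots from the remark after it, as an added worked example (not code from the paper). It runs in the prime field $\mathbb{F}_p^*$ with constructed toy parameters $p = 61$, $r = 5$, $d = (p-1)/r = 12$, so $k = 1$ and the group order is $p - 1$ rather than $q^k - 1$;the exponent arithmetic is exactly that of the proof, only the field multiplication would change for an extension field. The generator $2$ of $\mathbb{F}_{61}^*$ and the function names are assumptions of this example, not values from the paper.

```python
"""Root extraction for the final exponentiation, following Theorem 1.

Added example, not code from the paper.  Works in F_p^* (k = 1) with group
order p - 1 = r * d, so d = (p - 1)/r plays the role of the Tate exponent
(q^k - 1)/r.  The exponent computation is identical for F_{q^k}^*; only the
group arithmetic would differ.
"""
from math import gcd


def root_exponent(d, group_order):
    """Return a with a*d = 1 (mod group_order/d), the exponent of Theorem 1.

    Requires gcd(d, group_order/d) = 1, which holds for d = (q^k-1)/r whenever
    r^2 does not divide q^k - 1.  Otherwise a d-th root needs the
    Adleman-Manders-Miller algorithm plus a DLP solver (not implemented here).
    """
    cofactor = group_order // d
    if group_order % d or gcd(d, cofactor) != 1:
        raise ValueError("need d | group_order and gcd(d, group_order/d) = 1")
    return pow(d, -1, cofactor)          # extended Euclid: a*d - b*cofactor = 1


def dth_root(z, d, p):
    """One d-th root of z in F_p^*, valid when z is a d-th power (e.g. z in mu_r)."""
    a = root_exponent(d, p - 1)
    y = pow(z, a, p)                     # a single exponentiation, as in the proof
    if pow(y, d, p) != z % p:
        raise ValueError("z is not a d-th power in F_p^*")
    return y


def all_dth_roots(z, d, p, zeta):
    """Every d-th root of z: y0 * zeta^(i*(p-1)/d) for 0 <= i < d.

    zeta must generate F_p^*; zeta^((p-1)/d) is then a primitive d-th root of
    unity, and multiplying y0 by its powers enumerates all d solutions of y^d = z.
    These are the (q^k-1)/r candidates of Section 3.2.
    """
    y0 = dth_root(z, d, p)
    omega = pow(zeta, (p - 1) // d, p)
    return sorted({y0 * pow(omega, i, p) % p for i in range(d)})


def tate_exponent(p, r):
    """d = (p-1)/r as in the Tate final exponentiation, checking r || p-1."""
    if (p - 1) % r or ((p - 1) // r) % r == 0:
        raise ValueError("need r | p-1 and r^2 does not divide p-1")
    return (p - 1) // r


# Constructed toy parameters (an assumption of this example, not from the
# paper): p = 61, r = 5, hence d = 12 and gcd(12, 5) = 1; 2 generates F_61^*
# because 61 - 1 = 2^2 * 3 * 5 and 2^30, 2^20, 2^12 are all != 1 mod 61.
P, R, ZETA = 61, 5, 2

if __name__ == "__main__":
    d = tate_exponent(P, R)
    z = pow(ZETA, d, P)                  # an element of mu_r: z^r = 1
    y = dth_root(z, d, P)
    roots = all_dth_roots(z, d, P, ZETA)
    print(f"d = {d}, z = {z}, one root y = {y}, number of roots = {len(roots)}")
```

For the Tate pairing on the large domain any of the returned roots will do, since a random root corresponds to some point with high probability [6, Example 18]; for the variants on $G_2 \times G_1$ only the root that lies in the image of $f_{s,Q}$ on $G_1$ is useful, and nothing in the field arithmetic above distinguishes it from the other $d - 1$.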
Thus one naturally expects that the hardness of MI and that of EI are complementary, and hence that the hardness of FAPI for the Tate pairing on the large domain and for its variants on the smaller domain is invariant. We discuss this precisely in the next section.

4 Equivalence of FAPI for the Tate and the Ate Pairings

In this section we investigate the relationship between FAPI for the Tate pairing $t : E(\mathbb{F}_{q^k})[r] \times E(\mathbb{F}_{q^k}) \to \mu_r$ and FAPI for the Ate pairing. Note that the Ate pairing and the other variants can be computed as $t' := t^\kappa$ for some integer $\kappa$ with $r \nmid \kappa$, with the domain restricted to $G_2 \times G_1$. If the domain of the Tate pairing is restricted to $G_2 \times G_1$, the equivalence of FAPI among these pairings is trivial. However, if the domain of the first argument of the Tate pairing is extended to $E(\mathbb{F}_{q^k})[r]$ (or the second argument to $E(\mathbb{F}_{q^k})$), which is the original space, then the relationship of FAPI between them is no longer obvious. Note that if $E(\mathbb{F}_{q^k})$ has no point of order $r^2$, $E(\mathbb{F}_{q^k})[r]$ is a set of representatives of $E(\mathbb{F}_{q^k})/rE(\mathbb{F}_{q^k})$. Thus every $R \in E(\mathbb{F}_{q^k})$ is written as a sum of some $P \in G_1$, $Q \in G_2$, and an $r$-multiple of some $P' \in E(\mathbb{F}_{q^k})$, i.e., $R = P + Q + rP'$. And since $E(\mathbb{F}_{q^k})[r] = G_1 \oplus G_2$, every $S \in E(\mathbb{F}_{q^k})[r]$ is written as a sum of some $P \in G_1$ and $Q \in G_2$. The following lemma is well known.

Lemma 3. Let $E$ be an ordinary elliptic curve over $\mathbb{F}_q$ and $r$ a prime such that $r \mid \#E(\mathbb{F}_{q^k})$ and $r \nmid q - 1$. Then the maps $t : G_i \times G_i \to \mu_r$ for $i = 1, 2$ are both trivial.

Now we are in a position to show the computational equivalence between FAPI for the Tate pairing on the large domain and FAPI for the Ate pairing on the smaller domain. Note that a solution of FAPI for the Tate pairing need not belong to the domain of the Ate pairing. Thus it is required to extract a proper point from this intermediate solution.

Theorem 2. Let $E$ be an ordinary elliptic curve over $\mathbb{F}_q$ and $r$ a prime such that $r \mid \#E(\mathbb{F}_{q^k})$ and $r \nmid q - 1$. Suppose that $E(\mathbb{F}_{q^k})$ has no point of order $r^2$. Then FAPI-1 for the Tate pairing $t : G_2 \times E(\mathbb{F}_{q^k}) \to \mu_r$ is computationally equivalent to FAPI-1 for the Ate pairing (including its variants) $t' := t^\kappa : G_2 \times G_1 \to \mu_r$.

Proof. Let $z \in \mu_r$ and $Q \in G_2$ be an instance of FAPI-1. Let $\Sigma_t$ and $\Sigma_{t'}$ be oracles for FAPI-1 for $t$ on $G_2 \times E(\mathbb{F}_{q^k})$ and for $t'$ on $G_2 \times G_1$, respectively. That is, on input $z \in \mu_r$ and $Q \in G_2$, $\Sigma_t$ and $\Sigma_{t'}$ output $P_t \in E(\mathbb{F}_{q^k})$ and $P_{t'} \in G_1$ satisfying $t(Q, P_t) = z$ and $t'(Q, P_{t'}) = z$, respectively.

It is easy to see that FAPI-1 for $t'$ on $G_2 \times G_1$ implies FAPI-1 for $t$ on $G_2 \times E(\mathbb{F}_{q^k})$. Giving the input $(z, Q)$ to $\Sigma_{t'}$, we obtain $P_{t'} \in G_1 \subset E(\mathbb{F}_{q^k})$. Since $t(\cdot,\cdot)^\kappa = t'(\cdot,\cdot)$ on $G_2 \times G_1$, we have $t(Q, \kappa P_{t'}) = t(Q, P_{t'})^\kappa = t'(Q, P_{t'}) = z$. Hence we can solve FAPI-1 for $t$ on $G_2 \times E(\mathbb{F}_{q^k})$ with one call to $\Sigma_{t'}$.

Conversely, on input $(z, Q)$, suppose $\Sigma_t$ outputs $P_t$ such that $t(Q, P_t) = z$. Then, since $E(\mathbb{F}_{q^k})$ has no point of order $r^2$,
$$P_t = Q_1 + P + rP' \qquad (1)$$
for some $Q_1 \in G_2$, $P \in G_1$, and $P' \in E(\mathbb{F}_{q^k})$. First we claim that $(\kappa^{-1} \bmod r)P$ is the desired point, i.e., $t'(Q, (\kappa^{-1} \bmod r)P) = z$. This is verified as follows:
$$z^\kappa = t(Q, Q_1 + P + rP')^\kappa = t(Q,Q_1)^\kappa\, t(Q,P)^\kappa\, t(Q,rP')^\kappa = t(Q,Q_1)^\kappa\, t(Q,P)^\kappa = t(Q,Q_1)^\kappa\, t'(Q,P) = t'(Q,P),$$
where $t(Q, rP')^\kappa = 1$ because pairing values lie in $\mu_r$, and the last equality comes from Lemma 3. Now it suffices to extract $P$ from $P_t$. From $r \nmid q - 1$ we have $E[r] \subseteq E(\mathbb{F}_{q^k})$, so $r^\delta \,\|\, \#E(\mathbb{F}_{q^k})$ for some integer $\delta \ge 2$. (In fact $\delta = 2$, since $E(\mathbb{F}_{q^k})$ has rank at most 2 and no point of order $r^2$.) Multiplying both sides of (1) by $\#E(\mathbb{F}_{q^k})/r^\delta$, we have
$$\frac{\#E(\mathbb{F}_{q^k})}{r^\delta}\, P_t = \frac{\#E(\mathbb{F}_{q^k})}{r^\delta}\, Q_1 + \frac{\#E(\mathbb{F}_{q^k})}{r^\delta}\, P + \frac{\#E(\mathbb{F}_{q^k})}{r^{\delta-1}}\, P'.$$

Note that if $(\#E(\mathbb{F}_{q^k})/r^{\delta-1})\,P' \ne O$, then $r^2$ would divide the order of $P'$, contradicting that $E(\mathbb{F}_{q^k})$ has no point of order $r^2$. Thus the above equation becomes
$$\frac{\#E(\mathbb{F}_{q^k})}{r^\delta}\, P_t = \frac{\#E(\mathbb{F}_{q^k})}{r^\delta}\, Q_1 + \frac{\#E(\mathbb{F}_{q^k})}{r^\delta}\, P. \qquad (2)$$
Next we extract the point $(\#E(\mathbb{F}_{q^k})/r^\delta)\,P$ from (2). The technique follows the previous work of Galbraith and Verheul [7, Proposition 1]: applying the $q$-th power Frobenius map to both sides of (2), we have
$$\frac{\#E(\mathbb{F}_{q^k})}{r^\delta}\, \pi_q(P_t) = q \cdot \frac{\#E(\mathbb{F}_{q^k})}{r^\delta}\, Q_1 + \frac{\#E(\mathbb{F}_{q^k})}{r^\delta}\, P,$$
and hence, together with (2),
$$(q-1)\, \frac{\#E(\mathbb{F}_{q^k})}{r^\delta}\, P = \frac{\#E(\mathbb{F}_{q^k})}{r^\delta}\, \big( qP_t - \pi_q(P_t) \big).$$
Since $\gcd(r^\delta, q-1) = 1$, the extended Euclidean algorithm yields integers $\alpha$ and $\alpha'$ such that $\alpha(q-1) - \alpha' r^\delta = 1$. Then
$$\frac{\#E(\mathbb{F}_{q^k})}{r^\delta}\, P = (1 + \alpha' r^\delta)\, \frac{\#E(\mathbb{F}_{q^k})}{r^\delta}\, P = \alpha(q-1)\, \frac{\#E(\mathbb{F}_{q^k})}{r^\delta}\, P = \alpha\, \frac{\#E(\mathbb{F}_{q^k})}{r^\delta}\, \big( qP_t - \pi_q(P_t) \big).$$
Also, since $\gcd(\#E(\mathbb{F}_{q^k})/r^\delta, r) = 1$, there exist integers $\beta$ and $\beta'$ such that $\beta \cdot \#E(\mathbb{F}_{q^k})/r^\delta - \beta' r = 1$. Hence we have
$$P = (1 + \beta' r)\, P = \beta\, \frac{\#E(\mathbb{F}_{q^k})}{r^\delta}\, P = \alpha\beta\, \frac{\#E(\mathbb{F}_{q^k})}{r^\delta}\, \big( qP_t - \pi_q(P_t) \big). \quad □$$

Theorem 3. Let $E$ be an ordinary elliptic curve over $\mathbb{F}_q$ and $r$ a prime such that $r \mid \#E(\mathbb{F}_{q^k})$ and $r \nmid q - 1$. Suppose that $E(\mathbb{F}_{q^k})$ has no point of order $r^2$. Then FAPI-2 for the Tate pairing $t : E(\mathbb{F}_{q^k})[r] \times G_1 \to \mu_r$ is computationally equivalent to FAPI-2 for the Ate pairing (including its variants) $t' := t^\kappa : G_2 \times G_1 \to \mu_r$.

Proof. Let $z \in \mu_r$ and $P \in G_1$ be an instance of FAPI-2. Let $\Sigma_t$ and $\Sigma_{t'}$ be oracles for FAPI-2 for $t$ on $E(\mathbb{F}_{q^k})[r] \times G_1$ and for $t'$ on $G_2 \times G_1$, respectively. That is, on input $z \in \mu_r$ and $P \in G_1$, $\Sigma_t$ and $\Sigma_{t'}$ output $Q_t \in E(\mathbb{F}_{q^k})[r]$ and $Q_{t'} \in G_2$ satisfying $t(Q_t, P) = z$ and $t'(Q_{t'}, P) = z$, respectively. Giving the input $(z, P)$ to $\Sigma_{t'}$, we obtain $Q_{t'} \in G_2 \subset E(\mathbb{F}_{q^k})[r]$. Since $t(\cdot,\cdot)^\kappa = t'(\cdot,\cdot)$ on $G_2 \times G_1$, we have $t(\kappa Q_{t'}, P) = t(Q_{t'}, P)^\kappa = t'(Q_{t'}, P) = z$. Hence we can solve FAPI-2 for the Tate pairing on $E(\mathbb{F}_{q^k})[r] \times G_1$ with one call to $\Sigma_{t'}$.

Conversely, suppose that on input $(z, P)$, $\Sigma_t$ outputs $Q_t$ such that $t(Q_t, P) = z$. Then, since $E(\mathbb{F}_{q^k})[r] = G_1 \oplus G_2$, we have
$$Q_t = P' + Q \qquad (3)$$
for some $P' \in G_1$ and $Q \in G_2$. Then from
$$z^\kappa = t(P' + Q, P)^\kappa = t(P', P)^\kappa\, t(Q, P)^\kappa = t(P', P)^\kappa\, t'(Q, P) = t'(Q, P),$$
where the last equality comes from Lemma 3, $(\kappa^{-1} \bmod r)Q$ is the desired point. Now, as presented in [7, Proposition 1], one can extract $Q$ from $Q_t$ as follows. Applying the $q$-th power Frobenius map to both sides of (3) yields $\pi_q(Q_t) = P' + qQ$. Combining this with (3), we have $(q-1)Q = \pi_q(Q_t) - Q_t$. Since $\gcd(r, q-1) = 1$, the extended Euclidean algorithm yields integers $\alpha$ and $\alpha'$ such that $\alpha(q-1) - \alpha' r = 1$. Therefore
$$Q = (1 + \alpha' r)\, Q = \alpha(q-1)\, Q = \alpha\, \big( \pi_q(Q_t) - Q_t \big). \quad □$$

Thus inverting the Ate pairing (including other variants of the Tate pairing) defined on the smaller domain is neither easier nor harder than inverting the Tate pairing defined on the larger domain. If MI gets easier (harder) with the reduced (extended) domain, EI gets harder (easier) to the same extent, and vice versa. Therefore the overall hardness is invariant.

5 Conclusion

In this paper we have reformulated the definition of EI given by Kanayama and Okamoto. We pointed out that a random $(q^k-1)/r$-th root can be computed easily given $z \in \mu_r$, and analyzed where the crucial hardness of inverting the final exponentiation step of pairings lies. We have also investigated the relationship between the inversion of the Tate pairing defined on $E(\mathbb{F}_{q^k})[r] \times E(\mathbb{F}_{q^k})$ and the Ate pairing on $G_2 \times G_1$, and shown that FAPI for these pairings is computationally equivalent. This implies that the hardness of MI and that of EI are complementary in the pairing inversion problem. However, we stress that we currently do not know the precise hardness of FAPI. To the best of our knowledge, there is no known practical attack on FAPI. It is still worth investigating the security of the pairing inversion problem for the Ate pairing or its optimized versions, focusing on the nice algebraic structure they exploit.
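The point-extraction steps used in the proofs of Theorems 2 and 3 (the Frobenius projection of Galbraith and Verheul [7]), as an added worked example that is not code from the paper. For compactness it uses the constructed toy curve $E : y^2 = x^3 + x$ over $\mathbb{F}_{11}$, which is supersingular with $k = 2$, $\#E(\mathbb{F}_{11}) = 12$, $r = 3$, $\mathbb{F}_{121} = \mathbb{F}_{11}(i)$ with $i^2 = -1$ and $\#E(\mathbb{F}_{121}) = 144 = 3^2 \cdot 16$, so $\delta = 2$; the theorems are stated for ordinary curves, but the two extraction formulas use only the Frobenius map, scalar multiplication and the extended Euclidean algorithm, so the toy exercises exactly those steps. The sample points, the field and curve helpers and all function names are assumptions of this example; the curve membership and orders of the sample points are checked in the code rather than taken from the paper.

```python
"""Extracting the G_1 / G_2 component of a point via the Frobenius map, as in
the proofs of Theorems 2 and 3 (technique of Galbraith and Verheul [7]).

Added example, not code from the paper.  Constructed toy setting (an
assumption, not the paper's ordinary-curve setting): E: y^2 = x^3 + x over F_11,
supersingular, embedding degree k = 2, r = 3, F_121 = F_11[i]/(i^2 + 1),
#E(F_121) = (11 + 1)^2 = 144 = 3^2 * 16, hence delta = 2 and N = 16.
"""
p, r = 11, 3
A = 1                          # curve coefficient in y^2 = x^3 + A*x
ORDER_QK = (p + 1) ** 2        # #E(F_{p^2}) for this supersingular curve
DELTA = 2                      # r^DELTA exactly divides ORDER_QK

# --- F_{p^2}: elements are pairs (a, b) meaning a + b*i, with i^2 = -1 --------
def f_add(u, v): return ((u[0] + v[0]) % p, (u[1] + v[1]) % p)
def f_sub(u, v): return ((u[0] - v[0]) % p, (u[1] - v[1]) % p)
def f_mul(u, v): return ((u[0]*v[0] - u[1]*v[1]) % p, (u[0]*v[1] + u[1]*v[0]) % p)
def f_inv(u):
    n = pow(u[0]*u[0] + u[1]*u[1], -1, p)        # inverse of the norm in F_p
    return (u[0]*n % p, -u[1]*n % p)
def f_frob(u):                                    # u^p; i^p = -i since p = 3 mod 4
    return (u[0], -u[1] % p)

# --- affine group law on E; None is the point at infinity O -------------------
def e_neg(P): return None if P is None else (P[0], (-P[1][0] % p, -P[1][1] % p))
def e_add(P, Q):
    if P is None: return Q
    if Q is None: return P
    if P[0] == Q[0]:
        if P[1] != Q[1] or P[1] == (0, 0):        # Q = -P, or a point of order 2
            return None
        num = f_add(f_mul((3, 0), f_mul(P[0], P[0])), (A, 0))      # 3x^2 + A
        lam = f_mul(num, f_inv(f_mul((2, 0), P[1])))                # / 2y
    else:
        lam = f_mul(f_sub(Q[1], P[1]), f_inv(f_sub(Q[0], P[0])))
    x3 = f_sub(f_sub(f_mul(lam, lam), P[0]), Q[0])
    y3 = f_sub(f_mul(lam, f_sub(P[0], x3)), P[1])
    return (x3, y3)
def e_mul(n, P):                                  # double-and-add, n may be negative
    if n < 0: n, P = -n, e_neg(P)
    R = None
    while n:
        if n & 1: R = e_add(R, P)
        P, n = e_add(P, P), n >> 1
    return R
def e_frob(P): return None if P is None else (f_frob(P[0]), f_frob(P[1]))
def on_curve(P):
    x, y = P
    return f_mul(y, y) == f_add(f_mul(x, f_mul(x, x)), f_mul((A, 0), x))

# --- the extraction steps from the proofs -------------------------------------
def split_torsion(S):
    """S in E[r] = G_1 + G_2  ->  (P, Q) with Q = alpha*(pi(S) - S), Theorem 3."""
    alpha = pow(p - 1, -1, r)                    # alpha*(q-1) = 1 mod r
    Q = e_mul(alpha, e_add(e_frob(S), e_neg(S)))
    return e_add(S, e_neg(Q)), Q

def extract_g1(Pt):
    """Pt = Q1 + P + r*P' in E(F_{q^k})  ->  P = alpha*beta*N*(q*Pt - pi(Pt)), Theorem 2."""
    N = ORDER_QK // r ** DELTA
    alpha = pow(p - 1, -1, r ** DELTA)           # alpha*(q-1) = 1 mod r^delta
    beta = pow(N, -1, r)                         # beta*N = 1 mod r
    return e_mul(alpha * beta * N, e_add(e_mul(p, Pt), e_neg(e_frob(Pt))))

# Constructed sample points (assumption; verified by on_curve / e_mul below).
P1 = ((5, 0), (3, 0))          # in E(F_11), order 3: a point of G_1
Q2 = ((6, 0), (0, 3))          # pi(Q2) = 11*Q2 = -Q2, order 3: a point of G_2
PP = ((0, 1), (0, 0))          # (i, 0), order 2: an arbitrary P' outside E[r]

def demo():
    """Return (P, Q) recovered from S = P1 + Q2, and P recovered from Q2 + P1 + r*PP."""
    S = e_add(P1, Q2)                            # in E[r], in neither eigenspace
    P, Q = split_torsion(S)
    Pt = e_add(e_add(Q2, P1), e_mul(r, PP))      # Q1 + P + r*P' as in (1)
    return P, Q, extract_g1(Pt)

if __name__ == "__main__":
    print(demo())
```

The two functions are the only steps a FAPI solver for $t'$ needs on top of an oracle for $t$: `split_torsion` realizes $Q = \alpha(\pi_q(Q_t) - Q_t)$ from the proof of Theorem 3, and `extract_g1` realizes $P = \alpha\beta N(qP_t - \pi_q(P_t))$ with $N = \#E(\mathbb{F}_{q^k})/r^\delta$ from the proof of Theorem 2; the scalar $N$ is what kills the $rP'$ part, and the Frobenius difference is what separates the two eigenspaces.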

References

1. L. M. Adleman, K. Manders, and G. Miller, On taking roots in finite fields, in Proc. of the 18th IEEE Symposium on Foundations of Computer Science, pp. 175–177, 1977.
2. D. Boneh and M. Franklin, Identity-based encryption from the Weil pairing, in Proc. of CRYPTO 2001, vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, 2001.
3. D. Boneh, X. Boyen, and H. Shacham, Short group signatures, in Proc. of CRYPTO 2004, vol. 3152 of Lecture Notes in Computer Science, pp. 41–55, 2004.
4. E. Bach and J. Shallit, Algorithmic Number Theory, Vol. 1, MIT Press, 1996.
5. S. Galbraith, Mathematics of Public Key Cryptography, Cambridge University Press, 2012. Available: http://www.math.auckland.ac.nz/~sgal018/crypto-book/crypto-book.html
6. S. Galbraith, F. Hess, and F. Vercauteren, Aspects of pairing inversion, IEEE Trans. Inf. Theory, vol. 54, no. 12, pp. 5719–5728, 2008.
7. S. Galbraith and E. R. Verheul, An analysis of the vector decomposition problem, in Proc. of PKC 2008, vol. 4939 of Lecture Notes in Computer Science, pp. 308–327, 2008.
8. F. Hess, Pairing lattices, in Proc. of Pairing 2008, vol. 5209 of Lecture Notes in Computer Science, pp. 18–38, 2008.
9. F. Hess, N. Smart, and F. Vercauteren, The Eta pairing revisited, IEEE Trans. Inf. Theory, vol. 52, no. 10, pp. 4595–4602, 2006.
10. A. Joux, A one round protocol for tripartite Diffie-Hellman, in Proc. of ANTS 2000, vol. 1838 of Lecture Notes in Computer Science, pp. 385–393, 2000.
11. N. Kanayama and E. Okamoto, Approach to pairing inversions without solving Miller inversion, IEEE Trans. Inf. Theory, vol. 58, no. 2, pp. 1248–1253, 2012.
12. E. Lee, H. Lee, and C. Park, Efficient and generalized pairing computation on abelian varieties, IEEE Trans. Inf. Theory, vol. 55, no. 4, pp. 1793–1803, 2009.
13. V. S. Miller, Short programs for functions on curves, unpublished manuscript, 1986. Available: http://crypto.stanford.edu/miller/miller.pdf
14. V. S. Miller, The Weil pairing, and its efficient calculation, J. Cryptol., vol. 17, no. 4, pp. 235–261, 2004.
15. F. Vercauteren, The hidden root problem, in Proc. of Pairing 2008, vol. 5209 of Lecture Notes in Computer Science, pp. 89–99, 2008.
16. F. Vercauteren, Optimal pairings, IEEE Trans. Inf. Theory, vol. 56, no. 1, pp. 455–461, 2010.
17. C. Zhao, F. Zhang, and J. Huang, A note on the Ate pairing, Int. J. Inf. Security, vol. 7, no. 6, pp. 379–382, 2008.