¹¹institutetext: School of Mathematics, Sun Yat-sen University, Guangzhou 510275, P.R. China ²²institutetext: School of Mathematics and Statistics, Central South University, P.R. China ³³institutetext: Guangdong Key Laboratory of Information Security, Guangzhou 510006, P.R. China

The Elliptic Net Algorithm Revisited

Shiping Cai 11 Zhi Hu 22 Zheng-An Yao 11 Chang-An Zhao 1133

Abstract

Pairings have been widely used since their introduction to cryptography. They can be applied to identity-based encryption, tripartite Diffie-Hellman key agreement, blockchain and other cryptographic schemes. The Acceleration of pairing computations is crucial for these cryptographic schemes or protocols. In this paper, we will focus on the Elliptic Net algorithm which can compute pairings in polynomial time, but it requires more storage than Miller’s algorithm. We use several methods to speed up the Elliptic Net algorithm. Firstly, we eliminate the inverse operation in the improved Elliptic Net algorithm. In some circumstance, this finding can achieve further improvements. Secondly, we apply lazy reduction technique to the Elliptic Net algorithm, which helps us achieve a faster implementation. Finally, we propose a new derivation of the formulas for the computation of the Optimal Ate pairing on the twisted curve. Results show that the Elliptic Net algorithm can be significantly accelerated especially on the twisted curve. The algorithm can be $80\%$ faster than the previous ones on the twisted 381-bit BLS12 curve and $71.5\%$ faster on the twisted 676-bit KSS18 curve respectively.

Keywords:

Elliptic Net Algorithm Twists of Elliptic Curves Pairings Denominator Elimination High Security Level.

1 Introduction

Pairings as mathematical primitives can offer efficient solutions to some special difficult problems in cryptography [25]. Nowadays, pairings still play a vital role in some areas. In the blockchain, pairings can be applied for the zero-knowledge succinct non-interactive argument of knowledge (zk-SNARK) [8, 14]. Moreover, pairings can be used for the compression of public keys in the isogeny-based cryptosystem [26].

The implementation of pairings is a key operation in these applications. The Weil pairing, the Tate pairing and their variants such as the Ate pairing [17, 21], the R-ate pairing [19], and the Optimal Ate pairing [34] are used in some cryptographic schemes. It is well known that pairings can be computed by Miller’s algorithm [22, 23] which was proposed in 1986. Miller’s algorithm has been optimized a lot since 2000, and it has been developed to be in a relatively mature stage. There also exists another polynomial time algorithm to compute pairings, i.e., the Elliptic Net algorithm. This algorithm was proposed in 2007 by Stange [31] who first defined elliptic nets and gave a relationship between elliptic nets and the Tate pairing. We abbreviate this original Elliptic Net algorithm to ENA. Compared with Miller’s algorithm, the Elliptic Net algorithm requires more computational costs while it can be implemented efficiently on a personal computer. Furthermore, there is no inverse operation involved in affine coordinates in the Elliptic Net algorithm. Therefore, the implementation of this algorithm is simple and intuitive.

Elliptic nets are generated by elliptic divisibility sequences which were first studied by Morgan Ward [35] in 1948. These sequences arise from any choice of an elliptic curve and rational points on that curve. For more information about elliptic divisibility sequences see [10]. The method called Double-and-Add for updating each value of an elliptic divisibility sequence in polynomial time which was proposed by Rachel Shipsey [30].

Pairings can be computed using elliptic nets of rank $2$ . The ENA was used to compute the Tate pairing originally [31]. Then the explicit formulas for computing some variants of the Tate pairing using the ENA were given [33, 27]. In 2015, an improved version of the ENA was proposed [7]. We abbreviate this algorithm to IENA in this work. The IENA can perform well if the parameter of the Miller loop has low Hamming weight. Fortunately, the most popular paring-friendly curves all meet this condition. Due to the particularity of the structure of elliptic nets, an parallel strategy for the ENA to compute pairings was proposed [28].

Elliptic nets of rank $1$ can be applied to scalar multiplication, and it is an algorithm that can resist side-channel attacks. Kanayama et al. [18] adopted the ENA to compute scalar multiplication using elliptic nets of rank $1$ , i.e., division polynomials. Besides, there are some other works about scalar multiplication based on elliptic nets. An optimized version of scalar multiplication algorithm using division polynomials was proposed in [6], which saved $four$ multiplications at each iteration by using the equivalence of elliptic nets. Based on these previous works, Rao et al. [32] proposed a modified algorithm based on elliptic nets to compute scalar multiplication.

However, the efficiency of the Elliptic Net algorithm still needs to be avoided. In order to shorten the gap between the Elliptic Net algorithm and Miller’s algorithm in efficiency, we develop several methods. Firstly, we analyze the properties of elliptic nets and conclude that the inverse operation in the IENA can be eliminated. Secondly, we construct the Optimal Ate pairing on the twisted curve and discuss the relationship between the Optimal Ate pairing on the original elliptic curve and that on the twisted curve with divisor and pull-back. This is a new derivation of the formulas for pairing computation which is entirely on the twisted curve. Thirdly, lazy reduction technique is employed in our implementation to get a further improvement. The specific contributions of this work are:

•

We explore how to eliminate the inverse operation in the IENA. For the IENA, an inverse operation is involved at addition step in the Double-and-Add algorithm. In this paper, we get a result in the updating process of the IENA. If all the values of an elliptic net in the current state are multiplied by a non-zero fixed value, then the value of the reduced Tate pairing or its variants can not be changed. This finding means that the inverse operation can be replaced by several multiplications. The implementation indicates that the IENA works well if it is further modified by this trick. Besides, this trick contributes to the scalar multiplication algorithm in [32].
•

The idea of twists is employed to speed up the Elliptic Net algorithm. Twists of elliptic curves are deeply applied to Miller’s algorithm, which can significantly decrease the amount of multiplications. More detailed descriptions see [15, 17]. Throughout the process of Miller’s algorithm, Costello et al. [9] explored the pairing computation which is entirely on the twisted curve. Based on these works, we use the Elliptic Net algorithm to compute the Optimal Ate pairing entirely on the twisted curve. We will provide a new proof based on the theory of divisors and pull-back, which has a strength that it not depends on the process of Miller’s algorithm. Hence, this is totally different from the previous work. Furthermore, we give the explicit formulas of the line function of the Optimal Ate pairing on the twisted curve. We boost the performance of the Elliptic Net algorithm on a 381-bit BLS12 curve at 128-bit security level and a 676-bit KSS18 curve at 192-bit security level by using twists [4]. Twists of elliptic curves allow us to transfer the operations from $\mathbb{F}_{q^{k}}$ to the proper subfield of $\mathbb{F}_{q^{k}}$ , which significantly reduces the total amount of multiplications.
•

We adopt lazy reduction technique [20] which only performs one reduction for the sum of several multiplications to the Elliptic Net algorithm. Lazy reduction was first introduced in quadratic extension field arithmetic for Miller’s algorithm by Michael Scott [29] and further developed in [2]. In the Elliptic Net algorithm, we observe that there are many terms have the form $A\cdot B-C\cdot D$ , which inspires us to apply lazy reduction for this algorithm. In our implementation, lazy reduction reduces by around 27% the number of modular reductions.

We conclude that pairings can be efficiently computed with the Elliptic Net algorithm. Even though it is still slower than Miller’s algorithm, the ratio of the cost of the Elliptic Net algorithm to Miller’s algorithm is reduced from more than $9$ to less than $2$ after the modification in this work.

The rest of this paper is organized as follows. Section 2 gives an overview of pairings, twists of elliptic curves and the Elliptic Net algorithm. In Section 3, we replace an inverse operation by several multiplications in the IENA. Section 4 analyzes the Ate pairing and Optimal Ate pairing on the twisted curve that are computed by the Elliptic Net algorithm. In Section 5, we apply lazy reduction technique to the Elliptic Net algorithm. The implementation and efficiency analysis are discussed in Section 6. Section 7 concludes the paper.

2 Preliminaries

In this section, we will give the definition of the Tate pairing and the (Optimal) Ate pairing. A brief description of twists of elliptic curves and the Elliptic Net algorithm will also be provided.

2.1 Pairings

Let $\mathbb{F}_{q}$ be a finite field where $q=p^{m}\,(m\in\mathbb{Z}^{+})$ and $p$ is a prime. Let $E$ be an elliptic curve defined over $\mathbb{F}_{q}$ . We denote the $q$ -power Frobenius endomorphism on $E$ by $\pi_{q}$ . The number of points on $E/\mathbb{F}_{q}$ is given by $\#E(\mathbb{F}_{q})=q+1-t$ , where $t$ is the Frobenius trace of $\pi_{q}$ .

Choose a large prime $r$ with $r|\#E(\mathbb{F}_{q})$ , and let $k\in\mathbb{Z}^{+}$ be the embedding degree with respect to $r$ such that $r|q^{k}-1$ but $r^{2}\nmid q^{k}-1$ . Choose $P\in E(\mathbb{F}_{q})[r]$ and $Q\in\mathbb{E}(\mathbb{F}_{q^{k}})[r]$ . The $r$ -th roots of unity in $\mathbb{F}_{q^{k}}$ , which we denote by $\mu_{r}$ .

For an integer $i$ and a point $S$ on $E$ , let $f_{i,S}$ be a rational function such that

{\rm Div}(f_{i,S})=i(S)-(iS)-(i-1)(\infty).

In particular, ${\rm Div}(f_{r,P})=rD_{P}=r(P)-r(\infty)$ . Then the reduced Tate pairing [12] is defined as

	$\displaystyle Tate:\mathbb{E}(\mathbb{F}_{q})[r]\times\mathbb{E}(\mathbb{F}_{q^{k}})[r]$	$\displaystyle\rightarrow\mu_{r}$
	$\displaystyle(P,Q)$	$\displaystyle\mapsto Tate(P,Q)=f_{r,P}(Q)^{{q^{k}-1}/r}.$

Furthermore, if we choose $P$ and $Q$ in specific subgroups of $E[r]$ , the pairing computation can be sped up. Define

\mathbb{G}_{1}\triangleq E[r]\bigcap Ker(\pi_{q}-[1]),\,\mathbb{G}_{2}\triangleq E[r]\bigcap Ker(\pi_{q}-[q]).

Choose $P\in\mathbb{G}_{1}$ and $Q\in\mathbb{G}_{2}$ . Let $T=t-1$ . We can define a pairing when $r\nmid(T^{k}-1)/r$ :

	$\displaystyle Ate_{E}:\mathbb{G}_{2}\times\mathbb{G}_{1}$	$\displaystyle\rightarrow\mu_{r}$
	$\displaystyle(Q,P)$	$\displaystyle\mapsto Ate_{E}(Q,P)=f_{T,Q}(P)^{{q^{k}-1}/r},$

which is called the Ate pairing [17].

The Ate pairing is a variant of the Tate pairing, and the length of the Miller loop is short[21, 19]. The Optimal Ate pairing allows us to obtain the shortest loop length [34]. We have the following theorem [34, 37, 38].

Theorem 2.1

Let $\lambda=\alpha r$ with $r\nmid\alpha$ . We have $\lambda=\sum_{i=0}^{\varphi(k)}c_{i}q^{i}$ , where $\varphi(k)$ is the Euler function of $k$ , then we can define a bilinear map

	$\displaystyle Opt_{E}:\mathbb{G}_{2}\times\mathbb{G}_{1}$	$\displaystyle\rightarrow\mu_{r}$
	$\displaystyle(Q,P)$	$\displaystyle\!\mapsto Opt_{E}(Q,P)\!=(\!\prod_{i=0}^{\varphi(k)-1}\!f_{c_{i},Q}^{q^{i}}(P)\!\cdot\!\prod_{i=0}^{\varphi(k)-1}\!\frac{l_{[s_{i+1}]Q,[c_{i}q^{i}]Q}(P)}{v_{[s_{i}]Q}(P)})^{{q^{k}-1}/r},$

where $s_{i}=\sum_{j=i}^{\varphi(k)}c_{j}q^{j}$ . If $\alpha kq^{k-1}\neq\left(\left(q^{k}-1\right)/r\right)\sum_{i=0}^{\varphi(k)-1}ic_{i}q^{i-1}(\bmod\,r),$ then $Opt_{E}$ is non-degenerate. We call $Opt_{E}$ as the Optimal Ate pairing.

The explicit expression of the Optimal Ate pairing depends on the family type of pairing-friendly curves. In this work, we mainly consider the implementation of the Optimal Ate pairing on the BLS12 and KSS18 curves. More specific information will be discussed in Section 6.

2.2 Twists of Elliptic Curves

Definition 1

A twist of degree $d$ of $E$ is an elliptic curve $E^{\prime}$ defined over $\mathbb{F}_{q^{k/d}}$ . We can define an isomorphism $\Psi_{d}$ over $\mathbb{F}_{q^{k}}$ from $E^{\prime}$ to $E$ with $d$ is minimal:

\Psi_{d}:E^{\prime}\left(\mathbb{F}_{q^{k/d}}\right)\longrightarrow E\left(\mathbb{F}_{q^{k}}\right).

The potential degree $d$ is $2,3,4$ or $6$ [25, 15]. For the BLS12 and KSS18 curves, $E^{\prime}$ is a twist of degree $6$ of $E$ . Let $\xi\in\mathbb{F}_{q^{k/6}}$ . For the M-type and D-type twists [3] with degree $d=6$ , the corresponding isomorphism $\Psi_{6}$ is given as follows:

	$\displaystyle M-type:$	$\displaystyle E^{\prime}:y^{2}=x^{3}+b\xi$	$\displaystyle\Psi_{6}:E^{\prime}\rightarrow E:(x,y)\mapsto\left(\xi^{-1/3}x,\xi^{-1/2}y\right),$		(1)
	$\displaystyle D-type:$	$\displaystyle E^{\prime}:y^{2}=x^{3}+b/\xi$	$\displaystyle\Psi_{6}:E^{\prime}\rightarrow E:(x,y)\mapsto\left(\xi^{1/3}x,\xi^{1/2}y\right).$		(1)

Furthermore, we have the following theorem for the Tate pairing:

Theorem 2.2

[5] Let $E_{1}/\mathbb{F}_{q}$ be an elliptic curve. Choose $r_{0}|\#E_{1}(\mathbb{F}_{q})$ . Suppose that the embedding degree with respect to $q$ and $r_{0}$ is $k$ . There exists an isogeny $\phi:E_{1}\rightarrow E_{2}$ and $\hat{\phi}$ is the dual of $\phi$ , where $E_{2}$ is an elliptic curve over $\mathbb{F}_{q^{k}}$ . Choose $P\in E_{1}(\mathbb{F}_{q})[n]$ and $Q\in E_{2}(\mathbb{F}_{q^{k}})$ . We have $e(P,\phi(Q))=e(\hat{\phi}(P),Q)$ .

Notice that $\Psi_{d}$ is an isogeny of degree $1$ . If we denote the dual of $\Psi_{d}$ by $\hat{\Psi}_{d}$ , then $\hat{\Psi}_{d}\circ\Psi_{d}=[1]$ , i.e., $\Psi_{d}^{-1}=\hat{\Psi}_{d}$ . By Definition 1, choose $P\in E(\mathbb{F}_{q})[r]$ and $Q^{\prime}\in E^{\prime}(\mathbb{F}_{q^{k/d}})$ . We can compute pairings $(Opt)Ate_{E^{\prime}}(\hat{\Psi}_{d}(P),Q^{\prime})$ on the twisted curve $E^{\prime}$ . And the loop length is the same as $(Opt)Ate_{E}(P,\Psi_{d}(Q^{\prime}))$ which is computed on the original curve $E$ .

Furthermore, define

\Phi_{d}=\Psi_{d}^{-1}\circ\pi_{q}\circ\Psi_{d}.

One can verify that $\Phi_{d}$ is a group isomorphism from $E^{\prime}$ to $E^{\prime}$ over $\mathbb{F}_{q^{k}}$ [11], which can be used in Section 4.

2.3 The Elliptic Net algorithm

An elliptic net satisfies some certain recurrence relation which is a map $W$ from a finitely generated free Abelian group $A$ to an integral domain $R$ . An elliptic net of rank 1 satisfies the following recurrence relation:

		$\displaystyle W(\alpha+\beta+\delta,0)W(\alpha-\beta,0)W(\gamma+\delta,0)W(\gamma,0)$		(2)
		$\displaystyle+W(\beta+\gamma+\delta,0)W(\beta-\gamma,0)W(\alpha+\delta,0)W(\alpha,0)$
		$\displaystyle+W(\gamma+\alpha+\delta,0)W(\gamma-\alpha,0)W(\beta+\delta,0)W(\beta,0)=0,$

where $\alpha,\,\,\beta,\,\gamma,\,\delta\in A$ . Let $E_{0}:y^{2}=x^{3}+Ax+B$ be a short Weierstrass curve over $\mathbb{F}_{q}$ , where $4A^{3}+27B^{2}\neq 0$ . And the characteristic of $\mathbb{F}_{q}$ is not equal to $2$ or $3$ .

2.3.1 Scalar Multiplication

For each $n\in\mathbb{Z}^{+}$ , we can define division polynomials $\psi_{n}\in\mathbb{Z}[A,B,x,y]$ as follows [15].

	$\displaystyle\psi_{0}$	$\displaystyle=0,\psi_{1}=1,\psi_{2}=2y,$
	$\displaystyle\psi_{3}$	$\displaystyle=3x^{4}+6Ax^{2}+12Bx-A^{2},$
	$\displaystyle\psi_{4}$	$\displaystyle=4y(x^{6}+5Ax^{4}+20Bx^{3}-5A^{2}x^{2}-4ABx-8B^{2}-A^{3}),$
	$\displaystyle\psi_{2n+1}\psi_{1}$	$\displaystyle=\psi_{n+2}\psi_{n}^{3}-\psi_{n-1}\psi_{n+1}^{3}\,\,(n\geq 2),$
	$\displaystyle\psi_{2n}\psi_{2}$	$\displaystyle=\psi_{n}(\psi_{n+2}\psi_{n-1}^{2}-\psi_{n-2}\psi_{n+1}^{2})\,\,(n\geq 3).$

Division polynomials are elliptic nets of rank $1$ , i.e., $W(i,0)=\psi_{i},\,\forall i\in\mathbb{Z}$ . They can be used to compute scalar multiplication.

Choose $P=(x_{P},y_{P})\in E_{0}(\mathbb{F}_{q})$ , and define two polynomials $\zeta_{n},\,\omega_{n}$ . These formulas can be used to compute $[n]P=(x_{nP},y_{nP})$ as follows.

[n]P=\left(\frac{\zeta_{n}(P)}{\psi_{n}(P)^{2}},\frac{\omega_{n}(P)}{\psi_{n}(P)^{3}}\right),

(3)

where

	$\displaystyle\zeta_{n}$	$\displaystyle=x_{P}\psi_{n}^{2}-\psi_{n+1}\psi_{n-1},$
	$\displaystyle 4y_{P}\omega_{n}$	$\displaystyle=\psi_{n+2}\psi_{n-1}^{2}-\psi_{n-2}\psi_{n+1}^{2}.$

Equation (3) can be represented by elliptic nets of rank $1$ [18]:

	$\displaystyle x_{nP}$	$\displaystyle=x_{P}-\frac{W(n-1,0)W(n+1,0)}{W(n,0)^{2}},$		(4)
	$\displaystyle y_{nP}$	$\displaystyle=\frac{W(n-1,0)^{2}W(n+2,0)-W(n+1,0)^{2}W(n-2,0)}{4y_{P}W(n,0)^{3}}.$		(4)

2.3.2 Pairing Computation

Elliptic nets of rank $2$ is applied to pairing computation. The relationship between the Tate pairing and an elliptic net is given below.

Theorem 2.3

[31] Choose $P\in E(\mathbb{F}_{q})[r]$ and $Q\in E(\mathbb{F}_{q^{k}})[r]$ such that $[r]P=\infty$ . If $W_{P,Q}$ is the elliptic net associated to $E$ , $P$ , $Q$ , then we have

f_{r,P}(D_{Q})=\frac{W_{P,Q}(r+1,1)W_{P,Q}(1,0)}{W_{P,Q}(r+1,0)W_{P,Q}(1,1)}.

According to Equation (2), we obtain the explicit formulas to update the values of an elliptic net. We can compute the Tate pairing in polynomial time if the initial values of an elliptic net are given. For simplicity, we abbreviate $W_{P,Q}(n,s)$ to $W(n,s)$ . In [31], they defined a block that consists of a first vector of eight consecutive terms centered on term $W(i,0)$ and a second vector of three consecutive terms centered on $W(i,1)$ , where $i\in\mathbb{Z}$ .

Assume that $W(1,0)=W(0,1)=1$ . For the first vector, all of $W(n,0)$ terms can be updated by two formulas as follows.

W(2i-1,0)=W(i+1,0)W(i-1,0)^{3}-W(i-2,0)W(i,0)^{3},

(5)

\begin{split}W(2i,0)=(W(i,0)W(i+2,0)W(i-1,0)^{2}\\ -W(i,0)W(i-2,0)W(i+1,0)^{2})/W(2,0).\end{split}

(6)

For the second vector, we need the following formulas to update the $W(n,1)$ terms.

\begin{split}W(2i-1,1)=(W(i+1,1)W(i-1,1)W(i-1,0)^{2}\\ -W(i,0)W(i-2,0)W(i,1)^{2})/W(1,1),\end{split}

(7)

\begin{split}W(2i,1)=(W(i-1,1)W(i+1,1)W(i,0)^{2}\\ -W(i-1,0)W(i+1,0)W(i,1)^{2}),\end{split}

(8)

\begin{split}W(2i+1,1)=(W(i-1,1)W(i+1,1)W(i+1,0)^{2}\\ -W(i,0)W(i+2,0)W(i,1)^{2})/W(-1,1),\end{split}

(9)

\begin{split}W(2i+2,1)=(W(i+1,0)W(i+3,0)W(i,1)^{2}\\ -W(i-1,1)W(i+1,1)W(i+2,0)^{2})/W(2,-1).\end{split}

(10)

For some certain conditions, $W(2,0)$ can be changed to $1$ by the equivalence of elliptic nets [6].

Algorithm 1 The improved Elliptic Net algorithm [7]

0: Initial terms

a=W(2,0),\,b=W(3,0),\,c=W(4,0),\,d=W(2,1),\,e=W(-1,1),\,f=W(2,-1),\,g=W(1,1),\,h=W(2,1)

of the Elliptic Net algorithm satisfies

W(1,0)=W(0,1)=1

and

n=(d_{l}d_{l-1}...d_{0})_{2}\in\mathbb{Z}

with

d_{l}=1

and

d_{i}\in\{0,1\}

for

0\leq i\leq l-2

W(n,0),W(n,1)

V\leftarrow[[-a,-1,0,1,a,b,c],[1,g,d]]

2: for

i=l-1\to 0

3: if

d_{i}=0

then

V\leftarrow Double(V)

5: else

V\leftarrow DoubleAdd(V)

7: end if

8: end for

9: return

V[0,3],V[1,1]

The IENA is shown in Algorithm 1. Generally, updating a block centered on $i$ to a block centered on $2i$ is called the Double step, and updating a block centered on $i$ to a block centred on $2i+1$ is called the DoubleAdd step, which is represented by $Double(V)$ and $DoubleAdd(V)$ respectively. The algorithm to compute the process of line 2-8 in Algorithm 1 is called the Double-and-Add algorithm. If we just need to compute scalar multiplication, then we only need to update the first vector by Equation (5)-(6). We do not use the IENA to compute scalar multiplication here. There exists an inversion if we need to compute the DoubleAdd step in the IENA. But for the scalar multiplication, the scalar $n$ is random and we can not ensure that $n$ is an integer with low Hamming weight. Notice that $4$ multiplications can be saved at each iteration in the Double-and-Add algorithm if $gcd(p-1,3)=1$ [6]. In this work, we will improve the Double-and-Add algorithm for scalar multiplication in two situations in [32].

Note that twists of elliptic curves have been applied for accelerating Miller’s algorithm successfully. The situation of operations entirely on the twisted curve $E_{0}^{\prime}$ was proposed [9]. Their derivation of the Ate pairing entirely on the twisted curve heavily relies on the process of Miller’s algorithm. Pairings entirely on the twisted curve can also be computed by the Elliptic Net algorithm, but it still needs to be verified.

3 Elimination of the Inverse Operation

In the IENA, an inverse operation is always involved at addition step. We will show how to eliminate this inverse operation in this section, i.e., replace the inversion by few multiplications.

When a block centered on $i$ is updated to a block centered on $2i+1$ , the value $W(2i+4,0)$ satisfies the following recursive formula:

W(2i+4,0)=\frac{W(2i+3,0)W(2i+1,0)W(2,0)^{2}-W(3,0)W(1,0)W(2i+2,0)^{2}}{W(2i,0)}.

(11)

From Equation (11), we need to compute the inverse element of $W(2i,0)$ . To eliminate this inverse operation, we multiply $W(\lambda,0)_{2i-3\leq\lambda\leq 2i+4}$ by $W(2i,0)$ simultaneously when the bit is equal to $1$ . We have the following theorem to support this approach.

Theorem 3.1

Let $W(\lambda,0)_{i-3\leq\lambda\leq i+3}$ , $W(\lambda,1)_{i-1\leq\lambda\leq i+1}\in\mathbb{F}_{q^{k}}$ be the current state of an elliptic net.

For $\alpha\in\mathbb{F}_{q^{k}}^{*}$ , if $W(\lambda,0)_{i-3\leq\lambda\leq i+3}$ are multiplied by $\alpha$ , i.e.,

\hat{W}(\lambda,0)_{i-3\leq\lambda\leq i+3}=\alpha\cdot W(\lambda,0)_{i-3\leq\lambda\leq i+3},

then in the next state

		$\displaystyle\hat{W}(\lambda,0)_{2i-3\leq\lambda\leq 2i+3}=\alpha^{4}\cdot W(\lambda,0)_{2i-3\leq\lambda\leq 2i+3},$
		$\displaystyle\hat{W}(\lambda,1)_{2i-1\leq\lambda\leq 2i+1}=\alpha^{2}\cdot W(\lambda,1)_{2i-1\leq\lambda\leq 2i+1}.$

Furthermore, if $\alpha\neq 0$ is chosen to be in a proper subfield of $\mathbb{F}_{q^{k}}$ , then the value of the reduced Tate pairing or its variants can not be changed.

2.

For $\alpha\!\in\mathbb{F}_{q^{k}}^{*}$ , if $W(\lambda,0)_{i-3\leq\lambda\leq i+3}$ and $W(\lambda,1)_{i-1\leq\lambda\leq i+1}$ are multiplied by $\alpha$ , then in the next state all the terms of this elliptic net will be multiplied by $\alpha^{4}$ , and the value of the reduced Tate pairing or its variants can not be changed.

Proof

Let us consider $\hat{W}(2i-1,0)$ first.

Note that the recursive formula for $W(2i-1,0)$ is

\displaystyle W\!(2i\!-\!1,0)

\displaystyle=W\!(i\!+\!1,0)W\!(i\!-\!1,0)^{3}\!-\!W\!(i\!-\!2,0)W\!(i,0)^{3}.

(12)

We multiply $W(\lambda,0)_{i-3\leq\lambda\leq i+3}$ by $\alpha$ , then the new updated $\hat{W}(2i-1,0)$ should be

	$\displaystyle\hat{W}\!(2i\!-\!1,0)$	$\displaystyle=\alpha^{4}(W\!(i\!+\!1,0)W\!(i\!-\!1,0)^{3}\!-\!W\!(i\!-\!2,0)W\!(i,0)^{3})$		(13)
		$\displaystyle=\alpha^{4}\cdot W(2i-1,0).$		(13)

Similarly, we can show that the new updated $\hat{W}(2i,0)=\alpha^{4}\cdot W(2i,0).$ This finishes the proof for the first assertion.

Then we consider the second vector. Note that there are only two values of the first vector involved for computing each $W(\lambda,1)_{2i-1\leq\lambda\leq 2i+2}$ . The new updated $\hat{W}(\lambda,1)_{2i-1\leq\lambda\leq 2i+2}$ will be multiplied by $\alpha^{2}$ .

Therefore, the value of the new pairing is equal to the product of the original pairing value and a fixed power of $\alpha$ . However, if the constant $\alpha$ is chosen to be in a proper subfield of $\mathbb{F}_{q^{k}}$ , then the final exponentiation will eliminate the value of the fixed power of the constant $\alpha$ . So the value of the reduced Tate pairing or its variants can not be changed even if all the values of $W(\lambda,0)_{i-3\leq\lambda\leq i+3}$ in the state are multiplied by a non-zero fixed value $\alpha$ .

Now we prove the second part of this theorem. In Theorem 2.3, we know that

f_{r,P}(D_{Q})=\frac{W_{P,Q}(r+1,1)W_{P,Q}(1,0)}{W_{P,Q}(r+1,0)W_{P,Q}(1,1)}.

If we multiply $W(\lambda,0)_{i-3\leq\lambda\leq i+3}$ and $W(\lambda,1)_{i-1\leq\lambda\leq i+1}$ by $\alpha$ , where $\alpha$ is any non-zero value, then we have:

	$\displaystyle f_{r,P}(D_{Q})$	$\displaystyle=\frac{\alpha^{\ell}W_{P,Q}(r+1,1)W_{P,Q}(1,0)}{\alpha^{\ell}W_{P,Q}(r+1,0)W_{P,Q}(1,1)}$
		$\displaystyle=\frac{W_{P,Q}(r+1,1)W_{P,Q}(1,0)}{W_{P,Q}(r+1,0)W_{P,Q}(1,1)}$

for some integer $\ell$ . This means that if we multiply all values in the updating block by a fixed non-zero value, the ratio of $\frac{W_{P,Q}(r+1,1)}{W_{P,Q}(r+1,0)}$ can not be changed.∎

Remark 1

We just consider the situation at the Double step. At the the DoubleAdd step, the conclusion can be verified similarly.

Remark 2

Theorem 3.1 can also be applied for any pairing-friendly curves while we may have to multiply both dimension of vectors. In this situation, we cost $8$ multiplications and the result can not be changed.

Until now, we have shown how to replace the inverse operation by several multiplications. For some popular pairing-friendly curves, we have a friendly situation. Take the BLS12 curve we used in this work as an example, then there is a proposition which is helpful to our algorithm. The related parameters of the BLS12 curve can be seen in Section 6.1.1 and the towering scheme is shown as follows.

•

$\mathbb{F}_{q^{2}}=\mathbb{F}_{q}[u]/\langle u^{2}-\beta\rangle$ , where $\beta=-1$ ;
•

$\mathbb{F}_{q^{6}}=\mathbb{F}_{q^{2}}[v]/\langle v^{3}-\xi\rangle$ , where $\xi=u+1$ ;
•

$\mathbb{F}_{q^{12}}=\mathbb{F}_{q^{6}}[\omega]/\langle\omega^{2}-v\rangle$ .

Proposition 1

Choose $P\!\in E_{0}(\mathbb{F}_{q})$ and $Q^{\prime}\!=(x_{Q},y_{Q})\!\in E_{0}^{\prime}(\mathbb{F}_{q^{2}})$ .

For $W_{\Psi_{6}(Q^{\prime}),P}(s,0)(s\in\mathbb{Z})$ , if $s$ is odd, then $W_{\Psi_{6}(Q^{\prime}),P}(s,0)$ is in the proper subfield of $\mathbb{F}_{q^{12}}$ ; If $s$ is even, then $W_{\Psi_{6}(Q^{\prime}),P}(s,0)$ belongs to $\mathbb{F}_{q^{12}}$ . Furthermore, let $W_{\Psi_{6}(Q^{\prime}),P}(s,0)=a_{0}+a_{1}\omega,\,a_{0},a_{1}\in\mathbb{F}_{q^{6}}$ , $a_{0}=0$ if $s$ is even.

Proof

We abbreviate $W_{\Psi_{6}(Q^{\prime}),P}(s,0)$ to $W_{\Psi_{6}(Q^{\prime})}(s,0)$ .

Note that $W_{\Psi_{6}(Q^{\prime})}(s,0)=\psi_{s}\in\mathbb{Z}[x,y,A,B]$ , where $\psi_{s}$ is a division polynomial. Therefore, we just verify the proposition in two situations according to Section 3.2 in [36]:

1.

Assume that $s$ is odd, then $\psi_{s}$ is a polynomial in $\mathbb{Z}[x,y^{2},A,B]$ . For the short Weierstrass curve $y^{2}=x^{3}+Ax+B$ , $y^{2}$ can be replaced by polynomials in $x$ . Furthermore, $Q^{\prime}\in E^{\prime}$ and the $x$ -coordinate of $\Psi_{6}(Q^{\prime})$ is $x_{Q}v\in\mathbb{F}_{q^{6}}$ . Therefore, $W_{\Psi_{6}(Q^{\prime})}(s,0)$ is always in a proper subfield of $\mathbb{F}_{q^{12}}$ .
2.

If $s$ is even, then $\psi_{s}$ is a polynomial in $2y\mathbb{Z}[x,y^{2},A,B]$ . And the $y$ -coordinate of $\Psi_{6}(Q^{\prime})$ is $y_{Q}v\omega\in\mathbb{F}_{q^{12}}$ , so $\psi_{s}\in 2y\mathbb{Z}[x,y^{2},A,B]$ can be written as $a_{1}\omega$ , where $a_{1}\in\mathbb{F}_{q^{6}}$ .

∎

From Proposition 1, if $W(\lambda,0)_{i-3\leq\lambda\leq i+3}$ are multiplied by $\alpha=a_{1}\omega$ , where $a_{1}\in\mathbb{F}_{q^{6}}$ , then both $\alpha^{2}$ and $\alpha^{4}$ will always be in $\mathbb{F}_{q^{6}}$ . From Theorem 3.1, in the next state the value of $W_{\Psi_{6}(Q^{\prime}),P}(2s,0)$ or $W_{\Psi_{6}(Q^{\prime}),P}(2s+1,0)$ will be multiplied by $\alpha^{4}$ . And $W_{\Psi_{6}(Q^{\prime}),P}(2s,1)$ or $W_{\Psi_{6}(Q^{\prime}),P}(2s+1,1)$ will be multiplied by $\alpha^{2}$ . Therefore, if the last iteration is the doubling step, then the value of the reduced Tate pairing or its variants can not be changed.

Moreover, the last iteration of the Miller loop on the BLS12 curve will always invoke the doubling step. Hence, we can avoid the inversion in the IENA. This means that we can use $5$ multiplications to eliminate $1$ inversion. Therefore, the effect of our method always works well when the cost of $1$ inverse operation is more than that of $5$ multiplications.

For the situation of scalar multiplication algorithm based on elliptic nets, we have the following corollary.

Corollary 3.2

Choose $P=(x_{P},y_{P})\in E_{0}(\mathbb{F}_{q})$ . Let $W(\lambda,0)_{i-3\leq\lambda\leq i+4}\in\mathbb{F}_{q}$ be the current state of an elliptic net which is associate to $E_{0},\,P$ . For $\alpha\in\mathbb{F}_{q}^{*}$ , if $W(\lambda,0)_{i-3\leq\lambda\leq i+4}$ are multiplied by $\alpha$ , i.e., $\hat{W}(\lambda,0)_{i-3\leq\lambda\leq i+4}=\alpha\cdot W(\lambda,0)_{i-3\leq\lambda\leq i+4}$ . Then the value of the scalar multiplication $[n]P=(x_{nP},y_{nP})(n\in\mathbb{Z}^{+})$ can not be changed.

Proof

From Theorem 3.1, we know that in the next state each $W(\lambda,0)$ will be multiplied by $\alpha^{4}$ . According to Equation (4), we have the following formulae for some integer $l$ :

	$\displaystyle x_{nP}$	$\displaystyle=x_{P}-\frac{\alpha^{2l}W(n-1)W(n+1)}{\alpha^{2l}W(n)^{2}},$
		$\displaystyle=x_{P}-\frac{W(n-1)W(n+1)}{W(n)^{2}},$
	$\displaystyle y_{nP}$	$\displaystyle=\frac{\alpha^{3l}(W(n-1)^{2}W(n+2)-W(n+1)^{2}W(n-2))}{\alpha^{3l}4y_{P}W(n)^{3}},$
		$\displaystyle=\frac{W(n-1)^{2}W(n+2)-W(n+1)^{2}W(n-2)}{4y_{P}W(n)^{3}}.$

∎

Besides, we can have a further improvement based on the algorithm in [32]. Their Double-and-Add algorithm is improved by using some tricks to save $2$ multiplications at each iteration, but it involves $6$ right-shift operations. We can replace these operations by $2$ left-shift operations.

4 The Elliptic Net Algorithm on the Twisted Curve

The application of the twisted curve brings some significant improvements in Miller’s algorithm. However, if we use the twist trick on the original curve with the Elliptic Net algorithm, then it will not be as portable and intuitive as Miller’s algorithm. In 2010, Costello et al. [9] proposed the Ate pairing entirely on the twisted curve for Miller’s algorithm. Actually, when we use the Elliptic Net algorithm to compute pairings, it will also have a good improvement if the related parameters all on the twisted curve. In this section, we will analyze the Ate pairing and the Optimal Ate pairing on the twisted curve with our method and apply our work to the Elliptic Net algorithm.

4.1 The Ate Pairing on the Twisted Curve

Let $E$ be an elliptic curve over $\mathbb{F}_{q}$ , and the related parameters are defined in Section 2.1. Let $E^{\prime}/\mathbb{F}_{q^{e}}$ be the twist of $E$ of degree $d$ with $e=k/d$ . Let $\pi^{\prime}_{q^{e}}$ be the $q^{e}$ -power Frobenius map on $E^{\prime}$ . There exists an isomorphism $\Psi_{d}:E^{\prime}\rightarrow E$ over $\mathbb{F}_{q^{k}}$ , then we can define two groups

\mathbb{G}_{1}^{\prime}\triangleq E^{\prime}[r]\bigcap Ker(\pi^{\prime}_{q^{e}}-[1]),\,\mathbb{G}_{2}^{\prime}\triangleq E^{\prime}[r]\bigcap Ker(\pi^{\prime}_{q^{e}}-[q^{e}]).

Actually, the iterations of the Miller loop $T$ can be set as $(t-1)\,mod\,r$ [21]. When we compute the Ate pairing, the operations are all on the original curve. In the following part, we will give a new derivation of the theorem about pairings entirely on the twisted curve.

Theorem 4.1

For $\Psi_{d}^{-1}(P)\in\mathbb{G}_{2}^{\prime},\,Q^{\prime}\in\mathbb{G}_{1}^{\prime}$ , we can define a pairing on $\mathbb{G}_{1}^{\prime}\times\mathbb{G}_{2}^{\prime}$ if $r\nmid(T^{k}-1)/r$ :

	$\displaystyle Ate_{E^{\prime}}:\mathbb{G}_{1}^{\prime}\times\mathbb{G}_{2}^{\prime}$	$\displaystyle\rightarrow\mu_{r}$
	$\displaystyle(Q^{\prime},\Psi_{d}^{-1}(P))$	$\displaystyle\mapsto Ate_{E^{\prime}}(Q^{\prime},\Psi_{d}^{-1}(P))=(f_{T,Q^{\prime}}(\Psi_{d}^{-1}(P)))^{{q^{k}-1}/r}.$

Proof

We only need to prove that $f_{T,\Psi_{d}(Q^{\prime})}=f_{T,Q^{\prime}}\circ\Psi_{d}^{-1}$ , for all $Q^{\prime}\in\mathbb{G}_{1}^{\prime}$ .

The divisor of $f_{T,\Psi_{d}(Q^{\prime})}$ is

{\rm Div}(f_{T,\Psi_{d}(Q^{\prime})})=T(\Psi_{d}(Q^{\prime}))-([T]\Psi_{d}(Q^{\prime}))-(T-1)(\infty),

and since $\Psi_{d}$ is an isomorphism,

	$\displaystyle(\Psi_{d})^{*}{\rm Div}(f_{T,\Psi_{d}(Q^{\prime})})$	$\displaystyle=T(\Psi_{d})^{}(\Psi_{d}(Q^{\prime}))-(\Psi_{d})^{}([T]\Psi_{d}(Q^{\prime}))-(T-1)(\Psi_{d})^{*}(\infty),$
		$\displaystyle=T(Q^{\prime})-([T]Q^{\prime})-(T-1)(\infty),$
		$\displaystyle=(f_{T,Q^{\prime}}).$

Furthermore, we have $(\Psi_{d})^{*}{\rm Div}(f_{T,\Psi_{d}(Q^{\prime})})={\rm Div}(f_{T,\Psi_{d}(Q^{\prime})}\circ\Psi_{d})$ , then we have $f_{T,\Psi_{d}(Q^{\prime})}\circ\Psi_{d}=f_{T,Q^{\prime}}$ . We compose the formula with $\Psi_{d}^{-1}$ on both sides, and obtain:

f_{T,\Psi_{d}(Q^{\prime})}(P)=f_{T,Q^{\prime}}\circ\Psi_{d}^{-1}(P).

∎

Remark 3

When we compute pairings on the twisted curves, the operations are always in the field where $Q^{\prime}$ is located. The final value we need can be obtained by twists. The transformation involved here is very small for Miller’s algorithm. This is because each transformation only needs to be multiplied by a fixed value $\alpha$ on $\mathbb{F}_{q^{k}}$ . Generally, $\alpha$ is sparse. But for the Elliptic Net algorithm, if we adopt the same idea to use this isomorphism, then the value of $\alpha$ will be changed as the iterations, which means that the transformation of the value we need will not be a friendly process. Therefore, we choose to compute pairings on the twisted curve for the Elliptic Net algorithm.

4.2 The Optimal Ate Pairing on the Twisted Curve

For the Optimal Ate pairing on the twisted curve, the situation is more complicated than that of the Ate pairing while we can still derive the following theorem easily.

Theorem 4.2

Let $\lambda=mr$ with $r\nmid m$ and $\lambda=\sum_{i=0}^{\varphi(k)}c_{i}q^{i}$ . Define

\Phi_{d,i}=\Psi_{d}^{-1}\circ[c_{i}q^{i}]\circ\Psi_{d},

and note that $\Phi_{d,s_{i}}=\Psi_{d}^{-1}\circ[s_{i}]\circ\Psi_{d}$ , where $s_{i}=\sum_{j=i}^{\varphi(k)}c_{j}q^{j}$ . There exists a pairing on $\mathbb{G^{\prime}}_{1}\times\mathbb{G^{\prime}}_{2}$ :

	$\displaystyle Opt_{E^{\prime}}:\mathbb{G^{\prime}}_{1}\times\mathbb{G^{\prime}}_{2}$	$\displaystyle\rightarrow\mu_{r}$
	$\displaystyle(Q^{\prime},\Psi_{d}^{-1}(P))$	$\displaystyle\!\longmapsto(\!\prod_{i=0}^{\varphi(k)}\!f_{c_{i},Q^{\prime}}^{q^{i}}(\Psi_{d}^{-1}\!(P))\!\cdot\!\prod_{i=0}^{\varphi(k)-1}\!\frac{l_{\Phi_{d,s_{i+1}},\Phi_{d,i}(Q^{\prime})}}{v_{\Phi_{d,s_{i}}(Q^{\prime})}}(\Psi_{d}^{-1}(P)))^{(q^{k}-1)/r}.$

Proof

From Theorem 4.1, we have

{\rm Div}(\prod_{i=0}^{\varphi(k)}f_{c_{i},Q^{\prime}}^{q^{i}}\circ\Psi_{d}^{-1})={\rm Div}(\prod_{i=0}^{\varphi(k)}f_{c_{i},\Psi_{d}(Q^{\prime})}).

Let $Q_{i}\triangleq[s_{i+1}]\circ\Psi_{d}(Q^{\prime})$ . Consider the relation between $l_{\Phi_{d,s_{i+1}},\Phi_{d,i}(Q^{\prime})}$ and $l_{Q_{i},[c_{i}q^{i}]\Psi_{d}(Q^{\prime})}$ . From the definition of divisors,

{\rm Div}(l_{Q_{i},[c_{i}q^{i}]\Psi_{d}(Q^{\prime})})=(Q_{i})+([c_{i}q^{i}]\Psi_{d}(Q^{\prime}))+(-Q_{i+1})-3(\infty).

Since $\Psi_{d}$ is an isomorphism,

	$\displaystyle\Psi_{d}^{*}{\rm Div}(l_{Q_{i},[c_{i}q^{i}]\Psi_{d}(Q^{\prime})})$	$\displaystyle=(\Psi_{d}^{-1}(Q_{i}))+(\Psi_{d}^{-1}\circ[c_{i}q^{i}]\circ\Psi_{d}(Q^{\prime}))+(-Q_{i+1})-3(\infty),$
		$\displaystyle=(l_{\Phi_{d,s_{i+1}},\Phi_{d,i}(Q^{\prime})}).$

Therefore,

l_{Q_{i},[c_{i}q^{i}]\Psi_{d}(Q^{\prime})}(P)=l_{\Phi_{d,s_{i+1}},\Phi_{d,i}(Q^{\prime})}\circ\Psi_{d}^{-1}(P).

Similarly,

v_{Q_{i}}(P)=v_{\Phi_{d,i}}(Q^{\prime})\circ\Psi_{d}^{-1}(P).

∎

Remark 4

For $Q^{\prime}\in\mathbb{G}_{1}^{\prime}$ , we have $\pi_{q}\circ\Psi_{d}(Q^{\prime})=[q]\Psi_{d}(Q^{\prime})$ .

Since $\pi_{q}$ is an endomorphism and $\Psi_{d}$ is an isomorphism over $\mathbb{F}_{q^{k}}$ , we have

\pi_{q}\circ\Psi_{d}(Q^{\prime})=\Psi_{d}\circ[q](Q^{\prime}).

Therefore, we have

\Psi_{d}^{-1}\circ\pi_{q}\circ\Psi_{d}(Q^{\prime})=[q](Q^{\prime}),i.e.,\Phi_{d,1}(Q^{\prime})=[q](Q^{\prime}).

Thus, we know that the point in $\mathbb{G}_{1}^{\prime}$ can be mapped to a point in $E[r]$ . This also means that the line function on the twisted curve via this result.

Note that the ratio of the cost of inversions to the multiplications over $\mathbb{F}_{q^{k}}$ decreases if the size of $\mathbb{F}_{q^{k}}$ is larger. When we compute the Ate pairing on the twisted curve, our operations in the first dimension vector centered on $i$ are in $\mathbb{F}_{q^{e}}$ . Compared with the operations in $\mathbb{F}_{q^{k}}$ , it is more necessary to eliminate the inverse operation when the bit is not equal to $0$ . Furthermore, we can use the NAF form to ensure that the density $\rho$ is within the effective range to accelerate the IENA.

5 The Elliptic Net Algorithm with Lazy Reduction

Lazy reduction technique can also be applied to speed up the Elliptic Net algorithm. Lazy reduction was presented formally in [20]. It can save the number of modular reductions during the calculation. The main idea of lazy reduction is to put the required modular reductions of some multiplication operations like $\sum a_{i}b_{i}$ over $\mathbb{F}_{q}$ to the end. So these multiplication operations only need $1$ modular reduction over $\mathbb{F}_{q}$ . Thus it can save the number of modular reductions during the calculation. In this paper, we use Montgomery reduction [24], so the cost of a modular reduction is equal to the cost of one multiplication. Note that each item of $a_{i}b_{i}$ without modular reduction should satisfy the upper bound of Montgomery reduction.

When we use the Elliptic Net algorithm to compute pairings, it contains lots of multiplications like $A\cdot B\pm C\cdot D$ , which needs 2 modular reductions normally. But if we use lazy reduction, we can only need one modular reduction. Obviously, we are not concern about violating the upper bound for this situation since we only use the lazy reduction once each time, and we set $A,B,C,D\in\mathbb{F}_{q}$ . The proposed algorithms using lazy reduction are given for the initialization step and Double-and-Add step respectively. We mainly improve the term $W(3,0)$ and $W(4,0)$ at the initialization step. The improvement is not obvious here, so we only give the number of modular reductions of three situations in Table 1.

Table 1: The Number of Modular Reductions at the Initialization Step

Algorithm	$A,B\neq 0$	$B=0$	$A=0$
ENA [31]	10	8	6
This work	7	6	5

The explicit updating formulas at the Double-and-Add step are mentioned in Section 2.3. The $Double(V)$ and $DoubleAdd(V)$ functions are combined with the lazy reduction technique, and we adopt the new Double-and-Add step in [7] which needs 10 terms in total. We present the Double-and-Add algorithm based on the IENA in Appendix 0.A. Assume that our terms belong to the finite field $\mathbb{F}_{q}$ . At step [7]-[23] we compute the $Double(V)$ function. We update 7 terms in the first vector and 3 terms in the second vector that are both centered on $2i$ . In the ENA, we need 42 modular reductions in each iteration. In contrast, the number of modular reductions decreases to 37 in the IENA. With the help of lazy reduction, the updating process of each term can save one modular reduction, so 10 terms will save 10 modular reductions in total. The $DoubleAdd(V)$ function is computed at step [25]-[43]. These steps contain 40 modular reductions originally and the number of modular reductions decreases to 30 with lazy reduction in each iteration. Table 2 shows the number of modular reductions of three Elliptic Net Algorithms at the Double-and-Add step.

Table 2: The Number of Modular Reductions at the Double-and-Add Step

Algorithm	$Double(V)$	$DoubleAdd(V)$
ENA [31]	42	42
IENA [7]	37	40
This work	27	30

6 Implementation and Analysis

In this section, we implement the optimization of the Elliptic Net algorithm for scalar multiplication and pairing computation respectively. Our algorithms are implemented by using the C programming language compiled with the GCC compiler of which the version is 7.4.0. Our code is based on version 0.5.0 of the RELIC toolkit [1] and we use the Intel Core i7-8550U CPU processor operating at 1.80 GHz that runs on a 64-bit Linux. Our implementation will be divided into two parts. One is scalar multiplication, and the other one is pairing computation. We apply lazy reduction technique to both parts. Note that lazy reduction has a good acceleration effect in the Elliptic Net algorithm.

In the firsy part, we will use different methods to compare the efficiency of computing the Optimal Ate pairing on the twisted curve at 128-bit security level and 192-bit security level respectively. Notice that the $DoubleAdd(V)$ function is not friendly in the IENA. In general, we will choose the loop length which has a low Hamming weight so that we can use $Double(V)$ function more frequently in the whole iterations to accelerate the algorithm.

In the second part, we will show the comparison of the efficiency between computing scalar multiplication in [32] and our work. Scalar multiplication algorithm with division polynomials is similar to the ladder algorithm, and this algorithm is easily coded compared to the traditional double-and-add algorithm. It can naturally resist power attacks, but it is slower than the basic double-and-add algorithm. Therefore, we do not compare our algorithms with the state-of-the-art algorithm for standard elliptic curve scalar multiplication algorithm [13]. We choose the NIST P-384 curve and the NIST P-521 curve to compute scalar multiplication respectively [16]. Notice that for the NIST P-384 curve, the prime $p$ satisfies $\gcd(p-1,3)=1$ . Therefore, we can combine works in [6] with our work to get a further improvement on this curve.

The elliptic curves we choose are the 381-bit BLS12 and 676-bit KSS18 curves. We specify some symbols here to show the amount of operations in this section:

•

$M_{k}$ : the multiplication over $\mathbb{F}_{q^{k}}$ , $S_{k}$ : the square operation over $\mathbb{F}_{q^{k}}$ ,
•

$M$ : the multiplication over $\mathbb{F}_{q}$ , $S$ : the square operation over $\mathbb{F}_{q}$ ,
•

$I_{k}$ : the inversion over $\mathbb{F}_{q^{k}}$ , $A$ : the addition operation over $\mathbb{F}_{q}$ .

6.1 Pairing Computation

In the following part, we will focus on the improvement of pairing computation using the Elliptic Net algorithm.

6.1.1 381-bit BLS12 Curve

The concrete parameters for the 381-bit BLS12 curve with embedding degree $k=12$ are given as follows.

•

$t=-2^{63}-2^{62}-2^{60}-2^{57}-2^{48}-2^{16}$ ;
•

$r=t^{4}-t^{2}+1$ ;
•

$q=(t-1)^{2}(t^{4}-t^{2}+1)/3+t$ ;
•

$E_{0}:y^{2}=x^{3}+4$ over $\mathbb{F}_{q}$ ;
•

$\mathbb{F}_{q^{2}}=\mathbb{F}_{q}[u]/\langle u^{2}-\beta\rangle$ , where $\beta=-1$ ;
•

$\mathbb{F}_{q^{6}}=\mathbb{F}_{q^{2}}[v]/\langle v^{3}-\xi\rangle$ , where $\xi=u+1$ ;
•

$\mathbb{F}_{q^{12}}=\mathbb{F}_{q^{6}}[\omega]/\langle\omega^{2}-v\rangle$ ;
•

the twisted curve $E_{0}^{\prime}$ : $y^{2}=x^{3}+4\xi$ over $\mathbb{F}_{q^{2}}$ .

Recall that $P\in E_{0}(\mathbb{F}_{q})$ and $Q^{\prime}\in E_{0}^{\prime}(\mathbb{F}_{q^{e}})$ . We apply three techniques discussed in this work to the ENA and the IENA for computing the Optimal Ate pairing. According to Theorem 4.2 in Section 3, the explicit formulas of line functions on the twisted BLS12 curve can be obtained. Therefore, for the BLS12 curve, we only need to calculate

(f_{t,\Psi_{6}(Q^{\prime})}(P))^{\frac{q^{12}-1}{r}}\,\,or\,\,(f_{t,Q^{\prime}}(\Psi_{6}^{-1}(P)))^{\frac{q^{12}-1}{r}}.

The amount of operations for $f_{t,\Psi_{6}(Q^{\prime})}$ and $f_{t,Q^{\prime}}$ in one iteration is $7S_{12}+\frac{67}{2}M_{12}$ and $6S_{2}+62M_{2}+S_{12}+\frac{3}{2}M_{12}$ at the Double step in the ENA, respectively. Note that in our implementation, $1I_{12}\approx 3M_{12}$ , $1I_{2}\approx 13M_{2}$ , $1M_{2}\approx 3M$ and $1M_{12}\approx 54M$ . In the IENA, we need $6S_{12}+31M_{12}+I_{12}$ without twist when the bit is not equal to $0$ . If we compute pairings on its corresponding twisted curve, the operations can be reduced to $1S_{12}+1M_{12}+5S_{2}+39M_{2}+1I_{2}$ . Without considering the influence of delay error, it is not necessary to eliminate the inverse operation if we do not use twists of elliptic curves here. But when the cost of one inversion is greater than the cost of 5 multiplications, eliminating the inverse operation can have a more obvious improvement. Moreover, since $t$ is a negative number, we choose to compute $f_{-t,Q^{\prime}}$ and use the relationship $(f_{t,Q^{\prime}})^{(q^{12}-1)/r}=(\dfrac{1}{f_{-t,Q^{\prime}}})^{(q^{12}-1)/r}$ to revise the value. Note that in order to make the IENA work well, we choose to expand $-t$ in the NAF form to reduce the proportion of non-zero digits. Then the non-zero digits density $\rho$ will be smaller than that of the previous one. Although the Elliptic Net algorithm is much slower than Miller’s algorithm, it still counts in milliseconds. Therefore, we cycle the program $10,000$ times and take the average value to ensure the stability and accuracy of our program. The comparison about the efficiency of different methods is provided in Table 3.

Table 3: Efficiency Comparison on a 381-bit BLS12 Curve

Method	Clock Cycle ( $\times 10^{3}$ )	Time (ms)
ENA [31]	25,524	12.81
ENA with lazy reduction	24,599	12.35
IENA [7]	23,508	11.80
IENA with lazy reduction	22,586	11.34
IENA (Eliminate Inverse)	23,554	11.82
IENA (Eliminate Inverse) with lazy reduction	22,722	11.41
ENA (Twist)	4,890	2.45
ENA (Twist) with lazy reduction	4,463	2.24
IENA(Twist)	4,749	2.38
IENA(Twist) with lazy reduction	4,325	2.17
IENA(Twist $\&$ Eliminate Inv)	4,575	2.30
IENA(Twist $\&$ Eliminate Inv) with lazy reduction	4,315	2.16
Miller’s algorithm	3,123	1.57

From Table 3, we can see that this work speeds up the Elliptic Net algorithm indeed and the efficiency of computing the Optimal Ate pairing on the twisted curve is much quicker than that on the original elliptic curve. The twist technology has a good performance for both algorithms. The efficiency has been increased by about $80.9\%$ without using lazy reduction in the IENA. Notice that lazy reduction also plays a vital role in the algorithm, which further accelerates the algorithm. Besides, the elimination of the inversion has also been proved to be effective which is up to $3.36\%$ faster than the IENA. Compared to the ENA, the efficiency of our work on the original and twisted curves increases by around $11\%$ and $11.8\%$ , respectively.

6.1.2 676-bit KSS18 Curve

Now we give the parameters of the 676-bit KSS18 curve with embedding degree $k=18$ below:

•

$t=-2^{85}-2^{31}-2^{26}+2^{6}$ ;
•

$r=(t^{6}+37t^{3}+343)/343$ ;
•

$q=(t^{8}+5t^{7}+7t^{6}+37t^{5}+188t^{4}+259t^{3}+343t^{2}+1763t+2401)/21$ ;
•

$E_{0}:y^{2}=x^{3}+2$ over $\mathbb{F}_{q}$ ;
•

$\mathbb{F}_{q^{3}}=\mathbb{F}_{q}[u]/\langle u^{3}-\beta\rangle$ , where $\beta=-2$ ;
•

$\mathbb{F}_{q^{6}}=\mathbb{F}_{q^{2}}[v]/\langle v^{2}-\xi\rangle$ , where $\xi=u$ ;
•

$\mathbb{F}_{q^{18}}=\mathbb{F}_{q^{6}}[\omega]/\langle\omega^{3}-v\rangle$ ;
•

the twisted curve $E_{0}^{\prime}$ : $y^{2}=x^{3}+2/\xi$ over $\mathbb{F}_{q^{2}}$ .

We need to calculate

(f_{t,\Psi_{6}(Q^{\prime})}\cdot f_{3,\Psi_{6}(Q^{\prime})}^{q}\cdot l_{[t]\Psi_{6}(Q^{\prime}),[3q]\Psi_{6}(Q^{\prime})}(P))^{\frac{q^{18}-1}{r}}

(f_{t,Q^{\prime}}\cdot f_{3,Q^{\prime}}^{q}\cdot l_{\Psi_{6}^{-1}\circ[t]\circ\Psi_{6}(Q^{\prime}),\Psi_{6}^{-1}\circ[3q]\circ\Psi_{6}(Q^{\prime})}(\Psi_{6}^{-1}(P)))^{\frac{q^{18}-1}{r}}

for computing the Optimal Ate pairing on this curve. In order to make our comparisons more obviously and steadily, we calculate the Optimal Ate pairing $1,000$ times, and take the average value as the final result. Table 4 shows the timings of different methods for computing the Optimal Ate pairing.

Table 4: Efficiency Comparison on a 676-bit KSS Curve

Method	Clock Cycle ( $\times 10^{3}$ )	Time (ms)
ENA [31]	136,542	68.54
ENA with lazy reduction	132,700	66.61
IENA [7]	122,629	61.56
IENA with lazy reduction	119,991	60.23
IENA (Eliminate Inverse)	122,681	61.59
IENA (Eliminate Inverse) with lazy reduction	120,686	60.58
ENA (Twist)	40,949	20.56
ENA (Twist) with lazy reduction	39,440	19.80
IENA(Twist)	40,676	20.42
IENA(Twist) with lazy reduction	39,276	19.72
IENA(Twist $\&$ Eliminate Inv)	40,291	20.23
IENA(Twist $\&$ Eliminate Inv) with lazy reduction	38,904	19.53
Miller’s algorithm	17,149	8.61

On the KSS18 curve, the effect of our modification is similar to the performance on the BLS12 curve. Just comparing the performance of the ENA on the twisted curve and the original curve, the algorithm is $70\%$ faster on the twisted curve. But after eliminating the inverse operation and using lazy reduction technique, the algorithm can be about $5\%$ faster than the IENA on the twisted curve.

From these results, we find that the improvement of lazy reduction on the KSS18 curve is increased. This is mainly because the embedding degree on the KSS18 curve is bigger than that of the BLS12 curve. Besides, we have more iterations of the Miller loop on the KSS18 curve. But the amount of optimization in a single iteration is same. In contrast to our theory, the efficiency of computing the Optimal Ate pairing on the twisted curve is much higher than that on the original curve for the Elliptic Net algorithm. In addition, we can further improve the efficiency of the algorithm by eliminating the inverse operation. Notice that Miller’s algorithm performs well in our implementation with the cost time of $1.57\,ms$ on the 381-bit BLS12 curve. Its version in our work is the fastest one implemented by Diego et al. in the Relic toolkit [1], and we test its efficiency in our personal computer. However, compared with the previous work, the gap between the Elliptic Net algorithm and Miller’s algorithm has been greatly shortened, which from the original cost of more than 9 times to the current cost of less than 2 times.

6.2 Scalar Multiplication

Our work based on the scalar multiplication algorithm proposed in [32] is to replace $6$ right-shift operations by $2$ left-shift operations in each iteration. It seems that this improvement will not work obviously. However, after we use the lazy reduction technique, the efficiency will have a good improvement. We choose two curves which achieve 192-bit security level and 256-bit security level respectively. The equations of these curves over $\mathbb{F}_{q}$ have the form: $y^{2}=x^{3}-3x+b$ .

6.2.1 NIST P-521 Curve

In [32], the amount of operations is $24M+6S+36A$ and $6$ right-shift operations at each iteration. Let one subtraction operation or one double operation be equal to one addition operation. The trick in Section 3 is applied to this algorithm, and then we replace $6$ right-shift operations by $2$ left-shift operations. Table 5 provides the timings of scalar multiplication algorithm in [32] and this work.

Table 5: Efficiency of Scalar Multiplication on the NIST P-521 Curve

Method	Clock Cycle ( $\times 10^{3}$ )	Time (ms)
Algorithm [32]	5,097	2.56
Algorithm [32] with lazy reduction	4,844	2.43
This work	4,920	2.47
This work with lazy reduction	4,530	2.27

Our work facilitates an acceleration of around $11.2\%$ over the algorithm in [32] of scalar multiplication. However, the efficiency of these algorithms is slower than that of the ENA for scalar multiplication except the prime $p$ is large enough.

6.2.2 NIST P-384 Curve

We focus on the situation of $gcd(p-1,3)=1$ and combine the work in [6] and [32] to compute scalar multiplication. Let $\alpha\in\mathbb{F}_{q}$ such that $\alpha^{3}=W(2)^{-1}$ . Then the initial values of an elliptic net are given below:

		$\displaystyle\tilde{W}(1)=1,\tilde{W}(2)=1,\tilde{W}(3)=\alpha^{8}\cdot W(3),$
		$\displaystyle\tilde{W}(4)=\alpha^{15}\cdot W(4),\tilde{W}(5)=\tilde{W}(4)-\tilde{W}(3)^{3}.$

We use these new initial values above to compute scalar multiplication. The amount of operations will be reduced from $20M+6S+36A$ and $6$ right-shift operations to $18M+6S+36A$ and $2$ left-shift operations in each iteration. Table 6 reflects the efficiency of algorithm in [32] and our work for computing scalar multiplication on the NIST P-384 curve. Results shown that we have an improvement based on [32] with $14.96\%$ .

Table 6: Efficiency of Scalar Multiplication on the NIST P-384 Curve

Method	Clock Cycle ( $\times 10^{3}$ )	Time (ms)
Algorithm [32]	2,329	1.17
Algorithm [32] with lazy reduction	2,208	1.11
This work	2,234	1.12
This work with lazy reduction	1,980	0.99

7 Conclusions

In this work, we improved the Elliptic Net algorithm. Among different versions of the Elliptic Net algorithm, we analyzed their efficiency and presented higher speed records on the computation of the Optimal Ate pairing on a 381-bit BLS12 curve and a 676-bit KSS18 curve by using the Elliptic Net algorithm with several tricks, respectively. We also improved the scalar multiplication algorithm in [32] and implemented our work on a NIST P-384 curve and a NIST P-521 curve, respectively. The scalar multiplication algorithm was increased by up to $14.96\%$ than the work in [32]. The lazy reduction technique was able to reduce by around $27\%$ of the required modular reductions. Moreover, the application of twist technology helped us reduce the number of multiplications and the improvement was significant. Besides, the improved Elliptic Net algorithm was also further improved, i.e., the inverse operation can be replaced by few multiplications when the bit is equal to $1$ or $-1$ . On the 381-bit BLS12 curve, this work improved the performance of the Optimal Ate pairing by $80\%$ compared with the original version on a 64-bit Linux platform. The implementation on the 676-bit KSS18 curve had shown that this work was $71.5\%$ faster than the previous ones. Our results shown that the Elliptic Net algorithm can compute pairings efficiently on personal computers while it was still slower than Miller’s algorithm. In the future, we will consider the parallelization of the Elliptic Net algorithm to get a further improvement.

References

[1] Aranha, D.F., Gouvêa, C.P.L.: RELIC is an Efficient LIbrary for Cryptography. https://github.com/relic-toolkit/relic
[2] Aranha, D., Karabina, K., Longa, P., Gebotys, C., López, J.: Faster explicit formulas for computing pairings over ordinary curves. In: Paterson, K. (ed.) Advances in Cryptology – EUROCRYPT 2011, Lecture Notes in Computer Science, vol. 6632, pp. 48–68. Springer Berlin Heidelberg (2011)
[3] Azarderakhsh, R., Fishbein, D., Grewal, G., Hu, S., Jao, D., Longa, P., Verma, R.: Fast software implementations of bilinear pairings. IEEE Transactions on Dependable and Secure Computing 14(6), 605–619 (2017)
[4] Barbulescu, R., Duquesne, S.: Updating key size estimations for pairings. Journal of Cryptology 32(1), 1–39 (2018)
[5] Blake, I.F., Seroussi, G., Smart, N.P.: Advances in elliptic curve cryptography. Cambridge University Press (2005)
[6] Chen, B.L., Hu, C.Q., Zhao, C.A.: A note on scalar multiplication using division polynomials. IET Information Security 11(4), 195–198 (2017)
[7] Chen, B.L., Zhao, C.A.: An improvement of the elliptic net algorithm. IEEE Transactions on Computers 65, 2903–2909 (2015)
[8] Chiesa, A., Hu, Y., Maller, M., Mishra, P., Vesely, N., Ward, N.: Marlin: Preprocessing zksnarks with universal and updatable srs. In: Canteaut, A., Ishai, Y. (eds.) Advances in Cryptology – EUROCRYPT 2020. pp. 738–768. Springer International Publishing, Cham (2020)
[9] Costello, C., Lange, T., Naehrig, M.: Faster pairing computations on curves with high-degree twists. In: International Conference on Practice $\&$ Theory in Public Key Cryptography (2010)
[10] Einsiedler, M., Everest, G., Ward, T.: Primes in elliptic divisibility sequences. LMS Journal of Computation and Mathematics 4, 1–13 (2001)
[11] Galbraith, S.D., Lin, X., Scott, M.: Endomorphisms for faster elliptic curve cryptography on a large class of curves. J. Cryptology 24, 446–469 (2011)
[12] Granger, R., Hess, F., Oyono, R., Theriault, N., Vercauteren, F.: Ate pairing on hyperelliptic curves. In: Naor, M. (ed.) Advances in Cryptology - EUROCRYPT 2007, Lecture Notes in Computer Science, vol. 4515, pp. 430–447. Springer Berlin / Heidelberg (2007)
[13] Granger, R., Scott, M.: Faster ecc over $\mathbb{F}_{2^{521}-1}$ . In: Katz, J. (ed.) Public-Key Cryptography – PKC 2015. pp. 539–553. Springer Berlin Heidelberg, Berlin, Heidelberg (2015)
[14] Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.S. (eds.) Advances in Cryptology – EUROCRYPT 2016. pp. 305–326. Springer Berlin Heidelberg, Berlin, Heidelberg (2016)
[15] H. Silverman, J.: The Arithmetic of Elliptic Curves, vol. 106 (2009)
[16] Hankerson, D., Menezes, A.: NIST Elliptic Curves, pp. 843–844. Springer US, Boston, MA (2011)
[17] Hess, F., Smart, N., Vercauteren, F.: The eta pairing revisited. IEEE Transactions on Information Theory 52, 4595–4602 (2006)
[18] Kanayama, N., Liu, Y., Okamoto, E., Saito, K., Teruya, T., Uchiyama, S.: Implementation of an elliptic curve scalar multiplication method using division polynomials. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E97.A(1), 300–302 (2014)
[19] Lee, E., Lee, H.S., Park, C.M.: Efficient and generalized pairing computation on abelian varieties. IEEE Transactions on Information Theory 55(4), 1793–1803 (2009)
[20] Lim, C.H., Hwang, H.S.: Fast implementation of elliptic curve arithmetic in ${G}{F}$ ( ${p}^{n}$ ). public key cryptography pp. 405–421 (2000)
[21] Matsuda, S., Kanayama, N., Hess, F., Okamoto, E.: Optimised versions of the ate and twisted ate pairings. In: Ima International Conference on Cryptography & Coding (2007)
[22] Miller, V., et al.: Short programs for functions on curves. Unpublished manuscript 97(101-102), 44 (1986)
[23] Miller, V.S.: The weil pairing, and its efficient calculation. J. Cryptology 17(4), 235–261 (2004)
[24] Montgomery, P.L.: Modular multiplication without trial division. Mathematics of Computation 44(170), 519–521 (1985)
[25] Mrabet, N.E., Joye., M.: Guide to Pairing-Based Cryptography. Chapman $\&$ HallCRC Cryptography and Network Security Series. CRC Press (01 2017)
[26] Naehrig, M., Renes, J.: Dual isogenies and their application to public-key compression for isogeny-based cryptography. In: Galbraith, S.D., Moriai, S. (eds.) Advances in Cryptology – ASIACRYPT 2019. pp. 243–272. Springer International Publishing, Cham (2019)
[27] Ogura, N., Kanayama, N., Uchiyama, S., Okamoto, E.: Cryptographic pairings based on elliptic nets. In: Iwata, T., Nishigaki, M. (eds.) Advances in Information and Computer Security. pp. 65–78. Springer Berlin Heidelberg, Berlin, Heidelberg (2011)
[28] Onuki, H., Teruya, T., Kanayama, N., Uchiyama, S.: Faster Explicit Formulae for Computing Pairings via Elliptic Nets and Their Parallel Computation (2016)
[29] Scott, M., Costigan, N., Abdulwahab, W.: Implementing cryptographic pairings on smartcards pp. 134–147 (2006)
[30] Shipsey, R.: Elliptic divisibility sequences. Goldsmiths College (2000)
[31] Stange, K.E.: The tate pairing via elliptic nets. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing-Based Cryptography - Pairing 2007, Lecture Notes in Computer Science, vol. 4575, pp. 329–348. Springer Berlin Heidelberg (2007)
[32] SubramanyaRao, S., Hu, Z., Zhao, C.A.: Division polynomial-based elliptic curve scalar multiplication revisited. IET Information Security 13(6), 614–617 (2019)
[33] Tang, C., Ni, D., Xu, M., Guo, B., Qi, Y.: Implementing optimized pairings with elliptic nets. Science China Information Sciences 57(5), 1–10 (2014)
[34] Vercauteren, F.: Optimal pairings. IEEE Transactions on Information Theory 56(1), 455–461 (2009)
[35] Ward, M.: Memoir on elliptic divisibility sequences. American Journal of Mathematics 70(1), 31 (1948)
[36] Washington, L.C.: Elliptic Curves Number Theory and Cryptography. Elsevier Science Publishers B. V. (2008)
[37] Zhao, C.A., Zhang, F.G., Huang, J.W.: All pairings are in a group. IEICE Transactions 91-A(10), 3084–3087 (2008)
[38] Zhao, C.A., Zhang, F.G., Huang, J.W.: A note on the ate pairing. Int. J. Inf. Sec 7(6), 379–382 (2008)

\addappheadtotoc

Appendix 0.A Algorithm in This Work

Algorithm 2 Double-and-Add Algorithm with Lazy Reduction (Eliminate Inversion)

0: Block

V

centered on

i

in which the first vector has 7 terms and the second vector has 3 terms.

W(1,0)=W(0,1)=1

\alpha=W(2,0)^{-1}

\beta=W(-1,1)^{-1}

\gamma_{1}=W(2,-1)^{-1}

\delta=W(1,1)^{-1}

\omega_{2}=W(2,0)^{2}

\omega_{13}=W(1,0)W(3,0)

flag\in\left\{0,1\right\}.

0: Block centered on

2i

flag=0

, centered on

2i+1

flag=1

S_{0}\leftarrow V[2,2]^{2}\,mod\,p

P_{0}\leftarrow(V[2,1]*V[2,3])\,mod\,p

; //

1S_{k}+1M_{k}

2: for

i=1\to 5

S[i]\leftarrow V[1,i+1]^{2}\,mod\,p

P[i]\leftarrow(V[1,i]*V[1,i+2])\,mod\,p

;

4: end for

5: if

flag=0

then

6: for

j=1\to 3

t_{0}\leftarrow S[j]*P[j+1]

t_{1}\leftarrow S[j+1]*P[j]

V[1,2j-1]\leftarrow(t_{0}-t_{1})\,mod\,p

;

t_{0}\leftarrow S[j]*P[j+2]

t_{1}\leftarrow S[j+2]*P[j]

V[1,2j]\leftarrow(t_{0}-t_{1})\,mod\,p

;

V[1,2j]\leftarrow(V[1,2j]*\alpha)\,mod\,p

;

10: end for

11:

t_{0}\leftarrow S[4]*P[5]

t_{1}\leftarrow S[5]*P[4]

V[1,7]\leftarrow(t_{0}-t_{1})\,mod\,p

;

12:

k_{0}\leftarrow S[2]*P_{0}

k_{1}\leftarrow P[2]*S_{0}

V[2,1]\leftarrow(k_{0}-k_{1})\,mod\,p

;

13:

V[2,1]\leftarrow(V[2,1]*\delta)\,mod\,p

;

14:

k_{0}\leftarrow S[3]*P_{0}

k_{1}\leftarrow P[3]*S_{0}

V[2,2]\leftarrow(k_{0}-k_{1})\,mod\,p

;

15:

k_{0}\leftarrow S[4]*P_{0}

k_{1}\leftarrow P[4]*S_{0}

V[2,3]\leftarrow(k_{0}-k_{1})\,mod\,p

;

16:

V[2,3]\leftarrow(V[2,3]*\beta)\,mod\,p

;

17: else

18: for

j=1\to 3

19:

t_{0}\leftarrow S[j]*P[j+2]

t_{1}\leftarrow S[j+2]*P[j]

V[1,2j-1]\leftarrow(t_{0}-t_{1})\,mod\,p

;

20:

V[1,2j-1]\leftarrow(V[1,2j-1]*\alpha)\,mod\,p

;

21:

t_{0}\leftarrow S[j+1]*P[j+2]

t_{1}\leftarrow S[j+2]*P[j+1]

V[1,2j]\leftarrow(t_{0}-t_{1})\,mod\,p

;

22: end for

23:

vt_{1}\leftarrow(V[1,4]*V[1,6])\,mod\,p

vt_{2}\leftarrow(V[1,5]^{2})\,mod\,p

; //

1M_{e}+1S_{e}

24:

t_{0}\leftarrow vt_{1}*\omega_{2}

t_{1}\leftarrow vt_{2}*\omega_{13}

V[1,7]\leftarrow(t_{0}-t_{1})\,mod\,p

; //

2M_{e}

25: for

j=1\to 6

26:

V[1,j]=(V[1,j]*V[1,3])\,mod\,p

;

27: end for

28:

k_{0}\leftarrow S[3]*P_{0}

k_{1}\leftarrow P[3]*S_{0}

V[2,1]\leftarrow(k_{0}-k_{1})\,mod\,p

;

29:

k_{0}\leftarrow S[4]*P_{0}

k_{1}\leftarrow P[4]*S_{0}

V[2,2]\leftarrow(k_{0}-k_{1})\,mod\,p

;

30:

V[2,2]\leftarrow(V[2,2]*\beta)\,mod\,p

;

31:

k_{0}\leftarrow S[5]*P_{0}

k_{1}\leftarrow P[5]*S_{0}

V[2,3]\leftarrow(k_{0}-k_{1})\,mod\,p

;

32:

V[2,3]\leftarrow(V[2,3]*\gamma_{1})\,mod\,p

33: end if

34: return

V