Implementing Cryptographic Pairings over

Barreto-Naehrig Curves

Augusto Jun Devegili1? , Michael Scott2 , and Ricardo Dahab1

1
Instituto de Computação, Universidade Estadual de Campinas
Caixa Postal 6176, CEP 13084-971 Campinas, SP, Brazil
[email protected], [email protected]
2
School of Computing, Dublin City University
Dublin 9, Ireland
[email protected]

Abstract. In this paper we describe an efficient implementation of the

Tate and Ate pairings using Barreto-Naehrig pairing-friendly curves, on
both a standard 32-bit PC and on a 32-bit smartcard. First we introduce
a sub-family of such curves with a particularly simple representation.
Next we consider the issues that arise in the efficient implementation of
field arithmetic in Fp12 , which is crucial to good performance. Various
optimisations are suggested, including a novel approach to the ‘final ex-
ponentiation’, which is faster and requires less memory than the methods
previously recommended.

1 Introduction
Pairing-based cryptography requires pairing-friendly curves. These are parame-
terised by their embedding degree k. The embedding degree dictates to an extent
the security level efficiently achievable on the curve.
While it is well known that super-singular curves are viable and useful candi-
dates, they are limited in terms of the possible values of the embedding degree.
Furthermore the highest embedding degree possible for super-singular elliptic
curves (k = 6) requires us to use curves of characteristic 3, which is rather
awkward from an implementation point of view (we refer the reader to a recent
paper on arithmetic in GF(3m ) by Ahmadi, Hankerson and Menezes [1]). At-
tention has therefore switched to consideration of non-supersingular curves of
prime characteristic, for which there is no such limitation. Nonetheless finding
suitable curves, or ideally whole families of suitable curves, has proven to be
non-trivial [2].
In this context the security of pairing-based cryptography depends on finding
curves whose order n is divisible by a large prime r such that generic attacks on
small group orders (Pohlig-Hellman attacks) can be resisted. It is also important
that k lg(p), where p is the modulus, is large enough to resist index-calculus
attacks.
?
Funded by the Brazilian Government/Coordination for the Improvement of Higher
Education Personnel (CAPES)
 Given this scenario, Barreto-Naehrig (BN) curves with their embedding de-
gree of 12 are particularly significant, as before their discovery only MNT
curves [3] of embedding degree 3, 4 and 6 were known to support rare curves
of prime order (r = n). The prime order requirement is significant in terms of
efficiency of implementation [2], and is crucial for certain applications [4]. Fur-
thermore since BN curves define a whole family of curves, there are plenty to
choose from. One potential drawback of using BN curves is Schirokauer’s pro-
posed discrete logarithm algorithm [5], which may be applicable to BN primes
because of their special format. In this case, it might be necessary to rescale
parameters accordingly.

2 Bilinear Pairings
A bilinear pairing is a map e : G1 × G2 → G3 where G1 , G2 are additive groups,
G3 is a multiplicative group, and the map is linear in each component:

e(P + Q, R) = e(P, R) · e(Q, R)

e(P, Q + R) = e(P, Q) · e(P, R) .

Let Fp be the prime field with characteristic p and let E(Fp ) be an elliptic
curve defined over Fp . Let n be the order of E(Fp ), let r be a large prime dividing
n, and let k be the least positive integer such that r | pk − 1 and r2 - pk − 1.
We call such an integer k the embedding degree of r with regard to Fp , and we
know that the r-torsion group of the curve is contained in E(Fpk ) and the r-th
roots of unity are contained in Fpk .
Let [a]P denote the multiplication of a point P ∈ E by a scalar a ∈ Z, and
let ∞ ∈ E denote the point at infinity. A Miller [6] function fr,P (·) is a rational
function on E with r zeroes at P , one pole at [r]P and r − 1 poles at ∞:

(fr,P ) = r(P ) − ([r]P ) − (r − 1)∞ .

The Tate pairing [7] is a well-defined, non-degenerate bilinear pairing with

G1 = E[r], G2 = E(Fpk )/rE(Fpk ), and G3 = F∗pk /(F∗pk )r . Let P ∈ E[r] and
Q ∈ E(Fpk )/rE(Fpk ). Then the Tate pairing of P, Q is computed as
k
e(P, Q) = fr,P (Q)(p −1)/r
.

The Ate pairing [8] is a well-defined, non-degenerate bilinear pairing with

G1 = E[r] ∩ Ker(πq − [1]), G2 = E[r] ∩ Ker(πq − [q]), and G3 = F∗pk /(F∗pk )r ,
where πq is the Frobenius endomorphism. Let P ∈ E[r] ∩ Ker(πq − [1]), Q ∈
E[r] ∩ Ker(πq − [q]), and t be the trace of Frobenius of the curve. Then the Ate
pairing of Q, P is computed as
k
e(Q, P ) = ft−1,Q (P )(p −1)/r
.

The most efficient pairing computation algorithms are derived from Miller’s
algorithm [6], which computes a Miller function fr,P evaluated at a point Q.

2
Algorithm 1 describes the BKLS algorithm [7] commonly used to compute the
Tate pairing, including the denominator elimination optimisation that may be
applied for even embedding degree. The algorithm needs Fpk arithmetic (squar-
ing and multiplication), elliptic curve arithmetic (point addition and doubling),
computation of the line function lA,B (C) that intercepts points A, B and its
evaluation at a point C, and a final exponentiation in Fpk .

Algorithm 1 BKLS algorithm to compute the Tate pairing e(P, Q)

Input: P, Q ∈ E and r ∈ Z
k
Output: fr,P (Q)(p −1)/r
1: T ← P
2: f ← 1
3: for i ← blg(r)c − 2 downto 0 do
4: f ← f 2 · lT,T (Q)
5: T ← [2]T
6: if ri = 1 then
7: f ← f · lT,P (Q)
8: T ←T +P
9: end if
10: end for
k
11: f ← f (p −1)/r

3 Barreto-Naehrig Curves

Barreto and Naehrig [9] devised a method to generate pairing-friendly elliptic

curves over a prime field, with prime order and embedding degree k = 12. The
equation of the curve is E : y 2 = x3 + b, with b 6= 0. The trace (of Frobenius) of
the curve, the curve order and the characteristic of Fp are parameterised as:

t(x) = 6x2 + 1
n(x) = 36x4 − 36x3 + 18x2 − 6x + 1
p(x) = 36x4 − 36x3 + 24x2 − 6x + 1 .

Such a curve is called a Barreto-Naehrig or BN curve. Throughout this text, we

drop the parameter x and write t, n, p instead of t(x), n(x), p(x) respectively.
Because a BN curve has prime order, every point in the curve has order n, so
the r value defined in Section 2 (a large prime dividing the curve order) is the
same as n.
Since t, n, p are parameterised, the space needed to store or transmit in-
formation about a BN curve is small: The parameter x alone suffices. This pa-
rameterisation also allows for a faster final exponentiation method described in
Section 7.

3
 Because BN curves have embedding degree k = 12, pairings are computed
over points in E(Fp12 ). A common optimisation [7] is to take one of the points
in E(Fp ) ⊂ E(Fp12 ) and the other in E(Fp12 ). However, it is possible to do
better than this: By using an appropriate map, we can compress certain points
in E(Fp12 ) to points in a sextic twist E 0 (Fp2 ). Let ξ ∈ Fp2 be such that W 6 − ξ
is irreducible over Fp2 [W ] whenever p ≡ 1 (mod 6). Then there exists a curve
E 0 /Fp2 : y 02 = x03 +b/ξ that is a sextic twist of E/Fp and whose order is divisible
by n. In fact, the order of the sextic twist E 0 /Fp2 is n(2p − n).
Let z ∈ Fp12 be a root of W 6 − ξ. We can build an injective group homo-
morphism ψ : E 0 (Fp2 ) → E(Fp12 ) as (x0 , y 0 ) 7→ (x0 z 2 , y 0 z 3 ). This allows us to
map points in the sextic twist E 0 (Fp2 ) to points in E(Fp12 ), and if ξ is used to
construct the extension field Fp12 then multiplication by powers of z does not
incur any multiplication overhead.
We chose x such that p is a 256-bit prime subject to the following congruences:
p ≡ 7 (mod 8) (so that we can use −2 as a quadratic non-residue, optimising
arithmetic operations on Fp2 ), p ≡ 4 (mod 9) (as suggested in [9] to compute
cube roots efficiently), and p ≡ 1 (mod 6) (so that we can find ξ ∈ Fp2 such
that W 6 − ξ is irreducible over Fp2 [W ]). The elliptic curve equation is given
by E/Fp : y 2 = x3 + 3, and G = (1, 2) is a generator of E(Fp ). For a 256-bit
modulus, the x which defines the curve is just a 64-bit number.
Observe from Algorithm 1 that the Ate pairing benefits from r having low
Hamming weight. In the context of BN curves, this is facilitated by prefer-
ring an x value of low Hamming weight. For example, we find that r has a
Hamming weight of 90 and t has a Hamming weight of 28 if we choose x =
-6000000000001F2D (hex).

4 Finite Field Arithmetic

We construct the finite extension field Fp12 as a tower of finite extensions:

Quadratic on top of a cubic on top of a quadratic. The quadratic/cubic non-
residues and reduction polynomials are detailed in Table 1. The multiplication
and squaring algorithms chosen to implement field arithmetic are listed in Ta-
ble 2. We made the choice of multiplication and squaring algorithms based on
the exhaustive testing described in [10].

Table 1. Extension fields

Extension Non-Residue Construction Representation

Fp2 β = −2 Fp [X]/(X 2 − β) a = a0 + a1 X
√
Fp6 ξ = −1 − β Fp2 [Y ]/(Y 3 − ξ) a = a0 + a1 Y + a2 Y 2
√
Fp12 ξ0 = 3 ξ Fp6 [Z]/(Z 2 − ξ 0 ) a = a0 + a1 Z

4
 Table 2. Multiplication and squaring algorithms for finite extension fields

Extension Multiplication Squaring

Fp Comba Comba
Fp2 Karatsuba Complex
Fp6 Karatsuba Chung-Hasan SQR2
Fp12 Karatsuba Complex

Throughout this text we also use an alternative equivalent representation of

elements in Fp12 based on z, a root of (W 6 − ξ) ∈ Fp2 [W ]:

a ∈ Fp12 = (a0,0 + a0,1 Y + a0,2 Y 2 ) + (a1,0 + a1,1 Y + a1,2 Y 2 )Z

= a0,0 + a1,0 z + a0,1 z 2 + a1,1 z 3 + a0,2 z 4 + a1,2 z 5 ,

where ai,j ∈ Fp2 .

5 The Tate Pairing

The Tate pairing e(P, Q) takes a point P = (xP , yP ) ∈ E(Fp ) and a point
Q = (xQ , yQ ) ∈ E(Fp12 ). Recall from Section 3 that BN curves have sextic
twists defined over Fp2 , so we can use a point Q0 = (x0Q , yQ 0
) ∈ E 0 (Fp2 ) instead
of the full point Q ∈ E(Fp12 ), and that there exists a group homomorphism
ψ : E 0 (Fp2 ) → E(Fp12 ) defined as ψ((x0 , y 0 )) 7→ (x0 z 2 , y 0 z 3 ). The coordinates of
a point Q in the codomain of ψ have a compact representation, needing at most
1/6 of the number of Fp elements needed to represent a full Fp12 element.
In Algorithm 1, the point P is repeatedly doubled or added during the Miller
loop, and therefore we need elliptic curve arithmetic on E(Fp ).
We use λA,B in order to evaluate lA,B (Q). Because A, B ∈ E(Fp ), every
coordinate is an element of Fp and thus λA,B ∈ Fp . Let C = A + B. Using
projective coordinates,
3 3
lA,B (Q) = (yQ · zA − yA )zC − (xQ · zA − xA · zA )λA,B
= yQ · z · zA · zC − yA · zC − x0Q · z 2 · zA
0 3 3 3
· λA,B − xA · zA · λA,B
= (xA · zA · λA,B − yA · zC ) − (x0Q · zA
3
· λA,B )z 2 + (yQ
0 3
· zA · zC )z 3 .

Since xA , yA , λA,B ∈ Fp and x0Q , yQ

0
∈ Fp2 , we can avoid Fp12 arithmetic entirely
when computing lA,B (Q).

6 The Ate Pairing

The Ate pairing e(Q, P ) takes a point Q = (xQ , yQ ) ∈ E(Fp12 ) and a point
P = (xP , yP ) ∈ E(Fp ). As in Section 5, we can use a point Q0 = (x0Q , yQ 0
) ∈
0
E (Fp2 ) instead of the full point Q ∈ E(Fp12 ).
The Miller loop needs two elliptic curve arithmetic operations: Point doubling
and point addition. As these operations are computed over Q0 , we need elliptic

5
curve arithmetic over E 0 (Fp2 ). Instead of using r to control the Miller loop, the
Ate pairing uses s = t − 1, which in the case of BN curves provides for roughly
half the number of iterations needed to compute the Tate pairing. Algorithm 2
describes the BKLS algorithm adapted to compute the Ate pairing.

Algorithm 2 BKLS-like algorithm to compute the Ate pairing e(Q, P )

Input: P, Q ∈ E and r, s = t − 1 ∈ Z
k
Output: ft−1,Q (P )(p −1)/r
1: T ← Q
2: f ← 1
3: for i ← blg(s)c − 2 downto 0 do
4: f ← f 2 · lT,T (P )
5: T ← [2]T
6: if si = 1 then
7: f ← f · lT,Q (P )
8: T ←T +Q
9: end if
10: end for
k
11: f ← f (p −1)/r

The formula for the slope of the line function lA,B that intercepts two points
A = (xA , yA ) and B = (xB , yB ) is
yB − yA
λA,B = .
xB − xA
If A, B ∈ E(Fp12 ), the slope is an element of Fp12 . We can easily derive this
from the slope of the line function lA0 ,B 0 that intercepts A0 , B 0 ∈ E 0 (Fp2 ), where
A0 , B 0 are the images of A, B under ψ:
0 0
(yB − yA )z 3
λA,B = 0 0 = (λA0 ,B 0 )z ,
(xB − xA )z 2
so computing λA,B ∈ Fp12 amounts to computing λA0 ,B 0 ∈ Fp2 . We use this slope
to evaluate lA,B (P ) as follows:
lA,B (P ) = (xP − xA )λA,B − (yP − yA )
= (xP − x0A · z 2 )(λA0 ,B 0 )z − (yP − yA0
· z3)
0
= (−yP ) + (xP · λA0 ,B 0 )z + (yA − x0A · λA0 ,B 0 )z 3 .
In practise the use of projective coordinates for E(Fp2 ) point doublings and
additions is a little faster, even though for the pairing calculation elliptic curve
operations take up relatively little time compared with the Fp12 operations.
As xP , yP ∈ Fp and x0A , yA0
, λA0 ,B 0 ∈ Fp2 , again we can avoid Fp12 arithmetic
entirely when computing lA,B (P ). The resulting value has a sparse representation
in Fp12 , needing only five Fp elements instead of twelve. However, the Miller
variable is a full Fp12 element. For a given point P , the value −yP is constant,
so it needs to be computed only once during the pairing computation.

6
7 Final Exponentiation
Both the Ate and Tate pairing algorithms compute a final exponentiation after
the Miller loop. A common optimisation of this computation is to factor (pk −
1)/n into three parts: An easy exponentiation to the power of (pk/2 − 1), an
equally easy exponentiation to the power of (pk/2 + 1)/Φk (p) (easy because of
the Frobenius), and a ‘hard’ exponentiation to the power of Φk (p)/n, where
Φk is the k-th cyclotomic polynomial [11]. In the context of BN curves, these
exponents translate to (p6 − 1), (p2 + 1), and (p4 − p2 + 1)/n.
Recall that p and n have a special form: Both are polynomials on x. Therefore
this hard part of the final exponentiation can be computed explicitly as a large
polynomial in x. This can in turn be expressed to the base p as
p3 + (6x2 + 1)p2 + (36x3 − 18x2 + 12x + 1)p + (36x3 − 30x2 + 18x − 2) .
Now the standard continuation is to use the method of multi-exponentiation
combined with the Frobenius [12], so that the final exponentiation is the calcu-
lation of
3 2 2 3
−18x2 +12x+1 3
−30x2 +18x−2
(f p ) · (f p )6x +1
· (f p )36x · f 36x .
However, multi-exponentiation is expensive in terms of memory as it requires
extensive precomputation. So instead we exploit the specific and fixed form of
the final exponent to obtain Algorithm 3 which can easily be verified to produce
the equivalent result, but only requires simple exponentiation.

Algorithm 3 ‘Hard’ exponentiation

Input: f, x, p
4 2
Output: f (p −p +1)/n
6x−5
1: a ← f
2: b ← ap using Frobenius
3: b ← ab
2 3
4: Compute f p , f p , and f p using Frobenius
p3 p 2 p2 6x2 +1
5: f ← f · [b · (f ) · f ] · b · (f p · f )9 · a · f 4

Note that exponentiations to powers of p are efficiently computed using

Frobenius; other exponentiations may be computed using the square-and-multiply
method. Because x is chosen so as to have low Hamming weight, there is no ben-
efit in using window methods to compute the exponentiations to the powers of
6x − 5 and 6x2 + 1, which saves on memory. Experiments show this method to
be about 20% faster than using multi-exponentiation.

8 The Philips HiPerSmartTM Smartcard

As in [13], we used the Philips HiPerSmartTM smartcard, which is an instantia-
tion of the MIPS32°-based
R SmartMIPS° R architecture with various instruction

7
set enhancements to facilitate the implementation of popular cryptographic al-
gorithms. Fortunately these enhancements are also relevant to our efforts here.
Specifically the architecture supports a ACX|HI|LO triple of registers that
can be used to accumulate the partial products that arise when employing the
popular Comba/Montgomery technique for multi-precision multiplication [14].
This is supported by a modified MADDU instruction which carries out an unsigned
integer multiplication and addition to the triple register.
One architectural feature of particular significance is the 2 KB instruction
cache. This is appropriate for an algorithm which spends most of its time in a
small inner loop, as say for a modular exponentiation as required by the RSA
algorithm. However it is problematical for the more complex algorithms consid-
ered here. Therefore we found that it was hard to avoid frequent cache misses,
which are particularly expensive at the higher clock speeds. In particular it was
self-defeating to try and use the popular optimisation of loop-unrolling, as the
reduction in instruction count was more than offset by an increase in clock cycle
count.
By using stack allocation for the multiprecision variables it was possible to
keep the RAM requirement within the 16 KB allocation. However this could
have been a problem if we were to use methods which are more memory-hungry
(like multi-exponentiation).

9 Results

The performance of the Ate and Tate pairings was measured on two platforms:
The Philips HiPerSmartTM platform described in Section 8, and a 32-bit Intel
Pentium IV 3.0 GHz (Prescott) processor.
Our programs used the MIRACL library3 , which implements multi-precision
number arithmetic, and supports a number of powerful optional optimizations. In
particular it supports completely unrolled assembly language support for fixed-
size big number multiplication and modular reduction. Internally, prime field
elements are in Montgomery representation [15], which allows for fast reduction
without divisions. The memory for big numbers can be allocated from the heap,
or more efficiently from the stack, which is the case for our experiments. When
required to multiply big numbers by a small integer, multiplications by numbers
less than or equal to 6 are instead carried out by up to 3 modular additions.
Table 3 lists the number of instructions required to compute the pairings
on the smartcard, as well as the number of cache misses. The count of clock
cycles, the average Clocks Per Instruction (CPI), and the actual time needed to
compute the pairing is listed in Tables 4 and 5. The timings for the 3.0 GHz
Pentium IV are listed in Table 6. Here the implementation takes full advantage
of the Pentium’s SSE2 instruction set enhancements.
Our smartcard hardware emulator is only cycle-accurate up to 20.57 MHz,
but the maximum supported speed for the smartcard is 36 MHz. At this clock
3
http://www.shamus.ie

8
 Table 3. Instructions required (% icache misses) — Philips HiPerSmartTM

Ate pairing Tate pairing

Miller loop 37,929,400 (23.5%) 65,027,846 (20.5%)
Final exponentiation 22,161,919 (23.9%) 22,170,594 (23.2%)
Total 60,091,319 (23.7%) 87,198,440 (21.2%)

Table 4. Clock cycles required/CPI/time in seconds @ 9 MHz

Ate pairing Tate pairing

Miller loop 57,013,051/1.50/6.33 94,496,817/1.45/10.50
Final exponentiation 33,448,982/1.51/3.72 33,319,017/1.50/3.70
Total 90,462,033/1.51/10.05 127,815,834/1.47/14.20

frequency the Ate pairing over BN curves should take approximately 3 seconds,
which is not adequate for use at the moment. Nevertheless it is anticipated that,
with improvements in technology, BN curves might be practical even on such
resource constrained devices in the near future.

10 Conclusions
We have described the first implementation of both the Ate and Tate pairings
over Barreto-Naehrig curves.
Because of the restrictions imposed on the selection of primes for BN curves,
we have not used primes congruent to 1 (mod 12), and therefore our finite fields
are not strictly pairing-friendly in the sense of Koblitz and Menezes [16]. We
have used the technique of towering extensions to construct the extension field
Fp12 , and our choice of non-residues for the reduction polynomials that define
the extensions still allows for efficient finite field arithmetic.
In order to avoid full Fp12 arithmetic throughout the pairing computation,
we have provided explicit Fp2 -formulae for the evaluation of the line function
lA,B (C) required by the Miller algorithm, thus alleviating part of the burden
imposed by using the k = 12 embedding degree. The value of lA,B (C) computed
by the Ate (resp. Tate) pairing uses five (resp. six) Fp components instead of
twelve.
Our method for the final exponentiation is both faster and less memory-
intensive than previous methods in the literature which are based on multi-
exponentiation. We also observe that the analysis of Hess, Smart and Ver-

Table 5. Clock cycles required/CPI/time in seconds @ 20.57 MHz

Ate pairing Tate pairing

Miller loop 67,018,425/1.77/3.26 109,697,928/1.69/5.33
Final exponentiation 39,379,515/1.78/1.91 39,139,099/1.77/1.90
Total 106,397,940/1.77/5.17 148,837,027/1.71/7.24

9
 Table 6. Timings in milliseconds on a 32-bit 3.0 GHz Intel Pentium IV

Ate pairing Tate pairing

Miller loop 14.8 25.4
Final exponentiation 8.4 8.4
Total 23.2 33.8

cauteren [8] for the settings of BN curves (k = 12, lg(p) = lg(r) = 256) is
more optimistic with regard to the Ate pairing than our experimental results.

Acknowledgements We would like to thank the anonymous reviewers for their

valuable comments, and Décio Gazzoni for insightful information on the number
field sieve. Thanks also to Alfred Menezes and Darrel Hankerson for pointing
out a problem with our results as originally reported.

References
1. Omran Ahmadi, Darrel Hankerson, and Alfred Menezes. Software implementation
of arithmetic in GF(3m ). In WAIFI 2007 (to be published), 2007.
2. David Freeman, Michael Scott, and Edlyn Teske. A taxonomy of pairing-friendly el-
liptic curves. Cryptology ePrint Archive, Report 2006/372, 2006. http://eprint.
iacr.org/.
3. Atsuko Miyaji, Masaki Nakabayashi, and Sunzou Takano. New explicit condi-
tions of elliptic curve traces for FR-reduction. IEICE Trans. Fundamentals, E84-
A(5):1234–1243, May 2001.
4. D. Boneh, B. Lynn, and H. Schacham. Short signatures from the Weil pairing.
Journal of Cryptology, 17(4):297–319, 2004.
5. Oliver Schirokauer. The number field sieve for integers of low weight. Cryptology
ePrint Archive, Report 2006/107, 2006. http://eprint.iacr.org/.
6. Victor S. Miller. The Weil pairing, and its efficient calculation. Journal of Cryp-
tology, 17(4):235–261, September 2004.
7. Paulo S. L. M. Barreto, Hae Y. Kim, Ben Lynn, and Michael Scott. Efficient algo-
rithms for pairing-based cryptosystems. In CRYPTO 2002, number 2442 in Lec-
ture Notes in Computer Science, pages 354–369, Berlin Heidelberg, 2002. Springer-
Verlag.
8. Florian Hess, Nigel P. Smart, and Frederik Vercauteren. The Eta Pairing Revisited.
IEEE Transactions on Information Theory, 52(10):4595–4602, October 2006.
9. Paulo S. L. M. Barreto and Michael Naehrig. Pairing-friendly elliptic curves of
prime order. In B. Preneel and S. Tavares, editors, SAC 2005, number 3897
in Lecture Notes in Computer Science, pages 319–331, Berlin Heidelberg, 2006.
Springer-Verlag.
10. Augusto Jun Devegili, Colm Ó hÉigeartaigh, Michael Scott, and Ricardo Dahab.
Multiplication and squaring on pairing-friendly fields. Cryptology ePrint Archive,
Report 2006/471, 2006. http://eprint.iacr.org/.
11. Robert Granger, Dan Page, and Nigel P. Smart. High security pairing-based cryp-
tography revisited. In Florian Hess, Sebastian Pauli, and Michael E. Pohst, edi-
tors, ANTS, volume 4076 of Lecture Notes in Computer Science, pages 480–494.
Springer, 2006.

10
12. Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of
Applied Cryptography. CRC Press, Boca Raton, 1996.
13. Michael Scott, Neil Costigan, and Wesam Abdulwahab. Implementing crypto-
graphic pairings on smartcards. In L. Goubin and M. Matsui, editors, CHES 2006,
volume 4249 of Lecture Notes in Computer Science, pages 134–147, 2006.
14. Johann Großschädl and Erkay Savas. Instruction set extensions for fast arithmetic
in finite fields GF(p) and GF(2m ). In Marc Joye and Jean-Jacques Quisquater,
editors, CHES 2004, volume 3156 of Lecture Notes in Computer Science, pages
133–147. Springer, 2004.
15. Peter L. Montgomery. Modular multiplication without trial division. Mathematics
of Computation, 44(170):519–521, April 1985.
16. Neal Koblitz and Alfred Menezes. Pairing-based cryptography at high security
levels. In N.P. Smart, editor, Cryptography and Coding 2005, volume 3796 of
Lecture Notes in Computer Science, pages 13–36, Berlin Heidelberg, 2005. Springer-
Verlag.

11