A Consideration of Towering Scheme for Efficient Arithmetic Operation over Extension Field of Degree 18

Md. Al-Amin Khandaker* and Yasuyuki Nogami†
Graduate School of Natural Science and Technology, Okayama University, 3-1-1 Tsushima-naka, Okayama 700-8530, Japan
Email: *[email protected], †[email protected]

Abstract—The Barreto-Naehrig (BN) curve is a well-studied pairing-friendly curve of embedding degree 12 whose pairing computation uses arithmetic in $\mathbb{F}_{p^{12}}$; the arithmetic of that extension field is therefore well understood. In this paper we propose an efficient towering construction for arithmetic over the extension field of degree 18. $\mathbb{F}_{p^{18}}$ arithmetic is expected to be the basis for implementing the next generation of pairing-based security protocols. We propose to use elements of $\mathbb{F}_p$ as the constants of the irreducible binomials that build the tower up to $\mathbb{F}_{p^6}$, whereas the conventional approach uses the root of the previous irreducible polynomial as the constant of the next one. Using $\mathbb{F}_p$ constants in the binomials reduces the number of $\mathbb{F}_p$ multiplications needed for inversion and multiplication in $\mathbb{F}_{p^{18}}$, which accelerates the overall arithmetic in $\mathbb{F}_{p^{18}}$.

Index Terms—towering scheme, extension field arithmetic, pairing based cryptography, KSS curve
I. INTRODUCTION

The information security of modern computer systems rests on cryptography. Compared to RSA, elliptic curve cryptography [1] has gained much attention for its faster key generation, shorter keys at the same security level, and lower memory and computing requirements. The intractability of the Elliptic Curve Discrete Logarithm Problem (ECDLP) underlies many innovative cryptographic protocols. At the beginning of the twenty-first century, cryptosystems based on elliptic curve pairings were proposed independently by Sakai et al. [2] and Joux [3]. Since then pairing-based cryptography has unlocked several novel ideas, such as the identity-based encryption scheme of Boneh et al. [4]; group signatures [5], [6] and broadcast encryption [7] have further increased its popularity. Pairings such as the Weil [8], Tate, optimal-ate [9], Eta [10] and χ-ate [11] pairings have received much attention in recent years. A pairing is a bilinear map from two rational point groups $\mathbb{G}_1$ and $\mathbb{G}_2$ to a multiplicative group $\mathbb{G}_3$ [12], generally written $\mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_3$. These groups are defined over an extension field $\mathbb{F}_{p^k}$, where the prime $p$ is the characteristic and $k$ is the extension degree, called the embedding degree. It is therefore important to construct the extension field arithmetic efficiently in order to make pairing-based cryptography efficient.

In pairing-based cryptography, rational points are defined over a pairing-friendly elliptic curve. Let $E(\mathbb{F}_{p^k})$ be the set of rational points $(x, y)$, $x, y \in \mathbb{F}_{p^k}$, on the elliptic curve $E$ defined over the extension field $\mathbb{F}_{p^k}$ of embedding degree $k$. The security level of pairing-based cryptography depends on the sizes of both $r$ and $p^k$, where $r$ denotes the largest prime dividing the order of $E(\mathbb{F}_p)$. It is said that next-generation pairing-based cryptography needs $\log_2 r \approx 256$ and $\log_2 p^k \approx 3000$ to $5000$. Assuming the most efficient case $\rho = (\log_2 p)/(\log_2 r) = 1$, $k$ needs to be 12 to 20. In this paper we consider $k = 18$ and the degree-18 pairing-friendly curve described in [13]. Pairing-based protocols require arithmetic in higher fields such as $\mathbb{F}_{p^k}$ for moderate $k$ [12], so it is important to represent the field in a way that lets the arithmetic be performed efficiently. One of the most efficient ways is a tower of extension fields [14], in which higher-level computations are expressed as functions of lower-level computations; an efficient implementation of the lower-level arithmetic therefore yields good performance in the higher-degree fields. Implementations of pairing-based cryptosystems on low-power and mobile devices are increasing, and the improving hardware capabilities of embedded devices can make pairing implementations faster; the efficiency of the extension field arithmetic is thus central to pairing performance. In this paper we present an efficient way to construct the $\mathbb{F}_{p^{18}}$ extension field and to perform arithmetic in it. In the current approach to towering, the root of the previous irreducible polynomial is used as the constant of the irreducible polynomial of the next extension. In our proposal, an element of the prime field $\mathbb{F}_p$ is used as the constant of the irreducible binomial for the first two extensions, and the root of the base extension's binomial is used only for the last one.

II. PRELIMINARIES

In this section we go through how a tower of extension fields is constructed in practice, and the basic notion of a basis of an extension field.
A. Basis of extension field and towering

In order to construct the arithmetic operations in $\mathbb{F}_{p^k}$, we generally need an irreducible polynomial $f(x)$ of degree $k$ over $\mathbb{F}_p$. Let $\omega$ be a zero of $f(x)$, that is $\omega \in \mathbb{F}_{p^k}$. Then the set
$$\{1, \omega, \omega^2, \cdots, \omega^{k-1}\} \qquad (1)$$
forms a basis of $\mathbb{F}_{p^k}$ over $\mathbb{F}_p$, known as the polynomial basis. An arbitrary element $A \in \mathbb{F}_{p^k}$ is written as
$$A = a_0 + a_1\omega + a_2\omega^2 + \cdots + a_{k-1}\omega^{k-1}, \quad a_i \in \mathbb{F}_p. \qquad (2)$$
The vector representation of $A$ is $v_A = (a_0, a_1, a_2, \cdots, a_{k-1})$. Multiplication and inversion in $\mathbb{F}_{p^k}$ are carried out using the relation $f(\omega) = 0$, and therefore $f(x)$ is called the modular reduction polynomial of $\mathbb{F}_{p^k}$. The Frobenius map should be cheap to evaluate, since it is used to compute the conjugates of $\omega$. An extension field $\mathbb{F}_{p^k}$ with a moderate value of $k$, such as $k \ge 6$, needs to be represented as a tower of sub-extension fields to speed up the pairing computation. Towering with irreducible binomials is explained in [15]. For Barreto-Naehrig (BN) curves [16], where $k = 12$, the tower of binomial extensions is
$$\mathbb{F}_{p^2} = \mathbb{F}_p[\omega]/(\omega^2 - \beta), \quad \beta = c,\ c \in \mathbb{F}_p,$$
$$\mathbb{F}_{p^6} = \mathbb{F}_{p^2}[\tau]/(\tau^3 - \xi), \quad \xi = \omega + 1,$$
$$\mathbb{F}_{p^{12}} = \mathbb{F}_{p^6}[\theta]/(\theta^2 - \tau).$$
Here $p$ is prime, $p - 1$ must be divisible by 4, and $c$ must be a quadratic and cubic non-residue in $\mathbb{F}_p$. Note that each binomial after the first takes an element built from the root of the previous binomial ($\xi = \omega + 1$, then $\tau$) as its constant; this is the conventional construction that our proposal departs from.

III. PROPOSAL

In this section we construct the extension field of degree 18 as a tower of three sub-extension fields. The sextic twist of the degree-18 curve is defined over $\mathbb{F}_{p^3}$, so $\mathbb{F}_{p^3}$ is taken as the base field for constructing $\mathbb{F}_{((p^3)^2)^3}$ in our proposal. Fig. 1 shows the top-level overview of the tower.

Fig. 1. Construction overview of $\mathbb{F}_{((p^3)^2)^3}$.

A. Arithmetic operations over extension field $\mathbb{F}_{p^3}$

At first, let us consider arithmetic in $\mathbb{F}_{p^3}$, the degree-3 extension of $\mathbb{F}_p$. To perform arithmetic in $\mathbb{F}_{p^3}$ we need an irreducible polynomial $f(x)$ of degree 3 over $\mathbb{F}_p$, and an irreducible binomial is the most efficient choice of modular reduction polynomial. Such a binomial is found with the cubic residue symbol, the cubic analogue of the Legendre symbol. Let $3 \mid (p - 1)$ and let $c_1 \in \mathbb{F}_p$; then
$$\left(\frac{c_1}{p}\right)_3 = \begin{cases} 0, & c_1 = 0, \\ \mathrm{CPR}, & c_1^{(p-1)/3} = 1, \\ \mathrm{CPNR}, & \text{otherwise}, \end{cases} \qquad (3)$$
where CPR and CPNR abbreviate cubic power residue and cubic power non-residue, respectively. If $c_1$ has no cube root in $\mathbb{F}_p$, i.e. it is a CPNR, then $f(x) = x^3 - c_1$ is an irreducible binomial over $\mathbb{F}_p$. Let $\omega$ be a zero of $f(x)$, an element of $\mathbb{F}_{p^3}$. The set $\{1, \omega, \omega^2\}$ then forms a polynomial basis of $\mathbb{F}_{p^3}$ over $\mathbb{F}_p$, and two arbitrary elements $a, b \in \mathbb{F}_{p^3}$ are represented as
$$a = a_0 + a_1\omega + a_2\omega^2, \quad b = b_0 + b_1\omega + b_2\omega^2, \quad a_i, b_j \in \mathbb{F}_p.$$

1) Addition and subtraction in $\mathbb{F}_{p^3}$: Addition, subtraction and multiplication by a scalar are carried out coefficient-wise over $\mathbb{F}_p$:
$$a \pm b = (a_0 \pm b_0,\ a_1 \pm b_1,\ a_2 \pm b_2), \qquad (4)$$
$$ka = (ka_0,\ ka_1,\ ka_2), \quad k \in \mathbb{F}_p. \qquad (5)$$

2) Multiplication in $\mathbb{F}_{p^3}$: The product of two arbitrary vectors is
$$ab = (a_0 + a_1\omega + a_2\omega^2)(b_0 + b_1\omega + b_2\omega^2) = a_0b_0 + (a_0b_1 + a_1b_0)\omega + (a_0b_2 + a_1b_1 + a_2b_0)\omega^2 + (a_1b_2 + a_2b_1)\omega^3 + a_2b_2\omega^4. \qquad (6)$$
Evaluated directly, Eq. (6) needs 9 multiplications and 4 additions in $\mathbb{F}_p$. To reduce the number of multiplications we apply the fast polynomial multiplication introduced in [17]: first compute the auxiliary products
$$A_0 = a_0b_0, \quad A_1 = a_1b_1, \quad A_2 = a_2b_2, \quad A_3 = (a_0 + a_1)(b_0 + b_1), \quad A_4 = (a_0 + a_2)(b_0 + b_2), \quad A_5 = (a_1 + a_2)(b_1 + b_2), \qquad (7)$$
and write $ab = t(\omega) = \sum_{i=0}^{4} t_i\omega^i$. The coefficients $t_i$ are then only additions and subtractions of the $A_i$:
$$\begin{aligned} t_0 &= A_0, \\ t_1 &= A_3 - A_1 - A_0 = (a_0b_0 + a_0b_1 + a_1b_0 + a_1b_1) - a_1b_1 - a_0b_0, \\ t_2 &= A_4 - A_2 - A_0 + A_1 = (a_0b_0 + a_0b_2 + a_2b_0 + a_2b_2) - a_2b_2 - a_0b_0 + a_1b_1, \\ t_3 &= A_5 - A_1 - A_2 = (a_1b_1 + a_1b_2 + a_2b_1 + a_2b_2) - a_1b_1 - a_2b_2, \\ t_4 &= A_2. \end{aligned} \qquad (8)$$
Counting subtractions as additions, only 6 multiplications and 13 additions in $\mathbb{F}_p$ are required to multiply two arbitrary vectors in $\mathbb{F}_{p^3}$. Compared with Eq. (6) this accelerates the vector multiplication, since on most processors a multiplication is slower than an addition. Substituting $\omega^3 = c_1$, which follows from $f(\omega) = 0$ for $f(x) = x^3 - c_1$, the product becomes
$$ab = t_0 + t_1\omega + t_2\omega^2 + t_3\omega^3 + t_4\omega^4 = (t_0 + c_1t_3) + (t_1 + c_1t_4)\omega + t_2\omega^2. \qquad (9)$$
This requires 2 more $\mathbb{F}_p$ additions. Multiplication by $c_1$ adds no $\mathbb{F}_p$ multiplication when $c_1$ is small, e.g. $c_1 = 2$, since it can be done by a bit shift. In total, 6 multiplications and 15 additions in $\mathbb{F}_p$ are required to multiply two elements of $\mathbb{F}_{p^3}$.

3) Squaring in $\mathbb{F}_{p^3}$: Squaring of an $\mathbb{F}_{p^3}$ element $A$ is performed with the Chung-Hasan method [18]:
$$A^2 = (a_0 + a_1\omega + a_2\omega^2)^2 = (a_0^2 + 2c_1a_1a_2) + (2a_0a_1 + c_1a_2^2)\omega + \big[(a_0 + a_1 + a_2)^2 - (a_0^2 + a_2^2 + 2a_1a_2 + 2a_0a_1)\big]\omega^2. \qquad (10)$$
In what follows, let Eq. (10) be written as $A^2 = S_1 + S_2\omega + S_3\omega^2$. The following terms are computed once to reduce the number of operations: $T_1 = 2a_1$, $T_2 = a_0^2$, $T_3 = a_2^2$, $T_4 = T_1a_2$, $T_5 = T_1a_0$, $T_6 = (a_0 + a_1 + a_2)^2$. Then
$$S_1 = T_2 + c_1T_4, \qquad (11a)$$
$$S_2 = T_5 + c_1T_3, \qquad (11b)$$
$$S_3 = T_6 - (T_2 + T_3 + T_4 + T_5). \qquad (11c)$$
When $c_1 = 2$, a squaring in $\mathbb{F}_{p^3}$ costs 2 multiplications, 3 squarings and 8 additions in $\mathbb{F}_p$ plus 2 bit-wise left shifts.

4) Vector inversion in $\mathbb{F}_{p^3}$: The inverse $a^{-1} \in \mathbb{F}_{p^3}$ is calculated using the Frobenius mapping (FM) $\pi(a)$. First the conjugates $a^p, a^{p^2}$ of $a$ are found by applying the FM; then
$$a^{-1} = n(a)^{-1}\,(a^pa^{p^2}), \qquad (12)$$
where $n(a) = a\,a^pa^{p^2} \in \mathbb{F}_p^*$ is the product of the conjugates. The conjugate $a^p$ is computed easily using $\omega^3 = c_1$ and $a_i^p = a_i$ for $a_i \in \mathbb{F}_p$:
$$\begin{aligned} a^p = (a_0 + a_1\omega + a_2\omega^2)^p &= (a_0 + a_1\omega)^p + (a_2\omega^2)^p \\ &= a_0 + a_1(\omega^3)^{\frac{p-1}{3}}\omega + a_2\big((\omega^3)^{\frac{p-1}{3}}\big)^2\omega^2 \\ &= a_0 + a_1c_1^{\frac{p-1}{3}}\omega + a_2\big(c_1^{\frac{p-1}{3}}\big)^2\omega^2 \\ &= a_0 + a_1c'_1\omega + a_2c''_1\omega^2 \\ &= a_0 + a'_1\omega + a'_2\omega^2, \end{aligned} \qquad (13)$$
where $a'_1, a'_2 \in \mathbb{F}_p$, $c'_1 = c_1^{(p-1)/3}$ is already known from Eq. (3) and $c''_1 = (c'_1)^2$ can be precomputed. This costs 2 multiplications in $\mathbb{F}_p$. The other conjugate $a^{p^2}$ is computed by the same procedure at the same cost:
$$a^{p^2} = (a^p)^p = (a_0 + a'_1\omega + a'_2\omega^2)^p = a_0 + a'_1c'_1\omega + a'_2c''_1\omega^2 = a_0 + a''_1\omega + a''_2\omega^2, \qquad (14)$$
where $a''_1, a''_2 \in \mathbb{F}_p$. Before computing $n(a)$ we first compute the product $a^pa^{p^2}$ as in Eq. (6):
$$a^pa^{p^2} = (a_0 + a'_1\omega + a'_2\omega^2)(a_0 + a''_1\omega + a''_2\omega^2). \qquad (15)$$
Let $T = a^pa^{p^2} = (t_0, t_1, t_2)$ and $n(a) = s = aT$; then the inverse of $a$ is $a^{-1} = s^{-1}T$, where the non-zero scalar $s$ has the vector representation $(s, 0, 0)$. Since $c'_1$ is a primitive cube root of unity, $(c'_1)^3 = 1$ and $(c'_1)^2 + c'_1 + 1 = 0$, so $a^p$ and $a^{p^2}$ can be written as
$$a^p = (a_0,\ c'_1a_1,\ (c'_1)^2a_2) = (a_0,\ c'_1a_1,\ -a_2 - c'_1a_2), \qquad (16a)$$
$$a^{p^2} = (a_0,\ (c'_1)^2a_1,\ c'_1a_2) = (a_0,\ -a_1 - c'_1a_1,\ c'_1a_2). \qquad (16b)$$
Now consider the variables $T_0, \cdots, T_5$ (these are distinct from the $T_i$ of the squaring above):
$$\begin{aligned} T_0 &= a_0^2, \quad T_1 = a_1^2, \quad T_2 = a_2^2, \\ T_3 &= (c'_1a_1 + (c'_1)^2a_2)((c'_1)^2a_1 + c'_1a_2) = a_1^2 - a_1a_2 + a_2^2, \\ T_4 &= (a_0 + c'_1a_1)(a_0 + (c'_1)^2a_1) = a_0^2 - a_0a_1 + a_1^2, \\ T_5 &= (a_0 + (c'_1)^2a_2)(a_0 + c'_1a_2) = a_0^2 - a_0a_2 + a_2^2. \end{aligned} \qquad (17)$$
The coefficients of $T = (t_0, t_1, t_2)$ are then obtained as
$$t_0 = T_0 + c_1(T_3 - T_1 - T_2) = a_0^2 - c_1a_1a_2, \qquad (18a)$$
$$t_1 = T_4 - T_0 - T_1 + c_1T_2 = c_1a_2^2 - a_0a_1, \qquad (18b)$$
$$t_2 = T_5 - T_0 - T_2 + T_1 = a_1^2 - a_0a_2. \qquad (18c)$$
Computing $t_0, t_1, t_2$ costs 3 multiplications, 3 squarings, 3 additions and 2 bit shifts. Since $s = aT = (s, 0, 0)$ has only a constant term, it is obtained as $s = a_0t_0 + c_1(a_1t_2 + a_2t_1)$, which costs 3 multiplications, 2 additions and 1 bit shift. Finally, the inversion of the scalar $s$ and the multiplication of $s^{-1}$ into the vector $T = a^pa^{p^2}$ take 1 inversion and 3 multiplications in $\mathbb{F}_p$ by the distributive law. The total cost of an inversion in $\mathbb{F}_{p^3}$ is therefore 9 multiplications, 3 squarings, 5 additions, 3 bit shifts and 1 inversion in $\mathbb{F}_p$.

B. Arithmetic operations over extension field $\mathbb{F}_{(p^3)^2}$

$\mathbb{F}_{(p^3)^2}$ is constructed with the irreducible binomial $g(x) = x^2 - c_2$, where $c_2 \in \mathbb{F}_p$. This is where the proposal differs from the existing towering method, which uses $x^2 - \omega$ as the irreducible polynomial of $\mathbb{F}_{p^6}$; that is, the root of the irreducible binomial of $\mathbb{F}_{p^3}$ becomes the constant of the irreducible binomial of $\mathbb{F}_{p^6}$. In the proposed approach such a binomial is obtained by applying the Legendre symbol $(c_2/p)$ over $\mathbb{F}_p$. Let $\tau \in \mathbb{F}_{(p^3)^2}$ be a zero of $g(x)$; then the set $\{1, \tau\}$ forms the polynomial basis of $\mathbb{F}_{(p^3)^2}$ over $\mathbb{F}_{p^3}$. Choosing $p \equiv 3 \pmod 4$ accelerates the arithmetic significantly: $-1$ is then a quadratic non-residue in $\mathbb{F}_p$, and because the extension degree $[\mathbb{F}_{p^3} : \mathbb{F}_p] = 3$ is odd it remains a non-residue in $\mathbb{F}_{p^3}$, so $g(x) = x^2 + 1$ is irreducible over $\mathbb{F}_{p^3}$ and multiplication by $c_2 = -1$ is a mere sign change. Let $m, n$ be two arbitrary elements of $\mathbb{F}_{(p^3)^2}$:
$$m = a_0 + a_1\tau, \quad n = b_0 + b_1\tau, \quad a_i, b_j \in \mathbb{F}_{p^3}.$$
Addition and subtraction are done coefficient-wise, as in $\mathbb{F}_{p^3}$. Multiplication of $m$ and $n$ is done as follows:
$$mn = (a_0 + a_1\tau)(b_0 + b_1\tau) = a_0b_0 + (a_0b_1 + a_1b_0)\tau + a_1b_1\tau^2 = (a_0b_0 + c_2a_1b_1) + (a_0b_1 + a_1b_0)\tau \qquad (19)$$
$$= (a_0b_0 + c_2a_1b_1) + \big[(a_0 + a_1)(b_0 + b_1) - a_0b_0 - a_1b_1\big]\tau. \qquad (20)$$
Here the Karatsuba method [19] is applied, and $\tau^2 = c_2$ is substituted because $\tau$ is a zero of $g(x) = x^2 - c_2$. Since $p \equiv 3 \pmod 4$, $c_2$ is simply replaced by $-1$, so multiplication by $c_2$ costs nothing in $\mathbb{F}_p$, and the products $a_0b_0$ and $a_1b_1$ are reused. Counting subtractions as additions, 3 multiplications and 5 additions in $\mathbb{F}_{p^3}$ are therefore needed to multiply two vectors in $\mathbb{F}_{(p^3)^2}$.

1) Vector inversion in $\mathbb{F}_{(p^3)^2}$: To compute the multiplicative inverse of a non-zero vector $m \in \mathbb{F}_{(p^3)^2}$, we first compute its conjugate, given by the Frobenius mapping $\pi_{p^3}(m) = m^{p^3}$. Then $m^{-1}$ is calculated as
$$m^{-1} = n(m)^{-1}\,m^{p^3}, \qquad (21)$$
where $m, m^{p^3}$ are the conjugates and $n(m) = m\,m^{p^3}$ is their product. The FM of $m$ is easily computed using the binomial $g(x)$, since $a_0, a_1 \in \mathbb{F}_{p^3}$ are fixed by the $p^3$-th power map:
$$(a_0 + a_1\tau)^{p^3} = a_0 + a_1\tau^{p^3} = a_0 + a_1(\tau^2)^{\frac{p^3-1}{2}}\tau = a_0 + a_1c_2^{\frac{p^3-1}{2}}\tau = a_0 - a_1\tau, \qquad (22)$$
where the modular relation $\tau^2 = c_2$ and $c_2 = -1$ are substituted; $(p^3 - 1)/2$ is odd when $p \equiv 3 \pmod 4$, so $(-1)^{(p^3-1)/2} = -1$. In other words, the conjugate of $m$ is $a_0 - a_1\tau$, and no addition or multiplication is required. The product $n(m) = m\,m^{p^3}$ is then
$$n(m) = (a_0 + a_1\tau)(a_0 - a_1\tau) = a_0^2 - a_1^2\tau^2 = a_0^2 - c_2a_1^2 = a_0^2 + a_1^2. \qquad (23)$$
This requires 2 squarings and 1 addition in $\mathbb{F}_{p^3}$. Since $n(m)$ contains no $\tau$ term, $n(m) \in \mathbb{F}_{p^3}$, and $n(m)^{-1}$ is computed over $\mathbb{F}_{p^3}$ using Eq. (12). In total, 2 multiplications, 2 squarings, 1 inversion and 1 addition in $\mathbb{F}_{p^3}$ are required to obtain an inverse in $\mathbb{F}_{(p^3)^2}$.

C. Arithmetic operations over extension field $\mathbb{F}_{((p^3)^2)^3}$

To construct the arithmetic of $\mathbb{F}_{((p^3)^2)^3}$, consider the irreducible binomial $h(x) = x^3 - \omega$, where $\omega \in \mathbb{F}_{p^3}$ is the root of $f(x)$. A cubic binomial is irreducible exactly when its constant is not a cube in the base field, so $h(x)$ is irreducible over $\mathbb{F}_{(p^3)^2}$ precisely when $\omega^{(p^6-1)/3} = c_1^{(p^6-1)/9} \ne 1$, a condition that is checked once when the parameters are chosen. Let $\theta \in \mathbb{F}_{((p^3)^2)^3}$ be a root of $h(x)$; then the set $\{1, \theta, \theta^2\}$ forms the polynomial basis of $\mathbb{F}_{((p^3)^2)^3}$ over $\mathbb{F}_{(p^3)^2}$. Let $u, v$ be two arbitrary elements of $\mathbb{F}_{((p^3)^2)^3}$:
$$u = m_0 + m_1\theta + m_2\theta^2, \quad v = n_0 + n_1\theta + n_2\theta^2, \quad m_i, n_j \in \mathbb{F}_{(p^3)^2}.$$
In $\mathbb{F}_{((p^3)^2)^3}$, vector addition and subtraction are performed coefficient-wise over $\mathbb{F}_{(p^3)^2}$. Multiplication of $u$ and $v$ is performed using $h(x)$:
$$uv = (m_0 + m_1\theta + m_2\theta^2)(n_0 + n_1\theta + n_2\theta^2). \qquad (24)$$
Applying the fast polynomial multiplication of Eq. (7) and Eq. (8), with $m_i, n_j$ in place of $a_i, b_j$ and coefficients $t'_i \in \mathbb{F}_{(p^3)^2}$, and then substituting $\theta^3 = \omega$, we need 6 multiplications and 15 additions in $\mathbb{F}_{(p^3)^2}$:
$$uv = t'_0 + t'_1\theta + t'_2\theta^2 + t'_3\theta^3 + t'_4\theta^4 = (t'_0 + \omega t'_3) + (t'_1 + \omega t'_4)\theta + t'_2\theta^2. \qquad (25)$$
Multiplication by the basis element $\omega$ in Eq. (25) does not add to the multiplication count: for $x = x_0 + x_1\omega + x_2\omega^2 \in \mathbb{F}_{p^3}$ we have $x\omega = c_1x_2 + x_0\omega + x_1\omega^2$, i.e. a rotation of the coefficients and one multiplication by the small constant $c_1$, which for $c_1 = 2$ is a bit shift; it is applied to both $\mathbb{F}_{p^3}$ coordinates of an $\mathbb{F}_{(p^3)^2}$ element.

1) Vector inversion in $\mathbb{F}_{((p^3)^2)^3}$: Inversion of an $\mathbb{F}_{((p^3)^2)^3}$ vector follows the same steps as inversion in $\mathbb{F}_{p^3}$. For a non-zero vector $v \in \mathbb{F}_{((p^3)^2)^3}$ we first find the conjugates $v^{p^6}, v^{p^{12}}$ of $v$ by applying the FM; then
$$v^{-1} = n(v)^{-1}\,(v^{p^6}v^{p^{12}}), \qquad (26)$$
where $v, v^{p^6}, v^{p^{12}}$ are the conjugates over $\mathbb{F}_{p^6}$ and $n(v) = v\,v^{p^6}v^{p^{12}} \in \mathbb{F}_{p^6}^*$ is their product. We first compute $\pi_{p^6}(v) = (n_0 + n_1\theta + n_2\theta^2)^{p^6}$ using the binomial $h(x)$, noting that $n_i \in \mathbb{F}_{p^6}$ are fixed by the $p^6$-th power map and that $9 \mid (p^6 - 1)$ since $3 \mid (p - 1)$:
$$\begin{aligned} v^{p^6} = (n_0 + n_1\theta + n_2\theta^2)^{p^6} &= (n_0 + n_1\theta)^{p^6} + (n_2\theta^2)^{p^6} \\ &= n_0 + n_1(\theta^3)^{\frac{p^6-1}{3}}\theta + n_2\big((\theta^3)^{\frac{p^6-1}{3}}\big)^2\theta^2 \\ &= n_0 + n_1\omega^{\frac{p^6-1}{3}}\theta + n_2\big(\omega^{\frac{p^6-1}{3}}\big)^2\theta^2 \\ &= n_0 + n_1(\omega^3)^{\frac{p^6-1}{9}}\theta + n_2\big((\omega^3)^{\frac{p^6-1}{9}}\big)^2\theta^2 \\ &= n_0 + n_1c_1^{\frac{p^6-1}{9}}\theta + n_2\big(c_1^{\frac{p^6-1}{9}}\big)^2\theta^2 \\ &= n_0 + n_1c'_\omega\theta + n_2c''_\omega\theta^2 \\ &= n_0 + n'_1\theta + n'_2\theta^2, \end{aligned} \qquad (27)$$
where $n'_1, n'_2 \in \mathbb{F}_{(p^3)^2}$, and $c'_\omega = c_1^{(p^6-1)/9} \in \mathbb{F}_p$ and $c''_\omega = (c'_\omega)^2$ can be precomputed. Only the two scalings $n_1c'_\omega$ and $n_2c''_\omega$, multiplications of $\mathbb{F}_{p^6}$ coordinates by precomputed $\mathbb{F}_p$ constants, are required. The other conjugate $v^{p^{12}}$ is computed by the same procedure at the same cost:
$$v^{p^{12}} = (v^{p^6})^{p^6} = (n_0 + n'_1\theta + n'_2\theta^2)^{p^6} = n_0 + n'_1c'_\omega\theta + n'_2c''_\omega\theta^2 = n_0 + n''_1\theta + n''_2\theta^2. \qquad (28)$$
The product $v^{p^6}v^{p^{12}}$, computed as in Eq. (25), costs 6 multiplications and 15 additions in $\mathbb{F}_{(p^3)^2}$:
$$v^{p^6}v^{p^{12}} = (n_0 + n'_1\theta + n'_2\theta^2)(n_0 + n''_1\theta + n''_2\theta^2). \qquad (29)$$
The remaining procedure is identical to the $\mathbb{F}_{p^3}$ vector inversion, with $\mathbb{F}_{p^6}$ in place of $\mathbb{F}_p$ and $\omega$ in place of $c_1$, and gives the same operation counts in $\mathbb{F}_{p^6}$. The total cost of one vector inversion in $\mathbb{F}_{p^{18}}$ is therefore 9 multiplications, 3 squarings, 5 additions, 3 multiplications by $\omega$ (each a coefficient rotation plus a shift when $c_1 = 2$) and 1 inversion in $\mathbb{F}_{p^6}$.

The main focus of this proposal is the construction of $\mathbb{F}_{p^{18}}$ by a new towering approach that leads to efficient arithmetic. Sub-field isomorphic group arithmetic or the Cyclic Vector Multiplication Algorithm (CVMA) could also be applied to reduce the number of additions and multiplications at each level of the tower, which would make this construction more efficient still, but that is outside the scope of this paper. Table I shows the environment used to implement and evaluate the proposed method.

TABLE I
COMPUTATIONAL ENVIRONMENT

PC
  CPU                   2.7 GHz Intel Core i5*
  Memory                16 GB
  OS                    Mac OS X 10.11.4
  Compiler              gcc 4.2.1
  Programming Language  C
  Library               GNU MP
* Only a single core is used from the two cores.
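The complete tower of Sections III-A to III-C, as an added example that is not the authors' implementation (their code is C with GNU MP and is not reproduced on this page). It is a toy model in Python with the hypothetical parameters $p = 19$, $c_1 = 2$ and $c_2 = -1$: $p = 19$ is chosen only because $p \equiv 3 \pmod 4$ and $3 \mid p - 1$ hold, it is not a pairing-friendly prime, and none of the values below come from the paper. The block implements Eq. (7)-(9), (10)-(11), (12)-(18), (19)-(23) and (24)-(29), counts $\mathbb{F}_p$ multiplications in the paper's convention (scalings by the constants $c_1, c'_1, c''_1, c'_\omega, c''_\omega$ and the rotation by $\omega$ are not counted), and cross-checks each Frobenius formula against a plain square-and-multiply exponentiation. All function and constant names are my own.

```python
# Added example, not the authors' code: toy model of F_p -> F_p3 -> F_(p3)2 -> F_((p3)2)3.
# p = 19 is a deliberately tiny prime with p = 3 (mod 4) and 3 | p-1 (hypothetical, not pairing-friendly).
P, C1 = 19, 2
MULS = [0]                                   # counts F_p multiplications (constant scalings excluded)

def fp_mul(a, b):
    MULS[0] += 1
    return a * b % P

def is_cpnr(c):                              # Eq (3): cubic power non-residue test
    return pow(c, (P - 1) // 3, P) != 1

# ---- F_p3 = F_p[w]/(w^3 - c1); element = (a0, a1, a2) ----
C1P = pow(C1, (P - 1) // 3, P)               # c1'  = c1^((p-1)/3), a primitive cube root of unity
C1PP = C1P * C1P % P                         # c1'' = (c1')^2
F3_ZERO, F3_ONE = (0, 0, 0), (1, 0, 0)
def f3_add(a, b): return tuple((x + y) % P for x, y in zip(a, b))
def f3_sub(a, b): return tuple((x - y) % P for x, y in zip(a, b))
def f3_mul_w(a):  return (C1 * a[2] % P, a[0], a[1])   # x*w: coefficient rotation; c1 = 2 is a shift

def f3_mul(a, b):                            # Eq (7)-(9): 6 multiplications in F_p
    A0, A1, A2 = fp_mul(a[0], b[0]), fp_mul(a[1], b[1]), fp_mul(a[2], b[2])
    A3 = fp_mul((a[0] + a[1]) % P, (b[0] + b[1]) % P)
    A4 = fp_mul((a[0] + a[2]) % P, (b[0] + b[2]) % P)
    A5 = fp_mul((a[1] + a[2]) % P, (b[1] + b[2]) % P)
    t1, t2, t3 = A3 - A1 - A0, A4 - A2 - A0 + A1, A5 - A1 - A2
    return ((A0 + C1 * t3) % P, (t1 + C1 * A2) % P, t2 % P)

def f3_sqr(a):                               # Eq (10)-(11), Chung-Hasan: 2 multiplications, 3 squarings
    a0, a1, a2 = a
    T1, T2, T3, T6 = 2 * a1 % P, a0 * a0 % P, a2 * a2 % P, (a0 + a1 + a2) ** 2 % P
    T4, T5 = fp_mul(T1, a2), fp_mul(T1, a0)
    return ((T2 + C1 * T4) % P, (T5 + C1 * T3) % P, (T6 - (T2 + T3 + T4 + T5)) % P)

def f3_frob(a):                              # Eq (13): a^p = (a0, c1' a1, c1'' a2)
    return (a[0], C1P * a[1] % P, C1PP * a[2] % P)

def f3_inv(a):                               # Eq (12), (16)-(18): a^-1 = n(a)^-1 * a^p * a^(p^2)
    a0, a1, a2 = a
    T0, T1, T2 = a0 * a0 % P, a1 * a1 % P, a2 * a2 % P
    T3 = fp_mul((C1P * a1 + C1PP * a2) % P, (C1PP * a1 + C1P * a2) % P)   # = a1^2 - a1 a2 + a2^2
    T4 = fp_mul((a0 + C1P * a1) % P, (a0 + C1PP * a1) % P)               # = a0^2 - a0 a1 + a1^2
    T5 = fp_mul((a0 + C1PP * a2) % P, (a0 + C1P * a2) % P)               # = a0^2 - a0 a2 + a2^2
    T = ((T0 + C1 * (T3 - T1 - T2)) % P, (T4 - T0 - T1 + C1 * T2) % P, (T5 - T0 - T2 + T1) % P)
    s = (fp_mul(a0, T[0]) + C1 * (fp_mul(a1, T[2]) + fp_mul(a2, T[1]))) % P  # n(a) = a*T, in F_p
    si = pow(s, P - 2, P)
    return tuple(fp_mul(si, t) for t in T)

# ---- F_p6 = F_p3[tau]/(tau^2 + 1); element = (x0, x1), xi in F_p3 ----
F6_ZERO, F6_ONE = (F3_ZERO, F3_ZERO), (F3_ONE, F3_ZERO)
def f6_add(m, n): return (f3_add(m[0], n[0]), f3_add(m[1], n[1]))
def f6_sub(m, n): return (f3_sub(m[0], n[0]), f3_sub(m[1], n[1]))
def f6_mul_w(m):  return (f3_mul_w(m[0]), f3_mul_w(m[1]))
def f6_scale(m, k): return tuple(tuple(k * x % P for x in c) for c in m)   # F_p constant times F_p6

def f6_mul(m, n):                            # Eq (19)-(20), Karatsuba with c2 = -1: 3 multiplications in F_p3
    v0, v1 = f3_mul(m[0], n[0]), f3_mul(m[1], n[1])
    v2 = f3_mul(f3_add(m[0], m[1]), f3_add(n[0], n[1]))
    return (f3_sub(v0, v1), f3_sub(f3_sub(v2, v0), v1))

def f6_frob3(m):                             # Eq (22): m^(p^3) = a0 - a1 tau
    return (m[0], f3_sub(F3_ZERO, m[1]))

def f6_inv(m):                               # Eq (21)-(23): n(m) = a0^2 + a1^2 lies in F_p3
    si = f3_inv(f3_add(f3_sqr(m[0]), f3_sqr(m[1])))
    return (f3_mul(si, m[0]), f3_mul(si, f3_sub(F3_ZERO, m[1])))

# ---- F_p18 = F_p6[theta]/(theta^3 - w); element = (n0, n1, n2), ni in F_p6 ----
CW = pow(C1, (P ** 6 - 1) // 9, P)           # c_w' = c1^((p^6-1)/9); CW != 1 <=> w is not a cube in F_p6
CWW = CW * CW % P
F18_ONE = (F6_ONE, F6_ZERO, F6_ZERO)

def f18_mul(u, v):                           # Eq (24)-(25): 6 multiplications in F_p6, theta^3 = w
    A0, A1, A2 = f6_mul(u[0], v[0]), f6_mul(u[1], v[1]), f6_mul(u[2], v[2])
    A3 = f6_mul(f6_add(u[0], u[1]), f6_add(v[0], v[1]))
    A4 = f6_mul(f6_add(u[0], u[2]), f6_add(v[0], v[2]))
    A5 = f6_mul(f6_add(u[1], u[2]), f6_add(v[1], v[2]))
    t1 = f6_sub(f6_sub(A3, A1), A0)
    t2 = f6_add(f6_sub(f6_sub(A4, A2), A0), A1)
    t3 = f6_sub(f6_sub(A5, A1), A2)
    return (f6_add(A0, f6_mul_w(t3)), f6_add(t1, f6_mul_w(A2)), t2)

def f18_frob6(v):                            # Eq (27): v^(p^6) = n0 + c_w' n1 theta + c_w'' n2 theta^2
    return (v[0], f6_scale(v[1], CW), f6_scale(v[2], CWW))

def f18_inv(v):                              # Eq (26), (29): v^-1 = n(v)^-1 * v^(p^6) * v^(p^12)
    vp = f18_frob6(v)
    T = f18_mul(vp, f18_frob6(vp))
    s = f6_add(f6_mul(v[0], T[0]), f6_mul_w(f6_add(f6_mul(v[1], T[2]), f6_mul(v[2], T[1]))))  # n(v) in F_p6
    si = f6_inv(s)
    return tuple(f6_mul(si, t) for t in T)

def generic_pow(mul, one, x, e):             # square-and-multiply; used only to cross-check the Frobenius formulas
    r = one
    while e:
        if e & 1: r = mul(r, x)
        x, e = mul(x, x), e >> 1
    return r

def count_fp_muls(fn, *args):                # run fn and return (result, number of F_p multiplications used)
    MULS[0] = 0
    r = fn(*args)
    return r, MULS[0]
```

Before trusting any tower parameter set, run the three irreducibility checks the formulas silently assume: `is_cpnr(C1)` (so $x^3 - c_1$ is irreducible over $\mathbb{F}_p$), $p \equiv 3 \pmod 4$ (so $x^2 + 1$ is irreducible over $\mathbb{F}_{p^3}$), and `CW != 1` (so $x^3 - \omega$ is irreducible over $\mathbb{F}_{p^6}$). With these parameters `count_fp_muls(f18_mul, v, v)` reports the 108 $\mathbb{F}_p$ multiplications of Table II, i.e. $6 \times 3 \times 6$ across the three levels.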
IV. RESULT EVALUATION

In the experiment we used a Kachisa-Schaefer-Scott (KSS) [20] pairing-friendly curve with embedding degree $k = 18$ at the 192-bit security level. The prime $p$ is 511 bits long and the curve is $y^2 = x^3 + 11$. In what follows, $m$, $s$, $a$ and $i$ denote the costs of a multiplication, squaring, addition and inversion in $\mathbb{F}_p$, respectively; bit-shift operations are not counted in the final operation counts. Table II shows the calculation cost as operation counts and Table III shows the execution times.

TABLE II
$\mathbb{F}_{((p^3)^2)^3}$ OPERATION COUNT

Operation                                    Cost in $\mathbb{F}_p$
1 inversion in $\mathbb{F}_{p^{18}}$         199m + 9s + 660a + 1i
1 multiplication in $\mathbb{F}_{p^{18}}$    108m + 402a

TABLE III
EXECUTION TIME [ms] FOR INVERSION AND MULTIPLICATION IN $\mathbb{F}_{((p^3)^2)^3}$

Operation        Execution time [ms]
Inversion        5.4 × 10^-1
Multiplication   3.3 × 10^-1

From Table II we find that only 199 multiplications, 9 squarings, 660 additions and 1 inversion in $\mathbb{F}_p$ are required for one inversion in $\mathbb{F}_{p^{18}}$. The 108 multiplications for one $\mathbb{F}_{p^{18}}$ multiplication follow directly from the per-level counts: 6 multiplications in $\mathbb{F}_{p^6}$, each costing 3 in $\mathbb{F}_{p^3}$, each costing 6 in $\mathbb{F}_p$. A competitive towering scheme presented by Aranha et al. [21] uses sub-field isomorphic groups to reduce the number of arithmetic operations; such sub-field isomorphic rational point group techniques can also be applied to the proposed towering approach, which we leave as future work.

V. CONCLUSION AND FUTURE WORK

In this paper we have presented a new towering scheme for constructing $\mathbb{F}_{p^{18}}$ extension field arithmetic. This towering approach is one of the most important steps in building the basis of pairing-based cryptography over an extension field of degree 18. The paper also presented the mathematical derivation for efficiently constructing the $\mathbb{F}_{((p^3)^2)^3}$ extension field so as to accelerate arithmetic in $\mathbb{F}_{p^{18}}$. Its main focus was the new towering technique together with its implementation procedure, which can be used to perform the operations of pairing-based cryptography efficiently. As future work, we would like to reduce the number of arithmetic operations further by applying the sub-field isomorphic rational point group technique to the proposed tower, and to implement pairing algorithms on top of it in practical settings.

ACKNOWLEDGMENT

This work is partially supported by the Strategic Information and Communications R&D Promotion Programme (SCOPE) of the Ministry of Internal Affairs and Communications, Japan.

REFERENCES

[1] N. Koblitz, "Elliptic curve cryptosystems," Mathematics of Computation, vol. 48, no. 177, pp. 203–209, 1987.
[2] R. Sakai and M. Kasahara, "ID based cryptosystems with pairing on elliptic curve," IACR Cryptology ePrint Archive, vol. 2003, p. 54, 2003.
[3] A. Joux, "A one round protocol for tripartite Diffie–Hellman," in International Algorithmic Number Theory Symposium, pp. 385–393, Springer, 2000.
[4] D. Boneh, B. Lynn, and H. Shacham, "Short signatures from the Weil pairing," in Advances in Cryptology–ASIACRYPT 2001, pp. 514–532, Springer, 2001.
[5] D. Boneh, X. Boyen, and H. Shacham, "Short group signatures," in Advances in Cryptology–CRYPTO 2004, pp. 41–55, Springer, 2004.
[6] T. Nakanishi and N. Funabiki, "Verifier-local revocation group signature schemes with backward unlinkability from bilinear maps," in Advances in Cryptology–ASIACRYPT 2005, pp. 533–548, Springer, 2005.
[7] D. Boneh, C. Gentry, and B. Waters, "Collusion resistant broadcast encryption with short ciphertexts and private keys," in Advances in Cryptology–CRYPTO 2005, pp. 258–275, Springer, 2005.
[8] V. S. Miller, "The Weil pairing, and its efficient calculation," Journal of Cryptology, vol. 17, no. 4, pp. 235–261, 2004.
[9] F. Vercauteren, "Optimal pairings," IEEE Transactions on Information Theory, vol. 56, no. 1, pp. 455–461, 2010.
[10] F. Hess, N. P. Smart, and F. Vercauteren, "The eta pairing revisited," IEEE Transactions on Information Theory, vol. 52, no. 10, pp. 4595–4602, 2006.
[11] Y. Nogami, M. Akane, Y. Sakemi, H. Katou, and Y. Morikawa, "Integer variable chi-based ate pairing," in Pairing-Based Cryptography – Pairing 2008, Second International Conference, Egham, UK, September 1-3, 2008, Proceedings, pp. 178–191, 2008.
[12] J. H. Silverman, G. Cornell, and M. Artin, Arithmetic Geometry. Springer, 1986.
[13] D. Freeman, M. Scott, and E. Teske, "A taxonomy of pairing-friendly elliptic curves," Journal of Cryptology, vol. 23, no. 2, pp. 224–280, 2010.
[14] N. Benger and M. Scott, "Constructing tower extensions of finite fields for implementation of pairing-based cryptography," in Arithmetic of Finite Fields, pp. 180–195, Springer, 2010.
[15] H. Lane, "Draft standard for identity-based public-key cryptography using pairings," IEEE P1636, vol. 3, p. D1, 2008.
[16] P. S. L. M. Barreto and M. Naehrig, "Pairing-friendly elliptic curves of prime order," in Selected Areas in Cryptography, 12th International Workshop, SAC 2005, Kingston, ON, Canada, August 11-12, 2005, Revised Selected Papers, pp. 319–331, 2005.
[17] D. V. Bailey and C. Paar, "Efficient arithmetic in finite field extensions with application in elliptic curve cryptography," Journal of Cryptology, vol. 14, no. 3, pp. 153–176, 2001.
[18] J. Chung and M. A. Hasan, "Asymmetric squaring formulae," in 18th IEEE Symposium on Computer Arithmetic (ARITH'07), pp. 113–122, IEEE, 2007.
[19] A. Karatsuba and Y. Ofman, "Multiplication of many-digital numbers by automatic computers," Doklady Akademii Nauk SSSR, vol. 145, no. 2, p. 293, 1962.
[20] E. Kachisa, E. Schaefer, and M. Scott, "Constructing Brezing-Weng pairing-friendly elliptic curves using elements in the cyclotomic field," in Pairing-Based Cryptography – Pairing 2008, pp. 126–135, 2008.
[21] D. F. Aranha, L. Fuentes-Castañeda, E. Knapp, A. Menezes, and F. Rodríguez-Henríquez, "Implementing pairings at the 192-bit security level," in Pairing-Based Cryptography – Pairing 2012, pp. 177–195, Springer, 2012.