 And good afternoon. I'd like to start by also thanking the organizers of the conference, David and Fong for having us all here in Paris in such a beautiful place. As was said, this is joint work with Tanya Lung and Michael Narig. So I suppose in the public key community, pairings don't really need the biggest introduction. Over the past decade, this powerful bilinearity property of pairings has brought us a number of unique and cool things that were previously unattainable without pairings. Things like ID-based encryption, which really sparked off this pairing-based cryptography. All these types of cool signatures and nowadays we've got things like predicate-based and attribute-based encryption as well. You don't really have to flip far through the proceedings of this conference to see the power of pairings used for protocols. So to motivate this work, I suppose the last ten years since pairings were introduced, initially they were too slow to be considered practical. And this is what really made them grab the attention of a lot of the big mathematical cryptographers and computer scientists to try and speed these things up. As Mike was saying, and a decade on from the introduction, the current situation, at least on elliptic curves, is that many of the high-level optimizations have now been considered to be exhausted. So things like loop shortening, exhausting the endomorphism rings, choosing the groups and the representations, these pairing-friendly curves, and many of these high-level tricks are somewhat exhausted at this stage. So we're looking for other ways to speed things up and I suppose get our hands dirty and get down to the explicit formulas throughout the miller loop and the miller iterations. So in this work we look at curves that are of the standard Y-stress form. And optimal curve construction methods usually always produce a curve with either the curve constant A being zero or the curve constant B being zero. And the nice thing about this is that they also facilitate high-degree twists on these curves. So if we want to use a cubic or a quartic or a sextic twist, we've got to look to set one of these curve constants as zero. So we wanted to look at minimizing the field operations that we encounter when computing a pairing on these special types of curves. Rather than looking at the general Y-stress curve, we want to look at these curves that arise with A zero or B zero. Another motivation for this work was that the Tate and Ate formulas haven't always been compatible. So a lot of papers came out in the field that have reduced operation counts and applied this to the Tate pairing, but the application or the transfer of these formulas to the Ate pairing isn't always trivial. So I suppose we really wanted to tidy up that too. And also special curve models such as Edwards curves or these special types of Y-stress curves, they haven't always trivially allowed for the Ate pairing computation either. So we wanted to try and remedy this. And we wanted to improve and collect all or most of the required explicit formulae and the records for these pairing computations. We wanted to put it all together into the one paper. So I suppose the binary property and things don't need the greatest introduction after Mike's talk and after previous talks. So I'll jump straight into defining the two most common groups that are used in pairing computations. We always refer to G1 and G2. And G1 is all the points on the elliptic curve of order r, so in the r-torsion. And it's in the one eigenspace of the Frobenius map. And G2 also consists of the points of order r there in the Q eigenspace of the Frobenius map. And to define this whole group or this whole torsion group or to define both of G1 and G2, what we need to do is extend this base field to extend the field FQ up to the FQ to the K. So we need to form this K-degree extension with our embedding degree K so that the whole torsions contains and we've got our two order r subgroups to work with. If you don't like the definitions there or it doesn't look familiar, then all you really need to know is that the elements of G1 are nice and simple. They're defined over the base field. So if P is a random point in G1, say for example K equals 12, then the coordinates of P are nice. They're defined over the base field. For K equals 12 though, the coordinates of Q we have to go all the way to the full extension. I haven't formed the extension as a tower but normally things in G2 look about that nasty. So that's a trivial I suppose extension and things bigger polynomials over the base field. Luckily we have the power of the twisted curve as Mike was saying. So we always have this original curve that we construct and we can use the power of this twist. So we can define a curve by these omega values over a subfield of the full extension field and that twisted curve is such that points on the original curve might be defined over large fields but when you bring them to the twisted curve, their coordinates shrink to much smaller fields and vice versa. So we can exploit these twisted curves to give more compact representation of points and to shrink the size of these elements in G2. And the possible degrees of the twists available are 2, 3, 4 and 6 and like I said before the degree twisted of bigger than 2 require that we take a0 or b0. And we've got this twisting isomorphism between the two curves. So a point on the twisted curve can be taken to a point on the ordinary curve or the regular curve by dividing by these algebraic omegas in the subfield of the full extension field. So instead of working with Q on G2, a lot of work can be done with this new group G2 dash which is defined over the subfield. So if we take a sextic twist on the embedded degree 12 case, then our point before looked that bad but now it looks not so bad with these algebraic omega values. It would be a lot easier to deal with computationally. So the two types of pairings or the two methodologies I suppose that we can look at is the tape pairing in its variance and also the ape pairing in its variance. The tape pairing always takes its first argument from G1, from the ground field and its second argument Q, it takes from that twisted subfield or from the full extension field and the ape pairing reverses these arguments so it takes its first argument from the larger field and its second argument from the ground field. The pairings themselves require the computation of these miller functions. So these f subscript m are of s's and these are functions of degree m. These functions have large degree for a typical value of r would be 160 bits. So the function in the tape pairing might be 160 bits. The degree of this function is 160 bits. And to compute these functions we require the log of the loop parameter m, many iterations of Miller's algorithm. And the most important thing to note I suppose at this stage is that most of the work in Miller's algorithm or in the iteration, a lot of the bottleneck is the first argument. So we do a lot of computations in the first argument and not so many in the second argument. So the first argument in the tape pairing is much smaller. So all of this work is done in the ground field while in the ape pairing the argument is much bigger and all the work is done in the extension field. But the reason the ape pairing wins most of the time is that we need much less iterations. So we only need log 2 of capital T iterations in the ape pairing compared to the r in the tape pairing. So the trade-off is that more work in the ape pairing is done in the larger field. So just a brief overview of Miller's algorithm and how it works. Well, we often write this loop parameter, this integer in its base 2 or its binary representation and what we want to output is this function f, this value f, which is a value in a finite field. So what we do is we carry this value of f through the iterations appending these line functions to f. f is carried through as an extension field element. We evaluate these functions at the point s as we go and at the end we exponentiate but in this talk we're only concerned with the Miller loop itself. And these line functions in the Dublin ad, I suppose in the Weistruss sense, they're the line functions that you get from the standard cord and tangent rule. So in the Dublin it's this tangent line here divided by this vertical line at the point 2u and in the addition of u plus r we get this slope line that joins u and r and we also get this vertical line through u plus r. And these are the lines that we append to this Miller function as we go. So why do we choose Weistruss curves for fast pairings? Well, in the ECC sense in standard elliptic curve cryptography we don't really have to worry about these lines so much. So we can say use Edwards curves or Hessian curves or different curve models to give fast doublings and additions and that's all we need to worry about. But in the pairing sense we need to do fast doublings and additions but we also need to do fast line computations. So we need to be able to compute these line functions with minimal overhead. That's the beauty of Weistruss curves. The cubic elliptic curves give a natural combination of point operations and line computations. So what that means is that these lines are basically inherent in the doubling and addition formulas themselves. So often there's not a lot of work to do for Weistruss curves in getting these lines. High degree curves you have to do with conics and quadratic functions but here it's just simple lines. So to sort of separate the roles of the arguments in Miller's algorithm at both the doubling stage up the top and the addition stage what we have to do is we have to compute these lines in the doubling of u or the addition of u and r and we have to of course do the point operations themselves the doubling u and adding u to r and all of these red operations the ones in red are completely u dependent. So whatever field u is in that's what field these computations take place in. The evaluation of f double and f add at the point s in optimized implementations this will cost the same regardless of whether we use the 8 or the tape pairing and these squareings and multiplications in the extension fields these will always be the same but in the tape pairing and the 8 pairing these red computations will occur in different fields. So the black operations have the same complexity regardless of the tater 8 pairing because there are all the operations in fq to the k but for the steps 1 and 2 in both doubling and addition these depend entirely on r and so when r is in the ground field fq which it is for the tape pairing a large k means that the step 3 will dominate the complexity and as k grows larger with respect to the base field then the operations in 3 become more dominant so any savings in the red operations for the tape pairing will be less and less for bigger k but for the 8 pairing this field fq to the e where r lies it grows at the same rate as fq to the k so any savings we have for a small embedding degree are likely to be consistent as the embedding degree grows too so we'd like to apply these tape formulas to the 8 pairing the problem is that the tape pairing it has quite a simple definition in that at least the computation of it has a simple definition in that the tape pairing keeps the point u on the same curve throughout the whole computation but for the 8 pairing what we do for computational convenience is we twist u back and forth between the curve and its twisted curve so when we want that nice short representation we jump to the twisted curve and when we come to evaluate it at the we come to evaluate the lines we need the element to be in the full extension field so we twist it back so there's this jumping back and forth between curves in the 8 pairing and this is okay if the formulas derived for the pairing computation cover both the curve and its twist but in some circumstances like Edwards curves or these special Weistraus curves the curve and its twist can't have the same group order or they can't be represented by the same curve model so to derive formulas for both curves under the same curve model it doesn't actually work so the red computations you can see that u is in the twisted subfield but when it comes to evaluating the line function we aren't twist u back so what we want to do is we want to remedy this so that we can compute the 8 pairing on these Edwards and these special Weistraus curves so the remedy to this is to compute the 8 pairing entirely on the twisted curve and this is the coincidence of theorem 1 in corollary 2 and what we do is instead of twisting u instead of twisting q rather back and forth between curves we leave q to be on the twist the entire computation and we also twist p to be on the twist as well so throughout the whole computation now throughout all these steps the point u dash will always be on the twisted curve and the point s dash will also remain on the twisted curve so everything now you can see is happening on the twisted curve which is great because it now means that we can compute the 8 pairing on Edwards curves or these special curves provided that the twisted curve can be written in this form so if we want to derive formulas for these operations using say Edwards curve or a special curve then it's great because everything is on the twisted curve and it turns out that computationally this is no different to the original definition of the 8 pairing computation so nothing changes in terms of complexity but it allows us to do some things that we couldn't trivially do before and it also means that the Tate and 8 operation counts are somewhat analogous on all curve shapes now so what we did in the paper was go ahead and I suppose use this groundwork to then look to derive faster formulas on these special shaped curves and the way we do this is to always just get the just to get the affine version or the schoolbook version of these lines that you could get a high school kid to derive probably and what we do is we look for the best representation and the projection of these affine points so we're really searching through these different methods of projection to find which one gives the most simple simply computable expressions for both the point operations and the line computation and as Mike said it's common that we prioritize the doublings and this stage of the routine if we choose the loop parameter carefully then these additions are rare so we're much more concerned with the complexity of these doublings they dominate the runtime so we prioritize the doublings in our search we want to find the fastest doublings and the different degree twists require curves of different shapes so a quadratic twist, the degree 2 twist it can happen on any Y stress curve so the general curve but usually it's most advantageous to set A equals 0 or B equals 0 anyway all of the optimal constructions would suggest this and any quadratic twist formulas are also compatible with the high degree even twist formulas and then of course we can look at cubic twists quartic twists and sextic twists so the cubic and sextic twists they both occur on J invariant 0 curves or curves Y squared is X cubed plus B but because of the nature of the twists we have to handle these two cases separately so in the sections 4 to 6 what we do is we look at trying to develop fast formulas for these curves that admit the high degree twists so in section 4 we look at trying to speed up computations for curves employing a quartic twist that's these Y squared is X cubed plus AX curves popular for ECC and with the quartic twists popular for pairing based cryptography too so like I said we always just get these schoolbook formulas you turn to the first page of an elliptic curve textbook you always see these simple schoolbook formulas but it's how we project them or how we deal with them in the projective sense that changes the complexity of their computation so we don't want to compute these inversions with the affine formulas what we have to do is project and we found the most success with these J and variant 1, 7, 2, 8 curves in what we call weight 1, 2 coordinates so that's when you get the affine X coordinate and project it to X over Z and the affine Y coordinate and project it to Y over Z squared these coordinates hadn't been used before in prime fields but some people might know them as low-pes-darb coordinates over binary fields so if we projectify these top-red formulas using this projection then the projective formulas for the point doubling at least look okay and it turns out that we can evaluate these formulas using one field multiplication six squareings and if A is smaller than this almost negligible a cost of multiplication via curve constant and considering this as a doubling step alone currently this is the fastest doubling step in the EFT the explicit formulas database so for just standard ECC these curves and this way of projecting could become quite popular with these fast doublings especially for sliding windows techniques that allow doublings to really dominate standard ECC run time and the formula for the line computation came out to be pretty nice too usually with even degree twists we've always got to deal with this multiplication by the coordinates of S here both the X and Y coordinates but this other work we have to do to get these coefficients here it only cost an extra one multiplication and two squareings on top of the doubling formulas so what we got in total for both the doubling and the line computation was two field multiplications eight squareings and one multiplication by a curve constant which beats the previous record which was in Jacobian coordinates two separate authors by about two field operations one multiplication three squareings less one multiplication so a little bit faster there for sextic twists we have to use these Jane variant zero curves and we do the exact same thing except this time the lambda is a little simpler because A is zero and luckily the success here was with the standard homogeneous projective coordinates so all we do is take little X and project it to capital X over capital Z and the same for Y and our doubling formulas simplify somewhat and our line is simple again too on top of the doubling it was only I think two squareings or maybe one multiplication one squareings so here we get two field multiplications seven squareings and one multiplication by a curve constant which beats the previous record again by one multiplication and one squareings which was in Jacobian coordinates and for cubic twists the story is a little different the denominator elimination that's usually used it takes advantage of X coordinates being in subfields but in the case of cubic twists it's our Y coordinates in subfields so what we have to do is get our fine line and multiply it by this factor in the full extension field so it makes things a little more complicated but again in homogeneous projective coordinates we dealt with that somewhat successfully to get it quite a simple miller line relatively speaking so this has only got three multiplications here one with the coordinate of XS one with the coordinate of XS squared and one with the coordinate of YS and here we save two full two field multiplications two field squareings a couple of multiplications in the ground field which beats the previous records I suppose somewhat significantly so to summarize what we've done is really listed probably the four most popular options for pairing computation that will be used if one's going to implement these things in practice so if we look up at the top curve it's basically just a summary but here we've also got the additions included as well and you'll notice if you go through that I haven't highlighted additions strategically haven't done that because our additions are somewhat slower but with low hamming weight loop parameters we would expect at least a significant speed up in all of the cases so at least in the top case the third case and the fourth case our work really improved on the prior work in the second case we only gave an option to improve the addition formulas so what's missing from this table is this full extension field of multiplication and squaring that is common to all implementations so you've also got a factor that into each entry but the cubic twists are faster by over four field operations the accorded twists are faster by two field operations and the sexy twists are faster by two as well so what we did was we tabulated for different pairing-friendly embedding degrees we had a look at an estimation of the ground field the equivalent number of ground field multiplications throughout a standard doubling only iteration to compare the speed of the 8 and the Tate pairings of these embedding degrees of course the 8 speed up over the Tate speed up is nothing to do with our work but we thought it might be of interest to have a look at how much faster it is given the fastest formulas for various embedding degrees so in summary really the Tate speed up is like I said it's only significant for these small embedding degrees so these papers that came out and said here's faster formulas to be used for the Tate pairing well for higher embedding degrees these formulas don't become that much faster in practice the relative speed up isn't that great but for the 8 pairing these formulas when we transfer them and apply them they give a speed up that's relatively consistent across all embedding degrees so if you're going to implement a pairing on one of these secure embedding degrees these higher embedding degrees then you should employ the 8 pairing obviously and hopefully then you'll if you want a significant speed up you'll employ these formulas as well thank you