On the Final Exponentiation in Tate Pairing Computations

The Tate pairing computation consists of two parts: Miller step and final exponentiation step. In this paper, we investigate the structure of the final exponentiation step. Consider an order r subgroup of an elliptic curve defined over F_q with embedding degree k. The final exponentiation in the Tate pairing is an exponentiation of an element in F_q^k by (q^k-1)/r . The hardest part of this computation is to raise to the power λ:=Φ_k(q)/r, where Φ_k(·) denotes the kth cyclotomic polynomial. Write it as λ = λ₀+λ₁q+⋯+λ_φ(k)-1q^φ(k)-1 in the q -ary representation. The final exponentiation cost mostly depends on κ(λ), the size of the maximum of |λi|. In many parameterized pairing-friendly curves, the value κ is about (1-1/ρφ(k))log₂q where ρ = log₂q/log₂r, while random curves will have κ ≈ log₂q. We investigate how this small κ is obtained for parameterized pairing-friendly elliptic curves, and show that (1-1/ρφ(k))log₂q is the lower bound for all known construction methods of parameterized pairing-friendly curves. In the second part of our paper, we propose a method to obtain a modified Tate pairing with small κ for any pairing-friendly elliptic curves including those not belonging to parameterized families. More precisely, our method finds an integer m using the lattice basis reduction such that κ(mλ)=(1-1/ρφ(k))log₂q. Using this modified Tate pairing, we can reduce the number of squarings in the final exponentiation by a factor of- (1-1/ρφ(k)) from the usual Tate pairing. We apply our method to several known pairing-friendly curves to verify the expected speedup.