ABSTRACT

The interest in using tower field extensions is based on an optimization of the arithmetic. In practice, the computation of pairings admitting an odd degree of twist is less efficient than the computation of pairings with an even degree of twist. The pairing-friendly elliptic curves that are the most interesting for implementation purposes are obtained from families. Jacobian coordinates often provide the most efficient formulas for pairing computations. The choice between the optimal Ate and twisted Ate pairings depends on the number of iterations and the number of addition steps that must be executed. Indeed, if the elliptic curve admits at least one subgroup with order smaller than r, then the discrete logarithm problem is easier to solve in this subgroup. The attack path then consists of supplying the pairing computation with a point of the elliptic curve that belongs to the wrong subgroup.