ABSTRACT
Since the introduction of cryptographic pairings as a constructive cryptographic primitive by Sakai, Ohgishi, and Kasahara in, and by Joux in, the efficient implementation of pairings has become an increasingly important research topic. Early works still mainly considered the Weil pairing, whose computation essentially consists of two so-called Miller loops, but soon it became clear that variants of the Tate pairing are more efficient. All those variants have in common that they consist of the computation of one Miller loop and one final exponentiation. Pairings can be computed over elliptic curves represented in any coordinate system, but homogeneous projective and affine coordinates are the most common, depending on the ratio between inversion and multiplication of a specific implementation. Due to the low Hamming weight of the curve parameter and its effect on reducing the number of additions, the cost of the Miller loop is usually dominated by point doubling and the corresponding line evaluations.
