Computing the Optimal Ate Pairing over the BN254 Curve

The post BN254 For The Rest Of Us constitutes the base point for this article, so I highly recommend reading it to get a solid background of the BN254 curve. This post will reuse some parts with an emphasy on the computational aspect of the optimal Ate pairing over the BN254 curve.

For those with a poor background on Pairing-Based Cryptography (PBC) but with a decent background on Elliptic-Curve Cryptoraphy (ECC) I recommend reading the following resources in order:

Only after (and not before) you feel sufficiently comfortable with both PBC and ECC come back to this post and start to make sense out of it.

The implementation in zkASM can be found here.

The Curve

The BN254 is the elliptic curve

E

of the form:

y^{2} = x^{3} + 3

defined over a finite field

F_{p}

, where the prime

p

is the following

254

-bit number:

p = 21888242871839275222246405745257275088696311157297823662689037894645226208583

The number of points

# E (F_{p}) = p + 1 - t

happens to also be a prime

r

254

bits:

r = 21888242871839275222246405745257275088548364400416034343698204186575808495617

where t = 147946756881789318990833708069417712967 is known as the trace of Frobenius.

The point

(1, 2) \in E (F_{p})

is a point of order

r

, i.e. a generator of the group of points of the curve. In fact, all points in

E (F_{p}) ∖ {O}

are generators, as Lagrange's Theorem shows.

The embedding degree

k

of this curve is

12

For more information, refer to BN254 For The Rest Of Us or the EIPs 196 and 197.

Tower of Extension Fields

To represent

F_{p^{12}}

we use the following tower of extension fields:
fields:

\begin{aligned} F_{p^{2}} & = F_{p} [u] / (u^{2} - β), \\ F_{p^{6}} & = F_{p^{2}} [v] / (v^{3} - ξ), \\ F_{p^{12}} & = F_{p^{6}} [w] / (w^{2} - v), \end{aligned}

where

β

is not a quadratic residue in

F_{p}

and

ξ

is neither a quadratic residue or a cubic residue in

F_{p^{2}}

In the particular case of the BN254, we have

β = - 1

and

ξ = 9 + u

and therefore:

\begin{aligned} F_{p^{2}} & = F_{p} [u] / (u^{2} + 1), \\ F_{p^{6}} & = F_{p^{2}} [v] / (v^{3} - (9 + u)), \\ F_{p^{12}} & = F_{p^{6}} [w] / (w^{2} - v), \end{aligned}

from which we can extract the identities

u^{2} = - 1

w^{2} = v

v^{3} = 9 + u

and consequently the idenity

w^{6} = 9 + u

Using the latter identity, we can also write:

F_{p^{12}} = F_{p^{2}} [w] / (w^{6} - (9 + u))

These two representations of

F_{p^{12}}

will allow us to apply some optimizations:

Writing any element
$f \in F_{p^{12}}$ as
$f = g + h w$ , with
$g, h \in F_{p^{6}}$ implies ^[1]
$f^{p^{6}} = \bar{f} = g - h w$ . Thus, computing the
$p^{6}$ -th power of any element in
$F_{p^{12}}$ is computationally "free".
Now, if we write
$g = g_{0} + g_{1} v + g_{2} v^{2}$ and
$h = h_{0} + h_{1} v + h_{2} v^{2}$ where
$g_{0}$ ,
$g_{1}$ ,
$g_{2}$ ,
$h_{0}$ ,
$h_{1}$ ,
$h_{2} \in F_{p^{2}}$ we have:

$f = g_{0} + h_{0} w + g_{1} w^{2} + h_{1} w^{3} + g_{2} w^{4} + h_{2} w^{5},$
which will allow us to compute
$f^{p}, f^{p^{2}}$ and
$f^{p^{3}}$ (needed for the final exponentiation) very efficiently.

Twist

BN curves admits a sextic twist

E^{'}

defined over

F_{p^{2}}

of the form:

y^{' 2} = x^{' 3} + 3 / (9 + u)

or more specifically:

(y')² = (x')³ + (19485874751759354771024239261021720505790618469301721065564631296452457478373 + 266929791119991161246907387137283842545076965332900288569378510910307636690·u)

This means that pairing computations can be restricted to points

P \in E (F_{p})

and

Q \in E^{'} (F_{p^{2}})

and avoid computations over

F_{p^{12}}

entirely.

The number of points of

E^{'}

is:

# E^{'} (F_{p^{2}}) = (p + 1 - t) (p - 1 + t) = r \cdot c

which concrete to:

#E' = 479095176016622842441988045216678740799252316531100822436447802254070093686356349204969212544220033486413271283566945264650845755880805213916963058350733
c = 21888242871839275222246405745257275088844257914179612981679871602714643921549

The mapping

Ψ (x^{'}, y^{'}) = (w^{2} x^{'}, w^{3} y^{'})

defines a group homomorphism from

E^{'} (F_{p^{2}})

E (F_{p^{12}})

and we are going to use it to send points from the twisted curve

E^{'}

to the curve

E

(but not the other way around).

The Pairing

The optimal Ate pairing

e : G_{1} \times G_{2} \to G_{T}

over the BN254 curve is defined by:

e (P, Q) = {(f_{6 x + 2, Q} (P) \cdot ℓ_{[6 x + 2] Ψ (Q), π_{p} (Ψ (Q))} (P) \cdot ℓ_{[6 x + 2] Ψ (Q) + π_{p} (Ψ (Q)), - π_{p}^{2} (Ψ (Q))} (P))}^{\frac{p^{12} - 1}{r}}

where:

$G_{1} = E (F_{p}) [r]$ is the only subgroup of the
$r$ -torsion of
$E$ over
$F_{p}$ .
$G_{2} = E^{'} (F_{p^{2}}) [r]$ is the only subgroup of the
$r$ -torsion of
$E^{'}$ over
$F_{p^{2}}$ .
$G_{T} = μ_{r}$ is the set of
$r$ -th roots of unity over
$F_{p^{12}}^{*}$ .

x = 4965661367192848881 and therefore 6x+2 = 29793968203157093288, which is a number of

65

bits that can be expressed in the base

{- 1, 0, 1}

as follows:

2^3 + 2^5 - 2^7 + 2^10 - 2^11 + 2^14 + 2^17 + 2^18 - 2^20 + 2^23 - 2^25 + 2^30 + 2^31 + 2^32 - 2^35 + 2^38 - 2^44 + 2^47 + 2^48 - 2^51 + 2^55 + 2^56 - 2^58 + 2^61 + 2^63 + 2^64
[0, 0, 0, 1, 0, 1, 0, -1, 0, 0, 1, -1, 0, 0, 1, 0, 0, 1, 1, 0, -1, 0, 0, 1, 0, -1, 0, 0, 0, 0, 1, 1, 1, 0, 0, -1, 0, 0, 1, 0, 0, 0, 0, 0, -1, 0, 0, 1, 1, 0, 0, -1, 0, 0, 0, 1, 1, 0, -1, 0, 0, 1, 0, 1, 1]
0001010-1001-100100110-10010-1000011100-100100000-1001100-1000110-1001011

which has a Hamming weight of 26.

We prefer base

{- 1, 0, 1}

over base

{0, 1}

because 6x+2 expressed in the latter is:

2^3 + 2^5 + 2^7 + 2^8 + 2^9 + 2^11 + 2^12 + 2^13 + 2^17 + 2^18 + 2^20 + 2^21 + 2^22 + 2^25 + 2^26 + 2^27 + 2^28 + 2^29 + 2^31 + 2^32 + 2^35 + 2^36 + 2^37 + 2^44 + 2^45 + 2^46 + 2^48 + 2^51 + 2^52 + 2^53 + 2^54 + 2^56 + 2^58 + 2^59 + 2^60 + 2^63 + 2^64 
[0,0,0,1,0,1,0,1,1,1,0,1,1,1,0,0,0,1,1,0,1,1,1,0,0,1,1,1,1,1,0,1,1,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,1,0,0,1,1,1,1,0,1,0,1,1,1,0,0,1,1]
00010101110111000110111001111101100111000000111010011110101110011

which has a Hamming weigth of 37.

I moved from base

{0, 1}

to base

{- 1, 0, 1}

by using the identity^[2]

2^{n + 1} - 2^{m} = 2^{n} + 2^{n - 1} + . . . + 2^{m},

that holds for any

n, m \in N

such that

n \geq m

. In words, it is unpacking groups of

1

's of any size to a single

1

and

- 1

in the binary decomposition.

$f_{i, Q}$ , for any
$i \in N$ and
$Q \in G_{2}$ , is a
$F_{p^{12}}$ rational function on
$E$ that is computed using Miller's "double-and-add"-style algorithm:

$\begin{array}{r} f_{i + j, Q} = f_{i, Q} \cdot f_{j, Q} \cdot \frac{ℓ_{[i] Ψ (Q), [j] Ψ (Q)}}{v_{[i + j] Ψ (Q)}}, \\ f_{i + 1, Q} = f_{m, Q} \cdot \frac{ℓ_{[i] Ψ (Q), Ψ (Q)}}{v_{[i + 1] Ψ (Q)}}, \end{array}$
starting with
$f_{1, Q} = 1$ .
$ℓ_{P_{1}, P_{2}}$ denotes the equation of a line passing through
$P_{1}$ and
$P_{2}$ while
$v_{P}$ denotes the equation of a vertical line passing through
$P$ . However, due to the final exponentiation, the value of
$e (P, Q)$ remains unchanged if we omit the division by the vertical lines, so we will not care about such computation.
$π_{p}^{i} (x, y) = (x^{p^{i}}, y^{p^{i}})$ is known as the Frobenius operator.

Therefore, what we want to compute is the following:

































bound = [0, 0, 0, 1, 0, 1, 0, -1, 0, 0, 1, -1, 0, 0, 1, 0, 0, 1, 1, 0, -1,
         0, 0, 1, 0, -1, 0, 0, 0, 0, 1, 1, 1, 0, 0, -1, 0, 0, 1, 0, 0, 0,
         0, 0, -1, 0, 0, 1, 1, 0, 0, -1, 0, 0, 0, 1, 1, 0, -1, 0, 0, 1, 0,
         1, 1] 

1101111010011011000001001001000111011101011100001011001111110111111100000111110100101101000001011101000011111001111110101000110

         # This is 6x+2 in base {-1,0,1}, which has a Hamming weight of 26

def e(P,Q):
    assert(subgroup_check_G1(P))
    assert(subgroup_check_G2(Q))
    if ((P == 0) or (Q == 0)) return 1 # Here, 0 is the identity element of E
    
    R = Q
    f = 1
    for i in range(len(bound)-2,-1,-1): # len(bound)=65
        f = f * f * line(twist(R),twist(R),P)
        R = 2 * R
        if bound[i] == 1:
            f = f * line(untwist(R),untwist(Q),P)
            R = R + Q
        elif bound[i] == -1:
            f = f * line(untwist(R),untwist(-Q),P)
            R = R - Q
            
    Qp = Frobenius1(Q); # Q'
    f = f * line(twist(R), twist(Qp), P);
    R = R + Qp;
    Qpp = -Frobenius1(Qp); # Q''
    f = f * line(twist(R), twist(Qpp), P);

    return final_exponentiation(f)

In what follows we explain how to compute each of the components of the previous pseudocode snippet.

Subgroup Checks

To summary BN254 For The Rest Of Us, we have:

$P \in G_{1} = E (F_{p}) [r]$ if and only if
$P \in E (F_{p})$ . That is, if we write
$P = (x, y)$ then we simply need to ensure that the equation
$y^{2} = x^{3} + 3$ holds over
$F_{p}$ .

Costs:
$2 s + 1 m + 1 a$
A point
$Q = (x^{'}, y^{'}) \in E^{'} (F_{p^{2}})$ belongs to
$G_{2} = E^{'} (F_{p^{2}}) [r]$ if and only if
$ψ (Q) = [6 x^{2}] Q$ , where
$ψ : E^{'} (F_{p^{2}}) \to E^{'} (F_{p^{2}})$ is defined as:

$ψ (x^{'}, y^{'}) = (γ_{1, 2} {\bar{x}}^{'}, γ_{1, 3} {\bar{y}}^{'}),$
where
$γ_{1, 2} = (9 + u)^{\frac{p - 1}{3}}, γ_{1, 3} = (9 + u)^{\frac{p - 1}{2}}$ .

This was proven in Proposition 3 of 2022/352 and it is clearly much faster than the naive check
$[r] Q = O$ , since the constants
$γ_{1, 2}, γ_{1, 3}$ can be precomputed.

TODO:
A more efficient approach appears in 2022/348, which ensures that
$Q \in E^{'} (F_{p^{2}})$ belongs to
$G_{2}$ if and only if:

$[x + 1] Q + ψ ([x] Q) + ψ^{2} ([x] Q) = ψ^{3} ([2 x] Q)$

Costs:

2 \tilde{c} + 2 \tilde{m} + cost of [6 x^{2}] P

Line Equations

Different Points

Given two points

Q_{1} = (x_{1}^{'}, y_{1}^{'})

and

Q_{2} = (x_{2}^{'}, y_{2}^{'})

in the twisted curve

E^{'} (F_{p^{2}})

such that

x_{1}^{'} \neq y_{1}^{'}

and

x_{2}^{'} \neq y_{2}^{'}

and a point

P = (x, y)

in the curve

E (F_{p})

, the evaluation at

P

of the line passing through

Ψ (Q_{1})

and

Ψ (Q_{2})

is given by:

ℓ_{Ψ (Q_{1}), Ψ (Q_{2})} (P) = w^{2} (x_{2}^{'} - x_{1}^{'}) y + w^{3} (y_{1}^{'} - y_{2}^{'}) x + w^{5} (x_{1}^{'} y_{2}^{'} - x_{2}^{'} y_{1}^{'})

Costs:

3 \tilde{a} + 2 \tilde{m} + 4 m

The Same Points

Given a point

Q = (x^{'}, y^{'})

in the twisted curve

E^{'} (F_{p^{2}})

and a point

P = (x, y)

in the curve

E (F_{p})

, the evaluation at

P

of the line passing through

Ψ (Q)

is given by:

ℓ_{Ψ (Q), Ψ (Q)} (P) = (3 x^{' 3} - 2 y^{' 2}) (9 + u) + w^{3} (2 y y^{'}) + w^{4} (- 3 x x^{' 2})

Costs:

1 \tilde{a} + 2 \tilde{s} + 2 \tilde{m} + 10 m

The Last two Lines

Now we explain some tricks for the computation of the lines:

ℓ_{[6 x + 2] Ψ (Q), π_{p} (Ψ (Q))} (P), ℓ_{[6 x + 2] Ψ (Q) + π_{p} (Ψ (Q)), - π_{p}^{2} (Ψ (Q))} (P) .

For the first line notice that if
$Q = (x^{'}, y^{'}) \in E^{'} (F_{p^{2}})$ , then:

$π_{p} (Ψ (Q)) = ((w^{2} x^{'})^{p}, (w^{3} y^{'})^{p}) = (w^{2} (γ_{1, 2} x^{' p}), w^{3} (γ_{1, 3} y^{' p})) = Ψ (γ_{1, 2} x^{' p}, γ_{1, 3} y^{' p}) = Ψ (γ_{1, 2} {\bar{x}}^{'}, γ_{1, 3} {\bar{y}}^{'}),$
where
$γ_{1, 2} = (9 + u)^{\frac{p - 1}{3}}, γ_{1, 3} = (9 + u)^{\frac{p - 1}{2}}$ are precomputed.

The conjugate of an element in
$f = a + b u$ in
$F_{p^{2}}$ is
$\bar{f} = a - b u$ .

Moreover, due to
$Ψ$ being an homomorphism we have that
$[n] Ψ (Q) = Ψ ([n] Q)$ for all
$n \in F_{r}$ . Consequently, we compute
$ℓ_{Ψ ([6 x + 2] Q), Ψ (Q^{'})} (P)$ as in the previous section, with
$Q^{'} = (γ_{1, 2} {\bar{x}}^{'}, γ_{1, 3} {\bar{y}}^{'}) = (x_{1}, y_{1})$ (it's a good exercise to check that
$Q^{'}$ belongs to
$E$ ).

Costs:
$\underset{Q^{'}}{\underset{⏟}{2 \tilde{c} + 2 \tilde{m}}} + ℓ_{diff}$

I don't include the cost of computing
$[6 x + 2] Q$ , since it is obtained in the Miller loop.
For the second line we similarly have:

$- π_{p}^{2} (Ψ (Q)) = - π_{p} (π_{p} (Ψ (Q))) = - π_{p} (Ψ (x_{1}, y_{1})) = Ψ (γ_{1, 2} \bar{x_{1}}, - γ_{1, 3} \bar{y_{1}})$
Again, due to the homomorphic property of
$Ψ$ , we compute
$ℓ_{Ψ ([6 x + 2] Q + Q^{'}), Ψ (Q^{″})} (P)$ as in the previous section, with
$Q^{″} = (γ_{1, 2} \bar{x_{1}}, - γ_{1, 3} \bar{y_{1}})$ (again, check that
$Q^{″}$ belongs to
$E$ ).

Costs:
$1 E_{add}^{'} + \underset{Q^{″}}{\underset{⏟}{2 \tilde{c} + 2 \tilde{m} + 2 m}} + ℓ_{diff}$

Hence, in both cases, the Frobenius operator comes for free.

Final Exponentiation

In the final exponentiation, we raise an element

f \in F_{p^{12}}

to the power

(p^{12} - 1) / r

First, divide the exponent as follows:

\frac{p^{12} - 1}{r} = \underset{easy part}{\underset{⏟}{(p^{6} - 1) (p^{2} + 1)}} \underset{hard part}{\underset{⏟}{\frac{p^{4} - p^{2} + 1}{r}}}

The Easy Part

Let's start with the easy part of the easy part, when we first attempt to compute

f^{p^{6} - 1}

. But since,

f^{p^{6}} = \bar{f}

, we have

f^{p^{6} - 1} = \bar{f} \cdot f^{- 1}

, just one conjugate, one inversion and one multiplication in

F_{p^{12}}

The conjugate of an element in

f = a + b w

F_{p^{12}}

\bar{f} = a - b w

. Hence, if we write

f = g_{0} + h_{0} w + g_{1} w^{2} + h_{1} w^{3} + g_{2} w^{4} + h_{2} w^{5}

we have:

\bar{f} = g_{0} - h_{0} w + g_{1} w^{2} - h_{1} w^{3} + g_{2} w^{4} - h_{2} w^{5} .

To finish the easy part, we first compute

(f^{(p^{6} - 1)})^{p^{2}}

which is the Frobenius operator applied to

f^{p^{6} - 1}

and then multiply the result by

f^{p^{6} - 1}

to finally obtain

m := f^{(p^{6} - 1) (p^{2} + 1)} \in F_{p^{12}}

Importantly, after the computation of the easy part, the resulting field element becomes a member of the cyclotomic subgroup

G_{ϕ_{6} (p^{2})} = G_{ϕ_{12} (p)} = {a \in F_{p^{12}} ∣ a^{ϕ_{12} (p)} = a^{p^{4} - p^{2} + 1} = a^{p^{6} + 1} = 1}

, which means that inversion from now on can be computed by simply conjugation. Moreover, when an element

a

belongs to

G_{ϕ_{6} (p^{2})}

, one can compute

a^{2}

using fewer multiplications and therefore the overall costs of performing exponentiations (see this section).

Costs:

\underset{f^{p^{6} - 1}}{\underset{⏟}{1 C + 1 I + 1 M}} + 5 \tilde{m} + 1 M

The Hard Part

Following Section 5 of this 2008/490, we can write:

\frac{p^{4} - p^{2} + 1}{r} = λ_{0} + λ_{1} p + λ_{2} p^{2} + λ_{3} p^{3},

where:

$λ_{0} = - 2 - 18 x - 30 x^{2} - 36 x^{3}$ .
$λ_{1} = 1 - 12 x - 18 x^{2} - 36 x^{3}$ .
$λ_{2} = 1 + 6 x^{2}$ .
$λ_{3} = 1$ .

So we just need to compute:

m^{λ_{0}}, m^{λ_{1} p}, m^{λ_{2} p^{2}}, m^{λ_{3} p^{3}},

and then multiply them all.

In what follows, remember that x = 4965661367192848881, which is a number of

63

bits that can be expressed in the base

{- 1, 0, 1}

as follows:

1 - 2^4 + 2^9 + 2^11 + 2^16 + 2^19 + 2^21 + 2^22 + 2^25 + 2^27 + 2^30 + 2^34 + 2^36 + 2^37 + 2^39 + 2^41 + 2^44 + 2^47 + 2^48 + 2^51 - 2^53 + 2^56 + 2^58 + 2^62
[1,0,0,0,-1,0,0,0,0,1,0,1,0,0,0,0,1,0,0,1,0,1,1,0,0,1,0,1,0,0,1,0,0,0,1,0,1,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,-1,0,0,1,0,1,0,0,0,1]
1000-1000010100001001011001010010001011010100100110010-1001010001

which has a Hamming weight of 24.

We prefer base

{- 1, 0, 1}

over base

{0, 1}

because x expressed in the latter is:

1 + 2^4 + 2^5 + 2^6 + 2^7 + 2^8 + 2^11 + 2^16 + 2^19 + 2^21 + 2^22 + 2^25 + 2^27 + 2^30 + 2^34 + 2^36 + 2^37 + 2^39 + 2^41 + 2^44 + 2^47 + 2^48 + 2^51 + 2^53 + 2^54 + 2^55 + 2^58 + 2^62
[1,0,0,0,1,1,1,1,1,0,0,1,0,0,0,0,1,0,0,1,0,1,1,0,0,1,0,1,0,0,1,0,0,0,1,0,1,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,1,1,1,0,0,1,0,0,0,1]
100011111001000010010110010100100010110101001001100101110010001

which has a Hamming weigth of 28.

We proceed as follows:

We start by computing
$m^{x}, (m^{x})^{x}, (m^{x^{2}})^{x}$ .
Then, compute
$m^{p}, m^{p^{2}}, m^{p^{3}}, (m^{x})^{p}, (m^{x^{2}})^{p}, (m^{x^{3}})^{p}, (m^{x^{2}})^{p^{2}}$ (use the Frobenius operator).
Next, we group the previous elements as follows:

$\begin{aligned} y_{0} & = m^{p} \cdot m^{p^{2}} \cdot m^{p^{3}}, \\ y_{1} & = \bar{m}, \\ y_{2} & = m^{x^{2} p^{2}}, \\ y_{3} & = \overset{―}{m^{x p}}, \\ y_{4} & = \overset{―}{m^{x} \cdot m^{x^{2} p}}, \\ y_{5} & = \overset{―}{m^{x^{2}}}, \\ y_{6} & = \overset{―}{m^{x^{3}} \cdot m^{x^{3} p}} . \end{aligned}$
(recall that at this point computing the conjugate is the same as computing the inverse)
Finally, compute the product:

$y_{0} \cdot y_{1}^{2} \cdot y_{2}^{6} \cdot y_{3}^{12} \cdot y_{4}^{18} \cdot y_{5}^{30} \cdot y_{6}^{36}$

Expand for correctness

$\begin{aligned} y_{0} \cdot y_{1}^{2} \cdot y_{2}^{6} \cdot y_{3}^{12} \cdot y_{4}^{18} \cdot y_{5}^{30} \cdot y_{6}^{36} = \\ (m^{p} \cdot m^{p^{2}} \cdot m^{p^{3}}) \cdot {(\frac{1}{m})}^{2} \cdot (m^{x^{2} p^{2}})^{6} \cdot {(\frac{1}{m^{x p}})}^{12} \cdot {(\frac{1}{m^{x} m^{x^{2} p}})}^{18} \cdot {(\frac{1}{m^{x^{2}}})}^{30} \cdot {(\frac{1}{m^{x^{3}} m^{x^{3} p}})}^{36} \\ = \underset{m^{λ_{0}}}{\underset{⏟}{{(\frac{1}{m})}^{2} \cdot {(\frac{1}{m^{x}})}^{18} {(\frac{1}{m^{x^{2}}})}^{30} {(\frac{1}{m^{x^{3}}})}^{36}}} \cdot \underset{m^{λ_{1} p}}{\underset{⏟}{m^{p} \cdot {(\frac{1}{m^{x p}})}^{12} \cdot {(\frac{1}{m^{x^{2} p}})}^{18} \cdot {(\frac{1}{m^{x^{3} p}})}^{36}}} \cdot \underset{m^{λ_{2} p^{2}}}{\underset{⏟}{m^{p^{2}} \cdot (m^{x^{2} p^{2}})^{6}}} \cdot \underset{m^{λ_{3} p^{3}}}{\underset{⏟}{m^{p^{3}}}} \\ = m^{λ_{0}} \cdot m^{λ_{1} p} \cdot m^{λ_{2} p^{2}} \cdot m^{λ_{3} p^{3}} = m^{λ_{0} + λ_{1} p + λ_{2} p^{2} + λ_{3} p^{3}} = m^{\frac{p^{4} - p^{2} + 1}{r}} \end{aligned}$

To compute this product as efficient as possible, we use the vectorial addition chain technique as explained in the last part of Section 5 of 2008/490:

$\begin{aligned} T_{0, 1} & = y_{6}^{2} \cdot y_{4} \cdot y_{5}, \\ T_{1, 1} & = T_{0, 1} \cdot y_{3} \cdot y_{5}, \\ T_{0, 2} & = T_{0, 1} \cdot y_{2}, \\ T_{1, 2} & = T_{1, 1}^{2} \cdot T_{0, 2}, \\ T_{1, 3} & = T_{1, 2}^{2}, \\ T_{1, 4} & = T_{1, 3} \cdot y_{0}, \\ T_{0, 3} & = T_{1, 3} \cdot y_{1}, \\ T_{0, 4} & = T_{0, 3}^{2} \cdot T_{1, 4} . \end{aligned}$
which requires only
$9$ multiplications and
$4$ squarings.

Costs:

\underset{Step 1}{\underset{⏟}{(63 \cdot 3) S + (x \cdot 3) M}} + \underset{Step 2}{\underset{⏟}{5 \cdot (6 \tilde{c} + 5 \tilde{m}) + 2 \cdot (5 \tilde{m})}} + \underset{Step 3}{\underset{⏟}{4 M + 5 C}} + \underset{Step 4}{\underset{⏟}{9 M + 4 S}}

Frobenius Operator

As we have shown, in the final exponentation we must compute the first, second and third Frobenius operator

π_{p}, π_{p}^{2}, π_{p}^{3}

over an element in

F_{p^{12}}

. Recalling that

π_{p}^{i} (x) = x^{p^{i}}

, a naive implementation would take

O (\log p) = O (254)

F_{p^{12}}

-operations, but we will do it much better.

Recall that we can write any element

f \in F_{p^{12}}

as:

f = g + h w = g_{0} + h_{0} w + g_{1} w^{2} + h_{1} w^{3} + g_{2} w^{4} + h_{2} w^{5}

where

g = g_{0} + g_{1} v + g_{2} v^{2}

and

h = h_{0} + h_{1} v + h_{2} v^{2}

with

g, h \in F_{p^{6}}

and

g_{i}, h_{i} \in F_{p^{2}}

Expand to see the proof

We will now show that raising an

F_{p^{2}}

-element over any power of

p

is almost cost free and therefore so is

f

Take
$b = b_{0} + b_{1} u \in F_{p^{2}}$ with
$b_{0}, b_{1} \in F_{p}$ . Then,
$b^{p^{2 i}} = b_{0} + b_{1} (u^{(p^{2})^{i}}) = b_{0} + b_{1} u = b$ for Lagrange theorem. Similarly,
$b^{p^{2 i - 1}} = \frac{b^{p^{2 i}}}{b^{p^{2}} \cdot b^{p}} = \frac{b}{b \cdot b^{- p}} = \frac{1}{b^{- p}} = b^{p} = \bar{b}$ .
Notice
$w^{p} = (w^{6})^{\frac{p - 1}{6}} w = (9 + u)^{\frac{p - 1}{6}} w$ and therefore
$(w^{i})^{p} = γ_{1, i} w^{i}$ , where
$γ_{1, i} = (9 + u)^{i \frac{p - 1}{6}}$ .

Using all the previous observations, we have:

\begin{aligned} f^{p} & = (g_{0} + h_{0} w + g_{1} w^{2} + h_{1} w^{3} + g_{2} w^{4} + h_{2} w^{5})^{p} \\ = {\bar{g}}_{0} + {\bar{h}}_{0} w^{p} + {\bar{g}}_{1} w^{2 p} + {\bar{h}}_{1} w^{3 p} + {\bar{g}}_{2} w^{4 p} + {\bar{h}}_{2} w^{5} \\ = {\bar{g}}_{0} + {\bar{h}}_{0} γ_{1, 1} w + {\bar{g}}_{1} γ_{1, 2} w^{2} + {\bar{h}}_{1} γ_{1, 3} w^{3} + {\bar{g}}_{2} γ_{1, 4} w^{4} + {\bar{h}}_{2} γ_{1, 5} w^{5}, \end{aligned}

which can be computed using a few multiplications and a few conjugations, assuming each

γ_{1, i}

is pre-computed for

i \in [5]

Similarly, notice

w^{p^{2}} = (9 + u)^{\frac{p^{2} - 1}{6}} w = (γ_{1, 1})^{1 + p} w = γ_{1, 1} \cdot {\bar{γ}}_{1, 1} w

and therefore

(w^{i})^{p^{2}} = γ_{2, i} w^{i}

, where

γ_{2, i} = γ_{1, i} \cdot {\bar{γ}}_{1, i}

Lastly, we can use the identity

p^{3} - 1 = p^{2} (p - 1) + (p + 1) (p - 1)

to show that

w^{p^{3}} = (9 + u)^{\frac{p^{3} - 1}{6}} w = (γ_{1, 1})^{p^{2}} \cdot γ_{2, 1} w = γ_{1, 1} \cdot γ_{2, 1} w

and therefore

(w^{i})^{p^{3}} = γ_{3, i} w^{i}

, where

γ_{3, i} = γ_{1, i} \cdot γ_{2, i}

Then, we have:

\begin{array}{r} f^{p} = {\bar{g}}_{0} + {\bar{h}}_{0} γ_{1, 1} w + {\bar{g}}_{1} γ_{1, 2} w^{2} + {\bar{h}}_{1} γ_{1, 3} w^{3} + {\bar{g}}_{2} γ_{1, 4} w^{4} + {\bar{h}}_{2} γ_{1, 5} w^{5}, \\ f^{p^{2}} = g_{0} + h_{0} γ_{2, 1} w + g_{1} γ_{2, 2} w^{2} + h_{1} γ_{2, 3} w^{3} + g_{2} γ_{2, 4} w^{4} + h_{2} γ_{2, 5} w^{5}, \\ f^{p^{3}} = {\bar{g}}_{0} + {\bar{h}}_{0} γ_{3, 1} w + {\bar{g}}_{1} γ_{3, 2} w^{2} + {\bar{h}}_{1} γ_{3, 3} w^{3} + {\bar{g}}_{2} γ_{3, 4} w^{4} + {\bar{h}}_{2} γ_{3, 5} w^{5}, \end{array}

with

γ_{1, i} = (9 + u)^{i \frac{p - 1}{6}}

γ_{2, i} = (9 + u)^{i \frac{p^{2} - 1}{6}} = γ_{1, i} \cdot {\bar{γ}}_{1, i}

and

γ_{3, i} = (9 + u)^{i \frac{p^{3} - 1}{6}} = γ_{1, i} \cdot γ_{2, i}

. Hence, assuming the precomputation of

γ_{1, i}, γ_{2, i}, γ_{3, i}

for

i \in [5]

, we can compute

f^{p}, f^{p^{2}}

f^{p^{3}}

almost for free.

Costs:

\underset{f^{p}}{\underset{⏟}{6 \tilde{c} + 5 \tilde{m}}}, \underset{f^{p^{2}}}{\underset{⏟}{5 \tilde{m}}}, \underset{f^{p^{3}}}{\underset{⏟}{6 \tilde{c} + 5 \tilde{m}}}

Speeding up Computations in the Cyclotomic Subgroup

I follow 2010/542 closely for this section.

Recall that:

\begin{aligned} F_{p^{2}} & = F_{p} [u] / (u^{2} + 1), \\ F_{p^{6}} & = F_{p^{2}} [v] / (v^{3} - (9 + u)), \\ F_{p^{12}} & = F_{p^{6}} [w] / (w^{2} - v) . \end{aligned}

and also:

F_{p^{12}} = F_{p^{2}} [w] / (w^{6} - (9 + u))

For this optimitzation, we will further need the following

F_{p^{12}}

representation:

\begin{aligned} F_{p^{4}} & = F_{p^{2}} [w^{3}] / ((w^{3})^{2} - (9 + u)), \\ F_{p^{12}} & = F_{p^{4}} [w] / (w^{3} - w^{3}), \end{aligned}

so that for

f = (g_{0} + g_{1} w^{3}) + (g_{2} + g_{3} w^{3}) w + (g_{4} + g_{5} w^{3}) w^{2} \in C

, we can equivalently write

f = g_{0} + g_{2} w + g_{4} w^{2} + g_{1} w^{3} + g_{3} w^{4} + g_{5} w^{5} \in B

This optimization is due to "compression" and "decompression" technique, which exploits the algebraic relationships arising from elements belonging to the cyclotomic subgroup

G_{ϕ_{6} (p^{2})}

Compression and Decompression

f = g_{0} + g_{2} w + g_{4} w^{2} + g_{1} w^{3} + g_{3} w^{4} + g_{5} w^{5}

then the compression function

C

is:

C (f) = [g_{2}, g_{3}, g_{4}, g_{5}] .

and the decompression function

D

is:

D ([{\tilde{g}}_{2}, {\tilde{g}}_{3}, {\tilde{g}}_{4}, {\tilde{g}}_{5}]) = {\tilde{g}}_{0} + {\tilde{g}}_{2} w + {\tilde{g}}_{4} w^{2} + {\tilde{g}}_{1} w^{3} + {\tilde{g}}_{3} w^{4} + {\tilde{g}}_{5} w^{5},

where:

{\begin{cases} {\tilde{g}}_{1} = \frac{{\tilde{g}}_{5}^{2} (9 + u) + 3 {\tilde{g}}_{4}^{2} - 2 {\tilde{g}}_{3}}{4 {\tilde{g}}_{2}}, {\tilde{g}}_{0} = (2 {\tilde{g}}_{1}^{2} + {\tilde{g}}_{2} {\tilde{g}}_{5} - 3 {\tilde{g}}_{3} {\tilde{g}}_{4}) (9 + u) + 1, & if {\tilde{g}}_{2} \neq 0 \\ {\tilde{g}}_{1} = \frac{2 {\tilde{g}}_{4} {\tilde{g}}_{5}}{{\tilde{g}}_{3}}, {\tilde{g}}_{0} = (2 {\tilde{g}}_{1}^{2} - 3 {\tilde{g}}_{3} {\tilde{g}}_{4}) (9 + u) + 1, & if {\tilde{g}}_{2} = 0 \end{cases}

Compressed Squaring

Now, on input

f \in G_{ϕ_{6} (p^{2})}

we will be able to compute its square on compressed form. That is,

C (f^{2}) = [h_{2}, h_{3}, h_{4}, h_{5}]

, where

h = f^{2} = h_{0} + h_{2} w + h_{4} w^{2} + h_{1} w^{3} + h_{3} w^{4} + h_{5} w^{5}

\begin{aligned} h_{2} & = 2 (g_{2} + 3 (9 + u) B_{4, 5}), \\ h_{3} & = 3 (A_{4, 5} - (10 + u) B_{4, 5}) - 2 g_{3}, \\ h_{4} & = 3 (A_{2, 3} - (10 + u) B_{2, 3}) - 2 g_{4}, \\ h_{5} & = 2 (g_{5} + 3 B_{2, 3}), \\ A_{i, j} & = (g_{i} + g_{j}) (g_{i} + (9 + u) g_{j}), \\ B_{i, j} & = g_{i} \cdot g_{j} . \end{aligned}

Exponentiation in the Cyclotomic Subgroup

Given

f \in G_{ϕ_{6} (p^{2})} \subset F_{p^{12}}^{*}

and

e \geq 1

, the idea is to compute

f^{e}

using the squaring formula in compressed form.

Represent

e

in binary as

e = e_{ℓ - 1} e_{ℓ - 2} \dots e_{1} e_{0}

with

e_{ℓ - 1} = 1

and define

H_{e} = {i : 1 \leq i \leq ℓ - 1 and e_{i} = 1}

. Then:

f^{e} = \prod_{i = 0}^{ℓ - 1} f^{e_{i} \cdot 2^{i}} = f^{e_{0}} \prod_{i \in H_{e}} D (C (f)^{2^{i}}) .

Therefore, we can use the square-and-multiply algorithm to compute such product. Since we are going to be squaring in compressed form, we start at

C (f)

rather than the standard

f

in such algorithm.












def exp_cyclo(f,e):
    Cf = comp(f);
    result = 1;
    for i in range(len(e)):
        if (e[i] == 1) {
            result = decomp(Cf) * result;
        }

        Cf = square_comp(Cf);
    }

    return result;

Appendix A: Field Isomorphisms

Recall that:

\begin{aligned} F_{p^{2}} & = F_{p} [u] / (u^{2} + 1), \\ F_{p^{6}} & = F_{p^{2}} [v] / (v^{3} - (9 + u)), \\ A = F_{p^{12}} & = F_{p^{6}} [w] / (w^{2} - v) . \end{aligned}

We use two additional representations of

F_{p^{12}}

The first one is used to efficiently compute the Frobenius operator and is as follows:

B = F_{p^{12}} = F_{p^{2}} [w] / (w^{6} - (9 + u)) .

The second one is used to speed up the squares and exponentations in the hard part of the final exponentiation:

\begin{aligned} F_{p^{4}} & = F_{p^{2}} [w^{3}] / ((w^{3})^{2} - (9 + u)), \\ C = F_{p^{12}} & = F_{p^{4}} [w] / (w^{3} - w^{3}) . \end{aligned}

Isomorphism between A and B

We start with

A = F_{p^{6}} [w] / (w^{2} - v)

and

B = F_{p^{2}} [w] / (w^{6} - (9 + u))

, where we notice that if we take

a = a_{1} + a_{2} \cdot w \in A

, we can use the identity

v = w^{2}

to rewrite it as:

\begin{aligned} a & = (a_{1, 1} + a_{1, 2} v + a_{1, 3} v^{2}) + (a_{2, 1} + a_{2, 2} v + a_{2, 3} v^{2}) \cdot w = \\ = a_{1, 1} + a_{2, 1} \cdot w + a_{1, 2} \cdot w^{2} + a_{2, 2} \cdot w^{3} + a_{1, 3} \cdot w^{4} + a_{2, 3} \cdot w^{5} \in B \end{aligned}

This relationship induces the following field isomorphism

χ_{A B} : A \to B

and its inverse

χ_{A B}^{- 1} : B \to A

\begin{aligned} χ_{A B} (a_{1, 1}, a_{1, 2}, a_{1, 3}, a_{2, 1}, a_{2, 2}, a_{2, 3}) & = (a_{1, 1}, a_{2, 1}, a_{1, 2}, a_{2, 2}, a_{1, 3}, a_{2, 3}), \\ χ_{A B}^{- 1} (b_{1}, b_{2}, b_{3}, b_{4}, b_{5}, b_{6}) & = (b_{1}, b_{3}, b_{5}, b_{2}, b_{4}, b_{6}) . \end{aligned}

Exercise: Check that

χ_{A B}

is a field isomorphism between

A

and

B

and that for all

a \in A

and

b \in B

it is true that

χ_{A B}^{- 1} (χ_{A B} (a)) = a

and

χ_{A B} (χ_{A B}^{- 1} (b)) = b

Isomorphism between B and C

We continue with

B = F_{p^{2}} [w] / (w^{6} - (9 + u))

and

C = F_{p^{4}} [w] / (w^{3} - w^{3})

, for which we notice that

c = (c_{1} + c_{2} \cdot w^{3}) + (c_{3} + c_{4} \cdot w^{3}) w + (c_{5} + c_{6} \cdot w^{3}) \cdot w^{2} \in C

can be equivalently written as

c_{1} + c_{3} \cdot w + c_{5} \cdot w^{2} + c_{2} \cdot w^{3} + c_{4} \cdot w^{4} + c_{6} \cdot w^{5} \in B

This relationship induces the following field isomorphism

χ_{B C} : B \to C

and its inverse

χ_{B C}^{- 1} : C \to B

\begin{aligned} χ_{B C} (b_{1}, b_{2}, b_{3}, b_{4}, b_{5}, b_{6}) & = (b_{1}, b_{4}, b_{2}, b_{5}, b_{3}, b_{6}), \\ χ_{B C}^{- 1} (c_{1}, c_{2}, c_{3}, c_{4}, c_{5}, c_{6}) & = (c_{1}, c_{3}, c_{5}, c_{2}, c_{4}, c_{6}) . \end{aligned}

Exercise: Check that

χ_{B C}

is a field isomorphism between

B

and

C

and that for all

b \in B

and

c \in C

it is true that

χ_{B C}^{- 1} (χ_{B C} (b)) = b

and

χ_{B C} (χ_{B C}^{- 1} (c)) = c

Appendix B: Finite Field Arithmetic

Fp2 Arithmetic

Addition

# INPUT: (a = a1 + a2·u), (b = b1 + b2·u) ∈ Fp2, where ai,bi ∈ Fp
# OUTPUT: (c1 + c2·u) = a + b ∈ Fp
c1 = a1 + b1
c2 = a2 + b2

Subtraction

# INPUT: (a = a1 + a2·u), (b = b1 + b2·u) ∈ Fp2, where ai,bi ∈ Fp
# OUTPUT: (c1 + c2·u) = a - b ∈ Fp
c1 = a1 - b1
c2 = a2 - b2

Multiplication

# INPUT: (a = a1 + a2·u), (b = b1 + b2·u) ∈ Fp2, where ai,bi ∈ Fp
# OUTPUT: (c1 + c2·u) = a·b ∈ Fp
c1 = a1·b1 - a2·b2
c2 = a1·b2 + a2·b1

Scalar Multiplication

# INPUT: b ∈ Fp, (a = a1 + a2·u) ∈ Fp2, where ai ∈ Fp
# OUTPUT: (c1 + c2·u) = a·b ∈ Fp
c1 = b·a1
c2 = b·a2

Square

# INPUT: (a = a1 + a2·u) ∈ Fp2, where ai ∈ Fp
# OUTPUT: (c1 + c2·u) = a² ∈ Fp
c1 = (a1 - a2)·(a1 + a2)
c2 = 2·a1·a2

Inverse

# INPUT: (a = a1 + a2·u) ∈ Fp2, where ai ∈ Fp
# OUTPUT: (c1 + c2·u) = a⁻¹ ∈ Fp
c1 = a1·(a1² + a2²)⁻¹
c2 = -a2·(a1² + a2²)⁻¹

Fp4 Arithmetic

Square

# INPUT: (a = a1 + a2·V) ∈ Fp4, where ai ∈ Fp2
# OUTPUT: (c1 + c2·V) = a² ∈ Fp4
c1 = a2²·(9 + u) + a1²
c2 = (a1 + a2)² - a1² - a2²

Fp6 Arithmetic

Addition

# INPUT: (a = a1 + a2·v + a3·v²),(b = b1 + b2·v + b3·v²) ∈ Fp6, where ai,bi ∈ Fp2
# OUTPUT: (c1 + c2·v + c3·v²) = a + b ∈ Fp6
c1 = a1 + b1
c2 = a2 + b2
c3 = a3 + b3

Subtraction

# INPUT: (a = a1 + a2·v + a3·v²),(b = b1 + b2·v + b3·v²) ∈ Fp6, where ai,bi ∈ Fp2
# OUTPUT: (c1 + c2·v + c3·v²) = a - b ∈ Fp6
c1 = a1 - b1
c2 = a2 - b2
c3 = a3 - b3

Multiplication

# INPUT: (a = a1 + a2·v + a3·v²),(b = b1 + b2·v + b3·v²) ∈ Fp6, where ai,bi ∈ Fp2
# OUTPUT: (c1 + c2·v + c3·v²) = a·b ∈ Fp6
c1 = [(a2+a3)·(b2+b3) - a2·b2 - a3·b3]·(9+u) + a1·b1
c2 = (a1+a2)·(b1+b2) - a1·b1 - a2·b2 + (9+u)·(a3·b3)
c3 = (a1+a3)·(b1+b3) - a1·b1 + a2·b2 - a3·b3

Scalar Multiplication

# INPUT: b ∈ Fp, (a = a1 + a2·v + a3·v²) ∈ Fp6, where ai ∈ Fp2
# OUTPUT: (c1 + c2·v + c3·v²) = a·b ∈ Fp6
c1 = b·a1
c1 = b·a2
c1 = b·a3

The following three algorithms help to compute the line equations. See the sparse multiplications algorithms of next section for a full understanding.

Sparse Multiplication A

# INPUT: (a = a1 + a2·v + a3·v²),b = b2·v ∈ Fp6, where ai,b2 ∈ Fp2
# OUTPUT: (c1 + c2·v + c3·v²) = a·b ∈ Fp6
c1 = b2·a3·(9+u)
c2 = b2·a1
c3 = b2·a2

Sparse Multiplication B

# INPUT: (a = a1 + a2·v + a3·v²),(b = b2·v + b3·v²) ∈ Fp6, where ai,bi ∈ Fp2
# OUTPUT: (c1 + c2·v + c3·v²) = a·b ∈ Fp6
c1 = [(a2 + a3)·(b2 + b3) - a2·b2 - a3·b3]·(9+u)
c2 = a1·b2 + a3·b3·(9+u)
c3 = (a1 + a3)·b3 - a3·b3 + a2·b2

Sparse Multiplication C

# INPUT: (a = a1 + a2·v + a3·v²),(b = b1 + b3·v²) ∈ Fp6, where ai,bi ∈ Fp2
# OUTPUT: (c1 + c2·v + c3·v²) = a·b ∈ Fp6
c1 = a1·b1 + a2·b3·(9+u)
c2 = a2·b1 + a3·b3·(9+u)
c3 = (a1 + a3)·(b1 + b3) - a1·b1 - a3·b3

Square

# INPUT: (a = a1 + a2·v + a3·v²) ∈ Fp6, where ai ∈ Fp2
# OUTPUT: (c1 + c2·v + c3·v²) = a² ∈ Fp6
c1 = 2·a2·a3·(9 + u) + a1²
c2 = a3²·(9 + u) + 2·a1·a2
c3 = 2·a1·a2 - a3² + (a1 - a2 + a3)² + 2·a2·a3 - a1²

Inverse

# INPUT: (a = a1 + a2·v + a3·v²) ∈ Fp6, where ai ∈ Fp2
# OUTPUT: (c1 + c2·v + c3·v²) = a⁻¹ ∈ Fp6
c1mid = a1² - (9 + u)·(a2·a3)
c2mid = (9 + u)·a3² - (a1·a2)
c3mid = a2² - (a1·a3)
c1 = (a1² - (9 + u)·(a2·a3))·(a1·c1mid + xi·(a3·c2mid + a2·c3mid))⁻¹
c2 = ((9 + u)·a3² - (a1·a2))·(a1·c1mid + xi·(a3·c2mid + a2·c3mid))⁻¹
c3 = (a2²-a1·a3)·(a1·c1mid + xi·(a3·c2mid + a2·c3mid))⁻¹

Fp12 Arithmetic

Addition

# INPUT: (a = a1 + a2·w),(b = b1 + b2·w) ∈ Fp12, where ai,bi ∈ Fp6
# OUTPUT: (c1 + c2·w) = a + b ∈ Fp12
c1 = a1 + b1
c2 = a2 + b2

Subtraction

# INPUT: (a = a1 + a2·w),(b = b1 + b2·w) ∈ Fp12, where ai,bi ∈ Fp6
# OUTPUT: (c1 + c2·w) = a - b ∈ Fp12
c1 = a1 - b1
c2 = a2 - b2

Multiplication

# INPUT: (a = a1 + a2·w),(b = b1 + b2·w) ∈ Fp12, where ai,bi ∈ Fp6
# OUTPUT: (c1 + c2·w) = a·b ∈ Fp12
c1 = a1·b1 + a2·b2·v
c2 = (a1+a2)·(b1+b2) - a1·b1 - a2·b2

The following two algorithms are used to compute the line equations avoiding all multiplications by zero that arise from the sparisity of such equations.

Sparse Multiplication A

# INPUT: (a = a1 + a2·w),(b = b1 + b2·w) ∈ Fp12, where ai ∈ Fp6, b1 = b12·v and b2 = b22·v + b23·v², with b12,b22,b23 ∈ Fp2
# OUTPUT: (c1 + c2·w) = a·b ∈ Fp12
c1 = a1·b1 + a2·b2·v
c2 = (a1+a2)·[(b12+b22)·v + b23·v²] - a1·b1 - a2·b2

Sparse Multiplication B

# INPUT: (a = a1 + a2·w),(b = b1 + b2·w) ∈ Fp12, where ai ∈ Fp6, b1 = b11 + b13·v² and b2 = b22·v, with b11,b13,b22 ∈ Fp2
# OUTPUT: (c1 + c2·w) = a·b ∈ Fp12
c1 = a1·b1 + a2·b2·v
c2 = (a1+a2)·(b11 + b22·v + b13·v²) - a1·b1 - a2·b2

Square

# INPUT: (a = a1 + a2·w) ∈ Fp12, where ai ∈ Fp6
# OUTPUT: (c1 + c2·w) = a² ∈ Fp12
c1 = (a1-a2)·(a1-a2·v) + a1·a2 + a1·a2·v
c2 = 2·a1·a2

Inverse

# INPUT: (a = a1 + a2·w) ∈ Fp12, where ai ∈ Fp6
# OUTPUT: (c1 + c2·w) = a⁻¹ ∈ Fp12
c1 = a1·(a1² - a2²·v)⁻¹
c2 = -a2·(a1² - a2²·v)⁻¹

First Frobenius Operator

# INPUT: (a = a1 + a2·w) = ((a11 + a12v + a13v²) + (a21 + a22v + a23v²)) ∈ Fp12, where ai ∈ Fp6 and aij ∈ Fp2
# OUTPUT: (c1 + c2·w) = a^p ∈ Fp12
c1 = a̅11     + a̅12·γ12·v + a̅13·γ14·v²
c2 = a̅21·γ11 + a̅22·γ13·v + a̅23·γ15·v²

Second Frobenius Operator

# INPUT: (a = a1 + a2·w) = ((a11 + a12v + a13v²) + (a21 + a22v + a23v²)) ∈ Fp12, where ai ∈ Fp6 and aij ∈ Fp2
# OUTPUT: (c1 + c2·w) = a^p² ∈ Fp12
c1 = a11     + a12·γ22·v + a13·γ24·v²
c2 = a21·γ21 + a22·γ23·v + a23·γ25·v²

Third Frobenius Operator

# INPUT: (a = a1 + a2·w) = ((a11 + a12v + a13v²) + (a21 + a22v + a23v²)) ∈ Fp12, where ai ∈ Fp6 and aij ∈ Fp2
# OUTPUT: (c1 + c2·w) = a^p³ ∈ Fp12
c1 = a̅11     + a̅12·γ32·v + a̅13·γ34·v²
c2 = a̅21·γ31 + a̅22·γ33·v + a̅23·γ35·v²

The following two algorithms are used for computing squarings and exponentiations over the cyclotomic subgroup

G_{ϕ_{6} (p^{2})} \subset F_{p^{12}}

. Luckily for us, this is the case after performing the easy part of the final exponentiation.

Fast Squaring

# INPUT: (a = a1 + a2·w) ∈ GΦ6(p²), where ai ∈ Fp6
# OUTPUT: ((c11 + c12·v + c13·v²) + (c21 + c22·v + c23·v²)·w) = a² ∈ GΦ6(p²)
[t11,t22] = (a11 + a22·V)²
[t23,t12] = (a21 + a13·V)²
[t13,aux] = (a12 + a23·V)²
t21 = aux·(9+u)
c11 = -2·a11 + 3·t11
c12 = -2·a12 + 3·t23
c13 = -2·a13 + 3·t13
c21 = 2·a21 + 3·t21
c22 = 2·a22 + 3·t22
c23 = 2·a23 + 3·t12

Fast Exponentatiation

# INPUT: e, (a = a1 + a2·w) ∈ GΦ6(p²), where e ∈ [0,p¹²-2] ai ∈ Fp6
# OUTPUT: (c = c1 + c2·w) = a^e ∈ GΦ6(p²)
c = a
for i in range(L-2,-1,-1): # L is log2(e)
    c = c² # Use previous algorithm
    if e[i] == 1:
        c = c·a

return c

if you don't know why, make sure to review Galois theory. Start by noticing that Galois group
$Gal (F_{p^{12}} / F_{p^{6}})$ is a cyclic group of order
$2$ generated by the Frobenius endomorphism
$F (X) = X^{p^{6}}$ . ↩︎
I recently discoverd that this is just a particular case of the more generic non-adjacent form (NAF) of a number. ↩︎

Computing the Optimal Ate Pairing over the BN254 Curve

The Curve

Tower of Extension Fields

Twist

The Pairing

Subgroup Checks

Line Equations

Different Points

The Same Points

The Last two Lines

Final Exponentiation

The Easy Part

The Hard Part

Frobenius Operator

Speeding up Computations in the Cyclotomic Subgroup

Compression and Decompression

Compressed Squaring

Exponentiation in the Cyclotomic Subgroup

Appendix A: Field Isomorphisms

Isomorphism between A and B

Isomorphism between B and C

Appendix B: Finite Field Arithmetic

Fp2 Arithmetic

Fp4 Arithmetic

Fp6 Arithmetic

Fp12 Arithmetic

Read more

Elliptic Curves over Goldilocks

Fflonk

Computing the Optimal Ate Pairing over the BLS12-381 Curve

The Sponge Construction in Polygon zkEVM