Abstract
For ID-based cryptography, not only pairing but also scalar multiplication must be efficiently computable. In this paper, we propose a scalar multiplication method on the circumstances that we work at Ate pairing with Barreto-Naehrig (BN) curve. Note that the parameters of BN curve are given by a certain integer, namely mother parameter. Adhering the authors' previous policy that we execute scalar multiplication on subfield-twisted curve $\\ ilde{E} (\\boldsymbol{F}_{p^2}$) instead of doing on the original curve $E(\\boldsymbol{F}_{p^{12}}$), we at first show sextic twisted subfield Frobenius mapping (ST-SFM) $\\ ilde{\\varphi}$ in $\\ ilde{E} (\\boldsymbol{F}_{p^2})$. On BN curves, note $\\ ilde{\\varphi}$ is identified with the scalar multiplication by p. However a scalar is always smaller than the order r of BN curve for Ate pairing, so ST-SFM does not directly applicable to the above circumstances. We then exploit the expressions of the curve order r and the characteristic p by the mother parameter to derive some radices such that they are expressed as a polynomial of p. Thus, a scalar multiplication [s] can be written by the series of ST-SFMs $\\ ilde{\\varphi}$. In combination with the binary method or multi-exponentiation technique, this paper shows that the proposed method runs about twice or more faster than plain binary method.
