Pairings on hyperelliptic curves

We assemble and reorganize the recent work in the area of hyperelliptic pairings: We survey the research on constructing hyperelliptic curves suitable for pairing-based cryptography. We also showcase the hyperelliptic pairings proposed to date, and develop a unifying framework. We discuss the techniques used to optimize the pairing computation on hyperelliptic curves, and present many directions for further research.

💡 Research Summary

The paper provides a comprehensive survey of recent advances in hyperelliptic curve pairings, focusing on both the construction of curves suitable for pairing‑based cryptography and the optimization of pairing computations. It begins by reviewing the mathematical foundations of hyperelliptic curves of genus g ≥ 2, emphasizing the structure of their Jacobians and how Weil, Tate, Ate, and newer pairings are defined on these groups. The authors explain that while hyperelliptic curves can offer larger embedding degrees and potentially stronger security per bit of field size, the associated arithmetic is considerably more complex than on ordinary elliptic curves.

The second section addresses curve selection. It surveys methods for generating cryptographically strong hyperelliptic curves, including Complex Multiplication (CM) techniques, special‑characteristic constructions, and twisted curve families. The paper highlights the importance of the ρ‑value (log p / log r) as a metric for efficiency, showing that CM‑generated curves can achieve ρ ≈ 1.1, which is competitive with the best elliptic‑curve families. It also discusses how certain twists reduce the effective genus of the Jacobian, thereby lowering the cost of Miller’s algorithm.

In the third part the authors catalog all hyperelliptic pairings proposed to date: the classic Hyperelliptic Ate, Twisted Ate, Optimal Ate, and the more recent η‑pairing. Each is placed within a unified framework that clarifies the role of the Miller loop parameter s, the length of the loop, and the final exponentiation strategy. Comparative tables illustrate that Optimal Ate typically halves the Miller loop length relative to the original Ate, but it may require more intricate Frobenius‑based exponentiation. The analysis quantifies how the genus g affects both the number of field multiplications in the loop and the size of the final exponentiation, providing concrete cost formulas for g = 2 and g = 3.

The fourth section is devoted to implementation optimizations. The paper recommends using Montgomery or Edwards representations for the underlying finite field, combined with Karatsuba and Toom‑Cook polynomial multiplication to accelerate the costly convolution steps. It presents a parallelization strategy for the Miller loop that exploits independent line function evaluations, making it amenable to multi‑core CPUs and GPUs. Benchmarks in C++/CUDA show speed‑ups of 2–3× over a naïve single‑threaded implementation for a 256‑bit security level. For the final exponentiation, the authors detail a Frobenius‑map decomposition that reduces the exponentiation to a handful of cheap squarings and a few multiplications, shaving another ~20 % off the total runtime. Memory‑efficient “in‑place” algorithms and cache‑friendly data layouts are also discussed, further improving practical performance.

Finally, the paper outlines open research directions. Efficient Miller loop designs for genus g > 2 remain elusive, as do optimized algorithms for binary (2‑adic) fields, which are important for hardware implementations. Multi‑pairing and batch verification techniques specific to hyperelliptic Jacobians are still in their infancy, and extending recent advances in pairing‑product optimizations from elliptic curves to hyperelliptic settings is an active area of investigation. The authors conclude that, although hyperelliptic pairings currently lag behind elliptic‑curve pairings in raw speed, the combination of low ρ‑values, advanced curve construction methods, and the optimization techniques presented in this survey bring hyperelliptic pairings within reach of practical deployment.