Implement "Efficient Final Exponentiation via Cyclotomic Structure for Pairings over Families of Elliptic Curves"

[MauroToscano]

Follow this paper (page 14) to raise the result of the easy part to the power $3\Phi_{12}(p)/r$. Use a mix of GS cyclotomic squaring and Karabina's cyclotomic square for faster arithmetic in $\mathbb{F}_{p^{12}}$. See here for an implementation of this exact approach in golang (gnark).

The easy part is raising $f$, the outuput of the miller loop, to the power $(1-p^6)(p^2+1)$. For that perform the following steps: $$f \mapsto \bar f \mapsto (\bar f)^{-1} \mapsto (\bar f)^{-1} f \mapsto ((\bar f)^{-1} f)^{p^2}\mapsto ((\bar f)^{-1} f)^{p^2}f$$

[Raneet10]

Hello! I am trying to build intuition behind calculating the cyclotomic square of an element in Fₚ¹² . So, if f ∈ Fₚ¹²

f = a + bx , where a, b ∈ Fₚ⁶ f = (a₀ + a₁y + a₂y²) + (b₀ + b₁y + b₂y²)x , where a₀,....,b₂ ∈ Fₚ²

Now, f² = [a₀ + a₁y + a₂y²]² + [b₀ + b₁y + b₂y²]²x² + 2x[a₀ + a₁y + a₂y²][b₀ + b₁y + b₂y²]

According to this paper, f² = A₀ + A₁y + A₂y² + (B₀ + B₁y + B₂y²)x² + 2x√A√B

Now consider, Fₚ¹² = Fₚ(t)/t¹² - i , where i is the 12th power residue in Fₚ So, Fₚ² = Fₚ(z)/ z² - i , Fₚ⁶ = Fₚ²(y)/ y³ - √i and Fₚ¹² = Fₚ⁶(x)/ x² - (i)¹/⁶ (i)¹/⁶ = (i)¹/¹²*² = ⍵² , where ⍵ is a 12th root of unity in Fₚ.

Hence, f² = A' + B'⍵² + 2⍵*√A * √B , where A' = A₀ + A₁y + A₂y² , B' = B₀ + B₁y + B₂y² and x² = ⍵²

Does the above make much sense ? I am not sure whether I am arriving at the result correctly. Would love to know your thoughts!

[Raneet10]

Hey @MauroToscano , do you have any thoughts on the above ?