Fixed argument pairing inversion on elliptic curves

Let be an elliptic curve over a finite field with a power of prime a prime dividing , and the smallest positive integer satisfying , called embedding degree. Then a bilinear map is defined, called the Tate pairing. The Ate pairing and other variants are obtained by reducing the domain for each argument and raising it to some power. In this paper we consider the Fixed Argument Pairing Inversion (FAPI) problem for the Tate pairing and its variants. In 2012, considering FAPI for the Ate pairing, Kanayama and Okamoto formulated the Exponentiation Inversion (EI) problem. However the definition gives a somewhat inaccurate description of the hardness of EI. We point out that the described EI can be easily solved, and hence give a repaired definition of EI so that the problem does contain the actual hardness in connection with the prescribed domain for given pairings. Next we show that inverting the Ate pairing (including other variants of the Tate pairing) defined on the smaller domain is neither easier nor harder than inverting the Tate pairing defined on the larger domain. This is interesting because the structure of the Ate pairing is so simple and good (that is, the Miller length is short, the solution domain is small and has an algebraic structure induced from the Frobenius map) that it looks more probable that attackers find further approach to solve FAPI for the Ate pairing, differently from the Tate pairing.