Secure and Efficient Pairing at 256-Bit Security Level

  • Yutaro KiyomuraEmail author
  • Akiko Inoue
  • Yuto Kawahara
  • Masaya Yasuda
  • Tsuyoshi Takagi
  • Tetsutaro Kobayashi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10355)


At CRYPTO 2016, Kim and Barbulescu proposed an efficient number field sieve (NFS) algorithm for the discrete logarithm problem (DLP) in a finite field. The security of pairing-based cryptography (PBC) is based on the difficulty in solving the DLP. Hence, it has become necessary to revise the bitlength that the DLP is computationally infeasible against the efficient NFS algorithms. The timing of the main operations of PBC (i.e. pairing, scalar multiplication on the elliptic curves, and exponentiation on the finite field) generally becomes slower as the bitlength becomes longer, so it has become increasingly important to compute the main operations of PBC more efficiently. To choose a suitable pairing-friendly curve from among various pairing-friendly curves is one of the factors that affect the efficiency of computing the main operations of PBC. We should implement the main operations of PBC and compare the timing among some pairing-friendly curves in order to choose the suitable pairing-friendly curve precisely. In this paper, we focus on the five candidate pairing-friendly curves from the Barreto-Lynn-Scott (BLS) and Kachisa-Schaefer-Scott (KSS) families as the 256-bit secure pairing-friendly curves and show the following two results; (1) the revised bitlength that the DLP is computationally infeasible against the efficient NFS algorithms for each candidate pairing-friendly curve, (2) the suitable pairing-friendly curve by comparing the timing of the main operations of PBC among the candidate pairing-friendly curves using the revised bitlength.

Supplementary material


  1. 1.
    Aoki, K., Franke, J., Kleinjung, T., Lenstra, A.K., Osvik, D.A.: A kilobit special number field sieve factorization. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 1–12. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-76900-2_1 CrossRefGoogle Scholar
  2. 2.
    Acar, T., Lauter, K., Naehrig, M., Shumow, D.: Affine pairings on ARM. In: Abdalla, M., Lange, T. (eds.) Pairing 2012. LNCS, vol. 7708, pp. 203–209. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-36334-4_13 CrossRefGoogle Scholar
  3. 3.
    Aranha, D.F., Fuentes-Castañeda, L., Knapp, E., Menezes, A., Rodríguez-Henríquez, F.: Implementing pairings at the 192-bit security level. In: Abdalla, M., Lange, T. (eds.) Pairing 2012. LNCS, vol. 7708, pp. 177–195. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-36334-4_11 CrossRefGoogle Scholar
  4. 4.
    Aranha, D.F., Karabina, K., Longa, P., Gebotys, C.H., López, J.: Faster explicit formulas for computing pairings over ordinary curves. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 48–68. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-20465-4_5 CrossRefGoogle Scholar
  5. 5.
    Barker, E.B., Barker, W.C., Burr, W.E., Polk, W.T., Smid, M.E.: Recommendation for key management - part 1: General (Revision 4). NIST SP 800-57 (2016)Google Scholar
  6. 6.
    Barbulescu, R., Gaudry, P., Guillevic, A., Morain, F.: Improving NFS for the discrete logarithm problem in non-prime finite fields. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 129–155. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46800-5_6 Google Scholar
  7. 7.
    Bouvier, C., Gaudry, P., Imbert, L., Jeljeli, H., Thom, E.: Discrete logarithms in GF(p) — 180 digits. Announcement available at the NMBRTHRY archives, item 004703 (2014)Google Scholar
  8. 8.
    Boneh, D., Franklin, M.: Identity-based encryption from the weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). doi: 10.1007/3-540-44647-8_13 CrossRefGoogle Scholar
  9. 9.
    Bos, J.W., Costello, C., Naehrig, M.: Exponentiating in pairing groups. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 438–455. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-43414-7_22 CrossRefGoogle Scholar
  10. 10.
    Barbulescu, R., Gaudry, P., Kleinjung, T.: The tower number field sieve. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 31–55. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48800-3_2 CrossRefGoogle Scholar
  11. 11.
    Barreto, P.S.L.M., Lynn, B., Scott, M.: Constructing elliptic curves with prescribed embedding degrees. In: Cimato, S., Persiano, G., Galdi, C. (eds.) SCN 2002. LNCS, vol. 2576, pp. 257–267. Springer, Heidelberg (2003). doi: 10.1007/3-540-36413-7_19 CrossRefGoogle Scholar
  12. 12.
    Barreto, P.S.L.M., Costello, C., Misoczki, R., Naehrig, M., Pereira, G.C.C.F., Zanon, G.: Subgroup security in pairing-based cryptography. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 245–265. Springer, Cham (2015). doi: 10.1007/978-3-319-22174-8_14 CrossRefGoogle Scholar
  13. 13.
    Costello, C., Lauter, K., Naehrig, M.: Attractive subfamilies of BLS curves for implementing high-security pairings. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 320–342. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-25578-6_23 CrossRefGoogle Scholar
  14. 14.
    Danilov, S.A., Popovyan, I.A.: Factorization of RSA-180, Cryptology ePrint Archive, Report 2010/270 (2010)Google Scholar
  15. 15.
    European Union Agency of Network and Information Security (ENISA): Algorithms, key sizes and parameters report, 2013 recommandations, version 1.0, October 2013Google Scholar
  16. 16.
    Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. J. Cryptol. 23, 224–280 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Fried, J., Gaudry, P., Heninger, N., Thomé, E.: A kilobit hidden SNFS discrete logarithm computation. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 202–231. Springer, Cham (2017). doi: 10.1007/978-3-319-56620-7_8 CrossRefGoogle Scholar
  18. 18.
    The GNU Multiple Precision Arithmetic Library.
  19. 19.
    Granger, R., Scott, M.: Faster squaring in the cyclotomic subgroup of sixth degree extensions. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 209–223. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-13013-7_13 CrossRefGoogle Scholar
  20. 20.
    Gallant, R.P., Lambert, R.J., Vanstone, S.A.: Faster point multiplication on elliptic curves with efficient endomorphisms. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 190–200. Springer, Heidelberg (2001). doi: 10.1007/3-540-44647-8_11 CrossRefGoogle Scholar
  21. 21.
    Galbraith, S.D., Lin, X., Scott, M.: Endomorphisms for faster elliptic curve cryptography on a large class of curves. J. Crypto 24, 446–469 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  22. 22.
    Guillevic, A., Morain, F., Thomé, E.: Solving discrete logarithms on a 170-bit MNT curve by pairing reduction, arXiv preprint arXiv:1605.07746 (2016)
  23. 23.
    Ghammam, L., Fouotsa, E.: Adequate elliptic curves for computing the product of n pairings. In: Duquesne, S., Petkova-Nikova, S. (eds.) WAIFI 2016. LNCS, vol. 10064, pp. 36–53. Springer, Cham (2016). doi: 10.1007/978-3-319-55227-9_3 CrossRefGoogle Scholar
  24. 24.
    Hess, F., Smart, N., Vercauteren, F.: The eta pairing revisited. IEEE Trans. Inf. Theory 52(10), 4595–4602 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
  25. 25.
    Joux, A., Lercier, R., Smart, N., Vercauteren, F.: The number field sieve in the medium prime case. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 326–344. Springer, Heidelberg (2006). doi: 10.1007/11818175_19 CrossRefGoogle Scholar
  26. 26.
    Joux, A., Pierrot, C.: The special number field sieve in \(\mathbb{F}_{p^{n}}\). In: Cao, Z., Zhang, F. (eds.) Pairing 2013. LNCS, vol. 8365, pp. 45–61. Springer, Cham (2014). doi: 10.1007/978-3-319-04873-4_3 CrossRefGoogle Scholar
  27. 27.
    Karabina, K.: Squaring in cyclotomic subgroups. Math. Comput. 82, 555–579 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
  28. 28.
    Kim, T., Barbulescu, R.: Extended tower number field sieve: a new complexity for the medium prime case. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 543–571. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53018-4_20 CrossRefGoogle Scholar
  29. 29.
    Kachisa, E.J., Schaefer, E.F., Scott, M.: Constructing brezing-weng pairing-friendly elliptic curves using elements in the cyclotomic field. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 126–135. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-85538-5_9 CrossRefGoogle Scholar
  30. 30.
    Kim, T., Jeong, J.: Extended tower number field sieve with application to finite fields of arbitrary composite extension degree. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10174, pp. 388–408. Springer, Heidelberg (2017). doi: 10.1007/978-3-662-54365-8_16 CrossRefGoogle Scholar
  31. 31.
    Kleinjung, T.: Discrete Logarithms in GF(p) – 768 bits. Announcement available at the NMBRTHRY archives, item 004917 (2016)Google Scholar
  32. 32.
    Lenstra, A.K.: Unbelievable security matching AES security using public key systems. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 67–86. Springer, Heidelberg (2001). doi: 10.1007/3-540-45682-1_5 CrossRefGoogle Scholar
  33. 33.
    Lenstra, A.K., Lenstra, H.W. (eds.): The Development of the Number Field Sieve. LNM, vol. 1554. Springer, Heidelberg (1993). doi: 10.1007/BFb0091534 zbMATHGoogle Scholar
  34. 34.
    Miller, V.S.: The weil pairing, and its efficient calculation. J. Cryptol. 17, 235–261 (2004)MathSciNetCrossRefzbMATHGoogle Scholar
  35. 35.
    Mori, Y., Akagi, S., Nogami, Y., Shirase, M.: Pseudo 8–sparse multiplication for efficient ate–based pairing on barreto–naehrig curve. In: Cao, Z., Zhang, F. (eds.) Pairing 2013. LNCS, vol. 8365, pp. 186–198. Springer, Cham (2014). doi: 10.1007/978-3-319-04873-4_11 CrossRefGoogle Scholar
  36. 36.
    Mitsunari, S.: A fast implementation of the optimal ate pairing over BN curve on intel haswell processor, Cryptology ePrint Archive, Report 2013/362 (2013)Google Scholar
  37. 37.
    Menezes, A., Sarker, P., Singh, S.: Challenges with assessing the impact of NFS advances on the security of pairing-based cryptography, Cryptology ePrint Archive, Report 2016/1102 (2016)Google Scholar
  38. 38.
    Okamoto, T., Takashima, K.: Fully secure functional encryption with general relations from the decisional linear assumption. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 191–208. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-14623-7_11 CrossRefGoogle Scholar
  39. 39.
    Pollard, J.: Monte Carlo methods for index computation (mod p). Math. Comput. 32(143), 918–924 (1978)MathSciNetzbMATHGoogle Scholar
  40. 40.
    Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing. In: SCIS 2000, C-20, pp. 26–28 (2000)Google Scholar
  41. 41.
    Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). doi: 10.1007/11426639_27 CrossRefGoogle Scholar
  42. 42.
    Devegili, A.J., Scott, M., Dahab, R.: Implementing cryptographic pairings over barreto-naehrig curves. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 197–207. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-73489-5_10 CrossRefGoogle Scholar
  43. 43.
    Scott, M., Benger, N., Charlemagne, M., Dominguez Perez, L.J., Kachisa, E.J.: On the final exponentiation for calculating pairings on ordinary elliptic curves. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 78–88. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-03298-1_6 CrossRefGoogle Scholar
  44. 44.
    Scott, M.: On the efficient implementation of pairing-based protocols. In: Chen, L. (ed.) IMACC 2011. LNCS, vol. 7089, pp. 296–308. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-25516-8_18 CrossRefGoogle Scholar
  45. 45.
    Schirokauer, O.: Using number fields to compute logarithms in finite fields. Math. Comp. 69, 1267–1283 (2000)MathSciNetCrossRefzbMATHGoogle Scholar
  46. 46.
    Schirokauer, O.: Virtual logarithms. J. Algorithms 57, 140–147 (2005)MathSciNetCrossRefzbMATHGoogle Scholar
  47. 47.
    Vercauteren, F.: Optimal pairings. IEEE Trans. Inf. Theory 56(1), 455–461 (2010)MathSciNetCrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Yutaro Kiyomura
    • 1
    Email author
  • Akiko Inoue
    • 2
  • Yuto Kawahara
    • 1
  • Masaya Yasuda
    • 3
  • Tsuyoshi Takagi
    • 3
  • Tetsutaro Kobayashi
    • 1
  1. 1.NTT Secure Platform LaboratoriesMusashinoJapan
  2. 2.NEC Central Research LaboratoriesKawasakiJapan
  3. 3.Kyushu UniversityFukuokaJapan

Personalised recommendations