# Pairings on Hyperelliptic Curves with Considering Recent Progress on the NFS Algorithms

## Abstract

In this paper, we analyze and reexamine the key lengths of pairings on hyperelliptic curves of genus 2, taking into account the estimated run time of the (special) extended tower number field sieve. Pairing-based cryptosystems have become a major research topic in cryptography and have attracted growing attention because of the increasing interest in efficient and functional cryptographic protocols, e.g., functional encryption. The number field sieve algorithm and its variants have recently made progress, and it is urgently necessary to estimate the key lengths of pairings in light of the impact of these algorithms. We report the detailed computational cost of the pairings on the Kawazoe–Takahashi curves of genus 2, and compare our pairing with the pairing on the BLS24 elliptic curves at the 192-bit security level. The estimated cost of our pairing is approximately 2.5 times that of the BLS24 pairing.

## Keywords

Twisted ate pairing; Kawazoe–Takahashi curves; Key length; Security levels; Extended tower number field sieve; Hyperelliptic curves; Jacobians; Discrete logarithms in finite fields