
Cocks–Pinch curves of embedding degrees five to eight and optimal ate pairing computation

Published in: Designs, Codes and Cryptography

Abstract

Recent algorithmic improvements of discrete logarithm computation in special extension fields threaten the security of pairing-friendly curves used in practice. A possible answer to this delicate situation is to propose alternative curves that are immune to these attacks, without compromising the efficiency of the pairing computation too much. We follow this direction, and focus on embedding degrees 5 to 8; we extend the Cocks–Pinch algorithm to obtain pairing-friendly curves with an efficient ate pairing. We carefully select our curve parameters so as to thwart possible attacks by “special” or “tower” Number Field Sieve algorithms. We target a 128-bit security level, and back this security claim by time estimates for the DLP computation. We also compare the efficiency of the optimal ate pairing computation on these curves to \(k=12\) curves (Barreto–Naehrig, Barreto–Lynn–Scott), \(k=16\) curves (Kachisa–Schaefer–Scott) and \(k=1\) curves (Chatterjee–Menezes–Rodríguez-Henríquez).


Notes

  1. The approximation \(\mathbf{i} _1 \approx 25\mathbf{m} \) in Table 4 is clearly implementation-dependent. Since it has negligible bearing on the final cost anyway, we stick to that coarse estimate.

  2. In particular, the line computations involve some sparse products, e.g. \((\sum a_ix^i)\times (\sum b_ix^i)\) in \(\mathbb {F}_{p^8}\) over \(\mathbb {F}_{p^2}\) with \(a_1=0\) (see [21]), which costs 8\(\mathbf{m} _2\) by Karatsuba. Note that [54] claims 7\(\mathbf{m} _2\) but with no explicit formula. We were not able to match this. The work [35, §3.3] obtained 7\(\mathbf{m} _2\) in favorable cases at a cost of extra precomputations.

  3. The Edwards model is not available for a quartic or sextic twist because there is no 4-torsion point on these twists, only the quadratic twist can be in Edwards form [41]. The Jacobi quartic model is not available for a cubic or sextic twist because there is no 2-torsion point on the twist. The Hessian model is compatible with cubic twists but not sextic twists.

  4. We depart from the conventional notation \(\rho \) for the Dickman rho function, to avoid confusion with \(\rho = \log p/\log r\).

  5. For the RSA-768 record factorisation, we used the corrected value 46.7G instead of 47.7G, according to P. Zimmermann’s webpage https://members.loria.fr/PZimmermann/papers/#rsa768.

  6. We mention that there was a typo in [7, Table 3]: in the factorisation of \(2^{1039}-1\), there were 66.7M rows after filtering, not 82.8M, and the reduction factor of the filtering step is 143, not 167.

References

  1. Aoki K., Franke J., Kleinjung T., Lenstra A.K., Osvik D.A.: A kilobit special number field sieve factorization. In: Kurosawa K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 1–12. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_1.

  2. Aranha D.F.: Pairings are not dead, just resting. Slides at ECC 2017 workshop. (2017). https://ecc2017.cs.ru.nl/.

  3. Aranha D.F., Fuentes-Castañeda L., Knapp E., Menezes A., Rodríguez-Henríquez F.: Implementing pairings at the 192-bit security level. In: Abdalla M., Lange T. (eds.) PAIRING 2012. LNCS, vol. 7708, pp. 177–195. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36334-4_11.

  4. Aranha D.F., Gouvêa C.P.L.: RELIC is an Efficient LIbrary for Cryptography. https://github.com/relic-toolkit/relic.

  5. Aranha D.F., Karabina K., Longa P., Gebotys C.H., López-Hernández J.C.: Faster explicit formulas for computing pairings over ordinary curves. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 48–68. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_5.

  6. Bai S., Gaudry P., Kruppa A., Thomé E., Zimmermann P.: Factorization of RSA-220. Number Theory list (May 12 2016), https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;d17fe291.1605, http://www.loria.fr/~zimmerma/papers/rsa220.pdf.

  7. Barbulescu R., Duquesne S.: Updating key size estimations for pairings. J. Cryptol. 32(4), 1298–1336 (2019). https://doi.org/10.1007/s00145-018-9280-5.


  8. Barbulescu R., Gaudry P., Guillevic A., Morain F.: Improving NFS for the discrete logarithm problem in non-prime finite fields. In: Oswald E., Fischlin M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 129–155. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_6.

  9. Barbulescu R., Gaudry P., Kleinjung T.: The tower number field sieve. In: Iwata T., Cheon J.H. (eds.) ASIACRYPT 2015, Part II. LNCS, vol. 9453, pp. 31–55. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_2.

  10. Barreto P.S.L.M., Costello C., Misoczki R., Naehrig M., Pereira G.C.C.F., Zanon G.: Subgroup security in pairing-based cryptography. In: Lauter K.E., Rodríguez-Henríquez F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 245–265. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-319-22174-8_14.

  11. Bitansky N., Canetti R., Chiesa A., Tromer E.: From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In: Goldwasser S. (ed.) ITCS 2012, pp. 326–349. ACM (2012). https://doi.org/10.1145/2090236.2090263.

  12. Boneh D., Franklin M.K.: Identity-based encryption from the Weil pairing. In: Kilian J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13.

  13. Boneh D., Lynn B., Shacham H.: Short signatures from the Weil pairing. In: Boyd C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_30.

  14. Bouvier C., Gaudry P., Imbert L., Jeljeli H., Thomé E.: Discrete logarithms in GF\((p)\)—180 digits. Number Theory list, item 004703 (2014). https://listserv.nodak.edu/cgi-bin/wa.exe?A2=NMBRTHRY;615d922a.1406.

  15. Bowe S.: BLS12-381: New zk-SNARK elliptic curve construction. Zcash blog (2017). https://blog.z.cash/new-snark-curve/.

  16. Chatterjee S., Menezes A., Rodríguez-Henríquez F.: On instantiating pairing-based protocols with elliptic curves of embedding degree one. IEEE Trans. Comput. 66(6), 1061–1070 (2017). https://doi.org/10.1109/TC.2016.2633340.


  17. Childers G.: Factorization of a 1061-bit number by the special number field sieve. Cryptology ePrint Archive, Report 2012/444 (2012). http://eprint.iacr.org/2012/444.

  18. Chuengsatiansup C., Martindale C.: Pairing-friendly twisted Hessian curves. In: Chakraborty D., Iwata T. (eds.) INDOCRYPT 2018. LNCS, vol. 11356, pp. 228–247. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-030-05378-9_13.

  19. Chung J., Hasan M.A.: Asymmetric squaring formulae. In: 18th IEEE Symposium on Computer Arithmetic (ARITH ’07). pp. 113–122 (2007). https://doi.org/10.1109/ARITH.2007.11.

  20. Cohen H., Miyaji A., Ono T.: Efficient elliptic curve exponentiation using mixed coordinates. In: Ohta K., Pei D. (eds.) ASIACRYPT’98. LNCS, vol. 1514, pp. 51–65. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-49649-1_6.

  21. Costello C., Lange T., Naehrig M.: Faster pairing computations on curves with high-degree twists. In: Nguyen P.Q., Pointcheval D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 224–242. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_14.

  22. Devegili A.J., Ó hÉigeartaigh C., Scott M., Dahab R.: Multiplication and squaring on pairing-friendly fields. Cryptology ePrint Archive, Report 2006/471 (2006). http://eprint.iacr.org/2006/471.

  23. Duquesne S., El Mrabet N., Fouotsa E.: Efficient computation of pairings on Jacobi quartic elliptic curves. J. Math. Cryptol. 8(4), 331–362 (2014). https://doi.org/10.1515/jmc-2013-0033.


  24. Fotiadis G., Konstantinou E.: TNFS resistant families of pairing-friendly elliptic curves. Theoretical Comput. Sci. 800, 73–89 (2019). https://doi.org/10.1016/j.tcs.2019.10.017.


  25. Fotiadis G., Martindale C.: Optimal TNFS-secure pairings on elliptic curves with even embedding degree. Cryptology ePrint Archive, Report 2018/969 (2018). https://eprint.iacr.org/2018/969.

  26. Freeman D., Scott M., Teske E.: A taxonomy of pairing-friendly elliptic curves. J. Cryptol. 23(2), 224–280 (2010). https://doi.org/10.1007/s00145-009-9048-z.


  27. Fried J., Gaudry P., Heninger N., Thomé E.: A kilobit hidden SNFS discrete logarithm computation. In: Coron J., Nielsen J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 202–231. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-56620-7_8.

  28. Gordon D.M.: Designing and detecting trapdoors for discrete log cryptosystems. In: Brickell E.F. (ed.) CRYPTO’92. LNCS, vol. 740, pp. 66–75. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_5.

  29. Granger R., Scott M.: Faster squaring in the cyclotomic subgroup of sixth degree extensions. In: Nguyen P.Q., Pointcheval D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 209–223. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_13.

  30. Guillevic A.: Simulating DL computation in \({{\rm GF}}(p^n)\) with the new variants of the Tower-NFS algorithm to deduce security level estimates (2017). Slides at ECC 2017 workshop. https://ecc2017.cs.ru.nl/.

  31. Joux A.: A one round protocol for tripartite Diffie-Hellman. J. Cryptol. 17(4), 263–276 (2004). https://doi.org/10.1007/s00145-004-0312-y.


  32. Joux A., Lercier R.: Improvements to the general number field sieve for discrete logarithms in prime fields. A comparison with the Gaussian integer method. Math. Comput. 72(242), 953–967 (2003). https://doi.org/10.1090/S0025-5718-02-01482-5.


  33. Joux A., Pierrot C.: The special number field sieve in \(\mathbb{F}_{p^n}\)—application to pairing-friendly constructions. In: Cao Z., Zhang F. (eds.) PAIRING 2013. LNCS, vol. 8365, pp. 45–61. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-319-04873-4_3.

  34. Karabina K.: Squaring in cyclotomic subgroups. Math. Comput. 82(281), 555–579 (2013). https://doi.org/10.1090/S0025-5718-2012-02625-1.


  35. Khandaker M.A.A., Nanjo Y., Ghammam L., Duquesne S., Nogami Y., Kodera Y.: Efficient optimal ate pairing at 128-bit security level. In: Patra A., Smart N.P. (eds.) INDOCRYPT 2017. LNCS, vol. 10698, pp. 186–205. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-71667-1_10.

  36. Kim T., Barbulescu R.: Extended tower number field sieve: a new complexity for the medium prime case. In: Robshaw M., Katz J. (eds.) CRYPTO 2016, Part I. LNCS, vol. 9814, pp. 543–571. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_20.

  37. Kiyomura Y., Inoue A., Kawahara Y., Yasuda M., Takagi T., Kobayashi T.: Secure and efficient pairing at 256-bit security level. In: Gollmann D., Miyaji A., Kikuchi H. (eds.) ACNS 17. LNCS, vol. 10355, pp. 59–79. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-61204-1_4.

  38. Kleinjung T., Aoki K., Franke J., Lenstra A.K., Thomé E., Bos J.W., Gaudry P., Kruppa A., Montgomery P.L., Osvik D.A., te Riele H.J.J., Timofeev A., Zimmermann P.: Factorization of a 768-bit RSA modulus. In: Rabin T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 333–350. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_18.

  39. Kleinjung T., Diem C., Lenstra A.K., Priplata C., Stahlke C.: Computation of a 768-bit prime field discrete logarithm. In: Coron J., Nielsen J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 185–201. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-56620-7_7.

  40. Lewko A.B.: Tools for simulating features of composite order bilinear groups in the prime order setting. In: Pointcheval D., Johansson T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 318–335. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_20.

  41. Li L., Wu H., Zhang F.: Pairing computation on Edwards curves with high-degree twists. In: Lin D., Xu S., Yung M. (eds.) Inscrypt 2013. LNCS, vol. 8567, pp. 185–200. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-319-12087-4_12.

  42. Menezes A., Sarkar P., Singh S.: Challenges with assessing the impact of NFS advances on the security of pairing-based cryptography. In: Phan R.C., Yung M. (eds.) Mycrypt Conference, LNCS, vol. 10311, pp. 83–108. Springer, Kuala Lumpur (2016). https://doi.org/10.1007/978-3-319-61273-7_5.

  43. Montgomery P.L.: Five, six, and seven-term Karatsuba-like formulae. IEEE Trans. Comput. 54, 362–369 (2005). https://doi.org/10.1109/TC.2005.49.


  44. National Institute of Standards and Technology: Recommendation Key Management (part 1: General); SP 800-57 Part 1, fourth revision (2016). https://doi.org/10.6028/NIST.SP.800-57pt1r4.

  45. Pereira G.C., Simplício M.A., Naehrig M., Barreto P.S.: A family of implementation-friendly BN elliptic curves. J. Syst. Softw. 84(8), 1319–1326 (2011). https://doi.org/10.1016/j.jss.2011.03.083.


  46. Sarkar P., Singh S.: A general polynomial selection method and new asymptotic complexities for the tower number field sieve algorithm. In: Cheon J.H., Takagi T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 37–62. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_2.

  47. Schirokauer O.: The number field sieve for integers of low weight. Math. Comput. 79(269), 583–602 (2010). https://doi.org/10.1090/S0025-5718-09-02198-X.


  48. Scott M.: Implementing cryptographic pairings (invited talk). In: Takagi T., Okamoto T., Okamoto E., Okamoto T. (eds.) PAIRING 2007. LNCS, vol. 4575, pp. 177–196. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73489-5.

  49. Semaev I.A.: Special prime numbers and discrete logs in finite prime fields. Math. Comput. 71(737), 363–377 (2002). https://doi.org/10.1090/S0025-5718-00-01308-9.


  50. Sutherland A.V.: Accelerating the CM method. LMS J. Comput. Math. 15, 172–204 (2012). https://doi.org/10.1112/S1461157012001015.


  51. Tanaka S., Nakamula K.: Constructing pairing-friendly elliptic curves using factorization of cyclotomic polynomials. In: Galbraith S.D., Paterson K.G. (eds.) PAIRING 2008. LNCS, vol. 5209, pp. 136–145. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85538-5_10.

  52. Vercauteren F.: Optimal pairings. IEEE Trans. Inform. Theory 56(1), 455–461 (2010). https://doi.org/10.1109/TIT.2009.2034881.


  53. Weber D., Denny T.F.: The solution of McCurley’s discrete log challenge. In: Krawczyk H. (ed.) CRYPTO’98. LNCS, vol. 1462, pp. 458–471. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055747.

  54. Zhang X., Lin D.: Analysis of optimum pairing products at high security levels. In: Galbraith S.D., Nandi M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 412–430. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34931-7_24.


Acknowledgements

The second author thanks P. Zimmermann for his help with Pari/Gp, and P. Gaudry and T. Kleinjung for their contribution to Table 9.

Corresponding author

Correspondence to Simon Masson.

Additional information

Communicated by S. D. Galbraith.

Appendices

Appendix A: second part of the final exponentiation for \(k=8\)

As an illustration, we give here pseudo-code that raises a finite field element a to the power \(c=(p+1-t_0)/r\), in the case \(k=8\) and \(i=1\) (code for all cases can be found in the code repository mentioned in Sect. 1.1). Recall that since the first part of the final exponentiation has already been done, we know that \(a^{p^4+1}=1\), so that \(a^{-1}=a^{p^4}=\overline{a}\), where the conjugate is taken over the subfield \(\mathbb {F}_{p^4}\). The formula below is specific to \(i=1\), but we let \(T=4U+2V\), which is the most general form (with \(V\in \{0,1\}\)). If we apply this to the parameters of Sect. 6.1, we can make some simplifications using \(V=0\) (shown in square brackets below).

$$\begin{aligned} \begin{array}{l@{}r}
\displaystyle a_y = a^y ;\ a_u = a^u ;\ a_Q = a_y^y a_u^u ;\ b = a_Q \overline{a_u} ;\ &{}(2\mathbf{c} _u+2\mathbf{c} _y+2\mathbf{m} _k)\\
\displaystyle b = b^2 ;\ b = (b^2 a)^U b^V ;\ b = b {a_y} ;\ &{}(\mathbf{c} _T+2\mathbf{m} _k) \\
\displaystyle b = b^2 ;\ [b = b a^V] ;\ b = (b^2)^U b^V ;\ b = b \overline{a_y} ;\ &{}(\mathbf{c} _T+\mathbf{m} _k[+\mathbf{m} _k]) \\
\displaystyle b = b^2 ;\ b = (b^2 a)^U b^V ;\ b = b {a_u} ;\ b = b \overline{a} ;\ &{}(\mathbf{c} _T+3\mathbf{m} _k) \\
\displaystyle b = b^2 ;\ [b = b a^V] ;\ b = (b^2)^U b^V ;\ b = b a_Q ;\ &{}(\mathbf{c} _T+\mathbf{m} _k[+\mathbf{m} _k])
\end{array} \end{aligned}$$

The cost is \(11\mathbf{m} _k + 4\mathbf{c} _T + 2\mathbf{c} _u + 2\mathbf{c} _y\) in general, and \(2\mathbf{m} _k\) less if \(V=0\), using the notations of Sect. 5.2. Here we use \(\mathbf{c} _T\) to denote the cost of any sequence of operations whose cost is similar to \(b=b^2\) followed by \(b = (b^2)^U b^V\), although the scheduling above sometimes differs.

Appendix B: estimating the cost of NFS, NFS-HD and TNFS

We would like to measure, with the same methodology as Barbulescu and Duquesne in [7], the cost of computing a discrete logarithm in \(\mathbb {F}_{p_5^5}\), \(\mathbb {F}_{p_6^6}\), \(\mathbb {F}_{p_7^7}\), and \(\mathbb {F}_{p_8^8}\), and compare it with a prime field \(\mathbb {F}_{p_1}\) of 3072 bits. In our setting the primes \(p_1,p_5,p_7\) have no structure, so we cannot use the Joux–Pierrot (JP) polynomial selection. We would like to show that the primes \(p_6\) and \(p_8\) have some structure, but not enough to give an advantage to the JP method (see Sect. 3). We compare the NFS, NFS-HD and TNFS variants. We give the best parameters we have found to minimise the running time of the relation collection and linear algebra steps, in the sense of [7]. Moreover, we make available all the SageMath code needed to run our experiments (see Sect. 1.1).

Unlike [37], we do not only estimate the size of the norms: we generate polynomials for each available polynomial selection method, we find parameters (see Sect. B.2) such that enough relations are obtained, and we compare the estimated costs.

A remark about SpecialNFS and TNFS. We consider that a prime p in our set of primes (\(p_1,p_5,p_6,p_7,p_8\)) is special, and provides a notable advantage to the SNFS or STNFS algorithm, if it can be written as \(p = P(u)\) where \(u \approx p^{1/d}\) and P is a polynomial of degree at least 3 whose coefficients are much smaller than \(p^{1/d}\).

As a counterexample, for any prime p we can use the base-m polynomial selection method. It chooses \(m = \lfloor p^{1/d}\rceil \), writes p in base m and outputs the corresponding polynomial P such that \(p=P(m)\). Then \(\Vert P\Vert _\infty = m\), and the coefficients are large.

The vulnerabilities of pairing-friendly curves are the following:

  • a special prime p given by a polynomial of degree \(> 2\) and tiny coefficients, for instance \(p(x) = 36x^4+36x^3+24x^2+6x+1\) for BN curves [26, Ex. 6.8]. In that case, the Joux–Pierrot polynomial selection method (SNFS) allows a better complexity of NFS, in \(L_{p^k}(1/3, 1.923)\) instead of \(L_{p^k}(1/3, 2.201)\).

  • a composite embedding degree k allowing the Kim–Barbulescu variant of TNFS. Note that the original TNFS algorithm where \(\deg h = k\) does apply but usually is not efficient when it is not combined with the Special variant.

  • We note that the effectiveness of STNFS is not very clear. In [7], the authors found that for the KSS curves with \(k=16\), the optimal choice is \(\deg h = k = 16\), which is the original setting of Tower NFS, as in [9]. The key point is the special form of p: the prime is given by a polynomial \(p(s) = (s^{10}+2s^9+5s^8+48s^6+152s^5+240s^4+625s^2+2398s+3125)/980\).

B.1 Choices of polynomials

Figure 3 shows the polynomials in the NFS setting and in the Tower-NFS setting.

Fig. 3 Extensions of number fields for NFS and Tower variants

Polynomial h. In the Tower-NFS setting, the degree of the polynomial h divides the degree k of the extension. For \(k=6\), we can take \(\deg h \in \{2,3,6\}\), for example. We search for all monic polynomials h of the chosen degree, with coefficients in \(\{0,1,-1\}\) to minimise the norms, and with a small Dedekind zeta value \(\zeta _{K_h}(2)\), so that its inverse \(1/\zeta _{K_h}(2)\) is as close as possible to 1 (in practice, we observed that this value lies in the open interval \((0.4, 1.0)\)).

Polynomials \(f_0,f_1\). These two polynomials are selected according to a polynomial selection method: JLSV\(_1\), JLSV\(_2\), Joux–Lercier, Generalised Joux–Lercier, Conjugation, Joux–Pierrot (Special case), Sarkar–Singh (see for example [8, 33, 46]).

B.2 Methodology for cost estimation

Relation collection cost. To estimate this cost, we need first to discuss how relation collection will be performed. We make the conservative assumption that a sieving method can always be used. While this is of course commonplace for NFS computations, the same does not hold for TNFS, which needs \((2\deg h)\)-dimensional sieving for tuples of the form \((a_0,\ldots , a_{\deg h -1}, b_0, \ldots , b_{\deg h -1})\). As a consequence of this assumption, the relation collection cost can be approximated as the size of the set of tuples. (Alternatively, relation collection can also use smoothness detection algorithms based on remainder trees, which can perform well in practice, see e.g. [39].)

We estimate the size of the set of tuples \((a_0,\ldots , a_{\deg h -1}, b_0, \ldots , b_{\deg h -1})\) processed in the relation collection of the TNFS algorithm to be

$$\begin{aligned} S^0_{\mathrm {TNFS}}(h, A) = (2A+1)^{2\deg h}/2 \end{aligned}$$
(4)

and its core part (duplicates removed) to be

$$\begin{aligned} S^1_{\mathrm {TNFS}}(h, A) = (2A+1)^{2\deg h}/(2w(h) \zeta _{K_h}(2))~. \end{aligned}$$
(5)

We consider that the cost of the relation collection is proportional to the first quantity \(S^0_{\mathrm {TNFS}}(h, A)\), and to simplify, we assume that this is \(S^0_{\mathrm {TNFS}}(h, A)\). We estimate that the number of unique relations obtained is \(S^1_{\mathrm {TNFS}}(h, A)\) times the average smoothness probability. For the NFS-HD algorithm, we estimate the size of the set of tuples \((a_0, \ldots , a_{\dim -1})\) to be

$$\begin{aligned} S^0_{\mathrm {NFS-HD}}(\dim , A) = (2A+1)^{\dim }/2 \end{aligned}$$
(6)

and its core part (duplicates removed) to be

$$\begin{aligned} S^1_{\mathrm {NFS-HD}}(\dim , A) = (2A+1)^{\dim }/(2 \zeta (\dim ))~. \end{aligned}$$
(7)

Again, we consider that the cost of the relation collection is \(S^0_{\mathrm {NFS-HD}}(\dim , A)\), and the number of unique relations obtained is \(S^1_{\mathrm {NFS-HD}}(\dim , A)\) times the average smoothness probability.

In the NFS algorithm, the elements in the relation collection are pairs of integers (a, b). We need a and b to be coprime: the probability is \(1/\zeta (2) = 6/\pi ^2 \approx 0.60\). For NFS-HD, the probability that a tuple of random integers \((a_0, \ldots , a_{\dim -1})\) has \(\gcd \) 1 is \(1/\zeta (\dim )\). To avoid duplicates, the leading coefficient is chosen positive ((a, b) and \((-a,-b)\) give the same relation).

The generalisation to pairs of coprime ideals depends on the number field \(K_h\) defined by h. The probability that two ideals of \(K_h\) are coprime is \(1/\zeta _{K_h}(2)\). In practice we observed that it can vary from 0.44 to 0.99. Then, as in [7, §5.2], we consider the torsion units of \(K_h\) (these occur when h is a cyclotomic polynomial). Let w be the index of \(\{1,-1\}\) in the group of roots of unity of \(K_h\). If \(\mathfrak {q}\) is a prime ideal in \(K_f\), then \(u \mathfrak {q}\) is also a prime ideal giving the same relation, where u is any root of unity of \(K_h\). We can detect and avoid the case \(u = -1\), but (up to now) no way is known to avoid the other roots of unity. The number of tuples that contribute to distinct relations is therefore divided by 2w.

The non-torsion units do not contribute to duplicates: their coefficients being quite large, the coefficients of the ideal \(u_1 \mathfrak {q}\) exceed the bound A and are not considered in the relation collection.

Average smoothness probability. To compute an average smoothness probability, we took at random \(10^6\) coprime tuples a of coefficients in \([-A,A]\) and positive leading coefficient (this requires about \(\zeta (\dim )\cdot 10^6\) random tuples), resp. \(10^6\) pairs of coprime ideals of \(K_h\) (this requires about \(\zeta _{K_h}(2)\cdot 10^6\) random tuples). Then we compute the resultants \(N_f, N_g\) on both sides (f and g) and we compute the smoothness probability of that tuple as

$$\begin{aligned} \Pr (a) = \Pr (N_f \text{ is } B\text{-smooth }) \times \Pr (N_g \text{ is } B\text{-smooth })~. \end{aligned}$$
(8)

We compute the average smoothness probability as the average over all the random unique tuples, that is \(10^{-6}\sum _{\mathrm {random}~ a,~ \mathrm {coprime}}\Pr (a)\).

We estimate the smoothness probability on one side with the formula

$$\begin{aligned} \Pr (N \text{ is } B\text{-smooth }) \approx \delta (u) + (1-\gamma ) \frac{\delta (u-1)}{\log N}, \text{ where } u = \frac{\log N + \alpha }{\log B } \end{aligned}$$
(9)

where \(\gamma \approx 0.577\) is Euler’s constant, and \(\delta \) is the Dickman rho function (see Note 4).

Table 9 Data from recent record computations

Linear algebra cost (filtering, block-Wiedemann). We assume that the input of this step is a set of unique relations. Usually, a certain amount of excess is required: there are up to twice as many relations as prime ideals involved in the relations (at this point, the matrix would be a vertical rectangle with twice as many rows as columns). Before the linear algebra, the relations are processed to produce a dense matrix of good quality, in order to ease the linear algebra step. The filtering step removes the singletons (the prime ideals corresponding to columns that appear in only one relation). Doing this produces new singletons, so this step is repeated several times (two to ten times, for example). Then a “clique removal” is performed, which also removes part of the excess. Finally, a merge step increases the density of the matrix to some target density, reaching 125 to 200 non-zero entries per row in the recent record computations. The yield of the filtering step varies a lot in the literature: it reduced the size of the set of relations by a factor 9 for the SNFS-1024 DLP record [27], and by a factor 386 for the NFS-768 DLP record [39]

$$\begin{aligned} c_{\mathrm {filtering}, \min } = 9,~~ c_{\mathrm {filtering}, \max } = 386~. \end{aligned}$$

We summarise in Table 9 the parameters of the filtering step for the recent record-breaking integer factorisations and discrete logarithm computations (see Notes 5 and 6). When we were not able to collect the data, we put a question mark. Contrary to [7], we propose a different interpretation of the filtering step yield: in our view, it is highly software-dependent and cryptanalyst-dependent. Indeed, the low values correspond to records by the cado-nfs team, while the high values correspond to record computations by Kleinjung et al. (whose software is not available). At first glance, this seems to be due to software performance differences. To refine this impression, we decided to compare the two integer factorisation records of \(2^{1039}-1\) and \(2^{1061}-1\) by the SNFS algorithm: for \(2^{1039}-1\), Kleinjung et al. chose a large prime bound of \(2^{36}\) to \(2^{38}\), while Childers chose the lower value \(2^{33}\) for the larger integer \(2^{1061}-1\) (Table 9). We can also compare the RSA-220 and RSA-768 record factorisations (220 and 232 decimal digits resp.) and reach the same conclusion.

In fact, a strategy of oversieving was deployed for the DLP-768 record computation. The large prime bound was increased to \(2^{36}\), while a bound of \(2^{31}\) could have been enough (but it would have required a much higher effort in the linear algebra step). The ratio of ratios is \(386.34/8.84 = 43.7\), and part of it is explained by the factor \(2^5=32\) in the choice of the large prime bound. The larger set of relations fed to the filtering step made it possible to obtain a matrix of better quality, reducing the linear algebra step. The row density seems more under control, ranging from 134 to 200. We choose an upper bound: we assume that the density of a row is

$$\begin{aligned} \text{ Weight } \text{ per } \text{ row } = 200~. \end{aligned}$$

We estimate the time of the matrix-vector multiplications in the block-Wiedemann algorithm of the linear algebra step to be

$$\begin{aligned} (\text{ number } \text{ of } \text{ rows })^2 \times \texttt {w} \times (\text{ weight } \text{ per } \text{ row }) \end{aligned}$$
(10)

where \(\texttt {w}\) is the word size of the subgroup order (in our case, \(\log _2 r= 256\) bits and \(\texttt {w}=4\) words of 64 bits).
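The cost model of this appendix, Eqs. (4) to (10), written out as an added Python example; this is not the paper's SageMath code. It computes the Dickman rho function by numerically integrating its delay equation, replaces the \(10^6\) resultant pairs the paper samples with a small constructed list of log-norms, and the function names, the default filtering yield \(c_{\mathrm{filtering}}=9\), the value \(\zeta _{K_h}(2)=0.8\) and the zeta summation are assumptions made here.

```python
import math

# Added example: the Appendix B cost model (Eqs. (4) to (10)), written from
# scratch; it is not the paper's SageMath code and its names are assumptions.

EULER_GAMMA = 0.5772156649015329
_RHO_GRIDS = {}  # cache: grid points per unit -> rho values on that grid

def dickman_rho(u, step=1e-3):
    """Dickman rho: 1 on [0,1], 1 - log u on [1,2], and for u > 2 the delay
    equation u*rho(u) = integral_{u-1}^{u} rho(t) dt, solved on a grid of
    spacing `step` with the implicit trapezoid rule (grid built once, cached)."""
    if u <= 1.0:
        return 1.0
    if u <= 2.0:
        return 1.0 - math.log(u)
    n = int(round(1.0 / step))                        # grid points per unit
    grid = _RHO_GRIDS.setdefault(n, [1.0] * (n + 1))  # rho == 1 on [0, 1]
    need = int(math.floor(u / step)) + 2              # indices needed below
    j, window_sum = len(grid), None
    while j < need:
        t = j * step
        if t <= 2.0:
            grid.append(1.0 - math.log(t))
        else:
            # sum of rho(t-1), ..., rho(t-step); recomputed every unit interval
            # so that rounding from earlier, much larger values does not pile up
            if window_sum is None or j % n == 0:
                window_sum = sum(grid[j - n:j])
            # trapezoid rule on [t-1, t]; the unknown endpoint rho(t) carries
            # weight step/2 on the right-hand side and is solved for
            known = step * (window_sum - 0.5 * grid[j - n])
            grid.append(known / (t - 0.5 * step))
            window_sum += grid[j] - grid[j - n]
        j += 1
    x = u / step
    k = int(x)
    frac = x - k
    return grid[k] * (1.0 - frac) + grid[k + 1] * frac  # linear interpolation

def smooth_prob(log_N, log_B, alpha=0.0):
    """Eq. (9): Pr[N is B-smooth] ~ rho(u) + (1 - gamma) rho(u-1) / log N,
    with u = (log N + alpha) / log B (natural logarithms)."""
    u = (log_N + alpha) / log_B
    return dickman_rho(u) + (1.0 - EULER_GAMMA) * dickman_rho(u - 1.0) / log_N

def riemann_zeta(s, terms=100000):
    """zeta(s) for real s > 1: partial sum plus the integral tail M^(1-s)/(s-1)."""
    return sum(k ** (-s) for k in range(1, terms + 1)) + terms ** (1 - s) / (s - 1)

def tnfs_tuples(deg_h, A, w_h=1, zeta_Kh_2=1.0):
    """Eqs. (4), (5): tuples enumerated by TNFS relation collection, and the
    duplicate-free core. w_h is the index of {1,-1} in the roots of unity of
    K_h and zeta_Kh_2 the Dedekind zeta value zeta_{K_h}(2)."""
    total = (2 * A + 1) ** (2 * deg_h) / 2
    unique = (2 * A + 1) ** (2 * deg_h) / (2 * w_h * zeta_Kh_2)
    return total, unique

def nfshd_tuples(dim, A):
    """Eqs. (6), (7): the same two quantities for dim-dimensional NFS-HD sieving."""
    total = (2 * A + 1) ** dim / 2
    unique = (2 * A + 1) ** dim / (2 * riemann_zeta(dim))
    return total, unique

def linear_algebra_cost(unique_relations, c_filtering, weight_per_row=200, words=4):
    """Eq. (10): rows^2 * w * (weight per row), rows = relations / filtering yield,
    with the paper's upper bound of 200 non-zeros per row and w = 4 words for r."""
    rows = unique_relations / c_filtering
    return rows ** 2 * words * weight_per_row

def estimate_tnfs(deg_h, A, log2_B, sample_log_norms, w_h=1, zeta_Kh_2=1.0,
                  alpha_f=0.0, alpha_g=0.0, c_filtering=9):
    """One TNFS parameter point. sample_log_norms holds (ln N_f, ln N_g) for
    random coprime tuples (the paper uses 10^6 resultants). Returns
    (log2 relation-collection cost, expected unique relations, log2 linear-algebra cost)."""
    log_B = log2_B * math.log(2)
    avg = sum(smooth_prob(lf, log_B, alpha_f) * smooth_prob(lg, log_B, alpha_g)
              for lf, lg in sample_log_norms) / len(sample_log_norms)  # Eq. (8)
    total, unique = tnfs_tuples(deg_h, A, w_h, zeta_Kh_2)
    relations = unique * avg
    return math.log2(total), relations, math.log2(linear_algebra_cost(relations, c_filtering))

# Constructed stand-in for the paper's sample: natural logs of (N_f, N_g) for
# three made-up tuples, with norms around 2^200 and 2^150.
SAMPLE_LOG_NORMS = [(200 * math.log(2), 150 * math.log(2)),
                    (205 * math.log(2), 148 * math.log(2)),
                    (198 * math.log(2), 152 * math.log(2))]

def demo():
    """deg h = 2, |a_i|, |b_i| <= A = 2^12, B = 2^30, zeta_{K_h}(2) = 0.8 (assumed)."""
    return estimate_tnfs(deg_h=2, A=2 ** 12, log2_B=30,
                         sample_log_norms=SAMPLE_LOG_NORMS, zeta_Kh_2=0.8)
```

Feeding `estimate_tnfs` the log-norms of actual resultants, as the paper does, turns it into the per-parameter cost estimate behind Tables 13 and 17.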

Appendix C: comparison of (S)TNFS cost for curves with \(k=6,8\)

In this section we explain how we obtained Figs. 1 and 2.

We estimate the cost of STNFS for three families of curves of embedding degree \(k=6\) and three families of embedding degree \(k=8\). To cut a long story short, the important parameters in STNFS are the three polynomials \(f_0,f_1,h\). The polynomial h is chosen to define the first extension; its degree is a divisor of k. With \(k=6\), we have \(\deg h \in \{2,3,6\}\), and with \(k=8\), \(\deg h \in \{2,4,8\}\); moreover h is chosen with tiny coefficients, so that \(\Vert h\Vert _\infty = 1\) or 2. The two other polynomials \(f_0\) and \(f_1\) are chosen such that \(p^{k/\deg h} \mid {{\,\mathrm{Res}\,}}(f_0,f_1)\). One uses the Joux–Pierrot polynomial selection method to select them.

The relation collection step enumerates bivariate polynomials

$$\begin{aligned} a=(a_0+a_1y+\cdots +a_7y^7)+(b_0+b_1y+\cdots +b_7y^7)x: \quad |a_i|, |b_i| \le A \end{aligned}$$

computes the integers \(N_{f_0} = | {{\,\mathrm{Res}\,}}({{\,\mathrm{Res}\,}}(\mathbf {a}, f_0),h)|, \quad N_{f_1} = | {{\,\mathrm{Res}\,}}({{\,\mathrm{Res}\,}}(\mathbf {a}, f_1),h)|\) and factors these integers. When both integers are B-smooth, where B is the smoothness bound, the tuple yields a relation. The aim of setting the STNFS parameters is to find the optimal A and B associated with a triple of polynomials \((f_0,f_1,h)\). Without an implementation of STNFS, we can only simulate the parameters of the algorithm and estimate A and B. The quantity to minimise for a faster running time of STNFS is

$$\begin{aligned} A^{(\deg h)(\deg f_0 + \deg f_1)} \Vert f_0\Vert _{\infty }^{\deg h} \Vert f_1\Vert _\infty ^{\deg h} \end{aligned}$$
(11)

under the constraint of collecting enough relations.

The BLS-6 curves have \(\deg p = 4\), while MNT-6 curves have \(\deg p = 2\). For the same bit length of p, the seed u is twice as large for MNT-6 curves. The TN-8 curves have \(\deg p = 6\), while FK-8 curves (with \(D=4\)) have \(\deg p = 8\). For polynomial selection in NFS, this implies that, for the same bit length of p, the seed u will be 33% smaller for the second family. Since u appears in the coefficients of the low-degree polynomial \(f_1\) in the Special setting, this second polynomial will produce smaller norms. On the other hand, the high-degree polynomial \(f_0\) will have a higher degree for the second family and will produce larger norms. So the yield of Special-TNFS polynomials will differ between these two families. For our modified Cocks–Pinch curves, we have chosen to increase the coefficients of the polynomial p(x) (that is, to increase \(h_t\) and \(h_y\)) in order to increase \(\Vert f_0\Vert _\infty ^{\deg h}\) in Eq. (11).

C.1 Comparison of curves with \(k=6\)

We compare MNT6 and BLS6 curves [26, Theorem 5.2, Construction 6.6] to Cocks–Pinch \(k=6\) curves (CP-6). The parameters are given in Tables 10 and 11. The polynomials for simulating the Tower-NFS are given in Table 12. The graph of results is given in Fig. 1.

Table 10 Parameters of families with \(k=6\)
Table 11 Parameter sizes for curves with \(k=6\) to obtain 128 bits of security
Table 12 Polynomial pairs for (S)TNFS in \(\mathbb {F}_{p^6}\)
Table 13 STNFS and TNFS parameters for curves with \(k=6\)
Table 14 Parameters of families with \(k=8\) and \(D=4\)
Table 15 Parameter sizes for curves with \(k=8\) to obtain 128 bits of security
Table 16 Polynomial pairs for (S)TNFS
Table 17 STNFS and TNFS parameters for curves with \(k=8\) and \(D=4\)

C.2 Comparison of curves with \(k=8\)

We compare Tanaka–Nakamula (TN-8) curves [51], Fotiadis–Konstantinou (FK-8, \(D=4\)) curves [24, Table 3 row 4] and our Cocks–Pinch \(k=8\) curves (CP-8). The parameters are given in Tables 13 and 14. The polynomials for simulating the Tower-NFS are given in Tables 15 and 16. The experimental data is summarised in Table 17. The graph of results is given in Fig. 2. We conclude that to target a 128-bit security level (with some margin of error), one needs a TN-8 curve with p of 576 bits, or an FK-8 curve with \(D=4\) and p of 664 bits, or a Cocks–Pinch \(k=8\) curve with p of 544 bits. For each curve, the Miller loop length is the bit length of the seed u. This is (roughly) 96 bits for TN-8 curves, 84 bits for FK-8 curves, and 64 bits for our Cocks–Pinch curves. This means our Cocks–Pinch \(k=8\) curves have a shorter Miller loop over a smaller prime field: it will be much faster. For the hard part of the final exponentiation, the advantage of Cocks–Pinch curves is less straightforward concerning its length, but the extension field is smaller anyway: \(p^k\) has length 4352 bits for Cocks–Pinch curves, 4608 bits for TN curves and 5312 bits for FK curves.


Cite this article

Guillevic, A., Masson, S. & Thomé, E. Cocks–Pinch curves of embedding degrees five to eight and optimal ate pairing computation. Des. Codes Cryptogr. 88, 1047–1081 (2020). https://doi.org/10.1007/s10623-020-00727-w
