Improving the computation of the optimal ate pairing for a high security level

  • Loubna Ghammam
  • Emmanuel Fouotsa
Original Research


Barreto, Lynn and Scott elliptic curves of embedding degree 12, denoted BLS12, have been shown to give the fastest pairing implementations at high security levels (Barbulescu and Duquesne in Updating key size estimations for pairings, 2017). In particular, BLS12 curves may presently be preferable at the 128-bit security level to the well-known BN curves (Duquesne and Ghammam in Groups Complex Cryptol 8(1):75–90, 2016). The computation of a pairing in general involves the execution of the Miller algorithm and the final exponentiation. In this paper, we propose new parameters that reduce the number of operations in the Miller loop and in the final exponentiation for BLS12 curves, and we extend the study to BLS24 curves. The improvement is up to \(8\%\) of the multiplications in the finite field \(\mathbb {F}_p\). Furthermore, as pairings can be implemented on memory-constrained devices such as SIM or smart cards (Duquesne and Ghammam in Groups Complex Cryptol 8(1):75–90, 2016), we describe an algorithm for the final exponentiation that is both faster and less memory intensive, with a memory saving of up to \(25\%\). Our new algorithm can be useful for implementations in a restricted environment.
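To make the objects named in the abstract concrete, the following is an added example (it is not code from the paper, and the paper's own new parameters are not on this page). It reconstructs the standard BLS12 parameterisation p(x), r(x), t(x) of Barreto, Lynn and Scott, checks the properties that make the optimal ate pairing work (embedding degree 12, r dividing the curve order), splits the final-exponentiation exponent (p^12 - 1)/r into its easy and hard parts, and counts Miller-loop steps for a seed x. The seed used as sample input is the published BLS12-381 seed, chosen only because it is a well-known valid instance; the function names are this example's own.

```python
# Added example, not code from the paper: the standard BLS12 parameterisation
# and the structure of the optimal ate pairing's final exponentiation.
# SEED_X is the published BLS12-381 seed, used here only as a sample input;
# the paper's own parameters are not reproduced on this page.

SEED_X = -0xD201000000010000  # published BLS12-381 seed (sample input)


def bls12_params(x):
    """Return (p, r, t) for the BLS12 family at seed x.

    r(x) = x^4 - x^2 + 1 (the 12th cyclotomic polynomial),
    p(x) = (x - 1)^2 * r(x) / 3 + x, and t(x) = x + 1.
    p(x) is an integer only when x = 1 (mod 3).
    """
    r = x**4 - x**2 + 1
    numerator = (x - 1) ** 2 * r
    if numerator % 3 != 0:
        raise ValueError("x must be congruent to 1 mod 3 for p(x) to be an integer")
    p = numerator // 3 + x
    t = x + 1
    return p, r, t


def embedding_degree(p, r, limit=24):
    """Smallest k such that r divides p^k - 1 (None if no k <= limit works)."""
    for k in range(1, limit + 1):
        if pow(p, k, r) == 1:
            return k
    return None


def final_exponent_parts(p, r):
    """Split (p^12 - 1)/r = (p^6 - 1)(p^2 + 1) * (p^4 - p^2 + 1)/r.

    The easy part (p^6 - 1)(p^2 + 1) costs only Frobenius maps and one
    inversion; the hard part (p^4 - p^2 + 1)/r is where the expensive
    exponentiations, and hence the paper's optimisations, live.
    """
    easy = (p**6 - 1) * (p**2 + 1)
    hard, rem = divmod(p**4 - p**2 + 1, r)
    if rem != 0:
        raise ValueError("r does not divide the 12th cyclotomic polynomial at p")
    return easy, hard


def miller_loop_cost(x):
    """The optimal ate pairing on BLS12 runs its Miller loop over |x| (t - 1 = x).

    Return (doubling steps, addition steps) for a plain left-to-right binary
    loop; a low Hamming weight seed is what keeps the addition count small.
    """
    bits = bin(abs(x))[2:]
    return len(bits) - 1, bits.count("1") - 1


if __name__ == "__main__":
    p, r, t = bls12_params(SEED_X)
    print(f"p: {p.bit_length()} bits, r: {r.bit_length()} bits, "
          f"embedding degree {embedding_degree(p, r)}")
    print("r divides #E = p + 1 - t:", (p + 1 - t) % r == 0)
    easy, hard = final_exponent_parts(p, r)
    print("hard part bit length:", hard.bit_length())
    print("Miller loop (doublings, additions):", miller_loop_cost(SEED_X))
```

Running the block prints the sizes of p and r, confirms the embedding degree and the divisibility of the curve order, and reports how many doubling and addition steps the Miller loop needs for this seed; the paper's contribution is to pick seeds and an exponentiation schedule that shrink exactly these counts.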


Keywords

BLS curves, Optimal ate pairing, Final exponentiation, Memory resources, Miller loop

Mathematics Subject Classification

14H52 1990S 



The authors thank the anonymous reviewers for their useful comments, which enabled them to improve the quality of this work. The authors also thank John Boxall and Sylvain Duquesne for comments on an earlier version of this work. This work was supported by the FAST-LIRIMA-MACISA project, the French ANR-12-INSE-0014 SIMPATIC Project financed by the Agence Nationale de la Recherche (France), and the Simons Foundation through the Pole of Research in Mathematics with applications to Information Security, Subsaharan Africa.


  1. Aranha, D.F., Fuentes-Castaneda, L., Knapp, E., Menezes, A., Rodríguez-Henríquez, F.: Implementing pairings at the 192-bit security level. In: Pairing-Based Cryptography—Pairing 2012—5th International Conference, Cologne, Germany, May 16–18, 2012, Revised Selected Papers, pp. 177–195 (2012)
  2. Aranha, D.F., Karabina, K., Longa, P., Gebotys, C.H., López, J.: Faster explicit formulas for computing pairings over ordinary curves. In: Advances in Cryptology—EUROCRYPT 2011—30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, May 15–19, 2011. Proceedings, pp. 48–68 (2011)
  3. Barbulescu, R., Duquesne, S.: Updating key size estimations for pairings. IACR Cryptology ePrint Archive 2017, 334 (2017)
  4. Barreto, P.S.L.M., Lynn, B., Scott, M.: Constructing elliptic curves with prescribed embedding degrees. In: Security in Communication Networks, Third International Conference, SCN 2002, Amalfi, Italy, September 11–13, 2002. Revised Papers, pp. 257–267 (2002)
  5. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Selected Areas in Cryptography, 12th International Workshop, SAC 2005, Kingston, ON, Canada, August 11–12, 2005, Revised Selected Papers, pp. 319–331 (2005)
  6. Costello, C., Lauter, K.E., Naehrig, M.: Attractive subfamilies of BLS curves for implementing high-security pairings. In: Progress in Cryptology—INDOCRYPT 2011—12th International Conference on Cryptology in India, Chennai, India, December 11–14, 2011. Proceedings, pp. 320–342 (2011)
  7. Duquesne, S., Ghammam, L.: Memory-saving computation of the pairing final exponentiation on BN curves. Groups Complex. Cryptol. 8(1), 75–90 (2016)
  8. Geovandro, C.C.F.P., Jr, M.A.S., Naehrig, M., Barreto, P.S.L.M.: A family of implementation-friendly BN elliptic curves. J. Syst. Softw. 84(8), 1319–1326 (2011)
  9. Ghammam, L., Fouotsa, E.:
  10. Jeong, J., Kim, T.: Extended tower number field sieve with application to finite fields of arbitrary composite extension degree. IACR Cryptology ePrint Archive 2016, 526 (2016)
  11. Kachisa, E.J., Schaefer, E.F., Scott, M.: Constructing Brezing–Weng pairing-friendly elliptic curves using elements in the cyclotomic field. IACR Cryptology ePrint Archive 2007, 452 (2007)
  12. Karabina, K.: Squaring in cyclotomic subgroups. Math. Comput. 82(281), 555–579 (2013)
  13. Kim, T.: Extended tower number field sieve: a new complexity for medium prime case. IACR Cryptology ePrint Archive 2015, 1027 (2015)
  14. Menezes, A., Sarkar, P., Singh, S.: Challenges with assessing the impact of NFS advances on the security of pairing-based cryptography. Cryptology ePrint Archive, Report 2016/1102 (2016)
  15. Miller, V.S.: The Weil pairing, and its efficient calculation. J. Cryptol. 17(4), 235–261 (2004)
  16. NIST: National Institute of Standards and Technology.
  17. NSA: National Security Agency Suite B Cryptography.
  18. Scott, M., Barreto, P.S.L.M.: Compressed pairings. In: Advances in Cryptology—CRYPTO 2004, Lecture Notes in Comput. Sci., vol. 3152, pp. 140–156. Springer, Berlin (2004)
  19. Scott, M., Benger, N., Charlemagne, M., Perez, L.J.D., Kachisa, E.J.: On the final exponentiation for calculating pairings on ordinary elliptic curves. In: Pairing-Based Cryptography—Pairing 2009, Third International Conference, Palo Alto, CA, USA, August 12–14, 2009, Proceedings, pp. 78–88 (2009)
  20. Stam, M., Lenstra, A.K.: Efficient subgroup exponentiation in quadratic and sixth degree extensions. In: Cryptographic Hardware and Embedded Systems—CHES 2002, 4th International Workshop, Redwood Shores, CA, USA, August 13–15, 2002, Revised Papers, pp. 318–332 (2002)
  21. Vercauteren, F.: Optimal pairings. IEEE Trans. Inf. Theory 56(1), 455–461 (2010)

Copyright information

© Korean Society for Computational and Applied Mathematics 2018

Authors and Affiliations

  1. IRMAR, UMR CNRS 6625, Université Rennes 1, Rennes cedex, France
  2. Normandie University, UNICAEN, ENSICAEN, CNRS, GREYC, Caen, France
  3. Laboratoire de Mathématiques Nicolas Oresme (LMNO), Université de Caen, Caen cedex, France
  4. Department of Mathematics, Higher Teacher Training College, The University of Bamenda, Bamenda, Cameroon
