Pairing-Based Cryptography at High Security Levels

  • Neal Koblitz
  • Alfred Menezes
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3796)


In recent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin [8] of the problem of efficient identity-based encryption. At the same time, the security standards for public key cryptosystems are expected to increase, so that in the future they will be capable of providing security equivalent to 128-, 192-, or 256-bit AES keys. In this paper we examine the implications of heightened security needs for pairing-based cryptosystems. We first describe three different reasons why high-security users might have concerns about the long-term viability of these systems. However, in our view none of the risks inherent in pairing-based systems are sufficiently serious to warrant pulling them from the shelves.

We next discuss two families of elliptic curves E for use in pairing-based cryptosystems. The first has the property that the pairing takes values in the prime field \(\mathbb{F}_p\) over which the curve is defined; the second family consists of supersingular curves with embedding degree k = 2. Finally, we examine the efficiency of the Weil pairing as opposed to the Tate pairing and compare a range of choices of embedding degree k, including k = 1 and k = 24.




  1. Adleman, L., Huang, M.: Function field sieve methods for discrete logarithms over finite fields. Information and Computation 151, 5–16 (1999)
  2. Balasubramanian, R., Koblitz, N.: The improbability that an elliptic curve has subexponential discrete log problem under the Menezes–Okamoto–Vanstone algorithm. J. Cryptology 11, 141–145 (1998)
  3. Barreto, P., Galbraith, S., ÓhÉigeartaigh, C., Scott, M.: Efficient pairing computation on supersingular abelian varieties,
  4. Barreto, P., Lynn, B., Scott, M.: On the selection of pairing-friendly groups. In: Selected Areas in Cryptography – SAC 2003. LNCS, vol. 3006, pp. 17–25 (2003)
  5. Barreto, P., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006),
  6. Boneh, D., Boyen, X., Goh, E.–J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005)
  7. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)
  8. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)
  9. Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005)
  10. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001)
  11. Boneh, D., Venkatesan, R.: Breaking RSA may not be equivalent to factoring. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 59–71. Springer, Heidelberg (1998)
  12. Brezing, F., Weng, A.: Elliptic curves suitable for pairing based cryptography. Designs, Codes and Cryptography 37, 133–141 (2005)
  13. Charlap, L., Coley, R.: An Elementary Introduction to Elliptic Curves II, CCR Expository Report 34 (1990), available from
  14. Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, Heidelberg (1993)
  15. Coppersmith, D.: Fast evaluation of logarithms in fields of characteristic two. IEEE Transactions on Information Theory 30, 587–594 (1984)
  16. Denny, T., Schirokauer, O., Weber, D.: Discrete logarithms: the effectiveness of the index calculus method. In: Cohen, H. (ed.) ANTS 1996. LNCS, vol. 1122, pp. 337–361. Springer, Heidelberg (1996)
  17. Frey, G., Rück, H.: A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Math. Comp. 62, 865–874 (1994)
  18. Galbraith, S.: Pairings. In: Blake, I.F., Seroussi, G., Smart, N.P. (eds.) Advances in Elliptic Curve Cryptography, vol. 2, Cambridge University Press, Cambridge (2005)
  19. Galbraith, S., McKee, J., Valença, P.: Ordinary abelian varieties having small embedding degree,
  20. Gordon, D.: Discrete logarithms in GF(p) using the number field sieve. SIAM J. Discrete Math. 6, 124–138 (1993)
  21. Granger, R., Vercauteren, F.: On the discrete logarithm problem on algebraic tori. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 66–85. Springer, Heidelberg (2005)
  22. Hankerson, D., Menezes, A., Vanstone, S.: Guide to Elliptic Curve Cryptography. Springer, Heidelberg (2004)
  23. Joux, A.: A one round protocol for tripartite Diffie–Hellman. J. Cryptology 17, 263–276 (2004)
  24. Joux, A., Lercier, R.: Improvements to the general number field sieve for discrete logarithms in prime fields. Math. Comp. 72, 953–967 (2003)
  25. Joux, A., Nguyen, K.: Separating Decision Diffie–Hellman from Computational Diffie–Hellman in cryptographic groups. J. Cryptology 16, 239–247 (2003)
  26. Kang, B., Park, J.: On the relationship between squared pairings and plain pairings,
  27. Knuth, D.: The Art of Computer Programming, 3rd edn., vol. 2. Addison-Wesley, Reading (1997)
  28. Koblitz, N.: A Course in Number Theory and Cryptography. Springer, Heidelberg (1987)
  29. Koblitz, N.: Introduction to Elliptic Curves and Modular Forms, 2nd edn. Springer, Heidelberg (1993)
  30. Koblitz, N.: An elliptic curve implementation of the finite field digital signature algorithm. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 327–337. Springer, Heidelberg (1998)
  31. Lenstra, A.: Unbelievable security: matching AES security using public key systems. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 67–86. Springer, Heidelberg (2001)
  32. Lenstra, A., Verheul, E.: The XTR public key system. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 1–19. Springer, Heidelberg (2000)
  33. Lenstra Jr., H.W.: Factoring integers with elliptic curves. Annals Math. 126, 649–673 (1987)
  34. Lidl, R., Niederreiter, H.: Finite Fields, 2nd edn. Cambridge University Press, Cambridge (1997)
  35. Maurer, U., Wolf, S.: The Diffie–Hellman protocol. Designs, Codes and Cryptography 19, 147–171 (2000)
  36. Menezes, A.: Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, Dordrecht (1993)
  37. Menezes, A., Okamoto, T., Vanstone, S.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inform. Theory IT-39, 1639–1646 (1993)
  38. Menezes, A., Vanstone, S.: ECSTR (XTR): Elliptic Curve Singular Trace Representation. Rump Session of Crypto (2000)
  39. Miller, V.: The Weil pairing and its efficient calculation. J. Cryptology 17, 235–261 (2004)
  40. Miyaji, A., Nakabayashi, M., Takano, S.: New explicit conditions of elliptic curve traces for FR-reduction. IEICE Trans. Fundamentals, E84-A (5) (2001)
  41. Naccache, D., Stern, J.: Signing on a postcard. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 121–135. Springer, Heidelberg (2001)
  42. National Institute of Standards and Technology, Special Publication 800-56: Recommendation for pair-wise key establishment schemes using discrete logarithm cryptography, Draft (2005)
  43. Pintsov, L., Vanstone, S.: Postal revenue collection in the digital age. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 105–120. Springer, Heidelberg (2001)
  44. Sakai, R., Kasahara, M.: ID based cryptosystems with pairing on elliptic curve,
  45. Schirokauer, O.: Discrete logarithms and local units. Phil. Trans. Royal Soc. London A 345, 409–423 (1993)
  46. Schirokauer, O.: The special function field sieve. SIAM J. Discrete Math. 16, 81–98 (2002)
  47. Schirokauer, O.: The number field sieve for integers of low weight (2005) (preprint)
  48. Scott, M.: Computing the Tate pairing. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 300–312. Springer, Heidelberg (2005)
  49. Scott, M., Barreto, P.: Compressed pairings. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 140–156. Springer, Heidelberg (2004)
  50. Scott, M., Barreto, P.: Generating more MNT elliptic curves, Designs, Codes and Cryptography, (to appear)
  51. Solinas, J.: Generalized Mersenne numbers, Technical Report CORR 99-39, University of Waterloo (1999),
  52. Solinas, J.: ID-based digital signature algorithms (2003),
  53. Verheul, E.: Evidence that XTR is more secure than supersingular elliptic curve cryptosystems. J. Cryptology 17, 277–296 (2004)
  54. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Neal Koblitz (1)
  • Alfred Menezes (2)

  1. Department of Mathematics, University of Washington
  2. Department of Combinatorics & Optimization, University of Waterloo
