A New Family of Pairing-Friendly Elliptic Curves

  • Michael Scott
  • Aurore Guillevic
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11321)


There have been recent advances in solving the finite extension field discrete logarithm problem as it arises in the context of pairing-friendly elliptic curves. This has led to the abandonment of approaches based on supersingular curves of small characteristic, and to the reconsideration of the field sizes required for implementation based on non-supersingular curves of large characteristic. This has resulted in a revision of recommendations for suitable curves, particularly at a higher level of security. Indeed, for a security level of 256 bits, the BLS48 curves have been suggested, and demonstrated to be superior to other candidates. These curves have an embedding degree of 48. The well-known taxonomy of Freeman, Scott and Teske only considered curves with embedding degrees up to 50. Given some uncertainty around the constants that apply to the best discrete logarithm algorithm, it would seem to be prudent to push a little beyond 50. In this note we announce the discovery of a new family of pairing-friendly elliptic curves which includes a new construction for a curve with an embedding degree of 54.


Keywords: Elliptic curves; Pairing-based cryptography; Aurifeuillean factorization


References

  1. Barbulescu, R., Duquesne, S.: Updating key size estimations for pairings. J. Cryptol. (2018).
  2. Barreto, P.S.L.M., Lynn, B., Scott, M.: Constructing elliptic curves with prescribed embedding degrees. In: Cimato, S., Persiano, G., Galdi, C. (eds.) SCN 2002. LNCS, vol. 2576, pp. 257–267. Springer, Heidelberg (2003).
  3. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006).
  4. Benger, N., Scott, M.: Constructing tower extensions of finite fields for implementation of pairing-based cryptography. In: Hasan, M.A., Helleseth, T. (eds.) WAIFI 2010. LNCS, vol. 6087, pp. 180–195. Springer, Heidelberg (2010).
  5. Brent, R.P.: On computing factors of cyclotomic polynomials. Math. Comp. 61(203), 131–149 (1993).
  6. Brezing, F., Weng, A.: Elliptic curves suitable for pairing based cryptography. Des. Codes Cryptogr. 37(1), 133–141 (2005).
  7. Brillhart, J., Lehmer, D.H., Selfridge, J.L., Tuckerman, B., Wagstaff Jr., S.S.: Factorizations of \(b^n \pm 1\), \(b=2,3,5,6,7,10,11,12\) up to High Powers. Contemporary Mathematics, 2nd edn, vol. 22. American Mathematical Society, Providence (1988).
  8. Estibals, N.: Compact hardware for computing the Tate pairing over 128-bit-security supersingular curves. In: Joye, M., Miyaji, A., Otsuka, A. (eds.) Pairing 2010. LNCS, vol. 6487, pp. 397–416. Springer, Heidelberg (2010).
  9. Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. J. Cryptol. 23(2), 224–280 (2010).
  10. Galbraith, S.D., McKee, J.F., Valença, P.C.: Ordinary Abelian varieties having small embedding degree. Finite Fields Appl. 13(4), 800–814 (2007).
  11. Granville, A., Pleasants, P.: Aurifeuillian factorization. Math. Comp. 75(253), 497–508 (2006).
  12. Joux, A., Pierrot, C.: The special number field sieve in \(\mathbb{F}_{p^{n}}\) - application to pairing-friendly constructions. In: Cao, Z., Zhang, F. (eds.) Pairing 2013. LNCS, vol. 8365, pp. 45–61. Springer, Cham (2014).
  13. Kachisa, E.J., Schaefer, E.F., Scott, M.: Constructing Brezing-Weng pairing-friendly elliptic curves using elements in the cyclotomic field. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 126–135. Springer, Heidelberg (2008).
  14. Kim, T., Barbulescu, R.: Extended tower number field sieve: a new complexity for the medium prime case. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 543–571. Springer, Heidelberg (2016).
  15. Kiyomura, Y., Inoue, A., Kawahara, Y., Yasuda, M., Takagi, T., Kobayashi, T.: Secure and efficient pairing at 256-bit security level. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 59–79. Springer, Cham (2017).
  16. Menezes, A., Sarkar, P., Singh, S.: Challenges with assessing the impact of NFS advances on the security of pairing-based cryptography. In: Phan, R.C.-W., Yung, M. (eds.) Mycrypt 2016. LNCS, vol. 10311, pp. 83–108. Springer, Cham (2017).
  17. El Mrabet, N., Joye, M. (eds.): Guide to Pairing-Based Cryptography. Chapman and Hall/CRC, Boca Raton (2016).
  18. Schinzel, A.: On primitive prime factors of \(a^n-b^n\). Proc. Cambridge Philos. Soc. 58(4), 555–562 (1962).
  19. Schirokauer, O.: The number field sieve for integers of low weight. Math. Comput. 79(269), 583–602 (2010).
  20. Scott, M.: On the efficient implementation of pairing-based protocols. In: Chen, L. (ed.) IMACC 2011. LNCS, vol. 7089, pp. 296–308. Springer, Heidelberg (2011).
  21. Scott, M., Benger, N., Charlemagne, M., Dominguez Perez, L.J., Kachisa, E.J.: On the final exponentiation for calculating pairings on ordinary elliptic curves. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 78–88. Springer, Heidelberg (2009).
  22. Stevenhagen, P.: On Aurifeuillian factorizations. Nederl. Akad. Wetensch. Indag. Math. 49(4), 451–468 (1987).
  23. Vercauteren, F.: Optimal pairings. IEEE Trans. Inf. Theory 56, 455–461 (2009).
  24. Wagstaff Jr., S.S.: The search for Aurifeuillian-like factorizations. J. Integers 12A(6), 1449–1461 (2012).

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. MIRACL.com, Trim, Ireland
  2. Université de Lorraine, CNRS, Inria, LORIA, Nancy, France
