Attractive Subfamilies of BLS Curves for Implementing High-Security Pairings

  • Craig Costello
  • Kristin Lauter
  • Michael Naehrig
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7107)


Barreto-Lynn-Scott (BLS) curves are a stand-out candidate for implementing high-security pairings. This paper shows that particular choices of the pairing-friendly search parameter give rise to four subfamilies of BLS curves, all of which offer highly efficient and implementation-friendly pairing instantiations.

Curves from these particular subfamilies are defined over prime fields that support very efficient towering options for the full extension field. The coefficients for a specific curve and its correct twist are automatically determined without any computational effort. The choice of an extremely sparse search parameter is immediately reflected by a highly efficient optimal ate Miller loop and final exponentiation. As a resource for implementors, we give a list with examples of implementation-friendly BLS curves through several high-security levels.


Keywords: Pairing-friendly, high-security pairings, BLS curves





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Craig Costello (1, 2)
  • Kristin Lauter (2)
  • Michael Naehrig (2, 3)

  1. Information Security Institute, Queensland University of Technology, Brisbane, Australia
  2. Microsoft Research, Redmond, USA
  3. Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, Eindhoven, Netherlands
