A Short-List of Pairing-Friendly Curves Resistant to Special TNFS at the 128-Bit Security Level

Part of the Lecture Notes in Computer Science book series (LNSC, volume 12111)

Abstract

There have been notable improvements in discrete logarithm computations in finite fields since 2015 and the introduction of the Tower Number Field Sieve algorithm (TNFS) for extension fields. The Special TNFS is very efficient in finite fields that are target groups of pairings on elliptic curves, where the characteristic is special (e.g. sparse). The key sizes for pairings should be increased, and alternative pairing-friendly curves can be considered. We revisit the Special variant of TNFS for pairing-friendly curves. In this case the characteristic is given by a polynomial of moderate degree (between 4 and 38) and tiny coefficients, evaluated at an integer (a seed). We present a polynomial selection with a new practical trade-off between degree and coefficient size. As a consequence, the security of curves computed by Barbulescu, El Mrabet and Ghammam in 2019 should be revised: we obtain a smaller estimated cost of STNFS for all curves except BLS12 and BN. To obtain TNFS-secure curves, we reconsider the Brezing–Weng generic construction of families of pairing-friendly curves and estimate the cost of our new Special TNFS algorithm for these curves. This improves on the work of Fotiadis and Konstantinou, Fotiadis and Martindale, and Barbulescu, El Mrabet and Ghammam. We obtain a short-list of interesting families of curves that are resistant to the Special TNFS algorithm, of embedding degrees 10 to 16 for the 128-bit security level. We conclude that at the 128-bit security level, BLS-12 and Fotiadis–Konstantinou–Martindale curves with \(k=12\) over a 440 to 448-bit prime field seem to be the best choice for pairing efficiency. We also give hints at the 192-bit security level.
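The "special" structure the abstract refers to is concrete: for the BLS12 family the characteristic p is a fixed degree-6 polynomial with coefficients of absolute value at most 2, evaluated at one seed, and r and the trace t come from equally small polynomials. The following Python is an added example, not code from the paper or its author. It derives p, r and t for any BLS12 seed and checks the standard pairing-friendly conditions (r divides the curve order, embedding degree 12), using the public BLS12-381 seed from the Zcash construction cited as reference [7] below; the 440 to 448-bit seeds the paper recommends are not given on this page, so they are not used here. Function names and the report layout are my own.

```python
# Added example (not from the paper): why a BLS12 characteristic is "special"
# in the STNFS sense. p is P(x)/3 for a fixed polynomial P with tiny
# coefficients evaluated at one seed x, so the Number Field Sieve polynomial
# selection can reuse P directly instead of searching for a good polynomial.
# Seed below is the public BLS12-381 seed (reference [7] on this page).

from typing import Dict, List

# Coefficients, lowest degree first, of the BLS12 family polynomials.
# 3*p(x) = x^6 - 2x^5 + 2x^3 + x + 1   (p itself carries the 1/3 factor)
# r(x)   = x^4 - x^2 + 1               (12th cyclotomic polynomial)
# t(x)   = x + 1                       (trace of Frobenius)
BLS12_3P: List[int] = [1, 1, 0, 2, 0, -2, 1]
BLS12_R: List[int] = [1, 0, -1, 0, 1]
BLS12_T: List[int] = [1, 1]

BLS12_381_SEED = -0xD201000000010000  # public BLS12-381 seed


def poly_eval(coeffs: List[int], x: int) -> int:
    """Horner evaluation of a polynomial given lowest-degree-first coefficients."""
    acc = 0
    for c in reversed(coeffs):
        acc = acc * x + c
    return acc


def bls12_params(x: int) -> Dict[str, int]:
    """Derive p, r, t and the cofactor of a BLS12 curve from its seed x.

    Raises ValueError when the seed gives a non-integer p (x != 1 mod 3) or
    when r does not divide the curve order (cannot happen for a valid seed,
    but the check documents the condition being relied on).
    """
    three_p = poly_eval(BLS12_3P, x)
    if three_p % 3 != 0:
        raise ValueError("seed must be congruent to 1 mod 3 for BLS12")
    p = three_p // 3
    r = poly_eval(BLS12_R, x)
    t = poly_eval(BLS12_T, x)
    n = p + 1 - t  # number of points on the curve over F_p
    if n % r != 0:
        raise ValueError("r does not divide the curve order")
    return {"p": p, "r": r, "t": t, "cofactor": n // r}


def embedding_degree(p: int, r: int, max_k: int = 48) -> int:
    """Smallest k with r | p^k - 1, i.e. the field F_{p^k} that the pairing maps into.

    Returns 0 if no k <= max_k works.
    """
    for k in range(1, max_k + 1):
        if pow(p, k, r) == 1:
            return k
    return 0


def special_form_report(x: int) -> Dict[str, int]:
    """Summarise the quantities STNFS cost estimates depend on for a seed x."""
    params = bls12_params(x)
    return {
        "p_bits": params["p"].bit_length(),
        "r_bits": params["r"].bit_length(),
        "seed_bits": abs(x).bit_length(),
        "poly_degree": len(BLS12_3P) - 1,
        "max_coeff": max(abs(c) for c in BLS12_3P),
        "k": embedding_degree(params["p"], params["r"]),
    }


if __name__ == "__main__":
    for name, value in special_form_report(BLS12_381_SEED).items():
        print(f"{name:>12}: {value}")
```

For BLS12-381 the report shows a 381-bit p produced by a degree-6 polynomial with coefficients no larger than 2 from a 64-bit seed; that is exactly the shape for which the abstract says STNFS is very efficient, and it is why the paper argues key sizes for such curves must be reassessed rather than read off generic finite-field tables.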

References

  1. Aranha, D.F., Gouvêa, C.P.L.: RELIC is an Efficient LIbrary for Cryptography. https://github.com/relic-toolkit/relic

  2. Arène, C., Lange, T., Naehrig, M., Ritzenthaler, C.: Faster computation of the Tate pairing. J. Number Theory 131(5, Elliptic Curve Cryptography), 842–857 (2011). https://doi.org/10.1016/j.jnt.2010.05.013. http://cryptojedi.org/papers/#edpair

  3. Barbulescu, R., Duquesne, S.: Updating key size estimations for pairings. J. Cryptol. 32(4), 1298–1336 (2019). https://doi.org/10.1007/s00145-018-9280-5. https://ia.cr/2017/334

  4. Barbulescu, R., El Mrabet, N., Ghammam, L.: A taxonomy of pairings, their security, their complexity. ePrint 2019/485, 24 September 2019. https://ia.cr/2019/485

  5. Barbulescu, R., Gaudry, P., Kleinjung, T.: The tower number field sieve. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 31–55. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_2. https://ia.cr/2015/505

  6. Barreto, P.S.L.M., Lynn, B., Scott, M.: Constructing elliptic curves with prescribed embedding degrees. In: Cimato, S., Persiano, G., Galdi, C. (eds.) SCN 2002. LNCS, vol. 2576, pp. 257–267. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36413-7_19

  7. Bowe, S.: BLS12-381: New zk-SNARK elliptic curve construction. Zcash blog, 11 March 2017. https://blog.z.cash/new-snark-curve/

  8. Bowe, S., Chiesa, A., Green, M., Miers, I., Mishra, P., Wu, H.: ZEXE: enabling decentralized private computation. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 1114–1131. IEEE Computer Society, Los Alamitos (2020). https://www.computer.org/csdl/proceedings-article/sp/2020/349700b114/1iqVRI2nNra. https://ia.cr/2018/962

  9. Brezing, F., Weng, A.: Elliptic curves suitable for pairing based cryptography. Des. Codes Cryptogr. 37(1), 133–141 (2005). https://doi.org/10.1007/s10623-004-3808-4. https://ia.cr/2003/143

  10. Chatterjee, S., Menezes, A., Rodríguez-Henríquez, F.: On instantiating pairing-based protocols with elliptic curves of embedding degree one. IEEE Trans. Comput. 66(6), 1061–1070 (2017). https://doi.org/10.1109/TC.2016.2633340. https://ia.cr/2016/403

  11. Chatterjee, S., Sarkar, P., Barua, R.: Efficient computation of Tate pairing in projective coordinate over general characteristic fields. In: Park, C., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 168–181. Springer, Heidelberg (2005). https://doi.org/10.1007/11496618_13

  12. Chiesa, A., Chua, L., Weidner, M.: On cycles of pairing-friendly elliptic curves. SIAM J. Appl. Algebr. Geom. 3(2), 175–192 (2019). https://doi.org/10.1137/18M1173708

  13. Costello, C., Lange, T., Naehrig, M.: Faster pairing computations on curves with high-degree twists. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 224–242. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_14. https://ia.cr/2009/615

  14. Costello, C., Lauter, K., Naehrig, M.: Attractive subfamilies of BLS curves for implementing high-security pairings. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 320–342. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25578-6_23. https://ia.cr/2011/465

  15. Ethereum, Go implementation. https://github.com/ethereum/go-ethereum/tree/master/crypto/bn256

  16. Foster, K.: HT90 and “simplest” number fields. Illinois J. Math. 55(4), 1621–1655 (2011). http://arxiv.org/abs/1207.6099

  17. Fotiadis, G., Konstantinou, E.: TNFS resistant families of pairing-friendly elliptic curves. Theor. Comput. Sci. 800, 73–89 (2019). https://doi.org/10.1016/j.tcs.2019.10.017. https://ia.cr/2018/1017

  18. Fotiadis, G., Martindale, C.: Optimal TNFS-secure pairings on elliptic curves with composite embedding degree. ePrint 2019/555 (2019). https://ia.cr/2019/555

  19. Fouotsa, E., El Mrabet, N., Pecha, A.: Computing optimal ate pairings on elliptic curves with embedding degree 9, 15 and 27. ePrint 2016/1187 (2016). https://ia.cr/2016/1187

  20. Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. J. Cryptol. 23(2), 224–280 (2010). https://doi.org/10.1007/s00145-009-9048-z. https://ia.cr/2006/372

  21. Galbraith, S.: Pairings. In: Blake, I.F., Seroussi, G., Smart, N.P. (eds.) Advances in Elliptic Curve Cryptography. London Mathematical Society Lecture Note Series, pp. 183–214. Cambridge University Press, Cambridge (2005). https://doi.org/10.1017/CBO9780511546570.011

  22. Guillevic, A., Masson, S., Thomé, E.: Cocks–Pinch curves of embedding degrees five to eight and optimal ate pairing computation. Des. Codes Cryptogr. 1–35 (2020). https://doi.org/10.1007/s10623-020-00727-w. https://hal.inria.fr/hal-02305051

  23. Guillevic, A., Singh, S.: On the alpha value of polynomials in the tower number field sieve algorithm. ePrint 2019/885 (2019). https://ia.cr/2019/885

  24. ISO: ISO/IEC 15946–5:2017 Information technology - Security techniques - Cryptographic techniques based on elliptic curves - Part 5: Elliptic curve generation, 2 edn., August 2017. https://www.iso.org/standard/69726.html

  25. Joux, A., Pierrot, C.: The special number field sieve in \(\mathbb{F}_{p^{n}}\) - application to pairing-friendly constructions. In: Cao, Z., Zhang, F. (eds.) Pairing 2013. LNCS, vol. 8365, pp. 45–61. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04873-4_3. https://ia.cr/2013/582

  26. Kim, T., Barbulescu, R.: Extended tower number field sieve: a new complexity for the medium prime case. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 543–571. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_20. https://ia.cr/2015/1027

  27. Kim, T., Jeong, J.: Extended tower number field sieve with application to finite fields of arbitrary composite extension degree. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10174, pp. 388–408. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54365-8_16. https://ia.cr/2016/526

  28. Lenstra, A.K., Verheul, E.R.: Selecting cryptographic key sizes. J. Cryptol. 14(4), 255–293 (2001). https://doi.org/10.1007/s00145-001-0009-4

  29. Menezes, A., Sarkar, P., Singh, S.: Challenges with assessing the impact of NFS advances on the security of pairing-based cryptography. In: Phan, R.C.-W., Yung, M. (eds.) Mycrypt 2016. LNCS, vol. 10311, pp. 83–108. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61273-7_5. https://ia.cr/2016/1102

  30. Montgomery, P.L.: Five, six, and seven-term Karatsuba-like formulae. IEEE Trans. Comput. 54, 362–369 (2005). https://doi.org/10.1109/TC.2005.49

  31. Pereira, G.C., Simplício, M.A., Naehrig, M., Barreto, P.S.: A family of implementation-friendly BN elliptic curves. J. Syst. Softw. 84(8), 1319–1326 (2011). https://doi.org/10.1016/j.jss.2011.03.083. https://ia.cr/2010/429

  32. Sakemi, Y., Kobayashi, T., Saito, T.: Pairing-friendly curves. IETF draft, November 2019. https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-00

  33. Scott, M., Guillevic, A.: A new family of pairing-friendly elliptic curves. In: Budaghyan, L., Rodríguez-Henríquez, F. (eds.) WAIFI 2018. LNCS, vol. 11321, pp. 43–57. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-05153-2_2. https://ia.cr/2018/193

  34. Smith, B.: Easy scalar decompositions for efficient scalar multiplication on elliptic curves and genus 2 Jacobians. Contemp. Math. 637, 15 (2015). https://hal.inria.fr/hal-00874925

  35. Wahby, R.S., Boneh, D.: Fast and simple constant-time hashing to the BLS12-381 elliptic curve. IACR TCHES 2019(4), 154–179 (2019). https://doi.org/10.13154/tches.v2019.i4.154-179

Author information

Corresponding author

Correspondence to Aurore Guillevic.

Copyright information

© 2020 International Association for Cryptologic Research

About this paper

Cite this paper

Guillevic, A. (2020). A Short-List of Pairing-Friendly Curves Resistant to Special TNFS at the 128-Bit Security Level. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds) Public-Key Cryptography – PKC 2020. PKC 2020. Lecture Notes in Computer Science, vol. 12111. Springer, Cham. https://doi.org/10.1007/978-3-030-45388-6_19

  • DOI: https://doi.org/10.1007/978-3-030-45388-6_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-45387-9

  • Online ISBN: 978-3-030-45388-6