1 Introduction

Many pairing-based cryptography (PBC) have been proposed, e.g., ID-based encryption [8, 40], attribute-based encryption [41], and functional encryption [38]. A pairing on the elliptic curve is a non-degenerate bilinear map \(e:\mathbb {G}_{1}\times \mathbb {G}_{2}\rightarrow \mathbb {G}_{3}\), where \(\mathbb {G}_{1}\), \(\mathbb {G}_{2}\), \(\mathbb {G}_{3}\) are a group with order r respectively. The security of the pairing is based on the difficulty in solving the discrete logarithm problem (DLP) in \(\mathbb {G}_{1}\), \(\mathbb {G}_{2}\), \(\mathbb {G}_{3}\). The group \(\mathbb {G}_{1}\), \(\mathbb {G}_{2}\) are a subgroup on the elliptic curve, and the DLP on an elliptic curve (ECDLP) in \(\mathbb {G}_{1}\), \(\mathbb {G}_{2}\) must be computationally infeasible against the rho algorithm [16, 39]. Hence, we should choose r with a secure bitlength against the rho algorithm. The group \(\mathbb {G}_{3}\) is a subgroup on finite field \(\mathbb {F}_{p^{k}}\), where p is a prime and \(k\ge 1\) is an embedding degree, and the DLP on a finite field (FFDLP) in \(\mathbb {G}_{3}\) must be computationally infeasible against the number field sieve (NFS) algorithms. There are various NFS algorithms (e.g. Classical-NFS [25], tower NFS (TNFS) [10, 45], and special NFS (SNFS) [10, 26]). We should choose p and k with a secure bitlength of \(p^{k}\) against the NFS algorithms.

The recommended bitlength of \(p^{k}\) of the pairing was discussed in the 2013 report of ENISA [15, Table 3.6], where the pairing and RSA have the same recommended bitlength. This was in accordance with a general belief stated, for example, by Lenstra: “An RSA modulus n and a finite field \(\mathbb {F}_{p^{k}}\) therefore offer about the same level of security if n and \(p^k\) are of the same order of magnitude” [32, Sect. 5.1]. The recommended bitlength of RSA was derived from the complexity of the NFS algorithm for integer factorization [33]. In other words, the bitlength of \(p^{k}\) of the pairing was estimated considering the complexity of this NFS algorithm.

At CRYPTO 2016, Kim and Barbulescu proposed an efficient NFS algorithm called the extended tower number field sieve (exTNFS) algorithm [28]. This NFS algorithm greatly impacted the security of the mainstream pairing such as optimal ate pairing [47]. The complexity of the exTNFS algorithm was reduced from that of previous NFS algorithms by using the trivial equation \(\mathbb {F}_{p^{k}}=\mathbb {F}_{p^{\eta \kappa }}\), where \(\gcd (\eta , \kappa )=1\). Kim and Barbulescu concluded that the bitlength of the pairing should increase roughly twice [28]. Therefore, we should revise to estimate the secure bitlength of \(p^k\) against the exTNFS in detail. Note that Menezes et al. estimated the bitlength of \(p^k\) for the pairing considering the exTNFS algorithm at 128- and 192-bit security levels [37].

Generally, faster timing of the main operations of PBC (i.e. pairing, scalar multiplication on the elliptic curves, and exponentiation on the finite field) is preferred to implement the PBC. To choose a suitable pairing-friendly curve from among various pairing-friendly curves is one of the factors that affect the efficiency of computing the main operations of PBC. Among the studies conducted before the exTNFS algorithm was proposed, Scott [44] theoretically chose the suitable pairing-friendly curve at each security level based on the bitlength of r, \(p^{k}\) and \(\rho \)-value given in Freeman et al.’s taxonomy [16]. However, Aranha et al. [3] discussed the suitable pairing-friendly curve different from that chosen theoretically by comparing the timing of the pairing among several pairing-friendly curves at 192-bit security level. To choose a suitable pairing-friendly curve at a certain security level, it is important to not only choose theoretically but also compare the timing of the main operations of PBC.

Our Contributions. Our goal with this paper is to obtain a secure and efficient pairing at 256-bit security level. To achieve this, our contribution is to revise the estimation of the bitlength of \(p^{k}\) due to the efficient NFS algorithms (e.g. Special exTNFS, Special TNFS) and choose the suitable pairing-friendly curve for efficiently computing the main operations of PBC. We focus on the Barreto-Lynn-Scott (BLS) [11] and Kachisa-Schaefer-Scott (KSS) [29] families that have high embedding degree and are easy to implement the pairing. We specifically choose the following five candidate pairing-friendly curves at the 256-bit security level; the BLS-k with \(k=24, 42, 48\) and KSS-k with \(k=32, 36\). For these curves, we estimate the secure bitlength \(p^{k}\) in detail against the efficient NFS algorithms by comparing the upper bound of norms of these algorithms using the Kim and Barbulescu’s estimation method [28]. Furthermore, based on the revised bitlength of \(p^k\), we search for the specific parameter of each candidate pairing-friendly curve to implement the main operations of PBC, and then compare the timing of these operations among the five candidate pairing-friendly curves. Finally, we show the suitable pairing-friendly curve at 256-bit security level.

2 Overview of Pairing

2.1 Definition and Properties

Let p be a prime and E be an elliptic curve defined over the finite field \(\mathbb {F}_{p}\). Let r be a prime with \(\gcd (p,r)=1\). An embedding degree k is the smallest positive integer with \(r\ | \ p^k-1\). Let \(\mathbb {G}_{1}\), \(\mathbb {G}_{2}\) be a subgroup on the elliptic curve with order r and \(\mathbb {G}_{3}\) be a subgroup on the finite field \(\mathbb {F}_{p^{k}}\) with order r. A pairing e is defined by \(e: \mathbb {G}_{1} \times \mathbb {G}_{2}\longrightarrow \mathbb {G}_{3}\) ; \( (P, Q)\longmapsto f_{r,P}(Q)^{(p^{k}-1)/r}\), where the rational function \(f_{r,P}\) satisfies div\((f_{r,P})=r(P)-r(\mathcal {O})\) for the point at infinity \(\mathcal {O}\). For \(P\in \mathbb {G}_{1}\), \(Q\in \mathbb {G}_{2}\) and \(a\in \mathbb {Z}\), a pairing e has the following properties;

  • bilinearity: \(e(aP, Q)=e(P, aQ)=e(P, Q)^a\),

  • non-degeneracy: for all \(P\in \mathbb {G}_{1}\), \(e(P,Q)=1\) then \(Q=\mathcal {O}\) and for all \(Q\in \mathbb {G}_{2}\), \(e(P,Q)=1\) then \(P=\mathcal {O}\),

  • efficiently computable: e(PQ) can be efficiently computed.

2.2 Optimal Ate Pairing

The optimal ate pairing proposed by Vercauteren [47] is the most efficient method of computing the pairing e. There are many implementation results of the optimal ate pairing [3, 9, 13, 36, 44]. Let m be an integer such that \(r \not \mid m\). Let \(\lambda =mr\) and write \(\lambda =\sum _{i=0}^{\omega }\alpha _{i}p^{i}\) where \(\omega =\lfloor \log _{p}\lambda \rfloor \). Let E[r] be an r-torsion subgroup. Define \(\mathbb {G}_{1}=E[r]\ \cap \) Ker\((\pi _{p}-[1])=E(\mathbb {F}_{p})[r]\), \(\hat{\mathbb {G}}_{2}=E[r] \cap \) Ker\((\pi _{p}-[p])\subseteq E(\mathbb {F}_{p^{k}})[r]\) as the subgroup with r. Let \(E'\) be a twist of degree d of E with \(\psi : E'\rightarrow E\) defined over \(\mathbb {F}_{p^{d}}\), and define \(\mathbb {G}_{2}=\psi ^{-1}(\hat{\mathbb {G}}_{2})\). Note that d depends on the pairing-friendly curve and is in {2, 3, 4, 6} [24]. An optimal ate pairing \(a_{k}\) is defined by

$$\begin{aligned} a_{k}:\mathbb {G}_{1}\times \mathbb {G}_{2} \longrightarrow \mathbb {G}_{3}, \ (P,Q)\longmapsto \left( \prod _{i=0}^{\omega }f_{\alpha _{i},Q}^{p^{i}}(P)\cdot \prod _{i=0}^{\omega -1}\frac{\ell _{[\beta _{i+1}]Q, [\alpha _{i}p^{i}]Q}(P)}{v_{[\beta _{i}]Q}(P)} \right) ^{\frac{p^{k}-1}{r}} \end{aligned}$$
(1)

where \(\beta _{i}=\sum _{j=i}^{\omega }\alpha _{j}p^{j}\), \(\ell _{T, T'}\) is the line through T and \(T'\), and \(v_{T}\) is the vertical line through T, where T and \(T'\) are points on the elliptic curve.

3 Candidate Pairing-Friendly Curves at 256-Bit Security Level

In this section, we choose the five candidate pairing-friendly curves satisfying the security and efficiency from the BLS [11] and KSS [29] families to choose the suitable pairing-friendly curve at 256-bit security level. In this paper, we define len(x) as the bitlength of x.

3.1 How to Choose Candidate Pairing-Friendly Curves

We show the security against the ECDLP and FFDLP and the efficiency for implementation of the main operations of PBC. An embedding degree k is determined by the chosen pairing-friendly curve, and the primes r and p are represented by the polynomial of a positive integer x.

Security. The parameters r, p, and k should satisfy the complexity of solving the DLP in \(\mathbb {G}_{1}\), \(\mathbb {G}_{2}\) and \(\mathbb {G}_{3}\) to achieve the \(\mathcal{K}\)-bit security level. The definition of ECDLP in \(\mathbb {G}_{1}\) and \(\mathbb {G}_{2}\) is as follows. Given points \(G, Y\in \mathbb {G}_{1}\) (or \(\mathbb {G}_{2})\), find \(x\in \mathbb {Z}\) such that \(Y=xG\). An efficient algorithm for solving the ECDLP is the rho algorithm [16, 39], which has the complexity of \(\mathcal{O}(\sqrt{r})\). Therefore, we should choose the bitlength of r with len\((r)\ge 2\mathcal{K}\). The definition of the FFDLP in \(\mathbb {G}_{3}\) is as follows. Given points \(g, y\in \mathbb {G}_{3}\), find \(x\in \mathbb {Z}\) such that \(y=g^x\). An efficient algorithm for solving the FFDLP are the STNFS [10, 26] and SexTNFS [28] algorithms. We give the bitlength of \(p^k\) which the FFDLP is computationally infeasible against these NFS algorithms in Sect. 5.

Efficiency. To efficiently compute the main operations of PBC (i.e. pairing, scalar multiplication in \(\mathbb {G}_{1}\) and \(\mathbb {G}_{2}\), and exponentiation in \(\mathbb {G}_{3}\)) with the above security, we consider the following conditions as affecting the efficiency of these operations.

  • len(r) and len\((p^{k})\) are as small as possible.

  • The \(\rho \)-value is approximately 1 (\(\rho =\log p / \log r\)).

  • Parameter x in polynomials (e.g. p(x), r(x)) has a low Hamming weight.

  • The embedding degree k has the form \(k=2^{i}\cdot 3^{j}\) \((i\in \mathbb {Z}_{\ge 1}, j\in \mathbb {Z}_{\ge 0})\).

  • The twist of degree d is 6 (\(d=6\) is maximum of degree).

These conditions are theoretically efficient ones, then the effect of each condition is uncertain in the implementation.

3.2 Selection of Candidate Pairing-Friendly Curves

In this subsection, we decide the candidate pairing-friendly curves from the BLS [11] and KSS [29] families to choose the suitable pairing-friendly curve at 256-bit security level based on Sect. 3.1. We focus on the BLS and KSS families that have high embedding degree and can be easy to construct the pairing. We specifically choose the following five candidate pairing-friendly curves at the 256-bit security level; the BLS-k with \(k=24, 42, 48\) and the KSS-k with \(k=32, 36\). In the case of the BLS-k, the small len(r) and len\((p^{k})\) in the BLS-42 and BLS-48 can be choose because these curve have high embedding degree k, and the implementation results in the BLS-24 exists [9, 44]. In the case of the KSS-k, the KSS-36 has the small len(r), the KSS-32 has small \(\rho \)-value and simple tower construction for \(\mathbb {F}_{p^k}\) since \(k=32=2^5\).

The detail of the five candidate pairing-friendly curves are as follows; the curves with \(6 \mid k\) are defined by \(E/\mathbb {F}_{p}\) : \(y^2=x^3+b\), and has the complex multiplication discriminant \(D=3\) and \(d=6\), the curves with \(4 \mid k\) is defined by \(E/\mathbb {F}_{p}\) : \(y^2=x^3+ax\), and has \(D=1\) and \(d=4\). Table 1 shows the parameters p(x), r(x), t(x), k, \(\rho \)-value, deg\(\left( p(x)\right) \), and Euler function \(\varphi (k)\) for each curves. The parameters n(x) and f(x) satisfy \(n(x)=p(x)+1-t(x)\) and \(4p(x)-t(x)^2=Df(x)^2\), respectively.

Table 1. Parameters for the five candidate pairing-friendly curves
Full size table

4 Overview of Number Field Sieve and Its Variants

In this section, we give an overview of the NFS algorithm and its variants to revise the bitlength of the five candidate pairing-friendly curves introduced in Sect. 3.2.

The FFDLP is classified into three cases by size of p: small, medium, or large. In medium and large cases, the NFS algorithms is the most efficient algorithm for solving the FFDLP. To accurately classify p, let \(p=L_{p^k}(l_p, c_p)\), where \(L_{p^k}(l_p, c_p)=\mathrm{exp}((c_p+o(1))(\log p^k)^{l_p}(\log \log p^k)^{1-l_p})\). o(1) becomes 0 when \(p^k \rightarrow \infty \). The prime p is called medium if \(1/3<l_p<2/3\), large if \(2/3<l_p<1\), boundary if \(l_p = 2/3\).

Note that the above \(L_{p^k}\)-notation is just an asymptotic value. If we fix the value of \(p^k\), the \(L_{p^k}\)-notation has a constant value c such that \(c\times \mathrm{exp}((c_p+o(1))(\log p^k)^{l_p}(\log \log p^k)^{1-l_p})\) and \(o(1)\not = 0\). Therefore, when we substitute the concrete value for \(p^k\) in \(L_{p^k}\)-notation, it is important to evaluate c and o(1).

The NFS algorithms for solving the FFDLP are classified into three types: Classical-NFS, TNFS, and exTNFS, according to their mathematical constructions. The Classical-NFS algorithm was proposed in 2006, and the complexities are \(L_{p^k}(1/3\), \((128/9)^{1/3})\) and \(L_{p^k}(1/3, (64/9)^{1/3})\) in the medium and large cases, respectively. The TNFS algorithm was proposed in 1999 and later applied to the large case in 2015, where the complexity of the TNFS algorithm is also \(L_{p^k}(1/3, (64/9)^{1/3})\) in the large case. Finally, the exTNFS algorithm proposed in 2015 is the generalization of combining the Classical-NFS and TNFS algorithms, and its complexities in medium and large cases are \(L_{p^k}(1/3, (64/9)^{1/3})\).

4.1 Extended TNFS and Special-NFS Algorithms

In this subsection, we explain the exTNFS algorithm [28], which is effective for solving the FFDLP. We then give an overview of the Special-NFS algorithm. The NFS algorithms (not specified for exTNFS) are divided into the following four steps: 1. polynomial selection, 2. relation collection, 3. linear algebra, and 4. individual logarithm.

exTNFS Algorithm. We can use the exTNFS algorithm when the extension degree k is composite. Let \(k=\eta \kappa \). We select an irreducible polynomial \(h(t)\in \mathbb {Z}[t]\) over \(\mathbb {Q}\) and \(\mathbb {F}_p\) whose degree is \(\eta \). We construct \(\mathbb {Q}(\iota )=\mathbb {Q}[t]/h(t)\) and put \(R = \mathbb {Z}[t]/h(t)\subset \mathbb {Q}(\iota )\).

Note that the Classical-NFS algorithm [25] is the case in which \(R=\mathbb {Z}\) in the exTNFS algorithm, and the TNFS algorithm [45] is the case in which \(\deg h = n\) in the exTNFS algorithm.

Polynomial Selection. We select polynomials \(f_1\) and \(f_2\in R[X]\) that satisfy the condition that \(f_1 \mod p\) and \(f_2 \mod p\) have a common factor \(\varphi (X)\) of degree \(\kappa \), which is irreducible over \(\mathbb {F}_{p^\eta } = R/pR\). In this section, \(i \in \{1, 2\}\). Let \(K_i\) be the number fields defined by \(f_i\) above the fraction field of R and \(\mathcal {O}_i\) be the integer ring of \(K_i\). We denote the roots of \(f_i\) in \(\mathbb {C}\) by \(\theta _i\) and the degree of \(f_i\) by \(d_i\). We then obtain two maps from R[X] to \((R/pR)[X]/\varphi (X)\cong \mathbb {F}_{p^k}\).

Relation Collection. We select smoothness bound \(B\in \mathbb {N}\) and define factor base \(\mathcal {F}_i\) as follows: \(\mathcal {F}_i = \{(\mathfrak {q}, \theta _i - \gamma ) : \mathfrak {q} : \) prime in \(\mathbb {Q}(\iota )\) lying over a prime \(p \le B\), \(f_i(\gamma ) \equiv 0 \mod \mathfrak {q} \}\). We then obtain \(a-bX \in R[X]\) by selecting \((a(t), b(t)) \in R^2\). The coefficients of a(t) and b(t) are bounded by A. Let \(E = A^{\eta }\) be the sieve parameter. The norm of \(a-b\theta _i\) in \(K_i\) is expressed as follows.

$$\begin{aligned} \mathcal {N}_{K_i/\mathbb {Q}}(a-b\theta _i) = \left| \mathrm{Res} \left( h(t), \sum _{j \in [0, d_i]} f_{i, j} a(t)^j b(t)^{d_i-j} \right) \right| , \end{aligned}$$

where \(f_{i, j}\) is the coefficient of polynomial \(f_i = \sum ^{d_i}_{j=0} f_{i, j} X^j\). When \(\mathcal {N}_{K_1/\mathbb {Q}}(a-b\theta _1)\) and \(\mathcal {N}_{K_2/\mathbb {Q}}(a-b\theta _2)\) are B-smooth, the (a(t), b(t)) pair is called a double smooth pair (an integer is B-smooth if the largest prime factor is less than B). When (a(t), b(t)) is a double smooth pair, \((a-b\theta _1)\) and \((a-b\theta _2)\) can be factored into the prime ideal in \(\mathcal {O}_1\) and \(\mathcal {O}_2\) using only the elements of \(\mathcal {F}_1\) and \(\mathcal {F}_2\), respectively. Therefore, we obtain the following notation: \((a-b\theta _i) = \prod _{\mathfrak {p}\in \mathcal {F}_i}\mathfrak {p}^{{\mu }_{\mathfrak {p}}}\) and the following relation up to units.

$$\begin{aligned} \phi _1((a-b\theta _1)) = \phi _2((a-b\theta _2)) \ \ \mathrm{in} \ \ \mathbb {F}_{p^k}\Longleftrightarrow & {} \phi _1(\prod _{\mathfrak {p} \in \mathcal {F}_1} \mathfrak {p}^{\mu _{\mathfrak {p}}}) = \phi _2(\prod _{\mathfrak {q} \in \mathcal {F}_2} \mathfrak {q}^{\mu _{\mathfrak {q}}})\\\Longleftrightarrow & {} \prod _{\mathfrak {p} \in \mathcal {F}_1} \phi _1(\mathfrak {p})^{\mu _{\mathfrak {p}}} = \prod _{\mathfrak {q} \in \mathcal {F}_2} \phi _2(\mathfrak {q})^{\mu _{\mathfrak {q}}} \end{aligned}$$

Thus, this leads to

$$\begin{aligned} \begin{aligned}&\sum _{\mathfrak {p} \in \mathcal {F}_1}{\mu _{\mathfrak {p}}}\log {\phi _1(\mathfrak {p})} + \sum _j \lambda _{1, j}\log {\varLambda _{1, j}}\\&= \sum _{\mathfrak {q} \in \mathcal {F}_2}{\mu _{\mathfrak {q}}}\log {\phi _2(\mathfrak {q})} + \sum _j \lambda _{2, j}\log {\varLambda _{2, j}} \mod p^k-1, \end{aligned} \end{aligned}$$
(2)

where \(\log \phi _1(\mathfrak {p})\), \(\log \phi _2(\mathfrak {q})\), \(\log \varLambda _{1,j}\) and \(\log \varLambda _{2,j}\) are the unknowns called virtual logarithms [46], and \(\lambda _{1,j}\) and \(\lambda _{2,j}\) are computable values called character maps to distinguish the difference in units. Let \(N_{\lambda }\) be the number of character maps. When we collect more than \(|\mathcal {F}_1|+|\mathcal {F}_2|+N_{\lambda }\) double smooth pairs (a(t), b(t)), we obtain the relations of (2).

In this section, we collect double smooth pairs (ab), but it is possible to collect double smooth tupples \((a_1, a_2, \cdots , a_{\tau })\). We call parameter \(\tau \) a sieve dimension.

Linear Algebra. In collecting adequate relations in the previous step, we can construct and solve the simultaneous congruence. We obtain the values of the virtual logarithms \(\log \phi _1(\mathfrak {p})\), \(\log \phi _2(\mathfrak {q})\), \(\log \varLambda _{1,j}\), and \(\log \varLambda _{2,j}\).

Individual Logarithm. Finally, we compute the target logarithm x from the values of the virtual logarithms.

Special-NFS Algorithms. We collectively call three NFS algorithms (exTNFS, Classical-NFS, and TNFS) as the General NFS (GNFS) algorithms. The GNFS algorithms can be applied for special polynomial selection when p has a special form. The special cases of the GNFS algorithms are called Special-NFS (SNFS) algorithms. We consider the SNFS algorithms for solving the FFDLP to estimate the security of the pairing where p has a special form.

4.2 Larger Norm Implies Higher Complexity

In this section, we give an overview on the complexity of the NFS algorithms. The main steps to evaluate this complexity are as follows.

  • We evaluate the upper bound of norms and probabilities in which the norms are B-smooth.

The smaller the upper bound of norms is, the higher the probability the norms are B-smooth. Therefore, we have to select polynomials so that the upper bounds of norms become small.

  • We set the parameters appropriately so that we can collect adequate double smooth pairs from the sieve region.

The sieve region is the region to collect relations. When the sieve degree is \(\tau \), the sieve region is \(E^{\tau }\). We set the appropriate parameters to satisfy the inequality that \(E^{\tau } \times \) (the probability of B-smooth of norm’s upper bound) \(\le \) (the number of double smooth pairs we collect) \( = B^{1+o(1)}\).

  • Relation collection and linear algebra have the same complexities.

The whole complexity of NFS algorithms is the sum of the complexities of following two steps: relation collection and linear algebra. In the exTNFS algorithm, the complexity of relation collection is \(O(E^2)\). We need to evaluate sizes of parameters because of the trade-off between relation collection and linear algebra.

When the norm is small, the probability that norms are B-smooth becomes high. We can obtain relations with a few trials. The complexity of relation collection becomes small, and the whole complexity becomes small. That is, the decrease in norms implies the reduction in the security of cryptography, which is based on the difficulty of the FFDLP. Therefore, we can estimate bitlengths by comparing the sizes of norms.

4.3 Comparing Norms of NFS Algorithms by Using Kim and Barbulescu’s Estimation Method

We refer to the method of comparing norms in [28] to estimate and compare the norms of various NFS algorithms. The norms of each GNFS algorithm are listed in Table 2, and the norms of each SNFS algorithm are listed in Table 3 (part of Table 2 is omitted).

Table 2. Norm sizes of GNFS algorithms
Full size table
Table 3. Norm sizes of SNFS algorithms
Full size table

In Tables 2 and 3, \(E_G\) is the sieve parameter of the GNFS algorithms and \(E_S\) is the sieve parameter of the SNFS algorithms. In addition, d is the degree of polynomial selected in the step of polynomial selection. Note that d in SNFS algorithm is equal to the degree of p. The \(\tau \) is the sieve dimension, and others are parameters used in each NFS algorithm. Sieve parameter E depends on the implementations. Kim and Barbulescu [28] used the formula

$$\begin{aligned} E_G=c_G L_{p^k}\left( \frac{1}{3}, \left( \frac{8}{9}\right) ^{1/3}\right) , E_S=c_S L_{p^k}\left( \frac{1}{3}, \left( \frac{4}{9}\right) ^{1/3}\right) . \end{aligned}$$

They determined \(\log _2{c_G} \approx -4.30 \) using the results of three implementations [6, 7, 14]. Similarly, they determined \(\log _2{c_S} \approx -4.27 \) using the results of an implementation [1]. After the values of \(E_G\) and \(E_S\) are determined, other parameters must be determined. The parameters, except \(\tau \), are computed using the theoretical optimal values. Then \(\tau \) is determined as the best value in their bitsize of the norm.

5 Revise the Bitlength for Candidate Pairing-Friendly Curves

In this section, we revise to estimate the bitlengths for the five pairing-friendly curves (i.e. the BLS-k with \(k=24, 42, 48\) and KSS-k with \(k=32, 36\)) at 256-bit security level by using the norms of NFS algorithms in the previous section.

5.1 Revised Estimation of Bitlength for BLS-48

In this subsection, we revised to estimate the bitlength for the BLS-48. We compare the norms of NFS algorithms based on the constants \(c_G\) and \(c_S\) and estimate the bitlength based on the initial norm of the GNFS algorithms at the 256-bit security level. The estimations for other pairing-friendly curves (i.e. the BLS-24, KSS-32, KSS-36 and BLS-42) are described in the Appendix A.

Determining Constants c \(_{\mathbf G}\) and c \(_{\mathbf {S}}\) . Before plotting norms, the constant values of \(c_G\) and \(c_S\) must be evaluated. As previously mentioned, \(c_G\) and \(c_S\) are evaluated from the implementation results. We discuss these values by adding new implementation results. In Kim and Barbulescu’s study [28], \(\log _2{c_G} \approx -4.30 \) and \(\log _2{c_S} \approx -4.27 \); however, we evaluate \(c_G\) and \(c_S\) by adding to new results. First, we evaluate \(c_G\) using the result from Kleinjung [31] who solved the DLP in \(\mathbb {F}_p\). We extrapolate from the pair (\(\log _2{p^k} = 768\), \(\log _2{E_G} \approx 35\)) Kleinjung used [31] and obtain \(\log _2{c_G} \approx -3.26 \). The sieve parameter \(E_G\) using Kleinjung’s result is larger than that Kim and Barbulescu evaluated. Because \(E_G\) by Kim and Barbulescu [28] is evaluated more strictly, we plot the norms of the GNFS algorithms using \(\log _2{c_G} \approx -4.30 \) they used. Next, we evaluate \(c_S\) using the results by Fried et al. [17] and Guillevic et al. [22]. We extrapolate from the pair (\(\log _2{p^k} = 1024\), \(\log _2{E_S} \approx 31\)) used by Fried et al. [17] and obtain \(\log _2{c_S} \approx -3.43 \). We also extrapolate from the pair (\(\log _2{p^k} = 510\), \(\log _2{E_S} \approx 26\)) used by Guillevic et al. [22] and obtain \(\log _2{c_S} \approx 0.67 \). The sieve parameters \(E_S\) using the results from Fried et al. and Guillevic et al. are larger than those Kim and Barbulescu evaluated. As with \(E_G\), because \(E_S\) from Kim and Barbulescu [28] is evaluated more strictly, we plot the norms of the SNFS algorithms using \(\log _2{c_S} \approx -4.27 \) they used.

Initial Norm of General NFS Algorithms at 256-Bit Security Level. We define the initial norm as the norm of the GNFS algorithm for integer factorization, which corresponds to the bitlength at 256-bit security level. Let N be a composite number. The norm of this GNFS algorithm is \(E_G^{d+1}N^{2/d+1}\), where d is the degree of the polynomial selected in the step of polynomial selection. The recommended bitlength of RSA at 256-bit security level is 15360-bit [5]. When N is 15360-bit, the optimal value of d is 15. We substitute the value of \(c_G\), which we evaluated in the previous section, for the norm, and the initial norm is about 4006-bit.

Fastest Variant of NFS Algorithms for BLS-48. We concretely estimate the bitlengths of the PBC. We give details of the BLS-48, and the other curves are mentioned in the Appendix A. We fix the extension degree to \(k = 48\) and examine the fastest NFS algorithm that solves the DLP in \(\mathbb {F}_{p^{48}}\), where p is expressed by the BLS-48.

First, we plot the norms of three GNFS algorithms (i.e. NFS-JLSV\(_1\), TNFS, and exTNFS-Conj) in Fig. 1. The \(E_G\) is as follows;

$$\begin{aligned} E_G = 2^{-4.3} L_{p^k}\left( \frac{1}{3}, \left( \frac{8}{9}\right) ^{\frac{1}{3}} \right) . \end{aligned}$$

  • NFS-JLSV\(_1\). The norm of the NFS-JLSV\(_1\) algorithm is expressed as

    \({E_G}^{\frac{4k}{\tau }}(p^k)^{\frac{\tau -1}{k}}\). The optimal value of \(\tau \) is 9 when the norm is \({E_G}^{\frac{192}{\tau }}(p^k)^{\frac{\tau -1}{48}}\).

  • TNFS. The norm of the TNFS algorithm is expressed as \({E_G}^{\frac{2(d+1)}{\tau }}(p^k)^{\frac{2(\tau -1)}{d+1}}\). The d is 15 using the formula \(d = \root 3 \of {3}\left( \log p^k / \log \log p^k \right) ^{1/3}\). The optimal value of \(\tau \) is 2 when the norm is \({E_G}^{\frac{32}{\tau }}(p^k)^{\frac{2(\tau -1)}{16}}\)

  • exTNFS-Conj. The norm of the exTNFS-Conj algorithm is expressed as \({E_G}^{\frac{6\kappa }{\tau }}(p^k)^{\frac{\tau -1}{2\kappa }}\). Kim and Barbulescu [28] used the case of gcd(\(\eta , \kappa \)) \(=\) 1. However, Kim and Jeong proposed an algorithm allowing the choosing of \(\eta \) and \(\kappa \) freely from the co-primality condition, and their algorithm has the same complexities as when \(\eta \) and \(\kappa \) are co-prime [30]. Therefore, we use all cases of (\(\eta \), \(\kappa \)). When \(n=48\), we can consider the cases of (\(\eta \), \(\kappa \)) \(=\) (2, 24), (3, 16), (4, 12), (6, 8), (8, 6), (12, 4), (16, 3), (24, 2). When (\(\eta \), \(\kappa \)) \(=\) (2, 24), (3, 16), (4, 12), (6, 8), (8, 6), (12, 4), (16, 3), (24, 2), the optimal value of \(\tau \) is 7, 5, 4, 3, 2, 2, 2, 2, respectively.

Next, we plot the norms of three SNFS algorithms (i.e. STNFS, SNFS-JP, and SexTNFS) in Fig. 2. In the BLS-48, deg\((p(x))=18\). The \(E_S\) is as follows:

$$\begin{aligned} E_S = 2^{-4.3} L_{p^k}\left( \frac{1}{3}, \left( \frac{4}{9}\right) ^{\frac{1}{3}} \right) \end{aligned}$$

  • STNFS. The norm of the STNFS algorithm is expressed as

    \({E_G}^{\frac{2(d+1)}{\tau }}(p^k)^{\frac{\tau -1}{d}}\). The optimal value of \(\tau \) is 2 when the norm is \({E_G}^{\frac{38}{\tau }}(p^k)^{\frac{\tau -1}{18}}\).

  • SNFS-JP. The norm of the SNFS-JP algorithm is expressed as

    \({E_G}^{\frac{2k(d+1)}{\tau }}(p^k)^{\frac{\tau -1}{kd}}\). The optimal value of \(\tau \) is 103 when the norm is \({E_G}^{\frac{1824}{\tau }}(p^k)^{\frac{\tau -1}{864}}\).

  • SexTNFS. The norm of the SexTNFS algorithm is expressed as

    \({E_G}^{\frac{2\kappa (d+1)}{\tau }}(p^k)^{\frac{\tau -1}{\kappa d}}\). We also use the all case of (\(\eta \), \(\kappa \)). When (\(\eta \), \(\kappa \)) \(=\) (2, 24), (3, 16), (4, 12), (6, 8), (8, 6), (12, 4), (16, 3), (24, 2), the optimal value of \(\tau \) is 51, 34, 26, 17, 13, 9, 6, 4, respectively.

Fig. 1.
figure 1

Norms of GNFS algorithms in \(\mathbb {F}_{p^{48}}\)

Full size image
Fig. 2.
figure 2

Norms of SNFS algorithms in \(\mathbb {F}_{p^{48}}\)

Full size image

In Figs. 1 and 2, the STFNS algorithm has the smallest norm. When the norm is the initial norm of 4006-bit, the bitlength of the STNFS algorithm is 27410-bit. Therefore, we can estimate that the bitlength at 256-bit security level is 27410-bit.

5.2 Revised Bitlength at 256-Bit Security Level

We revise to estimate the bitlength for the five candidate pairing-friendly curves (i.e. the BLS-k with \(k=24, 42, 48\) and KSS-k with \(k=32, 36\)) at 256-bit security level based on the Kim and Barbulescu’s method [28]. The results are listed in Table 4. According to ENISA [15, Table 3.6], the bitlength of the pairing requires more than 15360-bit to achieve the 256-bit security level [16]. However, our revised estimation shows that it is necessary to increase the bitlength by more than 10000-bit to achieve the 256-bit security level. In other word, it is necessary to approximately multiply the bitlength by 1.7 times to achieve the 256-bit security level.

Table 4. Revised bitlength at 256-bit security level
Full size table

6 Comparison of Timing Among Candidate Pairing-Friendly Curves

In this section, we measure and compare the timing of the main operations of PBC among the five candidate pairing-friendly curves using the revised bitlength to show a suitable pairing-friendly curve at 256-bit security level. Our implementation uses the efficient algorithms for computing the main operations of PBC.

6.1 Specific Parameter for Implementation

The specific parameter \(x_{0}\) for each candidate pairing-friendly curve is required to decide the parameters of each curve in Table 1 and implement the main operations of PBC. The \(x_{0}\) for the BLS-24 showed in [13] satisfies the revised bitlength of \(p^k\) in Table 4, but there are no documents showed the parameter satisfying the revised bitlength of \(p^k\) in Table 4 for other curves. Therefore, we should search for \(x_{0}\) for each KSS-32, KSS-36, BLS-42, and BLS-48.

To efficiently compute the pairing, we search for the specific parameter \(x_{0}\) with a low Hamming weight and len\((r)\ge 512\) and len(\(p^k\)) always more than the bitlength in Table 4. Table 6 shows \(x_{0}\), the bitlength of parameters, and Hamming weight of \(x_{0}\) for the five candidate pairing-friendly curves. Note that the \(\mathbb {G}_{1}\), \(\mathbb {G}_{2}\), \(\mathbb {G}_{3}\) are better to satisfy subgroup security [12] in order to resist against small-subgroup attacks as an optional security requirement. The information of implementation (i.e. the tower construction, elliptic curve E, twist \(E'\) of E, and \(\ell _{T,T'}(P)\)) are showed in Table 5.

Table 5. Information of implementation for the five candidate pairing-friendly curves
Full size table
Table 6. \(x_{0}\), bitlength of parameters and Hamming weight of \(x_{0}\)
Full size table

6.2 Our Implemented Algorithms

In this subsection, we give an overview of the implemented efficient algorithms for computing the main operations of PBC. We implement the base field \(\mathbb {F}_{p}\) arithmetic by using the GMP library [18]. Additionally, in the arithmetic of the tower field, we use the lazy reduction technique [42] which can reduce the number of the modulo operations of \(\mathbb {F}_{p}\).

Pairing. The formulas of optimal ate pairing for each candidate pairing-friendly curve are given in Table 7. Note that these formulas can be produced from Eq. (1) and [47, Eq. (9)]. There are two steps involved in computing the optimal ate pairing; the miller loop (ML) \(f'=f_{x, Q}(P)\cdot g\), where g is the part other than \(f_{x,Q}(P)\) in Table 7, and final exponentiation (FE) \(f'^{(p^k-1)/r}\).

Table 7. Formulas for computing optimal ate pairing \(a_{k}(P, Q)\)
Full size table

In the ML, the rational function \(f_{x, Q}(P)\) can be computed using Miller’s algorithm [34]. The computational cost of the ML is affected by bitlength \(x_{0}\) and the Hamming weight of \(x_{0}\). We can reduce the computational cost of the multiplication on \(\mathbb {F}_{p^{k}}\) by using the sparse multiplication technique [35]. We use the affine pairing [2] since the computation of the inversion in \(\mathbb {G}_{2}\) is fast.

In the FE, the equation \(f'^{(p^{k}-1)/r}\) can be broken down into three components by using cyclotomic polynomial \(\varPhi _{k}\) as follows [43].

$$\begin{aligned} (p^{k}-1)/r=\underbrace{[(p^{k/2}-1)]\cdot [(p^{k/2}+1)/\varPhi _{k}(p)] }_{\begin{array}{c} \mathrm{easy\; part} \end{array}} \cdot \underbrace{[\varPhi _{k}(p)/r]}_{\begin{array}{c} \mathrm{hard\; part} \end{array}}. \end{aligned}$$

The computation of the easy part \(m = f'^{(p^{k/2}-1) \cdot ((p^{k/2}+1)/\varPhi _{k}(p))}\) requires one conjugation, one inversion, some Frobenius operations and some multiplications on \(\mathbb {F}_{p^{k}}\), so the computational cost of the easy part hardly affects that of the whole FE. The hard part can be computed by using the base p representation of \(\varPhi _{k}\left( p \right) /r\) as

$$\begin{aligned} m^{\varPhi _{k}\left( p \right) /r} = (m^{\lambda _{0}})\cdot (m^{\lambda _{1}})^{p} \cdots (m^{\lambda _{s-1}})^{p^{s-1}}\cdot (m^{\lambda _{s}})^{p^{s}}, \end{aligned}$$
(3)

where \(\lambda _{i}\) is the polynomial by x and \(s=\varphi (k)-1\). For computing the Eq. (3), in the BLS-k, we can compute it with essentially just exponentiation by x since the BLS-k has a very convenient way to compute the each \(m^{\lambda _{i}}\) [13]. In the KSS-k, we apply the addition chain technique with Ghammam et al.’s \(\lambda _{i}\)-representation to compute the each \(m^{\lambda _{i}}\) efficiently since the coefficients of \(\lambda _{i}\) are dozens bits [23]. Additionally, to efficiently compute the exponentiation by x, we use the Karabina squaring technique [27] in the case of the curve with \(d=6\), and Granger-Scott squaring technique [19] in the case of the curve with \(d=4\) respectively. Hence, the computation of the hard part requires exponentiations by x deg\((p(x))-1\) times, Frobenius operations s times, and squarings/multiplications on \(\mathbb {F}_{p^{k}}\).

Scalar Mult. in \(\mathbb {G}_{1}\) and \(\mathbb {G}_{2}\) . To efficiently compute the scalar multiplication in \(\mathbb {G}_{1}\) and \(\mathbb {G}_{2}\), we use the Gallant-Lambert-Vanstone (GLV) [20] and Galbraith-Lin-Scott (GLS) [21] which are the scalar decomposition methods By using the GLV/GLS, for given a scalar u and \(P\in \mathbb {G}_{1}\) (or \(\mathbb {G}_{2})\), the scalar u is decomposed into t scalars \(u_{1}, u_{2}, \ldots , u_{t}\) with roughly the size len(u) / t, then we convert the multi-scalar multiplication \(uP = u_{1}P+u_{2}\psi (P)+\cdots +u_{t}\psi ^{t-1}(P)\) by using an efficient endomorphism \(\psi \) [9], where \(t=2\) in \(\mathbb {G}_{1}\) and \(t=\varphi (k)\) in \(\mathbb {G}_{2}\) respectively. The number of the doubling in \(\mathbb {G}_{1}\) and \(\mathbb {G}_{2}\) can reduce to roughly 1 / t. Moreover, by using the width-w non adjacent form (w-NAF) [45], the number of the addition in \(\mathbb {G}_{1}\) and \(\mathbb {G}_{2}\) can be reduced in the computing the each scalar multiplication \(u_{i}\psi ^{i-1}(P)\). Note that we chose the optimal window size w for the scalars \(u_{i}\). Let \({\texttt {I}}_{i}\) and \({\texttt {M}}_{i}\) be the cost of inversion and multiplication in \(\mathbb {F}_{p^{i}}\) respectively. We use the Jacobian coordinates in \(\mathbb {G}_{1}\) since \({\texttt {I}}_{1}\) \(\approx \) 17.7\({\texttt {M}}_{1}\). We use the affine coordinates in \(\mathbb {G}_{2}\) since \({\texttt {I}}_{k/d}\) \(\approx \) 3.3\({\texttt {M}}_{k/d}\) for BLS-24, KSS-32, KSS-36, BLS-48, and the Jacobian coordinates in \(\mathbb {G}_{2}\) since \({\texttt {I}}_{7}\) \(\approx \) 17.6\({\texttt {M}}_{7}\) for BLS-42.

Exp. in \(\mathbb {G}_{3}\) . To efficiently compute the exponentiation in \(\mathbb {G}_{3}\), we can use the GLS method and w-NAF since \(\mathbb {G}_{3}\subseteq \mathbb {G}_{\varPhi _{k}(p)}=\{ \alpha \in \mathbb {F}_{p^{k}}\ |\ \alpha ^{\varPhi _{k}(p)}=1 \}\) and the inversion in \(\mathbb {G}_{3}\) can be efficiently computed by the conjugation [4].

6.3 Timing and Comparison

In this subsection, we show the timing of the main operations of PBC and compare those among the five candidate pairing-friendly curves.

Environment. We implement in C language, and its compiler is gcc 6.2.0 with -O3 option. We also measure on an Intel Core i7-6700 @ 3.4 GHz, RAM: 32 GB and OS: Ubuntu 16.04 (64-bit).

Results. Table 8 shows the timing of computing the pairing (ML, FE), scalar multiplication in \(\mathbb {G}_{1}\), \(\mathbb {G}_{2}\), and exponentiation in \(\mathbb {G}_{3}\) for each candidate pairing-friendly curve. We discuss the timing of these operations among the five candidate pairing-friendly curves.

Table 8. Timing of computing pairing (ML, FE), scalar multiplication in \(\mathbb {G}_{1}\), \(\mathbb {G}_{2}\) and exponentiation in \(\mathbb {G}_{3}\) (M clk: million clocks)
Full size table

Pairing. The computational cost of the ML is affected by the bitlength and Hamming weight of \(x_{0}\). The effect on the timing of the ML by the Hamming weight of \(x_{0}\) is small since the Hamming weight of \(x_{0}\) of each five candidate pairing-friendly curves is sufficiently small and much the same. As the embedding degree k increases, the bitlength of \(x_ {0}\) decrease, so the timing of the ML in the BLS-48 can be computed most efficiently.

The computational cost of the FE is affected by the coefficient of \(\lambda _{i}\) of Eq. (3), \(\varphi (k)\), degree of p(x), the bitlength of \(x_{0}\) and \(p^k\). The timings of the FE in the KSS-k are slower than that of the BLS-k since the computational cost of addition chain is required in addition to the exponentiation by x to compute the each \(m^{\lambda _{i}}\) in Eq. (3) of KSS-k. In the BLS-k, the coefficient of each \(\lambda _{i}\) of Eq. (3) is a few bits. Hence, the cost to compute all \(m^{\lambda _{i}}\) in the BLS-k is affected by the bitlength of \(p^k\). The timing of the FE in the BLS-24 is faster than other BLS-k since the bitlength of \(x_{0}\) of the BLS-24 is smaller.

Consequently, the timing of the pairing in the BLS-48 is faster than other pairing-friendly curves. The multi-pairing requires computing multiple MLs and one FE. Hence, the pairing-friendly curve with fast calculation of the ML has a significant effect on the efficiency of the computing the multi-pairing.

Scalar Mult. in \(\mathbb {G}_{1}\) . The input of scalar multiplication in \(\mathbb {G}_{1}\) is a random element \(P\in \mathbb {G}_{1}\) and a random scalar value of less than r. The computational cost is affected by the bitlength of r and the point addition/doubling in \(\mathbb {G}_{1}\) affected by the bitlength of p. As k increases, the bitlength of p and r decrease. Hence, the timing of the scalar multiplication in \(\mathbb {G}_{1}\) in the BLS-48 is faster than other pairing-friendly curves.

Scalar Mult. in \(\mathbb {G}_{2}\) . The input of scalar multiplication in \(\mathbb {G}_{2}\) is a random element of \(P\in \mathbb {G}_{2}\) and a random scalar value of less than r. Its computational cost is affected by the degree of twist d, and the bitlength r and \(p^{k/d}\). The group \(\mathbb {G}_{2}\) is a subgroup on \(E'(\mathbb {F}_{p^{k/d}})\), and the bitlength of \(p^{k/d}\) can be small when d is large. The bitlength of \(p^{k/d}\) in the KSS-32 with \(d=4\) is about 2000-bit larger than that in the BLS-24, KSS-32, KSS-36, and BLS-48 with \(d=6\). Hence, the timing of the scalar multiplication in \(\mathbb {G}_{2}\) in the KSS-32 is slower than other curves. Among the BLS-24, KSS-36 and BLS-48, as k increases, the bitlength of r decrease. Hence, the timing of the scalar multiplication in \(\mathbb {G}_{2}\) in the BLS-48 is faster than other curves.

Exp. in \(\mathbb {G}_{3}\) . The input of exponentiation in \(\mathbb {G}_{3}\) is a random element of \(g\in \mathbb {G}_{3}\) and a random scalar value of less than r. The group \(\mathbb {G}_{3}\) is a subgroup on finite field \(\mathbb {F}_{p^{k}}\), and then the computational cost of the exponentiation in \(\mathbb {G}_{3}\) is affected by the bitlength of r and the multiplication/squaring in \(\mathbb {F}_{p^{k}}\). The BLS-42 and BLS-48 are theoretically better to compute the exponentiation in \(\mathbb {G}_{3}\) efficiently since the bitlength of r is small rather than other curves. The number of the squaring in \(\mathbb {F}_{p^{k}}\) in the BLS-48 is less than that in the BLS-42 because of the decomposition size. To compute the multi-exponentiation after the decomposition, the number of the multiplication in \(\mathbb {F}_{p^{k}}\) in the BLS-42 is more reduced rather than in the BLS-48 because the bigger window size can be use in BLS-42 by w-NAF. As the result, the timing of the exponentiation in \(\mathbb {G}_{3}\) in the BLS-42 is fastest in all candidate curves.

6.4 Impact on Timing by Revised Bitlength

In this subsection, we show the impact on the timing of the main operations of PBC by revised bitlength of \(p^{k}\) at 256-bit security level by comparing between our and previous implementations. Note that it is difficult to directly compare the timing of the main operations of PBC between our and previous implementations since the implemented algorithms and techniques are different.

In previous implementations, Scott [44] showed that the timing of the pairing is 88.8M clk, and Bos et al. [9] showed that the timing of the scalar multiplication in \(\mathbb {G}_{1}\) and \(\mathbb {G}_{2}\), and exponentiation in \(\mathbb {G}_{3}\) are 5.2, 27.6, 47.1M clk respectively. These implemented in BLS-24 with about 15000-bit \(p^{k}\) and 500-bit r.

We compare the timing between our BLS-48 implementation and the previous BLS-24 implementations. Our BLS-48 implementation of the scalar multiplication in \(\mathbb {G}_{1}\) is approximately 1.5 times faster than the previous BLS-24 implementations of that because the bitlength of r is the same between these implementations. Then, our BLS-48 implementation of other operations is approximately 1.0–1.3 times slower than the previous BLS-24 implementations of that due to the effect of the efficient NFS algorithms.

7 Conclusion

We give for the first time the revised bitlength which the DLP is computationally infeasible against the efficient NFS algorithms (e.g. SexTNFS, STNFS), and the timing of the main operations of PBC for the five candidate pairing-friendly curves (i.e. the BLS-k with \(k=24, 42, 48\), KSS-k with \(k=32, 36\)) at 256-bit security level. On the security side, we show that it is necessary to increase bitlengths by more than 10000-bit from the previous estimation to achieve the 256-bit security level. On the implementation side, we show that the BLS-48 curve is the suitable curve at the 256-bit security level by comparing the timing of the main operations of PBC among the five candidate pairing-friendly curves with revised bitlengths. For more speeding up, we should implement \(\mathbb {F}_{p}\)-arithmetic in assembly, apply other efficient algorithms, etc.