Choosing and generating parameters for pairing implementation on BN curves

Abstract

Because pairings have many applications, many hardware and software pairing implementations can be found in the literature. However, the parameters generally used have been invalidated by the recent results on the discrete logarithm problem over pairing friendly elliptic curves (Kim and Barbulescu in CRYPTO 2016, volume 9814 of lecture notes in computer science, Springer, Berlin, pp 543–571, 2016). New parameters must be generated to insure enough security in pairing based protocols. More generally it could be useful to generate nice pairing parameters in many real-world applications (specific security level, resistance to specific attacks on a protocol, database of curves). The main purpose of this paper is to describe explicitly and exhaustively what should be done to generate the best possible parameters and to make the best choices depending on the implementation context (in terms of pairing algorithm, ways to build the tower field, \(\mathbb {F}_{p^{12}}\) arithmetic, groups involved and their generators, system of coordinates). We focus on low level implementations, assuming that \(\mathbb {F}_p\) additions have a significant cost compared to other \(\mathbb {F}_p\) operations. However, our results are still valid if \(\mathbb {F}_p\) additions can be neglected. We also explain why the best choice for the polynomials defining the tower field \(\mathbb {F}_{p^{12}}\) is only dependent on the value of the BN parameter u mod small integers (like 12 for instance) as a nice application of old elementary arithmetic results. This should allow a faster generation of this parameter. Moreover, we use this opportunity to give some new slight improvements on \(\mathbb {F}_{p^{12}}\) arithmetic (in a pairing context).

Appendices

A Details for the new improvements of \(\mathbb {F}_{p^{12}}\) arithmetic given in Sect. 3.9

1.1 A.1 Multiplications by \(\xi -1\) in Karatsuba operations

The Karatsuba multiplication of \(x_0{\scriptstyle +}x_1\beta {\scriptstyle +}x_2\beta ^2\) by \(y_0{\scriptstyle +}y_1\beta {\scriptstyle +}y_0\beta ^2\) in \(\mathbb {F}_{p^{3i}}\) can be evaluated as

$$\begin{aligned}&x_0y_0+\xi ((x_1+ x_2)(y_1+ y_2)- x_1y_1- x_2y_2)\\&\quad +\,\left[ (x_0+ x_1)(y_0+ y_1)- x_0y_0- x_1y_1+ x_2y_2+(\xi -1) x_2y_2\right] \beta \\&\quad +\,\left[ (x_0+ x_2)(y_0+ y_2)- x_0y_0-(-x_1y_1+ x_2y_2)\right] \beta ^2. \end{aligned}$$

As in \(\mathbb {F}_{p^{2i}}\), one of the multiplications by \(\xi \) of the formula given in Sect. 3.3.1 is replaced by a multiplication by \(\xi -1\). Of course, this trick also applies to \(\mathbb {F}_{p^{2i}}\) and \(\mathbb {F}_{p^{3i}}\) Karatsuba squarings.

In the cases considered in Sect. 3.8, this improvement is only interesting in the intermediate fields (\(\mathbb {F}_{p^4}/\mathbb {F}_{p^2}\) or \(\mathbb {F}_{p^6}/\mathbb {F}_{p^2}\)) and allows to save some \(\mathbb {F}_p\) additions for each Karatsuba multiplication or squaring in \(\mathbb {F}_{p^4}\) or \(\mathbb {F}_{p^6}\) in the cases given in Table 10.

Table 10 Savings provided by the \(\xi -1\) trick

Remark 11

This trick is more interesting in the case 2, 2, 3 that in the case 2, 3, 2. Indeed, a Karatsuba multiplication in \(\mathbb {F}_{p^{12}}\) requires 6 multiplications at the middle level in the case 2, 2, 3 (and then \(6m_{2,\xi }\) are replaced by \(6m_{2,\xi -1}\)) but only 3 in the case 2, 3, 2. Of course, this remark also applies to sparse \(\mathbb {F}_{p^{12}}\) multiplications and to \(\mathbb {F}_{p^{12}}\) squarings.

Let us now give the details of the saving obtained if traces are precomputed in the three situations described in Sect. 3.9.2.

1.2 A.2 Use of precomputed traces in \(\mathbb {F}_{p^{12}}\) squarings

As explained in Sect. 3.3, the Chung–Hasan method for \(\mathbb {F}_{p^{3i}}\) squarings computes

$$\begin{aligned} x_1^2+2x_0x_2=(x_0+x_1+x_2)^2-\left( 2x_0x_1+2x_1x_2+x_0^2+x_2^2\right) . \end{aligned}$$

Then \(x_0, 2x_1\) and \(x_2\) are each used in two \(\mathbb {F}_{p^i}\) operations. If Karatsuba or complex arithmetic is used for these \(\mathbb {F}_{p^i}\) operations, \(3\mathbf {A}_{i/2}\) can then be saved by precomputing \(x_0, 2x_1\) and \(x_2\) traces. In fact, one can do even better, depending on the way to build \(\mathbb {F}_{p^{12}}\).

Case 2,3,2. We saw in Sect. 3.6 that a \(\mathbb {F}_{p^{12}}/\mathbb {F}_{p^6}\) squaring is usually performed using the Karatsuba method:

$$\begin{aligned} (c_0+c_1\gamma )^2=c_0^2+\left[ (c_0+c_1)^2-c_0^2- c_1^2\right] \gamma +c_1^2\beta . \end{aligned}$$

Then the Chung–Hasan squaring in \(\mathbb {F}_{p^6}\) is used 3 times. Moreover the \(\mathbb {F}_{p^6}/\mathbb {F}_{p^2}\) traces of \(c_0, c_1\) and \(c_0+c_1\) (which costs \(2\mathbf {A}_2\) each) are necessary but the latter is the sum of the 2 others so that one additional \(\mathbf {A}_2\) can be saved. Hence, if the Karatsuba method is used in \(\mathbb {F}_{p^2}\), \(11\mathbf {A}_1\) can be saved in \(\mathbf {S}_{12}\) thanks to trace precomputations (9 from \(\mathbb {F}_{p^6}/\mathbb {F}_{p^2}\) Chung–Hasan over Karatsuba squaring and 2 from \(\mathbb {F}_{p^{12}}/\mathbb {F}_{p^6}\) Karatsuba over Chung–Hasan squaring). If the Karatsuba method is not used in \(\mathbb {F}_{p^2}\), only the 2 last ones can be saved.

Case 2, 2, 3. We saw that computing \((c_0+c_1\gamma +c_2\gamma ^2)^2\) with the Chung–Hasan method, \(c_0, c_1\) and \(c_2\in \mathbb {F}_{p^4}\) are used twice, so that precomputing their \(\mathbb {F}_{p^4}/\mathbb {F}_{p^2}\) traces \(t_i\) saves \(3\mathbf {A}_2\). But their \(\mathbb {F}_{p^2}\) components are of course also used twice (in the same operations) and precomputing their \(\mathbb {F}_{p^2}/\mathbb {F}_p\) traces is then interesting if the Karatsuba/complex method is used in \(\mathbb {F}_{p^2}\). Moreover, in \(\mathbb {F}_{p^4}\) operations, the \(t_i\) play the same role as the \(\mathbb {F}_{p^2}\) components so that precomputing their traces is also interesting. Finally, if Karatsuba is used in \(\mathbb {F}_{p^2}\), \(15\mathbf {A}_1\) can be saved in \(\mathbf {S}_{12}\) thanks to trace precomputations (6 from the \(\mathbb {F}_{p^4}/\mathbb {F}_{p^2}\) traces of the \(c_i\), 6 from the \(\mathbb {F}_{p^2}/\mathbb {F}_p\) traces of the \(\mathbb {F}_{p^2}\) components of the \(c_i\) and 3 from the \(\mathbb {F}_{p^2}/\mathbb {F}_p\) traces of the \(\mathbb {F}_{p^4}/\mathbb {F}_{p^2}\) traces of the \(c_i\)). If Karatsuba is not used in \(\mathbb {F}_{p^2}\), only the first \(6\mathbf {A}_1\) can be saved.

1.3 A.3 Use of precomputed traces in \(\mathbb {F}_{p^{12}}\) sparse multiplications

The sparse multiplication involved in the Miller loop for the optimal Ate pairing involves schoolbook steps which will take advantage of precomputed traces. Again, the savings are dependent on the way to build \(\mathbb {F}_{p^{12}}\).

Case 2,3,2. Looking at Formula (3) given in Sect. 3.6.2, we can see that

• \(b_0\) is used in 3 \(\mathbb {F}_{p^2}\) multiplications. Precomputing its trace then saves \(2\mathbf {A}_1\),

• \(b_1\) and the third component of \(c_1\) are used in 2 \(\mathbb {F}_{p^2}\) multiplications during the sparse product \((b_1+b_3\beta )c_1\), so \(2\mathbf {A}_1\) can be saved,

• The same holds for the sparse product \((b_0+b_1+b_3\beta )(c_0+c_1)\),

• \(b_3\) is used twice in each of these sparse products, so \(3\mathbf {A}_1\) can be saved by precomputing \(tr_{\mathbb {F}_{p^2}/\mathbb {F}_p}(b_3)\).

Finally, \(9\mathbf {A}_1\) can be saved in the sparse multiplication if traces are precomputed (assuming that the Karatsuba method is used for \(\mathbb {F}_{p^2}\) multiplications)

Case 2, 2, 3. Looking at formula (4) given in Sect. 3.7.2, we can see that

• \(b_0+b_3\beta \) is used in 2 \(\mathbb {F}_{p^4}\) multiplications. Precomputing its trace (\(b_0+b_3\)) saves \(\mathbf {A}_2\),

• As a consequence of the previous point, \(b_0, b_3\) and \(b_0+b_3\) are used in 2 \(\mathbb {F}_{p^2}\) multiplications, so \(3\mathbf {A}_1\) can be saved,

• \(b_3\) is also used in the \(\mathbb {F}_{p^4}\) product \((c_0+c_1)(b_0+b_1+b_3\beta )\) which saves one additional \(\mathbf {A}_1\),

• \(b_1\) is used in 4 \(\mathbb {F}_{p^2}\) multiplications (\(c_2b_1\) and \(c_1b_1\)) so \(3\mathbf {A}_1\) can be saved,

• \(c_2\) is used twice (in \(c_2b_1\) and in \(c_2(b_0+b_3\beta )\)) so its \(\mathbb {F}_{p^2}\) coefficients are used twice each which saves \(2\mathbf {A}_1\).

Finally, \(11\mathbf {A}_1\) can be saved in the sparse multiplication if traces are precomputed (assuming that the Karatsuba method is used for \(\mathbb {F}_{p^2}\) multiplications, otherwise only \(2\mathbf {A}_1\) are saved).

In all considered cases, the saving obtained is around \(10\%\) of the total number of additions in \(\mathbb {F}_{p^{12}}\) operations which is not negligible if the relative cost of an addition compared to a multiplication in \(\mathbb {F}_p\) is not small.

1.4 A.4 Use of precomputed traces in the final exponentiation

Full multiplications in \(\mathbb {F}_{p^{12}}\) are only used in the final exponentiation. If the implemented exponentiation parses the exponent from left to right (which is usually the case), then the multiplication steps are performed with one constant term c. Hence, we can precompute and store all the traces depending only on c. Since the Karatsuba method is used at all levels of the extension tower (except in \(\mathbb {F}_{p^2}\) if \(\mathbf {A}_1>0.33\mathbf {M}_1\)), we will significantly reduce the number of required additions, whatever the way to build \(\mathbb {F}_{p^{12}}\).

Case 2,3,2.

• \(\mathbf {M}^{{\scriptscriptstyle K}}_{12}\) requires the \(\mathbb {F}_{p^{12}}/\mathbb {F}_{p^6}\) trace of c, thus \(\mathbf {A}_6\) can be saved if this trace is precomputed. It also requires \(3\mathbf {M}^{{\scriptscriptstyle K}}_6\) by a constant term (the 2 coordinates of c and its trace).

• Each \(\mathbf {M}^{{\scriptscriptstyle K}}_6\) involving a constant term b requires 3 sums of 2 coordinates of b, thus \(3\mathbf {A}_2\) can be saved if these sums are precomputed. Hence \(9\mathbf {A}_2\) are saved at this level. Each \(\mathbf {M}^{{\scriptscriptstyle K}}_6\) also requires \(6\mathbf {M}_2\) by a constant term (the 3 coordinates of b and the 3 sums of 2 coordinates).

• Each \(\mathbf {M}^{{\scriptscriptstyle K}}_2\) involving a constant term a requires the \(\mathbb {F}_{p^2}/\mathbb {F}_p\) trace of a, thus one \(\mathbf {A}_1\) can be saved if this trace is precomputed. Hence \(18\mathbf {A}_1\) can be saved at this level when the Karatsuba method is used for \(\mathbf {M}_2\).

Case 2, 2, 3.

• \(\mathbf {M}^{{\scriptscriptstyle K}}_{12}\) requires 3 sums of 2 coordinates of c, thus \(3\mathbf {A}_4\) can be saved if these sums are precomputed. It also requires \(6\mathbf {M}^{{\scriptscriptstyle K}}_4\) by a constant term (the 3 coordinates of c and the 3 sums of 2 coordinates).

• Each \(\mathbf {M}^{{\scriptscriptstyle K}}_4\) involving a constant term b requires the \(\mathbb {F}_{p^4}/\mathbb {F}_{p^2}\) trace of b, thus one \(\mathbf {A}_2\) can be saved if this trace is precomputed. Hence \(6\mathbf {A}_2\) are saved at this level. Each \(\mathbf {M}^{{\scriptscriptstyle K}}_4\) also requires \(3\mathbf {M}_2\) by a constant term (the 2 coordinates of b and its trace).

• Again, one \(\mathbf {A}_1\) can be saved for each \(\mathbf {M}^{{\scriptscriptstyle K}}_2\) involving a constant term if its trace is precomputed. Hence \(18\mathbf {A}_1\) can be saved at this level when Karatsuba is used for \(\mathbf {M}_2\).

In both cases, \(42\mathbf {A}_1\) can be saved for each multiplication in \(\mathbb {F}_{p^{12}}\) involving a constant term if its traces are precomputed. This is about \(20\%\) of the total number of additions in \(\mathbf {M}_{12}\) which is significant if the relative cost of an addition compared to a multiplication in \(\mathbb {F}_p\) is not small. If \(\mathbf {A}_1>0.33\mathbf {M}_1\), the schoolbook method is used for \(\mathbb {F}_{p^2}\) multiplication and only \(24\mathbf {A}_1\) can be saved.

B Appendix

In this appendix, we give tables summarizing complexities for \(\mathbb {F}_{p^{12}}\) arithmetic if \(\mu \ne -1\) (see Sect. 3.10 for more details) (Tables 11, 12, 13, 14, 15, 16).

Table 11 \(\mathbb {F}_{p^{12}}\) complexities if \(\mu =-2\) (assuming \(\mathbf {A}_1\le 0.33\mathbf {M}_1\) if our improvements are not used)

Table 12 \(\mathbb {F}_{p^{12}}\) complexities if \(\mu =-2\) if our improvements are not used and \(\mathbf {A}_1>0.33\mathbf {M}_1\)

Table 13 \(\mathbb {F}_{p^{12}}\) complexities if \(\mu =-5\) (assuming \(\mathbf {A}_1\le 0.33\mathbf {M}_1\) if our improvements are not used)

Table 14 \(\mathbb {F}_{p^{12}}\) complexities if \(\mu =-5\) if our improvements are not used and \(\mathbf {A}_1>0.33\mathbf {M}_1\)

Table 15 \(\mathbb {F}_{p^{12}}\) complexities if \(\mu \) is large (assuming \(\mathbf {A}_1\le 0.33\mathbf {M}_1\) if our improvements are not used)

Table 16 \(\mathbb {F}_{p^{12}}\) complexities if \(\mu \) is large if our improvements are not used and \(\mathbf {A}_1>0.33\mathbf {M}_1\)