**Choosing and generating parameters for low level pairing implementation on BN curves**

*Sylvain Duquesne and Nadia El Mrabet and Safia Haloui and Franck Rondepierre*

**Abstract: **Many hardware and software pairing implementations can be found in the literature and some pairing friendly parameters are given. However, depending on the situation, it could be useful to generate other nice parameters (e.g. resistance to subgroup attacks, larger security levels, database of pairing friendly curves). The main purpose of this paper is to describe explicitly and exhaustively what should be done to generate the best possible parameters and to make the best choices depending on the implementation context (in terms of pairing algorithm, ways to build the tower field, $\mathbb{F}_{p^{12}}$ arithmetic, groups involved and their generators, system of coordinates).

We focus on low level implementations, assuming that $\mathbb{F}_p$ additions have a significant cost compared to other $\mathbb{F}_p$ operations. However, the results obtained are still valid in the case where $\mathbb{F}_p$ additions can be neglected. We also explain why the best choice for the polynomials defining the tower field $\mathbb{F}_{p^{12}}$ is only depending on the value of the BN parameter $u$ modulo small integers like $12$ as a nice application of old elementary arithmetic results. Moreover, we use this opportunity to give some new improvements on $\mathbb{F}_{p^{12}}$ arithmetic (in a pairing context) in terms of $\mathbb{F}_p$-addition allowing to save around $10\%$ of them depending on the context.

**Category / Keywords: **pairing

**Date: **received 18 Dec 2015, last revised 21 Dec 2015

**Contact author: **sylvain duquesne at univ-rennes1 fr

**Available format(s): **PDF | BibTeX Citation

**Note: **abstract in the paper was completly wrong (it was not the last version)

**Version: **20151221:180434 (All versions of this report)

**Short URL: **ia.cr/2015/1212

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]