Cryptology ePrint Archive: Report 2015/1212

Choosing and generating parameters for low level pairing implementation on BN curves

Sylvain Duquesne and Nadia El Mrabet and Safia Haloui and Franck Rondepierre

Abstract: Many hardware and software pairing implementations can be found in the literature and some pairing friendly parameters are given. However, depending on the situation, it could be useful to generate other nice parameters (e.g. resistance to subgroup attacks, larger security levels, database of pairing friendly curves). The main purpose of this paper is to describe explicitly and exhaustively what should be done to generate the best possible parameters and to make the best choices depending on the implementation context (in terms of pairing algorithm, ways to build the tower field, $\mathbb{F}_{p^{12}}$ arithmetic, groups involved and their generators, system of coordinates).

We focus on low level implementations, assuming that $\mathbb{F}_p$ additions have a significant cost compared to other $\mathbb{F}_p$ operations. However, the results obtained are still valid in the case where $\mathbb{F}_p$ additions can be neglected. We also explain why the best choice for the polynomials defining the tower field $\mathbb{F}_{p^{12}}$ is only depending on the value of the BN parameter $u$ modulo small integers like $12$ as a nice application of old elementary arithmetic results. Moreover, we use this opportunity to give some new improvements on $\mathbb{F}_{p^{12}}$ arithmetic (in a pairing context) in terms of $\mathbb{F}_p$-addition allowing to save around $10\%$ of them depending on the context.

Category / Keywords: pairing

Date: received 18 Dec 2015, last revised 21 Dec 2015

Contact author: sylvain duquesne at univ-rennes1 fr

Available format(s): PDF | BibTeX Citation

Note: abstract in the paper was completly wrong (it was not the last version)

Version: 20151221:180434 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]