Paper 2016/472

Adequate Elliptic Curve for Computing the Product of n Pairings

Loubna Ghammam and Emmanuel Fouotsa


Many pairing-based protocols require the computation of the product and/or of a quotient of n pairings where n > 1 is a natural integer. Zhang et al.[1] recently showed that the Kachisa-Schafer and Scott family of elliptic curves with embedding degree 16 denoted KSS16 at the 192-bit security level is suitable for such protocols comparatively to the Baretto- Lynn and Scott family of elliptic curves of embedding degree 12 (BLS12). In this work, we provide important corrections and improvements to their work based on the computation of the optimal Ate pairing. We focus on the computation of the nal exponentiation which represent an important part of the overall computation of this pairing. Our results improve by 864 multiplications in Fp the computations of Zhang et al.[1]. We prove that for computing the product or the quotient of 2 pairings, BLS12 curves are the best solution. In other cases, specially when n > 2 as mentioned in [1], KSS16 curves are recommended for computing product of n pairings. Furthermore, we prove that the curve presented by Zhang et al.[1] is not resistant against small subgroup attacks. We provide an example of KSS16 curve protected against such attacks.

Available format(s)
Publication info
Preprint. MINOR revision.
BN curvesKSS16 curvesBLS curvesoptimal Ate pair- ingproduct of n pairingssubgroup attacks.
Contact author(s)
ghammam loubna @ yahoo fr
2016-05-17: received
Short URL
Creative Commons Attribution


      author = {Loubna Ghammam and Emmanuel Fouotsa},
      title = {Adequate Elliptic Curve for Computing the Product of n Pairings},
      howpublished = {Cryptology ePrint Archive, Paper 2016/472},
      year = {2016},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.