Cryptology ePrint Archive: Report 2016/472

Adequate Elliptic Curve for Computing the Product of n Pairings

Loubna Ghammam and Emmanuel Fouotsa

Abstract: Many pairing-based protocols require the computation of the product and/or of a quotient of n pairings where n > 1 is a natural integer. Zhang et al.[1] recently showed that the Kachisa-Schafer and Scott family of elliptic curves with embedding degree 16 denoted KSS16 at the 192-bit security level is suitable for such protocols comparatively to the Baretto- Lynn and Scott family of elliptic curves of embedding degree 12 (BLS12). In this work, we provide important corrections and improvements to their work based on the computation of the optimal Ate pairing. We focus on the computation of the nal exponentiation which represent an important part of the overall computation of this pairing. Our results improve by 864 multiplications in Fp the computations of Zhang et al.[1]. We prove that for computing the product or the quotient of 2 pairings, BLS12 curves are the best solution. In other cases, specially when n > 2 as mentioned in [1], KSS16 curves are recommended for computing product of n pairings. Furthermore, we prove that the curve presented by Zhang et al.[1] is not resistant against small subgroup attacks. We provide an example of KSS16 curve protected against such attacks.

Category / Keywords: foundations / BN curves, KSS16 curves, BLS curves, optimal Ate pair- ing, product of n pairings, subgroup attacks.

Date: received 17 May 2016

Contact author: ghammam loubna at yahoo fr

Available format(s): PDF | BibTeX Citation

Version: 20160517:151719 (All versions of this report)

Short URL: ia.cr/2016/472