Cryptology ePrint Archive: Report 2019/485

A taxonomy of pairings, their security, their complexity

Razvan Barbulescu and Nadia El Mrabet and Loubna Ghammam

Abstract: A recent NFS attack against pairings made it necessary to increase the key sizes of the most popular families of pairings : BN, BLS12, KSS16, KSS18 and BLS24. The attack applies to other families of pairings but not to all. In this paper we compute the key sizes required for more than 150 families of pairings to verify if there are any other families which are better than BN. The security estimation is not straightforward because it is not a mathematical formula, but rather one has to instantiate the Kim-Barbulescu attack by proposing polynomials and parameters.

After estimating the practical security of an extensive list of families, we compute the complexity of the optimal Ate pairing at 128 and 192 bits of security. For some of the families the optimal Ate has never been studied before. We show that a number of families of embedding degree 9, 14 and 15 are very competitive with $BN$, $BLS12$ and $KSS16$ at 128 bits of security. We identify a set of candidates for 192 bits and 256 bits of security.

Category / Keywords: public-key cryptography / Discrete Logarithm Problem; Number Field Sieve; Elliptic Curves; Pairings

Date: received 12 May 2019, last revised 15 May 2019

Contact author: ghammam loubna at gmail com

Available format(s): PDF | BibTeX Citation

Version: 20190515:111835 (All versions of this report)

Short URL: ia.cr/2019/485


[ Cryptology ePrint archive ]