Paper 2024/1223

A short-list of pairing-friendly curves resistant to the Special TNFS algorithm at the 192-bit security level

Diego F. Aranha, Aarhus University
Georgios Fotiadis, University of Luxembourg
Aurore Guillevic, Aarhus University, Université de Lorraine, CNRS, Inria, LORIA, Univ Rennes, Inria, CNRS, IRISA
Abstract

For more than two decades, pairings have been a fundamental tool for designing elegant cryptosystems, varying from digital signature schemes to more complex privacy-preserving constructions. However, the advancement of quantum computing threatens to undermine public-key cryptography. Concretely, it is widely accepted that a future large-scale quantum computer would be capable to break any public-key cryptosystem used today, rendering today's public-key cryptography obsolete and mandating the transition to quantum-safe cryptographic solutions. This necessity is enforced by numerous recognized government bodies around the world, including NIST which initiated the first open competition in standardizing post-quantum (PQ) cryptographic schemes, focusing primarily on digital signatures and key encapsulation/public-key encryption schemes. Despite the current efforts in standardizing PQ primitives, the landscape of complex, privacy-preserving cryptographic protocols, e.g., zkSNARKs/zkSTARKs, is at an early stage. Existing solutions suffer from various disadvantages in terms of efficiency and compactness and in addition, they need to undergo the required scrutiny to gain the necessary trust in the academic and industrial domains. Therefore, it is believed that the migration to purely quantum-safe cryptography would require an intermediate step where current classically secure protocols and quantum-safe solutions will co-exist. This is enforced by the report of the Commercial National Security Algorithm Suite version 2.0, mandating transition to quantum-safe cryptographic algorithms by 2033 and suggesting to incorporate ECC at 192-bit security in the meantime. To this end, the present paper aims at providing a comprehensive study on pairings at 192-bit security level. We start with an exhaustive review in the literature to search for all possible recommendations of such pairing constructions, from which we extract the most promising candidates in terms of efficiency and security, with respect to the advanced Special TNFS attacks. Our analysis is focused, not only on the pairing computation itself, but on additional operations that are relevant in pairing-based applications, such as hashing to pairing groups, cofactor clearing and subgroup membership testing. We implement all functionalities of the most promising candidates within the RELIC cryptographic toolkit in order to identify the most efficient pairing implementation at 192-bit security and provide extensive experimental results.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Preprint.
Keywords
pairing-friendly curvesSNARKTNFS
Contact author(s)
dfaranha @ cs au dk
georgios fotiadis @ uni lu
aurore guillevic @ inria fr
History
2024-07-31: approved
2024-07-31: received
See all versions
Short URL
https://ia.cr/2024/1223
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2024/1223,
      author = {Diego F. Aranha and Georgios Fotiadis and Aurore Guillevic},
      title = {A short-list of pairing-friendly curves resistant to the Special {TNFS} algorithm at the 192-bit security level},
      howpublished = {Cryptology ePrint Archive, Paper 2024/1223},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/1223}},
      url = {https://eprint.iacr.org/2024/1223}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.