Choosing and generating parameters for pairing implementation on BN curves

Because pairings have many applications, many hardware and software pairing implementations can be found in the literature. However, the parameters generally used have been invalidated by recent results on the discrete logarithm problem over pairing-friendly elliptic curves (Kim and Barbulescu, CRYPTO 2016, volume 9814 of Lecture Notes in Computer Science, Springer, Berlin, pp. 543–571, 2016). New parameters must be generated to ensure enough security in pairing-based protocols. More generally, it can be useful to generate good pairing parameters in many real-world applications (a specific security level, resistance to specific attacks on a protocol, a database of curves). The main purpose of this paper is to describe explicitly and exhaustively what should be done to generate the best possible parameters and to make the best choices depending on the implementation context (pairing algorithm, ways to build the tower field, $\mathbb{F}_{p^{12}}$ arithmetic, the groups involved and their generators, system of coordinates). We focus on low-level implementations, assuming that $\mathbb{F}_p$ additions have a significant cost compared to other $\mathbb{F}_p$ operations; our results remain valid if $\mathbb{F}_p$ additions can be neglected. We also explain why the best choice for the polynomials defining the tower field $\mathbb{F}_{p^{12}}$ depends only on the value of the BN parameter u modulo small integers (such as 12), as a nice application of old elementary arithmetic results. This should allow a faster generation of this parameter. Moreover, we use this opportunity to give some slight new improvements on $\mathbb{F}_{p^{12}}$ arithmetic (in a pairing context).
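The dependence on u modulo small integers, as an added example (my code, not the paper's): with the standard BN polynomial $p(u) = 36u^4 + 36u^3 + 24u^2 + 6u + 1$, $p \bmod 4$ and $p \bmod 8$ are fixed by $u \bmod 4$, which decides whether $-1$ and $2$ are squares in $\mathbb{F}_p$ and therefore whether the usual tower $\mathbb{F}_{p^2} = \mathbb{F}_p[i]/(i^2+1)$, $\mathbb{F}_{p^{12}} = \mathbb{F}_{p^2}[w]/(w^6 - (1+i))$ is available. The block generates $p$, $n$, $t$ from $u$, tests primality, and runs the residuosity checks in $\mathbb{F}_{p^2}$; the value $u = -(2^{62}+2^{55}+1)$ is the published BN254 parameter, and the function names are my own.

```python
# Added example, not the paper's code: BN parameters from u and the tower-field checks.
import random

def bn_params(u):
    """Standard BN polynomials: p(u), n(u) = #E(F_p), trace t(u)."""
    p = 36*u**4 + 36*u**3 + 24*u**2 + 6*u + 1
    t = 6*u**2 + 1
    return p, p + 1 - t, t

def is_probable_prime(m, rounds=32):
    """Miller-Rabin, enough for a parameter-search sanity check."""
    if m < 4 or m % 2 == 0:
        return m in (2, 3)
    d, s = m - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, m - 1), d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False
    return True

def fp2_mul(x, y, p):
    """F_{p^2} = F_p[i]/(i^2 + 1), elements as pairs (a, b) = a + b*i."""
    (a, b), (c, d) = x, y
    return ((a*c - b*d) % p, (a*d + b*c) % p)

def fp2_pow(x, e, p):
    r, base = (1, 0), x
    while e:
        if e & 1:
            r = fp2_mul(r, base, p)
        base, e = fp2_mul(base, base, p), e >> 1
    return r

def tower_choice(u):
    """(p mod 8, -1 a non-square in F_p, 1+i neither a square nor a cube in F_{p^2})."""
    p, _, _ = bn_params(u)
    if p % 4 != 3:            # p = 2u+1 (mod 4): i^2 = -1 defines F_{p^2} only for odd u
        return p % 8, False, None
    xi, q2 = (1, 1), p*p - 1
    sq = fp2_pow(xi, q2 // 2, p) == (1, 0)  # Euler criterion in F_{p^2}
    cb = fp2_pow(xi, q2 // 3, p) == (1, 0)  # 3 | p^2 - 1 since p = 1 (mod 3)
    return p % 8, True, not sq and not cb   # last flag: w^6 - xi irreducible over F_{p^2}
```

For odd u, $(1+i)^{p+1} = 2$ in $\mathbb{F}_p$, so the last flag reduces to 2 being neither a square nor a cube modulo p; the square part is read off $p \bmod 8$, i.e. $u \bmod 4$.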

[1] Koray Karabina. Squaring in cyclotomic subgroups. Math. Comput., 2013.

[2] Hyang-Sook Lee et al. Efficient and Generalized Pairing Computation on Abelian Varieties. IEEE Transactions on Information Theory, 2009.

[3] Antoine Joux et al. A New Index Calculus Algorithm with Complexity $L(1/4+o(1))$ in Small Characteristic. Selected Areas in Cryptography, 2013.

[4] P. L. Montgomery. Speeding the Pollard and elliptic curve methods of factorization. 1987.

[5] Chik How Tan et al. Speeding up Ate Pairing Computation in Affine Coordinates. IACR Cryptol. ePrint Arch., 2013.

[6] Paulo S. L. M. Barreto et al. Efficient pairing computation on supersingular Abelian varieties. IACR Cryptol. ePrint Arch., 2007.

[7] Florian Hess et al. Pairing Lattices. Pairing, 2008.

[8] Paul Barrett et al. Implementing the Rivest Shamir and Adleman Public Key Encryption Algorithm on a Standard Digital Signal Processor. CRYPTO, 1986.

[9] Rudolf Lidl et al. Finite fields. 1983.

[10] P. L. Montgomery. Modular multiplication without trial division. 1985.

[11] Alfred Menezes et al. Pairing-Based Cryptography at High Security Levels. IMACC, 2005.

[12] Paulo S. L. M. Barreto et al. Subgroup Security in Pairing-Based Cryptography. LATINCRYPT, 2015.

[13] Frederik Vercauteren et al. Optimal Pairings. IEEE Transactions on Information Theory, 2010.

[14] Donald E. Knuth et al. The Art of Computer Programming, Vol. 2: Seminumerical Algorithms. 1981.

[15] Vincent Verneuil et al. Atomicity Improvement for Elliptic Curve Scalar Multiplication. CARDIS, 2010.

[16] Ricardo Dahab et al. Multiplication and Squaring on Pairing-Friendly Fields. IACR Cryptol. ePrint Arch., 2006.

[17] Eiji Okamoto et al. Optimised Versions of the Ate and Twisted Ate Pairings. IMACC, 2007.

[18] Marc Joye et al. Pairing-Based Cryptography - Pairing 2010 - 4th International Conference, Yamanaka Hot Spring, Japan, December 2010. Proceedings. Pairing, 2010.

[19] Ingrid Verbauwhede et al. FPGA Implementation of Pairings Using Residue Number System and Lazy Reduction. CHES, 2011.

[20] Sylvain Duquesne et al. Memory-saving computation of the pairing final exponentiation on BN curves. Groups Complex. Cryptol., 2015.

[21] Paulo S. L. M. Barreto et al. The Realm of the Pairings. IACR Cryptol. ePrint Arch., 2013.

[22] Patrick Longa et al. Faster Explicit Formulas for Computing Pairings over Ordinary Curves. EUROCRYPT, 2011.

[23] Michael Naehrig et al. An Analysis of Affine Coordinates for Pairing Computation. Pairing, 2010.

[24] K. Gandhi. Primes of the form $x^2 + ny^2$. 2012.

[25] Chae Hoon Lim et al. A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroup. CRYPTO, 1997.

[26] Matthew K. Franklin et al. Identity-Based Encryption from the Weil Pairing. CRYPTO, 2001.

[27] Tanja Lange et al. Handbook of Elliptic and Hyperelliptic Curve Cryptography. 2005.

[28] Paulo S. L. M. Barreto et al. Efficient Algorithms for Pairing-Based Cryptosystems. CRYPTO, 2002.

[29] H. Dubner et al. Primes of the form . 2000.

[30] M. Anwar Hasan et al. Asymmetric Squaring Formulae. 18th IEEE Symposium on Computer Arithmetic (ARITH '07), 2007.

[31] Yasuyuki Nogami et al. Integer Variable chi-Based Ate Pairing. Pairing, 2008.

[32] Brent Waters et al. Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys. CRYPTO, 2005.

[33] Peter Schwabe et al. New Software Speed Records for Cryptographic Pairings. LATINCRYPT, 2010.

[34] Francisco Rodríguez-Henríquez et al. Faster Hashing to $\mathbb{G}_2$. Selected Areas in Cryptography, 2011.

[35] Alfred Menezes et al. Challenges with Assessing the Impact of NFS Advances on the Security of Pairing-Based Cryptography. Mycrypt, 2016.

[36] Thomas Unterluggauer et al. Efficient Pairings and ECC for Embedded Systems. IACR Cryptol. ePrint Arch., 2014.

[37] Tanja Lange et al. Faster Pairing Computations on Curves with High-Degree Twists. Public Key Cryptography, 2010.

[38] Paulo S. L. M. Barreto et al. Pairing-Friendly Elliptic Curves of Prime Order. Selected Areas in Cryptography, 2005.

[39] Paulo S. L. M. Barreto et al. A family of implementation-friendly BN elliptic curves. J. Syst. Softw., 2011.

[40] M. Scott. Implementing cryptographic pairings. 2007.

[41] Victor S. Miller et al. The Weil Pairing, and Its Efficient Calculation. Journal of Cryptology, 2004.

[42] Michael Naehrig et al. Affine Pairings on ARM. Pairing, 2012.

[43] 晋輝 趙 et al. H. Cohen, G. Frey, R. Avanzi, C. Doche, T. Lange, K. Nguyen and F. Vercauteren (eds.): Handbook of Elliptic and Hyperelliptic Curve Cryptography, Discrete Math. Appl. (Boca Raton), Chapman & Hall/CRC, 2006, xxxiv + 808 pages. 2009.

[44] Razvan Barbulescu et al. Extended Tower Number Field Sieve: A New Complexity for the Medium Prime Case. CRYPTO, 2016.

[45] Reza Azarderakhsh et al. Efficient Implementation of Bilinear Pairings on ARM Processors. Selected Areas in Cryptography, 2012.

[46] K. Conrad et al. Finite Fields. Series and Products in the Development of Mathematics, 2018.

[47] Frederik Vercauteren et al. The Eta Pairing Revisited. IEEE Transactions on Information Theory, 2006.

[48] Michael Scott et al. Faster Squaring in the Cyclotomic Subgroup of Sixth Degree Extensions. IACR Cryptol. ePrint Arch., 2009.

[49] Antoine Joux et al. A Heuristic Quasi-Polynomial Algorithm for Discrete Logarithm in Finite Fields of Small Characteristic. EUROCRYPT, 2014.

[50] Michael Scott et al. On the Final Exponentiation for Calculating Pairings on Ordinary Elliptic Curves. Pairing, 2009.

[51] Franck Rondepierre. Revisiting Atomic Patterns for Scalar Multiplications on Elliptic Curves. CARDIS, 2013.

[52] Arjen K. Lenstra et al. Efficient Subgroup Exponentiation in Quadratic and Sixth Degree Extensions. CHES, 2002.

[53] Paulo S. L. M. Barreto et al. Compressed Pairings. CRYPTO, 2004.