International Association for Cryptologic Research (IACR)
Abstract
Since 2015, there has been a significant decrease in the asymptotic complexity of computing discrete logarithms in finite fields. As a result, the key sizes of many mainstream pairing-friendly curves have to be updated to maintain the desired security level. In PKC'20, Guillevic conducted a comprehensive assessment of the security of a series of pairing-friendly curves with embedding degrees ranging from 9 to 17. In this paper, we focus on pairing-friendly curves with embedding degrees of 10 and 14. First, we extend the optimized formula of the optimal pairing on BW13-310, a 128-bit secure curve with a 310-bit prime p and embedding degree 13, to our target curves. This generalization allows us to compute the optimal pairing in approximately log r / (2φ(k)) Miller iterations, where r and k are the order of pairing groups and the embedding degree respectively. Second, we develop optimized algorithms for cofactor multiplication for G1 and G2, as well as subgroup membership testing for G2 on these curves. Based on these theoretical results, a new 128-bit secure curve emerges: BW14-351.
Finally, we provide detailed performance comparisons between BW14-351 and other popular curves on a 64-bit platform in terms of pairing computation, hashing to G1 and G2, group exponentiations and subgroup membership testing. Our results demonstrate that BW14-351 is a strong candidate for building pairing-based cryptographic protocols.