Pairing-Friendly Elliptic Curves: Revisited Taxonomy, Attacks and Security Concern

TL;DR

This paper revisits the selection and classification of pairing-friendly elliptic curves, expanding existing taxonomy, analyzing security against recent attacks, and proposing better alternatives based on security and efficiency considerations.

Contribution

It expands the classification of pairing-friendly curves, introduces new families, and evaluates their security and efficiency against recent attacks.

Findings

New families of pairing-friendly curves identified.

Some families outperform BN, KSS, and BLS in security and key size.

Recent attacks necessitate larger key sizes for certain curves.

Abstract

Major families of pairing-friendly elliptic curves, including BN, BLS12, BLS24, KSS16, and KSS18 have recently been vulnerable to number field sieve (NFS) attacks. Due to the recent attacks on discrete logs in F_(q^k ), selecting such curves became relevant again. This paper revisited the topic of selecting pairing-friendly curves at different security levels. First, we expanded the classification given by Freeman et al. [1] by identifying new families that were not previously mentioned, such as a complete family with variable differentiation and new sparse families of curves. We discussed individual curves and a comprehensive framework for constructing parametric families. We estimated the security and assessed families of the pairing-friendly curve to discover families of curves better than BN, KSS, and BLS in terms of the required key size. We also evaluated the complexity of the optimal ate pairing that has never been discussed before, except by Barbulescu et al. [2]. We demonstrated that the recent attack (TNFS) on pairing needs to increase the key size. We compared families of curves in the context of key size and selected a suitable alternative to an elliptic curve.