Security Analysis of Pairing-based Cryptography

TL;DR

This paper systematically reviews the security of pairing-based cryptography using NFS algorithms, revealing that some standardized curves are less secure than previously thought and providing recommendations for optimal curve choices based on security levels.

Contribution

It provides the first comprehensive security evaluation of standardized pairing-friendly curves using advanced NFS algorithms and offers practical recommendations for selecting efficient curves at various security levels.

Findings

BN256 curves have only 99.92 bits of security, below the 128-bit standard.

BLS12 and BLS24 are optimal for 128-bit security levels.

BLS24 offers best efficiency for security levels of 160, 192, and 256 bits.

Abstract

Recent progress in number field sieve (NFS) has shaken the security of Pairing-based Cryptography. For the discrete logarithm problem (DLP) in finite field, we present the first systematic review of the NFS algorithms from three perspectives: the degree $\alpha$, constant $c$, and hidden constant $o(1)$ in the asymptotic complexity $L_Q\left(\alpha,c\right)$ and indicate that further research is required to optimize the hidden constant. Using the special extended tower NFS algorithm, we conduct a thorough security evaluation for all the existing standardized PF curves as well as several commonly utilized curves, which reveals that the BN256 curves recommended by the SM9 and the previous ISO/IEC standard exhibit only 99.92 bits of security, significantly lower than the intended 128-bit level. In addition, we comprehensively analyze the security and efficiency of BN, BLS, and KSS curves for different security levels. Our analysis suggests that the BN curve exhibits superior efficiency for security strength below approximately 105 bit. For a 128-bit security level, BLS12 and BLS24 curves are the optimal choices, while the BLS24 curve offers the best efficiency for security levels of 160bit, 192bit, and 256bit.