Attractive Subfamilies of BLS Curves for Implementing High-Security Pairings

Transcription

1 Attractive Subfamilies of BLS Curves for Implementing High-Security Pairings Craig Costello,2, Kristin Lauter 2, and Michael Naehrig 2,3 Information Security Institute Queensland University of Technology, GPO Box 2434, Brisbane QLD 400, Australia 2 Microsoft Research One Microsoft Way, Redmond, WA 98052, USA 3 Department of Mathematics and Computer Science Technische Universiteit Eindhoven, P.O. Box 53, 5600 MB Eindhoven, Netherlands Abstract. Barreto-Lynn-Scott (BLS) curves are a stand-out candidate for implementing high-security pairings. This paper shos that particular choices of the pairing-friendly search parameter give rise to four subfamilies of BLS curves, all of hich offer highly efficient and implementationfriendly pairing instantiations. Curves from these particular subfamilies are defined over prime fields that support very efficient toering options for the full extension field. The coefficients for a specific curve and its correct tist are automatically determined ithout any computational effort. The choice of an extremely sparse search parameter is immediately reflected by a highly efficient optimal ate Miller loop and final exponentiation. As a resource for implementors, e give a list ith examples of implementation-friendly BLS curves through several high-security levels. Keyords: Pairing-friendly, high-security pairings, BLS curves. Introduction Current public-key security recommendations have influenced a concentrated effort from the pairing-based community toards optimiing the implementation of pairings on Barreto-Naehrig (BN) curves [4]. Indeed, aside from an array of many other attractive properties (see [20, 23] for more details), BN curves are perfectly suited to the security level of 28 bits (cf. [2], [32], and [2,.]), since they achieve an optimal balance beteen the necessary sies of the three groups involved in the pairing e : G G 2 G T. The BN pairing speed record of 0 million cycles set by Hankerson et al. in 2008 [4] stood until mid 200, hen Acknoledges funding from the Australian-American Fulbright Commission, the Queensland Government Smart State PhD Scholarship, and an Australian Postgraduate Aard.

2 three papers appeared in rapid succession [22, 7, ], each one shaving more time off the previous record and pushing the limit of efficiency at this security level. This ork as pinnacled by Aranha et al. [], ho applied a combination of improvements to accelerate the entire pairing computation to less than 2 million cycles. As implementors seemingly converge toards a satisfaction asymptote at the 28-bit security level, the focus is no beginning to shift to optimiing pairings at higher security levels. As Scott details [25], scaling security in pairing-based cryptography is fundamentally different than doing so in traditional public-key protocols that only require one group definition. Whilst increasing the security of other number theoretic protocols usually requires an increase in the sie of the modulus, an optimied scaling in the context of pairing-based cryptography can be achieved by increasing the embedding degree. Utiliing the flexibility of a higher embedding degree allos an implementor to inflate the sie of the finite field target group G T at a greater rate than the corresponding inflation in the elliptic curve groups G and G 2, paying respect to the faster subexponential attacks that must be resisted in G T. Stepping up to a significantly higher security level therefore calls for a different family of pairing-friendly elliptic curves altogether, and although many of the previous optimiations (e.g. for BN curves) can be immediately or easily transferred to computing pairings on the ne curves, there are naturally ne issues that arise hen advancing toards a thorough optimiation. This ork focuses on pairings that employ the Barreto-Lynn-Scott (BLS) family ith k = 24 [3] (see also [2, 6.6]). The BLS family has already been identified as the prime candidate for 256-bit secure pairings by Scott [27], ho no holds the current softare speed record at this level. The aim of this paper is to provide some of the finer details that ill begin to pave the ay for implementors ho may ish to further accelerate the state-of-the-art timings on BLS curves. The bulk of our discussion is motivated by Pereira et al. s ork in the case of BN curves [23], here they detail a very simple method of generating highly optimal instantiations of implementation-friendly BN curves. With the same intent, e point out four highly attractive subfamilies of BLS curves that facilitate very efficient instantiations of high-security pairings. The proposed curves are found by restricting the search parameter x in the polynomial representation to any one of four specific congruency classes, namely x 0 7, 6, 3, 64 (mod 72). These choices result in prime fields of characteristic p 9 (mod 24), hich in turn leads to three very efficient toering options for the full extension field F p 24. We sho that all curves found in any of the proposed subfamilies can immediately be given by the same short Weierstraß equation over F p, and the unique sextic tist E of correct order for use in the ate pairing setting is automatically determined. Not only is there no computational effort necessary to rite don the curve equations once the prime p is found, both E and E can be represented very compactly by the polynomial parameter x 0 alone. We give some details on line function computation and discuss an efficient version of the hard part in the final exponentiation. As a resource for implementors,

3 e give elaborate lists of example curves covering a range of high-security levels beteen 92- and 320-bit security, including the dedicated BLS security level of 256 bits. We have chosen the examples ith a very sparse parameter x hich leads to a lo number of addition steps in the Miller loop and simultaneously very efficient exponentiations by x, hich are needed in the final exponentiation. The remainder of this paper is organied as follos. Section 2 gives a brief background on the BLS family for embedding degree k = 24 and on computing optimal pairings on BLS curves. Section 3 describes the proposed implementationfriendly subfamilies of BLS curves, hilst Section 4 details some choices that can facilitate more simple pairing code. In Section 5 e apply the ork of Scott et al. [29] to give details on the final exponentiation routine. Lists of example curves at several security levels are presented in Section 6. Finally, Appendix A provides timing results of a C implementation of the optimal ate pairing on BLS curves. 2 Background The BLS family ith embedding degree 24. In [3], Barreto, Lynn and Scott propose polynomial parametriations for certain complete pairing-friendly curve families for specific fixed embedding degrees. All curves belonging to one of these so-called cyclotomic families have CM discriminant D = 3 (i.e. j-invariant j = 0) and can be given by a short Weierstraß equation E : y 2 = x 3 + b. For embedding degree k = 24, the Barreto-Lynn-Scott (BLS) family is given by the folloing parametriation (see also [2, Construction 6.6]): p(x) = (x ) 2 (x 8 x 4 + )/3 + x, r(x) = x 8 x 4 +, n(x) = (x ) 2 (x 8 x 4 + )/3, t(x) = x +, f(x) = (x )(2x 4 )/3. () Finding a specific BLS curve is achieved by running through integer values x 0 (mod 3) until p(x 0 ) and r(x 0 ) are both prime (note that x 0 (mod 3) leads to all involved parameters being integers). For each set of parameters, there exists an elliptic curve E over F p such that #E(F p ) = n(x 0 ). The correct curve E can be found by trying different values for b (i.e. different tists) and checking for the right group order. Another alternative is to compute the coefficient by the algorithm described in [24]. Since r(x 0 ) n(x 0 ), there is a subgroup of E(F p ) of prime order r(x 0 ). The CM discriminant is D = 3 because 4p(x 0 ) t(x 0 ) 2 = 3f(x 0 ) 2. The family has a ρ-value of ρ = deg(p)/ deg(r) =.25. BLS curves achieve the smallest ρ-value for k = 24 (see [2, Section 8]); they have tists of degree 6 and allo for many optimiations hen computing pairings, similar to Barreto-Naehrig (BN) curves. A particularly nice property is that the ate pairing [5] already provides an optimal pairing [33]. The number of iterations in Miller s algorithm to compute the ate pairing is log(t(x 0 ) ) = log(x 0 ) log(r(x 0 ))/ϕ(k) = log(r(x 0 ))/8. According to key sie recommendations in [2], [32], and [2, Section ], BLS curves are a good choice for pairings at the high-security 256-bit level. Indeed,

4 Scott [27] recently demonstrated an efficient implementation of pairings on BLS curves at that level. An optimal ate pairing. We no briefly recall the ate pairing on BLS curves and the arithmetic that is involved in its computation. Let E/F p be a BLS curve ith parameters constructed as above given an integer x 0 (mod 3), i.e. p = p(x 0 ), r = r(x 0 ) and so forth. Then there exists a unique tist E /F p 4 ith r #E (F p 4) ith tisting isomorphism ψ : E E over F p 4. Let us define the usual groups G = E(F p )[r] and G 2 = ker(φ p [p]) E(F p 24)[r] as the - and p-eigenspaces of the Frobenius endomorphism φ p on E[r]. Let the group G 2 = ψ (G 2 ) be the preimage of G 2 under ψ. Let T = t. As outlined in [9], e can either compute the original ate pairing a T : G 2 G F p 24, (Q, P ) f T,ψ(Q )(P ) p24 r, by untisting Q for the computation of f T,ψ(Q ); or e can compute a T : G 2 G F p 24, (Q, P ) f T,Q (ψ (P )) p24 r, i.e. compute entirely on the tist by tisting P to E. A function f T,R (S) for points R, S on E or E as above is computed ith Miller s algorithm [9]. It involves curve arithmetic in G 2, i.e. doubling and addition of points on the curve E over the field F p 4 and the computation of line functions from points in G 2 evaluated at a point in G or its preimage under ψ. The computations in F p 4 for point doubling and addition and for obtaining the corresponding line function coefficients share partial results and are thus usually optimied together. Depending on the context in hich the pairing is used and the computing platform, one needs to choose beteen affine and different variants of projective coordinates to find the best formulas for these operations. The function f T,R (S) is built up by accumulating the line function values. This requires efficient squaring and multiplication-by-line-function operations in the full extension field F p 24. The final exponentiation on elements in F p has a 24 fixed exponent and it is possible to use specialied more efficient squaring operations as ell as other optimiations [3, 7, ]. Full extension field arithmetic needs to be particularly efficient as pairing efficiency strongly depends on it. It is therefore important to ork ith a ell-chosen extension field toer [6]. 3 Particularly friendly subfamilies In this section e sho that specialiing the congruency classes of the curvefinding search parameter gives rise to four subfamilies of k = 24 BLS curves that are highly efficient in terms of all operations required in a pairing computation. Specifically, e sho that rather than searching ith x 0 (mod 3), searching ith any of x 0 7, 6, 3, 64 (mod 72) guarantees that the curves found offer (among other things) the folloing advantages.

5 The curve constant b is immediately determined (see Proposition 3 belo). This saves performing expensive computations that test different values of b and the corresponding group order until the correct tist is found; or the checks for quadratic and cubic residuosity and root computations for the algorithm in [24]. Highly efficient field toer options are available (see Proposition 2 belo). This facilitates very efficient field arithmetic in the full extension field (and all intermediate subfields). The correct tist is immediately determined (see Proposition 4 belo). Among other savings, having an automated and general representation for the correct tist saves group arithmetic on curves over the quartic extension field F p 4 in the generation phase. Also, the representations of the tists are alays simple and facilitate nice back-and-forth isomorphisms beteen E and E. In addition to the above efficiency benefits, generating curves ith identical or consistent parameters also offers the advantage of code reusability across different instantiations and security levels. This allos an implementor the flexibility of scaling parameter sies to better match a neighboring security level ithout changing any of the pairing code. Furthermore, having fixed coefficients for the curve and its tist leads to a very compact ay of representing the curve data. Note that in this setting, the knoledge of the generating parameter x 0 uniquely determines all information about both curves. What only remains is to give generators for the groups G and G 2, except for the case of x 0 64 (mod 72) for hich a compact generator in G is alays available as [h](3, 5) ith high probability, here h is the cofactor, i.e. [h] maps elements of E(F p ) into G. x 0 p(x 0) n(x 0) efficient E E (mod 72) (mod 72) (mod 72) toer (eq. ()) (eq. ()) (Prop. 2) (Prop. 3) (Prop. 4) y 2 = x 3 + y 2 = x 3 ± /v y 2 = x y 2 = x 3 ± 4v y 2 = x 3 + y 2 = x 3 ± v y 2 = x 3 2 y 2 = x 3 ± 2/v Table. Four attractive subfamilies of BLS curves We split the rest of this section into to subsections. The first subsection is dedicated to proving the claims in Table and shoing that taking x 0 7, 6, 3, 64 (mod 72) ill alays give rise to highly efficient BLS instantiations. The intention of the second subsection is to detail hy x 0 7, 6, 3, 64 (mod 72) reign supreme over the other possible congruence classes.

6 3. Using the four classes x 0 7, 6, 3, 64 (mod 72) We start ith a lemma that is instrumental in some of the proofs that follo. For a prime p, let QR(p) denote the set of quadratic residues modulo p. Lemma. Let x 0 Z be any of x 0 7, 6, 3, 64 (mod 72), and let p = p(x 0 ) ith p given by () be a prime. Then 2 is neither a quadratic nor a cubic residue modulo p. Proof. A simple calculation shos that for x 0 7, 6, 64 (mod 72), e have p(x 0 ) 9 (mod 72). For x 0 3 (mod 72), e have p(x 0 ) 43 (mod 72). In both cases, it is easy to deduce that 2 QR(p). It remains to sho that 2 is not a cube modulo p for each of the x 0 values. For all four cases, e use [6, Prop ], hich states that for p (mod 3), 2 is a cubic residue modulo p if and only if there exist integers C, D such that p = C D 2. According to [6, Prop ], for p (mod 3) there alays exist integers A and B such that 4p = A 2 +27B 2 and A, B are unique up to sign. Thus, if A and B in this unique representation are both even, 2 is a cube modulo p, otherise it is not. In each of the four cases x 0 7, 6, 3, 64 (mod 72), e examine A and B in terms of the polynomials from (). The CM norm equation for the BLS family is 4p = t 2 + 3f 2, here f = (x 0 )/3 (2x 4 0 ), see (). For x 0 64 (mod 72), e have f(x 0 ) 0 (mod 3) hich allos us to rite 4p(x 0 ) = t(x 0 ) (f(x 0 )/3) 2, so A = t(x 0 ) = x (mod 72) and B = f(x 0 )/3 = (x 0 )/9 (2x 4 0 ) 25 (mod 72) are both odd, meaning that for x 0 64 (mod 72), 2 is not a cubic residue modulo p(x 0 ). For the other three cases x 0 7, 6, 3 (mod 72), it is easy to sho that f(x 0 ) 0 (mod 3), so the CM equation does not directly yield A and B. The to cases x 0 7, 6 (mod 72) can be handled by considering a transformation of the CM norm as ( ) 2 ( ) 2 3f + t t f 4p = For x 0 7 (mod 72), t(x 0 ), f(x 0 ) 2 (mod 6), so that both A = (3f + t)/2 and B = (t f)/6 are integers. Furthermore, f(x 0 ) 2 mod 4 and t(x 0 ) 0 (mod 4) reveal that 3f + t 2 (mod 4) so that A is odd, from hich it follos that 2 is not a cubic residue modulo p(x 0 ) for x 0 7 (mod 72). For x 0 6 (mod 72), e have t(x 0 ), f(x 0 ) (mod 2) and t(x 0 ), f(x 0 ) 2 (mod 3). Furthermore, since t(x 0 ) (mod 4) and f(x 0 ) 3 (mod 4), again e conclude that 3f + t 2 (mod 4), meaning that A = (t 3f)/2 is odd and 2 is not a cube modulo p(x 0 ) for x 0 6 (mod 72). Finally, for x 0 3 (mod 72), e require a slightly different transformation of the CM equation as ( ) 2 ( ) 2 t 3f t + f 4p = In this case t(x 0 ) 2 (mod 6) and f(x 0 ) 4 (mod 6) so that A = (t 3f)/2 and B = (t+f)/6 are integers. Since t(x 0 ) 0 (mod 4) and f(x 0 ) 2 (mod 4),

7 it follos that A (mod 4) is odd and 2 is not cube modulo p(x 0 ) for x 0 3 (mod 72). The ideal ay to form a quadratic extension field arises hen p 3 (mod 4) hich allos us to take F p 2 = F p (u), u 2 + = 0. Operations in F p [u]/(u 2 + ) are cheaper than operations in F p [u]/(u 2 α) for any other non-residue α F p, since multiplication by α ± costs additions in F p (or see [0]). Since e have p 9 (mod 24) in all four cases, e alays have p 3 (mod 4). For the extension from F p 2 to F p 4 = F p 2(v), the ideal irreducible binomial in terms of simplicity ould be v 2 + u. Unfortunately the folloing proposition shos that if e form F p 2 as above, then this binomial cannot be used to define F p 4 (and this statement is true for any quartic extension fields, hether in the context of pairings or not). Proposition. If p 3 (mod 4), and F p 2 is constructed as F p (u), u 2 + = 0, then the polynomial x 2 + su ith s F p is reducible over F p 2. In particular, F p 4 cannot be constructed over F p 2 using a binomial of the above form. Proof. Since / QR(p), precisely one of s/2 or s/2 is a quadratic residue modulo p. In the first case, rite x 2 + su = x 2 + 2a 2 u = (x + au a)(x au + a) for s = 2a 2, a F p. In the second case, taking s = 2a 2 for some a F p gives x 2 + su = x 2 2a 2 u = (x + au + a)(x au a). Thus, x 2 + su ith s F p is reducible over F p 2. Nevertheless, a binomial that is almost as attractive in terms of efficiency is v 2 + (u + ), since multiplications by u + in F p 2 also come almost for free. The folloing proposition shos that the proposed subfamilies of BLS curves alays allo F p 4 to be constructed using this binomial. Furthermore, e also sho that the rest of the toer up to F p 24 can be constructed in three different ays; all three of hich employ optimal binomials, but may be preferred by implementors depending on various factors, such as the nature of previous pairing code, or hether compression is desired. Proposition 2. Let x 0 Z be any of x 0 7, 6, 3, 64 (mod 72). If p = p(x 0 ) given by the polynomial in () is prime, then the extension field F p 24 can be constructed using any of the folloing toering options T, T 2, T 3 : F p u 2 + F p 2 F 3 + p 8 F p 24; T, 2 +v v 2 +u+ F 6 +v p 4 F p 24; T 2, 3 +v F p 2 F p 24; T

8 Proof. For all four congruency classes x 0 7, 6, 3, 64 (mod 72), e have p(x 0 ) 9 (mod 24), so that p 3 (mod 4) and e can use F p 2 = F p (u) = F p [u]/(u 2 +). For the remaining irreducibility arguments, e make use of a theorem due to Benger and Scott [6, Thm. 4]. We immediately note that 2, 3 p. Let us compute N Fp 2 /F p ( (u + )) = N Fp 2 /F p ( )N Fp 2 /F p (u + ) = (u + ) p+ = (u + ) p (u + ) = ( u)(u + ) = 2. Since 2 is not a quadratic residue modulo p, Theorem 4 of [6] ensures that v 2 + u + is irreducible in F p 2[v] and e can construct F p 4 = F p 2[v]/(v 2 + u + ). Next, e compute N Fp 4 /F p ( v) = N Fp 4 /F p ( )N Fp 4 /F p (v) = N Fp 4 /F p (v) = v +p+p2 +p 3 = (v +p2 ) +p = (( (u + )) +p2 ) (+p)/2 = ((u + ) 2 ) (+p)/2 = (u + ) p+ = 2. Lemma tells us that 2 is neither a quadratic nor a cubic residue modulo p, and thus it follos from [6, Thm. 4] that 2 + v, 3 + v and 6 + v are all irreducible over F p 4, giving rise to the toer T 2, to T up to F p 8 and T 3 up to F p 2. For the remaining parts of T and T 3, e similarly compute N Fp 2 /F p ( ) = 2 (+p4 +p 8 )/3 and N Fp 8 /F p ( ) = 2 (+p4)/2. Since p (mod 6) for all cases, it follos that ( + p 4 + p 8 )/3 is odd and so N Fp 2 /F p ( ) is not a square in F p since 2 is not a square by Lemma. Similarly, (p 4 + )/2 (mod 3) and so N Fp 8 /F p ( ) is not a cube in F p. Therefore, [6, Thm. 4] ensures irreducibility of the remaining polynomials and completes the proof. We have no shon that once a BLS prime p is found using x 0 7, 6, 3, 64 (mod 72), a highly efficient toer is immediately available. The folloing to propositions sho that the curve constant and tisted curve are also immediate in all four cases. Proposition 3. If x 0 7, 3 (mod 72) in () produces a prime p = p(x 0 ), then the curve E/F p : y 2 = x 3 + is alays such that r = r(x 0 ) n = #E(F p ). Similarly, for x 0 6 (mod 72), the desired curve is alays E/F p : y 2 = x Finally, for x 0 64 (mod 72), the desired curve is alays E/F p : y 2 = x 3 2. Proof. It is ell knon that if g is neither a square nor a cube in F p, then all possible group orders an elliptic curve E : y 2 = x 3 + b can have over F p occur as the order of one of the 6 tists ith b {, g, g 2, g 3, g 4, g 5 }. Specifically, choosing b as exactly one of {, g, g 2, g 3, g 4, g 5 } ill give the correct number of points (cf. [3, X.5]), i.e. the curve ith r n = #E(F p ). Lemma shos that e can take g = 2, so that in all four cases the correct b is exactly one of {, 2, 4, 8, 6, 32}. For both x 0 7 (mod 72) and x 0 3 (mod 72), e have n(x 0 ) = (x 0 ) 2 (x 8 0 x )/3 2 (mod 72) from (). Thus, both cases have 2, 3 n, meaning that the correct curves E/F p necessarily contain points of order 2 and points of order 3. This implies that b is both a quadratic and cubic residue modulo p, from hich it follos that b = is the only option. For x 0 6 (mod 72), observe that n(x 0 ) 3 (mod 72) and thus the correct curve E has a point of order 3, but not a point of order 2. This rules out b =, 8, since the points (, 0) and ( 2, 0) have order 2 on the respective curves. The

9 curve E/F p : y 2 = x 3 + b has a point of order 3 if and only if b is a square in F p, hich rules out b = 2, and therefore b = 32 as ell. To rule out b = 6, e first observe that since n = n(x 0 ) 3 (mod 72), 9 n and E/F p has at most three points of order 3. If b = 6, then to such points are (0, 4) and (0, 4). It is easy to see that 3 QR(p), so let ν 2 = 3 for ν F p, and rite P = ( 4, 4ν) E(F p ) : y 2 = x An easy calculation (e.g. using point doubling formulas) shos that [2]P = ( 4, 4ν) = P, so that P has order 3, and similarly for P. Thus, there are at least four points of order 3 in F p if b = 6 contradicting 9 n, hich leaves b = 4 as the only option. For x 0 64 (mod 72), e can make use of Algorithm 3.5 in [24], here in our case U = t/2 and V = f/2. Since 2V = f(x 0 ) 0 mod 3 and 2U = t(x 0 ) = 2 mod 3, e immediately have E/F p : y 2 = x as the correct curve. Lastly, since 2 QR(p), rite µ 2 = 2 for µ F p, so that µ 6 = 8. Since E/F p : y 2 = x is isomorphic to Ẽ/F p : y 2 = x 3 + 6/µ 6 over F p, e can take b = 6/ 8 = 2 as the curve constant instead. Proposition 4. If x 0 7 (mod 72) produces the BLS curve y 2 = x 3 + described in Proposition 3, and F p 4 is constructed as in Proposition 2, then the correct sextic tist ith r = r(x 0 ) #E (F p 4) can be obtained as both E /F p 4 = y 2 = x 3 + /v and E /F p 4 : y 2 = x 3 /v. Similarly, x 0 6 mod 72 gives rise to the correct tist as both E /F p 4 : y 2 = x 3 + 4v or E /F p 4 : y 2 = x 3 4v; x 0 3 mod 72 gives rise to the correct tist as both E /F p 4 : y 2 = x 3 + v or E /F p 4 : y 2 = x 3 v; and finally, x 0 64 mod 72 gives rise to the correct tist as both E /F p 4 : y 2 = x 3 + 2/v or E /F p 4 : y 2 = x 3 2/v. Proof. We first note that = u 6 is a sixth poer in F p 2. Therefore, for b F p 4, the curves given by y 2 = x 3 + b and y 2 = x 3 b are isomorphic over F p 4. In each case the correct tist E is unique ith the property that r #E (F p 4) and it has degree 6 (see [5]). Since there are exactly to tists of E of degree 6 over F p 4, there are only to possible group orders. We have #E(F p 4) = p 4 + t 4, here t 4 can be computed from t and f (notation as before) as t 4 = (t 4 8t 2 f 2 + 9f 2 )/8 (see [3, V.2]). If e define f 4 by 4p 4 = t f 2 4, the possible group orders for the sextic tist are given in [5] as n 4, = p 4 + (3f 4 t 4 )/2, n 4,2 = p 4 + ( 3f 4 t 4 )/2. We compute both n 4, and n 4,2 as polynomials in terms of the parametriation (), and evaluate them at each of the congruency classes hich reveals opposing parities each time. The remainder of the proof is essentially the same for all four congruencies classes, so e demonstrate completely ith x 0 6 (mod 72). Taking x 0 6 (mod 72) gives n 4, 28 (mod 72) and n 4,2 49 (mod 72). In particular, n 4, is even and n 4,2 is odd in this case. From the polynomial parametriation, it is easy to check that r n 4,. Therefore, the unique sextic tist e are looking for in this case has an even group order over F p 4. Proposition 2 shos that v is neither a square nor a cube in F p 4, so the correct tist can be given as y 2 = x 3 + 4v or as y 2 = x 3 + 4v 5. We have 4v = (N Fp 4 /Fp (v)) 2 v = v 3+2p+2p2 +2p 3 as in the proof of Proposition 2. Since the

10 exponent on the right hand side of the last equation is divisible by 3, e conclude that 4v is a cube in F p 4. Similarly, one can sho that 4v 5 is not a cube. Since 4v is a cube, the curve y 2 = x 3 + 4v has a point of order 2, namely ( c, 0) ith c 3 = 4v. Hence its order is even and e have found the correct tist for x 0 6 (mod 72). The other three cases are proven analogously. 3.2 The other congruency classes We no sho hy the four congruency classes x 0 7, 6, 3, 64 (mod 72) stand out over the other congruency classes. After all, restricting x 0 (mod 3) to any or all of the proposed classes essentially discards 20 out of 24 other congruency classes modulo 72. Of course, there ill alays be examples here some of the discarded congruency classes produce curves that also perform highly efficiently. Hoever, e argue that x 0 7, 6, 3, 64 (mod 72) are the only classes for hich e can alays simultaneously guarantee the propositions in the previous subsection. Quadratic extension to F p 2: We start by eliminating the classes of x 0 mod 72 hich do not facilitate the quadratic extension as F p 2 = F p (u), u 2 + = 0. Of the 24 possible x 0 values modulo 72 in {, 4, 7,..., 67, 70}, 2 have x 0, 0 (mod 2), hich alays (undesirably) produce p (mod 2). The remaining 2 are {4, 7, 6, 9, 28, 3, 40, 43, 52, 55, 64, 67} ith x 0 = 4, 7 (mod 2), hich alays produce p(x 0 ) 7 (mod 2). Quadratic extension to F p 4: If F p 4 is to be constructed as F p 4 = F p 2(v), v 2 + u + = 0, then (refer back to the proof of Proposition 2) e can only guarantee this if N Fp 2 /F p ( (u + )) = 2 is not a quadratic residue in F p. Substituting the remaining 2 candidates for x 0 (mod 72) into () reveals only 4 possibilities for p (mod 72), those being p 7, 9, 43, 55 (mod 72). It is easy to check that only to of these have 2 / QR(p), namely p 9, 43 (mod 72). These correspond to 6 of the remaining x 0 congruencies, shrinking the pool of preferred candidates to {7, 6, 3, 40, 55, 64}. Sextic extension to F p 24: The proposed sextic extensions in Proposition 2 that employ simple binomials to form F p 24 over F p 4 require that 2 is not a cube in F p. This does not alays happen for x 0 {40, 55}. For the sake of counter examples, x 0 = (mod 72) and x 0 = (mod 72) produce BLS curves here 2 is a cube modulo p, and therefore fields hich can not use the toer in Proposition 2. Even if alternative binomials can be found in such cases, the fact that 2 is a cubic residue also affects the ease of guaranteeing the smallest identical curve constant b for all curves in the subfamily, as e ere able to do for the proposed four congruency classes in Proposition 3. For example, the smallest curve constant for the curve found ith x 0 = (mod 72) is b = 3, hilst the smallest constant for the curve found ith x 0 = (mod 72) is b = 9.

11 4 Choosing simple lines: tisting vs. untisting The aim of this short section is to detail some choices that can facilitate more simple (and theoretically faster) pairing code. For 28-bit security BN implementations, the complexity of a single Miller loop is higher than complexity of a single final exponentiation (see any of [22, 7, ]). Hoever, as the security level and embedding degree increases, a final exponentiation becomes much more costly than a Miller loop [] (or see our timings in Appendix A). This could influence implementors paying less attention to more complicated subtleties ithin the Miller loop, like adopting projective coordinates, and instead focusing on speedups ithin the exponentiation routine. On the other hand, a large number of recent pairing protocols like attribute-based encryption (ABE) require many Miller loops for each exponentiation (see Scott s recent ork [27] for an in depth look), and therefore in these scenarios savings ithin the loop again become more significant overall. In any case, a thoroughly optimied implementation ill make use of the fastest formulas inside the Miller loop, so even though our implementation slightly favored affine coordinates, and indeed Scott s current 256-bit record [27] also employed affine coordinates, it could ell be that a thoroughly optimied projective routine (like [] for k = 2) ends up outperforming affine formulas at this level too. We refer to [8, 9, 8] for ays to find the most efficient coordinate system depending on the specific protocol and implementation situation. As e mentioned briefly in the previous section, the choice of hich toer (T, T 2, T 3 in Proposition 2) to use in an implementation could be influenced by a number of factors. For example, if lo bandidth requirements favored maximum compression techniques [28], then T ould seem most appropriate. On the other hand, if the major priority is ra speed, then one could employ the field arithmetic presented in [0, 6] and favor the (slightly faster) quadratic over cubic extension offered by T 3. Or perhaps most commonly, if the implementor is adopting BLS curves to scale a prior (say BN) pairing implementation to a higher security level, then the toered code for the BN sextic extension from F p 2 to F p 2 could be easily updated to BLS code for the extension from F p 4 to F p 24. In any case, there are efficient formulas available for all three of the toering choices [0, 9], so e ill treat all three cases in parallel and highlight the differences that arise. One such difference lies in the sparse doubling and addition lines that are used to update the pairing function. For each of the proposed congruency classes, Table 2 follos the exposition in [26, 5] and details the correct placing of the line function coefficients for the three toer choices T, T 2, T 3 and the to tist choices in Proposition 4, both of hich have the same group order but result in different looking line functions. The point P is alays kept in affine coordinates (x P, y P ). For the affine formulas the line simply is l(p ) = y P λx P c, here λ F p 4 is the slope of the line as usual and c F p 4 is the constant coefficient. Projective formulas for these line functions usually output three coefficients L 0,0, L,0, L 0, F p 4 [9] that define the evaluated update l(p ) = L 0,0 + L,0 x ψ (P ) + L 0, y ψ (P ) F p 24

12 by being attached to different algebraic elements in the representation of F p 24 over F p 4 depending on the tisting isomorphism ψ. In all cases l(p ) is a sparse element of F p 24, ith the only difference being the places that the l i occupy as a result of the different algebraic toerings and maybe a sign change. To explain the different lines in Table 2, let us briefly look at the conversion beteen representations of an element in the different toering options T, T 2, and T 3. Let us start ith an element a in T 2 given by the coefficients a 0,..., a 5 F p 4, i.e. a = a 0 + a + a a a a 5 5. Converting to T, e take 3 and thus the same element is represented as a = (a 0 + a 3 ) + (a + a 4 ) + (a 2 + a 5 ) 2. To go to T 3, e use u (i.e. 2 ) and obtain a = (a 0 + a 2 + a 4 2 ) + ( a u a 3 u a 5 u 2 ). An optimied routine must take advantage of the sparse nature of l(p ) and tailor make a specialied multiplication routine to exploit the presence of ero entries. Roughly speaking, the options in Table 2 ill give rise to similar speeds, but it is obvious to see hich tist constant an implementor ould choose (all other things being equal) if their choice of toer is already concrete. For example, if T is the chosen toer, then using b = 4v gives a slightly easier line function to code than using b = 4v. A more important difference arises hen choosing hether to leave P E and untist Q E to Q E for the line function computation, or choosing to put both points on the tist for the entire routine [9]. The nature of the proposed toer actually means that there is a significant difference beteen the simplicity of the tisting and untisting isomorphisms, and one option ill be more desirable to implement than the other. For example, hen using T and b = 4v, the untisting isomorphism ψ is ψ : (x, y ) (x/ 2, y/) = (v(u )/2 x, v( u)/2 y ), hich is more annoying to code (and theoretically slightly sloer) than using ψ : (x, y) ( 2 x, y) to tist the second argument P instead. On the other hand, if the tist is given as E : y 2 = x 3 ± b/v, as is the cases hen x 0 7, 64 (mod 72), then it is the untisting isomorphism that is clearly preferable. 5 The final exponentiation An optimied final exponentiation routine is critical for fast pairings at highsecurity levels. Scott et al. [29] propose the most efficient algorithm to date, hich exploits the polynomial representations of p and r to reduce the ork encountered after the Miller loop. The first step is to split the exponent into to parts by factoring (p k )/r and exploiting the Frobenius operator hich raises elements to the poer of p almost for free. In our case the exponent splits as: (p 24 )/r = [(p 2 ) (p 4 + )] [(p 8 p 4 + )/r]. hard part After exploiting Frobenius operations to quickly raise the output of the Miller loop to the exponent in the left square parentheses, e then face the major

13 cong. tist toer tist isomorphism Miller lines class b choice ψ : E E Affine Projective T (x, y) ( 2 x, uy) [ bv T2 (x, y) ( 2 x, u 3 y) [ 6,3 T3 (x, y) ( x, y) [ T (x, y) ( 2 x, y) [ bv T2 (x, y) ( 2 x, 3 y) [ T3 (x, y) (x, uy) [ c c c : c c c : : yp u 0 : 2 λ xp : : λ xp : yp 0 : : λ xp 0 : 0 : : 0 2 λ xp 3 yp u : 0 : yp 2 λ xp 2 λ xp : 3 yp : : : : 0 ] [ 5 0 ] [ : 0 ] [ : 0 : yp u L0,0 L0,0 : L0,0 : 0 ] [ 5 0 ] [ : 0 ] [ 2 L0,0 L0,0 L0,0 : : L0, yp u 0 : 2 L,0 xp : : L,0 xp : L0, yp 0 : : L,0 xp 2 0 : 0 : 0 2 L,0 xp : tist toer untist isomorphism Miller lines b choice ψ : E E Affine Projective T (x, y ) ( 2 x, uy ) [ yp b/v T2 (x, y ) ( 2 x, u 3 y ) [ yp : 7,64 T3 (x, y ) ( x, y ) [ T (x, y ) ( 2 x, y ) [ : c u yp b/v T2 (x, y ) ( 2 x, 3 y ) [ yp : T3 (x, y) (x, uy ) [ yp λ u xp : yp : 0 : 0 2 : c : 0 : 0 2 λ xp : λ xp u 2 0 : λ xp λ xp 2 0 : λ u xp : 0 3 c u : : c : 0 3 c : 2 0 : 0 ] [ 4 0 : 5 0 ] [ : 0 ] [ 2 L0, yp L0, yp : 2 0 : 0 ] [ 4 0 : : c u : L0,0 u : : 0 L,0 u xp : L0, yp yp 5 0 ] [ yp : : 0 ] [ 2 yp : 0 : 0 2 : L0,0 : 0 : 0 2 L,0 xp : L,0 3 2 L0, yp u : 0 : L0, yp 2 L,0 xp 3 L0, yp : xp : 0 ] 4 0 : 4 0 : 0 : L0, yp u L,0 xp u 2 0 : L,0 xp L,0 xp 2 0 : L,0 u xp 3 3 : 0 L0,0 u : : 0 L0,0 : : L0,0 2 0 : 0 ] 4 0 : : L0,0 u 5 0 ] : 0 ] 2 : 0 ] 5 0 ] 5 0 ] : 0 ] : 0 ] 4 0 : : 0 ] 2 : 0 ] 2 Table 2. Details of the Miller line function depending on the choice of toer (and tist constant). 5 0 ]

14 bottle-neck in the exponentiation: raising a value m F p 24 to the poer of the hard part. One helpful observation hich aids the remaining computations is that, after exponentiation to the poer p 2, the value m F p 24 is no such that N Fp 24 /F (m) =. This allos any inversions in F p 2 p24 to be computed for free using a simple conjugation [28, 2, 29], and any squarings in F p 24 to be computed more efficiently than standard squarings [3, 7, ]. To apply the algorithm in [29], e use the parameteriations in () to rite the hard part as (p(x) 8 p(x) 4 + )/r(x) = 7 λ i (x)p(x) i. In an appendix of her thesis, Benger [5] computed the λ i for a range of curve families, including BLS curves ith k = 24, giving λ i = ν i /3, here ν 7 (x) = x 2 2x +, ν 6 (x) = x 3 2x 2 + x = x ν 7 (x), ν 5 (x) = x 4 2x 3 + x 2 = x ν 6 (x), ν 4 (x) = x 5 2x 4 + x 3 = x ν 5 (x), i=0 ν 3 (x) = x 6 2x 5 + x 4 x 2 + 2x = x ν 4 (x) ν 7 (x), ν 2 (x) = x 7 2x 6 + x 5 x 3 + 2x 2 x = x ν 3 (x), ν (x) = x 8 2x 7 + x 6 x 4 + 2x 3 x 2 = x ν 2 (x), ν 0 (x) = x 9 2x 8 + x 7 x 5 + 2x 4 x = x ν (x) + 3. This representation reveals another nice property exhibited by k = 24 BLS curves: namely, a very convenient ay to compute the ν i ith essentially just multiplications by x. Letting µ i = m νi(x0), this structure allos us to rite the hard part of the final exponentiation as m (p8 p 4 +)/r = µ 0 µ p µp2 2 µp3 3 µp4 4 µp5 5 µp6 6 µp7 7, here the µ i can be computed using the folloing sequence of operations: µ 7 = (m x0 ) x0 (m x0 ) 2 m, µ 6 = (µ 7 ) x0, µ 5 = (µ 6 ) x0, µ 4 = (µ 5 ) x0, µ 3 = (µ 4 ) x0 (µ 7 ), µ 2 = (µ 3 ) x0, µ = (µ 2 ) x0, µ 0 = (µ ) x0 m 2 m. The computation of m (p8 p 4 +)/r requires 9 exponentiations by x 0, 2 multiplications in F p 24, 2 special squarings, 2 conjugations to compute the inverses and 7 p-poer Frobenius operations. We detail a possible scheduling for the full exponentiation routine in Table 3. Note that e can simply forget about the difference beteen the λ i and the ν i ; by leaving aay the 3 in the denominators, e just compute the third poer of the pairing. By far the most costly stage of the final exponentiation is the nine exponentiations by x 0, hich are performed using a standard square-and-multiply routine.

15 FinalExp Input: f r,q(p ) F p 24 and loop parameter x 0 Initialie f f r,q(p ), t 0 /f, m f, m m t 0, t 0 π 4 p(m), m m t 0, m m x, m 2 m x m m 2, m m, µ 7 m 2 m, µ 7 µ 7 m, µ 6 µ x 7, µ 5 µ x 6, µ 4 µ x 5, µ 7 µ 7, µ 3 µ x 4, µ 3 µ 3 µ 7, µ 2 µ x 3, µ µ x 2, µ 0 µ x, m m 2, µ 0 µ 0 m, µ 0 µ 0 m, f π p(µ 7), f f µ 6, f π p(f), f f µ 5, f π p(f), f f µ 4, f π p(f), f f µ 3, f π p(f), f f µ 2, f π p(f), f f µ, f π p(f), f f µ 0, Return f r,q(p ) (p24 )/r f. Output: f r,q(p ) (p24 )/r Table 3. The final exponentiation for BLS curves ith k = 24 This is here the BLS pairing computation benefits most from the faster squarings in F p 24, and also from an x 0 value that has lo hamming-eight hich reduces the F p 24 multiplications encountered. In the folloing section e give several examples of very lo hamming-eight x 0 values that give rise to curves in the proposed implementation-friendly BLS subfamily. 6 Example curves This section provides four lists of implementation-friendly BLS curves at security levels here the entire BLS family is either competitive across all families, or is clearly the current outright favorite. Each list (Table 4 through to Table 7) corresponds to one of the four proposed subfamilies. We start ith 92-bit security since our timings of a C implementation of the optimal ate pairing at this level (see Appendix A) agreed ith Scott s comment [27] that the stand-out candidate curve family at this level is not yet as obvious as the 28- and 256-bit levels. In our implementation both a k = 2 BN curve and k = 24 BLS curve outperformed a k = 8 KSS curve at this level. Each table lists curves here x 0 is very sparse in signed binary representation, meaning here that it has eight 3, 4 or 5. Working ith signed binary representation for the Miller loop parameter and the poerings in the final exponentiation can be considered standard and extends the space of nice curves compared to just using plain binary representation. Nevertheless, e also included many x 0 values hich have the same plain binary representation as the signed binary representation; these are the x 0 values hich share the same sign for each poer of 2. All curves given have the implementation-friendly properties outlined in the previous sections. In particular, curves in Table 4 and Table 6 have x 0 7

16 (mod 72) and x 0 3 (mod 72) respectively, and are given by E : y 2 = x 3 + ; curves in Table 5 have x 0 6 (mod 72) and are given by E : y 2 = x 3 + 4, and curves in Table 7 have x 0 64 (mod 72) and are given by y 2 = x 3 2. In all cases all parameters are uniquely defined by the short value x 0. The curves in all four tables ere found by trying all possibilities for the signed binary representation of x 0 ith a fixed eight such that x 0 belongs to the right congruence class modulo 72. In our search, e did not find any curves in the considered range of parameter sies here x 0 is plus or minus a poer of 2 (i.e. eight ) or here it is a binomial, a sum of to such poers (i.e. eight 2). In this sense, our search indicates that eights 3, 4 and 5 are optimal for the security levels considered in this paper. The even congruencies (x 0 6, 64 (mod 72)) gain the slight advantage over the odd congruencies (x 0 7, 3 (mod 72)), since the last bit of the binary representation of odd congruencies is obviously forced to be. Thus, curves in the even congruency classes commonly have eights 3 and 4 hilst curves in the odd congruency classes commonly have eights 4 and 5. On the other hand, the odd congruencies both give rise to curves ith b = hich ould make for slightly faster point operations, but (all other things being equal) one ould probably achieve a faster implementation by taking the x 0 value ith the loest eight possible, since one less bit in x 0 saves over 0 full F p 24 multiplications per single pairing. Restricting x 0 to sparse values only results in a certain inflexibility hen adjusting the parameter sies to exact values, for example certain multiples of ord sies on a target implementation platform. Hoever, recent high-speed implementations of pairings at the 28-bit security level have shon that lay reduction techniques give significant improvements in the field toer arithmetic and thus the overall pairing computation [7, ]. Such techniques can be employed efficiently hen the bit sie of the prime characteristic p is a fe bits less than a multiple of the ord sie, hich provides a certain space for delaying reductions for field arithmetic. In Tables 4, 5, 6 and 7 e have tried to account for this (as far as possible), by including different choices of curves at each security level that have a varying gap beteen the prime field sie and multiples of standard ord sies 32 and 64, hich are also given in the table. We believe that most implementors of pairings in softare ill find a suitable curve at the desired security level in our tables, or else ill be able to find a suitable curve themselves ith similar properties. References. Diego F. Aranha, Koray Karabina, Patrick Longa, Catherine H. Gebotys, and Julio Lópe. Faster explicit formulas for computing pairings over ordinary curves. In Kenneth G. Paterson, editor, EUROCRYPT, volume 6632 of Lecture Notes in Computer Science, pages Springer, Elaine Barker, William Barker, William Burr, William Polk, and Miles Smid. Recommendation for key management - part : General (revised). Technical report, NIST National Institute of Standards and Technology, Published as

17 security x 0 7 (mod 72) eight p ords r ords security level (bits) for p (bits) for r (bits) Table 4. BLS curves ith lo-eight parameter x 0 7 (mod 72) aiming at several security levels given in the first column. The columns ords for p and ords for r give the necessary number of 32- or 64-bit ords to store the values for p and r, respectively. The last column provides the estimated actual security by the formula in [32].

18 security x 0 6 (mod 72) eight p ords r ords security level (bits) for p (bits) for r (bits) Table 5. BLS curves ith lo-eight parameter x 0 6 (mod 72) aiming at several security levels given in the first column. The columns ords for p and ords for r give the necessary number of 32- or 64-bit ords to store the values for p and r, respectively. The last column provides the estimated actual security by the formula in [32].

19 security x 0 3 (mod 72) eight p ords r ords security level (bits) for p (bits) for r (bits) Table 6. BLS curves ith lo-eight parameter x 0 3 (mod 72) aiming at several security levels given in the first column. The columns ords for p and ords for r give the necessary number of 32- or 64-bit ords to store the values for p and r, respectively. The last column provides the estimated actual security by the formula in [32].

20 security x 0 64 (mod 72) eight p ords r ords security level (bits) for p (bits) for r (bits) Table 7. BLS curves ith lo-eight parameter x 0 64 (mod 72) aiming at several security levels given in the first column. The columns ords for p and ords for r give the necessary number of 32- or 64-bit ords to store the values for p and r, respectively. The last column provides the estimated actual security by the formula in [32].