Computing the optimal ate pairing over elliptic curves with embedding degrees 54 and 48 at the 256-bit security level (Q2019841)
From MaRDI portal
scientific article
Language | Label | Description | Also known as |
---|---|---|---|
English | Computing the optimal ate pairing over elliptic curves with embedding degrees 54 and 48 at the 256-bit security level |
scientific article |
Statements
Computing the optimal ate pairing over elliptic curves with embedding degrees 54 and 48 at the 256-bit security level (English)
0 references
22 April 2021
0 references
Summary: Due to recent advances in the computation of finite fields discrete logarithms, the Barreto-Lynn-Scott family of elliptic curves of embedding degree 48 became suitable for instantiating pairing-based cryptography at the 256-bit security level. Observing the uncertainty around determining the constants that govern the best approach for computing discrete logarithms, \textit{M. Scott} and \textit{A. Guillevic} [Lect. Notes Comput. Sci. 11321, 43--57 (2018; Zbl 1446.11121)] consider pairing-friendly elliptic curves of embedding degree higher than 50, and discovered a new family of elliptic curves with embedding degree 54. This work aims at investigating the theoretical and practical cost of both the Miller algorithm and the final exponentiation in the computation of the optimal ate pairing on the two aforementioned curves. Both our theoretical results, based on the operation counts of base-field operations, and our experimental observations collected from a real implementation, confirm that BLS48 curves remain the faster curve in the computation of the optimal ate pairing at the 256-bit security level.
0 references
elliptic curves
0 references
pairing-friendly curves
0 references
optimal pairings
0 references
Miller loop
0 references
final exponentiation
0 references
embedding degrees 48 and 54
0 references
256 bits security level
0 references