Computing the optimal ate pairing over elliptic curves with embedding degrees 54 and 48 at the 256-bit security level

Abstract

Due to recent advances in the computation of finite fields discrete logarithms, the Barreto-Lynn-Scott family of elliptic curves of embedding degree 48 became suitable for instantiating pairing-based cryptography at the 256-bit security level. Observing the uncertainty around determining the constants that govern the best approach for computing discrete logarithms, Scott and Guillevic consider pairing-friendly elliptic curves of embedding degree higher than 50, and discovered a new family of elliptic curves with embedding degree 54. This work aims at investigating the theoretical and practical cost of both the Miller algorithm and the final exponentiation in the computation of the optimal ate pairing on the two aforementioned curves. Both our theoretical results, based on the operation counts of base-field operations, and our experimental observations collected from a real implementation, confirm that BLS48 curves remain the faster curve in the computation of the optimal ate pairing at the 256-bit security level.