IACR News item: 17 May 2016
Loubna Ghammam, Emmanuel Fouotsa
ePrint Report
Many pairing-based protocols require the computation of the product
and/or of a quotient of n pairings where n > 1 is a natural integer.
Zhang et al.[1] recently showed that the Kachisa-Schafer and Scott family
of elliptic curves with embedding degree 16 denoted KSS16 at the 192-bit
security level is suitable for such protocols comparatively to the Baretto-
Lynn and Scott family of elliptic curves of embedding degree 12 (BLS12).
In this work, we provide important corrections and improvements to their
work based on the computation of the optimal Ate pairing. We focus on
the computation of the nal exponentiation which represent an important
part of the overall computation of this pairing. Our results improve by
864 multiplications in Fp the computations of Zhang et al.[1]. We prove
that for computing the product or the quotient of 2 pairings, BLS12 curves
are the best solution. In other cases, specially when n > 2 as mentioned in
[1], KSS16 curves are recommended for computing product of n pairings.
Furthermore, we prove that the curve presented by Zhang et al.[1] is not
resistant against small subgroup attacks. We provide an example of KSS16
curve protected against such attacks.
Additional news items may be found on the IACR news page.