Updating key size estimations for pairings

Razvan Barbulescu and Sylvain Duquesne

A taxonomy of pairings, their security, their complexity

Razvan Barbulescu, Nadia El Mrabet and Loubna Ghammam

The evaluation of pairing key sizes is done by a precise analysis of the NFS algorithm and its variants. At the beginning, from the point of view of asymptotic complexity, the best NFS attacks against pairings of a given field size were as fast as the NFS attacks against RSA. However, a series of improvements of NFS between 2013 and 2016 required an evaluation of key sizes dedicated to pairings.

In the article "Updating key size estimations for pairings", published in the Journal of Cryptology, the authors proposed a method to make a precise analysis of the extended tower number field sieve. The conclusion was that the key sizes had to be improved for KSS16, KSS18, BN, BLS12 and BLS24. They also proposed new key sizes for those families, new parameters and computed the complexity to guarantee a security level of 128, 192 and 256 bits.

In the article "A taxonomy of pairings, their security, their complexity", the authors apply the same method to compute the key sizes for over 150 families of pairings, which corresponds to all the families they could find in the literature. Now that this work has been done manually, it would be interesting to have an automated way to reproduce the results. For some families, the exact formulas were not available or it was necessary to consult the literature to find improvements. Some of the embedding degrees are impossible for certain families, so it is useful to have a large list of formulas (see TaxonomyComplete.sage).

The same article continues by proposing exact algorithmic choices for all the 150+ families, which makes it possible to eliminate families that are much slower than the current best.

One can compute the experimental size of the norms, which play an important role in the implementation, using the following Python programme.

The complete security results for over 150 families of pairings, in particular the families treated in the first article, are available in the security table. To reproduce the results one can use the auxiliary files.

For this page we use the template of Rouse and Zureick-Brown.