Skip to main content

Pairing-Friendly Curves

Document Type Expired Internet-Draft (cfrg RG)
Authors Yumi Sakemi , Tetsutaro Kobayashi , Tsunekazu Saito , Riad S. Wahby
Last updated 2022-01-31 (Latest revision 2021-07-30)
Replaces draft-yonezawa-pairing-friendly-curves
Stream Internet Research Task Force (IRTF)
Intended RFC status Informational
Expired & archived
plain text html xml htmlized pdfized bibtex
Stream IRTF state Active RG Document
Revised I-D Needed
Consensus boilerplate Unknown
Document shepherd Stanislav V. Smyshlyaev
IESG IESG state Expired
Telechat date (None)
Responsible AD (None)
Send notices to Stanislav Smyshlyaev <>
This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at:


Pairing-based cryptography, a subfield of elliptic curve cryptography, has received attention due to its flexible and practical functionality. Pairings are special maps defined using elliptic curves and it can be applied to construct several cryptographic protocols such as identity-based encryption, attribute- based encryption, and so on. At CRYPTO 2016, Kim and Barbulescu proposed an efficient number field sieve algorithm named exTNFS for the discrete logarithm problem in a finite field. Several types of pairing-friendly curves such as Barreto-Naehrig curves are affected by the attack. In particular, a Barreto-Naehrig curve with a 254-bit characteristic was adopted by a lot of cryptographic libraries as a parameter of 128-bit security, however, it ensures no more than the 100-bit security level due to the effect of the attack. In this memo, we list the security levels of certain pairing-friendly curves, and motivate our choices of curves. First, we summarize the adoption status of pairing-friendly curves in standards, libraries and applications, and classify them in the 128-bit, 192-bit, and 256-bit security levels. Then, from the viewpoints of "security" and "widely used", we select the recommended pairing-friendly curves considering exTNFS.


Yumi Sakemi
Tetsutaro Kobayashi
Tsunekazu Saito
Riad S. Wahby

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)