TNFS resistant families of pairing-friendly elliptic curves

Recently there has been significant progress on the tower number field sieve (TNFS) method, reducing the complexity of the discrete logarithm problem (DLP) in finite field extensions of composite degree. These new variants of the TNFS attacks have a major impact on pairing-based cryptography and particularly on the selection of the underlying elliptic curve groups and extension fields. In this paper we revise the criteria for selecting pairing-friendly elliptic curves considering these new TNFS attacks in finite extensions of composite embedding degree. Additionally we update the criteria for finite extensions of prime degree in order to meet today’s security requirements. © 2019 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).


Introduction
Let E/F p be an ordinary elliptic curve over a prime field F p and E(F p ) the group of F p -rational points whose order satisfies #E(F p ) ≈ p. Let also t = p + 1 − #E(F p ) be the trace of Frobenius and D > 0 the CM discriminant. This is the square-free integer satisfying the CM equation D y 2 = 4p − t 2 , for some y ∈ Z. We further assume that the order of the curve contains a large prime factor r, hence #E(F p ) = hr, for some cofactor h ≥ 1. To complete the elliptic curve notation, we denote by E[r] the group of r-torsion points on the curve, i.e. all points with coordinates in F p whose order is equal to r.
Let G 1 , G 2 and G T be three cyclic groups with G 1 ≠ G 2 and #G 1 = #G 2 = #G T = r. An asymmetric pairing is a bilinear, non-degenerate, efficiently computable (polynomial time) map of the form: Asymmetric pairings are defined on ordinary elliptic curves E/F p and they are considered to be more efficient than the symmetric ones (G 1 = G 2 ), which are defined on supersingular curves. In the asymmetric case, the groups G 1 and G 2 are distinct, r-order subgroups of E(F p k ), while G T is an r-order subgroup of the multiplicative group of the extension field F p k . Thus, in practice, an asymmetric pairing takes two points on the curve of order r and coordinates in an extension F p k and maps them via some formula to an integer of order r, hence an rth root of unity in F * p k . The positive integer k is called the embedding degree of the curve E/F p with respect to r and it is defined as the smallest positive integer such that F p k contains all primitive rth roots of unity. Equivalently, k is the smallest positive integer, such that all r-torsion points have coordinates in F p k instead of the whole algebraic closure F p . In pairing-based cryptography, an elliptic curve must satisfy certain rules, in order to be suitable for applications. In particular: for some real constants ∈ [0, 1] and c > 0, where N = p k . In general for a finite field extension, the NFS attack applies with complexity L N [1/3, 1.923]. This complexity still holds today for finite extensions of prime degree. When k is composite and p has a special form, i.e. it derives from the evaluation of a polynomial at some value, recent variants of the TNFS method, such as the extended TNFS (exTNFS) or special exTNFS (SexTNFS) algorithms [9,11] reduce the complexity of the DLP to L N [1/3, 1.526].
The new improvements have a major effect on the construction of pairing-friendly curves with composite embedding degree. An immediate consequence is that the extension field should be larger than before and therefore the requirement ρ ≈ 1 may not be an ideal choice for composite k any more. For example, the Barreto-Naehrig (BN) curves [1] for k = 12 were ideal for generating a 256-bit prime and a 3072-bit extension field (i.e. ρ ≈ 1). Such parameters in the pre-TNFS period would correspond to a 128-bit security level. After the improvements of the TNFS method and according to Equation (1), an extension field of this size reaches a security level of 110 bits. In order to achieve an extension field with 128-bit security level, one should choose p 12 around 4608 bits. Since ρ ≈ 1 in BN-curves, this results in log r ≈ 384 and hence a mismatch between the security level in G 1 , G 2 and the security level in the target group G T .
In this paper we revise the criteria for constructing polynomial families (p(x), t(x), r(x)) considering the impact of the TNFS variants, presented in [9,11]. For composite embedding degrees we propose the use of optimal families that are likely to provide a balanced security level in the three pairing groups G 1 , G 2 , G T and produce pairing-friendly parameters that are resistant to TNFS attacks. Additionally, for prime values of k we recommend the use of polynomial families that achieve balanced security levels, but were not considered before due to a larger ρ-value. All families presented in this paper provide a security level of 128, 256 or 512 bits. We produce numerical examples of cryptographic value obtained by our recommended families based on the asymptotic complexity of the DLP in the finite extensions F p k . This is measured by the usual L-function presented in Equation (1) and ignoring the constant o (1). Therefore, the scope of this paper is to provide a guideline on how to choose pairing-friendly elliptic curves that are resistant to the new TNFS attacks. In Section 2 we give an overview of families of pairing-friendly elliptic curves and focus on the Brezing-Weng method [2] for their construction. In Sections 3 and 4 we present our recommendations on selecting Brezing-Weng polynomial families that are suitable for producing pairing-friendly parameters resistant to the TNFS variants. We also give numerical examples of pairing-friendly parameters with cryptographic value for various embedding degrees. Finally, we conclude this paper in Section 5, summarizing our recommendations for selecting suitable pairing-friendly parameters.

Families of pairing-friendly elliptic curves
For a prime p, let E/F p be an ordinary elliptic curve with trace t and order #E(F p ) = hr, for some h ≥ 1 and a prime r. In addition, for the rest of this paper we assume that p(x), t(x) and r(x) are non-zero polynomials with coefficients in Q.
Definition 1 (Freeman et al. [8]). A polynomial triple (p(x), t(x), r(x)) parameterizes a family of pairing-friendly elliptic curves with embedding degree k and CM discriminant D if:
1. p(x) represents primes, i.e. it is irreducible, with deg p > 0 and lc(p) > 0. Additionally, p(x) ∈ Z, for some (or infinitely many) x ∈ Z and gcd {p(x) : x, p(x) ∈ Z} = 1.
2. r(x) represents primes, i.e. satisfies the same conditions as p(x).
The ρ-value of a polynomial family is defined as the ratio ρ(p, t, r) = deg p/ deg r. The third condition of Definition 1 implies that the order of the curve has a polynomial representation #E( is the polynomial representing the cofactor. In addition, the fact that is a primitive kth root of unity modulo r(x). There are three types of polynomial families depending on the form of the 2 , which is called the CM polynomial.
Using any type of family (p(x), t(x), r(x)), we can generate pairing-friendly elliptic curve parameters by evaluating these polynomials at some x 0 ∈ Z, such that p(x 0 ), t(x 0 ) and r(x 0 ) are integers and p(x 0 ), r(x 0 ) are both primes. However we can relax this strict condition and allow r(x 0 ) to contain a small factor s and a large prime. This extra condition increases the number of suitable parameters that can be generated by a polynomial family. If such an x 0 exists, then we obtain an elliptic curve E/F p(x 0 ) , with trace of Frobenius t(x 0 ) and order #E( Examples of complete families can be found in [1,2,8,10,15,16]. Complete families with variable discriminant are presented in [3,8,12,13]. Finally, examples of sparse families appear in [3,5,6,7,8,14]. In this paper we will focus on the first two types of families of Definition 2, namely complete and complete with variable discriminant families.

The Brezing-Weng method
The most well known method for constructing polynomial families of pairing-friendly elliptic curves in the sense of Definition 2 is the Brezing-Weng method [2]. This method was originally applied for the case of complete families. Several modifications were presented in [10,15,16] in order to construct more examples of complete families. In [3], Robert Dryło presented a variant of the Brezing-Weng method for constructing the other two types of Definition 2, namely complete families with variable discriminant and sparse families. The original Brezing-Weng method is described in Algorithm 1.

Algorithm 1 The Brezing-Weng method [2].
Input: A number field K containing the kth roots of unity and √ −D, for some square-free D > 0 and a fixed k > 0.
Output: A complete family with embedding degree k and discriminant D.
The number field K in Algorithm 1 was set as the lth cyclotomic field Q(ζ l ), for some l > 0, such that k | l, which implies that ζ k ∈ K and we also need √ −D ∈ K . The polynomial r(x) is taken as the lth cyclotomic polynomial, in which case K ≅ Q[x]/ r(x) . Then we fix t(x) and y(x) as the polynomials representing the elements ζ k + 1 and ( . Once these polynomials are determined, the calculation of the field polynomial p(x) is straightforward. It remains to examine whether p(x) satisfies the necessary conditions of Definition 1 and if this is the case, we have a complete family of pairing-friendly elliptic curves with embedding degree k. A more detailed description of the Brezing-Weng method for constructing complete families is discussed in Section 3.
In [3] (Algorithm 5, p. 312), Robert Dryło extended the Brezing-Weng method in order to produce CVD families of pairing-friendly elliptic curves. His method works by fixing a number field K containing the primitive kth roots of unity and taking r(x) as the minimal polynomial of −z 2 , for some z ∈ K , such that z 2 is a primitive element of K . The difference between complete and CVD families is that the CM discriminant in the first case is some fixed, non-square positive value D, while in the case of CVD families it is represented by some linear polynomial g(x) = cx + d ∈ Q[x]. However, we can always apply the linear transformation x → (x − d)/c so that g(x) = x. This transformation is important as it makes the generation of pairing-friendly parameters easier for CVD families. We give a full analysis on how to construct this type of families via the Brezing and Weng method in Section 4.
Sparse families can also be constructed by modifying the Brezing-Weng method (see [3]). This type of families is probably the hardest one to study. This is due to the fact that it is computationally difficult to construct CM polynomials having a factorization as in Definition 2, namely f (x) = g(x) y(x) 2 , for some quadratic, non-square polynomial g(x), with positive leading coefficient. Another hard part in sparse families is that suitable elliptic curve parameters derive from the solutions of a generalized Pell equation and hence their generation is slightly more complicated than in the other two types of families. We do not consider this type of families in this paper, however several construction methods and various interesting examples can be found in [3,5,6,8,14].
A common characteristic in all three methods is that we need to ensure that the polynomials p(x), t(x) and r(x) are likely to extract integer values, or in other words they are integer-valued. This condition can be tested by examining whether there exists a linear transformation x → (az + b) such that p(az + b), t(az + b) and r(az + b) have integer coefficients. When (p(x), t(x), r(x)) is a complete family, we can generate suitable pairing-friendly parameters by searching for some x 0 ∈ Z, such that p(x 0 ) and r(x 0 ) are both primes of a desired size (see Section 3 for details). On the other hand, when (p(x), t(x), r(x)) is a CVD family, we are searching for some x 0 ∈ Z, such that g(x 0 ) = x 0 is a product of a square-free positive D times some perfect square y 2 and p(x 0 ), r(x 0 ) are both primes of a desired size (see Section 4 for the precise algorithm). As stated earlier, more examples can be obtained by allowing r(x 0 ) to contain itself a small cofactor.

Our contribution
Numerous examples can be found in the literature for both complete and CVD families of pairing-friendly elliptic curves with various embedding degrees (see for example [1,2,8,3,10,15,13,16]). The families in these papers focus on ρ-values that are close to 1, in order to get the smallest possible extension fields F p k that would in turn determine the efficiency of pairing calculations in the target group of a pairing. Unfortunately, this condition may not be ideal any more for a composite embedding degree k, due to the improvements of the TNFS method [9,11] for extension fields of composite degree. These TNFS variants lead to the conclusion that the examples we previously considered optimal may no longer provide the same security level. Consequently, the search for suitable elliptic curves that are ideal for implementation in pairing-based applications is still an open problem.
Motivated by these facts, in this paper we revise the criteria for selecting polynomial families of pairing-friendly elliptic curves for composite and prime embedding degrees in the range 5 ≤ k ≤ 39. More precisely, the scope of this work is threefold:
1. Composite k: We construct complete and CVD families of pairing-friendly elliptic curves for various composite embedding degrees, which are likely to generate suitable curve parameters resistant to the new TNFS attacks presented in [9,11]. These families have larger ρ-values compared to previous results in order to enlarge the extension field size k log p and hence increase the complexity of the DLP in the target group G T of asymmetric pairings.
2. Prime k: We present recommendations of complete and CVD families of pairing-friendly elliptic curves for prime embedding degrees that have not previously appeared in the literature, due to a larger ρ-value. Since this case is not affected by the new TNFS variants, pairing-friendly elliptic curve parameters can be chosen according to the recommendations in Table 1. We argue that our proposals in this case are capable of producing a balanced security level in the three pairing groups G 1 , G 2 and G T .
We argue that at present, finding families with the smallest ρ-value is not the main concern. The families we choose must have ρ-values such that the DLP in the extension field is resistant to the new TNFS attacks and approximately as hard as in the source groups G 1 , G 2 . Therefore our recommendations consist of families of pairing-friendly elliptic curves with ρ(p, t, r) ≤ 2.

Complete families revised
We give a detailed description of the Brezing-Weng method, presented in Algorithm 1, for constructing complete families of pairing-friendly elliptic curves. By the earlier discussion in Section 2, in order to apply this method, we first fix a number field K containing the primitive kth roots of unity and the element √ −D, for some square-free positive CM discriminant D. By [15] we know that the element √ −D is contained in some cyclotomic field Q(ζ m ), for some m > 0. Thus for a given embedding degree k and a CM discriminant D we can fix the number field K as Q(ζ l ), where l = lcm(k, m). In this case we set . Our examples of complete families are based on this setting, however r(x) can be also chosen as any irreducible polynomial with respect to condition (2) of Definition 1 (see for example [1,10,16]). This analysis leads us to the modified Brezing-Weng method presented in Algorithm 2. The complete families obtained by this algorithm have ρ-values less than 2 and particularly: This derives from the fact that t(x) and y(x) are polynomials in Q[x]/ r(x) and hence their degree is less than the degree of the polynomial r(x).

Algorithm 2 The Brezing-Weng method for complete families of pairing-friendly elliptic curves.
) with embedding degree k and discriminant D.

Remark 3.
As we will see later on, sometimes it is helpful to search for polynomial families with ρ(p, t, r) = 2, especially for small embedding degrees. Such families can be obtained by choosing constant lifts of the polynomials t(x) and y(x) in [2,3]). In practice this means that in Equation (3) we can set: The conditions for the element √ −D to lie in the number field K = Q(ζ l ), as well as the representation of √ −D in a cyclotomic field are given in the next lemma, which is taken from Murphy and Fitzpatrick [15].
Proof. See [15], Lemma 2.3. □
Additionally, the representation of √ −D in a cyclotomic field is based on the following facts. Let q be an odd prime, ζ q a primitive qth root of unity and Q(ζ q ) the qth cyclotomic field. Then:
Table 2 Cyclotomic Complete families at 128-bit security level.
For every output of Algorithm 2, we need to make sure that the polynomials p(x), t(x) and r(x) have integer coefficients, or in other words they produce integer values. If this is true, then there exist a, b ∈ Z, such that p(x) ∈ Z, for every x ≡ b mod a. In order to generate suitable elliptic curve parameters p, t and r, we are searching for some x 0 ≡ b mod a, such that p(x 0 ) and r(x 0 ) are both primes, where r(x 0 ) has a desired size S r . By the construction of the family (p(x), t(x), r(x)), since it has a certain ρ-value, the size of p(x 0 ) will be around ρ(p, t, r)S r . As stated in many papers we can relax this condition and allow r(x 0 ) to contain a small factor n ≥ 1. In this case r = r(x 0 )/n must be a large prime. This process is described in Algorithm 3. We emphasize that the search for suitable parameters described in this algorithm is affected by the degree of the polynomials r(x), p(x) and particularly, as deg r grows, deg p grows as well and it is harder to find suitable candidates x 0 for both polynomials. Algorithm 3 is also affected by the size of the coefficients of these polynomials and more precisely, we need to keep the coefficients of r(x) and p(x) rather small. This is a reason why in most papers, r(x) is set as the lth cyclotomic polynomial (such polynomials have coefficients ±1 and 0). Consequently, we require polynomials with relatively small degree and coefficients, depending on the security level we are working in.

Algorithm 3 Finding suitable parameters using complete families.
) and a desired bit size S r .
Output: A prime p, a (nearly) prime r and a Frobenius trace t.

Recommendations of complete families
We present our recommendations of complete families aiming at security levels of 128, 192 and 256 bits. For the rest of this paper, by security level, we mean the size of the corresponding key that is used for symmetric cryptography, such as in AES encryption scheme. Recall that our basic concern is not to find the families with the smallest ρ-values but we are rather interested in families with ρ-values such that the DLP in the r-order subgroups G 1 , G 2 of E(F p k ) and in the extension field F p k have approximately the same difficulty. Therefore we also introduce complete families with ρ(p, t, r) = 2. Most of the families presented here derive from the following setup: . We will often refer to such families as cyclotomic. The asymptotic complexity of the DLP in the finite extension F p k is measured by the L-notation given in Equation (1) (ignoring the constant o(1)) for = 1/3, c = 1.923, when k is prime and c = 1.526, when k is composite, according to the improvements of the TNFS method for composite degree extension fields [9,11,4].

128-bit security level
In Table 2 we give our recommendations for complete families that are likely to achieve a 128-bit security level in the source groups G 1 , G 2 of a pairing and in the extension field F p k . In this case the prime r is around 256-bit long. On the other hand the asymptotic complexity of the DLP in F p k implies that k log p ≈ 2530 when k is prime and k log p ≈ 4352 when k is composite. We observe that the best balance in Table 2 for a composite embedding degree is achieved by the pairs (k, ρ) = (10, 1.75) and (12, 1.5). In the first case, for a prime r around 256-bits, the size of the extension field F p 10 is around 4480-bits, while for k = 12, we get an extension field around 4608-bits. For k = 10, there are three families with ρ(p, t, r) = 1.75 in Table 2, with CM discriminants D ≡ 1, 5 and 15. In Example 5 we describe how to extract the complete family for k = 10, D = 5 and ρ(p, t, r) = 1.75 using Table 2.
Table 3 Cyclotomic Complete families at 128-bit security level with lifts t 1 , y 1 ∈ Q and ρ = 2.
Example 5. By Table 2, we set the number field K = Q(ζ 20 ). Thus we take r(x) as the 20th cyclotomic polynomial: For i = 18 in Algorithm 2 we obtain: The field polynomial p(x) is calculated by the relation: The polynomial p(x) is integer-valued when evaluated at integers satisfying x ≡ {0, 4, 6} mod 10. We conclude that the polynomial triple (p(x), t(x), r(x)) represents a complete family of elliptic curves with embedding degree k = 10, CM discriminant D = 5 and ρ-value: All examples of Table 2, as well as in all tables of this section are obtained in the same way. □
The remaining examples of complete families in Table 2 also provide an acceptable balance between the security level in the source groups G 1 , G 2 and F p k , but with a slightly larger extension field. An optimal balance in the prime embedding degree case is achieved by families with k = 5 and ρ(p, t, r) = 2. We can obtain such families by applying Algorithm 2 and considering constant lifts t 1 , y 1 ∈ Q for the polynomials t(x) and y(x), as stated in Remark 3. Examples of complete families with embedding degrees 5, 8 and 9, aiming at a security level of 128-bits in the extension field are presented in Table 3. These are the first examples of families in the literature with ρ(p, t, r) = 2. Note that when k = 5, and log r = 256, the extension field F p 5 is approximately 2560-bits, which is not very large, although ρ = 2 is far from the ideal case. On the other hand, for the case k = 8, the best examples so far had ρ(p, t, r) = 1.5 resulting in extension fields of size around 3072-bits. We argue that the optimal case for k = 8 should be revised and use families with ρ(p, t, r) = 2 yielding extension fields around 4096-bits. Finally, we can also reach an extension field with 128-bit security level by choosing k = 9 and ρ(p, t, r) = 2, where 9 log q ≈ 4608. These facts justify our earlier claim, that finding families with the smallest ρ-value should not be our main concern at this point.
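The balance between (log r)/2 and the DLP cost in F p k discussed in this section can be checked numerically. The Python sketch below is an added example, not code from the paper: it evaluates log2 of L N [1/3, c] in the standard form exp(c (ln N)^(1/3) (ln ln N)^(2/3)) with o(1) dropped (an assumption, since Equation (1) is not reproduced on this page), with c = 1.923 for prime k and c = 1.526 for composite k, and goes slightly beyond the text by also solving for the smallest ρ that balances a given k. All function names are illustrative.

```python
import math

C_PRIME_K = 1.923      # NFS constant the page uses when k is prime
C_COMPOSITE_K = 1.526  # (S)exTNFS constant the page uses when k is composite


def is_prime(k):
    """Trial division; embedding degrees are tiny (5 <= k <= 39 on this page)."""
    return k >= 2 and all(k % d for d in range(2, math.isqrt(k) + 1))


def field_security_bits(field_bits, k):
    """log2 of L_N[1/3, c] for N = p^k of `field_bits` bits, o(1) ignored."""
    c = C_PRIME_K if is_prime(k) else C_COMPOSITE_K
    ln_n = field_bits * math.log(2)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(2)


def assess(k, rho, r_bits):
    """Compare the source-group level (log r)/2 with the level in F_{p^k}."""
    field_bits = round(k * rho * r_bits)   # k log p, with log p ~ rho * log r
    field_sec = field_security_bits(field_bits, k)
    source_sec = r_bits / 2
    return {"k": k, "rho": rho, "field_bits": field_bits,
            "source_sec": source_sec, "field_sec": field_sec,
            "gap": field_sec - source_sec}


def min_rho(k, r_bits, step=0.001):
    """Smallest rho (to within `step`) whose field level reaches (log r)/2."""
    rho = 1.0
    while field_security_bits(k * rho * r_bits, k) < r_bits / 2:
        rho += step
    return round(rho, 3)


# (k, rho) pairs discussed on the page for a 256-bit prime r.
PAGE_CASES = [(12, 1.0), (12, 1.5), (10, 1.75), (5, 2.0), (8, 2.0), (9, 2.0)]

if __name__ == "__main__":
    for k, rho in PAGE_CASES:
        a = assess(k, rho, 256)
        print(f"k={k:2d} rho={rho:<4} k*log p={a['field_bits']:5d} "
              f"field~{a['field_sec']:6.1f} bits  source={a['source_sec']:.0f} "
              f"gap={a['gap']:+.1f}")
    print("smallest rho for k=12 with a 256-bit r:", min_rho(12, 256))
```

A negative gap means the target group G T is the weak link, which is the BN situation at ρ = 1; a large positive gap means the extension field is bigger than the source groups justify.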

192-bit security level
Our recommendations for complete families that achieve a 192-bit security level in the three pairing groups G 1 , G 2 and G T are presented in Table 4. Clearly there is a larger variety of available families to choose from in this case. The size of the prime r dividing the order of the curve is now 384-bits. The asymptotic complexity of the DLP in the extension field F p k implies that for the prime embedding degree case we must have k log p ≈ 6670, while in the composite case we have k log p ≈ 11670. The best balance when k is prime can be obtained by the pairs (k, ρ) = (11, 1.6) and (13, 1.3333). In the first case, p 11 is 6758-bit long and we present two such families in Table 4 with CM discriminant D = 3 and 11. In the second case, p 13 has a size around 6656-bits and there is one family for CM discriminant D = 3 in Table 4. For composite embedding degrees there are even more optimal families, for example (k, ρ) = (20, 1 These examples provide an extension field of size 11500 to 11900-bits, with security level around 192-bits, according to the asymptotic complexity given by Equation (1). The rest of the families in Table 4 also provide a nicely balanced security level in all pairing-groups. An optimal balance for composite embedding degrees can be also achieved with complete families having ρ(p, t, r) = 2. For families with this property, we need to take constant lifts t 1 , y 1 ∈ Q, in order to reach a 192-bit security level in the extension field F p k . We present such examples in Table 5, for k = 15, 16.
Table 5 Cyclotomic Complete families at 192-bit security level with lifts t 1 , y 1 ∈ Q and ρ = 2.

256-bit security level
For a 256-bit security level, the extension field F p k gets even larger. Today's requirements indicate that the optimal security level is around 128-bits corresponding to an AES symmetric key. Larger security levels, such as 192 and 256-bits, are for future reference. Additionally, the prime r that represents the order of the three pairing groups G 1 , G 2 and G T has now a size of 512-bits. Complete families at this security level should generate extension fields F p k around 13500-bits in the prime case and 23900-bits in the composite case. We give a list of optimal complete families in  Table 7 we demonstrate complete families with embedding degrees k = 13 and 24 and ρ(p, t, r) = 2. These are suitable for generating the desired extension fields, where the DLP is resistant to the new variants of the TNFS attacks.

Non-cyclotomic families
More complete families can be constructed by choosing the polynomial r(x) to be other than a cyclotomic polynomial, with respect to condition (2) of Definition 1. We refer to this type of complete families as non-cyclotomic. Such examples appear in [10,16], which however need to be updated as the proposed families were produced in the pre-TNFS period. The difficult part when constructing non-cyclotomic families is the choice of the polynomial r(x) and the primitive kth root of . Strategies for determining such polynomials can be found in [6,10,12,13,16]. However the problem is that the coefficients of the polynomials r(x) and p(x) might get very large affecting the process of generating suitable curve parameters. The most famous non-cyclotomic complete family is the BN family of Barreto and Naehrig. It has embedding degree k = 12, CM discriminant D = 3 and ρ(p, t, r) = 1 and it is represented by the polynomials: where u(x) = 6x^2 is a primitive 12th root of unity in Q[x]/ r(x) . This example was ideal for a security level of 128-bits in the pre-TNFS period, since it produces elliptic curve parameters with ρ = 1. More precisely, for a 256-bit prime r, it produces an extension field of 3072-bit. Due to the recent improvements of the TNFS method, the security level in F p 12 only reaches 110-bits. Therefore we need to consider larger extension fields and particularly of size 12 log p ≈ 4608 leading to families with ρ(p, t, r) = 1.5 (see for example our recommendation in Table 2). The next example is produced by Barreto and Naehrig's setup.
Table 7 Cyclotomic Complete families at 256-bit security level with lifts t 1 , y 1 ∈ Q and ρ = 2.

Example 6.
For l = k = 12 and D = 3, set: The ρ(p, t, r) = 1.5 and all polynomials have integer coefficients. □
Kachisa et al. [10] presented several examples of non-cyclotomic families that need to be updated. We give alternatives to these examples, based on the polynomials r(x) and u(x) presented in [10].
Then ρ(p, t, r) = 1.75 and all polynomials are integer-valued when x ≡ {25, 45} mod 70. □
This family is suitable for producing extension fields of size 16 log p = 10752-bits, providing a security level of 185-bits, for primes r around 384-bits. The polynomials r(x) and u(x) were used in [10] to construct a complete family with ρ(p, t, r) = 1.25, which does not fall into any of the three security levels we consider.

Numerical examples
In Table 8 we give a list of numerical examples obtained by selected complete families presented in this section, for security levels of 128, 192 and 256-bits. Recall that in order to generate suitable elliptic curve parameters, given a complete family of pairing-friendly elliptic curves, we apply Algorithm 3. The column "x 0 " refers to the integer input for the polynomials p(x), t(x) and r(x). The column "n" on the other hand denotes the possible cofactor contained in r(x 0 ), in which case by Algorithm 3 we set r = r(x 0 )/n. As stated earlier, this factor n might be helpful in some cases as it further increases the size of the extension field. In the final column we measure the security level provided by the constructed extension field, using Equation (1) and ignoring the constant o(1).
For instance, recall the complete family (p(x), t(x), r(x)) with k = 10 and D = 5 presented in Example 5. In order to obtain integer triples, these polynomials must be evaluated at some x 0 , such that x 0 ≡ {0, 4, 6} mod 10. If we set x 0 = 4658060020 ≡ 0 mod 10, we obtain the following parameters:  Table 8 are obtained by the families of this section in the same way.
Recall also that the search for suitable x 0 is affected by both the degree of the polynomial r(x), as well as by the size of its leading coefficient. In particular, this search is performed by choosing at random x 0 ∈ Z such that: deg r · log x 0 + log(lc(r)) ≈ security level, where lc(r) is the leading coefficient of r(x). Note that when r(x) = l (x) in cyclotomic families, then log(lc(r)) = 0. The security level in the r-order subgroups G 1 , G 2 is taken as log r/2. In Equation (4)  On the other hand, the security level in the extension field F p k is measured by the L-notation of Equation (1), namely L p k [1/3, c], where c = 1.923 when k is prime and c = 1.526 when k is composite. In general we want L p k [1/3, c] ≈ log r/2. Table 8 is just an instance of a few numerical examples. There are a lot of different triples (p, t, r) that can be produced by applying the techniques described in this section. Furthermore, we emphasize on the fact that the easiest way to generate pairing-friendly elliptic curve parameters is to use complete families, rather than the other two types of Definition 2.
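Algorithm 3 and the x 0 sizing rule above, run on the BN family (k = 12, D = 3, ρ = 1) as an added example that is not code from the paper. The BN polynomials used are the standard ones from the literature, supplied here because the page's own display of them is missing; the function names, the fixed Miller-Rabin bases and the small-prime cofactor bound are assumptions made for the illustration.

```python
import math

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases: deterministic for n < 3.18e23,
    a strong probable-prime test above that."""
    if n < 2:
        return False
    for q in SMALL_PRIMES:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def bn_family(x):
    """Standard BN polynomials (p(x), t(x), r(x)); integer coefficients, so any x works."""
    p = 36 * x**4 + 36 * x**3 + 24 * x**2 + 6 * x + 1
    t = 6 * x**2 + 1
    r = 36 * x**4 + 36 * x**3 + 18 * x**2 + 6 * x + 1
    return p, t, r


def embedding_degree(p, r, bound=64):
    """Smallest k with r | p^k - 1, i.e. the order of p modulo the prime r."""
    for k in range(1, bound + 1):
        if pow(p, k, r) == 1:
            return k
    return None


def cm_y(p, t, D):
    """Return y with D*y^2 = 4p - t^2, or None if the CM equation fails."""
    q, rem = divmod(4 * p - t * t, D)
    if rem or q < 0:
        return None
    y = math.isqrt(q)
    return y if y * y == q else None


def split_cofactor(m, max_n):
    """Write m = n * r, pulling primes <= 37 into n while n <= max_n."""
    n = 1
    for q in SMALL_PRIMES:
        while m % q == 0 and n * q <= max_n:
            m //= q
            n *= q
    return n, m


def find_parameters(r_bits, max_n=1, max_tries=100_000):
    """Walk x0 upward from the size where r(x0) first has r_bits bits."""
    # deg r * log2(x0) + log2(lc(r)) ~ r_bits, with deg r = 4 and lc(r) = 36.
    x0 = math.isqrt(math.isqrt((1 << (r_bits - 1)) // 36)) + 1
    for x in range(x0, x0 + max_tries):
        p, t, r_x = bn_family(x)
        n, r = split_cofactor(r_x, max_n)
        if is_probable_prime(r) and is_probable_prime(p):
            return {"x0": x, "p": p, "t": t, "r": r, "n": n, "D": 3,
                    "y": cm_y(p, t, 3), "k": embedding_degree(p, r)}
    return None


if __name__ == "__main__":
    params = find_parameters(256)
    print("x0 =", params["x0"], " n =", params["n"], " k =", params["k"])
    print("log2 p ~", params["p"].bit_length(), " log2 r ~", params["r"].bit_length())
    print("12 * log2 p ~", 12 * params["p"].bit_length(), "bits in the extension field")
```

With ρ = 1 the 256-bit run lands on an extension field of roughly 3072 bits, the size the page rates at about 110 bits after the TNFS improvements.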

CVD families revised
By Definition 2, the CM polynomial f (x) = 4q(x) − t(x) 2 is equal to the product of some linear term g(x) = cx + d times a perfect square y(x) 2 . As stated in Section 2 we can always apply on g(x) a linear transformation x → (x − d)/c in order to obtain g(x) = x. The difference in the case of CVD families is that the CM discriminant is not constant and predefined as in complete families, but it is represented by the linear term g(x) = x. Thus for a fixed embedding degree k we need to find a number field K containing both the primitive kth roots of unity and the element √ −x.
According to Dryło [3], we can apply a modified version of the Brezing-Weng method, introduced in Algorithm 2, for the case of CVD families. This modified version is presented in Algorithm 4. We set K = Q(ζ l ) and r(x) = l (x), for some l > 0, with k | l and then search for a polynomial z( . This search is easy [3]) (see also [12,13], for additional examples). Once z(x) is determined, then we proceed according to Algorithm 2. The only thing that changes is the construction of the field polynomial in Equation (5). The families produced by Algorithm 4 have generally ρ-values: By Remark 3, if we wish to obtain a CVD family with ρ(p, t, r) = 2 we need to consider constant lifts t 1 , y 1 ∈ Q for the polynomials t(x) and y(x) respectively in step (3) of Algorithm 4. As in complete families, the outputs of Algorithm 4 are potential CVD families, since we need to make sure that the constructed polynomials are integer-valued. Thus we need to search for a, b ∈ Z, such that p(x) ∈ Z, for every x ≡ b mod a.
Table 8 Numerical examples of pairing-friendly parameters from selected complete families.
5: Compute p(x) by the relation 4p(x) = t(x)^2 + x y(x)^2.
6: If p(x) represents primes, return (p(x), t(x), r(x)).
Algorithm 5 Finding suitable parameters using CVD families.
Input: A CVD family $(p(x), t(x), r(x))$ and a desired bit size $S_r$.
Output: A prime $p$, a (nearly) prime $r$ and a Frobenius trace $t$.
1: Find $a, b \in \mathbb{Z}$, so that $p(x) \in \mathbb{Z}$, for every $x \equiv b \bmod a$.
2: Search for $x_0 \in \mathbb{Z}$ of the form $x_0 = Dy^2$, with $x_0 \equiv b \bmod a$, such that $r(x_0) = nr$ for some prime $r$ and $n \geq 1$.
3: Set $p = p(x_0)$, $r = r(x_0)/n$ and $t = t(x_0)$.
4: If $\log r \approx S_r$ and $p$ is prime, return $(p, t, r)$ and $D$.
Then, in order to generate pairing-friendly parameters using this type of family, we search for $x_0 \in \mathbb{Z}$ such that $p(x_0)$ is prime and $r(x_0)$ is nearly prime, i.e. it contains a small factor $n \geq 1$. An additional condition in this case is that $g(x_0)$ must be equal to the product of some square-free $D > 0$ times a perfect square $y^2$. We can perform this search by setting $x_0 = Dy^2$ and varying $D$, $y$ until we hit a valid pair $(D, y)$, for which $g(x_0) = Dy^2$. This procedure is described in Algorithm 5 (see also Paragraph 4.2 for generating suitable elliptic curve parameters using CVD families). Once again, this process is affected by the degree of the polynomial $r(x)$, as well as the size of its coefficients (especially the leading coefficient).
In general, CVD families are a nice choice for applications that require large and flexible CM discriminants. Although there is no particular attack on elliptic curves with small discriminants, in [4] it is recommended to use curves with large $D$. However, we emphasize that the values for $D$ to be tested must be relatively small (e.g. $D < 10^{10}$), in order to apply the CM method for constructing elliptic curves efficiently. Another option for flexible CM discriminants is to use sparse families (see for example [3,6,8]), but in this case the procedure of generating suitable parameters is slightly more complicated.

Recommendations of CVD families
We now present our recommendations of CVD families at the usual security levels of 128, 192 and 256-bits. As stated in the case of complete families, our basic concern is to introduce CVD families with ρ-values such that the DLP in the $r$-order subgroups $G_1$, $G_2$ of $E(\mathbb{F}_{p^k})$ and in the extension field $\mathbb{F}_{p^k}$ have approximately the same difficulty. Therefore we also introduce CVD families with $\rho(p, t, r) = 2$, that have not been considered before. The proposed CVD families are mainly cyclotomic families obtained by the following setup: for $i = 1, \ldots, \varphi(l) - 1$, where $u(x)$ and $z(x)$ represent the primitive $l$th root of unity and the element respectively. In addition, by the choice of $z(x)$ in Equation (6), we get that $l$ must be an even, positive integer. This setup was first considered by Dryło [3]; however, his families aim for the smallest ρ-values for each embedding degree. In addition we also introduce a few non-cyclotomic CVD families for embedding degrees that do not appear in the cyclotomic case. For every proposed family we measure the asymptotic complexity of the DLP in the finite extension $\mathbb{F}_{p^k}$ by using the L-notation of Equation (1), for $\ell = 1/3$, $c = 1.923$, when $k$ is prime and $c = 1.526$, when $k$ is composite. This follows from the recent improvements of the TNFS methods for composite degree extension fields [9,11,4].

128-bit security level
Examples of cyclotomic CVD families for 128-bit security are presented in Table 9. Recall that in this case the prime $r = \#G_1 = \#G_2$ is 256 bits, while the extension field must be $k \log p \approx 2530$, when $k$ is prime and $k \log p \approx 4352$, when $k$ is composite. The best examples in this case are achieved by the pairs $(k, \rho) = (7, 1.5)$ and $(10, 1.75)$. In the first case the extension field $\mathbb{F}_{p^k}$ is 2688 bits, while in the second case, it is 4480 bits. The rest of the examples produce a slightly larger extension field, but still close to the optimal balance. We describe how the first CVD family of Table 9 is obtained in the following example.

Example 8.
We set the number field $K = \mathbb{Q}(\zeta_{14})$. Hence the polynomial $r(x)$ is the $l$th cyclotomic polynomial: and $u(x) = x$ is a primitive 14th root of unity in $\mathbb{Q}[x]/\langle r(x) \rangle$. By Equations (6), we set $z(x) = x^4$ so that For $i = 8$ in Algorithm 4 we obtain: $t(x) \equiv (-x + 1) \bmod r(x)$ and $y(x) \equiv (x^4 + x^3) \bmod r(x)$.
Since $\gcd(i, l) = 2$, we get that $k = 7$, by step (4) of Algorithm 4. For the field polynomial $p(x)$ we use the relation: All examples in Table 9, as well as all examples in the tables to follow are obtained in an analogous way.
Table 10: Cyclotomic CVD families at 128-bit security level with lifts $t_1, y_1 \in \mathbb{Q}$ and $\rho = 2$.
Table 11: Cyclotomic CVD families at 192-bit security level.
Table 12: Cyclotomic CVD families at 192-bit security level with lifts $t_1, y_1 \in \mathbb{Q}$ and $\rho = 2$.
As we did in Section 3, we also introduce several CVD families with $\rho(p, t, r) = 2$. Such families can be obtained by applying Algorithm 4 and considering constant lifts $t_1, y_1 \in \mathbb{Q}$ for the polynomials $t(x)$ and $y(x)$. CVD families with this ρ-value have not been considered before; however, we argue that they are likely to offer a nicely balanced security level in the three pairing groups. We give two such examples in Table 10 for embedding degrees 5 and 9, which produce an extension field $\mathbb{F}_{p^k}$ of 2560 bits in the first case and 4608 bits in the second case. Although $\rho = 2$ in these families, the corresponding extension fields are not so large that we cannot handle them. Both in complete and CVD families we see that the potentially ideal families are limited when working at a 128-bit security level. However, each family is likely to produce a large number of pairing-friendly elliptic curves, when evaluated at appropriate integers. More families can be found when working at higher security levels, such as 192 or 256-bits, as we will see in the next paragraphs.

192-bit security level
Our examples for the case of CVD families that produce an optimal security level in the three pairing groups $G_1$, $G_2$ and $G_T$ are listed in Table 11. For a 192-bit security level recall that the prime $r$ has a size of 384 bits and the extension field $\mathbb{F}_{p^k}$ should be around 6670 bits for prime embedding degrees and 11670 bits for composite values of $k$, in order for the DLP to be resistant against TNFS attacks. The best balance in the prime case is obtained by the pairs $(k, \rho) = (11, 1.6)$ and $(13, 1.3333)$ and for the composite case by the pairs $(k, \rho) = (22, 1.4)$ and $(26, 1.1667)$. The remaining examples in Table 11 also achieve a security level in the extension field close to 192 bits. We also introduce an example for $k = 15$ with $\rho(p, t, r) = 2$, which is obtained by taking constant lifts $t_1, y_1 \in \mathbb{Q}$ for the polynomials $t(x)$ and $y(x)$. The extension field $\mathbb{F}_{p^k}$ in this case has size around 11520 bits, providing a security level of 190 bits (see Table 12).

256-bit security level
For a 256-bit security level, the prime $r$ must be 512 bits large and the extension field must be 13500 bits for prime and 23780 bits for composite embedding degrees. The best possible balance for the security level in the three pairing groups is obtained by the pairs (k, ρ) = (17, 1 Table 13 also achieve a security level around 256-bits. It is also possible to get a nicely balanced security level by considering the family of Table 14, for $k = 13$, with $\rho(p, t, r) = 2$.

Non-cyclotomic families
An alternative approach is to choose the polynomial $r(x)$ to be a non-cyclotomic polynomial, satisfying condition (2) of Definition 1, in which case we construct non-cyclotomic CVD families. This setup allows us to obtain examples of families for embedding degrees that we could not find using the cyclotomic setup of Equation (6). As stated when we were discussing complete families, it is sometimes hard to determine a primitive $k$th root of unity in $\mathbb{Q}[x]/\langle r(x) \rangle$. In general, what we have to do is to find a polynomial $u(x) \in \mathbb{Q}[x]$, such that $\Phi_k(u(x)) = 0 \bmod r(x)$. Methods that produce such polynomials $r(x)$ and $u(x)$ can be found in [6,10,12,13,16]. In addition, for CVD families it is also hard to find a polynomial $z(x) \equiv \sqrt{-x} \bmod r(x)$. A general procedure to do this is to set $z(x) \in \mathbb{Q}[x]/\langle r(x) \rangle$ to be of the form $z(x) = z_{\deg r} x^{\deg r} + z_{\deg r - 1} x^{\deg r - 1} + \cdots + z_1 x + z_0$ and then search for coefficients $z_i$, such that $z(x)^2 \equiv -x \bmod r(x)$, via an exhaustive search. Clearly this is a very time-consuming process, especially when the degree of the polynomial $r(x)$ is large (e.g. $\deg r > 4$).
One trick to avoid the above process is to set $r(x) = \Phi_l(ax)$ and $u(x) = ax$, for some $a \in \mathbb{Z}$ and some $l \in \mathbb{Z}_{>0}$, such that $k \mid l$, but we still need to determine a suitable polynomial $z(x)$. Such examples are given in Table 15. The family for $k = 30$ was first introduced in [3]. For $k = 28$, Dryło presented a CVD family for the same $r(x)$ as in Table 15, but with $\rho(p, t, r) = 1.5$. For a 512-bit prime, this family produces an extension field of size 21504 bits, which is more than 2000 bits smaller than the optimal size for a 256-bit security level. Using Dryło's setup, we introduce a CVD family with $k = 28$ and $\rho(p, t, r) = 1.75$. With this choice we obtain extension fields of size 25088 bits, which corresponds to a security level of 261 bits according to the new TNFS attacks for composite embedding degrees. Furthermore, with this setup we also constructed a family with $k = 14$ and $\rho(p, t, r) = 1.4167$, which could not be obtained by the cyclotomic setup of Equations (6).
In [3], Dryło presented a non-cyclotomic CVD family with embedding degree 8 and $\rho(p, t, r) = 1.5$. This family produces an extension field of 3072 bits, when $\log r = 256$, which might have been optimal before the improvements of the TNFS method for composite $k$. Today, such extension fields reach a security level of 110 bits. Using Dryło's polynomials $r(x)$ and $u(x)$, we present our recommendation of a CVD family for $k = 8$ and $\rho(p, t, r) = 2$, in the following example.
Example 9.
For $l = k = 8$ we take Dryło's polynomials [3]: We obtain a CVD family with embedding degree 8 and $\rho(q, t, r) = 2$, which is integer-valued when $x \equiv 23 \bmod 24$.
In Example 9 we actually take a lift $t_1 = -1$ for the trace polynomial $t(x)$, so that the resulting field polynomial has $\deg p = 2 \deg r$. With this CVD family, the extension fields $\mathbb{F}_{p^8}$ have size around 4096 bits, resulting in a 124-bit security level. These are just a few examples of non-cyclotomic CVD families, but we argue that a lot more can be found by choosing the right polynomials $r(x)$, $u(x)$ and $z(x)$.
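The field sizes and security levels quoted in this section and the ones above can be recomputed from $k$, $\rho$ and $\log r$; the following Python is an added example, not code from the paper. It evaluates $L_N[1/3, c]$ with the $o(1)$ term ignored, using $c = 1.923$ for prime $k$ and $c = 1.526$ for composite $k$ as stated in the text; the `r_bits / 2` estimate for $G_1$, $G_2$ is the generic square-root bound, assumed here.

```python
from math import log

def is_prime(k):
    return k > 1 and all(k % q for q in range(2, int(k**0.5) + 1))

def dlp_bits(field_bits, k):
    """log2 of L_N[1/3, c] for N = p^k, with the o(1) term ignored."""
    c = 1.923 if is_prime(k) else 1.526   # NFS for prime k, TNFS variants otherwise
    ln_n = field_bits * log(2)            # ln N, where field_bits = k * log2(p)
    return c * ln_n ** (1 / 3) * log(ln_n) ** (2 / 3) / log(2)

def assess(k, rho, r_bits):
    """Field size and estimated security of G_T versus G_1, G_2."""
    field_bits = round(k * rho * r_bits)  # k * log p with log p = rho * log r
    gt_bits = dlp_bits(field_bits, k)
    g12_bits = r_bits / 2                 # generic square-root bound (assumption)
    return {"field_bits": field_bits, "gt_bits": round(gt_bits),
            "g12_bits": round(g12_bits), "gap": round(gt_bits - g12_bits, 1)}

# (k, rho, log r) combinations taken from the text
QUOTED = [(7, 1.5, 256), (10, 1.75, 256), (5, 2, 256), (9, 2, 256), (8, 1.5, 256),
          (8, 2, 256), (15, 2, 384), (28, 1.5, 512), (28, 1.75, 512)]

if __name__ == "__main__":
    for k, rho, r_bits in QUOTED:
        print(f"k={k:2d} rho={rho:<4} log r={r_bits}: {assess(k, rho, r_bits)}")
```

For $(k, \rho, \log r) = (8, 1.5, 256)$ this gives a 3072-bit field at 110 bits, and for $(8, 2, 256)$ a 4096-bit field at 124 bits, matching the figures in the text.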

Numerical examples
We give our numerical examples obtained by the CVD families of this section in Table 16, for 128, 192 and 256-bit security level. The parameters we constructed are generated by applying Algorithm 5. The column "$x_0$" refers to the integer input for the polynomials $p(x)$, $t(x)$ and $r(x)$. Recall that an additional constraint in the case of CVD families is that the integer $x_0$ must be of the form $x_0 = Dy^2$, for some relatively small, positive and square-free $D$ and some $y \in \mathbb{Z}$. This $D$, hidden in $x_0$, is the CM discriminant and by relatively small we mean $D < 10^{10}$, in order to ensure the efficiency of the CM method for constructing elliptic curves. The column "$n$" refers to the relaxed condition that $r(x_0)$ might contain a small cofactor $n$, which increases the probability of finding pairing-friendly elliptic curve triples. In this case we set the prime $r = r(x_0)/n$. In the final column, we calculate the complexity of the DLP in the extension field $\mathbb{F}_{p^k}$, using Equation (1), for $\ell = 1/3$ and ignoring the constant $o(1)$. For prime $k$ we set $c = 1.923$ and for composite $k$, we set $c = 1.526$, according to the new variants of the TNFS attacks [9,11,4].
For example, we demonstrate how the values in Table 16 are obtained, by explaining the first line. Recall the CVD family $(p(x), t(x), r(x))$ with embedding degree 5 and $\rho(p, t, r) = 2$, presented in Table 10. We evaluate this family at $x_0 = 8871207 \cdot 1511472^2 \equiv 0 \bmod 2$, thus the CM discriminant is $D = 8871207$ and $y = 1511472$. The corresponding polynomials extract the following values: $r(x_0) = 168706456229412766135267650484866651769980903843154241234468805836830177009921$ Table 16 are obtained in the same way.
Recall that the search for suitable integers $x_0$ is affected by the degree of the polynomial $r(x)$ and by the size of its leading coefficient, where in the case of CVD families, $x_0 = Dy^2$.
In the examples of Table 16 we have considered CM discriminants $D < 10^7$; however, we could also allow it to be slightly larger. Our search is then performed by a random choice of $D$ up to $10^7$ and a random choice of $y \in \mathbb{Z}$, such that $\deg r\,(\log D + 2 \log y) + \log(\mathrm{lc}(r)) \approx$ security level, where $\mathrm{lc}(r)$ is the leading coefficient of $r(x)$ (note that $\mathrm{lc}(r) = 0$, when $r(x) = \Phi_l(x)$). Then we set $x_0 = Dy^2$. In some cases, in order to reach a desired security level, we need $y = 1$, so that $x_0 = D$. This happens when the degree of the polynomial $r(x)$ is large. For CVD families at a 128-bit security level we have considered polynomials $r(x)$ with $\deg r \leq 10$, for 192-bit security level we have $\deg r \leq 20$ and for 256-bit security level, $\deg r \leq 24$.
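Algorithm 5 and the search over $(D, y)$ described above, run at toy sizes on the $k = 7$ family of Example 8; this Python is an added example, not part of the paper. It takes $t(x) = -x + 1$, $y(x) = x^4 + x^3$ and $r(x) = \Phi_{14}(x)$ from Example 8, computes $p(x)$ from $4p(x) = t(x)^2 + x\,y(x)^2$ (integer-valued for odd $x$), and checks each hit against the CM equation. The bounds `d_max`, `y_max`, `n_max`, the 40-bit target for $r$ and the fixed-base Miller-Rabin test are assumptions chosen so that it finishes quickly; real parameters need $r$ of 256 bits or more.

```python
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):                  # Miller-Rabin, fixed bases (assumption)
    if n < 2 or any(n % q == 0 for q in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def family(x):                             # Example 8 evaluated at an integer x
    t, y = 1 - x, x**4 + x**3              # t(x) = -x + 1, y(x) = x^4 + x^3
    r = (x**7 + 1) // (x + 1)              # r(x) = Phi_14(x)
    p, rem = divmod(t * t + x * y * y, 4)  # 4p(x) = t(x)^2 + x*y(x)^2
    if rem:
        raise ValueError("p(x) is not an integer here: x must be odd")
    return p, t, r, y

def split_r(rx, n_max=1000):               # r(x0) = n*r with a small cofactor n
    n = 1
    for q in range(2, n_max + 1):
        while rx % q == 0 and rx > q:
            rx, n = rx // q, n * q
    return (n, rx) if n <= n_max and is_probable_prime(rx) else None

def embedding_degree(p, r, k_max=50):      # multiplicative order of p modulo r
    return next((k for k in range(1, k_max + 1) if pow(p, k, r) == 1), None)

def algorithm5(min_r_bits=40, d_max=2000, y_max=15):
    for D in range(1, d_max, 2):           # odd D and odd y0 keep x0 = D*y0^2 odd
        if any(D % (q * q) == 0 for q in range(2, int(D**0.5) + 1)):
            continue                       # D must be square-free
        for y0 in range(1, y_max + 1, 2):
            p, t, rx, yx = family(D * y0 * y0)
            nr = split_r(rx) if is_probable_prime(p) else None
            if nr and nr[1].bit_length() >= min_r_bits:
                return {"D": D, "Y": y0 * yx, "p": p, "t": t, "n": nr[0], "r": nr[1]}
    return None
```

`algorithm5()` returns the first hit as a dictionary; for any hit, `D * Y**2 == 4*p - t**2` holds, `r` divides `p + 1 - t`, and `embedding_degree(p, r)` is 7.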

Remark 10.
As stated earlier in this section, a useful advantage of CVD families is that they allow us to obtain more flexible CM discriminants than in the case of complete families, where $D$ is fixed and relatively small. Throughout the tables in Sections 3 and 4, we see that for many embedding degrees, complete and CVD families have the same ρ-value. The advantage of the CVD families we presented is that the degree of the polynomial $r(x)$ is half the degree of the corresponding polynomial $r(x)$ for complete families. This allows us to better handle the sizes of the extracted elliptic curve parameters.

Conclusion
Since the recent improvements to variants of the TNFS method [9,11,4], there has been much speculation on whether pairings can indeed be used for robust cryptographic applications. Especially for extension fields of composite degree, these TNFS attacks have a major effect, making it necessary to update the criteria for selecting elliptic curve parameters of composite embedding degree for pairing-based implementations.
Motivated by this necessity, we presented a survey of families of pairing-friendly elliptic curves with composite embedding degrees, which are likely to generate elliptic curve parameters resistant to the improved TNFS attacks. As stated throughout this paper, our main concern is not to search for families with the smallest ρ-values, but for families that produce an equally balanced security level in the three pairing groups $G_1, G_2 \subseteq E(\mathbb{F}_{p^k})$ and $G_T \subseteq \mathbb{F}_{p^k}^*$. Therefore, we also introduce families with prime embedding degrees, which have not been considered before due to a larger ρ-value. Additionally, in this paper we study two types of polynomial families. These are complete families (see Section 3), where the CM discriminant is a constant square-free positive value $D$, and complete families with variable discriminant (see Section 4), where the CM discriminant is represented by a linear term $x$. We argue that all proposed families are suitable for producing a balanced security level of 128, 192 and 256-bits in the three pairing groups. Our recommendations are summarized in Table 17.