Choosing and generating parameters for pairing implementation on BN curves

Appl. Algebra Eng. Commun. Comput. (2017)

Abstract
Because pairings have many applications, many hardware and software pairing implementations can be found in the literature. However, the parameters generally used have been invalidated by the recent results on the discrete logarithm problem over pairing-friendly elliptic curves (Kim and Barbulescu in CRYPTO 2016, volume 9814 of Lecture Notes in Computer Science, Springer, Berlin, pp 543–571, 2016). New parameters must be generated to ensure enough security in pairing-based protocols. More generally, it could be useful to generate nice pairing parameters in many real-world applications (specific security level, resistance to specific attacks on a protocol, database of curves). The main purpose of this paper is to describe explicitly and exhaustively what should be done to generate the best possible parameters and to make the best choices depending on the implementation context (in terms of pairing algorithm, ways to build the tower field, 𝔽_{p^{12}} arithmetic, groups involved and their generators, system of coordinates). We focus on low-level implementations, assuming that 𝔽_p additions have a significant cost compared to other 𝔽_p operations. However, our results are still valid if 𝔽_p additions can be neglected. We also explain why the best choice for the polynomials defining the tower field 𝔽_{p^{12}} depends only on the value of the BN parameter u modulo small integers (12, for instance), as a nice application of old elementary arithmetic results. This should allow a faster generation of this parameter. Moreover, we use this opportunity to give some new slight improvements on 𝔽_{p^{12}} arithmetic (in a pairing context).
Keywords
Cryptography,Elliptic curves,Pairing,Finite fields,11T71,14G50